diff --git a/packages/atlassian_confluence/1.5.2/LICENSE.txt b/packages/atlassian_confluence/1.5.2/LICENSE.txt
deleted file mode 100755
index 809108b857..0000000000
--- a/packages/atlassian_confluence/1.5.2/LICENSE.txt
+++ /dev/null
@@ -1,93 +0,0 @@
-Elastic License 2.0
-
-URL: https://www.elastic.co/licensing/elastic-license
-
-## Acceptance
-
-By using the software, you agree to all of the terms and conditions below.
-
-## Copyright License
-
-The licensor grants you a non-exclusive, royalty-free, worldwide,
-non-sublicensable, non-transferable license to use, copy, distribute, make
-available, and prepare derivative works of the software, in each case subject to
-the limitations and conditions below.
-
-## Limitations
-
-You may not provide the software to third parties as a hosted or managed
-service, where the service provides users with access to any substantial set of
-the features or functionality of the software.
-
-You may not move, change, disable, or circumvent the license key functionality
-in the software, and you may not remove or obscure any functionality in the
-software that is protected by the license key.
-
-You may not alter, remove, or obscure any licensing, copyright, or other notices
-of the licensor in the software. Any use of the licensor’s trademarks is subject
-to applicable law.
-
-## Patents
-
-The licensor grants you a license, under any patent claims the licensor can
-license, or becomes able to license, to make, have made, use, sell, offer for
-sale, import and have imported the software, in each case subject to the
-limitations and conditions in this license. This license does not cover any
-patent claims that you cause to be infringed by modifications or additions to
-the software. If you or your company make any written claim that the software
-infringes or contributes to infringement of any patent, your patent license for
-the software granted under these terms ends immediately. If your company makes
-such a claim, your patent license ends immediately for work on behalf of your
-company.
-
-## Notices
-
-You must ensure that anyone who gets a copy of any part of the software from you
-also gets a copy of these terms.
-
-If you modify the software, you must include in any modified copies of the
-software prominent notices stating that you have modified the software.
-
-## No Other Rights
-
-These terms do not imply any licenses other than those expressly granted in
-these terms.
-
-## Termination
-
-If you use the software in violation of these terms, such use is not licensed,
-and your licenses will automatically terminate. If the licensor provides you
-with a notice of your violation, and you cease all violation of this license no
-later than 30 days after you receive that notice, your licenses will be
-reinstated retroactively. However, if you violate these terms after such
-reinstatement, any additional violation of these terms will cause your licenses
-to terminate automatically and permanently.
-
-## No Liability
-
-*As far as the law allows, the software comes as is, without any warranty or
-condition, and the licensor will not be liable to you for any damages arising
-out of these terms or the use or nature of the software, under any kind of
-legal claim.*
-
-## Definitions
-
-The **licensor** is the entity offering these terms, and the **software** is the
-software the licensor makes available under these terms, including any portion
-of it.
-
-**you** refers to the individual or entity agreeing to these terms.
-
-**your company** is any legal entity, sole proprietorship, or other kind of
-organization that you work for, plus all organizations that have control over,
-are under the control of, or are under common control with that
-organization. **control** means ownership of substantially all the assets of an
-entity, or the power to direct its management and policies by vote, contract, or
-otherwise. Control can be direct or indirect.
-
-**your licenses** are all the licenses granted to you for the software under
-these terms.
-
-**use** means anything you do with the software requiring one of your licenses.
-
-**trademark** means trademarks, service marks, and similar rights.
diff --git a/packages/atlassian_confluence/1.5.2/changelog.yml b/packages/atlassian_confluence/1.5.2/changelog.yml
deleted file mode 100755
index 77e39bcd36..0000000000
--- a/packages/atlassian_confluence/1.5.2/changelog.yml
+++ /dev/null
@@ -1,61 +0,0 @@
-# newer versions go on top
-- version: "1.5.2"
- changes:
- - description: Use ECS geo.location definition.
- type: enhancement
- link: https://github.com/elastic/integrations/issues/4227
-- version: "1.5.1"
- changes:
- - description: Clarify basic authentication config options.
- type: bugfix
- link: https://github.com/elastic/integrations/pull/3693
-- version: "1.5.0"
- changes:
- - description: Update package to ECS 8.4.0
- type: enhancement
- link: https://github.com/elastic/integrations/pull/3841
-- version: "1.4.1"
- changes:
- - description: Fix proxy URL documentation rendering.
- type: bugfix
- link: https://github.com/elastic/integrations/pull/3881
-- version: "1.4.0"
- changes:
- - description: Update package to ECS 8.3.0.
- type: enhancement
- link: https://github.com/elastic/integrations/pull/3353
-- version: "1.3.0"
- changes:
- - description: Add support for Atlassian Confluence Cloud
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2715
-- version: "1.2.0"
- changes:
- - description: Update to ECS 8.2
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2778
-- version: "1.1.2"
- changes:
- - description: Update readme
- type: enhancement
- link: https://github.com/elastic/integrations/pull/3062
-- version: "1.1.1"
- changes:
- - description: Add documentation for multi-fields
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2916
-- version: "1.1.0"
- changes:
- - description: Update to ECS 8.0
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2378
-- version: "1.0.1"
- changes:
- - description: Regenerate test files using the new GeoIP database
- type: bugfix
- link: https://github.com/elastic/integrations/pull/2339
-- version: "1.0.0"
- changes:
- - description: Initial draft of the package
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2208
diff --git a/packages/atlassian_confluence/1.5.2/data_stream/audit/agent/stream/httpjson.yml.hbs b/packages/atlassian_confluence/1.5.2/data_stream/audit/agent/stream/httpjson.yml.hbs
deleted file mode 100755
index 6f54d0d4ba..0000000000
--- a/packages/atlassian_confluence/1.5.2/data_stream/audit/agent/stream/httpjson.yml.hbs
+++ /dev/null
@@ -1,123 +0,0 @@ -config_version: "2" -interval: {{interval}} -request.method: "GET" - -{{#if ssl}} -request.ssl: {{ssl}} -{{/if}} - -{{#if http_client_timeout}} -request.timeout: {{http_client_timeout}} -{{/if}} - -{{#if proxy_url }} -request.proxy_url: {{proxy_url}} -{{/if}} - -{{#unless token}} -{{#if username}} -{{#if password}} -auth.basic.user: {{username}} -auth.basic.password: {{password}} -{{/if}} -{{/if}} -{{/unless}} - -{{#if atlassian_cloud}} -{{! Atlassian Confluence Cloud }} -request.url: {{api_url}}/wiki/rest/api/audit -request.transforms: - - set: - target: url.params.limit - value: '{{ limit }}' - - set: - target: url.params.startDate - value: '[[.cursor.last_timestamp]]' - default: '[[(now (parseDuration "-{{initial_interval}}")).UnixMilli]]' - - set: - target: url.params.endDate - value: '[[now.UnixMilli]]' - - set: - target: url.params.start - value: '0' - -response.split: - target: body.results - -response.pagination: - - set: - target: url.value - value: > - [[sprintf "%s/wiki/rest/api/audit?endDate=%s&startDate=%s&start=%d&limit=%s" - "{{api_url}}" - (.last_response.url.params.Get "endDate") - (.last_response.url.params.Get "startDate") - (add (toInt .last_response.body.start) (toInt .last_response.body.limit)) - "{{ limit }}"]] - fail_on_template_error: true - -cursor: - last_timestamp: - value: '[[.first_event.creationDate]]' - -fields_under_root: true -fields: - _config: - atlassian_cloud: true - -{{else}} -{{! 
Self-hosted Confluence Data Center }} -request.url: {{api_url}}/rest/auditing/1.0/events -request.transforms: - - set: - target: url.params.limit - value: '{{ limit }}' - -{{#unless username}} -{{#unless password}} -{{#if token}} - - set: - target: header.Authorization - value: Bearer {{token}} -{{/if}} -{{/unless}} -{{/unless}} - - - set: - target: url.params.from - value: '[[.cursor.last_timestamp]]' - default: '[[formatDate (now (parseDuration "-{{initial_interval}}"))]]' - - set: - target: url.params.to - value: '[[formatDate now]]' - -response.split: - target: body.entities - -response.pagination: - - set: - target: url.value - value: '[[ .last_response.body.pagingInfo.nextPageLink ]]' - fail_on_template_error: true - -cursor: - last_timestamp: - value: '[[.first_event.timestamp]]' -{{/if}} - -tags: -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#each tags as |tag i|}} - - {{tag}} -{{/each}} - -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} - -{{#if processors}} -processors: -{{processors}} -{{/if}} \ No newline at end of file diff --git a/packages/atlassian_confluence/1.5.2/data_stream/audit/agent/stream/stream.yml.hbs b/packages/atlassian_confluence/1.5.2/data_stream/audit/agent/stream/stream.yml.hbs deleted file mode 100755 index c6e5ed4c73..0000000000 --- a/packages/atlassian_confluence/1.5.2/data_stream/audit/agent/stream/stream.yml.hbs +++ /dev/null @@ -1,19 +0,0 @@ -paths: -{{#each paths as |path i|}} - - {{path}} -{{/each}} -tags: -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#each tags as |tag i|}} - - {{tag}} -{{/each}} -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} -exclude_files: [".gz$"] -{{#if processors}} -processors: -{{processors}} -{{/if}} \ No newline at end of file 
diff --git a/packages/atlassian_confluence/1.5.2/data_stream/audit/elasticsearch/ingest_pipeline/cloud.yml b/packages/atlassian_confluence/1.5.2/data_stream/audit/elasticsearch/ingest_pipeline/cloud.yml
deleted file mode 100755
index 0e81f00f67..0000000000
--- a/packages/atlassian_confluence/1.5.2/data_stream/audit/elasticsearch/ingest_pipeline/cloud.yml
+++ /dev/null
@@ -1,84 +0,0 @@ ---- -description: Pipeline for processing Atlassian Confluence Cloud audit logs. -processors: -- date: - field: json.creationDate - formats: - - UNIX_MS -- rename: - field: json.remoteAddress - target_field: source.address - ignore_missing: true -- rename: - field: json.author.accountId - target_field: user.id - ignore_missing: true -- rename: - field: json.author.displayName - target_field: user.full_name - ignore_missing: true -- rename: - field: json.author.externalCollaborator - target_field: confluence.audit.external_collaborator - ignore_missing: true -- rename: - field: json.category - target_field: confluence.audit.type.category - ignore_missing: true -- rename: - field: json.summary - target_field: confluence.audit.type.action - ignore_missing: true -- set: - field: event.action - copy_from: confluence.audit.type.action - ignore_empty_value: true -- rename: - field: json.associatedObjects - target_field: confluence.audit.affected_objects - ignore_missing: true -- rename: - field: json.changedValues - target_field: confluence.audit.changed_values - ignore_missing: true -- script: - lang: painless - description: Modify data to match Self Hosted - source: >- - if(ctx.confluence?.audit?.affected_objects == null) { - ArrayList items = new ArrayList(); - ctx.confluence?.audit.put("affected_objects", items); - } - if(ctx.json?.affectedObject != null && !ctx.confluence?.audit?.affected_objects.contains(ctx.json?.affectedObject)) { - ctx.confluence?.audit?.affected_objects.add(ctx.json?.affectedObject); - } - - if(ctx.confluence?.audit?.affected_objects != null) { - for (def j = 0; j < ctx.confluence?.audit?.affected_objects.length; j++) { - if(ctx.confluence.audit.affected_objects[j]?.objectType != null) { - ctx.confluence.audit.affected_objects[j].put('type', ctx.confluence.audit.affected_objects[j].objectType); - ctx.confluence.audit.affected_objects[j].remove('objectType'); - } - } - } - if(ctx.confluence?.audit?.changed_values != null) { - 
for (def j = 0; j < ctx.confluence?.audit?.changed_values.length; j++) { - if(ctx.confluence.audit.changed_values[j]?.name != null) { - ctx.confluence.audit.changed_values[j].put('i18nKey', ctx.confluence.audit.changed_values[j].name); - ctx.confluence.audit.changed_values[j].put('key', ctx.confluence.audit.changed_values[j].name); - ctx.confluence.audit.changed_values[j].remove('name'); - } - if(ctx.confluence.audit.changed_values[j]?.newValue != null) { - ctx.confluence.audit.changed_values[j].put('to', ctx.confluence.audit.changed_values[j].newValue); - ctx.confluence.audit.changed_values[j].remove('newValue'); - } - if(ctx.confluence.audit.changed_values[j]?.oldValue != null) { - ctx.confluence.audit.changed_values[j].put('from', ctx.confluence.audit.changed_values[j].oldValue); - ctx.confluence.audit.changed_values[j].remove('oldValue'); - } - } - } -on_failure: -- set: - field: error.message - value: '{{ _ingest.on_failure_message }}' diff --git a/packages/atlassian_confluence/1.5.2/data_stream/audit/elasticsearch/ingest_pipeline/default.yml b/packages/atlassian_confluence/1.5.2/data_stream/audit/elasticsearch/ingest_pipeline/default.yml deleted file mode 100755 index 7bee77628c..0000000000 --- a/packages/atlassian_confluence/1.5.2/data_stream/audit/elasticsearch/ingest_pipeline/default.yml +++ /dev/null 
@@ -1,448 +0,0 @@ ---- -description: Pipeline for processing Atlassian Confluence audit logs. -processors: -- set: - field: ecs.version - value: '8.4.0' -- rename: - field: message - target_field: event.original -- json: - field: event.original - target_field: json -- pipeline: - name: '{{ IngestPipeline "cloud" }}' - if: "ctx._config?.atlassian_cloud != null" -- pipeline: - name: '{{ IngestPipeline "self-hosted" }}' - if: "ctx._config?.atlassian_cloud == null" -- convert: - field: source.address - target_field: source.ip - type: ip - ignore_missing: true -- geoip: - field: source.ip - target_field: source.geo - ignore_missing: true -- geoip: - database_file: GeoLite2-ASN.mmdb - field: source.ip - target_field: source.as - properties: - - asn - - organization_name - ignore_missing: true -- rename: - field: source.as.asn - target_field: source.as.number - ignore_missing: true -- rename: - field: source.as.organization_name - target_field: source.as.organization.name - ignore_missing: true -- script: - lang: painless - description: Add ECS categorization - params: - Global permission added: - category: - - iam - - configuration - type: - - admin - - creation - audit.logging.summary.global.permission.added: - category: - - iam - - configuration - type: - - admin - - creation - Global permission removed: - category: - - iam - - configuration - type: - - admin - - deletion - audit.logging.summary.space.permission.added: - category: - - iam - - configuration - type: - - admin - - creation - User created: - category: - - iam - type: - - user - - creation - audit.logging.summary.user.created: - category: - - iam - type: - - user - - creation - User renamed: - category: - - iam - type: - - user - - change - audit.logging.summary.user.renamed: - category: - - iam - type: - - user - - change - User details updated: - category: - - iam - type: - - user - - change - audit.logging.summary.user.updated: - category: - - iam - type: - - user - - change - User deleted: - category: - 
- iam - type: - - user - - deletion - audit.logging.summary.user.deleted: - category: - - iam - type: - - user - - deletion - User added to group: - category: - - iam - type: - - group - - change - audit.logging.summary.group.membership.added: - category: - - iam - type: - - group - - change - User removed from group: - category: - - iam - type: - - group - - change - audit.logging.summary.group.membership.removed: - category: - - iam - type: - - group - - change - Group created: - category: - - iam - type: - - group - - creation - audit.logging.summary.group.created: - category: - - iam - type: - - group - - creation - Group deleted: - category: - - iam - type: - - group - - deletion - audit.logging.summary.group.deleted: - category: - - iam - type: - - group - - deletion - Audit Log configuration updated: - category: - - configuration - type: - - admin - - change - atlassian.audit.event.action.audit.config.updated: - category: - - configuration - type: - - admin - - change - audit.logging.summary.global.settings.edited: - category: - - configuration - type: - - admin - - change - personal.access.tokens.audit.log.summary.token.created: - category: - - iam - type: - - admin - - creation - personal.access.tokens.audit.log.summary.token.deleted: - category: - - iam - type: - - admin - - deletion - audit.logging.summary.login.success: - category: - - authentication - type: - - start - outcome: success - audit.logging.summary.user.logout: - category: - - authentication - type: - - end - audit.logging.summary.login.failed: - category: - - authentication - type: - - info - outcome: failure - audit.logging.summary.user.password.changed: - category: - - iam - type: - - user - - change - outcome: success - audit.logging.summary.sudo.auth.successful: - category: - - authentication - type: - - admin - - start - audit.logging.summary.sudo.logout: - category: - - authentication - type: - - admin - - end - audit.logging.summary.space.created: - category: - - configuration - 
type: - - creation - audit.logging.summary.page.created: - category: - - configuration - type: - - creation - audit.logging.summary.page.deleted: - category: - - configuration - type: - - deletion - audit.logging.summary.space.removed: - category: - - configuration - type: - - deletion - audit.logging.summary.space.config.updated: - category: - - configuration - type: - - change - source: >- - ctx.event.kind = 'event'; - ctx.event.type = 'info'; - if (ctx?.event?.action == null) { - return; - } - if (params.get(ctx.event.action) == null) { - return; - } - def hm = new HashMap(params.get(ctx.event.action)); - hm.forEach((k, v) -> ctx.event[k] = v); -- script: - lang: painless - description: Add ECS User fields - if: "['audit.logging.category.user.management','audit.logging.category.auth'].contains(ctx.confluence?.audit?.type?.categoryI18nKey) || ['Users and groups'].contains(ctx.confluence?.audit?.type?.category)" - source: >- - if (ctx?.event?.action == null) { - return; - } - if (ctx.group == null) { - Map map = new HashMap(); - ctx.put("group", map); - } - if (ctx.user == null) { - Map map = new HashMap(); - ctx.put("user", map); - } - if (ctx.user?.target == null) { - Map map = new HashMap(); - ctx.user.put("target", map); - } - if (ctx.user?.changes == null) { - Map map = new HashMap(); - ctx.user.put("changes", map); - } - if (ctx.user?.target?.group == null) { - Map map = new HashMap(); - ctx.user.target.put("group", map); - } - if(ctx.confluence?.audit?.affected_objects != null) { - for (def j = 0; j < ctx.confluence?.audit?.affected_objects.length; j++) { - if(ctx.confluence?.audit?.affected_objects[j]?.type == 'Group') { - String group_name = ctx.confluence?.audit?.affected_objects[j]?.name; - String group_id = ctx.confluence?.audit?.affected_objects[j]?.id; - if(ctx._config?.atlassian_cloud != null) { - def m = /(.+):(\b[0-9a-f]{8}\b-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-\b[0-9a-f]{12}\b)$/.matcher(group_name); - if (m.find()) { - group_name = m.group(1); - 
group_id = m.group(2); - } - } - if(['audit.logging.summary.group.created', 'audit.logging.summary.group.deleted', 'Group created', 'Group deleted'].contains(ctx.event.action)) { - ctx.group.put("name", group_name); - ctx.group.put("id", group_id); - } - if(['audit.logging.summary.group.membership.added', 'audit.logging.summary.group.membership.removed', 'User added to group','User removed from group'].contains(ctx.event.action)) { - ctx.user.target.group.put("name", group_name); - ctx.user.target.group.put("id", group_id); - } - } - if(ctx.confluence?.audit?.affected_objects[j]?.type == 'User') { - if(['audit.logging.summary.user.created', 'audit.logging.summary.user.deleted', 'audit.logging.summary.user.password.changed','audit.logging.summary.user.updated', 'User created', 'User deleted', 'User details updated'].contains(ctx.event.action)) { - ctx.user.target.put("full_name", ctx.confluence?.audit?.affected_objects[j]?.name); - ctx.user.target.put("id", ctx.confluence?.audit?.affected_objects[j]?.id); - if(ctx.confluence?.audit?.affected_objects[j]?.uri != null) { - def m = /\?username=([a-zA-Z0-9._-]+)$/.matcher(ctx.confluence?.audit?.affected_objects[j]?.uri); - if (m.find()) { - ctx.user.target.put("name", m.group(1)); - } - } - } - if(['audit.logging.summary.group.membership.added', 'audit.logging.summary.group.membership.removed', 'User added to group', 'User removed from group'].contains(ctx.event.action)) { - ctx.user.target.put("name", ctx.confluence?.audit?.affected_objects[j]?.name); - ctx.user.target.put("id", ctx.confluence?.audit?.affected_objects[j]?.id); - } - if(['audit.logging.summary.login.success', 'audit.logging.summary.login.failed'].contains(ctx.event.action)) { - ctx.user.put("full_name", ctx.confluence?.audit?.affected_objects[j]?.name); - ctx.user.put("id", ctx.confluence?.audit?.affected_objects[j]?.id); - if(ctx.confluence?.audit?.affected_objects[j]?.uri != null) { - def m = 
/\?username=([a-zA-Z0-9._-]+)$/.matcher(ctx.confluence?.audit?.affected_objects[j]?.uri); - if (m.find()) { - ctx.user.put("name", m.group(1)); - } - } - } - } - } - } - if(ctx.confluence?.audit?.changed_values != null) { - for (def j = 0; j < ctx.confluence?.audit?.changed_values.length; j++) { - if(['audit.logging.summary.user.renamed', 'User renamed'].contains(ctx.event.action)) { - if(ctx.confluence?.audit?.changed_values[j]?.i18nKey == 'audit.logging.changed.value.username') { - ctx.user.changes.put("name", ctx.confluence?.audit?.changed_values[j]?.to); - ctx.user.target.put("name", ctx.confluence?.audit?.changed_values[j]?.from); - } - } - if(['audit.logging.summary.user.created','audit.logging.summary.user.updated', 'User created', 'User details updated'].contains(ctx.event.action)) { - if(ctx.confluence?.audit?.changed_values[j]?.i18nKey == 'Username') { - ctx.user.changes.put("name", ctx.confluence?.audit?.changed_values[j]?.to); - ctx.user.target.put("name", ctx.confluence?.audit?.changed_values[j]?.to); - if(ctx.confluence?.audit?.changed_values[j]?.from != null) { - ctx.user.target.put("name", ctx.confluence?.audit?.changed_values[j]?.from); - } - } - if(ctx.confluence?.audit?.changed_values[j]?.i18nKey == 'Email') { - ctx.user.changes.put("email", ctx.confluence?.audit?.changed_values[j]?.to); - ctx.user.target.put("email", ctx.confluence?.audit?.changed_values[j]?.to); - if(ctx.confluence?.audit?.changed_values[j]?.from != null) { - ctx.user.target.put("email", ctx.confluence?.audit?.changed_values[j]?.from); - } - } - if(ctx.confluence?.audit?.changed_values[j]?.i18nKey == 'Display name') { - ctx.user.changes.put("full_name", ctx.confluence?.audit?.changed_values[j]?.to); - ctx.user.target.put("full_name", ctx.confluence?.audit?.changed_values[j]?.to); - if(ctx.confluence?.audit?.changed_values[j]?.from != null) { - ctx.user.target.put("full_name", ctx.confluence?.audit?.changed_values[j]?.from); - } - } - } - } - } -- append: - field: related.user - 
value: '{{user.name}}' - allow_duplicates: false - if: ctx.user?.name != null -- append: - field: related.user - value: '{{user.target.name}}' - allow_duplicates: false - if: ctx.user?.target?.name != null -- append: - field: related.user - value: '{{user.changes.name}}' - allow_duplicates: false - if: ctx.user?.changes?.name != null -- append: - field: related.ip - value: '{{source.ip}}' - allow_duplicates: false - if: ctx.source?.ip != null -- remove: - field: - - json - - _tmp - - _config - ignore_missing: true -- remove: - field: event.original - if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" - ignore_failure: true - ignore_missing: true -- script: - lang: painless - description: This script processor iterates over the whole document to remove fields with null values. - source: | - void handleMap(Map map) { - for (def x : map.values()) { - if (x instanceof Map) { - handleMap(x); - } else if (x instanceof List) { - handleList(x); - } - } - map.values().removeIf(v -> v == null || v == '' || (v instanceof Map && v.size() == 0) || (v instanceof List && v.size() == 0)); - } - void handleList(List list) { - for (def x : list) { - if (x instanceof Map) { - handleMap(x); - } else if (x instanceof List) { - handleList(x); - } - } - list.removeIf(v -> v == null || v == '' || (v instanceof Map && v.size() == 0) || (v instanceof List && v.size() == 0)); - } - handleMap(ctx); -on_failure: -- remove: - field: - - _config - - _tmp - ignore_failure: true -- set: - field: error.message - value: '{{ _ingest.on_failure_message }}' diff --git a/packages/atlassian_confluence/1.5.2/data_stream/audit/elasticsearch/ingest_pipeline/self-hosted.yml b/packages/atlassian_confluence/1.5.2/data_stream/audit/elasticsearch/ingest_pipeline/self-hosted.yml deleted file mode 100755 index ee49315d6a..0000000000 --- a/packages/atlassian_confluence/1.5.2/data_stream/audit/elasticsearch/ingest_pipeline/self-hosted.yml +++ /dev/null 
@@ -1,81 +0,0 @@
----
-description: Pipeline for processing self-hosted Atlassian Confluence audit logs.
-processors:
-- set:
- field: _tmp.timestamp
- copy_from: json.timestamp
- if: ctx.json?.timestamp != null && ctx.json.timestamp instanceof String
-- set:
- field: _tmp.timestamp
- value: "{{{json.timestamp.epochSecond}}}.{{{json.timestamp.nano}}}"
- if: ctx.json?.timestamp != null && ctx.json.timestamp instanceof Map && ctx.json.timestamp?.epochSecond != null && ctx.json.timestamp?.nano != null
-- date:
- field: _tmp.timestamp
- formats:
- - UNIX
- - ISO8601
-- rename:
- field: json.source
- target_field: source.address
- ignore_missing: true
-- rename:
- field: json.author.id
- target_field: user.id
- ignore_missing: true
-- rename:
- field: json.author.name
- target_field: user.full_name
- ignore_missing: true
-- grok:
- field: json.author.uri
- ignore_missing: true
- ignore_failure: true
- if: ctx?.json?.author?.uri != ""
- patterns:
- - '\?username=%{USER:user.name}$'
-- rename:
- field: json.auditType
- target_field: confluence.audit.type
- ignore_missing: true
-- rename:
- field: json.type
- target_field: confluence.audit.type
- ignore_missing: true
-- rename:
- field: json.method
- target_field: confluence.audit.method
- ignore_missing: true
-- rename:
- field: json.system
- target_field: service.address
- ignore_missing: true
-- uri_parts:
- field: service.address
- target_field: _tmp.service
- ignore_failure: true
- if: ctx.service?.address != null
-- rename:
- field: json.extraAttributes
- target_field: confluence.audit.extra_attributes
- ignore_missing: true
-- rename:
- field: json.changedValues
- target_field: confluence.audit.changed_values
- ignore_missing: true
-- rename:
- field: json.affectedObjects
- target_field: confluence.audit.affected_objects
- ignore_missing: true
-- set:
- field: event.action
- copy_from: confluence.audit.type.actionI18nKey
- ignore_empty_value: true
-- append:
- field: related.hosts
- value: '{{_tmp.service.domain}}'
- allow_duplicates: false
- if: ctx._tmp?.service?.domain != null
-on_failure:
-- set:
- field: error.message
- value: '{{ _ingest.on_failure_message }}'
diff --git a/packages/atlassian_confluence/1.5.2/data_stream/audit/fields/agent.yml b/packages/atlassian_confluence/1.5.2/data_stream/audit/fields/agent.yml
deleted file mode 100755
index e313ec8287..0000000000
--- a/packages/atlassian_confluence/1.5.2/data_stream/audit/fields/agent.yml
+++ /dev/null
@@ -1,204 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. 
- -- name: input.type - type: keyword - description: Input type -- name: log.offset - type: long - description: Log offset diff --git a/packages/atlassian_confluence/1.5.2/data_stream/audit/fields/base-fields.yml b/packages/atlassian_confluence/1.5.2/data_stream/audit/fields/base-fields.yml deleted file mode 100755 index ed93c08819..0000000000 --- a/packages/atlassian_confluence/1.5.2/data_stream/audit/fields/base-fields.yml +++ /dev/null @@ -1,20 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: event.module - type: constant_keyword - description: Event module - value: atlassian_confluence -- name: event.dataset - type: constant_keyword - description: Event dataset - value: atlassian_confluence.audit -- name: '@timestamp' - type: date - description: Event timestamp. diff --git a/packages/atlassian_confluence/1.5.2/data_stream/audit/fields/ecs.yml b/packages/atlassian_confluence/1.5.2/data_stream/audit/fields/ecs.yml deleted file mode 100755 index 788f1179b3..0000000000 --- a/packages/atlassian_confluence/1.5.2/data_stream/audit/fields/ecs.yml +++ /dev/null 
@@ -1,191 +0,0 @@ -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: Error message. - name: error.message - type: match_only_text -- description: |- - The action captured by the event. - This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. - name: event.action - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. This will allow proper categorization of some events that fall in multiple categories. - name: event.category - normalize: - - array - type: keyword -- description: |- - event.created contains the date/time when the event was first read by an agent, or by your pipeline. - This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. - In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. - In case the two timestamps are identical, @timestamp should be used. 
- name: event.created - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: |- - Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. - This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. - doc_values: false - index: false - name: event.original - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. - `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. This will allow proper categorization of some events that fall in multiple event types. - name: event.type - normalize: - - array - type: keyword -- description: Unique identifier for the group on the system/platform. - name: group.id - type: keyword -- description: Name of the group. - name: group.name - type: keyword -- description: |- - Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. 
- If the event wasn't read from a log file, do not populate this field. - name: log.file.path - type: keyword -- description: All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. - name: related.hosts - normalize: - - array - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - normalize: - - array - type: ip -- description: All the user names or other user identifiers seen on the event. - name: related.user - normalize: - - array - type: keyword -- description: |- - Address where data about this service was collected from. - This should be a URI, network address (ipv4:port or [ipv6]:port) or a resource path (sockets). - name: service.address - type: keyword -- description: |- - Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: source.address - type: keyword -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: source.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: source.as.organization.name - type: keyword -- description: Bytes sent from the source to the destination. - name: source.bytes - type: long -- description: |- - The domain name of the source system. - This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. - name: source.domain - type: keyword -- description: City name. - name: source.geo.city_name - type: keyword -- description: Name of the continent. 
- name: source.geo.continent_name - type: keyword -- description: Country ISO code. - name: source.geo.country_iso_code - type: keyword -- description: Country name. - name: source.geo.country_name - type: keyword -- description: Longitude and latitude. - name: source.geo.location - type: geo_point -- description: |- - User-defined description of a location, at the level of granularity they care about. - Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. - Not typically used in automated geolocation. - name: source.geo.name - type: keyword -- description: Region ISO code. - name: source.geo.region_iso_code - type: keyword -- description: Region name. - name: source.geo.region_name - type: keyword -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: List of keywords used to tag each event. - name: tags - normalize: - - array - type: keyword -- description: User email address. - name: user.changes.email - type: keyword -- description: User's full name, if available. - multi_fields: - - name: text - type: match_only_text - name: user.changes.full_name - type: keyword -- description: Short name or login of the user. - multi_fields: - - name: text - type: match_only_text - name: user.changes.name - type: keyword -- description: User's full name, if available. - multi_fields: - - name: text - type: match_only_text - name: user.full_name - type: keyword -- description: Unique identifier of the user. - name: user.id - type: keyword -- description: Short name or login of the user. - multi_fields: - - name: text - type: match_only_text - name: user.name - type: keyword -- description: User email address. - name: user.target.email - type: keyword -- description: User's full name, if available. - multi_fields: - - name: text - type: match_only_text - name: user.target.full_name - type: keyword -- description: Unique identifier for the group on the system/platform. 
- name: user.target.group.id - type: keyword -- description: Name of the group. - name: user.target.group.name - type: keyword -- description: Unique identifier of the user. - name: user.target.id - type: keyword -- description: Short name or login of the user. - multi_fields: - - name: text - type: match_only_text - name: user.target.name - type: keyword diff --git a/packages/atlassian_confluence/1.5.2/data_stream/audit/fields/fields.yml b/packages/atlassian_confluence/1.5.2/data_stream/audit/fields/fields.yml deleted file mode 100755 index bded174347..0000000000 --- a/packages/atlassian_confluence/1.5.2/data_stream/audit/fields/fields.yml +++ /dev/null @@ -1,47 +0,0 @@ -- name: confluence.audit - type: group - fields: - - name: type.categoryI18nKey - type: keyword - description: | - categoryI18nKey - - name: type.actionI18nKey - type: keyword - description: | - actionI18nKey - - name: type.category - type: keyword - description: | - Category - - name: type.action - type: keyword - description: | - Action - - name: type.area - type: keyword - description: | - Area - - name: type.level - type: keyword - description: | - Audit Level - - name: method - type: keyword - description: | - Method - - name: extra_attributes - type: flattened - description: | - Extra Attributes - - name: changed_values - type: flattened - description: | - Changed Values - - name: affected_objects - type: flattened - description: | - Affected Objects - - name: external_collaborator - type: boolean - description: | - Whether the user is an external collaborator user diff --git a/packages/atlassian_confluence/1.5.2/data_stream/audit/manifest.yml b/packages/atlassian_confluence/1.5.2/data_stream/audit/manifest.yml deleted file mode 100755 index e37aa56a4a..0000000000 --- a/packages/atlassian_confluence/1.5.2/data_stream/audit/manifest.yml +++ /dev/null 
@@ -1,150 +0,0 @@ -title: Confluence Audit Logs -type: logs -streams: - - input: logfile - title: Confluence audit logs - description: Collect Confluence audit logs - template_path: stream.yml.hbs - vars: - - name: paths - type: text - title: Paths - multi: true - required: true - show_user: true - default: - - /var/atlassian/application-data/confluence/log/audit/*.log - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: false - default: - - confluence-audit - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original` - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: > - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. - - - input: httpjson - title: Confluence audit logs via Confluence audit API - description: Collect Confluence audit logs via Confluence audit API - enabled: false - template_path: httpjson.yml.hbs - vars: - - name: api_url - type: text - title: API URL - description: The base URL to the Confluence server. - multi: false - required: true - show_user: true - - name: username - type: text - title: Confluence User Identifier - description: Your email address used as a Confluence user identifier, to be used with a Confluence API Token. Do not fill if you are using a personal access token. - multi: false - required: false - show_user: true - - name: password - type: password - title: Confluence API Token - description: Confluence API token used to authenticate with a Confluence user identifier. 
Do not fill if you are using a personal access token. - multi: false - required: false - show_user: true - - name: token - type: password - title: Personal Access Token - description: The Personal Access Token used for self-hosted instances. If set, Confluence User Identifier and Confluence API Token will be ignored. - required: false - multi: false - show_user: true - - name: atlassian_cloud - required: true - show_user: true - title: Atlassian Cloud - description: Is this an Atlassian SaaS Confluence instance - type: bool - multi: false - default: false - - name: http_client_timeout - type: text - title: HTTP Client Timeout - multi: false - required: false - show_user: true - default: 60s - - name: limit - type: integer - title: Limit - description: Number of events to fetch on each request - show_user: false - required: true - default: 1000 - - name: interval - type: text - title: Interval - multi: false - required: true - show_user: true - description: Interval at which the logs will be pulled. The value must be between 2m and 1h. - default: 1h - - name: initial_interval - type: text - title: Initial Interval - multi: false - required: true - show_user: false - description: Initial interval for the first API call. Defaults to 24 hours. 
- default: 24h - - name: ssl - type: yaml - title: SSL - multi: false - required: false - show_user: false - - name: proxy_url - type: text - title: Proxy URL - multi: false - required: false - show_user: false - description: URL to proxy connections in the form of http\[s\]://:@: - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: true - default: - - forwarded - - confluence-audit - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original` - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. \nThis executes in the agent before the logs are parsed. \nSee [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details." diff --git a/packages/atlassian_confluence/1.5.2/data_stream/audit/sample_event.json b/packages/atlassian_confluence/1.5.2/data_stream/audit/sample_event.json deleted file mode 100755 index bac7977383..0000000000 --- a/packages/atlassian_confluence/1.5.2/data_stream/audit/sample_event.json +++ /dev/null 
@@ -1,108 +0,0 @@ -{ - "@timestamp": "2021-11-23T00:41:45.280Z", - "agent": { - "ephemeral_id": "a362a4c6-e4c0-441d-9bca-edd06245f232", - "id": "82d0dfd8-3946-4ac0-a092-a9146a71e3f7", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "8.0.0-beta1" - }, - "confluence": { - "audit": { - "extra_attributes": [ - { - "name": "ID Range", - "nameI18nKey": "atlassian.audit.event.attribute.id", - "value": "77 - 176" - }, - { - "name": "Query", - "nameI18nKey": "atlassian.audit.event.attribute.query" - }, - { - "name": "Results returned", - "nameI18nKey": "atlassian.audit.event.attribute.results", - "value": "100" - }, - { - "name": "Timestamp Range", - "nameI18nKey": "atlassian.audit.event.attribute.timestamp", - "value": "2021-11-23T00:39:37.155Z - 2021-11-23T00:41:17.165Z" - } - ], - "method": "Browser", - "type": { - "action": "Audit Log search performed", - "actionI18nKey": "atlassian.audit.event.action.audit.search", - "category": "Auditing", - "categoryI18nKey": "atlassian.audit.event.category.audit" - } - } - }, - "data_stream": { - "dataset": "atlassian_confluence.audit", - "namespace": "ep", - "type": "logs" - }, - "ecs": { - "version": "8.3.0" - }, - "elastic_agent": { - "id": "82d0dfd8-3946-4ac0-a092-a9146a71e3f7", - "snapshot": false, - "version": "8.0.0-beta1" - }, - "event": { - "action": "atlassian.audit.event.action.audit.search", - "agent_id_status": "verified", - "created": "2021-12-24T00:49:08.197Z", - "dataset": "atlassian_confluence.audit", - "ingested": "2021-12-24T00:49:09Z", - "kind": "event", - "original": "{\"affectedObjects\":[],\"author\":{\"avatarUri\":\"\",\"id\":\"2c9680837d4a3682017d4a375a280000\",\"name\":\"test user\",\"type\":\"user\",\"uri\":\"http://confluence.internal:8090/admin/users/viewuser.action?username=admin\"},\"changedValues\":[],\"extraAttributes\":[{\"name\":\"ID Range\",\"nameI18nKey\":\"atlassian.audit.event.attribute.id\",\"value\":\"77 - 
176\"},{\"name\":\"Query\",\"nameI18nKey\":\"atlassian.audit.event.attribute.query\",\"value\":\"\"},{\"name\":\"Results returned\",\"nameI18nKey\":\"atlassian.audit.event.attribute.results\",\"value\":\"100\"},{\"name\":\"Timestamp Range\",\"nameI18nKey\":\"atlassian.audit.event.attribute.timestamp\",\"value\":\"2021-11-23T00:39:37.155Z - 2021-11-23T00:41:17.165Z\"}],\"method\":\"Browser\",\"source\":\"81.2.69.143\",\"system\":\"http://confluence.internal:8090\",\"timestamp\":\"2021-11-23T00:41:45.280Z\",\"type\":{\"action\":\"Audit Log search performed\",\"actionI18nKey\":\"atlassian.audit.event.action.audit.search\",\"category\":\"Auditing\",\"categoryI18nKey\":\"atlassian.audit.event.category.audit\"}}", - "type": "info" - }, - "input": { - "type": "httpjson" - }, - "related": { - "hosts": [ - "confluence.internal" - ], - "ip": [ - "81.2.69.143" - ], - "user": [ - "admin" - ] - }, - "service": { - "address": "http://confluence.internal:8090" - }, - "source": { - "address": "81.2.69.143", - "geo": { - "city_name": "London", - "continent_name": "Europe", - "country_iso_code": "GB", - "country_name": "United Kingdom", - "location": { - "lat": 51.5142, - "lon": -0.0931 - }, - "region_iso_code": "GB-ENG", - "region_name": "England" - }, - "ip": "81.2.69.143" - }, - "tags": [ - "preserve_original_event", - "forwarded", - "confluence-audit" - ], - "user": { - "full_name": "test user", - "id": "2c9680837d4a3682017d4a375a280000", - "name": "admin" - } -} \ No newline at end of file diff --git a/packages/atlassian_confluence/1.5.2/docs/README.md b/packages/atlassian_confluence/1.5.2/docs/README.md deleted file mode 100755 index dff2e5de8c..0000000000 --- a/packages/atlassian_confluence/1.5.2/docs/README.md +++ /dev/null 
@@ -1,232 +0,0 @@ -# Atlassian Confluence Integration - -The Confluence integration collects [audit logs](https://confluence.atlassian.com/doc/auditing-in-confluence-829076528.html) from the audit log files or the [audit API](https://developer.atlassian.com/cloud/confluence/rest/api-group-audit/). - -## Authentication Set-Up - -When setting up the Atlassian Confluence Integration for Atlassian Cloud you will need to use the "Confluence User Identifier" and "Confluence API Token" fields in the integration configuration. These will allow connection to the [Atlassian Cloud REST API](https://developer.atlassian.com/cloud/confluence/basic-auth-for-rest-apis/). - -If you are using a self-hosted instance, you will be able to use either the "Confluence User Identifier" and "Confluence API Token" fields above, *or* use the "Personal Access Token" field to [authenticate with a PAT](https://confluence.atlassian.com/enterprise/using-personal-access-tokens-1026032365.html). If the "Personal Access Token" field is set in the configuration, it will take precedence over the User ID/API Token fields. - -## Logs - -### Audit - -The Confluence integration collects audit logs from the audit log files or the audit API from self hosted Confluence Data Center. It has been tested with Confluence 7.14.2 but is expected to work with newer versions. As of version 1.2.0, this integration added experimental support for Atlassian Confluence Cloud. JIRA Cloud only supports Basic Auth using username and a Personal Access Token. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. 
| keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| confluence.audit.affected_objects | Affected Objects | flattened | -| confluence.audit.changed_values | Changed Values | flattened | -| confluence.audit.external_collaborator | Whether the user is an external collaborator user | boolean | -| confluence.audit.extra_attributes | Extra Attributes | flattened | -| confluence.audit.method | Method | keyword | -| confluence.audit.type.action | Action | keyword | -| confluence.audit.type.actionI18nKey | actionI18nKey | keyword | -| confluence.audit.type.area | Area | keyword | -| confluence.audit.type.category | Category | keyword | -| confluence.audit.type.categoryI18nKey | categoryI18nKey | keyword | -| confluence.audit.type.level | Audit Level | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| error.message | Error message. 
| match_only_text | -| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | -| event.dataset | Event dataset | constant_keyword | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. 
They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | -| event.module | Event module | constant_keyword | -| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | -| group.id | Unique identifier for the group on the system/platform. | keyword | -| group.name | Name of the group. | keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. 
| keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| input.type | Input type | keyword | -| log.file.path | Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. | keyword | -| log.offset | Log offset | long | -| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| related.user | All the user names or other user identifiers seen on the event. | keyword | -| service.address | Address where data about this service was collected from. This should be a URI, network address (ipv4:port or [ipv6]:port) or a resource path (sockets). | keyword | -| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. 
You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| source.as.organization.name | Organization name. | keyword | -| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text | -| source.bytes | Bytes sent from the source to the destination. | long | -| source.domain | The domain name of the source system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | -| source.geo.city_name | City name. | keyword | -| source.geo.continent_name | Name of the continent. | keyword | -| source.geo.country_iso_code | Country ISO code. | keyword | -| source.geo.country_name | Country name. | keyword | -| source.geo.location | Longitude and latitude. | geo_point | -| source.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | -| source.geo.region_iso_code | Region ISO code. | keyword | -| source.geo.region_name | Region name. | keyword | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| tags | List of keywords used to tag each event. | keyword | -| user.changes.email | User email address. | keyword | -| user.changes.full_name | User's full name, if available. | keyword | -| user.changes.full_name.text | Multi-field of `user.changes.full_name`. | match_only_text | -| user.changes.name | Short name or login of the user. | keyword | -| user.changes.name.text | Multi-field of `user.changes.name`. 
| match_only_text | -| user.full_name | User's full name, if available. | keyword | -| user.full_name.text | Multi-field of `user.full_name`. | match_only_text | -| user.id | Unique identifier of the user. | keyword | -| user.name | Short name or login of the user. | keyword | -| user.name.text | Multi-field of `user.name`. | match_only_text | -| user.target.email | User email address. | keyword | -| user.target.full_name | User's full name, if available. | keyword | -| user.target.full_name.text | Multi-field of `user.target.full_name`. | match_only_text | -| user.target.group.id | Unique identifier for the group on the system/platform. | keyword | -| user.target.group.name | Name of the group. | keyword | -| user.target.id | Unique identifier of the user. | keyword | -| user.target.name | Short name or login of the user. | keyword | -| user.target.name.text | Multi-field of `user.target.name`. | match_only_text | - - -An example event for `audit` looks as following: - -```json -{ - "@timestamp": "2021-11-23T00:41:45.280Z", - "agent": { - "ephemeral_id": "a362a4c6-e4c0-441d-9bca-edd06245f232", - "id": "82d0dfd8-3946-4ac0-a092-a9146a71e3f7", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "8.0.0-beta1" - }, - "confluence": { - "audit": { - "extra_attributes": [ - { - "name": "ID Range", - "nameI18nKey": "atlassian.audit.event.attribute.id", - "value": "77 - 176" - }, - { - "name": "Query", - "nameI18nKey": "atlassian.audit.event.attribute.query" - }, - { - "name": "Results returned", - "nameI18nKey": "atlassian.audit.event.attribute.results", - "value": "100" - }, - { - "name": "Timestamp Range", - "nameI18nKey": "atlassian.audit.event.attribute.timestamp", - "value": "2021-11-23T00:39:37.155Z - 2021-11-23T00:41:17.165Z" - } - ], - "method": "Browser", - "type": { - "action": "Audit Log search performed", - "actionI18nKey": "atlassian.audit.event.action.audit.search", - "category": "Auditing", - "categoryI18nKey": 
"atlassian.audit.event.category.audit" - } - } - }, - "data_stream": { - "dataset": "atlassian_confluence.audit", - "namespace": "ep", - "type": "logs" - }, - "ecs": { - "version": "8.3.0" - }, - "elastic_agent": { - "id": "82d0dfd8-3946-4ac0-a092-a9146a71e3f7", - "snapshot": false, - "version": "8.0.0-beta1" - }, - "event": { - "action": "atlassian.audit.event.action.audit.search", - "agent_id_status": "verified", - "created": "2021-12-24T00:49:08.197Z", - "dataset": "atlassian_confluence.audit", - "ingested": "2021-12-24T00:49:09Z", - "kind": "event", - "original": "{\"affectedObjects\":[],\"author\":{\"avatarUri\":\"\",\"id\":\"2c9680837d4a3682017d4a375a280000\",\"name\":\"test user\",\"type\":\"user\",\"uri\":\"http://confluence.internal:8090/admin/users/viewuser.action?username=admin\"},\"changedValues\":[],\"extraAttributes\":[{\"name\":\"ID Range\",\"nameI18nKey\":\"atlassian.audit.event.attribute.id\",\"value\":\"77 - 176\"},{\"name\":\"Query\",\"nameI18nKey\":\"atlassian.audit.event.attribute.query\",\"value\":\"\"},{\"name\":\"Results returned\",\"nameI18nKey\":\"atlassian.audit.event.attribute.results\",\"value\":\"100\"},{\"name\":\"Timestamp Range\",\"nameI18nKey\":\"atlassian.audit.event.attribute.timestamp\",\"value\":\"2021-11-23T00:39:37.155Z - 2021-11-23T00:41:17.165Z\"}],\"method\":\"Browser\",\"source\":\"81.2.69.143\",\"system\":\"http://confluence.internal:8090\",\"timestamp\":\"2021-11-23T00:41:45.280Z\",\"type\":{\"action\":\"Audit Log search performed\",\"actionI18nKey\":\"atlassian.audit.event.action.audit.search\",\"category\":\"Auditing\",\"categoryI18nKey\":\"atlassian.audit.event.category.audit\"}}", - "type": "info" - }, - "input": { - "type": "httpjson" - }, - "related": { - "hosts": [ - "confluence.internal" - ], - "ip": [ - "81.2.69.143" - ], - "user": [ - "admin" - ] - }, - "service": { - "address": "http://confluence.internal:8090" - }, - "source": { - "address": "81.2.69.143", - "geo": { - "city_name": "London", - 
"continent_name": "Europe", - "country_iso_code": "GB", - "country_name": "United Kingdom", - "location": { - "lat": 51.5142, - "lon": -0.0931 - }, - "region_iso_code": "GB-ENG", - "region_name": "England" - }, - "ip": "81.2.69.143" - }, - "tags": [ - "preserve_original_event", - "forwarded", - "confluence-audit" - ], - "user": { - "full_name": "test user", - "id": "2c9680837d4a3682017d4a375a280000", - "name": "admin" - } -} -``` \ No newline at end of file diff --git a/packages/atlassian_confluence/1.5.2/img/confluence-logo.svg b/packages/atlassian_confluence/1.5.2/img/confluence-logo.svg deleted file mode 100755 index 7aac36a6fe..0000000000 --- a/packages/atlassian_confluence/1.5.2/img/confluence-logo.svg +++ /dev/null @@ -1 +0,0 @@ - \ No newline at end of file diff --git a/packages/atlassian_confluence/1.5.2/manifest.yml b/packages/atlassian_confluence/1.5.2/manifest.yml deleted file mode 100755 index a51a23f612..0000000000 --- a/packages/atlassian_confluence/1.5.2/manifest.yml +++ /dev/null @@ -1,31 +0,0 @@ -format_version: 1.0.0 -name: atlassian_confluence -title: Atlassian Confluence -version: "1.5.2" -license: basic -description: Collect logs from Atlassian Confluence with Elastic Agent. -type: integration -categories: - - security - - web -release: ga -conditions: - kibana.version: "^7.16.0 || ^8.0.0" -icons: - - src: /img/confluence-logo.svg - title: Confluence Logo - size: 400x400 - type: image/svg+xml -policy_templates: - - name: audit - title: Audit Logs - description: Collect audit logs from Atlassian Confluence with Elastic Agent. - inputs: - - type: logfile - title: "Collect Confluence audit logs via log files" - description: "Collecting audit logs from Confluence via log files" - - type: httpjson - title: "Collect Confluence audit logs via API" - description: "Collecting audit logs from Confluence via API" -owner: - github: elastic/security-external-integrations 
diff --git a/packages/auth0/1.2.1/LICENSE.txt b/packages/auth0/1.2.1/LICENSE.txt
deleted file mode 100755
index 809108b857..0000000000
--- a/packages/auth0/1.2.1/LICENSE.txt
+++ /dev/null
@@ -1,93 +0,0 @@
-Elastic License 2.0
-
-URL: https://www.elastic.co/licensing/elastic-license
-
-## Acceptance
-
-By using the software, you agree to all of the terms and conditions below.
-
-## Copyright License
-
-The licensor grants you a non-exclusive, royalty-free, worldwide,
-non-sublicensable, non-transferable license to use, copy, distribute, make
-available, and prepare derivative works of the software, in each case subject to
-the limitations and conditions below.
-
-## Limitations
-
-You may not provide the software to third parties as a hosted or managed
-service, where the service provides users with access to any substantial set of
-the features or functionality of the software.
-
-You may not move, change, disable, or circumvent the license key functionality
-in the software, and you may not remove or obscure any functionality in the
-software that is protected by the license key.
-
-You may not alter, remove, or obscure any licensing, copyright, or other notices
-of the licensor in the software. Any use of the licensor’s trademarks is subject
-to applicable law.
-
-## Patents
-
-The licensor grants you a license, under any patent claims the licensor can
-license, or becomes able to license, to make, have made, use, sell, offer for
-sale, import and have imported the software, in each case subject to the
-limitations and conditions in this license. This license does not cover any
-patent claims that you cause to be infringed by modifications or additions to
-the software. If you or your company make any written claim that the software
-infringes or contributes to infringement of any patent, your patent license for
-the software granted under these terms ends immediately. If your company makes
-such a claim, your patent license ends immediately for work on behalf of your
-company.
-
-## Notices
-
-You must ensure that anyone who gets a copy of any part of the software from you
-also gets a copy of these terms.
-
-If you modify the software, you must include in any modified copies of the
-software prominent notices stating that you have modified the software.
-
-## No Other Rights
-
-These terms do not imply any licenses other than those expressly granted in
-these terms.
-
-## Termination
-
-If you use the software in violation of these terms, such use is not licensed,
-and your licenses will automatically terminate. If the licensor provides you
-with a notice of your violation, and you cease all violation of this license no
-later than 30 days after you receive that notice, your licenses will be
-reinstated retroactively. However, if you violate these terms after such
-reinstatement, any additional violation of these terms will cause your licenses
-to terminate automatically and permanently.
-
-## No Liability
-
-*As far as the law allows, the software comes as is, without any warranty or
-condition, and the licensor will not be liable to you for any damages arising
-out of these terms or the use or nature of the software, under any kind of
-legal claim.*
-
-## Definitions
-
-The **licensor** is the entity offering these terms, and the **software** is the
-software the licensor makes available under these terms, including any portion
-of it.
-
-**you** refers to the individual or entity agreeing to these terms.
-
-**your company** is any legal entity, sole proprietorship, or other kind of
-organization that you work for, plus all organizations that have control over,
-are under the control of, or are under common control with that
-organization. **control** means ownership of substantially all the assets of an
-entity, or the power to direct its management and policies by vote, contract, or
-otherwise. Control can be direct or indirect.
-
-**your licenses** are all the licenses granted to you for the software under
-these terms.
-
-**use** means anything you do with the software requiring one of your licenses.
- -**trademark** means trademarks, service marks, and similar rights. diff --git a/packages/auth0/1.2.1/changelog.yml b/packages/auth0/1.2.1/changelog.yml deleted file mode 100755 index 996b15ce9e..0000000000 --- a/packages/auth0/1.2.1/changelog.yml +++ /dev/null @@ -1,51 +0,0 @@ -# newer versions go on top -- version: "1.2.1" - changes: - - description: Use ECS geo.location definition. - type: enhancement - link: https://github.com/elastic/integrations/issues/4227 -- version: "1.2.0" - changes: - - description: Update package to ECS 8.4.0 - type: enhancement - link: https://github.com/elastic/integrations/pull/3841 -- version: "1.1.1" - changes: - - description: Update package name and description to align with standard wording - type: enhancement - link: https://github.com/elastic/integrations/pull/3478 -- version: "1.1.0" - changes: - - description: Update package to ECS 8.3.0. - type: enhancement - link: https://github.com/elastic/integrations/pull/3353 -- version: "1.0.0" - changes: - - description: Make GA - type: enhancement - link: https://github.com/elastic/integrations/pull/3428 -- version: "0.1.4" - changes: - - description: Update Readme - type: enhancement - link: https://github.com/elastic/integrations/pull/3065 -- version: "0.1.3" - changes: - - description: Add documentation for multi-fields - type: enhancement - link: https://github.com/elastic/integrations/pull/2916 -- version: "0.1.2" - changes: - - description: Fix documentation bug - type: bugfix - link: https://github.com/elastic/integrations/pull/2761 -- version: "0.1.1" - changes: - - description: Update Auth0 logo image - type: bugfix - link: https://github.com/elastic/integrations/pull/2749 -- version: "0.1.0" - changes: - - description: Initial commit - type: enhancement - link: https://github.com/elastic/integrations/pull/2152 
diff --git a/packages/auth0/1.2.1/data_stream/logs/agent/stream/http_endpoint.yml.hbs b/packages/auth0/1.2.1/data_stream/logs/agent/stream/http_endpoint.yml.hbs deleted file mode 100755 index 1203728f14..0000000000 --- a/packages/auth0/1.2.1/data_stream/logs/agent/stream/http_endpoint.yml.hbs +++ /dev/null @@ -1,41 +0,0 @@ -type: http_endpoint -enabled: true -prefix: json - -{{#if listen_address}} -listen_address: {{listen_address}} -{{/if}} -{{#if listen_port}} -listen_port: {{listen_port}} -{{/if}} -{{#if url}} -url: {{url}} -{{/if}} - -{{#if secret_value}} -secret.header: Authorization -secret.value: "{{secret_value}}" -{{/if}} - -{{#if ssl}} -ssl: {{ssl}} -{{/if}} - -{{#if preserve_original_event}} -preserve_original_event: true -{{/if}} - -tags: -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#each tags as |tag i|}} - - {{tag}} -{{/each}} -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} -{{#if processors}} -processors: -{{processors}} -{{/if}} diff --git a/packages/auth0/1.2.1/data_stream/logs/elasticsearch/ingest_pipeline/default.yml b/packages/auth0/1.2.1/data_stream/logs/elasticsearch/ingest_pipeline/default.yml deleted file mode 100755 index 0ccbb38ac4..0000000000 --- a/packages/auth0/1.2.1/data_stream/logs/elasticsearch/ingest_pipeline/default.yml +++ /dev/null 
@@ -1,1105 +0,0 @@ ---- -description: Pipeline for processing Auth0 log stream events -processors: -- set: - field: ecs.version - value: '8.4.0' -- set: - field: auth0.logs.data - copy_from: json.data -- date: - field: auth0.logs.data.date - formats: - - ISO8601 -- set: - field: log.level - value: info -- set: - field: log.level - value: error - if: ctx?.auth0?.logs?.data?.details?.error != null -- set: - field: source.ip - copy_from: auth0.logs.data.ip - if: ctx?.auth0?.logs?.data?.ip != null -# IP Geolocation Lookup -- geoip: - field: source.ip - target_field: source.geo - ignore_missing: true - if: 'ctx.source?.geo == null && ctx?.source?.ip != null' -# IP Autonomous System (AS) Lookup -- geoip: - database_file: GeoLite2-ASN.mmdb - field: source.ip - target_field: source.as - properties: - - asn - - organization_name - ignore_missing: true - if: ctx?.source?.ip != null -- rename: - field: source.as.asn - target_field: source.as.number - ignore_missing: true -- rename: - field: source.as.organization_name - target_field: source.as.organization.name - ignore_missing: true -- set: - field: network.type - value: ipv6 - if: 'ctx.source?.ip != null && ctx.source?.ip.contains(":")' -- set: - field: network.type - value: ipv4 - if: 'ctx.network?.type == null && ctx.source?.ip != null' -- set: - field: user.name - copy_from: auth0.logs.data.user_name - if: 'ctx?.auth0?.logs?.data?.user_name != null' -- set: - field: user.id - copy_from: auth0.logs.data.user_id - if: 'ctx?.auth0?.logs?.data?.user_id != null' -- user_agent: - field: auth0.logs.data.user_agent - ignore_missing: true -- set: - field: event.id - copy_from: auth0.logs.data.log_id - if: 'ctx?.auth0?.logs?.data?.log_id != null' -## -# Event kind, code and action -## -- set: - field: event.kind - value: event -- append: - field: event.category - value: authentication -- script: - lang: painless - description: Sets event type, category and action based on type - if: ctx?.auth0?.logs?.data?.type != null - params: - 
actions: - f: - classification: "Login - Failure" - value: "Failed login" - type: - - info - action: failed-login - fc: - classification: "Login - Failure" - value: "Failed connector login" - type: - - info - action: failed-connector-login - fco: - classification: "Login - Failure" - value: "Origin is not in the application's Allowed Origins list" - type: - - info - action: origin-not-allowed - fcoa: - classification: "Login - Failure" - value: "Failed cross-origin authentication" - type: - - info - action: failed-cross-origin-authentication - fens: - classification: "Login - Failure" - value: "Failed native social login" - type: - - info - action: failed-native-social-login - fp: - classification: "Login - Failure" - value: "Incorrect password" - type: - - info - action: incorrect-password - fu: - classification: "Login - Failure" - value: "Invalid email or username" - type: - - info - - indicator - category: - - threat - action: invalid-username-or-email - w: - classification: "Login - Notification" - value: "Warnings during login" - type: - - info - - indicator - category: - - threat - action: warnings-during-login - s: - classification: "Login - Success" - value: "Successful login" - type: - - info - - start - category: - - session - action: successful-login - scoa: - classification: "Login - Success" - value: "Successful cross-origin authentication" - type: - - info - - start - category: - - session - action: successful-cross-origin-authentication - sens: - classification: "Login - Success" - value: "Successful native social login" - type: - - info - - start - category: - - session - action: successful-native-social-login - flo: - classification: "Logout - Failure" - value: "User logout failed" - type: - - info - category: - - session - action: user-logout-failed - slo: - classification: "Logout - Success" - value: "User successfully logged out" - type: - - info - - end - category: - - session - action: user-logout-successful - fs: - classification: "Signup - 
Failure" - value: "User signup failed" - type: - - info - - creation - - user - category: - - iam - action: user-signup-failed - fsa: - classification: "Silent Authentication - Failure" - value: "Failed silent authentication" - type: - - info - - indicator - category: - - threat - action: failed-silent-authentication - ssa: - classification: "Silent Authentication - Success" - value: "Successful silent authentication" - type: - - info - action: successful-silent-authentication - feacft: - classification: "Token Exchange - Failure" - value: "Failed exchange of Authorization Code for Access Token" - type: - - info - - protocol - - error - category: - - network - - web - action: failed-exchange-auth-code-for-access-token - feccft: - classification: "Token Exchange - Failure" - value: "Failed exchange of Access Token for a Client Credentials Grant" - type: - - info - - protocol - - error - category: - - network - - web - action: failed-exchange-access-token-for-client-cred-grant - fede: - classification: "Token Exchange - Failure" - value: "Failed exchange of Device Code for Access Token" - type: - - info - - protocol - - error - category: - - network - - web - action: failed-exchange-device-code-for-access-token - feoobft: - classification: "Token Exchange - Failure" - value: "Failed exchange of Password and OOB Challenge for Access Token" - type: - - info - - protocol - - error - category: - - network - - web - action: failed-exchange-password-oob-challenge-for-access-token - feotpft: - classification: "Token Exchange - Failure" - value: "Failed exchange of Password and OTP Challenge for Access Token" - type: - - info - - protocol - - error - category: - - network - - web - action: failed-exchange-password-otp-challenge-for-access-token - fepft: - classification: "Token Exchange - Failure" - value: "Failed exchange of Password for Access Token" - type: - - info - - protocol - - error - category: - - network - - web - action: failed-exchange-password-for-access-token 
- fepotpft: - classification: "Token Exchange - Failure" - value: "Failed exchange of Passwordless OTP for Access Token" - type: - - info - - protocol - - error - category: - - network - - web - action: failed-exchange-passwordless-otp-for-access-token - fercft: - classification: "Token Exchange - Failure" - value: "Failed exchange of Password and MFA Recovery code for Access Token" - type: - - info - - protocol - - error - category: - - network - - web - action: failed-exchange-password-mfa-recovery-code-for-access-token - ferrt: - classification: "Token Exchange - Failure" - value: "Failed exchange of Rotating Refresh Token" - type: - - info - - protocol - - error - category: - - network - - web - action: failed-exchange-rotating-refresh-token - fertft: - classification: "Token Exchange - Failure" - value: "Failed exchange of Refresh Token for Access Token" - type: - - info - - protocol - - error - category: - - network - - web - action: failed-exchange-refresh-token-for-access-token - seacft: - classification: "Token Exchange - Success" - value: "Successful exchange of Authorization Code for Access Token" - type: - - info - - protocol - - access - category: - - network - - web - action: success-exchange-auth-code-for-access-token - seccft: - classification: "Token Exchange - Success" - value: "Successful exchange of Access Token for a Client Credentials Grant" - type: - - info - - protocol - - access - category: - - network - - web - action: success-exchange-access-token-for-client-cred-grant - sede: - classification: "Token Exchange - Success" - value: "Successful exchange of Device Code for Access Token" - type: - - info - - protocol - - access - category: - - network - - web - action: success-exchange-device-code-for-access-token - seoobft: - classification: "Token Exchange - Success" - value: "Successful exchange of Password and OOB Challenge for Access Token" - type: - - info - - protocol - - access - category: - - network - - web - action: 
success-exchange-password-oob-challange-for-access-token - seotpft: - classification: "Token Exchange - Success" - value: "Successful exchange of Password and OTP Challenge for Access Token" - type: - - info - - protocol - - access - category: - - network - - web - action: success-exchange-password-otp-challenge-for-access-token - sepft: - classification: "Token Exchange - Success" - value: "Successful exchange of Password for Access Token" - type: - - info - - protocol - - access - category: - - network - - web - action: success-exchange-password-for-access-token - sercft: - classification: "Token Exchange - Success" - value: "Successful exchange of Password and MFA Recovery code for Access Token" - type: - - info - - protocol - - access - category: - - network - - web - action: success-exchange-mfa-recovery-code-for-access-token - sertft: - classification: "Token Exchange - Success" - value: "Successful exchange of Refresh Token for Access Token" - type: - - info - - protocol - - access - category: - - network - - web - action: success-exchange-refresh-token-for-access-token - fapi: - classification: "Management API - Failure" - value: "Failed Management API operation" - type: - - info - - error - category: - - web - action: failed-mgmt-api-operation - sapi: - classification: "Management API - Success" - value: "Successful Management API operation" - type: - - info - - access - - change - category: - - web - - iam - action: success-mgmt-api-op - mgmt_api_read: - classification: "Management API - Success" - value: "API GET operation returning secrets completed successfully" - type: - - info - - access - category: - - web - - iam - action: success-mgmt-api-op-secrets-returned - admin_update_launch: - classification: "System - Notification" - value: "Auth0 Update Launched" - type: - - change - category: - - configuration - action: auth0-update-launched - api_limit: - classification: "System - Notification" - value: "The maximum number of requests to the 
Authentication or Management APIs in given time has reached" - type: - - info - - access - category: - - network - action: max-requests-reached - coff: - classification: "System - Notification" - value: "AD/LDAP Connector is offline" - type: - - error - - connection - category: - - network - - web - action: ad-ldap-connector-offline - con: - classification: "System - Notification" - value: "AD/LDAP Connector is online and working" - type: - - info - - connection - category: - - network - action: ad-ldap-connector-online - depnote: - classification: "System - Notification" - value: "Deprecation Notice" - type: - - info - action: deprecation-notice - fcpro: - classification: "System - Notification" - value: "Failed to provision a AD/LDAP connector" - type: - - info - - connection - - error - category: - - network - action: failed-ad-ldap-provision - fui: - classification: "System - Notification" - value: "Failed to import users" - type: - - info - - user - - error - category: - - iam - - web - action: failed-to-import-users - limit_delegation: - classification: "System - Notification" - value: "Rate limit exceeded to /delegation endpoint" - type: - - info - - access - category: - - network - action: rate-limit-exceeded-to-delegation-endpoint - limit_mu: - classification: "System - Notification" - value: "An IP address is blocked with 100 failed login attempts using different usernames" - type: - - indicator - - info - category: - - threat - - intrusion_detection - action: hundred-failed-logins-ip-address-blocked - limit_wc: - classification: "System - Notification" - value: "An IP address is blocked with 10 failed login attempts into a single account from the same IP address" - type: - - indicator - - info - category: - - threat - - intrusion_detection - action: ten-failed-logins-ip-address-blocked - sys_os_update_start: - classification: "System - Notification" - value: "Auth0 OS Update Started" - type: - - change - - start - - installation - category: - - 
configuration - - package - action: auth0-os-update-started - sys_os_update_end: - classification: "System - Notification" - value: "Auth0 OS Update Ended" - type: - - change - - end - - installation - category: - - configuration - - package - action: auth0-os-update-ended - sys_update_start: - classification: "System - Notification" - value: "Auth0 Update Started" - type: - - change - - start - - installation - category: - - configuration - - package - action: auth0-update-started - sys_update_end: - classification: "System - Notification" - value: "Auth0 Update Ended" - type: - - change - - end - - installation - category: - - configuration - - package - action: auth0-update-ended - fce: - classification: "User/Behavioral - Failure" - value: "Failed to change user email" - type: - - change - - user - category: - - iam - action: failed-to-change-user-email - fcp: - classification: "User/Behavioral - Failure" - value: "Failed to change password" - type: - - change - - user - category: - - iam - action: failed-to-change-password - fcpn: - classification: "User/Behavioral - Failure" - value: "Failed to change phone number" - type: - - change - - user - category: - - iam - action: failed-to-change-phone-number - fcpr: - classification: "User/Behavioral - Failure" - value: "Failed change password request" - type: - - change - - user - category: - - iam - action: failed-change-password-request - fcu: - classification: "User/Behavioral - Failure" - value: "Failed to change username" - type: - - change - - user - category: - - iam - action: failed-to-change-username - fd: - classification: "User/Behavioral - Failure" - value: "Failed to generate delegation token" - type: - - info - - user - category: - - iam - action: failed-to-generate-delegation-token - fdeaz: - classification: "User/Behavioral - Failure" - value: "Device authorization request failed" - type: - - info - - user - category: - - iam - action: failed-device-authorization-request - fdecc: - classification: 
"User/Behavioral - Failure" - value: "User did not confirm device" - type: - - info - action: user-device-not-confirmed - fdu: - classification: "User/Behavioral - Failure" - value: "Failed user deletion" - type: - - deletion - - user - category: - - iam - action: failed-user-deletion - fn: - classification: "User/Behavioral - Failure" - value: "Failed to send email notification" - type: - - info - action: failed-to-send-email-notification - fv: - classification: "User/Behavioral - Failure" - value: "Failed to send verification email" - type: - - info - action: failed-to-send-verification-email - fvr: - classification: "User/Behavioral - Failure" - value: "Failed to process verification email request" - type: - - info - action: failed-to-process-verification-email - cs: - classification: "User/Behavioral - Notification" - value: "Passwordless login code has been sent" - type: - - info - action: passwordless-login-code-sent - du: - classification: "User/Behavioral - Notification" - value: "User has been deleted" - type: - - info - - user - - deletion - category: - - iam - action: user-deleted - gd_enrollment_complete: - classification: "User/Behavioral - Notification" - value: "A first time MFA user has successfully enrolled using one of the factors" - type: - - info - - change - - end - category: - - iam - - session - action: mfa-enrollment-completed - gd_start_enroll: - classification: "User/Behavioral - Notification" - value: "Multi-factor authentication enroll has started" - type: - - info - - change - - start - category: - - iam - - session - action: mfa-enrollment-started - gd_unenroll: - classification: "User/Behavioral - Notification" - value: "Device used for second factor authentication has been unenrolled" - type: - - info - - deletion - category: - - iam - action: mfa-device-unenrolled - gd_update_device_account: - classification: "User/Behavioral - Notification" - value: "Device used for second factor authentication has been updated" - type: - - info - 
- change - category: - - iam - action: mfa-device-updated - ublkdu: - classification: "User/Behavioral - Notification" - value: "User block setup by anomaly detection has been released" - type: - - info - action: user-login-block-released - sce: - classification: "User/Behavioral - Success" - value: "Successfully changed user email" - type: - - info - - change - - user - category: - - iam - action: user-email-changed-successfully - scp: - classification: "User/Behavioral - Success" - value: "Successfully changed password" - type: - - info - - change - - user - category: - - iam - action: user-password-changed-successfully - scpn: - classification: "User/Behavioral - Success" - value: "Successfully changed phone number" - type: - - info - - change - - user - category: - - iam - action: user-phone-number-changed-successfully - scpr: - classification: "User/Behavioral - Success" - value: "Successful change password request" - type: - - info - - change - - user - category: - - iam - action: user-password-change-request-successful - scu: - classification: "User/Behavioral - Success" - value: "Successfully changed username" - type: - - info - - change - - user - category: - - iam - action: username-changed-successfully - sdu: - classification: "User/Behavioral - Success" - value: "User successfully deleted" - type: - - info - - deletion - category: - - iam - action: user-deleted-successfully - srrt: - classification: "User/Behavioral - Success" - value: "Successfully revoked a Refresh Token" - type: - - info - - deletion - category: - - iam - action: revoked-refresh-token-successfully - sui: - classification: "User/Behavioral - Success" - value: "Successfully imported users" - type: - - info - - user - category: - - iam - action: imported-users-successfully - sv: - classification: "User/Behavioral - Success" - value: "Sent verification email" - type: - - info - - user - category: - - iam - action: sent-verification-email - svr: - classification: "User/Behavioral - 
Success" - value: "Successfully processed verification email request" - type: - - info - - user - category: - - iam - action: email-verification-processed-successfully - fcph: - classification: "Other" - value: "Failed Post Change Password Hook" - type: - - change - - user - category: - - iam - action: failed-post-change-password-hook - fdeac: - classification: "Other" - value: "Failed to activate device" - type: - - info - action: failed-to-activate-device - fi: - classification: "Other" - value: "Failed to accept a user invitation. This could happen if the user accepts an invitation using a different email address than provided in the invitation, or due to a system failure while provisioning the invitation." - type: - - info - action: failed-to-accept-user-invitation - gd_auth_failed: - classification: "Other" - value: "Multi-factor authentication failed. This could happen due to a wrong code entered for SMS/Voice/Email/TOTP factors, or a system failure." - type: - - info - action: mfa-authentication-failed-wrong-code - gd_auth_rejected: - classification: "Other" - value: "A user rejected a Multi-factor authentication request via push-notification." - type: - - info - action: user-rejected-mfa-request - gd_auth_succeed: - classification: "Other" - value: "Multi-factor authentication success." - type: - - info - action: mfa-authentication-succeeded - gd_otp_rate_limit_exceed: - classification: "Other" - value: "A user, during enrollment or authentication, enters an incorrect code more than the maximum allowed number of times. Ex: A user enrolling in SMS enters the 6-digit code wrong more than 10 times in a row." - type: - - info - - indicator - category: - - threat - action: user-entered-too-many-incorrect-codes - gd_recovery_failed: - classification: "Other" - value: "A user enters a wrong recovery code when attempting to authenticate." 
- type: - - info - action: user-entered-wrong-recovery-code - gd_recovery_rate_limit_exceed: - classification: "Other" - value: "A user enters a wrong recovery code too many times." - type: - - info - - indicator - category: - - threat - action: user-entered-too-many-wrong-codes - gd_recovery_succeed: - classification: "Other" - value: "A user successfully authenticates with a recovery code" - type: - - info - action: recovery-succeeded - gd_send_pn: - classification: "Other" - value: "Push notification for MFA sent successfully sent." - type: - - info - action: push-notification-sent - gd_send_sms: - classification: "Other" - value: "SMS for MFA successfully sent." - type: - - info - action: sms-sent - gd_send_sms_failure: - classification: "Other" - value: "Attempt to send SMS for MFA failed." - type: - - info - action: failed-to-send-sms - gd_send_voice: - classification: "Other" - value: "Voice call for MFA successfully made." - type: - - info - action: voice-call-made - gd_send_voice_failure: - classification: "Other" - value: "Attempt to make Voice call for MFA failed." - type: - - info - action: voice-call-failure - gd_start_auth: - classification: "Other" - value: "Second factor authentication event started for MFA." - type: - - info - action: 2fa-auth-event-started - gd_tenant_update: - classification: "Other" - value: "Guardian tenant update" - type: - - info - action: guardian-tenant-update - limit_sul: - classification: "Other" - value: "A user is temporarily prevented from logging in because more than 20 logins per minute occurred from the same IP address" - type: - - info - - indicator - category: - - threat - action: user-blocked-too-many-failed-logins-from-same-ip - mfar: - classification: "Other" - value: "A user has been prompted for multi-factor authentication (MFA). When using Adaptive MFA, Auth0 includes details about the risk assessment." 
- type: - - info - action: user-prompted-for-mfa - pla: - classification: "Other" - value: "This log is generated before a login and helps in monitoring the behavior of bot detection without having to enable it." - type: - - info - action: pre-login-assessment - pwd_leak: - classification: "Other" - value: "Someone behind the IP address attempted to login with a leaked password." - type: - - info - category: - - intrusion_detection - action: login-with-breached-password - scph: - classification: "Other" - value: "Success Post Change Password Hook" - type: - - info - action: success-post-change-password-hook - sd: - classification: "Other" - value: "Success delegation" - type: - - info - action: success-delegation - si: - classification: "Other" - value: "Successfully accepted a user invitation" - type: - - info - action: successfully-accepted-user-invitation - ss: - classification: "Other" - value: "Success Signup" - type: - - info - action: success-signup - source: |- - def eventType = ctx.auth0.logs.data.type; - def actions = params.get('actions'); - def actionData = actions.get(eventType); - if (actionData == null) { - ctx.event.action = 'unknown-' + eventType; - ctx.event.type = ['info']; - return; - } - // overwrite type abbreviation with actual value - def eventTypeVal = actionData.get('value'); - if (eventTypeVal != null) { - ctx.auth0.logs.data.type = eventTypeVal; - } - // event.type - def actionType = actionData.get('type'); - if (actionType != null) { - ctx.event.type = new ArrayList(actionType); - } - // event.category - def actionCategory = actionData.get('category'); - if (actionCategory != null) { - for (def c : actionCategory) { - ctx.event.category.add(c); - } - } - // event.action - def action = actionData.get('action'); - if (action != null) { - ctx.event.action = action; - } - // auth0 event category / classification group - def classification = actionData.get('classification'); - if (classification != null) { - 
ctx.auth0.logs.data.classification = classification; - } - // event.outcome - if (classification.toLowerCase().contains("success")) { - ctx.event.outcome = "success"; - } else if (classification.toLowerCase().contains("failure")) { - ctx.event.outcome = "failure"; - } else { - ctx.event.outcome = "unknown"; - } -- date: - if: ctx?.auth0?.logs?.data?.details?.initiatedAt != null - field: auth0.logs.data.details.initiatedAt - target_field: auth0.logs.data.login.initiatedAt - formats: - - UNIX_MS -- date: - if: ctx?.auth0?.logs?.data?.details?.completedAt != null - field: auth0.logs.data.details.completedAt - target_field: auth0.logs.data.login.completedAt - formats: - - UNIX_MS -- convert: - if: ctx?.auth0?.logs?.data?.details?.elapsedTime != null - field: auth0.logs.data.details.elapsedTime - target_field: auth0.logs.data.login.elapsedTime - type: long - ignore_missing: true -- convert: - if: "ctx.auth0.logs.data.type == 'Successful login'" - field: auth0.logs.data.details.stats.loginsCount - target_field: auth0.logs.data.login.stats.loginsCount - type: long - ignore_missing: true -## -# Clean up -## -- remove: - field: - - json - - auth0.logs.data.ip - - auth0.logs.data.user_name - - auth0.logs.data.user_id - - auth0.logs.data.user_agent - - auth0.logs.data.log_id - ignore_missing: true -- remove: - field: event.original - if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" - ignore_failure: true - ignore_missing: true -- script: - lang: painless - description: This script processor iterates over the whole document to remove fields with null values. 
- source: | - void handleMap(Map map) { - for (def x : map.values()) { - if (x instanceof Map) { - handleMap(x); - } else if (x instanceof List) { - handleList(x); - } - } - map.values().removeIf(v -> v == null || v == '' || (v instanceof Map && v.size() == 0) || (v instanceof List && v.size() == 0)); - } - void handleList(List list) { - for (def x : list) { - if (x instanceof Map) { - handleMap(x); - } else if (x instanceof List) { - handleList(x); - } - } - list.removeIf(v -> v == null || v == '' || (v instanceof Map && v.size() == 0) || (v instanceof List && v.size() == 0)); - } - handleMap(ctx); - -on_failure: -- set: - field: error.message - value: '{{ _ingest.on_failure_message }}' diff --git a/packages/auth0/1.2.1/data_stream/logs/fields/agent.yml b/packages/auth0/1.2.1/data_stream/logs/fields/agent.yml deleted file mode 100755 index b4f84cf84a..0000000000 --- a/packages/auth0/1.2.1/data_stream/logs/fields/agent.yml +++ /dev/null @@ -1,3 +0,0 @@ -- name: input.type - type: keyword - description: Input type. diff --git a/packages/auth0/1.2.1/data_stream/logs/fields/base-fields.yml b/packages/auth0/1.2.1/data_stream/logs/fields/base-fields.yml deleted file mode 100755 index bc27cfd1c1..0000000000 --- a/packages/auth0/1.2.1/data_stream/logs/fields/base-fields.yml +++ /dev/null @@ -1,20 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: '@timestamp' - type: date - description: Event timestamp. -- name: event.module - type: constant_keyword - description: Event timestamp. - value: auth0 -- name: event.dataset - type: constant_keyword - description: Event timestamp. - value: auth0.logs 
diff --git a/packages/auth0/1.2.1/data_stream/logs/fields/ecs.yml b/packages/auth0/1.2.1/data_stream/logs/fields/ecs.yml
deleted file mode 100755
index 3f2bc288be..0000000000
--- a/packages/auth0/1.2.1/data_stream/logs/fields/ecs.yml
+++ /dev/null
@@ -1,312 +0,0 @@
-- description: |-
- Name of the directory the user is a member of.
- For example, an LDAP or Active Directory domain name.
- name: destination.user.domain
- type: keyword
-- description: Unique identifier of the user.
- name: destination.user.id
- type: keyword
-- description: Short name or login of the user.
- multi_fields:
- - name: text
- type: match_only_text
- name: destination.user.name
- type: keyword
-- description: |-
- ECS version this event conforms to. `ecs.version` is a required field and must exist in all events.
- When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events.
- name: ecs.version
- type: keyword
-- description: |-
- The action captured by the event.
- This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer.
- name: event.action
- type: keyword
-- description: |-
- This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy.
- `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory.
- This field is an array. This will allow proper categorization of some events that fall in multiple categories.
- name: event.category
- normalize:
- - array
- type: keyword
-- description: |-
- Identification code for this event, if one exists.
- Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID.
- name: event.code
- type: keyword
-- description: |-
- event.created contains the date/time when the event was first read by an agent, or by your pipeline.
- This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event.
- In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source.
- In case the two timestamps are identical, @timestamp should be used.
- name: event.created
- type: date
-- description: |-
- Timestamp when an event arrived in the central data store.
- This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event.
- In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`.
- name: event.ingested
- type: date
-- description: |-
- This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy.
- `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events.
- The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not.
- name: event.kind
- type: keyword
-- description: |-
- This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy.
- `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event.
- Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective.
- Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer.
- Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense.
- name: event.outcome
- type: keyword
-- description: |-
- Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex.
- This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`.
- doc_values: false
- index: false
- name: event.original
- type: keyword
-- description: |-
- Source of the event.
- Event transports such as Syslog or the Windows Event Log typically mention the source of an event. It can be the name of the software that generated the event (e.g. Sysmon, httpd), or of a subsystem of the operating system (kernel, Microsoft-Windows-Security-Auditing).
- name: event.provider
- type: keyword
-- description: |-
- Sequence number of the event.
- The sequence number is a value published by some event sources, to make the exact ordering of events unambiguous, regardless of the timestamp precision.
- name: event.sequence
- type: long
-- description: |-
- This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy.
- `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization.
- This field is an array. This will allow proper categorization of some events that fall in multiple event types.
- name: event.type
- normalize:
- - array
- type: keyword
-- description: Unique ID to describe the event.
- name: event.id
- type: keyword
-- description: Directory where the file is located. It should include the drive letter, when appropriate.
- name: file.directory
- type: keyword
-- description: |-
- File extension, excluding the leading dot.
- Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz").
- name: file.extension
- type: keyword
-- description: Name of the file including the extension, without the directory.
- name: file.name
- type: keyword
-- description: Full path to the file, including the file name. It should include the drive letter, when appropriate.
- multi_fields:
- - name: text
- type: match_only_text
- name: file.path
- type: keyword
-- description: |-
- Name of the host.
- It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.
- name: host.name
- type: keyword
-- description: |-
- Original log level of the log event.
- If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity).
- Some examples are `warn`, `err`, `i`, `informational`.
- name: log.level
- type: keyword
-- description: |-
- Array of process arguments, starting with the absolute path to the executable.
- May be filtered to protect sensitive information.
- name: process.args
- normalize:
- - array
- type: keyword
-- description: |-
- Length of the process.args array.
- This field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. More arguments may be an indication of suspicious activity.
- name: process.args_count
- type: long
-- description: |-
- Full command line that started the process, including the absolute path to the executable, and all arguments.
- Some arguments may be filtered to protect sensitive information.
- multi_fields:
- - name: text
- type: match_only_text
- name: process.command_line
- type: wildcard
-- description: |-
- Unique identifier for the process.
- The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process.
- Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts.
- name: process.entity_id
- type: keyword
-- description: Absolute path to the process executable.
- multi_fields:
- - name: text
- type: match_only_text
- name: process.executable
- type: keyword
-- description: |-
- Process name.
- Sometimes called program name or similar.
- multi_fields:
- - name: text
- type: match_only_text
- name: process.name
- type: keyword
-- description: Process id.
- name: process.pid
- type: long
-- description: |-
- Process title.
- The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened.
- multi_fields:
- - name: text
- type: match_only_text
- name: process.title
- type: keyword
-- description: All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search).
- name: related.hash
- normalize:
- - array
- type: keyword
-- description: All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases.
- name: related.hosts
- normalize:
- - array
- type: keyword
-- description: All of the IPs seen on your event.
- name: related.ip
- normalize:
- - array
- type: ip
-- description: All the user names or other user identifiers seen on the event.
- name: related.user
- normalize:
- - array
- type: keyword
-- description: |-
- Name of the directory the user is a member of.
- For example, an LDAP or Active Directory domain name.
- name: source.user.domain
- type: keyword
-- description: Unique identifier of the user.
- name: source.user.id
- type: keyword
-- description: Short name or login of the user.
- multi_fields:
- - name: text
- type: match_only_text
- name: source.user.name
- type: keyword
-- description: |-
- Name of the directory the user is a member of.
- For example, an LDAP or Active Directory domain name.
- name: user.domain
- type: keyword
-- description: Unique identifier of the user.
- name: user.id
- type: keyword
-- description: Short name or login of the user.
- multi_fields:
- - name: text
- type: match_only_text
- name: user.name
- type: keyword
-- description: IP address of the source (IPv4 or IPv6).
- name: source.ip
- type: ip
-- description: |-
- In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc
- The field value must be normalized to lowercase for querying.
- name: network.type
- type: keyword
-- description: Unique number allocated to the autonomous system.
The autonomous system number (ASN) uniquely identifies each network on the Internet.
- name: source.as.number
- type: long
-- description: Organization name.
- multi_fields:
- - name: text
- type: match_only_text
- name: source.as.organization.name
- type: keyword
-- description: City name.
- name: source.geo.city_name
- type: keyword
-- description: Name of the continent.
- name: source.geo.continent_name
- type: keyword
-- description: Country ISO code.
- name: source.geo.country_iso_code
- type: keyword
-- description: Country name.
- name: source.geo.country_name
- type: keyword
-- description: Longitude and latitude.
- name: source.geo.location
- type: geo_point
-- description: |-
- User-defined description of a location, at the level of granularity they care about.
- Could be the name of their data centers, the floor number, if this describes a local physical entity, city names.
- Not typically used in automated geolocation.
- name: source.geo.name
- type: keyword
-- description: Region ISO code.
- name: source.geo.region_iso_code
- type: keyword
-- description: Region name.
- name: source.geo.region_name
- type: keyword
-- description: Name of the user agent.
- name: user_agent.name
- type: keyword
-- description: Name of the device.
- name: user_agent.device.name
- type: keyword
-- description: Unparsed user_agent string.
- multi_fields:
- - name: text
- type: match_only_text
- name: user_agent.original
- type: keyword
-- description: Version of the user agent.
- name: user_agent.version
- type: keyword
-- description: OS family (such as redhat, debian, freebsd, windows).
- name: user_agent.os.family
- type: keyword
-- description: Operating system name, including the version or code name.
- multi_fields:
- - name: text
- type: match_only_text
- name: user_agent.os.full
- type: keyword
-- description: Operating system kernel version as a raw string.
- name: user_agent.os.kernel
- type: keyword
-- description: Operating system name, without the version.
- multi_fields:
- - name: text
- type: match_only_text
- name: user_agent.os.name
- type: keyword
-- description: Operating system platform (such centos, ubuntu, windows).
- name: user_agent.os.platform
- type: keyword
-- description: |-
- Use the `os.type` field to categorize the operating system into one of the broad commercial families.
- If the OS you're dealing with is not listed as an expected value, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition.
- name: user_agent.os.type
- type: keyword
-- description: Operating system version as a raw string.
- name: user_agent.os.version
- type: keyword
-- description: List of keywords used to tag each event.
- name: tags
- normalize:
- - array
- type: keyword
diff --git a/packages/auth0/1.2.1/data_stream/logs/fields/fields.yml b/packages/auth0/1.2.1/data_stream/logs/fields/fields.yml
deleted file mode 100755
index fc2da86b51..0000000000
--- a/packages/auth0/1.2.1/data_stream/logs/fields/fields.yml
+++ /dev/null
@@ -1,126 +0,0 @@
-- name: auth0
- type: group
- description: Fields for Auth0 events.
- fields:
- - name: logs
- type: group
- description: Fields for Auth0 log events.
- fields:
- - name: log_id
- type: keyword
- description: Unique log event identifier
- - name: data
- type: group
- description: log stream event data
- fields:
- - name: log_id
- type: keyword
- description: Unique log event identifier
- - name: date
- type: date
- description: Date when the event occurred in ISO 8601 format.
- - name: type
- type: keyword
- description: Type of event.
- - name: description
- type: text
- description: Description of this event.
- - name: connection
- type: keyword
- description: Name of the connection the event relates to.
- - name: connection_id
- type: keyword
- description: ID of the connection the event relates to.
- - name: client_id
- type: keyword
- description: ID of the client (application).
- - name: client_name
- type: keyword
- description: Name of the client (application).
- - name: ip
- type: ip
- description: IP address of the log event source.
- - name: hostname
- type: keyword
- description: Hostname the event applies to.
- - name: user_id
- type: keyword
- description: ID of the user involved in the event.
- - name: user_name
- type: keyword
- description: Name of the user involved in the event.
- - name: audience
- type: keyword
- description: API audience the event applies to.
- - name: scope
- type: keyword
- description: Scope permissions applied to the event.
- - name: strategy
- type: keyword
- description: Name of the strategy involved in the event.
- - name: strategy_type
- type: keyword
- description: Type of strategy involved in the event.
- - name: log_id
- type: keyword
- description: Unique ID of the event.
- - name: is_mobile
- type: boolean
- description: Whether the client was a mobile device (true) or desktop/laptop/server (false).
- - name: classification
- type: keyword
- description: Log stream filters
- - name: details
- type: flattened
- description: Additional useful details about this event (values here depend upon event type).
- - name: login
- type: group
- description: Filtered fields for login type
- fields:
- - name: initiatedAt
- type: date
- description: Time at which the operation was initiated
- - name: completedAt
- type: date
- description: Time at which the operation was completed
- - name: elapsedTime
- type: long
- description: Number of milliseconds the operation took to complete.
- - name: stats
- type: group
- description: login stats
- fields:
- - name: loginsCount
- type: long
- description: Total number of logins performed by the user
- - name: user_agent
- type: text
- description: User agent string from the client device that caused the event.
- - name: location_info
- type: group
- description: Information about the location that triggered this event based on the IP.
- fields:
- - name: country_code
- type: keyword
- description: Two-letter [Alpha-2 ISO 3166-1](https://www.iso.org/iso-3166-country-codes.html) country code
- - name: country_code3
- type: keyword
- description: Three-letter [Alpha-3 ISO 3166-1](https://www.iso.org/iso-3166-country-codes.html) country code
- - name: country_name
- type: keyword
- description: Full country name in English.
- - name: city_name
- type: keyword
- description: Full city name in English.
- - name: latitude
- type: keyword
- description: Global latitude (horizontal) position.
- - name: longitude
- type: keyword
- description: Global longitude (vertical) position.
- - name: time_zone
- type: keyword
- description: Time zone name as found in the [tz database](https://www.iana.org/time-zones).
- - name: continent_code
- type: keyword
- description: Continent the country is located within. Can be AF (Africa), AN (Antarctica), AS (Asia), EU (Europe), NA (North America), OC (Oceania) or SA (South America).
diff --git a/packages/auth0/1.2.1/data_stream/logs/manifest.yml b/packages/auth0/1.2.1/data_stream/logs/manifest.yml
deleted file mode 100755
index 0e7b6a206d..0000000000
--- a/packages/auth0/1.2.1/data_stream/logs/manifest.yml
+++ /dev/null
@@ -1,74 +0,0 @@
-title: "Auth0 logs via Webhooks"
-type: logs
-streams:
- - input: http_endpoint
- title: Auth0 log events
- description: Receives log events from Auth0
- template_path: http_endpoint.yml.hbs
- vars:
- - name: listen_address
- type: text
- title: Listen Address
- description: Bind address for the listener. Use 0.0.0.0 to listen on all interfaces.
- multi: false
- required: true
- show_user: true
- default: localhost
- - name: listen_port
- type: integer
- title: Listen Port
- multi: false
- required: true
- show_user: true
- default: 8383
- - name: url
- type: text
- title: Webhook path
- description: URL path where the webhook will accept requests.
- multi: false
- required: true
- show_user: false
- default: /auth0/logs
- - name: secret_value
- type: text
- description: Authorization token
- multi: false
- required: false
- show_user: true
- - name: ssl
- type: yaml
- title: TLS
- description: Options for enabling TLS for the listening webhook endpoint. See the [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/configuration-ssl.html) for a list of all options.
- multi: false
- required: false
- show_user: false
- default: |
- enabled: false
- certificate: "/etc/pki/client/cert.pem"
- key: "/etc/pki/client/cert.key"
- - name: tags
- type: text
- title: Tags
- multi: true
- required: true
- show_user: false
- default:
- - forwarded
- - auth0-logstream
- - name: preserve_original_event
- required: true
- show_user: true
- title: Preserve original event
- description: Preserves a raw copy of the original event, added to the field `event.original`
- type: bool
- multi: false
- default: false
- - name: processors
- type: yaml
- title: Processors
- multi: false
- required: false
- show_user: false
- description: >
- Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed.
See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
-
diff --git a/packages/auth0/1.2.1/data_stream/logs/sample_event.json b/packages/auth0/1.2.1/data_stream/logs/sample_event.json
deleted file mode 100755
index f1f4ada246..0000000000
--- a/packages/auth0/1.2.1/data_stream/logs/sample_event.json
+++ /dev/null
@@ -1,156 +0,0 @@
-{
- "@timestamp": "2021-11-03T03:25:28.923Z",
- "agent": {
- "ephemeral_id": "3c2232a0-df0e-48e0-8440-96d5500ce25c",
- "hostname": "docker-fleet-agent",
- "id": "38ed1ea2-8c9a-4d5a-81ee-826cead96859",
- "name": "docker-fleet-agent",
- "type": "filebeat",
- "version": "7.16.2"
- },
- "auth0": {
- "logs": {
- "data": {
- "classification": "Login - Success",
- "client_id": "aI61p8I8aFjmYRliLWgvM9ev97kCCNDB",
- "client_name": "Default App",
- "connection": "Username-Password-Authentication",
- "connection_id": "con_1a5wCUmAs6VOU17n",
- "date": "2021-11-03T03:25:28.923Z",
- "details": {
- "completedAt": 1635909928922,
- "elapsedTime": 1110091,
- "initiatedAt": 1635908818831,
- "prompts": [
- {
- "completedAt": 1635909903693,
- "connection": "Username-Password-Authentication",
- "connection_id": "con_1a5wCUmAs6VOU17n",
- "identity": "6182002f34f4dd006b05b5c7",
- "name": "prompt-authenticate",
- "stats": {
- "loginsCount": 1
- },
- "strategy": "auth0"
- },
- {
- "completedAt": 1635909903745,
- "elapsedTime": 1084902,
- "flow": "universal-login",
- "initiatedAt": 1635908818843,
- "name": "login",
- "timers": {
- "rules": 5
- },
- "user_id": "auth0|6182002f34f4dd006b05b5c7",
- "user_name": "neo@test.com"
- },
- {
- "completedAt": 1635909928352,
- "elapsedTime": 23378,
- "flow": "consent",
- "grantInfo": {
- "audience": "https://dev-yoj8axza.au.auth0.com/userinfo",
- "id": "618201284369c9b4f9cd6d52",
- "scope": "openid profile"
- },
- "initiatedAt": 1635909904974,
- "name": "consent"
- }
- ],
- "session_id": "1TAd-7tsPYzxWudzqfHYXN0e6q1D0GSc",
- "stats": {
- "loginsCount": 1
- }
- },
- "hostname": "dev-yoj8axza.au.auth0.com",
- "login": {
- "completedAt": "2021-11-03T03:25:28.922Z",
- "elapsedTime": 1110091,
- "initiatedAt": "2021-11-03T03:06:58.831Z",
- "stats": {
- "loginsCount": 1
- }
- },
- "strategy": "auth0",
- "strategy_type": "database",
- "type": "Successful login"
- }
- }
- },
- "data_stream": {
- "dataset": "auth0.logs",
- "namespace": "ep",
-
"type": "logs"
- },
- "ecs": {
- "version": "8.3.0"
- },
- "elastic_agent": {
- "id": "38ed1ea2-8c9a-4d5a-81ee-826cead96859",
- "snapshot": false,
- "version": "7.16.2"
- },
- "event": {
- "action": "successful-login",
- "agent_id_status": "verified",
- "category": [
- "authentication",
- "session"
- ],
- "dataset": "auth0.logs",
- "id": "90020211103032530111223343147286033102509916061341581378",
- "ingested": "2022-01-20T05:57:05Z",
- "kind": "event",
- "original": "{\"data\":{\"client_id\":\"aI61p8I8aFjmYRliLWgvM9ev97kCCNDB\",\"client_name\":\"Default App\",\"connection\":\"Username-Password-Authentication\",\"connection_id\":\"con_1a5wCUmAs6VOU17n\",\"date\":\"2021-11-03T03:25:28.923Z\",\"details\":{\"completedAt\":1635909928922,\"elapsedTime\":1110091,\"initiatedAt\":1635908818831,\"prompts\":[{\"completedAt\":1635909903693,\"connection\":\"Username-Password-Authentication\",\"connection_id\":\"con_1a5wCUmAs6VOU17n\",\"elapsedTime\":null,\"identity\":\"6182002f34f4dd006b05b5c7\",\"name\":\"prompt-authenticate\",\"stats\":{\"loginsCount\":1},\"strategy\":\"auth0\"},{\"completedAt\":1635909903745,\"elapsedTime\":1084902,\"flow\":\"universal-login\",\"initiatedAt\":1635908818843,\"name\":\"login\",\"timers\":{\"rules\":5},\"user_id\":\"auth0|6182002f34f4dd006b05b5c7\",\"user_name\":\"neo@test.com\"},{\"completedAt\":1635909928352,\"elapsedTime\":23378,\"flow\":\"consent\",\"grantInfo\":{\"audience\":\"https://dev-yoj8axza.au.auth0.com/userinfo\",\"expiration\":null,\"id\":\"618201284369c9b4f9cd6d52\",\"scope\":\"openid profile\"},\"initiatedAt\":1635909904974,\"name\":\"consent\"}],\"session_id\":\"1TAd-7tsPYzxWudzqfHYXN0e6q1D0GSc\",\"stats\":{\"loginsCount\":1}},\"hostname\":\"dev-yoj8axza.au.auth0.com\",\"ip\":\"81.2.69.143\",\"log_id\":\"90020211103032530111223343147286033102509916061341581378\",\"strategy\":\"auth0\",\"strategy_type\":\"database\",\"type\":\"s\",\"user_agent\":\"Mozilla/5.0 (X11;Ubuntu; Linux x86_64; rv:93.0) Gecko/20100101 
Firefox/93.0\",\"user_id\":\"auth0|6182002f34f4dd006b05b5c7\",\"user_name\":\"neo@test.com\"},\"log_id\":\"90020211103032530111223343147286033102509916061341581378\"}",
- "outcome": "success",
- "type": [
- "info",
- "start"
- ]
- },
- "input": {
- "type": "http_endpoint"
- },
- "log": {
- "level": "info"
- },
- "network": {
- "type": "ipv4"
- },
- "source": {
- "geo": {
- "city_name": "London",
- "continent_name": "Europe",
- "country_iso_code": "GB",
- "country_name": "United Kingdom",
- "location": {
- "lat": 51.5142,
- "lon": -0.0931
- },
- "region_iso_code": "GB-ENG",
- "region_name": "England"
- },
- "ip": "81.2.69.143"
- },
- "tags": [
- "preserve_original_event",
- "forwarded",
- "auth0-logstream"
- ],
- "user": {
- "id": "auth0|6182002f34f4dd006b05b5c7",
- "name": "neo@test.com"
- },
- "user_agent": {
- "device": {
- "name": "Other"
- },
- "name": "Firefox",
- "original": "Mozilla/5.0 (X11;Ubuntu; Linux x86_64; rv:93.0) Gecko/20100101 Firefox/93.0",
- "os": {
- "name": "Ubuntu"
- },
- "version": "93.0."
- }
-}
\ No newline at end of file
diff --git a/packages/auth0/1.2.1/docs/README.md b/packages/auth0/1.2.1/docs/README.md
deleted file mode 100755
index 2e77acffa4..0000000000
--- a/packages/auth0/1.2.1/docs/README.md
+++ /dev/null
@@ -1,330 +0,0 @@
-# Auth0 Log Streams Integration
-
-Auth0 offers integrations that push log events via log streams to Elasticsearch. The [Auth0 Log Streams](https://auth0.com/docs/customize/log-streams) integration package creates a HTTP listener that accepts incoming log events and ingests them into Elasticsearch. This allows you to search, observe and visualize the Auth0 log events through Elasticsearch.
-
-The agent running this integration must be able to accept requests from the Internet in order for Auth0 to be able connect. Auth0 requires that the webhook accept requests over HTTPS. So you must either configure the integration with a valid TLS certificate or use a reverse proxy in front of the integration.
-
-For more information, see Auth0's webpage on [integration to Elastic Security](https://marketplace.auth0.com/integrations/elastic-security).
-
-## Compatability
-
-The package collects log events sent via log stream webhooks.
-
-## Configuration
-
-### Enabling the integration in Elastic
-
-1. In Kibana go to **Management > Integrations**
-2. In "Search for integrations" search bar type **Auth0**
-3. Click on "Auth0" integration from the search results.
-4. Click on **Add Auth0** button to add Auth0 integration.
-
-### Configure the Auth0 integration
-
-1. Enter values for "Listen Address", "Listen Port" and "Webhook path" to form the endpoint URL. Make note of the **Endpoint URL** `https://{AGENT_ADDRESS}:8383/auth0/logs`.
-2. Enter value for "Secret value". This must match the "Authorization Token" value entered when configuring the "Custom Webhook" from Auth0 cloud.
-3. Enter values for "TLS". Auth0 requires that the webhook accept requests over HTTPS. So you must either configure the integration with a valid TLS certificate or use a reverse proxy in front of the integration.
-
-### Creating the stream in Auth0
-
-1. From the Auth0 management console, navigate to **Logs > Streams** and click **+ Create Stream**.
-2. Choose **Custom Webhook**.
-3. Name the new **Event Stream** appropriately (e.g. Elastic) and click **Create**.
-4. In **Payload URL**, paste the **Endpoint URL** collected during Step 1 of **Configure the Auth0 integration** section.
-5. In **Authorization Token**, paste the **Authorization Token**. This must match the value entered in Step 2 of **Configure the Auth0 integration** section.
-6. In **Content Type**, choose **application/json**.
-7. In **Content Format**, choose **JSON Lines**.
-8. **Click Save**.
-
-## Log Events
-
-Enable to collect Auth0 log events for all the applications configured for the chosen log stream.
-
-## Logs
-
-### Log Stream Events
-
-The Auth0 logs dataset provides events from Auth0 log stream. All Auth0 log events are available in the `auth0.logs` field group.
-
-**Exported fields**
-
-| Field | Description | Type |
-|---|---|---|
-| @timestamp | Event timestamp. | date |
-| auth0.logs.data.audience | API audience the event applies to. | keyword |
-| auth0.logs.data.classification | Log stream filters | keyword |
-| auth0.logs.data.client_id | ID of the client (application). | keyword |
-| auth0.logs.data.client_name | Name of the client (application). | keyword |
-| auth0.logs.data.connection | Name of the connection the event relates to. | keyword |
-| auth0.logs.data.connection_id | ID of the connection the event relates to. | keyword |
-| auth0.logs.data.date | Date when the event occurred in ISO 8601 format. | date |
-| auth0.logs.data.description | Description of this event. | text |
-| auth0.logs.data.details | Additional useful details about this event (values here depend upon event type). | flattened |
-| auth0.logs.data.hostname | Hostname the event applies to. | keyword |
-| auth0.logs.data.ip | IP address of the log event source. | ip |
-| auth0.logs.data.is_mobile | Whether the client was a mobile device (true) or desktop/laptop/server (false). | boolean |
-| auth0.logs.data.location_info.city_name | Full city name in English. | keyword |
-| auth0.logs.data.location_info.continent_code | Continent the country is located within. Can be AF (Africa), AN (Antarctica), AS (Asia), EU (Europe), NA (North America), OC (Oceania) or SA (South America). | keyword |
-| auth0.logs.data.location_info.country_code | Two-letter [Alpha-2 ISO 3166-1](https://www.iso.org/iso-3166-country-codes.html) country code | keyword |
-| auth0.logs.data.location_info.country_code3 | Three-letter [Alpha-3 ISO 3166-1](https://www.iso.org/iso-3166-country-codes.html) country code | keyword |
-| auth0.logs.data.location_info.country_name | Full country name in English. | keyword |
-| auth0.logs.data.location_info.latitude | Global latitude (horizontal) position. | keyword |
-| auth0.logs.data.location_info.longitude | Global longitude (vertical) position. | keyword |
-| auth0.logs.data.location_info.time_zone | Time zone name as found in the [tz database](https://www.iana.org/time-zones). | keyword |
-| auth0.logs.data.log_id | Unique ID of the event. | keyword |
-| auth0.logs.data.login.completedAt | Time at which the operation was completed | date |
-| auth0.logs.data.login.elapsedTime | Number of milliseconds the operation took to complete. | long |
-| auth0.logs.data.login.initiatedAt | Time at which the operation was initiated | date |
-| auth0.logs.data.login.stats.loginsCount | Total number of logins performed by the user | long |
-| auth0.logs.data.scope | Scope permissions applied to the event. | keyword |
-| auth0.logs.data.strategy | Name of the strategy involved in the event. | keyword |
-| auth0.logs.data.strategy_type | Type of strategy involved in the event. | keyword |
-| auth0.logs.data.type | Type of event. | keyword |
-| auth0.logs.data.user_agent | User agent string from the client device that caused the event. | text |
-| auth0.logs.data.user_id | ID of the user involved in the event. | keyword |
-| auth0.logs.data.user_name | Name of the user involved in the event. | keyword |
-| auth0.logs.log_id | Unique log event identifier | keyword |
-| data_stream.dataset | Data stream dataset. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| destination.user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword |
-| destination.user.id | Unique identifier of the user. | keyword |
-| destination.user.name | Short name or login of the user. | keyword |
-| destination.user.name.text | Multi-field of `destination.user.name`. | match_only_text |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword |
-| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword |
-| event.code | Identification code for this event, if one exists. Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. | keyword |
-| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date |
-| event.dataset | Event timestamp. | constant_keyword |
-| event.id | Unique ID to describe the event. | keyword |
-| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date |
-| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword |
-| event.module | Event timestamp. | constant_keyword |
-| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword |
-| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword |
-| event.provider | Source of the event. Event transports such as Syslog or the Windows Event Log typically mention the source of an event. It can be the name of the software that generated the event (e.g. Sysmon, httpd), or of a subsystem of the operating system (kernel, Microsoft-Windows-Security-Auditing). | keyword |
-| event.sequence | Sequence number of the event. The sequence number is a value published by some event sources, to make the exact ordering of events unambiguous, regardless of the timestamp precision. | long |
-| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword |
-| file.directory | Directory where the file is located. It should include the drive letter, when appropriate. | keyword |
-| file.extension | File extension, excluding the leading dot. Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword |
-| file.name | Name of the file including the extension, without the directory. | keyword |
-| file.path | Full path to the file, including the file name. It should include the drive letter, when appropriate. | keyword |
-| file.path.text | Multi-field of `file.path`. | match_only_text |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| input.type | Input type. | keyword |
-| log.level | Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). Some examples are `warn`, `err`, `i`, `informational`. | keyword |
-| network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword |
-| process.args | Array of process arguments, starting with the absolute path to the executable. May be filtered to protect sensitive information. | keyword |
-| process.args_count | Length of the process.args array. This field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. More arguments may be an indication of suspicious activity. | long |
-| process.command_line | Full command line that started the process, including the absolute path to the executable, and all arguments. Some arguments may be filtered to protect sensitive information. | wildcard |
-| process.command_line.text | Multi-field of `process.command_line`. | match_only_text |
-| process.entity_id | Unique identifier for the process. The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. | keyword |
-| process.executable | Absolute path to the process executable. | keyword |
-| process.executable.text | Multi-field of `process.executable`. | match_only_text |
-| process.name | Process name. Sometimes called program name or similar. | keyword |
-| process.name.text | Multi-field of `process.name`. | match_only_text |
-| process.pid | Process id. | long |
-| process.title | Process title. The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. | keyword |
-| process.title.text | Multi-field of `process.title`. | match_only_text |
-| related.hash | All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). | keyword |
-| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword |
-| related.ip | All of the IPs seen on your event. | ip |
-| related.user | All the user names or other user identifiers seen on the event. | keyword |
-| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long |
-| source.as.organization.name | Organization name. | keyword |
-| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text |
-| source.geo.city_name | City name. | keyword |
-| source.geo.continent_name | Name of the continent. | keyword |
-| source.geo.country_iso_code | Country ISO code. | keyword |
-| source.geo.country_name | Country name. | keyword |
-| source.geo.location | Longitude and latitude. | geo_point |
-| source.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword |
-| source.geo.region_iso_code | Region ISO code. | keyword |
-| source.geo.region_name | Region name. | keyword |
-| source.ip | IP address of the source (IPv4 or IPv6). | ip |
-| source.user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword |
-| source.user.id | Unique identifier of the user. | keyword |
-| source.user.name | Short name or login of the user. | keyword |
-| source.user.name.text | Multi-field of `source.user.name`. | match_only_text |
-| tags | List of keywords used to tag each event. | keyword |
-| user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword |
-| user.id | Unique identifier of the user. | keyword |
-| user.name | Short name or login of the user. | keyword |
-| user.name.text | Multi-field of `user.name`. | match_only_text |
-| user_agent.device.name | Name of the device. | keyword |
-| user_agent.name | Name of the user agent. | keyword |
-| user_agent.original | Unparsed user_agent string. | keyword |
-| user_agent.original.text | Multi-field of `user_agent.original`. | match_only_text |
-| user_agent.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| user_agent.os.full | Operating system name, including the version or code name. | keyword |
-| user_agent.os.full.text | Multi-field of `user_agent.os.full`. | match_only_text |
-| user_agent.os.kernel | Operating system kernel version as a raw string. | keyword |
-| user_agent.os.name | Operating system name, without the version. | keyword |
-| user_agent.os.name.text | Multi-field of `user_agent.os.name`. | match_only_text |
-| user_agent.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| user_agent.os.type | Use the `os.type` field to categorize the operating system into one of the broad commercial families. If the OS you're dealing with is not listed as an expected value, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. | keyword |
-| user_agent.os.version | Operating system version as a raw string. | keyword |
-| user_agent.version | Version of the user agent. | keyword |
-
-
-An example event for `logs` looks as following:
-
-```json
-{
- "@timestamp": "2021-11-03T03:25:28.923Z",
- "agent": {
- "ephemeral_id": "3c2232a0-df0e-48e0-8440-96d5500ce25c",
- "hostname": "docker-fleet-agent",
- "id": "38ed1ea2-8c9a-4d5a-81ee-826cead96859",
- "name": "docker-fleet-agent",
- "type": "filebeat",
- "version": "7.16.2"
- },
- "auth0": {
- "logs": {
- "data": {
- "classification": "Login - Success",
- "client_id": "aI61p8I8aFjmYRliLWgvM9ev97kCCNDB",
- "client_name": "Default App",
- "connection": "Username-Password-Authentication",
- "connection_id": "con_1a5wCUmAs6VOU17n",
- "date": "2021-11-03T03:25:28.923Z",
- "details": {
- "completedAt": 1635909928922,
- "elapsedTime": 1110091,
- "initiatedAt": 1635908818831,
- "prompts": [
- {
- "completedAt": 1635909903693,
- "connection": "Username-Password-Authentication",
- "connection_id": "con_1a5wCUmAs6VOU17n",
- "identity": "6182002f34f4dd006b05b5c7",
- "name": "prompt-authenticate",
- "stats": {
- "loginsCount": 1
- },
- "strategy": "auth0"
- },
- {
- "completedAt": 1635909903745,
- "elapsedTime": 1084902,
- "flow": "universal-login",
- "initiatedAt": 1635908818843,
- "name": "login",
- "timers": {
- "rules": 5
- },
- "user_id": "auth0|6182002f34f4dd006b05b5c7",
- "user_name": "neo@test.com"
- },
- {
- "completedAt": 1635909928352,
- "elapsedTime": 23378,
- "flow": "consent",
- "grantInfo": {
- "audience": "https://dev-yoj8axza.au.auth0.com/userinfo",
- "id": "618201284369c9b4f9cd6d52",
- "scope": "openid profile"
- },
- "initiatedAt": 1635909904974,
- "name": "consent"
- }
- ],
- "session_id": "1TAd-7tsPYzxWudzqfHYXN0e6q1D0GSc",
- "stats": {
- "loginsCount": 1
- }
- },
- "hostname": "dev-yoj8axza.au.auth0.com",
- "login": {
- "completedAt": "2021-11-03T03:25:28.922Z",
- "elapsedTime": 1110091,
- "initiatedAt": "2021-11-03T03:06:58.831Z",
- "stats": {
- "loginsCount": 1
- }
- },
- "strategy": "auth0",
- "strategy_type": "database",
- "type": "Successful login"
- }
- }
- },
- "data_stream": {
- "dataset": "auth0.logs",
- "namespace": "ep",
- "type": "logs"
- },
- "ecs": {
- "version": "8.3.0"
- },
- "elastic_agent": {
- "id": "38ed1ea2-8c9a-4d5a-81ee-826cead96859",
- "snapshot": false,
- "version": "7.16.2"
- },
- "event": {
- "action": "successful-login",
- "agent_id_status": "verified",
- "category": [
- "authentication",
- "session"
- ],
- "dataset": "auth0.logs",
- "id": "90020211103032530111223343147286033102509916061341581378",
- "ingested": "2022-01-20T05:57:05Z",
- "kind": "event",
- "original": "{\"data\":{\"client_id\":\"aI61p8I8aFjmYRliLWgvM9ev97kCCNDB\",\"client_name\":\"Default App\",\"connection\":\"Username-Password-Authentication\",\"connection_id\":\"con_1a5wCUmAs6VOU17n\",\"date\":\"2021-11-03T03:25:28.923Z\",\"details\":{\"completedAt\":1635909928922,\"elapsedTime\":1110091,\"initiatedAt\":1635908818831,\"prompts\":[{\"completedAt\":1635909903693,\"connection\":\"Username-Password-Authentication\",\"connection_id\":\"con_1a5wCUmAs6VOU17n\",\"elapsedTime\":null,\"identity\":\"6182002f34f4dd006b05b5c7\",\"name\":\"prompt-authenticate\",\"stats\":{\"loginsCount\":1},\"strategy\":\"auth0\"},{\"completedAt\":1635909903745,\"elapsedTime\":1084902,\"flow\":\"universal-login\",\"initiatedAt\":1635908818843,\"name\":\"login\",\"timers\":{\"rules\":5},\"user_id\":\"auth0|6182002f34f4dd006b05b5c7\",\"user_name\":\"neo@test.com\"},{\"completedAt\":1635909928352,\"elapsedTime\":23378,\"flow\":\"consent\",\"grantInfo\":{\"audience\":\"https://dev-yoj8axza.au.auth0.com/userinfo\",\"expiration\":null,\"id\":\"618201284369c9b4f9cd6d52\",\"scope\":\"openid profile\"},\"initiatedAt\":1635909904974,\"name\":\"consent\"}],\"session_id\":\"1TAd-7tsPYzxWudzqfHYXN0e6q1D0GSc\",\"stats\":{\"loginsCount\":1}},\"hostname\":\"dev-yoj8axza.au.auth0.com\",\"ip\":\"81.2.69.143\",\"log_id\":\"90020211103032530111223343147286033102509916061341581378\",\"strategy\":\"auth0\",\"strategy_type\":\"database\",\"type\":\"s\",\"user_agent\":\"Mozilla/5.0 (X11;Ubuntu; Linux x86_64; rv:93.0) Gecko/20100101 Firefox/93.0\",\"user_id\":\"auth0|6182002f34f4dd006b05b5c7\",\"user_name\":\"neo@test.com\"},\"log_id\":\"90020211103032530111223343147286033102509916061341581378\"}",
- "outcome": "success",
- "type": [
- "info",
- "start"
- ]
- },
- "input": {
- "type": "http_endpoint"
- },
- "log": {
- "level": "info"
- },
- "network": {
- "type": "ipv4"
- },
- "source": {
- "geo": {
- "city_name": "London",
- "continent_name": "Europe",
- "country_iso_code": "GB",
- "country_name": "United Kingdom",
- "location": {
- "lat": 51.5142,
- "lon": -0.0931
- },
- "region_iso_code": "GB-ENG",
- "region_name": "England"
- },
- "ip": "81.2.69.143"
- },
- "tags": [
- "preserve_original_event",
- "forwarded",
- "auth0-logstream"
- ],
- "user": {
- "id": "auth0|6182002f34f4dd006b05b5c7",
- "name": "neo@test.com"
- },
- "user_agent": {
- "device": {
- "name": "Other"
- },
- "name": "Firefox",
- "original": "Mozilla/5.0 (X11;Ubuntu; Linux x86_64; rv:93.0) Gecko/20100101 Firefox/93.0",
- "os": {
- "name": "Ubuntu"
- },
- "version": "93.0."
- }
-}
-```
diff --git a/packages/auth0/1.2.1/img/auth0-logo.svg b/packages/auth0/1.2.1/img/auth0-logo.svg
deleted file mode 100755
index e0f2aa1d36..0000000000
--- a/packages/auth0/1.2.1/img/auth0-logo.svg
+++ /dev/null
@@ -1,60 +0,0 @@ - - - - - - - - - - - - - - - - - - - - - 
diff --git a/packages/auth0/1.2.1/img/auth0-screenshot.png b/packages/auth0/1.2.1/img/auth0-screenshot.png
deleted file mode 100755
index 72b880f161..0000000000
Binary files a/packages/auth0/1.2.1/img/auth0-screenshot.png and /dev/null differ
diff --git a/packages/auth0/1.2.1/kibana/dashboard/auth0-29fb7200-4062-11ec-b18d-ef6bf98b26bf.json b/packages/auth0/1.2.1/kibana/dashboard/auth0-29fb7200-4062-11ec-b18d-ef6bf98b26bf.json
deleted file mode 100755
index 86e7ba2c55..0000000000
--- a/packages/auth0/1.2.1/kibana/dashboard/auth0-29fb7200-4062-11ec-b18d-ef6bf98b26bf.json
+++ /dev/null
@@ -1,132 +0,0 @@ -{ - "attributes": { - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-c9215ac0-57f7-4fbb-af81-9f5bb365a238\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"filter-index-pattern-0\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"c9215ac0-57f7-4fbb-af81-9f5bb365a238\":{\"columnOrder\":[\"ad18389f-67bd-47ae-bd5e-7a0a8a74ef31\",\"becf928d-1e95-4cf0-a37f-e4eb735dcc27\"],\"columns\":{\"ad18389f-67bd-47ae-bd5e-7a0a8a74ef31\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of event.category\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"becf928d-1e95-4cf0-a37f-e4eb735dcc27\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"event.category\"},\"becf928d-1e95-4cf0-a37f-e4eb735dcc27\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of 
records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"filter-index-pattern-0\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"auth0.logs\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"auth0.logs\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"ad18389f-67bd-47ae-bd5e-7a0a8a74ef31\"],\"layerId\":\"c9215ac0-57f7-4fbb-af81-9f5bb365a238\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"becf928d-1e95-4cf0-a37f-e4eb735dcc27\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"pie\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":10,\"i\":\"1a13814d-17bf-42cf-8ef9-2dc599fb6766\",\"w\":15,\"x\":0,\"y\":0},\"panelIndex\":\"1a13814d-17bf-42cf-8ef9-2dc599fb6766\",\"title\":\"Auth0 Log Stream Event 
Types\",\"type\":\"lens\",\"version\":\"7.15.1\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-1f92a60a-ed7e-42e4-b03c-4a3fb37e1a35\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"filter-index-pattern-0\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"1f92a60a-ed7e-42e4-b03c-4a3fb37e1a35\":{\"columnOrder\":[\"234dec72-0dd2-42cb-b486-059fa3e0a077\",\"9fb2da13-fb8b-4041-b60e-0840068dc570\"],\"columns\":{\"234dec72-0dd2-42cb-b486-059fa3e0a077\":{\"dataType\":\"date\",\"isBucketed\":true,\"label\":\"@timestamp\",\"operationType\":\"date_histogram\",\"params\":{\"interval\":\"auto\"},\"scale\":\"interval\",\"sourceField\":\"@timestamp\"},\"9fb2da13-fb8b-4041-b60e-0840068dc570\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Unique count of event.type\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"event.type\"}},\"incompleteColumns\":{}}}}},\"filters\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"filter-index-pattern-0\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"auth0.logs\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"auth0.logs\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"accessors\":[\"9fb2da13-fb8b-4041-b60e-0840068dc570\"],\"layerId\":\"1f92a60a-ed7e-42e4-b03c-4a3fb37e1a35\",\"layerType\":\"data\",\"position\":\"top\",\"seriesType\":\"line\",\"showGridlines\":false,\"xAccessor\":\"234dec72-0dd2-42cb-b486-059fa3e0a077\"}],\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"preferredSeriesType\":\"line\",\"title\":\"Empty XY 
chart\",\"valueLabels\":\"hide\",\"yLeftExtent\":{\"mode\":\"full\"},\"yRightExtent\":{\"mode\":\"full\"}}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsXY\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":10,\"i\":\"6089a77e-3c96-4414-9932-eda55ced3d07\",\"w\":14,\"x\":15,\"y\":0},\"panelIndex\":\"6089a77e-3c96-4414-9932-eda55ced3d07\",\"title\":\"Rate of events\",\"type\":\"lens\",\"version\":\"7.15.1\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"}],\"searchSource\":{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"index\":\"logs-*\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"auth0.logs\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"auth0.logs\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"index\":\"logs-*\",\"key\":\"event.category\",\"negate\":false,\"params\":{\"query\":\"Login - Failure\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"event.category\":\"Login - Failure\"}}}],\"index\":\"logs-*\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"addLegend\":false,\"addTooltip\":true,\"metric\":{\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"None\",\"percentageMode\":false,\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":60,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"\",\"type\":\"metric\",\"uiState\":{}}},\"gridData\":{\"h\":10,\"i\":\"5124c723-8890-477e-aad5-bc4fd529bd46\",\"w\":9,\"x\":29,\"y\":0},\"panelIndex\":\"5124c723-8890-477e-aad5-bc4fd529bd46\",\"title\":\"Number of Failed 
Logins\",\"type\":\"visualization\",\"version\":\"7.15.1\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"}],\"searchSource\":{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"index\":\"logs-*\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"auth0.logs\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"auth0.logs\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"index\":\"logs-*\",\"key\":\"event.category\",\"negate\":false,\"params\":{\"query\":\"Signup - Success\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"event.category\":\"Signup - Success\"}}}],\"index\":\"logs-*\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"addLegend\":false,\"addTooltip\":true,\"metric\":{\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"None\",\"percentageMode\":false,\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":60,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"\",\"type\":\"metric\",\"uiState\":{}}},\"gridData\":{\"h\":10,\"i\":\"cb337534-d263-480b-b6a3-80cc4f14d73b\",\"w\":10,\"x\":38,\"y\":0},\"panelIndex\":\"cb337534-d263-480b-b6a3-80cc4f14d73b\",\"title\":\"Number of Successful 
Signups\",\"type\":\"visualization\",\"version\":\"7.15.1\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-e7270679-c5d0-496a-9fd2-7409b402bdb0\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"filter-index-pattern-0\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"filter-index-pattern-1\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"e7270679-c5d0-496a-9fd2-7409b402bdb0\":{\"columnOrder\":[\"60724141-ecf4-4f42-b263-d12cd64fe1a3\",\"14ed1312-1743-452e-89e9-52018d6db787\"],\"columns\":{\"14ed1312-1743-452e-89e9-52018d6db787\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"60724141-ecf4-4f42-b263-d12cd64fe1a3\":{\"dataType\":\"date\",\"isBucketed\":true,\"label\":\"@timestamp\",\"operationType\":\"date_histogram\",\"params\":{\"interval\":\"auto\"},\"scale\":\"interval\",\"sourceField\":\"@timestamp\"}},\"incompleteColumns\":{}}}}},\"filters\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"filter-index-pattern-0\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"auth0.logs\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"auth0.logs\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"filter-index-pattern-1\",\"key\":\"event.category\",\"negate\":false,\"params\":{\"query\":\"Login - Success\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"event.category\":\"Login - 
Success\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"axisTitlesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"fittingFunction\":\"None\",\"gridlinesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"layers\":[{\"accessors\":[\"14ed1312-1743-452e-89e9-52018d6db787\"],\"layerId\":\"e7270679-c5d0-496a-9fd2-7409b402bdb0\",\"layerType\":\"data\",\"position\":\"top\",\"seriesType\":\"line\",\"showGridlines\":false,\"xAccessor\":\"60724141-ecf4-4f42-b263-d12cd64fe1a3\"}],\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"preferredSeriesType\":\"line\",\"tickLabelsVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"valueLabels\":\"hide\",\"yLeftExtent\":{\"mode\":\"full\"},\"yRightExtent\":{\"mode\":\"full\"}}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsXY\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":12,\"i\":\"d00429d4-502f-41d8-8a2b-7300859930ea\",\"w\":15,\"x\":0,\"y\":10},\"panelIndex\":\"d00429d4-502f-41d8-8a2b-7300859930ea\",\"title\":\"Rate of Successful 
Logins\",\"type\":\"lens\",\"version\":\"7.15.1\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-4fc38bcd-1242-43bb-a213-0c6fe6e7a26e\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"filter-index-pattern-0\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"filter-index-pattern-1\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"4fc38bcd-1242-43bb-a213-0c6fe6e7a26e\":{\"columnOrder\":[\"56478895-2ad9-4541-9b3c-debffe3de81d\",\"d8ee79e4-d617-4809-9065-217bcd1f628c\"],\"columns\":{\"56478895-2ad9-4541-9b3c-debffe3de81d\":{\"dataType\":\"date\",\"isBucketed\":true,\"label\":\"@timestamp\",\"operationType\":\"date_histogram\",\"params\":{\"interval\":\"auto\"},\"scale\":\"interval\",\"sourceField\":\"@timestamp\"},\"d8ee79e4-d617-4809-9065-217bcd1f628c\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"filter-index-pattern-0\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"auth0.logs\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"auth0.logs\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"filter-index-pattern-1\",\"key\":\"event.category\",\"negate\":false,\"params\":{\"query\":\"Login - Failure\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"event.category\":\"Login - 
Failure\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"accessors\":[\"d8ee79e4-d617-4809-9065-217bcd1f628c\"],\"layerId\":\"4fc38bcd-1242-43bb-a213-0c6fe6e7a26e\",\"layerType\":\"data\",\"position\":\"top\",\"seriesType\":\"line\",\"showGridlines\":false,\"xAccessor\":\"56478895-2ad9-4541-9b3c-debffe3de81d\"}],\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"preferredSeriesType\":\"line\",\"title\":\"Empty XY chart\",\"valueLabels\":\"hide\",\"yLeftExtent\":{\"mode\":\"full\"},\"yRightExtent\":{\"mode\":\"full\"}}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsXY\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":12,\"i\":\"c1a1b718-c5f1-4029-9fda-0cd7ed38b3a8\",\"w\":14,\"x\":15,\"y\":10},\"panelIndex\":\"c1a1b718-c5f1-4029-9fda-0cd7ed38b3a8\",\"title\":\"Rate of Failed Logins\",\"type\":\"lens\",\"version\":\"7.15.1\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":12,\"i\":\"d6323397-e8a4-4869-ad2b-d48ee5b5a70a\",\"w\":19,\"x\":29,\"y\":10},\"panelIndex\":\"d6323397-e8a4-4869-ad2b-d48ee5b5a70a\",\"panelRefName\":\"panel_d6323397-e8a4-4869-ad2b-d48ee5b5a70a\",\"type\":\"visualization\",\"version\":\"7.15.1\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":11,\"i\":\"253f1007-1537-4012-a663-48bccf233f4c\",\"w\":48,\"x\":0,\"y\":22},\"panelIndex\":\"253f1007-1537-4012-a663-48bccf233f4c\",\"panelRefName\":\"panel_253f1007-1537-4012-a663-48bccf233f4c\",\"type\":\"search\",\"version\":\"7.15.1\"}]", - "timeRestore": false, - "title": "Auth0", - "version": 1 - }, - "coreMigrationVersion": "7.15.1", - "id": "auth0-29fb7200-4062-11ec-b18d-ef6bf98b26bf", - "migrationVersion": { - "dashboard": "7.15.0" - }, - "references": [ - { - "id": "logs-*", - "name": "1a13814d-17bf-42cf-8ef9-2dc599fb6766:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": 
"1a13814d-17bf-42cf-8ef9-2dc599fb6766:indexpattern-datasource-layer-c9215ac0-57f7-4fbb-af81-9f5bb365a238",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "1a13814d-17bf-42cf-8ef9-2dc599fb6766:filter-index-pattern-0",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "6089a77e-3c96-4414-9932-eda55ced3d07:indexpattern-datasource-current-indexpattern",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "6089a77e-3c96-4414-9932-eda55ced3d07:indexpattern-datasource-layer-1f92a60a-ed7e-42e4-b03c-4a3fb37e1a35",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "6089a77e-3c96-4414-9932-eda55ced3d07:filter-index-pattern-0",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "5124c723-8890-477e-aad5-bc4fd529bd46:kibanaSavedObjectMeta.searchSourceJSON.index",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "5124c723-8890-477e-aad5-bc4fd529bd46:kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "5124c723-8890-477e-aad5-bc4fd529bd46:kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "cb337534-d263-480b-b6a3-80cc4f14d73b:kibanaSavedObjectMeta.searchSourceJSON.index",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "cb337534-d263-480b-b6a3-80cc4f14d73b:kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "cb337534-d263-480b-b6a3-80cc4f14d73b:kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "d00429d4-502f-41d8-8a2b-7300859930ea:indexpattern-datasource-current-indexpattern",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "d00429d4-502f-41d8-8a2b-7300859930ea:indexpattern-datasource-layer-e7270679-c5d0-496a-9fd2-7409b402bdb0",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- 
"name": "d00429d4-502f-41d8-8a2b-7300859930ea:filter-index-pattern-0",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "d00429d4-502f-41d8-8a2b-7300859930ea:filter-index-pattern-1",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "c1a1b718-c5f1-4029-9fda-0cd7ed38b3a8:indexpattern-datasource-current-indexpattern",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "c1a1b718-c5f1-4029-9fda-0cd7ed38b3a8:indexpattern-datasource-layer-4fc38bcd-1242-43bb-a213-0c6fe6e7a26e",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "c1a1b718-c5f1-4029-9fda-0cd7ed38b3a8:filter-index-pattern-0",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "c1a1b718-c5f1-4029-9fda-0cd7ed38b3a8:filter-index-pattern-1",
- "type": "index-pattern"
- },
- {
- "id": "auth0-187e7650-42a9-11ec-b9a2-edbe9edd14c9",
- "name": "d6323397-e8a4-4869-ad2b-d48ee5b5a70a:panel_d6323397-e8a4-4869-ad2b-d48ee5b5a70a",
- "type": "visualization"
- },
- {
- "id": "auth0-629b19e0-4061-11ec-b18d-ef6bf98b26bf",
- "name": "253f1007-1537-4012-a663-48bccf233f4c:panel_253f1007-1537-4012-a663-48bccf233f4c",
- "type": "search"
- }
- ],
- "type": "dashboard"
-}
\ No newline at end of file
diff --git a/packages/auth0/1.2.1/kibana/search/auth0-629b19e0-4061-11ec-b18d-ef6bf98b26bf.json b/packages/auth0/1.2.1/kibana/search/auth0-629b19e0-4061-11ec-b18d-ef6bf98b26bf.json
deleted file mode 100755
index 3d37f68df5..0000000000
--- a/packages/auth0/1.2.1/kibana/search/auth0-629b19e0-4061-11ec-b18d-ef6bf98b26bf.json
+++ /dev/null
@@ -1,35 +0,0 @@
-{
- "attributes": {
- "columns": [
- "auth0.logs.data.connection",
- "auth0.logs.data.user_name",
- "auth0.logs.data.user_agent"
- ],
- "description": "",
- "hits": 0,
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"filter\":[],\"highlight\":{\"fields\":{\"*\":{}},\"fragment_size\":2147483647,\"post_tags\":[\"@/kibana-highlighted-field@\"],\"pre_tags\":[\"@kibana-highlighted-field@\"],\"require_field_match\":false},\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:\\\"auth0.logs\\\" \"}}"
- },
- "sort": [
- [
- "@timestamp",
- "desc"
- ]
- ],
- "title": "Auth0 logs",
- "version": 1
- },
- "coreMigrationVersion": "7.15.1",
- "id": "auth0-629b19e0-4061-11ec-b18d-ef6bf98b26bf",
- "migrationVersion": {
- "search": "7.9.3"
- },
- "references": [
- {
- "id": "logs-*",
- "name": "kibanaSavedObjectMeta.searchSourceJSON.index",
- "type": "index-pattern"
- }
- ],
- "type": "search"
-}
\ No newline at end of file
diff --git a/packages/auth0/1.2.1/kibana/visualization/auth0-187e7650-42a9-11ec-b9a2-edbe9edd14c9.json b/packages/auth0/1.2.1/kibana/visualization/auth0-187e7650-42a9-11ec-b9a2-edbe9edd14c9.json
deleted file mode 100755
index 59f6851d51..0000000000
--- a/packages/auth0/1.2.1/kibana/visualization/auth0-187e7650-42a9-11ec-b9a2-edbe9edd14c9.json
+++ /dev/null
@@ -1,35 +0,0 @@
-{
- "attributes": {
- "description": "",
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"auth0.logs\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"auth0.logs\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"event.category\",\"negate\":false,\"params\":{\"query\":\"Login - Failure\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"event.category\":\"Login - Failure\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}"
- },
- "title": "IP Addresses of failed logins",
- "uiStateJSON": "{}",
- "version": 1,
- "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"auth0.logs.data.ip\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"maxFontSize\":72,\"minFontSize\":18,\"orientation\":\"single\",\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"scale\":\"linear\",\"showLabel\":true},\"title\":\"IP Addresses of failed logins\",\"type\":\"tagcloud\"}"
- },
- "coreMigrationVersion": "7.15.1",
- "id": "auth0-187e7650-42a9-11ec-b9a2-edbe9edd14c9",
- "migrationVersion": {
- "visualization": "7.14.0"
- },
- "references": [
- {
- "id": "logs-*",
- "name": "kibanaSavedObjectMeta.searchSourceJSON.index",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": 
"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index",
- "type": "index-pattern"
- }
- ],
- "type": "visualization"
-}
\ No newline at end of file
diff --git a/packages/auth0/1.2.1/manifest.yml b/packages/auth0/1.2.1/manifest.yml
deleted file mode 100755
index c7f3c9b7f6..0000000000
--- a/packages/auth0/1.2.1/manifest.yml
+++ /dev/null
@@ -1,34 +0,0 @@
-format_version: 1.0.0
-name: auth0
-title: "Auth0"
-version: 1.2.1
-license: basic
-description: Collect logs from Auth0 with Elastic Agent.
-type: integration
-categories:
- - cloud
- - network
- - security
-release: ga
-conditions:
- kibana.version: "^7.16.0 || ^8.0.0"
-screenshots:
- - src: /img/auth0-screenshot.png
- title: Auth0 Dashboard
- size: 600x600
- type: image/png
-icons:
- - src: /img/auth0-logo.svg
- title: Auth0 logo
- size: 32x32
- type: image/svg+xml
-policy_templates:
- - name: auth0_events
- title: Auth0 log stream events via Webhooks
- description: Collect Auth0 log streams events via Webhooks.
- inputs:
- - type: http_endpoint
- title: Collect Auth0 log streams events via Webhooks
- description: Collecting Auth0 log stream events via Webhooks.
-owner:
- github: elastic/security-external-integrations
diff --git a/packages/auth0/1.2.2/LICENSE.txt b/packages/auth0/1.2.2/LICENSE.txt
deleted file mode 100755
index 809108b857..0000000000
--- a/packages/auth0/1.2.2/LICENSE.txt
+++ /dev/null
@@ -1,93 +0,0 @@
-Elastic License 2.0
-
-URL: https://www.elastic.co/licensing/elastic-license
-
-## Acceptance
-
-By using the software, you agree to all of the terms and conditions below.
-
-## Copyright License
-
-The licensor grants you a non-exclusive, royalty-free, worldwide,
-non-sublicensable, non-transferable license to use, copy, distribute, make
-available, and prepare derivative works of the software, in each case subject to
-the limitations and conditions below.
-
-## Limitations
-
-You may not provide the software to third parties as a hosted or managed
-service, where the service provides users with access to any substantial set of
-the features or functionality of the software.
-
-You may not move, change, disable, or circumvent the license key functionality
-in the software, and you may not remove or obscure any functionality in the
-software that is protected by the license key.
-
-You may not alter, remove, or obscure any licensing, copyright, or other notices
-of the licensor in the software. Any use of the licensor’s trademarks is subject
-to applicable law.
-
-## Patents
-
-The licensor grants you a license, under any patent claims the licensor can
-license, or becomes able to license, to make, have made, use, sell, offer for
-sale, import and have imported the software, in each case subject to the
-limitations and conditions in this license. This license does not cover any
-patent claims that you cause to be infringed by modifications or additions to
-the software. If you or your company make any written claim that the software
-infringes or contributes to infringement of any patent, your patent license for
-the software granted under these terms ends immediately. If your company makes
-such a claim, your patent license ends immediately for work on behalf of your
-company.
-
-## Notices
-
-You must ensure that anyone who gets a copy of any part of the software from you
-also gets a copy of these terms. 
-
-If you modify the software, you must include in any modified copies of the
-software prominent notices stating that you have modified the software.
-
-## No Other Rights
-
-These terms do not imply any licenses other than those expressly granted in
-these terms.
-
-## Termination
-
-If you use the software in violation of these terms, such use is not licensed,
-and your licenses will automatically terminate. If the licensor provides you
-with a notice of your violation, and you cease all violation of this license no
-later than 30 days after you receive that notice, your licenses will be
-reinstated retroactively. However, if you violate these terms after such
-reinstatement, any additional violation of these terms will cause your licenses
-to terminate automatically and permanently.
-
-## No Liability
-
-*As far as the law allows, the software comes as is, without any warranty or
-condition, and the licensor will not be liable to you for any damages arising
-out of these terms or the use or nature of the software, under any kind of
-legal claim.*
-
-## Definitions
-
-The **licensor** is the entity offering these terms, and the **software** is the
-software the licensor makes available under these terms, including any portion
-of it.
-
-**you** refers to the individual or entity agreeing to these terms.
-
-**your company** is any legal entity, sole proprietorship, or other kind of
-organization that you work for, plus all organizations that have control over,
-are under the control of, or are under common control with that
-organization. **control** means ownership of substantially all the assets of an
-entity, or the power to direct its management and policies by vote, contract, or
-otherwise. Control can be direct or indirect.
-
-**your licenses** are all the licenses granted to you for the software under
-these terms.
-
-**use** means anything you do with the software requiring one of your licenses. 
-
-**trademark** means trademarks, service marks, and similar rights.
diff --git a/packages/auth0/1.2.2/changelog.yml b/packages/auth0/1.2.2/changelog.yml
deleted file mode 100755
index 1a18a5a944..0000000000
--- a/packages/auth0/1.2.2/changelog.yml
+++ /dev/null
@@ -1,56 +0,0 @@
-# newer versions go on top
-- version: "1.2.2"
- changes:
- - description: Remove duplicate field.
- type: bugfix
- link: https://github.com/elastic/integrations/issues/4327
-- version: "1.2.1"
- changes:
- - description: Use ECS geo.location definition.
- type: enhancement
- link: https://github.com/elastic/integrations/issues/4227
-- version: "1.2.0"
- changes:
- - description: Update package to ECS 8.4.0
- type: enhancement
- link: https://github.com/elastic/integrations/pull/3841
-- version: "1.1.1"
- changes:
- - description: Update package name and description to align with standard wording
- type: enhancement
- link: https://github.com/elastic/integrations/pull/3478
-- version: "1.1.0"
- changes:
- - description: Update package to ECS 8.3.0.
- type: enhancement
- link: https://github.com/elastic/integrations/pull/3353
-- version: "1.0.0"
- changes:
- - description: Make GA
- type: enhancement
- link: https://github.com/elastic/integrations/pull/3428
-- version: "0.1.4"
- changes:
- - description: Update Readme
- type: enhancement
- link: https://github.com/elastic/integrations/pull/3065
-- version: "0.1.3"
- changes:
- - description: Add documentation for multi-fields
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2916
-- version: "0.1.2"
- changes:
- - description: Fix documentation bug
- type: bugfix
- link: https://github.com/elastic/integrations/pull/2761
-- version: "0.1.1"
- changes:
- - description: Update Auth0 logo image
- type: bugfix
- link: https://github.com/elastic/integrations/pull/2749
-- version: "0.1.0"
- changes:
- - description: Initial commit
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2152
diff --git a/packages/auth0/1.2.2/data_stream/logs/agent/stream/http_endpoint.yml.hbs b/packages/auth0/1.2.2/data_stream/logs/agent/stream/http_endpoint.yml.hbs
deleted file mode 100755
index 1203728f14..0000000000
--- a/packages/auth0/1.2.2/data_stream/logs/agent/stream/http_endpoint.yml.hbs
+++ /dev/null
@@ -1,41 +0,0 @@
-type: http_endpoint
-enabled: true
-prefix: json
-
-{{#if listen_address}}
-listen_address: {{listen_address}}
-{{/if}}
-{{#if listen_port}}
-listen_port: {{listen_port}}
-{{/if}}
-{{#if url}}
-url: {{url}}
-{{/if}}
-
-{{#if secret_value}}
-secret.header: Authorization
-secret.value: "{{secret_value}}"
-{{/if}}
-
-{{#if ssl}}
-ssl: {{ssl}}
-{{/if}}
-
-{{#if preserve_original_event}}
-preserve_original_event: true
-{{/if}}
-
-tags:
-{{#if preserve_original_event}}
- - preserve_original_event
-{{/if}}
-{{#each tags as |tag i|}}
- - {{tag}}
-{{/each}}
-{{#contains "forwarded" tags}}
-publisher_pipeline.disable_host: true
-{{/contains}}
-{{#if processors}}
-processors:
-{{processors}}
-{{/if}}
diff --git a/packages/auth0/1.2.2/data_stream/logs/elasticsearch/ingest_pipeline/default.yml b/packages/auth0/1.2.2/data_stream/logs/elasticsearch/ingest_pipeline/default.yml
deleted file mode 100755
index 0ccbb38ac4..0000000000
--- a/packages/auth0/1.2.2/data_stream/logs/elasticsearch/ingest_pipeline/default.yml
+++ /dev/null
@@ -1,1105 +0,0 @@
----
-description: Pipeline for processing Auth0 log stream events
-processors:
-- set:
- field: ecs.version
- value: '8.4.0'
-- set:
- field: auth0.logs.data
- copy_from: json.data
-- date:
- field: auth0.logs.data.date
- formats:
- - ISO8601
-- set:
- field: log.level
- value: info
-- set:
- field: log.level
- value: error
- if: ctx?.auth0?.logs?.data?.details?.error != null
-- set:
- field: source.ip
- copy_from: auth0.logs.data.ip
- if: ctx?.auth0?.logs?.data?.ip != null
-# IP Geolocation Lookup
-- geoip:
- field: source.ip
- target_field: source.geo
- ignore_missing: true
- if: 'ctx.source?.geo == null && ctx?.source?.ip != null'
-# IP Autonomous System (AS) Lookup
-- geoip:
- database_file: GeoLite2-ASN.mmdb
- field: source.ip
- target_field: source.as
- properties:
- - asn
- - organization_name
- ignore_missing: true
- if: ctx?.source?.ip != null
-- rename:
- field: source.as.asn
- target_field: source.as.number
- ignore_missing: true
-- rename:
- field: source.as.organization_name
- target_field: source.as.organization.name
- ignore_missing: true
-- set:
- field: network.type
- value: ipv6
- if: 'ctx.source?.ip != null && ctx.source?.ip.contains(":")'
-- set:
- field: network.type
- value: ipv4
- if: 'ctx.network?.type == null && ctx.source?.ip != null'
-- set:
- field: user.name
- copy_from: auth0.logs.data.user_name
- if: 'ctx?.auth0?.logs?.data?.user_name != null'
-- set:
- field: user.id
- copy_from: auth0.logs.data.user_id
- if: 'ctx?.auth0?.logs?.data?.user_id != null'
-- user_agent:
- field: auth0.logs.data.user_agent
- ignore_missing: true
-- set:
- field: event.id
- copy_from: auth0.logs.data.log_id
- if: 'ctx?.auth0?.logs?.data?.log_id != null'
-##
-# Event kind, code and action
-##
-- set:
- field: event.kind
- value: event
-- append:
- field: event.category
- value: authentication
-- script:
- lang: painless
- description: Sets event type, category and action based on type
- if: ctx?.auth0?.logs?.data?.type != null
- params:
- 
actions:
- f:
- classification: "Login - Failure"
- value: "Failed login"
- type:
- - info
- action: failed-login
- fc:
- classification: "Login - Failure"
- value: "Failed connector login"
- type:
- - info
- action: failed-connector-login
- fco:
- classification: "Login - Failure"
- value: "Origin is not in the application's Allowed Origins list"
- type:
- - info
- action: origin-not-allowed
- fcoa:
- classification: "Login - Failure"
- value: "Failed cross-origin authentication"
- type:
- - info
- action: failed-cross-origin-authentication
- fens:
- classification: "Login - Failure"
- value: "Failed native social login"
- type:
- - info
- action: failed-native-social-login
- fp:
- classification: "Login - Failure"
- value: "Incorrect password"
- type:
- - info
- action: incorrect-password
- fu:
- classification: "Login - Failure"
- value: "Invalid email or username"
- type:
- - info
- - indicator
- category:
- - threat
- action: invalid-username-or-email
- w:
- classification: "Login - Notification"
- value: "Warnings during login"
- type:
- - info
- - indicator
- category:
- - threat
- action: warnings-during-login
- s:
- classification: "Login - Success"
- value: "Successful login"
- type:
- - info
- - start
- category:
- - session
- action: successful-login
- scoa:
- classification: "Login - Success"
- value: "Successful cross-origin authentication"
- type:
- - info
- - start
- category:
- - session
- action: successful-cross-origin-authentication
- sens:
- classification: "Login - Success"
- value: "Successful native social login"
- type:
- - info
- - start
- category:
- - session
- action: successful-native-social-login
- flo:
- classification: "Logout - Failure"
- value: "User logout failed"
- type:
- - info
- category:
- - session
- action: user-logout-failed
- slo:
- classification: "Logout - Success"
- value: "User successfully logged out"
- type:
- - info
- - end
- category:
- - session
- action: user-logout-successful
- fs:
- classification: "Signup - 
Failure"
- value: "User signup failed"
- type:
- - info
- - creation
- - user
- category:
- - iam
- action: user-signup-failed
- fsa:
- classification: "Silent Authentication - Failure"
- value: "Failed silent authentication"
- type:
- - info
- - indicator
- category:
- - threat
- action: failed-silent-authentication
- ssa:
- classification: "Silent Authentication - Success"
- value: "Successful silent authentication"
- type:
- - info
- action: successful-silent-authentication
- feacft:
- classification: "Token Exchange - Failure"
- value: "Failed exchange of Authorization Code for Access Token"
- type:
- - info
- - protocol
- - error
- category:
- - network
- - web
- action: failed-exchange-auth-code-for-access-token
- feccft:
- classification: "Token Exchange - Failure"
- value: "Failed exchange of Access Token for a Client Credentials Grant"
- type:
- - info
- - protocol
- - error
- category:
- - network
- - web
- action: failed-exchange-access-token-for-client-cred-grant
- fede:
- classification: "Token Exchange - Failure"
- value: "Failed exchange of Device Code for Access Token"
- type:
- - info
- - protocol
- - error
- category:
- - network
- - web
- action: failed-exchange-device-code-for-access-token
- feoobft:
- classification: "Token Exchange - Failure"
- value: "Failed exchange of Password and OOB Challenge for Access Token"
- type:
- - info
- - protocol
- - error
- category:
- - network
- - web
- action: failed-exchange-password-oob-challenge-for-access-token
- feotpft:
- classification: "Token Exchange - Failure"
- value: "Failed exchange of Password and OTP Challenge for Access Token"
- type:
- - info
- - protocol
- - error
- category:
- - network
- - web
- action: failed-exchange-password-otp-challenge-for-access-token
- fepft:
- classification: "Token Exchange - Failure"
- value: "Failed exchange of Password for Access Token"
- type:
- - info
- - protocol
- - error
- category:
- - network
- - web
- action: failed-exchange-password-for-access-token
- fepotpft:
- classification: "Token Exchange - Failure"
- value: "Failed exchange of Passwordless OTP for Access Token"
- type:
- - info
- - protocol
- - error
- category:
- - network
- - web
- action: failed-exchange-passwordless-otp-for-access-token
- fercft:
- classification: "Token Exchange - Failure"
- value: "Failed exchange of Password and MFA Recovery code for Access Token"
- type:
- - info
- - protocol
- - error
- category:
- - network
- - web
- action: failed-exchange-password-mfa-recovery-code-for-access-token
- ferrt:
- classification: "Token Exchange - Failure"
- value: "Failed exchange of Rotating Refresh Token"
- type:
- - info
- - protocol
- - error
- category:
- - network
- - web
- action: failed-exchange-rotating-refresh-token
- fertft:
- classification: "Token Exchange - Failure"
- value: "Failed exchange of Refresh Token for Access Token"
- type:
- - info
- - protocol
- - error
- category:
- - network
- - web
- action: failed-exchange-refresh-token-for-access-token
- seacft:
- classification: "Token Exchange - Success"
- value: "Successful exchange of Authorization Code for Access Token"
- type:
- - info
- - protocol
- - access
- category:
- - network
- - web
- action: success-exchange-auth-code-for-access-token
- seccft:
- classification: "Token Exchange - Success"
- value: "Successful exchange of Access Token for a Client Credentials Grant"
- type:
- - info
- - protocol
- - access
- category:
- - network
- - web
- action: success-exchange-access-token-for-client-cred-grant
- sede:
- classification: "Token Exchange - Success"
- value: "Successful exchange of Device Code for Access Token"
- type:
- - info
- - protocol
- - access
- category:
- - network
- - web
- action: success-exchange-device-code-for-access-token
- seoobft:
- classification: "Token Exchange - Success"
- value: "Successful exchange of Password and OOB Challenge for Access Token"
- type:
- - info
- - protocol
- - access
- category:
- - network
- - web
- action: 
success-exchange-password-oob-challange-for-access-token
- seotpft:
- classification: "Token Exchange - Success"
- value: "Successful exchange of Password and OTP Challenge for Access Token"
- type:
- - info
- - protocol
- - access
- category:
- - network
- - web
- action: success-exchange-password-otp-challenge-for-access-token
- sepft:
- classification: "Token Exchange - Success"
- value: "Successful exchange of Password for Access Token"
- type:
- - info
- - protocol
- - access
- category:
- - network
- - web
- action: success-exchange-password-for-access-token
- sercft:
- classification: "Token Exchange - Success"
- value: "Successful exchange of Password and MFA Recovery code for Access Token"
- type:
- - info
- - protocol
- - access
- category:
- - network
- - web
- action: success-exchange-mfa-recovery-code-for-access-token
- sertft:
- classification: "Token Exchange - Success"
- value: "Successful exchange of Refresh Token for Access Token"
- type:
- - info
- - protocol
- - access
- category:
- - network
- - web
- action: success-exchange-refresh-token-for-access-token
- fapi:
- classification: "Management API - Failure"
- value: "Failed Management API operation"
- type:
- - info
- - error
- category:
- - web
- action: failed-mgmt-api-operation
- sapi:
- classification: "Management API - Success"
- value: "Successful Management API operation"
- type:
- - info
- - access
- - change
- category:
- - web
- - iam
- action: success-mgmt-api-op
- mgmt_api_read:
- classification: "Management API - Success"
- value: "API GET operation returning secrets completed successfully"
- type:
- - info
- - access
- category:
- - web
- - iam
- action: success-mgmt-api-op-secrets-returned
- admin_update_launch:
- classification: "System - Notification"
- value: "Auth0 Update Launched"
- type:
- - change
- category:
- - configuration
- action: auth0-update-launched
- api_limit:
- classification: "System - Notification"
- value: "The maximum number of requests to the 
Authentication or Management APIs in given time has reached"
- type:
- - info
- - access
- category:
- - network
- action: max-requests-reached
- coff:
- classification: "System - Notification"
- value: "AD/LDAP Connector is offline"
- type:
- - error
- - connection
- category:
- - network
- - web
- action: ad-ldap-connector-offline
- con:
- classification: "System - Notification"
- value: "AD/LDAP Connector is online and working"
- type:
- - info
- - connection
- category:
- - network
- action: ad-ldap-connector-online
- depnote:
- classification: "System - Notification"
- value: "Deprecation Notice"
- type:
- - info
- action: deprecation-notice
- fcpro:
- classification: "System - Notification"
- value: "Failed to provision a AD/LDAP connector"
- type:
- - info
- - connection
- - error
- category:
- - network
- action: failed-ad-ldap-provision
- fui:
- classification: "System - Notification"
- value: "Failed to import users"
- type:
- - info
- - user
- - error
- category:
- - iam
- - web
- action: failed-to-import-users
- limit_delegation:
- classification: "System - Notification"
- value: "Rate limit exceeded to /delegation endpoint"
- type:
- - info
- - access
- category:
- - network
- action: rate-limit-exceeded-to-delegation-endpoint
- limit_mu:
- classification: "System - Notification"
- value: "An IP address is blocked with 100 failed login attempts using different usernames"
- type:
- - indicator
- - info
- category:
- - threat
- - intrusion_detection
- action: hundred-failed-logins-ip-address-blocked
- limit_wc:
- classification: "System - Notification"
- value: "An IP address is blocked with 10 failed login attempts into a single account from the same IP address"
- type:
- - indicator
- - info
- category:
- - threat
- - intrusion_detection
- action: ten-failed-logins-ip-address-blocked
- sys_os_update_start:
- classification: "System - Notification"
- value: "Auth0 OS Update Started"
- type:
- - change
- - start
- - installation
- category:
- - 
configuration
- - package
- action: auth0-os-update-started
- sys_os_update_end:
- classification: "System - Notification"
- value: "Auth0 OS Update Ended"
- type:
- - change
- - end
- - installation
- category:
- - configuration
- - package
- action: auth0-os-update-ended
- sys_update_start:
- classification: "System - Notification"
- value: "Auth0 Update Started"
- type:
- - change
- - start
- - installation
- category:
- - configuration
- - package
- action: auth0-update-started
- sys_update_end:
- classification: "System - Notification"
- value: "Auth0 Update Ended"
- type:
- - change
- - end
- - installation
- category:
- - configuration
- - package
- action: auth0-update-ended
- fce:
- classification: "User/Behavioral - Failure"
- value: "Failed to change user email"
- type:
- - change
- - user
- category:
- - iam
- action: failed-to-change-user-email
- fcp:
- classification: "User/Behavioral - Failure"
- value: "Failed to change password"
- type:
- - change
- - user
- category:
- - iam
- action: failed-to-change-password
- fcpn:
- classification: "User/Behavioral - Failure"
- value: "Failed to change phone number"
- type:
- - change
- - user
- category:
- - iam
- action: failed-to-change-phone-number
- fcpr:
- classification: "User/Behavioral - Failure"
- value: "Failed change password request"
- type:
- - change
- - user
- category:
- - iam
- action: failed-change-password-request
- fcu:
- classification: "User/Behavioral - Failure"
- value: "Failed to change username"
- type:
- - change
- - user
- category:
- - iam
- action: failed-to-change-username
- fd:
- classification: "User/Behavioral - Failure"
- value: "Failed to generate delegation token"
- type:
- - info
- - user
- category:
- - iam
- action: failed-to-generate-delegation-token
- fdeaz:
- classification: "User/Behavioral - Failure"
- value: "Device authorization request failed"
- type:
- - info
- - user
- category:
- - iam
- action: failed-device-authorization-request
- fdecc:
- classification: 
"User/Behavioral - Failure" - value: "User did not confirm device" - type: - - info - action: user-device-not-confirmed - fdu: - classification: "User/Behavioral - Failure" - value: "Failed user deletion" - type: - - deletion - - user - category: - - iam - action: failed-user-deletion - fn: - classification: "User/Behavioral - Failure" - value: "Failed to send email notification" - type: - - info - action: failed-to-send-email-notification - fv: - classification: "User/Behavioral - Failure" - value: "Failed to send verification email" - type: - - info - action: failed-to-send-verification-email - fvr: - classification: "User/Behavioral - Failure" - value: "Failed to process verification email request" - type: - - info - action: failed-to-process-verification-email - cs: - classification: "User/Behavioral - Notification" - value: "Passwordless login code has been sent" - type: - - info - action: passwordless-login-code-sent - du: - classification: "User/Behavioral - Notification" - value: "User has been deleted" - type: - - info - - user - - deletion - category: - - iam - action: user-deleted - gd_enrollment_complete: - classification: "User/Behavioral - Notification" - value: "A first time MFA user has successfully enrolled using one of the factors" - type: - - info - - change - - end - category: - - iam - - session - action: mfa-enrollment-completed - gd_start_enroll: - classification: "User/Behavioral - Notification" - value: "Multi-factor authentication enroll has started" - type: - - info - - change - - start - category: - - iam - - session - action: mfa-enrollment-started - gd_unenroll: - classification: "User/Behavioral - Notification" - value: "Device used for second factor authentication has been unenrolled" - type: - - info - - deletion - category: - - iam - action: mfa-device-unenrolled - gd_update_device_account: - classification: "User/Behavioral - Notification" - value: "Device used for second factor authentication has been updated" - type: - - info - 
- change - category: - - iam - action: mfa-device-updated - ublkdu: - classification: "User/Behavioral - Notification" - value: "User block setup by anomaly detection has been released" - type: - - info - action: user-login-block-released - sce: - classification: "User/Behavioral - Success" - value: "Successfully changed user email" - type: - - info - - change - - user - category: - - iam - action: user-email-changed-successfully - scp: - classification: "User/Behavioral - Success" - value: "Successfully changed password" - type: - - info - - change - - user - category: - - iam - action: user-password-changed-successfully - scpn: - classification: "User/Behavioral - Success" - value: "Successfully changed phone number" - type: - - info - - change - - user - category: - - iam - action: user-phone-number-changed-successfully - scpr: - classification: "User/Behavioral - Success" - value: "Successful change password request" - type: - - info - - change - - user - category: - - iam - action: user-password-change-request-successful - scu: - classification: "User/Behavioral - Success" - value: "Successfully changed username" - type: - - info - - change - - user - category: - - iam - action: username-changed-successfully - sdu: - classification: "User/Behavioral - Success" - value: "User successfully deleted" - type: - - info - - deletion - category: - - iam - action: user-deleted-successfully - srrt: - classification: "User/Behavioral - Success" - value: "Successfully revoked a Refresh Token" - type: - - info - - deletion - category: - - iam - action: revoked-refresh-token-successfully - sui: - classification: "User/Behavioral - Success" - value: "Successfully imported users" - type: - - info - - user - category: - - iam - action: imported-users-successfully - sv: - classification: "User/Behavioral - Success" - value: "Sent verification email" - type: - - info - - user - category: - - iam - action: sent-verification-email - svr: - classification: "User/Behavioral - 
Success" - value: "Successfully processed verification email request" - type: - - info - - user - category: - - iam - action: email-verification-processed-successfully - fcph: - classification: "Other" - value: "Failed Post Change Password Hook" - type: - - change - - user - category: - - iam - action: failed-post-change-password-hook - fdeac: - classification: "Other" - value: "Failed to activate device" - type: - - info - action: failed-to-activate-device - fi: - classification: "Other" - value: "Failed to accept a user invitation. This could happen if the user accepts an invitation using a different email address than provided in the invitation, or due to a system failure while provisioning the invitation." - type: - - info - action: failed-to-accept-user-invitation - gd_auth_failed: - classification: "Other" - value: "Multi-factor authentication failed. This could happen due to a wrong code entered for SMS/Voice/Email/TOTP factors, or a system failure." - type: - - info - action: mfa-authentication-failed-wrong-code - gd_auth_rejected: - classification: "Other" - value: "A user rejected a Multi-factor authentication request via push-notification." - type: - - info - action: user-rejected-mfa-request - gd_auth_succeed: - classification: "Other" - value: "Multi-factor authentication success." - type: - - info - action: mfa-authentication-succeeded - gd_otp_rate_limit_exceed: - classification: "Other" - value: "A user, during enrollment or authentication, enters an incorrect code more than the maximum allowed number of times. Ex: A user enrolling in SMS enters the 6-digit code wrong more than 10 times in a row." - type: - - info - - indicator - category: - - threat - action: user-entered-too-many-incorrect-codes - gd_recovery_failed: - classification: "Other" - value: "A user enters a wrong recovery code when attempting to authenticate." 
- type: - - info - action: user-entered-wrong-recovery-code - gd_recovery_rate_limit_exceed: - classification: "Other" - value: "A user enters a wrong recovery code too many times." - type: - - info - - indicator - category: - - threat - action: user-entered-too-many-wrong-codes - gd_recovery_succeed: - classification: "Other" - value: "A user successfully authenticates with a recovery code" - type: - - info - action: recovery-succeeded - gd_send_pn: - classification: "Other" - value: "Push notification for MFA sent successfully sent." - type: - - info - action: push-notification-sent - gd_send_sms: - classification: "Other" - value: "SMS for MFA successfully sent." - type: - - info - action: sms-sent - gd_send_sms_failure: - classification: "Other" - value: "Attempt to send SMS for MFA failed." - type: - - info - action: failed-to-send-sms - gd_send_voice: - classification: "Other" - value: "Voice call for MFA successfully made." - type: - - info - action: voice-call-made - gd_send_voice_failure: - classification: "Other" - value: "Attempt to make Voice call for MFA failed." - type: - - info - action: voice-call-failure - gd_start_auth: - classification: "Other" - value: "Second factor authentication event started for MFA." - type: - - info - action: 2fa-auth-event-started - gd_tenant_update: - classification: "Other" - value: "Guardian tenant update" - type: - - info - action: guardian-tenant-update - limit_sul: - classification: "Other" - value: "A user is temporarily prevented from logging in because more than 20 logins per minute occurred from the same IP address" - type: - - info - - indicator - category: - - threat - action: user-blocked-too-many-failed-logins-from-same-ip - mfar: - classification: "Other" - value: "A user has been prompted for multi-factor authentication (MFA). When using Adaptive MFA, Auth0 includes details about the risk assessment." 
- type: - - info - action: user-prompted-for-mfa - pla: - classification: "Other" - value: "This log is generated before a login and helps in monitoring the behavior of bot detection without having to enable it." - type: - - info - action: pre-login-assessment - pwd_leak: - classification: "Other" - value: "Someone behind the IP address attempted to login with a leaked password." - type: - - info - category: - - intrusion_detection - action: login-with-breached-password - scph: - classification: "Other" - value: "Success Post Change Password Hook" - type: - - info - action: success-post-change-password-hook - sd: - classification: "Other" - value: "Success delegation" - type: - - info - action: success-delegation - si: - classification: "Other" - value: "Successfully accepted a user invitation" - type: - - info - action: successfully-accepted-user-invitation - ss: - classification: "Other" - value: "Success Signup" - type: - - info - action: success-signup - source: |- - def eventType = ctx.auth0.logs.data.type; - def actions = params.get('actions'); - def actionData = actions.get(eventType); - if (actionData == null) { - ctx.event.action = 'unknown-' + eventType; - ctx.event.type = ['info']; - return; - } - // overwrite type abbreviation with actual value - def eventTypeVal = actionData.get('value'); - if (eventTypeVal != null) { - ctx.auth0.logs.data.type = eventTypeVal; - } - // event.type - def actionType = actionData.get('type'); - if (actionType != null) { - ctx.event.type = new ArrayList(actionType); - } - // event.category - def actionCategory = actionData.get('category'); - if (actionCategory != null) { - for (def c : actionCategory) { - ctx.event.category.add(c); - } - } - // event.action - def action = actionData.get('action'); - if (action != null) { - ctx.event.action = action; - } - // auth0 event category / classification group - def classification = actionData.get('classification'); - if (classification != null) { - 
ctx.auth0.logs.data.classification = classification; - } - // event.outcome - if (classification.toLowerCase().contains("success")) { - ctx.event.outcome = "success"; - } else if (classification.toLowerCase().contains("failure")) { - ctx.event.outcome = "failure"; - } else { - ctx.event.outcome = "unknown"; - } -- date: - if: ctx?.auth0?.logs?.data?.details?.initiatedAt != null - field: auth0.logs.data.details.initiatedAt - target_field: auth0.logs.data.login.initiatedAt - formats: - - UNIX_MS -- date: - if: ctx?.auth0?.logs?.data?.details?.completedAt != null - field: auth0.logs.data.details.completedAt - target_field: auth0.logs.data.login.completedAt - formats: - - UNIX_MS -- convert: - if: ctx?.auth0?.logs?.data?.details?.elapsedTime != null - field: auth0.logs.data.details.elapsedTime - target_field: auth0.logs.data.login.elapsedTime - type: long - ignore_missing: true -- convert: - if: "ctx.auth0.logs.data.type == 'Successful login'" - field: auth0.logs.data.details.stats.loginsCount - target_field: auth0.logs.data.login.stats.loginsCount - type: long - ignore_missing: true -## -# Clean up -## -- remove: - field: - - json - - auth0.logs.data.ip - - auth0.logs.data.user_name - - auth0.logs.data.user_id - - auth0.logs.data.user_agent - - auth0.logs.data.log_id - ignore_missing: true -- remove: - field: event.original - if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" - ignore_failure: true - ignore_missing: true -- script: - lang: painless - description: This script processor iterates over the whole document to remove fields with null values. 
- source: |
- void handleMap(Map map) {
- for (def x : map.values()) {
- if (x instanceof Map) {
- handleMap(x);
- } else if (x instanceof List) {
- handleList(x);
- }
- }
- map.values().removeIf(v -> v == null || v == '' || (v instanceof Map && v.size() == 0) || (v instanceof List && v.size() == 0));
- }
- void handleList(List list) {
- for (def x : list) {
- if (x instanceof Map) {
- handleMap(x);
- } else if (x instanceof List) {
- handleList(x);
- }
- }
- list.removeIf(v -> v == null || v == '' || (v instanceof Map && v.size() == 0) || (v instanceof List && v.size() == 0));
- }
- handleMap(ctx);
-
-on_failure:
-- set:
- field: error.message
- value: '{{ _ingest.on_failure_message }}'
diff --git a/packages/auth0/1.2.2/data_stream/logs/fields/agent.yml b/packages/auth0/1.2.2/data_stream/logs/fields/agent.yml
deleted file mode 100755
index b4f84cf84a..0000000000
--- a/packages/auth0/1.2.2/data_stream/logs/fields/agent.yml
+++ /dev/null
@@ -1,3 +0,0 @@
-- name: input.type
- type: keyword
- description: Input type.
diff --git a/packages/auth0/1.2.2/data_stream/logs/fields/base-fields.yml b/packages/auth0/1.2.2/data_stream/logs/fields/base-fields.yml
deleted file mode 100755
index bc27cfd1c1..0000000000
--- a/packages/auth0/1.2.2/data_stream/logs/fields/base-fields.yml
+++ /dev/null
@@ -1,20 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: '@timestamp'
- type: date
- description: Event timestamp.
-- name: event.module
- type: constant_keyword
- description: Event timestamp.
- value: auth0
-- name: event.dataset
- type: constant_keyword
- description: Event timestamp.
- value: auth0.logs
diff --git a/packages/auth0/1.2.2/data_stream/logs/fields/ecs.yml b/packages/auth0/1.2.2/data_stream/logs/fields/ecs.yml
deleted file mode 100755
index 3f2bc288be..0000000000
--- a/packages/auth0/1.2.2/data_stream/logs/fields/ecs.yml
+++ /dev/null
@@ -1,312 +0,0 @@
-- description: |-
- Name of the directory the user is a member of.
- For example, an LDAP or Active Directory domain name.
- name: destination.user.domain
- type: keyword
-- description: Unique identifier of the user.
- name: destination.user.id
- type: keyword
-- description: Short name or login of the user.
- multi_fields:
- - name: text
- type: match_only_text
- name: destination.user.name
- type: keyword
-- description: |-
- ECS version this event conforms to. `ecs.version` is a required field and must exist in all events.
- When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events.
- name: ecs.version
- type: keyword
-- description: |-
- The action captured by the event.
- This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer.
- name: event.action
- type: keyword
-- description: |-
- This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy.
- `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory.
- This field is an array. This will allow proper categorization of some events that fall in multiple categories.
- name: event.category
- normalize:
- - array
- type: keyword
-- description: |-
- Identification code for this event, if one exists.
- Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID.
- name: event.code
- type: keyword
-- description: |-
- event.created contains the date/time when the event was first read by an agent, or by your pipeline.
- This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event.
- In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source.
- In case the two timestamps are identical, @timestamp should be used.
- name: event.created
- type: date
-- description: |-
- Timestamp when an event arrived in the central data store.
- This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event.
- In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`.
- name: event.ingested
- type: date
-- description: |-
- This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy.
- `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events.
- The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not.
- name: event.kind
- type: keyword
-- description: |-
- This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy.
- `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event.
- Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective.
- Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer.
- Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense.
- name: event.outcome
- type: keyword
-- description: |-
- Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex.
- This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`.
- doc_values: false
- index: false
- name: event.original
- type: keyword
-- description: |-
- Source of the event.
- Event transports such as Syslog or the Windows Event Log typically mention the source of an event. It can be the name of the software that generated the event (e.g. Sysmon, httpd), or of a subsystem of the operating system (kernel, Microsoft-Windows-Security-Auditing).
- name: event.provider
- type: keyword
-- description: |-
- Sequence number of the event.
- The sequence number is a value published by some event sources, to make the exact ordering of events unambiguous, regardless of the timestamp precision.
- name: event.sequence
- type: long
-- description: |-
- This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy.
- `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization.
- This field is an array. This will allow proper categorization of some events that fall in multiple event types.
- name: event.type
- normalize:
- - array
- type: keyword
-- description: Unique ID to describe the event.
- name: event.id
- type: keyword
-- description: Directory where the file is located. It should include the drive letter, when appropriate.
- name: file.directory
- type: keyword
-- description: |-
- File extension, excluding the leading dot.
- Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz").
- name: file.extension
- type: keyword
-- description: Name of the file including the extension, without the directory.
- name: file.name
- type: keyword
-- description: Full path to the file, including the file name. It should include the drive letter, when appropriate.
- multi_fields:
- - name: text
- type: match_only_text
- name: file.path
- type: keyword
-- description: |-
- Name of the host.
- It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.
- name: host.name
- type: keyword
-- description: |-
- Original log level of the log event.
- If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity).
- Some examples are `warn`, `err`, `i`, `informational`.
- name: log.level
- type: keyword
-- description: |-
- Array of process arguments, starting with the absolute path to the executable.
- May be filtered to protect sensitive information.
- name: process.args
- normalize:
- - array
- type: keyword
-- description: |-
- Length of the process.args array.
- This field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. More arguments may be an indication of suspicious activity.
- name: process.args_count
- type: long
-- description: |-
- Full command line that started the process, including the absolute path to the executable, and all arguments.
- Some arguments may be filtered to protect sensitive information.
- multi_fields:
- - name: text
- type: match_only_text
- name: process.command_line
- type: wildcard
-- description: |-
- Unique identifier for the process.
- The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process.
- Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts.
- name: process.entity_id
- type: keyword
-- description: Absolute path to the process executable.
- multi_fields:
- - name: text
- type: match_only_text
- name: process.executable
- type: keyword
-- description: |-
- Process name.
- Sometimes called program name or similar.
- multi_fields:
- - name: text
- type: match_only_text
- name: process.name
- type: keyword
-- description: Process id.
- name: process.pid
- type: long
-- description: |-
- Process title.
- The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened.
- multi_fields:
- - name: text
- type: match_only_text
- name: process.title
- type: keyword
-- description: All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search).
- name: related.hash
- normalize:
- - array
- type: keyword
-- description: All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases.
- name: related.hosts
- normalize:
- - array
- type: keyword
-- description: All of the IPs seen on your event.
- name: related.ip
- normalize:
- - array
- type: ip
-- description: All the user names or other user identifiers seen on the event.
- name: related.user
- normalize:
- - array
- type: keyword
-- description: |-
- Name of the directory the user is a member of.
- For example, an LDAP or Active Directory domain name.
- name: source.user.domain
- type: keyword
-- description: Unique identifier of the user.
- name: source.user.id
- type: keyword
-- description: Short name or login of the user.
- multi_fields:
- - name: text
- type: match_only_text
- name: source.user.name
- type: keyword
-- description: |-
- Name of the directory the user is a member of.
- For example, an LDAP or Active Directory domain name.
- name: user.domain
- type: keyword
-- description: Unique identifier of the user.
- name: user.id
- type: keyword
-- description: Short name or login of the user.
- multi_fields:
- - name: text
- type: match_only_text
- name: user.name
- type: keyword
-- description: IP address of the source (IPv4 or IPv6).
- name: source.ip
- type: ip
-- description: |-
- In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc
- The field value must be normalized to lowercase for querying.
- name: network.type
- type: keyword
-- description: Unique number allocated to the autonomous system.
The autonomous system number (ASN) uniquely identifies each network on the Internet.
- name: source.as.number
- type: long
-- description: Organization name.
- multi_fields:
- - name: text
- type: match_only_text
- name: source.as.organization.name
- type: keyword
-- description: City name.
- name: source.geo.city_name
- type: keyword
-- description: Name of the continent.
- name: source.geo.continent_name
- type: keyword
-- description: Country ISO code.
- name: source.geo.country_iso_code
- type: keyword
-- description: Country name.
- name: source.geo.country_name
- type: keyword
-- description: Longitude and latitude.
- name: source.geo.location
- type: geo_point
-- description: |-
- User-defined description of a location, at the level of granularity they care about.
- Could be the name of their data centers, the floor number, if this describes a local physical entity, city names.
- Not typically used in automated geolocation.
- name: source.geo.name
- type: keyword
-- description: Region ISO code.
- name: source.geo.region_iso_code
- type: keyword
-- description: Region name.
- name: source.geo.region_name
- type: keyword
-- description: Name of the user agent.
- name: user_agent.name
- type: keyword
-- description: Name of the device.
- name: user_agent.device.name
- type: keyword
-- description: Unparsed user_agent string.
- multi_fields:
- - name: text
- type: match_only_text
- name: user_agent.original
- type: keyword
-- description: Version of the user agent.
- name: user_agent.version
- type: keyword
-- description: OS family (such as redhat, debian, freebsd, windows).
- name: user_agent.os.family
- type: keyword
-- description: Operating system name, including the version or code name.
- multi_fields:
- - name: text
- type: match_only_text
- name: user_agent.os.full
- type: keyword
-- description: Operating system kernel version as a raw string.
- name: user_agent.os.kernel
- type: keyword
-- description: Operating system name, without the version.
- multi_fields:
- - name: text
- type: match_only_text
- name: user_agent.os.name
- type: keyword
-- description: Operating system platform (such centos, ubuntu, windows).
- name: user_agent.os.platform
- type: keyword
-- description: |-
- Use the `os.type` field to categorize the operating system into one of the broad commercial families.
- If the OS you're dealing with is not listed as an expected value, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition.
- name: user_agent.os.type
- type: keyword
-- description: Operating system version as a raw string.
- name: user_agent.os.version
- type: keyword
-- description: List of keywords used to tag each event.
- name: tags
- normalize:
- - array
- type: keyword
diff --git a/packages/auth0/1.2.2/data_stream/logs/fields/fields.yml b/packages/auth0/1.2.2/data_stream/logs/fields/fields.yml
deleted file mode 100755
index a1d734682f..0000000000
--- a/packages/auth0/1.2.2/data_stream/logs/fields/fields.yml
+++ /dev/null
@@ -1,123 +0,0 @@
-- name: auth0
- type: group
- description: Fields for Auth0 events.
- fields:
- - name: logs
- type: group
- description: Fields for Auth0 log events.
- fields:
- - name: log_id
- type: keyword
- description: Unique log event identifier
- - name: data
- type: group
- description: log stream event data
- fields:
- - name: log_id
- type: keyword
- description: Unique log event identifier
- - name: date
- type: date
- description: Date when the event occurred in ISO 8601 format.
- - name: type
- type: keyword
- description: Type of event.
- - name: description
- type: text
- description: Description of this event.
- - name: connection
- type: keyword
- description: Name of the connection the event relates to.
- - name: connection_id
- type: keyword
- description: ID of the connection the event relates to.
- - name: client_id
- type: keyword
- description: ID of the client (application).
- - name: client_name
- type: keyword
- description: Name of the client (application).
- - name: ip
- type: ip
- description: IP address of the log event source.
- - name: hostname
- type: keyword
- description: Hostname the event applies to.
- - name: user_id
- type: keyword
- description: ID of the user involved in the event.
- - name: user_name
- type: keyword
- description: Name of the user involved in the event.
- - name: audience
- type: keyword
- description: API audience the event applies to.
- - name: scope
- type: keyword
- description: Scope permissions applied to the event.
- - name: strategy
- type: keyword
- description: Name of the strategy involved in the event.
- - name: strategy_type
- type: keyword
- description: Type of strategy involved in the event.
- - name: is_mobile
- type: boolean
- description: Whether the client was a mobile device (true) or desktop/laptop/server (false).
- - name: classification
- type: keyword
- description: Log stream filters
- - name: details
- type: flattened
- description: Additional useful details about this event (values here depend upon event type).
- - name: login
- type: group
- description: Filtered fields for login type
- fields:
- - name: initiatedAt
- type: date
- description: Time at which the operation was initiated
- - name: completedAt
- type: date
- description: Time at which the operation was completed
- - name: elapsedTime
- type: long
- description: Number of milliseconds the operation took to complete.
- - name: stats
- type: group
- description: login stats
- fields:
- - name: loginsCount
- type: long
- description: Total number of logins performed by the user
- - name: user_agent
- type: text
- description: User agent string from the client device that caused the event.
- - name: location_info
- type: group
- description: Information about the location that triggered this event based on the IP.
- fields:
- - name: country_code
- type: keyword
- description: Two-letter [Alpha-2 ISO 3166-1](https://www.iso.org/iso-3166-country-codes.html) country code
- - name: country_code3
- type: keyword
- description: Three-letter [Alpha-3 ISO 3166-1](https://www.iso.org/iso-3166-country-codes.html) country code
- - name: country_name
- type: keyword
- description: Full country name in English.
- - name: city_name
- type: keyword
- description: Full city name in English.
- - name: latitude
- type: keyword
- description: Global latitude (horizontal) position.
- - name: longitude
- type: keyword
- description: Global longitude (vertical) position.
- - name: time_zone
- type: keyword
- description: Time zone name as found in the [tz database](https://www.iana.org/time-zones).
- - name: continent_code
- type: keyword
- description: Continent the country is located within. Can be AF (Africa), AN (Antarctica), AS (Asia), EU (Europe), NA (North America), OC (Oceania) or SA (South America).
diff --git a/packages/auth0/1.2.2/data_stream/logs/manifest.yml b/packages/auth0/1.2.2/data_stream/logs/manifest.yml
deleted file mode 100755
index 0e7b6a206d..0000000000
--- a/packages/auth0/1.2.2/data_stream/logs/manifest.yml
+++ /dev/null
@@ -1,74 +0,0 @@
-title: "Auth0 logs via Webhooks"
-type: logs
-streams:
- - input: http_endpoint
- title: Auth0 log events
- description: Receives log events from Auth0
- template_path: http_endpoint.yml.hbs
- vars:
- - name: listen_address
- type: text
- title: Listen Address
- description: Bind address for the listener. Use 0.0.0.0 to listen on all interfaces.
- multi: false
- required: true
- show_user: true
- default: localhost
- - name: listen_port
- type: integer
- title: Listen Port
- multi: false
- required: true
- show_user: true
- default: 8383
- - name: url
- type: text
- title: Webhook path
- description: URL path where the webhook will accept requests.
- multi: false
- required: true
- show_user: false
- default: /auth0/logs
- - name: secret_value
- type: text
- description: Authorization token
- multi: false
- required: false
- show_user: true
- - name: ssl
- type: yaml
- title: TLS
- description: Options for enabling TLS for the listening webhook endpoint. See the [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/configuration-ssl.html) for a list of all options.
- multi: false
- required: false
- show_user: false
- default: |
- enabled: false
- certificate: "/etc/pki/client/cert.pem"
- key: "/etc/pki/client/cert.key"
- - name: tags
- type: text
- title: Tags
- multi: true
- required: true
- show_user: false
- default:
- - forwarded
- - auth0-logstream
- - name: preserve_original_event
- required: true
- show_user: true
- title: Preserve original event
- description: Preserves a raw copy of the original event, added to the field `event.original`
- type: bool
- multi: false
- default: false
- - name: processors
- type: yaml
- title: Processors
- multi: false
- required: false
- show_user: false
- description: >
- Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. 
See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
-
diff --git a/packages/auth0/1.2.2/data_stream/logs/sample_event.json b/packages/auth0/1.2.2/data_stream/logs/sample_event.json
deleted file mode 100755
index f1f4ada246..0000000000
--- a/packages/auth0/1.2.2/data_stream/logs/sample_event.json
+++ /dev/null
@@ -1,156 +0,0 @@
-{
- "@timestamp": "2021-11-03T03:25:28.923Z",
- "agent": {
- "ephemeral_id": "3c2232a0-df0e-48e0-8440-96d5500ce25c",
- "hostname": "docker-fleet-agent",
- "id": "38ed1ea2-8c9a-4d5a-81ee-826cead96859",
- "name": "docker-fleet-agent",
- "type": "filebeat",
- "version": "7.16.2"
- },
- "auth0": {
- "logs": {
- "data": {
- "classification": "Login - Success",
- "client_id": "aI61p8I8aFjmYRliLWgvM9ev97kCCNDB",
- "client_name": "Default App",
- "connection": "Username-Password-Authentication",
- "connection_id": "con_1a5wCUmAs6VOU17n",
- "date": "2021-11-03T03:25:28.923Z",
- "details": {
- "completedAt": 1635909928922,
- "elapsedTime": 1110091,
- "initiatedAt": 1635908818831,
- "prompts": [
- {
- "completedAt": 1635909903693,
- "connection": "Username-Password-Authentication",
- "connection_id": "con_1a5wCUmAs6VOU17n",
- "identity": "6182002f34f4dd006b05b5c7",
- "name": "prompt-authenticate",
- "stats": {
- "loginsCount": 1
- },
- "strategy": "auth0"
- },
- {
- "completedAt": 1635909903745,
- "elapsedTime": 1084902,
- "flow": "universal-login",
- "initiatedAt": 1635908818843,
- "name": "login",
- "timers": {
- "rules": 5
- },
- "user_id": "auth0|6182002f34f4dd006b05b5c7",
- "user_name": "neo@test.com"
- },
- {
- "completedAt": 1635909928352,
- "elapsedTime": 23378,
- "flow": "consent",
- "grantInfo": {
- "audience": "https://dev-yoj8axza.au.auth0.com/userinfo",
- "id": "618201284369c9b4f9cd6d52",
- "scope": "openid profile"
- },
- "initiatedAt": 1635909904974,
- "name": "consent"
- }
- ],
- "session_id": "1TAd-7tsPYzxWudzqfHYXN0e6q1D0GSc",
- "stats": {
- "loginsCount": 1
- }
- },
- "hostname": "dev-yoj8axza.au.auth0.com",
- "login": {
- "completedAt": "2021-11-03T03:25:28.922Z",
- "elapsedTime": 1110091,
- "initiatedAt": "2021-11-03T03:06:58.831Z",
- "stats": {
- "loginsCount": 1
- }
- },
- "strategy": "auth0",
- "strategy_type": "database",
- "type": "Successful login"
- }
- }
- },
- "data_stream": {
- "dataset": "auth0.logs",
- "namespace": "ep",
- 
"type": "logs"
- },
- "ecs": {
- "version": "8.3.0"
- },
- "elastic_agent": {
- "id": "38ed1ea2-8c9a-4d5a-81ee-826cead96859",
- "snapshot": false,
- "version": "7.16.2"
- },
- "event": {
- "action": "successful-login",
- "agent_id_status": "verified",
- "category": [
- "authentication",
- "session"
- ],
- "dataset": "auth0.logs",
- "id": "90020211103032530111223343147286033102509916061341581378",
- "ingested": "2022-01-20T05:57:05Z",
- "kind": "event",
- "original": "{\"data\":{\"client_id\":\"aI61p8I8aFjmYRliLWgvM9ev97kCCNDB\",\"client_name\":\"Default App\",\"connection\":\"Username-Password-Authentication\",\"connection_id\":\"con_1a5wCUmAs6VOU17n\",\"date\":\"2021-11-03T03:25:28.923Z\",\"details\":{\"completedAt\":1635909928922,\"elapsedTime\":1110091,\"initiatedAt\":1635908818831,\"prompts\":[{\"completedAt\":1635909903693,\"connection\":\"Username-Password-Authentication\",\"connection_id\":\"con_1a5wCUmAs6VOU17n\",\"elapsedTime\":null,\"identity\":\"6182002f34f4dd006b05b5c7\",\"name\":\"prompt-authenticate\",\"stats\":{\"loginsCount\":1},\"strategy\":\"auth0\"},{\"completedAt\":1635909903745,\"elapsedTime\":1084902,\"flow\":\"universal-login\",\"initiatedAt\":1635908818843,\"name\":\"login\",\"timers\":{\"rules\":5},\"user_id\":\"auth0|6182002f34f4dd006b05b5c7\",\"user_name\":\"neo@test.com\"},{\"completedAt\":1635909928352,\"elapsedTime\":23378,\"flow\":\"consent\",\"grantInfo\":{\"audience\":\"https://dev-yoj8axza.au.auth0.com/userinfo\",\"expiration\":null,\"id\":\"618201284369c9b4f9cd6d52\",\"scope\":\"openid profile\"},\"initiatedAt\":1635909904974,\"name\":\"consent\"}],\"session_id\":\"1TAd-7tsPYzxWudzqfHYXN0e6q1D0GSc\",\"stats\":{\"loginsCount\":1}},\"hostname\":\"dev-yoj8axza.au.auth0.com\",\"ip\":\"81.2.69.143\",\"log_id\":\"90020211103032530111223343147286033102509916061341581378\",\"strategy\":\"auth0\",\"strategy_type\":\"database\",\"type\":\"s\",\"user_agent\":\"Mozilla/5.0 (X11;Ubuntu; Linux x86_64; rv:93.0) Gecko/20100101 
Firefox/93.0\",\"user_id\":\"auth0|6182002f34f4dd006b05b5c7\",\"user_name\":\"neo@test.com\"},\"log_id\":\"90020211103032530111223343147286033102509916061341581378\"}",
- "outcome": "success",
- "type": [
- "info",
- "start"
- ]
- },
- "input": {
- "type": "http_endpoint"
- },
- "log": {
- "level": "info"
- },
- "network": {
- "type": "ipv4"
- },
- "source": {
- "geo": {
- "city_name": "London",
- "continent_name": "Europe",
- "country_iso_code": "GB",
- "country_name": "United Kingdom",
- "location": {
- "lat": 51.5142,
- "lon": -0.0931
- },
- "region_iso_code": "GB-ENG",
- "region_name": "England"
- },
- "ip": "81.2.69.143"
- },
- "tags": [
- "preserve_original_event",
- "forwarded",
- "auth0-logstream"
- ],
- "user": {
- "id": "auth0|6182002f34f4dd006b05b5c7",
- "name": "neo@test.com"
- },
- "user_agent": {
- "device": {
- "name": "Other"
- },
- "name": "Firefox",
- "original": "Mozilla/5.0 (X11;Ubuntu; Linux x86_64; rv:93.0) Gecko/20100101 Firefox/93.0",
- "os": {
- "name": "Ubuntu"
- },
- "version": "93.0."
- }
-}
\ No newline at end of file
diff --git a/packages/auth0/1.2.2/docs/README.md b/packages/auth0/1.2.2/docs/README.md
deleted file mode 100755
index 54dd19aa56..0000000000
--- a/packages/auth0/1.2.2/docs/README.md
+++ /dev/null
@@ -1,330 +0,0 @@ -# Auth0 Log Streams Integration - -Auth0 offers integrations that push log events via log streams to Elasticsearch. The [Auth0 Log Streams](https://auth0.com/docs/customize/log-streams) integration package creates a HTTP listener that accepts incoming log events and ingests them into Elasticsearch. This allows you to search, observe and visualize the Auth0 log events through Elasticsearch. - -The agent running this integration must be able to accept requests from the Internet in order for Auth0 to be able connect. Auth0 requires that the webhook accept requests over HTTPS. So you must either configure the integration with a valid TLS certificate or use a reverse proxy in front of the integration. - -For more information, see Auth0's webpage on [integration to Elastic Security](https://marketplace.auth0.com/integrations/elastic-security). - -## Compatability - -The package collects log events sent via log stream webhooks. - -## Configuration - -### Enabling the integration in Elastic - -1. In Kibana go to **Management > Integrations** -2. In "Search for integrations" search bar type **Auth0** -3. Click on "Auth0" integration from the search results. -4. Click on **Add Auth0** button to add Auth0 integration. - -### Configure the Auth0 integration - -1. Enter values for "Listen Address", "Listen Port" and "Webhook path" to form the endpoint URL. Make note of the **Endpoint URL** `https://{AGENT_ADDRESS}:8383/auth0/logs`. -2. Enter value for "Secret value". This must match the "Authorization Token" value entered when configuring the "Custom Webhook" from Auth0 cloud. -3. Enter values for "TLS". Auth0 requires that the webhook accept requests over HTTPS. So you must either configure the integration with a valid TLS certificate or use a reverse proxy in front of the integration. - -### Creating the stream in Auth0 - -1. From the Auth0 management console, navigate to **Logs > Streams** and click **+ Create Stream**. -2. Choose **Custom Webhook**. -3. 
Name the new **Event Stream** appropriately (e.g. Elastic) and click **Create**. -4. In **Payload URL**, paste the **Endpoint URL** collected during Step 1 of **Configure the Auth0 integration** section. -5. In **Authorization Token**, paste the **Authorization Token**. This must match the value entered in Step 2 of **Configure the Auth0 integration** section. -6. In **Content Type**, choose **application/json**. -7. In **Content Format**, choose **JSON Lines**. -8. **Click Save**. - -## Log Events - -Enable to collect Auth0 log events for all the applications configured for the chosen log stream. - -## Logs - -### Log Stream Events - -The Auth0 logs dataset provides events from Auth0 log stream. All Auth0 log events are available in the `auth0.logs` field group. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| auth0.logs.data.audience | API audience the event applies to. | keyword | -| auth0.logs.data.classification | Log stream filters | keyword | -| auth0.logs.data.client_id | ID of the client (application). | keyword | -| auth0.logs.data.client_name | Name of the client (application). | keyword | -| auth0.logs.data.connection | Name of the connection the event relates to. | keyword | -| auth0.logs.data.connection_id | ID of the connection the event relates to. | keyword | -| auth0.logs.data.date | Date when the event occurred in ISO 8601 format. | date | -| auth0.logs.data.description | Description of this event. | text | -| auth0.logs.data.details | Additional useful details about this event (values here depend upon event type). | flattened | -| auth0.logs.data.hostname | Hostname the event applies to. | keyword | -| auth0.logs.data.ip | IP address of the log event source. | ip | -| auth0.logs.data.is_mobile | Whether the client was a mobile device (true) or desktop/laptop/server (false). | boolean | -| auth0.logs.data.location_info.city_name | Full city name in English. 
| keyword | -| auth0.logs.data.location_info.continent_code | Continent the country is located within. Can be AF (Africa), AN (Antarctica), AS (Asia), EU (Europe), NA (North America), OC (Oceania) or SA (South America). | keyword | -| auth0.logs.data.location_info.country_code | Two-letter [Alpha-2 ISO 3166-1](https://www.iso.org/iso-3166-country-codes.html) country code | keyword | -| auth0.logs.data.location_info.country_code3 | Three-letter [Alpha-3 ISO 3166-1](https://www.iso.org/iso-3166-country-codes.html) country code | keyword | -| auth0.logs.data.location_info.country_name | Full country name in English. | keyword | -| auth0.logs.data.location_info.latitude | Global latitude (horizontal) position. | keyword | -| auth0.logs.data.location_info.longitude | Global longitude (vertical) position. | keyword | -| auth0.logs.data.location_info.time_zone | Time zone name as found in the [tz database](https://www.iana.org/time-zones). | keyword | -| auth0.logs.data.log_id | Unique log event identifier | keyword | -| auth0.logs.data.login.completedAt | Time at which the operation was completed | date | -| auth0.logs.data.login.elapsedTime | Number of milliseconds the operation took to complete. | long | -| auth0.logs.data.login.initiatedAt | Time at which the operation was initiated | date | -| auth0.logs.data.login.stats.loginsCount | Total number of logins performed by the user | long | -| auth0.logs.data.scope | Scope permissions applied to the event. | keyword | -| auth0.logs.data.strategy | Name of the strategy involved in the event. | keyword | -| auth0.logs.data.strategy_type | Type of strategy involved in the event. | keyword | -| auth0.logs.data.type | Type of event. | keyword | -| auth0.logs.data.user_agent | User agent string from the client device that caused the event. | text | -| auth0.logs.data.user_id | ID of the user involved in the event. | keyword | -| auth0.logs.data.user_name | Name of the user involved in the event. 
| keyword | -| auth0.logs.log_id | Unique log event identifier | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| destination.user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword | -| destination.user.id | Unique identifier of the user. | keyword | -| destination.user.name | Short name or login of the user. | keyword | -| destination.user.name.text | Multi-field of `destination.user.name`. | match_only_text | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.code | Identification code for this event, if one exists. Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. 
| keyword | -| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | -| event.dataset | Event timestamp. | constant_keyword | -| event.id | Unique ID to describe the event. | keyword | -| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | -| event.module | Event timestamp. | constant_keyword | -| event.original | Raw text message of entire event. 
Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | -| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | -| event.provider | Source of the event. Event transports such as Syslog or the Windows Event Log typically mention the source of an event. It can be the name of the software that generated the event (e.g. Sysmon, httpd), or of a subsystem of the operating system (kernel, Microsoft-Windows-Security-Auditing). | keyword | -| event.sequence | Sequence number of the event. The sequence number is a value published by some event sources, to make the exact ordering of events unambiguous, regardless of the timestamp precision. | long | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. 
`event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | -| file.directory | Directory where the file is located. It should include the drive letter, when appropriate. | keyword | -| file.extension | File extension, excluding the leading dot. Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword | -| file.name | Name of the file including the extension, without the directory. | keyword | -| file.path | Full path to the file, including the file name. It should include the drive letter, when appropriate. | keyword | -| file.path.text | Multi-field of `file.path`. | match_only_text | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| input.type | Input type. | keyword | -| log.level | Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). Some examples are `warn`, `err`, `i`, `informational`. | keyword | -| network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword | -| process.args | Array of process arguments, starting with the absolute path to the executable. May be filtered to protect sensitive information. | keyword | -| process.args_count | Length of the process.args array. 
This field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. More arguments may be an indication of suspicious activity. | long | -| process.command_line | Full command line that started the process, including the absolute path to the executable, and all arguments. Some arguments may be filtered to protect sensitive information. | wildcard | -| process.command_line.text | Multi-field of `process.command_line`. | match_only_text | -| process.entity_id | Unique identifier for the process. The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. | keyword | -| process.executable | Absolute path to the process executable. | keyword | -| process.executable.text | Multi-field of `process.executable`. | match_only_text | -| process.name | Process name. Sometimes called program name or similar. | keyword | -| process.name.text | Multi-field of `process.name`. | match_only_text | -| process.pid | Process id. | long | -| process.title | Process title. The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. | keyword | -| process.title.text | Multi-field of `process.title`. | match_only_text | -| related.hash | All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). | keyword | -| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. 
| keyword | -| related.ip | All of the IPs seen on your event. | ip | -| related.user | All the user names or other user identifiers seen on the event. | keyword | -| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| source.as.organization.name | Organization name. | keyword | -| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text | -| source.geo.city_name | City name. | keyword | -| source.geo.continent_name | Name of the continent. | keyword | -| source.geo.country_iso_code | Country ISO code. | keyword | -| source.geo.country_name | Country name. | keyword | -| source.geo.location | Longitude and latitude. | geo_point | -| source.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | -| source.geo.region_iso_code | Region ISO code. | keyword | -| source.geo.region_name | Region name. | keyword | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| source.user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword | -| source.user.id | Unique identifier of the user. | keyword | -| source.user.name | Short name or login of the user. | keyword | -| source.user.name.text | Multi-field of `source.user.name`. | match_only_text | -| tags | List of keywords used to tag each event. | keyword | -| user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword | -| user.id | Unique identifier of the user. | keyword | -| user.name | Short name or login of the user. | keyword | -| user.name.text | Multi-field of `user.name`. 
| match_only_text | -| user_agent.device.name | Name of the device. | keyword | -| user_agent.name | Name of the user agent. | keyword | -| user_agent.original | Unparsed user_agent string. | keyword | -| user_agent.original.text | Multi-field of `user_agent.original`. | match_only_text | -| user_agent.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| user_agent.os.full | Operating system name, including the version or code name. | keyword | -| user_agent.os.full.text | Multi-field of `user_agent.os.full`. | match_only_text | -| user_agent.os.kernel | Operating system kernel version as a raw string. | keyword | -| user_agent.os.name | Operating system name, without the version. | keyword | -| user_agent.os.name.text | Multi-field of `user_agent.os.name`. | match_only_text | -| user_agent.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| user_agent.os.type | Use the `os.type` field to categorize the operating system into one of the broad commercial families. If the OS you're dealing with is not listed as an expected value, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. | keyword | -| user_agent.os.version | Operating system version as a raw string. | keyword | -| user_agent.version | Version of the user agent. 
| keyword | - - -An example event for `logs` looks as following: - -```json -{ - "@timestamp": "2021-11-03T03:25:28.923Z", - "agent": { - "ephemeral_id": "3c2232a0-df0e-48e0-8440-96d5500ce25c", - "hostname": "docker-fleet-agent", - "id": "38ed1ea2-8c9a-4d5a-81ee-826cead96859", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "7.16.2" - }, - "auth0": { - "logs": { - "data": { - "classification": "Login - Success", - "client_id": "aI61p8I8aFjmYRliLWgvM9ev97kCCNDB", - "client_name": "Default App", - "connection": "Username-Password-Authentication", - "connection_id": "con_1a5wCUmAs6VOU17n", - "date": "2021-11-03T03:25:28.923Z", - "details": { - "completedAt": 1635909928922, - "elapsedTime": 1110091, - "initiatedAt": 1635908818831, - "prompts": [ - { - "completedAt": 1635909903693, - "connection": "Username-Password-Authentication", - "connection_id": "con_1a5wCUmAs6VOU17n", - "identity": "6182002f34f4dd006b05b5c7", - "name": "prompt-authenticate", - "stats": { - "loginsCount": 1 - }, - "strategy": "auth0" - }, - { - "completedAt": 1635909903745, - "elapsedTime": 1084902, - "flow": "universal-login", - "initiatedAt": 1635908818843, - "name": "login", - "timers": { - "rules": 5 - }, - "user_id": "auth0|6182002f34f4dd006b05b5c7", - "user_name": "neo@test.com" - }, - { - "completedAt": 1635909928352, - "elapsedTime": 23378, - "flow": "consent", - "grantInfo": { - "audience": "https://dev-yoj8axza.au.auth0.com/userinfo", - "id": "618201284369c9b4f9cd6d52", - "scope": "openid profile" - }, - "initiatedAt": 1635909904974, - "name": "consent" - } - ], - "session_id": "1TAd-7tsPYzxWudzqfHYXN0e6q1D0GSc", - "stats": { - "loginsCount": 1 - } - }, - "hostname": "dev-yoj8axza.au.auth0.com", - "login": { - "completedAt": "2021-11-03T03:25:28.922Z", - "elapsedTime": 1110091, - "initiatedAt": "2021-11-03T03:06:58.831Z", - "stats": { - "loginsCount": 1 - } - }, - "strategy": "auth0", - "strategy_type": "database", - "type": "Successful login" - } - } - }, - 
"data_stream": { - "dataset": "auth0.logs", - "namespace": "ep", - "type": "logs" - }, - "ecs": { - "version": "8.3.0" - }, - "elastic_agent": { - "id": "38ed1ea2-8c9a-4d5a-81ee-826cead96859", - "snapshot": false, - "version": "7.16.2" - }, - "event": { - "action": "successful-login", - "agent_id_status": "verified", - "category": [ - "authentication", - "session" - ], - "dataset": "auth0.logs", - "id": "90020211103032530111223343147286033102509916061341581378", - "ingested": "2022-01-20T05:57:05Z", - "kind": "event", - "original": "{\"data\":{\"client_id\":\"aI61p8I8aFjmYRliLWgvM9ev97kCCNDB\",\"client_name\":\"Default App\",\"connection\":\"Username-Password-Authentication\",\"connection_id\":\"con_1a5wCUmAs6VOU17n\",\"date\":\"2021-11-03T03:25:28.923Z\",\"details\":{\"completedAt\":1635909928922,\"elapsedTime\":1110091,\"initiatedAt\":1635908818831,\"prompts\":[{\"completedAt\":1635909903693,\"connection\":\"Username-Password-Authentication\",\"connection_id\":\"con_1a5wCUmAs6VOU17n\",\"elapsedTime\":null,\"identity\":\"6182002f34f4dd006b05b5c7\",\"name\":\"prompt-authenticate\",\"stats\":{\"loginsCount\":1},\"strategy\":\"auth0\"},{\"completedAt\":1635909903745,\"elapsedTime\":1084902,\"flow\":\"universal-login\",\"initiatedAt\":1635908818843,\"name\":\"login\",\"timers\":{\"rules\":5},\"user_id\":\"auth0|6182002f34f4dd006b05b5c7\",\"user_name\":\"neo@test.com\"},{\"completedAt\":1635909928352,\"elapsedTime\":23378,\"flow\":\"consent\",\"grantInfo\":{\"audience\":\"https://dev-yoj8axza.au.auth0.com/userinfo\",\"expiration\":null,\"id\":\"618201284369c9b4f9cd6d52\",\"scope\":\"openid profile\"},\"initiatedAt\":1635909904974,\"name\":\"consent\"}],\"session_id\":\"1TAd-7tsPYzxWudzqfHYXN0e6q1D0GSc\",\"stats\":{\"loginsCount\":1}},\"hostname\":\"dev-yoj8axza.au.auth0.com\",\"ip\":\"81.2.69.143\",\"log_id\":\"90020211103032530111223343147286033102509916061341581378\",\"strategy\":\"auth0\",\"strategy_type\":\"database\",\"type\":\"s\",\"user_agent\":\"Mozilla/5.0 
(X11;Ubuntu; Linux x86_64; rv:93.0) Gecko/20100101 Firefox/93.0\",\"user_id\":\"auth0|6182002f34f4dd006b05b5c7\",\"user_name\":\"neo@test.com\"},\"log_id\":\"90020211103032530111223343147286033102509916061341581378\"}", - "outcome": "success", - "type": [ - "info", - "start" - ] - }, - "input": { - "type": "http_endpoint" - }, - "log": { - "level": "info" - }, - "network": { - "type": "ipv4" - }, - "source": { - "geo": { - "city_name": "London", - "continent_name": "Europe", - "country_iso_code": "GB", - "country_name": "United Kingdom", - "location": { - "lat": 51.5142, - "lon": -0.0931 - }, - "region_iso_code": "GB-ENG", - "region_name": "England" - }, - "ip": "81.2.69.143" - }, - "tags": [ - "preserve_original_event", - "forwarded", - "auth0-logstream" - ], - "user": { - "id": "auth0|6182002f34f4dd006b05b5c7", - "name": "neo@test.com" - }, - "user_agent": { - "device": { - "name": "Other" - }, - "name": "Firefox", - "original": "Mozilla/5.0 (X11;Ubuntu; Linux x86_64; rv:93.0) Gecko/20100101 Firefox/93.0", - "os": { - "name": "Ubuntu" - }, - "version": "93.0." - } -} -``` diff --git a/packages/auth0/1.2.2/img/auth0-logo.svg b/packages/auth0/1.2.2/img/auth0-logo.svg deleted file mode 100755 index e0f2aa1d36..0000000000 --- a/packages/auth0/1.2.2/img/auth0-logo.svg +++ /dev/null @@ -1,60 +0,0 @@ - - - - - - - - - - - - - - - - - - - - - diff --git a/packages/auth0/1.2.2/img/auth0-screenshot.png b/packages/auth0/1.2.2/img/auth0-screenshot.png deleted file mode 100755 index 72b880f161..0000000000 Binary files a/packages/auth0/1.2.2/img/auth0-screenshot.png and /dev/null differ diff --git a/packages/auth0/1.2.2/kibana/dashboard/auth0-29fb7200-4062-11ec-b18d-ef6bf98b26bf.json b/packages/auth0/1.2.2/kibana/dashboard/auth0-29fb7200-4062-11ec-b18d-ef6bf98b26bf.json deleted file mode 100755 index 86e7ba2c55..0000000000 --- a/packages/auth0/1.2.2/kibana/dashboard/auth0-29fb7200-4062-11ec-b18d-ef6bf98b26bf.json +++ /dev/null 
@@ -1,132 +0,0 @@ -{ - "attributes": { - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-c9215ac0-57f7-4fbb-af81-9f5bb365a238\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"filter-index-pattern-0\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"c9215ac0-57f7-4fbb-af81-9f5bb365a238\":{\"columnOrder\":[\"ad18389f-67bd-47ae-bd5e-7a0a8a74ef31\",\"becf928d-1e95-4cf0-a37f-e4eb735dcc27\"],\"columns\":{\"ad18389f-67bd-47ae-bd5e-7a0a8a74ef31\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of event.category\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"becf928d-1e95-4cf0-a37f-e4eb735dcc27\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"event.category\"},\"becf928d-1e95-4cf0-a37f-e4eb735dcc27\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of 
records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"filter-index-pattern-0\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"auth0.logs\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"auth0.logs\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"ad18389f-67bd-47ae-bd5e-7a0a8a74ef31\"],\"layerId\":\"c9215ac0-57f7-4fbb-af81-9f5bb365a238\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"becf928d-1e95-4cf0-a37f-e4eb735dcc27\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"pie\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":10,\"i\":\"1a13814d-17bf-42cf-8ef9-2dc599fb6766\",\"w\":15,\"x\":0,\"y\":0},\"panelIndex\":\"1a13814d-17bf-42cf-8ef9-2dc599fb6766\",\"title\":\"Auth0 Log Stream Event 
Types\",\"type\":\"lens\",\"version\":\"7.15.1\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-1f92a60a-ed7e-42e4-b03c-4a3fb37e1a35\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"filter-index-pattern-0\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"1f92a60a-ed7e-42e4-b03c-4a3fb37e1a35\":{\"columnOrder\":[\"234dec72-0dd2-42cb-b486-059fa3e0a077\",\"9fb2da13-fb8b-4041-b60e-0840068dc570\"],\"columns\":{\"234dec72-0dd2-42cb-b486-059fa3e0a077\":{\"dataType\":\"date\",\"isBucketed\":true,\"label\":\"@timestamp\",\"operationType\":\"date_histogram\",\"params\":{\"interval\":\"auto\"},\"scale\":\"interval\",\"sourceField\":\"@timestamp\"},\"9fb2da13-fb8b-4041-b60e-0840068dc570\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Unique count of event.type\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"event.type\"}},\"incompleteColumns\":{}}}}},\"filters\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"filter-index-pattern-0\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"auth0.logs\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"auth0.logs\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"accessors\":[\"9fb2da13-fb8b-4041-b60e-0840068dc570\"],\"layerId\":\"1f92a60a-ed7e-42e4-b03c-4a3fb37e1a35\",\"layerType\":\"data\",\"position\":\"top\",\"seriesType\":\"line\",\"showGridlines\":false,\"xAccessor\":\"234dec72-0dd2-42cb-b486-059fa3e0a077\"}],\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"preferredSeriesType\":\"line\",\"title\":\"Empty XY 
chart\",\"valueLabels\":\"hide\",\"yLeftExtent\":{\"mode\":\"full\"},\"yRightExtent\":{\"mode\":\"full\"}}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsXY\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":10,\"i\":\"6089a77e-3c96-4414-9932-eda55ced3d07\",\"w\":14,\"x\":15,\"y\":0},\"panelIndex\":\"6089a77e-3c96-4414-9932-eda55ced3d07\",\"title\":\"Rate of events\",\"type\":\"lens\",\"version\":\"7.15.1\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"}],\"searchSource\":{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"index\":\"logs-*\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"auth0.logs\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"auth0.logs\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"index\":\"logs-*\",\"key\":\"event.category\",\"negate\":false,\"params\":{\"query\":\"Login - Failure\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"event.category\":\"Login - Failure\"}}}],\"index\":\"logs-*\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"addLegend\":false,\"addTooltip\":true,\"metric\":{\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"None\",\"percentageMode\":false,\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":60,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"\",\"type\":\"metric\",\"uiState\":{}}},\"gridData\":{\"h\":10,\"i\":\"5124c723-8890-477e-aad5-bc4fd529bd46\",\"w\":9,\"x\":29,\"y\":0},\"panelIndex\":\"5124c723-8890-477e-aad5-bc4fd529bd46\",\"title\":\"Number of Failed 
Logins\",\"type\":\"visualization\",\"version\":\"7.15.1\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"}],\"searchSource\":{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"index\":\"logs-*\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"auth0.logs\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"auth0.logs\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"index\":\"logs-*\",\"key\":\"event.category\",\"negate\":false,\"params\":{\"query\":\"Signup - Success\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"event.category\":\"Signup - Success\"}}}],\"index\":\"logs-*\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"addLegend\":false,\"addTooltip\":true,\"metric\":{\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"None\",\"percentageMode\":false,\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":60,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"\",\"type\":\"metric\",\"uiState\":{}}},\"gridData\":{\"h\":10,\"i\":\"cb337534-d263-480b-b6a3-80cc4f14d73b\",\"w\":10,\"x\":38,\"y\":0},\"panelIndex\":\"cb337534-d263-480b-b6a3-80cc4f14d73b\",\"title\":\"Number of Successful 
Signups\",\"type\":\"visualization\",\"version\":\"7.15.1\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-e7270679-c5d0-496a-9fd2-7409b402bdb0\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"filter-index-pattern-0\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"filter-index-pattern-1\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"e7270679-c5d0-496a-9fd2-7409b402bdb0\":{\"columnOrder\":[\"60724141-ecf4-4f42-b263-d12cd64fe1a3\",\"14ed1312-1743-452e-89e9-52018d6db787\"],\"columns\":{\"14ed1312-1743-452e-89e9-52018d6db787\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"60724141-ecf4-4f42-b263-d12cd64fe1a3\":{\"dataType\":\"date\",\"isBucketed\":true,\"label\":\"@timestamp\",\"operationType\":\"date_histogram\",\"params\":{\"interval\":\"auto\"},\"scale\":\"interval\",\"sourceField\":\"@timestamp\"}},\"incompleteColumns\":{}}}}},\"filters\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"filter-index-pattern-0\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"auth0.logs\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"auth0.logs\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"filter-index-pattern-1\",\"key\":\"event.category\",\"negate\":false,\"params\":{\"query\":\"Login - Success\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"event.category\":\"Login - 
Success\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"axisTitlesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"fittingFunction\":\"None\",\"gridlinesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"layers\":[{\"accessors\":[\"14ed1312-1743-452e-89e9-52018d6db787\"],\"layerId\":\"e7270679-c5d0-496a-9fd2-7409b402bdb0\",\"layerType\":\"data\",\"position\":\"top\",\"seriesType\":\"line\",\"showGridlines\":false,\"xAccessor\":\"60724141-ecf4-4f42-b263-d12cd64fe1a3\"}],\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"preferredSeriesType\":\"line\",\"tickLabelsVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"valueLabels\":\"hide\",\"yLeftExtent\":{\"mode\":\"full\"},\"yRightExtent\":{\"mode\":\"full\"}}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsXY\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":12,\"i\":\"d00429d4-502f-41d8-8a2b-7300859930ea\",\"w\":15,\"x\":0,\"y\":10},\"panelIndex\":\"d00429d4-502f-41d8-8a2b-7300859930ea\",\"title\":\"Rate of Successful 
Logins\",\"type\":\"lens\",\"version\":\"7.15.1\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-4fc38bcd-1242-43bb-a213-0c6fe6e7a26e\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"filter-index-pattern-0\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"filter-index-pattern-1\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"4fc38bcd-1242-43bb-a213-0c6fe6e7a26e\":{\"columnOrder\":[\"56478895-2ad9-4541-9b3c-debffe3de81d\",\"d8ee79e4-d617-4809-9065-217bcd1f628c\"],\"columns\":{\"56478895-2ad9-4541-9b3c-debffe3de81d\":{\"dataType\":\"date\",\"isBucketed\":true,\"label\":\"@timestamp\",\"operationType\":\"date_histogram\",\"params\":{\"interval\":\"auto\"},\"scale\":\"interval\",\"sourceField\":\"@timestamp\"},\"d8ee79e4-d617-4809-9065-217bcd1f628c\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"filter-index-pattern-0\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"auth0.logs\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"auth0.logs\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"filter-index-pattern-1\",\"key\":\"event.category\",\"negate\":false,\"params\":{\"query\":\"Login - Failure\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"event.category\":\"Login - 
Failure\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"accessors\":[\"d8ee79e4-d617-4809-9065-217bcd1f628c\"],\"layerId\":\"4fc38bcd-1242-43bb-a213-0c6fe6e7a26e\",\"layerType\":\"data\",\"position\":\"top\",\"seriesType\":\"line\",\"showGridlines\":false,\"xAccessor\":\"56478895-2ad9-4541-9b3c-debffe3de81d\"}],\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"preferredSeriesType\":\"line\",\"title\":\"Empty XY chart\",\"valueLabels\":\"hide\",\"yLeftExtent\":{\"mode\":\"full\"},\"yRightExtent\":{\"mode\":\"full\"}}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsXY\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":12,\"i\":\"c1a1b718-c5f1-4029-9fda-0cd7ed38b3a8\",\"w\":14,\"x\":15,\"y\":10},\"panelIndex\":\"c1a1b718-c5f1-4029-9fda-0cd7ed38b3a8\",\"title\":\"Rate of Failed Logins\",\"type\":\"lens\",\"version\":\"7.15.1\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":12,\"i\":\"d6323397-e8a4-4869-ad2b-d48ee5b5a70a\",\"w\":19,\"x\":29,\"y\":10},\"panelIndex\":\"d6323397-e8a4-4869-ad2b-d48ee5b5a70a\",\"panelRefName\":\"panel_d6323397-e8a4-4869-ad2b-d48ee5b5a70a\",\"type\":\"visualization\",\"version\":\"7.15.1\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":11,\"i\":\"253f1007-1537-4012-a663-48bccf233f4c\",\"w\":48,\"x\":0,\"y\":22},\"panelIndex\":\"253f1007-1537-4012-a663-48bccf233f4c\",\"panelRefName\":\"panel_253f1007-1537-4012-a663-48bccf233f4c\",\"type\":\"search\",\"version\":\"7.15.1\"}]", - "timeRestore": false, - "title": "Auth0", - "version": 1 - }, - "coreMigrationVersion": "7.15.1", - "id": "auth0-29fb7200-4062-11ec-b18d-ef6bf98b26bf", - "migrationVersion": { - "dashboard": "7.15.0" - }, - "references": [ - { - "id": "logs-*", - "name": "1a13814d-17bf-42cf-8ef9-2dc599fb6766:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": 
"1a13814d-17bf-42cf-8ef9-2dc599fb6766:indexpattern-datasource-layer-c9215ac0-57f7-4fbb-af81-9f5bb365a238",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "1a13814d-17bf-42cf-8ef9-2dc599fb6766:filter-index-pattern-0",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "6089a77e-3c96-4414-9932-eda55ced3d07:indexpattern-datasource-current-indexpattern",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "6089a77e-3c96-4414-9932-eda55ced3d07:indexpattern-datasource-layer-1f92a60a-ed7e-42e4-b03c-4a3fb37e1a35",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "6089a77e-3c96-4414-9932-eda55ced3d07:filter-index-pattern-0",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "5124c723-8890-477e-aad5-bc4fd529bd46:kibanaSavedObjectMeta.searchSourceJSON.index",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "5124c723-8890-477e-aad5-bc4fd529bd46:kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "5124c723-8890-477e-aad5-bc4fd529bd46:kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "cb337534-d263-480b-b6a3-80cc4f14d73b:kibanaSavedObjectMeta.searchSourceJSON.index",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "cb337534-d263-480b-b6a3-80cc4f14d73b:kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "cb337534-d263-480b-b6a3-80cc4f14d73b:kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "d00429d4-502f-41d8-8a2b-7300859930ea:indexpattern-datasource-current-indexpattern",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "d00429d4-502f-41d8-8a2b-7300859930ea:indexpattern-datasource-layer-e7270679-c5d0-496a-9fd2-7409b402bdb0",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- 
"name": "d00429d4-502f-41d8-8a2b-7300859930ea:filter-index-pattern-0",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "d00429d4-502f-41d8-8a2b-7300859930ea:filter-index-pattern-1",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "c1a1b718-c5f1-4029-9fda-0cd7ed38b3a8:indexpattern-datasource-current-indexpattern",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "c1a1b718-c5f1-4029-9fda-0cd7ed38b3a8:indexpattern-datasource-layer-4fc38bcd-1242-43bb-a213-0c6fe6e7a26e",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "c1a1b718-c5f1-4029-9fda-0cd7ed38b3a8:filter-index-pattern-0",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "c1a1b718-c5f1-4029-9fda-0cd7ed38b3a8:filter-index-pattern-1",
- "type": "index-pattern"
- },
- {
- "id": "auth0-187e7650-42a9-11ec-b9a2-edbe9edd14c9",
- "name": "d6323397-e8a4-4869-ad2b-d48ee5b5a70a:panel_d6323397-e8a4-4869-ad2b-d48ee5b5a70a",
- "type": "visualization"
- },
- {
- "id": "auth0-629b19e0-4061-11ec-b18d-ef6bf98b26bf",
- "name": "253f1007-1537-4012-a663-48bccf233f4c:panel_253f1007-1537-4012-a663-48bccf233f4c",
- "type": "search"
- }
- ],
- "type": "dashboard"
-}
\ No newline at end of file
diff --git a/packages/auth0/1.2.2/kibana/search/auth0-629b19e0-4061-11ec-b18d-ef6bf98b26bf.json b/packages/auth0/1.2.2/kibana/search/auth0-629b19e0-4061-11ec-b18d-ef6bf98b26bf.json
deleted file mode 100755
index 3d37f68df5..0000000000
--- a/packages/auth0/1.2.2/kibana/search/auth0-629b19e0-4061-11ec-b18d-ef6bf98b26bf.json
+++ /dev/null
@@ -1,35 +0,0 @@
-{
- "attributes": {
- "columns": [
- "auth0.logs.data.connection",
- "auth0.logs.data.user_name",
- "auth0.logs.data.user_agent"
- ],
- "description": "",
- "hits": 0,
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"filter\":[],\"highlight\":{\"fields\":{\"*\":{}},\"fragment_size\":2147483647,\"post_tags\":[\"@/kibana-highlighted-field@\"],\"pre_tags\":[\"@kibana-highlighted-field@\"],\"require_field_match\":false},\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:\\\"auth0.logs\\\" \"}}"
- },
- "sort": [
- [
- "@timestamp",
- "desc"
- ]
- ],
- "title": "Auth0 logs",
- "version": 1
- },
- "coreMigrationVersion": "7.15.1",
- "id": "auth0-629b19e0-4061-11ec-b18d-ef6bf98b26bf",
- "migrationVersion": {
- "search": "7.9.3"
- },
- "references": [
- {
- "id": "logs-*",
- "name": "kibanaSavedObjectMeta.searchSourceJSON.index",
- "type": "index-pattern"
- }
- ],
- "type": "search"
-}
\ No newline at end of file
diff --git a/packages/auth0/1.2.2/kibana/visualization/auth0-187e7650-42a9-11ec-b9a2-edbe9edd14c9.json b/packages/auth0/1.2.2/kibana/visualization/auth0-187e7650-42a9-11ec-b9a2-edbe9edd14c9.json
deleted file mode 100755
index 59f6851d51..0000000000
--- a/packages/auth0/1.2.2/kibana/visualization/auth0-187e7650-42a9-11ec-b9a2-edbe9edd14c9.json
+++ /dev/null
@@ -1,35 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"auth0.logs\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"auth0.logs\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"event.category\",\"negate\":false,\"params\":{\"query\":\"Login - Failure\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"event.category\":\"Login - Failure\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "IP Addresses of failed logins", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"auth0.logs.data.ip\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"maxFontSize\":72,\"minFontSize\":18,\"orientation\":\"single\",\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"scale\":\"linear\",\"showLabel\":true},\"title\":\"IP Addresses of failed logins\",\"type\":\"tagcloud\"}" - }, - "coreMigrationVersion": "7.15.1", - "id": "auth0-187e7650-42a9-11ec-b9a2-edbe9edd14c9", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": 
"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index",
- "type": "index-pattern"
- }
- ],
- "type": "visualization"
-}
\ No newline at end of file
diff --git a/packages/auth0/1.2.2/manifest.yml b/packages/auth0/1.2.2/manifest.yml
deleted file mode 100755
index 524c602d69..0000000000
--- a/packages/auth0/1.2.2/manifest.yml
+++ /dev/null
@@ -1,34 +0,0 @@
-format_version: 1.0.0
-name: auth0
-title: "Auth0"
-version: 1.2.2
-license: basic
-description: Collect logs from Auth0 with Elastic Agent.
-type: integration
-categories:
- - cloud
- - network
- - security
-release: ga
-conditions:
- kibana.version: "^7.16.0 || ^8.0.0"
-screenshots:
- - src: /img/auth0-screenshot.png
- title: Auth0 Dashboard
- size: 600x600
- type: image/png
-icons:
- - src: /img/auth0-logo.svg
- title: Auth0 logo
- size: 32x32
- type: image/svg+xml
-policy_templates:
- - name: auth0_events
- title: Auth0 log stream events via Webhooks
- description: Collect Auth0 log streams events via Webhooks.
- inputs:
- - type: http_endpoint
- title: Collect Auth0 log streams events via Webhooks
- description: Collecting Auth0 log stream events via Webhooks.
-owner:
- github: elastic/security-external-integrations
diff --git a/packages/carbon_black_cloud/1.2.2/LICENSE.txt b/packages/carbon_black_cloud/1.2.2/LICENSE.txt
deleted file mode 100755
index 809108b857..0000000000
--- a/packages/carbon_black_cloud/1.2.2/LICENSE.txt
+++ /dev/null
@@ -1,93 +0,0 @@
-Elastic License 2.0
-
-URL: https://www.elastic.co/licensing/elastic-license
-
-## Acceptance
-
-By using the software, you agree to all of the terms and conditions below.
-
-## Copyright License
-
-The licensor grants you a non-exclusive, royalty-free, worldwide,
-non-sublicensable, non-transferable license to use, copy, distribute, make
-available, and prepare derivative works of the software, in each case subject to
-the limitations and conditions below.
-
-## Limitations
-
-You may not provide the software to third parties as a hosted or managed
-service, where the service provides users with access to any substantial set of
-the features or functionality of the software.
-
-You may not move, change, disable, or circumvent the license key functionality
-in the software, and you may not remove or obscure any functionality in the
-software that is protected by the license key.
-
-You may not alter, remove, or obscure any licensing, copyright, or other notices
-of the licensor in the software. Any use of the licensor’s trademarks is subject
-to applicable law.
-
-## Patents
-
-The licensor grants you a license, under any patent claims the licensor can
-license, or becomes able to license, to make, have made, use, sell, offer for
-sale, import and have imported the software, in each case subject to the
-limitations and conditions in this license. This license does not cover any
-patent claims that you cause to be infringed by modifications or additions to
-the software. If you or your company make any written claim that the software
-infringes or contributes to infringement of any patent, your patent license for
-the software granted under these terms ends immediately. If your company makes
-such a claim, your patent license ends immediately for work on behalf of your
-company.
-
-## Notices
-
-You must ensure that anyone who gets a copy of any part of the software from you
-also gets a copy of these terms. 
-
-If you modify the software, you must include in any modified copies of the
-software prominent notices stating that you have modified the software.
-
-## No Other Rights
-
-These terms do not imply any licenses other than those expressly granted in
-these terms.
-
-## Termination
-
-If you use the software in violation of these terms, such use is not licensed,
-and your licenses will automatically terminate. If the licensor provides you
-with a notice of your violation, and you cease all violation of this license no
-later than 30 days after you receive that notice, your licenses will be
-reinstated retroactively. However, if you violate these terms after such
-reinstatement, any additional violation of these terms will cause your licenses
-to terminate automatically and permanently.
-
-## No Liability
-
-*As far as the law allows, the software comes as is, without any warranty or
-condition, and the licensor will not be liable to you for any damages arising
-out of these terms or the use or nature of the software, under any kind of
-legal claim.*
-
-## Definitions
-
-The **licensor** is the entity offering these terms, and the **software** is the
-software the licensor makes available under these terms, including any portion
-of it.
-
-**you** refers to the individual or entity agreeing to these terms.
-
-**your company** is any legal entity, sole proprietorship, or other kind of
-organization that you work for, plus all organizations that have control over,
-are under the control of, or are under common control with that
-organization. **control** means ownership of substantially all the assets of an
-entity, or the power to direct its management and policies by vote, contract, or
-otherwise. Control can be direct or indirect.
-
-**your licenses** are all the licenses granted to you for the software under
-these terms.
-
-**use** means anything you do with the software requiring one of your licenses. 
-
-**trademark** means trademarks, service marks, and similar rights.
diff --git a/packages/carbon_black_cloud/1.2.2/changelog.yml b/packages/carbon_black_cloud/1.2.2/changelog.yml
deleted file mode 100755
index 51a8bf64af..0000000000
--- a/packages/carbon_black_cloud/1.2.2/changelog.yml
+++ /dev/null
@@ -1,61 +0,0 @@ -# newer versions go on top -- version: "1.2.2" - changes: - - description: Ensure stability of related.hash array ordering. - type: bugfix - link: https://github.com/elastic/integrations/issues/4296 -- version: "1.2.1" - changes: - - description: Remove unused visualizations - type: enhancement - link: https://github.com/elastic/integrations/issues/3975 -- version: "1.2.0" - changes: - - description: Update package to ECS 8.4.0 - type: enhancement - link: https://github.com/elastic/integrations/pull/3842 -- version: "1.1.1" - changes: - - description: Fix proxy URL documentation rendering. - type: bugfix - link: https://github.com/elastic/integrations/pull/3881 -- version: "1.1.0" - changes: - - description: Update package to ECS 8.3.0. - type: enhancement - link: https://github.com/elastic/integrations/pull/3353 -- version: "1.0.3" - changes: - - description: Add correct field mapping for event.created - type: bugfix - link: https://github.com/elastic/integrations/issues/3579 -- version: "1.0.2" - changes: - - description: Fix dashboard issues. - type: bugfix - link: https://github.com/elastic/integrations/issues/3462 -- version: "1.0.1" - changes: - - description: Change event.outcome value from failure to failed according to ECS - type: bugfix - link: https://github.com/elastic/integrations/issues/3407 -- version: "1.0.0" - changes: - - description: Make GA - type: enhancement - link: https://github.com/elastic/integrations/pull/3428 -- version: 0.1.2 - changes: - - description: Add "VMware" to the title to make it "VMware Carbon Black Cloud". - type: enhancement - link: https://github.com/elastic/integrations/pull/3196 -- version: 0.1.1 - changes: - - description: Captured domain from username and hostname - type: enhancement - link: https://github.com/elastic/integrations/pull/3106 -- version: 0.1.0 - changes: - - description: Initial draft of the package. - type: enhancement - link: https://github.com/elastic/integrations/pull/2760 
diff --git a/packages/carbon_black_cloud/1.2.2/data_stream/alert/agent/stream/aws-s3.yml.hbs b/packages/carbon_black_cloud/1.2.2/data_stream/alert/agent/stream/aws-s3.yml.hbs deleted file mode 100755 index e02c596614..0000000000 --- a/packages/carbon_black_cloud/1.2.2/data_stream/alert/agent/stream/aws-s3.yml.hbs +++ /dev/null @@ -1,24 +0,0 @@ -bucket_arn: {{bucket_arn}} -number_of_workers: {{number_of_workers}} -bucket_list_interval: {{interval}} -access_key_id: {{access_key_id}} -secret_access_key: {{secret_access_key}} -bucket_list_prefix: {{bucket_list_prefix}} -expand_event_list_from_field: Records -{{#if proxy_url}} -proxy_url: {{proxy_url}} -{{/if}} -tags: -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#each tags as |tag|}} - - {{tag}} -{{/each}} -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} -{{#if processors}} -processors: -{{processors}} -{{/if}} diff --git a/packages/carbon_black_cloud/1.2.2/data_stream/alert/agent/stream/httpjson.yml.hbs b/packages/carbon_black_cloud/1.2.2/data_stream/alert/agent/stream/httpjson.yml.hbs deleted file mode 100755 index 2f738b21a6..0000000000 --- a/packages/carbon_black_cloud/1.2.2/data_stream/alert/agent/stream/httpjson.yml.hbs +++ /dev/null 
@@ -1,52 +0,0 @@ -config_version: 2 -interval: {{interval}} -request.timeout: 2m -request.method: POST - -{{#if proxy_url}} -request.proxy_url: {{proxy_url}} -{{/if}} -{{#if ssl}} -request.ssl: {{ssl}} -{{/if}} - -request.url: {{hostname}}/appservices/v6/orgs/{{org_key}}/alerts/_search -request.transforms: - - set: - target: header.X-Auth-Token - value: {{custom_api_secret_key}}/{{custom_api_id}} - - set: - target: body.criteria.last_update_time.start - value: '[[.cursor.last_update_timestamp]]' - default: '[[formatDate ((now (parseDuration "-{{initial_interval}}")).Add (parseDuration "-15m")) "RFC3339"]]' - - set: - target: body.criteria.last_update_time.end - value: '[[formatDate (now (parseDuration "-15m")) "RFC3339"]]' - - set: - target: body.sort - value: '[{ "field": "last_update_time", "order": "ASC"}]' - value_type: json -response.pagination: - - set: - target: body.criteria.last_update_time.start - value: '[[if (ne .last_response.body.num_found .last_response.body.num_available)]][[.last_event.last_update_time]][[else]][[.last_response.terminate_pagination]][[end]]' - fail_on_template_error: true -cursor: - last_update_timestamp: - value: '[[.last_event.last_update_time]]' -response.split: - target: body.results -tags: -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#each tags as |tag|}} - - {{tag}} -{{/each}} -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} -{{#if processors}} -processors: -{{processors}} -{{/if}} diff --git a/packages/carbon_black_cloud/1.2.2/data_stream/alert/elasticsearch/ingest_pipeline/default.yml b/packages/carbon_black_cloud/1.2.2/data_stream/alert/elasticsearch/ingest_pipeline/default.yml deleted file mode 100755 index a302659e9e..0000000000 --- a/packages/carbon_black_cloud/1.2.2/data_stream/alert/elasticsearch/ingest_pipeline/default.yml +++ /dev/null 
@@ -1,313 +0,0 @@ ---- -description: Pipeline for parsing Carbon Black Cloud alerts. -processors: - - set: - field: ecs.version - value: '8.4.0' - - rename: - field: message - target_field: event.original - ignore_missing: true - - json: - field: event.original - target_field: json - ignore_failure: true - - fingerprint: - fields: - - json.id - - json.create_time - - json.last_update_time - target_field: _id - ignore_missing: true - - date: - field: json.create_time - target_field: "@timestamp" - ignore_failure: true - formats: - - ISO8601 - - set: - field: event.kind - value: alert - - rename: - field: json.id - target_field: event.id - ignore_missing: true - - rename: - field: json.first_event_time - target_field: event.start - ignore_missing: true - - rename: - field: json.last_event_time - target_field: event.end - ignore_missing: true - - rename: - field: json.severity - target_field: event.severity - ignore_missing: true - - urldecode: - field: json.alert_url - target_field: event.url - ignore_missing: true - - rename: - field: json.reason - target_field: event.reason - ignore_missing: true - - convert: - field: json.device_id - target_field: host.id - type: string - ignore_missing: true - - set: - field: host.os.type - value: windows - if: ctx?.json?.device_os == "WINDOWS" - - set: - field: host.os.type - value: linux - if: ctx?.json?.device_os == "LINUX" - - set: - field: host.os.type - value: macos - if: ctx?.json?.device_os == "MAC" - - set: - field: event.kind - value: alert - - rename: - field: json.device_os_version - target_field: host.os.version - ignore_missing: true - - rename: - field: json.device_name - target_field: host.hostname - ignore_missing: true - - grok: - field: host.hostname - patterns: - - '^(%{DATA:user.domain})\\(%{GREEDYDATA:host.hostname})$' - ignore_missing: true - ignore_failure: true - - set: - field: host.name - value: "{{{host.hostname}}}" - ignore_failure: true - - append: - field: host.ip - value: 
"{{{json.device_internal_ip}}}" - if: ctx?.json?.device_internal_ip != null - allow_duplicates: false - ignore_failure: true - - append: - field: host.ip - value: "{{{json.device_external_ip}}}" - if: ctx?.json?.device_external_ip != null - allow_duplicates: false - ignore_failure: true - - rename: - field: json.device_username - target_field: user.name - ignore_missing: true - - grok: - field: user.name - patterns: - - '^(%{DATA:user.domain})\\(%{GREEDYDATA:user.name})$' - ignore_missing: true - ignore_failure: true - - append: - field: related.ip - value: - - "{{{json.device_internal_ip}}}" - - "{{{json.device_external_ip}}}" - allow_duplicates: false - - append: - field: related.user - value: - - "{{{user.name}}}" - allow_duplicates: false - - append: - field: related.hosts - value: - - "{{{host.hostname}}}" - - "{{{user.domain}}}" - allow_duplicates: false - - append: - field: related.hash - value: - - "{{{json.threat_cause_actor_md5}}}" - - "{{{json.threat_cause_actor_sha256}}}" - allow_duplicates: false - - rename: - field: json.process_name - target_field: process.name - ignore_missing: true - - rename: - field: json.process_path - target_field: process.executable - ignore_missing: true - - rename: - field: json.process_guid - target_field: process.entity_id - ignore_missing: true - - rename: - field: json.vendor_name - target_field: carbon_black_cloud.alert.vendor_name - ignore_missing: true - - rename: - field: json.product_name - target_field: carbon_black_cloud.alert.product_name - ignore_missing: true - - rename: - field: json.serial_number - target_field: carbon_black_cloud.alert.serial_number - ignore_missing: true - - rename: - field: json.policy_id - target_field: carbon_black_cloud.alert.policy.id - ignore_missing: true - - rename: - field: json.policy_name - target_field: carbon_black_cloud.alert.policy.name - ignore_missing: true - - rename: - field: json.threat_id - target_field: carbon_black_cloud.alert.threat_id - ignore_missing: true - - 
rename: - field: json.policy_applied - target_field: carbon_black_cloud.alert.policy.applied - ignore_missing: true - - rename: - field: json.threat_activity_c2 - target_field: carbon_black_cloud.alert.threat_activity.c2 - ignore_missing: true - - rename: - field: json.threat_activity_dlp - target_field: carbon_black_cloud.alert.threat_activity.dlp - ignore_missing: true - - rename: - field: json.threat_activity_phish - target_field: carbon_black_cloud.alert.threat_activity.phish - ignore_missing: true - - rename: - field: json.threat_cause_actor_name - target_field: carbon_black_cloud.alert.threat_cause.actor.name - ignore_missing: true - - rename: - field: json.threat_cause_actor_process_pid - target_field: carbon_black_cloud.alert.threat_cause.actor.process_pid - ignore_missing: true - - rename: - field: json.threat_cause_actor_sha256 - target_field: carbon_black_cloud.alert.threat_cause.actor.sha256 - ignore_missing: true - - rename: - field: json.threat_cause_actor_md5 - target_field: carbon_black_cloud.alert.threat_cause.actor.md5 - ignore_missing: true - - rename: - field: json.threat_cause_cause_event_id - target_field: carbon_black_cloud.alert.threat_cause.cause_event_id - ignore_missing: true - - rename: - field: json.threat_cause_parent_guid - target_field: carbon_black_cloud.alert.threat_cause.process.parent.guid - ignore_missing: true - - rename: - field: json.threat_cause_process_guid - target_field: carbon_black_cloud.alert.threat_cause.process.guid - ignore_missing: true - - rename: - field: json.threat_cause_reputation - target_field: carbon_black_cloud.alert.threat_cause.reputation - ignore_missing: true - - rename: - field: json.threat_cause_threat_category - target_field: carbon_black_cloud.alert.threat_cause.threat_category - ignore_missing: true - - rename: - field: json.threat_cause_vector - target_field: carbon_black_cloud.alert.threat_cause.vector - ignore_missing: true - - rename: - field: json.ioc_field - target_field: 
carbon_black_cloud.alert.ioc.field - ignore_missing: true - - rename: - field: json.ioc_hit - target_field: carbon_black_cloud.alert.ioc.hit - ignore_missing: true - - rename: - field: json.ioc_id - target_field: carbon_black_cloud.alert.ioc.id - ignore_missing: true - - rename: - field: json.report_id - target_field: carbon_black_cloud.alert.report.id - ignore_missing: true - - rename: - field: json.report_name - target_field: carbon_black_cloud.alert.report.name - ignore_missing: true - - rename: - field: json.org_key - target_field: carbon_black_cloud.alert.organization_key - ignore_missing: true - - rename: - field: json.device_location - target_field: carbon_black_cloud.alert.device.location - ignore_missing: true - - rename: - field: json.device_os - target_field: carbon_black_cloud.alert.device.os - ignore_missing: true - - rename: - field: json.device_internal_ip - target_field: carbon_black_cloud.alert.device.internal_ip - ignore_missing: true - - rename: - field: json.device_external_ip - target_field: carbon_black_cloud.alert.device.external_ip - ignore_missing: true - - remove: - field: event.original - if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" - ignore_failure: true - ignore_missing: true - - lowercase: - field: json.category - ignore_missing: true - - script: - description: Adds all the remaining fields in fields under carbon_black_cloud.alert - lang: painless - if: ctx?.json != null - source: | - for (Map.Entry m : ctx.json.entrySet()) { - ctx.carbon_black_cloud.alert[m.getKey()] = m.getValue(); - } - - remove: - field: - - json - - carbon_black_cloud.alert.create_time - - carbon_black_cloud.alert.device_id - - carbon_black_cloud.alert.alert_url - ignore_missing: true - - script: - description: Drops null/empty values recursively - lang: painless - source: | - boolean dropEmptyFields(Object object) { - if (object == null || object == "") { - return true; - } else if (object instanceof Map) { - ((Map) 
object).values().removeIf(value -> dropEmptyFields(value)); - return (((Map) object).size() == 0); - } else if (object instanceof List) { - ((List) object).removeIf(value -> dropEmptyFields(value)); - return (((List) object).length == 0); - } - return false; - } - dropEmptyFields(ctx); -on_failure: - - set: - field: error.message - value: "{{{_ingest.on_failure_message}}}" diff --git a/packages/carbon_black_cloud/1.2.2/data_stream/alert/fields/agent.yml b/packages/carbon_black_cloud/1.2.2/data_stream/alert/fields/agent.yml deleted file mode 100755 index e313ec8287..0000000000 --- a/packages/carbon_black_cloud/1.2.2/data_stream/alert/fields/agent.yml +++ /dev/null 
@@ -1,204 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. 
- -- name: input.type - type: keyword - description: Input type -- name: log.offset - type: long - description: Log offset diff --git a/packages/carbon_black_cloud/1.2.2/data_stream/alert/fields/base-fields.yml b/packages/carbon_black_cloud/1.2.2/data_stream/alert/fields/base-fields.yml deleted file mode 100755 index 14fb618ea4..0000000000 --- a/packages/carbon_black_cloud/1.2.2/data_stream/alert/fields/base-fields.yml +++ /dev/null @@ -1,20 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: '@timestamp' - type: date - description: Event timestamp. -- name: event.module - type: constant_keyword - description: Event module. - value: carbon_black_cloud -- name: event.dataset - type: constant_keyword - description: Event dataset. - value: carbon_black_cloud.alert diff --git a/packages/carbon_black_cloud/1.2.2/data_stream/alert/fields/ecs.yml b/packages/carbon_black_cloud/1.2.2/data_stream/alert/fields/ecs.yml deleted file mode 100755 index 7aa008a975..0000000000 --- a/packages/carbon_black_cloud/1.2.2/data_stream/alert/fields/ecs.yml +++ /dev/null 
@@ -1,135 +0,0 @@ -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: |- - event.created contains the date/time when the event was first read by an agent, or by your pipeline. - This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. - In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. - In case the two timestamps are identical, @timestamp should be used. - name: event.created - type: date -- description: event.end contains the date when the event ended or when the activity was last observed. - name: event.end - type: date -- description: Unique ID to describe the event. - name: event.id - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: |- - Raw text message of entire event. 
Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. - This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. - doc_values: false - index: false - name: event.original - type: keyword -- description: |- - Reason why this event happened, according to the source. - This describes the why of a particular action or outcome captured in the event. Where `event.action` captures the action from the event, `event.reason` describes why that action was taken. For example, a web proxy with an `event.action` which denied the request may also populate `event.reason` with the reason why (e.g. `blocked site`). - name: event.reason - type: keyword -- description: |- - The numeric severity of the event according to your event source. - What the different severity values mean can be different between sources and use cases. It's up to the implementer to make sure severities are consistent across events from the same source. - The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`. - name: event.severity - type: long -- description: event.start contains the date when the event started or when the activity was first observed. - name: event.start - type: date -- description: |- - URL linking to an external system to continue investigation of this event. - This URL links to another system where in-depth investigation of the specific occurrence of this event can take place. Alert events, indicated by `event.kind:alert`, are a common use case for this field. 
- name: event.url - type: keyword -- description: |- - Hostname of the host. - It normally contains what the `hostname` command returns on the host machine. - name: host.hostname - type: keyword -- description: |- - Unique host id. - As hostname is not always unique, use values that are meaningful in your environment. - Example: The current usage of `beat.name`. - name: host.id - type: keyword -- description: Host ip addresses. - name: host.ip - normalize: - - array - type: ip -- description: |- - Name of the host. - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. - name: host.name - type: keyword -- description: |- - Use the `os.type` field to categorize the operating system into one of the broad commercial families. - If the OS you're dealing with is not listed as an expected value, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. - name: host.os.type - type: keyword -- description: Operating system version as a raw string. - name: host.os.version - type: keyword -- description: |- - Unique identifier for the process. - The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. - Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. - name: process.entity_id - type: keyword -- description: Absolute path to the process executable. - multi_fields: - - name: text - type: match_only_text - name: process.executable - type: keyword -- description: |- - Process name. - Sometimes called program name or similar. 
- multi_fields: - - name: text - type: match_only_text - name: process.name - type: keyword -- description: All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). - name: related.hash - normalize: - - array - type: keyword -- description: All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. - name: related.hosts - normalize: - - array - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - normalize: - - array - type: ip -- description: All the user names or other user identifiers seen on the event. - name: related.user - normalize: - - array - type: keyword -- description: List of keywords used to tag each event. - name: tags - normalize: - - array - type: keyword -- description: |- - Name of the directory the user is a member of. - For example, an LDAP or Active Directory domain name. - name: user.domain - type: keyword -- description: Short name or login of the user. - multi_fields: - - name: text - type: match_only_text - name: user.name - type: keyword diff --git a/packages/carbon_black_cloud/1.2.2/data_stream/alert/fields/fields.yml b/packages/carbon_black_cloud/1.2.2/data_stream/alert/fields/fields.yml deleted file mode 100755 index 3eca3a1515..0000000000 --- a/packages/carbon_black_cloud/1.2.2/data_stream/alert/fields/fields.yml +++ /dev/null 
@@ -1,218 +0,0 @@ -- name: carbon_black_cloud.alert - type: group - fields: - - name: blocked_threat_category - type: keyword - description: The category of threat which we were able to take action on. - - name: category - type: keyword - description: The category of the alert. - - name: count - type: long - - name: created_by_event_id - type: keyword - description: Event identifier that initiated the alert. - - name: device - type: group - fields: - - name: location - type: keyword - description: The Location of device. - - name: os - type: keyword - description: OS of the device. - - name: internal_ip - type: ip - description: Internal IP of the device. - - name: external_ip - type: ip - description: External IP of the device. - - name: document_guid - type: keyword - description: Unique ID of document. - - name: ioc - type: group - fields: - - name: field - type: keyword - description: The field the indicator of comprise (IOC) hit contains. - - name: hit - type: keyword - description: IOC field value or IOC query that matches. - - name: id - type: keyword - description: The identifier of the IOC that cause the hit. - - name: kill_chain_status - type: keyword - description: The stage within the Cyber Kill Chain sequence most closely associated with the attributes of the alert. - - name: last_update_time - type: date - description: The last time the alert was updated as an ISO 8601 UTC timestamp. - - name: legacy_alert_id - type: keyword - description: The legacy identifier for the alert. - - name: not_blocked_threat_category - type: keyword - description: Other potentially malicious activity involved in the threat that we weren't able to take action on (either due to policy config, or not having a relevant rule). - - name: notes_present - type: boolean - description: Indicates if notes are associated with the threat_id. - - name: organization_key - type: keyword - description: The unique identifier for the organization associated with the alert. 
- - name: policy - type: group - fields: - - name: applied - type: keyword - description: Whether a policy was applied. - - name: id - type: long - description: The identifier for the policy associated with the device at the time of the alert. - - name: name - type: keyword - description: The name of the policy associated with the device at the time of the alert. - - name: product_id - type: keyword - description: The hexadecimal id of the USB device's product. - - name: product_name - type: keyword - description: The name of the USB device’s vendor. - - name: reason_code - type: keyword - description: Shorthand enum for the full-text reason. - - name: report - type: group - fields: - - name: id - type: keyword - description: The identifier of the report that contains the IOC. - - name: name - type: keyword - description: The name of the report that contains the IOC. - - name: run_state - type: keyword - description: Whether the threat in the alert ran. - - name: sensor_action - type: keyword - description: The action taken by the sensor, according to the rule of the policy. - - name: serial_number - type: keyword - description: The serial number of the USB device. - - name: status - type: keyword - description: status of alert. - - name: tags - type: keyword - description: Tags associated with the alert. - - name: target_value - type: keyword - description: The priority of the device assigned by the policy. - - name: threat_activity - type: group - fields: - - name: c2 - type: keyword - description: Whether the alert involved a command and control (c2) server. - - name: dlp - type: keyword - description: Whether the alert involved data loss prevention (DLP). - - name: phish - type: keyword - description: Whether the alert involved phishing. - - name: threat_cause - type: group - fields: - - name: actor - type: group - fields: - - name: md5 - type: keyword - description: MD5 of the threat cause actor. 
- - name: name - type: keyword - description: 'The name can be one of the following: process commandline, process name, or analytic matched threat. Analytic matched threats are Exploit, Malware, PUP, or Trojan.' - - name: process_pid - type: keyword - description: Process identifier (PID) of the actor process. - - name: sha256 - type: keyword - description: SHA256 of the threat cause actor. - - name: cause_event_id - type: keyword - description: ID of the Event that triggered the threat. - - name: process - type: group - fields: - - name: guid - type: keyword - description: The global unique identifier of the process. - - name: parent - type: group - fields: - - name: guid - type: keyword - description: The global unique identifier of the process. - - name: reputation - type: keyword - description: Reputation of the threat cause. - - name: threat_category - type: keyword - description: Category of the threat cause. - - name: vector - type: keyword - description: The source of the threat cause. - - name: threat_id - type: keyword - description: The identifier of a threat which this alert belongs. Threats are comprised of a combination of factors that can be repeated across devices. - - name: threat_indicators - type: group - description: List of the threat indicators that make up the threat. - fields: - - name: process_name - type: keyword - description: Process name associated with threat. - - name: sha256 - type: keyword - description: Sha256 associated with threat. - - name: ttps - type: keyword - description: Tactics, techniques and procedures associated with threat. - - name: type - type: keyword - description: Type of alert. - - name: vendor_id - type: keyword - description: The hexadecimal id of the USB device's vendor. - - name: vendor_name - type: keyword - description: The name of the USB device’s vendor. - - name: watchlists - type: group - description: List of watchlists associated with an alert. 
- fields: - - name: id - type: keyword - description: The identifier of watchlist. - - name: name - type: keyword - description: The name of the watchlist. - - name: workflow - type: group - description: Tracking system for alerts as they are triaged and resolved. - fields: - - name: changed_by - type: keyword - description: The name of user who changed the workflow. - - name: comment - type: keyword - description: Comment associated with workflow. - - name: last_update_time - type: date - description: The last update time of workflow. - - name: remediation - type: keyword - description: N/A - - name: state - type: keyword - description: The state of workflow. diff --git a/packages/carbon_black_cloud/1.2.2/data_stream/alert/manifest.yml b/packages/carbon_black_cloud/1.2.2/data_stream/alert/manifest.yml deleted file mode 100755 index 477667ce22..0000000000 --- a/packages/carbon_black_cloud/1.2.2/data_stream/alert/manifest.yml +++ /dev/null 
@@ -1,95 +0,0 @@ -title: Alert -type: logs -streams: - - input: httpjson - title: Collect alerts from Carbon Black Cloud - description: Collect alerts from Carbon Black Cloud. - template_path: httpjson.yml.hbs - vars: - - name: interval - type: text - title: Interval - description: Interval to fetch alerts from Carbon Black Cloud. - multi: false - required: true - show_user: true - default: 1m - - name: initial_interval - type: text - title: Initial Interval - description: How far back to pull the alerts from the Carbon Black Cloud API. - default: 24h - multi: false - required: true - show_user: true - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: false - default: - - forwarded - - carbon_black_cloud-alert - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original`. - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: > - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. - - - input: aws-s3 - title: Collect alerts from Carbon Black Cloud - description: Collect alerts from Carbon Black Cloud. - template_path: aws-s3.yml.hbs - vars: - - name: bucket_list_prefix - type: text - title: Bucket Prefix - description: Prefix to apply for the list request to the S3 bucket. - multi: false - required: true - show_user: true - - name: interval - type: text - title: Interval - description: Interval to fetch alerts from AWS S3 bucket. 
- multi: false - required: true - show_user: true - default: 1m - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: false - default: - - forwarded - - carbon_black_cloud-alert - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original`. - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: >- - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. diff --git a/packages/carbon_black_cloud/1.2.2/data_stream/alert/sample_event.json b/packages/carbon_black_cloud/1.2.2/data_stream/alert/sample_event.json deleted file mode 100755 index 7ecbfab721..0000000000 --- a/packages/carbon_black_cloud/1.2.2/data_stream/alert/sample_event.json +++ /dev/null 
@@ -1,113 +0,0 @@ -{ - "@timestamp": "2020-11-17T22:05:13.000Z", - "agent": { - "ephemeral_id": "cc329655-90f8-4dc9-8014-e152f2b949da", - "id": "15b19080-249c-49a5-801a-edf25c28dcfe", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "8.4.1" - }, - "carbon_black_cloud": { - "alert": { - "category": "warning", - "device": { - "external_ip": "81.2.69.143", - "internal_ip": "81.2.69.144", - "location": "UNKNOWN", - "os": "WINDOWS" - }, - "last_update_time": "2020-11-17T22:05:13Z", - "legacy_alert_id": "C8EB7306-AF26-4A9A-B677-814B3AF69720", - "organization_key": "ABCD6X3T", - "policy": { - "applied": "APPLIED", - "id": 6997287, - "name": "Standard" - }, - "product_id": "0x5406", - "product_name": "U3 Cruzer Micro", - "reason_code": "6D578342-9DE5-4353-9C25-1D3D857BFC5B:DCAEB1FA-513C-4026-9AB6-37A935873FBC", - "run_state": "DID_NOT_RUN", - "sensor_action": "DENY", - "serial_number": "0875920EF7C2A304", - "target_value": "MEDIUM", - "threat_cause": { - "cause_event_id": "FCEE2AF0-D832-4C9F-B988-F11B46028C9E", - "threat_category": "NON_MALWARE", - "vector": "REMOVABLE_MEDIA" - }, - "threat_id": "t5678", - "type": "DEVICE_CONTROL", - "vendor_id": "0x0781", - "vendor_name": "SanDisk", - "workflow": { - "changed_by": "Carbon Black", - "last_update_time": "2020-11-17T22:02:16Z", - "state": "OPEN" - } - } - }, - "data_stream": { - "dataset": "carbon_black_cloud.alert", - "namespace": "ep", - "type": "logs" - }, - "ecs": { - "version": "8.4.0" - }, - "elastic_agent": { - "id": "15b19080-249c-49a5-801a-edf25c28dcfe", - "snapshot": false, - "version": "8.4.1" - }, - "event": { - "agent_id_status": "verified", - "created": "2022-09-26T01:58:04.610Z", - "dataset": "carbon_black_cloud.alert", - "end": "2020-11-17T22:02:16Z", - "id": "test1", - "ingested": "2022-09-26T01:58:05Z", - "kind": "alert", - "original": 
"{\"alert_url\":\"https://defense-eap01.conferdeploy.net/alerts?orgId=1889976\",\"category\":\"WARNING\",\"create_time\":\"2020-11-17T22:05:13Z\",\"device_external_ip\":\"81.2.69.143\",\"device_id\":2,\"device_internal_ip\":\"81.2.69.144\",\"device_location\":\"UNKNOWN\",\"device_name\":\"DESKTOP-002\",\"device_os\":\"WINDOWS\",\"device_os_version\":\"Windows 10 x64\",\"device_username\":\"test34@demo.com\",\"first_event_time\":\"2020-11-17T22:02:16Z\",\"id\":\"test1\",\"last_event_time\":\"2020-11-17T22:02:16Z\",\"last_update_time\":\"2020-11-17T22:05:13Z\",\"legacy_alert_id\":\"C8EB7306-AF26-4A9A-B677-814B3AF69720\",\"org_key\":\"ABCD6X3T\",\"policy_applied\":\"APPLIED\",\"policy_id\":6997287,\"policy_name\":\"Standard\",\"product_id\":\"0x5406\",\"product_name\":\"U3 Cruzer Micro\",\"reason\":\"Access attempted on unapproved USB device SanDisk U3 Cruzer Micro (SN: 0875920EF7C2A304). A Deny Policy Action was applied.\",\"reason_code\":\"6D578342-9DE5-4353-9C25-1D3D857BFC5B:DCAEB1FA-513C-4026-9AB6-37A935873FBC\",\"run_state\":\"DID_NOT_RUN\",\"sensor_action\":\"DENY\",\"serial_number\":\"0875920EF7C2A304\",\"severity\":3,\"target_value\":\"MEDIUM\",\"threat_cause_cause_event_id\":\"FCEE2AF0-D832-4C9F-B988-F11B46028C9E\",\"threat_cause_threat_category\":\"NON_MALWARE\",\"threat_cause_vector\":\"REMOVABLE_MEDIA\",\"threat_id\":\"t5678\",\"type\":\"DEVICE_CONTROL\",\"vendor_id\":\"0x0781\",\"vendor_name\":\"SanDisk\",\"workflow\":{\"changed_by\":\"Carbon Black\",\"comment\":\"\",\"last_update_time\":\"2020-11-17T22:02:16Z\",\"remediation\":\"\",\"state\":\"OPEN\"}}", - "reason": "Access attempted on unapproved USB device SanDisk U3 Cruzer Micro (SN: 0875920EF7C2A304). 
A Deny Policy Action was applied.", - "severity": 3, - "start": "2020-11-17T22:02:16Z", - "url": "https://defense-eap01.conferdeploy.net/alerts?orgId=1889976" - }, - "host": { - "hostname": "DESKTOP-002", - "id": "2", - "ip": [ - "81.2.69.144", - "81.2.69.143" - ], - "name": "DESKTOP-002", - "os": { - "type": "windows", - "version": "Windows 10 x64" - } - }, - "input": { - "type": "httpjson" - }, - "related": { - "hosts": [ - "DESKTOP-002" - ], - "ip": [ - "81.2.69.144", - "81.2.69.143" - ], - "user": [ - "test34@demo.com" - ] - }, - "tags": [ - "preserve_original_event", - "forwarded", - "carbon_black_cloud-alert" - ], - "user": { - "name": "test34@demo.com" - } -} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.2.2/data_stream/asset_vulnerability_summary/agent/stream/httpjson.yml.hbs b/packages/carbon_black_cloud/1.2.2/data_stream/asset_vulnerability_summary/agent/stream/httpjson.yml.hbs deleted file mode 100755 index 310b6e05d5..0000000000 --- a/packages/carbon_black_cloud/1.2.2/data_stream/asset_vulnerability_summary/agent/stream/httpjson.yml.hbs +++ /dev/null 
@@ -1,45 +0,0 @@
-config_version: 2
-interval: {{interval}}
-request.method: POST
-{{#if proxy_url }}
-request.proxy_url: {{proxy_url}}
-{{/if}}
-{{#if ssl}}
-request.ssl: {{ssl}}
-{{/if}}
-request.url: {{hostname}}/vulnerability/assessment/api/v1/orgs/{{org_key}}/devices/vulnerabilities/summary/_search
-request.transforms:
- - set:
- target: header.X-Auth-Token
- value: {{custom_api_secret_key}}/{{custom_api_id}}
- - set:
- target: body.start
- value: '0'
- value_type: int
- - set:
- target: body.rows
- value: '10000'
- value_type: int
-request.timeout: 2m
-response.pagination:
- - set:
- target: body.start
- value: '[[if (eq (len .last_response.body.results) 0)]][[.last_response.terminate_pagination]][[else]][[mul .last_response.page .body.rows]][[end]]'
- value_type: int
- fail_on_template_error: true
-response.split:
- target: body.results
-tags:
-{{#if preserve_original_event}}
- - preserve_original_event
-{{/if}}
-{{#each tags as |tag|}}
- - {{tag}}
-{{/each}}
-{{#contains "forwarded" tags}}
-publisher_pipeline.disable_host: true
-{{/contains}}
-{{#if processors}}
-processors:
-{{processors}}
-{{/if}}
diff --git a/packages/carbon_black_cloud/1.2.2/data_stream/asset_vulnerability_summary/elasticsearch/ingest_pipeline/default.yml b/packages/carbon_black_cloud/1.2.2/data_stream/asset_vulnerability_summary/elasticsearch/ingest_pipeline/default.yml
deleted file mode 100755
index 5ded16ebb3..0000000000
--- a/packages/carbon_black_cloud/1.2.2/data_stream/asset_vulnerability_summary/elasticsearch/ingest_pipeline/default.yml
+++ /dev/null
@@ -1,132 +0,0 @@ ---- -description: Pipeline for parsing Carbon Black Cloud Asset Vulnerability Summary. -processors: -- rename: - field: message - target_field: event.original - ignore_missing: true -- set: - field: ecs.version - value: '8.4.0' -- json: - field: event.original - target_field: json -- rename: - field: json.host_name - target_field: host.hostname - ignore_missing: true -- convert: - field: json.device_id - type: string - target_field: host.id - ignore_missing: true -- rename: - field: json.name - target_field: host.name - ignore_missing: true -- rename: - field: json.os_info.os_name - target_field: host.os.name - ignore_missing: true -- set: - field: host.os.type - value: windows - if: ctx?.json?.os_info.os_type == "WINDOWS" -- set: - field: host.os.type - value: ubuntu - if: ctx?.json?.os_info.os_type == "UBUNTU" -- set: - field: host.os.type - value: centos - if: ctx?.json?.os_info.os_type == "CENTOS" -- remove : - field: json.os_info.os_type - ignore_missing: true -- remove : - field: json.device_id - ignore_missing: true -- rename: - field: json.os_info.os_version - target_field: host.os.version - ignore_missing: true -- rename: - field: json.highest_risk_score - target_field: vulnerability.score.base - ignore_missing: true -- rename: - field: json.severity - target_field: vulnerability.severity - ignore_missing: true -- date: - field: json.last_sync_ts - formats: - - ISO8601 - target_field: carbon_black_cloud.asset_vulnerability_summary.last_sync.timestamp -- remove: - field: json.last_sync_ts - ignore_missing: true -- rename: - field: json.sync_status - target_field: carbon_black_cloud.asset_vulnerability_summary.sync.status - ignore_missing: true -- rename: - field: json.sync_type - target_field: carbon_black_cloud.asset_vulnerability_summary.sync.type - ignore_missing: true -- rename: - field: json.type - target_field: carbon_black_cloud.asset_vulnerability_summary.type - ignore_missing: true -- rename: - field: json.vm_id - target_field: 
carbon_black_cloud.asset_vulnerability_summary.vm.id - ignore_missing: true -- rename: - field: json.vm_name - target_field: carbon_black_cloud.asset_vulnerability_summary.vm.name - ignore_missing: true -- rename: - field: json.vuln_count - target_field: carbon_black_cloud.asset_vulnerability_summary.vuln_count - ignore_missing: true -- append: - field: related.hosts - value: "{{{host.hostname}}}" - allow_duplicates: false -- script: - description: Adds all the remaining fields in fields under carbon_black_cloud.asset_vulnerability_summary - lang: painless - if: ctx?.json != null - source: | - for (Map.Entry m : ctx.json.entrySet()) { - ctx.carbon_black_cloud.asset_vulnerability_summary[m.getKey()] = m.getValue(); - } -- remove: - field: json - ignore_missing: true -- script: - description: Drops null/empty values recursively - lang: painless - source: | - boolean dropEmptyFields(Object object) { - if (object == null || object == "") { - return true; - } else if (object instanceof Map) { - ((Map) object).values().removeIf(value -> dropEmptyFields(value)); - return (((Map) object).size() == 0); - } else if (object instanceof List) { - ((List) object).removeIf(value -> dropEmptyFields(value)); - return (((List) object).length == 0); - } - return false; - } - dropEmptyFields(ctx); -- remove: - field: event.original - if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" - ignore_missing: true -on_failure: -- set: - field: error.message - value: '{{{ _ingest.on_failure_message }}}' diff --git a/packages/carbon_black_cloud/1.2.2/data_stream/asset_vulnerability_summary/fields/agent.yml b/packages/carbon_black_cloud/1.2.2/data_stream/asset_vulnerability_summary/fields/agent.yml deleted file mode 100755 index e313ec8287..0000000000 --- a/packages/carbon_black_cloud/1.2.2/data_stream/asset_vulnerability_summary/fields/agent.yml +++ /dev/null 
@@ -1,204 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. 
-
-- name: input.type
- type: keyword
- description: Input type
-- name: log.offset
- type: long
- description: Log offset
diff --git a/packages/carbon_black_cloud/1.2.2/data_stream/asset_vulnerability_summary/fields/base-fields.yml b/packages/carbon_black_cloud/1.2.2/data_stream/asset_vulnerability_summary/fields/base-fields.yml
deleted file mode 100755
index e6791517a6..0000000000
--- a/packages/carbon_black_cloud/1.2.2/data_stream/asset_vulnerability_summary/fields/base-fields.yml
+++ /dev/null
@@ -1,20 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: '@timestamp'
- type: date
- description: Event timestamp.
-- name: event.module
- type: constant_keyword
- description: Event module
- value: carbon_black_cloud
-- name: event.dataset
- type: constant_keyword
- description: Event dataset
- value: carbon_black_cloud.asset_vulnerability_summary
diff --git a/packages/carbon_black_cloud/1.2.2/data_stream/asset_vulnerability_summary/fields/ecs.yml b/packages/carbon_black_cloud/1.2.2/data_stream/asset_vulnerability_summary/fields/ecs.yml
deleted file mode 100755
index 2888171bb0..0000000000
--- a/packages/carbon_black_cloud/1.2.2/data_stream/asset_vulnerability_summary/fields/ecs.yml
+++ /dev/null
@@ -1,67 +0,0 @@ -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: |- - event.created contains the date/time when the event was first read by an agent, or by your pipeline. - This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. - In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. - In case the two timestamps are identical, @timestamp should be used. - name: event.created - type: date -- description: |- - Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. - This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. - doc_values: false - index: false - name: event.original - type: keyword -- description: |- - Hostname of the host. - It normally contains what the `hostname` command returns on the host machine. - name: host.hostname - type: keyword -- description: |- - Unique host id. - As hostname is not always unique, use values that are meaningful in your environment. - Example: The current usage of `beat.name`. - name: host.id - type: keyword -- description: |- - Name of the host. 
- It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. - name: host.name - type: keyword -- description: Operating system name, without the version. - multi_fields: - - name: text - type: match_only_text - name: host.os.name - type: keyword -- description: |- - Use the `os.type` field to categorize the operating system into one of the broad commercial families. - If the OS you're dealing with is not listed as an expected value, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. - name: host.os.type - type: keyword -- description: Operating system version as a raw string. - name: host.os.version - type: keyword -- description: All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. - name: related.hosts - normalize: - - array - type: keyword -- description: List of keywords used to tag each event. - name: tags - normalize: - - array - type: keyword -- description: |- - Scores can range from 0.0 to 10.0, with 10.0 being the most severe. - Base scores cover an assessment for exploitability metrics (attack vector, complexity, privileges, and user interaction), impact metrics (confidentiality, integrity, and availability), and scope. For example (https://www.first.org/cvss/specification-document) - name: vulnerability.score.base - type: float -- description: The severity of the vulnerability can help with metrics and internal prioritization regarding remediation. For example (https://nvd.nist.gov/vuln-metrics/cvss) - name: vulnerability.severity - type: keyword diff --git a/packages/carbon_black_cloud/1.2.2/data_stream/asset_vulnerability_summary/fields/fields.yml b/packages/carbon_black_cloud/1.2.2/data_stream/asset_vulnerability_summary/fields/fields.yml deleted file mode 100755 index a70b2974e8..0000000000 
--- a/packages/carbon_black_cloud/1.2.2/data_stream/asset_vulnerability_summary/fields/fields.yml
+++ /dev/null
@@ -1,39 +0,0 @@
-- name: carbon_black_cloud.asset_vulnerability_summary
- type: group
- fields:
- - name: os_info
- type: group
- fields:
- - name: os_arch
- type: keyword
- description: The identifier is for the Operating system architecture.
- - name: last_sync
- type: group
- fields:
- - name: timestamp
- type: date
- description: The identifier is for the Last sync time.
- - name: sync
- type: group
- fields:
- - name: status
- type: keyword
- description: The identifier is for the Device sync status.
- - name: type
- type: keyword
- description: The identifier is for the Whether a manual sync was triggered for the device, or if it was a scheduled sync.
- - name: type
- type: keyword
- description: The identifier is for the Device type.
- - name: vm
- type: group
- fields:
- - name: id
- type: keyword
- description: The identifier is for the Virtual Machine ID.
- - name: name
- type: keyword
- description: The identifier is for the Virtual Machine name.
- - name: vuln_count
- type: integer
- description: The identifier is for the Number of vulnerabilities at this level.
diff --git a/packages/carbon_black_cloud/1.2.2/data_stream/asset_vulnerability_summary/manifest.yml b/packages/carbon_black_cloud/1.2.2/data_stream/asset_vulnerability_summary/manifest.yml
deleted file mode 100755
index b7bf78f84d..0000000000
--- a/packages/carbon_black_cloud/1.2.2/data_stream/asset_vulnerability_summary/manifest.yml
+++ /dev/null
@@ -1,42 +0,0 @@
-title: Asset Vulnerability Summary
-type: logs
-streams:
- - input: httpjson
- title: Collect asset vulnerability summary from Carbon Black Cloud
- description: Collect asset vulnerability summary from Carbon Black Cloud.
- template_path: httpjson.yml.hbs
- vars:
- - name: interval
- type: text
- title: Interval
- description: Interval to query asset vulnerability summary in Carbon Black Cloud.
- multi: false
- required: true
- show_user: true
- default: 1h
- - name: tags
- type: text
- title: Tags
- multi: true
- required: true
- show_user: false
- default:
- - forwarded
- - carbon_black_cloud-asset-vulnerability-summary
- - name: preserve_original_event
- required: true
- show_user: true
- title: Preserve original event
- description: Preserves a raw copy of the original event, added to the field `event.original`.
- type: bool
- multi: false
- default: false
- - name: processors
- type: yaml
- title: Processors
- multi: false
- required: false
- show_user: false
- description: >
- Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
-
diff --git a/packages/carbon_black_cloud/1.2.2/data_stream/asset_vulnerability_summary/sample_event.json b/packages/carbon_black_cloud/1.2.2/data_stream/asset_vulnerability_summary/sample_event.json
deleted file mode 100755
index 18a138c167..0000000000
--- a/packages/carbon_black_cloud/1.2.2/data_stream/asset_vulnerability_summary/sample_event.json
+++ /dev/null
@@ -1,75 +0,0 @@
-{
- "@timestamp": "2022-09-26T01:58:41.710Z",
- "agent": {
- "ephemeral_id": "818ffeea-8e73-497b-bc16-b13e6bb3010c",
- "id": "15b19080-249c-49a5-801a-edf25c28dcfe",
- "name": "docker-fleet-agent",
- "type": "filebeat",
- "version": "8.4.1"
- },
- "carbon_black_cloud": {
- "asset_vulnerability_summary": {
- "last_sync": {
- "timestamp": "2022-01-17T08:33:37.384Z"
- },
- "os_info": {
- "os_arch": "64-bit"
- },
- "sync": {
- "status": "COMPLETED",
- "type": "SCHEDULED"
- },
- "type": "ENDPOINT",
- "vuln_count": 1770
- }
- },
- "data_stream": {
- "dataset": "carbon_black_cloud.asset_vulnerability_summary",
- "namespace": "ep",
- "type": "logs"
- },
- "ecs": {
- "version": "8.4.0"
- },
- "elastic_agent": {
- "id": "15b19080-249c-49a5-801a-edf25c28dcfe",
- "snapshot": false,
- "version": "8.4.1"
- },
- "event": {
- "agent_id_status": "verified",
- "created": "2022-09-26T01:58:41.710Z",
- "dataset": "carbon_black_cloud.asset_vulnerability_summary",
- "ingested": "2022-09-26T01:58:45Z",
- "original": "{\"cve_ids\":null,\"device_id\":8,\"highest_risk_score\":10,\"host_name\":\"DESKTOP-008\",\"last_sync_ts\":\"2022-01-17T08:33:37.384932Z\",\"name\":\"DESKTOP-008KK\",\"os_info\":{\"os_arch\":\"64-bit\",\"os_name\":\"Microsoft Windows 10 Education\",\"os_type\":\"WINDOWS\",\"os_version\":\"10.0.17763\"},\"severity\":\"CRITICAL\",\"sync_status\":\"COMPLETED\",\"sync_type\":\"SCHEDULED\",\"type\":\"ENDPOINT\",\"vm_id\":\"\",\"vm_name\":\"\",\"vuln_count\":1770}"
- },
- "host": {
- "hostname": "DESKTOP-008",
- "id": "8",
- "name": "DESKTOP-008KK",
- "os": {
- "name": "Microsoft Windows 10 Education",
- "type": "windows",
- "version": "10.0.17763"
- }
- },
- "input": {
- "type": "httpjson"
- },
- "related": {
- "hosts": [
- "DESKTOP-008"
- ]
- },
- "tags": [
- "preserve_original_event",
- "forwarded",
- "carbon_black_cloud-asset-vulnerability-summary"
- ],
- "vulnerability": {
- "score": {
- "base": 10
- },
- "severity": "CRITICAL"
- }
-}
\ No newline at end of file
diff --git a/packages/carbon_black_cloud/1.2.2/data_stream/audit/agent/stream/httpjson.yml.hbs b/packages/carbon_black_cloud/1.2.2/data_stream/audit/agent/stream/httpjson.yml.hbs
deleted file mode 100755
index 2693bd2bbb..0000000000
--- a/packages/carbon_black_cloud/1.2.2/data_stream/audit/agent/stream/httpjson.yml.hbs
+++ /dev/null
@@ -1,32 +0,0 @@
-config_version: 2
-interval: {{interval}}
-request.method: GET
-
-{{#if proxy_url}}
-request.proxy_url: {{proxy_url}}
-{{/if}}
-{{#if ssl}}
-request.ssl: {{ssl}}
-{{/if}}
-
-request.url: {{hostname}}/integrationServices/v3/auditlogs
-request.transforms:
- - set:
- target: header.X-Auth-Token
- value: {{api_secret_key}}/{{api_id}}
-response.split:
- target: body.notifications
-tags:
-{{#if preserve_original_event}}
- - preserve_original_event
-{{/if}}
-{{#each tags as |tag|}}
- - {{tag}}
-{{/each}}
-{{#contains "forwarded" tags}}
-publisher_pipeline.disable_host: true
-{{/contains}}
-{{#if processors}}
-processors:
-{{processors}}
-{{/if}}
diff --git a/packages/carbon_black_cloud/1.2.2/data_stream/audit/elasticsearch/ingest_pipeline/default.yml b/packages/carbon_black_cloud/1.2.2/data_stream/audit/elasticsearch/ingest_pipeline/default.yml
deleted file mode 100755
index ebf7661d61..0000000000
--- a/packages/carbon_black_cloud/1.2.2/data_stream/audit/elasticsearch/ingest_pipeline/default.yml
+++ /dev/null
@@ -1,93 +0,0 @@ ---- -description: Pipeline for parsing Carbon Black Cloud audit logs -processors: - - set: - field: ecs.version - value: '8.4.0' - - rename: - field: message - target_field: event.original - ignore_missing: true - - json: - field: event.original - target_field: json - ignore_failure: true - - date: - field: json.eventTime - target_field: "@timestamp" - ignore_failure: true - formats: - - UNIX_MS - - set: - field: event.kind - value: event - - set: - field: event.outcome - value: success - - set: - field: event.outcome - value: failure - if: ctx?.json?.flagged == true - - rename: - field: json.description - target_field: event.reason - - rename: - field: json.clientIp - target_field: client.ip - ignore_missing: true - - rename: - field: json.loginName - target_field: client.user.id - ignore_missing: true - - rename: - field: json.eventId - target_field: event.id - ignore_missing: true - - rename: - field: json.orgName - target_field: organization.name - ignore_missing: true - - urldecode: - field: json.requestUrl - target_field: url.original - ignore_missing: true - - rename: - field: json.verbose - target_field: carbon_black_cloud.audit.verbose - ignore_missing: true - - rename: - field: json.flagged - target_field: carbon_black_cloud.audit.flagged - ignore_missing: true - - append: - field: related.ip - value: "{{{client.ip}}}" - allow_duplicates: false - - remove: - field: json - - script: - description: Drops null/empty values recursively - lang: painless - source: | - boolean dropEmptyFields(Object object) { - if (object == null || object == "") { - return true; - } else if (object instanceof Map) { - ((Map) object).values().removeIf(value -> dropEmptyFields(value)); - return (((Map) object).size() == 0); - } else if (object instanceof List) { - ((List) object).removeIf(value -> dropEmptyFields(value)); - return (((List) object).length == 0); - } - return false; - } - dropEmptyFields(ctx); - - remove: - field: event.original - if: "ctx?.tags 
== null || !(ctx.tags.contains('preserve_original_event'))" - ignore_failure: true - ignore_missing: true -on_failure: - - set: - field: error.message - value: "{{{_ingest.on_failure_message}}}" diff --git a/packages/carbon_black_cloud/1.2.2/data_stream/audit/fields/agent.yml b/packages/carbon_black_cloud/1.2.2/data_stream/audit/fields/agent.yml deleted file mode 100755 index e313ec8287..0000000000 --- a/packages/carbon_black_cloud/1.2.2/data_stream/audit/fields/agent.yml +++ /dev/null 
@@ -1,204 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. 
-
-- name: input.type
- type: keyword
- description: Input type
-- name: log.offset
- type: long
- description: Log offset
diff --git a/packages/carbon_black_cloud/1.2.2/data_stream/audit/fields/base-fields.yml b/packages/carbon_black_cloud/1.2.2/data_stream/audit/fields/base-fields.yml
deleted file mode 100755
index a14e71251a..0000000000
--- a/packages/carbon_black_cloud/1.2.2/data_stream/audit/fields/base-fields.yml
+++ /dev/null
@@ -1,20 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: '@timestamp'
- type: date
- description: Event timestamp.
-- name: event.module
- type: constant_keyword
- description: Event module.
- value: carbon_black_cloud
-- name: event.dataset
- type: constant_keyword
- description: Event dataset.
- value: carbon_black_cloud.audit
diff --git a/packages/carbon_black_cloud/1.2.2/data_stream/audit/fields/ecs.yml b/packages/carbon_black_cloud/1.2.2/data_stream/audit/fields/ecs.yml
deleted file mode 100755
index 1e5dc2f871..0000000000
--- a/packages/carbon_black_cloud/1.2.2/data_stream/audit/fields/ecs.yml
+++ /dev/null
@@ -1,66 +0,0 @@ -- description: IP address of the client (IPv4 or IPv6). - name: client.ip - type: ip -- description: Unique identifier of the user. - name: client.user.id - type: keyword -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: |- - event.created contains the date/time when the event was first read by an agent, or by your pipeline. - This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. - In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. - In case the two timestamps are identical, @timestamp should be used. - name: event.created - type: date -- description: Unique ID to describe the event. - name: event.id - type: keyword -- description: |- - Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. - This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. - doc_values: false - index: false - name: event.original - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. 
- `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. - Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. - Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. - Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. - name: event.outcome - type: keyword -- description: |- - Reason why this event happened, according to the source. - This describes the why of a particular action or outcome captured in the event. Where `event.action` captures the action from the event, `event.reason` describes why that action was taken. For example, a web proxy with an `event.action` which denied the request may also populate `event.reason` with the reason why (e.g. `blocked site`). - name: event.reason - type: keyword -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: organization.name - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - normalize: - - array - type: ip -- description: List of keywords used to tag each event. - name: tags - normalize: - - array - type: keyword -- description: |- - Unmodified original url as seen in the event source. - Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. - This field is meant to represent the URL as it was observed, complete or not. 
- multi_fields:
- - name: text
- type: match_only_text
- name: url.original
- type: wildcard
diff --git a/packages/carbon_black_cloud/1.2.2/data_stream/audit/fields/fields.yml b/packages/carbon_black_cloud/1.2.2/data_stream/audit/fields/fields.yml
deleted file mode 100755
index 24af5d42b9..0000000000
--- a/packages/carbon_black_cloud/1.2.2/data_stream/audit/fields/fields.yml
+++ /dev/null
@@ -1,9 +0,0 @@
-- name: carbon_black_cloud.audit
- type: group
- fields:
- - name: flagged
- type: boolean
- description: true if action is failed otherwise false.
- - name: verbose
- type: boolean
- description: true if verbose audit log otherwise false.
diff --git a/packages/carbon_black_cloud/1.2.2/data_stream/audit/manifest.yml b/packages/carbon_black_cloud/1.2.2/data_stream/audit/manifest.yml
deleted file mode 100755
index 929093a4ef..0000000000
--- a/packages/carbon_black_cloud/1.2.2/data_stream/audit/manifest.yml
+++ /dev/null
@@ -1,42 +0,0 @@
-title: Audit
-type: logs
-streams:
- - input: httpjson
- title: Collect audit logs from Carbon Black Cloud
- description: Collect audit logs from Carbon Black Cloud.
- template_path: httpjson.yml.hbs
- vars:
- - name: interval
- type: text
- title: Interval
- description: Interval to fetch audit logs from Carbon Black Cloud.
- multi: false
- required: true
- show_user: true
- default: 1m
- - name: tags
- type: text
- title: Tags
- multi: true
- required: true
- show_user: false
- default:
- - forwarded
- - carbon_black_cloud-audit
- - name: preserve_original_event
- required: true
- show_user: true
- title: Preserve original event
- description: Preserves a raw copy of the original event, added to the field `event.original`.
- type: bool
- multi: false
- default: false
- - name: processors
- type: yaml
- title: Processors
- multi: false
- required: false
- show_user: false
- description: >
- Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
-
diff --git a/packages/carbon_black_cloud/1.2.2/data_stream/audit/sample_event.json b/packages/carbon_black_cloud/1.2.2/data_stream/audit/sample_event.json
deleted file mode 100755
index d12c27c706..0000000000
--- a/packages/carbon_black_cloud/1.2.2/data_stream/audit/sample_event.json
+++ /dev/null
@@ -1,62 +0,0 @@
-{
- "@timestamp": "2022-02-10T16:04:30.263Z",
- "agent": {
- "ephemeral_id": "a332765e-1e1f-4ec7-b24e-ae2d0dd5d74f",
- "id": "15b19080-249c-49a5-801a-edf25c28dcfe",
- "name": "docker-fleet-agent",
- "type": "filebeat",
- "version": "8.4.1"
- },
- "carbon_black_cloud": {
- "audit": {
- "flagged": false,
- "verbose": false
- }
- },
- "client": {
- "ip": "10.10.10.10",
- "user": {
- "id": "abc@demo.com"
- }
- },
- "data_stream": {
- "dataset": "carbon_black_cloud.audit",
- "namespace": "ep",
- "type": "logs"
- },
- "ecs": {
- "version": "8.4.0"
- },
- "elastic_agent": {
- "id": "15b19080-249c-49a5-801a-edf25c28dcfe",
- "snapshot": false,
- "version": "8.4.1"
- },
- "event": {
- "agent_id_status": "verified",
- "created": "2022-09-26T01:59:24.724Z",
- "dataset": "carbon_black_cloud.audit",
- "id": "2122f8ce8xxxxxxxxxxxxx",
- "ingested": "2022-09-26T01:59:25Z",
- "kind": "event",
- "original": "{\"clientIp\":\"10.10.10.10\",\"description\":\"Logged in successfully\",\"eventId\":\"2122f8ce8xxxxxxxxxxxxx\",\"eventTime\":1644509070263,\"flagged\":false,\"loginName\":\"abc@demo.com\",\"orgName\":\"cb-xxxx-xxxx.com\",\"requestUrl\":null,\"verbose\":false}",
- "outcome": "success",
- "reason": "Logged in successfully"
- },
- "input": {
- "type": "httpjson"
- },
- "organization": {
- "name": "cb-xxxx-xxxx.com"
- },
- "related": {
- "ip": [
- "10.10.10.10"
- ]
- },
- "tags": [
- "preserve_original_event",
- "forwarded",
- "carbon_black_cloud-audit"
- ]
-}
\ No newline at end of file
diff --git a/packages/carbon_black_cloud/1.2.2/data_stream/endpoint_event/agent/stream/aws-s3.yml.hbs b/packages/carbon_black_cloud/1.2.2/data_stream/endpoint_event/agent/stream/aws-s3.yml.hbs
deleted file mode 100755
index e02c596614..0000000000
--- a/packages/carbon_black_cloud/1.2.2/data_stream/endpoint_event/agent/stream/aws-s3.yml.hbs
+++ /dev/null
@@ -1,24 +0,0 @@
-bucket_arn: {{bucket_arn}}
-number_of_workers: {{number_of_workers}}
-bucket_list_interval: {{interval}}
-access_key_id: {{access_key_id}}
-secret_access_key: {{secret_access_key}}
-bucket_list_prefix: {{bucket_list_prefix}}
-expand_event_list_from_field: Records
-{{#if proxy_url}}
-proxy_url: {{proxy_url}}
-{{/if}}
-tags:
-{{#if preserve_original_event}}
- - preserve_original_event
-{{/if}}
-{{#each tags as |tag|}}
- - {{tag}}
-{{/each}}
-{{#contains "forwarded" tags}}
-publisher_pipeline.disable_host: true
-{{/contains}}
-{{#if processors}}
-processors:
-{{processors}}
-{{/if}}
diff --git a/packages/carbon_black_cloud/1.2.2/data_stream/endpoint_event/elasticsearch/ingest_pipeline/default.yml b/packages/carbon_black_cloud/1.2.2/data_stream/endpoint_event/elasticsearch/ingest_pipeline/default.yml
deleted file mode 100755
index 4729351d25..0000000000
--- a/packages/carbon_black_cloud/1.2.2/data_stream/endpoint_event/elasticsearch/ingest_pipeline/default.yml
+++ /dev/null
@@ -1,593 +0,0 @@ ---- -description: Pipeline for parsing Carbon Black Cloud Endpoint Events. -processors: - - set: - field: ecs.version - value: '8.4.0' - - rename: - field: message - target_field: event.original - ignore_missing: true - - json: - field: event.original - target_field: json - ignore_failure: true - - date: - field: json.create_time - target_field: "@timestamp" - ignore_failure: true - formats: - - ISO8601 - - rename: - field: json.action - target_field: event.action - ignore_missing: true - - rename: - field: json.event_id - target_field: event.id - ignore_missing: true - - rename: - field: json.event_description - target_field: event.reason - ignore_missing: true - - rename: - field: json.filemod_name - target_field: file.path - ignore_missing: true - - rename: - field: json.modload_name - target_field: dll.path - ignore_missing: true - - set: - field: network.transport - value: udp - if: ctx?.json?.netconn_protocol == "PROTO_UDP" - - set: - field: network.transport - value: tcp - if: ctx?.json?.netconn_protocol == "PROTO_TCP" - - set: - field: network.direction - value: inbound - if: ctx?.json?.netconn_inbound == true - - set: - field: network.direction - value: outbound - if: ctx?.json?.netconn_inbound == false - - rename: - field: json.remote_port - target_field: source.port - ignore_missing: true - - rename: - field: json.remote_ip - target_field: source.ip - ignore_missing: true - - rename: - field: json.netconn_domain - target_field: source.address - ignore_missing: true - - rename: - field: json.local_port - target_field: client.port - ignore_missing: true - - rename: - field: json.local_ip - target_field: client.ip - ignore_missing: true - - convert: - field: json.device_id - target_field: host.id - type: string - ignore_missing: true - - set: - field: host.os.type - value: windows - if: ctx?.json?.device_os == "WINDOWS" - - set: - field: host.os.type - value: linux - if: ctx?.json?.device_os == "LINUX" - - set: - field: host.os.type - 
value: macos - if: ctx?.json?.device_os == "MAC" - - rename: - field: json.device_name - target_field: host.hostname - ignore_missing: true - - grok: - field: host.hostname - patterns: - - '^(%{DATA:user.domain})\\(%{GREEDYDATA:host.hostname})$' - ignore_missing: true - ignore_failure: true - - set: - field: host.name - value: "{{{host.hostname}}}" - ignore_failure: true - - rename: - field: json.device_group - target_field: host.os.family - ignore_missing: true - - append: - field: host.ip - value: "{{{json.device_internal_ip}}}" - if: ctx?.json?.device_internal_ip != null - allow_duplicates: false - ignore_failure: true - - append: - field: host.ip - value: "{{{json.device_external_ip}}}" - if: ctx?.json?.device_external_ip != null - allow_duplicates: false - ignore_failure: true - - rename: - field: json.device_group - target_field: host.os.family - ignore_missing: true - - rename: - field: json.process_cmdline - target_field: process.command_line - ignore_missing: true - - rename: - field: json.process_guid - target_field: process.entity_id - ignore_missing: true - - rename: - field: json.process_path - target_field: process.executable - ignore_missing: true - - rename: - field: json.process_pid - target_field: process.pid - ignore_missing: true - - rename: - field: json.parent_cmdline - target_field: process.parent.command_line - ignore_missing: true - - rename: - field: json.parent_guid - target_field: process.parent.entity_id - ignore_missing: true - - rename: - field: json.parent_path - target_field: process.parent.executable - ignore_missing: true - - rename: - field: json.parent_pid - target_field: process.parent.pid - ignore_missing: true - - rename: - field: json.regmod_name - target_field: registry.path - ignore_missing: true - - append: - field: related.ip - value: - - "{{{json.device_internal_ip}}}" - - "{{{json.device_external_ip}}}" - - "{{{json.netconn_proxy_ip}}}" - - "{{{source.ip}}}" - - "{{{client.ip}}}" - allow_duplicates: false - - append: - 
field: related.user - value: - - "{{{json.process_username}}}" - - "{{{json.childproc_username}}}" - allow_duplicates: false - - append: - field: related.hosts - value: - - "{{{host.hostname}}}" - - "{{{user.domain}}}" - allow_duplicates: false - - script: - description: Dynamically map MD5 and SHA256 hash - lang: painless - source: | - void mapHashField(def ctx, def hashes, def key) { - for (hash in hashes) { - if (hash.length() == 32) {ctx["json"][key + "_md5"] = hash;} - if (hash.length() == 64) {ctx["json"][key + "_sha256"] = hash;} - } - } - if (ctx.json?.process_hash instanceof List) { - mapHashField(ctx, ctx.json?.process_hash, "process_hash"); - } - if (ctx.json?.parent_hash instanceof List) { - mapHashField(ctx, ctx.json?.parent_hash, "parent_hash"); - } - if (ctx.json?.filemod_hash instanceof List) { - mapHashField(ctx, ctx.json?.filemod_hash, "filemod_hash"); - } - if (ctx.json?.childproc_hash instanceof List) { - mapHashField(ctx, ctx.json?.childproc_hash, "childproc_hash"); - } - if (ctx.json?.crossproc_hash instanceof List) { - mapHashField(ctx, ctx.json?.crossproc_hash, "crossproc_hash"); - } - if (ctx.json?.scriptload_hash instanceof List) { - mapHashField(ctx, ctx.json?.scriptload_hash, "scriptload_hash"); - } - - rename: - field: json.process_hash_md5 - target_field: process.hash.md5 - ignore_missing: true - - rename: - field: json.process_hash_sha256 - target_field: process.hash.sha256 - ignore_missing: true - - rename: - field: json.parent_hash_md5 - target_field: process.parent.hash.md5 - ignore_missing: true - - rename: - field: json.parent_hash_sha256 - target_field: process.parent.hash.sha256 - ignore_missing: true - - rename: - field: json.backend_timestamp - target_field: carbon_black_cloud.endpoint_event.backend.timestamp - ignore_missing: true - - rename: - field: json.device_timestamp - target_field: carbon_black_cloud.endpoint_event.device.timestamp - ignore_missing: true - - rename: - field: json.device_os - target_field: 
carbon_black_cloud.endpoint_event.device.os - ignore_missing: true - - rename: - field: json.childproc_name - target_field: carbon_black_cloud.endpoint_event.childproc.name - ignore_missing: true - - rename: - field: json.org_key - target_field: carbon_black_cloud.endpoint_event.organization_key - ignore_missing: true - - rename: - field: json.process_duration - target_field: carbon_black_cloud.endpoint_event.process.duration - ignore_missing: true - - foreach: - field: json.process_publisher - processor: - split: - field: _ingest._value.state - separator: " \\| " - ignore_missing: true - ignore_missing: true - ignore_failure: true - - rename: - field: json.process_publisher - target_field: carbon_black_cloud.endpoint_event.process.publisher - ignore_missing: true - - rename: - field: json.process_reputation - target_field: carbon_black_cloud.endpoint_event.process.reputation - ignore_missing: true - - rename: - field: json.process_terminated - target_field: carbon_black_cloud.endpoint_event.process.terminated - ignore_missing: true - - rename: - field: json.process_username - target_field: carbon_black_cloud.endpoint_event.process.username - ignore_missing: true - - rename: - field: json.parent_reputation - target_field: carbon_black_cloud.endpoint_event.process.parent.reputation - ignore_missing: true - - rename: - field: json.target_cmdline - target_field: carbon_black_cloud.endpoint_event.target_cmdline - ignore_missing: true - - rename: - field: json.type - target_field: carbon_black_cloud.endpoint_event.type - ignore_missing: true - -# Mapping for endpoint.event.crossproc event type - - - rename: - field: json.crossproc_action - target_field: carbon_black_cloud.endpoint_event.crossproc.action - ignore_missing: true - - rename: - field: json.crossproc_api - target_field: carbon_black_cloud.endpoint_event.crossproc.api - ignore_missing: true - - rename: - field: json.crossproc_guid - target_field: carbon_black_cloud.endpoint_event.crossproc.guid - 
ignore_missing: true - - rename: - field: json.crossproc_name - target_field: carbon_black_cloud.endpoint_event.crossproc.name - ignore_missing: true - - rename: - field: json.crossproc_target - target_field: carbon_black_cloud.endpoint_event.crossproc.target - ignore_missing: true - - rename: - field: json.crossproc_reputation - target_field: carbon_black_cloud.endpoint_event.crossproc.reputation - ignore_missing: true - - foreach: - field: json.crossproc_publisher - processor: - split: - field: _ingest._value.state - separator: " \\| " - ignore_missing: true - ignore_missing: true - ignore_failure: true - - rename: - field: json.crossproc_publisher - target_field: carbon_black_cloud.endpoint_event.crossproc.publisher - ignore_missing: true - - rename: - field: json.crossproc_hash_md5 - target_field: carbon_black_cloud.endpoint_event.crossproc.hash.md5 - ignore_missing: true - - rename: - field: json.crossproc_hash_sha256 - target_field: carbon_black_cloud.endpoint_event.crossproc.hash.sha256 - ignore_missing: true - -# Mapping for endpoint.event.filemod event type - - - rename: - field: json.filemod_hash_md5 - target_field: file.hash.md5 - ignore_missing: true - - rename: - field: json.filemod_hash_sha256 - target_field: file.hash.sha256 - ignore_missing: true - -# Mapping for endpoint.event.fileless_scriptload event type - - - rename: - field: json.fileless_scriptload_cmdline - target_field: carbon_black_cloud.endpoint_event.fileless_scriptload.cmdline - ignore_missing: true - - rename: - field: json.fileless_scriptload_cmdline_length - target_field: carbon_black_cloud.endpoint_event.fileless_scriptload.cmdline_length - ignore_missing: true - - rename: - field: json.fileless_scriptload_hash_md5 - target_field: carbon_black_cloud.endpoint_event.fileless_scriptload.hash.md5 - ignore_missing: true - - rename: - field: json.fileless_scriptload_hash_sha256 - target_field: carbon_black_cloud.endpoint_event.fileless_scriptload.hash.sha256 - ignore_missing: true - -# 
Mapping for endpoint.event.moduleload event type - - - rename: - field: json.modload_md5 - target_field: dll.hash.md5 - ignore_missing: true - - rename: - field: json.modload_sha256 - target_field: dll.hash.sha256 - ignore_missing: true - - rename: - field: json.modload_effective_reputation - target_field: carbon_black_cloud.endpoint_event.modload.effective_reputation - ignore_missing: true - - rename: - field: json.modload_count - target_field: carbon_black_cloud.endpoint_event.modload.count - ignore_missing: true - - foreach: - field: json.modload_publisher - processor: - split: - field: _ingest._value.state - separator: " \\| " - ignore_missing: true - ignore_missing: true - ignore_failure: true - - rename: - field: json.modload_publisher - target_field: carbon_black_cloud.endpoint_event.modload.publisher - ignore_missing: true - -# Mapping for endpoint.event.netconn_proxy event type - - - rename: - field: json.netconn_proxy_domain - target_field: carbon_black_cloud.endpoint_event.netconn.proxy.domain - ignore_missing: true - - rename: - field: json.netconn_proxy_port - target_field: carbon_black_cloud.endpoint_event.netconn.proxy.port - ignore_missing: true - - rename: - field: json.netconn_proxy_ip - target_field: carbon_black_cloud.endpoint_event.netconn.proxy.ip - ignore_missing: true - -# Mapping for endpoint.event.procstart event type - - - rename: - field: json.childproc_guid - target_field: carbon_black_cloud.endpoint_event.childproc.guid - ignore_missing: true - - rename: - field: json.childproc_name - target_field: carbon_black_cloud.endpoint_event.childproc.name - ignore_missing: true - - rename: - field: json.childproc_pid - target_field: carbon_black_cloud.endpoint_event.childproc.pid - ignore_missing: true - - foreach: - field: json.childproc_publisher - processor: - split: - field: _ingest._value.state - separator: " \\| " - ignore_missing: true - ignore_missing: true - ignore_failure: true - - rename: - field: json.childproc_publisher - 
target_field: carbon_black_cloud.endpoint_event.childproc.publisher - ignore_missing: true - - rename: - field: json.childproc_reputation - target_field: carbon_black_cloud.endpoint_event.childproc.reputation - ignore_missing: true - - rename: - field: json.childproc_username - target_field: carbon_black_cloud.endpoint_event.childproc.username - ignore_missing: true - - rename: - field: json.childproc_hash_md5 - target_field: carbon_black_cloud.endpoint_event.childproc.hash.md5 - ignore_missing: true - - rename: - field: json.childproc_hash_sha256 - target_field: carbon_black_cloud.endpoint_event.childproc.hash.sha256 - ignore_missing: true - -# Mapping for NGAV endpoint.event.scriptload event type - - - rename: - field: json.scriptload_name - target_field: carbon_black_cloud.endpoint_event.scriptload.name - ignore_missing: true - - foreach: - field: json.scriptload_publisher - processor: - split: - field: _ingest._value.state - separator: " \\| " - ignore_missing: true - ignore_missing: true - ignore_failure: true - - rename: - field: json.scriptload_publisher - target_field: carbon_black_cloud.endpoint_event.scriptload.publisher - ignore_missing: true - - rename: - field: json.scriptload_count - target_field: carbon_black_cloud.endpoint_event.scriptload.count - ignore_missing: true - - rename: - field: json.scriptload_hash_md5 - target_field: carbon_black_cloud.endpoint_event.scriptload.hash.md5 - ignore_missing: true - - rename: - field: json.scriptload_hash_sha256 - target_field: carbon_black_cloud.endpoint_event.scriptload.hash.sha256 - ignore_missing: true - - rename: - field: json.scriptload_effective_reputation - target_field: carbon_black_cloud.endpoint_event.scriptload.effective_reputation - ignore_missing: true - - rename: - field: json.scriptload_reputation - target_field: carbon_black_cloud.endpoint_event.scriptload.reputation - ignore_missing: true - - rename: - field: json.device_internal_ip - target_field: 
carbon_black_cloud.endpoint_event.device.internal_ip - ignore_missing: true - - rename: - field: json.device_external_ip - target_field: carbon_black_cloud.endpoint_event.device.external_ip - ignore_missing: true - - remove: - field: event.original - if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" - ignore_failure: true - - append: - field: related.hash - value: - - "{{{process.hash.md5}}}" - - "{{{process.hash.sha256}}}" - - "{{{process.parent.hash.md5}}}" - - "{{{process.parent.hash.sha256}}}" - - "{{{file.hash.md5}}}" - - "{{{file.hash.sha256}}}" - - "{{{dll.hash.md5}}}" - - "{{{dll.hash.sha256}}}" - - "{{{carbon_black_cloud.endpoint_event.childproc.hash.md5}}}" - - "{{{carbon_black_cloud.endpoint_event.childproc.hash.sha256}}}" - - "{{{carbon_black_cloud.endpoint_event.crossproc.hash.md5}}}" - - "{{{carbon_black_cloud.endpoint_event.crossproc.hash.sha256}}}" - - "{{{carbon_black_cloud.endpoint_event.fileless_scriptload.hash.md5}}}" - - "{{{carbon_black_cloud.endpoint_event.fileless_scriptload.hash.sha256}}}" - - "{{{carbon_black_cloud.endpoint_event.scriptload.hash.md5}}}" - - "{{{carbon_black_cloud.endpoint_event.scriptload.hash.sha256}}}" - allow_duplicates: false - - script: - description: Adds all the remaining fields in fields under carbon_black_cloud.endpoint_event - lang: painless - if: ctx?.json != null - source: | - for (Map.Entry m : ctx.json.entrySet()) { - ctx.carbon_black_cloud.endpoint_event[m.getKey()] = m.getValue(); - } - - remove: - field: - - json - - carbon_black_cloud.endpoint_event.create_time - - carbon_black_cloud.endpoint_event.device_id - - carbon_black_cloud.endpoint_event.process_hash - - carbon_black_cloud.endpoint_event.parent_hash - - carbon_black_cloud.endpoint_event.crossproc_hash - - carbon_black_cloud.endpoint_event.filemod_hash - - carbon_black_cloud.endpoint_event.childproc_hash - - carbon_black_cloud.endpoint_event.modload_hash - - carbon_black_cloud.endpoint_event.scriptload_hash - - 
carbon_black_cloud.endpoint_event.netconn_inbound
- - carbon_black_cloud.endpoint_event.netconn_protocol
- ignore_missing: true
- - script:
- description: Drops null/empty values recursively
- lang: painless
- source: |
- boolean dropEmptyFields(Object object) {
- if (object == null || object == "") {
- return true;
- } else if (object instanceof Map) {
- ((Map) object).values().removeIf(value -> dropEmptyFields(value));
- return (((Map) object).size() == 0);
- } else if (object instanceof List) {
- ((List) object).removeIf(value -> dropEmptyFields(value));
- return (((List) object).length == 0);
- }
- return false;
- }
- dropEmptyFields(ctx);
- - script:
- description: Remove duplicate values
- lang: painless
- source: |
- if (ctx?.related?.user != null) {
- ctx.related.user = new HashSet(ctx.related.user)
- }
- if (ctx?.related?.ip != null) {
- ctx.related.ip = new HashSet(ctx.related.ip)
- }
- if (ctx?.related?.hash != null) {
- def hashes = new HashSet(ctx.related.hash);
- def hash = new ArrayList();
- for (def h: hashes) {
- hash.add(h);
- }
- Collections.sort(hash);
- ctx.related.hash = hash;
- }
-on_failure:
- - set:
- field: error.message
- value: "{{{_ingest.on_failure_message}}}"
diff --git a/packages/carbon_black_cloud/1.2.2/data_stream/endpoint_event/fields/agent.yml b/packages/carbon_black_cloud/1.2.2/data_stream/endpoint_event/fields/agent.yml
deleted file mode 100755
index e313ec8287..0000000000
--- a/packages/carbon_black_cloud/1.2.2/data_stream/endpoint_event/fields/agent.yml
+++ /dev/null
@@ -1,204 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. 
-
-- name: input.type
- type: keyword
- description: Input type
-- name: log.offset
- type: long
- description: Log offset
diff --git a/packages/carbon_black_cloud/1.2.2/data_stream/endpoint_event/fields/base-fields.yml b/packages/carbon_black_cloud/1.2.2/data_stream/endpoint_event/fields/base-fields.yml
deleted file mode 100755
index 9b3253d2db..0000000000
--- a/packages/carbon_black_cloud/1.2.2/data_stream/endpoint_event/fields/base-fields.yml
+++ /dev/null
@@ -1,20 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: '@timestamp'
- type: date
- description: Event timestamp.
-- name: event.module
- type: constant_keyword
- description: Event module.
- value: carbon_black_cloud
-- name: event.dataset
- type: constant_keyword
- description: Event dataset.
- value: carbon_black_cloud.endpoint_event
diff --git a/packages/carbon_black_cloud/1.2.2/data_stream/endpoint_event/fields/ecs.yml b/packages/carbon_black_cloud/1.2.2/data_stream/endpoint_event/fields/ecs.yml
deleted file mode 100755
index 770f024b15..0000000000
--- a/packages/carbon_black_cloud/1.2.2/data_stream/endpoint_event/fields/ecs.yml
+++ /dev/null
@@ -1,203 +0,0 @@ -- description: IP address of the client (IPv4 or IPv6). - name: client.ip - type: ip -- description: Port of the client. - name: client.port - type: long -- description: MD5 hash. - name: dll.hash.md5 - type: keyword -- description: SHA256 hash. - name: dll.hash.sha256 - type: keyword -- description: Full file path of the library. - name: dll.path - type: keyword -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: |- - The action captured by the event. - This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. - name: event.action - type: keyword -- description: |- - event.created contains the date/time when the event was first read by an agent, or by your pipeline. - This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. - In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. - In case the two timestamps are identical, @timestamp should be used. - name: event.created - type: date -- description: Unique ID to describe the event. - name: event.id - type: keyword -- description: |- - Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. 
- This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. - doc_values: false - index: false - name: event.original - type: keyword -- description: |- - Reason why this event happened, according to the source. - This describes the why of a particular action or outcome captured in the event. Where `event.action` captures the action from the event, `event.reason` describes why that action was taken. For example, a web proxy with an `event.action` which denied the request may also populate `event.reason` with the reason why (e.g. `blocked site`). - name: event.reason - type: keyword -- description: MD5 hash. - name: file.hash.md5 - type: keyword -- description: SHA256 hash. - name: file.hash.sha256 - type: keyword -- description: Full path to the file, including the file name. It should include the drive letter, when appropriate. - multi_fields: - - name: text - type: match_only_text - name: file.path - type: keyword -- description: |- - Hostname of the host. - It normally contains what the `hostname` command returns on the host machine. - name: host.hostname - type: keyword -- description: |- - Unique host id. - As hostname is not always unique, use values that are meaningful in your environment. - Example: The current usage of `beat.name`. - name: host.id - type: keyword -- description: Host ip addresses. - name: host.ip - normalize: - - array - type: ip -- description: |- - Name of the host. - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. - name: host.name - type: keyword -- description: OS family (such as redhat, debian, freebsd, windows). - name: host.os.family - type: keyword -- description: Operating system name, without the version. 
- multi_fields: - - name: text - type: match_only_text - name: host.os.name - type: keyword -- description: |- - Direction of the network traffic. - When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". - When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". - Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. - name: network.direction - type: keyword -- description: |- - Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) - The field value must be normalized to lowercase for querying. - name: network.transport - type: keyword -- description: |- - Full command line that started the process, including the absolute path to the executable, and all arguments. - Some arguments may be filtered to protect sensitive information. - multi_fields: - - name: text - type: match_only_text - name: process.command_line - type: wildcard -- description: |- - Unique identifier for the process. - The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. - Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. - name: process.entity_id - type: keyword -- description: Absolute path to the process executable. 
- multi_fields: - - name: text - type: match_only_text - name: process.executable - type: keyword -- description: MD5 hash. - name: process.hash.md5 - type: keyword -- description: SHA256 hash. - name: process.hash.sha256 - type: keyword -- description: |- - Full command line that started the process, including the absolute path to the executable, and all arguments. - Some arguments may be filtered to protect sensitive information. - multi_fields: - - name: text - type: match_only_text - name: process.parent.command_line - type: wildcard -- description: |- - Unique identifier for the process. - The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. - Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. - name: process.parent.entity_id - type: keyword -- description: Absolute path to the process executable. - multi_fields: - - name: text - type: match_only_text - name: process.parent.executable - type: keyword -- description: MD5 hash. - name: process.parent.hash.md5 - type: keyword -- description: SHA256 hash. - name: process.parent.hash.sha256 - type: keyword -- description: Process id. - name: process.parent.pid - type: long -- description: Process id. - name: process.pid - type: long -- description: Full path, including hive, key and value - name: registry.path - type: keyword -- description: All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). - name: related.hash - normalize: - - array - type: keyword -- description: All hostnames or other host identifiers seen on your event. 
Example identifiers include FQDNs, domain names, workstation names, or aliases.
- name: related.hosts
- normalize:
- - array
- type: keyword
-- description: All of the IPs seen on your event.
- name: related.ip
- normalize:
- - array
- type: ip
-- description: All the user names or other user identifiers seen on the event.
- name: related.user
- normalize:
- - array
- type: keyword
-- description: |-
- Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field.
- Then it should be duplicated to `.ip` or `.domain`, depending on which one it is.
- name: source.address
- type: keyword
-- description: IP address of the source (IPv4 or IPv6).
- name: source.ip
- type: ip
-- description: Port of the source.
- name: source.port
- type: long
-- description: List of keywords used to tag each event.
- name: tags
- normalize:
- - array
- type: keyword
-- description: |-
- Name of the directory the user is a member of.
- For example, an LDAP or Active Directory domain name.
- name: user.domain
- type: keyword
diff --git a/packages/carbon_black_cloud/1.2.2/data_stream/endpoint_event/fields/fields.yml b/packages/carbon_black_cloud/1.2.2/data_stream/endpoint_event/fields/fields.yml
deleted file mode 100755
index 199988ffb6..0000000000
--- a/packages/carbon_black_cloud/1.2.2/data_stream/endpoint_event/fields/fields.yml
+++ /dev/null
@@ -1,239 +0,0 @@ -- name: carbon_black_cloud.endpoint_event - type: group - fields: - - name: alert_id - type: keyword - description: The ID of the Alert this event is associated with. - - name: backend - type: group - fields: - - name: timestamp - type: keyword - description: Time when the backend received the batch of events. - - name: childproc - type: group - fields: - - name: guid - type: keyword - description: Unique ID of the child process. - - name: hash - type: group - fields: - - name: md5 - type: keyword - description: Cryptographic MD5 hashes of the executable file backing the child process. - - name: sha256 - type: keyword - description: Cryptographic SHA256 hashes of the executable file backing the child process. - - name: name - type: keyword - description: Full path to the target of the crossproc event on the device's local file system. - - name: pid - type: long - description: OS-reported Process ID of the child process. - - name: publisher - type: group - description: Signature entry for the childproc as reported by the endpoint. - fields: - - name: name - type: keyword - description: The name of the publisher. - - name: state - type: keyword - description: The state of the publisher. - - name: reputation - type: keyword - description: Carbon Black Cloud Reputation string for the childproc. - - name: username - type: keyword - description: The username associated with the user context that the child process was started under. - - name: crossproc - type: group - fields: - - name: action - type: keyword - description: The action taken on cross-process. - - name: api - type: keyword - description: Name of the operating system API called by the actor process. - - name: guid - type: keyword - description: Unique ID of the cross process. - - name: hash - type: group - fields: - - name: md5 - type: keyword - description: Cryptographic MD5 hashes of the target of the crossproc event. 
- - name: sha256 - type: keyword - description: Cryptographic SHA256 hashes of the target of the crossproc event. - - name: name - type: keyword - description: Full path to the target of the crossproc event on the device's local file system. - - name: publisher - type: group - description: Signature entry for the crossproc as reported by the endpoint. - fields: - - name: name - type: keyword - description: The name of the publisher. - - name: state - type: keyword - description: The state of the publisher. - - name: reputation - type: keyword - description: Carbon Black Cloud Reputation string for the crossproc. - - name: target - type: boolean - description: True if the process was the target of the cross-process event; false if the process was the actor. - - name: device - type: group - fields: - - name: os - type: keyword - description: Os name. - - name: timestamp - type: keyword - description: Time seen on sensor. - - name: internal_ip - type: ip - description: Internal IP of the device. - - name: external_ip - type: ip - description: External IP of the device. - - name: event_origin - type: keyword - description: Indicates which product the event came from. "EDR" indicates the event originated from Enterprise EDR. "NGAV" indicates the event originated from Endpoint Standard. - - name: fileless_scriptload - type: group - fields: - - name: cmdline - type: keyword - description: Deobfuscated script content run in a fileless context by the process. - - name: cmdline_length - type: keyword - description: Character count of the deobfuscated script content run in a fileless context. - - name: hash - type: group - fields: - - name: md5 - type: keyword - description: MD5 hash of the deobfuscated script content run by the process in a fileless context. - - name: sha256 - type: keyword - description: SHA-256 hash of the deobfuscated script content run by the process in a fileless context. 
- - name: modload - type: group - fields: - - name: count - type: long - description: Count of modload events reported by the sensor since last initialization. - - name: effective_reputation - type: keyword - description: Effective reputation(s) of the loaded module(s); applied by the sensor when the event occurred. - - name: publisher - type: group - description: Signature entry for the moduleload as reported by the endpoint. - fields: - - name: name - type: keyword - description: The name of the publisher. - - name: state - type: keyword - description: The state of the publisher. - - name: netconn - type: group - fields: - - name: proxy - type: group - fields: - - name: domain - type: keyword - description: DNS name associated with the "proxy" end of this network connection; may be empty if the name cannot be inferred or the connection is made direct to/from a proxy IP address. - - name: ip - type: keyword - description: IPv4 or IPv6 address in string format associated with the "proxy" end of this network connection. - - name: port - type: keyword - description: UDP/TCP port number associated with the "proxy" end of this network connection. - - name: organization_key - type: keyword - description: The organization key associated with the console instance. - - name: process - type: group - fields: - - name: duration - type: long - description: The time difference in seconds between the process start and process terminate event. - - name: parent - type: group - fields: - - name: reputation - type: keyword - description: Reputation of the parent process; applied when event is processed by the Carbon Black Cloud i.e. after sensor delivers event to the cloud. - - name: publisher - type: group - description: Signature entry for the process as reported by the endpoint. - fields: - - name: name - type: keyword - description: The name of the publisher. - - name: state - type: keyword - description: The state of the publisher. 
- - name: reputation - type: keyword - description: Reputation of the actor process; applied when event is processed by the Carbon Black Cloud i.e. after sensor delivers event to the cloud. - - name: terminated - type: boolean - description: True if process was terminated elase false. - - name: username - type: keyword - description: The username associated with the user context that this process was started under. - - name: schema - type: long - description: The schema version. The current schema version is "1". This schema version will only be incremented if the field definitions are changed in a backwards-incompatible way. - - name: scriptload - type: group - fields: - - name: count - type: long - description: Count of scriptload events across all processes reported by the sensor since last initialization. - - name: effective_reputation - type: keyword - description: Effective reputation(s) of the script file(s) loaded at process launch; applied by the sensor when the event occurred. - - name: hash - type: group - fields: - - name: md5 - type: keyword - description: Cryptographic MD5 hashes of the target of the scriptload event. - - name: sha256 - type: keyword - description: Cryptographic SHA256 hashes of the target of the scriptload event. - - name: name - type: keyword - description: Full path to the target of the crossproc event on the device's local file system. - - name: publisher - type: group - description: Signature entry for the scriptload as reported by the endpoint. - fields: - - name: name - type: keyword - description: The name of the publisher. - - name: state - type: keyword - description: The state of the publisher. - - name: reputation - type: keyword - description: Carbon Black Cloud Reputation string for the scriptload. - - name: sensor_action - type: keyword - description: The sensor action taken on event. - - name: target_cmdline - type: keyword - description: Process command line associated with the target process. 
- - name: type
- type: keyword
- description: The event type.
diff --git a/packages/carbon_black_cloud/1.2.2/data_stream/endpoint_event/manifest.yml b/packages/carbon_black_cloud/1.2.2/data_stream/endpoint_event/manifest.yml
deleted file mode 100755
index 0f52e82022..0000000000
--- a/packages/carbon_black_cloud/1.2.2/data_stream/endpoint_event/manifest.yml
+++ /dev/null
@@ -1,48 +0,0 @@
-title: Endpoint Event
-type: logs
-streams:
- - input: aws-s3
- title: Collect endpoint events from Carbon Black Cloud
- description: Collect endpoint events from Carbon Black Cloud.
- template_path: aws-s3.yml.hbs
- vars:
- - name: bucket_list_prefix
- type: text
- title: Bucket Prefix
- description: Prefix to apply for the list request to the S3 bucket.
- multi: false
- required: true
- show_user: true
- - name: interval
- type: text
- title: Interval
- description: Interval to fetch endpoint events from AWS S3 bucket.
- multi: false
- required: true
- show_user: true
- default: 1m
- - name: tags
- type: text
- title: Tags
- multi: true
- required: true
- show_user: false
- default:
- - forwarded
- - carbon_black_cloud-endpoint-event
- - name: preserve_original_event
- required: true
- show_user: true
- title: Preserve original event
- description: Preserves a raw copy of the original event, added to the field `event.original`.
- type: bool
- multi: false
- default: false
- - name: processors
- type: yaml
- title: Processors
- multi: false
- required: false
- show_user: false
- description: >-
- Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
diff --git a/packages/carbon_black_cloud/1.2.2/data_stream/endpoint_event/sample_event.json b/packages/carbon_black_cloud/1.2.2/data_stream/endpoint_event/sample_event.json
deleted file mode 100755
index f025682463..0000000000
--- a/packages/carbon_black_cloud/1.2.2/data_stream/endpoint_event/sample_event.json
+++ /dev/null
@@ -1,96 +0,0 @@ -{ - "process": { - "parent": { - "pid": 1684, - "entity_id": "XXXXXXXX-003d902d-00000694-00000000-1d7540221dedd62", - "command_line": "C:\\WindowsAzure\\GuestAgent_2.7.41491.1010_2021-05-11_233023\\GuestAgent\\WindowsAzureGuestAgent.exe", - "executable": "c:\\windowsazure\\guestagent_2.7.41491.1010_2021-05-11_233023\\guestagent\\windowsazureguestagent.exe", - "hash": { - "sha256": "44a1975b2197484bb22a0eb673e67e7ee9ec20265e9f6347f5e06b6447ac82c5", - "md5": "03dd698da2671383c9b4f868c9931879" - } - }, - "pid": 4880, - "entity_id": "XXXXXXXX-003d902d-00001310-00000000-1d81e748c4adb37", - "command_line": "\"route.exe\" print", - "executable": "c:\\windows\\system32\\route.exe", - "hash": { - "sha256": "9e9c7696859b94b1c33a532fa4d5c648226cf3361121dd899e502b8949fb11a6", - "md5": "2498272dc48446891182747428d02a30" - } - }, - "ecs": { - "version": "8.3.0" - }, - "carbon_black_cloud": { - "endpoint_event": { - "schema": 1, - "event_origin": "EDR", - "process": { - "duration": 2, - "parent": { - "reputation": "REP_RESOLVING" - }, - "publisher": [ - { - "name": "Microsoft Windows", - "state": [ - "FILE_SIGNATURE_STATE_SIGNED", - "FILE_SIGNATURE_STATE_VERIFIED", - "FILE_SIGNATURE_STATE_TRUSTED", - "FILE_SIGNATURE_STATE_OS", - "FILE_SIGNATURE_STATE_CATALOG_SIGNED" - ] - } - ], - "reputation": "REP_RESOLVING", - "terminated": true, - "username": "NT AUTHORITY\\SYSTEM" - }, - "organization_key": "XXXXXXXX", - "backend": { - "timestamp": "2022-02-10 11:52:50 +0000 UTC" - }, - "target_cmdline": "\"route.exe\" print", - "type": "endpoint.event.procend", - "device": { - "os": "WINDOWS", - "timestamp": "2022-02-10 11:51:35.0684097 +0000 UTC", - "external_ip": "67.43.156.12" - }, - "sensor_action": "ACTION_ALLOW" - } - }, - "host": { - "hostname": "client-cb2", - "id": "4034605", - "os": { - "type": "windows" - }, - "ip": [ - "67.43.156.13" - ] - }, - "event": { - "action": "ACTION_PROCESS_TERMINATE", - "orignal": 
"{\"type\":\"endpoint.event.procend\",\"process_guid\":\"XXXXXXXX-003d902d-00001310-00000000-1d81e748c4adb37\",\"parent_guid\":\"XXXXXXXX-003d902d-00000694-00000000-1d7540221dedd62\",\"backend_timestamp\":\"2022-02-10 11:52:50 +0000 UTC\",\"org_key\":\"XXXXXXXX\",\"device_id\":\"4034605\",\"device_name\":\"client-cb2\",\"device_external_ip\":\"67.43.156.13\",\"device_os\":\"WINDOWS\",\"device_group\":\"\",\"action\":\"ACTION_PROCESS_TERMINATE\",\"schema\":1,\"device_timestamp\":\"2022-02-10 11:51:35.0684097 +0000 UTC\",\"process_terminated\":true,\"process_duration\":2,\"process_reputation\":\"REP_RESOLVING\",\"parent_reputation\":\"REP_RESOLVING\",\"process_pid\":4880,\"parent_pid\":1684,\"process_publisher\":[{\"name\":\"Microsoft Windows\",\"state\":\"FILE_SIGNATURE_STATE_SIGNED | FILE_SIGNATURE_STATE_VERIFIED | FILE_SIGNATURE_STATE_TRUSTED | FILE_SIGNATURE_STATE_OS | FILE_SIGNATURE_STATE_CATALOG_SIGNED\"}],\"process_path\":\"c:\\\\windows\\\\system32\\\\route.exe\",\"parent_path\":\"c:\\\\windowsazure\\\\guestagent_2.7.41491.1010_2021-05-11_233023\\\\guestagent\\\\windowsazureguestagent.exe\",\"process_hash\":[\"2498272dc48446891182747428d02a30\",\"9e9c7696859b94b1c33a532fa4d5c648226cf3361121dd899e502b8949fb11a6\"],\"parent_hash\":[\"03dd698da2671383c9b4f868c9931879\",\"44a1975b2197484bb22a0eb673e67e7ee9ec20265e9f6347f5e06b6447ac82c5\"],\"process_cmdline\":\"\\\"route.exe\\\" print\",\"parent_cmdline\":\"C:\\\\WindowsAzure\\\\GuestAgent_2.7.41491.1010_2021-05-11_233023\\\\GuestAgent\\\\WindowsAzureGuestAgent.exe\",\"process_username\":\"NT AUTHORITY\\\\SYSTEM\",\"sensor_action\":\"ACTION_ALLOW\",\"event_origin\":\"EDR\",\"target_cmdline\":\"\\\"route.exe\\\" print\"}" - }, - "data_stream": { - "dataset": "carbon_black_cloud.endpoint_event", - "namespace": "ep", - "type": "logs" - }, - "elastic_agent": { - "id": "3b20ea47-9610-412d-97e3-47cd19b7e4d5", - "snapshot": true, - "version": "8.0.0" - }, - "input": { - "type": "aws-s3" - }, - "tags": [ - 
"preserve_original_event", - "forwarded", - "carbon_black_cloud-endpoint-event" - ] -} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.2.2/data_stream/watchlist_hit/agent/stream/aws-s3.yml.hbs b/packages/carbon_black_cloud/1.2.2/data_stream/watchlist_hit/agent/stream/aws-s3.yml.hbs deleted file mode 100755 index e02c596614..0000000000 --- a/packages/carbon_black_cloud/1.2.2/data_stream/watchlist_hit/agent/stream/aws-s3.yml.hbs +++ /dev/null @@ -1,24 +0,0 @@ -bucket_arn: {{bucket_arn}} -number_of_workers: {{number_of_workers}} -bucket_list_interval: {{interval}} -access_key_id: {{access_key_id}} -secret_access_key: {{secret_access_key}} -bucket_list_prefix: {{bucket_list_prefix}} -expand_event_list_from_field: Records -{{#if proxy_url}} -proxy_url: {{proxy_url}} -{{/if}} -tags: -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#each tags as |tag|}} - - {{tag}} -{{/each}} -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} -{{#if processors}} -processors: -{{processors}} -{{/if}} diff --git a/packages/carbon_black_cloud/1.2.2/data_stream/watchlist_hit/elasticsearch/ingest_pipeline/default.yml b/packages/carbon_black_cloud/1.2.2/data_stream/watchlist_hit/elasticsearch/ingest_pipeline/default.yml deleted file mode 100755 index f59084b05a..0000000000 --- a/packages/carbon_black_cloud/1.2.2/data_stream/watchlist_hit/elasticsearch/ingest_pipeline/default.yml +++ /dev/null 
@@ -1,299 +0,0 @@ ---- -description: Pipeline for parsing Carbon Black Cloud watchlist hit. -processors: - - set: - field: ecs.version - value: '8.4.0' - - set: - field: event.kind - value: event - - rename: - field: message - target_field: event.original - ignore_missing: true - - json: - field: event.original - target_field: json - ignore_failure: true - - date: - field: json.create_time - target_field: "@timestamp" - ignore_failure: true - formats: - - ISO8601 - - rename: - field: json.severity - target_field: event.severity - ignore_missing: true - - convert: - field: json.device_id - target_field: host.id - type: string - ignore_missing: true - - set: - field: host.os.type - value: windows - if: ctx?.json?.device_os == "WINDOWS" - - set: - field: host.os.type - value: linux - if: ctx?.json?.device_os == "LINUX" - - set: - field: host.os.type - value: macos - if: ctx?.json?.device_os == "MAC" - - rename: - field: json.device_os_version - target_field: host.os.version - ignore_missing: true - - rename: - field: json.device_name - target_field: host.hostname - ignore_missing: true - - grok: - field: host.hostname - patterns: - - '^(%{DATA:user.domain})\\(%{GREEDYDATA:host.hostname})$' - ignore_missing: true - ignore_failure: true - - set: - field: host.name - value: "{{{host.hostname}}}" - ignore_failure: true - - append: - field: host.ip - value: "{{{json.device_internal_ip}}}" - if: ctx?.json?.device_internal_ip != null - allow_duplicates: false - ignore_failure: true - - append: - field: host.ip - value: "{{{json.device_external_ip}}}" - if: ctx?.json?.device_external_ip != null - allow_duplicates: false - ignore_failure: true - - rename: - field: json.process_cmdline - target_field: process.command_line - ignore_missing: true - - rename: - field: json.process_guid - target_field: process.entity_id - ignore_missing: true - - rename: - field: json.process_path - target_field: process.executable - ignore_missing: true - - rename: - field: json.process_pid - 
target_field: process.pid - ignore_missing: true - - rename: - field: json.parent_cmdline - target_field: process.parent.command_line - ignore_missing: true - - rename: - field: json.parent_guid - target_field: process.parent.entity_id - ignore_missing: true - - rename: - field: json.parent_path - target_field: process.parent.executable - ignore_missing: true - - rename: - field: json.parent_pid - target_field: process.parent.pid - ignore_missing: true - - append: - field: related.ip - value: - - "{{{json.device_internal_ip}}}" - - "{{{json.device_external_ip}}}" - allow_duplicates: false - - append: - field: related.user - value: - - "{{{json.parent_username}}}" - - "{{{json.process_username}}}" - allow_duplicates: false - - append: - field: related.hosts - value: - - "{{{host.hostname}}}" - - "{{{user.domain}}}" - allow_duplicates: false - - script: - description: Dynamically map MD5 and SHA256 hash - lang: painless - source: | - void mapHashField(def ctx, def hashes, def key) { - for (hash in hashes) { - if (hash.length() == 32) {ctx["json"][key + "_md5"] = hash;} - if (hash.length() == 64) {ctx["json"][key + "_sha256"] = hash;} - } - } - if (ctx.json?.process_hash instanceof List) { - mapHashField(ctx, ctx.json?.process_hash, "process_hash"); - } - if (ctx.json?.parent_hash instanceof List) { - mapHashField(ctx, ctx.json?.parent_hash, "parent_hash"); - } - - rename: - field: json.process_hash_md5 - target_field: process.hash.md5 - ignore_missing: true - - rename: - field: json.process_hash_sha256 - target_field: process.hash.sha256 - ignore_missing: true - - rename: - field: json.parent_hash_md5 - target_field: process.parent.hash.md5 - ignore_missing: true - - rename: - field: json.parent_hash_sha256 - target_field: process.parent.hash.sha256 - ignore_missing: true - - append: - field: related.hash - value: - - "{{{process.hash.md5}}}" - - "{{{process.hash.sha256}}}" - - "{{{process.parent.hash.md5}}}" - - "{{{process.parent.hash.sha256}}}" - allow_duplicates: 
false - - rename: - field: json.device_os - target_field: carbon_black_cloud.watchlist_hit.device.os - ignore_missing: true - - rename: - field: json.device_internal_ip - target_field: carbon_black_cloud.watchlist_hit.device.internal_ip - ignore_missing: true - - rename: - field: json.device_external_ip - target_field: carbon_black_cloud.watchlist_hit.device.external_ip - ignore_missing: true - - rename: - field: json.ioc_hit - target_field: carbon_black_cloud.watchlist_hit.ioc.hit - ignore_missing: true - - rename: - field: json.ioc_id - target_field: carbon_black_cloud.watchlist_hit.ioc.id - ignore_missing: true - - rename: - field: json.org_key - target_field: carbon_black_cloud.watchlist_hit.organization_key - ignore_missing: true - - foreach: - field: json.parent_publisher - processor: - split: - field: _ingest._value.state - separator: " \\| " - ignore_missing: true - ignore_missing: true - ignore_failure: true - - rename: - field: json.parent_publisher - target_field: carbon_black_cloud.watchlist_hit.process.parent.publisher - ignore_missing: true - - rename: - field: json.parent_reputation - target_field: carbon_black_cloud.watchlist_hit.process.parent.reputation - ignore_missing: true - - rename: - field: json.parent_username - target_field: carbon_black_cloud.watchlist_hit.process.parent.username - ignore_missing: true - - foreach: - field: json.process_publisher - processor: - split: - field: _ingest._value.state - separator: " \\| " - ignore_missing: true - ignore_missing: true - ignore_failure: true - - rename: - field: json.process_publisher - target_field: carbon_black_cloud.watchlist_hit.process.publisher - ignore_missing: true - - rename: - field: json.process_reputation - target_field: carbon_black_cloud.watchlist_hit.process.reputation - ignore_missing: true - - rename: - field: json.process_username - target_field: carbon_black_cloud.watchlist_hit.process.username - ignore_missing: true - - rename: - field: json.report_id - target_field: 
carbon_black_cloud.watchlist_hit.report.id - ignore_missing: true - - rename: - field: json.report_name - target_field: carbon_black_cloud.watchlist_hit.report.name - ignore_missing: true - - rename: - field: json.report_tags - target_field: carbon_black_cloud.watchlist_hit.report.tags - ignore_missing: true - - script: - description: Drops null/empty values recursively - lang: painless - source: | - boolean dropEmptyFields(Object object) { - if (object == null || object == "") { - return true; - } else if (object instanceof Map) { - ((Map) object).values().removeIf(value -> dropEmptyFields(value)); - return (((Map) object).size() == 0); - } else if (object instanceof List) { - ((List) object).removeIf(value -> dropEmptyFields(value)); - return (((List) object).length == 0); - } - return false; - } - dropEmptyFields(ctx); - - remove: - field: event.original - if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" - ignore_failure: true - - script: - description: Adds all the remaining fields in fields under carbon_black_cloud.watchlist_hit - lang: painless - if: ctx?.json != null - source: | - for (Map.Entry m : ctx.json.entrySet()) { - ctx.carbon_black_cloud.watchlist_hit[m.getKey()] = m.getValue(); - } - - remove: - field: - - json - - carbon_black_cloud.watchlist_hit.create_time - - carbon_black_cloud.watchlist_hit.device_id - - carbon_black_cloud.watchlist_hit.process_hash - - carbon_black_cloud.watchlist_hit.parent_hash - ignore_missing: true - - script: - description: Remove duplicate values - lang: painless - source: | - if (ctx?.related?.user != null) { - ctx.related.user = new HashSet(ctx.related.user) - } - if (ctx?.related?.hash != null) { - def hashes = new HashSet(ctx.related.hash); - def hash = new ArrayList(); - for (def h: hashes) { - hash.add(h); - } - Collections.sort(hash); - ctx.related.hash = hash; - } -on_failure: - - set: - field: error.message - value: "{{{_ingest.on_failure_message}}}" 
diff --git a/packages/carbon_black_cloud/1.2.2/data_stream/watchlist_hit/fields/agent.yml b/packages/carbon_black_cloud/1.2.2/data_stream/watchlist_hit/fields/agent.yml
deleted file mode 100755
index e313ec8287..0000000000
--- a/packages/carbon_black_cloud/1.2.2/data_stream/watchlist_hit/fields/agent.yml
+++ /dev/null
@@ -1,204 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. 
- -- name: input.type - type: keyword - description: Input type -- name: log.offset - type: long - description: Log offset diff --git a/packages/carbon_black_cloud/1.2.2/data_stream/watchlist_hit/fields/base-fields.yml b/packages/carbon_black_cloud/1.2.2/data_stream/watchlist_hit/fields/base-fields.yml deleted file mode 100755 index 89df536282..0000000000 --- a/packages/carbon_black_cloud/1.2.2/data_stream/watchlist_hit/fields/base-fields.yml +++ /dev/null @@ -1,20 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: '@timestamp' - type: date - description: Event timestamp. -- name: event.module - type: constant_keyword - description: Event module. - value: carbon_black_cloud -- name: event.dataset - type: constant_keyword - description: Event dataset. - value: carbon_black_cloud.watchlist_hit diff --git a/packages/carbon_black_cloud/1.2.2/data_stream/watchlist_hit/fields/ecs.yml b/packages/carbon_black_cloud/1.2.2/data_stream/watchlist_hit/fields/ecs.yml deleted file mode 100755 index 77c05e054a..0000000000 --- a/packages/carbon_black_cloud/1.2.2/data_stream/watchlist_hit/fields/ecs.yml +++ /dev/null 
@@ -1,145 +0,0 @@ -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: |- - event.created contains the date/time when the event was first read by an agent, or by your pipeline. - This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. - In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. - In case the two timestamps are identical, @timestamp should be used. - name: event.created - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: |- - Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. - This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. 
If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. - doc_values: false - index: false - name: event.original - type: keyword -- description: |- - The numeric severity of the event according to your event source. - What the different severity values mean can be different between sources and use cases. It's up to the implementer to make sure severities are consistent across events from the same source. - The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`. - name: event.severity - type: long -- description: |- - Hostname of the host. - It normally contains what the `hostname` command returns on the host machine. - name: host.hostname - type: keyword -- description: |- - Unique host id. - As hostname is not always unique, use values that are meaningful in your environment. - Example: The current usage of `beat.name`. - name: host.id - type: keyword -- description: Host ip addresses. - name: host.ip - normalize: - - array - type: ip -- description: |- - Name of the host. - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. - name: host.name - type: keyword -- description: |- - Use the `os.type` field to categorize the operating system into one of the broad commercial families. - If the OS you're dealing with is not listed as an expected value, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. - name: host.os.type - type: keyword -- description: |- - Full command line that started the process, including the absolute path to the executable, and all arguments. 
- Some arguments may be filtered to protect sensitive information. - multi_fields: - - name: text - type: match_only_text - name: process.command_line - type: wildcard -- description: |- - Unique identifier for the process. - The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. - Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. - name: process.entity_id - type: keyword -- description: Absolute path to the process executable. - multi_fields: - - name: text - type: match_only_text - name: process.executable - type: keyword -- description: MD5 hash. - name: process.hash.md5 - type: keyword -- description: SHA256 hash. - name: process.hash.sha256 - type: keyword -- description: |- - Full command line that started the process, including the absolute path to the executable, and all arguments. - Some arguments may be filtered to protect sensitive information. - multi_fields: - - name: text - type: match_only_text - name: process.parent.command_line - type: wildcard -- description: |- - Unique identifier for the process. - The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. - Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. - name: process.parent.entity_id - type: keyword -- description: Absolute path to the process executable. - multi_fields: - - name: text - type: match_only_text - name: process.parent.executable - type: keyword -- description: MD5 hash. 
- name: process.parent.hash.md5 - type: keyword -- description: SHA256 hash. - name: process.parent.hash.sha256 - type: keyword -- description: Process id. - name: process.parent.pid - type: long -- description: Process id. - name: process.pid - type: long -- description: All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). - name: related.hash - normalize: - - array - type: keyword -- description: All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. - name: related.hosts - normalize: - - array - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - normalize: - - array - type: ip -- description: All the user names or other user identifiers seen on the event. - name: related.user - normalize: - - array - type: keyword -- description: List of keywords used to tag each event. - name: tags - normalize: - - array - type: keyword -- description: |- - Name of the directory the user is a member of. - For example, an LDAP or Active Directory domain name. - name: user.domain - type: keyword diff --git a/packages/carbon_black_cloud/1.2.2/data_stream/watchlist_hit/fields/fields.yml b/packages/carbon_black_cloud/1.2.2/data_stream/watchlist_hit/fields/fields.yml deleted file mode 100755 index 25cb25005e..0000000000 --- a/packages/carbon_black_cloud/1.2.2/data_stream/watchlist_hit/fields/fields.yml +++ /dev/null 
@@ -1,89 +0,0 @@ -- name: carbon_black_cloud.watchlist_hit - type: group - fields: - - name: device - type: group - fields: - - name: os - type: keyword - description: OS Type of device (Windows/OSX/Linux). - - name: internal_ip - type: ip - description: Internal IP of the device. - - name: external_ip - type: ip - description: External IP of the device. - - name: ioc - type: group - fields: - - name: field - type: keyword - description: Field the IOC hit contains. - - name: hit - type: keyword - description: IOC field value, or IOC query that matches. - - name: id - type: keyword - description: ID of the IOC that caused the hit. - - name: organization_key - type: keyword - description: The organization key associated with the console instance. - - name: process - type: group - fields: - - name: parent - type: group - fields: - - name: publisher - type: group - description: signature entry for the process as reported by the endpoint. - fields: - - name: name - type: keyword - description: The name of the publisher. - - name: state - type: keyword - description: The state of the publisher. - - name: reputation - type: keyword - description: Reputation of the actor process; applied when event is processed by the Carbon Black Cloud i.e. after sensor delivers event to the cloud. - - name: username - type: keyword - description: The username associated with the user context that this process was started under. - - name: publisher - type: group - description: signature entry for the process as reported by the endpoint. - - name: reputation - type: keyword - description: Reputation of the actor process; applied when event is processed by the Carbon Black Cloud i.e. after sensor delivers event to the cloud. - - name: username - type: keyword - description: The username associated with the user context that this process was started under. 
- - name: report - type: group - fields: - - name: id - type: keyword - description: ID of the watchlist report(s) that detected a hit on the process. - - name: name - type: keyword - description: Name of the watchlist report(s) that detected a hit on the process. - - name: tags - type: keyword - description: List of tags associated with the report(s) that detected a hit on the process. - - name: schema - type: long - description: Schema version. - - name: type - type: keyword - description: The watchlist hit type. - - name: watchlists - type: group - description: List of watchlists that contain the report of the ioc hit. - fields: - - name: id - type: keyword - description: The ID of the watchlists. - - name: name - type: keyword - description: The name of the watchlists. diff --git a/packages/carbon_black_cloud/1.2.2/data_stream/watchlist_hit/manifest.yml b/packages/carbon_black_cloud/1.2.2/data_stream/watchlist_hit/manifest.yml deleted file mode 100755 index 7782458210..0000000000 --- a/packages/carbon_black_cloud/1.2.2/data_stream/watchlist_hit/manifest.yml +++ /dev/null 
@@ -1,48 +0,0 @@ -title: Watchlist Hit -type: logs -streams: - - input: aws-s3 - title: Collect watchlist hit from Carbon Black Cloud - description: Collect watchlist hit from Carbon Black Cloud. - template_path: aws-s3.yml.hbs - vars: - - name: bucket_list_prefix - type: text - title: Bucket Prefix - description: Prefix to apply for the list request to the S3 bucket. - multi: false - required: true - show_user: true - - name: interval - type: text - title: Interval - description: Interval to fetch watchlist hit from AWS S3 bucket. - multi: false - required: true - show_user: true - default: 1m - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: false - default: - - forwarded - - carbon_black_cloud-watchlist-hit - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original`. - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: >- - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. diff --git a/packages/carbon_black_cloud/1.2.2/data_stream/watchlist_hit/sample_event.json b/packages/carbon_black_cloud/1.2.2/data_stream/watchlist_hit/sample_event.json deleted file mode 100755 index ec2206a46e..0000000000 --- a/packages/carbon_black_cloud/1.2.2/data_stream/watchlist_hit/sample_event.json +++ /dev/null 
@@ -1,130 +0,0 @@ -{ - "tags": [ - "preserve_original_event", - "forwarded", - "carbon_black_cloud-watchlist-hit" - ], - "input": { - "type": "aws-s3" - }, - "data_stream": { - "namespace": "default", - "type": "logs", - "dataset": "carbon_black_cloud.watchlist_hit" - }, - "agent": { - "id": "e0d5f508-9616-400f-b26b-bb1aa6638b80", - "type": "filebeat", - "version": "8.0.0" - }, - "ecs": { - "version": "8.3.0" - }, - "process": { - "parent": { - "pid": 4076, - "entity_id": "7DESJ9GN-00442a47-00000fec-00000000-1d81ed87d4655d1", - "command_line": "C:\\WINDOWS\\system32\\cmd.exe /c \"sc query aella_conf | findstr RUNNING \u003e null\"", - "executable": "c:\\windows\\syswow64\\cmd.exe", - "hash": { - "sha256": "4d89fc34d5f0f9babd022271c585a9477bf41e834e46b991deaa0530fdb25e22", - "md5": "d0fce3afa6aa1d58ce9fa336cc2b675b" - } - }, - "pid": 7516, - "entity_id": "7DESJ9GN-00442a47-00001d5c-00000000-1d81ed87d63d2c6", - "command_line": "sc query aella_conf ", - "executable": "c:\\windows\\syswow64\\sc.exe", - "hash": { - "sha256": "4fe6d9eb8109fb79ff645138de7cff37906867aade589bd68afa503a9ab3cfb2", - "md5": "d9d7684b8431a0d10d0e76fe9f5ffec8" - } - }, - "carbon_black_cloud": { - "watchlist_hit": { - "schema": 1, - "process": { - "parent": { - "publisher": [ - { - "name": "Microsoft Windows", - "state": [ - "FILE_SIGNATURE_STATE_SIGNED", - "FILE_SIGNATURE_STATE_VERIFIED", - "FILE_SIGNATURE_STATE_TRUSTED", - "FILE_SIGNATURE_STATE_OS", - "FILE_SIGNATURE_STATE_CATALOG_SIGNED" - ] - } - ], - "reputation": "REP_WHITE", - "username": "NT AUTHORITY\\SYSTEM" - }, - "publisher": [ - { - "name": "Microsoft Windows", - "state": [ - "FILE_SIGNATURE_STATE_SIGNED", - "FILE_SIGNATURE_STATE_VERIFIED", - "FILE_SIGNATURE_STATE_TRUSTED", - "FILE_SIGNATURE_STATE_OS", - "FILE_SIGNATURE_STATE_CATALOG_SIGNED" - ] - } - ], - "reputation": "REP_WHITE", - "username": "NT AUTHORITY\\SYSTEM" - }, - "organization_key": "xxxxxxxx", - "report": { - "name": "Discovery - System Service Discovery Detected", - 
"id": "CFnKBKLTv6hUkBGFobRdg-565571", - "tags": [ - "attack", - "attackframework", - "threathunting", - "hunting", - "t1007", - "recon", - "discovery", - "windows" - ] - }, - "watchlists": [ - { - "name": "ATT\u0026CK Framework", - "id": "P5f9AW29TGmTOvBW156Cig" - } - ], - "type": "watchlist.hit", - "ioc": { - "hit": "((process_name:sc.exe -parent_name:svchost.exe) AND process_cmdline:query) -enriched:true", - "id": "565571-0" - }, - "device": { - "internal_ip": "10.10.156.12", - "external_ip": "67.43.156.12", - "os": "WINDOWS" - } - } - }, - "host": { - "hostname": "Carbonblack-win1", - "os": { - "type": "windows" - }, - "ip": [ - "10.10.156.12", - "67.43.156.12" - ], - "id": "4467271" - }, - "event": { - "kind": "event", - "severity": 3, - "agent_id_status": "verified", - "ingested": "2022-02-17T07:23:31Z", - "original": "{\"schema\":1,\"create_time\":\"2022-02-10T23:54:32.449Z\",\"device_external_ip\":\"205.234.30.196\",\"device_id\":4467271,\"device_internal_ip\":\"10.33.4.214\",\"device_name\":\"Carbonblack-win1\",\"device_os\":\"WINDOWS\",\"ioc_hit\":\"((process_name:sc.exe -parent_name:svchost.exe) AND process_cmdline:query) -enriched:true\",\"ioc_id\":\"565571-0\",\"org_key\":\"7DESJ9GN\",\"parent_cmdline\":\"C:\\\\WINDOWS\\\\system32\\\\cmd.exe /c \\\"sc query aella_conf | findstr RUNNING \\u003e null\\\"\",\"parent_guid\":\"7DESJ9GN-00442a47-00000fec-00000000-1d81ed87d4655d1\",\"parent_hash\":[\"d0fce3afa6aa1d58ce9fa336cc2b675b\",\"4d89fc34d5f0f9babd022271c585a9477bf41e834e46b991deaa0530fdb25e22\"],\"parent_path\":\"c:\\\\windows\\\\syswow64\\\\cmd.exe\",\"parent_pid\":4076,\"parent_publisher\":[{\"name\":\"Microsoft Windows\",\"state\":\"FILE_SIGNATURE_STATE_SIGNED | FILE_SIGNATURE_STATE_VERIFIED | FILE_SIGNATURE_STATE_TRUSTED | FILE_SIGNATURE_STATE_OS | FILE_SIGNATURE_STATE_CATALOG_SIGNED\"}],\"parent_reputation\":\"REP_WHITE\",\"parent_username\":\"NT AUTHORITY\\\\SYSTEM\",\"process_cmdline\":\"sc query aella_conf 
\",\"process_guid\":\"7DESJ9GN-00442a47-00001d5c-00000000-1d81ed87d63d2c6\",\"process_hash\":[\"d9d7684b8431a0d10d0e76fe9f5ffec8\",\"4fe6d9eb8109fb79ff645138de7cff37906867aade589bd68afa503a9ab3cfb2\"],\"process_path\":\"c:\\\\windows\\\\syswow64\\\\sc.exe\",\"process_pid\":7516,\"process_publisher\":[{\"name\":\"Microsoft Windows\",\"state\":\"FILE_SIGNATURE_STATE_SIGNED | FILE_SIGNATURE_STATE_VERIFIED | FILE_SIGNATURE_STATE_TRUSTED | FILE_SIGNATURE_STATE_OS | FILE_SIGNATURE_STATE_CATALOG_SIGNED\"}],\"process_reputation\":\"REP_WHITE\",\"process_username\":\"NT AUTHORITY\\\\SYSTEM\",\"report_id\":\"CFnKBKLTv6hUkBGFobRdg-565571\",\"report_name\":\"Discovery - System Service Discovery Detected\",\"report_tags\":[\"attack\",\"attackframework\",\"threathunting\",\"hunting\",\"t1007\",\"recon\",\"discovery\",\"windows\"],\"severity\":3,\"type\":\"watchlist.hit\",\"watchlists\":[{\"id\":\"P5f9AW29TGmTOvBW156Cig\",\"name\":\"ATT\\u0026CK Framework\"}]}", - "dataset": "carbon_black_cloud.watchlist_hit" - } -} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.2.2/docs/README.md b/packages/carbon_black_cloud/1.2.2/docs/README.md deleted file mode 100755 index 0c5b987e8f..0000000000 --- a/packages/carbon_black_cloud/1.2.2/docs/README.md +++ /dev/null 
@@ -1,1044 +0,0 @@ -# VMware Carbon Black Cloud - -The VMware Carbon Black Cloud integration collects and parses data from the Carbon Black Cloud REST APIs and AWS S3 bucket. - -## Compatibility - -This module has been tested against `Alerts API (v6)`, `Audit Log Events (v3)` and `Vulnerability Assessment (v1)`. - -## Requirements - -### In order to ingest data from the AWS S3 bucket you must: -1. Configure the [Data Forwarder](https://docs.vmware.com/en/VMware-Carbon-Black-Cloud/services/carbon-black-cloud-user-guide/GUID-F68F63DD-2271-4088-82C9-71D675CD0535.html) to ingest data into an AWS S3 bucket. -2. Create an [AWS Access Keys and Secret Access Keys](https://docs.aws.amazon.com/general/latest/gr/aws-sec-cred-types.html#access-keys-and-secret-access-keys). - - -### In order to ingest data from the APIs you must generate API keys and API Secret Keys: -1. In Carbon Black Cloud, On the left navigation pane, click **Settings > API Access**. -2. Click Add API Key. -3. Give the API key a unique name and description. - - Select the appropriate access level type. Please check required Access Levels & Permissions for integration in below table. - **Note:** To use a custom access level, select Custom from the Access Level type drop-down menu and specify the Custom Access Level. - - Optional: Add authorized IP addresses. - - You can restrict the use of an API key to a specific set of IP addresses for security reasons. - **Note:** Authorized IP addresses are not available with Custom keys. -4. To apply the changes, click Save. - -#### Access Levels & Permissions -- The following tables indicate which type of API Key access level is required. If the type is Custom then the permission that is required will also be included. 
- -| Data stream | Access Level and Permissions | -| --------------------------- | ------------------------------------------ | -| Audit | API | -| Alert | Custom orgs.alerts (Read) | -| Asset Vulnerability Summary | Custom vulnerabilityAssessment.data (Read) | - - -## Note - -- The alert data stream has a 15-minute delay to ensure that no occurrences are missed. - -## Logs - -### Audit - -This is the `audit` dataset. - -An example event for `audit` looks as following: - -```json -{ - "@timestamp": "2022-02-10T16:04:30.263Z", - "agent": { - "ephemeral_id": "a332765e-1e1f-4ec7-b24e-ae2d0dd5d74f", - "id": "15b19080-249c-49a5-801a-edf25c28dcfe", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "8.4.1" - }, - "carbon_black_cloud": { - "audit": { - "flagged": false, - "verbose": false - } - }, - "client": { - "ip": "10.10.10.10", - "user": { - "id": "abc@demo.com" - } - }, - "data_stream": { - "dataset": "carbon_black_cloud.audit", - "namespace": "ep", - "type": "logs" - }, - "ecs": { - "version": "8.4.0" - }, - "elastic_agent": { - "id": "15b19080-249c-49a5-801a-edf25c28dcfe", - "snapshot": false, - "version": "8.4.1" - }, - "event": { - "agent_id_status": "verified", - "created": "2022-09-26T01:59:24.724Z", - "dataset": "carbon_black_cloud.audit", - "id": "2122f8ce8xxxxxxxxxxxxx", - "ingested": "2022-09-26T01:59:25Z", - "kind": "event", - "original": "{\"clientIp\":\"10.10.10.10\",\"description\":\"Logged in successfully\",\"eventId\":\"2122f8ce8xxxxxxxxxxxxx\",\"eventTime\":1644509070263,\"flagged\":false,\"loginName\":\"abc@demo.com\",\"orgName\":\"cb-xxxx-xxxx.com\",\"requestUrl\":null,\"verbose\":false}", - "outcome": "success", - "reason": "Logged in successfully" - }, - "input": { - "type": "httpjson" - }, - "organization": { - "name": "cb-xxxx-xxxx.com" - }, - "related": { - "ip": [ - "10.10.10.10" - ] - }, - "tags": [ - "preserve_original_event", - "forwarded", - "carbon_black_cloud-audit" - ] -} -``` - -**Exported fields** - -| Field | 
Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| carbon_black_cloud.audit.flagged | true if action is failed otherwise false. | boolean | -| carbon_black_cloud.audit.verbose | true if verbose audit log otherwise false. | boolean | -| client.ip | IP address of the client (IPv4 or IPv6). | ip | -| client.user.id | Unique identifier of the user. | keyword | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. 
| keyword | -| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | -| event.dataset | Event dataset. | constant_keyword | -| event.id | Unique ID to describe the event. | keyword | -| event.module | Event module. | constant_keyword | -| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | -| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. 
For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | -| event.reason | Reason why this event happened, according to the source. This describes the why of a particular action or outcome captured in the event. Where `event.action` captures the action from the event, `event.reason` describes why that action was taken. For example, a web proxy with an `event.action` which denied the request may also populate `event.reason` with the reason why (e.g. `blocked site`). | keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. 
| text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| input.type | Input type | keyword | -| log.offset | Log offset | long | -| organization.name | Organization name. | keyword | -| organization.name.text | Multi-field of `organization.name`. | match_only_text | -| related.ip | All of the IPs seen on your event. | ip | -| tags | List of keywords used to tag each event. | keyword | -| url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | wildcard | -| url.original.text | Multi-field of `url.original`. | match_only_text | - - -### Alert - -This is the `alert` dataset. 
- -An example event for `alert` looks as following: - -```json -{ - "@timestamp": "2020-11-17T22:05:13.000Z", - "agent": { - "ephemeral_id": "cc329655-90f8-4dc9-8014-e152f2b949da", - "id": "15b19080-249c-49a5-801a-edf25c28dcfe", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "8.4.1" - }, - "carbon_black_cloud": { - "alert": { - "category": "warning", - "device": { - "external_ip": "81.2.69.143", - "internal_ip": "81.2.69.144", - "location": "UNKNOWN", - "os": "WINDOWS" - }, - "last_update_time": "2020-11-17T22:05:13Z", - "legacy_alert_id": "C8EB7306-AF26-4A9A-B677-814B3AF69720", - "organization_key": "ABCD6X3T", - "policy": { - "applied": "APPLIED", - "id": 6997287, - "name": "Standard" - }, - "product_id": "0x5406", - "product_name": "U3 Cruzer Micro", - "reason_code": "6D578342-9DE5-4353-9C25-1D3D857BFC5B:DCAEB1FA-513C-4026-9AB6-37A935873FBC", - "run_state": "DID_NOT_RUN", - "sensor_action": "DENY", - "serial_number": "0875920EF7C2A304", - "target_value": "MEDIUM", - "threat_cause": { - "cause_event_id": "FCEE2AF0-D832-4C9F-B988-F11B46028C9E", - "threat_category": "NON_MALWARE", - "vector": "REMOVABLE_MEDIA" - }, - "threat_id": "t5678", - "type": "DEVICE_CONTROL", - "vendor_id": "0x0781", - "vendor_name": "SanDisk", - "workflow": { - "changed_by": "Carbon Black", - "last_update_time": "2020-11-17T22:02:16Z", - "state": "OPEN" - } - } - }, - "data_stream": { - "dataset": "carbon_black_cloud.alert", - "namespace": "ep", - "type": "logs" - }, - "ecs": { - "version": "8.4.0" - }, - "elastic_agent": { - "id": "15b19080-249c-49a5-801a-edf25c28dcfe", - "snapshot": false, - "version": "8.4.1" - }, - "event": { - "agent_id_status": "verified", - "created": "2022-09-26T01:58:04.610Z", - "dataset": "carbon_black_cloud.alert", - "end": "2020-11-17T22:02:16Z", - "id": "test1", - "ingested": "2022-09-26T01:58:05Z", - "kind": "alert", - "original": 
"{\"alert_url\":\"https://defense-eap01.conferdeploy.net/alerts?orgId=1889976\",\"category\":\"WARNING\",\"create_time\":\"2020-11-17T22:05:13Z\",\"device_external_ip\":\"81.2.69.143\",\"device_id\":2,\"device_internal_ip\":\"81.2.69.144\",\"device_location\":\"UNKNOWN\",\"device_name\":\"DESKTOP-002\",\"device_os\":\"WINDOWS\",\"device_os_version\":\"Windows 10 x64\",\"device_username\":\"test34@demo.com\",\"first_event_time\":\"2020-11-17T22:02:16Z\",\"id\":\"test1\",\"last_event_time\":\"2020-11-17T22:02:16Z\",\"last_update_time\":\"2020-11-17T22:05:13Z\",\"legacy_alert_id\":\"C8EB7306-AF26-4A9A-B677-814B3AF69720\",\"org_key\":\"ABCD6X3T\",\"policy_applied\":\"APPLIED\",\"policy_id\":6997287,\"policy_name\":\"Standard\",\"product_id\":\"0x5406\",\"product_name\":\"U3 Cruzer Micro\",\"reason\":\"Access attempted on unapproved USB device SanDisk U3 Cruzer Micro (SN: 0875920EF7C2A304). A Deny Policy Action was applied.\",\"reason_code\":\"6D578342-9DE5-4353-9C25-1D3D857BFC5B:DCAEB1FA-513C-4026-9AB6-37A935873FBC\",\"run_state\":\"DID_NOT_RUN\",\"sensor_action\":\"DENY\",\"serial_number\":\"0875920EF7C2A304\",\"severity\":3,\"target_value\":\"MEDIUM\",\"threat_cause_cause_event_id\":\"FCEE2AF0-D832-4C9F-B988-F11B46028C9E\",\"threat_cause_threat_category\":\"NON_MALWARE\",\"threat_cause_vector\":\"REMOVABLE_MEDIA\",\"threat_id\":\"t5678\",\"type\":\"DEVICE_CONTROL\",\"vendor_id\":\"0x0781\",\"vendor_name\":\"SanDisk\",\"workflow\":{\"changed_by\":\"Carbon Black\",\"comment\":\"\",\"last_update_time\":\"2020-11-17T22:02:16Z\",\"remediation\":\"\",\"state\":\"OPEN\"}}", - "reason": "Access attempted on unapproved USB device SanDisk U3 Cruzer Micro (SN: 0875920EF7C2A304). 
A Deny Policy Action was applied.", - "severity": 3, - "start": "2020-11-17T22:02:16Z", - "url": "https://defense-eap01.conferdeploy.net/alerts?orgId=1889976" - }, - "host": { - "hostname": "DESKTOP-002", - "id": "2", - "ip": [ - "81.2.69.144", - "81.2.69.143" - ], - "name": "DESKTOP-002", - "os": { - "type": "windows", - "version": "Windows 10 x64" - } - }, - "input": { - "type": "httpjson" - }, - "related": { - "hosts": [ - "DESKTOP-002" - ], - "ip": [ - "81.2.69.144", - "81.2.69.143" - ], - "user": [ - "test34@demo.com" - ] - }, - "tags": [ - "preserve_original_event", - "forwarded", - "carbon_black_cloud-alert" - ], - "user": { - "name": "test34@demo.com" - } -} -``` - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| carbon_black_cloud.alert.blocked_threat_category | The category of threat which we were able to take action on. | keyword | -| carbon_black_cloud.alert.category | The category of the alert. | keyword | -| carbon_black_cloud.alert.count | | long | -| carbon_black_cloud.alert.created_by_event_id | Event identifier that initiated the alert. | keyword | -| carbon_black_cloud.alert.device.external_ip | External IP of the device. | ip | -| carbon_black_cloud.alert.device.internal_ip | Internal IP of the device. | ip | -| carbon_black_cloud.alert.device.location | The Location of device. | keyword | -| carbon_black_cloud.alert.device.os | OS of the device. | keyword | -| carbon_black_cloud.alert.document_guid | Unique ID of document. | keyword | -| carbon_black_cloud.alert.ioc.field | The field the indicator of comprise (IOC) hit contains. | keyword | -| carbon_black_cloud.alert.ioc.hit | IOC field value or IOC query that matches. | keyword | -| carbon_black_cloud.alert.ioc.id | The identifier of the IOC that cause the hit. | keyword | -| carbon_black_cloud.alert.kill_chain_status | The stage within the Cyber Kill Chain sequence most closely associated with the attributes of the alert. 
| keyword | -| carbon_black_cloud.alert.last_update_time | The last time the alert was updated as an ISO 8601 UTC timestamp. | date | -| carbon_black_cloud.alert.legacy_alert_id | The legacy identifier for the alert. | keyword | -| carbon_black_cloud.alert.not_blocked_threat_category | Other potentially malicious activity involved in the threat that we weren't able to take action on (either due to policy config, or not having a relevant rule). | keyword | -| carbon_black_cloud.alert.notes_present | Indicates if notes are associated with the threat_id. | boolean | -| carbon_black_cloud.alert.organization_key | The unique identifier for the organization associated with the alert. | keyword | -| carbon_black_cloud.alert.policy.applied | Whether a policy was applied. | keyword | -| carbon_black_cloud.alert.policy.id | The identifier for the policy associated with the device at the time of the alert. | long | -| carbon_black_cloud.alert.policy.name | The name of the policy associated with the device at the time of the alert. | keyword | -| carbon_black_cloud.alert.product_id | The hexadecimal id of the USB device's product. | keyword | -| carbon_black_cloud.alert.product_name | The name of the USB device’s vendor. | keyword | -| carbon_black_cloud.alert.reason_code | Shorthand enum for the full-text reason. | keyword | -| carbon_black_cloud.alert.report.id | The identifier of the report that contains the IOC. | keyword | -| carbon_black_cloud.alert.report.name | The name of the report that contains the IOC. | keyword | -| carbon_black_cloud.alert.run_state | Whether the threat in the alert ran. | keyword | -| carbon_black_cloud.alert.sensor_action | The action taken by the sensor, according to the rule of the policy. | keyword | -| carbon_black_cloud.alert.serial_number | The serial number of the USB device. | keyword | -| carbon_black_cloud.alert.status | status of alert. | keyword | -| carbon_black_cloud.alert.tags | Tags associated with the alert. 
| keyword | -| carbon_black_cloud.alert.target_value | The priority of the device assigned by the policy. | keyword | -| carbon_black_cloud.alert.threat_activity.c2 | Whether the alert involved a command and control (c2) server. | keyword | -| carbon_black_cloud.alert.threat_activity.dlp | Whether the alert involved data loss prevention (DLP). | keyword | -| carbon_black_cloud.alert.threat_activity.phish | Whether the alert involved phishing. | keyword | -| carbon_black_cloud.alert.threat_cause.actor.md5 | MD5 of the threat cause actor. | keyword | -| carbon_black_cloud.alert.threat_cause.actor.name | The name can be one of the following: process commandline, process name, or analytic matched threat. Analytic matched threats are Exploit, Malware, PUP, or Trojan. | keyword | -| carbon_black_cloud.alert.threat_cause.actor.process_pid | Process identifier (PID) of the actor process. | keyword | -| carbon_black_cloud.alert.threat_cause.actor.sha256 | SHA256 of the threat cause actor. | keyword | -| carbon_black_cloud.alert.threat_cause.cause_event_id | ID of the Event that triggered the threat. | keyword | -| carbon_black_cloud.alert.threat_cause.process.guid | The global unique identifier of the process. | keyword | -| carbon_black_cloud.alert.threat_cause.process.parent.guid | The global unique identifier of the process. | keyword | -| carbon_black_cloud.alert.threat_cause.reputation | Reputation of the threat cause. | keyword | -| carbon_black_cloud.alert.threat_cause.threat_category | Category of the threat cause. | keyword | -| carbon_black_cloud.alert.threat_cause.vector | The source of the threat cause. | keyword | -| carbon_black_cloud.alert.threat_id | The identifier of a threat which this alert belongs. Threats are comprised of a combination of factors that can be repeated across devices. | keyword | -| carbon_black_cloud.alert.threat_indicators.process_name | Process name associated with threat. 
| keyword | -| carbon_black_cloud.alert.threat_indicators.sha256 | Sha256 associated with threat. | keyword | -| carbon_black_cloud.alert.threat_indicators.ttps | Tactics, techniques and procedures associated with threat. | keyword | -| carbon_black_cloud.alert.type | Type of alert. | keyword | -| carbon_black_cloud.alert.vendor_id | The hexadecimal id of the USB device's vendor. | keyword | -| carbon_black_cloud.alert.vendor_name | The name of the USB device’s vendor. | keyword | -| carbon_black_cloud.alert.watchlists.id | The identifier of watchlist. | keyword | -| carbon_black_cloud.alert.watchlists.name | The name of the watchlist. | keyword | -| carbon_black_cloud.alert.workflow.changed_by | The name of user who changed the workflow. | keyword | -| carbon_black_cloud.alert.workflow.comment | Comment associated with workflow. | keyword | -| carbon_black_cloud.alert.workflow.last_update_time | The last update time of workflow. | date | -| carbon_black_cloud.alert.workflow.remediation | N/A | keyword | -| carbon_black_cloud.alert.workflow.state | The state of workflow. | keyword | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. 
| keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | -| event.dataset | Event dataset. | constant_keyword | -| event.end | event.end contains the date when the event ended or when the activity was last observed. | date | -| event.id | Unique ID to describe the event. | keyword | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. 
They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | -| event.module | Event module. | constant_keyword | -| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | -| event.reason | Reason why this event happened, according to the source. This describes the why of a particular action or outcome captured in the event. Where `event.action` captures the action from the event, `event.reason` describes why that action was taken. For example, a web proxy with an `event.action` which denied the request may also populate `event.reason` with the reason why (e.g. `blocked site`). | keyword | -| event.severity | The numeric severity of the event according to your event source. What the different severity values mean can be different between sources and use cases. It's up to the implementer to make sure severities are consistent across events from the same source. The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`. | long | -| event.start | event.start contains the date when the event started or when the activity was first observed. | date | -| event.url | URL linking to an external system to continue investigation of this event. This URL links to another system where in-depth investigation of the specific occurrence of this event can take place. 
Alert events, indicated by `event.kind:alert`, are a common use case for this field. | keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.type | Use the `os.type` field to categorize the operating system into one of the broad commercial families. If the OS you're dealing with is not listed as an expected value, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. 
For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| input.type | Input type | keyword | -| log.offset | Log offset | long | -| process.entity_id | Unique identifier for the process. The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. | keyword | -| process.executable | Absolute path to the process executable. | keyword | -| process.executable.text | Multi-field of `process.executable`. | match_only_text | -| process.name | Process name. Sometimes called program name or similar. | keyword | -| process.name.text | Multi-field of `process.name`. | match_only_text | -| related.hash | All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). | keyword | -| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| related.user | All the user names or other user identifiers seen on the event. | keyword | -| tags | List of keywords used to tag each event. | keyword | -| user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword | -| user.name | Short name or login of the user. | keyword | -| user.name.text | Multi-field of `user.name`. | match_only_text | - - -### Endpoint Event - -This is the `endpoint_event` dataset. 
- -An example event for `endpoint_event` looks as following: - -```json -{ - "process": { - "parent": { - "pid": 1684, - "entity_id": "XXXXXXXX-003d902d-00000694-00000000-1d7540221dedd62", - "command_line": "C:\\WindowsAzure\\GuestAgent_2.7.41491.1010_2021-05-11_233023\\GuestAgent\\WindowsAzureGuestAgent.exe", - "executable": "c:\\windowsazure\\guestagent_2.7.41491.1010_2021-05-11_233023\\guestagent\\windowsazureguestagent.exe", - "hash": { - "sha256": "44a1975b2197484bb22a0eb673e67e7ee9ec20265e9f6347f5e06b6447ac82c5", - "md5": "03dd698da2671383c9b4f868c9931879" - } - }, - "pid": 4880, - "entity_id": "XXXXXXXX-003d902d-00001310-00000000-1d81e748c4adb37", - "command_line": "\"route.exe\" print", - "executable": "c:\\windows\\system32\\route.exe", - "hash": { - "sha256": "9e9c7696859b94b1c33a532fa4d5c648226cf3361121dd899e502b8949fb11a6", - "md5": "2498272dc48446891182747428d02a30" - } - }, - "ecs": { - "version": "8.3.0" - }, - "carbon_black_cloud": { - "endpoint_event": { - "schema": 1, - "event_origin": "EDR", - "process": { - "duration": 2, - "parent": { - "reputation": "REP_RESOLVING" - }, - "publisher": [ - { - "name": "Microsoft Windows", - "state": [ - "FILE_SIGNATURE_STATE_SIGNED", - "FILE_SIGNATURE_STATE_VERIFIED", - "FILE_SIGNATURE_STATE_TRUSTED", - "FILE_SIGNATURE_STATE_OS", - "FILE_SIGNATURE_STATE_CATALOG_SIGNED" - ] - } - ], - "reputation": "REP_RESOLVING", - "terminated": true, - "username": "NT AUTHORITY\\SYSTEM" - }, - "organization_key": "XXXXXXXX", - "backend": { - "timestamp": "2022-02-10 11:52:50 +0000 UTC" - }, - "target_cmdline": "\"route.exe\" print", - "type": "endpoint.event.procend", - "device": { - "os": "WINDOWS", - "timestamp": "2022-02-10 11:51:35.0684097 +0000 UTC", - "external_ip": "67.43.156.12" - }, - "sensor_action": "ACTION_ALLOW" - } - }, - "host": { - "hostname": "client-cb2", - "id": "4034605", - "os": { - "type": "windows" - }, - "ip": [ - "67.43.156.13" - ] - }, - "event": { - "action": "ACTION_PROCESS_TERMINATE", - "orignal": 
"{\"type\":\"endpoint.event.procend\",\"process_guid\":\"XXXXXXXX-003d902d-00001310-00000000-1d81e748c4adb37\",\"parent_guid\":\"XXXXXXXX-003d902d-00000694-00000000-1d7540221dedd62\",\"backend_timestamp\":\"2022-02-10 11:52:50 +0000 UTC\",\"org_key\":\"XXXXXXXX\",\"device_id\":\"4034605\",\"device_name\":\"client-cb2\",\"device_external_ip\":\"67.43.156.13\",\"device_os\":\"WINDOWS\",\"device_group\":\"\",\"action\":\"ACTION_PROCESS_TERMINATE\",\"schema\":1,\"device_timestamp\":\"2022-02-10 11:51:35.0684097 +0000 UTC\",\"process_terminated\":true,\"process_duration\":2,\"process_reputation\":\"REP_RESOLVING\",\"parent_reputation\":\"REP_RESOLVING\",\"process_pid\":4880,\"parent_pid\":1684,\"process_publisher\":[{\"name\":\"Microsoft Windows\",\"state\":\"FILE_SIGNATURE_STATE_SIGNED | FILE_SIGNATURE_STATE_VERIFIED | FILE_SIGNATURE_STATE_TRUSTED | FILE_SIGNATURE_STATE_OS | FILE_SIGNATURE_STATE_CATALOG_SIGNED\"}],\"process_path\":\"c:\\\\windows\\\\system32\\\\route.exe\",\"parent_path\":\"c:\\\\windowsazure\\\\guestagent_2.7.41491.1010_2021-05-11_233023\\\\guestagent\\\\windowsazureguestagent.exe\",\"process_hash\":[\"2498272dc48446891182747428d02a30\",\"9e9c7696859b94b1c33a532fa4d5c648226cf3361121dd899e502b8949fb11a6\"],\"parent_hash\":[\"03dd698da2671383c9b4f868c9931879\",\"44a1975b2197484bb22a0eb673e67e7ee9ec20265e9f6347f5e06b6447ac82c5\"],\"process_cmdline\":\"\\\"route.exe\\\" print\",\"parent_cmdline\":\"C:\\\\WindowsAzure\\\\GuestAgent_2.7.41491.1010_2021-05-11_233023\\\\GuestAgent\\\\WindowsAzureGuestAgent.exe\",\"process_username\":\"NT AUTHORITY\\\\SYSTEM\",\"sensor_action\":\"ACTION_ALLOW\",\"event_origin\":\"EDR\",\"target_cmdline\":\"\\\"route.exe\\\" print\"}" - }, - "data_stream": { - "dataset": "carbon_black_cloud.endpoint_event", - "namespace": "ep", - "type": "logs" - }, - "elastic_agent": { - "id": "3b20ea47-9610-412d-97e3-47cd19b7e4d5", - "snapshot": true, - "version": "8.0.0" - }, - "input": { - "type": "aws-s3" - }, - "tags": [ - 
"preserve_original_event", - "forwarded", - "carbon_black_cloud-endpoint-event" - ] -} -``` - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| carbon_black_cloud.endpoint_event.alert_id | The ID of the Alert this event is associated with. | keyword | -| carbon_black_cloud.endpoint_event.backend.timestamp | Time when the backend received the batch of events. | keyword | -| carbon_black_cloud.endpoint_event.childproc.guid | Unique ID of the child process. | keyword | -| carbon_black_cloud.endpoint_event.childproc.hash.md5 | Cryptographic MD5 hashes of the executable file backing the child process. | keyword | -| carbon_black_cloud.endpoint_event.childproc.hash.sha256 | Cryptographic SHA256 hashes of the executable file backing the child process. | keyword | -| carbon_black_cloud.endpoint_event.childproc.name | Full path to the target of the crossproc event on the device's local file system. | keyword | -| carbon_black_cloud.endpoint_event.childproc.pid | OS-reported Process ID of the child process. | long | -| carbon_black_cloud.endpoint_event.childproc.publisher.name | The name of the publisher. | keyword | -| carbon_black_cloud.endpoint_event.childproc.publisher.state | The state of the publisher. | keyword | -| carbon_black_cloud.endpoint_event.childproc.reputation | Carbon Black Cloud Reputation string for the childproc. | keyword | -| carbon_black_cloud.endpoint_event.childproc.username | The username associated with the user context that the child process was started under. | keyword | -| carbon_black_cloud.endpoint_event.crossproc.action | The action taken on cross-process. | keyword | -| carbon_black_cloud.endpoint_event.crossproc.api | Name of the operating system API called by the actor process. | keyword | -| carbon_black_cloud.endpoint_event.crossproc.guid | Unique ID of the cross process. 
| keyword | -| carbon_black_cloud.endpoint_event.crossproc.hash.md5 | Cryptographic MD5 hashes of the target of the crossproc event. | keyword | -| carbon_black_cloud.endpoint_event.crossproc.hash.sha256 | Cryptographic SHA256 hashes of the target of the crossproc event. | keyword | -| carbon_black_cloud.endpoint_event.crossproc.name | Full path to the target of the crossproc event on the device's local file system. | keyword | -| carbon_black_cloud.endpoint_event.crossproc.publisher.name | The name of the publisher. | keyword | -| carbon_black_cloud.endpoint_event.crossproc.publisher.state | The state of the publisher. | keyword | -| carbon_black_cloud.endpoint_event.crossproc.reputation | Carbon Black Cloud Reputation string for the crossproc. | keyword | -| carbon_black_cloud.endpoint_event.crossproc.target | True if the process was the target of the cross-process event; false if the process was the actor. | boolean | -| carbon_black_cloud.endpoint_event.device.external_ip | External IP of the device. | ip | -| carbon_black_cloud.endpoint_event.device.internal_ip | Internal IP of the device. | ip | -| carbon_black_cloud.endpoint_event.device.os | Os name. | keyword | -| carbon_black_cloud.endpoint_event.device.timestamp | Time seen on sensor. | keyword | -| carbon_black_cloud.endpoint_event.event_origin | Indicates which product the event came from. "EDR" indicates the event originated from Enterprise EDR. "NGAV" indicates the event originated from Endpoint Standard. | keyword | -| carbon_black_cloud.endpoint_event.fileless_scriptload.cmdline | Deobfuscated script content run in a fileless context by the process. | keyword | -| carbon_black_cloud.endpoint_event.fileless_scriptload.cmdline_length | Character count of the deobfuscated script content run in a fileless context. | keyword | -| carbon_black_cloud.endpoint_event.fileless_scriptload.hash.md5 | MD5 hash of the deobfuscated script content run by the process in a fileless context. 
| keyword | -| carbon_black_cloud.endpoint_event.fileless_scriptload.hash.sha256 | SHA-256 hash of the deobfuscated script content run by the process in a fileless context. | keyword | -| carbon_black_cloud.endpoint_event.modload.count | Count of modload events reported by the sensor since last initialization. | long | -| carbon_black_cloud.endpoint_event.modload.effective_reputation | Effective reputation(s) of the loaded module(s); applied by the sensor when the event occurred. | keyword | -| carbon_black_cloud.endpoint_event.modload.publisher.name | The name of the publisher. | keyword | -| carbon_black_cloud.endpoint_event.modload.publisher.state | The state of the publisher. | keyword | -| carbon_black_cloud.endpoint_event.netconn.proxy.domain | DNS name associated with the "proxy" end of this network connection; may be empty if the name cannot be inferred or the connection is made direct to/from a proxy IP address. | keyword | -| carbon_black_cloud.endpoint_event.netconn.proxy.ip | IPv4 or IPv6 address in string format associated with the "proxy" end of this network connection. | keyword | -| carbon_black_cloud.endpoint_event.netconn.proxy.port | UDP/TCP port number associated with the "proxy" end of this network connection. | keyword | -| carbon_black_cloud.endpoint_event.organization_key | The organization key associated with the console instance. | keyword | -| carbon_black_cloud.endpoint_event.process.duration | The time difference in seconds between the process start and process terminate event. | long | -| carbon_black_cloud.endpoint_event.process.parent.reputation | Reputation of the parent process; applied when event is processed by the Carbon Black Cloud i.e. after sensor delivers event to the cloud. | keyword | -| carbon_black_cloud.endpoint_event.process.publisher.name | The name of the publisher. | keyword | -| carbon_black_cloud.endpoint_event.process.publisher.state | The state of the publisher. 
| keyword | -| carbon_black_cloud.endpoint_event.process.reputation | Reputation of the actor process; applied when event is processed by the Carbon Black Cloud i.e. after sensor delivers event to the cloud. | keyword | -| carbon_black_cloud.endpoint_event.process.terminated | True if process was terminated elase false. | boolean | -| carbon_black_cloud.endpoint_event.process.username | The username associated with the user context that this process was started under. | keyword | -| carbon_black_cloud.endpoint_event.schema | The schema version. The current schema version is "1". This schema version will only be incremented if the field definitions are changed in a backwards-incompatible way. | long | -| carbon_black_cloud.endpoint_event.scriptload.count | Count of scriptload events across all processes reported by the sensor since last initialization. | long | -| carbon_black_cloud.endpoint_event.scriptload.effective_reputation | Effective reputation(s) of the script file(s) loaded at process launch; applied by the sensor when the event occurred. | keyword | -| carbon_black_cloud.endpoint_event.scriptload.hash.md5 | Cryptographic MD5 hashes of the target of the scriptload event. | keyword | -| carbon_black_cloud.endpoint_event.scriptload.hash.sha256 | Cryptographic SHA256 hashes of the target of the scriptload event. | keyword | -| carbon_black_cloud.endpoint_event.scriptload.name | Full path to the target of the crossproc event on the device's local file system. | keyword | -| carbon_black_cloud.endpoint_event.scriptload.publisher.name | The name of the publisher. | keyword | -| carbon_black_cloud.endpoint_event.scriptload.publisher.state | The state of the publisher. | keyword | -| carbon_black_cloud.endpoint_event.scriptload.reputation | Carbon Black Cloud Reputation string for the scriptload. | keyword | -| carbon_black_cloud.endpoint_event.sensor_action | The sensor action taken on event. 
| keyword | -| carbon_black_cloud.endpoint_event.target_cmdline | Process command line associated with the target process. | keyword | -| carbon_black_cloud.endpoint_event.type | The event type. | keyword | -| client.ip | IP address of the client (IPv4 or IPv6). | ip | -| client.port | Port of the client. | long | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| dll.hash.md5 | MD5 hash. | keyword | -| dll.hash.sha256 | SHA256 hash. | keyword | -| dll.path | Full file path of the library. | keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. 
When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword | -| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | -| event.dataset | Event dataset. | constant_keyword | -| event.id | Unique ID to describe the event. | keyword | -| event.module | Event module. | constant_keyword | -| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | -| event.reason | Reason why this event happened, according to the source. This describes the why of a particular action or outcome captured in the event. Where `event.action` captures the action from the event, `event.reason` describes why that action was taken. 
For example, a web proxy with an `event.action` which denied the request may also populate `event.reason` with the reason why (e.g. `blocked site`). | keyword | -| file.hash.md5 | MD5 hash. | keyword | -| file.hash.sha256 | SHA256 hash. | keyword | -| file.path | Full path to the file, including the file name. It should include the drive letter, when appropriate. | keyword | -| file.path.text | Multi-field of `file.path`. | match_only_text | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. 
| keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| input.type | Input type | keyword | -| log.offset | Log offset | long | -| network.direction | Direction of the network traffic. When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword | -| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword | -| process.command_line | Full command line that started the process, including the absolute path to the executable, and all arguments. Some arguments may be filtered to protect sensitive information. | wildcard | -| process.command_line.text | Multi-field of `process.command_line`. | match_only_text | -| process.entity_id | Unique identifier for the process. The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. 
Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. | keyword | -| process.executable | Absolute path to the process executable. | keyword | -| process.executable.text | Multi-field of `process.executable`. | match_only_text | -| process.hash.md5 | MD5 hash. | keyword | -| process.hash.sha256 | SHA256 hash. | keyword | -| process.parent.command_line | Full command line that started the process, including the absolute path to the executable, and all arguments. Some arguments may be filtered to protect sensitive information. | wildcard | -| process.parent.command_line.text | Multi-field of `process.parent.command_line`. | match_only_text | -| process.parent.entity_id | Unique identifier for the process. The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. | keyword | -| process.parent.executable | Absolute path to the process executable. | keyword | -| process.parent.executable.text | Multi-field of `process.parent.executable`. | match_only_text | -| process.parent.hash.md5 | MD5 hash. | keyword | -| process.parent.hash.sha256 | SHA256 hash. | keyword | -| process.parent.pid | Process id. | long | -| process.pid | Process id. | long | -| registry.path | Full path, including hive, key and value | keyword | -| related.hash | All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). | keyword | -| related.hosts | All hostnames or other host identifiers seen on your event. 
Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| related.user | All the user names or other user identifiers seen on the event. | keyword | -| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| source.port | Port of the source. | long | -| tags | List of keywords used to tag each event. | keyword | -| user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword | - - -### Watchlist Hit - -This is the `watchlist_hit` dataset. - -An example event for `watchlist_hit` looks as following: - -```json -{ - "tags": [ - "preserve_original_event", - "forwarded", - "carbon_black_cloud-watchlist-hit" - ], - "input": { - "type": "aws-s3" - }, - "data_stream": { - "namespace": "default", - "type": "logs", - "dataset": "carbon_black_cloud.watchlist_hit" - }, - "agent": { - "id": "e0d5f508-9616-400f-b26b-bb1aa6638b80", - "type": "filebeat", - "version": "8.0.0" - }, - "ecs": { - "version": "8.3.0" - }, - "process": { - "parent": { - "pid": 4076, - "entity_id": "7DESJ9GN-00442a47-00000fec-00000000-1d81ed87d4655d1", - "command_line": "C:\\WINDOWS\\system32\\cmd.exe /c \"sc query aella_conf | findstr RUNNING \u003e null\"", - "executable": "c:\\windows\\syswow64\\cmd.exe", - "hash": { - "sha256": "4d89fc34d5f0f9babd022271c585a9477bf41e834e46b991deaa0530fdb25e22", - "md5": "d0fce3afa6aa1d58ce9fa336cc2b675b" - } - }, - "pid": 7516, - "entity_id": "7DESJ9GN-00442a47-00001d5c-00000000-1d81ed87d63d2c6", - "command_line": "sc query aella_conf ", - "executable": "c:\\windows\\syswow64\\sc.exe", - "hash": { - "sha256": 
"4fe6d9eb8109fb79ff645138de7cff37906867aade589bd68afa503a9ab3cfb2", - "md5": "d9d7684b8431a0d10d0e76fe9f5ffec8" - } - }, - "carbon_black_cloud": { - "watchlist_hit": { - "schema": 1, - "process": { - "parent": { - "publisher": [ - { - "name": "Microsoft Windows", - "state": [ - "FILE_SIGNATURE_STATE_SIGNED", - "FILE_SIGNATURE_STATE_VERIFIED", - "FILE_SIGNATURE_STATE_TRUSTED", - "FILE_SIGNATURE_STATE_OS", - "FILE_SIGNATURE_STATE_CATALOG_SIGNED" - ] - } - ], - "reputation": "REP_WHITE", - "username": "NT AUTHORITY\\SYSTEM" - }, - "publisher": [ - { - "name": "Microsoft Windows", - "state": [ - "FILE_SIGNATURE_STATE_SIGNED", - "FILE_SIGNATURE_STATE_VERIFIED", - "FILE_SIGNATURE_STATE_TRUSTED", - "FILE_SIGNATURE_STATE_OS", - "FILE_SIGNATURE_STATE_CATALOG_SIGNED" - ] - } - ], - "reputation": "REP_WHITE", - "username": "NT AUTHORITY\\SYSTEM" - }, - "organization_key": "xxxxxxxx", - "report": { - "name": "Discovery - System Service Discovery Detected", - "id": "CFnKBKLTv6hUkBGFobRdg-565571", - "tags": [ - "attack", - "attackframework", - "threathunting", - "hunting", - "t1007", - "recon", - "discovery", - "windows" - ] - }, - "watchlists": [ - { - "name": "ATT\u0026CK Framework", - "id": "P5f9AW29TGmTOvBW156Cig" - } - ], - "type": "watchlist.hit", - "ioc": { - "hit": "((process_name:sc.exe -parent_name:svchost.exe) AND process_cmdline:query) -enriched:true", - "id": "565571-0" - }, - "device": { - "internal_ip": "10.10.156.12", - "external_ip": "67.43.156.12", - "os": "WINDOWS" - } - } - }, - "host": { - "hostname": "Carbonblack-win1", - "os": { - "type": "windows" - }, - "ip": [ - "10.10.156.12", - "67.43.156.12" - ], - "id": "4467271" - }, - "event": { - "kind": "event", - "severity": 3, - "agent_id_status": "verified", - "ingested": "2022-02-17T07:23:31Z", - "original": 
"{\"schema\":1,\"create_time\":\"2022-02-10T23:54:32.449Z\",\"device_external_ip\":\"205.234.30.196\",\"device_id\":4467271,\"device_internal_ip\":\"10.33.4.214\",\"device_name\":\"Carbonblack-win1\",\"device_os\":\"WINDOWS\",\"ioc_hit\":\"((process_name:sc.exe -parent_name:svchost.exe) AND process_cmdline:query) -enriched:true\",\"ioc_id\":\"565571-0\",\"org_key\":\"7DESJ9GN\",\"parent_cmdline\":\"C:\\\\WINDOWS\\\\system32\\\\cmd.exe /c \\\"sc query aella_conf | findstr RUNNING \\u003e null\\\"\",\"parent_guid\":\"7DESJ9GN-00442a47-00000fec-00000000-1d81ed87d4655d1\",\"parent_hash\":[\"d0fce3afa6aa1d58ce9fa336cc2b675b\",\"4d89fc34d5f0f9babd022271c585a9477bf41e834e46b991deaa0530fdb25e22\"],\"parent_path\":\"c:\\\\windows\\\\syswow64\\\\cmd.exe\",\"parent_pid\":4076,\"parent_publisher\":[{\"name\":\"Microsoft Windows\",\"state\":\"FILE_SIGNATURE_STATE_SIGNED | FILE_SIGNATURE_STATE_VERIFIED | FILE_SIGNATURE_STATE_TRUSTED | FILE_SIGNATURE_STATE_OS | FILE_SIGNATURE_STATE_CATALOG_SIGNED\"}],\"parent_reputation\":\"REP_WHITE\",\"parent_username\":\"NT AUTHORITY\\\\SYSTEM\",\"process_cmdline\":\"sc query aella_conf \",\"process_guid\":\"7DESJ9GN-00442a47-00001d5c-00000000-1d81ed87d63d2c6\",\"process_hash\":[\"d9d7684b8431a0d10d0e76fe9f5ffec8\",\"4fe6d9eb8109fb79ff645138de7cff37906867aade589bd68afa503a9ab3cfb2\"],\"process_path\":\"c:\\\\windows\\\\syswow64\\\\sc.exe\",\"process_pid\":7516,\"process_publisher\":[{\"name\":\"Microsoft Windows\",\"state\":\"FILE_SIGNATURE_STATE_SIGNED | FILE_SIGNATURE_STATE_VERIFIED | FILE_SIGNATURE_STATE_TRUSTED | FILE_SIGNATURE_STATE_OS | FILE_SIGNATURE_STATE_CATALOG_SIGNED\"}],\"process_reputation\":\"REP_WHITE\",\"process_username\":\"NT AUTHORITY\\\\SYSTEM\",\"report_id\":\"CFnKBKLTv6hUkBGFobRdg-565571\",\"report_name\":\"Discovery - System Service Discovery 
Detected\",\"report_tags\":[\"attack\",\"attackframework\",\"threathunting\",\"hunting\",\"t1007\",\"recon\",\"discovery\",\"windows\"],\"severity\":3,\"type\":\"watchlist.hit\",\"watchlists\":[{\"id\":\"P5f9AW29TGmTOvBW156Cig\",\"name\":\"ATT\\u0026CK Framework\"}]}", - "dataset": "carbon_black_cloud.watchlist_hit" - } -} -``` - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| carbon_black_cloud.watchlist_hit.device.external_ip | External IP of the device. | ip | -| carbon_black_cloud.watchlist_hit.device.internal_ip | Internal IP of the device. | ip | -| carbon_black_cloud.watchlist_hit.device.os | OS Type of device (Windows/OSX/Linux). | keyword | -| carbon_black_cloud.watchlist_hit.ioc.field | Field the IOC hit contains. | keyword | -| carbon_black_cloud.watchlist_hit.ioc.hit | IOC field value, or IOC query that matches. | keyword | -| carbon_black_cloud.watchlist_hit.ioc.id | ID of the IOC that caused the hit. | keyword | -| carbon_black_cloud.watchlist_hit.organization_key | The organization key associated with the console instance. | keyword | -| carbon_black_cloud.watchlist_hit.process.parent.publisher.name | The name of the publisher. | keyword | -| carbon_black_cloud.watchlist_hit.process.parent.publisher.state | The state of the publisher. | keyword | -| carbon_black_cloud.watchlist_hit.process.parent.reputation | Reputation of the actor process; applied when event is processed by the Carbon Black Cloud i.e. after sensor delivers event to the cloud. | keyword | -| carbon_black_cloud.watchlist_hit.process.parent.username | The username associated with the user context that this process was started under. | keyword | -| carbon_black_cloud.watchlist_hit.process.reputation | Reputation of the actor process; applied when event is processed by the Carbon Black Cloud i.e. after sensor delivers event to the cloud. 
| keyword | -| carbon_black_cloud.watchlist_hit.process.username | The username associated with the user context that this process was started under. | keyword | -| carbon_black_cloud.watchlist_hit.report.id | ID of the watchlist report(s) that detected a hit on the process. | keyword | -| carbon_black_cloud.watchlist_hit.report.name | Name of the watchlist report(s) that detected a hit on the process. | keyword | -| carbon_black_cloud.watchlist_hit.report.tags | List of tags associated with the report(s) that detected a hit on the process. | keyword | -| carbon_black_cloud.watchlist_hit.schema | Schema version. | long | -| carbon_black_cloud.watchlist_hit.type | The watchlist hit type. | keyword | -| carbon_black_cloud.watchlist_hit.watchlists.id | The ID of the watchlists. | keyword | -| carbon_black_cloud.watchlist_hit.watchlists.name | The name of the watchlists. | keyword | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. 
| constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date |
-| event.dataset | Event dataset. | constant_keyword |
-| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword |
-| event.module | Event module. | constant_keyword |
-| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex.
This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword |
-| event.severity | The numeric severity of the event according to your event source. What the different severity values mean can be different between sources and use cases. It's up to the implementer to make sure severities are consistent across events from the same source. The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`. | long |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows).
| keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.type | Use the `os.type` field to categorize the operating system into one of the broad commercial families. If the OS you're dealing with is not listed as an expected value, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| input.type | Input type | keyword |
-| log.offset | Log offset | long |
-| process.command_line | Full command line that started the process, including the absolute path to the executable, and all arguments. Some arguments may be filtered to protect sensitive information. | wildcard |
-| process.command_line.text | Multi-field of `process.command_line`. | match_only_text |
-| process.entity_id | Unique identifier for the process. The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. | keyword |
-| process.executable | Absolute path to the process executable. | keyword |
-| process.executable.text | Multi-field of `process.executable`. | match_only_text |
-| process.hash.md5 | MD5 hash. | keyword |
-| process.hash.sha256 | SHA256 hash.
| keyword |
-| process.parent.command_line | Full command line that started the process, including the absolute path to the executable, and all arguments. Some arguments may be filtered to protect sensitive information. | wildcard |
-| process.parent.command_line.text | Multi-field of `process.parent.command_line`. | match_only_text |
-| process.parent.entity_id | Unique identifier for the process. The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. | keyword |
-| process.parent.executable | Absolute path to the process executable. | keyword |
-| process.parent.executable.text | Multi-field of `process.parent.executable`. | match_only_text |
-| process.parent.hash.md5 | MD5 hash. | keyword |
-| process.parent.hash.sha256 | SHA256 hash. | keyword |
-| process.parent.pid | Process id. | long |
-| process.pid | Process id. | long |
-| related.hash | All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). | keyword |
-| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword |
-| related.ip | All of the IPs seen on your event. | ip |
-| related.user | All the user names or other user identifiers seen on the event. | keyword |
-| tags | List of keywords used to tag each event. | keyword |
-| user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name.
| keyword | - - -### Asset Vulnerability Summary - -This is the `asset_vulnerability_summary` dataset. - -An example event for `asset_vulnerability_summary` looks as following: - -```json -{ - "@timestamp": "2022-09-26T01:58:41.710Z", - "agent": { - "ephemeral_id": "818ffeea-8e73-497b-bc16-b13e6bb3010c", - "id": "15b19080-249c-49a5-801a-edf25c28dcfe", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "8.4.1" - }, - "carbon_black_cloud": { - "asset_vulnerability_summary": { - "last_sync": { - "timestamp": "2022-01-17T08:33:37.384Z" - }, - "os_info": { - "os_arch": "64-bit" - }, - "sync": { - "status": "COMPLETED", - "type": "SCHEDULED" - }, - "type": "ENDPOINT", - "vuln_count": 1770 - } - }, - "data_stream": { - "dataset": "carbon_black_cloud.asset_vulnerability_summary", - "namespace": "ep", - "type": "logs" - }, - "ecs": { - "version": "8.4.0" - }, - "elastic_agent": { - "id": "15b19080-249c-49a5-801a-edf25c28dcfe", - "snapshot": false, - "version": "8.4.1" - }, - "event": { - "agent_id_status": "verified", - "created": "2022-09-26T01:58:41.710Z", - "dataset": "carbon_black_cloud.asset_vulnerability_summary", - "ingested": "2022-09-26T01:58:45Z", - "original": "{\"cve_ids\":null,\"device_id\":8,\"highest_risk_score\":10,\"host_name\":\"DESKTOP-008\",\"last_sync_ts\":\"2022-01-17T08:33:37.384932Z\",\"name\":\"DESKTOP-008KK\",\"os_info\":{\"os_arch\":\"64-bit\",\"os_name\":\"Microsoft Windows 10 Education\",\"os_type\":\"WINDOWS\",\"os_version\":\"10.0.17763\"},\"severity\":\"CRITICAL\",\"sync_status\":\"COMPLETED\",\"sync_type\":\"SCHEDULED\",\"type\":\"ENDPOINT\",\"vm_id\":\"\",\"vm_name\":\"\",\"vuln_count\":1770}" - }, - "host": { - "hostname": "DESKTOP-008", - "id": "8", - "name": "DESKTOP-008KK", - "os": { - "name": "Microsoft Windows 10 Education", - "type": "windows", - "version": "10.0.17763" - } - }, - "input": { - "type": "httpjson" - }, - "related": { - "hosts": [ - "DESKTOP-008" - ] - }, - "tags": [ - "preserve_original_event", - 
"forwarded", - "carbon_black_cloud-asset-vulnerability-summary" - ], - "vulnerability": { - "score": { - "base": 10 - }, - "severity": "CRITICAL" - } -} -``` - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| carbon_black_cloud.asset_vulnerability_summary.last_sync.timestamp | The identifier is for the Last sync time. | date | -| carbon_black_cloud.asset_vulnerability_summary.os_info.os_arch | The identifier is for the Operating system architecture. | keyword | -| carbon_black_cloud.asset_vulnerability_summary.sync.status | The identifier is for the Device sync status. | keyword | -| carbon_black_cloud.asset_vulnerability_summary.sync.type | The identifier is for the Whether a manual sync was triggered for the device, or if it was a scheduled sync. | keyword | -| carbon_black_cloud.asset_vulnerability_summary.type | The identifier is for the Device type. | keyword | -| carbon_black_cloud.asset_vulnerability_summary.vm.id | The identifier is for the Virtual Machine ID. | keyword | -| carbon_black_cloud.asset_vulnerability_summary.vm.name | The identifier is for the Virtual Machine name. | keyword | -| carbon_black_cloud.asset_vulnerability_summary.vuln_count | The identifier is for the Number of vulnerabilities at this level. | integer | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. 
| keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
-| data_stream.dataset | Data stream dataset. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date |
-| event.dataset | Event dataset | constant_keyword |
-| event.module | Event module | constant_keyword |
-| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`.
If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.type | Use the `os.type` field to categorize the operating system into one of the broad commercial families. If the OS you're dealing with is not listed as an expected value, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. | keyword |
-| host.os.version | Operating system version as a raw string.
| keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| input.type | Input type | keyword | -| log.offset | Log offset | long | -| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword | -| tags | List of keywords used to tag each event. | keyword | -| vulnerability.score.base | Scores can range from 0.0 to 10.0, with 10.0 being the most severe. Base scores cover an assessment for exploitability metrics (attack vector, complexity, privileges, and user interaction), impact metrics (confidentiality, integrity, and availability), and scope. For example (https://www.first.org/cvss/specification-document) | float | -| vulnerability.severity | The severity of the vulnerability can help with metrics and internal prioritization regarding remediation. For example (https://nvd.nist.gov/vuln-metrics/cvss) | keyword | diff --git a/packages/carbon_black_cloud/1.2.2/img/carbon_black_cloud-logo.svg b/packages/carbon_black_cloud/1.2.2/img/carbon_black_cloud-logo.svg deleted file mode 100755 index 180cc3d212..0000000000 --- a/packages/carbon_black_cloud/1.2.2/img/carbon_black_cloud-logo.svg +++ /dev/null @@ -1,91 +0,0 @@ - - - - -Created by potrace 1.16, written by Peter Selinger 2001-2019 - - - - - - - - - - - - - - - - - - - - - diff --git a/packages/carbon_black_cloud/1.2.2/img/carbon_black_cloud-screenshot.png b/packages/carbon_black_cloud/1.2.2/img/carbon_black_cloud-screenshot.png deleted file mode 100755 index 6fda3c108d..0000000000 Binary files a/packages/carbon_black_cloud/1.2.2/img/carbon_black_cloud-screenshot.png and /dev/null differ 
diff --git a/packages/carbon_black_cloud/1.2.2/kibana/dashboard/carbon_black_cloud-7e095a40-e325-11ec-8642-e7f3d8b25a9b.json b/packages/carbon_black_cloud/1.2.2/kibana/dashboard/carbon_black_cloud-7e095a40-e325-11ec-8642-e7f3d8b25a9b.json
deleted file mode 100755
index 4879b5460d..0000000000
--- a/packages/carbon_black_cloud/1.2.2/kibana/dashboard/carbon_black_cloud-7e095a40-e325-11ec-8642-e7f3d8b25a9b.json
+++ /dev/null
@@ -1,158 +0,0 @@ -{ - "attributes": { - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.alert\\\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"c54d9223-56ad-42b4-9452-a44657dbcd6e\",\"w\":16,\"x\":0,\"y\":0},\"panelIndex\":\"c54d9223-56ad-42b4-9452-a44657dbcd6e\",\"panelRefName\":\"panel_c54d9223-56ad-42b4-9452-a44657dbcd6e\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"d3728fd5-5390-4448-8f26-277521569f30\",\"w\":16,\"x\":16,\"y\":0},\"panelIndex\":\"d3728fd5-5390-4448-8f26-277521569f30\",\"panelRefName\":\"panel_d3728fd5-5390-4448-8f26-277521569f30\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"f1a29b4b-19d4-4ce2-84ac-d82761bd0e2c\",\"w\":16,\"x\":32,\"y\":0},\"panelIndex\":\"f1a29b4b-19d4-4ce2-84ac-d82761bd0e2c\",\"panelRefName\":\"panel_f1a29b4b-19d4-4ce2-84ac-d82761bd0e2c\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"5f57acd4-74a8-4d97-9e7b-d7b069efc867\",\"w\":24,\"x\":0,\"y\":15},\"panelIndex\":\"5f57acd4-74a8-4d97-9e7b-d7b069efc867\",\"panelRefName\":\"panel_5f57acd4-74a8-4d97-9e7b-d7b069efc867\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"legendOpen\":true}},\"gridData\":{\"h\":15,\"i\":\"909c2914-4695-42dd-aa36-93e043a5c025\",\"w\":24,\"x\":24,\"y\":15},\"panelIndex\":\"909c2914-4695-42dd-aa36-93e043a5c025\",\"panelRefName\":\"panel_909c2914-4695-42dd-aa36-93e043a5c025\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridDa
ta\":{\"h\":15,\"i\":\"c1ebdebc-a37b-48db-b2b1-6bcbcebea6d5\",\"w\":24,\"x\":0,\"y\":30},\"panelIndex\":\"c1ebdebc-a37b-48db-b2b1-6bcbcebea6d5\",\"panelRefName\":\"panel_c1ebdebc-a37b-48db-b2b1-6bcbcebea6d5\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"9e320d15-f9df-4aea-9564-ac1c4257b51b\",\"w\":24,\"x\":24,\"y\":30},\"panelIndex\":\"9e320d15-f9df-4aea-9564-ac1c4257b51b\",\"panelRefName\":\"panel_9e320d15-f9df-4aea-9564-ac1c4257b51b\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"5eb1ba4d-7c85-44c2-9d82-0ff45b8a3d1c\",\"w\":24,\"x\":0,\"y\":45},\"panelIndex\":\"5eb1ba4d-7c85-44c2-9d82-0ff45b8a3d1c\",\"panelRefName\":\"panel_5eb1ba4d-7c85-44c2-9d82-0ff45b8a3d1c\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"7da33ed3-29d9-4fe1-87a9-4debfc7bdd24\",\"w\":24,\"x\":24,\"y\":45},\"panelIndex\":\"7da33ed3-29d9-4fe1-87a9-4debfc7bdd24\",\"panelRefName\":\"panel_7da33ed3-29d9-4fe1-87a9-4debfc7bdd24\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"ed2de824-c493-4240-a6b5-329889c40c43\",\"w\":24,\"x\":0,\"y\":60},\"panelIndex\":\"ed2de824-c493-4240-a6b5-329889c40c43\",\"panelRefName\":\"panel_ed2de824-c493-4240-a6b5-329889c40c43\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"a6d4e61e-57bc-413a-8c68-5f55ab59e16a\",\"w\":24,\"x\":24,\"y\":60},\"panelIndex\":\"a6d4e61e-57bc-413a-8c68-5f55ab59e16a\",\"panelRefName\":\"panel_a6d4e61e-57bc-413a-8c68-5f55ab59e16a\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"bf749130-3138-45fe-a010-5b30b4636e7b\",\"w\":24,\"x\":0,\"y\":75},\"panelIndex\":\"bf749130-3138-45fe-
a010-5b30b4636e7b\",\"panelRefName\":\"panel_bf749130-3138-45fe-a010-5b30b4636e7b\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"44ed553e-d5cc-4841-85e9-0d8af122086a\",\"w\":24,\"x\":24,\"y\":75},\"panelIndex\":\"44ed553e-d5cc-4841-85e9-0d8af122086a\",\"panelRefName\":\"panel_44ed553e-d5cc-4841-85e9-0d8af122086a\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"cd3cb74e-b13e-4a52-a48c-82d13a59421a\",\"w\":24,\"x\":0,\"y\":90},\"panelIndex\":\"cd3cb74e-b13e-4a52-a48c-82d13a59421a\",\"panelRefName\":\"panel_cd3cb74e-b13e-4a52-a48c-82d13a59421a\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"42b64f1c-9526-4430-8f62-cc6596cf07d7\",\"w\":24,\"x\":24,\"y\":90},\"panelIndex\":\"42b64f1c-9526-4430-8f62-cc6596cf07d7\",\"panelRefName\":\"panel_42b64f1c-9526-4430-8f62-cc6596cf07d7\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"b2fe20be-cad5-4bfa-abd1-c9b069fd2494\",\"w\":24,\"x\":0,\"y\":105},\"panelIndex\":\"b2fe20be-cad5-4bfa-abd1-c9b069fd2494\",\"panelRefName\":\"panel_b2fe20be-cad5-4bfa-abd1-c9b069fd2494\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"ef6af3c0-10e9-46af-933c-a032464bdecf\",\"w\":24,\"x\":24,\"y\":105},\"panelIndex\":\"ef6af3c0-10e9-46af-933c-a032464bdecf\",\"panelRefName\":\"panel_ef6af3c0-10e9-46af-933c-a032464bdecf\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"f9aeff58-ece5-4b1d-80e2-83cc30cf4bbc\",\"w\":24,\"x\":0,\"y\":120},\"panelIndex\":\"f9aeff58-ece5-4b1d-80e2-83cc30cf4bbc\",\"panelRefName\":\"panel_f9aeff58-ece5-4b1d-80e2-83cc30cf4bbc\",\"type\":\"visualization\",\"version\"
:\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"247ad399-6383-4bf0-910e-9cb6767781c3\",\"w\":24,\"x\":24,\"y\":120},\"panelIndex\":\"247ad399-6383-4bf0-910e-9cb6767781c3\",\"panelRefName\":\"panel_247ad399-6383-4bf0-910e-9cb6767781c3\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"5c60fc1b-5ad1-4036-8adc-ce9adf455758\",\"w\":24,\"x\":0,\"y\":135},\"panelIndex\":\"5c60fc1b-5ad1-4036-8adc-ce9adf455758\",\"panelRefName\":\"panel_5c60fc1b-5ad1-4036-8adc-ce9adf455758\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"0a228399-6f69-4803-b4cd-65f30dca5890\",\"w\":24,\"x\":24,\"y\":135},\"panelIndex\":\"0a228399-6f69-4803-b4cd-65f30dca5890\",\"panelRefName\":\"panel_0a228399-6f69-4803-b4cd-65f30dca5890\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"5b015940-3fee-411a-be82-661078ead366\",\"w\":24,\"x\":0,\"y\":150},\"panelIndex\":\"5b015940-3fee-411a-be82-661078ead366\",\"panelRefName\":\"panel_5b015940-3fee-411a-be82-661078ead366\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"655bc1d2-5c31-4a38-9759-ab72f88bdb92\",\"w\":24,\"x\":24,\"y\":150},\"panelIndex\":\"655bc1d2-5c31-4a38-9759-ab72f88bdb92\",\"panelRefName\":\"panel_655bc1d2-5c31-4a38-9759-ab72f88bdb92\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"8cdf7cdc-1858-4561-9e3b-5b5c73498586\",\"w\":24,\"x\":0,\"y\":165},\"panelIndex\":\"8cdf7cdc-1858-4561-9e3b-5b5c73498586\",\"panelRefName\":\"panel_8cdf7cdc-1858-4561-9e3b-5b5c73498586\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"2d6c60e3-32cc-4746-bc7d-3fa40b8
0447c\",\"w\":24,\"x\":24,\"y\":165},\"panelIndex\":\"2d6c60e3-32cc-4746-bc7d-3fa40b80447c\",\"panelRefName\":\"panel_2d6c60e3-32cc-4746-bc7d-3fa40b80447c\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":23,\"i\":\"bc34dc1a-ba27-489e-a950-90a978974351\",\"w\":48,\"x\":0,\"y\":180},\"panelIndex\":\"bc34dc1a-ba27-489e-a950-90a978974351\",\"panelRefName\":\"panel_bc34dc1a-ba27-489e-a950-90a978974351\",\"type\":\"search\",\"version\":\"7.17.0\"}]", - "refreshInterval": { - "pause": true, - "value": 0 - }, - "timeFrom": "now-1h", - "timeRestore": true, - "timeTo": "now", - "title": "[Carbon Black Cloud] Alert", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-7e095a40-e325-11ec-8642-e7f3d8b25a9b", - "migrationVersion": { - "dashboard": "7.17.0" - }, - "references": [ - { - "id": "carbon_black_cloud-52fde850-8d73-11ec-ac12-4bc77fa14e95", - "name": "c54d9223-56ad-42b4-9452-a44657dbcd6e:panel_c54d9223-56ad-42b4-9452-a44657dbcd6e", - "type": "visualization" - }, - { - "id": "carbon_black_cloud-f3f635b0-8d72-11ec-ac12-4bc77fa14e95", - "name": "d3728fd5-5390-4448-8f26-277521569f30:panel_d3728fd5-5390-4448-8f26-277521569f30", - "type": "visualization" - }, - { - "id": "carbon_black_cloud-ff34eaa0-8d79-11ec-ac12-4bc77fa14e95", - "name": "f1a29b4b-19d4-4ce2-84ac-d82761bd0e2c:panel_f1a29b4b-19d4-4ce2-84ac-d82761bd0e2c", - "type": "visualization" - }, - { - "id": "carbon_black_cloud-9a533f40-8d80-11ec-ac12-4bc77fa14e95", - "name": "5f57acd4-74a8-4d97-9e7b-d7b069efc867:panel_5f57acd4-74a8-4d97-9e7b-d7b069efc867", - "type": "visualization" - }, - { - "id": "carbon_black_cloud-1b554010-8d73-11ec-ac12-4bc77fa14e95", - "name": "909c2914-4695-42dd-aa36-93e043a5c025:panel_909c2914-4695-42dd-aa36-93e043a5c025", - "type": "visualization" - }, - { - "id": "carbon_black_cloud-906f65c0-8d81-11ec-ac12-4bc77fa14e95", - "name": 
"c1ebdebc-a37b-48db-b2b1-6bcbcebea6d5:panel_c1ebdebc-a37b-48db-b2b1-6bcbcebea6d5", - "type": "visualization" - }, - { - "id": "carbon_black_cloud-0a8f5e90-8d79-11ec-ac12-4bc77fa14e95", - "name": "9e320d15-f9df-4aea-9564-ac1c4257b51b:panel_9e320d15-f9df-4aea-9564-ac1c4257b51b", - "type": "visualization" - }, - { - "id": "carbon_black_cloud-5c122d10-8d83-11ec-ac12-4bc77fa14e95", - "name": "5eb1ba4d-7c85-44c2-9d82-0ff45b8a3d1c:panel_5eb1ba4d-7c85-44c2-9d82-0ff45b8a3d1c", - "type": "visualization" - }, - { - "id": "carbon_black_cloud-2eafd430-8d83-11ec-ac12-4bc77fa14e95", - "name": "7da33ed3-29d9-4fe1-87a9-4debfc7bdd24:panel_7da33ed3-29d9-4fe1-87a9-4debfc7bdd24", - "type": "visualization" - }, - { - "id": "carbon_black_cloud-cc2d3630-8d83-11ec-ac12-4bc77fa14e95", - "name": "ed2de824-c493-4240-a6b5-329889c40c43:panel_ed2de824-c493-4240-a6b5-329889c40c43", - "type": "visualization" - }, - { - "id": "carbon_black_cloud-993b8650-8d83-11ec-ac12-4bc77fa14e95", - "name": "a6d4e61e-57bc-413a-8c68-5f55ab59e16a:panel_a6d4e61e-57bc-413a-8c68-5f55ab59e16a", - "type": "visualization" - }, - { - "id": "carbon_black_cloud-97ab53f0-8d84-11ec-ac12-4bc77fa14e95", - "name": "bf749130-3138-45fe-a010-5b30b4636e7b:panel_bf749130-3138-45fe-a010-5b30b4636e7b", - "type": "visualization" - }, - { - "id": "carbon_black_cloud-8af47260-8d87-11ec-ac12-4bc77fa14e95", - "name": "44ed553e-d5cc-4841-85e9-0d8af122086a:panel_44ed553e-d5cc-4841-85e9-0d8af122086a", - "type": "visualization" - }, - { - "id": "carbon_black_cloud-d33296f0-8d79-11ec-ac12-4bc77fa14e95", - "name": "cd3cb74e-b13e-4a52-a48c-82d13a59421a:panel_cd3cb74e-b13e-4a52-a48c-82d13a59421a", - "type": "visualization" - }, - { - "id": "carbon_black_cloud-f93958c0-8d83-11ec-ac12-4bc77fa14e95", - "name": "42b64f1c-9526-4430-8f62-cc6596cf07d7:panel_42b64f1c-9526-4430-8f62-cc6596cf07d7", - "type": "visualization" - }, - { - "id": "carbon_black_cloud-5c6ce550-8d85-11ec-ac12-4bc77fa14e95", - "name": 
"b2fe20be-cad5-4bfa-abd1-c9b069fd2494:panel_b2fe20be-cad5-4bfa-abd1-c9b069fd2494", - "type": "visualization" - }, - { - "id": "carbon_black_cloud-ee77a260-8d84-11ec-ac12-4bc77fa14e95", - "name": "ef6af3c0-10e9-46af-933c-a032464bdecf:panel_ef6af3c0-10e9-46af-933c-a032464bdecf", - "type": "visualization" - }, - { - "id": "carbon_black_cloud-6efc6240-8d8a-11ec-ac12-4bc77fa14e95", - "name": "f9aeff58-ece5-4b1d-80e2-83cc30cf4bbc:panel_f9aeff58-ece5-4b1d-80e2-83cc30cf4bbc", - "type": "visualization" - }, - { - "id": "carbon_black_cloud-ee670e50-8d89-11ec-ac12-4bc77fa14e95", - "name": "247ad399-6383-4bf0-910e-9cb6767781c3:panel_247ad399-6383-4bf0-910e-9cb6767781c3", - "type": "visualization" - }, - { - "id": "carbon_black_cloud-10f699d0-8d8b-11ec-ac12-4bc77fa14e95", - "name": "5c60fc1b-5ad1-4036-8adc-ce9adf455758:panel_5c60fc1b-5ad1-4036-8adc-ce9adf455758", - "type": "visualization" - }, - { - "id": "carbon_black_cloud-71058370-e323-11ec-8642-e7f3d8b25a9b", - "name": "0a228399-6f69-4803-b4cd-65f30dca5890:panel_0a228399-6f69-4803-b4cd-65f30dca5890", - "type": "visualization" - }, - { - "id": "carbon_black_cloud-d49a3710-8d96-11ec-ac12-4bc77fa14e95", - "name": "5b015940-3fee-411a-be82-661078ead366:panel_5b015940-3fee-411a-be82-661078ead366", - "type": "visualization" - }, - { - "id": "carbon_black_cloud-a5d6fa30-8d8c-11ec-ac12-4bc77fa14e95", - "name": "655bc1d2-5c31-4a38-9759-ab72f88bdb92:panel_655bc1d2-5c31-4a38-9759-ab72f88bdb92", - "type": "visualization" - }, - { - "id": "carbon_black_cloud-89932a20-8d86-11ec-ac12-4bc77fa14e95", - "name": "8cdf7cdc-1858-4561-9e3b-5b5c73498586:panel_8cdf7cdc-1858-4561-9e3b-5b5c73498586", - "type": "visualization" - }, - { - "id": "carbon_black_cloud-928cff80-8d8a-11ec-ac12-4bc77fa14e95", - "name": "2d6c60e3-32cc-4746-bc7d-3fa40b80447c:panel_2d6c60e3-32cc-4746-bc7d-3fa40b80447c", - "type": "visualization" - }, - { - "id": "carbon_black_cloud-6e41bd70-8d8d-11ec-ac12-4bc77fa14e95", - "name": 
"bc34dc1a-ba27-489e-a950-90a978974351:panel_bc34dc1a-ba27-489e-a950-90a978974351", - "type": "search" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.2.2/kibana/dashboard/carbon_black_cloud-869252c0-8d71-11ec-ac12-4bc77fa14e95.json b/packages/carbon_black_cloud/1.2.2/kibana/dashboard/carbon_black_cloud-869252c0-8d71-11ec-ac12-4bc77fa14e95.json deleted file mode 100755 index 129cd1c62a..0000000000 --- a/packages/carbon_black_cloud/1.2.2/kibana/dashboard/carbon_black_cloud-869252c0-8d71-11ec-ac12-4bc77fa14e95.json +++ /dev/null 
@@ -1,42 +0,0 @@ -{ - "attributes": { - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.audit\\\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{},\"table\":null,\"vis\":{\"params\":{\"colWidth\":[{\"colIndex\":0,\"width\":831}]}}},\"gridData\":{\"h\":15,\"i\":\"c8d90872-b3b3-447d-a9fc-ada6409efeb2\",\"w\":48,\"x\":0,\"y\":0},\"panelIndex\":\"c8d90872-b3b3-447d-a9fc-ada6409efeb2\",\"panelRefName\":\"panel_0\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"16128cf1-2134-46a9-9fd3-19889a2a6c9e\",\"w\":24,\"x\":0,\"y\":15},\"panelIndex\":\"16128cf1-2134-46a9-9fd3-19889a2a6c9e\",\"panelRefName\":\"panel_1\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"84a10ea8-959c-4fe7-852d-835b3786ed17\",\"w\":24,\"x\":24,\"y\":15},\"panelIndex\":\"84a10ea8-959c-4fe7-852d-835b3786ed17\",\"panelRefName\":\"panel_2\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":18,\"i\":\"cd3e5a79-3640-47ff-95cd-c54debb5ee2d\",\"w\":48,\"x\":0,\"y\":30},\"panelIndex\":\"cd3e5a79-3640-47ff-95cd-c54debb5ee2d\",\"panelRefName\":\"panel_3\",\"type\":\"search\",\"version\":\"7.17.0\"}]", - "timeRestore": false, - "title": "[Carbon Black Cloud] Audit Logs", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-869252c0-8d71-11ec-ac12-4bc77fa14e95", - "migrationVersion": { - "dashboard": "7.17.0" - }, - "references": [ - { - "id": "carbon_black_cloud-ee2098d0-8d70-11ec-ac12-4bc77fa14e95", - "name": "panel_0", - "type": "visualization" - }, - { - "id": 
"carbon_black_cloud-0f420ad0-8d71-11ec-ac12-4bc77fa14e95", - "name": "panel_1", - "type": "visualization" - }, - { - "id": "carbon_black_cloud-a6d2a900-8d70-11ec-ac12-4bc77fa14e95", - "name": "panel_2", - "type": "visualization" - }, - { - "id": "carbon_black_cloud-4272e690-8d71-11ec-ac12-4bc77fa14e95", - "name": "panel_3", - "type": "search" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.2.2/kibana/dashboard/carbon_black_cloud-a94cd3a0-962a-11ec-864c-3332b2a355f7.json b/packages/carbon_black_cloud/1.2.2/kibana/dashboard/carbon_black_cloud-a94cd3a0-962a-11ec-864c-3332b2a355f7.json deleted file mode 100755 index e3f216759c..0000000000 --- a/packages/carbon_black_cloud/1.2.2/kibana/dashboard/carbon_black_cloud-a94cd3a0-962a-11ec-864c-3332b2a355f7.json +++ /dev/null 
@@ -1,97 +0,0 @@ -{ - "attributes": { - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.endpoint_event\\\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Event Type\",\"field\":\"carbon_black_cloud.endpoint_event.type\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"searchSource\":{\"filter\":[],\"index\":\"logs-*\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.endpoint_event\\\"\"}}},\"description\":\"\",\"id\":\"\",\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":false,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"\",\"type\":\"pie\",\"uiState\":{\"vis\":{\"legendOpen\":true}}},\"vis\":{\"legendOpen\":true}},\"gridData\":{\"h\":15,\"i\":\"f19543f7-04f5-42dd-849b-5f2fd8ca15f8\",\"w\":24,\"x\":0,\"y\":0},\"panelIndex\":\"f19543f7-04f5-42dd-849b-5f2fd8ca15f8\",\"title\":\"[Carbon Black Cloud] Top 10 Event 
Types\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"bee43023-c427-4176-ba31-2c4831cbc44e\",\"w\":24,\"x\":24,\"y\":0},\"panelIndex\":\"bee43023-c427-4176-ba31-2c4831cbc44e\",\"panelRefName\":\"panel_0\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"1727b9fb-4ba0-4f78-aa54-0d52db62b624\",\"w\":24,\"x\":0,\"y\":15},\"panelIndex\":\"1727b9fb-4ba0-4f78-aa54-0d52db62b624\",\"panelRefName\":\"panel_1\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"10a11498-6416-4b72-adc6-78a5d7937428\",\"w\":24,\"x\":24,\"y\":15},\"panelIndex\":\"10a11498-6416-4b72-adc6-78a5d7937428\",\"panelRefName\":\"panel_2\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"719006b6-32b2-4ed0-aecd-a1a1f37b471b\",\"w\":24,\"x\":0,\"y\":30},\"panelIndex\":\"719006b6-32b2-4ed0-aecd-a1a1f37b471b\",\"panelRefName\":\"panel_3\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"735f366c-91c5-4f33-961f-4db200acc05c\",\"w\":24,\"x\":24,\"y\":30},\"panelIndex\":\"735f366c-91c5-4f33-961f-4db200acc05c\",\"panelRefName\":\"panel_4\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"14a95a5a-61e8-459c-95bc-d1b11eed9054\",\"w\":24,\"x\":0,\"y\":45},\"panelIndex\":\"14a95a5a-61e8-459c-95bc-d1b11eed9054\",\"panelRefName\":\"panel_5\",\"title\":\"[Carbon Black Cloud] Top 10 Device External 
IP\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"3cc67760-3bba-4282-b91e-db120e8abe4e\",\"w\":24,\"x\":24,\"y\":45},\"panelIndex\":\"3cc67760-3bba-4282-b91e-db120e8abe4e\",\"panelRefName\":\"panel_6\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"9df5251e-52af-4509-b30e-d62f8ef9a3a3\",\"w\":24,\"x\":0,\"y\":60},\"panelIndex\":\"9df5251e-52af-4509-b30e-d62f8ef9a3a3\",\"panelRefName\":\"panel_7\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"04d664de-8814-4314-8f6e-2774b11ab572\",\"w\":24,\"x\":24,\"y\":60},\"panelIndex\":\"04d664de-8814-4314-8f6e-2774b11ab572\",\"panelRefName\":\"panel_8\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"c80e4ab0-c5b5-4916-9025-d006a37aa7ba\",\"w\":24,\"x\":0,\"y\":75},\"panelIndex\":\"c80e4ab0-c5b5-4916-9025-d006a37aa7ba\",\"panelRefName\":\"panel_9\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"f57a7bf6-bc25-433b-8019-6489124907b6\",\"w\":24,\"x\":24,\"y\":75},\"panelIndex\":\"f57a7bf6-bc25-433b-8019-6489124907b6\",\"panelRefName\":\"panel_10\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"c9984aec-8f3f-456a-aa80-b1fc314eb681\",\"w\":24,\"x\":0,\"y\":90},\"panelIndex\":\"c9984aec-8f3f-456a-aa80-b1fc314eb681\",\"panelRefName\":\"panel_11\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"3232147b-0914-4432-ba42-0c6c03414e4b\",\"w\":24,\"x\":24,\"y\":90},\"panelIndex\":\"3232147b-0914-4432-ba42-0c6c03414e4b\",\"panelRefName\":\"panel_12\",\"title\":\"[Carbon 
Black Cloud] Top 10 Effective Reputation of Loaded Modules\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":16,\"i\":\"391470e2-57a0-46c7-86bd-f66c6eb2ed66\",\"w\":48,\"x\":0,\"y\":105},\"panelIndex\":\"391470e2-57a0-46c7-86bd-f66c6eb2ed66\",\"panelRefName\":\"panel_13\",\"type\":\"search\",\"version\":\"7.17.0\"}]", - "timeRestore": false, - "title": "[Carbon Black Cloud] Endpoint Event", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-a94cd3a0-962a-11ec-864c-3332b2a355f7", - "migrationVersion": { - "dashboard": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "f19543f7-04f5-42dd-849b-5f2fd8ca15f8:kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "carbon_black_cloud-3afe1750-9630-11ec-864c-3332b2a355f7", - "name": "panel_0", - "type": "visualization" - }, - { - "id": "carbon_black_cloud-11df3480-9630-11ec-864c-3332b2a355f7", - "name": "panel_1", - "type": "visualization" - }, - { - "id": "carbon_black_cloud-c6cfa8d0-962f-11ec-864c-3332b2a355f7", - "name": "panel_2", - "type": "visualization" - }, - { - "id": "carbon_black_cloud-2d324250-963e-11ec-864c-3332b2a355f7", - "name": "panel_3", - "type": "visualization" - }, - { - "id": "carbon_black_cloud-949c1d00-9628-11ec-864c-3332b2a355f7", - "name": "panel_4", - "type": "visualization" - }, - { - "id": "carbon_black_cloud-f28910d0-9628-11ec-864c-3332b2a355f7", - "name": "panel_5", - "type": "visualization" - }, - { - "id": "carbon_black_cloud-76fe1db0-962e-11ec-864c-3332b2a355f7", - "name": "panel_6", - "type": "visualization" - }, - { - "id": "carbon_black_cloud-ae34ca40-962e-11ec-864c-3332b2a355f7", - "name": "panel_7", - "type": "visualization" - }, - { - "id": "carbon_black_cloud-f7681be0-962e-11ec-864c-3332b2a355f7", - "name": "panel_8", - "type": "visualization" - }, - { - "id": "carbon_black_cloud-2be6ad50-962f-11ec-864c-3332b2a355f7", - "name": 
"panel_9", - "type": "visualization" - }, - { - "id": "carbon_black_cloud-53d65ef0-962f-11ec-864c-3332b2a355f7", - "name": "panel_10", - "type": "visualization" - }, - { - "id": "carbon_black_cloud-7a6261e0-962f-11ec-864c-3332b2a355f7", - "name": "panel_11", - "type": "visualization" - }, - { - "id": "carbon_black_cloud-a7ce1420-9630-11ec-864c-3332b2a355f7", - "name": "panel_12", - "type": "visualization" - }, - { - "id": "carbon_black_cloud-6494a7e0-9640-11ec-864c-3332b2a355f7", - "name": "panel_13", - "type": "search" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.2.2/kibana/dashboard/carbon_black_cloud-db61a3d0-9534-11ec-8b9d-35e42c3f7fcf.json b/packages/carbon_black_cloud/1.2.2/kibana/dashboard/carbon_black_cloud-db61a3d0-9534-11ec-8b9d-35e42c3f7fcf.json deleted file mode 100755 index ee0df3955b..0000000000 --- a/packages/carbon_black_cloud/1.2.2/kibana/dashboard/carbon_black_cloud-db61a3d0-9534-11ec-8b9d-35e42c3f7fcf.json +++ /dev/null 
@@ -1,67 +0,0 @@ -{ - "attributes": { - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.asset_vulnerability_summary\\\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"table\":null,\"vis\":{\"legendOpen\":true}},\"gridData\":{\"h\":15,\"i\":\"604c7824-2086-4750-bd55-42ffffa9fc11\",\"w\":24,\"x\":0,\"y\":0},\"panelIndex\":\"604c7824-2086-4750-bd55-42ffffa9fc11\",\"panelRefName\":\"panel_0\",\"title\":\"[Carbon Black Cloud] Distribution of Asset Vulnerability Summary by OS Type, OS Version\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"table\":null,\"vis\":{\"legendOpen\":false}},\"gridData\":{\"h\":15,\"i\":\"bd12665d-43af-45c1-b05e-556ed72556fa\",\"w\":24,\"x\":24,\"y\":0},\"panelIndex\":\"bd12665d-43af-45c1-b05e-556ed72556fa\",\"panelRefName\":\"panel_1\",\"title\":\"[Carbon Black Cloud] Distribution of Asset Vulnerability Summary by Sync Status\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"table\":null,\"vis\":{\"legendOpen\":false}},\"gridData\":{\"h\":15,\"i\":\"fab676af-f870-4fd6-ac5d-3e17a224aaa8\",\"w\":24,\"x\":0,\"y\":15},\"panelIndex\":\"fab676af-f870-4fd6-ac5d-3e17a224aaa8\",\"panelRefName\":\"panel_2\",\"title\":\"[Carbon Black Cloud] Distribution of Asset Vulnerability Summary by Severity\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"e3d4c200-17e9-4303-9073-b9dc8c95a790\",\"w\":24,\"x\":24,\"y\":15},\"panelIndex\":\"e3d4c200-17e9-4303-9073-b9dc8c95a790\",\"panelRefName\":\"panel_3\",\"title\":\"[Carbon Black Cloud] 
Top 10 Hosts with Highest Vulnerability Count\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"table\":null,\"vis\":{\"legendOpen\":false}},\"gridData\":{\"h\":15,\"i\":\"624500b9-5f23-4c1c-b84b-83c5f20b72bb\",\"w\":24,\"x\":0,\"y\":30},\"panelIndex\":\"624500b9-5f23-4c1c-b84b-83c5f20b72bb\",\"panelRefName\":\"panel_4\",\"title\":\"[Carbon Black Cloud] Distribution of Asset Vulnerability Summary by Sync Type\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"0ec67461-93e2-49df-bcd9-3407fabd5832\",\"w\":24,\"x\":24,\"y\":30},\"panelIndex\":\"0ec67461-93e2-49df-bcd9-3407fabd5832\",\"panelRefName\":\"panel_5\",\"title\":\"[Carbon Black Cloud] Top 10 Hosts with Highest Risk Score\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"66d4f664-5644-48c9-b179-ddd94e1a3e46\",\"w\":24,\"x\":24,\"y\":45},\"panelIndex\":\"66d4f664-5644-48c9-b179-ddd94e1a3e46\",\"panelRefName\":\"panel_6\",\"title\":\"[Carbon Black Cloud] Top 10 OS Names\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":20,\"i\":\"6e5579cc-cd91-4f7b-a221-e9bed77aa2b5\",\"w\":48,\"x\":0,\"y\":60},\"panelIndex\":\"6e5579cc-cd91-4f7b-a221-e9bed77aa2b5\",\"panelRefName\":\"panel_7\",\"title\":\"[Carbon Black Cloud] Asset Vulnerability Assessment Essential Details\",\"type\":\"search\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"legendOpen\":false}},\"gridData\":{\"h\":15,\"i\":\"244dc3ee-7810-4f22-b915-bc0a8118fb2a\",\"w\":24,\"x\":0,\"y\":45},\"panelIndex\":\"244dc3ee-7810-4f22-b915-bc0a8118fb2a\",\"panelRefName\":\"panel_8\",\"type\":\"visualization\",\"version\":\"7.17.0\"}]", - "timeRestore": false, - "title": 
"[Carbon Black Cloud] Asset Vulnerability Summary", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-db61a3d0-9534-11ec-8b9d-35e42c3f7fcf", - "migrationVersion": { - "dashboard": "7.17.0" - }, - "references": [ - { - "id": "carbon_black_cloud-56130b90-954a-11ec-8b9d-35e42c3f7fcf", - "name": "panel_0", - "type": "visualization" - }, - { - "id": "carbon_black_cloud-7caf3b20-954a-11ec-8b9d-35e42c3f7fcf", - "name": "panel_1", - "type": "visualization" - }, - { - "id": "carbon_black_cloud-70cdb250-954a-11ec-8b9d-35e42c3f7fcf", - "name": "panel_2", - "type": "visualization" - }, - { - "id": "carbon_black_cloud-6bfd1770-954a-11ec-8b9d-35e42c3f7fcf", - "name": "panel_3", - "type": "visualization" - }, - { - "id": "carbon_black_cloud-792a3310-954a-11ec-8b9d-35e42c3f7fcf", - "name": "panel_4", - "type": "visualization" - }, - { - "id": "carbon_black_cloud-750fefe0-954a-11ec-8b9d-35e42c3f7fcf", - "name": "panel_5", - "type": "visualization" - }, - { - "id": "carbon_black_cloud-68a6c080-954a-11ec-8b9d-35e42c3f7fcf", - "name": "panel_6", - "type": "visualization" - }, - { - "id": "carbon_black_cloud-dcc2d650-90a6-11ec-8b9d-35e42c3f7fcf", - "name": "panel_7", - "type": "search" - }, - { - "id": "carbon_black_cloud-2d1eedf0-9629-11ec-8b9d-35e42c3f7fcf", - "name": "panel_8", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.2.2/kibana/dashboard/carbon_black_cloud-e226d530-9554-11ec-96f0-8de26c63c826.json b/packages/carbon_black_cloud/1.2.2/kibana/dashboard/carbon_black_cloud-e226d530-9554-11ec-96f0-8de26c63c826.json deleted file mode 100755 index 94761c84e1..0000000000 --- a/packages/carbon_black_cloud/1.2.2/kibana/dashboard/carbon_black_cloud-e226d530-9554-11ec-96f0-8de26c63c826.json +++ /dev/null 
@@ -1,107 +0,0 @@ -{ - "attributes": { - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.watchlist_hit\\\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"8dc3cf12-046a-4901-b213-c29985291e77\",\"w\":24,\"x\":0,\"y\":0},\"panelIndex\":\"8dc3cf12-046a-4901-b213-c29985291e77\",\"panelRefName\":\"panel_0\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Device External IP\",\"field\":\"carbon_black_cloud.watchlist_hit.device.external_ip\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"searchSource\":{\"filter\":[],\"index\":\"logs-*\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.watchlist_hit\\\"\"}}},\"description\":\"\",\"id\":\"\",\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"\",\"type\":\"table\",\"uiState\":{}}},\"gridData\":{\"h\":15,\"i\":\"4f7b5cef-a7e9-44a9-8769-44d5326a8df4\",\"w\":24,\"x\":24,\"y\":0},\"panelIndex\":\"4f7b5cef-a7e9-44a9-8769-44d5326a8df4\",\"title\":\"[Carbon Black Cloud] Top 10 Device External 
IPs\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"savedVis\":{\"data\":{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Watchlist Hit Name\",\"field\":\"carbon_black_cloud.watchlist_hit.watchlists.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"searchSource\":{\"filter\":[],\"index\":\"logs-*\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.watchlist_hit\\\"\"}}},\"description\":\"\",\"id\":\"\",\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Carbon Black Cloud] Top 10 Watchlist Hit Names\",\"type\":\"table\",\"uiState\":{}}},\"gridData\":{\"h\":15,\"i\":\"3d454d18-6baa-40de-aa94-4ebfaee9a759\",\"w\":24,\"x\":0,\"y\":15},\"panelIndex\":\"3d454d18-6baa-40de-aa94-4ebfaee9a759\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"savedVis\":{\"data\":{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Severity\",\"field\":\"event.severity\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"searchSource\":{\"filter\":[],\"index\":\"logs-*\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : 
\\\"carbon_black_cloud.watchlist_hit\\\"\"}}},\"description\":\"\",\"id\":\"\",\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":false,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"[Carbon Black Cloud] Distribution of Watchlist Hit by Severity\",\"type\":\"pie\",\"uiState\":{\"vis\":{\"legendOpen\":true}}},\"vis\":{\"legendOpen\":true}},\"gridData\":{\"h\":15,\"i\":\"b0289aae-02bb-472e-8a22-07ff9f5d2372\",\"w\":24,\"x\":24,\"y\":15},\"panelIndex\":\"b0289aae-02bb-472e-8a22-07ff9f5d2372\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Process Reputation\",\"field\":\"carbon_black_cloud.watchlist_hit.process.reputation\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"searchSource\":{\"filter\":[],\"index\":\"logs-*\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset: 
\\\"carbon_black_cloud.watchlist_hit\\\"\"}}},\"description\":\"\",\"id\":\"\",\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":false,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"\",\"type\":\"pie\",\"uiState\":{\"vis\":{\"legendOpen\":true}}},\"vis\":{\"legendOpen\":true}},\"gridData\":{\"h\":15,\"i\":\"d29f5a98-736d-4f47-877e-b4552d15f889\",\"w\":24,\"x\":0,\"y\":30},\"panelIndex\":\"d29f5a98-736d-4f47-877e-b4552d15f889\",\"title\":\"[Carbon Black Cloud] Distribution of Watchlist Hit by Process Reputation\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Parent Process Reputation\",\"field\":\"carbon_black_cloud.watchlist_hit.process.parent.reputation\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"searchSource\":{\"filter\":[],\"index\":\"logs-*\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset: 
\\\"carbon_black_cloud.watchlist_hit\\\"\"}}},\"description\":\"\",\"id\":\"\",\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":false,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"[Carbon Black Cloud] Distribution of Watchlist Hit by Process Reputation\",\"type\":\"pie\",\"uiState\":{\"vis\":{\"legendOpen\":true}}},\"vis\":{\"legendOpen\":true}},\"gridData\":{\"h\":15,\"i\":\"ae5c96d5-b7d6-45f8-b57b-42cc190f990b\",\"w\":24,\"x\":24,\"y\":30},\"panelIndex\":\"ae5c96d5-b7d6-45f8-b57b-42cc190f990b\",\"title\":\"[Carbon Black Cloud] Distribution of Watchlist Hit by Parent Process Reputation\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"f3ba83bc-4f34-4131-9a0c-bac18ec92ac0\",\"w\":24,\"x\":0,\"y\":45},\"panelIndex\":\"f3ba83bc-4f34-4131-9a0c-bac18ec92ac0\",\"panelRefName\":\"panel_1\",\"title\":\"[Carbon Black Cloud] Top 10 Process Publisher 
Names\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"5271fb1f-64a6-461e-b2de-4abc76736af6\",\"w\":24,\"x\":24,\"y\":45},\"panelIndex\":\"5271fb1f-64a6-461e-b2de-4abc76736af6\",\"panelRefName\":\"panel_2\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"9c2fdcbe-43cb-4070-88ef-03e6e5082636\",\"w\":24,\"x\":0,\"y\":60},\"panelIndex\":\"9c2fdcbe-43cb-4070-88ef-03e6e5082636\",\"panelRefName\":\"panel_3\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"bc0503e7-6c6d-4edf-a76e-17a74f7d0957\",\"w\":24,\"x\":24,\"y\":60},\"panelIndex\":\"bc0503e7-6c6d-4edf-a76e-17a74f7d0957\",\"panelRefName\":\"panel_4\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"legendOpen\":true}},\"gridData\":{\"h\":15,\"i\":\"d02cda3a-ceef-4766-b25b-456733be2a66\",\"w\":24,\"x\":0,\"y\":75},\"panelIndex\":\"d02cda3a-ceef-4766-b25b-456733be2a66\",\"panelRefName\":\"panel_5\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"5b66a72e-ce08-441c-8705-bb632b896745\",\"w\":24,\"x\":24,\"y\":75},\"panelIndex\":\"5b66a72e-ce08-441c-8705-bb632b896745\",\"panelRefName\":\"panel_6\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"6bff08c7-8ffb-423e-87de-f7585aa6bc86\",\"w\":24,\"x\":0,\"y\":90},\"panelIndex\":\"6bff08c7-8ffb-423e-87de-f7585aa6bc86\",\"panelRefName\":\"panel_7\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"437c123b-c447-476e-a28b-f3d965a50968\",\"w\":24,\"x\":24,\"y\":90},\"panelIndex\":\"437c123b-c447-476e-a28b-f3d965a50968\",\"panelRefName\":\"panel_8\",\"type\":\"visualiz
ation\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"33d80097-0089-4b48-8fd9-5dcda9e58e48\",\"w\":24,\"x\":0,\"y\":105},\"panelIndex\":\"33d80097-0089-4b48-8fd9-5dcda9e58e48\",\"panelRefName\":\"panel_9\",\"title\":\"[Carbon Black Cloud] Top 10 Process Publisher States\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"50a006ac-7108-47e5-adef-876c15fc8b44\",\"w\":24,\"x\":24,\"y\":105},\"panelIndex\":\"50a006ac-7108-47e5-adef-876c15fc8b44\",\"panelRefName\":\"panel_10\",\"title\":\"[Carbon Black Cloud] Top 10 Parent Process Publisher States\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":31,\"i\":\"cfec84cb-87af-4b98-b855-17372eee70c8\",\"w\":48,\"x\":0,\"y\":120},\"panelIndex\":\"cfec84cb-87af-4b98-b855-17372eee70c8\",\"panelRefName\":\"panel_11\",\"type\":\"search\",\"version\":\"7.17.0\"}]", - "timeRestore": false, - "title": "[Carbon Black Cloud] Watchlist Hit", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-e226d530-9554-11ec-96f0-8de26c63c826", - "migrationVersion": { - "dashboard": "7.17.0" - }, - "references": [ - { - "id": "carbon_black_cloud-c3786990-9555-11ec-96f0-8de26c63c826", - "name": "panel_0", - "type": "visualization" - }, - { - "id": "logs-*", - "name": "4f7b5cef-a7e9-44a9-8769-44d5326a8df4:kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "3d454d18-6baa-40de-aa94-4ebfaee9a759:kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "b0289aae-02bb-472e-8a22-07ff9f5d2372:kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": 
"d29f5a98-736d-4f47-877e-b4552d15f889:kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "ae5c96d5-b7d6-45f8-b57b-42cc190f990b:kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "carbon_black_cloud-3aa59c50-955a-11ec-96f0-8de26c63c826", - "name": "panel_1", - "type": "visualization" - }, - { - "id": "carbon_black_cloud-6fcd17f0-955a-11ec-96f0-8de26c63c826", - "name": "panel_2", - "type": "visualization" - }, - { - "id": "carbon_black_cloud-bb323db0-955a-11ec-96f0-8de26c63c826", - "name": "panel_3", - "type": "visualization" - }, - { - "id": "carbon_black_cloud-de59dff0-955a-11ec-96f0-8de26c63c826", - "name": "panel_4", - "type": "visualization" - }, - { - "id": "carbon_black_cloud-17537cc0-955c-11ec-96f0-8de26c63c826", - "name": "panel_5", - "type": "visualization" - }, - { - "id": "carbon_black_cloud-4dc9e690-955c-11ec-96f0-8de26c63c826", - "name": "panel_6", - "type": "visualization" - }, - { - "id": "carbon_black_cloud-715f3ec0-955c-11ec-96f0-8de26c63c826", - "name": "panel_7", - "type": "visualization" - }, - { - "id": "carbon_black_cloud-cb70a610-955c-11ec-96f0-8de26c63c826", - "name": "panel_8", - "type": "visualization" - }, - { - "id": "carbon_black_cloud-0296fef0-955d-11ec-96f0-8de26c63c826", - "name": "panel_9", - "type": "visualization" - }, - { - "id": "carbon_black_cloud-28323940-955d-11ec-96f0-8de26c63c826", - "name": "panel_10", - "type": "visualization" - }, - { - "id": "carbon_black_cloud-3ea9c2a0-955e-11ec-96f0-8de26c63c826", - "name": "panel_11", - "type": "search" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.2.2/kibana/search/carbon_black_cloud-3ea9c2a0-955e-11ec-96f0-8de26c63c826.json b/packages/carbon_black_cloud/1.2.2/kibana/search/carbon_black_cloud-3ea9c2a0-955e-11ec-96f0-8de26c63c826.json deleted file mode 100755 index fde5382f93..0000000000 
--- a/packages/carbon_black_cloud/1.2.2/kibana/search/carbon_black_cloud-3ea9c2a0-955e-11ec-96f0-8de26c63c826.json +++ /dev/null @@ -1,39 +0,0 @@ -{ - "attributes": { - "columns": [ - "carbon_black_cloud.watchlist_hit.watchlists.name", - "process.command_line", - "process.parent.command_line", - "process.executable", - "process.parent.executable", - "carbon_black_cloud.watchlist_hit.ioc.id", - "carbon_black_cloud.watchlist_hit.ioc.hit" - ], - "description": "", - "grid": {}, - "hideChart": false, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset: \\\"carbon_black_cloud.watchlist_hit\\\"\"}}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "[Carbon Black Cloud] Watchlist Hit Essential Details" - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-3ea9c2a0-955e-11ec-96f0-8de26c63c826", - "migrationVersion": { - "search": "7.9.3" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.2.2/kibana/search/carbon_black_cloud-4272e690-8d71-11ec-ac12-4bc77fa14e95.json b/packages/carbon_black_cloud/1.2.2/kibana/search/carbon_black_cloud-4272e690-8d71-11ec-ac12-4bc77fa14e95.json deleted file mode 100755 index fdc104f3b2..0000000000 --- a/packages/carbon_black_cloud/1.2.2/kibana/search/carbon_black_cloud-4272e690-8d71-11ec-ac12-4bc77fa14e95.json +++ /dev/null 
@@ -1,36 +0,0 @@ -{ - "attributes": { - "columns": [ - "event.id", - "client.user.id", - "event.reason", - "client.ip" - ], - "description": "", - "grid": {}, - "hideChart": true, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.audit\\\"\"}}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "[Carbon Black Cloud] Audit Essential Details" - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-4272e690-8d71-11ec-ac12-4bc77fa14e95", - "migrationVersion": { - "search": "7.9.3" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.2.2/kibana/search/carbon_black_cloud-6494a7e0-9640-11ec-864c-3332b2a355f7.json b/packages/carbon_black_cloud/1.2.2/kibana/search/carbon_black_cloud-6494a7e0-9640-11ec-864c-3332b2a355f7.json deleted file mode 100755 index 800a5cb006..0000000000 --- a/packages/carbon_black_cloud/1.2.2/kibana/search/carbon_black_cloud-6494a7e0-9640-11ec-864c-3332b2a355f7.json +++ /dev/null 
@@ -1,39 +0,0 @@ -{ - "attributes": { - "columns": [ - "carbon_black_cloud.endpoint_event.type", - "process.command_line", - "process.parent.command_line", - "dll.path", - "carbon_black_cloud.endpoint_event.target_cmdline", - "process.executable", - "process.parent.executable" - ], - "description": "", - "grid": {}, - "hideChart": false, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.endpoint_event\\\"\"}}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "[Carbon Black Cloud] Endpoint Events Essential Details" - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-6494a7e0-9640-11ec-864c-3332b2a355f7", - "migrationVersion": { - "search": "7.9.3" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.2.2/kibana/search/carbon_black_cloud-6e41bd70-8d8d-11ec-ac12-4bc77fa14e95.json b/packages/carbon_black_cloud/1.2.2/kibana/search/carbon_black_cloud-6e41bd70-8d8d-11ec-ac12-4bc77fa14e95.json deleted file mode 100755 index 1a37e59347..0000000000 --- a/packages/carbon_black_cloud/1.2.2/kibana/search/carbon_black_cloud-6e41bd70-8d8d-11ec-ac12-4bc77fa14e95.json +++ /dev/null 
@@ -1,37 +0,0 @@ -{ - "attributes": { - "columns": [ - "event.id", - "event.reason", - "event.url", - "carbon_black_cloud.alert.threat_indicators.process_name", - "carbon_black_cloud.alert.category" - ], - "description": "", - "grid": {}, - "hideChart": true, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.alert\\\"\"}}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "[Carbon Black Cloud] Alerts Essential Details" - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-6e41bd70-8d8d-11ec-ac12-4bc77fa14e95", - "migrationVersion": { - "search": "7.9.3" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.2.2/kibana/search/carbon_black_cloud-dcc2d650-90a6-11ec-8b9d-35e42c3f7fcf.json b/packages/carbon_black_cloud/1.2.2/kibana/search/carbon_black_cloud-dcc2d650-90a6-11ec-8b9d-35e42c3f7fcf.json deleted file mode 100755 index c060c3bd41..0000000000 --- a/packages/carbon_black_cloud/1.2.2/kibana/search/carbon_black_cloud-dcc2d650-90a6-11ec-8b9d-35e42c3f7fcf.json +++ /dev/null 
@@ -1,36 +0,0 @@ -{ - "attributes": { - "columns": [ - "host.hostname", - "vulnerability.severity", - "vulnerability.score.base", - "carbon_black_cloud.asset_vulnerability_summary.vuln_count" - ], - "description": "", - "grid": {}, - "hideChart": false, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.asset_vulnerability_summary\\\"\"}}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "[Carbon Black Cloud] Asset Vulnerability Assessment Essential Details" - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-dcc2d650-90a6-11ec-8b9d-35e42c3f7fcf", - "migrationVersion": { - "search": "7.9.3" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.2.2/kibana/visualization/carbon_black_cloud-0296fef0-955d-11ec-96f0-8de26c63c826.json b/packages/carbon_black_cloud/1.2.2/kibana/visualization/carbon_black_cloud-0296fef0-955d-11ec-96f0-8de26c63c826.json deleted file mode 100755 index bf6bf9170c..0000000000 --- a/packages/carbon_black_cloud/1.2.2/kibana/visualization/carbon_black_cloud-0296fef0-955d-11ec-96f0-8de26c63c826.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.watchlist_hit\\\"\"}}" - }, - "title": "[Carbon Black Cloud] Top 10 Process Publisher State", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Process Publisher State\",\"field\":\"carbon_black_cloud.watchlist_hit.process.publisher.state\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Carbon Black Cloud] Top 10 Process Publisher State\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-0296fef0-955d-11ec-96f0-8de26c63c826", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.2.2/kibana/visualization/carbon_black_cloud-0a8f5e90-8d79-11ec-ac12-4bc77fa14e95.json b/packages/carbon_black_cloud/1.2.2/kibana/visualization/carbon_black_cloud-0a8f5e90-8d79-11ec-ac12-4bc77fa14e95.json deleted file mode 100755 index 329118ed72..0000000000 --- a/packages/carbon_black_cloud/1.2.2/kibana/visualization/carbon_black_cloud-0a8f5e90-8d79-11ec-ac12-4bc77fa14e95.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.alert\\\"\"}}" - }, - "title": "[Carbon Black Cloud] Distribution of Alerts by OS, OS version", - "uiStateJSON": "{\"vis\":{\"legendOpen\":true}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"OS\",\"field\":\"host.os.type\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"OS Version\",\"field\":\"host.os.version\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":false,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":true,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"[Carbon Black Cloud] Distribution of Alerts by OS, OS version\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-0a8f5e90-8d79-11ec-ac12-4bc77fa14e95", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } 
- ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.2.2/kibana/visualization/carbon_black_cloud-0f420ad0-8d71-11ec-ac12-4bc77fa14e95.json b/packages/carbon_black_cloud/1.2.2/kibana/visualization/carbon_black_cloud-0f420ad0-8d71-11ec-ac12-4bc77fa14e95.json deleted file mode 100755 index fb78529067..0000000000 --- a/packages/carbon_black_cloud/1.2.2/kibana/visualization/carbon_black_cloud-0f420ad0-8d71-11ec-ac12-4bc77fa14e95.json +++ /dev/null @@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.audit\\\"\"}}" - }, - "title": "[Carbon Black Cloud] Top 10 Client IPs", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Client IPs\",\"field\":\"client.ip\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Carbon Black Cloud] Top 10 Client IPs\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-0f420ad0-8d71-11ec-ac12-4bc77fa14e95", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/carbon_black_cloud/1.2.2/kibana/visualization/carbon_black_cloud-10f699d0-8d8b-11ec-ac12-4bc77fa14e95.json b/packages/carbon_black_cloud/1.2.2/kibana/visualization/carbon_black_cloud-10f699d0-8d8b-11ec-ac12-4bc77fa14e95.json deleted file mode 100755 index edfb4ab922..0000000000 --- a/packages/carbon_black_cloud/1.2.2/kibana/visualization/carbon_black_cloud-10f699d0-8d8b-11ec-ac12-4bc77fa14e95.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.alert\\\"\"}}" - }, - "title": "[Carbon Black Cloud] Distribution of Alerts by Threat Indicators TTPS", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Threat Indicators TTPS\",\"field\":\"carbon_black_cloud.alert.threat_indicators.ttps\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":200},\"position\":\"left\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"labels\":{},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"radiusRatio\":0,\"seriesParams\":[{\"circlesRadius\":1,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"normal\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"truncateLegend\":true,\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":true,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"posit
ion\":\"bottom\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"[Carbon Black Cloud] Distribution of Alerts by Threat Indicators TTPS\",\"type\":\"horizontal_bar\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-10f699d0-8d8b-11ec-ac12-4bc77fa14e95", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.2.2/kibana/visualization/carbon_black_cloud-11df3480-9630-11ec-864c-3332b2a355f7.json b/packages/carbon_black_cloud/1.2.2/kibana/visualization/carbon_black_cloud-11df3480-9630-11ec-864c-3332b2a355f7.json deleted file mode 100755 index e058315a1e..0000000000 --- a/packages/carbon_black_cloud/1.2.2/kibana/visualization/carbon_black_cloud-11df3480-9630-11ec-864c-3332b2a355f7.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.endpoint_event\\\"\"}}" - }, - "title": "[Carbon Black Cloud] Top 10 Actions", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Actions\",\"field\":\"event.action\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":200},\"position\":\"left\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"labels\":{},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"radiusRatio\":0,\"seriesParams\":[{\"circlesRadius\":1,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"normal\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"truncateLegend\":true,\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":true,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"bottom\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show
\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"[Carbon Black Cloud] Top 10 Actions\",\"type\":\"horizontal_bar\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-11df3480-9630-11ec-864c-3332b2a355f7", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.2.2/kibana/visualization/carbon_black_cloud-17537cc0-955c-11ec-96f0-8de26c63c826.json b/packages/carbon_black_cloud/1.2.2/kibana/visualization/carbon_black_cloud-17537cc0-955c-11ec-96f0-8de26c63c826.json deleted file mode 100755 index e9926e3521..0000000000 --- a/packages/carbon_black_cloud/1.2.2/kibana/visualization/carbon_black_cloud-17537cc0-955c-11ec-96f0-8de26c63c826.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset: \\\"carbon_black_cloud.watchlist_hit\\\"\"}}" - }, - "title": "[Carbon Black Cloud] Distribution of Watchlist Hit by OS", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"OS\",\"field\":\"carbon_black_cloud.watchlist_hit.device.os\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":false,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"[Carbon Black Cloud] Distribution of Watchlist Hit by OS\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-17537cc0-955c-11ec-96f0-8de26c63c826", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/carbon_black_cloud/1.2.2/kibana/visualization/carbon_black_cloud-1b554010-8d73-11ec-ac12-4bc77fa14e95.json b/packages/carbon_black_cloud/1.2.2/kibana/visualization/carbon_black_cloud-1b554010-8d73-11ec-ac12-4bc77fa14e95.json deleted file mode 100755 index 5c97a8d4eb..0000000000 --- a/packages/carbon_black_cloud/1.2.2/kibana/visualization/carbon_black_cloud-1b554010-8d73-11ec-ac12-4bc77fa14e95.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.alert\\\"\"}}" - }, - "title": "[Carbon Black Cloud] Distribution of Alerts by Severity", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Severity\",\"field\":\"event.severity\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":false,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"[Carbon Black Cloud] Distribution of Alerts by Severity\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-1b554010-8d73-11ec-ac12-4bc77fa14e95", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/carbon_black_cloud/1.2.2/kibana/visualization/carbon_black_cloud-28323940-955d-11ec-96f0-8de26c63c826.json b/packages/carbon_black_cloud/1.2.2/kibana/visualization/carbon_black_cloud-28323940-955d-11ec-96f0-8de26c63c826.json deleted file mode 100755 index 8bb3adabfb..0000000000 --- a/packages/carbon_black_cloud/1.2.2/kibana/visualization/carbon_black_cloud-28323940-955d-11ec-96f0-8de26c63c826.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.watchlist_hit\\\"\"}}" - }, - "title": "[Carbon Black Cloud] Top 10 Parent Process Publisher State", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Parent Process Publisher State\",\"field\":\"carbon_black_cloud.watchlist_hit.process.parent.publisher.state\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Carbon Black Cloud] Top 10 Parent Process Publisher State\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-28323940-955d-11ec-96f0-8de26c63c826", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.2.2/kibana/visualization/carbon_black_cloud-2be6ad50-962f-11ec-864c-3332b2a355f7.json b/packages/carbon_black_cloud/1.2.2/kibana/visualization/carbon_black_cloud-2be6ad50-962f-11ec-864c-3332b2a355f7.json deleted file mode 100755 index 7bec55f465..0000000000 
--- a/packages/carbon_black_cloud/1.2.2/kibana/visualization/carbon_black_cloud-2be6ad50-962f-11ec-864c-3332b2a355f7.json +++ /dev/null @@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.endpoint_event\\\"\"}}" - }, - "title": "[Carbon Black Cloud] Top 10 Child Process Username", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Child Process Username\",\"field\":\"carbon_black_cloud.endpoint_event.childproc.username\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":9},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Carbon Black Cloud] Top 10 Child Process Username\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-2be6ad50-962f-11ec-864c-3332b2a355f7", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.2.2/kibana/visualization/carbon_black_cloud-2d1eedf0-9629-11ec-8b9d-35e42c3f7fcf.json b/packages/carbon_black_cloud/1.2.2/kibana/visualization/carbon_black_cloud-2d1eedf0-9629-11ec-8b9d-35e42c3f7fcf.json deleted file mode 100755 index e4b7fe64f8..0000000000 
--- a/packages/carbon_black_cloud/1.2.2/kibana/visualization/carbon_black_cloud-2d1eedf0-9629-11ec-8b9d-35e42c3f7fcf.json +++ /dev/null @@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.asset_vulnerability_summary\\\"\"}}" - }, - "title": "[Carbon Black Cloud] Distribution of Asset Vulnerability Summary by Type", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Type\",\"field\":\"carbon_black_cloud.asset_vulnerability_summary.type\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":false,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"[Carbon Black Cloud] Distribution of Asset Vulnerability Summary by Type\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-2d1eedf0-9629-11ec-8b9d-35e42c3f7fcf", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/carbon_black_cloud/1.2.2/kibana/visualization/carbon_black_cloud-2d324250-963e-11ec-864c-3332b2a355f7.json b/packages/carbon_black_cloud/1.2.2/kibana/visualization/carbon_black_cloud-2d324250-963e-11ec-864c-3332b2a355f7.json deleted file mode 100755 index 6b1cb56ea0..0000000000 --- a/packages/carbon_black_cloud/1.2.2/kibana/visualization/carbon_black_cloud-2d324250-963e-11ec-864c-3332b2a355f7.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.endpoint_event\\\"\"}}" - }, - "title": "[Carbon Black Cloud] Distribution of Endpoint Events by Event Origin", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Event Origin\",\"field\":\"carbon_black_cloud.endpoint_event.event_origin\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":200},\"position\":\"left\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"labels\":{},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"radiusRatio\":0,\"seriesParams\":[{\"circlesRadius\":1,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"normal\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"truncateLegend\":true,\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":true,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"bottom\",\"scale\":{
\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"\"},\"type\":\"value\"}]},\"title\":\"[Carbon Black Cloud] Distribution of Endpoint Events by Event Origin\",\"type\":\"horizontal_bar\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-2d324250-963e-11ec-864c-3332b2a355f7", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.2.2/kibana/visualization/carbon_black_cloud-2eafd430-8d83-11ec-ac12-4bc77fa14e95.json b/packages/carbon_black_cloud/1.2.2/kibana/visualization/carbon_black_cloud-2eafd430-8d83-11ec-ac12-4bc77fa14e95.json deleted file mode 100755 index c59f3f2623..0000000000 --- a/packages/carbon_black_cloud/1.2.2/kibana/visualization/carbon_black_cloud-2eafd430-8d83-11ec-ac12-4bc77fa14e95.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.alert\\\"\"}}" - }, - "title": "[Carbon Black Cloud] Distribution of Alerts by Category of the Threat Cause", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Category of the Threat Cause\",\"field\":\"carbon_black_cloud.alert.threat_cause.threat_category\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":200},\"position\":\"left\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"labels\":{},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"radiusRatio\":0,\"seriesParams\":[{\"circlesRadius\":1,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"normal\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"truncateLegend\":true,\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":true,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"Le
ftAxis-1\",\"position\":\"bottom\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"[Carbon Black Cloud] Distribution of Alerts by Category of the Threat Cause\",\"type\":\"horizontal_bar\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-2eafd430-8d83-11ec-ac12-4bc77fa14e95", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.2.2/kibana/visualization/carbon_black_cloud-3aa59c50-955a-11ec-96f0-8de26c63c826.json b/packages/carbon_black_cloud/1.2.2/kibana/visualization/carbon_black_cloud-3aa59c50-955a-11ec-96f0-8de26c63c826.json deleted file mode 100755 index 0a01e78828..0000000000 --- a/packages/carbon_black_cloud/1.2.2/kibana/visualization/carbon_black_cloud-3aa59c50-955a-11ec-96f0-8de26c63c826.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset: \\\"carbon_black_cloud.watchlist_hit\\\"\"}}" - }, - "title": "[Carbon Black Cloud] Top 10 Process Publisher Name", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Process Publisher Name\",\"field\":\"carbon_black_cloud.watchlist_hit.process.publisher.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Carbon Black Cloud] Top 10 Process Publisher Name\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-3aa59c50-955a-11ec-96f0-8de26c63c826", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.2.2/kibana/visualization/carbon_black_cloud-3afe1750-9630-11ec-864c-3332b2a355f7.json b/packages/carbon_black_cloud/1.2.2/kibana/visualization/carbon_black_cloud-3afe1750-9630-11ec-864c-3332b2a355f7.json deleted file mode 100755 index 682f389163..0000000000 --- a/packages/carbon_black_cloud/1.2.2/kibana/visualization/carbon_black_cloud-3afe1750-9630-11ec-864c-3332b2a355f7.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.endpoint_event\\\"\"}}" - }, - "title": "[Carbon Black Cloud] Distribution of Endpoint Events by OS", - "uiStateJSON": "{\"vis\":{\"legendOpen\":true}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Device OS\",\"field\":\"carbon_black_cloud.endpoint_event.device.os\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":false,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"[Carbon Black Cloud] Distribution of Endpoint Events by OS\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-3afe1750-9630-11ec-864c-3332b2a355f7", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/carbon_black_cloud/1.2.2/kibana/visualization/carbon_black_cloud-4dc9e690-955c-11ec-96f0-8de26c63c826.json b/packages/carbon_black_cloud/1.2.2/kibana/visualization/carbon_black_cloud-4dc9e690-955c-11ec-96f0-8de26c63c826.json deleted file mode 100755 index 7af6d5ad55..0000000000 --- a/packages/carbon_black_cloud/1.2.2/kibana/visualization/carbon_black_cloud-4dc9e690-955c-11ec-96f0-8de26c63c826.json +++ /dev/null @@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset: \\\"carbon_black_cloud.watchlist_hit\\\"\"}}" - }, - "title": "[Carbon Black Cloud] Top 10 IOC Hits", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"IOC Hit\",\"field\":\"carbon_black_cloud.watchlist_hit.ioc.hit\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Carbon Black Cloud] Top 10 IOC Hits\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-4dc9e690-955c-11ec-96f0-8de26c63c826", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/carbon_black_cloud/1.2.2/kibana/visualization/carbon_black_cloud-52fde850-8d73-11ec-ac12-4bc77fa14e95.json b/packages/carbon_black_cloud/1.2.2/kibana/visualization/carbon_black_cloud-52fde850-8d73-11ec-ac12-4bc77fa14e95.json deleted file mode 100755 index 1c116157a2..0000000000 --- a/packages/carbon_black_cloud/1.2.2/kibana/visualization/carbon_black_cloud-52fde850-8d73-11ec-ac12-4bc77fa14e95.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.alert\\\"\"}}" - }, - "title": "[Carbon Black Cloud] Distribution of Alerts by Category", - "uiStateJSON": "{\"vis\":{\"legendOpen\":true}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Category\",\"field\":\"carbon_black_cloud.alert.category\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":false,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"[Carbon Black Cloud] Distribution of Alerts by Category\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-52fde850-8d73-11ec-ac12-4bc77fa14e95", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/carbon_black_cloud/1.2.2/kibana/visualization/carbon_black_cloud-53d65ef0-962f-11ec-864c-3332b2a355f7.json b/packages/carbon_black_cloud/1.2.2/kibana/visualization/carbon_black_cloud-53d65ef0-962f-11ec-864c-3332b2a355f7.json deleted file mode 100755 index 3ced47d3fe..0000000000 --- a/packages/carbon_black_cloud/1.2.2/kibana/visualization/carbon_black_cloud-53d65ef0-962f-11ec-864c-3332b2a355f7.json +++ /dev/null @@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.endpoint_event\\\"\"}}" - }, - "title": "[Carbon Black Cloud] Top 10 Process Publisher State", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Process Publisher State\",\"field\":\"carbon_black_cloud.endpoint_event.process.publisher.state\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Carbon Black Cloud] Top 10 Process Publisher State\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-53d65ef0-962f-11ec-864c-3332b2a355f7", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/carbon_black_cloud/1.2.2/kibana/visualization/carbon_black_cloud-56130b90-954a-11ec-8b9d-35e42c3f7fcf.json b/packages/carbon_black_cloud/1.2.2/kibana/visualization/carbon_black_cloud-56130b90-954a-11ec-8b9d-35e42c3f7fcf.json deleted file mode 100755 index 60cf2f819b..0000000000 --- a/packages/carbon_black_cloud/1.2.2/kibana/visualization/carbon_black_cloud-56130b90-954a-11ec-8b9d-35e42c3f7fcf.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.asset_vulnerability_summary\\\"\"}}" - }, - "title": "Distribution of Asset Vulnerability Summary by OS Type, OS Version", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"OS Type\",\"field\":\"host.os.type\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"OS Version\",\"field\":\"host.os.version\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":false,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"row\":true,\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"Distribution of Asset Vulnerability Summary by OS Type, OS Version\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-56130b90-954a-11ec-8b9d-35e42c3f7fcf", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - 
], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.2.2/kibana/visualization/carbon_black_cloud-5c122d10-8d83-11ec-ac12-4bc77fa14e95.json b/packages/carbon_black_cloud/1.2.2/kibana/visualization/carbon_black_cloud-5c122d10-8d83-11ec-ac12-4bc77fa14e95.json deleted file mode 100755 index 811d8c6112..0000000000 --- a/packages/carbon_black_cloud/1.2.2/kibana/visualization/carbon_black_cloud-5c122d10-8d83-11ec-ac12-4bc77fa14e95.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.alert\\\"\"}}" - }, - "title": "[Carbon Black Cloud] Distribution of Alerts by Source of the Threat Cause", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Source of the Threat Cause\",\"field\":\"carbon_black_cloud.alert.threat_cause.vector\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":200},\"position\":\"left\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"labels\":{},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"radiusRatio\":0,\"seriesParams\":[{\"circlesRadius\":1,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"normal\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"truncateLegend\":true,\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":true,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"
position\":\"bottom\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"[Carbon Black Cloud] Distribution of Alerts by Source of the Threat Cause\",\"type\":\"horizontal_bar\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-5c122d10-8d83-11ec-ac12-4bc77fa14e95", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.2.2/kibana/visualization/carbon_black_cloud-5c6ce550-8d85-11ec-ac12-4bc77fa14e95.json b/packages/carbon_black_cloud/1.2.2/kibana/visualization/carbon_black_cloud-5c6ce550-8d85-11ec-ac12-4bc77fa14e95.json deleted file mode 100755 index e390c83ecc..0000000000 --- a/packages/carbon_black_cloud/1.2.2/kibana/visualization/carbon_black_cloud-5c6ce550-8d85-11ec-ac12-4bc77fa14e95.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.alert\\\"\"}}" - }, - "title": "[Carbon Black Cloud] Distribution of Alerts by IOC field", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"IOC Field\",\"field\":\"carbon_black_cloud.alert.ioc.field\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":200},\"position\":\"left\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"labels\":{},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"radiusRatio\":0,\"seriesParams\":[{\"circlesRadius\":1,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"normal\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"truncateLegend\":true,\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":true,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"bottom\",\"scale\":{\"mode\":\"
normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"[Carbon Black Cloud] Distribution of Alerts by IOC field\",\"type\":\"horizontal_bar\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-5c6ce550-8d85-11ec-ac12-4bc77fa14e95", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.2.2/kibana/visualization/carbon_black_cloud-68a6c080-954a-11ec-8b9d-35e42c3f7fcf.json b/packages/carbon_black_cloud/1.2.2/kibana/visualization/carbon_black_cloud-68a6c080-954a-11ec-8b9d-35e42c3f7fcf.json deleted file mode 100755 index 02160d4bea..0000000000 --- a/packages/carbon_black_cloud/1.2.2/kibana/visualization/carbon_black_cloud-68a6c080-954a-11ec-8b9d-35e42c3f7fcf.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.asset_vulnerability_summary\\\"\"}}" - }, - "title": "Top 10 OS Names", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"OS Names\",\"field\":\"host.os.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"row\":false,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"Top 10 OS Names\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-68a6c080-954a-11ec-8b9d-35e42c3f7fcf", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.2.2/kibana/visualization/carbon_black_cloud-6bfd1770-954a-11ec-8b9d-35e42c3f7fcf.json b/packages/carbon_black_cloud/1.2.2/kibana/visualization/carbon_black_cloud-6bfd1770-954a-11ec-8b9d-35e42c3f7fcf.json deleted file mode 100755 index 6c64141f00..0000000000 --- a/packages/carbon_black_cloud/1.2.2/kibana/visualization/carbon_black_cloud-6bfd1770-954a-11ec-8b9d-35e42c3f7fcf.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.asset_vulnerability_summary\\\"\"}}" - }, - "title": "Top 10 Hosts with Highest Vulnerability Count", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Vulnerability Count\",\"field\":\"carbon_black_cloud.asset_vulnerability_summary.vuln_count\"},\"schema\":\"metric\",\"type\":\"max\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Hostname\",\"field\":\"host.hostname\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"Top 10 Hosts with Highest Vulnerability Count\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-6bfd1770-954a-11ec-8b9d-35e42c3f7fcf", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.2.2/kibana/visualization/carbon_black_cloud-6efc6240-8d8a-11ec-ac12-4bc77fa14e95.json b/packages/carbon_black_cloud/1.2.2/kibana/visualization/carbon_black_cloud-6efc6240-8d8a-11ec-ac12-4bc77fa14e95.json deleted file mode 100755 index 630d474e6e..0000000000 
--- a/packages/carbon_black_cloud/1.2.2/kibana/visualization/carbon_black_cloud-6efc6240-8d8a-11ec-ac12-4bc77fa14e95.json +++ /dev/null @@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.alert\\\"\"}}" - }, - "title": "[Carbon Black Cloud] Distribution of Alerts by Workflow State", - "uiStateJSON": "{\"vis\":{\"legendOpen\":true}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Workflow State\",\"field\":\"carbon_black_cloud.alert.workflow.state\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":false,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"[Carbon Black Cloud] Distribution of Alerts by Workflow State\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-6efc6240-8d8a-11ec-ac12-4bc77fa14e95", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/carbon_black_cloud/1.2.2/kibana/visualization/carbon_black_cloud-6fcd17f0-955a-11ec-96f0-8de26c63c826.json b/packages/carbon_black_cloud/1.2.2/kibana/visualization/carbon_black_cloud-6fcd17f0-955a-11ec-96f0-8de26c63c826.json deleted file mode 100755 index 228daf684c..0000000000 --- a/packages/carbon_black_cloud/1.2.2/kibana/visualization/carbon_black_cloud-6fcd17f0-955a-11ec-96f0-8de26c63c826.json +++ /dev/null @@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset: \\\"carbon_black_cloud.watchlist_hit\\\"\"}}" - }, - "title": "[Carbon Black Cloud] Top 10 Parent Process Publisher Names", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Parent Process Publisher Name\",\"field\":\"carbon_black_cloud.watchlist_hit.process.parent.publisher.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Carbon Black Cloud] Top 10 Parent Process Publisher Names\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-6fcd17f0-955a-11ec-96f0-8de26c63c826", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/carbon_black_cloud/1.2.2/kibana/visualization/carbon_black_cloud-70cdb250-954a-11ec-8b9d-35e42c3f7fcf.json b/packages/carbon_black_cloud/1.2.2/kibana/visualization/carbon_black_cloud-70cdb250-954a-11ec-8b9d-35e42c3f7fcf.json deleted file mode 100755 index 1bd12c5d2e..0000000000 --- a/packages/carbon_black_cloud/1.2.2/kibana/visualization/carbon_black_cloud-70cdb250-954a-11ec-8b9d-35e42c3f7fcf.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.asset_vulnerability_summary\\\"\"}}" - }, - "title": "Distribution of Asset Vulnerability Summary by Severity", - "uiStateJSON": "{\"vis\":{\"legendOpen\":false}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Severity\",\"field\":\"vulnerability.severity\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":false,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"Distribution of Asset Vulnerability Summary by Severity\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-70cdb250-954a-11ec-8b9d-35e42c3f7fcf", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/carbon_black_cloud/1.2.2/kibana/visualization/carbon_black_cloud-71058370-e323-11ec-8642-e7f3d8b25a9b.json b/packages/carbon_black_cloud/1.2.2/kibana/visualization/carbon_black_cloud-71058370-e323-11ec-8642-e7f3d8b25a9b.json deleted file mode 100755 index 0919e5e20a..0000000000 --- a/packages/carbon_black_cloud/1.2.2/kibana/visualization/carbon_black_cloud-71058370-e323-11ec-8642-e7f3d8b25a9b.json +++ /dev/null @@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.alert\\\"\"}}" - }, - "title": "[Carbon Black Cloud] Top 10 Threat Cause Actor Name", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Threat Cause Actor Name\",\"field\":\"carbon_black_cloud.alert.threat_cause.actor.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Carbon Black Cloud] Top 10 Threat Cause Actor Name\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-71058370-e323-11ec-8642-e7f3d8b25a9b", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/carbon_black_cloud/1.2.2/kibana/visualization/carbon_black_cloud-715f3ec0-955c-11ec-96f0-8de26c63c826.json b/packages/carbon_black_cloud/1.2.2/kibana/visualization/carbon_black_cloud-715f3ec0-955c-11ec-96f0-8de26c63c826.json deleted file mode 100755 index 0a3d26dad2..0000000000 --- a/packages/carbon_black_cloud/1.2.2/kibana/visualization/carbon_black_cloud-715f3ec0-955c-11ec-96f0-8de26c63c826.json +++ /dev/null @@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset: \\\"carbon_black_cloud.watchlist_hit\\\"\"}}" - }, - "title": "[Carbon Black Cloud] Top 10 Report Names", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Report Name\",\"field\":\"carbon_black_cloud.watchlist_hit.report.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Carbon Black Cloud] Top 10 Report Names\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-715f3ec0-955c-11ec-96f0-8de26c63c826", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/carbon_black_cloud/1.2.2/kibana/visualization/carbon_black_cloud-750fefe0-954a-11ec-8b9d-35e42c3f7fcf.json b/packages/carbon_black_cloud/1.2.2/kibana/visualization/carbon_black_cloud-750fefe0-954a-11ec-8b9d-35e42c3f7fcf.json deleted file mode 100755 index 6e873422cb..0000000000 --- a/packages/carbon_black_cloud/1.2.2/kibana/visualization/carbon_black_cloud-750fefe0-954a-11ec-8b9d-35e42c3f7fcf.json +++ /dev/null @@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.asset_vulnerability_summary\\\"\"}}" - }, - "title": "Top 10 Hosts with Highest Risk Score", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Risk Score\",\"field\":\"vulnerability.score.base\"},\"schema\":\"metric\",\"type\":\"max\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Hostname\",\"field\":\"host.hostname\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"Top 10 Hosts with Highest Risk Score\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-750fefe0-954a-11ec-8b9d-35e42c3f7fcf", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/carbon_black_cloud/1.2.2/kibana/visualization/carbon_black_cloud-76fe1db0-962e-11ec-864c-3332b2a355f7.json b/packages/carbon_black_cloud/1.2.2/kibana/visualization/carbon_black_cloud-76fe1db0-962e-11ec-864c-3332b2a355f7.json deleted file mode 100755 index 48a0ff614a..0000000000 --- a/packages/carbon_black_cloud/1.2.2/kibana/visualization/carbon_black_cloud-76fe1db0-962e-11ec-864c-3332b2a355f7.json +++ /dev/null @@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.endpoint_event\\\"\"}}" - }, - "title": "[Carbon Black Cloud] Top 10 Process Publisher Name", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Process Publisher Name\",\"field\":\"carbon_black_cloud.endpoint_event.process.publisher.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Carbon Black Cloud] Top 10 Process Publisher Name\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-76fe1db0-962e-11ec-864c-3332b2a355f7", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/carbon_black_cloud/1.2.2/kibana/visualization/carbon_black_cloud-792a3310-954a-11ec-8b9d-35e42c3f7fcf.json b/packages/carbon_black_cloud/1.2.2/kibana/visualization/carbon_black_cloud-792a3310-954a-11ec-8b9d-35e42c3f7fcf.json deleted file mode 100755 index b549ad14a1..0000000000 --- a/packages/carbon_black_cloud/1.2.2/kibana/visualization/carbon_black_cloud-792a3310-954a-11ec-8b9d-35e42c3f7fcf.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.asset_vulnerability_summary\\\"\"}}" - }, - "title": "Distribution of Asset Vulnerability Summary by Sync Type", - "uiStateJSON": "{\"vis\":{\"legendOpen\":false}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Sync type\",\"field\":\"carbon_black_cloud.asset_vulnerability_summary.sync.type\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":false,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"Distribution of Asset Vulnerability Summary by Sync Type\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-792a3310-954a-11ec-8b9d-35e42c3f7fcf", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/carbon_black_cloud/1.2.2/kibana/visualization/carbon_black_cloud-7a6261e0-962f-11ec-864c-3332b2a355f7.json b/packages/carbon_black_cloud/1.2.2/kibana/visualization/carbon_black_cloud-7a6261e0-962f-11ec-864c-3332b2a355f7.json deleted file mode 100755 index 116934a90e..0000000000 --- a/packages/carbon_black_cloud/1.2.2/kibana/visualization/carbon_black_cloud-7a6261e0-962f-11ec-864c-3332b2a355f7.json +++ /dev/null @@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.endpoint_event\\\"\"}}" - }, - "title": "[Carbon Black Cloud] Top 10 Child Process Publisher State", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Child Process Publisher State\",\"field\":\"carbon_black_cloud.endpoint_event.childproc.publisher.state\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Carbon Black Cloud] Top 10 Child Process Publisher State\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-7a6261e0-962f-11ec-864c-3332b2a355f7", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/carbon_black_cloud/1.2.2/kibana/visualization/carbon_black_cloud-7caf3b20-954a-11ec-8b9d-35e42c3f7fcf.json b/packages/carbon_black_cloud/1.2.2/kibana/visualization/carbon_black_cloud-7caf3b20-954a-11ec-8b9d-35e42c3f7fcf.json deleted file mode 100755 index ebce21d74d..0000000000 --- a/packages/carbon_black_cloud/1.2.2/kibana/visualization/carbon_black_cloud-7caf3b20-954a-11ec-8b9d-35e42c3f7fcf.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.asset_vulnerability_summary\\\"\"}}" - }, - "title": "Distribution of Asset Vulnerability Summary by Sync Status", - "uiStateJSON": "{\"vis\":{\"legendOpen\":false}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Sync Status\",\"field\":\"carbon_black_cloud.asset_vulnerability_summary.sync.status\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":false,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"Distribution of Asset Vulnerability Summary by Sync Status\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-7caf3b20-954a-11ec-8b9d-35e42c3f7fcf", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/carbon_black_cloud/1.2.2/kibana/visualization/carbon_black_cloud-89932a20-8d86-11ec-ac12-4bc77fa14e95.json b/packages/carbon_black_cloud/1.2.2/kibana/visualization/carbon_black_cloud-89932a20-8d86-11ec-ac12-4bc77fa14e95.json deleted file mode 100755 index 5d57824451..0000000000 --- a/packages/carbon_black_cloud/1.2.2/kibana/visualization/carbon_black_cloud-89932a20-8d86-11ec-ac12-4bc77fa14e95.json +++ /dev/null @@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.alert\\\"\"}}" - }, - "title": "[Carbon Black Cloud] Top 10 IOC Hit", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"IOC Hit\",\"field\":\"carbon_black_cloud.alert.ioc.hit\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Carbon Black Cloud] Top 10 IOC Hit\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-89932a20-8d86-11ec-ac12-4bc77fa14e95", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/carbon_black_cloud/1.2.2/kibana/visualization/carbon_black_cloud-8af47260-8d87-11ec-ac12-4bc77fa14e95.json b/packages/carbon_black_cloud/1.2.2/kibana/visualization/carbon_black_cloud-8af47260-8d87-11ec-ac12-4bc77fa14e95.json deleted file mode 100755 index dd5f86134d..0000000000 --- a/packages/carbon_black_cloud/1.2.2/kibana/visualization/carbon_black_cloud-8af47260-8d87-11ec-ac12-4bc77fa14e95.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.alert\\\"\"}}" - }, - "title": "[Carbon Black Cloud] Distribution of Alerts by Watchlist Hit", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Watchlist Hit\",\"field\":\"carbon_black_cloud.alert.watchlists.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":200},\"position\":\"left\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"labels\":{},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"radiusRatio\":0,\"seriesParams\":[{\"circlesRadius\":1,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"normal\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"truncateLegend\":true,\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":true,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"bottom\",\"scale\
":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"[Carbon Black Cloud] Distribution of Alerts by Watchlist Hit\",\"type\":\"horizontal_bar\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-8af47260-8d87-11ec-ac12-4bc77fa14e95", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.2.2/kibana/visualization/carbon_black_cloud-906f65c0-8d81-11ec-ac12-4bc77fa14e95.json b/packages/carbon_black_cloud/1.2.2/kibana/visualization/carbon_black_cloud-906f65c0-8d81-11ec-ac12-4bc77fa14e95.json deleted file mode 100755 index 60669ee962..0000000000 --- a/packages/carbon_black_cloud/1.2.2/kibana/visualization/carbon_black_cloud-906f65c0-8d81-11ec-ac12-4bc77fa14e95.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.alert\\\"\"}}" - }, - "title": "[Carbon Black Cloud] Distribution of Alerts by Threat Cause Reputation", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Threat Cause Reputation\",\"field\":\"carbon_black_cloud.alert.threat_cause.reputation\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":200},\"position\":\"left\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"labels\":{},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"radiusRatio\":0,\"seriesParams\":[{\"circlesRadius\":1,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"normal\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"truncateLegend\":true,\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":true,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"po
sition\":\"bottom\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"[Carbon Black Cloud] Distribution of Alerts by Threat Cause Reputation\",\"type\":\"horizontal_bar\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-906f65c0-8d81-11ec-ac12-4bc77fa14e95", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.2.2/kibana/visualization/carbon_black_cloud-928cff80-8d8a-11ec-ac12-4bc77fa14e95.json b/packages/carbon_black_cloud/1.2.2/kibana/visualization/carbon_black_cloud-928cff80-8d8a-11ec-ac12-4bc77fa14e95.json deleted file mode 100755 index 19ad6bf381..0000000000 --- a/packages/carbon_black_cloud/1.2.2/kibana/visualization/carbon_black_cloud-928cff80-8d8a-11ec-ac12-4bc77fa14e95.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.alert\\\"\"}}" - }, - "title": "[Carbon Black Cloud] Top 10 Threat Indicators Process Name", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Threat Indicators Process Name\",\"field\":\"carbon_black_cloud.alert.threat_indicators.process_name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Carbon Black Cloud] Top 10 Threat Indicators Process Name\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-928cff80-8d8a-11ec-ac12-4bc77fa14e95", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.2.2/kibana/visualization/carbon_black_cloud-949c1d00-9628-11ec-864c-3332b2a355f7.json b/packages/carbon_black_cloud/1.2.2/kibana/visualization/carbon_black_cloud-949c1d00-9628-11ec-864c-3332b2a355f7.json deleted file mode 100755 index 7992c14128..0000000000 
--- a/packages/carbon_black_cloud/1.2.2/kibana/visualization/carbon_black_cloud-949c1d00-9628-11ec-864c-3332b2a355f7.json +++ /dev/null @@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.endpoint_event\\\"\"}}" - }, - "title": "[Carbon Black Cloud] Top 10 Devices", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Device Name\",\"field\":\"host.hostname\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Carbon Black Cloud] Top 10 Devices\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-949c1d00-9628-11ec-864c-3332b2a355f7", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.2.2/kibana/visualization/carbon_black_cloud-97ab53f0-8d84-11ec-ac12-4bc77fa14e95.json b/packages/carbon_black_cloud/1.2.2/kibana/visualization/carbon_black_cloud-97ab53f0-8d84-11ec-ac12-4bc77fa14e95.json deleted file mode 100755 index ebcc102bf4..0000000000 
--- a/packages/carbon_black_cloud/1.2.2/kibana/visualization/carbon_black_cloud-97ab53f0-8d84-11ec-ac12-4bc77fa14e95.json +++ /dev/null @@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.alert\\\"\"}}" - }, - "title": "[Carbon Black Cloud] Distribution of Alerts by Run State", - "uiStateJSON": "{\"vis\":{\"legendOpen\":true}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Run State\",\"field\":\"carbon_black_cloud.alert.run_state\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":false,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"[Carbon Black Cloud] Distribution of Alerts by Run State\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-97ab53f0-8d84-11ec-ac12-4bc77fa14e95", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/carbon_black_cloud/1.2.2/kibana/visualization/carbon_black_cloud-993b8650-8d83-11ec-ac12-4bc77fa14e95.json b/packages/carbon_black_cloud/1.2.2/kibana/visualization/carbon_black_cloud-993b8650-8d83-11ec-ac12-4bc77fa14e95.json deleted file mode 100755 index bf3592d08f..0000000000 --- a/packages/carbon_black_cloud/1.2.2/kibana/visualization/carbon_black_cloud-993b8650-8d83-11ec-ac12-4bc77fa14e95.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.alert\\\"\"}}" - }, - "title": "[Carbon Black Cloud] Distribution of Alerts by Blocked Threat Category", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Blocked Threat Category\",\"field\":\"carbon_black_cloud.alert.blocked_threat_category\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":200},\"position\":\"left\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"labels\":{},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"radiusRatio\":0,\"seriesParams\":[{\"circlesRadius\":1,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"normal\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"truncateLegend\":true,\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":true,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"po
sition\":\"bottom\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"[Carbon Black Cloud] Distribution of Alerts by Blocked Threat Category\",\"type\":\"horizontal_bar\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-993b8650-8d83-11ec-ac12-4bc77fa14e95", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.2.2/kibana/visualization/carbon_black_cloud-9a533f40-8d80-11ec-ac12-4bc77fa14e95.json b/packages/carbon_black_cloud/1.2.2/kibana/visualization/carbon_black_cloud-9a533f40-8d80-11ec-ac12-4bc77fa14e95.json deleted file mode 100755 index 1025e00226..0000000000 --- a/packages/carbon_black_cloud/1.2.2/kibana/visualization/carbon_black_cloud-9a533f40-8d80-11ec-ac12-4bc77fa14e95.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.alert\\\"\"}}" - }, - "title": "[Carbon Black Cloud] Distribution of Alerts by Sensor Action", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Sensor Action\",\"field\":\"carbon_black_cloud.alert.sensor_action\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":200},\"position\":\"left\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"labels\":{},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"radiusRatio\":0,\"seriesParams\":[{\"circlesRadius\":1,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"normal\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"truncateLegend\":true,\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":true,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"bottom\",\"scale\":
{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"[Carbon Black Cloud] Distribution of Alerts by Sensor Action\",\"type\":\"horizontal_bar\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-9a533f40-8d80-11ec-ac12-4bc77fa14e95", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.2.2/kibana/visualization/carbon_black_cloud-a5d6fa30-8d8c-11ec-ac12-4bc77fa14e95.json b/packages/carbon_black_cloud/1.2.2/kibana/visualization/carbon_black_cloud-a5d6fa30-8d8c-11ec-ac12-4bc77fa14e95.json deleted file mode 100755 index c4ce665f33..0000000000 --- a/packages/carbon_black_cloud/1.2.2/kibana/visualization/carbon_black_cloud-a5d6fa30-8d8c-11ec-ac12-4bc77fa14e95.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.alert\\\"\"}}" - }, - "title": "[Carbon Black Cloud] Top 10 Device Username", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Username\",\"field\":\"user.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Carbon Black Cloud] Top 10 Device Username\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-a5d6fa30-8d8c-11ec-ac12-4bc77fa14e95", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.2.2/kibana/visualization/carbon_black_cloud-a6d2a900-8d70-11ec-ac12-4bc77fa14e95.json b/packages/carbon_black_cloud/1.2.2/kibana/visualization/carbon_black_cloud-a6d2a900-8d70-11ec-ac12-4bc77fa14e95.json deleted file mode 100755 index 7db345ec9b..0000000000 --- a/packages/carbon_black_cloud/1.2.2/kibana/visualization/carbon_black_cloud-a6d2a900-8d70-11ec-ac12-4bc77fa14e95.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.audit\\\"\"}}" - }, - "title": "[Carbon Black Cloud] Distribution of Audit Logs by Flag Status", - "uiStateJSON": "{\"vis\":{\"legendOpen\":true}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Flagged\",\"field\":\"carbon_black_cloud.audit.flagged\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":false,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"[Carbon Black Cloud] Distribution of Audit Logs by Flag Status\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-a6d2a900-8d70-11ec-ac12-4bc77fa14e95", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/carbon_black_cloud/1.2.2/kibana/visualization/carbon_black_cloud-a7ce1420-9630-11ec-864c-3332b2a355f7.json b/packages/carbon_black_cloud/1.2.2/kibana/visualization/carbon_black_cloud-a7ce1420-9630-11ec-864c-3332b2a355f7.json deleted file mode 100755 index 37864260d1..0000000000 --- a/packages/carbon_black_cloud/1.2.2/kibana/visualization/carbon_black_cloud-a7ce1420-9630-11ec-864c-3332b2a355f7.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.endpoint_event\\\"\"}}" - }, - "title": "[Carbon Black Cloud] Top 10 Effective reputation of the loaded modules", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Effective Reputation of Loaded Modules\",\"field\":\"carbon_black_cloud.endpoint_event.modload.effective_reputation\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Carbon Black Cloud] Top 10 Effective reputation of the loaded modules\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-a7ce1420-9630-11ec-864c-3332b2a355f7", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.2.2/kibana/visualization/carbon_black_cloud-ae34ca40-962e-11ec-864c-3332b2a355f7.json b/packages/carbon_black_cloud/1.2.2/kibana/visualization/carbon_black_cloud-ae34ca40-962e-11ec-864c-3332b2a355f7.json deleted file mode 100755 index cf20544145..0000000000 
--- a/packages/carbon_black_cloud/1.2.2/kibana/visualization/carbon_black_cloud-ae34ca40-962e-11ec-864c-3332b2a355f7.json +++ /dev/null @@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.endpoint_event\\\"\"}}" - }, - "title": "[Carbon Black Cloud] Top 10 Child Process Publisher Name", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Child Process Publisher Name\",\"field\":\"carbon_black_cloud.endpoint_event.childproc.publisher.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":8},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Carbon Black Cloud] Top 10 Child Process Publisher Name\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-ae34ca40-962e-11ec-864c-3332b2a355f7", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.2.2/kibana/visualization/carbon_black_cloud-bb323db0-955a-11ec-96f0-8de26c63c826.json b/packages/carbon_black_cloud/1.2.2/kibana/visualization/carbon_black_cloud-bb323db0-955a-11ec-96f0-8de26c63c826.json deleted file mode 100755 index dd2d0ee97a..0000000000 
--- a/packages/carbon_black_cloud/1.2.2/kibana/visualization/carbon_black_cloud-bb323db0-955a-11ec-96f0-8de26c63c826.json +++ /dev/null @@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset: \\\"carbon_black_cloud.watchlist_hit\\\"\"}}" - }, - "title": "[Carbon Black Cloud] Top 10 Process Usernames", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Process Username\",\"field\":\"carbon_black_cloud.watchlist_hit.process.username\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Carbon Black Cloud] Top 10 Process Usernames\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-bb323db0-955a-11ec-96f0-8de26c63c826", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.2.2/kibana/visualization/carbon_black_cloud-c3786990-9555-11ec-96f0-8de26c63c826.json b/packages/carbon_black_cloud/1.2.2/kibana/visualization/carbon_black_cloud-c3786990-9555-11ec-96f0-8de26c63c826.json deleted file mode 100755 index bb4fb20b4b..0000000000 
--- a/packages/carbon_black_cloud/1.2.2/kibana/visualization/carbon_black_cloud-c3786990-9555-11ec-96f0-8de26c63c826.json +++ /dev/null @@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.watchlist_hit\\\"\"}}" - }, - "title": "[Carbon Black Cloud] Top 10 Device Names", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Device Name\",\"field\":\"host.hostname\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Carbon Black Cloud] Top 10 Device Names\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-c3786990-9555-11ec-96f0-8de26c63c826", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.2.2/kibana/visualization/carbon_black_cloud-c6cfa8d0-962f-11ec-864c-3332b2a355f7.json b/packages/carbon_black_cloud/1.2.2/kibana/visualization/carbon_black_cloud-c6cfa8d0-962f-11ec-864c-3332b2a355f7.json deleted file mode 100755 index 3a76cb6cae..0000000000 
--- a/packages/carbon_black_cloud/1.2.2/kibana/visualization/carbon_black_cloud-c6cfa8d0-962f-11ec-864c-3332b2a355f7.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.endpoint_event\\\"\"}}" - }, - "title": "[Carbon Black Cloud] Distribution of Endpoint Events by Sensor Actions", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Sensor Action\",\"field\":\"carbon_black_cloud.endpoint_event.sensor_action\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":200},\"position\":\"left\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"labels\":{},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"radiusRatio\":0,\"seriesParams\":[{\"circlesRadius\":1,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"normal\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"truncateLegend\":true,\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":true,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"bottom\",\"scale
\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"\"},\"type\":\"value\"}]},\"title\":\"[Carbon Black Cloud] Distribution of Endpoint Events by Sensor Actions\",\"type\":\"horizontal_bar\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-c6cfa8d0-962f-11ec-864c-3332b2a355f7", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.2.2/kibana/visualization/carbon_black_cloud-cb70a610-955c-11ec-96f0-8de26c63c826.json b/packages/carbon_black_cloud/1.2.2/kibana/visualization/carbon_black_cloud-cb70a610-955c-11ec-96f0-8de26c63c826.json deleted file mode 100755 index 29d985b4d8..0000000000 --- a/packages/carbon_black_cloud/1.2.2/kibana/visualization/carbon_black_cloud-cb70a610-955c-11ec-96f0-8de26c63c826.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.watchlist_hit\\\"\"}}" - }, - "title": "[Carbon Black Cloud] Distribution of Watchlist Hit by Report Tags", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Watchlist Hit by Report Tag\",\"field\":\"carbon_black_cloud.watchlist_hit.report.tags\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":200},\"position\":\"left\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"labels\":{},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"radiusRatio\":0,\"seriesParams\":[{\"circlesRadius\":1,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"normal\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"truncateLegend\":true,\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":true,\"rotate\":75,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"bottom\",\
"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"\"},\"type\":\"value\"}]},\"title\":\"[Carbon Black Cloud] Distribution of Watchlist Hit by Report Tags\",\"type\":\"horizontal_bar\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-cb70a610-955c-11ec-96f0-8de26c63c826", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.2.2/kibana/visualization/carbon_black_cloud-cc2d3630-8d83-11ec-ac12-4bc77fa14e95.json b/packages/carbon_black_cloud/1.2.2/kibana/visualization/carbon_black_cloud-cc2d3630-8d83-11ec-ac12-4bc77fa14e95.json deleted file mode 100755 index 50933d86cc..0000000000 --- a/packages/carbon_black_cloud/1.2.2/kibana/visualization/carbon_black_cloud-cc2d3630-8d83-11ec-ac12-4bc77fa14e95.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.alert\\\"\"}}" - }, - "title": "[Carbon Black Cloud] Distribution of Alerts by Not Blocked Threat Category", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Not Blocked Threat Category\",\"field\":\"carbon_black_cloud.alert.not_blocked_threat_category\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":200},\"position\":\"left\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"labels\":{},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"radiusRatio\":0,\"seriesParams\":[{\"circlesRadius\":1,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"normal\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"truncateLegend\":true,\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":true,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftA
xis-1\",\"position\":\"bottom\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"[Carbon Black Cloud] Distribution of Alerts by Not Blocked Threat Category\",\"type\":\"horizontal_bar\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-cc2d3630-8d83-11ec-ac12-4bc77fa14e95", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.2.2/kibana/visualization/carbon_black_cloud-d33296f0-8d79-11ec-ac12-4bc77fa14e95.json b/packages/carbon_black_cloud/1.2.2/kibana/visualization/carbon_black_cloud-d33296f0-8d79-11ec-ac12-4bc77fa14e95.json deleted file mode 100755 index bf02f82c2e..0000000000 --- a/packages/carbon_black_cloud/1.2.2/kibana/visualization/carbon_black_cloud-d33296f0-8d79-11ec-ac12-4bc77fa14e95.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.alert\\\"\"}}" - }, - "title": "[Carbon Black Cloud] Top 10 Policy Names", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Policy Name\",\"field\":\"carbon_black_cloud.alert.policy.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Carbon Black Cloud] Top 10 Policy Names\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-d33296f0-8d79-11ec-ac12-4bc77fa14e95", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.2.2/kibana/visualization/carbon_black_cloud-d49a3710-8d96-11ec-ac12-4bc77fa14e95.json b/packages/carbon_black_cloud/1.2.2/kibana/visualization/carbon_black_cloud-d49a3710-8d96-11ec-ac12-4bc77fa14e95.json deleted file mode 100755 index bfebab9f24..0000000000 --- a/packages/carbon_black_cloud/1.2.2/kibana/visualization/carbon_black_cloud-d49a3710-8d96-11ec-ac12-4bc77fa14e95.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.alert\\\"\"}}" - }, - "title": "[Carbon Black Cloud] Top 10 Reason Codes", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Reason Codes\",\"field\":\"carbon_black_cloud.alert.reason_code\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Carbon Black Cloud] Top 10 Reason Codes\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-d49a3710-8d96-11ec-ac12-4bc77fa14e95", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.2.2/kibana/visualization/carbon_black_cloud-de59dff0-955a-11ec-96f0-8de26c63c826.json b/packages/carbon_black_cloud/1.2.2/kibana/visualization/carbon_black_cloud-de59dff0-955a-11ec-96f0-8de26c63c826.json deleted file mode 100755 index 85bf297c56..0000000000 --- a/packages/carbon_black_cloud/1.2.2/kibana/visualization/carbon_black_cloud-de59dff0-955a-11ec-96f0-8de26c63c826.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset: \\\"carbon_black_cloud.watchlist_hit\\\"\"}}" - }, - "title": "[Carbon Black Cloud] Top 10 Parent Process Usernames", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Parent Process Username\",\"field\":\"carbon_black_cloud.watchlist_hit.process.parent.username\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Carbon Black Cloud] Top 10 Parent Process Usernames\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-de59dff0-955a-11ec-96f0-8de26c63c826", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.2.2/kibana/visualization/carbon_black_cloud-ee2098d0-8d70-11ec-ac12-4bc77fa14e95.json b/packages/carbon_black_cloud/1.2.2/kibana/visualization/carbon_black_cloud-ee2098d0-8d70-11ec-ac12-4bc77fa14e95.json deleted file mode 100755 index 2ad0964cbb..0000000000 --- a/packages/carbon_black_cloud/1.2.2/kibana/visualization/carbon_black_cloud-ee2098d0-8d70-11ec-ac12-4bc77fa14e95.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.audit\\\"\"}}" - }, - "title": "[Carbon Black Cloud] Top 10 Request URLs", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"URL\",\"field\":\"url.original\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Carbon Black Cloud] Top 10 Request URLs\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-ee2098d0-8d70-11ec-ac12-4bc77fa14e95", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.2.2/kibana/visualization/carbon_black_cloud-ee670e50-8d89-11ec-ac12-4bc77fa14e95.json b/packages/carbon_black_cloud/1.2.2/kibana/visualization/carbon_black_cloud-ee670e50-8d89-11ec-ac12-4bc77fa14e95.json deleted file mode 100755 index cb945df49b..0000000000 --- a/packages/carbon_black_cloud/1.2.2/kibana/visualization/carbon_black_cloud-ee670e50-8d89-11ec-ac12-4bc77fa14e95.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.alert\\\"\"}}" - }, - "title": "[Carbon Black Cloud] Distribution of Alerts by Kill Chain Status", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Kill Chain Status\",\"field\":\"carbon_black_cloud.alert.kill_chain_status\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":200},\"position\":\"left\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"labels\":{},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"radiusRatio\":0,\"seriesParams\":[{\"circlesRadius\":1,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"normal\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"truncateLegend\":true,\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":true,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"bottom\
",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"[Carbon Black Cloud] Distribution of Alerts by Kill Chain Status\",\"type\":\"horizontal_bar\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-ee670e50-8d89-11ec-ac12-4bc77fa14e95", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.2.2/kibana/visualization/carbon_black_cloud-ee77a260-8d84-11ec-ac12-4bc77fa14e95.json b/packages/carbon_black_cloud/1.2.2/kibana/visualization/carbon_black_cloud-ee77a260-8d84-11ec-ac12-4bc77fa14e95.json deleted file mode 100755 index fc1c6812f0..0000000000 --- a/packages/carbon_black_cloud/1.2.2/kibana/visualization/carbon_black_cloud-ee77a260-8d84-11ec-ac12-4bc77fa14e95.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.alert\\\"\"}}" - }, - "title": "[Carbon Black Cloud] Distribution of Alerts by Process Name", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Process Name\",\"field\":\"process.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":200},\"position\":\"left\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"labels\":{},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"radiusRatio\":0,\"seriesParams\":[{\"circlesRadius\":1,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"normal\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"truncateLegend\":true,\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":true,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"bottom\",\"scale\":{\"mode\":\"normal\",\"type\
":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"[Carbon Black Cloud] Distribution of Alerts by Process Name\",\"type\":\"horizontal_bar\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-ee77a260-8d84-11ec-ac12-4bc77fa14e95", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.2.2/kibana/visualization/carbon_black_cloud-f28910d0-9628-11ec-864c-3332b2a355f7.json b/packages/carbon_black_cloud/1.2.2/kibana/visualization/carbon_black_cloud-f28910d0-9628-11ec-864c-3332b2a355f7.json deleted file mode 100755 index 3c04444ca9..0000000000 --- a/packages/carbon_black_cloud/1.2.2/kibana/visualization/carbon_black_cloud-f28910d0-9628-11ec-864c-3332b2a355f7.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.endpoint_event\\\"\"}}" - }, - "title": "[Carbon Black Cloud] Top 10 Device External IP", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Device External IP\",\"field\":\"carbon_black_cloud.endpoint_event.device.external_ip\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Carbon Black Cloud] Top 10 Device External IP\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-f28910d0-9628-11ec-864c-3332b2a355f7", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.2.2/kibana/visualization/carbon_black_cloud-f3f635b0-8d72-11ec-ac12-4bc77fa14e95.json b/packages/carbon_black_cloud/1.2.2/kibana/visualization/carbon_black_cloud-f3f635b0-8d72-11ec-ac12-4bc77fa14e95.json deleted file mode 100755 index a79db35e93..0000000000 --- a/packages/carbon_black_cloud/1.2.2/kibana/visualization/carbon_black_cloud-f3f635b0-8d72-11ec-ac12-4bc77fa14e95.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.alert\\\"\"}}" - }, - "title": "[Carbon Black Cloud] Distribution of Alerts by Alert Type", - "uiStateJSON": "{\"vis\":{\"legendOpen\":true}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Alert Type\",\"field\":\"carbon_black_cloud.alert.type\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":false,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"[Carbon Black Cloud] Distribution of Alerts by Alert Type\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-f3f635b0-8d72-11ec-ac12-4bc77fa14e95", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/carbon_black_cloud/1.2.2/kibana/visualization/carbon_black_cloud-f7681be0-962e-11ec-864c-3332b2a355f7.json b/packages/carbon_black_cloud/1.2.2/kibana/visualization/carbon_black_cloud-f7681be0-962e-11ec-864c-3332b2a355f7.json deleted file mode 100755 index 84fedf340e..0000000000 --- a/packages/carbon_black_cloud/1.2.2/kibana/visualization/carbon_black_cloud-f7681be0-962e-11ec-864c-3332b2a355f7.json +++ /dev/null @@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.endpoint_event\\\"\"}}" - }, - "title": "[Carbon Black Cloud] Top 10 Process Username", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Process Username\",\"field\":\"carbon_black_cloud.endpoint_event.process.username\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Carbon Black Cloud] Top 10 Process Username\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-f7681be0-962e-11ec-864c-3332b2a355f7", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/carbon_black_cloud/1.2.2/kibana/visualization/carbon_black_cloud-f93958c0-8d83-11ec-ac12-4bc77fa14e95.json b/packages/carbon_black_cloud/1.2.2/kibana/visualization/carbon_black_cloud-f93958c0-8d83-11ec-ac12-4bc77fa14e95.json deleted file mode 100755 index 1c30c4f320..0000000000 --- a/packages/carbon_black_cloud/1.2.2/kibana/visualization/carbon_black_cloud-f93958c0-8d83-11ec-ac12-4bc77fa14e95.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.alert\\\"\"}}" - }, - "title": "[Carbon Black Cloud] Distribution of Alerts by Policy Applied", - "uiStateJSON": "{\"vis\":{\"legendOpen\":true}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Policy Applied\",\"field\":\"carbon_black_cloud.alert.policy.applied\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":false,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"[Carbon Black Cloud] Distribution of Alerts by Policy Applied\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-f93958c0-8d83-11ec-ac12-4bc77fa14e95", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/carbon_black_cloud/1.2.2/kibana/visualization/carbon_black_cloud-ff34eaa0-8d79-11ec-ac12-4bc77fa14e95.json b/packages/carbon_black_cloud/1.2.2/kibana/visualization/carbon_black_cloud-ff34eaa0-8d79-11ec-ac12-4bc77fa14e95.json deleted file mode 100755 index 4a17555983..0000000000 --- a/packages/carbon_black_cloud/1.2.2/kibana/visualization/carbon_black_cloud-ff34eaa0-8d79-11ec-ac12-4bc77fa14e95.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.alert\\\"\"}}" - }, - "title": "[Carbon Black Cloud] Distribution of Alerts by Target Value", - "uiStateJSON": "{\"vis\":{\"legendOpen\":true}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Target Value\",\"field\":\"carbon_black_cloud.alert.target_value\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":false,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"[Carbon Black Cloud] Distribution of Alerts by Target Value\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-ff34eaa0-8d79-11ec-ac12-4bc77fa14e95", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.2.2/manifest.yml b/packages/carbon_black_cloud/1.2.2/manifest.yml deleted file mode 100755 index b3f35cbda2..0000000000 
--- a/packages/carbon_black_cloud/1.2.2/manifest.yml +++ /dev/null 
@@ -1,136 +0,0 @@ -format_version: 1.0.0 -name: carbon_black_cloud -title: VMware Carbon Black Cloud -version: "1.2.2" -license: basic -description: Collect logs from VMWare Carbon Black Cloud with Elastic Agent. -type: integration -categories: - - security -release: ga -conditions: - kibana.version: ^7.17.0 || ^8.0.0 -screenshots: - - src: /img/carbon_black_cloud-screenshot.png - title: Carbon Black Cloud alert dashboard screenshot - size: 600x600 - type: image/png -icons: - - src: /img/carbon_black_cloud-logo.svg - title: Carbon Black Cloud logo - size: 32x32 - type: image/svg+xml -policy_templates: - - name: carbon_black_cloud - title: Carbon Black Cloud - description: Collect Logs from Carbon Black Cloud - inputs: - - type: httpjson - title: Collect Carbon Black Cloud logs via API - description: Collect Carbon Black Cloud logs via API - vars: - - name: hostname - type: text - title: Hostname - description: Carbon Black Cloud console Hostname. Find hostname in the console dashboard at the beginning of the web address (Add https:// before the hostname). - required: true - - name: org_key - type: text - title: Organization Key - description: Organization Key. - required: true - - name: custom_api_id - type: text - title: Custom API ID - description: API ID with Custom Access Level type. - required: true - - name: custom_api_secret_key - type: password - title: Custom API Secret Key - description: API Secret Key with Custom Access Level type - required: true - - name: api_id - type: text - title: API ID - description: API ID with API Access Level type. - required: true - - name: api_secret_key - type: password - title: API Secret Key - description: API Secret Key with API Access Level type - required: true - - name: proxy_url - type: text - title: Proxy URL - multi: false - required: false - show_user: false - description: URL to proxy connections in the form of http\[s\]://:@:. Please ensure your username and password are in URL encoded format. 
- - name: ssl - type: yaml - title: SSL Configuration - description: i.e. certificate_authorities, supported_protocols, verification_mode etc. - multi: false - required: false - show_user: false - default: | - #certificate_authorities: - # - | - # -----BEGIN CERTIFICATE----- - # MIIDCjCCAfKgAwIBAgITJ706Mu2wJlKckpIvkWxEHvEyijANBgkqhkiG9w0BAQsF - # ADAUMRIwEAYDVQQDDAlsb2NhbGhvc3QwIBcNMTkwNzIyMTkyOTA0WhgPMjExOTA2 - # MjgxOTI5MDRaMBQxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEB - # BQADggEPADCCAQoCggEBANce58Y/JykI58iyOXpxGfw0/gMvF0hUQAcUrSMxEO6n - # fZRA49b4OV4SwWmA3395uL2eB2NB8y8qdQ9muXUdPBWE4l9rMZ6gmfu90N5B5uEl - # 94NcfBfYOKi1fJQ9i7WKhTjlRkMCgBkWPkUokvBZFRt8RtF7zI77BSEorHGQCk9t - # /D7BS0GJyfVEhftbWcFEAG3VRcoMhF7kUzYwp+qESoriFRYLeDWv68ZOvG7eoWnP - # PsvZStEVEimjvK5NSESEQa9xWyJOmlOKXhkdymtcUd/nXnx6UTCFgnkgzSdTWV41 - # CI6B6aJ9svCTI2QuoIq2HxX/ix7OvW1huVmcyHVxyUECAwEAAaNTMFEwHQYDVR0O - # BBYEFPwN1OceFGm9v6ux8G+DZ3TUDYxqMB8GA1UdIwQYMBaAFPwN1OceFGm9v6ux - # 8G+DZ3TUDYxqMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAG5D - # 874A4YI7YUwOVsVAdbWtgp1d0zKcPRR+r2OdSbTAV5/gcS3jgBJ3i1BN34JuDVFw - # 3DeJSYT3nxy2Y56lLnxDeF8CUTUtVQx3CuGkRg1ouGAHpO/6OqOhwLLorEmxi7tA - # H2O8mtT0poX5AnOAhzVy7QW0D/k4WaoLyckM5hUa6RtvgvLxOwA0U+VGurCDoctu - # 8F4QOgTAWyh8EZIwaKCliFRSynDpv3JTUwtfZkxo6K6nce1RhCWFAsMvDZL8Dgc0 - # yvgJ38BRsFOtkRuAGSf6ZUwTO8JJRRIFnpUzXflAnGivK9M13D5GEQMmIl6U9Pvk - # sxSmbIUfc2SGJGCJD4I= - # -----END CERTIFICATE----- - - type: aws-s3 - title: Collect Carbon Black Cloud logs via AWS S3 - description: Collect Carbon Black Cloud logs via AWS S3 - vars: - - name: bucket_arn - type: text - title: Bucket ARN - multi: false - required: true - show_user: true - - name: access_key_id - type: password - title: Access Key ID - multi: false - required: true - show_user: true - - name: secret_access_key - type: password - title: Secret Access Key - multi: false - required: true - show_user: true - - name: number_of_workers - type: integer - title: Number of Workers - multi: false - 
required: false - show_user: false - default: 5 - description: Number of workers that will process the S3 objects listed. - - name: proxy_url - type: text - title: Proxy URL - multi: false - required: false - show_user: false - description: URL to proxy connections in the form of http\[s\]://:@:. Please ensure your username and password are in URL encoded format. -owner: - github: elastic/security-external-integrations diff --git a/packages/carbon_black_cloud/1.3.0/LICENSE.txt b/packages/carbon_black_cloud/1.3.0/LICENSE.txt deleted file mode 100755 index 809108b857..0000000000 --- a/packages/carbon_black_cloud/1.3.0/LICENSE.txt +++ /dev/null 
@@ -1,93 +0,0 @@ -Elastic License 2.0 - -URL: https://www.elastic.co/licensing/elastic-license - -## Acceptance - -By using the software, you agree to all of the terms and conditions below. - -## Copyright License - -The licensor grants you a non-exclusive, royalty-free, worldwide, -non-sublicensable, non-transferable license to use, copy, distribute, make -available, and prepare derivative works of the software, in each case subject to -the limitations and conditions below. - -## Limitations - -You may not provide the software to third parties as a hosted or managed -service, where the service provides users with access to any substantial set of -the features or functionality of the software. - -You may not move, change, disable, or circumvent the license key functionality -in the software, and you may not remove or obscure any functionality in the -software that is protected by the license key. - -You may not alter, remove, or obscure any licensing, copyright, or other notices -of the licensor in the software. Any use of the licensor’s trademarks is subject -to applicable law. - -## Patents - -The licensor grants you a license, under any patent claims the licensor can -license, or becomes able to license, to make, have made, use, sell, offer for -sale, import and have imported the software, in each case subject to the -limitations and conditions in this license. This license does not cover any -patent claims that you cause to be infringed by modifications or additions to -the software. If you or your company make any written claim that the software -infringes or contributes to infringement of any patent, your patent license for -the software granted under these terms ends immediately. If your company makes -such a claim, your patent license ends immediately for work on behalf of your -company. - -## Notices - -You must ensure that anyone who gets a copy of any part of the software from you -also gets a copy of these terms. 
- -If you modify the software, you must include in any modified copies of the -software prominent notices stating that you have modified the software. - -## No Other Rights - -These terms do not imply any licenses other than those expressly granted in -these terms. - -## Termination - -If you use the software in violation of these terms, such use is not licensed, -and your licenses will automatically terminate. If the licensor provides you -with a notice of your violation, and you cease all violation of this license no -later than 30 days after you receive that notice, your licenses will be -reinstated retroactively. However, if you violate these terms after such -reinstatement, any additional violation of these terms will cause your licenses -to terminate automatically and permanently. - -## No Liability - -*As far as the law allows, the software comes as is, without any warranty or -condition, and the licensor will not be liable to you for any damages arising -out of these terms or the use or nature of the software, under any kind of -legal claim.* - -## Definitions - -The **licensor** is the entity offering these terms, and the **software** is the -software the licensor makes available under these terms, including any portion -of it. - -**you** refers to the individual or entity agreeing to these terms. - -**your company** is any legal entity, sole proprietorship, or other kind of -organization that you work for, plus all organizations that have control over, -are under the control of, or are under common control with that -organization. **control** means ownership of substantially all the assets of an -entity, or the power to direct its management and policies by vote, contract, or -otherwise. Control can be direct or indirect. - -**your licenses** are all the licenses granted to you for the software under -these terms. - -**use** means anything you do with the software requiring one of your licenses. 
- -**trademark** means trademarks, service marks, and similar rights. diff --git a/packages/carbon_black_cloud/1.3.0/changelog.yml b/packages/carbon_black_cloud/1.3.0/changelog.yml deleted file mode 100755 index 16ed462487..0000000000 --- a/packages/carbon_black_cloud/1.3.0/changelog.yml +++ /dev/null 
@@ -1,66 +0,0 @@ -# newer versions go on top -- version: "1.3.0" - changes: - - description: Add Support of SQS input type. - type: enhancement - link: https://github.com/elastic/integrations/issues/4316 -- version: "1.2.2" - changes: - - description: Ensure stability of related.hash array ordering. - type: bugfix - link: https://github.com/elastic/integrations/issues/4296 -- version: "1.2.1" - changes: - - description: Remove unused visualizations - type: enhancement - link: https://github.com/elastic/integrations/issues/3975 -- version: "1.2.0" - changes: - - description: Update package to ECS 8.4.0 - type: enhancement - link: https://github.com/elastic/integrations/pull/3842 -- version: "1.1.1" - changes: - - description: Fix proxy URL documentation rendering. - type: bugfix - link: https://github.com/elastic/integrations/pull/3881 -- version: "1.1.0" - changes: - - description: Update package to ECS 8.3.0. - type: enhancement - link: https://github.com/elastic/integrations/pull/3353 -- version: "1.0.3" - changes: - - description: Add correct field mapping for event.created - type: bugfix - link: https://github.com/elastic/integrations/issues/3579 -- version: "1.0.2" - changes: - - description: Fix dashboard issues. - type: bugfix - link: https://github.com/elastic/integrations/issues/3462 -- version: "1.0.1" - changes: - - description: Change event.outcome value from failure to failed according to ECS - type: bugfix - link: https://github.com/elastic/integrations/issues/3407 -- version: "1.0.0" - changes: - - description: Make GA - type: enhancement - link: https://github.com/elastic/integrations/pull/3428 -- version: 0.1.2 - changes: - - description: Add "VMware" to the title to make it "VMware Carbon Black Cloud". 
- type: enhancement - link: https://github.com/elastic/integrations/pull/3196 -- version: 0.1.1 - changes: - - description: Captured domain from username and hostname - type: enhancement - link: https://github.com/elastic/integrations/pull/3106 -- version: 0.1.0 - changes: - - description: Initial draft of the package. - type: enhancement - link: https://github.com/elastic/integrations/pull/2760 diff --git a/packages/carbon_black_cloud/1.3.0/data_stream/alert/agent/stream/aws-s3.yml.hbs b/packages/carbon_black_cloud/1.3.0/data_stream/alert/agent/stream/aws-s3.yml.hbs deleted file mode 100755 index 26c4d05045..0000000000 --- a/packages/carbon_black_cloud/1.3.0/data_stream/alert/agent/stream/aws-s3.yml.hbs +++ /dev/null 
@@ -1,82 +0,0 @@ -{{#if collect_s3_logs}} - -{{#if bucket_arn}} -bucket_arn: {{bucket_arn}} -{{/if}} -{{#if number_of_workers}} -number_of_workers: {{number_of_workers}} -{{/if}} -{{#if interval}} -bucket_list_interval: {{interval}} -{{/if}} -{{#if bucket_list_prefix}} -bucket_list_prefix: {{bucket_list_prefix}} -{{/if}} - -{{else}} - -{{#if queue_url}} -queue_url: {{queue_url}} -{{/if}} -{{#if visibility_timeout}} -visibility_timeout: {{visibility_timeout}} -{{/if}} -{{#if api_timeout}} -api_timeout: {{api_timeout}} -{{/if}} -{{#if max_number_of_messages}} -max_number_of_messages: {{max_number_of_messages}} -{{/if}} -{{#if file_selectors}} -file_selectors: -{{file_selectors}} -{{/if}} -{{/if}} - -expand_event_list_from_field: Records -{{#if access_key_id}} -access_key_id: {{access_key_id}} -{{/if}} -{{#if secret_access_key}} -secret_access_key: {{secret_access_key}} -{{/if}} -{{#if session_token}} -session_token: {{session_token}} -{{/if}} -{{#if shared_credential_file}} -shared_credential_file: {{shared_credential_file}} -{{/if}} -{{#if credential_profile_name}} -credential_profile_name: {{credential_profile_name}} -{{/if}} -{{#if role_arn}} -role_arn: {{role_arn}} -{{/if}} -{{#if endpoint}} -endpoint: {{endpoint}} -{{/if}} -{{#if fips_enabled}} -fips_enabled: {{fips_enabled}} -{{/if}} -{{#if proxy_url}} -proxy_url: {{proxy_url}} -{{/if}} -tags: -{{#if collect_s3_logs}} - - collect_s3_logs -{{else}} - - collect_sqs_logs -{{/if}} -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#each tags as |tag|}} - - {{tag}} -{{/each}} -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} -{{#if processors}} -processors: -{{processors}} -{{/if}} diff --git a/packages/carbon_black_cloud/1.3.0/data_stream/alert/agent/stream/httpjson.yml.hbs b/packages/carbon_black_cloud/1.3.0/data_stream/alert/agent/stream/httpjson.yml.hbs deleted file mode 100755 index 2f738b21a6..0000000000 
--- a/packages/carbon_black_cloud/1.3.0/data_stream/alert/agent/stream/httpjson.yml.hbs +++ /dev/null @@ -1,52 +0,0 @@ -config_version: 2 -interval: {{interval}} -request.timeout: 2m -request.method: POST - -{{#if proxy_url}} -request.proxy_url: {{proxy_url}} -{{/if}} -{{#if ssl}} -request.ssl: {{ssl}} -{{/if}} - -request.url: {{hostname}}/appservices/v6/orgs/{{org_key}}/alerts/_search -request.transforms: - - set: - target: header.X-Auth-Token - value: {{custom_api_secret_key}}/{{custom_api_id}} - - set: - target: body.criteria.last_update_time.start - value: '[[.cursor.last_update_timestamp]]' - default: '[[formatDate ((now (parseDuration "-{{initial_interval}}")).Add (parseDuration "-15m")) "RFC3339"]]' - - set: - target: body.criteria.last_update_time.end - value: '[[formatDate (now (parseDuration "-15m")) "RFC3339"]]' - - set: - target: body.sort - value: '[{ "field": "last_update_time", "order": "ASC"}]' - value_type: json -response.pagination: - - set: - target: body.criteria.last_update_time.start - value: '[[if (ne .last_response.body.num_found .last_response.body.num_available)]][[.last_event.last_update_time]][[else]][[.last_response.terminate_pagination]][[end]]' - fail_on_template_error: true -cursor: - last_update_timestamp: - value: '[[.last_event.last_update_time]]' -response.split: - target: body.results -tags: -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#each tags as |tag|}} - - {{tag}} -{{/each}} -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} -{{#if processors}} -processors: -{{processors}} -{{/if}} diff --git a/packages/carbon_black_cloud/1.3.0/data_stream/alert/elasticsearch/ingest_pipeline/default.yml b/packages/carbon_black_cloud/1.3.0/data_stream/alert/elasticsearch/ingest_pipeline/default.yml deleted file mode 100755 index a302659e9e..0000000000 --- a/packages/carbon_black_cloud/1.3.0/data_stream/alert/elasticsearch/ingest_pipeline/default.yml +++ /dev/null 
@@ -1,313 +0,0 @@
----
-description: Pipeline for parsing Carbon Black Cloud alerts.
-processors:
- - set:
- field: ecs.version
- value: '8.4.0'
- - rename:
- field: message
- target_field: event.original
- ignore_missing: true
- - json:
- field: event.original
- target_field: json
- ignore_failure: true
- - fingerprint:
- fields:
- - json.id
- - json.create_time
- - json.last_update_time
- target_field: _id
- ignore_missing: true
- - date:
- field: json.create_time
- target_field: "@timestamp"
- ignore_failure: true
- formats:
- - ISO8601
- - set:
- field: event.kind
- value: alert
- - rename:
- field: json.id
- target_field: event.id
- ignore_missing: true
- - rename:
- field: json.first_event_time
- target_field: event.start
- ignore_missing: true
- - rename:
- field: json.last_event_time
- target_field: event.end
- ignore_missing: true
- - rename:
- field: json.severity
- target_field: event.severity
- ignore_missing: true
- - urldecode:
- field: json.alert_url
- target_field: event.url
- ignore_missing: true
- - rename:
- field: json.reason
- target_field: event.reason
- ignore_missing: true
- - convert:
- field: json.device_id
- target_field: host.id
- type: string
- ignore_missing: true
- - set:
- field: host.os.type
- value: windows
- if: ctx?.json?.device_os == "WINDOWS"
- - set:
- field: host.os.type
- value: linux
- if: ctx?.json?.device_os == "LINUX"
- - set:
- field: host.os.type
- value: macos
- if: ctx?.json?.device_os == "MAC"
- - set:
- field: event.kind
- value: alert
- - rename:
- field: json.device_os_version
- target_field: host.os.version
- ignore_missing: true
- - rename:
- field: json.device_name
- target_field: host.hostname
- ignore_missing: true
- - grok:
- field: host.hostname
- patterns:
- - '^(%{DATA:user.domain})\\(%{GREEDYDATA:host.hostname})$'
- ignore_missing: true
- ignore_failure: true
- - set:
- field: host.name
- value: "{{{host.hostname}}}"
- ignore_failure: true
- - append:
- field: host.ip
- value: "{{{json.device_internal_ip}}}"
- if: ctx?.json?.device_internal_ip != null
- allow_duplicates: false
- ignore_failure: true
- - append:
- field: host.ip
- value: "{{{json.device_external_ip}}}"
- if: ctx?.json?.device_external_ip != null
- allow_duplicates: false
- ignore_failure: true
- - rename:
- field: json.device_username
- target_field: user.name
- ignore_missing: true
- - grok:
- field: user.name
- patterns:
- - '^(%{DATA:user.domain})\\(%{GREEDYDATA:user.name})$'
- ignore_missing: true
- ignore_failure: true
- - append:
- field: related.ip
- value:
- - "{{{json.device_internal_ip}}}"
- - "{{{json.device_external_ip}}}"
- allow_duplicates: false
- - append:
- field: related.user
- value:
- - "{{{user.name}}}"
- allow_duplicates: false
- - append:
- field: related.hosts
- value:
- - "{{{host.hostname}}}"
- - "{{{user.domain}}}"
- allow_duplicates: false
- - append:
- field: related.hash
- value:
- - "{{{json.threat_cause_actor_md5}}}"
- - "{{{json.threat_cause_actor_sha256}}}"
- allow_duplicates: false
- - rename:
- field: json.process_name
- target_field: process.name
- ignore_missing: true
- - rename:
- field: json.process_path
- target_field: process.executable
- ignore_missing: true
- - rename:
- field: json.process_guid
- target_field: process.entity_id
- ignore_missing: true
- - rename:
- field: json.vendor_name
- target_field: carbon_black_cloud.alert.vendor_name
- ignore_missing: true
- - rename:
- field: json.product_name
- target_field: carbon_black_cloud.alert.product_name
- ignore_missing: true
- - rename:
- field: json.serial_number
- target_field: carbon_black_cloud.alert.serial_number
- ignore_missing: true
- - rename:
- field: json.policy_id
- target_field: carbon_black_cloud.alert.policy.id
- ignore_missing: true
- - rename:
- field: json.policy_name
- target_field: carbon_black_cloud.alert.policy.name
- ignore_missing: true
- - rename:
- field: json.threat_id
- target_field: carbon_black_cloud.alert.threat_id
- ignore_missing: true
- - rename:
- field: json.policy_applied
- target_field: carbon_black_cloud.alert.policy.applied
- ignore_missing: true
- - rename:
- field: json.threat_activity_c2
- target_field: carbon_black_cloud.alert.threat_activity.c2
- ignore_missing: true
- - rename:
- field: json.threat_activity_dlp
- target_field: carbon_black_cloud.alert.threat_activity.dlp
- ignore_missing: true
- - rename:
- field: json.threat_activity_phish
- target_field: carbon_black_cloud.alert.threat_activity.phish
- ignore_missing: true
- - rename:
- field: json.threat_cause_actor_name
- target_field: carbon_black_cloud.alert.threat_cause.actor.name
- ignore_missing: true
- - rename:
- field: json.threat_cause_actor_process_pid
- target_field: carbon_black_cloud.alert.threat_cause.actor.process_pid
- ignore_missing: true
- - rename:
- field: json.threat_cause_actor_sha256
- target_field: carbon_black_cloud.alert.threat_cause.actor.sha256
- ignore_missing: true
- - rename:
- field: json.threat_cause_actor_md5
- target_field: carbon_black_cloud.alert.threat_cause.actor.md5
- ignore_missing: true
- - rename:
- field: json.threat_cause_cause_event_id
- target_field: carbon_black_cloud.alert.threat_cause.cause_event_id
- ignore_missing: true
- - rename:
- field: json.threat_cause_parent_guid
- target_field: carbon_black_cloud.alert.threat_cause.process.parent.guid
- ignore_missing: true
- - rename:
- field: json.threat_cause_process_guid
- target_field: carbon_black_cloud.alert.threat_cause.process.guid
- ignore_missing: true
- - rename:
- field: json.threat_cause_reputation
- target_field: carbon_black_cloud.alert.threat_cause.reputation
- ignore_missing: true
- - rename:
- field: json.threat_cause_threat_category
- target_field: carbon_black_cloud.alert.threat_cause.threat_category
- ignore_missing: true
- - rename:
- field: json.threat_cause_vector
- target_field: carbon_black_cloud.alert.threat_cause.vector
- ignore_missing: true
- - rename:
- field: json.ioc_field
- target_field: carbon_black_cloud.alert.ioc.field
- ignore_missing: true
- - rename:
- field: json.ioc_hit
- target_field: carbon_black_cloud.alert.ioc.hit
- ignore_missing: true
- - rename:
- field: json.ioc_id
- target_field: carbon_black_cloud.alert.ioc.id
- ignore_missing: true
- - rename:
- field: json.report_id
- target_field: carbon_black_cloud.alert.report.id
- ignore_missing: true
- - rename:
- field: json.report_name
- target_field: carbon_black_cloud.alert.report.name
- ignore_missing: true
- - rename:
- field: json.org_key
- target_field: carbon_black_cloud.alert.organization_key
- ignore_missing: true
- - rename:
- field: json.device_location
- target_field: carbon_black_cloud.alert.device.location
- ignore_missing: true
- - rename:
- field: json.device_os
- target_field: carbon_black_cloud.alert.device.os
- ignore_missing: true
- - rename:
- field: json.device_internal_ip
- target_field: carbon_black_cloud.alert.device.internal_ip
- ignore_missing: true
- - rename:
- field: json.device_external_ip
- target_field: carbon_black_cloud.alert.device.external_ip
- ignore_missing: true
- - remove:
- field: event.original
- if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))"
- ignore_failure: true
- ignore_missing: true
- - lowercase:
- field: json.category
- ignore_missing: true
- - script:
- description: Adds all the remaining fields in fields under carbon_black_cloud.alert
- lang: painless
- if: ctx?.json != null
- source: |
- for (Map.Entry m : ctx.json.entrySet()) {
- ctx.carbon_black_cloud.alert[m.getKey()] = m.getValue();
- }
- - remove:
- field:
- - json
- - carbon_black_cloud.alert.create_time
- - carbon_black_cloud.alert.device_id
- - carbon_black_cloud.alert.alert_url
- ignore_missing: true
- - script:
- description: Drops null/empty values recursively
- lang: painless
- source: |
- boolean dropEmptyFields(Object object) {
- if (object == null || object == "") {
- return true;
- } else if (object instanceof Map) {
- ((Map) object).values().removeIf(value -> dropEmptyFields(value));
- return (((Map) object).size() == 0);
- } else if (object instanceof List) {
- ((List) object).removeIf(value -> dropEmptyFields(value));
- return (((List) object).length == 0);
- }
- return false;
- }
- dropEmptyFields(ctx);
-on_failure:
- - set:
- field: error.message
- value: "{{{_ingest.on_failure_message}}}"
diff --git a/packages/carbon_black_cloud/1.3.0/data_stream/alert/fields/agent.yml b/packages/carbon_black_cloud/1.3.0/data_stream/alert/fields/agent.yml
deleted file mode 100755
index e313ec8287..0000000000
--- a/packages/carbon_black_cloud/1.3.0/data_stream/alert/fields/agent.yml
+++ /dev/null
@@ -1,204 +0,0 @@
-- name: cloud
- title: Cloud
- group: 2
- description: Fields related to the cloud or infrastructure the events are coming from.
- footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.'
- type: group
- fields:
- - name: account.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment.
-
- Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.'
- example: 666777888999
- - name: availability_zone
- level: extended
- type: keyword
- ignore_above: 1024
- description: Availability zone in which this host is running.
- example: us-east-1c
- - name: instance.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance ID of the host machine.
- example: i-1234567890abcdef0
- - name: instance.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance name of the host machine.
- - name: machine.type
- level: extended
- type: keyword
- ignore_above: 1024
- description: Machine type of the host machine.
- example: t2.medium
- - name: provider
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
- example: aws
- - name: region
- level: extended
- type: keyword
- ignore_above: 1024
- description: Region in which this host is running.
- example: us-east-1
- - name: project.id
- type: keyword
- description: Name of the project in Google Cloud.
- - name: image.id
- type: keyword
- description: Image ID for the cloud instance.
-- name: container
- title: Container
- group: 2
- description: 'Container fields are used for meta information about the specific container that is the source of information.
-
- These fields help correlate data based containers from any runtime.'
- type: group
- fields:
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: Unique container id.
- - name: image.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the image the container was built on.
- - name: labels
- level: extended
- type: object
- object_type: keyword
- description: Image labels.
- - name: name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Container name.
-- name: host
- title: Host
- group: 2
- description: 'A host is defined as a general computing instance.
-
- ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.'
- type: group
- fields:
- - name: architecture
- level: core
- type: keyword
- ignore_above: 1024
- description: Operating system architecture.
- example: x86_64
- - name: domain
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'Name of the domain of which the host is a member.
-
- For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.'
- example: CONTOSO
- default_field: false
- - name: hostname
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Hostname of the host.
-
- It normally contains what the `hostname` command returns on the host machine.'
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Unique host id.
-
- As hostname is not always unique, use values that are meaningful in your environment.
-
- Example: The current usage of `beat.name`.'
- - name: ip
- level: core
- type: ip
- description: Host ip addresses.
- - name: mac
- level: core
- type: keyword
- ignore_above: 1024
- description: Host mac addresses.
- - name: name
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Name of the host.
-
- It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.'
- - name: os.family
- level: extended
- type: keyword
- ignore_above: 1024
- description: OS family (such as redhat, debian, freebsd, windows).
- example: debian
- - name: os.kernel
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system kernel version as a raw string.
- example: 4.4.0-112-generic
- - name: os.name
- level: extended
- type: keyword
- ignore_above: 1024
- multi_fields:
- - name: text
- type: text
- norms: false
- default_field: false
- description: Operating system name, without the version.
- example: Mac OS X
- - name: os.platform
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system platform (such centos, ubuntu, windows).
- example: darwin
- - name: os.version
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system version as a raw string.
- example: 10.14.1
- - name: type
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Type of host.
-
- For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.'
- - name: containerized
- type: boolean
- description: >
- If the host is a container.
-
- - name: os.build
- type: keyword
- example: "18D109"
- description: >
- OS build information.
-
- - name: os.codename
- type: keyword
- example: "stretch"
- description: >
- OS codename, if any.
-
-- name: input.type
- type: keyword
- description: Input type
-- name: log.offset
- type: long
- description: Log offset
diff --git a/packages/carbon_black_cloud/1.3.0/data_stream/alert/fields/base-fields.yml b/packages/carbon_black_cloud/1.3.0/data_stream/alert/fields/base-fields.yml
deleted file mode 100755
index 14fb618ea4..0000000000
--- a/packages/carbon_black_cloud/1.3.0/data_stream/alert/fields/base-fields.yml
+++ /dev/null
@@ -1,20 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: '@timestamp'
- type: date
- description: Event timestamp.
-- name: event.module
- type: constant_keyword
- description: Event module.
- value: carbon_black_cloud
-- name: event.dataset
- type: constant_keyword
- description: Event dataset.
- value: carbon_black_cloud.alert
diff --git a/packages/carbon_black_cloud/1.3.0/data_stream/alert/fields/ecs.yml b/packages/carbon_black_cloud/1.3.0/data_stream/alert/fields/ecs.yml
deleted file mode 100755
index 7aa008a975..0000000000
--- a/packages/carbon_black_cloud/1.3.0/data_stream/alert/fields/ecs.yml
+++ /dev/null
@@ -1,135 +0,0 @@
-- description: |-
- ECS version this event conforms to. `ecs.version` is a required field and must exist in all events.
- When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events.
- name: ecs.version
- type: keyword
-- description: |-
- event.created contains the date/time when the event was first read by an agent, or by your pipeline.
- This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event.
- In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source.
- In case the two timestamps are identical, @timestamp should be used.
- name: event.created
- type: date
-- description: event.end contains the date when the event ended or when the activity was last observed.
- name: event.end
- type: date
-- description: Unique ID to describe the event.
- name: event.id
- type: keyword
-- description: |-
- This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy.
- `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events.
- The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not.
- name: event.kind
- type: keyword
-- description: |-
- Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex.
- This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`.
- doc_values: false
- index: false
- name: event.original
- type: keyword
-- description: |-
- Reason why this event happened, according to the source.
- This describes the why of a particular action or outcome captured in the event. Where `event.action` captures the action from the event, `event.reason` describes why that action was taken. For example, a web proxy with an `event.action` which denied the request may also populate `event.reason` with the reason why (e.g. `blocked site`).
- name: event.reason
- type: keyword
-- description: |-
- The numeric severity of the event according to your event source.
- What the different severity values mean can be different between sources and use cases. It's up to the implementer to make sure severities are consistent across events from the same source.
- The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`.
- name: event.severity
- type: long
-- description: event.start contains the date when the event started or when the activity was first observed.
- name: event.start
- type: date
-- description: |-
- URL linking to an external system to continue investigation of this event.
- This URL links to another system where in-depth investigation of the specific occurrence of this event can take place. Alert events, indicated by `event.kind:alert`, are a common use case for this field.
- name: event.url
- type: keyword
-- description: |-
- Hostname of the host.
- It normally contains what the `hostname` command returns on the host machine.
- name: host.hostname
- type: keyword
-- description: |-
- Unique host id.
- As hostname is not always unique, use values that are meaningful in your environment.
- Example: The current usage of `beat.name`.
- name: host.id
- type: keyword
-- description: Host ip addresses.
- name: host.ip
- normalize:
- - array
- type: ip
-- description: |-
- Name of the host.
- It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.
- name: host.name
- type: keyword
-- description: |-
- Use the `os.type` field to categorize the operating system into one of the broad commercial families.
- If the OS you're dealing with is not listed as an expected value, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition.
- name: host.os.type
- type: keyword
-- description: Operating system version as a raw string.
- name: host.os.version
- type: keyword
-- description: |-
- Unique identifier for the process.
- The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process.
- Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts.
- name: process.entity_id
- type: keyword
-- description: Absolute path to the process executable.
- multi_fields:
- - name: text
- type: match_only_text
- name: process.executable
- type: keyword
-- description: |-
- Process name.
- Sometimes called program name or similar.
- multi_fields:
- - name: text
- type: match_only_text
- name: process.name
- type: keyword
-- description: All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search).
- name: related.hash
- normalize:
- - array
- type: keyword
-- description: All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases.
- name: related.hosts
- normalize:
- - array
- type: keyword
-- description: All of the IPs seen on your event.
- name: related.ip
- normalize:
- - array
- type: ip
-- description: All the user names or other user identifiers seen on the event.
- name: related.user
- normalize:
- - array
- type: keyword
-- description: List of keywords used to tag each event.
- name: tags
- normalize:
- - array
- type: keyword
-- description: |-
- Name of the directory the user is a member of.
- For example, an LDAP or Active Directory domain name.
- name: user.domain
- type: keyword
-- description: Short name or login of the user.
- multi_fields:
- - name: text
- type: match_only_text
- name: user.name
- type: keyword
diff --git a/packages/carbon_black_cloud/1.3.0/data_stream/alert/fields/fields.yml b/packages/carbon_black_cloud/1.3.0/data_stream/alert/fields/fields.yml
deleted file mode 100755
index 3eca3a1515..0000000000
--- a/packages/carbon_black_cloud/1.3.0/data_stream/alert/fields/fields.yml
+++ /dev/null
@@ -1,218 +0,0 @@
-- name: carbon_black_cloud.alert
- type: group
- fields:
- - name: blocked_threat_category
- type: keyword
- description: The category of threat which we were able to take action on.
- - name: category
- type: keyword
- description: The category of the alert.
- - name: count
- type: long
- - name: created_by_event_id
- type: keyword
- description: Event identifier that initiated the alert.
- - name: device
- type: group
- fields:
- - name: location
- type: keyword
- description: The Location of device.
- - name: os
- type: keyword
- description: OS of the device.
- - name: internal_ip
- type: ip
- description: Internal IP of the device.
- - name: external_ip
- type: ip
- description: External IP of the device.
- - name: document_guid
- type: keyword
- description: Unique ID of document.
- - name: ioc
- type: group
- fields:
- - name: field
- type: keyword
- description: The field the indicator of comprise (IOC) hit contains.
- - name: hit
- type: keyword
- description: IOC field value or IOC query that matches.
- - name: id
- type: keyword
- description: The identifier of the IOC that cause the hit.
- - name: kill_chain_status
- type: keyword
- description: The stage within the Cyber Kill Chain sequence most closely associated with the attributes of the alert.
- - name: last_update_time
- type: date
- description: The last time the alert was updated as an ISO 8601 UTC timestamp.
- - name: legacy_alert_id
- type: keyword
- description: The legacy identifier for the alert.
- - name: not_blocked_threat_category
- type: keyword
- description: Other potentially malicious activity involved in the threat that we weren't able to take action on (either due to policy config, or not having a relevant rule).
- - name: notes_present
- type: boolean
- description: Indicates if notes are associated with the threat_id.
- - name: organization_key
- type: keyword
- description: The unique identifier for the organization associated with the alert.
- - name: policy
- type: group
- fields:
- - name: applied
- type: keyword
- description: Whether a policy was applied.
- - name: id
- type: long
- description: The identifier for the policy associated with the device at the time of the alert.
- - name: name
- type: keyword
- description: The name of the policy associated with the device at the time of the alert.
- - name: product_id
- type: keyword
- description: The hexadecimal id of the USB device's product.
- - name: product_name
- type: keyword
- description: The name of the USB device’s vendor.
- - name: reason_code
- type: keyword
- description: Shorthand enum for the full-text reason.
- - name: report
- type: group
- fields:
- - name: id
- type: keyword
- description: The identifier of the report that contains the IOC.
- - name: name
- type: keyword
- description: The name of the report that contains the IOC.
- - name: run_state
- type: keyword
- description: Whether the threat in the alert ran.
- - name: sensor_action
- type: keyword
- description: The action taken by the sensor, according to the rule of the policy.
- - name: serial_number
- type: keyword
- description: The serial number of the USB device.
- - name: status
- type: keyword
- description: status of alert.
- - name: tags
- type: keyword
- description: Tags associated with the alert.
- - name: target_value
- type: keyword
- description: The priority of the device assigned by the policy.
- - name: threat_activity
- type: group
- fields:
- - name: c2
- type: keyword
- description: Whether the alert involved a command and control (c2) server.
- - name: dlp
- type: keyword
- description: Whether the alert involved data loss prevention (DLP).
- - name: phish
- type: keyword
- description: Whether the alert involved phishing.
- - name: threat_cause
- type: group
- fields:
- - name: actor
- type: group
- fields:
- - name: md5
- type: keyword
- description: MD5 of the threat cause actor.
- - name: name
- type: keyword
- description: 'The name can be one of the following: process commandline, process name, or analytic matched threat. Analytic matched threats are Exploit, Malware, PUP, or Trojan.'
- - name: process_pid
- type: keyword
- description: Process identifier (PID) of the actor process.
- - name: sha256
- type: keyword
- description: SHA256 of the threat cause actor.
- - name: cause_event_id
- type: keyword
- description: ID of the Event that triggered the threat.
- - name: process
- type: group
- fields:
- - name: guid
- type: keyword
- description: The global unique identifier of the process.
- - name: parent
- type: group
- fields:
- - name: guid
- type: keyword
- description: The global unique identifier of the process.
- - name: reputation
- type: keyword
- description: Reputation of the threat cause.
- - name: threat_category
- type: keyword
- description: Category of the threat cause.
- - name: vector
- type: keyword
- description: The source of the threat cause.
- - name: threat_id
- type: keyword
- description: The identifier of a threat which this alert belongs. Threats are comprised of a combination of factors that can be repeated across devices.
- - name: threat_indicators
- type: group
- description: List of the threat indicators that make up the threat.
- fields:
- - name: process_name
- type: keyword
- description: Process name associated with threat.
- - name: sha256
- type: keyword
- description: Sha256 associated with threat.
- - name: ttps
- type: keyword
- description: Tactics, techniques and procedures associated with threat.
- - name: type
- type: keyword
- description: Type of alert.
- - name: vendor_id
- type: keyword
- description: The hexadecimal id of the USB device's vendor.
- - name: vendor_name
- type: keyword
- description: The name of the USB device’s vendor.
- - name: watchlists
- type: group
- description: List of watchlists associated with an alert.
- fields:
- - name: id
- type: keyword
- description: The identifier of watchlist.
- - name: name
- type: keyword
- description: The name of the watchlist.
- - name: workflow
- type: group
- description: Tracking system for alerts as they are triaged and resolved.
- fields:
- - name: changed_by
- type: keyword
- description: The name of user who changed the workflow.
- - name: comment
- type: keyword
- description: Comment associated with workflow.
- - name: last_update_time
- type: date
- description: The last update time of workflow.
- - name: remediation
- type: keyword
- description: N/A
- - name: state
- type: keyword
- description: The state of workflow.
diff --git a/packages/carbon_black_cloud/1.3.0/data_stream/alert/manifest.yml b/packages/carbon_black_cloud/1.3.0/data_stream/alert/manifest.yml
deleted file mode 100755
index a5b71d8b23..0000000000
--- a/packages/carbon_black_cloud/1.3.0/data_stream/alert/manifest.yml
+++ /dev/null
@@ -1,136 +0,0 @@
-title: Alert
-type: logs
-streams:
- - input: httpjson
- title: Collect alerts from Carbon Black Cloud
- description: Collect alerts from Carbon Black Cloud.
- template_path: httpjson.yml.hbs
- vars:
- - name: interval
- type: text
- title: Interval
- description: Interval to fetch alerts from Carbon Black Cloud.
- multi: false
- required: true
- show_user: true
- default: 1m
- - name: initial_interval
- type: text
- title: Initial Interval
- description: How far back to pull the alerts from the Carbon Black Cloud API.
- default: 24h
- multi: false
- required: true
- show_user: true
- - name: tags
- type: text
- title: Tags
- multi: true
- required: true
- show_user: false
- default:
- - forwarded
- - carbon_black_cloud-alert
- - name: preserve_original_event
- required: true
- show_user: true
- title: Preserve original event
- description: Preserves a raw copy of the original event, added to the field `event.original`.
- type: bool
- multi: false
- default: false
- - name: processors
- type: yaml
- title: Processors
- multi: false
- required: false
- show_user: false
- description: >
- Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
-
- - input: aws-s3
- title: Collect alerts from Carbon Black Cloud
- description: Collect alerts from Carbon Black Cloud.
- template_path: aws-s3.yml.hbs
- vars:
- - name: bucket_list_prefix
- type: text
- title: '[S3] Bucket Prefix'
- multi: false
- required: false
- show_user: true
- default: alert_logs
- description: Prefix to apply for the list request to the S3 bucket.
- - name: interval
- type: text
- title: '[S3] Interval'
- multi: false
- required: false
- show_user: true
- default: 1m
- description: Time interval for polling listing of the S3 bucket. NOTE:- Supported units for this parameter are h/m/s.
- - name: number_of_workers
- type: integer
- title: '[S3] Number of Workers'
- multi: false
- required: false
- show_user: true
- default: 5
- description: Number of workers that will process the S3 objects listed.
- - name: visibility_timeout
- type: text
- title: '[SQS] Visibility Timeout'
- multi: false
- required: false
- show_user: true
- default: 300s
- description: The duration that the received messages are hidden from subsequent retrieve requests after being retrieved by a ReceiveMessage request. The maximum is 12 hours. NOTE:- Supported units for this parameter are h/m/s.
- - name: api_timeout
- type: text
- title: '[SQS] API Timeout'
- multi: false
- required: false
- show_user: true
- default: 120s
- description: The maximum duration of AWS API can take. The maximum is half of the visibility timeout value. NOTE:- Supported units for this parameter are h/m/s.
- - name: max_number_of_messages
- type: integer
- title: '[SQS] Maximum Concurrent SQS Messages'
- required: false
- show_user: true
- default: 5
- description: The maximum number of SQS messages that can be inflight at any time.
- - name: file_selectors
- type: yaml
- title: '[SQS] File Selectors'
- multi: false
- required: false
- show_user: false
- default: |
- - regex: 'alert_logs/'
- description: If the SQS queue will have events that correspond to files that this integration shouldn’t process, file_selectors can be used to limit the files that are downloaded. This is a list of selectors which are made up of regex and expand_event_list_from_field options. The regex should match the S3 object key in the SQS message, and the optional expand_event_list_from_field is the same as the global setting. If file_selectors is given, then any global expand_event_list_from_field value is ignored in favor of the ones specified in the file_selectors. Regexes use [RE2 syntax](https://pkg.go.dev/regexp/syntax). Files that don’t match one of the regexes will not be processed.
- - name: tags
- type: text
- title: Tags
- multi: true
- required: true
- show_user: false
- default:
- - forwarded
- - carbon_black_cloud-alert
- - name: preserve_original_event
- required: true
- show_user: true
- title: Preserve original event
- description: Preserves a raw copy of the original event, added to the field `event.original`.
- type: bool
- multi: false
- default: false
- - name: processors
- type: yaml
- title: Processors
- multi: false
- required: false
- show_user: false
- description: >-
- Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
diff --git a/packages/carbon_black_cloud/1.3.0/data_stream/alert/sample_event.json b/packages/carbon_black_cloud/1.3.0/data_stream/alert/sample_event.json
deleted file mode 100755
index 7ecbfab721..0000000000
--- a/packages/carbon_black_cloud/1.3.0/data_stream/alert/sample_event.json
+++ /dev/null
@@ -1,113 +0,0 @@ -{ - "@timestamp": "2020-11-17T22:05:13.000Z", - "agent": { - "ephemeral_id": "cc329655-90f8-4dc9-8014-e152f2b949da", - "id": "15b19080-249c-49a5-801a-edf25c28dcfe", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "8.4.1" - }, - "carbon_black_cloud": { - "alert": { - "category": "warning", - "device": { - "external_ip": "81.2.69.143", - "internal_ip": "81.2.69.144", - "location": "UNKNOWN", - "os": "WINDOWS" - }, - "last_update_time": "2020-11-17T22:05:13Z", - "legacy_alert_id": "C8EB7306-AF26-4A9A-B677-814B3AF69720", - "organization_key": "ABCD6X3T", - "policy": { - "applied": "APPLIED", - "id": 6997287, - "name": "Standard" - }, - "product_id": "0x5406", - "product_name": "U3 Cruzer Micro", - "reason_code": "6D578342-9DE5-4353-9C25-1D3D857BFC5B:DCAEB1FA-513C-4026-9AB6-37A935873FBC", - "run_state": "DID_NOT_RUN", - "sensor_action": "DENY", - "serial_number": "0875920EF7C2A304", - "target_value": "MEDIUM", - "threat_cause": { - "cause_event_id": "FCEE2AF0-D832-4C9F-B988-F11B46028C9E", - "threat_category": "NON_MALWARE", - "vector": "REMOVABLE_MEDIA" - }, - "threat_id": "t5678", - "type": "DEVICE_CONTROL", - "vendor_id": "0x0781", - "vendor_name": "SanDisk", - "workflow": { - "changed_by": "Carbon Black", - "last_update_time": "2020-11-17T22:02:16Z", - "state": "OPEN" - } - } - }, - "data_stream": { - "dataset": "carbon_black_cloud.alert", - "namespace": "ep", - "type": "logs" - }, - "ecs": { - "version": "8.4.0" - }, - "elastic_agent": { - "id": "15b19080-249c-49a5-801a-edf25c28dcfe", - "snapshot": false, - "version": "8.4.1" - }, - "event": { - "agent_id_status": "verified", - "created": "2022-09-26T01:58:04.610Z", - "dataset": "carbon_black_cloud.alert", - "end": "2020-11-17T22:02:16Z", - "id": "test1", - "ingested": "2022-09-26T01:58:05Z", - "kind": "alert", - "original": 
"{\"alert_url\":\"https://defense-eap01.conferdeploy.net/alerts?orgId=1889976\",\"category\":\"WARNING\",\"create_time\":\"2020-11-17T22:05:13Z\",\"device_external_ip\":\"81.2.69.143\",\"device_id\":2,\"device_internal_ip\":\"81.2.69.144\",\"device_location\":\"UNKNOWN\",\"device_name\":\"DESKTOP-002\",\"device_os\":\"WINDOWS\",\"device_os_version\":\"Windows 10 x64\",\"device_username\":\"test34@demo.com\",\"first_event_time\":\"2020-11-17T22:02:16Z\",\"id\":\"test1\",\"last_event_time\":\"2020-11-17T22:02:16Z\",\"last_update_time\":\"2020-11-17T22:05:13Z\",\"legacy_alert_id\":\"C8EB7306-AF26-4A9A-B677-814B3AF69720\",\"org_key\":\"ABCD6X3T\",\"policy_applied\":\"APPLIED\",\"policy_id\":6997287,\"policy_name\":\"Standard\",\"product_id\":\"0x5406\",\"product_name\":\"U3 Cruzer Micro\",\"reason\":\"Access attempted on unapproved USB device SanDisk U3 Cruzer Micro (SN: 0875920EF7C2A304). A Deny Policy Action was applied.\",\"reason_code\":\"6D578342-9DE5-4353-9C25-1D3D857BFC5B:DCAEB1FA-513C-4026-9AB6-37A935873FBC\",\"run_state\":\"DID_NOT_RUN\",\"sensor_action\":\"DENY\",\"serial_number\":\"0875920EF7C2A304\",\"severity\":3,\"target_value\":\"MEDIUM\",\"threat_cause_cause_event_id\":\"FCEE2AF0-D832-4C9F-B988-F11B46028C9E\",\"threat_cause_threat_category\":\"NON_MALWARE\",\"threat_cause_vector\":\"REMOVABLE_MEDIA\",\"threat_id\":\"t5678\",\"type\":\"DEVICE_CONTROL\",\"vendor_id\":\"0x0781\",\"vendor_name\":\"SanDisk\",\"workflow\":{\"changed_by\":\"Carbon Black\",\"comment\":\"\",\"last_update_time\":\"2020-11-17T22:02:16Z\",\"remediation\":\"\",\"state\":\"OPEN\"}}", - "reason": "Access attempted on unapproved USB device SanDisk U3 Cruzer Micro (SN: 0875920EF7C2A304). 
A Deny Policy Action was applied.", - "severity": 3, - "start": "2020-11-17T22:02:16Z", - "url": "https://defense-eap01.conferdeploy.net/alerts?orgId=1889976" - }, - "host": { - "hostname": "DESKTOP-002", - "id": "2", - "ip": [ - "81.2.69.144", - "81.2.69.143" - ], - "name": "DESKTOP-002", - "os": { - "type": "windows", - "version": "Windows 10 x64" - } - }, - "input": { - "type": "httpjson" - }, - "related": { - "hosts": [ - "DESKTOP-002" - ], - "ip": [ - "81.2.69.144", - "81.2.69.143" - ], - "user": [ - "test34@demo.com" - ] - }, - "tags": [ - "preserve_original_event", - "forwarded", - "carbon_black_cloud-alert" - ], - "user": { - "name": "test34@demo.com" - } -} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.3.0/data_stream/asset_vulnerability_summary/agent/stream/httpjson.yml.hbs b/packages/carbon_black_cloud/1.3.0/data_stream/asset_vulnerability_summary/agent/stream/httpjson.yml.hbs deleted file mode 100755 index 310b6e05d5..0000000000 --- a/packages/carbon_black_cloud/1.3.0/data_stream/asset_vulnerability_summary/agent/stream/httpjson.yml.hbs +++ /dev/null 
@@ -1,45 +0,0 @@ -config_version: 2 -interval: {{interval}} -request.method: POST -{{#if proxy_url }} -request.proxy_url: {{proxy_url}} -{{/if}} -{{#if ssl}} -request.ssl: {{ssl}} -{{/if}} -request.url: {{hostname}}/vulnerability/assessment/api/v1/orgs/{{org_key}}/devices/vulnerabilities/summary/_search -request.transforms: - - set: - target: header.X-Auth-Token - value: {{custom_api_secret_key}}/{{custom_api_id}} - - set: - target: body.start - value: '0' - value_type: int - - set: - target: body.rows - value: '10000' - value_type: int -request.timeout: 2m -response.pagination: - - set: - target: body.start - value: '[[if (eq (len .last_response.body.results) 0)]][[.last_response.terminate_pagination]][[else]][[mul .last_response.page .body.rows]][[end]]' - value_type: int - fail_on_template_error: true -response.split: - target: body.results -tags: -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#each tags as |tag|}} - - {{tag}} -{{/each}} -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} -{{#if processors}} -processors: -{{processors}} -{{/if}} diff --git a/packages/carbon_black_cloud/1.3.0/data_stream/asset_vulnerability_summary/elasticsearch/ingest_pipeline/default.yml b/packages/carbon_black_cloud/1.3.0/data_stream/asset_vulnerability_summary/elasticsearch/ingest_pipeline/default.yml deleted file mode 100755 index 5ded16ebb3..0000000000 --- a/packages/carbon_black_cloud/1.3.0/data_stream/asset_vulnerability_summary/elasticsearch/ingest_pipeline/default.yml +++ /dev/null 
@@ -1,132 +0,0 @@ ---- -description: Pipeline for parsing Carbon Black Cloud Asset Vulnerability Summary. -processors: -- rename: - field: message - target_field: event.original - ignore_missing: true -- set: - field: ecs.version - value: '8.4.0' -- json: - field: event.original - target_field: json -- rename: - field: json.host_name - target_field: host.hostname - ignore_missing: true -- convert: - field: json.device_id - type: string - target_field: host.id - ignore_missing: true -- rename: - field: json.name - target_field: host.name - ignore_missing: true -- rename: - field: json.os_info.os_name - target_field: host.os.name - ignore_missing: true -- set: - field: host.os.type - value: windows - if: ctx?.json?.os_info.os_type == "WINDOWS" -- set: - field: host.os.type - value: ubuntu - if: ctx?.json?.os_info.os_type == "UBUNTU" -- set: - field: host.os.type - value: centos - if: ctx?.json?.os_info.os_type == "CENTOS" -- remove : - field: json.os_info.os_type - ignore_missing: true -- remove : - field: json.device_id - ignore_missing: true -- rename: - field: json.os_info.os_version - target_field: host.os.version - ignore_missing: true -- rename: - field: json.highest_risk_score - target_field: vulnerability.score.base - ignore_missing: true -- rename: - field: json.severity - target_field: vulnerability.severity - ignore_missing: true -- date: - field: json.last_sync_ts - formats: - - ISO8601 - target_field: carbon_black_cloud.asset_vulnerability_summary.last_sync.timestamp -- remove: - field: json.last_sync_ts - ignore_missing: true -- rename: - field: json.sync_status - target_field: carbon_black_cloud.asset_vulnerability_summary.sync.status - ignore_missing: true -- rename: - field: json.sync_type - target_field: carbon_black_cloud.asset_vulnerability_summary.sync.type - ignore_missing: true -- rename: - field: json.type - target_field: carbon_black_cloud.asset_vulnerability_summary.type - ignore_missing: true -- rename: - field: json.vm_id - target_field: 
carbon_black_cloud.asset_vulnerability_summary.vm.id - ignore_missing: true -- rename: - field: json.vm_name - target_field: carbon_black_cloud.asset_vulnerability_summary.vm.name - ignore_missing: true -- rename: - field: json.vuln_count - target_field: carbon_black_cloud.asset_vulnerability_summary.vuln_count - ignore_missing: true -- append: - field: related.hosts - value: "{{{host.hostname}}}" - allow_duplicates: false -- script: - description: Adds all the remaining fields in fields under carbon_black_cloud.asset_vulnerability_summary - lang: painless - if: ctx?.json != null - source: | - for (Map.Entry m : ctx.json.entrySet()) { - ctx.carbon_black_cloud.asset_vulnerability_summary[m.getKey()] = m.getValue(); - } -- remove: - field: json - ignore_missing: true -- script: - description: Drops null/empty values recursively - lang: painless - source: | - boolean dropEmptyFields(Object object) { - if (object == null || object == "") { - return true; - } else if (object instanceof Map) { - ((Map) object).values().removeIf(value -> dropEmptyFields(value)); - return (((Map) object).size() == 0); - } else if (object instanceof List) { - ((List) object).removeIf(value -> dropEmptyFields(value)); - return (((List) object).length == 0); - } - return false; - } - dropEmptyFields(ctx); -- remove: - field: event.original - if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" - ignore_missing: true -on_failure: -- set: - field: error.message - value: '{{{ _ingest.on_failure_message }}}' diff --git a/packages/carbon_black_cloud/1.3.0/data_stream/asset_vulnerability_summary/fields/agent.yml b/packages/carbon_black_cloud/1.3.0/data_stream/asset_vulnerability_summary/fields/agent.yml deleted file mode 100755 index e313ec8287..0000000000 --- a/packages/carbon_black_cloud/1.3.0/data_stream/asset_vulnerability_summary/fields/agent.yml +++ /dev/null 
@@ -1,204 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. 
- -- name: input.type - type: keyword - description: Input type -- name: log.offset - type: long - description: Log offset diff --git a/packages/carbon_black_cloud/1.3.0/data_stream/asset_vulnerability_summary/fields/base-fields.yml b/packages/carbon_black_cloud/1.3.0/data_stream/asset_vulnerability_summary/fields/base-fields.yml deleted file mode 100755 index e6791517a6..0000000000 --- a/packages/carbon_black_cloud/1.3.0/data_stream/asset_vulnerability_summary/fields/base-fields.yml +++ /dev/null @@ -1,20 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: '@timestamp' - type: date - description: Event timestamp. -- name: event.module - type: constant_keyword - description: Event module - value: carbon_black_cloud -- name: event.dataset - type: constant_keyword - description: Event dataset - value: carbon_black_cloud.asset_vulnerability_summary diff --git a/packages/carbon_black_cloud/1.3.0/data_stream/asset_vulnerability_summary/fields/ecs.yml b/packages/carbon_black_cloud/1.3.0/data_stream/asset_vulnerability_summary/fields/ecs.yml deleted file mode 100755 index 2888171bb0..0000000000 --- a/packages/carbon_black_cloud/1.3.0/data_stream/asset_vulnerability_summary/fields/ecs.yml +++ /dev/null 
@@ -1,67 +0,0 @@ -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: |- - event.created contains the date/time when the event was first read by an agent, or by your pipeline. - This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. - In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. - In case the two timestamps are identical, @timestamp should be used. - name: event.created - type: date -- description: |- - Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. - This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. - doc_values: false - index: false - name: event.original - type: keyword -- description: |- - Hostname of the host. - It normally contains what the `hostname` command returns on the host machine. - name: host.hostname - type: keyword -- description: |- - Unique host id. - As hostname is not always unique, use values that are meaningful in your environment. - Example: The current usage of `beat.name`. - name: host.id - type: keyword -- description: |- - Name of the host. 
- It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. - name: host.name - type: keyword -- description: Operating system name, without the version. - multi_fields: - - name: text - type: match_only_text - name: host.os.name - type: keyword -- description: |- - Use the `os.type` field to categorize the operating system into one of the broad commercial families. - If the OS you're dealing with is not listed as an expected value, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. - name: host.os.type - type: keyword -- description: Operating system version as a raw string. - name: host.os.version - type: keyword -- description: All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. - name: related.hosts - normalize: - - array - type: keyword -- description: List of keywords used to tag each event. - name: tags - normalize: - - array - type: keyword -- description: |- - Scores can range from 0.0 to 10.0, with 10.0 being the most severe. - Base scores cover an assessment for exploitability metrics (attack vector, complexity, privileges, and user interaction), impact metrics (confidentiality, integrity, and availability), and scope. For example (https://www.first.org/cvss/specification-document) - name: vulnerability.score.base - type: float -- description: The severity of the vulnerability can help with metrics and internal prioritization regarding remediation. For example (https://nvd.nist.gov/vuln-metrics/cvss) - name: vulnerability.severity - type: keyword diff --git a/packages/carbon_black_cloud/1.3.0/data_stream/asset_vulnerability_summary/fields/fields.yml b/packages/carbon_black_cloud/1.3.0/data_stream/asset_vulnerability_summary/fields/fields.yml deleted file mode 100755 index a70b2974e8..0000000000 
--- a/packages/carbon_black_cloud/1.3.0/data_stream/asset_vulnerability_summary/fields/fields.yml +++ /dev/null @@ -1,39 +0,0 @@ -- name: carbon_black_cloud.asset_vulnerability_summary - type: group - fields: - - name: os_info - type: group - fields: - - name: os_arch - type: keyword - description: The identifier is for the Operating system architecture. - - name: last_sync - type: group - fields: - - name: timestamp - type: date - description: The identifier is for the Last sync time. - - name: sync - type: group - fields: - - name: status - type: keyword - description: The identifier is for the Device sync status. - - name: type - type: keyword - description: The identifier is for the Whether a manual sync was triggered for the device, or if it was a scheduled sync. - - name: type - type: keyword - description: The identifier is for the Device type. - - name: vm - type: group - fields: - - name: id - type: keyword - description: The identifier is for the Virtual Machine ID. - - name: name - type: keyword - description: The identifier is for the Virtual Machine name. - - name: vuln_count - type: integer - description: The identifier is for the Number of vulnerabilities at this level. diff --git a/packages/carbon_black_cloud/1.3.0/data_stream/asset_vulnerability_summary/manifest.yml b/packages/carbon_black_cloud/1.3.0/data_stream/asset_vulnerability_summary/manifest.yml deleted file mode 100755 index b7bf78f84d..0000000000 --- a/packages/carbon_black_cloud/1.3.0/data_stream/asset_vulnerability_summary/manifest.yml +++ /dev/null 
@@ -1,42 +0,0 @@ -title: Asset Vulnerability Summary -type: logs -streams: - - input: httpjson - title: Collect asset vulnerability summary from Carbon Black Cloud - description: Collect asset vulnerability summary from Carbon Black Cloud. - template_path: httpjson.yml.hbs - vars: - - name: interval - type: text - title: Interval - description: Interval to query asset vulnerability summary in Carbon Black Cloud. - multi: false - required: true - show_user: true - default: 1h - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: false - default: - - forwarded - - carbon_black_cloud-asset-vulnerability-summary - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original`. - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: > - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. - diff --git a/packages/carbon_black_cloud/1.3.0/data_stream/asset_vulnerability_summary/sample_event.json b/packages/carbon_black_cloud/1.3.0/data_stream/asset_vulnerability_summary/sample_event.json deleted file mode 100755 index 18a138c167..0000000000 --- a/packages/carbon_black_cloud/1.3.0/data_stream/asset_vulnerability_summary/sample_event.json +++ /dev/null 
@@ -1,75 +0,0 @@ -{ - "@timestamp": "2022-09-26T01:58:41.710Z", - "agent": { - "ephemeral_id": "818ffeea-8e73-497b-bc16-b13e6bb3010c", - "id": "15b19080-249c-49a5-801a-edf25c28dcfe", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "8.4.1" - }, - "carbon_black_cloud": { - "asset_vulnerability_summary": { - "last_sync": { - "timestamp": "2022-01-17T08:33:37.384Z" - }, - "os_info": { - "os_arch": "64-bit" - }, - "sync": { - "status": "COMPLETED", - "type": "SCHEDULED" - }, - "type": "ENDPOINT", - "vuln_count": 1770 - } - }, - "data_stream": { - "dataset": "carbon_black_cloud.asset_vulnerability_summary", - "namespace": "ep", - "type": "logs" - }, - "ecs": { - "version": "8.4.0" - }, - "elastic_agent": { - "id": "15b19080-249c-49a5-801a-edf25c28dcfe", - "snapshot": false, - "version": "8.4.1" - }, - "event": { - "agent_id_status": "verified", - "created": "2022-09-26T01:58:41.710Z", - "dataset": "carbon_black_cloud.asset_vulnerability_summary", - "ingested": "2022-09-26T01:58:45Z", - "original": "{\"cve_ids\":null,\"device_id\":8,\"highest_risk_score\":10,\"host_name\":\"DESKTOP-008\",\"last_sync_ts\":\"2022-01-17T08:33:37.384932Z\",\"name\":\"DESKTOP-008KK\",\"os_info\":{\"os_arch\":\"64-bit\",\"os_name\":\"Microsoft Windows 10 Education\",\"os_type\":\"WINDOWS\",\"os_version\":\"10.0.17763\"},\"severity\":\"CRITICAL\",\"sync_status\":\"COMPLETED\",\"sync_type\":\"SCHEDULED\",\"type\":\"ENDPOINT\",\"vm_id\":\"\",\"vm_name\":\"\",\"vuln_count\":1770}" - }, - "host": { - "hostname": "DESKTOP-008", - "id": "8", - "name": "DESKTOP-008KK", - "os": { - "name": "Microsoft Windows 10 Education", - "type": "windows", - "version": "10.0.17763" - } - }, - "input": { - "type": "httpjson" - }, - "related": { - "hosts": [ - "DESKTOP-008" - ] - }, - "tags": [ - "preserve_original_event", - "forwarded", - "carbon_black_cloud-asset-vulnerability-summary" - ], - "vulnerability": { - "score": { - "base": 10 - }, - "severity": "CRITICAL" - } -} \ No newline at end of 
file diff --git a/packages/carbon_black_cloud/1.3.0/data_stream/audit/agent/stream/httpjson.yml.hbs b/packages/carbon_black_cloud/1.3.0/data_stream/audit/agent/stream/httpjson.yml.hbs deleted file mode 100755 index 2693bd2bbb..0000000000 --- a/packages/carbon_black_cloud/1.3.0/data_stream/audit/agent/stream/httpjson.yml.hbs +++ /dev/null @@ -1,32 +0,0 @@ -config_version: 2 -interval: {{interval}} -request.method: GET - -{{#if proxy_url}} -request.proxy_url: {{proxy_url}} -{{/if}} -{{#if ssl}} -request.ssl: {{ssl}} -{{/if}} - -request.url: {{hostname}}/integrationServices/v3/auditlogs -request.transforms: - - set: - target: header.X-Auth-Token - value: {{api_secret_key}}/{{api_id}} -response.split: - target: body.notifications -tags: -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#each tags as |tag|}} - - {{tag}} -{{/each}} -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} -{{#if processors}} -processors: -{{processors}} -{{/if}} diff --git a/packages/carbon_black_cloud/1.3.0/data_stream/audit/elasticsearch/ingest_pipeline/default.yml b/packages/carbon_black_cloud/1.3.0/data_stream/audit/elasticsearch/ingest_pipeline/default.yml deleted file mode 100755 index ebf7661d61..0000000000 --- a/packages/carbon_black_cloud/1.3.0/data_stream/audit/elasticsearch/ingest_pipeline/default.yml +++ /dev/null 
@@ -1,93 +0,0 @@ ---- -description: Pipeline for parsing Carbon Black Cloud audit logs -processors: - - set: - field: ecs.version - value: '8.4.0' - - rename: - field: message - target_field: event.original - ignore_missing: true - - json: - field: event.original - target_field: json - ignore_failure: true - - date: - field: json.eventTime - target_field: "@timestamp" - ignore_failure: true - formats: - - UNIX_MS - - set: - field: event.kind - value: event - - set: - field: event.outcome - value: success - - set: - field: event.outcome - value: failure - if: ctx?.json?.flagged == true - - rename: - field: json.description - target_field: event.reason - - rename: - field: json.clientIp - target_field: client.ip - ignore_missing: true - - rename: - field: json.loginName - target_field: client.user.id - ignore_missing: true - - rename: - field: json.eventId - target_field: event.id - ignore_missing: true - - rename: - field: json.orgName - target_field: organization.name - ignore_missing: true - - urldecode: - field: json.requestUrl - target_field: url.original - ignore_missing: true - - rename: - field: json.verbose - target_field: carbon_black_cloud.audit.verbose - ignore_missing: true - - rename: - field: json.flagged - target_field: carbon_black_cloud.audit.flagged - ignore_missing: true - - append: - field: related.ip - value: "{{{client.ip}}}" - allow_duplicates: false - - remove: - field: json - - script: - description: Drops null/empty values recursively - lang: painless - source: | - boolean dropEmptyFields(Object object) { - if (object == null || object == "") { - return true; - } else if (object instanceof Map) { - ((Map) object).values().removeIf(value -> dropEmptyFields(value)); - return (((Map) object).size() == 0); - } else if (object instanceof List) { - ((List) object).removeIf(value -> dropEmptyFields(value)); - return (((List) object).length == 0); - } - return false; - } - dropEmptyFields(ctx); - - remove: - field: event.original - if: "ctx?.tags 
== null || !(ctx.tags.contains('preserve_original_event'))" - ignore_failure: true - ignore_missing: true -on_failure: - - set: - field: error.message - value: "{{{_ingest.on_failure_message}}}" diff --git a/packages/carbon_black_cloud/1.3.0/data_stream/audit/fields/agent.yml b/packages/carbon_black_cloud/1.3.0/data_stream/audit/fields/agent.yml deleted file mode 100755 index e313ec8287..0000000000 --- a/packages/carbon_black_cloud/1.3.0/data_stream/audit/fields/agent.yml +++ /dev/null 
@@ -1,204 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. 
- -- name: input.type - type: keyword - description: Input type -- name: log.offset - type: long - description: Log offset diff --git a/packages/carbon_black_cloud/1.3.0/data_stream/audit/fields/base-fields.yml b/packages/carbon_black_cloud/1.3.0/data_stream/audit/fields/base-fields.yml deleted file mode 100755 index a14e71251a..0000000000 --- a/packages/carbon_black_cloud/1.3.0/data_stream/audit/fields/base-fields.yml +++ /dev/null @@ -1,20 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: '@timestamp' - type: date - description: Event timestamp. -- name: event.module - type: constant_keyword - description: Event module. - value: carbon_black_cloud -- name: event.dataset - type: constant_keyword - description: Event dataset. - value: carbon_black_cloud.audit diff --git a/packages/carbon_black_cloud/1.3.0/data_stream/audit/fields/ecs.yml b/packages/carbon_black_cloud/1.3.0/data_stream/audit/fields/ecs.yml deleted file mode 100755 index 1e5dc2f871..0000000000 --- a/packages/carbon_black_cloud/1.3.0/data_stream/audit/fields/ecs.yml +++ /dev/null 
@@ -1,66 +0,0 @@ -- description: IP address of the client (IPv4 or IPv6). - name: client.ip - type: ip -- description: Unique identifier of the user. - name: client.user.id - type: keyword -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: |- - event.created contains the date/time when the event was first read by an agent, or by your pipeline. - This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. - In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. - In case the two timestamps are identical, @timestamp should be used. - name: event.created - type: date -- description: Unique ID to describe the event. - name: event.id - type: keyword -- description: |- - Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. - This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. - doc_values: false - index: false - name: event.original - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. 
- `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. - Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. - Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. - Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. - name: event.outcome - type: keyword -- description: |- - Reason why this event happened, according to the source. - This describes the why of a particular action or outcome captured in the event. Where `event.action` captures the action from the event, `event.reason` describes why that action was taken. For example, a web proxy with an `event.action` which denied the request may also populate `event.reason` with the reason why (e.g. `blocked site`). - name: event.reason - type: keyword -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: organization.name - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - normalize: - - array - type: ip -- description: List of keywords used to tag each event. - name: tags - normalize: - - array - type: keyword -- description: |- - Unmodified original url as seen in the event source. - Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. - This field is meant to represent the URL as it was observed, complete or not. 
- multi_fields: - - name: text - type: match_only_text - name: url.original - type: wildcard diff --git a/packages/carbon_black_cloud/1.3.0/data_stream/audit/fields/fields.yml b/packages/carbon_black_cloud/1.3.0/data_stream/audit/fields/fields.yml deleted file mode 100755 index 24af5d42b9..0000000000 --- a/packages/carbon_black_cloud/1.3.0/data_stream/audit/fields/fields.yml +++ /dev/null @@ -1,9 +0,0 @@ -- name: carbon_black_cloud.audit - type: group - fields: - - name: flagged - type: boolean - description: true if action is failed otherwise false. - - name: verbose - type: boolean - description: true if verbose audit log otherwise false. diff --git a/packages/carbon_black_cloud/1.3.0/data_stream/audit/manifest.yml b/packages/carbon_black_cloud/1.3.0/data_stream/audit/manifest.yml deleted file mode 100755 index 929093a4ef..0000000000 --- a/packages/carbon_black_cloud/1.3.0/data_stream/audit/manifest.yml +++ /dev/null 
@@ -1,42 +0,0 @@ -title: Audit -type: logs -streams: - - input: httpjson - title: Collect audit logs from Carbon Black Cloud - description: Collect audit logs from Carbon Black Cloud. - template_path: httpjson.yml.hbs - vars: - - name: interval - type: text - title: Interval - description: Interval to fetch audit logs from Carbon Black Cloud. - multi: false - required: true - show_user: true - default: 1m - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: false - default: - - forwarded - - carbon_black_cloud-audit - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original`. - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: > - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. - diff --git a/packages/carbon_black_cloud/1.3.0/data_stream/audit/sample_event.json b/packages/carbon_black_cloud/1.3.0/data_stream/audit/sample_event.json deleted file mode 100755 index d12c27c706..0000000000 --- a/packages/carbon_black_cloud/1.3.0/data_stream/audit/sample_event.json +++ /dev/null 
@@ -1,62 +0,0 @@ -{ - "@timestamp": "2022-02-10T16:04:30.263Z", - "agent": { - "ephemeral_id": "a332765e-1e1f-4ec7-b24e-ae2d0dd5d74f", - "id": "15b19080-249c-49a5-801a-edf25c28dcfe", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "8.4.1" - }, - "carbon_black_cloud": { - "audit": { - "flagged": false, - "verbose": false - } - }, - "client": { - "ip": "10.10.10.10", - "user": { - "id": "abc@demo.com" - } - }, - "data_stream": { - "dataset": "carbon_black_cloud.audit", - "namespace": "ep", - "type": "logs" - }, - "ecs": { - "version": "8.4.0" - }, - "elastic_agent": { - "id": "15b19080-249c-49a5-801a-edf25c28dcfe", - "snapshot": false, - "version": "8.4.1" - }, - "event": { - "agent_id_status": "verified", - "created": "2022-09-26T01:59:24.724Z", - "dataset": "carbon_black_cloud.audit", - "id": "2122f8ce8xxxxxxxxxxxxx", - "ingested": "2022-09-26T01:59:25Z", - "kind": "event", - "original": "{\"clientIp\":\"10.10.10.10\",\"description\":\"Logged in successfully\",\"eventId\":\"2122f8ce8xxxxxxxxxxxxx\",\"eventTime\":1644509070263,\"flagged\":false,\"loginName\":\"abc@demo.com\",\"orgName\":\"cb-xxxx-xxxx.com\",\"requestUrl\":null,\"verbose\":false}", - "outcome": "success", - "reason": "Logged in successfully" - }, - "input": { - "type": "httpjson" - }, - "organization": { - "name": "cb-xxxx-xxxx.com" - }, - "related": { - "ip": [ - "10.10.10.10" - ] - }, - "tags": [ - "preserve_original_event", - "forwarded", - "carbon_black_cloud-audit" - ] -} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.3.0/data_stream/endpoint_event/agent/stream/aws-s3.yml.hbs b/packages/carbon_black_cloud/1.3.0/data_stream/endpoint_event/agent/stream/aws-s3.yml.hbs deleted file mode 100755 index 26c4d05045..0000000000 --- a/packages/carbon_black_cloud/1.3.0/data_stream/endpoint_event/agent/stream/aws-s3.yml.hbs +++ /dev/null 
@@ -1,82 +0,0 @@ -{{#if collect_s3_logs}} - -{{#if bucket_arn}} -bucket_arn: {{bucket_arn}} -{{/if}} -{{#if number_of_workers}} -number_of_workers: {{number_of_workers}} -{{/if}} -{{#if interval}} -bucket_list_interval: {{interval}} -{{/if}} -{{#if bucket_list_prefix}} -bucket_list_prefix: {{bucket_list_prefix}} -{{/if}} - -{{else}} - -{{#if queue_url}} -queue_url: {{queue_url}} -{{/if}} -{{#if visibility_timeout}} -visibility_timeout: {{visibility_timeout}} -{{/if}} -{{#if api_timeout}} -api_timeout: {{api_timeout}} -{{/if}} -{{#if max_number_of_messages}} -max_number_of_messages: {{max_number_of_messages}} -{{/if}} -{{#if file_selectors}} -file_selectors: -{{file_selectors}} -{{/if}} -{{/if}} - -expand_event_list_from_field: Records -{{#if access_key_id}} -access_key_id: {{access_key_id}} -{{/if}} -{{#if secret_access_key}} -secret_access_key: {{secret_access_key}} -{{/if}} -{{#if session_token}} -session_token: {{session_token}} -{{/if}} -{{#if shared_credential_file}} -shared_credential_file: {{shared_credential_file}} -{{/if}} -{{#if credential_profile_name}} -credential_profile_name: {{credential_profile_name}} -{{/if}} -{{#if role_arn}} -role_arn: {{role_arn}} -{{/if}} -{{#if endpoint}} -endpoint: {{endpoint}} -{{/if}} -{{#if fips_enabled}} -fips_enabled: {{fips_enabled}} -{{/if}} -{{#if proxy_url}} -proxy_url: {{proxy_url}} -{{/if}} -tags: -{{#if collect_s3_logs}} - - collect_s3_logs -{{else}} - - collect_sqs_logs -{{/if}} -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#each tags as |tag|}} - - {{tag}} -{{/each}} -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} -{{#if processors}} -processors: -{{processors}} -{{/if}} diff --git a/packages/carbon_black_cloud/1.3.0/data_stream/endpoint_event/elasticsearch/ingest_pipeline/default.yml b/packages/carbon_black_cloud/1.3.0/data_stream/endpoint_event/elasticsearch/ingest_pipeline/default.yml deleted file mode 100755 index 4729351d25..0000000000 
--- a/packages/carbon_black_cloud/1.3.0/data_stream/endpoint_event/elasticsearch/ingest_pipeline/default.yml +++ /dev/null 
@@ -1,593 +0,0 @@ ---- -description: Pipeline for parsing Carbon Black Cloud Endpoint Events. -processors: - - set: - field: ecs.version - value: '8.4.0' - - rename: - field: message - target_field: event.original - ignore_missing: true - - json: - field: event.original - target_field: json - ignore_failure: true - - date: - field: json.create_time - target_field: "@timestamp" - ignore_failure: true - formats: - - ISO8601 - - rename: - field: json.action - target_field: event.action - ignore_missing: true - - rename: - field: json.event_id - target_field: event.id - ignore_missing: true - - rename: - field: json.event_description - target_field: event.reason - ignore_missing: true - - rename: - field: json.filemod_name - target_field: file.path - ignore_missing: true - - rename: - field: json.modload_name - target_field: dll.path - ignore_missing: true - - set: - field: network.transport - value: udp - if: ctx?.json?.netconn_protocol == "PROTO_UDP" - - set: - field: network.transport - value: tcp - if: ctx?.json?.netconn_protocol == "PROTO_TCP" - - set: - field: network.direction - value: inbound - if: ctx?.json?.netconn_inbound == true - - set: - field: network.direction - value: outbound - if: ctx?.json?.netconn_inbound == false - - rename: - field: json.remote_port - target_field: source.port - ignore_missing: true - - rename: - field: json.remote_ip - target_field: source.ip - ignore_missing: true - - rename: - field: json.netconn_domain - target_field: source.address - ignore_missing: true - - rename: - field: json.local_port - target_field: client.port - ignore_missing: true - - rename: - field: json.local_ip - target_field: client.ip - ignore_missing: true - - convert: - field: json.device_id - target_field: host.id - type: string - ignore_missing: true - - set: - field: host.os.type - value: windows - if: ctx?.json?.device_os == "WINDOWS" - - set: - field: host.os.type - value: linux - if: ctx?.json?.device_os == "LINUX" - - set: - field: host.os.type - 
value: macos - if: ctx?.json?.device_os == "MAC" - - rename: - field: json.device_name - target_field: host.hostname - ignore_missing: true - - grok: - field: host.hostname - patterns: - - '^(%{DATA:user.domain})\\(%{GREEDYDATA:host.hostname})$' - ignore_missing: true - ignore_failure: true - - set: - field: host.name - value: "{{{host.hostname}}}" - ignore_failure: true - - rename: - field: json.device_group - target_field: host.os.family - ignore_missing: true - - append: - field: host.ip - value: "{{{json.device_internal_ip}}}" - if: ctx?.json?.device_internal_ip != null - allow_duplicates: false - ignore_failure: true - - append: - field: host.ip - value: "{{{json.device_external_ip}}}" - if: ctx?.json?.device_external_ip != null - allow_duplicates: false - ignore_failure: true - - rename: - field: json.device_group - target_field: host.os.family - ignore_missing: true - - rename: - field: json.process_cmdline - target_field: process.command_line - ignore_missing: true - - rename: - field: json.process_guid - target_field: process.entity_id - ignore_missing: true - - rename: - field: json.process_path - target_field: process.executable - ignore_missing: true - - rename: - field: json.process_pid - target_field: process.pid - ignore_missing: true - - rename: - field: json.parent_cmdline - target_field: process.parent.command_line - ignore_missing: true - - rename: - field: json.parent_guid - target_field: process.parent.entity_id - ignore_missing: true - - rename: - field: json.parent_path - target_field: process.parent.executable - ignore_missing: true - - rename: - field: json.parent_pid - target_field: process.parent.pid - ignore_missing: true - - rename: - field: json.regmod_name - target_field: registry.path - ignore_missing: true - - append: - field: related.ip - value: - - "{{{json.device_internal_ip}}}" - - "{{{json.device_external_ip}}}" - - "{{{json.netconn_proxy_ip}}}" - - "{{{source.ip}}}" - - "{{{client.ip}}}" - allow_duplicates: false - - append: - 
field: related.user - value: - - "{{{json.process_username}}}" - - "{{{json.childproc_username}}}" - allow_duplicates: false - - append: - field: related.hosts - value: - - "{{{host.hostname}}}" - - "{{{user.domain}}}" - allow_duplicates: false - - script: - description: Dynamically map MD5 and SHA256 hash - lang: painless - source: | - void mapHashField(def ctx, def hashes, def key) { - for (hash in hashes) { - if (hash.length() == 32) {ctx["json"][key + "_md5"] = hash;} - if (hash.length() == 64) {ctx["json"][key + "_sha256"] = hash;} - } - } - if (ctx.json?.process_hash instanceof List) { - mapHashField(ctx, ctx.json?.process_hash, "process_hash"); - } - if (ctx.json?.parent_hash instanceof List) { - mapHashField(ctx, ctx.json?.parent_hash, "parent_hash"); - } - if (ctx.json?.filemod_hash instanceof List) { - mapHashField(ctx, ctx.json?.filemod_hash, "filemod_hash"); - } - if (ctx.json?.childproc_hash instanceof List) { - mapHashField(ctx, ctx.json?.childproc_hash, "childproc_hash"); - } - if (ctx.json?.crossproc_hash instanceof List) { - mapHashField(ctx, ctx.json?.crossproc_hash, "crossproc_hash"); - } - if (ctx.json?.scriptload_hash instanceof List) { - mapHashField(ctx, ctx.json?.scriptload_hash, "scriptload_hash"); - } - - rename: - field: json.process_hash_md5 - target_field: process.hash.md5 - ignore_missing: true - - rename: - field: json.process_hash_sha256 - target_field: process.hash.sha256 - ignore_missing: true - - rename: - field: json.parent_hash_md5 - target_field: process.parent.hash.md5 - ignore_missing: true - - rename: - field: json.parent_hash_sha256 - target_field: process.parent.hash.sha256 - ignore_missing: true - - rename: - field: json.backend_timestamp - target_field: carbon_black_cloud.endpoint_event.backend.timestamp - ignore_missing: true - - rename: - field: json.device_timestamp - target_field: carbon_black_cloud.endpoint_event.device.timestamp - ignore_missing: true - - rename: - field: json.device_os - target_field: 
carbon_black_cloud.endpoint_event.device.os - ignore_missing: true - - rename: - field: json.childproc_name - target_field: carbon_black_cloud.endpoint_event.childproc.name - ignore_missing: true - - rename: - field: json.org_key - target_field: carbon_black_cloud.endpoint_event.organization_key - ignore_missing: true - - rename: - field: json.process_duration - target_field: carbon_black_cloud.endpoint_event.process.duration - ignore_missing: true - - foreach: - field: json.process_publisher - processor: - split: - field: _ingest._value.state - separator: " \\| " - ignore_missing: true - ignore_missing: true - ignore_failure: true - - rename: - field: json.process_publisher - target_field: carbon_black_cloud.endpoint_event.process.publisher - ignore_missing: true - - rename: - field: json.process_reputation - target_field: carbon_black_cloud.endpoint_event.process.reputation - ignore_missing: true - - rename: - field: json.process_terminated - target_field: carbon_black_cloud.endpoint_event.process.terminated - ignore_missing: true - - rename: - field: json.process_username - target_field: carbon_black_cloud.endpoint_event.process.username - ignore_missing: true - - rename: - field: json.parent_reputation - target_field: carbon_black_cloud.endpoint_event.process.parent.reputation - ignore_missing: true - - rename: - field: json.target_cmdline - target_field: carbon_black_cloud.endpoint_event.target_cmdline - ignore_missing: true - - rename: - field: json.type - target_field: carbon_black_cloud.endpoint_event.type - ignore_missing: true - -# Mapping for endpoint.event.crossproc event type - - - rename: - field: json.crossproc_action - target_field: carbon_black_cloud.endpoint_event.crossproc.action - ignore_missing: true - - rename: - field: json.crossproc_api - target_field: carbon_black_cloud.endpoint_event.crossproc.api - ignore_missing: true - - rename: - field: json.crossproc_guid - target_field: carbon_black_cloud.endpoint_event.crossproc.guid - 
ignore_missing: true - - rename: - field: json.crossproc_name - target_field: carbon_black_cloud.endpoint_event.crossproc.name - ignore_missing: true - - rename: - field: json.crossproc_target - target_field: carbon_black_cloud.endpoint_event.crossproc.target - ignore_missing: true - - rename: - field: json.crossproc_reputation - target_field: carbon_black_cloud.endpoint_event.crossproc.reputation - ignore_missing: true - - foreach: - field: json.crossproc_publisher - processor: - split: - field: _ingest._value.state - separator: " \\| " - ignore_missing: true - ignore_missing: true - ignore_failure: true - - rename: - field: json.crossproc_publisher - target_field: carbon_black_cloud.endpoint_event.crossproc.publisher - ignore_missing: true - - rename: - field: json.crossproc_hash_md5 - target_field: carbon_black_cloud.endpoint_event.crossproc.hash.md5 - ignore_missing: true - - rename: - field: json.crossproc_hash_sha256 - target_field: carbon_black_cloud.endpoint_event.crossproc.hash.sha256 - ignore_missing: true - -# Mapping for endpoint.event.filemod event type - - - rename: - field: json.filemod_hash_md5 - target_field: file.hash.md5 - ignore_missing: true - - rename: - field: json.filemod_hash_sha256 - target_field: file.hash.sha256 - ignore_missing: true - -# Mapping for endpoint.event.fileless_scriptload event type - - - rename: - field: json.fileless_scriptload_cmdline - target_field: carbon_black_cloud.endpoint_event.fileless_scriptload.cmdline - ignore_missing: true - - rename: - field: json.fileless_scriptload_cmdline_length - target_field: carbon_black_cloud.endpoint_event.fileless_scriptload.cmdline_length - ignore_missing: true - - rename: - field: json.fileless_scriptload_hash_md5 - target_field: carbon_black_cloud.endpoint_event.fileless_scriptload.hash.md5 - ignore_missing: true - - rename: - field: json.fileless_scriptload_hash_sha256 - target_field: carbon_black_cloud.endpoint_event.fileless_scriptload.hash.sha256 - ignore_missing: true - -# 
Mapping for endpoint.event.moduleload event type - - - rename: - field: json.modload_md5 - target_field: dll.hash.md5 - ignore_missing: true - - rename: - field: json.modload_sha256 - target_field: dll.hash.sha256 - ignore_missing: true - - rename: - field: json.modload_effective_reputation - target_field: carbon_black_cloud.endpoint_event.modload.effective_reputation - ignore_missing: true - - rename: - field: json.modload_count - target_field: carbon_black_cloud.endpoint_event.modload.count - ignore_missing: true - - foreach: - field: json.modload_publisher - processor: - split: - field: _ingest._value.state - separator: " \\| " - ignore_missing: true - ignore_missing: true - ignore_failure: true - - rename: - field: json.modload_publisher - target_field: carbon_black_cloud.endpoint_event.modload.publisher - ignore_missing: true - -# Mapping for endpoint.event.netconn_proxy event type - - - rename: - field: json.netconn_proxy_domain - target_field: carbon_black_cloud.endpoint_event.netconn.proxy.domain - ignore_missing: true - - rename: - field: json.netconn_proxy_port - target_field: carbon_black_cloud.endpoint_event.netconn.proxy.port - ignore_missing: true - - rename: - field: json.netconn_proxy_ip - target_field: carbon_black_cloud.endpoint_event.netconn.proxy.ip - ignore_missing: true - -# Mapping for endpoint.event.procstart event type - - - rename: - field: json.childproc_guid - target_field: carbon_black_cloud.endpoint_event.childproc.guid - ignore_missing: true - - rename: - field: json.childproc_name - target_field: carbon_black_cloud.endpoint_event.childproc.name - ignore_missing: true - - rename: - field: json.childproc_pid - target_field: carbon_black_cloud.endpoint_event.childproc.pid - ignore_missing: true - - foreach: - field: json.childproc_publisher - processor: - split: - field: _ingest._value.state - separator: " \\| " - ignore_missing: true - ignore_missing: true - ignore_failure: true - - rename: - field: json.childproc_publisher - 
target_field: carbon_black_cloud.endpoint_event.childproc.publisher - ignore_missing: true - - rename: - field: json.childproc_reputation - target_field: carbon_black_cloud.endpoint_event.childproc.reputation - ignore_missing: true - - rename: - field: json.childproc_username - target_field: carbon_black_cloud.endpoint_event.childproc.username - ignore_missing: true - - rename: - field: json.childproc_hash_md5 - target_field: carbon_black_cloud.endpoint_event.childproc.hash.md5 - ignore_missing: true - - rename: - field: json.childproc_hash_sha256 - target_field: carbon_black_cloud.endpoint_event.childproc.hash.sha256 - ignore_missing: true - -# Mapping for NGAV endpoint.event.scriptload event type - - - rename: - field: json.scriptload_name - target_field: carbon_black_cloud.endpoint_event.scriptload.name - ignore_missing: true - - foreach: - field: json.scriptload_publisher - processor: - split: - field: _ingest._value.state - separator: " \\| " - ignore_missing: true - ignore_missing: true - ignore_failure: true - - rename: - field: json.scriptload_publisher - target_field: carbon_black_cloud.endpoint_event.scriptload.publisher - ignore_missing: true - - rename: - field: json.scriptload_count - target_field: carbon_black_cloud.endpoint_event.scriptload.count - ignore_missing: true - - rename: - field: json.scriptload_hash_md5 - target_field: carbon_black_cloud.endpoint_event.scriptload.hash.md5 - ignore_missing: true - - rename: - field: json.scriptload_hash_sha256 - target_field: carbon_black_cloud.endpoint_event.scriptload.hash.sha256 - ignore_missing: true - - rename: - field: json.scriptload_effective_reputation - target_field: carbon_black_cloud.endpoint_event.scriptload.effective_reputation - ignore_missing: true - - rename: - field: json.scriptload_reputation - target_field: carbon_black_cloud.endpoint_event.scriptload.reputation - ignore_missing: true - - rename: - field: json.device_internal_ip - target_field: 
carbon_black_cloud.endpoint_event.device.internal_ip - ignore_missing: true - - rename: - field: json.device_external_ip - target_field: carbon_black_cloud.endpoint_event.device.external_ip - ignore_missing: true - - remove: - field: event.original - if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" - ignore_failure: true - - append: - field: related.hash - value: - - "{{{process.hash.md5}}}" - - "{{{process.hash.sha256}}}" - - "{{{process.parent.hash.md5}}}" - - "{{{process.parent.hash.sha256}}}" - - "{{{file.hash.md5}}}" - - "{{{file.hash.sha256}}}" - - "{{{dll.hash.md5}}}" - - "{{{dll.hash.sha256}}}" - - "{{{carbon_black_cloud.endpoint_event.childproc.hash.md5}}}" - - "{{{carbon_black_cloud.endpoint_event.childproc.hash.sha256}}}" - - "{{{carbon_black_cloud.endpoint_event.crossproc.hash.md5}}}" - - "{{{carbon_black_cloud.endpoint_event.crossproc.hash.sha256}}}" - - "{{{carbon_black_cloud.endpoint_event.fileless_scriptload.hash.md5}}}" - - "{{{carbon_black_cloud.endpoint_event.fileless_scriptload.hash.sha256}}}" - - "{{{carbon_black_cloud.endpoint_event.scriptload.hash.md5}}}" - - "{{{carbon_black_cloud.endpoint_event.scriptload.hash.sha256}}}" - allow_duplicates: false - - script: - description: Adds all the remaining fields in fields under carbon_black_cloud.endpoint_event - lang: painless - if: ctx?.json != null - source: | - for (Map.Entry m : ctx.json.entrySet()) { - ctx.carbon_black_cloud.endpoint_event[m.getKey()] = m.getValue(); - } - - remove: - field: - - json - - carbon_black_cloud.endpoint_event.create_time - - carbon_black_cloud.endpoint_event.device_id - - carbon_black_cloud.endpoint_event.process_hash - - carbon_black_cloud.endpoint_event.parent_hash - - carbon_black_cloud.endpoint_event.crossproc_hash - - carbon_black_cloud.endpoint_event.filemod_hash - - carbon_black_cloud.endpoint_event.childproc_hash - - carbon_black_cloud.endpoint_event.modload_hash - - carbon_black_cloud.endpoint_event.scriptload_hash - - 
carbon_black_cloud.endpoint_event.netconn_inbound - - carbon_black_cloud.endpoint_event.netconn_protocol - ignore_missing: true - - script: - description: Drops null/empty values recursively - lang: painless - source: | - boolean dropEmptyFields(Object object) { - if (object == null || object == "") { - return true; - } else if (object instanceof Map) { - ((Map) object).values().removeIf(value -> dropEmptyFields(value)); - return (((Map) object).size() == 0); - } else if (object instanceof List) { - ((List) object).removeIf(value -> dropEmptyFields(value)); - return (((List) object).length == 0); - } - return false; - } - dropEmptyFields(ctx); - - script: - description: Remove duplicate values - lang: painless - source: | - if (ctx?.related?.user != null) { - ctx.related.user = new HashSet(ctx.related.user) - } - if (ctx?.related?.ip != null) { - ctx.related.ip = new HashSet(ctx.related.ip) - } - if (ctx?.related?.hash != null) { - def hashes = new HashSet(ctx.related.hash); - def hash = new ArrayList(); - for (def h: hashes) { - hash.add(h); - } - Collections.sort(hash); - ctx.related.hash = hash; - } -on_failure: - - set: - field: error.message - value: "{{{_ingest.on_failure_message}}}" diff --git a/packages/carbon_black_cloud/1.3.0/data_stream/endpoint_event/fields/agent.yml b/packages/carbon_black_cloud/1.3.0/data_stream/endpoint_event/fields/agent.yml deleted file mode 100755 index e313ec8287..0000000000 --- a/packages/carbon_black_cloud/1.3.0/data_stream/endpoint_event/fields/agent.yml +++ /dev/null 
@@ -1,204 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. 
- -- name: input.type - type: keyword - description: Input type -- name: log.offset - type: long - description: Log offset
diff --git a/packages/carbon_black_cloud/1.3.0/data_stream/endpoint_event/fields/base-fields.yml b/packages/carbon_black_cloud/1.3.0/data_stream/endpoint_event/fields/base-fields.yml
deleted file mode 100755
index 9b3253d2db..0000000000
--- a/packages/carbon_black_cloud/1.3.0/data_stream/endpoint_event/fields/base-fields.yml
+++ /dev/null
@@ -1,20 +0,0 @@
-- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: '@timestamp' - type: date - description: Event timestamp. -- name: event.module - type: constant_keyword - description: Event module. - value: carbon_black_cloud -- name: event.dataset - type: constant_keyword - description: Event dataset. - value: carbon_black_cloud.endpoint_event
diff --git a/packages/carbon_black_cloud/1.3.0/data_stream/endpoint_event/fields/ecs.yml b/packages/carbon_black_cloud/1.3.0/data_stream/endpoint_event/fields/ecs.yml
deleted file mode 100755
index 770f024b15..0000000000
--- a/packages/carbon_black_cloud/1.3.0/data_stream/endpoint_event/fields/ecs.yml
+++ /dev/null
@@ -1,203 +0,0 @@ -- description: IP address of the client (IPv4 or IPv6). - name: client.ip - type: ip -- description: Port of the client. - name: client.port - type: long -- description: MD5 hash. - name: dll.hash.md5 - type: keyword -- description: SHA256 hash. - name: dll.hash.sha256 - type: keyword -- description: Full file path of the library. - name: dll.path - type: keyword -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: |- - The action captured by the event. - This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. - name: event.action - type: keyword -- description: |- - event.created contains the date/time when the event was first read by an agent, or by your pipeline. - This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. - In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. - In case the two timestamps are identical, @timestamp should be used. - name: event.created - type: date -- description: Unique ID to describe the event. - name: event.id - type: keyword -- description: |- - Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. 
- This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. - doc_values: false - index: false - name: event.original - type: keyword -- description: |- - Reason why this event happened, according to the source. - This describes the why of a particular action or outcome captured in the event. Where `event.action` captures the action from the event, `event.reason` describes why that action was taken. For example, a web proxy with an `event.action` which denied the request may also populate `event.reason` with the reason why (e.g. `blocked site`). - name: event.reason - type: keyword -- description: MD5 hash. - name: file.hash.md5 - type: keyword -- description: SHA256 hash. - name: file.hash.sha256 - type: keyword -- description: Full path to the file, including the file name. It should include the drive letter, when appropriate. - multi_fields: - - name: text - type: match_only_text - name: file.path - type: keyword -- description: |- - Hostname of the host. - It normally contains what the `hostname` command returns on the host machine. - name: host.hostname - type: keyword -- description: |- - Unique host id. - As hostname is not always unique, use values that are meaningful in your environment. - Example: The current usage of `beat.name`. - name: host.id - type: keyword -- description: Host ip addresses. - name: host.ip - normalize: - - array - type: ip -- description: |- - Name of the host. - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. - name: host.name - type: keyword -- description: OS family (such as redhat, debian, freebsd, windows). - name: host.os.family - type: keyword -- description: Operating system name, without the version. 
- multi_fields: - - name: text - type: match_only_text - name: host.os.name - type: keyword -- description: |- - Direction of the network traffic. - When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". - When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". - Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. - name: network.direction - type: keyword -- description: |- - Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) - The field value must be normalized to lowercase for querying. - name: network.transport - type: keyword -- description: |- - Full command line that started the process, including the absolute path to the executable, and all arguments. - Some arguments may be filtered to protect sensitive information. - multi_fields: - - name: text - type: match_only_text - name: process.command_line - type: wildcard -- description: |- - Unique identifier for the process. - The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. - Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. - name: process.entity_id - type: keyword -- description: Absolute path to the process executable. 
- multi_fields: - - name: text - type: match_only_text - name: process.executable - type: keyword -- description: MD5 hash. - name: process.hash.md5 - type: keyword -- description: SHA256 hash. - name: process.hash.sha256 - type: keyword -- description: |- - Full command line that started the process, including the absolute path to the executable, and all arguments. - Some arguments may be filtered to protect sensitive information. - multi_fields: - - name: text - type: match_only_text - name: process.parent.command_line - type: wildcard -- description: |- - Unique identifier for the process. - The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. - Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. - name: process.parent.entity_id - type: keyword -- description: Absolute path to the process executable. - multi_fields: - - name: text - type: match_only_text - name: process.parent.executable - type: keyword -- description: MD5 hash. - name: process.parent.hash.md5 - type: keyword -- description: SHA256 hash. - name: process.parent.hash.sha256 - type: keyword -- description: Process id. - name: process.parent.pid - type: long -- description: Process id. - name: process.pid - type: long -- description: Full path, including hive, key and value - name: registry.path - type: keyword -- description: All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). - name: related.hash - normalize: - - array - type: keyword -- description: All hostnames or other host identifiers seen on your event. 
Example identifiers include FQDNs, domain names, workstation names, or aliases. - name: related.hosts - normalize: - - array - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - normalize: - - array - type: ip -- description: All the user names or other user identifiers seen on the event. - name: related.user - normalize: - - array - type: keyword -- description: |- - Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: source.address - type: keyword -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: Port of the source. - name: source.port - type: long -- description: List of keywords used to tag each event. - name: tags - normalize: - - array - type: keyword -- description: |- - Name of the directory the user is a member of. - For example, an LDAP or Active Directory domain name. - name: user.domain - type: keyword
diff --git a/packages/carbon_black_cloud/1.3.0/data_stream/endpoint_event/fields/fields.yml b/packages/carbon_black_cloud/1.3.0/data_stream/endpoint_event/fields/fields.yml
deleted file mode 100755
index 199988ffb6..0000000000
--- a/packages/carbon_black_cloud/1.3.0/data_stream/endpoint_event/fields/fields.yml
+++ /dev/null
@@ -1,239 +0,0 @@ -- name: carbon_black_cloud.endpoint_event - type: group - fields: - - name: alert_id - type: keyword - description: The ID of the Alert this event is associated with. - - name: backend - type: group - fields: - - name: timestamp - type: keyword - description: Time when the backend received the batch of events. - - name: childproc - type: group - fields: - - name: guid - type: keyword - description: Unique ID of the child process. - - name: hash - type: group - fields: - - name: md5 - type: keyword - description: Cryptographic MD5 hashes of the executable file backing the child process. - - name: sha256 - type: keyword - description: Cryptographic SHA256 hashes of the executable file backing the child process. - - name: name - type: keyword - description: Full path to the target of the crossproc event on the device's local file system. - - name: pid - type: long - description: OS-reported Process ID of the child process. - - name: publisher - type: group - description: Signature entry for the childproc as reported by the endpoint. - fields: - - name: name - type: keyword - description: The name of the publisher. - - name: state - type: keyword - description: The state of the publisher. - - name: reputation - type: keyword - description: Carbon Black Cloud Reputation string for the childproc. - - name: username - type: keyword - description: The username associated with the user context that the child process was started under. - - name: crossproc - type: group - fields: - - name: action - type: keyword - description: The action taken on cross-process. - - name: api - type: keyword - description: Name of the operating system API called by the actor process. - - name: guid - type: keyword - description: Unique ID of the cross process. - - name: hash - type: group - fields: - - name: md5 - type: keyword - description: Cryptographic MD5 hashes of the target of the crossproc event. 
- - name: sha256 - type: keyword - description: Cryptographic SHA256 hashes of the target of the crossproc event. - - name: name - type: keyword - description: Full path to the target of the crossproc event on the device's local file system. - - name: publisher - type: group - description: Signature entry for the crossproc as reported by the endpoint. - fields: - - name: name - type: keyword - description: The name of the publisher. - - name: state - type: keyword - description: The state of the publisher. - - name: reputation - type: keyword - description: Carbon Black Cloud Reputation string for the crossproc. - - name: target - type: boolean - description: True if the process was the target of the cross-process event; false if the process was the actor. - - name: device - type: group - fields: - - name: os - type: keyword - description: Os name. - - name: timestamp - type: keyword - description: Time seen on sensor. - - name: internal_ip - type: ip - description: Internal IP of the device. - - name: external_ip - type: ip - description: External IP of the device. - - name: event_origin - type: keyword - description: Indicates which product the event came from. "EDR" indicates the event originated from Enterprise EDR. "NGAV" indicates the event originated from Endpoint Standard. - - name: fileless_scriptload - type: group - fields: - - name: cmdline - type: keyword - description: Deobfuscated script content run in a fileless context by the process. - - name: cmdline_length - type: keyword - description: Character count of the deobfuscated script content run in a fileless context. - - name: hash - type: group - fields: - - name: md5 - type: keyword - description: MD5 hash of the deobfuscated script content run by the process in a fileless context. - - name: sha256 - type: keyword - description: SHA-256 hash of the deobfuscated script content run by the process in a fileless context. 
- - name: modload - type: group - fields: - - name: count - type: long - description: Count of modload events reported by the sensor since last initialization. - - name: effective_reputation - type: keyword - description: Effective reputation(s) of the loaded module(s); applied by the sensor when the event occurred. - - name: publisher - type: group - description: Signature entry for the moduleload as reported by the endpoint. - fields: - - name: name - type: keyword - description: The name of the publisher. - - name: state - type: keyword - description: The state of the publisher. - - name: netconn - type: group - fields: - - name: proxy - type: group - fields: - - name: domain - type: keyword - description: DNS name associated with the "proxy" end of this network connection; may be empty if the name cannot be inferred or the connection is made direct to/from a proxy IP address. - - name: ip - type: keyword - description: IPv4 or IPv6 address in string format associated with the "proxy" end of this network connection. - - name: port - type: keyword - description: UDP/TCP port number associated with the "proxy" end of this network connection. - - name: organization_key - type: keyword - description: The organization key associated with the console instance. - - name: process - type: group - fields: - - name: duration - type: long - description: The time difference in seconds between the process start and process terminate event. - - name: parent - type: group - fields: - - name: reputation - type: keyword - description: Reputation of the parent process; applied when event is processed by the Carbon Black Cloud i.e. after sensor delivers event to the cloud. - - name: publisher - type: group - description: Signature entry for the process as reported by the endpoint. - fields: - - name: name - type: keyword - description: The name of the publisher. - - name: state - type: keyword - description: The state of the publisher. 
- - name: reputation - type: keyword - description: Reputation of the actor process; applied when event is processed by the Carbon Black Cloud i.e. after sensor delivers event to the cloud. - - name: terminated - type: boolean - description: True if process was terminated elase false. - - name: username - type: keyword - description: The username associated with the user context that this process was started under. - - name: schema - type: long - description: The schema version. The current schema version is "1". This schema version will only be incremented if the field definitions are changed in a backwards-incompatible way. - - name: scriptload - type: group - fields: - - name: count - type: long - description: Count of scriptload events across all processes reported by the sensor since last initialization. - - name: effective_reputation - type: keyword - description: Effective reputation(s) of the script file(s) loaded at process launch; applied by the sensor when the event occurred. - - name: hash - type: group - fields: - - name: md5 - type: keyword - description: Cryptographic MD5 hashes of the target of the scriptload event. - - name: sha256 - type: keyword - description: Cryptographic SHA256 hashes of the target of the scriptload event. - - name: name - type: keyword - description: Full path to the target of the crossproc event on the device's local file system. - - name: publisher - type: group - description: Signature entry for the scriptload as reported by the endpoint. - fields: - - name: name - type: keyword - description: The name of the publisher. - - name: state - type: keyword - description: The state of the publisher. - - name: reputation - type: keyword - description: Carbon Black Cloud Reputation string for the scriptload. - - name: sensor_action - type: keyword - description: The sensor action taken on event. - - name: target_cmdline - type: keyword - description: Process command line associated with the target process. 
- - name: type - type: keyword - description: The event type.
diff --git a/packages/carbon_black_cloud/1.3.0/data_stream/endpoint_event/manifest.yml b/packages/carbon_black_cloud/1.3.0/data_stream/endpoint_event/manifest.yml
deleted file mode 100755
index 5770608c6a..0000000000
--- a/packages/carbon_black_cloud/1.3.0/data_stream/endpoint_event/manifest.yml
+++ /dev/null
@@ -1,89 +0,0 @@ -title: Endpoint Event -type: logs -streams: - - input: aws-s3 - title: Collect endpoint events from Carbon Black Cloud - description: Collect endpoint events from Carbon Black Cloud. - template_path: aws-s3.yml.hbs - vars: - - name: bucket_list_prefix - type: text - title: '[S3] Bucket Prefix' - multi: false - required: false - show_user: true - default: endpoint_event_logs - description: Prefix to apply for the list request to the S3 bucket. - - name: interval - type: text - title: '[S3] Interval' - multi: false - required: false - show_user: true - default: 1m - description: Time interval for polling listing of the S3 bucket. NOTE:- Supported units for this parameter are h/m/s. - - name: number_of_workers - type: integer - title: '[S3] Number of Workers' - multi: false - required: false - show_user: true - default: 5 - description: Number of workers that will process the S3 objects listed. - - name: visibility_timeout - type: text - title: '[SQS] Visibility Timeout' - multi: false - required: false - show_user: true - default: 300s - description: The duration that the received messages are hidden from subsequent retrieve requests after being retrieved by a ReceiveMessage request. The maximum is 12 hours. NOTE:- Supported units for this parameter are h/m/s. - - name: api_timeout - type: text - title: '[SQS] API Timeout' - multi: false - required: false - show_user: true - default: 120s - description: The maximum duration of AWS API can take. The maximum is half of the visibility timeout value. NOTE:- Supported units for this parameter are h/m/s. - - name: max_number_of_messages - type: integer - title: '[SQS] Maximum Concurrent SQS Messages' - required: false - show_user: true - default: 5 - description: The maximum number of SQS messages that can be inflight at any time. 
- - name: file_selectors - type: yaml - title: '[SQS] File Selectors' - multi: false - required: false - show_user: false - default: | - - regex: 'endpoint_event_logs/' - description: If the SQS queue will have events that correspond to files that this integration shouldn’t process, file_selectors can be used to limit the files that are downloaded. This is a list of selectors which are made up of regex and expand_event_list_from_field options. The regex should match the S3 object key in the SQS message, and the optional expand_event_list_from_field is the same as the global setting. If file_selectors is given, then any global expand_event_list_from_field value is ignored in favor of the ones specified in the file_selectors. Regexes use [RE2 syntax](https://pkg.go.dev/regexp/syntax). Files that don’t match one of the regexes will not be processed. - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: false - default: - - forwarded - - carbon_black_cloud-endpoint-event - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original`. - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: >- - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
diff --git a/packages/carbon_black_cloud/1.3.0/data_stream/endpoint_event/sample_event.json b/packages/carbon_black_cloud/1.3.0/data_stream/endpoint_event/sample_event.json
deleted file mode 100755
index f025682463..0000000000
--- a/packages/carbon_black_cloud/1.3.0/data_stream/endpoint_event/sample_event.json
+++ /dev/null
@@ -1,96 +0,0 @@ -{ - "process": { - "parent": { - "pid": 1684, - "entity_id": "XXXXXXXX-003d902d-00000694-00000000-1d7540221dedd62", - "command_line": "C:\\WindowsAzure\\GuestAgent_2.7.41491.1010_2021-05-11_233023\\GuestAgent\\WindowsAzureGuestAgent.exe", - "executable": "c:\\windowsazure\\guestagent_2.7.41491.1010_2021-05-11_233023\\guestagent\\windowsazureguestagent.exe", - "hash": { - "sha256": "44a1975b2197484bb22a0eb673e67e7ee9ec20265e9f6347f5e06b6447ac82c5", - "md5": "03dd698da2671383c9b4f868c9931879" - } - }, - "pid": 4880, - "entity_id": "XXXXXXXX-003d902d-00001310-00000000-1d81e748c4adb37", - "command_line": "\"route.exe\" print", - "executable": "c:\\windows\\system32\\route.exe", - "hash": { - "sha256": "9e9c7696859b94b1c33a532fa4d5c648226cf3361121dd899e502b8949fb11a6", - "md5": "2498272dc48446891182747428d02a30" - } - }, - "ecs": { - "version": "8.3.0" - }, - "carbon_black_cloud": { - "endpoint_event": { - "schema": 1, - "event_origin": "EDR", - "process": { - "duration": 2, - "parent": { - "reputation": "REP_RESOLVING" - }, - "publisher": [ - { - "name": "Microsoft Windows", - "state": [ - "FILE_SIGNATURE_STATE_SIGNED", - "FILE_SIGNATURE_STATE_VERIFIED", - "FILE_SIGNATURE_STATE_TRUSTED", - "FILE_SIGNATURE_STATE_OS", - "FILE_SIGNATURE_STATE_CATALOG_SIGNED" - ] - } - ], - "reputation": "REP_RESOLVING", - "terminated": true, - "username": "NT AUTHORITY\\SYSTEM" - }, - "organization_key": "XXXXXXXX", - "backend": { - "timestamp": "2022-02-10 11:52:50 +0000 UTC" - }, - "target_cmdline": "\"route.exe\" print", - "type": "endpoint.event.procend", - "device": { - "os": "WINDOWS", - "timestamp": "2022-02-10 11:51:35.0684097 +0000 UTC", - "external_ip": "67.43.156.12" - }, - "sensor_action": "ACTION_ALLOW" - } - }, - "host": { - "hostname": "client-cb2", - "id": "4034605", - "os": { - "type": "windows" - }, - "ip": [ - "67.43.156.13" - ] - }, - "event": { - "action": "ACTION_PROCESS_TERMINATE", - "orignal": 
"{\"type\":\"endpoint.event.procend\",\"process_guid\":\"XXXXXXXX-003d902d-00001310-00000000-1d81e748c4adb37\",\"parent_guid\":\"XXXXXXXX-003d902d-00000694-00000000-1d7540221dedd62\",\"backend_timestamp\":\"2022-02-10 11:52:50 +0000 UTC\",\"org_key\":\"XXXXXXXX\",\"device_id\":\"4034605\",\"device_name\":\"client-cb2\",\"device_external_ip\":\"67.43.156.13\",\"device_os\":\"WINDOWS\",\"device_group\":\"\",\"action\":\"ACTION_PROCESS_TERMINATE\",\"schema\":1,\"device_timestamp\":\"2022-02-10 11:51:35.0684097 +0000 UTC\",\"process_terminated\":true,\"process_duration\":2,\"process_reputation\":\"REP_RESOLVING\",\"parent_reputation\":\"REP_RESOLVING\",\"process_pid\":4880,\"parent_pid\":1684,\"process_publisher\":[{\"name\":\"Microsoft Windows\",\"state\":\"FILE_SIGNATURE_STATE_SIGNED | FILE_SIGNATURE_STATE_VERIFIED | FILE_SIGNATURE_STATE_TRUSTED | FILE_SIGNATURE_STATE_OS | FILE_SIGNATURE_STATE_CATALOG_SIGNED\"}],\"process_path\":\"c:\\\\windows\\\\system32\\\\route.exe\",\"parent_path\":\"c:\\\\windowsazure\\\\guestagent_2.7.41491.1010_2021-05-11_233023\\\\guestagent\\\\windowsazureguestagent.exe\",\"process_hash\":[\"2498272dc48446891182747428d02a30\",\"9e9c7696859b94b1c33a532fa4d5c648226cf3361121dd899e502b8949fb11a6\"],\"parent_hash\":[\"03dd698da2671383c9b4f868c9931879\",\"44a1975b2197484bb22a0eb673e67e7ee9ec20265e9f6347f5e06b6447ac82c5\"],\"process_cmdline\":\"\\\"route.exe\\\" print\",\"parent_cmdline\":\"C:\\\\WindowsAzure\\\\GuestAgent_2.7.41491.1010_2021-05-11_233023\\\\GuestAgent\\\\WindowsAzureGuestAgent.exe\",\"process_username\":\"NT AUTHORITY\\\\SYSTEM\",\"sensor_action\":\"ACTION_ALLOW\",\"event_origin\":\"EDR\",\"target_cmdline\":\"\\\"route.exe\\\" print\"}" - }, - "data_stream": { - "dataset": "carbon_black_cloud.endpoint_event", - "namespace": "ep", - "type": "logs" - }, - "elastic_agent": { - "id": "3b20ea47-9610-412d-97e3-47cd19b7e4d5", - "snapshot": true, - "version": "8.0.0" - }, - "input": { - "type": "aws-s3" - }, - "tags": [ - 
"preserve_original_event", - "forwarded", - "carbon_black_cloud-endpoint-event" - ] -}
\ No newline at end of file
diff --git a/packages/carbon_black_cloud/1.3.0/data_stream/watchlist_hit/agent/stream/aws-s3.yml.hbs b/packages/carbon_black_cloud/1.3.0/data_stream/watchlist_hit/agent/stream/aws-s3.yml.hbs
deleted file mode 100755
index 26c4d05045..0000000000
--- a/packages/carbon_black_cloud/1.3.0/data_stream/watchlist_hit/agent/stream/aws-s3.yml.hbs
+++ /dev/null
@@ -1,82 +0,0 @@ -{{#if collect_s3_logs}} - -{{#if bucket_arn}} -bucket_arn: {{bucket_arn}} -{{/if}} -{{#if number_of_workers}} -number_of_workers: {{number_of_workers}} -{{/if}} -{{#if interval}} -bucket_list_interval: {{interval}} -{{/if}} -{{#if bucket_list_prefix}} -bucket_list_prefix: {{bucket_list_prefix}} -{{/if}} - -{{else}} - -{{#if queue_url}} -queue_url: {{queue_url}} -{{/if}} -{{#if visibility_timeout}} -visibility_timeout: {{visibility_timeout}} -{{/if}} -{{#if api_timeout}} -api_timeout: {{api_timeout}} -{{/if}} -{{#if max_number_of_messages}} -max_number_of_messages: {{max_number_of_messages}} -{{/if}} -{{#if file_selectors}} -file_selectors: -{{file_selectors}} -{{/if}} -{{/if}} - -expand_event_list_from_field: Records -{{#if access_key_id}} -access_key_id: {{access_key_id}} -{{/if}} -{{#if secret_access_key}} -secret_access_key: {{secret_access_key}} -{{/if}} -{{#if session_token}} -session_token: {{session_token}} -{{/if}} -{{#if shared_credential_file}} -shared_credential_file: {{shared_credential_file}} -{{/if}} -{{#if credential_profile_name}} -credential_profile_name: {{credential_profile_name}} -{{/if}} -{{#if role_arn}} -role_arn: {{role_arn}} -{{/if}} -{{#if endpoint}} -endpoint: {{endpoint}} -{{/if}} -{{#if fips_enabled}} -fips_enabled: {{fips_enabled}} -{{/if}} -{{#if proxy_url}} -proxy_url: {{proxy_url}} -{{/if}} -tags: -{{#if collect_s3_logs}} - - collect_s3_logs -{{else}} - - collect_sqs_logs -{{/if}} -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#each tags as |tag|}} - - {{tag}} -{{/each}} -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} -{{#if processors}} -processors: -{{processors}} -{{/if}} diff --git a/packages/carbon_black_cloud/1.3.0/data_stream/watchlist_hit/elasticsearch/ingest_pipeline/default.yml b/packages/carbon_black_cloud/1.3.0/data_stream/watchlist_hit/elasticsearch/ingest_pipeline/default.yml deleted file mode 100755 index f59084b05a..0000000000 
--- a/packages/carbon_black_cloud/1.3.0/data_stream/watchlist_hit/elasticsearch/ingest_pipeline/default.yml +++ /dev/null 
@@ -1,299 +0,0 @@ ---- -description: Pipeline for parsing Carbon Black Cloud watchlist hit. -processors: - - set: - field: ecs.version - value: '8.4.0' - - set: - field: event.kind - value: event - - rename: - field: message - target_field: event.original - ignore_missing: true - - json: - field: event.original - target_field: json - ignore_failure: true - - date: - field: json.create_time - target_field: "@timestamp" - ignore_failure: true - formats: - - ISO8601 - - rename: - field: json.severity - target_field: event.severity - ignore_missing: true - - convert: - field: json.device_id - target_field: host.id - type: string - ignore_missing: true - - set: - field: host.os.type - value: windows - if: ctx?.json?.device_os == "WINDOWS" - - set: - field: host.os.type - value: linux - if: ctx?.json?.device_os == "LINUX" - - set: - field: host.os.type - value: macos - if: ctx?.json?.device_os == "MAC" - - rename: - field: json.device_os_version - target_field: host.os.version - ignore_missing: true - - rename: - field: json.device_name - target_field: host.hostname - ignore_missing: true - - grok: - field: host.hostname - patterns: - - '^(%{DATA:user.domain})\\(%{GREEDYDATA:host.hostname})$' - ignore_missing: true - ignore_failure: true - - set: - field: host.name - value: "{{{host.hostname}}}" - ignore_failure: true - - append: - field: host.ip - value: "{{{json.device_internal_ip}}}" - if: ctx?.json?.device_internal_ip != null - allow_duplicates: false - ignore_failure: true - - append: - field: host.ip - value: "{{{json.device_external_ip}}}" - if: ctx?.json?.device_external_ip != null - allow_duplicates: false - ignore_failure: true - - rename: - field: json.process_cmdline - target_field: process.command_line - ignore_missing: true - - rename: - field: json.process_guid - target_field: process.entity_id - ignore_missing: true - - rename: - field: json.process_path - target_field: process.executable - ignore_missing: true - - rename: - field: json.process_pid - 
target_field: process.pid - ignore_missing: true - - rename: - field: json.parent_cmdline - target_field: process.parent.command_line - ignore_missing: true - - rename: - field: json.parent_guid - target_field: process.parent.entity_id - ignore_missing: true - - rename: - field: json.parent_path - target_field: process.parent.executable - ignore_missing: true - - rename: - field: json.parent_pid - target_field: process.parent.pid - ignore_missing: true - - append: - field: related.ip - value: - - "{{{json.device_internal_ip}}}" - - "{{{json.device_external_ip}}}" - allow_duplicates: false - - append: - field: related.user - value: - - "{{{json.parent_username}}}" - - "{{{json.process_username}}}" - allow_duplicates: false - - append: - field: related.hosts - value: - - "{{{host.hostname}}}" - - "{{{user.domain}}}" - allow_duplicates: false - - script: - description: Dynamically map MD5 and SHA256 hash - lang: painless - source: | - void mapHashField(def ctx, def hashes, def key) { - for (hash in hashes) { - if (hash.length() == 32) {ctx["json"][key + "_md5"] = hash;} - if (hash.length() == 64) {ctx["json"][key + "_sha256"] = hash;} - } - } - if (ctx.json?.process_hash instanceof List) { - mapHashField(ctx, ctx.json?.process_hash, "process_hash"); - } - if (ctx.json?.parent_hash instanceof List) { - mapHashField(ctx, ctx.json?.parent_hash, "parent_hash"); - } - - rename: - field: json.process_hash_md5 - target_field: process.hash.md5 - ignore_missing: true - - rename: - field: json.process_hash_sha256 - target_field: process.hash.sha256 - ignore_missing: true - - rename: - field: json.parent_hash_md5 - target_field: process.parent.hash.md5 - ignore_missing: true - - rename: - field: json.parent_hash_sha256 - target_field: process.parent.hash.sha256 - ignore_missing: true - - append: - field: related.hash - value: - - "{{{process.hash.md5}}}" - - "{{{process.hash.sha256}}}" - - "{{{process.parent.hash.md5}}}" - - "{{{process.parent.hash.sha256}}}" - allow_duplicates: 
false - - rename: - field: json.device_os - target_field: carbon_black_cloud.watchlist_hit.device.os - ignore_missing: true - - rename: - field: json.device_internal_ip - target_field: carbon_black_cloud.watchlist_hit.device.internal_ip - ignore_missing: true - - rename: - field: json.device_external_ip - target_field: carbon_black_cloud.watchlist_hit.device.external_ip - ignore_missing: true - - rename: - field: json.ioc_hit - target_field: carbon_black_cloud.watchlist_hit.ioc.hit - ignore_missing: true - - rename: - field: json.ioc_id - target_field: carbon_black_cloud.watchlist_hit.ioc.id - ignore_missing: true - - rename: - field: json.org_key - target_field: carbon_black_cloud.watchlist_hit.organization_key - ignore_missing: true - - foreach: - field: json.parent_publisher - processor: - split: - field: _ingest._value.state - separator: " \\| " - ignore_missing: true - ignore_missing: true - ignore_failure: true - - rename: - field: json.parent_publisher - target_field: carbon_black_cloud.watchlist_hit.process.parent.publisher - ignore_missing: true - - rename: - field: json.parent_reputation - target_field: carbon_black_cloud.watchlist_hit.process.parent.reputation - ignore_missing: true - - rename: - field: json.parent_username - target_field: carbon_black_cloud.watchlist_hit.process.parent.username - ignore_missing: true - - foreach: - field: json.process_publisher - processor: - split: - field: _ingest._value.state - separator: " \\| " - ignore_missing: true - ignore_missing: true - ignore_failure: true - - rename: - field: json.process_publisher - target_field: carbon_black_cloud.watchlist_hit.process.publisher - ignore_missing: true - - rename: - field: json.process_reputation - target_field: carbon_black_cloud.watchlist_hit.process.reputation - ignore_missing: true - - rename: - field: json.process_username - target_field: carbon_black_cloud.watchlist_hit.process.username - ignore_missing: true - - rename: - field: json.report_id - target_field: 
carbon_black_cloud.watchlist_hit.report.id - ignore_missing: true - - rename: - field: json.report_name - target_field: carbon_black_cloud.watchlist_hit.report.name - ignore_missing: true - - rename: - field: json.report_tags - target_field: carbon_black_cloud.watchlist_hit.report.tags - ignore_missing: true - - script: - description: Drops null/empty values recursively - lang: painless - source: | - boolean dropEmptyFields(Object object) { - if (object == null || object == "") { - return true; - } else if (object instanceof Map) { - ((Map) object).values().removeIf(value -> dropEmptyFields(value)); - return (((Map) object).size() == 0); - } else if (object instanceof List) { - ((List) object).removeIf(value -> dropEmptyFields(value)); - return (((List) object).length == 0); - } - return false; - } - dropEmptyFields(ctx); - - remove: - field: event.original - if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" - ignore_failure: true - - script: - description: Adds all the remaining fields in fields under carbon_black_cloud.watchlist_hit - lang: painless - if: ctx?.json != null - source: | - for (Map.Entry m : ctx.json.entrySet()) { - ctx.carbon_black_cloud.watchlist_hit[m.getKey()] = m.getValue(); - } - - remove: - field: - - json - - carbon_black_cloud.watchlist_hit.create_time - - carbon_black_cloud.watchlist_hit.device_id - - carbon_black_cloud.watchlist_hit.process_hash - - carbon_black_cloud.watchlist_hit.parent_hash - ignore_missing: true - - script: - description: Remove duplicate values - lang: painless - source: | - if (ctx?.related?.user != null) { - ctx.related.user = new HashSet(ctx.related.user) - } - if (ctx?.related?.hash != null) { - def hashes = new HashSet(ctx.related.hash); - def hash = new ArrayList(); - for (def h: hashes) { - hash.add(h); - } - Collections.sort(hash); - ctx.related.hash = hash; - } -on_failure: - - set: - field: error.message - value: "{{{_ingest.on_failure_message}}}" 
diff --git a/packages/carbon_black_cloud/1.3.0/data_stream/watchlist_hit/fields/agent.yml b/packages/carbon_black_cloud/1.3.0/data_stream/watchlist_hit/fields/agent.yml deleted file mode 100755 index e313ec8287..0000000000 --- a/packages/carbon_black_cloud/1.3.0/data_stream/watchlist_hit/fields/agent.yml +++ /dev/null 
@@ -1,204 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. 
- -- name: input.type - type: keyword - description: Input type -- name: log.offset - type: long - description: Log offset diff --git a/packages/carbon_black_cloud/1.3.0/data_stream/watchlist_hit/fields/base-fields.yml b/packages/carbon_black_cloud/1.3.0/data_stream/watchlist_hit/fields/base-fields.yml deleted file mode 100755 index 89df536282..0000000000 --- a/packages/carbon_black_cloud/1.3.0/data_stream/watchlist_hit/fields/base-fields.yml +++ /dev/null @@ -1,20 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: '@timestamp' - type: date - description: Event timestamp. -- name: event.module - type: constant_keyword - description: Event module. - value: carbon_black_cloud -- name: event.dataset - type: constant_keyword - description: Event dataset. - value: carbon_black_cloud.watchlist_hit diff --git a/packages/carbon_black_cloud/1.3.0/data_stream/watchlist_hit/fields/ecs.yml b/packages/carbon_black_cloud/1.3.0/data_stream/watchlist_hit/fields/ecs.yml deleted file mode 100755 index 77c05e054a..0000000000 --- a/packages/carbon_black_cloud/1.3.0/data_stream/watchlist_hit/fields/ecs.yml +++ /dev/null 
@@ -1,145 +0,0 @@ -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: |- - event.created contains the date/time when the event was first read by an agent, or by your pipeline. - This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. - In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. - In case the two timestamps are identical, @timestamp should be used. - name: event.created - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: |- - Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. - This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. 
If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. - doc_values: false - index: false - name: event.original - type: keyword -- description: |- - The numeric severity of the event according to your event source. - What the different severity values mean can be different between sources and use cases. It's up to the implementer to make sure severities are consistent across events from the same source. - The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`. - name: event.severity - type: long -- description: |- - Hostname of the host. - It normally contains what the `hostname` command returns on the host machine. - name: host.hostname - type: keyword -- description: |- - Unique host id. - As hostname is not always unique, use values that are meaningful in your environment. - Example: The current usage of `beat.name`. - name: host.id - type: keyword -- description: Host ip addresses. - name: host.ip - normalize: - - array - type: ip -- description: |- - Name of the host. - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. - name: host.name - type: keyword -- description: |- - Use the `os.type` field to categorize the operating system into one of the broad commercial families. - If the OS you're dealing with is not listed as an expected value, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. - name: host.os.type - type: keyword -- description: |- - Full command line that started the process, including the absolute path to the executable, and all arguments. 
- Some arguments may be filtered to protect sensitive information. - multi_fields: - - name: text - type: match_only_text - name: process.command_line - type: wildcard -- description: |- - Unique identifier for the process. - The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. - Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. - name: process.entity_id - type: keyword -- description: Absolute path to the process executable. - multi_fields: - - name: text - type: match_only_text - name: process.executable - type: keyword -- description: MD5 hash. - name: process.hash.md5 - type: keyword -- description: SHA256 hash. - name: process.hash.sha256 - type: keyword -- description: |- - Full command line that started the process, including the absolute path to the executable, and all arguments. - Some arguments may be filtered to protect sensitive information. - multi_fields: - - name: text - type: match_only_text - name: process.parent.command_line - type: wildcard -- description: |- - Unique identifier for the process. - The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. - Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. - name: process.parent.entity_id - type: keyword -- description: Absolute path to the process executable. - multi_fields: - - name: text - type: match_only_text - name: process.parent.executable - type: keyword -- description: MD5 hash. 
- name: process.parent.hash.md5 - type: keyword -- description: SHA256 hash. - name: process.parent.hash.sha256 - type: keyword -- description: Process id. - name: process.parent.pid - type: long -- description: Process id. - name: process.pid - type: long -- description: All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). - name: related.hash - normalize: - - array - type: keyword -- description: All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. - name: related.hosts - normalize: - - array - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - normalize: - - array - type: ip -- description: All the user names or other user identifiers seen on the event. - name: related.user - normalize: - - array - type: keyword -- description: List of keywords used to tag each event. - name: tags - normalize: - - array - type: keyword -- description: |- - Name of the directory the user is a member of. - For example, an LDAP or Active Directory domain name. - name: user.domain - type: keyword diff --git a/packages/carbon_black_cloud/1.3.0/data_stream/watchlist_hit/fields/fields.yml b/packages/carbon_black_cloud/1.3.0/data_stream/watchlist_hit/fields/fields.yml deleted file mode 100755 index 25cb25005e..0000000000 --- a/packages/carbon_black_cloud/1.3.0/data_stream/watchlist_hit/fields/fields.yml +++ /dev/null 
@@ -1,89 +0,0 @@ -- name: carbon_black_cloud.watchlist_hit - type: group - fields: - - name: device - type: group - fields: - - name: os - type: keyword - description: OS Type of device (Windows/OSX/Linux). - - name: internal_ip - type: ip - description: Internal IP of the device. - - name: external_ip - type: ip - description: External IP of the device. - - name: ioc - type: group - fields: - - name: field - type: keyword - description: Field the IOC hit contains. - - name: hit - type: keyword - description: IOC field value, or IOC query that matches. - - name: id - type: keyword - description: ID of the IOC that caused the hit. - - name: organization_key - type: keyword - description: The organization key associated with the console instance. - - name: process - type: group - fields: - - name: parent - type: group - fields: - - name: publisher - type: group - description: signature entry for the process as reported by the endpoint. - fields: - - name: name - type: keyword - description: The name of the publisher. - - name: state - type: keyword - description: The state of the publisher. - - name: reputation - type: keyword - description: Reputation of the actor process; applied when event is processed by the Carbon Black Cloud i.e. after sensor delivers event to the cloud. - - name: username - type: keyword - description: The username associated with the user context that this process was started under. - - name: publisher - type: group - description: signature entry for the process as reported by the endpoint. - - name: reputation - type: keyword - description: Reputation of the actor process; applied when event is processed by the Carbon Black Cloud i.e. after sensor delivers event to the cloud. - - name: username - type: keyword - description: The username associated with the user context that this process was started under. 
- - name: report - type: group - fields: - - name: id - type: keyword - description: ID of the watchlist report(s) that detected a hit on the process. - - name: name - type: keyword - description: Name of the watchlist report(s) that detected a hit on the process. - - name: tags - type: keyword - description: List of tags associated with the report(s) that detected a hit on the process. - - name: schema - type: long - description: Schema version. - - name: type - type: keyword - description: The watchlist hit type. - - name: watchlists - type: group - description: List of watchlists that contain the report of the ioc hit. - fields: - - name: id - type: keyword - description: The ID of the watchlists. - - name: name - type: keyword - description: The name of the watchlists. diff --git a/packages/carbon_black_cloud/1.3.0/data_stream/watchlist_hit/manifest.yml b/packages/carbon_black_cloud/1.3.0/data_stream/watchlist_hit/manifest.yml deleted file mode 100755 index f522dac85c..0000000000 --- a/packages/carbon_black_cloud/1.3.0/data_stream/watchlist_hit/manifest.yml +++ /dev/null 
@@ -1,89 +0,0 @@ -title: Watchlist Hit -type: logs -streams: - - input: aws-s3 - title: Collect watchlist hit from Carbon Black Cloud - description: Collect watchlist hit from Carbon Black Cloud. - template_path: aws-s3.yml.hbs - vars: - - name: bucket_list_prefix - type: text - title: '[S3] Bucket Prefix' - multi: false - required: false - show_user: true - default: watchlist_hit_logs - description: Prefix to apply for the list request to the S3 bucket. - - name: interval - type: text - title: '[S3] Interval' - multi: false - required: false - show_user: true - default: 1m - description: Time interval for polling listing of the S3 bucket. NOTE:- Supported units for this parameter are h/m/s. - - name: number_of_workers - type: integer - title: '[S3] Number of Workers' - multi: false - required: false - show_user: true - default: 5 - description: Number of workers that will process the S3 objects listed. - - name: visibility_timeout - type: text - title: '[SQS] Visibility Timeout' - multi: false - required: false - show_user: true - default: 300s - description: The duration that the received messages are hidden from subsequent retrieve requests after being retrieved by a ReceiveMessage request. The maximum is 12 hours. NOTE:- Supported units for this parameter are h/m/s. - - name: api_timeout - type: text - title: '[SQS] API Timeout' - multi: false - required: false - show_user: true - default: 120s - description: The maximum duration of AWS API can take. The maximum is half of the visibility timeout value. NOTE:- Supported units for this parameter are h/m/s. - - name: max_number_of_messages - type: integer - title: '[SQS] Maximum Concurrent SQS Messages' - required: false - show_user: true - default: 5 - description: The maximum number of SQS messages that can be inflight at any time. 
- - name: file_selectors - type: yaml - title: '[SQS] File Selectors' - multi: false - required: false - show_user: false - default: | - - regex: 'watchlist_hit_logs/' - description: If the SQS queue will have events that correspond to files that this integration shouldn’t process, file_selectors can be used to limit the files that are downloaded. This is a list of selectors which are made up of regex and expand_event_list_from_field options. The regex should match the S3 object key in the SQS message, and the optional expand_event_list_from_field is the same as the global setting. If file_selectors is given, then any global expand_event_list_from_field value is ignored in favor of the ones specified in the file_selectors. Regexes use [RE2 syntax](https://pkg.go.dev/regexp/syntax). Files that don’t match one of the regexes will not be processed. - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: false - default: - - forwarded - - carbon_black_cloud-watchlist-hit - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original`. - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: >- - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. diff --git a/packages/carbon_black_cloud/1.3.0/data_stream/watchlist_hit/sample_event.json b/packages/carbon_black_cloud/1.3.0/data_stream/watchlist_hit/sample_event.json deleted file mode 100755 index ec2206a46e..0000000000 --- a/packages/carbon_black_cloud/1.3.0/data_stream/watchlist_hit/sample_event.json +++ /dev/null 
@@ -1,130 +0,0 @@
-{
- "tags": [
- "preserve_original_event",
- "forwarded",
- "carbon_black_cloud-watchlist-hit"
- ],
- "input": {
- "type": "aws-s3"
- },
- "data_stream": {
- "namespace": "default",
- "type": "logs",
- "dataset": "carbon_black_cloud.watchlist_hit"
- },
- "agent": {
- "id": "e0d5f508-9616-400f-b26b-bb1aa6638b80",
- "type": "filebeat",
- "version": "8.0.0"
- },
- "ecs": {
- "version": "8.3.0"
- },
- "process": {
- "parent": {
- "pid": 4076,
- "entity_id": "7DESJ9GN-00442a47-00000fec-00000000-1d81ed87d4655d1",
- "command_line": "C:\\WINDOWS\\system32\\cmd.exe /c \"sc query aella_conf | findstr RUNNING \u003e null\"",
- "executable": "c:\\windows\\syswow64\\cmd.exe",
- "hash": {
- "sha256": "4d89fc34d5f0f9babd022271c585a9477bf41e834e46b991deaa0530fdb25e22",
- "md5": "d0fce3afa6aa1d58ce9fa336cc2b675b"
- }
- },
- "pid": 7516,
- "entity_id": "7DESJ9GN-00442a47-00001d5c-00000000-1d81ed87d63d2c6",
- "command_line": "sc query aella_conf ",
- "executable": "c:\\windows\\syswow64\\sc.exe",
- "hash": {
- "sha256": "4fe6d9eb8109fb79ff645138de7cff37906867aade589bd68afa503a9ab3cfb2",
- "md5": "d9d7684b8431a0d10d0e76fe9f5ffec8"
- }
- },
- "carbon_black_cloud": {
- "watchlist_hit": {
- "schema": 1,
- "process": {
- "parent": {
- "publisher": [
- {
- "name": "Microsoft Windows",
- "state": [
- "FILE_SIGNATURE_STATE_SIGNED",
- "FILE_SIGNATURE_STATE_VERIFIED",
- "FILE_SIGNATURE_STATE_TRUSTED",
- "FILE_SIGNATURE_STATE_OS",
- "FILE_SIGNATURE_STATE_CATALOG_SIGNED"
- ]
- }
- ],
- "reputation": "REP_WHITE",
- "username": "NT AUTHORITY\\SYSTEM"
- },
- "publisher": [
- {
- "name": "Microsoft Windows",
- "state": [
- "FILE_SIGNATURE_STATE_SIGNED",
- "FILE_SIGNATURE_STATE_VERIFIED",
- "FILE_SIGNATURE_STATE_TRUSTED",
- "FILE_SIGNATURE_STATE_OS",
- "FILE_SIGNATURE_STATE_CATALOG_SIGNED"
- ]
- }
- ],
- "reputation": "REP_WHITE",
- "username": "NT AUTHORITY\\SYSTEM"
- },
- "organization_key": "xxxxxxxx",
- "report": {
- "name": "Discovery - System Service Discovery Detected",
- "id": "CFnKBKLTv6hUkBGFobRdg-565571",
- "tags": [
- "attack",
- "attackframework",
- "threathunting",
- "hunting",
- "t1007",
- "recon",
- "discovery",
- "windows"
- ]
- },
- "watchlists": [
- {
- "name": "ATT\u0026CK Framework",
- "id": "P5f9AW29TGmTOvBW156Cig"
- }
- ],
- "type": "watchlist.hit",
- "ioc": {
- "hit": "((process_name:sc.exe -parent_name:svchost.exe) AND process_cmdline:query) -enriched:true",
- "id": "565571-0"
- },
- "device": {
- "internal_ip": "10.10.156.12",
- "external_ip": "67.43.156.12",
- "os": "WINDOWS"
- }
- }
- },
- "host": {
- "hostname": "Carbonblack-win1",
- "os": {
- "type": "windows"
- },
- "ip": [
- "10.10.156.12",
- "67.43.156.12"
- ],
- "id": "4467271"
- },
- "event": {
- "kind": "event",
- "severity": 3,
- "agent_id_status": "verified",
- "ingested": "2022-02-17T07:23:31Z",
- "original": "{\"schema\":1,\"create_time\":\"2022-02-10T23:54:32.449Z\",\"device_external_ip\":\"205.234.30.196\",\"device_id\":4467271,\"device_internal_ip\":\"10.33.4.214\",\"device_name\":\"Carbonblack-win1\",\"device_os\":\"WINDOWS\",\"ioc_hit\":\"((process_name:sc.exe -parent_name:svchost.exe) AND process_cmdline:query) -enriched:true\",\"ioc_id\":\"565571-0\",\"org_key\":\"7DESJ9GN\",\"parent_cmdline\":\"C:\\\\WINDOWS\\\\system32\\\\cmd.exe /c \\\"sc query aella_conf | findstr RUNNING \\u003e null\\\"\",\"parent_guid\":\"7DESJ9GN-00442a47-00000fec-00000000-1d81ed87d4655d1\",\"parent_hash\":[\"d0fce3afa6aa1d58ce9fa336cc2b675b\",\"4d89fc34d5f0f9babd022271c585a9477bf41e834e46b991deaa0530fdb25e22\"],\"parent_path\":\"c:\\\\windows\\\\syswow64\\\\cmd.exe\",\"parent_pid\":4076,\"parent_publisher\":[{\"name\":\"Microsoft Windows\",\"state\":\"FILE_SIGNATURE_STATE_SIGNED | FILE_SIGNATURE_STATE_VERIFIED | FILE_SIGNATURE_STATE_TRUSTED | FILE_SIGNATURE_STATE_OS | FILE_SIGNATURE_STATE_CATALOG_SIGNED\"}],\"parent_reputation\":\"REP_WHITE\",\"parent_username\":\"NT AUTHORITY\\\\SYSTEM\",\"process_cmdline\":\"sc query aella_conf \",\"process_guid\":\"7DESJ9GN-00442a47-00001d5c-00000000-1d81ed87d63d2c6\",\"process_hash\":[\"d9d7684b8431a0d10d0e76fe9f5ffec8\",\"4fe6d9eb8109fb79ff645138de7cff37906867aade589bd68afa503a9ab3cfb2\"],\"process_path\":\"c:\\\\windows\\\\syswow64\\\\sc.exe\",\"process_pid\":7516,\"process_publisher\":[{\"name\":\"Microsoft Windows\",\"state\":\"FILE_SIGNATURE_STATE_SIGNED | FILE_SIGNATURE_STATE_VERIFIED | FILE_SIGNATURE_STATE_TRUSTED | FILE_SIGNATURE_STATE_OS | FILE_SIGNATURE_STATE_CATALOG_SIGNED\"}],\"process_reputation\":\"REP_WHITE\",\"process_username\":\"NT AUTHORITY\\\\SYSTEM\",\"report_id\":\"CFnKBKLTv6hUkBGFobRdg-565571\",\"report_name\":\"Discovery - System Service Discovery Detected\",\"report_tags\":[\"attack\",\"attackframework\",\"threathunting\",\"hunting\",\"t1007\",\"recon\",\"discovery\",\"windows\"],\"severity\":3,\"type\":\"watchlist.hit\",\"watchlists\":[{\"id\":\"P5f9AW29TGmTOvBW156Cig\",\"name\":\"ATT\\u0026CK Framework\"}]}",
- "dataset": "carbon_black_cloud.watchlist_hit"
- }
-}
\ No newline at end of file
diff --git a/packages/carbon_black_cloud/1.3.0/docs/README.md b/packages/carbon_black_cloud/1.3.0/docs/README.md
deleted file mode 100755
index dff0199ce8..0000000000
--- a/packages/carbon_black_cloud/1.3.0/docs/README.md
+++ /dev/null
@@ -1,1062 +0,0 @@ -# VMware Carbon Black Cloud - -The VMware Carbon Black Cloud integration collects and parses data from the Carbon Black Cloud REST APIs and AWS S3 bucket. - -## Compatibility - -This module has been tested against `Alerts API (v6)`, `Audit Log Events (v3)` and `Vulnerability Assessment (v1)`. - -## Requirements - -### In order to ingest data from the AWS S3 bucket you must: -1. Configure the [Data Forwarder](https://docs.vmware.com/en/VMware-Carbon-Black-Cloud/services/carbon-black-cloud-user-guide/GUID-F68F63DD-2271-4088-82C9-71D675CD0535.html) to ingest data into an AWS S3 bucket. -2. Create an [AWS Access Keys and Secret Access Keys](https://docs.aws.amazon.com/general/latest/gr/aws-sec-cred-types.html#access-keys-and-secret-access-keys). -3. The default value of the "Bucket List Prefix" is listed below. However, the user can set the parameter "Bucket List Prefix" according to the requirement. - - | Data Stream Name | Bucket List Prefix | - | ----------------- | ---------------------- | - | Alert | alert_logs | - | Endpoint Event | endpoint_event_logs | - | Watchlist Hit | watchlist_hit_logs | - -### To collect data from AWS SQS, follow the below steps: -1. If data forwarding to an AWS S3 Bucket hasn't been configured, then first setup an AWS S3 Bucket as mentioned in the above documentation. -2. To setup an SQS queue, follow "Step 1: Create an Amazon SQS queue" mentioned in the [Documentation](https://docs.aws.amazon.com/AmazonS3/latest/userguide/ways-to-add-notification-config-to-bucket.html). - - While creating an SQS Queue, please provide the same bucket ARN that has been generated after creating an AWS S3 Bucket. -3. Setup event notification for an S3 bucket. Follow this [Link](https://docs.aws.amazon.com/AmazonS3/latest/userguide/enable-event-notifications.html). - - The user has to perform Step 3 for all the data-streams individually, and each time prefix parameter should be set the same as the S3 Bucket List Prefix as created earlier. 
(for example, `alert_logs/` for alert data stream.) - - For all the event notifications that have been created, select the event type as s3:ObjectCreated:*, select the destination type SQS Queue, and select the queue that has been created in Step 2. - -**Note**: - - Credentials for the above AWS S3 and SQS input types should be configured using the [link](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-aws-s3.html#aws-credentials-config). - - Data collection via AWS S3 Bucket and AWS SQS are mutually exclusive in this case. - -### In order to ingest data from the APIs you must generate API keys and API Secret Keys: -1. In Carbon Black Cloud, On the left navigation pane, click **Settings > API Access**. -2. Click Add API Key. -3. Give the API key a unique name and description. - - Select the appropriate access level type. Please check required Access Levels & Permissions for integration in below table. - **Note:** To use a custom access level, select Custom from the Access Level type drop-down menu and specify the Custom Access Level. - - Optional: Add authorized IP addresses. - - You can restrict the use of an API key to a specific set of IP addresses for security reasons. - **Note:** Authorized IP addresses are not available with Custom keys. -4. To apply the changes, click Save. - -#### Access Levels & Permissions -- The following tables indicate which type of API Key access level is required. If the type is Custom then the permission that is required will also be included. - -| Data stream | Access Level and Permissions | -| --------------------------- | ------------------------------------------ | -| Audit | API | -| Alert | Custom orgs.alerts (Read) | -| Asset Vulnerability Summary | Custom vulnerabilityAssessment.data (Read) | - - -## Note - -- The alert data stream has a 15-minute delay to ensure that no occurrences are missed. - -## Logs - -### Audit - -This is the `audit` dataset. 
- -An example event for `audit` looks as following: - -```json -{ - "@timestamp": "2022-02-10T16:04:30.263Z", - "agent": { - "ephemeral_id": "a332765e-1e1f-4ec7-b24e-ae2d0dd5d74f", - "id": "15b19080-249c-49a5-801a-edf25c28dcfe", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "8.4.1" - }, - "carbon_black_cloud": { - "audit": { - "flagged": false, - "verbose": false - } - }, - "client": { - "ip": "10.10.10.10", - "user": { - "id": "abc@demo.com" - } - }, - "data_stream": { - "dataset": "carbon_black_cloud.audit", - "namespace": "ep", - "type": "logs" - }, - "ecs": { - "version": "8.4.0" - }, - "elastic_agent": { - "id": "15b19080-249c-49a5-801a-edf25c28dcfe", - "snapshot": false, - "version": "8.4.1" - }, - "event": { - "agent_id_status": "verified", - "created": "2022-09-26T01:59:24.724Z", - "dataset": "carbon_black_cloud.audit", - "id": "2122f8ce8xxxxxxxxxxxxx", - "ingested": "2022-09-26T01:59:25Z", - "kind": "event", - "original": "{\"clientIp\":\"10.10.10.10\",\"description\":\"Logged in successfully\",\"eventId\":\"2122f8ce8xxxxxxxxxxxxx\",\"eventTime\":1644509070263,\"flagged\":false,\"loginName\":\"abc@demo.com\",\"orgName\":\"cb-xxxx-xxxx.com\",\"requestUrl\":null,\"verbose\":false}", - "outcome": "success", - "reason": "Logged in successfully" - }, - "input": { - "type": "httpjson" - }, - "organization": { - "name": "cb-xxxx-xxxx.com" - }, - "related": { - "ip": [ - "10.10.10.10" - ] - }, - "tags": [ - "preserve_original_event", - "forwarded", - "carbon_black_cloud-audit" - ] -} -``` - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| carbon_black_cloud.audit.flagged | true if action is failed otherwise false. | boolean | -| carbon_black_cloud.audit.verbose | true if verbose audit log otherwise false. | boolean | -| client.ip | IP address of the client (IPv4 or IPv6). | ip | -| client.user.id | Unique identifier of the user. 
| keyword | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. 
The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | -| event.dataset | Event dataset. | constant_keyword | -| event.id | Unique ID to describe the event. | keyword | -| event.module | Event module. | constant_keyword | -| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | -| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | -| event.reason | Reason why this event happened, according to the source. This describes the why of a particular action or outcome captured in the event. 
Where `event.action` captures the action from the event, `event.reason` describes why that action was taken. For example, a web proxy with an `event.action` which denied the request may also populate `event.reason` with the reason why (e.g. `blocked site`). | keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. 
If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| input.type | Input type | keyword | -| log.offset | Log offset | long | -| organization.name | Organization name. | keyword | -| organization.name.text | Multi-field of `organization.name`. | match_only_text | -| related.ip | All of the IPs seen on your event. | ip | -| tags | List of keywords used to tag each event. | keyword | -| url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | wildcard | -| url.original.text | Multi-field of `url.original`. | match_only_text | - - -### Alert - -This is the `alert` dataset. - -An example event for `alert` looks as following: - -```json -{ - "@timestamp": "2020-11-17T22:05:13.000Z", - "agent": { - "ephemeral_id": "cc329655-90f8-4dc9-8014-e152f2b949da", - "id": "15b19080-249c-49a5-801a-edf25c28dcfe", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "8.4.1" - }, - "carbon_black_cloud": { - "alert": { - "category": "warning", - "device": { - "external_ip": "81.2.69.143", - "internal_ip": "81.2.69.144", - "location": "UNKNOWN", - "os": "WINDOWS" - }, - "last_update_time": "2020-11-17T22:05:13Z", - "legacy_alert_id": "C8EB7306-AF26-4A9A-B677-814B3AF69720", - "organization_key": "ABCD6X3T", - "policy": { - "applied": "APPLIED", - "id": 6997287, - "name": "Standard" - }, - "product_id": "0x5406", - "product_name": "U3 Cruzer Micro", - "reason_code": "6D578342-9DE5-4353-9C25-1D3D857BFC5B:DCAEB1FA-513C-4026-9AB6-37A935873FBC", - "run_state": "DID_NOT_RUN", - "sensor_action": "DENY", - "serial_number": "0875920EF7C2A304", - "target_value": "MEDIUM", - "threat_cause": { - "cause_event_id": "FCEE2AF0-D832-4C9F-B988-F11B46028C9E", - "threat_category": "NON_MALWARE", - "vector": 
"REMOVABLE_MEDIA" - }, - "threat_id": "t5678", - "type": "DEVICE_CONTROL", - "vendor_id": "0x0781", - "vendor_name": "SanDisk", - "workflow": { - "changed_by": "Carbon Black", - "last_update_time": "2020-11-17T22:02:16Z", - "state": "OPEN" - } - } - }, - "data_stream": { - "dataset": "carbon_black_cloud.alert", - "namespace": "ep", - "type": "logs" - }, - "ecs": { - "version": "8.4.0" - }, - "elastic_agent": { - "id": "15b19080-249c-49a5-801a-edf25c28dcfe", - "snapshot": false, - "version": "8.4.1" - }, - "event": { - "agent_id_status": "verified", - "created": "2022-09-26T01:58:04.610Z", - "dataset": "carbon_black_cloud.alert", - "end": "2020-11-17T22:02:16Z", - "id": "test1", - "ingested": "2022-09-26T01:58:05Z", - "kind": "alert", - "original": "{\"alert_url\":\"https://defense-eap01.conferdeploy.net/alerts?orgId=1889976\",\"category\":\"WARNING\",\"create_time\":\"2020-11-17T22:05:13Z\",\"device_external_ip\":\"81.2.69.143\",\"device_id\":2,\"device_internal_ip\":\"81.2.69.144\",\"device_location\":\"UNKNOWN\",\"device_name\":\"DESKTOP-002\",\"device_os\":\"WINDOWS\",\"device_os_version\":\"Windows 10 x64\",\"device_username\":\"test34@demo.com\",\"first_event_time\":\"2020-11-17T22:02:16Z\",\"id\":\"test1\",\"last_event_time\":\"2020-11-17T22:02:16Z\",\"last_update_time\":\"2020-11-17T22:05:13Z\",\"legacy_alert_id\":\"C8EB7306-AF26-4A9A-B677-814B3AF69720\",\"org_key\":\"ABCD6X3T\",\"policy_applied\":\"APPLIED\",\"policy_id\":6997287,\"policy_name\":\"Standard\",\"product_id\":\"0x5406\",\"product_name\":\"U3 Cruzer Micro\",\"reason\":\"Access attempted on unapproved USB device SanDisk U3 Cruzer Micro (SN: 0875920EF7C2A304). 
A Deny Policy Action was applied.\",\"reason_code\":\"6D578342-9DE5-4353-9C25-1D3D857BFC5B:DCAEB1FA-513C-4026-9AB6-37A935873FBC\",\"run_state\":\"DID_NOT_RUN\",\"sensor_action\":\"DENY\",\"serial_number\":\"0875920EF7C2A304\",\"severity\":3,\"target_value\":\"MEDIUM\",\"threat_cause_cause_event_id\":\"FCEE2AF0-D832-4C9F-B988-F11B46028C9E\",\"threat_cause_threat_category\":\"NON_MALWARE\",\"threat_cause_vector\":\"REMOVABLE_MEDIA\",\"threat_id\":\"t5678\",\"type\":\"DEVICE_CONTROL\",\"vendor_id\":\"0x0781\",\"vendor_name\":\"SanDisk\",\"workflow\":{\"changed_by\":\"Carbon Black\",\"comment\":\"\",\"last_update_time\":\"2020-11-17T22:02:16Z\",\"remediation\":\"\",\"state\":\"OPEN\"}}", - "reason": "Access attempted on unapproved USB device SanDisk U3 Cruzer Micro (SN: 0875920EF7C2A304). A Deny Policy Action was applied.", - "severity": 3, - "start": "2020-11-17T22:02:16Z", - "url": "https://defense-eap01.conferdeploy.net/alerts?orgId=1889976" - }, - "host": { - "hostname": "DESKTOP-002", - "id": "2", - "ip": [ - "81.2.69.144", - "81.2.69.143" - ], - "name": "DESKTOP-002", - "os": { - "type": "windows", - "version": "Windows 10 x64" - } - }, - "input": { - "type": "httpjson" - }, - "related": { - "hosts": [ - "DESKTOP-002" - ], - "ip": [ - "81.2.69.144", - "81.2.69.143" - ], - "user": [ - "test34@demo.com" - ] - }, - "tags": [ - "preserve_original_event", - "forwarded", - "carbon_black_cloud-alert" - ], - "user": { - "name": "test34@demo.com" - } -} -``` - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| carbon_black_cloud.alert.blocked_threat_category | The category of threat which we were able to take action on. | keyword | -| carbon_black_cloud.alert.category | The category of the alert. | keyword | -| carbon_black_cloud.alert.count | | long | -| carbon_black_cloud.alert.created_by_event_id | Event identifier that initiated the alert. 
| keyword | -| carbon_black_cloud.alert.device.external_ip | External IP of the device. | ip | -| carbon_black_cloud.alert.device.internal_ip | Internal IP of the device. | ip | -| carbon_black_cloud.alert.device.location | The Location of device. | keyword | -| carbon_black_cloud.alert.device.os | OS of the device. | keyword | -| carbon_black_cloud.alert.document_guid | Unique ID of document. | keyword | -| carbon_black_cloud.alert.ioc.field | The field the indicator of comprise (IOC) hit contains. | keyword | -| carbon_black_cloud.alert.ioc.hit | IOC field value or IOC query that matches. | keyword | -| carbon_black_cloud.alert.ioc.id | The identifier of the IOC that cause the hit. | keyword | -| carbon_black_cloud.alert.kill_chain_status | The stage within the Cyber Kill Chain sequence most closely associated with the attributes of the alert. | keyword | -| carbon_black_cloud.alert.last_update_time | The last time the alert was updated as an ISO 8601 UTC timestamp. | date | -| carbon_black_cloud.alert.legacy_alert_id | The legacy identifier for the alert. | keyword | -| carbon_black_cloud.alert.not_blocked_threat_category | Other potentially malicious activity involved in the threat that we weren't able to take action on (either due to policy config, or not having a relevant rule). | keyword | -| carbon_black_cloud.alert.notes_present | Indicates if notes are associated with the threat_id. | boolean | -| carbon_black_cloud.alert.organization_key | The unique identifier for the organization associated with the alert. | keyword | -| carbon_black_cloud.alert.policy.applied | Whether a policy was applied. | keyword | -| carbon_black_cloud.alert.policy.id | The identifier for the policy associated with the device at the time of the alert. | long | -| carbon_black_cloud.alert.policy.name | The name of the policy associated with the device at the time of the alert. | keyword | -| carbon_black_cloud.alert.product_id | The hexadecimal id of the USB device's product. 
| keyword | -| carbon_black_cloud.alert.product_name | The name of the USB device’s vendor. | keyword | -| carbon_black_cloud.alert.reason_code | Shorthand enum for the full-text reason. | keyword | -| carbon_black_cloud.alert.report.id | The identifier of the report that contains the IOC. | keyword | -| carbon_black_cloud.alert.report.name | The name of the report that contains the IOC. | keyword | -| carbon_black_cloud.alert.run_state | Whether the threat in the alert ran. | keyword | -| carbon_black_cloud.alert.sensor_action | The action taken by the sensor, according to the rule of the policy. | keyword | -| carbon_black_cloud.alert.serial_number | The serial number of the USB device. | keyword | -| carbon_black_cloud.alert.status | status of alert. | keyword | -| carbon_black_cloud.alert.tags | Tags associated with the alert. | keyword | -| carbon_black_cloud.alert.target_value | The priority of the device assigned by the policy. | keyword | -| carbon_black_cloud.alert.threat_activity.c2 | Whether the alert involved a command and control (c2) server. | keyword | -| carbon_black_cloud.alert.threat_activity.dlp | Whether the alert involved data loss prevention (DLP). | keyword | -| carbon_black_cloud.alert.threat_activity.phish | Whether the alert involved phishing. | keyword | -| carbon_black_cloud.alert.threat_cause.actor.md5 | MD5 of the threat cause actor. | keyword | -| carbon_black_cloud.alert.threat_cause.actor.name | The name can be one of the following: process commandline, process name, or analytic matched threat. Analytic matched threats are Exploit, Malware, PUP, or Trojan. | keyword | -| carbon_black_cloud.alert.threat_cause.actor.process_pid | Process identifier (PID) of the actor process. | keyword | -| carbon_black_cloud.alert.threat_cause.actor.sha256 | SHA256 of the threat cause actor. | keyword | -| carbon_black_cloud.alert.threat_cause.cause_event_id | ID of the Event that triggered the threat. 
| keyword | -| carbon_black_cloud.alert.threat_cause.process.guid | The global unique identifier of the process. | keyword | -| carbon_black_cloud.alert.threat_cause.process.parent.guid | The global unique identifier of the process. | keyword | -| carbon_black_cloud.alert.threat_cause.reputation | Reputation of the threat cause. | keyword | -| carbon_black_cloud.alert.threat_cause.threat_category | Category of the threat cause. | keyword | -| carbon_black_cloud.alert.threat_cause.vector | The source of the threat cause. | keyword | -| carbon_black_cloud.alert.threat_id | The identifier of a threat which this alert belongs. Threats are comprised of a combination of factors that can be repeated across devices. | keyword | -| carbon_black_cloud.alert.threat_indicators.process_name | Process name associated with threat. | keyword | -| carbon_black_cloud.alert.threat_indicators.sha256 | Sha256 associated with threat. | keyword | -| carbon_black_cloud.alert.threat_indicators.ttps | Tactics, techniques and procedures associated with threat. | keyword | -| carbon_black_cloud.alert.type | Type of alert. | keyword | -| carbon_black_cloud.alert.vendor_id | The hexadecimal id of the USB device's vendor. | keyword | -| carbon_black_cloud.alert.vendor_name | The name of the USB device’s vendor. | keyword | -| carbon_black_cloud.alert.watchlists.id | The identifier of watchlist. | keyword | -| carbon_black_cloud.alert.watchlists.name | The name of the watchlist. | keyword | -| carbon_black_cloud.alert.workflow.changed_by | The name of user who changed the workflow. | keyword | -| carbon_black_cloud.alert.workflow.comment | Comment associated with workflow. | keyword | -| carbon_black_cloud.alert.workflow.last_update_time | The last update time of workflow. | date | -| carbon_black_cloud.alert.workflow.remediation | N/A | keyword | -| carbon_black_cloud.alert.workflow.state | The state of workflow. 
| keyword |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
-| data_stream.dataset | Data stream dataset. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date |
-| event.dataset | Event dataset. | constant_keyword |
-| event.end | event.end contains the date when the event ended or when the activity was last observed. | date |
-| event.id | Unique ID to describe the event. | keyword |
-| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword |
-| event.module | Event module. | constant_keyword |
-| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword |
-| event.reason | Reason why this event happened, according to the source. This describes the why of a particular action or outcome captured in the event. Where `event.action` captures the action from the event, `event.reason` describes why that action was taken. For example, a web proxy with an `event.action` which denied the request may also populate `event.reason` with the reason why (e.g. `blocked site`). | keyword |
-| event.severity | The numeric severity of the event according to your event source. What the different severity values mean can be different between sources and use cases. It's up to the implementer to make sure severities are consistent across events from the same source. The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`. | long |
-| event.start | event.start contains the date when the event started or when the activity was first observed. | date |
-| event.url | URL linking to an external system to continue investigation of this event. This URL links to another system where in-depth investigation of the specific occurrence of this event can take place. Alert events, indicated by `event.kind:alert`, are a common use case for this field. | keyword |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.type | Use the `os.type` field to categorize the operating system into one of the broad commercial families. If the OS you're dealing with is not listed as an expected value, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| input.type | Input type | keyword |
-| log.offset | Log offset | long |
-| process.entity_id | Unique identifier for the process. The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. | keyword |
-| process.executable | Absolute path to the process executable. | keyword |
-| process.executable.text | Multi-field of `process.executable`. | match_only_text |
-| process.name | Process name. Sometimes called program name or similar. | keyword |
-| process.name.text | Multi-field of `process.name`. | match_only_text |
-| related.hash | All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). | keyword |
-| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword |
-| related.ip | All of the IPs seen on your event. | ip |
-| related.user | All the user names or other user identifiers seen on the event. | keyword |
-| tags | List of keywords used to tag each event. | keyword |
-| user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword |
-| user.name | Short name or login of the user. | keyword |
-| user.name.text | Multi-field of `user.name`. | match_only_text |
-
-
-### Endpoint Event
-
-This is the `endpoint_event` dataset.
- -An example event for `endpoint_event` looks as following: - -```json -{ - "process": { - "parent": { - "pid": 1684, - "entity_id": "XXXXXXXX-003d902d-00000694-00000000-1d7540221dedd62", - "command_line": "C:\\WindowsAzure\\GuestAgent_2.7.41491.1010_2021-05-11_233023\\GuestAgent\\WindowsAzureGuestAgent.exe", - "executable": "c:\\windowsazure\\guestagent_2.7.41491.1010_2021-05-11_233023\\guestagent\\windowsazureguestagent.exe", - "hash": { - "sha256": "44a1975b2197484bb22a0eb673e67e7ee9ec20265e9f6347f5e06b6447ac82c5", - "md5": "03dd698da2671383c9b4f868c9931879" - } - }, - "pid": 4880, - "entity_id": "XXXXXXXX-003d902d-00001310-00000000-1d81e748c4adb37", - "command_line": "\"route.exe\" print", - "executable": "c:\\windows\\system32\\route.exe", - "hash": { - "sha256": "9e9c7696859b94b1c33a532fa4d5c648226cf3361121dd899e502b8949fb11a6", - "md5": "2498272dc48446891182747428d02a30" - } - }, - "ecs": { - "version": "8.3.0" - }, - "carbon_black_cloud": { - "endpoint_event": { - "schema": 1, - "event_origin": "EDR", - "process": { - "duration": 2, - "parent": { - "reputation": "REP_RESOLVING" - }, - "publisher": [ - { - "name": "Microsoft Windows", - "state": [ - "FILE_SIGNATURE_STATE_SIGNED", - "FILE_SIGNATURE_STATE_VERIFIED", - "FILE_SIGNATURE_STATE_TRUSTED", - "FILE_SIGNATURE_STATE_OS", - "FILE_SIGNATURE_STATE_CATALOG_SIGNED" - ] - } - ], - "reputation": "REP_RESOLVING", - "terminated": true, - "username": "NT AUTHORITY\\SYSTEM" - }, - "organization_key": "XXXXXXXX", - "backend": { - "timestamp": "2022-02-10 11:52:50 +0000 UTC" - }, - "target_cmdline": "\"route.exe\" print", - "type": "endpoint.event.procend", - "device": { - "os": "WINDOWS", - "timestamp": "2022-02-10 11:51:35.0684097 +0000 UTC", - "external_ip": "67.43.156.12" - }, - "sensor_action": "ACTION_ALLOW" - } - }, - "host": { - "hostname": "client-cb2", - "id": "4034605", - "os": { - "type": "windows" - }, - "ip": [ - "67.43.156.13" - ] - }, - "event": { - "action": "ACTION_PROCESS_TERMINATE", - "orignal": 
"{\"type\":\"endpoint.event.procend\",\"process_guid\":\"XXXXXXXX-003d902d-00001310-00000000-1d81e748c4adb37\",\"parent_guid\":\"XXXXXXXX-003d902d-00000694-00000000-1d7540221dedd62\",\"backend_timestamp\":\"2022-02-10 11:52:50 +0000 UTC\",\"org_key\":\"XXXXXXXX\",\"device_id\":\"4034605\",\"device_name\":\"client-cb2\",\"device_external_ip\":\"67.43.156.13\",\"device_os\":\"WINDOWS\",\"device_group\":\"\",\"action\":\"ACTION_PROCESS_TERMINATE\",\"schema\":1,\"device_timestamp\":\"2022-02-10 11:51:35.0684097 +0000 UTC\",\"process_terminated\":true,\"process_duration\":2,\"process_reputation\":\"REP_RESOLVING\",\"parent_reputation\":\"REP_RESOLVING\",\"process_pid\":4880,\"parent_pid\":1684,\"process_publisher\":[{\"name\":\"Microsoft Windows\",\"state\":\"FILE_SIGNATURE_STATE_SIGNED | FILE_SIGNATURE_STATE_VERIFIED | FILE_SIGNATURE_STATE_TRUSTED | FILE_SIGNATURE_STATE_OS | FILE_SIGNATURE_STATE_CATALOG_SIGNED\"}],\"process_path\":\"c:\\\\windows\\\\system32\\\\route.exe\",\"parent_path\":\"c:\\\\windowsazure\\\\guestagent_2.7.41491.1010_2021-05-11_233023\\\\guestagent\\\\windowsazureguestagent.exe\",\"process_hash\":[\"2498272dc48446891182747428d02a30\",\"9e9c7696859b94b1c33a532fa4d5c648226cf3361121dd899e502b8949fb11a6\"],\"parent_hash\":[\"03dd698da2671383c9b4f868c9931879\",\"44a1975b2197484bb22a0eb673e67e7ee9ec20265e9f6347f5e06b6447ac82c5\"],\"process_cmdline\":\"\\\"route.exe\\\" print\",\"parent_cmdline\":\"C:\\\\WindowsAzure\\\\GuestAgent_2.7.41491.1010_2021-05-11_233023\\\\GuestAgent\\\\WindowsAzureGuestAgent.exe\",\"process_username\":\"NT AUTHORITY\\\\SYSTEM\",\"sensor_action\":\"ACTION_ALLOW\",\"event_origin\":\"EDR\",\"target_cmdline\":\"\\\"route.exe\\\" print\"}" - }, - "data_stream": { - "dataset": "carbon_black_cloud.endpoint_event", - "namespace": "ep", - "type": "logs" - }, - "elastic_agent": { - "id": "3b20ea47-9610-412d-97e3-47cd19b7e4d5", - "snapshot": true, - "version": "8.0.0" - }, - "input": { - "type": "aws-s3" - }, - "tags": [ - 
"preserve_original_event",
- "forwarded",
- "carbon_black_cloud-endpoint-event"
- ]
-}
-```
-
-**Exported fields**
-
-| Field | Description | Type |
-|---|---|---|
-| @timestamp | Event timestamp. | date |
-| carbon_black_cloud.endpoint_event.alert_id | The ID of the Alert this event is associated with. | keyword |
-| carbon_black_cloud.endpoint_event.backend.timestamp | Time when the backend received the batch of events. | keyword |
-| carbon_black_cloud.endpoint_event.childproc.guid | Unique ID of the child process. | keyword |
-| carbon_black_cloud.endpoint_event.childproc.hash.md5 | Cryptographic MD5 hashes of the executable file backing the child process. | keyword |
-| carbon_black_cloud.endpoint_event.childproc.hash.sha256 | Cryptographic SHA256 hashes of the executable file backing the child process. | keyword |
-| carbon_black_cloud.endpoint_event.childproc.name | Full path to the target of the crossproc event on the device's local file system. | keyword |
-| carbon_black_cloud.endpoint_event.childproc.pid | OS-reported Process ID of the child process. | long |
-| carbon_black_cloud.endpoint_event.childproc.publisher.name | The name of the publisher. | keyword |
-| carbon_black_cloud.endpoint_event.childproc.publisher.state | The state of the publisher. | keyword |
-| carbon_black_cloud.endpoint_event.childproc.reputation | Carbon Black Cloud Reputation string for the childproc. | keyword |
-| carbon_black_cloud.endpoint_event.childproc.username | The username associated with the user context that the child process was started under. | keyword |
-| carbon_black_cloud.endpoint_event.crossproc.action | The action taken on cross-process. | keyword |
-| carbon_black_cloud.endpoint_event.crossproc.api | Name of the operating system API called by the actor process. | keyword |
-| carbon_black_cloud.endpoint_event.crossproc.guid | Unique ID of the cross process. | keyword |
-| carbon_black_cloud.endpoint_event.crossproc.hash.md5 | Cryptographic MD5 hashes of the target of the crossproc event. | keyword |
-| carbon_black_cloud.endpoint_event.crossproc.hash.sha256 | Cryptographic SHA256 hashes of the target of the crossproc event. | keyword |
-| carbon_black_cloud.endpoint_event.crossproc.name | Full path to the target of the crossproc event on the device's local file system. | keyword |
-| carbon_black_cloud.endpoint_event.crossproc.publisher.name | The name of the publisher. | keyword |
-| carbon_black_cloud.endpoint_event.crossproc.publisher.state | The state of the publisher. | keyword |
-| carbon_black_cloud.endpoint_event.crossproc.reputation | Carbon Black Cloud Reputation string for the crossproc. | keyword |
-| carbon_black_cloud.endpoint_event.crossproc.target | True if the process was the target of the cross-process event; false if the process was the actor. | boolean |
-| carbon_black_cloud.endpoint_event.device.external_ip | External IP of the device. | ip |
-| carbon_black_cloud.endpoint_event.device.internal_ip | Internal IP of the device. | ip |
-| carbon_black_cloud.endpoint_event.device.os | Os name. | keyword |
-| carbon_black_cloud.endpoint_event.device.timestamp | Time seen on sensor. | keyword |
-| carbon_black_cloud.endpoint_event.event_origin | Indicates which product the event came from. "EDR" indicates the event originated from Enterprise EDR. "NGAV" indicates the event originated from Endpoint Standard. | keyword |
-| carbon_black_cloud.endpoint_event.fileless_scriptload.cmdline | Deobfuscated script content run in a fileless context by the process. | keyword |
-| carbon_black_cloud.endpoint_event.fileless_scriptload.cmdline_length | Character count of the deobfuscated script content run in a fileless context. | keyword |
-| carbon_black_cloud.endpoint_event.fileless_scriptload.hash.md5 | MD5 hash of the deobfuscated script content run by the process in a fileless context. | keyword |
-| carbon_black_cloud.endpoint_event.fileless_scriptload.hash.sha256 | SHA-256 hash of the deobfuscated script content run by the process in a fileless context. | keyword |
-| carbon_black_cloud.endpoint_event.modload.count | Count of modload events reported by the sensor since last initialization. | long |
-| carbon_black_cloud.endpoint_event.modload.effective_reputation | Effective reputation(s) of the loaded module(s); applied by the sensor when the event occurred. | keyword |
-| carbon_black_cloud.endpoint_event.modload.publisher.name | The name of the publisher. | keyword |
-| carbon_black_cloud.endpoint_event.modload.publisher.state | The state of the publisher. | keyword |
-| carbon_black_cloud.endpoint_event.netconn.proxy.domain | DNS name associated with the "proxy" end of this network connection; may be empty if the name cannot be inferred or the connection is made direct to/from a proxy IP address. | keyword |
-| carbon_black_cloud.endpoint_event.netconn.proxy.ip | IPv4 or IPv6 address in string format associated with the "proxy" end of this network connection. | keyword |
-| carbon_black_cloud.endpoint_event.netconn.proxy.port | UDP/TCP port number associated with the "proxy" end of this network connection. | keyword |
-| carbon_black_cloud.endpoint_event.organization_key | The organization key associated with the console instance. | keyword |
-| carbon_black_cloud.endpoint_event.process.duration | The time difference in seconds between the process start and process terminate event. | long |
-| carbon_black_cloud.endpoint_event.process.parent.reputation | Reputation of the parent process; applied when event is processed by the Carbon Black Cloud i.e. after sensor delivers event to the cloud. | keyword |
-| carbon_black_cloud.endpoint_event.process.publisher.name | The name of the publisher. | keyword |
-| carbon_black_cloud.endpoint_event.process.publisher.state | The state of the publisher. | keyword |
-| carbon_black_cloud.endpoint_event.process.reputation | Reputation of the actor process; applied when event is processed by the Carbon Black Cloud i.e. after sensor delivers event to the cloud. | keyword |
-| carbon_black_cloud.endpoint_event.process.terminated | True if process was terminated elase false. | boolean |
-| carbon_black_cloud.endpoint_event.process.username | The username associated with the user context that this process was started under. | keyword |
-| carbon_black_cloud.endpoint_event.schema | The schema version. The current schema version is "1". This schema version will only be incremented if the field definitions are changed in a backwards-incompatible way. | long |
-| carbon_black_cloud.endpoint_event.scriptload.count | Count of scriptload events across all processes reported by the sensor since last initialization. | long |
-| carbon_black_cloud.endpoint_event.scriptload.effective_reputation | Effective reputation(s) of the script file(s) loaded at process launch; applied by the sensor when the event occurred. | keyword |
-| carbon_black_cloud.endpoint_event.scriptload.hash.md5 | Cryptographic MD5 hashes of the target of the scriptload event. | keyword |
-| carbon_black_cloud.endpoint_event.scriptload.hash.sha256 | Cryptographic SHA256 hashes of the target of the scriptload event. | keyword |
-| carbon_black_cloud.endpoint_event.scriptload.name | Full path to the target of the crossproc event on the device's local file system. | keyword |
-| carbon_black_cloud.endpoint_event.scriptload.publisher.name | The name of the publisher. | keyword |
-| carbon_black_cloud.endpoint_event.scriptload.publisher.state | The state of the publisher. | keyword |
-| carbon_black_cloud.endpoint_event.scriptload.reputation | Carbon Black Cloud Reputation string for the scriptload. | keyword |
-| carbon_black_cloud.endpoint_event.sensor_action | The sensor action taken on event. | keyword |
-| carbon_black_cloud.endpoint_event.target_cmdline | Process command line associated with the target process. | keyword |
-| carbon_black_cloud.endpoint_event.type | The event type. | keyword |
-| client.ip | IP address of the client (IPv4 or IPv6). | ip |
-| client.port | Port of the client. | long |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
-| data_stream.dataset | Data stream dataset. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| dll.hash.md5 | MD5 hash. | keyword |
-| dll.hash.sha256 | SHA256 hash. | keyword |
-| dll.path | Full file path of the library. | keyword |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword |
-| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date |
-| event.dataset | Event dataset. | constant_keyword |
-| event.id | Unique ID to describe the event. | keyword |
-| event.module | Event module. | constant_keyword |
-| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword |
-| event.reason | Reason why this event happened, according to the source. This describes the why of a particular action or outcome captured in the event. Where `event.action` captures the action from the event, `event.reason` describes why that action was taken. For example, a web proxy with an `event.action` which denied the request may also populate `event.reason` with the reason why (e.g. `blocked site`). | keyword |
-| file.hash.md5 | MD5 hash. | keyword |
-| file.hash.sha256 | SHA256 hash. | keyword |
-| file.path | Full path to the file, including the file name. It should include the drive letter, when appropriate. | keyword |
-| file.path.text | Multi-field of `file.path`. | match_only_text |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| input.type | Input type | keyword |
-| log.offset | Log offset | long |
-| network.direction | Direction of the network traffic. When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword |
-| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword |
-| process.command_line | Full command line that started the process, including the absolute path to the executable, and all arguments. Some arguments may be filtered to protect sensitive information. | wildcard |
-| process.command_line.text | Multi-field of `process.command_line`. | match_only_text |
-| process.entity_id | Unique identifier for the process. The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. | keyword |
-| process.executable | Absolute path to the process executable. | keyword |
-| process.executable.text | Multi-field of `process.executable`. | match_only_text |
-| process.hash.md5 | MD5 hash. | keyword |
-| process.hash.sha256 | SHA256 hash. | keyword |
-| process.parent.command_line | Full command line that started the process, including the absolute path to the executable, and all arguments. Some arguments may be filtered to protect sensitive information. | wildcard |
-| process.parent.command_line.text | Multi-field of `process.parent.command_line`. | match_only_text |
-| process.parent.entity_id | Unique identifier for the process. The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. | keyword |
-| process.parent.executable | Absolute path to the process executable. | keyword |
-| process.parent.executable.text | Multi-field of `process.parent.executable`. | match_only_text |
-| process.parent.hash.md5 | MD5 hash. | keyword |
-| process.parent.hash.sha256 | SHA256 hash. | keyword |
-| process.parent.pid | Process id. | long |
-| process.pid | Process id. | long |
-| registry.path | Full path, including hive, key and value | keyword |
-| related.hash | All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). | keyword |
-| related.hosts | All hostnames or other host identifiers seen on your event. 
Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| related.user | All the user names or other user identifiers seen on the event. | keyword | -| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| source.port | Port of the source. | long | -| tags | List of keywords used to tag each event. | keyword | -| user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword | - - -### Watchlist Hit - -This is the `watchlist_hit` dataset. - -An example event for `watchlist_hit` looks as following: - -```json -{ - "tags": [ - "preserve_original_event", - "forwarded", - "carbon_black_cloud-watchlist-hit" - ], - "input": { - "type": "aws-s3" - }, - "data_stream": { - "namespace": "default", - "type": "logs", - "dataset": "carbon_black_cloud.watchlist_hit" - }, - "agent": { - "id": "e0d5f508-9616-400f-b26b-bb1aa6638b80", - "type": "filebeat", - "version": "8.0.0" - }, - "ecs": { - "version": "8.3.0" - }, - "process": { - "parent": { - "pid": 4076, - "entity_id": "7DESJ9GN-00442a47-00000fec-00000000-1d81ed87d4655d1", - "command_line": "C:\\WINDOWS\\system32\\cmd.exe /c \"sc query aella_conf | findstr RUNNING \u003e null\"", - "executable": "c:\\windows\\syswow64\\cmd.exe", - "hash": { - "sha256": "4d89fc34d5f0f9babd022271c585a9477bf41e834e46b991deaa0530fdb25e22", - "md5": "d0fce3afa6aa1d58ce9fa336cc2b675b" - } - }, - "pid": 7516, - "entity_id": "7DESJ9GN-00442a47-00001d5c-00000000-1d81ed87d63d2c6", - "command_line": "sc query aella_conf ", - "executable": "c:\\windows\\syswow64\\sc.exe", - "hash": { - "sha256": 
"4fe6d9eb8109fb79ff645138de7cff37906867aade589bd68afa503a9ab3cfb2", - "md5": "d9d7684b8431a0d10d0e76fe9f5ffec8" - } - }, - "carbon_black_cloud": { - "watchlist_hit": { - "schema": 1, - "process": { - "parent": { - "publisher": [ - { - "name": "Microsoft Windows", - "state": [ - "FILE_SIGNATURE_STATE_SIGNED", - "FILE_SIGNATURE_STATE_VERIFIED", - "FILE_SIGNATURE_STATE_TRUSTED", - "FILE_SIGNATURE_STATE_OS", - "FILE_SIGNATURE_STATE_CATALOG_SIGNED" - ] - } - ], - "reputation": "REP_WHITE", - "username": "NT AUTHORITY\\SYSTEM" - }, - "publisher": [ - { - "name": "Microsoft Windows", - "state": [ - "FILE_SIGNATURE_STATE_SIGNED", - "FILE_SIGNATURE_STATE_VERIFIED", - "FILE_SIGNATURE_STATE_TRUSTED", - "FILE_SIGNATURE_STATE_OS", - "FILE_SIGNATURE_STATE_CATALOG_SIGNED" - ] - } - ], - "reputation": "REP_WHITE", - "username": "NT AUTHORITY\\SYSTEM" - }, - "organization_key": "xxxxxxxx", - "report": { - "name": "Discovery - System Service Discovery Detected", - "id": "CFnKBKLTv6hUkBGFobRdg-565571", - "tags": [ - "attack", - "attackframework", - "threathunting", - "hunting", - "t1007", - "recon", - "discovery", - "windows" - ] - }, - "watchlists": [ - { - "name": "ATT\u0026CK Framework", - "id": "P5f9AW29TGmTOvBW156Cig" - } - ], - "type": "watchlist.hit", - "ioc": { - "hit": "((process_name:sc.exe -parent_name:svchost.exe) AND process_cmdline:query) -enriched:true", - "id": "565571-0" - }, - "device": { - "internal_ip": "10.10.156.12", - "external_ip": "67.43.156.12", - "os": "WINDOWS" - } - } - }, - "host": { - "hostname": "Carbonblack-win1", - "os": { - "type": "windows" - }, - "ip": [ - "10.10.156.12", - "67.43.156.12" - ], - "id": "4467271" - }, - "event": { - "kind": "event", - "severity": 3, - "agent_id_status": "verified", - "ingested": "2022-02-17T07:23:31Z", - "original": 
"{\"schema\":1,\"create_time\":\"2022-02-10T23:54:32.449Z\",\"device_external_ip\":\"205.234.30.196\",\"device_id\":4467271,\"device_internal_ip\":\"10.33.4.214\",\"device_name\":\"Carbonblack-win1\",\"device_os\":\"WINDOWS\",\"ioc_hit\":\"((process_name:sc.exe -parent_name:svchost.exe) AND process_cmdline:query) -enriched:true\",\"ioc_id\":\"565571-0\",\"org_key\":\"7DESJ9GN\",\"parent_cmdline\":\"C:\\\\WINDOWS\\\\system32\\\\cmd.exe /c \\\"sc query aella_conf | findstr RUNNING \\u003e null\\\"\",\"parent_guid\":\"7DESJ9GN-00442a47-00000fec-00000000-1d81ed87d4655d1\",\"parent_hash\":[\"d0fce3afa6aa1d58ce9fa336cc2b675b\",\"4d89fc34d5f0f9babd022271c585a9477bf41e834e46b991deaa0530fdb25e22\"],\"parent_path\":\"c:\\\\windows\\\\syswow64\\\\cmd.exe\",\"parent_pid\":4076,\"parent_publisher\":[{\"name\":\"Microsoft Windows\",\"state\":\"FILE_SIGNATURE_STATE_SIGNED | FILE_SIGNATURE_STATE_VERIFIED | FILE_SIGNATURE_STATE_TRUSTED | FILE_SIGNATURE_STATE_OS | FILE_SIGNATURE_STATE_CATALOG_SIGNED\"}],\"parent_reputation\":\"REP_WHITE\",\"parent_username\":\"NT AUTHORITY\\\\SYSTEM\",\"process_cmdline\":\"sc query aella_conf \",\"process_guid\":\"7DESJ9GN-00442a47-00001d5c-00000000-1d81ed87d63d2c6\",\"process_hash\":[\"d9d7684b8431a0d10d0e76fe9f5ffec8\",\"4fe6d9eb8109fb79ff645138de7cff37906867aade589bd68afa503a9ab3cfb2\"],\"process_path\":\"c:\\\\windows\\\\syswow64\\\\sc.exe\",\"process_pid\":7516,\"process_publisher\":[{\"name\":\"Microsoft Windows\",\"state\":\"FILE_SIGNATURE_STATE_SIGNED | FILE_SIGNATURE_STATE_VERIFIED | FILE_SIGNATURE_STATE_TRUSTED | FILE_SIGNATURE_STATE_OS | FILE_SIGNATURE_STATE_CATALOG_SIGNED\"}],\"process_reputation\":\"REP_WHITE\",\"process_username\":\"NT AUTHORITY\\\\SYSTEM\",\"report_id\":\"CFnKBKLTv6hUkBGFobRdg-565571\",\"report_name\":\"Discovery - System Service Discovery 
Detected\",\"report_tags\":[\"attack\",\"attackframework\",\"threathunting\",\"hunting\",\"t1007\",\"recon\",\"discovery\",\"windows\"],\"severity\":3,\"type\":\"watchlist.hit\",\"watchlists\":[{\"id\":\"P5f9AW29TGmTOvBW156Cig\",\"name\":\"ATT\\u0026CK Framework\"}]}",
- "dataset": "carbon_black_cloud.watchlist_hit"
- }
-}
-```
-
-**Exported fields**
-
-| Field | Description | Type |
-|---|---|---|
-| @timestamp | Event timestamp. | date |
-| carbon_black_cloud.watchlist_hit.device.external_ip | External IP of the device. | ip |
-| carbon_black_cloud.watchlist_hit.device.internal_ip | Internal IP of the device. | ip |
-| carbon_black_cloud.watchlist_hit.device.os | OS Type of device (Windows/OSX/Linux). | keyword |
-| carbon_black_cloud.watchlist_hit.ioc.field | Field the IOC hit contains. | keyword |
-| carbon_black_cloud.watchlist_hit.ioc.hit | IOC field value, or IOC query that matches. | keyword |
-| carbon_black_cloud.watchlist_hit.ioc.id | ID of the IOC that caused the hit. | keyword |
-| carbon_black_cloud.watchlist_hit.organization_key | The organization key associated with the console instance. | keyword |
-| carbon_black_cloud.watchlist_hit.process.parent.publisher.name | The name of the publisher. | keyword |
-| carbon_black_cloud.watchlist_hit.process.parent.publisher.state | The state of the publisher. | keyword |
-| carbon_black_cloud.watchlist_hit.process.parent.reputation | Reputation of the actor process; applied when event is processed by the Carbon Black Cloud i.e. after sensor delivers event to the cloud. | keyword |
-| carbon_black_cloud.watchlist_hit.process.parent.username | The username associated with the user context that this process was started under. | keyword |
-| carbon_black_cloud.watchlist_hit.process.reputation | Reputation of the actor process; applied when event is processed by the Carbon Black Cloud i.e. after sensor delivers event to the cloud. | keyword |
-| carbon_black_cloud.watchlist_hit.process.username | The username associated with the user context that this process was started under. | keyword |
-| carbon_black_cloud.watchlist_hit.report.id | ID of the watchlist report(s) that detected a hit on the process. | keyword |
-| carbon_black_cloud.watchlist_hit.report.name | Name of the watchlist report(s) that detected a hit on the process. | keyword |
-| carbon_black_cloud.watchlist_hit.report.tags | List of tags associated with the report(s) that detected a hit on the process. | keyword |
-| carbon_black_cloud.watchlist_hit.schema | Schema version. | long |
-| carbon_black_cloud.watchlist_hit.type | The watchlist hit type. | keyword |
-| carbon_black_cloud.watchlist_hit.watchlists.id | The ID of the watchlists. | keyword |
-| carbon_black_cloud.watchlist_hit.watchlists.name | The name of the watchlists. | keyword |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
-| data_stream.dataset | Data stream dataset. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date |
-| event.dataset | Event dataset. | constant_keyword |
-| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword |
-| event.module | Event module. | constant_keyword |
-| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword |
-| event.severity | The numeric severity of the event according to your event source. What the different severity values mean can be different between sources and use cases. It's up to the implementer to make sure severities are consistent across events from the same source. The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`. | long |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.type | Use the `os.type` field to categorize the operating system into one of the broad commercial families. If the OS you're dealing with is not listed as an expected value, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| input.type | Input type | keyword |
-| log.offset | Log offset | long |
-| process.command_line | Full command line that started the process, including the absolute path to the executable, and all arguments. Some arguments may be filtered to protect sensitive information. | wildcard |
-| process.command_line.text | Multi-field of `process.command_line`. | match_only_text |
-| process.entity_id | Unique identifier for the process. The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. | keyword |
-| process.executable | Absolute path to the process executable. | keyword |
-| process.executable.text | Multi-field of `process.executable`. | match_only_text |
-| process.hash.md5 | MD5 hash. | keyword |
-| process.hash.sha256 | SHA256 hash. | keyword |
-| process.parent.command_line | Full command line that started the process, including the absolute path to the executable, and all arguments. Some arguments may be filtered to protect sensitive information. | wildcard |
-| process.parent.command_line.text | Multi-field of `process.parent.command_line`. | match_only_text |
-| process.parent.entity_id | Unique identifier for the process. The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. | keyword |
-| process.parent.executable | Absolute path to the process executable. | keyword |
-| process.parent.executable.text | Multi-field of `process.parent.executable`. | match_only_text |
-| process.parent.hash.md5 | MD5 hash. | keyword |
-| process.parent.hash.sha256 | SHA256 hash. | keyword |
-| process.parent.pid | Process id. | long |
-| process.pid | Process id. | long |
-| related.hash | All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). | keyword |
-| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword |
-| related.ip | All of the IPs seen on your event. | ip |
-| related.user | All the user names or other user identifiers seen on the event. | keyword |
-| tags | List of keywords used to tag each event. | keyword |
-| user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword |
-
-
-### Asset Vulnerability Summary
-
-This is the `asset_vulnerability_summary` dataset.
-
-An example event for `asset_vulnerability_summary` looks as following:
-
-```json
-{
- "@timestamp": "2022-09-26T01:58:41.710Z",
- "agent": {
- "ephemeral_id": "818ffeea-8e73-497b-bc16-b13e6bb3010c",
- "id": "15b19080-249c-49a5-801a-edf25c28dcfe",
- "name": "docker-fleet-agent",
- "type": "filebeat",
- "version": "8.4.1"
- },
- "carbon_black_cloud": {
- "asset_vulnerability_summary": {
- "last_sync": {
- "timestamp": "2022-01-17T08:33:37.384Z"
- },
- "os_info": {
- "os_arch": "64-bit"
- },
- "sync": {
- "status": "COMPLETED",
- "type": "SCHEDULED"
- },
- "type": "ENDPOINT",
- "vuln_count": 1770
- }
- },
- "data_stream": {
- "dataset": "carbon_black_cloud.asset_vulnerability_summary",
- "namespace": "ep",
- "type": "logs"
- },
- "ecs": {
- "version": "8.4.0"
- },
- "elastic_agent": {
- "id": "15b19080-249c-49a5-801a-edf25c28dcfe",
- "snapshot": false,
- "version": "8.4.1"
- },
- "event": {
- "agent_id_status": "verified",
- "created": "2022-09-26T01:58:41.710Z",
- "dataset": "carbon_black_cloud.asset_vulnerability_summary",
- "ingested": "2022-09-26T01:58:45Z",
- "original": "{\"cve_ids\":null,\"device_id\":8,\"highest_risk_score\":10,\"host_name\":\"DESKTOP-008\",\"last_sync_ts\":\"2022-01-17T08:33:37.384932Z\",\"name\":\"DESKTOP-008KK\",\"os_info\":{\"os_arch\":\"64-bit\",\"os_name\":\"Microsoft Windows 10 Education\",\"os_type\":\"WINDOWS\",\"os_version\":\"10.0.17763\"},\"severity\":\"CRITICAL\",\"sync_status\":\"COMPLETED\",\"sync_type\":\"SCHEDULED\",\"type\":\"ENDPOINT\",\"vm_id\":\"\",\"vm_name\":\"\",\"vuln_count\":1770}"
- },
- "host": {
- "hostname": "DESKTOP-008",
- "id": "8",
- "name": "DESKTOP-008KK",
- "os": {
- "name": "Microsoft Windows 10 Education",
- "type": "windows",
- "version": "10.0.17763"
- }
- },
- "input": {
- "type": "httpjson"
- },
- "related": {
- "hosts": [
- "DESKTOP-008"
- ]
- },
- "tags": [
- "preserve_original_event",
-  "forwarded",
- "carbon_black_cloud-asset-vulnerability-summary"
- ],
- "vulnerability": {
- "score": {
- "base": 10
- },
- "severity": "CRITICAL"
- }
-}
-```
-
-**Exported fields**
-
-| Field | Description | Type |
-|---|---|---|
-| @timestamp | Event timestamp. | date |
-| carbon_black_cloud.asset_vulnerability_summary.last_sync.timestamp | The identifier is for the Last sync time. | date |
-| carbon_black_cloud.asset_vulnerability_summary.os_info.os_arch | The identifier is for the Operating system architecture. | keyword |
-| carbon_black_cloud.asset_vulnerability_summary.sync.status | The identifier is for the Device sync status. | keyword |
-| carbon_black_cloud.asset_vulnerability_summary.sync.type | The identifier is for the Whether a manual sync was triggered for the device, or if it was a scheduled sync. | keyword |
-| carbon_black_cloud.asset_vulnerability_summary.type | The identifier is for the Device type. | keyword |
-| carbon_black_cloud.asset_vulnerability_summary.vm.id | The identifier is for the Virtual Machine ID. | keyword |
-| carbon_black_cloud.asset_vulnerability_summary.vm.name | The identifier is for the Virtual Machine name. | keyword |
-| carbon_black_cloud.asset_vulnerability_summary.vuln_count | The identifier is for the Number of vulnerabilities at this level. | integer |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
-| data_stream.dataset | Data stream dataset. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date |
-| event.dataset | Event dataset | constant_keyword |
-| event.module | Event module | constant_keyword |
-| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.type | Use the `os.type` field to categorize the operating system into one of the broad commercial families. If the OS you're dealing with is not listed as an expected value, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. | keyword |
-| host.os.version | Operating system version as a raw string. 
| keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| input.type | Input type | keyword | -| log.offset | Log offset | long | -| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword | -| tags | List of keywords used to tag each event. | keyword | -| vulnerability.score.base | Scores can range from 0.0 to 10.0, with 10.0 being the most severe. Base scores cover an assessment for exploitability metrics (attack vector, complexity, privileges, and user interaction), impact metrics (confidentiality, integrity, and availability), and scope. For example (https://www.first.org/cvss/specification-document) | float | -| vulnerability.severity | The severity of the vulnerability can help with metrics and internal prioritization regarding remediation. For example (https://nvd.nist.gov/vuln-metrics/cvss) | keyword | diff --git a/packages/carbon_black_cloud/1.3.0/img/carbon_black_cloud-logo.svg b/packages/carbon_black_cloud/1.3.0/img/carbon_black_cloud-logo.svg deleted file mode 100755 index 180cc3d212..0000000000 --- a/packages/carbon_black_cloud/1.3.0/img/carbon_black_cloud-logo.svg +++ /dev/null @@ -1,91 +0,0 @@ - - - - -Created by potrace 1.16, written by Peter Selinger 2001-2019 - - - - - - - - - - - - - - - - - - - - - diff --git a/packages/carbon_black_cloud/1.3.0/img/carbon_black_cloud-screenshot.png b/packages/carbon_black_cloud/1.3.0/img/carbon_black_cloud-screenshot.png deleted file mode 100755 index 6fda3c108d..0000000000 Binary files a/packages/carbon_black_cloud/1.3.0/img/carbon_black_cloud-screenshot.png and /dev/null differ 
diff --git a/packages/carbon_black_cloud/1.3.0/kibana/dashboard/carbon_black_cloud-7e095a40-e325-11ec-8642-e7f3d8b25a9b.json b/packages/carbon_black_cloud/1.3.0/kibana/dashboard/carbon_black_cloud-7e095a40-e325-11ec-8642-e7f3d8b25a9b.json deleted file mode 100755 index 4879b5460d..0000000000 --- a/packages/carbon_black_cloud/1.3.0/kibana/dashboard/carbon_black_cloud-7e095a40-e325-11ec-8642-e7f3d8b25a9b.json +++ /dev/null 
@@ -1,158 +0,0 @@ -{ - "attributes": { - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.alert\\\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"c54d9223-56ad-42b4-9452-a44657dbcd6e\",\"w\":16,\"x\":0,\"y\":0},\"panelIndex\":\"c54d9223-56ad-42b4-9452-a44657dbcd6e\",\"panelRefName\":\"panel_c54d9223-56ad-42b4-9452-a44657dbcd6e\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"d3728fd5-5390-4448-8f26-277521569f30\",\"w\":16,\"x\":16,\"y\":0},\"panelIndex\":\"d3728fd5-5390-4448-8f26-277521569f30\",\"panelRefName\":\"panel_d3728fd5-5390-4448-8f26-277521569f30\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"f1a29b4b-19d4-4ce2-84ac-d82761bd0e2c\",\"w\":16,\"x\":32,\"y\":0},\"panelIndex\":\"f1a29b4b-19d4-4ce2-84ac-d82761bd0e2c\",\"panelRefName\":\"panel_f1a29b4b-19d4-4ce2-84ac-d82761bd0e2c\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"5f57acd4-74a8-4d97-9e7b-d7b069efc867\",\"w\":24,\"x\":0,\"y\":15},\"panelIndex\":\"5f57acd4-74a8-4d97-9e7b-d7b069efc867\",\"panelRefName\":\"panel_5f57acd4-74a8-4d97-9e7b-d7b069efc867\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"legendOpen\":true}},\"gridData\":{\"h\":15,\"i\":\"909c2914-4695-42dd-aa36-93e043a5c025\",\"w\":24,\"x\":24,\"y\":15},\"panelIndex\":\"909c2914-4695-42dd-aa36-93e043a5c025\",\"panelRefName\":\"panel_909c2914-4695-42dd-aa36-93e043a5c025\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridDa
ta\":{\"h\":15,\"i\":\"c1ebdebc-a37b-48db-b2b1-6bcbcebea6d5\",\"w\":24,\"x\":0,\"y\":30},\"panelIndex\":\"c1ebdebc-a37b-48db-b2b1-6bcbcebea6d5\",\"panelRefName\":\"panel_c1ebdebc-a37b-48db-b2b1-6bcbcebea6d5\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"9e320d15-f9df-4aea-9564-ac1c4257b51b\",\"w\":24,\"x\":24,\"y\":30},\"panelIndex\":\"9e320d15-f9df-4aea-9564-ac1c4257b51b\",\"panelRefName\":\"panel_9e320d15-f9df-4aea-9564-ac1c4257b51b\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"5eb1ba4d-7c85-44c2-9d82-0ff45b8a3d1c\",\"w\":24,\"x\":0,\"y\":45},\"panelIndex\":\"5eb1ba4d-7c85-44c2-9d82-0ff45b8a3d1c\",\"panelRefName\":\"panel_5eb1ba4d-7c85-44c2-9d82-0ff45b8a3d1c\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"7da33ed3-29d9-4fe1-87a9-4debfc7bdd24\",\"w\":24,\"x\":24,\"y\":45},\"panelIndex\":\"7da33ed3-29d9-4fe1-87a9-4debfc7bdd24\",\"panelRefName\":\"panel_7da33ed3-29d9-4fe1-87a9-4debfc7bdd24\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"ed2de824-c493-4240-a6b5-329889c40c43\",\"w\":24,\"x\":0,\"y\":60},\"panelIndex\":\"ed2de824-c493-4240-a6b5-329889c40c43\",\"panelRefName\":\"panel_ed2de824-c493-4240-a6b5-329889c40c43\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"a6d4e61e-57bc-413a-8c68-5f55ab59e16a\",\"w\":24,\"x\":24,\"y\":60},\"panelIndex\":\"a6d4e61e-57bc-413a-8c68-5f55ab59e16a\",\"panelRefName\":\"panel_a6d4e61e-57bc-413a-8c68-5f55ab59e16a\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"bf749130-3138-45fe-a010-5b30b4636e7b\",\"w\":24,\"x\":0,\"y\":75},\"panelIndex\":\"bf749130-3138-45fe-
a010-5b30b4636e7b\",\"panelRefName\":\"panel_bf749130-3138-45fe-a010-5b30b4636e7b\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"44ed553e-d5cc-4841-85e9-0d8af122086a\",\"w\":24,\"x\":24,\"y\":75},\"panelIndex\":\"44ed553e-d5cc-4841-85e9-0d8af122086a\",\"panelRefName\":\"panel_44ed553e-d5cc-4841-85e9-0d8af122086a\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"cd3cb74e-b13e-4a52-a48c-82d13a59421a\",\"w\":24,\"x\":0,\"y\":90},\"panelIndex\":\"cd3cb74e-b13e-4a52-a48c-82d13a59421a\",\"panelRefName\":\"panel_cd3cb74e-b13e-4a52-a48c-82d13a59421a\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"42b64f1c-9526-4430-8f62-cc6596cf07d7\",\"w\":24,\"x\":24,\"y\":90},\"panelIndex\":\"42b64f1c-9526-4430-8f62-cc6596cf07d7\",\"panelRefName\":\"panel_42b64f1c-9526-4430-8f62-cc6596cf07d7\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"b2fe20be-cad5-4bfa-abd1-c9b069fd2494\",\"w\":24,\"x\":0,\"y\":105},\"panelIndex\":\"b2fe20be-cad5-4bfa-abd1-c9b069fd2494\",\"panelRefName\":\"panel_b2fe20be-cad5-4bfa-abd1-c9b069fd2494\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"ef6af3c0-10e9-46af-933c-a032464bdecf\",\"w\":24,\"x\":24,\"y\":105},\"panelIndex\":\"ef6af3c0-10e9-46af-933c-a032464bdecf\",\"panelRefName\":\"panel_ef6af3c0-10e9-46af-933c-a032464bdecf\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"f9aeff58-ece5-4b1d-80e2-83cc30cf4bbc\",\"w\":24,\"x\":0,\"y\":120},\"panelIndex\":\"f9aeff58-ece5-4b1d-80e2-83cc30cf4bbc\",\"panelRefName\":\"panel_f9aeff58-ece5-4b1d-80e2-83cc30cf4bbc\",\"type\":\"visualization\",\"version\"
:\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"247ad399-6383-4bf0-910e-9cb6767781c3\",\"w\":24,\"x\":24,\"y\":120},\"panelIndex\":\"247ad399-6383-4bf0-910e-9cb6767781c3\",\"panelRefName\":\"panel_247ad399-6383-4bf0-910e-9cb6767781c3\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"5c60fc1b-5ad1-4036-8adc-ce9adf455758\",\"w\":24,\"x\":0,\"y\":135},\"panelIndex\":\"5c60fc1b-5ad1-4036-8adc-ce9adf455758\",\"panelRefName\":\"panel_5c60fc1b-5ad1-4036-8adc-ce9adf455758\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"0a228399-6f69-4803-b4cd-65f30dca5890\",\"w\":24,\"x\":24,\"y\":135},\"panelIndex\":\"0a228399-6f69-4803-b4cd-65f30dca5890\",\"panelRefName\":\"panel_0a228399-6f69-4803-b4cd-65f30dca5890\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"5b015940-3fee-411a-be82-661078ead366\",\"w\":24,\"x\":0,\"y\":150},\"panelIndex\":\"5b015940-3fee-411a-be82-661078ead366\",\"panelRefName\":\"panel_5b015940-3fee-411a-be82-661078ead366\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"655bc1d2-5c31-4a38-9759-ab72f88bdb92\",\"w\":24,\"x\":24,\"y\":150},\"panelIndex\":\"655bc1d2-5c31-4a38-9759-ab72f88bdb92\",\"panelRefName\":\"panel_655bc1d2-5c31-4a38-9759-ab72f88bdb92\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"8cdf7cdc-1858-4561-9e3b-5b5c73498586\",\"w\":24,\"x\":0,\"y\":165},\"panelIndex\":\"8cdf7cdc-1858-4561-9e3b-5b5c73498586\",\"panelRefName\":\"panel_8cdf7cdc-1858-4561-9e3b-5b5c73498586\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"2d6c60e3-32cc-4746-bc7d-3fa40b8
0447c\",\"w\":24,\"x\":24,\"y\":165},\"panelIndex\":\"2d6c60e3-32cc-4746-bc7d-3fa40b80447c\",\"panelRefName\":\"panel_2d6c60e3-32cc-4746-bc7d-3fa40b80447c\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":23,\"i\":\"bc34dc1a-ba27-489e-a950-90a978974351\",\"w\":48,\"x\":0,\"y\":180},\"panelIndex\":\"bc34dc1a-ba27-489e-a950-90a978974351\",\"panelRefName\":\"panel_bc34dc1a-ba27-489e-a950-90a978974351\",\"type\":\"search\",\"version\":\"7.17.0\"}]", - "refreshInterval": { - "pause": true, - "value": 0 - }, - "timeFrom": "now-1h", - "timeRestore": true, - "timeTo": "now", - "title": "[Carbon Black Cloud] Alert", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-7e095a40-e325-11ec-8642-e7f3d8b25a9b", - "migrationVersion": { - "dashboard": "7.17.0" - }, - "references": [ - { - "id": "carbon_black_cloud-52fde850-8d73-11ec-ac12-4bc77fa14e95", - "name": "c54d9223-56ad-42b4-9452-a44657dbcd6e:panel_c54d9223-56ad-42b4-9452-a44657dbcd6e", - "type": "visualization" - }, - { - "id": "carbon_black_cloud-f3f635b0-8d72-11ec-ac12-4bc77fa14e95", - "name": "d3728fd5-5390-4448-8f26-277521569f30:panel_d3728fd5-5390-4448-8f26-277521569f30", - "type": "visualization" - }, - { - "id": "carbon_black_cloud-ff34eaa0-8d79-11ec-ac12-4bc77fa14e95", - "name": "f1a29b4b-19d4-4ce2-84ac-d82761bd0e2c:panel_f1a29b4b-19d4-4ce2-84ac-d82761bd0e2c", - "type": "visualization" - }, - { - "id": "carbon_black_cloud-9a533f40-8d80-11ec-ac12-4bc77fa14e95", - "name": "5f57acd4-74a8-4d97-9e7b-d7b069efc867:panel_5f57acd4-74a8-4d97-9e7b-d7b069efc867", - "type": "visualization" - }, - { - "id": "carbon_black_cloud-1b554010-8d73-11ec-ac12-4bc77fa14e95", - "name": "909c2914-4695-42dd-aa36-93e043a5c025:panel_909c2914-4695-42dd-aa36-93e043a5c025", - "type": "visualization" - }, - { - "id": "carbon_black_cloud-906f65c0-8d81-11ec-ac12-4bc77fa14e95", - "name": 
"c1ebdebc-a37b-48db-b2b1-6bcbcebea6d5:panel_c1ebdebc-a37b-48db-b2b1-6bcbcebea6d5", - "type": "visualization" - }, - { - "id": "carbon_black_cloud-0a8f5e90-8d79-11ec-ac12-4bc77fa14e95", - "name": "9e320d15-f9df-4aea-9564-ac1c4257b51b:panel_9e320d15-f9df-4aea-9564-ac1c4257b51b", - "type": "visualization" - }, - { - "id": "carbon_black_cloud-5c122d10-8d83-11ec-ac12-4bc77fa14e95", - "name": "5eb1ba4d-7c85-44c2-9d82-0ff45b8a3d1c:panel_5eb1ba4d-7c85-44c2-9d82-0ff45b8a3d1c", - "type": "visualization" - }, - { - "id": "carbon_black_cloud-2eafd430-8d83-11ec-ac12-4bc77fa14e95", - "name": "7da33ed3-29d9-4fe1-87a9-4debfc7bdd24:panel_7da33ed3-29d9-4fe1-87a9-4debfc7bdd24", - "type": "visualization" - }, - { - "id": "carbon_black_cloud-cc2d3630-8d83-11ec-ac12-4bc77fa14e95", - "name": "ed2de824-c493-4240-a6b5-329889c40c43:panel_ed2de824-c493-4240-a6b5-329889c40c43", - "type": "visualization" - }, - { - "id": "carbon_black_cloud-993b8650-8d83-11ec-ac12-4bc77fa14e95", - "name": "a6d4e61e-57bc-413a-8c68-5f55ab59e16a:panel_a6d4e61e-57bc-413a-8c68-5f55ab59e16a", - "type": "visualization" - }, - { - "id": "carbon_black_cloud-97ab53f0-8d84-11ec-ac12-4bc77fa14e95", - "name": "bf749130-3138-45fe-a010-5b30b4636e7b:panel_bf749130-3138-45fe-a010-5b30b4636e7b", - "type": "visualization" - }, - { - "id": "carbon_black_cloud-8af47260-8d87-11ec-ac12-4bc77fa14e95", - "name": "44ed553e-d5cc-4841-85e9-0d8af122086a:panel_44ed553e-d5cc-4841-85e9-0d8af122086a", - "type": "visualization" - }, - { - "id": "carbon_black_cloud-d33296f0-8d79-11ec-ac12-4bc77fa14e95", - "name": "cd3cb74e-b13e-4a52-a48c-82d13a59421a:panel_cd3cb74e-b13e-4a52-a48c-82d13a59421a", - "type": "visualization" - }, - { - "id": "carbon_black_cloud-f93958c0-8d83-11ec-ac12-4bc77fa14e95", - "name": "42b64f1c-9526-4430-8f62-cc6596cf07d7:panel_42b64f1c-9526-4430-8f62-cc6596cf07d7", - "type": "visualization" - }, - { - "id": "carbon_black_cloud-5c6ce550-8d85-11ec-ac12-4bc77fa14e95", - "name": 
"b2fe20be-cad5-4bfa-abd1-c9b069fd2494:panel_b2fe20be-cad5-4bfa-abd1-c9b069fd2494", - "type": "visualization" - }, - { - "id": "carbon_black_cloud-ee77a260-8d84-11ec-ac12-4bc77fa14e95", - "name": "ef6af3c0-10e9-46af-933c-a032464bdecf:panel_ef6af3c0-10e9-46af-933c-a032464bdecf", - "type": "visualization" - }, - { - "id": "carbon_black_cloud-6efc6240-8d8a-11ec-ac12-4bc77fa14e95", - "name": "f9aeff58-ece5-4b1d-80e2-83cc30cf4bbc:panel_f9aeff58-ece5-4b1d-80e2-83cc30cf4bbc", - "type": "visualization" - }, - { - "id": "carbon_black_cloud-ee670e50-8d89-11ec-ac12-4bc77fa14e95", - "name": "247ad399-6383-4bf0-910e-9cb6767781c3:panel_247ad399-6383-4bf0-910e-9cb6767781c3", - "type": "visualization" - }, - { - "id": "carbon_black_cloud-10f699d0-8d8b-11ec-ac12-4bc77fa14e95", - "name": "5c60fc1b-5ad1-4036-8adc-ce9adf455758:panel_5c60fc1b-5ad1-4036-8adc-ce9adf455758", - "type": "visualization" - }, - { - "id": "carbon_black_cloud-71058370-e323-11ec-8642-e7f3d8b25a9b", - "name": "0a228399-6f69-4803-b4cd-65f30dca5890:panel_0a228399-6f69-4803-b4cd-65f30dca5890", - "type": "visualization" - }, - { - "id": "carbon_black_cloud-d49a3710-8d96-11ec-ac12-4bc77fa14e95", - "name": "5b015940-3fee-411a-be82-661078ead366:panel_5b015940-3fee-411a-be82-661078ead366", - "type": "visualization" - }, - { - "id": "carbon_black_cloud-a5d6fa30-8d8c-11ec-ac12-4bc77fa14e95", - "name": "655bc1d2-5c31-4a38-9759-ab72f88bdb92:panel_655bc1d2-5c31-4a38-9759-ab72f88bdb92", - "type": "visualization" - }, - { - "id": "carbon_black_cloud-89932a20-8d86-11ec-ac12-4bc77fa14e95", - "name": "8cdf7cdc-1858-4561-9e3b-5b5c73498586:panel_8cdf7cdc-1858-4561-9e3b-5b5c73498586", - "type": "visualization" - }, - { - "id": "carbon_black_cloud-928cff80-8d8a-11ec-ac12-4bc77fa14e95", - "name": "2d6c60e3-32cc-4746-bc7d-3fa40b80447c:panel_2d6c60e3-32cc-4746-bc7d-3fa40b80447c", - "type": "visualization" - }, - { - "id": "carbon_black_cloud-6e41bd70-8d8d-11ec-ac12-4bc77fa14e95", - "name": 
"bc34dc1a-ba27-489e-a950-90a978974351:panel_bc34dc1a-ba27-489e-a950-90a978974351", - "type": "search" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.3.0/kibana/dashboard/carbon_black_cloud-869252c0-8d71-11ec-ac12-4bc77fa14e95.json b/packages/carbon_black_cloud/1.3.0/kibana/dashboard/carbon_black_cloud-869252c0-8d71-11ec-ac12-4bc77fa14e95.json deleted file mode 100755 index 129cd1c62a..0000000000 --- a/packages/carbon_black_cloud/1.3.0/kibana/dashboard/carbon_black_cloud-869252c0-8d71-11ec-ac12-4bc77fa14e95.json +++ /dev/null 
@@ -1,42 +0,0 @@ -{ - "attributes": { - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.audit\\\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{},\"table\":null,\"vis\":{\"params\":{\"colWidth\":[{\"colIndex\":0,\"width\":831}]}}},\"gridData\":{\"h\":15,\"i\":\"c8d90872-b3b3-447d-a9fc-ada6409efeb2\",\"w\":48,\"x\":0,\"y\":0},\"panelIndex\":\"c8d90872-b3b3-447d-a9fc-ada6409efeb2\",\"panelRefName\":\"panel_0\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"16128cf1-2134-46a9-9fd3-19889a2a6c9e\",\"w\":24,\"x\":0,\"y\":15},\"panelIndex\":\"16128cf1-2134-46a9-9fd3-19889a2a6c9e\",\"panelRefName\":\"panel_1\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"84a10ea8-959c-4fe7-852d-835b3786ed17\",\"w\":24,\"x\":24,\"y\":15},\"panelIndex\":\"84a10ea8-959c-4fe7-852d-835b3786ed17\",\"panelRefName\":\"panel_2\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":18,\"i\":\"cd3e5a79-3640-47ff-95cd-c54debb5ee2d\",\"w\":48,\"x\":0,\"y\":30},\"panelIndex\":\"cd3e5a79-3640-47ff-95cd-c54debb5ee2d\",\"panelRefName\":\"panel_3\",\"type\":\"search\",\"version\":\"7.17.0\"}]", - "timeRestore": false, - "title": "[Carbon Black Cloud] Audit Logs", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-869252c0-8d71-11ec-ac12-4bc77fa14e95", - "migrationVersion": { - "dashboard": "7.17.0" - }, - "references": [ - { - "id": "carbon_black_cloud-ee2098d0-8d70-11ec-ac12-4bc77fa14e95", - "name": "panel_0", - "type": "visualization" - }, - { - "id": 
"carbon_black_cloud-0f420ad0-8d71-11ec-ac12-4bc77fa14e95", - "name": "panel_1", - "type": "visualization" - }, - { - "id": "carbon_black_cloud-a6d2a900-8d70-11ec-ac12-4bc77fa14e95", - "name": "panel_2", - "type": "visualization" - }, - { - "id": "carbon_black_cloud-4272e690-8d71-11ec-ac12-4bc77fa14e95", - "name": "panel_3", - "type": "search" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.3.0/kibana/dashboard/carbon_black_cloud-a94cd3a0-962a-11ec-864c-3332b2a355f7.json b/packages/carbon_black_cloud/1.3.0/kibana/dashboard/carbon_black_cloud-a94cd3a0-962a-11ec-864c-3332b2a355f7.json deleted file mode 100755 index e3f216759c..0000000000 --- a/packages/carbon_black_cloud/1.3.0/kibana/dashboard/carbon_black_cloud-a94cd3a0-962a-11ec-864c-3332b2a355f7.json +++ /dev/null 
@@ -1,97 +0,0 @@ -{ - "attributes": { - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.endpoint_event\\\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Event Type\",\"field\":\"carbon_black_cloud.endpoint_event.type\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"searchSource\":{\"filter\":[],\"index\":\"logs-*\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.endpoint_event\\\"\"}}},\"description\":\"\",\"id\":\"\",\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":false,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"\",\"type\":\"pie\",\"uiState\":{\"vis\":{\"legendOpen\":true}}},\"vis\":{\"legendOpen\":true}},\"gridData\":{\"h\":15,\"i\":\"f19543f7-04f5-42dd-849b-5f2fd8ca15f8\",\"w\":24,\"x\":0,\"y\":0},\"panelIndex\":\"f19543f7-04f5-42dd-849b-5f2fd8ca15f8\",\"title\":\"[Carbon Black Cloud] Top 10 Event 
Types\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"bee43023-c427-4176-ba31-2c4831cbc44e\",\"w\":24,\"x\":24,\"y\":0},\"panelIndex\":\"bee43023-c427-4176-ba31-2c4831cbc44e\",\"panelRefName\":\"panel_0\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"1727b9fb-4ba0-4f78-aa54-0d52db62b624\",\"w\":24,\"x\":0,\"y\":15},\"panelIndex\":\"1727b9fb-4ba0-4f78-aa54-0d52db62b624\",\"panelRefName\":\"panel_1\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"10a11498-6416-4b72-adc6-78a5d7937428\",\"w\":24,\"x\":24,\"y\":15},\"panelIndex\":\"10a11498-6416-4b72-adc6-78a5d7937428\",\"panelRefName\":\"panel_2\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"719006b6-32b2-4ed0-aecd-a1a1f37b471b\",\"w\":24,\"x\":0,\"y\":30},\"panelIndex\":\"719006b6-32b2-4ed0-aecd-a1a1f37b471b\",\"panelRefName\":\"panel_3\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"735f366c-91c5-4f33-961f-4db200acc05c\",\"w\":24,\"x\":24,\"y\":30},\"panelIndex\":\"735f366c-91c5-4f33-961f-4db200acc05c\",\"panelRefName\":\"panel_4\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"14a95a5a-61e8-459c-95bc-d1b11eed9054\",\"w\":24,\"x\":0,\"y\":45},\"panelIndex\":\"14a95a5a-61e8-459c-95bc-d1b11eed9054\",\"panelRefName\":\"panel_5\",\"title\":\"[Carbon Black Cloud] Top 10 Device External 
IP\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"3cc67760-3bba-4282-b91e-db120e8abe4e\",\"w\":24,\"x\":24,\"y\":45},\"panelIndex\":\"3cc67760-3bba-4282-b91e-db120e8abe4e\",\"panelRefName\":\"panel_6\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"9df5251e-52af-4509-b30e-d62f8ef9a3a3\",\"w\":24,\"x\":0,\"y\":60},\"panelIndex\":\"9df5251e-52af-4509-b30e-d62f8ef9a3a3\",\"panelRefName\":\"panel_7\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"04d664de-8814-4314-8f6e-2774b11ab572\",\"w\":24,\"x\":24,\"y\":60},\"panelIndex\":\"04d664de-8814-4314-8f6e-2774b11ab572\",\"panelRefName\":\"panel_8\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"c80e4ab0-c5b5-4916-9025-d006a37aa7ba\",\"w\":24,\"x\":0,\"y\":75},\"panelIndex\":\"c80e4ab0-c5b5-4916-9025-d006a37aa7ba\",\"panelRefName\":\"panel_9\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"f57a7bf6-bc25-433b-8019-6489124907b6\",\"w\":24,\"x\":24,\"y\":75},\"panelIndex\":\"f57a7bf6-bc25-433b-8019-6489124907b6\",\"panelRefName\":\"panel_10\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"c9984aec-8f3f-456a-aa80-b1fc314eb681\",\"w\":24,\"x\":0,\"y\":90},\"panelIndex\":\"c9984aec-8f3f-456a-aa80-b1fc314eb681\",\"panelRefName\":\"panel_11\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"3232147b-0914-4432-ba42-0c6c03414e4b\",\"w\":24,\"x\":24,\"y\":90},\"panelIndex\":\"3232147b-0914-4432-ba42-0c6c03414e4b\",\"panelRefName\":\"panel_12\",\"title\":\"[Carbon 
Black Cloud] Top 10 Effective Reputation of Loaded Modules\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":16,\"i\":\"391470e2-57a0-46c7-86bd-f66c6eb2ed66\",\"w\":48,\"x\":0,\"y\":105},\"panelIndex\":\"391470e2-57a0-46c7-86bd-f66c6eb2ed66\",\"panelRefName\":\"panel_13\",\"type\":\"search\",\"version\":\"7.17.0\"}]", - "timeRestore": false, - "title": "[Carbon Black Cloud] Endpoint Event", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-a94cd3a0-962a-11ec-864c-3332b2a355f7", - "migrationVersion": { - "dashboard": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "f19543f7-04f5-42dd-849b-5f2fd8ca15f8:kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "carbon_black_cloud-3afe1750-9630-11ec-864c-3332b2a355f7", - "name": "panel_0", - "type": "visualization" - }, - { - "id": "carbon_black_cloud-11df3480-9630-11ec-864c-3332b2a355f7", - "name": "panel_1", - "type": "visualization" - }, - { - "id": "carbon_black_cloud-c6cfa8d0-962f-11ec-864c-3332b2a355f7", - "name": "panel_2", - "type": "visualization" - }, - { - "id": "carbon_black_cloud-2d324250-963e-11ec-864c-3332b2a355f7", - "name": "panel_3", - "type": "visualization" - }, - { - "id": "carbon_black_cloud-949c1d00-9628-11ec-864c-3332b2a355f7", - "name": "panel_4", - "type": "visualization" - }, - { - "id": "carbon_black_cloud-f28910d0-9628-11ec-864c-3332b2a355f7", - "name": "panel_5", - "type": "visualization" - }, - { - "id": "carbon_black_cloud-76fe1db0-962e-11ec-864c-3332b2a355f7", - "name": "panel_6", - "type": "visualization" - }, - { - "id": "carbon_black_cloud-ae34ca40-962e-11ec-864c-3332b2a355f7", - "name": "panel_7", - "type": "visualization" - }, - { - "id": "carbon_black_cloud-f7681be0-962e-11ec-864c-3332b2a355f7", - "name": "panel_8", - "type": "visualization" - }, - { - "id": "carbon_black_cloud-2be6ad50-962f-11ec-864c-3332b2a355f7", - "name": 
"panel_9", - "type": "visualization" - }, - { - "id": "carbon_black_cloud-53d65ef0-962f-11ec-864c-3332b2a355f7", - "name": "panel_10", - "type": "visualization" - }, - { - "id": "carbon_black_cloud-7a6261e0-962f-11ec-864c-3332b2a355f7", - "name": "panel_11", - "type": "visualization" - }, - { - "id": "carbon_black_cloud-a7ce1420-9630-11ec-864c-3332b2a355f7", - "name": "panel_12", - "type": "visualization" - }, - { - "id": "carbon_black_cloud-6494a7e0-9640-11ec-864c-3332b2a355f7", - "name": "panel_13", - "type": "search" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.3.0/kibana/dashboard/carbon_black_cloud-db61a3d0-9534-11ec-8b9d-35e42c3f7fcf.json b/packages/carbon_black_cloud/1.3.0/kibana/dashboard/carbon_black_cloud-db61a3d0-9534-11ec-8b9d-35e42c3f7fcf.json deleted file mode 100755 index ee0df3955b..0000000000 --- a/packages/carbon_black_cloud/1.3.0/kibana/dashboard/carbon_black_cloud-db61a3d0-9534-11ec-8b9d-35e42c3f7fcf.json +++ /dev/null 
@@ -1,67 +0,0 @@ -{ - "attributes": { - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.asset_vulnerability_summary\\\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"table\":null,\"vis\":{\"legendOpen\":true}},\"gridData\":{\"h\":15,\"i\":\"604c7824-2086-4750-bd55-42ffffa9fc11\",\"w\":24,\"x\":0,\"y\":0},\"panelIndex\":\"604c7824-2086-4750-bd55-42ffffa9fc11\",\"panelRefName\":\"panel_0\",\"title\":\"[Carbon Black Cloud] Distribution of Asset Vulnerability Summary by OS Type, OS Version\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"table\":null,\"vis\":{\"legendOpen\":false}},\"gridData\":{\"h\":15,\"i\":\"bd12665d-43af-45c1-b05e-556ed72556fa\",\"w\":24,\"x\":24,\"y\":0},\"panelIndex\":\"bd12665d-43af-45c1-b05e-556ed72556fa\",\"panelRefName\":\"panel_1\",\"title\":\"[Carbon Black Cloud] Distribution of Asset Vulnerability Summary by Sync Status\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"table\":null,\"vis\":{\"legendOpen\":false}},\"gridData\":{\"h\":15,\"i\":\"fab676af-f870-4fd6-ac5d-3e17a224aaa8\",\"w\":24,\"x\":0,\"y\":15},\"panelIndex\":\"fab676af-f870-4fd6-ac5d-3e17a224aaa8\",\"panelRefName\":\"panel_2\",\"title\":\"[Carbon Black Cloud] Distribution of Asset Vulnerability Summary by Severity\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"e3d4c200-17e9-4303-9073-b9dc8c95a790\",\"w\":24,\"x\":24,\"y\":15},\"panelIndex\":\"e3d4c200-17e9-4303-9073-b9dc8c95a790\",\"panelRefName\":\"panel_3\",\"title\":\"[Carbon Black Cloud] 
Top 10 Hosts with Highest Vulnerability Count\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"table\":null,\"vis\":{\"legendOpen\":false}},\"gridData\":{\"h\":15,\"i\":\"624500b9-5f23-4c1c-b84b-83c5f20b72bb\",\"w\":24,\"x\":0,\"y\":30},\"panelIndex\":\"624500b9-5f23-4c1c-b84b-83c5f20b72bb\",\"panelRefName\":\"panel_4\",\"title\":\"[Carbon Black Cloud] Distribution of Asset Vulnerability Summary by Sync Type\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"0ec67461-93e2-49df-bcd9-3407fabd5832\",\"w\":24,\"x\":24,\"y\":30},\"panelIndex\":\"0ec67461-93e2-49df-bcd9-3407fabd5832\",\"panelRefName\":\"panel_5\",\"title\":\"[Carbon Black Cloud] Top 10 Hosts with Highest Risk Score\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"66d4f664-5644-48c9-b179-ddd94e1a3e46\",\"w\":24,\"x\":24,\"y\":45},\"panelIndex\":\"66d4f664-5644-48c9-b179-ddd94e1a3e46\",\"panelRefName\":\"panel_6\",\"title\":\"[Carbon Black Cloud] Top 10 OS Names\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":20,\"i\":\"6e5579cc-cd91-4f7b-a221-e9bed77aa2b5\",\"w\":48,\"x\":0,\"y\":60},\"panelIndex\":\"6e5579cc-cd91-4f7b-a221-e9bed77aa2b5\",\"panelRefName\":\"panel_7\",\"title\":\"[Carbon Black Cloud] Asset Vulnerability Assessment Essential Details\",\"type\":\"search\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"legendOpen\":false}},\"gridData\":{\"h\":15,\"i\":\"244dc3ee-7810-4f22-b915-bc0a8118fb2a\",\"w\":24,\"x\":0,\"y\":45},\"panelIndex\":\"244dc3ee-7810-4f22-b915-bc0a8118fb2a\",\"panelRefName\":\"panel_8\",\"type\":\"visualization\",\"version\":\"7.17.0\"}]", - "timeRestore": false, - "title": 
"[Carbon Black Cloud] Asset Vulnerability Summary", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-db61a3d0-9534-11ec-8b9d-35e42c3f7fcf", - "migrationVersion": { - "dashboard": "7.17.0" - }, - "references": [ - { - "id": "carbon_black_cloud-56130b90-954a-11ec-8b9d-35e42c3f7fcf", - "name": "panel_0", - "type": "visualization" - }, - { - "id": "carbon_black_cloud-7caf3b20-954a-11ec-8b9d-35e42c3f7fcf", - "name": "panel_1", - "type": "visualization" - }, - { - "id": "carbon_black_cloud-70cdb250-954a-11ec-8b9d-35e42c3f7fcf", - "name": "panel_2", - "type": "visualization" - }, - { - "id": "carbon_black_cloud-6bfd1770-954a-11ec-8b9d-35e42c3f7fcf", - "name": "panel_3", - "type": "visualization" - }, - { - "id": "carbon_black_cloud-792a3310-954a-11ec-8b9d-35e42c3f7fcf", - "name": "panel_4", - "type": "visualization" - }, - { - "id": "carbon_black_cloud-750fefe0-954a-11ec-8b9d-35e42c3f7fcf", - "name": "panel_5", - "type": "visualization" - }, - { - "id": "carbon_black_cloud-68a6c080-954a-11ec-8b9d-35e42c3f7fcf", - "name": "panel_6", - "type": "visualization" - }, - { - "id": "carbon_black_cloud-dcc2d650-90a6-11ec-8b9d-35e42c3f7fcf", - "name": "panel_7", - "type": "search" - }, - { - "id": "carbon_black_cloud-2d1eedf0-9629-11ec-8b9d-35e42c3f7fcf", - "name": "panel_8", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.3.0/kibana/dashboard/carbon_black_cloud-e226d530-9554-11ec-96f0-8de26c63c826.json b/packages/carbon_black_cloud/1.3.0/kibana/dashboard/carbon_black_cloud-e226d530-9554-11ec-96f0-8de26c63c826.json deleted file mode 100755 index 94761c84e1..0000000000 --- a/packages/carbon_black_cloud/1.3.0/kibana/dashboard/carbon_black_cloud-e226d530-9554-11ec-96f0-8de26c63c826.json +++ /dev/null 
@@ -1,107 +0,0 @@ -{ - "attributes": { - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.watchlist_hit\\\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"8dc3cf12-046a-4901-b213-c29985291e77\",\"w\":24,\"x\":0,\"y\":0},\"panelIndex\":\"8dc3cf12-046a-4901-b213-c29985291e77\",\"panelRefName\":\"panel_0\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Device External IP\",\"field\":\"carbon_black_cloud.watchlist_hit.device.external_ip\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"searchSource\":{\"filter\":[],\"index\":\"logs-*\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.watchlist_hit\\\"\"}}},\"description\":\"\",\"id\":\"\",\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"\",\"type\":\"table\",\"uiState\":{}}},\"gridData\":{\"h\":15,\"i\":\"4f7b5cef-a7e9-44a9-8769-44d5326a8df4\",\"w\":24,\"x\":24,\"y\":0},\"panelIndex\":\"4f7b5cef-a7e9-44a9-8769-44d5326a8df4\",\"title\":\"[Carbon Black Cloud] Top 10 Device External 
IPs\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"savedVis\":{\"data\":{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Watchlist Hit Name\",\"field\":\"carbon_black_cloud.watchlist_hit.watchlists.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"searchSource\":{\"filter\":[],\"index\":\"logs-*\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.watchlist_hit\\\"\"}}},\"description\":\"\",\"id\":\"\",\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Carbon Black Cloud] Top 10 Watchlist Hit Names\",\"type\":\"table\",\"uiState\":{}}},\"gridData\":{\"h\":15,\"i\":\"3d454d18-6baa-40de-aa94-4ebfaee9a759\",\"w\":24,\"x\":0,\"y\":15},\"panelIndex\":\"3d454d18-6baa-40de-aa94-4ebfaee9a759\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"savedVis\":{\"data\":{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Severity\",\"field\":\"event.severity\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"searchSource\":{\"filter\":[],\"index\":\"logs-*\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : 
\\\"carbon_black_cloud.watchlist_hit\\\"\"}}},\"description\":\"\",\"id\":\"\",\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":false,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"[Carbon Black Cloud] Distribution of Watchlist Hit by Severity\",\"type\":\"pie\",\"uiState\":{\"vis\":{\"legendOpen\":true}}},\"vis\":{\"legendOpen\":true}},\"gridData\":{\"h\":15,\"i\":\"b0289aae-02bb-472e-8a22-07ff9f5d2372\",\"w\":24,\"x\":24,\"y\":15},\"panelIndex\":\"b0289aae-02bb-472e-8a22-07ff9f5d2372\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Process Reputation\",\"field\":\"carbon_black_cloud.watchlist_hit.process.reputation\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"searchSource\":{\"filter\":[],\"index\":\"logs-*\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset: 
\\\"carbon_black_cloud.watchlist_hit\\\"\"}}},\"description\":\"\",\"id\":\"\",\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":false,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"\",\"type\":\"pie\",\"uiState\":{\"vis\":{\"legendOpen\":true}}},\"vis\":{\"legendOpen\":true}},\"gridData\":{\"h\":15,\"i\":\"d29f5a98-736d-4f47-877e-b4552d15f889\",\"w\":24,\"x\":0,\"y\":30},\"panelIndex\":\"d29f5a98-736d-4f47-877e-b4552d15f889\",\"title\":\"[Carbon Black Cloud] Distribution of Watchlist Hit by Process Reputation\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Parent Process Reputation\",\"field\":\"carbon_black_cloud.watchlist_hit.process.parent.reputation\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"searchSource\":{\"filter\":[],\"index\":\"logs-*\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset: 
\\\"carbon_black_cloud.watchlist_hit\\\"\"}}},\"description\":\"\",\"id\":\"\",\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":false,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"[Carbon Black Cloud] Distribution of Watchlist Hit by Process Reputation\",\"type\":\"pie\",\"uiState\":{\"vis\":{\"legendOpen\":true}}},\"vis\":{\"legendOpen\":true}},\"gridData\":{\"h\":15,\"i\":\"ae5c96d5-b7d6-45f8-b57b-42cc190f990b\",\"w\":24,\"x\":24,\"y\":30},\"panelIndex\":\"ae5c96d5-b7d6-45f8-b57b-42cc190f990b\",\"title\":\"[Carbon Black Cloud] Distribution of Watchlist Hit by Parent Process Reputation\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"f3ba83bc-4f34-4131-9a0c-bac18ec92ac0\",\"w\":24,\"x\":0,\"y\":45},\"panelIndex\":\"f3ba83bc-4f34-4131-9a0c-bac18ec92ac0\",\"panelRefName\":\"panel_1\",\"title\":\"[Carbon Black Cloud] Top 10 Process Publisher 
Names\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"5271fb1f-64a6-461e-b2de-4abc76736af6\",\"w\":24,\"x\":24,\"y\":45},\"panelIndex\":\"5271fb1f-64a6-461e-b2de-4abc76736af6\",\"panelRefName\":\"panel_2\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"9c2fdcbe-43cb-4070-88ef-03e6e5082636\",\"w\":24,\"x\":0,\"y\":60},\"panelIndex\":\"9c2fdcbe-43cb-4070-88ef-03e6e5082636\",\"panelRefName\":\"panel_3\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"bc0503e7-6c6d-4edf-a76e-17a74f7d0957\",\"w\":24,\"x\":24,\"y\":60},\"panelIndex\":\"bc0503e7-6c6d-4edf-a76e-17a74f7d0957\",\"panelRefName\":\"panel_4\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"legendOpen\":true}},\"gridData\":{\"h\":15,\"i\":\"d02cda3a-ceef-4766-b25b-456733be2a66\",\"w\":24,\"x\":0,\"y\":75},\"panelIndex\":\"d02cda3a-ceef-4766-b25b-456733be2a66\",\"panelRefName\":\"panel_5\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"5b66a72e-ce08-441c-8705-bb632b896745\",\"w\":24,\"x\":24,\"y\":75},\"panelIndex\":\"5b66a72e-ce08-441c-8705-bb632b896745\",\"panelRefName\":\"panel_6\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"6bff08c7-8ffb-423e-87de-f7585aa6bc86\",\"w\":24,\"x\":0,\"y\":90},\"panelIndex\":\"6bff08c7-8ffb-423e-87de-f7585aa6bc86\",\"panelRefName\":\"panel_7\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"437c123b-c447-476e-a28b-f3d965a50968\",\"w\":24,\"x\":24,\"y\":90},\"panelIndex\":\"437c123b-c447-476e-a28b-f3d965a50968\",\"panelRefName\":\"panel_8\",\"type\":\"visualiz
ation\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"33d80097-0089-4b48-8fd9-5dcda9e58e48\",\"w\":24,\"x\":0,\"y\":105},\"panelIndex\":\"33d80097-0089-4b48-8fd9-5dcda9e58e48\",\"panelRefName\":\"panel_9\",\"title\":\"[Carbon Black Cloud] Top 10 Process Publisher States\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"50a006ac-7108-47e5-adef-876c15fc8b44\",\"w\":24,\"x\":24,\"y\":105},\"panelIndex\":\"50a006ac-7108-47e5-adef-876c15fc8b44\",\"panelRefName\":\"panel_10\",\"title\":\"[Carbon Black Cloud] Top 10 Parent Process Publisher States\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":31,\"i\":\"cfec84cb-87af-4b98-b855-17372eee70c8\",\"w\":48,\"x\":0,\"y\":120},\"panelIndex\":\"cfec84cb-87af-4b98-b855-17372eee70c8\",\"panelRefName\":\"panel_11\",\"type\":\"search\",\"version\":\"7.17.0\"}]", - "timeRestore": false, - "title": "[Carbon Black Cloud] Watchlist Hit", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-e226d530-9554-11ec-96f0-8de26c63c826", - "migrationVersion": { - "dashboard": "7.17.0" - }, - "references": [ - { - "id": "carbon_black_cloud-c3786990-9555-11ec-96f0-8de26c63c826", - "name": "panel_0", - "type": "visualization" - }, - { - "id": "logs-*", - "name": "4f7b5cef-a7e9-44a9-8769-44d5326a8df4:kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "3d454d18-6baa-40de-aa94-4ebfaee9a759:kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "b0289aae-02bb-472e-8a22-07ff9f5d2372:kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": 
"d29f5a98-736d-4f47-877e-b4552d15f889:kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "ae5c96d5-b7d6-45f8-b57b-42cc190f990b:kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "carbon_black_cloud-3aa59c50-955a-11ec-96f0-8de26c63c826", - "name": "panel_1", - "type": "visualization" - }, - { - "id": "carbon_black_cloud-6fcd17f0-955a-11ec-96f0-8de26c63c826", - "name": "panel_2", - "type": "visualization" - }, - { - "id": "carbon_black_cloud-bb323db0-955a-11ec-96f0-8de26c63c826", - "name": "panel_3", - "type": "visualization" - }, - { - "id": "carbon_black_cloud-de59dff0-955a-11ec-96f0-8de26c63c826", - "name": "panel_4", - "type": "visualization" - }, - { - "id": "carbon_black_cloud-17537cc0-955c-11ec-96f0-8de26c63c826", - "name": "panel_5", - "type": "visualization" - }, - { - "id": "carbon_black_cloud-4dc9e690-955c-11ec-96f0-8de26c63c826", - "name": "panel_6", - "type": "visualization" - }, - { - "id": "carbon_black_cloud-715f3ec0-955c-11ec-96f0-8de26c63c826", - "name": "panel_7", - "type": "visualization" - }, - { - "id": "carbon_black_cloud-cb70a610-955c-11ec-96f0-8de26c63c826", - "name": "panel_8", - "type": "visualization" - }, - { - "id": "carbon_black_cloud-0296fef0-955d-11ec-96f0-8de26c63c826", - "name": "panel_9", - "type": "visualization" - }, - { - "id": "carbon_black_cloud-28323940-955d-11ec-96f0-8de26c63c826", - "name": "panel_10", - "type": "visualization" - }, - { - "id": "carbon_black_cloud-3ea9c2a0-955e-11ec-96f0-8de26c63c826", - "name": "panel_11", - "type": "search" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.3.0/kibana/search/carbon_black_cloud-3ea9c2a0-955e-11ec-96f0-8de26c63c826.json b/packages/carbon_black_cloud/1.3.0/kibana/search/carbon_black_cloud-3ea9c2a0-955e-11ec-96f0-8de26c63c826.json deleted file mode 100755 index fde5382f93..0000000000 
--- a/packages/carbon_black_cloud/1.3.0/kibana/search/carbon_black_cloud-3ea9c2a0-955e-11ec-96f0-8de26c63c826.json
+++ /dev/null
@@ -1,39 +0,0 @@
-{
- "attributes": {
- "columns": [
- "carbon_black_cloud.watchlist_hit.watchlists.name",
- "process.command_line",
- "process.parent.command_line",
- "process.executable",
- "process.parent.executable",
- "carbon_black_cloud.watchlist_hit.ioc.id",
- "carbon_black_cloud.watchlist_hit.ioc.hit"
- ],
- "description": "",
- "grid": {},
- "hideChart": false,
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset: \\\"carbon_black_cloud.watchlist_hit\\\"\"}}"
- },
- "sort": [
- [
- "@timestamp",
- "desc"
- ]
- ],
- "title": "[Carbon Black Cloud] Watchlist Hit Essential Details"
- },
- "coreMigrationVersion": "7.17.0",
- "id": "carbon_black_cloud-3ea9c2a0-955e-11ec-96f0-8de26c63c826",
- "migrationVersion": {
- "search": "7.9.3"
- },
- "references": [
- {
- "id": "logs-*",
- "name": "kibanaSavedObjectMeta.searchSourceJSON.index",
- "type": "index-pattern"
- }
- ],
- "type": "search"
-}
\ No newline at end of file
diff --git a/packages/carbon_black_cloud/1.3.0/kibana/search/carbon_black_cloud-4272e690-8d71-11ec-ac12-4bc77fa14e95.json b/packages/carbon_black_cloud/1.3.0/kibana/search/carbon_black_cloud-4272e690-8d71-11ec-ac12-4bc77fa14e95.json
deleted file mode 100755
index fdc104f3b2..0000000000
--- a/packages/carbon_black_cloud/1.3.0/kibana/search/carbon_black_cloud-4272e690-8d71-11ec-ac12-4bc77fa14e95.json
+++ /dev/null
@@ -1,36 +0,0 @@ -{ - "attributes": { - "columns": [ - "event.id", - "client.user.id", - "event.reason", - "client.ip" - ], - "description": "", - "grid": {}, - "hideChart": true, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.audit\\\"\"}}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "[Carbon Black Cloud] Audit Essential Details" - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-4272e690-8d71-11ec-ac12-4bc77fa14e95", - "migrationVersion": { - "search": "7.9.3" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.3.0/kibana/search/carbon_black_cloud-6494a7e0-9640-11ec-864c-3332b2a355f7.json b/packages/carbon_black_cloud/1.3.0/kibana/search/carbon_black_cloud-6494a7e0-9640-11ec-864c-3332b2a355f7.json deleted file mode 100755 index 800a5cb006..0000000000 --- a/packages/carbon_black_cloud/1.3.0/kibana/search/carbon_black_cloud-6494a7e0-9640-11ec-864c-3332b2a355f7.json +++ /dev/null 
@@ -1,39 +0,0 @@ -{ - "attributes": { - "columns": [ - "carbon_black_cloud.endpoint_event.type", - "process.command_line", - "process.parent.command_line", - "dll.path", - "carbon_black_cloud.endpoint_event.target_cmdline", - "process.executable", - "process.parent.executable" - ], - "description": "", - "grid": {}, - "hideChart": false, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.endpoint_event\\\"\"}}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "[Carbon Black Cloud] Endpoint Events Essential Details" - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-6494a7e0-9640-11ec-864c-3332b2a355f7", - "migrationVersion": { - "search": "7.9.3" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.3.0/kibana/search/carbon_black_cloud-6e41bd70-8d8d-11ec-ac12-4bc77fa14e95.json b/packages/carbon_black_cloud/1.3.0/kibana/search/carbon_black_cloud-6e41bd70-8d8d-11ec-ac12-4bc77fa14e95.json deleted file mode 100755 index 1a37e59347..0000000000 --- a/packages/carbon_black_cloud/1.3.0/kibana/search/carbon_black_cloud-6e41bd70-8d8d-11ec-ac12-4bc77fa14e95.json +++ /dev/null 
@@ -1,37 +0,0 @@ -{ - "attributes": { - "columns": [ - "event.id", - "event.reason", - "event.url", - "carbon_black_cloud.alert.threat_indicators.process_name", - "carbon_black_cloud.alert.category" - ], - "description": "", - "grid": {}, - "hideChart": true, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.alert\\\"\"}}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "[Carbon Black Cloud] Alerts Essential Details" - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-6e41bd70-8d8d-11ec-ac12-4bc77fa14e95", - "migrationVersion": { - "search": "7.9.3" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.3.0/kibana/search/carbon_black_cloud-dcc2d650-90a6-11ec-8b9d-35e42c3f7fcf.json b/packages/carbon_black_cloud/1.3.0/kibana/search/carbon_black_cloud-dcc2d650-90a6-11ec-8b9d-35e42c3f7fcf.json deleted file mode 100755 index c060c3bd41..0000000000 --- a/packages/carbon_black_cloud/1.3.0/kibana/search/carbon_black_cloud-dcc2d650-90a6-11ec-8b9d-35e42c3f7fcf.json +++ /dev/null 
@@ -1,36 +0,0 @@ -{ - "attributes": { - "columns": [ - "host.hostname", - "vulnerability.severity", - "vulnerability.score.base", - "carbon_black_cloud.asset_vulnerability_summary.vuln_count" - ], - "description": "", - "grid": {}, - "hideChart": false, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.asset_vulnerability_summary\\\"\"}}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "[Carbon Black Cloud] Asset Vulnerability Assessment Essential Details" - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-dcc2d650-90a6-11ec-8b9d-35e42c3f7fcf", - "migrationVersion": { - "search": "7.9.3" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.3.0/kibana/visualization/carbon_black_cloud-0296fef0-955d-11ec-96f0-8de26c63c826.json b/packages/carbon_black_cloud/1.3.0/kibana/visualization/carbon_black_cloud-0296fef0-955d-11ec-96f0-8de26c63c826.json deleted file mode 100755 index bf6bf9170c..0000000000 --- a/packages/carbon_black_cloud/1.3.0/kibana/visualization/carbon_black_cloud-0296fef0-955d-11ec-96f0-8de26c63c826.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.watchlist_hit\\\"\"}}" - }, - "title": "[Carbon Black Cloud] Top 10 Process Publisher State", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Process Publisher State\",\"field\":\"carbon_black_cloud.watchlist_hit.process.publisher.state\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Carbon Black Cloud] Top 10 Process Publisher State\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-0296fef0-955d-11ec-96f0-8de26c63c826", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.3.0/kibana/visualization/carbon_black_cloud-0a8f5e90-8d79-11ec-ac12-4bc77fa14e95.json b/packages/carbon_black_cloud/1.3.0/kibana/visualization/carbon_black_cloud-0a8f5e90-8d79-11ec-ac12-4bc77fa14e95.json deleted file mode 100755 index 329118ed72..0000000000 --- a/packages/carbon_black_cloud/1.3.0/kibana/visualization/carbon_black_cloud-0a8f5e90-8d79-11ec-ac12-4bc77fa14e95.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.alert\\\"\"}}" - }, - "title": "[Carbon Black Cloud] Distribution of Alerts by OS, OS version", - "uiStateJSON": "{\"vis\":{\"legendOpen\":true}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"OS\",\"field\":\"host.os.type\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"OS Version\",\"field\":\"host.os.version\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":false,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":true,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"[Carbon Black Cloud] Distribution of Alerts by OS, OS version\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-0a8f5e90-8d79-11ec-ac12-4bc77fa14e95", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } 
- ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.3.0/kibana/visualization/carbon_black_cloud-0f420ad0-8d71-11ec-ac12-4bc77fa14e95.json b/packages/carbon_black_cloud/1.3.0/kibana/visualization/carbon_black_cloud-0f420ad0-8d71-11ec-ac12-4bc77fa14e95.json deleted file mode 100755 index fb78529067..0000000000 --- a/packages/carbon_black_cloud/1.3.0/kibana/visualization/carbon_black_cloud-0f420ad0-8d71-11ec-ac12-4bc77fa14e95.json +++ /dev/null @@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.audit\\\"\"}}" - }, - "title": "[Carbon Black Cloud] Top 10 Client IPs", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Client IPs\",\"field\":\"client.ip\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Carbon Black Cloud] Top 10 Client IPs\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-0f420ad0-8d71-11ec-ac12-4bc77fa14e95", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/carbon_black_cloud/1.3.0/kibana/visualization/carbon_black_cloud-10f699d0-8d8b-11ec-ac12-4bc77fa14e95.json b/packages/carbon_black_cloud/1.3.0/kibana/visualization/carbon_black_cloud-10f699d0-8d8b-11ec-ac12-4bc77fa14e95.json deleted file mode 100755 index edfb4ab922..0000000000 --- a/packages/carbon_black_cloud/1.3.0/kibana/visualization/carbon_black_cloud-10f699d0-8d8b-11ec-ac12-4bc77fa14e95.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.alert\\\"\"}}" - }, - "title": "[Carbon Black Cloud] Distribution of Alerts by Threat Indicators TTPS", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Threat Indicators TTPS\",\"field\":\"carbon_black_cloud.alert.threat_indicators.ttps\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":200},\"position\":\"left\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"labels\":{},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"radiusRatio\":0,\"seriesParams\":[{\"circlesRadius\":1,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"normal\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"truncateLegend\":true,\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":true,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"posit
ion\":\"bottom\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"[Carbon Black Cloud] Distribution of Alerts by Threat Indicators TTPS\",\"type\":\"horizontal_bar\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-10f699d0-8d8b-11ec-ac12-4bc77fa14e95", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.3.0/kibana/visualization/carbon_black_cloud-11df3480-9630-11ec-864c-3332b2a355f7.json b/packages/carbon_black_cloud/1.3.0/kibana/visualization/carbon_black_cloud-11df3480-9630-11ec-864c-3332b2a355f7.json deleted file mode 100755 index e058315a1e..0000000000 --- a/packages/carbon_black_cloud/1.3.0/kibana/visualization/carbon_black_cloud-11df3480-9630-11ec-864c-3332b2a355f7.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.endpoint_event\\\"\"}}" - }, - "title": "[Carbon Black Cloud] Top 10 Actions", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Actions\",\"field\":\"event.action\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":200},\"position\":\"left\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"labels\":{},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"radiusRatio\":0,\"seriesParams\":[{\"circlesRadius\":1,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"normal\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"truncateLegend\":true,\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":true,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"bottom\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show
\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"[Carbon Black Cloud] Top 10 Actions\",\"type\":\"horizontal_bar\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-11df3480-9630-11ec-864c-3332b2a355f7", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.3.0/kibana/visualization/carbon_black_cloud-17537cc0-955c-11ec-96f0-8de26c63c826.json b/packages/carbon_black_cloud/1.3.0/kibana/visualization/carbon_black_cloud-17537cc0-955c-11ec-96f0-8de26c63c826.json deleted file mode 100755 index e9926e3521..0000000000 --- a/packages/carbon_black_cloud/1.3.0/kibana/visualization/carbon_black_cloud-17537cc0-955c-11ec-96f0-8de26c63c826.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset: \\\"carbon_black_cloud.watchlist_hit\\\"\"}}" - }, - "title": "[Carbon Black Cloud] Distribution of Watchlist Hit by OS", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"OS\",\"field\":\"carbon_black_cloud.watchlist_hit.device.os\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":false,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"[Carbon Black Cloud] Distribution of Watchlist Hit by OS\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-17537cc0-955c-11ec-96f0-8de26c63c826", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/carbon_black_cloud/1.3.0/kibana/visualization/carbon_black_cloud-1b554010-8d73-11ec-ac12-4bc77fa14e95.json b/packages/carbon_black_cloud/1.3.0/kibana/visualization/carbon_black_cloud-1b554010-8d73-11ec-ac12-4bc77fa14e95.json deleted file mode 100755 index 5c97a8d4eb..0000000000 --- a/packages/carbon_black_cloud/1.3.0/kibana/visualization/carbon_black_cloud-1b554010-8d73-11ec-ac12-4bc77fa14e95.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.alert\\\"\"}}" - }, - "title": "[Carbon Black Cloud] Distribution of Alerts by Severity", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Severity\",\"field\":\"event.severity\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":false,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"[Carbon Black Cloud] Distribution of Alerts by Severity\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-1b554010-8d73-11ec-ac12-4bc77fa14e95", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/carbon_black_cloud/1.3.0/kibana/visualization/carbon_black_cloud-28323940-955d-11ec-96f0-8de26c63c826.json b/packages/carbon_black_cloud/1.3.0/kibana/visualization/carbon_black_cloud-28323940-955d-11ec-96f0-8de26c63c826.json deleted file mode 100755 index 8bb3adabfb..0000000000 --- a/packages/carbon_black_cloud/1.3.0/kibana/visualization/carbon_black_cloud-28323940-955d-11ec-96f0-8de26c63c826.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.watchlist_hit\\\"\"}}" - }, - "title": "[Carbon Black Cloud] Top 10 Parent Process Publisher State", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Parent Process Publisher State\",\"field\":\"carbon_black_cloud.watchlist_hit.process.parent.publisher.state\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Carbon Black Cloud] Top 10 Parent Process Publisher State\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-28323940-955d-11ec-96f0-8de26c63c826", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.3.0/kibana/visualization/carbon_black_cloud-2be6ad50-962f-11ec-864c-3332b2a355f7.json b/packages/carbon_black_cloud/1.3.0/kibana/visualization/carbon_black_cloud-2be6ad50-962f-11ec-864c-3332b2a355f7.json deleted file mode 100755 index 7bec55f465..0000000000 
--- a/packages/carbon_black_cloud/1.3.0/kibana/visualization/carbon_black_cloud-2be6ad50-962f-11ec-864c-3332b2a355f7.json +++ /dev/null @@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.endpoint_event\\\"\"}}" - }, - "title": "[Carbon Black Cloud] Top 10 Child Process Username", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Child Process Username\",\"field\":\"carbon_black_cloud.endpoint_event.childproc.username\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":9},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Carbon Black Cloud] Top 10 Child Process Username\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-2be6ad50-962f-11ec-864c-3332b2a355f7", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.3.0/kibana/visualization/carbon_black_cloud-2d1eedf0-9629-11ec-8b9d-35e42c3f7fcf.json b/packages/carbon_black_cloud/1.3.0/kibana/visualization/carbon_black_cloud-2d1eedf0-9629-11ec-8b9d-35e42c3f7fcf.json deleted file mode 100755 index e4b7fe64f8..0000000000 
--- a/packages/carbon_black_cloud/1.3.0/kibana/visualization/carbon_black_cloud-2d1eedf0-9629-11ec-8b9d-35e42c3f7fcf.json +++ /dev/null @@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.asset_vulnerability_summary\\\"\"}}" - }, - "title": "[Carbon Black Cloud] Distribution of Asset Vulnerability Summary by Type", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Type\",\"field\":\"carbon_black_cloud.asset_vulnerability_summary.type\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":false,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"[Carbon Black Cloud] Distribution of Asset Vulnerability Summary by Type\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-2d1eedf0-9629-11ec-8b9d-35e42c3f7fcf", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/carbon_black_cloud/1.3.0/kibana/visualization/carbon_black_cloud-2d324250-963e-11ec-864c-3332b2a355f7.json b/packages/carbon_black_cloud/1.3.0/kibana/visualization/carbon_black_cloud-2d324250-963e-11ec-864c-3332b2a355f7.json deleted file mode 100755 index 6b1cb56ea0..0000000000 --- a/packages/carbon_black_cloud/1.3.0/kibana/visualization/carbon_black_cloud-2d324250-963e-11ec-864c-3332b2a355f7.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.endpoint_event\\\"\"}}" - }, - "title": "[Carbon Black Cloud] Distribution of Endpoint Events by Event Origin", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Event Origin\",\"field\":\"carbon_black_cloud.endpoint_event.event_origin\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":200},\"position\":\"left\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"labels\":{},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"radiusRatio\":0,\"seriesParams\":[{\"circlesRadius\":1,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"normal\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"truncateLegend\":true,\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":true,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"bottom\",\"scale\":{
\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"\"},\"type\":\"value\"}]},\"title\":\"[Carbon Black Cloud] Distribution of Endpoint Events by Event Origin\",\"type\":\"horizontal_bar\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-2d324250-963e-11ec-864c-3332b2a355f7", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.3.0/kibana/visualization/carbon_black_cloud-2eafd430-8d83-11ec-ac12-4bc77fa14e95.json b/packages/carbon_black_cloud/1.3.0/kibana/visualization/carbon_black_cloud-2eafd430-8d83-11ec-ac12-4bc77fa14e95.json deleted file mode 100755 index c59f3f2623..0000000000 --- a/packages/carbon_black_cloud/1.3.0/kibana/visualization/carbon_black_cloud-2eafd430-8d83-11ec-ac12-4bc77fa14e95.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.alert\\\"\"}}" - }, - "title": "[Carbon Black Cloud] Distribution of Alerts by Category of the Threat Cause", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Category of the Threat Cause\",\"field\":\"carbon_black_cloud.alert.threat_cause.threat_category\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":200},\"position\":\"left\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"labels\":{},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"radiusRatio\":0,\"seriesParams\":[{\"circlesRadius\":1,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"normal\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"truncateLegend\":true,\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":true,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"Le
ftAxis-1\",\"position\":\"bottom\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"[Carbon Black Cloud] Distribution of Alerts by Category of the Threat Cause\",\"type\":\"horizontal_bar\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-2eafd430-8d83-11ec-ac12-4bc77fa14e95", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.3.0/kibana/visualization/carbon_black_cloud-3aa59c50-955a-11ec-96f0-8de26c63c826.json b/packages/carbon_black_cloud/1.3.0/kibana/visualization/carbon_black_cloud-3aa59c50-955a-11ec-96f0-8de26c63c826.json deleted file mode 100755 index 0a01e78828..0000000000 --- a/packages/carbon_black_cloud/1.3.0/kibana/visualization/carbon_black_cloud-3aa59c50-955a-11ec-96f0-8de26c63c826.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset: \\\"carbon_black_cloud.watchlist_hit\\\"\"}}" - }, - "title": "[Carbon Black Cloud] Top 10 Process Publisher Name", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Process Publisher Name\",\"field\":\"carbon_black_cloud.watchlist_hit.process.publisher.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Carbon Black Cloud] Top 10 Process Publisher Name\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-3aa59c50-955a-11ec-96f0-8de26c63c826", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.3.0/kibana/visualization/carbon_black_cloud-3afe1750-9630-11ec-864c-3332b2a355f7.json b/packages/carbon_black_cloud/1.3.0/kibana/visualization/carbon_black_cloud-3afe1750-9630-11ec-864c-3332b2a355f7.json deleted file mode 100755 index 682f389163..0000000000 --- a/packages/carbon_black_cloud/1.3.0/kibana/visualization/carbon_black_cloud-3afe1750-9630-11ec-864c-3332b2a355f7.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.endpoint_event\\\"\"}}" - }, - "title": "[Carbon Black Cloud] Distribution of Endpoint Events by OS", - "uiStateJSON": "{\"vis\":{\"legendOpen\":true}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Device OS\",\"field\":\"carbon_black_cloud.endpoint_event.device.os\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":false,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"[Carbon Black Cloud] Distribution of Endpoint Events by OS\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-3afe1750-9630-11ec-864c-3332b2a355f7", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/carbon_black_cloud/1.3.0/kibana/visualization/carbon_black_cloud-4dc9e690-955c-11ec-96f0-8de26c63c826.json b/packages/carbon_black_cloud/1.3.0/kibana/visualization/carbon_black_cloud-4dc9e690-955c-11ec-96f0-8de26c63c826.json deleted file mode 100755 index 7af6d5ad55..0000000000 --- a/packages/carbon_black_cloud/1.3.0/kibana/visualization/carbon_black_cloud-4dc9e690-955c-11ec-96f0-8de26c63c826.json +++ /dev/null @@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset: \\\"carbon_black_cloud.watchlist_hit\\\"\"}}" - }, - "title": "[Carbon Black Cloud] Top 10 IOC Hits", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"IOC Hit\",\"field\":\"carbon_black_cloud.watchlist_hit.ioc.hit\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Carbon Black Cloud] Top 10 IOC Hits\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-4dc9e690-955c-11ec-96f0-8de26c63c826", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/carbon_black_cloud/1.3.0/kibana/visualization/carbon_black_cloud-52fde850-8d73-11ec-ac12-4bc77fa14e95.json b/packages/carbon_black_cloud/1.3.0/kibana/visualization/carbon_black_cloud-52fde850-8d73-11ec-ac12-4bc77fa14e95.json deleted file mode 100755 index 1c116157a2..0000000000 --- a/packages/carbon_black_cloud/1.3.0/kibana/visualization/carbon_black_cloud-52fde850-8d73-11ec-ac12-4bc77fa14e95.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.alert\\\"\"}}" - }, - "title": "[Carbon Black Cloud] Distribution of Alerts by Category", - "uiStateJSON": "{\"vis\":{\"legendOpen\":true}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Category\",\"field\":\"carbon_black_cloud.alert.category\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":false,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"[Carbon Black Cloud] Distribution of Alerts by Category\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-52fde850-8d73-11ec-ac12-4bc77fa14e95", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/carbon_black_cloud/1.3.0/kibana/visualization/carbon_black_cloud-53d65ef0-962f-11ec-864c-3332b2a355f7.json b/packages/carbon_black_cloud/1.3.0/kibana/visualization/carbon_black_cloud-53d65ef0-962f-11ec-864c-3332b2a355f7.json deleted file mode 100755 index 3ced47d3fe..0000000000 --- a/packages/carbon_black_cloud/1.3.0/kibana/visualization/carbon_black_cloud-53d65ef0-962f-11ec-864c-3332b2a355f7.json +++ /dev/null @@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.endpoint_event\\\"\"}}" - }, - "title": "[Carbon Black Cloud] Top 10 Process Publisher State", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Process Publisher State\",\"field\":\"carbon_black_cloud.endpoint_event.process.publisher.state\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Carbon Black Cloud] Top 10 Process Publisher State\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-53d65ef0-962f-11ec-864c-3332b2a355f7", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/carbon_black_cloud/1.3.0/kibana/visualization/carbon_black_cloud-56130b90-954a-11ec-8b9d-35e42c3f7fcf.json b/packages/carbon_black_cloud/1.3.0/kibana/visualization/carbon_black_cloud-56130b90-954a-11ec-8b9d-35e42c3f7fcf.json deleted file mode 100755 index 60cf2f819b..0000000000 --- a/packages/carbon_black_cloud/1.3.0/kibana/visualization/carbon_black_cloud-56130b90-954a-11ec-8b9d-35e42c3f7fcf.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.asset_vulnerability_summary\\\"\"}}" - }, - "title": "Distribution of Asset Vulnerability Summary by OS Type, OS Version", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"OS Type\",\"field\":\"host.os.type\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"OS Version\",\"field\":\"host.os.version\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":false,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"row\":true,\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"Distribution of Asset Vulnerability Summary by OS Type, OS Version\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-56130b90-954a-11ec-8b9d-35e42c3f7fcf", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - 
], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.3.0/kibana/visualization/carbon_black_cloud-5c122d10-8d83-11ec-ac12-4bc77fa14e95.json b/packages/carbon_black_cloud/1.3.0/kibana/visualization/carbon_black_cloud-5c122d10-8d83-11ec-ac12-4bc77fa14e95.json deleted file mode 100755 index 811d8c6112..0000000000 --- a/packages/carbon_black_cloud/1.3.0/kibana/visualization/carbon_black_cloud-5c122d10-8d83-11ec-ac12-4bc77fa14e95.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.alert\\\"\"}}" - }, - "title": "[Carbon Black Cloud] Distribution of Alerts by Source of the Threat Cause", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Source of the Threat Cause\",\"field\":\"carbon_black_cloud.alert.threat_cause.vector\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":200},\"position\":\"left\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"labels\":{},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"radiusRatio\":0,\"seriesParams\":[{\"circlesRadius\":1,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"normal\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"truncateLegend\":true,\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":true,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"
position\":\"bottom\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"[Carbon Black Cloud] Distribution of Alerts by Source of the Threat Cause\",\"type\":\"horizontal_bar\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-5c122d10-8d83-11ec-ac12-4bc77fa14e95", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.3.0/kibana/visualization/carbon_black_cloud-5c6ce550-8d85-11ec-ac12-4bc77fa14e95.json b/packages/carbon_black_cloud/1.3.0/kibana/visualization/carbon_black_cloud-5c6ce550-8d85-11ec-ac12-4bc77fa14e95.json deleted file mode 100755 index e390c83ecc..0000000000 --- a/packages/carbon_black_cloud/1.3.0/kibana/visualization/carbon_black_cloud-5c6ce550-8d85-11ec-ac12-4bc77fa14e95.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.alert\\\"\"}}" - }, - "title": "[Carbon Black Cloud] Distribution of Alerts by IOC field", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"IOC Field\",\"field\":\"carbon_black_cloud.alert.ioc.field\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":200},\"position\":\"left\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"labels\":{},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"radiusRatio\":0,\"seriesParams\":[{\"circlesRadius\":1,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"normal\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"truncateLegend\":true,\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":true,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"bottom\",\"scale\":{\"mode\":\"
normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"[Carbon Black Cloud] Distribution of Alerts by IOC field\",\"type\":\"horizontal_bar\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-5c6ce550-8d85-11ec-ac12-4bc77fa14e95", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.3.0/kibana/visualization/carbon_black_cloud-68a6c080-954a-11ec-8b9d-35e42c3f7fcf.json b/packages/carbon_black_cloud/1.3.0/kibana/visualization/carbon_black_cloud-68a6c080-954a-11ec-8b9d-35e42c3f7fcf.json deleted file mode 100755 index 02160d4bea..0000000000 --- a/packages/carbon_black_cloud/1.3.0/kibana/visualization/carbon_black_cloud-68a6c080-954a-11ec-8b9d-35e42c3f7fcf.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.asset_vulnerability_summary\\\"\"}}" - }, - "title": "Top 10 OS Names", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"OS Names\",\"field\":\"host.os.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"row\":false,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"Top 10 OS Names\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-68a6c080-954a-11ec-8b9d-35e42c3f7fcf", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.3.0/kibana/visualization/carbon_black_cloud-6bfd1770-954a-11ec-8b9d-35e42c3f7fcf.json b/packages/carbon_black_cloud/1.3.0/kibana/visualization/carbon_black_cloud-6bfd1770-954a-11ec-8b9d-35e42c3f7fcf.json deleted file mode 100755 index 6c64141f00..0000000000 --- a/packages/carbon_black_cloud/1.3.0/kibana/visualization/carbon_black_cloud-6bfd1770-954a-11ec-8b9d-35e42c3f7fcf.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.asset_vulnerability_summary\\\"\"}}" - }, - "title": "Top 10 Hosts with Highest Vulnerability Count", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Vulnerability Count\",\"field\":\"carbon_black_cloud.asset_vulnerability_summary.vuln_count\"},\"schema\":\"metric\",\"type\":\"max\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Hostname\",\"field\":\"host.hostname\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"Top 10 Hosts with Highest Vulnerability Count\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-6bfd1770-954a-11ec-8b9d-35e42c3f7fcf", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.3.0/kibana/visualization/carbon_black_cloud-6efc6240-8d8a-11ec-ac12-4bc77fa14e95.json b/packages/carbon_black_cloud/1.3.0/kibana/visualization/carbon_black_cloud-6efc6240-8d8a-11ec-ac12-4bc77fa14e95.json deleted file mode 100755 index 630d474e6e..0000000000 
--- a/packages/carbon_black_cloud/1.3.0/kibana/visualization/carbon_black_cloud-6efc6240-8d8a-11ec-ac12-4bc77fa14e95.json +++ /dev/null @@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.alert\\\"\"}}" - }, - "title": "[Carbon Black Cloud] Distribution of Alerts by Workflow State", - "uiStateJSON": "{\"vis\":{\"legendOpen\":true}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Workflow State\",\"field\":\"carbon_black_cloud.alert.workflow.state\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":false,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"[Carbon Black Cloud] Distribution of Alerts by Workflow State\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-6efc6240-8d8a-11ec-ac12-4bc77fa14e95", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/carbon_black_cloud/1.3.0/kibana/visualization/carbon_black_cloud-6fcd17f0-955a-11ec-96f0-8de26c63c826.json b/packages/carbon_black_cloud/1.3.0/kibana/visualization/carbon_black_cloud-6fcd17f0-955a-11ec-96f0-8de26c63c826.json deleted file mode 100755 index 228daf684c..0000000000 --- a/packages/carbon_black_cloud/1.3.0/kibana/visualization/carbon_black_cloud-6fcd17f0-955a-11ec-96f0-8de26c63c826.json +++ /dev/null @@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset: \\\"carbon_black_cloud.watchlist_hit\\\"\"}}" - }, - "title": "[Carbon Black Cloud] Top 10 Parent Process Publisher Names", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Parent Process Publisher Name\",\"field\":\"carbon_black_cloud.watchlist_hit.process.parent.publisher.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Carbon Black Cloud] Top 10 Parent Process Publisher Names\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-6fcd17f0-955a-11ec-96f0-8de26c63c826", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/carbon_black_cloud/1.3.0/kibana/visualization/carbon_black_cloud-70cdb250-954a-11ec-8b9d-35e42c3f7fcf.json b/packages/carbon_black_cloud/1.3.0/kibana/visualization/carbon_black_cloud-70cdb250-954a-11ec-8b9d-35e42c3f7fcf.json deleted file mode 100755 index 1bd12c5d2e..0000000000 --- a/packages/carbon_black_cloud/1.3.0/kibana/visualization/carbon_black_cloud-70cdb250-954a-11ec-8b9d-35e42c3f7fcf.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.asset_vulnerability_summary\\\"\"}}" - }, - "title": "Distribution of Asset Vulnerability Summary by Severity", - "uiStateJSON": "{\"vis\":{\"legendOpen\":false}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Severity\",\"field\":\"vulnerability.severity\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":false,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"Distribution of Asset Vulnerability Summary by Severity\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-70cdb250-954a-11ec-8b9d-35e42c3f7fcf", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/carbon_black_cloud/1.3.0/kibana/visualization/carbon_black_cloud-71058370-e323-11ec-8642-e7f3d8b25a9b.json b/packages/carbon_black_cloud/1.3.0/kibana/visualization/carbon_black_cloud-71058370-e323-11ec-8642-e7f3d8b25a9b.json deleted file mode 100755 index 0919e5e20a..0000000000 --- a/packages/carbon_black_cloud/1.3.0/kibana/visualization/carbon_black_cloud-71058370-e323-11ec-8642-e7f3d8b25a9b.json +++ /dev/null @@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.alert\\\"\"}}" - }, - "title": "[Carbon Black Cloud] Top 10 Threat Cause Actor Name", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Threat Cause Actor Name\",\"field\":\"carbon_black_cloud.alert.threat_cause.actor.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Carbon Black Cloud] Top 10 Threat Cause Actor Name\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-71058370-e323-11ec-8642-e7f3d8b25a9b", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/carbon_black_cloud/1.3.0/kibana/visualization/carbon_black_cloud-715f3ec0-955c-11ec-96f0-8de26c63c826.json b/packages/carbon_black_cloud/1.3.0/kibana/visualization/carbon_black_cloud-715f3ec0-955c-11ec-96f0-8de26c63c826.json deleted file mode 100755 index 0a3d26dad2..0000000000 --- a/packages/carbon_black_cloud/1.3.0/kibana/visualization/carbon_black_cloud-715f3ec0-955c-11ec-96f0-8de26c63c826.json +++ /dev/null @@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset: \\\"carbon_black_cloud.watchlist_hit\\\"\"}}" - }, - "title": "[Carbon Black Cloud] Top 10 Report Names", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Report Name\",\"field\":\"carbon_black_cloud.watchlist_hit.report.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Carbon Black Cloud] Top 10 Report Names\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-715f3ec0-955c-11ec-96f0-8de26c63c826", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/carbon_black_cloud/1.3.0/kibana/visualization/carbon_black_cloud-750fefe0-954a-11ec-8b9d-35e42c3f7fcf.json b/packages/carbon_black_cloud/1.3.0/kibana/visualization/carbon_black_cloud-750fefe0-954a-11ec-8b9d-35e42c3f7fcf.json deleted file mode 100755 index 6e873422cb..0000000000 --- a/packages/carbon_black_cloud/1.3.0/kibana/visualization/carbon_black_cloud-750fefe0-954a-11ec-8b9d-35e42c3f7fcf.json +++ /dev/null @@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.asset_vulnerability_summary\\\"\"}}" - }, - "title": "Top 10 Hosts with Highest Risk Score", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Risk Score\",\"field\":\"vulnerability.score.base\"},\"schema\":\"metric\",\"type\":\"max\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Hostname\",\"field\":\"host.hostname\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"Top 10 Hosts with Highest Risk Score\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-750fefe0-954a-11ec-8b9d-35e42c3f7fcf", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/carbon_black_cloud/1.3.0/kibana/visualization/carbon_black_cloud-76fe1db0-962e-11ec-864c-3332b2a355f7.json b/packages/carbon_black_cloud/1.3.0/kibana/visualization/carbon_black_cloud-76fe1db0-962e-11ec-864c-3332b2a355f7.json deleted file mode 100755 index 48a0ff614a..0000000000 --- a/packages/carbon_black_cloud/1.3.0/kibana/visualization/carbon_black_cloud-76fe1db0-962e-11ec-864c-3332b2a355f7.json +++ /dev/null @@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.endpoint_event\\\"\"}}" - }, - "title": "[Carbon Black Cloud] Top 10 Process Publisher Name", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Process Publisher Name\",\"field\":\"carbon_black_cloud.endpoint_event.process.publisher.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Carbon Black Cloud] Top 10 Process Publisher Name\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-76fe1db0-962e-11ec-864c-3332b2a355f7", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/carbon_black_cloud/1.3.0/kibana/visualization/carbon_black_cloud-792a3310-954a-11ec-8b9d-35e42c3f7fcf.json b/packages/carbon_black_cloud/1.3.0/kibana/visualization/carbon_black_cloud-792a3310-954a-11ec-8b9d-35e42c3f7fcf.json deleted file mode 100755 index b549ad14a1..0000000000 --- a/packages/carbon_black_cloud/1.3.0/kibana/visualization/carbon_black_cloud-792a3310-954a-11ec-8b9d-35e42c3f7fcf.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.asset_vulnerability_summary\\\"\"}}" - }, - "title": "Distribution of Asset Vulnerability Summary by Sync Type", - "uiStateJSON": "{\"vis\":{\"legendOpen\":false}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Sync type\",\"field\":\"carbon_black_cloud.asset_vulnerability_summary.sync.type\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":false,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"Distribution of Asset Vulnerability Summary by Sync Type\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-792a3310-954a-11ec-8b9d-35e42c3f7fcf", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/carbon_black_cloud/1.3.0/kibana/visualization/carbon_black_cloud-7a6261e0-962f-11ec-864c-3332b2a355f7.json b/packages/carbon_black_cloud/1.3.0/kibana/visualization/carbon_black_cloud-7a6261e0-962f-11ec-864c-3332b2a355f7.json deleted file mode 100755 index 116934a90e..0000000000 --- a/packages/carbon_black_cloud/1.3.0/kibana/visualization/carbon_black_cloud-7a6261e0-962f-11ec-864c-3332b2a355f7.json +++ /dev/null @@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.endpoint_event\\\"\"}}" - }, - "title": "[Carbon Black Cloud] Top 10 Child Process Publisher State", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Child Process Publisher State\",\"field\":\"carbon_black_cloud.endpoint_event.childproc.publisher.state\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Carbon Black Cloud] Top 10 Child Process Publisher State\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-7a6261e0-962f-11ec-864c-3332b2a355f7", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/carbon_black_cloud/1.3.0/kibana/visualization/carbon_black_cloud-7caf3b20-954a-11ec-8b9d-35e42c3f7fcf.json b/packages/carbon_black_cloud/1.3.0/kibana/visualization/carbon_black_cloud-7caf3b20-954a-11ec-8b9d-35e42c3f7fcf.json deleted file mode 100755 index ebce21d74d..0000000000 --- a/packages/carbon_black_cloud/1.3.0/kibana/visualization/carbon_black_cloud-7caf3b20-954a-11ec-8b9d-35e42c3f7fcf.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.asset_vulnerability_summary\\\"\"}}" - }, - "title": "Distribution of Asset Vulnerability Summary by Sync Status", - "uiStateJSON": "{\"vis\":{\"legendOpen\":false}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Sync Status\",\"field\":\"carbon_black_cloud.asset_vulnerability_summary.sync.status\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":false,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"Distribution of Asset Vulnerability Summary by Sync Status\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-7caf3b20-954a-11ec-8b9d-35e42c3f7fcf", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/carbon_black_cloud/1.3.0/kibana/visualization/carbon_black_cloud-89932a20-8d86-11ec-ac12-4bc77fa14e95.json b/packages/carbon_black_cloud/1.3.0/kibana/visualization/carbon_black_cloud-89932a20-8d86-11ec-ac12-4bc77fa14e95.json deleted file mode 100755 index 5d57824451..0000000000 --- a/packages/carbon_black_cloud/1.3.0/kibana/visualization/carbon_black_cloud-89932a20-8d86-11ec-ac12-4bc77fa14e95.json +++ /dev/null @@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.alert\\\"\"}}" - }, - "title": "[Carbon Black Cloud] Top 10 IOC Hit", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"IOC Hit\",\"field\":\"carbon_black_cloud.alert.ioc.hit\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Carbon Black Cloud] Top 10 IOC Hit\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-89932a20-8d86-11ec-ac12-4bc77fa14e95", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/carbon_black_cloud/1.3.0/kibana/visualization/carbon_black_cloud-8af47260-8d87-11ec-ac12-4bc77fa14e95.json b/packages/carbon_black_cloud/1.3.0/kibana/visualization/carbon_black_cloud-8af47260-8d87-11ec-ac12-4bc77fa14e95.json deleted file mode 100755 index dd5f86134d..0000000000 --- a/packages/carbon_black_cloud/1.3.0/kibana/visualization/carbon_black_cloud-8af47260-8d87-11ec-ac12-4bc77fa14e95.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.alert\\\"\"}}" - }, - "title": "[Carbon Black Cloud] Distribution of Alerts by Watchlist Hit", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Watchlist Hit\",\"field\":\"carbon_black_cloud.alert.watchlists.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":200},\"position\":\"left\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"labels\":{},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"radiusRatio\":0,\"seriesParams\":[{\"circlesRadius\":1,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"normal\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"truncateLegend\":true,\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":true,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"bottom\",\"scale\
":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"[Carbon Black Cloud] Distribution of Alerts by Watchlist Hit\",\"type\":\"horizontal_bar\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-8af47260-8d87-11ec-ac12-4bc77fa14e95", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.3.0/kibana/visualization/carbon_black_cloud-906f65c0-8d81-11ec-ac12-4bc77fa14e95.json b/packages/carbon_black_cloud/1.3.0/kibana/visualization/carbon_black_cloud-906f65c0-8d81-11ec-ac12-4bc77fa14e95.json deleted file mode 100755 index 60669ee962..0000000000 --- a/packages/carbon_black_cloud/1.3.0/kibana/visualization/carbon_black_cloud-906f65c0-8d81-11ec-ac12-4bc77fa14e95.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.alert\\\"\"}}" - }, - "title": "[Carbon Black Cloud] Distribution of Alerts by Threat Cause Reputation", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Threat Cause Reputation\",\"field\":\"carbon_black_cloud.alert.threat_cause.reputation\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":200},\"position\":\"left\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"labels\":{},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"radiusRatio\":0,\"seriesParams\":[{\"circlesRadius\":1,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"normal\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"truncateLegend\":true,\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":true,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"po
sition\":\"bottom\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"[Carbon Black Cloud] Distribution of Alerts by Threat Cause Reputation\",\"type\":\"horizontal_bar\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-906f65c0-8d81-11ec-ac12-4bc77fa14e95", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.3.0/kibana/visualization/carbon_black_cloud-928cff80-8d8a-11ec-ac12-4bc77fa14e95.json b/packages/carbon_black_cloud/1.3.0/kibana/visualization/carbon_black_cloud-928cff80-8d8a-11ec-ac12-4bc77fa14e95.json deleted file mode 100755 index 19ad6bf381..0000000000 --- a/packages/carbon_black_cloud/1.3.0/kibana/visualization/carbon_black_cloud-928cff80-8d8a-11ec-ac12-4bc77fa14e95.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.alert\\\"\"}}" - }, - "title": "[Carbon Black Cloud] Top 10 Threat Indicators Process Name", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Threat Indicators Process Name\",\"field\":\"carbon_black_cloud.alert.threat_indicators.process_name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Carbon Black Cloud] Top 10 Threat Indicators Process Name\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-928cff80-8d8a-11ec-ac12-4bc77fa14e95", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.3.0/kibana/visualization/carbon_black_cloud-949c1d00-9628-11ec-864c-3332b2a355f7.json b/packages/carbon_black_cloud/1.3.0/kibana/visualization/carbon_black_cloud-949c1d00-9628-11ec-864c-3332b2a355f7.json deleted file mode 100755 index 7992c14128..0000000000 
--- a/packages/carbon_black_cloud/1.3.0/kibana/visualization/carbon_black_cloud-949c1d00-9628-11ec-864c-3332b2a355f7.json +++ /dev/null @@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.endpoint_event\\\"\"}}" - }, - "title": "[Carbon Black Cloud] Top 10 Devices", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Device Name\",\"field\":\"host.hostname\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Carbon Black Cloud] Top 10 Devices\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-949c1d00-9628-11ec-864c-3332b2a355f7", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.3.0/kibana/visualization/carbon_black_cloud-97ab53f0-8d84-11ec-ac12-4bc77fa14e95.json b/packages/carbon_black_cloud/1.3.0/kibana/visualization/carbon_black_cloud-97ab53f0-8d84-11ec-ac12-4bc77fa14e95.json deleted file mode 100755 index ebcc102bf4..0000000000 
--- a/packages/carbon_black_cloud/1.3.0/kibana/visualization/carbon_black_cloud-97ab53f0-8d84-11ec-ac12-4bc77fa14e95.json +++ /dev/null @@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.alert\\\"\"}}" - }, - "title": "[Carbon Black Cloud] Distribution of Alerts by Run State", - "uiStateJSON": "{\"vis\":{\"legendOpen\":true}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Run State\",\"field\":\"carbon_black_cloud.alert.run_state\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":false,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"[Carbon Black Cloud] Distribution of Alerts by Run State\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-97ab53f0-8d84-11ec-ac12-4bc77fa14e95", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/carbon_black_cloud/1.3.0/kibana/visualization/carbon_black_cloud-993b8650-8d83-11ec-ac12-4bc77fa14e95.json b/packages/carbon_black_cloud/1.3.0/kibana/visualization/carbon_black_cloud-993b8650-8d83-11ec-ac12-4bc77fa14e95.json deleted file mode 100755 index bf3592d08f..0000000000 --- a/packages/carbon_black_cloud/1.3.0/kibana/visualization/carbon_black_cloud-993b8650-8d83-11ec-ac12-4bc77fa14e95.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.alert\\\"\"}}" - }, - "title": "[Carbon Black Cloud] Distribution of Alerts by Blocked Threat Category", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Blocked Threat Category\",\"field\":\"carbon_black_cloud.alert.blocked_threat_category\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":200},\"position\":\"left\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"labels\":{},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"radiusRatio\":0,\"seriesParams\":[{\"circlesRadius\":1,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"normal\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"truncateLegend\":true,\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":true,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"po
sition\":\"bottom\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"[Carbon Black Cloud] Distribution of Alerts by Blocked Threat Category\",\"type\":\"horizontal_bar\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-993b8650-8d83-11ec-ac12-4bc77fa14e95", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.3.0/kibana/visualization/carbon_black_cloud-9a533f40-8d80-11ec-ac12-4bc77fa14e95.json b/packages/carbon_black_cloud/1.3.0/kibana/visualization/carbon_black_cloud-9a533f40-8d80-11ec-ac12-4bc77fa14e95.json deleted file mode 100755 index 1025e00226..0000000000 --- a/packages/carbon_black_cloud/1.3.0/kibana/visualization/carbon_black_cloud-9a533f40-8d80-11ec-ac12-4bc77fa14e95.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.alert\\\"\"}}" - }, - "title": "[Carbon Black Cloud] Distribution of Alerts by Sensor Action", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Sensor Action\",\"field\":\"carbon_black_cloud.alert.sensor_action\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":200},\"position\":\"left\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"labels\":{},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"radiusRatio\":0,\"seriesParams\":[{\"circlesRadius\":1,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"normal\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"truncateLegend\":true,\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":true,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"bottom\",\"scale\":
{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"[Carbon Black Cloud] Distribution of Alerts by Sensor Action\",\"type\":\"horizontal_bar\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-9a533f40-8d80-11ec-ac12-4bc77fa14e95", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.3.0/kibana/visualization/carbon_black_cloud-a5d6fa30-8d8c-11ec-ac12-4bc77fa14e95.json b/packages/carbon_black_cloud/1.3.0/kibana/visualization/carbon_black_cloud-a5d6fa30-8d8c-11ec-ac12-4bc77fa14e95.json deleted file mode 100755 index c4ce665f33..0000000000 --- a/packages/carbon_black_cloud/1.3.0/kibana/visualization/carbon_black_cloud-a5d6fa30-8d8c-11ec-ac12-4bc77fa14e95.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.alert\\\"\"}}" - }, - "title": "[Carbon Black Cloud] Top 10 Device Username", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Username\",\"field\":\"user.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Carbon Black Cloud] Top 10 Device Username\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-a5d6fa30-8d8c-11ec-ac12-4bc77fa14e95", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.3.0/kibana/visualization/carbon_black_cloud-a6d2a900-8d70-11ec-ac12-4bc77fa14e95.json b/packages/carbon_black_cloud/1.3.0/kibana/visualization/carbon_black_cloud-a6d2a900-8d70-11ec-ac12-4bc77fa14e95.json deleted file mode 100755 index 7db345ec9b..0000000000 --- a/packages/carbon_black_cloud/1.3.0/kibana/visualization/carbon_black_cloud-a6d2a900-8d70-11ec-ac12-4bc77fa14e95.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.audit\\\"\"}}" - }, - "title": "[Carbon Black Cloud] Distribution of Audit Logs by Flag Status", - "uiStateJSON": "{\"vis\":{\"legendOpen\":true}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Flagged\",\"field\":\"carbon_black_cloud.audit.flagged\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":false,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"[Carbon Black Cloud] Distribution of Audit Logs by Flag Status\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-a6d2a900-8d70-11ec-ac12-4bc77fa14e95", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/carbon_black_cloud/1.3.0/kibana/visualization/carbon_black_cloud-a7ce1420-9630-11ec-864c-3332b2a355f7.json b/packages/carbon_black_cloud/1.3.0/kibana/visualization/carbon_black_cloud-a7ce1420-9630-11ec-864c-3332b2a355f7.json deleted file mode 100755 index 37864260d1..0000000000 --- a/packages/carbon_black_cloud/1.3.0/kibana/visualization/carbon_black_cloud-a7ce1420-9630-11ec-864c-3332b2a355f7.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.endpoint_event\\\"\"}}" - }, - "title": "[Carbon Black Cloud] Top 10 Effective reputation of the loaded modules", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Effective Reputation of Loaded Modules\",\"field\":\"carbon_black_cloud.endpoint_event.modload.effective_reputation\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Carbon Black Cloud] Top 10 Effective reputation of the loaded modules\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-a7ce1420-9630-11ec-864c-3332b2a355f7", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.3.0/kibana/visualization/carbon_black_cloud-ae34ca40-962e-11ec-864c-3332b2a355f7.json b/packages/carbon_black_cloud/1.3.0/kibana/visualization/carbon_black_cloud-ae34ca40-962e-11ec-864c-3332b2a355f7.json deleted file mode 100755 index cf20544145..0000000000 
--- a/packages/carbon_black_cloud/1.3.0/kibana/visualization/carbon_black_cloud-ae34ca40-962e-11ec-864c-3332b2a355f7.json +++ /dev/null @@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.endpoint_event\\\"\"}}" - }, - "title": "[Carbon Black Cloud] Top 10 Child Process Publisher Name", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Child Process Publisher Name\",\"field\":\"carbon_black_cloud.endpoint_event.childproc.publisher.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":8},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Carbon Black Cloud] Top 10 Child Process Publisher Name\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-ae34ca40-962e-11ec-864c-3332b2a355f7", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.3.0/kibana/visualization/carbon_black_cloud-bb323db0-955a-11ec-96f0-8de26c63c826.json b/packages/carbon_black_cloud/1.3.0/kibana/visualization/carbon_black_cloud-bb323db0-955a-11ec-96f0-8de26c63c826.json deleted file mode 100755 index dd2d0ee97a..0000000000 
--- a/packages/carbon_black_cloud/1.3.0/kibana/visualization/carbon_black_cloud-bb323db0-955a-11ec-96f0-8de26c63c826.json +++ /dev/null @@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset: \\\"carbon_black_cloud.watchlist_hit\\\"\"}}" - }, - "title": "[Carbon Black Cloud] Top 10 Process Usernames", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Process Username\",\"field\":\"carbon_black_cloud.watchlist_hit.process.username\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Carbon Black Cloud] Top 10 Process Usernames\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-bb323db0-955a-11ec-96f0-8de26c63c826", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.3.0/kibana/visualization/carbon_black_cloud-c3786990-9555-11ec-96f0-8de26c63c826.json b/packages/carbon_black_cloud/1.3.0/kibana/visualization/carbon_black_cloud-c3786990-9555-11ec-96f0-8de26c63c826.json deleted file mode 100755 index bb4fb20b4b..0000000000 
--- a/packages/carbon_black_cloud/1.3.0/kibana/visualization/carbon_black_cloud-c3786990-9555-11ec-96f0-8de26c63c826.json +++ /dev/null @@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.watchlist_hit\\\"\"}}" - }, - "title": "[Carbon Black Cloud] Top 10 Device Names", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Device Name\",\"field\":\"host.hostname\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Carbon Black Cloud] Top 10 Device Names\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-c3786990-9555-11ec-96f0-8de26c63c826", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.3.0/kibana/visualization/carbon_black_cloud-c6cfa8d0-962f-11ec-864c-3332b2a355f7.json b/packages/carbon_black_cloud/1.3.0/kibana/visualization/carbon_black_cloud-c6cfa8d0-962f-11ec-864c-3332b2a355f7.json deleted file mode 100755 index 3a76cb6cae..0000000000 
--- a/packages/carbon_black_cloud/1.3.0/kibana/visualization/carbon_black_cloud-c6cfa8d0-962f-11ec-864c-3332b2a355f7.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.endpoint_event\\\"\"}}" - }, - "title": "[Carbon Black Cloud] Distribution of Endpoint Events by Sensor Actions", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Sensor Action\",\"field\":\"carbon_black_cloud.endpoint_event.sensor_action\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":200},\"position\":\"left\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"labels\":{},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"radiusRatio\":0,\"seriesParams\":[{\"circlesRadius\":1,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"normal\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"truncateLegend\":true,\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":true,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"bottom\",\"scale
\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"\"},\"type\":\"value\"}]},\"title\":\"[Carbon Black Cloud] Distribution of Endpoint Events by Sensor Actions\",\"type\":\"horizontal_bar\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-c6cfa8d0-962f-11ec-864c-3332b2a355f7", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.3.0/kibana/visualization/carbon_black_cloud-cb70a610-955c-11ec-96f0-8de26c63c826.json b/packages/carbon_black_cloud/1.3.0/kibana/visualization/carbon_black_cloud-cb70a610-955c-11ec-96f0-8de26c63c826.json deleted file mode 100755 index 29d985b4d8..0000000000 --- a/packages/carbon_black_cloud/1.3.0/kibana/visualization/carbon_black_cloud-cb70a610-955c-11ec-96f0-8de26c63c826.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.watchlist_hit\\\"\"}}" - }, - "title": "[Carbon Black Cloud] Distribution of Watchlist Hit by Report Tags", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Watchlist Hit by Report Tag\",\"field\":\"carbon_black_cloud.watchlist_hit.report.tags\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":200},\"position\":\"left\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"labels\":{},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"radiusRatio\":0,\"seriesParams\":[{\"circlesRadius\":1,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"normal\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"truncateLegend\":true,\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":true,\"rotate\":75,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"bottom\",\
"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"\"},\"type\":\"value\"}]},\"title\":\"[Carbon Black Cloud] Distribution of Watchlist Hit by Report Tags\",\"type\":\"horizontal_bar\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-cb70a610-955c-11ec-96f0-8de26c63c826", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.3.0/kibana/visualization/carbon_black_cloud-cc2d3630-8d83-11ec-ac12-4bc77fa14e95.json b/packages/carbon_black_cloud/1.3.0/kibana/visualization/carbon_black_cloud-cc2d3630-8d83-11ec-ac12-4bc77fa14e95.json deleted file mode 100755 index 50933d86cc..0000000000 --- a/packages/carbon_black_cloud/1.3.0/kibana/visualization/carbon_black_cloud-cc2d3630-8d83-11ec-ac12-4bc77fa14e95.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.alert\\\"\"}}" - }, - "title": "[Carbon Black Cloud] Distribution of Alerts by Not Blocked Threat Category", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Not Blocked Threat Category\",\"field\":\"carbon_black_cloud.alert.not_blocked_threat_category\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":200},\"position\":\"left\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"labels\":{},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"radiusRatio\":0,\"seriesParams\":[{\"circlesRadius\":1,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"normal\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"truncateLegend\":true,\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":true,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftA
xis-1\",\"position\":\"bottom\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"[Carbon Black Cloud] Distribution of Alerts by Not Blocked Threat Category\",\"type\":\"horizontal_bar\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-cc2d3630-8d83-11ec-ac12-4bc77fa14e95", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.3.0/kibana/visualization/carbon_black_cloud-d33296f0-8d79-11ec-ac12-4bc77fa14e95.json b/packages/carbon_black_cloud/1.3.0/kibana/visualization/carbon_black_cloud-d33296f0-8d79-11ec-ac12-4bc77fa14e95.json deleted file mode 100755 index bf02f82c2e..0000000000 --- a/packages/carbon_black_cloud/1.3.0/kibana/visualization/carbon_black_cloud-d33296f0-8d79-11ec-ac12-4bc77fa14e95.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.alert\\\"\"}}" - }, - "title": "[Carbon Black Cloud] Top 10 Policy Names", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Policy Name\",\"field\":\"carbon_black_cloud.alert.policy.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Carbon Black Cloud] Top 10 Policy Names\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-d33296f0-8d79-11ec-ac12-4bc77fa14e95", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.3.0/kibana/visualization/carbon_black_cloud-d49a3710-8d96-11ec-ac12-4bc77fa14e95.json b/packages/carbon_black_cloud/1.3.0/kibana/visualization/carbon_black_cloud-d49a3710-8d96-11ec-ac12-4bc77fa14e95.json deleted file mode 100755 index bfebab9f24..0000000000 --- a/packages/carbon_black_cloud/1.3.0/kibana/visualization/carbon_black_cloud-d49a3710-8d96-11ec-ac12-4bc77fa14e95.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.alert\\\"\"}}" - }, - "title": "[Carbon Black Cloud] Top 10 Reason Codes", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Reason Codes\",\"field\":\"carbon_black_cloud.alert.reason_code\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Carbon Black Cloud] Top 10 Reason Codes\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-d49a3710-8d96-11ec-ac12-4bc77fa14e95", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.3.0/kibana/visualization/carbon_black_cloud-de59dff0-955a-11ec-96f0-8de26c63c826.json b/packages/carbon_black_cloud/1.3.0/kibana/visualization/carbon_black_cloud-de59dff0-955a-11ec-96f0-8de26c63c826.json deleted file mode 100755 index 85bf297c56..0000000000 --- a/packages/carbon_black_cloud/1.3.0/kibana/visualization/carbon_black_cloud-de59dff0-955a-11ec-96f0-8de26c63c826.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset: \\\"carbon_black_cloud.watchlist_hit\\\"\"}}" - }, - "title": "[Carbon Black Cloud] Top 10 Parent Process Usernames", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Parent Process Username\",\"field\":\"carbon_black_cloud.watchlist_hit.process.parent.username\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Carbon Black Cloud] Top 10 Parent Process Usernames\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-de59dff0-955a-11ec-96f0-8de26c63c826", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.3.0/kibana/visualization/carbon_black_cloud-ee2098d0-8d70-11ec-ac12-4bc77fa14e95.json b/packages/carbon_black_cloud/1.3.0/kibana/visualization/carbon_black_cloud-ee2098d0-8d70-11ec-ac12-4bc77fa14e95.json deleted file mode 100755 index 2ad0964cbb..0000000000 --- a/packages/carbon_black_cloud/1.3.0/kibana/visualization/carbon_black_cloud-ee2098d0-8d70-11ec-ac12-4bc77fa14e95.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.audit\\\"\"}}" - }, - "title": "[Carbon Black Cloud] Top 10 Request URLs", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"URL\",\"field\":\"url.original\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Carbon Black Cloud] Top 10 Request URLs\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-ee2098d0-8d70-11ec-ac12-4bc77fa14e95", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.3.0/kibana/visualization/carbon_black_cloud-ee670e50-8d89-11ec-ac12-4bc77fa14e95.json b/packages/carbon_black_cloud/1.3.0/kibana/visualization/carbon_black_cloud-ee670e50-8d89-11ec-ac12-4bc77fa14e95.json deleted file mode 100755 index cb945df49b..0000000000 --- a/packages/carbon_black_cloud/1.3.0/kibana/visualization/carbon_black_cloud-ee670e50-8d89-11ec-ac12-4bc77fa14e95.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.alert\\\"\"}}" - }, - "title": "[Carbon Black Cloud] Distribution of Alerts by Kill Chain Status", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Kill Chain Status\",\"field\":\"carbon_black_cloud.alert.kill_chain_status\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":200},\"position\":\"left\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"labels\":{},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"radiusRatio\":0,\"seriesParams\":[{\"circlesRadius\":1,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"normal\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"truncateLegend\":true,\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":true,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"bottom\
",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"[Carbon Black Cloud] Distribution of Alerts by Kill Chain Status\",\"type\":\"horizontal_bar\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-ee670e50-8d89-11ec-ac12-4bc77fa14e95", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.3.0/kibana/visualization/carbon_black_cloud-ee77a260-8d84-11ec-ac12-4bc77fa14e95.json b/packages/carbon_black_cloud/1.3.0/kibana/visualization/carbon_black_cloud-ee77a260-8d84-11ec-ac12-4bc77fa14e95.json deleted file mode 100755 index fc1c6812f0..0000000000 --- a/packages/carbon_black_cloud/1.3.0/kibana/visualization/carbon_black_cloud-ee77a260-8d84-11ec-ac12-4bc77fa14e95.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.alert\\\"\"}}" - }, - "title": "[Carbon Black Cloud] Distribution of Alerts by Process Name", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Process Name\",\"field\":\"process.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":200},\"position\":\"left\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"labels\":{},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"radiusRatio\":0,\"seriesParams\":[{\"circlesRadius\":1,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"normal\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"truncateLegend\":true,\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":true,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"bottom\",\"scale\":{\"mode\":\"normal\",\"type\
":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"[Carbon Black Cloud] Distribution of Alerts by Process Name\",\"type\":\"horizontal_bar\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-ee77a260-8d84-11ec-ac12-4bc77fa14e95", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.3.0/kibana/visualization/carbon_black_cloud-f28910d0-9628-11ec-864c-3332b2a355f7.json b/packages/carbon_black_cloud/1.3.0/kibana/visualization/carbon_black_cloud-f28910d0-9628-11ec-864c-3332b2a355f7.json deleted file mode 100755 index 3c04444ca9..0000000000 --- a/packages/carbon_black_cloud/1.3.0/kibana/visualization/carbon_black_cloud-f28910d0-9628-11ec-864c-3332b2a355f7.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.endpoint_event\\\"\"}}" - }, - "title": "[Carbon Black Cloud] Top 10 Device External IP", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Device External IP\",\"field\":\"carbon_black_cloud.endpoint_event.device.external_ip\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Carbon Black Cloud] Top 10 Device External IP\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-f28910d0-9628-11ec-864c-3332b2a355f7", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.3.0/kibana/visualization/carbon_black_cloud-f3f635b0-8d72-11ec-ac12-4bc77fa14e95.json b/packages/carbon_black_cloud/1.3.0/kibana/visualization/carbon_black_cloud-f3f635b0-8d72-11ec-ac12-4bc77fa14e95.json deleted file mode 100755 index a79db35e93..0000000000 --- a/packages/carbon_black_cloud/1.3.0/kibana/visualization/carbon_black_cloud-f3f635b0-8d72-11ec-ac12-4bc77fa14e95.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.alert\\\"\"}}" - }, - "title": "[Carbon Black Cloud] Distribution of Alerts by Alert Type", - "uiStateJSON": "{\"vis\":{\"legendOpen\":true}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Alert Type\",\"field\":\"carbon_black_cloud.alert.type\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":false,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"[Carbon Black Cloud] Distribution of Alerts by Alert Type\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-f3f635b0-8d72-11ec-ac12-4bc77fa14e95", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/carbon_black_cloud/1.3.0/kibana/visualization/carbon_black_cloud-f7681be0-962e-11ec-864c-3332b2a355f7.json b/packages/carbon_black_cloud/1.3.0/kibana/visualization/carbon_black_cloud-f7681be0-962e-11ec-864c-3332b2a355f7.json deleted file mode 100755 index 84fedf340e..0000000000 --- a/packages/carbon_black_cloud/1.3.0/kibana/visualization/carbon_black_cloud-f7681be0-962e-11ec-864c-3332b2a355f7.json +++ /dev/null @@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.endpoint_event\\\"\"}}" - }, - "title": "[Carbon Black Cloud] Top 10 Process Username", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Process Username\",\"field\":\"carbon_black_cloud.endpoint_event.process.username\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Carbon Black Cloud] Top 10 Process Username\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-f7681be0-962e-11ec-864c-3332b2a355f7", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/carbon_black_cloud/1.3.0/kibana/visualization/carbon_black_cloud-f93958c0-8d83-11ec-ac12-4bc77fa14e95.json b/packages/carbon_black_cloud/1.3.0/kibana/visualization/carbon_black_cloud-f93958c0-8d83-11ec-ac12-4bc77fa14e95.json deleted file mode 100755 index 1c30c4f320..0000000000 --- a/packages/carbon_black_cloud/1.3.0/kibana/visualization/carbon_black_cloud-f93958c0-8d83-11ec-ac12-4bc77fa14e95.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.alert\\\"\"}}" - }, - "title": "[Carbon Black Cloud] Distribution of Alerts by Policy Applied", - "uiStateJSON": "{\"vis\":{\"legendOpen\":true}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Policy Applied\",\"field\":\"carbon_black_cloud.alert.policy.applied\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":false,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"[Carbon Black Cloud] Distribution of Alerts by Policy Applied\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-f93958c0-8d83-11ec-ac12-4bc77fa14e95", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/carbon_black_cloud/1.3.0/kibana/visualization/carbon_black_cloud-ff34eaa0-8d79-11ec-ac12-4bc77fa14e95.json b/packages/carbon_black_cloud/1.3.0/kibana/visualization/carbon_black_cloud-ff34eaa0-8d79-11ec-ac12-4bc77fa14e95.json deleted file mode 100755 index 4a17555983..0000000000 --- a/packages/carbon_black_cloud/1.3.0/kibana/visualization/carbon_black_cloud-ff34eaa0-8d79-11ec-ac12-4bc77fa14e95.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.alert\\\"\"}}" - }, - "title": "[Carbon Black Cloud] Distribution of Alerts by Target Value", - "uiStateJSON": "{\"vis\":{\"legendOpen\":true}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Target Value\",\"field\":\"carbon_black_cloud.alert.target_value\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":false,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"[Carbon Black Cloud] Distribution of Alerts by Target Value\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-ff34eaa0-8d79-11ec-ac12-4bc77fa14e95", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.3.0/manifest.yml b/packages/carbon_black_cloud/1.3.0/manifest.yml deleted file mode 100755 index d9b63712b6..0000000000 
--- a/packages/carbon_black_cloud/1.3.0/manifest.yml +++ /dev/null 
@@ -1,190 +0,0 @@ -format_version: 1.0.0 -name: carbon_black_cloud -title: VMware Carbon Black Cloud -version: "1.3.0" -license: basic -description: Collect logs from VMWare Carbon Black Cloud with Elastic Agent. -type: integration -categories: - - security -release: ga -conditions: - kibana.version: ^7.17.0 || ^8.0.0 -screenshots: - - src: /img/carbon_black_cloud-screenshot.png - title: Carbon Black Cloud alert dashboard screenshot - size: 600x600 - type: image/png -icons: - - src: /img/carbon_black_cloud-logo.svg - title: Carbon Black Cloud logo - size: 32x32 - type: image/svg+xml -policy_templates: - - name: carbon_black_cloud - title: Carbon Black Cloud - description: Collect Logs from Carbon Black Cloud - inputs: - - type: httpjson - title: Collect Carbon Black Cloud logs via API - description: Collect Carbon Black Cloud logs via API - vars: - - name: hostname - type: text - title: Hostname - description: Carbon Black Cloud console Hostname. Find hostname in the console dashboard at the beginning of the web address (Add https:// before the hostname). - required: true - - name: org_key - type: text - title: Organization Key - description: Organization Key. - required: true - - name: custom_api_id - type: text - title: Custom API ID - description: API ID with Custom Access Level type. - required: true - - name: custom_api_secret_key - type: password - title: Custom API Secret Key - description: API Secret Key with Custom Access Level type - required: true - - name: api_id - type: text - title: API ID - description: API ID with API Access Level type. - required: true - - name: api_secret_key - type: password - title: API Secret Key - description: API Secret Key with API Access Level type - required: true - - name: proxy_url - type: text - title: Proxy URL - multi: false - required: false - show_user: false - description: URL to proxy connections in the form of http\[s\]://:@:. Please ensure your username and password are in URL encoded format. 
- - name: ssl - type: yaml - title: SSL Configuration - description: i.e. certificate_authorities, supported_protocols, verification_mode etc. - multi: false - required: false - show_user: false - default: | - #certificate_authorities: - # - | - # -----BEGIN CERTIFICATE----- - # MIIDCjCCAfKgAwIBAgITJ706Mu2wJlKckpIvkWxEHvEyijANBgkqhkiG9w0BAQsF - # ADAUMRIwEAYDVQQDDAlsb2NhbGhvc3QwIBcNMTkwNzIyMTkyOTA0WhgPMjExOTA2 - # MjgxOTI5MDRaMBQxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEB - # BQADggEPADCCAQoCggEBANce58Y/JykI58iyOXpxGfw0/gMvF0hUQAcUrSMxEO6n - # fZRA49b4OV4SwWmA3395uL2eB2NB8y8qdQ9muXUdPBWE4l9rMZ6gmfu90N5B5uEl - # 94NcfBfYOKi1fJQ9i7WKhTjlRkMCgBkWPkUokvBZFRt8RtF7zI77BSEorHGQCk9t - # /D7BS0GJyfVEhftbWcFEAG3VRcoMhF7kUzYwp+qESoriFRYLeDWv68ZOvG7eoWnP - # PsvZStEVEimjvK5NSESEQa9xWyJOmlOKXhkdymtcUd/nXnx6UTCFgnkgzSdTWV41 - # CI6B6aJ9svCTI2QuoIq2HxX/ix7OvW1huVmcyHVxyUECAwEAAaNTMFEwHQYDVR0O - # BBYEFPwN1OceFGm9v6ux8G+DZ3TUDYxqMB8GA1UdIwQYMBaAFPwN1OceFGm9v6ux - # 8G+DZ3TUDYxqMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAG5D - # 874A4YI7YUwOVsVAdbWtgp1d0zKcPRR+r2OdSbTAV5/gcS3jgBJ3i1BN34JuDVFw - # 3DeJSYT3nxy2Y56lLnxDeF8CUTUtVQx3CuGkRg1ouGAHpO/6OqOhwLLorEmxi7tA - # H2O8mtT0poX5AnOAhzVy7QW0D/k4WaoLyckM5hUa6RtvgvLxOwA0U+VGurCDoctu - # 8F4QOgTAWyh8EZIwaKCliFRSynDpv3JTUwtfZkxo6K6nce1RhCWFAsMvDZL8Dgc0 - # yvgJ38BRsFOtkRuAGSf6ZUwTO8JJRRIFnpUzXflAnGivK9M13D5GEQMmIl6U9Pvk - # sxSmbIUfc2SGJGCJD4I= - # -----END CERTIFICATE----- - - type: aws-s3 - title: Collect Carbon Black Cloud logs via AWS S3 or AWS SQS - description: Collect Carbon Black Cloud logs via AWS S3 or AWS SQS. - vars: - - name: collect_s3_logs - required: true - show_user: true - title: Collect logs via S3 Bucket - description: To Collect logs via S3 bucket enable the toggle switch. By default, it will collect logs via SQS Queue. 
- type: bool - multi: false - default: false - - name: bucket_arn - type: text - title: "[S3] Bucket ARN" - multi: false - required: false - show_user: true - description: It is a required parameter for collecting logs via the AWS S3 Bucket. - - name: queue_url - type: text - title: "[SQS] Queue URL" - multi: false - required: false - show_user: true - description: URL of the AWS SQS queue that messages will be received from. It is a required parameter for collecting logs via the AWS SQS. - - name: access_key_id - type: password - title: Access Key ID - multi: false - required: false - show_user: true - description: First part of access key. - - name: secret_access_key - type: password - title: Secret Access Key - multi: false - required: false - show_user: true - description: Second part of access key. - - name: session_token - type: text - title: Session Token - multi: false - required: false - show_user: true - description: Required when using temporary security credentials. - - name: shared_credential_file - type: text - title: Shared Credential File - multi: false - required: false - show_user: false - description: Directory of the shared credentials file. - - name: credential_profile_name - type: text - title: Credential Profile Name - multi: false - required: false - show_user: false - description: Profile name in shared credentials file. - - name: role_arn - type: text - title: Role ARN - multi: false - required: false - show_user: false - description: AWS IAM Role to assume. - - name: endpoint - type: text - title: Endpoint - multi: false - required: false - show_user: false - default: "" - description: URL of the entry point for an AWS web service. - - name: fips_enabled - type: bool - title: Enable S3 FIPS - default: false - multi: false - required: false - show_user: false - description: Enabling this option changes the service name from `s3` to `s3-fips` for connecting to the correct service endpoint. 
- - name: proxy_url - type: text - title: Proxy URL - multi: false - required: false - show_user: false - description: URL to proxy connections in the form of http[s]://:@:. Please ensure your username and password are in URL encoded format. -owner: - github: elastic/security-external-integrations diff --git a/packages/carbonblack_edr/1.5.1/LICENSE.txt b/packages/carbonblack_edr/1.5.1/LICENSE.txt deleted file mode 100755 index 809108b857..0000000000 --- a/packages/carbonblack_edr/1.5.1/LICENSE.txt +++ /dev/null 
@@ -1,93 +0,0 @@ -Elastic License 2.0 - -URL: https://www.elastic.co/licensing/elastic-license - -## Acceptance - -By using the software, you agree to all of the terms and conditions below. - -## Copyright License - -The licensor grants you a non-exclusive, royalty-free, worldwide, -non-sublicensable, non-transferable license to use, copy, distribute, make -available, and prepare derivative works of the software, in each case subject to -the limitations and conditions below. - -## Limitations - -You may not provide the software to third parties as a hosted or managed -service, where the service provides users with access to any substantial set of -the features or functionality of the software. - -You may not move, change, disable, or circumvent the license key functionality -in the software, and you may not remove or obscure any functionality in the -software that is protected by the license key. - -You may not alter, remove, or obscure any licensing, copyright, or other notices -of the licensor in the software. Any use of the licensor’s trademarks is subject -to applicable law. - -## Patents - -The licensor grants you a license, under any patent claims the licensor can -license, or becomes able to license, to make, have made, use, sell, offer for -sale, import and have imported the software, in each case subject to the -limitations and conditions in this license. This license does not cover any -patent claims that you cause to be infringed by modifications or additions to -the software. If you or your company make any written claim that the software -infringes or contributes to infringement of any patent, your patent license for -the software granted under these terms ends immediately. If your company makes -such a claim, your patent license ends immediately for work on behalf of your -company. - -## Notices - -You must ensure that anyone who gets a copy of any part of the software from you -also gets a copy of these terms. 
- -If you modify the software, you must include in any modified copies of the -software prominent notices stating that you have modified the software. - -## No Other Rights - -These terms do not imply any licenses other than those expressly granted in -these terms. - -## Termination - -If you use the software in violation of these terms, such use is not licensed, -and your licenses will automatically terminate. If the licensor provides you -with a notice of your violation, and you cease all violation of this license no -later than 30 days after you receive that notice, your licenses will be -reinstated retroactively. However, if you violate these terms after such -reinstatement, any additional violation of these terms will cause your licenses -to terminate automatically and permanently. - -## No Liability - -*As far as the law allows, the software comes as is, without any warranty or -condition, and the licensor will not be liable to you for any damages arising -out of these terms or the use or nature of the software, under any kind of -legal claim.* - -## Definitions - -The **licensor** is the entity offering these terms, and the **software** is the -software the licensor makes available under these terms, including any portion -of it. - -**you** refers to the individual or entity agreeing to these terms. - -**your company** is any legal entity, sole proprietorship, or other kind of -organization that you work for, plus all organizations that have control over, -are under the control of, or are under common control with that -organization. **control** means ownership of substantially all the assets of an -entity, or the power to direct its management and policies by vote, contract, or -otherwise. Control can be direct or indirect. - -**your licenses** are all the licenses granted to you for the software under -these terms. - -**use** means anything you do with the software requiring one of your licenses. 
- -**trademark** means trademarks, service marks, and similar rights. diff --git a/packages/carbonblack_edr/1.5.1/changelog.yml b/packages/carbonblack_edr/1.5.1/changelog.yml deleted file mode 100755 index 9c21eaa171..0000000000 --- a/packages/carbonblack_edr/1.5.1/changelog.yml +++ /dev/null 
@@ -1,71 +0,0 @@ -# newer versions go on top -- version: "1.5.1" - changes: - - description: Remove duplicate field. - type: enhancement - link: https://github.com/elastic/integrations/pull/4339 -- version: "1.5.0" - changes: - - description: Update package to ECS 8.4.0 - type: enhancement - link: https://github.com/elastic/integrations/pull/3842 -- version: "1.4.0" - changes: - - description: Update package to ECS 8.3.0. - type: enhancement - link: https://github.com/elastic/integrations/pull/3353 -- version: "1.3.0" - changes: - - description: Add JA3/JA3S parsing - type: enhancement - link: https://github.com/elastic/integrations/pull/3440 -- version: "1.2.0" - changes: - - description: Update to ECS 8.2 - type: enhancement - link: https://github.com/elastic/integrations/pull/2778 -- version: "1.1.1" - changes: - - description: Add documentation for multi-fields - type: enhancement - link: https://github.com/elastic/integrations/pull/2916 -- version: "1.1.0" - changes: - - description: Update to ECS 8.0 - type: enhancement - link: https://github.com/elastic/integrations/pull/2385 -- version: "1.0.0" - changes: - - description: GA integration - type: enhancement - link: https://github.com/elastic/integrations/pull/2360 -- version: "0.3.1" - changes: - - description: Change test public IPs to the supported subset - type: bugfix - link: https://github.com/elastic/integrations/pull/2327 -- version: "0.3.0" - changes: - - description: Add 8.0.0 version constraint - type: enhancement - link: https://github.com/elastic/integrations/pull/2232 -- version: "0.2.2" - changes: - - description: Update Title and Description. 
- type: enhancement - link: https://github.com/elastic/integrations/pull/1949 -- version: "0.2.1" - changes: - - description: Fix logic that checks for the 'forwarded' tag - type: bugfix - link: https://github.com/elastic/integrations/pull/1801 -- version: "0.2.0" - changes: - - description: Update to ECS 1.12.0 - type: enhancement - link: https://github.com/elastic/integrations/pull/1651 -- version: "0.1.0" - changes: - - description: initial release - type: enhancement # can be one of: enhancement, bugfix, breaking-change - link: https://github.com/elastic/integrations/pull/1527 diff --git a/packages/carbonblack_edr/1.5.1/data_stream/log/agent/stream/http_endpoint.yml.hbs b/packages/carbonblack_edr/1.5.1/data_stream/log/agent/stream/http_endpoint.yml.hbs deleted file mode 100755 index f9eb3c784c..0000000000 --- a/packages/carbonblack_edr/1.5.1/data_stream/log/agent/stream/http_endpoint.yml.hbs +++ /dev/null @@ -1,25 +0,0 @@ -listen_address: "{{listen_address}}" -listen_port: {{listen_port}} -preserve_original_event: {{preserve_original_event}} -{{#if ssl}} -ssl: {{ssl}} -{{/if}} -{{#if tags.length}} -tags: -{{else if preserve_original_event}} -tags: -{{/if}} -{{#each tags as |tag i|}} - - {{tag}} -{{/each}} -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} - -{{#if processors}} -processors: -{{processors}} -{{/if}} diff --git a/packages/carbonblack_edr/1.5.1/data_stream/log/agent/stream/log.yml.hbs b/packages/carbonblack_edr/1.5.1/data_stream/log/agent/stream/log.yml.hbs deleted file mode 100755 index 4e5f4d4718..0000000000 --- a/packages/carbonblack_edr/1.5.1/data_stream/log/agent/stream/log.yml.hbs +++ /dev/null 
@@ -1,38 +0,0 @@ -paths: -{{#each paths as |path i|}} - - {{path}} -{{/each}} -{{#if tags.length}} -tags: -{{else if preserve_original_event}} -tags: -{{/if}} -{{#each tags as |tag i|}} - - {{tag}} -{{/each}} -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} -exclude_files: [".gz$"] -processors: -- decode_json_fields: - fields: [message] - target: json -{{#if preserve_original_event}} -- convert: - fields: - - from: message - to: event.original - mode: rename -{{else}} -- drop_fields: - fields: - - message - ignore_missing: true -{{/if}} -{{#if processors}} -{{processors}} -{{/if}} diff --git a/packages/carbonblack_edr/1.5.1/data_stream/log/agent/stream/tcpudp.yml.hbs b/packages/carbonblack_edr/1.5.1/data_stream/log/agent/stream/tcpudp.yml.hbs deleted file mode 100755 index 7013021da2..0000000000 --- a/packages/carbonblack_edr/1.5.1/data_stream/log/agent/stream/tcpudp.yml.hbs +++ /dev/null @@ -1,35 +0,0 @@ -host: "{{listen_address}}:{{listen_port}}" -{{#if tags.length}} -tags: -{{else if preserve_original_event}} -tags: -{{/if}} -{{#each tags as |tag i|}} - - {{tag}} -{{/each}} -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} - -processors: -- decode_json_fields: - fields: [message] - target: json -{{#if preserve_original_event}} -- convert: - fields: - - from: message - to: event.original - mode: rename -{{else}} -- drop_fields: - fields: - - message - ignore_missing: true -{{/if}} -{{#if processors}} -{{processors}} -{{/if}} diff --git a/packages/carbonblack_edr/1.5.1/data_stream/log/elasticsearch/ingest_pipeline/default.yml b/packages/carbonblack_edr/1.5.1/data_stream/log/elasticsearch/ingest_pipeline/default.yml deleted file mode 100755 index 65c7b199eb..0000000000 
--- a/packages/carbonblack_edr/1.5.1/data_stream/log/elasticsearch/ingest_pipeline/default.yml +++ /dev/null 
@@ -1,872 +0,0 @@ ---- -description: Pipeline for parsing CarbonBlack EDR logs -processors: -- set: - field: ecs.version - value: '8.4.0' - -# Validate that the input document conforms to the expected format -# to avoid repetitive checks. -- fail: - description: 'Validates input document format' - message: 'json object is missing from event' - if: 'ctx.json == null' - -# Fail if `docs` fields is an array with more than one element. -# This is possible according to the documentation, but fortunately for us -# CB Event Forwarded splits an input event with multiple docs into multiple -# output events with a single doc each. -- fail: - description: 'Validates that docs field contains a single document' - message: 'docs array has more than one entry, this is unsupported. Use CB Event Forwarder as source of events' - if: 'ctx.json.docs != null && ctx.json.docs instanceof List && ctx.json.docs.size() > 1' - -- script: - description: 'Selects a single document from docs input field' - lang: painless - if: 'ctx.json.docs != null' - source: |- - def docs = ctx.json.docs; - if (docs instanceof List && docs.size() > 0) { - ctx.json["doc"] = docs[0]; - } else if (docs instanceof Map) { - ctx.json["doc"] = docs; - } else { - throw new Exception("Unexpected type"); - } - ctx.json.remove("docs"); - on_failure: - - append: - field: error.message - value: 'Failed extracting docs field: {{{ _ingest.on_failure_message }}}' - -# -# Convert some fields to their expected types. 
-# These can be string if using the http_endpoint input due to -# https://github.com/elastic/beats/issues/27382 -# -- convert: - field: json.compressed_size - type: long - ignore_missing: true - ignore_failure: true - -- convert: - field: json.emet_timestamp - type: long - ignore_missing: true - ignore_failure: true - -- convert: - field: json.event_timestamp - type: double - ignore_missing: true - ignore_failure: true - -- convert: - field: json.feed_id - type: long - ignore_missing: true - ignore_failure: true - -- convert: - field: json.local_port - type: long - ignore_missing: true - ignore_failure: true - -- convert: - field: json.parent_create_time - type: long - ignore_missing: true - ignore_failure: true - -- convert: - field: json.pid - type: long - ignore_missing: true - ignore_failure: true - -- convert: - field: json.doc.process_pid - type: long - ignore_missing: true - ignore_failure: true - -- convert: - field: json.doc.parent_pid - type: long - ignore_missing: true - ignore_failure: true - -- convert: - field: json.port - type: long - ignore_missing: true - ignore_failure: true - -- convert: - field: json.remote_port - type: long - ignore_missing: true - ignore_failure: true - -- convert: - field: json.requested_access - type: long - ignore_missing: true - ignore_failure: true - -- convert: - field: json.size - type: long - ignore_missing: true - ignore_failure: true - -- convert: - field: json.doc.orig_mod_len - type: long - ignore_missing: true - ignore_failure: true - -- convert: - field: json.scores.alliance_score_virustotal - type: long - ignore_missing: true - ignore_failure: true - -- convert: - field: json.target_create_time - type: long - ignore_missing: true - ignore_failure: true - -- convert: - field: json.target_pid - type: long - ignore_missing: true - ignore_failure: true - -- convert: - field: json.timestamp - type: double - ignore_missing: true - ignore_failure: true - -# -# This flag is used to signal that it can write to host.* 
fields. -# -- set: - field: _tmp.forwarded - value: true - if: 'ctx.host?.name == null' - -- script: - description: 'Removes empty string fields' - lang: painless - source: |- - void removeEmptyStr(Map m) { - if (m != null) m.entrySet().removeIf( e -> e.value == ""); - } - removeEmptyStr(ctx.json); - removeEmptyStr(ctx.json.doc); - -- rename: - description: 'Renames type field to ECS event action' - field: json.type - target_field: event.action - on_failure: - # This happens in cb_edr.log only. - # is this real or just an artifact in our samples? - # - #- append: - # field: error.message - # value: 'type field not present in document' - - set: - field: event.action - value: unknown - -- script: - description: 'Sets ECS categorisation fields from EDR Event ID.' - lang: painless - params: - "alert.watchlist.hit.ingress.host": - kind: alert - category: [ host ] - type: [ info ] - - "alert.watchlist.hit.ingress.binary": - kind: alert - category: [ file ] - type: [ info ] - - "alert.watchlist.hit.ingress.process": - kind: alert - category: [ process ] - type: [ info ] - - "alert.watchlist.hit.query.binary": - kind: alert - category: [ file ] - type: [ info ] - - "alert.watchlist.hit.query.process": - kind: alert - category: [ process ] - type: [ info ] - - "binaryinfo.host.observed": - kind: event - category: [ host ] - type: [ info ] - - "binaryinfo.group.observed": - kind: event - category: [ file ] - type: [ info ] - - "binaryinfo.observed": - kind: event - category: [ file ] - type: [ info ] - - "binarystore.file.added": - kind: event - category: [ file ] - type: [ creation ] - - "feed.ingress.hit.host": - kind: event - category: [ host ] - type: [ info ] - - "feed.ingress.hit.binary": - kind: event - category: [ file ] - type: [ info ] - - "feed.ingress.hit.process": - kind: event - category: [ process ] - type: [ info ] - - "feed.query.hit.binary": - kind: event - category: [ file ] - type: [ info ] - - "feed.query.hit.process": - kind: event - category: [ process 
] - type: [ info ] - - "feed.storage.hit.binary": - kind: event - category: [ file ] - type: [ info ] - - "feed.storage.hit.process": - kind: event - category: [ process ] - type: [ info ] - - "watchlist.hit.process": - kind: event - category: [ process ] - type: [ info ] - - "watchlist.hit.binary": - kind: event - category: [ file ] - type: [ info ] - - "watchlist.storage.hit.binary": - kind: event - category: [ file ] - type: [ info ] - - "watchlist.storage.hit.process": - kind: event - category: [ process ] - type: [ info ] - - "ingress.event.regmod": - kind: event - category: [ registry ] - type: [ change ] - - "ingress.event.filemod": - kind: event - category: [ file ] - type: [ change ] - - "ingress.event.netconn": - kind: event - category: [ network ] - type: [ connection, start ] - - "ingress.event.module": - kind: event - category: [ process ] - type: [ start, info ] - - "ingress.event.childproc": - kind: event - category: [ process ] - type: [ start, info ] - - "ingress.event.process": - kind: event - category: [ process ] - type: [ info ] - - "ingress.event.crossprocopen": - kind: event - category: [ process ] - type: [ info ] - - "ingress.event.remotethread": - kind: event - category: [ process ] - type: [ info ] - - "ingress.event.emetmitigation": - kind: event - category: [ process ] - type: [ info, end ] - - "ingress.event.processblock": - kind: event - category: [ process ] - type: [ info, end ] - - "ingress.event.tamper": - kind: event - category: [ process, driver ] - type: [ info ] - - "unknown": - kind: event - source: |- - def clone(def ref) { - if (ref == null) return ref; - if (ref instanceof Map) { - ref = ref.entrySet().stream().collect( - Collectors.toMap( - e -> e.getKey(), - e -> clone(e.getValue()) - ) - ); - } else if (ref instanceof List) { - ref = ref.stream().map(e -> clone(e)).collect( - Collectors.toList() - ); - } - return ref; - } - def event = ctx.event; - if (event == null) { - event = new HashMap(); - ctx["event"] = event; - 
} - def type = ctx.event.action; - def fields = params[type] != null? params[type] : params["unknown"]; - fields.forEach( (k, v) -> { - event[k] = clone(v); - }); - -# -# Set observer fields. -# -- set: - field: observer.vendor - value: 'VMWare' - -- set: - field: observer.product - value: 'Carbon Black EDR' - -- set: - field: observer.type - value: 'edr' - -- rename: - field: json.cb_version - target_field: observer.version - ignore_missing: true - -- rename: - field: json.cb_server - target_field: observer.name - ignore_missing: true - -- rename: - field: json.server_name - target_field: observer.name - ignore_missing: true - if: 'ctx.observer.name == null' - -# -# Some events use ioc_attrs instead of ioc_attr. -# -- rename: - field: json.ioc_attrs - target_field: json.ioc_attr - ignore_missing: true - -# -# A few events have ioc_attr as a JSON string -# instead of an object. -# -- json: - field: json.ioc_attr - if: 'ctx.json.ioc_attr != null && ctx.json.ioc_attr instanceof String' - on_failure: - - append: - field: error.message - value: 'Failed to parse string field ioc_attr as JSON (value:{{{ json.ioc_attr }}}): {{{ _ingest.on_failure_message }}}' - # Remove field to prevent ingest failure. - - remove: - field: json.ioc_attr -# -# Parse @timestamp from a few possible timestamp fields. 
-# -- convert: - field: json.timestamp - target_field: _tmp.timestamp - type: double - ignore_missing: true - on_failure: - - append: - field: error.message - value: 'failed to convert numeric timestamp (value: {{{json.timestamp}}}): {{{_ingest.on_failure_message}}}' - -- convert: - field: json.event_timestamp - target_field: _tmp.timestamp - type: double - ignore_missing: true - if: 'ctx._tmp?.timestamp == null' - on_failure: - - append: - field: error.message - value: 'failed to convert numeric event_timestamp (value: {{{json.event_timestamp}}}): {{{_ingest.on_failure_message}}}' - -- set: - field: _tmp.timestamp - value: '{{{ json.doc.timestamp }}}' - ignore_empty_value: true - if: 'ctx._tmp?.timestamp == null' - -- date: - field: _tmp.timestamp - formats: - - UNIX - - ISO8601 - if: 'ctx._tmp?.timestamp != null' - on_failure: - - append: - field: error.message - value: 'failed to parse timestamp (value: {{{ _tmp.timestamp }}}): {{{_ingest.on_failure_message}}}' - -# -# Rule fields -# -- convert: - field: json.watchlist_id - target_field: rule.id - ignore_missing: true - type: string - -- rename: - field: json.watchlist_name - target_field: rule.name - ignore_missing: true - -# Most of the time doc.endpoint is an array. Convert it to array otherwise. -- script: - description: 'Converts doc.endpoint to an array' - lang: painless - source: |- - def ep = ctx.json.doc?.endpoint; - if (ep != null && !(ep instanceof List)) { - ctx.json.doc.endpoint = [ ep ]; - } - -# -# Set host.name when unset from Filebeat (forwarded events). 
-# -- rename: - field: json.doc.hostname - target_field: host.name - ignore_missing: true - if: 'ctx.host?.name == null' - -- rename: - field: json.hostname - target_field: host.name - ignore_missing: true - if: 'ctx.host?.name == null' - -- foreach: - description: 'Sets host.name from docs.endpoint field' - field: json.doc.endpoint - ignore_missing: true - if: 'ctx.host?.name == null && ctx.json.doc?.hostname == null && ctx.json.doc?.endpoint != null' - processor: - grok: - field: '_ingest._value' - patterns: - # endpoint field format is "HOSTNAME|ID" - # This extracts the HOSTNAME part. - - '^%{NOT_SEPARATOR:host.name}%{SEPARATOR}' - pattern_definitions: - SEPARATOR: '|' - NOT_SEPARATOR: '[^|]*' - -# -# Digital signature fields -# -- rename: - field: json.doc.digsig_subject - target_field: file.code_signature.subject_name - ignore_missing: true - -- rename: - field: json.doc.digsig_status - target_field: file.code_signature.status - ignore_missing: true - -- set: - field: file.code_signature.exists - value: true - if: 'ctx.file_signature != null' - -# -# Source os_type can be Windows, Linux or Osx -# -- lowercase: - field: json.doc.os_type - target_field: host.os.type - ignore_missing: true - if: 'ctx._tmp?.forwarded != null' - -- set: - field: host.os.type - value: macos - if: 'ctx._tmp?.forwarded != null && ctx.host?.os?.type == "osx"' - -# Ensures that only accepted values are introduced in os.type. 
-- remove: - field: host.os.type - if: 'ctx._tmp?.forwarded != null && ctx.json.doc?.os_type != null && !["windows","linux","macos"].contains(ctx.host.os.type)' - -- rename: - field: json.doc.os_name - target_field: host.os.name - ignore_missing: true - if: 'ctx._tmp?.forwarded != null' - -# -# Assorted fields -# -- append: - field: file.attributes - value: 'executable' - if: 'ctx.json.doc?.is_executable_image == true || ctx.json.doc?.is_executable_image == "true"' - -- lowercase: - field: json.doc.md5 - target_field: file.hash.md5 - ignore_missing: true - -- foreach: - field: json.doc.observed_filename - ignore_missing: true - processor: - set: - field: file.path - value: '{{{ _ingest._value }}}' - -- rename: - field: json.file_path - target_field: file.path - ignore_missing: true - -- grok: - description: 'Extract registry path' - field: json.path - patterns: - - '(?i)\\registry\\%{GREEDYDATA:registry.path}' - ignore_failure: true - ignore_missing: true - if: 'ctx.event?.action == "ingress.event.regmod"' - -- rename: - field: json.doc.orig_mod_len - target_field: file.size - ignore_missing: true - -- rename: - field: json.size - target_field: file.size - ignore_missing: true - if: 'ctx.file?.size == null' - -- rename: - field: json.doc.cmdline - target_field: process.command_line - ignore_missing: true - -- rename: - field: json.doc.path - target_field: process.executable - ignore_missing: true - -- lowercase: - field: json.doc.process_md5 - target_field: process.hash.md5 - ignore_missing: true - -- rename: - field: json.doc.process_name - target_field: process.name - ignore_missing: true - -- rename: - field: json.doc.process_pid - target_field: process.pid - ignore_missing: true - -- rename: - field: json.doc.unique_id - target_field: process.entity_id - ignore_missing: true - -- date: - field: json.doc.start - target_field: process.start - formats: - - ISO8601 - - UNIX - if: 'ctx.json.doc?.start != null' - on_failure: - - append: - field: error.message - 
value: 'failed to parse process start timestamp (value: {{{ doc.start }}}): {{{_ingest.on_failure_message}}}' - -- rename: - field: json.doc.parent_name - target_field: process.parent.name - ignore_missing: true - -- rename: - field: json.doc.parent_pid - target_field: process.parent.pid - ignore_missing: true - -- rename: - field: json.doc.parent_unique_id - target_field: process.parent.entity_id - ignore_missing: true - -- lowercase: - field: json.doc.parent_md5 - target_field: process.parent.hash.md5 - ignore_missing: true - -- convert: - field: json.doc.is_64bit - type: boolean - ignore_missing: true - on_failure: - - remove: - field: json.doc.is_64bit - -- set: - field: file.pe.architecture - value: x64 - if: 'ctx.json.doc?.is_64bit == true' - -- set: - field: file.pe.architecture - value: x86 - if: 'ctx.json.doc?.is_64bit == false' - -- rename: - field: json.utf8_file_description - target_field: file.pe.description - ignore_missing: true - -- rename: - field: json.utf8_company_name - target_field: file.pe.company - ignore_missing: true - -- rename: - field: json.utf8_product - target_field: file.pe.product_name - ignore_missing: true - -- rename: - field: json.utf8_product_name - target_field: file.pe.product - ignore_missing: true - -- rename: - field: json.utf8_original_file_name - target_field: file.pe.original_file_name - ignore_missing: true - -- rename: - field: json.utf8_file_version - target_field: file.pe.file_version - ignore_missing: true - -# -# Map ioc_type field to STIX 2.0 Cyber Observable values (threat.indicator.type). -# -- script: - lang: painless - if: 'ctx.json.ioc_type != null' - description: > - Maps ioc_type field to STIX 2.0 Cyber Observable values (threat.indicator.type). 
- params: - dns: - type: domain-name - target: threat.indicator.url.domain - ipv4: - type: ipv4-addr - target: threat.indicator.ip - ipv6: - type: ipv6-addr - target: threat.indicator.ip - md5: - type: file - target: threat.indicator.file.hash.md5 - - source: > - void _set(Map base, def path, def value) { - if (path.length == 0) return; - for (int i=0; i - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - diff --git a/packages/carbonblack_edr/1.5.1/data_stream/log/fields/base-fields.yml b/packages/carbonblack_edr/1.5.1/data_stream/log/fields/base-fields.yml deleted file mode 100755 index 6100281fc6..0000000000 --- a/packages/carbonblack_edr/1.5.1/data_stream/log/fields/base-fields.yml +++ /dev/null @@ -1,20 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset name. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: event.module - type: constant_keyword - description: Event module - value: carbonblack_edr -- name: event.dataset - type: constant_keyword - description: Event dataset - value: carbonblack_edr.log -- name: "@timestamp" - type: date - description: Event timestamp. diff --git a/packages/carbonblack_edr/1.5.1/data_stream/log/fields/beats.yml b/packages/carbonblack_edr/1.5.1/data_stream/log/fields/beats.yml deleted file mode 100755 index 9275638f93..0000000000 --- a/packages/carbonblack_edr/1.5.1/data_stream/log/fields/beats.yml +++ /dev/null 
@@ -1,15 +0,0 @@ -- name: input.type - type: keyword - description: Type of Filebeat input. -- name: log.flags - type: keyword - description: Flags for the log file. -- name: log.offset - type: long - description: Offset of the entry in the log file. -- name: log.file.path - type: keyword - description: Path to the log file. -- name: log.source.address - type: keyword - description: Source address from which the log event was read / sent from. diff --git a/packages/carbonblack_edr/1.5.1/data_stream/log/fields/ecs.yml b/packages/carbonblack_edr/1.5.1/data_stream/log/fields/ecs.yml deleted file mode 100755 index d2547858cf..0000000000 --- a/packages/carbonblack_edr/1.5.1/data_stream/log/fields/ecs.yml +++ /dev/null 
@@ -1,268 +0,0 @@ -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: Error message. - name: error.message - type: match_only_text -- description: |- - The action captured by the event. - This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. - name: event.action - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. This will allow proper categorization of some events that fall in multiple categories. - name: event.category - normalize: - - array - type: keyword -- description: |- - event.created contains the date/time when the event was first read by an agent, or by your pipeline. - This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. - In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. - In case the two timestamps are identical, @timestamp should be used. - name: event.created - type: date -- description: |- - Duration of the event in nanoseconds. 
- If event.start and event.end are known this value should be the difference between the end and start time. - name: event.duration - type: long -- description: event.end contains the date when the event ended or when the activity was last observed. - name: event.end - type: date -- description: Unique ID to describe the event. - name: event.id - type: keyword -- description: |- - Timestamp when an event arrived in the central data store. - This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. - In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. - name: event.ingested - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: |- - Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. - This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. 
- doc_values: false - index: false - name: event.original - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. - `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. - Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. - Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. - Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. - name: event.outcome - type: keyword -- description: event.start contains the date when the event started or when the activity was first observed. - name: event.start - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. - `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. This will allow proper categorization of some events that fall in multiple event types. - name: event.type - normalize: - - array - type: keyword -- description: |- - Array of file attributes. - Attributes names will vary by platform. Here's a non-exhaustive list of values that are expected in this field: archive, compressed, directory, encrypted, execute, hidden, read, readonly, system, write. 
- name: file.attributes - normalize: - - array - type: keyword -- description: Boolean to capture if a signature is present. - name: file.code_signature.exists - type: boolean -- description: |- - Additional information about the certificate status. - This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. - name: file.code_signature.status - type: keyword -- description: Subject name of the code signer - name: file.code_signature.subject_name - type: keyword -- description: MD5 hash. - name: file.hash.md5 - type: keyword -- description: Full path to the file, including the file name. It should include the drive letter, when appropriate. - multi_fields: - - name: text - type: match_only_text - name: file.path - type: keyword -- description: CPU architecture target for the file. - name: file.pe.architecture - type: keyword -- description: |- - File size in bytes. - Only relevant when `file.type` is "file". - name: file.size - type: long -- description: |- - Name of the host. - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. - name: host.name - type: keyword -- description: Operating system name, without the version. - multi_fields: - - name: text - type: match_only_text - name: host.os.name - type: keyword -- description: |- - Use the `os.type` field to categorize the operating system into one of the broad commercial families. - If the OS you're dealing with is not listed as an expected value, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. - name: host.os.type - type: keyword -- description: |- - Direction of the network traffic. - When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". 
- When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". - Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. - name: network.direction - type: keyword -- description: |- - Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) - The field value must be normalized to lowercase for querying. - name: network.transport - type: keyword -- description: IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. - name: network.iana_number - type: keyword -- description: |- - Custom name of the observer. - This is a name that can be given to an observer. This can be helpful for example if multiple firewalls of the same model are used in an organization. - If no custom name is needed, the field can be left empty. - name: observer.name - type: keyword -- description: The product name of the observer. - name: observer.product - type: keyword -- description: |- - The type of the observer the data is coming from. - There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. - name: observer.type - type: keyword -- description: Vendor name of the observer. - name: observer.vendor - type: keyword -- description: Observer version. 
- name: observer.version - type: keyword -- description: |- - Use the `os.type` field to categorize the operating system into one of the broad commercial families. - If the OS you're dealing with is not listed as an expected value, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. - name: os.type - type: keyword -- description: |- - Full command line that started the process, including the absolute path to the executable, and all arguments. - Some arguments may be filtered to protect sensitive information. - multi_fields: - - name: text - type: match_only_text - name: process.command_line - type: wildcard -- description: |- - Unique identifier for the process. - The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. - Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. - name: process.entity_id - type: keyword -- description: Absolute path to the process executable. - multi_fields: - - name: text - type: match_only_text - name: process.executable - type: keyword -- description: MD5 hash. - name: process.hash.md5 - type: keyword -- description: |- - Process name. - Sometimes called program name or similar. - multi_fields: - - name: text - type: match_only_text - name: process.name - type: keyword -- description: |- - Unique identifier for the process. - The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. 
- Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. - name: process.parent.entity_id - type: keyword -- description: MD5 hash. - name: process.parent.hash.md5 - type: keyword -- description: |- - Process name. - Sometimes called program name or similar. - multi_fields: - - name: text - type: match_only_text - name: process.parent.name - type: keyword -- description: Process id. - name: process.parent.pid - type: long -- description: Process id. - name: process.pid - type: long -- description: The time the process started. - name: process.start - type: date -- description: Full path, including hive, key and value - name: registry.path - type: keyword -- description: All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). - name: related.hash - normalize: - - array - type: keyword -- description: A rule ID that is unique within the scope of an agent, observer, or other entity using the rule for detection of this event. - name: rule.id - type: keyword -- description: The name of the rule or signature generating the event. - name: rule.name - type: keyword -- description: List of keywords used to tag each event. - name: tags - normalize: - - array - type: keyword -- description: Type of indicator as represented by Cyber Observable in STIX 2.0. - name: threat.indicator.type - type: keyword -- description: |- - Domain of the url, such as "www.elastic.co". - In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. - If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. 
- name: threat.indicator.url.domain - type: keyword -- description: Identifies a threat indicator as an IP address (irrespective of direction). - name: threat.indicator.ip - type: ip -- description: MD5 hash. - name: threat.indicator.file.hash.md5 - type: keyword -- description: Identifies a threat indicator as a port number (irrespective of direction). - name: threat.indicator.port - type: long -- description: A hash that identifies clients based on how they perform an SSL/TLS handshake. - name: tls.client.ja3 - type: keyword -- description: A hash that identifies servers based on how they perform an SSL/TLS handshake. - name: tls.server.ja3s - type: keyword diff --git a/packages/carbonblack_edr/1.5.1/data_stream/log/fields/fields.yml b/packages/carbonblack_edr/1.5.1/data_stream/log/fields/fields.yml deleted file mode 100755 index dfe35699bf..0000000000 --- a/packages/carbonblack_edr/1.5.1/data_stream/log/fields/fields.yml +++ /dev/null 
@@ -1,308 +0,0 @@
-- name: carbonblack.edr
- type: group
- release: experimental
- description: >
- Fields for VMware Carbon Black EDR Logs
-
- fields:
- - name: cb_version
- type: keyword
- - name: doc
- type: flattened
- - name: event_timestamp
- type: double
- - name: server_name
- type: keyword
- - name: watchlist_id
- type: keyword
- - name: watchlist_name
- type: keyword
- - name: feed_id
- type: keyword
- - name: feed_name
- type: keyword
- - name: hostname
- type: keyword
- - name: ioc_attr
- type: flattened
- - name: ioc_type
- type: keyword
- - name: ioc_value
- type: keyword
- - name: process_id
- type: keyword
- - name: report_id
- type: keyword
- - name: sensor_id
- type: keyword
- - name: md5
- type: keyword
- - name: segment_id
- type: keyword
- - name: scores
- type: group
- fields:
- - name: alliance_score_virustotal
- type: long
- - name: alliance_score_srstrust
- type: long
- - name: watchlists
- type: group
- fields:
- - name: watchlist_7
- type: keyword
- - name: watchlist_9
- type: keyword
- - name: watchlist_1
- type: keyword
- - name: compressed_size
- type: long
- - name: file_path
- type: keyword
- - name: size
- type: long
- - name: action
- type: keyword
- - name: actiontype
- type: keyword
- - name: cb_server
- type: keyword
- - name: computer_name
- type: keyword
- - name: event_type
- type: keyword
- - name: link_process
- type: keyword
- - name: link_sensor
- type: keyword
- - name: path
- type: keyword
- - name: pid
- type: long
- - name: process_guid
- type: keyword
- - name: timestamp
- type: double
- - name: type
- type: keyword
- - name: filetype
- type: keyword
- - name: filetype_name
- type: keyword
- - name: direction
- type: keyword
- - name: domain
- type: keyword
- - name: ipv4
- type: keyword
- - name: local_ip
- type: keyword
- - name: local_port
- type: long
- - name: port
- type: long
- - name: protocol
- type: keyword
- - name: remote_ip
- type: keyword
- - name: remote_port
- type: long
- - name: child_process_guid
- 
type: keyword
- - name: created
- type: boolean
- - name: link_child
- type: keyword
- - name: command_line
- type: keyword
- - name: expect_followon_w_md5
- type: boolean
- - name: link_parent
- type: keyword
- - name: parent_create_time
- type: long
- - name: parent_md5
- type: keyword
- - name: parent_path
- type: keyword
- - name: parent_process_guid
- type: keyword
- - name: username
- type: keyword
- - name: cross_process_type
- type: keyword
- - name: is_target
- type: boolean
- - name: link_target
- type: keyword
- - name: requested_access
- type: long
- - name: target_create_time
- type: long
- - name: target_md5
- type: keyword
- - name: target_path
- type: keyword
- - name: target_pid
- type: long
- - name: target_process_guid
- type: keyword
- - name: blocked
- type: boolean
- - name: emet_timestamp
- type: long
- - name: log_id
- type: keyword
- - name: log_message
- type: keyword
- - name: mitigation
- type: keyword
- - name: blocked_event
- type: keyword
- - name: blocked_reason
- type: keyword
- - name: blocked_result
- type: keyword
- - name: uid
- type: keyword
- - name: tamper_type
- type: keyword
- - name: alert_severity
- type: double
- - name: alert_type
- type: keyword
- - name: childproc_count
- type: long
- - name: comms_ip
- type: keyword
- - name: created_time
- type: keyword
- - name: crossproc_count
- type: long
- - name: feed_rating
- type: double
- - name: filemod_count
- type: long
- - name: group
- type: keyword
- - name: host
- type: keyword
- - name: interface_ip
- type: keyword
- - name: ioc_confidence
- type: double
- - name: link_md5
- type: keyword
- - name: modload_count
- type: long
- - name: netconn_count
- type: long
- - name: os_type
- type: keyword
- - name: process_name
- type: keyword
- - name: process_path
- type: keyword
- - name: process_unique_id
- type: keyword
- - name: regmod_count
- type: long
- - name: report_score
- type: long
- - name: sensor_criticality
- type: double
- - name: sha256
- type: keyword
- - 
name: status
- type: keyword
- - name: unique_id
- type: keyword
- - name: child_pid
- type: long
- - name: child_suppressed
- type: boolean
- - name: childproc_type
- type: keyword
- - name: parent_guid
- type: keyword
- - name: tamper
- type: boolean
- - name: tamper_sent
- type: boolean
- - name: child_command_line
- type: keyword
- - name: child_username
- type: keyword
- - name: target_sha256
- type: keyword
- - name: script
- type: keyword
- - name: script_sha256
- type: keyword
- - name: file_md5
- type: keyword
- - name: file_sha256
- type: keyword
- - name: proxy
- type: boolean
- - name: ja3
- type: keyword
- - name: ja3s
- type: keyword
- - name: filtering_known_dlls
- type: boolean
- - name: parent_pid
- type: long
- - name: parent_sha256
- type: keyword
- - name: digsig
- type: group
- fields:
- - name: result
- type: keyword
- - name: program_name
- type: keyword
- - name: result_code
- type: keyword
- - name: publisher
- type: keyword
- - name: subject_name
- type: keyword
- - name: sign_time
- type: keyword
- - name: issuer_name
- type: keyword
- - name: icon
- type: keyword
- - name: image_file_header
- type: keyword
- - name: utf8_comments
- type: keyword
- - name: utf8_company_name
- type: keyword
- - name: utf8_copied_module_length
- type: long
- - name: utf8_file_description
- type: keyword
- - name: utf8_file_version
- type: keyword
- - name: utf8_internal_name
- type: keyword
- - name: utf8_legal_copyright
- type: keyword
- - name: utf8_legal_trademark
- type: keyword
- - name: utf8_on_disk_filename
- type: keyword
- - name: utf8_original_file_name
- type: keyword
- - name: utf8_private_build
- type: keyword
- - name: utf8_product_description
- type: keyword
- - name: utf8_product_name
- type: keyword
- - name: utf8_product_version
- type: keyword
- - name: utf8_special_build
- type: keyword 
diff --git a/packages/carbonblack_edr/1.5.1/data_stream/log/manifest.yml b/packages/carbonblack_edr/1.5.1/data_stream/log/manifest.yml
deleted file mode 100755
index 21303f9bb5..0000000000
--- a/packages/carbonblack_edr/1.5.1/data_stream/log/manifest.yml
+++ /dev/null 
@@ -1,178 +0,0 @@
-type: logs
-title: Carbon Black EDR logs
-streams:
- - input: http_endpoint
- template_path: http_endpoint.yml.hbs
- title: Carbon Black EDR logs
- description: Receive Carbon Black EDR logs via HTTP.
- vars:
- - name: listen_address
- type: text
- title: Listen address
- description: The bind address for the HTTP server.
- multi: false
- required: true
- show_user: true
- - name: listen_port
- type: integer
- title: Listen port
- description: Port number for the HTTP server.
- multi: false
- required: false
- show_user: true
- - name: ssl
- type: yaml
- title: SSL
- multi: false
- required: false
- show_user: false
- - name: tags
- type: text
- title: Tags
- multi: true
- required: true
- show_user: true
- default:
- - carbonblack_edr-log
- - forwarded
- - name: preserve_original_event
- required: true
- show_user: true
- title: Preserve original event
- description: Preserves a raw copy of the original event, added to the field `event.original`
- type: bool
- multi: false
- default: false
- - name: processors
- type: yaml
- title: Processors
- multi: false
- required: false
- show_user: false
- description: "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. \nThis executes in the agent before the logs are parsed. \nSee [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.\n"
- - input: tcp
- enabled: false
- template_path: tcpudp.yml.hbs
- title: Carbon Black EDR logs
- description: Receive Carbon Black EDR logs via TCP.
- vars:
- - name: listen_address
- type: text
- title: Listen address
- description: The bind address for receiving TCP connections.
- multi: false
- required: true
- show_user: true
- - name: listen_port
- type: integer
- title: Listen port
- description: Port number to listen for TCP connections. 
- multi: false
- required: false
- show_user: true
- - name: tags
- type: text
- title: Tags
- multi: true
- required: true
- show_user: true
- default:
- - carbonblack_edr-log
- - forwarded
- - name: preserve_original_event
- required: true
- show_user: true
- title: Preserve original event
- description: Preserves a raw copy of the original event, added to the field `event.original`
- type: bool
- multi: false
- default: false
- - name: processors
- type: yaml
- title: Processors
- multi: false
- required: false
- show_user: false
- description: "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. \nThis executes in the agent before the logs are parsed. \nSee [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.\n"
- - input: udp
- enabled: false
- template_path: tcpudp.yml.hbs
- title: Carbon Black EDR logs
- description: Receive Carbon Black EDR logs via UDP.
- vars:
- - name: listen_address
- type: text
- title: Listen address
- description: The bind address for receiving UDP packets.
- multi: false
- required: true
- show_user: true
- - name: listen_port
- type: integer
- title: Listen port
- description: Port number to listen for UDP packets.
- multi: false
- required: false
- show_user: true
- - name: tags
- type: text
- title: Tags
- multi: true
- required: true
- show_user: true
- default:
- - carbonblack_edr-log
- - forwarded
- - name: preserve_original_event
- required: true
- show_user: true
- title: Preserve original event
- description: Preserves a raw copy of the original event, added to the field `event.original`
- type: bool
- multi: false
- default: false
- - name: processors
- type: yaml
- title: Processors
- multi: false
- required: false
- show_user: false
- description: "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. 
\nThis executes in the agent before the logs are parsed. \nSee [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.\n"
- - input: logfile
- enabled: false
- template_path: log.yml.hbs
- title: Carbon Black EDR logs
- description: Read Carbon Black EDR logs from a file.
- vars:
- - name: paths
- type: text
- title: Paths
- multi: true
- required: true
- show_user: true
- default:
- - /var/cb/data/event_bridge_output.json
- - name: tags
- type: text
- title: Tags
- multi: true
- required: true
- show_user: true
- default:
- - carbonblack_edr-log
- - forwarded
- - name: preserve_original_event
- required: true
- show_user: true
- title: Preserve original event
- description: Preserves a raw copy of the original event, added to the field `event.original`
- type: bool
- multi: false
- default: false
- - name: processors
- type: yaml
- title: Processors
- multi: false
- required: false
- show_user: false
- description: "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. \nThis executes in the agent before the logs are parsed. \nSee [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.\n"
diff --git a/packages/carbonblack_edr/1.5.1/data_stream/log/sample_event.json b/packages/carbonblack_edr/1.5.1/data_stream/log/sample_event.json
deleted file mode 100755
index 433b51f838..0000000000
--- a/packages/carbonblack_edr/1.5.1/data_stream/log/sample_event.json
+++ /dev/null 
@@ -1,75 +0,0 @@
-{
- "@timestamp": "2014-04-11T19:21:33.682Z",
- "agent": {
- "ephemeral_id": "7bb86a18-d262-4348-b206-131e38d2d1c8",
- "id": "9cb9fa70-f3e9-45d8-b1cb-61425bd93e1a",
- "name": "docker-fleet-agent",
- "type": "filebeat",
- "version": "8.0.0-beta1"
- },
- "carbonblack": {
- "edr": {
- "event_timestamp": 1397244093.682,
- "feed_id": 7,
- "feed_name": "dxmtest1",
- "ioc_attr": {},
- "md5": "506708142BC63DABA64F2D3AD1DCD5BF",
- "report_id": "dxmtest1_04",
- "sensor_id": 3321
- }
- },
- "data_stream": {
- "dataset": "carbonblack_edr.log",
- "namespace": "ep",
- "type": "logs"
- },
- "ecs": {
- "version": "8.3.0"
- },
- "elastic_agent": {
- "id": "9cb9fa70-f3e9-45d8-b1cb-61425bd93e1a",
- "snapshot": false,
- "version": "8.0.0-beta1"
- },
- "event": {
- "action": "unknown",
- "agent_id_status": "verified",
- "dataset": "carbonblack_edr.log",
- "ingested": "2022-01-25T07:45:03Z",
- "kind": "event",
- "original": "{\"md5\":\"506708142BC63DABA64F2D3AD1DCD5BF\",\"report_id\":\"dxmtest1_04\",\"ioc_type\":\"md5\",\"ioc_value\":\"506708142bc63daba64f2d3ad1dcd5bf\",\"ioc_attr\":{},\"feed_id\":7,\"hostname\":\"FS-SEA-529\",\"sensor_id\":3321,\"cb_version\":\"4.2.1.140808.1059\",\"server_name\":\"localhost.localdomain\",\"feed_name\":\"dxmtest1\",\"event_timestamp\":1397244093.682}\n"
- },
- "host": {
- "name": "FS-SEA-529"
- },
- "input": {
- "type": "udp"
- },
- "log": {
- "source": {
- "address": "172.19.0.4:46263"
- }
- },
- "observer": {
- "name": "localhost.localdomain",
- "product": "Carbon Black EDR",
- "type": "edr",
- "vendor": "VMWare",
- "version": "4.2.1.140808.1059"
- },
- "tags": [
- "carbonblack_edr-log",
- "forwarded",
- "preserve_original_event"
- ],
- "threat": {
- "indicator": {
- "file": {
- "hash": {
- "md5": "506708142bc63daba64f2d3ad1dcd5bf"
- }
- },
- "type": "file"
- }
- }
-}
\ No newline at end of file 
diff --git a/packages/carbonblack_edr/1.5.1/docs/README.md b/packages/carbonblack_edr/1.5.1/docs/README.md deleted file mode 100755 index 38298446c1..0000000000 --- a/packages/carbonblack_edr/1.5.1/docs/README.md +++ /dev/null @@ -1,351 +0,0 @@ -# VMware Carbon Black EDR Integration - -The VMware Carbon Black EDR integration collects EDR Server and raw Endpoint events exported by [Carbon Black EDR Event Forwarder.](https://github.com/carbonblack/cb-event-forwarder) The following output methods are supported: `http`, `tcp`, `udp` and `file`. - -## Compatibility - -This integration has been tested with the 3.7.4 version of EDR Event Forwarder. - -## Configuration - -The following configuration is necessary in `cb-event-forwarder.conf`: - -- `output_format=json` (default) - -For `http` output: - - `output_type=http` - - `http_post_template=[{{range .Events}}{{.EventText}}{{end}}]` - - `content_type=application/json` (default) - -For `tcp` output: - - `output_type=tcp` - - `tcpout=
:` - -For `udp` output: -- `output_type=tcp` -- `tcpout=
:` - -For `file` output: -- `output_type=file` -- `outfile=` - -An example event for `log` looks as following: - -```json -{ - "@timestamp": "2014-04-11T19:21:33.682Z", - "agent": { - "ephemeral_id": "7bb86a18-d262-4348-b206-131e38d2d1c8", - "id": "9cb9fa70-f3e9-45d8-b1cb-61425bd93e1a", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "8.0.0-beta1" - }, - "carbonblack": { - "edr": { - "event_timestamp": 1397244093.682, - "feed_id": 7, - "feed_name": "dxmtest1", - "ioc_attr": {}, - "md5": "506708142BC63DABA64F2D3AD1DCD5BF", - "report_id": "dxmtest1_04", - "sensor_id": 3321 - } - }, - "data_stream": { - "dataset": "carbonblack_edr.log", - "namespace": "ep", - "type": "logs" - }, - "ecs": { - "version": "8.3.0" - }, - "elastic_agent": { - "id": "9cb9fa70-f3e9-45d8-b1cb-61425bd93e1a", - "snapshot": false, - "version": "8.0.0-beta1" - }, - "event": { - "action": "unknown", - "agent_id_status": "verified", - "dataset": "carbonblack_edr.log", - "ingested": "2022-01-25T07:45:03Z", - "kind": "event", - "original": "{\"md5\":\"506708142BC63DABA64F2D3AD1DCD5BF\",\"report_id\":\"dxmtest1_04\",\"ioc_type\":\"md5\",\"ioc_value\":\"506708142bc63daba64f2d3ad1dcd5bf\",\"ioc_attr\":{},\"feed_id\":7,\"hostname\":\"FS-SEA-529\",\"sensor_id\":3321,\"cb_version\":\"4.2.1.140808.1059\",\"server_name\":\"localhost.localdomain\",\"feed_name\":\"dxmtest1\",\"event_timestamp\":1397244093.682}\n" - }, - "host": { - "name": "FS-SEA-529" - }, - "input": { - "type": "udp" - }, - "log": { - "source": { - "address": "172.19.0.4:46263" - } - }, - "observer": { - "name": "localhost.localdomain", - "product": "Carbon Black EDR", - "type": "edr", - "vendor": "VMWare", - "version": "4.2.1.140808.1059" - }, - "tags": [ - "carbonblack_edr-log", - "forwarded", - "preserve_original_event" - ], - "threat": { - "indicator": { - "file": { - "hash": { - "md5": "506708142bc63daba64f2d3ad1dcd5bf" - } - }, - "type": "file" - } - } -} -``` - -**Exported fields** - -| Field | Description | Type | 
-|---|---|
-| @timestamp | Event timestamp. | date |
-| carbonblack.edr.action | | keyword |
-| carbonblack.edr.actiontype | | keyword |
-| carbonblack.edr.alert_severity | | double |
-| carbonblack.edr.alert_type | | keyword |
-| carbonblack.edr.blocked | | boolean |
-| carbonblack.edr.blocked_event | | keyword |
-| carbonblack.edr.blocked_reason | | keyword |
-| carbonblack.edr.blocked_result | | keyword |
-| carbonblack.edr.cb_server | | keyword |
-| carbonblack.edr.cb_version | | keyword |
-| carbonblack.edr.child_command_line | | keyword |
-| carbonblack.edr.child_pid | | long |
-| carbonblack.edr.child_process_guid | | keyword |
-| carbonblack.edr.child_suppressed | | boolean |
-| carbonblack.edr.child_username | | keyword |
-| carbonblack.edr.childproc_count | | long |
-| carbonblack.edr.childproc_type | | keyword |
-| carbonblack.edr.command_line | | keyword |
-| carbonblack.edr.comms_ip | | keyword |
-| carbonblack.edr.compressed_size | | long |
-| carbonblack.edr.computer_name | | keyword |
-| carbonblack.edr.created | | boolean |
-| carbonblack.edr.created_time | | keyword |
-| carbonblack.edr.cross_process_type | | keyword |
-| carbonblack.edr.crossproc_count | | long |
-| carbonblack.edr.digsig.issuer_name | | keyword |
-| carbonblack.edr.digsig.program_name | | keyword |
-| carbonblack.edr.digsig.publisher | | keyword |
-| carbonblack.edr.digsig.result | | keyword |
-| carbonblack.edr.digsig.result_code | | keyword |
-| carbonblack.edr.digsig.sign_time | | keyword |
-| carbonblack.edr.digsig.subject_name | | keyword |
-| carbonblack.edr.direction | | keyword |
-| carbonblack.edr.doc | | flattened |
-| carbonblack.edr.domain | | keyword |
-| carbonblack.edr.emet_timestamp | | long |
-| carbonblack.edr.event_timestamp | | double |
-| carbonblack.edr.event_type | | keyword |
-| carbonblack.edr.expect_followon_w_md5 | | boolean |
-| carbonblack.edr.feed_id | | keyword |
-| carbonblack.edr.feed_name | | keyword |
-| carbonblack.edr.feed_rating | | 
double |
-| carbonblack.edr.file_md5 | | keyword |
-| carbonblack.edr.file_path | | keyword |
-| carbonblack.edr.file_sha256 | | keyword |
-| carbonblack.edr.filemod_count | | long |
-| carbonblack.edr.filetype | | keyword |
-| carbonblack.edr.filetype_name | | keyword |
-| carbonblack.edr.filtering_known_dlls | | boolean |
-| carbonblack.edr.group | | keyword |
-| carbonblack.edr.host | | keyword |
-| carbonblack.edr.hostname | | keyword |
-| carbonblack.edr.icon | | keyword |
-| carbonblack.edr.image_file_header | | keyword |
-| carbonblack.edr.interface_ip | | keyword |
-| carbonblack.edr.ioc_attr | | flattened |
-| carbonblack.edr.ioc_confidence | | double |
-| carbonblack.edr.ioc_type | | keyword |
-| carbonblack.edr.ioc_value | | keyword |
-| carbonblack.edr.ipv4 | | keyword |
-| carbonblack.edr.is_target | | boolean |
-| carbonblack.edr.ja3 | | keyword |
-| carbonblack.edr.ja3s | | keyword |
-| carbonblack.edr.link_child | | keyword |
-| carbonblack.edr.link_md5 | | keyword |
-| carbonblack.edr.link_parent | | keyword |
-| carbonblack.edr.link_process | | keyword |
-| carbonblack.edr.link_sensor | | keyword |
-| carbonblack.edr.link_target | | keyword |
-| carbonblack.edr.local_ip | | keyword |
-| carbonblack.edr.local_port | | long |
-| carbonblack.edr.log_id | | keyword |
-| carbonblack.edr.log_message | | keyword |
-| carbonblack.edr.md5 | | keyword |
-| carbonblack.edr.mitigation | | keyword |
-| carbonblack.edr.modload_count | | long |
-| carbonblack.edr.netconn_count | | long |
-| carbonblack.edr.os_type | | keyword |
-| carbonblack.edr.parent_create_time | | long |
-| carbonblack.edr.parent_guid | | keyword |
-| carbonblack.edr.parent_md5 | | keyword |
-| carbonblack.edr.parent_path | | keyword |
-| carbonblack.edr.parent_pid | | long |
-| carbonblack.edr.parent_process_guid | | keyword |
-| carbonblack.edr.parent_sha256 | | keyword |
-| carbonblack.edr.path | | keyword |
-| carbonblack.edr.pid | | long |
-| carbonblack.edr.port | | long |
-| 
carbonblack.edr.process_guid | | keyword |
-| carbonblack.edr.process_id | | keyword |
-| carbonblack.edr.process_name | | keyword |
-| carbonblack.edr.process_path | | keyword |
-| carbonblack.edr.process_unique_id | | keyword |
-| carbonblack.edr.protocol | | keyword |
-| carbonblack.edr.proxy | | boolean |
-| carbonblack.edr.regmod_count | | long |
-| carbonblack.edr.remote_ip | | keyword |
-| carbonblack.edr.remote_port | | long |
-| carbonblack.edr.report_id | | keyword |
-| carbonblack.edr.report_score | | long |
-| carbonblack.edr.requested_access | | long |
-| carbonblack.edr.scores.alliance_score_srstrust | | long |
-| carbonblack.edr.scores.alliance_score_virustotal | | long |
-| carbonblack.edr.script | | keyword |
-| carbonblack.edr.script_sha256 | | keyword |
-| carbonblack.edr.segment_id | | keyword |
-| carbonblack.edr.sensor_criticality | | double |
-| carbonblack.edr.sensor_id | | keyword |
-| carbonblack.edr.server_name | | keyword |
-| carbonblack.edr.sha256 | | keyword |
-| carbonblack.edr.size | | long |
-| carbonblack.edr.status | | keyword |
-| carbonblack.edr.tamper | | boolean |
-| carbonblack.edr.tamper_sent | | boolean |
-| carbonblack.edr.tamper_type | | keyword |
-| carbonblack.edr.target_create_time | | long |
-| carbonblack.edr.target_md5 | | keyword |
-| carbonblack.edr.target_path | | keyword |
-| carbonblack.edr.target_pid | | long |
-| carbonblack.edr.target_process_guid | | keyword |
-| carbonblack.edr.target_sha256 | | keyword |
-| carbonblack.edr.timestamp | | double |
-| carbonblack.edr.type | | keyword |
-| carbonblack.edr.uid | | keyword |
-| carbonblack.edr.unique_id | | keyword |
-| carbonblack.edr.username | | keyword |
-| carbonblack.edr.utf8_comments | | keyword |
-| carbonblack.edr.utf8_company_name | | keyword |
-| carbonblack.edr.utf8_copied_module_length | | long |
-| carbonblack.edr.utf8_file_description | | keyword |
-| carbonblack.edr.utf8_file_version | | keyword |
-| carbonblack.edr.utf8_internal_name | | 
keyword |
-| carbonblack.edr.utf8_legal_copyright | | keyword |
-| carbonblack.edr.utf8_legal_trademark | | keyword |
-| carbonblack.edr.utf8_on_disk_filename | | keyword |
-| carbonblack.edr.utf8_original_file_name | | keyword |
-| carbonblack.edr.utf8_private_build | | keyword |
-| carbonblack.edr.utf8_product_description | | keyword |
-| carbonblack.edr.utf8_product_name | | keyword |
-| carbonblack.edr.utf8_product_version | | keyword |
-| carbonblack.edr.utf8_special_build | | keyword |
-| carbonblack.edr.watchlist_id | | keyword |
-| carbonblack.edr.watchlist_name | | keyword |
-| carbonblack.edr.watchlists.watchlist_1 | | keyword |
-| carbonblack.edr.watchlists.watchlist_7 | | keyword |
-| carbonblack.edr.watchlists.watchlist_9 | | keyword |
-| data_stream.dataset | Data stream dataset name. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| error.message | Error message. | match_only_text |
-| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword |
-| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. 
This will allow proper categorization of some events that fall in multiple categories. | keyword |
-| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date |
-| event.dataset | Event dataset | constant_keyword |
-| event.duration | Duration of the event in nanoseconds. If event.start and event.end are known this value should be the difference between the end and start time. | long |
-| event.end | event.end contains the date when the event ended or when the activity was last observed. | date |
-| event.id | Unique ID to describe the event. | keyword |
-| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date |
-| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. 
They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword |
-| event.module | Event module | constant_keyword |
-| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword |
-| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword |
-| event.start | event.start contains the date when the event started or when the activity was first observed. | date |
-| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. 
`event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword |
-| file.attributes | Array of file attributes. Attributes names will vary by platform. Here's a non-exhaustive list of values that are expected in this field: archive, compressed, directory, encrypted, execute, hidden, read, readonly, system, write. | keyword |
-| file.code_signature.exists | Boolean to capture if a signature is present. | boolean |
-| file.code_signature.status | Additional information about the certificate status. This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. | keyword |
-| file.code_signature.subject_name | Subject name of the code signer | keyword |
-| file.hash.md5 | MD5 hash. | keyword |
-| file.path | Full path to the file, including the file name. It should include the drive letter, when appropriate. | keyword |
-| file.path.text | Multi-field of `file.path`. | match_only_text |
-| file.pe.architecture | CPU architecture target for the file. | keyword |
-| file.size | File size in bytes. Only relevant when `file.type` is "file". | long |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. 
As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | match_only_text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.type | Use the `os.type` field to categorize the operating system into one of the broad commercial families. If the OS you're dealing with is not listed as an expected value, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| input.type | Type of Filebeat input. | keyword |
-| log.file.path | Path to the log file. | keyword |
-| log.flags | Flags for the log file. | keyword |
-| log.offset | Offset of the entry in the log file. | long |
-| log.source.address | Source address from which the log event was read / sent from. | keyword |
-| network.direction | Direction of the network traffic. 
When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword |
-| network.iana_number | IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. | keyword |
-| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword |
-| observer.name | Custom name of the observer. This is a name that can be given to an observer. This can be helpful for example if multiple firewalls of the same model are used in an organization. If no custom name is needed, the field can be left empty. | keyword |
-| observer.product | The product name of the observer. | keyword |
-| observer.type | The type of the observer the data is coming from. There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. | keyword |
-| observer.vendor | Vendor name of the observer. | keyword |
-| observer.version | Observer version. | keyword |
-| os.type | Use the `os.type` field to categorize the operating system into one of the broad commercial families. 
If the OS you're dealing with is not listed as an expected value, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. | keyword |
-| process.command_line | Full command line that started the process, including the absolute path to the executable, and all arguments. Some arguments may be filtered to protect sensitive information. | wildcard |
-| process.command_line.text | Multi-field of `process.command_line`. | match_only_text |
-| process.entity_id | Unique identifier for the process. The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. | keyword |
-| process.executable | Absolute path to the process executable. | keyword |
-| process.executable.text | Multi-field of `process.executable`. | match_only_text |
-| process.hash.md5 | MD5 hash. | keyword |
-| process.name | Process name. Sometimes called program name or similar. | keyword |
-| process.name.text | Multi-field of `process.name`. | match_only_text |
-| process.parent.entity_id | Unique identifier for the process. The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. | keyword |
-| process.parent.hash.md5 | MD5 hash. | keyword |
-| process.parent.name | Process name. Sometimes called program name or similar. 
| keyword | -| process.parent.name.text | Multi-field of `process.parent.name`. | match_only_text | -| process.parent.pid | Process id. | long | -| process.pid | Process id. | long | -| process.start | The time the process started. | date | -| registry.path | Full path, including hive, key and value | keyword | -| related.hash | All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). | keyword | -| rule.id | A rule ID that is unique within the scope of an agent, observer, or other entity using the rule for detection of this event. | keyword | -| rule.name | The name of the rule or signature generating the event. | keyword | -| tags | List of keywords used to tag each event. | keyword | -| threat.indicator.file.hash.md5 | MD5 hash. | keyword | -| threat.indicator.ip | Identifies a threat indicator as an IP address (irrespective of direction). | ip | -| threat.indicator.port | Identifies a threat indicator as a port number (irrespective of direction). | long | -| threat.indicator.type | Type of indicator as represented by Cyber Observable in STIX 2.0. | keyword | -| threat.indicator.url.domain | Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. | keyword | -| tls.client.ja3 | A hash that identifies clients based on how they perform an SSL/TLS handshake. | keyword | -| tls.server.ja3s | A hash that identifies servers based on how they perform an SSL/TLS handshake. | keyword | - - 
diff --git a/packages/carbonblack_edr/1.5.1/img/carbon-black-logo.svg b/packages/carbonblack_edr/1.5.1/img/carbon-black-logo.svg deleted file mode 100755
index 180cc3d212..0000000000
--- a/packages/carbonblack_edr/1.5.1/img/carbon-black-logo.svg
+++ /dev/null
@@ -1,91 +0,0 @@
- - - - -Created by potrace 1.16, written by Peter Selinger 2001-2019 - - - - - - - - - - - - - - - - - - - - -
diff --git a/packages/carbonblack_edr/1.5.1/manifest.yml b/packages/carbonblack_edr/1.5.1/manifest.yml deleted file mode 100755
index def7123ef1..0000000000
--- a/packages/carbonblack_edr/1.5.1/manifest.yml
+++ /dev/null
@@ -1,35 +0,0 @@
-name: carbonblack_edr
-title: VMware Carbon Black EDR
-version: "1.5.1"
-release: ga
-description: Collect logs from VMware Carbon Black EDR with Elastic Agent.
-type: integration
-format_version: 1.0.0
-license: basic
-categories: [security]
-conditions:
- kibana.version: ^7.14.0 || ^8.0.0
-policy_templates:
- - name: log
- title: Carbon Black EDR logs
- description: Collect logs from Carbon Black EDR
- inputs:
- - type: http_endpoint
- title: "Collect Carbon Black EDR via HTTP"
- description: "Collect logs from Carbon Black EDR via HTTP"
- - type: tcp
- title: "Collect Carbon Black EDR via TCP"
- description: "Collect logs from Carbon Black EDR via TCP"
- - type: udp
- title: "Collect Carbon Black EDR via UDP"
- description: "Collect logs from Carbon Black EDR via UDP"
- - type: logfile
- title: "Collect Carbon Black EDR from a file"
- description: "Collect logs from Carbon Black EDR from a file"
-icons:
- - src: /img/carbon-black-logo.svg
- title: VMWare Carbon Black
- size: 32x32
- type: image/svg+xml
-owner:
- github: elastic/security-external-integrations
diff --git a/packages/cef/2.3.2/LICENSE.txt b/packages/cef/2.3.2/LICENSE.txt deleted file mode 100755
index 809108b857..0000000000
--- a/packages/cef/2.3.2/LICENSE.txt
+++ /dev/null
@@ -1,93 +0,0 @@ -Elastic License 2.0 - -URL: https://www.elastic.co/licensing/elastic-license - -## Acceptance - -By using the software, you agree to all of the terms and conditions below. - -## Copyright License - -The licensor grants you a non-exclusive, royalty-free, worldwide, -non-sublicensable, non-transferable license to use, copy, distribute, make -available, and prepare derivative works of the software, in each case subject to -the limitations and conditions below. - -## Limitations - -You may not provide the software to third parties as a hosted or managed -service, where the service provides users with access to any substantial set of -the features or functionality of the software. - -You may not move, change, disable, or circumvent the license key functionality -in the software, and you may not remove or obscure any functionality in the -software that is protected by the license key. - -You may not alter, remove, or obscure any licensing, copyright, or other notices -of the licensor in the software. Any use of the licensor’s trademarks is subject -to applicable law. - -## Patents - -The licensor grants you a license, under any patent claims the licensor can -license, or becomes able to license, to make, have made, use, sell, offer for -sale, import and have imported the software, in each case subject to the -limitations and conditions in this license. This license does not cover any -patent claims that you cause to be infringed by modifications or additions to -the software. If you or your company make any written claim that the software -infringes or contributes to infringement of any patent, your patent license for -the software granted under these terms ends immediately. If your company makes -such a claim, your patent license ends immediately for work on behalf of your -company. - -## Notices - -You must ensure that anyone who gets a copy of any part of the software from you -also gets a copy of these terms. 
- -If you modify the software, you must include in any modified copies of the -software prominent notices stating that you have modified the software. - -## No Other Rights - -These terms do not imply any licenses other than those expressly granted in -these terms. - -## Termination - -If you use the software in violation of these terms, such use is not licensed, -and your licenses will automatically terminate. If the licensor provides you -with a notice of your violation, and you cease all violation of this license no -later than 30 days after you receive that notice, your licenses will be -reinstated retroactively. However, if you violate these terms after such -reinstatement, any additional violation of these terms will cause your licenses -to terminate automatically and permanently. - -## No Liability - -*As far as the law allows, the software comes as is, without any warranty or -condition, and the licensor will not be liable to you for any damages arising -out of these terms or the use or nature of the software, under any kind of -legal claim.* - -## Definitions - -The **licensor** is the entity offering these terms, and the **software** is the -software the licensor makes available under these terms, including any portion -of it. - -**you** refers to the individual or entity agreeing to these terms. - -**your company** is any legal entity, sole proprietorship, or other kind of -organization that you work for, plus all organizations that have control over, -are under the control of, or are under common control with that -organization. **control** means ownership of substantially all the assets of an -entity, or the power to direct its management and policies by vote, contract, or -otherwise. Control can be direct or indirect. - -**your licenses** are all the licenses granted to you for the software under -these terms. - -**use** means anything you do with the software requiring one of your licenses. 
-
-**trademark** means trademarks, service marks, and similar rights.
diff --git a/packages/cef/2.3.2/changelog.yml b/packages/cef/2.3.2/changelog.yml deleted file mode 100755
index 5970fddc20..0000000000
--- a/packages/cef/2.3.2/changelog.yml
+++ /dev/null
@@ -1,159 +0,0 @@
-# newer versions go on top
-- version: "2.3.2"
- changes:
- - description: Use ECS geo.location definition.
- type: enhancement
- link: https://github.com/elastic/integrations/issues/4227
-- version: "2.3.1"
- changes:
- - description: Remove unused visualizations
- type: enhancement
- link: https://github.com/elastic/integrations/issues/3975
-- version: "2.3.0"
- changes:
- - description: Update package to ECS 8.4.0
- type: enhancement
- link: https://github.com/elastic/integrations/pull/3842
-- version: "2.2.1"
- changes:
- - description: Update package name and description to align with standard wording
- type: enhancement
- link: https://github.com/elastic/integrations/pull/3478
-- version: "2.2.0"
- changes:
- - description: Add generic CEF dashboards
- type: enhancement
- link: https://github.com/elastic/integrations/pull/3526
-- version: "2.1.0"
- changes:
- - description: Update package to ECS 8.3.0.
- type: enhancement
- link: https://github.com/elastic/integrations/pull/3353
-- version: "2.0.3"
- changes:
- - description: Format source.mac and destination.mac as per ECS.
- type: bugfix
- link: https://github.com/elastic/integrations/pull/3566
-- version: "2.0.2"
- changes:
- - description: Improve field documentation
- type: enhancement
- link: https://github.com/elastic/integrations/pull/3465
-- version: "2.0.1"
- changes:
- - description: Clarify scope of dashboards
- type: bugfix
- link: https://github.com/elastic/integrations/pull/3470
-- version: "2.0.0"
- changes:
- - description: Migrate map visualisation from tile_map to map object
- type: enhancement
- link: https://github.com/elastic/integrations/pull/3263
-- version: "1.5.0"
- changes:
- - description: Update to ECS 8.2 by modifying Check Point events to use the new email field set.
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2804
-- version: "1.4.3"
- changes:
- - description: Add documentation for multi-fields
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2916
-- version: "1.4.2"
- changes:
- - description: Add field mappings for several `event.*` fields.
- type: bugfix
- link: https://github.com/elastic/integrations/pull/2808
-- version: "1.4.1"
- changes:
- - description: Append pipeline errors to error.message instead of overwriting existing errors.
- type: bugfix
- link: https://github.com/elastic/integrations/pull/2789
-- version: "1.4.0"
- changes:
- - description: Update to ECS 8.0
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2386
-- version: "1.3.1"
- changes:
- - description: Regenerate test files using the new GeoIP database
- type: bugfix
- link: https://github.com/elastic/integrations/pull/2339
-- version: "1.3.0"
- changes:
- - description: Change test IPs to the supported set for GeoIP
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2216
- - description: Add 8.0.0 version constraint
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2216
-- version: "1.2.2"
- changes:
- - description: Update Title and Description.
- type: enhancement
- link: https://github.com/elastic/integrations/pull/1950
-- version: "1.2.1"
- changes:
- - description: Fix logic that checks for the 'forwarded' tag
- type: bugfix
- link: https://github.com/elastic/integrations/pull/1802
-- version: "1.2.0"
- changes:
- - description: Add CEF time zone config option.
- type: enhancement
- link: https://github.com/elastic/integrations/pull/1723
-- version: "1.1.0"
- changes:
- - description: Update to ECS 1.12.0
- type: enhancement
- link: https://github.com/elastic/integrations/pull/1652
-- version: "1.0.0"
- changes:
- - description: make GA
- type: enhancement
- link: https://github.com/elastic/integrations/pull/1604
-- version: "0.5.2"
- changes:
- - description: Convert to generated ECS fields
- type: enhancement
- link: https://github.com/elastic/integrations/pull/1469
-- version: '0.5.1'
- changes:
- - description: update to ECS 1.11.0
- type: enhancement
- link: https://github.com/elastic/integrations/pull/1375
-- version: "0.5.0"
- changes:
- - description: Update documentation to fit mdx spec
- type: enhancement
- link: https://github.com/elastic/integrations/pull/1401
-- version: "0.4.0"
- changes:
- - description: Update integration description
- type: enhancement
- link: https://github.com/elastic/integrations/pull/1364
-- version: "0.3.0"
- changes:
- - description: Set "event.module" and "event.dataset"
- type: enhancement
- link: https://github.com/elastic/integrations/pull/1255
-- version: "0.2.0"
- changes:
- - description: update to ECS 1.10.0 and adding event.original options.
- type: enhancement
- link: https://github.com/elastic/integrations/pull/1032
-- version: "0.1.0"
- changes:
- - description: Change syslog input to udp input. Add syslog timestamp parsing to Ingest Node pipeline.
- type: enhancement
- link: https://github.com/elastic/integrations/pull/898
-- version: "0.0.4"
- changes:
- - description: update to ECS 1.9.0
- type: enhancement
- link: https://github.com/elastic/integrations/pull/838
-- version: "0.0.1"
- changes:
- - description: initial release
- type: enhancement # can be one of: enhancement, bugfix, breaking-change
- link: https://github.com/elastic/integrations/pull/418
diff --git a/packages/cef/2.3.2/data_stream/log/agent/stream/log.yml.hbs b/packages/cef/2.3.2/data_stream/log/agent/stream/log.yml.hbs deleted file mode 100755
index c9f24092e8..0000000000
--- a/packages/cef/2.3.2/data_stream/log/agent/stream/log.yml.hbs
+++ /dev/null
@@ -1,27 +0,0 @@
-paths:
- {{#each paths as |path i|}}
-- {{path}}
- {{/each}}
-exclude_files: [".gz$"]
-tags:
-{{#if preserve_original_event}}
- - preserve_original_event
-{{/if}}
-{{#each tags as |tag i|}}
- - {{tag}}
-{{/each}}
-{{#contains "forwarded" tags}}
-publisher_pipeline.disable_host: true
-{{/contains}}
-processors:
-- rename:
- fields:
- - {from: "message", to: "event.original"}
-- decode_cef:
- field: event.original
-{{#if decode_cef_timezone}}
- timezone: {{ decode_cef_timezone }}
-{{/if}}
-{{#if processors}}
-{{processors}}
-{{/if}}
diff --git a/packages/cef/2.3.2/data_stream/log/agent/stream/udp.yml.hbs b/packages/cef/2.3.2/data_stream/log/agent/stream/udp.yml.hbs deleted file mode 100755
index 4d71aa0234..0000000000
--- a/packages/cef/2.3.2/data_stream/log/agent/stream/udp.yml.hbs
+++ /dev/null
@@ -1,23 +0,0 @@
-host: "{{syslog_host}}:{{syslog_port}}"
-tags:
-{{#if preserve_original_event}}
- - preserve_original_event
-{{/if}}
-{{#each tags as |tag i|}}
- - {{tag}}
-{{/each}}
-{{#contains "forwarded" tags}}
-publisher_pipeline.disable_host: true
-{{/contains}}
-processors:
-- rename:
- fields:
- - {from: "message", to: "event.original"}
-- decode_cef:
- field: event.original
-{{#if decode_cef_timezone}}
- timezone: {{ decode_cef_timezone }}
-{{/if}}
-{{#if processors}}
-{{processors}}
-{{/if}}
\ No newline at end of file
diff --git a/packages/cef/2.3.2/data_stream/log/elasticsearch/ingest_pipeline/cp-pipeline.yml b/packages/cef/2.3.2/data_stream/log/elasticsearch/ingest_pipeline/cp-pipeline.yml deleted file mode 100755
index 8a53e9b0c7..0000000000
--- a/packages/cef/2.3.2/data_stream/log/elasticsearch/ingest_pipeline/cp-pipeline.yml
+++ /dev/null
@@ -1,380 +0,0 @@
----
-description: Pipeline for Check Point CEF
-
-processors:
- # This script is mapping CEF extensions to ECS when possible. Otherwise
- # it maps them to fields under the `checkpoint` group using Check Point log
- # field names.
- #
- # [1] Description of Check Point CEF extensions:
- # https://community.checkpoint.com/t5/Logging-and-Reporting/Log-Exporter-CEF-Field-Mappings/td-p/41060
- # [2] Description of Check Point log field names (sk144192):
- # https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk144192
- #
- # Note that in some cases the CEF extension name doesn't accurately describe
- # its contents. For example sntdom/sourceNtDomain, which is used to store
- # Check Point's domain_name, documented as "Domain name sent to DNS request".
- #
- # This script processes the `params.extensions` list below. This list consists
- # of two different kinds of mappings, the simpler has a source ext `name`
- # and a `to` field. It copies the given extension field to the target `to`.
- #
- # When the `labels` dict is defined, the target field depends on the value of
- # the accompanying label field. For example, the field deviceCustomIPv6Address2
- # is mapped to `source.ip` only when the extension deviceCustomIPv6Address2Label
- # exists and its value is "Source IPv6 Address".
- #
- # Also it can convert the destination value by simple mapping when the
- # convert key exists. Values without an entry in the convert dict are not
- # copied and the target field remains unset.
- #
- # The output of this processor is a single field, `_tmp_copy`, that contains
- # a list of actions `{"to": "target_field", "value":"field value"}` that is
- # later executed using a foreach processor. This is done to avoid complex
- # de-dotting and other gotchas of setting arbitrary fields in Painless.
- - script:
- lang: painless
- params:
- extensions:
- - name: cp_app_risk
- to: checkpoint.app_risk
-
- - name: cp_app_risk
- to: event.risk_score
- # This mapping is a mix of [1] and [2] above.
- convert:
- unknown: 0
- informational: 0
- very-low: 1
- low: 2
- medium: 3
- high: 4
- very-high: 5
- critical: 5
-
- - name: cp_severity
- to: checkpoint.severity
-
- - name: cp_severity
- to: event.severity
- convert:
- # This mapping is a mix of [1] and [2] above.
- unknown: 0
- informational: 0
- very-low: 1
- low: 1
- medium: 2
- high: 3
- very-high: 4
- critical: 4
-
- # Number of events associated with the log
- - name: baseEventCount
- to: checkpoint.event_count
-
- # Log type
- - name: deviceExternalId
- to: observer.type
-
- # Product Family (override deviceExternalId if present).
- - name: deviceFacility
- to: observer.type
- convert:
- '0': Network
- '1': Endpoint
- '2': Access
- '3': Threat
- '4': Mobile
-
- # Gateway interface, where the connection is received from in case of an outbound connection
- - name: deviceInboundInterface
- to: observer.ingress.interface.name
-
- # Gateway interface, where the connection is sent from, in case of an inbound connection
- - name: deviceOutboundInterface
- to: observer.egress.interface.name
-
- - name: externalId
- to: checkpoint.uuid
-
- - name: fileHash
- to: checkpoint.file_hash
-
- - name: reason
- to: checkpoint.termination_reason
-
- # Possibly an IKE cookie
- - name: requestCookies
- to: checkpoint.cookie
-
- # Probably a typo in CP's CEF docs
- - name: checkrequestCookies
- to: checkpoint.cookie
-
- # Domain name sent to DNS request
- - name: sourceNtDomain
- to: dns.question.name
-
- # CVE registry entry
- - name: Signature
- to: vulnerability.id
-
- - name: Recipient
- to: destination.user.email
-
- - name: Sender
- to: source.user.email
-
- - name: deviceCustomFloatingPoint1
- labels:
- update version: observer.version
-
- - name: deviceCustomIPv6Address2
- labels:
- source ipv6 address: source.ip
-
- -
name: deviceCustomIPv6Address3
- labels:
- destination ipv6 address: destination.ip
-
- - name: deviceCustomNumber1
- labels:
- payload: network.bytes
- elapsed time in seconds: event.duration
- email recipients number: checkpoint.email_recipients_num
-
- - name: deviceCustomNumber2
- labels:
- duration in seconds: event.duration
- icmp type: checkpoint.icmp_type
-
- - name: deviceCustomNumber3
- labels:
- icmp code: checkpoint.icmp_code
-
- - name: deviceCustomString1
- labels:
- application rule name: rule.name
- dlp rule name: rule.name
- threat prevention rule name: rule.name
- connectivity state: checkpoint.connectivity_state
- email id: checkpoint.email_id
- voip log type: checkpoint.voip_log_type
-
- - name: deviceCustomString2
- labels:
- # Protection malware id
- protection id: checkpoint.protection_id
- update status: checkpoint.update_status
- email subject: checkpoint.email_subject
- sensor mode: checkpoint.sensor_mode
- scan invoke type: checkpoint.integrity_av_invoke_type
- category: checkpoint.category
- # Matched categories
- categories: rule.category
- peer gateway: checkpoint.peer_gateway
-
- - name: deviceCustomString6
- labels:
- application name: network.application
- virus name: checkpoint.virus_name
- malware name: checkpoint.spyware_name
- malware family: checkpoint.malware_family
-
- - name: deviceCustomString3
- labels:
- user group: group.name
- # Format of original data.
- incident extension: checkpoint.incident_extension
- identity type: checkpoint.identity_type
- email spool id: checkpoint.email_spool_id
- # Type of protection used to detect the attack
- protection type: checkpoint.protection_type
-
- - name: deviceCustomString4
- labels:
- malware status: checkpoint.spyware_status
- destination os: os.name
- scan result: checkpoint.scan_result
- frequency: checkpoint.frequency
- protection name: checkpoint.protection_name
- user response: checkpoint.user_status
- email control: checkpoint.email_control
- tcp flags: checkpoint.tcp_flags
- threat prevention rule id: rule.id
-
- - name: deviceCustomString5
- labels:
- matched category: rule.category
- authentication method: checkpoint.auth_method
- email session id: checkpoint.email_session_id
- vlan id: network.vlan.id
-
- - name: deviceCustomDate2
- labels:
- subscription expiration: checkpoint.subs_exp
-
- - name: deviceFlexNumber1
- labels:
- confidence: checkpoint.confidence_level
-
- - name: deviceFlexNumber2
- labels:
- destination phone number: checkpoint.dst_phone_number
- performance impact: checkpoint.performance_impact
-
- - name: flexString1
- labels:
- application signature id: checkpoint.app_sig_id
-
- - name: flexString2
- labels:
- malware action: rule.description
- attack information: event.action
-
- - name: rule_uid
- to: rule.uuid
-
- - name: ifname
- to: observer.ingress.interface.name
-
- - name: inzone
- to: observer.ingress.zone
-
- - name: outzone
- to: observer.egress.zone
-
- - name: product
- to: observer.product
-
- source: |
- def actions = new ArrayList();
- def exts = ctx.cef?.extensions;
- if (exts == null) return;
- for (entry in params.extensions) {
- def value = exts[entry.name];
- if (value == null ||
- (entry.convert != null &&
- (value=entry.convert[value.toLowerCase()]) == null))
- continue;
- if (entry.to != null) {
- actions.add([
- "value": value,
- "to": entry.to
- ]);
- continue;
- }
- def label = exts[entry.name + "Label"];
- if (label
== null) continue;
- def dest = entry.labels[label.toLowerCase()];
- if (dest == null) continue;
- actions.add([
- "value": value,
- "to": dest
- ]);
- }
- ctx["_tmp_copy"] = actions;
-
- - foreach:
- field: _tmp_copy
- processor:
- set:
- field: "{{_ingest._value.to}}"
- value: "{{_ingest._value.value}}"
-
- - remove:
- field: _tmp_copy
-
- - set:
- field: email.to.address
- value: ["{{{destination.user.email}}}"]
- if: "ctx?.destination?.user?.email != null"
- - set:
- field: email.from.address
- value: ["{{{source.user.email}}}"]
- if: "ctx?.source?.user?.email != null"
- - set:
- field: email.subject
- copy_from: checkpoint.email_subject
- if: "ctx?.checkpoint?.email_subject != null"
- - set:
- field: email.message_id
- copy_from: checkpoint.email_session_id
- if: "ctx?.checkpoint?.email_session_id != null"
- - convert:
- field: event.risk_score
- type: float
- ignore_missing: true
- on_failure:
- - remove:
- field: event.risk_score
- - convert:
- field: event.severity
- type: long
- ignore_missing: true
- on_failure:
- - remove:
- field: event.severity
-
- # event.duration is a string and contains seconds. Convert to long nanos.
- - script:
- params:
- second_to_nanos: 1000000000
- lang: painless
- source: |
- def duration = ctx.event?.duration;
- if (duration == null) return;
- ctx.event.duration = Long.parseLong(duration) * params.second_to_nanos;
- on_failure:
- - remove:
- field: event.duration
- ignore_missing: true
-
- # checkpoint.file_hash can be either MD5, SHA1 or SHA256.
- - rename:
- field: checkpoint.file_hash
- target_field: file.hash.md5
- if: 'ctx.checkpoint?.file_hash != null && ctx.checkpoint.file_hash.length()==32'
- - rename:
- field: checkpoint.file_hash
- target_field: file.hash.sha1
- if: 'ctx.checkpoint?.file_hash != null && ctx.checkpoint.file_hash.length()==40'
- - rename:
- field: checkpoint.file_hash
- target_field: file.hash.sha256
- if: 'ctx.checkpoint?.file_hash != null && ctx.checkpoint.file_hash.length()==64'
-
- # Event kind is 'event' by default. 'alert' when a risk score and rule info
- # is present.
- - set:
- field: event.kind
- value: event
- - set:
- field: event.kind
- value: alert
- if: 'ctx.cef?.extensions?.cp_app_risk != null && ctx.rule != null'
-
- # Set event.category to network/malware/intrusion_detection depending on which
- # fields have been populated.
- - set:
- field: event.category
- value: network
- if: 'ctx.source?.ip != null && ctx.destination?.ip != null'
- - set:
- field: event.category
- value: malware
- if: 'ctx.checkpoint?.protection_id != null || ctx.checkpoint?.spyware_name != null || ctx.checkpoint?.malware_family != null || ctx.checkpoint?.spyware_status != null'
- - set:
- field: event.category
- value: intrusion_detection
- if: 'ctx.event?.category != "malware" && (ctx.checkpoint?.protection_type != null || ctx.cef.extensions?.flexString2Label == "Attack Information")'
-
- - convert:
- field: checkpoint.event_count
- type: long
- ignore_missing: true
- - convert:
- field: cef.extensions.baseEventCount
- type: long
- ignore_missing: true
-
diff --git a/packages/cef/2.3.2/data_stream/log/elasticsearch/ingest_pipeline/default.yml b/packages/cef/2.3.2/data_stream/log/elasticsearch/ingest_pipeline/default.yml deleted file mode 100755
index 01c4ed82c6..0000000000
--- a/packages/cef/2.3.2/data_stream/log/elasticsearch/ingest_pipeline/default.yml
+++ /dev/null
@@ -1,177 +0,0 @@
----
-description: Pipeline for CEF logs. CEF decoding happens in the Agent. This performs additional enrichment and vendor specific transformations.
-
-processors:
- - set:
- field: ecs.version
- value: '8.4.0'
-
- - convert:
- field: event.id
- type: string
- ignore_missing: true
-
- # IP Geolocation Lookup
- - geoip:
- field: source.ip
- target_field: source.geo
- ignore_missing: true
- - geoip:
- field: destination.ip
- target_field: destination.geo
- ignore_missing: true
-
- # IP Autonomous System (AS) Lookup
- - geoip:
- database_file: GeoLite2-ASN.mmdb
- field: source.ip
- target_field: source.as
- properties:
- - asn
- - organization_name
- ignore_missing: true
- - geoip:
- database_file: GeoLite2-ASN.mmdb
- field: destination.ip
- target_field: destination.as
- properties:
- - asn
- - organization_name
- ignore_missing: true
- - rename:
- field: source.as.asn
- target_field: source.as.number
- ignore_missing: true
- - rename:
- field: source.as.organization_name
- target_field: source.as.organization.name
- ignore_missing: true
- - rename:
- field: destination.as.asn
- target_field: destination.as.number
- ignore_missing: true
- - rename:
- field: destination.as.organization_name
- target_field: destination.as.organization.name
- ignore_missing: true
- - append:
- field: related.hash
- value: "{{cef.extensions.fileHash}}"
- allow_duplicates: false
- if: "ctx?.cef?.extensions?.fileHash != null && ctx?.cef?.extensions?.fileHash != ''"
- - append:
- field: related.hash
- value: "{{cef.extensions.oldFileHash}}"
- allow_duplicates: false
- if: "ctx?.cef?.extensions?.oldFileHash != null && ctx?.cef?.extensions?.oldFileHash != ''"
- - append:
- field: related.ip
- value: "{{destination.ip}}"
- allow_duplicates: false
- if: "ctx?.destination?.ip != null && ctx?.destination?.ip != ''"
- - append:
- field: related.ip
- value: "{{destination.nat.ip}}"
- allow_duplicates: false
- if: "ctx?.destination?.nat?.ip != null && ctx?.destination?.nat?.ip != 
''"
- - append:
- field: related.ip
- value: "{{source.ip}}"
- allow_duplicates: false
- if: "ctx?.source?.ip != null && ctx?.source?.ip != ''"
- - append:
- field: related.ip
- value: "{{source.nat.ip}}"
- allow_duplicates: false
- if: "ctx?.source?.nat?.ip != null && ctx?.source?.nat?.ip != ''"
- - append:
- field: related.user
- value: "{{destination.user.name}}"
- if: "ctx?.destination?.user?.name != null"
- - append:
- field: related.user
- value: "{{source.user.name}}"
- allow_duplicates: false
- if: "ctx?.source?.user?.name != null && ctx?.source?.user?.name != ''"
- - append:
- field: related.hosts
- value: "{{observer.hostname}}"
- allow_duplicates: false
- if: "ctx?.observer?.hostname != null && ctx?.observer?.hostname != ''"
- - pipeline:
- name: '{{ IngestPipeline "fp-pipeline" }}'
- if: "ctx.cef?.device?.vendor == 'FORCEPOINT'"
- - pipeline:
- name: '{{ IngestPipeline "cp-pipeline" }}'
- if: "ctx.cef?.device?.vendor == 'Check Point'"
- - community_id: {}
-
- # Ensure source.mac and destination.mac are formatted to ECS specifications.
- - gsub:
- field: destination.mac
- ignore_missing: true
- pattern: '[:.]'
- replacement: '-'
- - gsub:
- field: source.mac
- ignore_missing: true
- pattern: '[:.]'
- replacement: '-'
- - uppercase:
- field: destination.mac
- ignore_missing: true
- - uppercase:
- field: source.mac
- ignore_missing: true
-
- #
- # Timestamp parsing.
- #
- - grok:
- # decode_cef sets @timestamp when deviceReceiptTime is provided.
- description: Extract timestamp from log header when deviceReceiptTime not given.
- if: ctx?.cef?.extensions?.deviceReceiptTime == null
- field: event.original
- patterns:
- - '^%{SYSLOG_TIMESTAMP} '
- - '^%{ECS_SYSLOG_PRI}%{SYSLOG_TIMESTAMP} ' # RFC3164
- - '^%{ECS_SYSLOG_PRI}%{NONNEGINT} %{SYSLOG_TIMESTAMP} ' # RFC5224
- pattern_definitions:
- ECS_SYSLOG_PRI: '<%{NONNEGINT:log.syslog.priority:long}>'
- SYSLOG_TIMESTAMP: '(?:%{SYSLOGTIMESTAMP:_tmp.timestamp}|%{TIMESTAMP_ISO8601:_tmp.timestamp8601})'
- ignore_failure: true
- - date:
- if: ctx?._tmp?.timestamp8601 != null
- field: _tmp.timestamp8601
- formats:
- - ISO8601
- - date:
- if: ctx?._tmp?.timestamp != null
- field: _tmp.timestamp
- formats:
- - MMM d HH:mm:ss
- - MMM dd HH:mm:ss
- - remove:
- field:
- - _tmp
- ignore_failure: true
- - remove:
- field: event.original
- if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))"
- ignore_failure: true
- ignore_missing: true
-
- # Cleanup
- - remove:
- field:
- - cef.extensions._cefVer
- ignore_missing: true
-
-on_failure:
- - remove:
- field:
- - _tmp
- ignore_failure: true
- - append:
- field: error.message
- value: "{{ _ingest.on_failure_message }}"
diff --git a/packages/cef/2.3.2/data_stream/log/elasticsearch/ingest_pipeline/fp-pipeline.yml b/packages/cef/2.3.2/data_stream/log/elasticsearch/ingest_pipeline/fp-pipeline.yml deleted file mode 100755
index f87d217328..0000000000
--- a/packages/cef/2.3.2/data_stream/log/elasticsearch/ingest_pipeline/fp-pipeline.yml
+++ /dev/null
@@ -1,27 +0,0 @@ ---- -description: Pipeline for Forcepoint CEF - -processors: - # cs1 is ruleID - - set: - field: rule.id - value: "{{cef.extensions.deviceCustomString1}}" - ignore_empty_value: true - - # cs2 is natRuleID - - set: - field: rule.id - value: "{{cef.extensions.deviceCustomString2}}" - ignore_empty_value: true - - # cs3 is VulnerabilityReference - - set: - field: vulnerability.reference - value: "{{cef.extensions.deviceCustomString3}}" - ignore_empty_value: true - - # cs4 is virusID - - set: - field: cef.forcepoint.virus_id - value: "{{cef.extensions.deviceCustomString4}}" - ignore_empty_value: true diff --git a/packages/cef/2.3.2/data_stream/log/fields/agent.yml b/packages/cef/2.3.2/data_stream/log/fields/agent.yml deleted file mode 100755 index d03a5f0211..0000000000 --- a/packages/cef/2.3.2/data_stream/log/fields/agent.yml +++ /dev/null 
@@ -1,207 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. 
- -- name: log.source.address - type: keyword - description: Source address from which the log event was read / sent from. -- name: input.type - type: keyword - description: Input type -- name: log.offset - type: long - description: Log offset diff --git a/packages/cef/2.3.2/data_stream/log/fields/base-fields.yml b/packages/cef/2.3.2/data_stream/log/fields/base-fields.yml deleted file mode 100755 index 88e15e9046..0000000000 --- a/packages/cef/2.3.2/data_stream/log/fields/base-fields.yml +++ /dev/null @@ -1,20 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: event.module - type: constant_keyword - description: Event module - value: cef -- name: event.dataset - type: constant_keyword - description: Event dataset - value: cef.log -- name: '@timestamp' - type: date - description: Event timestamp. diff --git a/packages/cef/2.3.2/data_stream/log/fields/ecs.yml b/packages/cef/2.3.2/data_stream/log/fields/ecs.yml deleted file mode 100755 index 92436bf957..0000000000 --- a/packages/cef/2.3.2/data_stream/log/fields/ecs.yml +++ /dev/null 
@@ -1,389 +0,0 @@ -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: destination.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: destination.as.organization.name - type: keyword -- description: Bytes sent from the destination to the source. - name: destination.bytes - type: long -- description: |- - The domain name of the destination system. - This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. - name: destination.domain - type: keyword -- description: City name. - name: destination.geo.city_name - type: keyword -- description: Name of the continent. - name: destination.geo.continent_name - type: keyword -- description: Country ISO code. - name: destination.geo.country_iso_code - type: keyword -- description: Country name. - name: destination.geo.country_name - type: keyword -- description: Longitude and latitude. - name: destination.geo.location - type: geo_point -- description: Region ISO code. - name: destination.geo.region_iso_code - type: keyword -- description: Region name. - name: destination.geo.region_name - type: keyword -- description: IP address of the destination (IPv4 or IPv6). - name: destination.ip - type: ip -- description: |- - MAC address of the destination. - The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. - name: destination.mac - pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ - type: keyword -- description: |- - Translated ip of destination based NAT sessions (e.g. internet to private DMZ) - Typically used with load balancers, firewalls, or routers. 
- name: destination.nat.ip - type: ip -- description: |- - Port the source session is translated to by NAT Device. - Typically used with load balancers, firewalls, or routers. - name: destination.nat.port - type: long -- description: Port of the destination. - name: destination.port - type: long -- description: Unique identifier for the group on the system/platform. - name: destination.user.group.id - type: keyword -- description: Name of the group. - name: destination.user.group.name - type: keyword -- description: Unique identifier of the user. - name: destination.user.id - type: keyword -- description: Short name or login of the user. - multi_fields: - - name: text - type: match_only_text - name: destination.user.name - type: keyword -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: The email address of the sender, typically from the RFC 5322 `From:` header field. - name: email.from.address - normalize: - - array - type: keyword -- description: The email address of recipient - name: email.to.address - normalize: - - array - type: keyword -- description: A brief summary of the topic of the message. - multi_fields: - - name: text - type: match_only_text - name: email.subject - type: keyword -- description: |- - Timestamp when an event arrived in the central data store. - This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. - In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. 
- name: event.ingested - type: date -- description: |- - Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. - This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. - doc_values: false - index: false - name: event.original - type: keyword -- description: Primary group name of the file. - name: file.group - type: keyword -- description: MD5 hash. - name: file.hash.md5 - type: keyword -- description: SHA1 hash. - name: file.hash.sha1 - type: keyword -- description: Inode representing the file in the filesystem. - name: file.inode - type: keyword -- description: Name of the file including the extension, without the directory. - name: file.name - type: keyword -- description: Full path to the file, including the file name. It should include the drive letter, when appropriate. - multi_fields: - - name: text - type: match_only_text - name: file.path - type: keyword -- description: |- - File size in bytes. - Only relevant when `file.type` is "file". - name: file.size - type: long -- description: File type (file, dir, or symlink). - name: file.type - type: keyword -- description: |- - HTTP request method. - The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field. - name: http.request.method - type: keyword -- description: Referrer for this HTTP request. - name: http.request.referrer - type: keyword -- description: |- - Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. - If the event wasn't read from a log file, do not populate this field. 
- name: log.file.path - type: keyword -- description: |- - Syslog numeric priority of the event, if available. - According to RFCs 5424 and 3164, the priority is 8 * facility + severity. This number is therefore expected to contain a value between 0 and 191. - name: log.syslog.priority - type: long -- description: |- - For log events the message field contains the log message, optimized for viewing in a log viewer. - For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. - If multiple messages exist, they can be combined into one message. - name: message - type: match_only_text -- description: |- - When a specific application or service is identified from network connection details (source/dest IPs, ports, certificates, or wire format), this field captures the application's or service's name. - For example, the original event identifies the network connection being from a specific web service in a `https` network connection, like `facebook` or `twitter`. - The field value must be normalized to lowercase for querying. - name: network.application - type: keyword -- description: |- - A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. - Learn more at https://github.com/corelight/community-id-spec. - name: network.community_id - type: keyword -- description: |- - Direction of the network traffic. - When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". - When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". - Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. 
Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. - name: network.direction - type: keyword -- description: |- - Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) - The field value must be normalized to lowercase for querying. - name: network.transport - type: keyword -- description: Network zone of outbound traffic as reported by the observer to categorize the destination area of egress traffic, e.g. Internal, External, DMZ, HR, Legal, etc. - name: observer.egress.zone - type: keyword -- description: Hostname of the observer. - name: observer.hostname - type: keyword -- description: Interface name as reported by the system. - name: observer.ingress.interface.name - type: keyword -- description: Network zone of incoming traffic as reported by the observer to categorize the source area of ingress traffic. e.g. internal, External, DMZ, HR, Legal, etc. - name: observer.ingress.zone - type: keyword -- description: IP addresses of the observer. - name: observer.ip - normalize: - - array - type: ip -- description: The product name of the observer. - name: observer.product - type: keyword -- description: |- - The type of the observer the data is coming from. - There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. - name: observer.type - type: keyword -- description: Vendor name of the observer. - name: observer.vendor - type: keyword -- description: Observer version. - name: observer.version - type: keyword -- description: |- - Process name. - Sometimes called program name or similar. - multi_fields: - - name: text - type: match_only_text - name: process.name - type: keyword -- description: All the hashes seen on your event. 
Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). - name: related.hash - normalize: - - array - type: keyword -- description: All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. - name: related.hosts - normalize: - - array - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - normalize: - - array - type: ip -- description: All the user names or other user identifiers seen on the event. - name: related.user - normalize: - - array - type: keyword -- description: A categorization value keyword used by the entity using the rule for detection of this event. - name: rule.category - type: keyword -- description: A rule ID that is unique within the scope of an agent, observer, or other entity using the rule for detection of this event. - name: rule.id - type: keyword -- description: A rule ID that is unique within the scope of a set or group of agents, observers, or other entities using the rule for detection of this event. - name: rule.uuid - type: keyword -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: source.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: source.as.organization.name - type: keyword -- description: Bytes sent from the source to the destination. - name: source.bytes - type: long -- description: |- - The domain name of the source system. - This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. - name: source.domain - type: keyword -- description: City name. 
- name: source.geo.city_name - type: keyword -- description: Name of the continent. - name: source.geo.continent_name - type: keyword -- description: Country ISO code. - name: source.geo.country_iso_code - type: keyword -- description: Country name. - name: source.geo.country_name - type: keyword -- description: Longitude and latitude. - name: source.geo.location - type: geo_point -- description: Region ISO code. - name: source.geo.region_iso_code - type: keyword -- description: Region name. - name: source.geo.region_name - type: keyword -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: |- - MAC address of the source. - The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. - name: source.mac - pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ - type: keyword -- description: |- - Translated ip of source based NAT sessions (e.g. internal client to internet) - Typically connections traversing load balancers, firewalls, or routers. - name: source.nat.ip - type: ip -- description: |- - Translated port of source based NAT sessions. (e.g. internal client to internet) - Typically used with load balancers, firewalls, or routers. - name: source.nat.port - type: long -- description: Port of the source. - name: source.port - type: long -- description: Unique identifier for the group on the system/platform. - name: source.user.group.id - type: keyword -- description: Name of the group. - name: source.user.group.name - type: keyword -- description: Unique identifier of the user. - name: source.user.id - type: keyword -- description: Short name or login of the user. - multi_fields: - - name: text - type: match_only_text - name: source.user.name - type: keyword -- description: List of keywords used to tag each event. 
- name: tags - normalize: - - array - type: keyword -- description: |- - Unmodified original url as seen in the event source. - Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. - This field is meant to represent the URL as it was observed, complete or not. - multi_fields: - - name: text - type: match_only_text - name: url.original - type: wildcard -- description: Unparsed user_agent string. - multi_fields: - - name: text - type: match_only_text - name: user_agent.original - type: keyword -- description: |- - The action captured by the event. - This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. - name: event.action - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. This will allow proper categorization of some events that fall in multiple categories. - name: event.category - normalize: - - array - type: keyword -- description: |- - Identification code for this event, if one exists. - Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. - name: event.code - type: keyword -- description: |- - Duration of the event in nanoseconds. - If event.start and event.end are known this value should be the difference between the end and start time. - name: event.duration - type: long -- description: Unique ID to describe the event. 
- name: event.id - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: Risk score or priority of the event (e.g. security solutions). Use your system's original value here. - name: event.risk_score - type: float -- description: |- - The numeric severity of the event according to your event source. - What the different severity values mean can be different between sources and use cases. It's up to the implementer to make sure severities are consistent across events from the same source. - The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`. - name: event.severity - type: long diff --git a/packages/cef/2.3.2/data_stream/log/fields/fields.yml b/packages/cef/2.3.2/data_stream/log/fields/fields.yml deleted file mode 100755 index c667ec5df0..0000000000 --- a/packages/cef/2.3.2/data_stream/log/fields/fields.yml +++ /dev/null 
@@ -1,608 +0,0 @@ -- name: cef.name - type: keyword -- name: cef.severity - type: keyword -- name: cef.version - type: keyword -- name: destination.service.name - type: keyword -- name: source.service.name - type: keyword -- name: cef.forcepoint - type: group - fields: - - name: virus_id - type: keyword - description: | - Virus ID -- name: checkpoint - type: group - fields: - - name: app_risk - type: keyword - description: Application risk. - - name: app_severity - type: keyword - description: Application threat severity. - - name: app_sig_id - type: keyword - description: The signature ID which the application was detected by. - - name: auth_method - type: keyword - description: Password authentication protocol used. - - name: category - type: keyword - description: Category. - - name: confidence_level - type: integer - description: Confidence level determined. - - name: connectivity_state - type: keyword - description: Connectivity state. - - name: cookie - type: keyword - description: IKE cookie. - - name: dst_phone_number - type: keyword - description: Destination IP-Phone. - - name: email_control - type: keyword - description: Engine name. - - name: email_id - type: keyword - description: Internal email ID. - - name: email_recipients_num - type: long - description: Number of recipients. - - name: email_session_id - type: keyword - description: Internal email session ID. - - name: email_spool_id - type: keyword - description: Internal email spool ID. - - name: email_subject - type: keyword - description: Email subject. - - name: event_count - type: long - description: Number of events associated with the log. - - name: frequency - type: keyword - description: Scan frequency. - - name: icmp_type - type: long - description: ICMP type. - - name: icmp_code - type: long - description: ICMP code. - - name: identity_type - type: keyword - description: Identity type. - - name: incident_extension - type: keyword - description: Format of original data. 
- - name: integrity_av_invoke_type - type: keyword - description: Scan invoke type. - - name: malware_family - type: keyword - description: Malware family. - - name: peer_gateway - type: ip - description: Main IP of the peer Security Gateway. - - name: performance_impact - type: integer - description: Protection performance impact. - - name: protection_id - type: keyword - description: Protection malware ID. - - name: protection_name - type: keyword - description: Specific signature name of the attack. - - name: protection_type - type: keyword - description: Type of protection used to detect the attack. - - name: scan_result - type: keyword - description: Scan result. - - name: sensor_mode - type: keyword - description: Sensor mode. - - name: severity - type: keyword - description: Threat severity. - - name: spyware_name - type: keyword - description: Spyware name. - - name: spyware_status - type: keyword - description: Spyware status. - - name: subs_exp - type: date - description: The expiration date of the subscription. - - name: tcp_flags - type: keyword - description: TCP packet flags. - - name: termination_reason - type: keyword - description: Termination reason. - - name: update_status - type: keyword - description: Update status. - - name: user_status - type: keyword - description: User response. - - name: uuid - type: keyword - description: External ID. - - name: virus_name - type: keyword - description: Virus name. - - name: voip_log_type - type: keyword - description: VoIP log types. -- name: cef.device - type: group - fields: - - name: event_class_id - type: keyword - description: Unique identifier of the event type. - - name: product - type: keyword - description: Product of the device that produced the message. - - name: vendor - type: keyword - description: Vendor of the device that produced the message. - - name: version - type: keyword - description: Version of the product that produced the message. 
-- name: cef.extensions
- type: group
- fields:
- - name: agentAddress
- type: ip
- description: The IP address of the ArcSight connector that processed the event.
- - name: agentHostName
- type: keyword
- description: The hostname of the ArcSight connector that processed the event.
- - name: agentId
- type: keyword
- description: The agent ID of the ArcSight connector that processed the event.
- - name: agentReceiptTime
- type: date
- description: The time at which information about the event was received by the ArcSight connector.
- - name: agentTimeZone
- type: keyword
- description: The agent time zone of the ArcSight connector that processed the event.
- - name: agentType
- type: keyword
- description: The agent type of the ArcSight connector that processed the event.
- - name: destinationHostName
- type: keyword
- description: Identifies the destination that an event refers to in an IP network. The format should be a fully qualified domain name (FQDN) associated with the destination node, when a node is available.
- - name: deviceTimeZone
- type: keyword
- description: The time zone for the device generating the event.
- - name: requestUrlFileName
- type: keyword
- - name: startTime
- type: date
- description: The time when the activity the event referred to started. The format is MMM dd yyyy HH:mm:ss or milliseconds since epoch (Jan 1st 1970).
- - name: type
- type: long
- description: 0 means base event, 1 means aggregated, 2 means correlation, and 3 means action. This field can be omitted for base events (type 0).
- - name: agentVersion
- type: keyword
- description: The version of the ArcSight connector that processed the event.
- - name: agentZoneURI
- type: keyword
- - name: deviceSeverity
- type: keyword
- - name: deviceZoneURI
- type: keyword
- description: Thee URI for the Zone that the device asset has been assigned to in ArcSight.
- - name: fileType
- type: keyword
- description: Type of file (pipe, socket, etc.)
- - name: filename
- type: keyword
- description: Name of the file only (without its path).
- - name: managerReceiptTime
- type: date
- description: When the Arcsight ESM received the event.
- - name: agentMacAddress
- type: keyword
- description: The MAC address of the ArcSight connector that processed the event.
- - name: deviceProcessName
- type: keyword
- description: Process name associated with the event. An example might be the process generating the syslog entry in UNIX.
- - name: baseEventCount
- type: long
- description: A count associated with this event. How many times was this same event observed? Count can be omitted if it is 1.
- - name: dvc
- type: ip
- description: This field is used by Trend Micro if the hostname is an IPv4 address.
- - name: dvchost
- type: keyword
- description: This field is used by Trend Micro for hostnames and IPv6 addresses.
- - name: cp_app_risk
- type: keyword
- - name: cp_severity
- type: keyword
- - name: ifname
- type: keyword
- - name: inzone
- type: keyword
- - name: layer_uuid
- type: keyword
- - name: layer_name
- type: keyword
- - name: logid
- type: keyword
- - name: loguid
- type: keyword
- - name: match_id
- type: keyword
- - name: nat_addtnl_rulenum
- type: keyword
- - name: nat_rulenum
- type: keyword
- - name: origin
- type: keyword
- - name: originsicname
- type: keyword
- - name: outzone
- type: keyword
- - name: parent_rule
- type: keyword
- - name: product
- type: keyword
- - name: rule_action
- type: keyword
- - name: rule_uid
- type: keyword
- - name: sequencenum
- type: keyword
- - name: service_id
- type: keyword
- - name: version
- type: keyword
- - name: applicationProtocol
- type: keyword
- description: Application level protocol, example values are HTTP, HTTPS, SSHv2, Telnet, POP, IMPA, IMAPS, and so on.
- - name: categoryDeviceGroup
- type: keyword
- description: General device group like Firewall (ArcSight).
- - name: categoryTechnique
- type: keyword
- description: Technique being used (e.g. /DoS) (ArcSight).
- - name: deviceEventCategory
- type: keyword
- description: Represents the category assigned by the originating device. Devices often use their own categorization schema to classify event. Example "/Monitor/Disk/Read".
- - name: sourceNtDomain
- type: keyword
- description: The Windows domain name for the source address.
- - name: destinationNtDomain
- type: keyword
- description: Outcome of the event (e.g. sucess, failure, or attempt) (ArcSight).
- - name: categoryOutcome
- type: keyword
- description: Outcome of the event (e.g. sucess, failure, or attempt) (ArcSight).
- - name: categorySignificance
- type: keyword
- description: Characterization of the importance of the event (ArcSight).
- - name: categoryObject
- type: keyword
- description: Object that the event is about. For example it can be an operating sytem, database, file, etc (ArcSight).
- - name: categoryBehavior
- type: keyword
- description: Action or a behavior associated with an event. It's what is being done to the object (ArcSight).
- - name: categoryDeviceType
- type: keyword
- description: Device type. Examples - Proxy, IDS, Web Server (ArcSight).
- - name: baseEventCount
- type: keyword
- description: A count associated with this event. How many times was this same event observed? Count can be omitted if it is 1.
- - name: bytesIn
- type: long
- description: Number of bytes transferred inbound, relative to the source to destination relationship, meaning that data was flowing from source to destination.
- - name: bytesOut
- type: long
- description: Number of bytes transferred outbound relative to the source to destination relationship. For example, the byte number of data flowing from the destination to the source.
- - name: destinationAddress
- type: ip
- description: Identifies the destination address that the event refers to in an IP network. The format is an IPv4 address.
- - name: destinationPort
- type: long
- description: The valid port numbers are between 0 and 65535.
- - name: destinationServiceName
- type: keyword
- description: The service targeted by this event.
- - name: destinationTranslatedAddress
- type: ip
- description: Identifies the translated destination that the event refers to in an IP network.
- - name: destinationTranslatedPort
- type: long
- description: Port after it was translated; for example, a firewall. Valid port numbers are 0 to 65535.
- - name: destinationUserName
- type: keyword
- description: Identifies the destination user by name. This is the user associated with the event's destination. Email addresses are often mapped into the UserName fields. The recipient is a candidate to put into this field.
- - name: destinationUserPrivileges
- type: keyword
- description: The typical values are "Administrator", "User", and "Guest". This identifies the destination user's privileges. In UNIX, for example, activity executed on the root user would be identified with destinationUser Privileges of "Administrator".
- - name: deviceAction
- type: keyword
- description: Action taken by the device.
- - name: deviceAddress
- type: ip
- description: Identifies the device address that an event refers to in an IP network.
- - name: deviceCustomDate2
- type: keyword
- description: One of two timestamp fields available to map fields that do not apply to any other in this dictionary.
- - name: deviceCustomDate2Label
- type: keyword
- description: All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field.
- - name: deviceCustomIPv6Address2
- type: ip
- description: One of four IPv6 address fields available to map fields that do not apply to any other in this dictionary.
- - name: deviceCustomIPv6Address2Label
- type: keyword
- description: All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field.
- - name: deviceCustomIPv6Address3
- type: ip
- description: One of four IPv6 address fields available to map fields that do not apply to any other in this dictionary.
- - name: deviceCustomIPv6Address3Label
- type: keyword
- description: All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field.
- - name: deviceCustomNumber1
- type: long
- description: One of three number fields available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible.
- - name: deviceCustomNumber1Label
- type: keyword
- description: All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field.
- - name: deviceCustomNumber2
- type: long
- description: One of three number fields available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible.
- - name: deviceCustomNumber2Label
- type: keyword
- description: All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field.
- - name: deviceCustomNumber3
- type: long
- description: One of three number fields available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible.
- - name: deviceCustomNumber3Label
- type: keyword
- description: All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field.
- - name: deviceCustomString1
- type: keyword
- description: One of six strings available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible.
- - name: deviceCustomString1Label
- type: keyword
- description: All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field.
- - name: deviceCustomString2
- type: keyword
- description: One of six strings available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible.
- - name: deviceCustomString2Label
- type: keyword
- description: All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field.
- - name: deviceCustomString3
- type: keyword
- description: One of six strings available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible.
- - name: deviceCustomString3Label
- type: keyword
- description: All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field.
- - name: deviceCustomString4
- type: keyword
- description: One of six strings available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible.
- - name: deviceCustomString4Label
- type: keyword
- description: All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field.
- - name: deviceCustomString5
- type: keyword
- description: One of six strings available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible.
- - name: deviceCustomString5Label
- type: keyword
- description: All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field.
- - name: deviceCustomString6
- type: keyword
- description: One of six strings available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible.
- - name: deviceCustomString6Label
- type: keyword
- description: All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field.
- - name: deviceDirection
- type: long
- description: Any information about what direction the observed communication has taken. The following values are supported - "0" for inbound or "1" for outbound.
- - name: deviceExternalId
- type: keyword
- description: A name that uniquely identifies the device generating this event.
- - name: deviceFacility
- type: keyword
- description: The facility generating this event. For example, Syslog has an explicit facility associated with every event.
- - name: deviceHostName
- type: keyword
- description: The format should be a fully qualified domain name (FQDN) associated with the device node, when a node is available.
- - name: deviceOutboundInterface
- type: keyword
- description: Interface on which the packet or data left the device.
- - name: deviceReceiptTime
- type: keyword
- description: The time at which the event related to the activity was received. The format is MMM dd yyyy HH:mm:ss or milliseconds since epoch (Jan 1st 1970)
- - name: eventId
- type: long
- description: This is a unique ID that ArcSight assigns to each event.
- - name: fileHash
- type: keyword
- description: Hash of a file.
- - name: message
- type: keyword
- description: An arbitrary message giving more details about the event. Multi-line entries can be produced by using \n as the new line separator.
- - name: oldFileHash
- type: keyword
- description: Hash of the old file.
- - name: requestContext
- type: keyword
- description: Description of the content from which the request originated (for example, HTTP Referrer).
- - name: requestMethod
- type: keyword
- description: The HTTP method used to access a URL.
- - name: requestUrl
- type: keyword
- description: In the case of an HTTP request, this field contains the URL accessed. The URL should contain the protocol as well.
- - name: method
- type: keyword
- description: HTTP request method. The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field.
- - name: sourceAddress
- type: ip
- description: Identifies the source that an event refers to in an IP network.
- - name: sourceGeoLatitude
- type: long
- - name: sourceGeoLongitude
- type: long
- - name: sourcePort
- type: long
- description: The valid port numbers are 0 to 65535.
- - name: sourceServiceName
- type: keyword
- description: The service that is responsible for generating this event.
- - name: sourceTranslatedAddress
- type: ip
- description: Identifies the translated source that the event refers to in an IP network.
- - name: sourceTranslatedPort
- type: long
- description: A port number after being translated by, for example, a firewall. Valid port numbers are 0 to 65535.
- - name: sourceUserName
- type: keyword
- description: Identifies the source user by name. Email addresses are also mapped into the UserName fields. The sender is a candidate to put into this field.
- - name: sourceUserPrivileges
- type: keyword
- description: The typical values are "Administrator", "User", and "Guest". It identifies the source user's privileges. In UNIX, for example, activity executed by the root user would be identified with "Administrator".
- - name: transportProtocol
- type: keyword
- description: Identifies the Layer-4 protocol used. The possible values are protocols such as TCP or UDP.
- - name: ad
- type: flattened
- - name: TrendMicroDsDetectionConfidence
- type: keyword
- - name: TrendMicroDsFileMD5
- type: keyword
- - name: TrendMicroDsFileSHA1
- type: keyword
- - name: TrendMicroDsFileSHA256
- type: keyword
- - name: TrendMicroDsFrameType
- type: keyword
- - name: TrendMicroDsMalwareTarget
- type: keyword
- - name: TrendMicroDsMalwareTargetType
- type: keyword
- - name: TrendMicroDsPacketData
- type: keyword
- - name: TrendMicroDsRelevantDetectionNames
- type: keyword
- - name: TrendMicroDsTenant
- type: keyword
- - name: TrendMicroDsTenantId
- type: keyword
- - name: assetCriticality
- type: keyword
- - name: deviceAssetId
- type: keyword
- - name: deviceCustomIPv6Address1
- type: ip
- description: One of four IPv6 address fields available to map fields that do not apply to any other in this dictionary.
- - name: deviceCustomIPv6Address1Label
- type: keyword
- description: All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field.
- - name: deviceCustomIPv6Address2
- type: ip
- description: One of four IPv6 address fields available to map fields that do not apply to any other in this dictionary.
- - name: deviceCustomIPv6Address2Label
- type: keyword
- description: All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field.
- - name: deviceCustomIPv6Address3
- type: ip
- description: One of four IPv6 address fields available to map fields that do not apply to any other in this dictionary.
- - name: deviceCustomIPv6Address3Label
- type: keyword
- description: All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field.
- - name: deviceCustomIPv6Address4
- type: ip
- description: One of four IPv6 address fields available to map fields that do not apply to any other in this dictionary.
- - name: deviceCustomIPv6Address4Label
- type: keyword
- description: All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field.
- - name: deviceInboundInterface
- type: keyword
- description: Interface on which the packet or data entered the device.
- - name: deviceZoneID
- type: keyword
- - name: eventAnnotationAuditTrail
- type: keyword
- - name: eventAnnotationEndTime
- type: date
- - name: eventAnnotationFlags
- type: keyword
- - name: eventAnnotationManagerReceiptTime
- type: date
- - name: eventAnnotationModificationTime
- type: date
- - name: eventAnnotationStageUpdateTime
- type: date
- - name: eventAnnotationVersion
- type: keyword
- - name: locality
- type: keyword
- - name: modelConfidence
- type: keyword
- - name: originalAgentAddress
- type: keyword
- - name: originalAgentHostName
- type: keyword
- - name: originalAgentId
- type: keyword
- - name: originalAgentType
- type: keyword
- - name: originalAgentVersion
- type: keyword
- - name: originalAgentZoneURI
- type: keyword
- - name: priority
- type: keyword
- - name: relevance
- type: keyword
- - name: severity
- type: keyword
- - name: sourceTranslatedZoneID
- type: keyword
- - name: sourceTranslatedZoneURI
- type: keyword
- description: The URI for the Translated Zone that the destination asset has been assigned to in ArcSight.
- - name: sourceZoneID
- type: keyword
- description: Identifies the source user by ID. This is the user associated with the source of the event. For example, in UNIX, the root user is generally associated with user ID 0.
- - name: sourceZoneURI
- type: keyword
- description: The URI for the Zone that the source asset has been assigned to in ArcSight.
- - name: aggregationType
- type: keyword
- - name: destinationMacAddress
- type: keyword
- description: Six colon-separated hexadecimal numbers.
- - name: filePath
- type: keyword
- description: Full path to the file, including file name itself.
- - name: fileSize
- type: long
- description: Size of the file.
- - name: repeatCount
- type: keyword
- - name: sourceHostName
- type: keyword
- description: Identifies the source that an event refers to in an IP network. The format should be a fully qualified domain name (FQDN) associated with the source node, when a mode is available.
- - name: sourceMacAddress
- type: keyword
- description: Six colon-separated hexadecimal numbers.
- - name: sourceUserId
- type: keyword
- description: Identifies the source user by ID. This is the user associated with the source of the event. For example, in UNIX, the root user is generally associated with user ID 0.
- - name: target
- type: keyword
diff --git a/packages/cef/2.3.2/data_stream/log/manifest.yml b/packages/cef/2.3.2/data_stream/log/manifest.yml
deleted file mode 100755
index 8383dac3ad..0000000000
--- a/packages/cef/2.3.2/data_stream/log/manifest.yml
+++ /dev/null
@@ -1,104 +0,0 @@
-type: logs
-title: CEF log logs
-streams:
- - input: logfile
- template_path: log.yml.hbs
- title: CEF logs
- description: Collect CEF logs using log input
- vars:
- - name: paths
- type: text
- title: Paths
- multi: true
- required: true
- show_user: true
- default:
- - /var/log/cef.log
- - name: decode_cef_timezone
- type: text
- title: CEF Timezone
- multi: false
- required: false
- show_user: false
- description: IANA time zone or time offset (e.g. `+0200`) to use when interpreting timestamps without a time zone in the CEF message.
- - name: tags
- type: text
- title: Tags
- description: A list of tags to include in events. Including `forwarded` indicates that the events did not originate on this host and causes `host.name` to not be added to events.
- multi: true
- required: true
- show_user: false
- default:
- - cef
- - forwarded
- - name: preserve_original_event
- required: true
- show_user: true
- title: Preserve original event
- description: Preserves a raw copy of the original event, added to the field `event.original`
- type: bool
- multi: false
- default: false
- - name: processors
- type: yaml
- title: Processors
- multi: false
- required: false
- show_user: false
- description: >
- Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
- - input: udp
- template_path: udp.yml.hbs
- title: CEF logs
- description: Collect CEF logs using udp input
- vars:
- - name: syslog_host
- type: text
- title: Syslog Host
- description: The interface to listen to UDP based syslog traffic. Set to `0.0.0.0` to bind to all available interfaces.
- multi: false
- required: true
- show_user: true
- default: localhost
- - name: syslog_port
- type: integer
- title: Syslog Port
- description: The UDP port to listen for syslog traffic.
- multi: false
- required: true
- show_user: true
- default: 9003
- - name: decode_cef_timezone
- type: text
- title: CEF Timezone
- multi: false
- required: false
- show_user: false
- description: IANA time zone or time offset (e.g. `+0200`) to use when interpreting timestamps without a time zone in the CEF message.
- - name: tags
- type: text
- title: Tags
- description: A list of tags to include in events. Including `forwarded` indicates that the events did not originate on this host and causes `host.name` to not be added to events.
- multi: true
- required: true
- show_user: false
- default:
- - cef
- - forwarded
- - name: preserve_original_event
- required: true
- show_user: true
- title: Preserve original event
- description: Preserves a raw copy of the original event, added to the field `event.original`
- type: bool
- multi: false
- default: false
- - name: processors
- type: yaml
- title: Processors
- multi: false
- required: false
- show_user: false
- description: >-
- Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
diff --git a/packages/cef/2.3.2/data_stream/log/sample_event.json b/packages/cef/2.3.2/data_stream/log/sample_event.json
deleted file mode 100755
index aa4da19638..0000000000
--- a/packages/cef/2.3.2/data_stream/log/sample_event.json
+++ /dev/null
@@ -1,122 +0,0 @@
-{
- "@timestamp": "2022-06-03T01:39:47.734Z",
- "agent": {
- "ephemeral_id": "167ce484-a1a1-4fac-aaff-607b859e3ddf",
- "id": "69f5d3be-c31a-4be6-adb6-cb3ed3e50817",
- "name": "docker-fleet-agent",
- "type": "filebeat",
- "version": "8.2.0"
- },
- "cef": {
- "device": {
- "event_class_id": "18",
- "product": "Vaporware",
- "vendor": "Elastic",
- "version": "1.0.0-alpha"
- },
- "extensions": {
- "destinationAddress": "192.168.10.1",
- "destinationPort": 443,
- "eventId": 3457,
- "requestContext": "https://www.google.com",
- "requestMethod": "POST",
- "requestUrl": "https://www.example.com/cart",
- "sourceAddress": "89.160.20.156",
- "sourceGeoLatitude": 38.915,
- "sourceGeoLongitude": -77.511,
- "sourcePort": 33876,
- "sourceServiceName": "httpd",
- "transportProtocol": "TCP"
- },
- "name": "Web request",
- "severity": "low",
- "version": "0"
- },
- "data_stream": {
- "dataset": "cef.log",
- "namespace": "ep",
- "type": "logs"
- },
- "destination": {
- "ip": "192.168.10.1",
- "port": 443
- },
- "ecs": {
- "version": "8.3.0"
- },
- "elastic_agent": {
- "id": "69f5d3be-c31a-4be6-adb6-cb3ed3e50817",
- "snapshot": false,
- "version": "8.2.0"
- },
- "event": {
- "agent_id_status": "verified",
- "code": "18",
- "dataset": "cef.log",
- "id": "3457",
- "ingested": "2022-06-03T01:39:48Z",
- "severity": 0
- },
- "http": {
- "request": {
- "method": "POST",
- "referrer": "https://www.google.com"
- }
- },
- "input": {
- "type": "udp"
- },
- "log": {
- "source": {
- "address": "192.168.112.4:35889"
- }
- },
- "message": "Web request",
- "network": {
- "community_id": "1:UgazGyZMuRDtuImGjF+6GveZFw0=",
- "transport": "tcp"
- },
- "observer": {
- "product": "Vaporware",
- "vendor": "Elastic",
- "version": "1.0.0-alpha"
- },
- "related": {
- "ip": [
- "192.168.10.1",
- "89.160.20.156"
- ]
- },
- "source": {
- "as": {
- "number": 29518,
- "organization": {
- "name": "Bredband2 AB"
- }
- },
- "geo": {
- "city_name": "Linköping",
- "continent_name": "Europe",
- "country_iso_code": "SE",
- "country_name": "Sweden",
- "location": {
- "lat": 58.4167,
- "lon": 15.6167
- },
- "region_iso_code": "SE-E",
- "region_name": "Östergötland County"
- },
- "ip": "89.160.20.156",
- "port": 33876,
- "service": {
- "name": "httpd"
- }
- },
- "tags": [
- "cef",
- "forwarded"
- ],
- "url": {
- "original": "https://www.example.com/cart"
- }
-}
\ No newline at end of file
diff --git a/packages/cef/2.3.2/docs/README.md b/packages/cef/2.3.2/docs/README.md
deleted file mode 100755
index 03da14097b..0000000000
--- a/packages/cef/2.3.2/docs/README.md
+++ /dev/null
@@ -1,617 +0,0 @@
-# Common Event Format (CEF) Integration
-
-This is an integration for parsing Common Event Format (CEF) data. It can accept
-data over syslog or read it from a file.
-
-CEF data is a format like
-
-`CEF:0|Elastic|Vaporware|1.0.0-alpha|18|Web request|low|eventId=3457 msg=hello`
-
-When syslog is used as the transport the CEF data becomes the message that is
-contained in the syslog envelope. This integration will parse the syslog
-timestamp if it is present. Depending on the syslog RFC used the message will
-have a format like one of these:
-
-`<189> Jun 18 10:55:50 host CEF:0|Elastic|Vaporware|1.0.0-alpha|18|Web request|low|eventId=3457 msg=hello`
-
-`<189>1 2021-06-18T10:55:50.000003Z host app - - - CEF:0|Elastic|Vaporware|1.0.0-alpha|18|Web request|low|eventId=3457 msg=hello`
-
-In both cases the integration will use the syslog timestamp as the `@timestamp`
-unless the CEF data contains a device receipt timestamp.
-
-The Elastic Agent's `decode_cef` processor is applied to parse the CEF encoded
-data. The decoded data is written into a `cef` object field. Lastly any Elastic
-Common Schema (ECS) fields that can be populated with the CEF data are
-populated.
-
-## Compatibility
-
-### Forcepoint NGFW Security Management Center
-
-This module will process CEF data from Forcepoint NGFW Security Management
-Center (SMC). In the SMC configure the logs to be forwarded to the address set
-in `var.syslog_host` in format CEF and service UDP on `var.syslog_port`.
-Instructions can be found in [KB
-15002](https://support.forcepoint.com/KBArticle?id=000015002) for configuring
-the SMC.
-
-Testing was done with CEF logs from SMC version 6.6.1 and custom string mappings
-were taken from 'CEF Connector Configuration Guide' dated December 5, 2011.
-
-### Check Point devices
-
-This module will parse CEF data from Check Point devices as documented in [Log
-Exporter CEF Field
-Mappings](https://community.checkpoint.com/t5/Logging-and-Reporting/Log-Exporter-CEF-Field-Mappings/td-p/41060).
-
-Check Point CEF extensions are mapped as follows:
-
-
-| CEF Extension | CEF Label value | ECS Fields | Non-ECS Field |
-|----------------------------|-----------------------------|--------------------------|--------------------------------|
-| cp_app_risk | - | event.risk_score | checkpoint.app_risk |
-| cp_severity | - | event.severity | checkpoint.severity |
-| baseEventCount | - | - | checkpoint.event_count |
-| deviceExternalId | - | observer.type | - |
-| deviceFacility | - | observer.type | - |
-| deviceInboundInterface | - | observer.ingress.interface.name | - |
-| deviceOutboundInterface | - | observer.egress.interface.name | - |
-| externalId | - | - | checkpoint.uuid |
-| fileHash | - | file.hash.\{md5,sha1\} | - |
-| reason | - | - | checkpoint.termination_reason |
-| requestCookies | - | - | checkpoint.cookie |
-| sourceNtDomain | - | dns.question.name | - |
-| Signature | - | vulnerability.id | - |
-| Recipient | - | email.to.address | - |
-| Sender | - | email.from.address | - |
-| deviceCustomFloatingPoint1 | update version | observer.version | - |
-| deviceCustomIPv6Address2 | source ipv6 address | source.ip | - |
-| deviceCustomIPv6Address3 | destination ipv6 address | destination.ip | - |
-| deviceCustomNumber1 | elapsed time in seconds | event.duration | - |
-| deviceCustomNumber1 | email recipients number | - | checkpoint.email_recipients_num |
-| deviceCustomNumber1 | payload | network.bytes | - |
-| deviceCustomNumber2 | icmp type | - | checkpoint.icmp_type |
-| deviceCustomNumber2 | duration in seconds | event.duration | - |
-| deviceCustomNumber3 | icmp code | - | checkpoint.icmp_code |
-| deviceCustomString1 | connectivity state | - | checkpoint.connectivity_state |
-| deviceCustomString1 | application rule name | rule.name | - |
-| deviceCustomString1 | threat prevention rule name | rule.name | - |
-| deviceCustomString1 | voip log type | - | checkpoint.voip_log_type |
-| deviceCustomString1 | dlp rule name | rule.name | - |
-| deviceCustomString1 | email id | - | checkpoint.email_id |
-| deviceCustomString2 | category | - | checkpoint.category |
-| deviceCustomString2 | email subject | email.subject | checkpoint.email_subject |
-| deviceCustomString2 | sensor mode | - | checkpoint.sensor_mode |
-| deviceCustomString2 | protection id | - | checkpoint.protection_id |
-| deviceCustomString2 | scan invoke type | - | checkpoint.integrity_av_invoke_type |
-| deviceCustomString2 | update status | - | checkpoint.update_status |
-| deviceCustomString2 | peer gateway | - | checkpoint.peer_gateway |
-| deviceCustomString2 | categories | rule.category | - |
-| deviceCustomString6 | application name | network.application | - |
-| deviceCustomString6 | virus name | - | checkpoint.virus_name |
-| deviceCustomString6 | malware name | - | checkpoint.spyware_name |
-| deviceCustomString6 | malware family | - | checkpoint.malware_family |
-| deviceCustomString3 | user group | group.name | - |
-| deviceCustomString3 | incident extension | - | checkpoint.incident_extension |
-| deviceCustomString3 | protection type | - | checkpoint.protection_type |
-| deviceCustomString3 | email spool id | - | checkpoint.email_spool_id |
-| deviceCustomString3 | identity type | - | checkpoint.identity_type |
-| deviceCustomString4 | malware status | - | checkpoint.spyware_status |
-| deviceCustomString4 | threat prevention rule id | rule.id | - |
-| deviceCustomString4 | scan result | - | checkpoint.scan_result |
-| deviceCustomString4 | tcp flags | - | checkpoint.tcp_flags |
-| deviceCustomString4 | destination os | os.name | - |
-| deviceCustomString4 | protection name | - | checkpoint.protection_name |
-| deviceCustomString4 | email control | - | checkpoint.email_control |
-| deviceCustomString4 | frequency | - | checkpoint.frequency |
-| deviceCustomString4 | user response | - | checkpoint.user_status |
-| deviceCustomString5 | matched category | rule.category | - |
-| deviceCustomString5 | vlan id | network.vlan.id | - |
-| deviceCustomString5 | authentication method | - | checkpoint.auth_method |
-| deviceCustomString5 | email session id | email.message_id | checkpoint.email_session_id |
-| deviceCustomDate2 | subscription expiration | - | checkpoint.subs_exp |
-| deviceFlexNumber1 | confidence | - | checkpoint.confidence_level |
-| deviceFlexNumber2 | performance impact | - | checkpoint.performance_impact |
-| deviceFlexNumber2 | destination phone number | - | checkpoint.dst_phone_number |
-| flexString1 | application signature id | - | checkpoint.app_sig_id |
-| flexString2 | malware action | rule.description | - |
-| flexString2 | attack information | event.action | - |
-| rule_uid | - | rule.uuid | - |
-| ifname | - | observer.ingress.interface.name | - |
-| inzone | - | observer.ingress.zone | - |
-| outzone | - | observer.egress.zone | - |
-| product | - | observer.product | - |
-
-## Logs
-
-### CEF log
-
-This is the CEF `log` dataset.
-
-An example event for `log` looks as following:
-
-```json
-{
- "@timestamp": "2022-06-03T01:39:47.734Z",
- "agent": {
- "ephemeral_id": "167ce484-a1a1-4fac-aaff-607b859e3ddf",
- "id": "69f5d3be-c31a-4be6-adb6-cb3ed3e50817",
- "name": "docker-fleet-agent",
- "type": "filebeat",
- "version": "8.2.0"
- },
- "cef": {
- "device": {
- "event_class_id": "18",
- "product": "Vaporware",
- "vendor": "Elastic",
- "version": "1.0.0-alpha"
- },
- "extensions": {
- "destinationAddress": "192.168.10.1",
- "destinationPort": 443,
- "eventId": 3457,
- "requestContext": "https://www.google.com",
- "requestMethod": "POST",
- "requestUrl": "https://www.example.com/cart",
- "sourceAddress": "89.160.20.156",
- "sourceGeoLatitude": 38.915,
- "sourceGeoLongitude": -77.511,
- "sourcePort": 33876,
- "sourceServiceName": "httpd",
- "transportProtocol": "TCP"
- },
- "name": "Web request",
- "severity": "low",
- "version": "0"
- },
- "data_stream": {
- "dataset": "cef.log",
- "namespace": "ep",
- "type": "logs"
- },
- "destination": {
- "ip": "192.168.10.1",
- "port": 443
- },
- "ecs": {
- "version": "8.3.0"
- },
- "elastic_agent": {
- "id": "69f5d3be-c31a-4be6-adb6-cb3ed3e50817",
- "snapshot": false,
- "version": "8.2.0"
- },
- "event": {
- "agent_id_status": "verified",
- "code": "18",
- "dataset": "cef.log",
- "id": "3457",
- "ingested": "2022-06-03T01:39:48Z",
- "severity": 0
- },
- "http": {
- "request": {
- "method": "POST",
- "referrer": "https://www.google.com"
- }
- },
- "input": {
- "type": "udp"
- },
- "log": {
- "source": {
- "address": "192.168.112.4:35889"
- }
- },
- "message": "Web request",
- "network": {
- "community_id": "1:UgazGyZMuRDtuImGjF+6GveZFw0=",
- "transport": "tcp"
- },
- "observer": {
- "product": "Vaporware",
- "vendor": "Elastic",
- "version": "1.0.0-alpha"
- },
- "related": {
- "ip": [
- "192.168.10.1",
- "89.160.20.156"
- ]
- },
- "source": {
- "as": {
- "number": 29518,
- "organization": {
- "name": "Bredband2 AB"
- }
- },
- "geo": {
- "city_name": "Linköping",
- "continent_name": "Europe",
- "country_iso_code": "SE",
- "country_name": "Sweden",
- "location": {
- "lat": 58.4167,
- "lon": 15.6167
- },
- "region_iso_code": "SE-E",
- "region_name": "Östergötland County"
- },
- "ip": "89.160.20.156",
- "port": 33876,
- "service": {
- "name": "httpd"
- }
- },
- "tags": [
- "cef",
- "forwarded"
- ],
- "url": {
- "original": "https://www.example.com/cart"
- }
-}
-```
-
-**Exported fields**
-
-| Field | Description | Type |
-|---|---|---|
-| @timestamp | Event timestamp. | date |
-| cef.device.event_class_id | Unique identifier of the event type. | keyword |
-| cef.device.product | Product of the device that produced the message. | keyword |
-| cef.device.vendor | Vendor of the device that produced the message. | keyword |
-| cef.device.version | Version of the product that produced the message. | keyword |
-| cef.extensions.TrendMicroDsDetectionConfidence | | keyword |
-| cef.extensions.TrendMicroDsFileMD5 | | keyword |
-| cef.extensions.TrendMicroDsFileSHA1 | | keyword |
-| cef.extensions.TrendMicroDsFileSHA256 | | keyword |
-| cef.extensions.TrendMicroDsFrameType | | keyword |
-| cef.extensions.TrendMicroDsMalwareTarget | | keyword |
-| cef.extensions.TrendMicroDsMalwareTargetType | | keyword |
-| cef.extensions.TrendMicroDsPacketData | | keyword |
-| cef.extensions.TrendMicroDsRelevantDetectionNames | | keyword |
-| cef.extensions.TrendMicroDsTenant | | keyword |
-| cef.extensions.TrendMicroDsTenantId | | keyword |
-| cef.extensions.ad | | flattened |
-| cef.extensions.agentAddress | The IP address of the ArcSight connector that processed the event. | ip |
-| cef.extensions.agentHostName | The hostname of the ArcSight connector that processed the event. | keyword |
-| cef.extensions.agentId | The agent ID of the ArcSight connector that processed the event. | keyword |
-| cef.extensions.agentMacAddress | The MAC address of the ArcSight connector that processed the event. | keyword |
-| cef.extensions.agentReceiptTime | The time at which information about the event was received by the ArcSight connector. | date |
-| cef.extensions.agentTimeZone | The agent time zone of the ArcSight connector that processed the event. | keyword |
-| cef.extensions.agentType | The agent type of the ArcSight connector that processed the event. | keyword |
-| cef.extensions.agentVersion | The version of the ArcSight connector that processed the event. | keyword |
-| cef.extensions.agentZoneURI | | keyword |
-| cef.extensions.aggregationType | | keyword |
-| cef.extensions.applicationProtocol | Application level protocol, example values are HTTP, HTTPS, SSHv2, Telnet, POP, IMPA, IMAPS, and so on. | keyword |
-| cef.extensions.assetCriticality | | keyword |
-| cef.extensions.baseEventCount | A count associated with this event. How many times was this same event observed? Count can be omitted if it is 1. | keyword |
-| cef.extensions.bytesIn | Number of bytes transferred inbound, relative to the source to destination relationship, meaning that data was flowing from source to destination. | long |
-| cef.extensions.bytesOut | Number of bytes transferred outbound relative to the source to destination relationship. For example, the byte number of data flowing from the destination to the source. | long |
-| cef.extensions.categoryBehavior | Action or a behavior associated with an event. It's what is being done to the object (ArcSight). | keyword |
-| cef.extensions.categoryDeviceGroup | General device group like Firewall (ArcSight). | keyword |
-| cef.extensions.categoryDeviceType | Device type. Examples - Proxy, IDS, Web Server (ArcSight). | keyword |
-| cef.extensions.categoryObject | Object that the event is about. For example it can be an operating sytem, database, file, etc (ArcSight). | keyword |
-| cef.extensions.categoryOutcome | Outcome of the event (e.g. sucess, failure, or attempt) (ArcSight). | keyword |
-| cef.extensions.categorySignificance | Characterization of the importance of the event (ArcSight). | keyword |
-| cef.extensions.categoryTechnique | Technique being used (e.g. /DoS) (ArcSight). | keyword |
-| cef.extensions.cp_app_risk | | keyword |
-| cef.extensions.cp_severity | | keyword |
-| cef.extensions.destinationAddress | Identifies the destination address that the event refers to in an IP network. The format is an IPv4 address. | ip |
-| cef.extensions.destinationHostName | Identifies the destination that an event refers to in an IP network. The format should be a fully qualified domain name (FQDN) associated with the destination node, when a node is available. | keyword |
-| cef.extensions.destinationMacAddress | Six colon-separated hexadecimal numbers. | keyword |
-| cef.extensions.destinationNtDomain | Outcome of the event (e.g. sucess, failure, or attempt) (ArcSight). | keyword |
-| cef.extensions.destinationPort | The valid port numbers are between 0 and 65535. | long |
-| cef.extensions.destinationServiceName | The service targeted by this event. | keyword |
-| cef.extensions.destinationTranslatedAddress | Identifies the translated destination that the event refers to in an IP network. | ip |
-| cef.extensions.destinationTranslatedPort | Port after it was translated; for example, a firewall. Valid port numbers are 0 to 65535. | long |
-| cef.extensions.destinationUserName | Identifies the destination user by name. This is the user associated with the event's destination. Email addresses are often mapped into the UserName fields. The recipient is a candidate to put into this field. | keyword |
-| cef.extensions.destinationUserPrivileges | The typical values are "Administrator", "User", and "Guest". This identifies the destination user's privileges. In UNIX, for example, activity executed on the root user would be identified with destinationUser Privileges of "Administrator".
| keyword | -| cef.extensions.deviceAction | Action taken by the device. | keyword | -| cef.extensions.deviceAddress | Identifies the device address that an event refers to in an IP network. | ip | -| cef.extensions.deviceAssetId | | keyword | -| cef.extensions.deviceCustomDate2 | One of two timestamp fields available to map fields that do not apply to any other in this dictionary. | keyword | -| cef.extensions.deviceCustomDate2Label | All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. | keyword | -| cef.extensions.deviceCustomIPv6Address1 | One of four IPv6 address fields available to map fields that do not apply to any other in this dictionary. | ip | -| cef.extensions.deviceCustomIPv6Address1Label | All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. | keyword | -| cef.extensions.deviceCustomIPv6Address2 | One of four IPv6 address fields available to map fields that do not apply to any other in this dictionary. | ip | -| cef.extensions.deviceCustomIPv6Address2Label | All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. | keyword | -| cef.extensions.deviceCustomIPv6Address3 | One of four IPv6 address fields available to map fields that do not apply to any other in this dictionary. | ip | -| cef.extensions.deviceCustomIPv6Address3Label | All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. | keyword | -| cef.extensions.deviceCustomIPv6Address4 | One of four IPv6 address fields available to map fields that do not apply to any other in this dictionary. | ip | -| cef.extensions.deviceCustomIPv6Address4Label | All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. 
| keyword | -| cef.extensions.deviceCustomNumber1 | One of three number fields available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible. | long | -| cef.extensions.deviceCustomNumber1Label | All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. | keyword | -| cef.extensions.deviceCustomNumber2 | One of three number fields available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible. | long | -| cef.extensions.deviceCustomNumber2Label | All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. | keyword | -| cef.extensions.deviceCustomNumber3 | One of three number fields available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible. | long | -| cef.extensions.deviceCustomNumber3Label | All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. | keyword | -| cef.extensions.deviceCustomString1 | One of six strings available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible. | keyword | -| cef.extensions.deviceCustomString1Label | All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. | keyword | -| cef.extensions.deviceCustomString2 | One of six strings available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible. 
| keyword | -| cef.extensions.deviceCustomString2Label | All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. | keyword | -| cef.extensions.deviceCustomString3 | One of six strings available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible. | keyword | -| cef.extensions.deviceCustomString3Label | All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. | keyword | -| cef.extensions.deviceCustomString4 | One of six strings available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible. | keyword | -| cef.extensions.deviceCustomString4Label | All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. | keyword | -| cef.extensions.deviceCustomString5 | One of six strings available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible. | keyword | -| cef.extensions.deviceCustomString5Label | All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. | keyword | -| cef.extensions.deviceCustomString6 | One of six strings available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible. | keyword | -| cef.extensions.deviceCustomString6Label | All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. | keyword | -| cef.extensions.deviceDirection | Any information about what direction the observed communication has taken. 
The following values are supported - "0" for inbound or "1" for outbound. | long | -| cef.extensions.deviceEventCategory | Represents the category assigned by the originating device. Devices often use their own categorization schema to classify event. Example "/Monitor/Disk/Read". | keyword | -| cef.extensions.deviceExternalId | A name that uniquely identifies the device generating this event. | keyword | -| cef.extensions.deviceFacility | The facility generating this event. For example, Syslog has an explicit facility associated with every event. | keyword | -| cef.extensions.deviceHostName | The format should be a fully qualified domain name (FQDN) associated with the device node, when a node is available. | keyword | -| cef.extensions.deviceInboundInterface | Interface on which the packet or data entered the device. | keyword | -| cef.extensions.deviceOutboundInterface | Interface on which the packet or data left the device. | keyword | -| cef.extensions.deviceProcessName | Process name associated with the event. An example might be the process generating the syslog entry in UNIX. | keyword | -| cef.extensions.deviceReceiptTime | The time at which the event related to the activity was received. The format is MMM dd yyyy HH:mm:ss or milliseconds since epoch (Jan 1st 1970) | keyword | -| cef.extensions.deviceSeverity | | keyword | -| cef.extensions.deviceTimeZone | The time zone for the device generating the event. | keyword | -| cef.extensions.deviceZoneID | | keyword | -| cef.extensions.deviceZoneURI | Thee URI for the Zone that the device asset has been assigned to in ArcSight. | keyword | -| cef.extensions.dvc | This field is used by Trend Micro if the hostname is an IPv4 address. | ip | -| cef.extensions.dvchost | This field is used by Trend Micro for hostnames and IPv6 addresses. 
| keyword | -| cef.extensions.eventAnnotationAuditTrail | | keyword | -| cef.extensions.eventAnnotationEndTime | | date | -| cef.extensions.eventAnnotationFlags | | keyword | -| cef.extensions.eventAnnotationManagerReceiptTime | | date | -| cef.extensions.eventAnnotationModificationTime | | date | -| cef.extensions.eventAnnotationStageUpdateTime | | date | -| cef.extensions.eventAnnotationVersion | | keyword | -| cef.extensions.eventId | This is a unique ID that ArcSight assigns to each event. | long | -| cef.extensions.fileHash | Hash of a file. | keyword | -| cef.extensions.filePath | Full path to the file, including file name itself. | keyword | -| cef.extensions.fileSize | Size of the file. | long | -| cef.extensions.fileType | Type of file (pipe, socket, etc.) | keyword | -| cef.extensions.filename | Name of the file only (without its path). | keyword | -| cef.extensions.ifname | | keyword | -| cef.extensions.inzone | | keyword | -| cef.extensions.layer_name | | keyword | -| cef.extensions.layer_uuid | | keyword | -| cef.extensions.locality | | keyword | -| cef.extensions.logid | | keyword | -| cef.extensions.loguid | | keyword | -| cef.extensions.managerReceiptTime | When the Arcsight ESM received the event. | date | -| cef.extensions.match_id | | keyword | -| cef.extensions.message | An arbitrary message giving more details about the event. Multi-line entries can be produced by using \n as the new line separator. | keyword | -| cef.extensions.method | HTTP request method. The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field. | keyword | -| cef.extensions.modelConfidence | | keyword | -| cef.extensions.nat_addtnl_rulenum | | keyword | -| cef.extensions.nat_rulenum | | keyword | -| cef.extensions.oldFileHash | Hash of the old file. 
| keyword | -| cef.extensions.origin | | keyword | -| cef.extensions.originalAgentAddress | | keyword | -| cef.extensions.originalAgentHostName | | keyword | -| cef.extensions.originalAgentId | | keyword | -| cef.extensions.originalAgentType | | keyword | -| cef.extensions.originalAgentVersion | | keyword | -| cef.extensions.originalAgentZoneURI | | keyword | -| cef.extensions.originsicname | | keyword | -| cef.extensions.outzone | | keyword | -| cef.extensions.parent_rule | | keyword | -| cef.extensions.priority | | keyword | -| cef.extensions.product | | keyword | -| cef.extensions.relevance | | keyword | -| cef.extensions.repeatCount | | keyword | -| cef.extensions.requestContext | Description of the content from which the request originated (for example, HTTP Referrer). | keyword | -| cef.extensions.requestMethod | The HTTP method used to access a URL. | keyword | -| cef.extensions.requestUrl | In the case of an HTTP request, this field contains the URL accessed. The URL should contain the protocol as well. | keyword | -| cef.extensions.requestUrlFileName | | keyword | -| cef.extensions.rule_action | | keyword | -| cef.extensions.rule_uid | | keyword | -| cef.extensions.sequencenum | | keyword | -| cef.extensions.service_id | | keyword | -| cef.extensions.severity | | keyword | -| cef.extensions.sourceAddress | Identifies the source that an event refers to in an IP network. | ip | -| cef.extensions.sourceGeoLatitude | | long | -| cef.extensions.sourceGeoLongitude | | long | -| cef.extensions.sourceHostName | Identifies the source that an event refers to in an IP network. The format should be a fully qualified domain name (FQDN) associated with the source node, when a mode is available. | keyword | -| cef.extensions.sourceMacAddress | Six colon-separated hexadecimal numbers. | keyword | -| cef.extensions.sourceNtDomain | The Windows domain name for the source address. | keyword | -| cef.extensions.sourcePort | The valid port numbers are 0 to 65535. 
| long | -| cef.extensions.sourceServiceName | The service that is responsible for generating this event. | keyword | -| cef.extensions.sourceTranslatedAddress | Identifies the translated source that the event refers to in an IP network. | ip | -| cef.extensions.sourceTranslatedPort | A port number after being translated by, for example, a firewall. Valid port numbers are 0 to 65535. | long | -| cef.extensions.sourceTranslatedZoneID | | keyword | -| cef.extensions.sourceTranslatedZoneURI | The URI for the Translated Zone that the destination asset has been assigned to in ArcSight. | keyword | -| cef.extensions.sourceUserId | Identifies the source user by ID. This is the user associated with the source of the event. For example, in UNIX, the root user is generally associated with user ID 0. | keyword | -| cef.extensions.sourceUserName | Identifies the source user by name. Email addresses are also mapped into the UserName fields. The sender is a candidate to put into this field. | keyword | -| cef.extensions.sourceUserPrivileges | The typical values are "Administrator", "User", and "Guest". It identifies the source user's privileges. In UNIX, for example, activity executed by the root user would be identified with "Administrator". | keyword | -| cef.extensions.sourceZoneID | Identifies the source user by ID. This is the user associated with the source of the event. For example, in UNIX, the root user is generally associated with user ID 0. | keyword | -| cef.extensions.sourceZoneURI | The URI for the Zone that the source asset has been assigned to in ArcSight. | keyword | -| cef.extensions.startTime | The time when the activity the event referred to started. The format is MMM dd yyyy HH:mm:ss or milliseconds since epoch (Jan 1st 1970). | date | -| cef.extensions.target | | keyword | -| cef.extensions.transportProtocol | Identifies the Layer-4 protocol used. The possible values are protocols such as TCP or UDP. 
| keyword | -| cef.extensions.type | 0 means base event, 1 means aggregated, 2 means correlation, and 3 means action. This field can be omitted for base events (type 0). | long | -| cef.extensions.version | | keyword | -| cef.forcepoint.virus_id | Virus ID | keyword | -| cef.name | | keyword | -| cef.severity | | keyword | -| cef.version | | keyword | -| checkpoint.app_risk | Application risk. | keyword | -| checkpoint.app_severity | Application threat severity. | keyword | -| checkpoint.app_sig_id | The signature ID which the application was detected by. | keyword | -| checkpoint.auth_method | Password authentication protocol used. | keyword | -| checkpoint.category | Category. | keyword | -| checkpoint.confidence_level | Confidence level determined. | integer | -| checkpoint.connectivity_state | Connectivity state. | keyword | -| checkpoint.cookie | IKE cookie. | keyword | -| checkpoint.dst_phone_number | Destination IP-Phone. | keyword | -| checkpoint.email_control | Engine name. | keyword | -| checkpoint.email_id | Internal email ID. | keyword | -| checkpoint.email_recipients_num | Number of recipients. | long | -| checkpoint.email_session_id | Internal email session ID. | keyword | -| checkpoint.email_spool_id | Internal email spool ID. | keyword | -| checkpoint.email_subject | Email subject. | keyword | -| checkpoint.event_count | Number of events associated with the log. | long | -| checkpoint.frequency | Scan frequency. | keyword | -| checkpoint.icmp_code | ICMP code. | long | -| checkpoint.icmp_type | ICMP type. | long | -| checkpoint.identity_type | Identity type. | keyword | -| checkpoint.incident_extension | Format of original data. | keyword | -| checkpoint.integrity_av_invoke_type | Scan invoke type. | keyword | -| checkpoint.malware_family | Malware family. | keyword | -| checkpoint.peer_gateway | Main IP of the peer Security Gateway. | ip | -| checkpoint.performance_impact | Protection performance impact. 
| integer | -| checkpoint.protection_id | Protection malware ID. | keyword | -| checkpoint.protection_name | Specific signature name of the attack. | keyword | -| checkpoint.protection_type | Type of protection used to detect the attack. | keyword | -| checkpoint.scan_result | Scan result. | keyword | -| checkpoint.sensor_mode | Sensor mode. | keyword | -| checkpoint.severity | Threat severity. | keyword | -| checkpoint.spyware_name | Spyware name. | keyword | -| checkpoint.spyware_status | Spyware status. | keyword | -| checkpoint.subs_exp | The expiration date of the subscription. | date | -| checkpoint.tcp_flags | TCP packet flags. | keyword | -| checkpoint.termination_reason | Termination reason. | keyword | -| checkpoint.update_status | Update status. | keyword | -| checkpoint.user_status | User response. | keyword | -| checkpoint.uuid | External ID. | keyword | -| checkpoint.virus_name | Virus name. | keyword | -| checkpoint.voip_log_type | VoIP log types. | keyword | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. 
| object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| destination.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| destination.as.organization.name | Organization name. | keyword | -| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. | match_only_text | -| destination.bytes | Bytes sent from the destination to the source. | long | -| destination.domain | The domain name of the destination system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | -| destination.geo.city_name | City name. | keyword | -| destination.geo.continent_name | Name of the continent. | keyword | -| destination.geo.country_iso_code | Country ISO code. | keyword | -| destination.geo.country_name | Country name. | keyword | -| destination.geo.location | Longitude and latitude. | geo_point | -| destination.geo.region_iso_code | Region ISO code. | keyword | -| destination.geo.region_name | Region name. | keyword | -| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | -| destination.mac | MAC address of the destination. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | -| destination.nat.ip | Translated ip of destination based NAT sessions (e.g. internet to private DMZ) Typically used with load balancers, firewalls, or routers. 
| ip | -| destination.nat.port | Port the source session is translated to by NAT Device. Typically used with load balancers, firewalls, or routers. | long | -| destination.port | Port of the destination. | long | -| destination.service.name | | keyword | -| destination.user.group.id | Unique identifier for the group on the system/platform. | keyword | -| destination.user.group.name | Name of the group. | keyword | -| destination.user.id | Unique identifier of the user. | keyword | -| destination.user.name | Short name or login of the user. | keyword | -| destination.user.name.text | Multi-field of `destination.user.name`. | match_only_text | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| email.from.address | The email address of the sender, typically from the RFC 5322 `From:` header field. | keyword | -| email.subject | A brief summary of the topic of the message. | keyword | -| email.subject.text | Multi-field of `email.subject`. | match_only_text | -| email.to.address | The email address of recipient | keyword | -| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. 
This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.code | Identification code for this event, if one exists. Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. | keyword | -| event.dataset | Event dataset | constant_keyword | -| event.duration | Duration of the event in nanoseconds. If event.start and event.end are known this value should be the difference between the end and start time. | long | -| event.id | Unique ID to describe the event. | keyword | -| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | -| event.module | Event module | constant_keyword | -| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. 
It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | -| event.risk_score | Risk score or priority of the event (e.g. security solutions). Use your system's original value here. | float | -| event.severity | The numeric severity of the event according to your event source. What the different severity values mean can be different between sources and use cases. It's up to the implementer to make sure severities are consistent across events from the same source. The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`. | long | -| file.group | Primary group name of the file. | keyword | -| file.hash.md5 | MD5 hash. | keyword | -| file.hash.sha1 | SHA1 hash. | keyword | -| file.inode | Inode representing the file in the filesystem. | keyword | -| file.name | Name of the file including the extension, without the directory. | keyword | -| file.path | Full path to the file, including the file name. It should include the drive letter, when appropriate. | keyword | -| file.path.text | Multi-field of `file.path`. | match_only_text | -| file.size | File size in bytes. Only relevant when `file.type` is "file". | long | -| file.type | File type (file, dir, or symlink). | keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. 
It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| http.request.method | HTTP request method. The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field. | keyword | -| http.request.referrer | Referrer for this HTTP request. | keyword | -| input.type | Input type | keyword | -| log.file.path | Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. 
| keyword | -| log.offset | Log offset | long | -| log.source.address | Source address from which the log event was read / sent from. | keyword | -| log.syslog.priority | Syslog numeric priority of the event, if available. According to RFCs 5424 and 3164, the priority is 8 \* facility + severity. This number is therefore expected to contain a value between 0 and 191. | long | -| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | -| network.application | When a specific application or service is identified from network connection details (source/dest IPs, ports, certificates, or wire format), this field captures the application's or service's name. For example, the original event identifies the network connection being from a specific web service in a `https` network connection, like `facebook` or `twitter`. The field value must be normalized to lowercase for querying. | keyword | -| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword | -| network.direction | Direction of the network traffic. When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. 
Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword | -| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword | -| observer.egress.zone | Network zone of outbound traffic as reported by the observer to categorize the destination area of egress traffic, e.g. Internal, External, DMZ, HR, Legal, etc. | keyword | -| observer.hostname | Hostname of the observer. | keyword | -| observer.ingress.interface.name | Interface name as reported by the system. | keyword | -| observer.ingress.zone | Network zone of incoming traffic as reported by the observer to categorize the source area of ingress traffic. e.g. internal, External, DMZ, HR, Legal, etc. | keyword | -| observer.ip | IP addresses of the observer. | ip | -| observer.product | The product name of the observer. | keyword | -| observer.type | The type of the observer the data is coming from. There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. | keyword | -| observer.vendor | Vendor name of the observer. | keyword | -| observer.version | Observer version. | keyword | -| process.name | Process name. Sometimes called program name or similar. | keyword | -| process.name.text | Multi-field of `process.name`. | match_only_text | -| related.hash | All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). | keyword | -| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. 
| keyword | -| related.ip | All of the IPs seen on your event. | ip | -| related.user | All the user names or other user identifiers seen on the event. | keyword | -| rule.category | A categorization value keyword used by the entity using the rule for detection of this event. | keyword | -| rule.id | A rule ID that is unique within the scope of an agent, observer, or other entity using the rule for detection of this event. | keyword | -| rule.uuid | A rule ID that is unique within the scope of a set or group of agents, observers, or other entities using the rule for detection of this event. | keyword | -| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| source.as.organization.name | Organization name. | keyword | -| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text | -| source.bytes | Bytes sent from the source to the destination. | long | -| source.domain | The domain name of the source system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | -| source.geo.city_name | City name. | keyword | -| source.geo.continent_name | Name of the continent. | keyword | -| source.geo.country_iso_code | Country ISO code. | keyword | -| source.geo.country_name | Country name. | keyword | -| source.geo.location | Longitude and latitude. | geo_point | -| source.geo.region_iso_code | Region ISO code. | keyword | -| source.geo.region_name | Region name. | keyword | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| source.mac | MAC address of the source. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. 
Successive octets are separated by a hyphen. | keyword | -| source.nat.ip | Translated ip of source based NAT sessions (e.g. internal client to internet) Typically connections traversing load balancers, firewalls, or routers. | ip | -| source.nat.port | Translated port of source based NAT sessions. (e.g. internal client to internet) Typically used with load balancers, firewalls, or routers. | long | -| source.port | Port of the source. | long | -| source.service.name | | keyword | -| source.user.group.id | Unique identifier for the group on the system/platform. | keyword | -| source.user.group.name | Name of the group. | keyword | -| source.user.id | Unique identifier of the user. | keyword | -| source.user.name | Short name or login of the user. | keyword | -| source.user.name.text | Multi-field of `source.user.name`. | match_only_text | -| tags | List of keywords used to tag each event. | keyword | -| url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | wildcard | -| url.original.text | Multi-field of `url.original`. | match_only_text | -| user_agent.original | Unparsed user_agent string. | keyword | -| user_agent.original.text | Multi-field of `user_agent.original`. | match_only_text | - diff --git a/packages/cef/2.3.2/kibana/dashboard/cef-04749697-de8d-49b3-8eca-c873ab2c5ac9.json b/packages/cef/2.3.2/kibana/dashboard/cef-04749697-de8d-49b3-8eca-c873ab2c5ac9.json deleted file mode 100755 index 13b12cde8e..0000000000 --- a/packages/cef/2.3.2/kibana/dashboard/cef-04749697-de8d-49b3-8eca-c873ab2c5ac9.json +++ /dev/null 
@@ -1,84 +0,0 @@ -{ - "attributes": { - "description": "Suspicious network activity overview", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:cef.log\"},\"version\":true}" - }, - "optionsJSON": "{\"darkTheme\":false}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"colors\":{\"Destination Addresses\":\"#E0752D\",\"Destination Ports\":\"#E24D42\"},\"legendOpen\":false}},\"gridData\":{\"h\":12,\"i\":\"1\",\"w\":48,\"x\":0,\"y\":28},\"panelIndex\":\"1\",\"panelRefName\":\"panel_1\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"h\":12,\"i\":\"2\",\"w\":16,\"x\":0,\"y\":40},\"panelIndex\":\"2\",\"panelRefName\":\"panel_2\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"h\":12,\"i\":\"3\",\"w\":16,\"x\":16,\"y\":40},\"panelIndex\":\"3\",\"panelRefName\":\"panel_3\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"5\",\"w\":48,\"x\":0,\"y\":20},\"panelIndex\":\"5\",\"panelRefName\":\"panel_5\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"11\",\"w\":48,\"x\":0,\"y\":12},\"panelIndex\":\"11\",\"panelRefName\":\"panel_11\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":16,\"i\":\"12\",\"w\":24,\"x\":0,\"y\":52},\"panelIndex\":\"12\",\"panelRefName\":\"panel_12\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":16,\"i\":\"13\",\"w\":24,\"x\":24,\"y\":52},\"panelIndex\":\"13\",\"panel
RefName\":\"panel_13\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":12,\"i\":\"14\",\"w\":16,\"x\":32,\"y\":40},\"panelIndex\":\"14\",\"panelRefName\":\"panel_14\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":4,\"i\":\"15\",\"w\":48,\"x\":0,\"y\":0},\"panelIndex\":\"15\",\"panelRefName\":\"panel_15\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}},\"gridData\":{\"h\":8,\"i\":\"16\",\"w\":40,\"x\":0,\"y\":4},\"panelIndex\":\"16\",\"panelRefName\":\"panel_16\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"defaultColors\":{\"0 - 50\":\"rgb(255,255,204)\",\"100 - 200\":\"rgb(253,141,60)\",\"200 - 300\":\"rgb(227,27,28)\",\"300 - 400\":\"rgb(128,0,38)\",\"50 - 100\":\"rgb(254,217,118)\"}}},\"gridData\":{\"h\":8,\"i\":\"17\",\"w\":8,\"x\":40,\"y\":4},\"panelIndex\":\"17\",\"panelRefName\":\"panel_17\",\"type\":\"visualization\",\"version\":\"7.3.0\"}]", - "refreshInterval": { - "display": "Off", - "pause": false, - "value": 0 - }, - "timeFrom": "now-24h", - "timeRestore": true, - "timeTo": "now", - "title": "[Logs CEF] Network Suspicious Activity Dashboard", - "version": 1 - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-04749697-de8d-49b3-8eca-c873ab2c5ac9", - "migrationVersion": { - "dashboard": "8.0.0" - }, - "references": [ - { - "id": "cef-270139ff-fc2f-4fca-b241-93a8f57cdcdf", - "name": "1:panel_1", - "type": "visualization" - }, - { - "id": "cef-07a4a351-d282-44a1-85b0-bc7e846f8471", - "name": "2:panel_2", - "type": "visualization" - }, - { - "id": "cef-b7227081-e125-49cb-a580-1be363f06be0", - "name": "3:panel_3", - "type": "visualization" - }, - { - "id": "cef-1c869759-1d3e-4898-b9c7-d2604ed38655", - "name": "5:panel_5", - "type": "visualization" - }, - { - "id": 
"cef-8f38607c-eb10-410e-aec5-15d8b474211e", - "name": "11:panel_11", - "type": "visualization" - }, - { - "id": "cef-655beadd-2678-4495-8793-72b5780f6283", - "name": "12:panel_12", - "type": "visualization" - }, - { - "id": "cef-769e3f37-2b08-4edb-9013-09140a520e69", - "name": "13:panel_13", - "type": "visualization" - }, - { - "id": "cef-cbde6788-7371-4712-b2e0-3eb07e0841f4", - "name": "14:panel_14", - "type": "visualization" - }, - { - "id": "cef-0959df23-10c9-47fd-bebd-c382007b3584", - "name": "15:panel_15", - "type": "visualization" - }, - { - "id": "cef-d7d7bd9e-c767-428c-b7de-d09f9d87f652", - "name": "16:panel_16", - "type": "visualization" - }, - { - "id": "cef-62b06e9a-b8d2-4dfe-8dc6-4378331520aa", - "name": "17:panel_17", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/cef/2.3.2/kibana/dashboard/cef-4f045e14-8e20-47ed-a6d1-219dd3c8ed5c.json b/packages/cef/2.3.2/kibana/dashboard/cef-4f045e14-8e20-47ed-a6d1-219dd3c8ed5c.json deleted file mode 100755 index e75f167514..0000000000 --- a/packages/cef/2.3.2/kibana/dashboard/cef-4f045e14-8e20-47ed-a6d1-219dd3c8ed5c.json +++ /dev/null 
@@ -1,103 +0,0 @@ -{ - "attributes": { - "description": "Network data overview", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:cef.log\"},\"version\":true}" - }, - "optionsJSON": "{\"darkTheme\":false}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"1\",\"w\":48,\"x\":0,\"y\":32},\"panelIndex\":\"1\",\"panelRefName\":\"panel_1\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"2\",\"w\":48,\"x\":0,\"y\":56},\"panelIndex\":\"2\",\"panelRefName\":\"panel_2\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"5\",\"w\":48,\"x\":0,\"y\":12},\"panelIndex\":\"5\",\"panelRefName\":\"panel_5\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"6\",\"w\":48,\"x\":0,\"y\":48},\"panelIndex\":\"6\",\"panelRefName\":\"panel_6\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"defaultColors\":{\"0 - 
100\":\"rgb(0,104,55)\"},\"legendOpen\":false}},\"gridData\":{\"h\":8,\"i\":\"7\",\"w\":40,\"x\":0,\"y\":4},\"panelIndex\":\"7\",\"panelRefName\":\"panel_7\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"colors\":{\"failure\":\"#BF1B00\",\"success\":\"#629E51\",\"unknown\":\"#0A50A1\"}}},\"gridData\":{\"h\":12,\"i\":\"11\",\"w\":16,\"x\":16,\"y\":20},\"panelIndex\":\"11\",\"panelRefName\":\"panel_11\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"h\":12,\"i\":\"13\",\"w\":16,\"x\":0,\"y\":20},\"panelIndex\":\"13\",\"panelRefName\":\"panel_13\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"defaultColors\":{\"0% - 17%\":\"rgb(255,255,204)\",\"17% - 34%\":\"rgb(255,230,146)\",\"34% - 50%\":\"rgb(254,191,90)\",\"50% - 67%\":\"rgb(253,141,60)\",\"67% - 84%\":\"rgb(244,61,37)\",\"84% - 
100%\":\"rgb(202,8,35)\"},\"legendOpen\":false}},\"gridData\":{\"h\":12,\"i\":\"15\",\"w\":16,\"x\":32,\"y\":20},\"panelIndex\":\"15\",\"panelRefName\":\"panel_15\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"17\",\"w\":48,\"x\":0,\"y\":40},\"panelIndex\":\"17\",\"panelRefName\":\"panel_17\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"h\":16,\"i\":\"18\",\"w\":24,\"x\":0,\"y\":64},\"panelIndex\":\"18\",\"panelRefName\":\"panel_18\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":16,\"i\":\"19\",\"w\":24,\"x\":24,\"y\":64},\"panelIndex\":\"19\",\"panelRefName\":\"panel_19\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"20\",\"w\":8,\"x\":40,\"y\":4},\"panelIndex\":\"20\",\"panelRefName\":\"panel_20\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":4,\"i\":\"21\",\"w\":48,\"x\":0,\"y\":0},\"panelIndex\":\"21\",\"panelRefName\":\"panel_21\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"attributes\":{\"description\":\"\",\"layerListJSON\":\"[{\\\"sourceDescriptor\\\":{\\\"type\\\":\\\"EMS_TMS\\\",\\\"isAutoSelect\\\":true,\\\"lightModeDefault\\\":\\\"road_map_desaturated\\\"},\\\"id\\\":\\\"c6a1fd07-de0f-444b-8814-902cbf2d019a\\\",\\\"label\\\":null,\\\"minZoom\\\":0,\\\"maxZoom\\\":24,\\\"alpha\\\":1,\\\"visible\\\":true,\\\"style\\\":{\\\"type\\\":\\\"TILE\\\"},\\\"includeInFitToBounds\\\":true,\\\"type\\\":\\\"EMS_VECTOR_TILE\\\"},{\\\"alpha\\\":0.75,\\\"id\\\":\\\"c1643919-b9de-4588-826f-93710a159e2b\\\",\\\"includeInFitToBounds\\\":true,\\\"joins\\\":[],\\\"label\\\":\\\"Top Destination Locations by Events [Logs 
CEF]\\\",\\\"maxZoom\\\":24,\\\"minZoom\\\":0,\\\"sourceDescriptor\\\":{\\\"applyForceRefresh\\\":true,\\\"applyGlobalQuery\\\":true,\\\"applyGlobalTime\\\":true,\\\"geoField\\\":\\\"destination.geo.location\\\",\\\"id\\\":\\\"5183bb72-a077-4cf0-8aba-561a15b012cf\\\",\\\"metrics\\\":[{\\\"type\\\":\\\"count\\\"}],\\\"requestType\\\":\\\"point\\\",\\\"resolution\\\":\\\"MOST_FINE\\\",\\\"type\\\":\\\"ES_GEO_GRID\\\",\\\"indexPatternRefName\\\":\\\"layer_1_source_index_pattern\\\"},\\\"style\\\":{\\\"isTimeAware\\\":true,\\\"properties\\\":{\\\"fillColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"Yellow to Red\\\",\\\"colorCategory\\\":\\\"palette_0\\\",\\\"field\\\":{\\\"name\\\":\\\"doc_count\\\",\\\"origin\\\":\\\"source\\\"},\\\"fieldMetaOptions\\\":{\\\"isEnabled\\\":false,\\\"sigma\\\":3},\\\"type\\\":\\\"ORDINAL\\\"},\\\"type\\\":\\\"DYNAMIC\\\"},\\\"icon\\\":{\\\"options\\\":{\\\"value\\\":\\\"marker\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"iconOrientation\\\":{\\\"options\\\":{\\\"orientation\\\":0},\\\"type\\\":\\\"STATIC\\\"},\\\"iconSize\\\":{\\\"options\\\":{\\\"size\\\":6},\\\"type\\\":\\\"STATIC\\\"},\\\"labelBorderColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"#FFFFFF\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"labelBorderSize\\\":{\\\"options\\\":{\\\"size\\\":\\\"SMALL\\\"}},\\\"labelColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"#000000\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"labelSize\\\":{\\\"options\\\":{\\\"size\\\":14},\\\"type\\\":\\\"STATIC\\\"},\\\"labelText\\\":{\\\"options\\\":{\\\"value\\\":\\\"\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"lineColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"#3d3d3d\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"lineWidth\\\":{\\\"options\\\":{\\\"size\\\":1},\\\"type\\\":\\\"STATIC\\\"},\\\"symbolizeAs\\\":{\\\"options\\\":{\\\"value\\\":\\\"circle\\\"}}},\\\"type\\\":\\\"VECTOR\\\"},\\\"type\\\":\\\"GEOJSON_VECTOR\\\",\\\"visible\\\":true}]\",\"mapStateJSON\":\"{\\\"zoom\\\":1.78,\\\"center\\\":{\\\"lon\\\":0,\\\"lat\\\":16.40767},\\\"ti
meFilters\\\":{\\\"from\\\":\\\"now-24h\\\",\\\"to\\\":\\\"now\\\"},\\\"refreshConfig\\\":{\\\"isPaused\\\":true,\\\"interval\\\":0},\\\"query\\\":{\\\"query\\\":\\\"\\\",\\\"language\\\":\\\"kuery\\\"},\\\"filters\\\":[],\\\"settings\\\":{\\\"autoFitToDataBounds\\\":false,\\\"backgroundColor\\\":\\\"#ffffff\\\",\\\"disableInteractive\\\":false,\\\"disableTooltipControl\\\":false,\\\"hideToolbarOverlay\\\":false,\\\"hideLayerControl\\\":false,\\\"hideViewControl\\\":false,\\\"initialLocation\\\":\\\"LAST_SAVED_LOCATION\\\",\\\"fixedLocation\\\":{\\\"lat\\\":0,\\\"lon\\\":0,\\\"zoom\\\":2},\\\"browserLocation\\\":{\\\"zoom\\\":2},\\\"maxZoom\\\":24,\\\"minZoom\\\":0,\\\"showScaleControl\\\":false,\\\"showSpatialFilters\\\":true,\\\"showTimesliderToggleButton\\\":true,\\\"spatialFiltersAlpa\\\":0.3,\\\"spatialFiltersFillColor\\\":\\\"#DA8B45\\\",\\\"spatialFiltersLineColor\\\":\\\"#DA8B45\\\"}}\",\"references\":[],\"title\":\"Top Destination Locations by Events [Logs CEF]\",\"uiStateJSON\":\"{\\\"isLayerTOCOpen\\\":true,\\\"openTOCDetails\\\":[]}\"},\"enhancements\":{},\"hiddenLayers\":[],\"isLayerTOCOpen\":true,\"mapBuffer\":{\"maxLat\":66.51326,\"maxLon\":90,\"minLat\":-66.51326,\"minLon\":-90},\"mapCenter\":{\"lat\":16.40767,\"lon\":0,\"zoom\":1.78},\"openTOCDetails\":[]},\"gridData\":{\"h\":24,\"i\":\"49de47fb-1382-4009-89d2-b96a4161e12d\",\"w\":24,\"x\":0,\"y\":80},\"panelIndex\":\"49de47fb-1382-4009-89d2-b96a4161e12d\",\"type\":\"map\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"attributes\":{\"description\":\"\",\"layerListJSON\":\"[{\\\"sourceDescriptor\\\":{\\\"type\\\":\\\"EMS_TMS\\\",\\\"isAutoSelect\\\":true,\\\"lightModeDefault\\\":\\\"road_map_desaturated\\\"},\\\"id\\\":\\\"c2329af2-2183-45cb-9f40-d0f2e984c5b3\\\",\\\"label\\\":null,\\\"minZoom\\\":0,\\\"maxZoom\\\":24,\\\"alpha\\\":1,\\\"visible\\\":true,\\\"style\\\":{\\\"type\\\":\\\"TILE\\\"},\\\"includeInFitToBounds\\\":true,\\\"type\\\":\\\"EMS_VECTOR_TILE\\\"},{\\\"alpha\\\":0.75,\\\"id\\\":\
\\"1fc250c2-4990-401e-b709-61e1f4824005\\\",\\\"includeInFitToBounds\\\":true,\\\"joins\\\":[],\\\"label\\\":\\\"Top Source Locations by Events [Logs CEF]\\\",\\\"maxZoom\\\":24,\\\"minZoom\\\":0,\\\"sourceDescriptor\\\":{\\\"applyForceRefresh\\\":true,\\\"applyGlobalQuery\\\":true,\\\"applyGlobalTime\\\":true,\\\"geoField\\\":\\\"source.geo.location\\\",\\\"id\\\":\\\"e1eda4fd-94b9-4c31-9615-70334517a966\\\",\\\"metrics\\\":[{\\\"type\\\":\\\"count\\\"}],\\\"requestType\\\":\\\"point\\\",\\\"resolution\\\":\\\"MOST_FINE\\\",\\\"type\\\":\\\"ES_GEO_GRID\\\",\\\"indexPatternRefName\\\":\\\"layer_1_source_index_pattern\\\"},\\\"style\\\":{\\\"isTimeAware\\\":true,\\\"properties\\\":{\\\"fillColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"Yellow to Red\\\",\\\"colorCategory\\\":\\\"palette_0\\\",\\\"field\\\":{\\\"name\\\":\\\"doc_count\\\",\\\"origin\\\":\\\"source\\\"},\\\"fieldMetaOptions\\\":{\\\"isEnabled\\\":false,\\\"sigma\\\":3},\\\"type\\\":\\\"ORDINAL\\\"},\\\"type\\\":\\\"DYNAMIC\\\"},\\\"icon\\\":{\\\"options\\\":{\\\"value\\\":\\\"marker\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"iconOrientation\\\":{\\\"options\\\":{\\\"orientation\\\":0},\\\"type\\\":\\\"STATIC\\\"},\\\"iconSize\\\":{\\\"options\\\":{\\\"size\\\":6},\\\"type\\\":\\\"STATIC\\\"},\\\"labelBorderColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"#FFFFFF\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"labelBorderSize\\\":{\\\"options\\\":{\\\"size\\\":\\\"SMALL\\\"}},\\\"labelColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"#000000\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"labelSize\\\":{\\\"options\\\":{\\\"size\\\":14},\\\"type\\\":\\\"STATIC\\\"},\\\"labelText\\\":{\\\"options\\\":{\\\"value\\\":\\\"\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"lineColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"#3d3d3d\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"lineWidth\\\":{\\\"options\\\":{\\\"size\\\":1},\\\"type\\\":\\\"STATIC\\\"},\\\"symbolizeAs\\\":{\\\"options\\\":{\\\"value\\\":\\\"circle\\\"}}},\\\"type\\\":\\\"VECTOR\\\"},\\\"type\\\"
:\\\"GEOJSON_VECTOR\\\",\\\"visible\\\":true}]\",\"mapStateJSON\":\"{\\\"zoom\\\":1.78,\\\"center\\\":{\\\"lon\\\":0,\\\"lat\\\":16.40767},\\\"timeFilters\\\":{\\\"from\\\":\\\"now-24h\\\",\\\"to\\\":\\\"now\\\"},\\\"refreshConfig\\\":{\\\"isPaused\\\":true,\\\"interval\\\":0},\\\"query\\\":{\\\"query\\\":\\\"\\\",\\\"language\\\":\\\"kuery\\\"},\\\"filters\\\":[],\\\"settings\\\":{\\\"autoFitToDataBounds\\\":false,\\\"backgroundColor\\\":\\\"#ffffff\\\",\\\"disableInteractive\\\":false,\\\"disableTooltipControl\\\":false,\\\"hideToolbarOverlay\\\":false,\\\"hideLayerControl\\\":false,\\\"hideViewControl\\\":false,\\\"initialLocation\\\":\\\"LAST_SAVED_LOCATION\\\",\\\"fixedLocation\\\":{\\\"lat\\\":0,\\\"lon\\\":0,\\\"zoom\\\":2},\\\"browserLocation\\\":{\\\"zoom\\\":2},\\\"maxZoom\\\":24,\\\"minZoom\\\":0,\\\"showScaleControl\\\":false,\\\"showSpatialFilters\\\":true,\\\"showTimesliderToggleButton\\\":true,\\\"spatialFiltersAlpa\\\":0.3,\\\"spatialFiltersFillColor\\\":\\\"#DA8B45\\\",\\\"spatialFiltersLineColor\\\":\\\"#DA8B45\\\"}}\",\"references\":[],\"title\":\"Top Source Locations by Events [Logs CEF]\",\"uiStateJSON\":\"{\\\"isLayerTOCOpen\\\":true,\\\"openTOCDetails\\\":[]}\"},\"enhancements\":{},\"hiddenLayers\":[],\"isLayerTOCOpen\":true,\"mapBuffer\":{\"maxLat\":66.51326,\"maxLon\":90,\"minLat\":-66.51326,\"minLon\":-90},\"mapCenter\":{\"lat\":16.40767,\"lon\":0,\"zoom\":1.78},\"openTOCDetails\":[]},\"gridData\":{\"h\":24,\"i\":\"9d097034-9ebb-4f53-ad39-e42e625b541c\",\"w\":24,\"x\":24,\"y\":80},\"panelIndex\":\"9d097034-9ebb-4f53-ad39-e42e625b541c\",\"type\":\"map\",\"version\":\"8.0.0\"}]", - "refreshInterval": { - "pause": true, - "value": 0 - }, - "timeFrom": "now-24h", - "timeRestore": true, - "timeTo": "now", - "title": "[Logs CEF] Network Overview Dashboard", - "version": 1 - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-4f045e14-8e20-47ed-a6d1-219dd3c8ed5c", - "migrationVersion": { - "dashboard": "8.0.0" - }, - "references": [ - { - "id": 
"cef-38061262-edbe-4ccc-8c5c-d22c480b3c64", - "name": "1:panel_1", - "type": "visualization" - }, - { - "id": "cef-daa1fe0b-a698-4429-8e5d-db251502276c", - "name": "2:panel_2", - "type": "visualization" - }, - { - "id": "cef-efa710e7-907c-4723-92cd-2bd2276f44dd", - "name": "5:panel_5", - "type": "visualization" - }, - { - "id": "cef-d3ce586b-d372-4e03-9c19-b768b1b953f3", - "name": "6:panel_6", - "type": "visualization" - }, - { - "id": "cef-291cd92f-52c4-421b-b354-468318ba3e65", - "name": "7:panel_7", - "type": "visualization" - }, - { - "id": "cef-0a202432-3dbd-49c0-af57-623ffb90211d", - "name": "11:panel_11", - "type": "visualization" - }, - { - "id": "cef-85818e02-7a16-4afa-8278-99c4059ddd82", - "name": "13:panel_13", - "type": "visualization" - }, - { - "id": "cef-841a5d3f-c201-4499-a0fd-883247360640", - "name": "15:panel_15", - "type": "visualization" - }, - { - "id": "cef-baa6c9ee-dffe-4ea5-bedd-91962700f450", - "name": "17:panel_17", - "type": "visualization" - }, - { - "id": "cef-535a7bf8-a701-4016-86c0-038bc6d9d069", - "name": "18:panel_18", - "type": "visualization" - }, - { - "id": "cef-a5e56e2a-b807-4fd7-92c2-9da42134e0a9", - "name": "19:panel_19", - "type": "visualization" - }, - { - "id": "cef-62b06e9a-b8d2-4dfe-8dc6-4378331520aa", - "name": "20:panel_20", - "type": "visualization" - }, - { - "id": "cef-d42600fb-ea45-4dc9-a5d2-dd6a502fb76e", - "name": "21:panel_21", - "type": "visualization" - }, - { - "id": "logs-*", - "name": "49de47fb-1382-4009-89d2-b96a4161e12d:layer_1_source_index_pattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "9d097034-9ebb-4f53-ad39-e42e625b541c:layer_1_source_index_pattern", - "type": "index-pattern" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/cef/2.3.2/kibana/dashboard/cef-56428e01-0c47-4770-8ba4-9345a029ea41.json b/packages/cef/2.3.2/kibana/dashboard/cef-56428e01-0c47-4770-8ba4-9345a029ea41.json deleted file mode 100755 index c44bda0cc2..0000000000 
--- a/packages/cef/2.3.2/kibana/dashboard/cef-56428e01-0c47-4770-8ba4-9345a029ea41.json +++ /dev/null 
@@ -1,93 +0,0 @@ -{ - "attributes": { - "description": "Overview of Microsoft DNS activity via ArcSight", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:cef.log\"},\"version\":true}" - }, - "optionsJSON": "{\"darkTheme\":false}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"1\",\"w\":8,\"x\":40,\"y\":4},\"panelIndex\":\"1\",\"panelRefName\":\"panel_1\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}},\"gridData\":{\"h\":8,\"i\":\"3\",\"w\":40,\"x\":0,\"y\":4},\"panelIndex\":\"3\",\"panelRefName\":\"panel_3\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"defaultColors\":{\"0 - 18k\":\"rgb(247,251,255)\",\"108k - 126k\":\"rgb(74,152,201)\",\"126k - 144k\":\"rgb(46,126,188)\",\"144k - 162k\":\"rgb(23,100,171)\",\"162k - 180k\":\"rgb(8,74,145)\",\"18k - 36k\":\"rgb(227,238,249)\",\"36k - 54k\":\"rgb(208,225,242)\",\"54k - 72k\":\"rgb(182,212,233)\",\"72k - 90k\":\"rgb(148,196,223)\",\"90k - 
108k\":\"rgb(107,174,214)\"},\"legendOpen\":false}},\"gridData\":{\"h\":16,\"i\":\"5\",\"w\":24,\"x\":0,\"y\":32},\"panelIndex\":\"5\",\"panelRefName\":\"panel_5\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"6\",\"w\":48,\"x\":0,\"y\":48},\"panelIndex\":\"6\",\"panelRefName\":\"panel_6\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":16,\"i\":\"7\",\"w\":24,\"x\":24,\"y\":32},\"panelIndex\":\"7\",\"panelRefName\":\"panel_7\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"9\",\"w\":48,\"x\":0,\"y\":12},\"panelIndex\":\"9\",\"panelRefName\":\"panel_9\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"h\":16,\"i\":\"11\",\"w\":24,\"x\":24,\"y\":56},\"panelIndex\":\"11\",\"panelRefName\":\"panel_11\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":4,\"i\":\"12\",\"w\":48,\"x\":0,\"y\":0},\"panelIndex\":\"12\",\"panelRefName\":\"panel_12\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"h\":16,\"i\":\"13\",\"w\":24,\"x\":0,\"y\":56},\"panelIndex\":\"13\",\"panelRefName\":\"panel_13\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":12,\"i\":\"14\",\"w\":24,\"x\":0,\"y\":20},\"panelIndex\":\"14\",\"panelRefName\":\"panel_14\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":12,\"i\":\"15\",\"w\":24,\"x\":24,\"y\":20},\"panelIndex\":\"15\",\"panelRefName\":\"panel_15\",\"type\":\"visualization\"
,\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"attributes\":{\"description\":\"\",\"layerListJSON\":\"[{\\\"sourceDescriptor\\\":{\\\"type\\\":\\\"EMS_TMS\\\",\\\"isAutoSelect\\\":true,\\\"lightModeDefault\\\":\\\"road_map_desaturated\\\"},\\\"id\\\":\\\"56b3b288-a0f1-416d-9d40-96a37c8484fd\\\",\\\"label\\\":null,\\\"minZoom\\\":0,\\\"maxZoom\\\":24,\\\"alpha\\\":1,\\\"visible\\\":true,\\\"style\\\":{\\\"type\\\":\\\"TILE\\\"},\\\"includeInFitToBounds\\\":true,\\\"type\\\":\\\"VECTOR_TILE\\\"},{\\\"alpha\\\":0.75,\\\"id\\\":\\\"d50cbece-4556-4421-bb06-fb015bfe7baa\\\",\\\"includeInFitToBounds\\\":true,\\\"joins\\\":[],\\\"label\\\":\\\"Top Sources by Events [Logs CEF ArcSight]\\\",\\\"maxZoom\\\":24,\\\"minZoom\\\":0,\\\"sourceDescriptor\\\":{\\\"applyForceRefresh\\\":true,\\\"applyGlobalQuery\\\":true,\\\"applyGlobalTime\\\":true,\\\"geoField\\\":\\\"source.geo.location\\\",\\\"id\\\":\\\"555cbeac-b098-4946-9498-6b700e745e8a\\\",\\\"indexPatternId\\\":\\\"logs-*\\\",\\\"metrics\\\":[{\\\"type\\\":\\\"count\\\"}],\\\"requestType\\\":\\\"point\\\",\\\"resolution\\\":\\\"MOST_FINE\\\",\\\"type\\\":\\\"ES_GEO_GRID\\\"},\\\"style\\\":{\\\"isTimeAware\\\":true,\\\"properties\\\":{\\\"fillColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"Yellow to 
Red\\\",\\\"colorCategory\\\":\\\"palette_0\\\",\\\"field\\\":{\\\"name\\\":\\\"doc_count\\\",\\\"origin\\\":\\\"source\\\"},\\\"fieldMetaOptions\\\":{\\\"isEnabled\\\":false,\\\"sigma\\\":3},\\\"type\\\":\\\"ORDINAL\\\"},\\\"type\\\":\\\"DYNAMIC\\\"},\\\"icon\\\":{\\\"options\\\":{\\\"value\\\":\\\"marker\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"iconOrientation\\\":{\\\"options\\\":{\\\"orientation\\\":0},\\\"type\\\":\\\"STATIC\\\"},\\\"iconSize\\\":{\\\"options\\\":{\\\"size\\\":6},\\\"type\\\":\\\"STATIC\\\"},\\\"labelBorderColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"#FFFFFF\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"labelBorderSize\\\":{\\\"options\\\":{\\\"size\\\":\\\"SMALL\\\"}},\\\"labelColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"#000000\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"labelSize\\\":{\\\"options\\\":{\\\"size\\\":14},\\\"type\\\":\\\"STATIC\\\"},\\\"labelText\\\":{\\\"options\\\":{\\\"value\\\":\\\"\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"lineColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"#3d3d3d\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"lineWidth\\\":{\\\"options\\\":{\\\"size\\\":1},\\\"type\\\":\\\"STATIC\\\"},\\\"symbolizeAs\\\":{\\\"options\\\":{\\\"value\\\":\\\"circle\\\"}}},\\\"type\\\":\\\"VECTOR\\\"},\\\"type\\\":\\\"VECTOR\\\",\\\"visible\\\":true}]\",\"mapStateJSON\":\"{\\\"zoom\\\":1.78,\\\"center\\\":{\\\"lon\\\":0,\\\"lat\\\":16.40767},\\\"timeFilters\\\":{\\\"from\\\":\\\"now-24h\\\",\\\"to\\\":\\\"now\\\"},\\\"refreshConfig\\\":{\\\"isPaused\\\":true,\\\"interval\\\":0},\\\"query\\\":{\\\"query\\\":\\\"\\\",\\\"language\\\":\\\"kuery\\\"},\\\"filters\\\":[],\\\"settings\\\":{\\\"autoFitToDataBounds\\\":false,\\\"backgroundColor\\\":\\\"#ffffff\\\",\\\"disableInteractive\\\":false,\\\"disableTooltipControl\\\":false,\\\"hideToolbarOverlay\\\":false,\\\"hideLayerControl\\\":false,\\\"hideViewControl\\\":false,\\\"initialLocation\\\":\\\"LAST_SAVED_LOCATION\\\",\\\"fixedLocation\\\":{\\\"lat\\\":0,\\\"lon\\\":0,\\\"zoom\\\":2},\\\"browserLocation\\
\":{\\\"zoom\\\":2},\\\"maxZoom\\\":24,\\\"minZoom\\\":0,\\\"showScaleControl\\\":false,\\\"showSpatialFilters\\\":true,\\\"showTimesliderToggleButton\\\":true,\\\"spatialFiltersAlpa\\\":0.3,\\\"spatialFiltersFillColor\\\":\\\"#DA8B45\\\",\\\"spatialFiltersLineColor\\\":\\\"#DA8B45\\\"}}\",\"references\":[],\"title\":\"Top Sources by Events [Logs CEF ArcSight]\",\"uiStateJSON\":\"{\\\"isLayerTOCOpen\\\":true,\\\"openTOCDetails\\\":[]}\"},\"enhancements\":{},\"hiddenLayers\":[],\"isLayerTOCOpen\":true,\"mapBuffer\":{\"maxLat\":66.51326,\"maxLon\":90,\"minLat\":-66.51326,\"minLon\":-90},\"mapCenter\":{\"lat\":16.40767,\"lon\":0,\"zoom\":1.78},\"openTOCDetails\":[]},\"gridData\":{\"h\":12,\"i\":\"3cf2118b-5231-49f5-b685-0ff0e1f52c32\",\"w\":24,\"x\":0,\"y\":72},\"panelIndex\":\"3cf2118b-5231-49f5-b685-0ff0e1f52c32\",\"type\":\"map\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"attributes\":{\"description\":\"\",\"layerListJSON\":\"[{\\\"sourceDescriptor\\\":{\\\"type\\\":\\\"EMS_TMS\\\",\\\"isAutoSelect\\\":true,\\\"lightModeDefault\\\":\\\"road_map_desaturated\\\"},\\\"id\\\":\\\"5231e15c-d374-46ca-9553-3308d723ded3\\\",\\\"label\\\":null,\\\"minZoom\\\":0,\\\"maxZoom\\\":24,\\\"alpha\\\":1,\\\"visible\\\":true,\\\"style\\\":{\\\"type\\\":\\\"TILE\\\"},\\\"includeInFitToBounds\\\":true,\\\"type\\\":\\\"VECTOR_TILE\\\"},{\\\"alpha\\\":0.75,\\\"id\\\":\\\"8cdaae20-5dcc-4930-b105-802fc344fcb6\\\",\\\"includeInFitToBounds\\\":true,\\\"joins\\\":[],\\\"label\\\":\\\"Top Destinations by Events [Logs CEF 
ArcSight]\\\",\\\"maxZoom\\\":24,\\\"minZoom\\\":0,\\\"sourceDescriptor\\\":{\\\"applyForceRefresh\\\":true,\\\"applyGlobalQuery\\\":true,\\\"applyGlobalTime\\\":true,\\\"geoField\\\":\\\"destination.geo.location\\\",\\\"id\\\":\\\"88700fdc-3a96-46b8-b51f-3839111eb6ec\\\",\\\"indexPatternId\\\":\\\"logs-*\\\",\\\"metrics\\\":[{\\\"type\\\":\\\"count\\\"}],\\\"requestType\\\":\\\"point\\\",\\\"resolution\\\":\\\"MOST_FINE\\\",\\\"type\\\":\\\"ES_GEO_GRID\\\"},\\\"style\\\":{\\\"isTimeAware\\\":true,\\\"properties\\\":{\\\"fillColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"Yellow to Red\\\",\\\"colorCategory\\\":\\\"palette_0\\\",\\\"field\\\":{\\\"name\\\":\\\"doc_count\\\",\\\"origin\\\":\\\"source\\\"},\\\"fieldMetaOptions\\\":{\\\"isEnabled\\\":false,\\\"sigma\\\":3},\\\"type\\\":\\\"ORDINAL\\\"},\\\"type\\\":\\\"DYNAMIC\\\"},\\\"icon\\\":{\\\"options\\\":{\\\"value\\\":\\\"marker\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"iconOrientation\\\":{\\\"options\\\":{\\\"orientation\\\":0},\\\"type\\\":\\\"STATIC\\\"},\\\"iconSize\\\":{\\\"options\\\":{\\\"size\\\":6},\\\"type\\\":\\\"STATIC\\\"},\\\"labelBorderColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"#FFFFFF\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"labelBorderSize\\\":{\\\"options\\\":{\\\"size\\\":\\\"SMALL\\\"}},\\\"labelColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"#000000\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"labelSize\\\":{\\\"options\\\":{\\\"size\\\":14},\\\"type\\\":\\\"STATIC\\\"},\\\"labelText\\\":{\\\"options\\\":{\\\"value\\\":\\\"\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"lineColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"#3d3d3d\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"lineWidth\\\":{\\\"options\\\":{\\\"size\\\":1},\\\"type\\\":\\\"STATIC\\\"},\\\"symbolizeAs\\\":{\\\"options\\\":{\\\"value\\\":\\\"circle\\\"}}},\\\"type\\\":\\\"VECTOR\\\"},\\\"type\\\":\\\"VECTOR\\\",\\\"visible\\\":true}]\",\"mapStateJSON\":\"{\\\"zoom\\\":1.78,\\\"center\\\":{\\\"lon\\\":0,\\\"lat\\\":16.40767},\\\"timeFilters\\\":{\\\"from\\\":\\
\"now-24h\\\",\\\"to\\\":\\\"now\\\"},\\\"refreshConfig\\\":{\\\"isPaused\\\":true,\\\"interval\\\":0},\\\"query\\\":{\\\"query\\\":\\\"\\\",\\\"language\\\":\\\"kuery\\\"},\\\"filters\\\":[],\\\"settings\\\":{\\\"autoFitToDataBounds\\\":false,\\\"backgroundColor\\\":\\\"#ffffff\\\",\\\"disableInteractive\\\":false,\\\"disableTooltipControl\\\":false,\\\"hideToolbarOverlay\\\":false,\\\"hideLayerControl\\\":false,\\\"hideViewControl\\\":false,\\\"initialLocation\\\":\\\"LAST_SAVED_LOCATION\\\",\\\"fixedLocation\\\":{\\\"lat\\\":0,\\\"lon\\\":0,\\\"zoom\\\":2},\\\"browserLocation\\\":{\\\"zoom\\\":2},\\\"maxZoom\\\":24,\\\"minZoom\\\":0,\\\"showScaleControl\\\":false,\\\"showSpatialFilters\\\":true,\\\"showTimesliderToggleButton\\\":true,\\\"spatialFiltersAlpa\\\":0.3,\\\"spatialFiltersFillColor\\\":\\\"#DA8B45\\\",\\\"spatialFiltersLineColor\\\":\\\"#DA8B45\\\"}}\",\"references\":[],\"title\":\"Top Destinations by Events [Logs CEF ArcSight]\",\"uiStateJSON\":\"{\\\"isLayerTOCOpen\\\":true,\\\"openTOCDetails\\\":[]}\"},\"enhancements\":{},\"hiddenLayers\":[],\"isLayerTOCOpen\":true,\"mapBuffer\":{\"maxLat\":66.51326,\"maxLon\":90,\"minLat\":-66.51326,\"minLon\":-90},\"mapCenter\":{\"lat\":16.40767,\"lon\":0,\"zoom\":1.78},\"openTOCDetails\":[]},\"gridData\":{\"h\":12,\"i\":\"07f92eca-2078-4aa6-8373-d27ca33595d6\",\"w\":24,\"x\":24,\"y\":72},\"panelIndex\":\"07f92eca-2078-4aa6-8373-d27ca33595d6\",\"type\":\"map\",\"version\":\"8.0.0\"}]", - "refreshInterval": { - "pause": true, - "value": 0 - }, - "timeFrom": "now-24h", - "timeRestore": true, - "timeTo": "now", - "title": "[Logs CEF ArcSight] Microsoft DNS Overview", - "version": 1 - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-56428e01-0c47-4770-8ba4-9345a029ea41", - "migrationVersion": { - "dashboard": "8.0.0" - }, - "references": [ - { - "id": "cef-7e2b0659-0760-4182-8b29-3ee69f26bc6f", - "name": "1:panel_1", - "type": "visualization" - }, - { - "id": "cef-249e2737-b41f-4115-b303-88bc9d279655", - "name": 
"3:panel_3", - "type": "visualization" - }, - { - "id": "cef-566d8b4e-ec5c-4b8b-bd68-3cc9cb236110", - "name": "5:panel_5", - "type": "visualization" - }, - { - "id": "cef-759e8dc3-0fdb-4cb6-ba47-87a2e2ff8df3", - "name": "6:panel_6", - "type": "visualization" - }, - { - "id": "cef-fcf798a8-db8f-4492-827b-8fa7581108a9", - "name": "7:panel_7", - "type": "visualization" - }, - { - "id": "cef-f0e60404-ddf4-4b46-8e45-e28c4fb6d60d", - "name": "9:panel_9", - "type": "visualization" - }, - { - "id": "cef-1b9cc5b7-7747-49de-96b1-a4bc7f675716", - "name": "11:panel_11", - "type": "visualization" - }, - { - "id": "cef-677891a1-90c4-4273-b126-f0e54689bd76", - "name": "12:panel_12", - "type": "visualization" - }, - { - "id": "cef-26a65f68-d7a6-4b47-befc-c5a6819bb91b", - "name": "13:panel_13", - "type": "visualization" - }, - { - "id": "cef-16aef3e9-e33b-4bab-b32f-d8c5b1263ac0", - "name": "14:panel_14", - "type": "visualization" - }, - { - "id": "cef-f3c573ad-2c16-4de5-9ec3-0a47141d4fa0", - "name": "15:panel_15", - "type": "visualization" - }, - { - "id": "logs-*", - "name": "3cf2118b-5231-49f5-b685-0ff0e1f52c32:layer_1_source_index_pattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "07f92eca-2078-4aa6-8373-d27ca33595d6:layer_1_source_index_pattern", - "type": "index-pattern" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/cef/2.3.2/kibana/dashboard/cef-607f756e-288d-499a-8f8a-33791354ffaf.json b/packages/cef/2.3.2/kibana/dashboard/cef-607f756e-288d-499a-8f8a-33791354ffaf.json deleted file mode 100755 index e155c10a5e..0000000000 --- a/packages/cef/2.3.2/kibana/dashboard/cef-607f756e-288d-499a-8f8a-33791354ffaf.json +++ /dev/null 
@@ -1,93 +0,0 @@ -{ - "attributes": { - "description": "Overview of Microsoft DNS activity", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:cef.log\"},\"version\":true}" - }, - "optionsJSON": "{\"darkTheme\":false}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"1\",\"w\":8,\"x\":40,\"y\":4},\"panelIndex\":\"1\",\"panelRefName\":\"panel_1\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}},\"gridData\":{\"h\":8,\"i\":\"3\",\"w\":40,\"x\":0,\"y\":4},\"panelIndex\":\"3\",\"panelRefName\":\"panel_3\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"defaultColors\":{\"0 - 18k\":\"rgb(247,251,255)\",\"108k - 126k\":\"rgb(74,152,201)\",\"126k - 144k\":\"rgb(46,126,188)\",\"144k - 162k\":\"rgb(23,100,171)\",\"162k - 180k\":\"rgb(8,74,145)\",\"18k - 36k\":\"rgb(227,238,249)\",\"36k - 54k\":\"rgb(208,225,242)\",\"54k - 72k\":\"rgb(182,212,233)\",\"72k - 90k\":\"rgb(148,196,223)\",\"90k - 
108k\":\"rgb(107,174,214)\"},\"legendOpen\":false}},\"gridData\":{\"h\":16,\"i\":\"5\",\"w\":24,\"x\":0,\"y\":32},\"panelIndex\":\"5\",\"panelRefName\":\"panel_5\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"6\",\"w\":48,\"x\":0,\"y\":48},\"panelIndex\":\"6\",\"panelRefName\":\"panel_6\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":16,\"i\":\"7\",\"w\":24,\"x\":24,\"y\":32},\"panelIndex\":\"7\",\"panelRefName\":\"panel_7\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"9\",\"w\":48,\"x\":0,\"y\":12},\"panelIndex\":\"9\",\"panelRefName\":\"panel_9\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"h\":16,\"i\":\"11\",\"w\":24,\"x\":24,\"y\":56},\"panelIndex\":\"11\",\"panelRefName\":\"panel_11\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":4,\"i\":\"12\",\"w\":48,\"x\":0,\"y\":0},\"panelIndex\":\"12\",\"panelRefName\":\"panel_12\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"h\":16,\"i\":\"13\",\"w\":24,\"x\":0,\"y\":56},\"panelIndex\":\"13\",\"panelRefName\":\"panel_13\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":12,\"i\":\"14\",\"w\":24,\"x\":0,\"y\":20},\"panelIndex\":\"14\",\"panelRefName\":\"panel_14\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":12,\"i\":\"15\",\"w\":24,\"x\":24,\"y\":20},\"panelIndex\":\"15\",\"panelRefName\":\"panel_15\",\"type\":\"visualization\"
,\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"attributes\":{\"description\":\"\",\"layerListJSON\":\"[{\\\"sourceDescriptor\\\":{\\\"type\\\":\\\"EMS_TMS\\\",\\\"isAutoSelect\\\":true,\\\"lightModeDefault\\\":\\\"road_map_desaturated\\\"},\\\"id\\\":\\\"56b3b288-a0f1-416d-9d40-96a37c8484fd\\\",\\\"label\\\":null,\\\"minZoom\\\":0,\\\"maxZoom\\\":24,\\\"alpha\\\":1,\\\"visible\\\":true,\\\"style\\\":{\\\"type\\\":\\\"TILE\\\"},\\\"includeInFitToBounds\\\":true,\\\"type\\\":\\\"EMS_VECTOR_TILE\\\"},{\\\"alpha\\\":0.75,\\\"id\\\":\\\"d50cbece-4556-4421-bb06-fb015bfe7baa\\\",\\\"includeInFitToBounds\\\":true,\\\"joins\\\":[],\\\"label\\\":\\\"Top Sources by Events [Logs CEF]\\\",\\\"maxZoom\\\":24,\\\"minZoom\\\":0,\\\"sourceDescriptor\\\":{\\\"applyForceRefresh\\\":true,\\\"applyGlobalQuery\\\":true,\\\"applyGlobalTime\\\":true,\\\"geoField\\\":\\\"source.geo.location\\\",\\\"id\\\":\\\"555cbeac-b098-4946-9498-6b700e745e8a\\\",\\\"metrics\\\":[{\\\"type\\\":\\\"count\\\"}],\\\"requestType\\\":\\\"point\\\",\\\"resolution\\\":\\\"MOST_FINE\\\",\\\"type\\\":\\\"ES_GEO_GRID\\\",\\\"indexPatternRefName\\\":\\\"layer_1_source_index_pattern\\\"},\\\"style\\\":{\\\"isTimeAware\\\":true,\\\"properties\\\":{\\\"fillColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"Yellow to 
Red\\\",\\\"colorCategory\\\":\\\"palette_0\\\",\\\"field\\\":{\\\"name\\\":\\\"doc_count\\\",\\\"origin\\\":\\\"source\\\"},\\\"fieldMetaOptions\\\":{\\\"isEnabled\\\":false,\\\"sigma\\\":3},\\\"type\\\":\\\"ORDINAL\\\"},\\\"type\\\":\\\"DYNAMIC\\\"},\\\"icon\\\":{\\\"options\\\":{\\\"value\\\":\\\"marker\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"iconOrientation\\\":{\\\"options\\\":{\\\"orientation\\\":0},\\\"type\\\":\\\"STATIC\\\"},\\\"iconSize\\\":{\\\"options\\\":{\\\"size\\\":6},\\\"type\\\":\\\"STATIC\\\"},\\\"labelBorderColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"#FFFFFF\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"labelBorderSize\\\":{\\\"options\\\":{\\\"size\\\":\\\"SMALL\\\"}},\\\"labelColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"#000000\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"labelSize\\\":{\\\"options\\\":{\\\"size\\\":14},\\\"type\\\":\\\"STATIC\\\"},\\\"labelText\\\":{\\\"options\\\":{\\\"value\\\":\\\"\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"lineColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"#3d3d3d\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"lineWidth\\\":{\\\"options\\\":{\\\"size\\\":1},\\\"type\\\":\\\"STATIC\\\"},\\\"symbolizeAs\\\":{\\\"options\\\":{\\\"value\\\":\\\"circle\\\"}}},\\\"type\\\":\\\"VECTOR\\\"},\\\"type\\\":\\\"GEOJSON_VECTOR\\\",\\\"visible\\\":true}]\",\"mapStateJSON\":\"{\\\"zoom\\\":1.78,\\\"center\\\":{\\\"lon\\\":0,\\\"lat\\\":16.40767},\\\"timeFilters\\\":{\\\"from\\\":\\\"now-24h\\\",\\\"to\\\":\\\"now\\\"},\\\"refreshConfig\\\":{\\\"isPaused\\\":true,\\\"interval\\\":0},\\\"query\\\":{\\\"query\\\":\\\"\\\",\\\"language\\\":\\\"kuery\\\"},\\\"filters\\\":[],\\\"settings\\\":{\\\"autoFitToDataBounds\\\":false,\\\"backgroundColor\\\":\\\"#ffffff\\\",\\\"disableInteractive\\\":false,\\\"disableTooltipControl\\\":false,\\\"hideToolbarOverlay\\\":false,\\\"hideLayerControl\\\":false,\\\"hideViewControl\\\":false,\\\"initialLocation\\\":\\\"LAST_SAVED_LOCATION\\\",\\\"fixedLocation\\\":{\\\"lat\\\":0,\\\"lon\\\":0,\\\"zoom\\\":2},\\\"browserLo
cation\\\":{\\\"zoom\\\":2},\\\"maxZoom\\\":24,\\\"minZoom\\\":0,\\\"showScaleControl\\\":false,\\\"showSpatialFilters\\\":true,\\\"showTimesliderToggleButton\\\":true,\\\"spatialFiltersAlpa\\\":0.3,\\\"spatialFiltersFillColor\\\":\\\"#DA8B45\\\",\\\"spatialFiltersLineColor\\\":\\\"#DA8B45\\\"}}\",\"references\":[],\"title\":\"Top Sources by Events [Logs CEF]\",\"uiStateJSON\":\"{\\\"isLayerTOCOpen\\\":true,\\\"openTOCDetails\\\":[]}\"},\"enhancements\":{},\"hiddenLayers\":[],\"isLayerTOCOpen\":true,\"mapBuffer\":{\"maxLat\":66.51326,\"maxLon\":90,\"minLat\":-66.51326,\"minLon\":-90},\"mapCenter\":{\"lat\":16.40767,\"lon\":0,\"zoom\":1.78},\"openTOCDetails\":[]},\"gridData\":{\"h\":12,\"i\":\"3cf2118b-5231-49f5-b685-0ff0e1f52c32\",\"w\":24,\"x\":0,\"y\":72},\"panelIndex\":\"3cf2118b-5231-49f5-b685-0ff0e1f52c32\",\"type\":\"map\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"attributes\":{\"description\":\"\",\"layerListJSON\":\"[{\\\"sourceDescriptor\\\":{\\\"type\\\":\\\"EMS_TMS\\\",\\\"isAutoSelect\\\":true,\\\"lightModeDefault\\\":\\\"road_map_desaturated\\\"},\\\"id\\\":\\\"5231e15c-d374-46ca-9553-3308d723ded3\\\",\\\"label\\\":null,\\\"minZoom\\\":0,\\\"maxZoom\\\":24,\\\"alpha\\\":1,\\\"visible\\\":true,\\\"style\\\":{\\\"type\\\":\\\"TILE\\\"},\\\"includeInFitToBounds\\\":true,\\\"type\\\":\\\"EMS_VECTOR_TILE\\\"},{\\\"alpha\\\":0.75,\\\"id\\\":\\\"8cdaae20-5dcc-4930-b105-802fc344fcb6\\\",\\\"includeInFitToBounds\\\":true,\\\"joins\\\":[],\\\"label\\\":\\\"Top Destinations by Events [Logs 
CEF]\\\",\\\"maxZoom\\\":24,\\\"minZoom\\\":0,\\\"sourceDescriptor\\\":{\\\"applyForceRefresh\\\":true,\\\"applyGlobalQuery\\\":true,\\\"applyGlobalTime\\\":true,\\\"geoField\\\":\\\"destination.geo.location\\\",\\\"id\\\":\\\"88700fdc-3a96-46b8-b51f-3839111eb6ec\\\",\\\"metrics\\\":[{\\\"type\\\":\\\"count\\\"}],\\\"requestType\\\":\\\"point\\\",\\\"resolution\\\":\\\"MOST_FINE\\\",\\\"type\\\":\\\"ES_GEO_GRID\\\",\\\"indexPatternRefName\\\":\\\"layer_1_source_index_pattern\\\"},\\\"style\\\":{\\\"isTimeAware\\\":true,\\\"properties\\\":{\\\"fillColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"Yellow to Red\\\",\\\"colorCategory\\\":\\\"palette_0\\\",\\\"field\\\":{\\\"name\\\":\\\"doc_count\\\",\\\"origin\\\":\\\"source\\\"},\\\"fieldMetaOptions\\\":{\\\"isEnabled\\\":false,\\\"sigma\\\":3},\\\"type\\\":\\\"ORDINAL\\\"},\\\"type\\\":\\\"DYNAMIC\\\"},\\\"icon\\\":{\\\"options\\\":{\\\"value\\\":\\\"marker\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"iconOrientation\\\":{\\\"options\\\":{\\\"orientation\\\":0},\\\"type\\\":\\\"STATIC\\\"},\\\"iconSize\\\":{\\\"options\\\":{\\\"size\\\":6},\\\"type\\\":\\\"STATIC\\\"},\\\"labelBorderColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"#FFFFFF\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"labelBorderSize\\\":{\\\"options\\\":{\\\"size\\\":\\\"SMALL\\\"}},\\\"labelColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"#000000\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"labelSize\\\":{\\\"options\\\":{\\\"size\\\":14},\\\"type\\\":\\\"STATIC\\\"},\\\"labelText\\\":{\\\"options\\\":{\\\"value\\\":\\\"\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"lineColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"#3d3d3d\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"lineWidth\\\":{\\\"options\\\":{\\\"size\\\":1},\\\"type\\\":\\\"STATIC\\\"},\\\"symbolizeAs\\\":{\\\"options\\\":{\\\"value\\\":\\\"circle\\\"}}},\\\"type\\\":\\\"VECTOR\\\"},\\\"type\\\":\\\"GEOJSON_VECTOR\\\",\\\"visible\\\":true}]\",\"mapStateJSON\":\"{\\\"zoom\\\":1.78,\\\"center\\\":{\\\"lon\\\":0,\\\"lat\\\":16.40767},\\\"ti
meFilters\\\":{\\\"from\\\":\\\"now-24h\\\",\\\"to\\\":\\\"now\\\"},\\\"refreshConfig\\\":{\\\"isPaused\\\":true,\\\"interval\\\":0},\\\"query\\\":{\\\"query\\\":\\\"\\\",\\\"language\\\":\\\"kuery\\\"},\\\"filters\\\":[],\\\"settings\\\":{\\\"autoFitToDataBounds\\\":false,\\\"backgroundColor\\\":\\\"#ffffff\\\",\\\"disableInteractive\\\":false,\\\"disableTooltipControl\\\":false,\\\"hideToolbarOverlay\\\":false,\\\"hideLayerControl\\\":false,\\\"hideViewControl\\\":false,\\\"initialLocation\\\":\\\"LAST_SAVED_LOCATION\\\",\\\"fixedLocation\\\":{\\\"lat\\\":0,\\\"lon\\\":0,\\\"zoom\\\":2},\\\"browserLocation\\\":{\\\"zoom\\\":2},\\\"maxZoom\\\":24,\\\"minZoom\\\":0,\\\"showScaleControl\\\":false,\\\"showSpatialFilters\\\":true,\\\"showTimesliderToggleButton\\\":true,\\\"spatialFiltersAlpa\\\":0.3,\\\"spatialFiltersFillColor\\\":\\\"#DA8B45\\\",\\\"spatialFiltersLineColor\\\":\\\"#DA8B45\\\"}}\",\"references\":[],\"title\":\"Top Destinations by Events [Logs CEF]\",\"uiStateJSON\":\"{\\\"isLayerTOCOpen\\\":true,\\\"openTOCDetails\\\":[]}\"},\"enhancements\":{},\"hiddenLayers\":[],\"isLayerTOCOpen\":true,\"mapBuffer\":{\"maxLat\":66.51326,\"maxLon\":90,\"minLat\":-66.51326,\"minLon\":-90},\"mapCenter\":{\"lat\":16.40767,\"lon\":0,\"zoom\":1.78},\"openTOCDetails\":[]},\"gridData\":{\"h\":12,\"i\":\"07f92eca-2078-4aa6-8373-d27ca33595d6\",\"w\":24,\"x\":24,\"y\":72},\"panelIndex\":\"07f92eca-2078-4aa6-8373-d27ca33595d6\",\"type\":\"map\",\"version\":\"8.0.0\"}]", - "refreshInterval": { - "pause": true, - "value": 0 - }, - "timeFrom": "now-24h", - "timeRestore": true, - "timeTo": "now", - "title": "[Logs CEF] Microsoft DNS Overview", - "version": 1 - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-607f756e-288d-499a-8f8a-33791354ffaf", - "migrationVersion": { - "dashboard": "8.0.0" - }, - "references": [ - { - "id": "cef-b25e0340-0e97-4849-9b89-959b9ad8c958", - "name": "1:panel_1", - "type": "visualization" - }, - { - "id": "cef-0d0fd899-a40a-43e5-ac80-56f3bf09c18c", - 
"name": "3:panel_3", - "type": "visualization" - }, - { - "id": "cef-1bd44f46-e28d-4a2d-8245-6994372155ab", - "name": "5:panel_5", - "type": "visualization" - }, - { - "id": "cef-04096ec6-9644-4da7-bba3-35da7882f87d", - "name": "6:panel_6", - "type": "visualization" - }, - { - "id": "cef-490c415c-b859-4ed0-a2a4-5c4968084985", - "name": "7:panel_7", - "type": "visualization" - }, - { - "id": "cef-33290695-4eb1-4270-9e63-7083e7b132ed", - "name": "9:panel_9", - "type": "visualization" - }, - { - "id": "cef-8869f0bb-b8a3-4e6b-b3c4-3cc80b67b3da", - "name": "11:panel_11", - "type": "visualization" - }, - { - "id": "cef-0959df23-10c9-47fd-bebd-c382007b3584", - "name": "12:panel_12", - "type": "visualization" - }, - { - "id": "cef-19e44299-4e2a-4da4-a9e5-595b428d49dd", - "name": "13:panel_13", - "type": "visualization" - }, - { - "id": "cef-38fd061a-0976-4005-b0d3-729d693cdd5d", - "name": "14:panel_14", - "type": "visualization" - }, - { - "id": "cef-d85b0ce0-4fa7-4fe5-9fe1-41cf40606ef3", - "name": "15:panel_15", - "type": "visualization" - }, - { - "id": "logs-*", - "name": "3cf2118b-5231-49f5-b685-0ff0e1f52c32:layer_1_source_index_pattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "07f92eca-2078-4aa6-8373-d27ca33595d6:layer_1_source_index_pattern", - "type": "index-pattern" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/cef/2.3.2/kibana/dashboard/cef-85d71d6a-69fc-46a5-bf38-f94c177fbabf.json b/packages/cef/2.3.2/kibana/dashboard/cef-85d71d6a-69fc-46a5-bf38-f94c177fbabf.json deleted file mode 100755 index c86601cba3..0000000000 --- a/packages/cef/2.3.2/kibana/dashboard/cef-85d71d6a-69fc-46a5-bf38-f94c177fbabf.json +++ /dev/null 
@@ -1,109 +0,0 @@ -{ - "attributes": { - "description": "Operating system activity from endpoints", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:cef.log\"},\"version\":true}" - }, - "optionsJSON": "{\"darkTheme\":false}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"colors\":{\"Count\":\"#64B0C8\",\"Destination User Names\":\"#E24D42\",\"Event Types\":\"#EF843C\"},\"legendOpen\":true}},\"gridData\":{\"h\":12,\"i\":\"3\",\"w\":24,\"x\":0,\"y\":28},\"panelIndex\":\"3\",\"panelRefName\":\"panel_3\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}},\"gridData\":{\"h\":8,\"i\":\"4\",\"w\":40,\"x\":0,\"y\":4},\"panelIndex\":\"4\",\"panelRefName\":\"panel_4\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"defaultColors\":{\"0 - 55k\":\"rgb(255,255,204)\",\"110k - 165k\":\"rgb(254,225,135)\",\"165k - 220k\":\"rgb(254,201,101)\",\"220k - 275k\":\"rgb(254,171,73)\",\"275k - 330k\":\"rgb(253,141,60)\",\"330k - 385k\":\"rgb(252,91,46)\",\"385k - 440k\":\"rgb(237,47,34)\",\"440k - 495k\":\"rgb(212,16,32)\",\"495k - 550k\":\"rgb(176,0,38)\",\"55k - 
110k\":\"rgb(255,241,170)\"},\"legendOpen\":false}},\"gridData\":{\"h\":12,\"i\":\"5\",\"w\":24,\"x\":24,\"y\":28},\"panelIndex\":\"5\",\"panelRefName\":\"panel_5\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"7\",\"w\":48,\"x\":0,\"y\":20},\"panelIndex\":\"7\",\"panelRefName\":\"panel_7\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"colors\":{\"failure\":\"#E24D42\",\"success\":\"#7EB26D\",\"unknown\":\"#447EBC\"}}},\"gridData\":{\"h\":12,\"i\":\"8\",\"w\":24,\"x\":24,\"y\":52},\"panelIndex\":\"8\",\"panelRefName\":\"panel_8\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"h\":24,\"i\":\"9\",\"w\":24,\"x\":0,\"y\":40},\"panelIndex\":\"9\",\"panelRefName\":\"panel_9\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":12,\"i\":\"10\",\"w\":24,\"x\":24,\"y\":40},\"panelIndex\":\"10\",\"panelRefName\":\"panel_10\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":4,\"i\":\"11\",\"w\":48,\"x\":0,\"y\":0},\"panelIndex\":\"11\",\"panelRefName\":\"panel_11\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"12\",\"w\":8,\"x\":40,\"y\":4},\"panelIndex\":\"12\",\"panelRefName\":\"panel_12\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"colors\":{\"Destination Users\":\"#E24D42\",\"Event 
Count\":\"#64B0C8\"}}},\"gridData\":{\"h\":8,\"i\":\"13\",\"w\":48,\"x\":0,\"y\":12},\"panelIndex\":\"13\",\"panelRefName\":\"panel_13\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"legendOpen\":false}},\"gridData\":{\"h\":20,\"i\":\"14\",\"w\":16,\"x\":32,\"y\":64},\"panelIndex\":\"14\",\"panelRefName\":\"panel_14\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"legendOpen\":false}},\"gridData\":{\"h\":24,\"i\":\"15\",\"w\":16,\"x\":32,\"y\":84},\"panelIndex\":\"15\",\"panelRefName\":\"panel_15\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":12,\"i\":\"16\",\"w\":32,\"x\":0,\"y\":80},\"panelIndex\":\"16\",\"panelRefName\":\"panel_16\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"17\",\"w\":32,\"x\":0,\"y\":100},\"panelIndex\":\"17\",\"panelRefName\":\"panel_17\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":16,\"i\":\"18\",\"w\":32,\"x\":0,\"y\":64},\"panelIndex\":\"18\",\"panelRefName\":\"panel_18\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"19\",\"w\":32,\"x\":0,\"y\":92},\"panelIndex\":\"19\",\"panelRefName\":\"panel_19\",\"type\":\"visualization\",\"version\":\"7.3.0\"}]", - "refreshInterval": { - "display": "Off", - "pause": false, - "value": 0 - }, - "timeFrom": "now-24h", - "timeRestore": true, - "timeTo": "now", - "title": "[Logs CEF] Endpoint Activity Dashboard", - "version": 1 - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-85d71d6a-69fc-46a5-bf38-f94c177fbabf", - "migrationVersion": { - "dashboard": "8.0.0" - }, - "references": [ - { - "id": "cef-868d68b5-3e62-4fc2-b942-fbb69a7c91d5", - "name": "3:panel_3", - "type": "visualization" - }, - { - 
"id": "cef-4c86b51e-6886-4484-98a2-508e92b455bb", - "name": "4:panel_4", - "type": "visualization" - }, - { - "id": "cef-cc7f89bc-22ad-4778-9c9f-1873ff38750b", - "name": "5:panel_5", - "type": "visualization" - }, - { - "id": "cef-0a5276a2-907b-4319-88ab-86fe5ade8b38", - "name": "7:panel_7", - "type": "visualization" - }, - { - "id": "cef-2b96deab-dbf1-4be3-ae70-1bfb6c3fbd2a", - "name": "8:panel_8", - "type": "visualization" - }, - { - "id": "cef-7dc26e6f-76d4-4454-99a9-6ccbba8948f0", - "name": "9:panel_9", - "type": "visualization" - }, - { - "id": "cef-d2332147-4293-4422-930b-0a319ebeb958", - "name": "10:panel_10", - "type": "visualization" - }, - { - "id": "cef-0959df23-10c9-47fd-bebd-c382007b3584", - "name": "11:panel_11", - "type": "visualization" - }, - { - "id": "cef-2a0a7692-9a08-449f-bcef-b85de1855fd5", - "name": "12:panel_12", - "type": "visualization" - }, - { - "id": "cef-a52d1fe2-6933-48bd-b079-61f6e2dc05c2", - "name": "13:panel_13", - "type": "visualization" - }, - { - "id": "cef-82a333a7-d9d3-4752-b564-160d4b9f188b", - "name": "14:panel_14", - "type": "visualization" - }, - { - "id": "cef-b4ac112e-809a-437d-a805-3ff44a67c21c", - "name": "15:panel_15", - "type": "visualization" - }, - { - "id": "cef-1479b35b-1bf3-4767-a510-9d210e010342", - "name": "16:panel_16", - "type": "visualization" - }, - { - "id": "cef-bd35faa9-492e-4abe-9bf1-2d3c0d98171d", - "name": "17:panel_17", - "type": "visualization" - }, - { - "id": "cef-255c0885-6349-4ab4-ba00-f055c6cc8000", - "name": "18:panel_18", - "type": "visualization" - }, - { - "id": "cef-56247c19-7aa5-475d-b074-5b0cd4794f0c", - "name": "19:panel_19", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/cef/2.3.2/kibana/dashboard/cef-9e352900-89c3-4c1b-863e-249e24d0dac9.json b/packages/cef/2.3.2/kibana/dashboard/cef-9e352900-89c3-4c1b-863e-249e24d0dac9.json deleted file mode 100755 index e740d26d0b..0000000000 
--- a/packages/cef/2.3.2/kibana/dashboard/cef-9e352900-89c3-4c1b-863e-249e24d0dac9.json +++ /dev/null 
@@ -1,109 +0,0 @@ -{ - "attributes": { - "description": "Operating system activity from endpoints via ArcSight", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:cef.log\"},\"version\":true}" - }, - "optionsJSON": "{\"darkTheme\":false}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"colors\":{\"Count\":\"#64B0C8\",\"Destination User Names\":\"#E24D42\",\"Event Types\":\"#EF843C\"},\"legendOpen\":true}},\"gridData\":{\"h\":12,\"i\":\"3\",\"w\":24,\"x\":0,\"y\":28},\"panelIndex\":\"3\",\"panelRefName\":\"panel_3\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}},\"gridData\":{\"h\":8,\"i\":\"4\",\"w\":40,\"x\":0,\"y\":4},\"panelIndex\":\"4\",\"panelRefName\":\"panel_4\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"defaultColors\":{\"0 - 55k\":\"rgb(255,255,204)\",\"110k - 165k\":\"rgb(254,225,135)\",\"165k - 220k\":\"rgb(254,201,101)\",\"220k - 275k\":\"rgb(254,171,73)\",\"275k - 330k\":\"rgb(253,141,60)\",\"330k - 385k\":\"rgb(252,91,46)\",\"385k - 440k\":\"rgb(237,47,34)\",\"440k - 495k\":\"rgb(212,16,32)\",\"495k - 550k\":\"rgb(176,0,38)\",\"55k - 
110k\":\"rgb(255,241,170)\"},\"legendOpen\":false}},\"gridData\":{\"h\":12,\"i\":\"5\",\"w\":24,\"x\":24,\"y\":28},\"panelIndex\":\"5\",\"panelRefName\":\"panel_5\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"7\",\"w\":48,\"x\":0,\"y\":20},\"panelIndex\":\"7\",\"panelRefName\":\"panel_7\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"colors\":{\"/Attempt\":\"#447EBC\",\"/Failure\":\"#E24D42\",\"/Success\":\"#7EB26D\"}}},\"gridData\":{\"h\":12,\"i\":\"8\",\"w\":24,\"x\":24,\"y\":52},\"panelIndex\":\"8\",\"panelRefName\":\"panel_8\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"h\":24,\"i\":\"9\",\"w\":24,\"x\":0,\"y\":40},\"panelIndex\":\"9\",\"panelRefName\":\"panel_9\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":12,\"i\":\"10\",\"w\":24,\"x\":24,\"y\":40},\"panelIndex\":\"10\",\"panelRefName\":\"panel_10\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":4,\"i\":\"11\",\"w\":48,\"x\":0,\"y\":0},\"panelIndex\":\"11\",\"panelRefName\":\"panel_11\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"12\",\"w\":8,\"x\":40,\"y\":4},\"panelIndex\":\"12\",\"panelRefName\":\"panel_12\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"colors\":{\"Destination Users\":\"#E24D42\",\"Event 
Count\":\"#64B0C8\"}}},\"gridData\":{\"h\":8,\"i\":\"13\",\"w\":48,\"x\":0,\"y\":12},\"panelIndex\":\"13\",\"panelRefName\":\"panel_13\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"legendOpen\":false}},\"gridData\":{\"h\":20,\"i\":\"14\",\"w\":16,\"x\":32,\"y\":64},\"panelIndex\":\"14\",\"panelRefName\":\"panel_14\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"legendOpen\":false}},\"gridData\":{\"h\":24,\"i\":\"15\",\"w\":16,\"x\":32,\"y\":84},\"panelIndex\":\"15\",\"panelRefName\":\"panel_15\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":12,\"i\":\"16\",\"w\":32,\"x\":0,\"y\":80},\"panelIndex\":\"16\",\"panelRefName\":\"panel_16\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"17\",\"w\":32,\"x\":0,\"y\":100},\"panelIndex\":\"17\",\"panelRefName\":\"panel_17\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":16,\"i\":\"18\",\"w\":32,\"x\":0,\"y\":64},\"panelIndex\":\"18\",\"panelRefName\":\"panel_18\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"19\",\"w\":32,\"x\":0,\"y\":92},\"panelIndex\":\"19\",\"panelRefName\":\"panel_19\",\"type\":\"visualization\",\"version\":\"7.3.0\"}]", - "refreshInterval": { - "display": "Off", - "pause": false, - "value": 0 - }, - "timeFrom": "now-24h", - "timeRestore": true, - "timeTo": "now", - "title": "[Logs CEF ArcSight] Endpoint OS Activity Dashboard", - "version": 1 - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-9e352900-89c3-4c1b-863e-249e24d0dac9", - "migrationVersion": { - "dashboard": "8.0.0" - }, - "references": [ - { - "id": "cef-59ad829b-12b8-4256-95a5-e7078eda628b", - "name": "3:panel_3", - "type": "visualization" 
- }, - { - "id": "cef-158d809a-89db-4ffa-88a1-eb5c4bf58d50", - "name": "4:panel_4", - "type": "visualization" - }, - { - "id": "cef-77ee0e91-010b-4897-b483-7e9a907d2afe", - "name": "5:panel_5", - "type": "visualization" - }, - { - "id": "cef-0f4028b2-3dc2-4cb6-80d8-285c847a02a1", - "name": "7:panel_7", - "type": "visualization" - }, - { - "id": "cef-e06d85f2-2da4-41e2-b2ab-f685b64bb3f9", - "name": "8:panel_8", - "type": "visualization" - }, - { - "id": "cef-2726382e-638a-4dcc-94fc-0ffdc0f92048", - "name": "9:panel_9", - "type": "visualization" - }, - { - "id": "cef-92aecea0-a632-4a55-bb56-50e4cdaca036", - "name": "10:panel_10", - "type": "visualization" - }, - { - "id": "cef-677891a1-90c4-4273-b126-f0e54689bd76", - "name": "11:panel_11", - "type": "visualization" - }, - { - "id": "cef-76c088c3-486e-4420-8840-5ede667edffe", - "name": "12:panel_12", - "type": "visualization" - }, - { - "id": "cef-5f187dc8-aa7e-4f91-a2d8-1186ce254d00", - "name": "13:panel_13", - "type": "visualization" - }, - { - "id": "cef-316fdc75-7215-4c6b-8e1b-70a097b34e28", - "name": "14:panel_14", - "type": "visualization" - }, - { - "id": "cef-6437e9bb-9ed1-4e2d-bb10-e63ccd35c409", - "name": "15:panel_15", - "type": "visualization" - }, - { - "id": "cef-4a7c10c7-4abd-47b4-b4c3-dee33377fbdf", - "name": "16:panel_16", - "type": "visualization" - }, - { - "id": "cef-acc915fe-b971-4795-9040-3fbfdf62abe1", - "name": "17:panel_17", - "type": "visualization" - }, - { - "id": "cef-4e25b5ce-53c3-46fc-b5e5-71d3c52f1956", - "name": "18:panel_18", - "type": "visualization" - }, - { - "id": "cef-8cd00d20-957d-4663-be4d-ea80b1609586", - "name": "19:panel_19", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/cef/2.3.2/kibana/dashboard/cef-a0030996-9c7b-4f66-bd5a-59b23a7e7c15.json b/packages/cef/2.3.2/kibana/dashboard/cef-a0030996-9c7b-4f66-bd5a-59b23a7e7c15.json deleted file mode 100755 index c7f45b8189..0000000000 
--- a/packages/cef/2.3.2/kibana/dashboard/cef-a0030996-9c7b-4f66-bd5a-59b23a7e7c15.json +++ /dev/null 
@@ -1,83 +0,0 @@ -{ - "attributes": { - "description": "Summary of endpoint event data", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:cef.log\"},\"version\":true}" - }, - "optionsJSON": "{\"darkTheme\":false}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"1\",\"w\":8,\"x\":40,\"y\":4},\"panelIndex\":\"1\",\"panelRefName\":\"panel_1\",\"type\":\"visualization\",\"version\":\"8.2.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"colors\":{\"failure\":\"#BF1B00\",\"success\":\"#629E51\",\"unknown\":\"#0A50A1\"}}},\"gridData\":{\"h\":12,\"i\":\"2\",\"w\":24,\"x\":24,\"y\":20},\"panelIndex\":\"2\",\"panelRefName\":\"panel_2\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"colors\":{\"failure\":\"#BF1B00\",\"success\":\"#629E51\",\"unknown\":\"#0A50A1\"}}},\"gridData\":{\"h\":12,\"i\":\"3\",\"w\":24,\"x\":0,\"y\":20},\"panelIndex\":\"3\",\"panelRefName\":\"panel_3\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"5\",\"w\":48,\"x\":0,\"y\":12},\"panelIndex\":\"5\",\"panelRefName\":\"panel_5\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":12,\"i\":\"6\",\"w\":24,\"x\":24,\"y\":32},\"panelIndex\":\"6\",\"panelRefName\":\"panel_6\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"defaultColors\":{\"0 - 
100\":\"rgb(0,104,55)\"}}},\"gridData\":{\"h\":8,\"i\":\"7\",\"w\":40,\"x\":0,\"y\":4},\"panelIndex\":\"7\",\"panelRefName\":\"panel_7\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"columns\":[\"cef.extensions.categoryDeviceGroup\",\"cef.extensions.categoryTechnique\",\"event.outcome\",\"event.category\",\"event.type\",\"cef.extensions.categoryObject\",\"event.action\",\"cef.extensions.categoryDeviceType\"],\"enhancements\":{},\"sort\":[\"@timestamp\",\"desc\"]},\"gridData\":{\"h\":20,\"i\":\"9\",\"w\":48,\"x\":0,\"y\":72},\"panelIndex\":\"9\",\"panelRefName\":\"panel_9\",\"type\":\"search\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"10\",\"w\":24,\"x\":24,\"y\":44},\"panelIndex\":\"10\",\"panelRefName\":\"panel_10\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"h\":20,\"i\":\"12\",\"w\":24,\"x\":0,\"y\":32},\"panelIndex\":\"12\",\"panelRefName\":\"panel_12\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":4,\"i\":\"15\",\"w\":48,\"x\":0,\"y\":0},\"panelIndex\":\"15\",\"panelRefName\":\"panel_15\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"attributes\":{\"description\":\"\",\"layerListJSON\":\"[{\\\"sourceDescriptor\\\":{\\\"type\\\":\\\"EMS_TMS\\\",\\\"isAutoSelect\\\":true,\\\"lightModeDefault\\\":\\\"road_map_desaturated\\\"},\\\"id\\\":\\\"de084257-24da-4ea9-922e-a2d7565ebcd6\\\",\\\"label\\\":null,\\\"minZoom\\\":0,\\\"maxZoom\\\":24,\\\"alpha\\\":1,\\\"visible\\\":true,\\\"style\\\":{\\\"type\\\":\\\"TILE\\\"},\\\"includeInFitToBounds\\\":true,\\\"type\\\":\\\"EMS_VECTOR_TILE\\\"},{\\\"alpha\\\":0.75,\\\"id\\\":\\\"741ceaa6-5b51-4959-9935-c5961b12f539\\\",\\\"includeInFitToBounds\\\":true,\\\"joins\\\":[],\\\"label\\\":\\\"Top Destination 
Locations by Event [Logs CEF]\\\",\\\"maxZoom\\\":24,\\\"minZoom\\\":0,\\\"sourceDescriptor\\\":{\\\"applyForceRefresh\\\":true,\\\"applyGlobalQuery\\\":true,\\\"applyGlobalTime\\\":true,\\\"geoField\\\":\\\"destination.geo.location\\\",\\\"id\\\":\\\"ba850a09-c635-4855-b68b-de16dd200d6f\\\",\\\"metrics\\\":[{\\\"type\\\":\\\"count\\\"}],\\\"requestType\\\":\\\"point\\\",\\\"resolution\\\":\\\"MOST_FINE\\\",\\\"type\\\":\\\"ES_GEO_GRID\\\",\\\"indexPatternRefName\\\":\\\"layer_1_source_index_pattern\\\"},\\\"style\\\":{\\\"isTimeAware\\\":true,\\\"properties\\\":{\\\"fillColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"Yellow to Red\\\",\\\"colorCategory\\\":\\\"palette_0\\\",\\\"field\\\":{\\\"name\\\":\\\"doc_count\\\",\\\"origin\\\":\\\"source\\\"},\\\"fieldMetaOptions\\\":{\\\"isEnabled\\\":false,\\\"sigma\\\":3},\\\"type\\\":\\\"ORDINAL\\\"},\\\"type\\\":\\\"DYNAMIC\\\"},\\\"icon\\\":{\\\"options\\\":{\\\"value\\\":\\\"marker\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"iconOrientation\\\":{\\\"options\\\":{\\\"orientation\\\":0},\\\"type\\\":\\\"STATIC\\\"},\\\"iconSize\\\":{\\\"options\\\":{\\\"size\\\":6},\\\"type\\\":\\\"STATIC\\\"},\\\"labelBorderColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"#FFFFFF\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"labelBorderSize\\\":{\\\"options\\\":{\\\"size\\\":\\\"SMALL\\\"}},\\\"labelColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"#000000\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"labelSize\\\":{\\\"options\\\":{\\\"size\\\":14},\\\"type\\\":\\\"STATIC\\\"},\\\"labelText\\\":{\\\"options\\\":{\\\"value\\\":\\\"\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"lineColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"#3d3d3d\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"lineWidth\\\":{\\\"options\\\":{\\\"size\\\":1},\\\"type\\\":\\\"STATIC\\\"},\\\"symbolizeAs\\\":{\\\"options\\\":{\\\"value\\\":\\\"circle\\\"}}},\\\"type\\\":\\\"VECTOR\\\"},\\\"type\\\":\\\"GEOJSON_VECTOR\\\",\\\"visible\\\":true}]\",\"mapStateJSON\":\"{\\\"zoom\\\":1.78,\\\"center\\\":{\\\"lon\\\":0,\\\
"lat\\\":16.40767},\\\"timeFilters\\\":{\\\"from\\\":\\\"now-24h\\\",\\\"to\\\":\\\"now\\\"},\\\"refreshConfig\\\":{\\\"isPaused\\\":true,\\\"interval\\\":0},\\\"query\\\":{\\\"query\\\":\\\"\\\",\\\"language\\\":\\\"kuery\\\"},\\\"filters\\\":[],\\\"settings\\\":{\\\"autoFitToDataBounds\\\":false,\\\"backgroundColor\\\":\\\"#ffffff\\\",\\\"disableInteractive\\\":false,\\\"disableTooltipControl\\\":false,\\\"hideToolbarOverlay\\\":false,\\\"hideLayerControl\\\":false,\\\"hideViewControl\\\":false,\\\"initialLocation\\\":\\\"LAST_SAVED_LOCATION\\\",\\\"fixedLocation\\\":{\\\"lat\\\":0,\\\"lon\\\":0,\\\"zoom\\\":2},\\\"browserLocation\\\":{\\\"zoom\\\":2},\\\"maxZoom\\\":24,\\\"minZoom\\\":0,\\\"showScaleControl\\\":false,\\\"showSpatialFilters\\\":true,\\\"showTimesliderToggleButton\\\":true,\\\"spatialFiltersAlpa\\\":0.3,\\\"spatialFiltersFillColor\\\":\\\"#DA8B45\\\",\\\"spatialFiltersLineColor\\\":\\\"#DA8B45\\\"}}\",\"references\":[],\"title\":\"Top Destination Locations by Event [Logs CEF]\",\"uiStateJSON\":\"{\\\"isLayerTOCOpen\\\":true,\\\"openTOCDetails\\\":[]}\"},\"enhancements\":{},\"hiddenLayers\":[],\"isLayerTOCOpen\":true,\"mapBuffer\":{\"maxLat\":66.51326,\"maxLon\":90,\"minLat\":-66.51326,\"minLon\":-180},\"mapCenter\":{\"lat\":20.86831,\"lon\":-12.2843,\"zoom\":1.78},\"openTOCDetails\":[]},\"gridData\":{\"h\":20,\"i\":\"c9fd3ece-2bef-4cdc-9f83-ed689b35a17a\",\"w\":48,\"x\":0,\"y\":52},\"panelIndex\":\"c9fd3ece-2bef-4cdc-9f83-ed689b35a17a\",\"type\":\"map\",\"version\":\"8.0.0\"}]", - "refreshInterval": { - "pause": true, - "value": 0 - }, - "timeFrom": "now-24h", - "timeRestore": true, - "timeTo": "now", - "title": "[Logs CEF] Endpoint Overview Dashboard", - "version": 1 - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-a0030996-9c7b-4f66-bd5a-59b23a7e7c15", - "migrationVersion": { - "dashboard": "8.0.0" - }, - "references": [ - { - "id": "cef-f856a77c-a0fd-4047-afa6-e21a912814c5", - "name": "1:panel_1", - "type": "visualization" - }, - { - "id": 
"cef-4970ec04-796a-4c0e-90d9-7e23d0b7e48d", - "name": "2:panel_2", - "type": "visualization" - }, - { - "id": "cef-dd339ff5-6b26-4455-ae06-f3b5591479e3", - "name": "3:panel_3", - "type": "visualization" - }, - { - "id": "cef-0fe1baba-84a8-4cb3-9b17-bae8693c345a", - "name": "5:panel_5", - "type": "visualization" - }, - { - "id": "cef-0410a35e-eabd-46f4-a124-c780b6d1fd2e", - "name": "6:panel_6", - "type": "visualization" - }, - { - "id": "cef-b4a28b54-9adb-4c4b-8ae6-158dfeb673ce", - "name": "7:panel_7", - "type": "visualization" - }, - { - "id": "cef-41770860-2a81-4ce7-b8b4-a0c6970725b0", - "name": "9:panel_9", - "type": "search" - }, - { - "id": "cef-2ecd00c0-66f4-4020-9c6e-dff40d47654c", - "name": "10:panel_10", - "type": "visualization" - }, - { - "id": "cef-98729301-9b46-4169-b99e-1392af8fa563", - "name": "12:panel_12", - "type": "visualization" - }, - { - "id": "cef-0959df23-10c9-47fd-bebd-c382007b3584", - "name": "15:panel_15", - "type": "visualization" - }, - { - "id": "logs-*", - "name": "c9fd3ece-2bef-4cdc-9f83-ed689b35a17a:layer_1_source_index_pattern", - "type": "index-pattern" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/cef/2.3.2/kibana/dashboard/cef-c10ce1cf-f6b8-4de4-8715-2cb5f6770b3b.json b/packages/cef/2.3.2/kibana/dashboard/cef-c10ce1cf-f6b8-4de4-8715-2cb5f6770b3b.json deleted file mode 100755 index 3fa223db88..0000000000 --- a/packages/cef/2.3.2/kibana/dashboard/cef-c10ce1cf-f6b8-4de4-8715-2cb5f6770b3b.json +++ /dev/null 
@@ -1,98 +0,0 @@ -{ - "attributes": { - "description": "Summary of ArcSight endpoint event data", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:cef.log\"},\"version\":true}" - }, - "optionsJSON": "{\"darkTheme\":false}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"1\",\"w\":8,\"x\":40,\"y\":4},\"panelIndex\":\"1\",\"panelRefName\":\"panel_1\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"colors\":{\"/Attempt\":\"#0A50A1\",\"/Failure\":\"#BF1B00\",\"/Success\":\"#629E51\"}}},\"gridData\":{\"h\":12,\"i\":\"2\",\"w\":24,\"x\":24,\"y\":32},\"panelIndex\":\"2\",\"panelRefName\":\"panel_2\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"colors\":{\"/Attempt\":\"#0A50A1\",\"/Failure\":\"#BF1B00\",\"/Success\":\"#629E51\"}}},\"gridData\":{\"h\":12,\"i\":\"3\",\"w\":24,\"x\":0,\"y\":32},\"panelIndex\":\"3\",\"panelRefName\":\"panel_3\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"5\",\"w\":48,\"x\":0,\"y\":12},\"panelIndex\":\"5\",\"panelRefName\":\"panel_5\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":12,\"i\":\"6\",\"w\":24,\"x\":24,\"y\":44},\"panelIndex\":\"6\",\"panelRefName\":\"panel_6\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"defaultColors\":{\"0 - 
100\":\"rgb(0,104,55)\"}}},\"gridData\":{\"h\":8,\"i\":\"7\",\"w\":40,\"x\":0,\"y\":4},\"panelIndex\":\"7\",\"panelRefName\":\"panel_7\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"colors\":{\"/Attempt\":\"#0A50A1\",\"/Failure\":\"#BF1B00\",\"/Success\":\"#629E51\"}}},\"gridData\":{\"h\":12,\"i\":\"8\",\"w\":24,\"x\":0,\"y\":44},\"panelIndex\":\"8\",\"panelRefName\":\"panel_8\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"columns\":[\"cef.extensions.categoryDeviceGroup\",\"cef.extensions.categoryTechnique\",\"cef.extensions.categoryOutcome\",\"cef.extensions.categorySignificance\",\"cef.extensions.categoryObject\",\"cef.extensions.categoryBehavior\",\"cef.extensions.categoryDeviceType\"],\"enhancements\":{},\"sort\":[\"@timestamp\",\"desc\"]},\"gridData\":{\"h\":20,\"i\":\"9\",\"w\":48,\"x\":0,\"y\":76},\"panelIndex\":\"9\",\"panelRefName\":\"panel_9\",\"type\":\"search\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"10\",\"w\":24,\"x\":24,\"y\":56},\"panelIndex\":\"10\",\"panelRefName\":\"panel_10\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"colors\":{\"Anti-Virus\":\"#EAB839\",\"Database\":\"#629E51\",\"Host-based IDS/IPS\":\"#E0752D\",\"Operating System\":\"#BF1B00\",\"Security 
Mangement\":\"#64B0C8\"}}},\"gridData\":{\"h\":12,\"i\":\"11\",\"w\":24,\"x\":0,\"y\":20},\"panelIndex\":\"11\",\"panelRefName\":\"panel_11\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"h\":20,\"i\":\"12\",\"w\":24,\"x\":0,\"y\":56},\"panelIndex\":\"12\",\"panelRefName\":\"panel_12\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"colors\":{\"/Attempt\":\"#0A50A1\",\"/Failure\":\"#BF1B00\",\"/Informational\":\"#7EB26D\",\"/Informational/Warning\":\"#EF843C\",\"/Success\":\"#629E51\",\"Anti-Virus\":\"#EAB839\",\"Database\":\"#629E51\",\"Host-based IDS/IPS\":\"#E0752D\",\"Log Consolidator\":\"#E0F9D7\",\"Operating System\":\"#BF1B00\",\"Recon\":\"#BF1B00\",\"Security Mangement\":\"#64B0C8\"}}},\"gridData\":{\"h\":12,\"i\":\"14\",\"w\":24,\"x\":24,\"y\":20},\"panelIndex\":\"14\",\"panelRefName\":\"panel_14\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":4,\"i\":\"15\",\"w\":48,\"x\":0,\"y\":0},\"panelIndex\":\"15\",\"panelRefName\":\"panel_15\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"attributes\":{\"description\":\"\",\"layerListJSON\":\"[{\\\"sourceDescriptor\\\":{\\\"type\\\":\\\"EMS_TMS\\\",\\\"isAutoSelect\\\":true,\\\"lightModeDefault\\\":\\\"road_map_desaturated\\\"},\\\"id\\\":\\\"de084257-24da-4ea9-922e-a2d7565ebcd6\\\",\\\"label\\\":null,\\\"minZoom\\\":0,\\\"maxZoom\\\":24,\\\"alpha\\\":1,\\\"visible\\\":true,\\\"style\\\":{\\\"type\\\":\\\"TILE\\\"},\\\"includeInFitToBounds\\\":true,\\\"type\\\":\\\"VECTOR_TILE\\\"},{\\\"alpha\\\":0.75,\\\"id\\\":\\\"741ceaa6-5b51-4959-9935-c5961b12f539\\\",\\\"includeInFitToBounds\\\":true,\\\"joins\\\":[],\\\"label\\\":\\\"Top Destination Locations by Event [Logs CEF 
ArcSight]\\\",\\\"maxZoom\\\":24,\\\"minZoom\\\":0,\\\"sourceDescriptor\\\":{\\\"applyForceRefresh\\\":true,\\\"applyGlobalQuery\\\":true,\\\"applyGlobalTime\\\":true,\\\"geoField\\\":\\\"destination.geo.location\\\",\\\"id\\\":\\\"ba850a09-c635-4855-b68b-de16dd200d6f\\\",\\\"indexPatternId\\\":\\\"logs-*\\\",\\\"metrics\\\":[{\\\"type\\\":\\\"count\\\"}],\\\"requestType\\\":\\\"point\\\",\\\"resolution\\\":\\\"MOST_FINE\\\",\\\"type\\\":\\\"ES_GEO_GRID\\\"},\\\"style\\\":{\\\"isTimeAware\\\":true,\\\"properties\\\":{\\\"fillColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"Yellow to Red\\\",\\\"colorCategory\\\":\\\"palette_0\\\",\\\"field\\\":{\\\"name\\\":\\\"doc_count\\\",\\\"origin\\\":\\\"source\\\"},\\\"fieldMetaOptions\\\":{\\\"isEnabled\\\":false,\\\"sigma\\\":3},\\\"type\\\":\\\"ORDINAL\\\"},\\\"type\\\":\\\"DYNAMIC\\\"},\\\"icon\\\":{\\\"options\\\":{\\\"value\\\":\\\"marker\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"iconOrientation\\\":{\\\"options\\\":{\\\"orientation\\\":0},\\\"type\\\":\\\"STATIC\\\"},\\\"iconSize\\\":{\\\"options\\\":{\\\"size\\\":6},\\\"type\\\":\\\"STATIC\\\"},\\\"labelBorderColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"#FFFFFF\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"labelBorderSize\\\":{\\\"options\\\":{\\\"size\\\":\\\"SMALL\\\"}},\\\"labelColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"#000000\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"labelSize\\\":{\\\"options\\\":{\\\"size\\\":14},\\\"type\\\":\\\"STATIC\\\"},\\\"labelText\\\":{\\\"options\\\":{\\\"value\\\":\\\"\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"lineColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"#3d3d3d\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"lineWidth\\\":{\\\"options\\\":{\\\"size\\\":1},\\\"type\\\":\\\"STATIC\\\"},\\\"symbolizeAs\\\":{\\\"options\\\":{\\\"value\\\":\\\"circle\\\"}}},\\\"type\\\":\\\"VECTOR\\\"},\\\"type\\\":\\\"VECTOR\\\",\\\"visible\\\":true}]\",\"mapStateJSON\":\"{\\\"zoom\\\":1.78,\\\"center\\\":{\\\"lon\\\":0,\\\"lat\\\":16.40767},\\\"timeFilters\\\":{\\\"from\\\":\\
\"now-24h\\\",\\\"to\\\":\\\"now\\\"},\\\"refreshConfig\\\":{\\\"isPaused\\\":true,\\\"interval\\\":0},\\\"query\\\":{\\\"query\\\":\\\"\\\",\\\"language\\\":\\\"kuery\\\"},\\\"filters\\\":[],\\\"settings\\\":{\\\"autoFitToDataBounds\\\":false,\\\"backgroundColor\\\":\\\"#ffffff\\\",\\\"disableInteractive\\\":false,\\\"disableTooltipControl\\\":false,\\\"hideToolbarOverlay\\\":false,\\\"hideLayerControl\\\":false,\\\"hideViewControl\\\":false,\\\"initialLocation\\\":\\\"LAST_SAVED_LOCATION\\\",\\\"fixedLocation\\\":{\\\"lat\\\":0,\\\"lon\\\":0,\\\"zoom\\\":2},\\\"browserLocation\\\":{\\\"zoom\\\":2},\\\"maxZoom\\\":24,\\\"minZoom\\\":0,\\\"showScaleControl\\\":false,\\\"showSpatialFilters\\\":true,\\\"showTimesliderToggleButton\\\":true,\\\"spatialFiltersAlpa\\\":0.3,\\\"spatialFiltersFillColor\\\":\\\"#DA8B45\\\",\\\"spatialFiltersLineColor\\\":\\\"#DA8B45\\\"}}\",\"references\":[],\"title\":\"Top Destination Locations by Event [Logs CEF ArcSight]\",\"uiStateJSON\":\"{\\\"isLayerTOCOpen\\\":true,\\\"openTOCDetails\\\":[]}\"},\"enhancements\":{},\"hiddenLayers\":[],\"isLayerTOCOpen\":true,\"mapBuffer\":{\"maxLat\":66.51326,\"maxLon\":90,\"minLat\":-66.51326,\"minLon\":-90},\"mapCenter\":{\"lat\":16.40767,\"lon\":0,\"zoom\":1.78},\"openTOCDetails\":[]},\"gridData\":{\"h\":12,\"i\":\"c9fd3ece-2bef-4cdc-9f83-ed689b35a17a\",\"w\":24,\"x\":24,\"y\":64},\"panelIndex\":\"c9fd3ece-2bef-4cdc-9f83-ed689b35a17a\",\"type\":\"map\",\"version\":\"8.0.0\"}]", - "refreshInterval": { - "pause": true, - "value": 0 - }, - "timeFrom": "now-24h", - "timeRestore": true, - "timeTo": "now", - "title": "[Logs CEF ArcSight] Endpoint Overview Dashboard", - "version": 1 - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-c10ce1cf-f6b8-4de4-8715-2cb5f6770b3b", - "migrationVersion": { - "dashboard": "8.0.0" - }, - "references": [ - { - "id": "cef-9457ee67-895f-4b78-a543-268f9687a745", - "name": "1:panel_1", - "type": "visualization" - }, - { - "id": "cef-fe7b63d1-dbc7-4376-af7f-ace97a9f2e60", 
- "name": "2:panel_2", - "type": "visualization" - }, - { - "id": "cef-89998099-9a39-44cf-beba-5b97f0524cf9", - "name": "3:panel_3", - "type": "visualization" - }, - { - "id": "cef-718b074e-3dd1-4d03-ba11-7f869cdcd703", - "name": "5:panel_5", - "type": "visualization" - }, - { - "id": "cef-c5120e27-1f8c-41e3-83ee-78ec4d470c2f", - "name": "6:panel_6", - "type": "visualization" - }, - { - "id": "cef-7454c034-c5f3-48fe-8fce-ef4385c80350", - "name": "7:panel_7", - "type": "visualization" - }, - { - "id": "cef-118af639-1f37-4541-a960-5a3ff0613e0e", - "name": "8:panel_8", - "type": "visualization" - }, - { - "id": "cef-5cede2d3-20fe-4140-add4-4c4f841b71a2", - "name": "9:panel_9", - "type": "search" - }, - { - "id": "cef-74d2c072-6dfd-4249-8e63-dc7b0cf3c960", - "name": "10:panel_10", - "type": "visualization" - }, - { - "id": "cef-f57734dd-0f32-42b4-94dd-5d597f6735e1", - "name": "11:panel_11", - "type": "visualization" - }, - { - "id": "cef-295986d4-d2ea-4541-8e82-7dc95c0cd830", - "name": "12:panel_12", - "type": "visualization" - }, - { - "id": "cef-5bf6e4dc-4273-4e1e-a803-04347eebeb53", - "name": "14:panel_14", - "type": "visualization" - }, - { - "id": "cef-677891a1-90c4-4273-b126-f0e54689bd76", - "name": "15:panel_15", - "type": "visualization" - }, - { - "id": "logs-*", - "name": "c9fd3ece-2bef-4cdc-9f83-ed689b35a17a:layer_1_source_index_pattern", - "type": "index-pattern" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/cef/2.3.2/kibana/dashboard/cef-db1e1aca-279e-4ecc-b84e-fe58644f7619.json b/packages/cef/2.3.2/kibana/dashboard/cef-db1e1aca-279e-4ecc-b84e-fe58644f7619.json deleted file mode 100755 index 153645a090..0000000000 --- a/packages/cef/2.3.2/kibana/dashboard/cef-db1e1aca-279e-4ecc-b84e-fe58644f7619.json +++ /dev/null 
@@ -1,89 +0,0 @@ -{ - "attributes": { - "description": "Suspicious network activity overview via ArcSight", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:cef.log\"},\"version\":true}" - }, - "optionsJSON": "{\"darkTheme\":false}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"colors\":{\"Destination Addresses\":\"#E0752D\",\"Destination Ports\":\"#E24D42\"},\"legendOpen\":false}},\"gridData\":{\"h\":12,\"i\":\"1\",\"w\":32,\"x\":0,\"y\":28},\"panelIndex\":\"1\",\"panelRefName\":\"panel_1\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"h\":12,\"i\":\"2\",\"w\":16,\"x\":0,\"y\":40},\"panelIndex\":\"2\",\"panelRefName\":\"panel_2\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"h\":12,\"i\":\"3\",\"w\":16,\"x\":16,\"y\":40},\"panelIndex\":\"3\",\"panelRefName\":\"panel_3\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"5\",\"w\":48,\"x\":0,\"y\":20},\"panelIndex\":\"5\",\"panelRefName\":\"panel_5\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"colors\":{\"/Attempt\":\"#0A50A1\",\"/Failure\":\"#BF1B00\",\"/Success\":\"#629E51\"}}},\"gridData\":{\"h\":12,\"i\":\"9\",\"w\":16,\"x\":32,\"y\":28},\"panelIndex\":\"9\",\"panelRefName\":\"panel_9\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"11\",\"w\":48,\"x\":0,\"y\":12},\"panelIndex\":\"11\",\"panelRefName\":\"panel_11\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enh
ancements\":{}},\"gridData\":{\"h\":16,\"i\":\"12\",\"w\":24,\"x\":0,\"y\":52},\"panelIndex\":\"12\",\"panelRefName\":\"panel_12\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":16,\"i\":\"13\",\"w\":24,\"x\":24,\"y\":52},\"panelIndex\":\"13\",\"panelRefName\":\"panel_13\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":12,\"i\":\"14\",\"w\":16,\"x\":32,\"y\":40},\"panelIndex\":\"14\",\"panelRefName\":\"panel_14\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":4,\"i\":\"15\",\"w\":48,\"x\":0,\"y\":0},\"panelIndex\":\"15\",\"panelRefName\":\"panel_15\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}},\"gridData\":{\"h\":8,\"i\":\"16\",\"w\":40,\"x\":0,\"y\":4},\"panelIndex\":\"16\",\"panelRefName\":\"panel_16\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"defaultColors\":{\"0 - 50\":\"rgb(255,255,204)\",\"100 - 200\":\"rgb(253,141,60)\",\"200 - 300\":\"rgb(227,27,28)\",\"300 - 400\":\"rgb(128,0,38)\",\"50 - 100\":\"rgb(254,217,118)\"}}},\"gridData\":{\"h\":8,\"i\":\"17\",\"w\":8,\"x\":40,\"y\":4},\"panelIndex\":\"17\",\"panelRefName\":\"panel_17\",\"type\":\"visualization\",\"version\":\"7.3.0\"}]", - "refreshInterval": { - "display": "Off", - "pause": false, - "value": 0 - }, - "timeFrom": "now-24h", - "timeRestore": true, - "timeTo": "now", - "title": "[Logs CEF ArcSight] Network Suspicious Activity Dashboard", - "version": 1 - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-db1e1aca-279e-4ecc-b84e-fe58644f7619", - "migrationVersion": { - "dashboard": "8.0.0" - }, - "references": [ - { - "id": "cef-fa8b26c1-6973-4381-adb3-bcde0d03a520", - "name": "1:panel_1", - "type": "visualization" - }, - { - "id": 
"cef-82f3fae3-1189-4f04-8ea5-47fde1d2e7b1", - "name": "2:panel_2", - "type": "visualization" - }, - { - "id": "cef-f03d734b-b85c-4e99-9c0e-9c89716a81f3", - "name": "3:panel_3", - "type": "visualization" - }, - { - "id": "cef-9bef4db9-a8b2-4be8-b2b0-6ea02fab424d", - "name": "5:panel_5", - "type": "visualization" - }, - { - "id": "cef-fff249b2-18b6-4b48-bcf7-dd4595d111e7", - "name": "9:panel_9", - "type": "visualization" - }, - { - "id": "cef-d02dd523-ce91-40e9-9209-83797f80ed45", - "name": "11:panel_11", - "type": "visualization" - }, - { - "id": "cef-589fec8c-336e-4122-8fef-a450bddf84f6", - "name": "12:panel_12", - "type": "visualization" - }, - { - "id": "cef-86bd5f13-ca6b-43fa-b209-54e7460344bb", - "name": "13:panel_13", - "type": "visualization" - }, - { - "id": "cef-1204cf27-05e0-4905-bfa1-688aaaaaa840", - "name": "14:panel_14", - "type": "visualization" - }, - { - "id": "cef-677891a1-90c4-4273-b126-f0e54689bd76", - "name": "15:panel_15", - "type": "visualization" - }, - { - "id": "cef-01c3618c-9962-4fe9-b9c5-f73dfecc6eba", - "name": "16:panel_16", - "type": "visualization" - }, - { - "id": "cef-33747d52-ec4c-4d91-86d8-fbdf9b9c82db", - "name": "17:panel_17", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/cef/2.3.2/kibana/dashboard/cef-dd0bc9af-2e89-4150-9b42-62517ea56b71.json b/packages/cef/2.3.2/kibana/dashboard/cef-dd0bc9af-2e89-4150-9b42-62517ea56b71.json deleted file mode 100755 index 9c26408568..0000000000 --- a/packages/cef/2.3.2/kibana/dashboard/cef-dd0bc9af-2e89-4150-9b42-62517ea56b71.json +++ /dev/null 
@@ -1,113 +0,0 @@ -{ - "attributes": { - "description": "Network data overview via ArcSight", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:cef.log\"},\"version\":true}" - }, - "optionsJSON": "{\"darkTheme\":false}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"1\",\"w\":48,\"x\":0,\"y\":44},\"panelIndex\":\"1\",\"panelRefName\":\"panel_1\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"2\",\"w\":48,\"x\":0,\"y\":68},\"panelIndex\":\"2\",\"panelRefName\":\"panel_2\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"5\",\"w\":48,\"x\":0,\"y\":12},\"panelIndex\":\"5\",\"panelRefName\":\"panel_5\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"6\",\"w\":48,\"x\":0,\"y\":60},\"panelIndex\":\"6\",\"panelRefName\":\"panel_6\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"defaultColors\":{\"0 - 
100\":\"rgb(0,104,55)\"},\"legendOpen\":false}},\"gridData\":{\"h\":8,\"i\":\"7\",\"w\":40,\"x\":0,\"y\":4},\"panelIndex\":\"7\",\"panelRefName\":\"panel_7\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"colors\":{\"/Attempt\":\"#0A50A1\",\"/Failure\":\"#BF1B00\",\"/Success\":\"#629E51\"}}},\"gridData\":{\"h\":12,\"i\":\"9\",\"w\":16,\"x\":0,\"y\":20},\"panelIndex\":\"9\",\"panelRefName\":\"panel_9\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"colors\":{\"/Attempt\":\"#0A50A1\",\"/Failure\":\"#BF1B00\",\"/Success\":\"#629E51\"}}},\"gridData\":{\"h\":12,\"i\":\"11\",\"w\":16,\"x\":16,\"y\":20},\"panelIndex\":\"11\",\"panelRefName\":\"panel_11\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"h\":12,\"i\":\"13\",\"w\":32,\"x\":0,\"y\":32},\"panelIndex\":\"13\",\"panelRefName\":\"panel_13\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"defaultColors\":{\"0% - 17%\":\"rgb(255,255,204)\",\"17% - 34%\":\"rgb(255,230,146)\",\"34% - 50%\":\"rgb(254,191,90)\",\"50% - 67%\":\"rgb(253,141,60)\",\"67% - 84%\":\"rgb(244,61,37)\",\"84% - 100%\":\"rgb(202,8,35)\"},\"legendOpen\":false}},\"gridData\":{\"h\":12,\"i\":\"15\",\"w\":16,\"x\":32,\"y\":32},\"panelIndex\":\"15\",\"panelRefName\":\"panel_15\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"colors\":{\"Anti-Virus\":\"#EF843C\",\"Content Security\":\"#7EB26D\",\"Firewall\":\"#E24D42\",\"Integrated Security\":\"#962D82\",\"Network-based IDS/IPS\":\"#1F78C1\",\"Operating 
System\":\"#1F78C1\",\"VPN\":\"#EAB839\"}}},\"gridData\":{\"h\":12,\"i\":\"16\",\"w\":16,\"x\":32,\"y\":20},\"panelIndex\":\"16\",\"panelRefName\":\"panel_16\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"17\",\"w\":48,\"x\":0,\"y\":52},\"panelIndex\":\"17\",\"panelRefName\":\"panel_17\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"h\":16,\"i\":\"18\",\"w\":24,\"x\":0,\"y\":76},\"panelIndex\":\"18\",\"panelRefName\":\"panel_18\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":16,\"i\":\"19\",\"w\":24,\"x\":24,\"y\":76},\"panelIndex\":\"19\",\"panelRefName\":\"panel_19\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"20\",\"w\":8,\"x\":40,\"y\":4},\"panelIndex\":\"20\",\"panelRefName\":\"panel_20\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":4,\"i\":\"21\",\"w\":48,\"x\":0,\"y\":0},\"panelIndex\":\"21\",\"panelRefName\":\"panel_21\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"attributes\":{\"description\":\"\",\"layerListJSON\":\"[{\\\"sourceDescriptor\\\":{\\\"type\\\":\\\"EMS_TMS\\\",\\\"isAutoSelect\\\":true,\\\"lightModeDefault\\\":\\\"road_map_desaturated\\\"},\\\"id\\\":\\\"c6a1fd07-de0f-444b-8814-902cbf2d019a\\\",\\\"label\\\":null,\\\"minZoom\\\":0,\\\"maxZoom\\\":24,\\\"alpha\\\":1,\\\"visible\\\":true,\\\"style\\\":{\\\"type\\\":\\\"TILE\\\"},\\\"includeInFitToBounds\\\":true,\\\"type\\\":\\\"VECTOR_TILE\\\"},{\\\"alpha\\\":0.75,\\\"id\\\":\\\"c1643919-b9de-4588-826f-93710a159e2b\\\",\\\"includeInFitToBounds\\\":true,\\\"joins\\\":[],\\\"label\\\":\\\"Top Destination Locations by Events [Logs CEF 
ArcSight]\\\",\\\"maxZoom\\\":24,\\\"minZoom\\\":0,\\\"sourceDescriptor\\\":{\\\"applyForceRefresh\\\":true,\\\"applyGlobalQuery\\\":true,\\\"applyGlobalTime\\\":true,\\\"geoField\\\":\\\"destination.geo.location\\\",\\\"id\\\":\\\"5183bb72-a077-4cf0-8aba-561a15b012cf\\\",\\\"indexPatternId\\\":\\\"logs-*\\\",\\\"metrics\\\":[{\\\"type\\\":\\\"count\\\"}],\\\"requestType\\\":\\\"point\\\",\\\"resolution\\\":\\\"MOST_FINE\\\",\\\"type\\\":\\\"ES_GEO_GRID\\\"},\\\"style\\\":{\\\"isTimeAware\\\":true,\\\"properties\\\":{\\\"fillColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"Yellow to Red\\\",\\\"colorCategory\\\":\\\"palette_0\\\",\\\"field\\\":{\\\"name\\\":\\\"doc_count\\\",\\\"origin\\\":\\\"source\\\"},\\\"fieldMetaOptions\\\":{\\\"isEnabled\\\":false,\\\"sigma\\\":3},\\\"type\\\":\\\"ORDINAL\\\"},\\\"type\\\":\\\"DYNAMIC\\\"},\\\"icon\\\":{\\\"options\\\":{\\\"value\\\":\\\"marker\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"iconOrientation\\\":{\\\"options\\\":{\\\"orientation\\\":0},\\\"type\\\":\\\"STATIC\\\"},\\\"iconSize\\\":{\\\"options\\\":{\\\"size\\\":6},\\\"type\\\":\\\"STATIC\\\"},\\\"labelBorderColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"#FFFFFF\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"labelBorderSize\\\":{\\\"options\\\":{\\\"size\\\":\\\"SMALL\\\"}},\\\"labelColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"#000000\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"labelSize\\\":{\\\"options\\\":{\\\"size\\\":14},\\\"type\\\":\\\"STATIC\\\"},\\\"labelText\\\":{\\\"options\\\":{\\\"value\\\":\\\"\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"lineColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"#3d3d3d\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"lineWidth\\\":{\\\"options\\\":{\\\"size\\\":1},\\\"type\\\":\\\"STATIC\\\"},\\\"symbolizeAs\\\":{\\\"options\\\":{\\\"value\\\":\\\"circle\\\"}}},\\\"type\\\":\\\"VECTOR\\\"},\\\"type\\\":\\\"VECTOR\\\",\\\"visible\\\":true}]\",\"mapStateJSON\":\"{\\\"zoom\\\":1.78,\\\"center\\\":{\\\"lon\\\":0,\\\"lat\\\":16.40767},\\\"timeFilters\\\":{\\\"from\\\":\\
\"now-24h\\\",\\\"to\\\":\\\"now\\\"},\\\"refreshConfig\\\":{\\\"isPaused\\\":true,\\\"interval\\\":0},\\\"query\\\":{\\\"query\\\":\\\"\\\",\\\"language\\\":\\\"kuery\\\"},\\\"filters\\\":[],\\\"settings\\\":{\\\"autoFitToDataBounds\\\":false,\\\"backgroundColor\\\":\\\"#ffffff\\\",\\\"disableInteractive\\\":false,\\\"disableTooltipControl\\\":false,\\\"hideToolbarOverlay\\\":false,\\\"hideLayerControl\\\":false,\\\"hideViewControl\\\":false,\\\"initialLocation\\\":\\\"LAST_SAVED_LOCATION\\\",\\\"fixedLocation\\\":{\\\"lat\\\":0,\\\"lon\\\":0,\\\"zoom\\\":2},\\\"browserLocation\\\":{\\\"zoom\\\":2},\\\"maxZoom\\\":24,\\\"minZoom\\\":0,\\\"showScaleControl\\\":false,\\\"showSpatialFilters\\\":true,\\\"showTimesliderToggleButton\\\":true,\\\"spatialFiltersAlpa\\\":0.3,\\\"spatialFiltersFillColor\\\":\\\"#DA8B45\\\",\\\"spatialFiltersLineColor\\\":\\\"#DA8B45\\\"}}\",\"references\":[],\"title\":\"Top Destination Locations by Events [Logs CEF ArcSight]\",\"uiStateJSON\":\"{\\\"isLayerTOCOpen\\\":true,\\\"openTOCDetails\\\":[]}\"},\"enhancements\":{},\"hiddenLayers\":[],\"isLayerTOCOpen\":true,\"mapBuffer\":{\"maxLat\":66.51326,\"maxLon\":90,\"minLat\":-66.51326,\"minLon\":-90},\"mapCenter\":{\"lat\":16.40767,\"lon\":0,\"zoom\":1.78},\"openTOCDetails\":[]},\"gridData\":{\"h\":24,\"i\":\"49de47fb-1382-4009-89d2-b96a4161e12d\",\"w\":24,\"x\":0,\"y\":92},\"panelIndex\":\"49de47fb-1382-4009-89d2-b96a4161e12d\",\"type\":\"map\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"attributes\":{\"description\":\"\",\"layerListJSON\":\"[{\\\"sourceDescriptor\\\":{\\\"type\\\":\\\"EMS_TMS\\\",\\\"isAutoSelect\\\":true,\\\"lightModeDefault\\\":\\\"road_map_desaturated\\\"},\\\"id\\\":\\\"c2329af2-2183-45cb-9f40-d0f2e984c5b3\\\",\\\"label\\\":null,\\\"minZoom\\\":0,\\\"maxZoom\\\":24,\\\"alpha\\\":1,\\\"visible\\\":true,\\\"style\\\":{\\\"type\\\":\\\"TILE\\\"},\\\"includeInFitToBounds\\\":true,\\\"type\\\":\\\"VECTOR_TILE\\\"},{\\\"alpha\\\":0.75,\\\"id\\\":\\\"1fc250c2-4990-401e-b70
9-61e1f4824005\\\",\\\"includeInFitToBounds\\\":true,\\\"joins\\\":[],\\\"label\\\":\\\"Top Source Locations by Events [Logs CEF ArcSight]\\\",\\\"maxZoom\\\":24,\\\"minZoom\\\":0,\\\"sourceDescriptor\\\":{\\\"applyForceRefresh\\\":true,\\\"applyGlobalQuery\\\":true,\\\"applyGlobalTime\\\":true,\\\"geoField\\\":\\\"source.geo.location\\\",\\\"id\\\":\\\"e1eda4fd-94b9-4c31-9615-70334517a966\\\",\\\"indexPatternId\\\":\\\"logs-*\\\",\\\"metrics\\\":[{\\\"type\\\":\\\"count\\\"}],\\\"requestType\\\":\\\"point\\\",\\\"resolution\\\":\\\"MOST_FINE\\\",\\\"type\\\":\\\"ES_GEO_GRID\\\"},\\\"style\\\":{\\\"isTimeAware\\\":true,\\\"properties\\\":{\\\"fillColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"Yellow to Red\\\",\\\"colorCategory\\\":\\\"palette_0\\\",\\\"field\\\":{\\\"name\\\":\\\"doc_count\\\",\\\"origin\\\":\\\"source\\\"},\\\"fieldMetaOptions\\\":{\\\"isEnabled\\\":false,\\\"sigma\\\":3},\\\"type\\\":\\\"ORDINAL\\\"},\\\"type\\\":\\\"DYNAMIC\\\"},\\\"icon\\\":{\\\"options\\\":{\\\"value\\\":\\\"marker\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"iconOrientation\\\":{\\\"options\\\":{\\\"orientation\\\":0},\\\"type\\\":\\\"STATIC\\\"},\\\"iconSize\\\":{\\\"options\\\":{\\\"size\\\":6},\\\"type\\\":\\\"STATIC\\\"},\\\"labelBorderColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"#FFFFFF\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"labelBorderSize\\\":{\\\"options\\\":{\\\"size\\\":\\\"SMALL\\\"}},\\\"labelColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"#000000\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"labelSize\\\":{\\\"options\\\":{\\\"size\\\":14},\\\"type\\\":\\\"STATIC\\\"},\\\"labelText\\\":{\\\"options\\\":{\\\"value\\\":\\\"\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"lineColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"#3d3d3d\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"lineWidth\\\":{\\\"options\\\":{\\\"size\\\":1},\\\"type\\\":\\\"STATIC\\\"},\\\"symbolizeAs\\\":{\\\"options\\\":{\\\"value\\\":\\\"circle\\\"}}},\\\"type\\\":\\\"VECTOR\\\"},\\\"type\\\":\\\"VECTOR\\\",\\\"visible\\\":true}]\",\"
mapStateJSON\":\"{\\\"zoom\\\":1.78,\\\"center\\\":{\\\"lon\\\":0,\\\"lat\\\":16.40767},\\\"timeFilters\\\":{\\\"from\\\":\\\"now-24h\\\",\\\"to\\\":\\\"now\\\"},\\\"refreshConfig\\\":{\\\"isPaused\\\":true,\\\"interval\\\":0},\\\"query\\\":{\\\"query\\\":\\\"\\\",\\\"language\\\":\\\"kuery\\\"},\\\"filters\\\":[],\\\"settings\\\":{\\\"autoFitToDataBounds\\\":false,\\\"backgroundColor\\\":\\\"#ffffff\\\",\\\"disableInteractive\\\":false,\\\"disableTooltipControl\\\":false,\\\"hideToolbarOverlay\\\":false,\\\"hideLayerControl\\\":false,\\\"hideViewControl\\\":false,\\\"initialLocation\\\":\\\"LAST_SAVED_LOCATION\\\",\\\"fixedLocation\\\":{\\\"lat\\\":0,\\\"lon\\\":0,\\\"zoom\\\":2},\\\"browserLocation\\\":{\\\"zoom\\\":2},\\\"maxZoom\\\":24,\\\"minZoom\\\":0,\\\"showScaleControl\\\":false,\\\"showSpatialFilters\\\":true,\\\"showTimesliderToggleButton\\\":true,\\\"spatialFiltersAlpa\\\":0.3,\\\"spatialFiltersFillColor\\\":\\\"#DA8B45\\\",\\\"spatialFiltersLineColor\\\":\\\"#DA8B45\\\"}}\",\"references\":[],\"title\":\"Top Source Locations by Events [Logs CEF ArcSight]\",\"uiStateJSON\":\"{\\\"isLayerTOCOpen\\\":true,\\\"openTOCDetails\\\":[]}\"},\"enhancements\":{},\"hiddenLayers\":[],\"isLayerTOCOpen\":true,\"mapBuffer\":{\"maxLat\":66.51326,\"maxLon\":90,\"minLat\":-66.51326,\"minLon\":-90},\"mapCenter\":{\"lat\":16.40767,\"lon\":0,\"zoom\":1.78},\"openTOCDetails\":[]},\"gridData\":{\"h\":24,\"i\":\"9d097034-9ebb-4f53-ad39-e42e625b541c\",\"w\":24,\"x\":24,\"y\":92},\"panelIndex\":\"9d097034-9ebb-4f53-ad39-e42e625b541c\",\"type\":\"map\",\"version\":\"8.0.0\"}]", - "refreshInterval": { - "pause": true, - "value": 0 - }, - "timeFrom": "now-24h", - "timeRestore": true, - "timeTo": "now", - "title": "[Logs CEF ArcSight] Network Overview Dashboard", - "version": 1 - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-dd0bc9af-2e89-4150-9b42-62517ea56b71", - "migrationVersion": { - "dashboard": "8.0.0" - }, - "references": [ - { - "id": 
"cef-f5258de9-71f7-410f-b713-201007f77470", - "name": "1:panel_1", - "type": "visualization" - }, - { - "id": "cef-0abfc226-535b-45a2-b534-e9bc87e5584f", - "name": "2:panel_2", - "type": "visualization" - }, - { - "id": "cef-a97e3628-022b-46cf-8f29-a73cf9bb4e26", - "name": "5:panel_5", - "type": "visualization" - }, - { - "id": "cef-499f50ba-2f84-4f7c-9021-73a4efc47921", - "name": "6:panel_6", - "type": "visualization" - }, - { - "id": "cef-d061c7a9-7f92-4bf4-b35c-499b9f4b987a", - "name": "7:panel_7", - "type": "visualization" - }, - { - "id": "cef-b1002b5c-08fc-4bbe-b9a0-6243a8637e60", - "name": "9:panel_9", - "type": "visualization" - }, - { - "id": "cef-df056709-2deb-4363-ae7a-b0148ea456c6", - "name": "11:panel_11", - "type": "visualization" - }, - { - "id": "cef-e89a64e8-928c-41fc-8745-3c8157b21cdb", - "name": "13:panel_13", - "type": "visualization" - }, - { - "id": "cef-a729c249-8d34-4eb1-bbb0-5d25cf224114", - "name": "15:panel_15", - "type": "visualization" - }, - { - "id": "cef-3c19f138-2ab3-4ecb-bb1b-86fb90158042", - "name": "16:panel_16", - "type": "visualization" - }, - { - "id": "cef-e513c269-350c-40c3-ac20-16c5782103b8", - "name": "17:panel_17", - "type": "visualization" - }, - { - "id": "cef-8f6075c5-f525-4173-92a4-3a56e96e362d", - "name": "18:panel_18", - "type": "visualization" - }, - { - "id": "cef-013ff153-7b80-490b-8fec-6e56cba785ed", - "name": "19:panel_19", - "type": "visualization" - }, - { - "id": "cef-33747d52-ec4c-4d91-86d8-fbdf9b9c82db", - "name": "20:panel_20", - "type": "visualization" - }, - { - "id": "cef-c394e650-b16c-407c-b305-bd409d69d433", - "name": "21:panel_21", - "type": "visualization" - }, - { - "id": "logs-*", - "name": "49de47fb-1382-4009-89d2-b96a4161e12d:layer_1_source_index_pattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "9d097034-9ebb-4f53-ad39-e42e625b541c:layer_1_source_index_pattern", - "type": "index-pattern" - } - ], - "type": "dashboard" -} \ No newline at end of file 
diff --git a/packages/cef/2.3.2/kibana/search/cef-357351f2-fbd1-41b6-9b03-592fbb7aec7c.json b/packages/cef/2.3.2/kibana/search/cef-357351f2-fbd1-41b6-9b03-592fbb7aec7c.json deleted file mode 100755 index 4a63506766..0000000000 --- a/packages/cef/2.3.2/kibana/search/cef-357351f2-fbd1-41b6-9b03-592fbb7aec7c.json +++ /dev/null @@ -1,52 +0,0 @@ -{ - "attributes": { - "columns": [ - "priority", - "message", - "source.ip", - "source.port", - "destination.ip", - "destination.port", - "network.application", - "message", - "event.action", - "event.outcome", - "cef.extensions.deviceAddress", - "cef.device.product", - "cef.device.vendor", - "cef.extensions.categoryDeviceGroup", - "cef.extensions.categoryDeviceType" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"query\",\"negate\":false,\"type\":\"custom\",\"value\":\"{\\\"term\\\":{\\\"event.category\\\":\\\"network\\\"}}\"},\"query\":{\"term\":{\"event.category\":\"network\"}}}],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"lucene\",\"query\":\"\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "Network Events [Logs CEF]", - "version": 1 - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-357351f2-fbd1-41b6-9b03-592fbb7aec7c", - "migrationVersion": { - "search": "8.0.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file 
diff --git a/packages/cef/2.3.2/kibana/search/cef-41770860-2a81-4ce7-b8b4-a0c6970725b0.json b/packages/cef/2.3.2/kibana/search/cef-41770860-2a81-4ce7-b8b4-a0c6970725b0.json deleted file mode 100755 index d508c55580..0000000000 --- a/packages/cef/2.3.2/kibana/search/cef-41770860-2a81-4ce7-b8b4-a0c6970725b0.json +++ /dev/null @@ -1,40 +0,0 @@ -{ - "attributes": { - "columns": [ - "cef.extensions.categoryDeviceGroup", - "cef.extensions.categoryTechnique", - "event.outcome", - "event.category", - "event.type", - "cef.extensions.categoryObject", - "event.action", - "cef.extensions.categoryDeviceType" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"data_stream.dataset:\\\"cef.log\\\"\"}},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "Endpoint Event Explorer [Logs CEF]", - "version": 1 - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-41770860-2a81-4ce7-b8b4-a0c6970725b0", - "migrationVersion": { - "search": "8.0.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/cef/2.3.2/kibana/search/cef-46204a7b-ca56-4ad7-bf60-5ef9c6b83042.json b/packages/cef/2.3.2/kibana/search/cef-46204a7b-ca56-4ad7-bf60-5ef9c6b83042.json deleted file mode 100755 index f6647c5dd1..0000000000 --- a/packages/cef/2.3.2/kibana/search/cef-46204a7b-ca56-4ad7-bf60-5ef9c6b83042.json +++ /dev/null 
@@ -1,44 +0,0 @@ -{ - "attributes": { - "columns": [ - "cef.device.vendor", - "cef.device.product", - "message", - "cef.device.event_class_id", - "cef.extensions.deviceEventCategory", - "source.user.name", - "destination.user.name", - "destination.domain", - "event.action", - "event.outcome", - "cef.extensions.sourceNtDomain", - "cef.extensions.destinationNtDomain" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"data_stream.dataset:\\\"cef.log\\\"\"}},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "Endpoint - Events [Logs CEF]", - "version": 1 - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-46204a7b-ca56-4ad7-bf60-5ef9c6b83042", - "migrationVersion": { - "search": "8.0.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/cef/2.3.2/kibana/search/cef-5a3668ef-c2d5-4bd3-a545-e2a9963b721c.json b/packages/cef/2.3.2/kibana/search/cef-5a3668ef-c2d5-4bd3-a545-e2a9963b721c.json deleted file mode 100755 index 1982f9bf79..0000000000 --- a/packages/cef/2.3.2/kibana/search/cef-5a3668ef-c2d5-4bd3-a545-e2a9963b721c.json +++ /dev/null 
@@ -1,55 +0,0 @@ -{ - "attributes": { - "columns": [ - "cef.device.vendor", - "cef.device.product", - "event.action", - "event.outcome", - "destination.ip", - "destination.port", - "destination.domain", - "cef.device.event_class_id", - "cef.extensions.deviceCustomString1Label", - "cef.extensions.deviceCustomString1", - "cef.extensions.deviceCustomString2Label", - "cef.extensions.deviceCustomString2", - "cef.extension.deviceCustomString3Label", - "cef.extension.deviceCustomString3", - "cef.extension.deviceCustomString4Label", - "cef.extension.deviceCustomString4", - "cef.extensions.deviceEventCategory", - "event.severity", - "source.ip", - "source.port", - "network.transport", - "source.bytes", - "url.original" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"cef.device.product:\\\"DNS Trace Log\\\"\"}},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "Microsoft DNS Events [Logs CEF]", - "version": 1 - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-5a3668ef-c2d5-4bd3-a545-e2a9963b721c", - "migrationVersion": { - "search": "8.0.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/cef/2.3.2/kibana/search/cef-5cede2d3-20fe-4140-add4-4c4f841b71a2.json b/packages/cef/2.3.2/kibana/search/cef-5cede2d3-20fe-4140-add4-4c4f841b71a2.json deleted file mode 100755 index cf5b2ee7e4..0000000000 --- a/packages/cef/2.3.2/kibana/search/cef-5cede2d3-20fe-4140-add4-4c4f841b71a2.json +++ /dev/null 
@@ -1,39 +0,0 @@ -{ - "attributes": { - "columns": [ - "cef.extensions.categoryDeviceGroup", - "cef.extensions.categoryTechnique", - "cef.extensions.categoryOutcome", - "cef.extensions.categorySignificance", - "cef.extensions.categoryObject", - "cef.extensions.categoryBehavior", - "cef.extensions.categoryDeviceType" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"cef.extensions.categoryDeviceGroup:\\\"/Operating System\\\" OR cef.extensions.categoryDeviceGroup:\\\"/IDS/Host\\\" OR cef.extensions.categoryDeviceGroup:\\\"/Application\\\"\"}},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "Endpoint Event Explorer [Logs CEF ArcSight]", - "version": 1 - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-5cede2d3-20fe-4140-add4-4c4f841b71a2", - "migrationVersion": { - "search": "8.0.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/cef/2.3.2/kibana/search/cef-68202a5c-c8f2-432f-8c08-04fbfacb95c8.json b/packages/cef/2.3.2/kibana/search/cef-68202a5c-c8f2-432f-8c08-04fbfacb95c8.json deleted file mode 100755 index dad033d27d..0000000000 --- a/packages/cef/2.3.2/kibana/search/cef-68202a5c-c8f2-432f-8c08-04fbfacb95c8.json +++ /dev/null 
@@ -1,52 +0,0 @@ -{ - "attributes": { - "columns": [ - "priority", - "message", - "source.ip", - "source.port", - "destination.ip", - "destination.port", - "network.application", - "message", - "cef.extensions.categoryBehavior", - "cef.extensions.categoryOutcome", - "cef.extensions.deviceAddress", - "cef.device.product", - "cef.device.vendor", - "cef.extensions.categoryDeviceGroup", - "cef.extensions.categoryDeviceType" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"query\",\"negate\":false,\"type\":\"custom\",\"value\":\"{\\\"terms\\\":{\\\"cef.extensions.categoryDeviceGroup\\\":[\\\"/VPN\\\",\\\"/IDS/Network\\\",\\\"/Firewall\\\"]}}\"},\"query\":{\"terms\":{\"cef.extensions.categoryDeviceGroup\":[\"/VPN\",\"/IDS/Network\",\"/Firewall\"]}}}],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"lucene\",\"query\":\"\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "Network Events [Logs CEF ArcSight]", - "version": 1 - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-68202a5c-c8f2-432f-8c08-04fbfacb95c8", - "migrationVersion": { - "search": "8.0.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/cef/2.3.2/kibana/search/cef-e6cf2383-71f4-4db1-a791-1a7d4f110194.json b/packages/cef/2.3.2/kibana/search/cef-e6cf2383-71f4-4db1-a791-1a7d4f110194.json deleted file mode 100755 index 9082a5e861..0000000000 
--- a/packages/cef/2.3.2/kibana/search/cef-e6cf2383-71f4-4db1-a791-1a7d4f110194.json +++ /dev/null @@ -1,44 +0,0 @@ -{ - "attributes": { - "columns": [ - "cef.device.vendor", - "cef.device.product", - "message", - "cef.device.event_class_id", - "cef.extensions.deviceEventCategory", - "source.user.name", - "destination.user.name", - "destination.domain", - "cef.extensions.categoryBehavior", - "cef.extensions.categoryOutcome", - "cef.extensions.sourceNtDomain", - "cef.extensions.destinationNtDomain" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"cef.extensions.categoryDeviceGroup:\\\"/Operating System\\\"\"}},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "Endpoint - OS Events [Logs CEF ArcSight]", - "version": 1 - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-e6cf2383-71f4-4db1-a791-1a7d4f110194", - "migrationVersion": { - "search": "8.0.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/cef/2.3.2/kibana/search/cef-f85a3444-8a43-4e46-b872-4e44bc25d0f3.json b/packages/cef/2.3.2/kibana/search/cef-f85a3444-8a43-4e46-b872-4e44bc25d0f3.json deleted file mode 100755 index 74d6b3c820..0000000000 --- a/packages/cef/2.3.2/kibana/search/cef-f85a3444-8a43-4e46-b872-4e44bc25d0f3.json +++ /dev/null 
@@ -1,55 +0,0 @@ -{ - "attributes": { - "columns": [ - "cef.device.vendor", - "cef.device.product", - "cef.extensions.categoryBehavior", - "cef.extensions.categoryOutcome", - "destination.ip", - "destination.port", - "destination.domain", - "cef.device.event_class_id", - "cef.extensions.deviceCustomString1Label", - "cef.extensions.deviceCustomString1", - "cef.extensions.deviceCustomString2Label", - "cef.extensions.deviceCustomString2", - "cef.extension.deviceCustomString3Label", - "cef.extension.deviceCustomString3", - "cef.extension.deviceCustomString4Label", - "cef.extension.deviceCustomString4", - "cef.extensions.deviceEventCategory", - "event.severity", - "source.ip", - "source.port", - "network.transport", - "source.bytes", - "url.original" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"cef.device.product:\\\"DNS Trace Log\\\"\"}},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "Microsoft DNS Events [Logs CEF ArcSight]", - "version": 1 - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-f85a3444-8a43-4e46-b872-4e44bc25d0f3", - "migrationVersion": { - "search": "8.0.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/cef/2.3.2/kibana/visualization/cef-013ff153-7b80-490b-8fec-6e56cba785ed.json b/packages/cef/2.3.2/kibana/visualization/cef-013ff153-7b80-490b-8fec-6e56cba785ed.json deleted file mode 100755 index f7372f962e..0000000000 --- a/packages/cef/2.3.2/kibana/visualization/cef-013ff153-7b80-490b-8fec-6e56cba785ed.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "Top 20 Source Countries [Logs CEF ArcSight]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"source.geo.country_iso_code\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":20},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"maxFontSize\":72,\"minFontSize\":26,\"orientation\":\"single\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"square root\"},\"title\":\"Top 20 Source Countries [Logs CEF ArcSight]\",\"type\":\"tagcloud\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-013ff153-7b80-490b-8fec-6e56cba785ed", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "cef-68202a5c-c8f2-432f-8c08-04fbfacb95c8", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cef/2.3.2/kibana/visualization/cef-01c3618c-9962-4fe9-b9c5-f73dfecc6eba.json b/packages/cef/2.3.2/kibana/visualization/cef-01c3618c-9962-4fe9-b9c5-f73dfecc6eba.json deleted file mode 100755 index e4e3fbc58d..0000000000 --- a/packages/cef/2.3.2/kibana/visualization/cef-01c3618c-9962-4fe9-b9c5-f73dfecc6eba.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "Device Metrics Overview [Logs CEF ArcSight]", - "uiStateJSON": "{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"8\",\"params\":{\"customLabel\":\"Event Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Devices\",\"field\":\"observer.hostname\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"5\",\"params\":{\"customLabel\":\"Sources\",\"field\":\"source.ip\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"6\",\"params\":{\"customLabel\":\"Destinations\",\"field\":\"destination.ip\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"7\",\"params\":{\"customLabel\":\"Ports\",\"field\":\"destination.port\"},\"schema\":\"metric\",\"type\":\"cardinality\"}],\"listeners\":{},\"params\":{\"addLegend\":false,\"addTooltip\":true,\"fontSize\":\"30\",\"gauge\":{\"autoExtend\":false,\"backStyle\":\"Full\",\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":100}],\"gaugeColorMode\":\"None\",\"gaugeStyle\":\"Full\",\"gaugeType\":\"Metric\",\"invertColors\":false,\"labels\":{\"color\":\"black\",\"show\":true},\"orientation\":\"vertical\",\"percentageMode\":false,\"scale\":{\"color\":\"#333\",\"labels\":false,\"show\":false,\"width\":2},\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":\"12\",\"labelColor\":false,\"subText\":\"\"},\"type\":\"simple\",\"useRange\":false,\"verticalSplit\":false},\"handleNoResults\":true,\"type\":\"gauge\"},\"title\":\"Device Metrics Overview [Logs CEF ArcSight]\",\"type\":\"metric\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-01c3618c-9962-4fe9-b9c5-f73dfecc6eba", - "migrationVersion": { - "visualization": 
"8.0.0" - }, - "references": [ - { - "id": "cef-68202a5c-c8f2-432f-8c08-04fbfacb95c8", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cef/2.3.2/kibana/visualization/cef-04096ec6-9644-4da7-bba3-35da7882f87d.json b/packages/cef/2.3.2/kibana/visualization/cef-04096ec6-9644-4da7-bba3-35da7882f87d.json deleted file mode 100755 index c0264531f9..0000000000 --- a/packages/cef/2.3.2/kibana/visualization/cef-04096ec6-9644-4da7-bba3-35da7882f87d.json +++ /dev/null @@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "Top 10 Event Types [Logs CEF]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"cef.device.event_class_id\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"maxFontSize\":50,\"minFontSize\":12,\"orientation\":\"single\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"square root\"},\"title\":\"Top 10 Event Types [Logs CEF]\",\"type\":\"tagcloud\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-04096ec6-9644-4da7-bba3-35da7882f87d", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "cef-5a3668ef-c2d5-4bd3-a545-e2a9963b721c", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cef/2.3.2/kibana/visualization/cef-0410a35e-eabd-46f4-a124-c780b6d1fd2e.json b/packages/cef/2.3.2/kibana/visualization/cef-0410a35e-eabd-46f4-a124-c780b6d1fd2e.json deleted file mode 100755 index 6f56e86928..0000000000 
--- a/packages/cef/2.3.2/kibana/visualization/cef-0410a35e-eabd-46f4-a124-c780b6d1fd2e.json +++ /dev/null @@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "Top 10 Destination Port [Logs CEF]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"destination.port\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":20},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"maxFontSize\":72,\"minFontSize\":18,\"orientation\":\"single\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"linear\"},\"title\":\"Top 10 Destination Port [Logs CEF]\",\"type\":\"tagcloud\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-0410a35e-eabd-46f4-a124-c780b6d1fd2e", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "cef-41770860-2a81-4ce7-b8b4-a0c6970725b0", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cef/2.3.2/kibana/visualization/cef-07a4a351-d282-44a1-85b0-bc7e846f8471.json b/packages/cef/2.3.2/kibana/visualization/cef-07a4a351-d282-44a1-85b0-bc7e846f8471.json deleted file mode 100755 index 183db7cb98..0000000000 --- a/packages/cef/2.3.2/kibana/visualization/cef-07a4a351-d282-44a1-85b0-bc7e846f8471.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "Top 5 Sources by Destination Addresses [Logs CEF]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Destination Addresses\",\"field\":\"destination.ip\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Event Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Source Address\",\"field\":\"source.ip\",\"order\":\"desc\",\"orderBy\":\"2\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"perPage\":10,\"showMeticsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Top 5 Sources by Destination Addresses [Logs CEF]\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-07a4a351-d282-44a1-85b0-bc7e846f8471", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "cef-357351f2-fbd1-41b6-9b03-592fbb7aec7c", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cef/2.3.2/kibana/visualization/cef-0959df23-10c9-47fd-bebd-c382007b3584.json b/packages/cef/2.3.2/kibana/visualization/cef-0959df23-10c9-47fd-bebd-c382007b3584.json deleted file mode 100755 index 1c27cabbe6..0000000000 --- a/packages/cef/2.3.2/kibana/visualization/cef-0959df23-10c9-47fd-bebd-c382007b3584.json +++ /dev/null 
@@ -1,19 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"query_string\":{\"query\":\"*\"}}}" - }, - "title": " Dashboard Navigation [Logs CEF]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"markdown\":\"[Network Overview](#/dashboard/cef-4f045e14-8e20-47ed-a6d1-219dd3c8ed5c) | [Network Suspicious Activity](#/dashboard/cef-04749697-de8d-49b3-8eca-c873ab2c5ac9) | [Endpoint Overview](#dashboard/cef-a0030996-9c7b-4f66-bd5a-59b23a7e7c15) | [Endpoint Activity](#/dashboard/cef-85d71d6a-69fc-46a5-bf38-f94c177fbabf) | [Microsoft DNS Overview](#/dashboard/cef-607f756e-288d-499a-8f8a-33791354ffaf)\"},\"title\":\" Dashboard Navigation [Logs CEF]\",\"type\":\"markdown\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-0959df23-10c9-47fd-bebd-c382007b3584", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cef/2.3.2/kibana/visualization/cef-0a202432-3dbd-49c0-af57-623ffb90211d.json b/packages/cef/2.3.2/kibana/visualization/cef-0a202432-3dbd-49c0-af57-623ffb90211d.json deleted file mode 100755 index 6209fc854f..0000000000 --- a/packages/cef/2.3.2/kibana/visualization/cef-0a202432-3dbd-49c0-af57-623ffb90211d.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "Destination Ports by Outcome [Logs CEF]", - "uiStateJSON": "{\"vis\":{\"colors\":{\"failure\":\"#BF1B00\",\"success\":\"#629E51\"}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Protocols\",\"field\":\"destination.port\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"event.outcome\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"rotate\":75,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Protocols\"},\"type\":\"category\"}],\"defaultYExtents\":false,\"drawLinesBetweenPoints\":true,\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"legendPosition\":\"right\",\"radiusRatio\":9,\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"mode\":\"stacked\",\"show\":\"true\",\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"showCircles\":true,\"times\":[],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"percentage\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"Destination Ports by Outcome [Logs CEF]\",\"type\":\"histogram\"}" 
- }, - "coreMigrationVersion": "8.0.0", - "id": "cef-0a202432-3dbd-49c0-af57-623ffb90211d", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "cef-357351f2-fbd1-41b6-9b03-592fbb7aec7c", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cef/2.3.2/kibana/visualization/cef-0a5276a2-907b-4319-88ab-86fe5ade8b38.json b/packages/cef/2.3.2/kibana/visualization/cef-0a5276a2-907b-4319-88ab-86fe5ade8b38.json deleted file mode 100755 index 13e0680159..0000000000 --- a/packages/cef/2.3.2/kibana/visualization/cef-0a5276a2-907b-4319-88ab-86fe5ade8b38.json +++ /dev/null 
@@ -1,19 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Events by Outcomes [Logs CEF]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"drop_last_bucket\":1,\"filter\":{\"language\":\"lucene\",\"query\":\"data_stream.dataset:\\\"cef.log\\\"\"},\"id\":\"74716d29-91c6-4095-bc7d-7f6700f12b1f\",\"index_pattern\":\"logs-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(244,78,59,1)\",\"fill\":\"0\",\"formatter\":\"number\",\"hide_in_legend\":0,\"id\":\"932c5de4-f841-4f27-99e4-60d95d3aa16c\",\"label\":\"Event Outcomes\",\"line_width\":\"3\",\"metrics\":[{\"id\":\"4c263b6d-8117-43c6-b83f-5c4145f43cfc\",\"type\":\"count\"}],\"point_size\":1,\"seperate_axis\":1,\"split_color_mode\":\"gradient\",\"split_filters\":[{\"color\":\"rgba(244,78,59,1)\",\"filter\":{\"language\":\"lucene\",\"query\":\"cef.extensions.categoryOutcome:\\\"/Failure\\\"\"},\"id\":\"94371b84-a7aa-4824-b4d1-217ecbe725a5\",\"label\":\"Failure\"},{\"color\":\"rgba(104,188,0,1)\",\"filter\":{\"language\":\"lucene\",\"query\":\"cef.extensions.categoryOutcome:\\\"/Success\\\"\"},\"id\":\"31564794-9278-4f2e-bb20-557f5cfbea79\",\"label\":\"Success\"},{\"color\":\"rgba(251,158,0,1)\",\"filter\":{\"language\":\"lucene\",\"query\":\"cef.extensions.categoryOutcome:\\\"/Attempt\\\"\"},\"id\":\"10c0f919-0853-41b5-94b4-2e39932e7aa0\",\"label\":\"Attempt\"}],\"split_mode\":\"filters\",\"stacked\":\"none\",\"terms_field\":\"event.outcome\",\"terms_size\":\"3\"},{\"axis_position\":\"left\",\"chart_type\":\"bar\",\"color\":\"rgba(104,182,204,1)\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"c9eca9d0-c2e0-45e6-a3ce-f158c40fdd74\",\"label\":\"Event 
Count\",\"line_width\":1,\"metrics\":[{\"id\":\"6d8513ca-cc72-4b27-91b6-6b689558cdcb\",\"type\":\"count\"}],\"point_size\":1,\"seperate_axis\":1,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"}],\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Events by Outcomes [Logs CEF]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-0a5276a2-907b-4319-88ab-86fe5ade8b38", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cef/2.3.2/kibana/visualization/cef-0abfc226-535b-45a2-b534-e9bc87e5584f.json b/packages/cef/2.3.2/kibana/visualization/cef-0abfc226-535b-45a2-b534-e9bc87e5584f.json deleted file mode 100755 index bec9522083..0000000000 --- a/packages/cef/2.3.2/kibana/visualization/cef-0abfc226-535b-45a2-b534-e9bc87e5584f.json +++ /dev/null 
@@ -1,19 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Bandwidth Utilization [Logs CEF ArcSight]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"background_color\":null,\"bar_color_rules\":[{\"id\":\"23db5bf6-f787-474e-86ab-76362432e984\"}],\"drop_last_bucket\":1,\"filter\":{\"language\":\"kuery\",\"query\":\"\"},\"id\":\"ec53a1d3-213c-4b0f-a074-5005a84cdb83\",\"index_pattern\":\"logs-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(0,156,224,1)\",\"fill\":0.5,\"formatter\":\"bytes\",\"id\":\"d27f09dc-b07e-493f-a223-a85033ad6548\",\"label\":\"Inbound\",\"line_width\":1,\"metrics\":[{\"field\":\"source.bytes\",\"id\":\"9ce9ec3a-2f11-4935-91b2-531494d2a619\",\"type\":\"sum\"}],\"override_index_pattern\":1,\"point_size\":1,\"seperate_axis\":0,\"series_drop_last_bucket\":1,\"series_index_pattern\":\"logs-*\",\"series_time_field\":\"@timestamp\",\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\",\"terms_field\":\"observer.hostname\",\"terms_order_by\":\"_count\"},{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(244,78,59,1)\",\"fill\":0.5,\"formatter\":\"bytes\",\"id\":\"b1ef2c75-5916-469d-8790-5b213367a5a0\",\"label\":\"Outbound\",\"line_width\":1,\"metrics\":[{\"field\":\"destination.bytes\",\"id\":\"11b1852f-9b62-4e96-8128-522e6c5bf16d\",\"type\":\"sum\"},{\"id\":\"2a6b00bf-1658-4d02-b4e2-61ad6e4c3a9b\",\"script\":\"params.outbound \\u003e 0 ? 
params.outbound * -1 : 0\",\"type\":\"calculation\",\"variables\":[{\"field\":\"11b1852f-9b62-4e96-8128-522e6c5bf16d\",\"id\":\"c57067f2-2927-41d8-97f4-9f47b3b3bcae\",\"name\":\"outbound\"}]}],\"override_index_pattern\":1,\"point_size\":1,\"seperate_axis\":0,\"series_drop_last_bucket\":1,\"series_index_pattern\":\"logs-*\",\"series_time_field\":\"@timestamp\",\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\",\"steps\":0}],\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Bandwidth Utilization [Logs CEF ArcSight]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-0abfc226-535b-45a2-b534-e9bc87e5584f", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cef/2.3.2/kibana/visualization/cef-0d0fd899-a40a-43e5-ac80-56f3bf09c18c.json b/packages/cef/2.3.2/kibana/visualization/cef-0d0fd899-a40a-43e5-ac80-56f3bf09c18c.json deleted file mode 100755 index 87df75c155..0000000000 --- a/packages/cef/2.3.2/kibana/visualization/cef-0d0fd899-a40a-43e5-ac80-56f3bf09c18c.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "DNS Metrics Overview [Logs CEF]", - "uiStateJSON": "{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"5\",\"params\":{\"customLabel\":\"Event Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Threads\",\"field\":\"cef.extensions.deviceCustomString1\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"OpCodes\",\"field\":\"cef.extensions.deviceCustomString2\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Activity Types\",\"field\":\"cef.device.event_class_id\"},\"schema\":\"metric\",\"type\":\"cardinality\"}],\"listeners\":{},\"params\":{\"addLegend\":false,\"addTooltip\":true,\"gauge\":{\"autoExtend\":false,\"backStyle\":\"Full\",\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":100}],\"gaugeColorMode\":\"None\",\"gaugeStyle\":\"Full\",\"gaugeType\":\"Metric\",\"invertColors\":false,\"labels\":{\"color\":\"black\",\"show\":true},\"orientation\":\"vertical\",\"percentageMode\":false,\"scale\":{\"color\":\"#333\",\"labels\":false,\"show\":false,\"width\":2},\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":\"32\",\"labelColor\":false,\"subText\":\"\"},\"type\":\"simple\",\"useRange\":false,\"verticalSplit\":false},\"type\":\"gauge\"},\"title\":\"DNS Metrics Overview [Logs CEF]\",\"type\":\"metric\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-0d0fd899-a40a-43e5-ac80-56f3bf09c18c", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "cef-5a3668ef-c2d5-4bd3-a545-e2a9963b721c", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} 
\ No newline at end of file diff --git a/packages/cef/2.3.2/kibana/visualization/cef-0f4028b2-3dc2-4cb6-80d8-285c847a02a1.json b/packages/cef/2.3.2/kibana/visualization/cef-0f4028b2-3dc2-4cb6-80d8-285c847a02a1.json deleted file mode 100755 index 702933c209..0000000000 --- a/packages/cef/2.3.2/kibana/visualization/cef-0f4028b2-3dc2-4cb6-80d8-285c847a02a1.json +++ /dev/null 
@@ -1,19 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Events by Outcomes [Logs CEF ArcSight]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"drop_last_bucket\":1,\"filter\":{\"language\":\"lucene\",\"query\":\"cef.extensions.categoryDeviceGroup:\\\"/Operating System\\\"\"},\"id\":\"74716d29-91c6-4095-bc7d-7f6700f12b1f\",\"index_pattern\":\"logs-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(244,78,59,1)\",\"fill\":\"0\",\"formatter\":\"number\",\"hide_in_legend\":0,\"id\":\"932c5de4-f841-4f27-99e4-60d95d3aa16c\",\"label\":\"Event Outcomes\",\"line_width\":\"3\",\"metrics\":[{\"id\":\"4c263b6d-8117-43c6-b83f-5c4145f43cfc\",\"type\":\"count\"}],\"point_size\":1,\"seperate_axis\":1,\"split_color_mode\":\"gradient\",\"split_filters\":[{\"color\":\"rgba(244,78,59,1)\",\"filter\":{\"language\":\"lucene\",\"query\":\"cef.extensions.categoryOutcome:\\\"/Failure\\\"\"},\"id\":\"94371b84-a7aa-4824-b4d1-217ecbe725a5\",\"label\":\"Failure\"},{\"color\":\"rgba(104,188,0,1)\",\"filter\":{\"language\":\"lucene\",\"query\":\"cef.extensions.categoryOutcome:\\\"/Success\\\"\"},\"id\":\"31564794-9278-4f2e-bb20-557f5cfbea79\",\"label\":\"Success\"},{\"color\":\"rgba(251,158,0,1)\",\"filter\":{\"language\":\"lucene\",\"query\":\"cef.extensions.categoryOutcome:\\\"/Attempt\\\"\"},\"id\":\"10c0f919-0853-41b5-94b4-2e39932e7aa0\",\"label\":\"Attempt\"}],\"split_mode\":\"filters\",\"stacked\":\"none\",\"terms_field\":\"cef.extensions.categoryOutcome\",\"terms_size\":\"3\"},{\"axis_position\":\"left\",\"chart_type\":\"bar\",\"color\":\"rgba(104,182,204,1)\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"c9eca9d0-c2e0-45e6-a3ce-f158c40fdd74\",\"label\":\"Event 
Count\",\"line_width\":1,\"metrics\":[{\"id\":\"6d8513ca-cc72-4b27-91b6-6b689558cdcb\",\"type\":\"count\"}],\"point_size\":1,\"seperate_axis\":1,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"}],\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Events by Outcomes [Logs CEF ArcSight]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-0f4028b2-3dc2-4cb6-80d8-285c847a02a1", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cef/2.3.2/kibana/visualization/cef-0fe1baba-84a8-4cb3-9b17-bae8693c345a.json b/packages/cef/2.3.2/kibana/visualization/cef-0fe1baba-84a8-4cb3-9b17-bae8693c345a.json deleted file mode 100755 index f26cc0f813..0000000000 --- a/packages/cef/2.3.2/kibana/visualization/cef-0fe1baba-84a8-4cb3-9b17-bae8693c345a.json +++ /dev/null 
@@ -1,19 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Events by Device [Logs CEF]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"drop_last_bucket\":1,\"filter\":{\"language\":\"lucene\",\"query\":\"data_stream.dataset:\\\"cef.log\\\"\"},\"id\":\"fd1ffeb6-678e-4163-9421-6a164fd59048\",\"index_pattern\":\"logs-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(254,37,37,1)\",\"fill\":\"0\",\"formatter\":\"number\",\"id\":\"6a10f77d-4e26-4b27-9c19-f1b0029b075b\",\"label\":\"Events\",\"line_width\":\"3\",\"metrics\":[{\"id\":\"845b9164-65f4-4599-b9cc-8d91b6ba8d83\",\"type\":\"count\"},{\"alpha\":0.3,\"beta\":0.1,\"field\":\"845b9164-65f4-4599-b9cc-8d91b6ba8d83\",\"gamma\":0.3,\"id\":\"59675e84-1a8e-41df-9f63-875109bd795a\",\"model_type\":\"simple\",\"multiplicative\":false,\"period\":1,\"type\":\"moving_average\",\"window\":\"10\"}],\"point_size\":1,\"seperate_axis\":1,\"split_color_mode\":\"gradient\",\"split_filters\":[{\"color\":\"rgba(244,78,59,1)\",\"filter\":{\"language\":\"lucene\",\"query\":\"cef.extensions.categoryDeviceGroup:\\\"/Operating System\\\" \"},\"id\":\"d9a580c3-eb83-4d20-a391-0934d7df8837\",\"label\":\"Operating System\"},{\"color\":\"rgba(254,146,0,1)\",\"filter\":{\"language\":\"lucene\",\"query\":\" cef.extensions.categoryDeviceGroup:\\\"/IDS/Host\\\"\"},\"id\":\"9ce8be14-6191-4c9a-a679-e3992fdab8d2\",\"label\":\"Host 
IDS\"},{\"color\":\"rgba(252,220,0,1)\",\"filter\":{\"language\":\"lucene\",\"query\":\"cef.extensions.categoryDeviceGroup:\\\"/Application\\\"\"},\"id\":\"262ecd54-a042-4bfb-b489-d7db8431c36e\",\"label\":\"Application\"}],\"split_mode\":\"filters\",\"stacked\":\"none\"},{\"axis_position\":\"left\",\"chart_type\":\"bar\",\"color\":\"rgba(0,156,224,1)\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"92e98952-8e25-472f-abb5-05a7d9b830ea\",\"label\":\"Moving Average by Device HostNames\",\"line_width\":1,\"metrics\":[{\"id\":\"3df841a9-5997-4a1a-ad8f-69620d23e65b\",\"type\":\"count\"},{\"alpha\":0.3,\"beta\":0.1,\"field\":\"3df841a9-5997-4a1a-ad8f-69620d23e65b\",\"gamma\":0.3,\"id\":\"9765367a-0fc2-45ba-88a8-e87991210edd\",\"model_type\":\"simple\",\"multiplicative\":false,\"period\":1,\"type\":\"moving_average\",\"window\":\"10\"}],\"point_size\":1,\"seperate_axis\":1,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"observer.hostname\"}],\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Events by Device [Logs CEF]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-0fe1baba-84a8-4cb3-9b17-bae8693c345a", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cef/2.3.2/kibana/visualization/cef-118af639-1f37-4541-a960-5a3ff0613e0e.json b/packages/cef/2.3.2/kibana/visualization/cef-118af639-1f37-4541-a960-5a3ff0613e0e.json deleted file mode 100755 index bba67eb563..0000000000 --- a/packages/cef/2.3.2/kibana/visualization/cef-118af639-1f37-4541-a960-5a3ff0613e0e.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "Outcomes by Device Type [Logs CEF ArcSight]", - "uiStateJSON": "{\"vis\":{\"colors\":{\"/Failure\":\"#BF1B00\"},\"legendOpen\":true}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"cef.extensions.categoryDeviceType\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"cef.extensions.categoryOutcome\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":200},\"position\":\"left\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"cef.extensions.categoryDeviceType: Descending\"},\"type\":\"category\"}],\"defaultYExtents\":false,\"drawLinesBetweenPoints\":true,\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"legendPosition\":\"right\",\"radiusRatio\":9,\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"mode\":\"normal\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"showCircles\":true,\"times\":[],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":true,\"rotate\":75,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"bottom\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"value\"}]},\"title\":\"Outcomes by Device Type [Logs CEF 
ArcSight]\",\"type\":\"histogram\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-118af639-1f37-4541-a960-5a3ff0613e0e", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "cef-5cede2d3-20fe-4140-add4-4c4f841b71a2", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cef/2.3.2/kibana/visualization/cef-1204cf27-05e0-4905-bfa1-688aaaaaa840.json b/packages/cef/2.3.2/kibana/visualization/cef-1204cf27-05e0-4905-bfa1-688aaaaaa840.json deleted file mode 100755 index 1f0e2fde5c..0000000000 --- a/packages/cef/2.3.2/kibana/visualization/cef-1204cf27-05e0-4905-bfa1-688aaaaaa840.json +++ /dev/null @@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "Top 10 Destination Ports [Logs CEF ArcSight]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Destination Addresses\",\"field\":\"destination.port\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"maxFontSize\":72,\"minFontSize\":18,\"orientation\":\"single\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"linear\"},\"title\":\"Top 10 Destination Ports [Logs CEF ArcSight]\",\"type\":\"tagcloud\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-1204cf27-05e0-4905-bfa1-688aaaaaa840", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "cef-68202a5c-c8f2-432f-8c08-04fbfacb95c8", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/cef/2.3.2/kibana/visualization/cef-1479b35b-1bf3-4767-a510-9d210e010342.json b/packages/cef/2.3.2/kibana/visualization/cef-1479b35b-1bf3-4767-a510-9d210e010342.json deleted file mode 100755 index 19c4fa4610..0000000000 --- a/packages/cef/2.3.2/kibana/visualization/cef-1479b35b-1bf3-4767-a510-9d210e010342.json +++ /dev/null @@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "Top 10 Destinations [Logs CEF]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Destination Hosts\",\"field\":\"destination.domain\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"maxFontSize\":60,\"minFontSize\":10,\"orientation\":\"single\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"linear\"},\"title\":\"Top 10 Destinations [Logs CEF]\",\"type\":\"tagcloud\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-1479b35b-1bf3-4767-a510-9d210e010342", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "cef-46204a7b-ca56-4ad7-bf60-5ef9c6b83042", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cef/2.3.2/kibana/visualization/cef-158d809a-89db-4ffa-88a1-eb5c4bf58d50.json b/packages/cef/2.3.2/kibana/visualization/cef-158d809a-89db-4ffa-88a1-eb5c4bf58d50.json deleted file mode 100755 index ec2f257b88..0000000000 --- a/packages/cef/2.3.2/kibana/visualization/cef-158d809a-89db-4ffa-88a1-eb5c4bf58d50.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "Endpoint OS Metrics Overview [Logs CEF ArcSight]", - "uiStateJSON": "{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Total Events\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"6\",\"params\":{\"customLabel\":\"Devices\",\"field\":\"observer.hostname\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"7\",\"params\":{\"customLabel\":\"Event Types\",\"field\":\"cef.extensions.categoryBehavior\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"8\",\"params\":{\"customLabel\":\"Event Outcomes\",\"field\":\"cef.extensions.categoryOutcome\"},\"schema\":\"metric\",\"type\":\"cardinality\"}],\"listeners\":{},\"params\":{\"addLegend\":false,\"addTooltip\":true,\"fontSize\":\"30\",\"gauge\":{\"autoExtend\":false,\"backStyle\":\"Full\",\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":100}],\"gaugeColorMode\":\"None\",\"gaugeStyle\":\"Full\",\"gaugeType\":\"Metric\",\"invertColors\":false,\"labels\":{\"color\":\"black\",\"show\":true},\"orientation\":\"vertical\",\"percentageMode\":false,\"scale\":{\"color\":\"#333\",\"labels\":false,\"show\":false,\"width\":2},\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":\"20\",\"labelColor\":false,\"subText\":\"\"},\"type\":\"simple\",\"useRange\":false,\"verticalSplit\":false},\"handleNoResults\":true,\"type\":\"gauge\"},\"title\":\"Endpoint OS Metrics Overview [Logs CEF ArcSight]\",\"type\":\"metric\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-158d809a-89db-4ffa-88a1-eb5c4bf58d50", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "cef-e6cf2383-71f4-4db1-a791-1a7d4f110194", - "name": 
"search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cef/2.3.2/kibana/visualization/cef-16aef3e9-e33b-4bab-b32f-d8c5b1263ac0.json b/packages/cef/2.3.2/kibana/visualization/cef-16aef3e9-e33b-4bab-b32f-d8c5b1263ac0.json deleted file mode 100755 index a3f9d219f4..0000000000 --- a/packages/cef/2.3.2/kibana/visualization/cef-16aef3e9-e33b-4bab-b32f-d8c5b1263ac0.json +++ /dev/null 
@@ -1,19 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Events by Direction [Logs CEF ArcSight]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"drop_last_bucket\":1,\"filter\":{\"language\":\"lucene\",\"query\":\"cef.device.product:\\\"DNS Trace Log\\\"\"},\"id\":\"be556a57-cd1c-496c-8714-0bd210947c85\",\"index_pattern\":\"logs-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"bar\",\"color\":\"#68BC00\",\"fill\":\"0.2\",\"filter\":{\"language\":\"lucene\",\"query\":\"device\"},\"formatter\":\"number\",\"id\":\"9aae7344-9de9-4378-b21d-296cb964f93b\",\"label\":\"Inbound Requests\",\"line_width\":1,\"metrics\":[{\"id\":\"1cd0b964-45cf-408e-a7e4-e26955f8a3b0\",\"type\":\"count\"}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_filters\":[{\"color\":\"rgba(0,156,224,1)\",\"filter\":{\"language\":\"lucene\",\"query\":\"deviceDirection:\\\"0\\\"\"},\"id\":\"f860f6e0-fbd4-4949-8046-6300322dfe84\",\"label\":\"Inbound Requests\"}],\"split_mode\":\"filters\",\"stacked\":\"none\"},{\"axis_position\":\"right\",\"chart_type\":\"bar\",\"color\":\"#68BC00\",\"fill\":\"0.2\",\"formatter\":\"number\",\"id\":\"ed1abe18-e01b-4202-9db4-06fda10692e0\",\"label\":\"Outbound Requests\",\"line_width\":1,\"metrics\":[{\"id\":\"cfbcfc79-394b-4ec0-a2c2-7a47177d6469\",\"type\":\"count\"},{\"id\":\"6bc37118-ddac-41ec-85b3-9db7e1b3636b\",\"script\":\"params.outbound \\u003e 0 ? 
params.outbound * -1 : 0\",\"type\":\"calculation\",\"variables\":[{\"field\":\"cfbcfc79-394b-4ec0-a2c2-7a47177d6469\",\"id\":\"f73f4f22-03d5-446a-b031-04eee531e3cc\",\"name\":\"outbound\"}]}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_filters\":[{\"color\":\"rgba(211,49,21,1)\",\"filter\":{\"language\":\"lucene\",\"query\":\"deviceDirection:\\\"1\\\"\"},\"id\":\"a9c50e1b-8f11-4bc2-9077-bb8870ed0b62\",\"label\":\"Outbound Requests\"}],\"split_mode\":\"filters\",\"stacked\":\"none\"}],\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Events by Direction [Logs CEF ArcSight]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-16aef3e9-e33b-4bab-b32f-d8c5b1263ac0", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cef/2.3.2/kibana/visualization/cef-19e44299-4e2a-4da4-a9e5-595b428d49dd.json b/packages/cef/2.3.2/kibana/visualization/cef-19e44299-4e2a-4da4-a9e5-595b428d49dd.json deleted file mode 100755 index f1ef73d247..0000000000 --- a/packages/cef/2.3.2/kibana/visualization/cef-19e44299-4e2a-4da4-a9e5-595b428d49dd.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "Top 10 Sources by Size [Logs CEF]", - "uiStateJSON": "{\"P-11\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"P-13\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"P-2\":{\"mapCenter\":[-0.17578097424708533,0],\"mapZoom\":0},\"P-3\":{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}},\"P-4\":{\"mapCenter\":[-0.17578097424708533,0],\"mapZoom\":0},\"P-5\":{\"vis\":{\"defaultColors\":{\"0 - 18,000\":\"rgb(247,251,255)\",\"108,000 - 126,000\":\"rgb(74,152,201)\",\"126,000 - 144,000\":\"rgb(46,126,188)\",\"144,000 - 162,000\":\"rgb(23,100,171)\",\"162,000 - 180,000\":\"rgb(8,74,145)\",\"18,000 - 36,000\":\"rgb(227,238,249)\",\"36,000 - 54,000\":\"rgb(208,225,242)\",\"54,000 - 72,000\":\"rgb(182,212,233)\",\"72,000 - 90,000\":\"rgb(148,196,223)\",\"90,000 - 108,000\":\"rgb(107,174,214)\"},\"legendOpen\":false}},\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": 
"{\"aggs\":[{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Sources\",\"field\":\"source.domain\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Bytes\",\"field\":\"source.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Destinations\",\"field\":\"destination.domain\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"}],\"listeners\":{},\"params\":{\"perPage\":10,\"showMeticsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Top 10 Sources by Size [Logs CEF]\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-19e44299-4e2a-4da4-a9e5-595b428d49dd", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "cef-5a3668ef-c2d5-4bd3-a545-e2a9963b721c", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cef/2.3.2/kibana/visualization/cef-1b9cc5b7-7747-49de-96b1-a4bc7f675716.json b/packages/cef/2.3.2/kibana/visualization/cef-1b9cc5b7-7747-49de-96b1-a4bc7f675716.json deleted file mode 100755 index 6c04dc9028..0000000000 --- a/packages/cef/2.3.2/kibana/visualization/cef-1b9cc5b7-7747-49de-96b1-a4bc7f675716.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "Top 10 Destinations by Size [Logs CEF ArcSight]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Destinations\",\"field\":\"destination.domain\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Bytes\",\"field\":\"source.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Sources\",\"field\":\"source.ip\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"}],\"listeners\":{},\"params\":{\"perPage\":10,\"showMeticsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Top 10 Destinations by Size [Logs CEF ArcSight]\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-1b9cc5b7-7747-49de-96b1-a4bc7f675716", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "cef-f85a3444-8a43-4e46-b872-4e44bc25d0f3", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cef/2.3.2/kibana/visualization/cef-1bd44f46-e28d-4a2d-8245-6994372155ab.json b/packages/cef/2.3.2/kibana/visualization/cef-1bd44f46-e28d-4a2d-8245-6994372155ab.json deleted file mode 100755 index 734effac6e..0000000000 --- a/packages/cef/2.3.2/kibana/visualization/cef-1bd44f46-e28d-4a2d-8245-6994372155ab.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "Top Destinations by Traffic Size [Logs CEF]", - "uiStateJSON": "{\"vis\":{\"defaultColors\":{\"0 - 18k\":\"rgb(247,251,255)\",\"108k - 126k\":\"rgb(74,152,201)\",\"126k - 144k\":\"rgb(46,126,188)\",\"144k - 162k\":\"rgb(23,100,171)\",\"162k - 180k\":\"rgb(8,74,145)\",\"18k - 36k\":\"rgb(227,238,249)\",\"36k - 54k\":\"rgb(208,225,242)\",\"54k - 72k\":\"rgb(182,212,233)\",\"72k - 90k\":\"rgb(148,196,223)\",\"90k - 108k\":\"rgb(107,174,214)\"}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Bytes\",\"field\":\"source.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"filters\":[{\"input\":{\"language\":\"lucene\",\"query\":\"deviceDirection:\\\"0\\\"\"},\"label\":\"Inbound\"},{\"input\":{\"language\":\"lucene\",\"query\":\"deviceDirection:\\\"1\\\"\"},\"label\":\"Outbound\"}]},\"schema\":\"segment\",\"type\":\"filters\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"destination.domain\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":10},\"schema\":\"group\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTooltip\":true,\"colorSchema\":\"Blues\",\"colorsNumber\":10,\"colorsRange\":[{\"from\":0,\"to\":null}],\"enableHover\":true,\"invertColors\":false,\"legendPosition\":\"top\",\"percentageMode\":false,\"setColorRange\":false,\"times\":[],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"color\":\"#555\",\"rotate\":0,\"show\":false},\"scale\":{\"defaultYExtents\":false,\"type\":\"linear\"},\"show\":false,\"type\":\"value\"}]},\"title\":\"Top Destinations by Traffic Size [Logs CEF]\",\"type\":\"heatmap\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-1bd44f46-e28d-4a2d-8245-6994372155ab", - "migrationVersion": { - "visualization": "8.0.0" - }, - 
"references": [ - { - "id": "cef-5a3668ef-c2d5-4bd3-a545-e2a9963b721c", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cef/2.3.2/kibana/visualization/cef-1c869759-1d3e-4898-b9c7-d2604ed38655.json b/packages/cef/2.3.2/kibana/visualization/cef-1c869759-1d3e-4898-b9c7-d2604ed38655.json deleted file mode 100755 index 7bfc8c774b..0000000000 --- a/packages/cef/2.3.2/kibana/visualization/cef-1c869759-1d3e-4898-b9c7-d2604ed38655.json +++ /dev/null 
@@ -1,19 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Events by Severity [Logs CEF]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"bar_color_rules\":[{\"id\":\"0ca18a89-9c81-4bee-835a-85e6103aec37\"}],\"drop_last_bucket\":1,\"filter\":{\"language\":\"lucene\",\"query\":\"cef.extensions.categoryDeviceGroup:\\\"/Firewall\\\"\"},\"hide_last_value_indicator\":true,\"id\":\"c39a76e5-f613-41a9-8335-c442747791e0\",\"index_pattern\":\"logs-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"0.0[0]a\",\"id\":\"da3b92b4-2c24-473b-9102-fb5a343a96d9\",\"label\":\"Event by Severities\",\"line_width\":1,\"metrics\":[{\"id\":\"0d189776-3f7c-4a92-95b1-73c379a341fc\",\"type\":\"count\"},{\"field\":\"0d189776-3f7c-4a92-95b1-73c379a341fc\",\"id\":\"1b1c931c-a09b-4980-af81-6f9c3db56401\",\"sigma\":\"\",\"type\":\"sum_bucket\"}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_filters\":[{\"color\":\"rgba(104,204,202,1)\",\"filter\":{\"language\":\"lucene\",\"query\":\"severity:\\\"Low\\\" OR severity:\\\"0\\\"\"},\"id\":\"ebe970ac-5cc9-4c4a-af60-82affafc667c\",\"label\":\"LOW\"},{\"color\":\"rgba(252,220,0,1)\",\"filter\":{\"language\":\"lucene\",\"query\":\"severity:\\\"Medium\\\"\"},\"id\":\"0c4ff16a-b53d-4ce4-af76-d6b74d8788db\",\"label\":\"MEDIUM\"},{\"color\":\"rgba(254,146,0,1)\",\"filter\":{\"language\":\"lucene\",\"query\":\"severity:\\\"High\\\"\"},\"id\":\"e142c55b-6ee5-416a-8bd3-d10398044864\",\"label\":\"HIGH\"},{\"color\":\"rgba(244,78,59,1)\",\"filter\":{\"language\":\"lucene\",\"query\":\"severity:\\\"Very-High\\\"\"},\"id\":\"4b05b562-c419-4214-b814-d4c242251521\",\"label\":\"VERY 
HIGH\"}],\"split_mode\":\"filters\",\"stacked\":\"none\"}],\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"top_n\",\"use_kibana_indexes\":false},\"title\":\"Events by Severity [Logs CEF]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-1c869759-1d3e-4898-b9c7-d2604ed38655", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cef/2.3.2/kibana/visualization/cef-249e2737-b41f-4115-b303-88bc9d279655.json b/packages/cef/2.3.2/kibana/visualization/cef-249e2737-b41f-4115-b303-88bc9d279655.json deleted file mode 100755 index 3b90350ff6..0000000000 --- a/packages/cef/2.3.2/kibana/visualization/cef-249e2737-b41f-4115-b303-88bc9d279655.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "DNS Metrics Overview [Logs CEF ArcSight]", - "uiStateJSON": "{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"5\",\"params\":{\"customLabel\":\"Event Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Threads\",\"field\":\"cef.extensions.deviceCustomString1\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"OpCodes\",\"field\":\"cef.extensions.deviceCustomString2\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Activity Types\",\"field\":\"cef.device.event_class_id\"},\"schema\":\"metric\",\"type\":\"cardinality\"}],\"listeners\":{},\"params\":{\"addLegend\":false,\"addTooltip\":true,\"gauge\":{\"autoExtend\":false,\"backStyle\":\"Full\",\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":100}],\"gaugeColorMode\":\"None\",\"gaugeStyle\":\"Full\",\"gaugeType\":\"Metric\",\"invertColors\":false,\"labels\":{\"color\":\"black\",\"show\":true},\"orientation\":\"vertical\",\"percentageMode\":false,\"scale\":{\"color\":\"#333\",\"labels\":false,\"show\":false,\"width\":2},\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":\"32\",\"labelColor\":false,\"subText\":\"\"},\"type\":\"simple\",\"useRange\":false,\"verticalSplit\":false},\"type\":\"gauge\"},\"title\":\"DNS Metrics Overview [Logs CEF ArcSight]\",\"type\":\"metric\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-249e2737-b41f-4115-b303-88bc9d279655", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "cef-f85a3444-8a43-4e46-b872-4e44bc25d0f3", - "name": "search_0", - "type": "search" - } - ], - "type": 
"visualization" -} \ No newline at end of file diff --git a/packages/cef/2.3.2/kibana/visualization/cef-255c0885-6349-4ab4-ba00-f055c6cc8000.json b/packages/cef/2.3.2/kibana/visualization/cef-255c0885-6349-4ab4-ba00-f055c6cc8000.json deleted file mode 100755 index 25f79d7cc1..0000000000 --- a/packages/cef/2.3.2/kibana/visualization/cef-255c0885-6349-4ab4-ba00-f055c6cc8000.json +++ /dev/null @@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "Top 10 Sources [Logs CEF]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Source Hosts\",\"field\":\"source.domain\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"maxFontSize\":60,\"minFontSize\":10,\"orientation\":\"single\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"linear\"},\"title\":\"Top 10 Sources [Logs CEF]\",\"type\":\"tagcloud\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-255c0885-6349-4ab4-ba00-f055c6cc8000", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "cef-46204a7b-ca56-4ad7-bf60-5ef9c6b83042", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cef/2.3.2/kibana/visualization/cef-26a65f68-d7a6-4b47-befc-c5a6819bb91b.json b/packages/cef/2.3.2/kibana/visualization/cef-26a65f68-d7a6-4b47-befc-c5a6819bb91b.json deleted file mode 100755 index 401dfbed0a..0000000000 --- a/packages/cef/2.3.2/kibana/visualization/cef-26a65f68-d7a6-4b47-befc-c5a6819bb91b.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "Top 10 Sources by Size [Logs CEF ArcSight]", - "uiStateJSON": "{\"P-11\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"P-13\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"P-2\":{\"mapCenter\":[-0.17578097424708533,0],\"mapZoom\":0},\"P-3\":{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}},\"P-4\":{\"mapCenter\":[-0.17578097424708533,0],\"mapZoom\":0},\"P-5\":{\"vis\":{\"defaultColors\":{\"0 - 18,000\":\"rgb(247,251,255)\",\"108,000 - 126,000\":\"rgb(74,152,201)\",\"126,000 - 144,000\":\"rgb(46,126,188)\",\"144,000 - 162,000\":\"rgb(23,100,171)\",\"162,000 - 180,000\":\"rgb(8,74,145)\",\"18,000 - 36,000\":\"rgb(227,238,249)\",\"36,000 - 54,000\":\"rgb(208,225,242)\",\"54,000 - 72,000\":\"rgb(182,212,233)\",\"72,000 - 90,000\":\"rgb(148,196,223)\",\"90,000 - 108,000\":\"rgb(107,174,214)\"},\"legendOpen\":false}},\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": 
"{\"aggs\":[{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Sources\",\"field\":\"source.domain\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Bytes\",\"field\":\"source.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Destinations\",\"field\":\"destination.domain\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"}],\"listeners\":{},\"params\":{\"perPage\":10,\"showMeticsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Top 10 Sources by Size [Logs CEF ArcSight]\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-26a65f68-d7a6-4b47-befc-c5a6819bb91b", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "cef-f85a3444-8a43-4e46-b872-4e44bc25d0f3", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cef/2.3.2/kibana/visualization/cef-270139ff-fc2f-4fca-b241-93a8f57cdcdf.json b/packages/cef/2.3.2/kibana/visualization/cef-270139ff-fc2f-4fca-b241-93a8f57cdcdf.json deleted file mode 100755 index a8dd56342f..0000000000 --- a/packages/cef/2.3.2/kibana/visualization/cef-270139ff-fc2f-4fca-b241-93a8f57cdcdf.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "Unique Destinations and Ports by Source [Logs CEF]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Destination Addresses\",\"field\":\"destination.ip\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Source Addresses\",\"field\":\"source.ip\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":20},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Destination Ports\",\"field\":\"destination.port\"},\"schema\":\"metric\",\"type\":\"cardinality\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Source Addresses\"},\"type\":\"category\"}],\"defaultYExtents\":false,\"drawLinesBetweenPoints\":true,\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"legendPosition\":\"right\",\"radiusRatio\":9,\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Destination Addresses\"},\"drawLinesBetweenPoints\":true,\"mode\":\"stacked\",\"show\":\"true\",\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"},{\"data\":{\"id\":\"3\",\"label\":\"Destination 
Ports\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"stacked\",\"show\":true,\"showCircles\":true,\"type\":\"line\",\"valueAxis\":\"ValueAxis-2\"}],\"setYExtents\":false,\"showCircles\":true,\"times\":[],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Destination Addresses\"},\"type\":\"value\"},{\"id\":\"ValueAxis-2\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"RightAxis-1\",\"position\":\"right\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Destination Ports\"},\"type\":\"value\"}]},\"title\":\"Unique Destinations and Ports by Source [Logs CEF]\",\"type\":\"histogram\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-270139ff-fc2f-4fca-b241-93a8f57cdcdf", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "cef-357351f2-fbd1-41b6-9b03-592fbb7aec7c", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cef/2.3.2/kibana/visualization/cef-2726382e-638a-4dcc-94fc-0ffdc0f92048.json b/packages/cef/2.3.2/kibana/visualization/cef-2726382e-638a-4dcc-94fc-0ffdc0f92048.json deleted file mode 100755 index 1697d134c5..0000000000 --- a/packages/cef/2.3.2/kibana/visualization/cef-2726382e-638a-4dcc-94fc-0ffdc0f92048.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "Top 15 Event Types by Events [Logs CEF ArcSight]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Event Types\",\"field\":\"cef.extensions.categoryBehavior\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":15},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Source Users\",\"field\":\"source.user.name\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Destination Users\",\"field\":\"destination.user.name\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"5\",\"params\":{\"customLabel\":\"Source Hosts\",\"field\":\"source.domain\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"6\",\"params\":{\"customLabel\":\"Destination Hosts\",\"field\":\"destination.domain\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"}],\"listeners\":{},\"params\":{\"perPage\":15,\"showMeticsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Top 15 Event Types by Events [Logs CEF ArcSight]\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-2726382e-638a-4dcc-94fc-0ffdc0f92048", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "cef-e6cf2383-71f4-4db1-a791-1a7d4f110194", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/cef/2.3.2/kibana/visualization/cef-291cd92f-52c4-421b-b354-468318ba3e65.json b/packages/cef/2.3.2/kibana/visualization/cef-291cd92f-52c4-421b-b354-468318ba3e65.json deleted file mode 100755 index 368418b81f..0000000000 --- a/packages/cef/2.3.2/kibana/visualization/cef-291cd92f-52c4-421b-b354-468318ba3e65.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "Device Metrics Overview [Logs CEF]", - "uiStateJSON": "{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"8\",\"params\":{\"customLabel\":\"Event Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Devices\",\"field\":\"observer.hostname\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"5\",\"params\":{\"customLabel\":\"Sources\",\"field\":\"source.ip\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"6\",\"params\":{\"customLabel\":\"Destinations\",\"field\":\"destination.ip\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"7\",\"params\":{\"customLabel\":\"Ports\",\"field\":\"destination.port\"},\"schema\":\"metric\",\"type\":\"cardinality\"}],\"listeners\":{},\"params\":{\"addLegend\":false,\"addTooltip\":true,\"fontSize\":\"30\",\"gauge\":{\"autoExtend\":false,\"backStyle\":\"Full\",\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":100}],\"gaugeColorMode\":\"None\",\"gaugeStyle\":\"Full\",\"gaugeType\":\"Metric\",\"invertColors\":false,\"labels\":{\"color\":\"black\",\"show\":true},\"orientation\":\"vertical\",\"percentageMode\":false,\"scale\":{\"color\":\"#333\",\"labels\":false,\"show\":false,\"width\":2},\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":\"12\",\"labelColor\":false,\"subText\":\"\"},\"type\":\"simple\",\"useRange\":false,\"verticalSplit\":false},\"handleNoResults\":true,\"type\":\"gauge\"},\"title\":\"Device Metrics Overview [Logs CEF]\",\"type\":\"metric\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-291cd92f-52c4-421b-b354-468318ba3e65", - "migrationVersion": { - "visualization": "8.0.0" - }, - 
"references": [ - { - "id": "cef-357351f2-fbd1-41b6-9b03-592fbb7aec7c", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cef/2.3.2/kibana/visualization/cef-295986d4-d2ea-4541-8e82-7dc95c0cd830.json b/packages/cef/2.3.2/kibana/visualization/cef-295986d4-d2ea-4541-8e82-7dc95c0cd830.json deleted file mode 100755 index c52b647746..0000000000 --- a/packages/cef/2.3.2/kibana/visualization/cef-295986d4-d2ea-4541-8e82-7dc95c0cd830.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "Top 10 Source Countries by Event [Logs CEF ArcSight]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Total Events\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"source.geo.country_iso_code\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":35},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Source Addresses\",\"field\":\"source.ip\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Destination Addresses\",\"field\":\"destination.ip\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"5\",\"params\":{\"customLabel\":\"Destination Ports\",\"field\":\"destination.port\"},\"schema\":\"metric\",\"type\":\"cardinality\"}],\"listeners\":{},\"params\":{\"perPage\":10,\"showMeticsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Top 10 Source Countries by Event [Logs CEF ArcSight]\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-295986d4-d2ea-4541-8e82-7dc95c0cd830", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "cef-5cede2d3-20fe-4140-add4-4c4f841b71a2", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/cef/2.3.2/kibana/visualization/cef-2a0a7692-9a08-449f-bcef-b85de1855fd5.json b/packages/cef/2.3.2/kibana/visualization/cef-2a0a7692-9a08-449f-bcef-b85de1855fd5.json deleted file mode 100755 index 0cdee83a6a..0000000000 --- a/packages/cef/2.3.2/kibana/visualization/cef-2a0a7692-9a08-449f-bcef-b85de1855fd5.json +++ /dev/null 
@@ -1,19 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Endpoint - Average EPS [Logs CEF]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"bar_color_rules\":[{\"id\":\"ce9549a0-3af0-4070-b169-4b6d145d4c39\"}],\"drop_last_bucket\":1,\"filter\":{\"language\":\"lucene\",\"query\":\"data_stream.dataset:\\\"cef.log\\\"\"},\"gauge_color_rules\":[{\"id\":\"03a2fd72-fc9c-4582-9133-20af36217180\"}],\"gauge_inner_width\":10,\"gauge_style\":\"half\",\"gauge_width\":10,\"hide_last_value_indicator\":true,\"id\":\"94161c6c-4f48-4beb-9d78-f79f29c02a34\",\"index_pattern\":\"logs-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(0,156,224,1)\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"b4373ffd-9660-4206-afd6-d4867ac7dbdf\",\"label\":\"Event Throughput\",\"line_width\":1,\"metrics\":[{\"id\":\"b1a48389-d799-4eba-8b98-7ee8ef0bb440\",\"type\":\"count\"},{\"field\":\"b1a48389-d799-4eba-8b98-7ee8ef0bb440\",\"id\":\"89f8286e-4aec-4cb4-83ad-b139692edf3d\",\"type\":\"cumulative_sum\"},{\"field\":\"89f8286e-4aec-4cb4-83ad-b139692edf3d\",\"id\":\"1df39e5f-3e98-4ed7-ab08-47f3ca2ee915\",\"type\":\"derivative\",\"unit\":\"1s\"},{\"alpha\":0.3,\"beta\":0.1,\"field\":\"1df39e5f-3e98-4ed7-ab08-47f3ca2ee915\",\"gamma\":0.3,\"id\":\"f46a6e6e-444f-4c7e-b5eb-e1a59568f2eb\",\"model_type\":\"simple\",\"multiplicative\":false,\"period\":1,\"type\":\"moving_average\",\"window\":\"10\"}],\"offset_time\":\"1m\",\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\",\"value_template\":\"{{value}} / s\"}],\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"gauge\",\"use_kibana_indexes\":false},\"title\":\"Endpoint - Average EPS [Logs CEF]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": 
"8.0.0", - "id": "cef-2a0a7692-9a08-449f-bcef-b85de1855fd5", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cef/2.3.2/kibana/visualization/cef-2b96deab-dbf1-4be3-ae70-1bfb6c3fbd2a.json b/packages/cef/2.3.2/kibana/visualization/cef-2b96deab-dbf1-4be3-ae70-1bfb6c3fbd2a.json deleted file mode 100755 index 0c2cecb2d8..0000000000 --- a/packages/cef/2.3.2/kibana/visualization/cef-2b96deab-dbf1-4be3-ae70-1bfb6c3fbd2a.json +++ /dev/null @@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "Top 20 Behaviors by Outcome [Logs CEF]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Event Behavior\",\"field\":\"event.action\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":20},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Event Outcome\",\"field\":\"event.outcome\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":3},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"}},\"title\":\"Top 20 Behaviors by Outcome [Logs CEF]\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-2b96deab-dbf1-4be3-ae70-1bfb6c3fbd2a", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "cef-46204a7b-ca56-4ad7-bf60-5ef9c6b83042", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/cef/2.3.2/kibana/visualization/cef-2ecd00c0-66f4-4020-9c6e-dff40d47654c.json b/packages/cef/2.3.2/kibana/visualization/cef-2ecd00c0-66f4-4020-9c6e-dff40d47654c.json deleted file mode 100755 index 6cf742b59b..0000000000 --- a/packages/cef/2.3.2/kibana/visualization/cef-2ecd00c0-66f4-4020-9c6e-dff40d47654c.json +++ /dev/null @@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "Top 5 Source Countries [Logs CEF]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"source.geo.country_iso_code\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":20},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"maxFontSize\":72,\"minFontSize\":18,\"orientation\":\"single\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"linear\"},\"title\":\"Top 5 Source Countries [Logs CEF]\",\"type\":\"tagcloud\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-2ecd00c0-66f4-4020-9c6e-dff40d47654c", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "cef-41770860-2a81-4ce7-b8b4-a0c6970725b0", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cef/2.3.2/kibana/visualization/cef-316fdc75-7215-4c6b-8e1b-70a097b34e28.json b/packages/cef/2.3.2/kibana/visualization/cef-316fdc75-7215-4c6b-8e1b-70a097b34e28.json deleted file mode 100755 index 63e38a3cff..0000000000 --- a/packages/cef/2.3.2/kibana/visualization/cef-316fdc75-7215-4c6b-8e1b-70a097b34e28.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "Top 10 Sources by Destinations [Logs CEF ArcSight]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Source Host\",\"field\":\"source.domain\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Destination Host\",\"field\":\"destination.domain\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"legendPosition\":\"bottom\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"}},\"title\":\"Top 10 Sources by Destinations [Logs CEF ArcSight]\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-316fdc75-7215-4c6b-8e1b-70a097b34e28", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "cef-e6cf2383-71f4-4db1-a791-1a7d4f110194", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cef/2.3.2/kibana/visualization/cef-33290695-4eb1-4270-9e63-7083e7b132ed.json b/packages/cef/2.3.2/kibana/visualization/cef-33290695-4eb1-4270-9e63-7083e7b132ed.json deleted file mode 100755 index 5f6c8a1920..0000000000 --- a/packages/cef/2.3.2/kibana/visualization/cef-33290695-4eb1-4270-9e63-7083e7b132ed.json +++ /dev/null 
@@ -1,19 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Events Types by Severity [Logs CEF]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"drop_last_bucket\":1,\"filter\":{\"language\":\"lucene\",\"query\":\"cef.device.product:\\\"DNS Trace Log\\\"\"},\"id\":\"db54ebce-9dd2-4a1e-b476-b3ddb9a9024e\",\"index_pattern\":\"logs-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"formatter\":\"number\",\"id\":\"81da76ca-1112-4d91-82f4-c66cd3156a84\",\"label\":\"Cumulative Bytes\",\"line_width\":\"3\",\"metrics\":[{\"field\":\"source.bytes\",\"id\":\"521d560c-321a-4410-9eb3-2b2bf3f4efee\",\"type\":\"count\"}],\"point_size\":\"0\",\"seperate_axis\":1,\"split_color_mode\":\"gradient\",\"split_filters\":[{\"color\":\"rgba(244,78,59,1)\",\"filter\":{\"language\":\"lucene\",\"query\":\"(event.severity:\\\"2\\\" OR event.severity:\\\"3\\\" OR event.severity:\\\"5\\\" OR event.severity:\\\"16\\\" OR cef.extension.deviceCustomString4:\\\"SERVFAIL\\\" OR cef.extension.deviceCustomString4:\\\"NXDOMAIN\\\" OR cef.extension.deviceCustomString4:\\\"REFUSED\\\" OR cef.extension.deviceCustomString4:\\\"BADVERS\\\" OR cef.extension.deviceCustomString4:\\\"BADSIG\\\")\"},\"id\":\"3f31a7e4-acf3-4f2d-8b7d-e30522325b2a\",\"label\":\"HIGH\"},{\"color\":\"rgba(254,146,0,1)\",\"filter\":{\"language\":\"lucene\",\"query\":\"(event.severity:\\\"1\\\" OR event.severity:\\\"4\\\" OR event.severity:\\\"6\\\" OR event.severity:\\\"7\\\" OR event.severity:\\\"8\\\" OR event.severity:\\\"9\\\" OR event.severity:\\\"10\\\" OR event.severity:\\\"17\\\" OR event.severity:\\\"18\\\" OR event.severity:\\\"19\\\" OR event.severity:\\\"20\\\" OR event.severity:\\\"21\\\" OR event.severity:\\\"22\\\" OR cef.extension.deviceCustomString4:\\\"Error\\\" 
OR cef.extension.deviceCustomString4:\\\"ERROR\\\" OR cef.extension.deviceCustomString4:\\\"Warning\\\" OR cef.extension.deviceCustomString4:\\\"WARNING\\\" OR cef.extension.deviceCustomString4:\\\"FORMERR\\\" OR cef.extension.deviceCustomString4:\\\"NOTIMP\\\" OR cef.extension.deviceCustomString4:\\\"YXDOMAIN\\\" OR cef.extension.deviceCustomString4:\\\"YXRRSET\\\" OR cef.extension.deviceCustomString4:\\\"NXRRSET\\\" OR cef.extension.deviceCustomString4:\\\"NOTAUTH\\\" OR cef.extension.deviceCustomString4:\\\"NOTZONE\\\" OR cef.extension.deviceCustomString4:\\\"BADKEY\\\" OR cef.extension.deviceCustomString4:\\\"BADTIME\\\" OR cef.extension.deviceCustomString4:\\\"BADMODE\\\" OR cef.extension.deviceCustomString4:\\\"BADNAME\\\" OR cef.extension.deviceCustomString4:\\\"BADALG\\\" OR cef.extension.deviceCustomString4:\\\"BADTRUNC\\\")\"},\"id\":\"7949d31b-8aae-433a-b7cf-6939a8728cc9\",\"label\":\"MEDIUM\"},{\"color\":\"rgba(252,220,0,1)\",\"filter\":{\"language\":\"lucene\",\"query\":\"(NOT (event.severity:\\\"2\\\" OR event.severity:\\\"3\\\" OR event.severity:\\\"5\\\" OR event.severity:\\\"16\\\" OR cef.extension.deviceCustomString4:\\\"SERVFAIL\\\" OR cef.extension.deviceCustomString4:\\\"NXDOMAIN\\\" OR cef.extension.deviceCustomString4:\\\"REFUSED\\\" OR cef.extension.deviceCustomString4:\\\"BADVERS\\\" OR cef.extension.deviceCustomString4:\\\"BADSIG\\\" OR event.severity:\\\"1\\\" OR event.severity:\\\"4\\\" OR event.severity:\\\"6\\\" OR event.severity:\\\"7\\\" OR event.severity:\\\"8\\\" OR event.severity:\\\"9\\\" OR event.severity:\\\"10\\\" OR event.severity:\\\"17\\\" OR event.severity:\\\"18\\\" OR event.severity:\\\"19\\\" OR event.severity:\\\"20\\\" OR event.severity:\\\"21\\\" OR event.severity:\\\"22\\\" OR cef.extension.deviceCustomString4:\\\"Error\\\" OR cef.extension.deviceCustomString4:\\\"ERROR\\\" OR cef.extension.deviceCustomString4:\\\"Warning\\\" OR cef.extension.deviceCustomString4:\\\"WARNING\\\" OR 
cef.extension.deviceCustomString4:\\\"FORMERR\\\" OR cef.extension.deviceCustomString4:\\\"NOTIMP\\\" OR cef.extension.deviceCustomString4:\\\"YXDOMAIN\\\" OR cef.extension.deviceCustomString4:\\\"YXRRSET\\\" OR cef.extension.deviceCustomString4:\\\"NXRRSET\\\" OR cef.extension.deviceCustomString4:\\\"NOTAUTH\\\" OR cef.extension.deviceCustomString4:\\\"NOTZONE\\\" OR cef.extension.deviceCustomString4:\\\"BADKEY\\\" OR cef.extension.deviceCustomString4:\\\"BADTIME\\\" OR cef.extension.deviceCustomString4:\\\"BADMODE\\\" OR cef.extension.deviceCustomString4:\\\"BADNAME\\\" OR cef.extension.deviceCustomString4:\\\"BADALG\\\" OR cef.extension.deviceCustomString4:\\\"BADTRUNC\\\"))\"},\"id\":\"d2627211-5f9e-4c65-8a47-1cd6f085939d\",\"label\":\"LOW\"}],\"split_mode\":\"filters\",\"stacked\":\"none\"},{\"axis_position\":\"right\",\"chart_type\":\"bar\",\"color\":\"rgba(0,156,224,1)\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"a5fda184-fdd6-4221-ab59-492eab162f0a\",\"label\":\"Count by Event Type\",\"line_width\":1,\"metrics\":[{\"id\":\"e147ba1c-b13a-496f-9841-b99ddee81c5a\",\"type\":\"count\"}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"cef.device.event_class_id\",\"terms_size\":\"20\"}],\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Events Types by Severity [Logs CEF]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-33290695-4eb1-4270-9e63-7083e7b132ed", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cef/2.3.2/kibana/visualization/cef-33747d52-ec4c-4d91-86d8-fbdf9b9c82db.json b/packages/cef/2.3.2/kibana/visualization/cef-33747d52-ec4c-4d91-86d8-fbdf9b9c82db.json deleted file mode 100755 index 5ec0797be6..0000000000 
--- a/packages/cef/2.3.2/kibana/visualization/cef-33747d52-ec4c-4d91-86d8-fbdf9b9c82db.json +++ /dev/null 
@@ -1,19 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Network - Event Throughput [Logs CEF ArcSight]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"background_color_rules\":[{\"id\":\"3eadd451-5033-423f-88e3-814cc5e50b50\"}],\"bar_color_rules\":[{\"id\":\"8d4596c5-49ad-429b-af54-5451b1c2e8d4\"}],\"drop_last_bucket\":1,\"filter\":{\"language\":\"lucene\",\"query\":\"cef.extensions.categoryDeviceType:\\\"Firewall\\\" OR cef.extensions.categoryDeviceGroup:\\\"/IDS/Network\\\" OR cef.extensions.categoryDeviceGroup:\\\"/VPN\\\" \"},\"gauge_color_rules\":[{\"gauge\":null,\"id\":\"4d957654-cc7e-4ef3-8b29-61c0aeadd51a\",\"value\":0}],\"gauge_inner_width\":10,\"gauge_max\":\"\",\"gauge_style\":\"half\",\"gauge_width\":10,\"hide_last_value_indicator\":true,\"id\":\"73968651-c41e-473e-a153-a025f49d1a1b\",\"index_pattern\":\"logs-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(0,156,224,1)\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"90d7621e-3265-4fe8-8882-8df9605ea659\",\"label\":\"Event 
Throughput\",\"line_width\":1,\"metrics\":[{\"id\":\"ba1830b9-9ce3-4bf1-8f4d-f7478b7f1bba\",\"type\":\"count\"},{\"field\":\"ba1830b9-9ce3-4bf1-8f4d-f7478b7f1bba\",\"id\":\"ca3a65d0-9f3d-42a9-9f4e-16f9e24cba19\",\"type\":\"cumulative_sum\"},{\"field\":\"ca3a65d0-9f3d-42a9-9f4e-16f9e24cba19\",\"id\":\"6db67bc1-7fff-47e7-a931-f797b1f76732\",\"type\":\"derivative\",\"unit\":\"1s\"},{\"alpha\":0.3,\"beta\":0.1,\"field\":\"6db67bc1-7fff-47e7-a931-f797b1f76732\",\"gamma\":0.3,\"id\":\"92bc1447-2b30-498c-ae8a-c67904fc82b2\",\"model_type\":\"simple\",\"multiplicative\":false,\"period\":1,\"type\":\"moving_average\",\"window\":\"10\"}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\",\"value_template\":\"{{value}} / s\"}],\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"gauge\",\"use_kibana_indexes\":false},\"title\":\"Network - Event Throughput [Logs CEF ArcSight]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-33747d52-ec4c-4d91-86d8-fbdf9b9c82db", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cef/2.3.2/kibana/visualization/cef-38061262-edbe-4ccc-8c5c-d22c480b3c64.json b/packages/cef/2.3.2/kibana/visualization/cef-38061262-edbe-4ccc-8c5c-d22c480b3c64.json deleted file mode 100755 index d47376e13f..0000000000 --- a/packages/cef/2.3.2/kibana/visualization/cef-38061262-edbe-4ccc-8c5c-d22c480b3c64.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "Top 10 Application Protocols [Logs CEF]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"network.application\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":20},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"maxFontSize\":72,\"minFontSize\":26,\"orientation\":\"single\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"square root\"},\"title\":\"Top 10 Application Protocols [Logs CEF]\",\"type\":\"tagcloud\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-38061262-edbe-4ccc-8c5c-d22c480b3c64", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "cef-357351f2-fbd1-41b6-9b03-592fbb7aec7c", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cef/2.3.2/kibana/visualization/cef-38fd061a-0976-4005-b0d3-729d693cdd5d.json b/packages/cef/2.3.2/kibana/visualization/cef-38fd061a-0976-4005-b0d3-729d693cdd5d.json deleted file mode 100755 index f7b6ad4a29..0000000000 --- a/packages/cef/2.3.2/kibana/visualization/cef-38fd061a-0976-4005-b0d3-729d693cdd5d.json +++ /dev/null 
@@ -1,19 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Events by Direction [Logs CEF]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"drop_last_bucket\":1,\"filter\":{\"language\":\"lucene\",\"query\":\"cef.device.product:\\\"DNS Trace Log\\\"\"},\"id\":\"be556a57-cd1c-496c-8714-0bd210947c85\",\"index_pattern\":\"logs-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"bar\",\"color\":\"#68BC00\",\"fill\":\"0.2\",\"filter\":{\"language\":\"lucene\",\"query\":\"device\"},\"formatter\":\"number\",\"id\":\"9aae7344-9de9-4378-b21d-296cb964f93b\",\"label\":\"Inbound Requests\",\"line_width\":1,\"metrics\":[{\"id\":\"1cd0b964-45cf-408e-a7e4-e26955f8a3b0\",\"type\":\"count\"}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_filters\":[{\"color\":\"rgba(0,156,224,1)\",\"filter\":{\"language\":\"lucene\",\"query\":\"deviceDirection:\\\"0\\\"\"},\"id\":\"f860f6e0-fbd4-4949-8046-6300322dfe84\",\"label\":\"Inbound Requests\"}],\"split_mode\":\"filters\",\"stacked\":\"none\"},{\"axis_position\":\"right\",\"chart_type\":\"bar\",\"color\":\"#68BC00\",\"fill\":\"0.2\",\"formatter\":\"number\",\"id\":\"ed1abe18-e01b-4202-9db4-06fda10692e0\",\"label\":\"Outbound Requests\",\"line_width\":1,\"metrics\":[{\"id\":\"cfbcfc79-394b-4ec0-a2c2-7a47177d6469\",\"type\":\"count\"},{\"id\":\"6bc37118-ddac-41ec-85b3-9db7e1b3636b\",\"script\":\"params.outbound \\u003e 0 ? 
params.outbound * -1 : 0\",\"type\":\"calculation\",\"variables\":[{\"field\":\"cfbcfc79-394b-4ec0-a2c2-7a47177d6469\",\"id\":\"f73f4f22-03d5-446a-b031-04eee531e3cc\",\"name\":\"outbound\"}]}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_filters\":[{\"color\":\"rgba(211,49,21,1)\",\"filter\":{\"language\":\"lucene\",\"query\":\"deviceDirection:\\\"1\\\"\"},\"id\":\"a9c50e1b-8f11-4bc2-9077-bb8870ed0b62\",\"label\":\"Outbound Requests\"}],\"split_mode\":\"filters\",\"stacked\":\"none\"}],\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Events by Direction [Logs CEF]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-38fd061a-0976-4005-b0d3-729d693cdd5d", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cef/2.3.2/kibana/visualization/cef-3c19f138-2ab3-4ecb-bb1b-86fb90158042.json b/packages/cef/2.3.2/kibana/visualization/cef-3c19f138-2ab3-4ecb-bb1b-86fb90158042.json deleted file mode 100755 index 563c47bef0..0000000000 --- a/packages/cef/2.3.2/kibana/visualization/cef-3c19f138-2ab3-4ecb-bb1b-86fb90158042.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "Device Type Breakdown [Logs CEF ArcSight]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Firewall Types\",\"field\":\"cef.extensions.categoryDeviceType\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":false,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"}},\"title\":\"Device Type Breakdown [Logs CEF ArcSight]\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-3c19f138-2ab3-4ecb-bb1b-86fb90158042", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "cef-68202a5c-c8f2-432f-8c08-04fbfacb95c8", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cef/2.3.2/kibana/visualization/cef-490c415c-b859-4ed0-a2a4-5c4968084985.json b/packages/cef/2.3.2/kibana/visualization/cef-490c415c-b859-4ed0-a2a4-5c4968084985.json deleted file mode 100755 index 5b43a8fe58..0000000000 --- a/packages/cef/2.3.2/kibana/visualization/cef-490c415c-b859-4ed0-a2a4-5c4968084985.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "Event Types by Size [Logs CEF]", - "uiStateJSON": "{\"vis\":{\"colors\":{\"Count\":\"#64B0C8\",\"Total (Bytes)\":\"#E24D42\"}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Event Type\",\"field\":\"cef.device.event_class_id\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":20},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Total (Bytes)\",\"field\":\"source.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"rotate\":75,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Event Type\"},\"type\":\"category\"}],\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"},\"valueAxis\":null},\"legendPosition\":\"right\",\"orderBucketsBySum\":false,\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"mode\":\"normal\",\"show\":\"true\",\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"},{\"data\":{\"id\":\"3\",\"label\":\"Total (Bytes)\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":3,\"mode\":\"normal\",\"show\":true,\"showCircles\":false,\"type\":\"line\",\"valueAxis\":\"ValueAxis-2\"}],\"times\":[],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"square 
root\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"},{\"id\":\"ValueAxis-2\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"RightAxis-1\",\"position\":\"right\",\"scale\":{\"mode\":\"normal\",\"type\":\"square root\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Total (Bytes)\"},\"type\":\"value\"}]},\"title\":\"Event Types by Size [Logs CEF]\",\"type\":\"histogram\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-490c415c-b859-4ed0-a2a4-5c4968084985", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "cef-5a3668ef-c2d5-4bd3-a545-e2a9963b721c", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cef/2.3.2/kibana/visualization/cef-4970ec04-796a-4c0e-90d9-7e23d0b7e48d.json b/packages/cef/2.3.2/kibana/visualization/cef-4970ec04-796a-4c0e-90d9-7e23d0b7e48d.json deleted file mode 100755 index 8192a37ebd..0000000000 --- a/packages/cef/2.3.2/kibana/visualization/cef-4970ec04-796a-4c0e-90d9-7e23d0b7e48d.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "Destination Ports by Outcomes [Logs CEF]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"destination.port\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":20},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"event.outcome\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"destination.port: Descending\"},\"type\":\"category\"}],\"defaultYExtents\":false,\"drawLinesBetweenPoints\":true,\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"legendPosition\":\"right\",\"radiusRatio\":9,\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"mode\":\"stacked\",\"show\":\"true\",\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"showCircles\":true,\"times\":[],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"defaultYExtents\":true,\"mode\":\"normal\",\"setYExtents\":false,\"type\":\"square root\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"value\"}]},\"title\":\"Destination Ports by Outcomes [Logs CEF]\",\"type\":\"histogram\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": 
"cef-4970ec04-796a-4c0e-90d9-7e23d0b7e48d", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "cef-41770860-2a81-4ce7-b8b4-a0c6970725b0", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cef/2.3.2/kibana/visualization/cef-499f50ba-2f84-4f7c-9021-73a4efc47921.json b/packages/cef/2.3.2/kibana/visualization/cef-499f50ba-2f84-4f7c-9021-73a4efc47921.json deleted file mode 100755 index a2085e9b19..0000000000 --- a/packages/cef/2.3.2/kibana/visualization/cef-499f50ba-2f84-4f7c-9021-73a4efc47921.json +++ /dev/null 
@@ -1,19 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Events by Outcome [Logs CEF ArcSight]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"background_color\":null,\"background_color_rules\":[{\"id\":\"2fddda5e-d6fc-4581-bbb7-574e1017ae8f\"}],\"bar_color_rules\":[{\"bar_color\":null,\"id\":\"23db5bf6-f787-474e-86ab-76362432e984\",\"value\":0}],\"drilldown_url\":\"\",\"drop_last_bucket\":1,\"filter\":{\"language\":\"lucene\",\"query\":\"cef.extensions.categoryDeviceType:\\\"Firewall\\\" OR cef.extensions.categoryDeviceGroup:\\\"/IDS/Network\\\" OR cef.extensions.categoryDeviceGroup:\\\"/VPN\\\"\"},\"gauge_color_rules\":[{\"id\":\"3ed9a6b9-fd2e-4e0d-bd83-7ad467b3c8a4\"}],\"gauge_inner_width\":10,\"gauge_style\":\"half\",\"gauge_width\":10,\"id\":\"ec53a1d3-213c-4b0f-a074-5005a84cdb83\",\"index_pattern\":\"logs-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(211,49,21,1)\",\"fill\":\"0\",\"filter\":{\"language\":\"lucene\",\"query\":\"(cef.extensions.categoryDeviceGroup:\\\"/Firewall\\\" OR cef.extensions.categoryDeviceGroup:\\\"/IDS/Network\\\" OR cef.extensions.categoryDeviceGroup:\\\"/VPN\\\") AND 
_exists_:cef.extensions.categoryOutcome\"},\"formatter\":\"number\",\"id\":\"04c44192-1112-4515-a8d9-e9e13215aecf\",\"label\":\"Events\",\"line_width\":\"3\",\"metrics\":[{\"id\":\"c5dbb050-fc10-4a0d-abe0-bc093db6cf0e\",\"type\":\"count\"},{\"alpha\":0.3,\"beta\":0.1,\"field\":\"c5dbb050-fc10-4a0d-abe0-bc093db6cf0e\",\"gamma\":0.3,\"id\":\"c43af7e6-3f06-48a4-a7c3-7ba8bd6214f9\",\"model_type\":\"simple\",\"multiplicative\":false,\"period\":1,\"type\":\"moving_average\",\"window\":\"10\"}],\"point_size\":\"0\",\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_filters\":[{\"color\":\"rgba(254,146,0,1)\",\"filter\":{\"language\":\"lucene\",\"query\":\"cef.extensions.categoryDeviceGroup:\\\"/Firewall\\\"\"},\"id\":\"4c7aac7d-2749-41b6-8136-40dc8636a7e7\",\"label\":\"Firewall\"}],\"split_mode\":\"filter\",\"stacked\":\"none\",\"steps\":0,\"terms_field\":\"observer.hostname\",\"terms_order_by\":null},{\"axis_position\":\"left\",\"chart_type\":\"bar\",\"color\":\"rgba(104,188,0,1)\",\"fill\":\"1\",\"formatter\":\"number\",\"id\":\"29d6131a-5143-4a64-b597-9538692f0269\",\"label\":\"Moving Average by Event 
Outcome\",\"line_width\":1,\"metrics\":[{\"id\":\"dc74afdf-64ad-47d6-bbed-114e09d12255\",\"type\":\"count\"}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_filters\":[{\"color\":\"rgba(104,188,0,0.35)\",\"filter\":{\"language\":\"lucene\",\"query\":\"cef.extensions.categoryOutcome:\\\"/Success\\\"\"},\"id\":\"cb1ae397-13a0-4b6f-a848-bcdc96870f05\",\"label\":\"Success\"},{\"color\":\"rgba(244,78,59,1)\",\"filter\":{\"language\":\"lucene\",\"query\":\"cef.extensions.categoryOutcome:\\\"/Failure\\\"\"},\"id\":\"ef021c15-1b95-4334-bc3c-e2950e9b0f6f\",\"label\":\"Failure\"},{\"color\":\"rgba(0,156,224,1)\",\"filter\":{\"language\":\"lucene\",\"query\":\"cef.extensions.categoryOutcome:\\\"/Attempt\\\"\"},\"id\":\"2ff1e859-b178-4824-a0f2-69a115932b98\",\"label\":\"Attempt\"}],\"split_mode\":\"filters\",\"stacked\":\"stacked\",\"terms_field\":\"cef.extensions.categoryOutcome\",\"terms_size\":\"3\"}],\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Events by Outcome [Logs CEF ArcSight]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-499f50ba-2f84-4f7c-9021-73a4efc47921", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cef/2.3.2/kibana/visualization/cef-4a7c10c7-4abd-47b4-b4c3-dee33377fbdf.json b/packages/cef/2.3.2/kibana/visualization/cef-4a7c10c7-4abd-47b4-b4c3-dee33377fbdf.json deleted file mode 100755 index 0614970e4b..0000000000 --- a/packages/cef/2.3.2/kibana/visualization/cef-4a7c10c7-4abd-47b4-b4c3-dee33377fbdf.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "Top 10 Destinations [Logs CEF ArcSight]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Destination Hosts\",\"field\":\"destination.domain\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"maxFontSize\":60,\"minFontSize\":10,\"orientation\":\"single\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"linear\"},\"title\":\"Top 10 Destinations [Logs CEF ArcSight]\",\"type\":\"tagcloud\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-4a7c10c7-4abd-47b4-b4c3-dee33377fbdf", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "cef-e6cf2383-71f4-4db1-a791-1a7d4f110194", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cef/2.3.2/kibana/visualization/cef-4c86b51e-6886-4484-98a2-508e92b455bb.json b/packages/cef/2.3.2/kibana/visualization/cef-4c86b51e-6886-4484-98a2-508e92b455bb.json deleted file mode 100755 index 468d364c92..0000000000 --- a/packages/cef/2.3.2/kibana/visualization/cef-4c86b51e-6886-4484-98a2-508e92b455bb.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "Endpoint OS Metrics Overview [Logs CEF]", - "uiStateJSON": "{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Total Events\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"6\",\"params\":{\"customLabel\":\"Devices\",\"field\":\"observer.hostname\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"7\",\"params\":{\"customLabel\":\"Event Types\",\"field\":\"event.action\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"8\",\"params\":{\"customLabel\":\"Event Outcomes\",\"field\":\"event.outcome\"},\"schema\":\"metric\",\"type\":\"cardinality\"}],\"listeners\":{},\"params\":{\"addLegend\":false,\"addTooltip\":true,\"fontSize\":\"30\",\"gauge\":{\"autoExtend\":false,\"backStyle\":\"Full\",\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":100}],\"gaugeColorMode\":\"None\",\"gaugeStyle\":\"Full\",\"gaugeType\":\"Metric\",\"invertColors\":false,\"labels\":{\"color\":\"black\",\"show\":true},\"orientation\":\"vertical\",\"percentageMode\":false,\"scale\":{\"color\":\"#333\",\"labels\":false,\"show\":false,\"width\":2},\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":\"20\",\"labelColor\":false,\"subText\":\"\"},\"type\":\"simple\",\"useRange\":false,\"verticalSplit\":false},\"handleNoResults\":true,\"type\":\"gauge\"},\"title\":\"Endpoint OS Metrics Overview [Logs CEF]\",\"type\":\"metric\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-4c86b51e-6886-4484-98a2-508e92b455bb", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "cef-46204a7b-ca56-4ad7-bf60-5ef9c6b83042", - "name": "search_0", - "type": "search" - } - ], - "type": 
"visualization" -} \ No newline at end of file diff --git a/packages/cef/2.3.2/kibana/visualization/cef-4e25b5ce-53c3-46fc-b5e5-71d3c52f1956.json b/packages/cef/2.3.2/kibana/visualization/cef-4e25b5ce-53c3-46fc-b5e5-71d3c52f1956.json deleted file mode 100755 index b0e9b3c257..0000000000 --- a/packages/cef/2.3.2/kibana/visualization/cef-4e25b5ce-53c3-46fc-b5e5-71d3c52f1956.json +++ /dev/null @@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "Top 10 Sources [Logs CEF ArcSight]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Source Hosts\",\"field\":\"source.domain\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"maxFontSize\":60,\"minFontSize\":10,\"orientation\":\"single\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"linear\"},\"title\":\"Top 10 Sources [Logs CEF ArcSight]\",\"type\":\"tagcloud\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-4e25b5ce-53c3-46fc-b5e5-71d3c52f1956", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "cef-e6cf2383-71f4-4db1-a791-1a7d4f110194", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cef/2.3.2/kibana/visualization/cef-535a7bf8-a701-4016-86c0-038bc6d9d069.json b/packages/cef/2.3.2/kibana/visualization/cef-535a7bf8-a701-4016-86c0-038bc6d9d069.json deleted file mode 100755 index 8a11a9886a..0000000000 --- a/packages/cef/2.3.2/kibana/visualization/cef-535a7bf8-a701-4016-86c0-038bc6d9d069.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "Top 10 Source Countries by Events [Logs CEF]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Total Events\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Source Country\",\"field\":\"source.geo.country_iso_code\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Source Addresses\",\"field\":\"source.ip\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Destination Addresses\",\"field\":\"destination.ip\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"5\",\"params\":{\"customLabel\":\"Destination Ports\",\"field\":\"destination.port\"},\"schema\":\"metric\",\"type\":\"cardinality\"}],\"listeners\":{},\"params\":{\"perPage\":10,\"showMeticsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Top 10 Source Countries by Events [Logs CEF]\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-535a7bf8-a701-4016-86c0-038bc6d9d069", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "cef-357351f2-fbd1-41b6-9b03-592fbb7aec7c", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/cef/2.3.2/kibana/visualization/cef-56247c19-7aa5-475d-b074-5b0cd4794f0c.json b/packages/cef/2.3.2/kibana/visualization/cef-56247c19-7aa5-475d-b074-5b0cd4794f0c.json deleted file mode 100755 index 4ad4b41dc5..0000000000 --- a/packages/cef/2.3.2/kibana/visualization/cef-56247c19-7aa5-475d-b074-5b0cd4794f0c.json +++ /dev/null @@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "Top 10 Source Users [Logs CEF]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Source Users\",\"field\":\"source.user.name\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"maxFontSize\":60,\"minFontSize\":10,\"orientation\":\"single\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"linear\"},\"title\":\"Top 10 Source Users [Logs CEF]\",\"type\":\"tagcloud\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-56247c19-7aa5-475d-b074-5b0cd4794f0c", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "cef-46204a7b-ca56-4ad7-bf60-5ef9c6b83042", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cef/2.3.2/kibana/visualization/cef-566d8b4e-ec5c-4b8b-bd68-3cc9cb236110.json b/packages/cef/2.3.2/kibana/visualization/cef-566d8b4e-ec5c-4b8b-bd68-3cc9cb236110.json deleted file mode 100755 index 5c7272c0cb..0000000000 --- a/packages/cef/2.3.2/kibana/visualization/cef-566d8b4e-ec5c-4b8b-bd68-3cc9cb236110.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "Top Destinations by Traffic Size [Logs CEF ArcSight]", - "uiStateJSON": "{\"vis\":{\"defaultColors\":{\"0 - 18k\":\"rgb(247,251,255)\",\"108k - 126k\":\"rgb(74,152,201)\",\"126k - 144k\":\"rgb(46,126,188)\",\"144k - 162k\":\"rgb(23,100,171)\",\"162k - 180k\":\"rgb(8,74,145)\",\"18k - 36k\":\"rgb(227,238,249)\",\"36k - 54k\":\"rgb(208,225,242)\",\"54k - 72k\":\"rgb(182,212,233)\",\"72k - 90k\":\"rgb(148,196,223)\",\"90k - 108k\":\"rgb(107,174,214)\"}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Bytes\",\"field\":\"source.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"filters\":[{\"input\":{\"language\":\"lucene\",\"query\":\"deviceDirection:\\\"0\\\"\"},\"label\":\"Inbound\"},{\"input\":{\"language\":\"lucene\",\"query\":\"deviceDirection:\\\"1\\\"\"},\"label\":\"Outbound\"}]},\"schema\":\"segment\",\"type\":\"filters\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"destination.domain\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":10},\"schema\":\"group\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTooltip\":true,\"colorSchema\":\"Blues\",\"colorsNumber\":10,\"colorsRange\":[{\"from\":0,\"to\":null}],\"enableHover\":true,\"invertColors\":false,\"legendPosition\":\"top\",\"percentageMode\":false,\"setColorRange\":false,\"times\":[],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"color\":\"#555\",\"rotate\":0,\"show\":false},\"scale\":{\"defaultYExtents\":false,\"type\":\"linear\"},\"show\":false,\"type\":\"value\"}]},\"title\":\"Top Destinations by Traffic Size [Logs CEF ArcSight]\",\"type\":\"heatmap\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-566d8b4e-ec5c-4b8b-bd68-3cc9cb236110", - "migrationVersion": { - "visualization": 
"8.0.0" - }, - "references": [ - { - "id": "cef-f85a3444-8a43-4e46-b872-4e44bc25d0f3", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cef/2.3.2/kibana/visualization/cef-589fec8c-336e-4122-8fef-a450bddf84f6.json b/packages/cef/2.3.2/kibana/visualization/cef-589fec8c-336e-4122-8fef-a450bddf84f6.json deleted file mode 100755 index bb3e848ce7..0000000000 --- a/packages/cef/2.3.2/kibana/visualization/cef-589fec8c-336e-4122-8fef-a450bddf84f6.json +++ /dev/null @@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "Top 10 Source Addresses [Logs CEF ArcSight]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Source Addresses\",\"field\":\"source.ip\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"maxFontSize\":72,\"minFontSize\":18,\"orientation\":\"single\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"linear\"},\"title\":\"Top 10 Source Addresses [Logs CEF ArcSight]\",\"type\":\"tagcloud\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-589fec8c-336e-4122-8fef-a450bddf84f6", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "cef-68202a5c-c8f2-432f-8c08-04fbfacb95c8", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cef/2.3.2/kibana/visualization/cef-59ad829b-12b8-4256-95a5-e7078eda628b.json b/packages/cef/2.3.2/kibana/visualization/cef-59ad829b-12b8-4256-95a5-e7078eda628b.json deleted file mode 100755 index 38ac936b78..0000000000 
--- a/packages/cef/2.3.2/kibana/visualization/cef-59ad829b-12b8-4256-95a5-e7078eda628b.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "Source Users by Event Type and Destination Users [Logs CEF ArcSight]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Source Users\",\"field\":\"source.user.name\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":20},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Event Types\",\"field\":\"cef.extensions.categoryBehavior\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Destination User Names\",\"field\":\"destination.user.name\"},\"schema\":\"metric\",\"type\":\"cardinality\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Source Users\"},\"type\":\"category\"}],\"defaultYExtents\":false,\"drawLinesBetweenPoints\":true,\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"legendPosition\":\"right\",\"radiusRatio\":9,\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"mode\":\"stacked\",\"show\":\"true\",\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"},{\"data\":{\"id\":\"3\",\"label\":\"Event Types\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"stacked\",\"show\":true,\"showCircles\":true,\"type\":\"line\",\"valueAxis\":\"ValueAxis-2\"},{\"data\":{\"id\":\"4\",\"label\":\"Destination User 
Names\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"stacked\",\"show\":true,\"showCircles\":true,\"type\":\"line\",\"valueAxis\":\"ValueAxis-2\"}],\"setYExtents\":false,\"showCircles\":true,\"times\":[],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"square root\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"},{\"id\":\"ValueAxis-2\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"RightAxis-1\",\"position\":\"right\",\"scale\":{\"mode\":\"normal\",\"type\":\"square root\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"\"},\"type\":\"value\"}]},\"title\":\"Source Users by Event Type and Destination Users [Logs CEF ArcSight]\",\"type\":\"histogram\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-59ad829b-12b8-4256-95a5-e7078eda628b", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "cef-e6cf2383-71f4-4db1-a791-1a7d4f110194", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cef/2.3.2/kibana/visualization/cef-5bf6e4dc-4273-4e1e-a803-04347eebeb53.json b/packages/cef/2.3.2/kibana/visualization/cef-5bf6e4dc-4273-4e1e-a803-04347eebeb53.json deleted file mode 100755 index 558660d19f..0000000000 --- a/packages/cef/2.3.2/kibana/visualization/cef-5bf6e4dc-4273-4e1e-a803-04347eebeb53.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "Outcomes by User Names [Logs CEF ArcSight]", - "uiStateJSON": "{\"vis\":{\"colors\":{\"/Informational\":\"#7EB26D\",\"/Informational/Warning\":\"#EF843C\",\"/Success\":\"#64B0C8\",\"Anti-Virus\":\"#B7DBAB\",\"Host-based IDS/IPS\":\"#629E51\",\"Log Consolidator\":\"#E0F9D7\",\"Operating System\":\"#3F6833\",\"Recon\":\"#BF1B00\",\"Security Mangement\":\"#CFFAFF\"},\"legendOpen\":true}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"exclude\":\"Network-based IDS/IPS\",\"field\":\"cef.extensions.categoryDeviceType\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"cef.extensions.categoryOutcome\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"6\",\"params\":{\"field\":\"destination.user.name\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":false,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"}},\"title\":\"Outcomes by User Names [Logs CEF ArcSight]\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-5bf6e4dc-4273-4e1e-a803-04347eebeb53", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "cef-5cede2d3-20fe-4140-add4-4c4f841b71a2", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/cef/2.3.2/kibana/visualization/cef-5f187dc8-aa7e-4f91-a2d8-1186ce254d00.json b/packages/cef/2.3.2/kibana/visualization/cef-5f187dc8-aa7e-4f91-a2d8-1186ce254d00.json deleted file mode 100755 index 0a393d6652..0000000000 --- a/packages/cef/2.3.2/kibana/visualization/cef-5f187dc8-aa7e-4f91-a2d8-1186ce254d00.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "Events by Source and Destination Users [Logs CEF ArcSight]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Event Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Timestamp\",\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Source Users\",\"field\":\"source.user.name\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Destination Users\",\"field\":\"destination.user.name\"},\"schema\":\"metric\",\"type\":\"cardinality\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Timestamp\"},\"type\":\"category\"}],\"defaultYExtents\":false,\"drawLinesBetweenPoints\":true,\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"legendPosition\":\"right\",\"radiusRatio\":9,\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Event Count\"},\"drawLinesBetweenPoints\":true,\"mode\":\"stacked\",\"show\":\"true\",\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"},{\"data\":{\"id\":\"3\",\"label\":\"Source Users\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":3,\"mode\":\"normal\",\"show\":true,\"showCircles\":true,\"type\":\"line\",\"valueAxis\":\"ValueAxis-2\"},{\"data\":{\"id\":\"4\",\"label\":\"Destination 
Users\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":3,\"mode\":\"normal\",\"show\":true,\"showCircles\":true,\"type\":\"line\",\"valueAxis\":\"ValueAxis-2\"}],\"setYExtents\":false,\"showCircles\":true,\"times\":[],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Event Count\"},\"type\":\"value\"},{\"id\":\"ValueAxis-2\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"RightAxis-1\",\"position\":\"right\",\"scale\":{\"mode\":\"normal\",\"type\":\"square root\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"\"},\"type\":\"value\"}]},\"title\":\"Events by Source and Destination Users [Logs CEF ArcSight]\",\"type\":\"histogram\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-5f187dc8-aa7e-4f91-a2d8-1186ce254d00", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "cef-e6cf2383-71f4-4db1-a791-1a7d4f110194", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cef/2.3.2/kibana/visualization/cef-62b06e9a-b8d2-4dfe-8dc6-4378331520aa.json b/packages/cef/2.3.2/kibana/visualization/cef-62b06e9a-b8d2-4dfe-8dc6-4378331520aa.json deleted file mode 100755 index 6b2188bd73..0000000000 --- a/packages/cef/2.3.2/kibana/visualization/cef-62b06e9a-b8d2-4dfe-8dc6-4378331520aa.json +++ /dev/null 
@@ -1,19 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Network - Event Throughput [Logs CEF]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"background_color_rules\":[{\"id\":\"3eadd451-5033-423f-88e3-814cc5e50b50\"}],\"bar_color_rules\":[{\"id\":\"8d4596c5-49ad-429b-af54-5451b1c2e8d4\"}],\"drop_last_bucket\":1,\"filter\":{\"language\":\"lucene\",\"query\":\"cef.extensions.categoryDeviceType:\\\"Firewall\\\" OR cef.extensions.categoryDeviceGroup:\\\"/IDS/Network\\\" OR cef.extensions.categoryDeviceGroup:\\\"/VPN\\\" \"},\"gauge_color_rules\":[{\"gauge\":null,\"id\":\"4d957654-cc7e-4ef3-8b29-61c0aeadd51a\",\"value\":0}],\"gauge_inner_width\":10,\"gauge_max\":\"\",\"gauge_style\":\"half\",\"gauge_width\":10,\"hide_last_value_indicator\":true,\"id\":\"73968651-c41e-473e-a153-a025f49d1a1b\",\"index_pattern\":\"logs-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(0,156,224,1)\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"90d7621e-3265-4fe8-8882-8df9605ea659\",\"label\":\"Event 
Throughput\",\"line_width\":1,\"metrics\":[{\"id\":\"ba1830b9-9ce3-4bf1-8f4d-f7478b7f1bba\",\"type\":\"count\"},{\"field\":\"ba1830b9-9ce3-4bf1-8f4d-f7478b7f1bba\",\"id\":\"ca3a65d0-9f3d-42a9-9f4e-16f9e24cba19\",\"type\":\"cumulative_sum\"},{\"field\":\"ca3a65d0-9f3d-42a9-9f4e-16f9e24cba19\",\"id\":\"6db67bc1-7fff-47e7-a931-f797b1f76732\",\"type\":\"derivative\",\"unit\":\"1s\"},{\"alpha\":0.3,\"beta\":0.1,\"field\":\"6db67bc1-7fff-47e7-a931-f797b1f76732\",\"gamma\":0.3,\"id\":\"92bc1447-2b30-498c-ae8a-c67904fc82b2\",\"model_type\":\"simple\",\"multiplicative\":false,\"period\":1,\"type\":\"moving_average\",\"window\":\"10\"}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\",\"value_template\":\"{{value}} / s\"}],\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"gauge\",\"use_kibana_indexes\":false},\"title\":\"Network - Event Throughput [Logs CEF]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-62b06e9a-b8d2-4dfe-8dc6-4378331520aa", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cef/2.3.2/kibana/visualization/cef-6437e9bb-9ed1-4e2d-bb10-e63ccd35c409.json b/packages/cef/2.3.2/kibana/visualization/cef-6437e9bb-9ed1-4e2d-bb10-e63ccd35c409.json deleted file mode 100755 index cc03e710d3..0000000000 --- a/packages/cef/2.3.2/kibana/visualization/cef-6437e9bb-9ed1-4e2d-bb10-e63ccd35c409.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "Top 10 Source Users by Destination Users [Logs CEF ArcSight]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Source Users\",\"field\":\"source.user.name\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Destination Users\",\"field\":\"destination.user.name\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"legendPosition\":\"bottom\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"}},\"title\":\"Top 10 Source Users by Destination Users [Logs CEF ArcSight]\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-6437e9bb-9ed1-4e2d-bb10-e63ccd35c409", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "cef-e6cf2383-71f4-4db1-a791-1a7d4f110194", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cef/2.3.2/kibana/visualization/cef-655beadd-2678-4495-8793-72b5780f6283.json b/packages/cef/2.3.2/kibana/visualization/cef-655beadd-2678-4495-8793-72b5780f6283.json deleted file mode 100755 index bee1ff9470..0000000000 --- a/packages/cef/2.3.2/kibana/visualization/cef-655beadd-2678-4495-8793-72b5780f6283.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "Top 10 Source Addresses [Logs CEF]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Source Addresses\",\"field\":\"source.ip\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"maxFontSize\":72,\"minFontSize\":18,\"orientation\":\"single\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"linear\"},\"title\":\"Top 10 Source Addresses [Logs CEF]\",\"type\":\"tagcloud\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-655beadd-2678-4495-8793-72b5780f6283", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "cef-357351f2-fbd1-41b6-9b03-592fbb7aec7c", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cef/2.3.2/kibana/visualization/cef-677891a1-90c4-4273-b126-f0e54689bd76.json b/packages/cef/2.3.2/kibana/visualization/cef-677891a1-90c4-4273-b126-f0e54689bd76.json deleted file mode 100755 index 834908bc67..0000000000 --- a/packages/cef/2.3.2/kibana/visualization/cef-677891a1-90c4-4273-b126-f0e54689bd76.json +++ /dev/null 
@@ -1,19 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"query_string\":{\"query\":\"*\"}}}" - }, - "title": " Dashboard Navigation [Logs CEF ArcSight]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"markdown\":\"[Network Overview](#/dashboard/cef-dd0bc9af-2e89-4150-9b42-62517ea56b71) | [Network Suspicious Activity](#/dashboard/cef-db1e1aca-279e-4ecc-b84e-fe58644f7619) | [Endpoint Overview](#dashboard/cef-c10ce1cf-f6b8-4de4-8715-2cb5f6770b3b) | [Endpoint OS Activity](#/dashboard/cef-9e352900-89c3-4c1b-863e-249e24d0dac9) | [Microsoft DNS Overview](#/dashboard/cef-56428e01-0c47-4770-8ba4-9345a029ea41)\"},\"title\":\" Dashboard Navigation [Logs CEF ArcSight]\",\"type\":\"markdown\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-677891a1-90c4-4273-b126-f0e54689bd76", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cef/2.3.2/kibana/visualization/cef-718b074e-3dd1-4d03-ba11-7f869cdcd703.json b/packages/cef/2.3.2/kibana/visualization/cef-718b074e-3dd1-4d03-ba11-7f869cdcd703.json deleted file mode 100755 index 9518a579c1..0000000000 --- a/packages/cef/2.3.2/kibana/visualization/cef-718b074e-3dd1-4d03-ba11-7f869cdcd703.json +++ /dev/null 
@@ -1,19 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Events by Device [Logs CEF ArcSight]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"drop_last_bucket\":1,\"filter\":{\"language\":\"lucene\",\"query\":\"cef.extensions.categoryDeviceGroup:\\\"/Operating System\\\" OR cef.extensions.categoryDeviceGroup:\\\"/IDS/Host\\\" OR cef.extensions.categoryDeviceGroup:\\\"/Application\\\"\"},\"id\":\"fd1ffeb6-678e-4163-9421-6a164fd59048\",\"index_pattern\":\"logs-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(254,37,37,1)\",\"fill\":\"0\",\"formatter\":\"number\",\"id\":\"6a10f77d-4e26-4b27-9c19-f1b0029b075b\",\"label\":\"Events\",\"line_width\":\"3\",\"metrics\":[{\"id\":\"845b9164-65f4-4599-b9cc-8d91b6ba8d83\",\"type\":\"count\"},{\"alpha\":0.3,\"beta\":0.1,\"field\":\"845b9164-65f4-4599-b9cc-8d91b6ba8d83\",\"gamma\":0.3,\"id\":\"59675e84-1a8e-41df-9f63-875109bd795a\",\"model_type\":\"simple\",\"multiplicative\":false,\"period\":1,\"type\":\"moving_average\",\"window\":\"10\"}],\"point_size\":1,\"seperate_axis\":1,\"split_color_mode\":\"gradient\",\"split_filters\":[{\"color\":\"rgba(244,78,59,1)\",\"filter\":{\"language\":\"lucene\",\"query\":\"cef.extensions.categoryDeviceGroup:\\\"/Operating System\\\" \"},\"id\":\"d9a580c3-eb83-4d20-a391-0934d7df8837\",\"label\":\"Operating System\"},{\"color\":\"rgba(254,146,0,1)\",\"filter\":{\"language\":\"lucene\",\"query\":\" cef.extensions.categoryDeviceGroup:\\\"/IDS/Host\\\"\"},\"id\":\"9ce8be14-6191-4c9a-a679-e3992fdab8d2\",\"label\":\"Host 
IDS\"},{\"color\":\"rgba(252,220,0,1)\",\"filter\":{\"language\":\"lucene\",\"query\":\"cef.extensions.categoryDeviceGroup:\\\"/Application\\\"\"},\"id\":\"262ecd54-a042-4bfb-b489-d7db8431c36e\",\"label\":\"Application\"}],\"split_mode\":\"filters\",\"stacked\":\"none\"},{\"axis_position\":\"left\",\"chart_type\":\"bar\",\"color\":\"rgba(0,156,224,1)\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"92e98952-8e25-472f-abb5-05a7d9b830ea\",\"label\":\"Moving Average by Device HostNames\",\"line_width\":1,\"metrics\":[{\"id\":\"3df841a9-5997-4a1a-ad8f-69620d23e65b\",\"type\":\"count\"},{\"alpha\":0.3,\"beta\":0.1,\"field\":\"3df841a9-5997-4a1a-ad8f-69620d23e65b\",\"gamma\":0.3,\"id\":\"9765367a-0fc2-45ba-88a8-e87991210edd\",\"model_type\":\"simple\",\"multiplicative\":false,\"period\":1,\"type\":\"moving_average\",\"window\":\"10\"}],\"point_size\":1,\"seperate_axis\":1,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"observer.hostname\"}],\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Events by Device [Logs CEF ArcSight]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-718b074e-3dd1-4d03-ba11-7f869cdcd703", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cef/2.3.2/kibana/visualization/cef-7454c034-c5f3-48fe-8fce-ef4385c80350.json b/packages/cef/2.3.2/kibana/visualization/cef-7454c034-c5f3-48fe-8fce-ef4385c80350.json deleted file mode 100755 index c978cbecff..0000000000 --- a/packages/cef/2.3.2/kibana/visualization/cef-7454c034-c5f3-48fe-8fce-ef4385c80350.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "Endpoint Metrics Overview [Logs CEF ArcSight]", - "uiStateJSON": "{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Event Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Devices\",\"field\":\"observer.hostname\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Source\",\"field\":\"source.ip\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Destination\",\"field\":\"destination.ip\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"5\",\"params\":{\"customLabel\":\"Port\",\"field\":\"destination.port\"},\"schema\":\"metric\",\"type\":\"cardinality\"}],\"listeners\":{},\"params\":{\"addLegend\":false,\"addTooltip\":true,\"fontSize\":\"30\",\"gauge\":{\"autoExtend\":false,\"backStyle\":\"Full\",\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":100}],\"gaugeColorMode\":\"None\",\"gaugeStyle\":\"Full\",\"gaugeType\":\"Metric\",\"invertColors\":false,\"labels\":{\"color\":\"black\",\"show\":true},\"orientation\":\"vertical\",\"percentageMode\":false,\"scale\":{\"color\":\"#333\",\"labels\":false,\"show\":false,\"width\":2},\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":\"12\",\"labelColor\":false,\"subText\":\"\"},\"type\":\"simple\",\"useRange\":false,\"verticalSplit\":false},\"handleNoResults\":true,\"type\":\"gauge\"},\"title\":\"Endpoint Metrics Overview [Logs CEF ArcSight]\",\"type\":\"metric\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-7454c034-c5f3-48fe-8fce-ef4385c80350", - "migrationVersion": { - "visualization": 
"8.0.0" - }, - "references": [ - { - "id": "cef-5cede2d3-20fe-4140-add4-4c4f841b71a2", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cef/2.3.2/kibana/visualization/cef-74d2c072-6dfd-4249-8e63-dc7b0cf3c960.json b/packages/cef/2.3.2/kibana/visualization/cef-74d2c072-6dfd-4249-8e63-dc7b0cf3c960.json deleted file mode 100755 index dc2ddd1c89..0000000000 --- a/packages/cef/2.3.2/kibana/visualization/cef-74d2c072-6dfd-4249-8e63-dc7b0cf3c960.json +++ /dev/null @@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "Top 5 Source Countries [Logs CEF ArcSight]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"source.geo.country_iso_code\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":20},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"maxFontSize\":72,\"minFontSize\":18,\"orientation\":\"single\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"linear\"},\"title\":\"Top 5 Source Countries [Logs CEF ArcSight]\",\"type\":\"tagcloud\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-74d2c072-6dfd-4249-8e63-dc7b0cf3c960", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "cef-5cede2d3-20fe-4140-add4-4c4f841b71a2", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cef/2.3.2/kibana/visualization/cef-759e8dc3-0fdb-4cb6-ba47-87a2e2ff8df3.json b/packages/cef/2.3.2/kibana/visualization/cef-759e8dc3-0fdb-4cb6-ba47-87a2e2ff8df3.json deleted file mode 100755 index 09e0d6ff6a..0000000000 
--- a/packages/cef/2.3.2/kibana/visualization/cef-759e8dc3-0fdb-4cb6-ba47-87a2e2ff8df3.json +++ /dev/null @@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "Top 10 Event Types [Logs CEF ArcSight]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"cef.device.event_class_id\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"maxFontSize\":50,\"minFontSize\":12,\"orientation\":\"single\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"square root\"},\"title\":\"Top 10 Event Types [Logs CEF ArcSight]\",\"type\":\"tagcloud\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-759e8dc3-0fdb-4cb6-ba47-87a2e2ff8df3", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "cef-f85a3444-8a43-4e46-b872-4e44bc25d0f3", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cef/2.3.2/kibana/visualization/cef-769e3f37-2b08-4edb-9013-09140a520e69.json b/packages/cef/2.3.2/kibana/visualization/cef-769e3f37-2b08-4edb-9013-09140a520e69.json deleted file mode 100755 index 4600411dab..0000000000 --- a/packages/cef/2.3.2/kibana/visualization/cef-769e3f37-2b08-4edb-9013-09140a520e69.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "Top 10 Destination Addresses [Logs CEF]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Destination Addresses\",\"field\":\"destination.ip\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"maxFontSize\":72,\"minFontSize\":18,\"orientation\":\"single\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"linear\"},\"title\":\"Top 10 Destination Addresses [Logs CEF]\",\"type\":\"tagcloud\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-769e3f37-2b08-4edb-9013-09140a520e69", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "cef-357351f2-fbd1-41b6-9b03-592fbb7aec7c", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cef/2.3.2/kibana/visualization/cef-76c088c3-486e-4420-8840-5ede667edffe.json b/packages/cef/2.3.2/kibana/visualization/cef-76c088c3-486e-4420-8840-5ede667edffe.json deleted file mode 100755 index 7ba2b39a50..0000000000 --- a/packages/cef/2.3.2/kibana/visualization/cef-76c088c3-486e-4420-8840-5ede667edffe.json +++ /dev/null 
@@ -1,19 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Endpoint - OS Average EPS [Logs CEF ArcSight]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"bar_color_rules\":[{\"id\":\"ce9549a0-3af0-4070-b169-4b6d145d4c39\"}],\"drop_last_bucket\":1,\"filter\":{\"language\":\"lucene\",\"query\":\"cef.extensions.categoryDeviceGroup:\\\"/Operating System\\\"\"},\"gauge_color_rules\":[{\"id\":\"03a2fd72-fc9c-4582-9133-20af36217180\"}],\"gauge_inner_width\":10,\"gauge_style\":\"half\",\"gauge_width\":10,\"hide_last_value_indicator\":true,\"id\":\"94161c6c-4f48-4beb-9d78-f79f29c02a34\",\"index_pattern\":\"logs-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(0,156,224,1)\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"b4373ffd-9660-4206-afd6-d4867ac7dbdf\",\"label\":\"Event Throughput\",\"line_width\":1,\"metrics\":[{\"id\":\"b1a48389-d799-4eba-8b98-7ee8ef0bb440\",\"type\":\"count\"},{\"field\":\"b1a48389-d799-4eba-8b98-7ee8ef0bb440\",\"id\":\"89f8286e-4aec-4cb4-83ad-b139692edf3d\",\"type\":\"cumulative_sum\"},{\"field\":\"89f8286e-4aec-4cb4-83ad-b139692edf3d\",\"id\":\"1df39e5f-3e98-4ed7-ab08-47f3ca2ee915\",\"type\":\"derivative\",\"unit\":\"1s\"},{\"alpha\":0.3,\"beta\":0.1,\"field\":\"1df39e5f-3e98-4ed7-ab08-47f3ca2ee915\",\"gamma\":0.3,\"id\":\"f46a6e6e-444f-4c7e-b5eb-e1a59568f2eb\",\"model_type\":\"simple\",\"multiplicative\":false,\"period\":1,\"type\":\"moving_average\",\"window\":\"10\"}],\"offset_time\":\"1m\",\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\",\"value_template\":\"{{value}} / s\"}],\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"gauge\",\"use_kibana_indexes\":false},\"title\":\"Endpoint - OS Average EPS [Logs CEF 
ArcSight]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-76c088c3-486e-4420-8840-5ede667edffe", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cef/2.3.2/kibana/visualization/cef-77ee0e91-010b-4897-b483-7e9a907d2afe.json b/packages/cef/2.3.2/kibana/visualization/cef-77ee0e91-010b-4897-b483-7e9a907d2afe.json deleted file mode 100755 index fa5dcd2adc..0000000000 --- a/packages/cef/2.3.2/kibana/visualization/cef-77ee0e91-010b-4897-b483-7e9a907d2afe.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "Top 10 Behaviors by Outcome [Logs CEF ArcSight]", - "uiStateJSON": "{\"vis\":{\"defaultColors\":{\"0 - 9,000\":\"rgb(255,255,204)\",\"18,000 - 27,000\":\"rgb(254,225,135)\",\"27,000 - 36,000\":\"rgb(254,201,101)\",\"36,000 - 45,000\":\"rgb(254,171,73)\",\"45,000 - 54,000\":\"rgb(253,141,60)\",\"54,000 - 63,000\":\"rgb(252,91,46)\",\"63,000 - 72,000\":\"rgb(237,47,34)\",\"72,000 - 81,000\":\"rgb(212,16,32)\",\"81,000 - 90,000\":\"rgb(176,0,38)\",\"9,000 - 18,000\":\"rgb(255,241,170)\"}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Event Type\",\"field\":\"cef.extensions.categoryBehavior\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Event Outcome\",\"field\":\"cef.extensions.categoryOutcome\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTooltip\":true,\"colorSchema\":\"Yellow to Red\",\"colorsNumber\":10,\"colorsRange\":[],\"enableHover\":true,\"invertColors\":false,\"legendPosition\":\"right\",\"percentageMode\":false,\"setColorRange\":false,\"times\":[],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"color\":\"#555\",\"rotate\":0,\"show\":false},\"scale\":{\"defaultYExtents\":false,\"type\":\"linear\"},\"show\":false,\"type\":\"value\"}]},\"title\":\"Top 10 Behaviors by Outcome [Logs CEF ArcSight]\",\"type\":\"heatmap\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-77ee0e91-010b-4897-b483-7e9a907d2afe", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": 
"cef-e6cf2383-71f4-4db1-a791-1a7d4f110194", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cef/2.3.2/kibana/visualization/cef-7dc26e6f-76d4-4454-99a9-6ccbba8948f0.json b/packages/cef/2.3.2/kibana/visualization/cef-7dc26e6f-76d4-4454-99a9-6ccbba8948f0.json deleted file mode 100755 index 872327564c..0000000000 --- a/packages/cef/2.3.2/kibana/visualization/cef-7dc26e6f-76d4-4454-99a9-6ccbba8948f0.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "Top 15 Event Types by Events [Logs CEF]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Event Types\",\"field\":\"event.action\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":15},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Source Users\",\"field\":\"source.user.name\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Destination Users\",\"field\":\"destination.user.name\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"5\",\"params\":{\"customLabel\":\"Source Hosts\",\"field\":\"source.domain\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"6\",\"params\":{\"customLabel\":\"Destination Hosts\",\"field\":\"destination.domain\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"}],\"listeners\":{},\"params\":{\"perPage\":15,\"showMeticsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Top 15 Event Types by Events [Logs CEF]\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-7dc26e6f-76d4-4454-99a9-6ccbba8948f0", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "cef-46204a7b-ca56-4ad7-bf60-5ef9c6b83042", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/cef/2.3.2/kibana/visualization/cef-7e2b0659-0760-4182-8b29-3ee69f26bc6f.json b/packages/cef/2.3.2/kibana/visualization/cef-7e2b0659-0760-4182-8b29-3ee69f26bc6f.json deleted file mode 100755 index 86943ae981..0000000000 --- a/packages/cef/2.3.2/kibana/visualization/cef-7e2b0659-0760-4182-8b29-3ee69f26bc6f.json +++ /dev/null 
@@ -1,19 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "DNS - Event Throughput [Logs CEF ArcSight]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"background_color_rules\":[{\"id\":\"3eadd451-5033-423f-88e3-814cc5e50b50\"}],\"bar_color_rules\":[{\"id\":\"fa374805-d1ca-4261-b723-9b482a7dd43a\"}],\"drop_last_bucket\":1,\"filter\":{\"language\":\"lucene\",\"query\":\"cef.device.product:\\\"DNS Trace Log\\\"\"},\"gauge_color_rules\":[{\"gauge\":null,\"id\":\"4d957654-cc7e-4ef3-8b29-61c0aeadd51a\",\"value\":0}],\"gauge_inner_width\":10,\"gauge_max\":\"\",\"gauge_style\":\"half\",\"gauge_width\":10,\"hide_last_value_indicator\":true,\"id\":\"73968651-c41e-473e-a153-a025f49d1a1b\",\"index_pattern\":\"logs-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(0,156,224,1)\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"90d7621e-3265-4fe8-8882-8df9605ea659\",\"label\":\"Event Throughput\",\"line_width\":1,\"metrics\":[{\"id\":\"ba1830b9-9ce3-4bf1-8f4d-f7478b7f1bba\",\"type\":\"count\"},{\"field\":\"ba1830b9-9ce3-4bf1-8f4d-f7478b7f1bba\",\"id\":\"cf3e6b1c-4136-4868-913e-0e82d88a8c9c\",\"type\":\"cumulative_sum\"},{\"field\":\"cf3e6b1c-4136-4868-913e-0e82d88a8c9c\",\"id\":\"0e407985-9ae4-4c1f-bb0e-16cd9bef7611\",\"type\":\"derivative\",\"unit\":\"1s\"},{\"alpha\":0.3,\"beta\":0.1,\"field\":\"0e407985-9ae4-4c1f-bb0e-16cd9bef7611\",\"gamma\":0.3,\"id\":\"48026f85-83c8-40e6-aff4-71f3bd6c77c9\",\"model_type\":\"simple\",\"multiplicative\":false,\"period\":1,\"type\":\"moving_average\",\"window\":\"10\"}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\",\"value_template\":\"{{value}} / 
s\"}],\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"gauge\",\"use_kibana_indexes\":false},\"title\":\"DNS - Event Throughput [Logs CEF ArcSight]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-7e2b0659-0760-4182-8b29-3ee69f26bc6f", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cef/2.3.2/kibana/visualization/cef-82a333a7-d9d3-4752-b564-160d4b9f188b.json b/packages/cef/2.3.2/kibana/visualization/cef-82a333a7-d9d3-4752-b564-160d4b9f188b.json deleted file mode 100755 index 40aa11b8ad..0000000000 --- a/packages/cef/2.3.2/kibana/visualization/cef-82a333a7-d9d3-4752-b564-160d4b9f188b.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "Top 10 Sources by Destinations [Logs CEF]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Source Host\",\"field\":\"source.domain\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Destination Host\",\"field\":\"destination.domain\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"legendPosition\":\"bottom\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"}},\"title\":\"Top 10 Sources by Destinations [Logs CEF]\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-82a333a7-d9d3-4752-b564-160d4b9f188b", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "cef-46204a7b-ca56-4ad7-bf60-5ef9c6b83042", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cef/2.3.2/kibana/visualization/cef-82f3fae3-1189-4f04-8ea5-47fde1d2e7b1.json b/packages/cef/2.3.2/kibana/visualization/cef-82f3fae3-1189-4f04-8ea5-47fde1d2e7b1.json deleted file mode 100755 index 899b95824b..0000000000 --- a/packages/cef/2.3.2/kibana/visualization/cef-82f3fae3-1189-4f04-8ea5-47fde1d2e7b1.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "Top 5 Sources by Destination Addresses [Logs CEF ArcSight]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Destination Addresses\",\"field\":\"destination.ip\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Event Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Source Address\",\"field\":\"source.ip\",\"order\":\"desc\",\"orderBy\":\"2\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"perPage\":10,\"showMeticsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Top 5 Sources by Destination Addresses [Logs CEF ArcSight]\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-82f3fae3-1189-4f04-8ea5-47fde1d2e7b1", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "cef-68202a5c-c8f2-432f-8c08-04fbfacb95c8", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cef/2.3.2/kibana/visualization/cef-841a5d3f-c201-4499-a0fd-883247360640.json b/packages/cef/2.3.2/kibana/visualization/cef-841a5d3f-c201-4499-a0fd-883247360640.json deleted file mode 100755 index ba984322c2..0000000000 --- a/packages/cef/2.3.2/kibana/visualization/cef-841a5d3f-c201-4499-a0fd-883247360640.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "Top 10 Devices by Outcome [Logs CEF]", - "uiStateJSON": "{\"vis\":{\"defaultColors\":{\"0% - 17%\":\"rgb(255,255,204)\",\"17% - 34%\":\"rgb(255,230,146)\",\"34% - 50%\":\"rgb(254,191,90)\",\"50% - 67%\":\"rgb(253,141,60)\",\"67% - 84%\":\"rgb(244,61,37)\",\"84% - 100%\":\"rgb(202,8,35)\"}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Device Host Names\",\"field\":\"observer.hostname\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Event Outcome\",\"field\":\"event.outcome\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTooltip\":true,\"colorSchema\":\"Yellow to Red\",\"colorsNumber\":6,\"colorsRange\":[],\"enableHover\":true,\"invertColors\":false,\"legendPosition\":\"right\",\"percentageMode\":true,\"setColorRange\":false,\"times\":[],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"color\":\"#555\",\"rotate\":0,\"show\":false},\"scale\":{\"defaultYExtents\":false,\"type\":\"linear\"},\"show\":false,\"type\":\"value\"}]},\"title\":\"Top 10 Devices by Outcome [Logs CEF]\",\"type\":\"heatmap\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-841a5d3f-c201-4499-a0fd-883247360640", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "cef-357351f2-fbd1-41b6-9b03-592fbb7aec7c", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/cef/2.3.2/kibana/visualization/cef-85818e02-7a16-4afa-8278-99c4059ddd82.json b/packages/cef/2.3.2/kibana/visualization/cef-85818e02-7a16-4afa-8278-99c4059ddd82.json deleted file mode 100755 index 3386972ae8..0000000000 --- a/packages/cef/2.3.2/kibana/visualization/cef-85818e02-7a16-4afa-8278-99c4059ddd82.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "Top 10 Devices by Bandwidth [Logs CEF]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Device\",\"field\":\"observer.hostname\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Source(s)\",\"field\":\"source.ip\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"5\",\"params\":{\"customLabel\":\"Destination(s)\",\"field\":\"destination.ip\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"6\",\"params\":{\"customLabel\":\"Destination Ports\",\"field\":\"destination.port\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Bandwidth (Incoming)\",\"field\":\"source.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Bandwidth (Outgoing)\",\"field\":\"destination.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"}],\"listeners\":{},\"params\":{\"perPage\":10,\"showMeticsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Top 10 Devices by Bandwidth [Logs CEF]\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-85818e02-7a16-4afa-8278-99c4059ddd82", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "cef-357351f2-fbd1-41b6-9b03-592fbb7aec7c", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/cef/2.3.2/kibana/visualization/cef-868d68b5-3e62-4fc2-b942-fbb69a7c91d5.json b/packages/cef/2.3.2/kibana/visualization/cef-868d68b5-3e62-4fc2-b942-fbb69a7c91d5.json deleted file mode 100755 index b3f601f158..0000000000 --- a/packages/cef/2.3.2/kibana/visualization/cef-868d68b5-3e62-4fc2-b942-fbb69a7c91d5.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "Source Users by Event Type and Destination Users [Logs CEF]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Source Users\",\"field\":\"source.user.name\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":20},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Event Types\",\"field\":\"event.action\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Destination User Names\",\"field\":\"destination.user.name\"},\"schema\":\"metric\",\"type\":\"cardinality\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Source Users\"},\"type\":\"category\"}],\"defaultYExtents\":false,\"drawLinesBetweenPoints\":true,\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"legendPosition\":\"right\",\"radiusRatio\":9,\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"mode\":\"stacked\",\"show\":\"true\",\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"},{\"data\":{\"id\":\"3\",\"label\":\"Event Types\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"stacked\",\"show\":true,\"showCircles\":true,\"type\":\"line\",\"valueAxis\":\"ValueAxis-2\"},{\"data\":{\"id\":\"4\",\"label\":\"Destination User 
Names\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"stacked\",\"show\":true,\"showCircles\":true,\"type\":\"line\",\"valueAxis\":\"ValueAxis-2\"}],\"setYExtents\":false,\"showCircles\":true,\"times\":[],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"square root\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"},{\"id\":\"ValueAxis-2\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"RightAxis-1\",\"position\":\"right\",\"scale\":{\"mode\":\"normal\",\"type\":\"square root\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"\"},\"type\":\"value\"}]},\"title\":\"Source Users by Event Type and Destination Users [Logs CEF]\",\"type\":\"histogram\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-868d68b5-3e62-4fc2-b942-fbb69a7c91d5", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "cef-46204a7b-ca56-4ad7-bf60-5ef9c6b83042", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cef/2.3.2/kibana/visualization/cef-86bd5f13-ca6b-43fa-b209-54e7460344bb.json b/packages/cef/2.3.2/kibana/visualization/cef-86bd5f13-ca6b-43fa-b209-54e7460344bb.json deleted file mode 100755 index 34d704fef6..0000000000 --- a/packages/cef/2.3.2/kibana/visualization/cef-86bd5f13-ca6b-43fa-b209-54e7460344bb.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "Top 10 Destination Addresses [Logs CEF ArcSight]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Destination Addresses\",\"field\":\"destination.ip\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"maxFontSize\":72,\"minFontSize\":18,\"orientation\":\"single\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"linear\"},\"title\":\"Top 10 Destination Addresses [Logs CEF ArcSight]\",\"type\":\"tagcloud\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-86bd5f13-ca6b-43fa-b209-54e7460344bb", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "cef-68202a5c-c8f2-432f-8c08-04fbfacb95c8", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cef/2.3.2/kibana/visualization/cef-8869f0bb-b8a3-4e6b-b3c4-3cc80b67b3da.json b/packages/cef/2.3.2/kibana/visualization/cef-8869f0bb-b8a3-4e6b-b3c4-3cc80b67b3da.json deleted file mode 100755 index 776e8391c6..0000000000 --- a/packages/cef/2.3.2/kibana/visualization/cef-8869f0bb-b8a3-4e6b-b3c4-3cc80b67b3da.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "Top 10 Destinations by Size [Logs CEF]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Destinations\",\"field\":\"destination.domain\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Bytes\",\"field\":\"source.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Sources\",\"field\":\"source.ip\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"}],\"listeners\":{},\"params\":{\"perPage\":10,\"showMeticsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Top 10 Destinations by Size [Logs CEF]\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-8869f0bb-b8a3-4e6b-b3c4-3cc80b67b3da", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "cef-5a3668ef-c2d5-4bd3-a545-e2a9963b721c", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cef/2.3.2/kibana/visualization/cef-89998099-9a39-44cf-beba-5b97f0524cf9.json b/packages/cef/2.3.2/kibana/visualization/cef-89998099-9a39-44cf-beba-5b97f0524cf9.json deleted file mode 100755 index dd63b9809f..0000000000 --- a/packages/cef/2.3.2/kibana/visualization/cef-89998099-9a39-44cf-beba-5b97f0524cf9.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "Outcomes Breakdown [Logs CEF ArcSight]", - "uiStateJSON": "{\"vis\":{\"colors\":{\"/Attempt\":\"#3F2B5B\",\"/Failure\":\"#BF1B00\"},\"legendOpen\":true}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Time\",\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"cef.extensions.categoryOutcome\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Time\"},\"type\":\"category\"}],\"defaultYExtents\":false,\"drawLinesBetweenPoints\":true,\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"legendPosition\":\"right\",\"radiusRatio\":9,\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"mode\":\"stacked\",\"show\":\"true\",\"showCircles\":true,\"type\":\"area\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"showCircles\":true,\"times\":[],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"value\"}]},\"title\":\"Outcomes Breakdown [Logs CEF 
ArcSight]\",\"type\":\"area\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-89998099-9a39-44cf-beba-5b97f0524cf9", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "cef-5cede2d3-20fe-4140-add4-4c4f841b71a2", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cef/2.3.2/kibana/visualization/cef-8cd00d20-957d-4663-be4d-ea80b1609586.json b/packages/cef/2.3.2/kibana/visualization/cef-8cd00d20-957d-4663-be4d-ea80b1609586.json deleted file mode 100755 index 1f8c398abc..0000000000 --- a/packages/cef/2.3.2/kibana/visualization/cef-8cd00d20-957d-4663-be4d-ea80b1609586.json +++ /dev/null @@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "Top 10 Source Users [Logs CEF ArcSight]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Source Users\",\"field\":\"source.user.name\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"maxFontSize\":60,\"minFontSize\":10,\"orientation\":\"single\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"linear\"},\"title\":\"Top 10 Source Users [Logs CEF ArcSight]\",\"type\":\"tagcloud\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-8cd00d20-957d-4663-be4d-ea80b1609586", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "cef-e6cf2383-71f4-4db1-a791-1a7d4f110194", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/cef/2.3.2/kibana/visualization/cef-8f38607c-eb10-410e-aec5-15d8b474211e.json b/packages/cef/2.3.2/kibana/visualization/cef-8f38607c-eb10-410e-aec5-15d8b474211e.json deleted file mode 100755 index 335a09d44d..0000000000 --- a/packages/cef/2.3.2/kibana/visualization/cef-8f38607c-eb10-410e-aec5-15d8b474211e.json +++ /dev/null 
@@ -1,19 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Events by Source Addresses [Logs CEF]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"background_color\":null,\"background_color_rules\":[{\"id\":\"a0bf5a1d-8ebf-49d4-a347-738a6ce20562\"}],\"bar_color_rules\":[{\"id\":\"23db5bf6-f787-474e-86ab-76362432e984\"}],\"drop_last_bucket\":1,\"filter\":{\"language\":\"lucene\",\"query\":\"cef.extensions.categoryDeviceGroup:\\\"/Firewall\\\" OR cef.extensions.categoryDeviceGroup:\\\"/IDS/Network\\\" OR cef.extensions.categoryDeviceGroup:\\\"/VPN\\\" \"},\"gauge_color_rules\":[{\"id\":\"42f84a0a-ee13-4ca8-b61d-3de482ae4ab0\"}],\"gauge_inner_width\":10,\"gauge_style\":\"half\",\"gauge_width\":10,\"id\":\"ec53a1d3-213c-4b0f-a074-5005a84cdb83\",\"index_pattern\":\"logs-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(211,49,21,1)\",\"fill\":\"0\",\"filter\":{\"language\":\"lucene\",\"query\":\"cef.extensions.categoryDeviceGroup:\\\"/Firewall\\\" OR cef.extensions.categoryDeviceGroup:\\\"/IDS/Network\\\" OR cef.extensions.categoryDeviceGroup:\\\"/VPN\\\" 
\"},\"formatter\":\"number\",\"id\":\"04c44192-1112-4515-a8d9-e9e13215aecf\",\"label\":\"Events\",\"line_width\":\"3\",\"metrics\":[{\"id\":\"c5dbb050-fc10-4a0d-abe0-bc093db6cf0e\",\"type\":\"count\"},{\"alpha\":0.3,\"beta\":0.1,\"field\":\"c5dbb050-fc10-4a0d-abe0-bc093db6cf0e\",\"gamma\":0.3,\"id\":\"117fde19-e227-4fcb-8019-e82e6677c340\",\"model_type\":\"simple\",\"multiplicative\":false,\"period\":1,\"sigma\":\"\",\"type\":\"moving_average\",\"window\":\"10\"}],\"point_size\":\"0\",\"seperate_axis\":1,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\",\"steps\":0,\"terms_field\":\"observer.hostmessage\",\"terms_order_by\":null,\"value_template\":\"{{value}}\"},{\"axis_position\":\"left\",\"chart_type\":\"bar\",\"color\":\"rgba(104,188,0,1)\",\"fill\":\"0.5\",\"formatter\":\"number\",\"id\":\"3ffe652e-43c2-4a1d-ad8a-f7ab10f09f2b\",\"label\":\"Top Source Addresses\",\"line_width\":\"0\",\"metrics\":[{\"id\":\"dc74afdf-64ad-47d6-bbed-114e09d12255\",\"type\":\"count\"},{\"alpha\":0.3,\"beta\":0.1,\"field\":\"dc74afdf-64ad-47d6-bbed-114e09d12255\",\"gamma\":0.3,\"id\":\"b753ad38-c3ed-4463-8f6d-176f4d477897\",\"model_type\":\"simple\",\"multiplicative\":false,\"period\":1,\"type\":\"moving_average\",\"window\":\"10\"}],\"point_size\":1,\"seperate_axis\":1,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"source.ip\",\"terms_size\":\"10\"}],\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Events by Source Addresses [Logs CEF]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-8f38607c-eb10-410e-aec5-15d8b474211e", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/cef/2.3.2/kibana/visualization/cef-8f6075c5-f525-4173-92a4-3a56e96e362d.json b/packages/cef/2.3.2/kibana/visualization/cef-8f6075c5-f525-4173-92a4-3a56e96e362d.json deleted file mode 100755 index f4f5f6eadc..0000000000 --- a/packages/cef/2.3.2/kibana/visualization/cef-8f6075c5-f525-4173-92a4-3a56e96e362d.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "Top 10 Source Countries by Events [Logs CEF ArcSight]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Total Events\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Source Country\",\"field\":\"source.geo.country_iso_code\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Source Addresses\",\"field\":\"source.ip\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Destination Addresses\",\"field\":\"destination.ip\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"5\",\"params\":{\"customLabel\":\"Destination Ports\",\"field\":\"destination.port\"},\"schema\":\"metric\",\"type\":\"cardinality\"}],\"listeners\":{},\"params\":{\"perPage\":10,\"showMeticsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Top 10 Source Countries by Events [Logs CEF ArcSight]\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-8f6075c5-f525-4173-92a4-3a56e96e362d", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "cef-68202a5c-c8f2-432f-8c08-04fbfacb95c8", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/cef/2.3.2/kibana/visualization/cef-92aecea0-a632-4a55-bb56-50e4cdaca036.json b/packages/cef/2.3.2/kibana/visualization/cef-92aecea0-a632-4a55-bb56-50e4cdaca036.json deleted file mode 100755 index ab180b299a..0000000000 --- a/packages/cef/2.3.2/kibana/visualization/cef-92aecea0-a632-4a55-bb56-50e4cdaca036.json +++ /dev/null @@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "Top 5 Vendors by Product [Logs CEF ArcSight]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"OS Vendor\",\"field\":\"cef.device.vendor\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"OS Product\",\"field\":\"cef.device.product\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"}},\"title\":\"Top 5 Vendors by Product [Logs CEF ArcSight]\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-92aecea0-a632-4a55-bb56-50e4cdaca036", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "cef-e6cf2383-71f4-4db1-a791-1a7d4f110194", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cef/2.3.2/kibana/visualization/cef-9457ee67-895f-4b78-a543-268f9687a745.json b/packages/cef/2.3.2/kibana/visualization/cef-9457ee67-895f-4b78-a543-268f9687a745.json deleted file mode 100755 index 3da6c90cb1..0000000000 
--- a/packages/cef/2.3.2/kibana/visualization/cef-9457ee67-895f-4b78-a543-268f9687a745.json +++ /dev/null 
@@ -1,19 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Endpoint Average EPS [Logs CEF ArcSight]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"bar_color_rules\":[{\"id\":\"85a1c642-9781-430d-b84b-b28cb2a42fb4\"}],\"drop_last_bucket\":1,\"filter\":{\"language\":\"lucene\",\"query\":\"cef.extensions.categoryDeviceGroup:\\\"/Operating System\\\" OR cef.extensions.categoryDeviceGroup:\\\"/IDS/Host\\\" OR cef.extensions.categoryDeviceGroup:\\\"/Application\\\"\"},\"gauge_color_rules\":[{\"id\":\"03a2fd72-fc9c-4582-9133-20af36217180\"}],\"gauge_inner_width\":10,\"gauge_style\":\"half\",\"gauge_width\":10,\"hide_last_value_indicator\":true,\"id\":\"b7a85957-123e-4e25-9e8e-ff7992c9b2b9\",\"index_pattern\":\"logs-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(0,156,224,1)\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"b4373ffd-9660-4206-afd6-d4867ac7dbdf\",\"label\":\"Event Throughput\",\"line_width\":1,\"metrics\":[{\"id\":\"b1a48389-d799-4eba-8b98-7ee8ef0bb440\",\"type\":\"count\"},{\"field\":\"b1a48389-d799-4eba-8b98-7ee8ef0bb440\",\"id\":\"7c5c44cc-17bd-4206-a100-b8996cd3d11a\",\"type\":\"cumulative_sum\"},{\"field\":\"7c5c44cc-17bd-4206-a100-b8996cd3d11a\",\"id\":\"215c5225-5368-40e6-8fcd-2b0026babba0\",\"type\":\"derivative\",\"unit\":\"1s\"},{\"alpha\":0.3,\"beta\":0.1,\"field\":\"215c5225-5368-40e6-8fcd-2b0026babba0\",\"gamma\":0.3,\"id\":\"f4dfe09a-e397-4287-ab99-3206516cded3\",\"model_type\":\"simple\",\"multiplicative\":false,\"period\":1,\"type\":\"moving_average\",\"window\":\"10\"}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\",\"value_template\":\"{{value}} / 
s\"}],\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"gauge\",\"use_kibana_indexes\":false},\"title\":\"Endpoint Average EPS [Logs CEF ArcSight]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-9457ee67-895f-4b78-a543-268f9687a745", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cef/2.3.2/kibana/visualization/cef-98729301-9b46-4169-b99e-1392af8fa563.json b/packages/cef/2.3.2/kibana/visualization/cef-98729301-9b46-4169-b99e-1392af8fa563.json deleted file mode 100755 index f5d7ad975b..0000000000 --- a/packages/cef/2.3.2/kibana/visualization/cef-98729301-9b46-4169-b99e-1392af8fa563.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "Top 10 Source Countries by Event [Logs CEF]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Total Events\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"source.geo.country_iso_code\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":35},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Source Addresses\",\"field\":\"source.ip\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Destination Addresses\",\"field\":\"destination.ip\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"5\",\"params\":{\"customLabel\":\"Destination Ports\",\"field\":\"destination.port\"},\"schema\":\"metric\",\"type\":\"cardinality\"}],\"listeners\":{},\"params\":{\"perPage\":10,\"showMeticsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Top 10 Source Countries by Event [Logs CEF]\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-98729301-9b46-4169-b99e-1392af8fa563", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "cef-41770860-2a81-4ce7-b8b4-a0c6970725b0", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/cef/2.3.2/kibana/visualization/cef-9bef4db9-a8b2-4be8-b2b0-6ea02fab424d.json b/packages/cef/2.3.2/kibana/visualization/cef-9bef4db9-a8b2-4be8-b2b0-6ea02fab424d.json deleted file mode 100755 index 001000873c..0000000000 --- a/packages/cef/2.3.2/kibana/visualization/cef-9bef4db9-a8b2-4be8-b2b0-6ea02fab424d.json +++ /dev/null 
@@ -1,19 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Events by Severity [Logs CEF ArcSight]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"bar_color_rules\":[{\"id\":\"0ca18a89-9c81-4bee-835a-85e6103aec37\"}],\"drop_last_bucket\":1,\"filter\":{\"language\":\"lucene\",\"query\":\"cef.extensions.categoryDeviceGroup:\\\"/Firewall\\\"\"},\"hide_last_value_indicator\":true,\"id\":\"c39a76e5-f613-41a9-8335-c442747791e0\",\"index_pattern\":\"logs-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"0.0[0]a\",\"id\":\"da3b92b4-2c24-473b-9102-fb5a343a96d9\",\"label\":\"Event by Severities\",\"line_width\":1,\"metrics\":[{\"id\":\"0d189776-3f7c-4a92-95b1-73c379a341fc\",\"type\":\"count\"},{\"field\":\"0d189776-3f7c-4a92-95b1-73c379a341fc\",\"id\":\"1b1c931c-a09b-4980-af81-6f9c3db56401\",\"sigma\":\"\",\"type\":\"sum_bucket\"}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_filters\":[{\"color\":\"rgba(104,204,202,1)\",\"filter\":{\"language\":\"lucene\",\"query\":\"severity:\\\"Low\\\" OR severity:\\\"0\\\"\"},\"id\":\"ebe970ac-5cc9-4c4a-af60-82affafc667c\",\"label\":\"LOW\"},{\"color\":\"rgba(252,220,0,1)\",\"filter\":{\"language\":\"lucene\",\"query\":\"severity:\\\"Medium\\\"\"},\"id\":\"0c4ff16a-b53d-4ce4-af76-d6b74d8788db\",\"label\":\"MEDIUM\"},{\"color\":\"rgba(254,146,0,1)\",\"filter\":{\"language\":\"lucene\",\"query\":\"severity:\\\"High\\\"\"},\"id\":\"e142c55b-6ee5-416a-8bd3-d10398044864\",\"label\":\"HIGH\"},{\"color\":\"rgba(244,78,59,1)\",\"filter\":{\"language\":\"lucene\",\"query\":\"severity:\\\"Very-High\\\"\"},\"id\":\"4b05b562-c419-4214-b814-d4c242251521\",\"label\":\"VERY 
HIGH\"}],\"split_mode\":\"filters\",\"stacked\":\"none\"}],\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"top_n\",\"use_kibana_indexes\":false},\"title\":\"Events by Severity [Logs CEF ArcSight]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-9bef4db9-a8b2-4be8-b2b0-6ea02fab424d", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cef/2.3.2/kibana/visualization/cef-a52d1fe2-6933-48bd-b079-61f6e2dc05c2.json b/packages/cef/2.3.2/kibana/visualization/cef-a52d1fe2-6933-48bd-b079-61f6e2dc05c2.json deleted file mode 100755 index 0c8cab2464..0000000000 --- a/packages/cef/2.3.2/kibana/visualization/cef-a52d1fe2-6933-48bd-b079-61f6e2dc05c2.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "Events by Source and Destination Users [Logs CEF]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Event Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Timestamp\",\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Source Users\",\"field\":\"source.user.name\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Destination Users\",\"field\":\"destination.user.name\"},\"schema\":\"metric\",\"type\":\"cardinality\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Timestamp\"},\"type\":\"category\"}],\"defaultYExtents\":false,\"drawLinesBetweenPoints\":true,\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"legendPosition\":\"right\",\"radiusRatio\":9,\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Event Count\"},\"drawLinesBetweenPoints\":true,\"mode\":\"stacked\",\"show\":\"true\",\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"},{\"data\":{\"id\":\"3\",\"label\":\"Source Users\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":3,\"mode\":\"normal\",\"show\":true,\"showCircles\":true,\"type\":\"line\",\"valueAxis\":\"ValueAxis-2\"},{\"data\":{\"id\":\"4\",\"label\":\"Destination 
Users\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":3,\"mode\":\"normal\",\"show\":true,\"showCircles\":true,\"type\":\"line\",\"valueAxis\":\"ValueAxis-2\"}],\"setYExtents\":false,\"showCircles\":true,\"times\":[],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Event Count\"},\"type\":\"value\"},{\"id\":\"ValueAxis-2\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"RightAxis-1\",\"position\":\"right\",\"scale\":{\"mode\":\"normal\",\"type\":\"square root\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"\"},\"type\":\"value\"}]},\"title\":\"Events by Source and Destination Users [Logs CEF]\",\"type\":\"histogram\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-a52d1fe2-6933-48bd-b079-61f6e2dc05c2", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "cef-46204a7b-ca56-4ad7-bf60-5ef9c6b83042", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cef/2.3.2/kibana/visualization/cef-a5e56e2a-b807-4fd7-92c2-9da42134e0a9.json b/packages/cef/2.3.2/kibana/visualization/cef-a5e56e2a-b807-4fd7-92c2-9da42134e0a9.json deleted file mode 100755 index 6db6150ea6..0000000000 --- a/packages/cef/2.3.2/kibana/visualization/cef-a5e56e2a-b807-4fd7-92c2-9da42134e0a9.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "Top 20 Source Countries [Logs CEF]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"source.geo.country_iso_code\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":20},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"maxFontSize\":72,\"minFontSize\":26,\"orientation\":\"single\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"square root\"},\"title\":\"Top 20 Source Countries [Logs CEF]\",\"type\":\"tagcloud\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-a5e56e2a-b807-4fd7-92c2-9da42134e0a9", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "cef-357351f2-fbd1-41b6-9b03-592fbb7aec7c", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cef/2.3.2/kibana/visualization/cef-a729c249-8d34-4eb1-bbb0-5d25cf224114.json b/packages/cef/2.3.2/kibana/visualization/cef-a729c249-8d34-4eb1-bbb0-5d25cf224114.json deleted file mode 100755 index 8ec3a53f1f..0000000000 --- a/packages/cef/2.3.2/kibana/visualization/cef-a729c249-8d34-4eb1-bbb0-5d25cf224114.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "Top 10 Devices by Outcome [Logs CEF ArcSight]", - "uiStateJSON": "{\"vis\":{\"defaultColors\":{\"0% - 17%\":\"rgb(255,255,204)\",\"17% - 34%\":\"rgb(255,230,146)\",\"34% - 50%\":\"rgb(254,191,90)\",\"50% - 67%\":\"rgb(253,141,60)\",\"67% - 84%\":\"rgb(244,61,37)\",\"84% - 100%\":\"rgb(202,8,35)\"}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Device Host Names\",\"field\":\"observer.hostname\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Event Outcome\",\"field\":\"cef.extensions.categoryOutcome\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTooltip\":true,\"colorSchema\":\"Yellow to Red\",\"colorsNumber\":6,\"colorsRange\":[],\"enableHover\":true,\"invertColors\":false,\"legendPosition\":\"right\",\"percentageMode\":true,\"setColorRange\":false,\"times\":[],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"color\":\"#555\",\"rotate\":0,\"show\":false},\"scale\":{\"defaultYExtents\":false,\"type\":\"linear\"},\"show\":false,\"type\":\"value\"}]},\"title\":\"Top 10 Devices by Outcome [Logs CEF ArcSight]\",\"type\":\"heatmap\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-a729c249-8d34-4eb1-bbb0-5d25cf224114", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "cef-68202a5c-c8f2-432f-8c08-04fbfacb95c8", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/cef/2.3.2/kibana/visualization/cef-a97e3628-022b-46cf-8f29-a73cf9bb4e26.json b/packages/cef/2.3.2/kibana/visualization/cef-a97e3628-022b-46cf-8f29-a73cf9bb4e26.json deleted file mode 100755 index a5448711e4..0000000000 --- a/packages/cef/2.3.2/kibana/visualization/cef-a97e3628-022b-46cf-8f29-a73cf9bb4e26.json +++ /dev/null 
@@ -1,19 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Events by Source [Logs CEF ArcSight]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"background_color\":null,\"background_color_rules\":[{\"id\":\"2fddda5e-d6fc-4581-bbb7-574e1017ae8f\"}],\"bar_color_rules\":[{\"id\":\"23db5bf6-f787-474e-86ab-76362432e984\"}],\"drop_last_bucket\":1,\"filter\":{\"language\":\"lucene\",\"query\":\"cef.extensions.categoryDeviceType:\\\"Firewall\\\" OR cef.extensions.categoryDeviceGroup:\\\"/IDS/Network\\\" OR cef.extensions.categoryDeviceGroup:\\\"/VPN\\\"\"},\"gauge_color_rules\":[{\"id\":\"3ed9a6b9-fd2e-4e0d-bd83-7ad467b3c8a4\"}],\"gauge_inner_width\":10,\"gauge_style\":\"half\",\"gauge_width\":10,\"id\":\"ec53a1d3-213c-4b0f-a074-5005a84cdb83\",\"index_pattern\":\"logs-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(244,78,59,1)\",\"fill\":\"0\",\"filter\":{\"language\":\"lucene\",\"query\":\"cef.extensions.categoryDeviceGroup:\\\"/Firewall\\\"\"},\"formatter\":\"number\",\"id\":\"04c44192-1112-4515-a8d9-e9e13215aecf\",\"label\":\"Events\",\"line_width\":\"3\",\"metrics\":[{\"id\":\"c5dbb050-fc10-4a0d-abe0-bc093db6cf0e\",\"type\":\"count\"},{\"alpha\":0.3,\"beta\":0.1,\"field\":\"c5dbb050-fc10-4a0d-abe0-bc093db6cf0e\",\"gamma\":0.3,\"id\":\"e5a48d9d-7834-4da7-8d78-7d4528136b9b\",\"model_type\":\"simple\",\"multiplicative\":false,\"period\":1,\"sigma\":\"\",\"type\":\"moving_average\",\"window\":\"10\"}],\"point_size\":\"0\",\"seperate_axis\":1,\"split_color_mode\":\"gradient\",\"split_filters\":[{\"color\":\"rgba(244,78,59,1)\",\"filter\":{\"language\":\"lucene\",\"query\":\"cef.extensions.categoryDeviceGroup:\\\"/Firewall\\\"\"},\"id\":\"0c929603-fc92-4ebc-a963-fe2795417d89\",\"label\":\"Firewall 
Events\"},{\"color\":\"rgba(254,146,0,1)\",\"filter\":{\"language\":\"lucene\",\"query\":\"cef.extensions.categoryDeviceGroup:\\\"/IDS/Network\\\"\"},\"id\":\"7798827b-87ab-436b-9e62-9fe36143eb9b\",\"label\":\"Intrusion Detection Events\"},{\"color\":\"rgba(252,220,0,1)\",\"filter\":{\"language\":\"lucene\",\"query\":\"cef.extensions.categoryDeviceGroup:\\\"/VPN\\\"\"},\"id\":\"490f7ad7-8218-45f9-85a9-a4dd9ed7da13\",\"label\":\"VPN\"}],\"split_mode\":\"filters\",\"stacked\":\"none\",\"steps\":0,\"terms_field\":\"observer.hostname\",\"terms_order_by\":null},{\"axis_position\":\"left\",\"chart_type\":\"bar\",\"color\":\"rgba(0,156,224,1)\",\"fill\":\"0.5\",\"formatter\":\"number\",\"id\":\"29d6131a-5143-4a64-b597-9538692f0269\",\"label\":\"Moving Average by Device Hosts\",\"line_width\":1,\"metrics\":[{\"id\":\"dc74afdf-64ad-47d6-bbed-114e09d12255\",\"type\":\"count\"},{\"alpha\":0.3,\"beta\":0.1,\"field\":\"dc74afdf-64ad-47d6-bbed-114e09d12255\",\"gamma\":0.3,\"id\":\"87e21aaa-12eb-4213-bb37-41cb19219240\",\"model_type\":\"simple\",\"multiplicative\":false,\"period\":1,\"type\":\"moving_average\",\"window\":\"10\"}],\"point_size\":1,\"seperate_axis\":1,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"observer.hostname\",\"terms_size\":\"10\"}],\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Events by Source [Logs CEF ArcSight]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-a97e3628-022b-46cf-8f29-a73cf9bb4e26", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cef/2.3.2/kibana/visualization/cef-acc915fe-b971-4795-9040-3fbfdf62abe1.json b/packages/cef/2.3.2/kibana/visualization/cef-acc915fe-b971-4795-9040-3fbfdf62abe1.json deleted file mode 100755 index 71eae19918..0000000000 
--- a/packages/cef/2.3.2/kibana/visualization/cef-acc915fe-b971-4795-9040-3fbfdf62abe1.json +++ /dev/null @@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "Top 10 Destination Users [Logs CEF ArcSight]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Destination Users\",\"field\":\"destination.user.name\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"maxFontSize\":60,\"minFontSize\":10,\"orientation\":\"single\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"linear\"},\"title\":\"Top 10 Destination Users [Logs CEF ArcSight]\",\"type\":\"tagcloud\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-acc915fe-b971-4795-9040-3fbfdf62abe1", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "cef-e6cf2383-71f4-4db1-a791-1a7d4f110194", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cef/2.3.2/kibana/visualization/cef-b1002b5c-08fc-4bbe-b9a0-6243a8637e60.json b/packages/cef/2.3.2/kibana/visualization/cef-b1002b5c-08fc-4bbe-b9a0-6243a8637e60.json deleted file mode 100755 index 8a888d067a..0000000000 --- a/packages/cef/2.3.2/kibana/visualization/cef-b1002b5c-08fc-4bbe-b9a0-6243a8637e60.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "Outcome by Device Type [Logs CEF ArcSight]", - "uiStateJSON": "{\"vis\":{\"colors\":{\"/Failure\":\"#BF1B00\",\"/Success\":\"#629E51\"}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Firewall Types\",\"field\":\"cef.extensions.categoryDeviceType\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Event Outcome\",\"field\":\"cef.extensions.categoryOutcome\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":3},\"schema\":\"group\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"rotate\":75,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Firewall Types\"},\"type\":\"category\"}],\"defaultYExtents\":false,\"drawLinesBetweenPoints\":true,\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"legendPosition\":\"right\",\"orderBucketsBySum\":true,\"radiusRatio\":9,\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"mode\":\"stacked\",\"show\":\"true\",\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"showCircles\":true,\"times\":[],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"percentage\",\"type\":\"square 
root\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"value\"}]},\"title\":\"Outcome by Device Type [Logs CEF ArcSight]\",\"type\":\"histogram\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-b1002b5c-08fc-4bbe-b9a0-6243a8637e60", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "cef-68202a5c-c8f2-432f-8c08-04fbfacb95c8", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cef/2.3.2/kibana/visualization/cef-b25e0340-0e97-4849-9b89-959b9ad8c958.json b/packages/cef/2.3.2/kibana/visualization/cef-b25e0340-0e97-4849-9b89-959b9ad8c958.json deleted file mode 100755 index 6d692d4846..0000000000 --- a/packages/cef/2.3.2/kibana/visualization/cef-b25e0340-0e97-4849-9b89-959b9ad8c958.json +++ /dev/null 
@@ -1,19 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "DNS - Event Throughput [Logs CEF]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"background_color_rules\":[{\"id\":\"3eadd451-5033-423f-88e3-814cc5e50b50\"}],\"bar_color_rules\":[{\"id\":\"fa374805-d1ca-4261-b723-9b482a7dd43a\"}],\"drop_last_bucket\":1,\"filter\":{\"language\":\"lucene\",\"query\":\"cef.device.product:\\\"DNS Trace Log\\\"\"},\"gauge_color_rules\":[{\"gauge\":null,\"id\":\"4d957654-cc7e-4ef3-8b29-61c0aeadd51a\",\"value\":0}],\"gauge_inner_width\":10,\"gauge_max\":\"\",\"gauge_style\":\"half\",\"gauge_width\":10,\"hide_last_value_indicator\":true,\"id\":\"73968651-c41e-473e-a153-a025f49d1a1b\",\"index_pattern\":\"logs-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(0,156,224,1)\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"90d7621e-3265-4fe8-8882-8df9605ea659\",\"label\":\"Event Throughput\",\"line_width\":1,\"metrics\":[{\"id\":\"ba1830b9-9ce3-4bf1-8f4d-f7478b7f1bba\",\"type\":\"count\"},{\"field\":\"ba1830b9-9ce3-4bf1-8f4d-f7478b7f1bba\",\"id\":\"cf3e6b1c-4136-4868-913e-0e82d88a8c9c\",\"type\":\"cumulative_sum\"},{\"field\":\"cf3e6b1c-4136-4868-913e-0e82d88a8c9c\",\"id\":\"0e407985-9ae4-4c1f-bb0e-16cd9bef7611\",\"type\":\"derivative\",\"unit\":\"1s\"},{\"alpha\":0.3,\"beta\":0.1,\"field\":\"0e407985-9ae4-4c1f-bb0e-16cd9bef7611\",\"gamma\":0.3,\"id\":\"48026f85-83c8-40e6-aff4-71f3bd6c77c9\",\"model_type\":\"simple\",\"multiplicative\":false,\"period\":1,\"type\":\"moving_average\",\"window\":\"10\"}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\",\"value_template\":\"{{value}} / 
s\"}],\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"gauge\",\"use_kibana_indexes\":false},\"title\":\"DNS - Event Throughput [Logs CEF]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-b25e0340-0e97-4849-9b89-959b9ad8c958", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cef/2.3.2/kibana/visualization/cef-b4a28b54-9adb-4c4b-8ae6-158dfeb673ce.json b/packages/cef/2.3.2/kibana/visualization/cef-b4a28b54-9adb-4c4b-8ae6-158dfeb673ce.json deleted file mode 100755 index dc44b3cae7..0000000000 --- a/packages/cef/2.3.2/kibana/visualization/cef-b4a28b54-9adb-4c4b-8ae6-158dfeb673ce.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "Endpoint Metrics Overview [Logs CEF]", - "uiStateJSON": "{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Event Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Devices\",\"field\":\"observer.hostname\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Source\",\"field\":\"source.ip\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Destination\",\"field\":\"destination.ip\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"5\",\"params\":{\"customLabel\":\"Port\",\"field\":\"destination.port\"},\"schema\":\"metric\",\"type\":\"cardinality\"}],\"listeners\":{},\"params\":{\"addLegend\":false,\"addTooltip\":true,\"fontSize\":\"30\",\"gauge\":{\"autoExtend\":false,\"backStyle\":\"Full\",\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":100}],\"gaugeColorMode\":\"None\",\"gaugeStyle\":\"Full\",\"gaugeType\":\"Metric\",\"invertColors\":false,\"labels\":{\"color\":\"black\",\"show\":true},\"orientation\":\"vertical\",\"percentageMode\":false,\"scale\":{\"color\":\"#333\",\"labels\":false,\"show\":false,\"width\":2},\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":\"12\",\"labelColor\":false,\"subText\":\"\"},\"type\":\"simple\",\"useRange\":false,\"verticalSplit\":false},\"handleNoResults\":true,\"type\":\"gauge\"},\"title\":\"Endpoint Metrics Overview [Logs CEF]\",\"type\":\"metric\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-b4a28b54-9adb-4c4b-8ae6-158dfeb673ce", - "migrationVersion": { - "visualization": "8.0.0" - }, - 
"references": [ - { - "id": "cef-41770860-2a81-4ce7-b8b4-a0c6970725b0", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cef/2.3.2/kibana/visualization/cef-b4ac112e-809a-437d-a805-3ff44a67c21c.json b/packages/cef/2.3.2/kibana/visualization/cef-b4ac112e-809a-437d-a805-3ff44a67c21c.json deleted file mode 100755 index 1b3af86506..0000000000 --- a/packages/cef/2.3.2/kibana/visualization/cef-b4ac112e-809a-437d-a805-3ff44a67c21c.json +++ /dev/null @@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "Top 10 Source Users by Destination Users [Logs CEF]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Source Users\",\"field\":\"source.user.name\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Destination Users\",\"field\":\"destination.user.name\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"legendPosition\":\"bottom\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"}},\"title\":\"Top 10 Source Users by Destination Users [Logs CEF]\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-b4ac112e-809a-437d-a805-3ff44a67c21c", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "cef-46204a7b-ca56-4ad7-bf60-5ef9c6b83042", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/cef/2.3.2/kibana/visualization/cef-b7227081-e125-49cb-a580-1be363f06be0.json b/packages/cef/2.3.2/kibana/visualization/cef-b7227081-e125-49cb-a580-1be363f06be0.json deleted file mode 100755 index 74d3b0f829..0000000000 --- a/packages/cef/2.3.2/kibana/visualization/cef-b7227081-e125-49cb-a580-1be363f06be0.json +++ /dev/null @@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "Top 5 Sources by Destination Ports [Logs CEF]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Destination Ports\",\"field\":\"destination.port\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Event Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Source Address\",\"field\":\"source.ip\",\"order\":\"desc\",\"orderBy\":\"2\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"perPage\":10,\"showMeticsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Top 5 Sources by Destination Ports [Logs CEF]\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-b7227081-e125-49cb-a580-1be363f06be0", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "cef-357351f2-fbd1-41b6-9b03-592fbb7aec7c", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/cef/2.3.2/kibana/visualization/cef-baa6c9ee-dffe-4ea5-bedd-91962700f450.json b/packages/cef/2.3.2/kibana/visualization/cef-baa6c9ee-dffe-4ea5-bedd-91962700f450.json deleted file mode 100755 index a8db546b0d..0000000000 --- a/packages/cef/2.3.2/kibana/visualization/cef-baa6c9ee-dffe-4ea5-bedd-91962700f450.json +++ /dev/null 
@@ -1,19 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Events by Device Types [Logs CEF]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"background_color\":null,\"background_color_rules\":[{\"id\":\"2fddda5e-d6fc-4581-bbb7-574e1017ae8f\"}],\"bar_color_rules\":[{\"id\":\"23db5bf6-f787-474e-86ab-76362432e984\"}],\"drop_last_bucket\":1,\"filter\":{\"language\":\"lucene\",\"query\":\"cef.extensions.categoryDeviceType:\\\"Firewall\\\" OR cef.extensions.categoryDeviceGroup:\\\"/IDS/Network\\\" OR cef.extensions.categoryDeviceGroup:\\\"/VPN\\\"\"},\"gauge_color_rules\":[{\"id\":\"3ed9a6b9-fd2e-4e0d-bd83-7ad467b3c8a4\"}],\"gauge_inner_width\":10,\"gauge_style\":\"half\",\"gauge_width\":10,\"id\":\"ec53a1d3-213c-4b0f-a074-5005a84cdb83\",\"index_pattern\":\"logs-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(211,49,21,1)\",\"fill\":\"0\",\"filter\":\"\",\"formatter\":\"number\",\"id\":\"04c44192-1112-4515-a8d9-e9e13215aecf\",\"label\":\"Events\",\"line_width\":\"3\",\"metrics\":[{\"id\":\"c5dbb050-fc10-4a0d-abe0-bc093db6cf0e\",\"type\":\"count\"},{\"alpha\":0.3,\"beta\":0.1,\"field\":\"c5dbb050-fc10-4a0d-abe0-bc093db6cf0e\",\"gamma\":0.3,\"id\":\"e5a48d9d-7834-4da7-8d78-7d4528136b9b\",\"model_type\":\"simple\",\"multiplicative\":false,\"period\":1,\"sigma\":\"\",\"type\":\"moving_average\",\"window\":\"10\"}],\"point_size\":\"0\",\"seperate_axis\":1,\"split_color_mode\":\"gradient\",\"split_filters\":[{\"color\":\"rgba(244,78,59,1)\",\"filter\":{\"language\":\"lucene\",\"query\":\"cef.extensions.categoryDeviceGroup:\\\"/Firewall\\\"\"},\"id\":\"78bfdf07-ec02-4dd8-8ff4-b7e250c561c2\",\"label\":\"Firewall\"}],\"split_mode\":\"everything\",\"stacked\":\"none\",\"steps\":0,\"terms_field\":\"observer.hostname\",\"terms_order_by\":null},{\
"axis_position\":\"left\",\"chart_type\":\"bar\",\"color\":\"rgba(251,158,0,1)\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"29d6131a-5143-4a64-b597-9538692f0269\",\"label\":\"Top Device Types by Mvg Averages\",\"line_width\":1,\"metrics\":[{\"id\":\"dc74afdf-64ad-47d6-bbed-114e09d12255\",\"type\":\"count\"},{\"alpha\":0.3,\"beta\":0.1,\"field\":\"dc74afdf-64ad-47d6-bbed-114e09d12255\",\"gamma\":0.3,\"id\":\"87e21aaa-12eb-4213-bb37-41cb19219240\",\"model_type\":\"simple\",\"multiplicative\":false,\"period\":1,\"type\":\"moving_average\",\"window\":\"10\"}],\"point_size\":1,\"seperate_axis\":1,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"cef.extensions.categoryDeviceType\",\"terms_size\":\"10\"}],\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Events by Device Types [Logs CEF]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-baa6c9ee-dffe-4ea5-bedd-91962700f450", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cef/2.3.2/kibana/visualization/cef-bd35faa9-492e-4abe-9bf1-2d3c0d98171d.json b/packages/cef/2.3.2/kibana/visualization/cef-bd35faa9-492e-4abe-9bf1-2d3c0d98171d.json deleted file mode 100755 index ea5bb8c83f..0000000000 --- a/packages/cef/2.3.2/kibana/visualization/cef-bd35faa9-492e-4abe-9bf1-2d3c0d98171d.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "Top 10 Destination Users [Logs CEF]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Destination Users\",\"field\":\"destination.user.name\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"maxFontSize\":60,\"minFontSize\":10,\"orientation\":\"single\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"linear\"},\"title\":\"Top 10 Destination Users [Logs CEF]\",\"type\":\"tagcloud\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-bd35faa9-492e-4abe-9bf1-2d3c0d98171d", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "cef-46204a7b-ca56-4ad7-bf60-5ef9c6b83042", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cef/2.3.2/kibana/visualization/cef-c394e650-b16c-407c-b305-bd409d69d433.json b/packages/cef/2.3.2/kibana/visualization/cef-c394e650-b16c-407c-b305-bd409d69d433.json deleted file mode 100755 index 6601533058..0000000000 --- a/packages/cef/2.3.2/kibana/visualization/cef-c394e650-b16c-407c-b305-bd409d69d433.json +++ /dev/null 
@@ -1,19 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"query_string\":{\"query\":\"*\"}}}" - }, - "title": " Dashboard Navigation [Logs CEF ArcSight]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"markdown\":\"[Network Overview](#/dashboard/cef-dd0bc9af-2e89-4150-9b42-62517ea56b71) | [Network Suspicious Activity](#/dashboard/cef-db1e1aca-279e-4ecc-b84e-fe58644f7619) | [Endpoint Overview](#dashboard/cef-c10ce1cf-f6b8-4de4-8715-2cb5f6770b3b) | [Endpoint OS Activity](#/dashboard/cef-9e352900-89c3-4c1b-863e-249e24d0dac9) | [Microsoft DNS Overview](#/dashboard/cef-56428e01-0c47-4770-8ba4-9345a029ea41)\"},\"title\":\" Dashboard Navigation [Logs CEF ArcSight]\",\"type\":\"markdown\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-c394e650-b16c-407c-b305-bd409d69d433", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cef/2.3.2/kibana/visualization/cef-c5120e27-1f8c-41e3-83ee-78ec4d470c2f.json b/packages/cef/2.3.2/kibana/visualization/cef-c5120e27-1f8c-41e3-83ee-78ec4d470c2f.json deleted file mode 100755 index 4860454ee5..0000000000 --- a/packages/cef/2.3.2/kibana/visualization/cef-c5120e27-1f8c-41e3-83ee-78ec4d470c2f.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "Top 10 Destination Port [Logs CEF ArcSight]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"destination.port\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":20},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"maxFontSize\":72,\"minFontSize\":18,\"orientation\":\"single\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"linear\"},\"title\":\"Top 10 Destination Port [Logs CEF ArcSight]\",\"type\":\"tagcloud\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-c5120e27-1f8c-41e3-83ee-78ec4d470c2f", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "cef-5cede2d3-20fe-4140-add4-4c4f841b71a2", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cef/2.3.2/kibana/visualization/cef-cbde6788-7371-4712-b2e0-3eb07e0841f4.json b/packages/cef/2.3.2/kibana/visualization/cef-cbde6788-7371-4712-b2e0-3eb07e0841f4.json deleted file mode 100755 index 03c08e6f40..0000000000 --- a/packages/cef/2.3.2/kibana/visualization/cef-cbde6788-7371-4712-b2e0-3eb07e0841f4.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "Top 10 Destination Ports [Logs CEF]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Destination Addresses\",\"field\":\"destination.port\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"maxFontSize\":72,\"minFontSize\":18,\"orientation\":\"single\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"linear\"},\"title\":\"Top 10 Destination Ports [Logs CEF]\",\"type\":\"tagcloud\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-cbde6788-7371-4712-b2e0-3eb07e0841f4", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "cef-357351f2-fbd1-41b6-9b03-592fbb7aec7c", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cef/2.3.2/kibana/visualization/cef-cc7f89bc-22ad-4778-9c9f-1873ff38750b.json b/packages/cef/2.3.2/kibana/visualization/cef-cc7f89bc-22ad-4778-9c9f-1873ff38750b.json deleted file mode 100755 index 9d68c5563a..0000000000 --- a/packages/cef/2.3.2/kibana/visualization/cef-cc7f89bc-22ad-4778-9c9f-1873ff38750b.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "Top 10 Behaviors by Outcome [Logs CEF]", - "uiStateJSON": "{\"vis\":{\"defaultColors\":{\"0 - 9,000\":\"rgb(255,255,204)\",\"18,000 - 27,000\":\"rgb(254,225,135)\",\"27,000 - 36,000\":\"rgb(254,201,101)\",\"36,000 - 45,000\":\"rgb(254,171,73)\",\"45,000 - 54,000\":\"rgb(253,141,60)\",\"54,000 - 63,000\":\"rgb(252,91,46)\",\"63,000 - 72,000\":\"rgb(237,47,34)\",\"72,000 - 81,000\":\"rgb(212,16,32)\",\"81,000 - 90,000\":\"rgb(176,0,38)\",\"9,000 - 18,000\":\"rgb(255,241,170)\"}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Event Type\",\"field\":\"event.action\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Event Outcome\",\"field\":\"event.outcome\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTooltip\":true,\"colorSchema\":\"Yellow to Red\",\"colorsNumber\":10,\"colorsRange\":[],\"enableHover\":true,\"invertColors\":false,\"legendPosition\":\"right\",\"percentageMode\":false,\"setColorRange\":false,\"times\":[],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"color\":\"#555\",\"rotate\":0,\"show\":false},\"scale\":{\"defaultYExtents\":false,\"type\":\"linear\"},\"show\":false,\"type\":\"value\"}]},\"title\":\"Top 10 Behaviors by Outcome [Logs CEF]\",\"type\":\"heatmap\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-cc7f89bc-22ad-4778-9c9f-1873ff38750b", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "cef-46204a7b-ca56-4ad7-bf60-5ef9c6b83042", - "name": "search_0", - "type": "search" - } - 
], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cef/2.3.2/kibana/visualization/cef-d02dd523-ce91-40e9-9209-83797f80ed45.json b/packages/cef/2.3.2/kibana/visualization/cef-d02dd523-ce91-40e9-9209-83797f80ed45.json deleted file mode 100755 index bf65f0baac..0000000000 --- a/packages/cef/2.3.2/kibana/visualization/cef-d02dd523-ce91-40e9-9209-83797f80ed45.json +++ /dev/null 
@@ -1,19 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Events by Source Addresses [Logs CEF ArcSight]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"background_color\":null,\"background_color_rules\":[{\"id\":\"a0bf5a1d-8ebf-49d4-a347-738a6ce20562\"}],\"bar_color_rules\":[{\"id\":\"23db5bf6-f787-474e-86ab-76362432e984\"}],\"drop_last_bucket\":1,\"filter\":{\"language\":\"lucene\",\"query\":\"cef.extensions.categoryDeviceGroup:\\\"/Firewall\\\" OR cef.extensions.categoryDeviceGroup:\\\"/IDS/Network\\\" OR cef.extensions.categoryDeviceGroup:\\\"/VPN\\\" \"},\"gauge_color_rules\":[{\"id\":\"42f84a0a-ee13-4ca8-b61d-3de482ae4ab0\"}],\"gauge_inner_width\":10,\"gauge_style\":\"half\",\"gauge_width\":10,\"id\":\"ec53a1d3-213c-4b0f-a074-5005a84cdb83\",\"index_pattern\":\"logs-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(211,49,21,1)\",\"fill\":\"0\",\"filter\":{\"language\":\"lucene\",\"query\":\"cef.extensions.categoryDeviceGroup:\\\"/Firewall\\\" OR cef.extensions.categoryDeviceGroup:\\\"/IDS/Network\\\" OR cef.extensions.categoryDeviceGroup:\\\"/VPN\\\" 
\"},\"formatter\":\"number\",\"id\":\"04c44192-1112-4515-a8d9-e9e13215aecf\",\"label\":\"Events\",\"line_width\":\"3\",\"metrics\":[{\"id\":\"c5dbb050-fc10-4a0d-abe0-bc093db6cf0e\",\"type\":\"count\"},{\"alpha\":0.3,\"beta\":0.1,\"field\":\"c5dbb050-fc10-4a0d-abe0-bc093db6cf0e\",\"gamma\":0.3,\"id\":\"117fde19-e227-4fcb-8019-e82e6677c340\",\"model_type\":\"simple\",\"multiplicative\":false,\"period\":1,\"sigma\":\"\",\"type\":\"moving_average\",\"window\":\"10\"}],\"point_size\":\"0\",\"seperate_axis\":1,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\",\"steps\":0,\"terms_field\":\"observer.hostmessage\",\"terms_order_by\":null,\"value_template\":\"{{value}}\"},{\"axis_position\":\"left\",\"chart_type\":\"bar\",\"color\":\"rgba(104,188,0,1)\",\"fill\":\"0.5\",\"formatter\":\"number\",\"id\":\"3ffe652e-43c2-4a1d-ad8a-f7ab10f09f2b\",\"label\":\"Top Source Addresses\",\"line_width\":\"0\",\"metrics\":[{\"id\":\"dc74afdf-64ad-47d6-bbed-114e09d12255\",\"type\":\"count\"},{\"alpha\":0.3,\"beta\":0.1,\"field\":\"dc74afdf-64ad-47d6-bbed-114e09d12255\",\"gamma\":0.3,\"id\":\"b753ad38-c3ed-4463-8f6d-176f4d477897\",\"model_type\":\"simple\",\"multiplicative\":false,\"period\":1,\"type\":\"moving_average\",\"window\":\"10\"}],\"point_size\":1,\"seperate_axis\":1,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"source.ip\",\"terms_size\":\"10\"}],\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Events by Source Addresses [Logs CEF ArcSight]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-d02dd523-ce91-40e9-9209-83797f80ed45", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/cef/2.3.2/kibana/visualization/cef-d061c7a9-7f92-4bf4-b35c-499b9f4b987a.json b/packages/cef/2.3.2/kibana/visualization/cef-d061c7a9-7f92-4bf4-b35c-499b9f4b987a.json deleted file mode 100755 index f56ace942b..0000000000 --- a/packages/cef/2.3.2/kibana/visualization/cef-d061c7a9-7f92-4bf4-b35c-499b9f4b987a.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "Device Metrics Overview [Logs CEF ArcSight]", - "uiStateJSON": "{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"8\",\"params\":{\"customLabel\":\"Event Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Devices\",\"field\":\"observer.hostname\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"5\",\"params\":{\"customLabel\":\"Sources\",\"field\":\"source.ip\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"6\",\"params\":{\"customLabel\":\"Destinations\",\"field\":\"destination.ip\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"7\",\"params\":{\"customLabel\":\"Ports\",\"field\":\"destination.port\"},\"schema\":\"metric\",\"type\":\"cardinality\"}],\"listeners\":{},\"params\":{\"addLegend\":false,\"addTooltip\":true,\"fontSize\":\"30\",\"gauge\":{\"autoExtend\":false,\"backStyle\":\"Full\",\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":100}],\"gaugeColorMode\":\"None\",\"gaugeStyle\":\"Full\",\"gaugeType\":\"Metric\",\"invertColors\":false,\"labels\":{\"color\":\"black\",\"show\":true},\"orientation\":\"vertical\",\"percentageMode\":false,\"scale\":{\"color\":\"#333\",\"labels\":false,\"show\":false,\"width\":2},\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":\"12\",\"labelColor\":false,\"subText\":\"\"},\"type\":\"simple\",\"useRange\":false,\"verticalSplit\":false},\"handleNoResults\":true,\"type\":\"gauge\"},\"title\":\"Device Metrics Overview [Logs CEF ArcSight]\",\"type\":\"metric\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-d061c7a9-7f92-4bf4-b35c-499b9f4b987a", - "migrationVersion": { - "visualization": 
"8.0.0" - }, - "references": [ - { - "id": "cef-68202a5c-c8f2-432f-8c08-04fbfacb95c8", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cef/2.3.2/kibana/visualization/cef-d2332147-4293-4422-930b-0a319ebeb958.json b/packages/cef/2.3.2/kibana/visualization/cef-d2332147-4293-4422-930b-0a319ebeb958.json deleted file mode 100755 index c2380e89a6..0000000000 --- a/packages/cef/2.3.2/kibana/visualization/cef-d2332147-4293-4422-930b-0a319ebeb958.json +++ /dev/null @@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "Top 5 Vendors by Product [Logs CEF]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"OS Vendor\",\"field\":\"cef.device.vendor\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"OS Product\",\"field\":\"cef.device.product\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"}},\"title\":\"Top 5 Vendors by Product [Logs CEF]\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-d2332147-4293-4422-930b-0a319ebeb958", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "cef-46204a7b-ca56-4ad7-bf60-5ef9c6b83042", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/cef/2.3.2/kibana/visualization/cef-d3ce586b-d372-4e03-9c19-b768b1b953f3.json b/packages/cef/2.3.2/kibana/visualization/cef-d3ce586b-d372-4e03-9c19-b768b1b953f3.json deleted file mode 100755 index 3d96a77a18..0000000000 --- a/packages/cef/2.3.2/kibana/visualization/cef-d3ce586b-d372-4e03-9c19-b768b1b953f3.json +++ /dev/null 
@@ -1,19 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Events by Outcome [Logs CEF]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"background_color\":null,\"background_color_rules\":[{\"id\":\"2fddda5e-d6fc-4581-bbb7-574e1017ae8f\"}],\"bar_color_rules\":[{\"bar_color\":null,\"id\":\"23db5bf6-f787-474e-86ab-76362432e984\",\"value\":0}],\"drilldown_url\":\"\",\"drop_last_bucket\":1,\"filter\":{\"language\":\"lucene\",\"query\":\"cef.extensions.categoryDeviceType:\\\"Firewall\\\" OR cef.extensions.categoryDeviceGroup:\\\"/IDS/Network\\\" OR cef.extensions.categoryDeviceGroup:\\\"/VPN\\\"\"},\"gauge_color_rules\":[{\"id\":\"3ed9a6b9-fd2e-4e0d-bd83-7ad467b3c8a4\"}],\"gauge_inner_width\":10,\"gauge_style\":\"half\",\"gauge_width\":10,\"id\":\"ec53a1d3-213c-4b0f-a074-5005a84cdb83\",\"index_pattern\":\"logs-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(211,49,21,1)\",\"fill\":\"0\",\"filter\":{\"language\":\"lucene\",\"query\":\"(cef.extensions.categoryDeviceGroup:\\\"/Firewall\\\" OR cef.extensions.categoryDeviceGroup:\\\"/IDS/Network\\\" OR cef.extensions.categoryDeviceGroup:\\\"/VPN\\\") AND 
_exists_:cef.extensions.categoryOutcome\"},\"formatter\":\"number\",\"id\":\"04c44192-1112-4515-a8d9-e9e13215aecf\",\"label\":\"Events\",\"line_width\":\"3\",\"metrics\":[{\"id\":\"c5dbb050-fc10-4a0d-abe0-bc093db6cf0e\",\"type\":\"count\"},{\"alpha\":0.3,\"beta\":0.1,\"field\":\"c5dbb050-fc10-4a0d-abe0-bc093db6cf0e\",\"gamma\":0.3,\"id\":\"c43af7e6-3f06-48a4-a7c3-7ba8bd6214f9\",\"model_type\":\"simple\",\"multiplicative\":false,\"period\":1,\"type\":\"moving_average\",\"window\":\"10\"}],\"point_size\":\"0\",\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_filters\":[{\"color\":\"rgba(254,146,0,1)\",\"filter\":{\"language\":\"lucene\",\"query\":\"cef.extensions.categoryDeviceGroup:\\\"/Firewall\\\"\"},\"id\":\"4c7aac7d-2749-41b6-8136-40dc8636a7e7\",\"label\":\"Firewall\"}],\"split_mode\":\"filter\",\"stacked\":\"none\",\"steps\":0,\"terms_field\":\"observer.hostname\",\"terms_order_by\":null},{\"axis_position\":\"left\",\"chart_type\":\"bar\",\"color\":\"rgba(104,188,0,1)\",\"fill\":\"1\",\"formatter\":\"number\",\"id\":\"29d6131a-5143-4a64-b597-9538692f0269\",\"label\":\"Moving Average by Event 
Outcome\",\"line_width\":1,\"metrics\":[{\"id\":\"dc74afdf-64ad-47d6-bbed-114e09d12255\",\"type\":\"count\"}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_filters\":[{\"color\":\"rgba(104,188,0,0.35)\",\"filter\":{\"language\":\"lucene\",\"query\":\"cef.extensions.categoryOutcome:\\\"/Success\\\"\"},\"id\":\"cb1ae397-13a0-4b6f-a848-bcdc96870f05\",\"label\":\"Success\"},{\"color\":\"rgba(244,78,59,1)\",\"filter\":{\"language\":\"lucene\",\"query\":\"cef.extensions.categoryOutcome:\\\"/Failure\\\"\"},\"id\":\"ef021c15-1b95-4334-bc3c-e2950e9b0f6f\",\"label\":\"Failure\"},{\"color\":\"rgba(0,156,224,1)\",\"filter\":{\"language\":\"lucene\",\"query\":\"cef.extensions.categoryOutcome:\\\"/Attempt\\\"\"},\"id\":\"2ff1e859-b178-4824-a0f2-69a115932b98\",\"label\":\"Attempt\"}],\"split_mode\":\"filters\",\"stacked\":\"stacked\",\"terms_field\":\"event.outcome\",\"terms_size\":\"3\"}],\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Events by Outcome [Logs CEF]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-d3ce586b-d372-4e03-9c19-b768b1b953f3", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cef/2.3.2/kibana/visualization/cef-d42600fb-ea45-4dc9-a5d2-dd6a502fb76e.json b/packages/cef/2.3.2/kibana/visualization/cef-d42600fb-ea45-4dc9-a5d2-dd6a502fb76e.json deleted file mode 100755 index f3176b2af1..0000000000 --- a/packages/cef/2.3.2/kibana/visualization/cef-d42600fb-ea45-4dc9-a5d2-dd6a502fb76e.json +++ /dev/null 
@@ -1,19 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"query_string\":{\"query\":\"*\"}}}" - }, - "title": " Dashboard Navigation [Logs CEF]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"markdown\":\"[Network Overview](#/dashboard/cef-4f045e14-8e20-47ed-a6d1-219dd3c8ed5c) | [Network Suspicious Activity](#/dashboard/cef-04749697-de8d-49b3-8eca-c873ab2c5ac9) | [Endpoint Overview](#dashboard/cef-a0030996-9c7b-4f66-bd5a-59b23a7e7c15) | [Endpoint Activity](#/dashboard/cef-85d71d6a-69fc-46a5-bf38-f94c177fbabf) | [Microsoft DNS Overview](#/dashboard/cef-607f756e-288d-499a-8f8a-33791354ffaf)\"},\"title\":\" Dashboard Navigation [Logs CEF]\",\"type\":\"markdown\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-d42600fb-ea45-4dc9-a5d2-dd6a502fb76e", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cef/2.3.2/kibana/visualization/cef-d7d7bd9e-c767-428c-b7de-d09f9d87f652.json b/packages/cef/2.3.2/kibana/visualization/cef-d7d7bd9e-c767-428c-b7de-d09f9d87f652.json deleted file mode 100755 index c076beb64e..0000000000 --- a/packages/cef/2.3.2/kibana/visualization/cef-d7d7bd9e-c767-428c-b7de-d09f9d87f652.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "Device Metrics Overview [Logs CEF]", - "uiStateJSON": "{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"8\",\"params\":{\"customLabel\":\"Event Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Devices\",\"field\":\"observer.hostname\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"5\",\"params\":{\"customLabel\":\"Sources\",\"field\":\"source.ip\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"6\",\"params\":{\"customLabel\":\"Destinations\",\"field\":\"destination.ip\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"7\",\"params\":{\"customLabel\":\"Ports\",\"field\":\"destination.port\"},\"schema\":\"metric\",\"type\":\"cardinality\"}],\"listeners\":{},\"params\":{\"addLegend\":false,\"addTooltip\":true,\"fontSize\":\"30\",\"gauge\":{\"autoExtend\":false,\"backStyle\":\"Full\",\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":100}],\"gaugeColorMode\":\"None\",\"gaugeStyle\":\"Full\",\"gaugeType\":\"Metric\",\"invertColors\":false,\"labels\":{\"color\":\"black\",\"show\":true},\"orientation\":\"vertical\",\"percentageMode\":false,\"scale\":{\"color\":\"#333\",\"labels\":false,\"show\":false,\"width\":2},\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":\"12\",\"labelColor\":false,\"subText\":\"\"},\"type\":\"simple\",\"useRange\":false,\"verticalSplit\":false},\"handleNoResults\":true,\"type\":\"gauge\"},\"title\":\"Device Metrics Overview [Logs CEF]\",\"type\":\"metric\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-d7d7bd9e-c767-428c-b7de-d09f9d87f652", - "migrationVersion": { - "visualization": "8.0.0" - }, - 
"references": [ - { - "id": "cef-357351f2-fbd1-41b6-9b03-592fbb7aec7c", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cef/2.3.2/kibana/visualization/cef-d85b0ce0-4fa7-4fe5-9fe1-41cf40606ef3.json b/packages/cef/2.3.2/kibana/visualization/cef-d85b0ce0-4fa7-4fe5-9fe1-41cf40606ef3.json deleted file mode 100755 index 3fe6aa4bce..0000000000 --- a/packages/cef/2.3.2/kibana/visualization/cef-d85b0ce0-4fa7-4fe5-9fe1-41cf40606ef3.json +++ /dev/null 
@@ -1,19 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Events by Size [Logs CEF]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"drop_last_bucket\":1,\"filter\":{\"language\":\"lucene\",\"query\":\"cef.device.product:\\\"DNS Trace Log\\\"\"},\"id\":\"6e634117-6b30-411c-b74c-75510befe42f\",\"index_pattern\":\"logs-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(0,156,224,1)\",\"fill\":0.5,\"filter\":{\"language\":\"lucene\",\"query\":\"deviceDirection:\\\"0\\\"\"},\"formatter\":\"bytes\",\"id\":\"28b1fb5b-0f16-4519-b901-4dd2dcc39915\",\"label\":\"Inbound Bytes\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"source.bytes\",\"id\":\"f613f33f-6459-4e46-a3a0-c36c48c46b2e\",\"type\":\"sum\"}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"filter\",\"stacked\":\"none\"},{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(244,78,59,1)\",\"fill\":0.5,\"filter\":{\"language\":\"lucene\",\"query\":\"deviceDirection:\\\"1\\\"\"},\"formatter\":\"bytes\",\"id\":\"5a5c2529-4990-4006-b039-c94069ff6b7e\",\"label\":\"Outbound Bytes\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"source.bytes\",\"id\":\"b69501e7-56d5-4c38-81d1-34d778c81e11\",\"type\":\"sum\"},{\"id\":\"0aaab374-5845-44ab-94f5-ac4fab25c287\",\"script\":\"params.outbound_bytes \\u003e= 0 ? 
params.outbound_bytes * -1 : 0\",\"type\":\"calculation\",\"variables\":[{\"field\":\"b69501e7-56d5-4c38-81d1-34d778c81e11\",\"id\":\"23b8c41c-0e98-4ace-8bca-3593e46cd955\",\"name\":\"outbound_bytes\"}]}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"filter\",\"stacked\":\"none\"}],\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Events by Size [Logs CEF]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-d85b0ce0-4fa7-4fe5-9fe1-41cf40606ef3", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cef/2.3.2/kibana/visualization/cef-daa1fe0b-a698-4429-8e5d-db251502276c.json b/packages/cef/2.3.2/kibana/visualization/cef-daa1fe0b-a698-4429-8e5d-db251502276c.json deleted file mode 100755 index 0cab527765..0000000000 --- a/packages/cef/2.3.2/kibana/visualization/cef-daa1fe0b-a698-4429-8e5d-db251502276c.json +++ /dev/null 
@@ -1,19 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Bandwidth Utilization [Logs CEF]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"background_color\":null,\"bar_color_rules\":[{\"id\":\"23db5bf6-f787-474e-86ab-76362432e984\"}],\"drop_last_bucket\":1,\"filter\":{\"language\":\"kuery\",\"query\":\"\"},\"id\":\"ec53a1d3-213c-4b0f-a074-5005a84cdb83\",\"index_pattern\":\"logs-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(0,156,224,1)\",\"fill\":0.5,\"formatter\":\"bytes\",\"id\":\"d27f09dc-b07e-493f-a223-a85033ad6548\",\"label\":\"Inbound\",\"line_width\":1,\"metrics\":[{\"field\":\"source.bytes\",\"id\":\"9ce9ec3a-2f11-4935-91b2-531494d2a619\",\"type\":\"sum\"}],\"override_index_pattern\":1,\"point_size\":1,\"seperate_axis\":0,\"series_drop_last_bucket\":1,\"series_index_pattern\":\"logs-*\",\"series_time_field\":\"@timestamp\",\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\",\"terms_field\":\"observer.hostname\",\"terms_order_by\":\"_count\"},{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(244,78,59,1)\",\"fill\":0.5,\"formatter\":\"bytes\",\"id\":\"b1ef2c75-5916-469d-8790-5b213367a5a0\",\"label\":\"Outbound\",\"line_width\":1,\"metrics\":[{\"field\":\"destination.bytes\",\"id\":\"11b1852f-9b62-4e96-8128-522e6c5bf16d\",\"type\":\"sum\"},{\"id\":\"2a6b00bf-1658-4d02-b4e2-61ad6e4c3a9b\",\"script\":\"params.outbound \\u003e 0 ? 
params.outbound * -1 : 0\",\"type\":\"calculation\",\"variables\":[{\"field\":\"11b1852f-9b62-4e96-8128-522e6c5bf16d\",\"id\":\"c57067f2-2927-41d8-97f4-9f47b3b3bcae\",\"name\":\"outbound\"}]}],\"override_index_pattern\":1,\"point_size\":1,\"seperate_axis\":0,\"series_drop_last_bucket\":1,\"series_index_pattern\":\"logs-*\",\"series_time_field\":\"@timestamp\",\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\",\"steps\":0}],\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Bandwidth Utilization [Logs CEF]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-daa1fe0b-a698-4429-8e5d-db251502276c", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cef/2.3.2/kibana/visualization/cef-dd339ff5-6b26-4455-ae06-f3b5591479e3.json b/packages/cef/2.3.2/kibana/visualization/cef-dd339ff5-6b26-4455-ae06-f3b5591479e3.json deleted file mode 100755 index 4a6677a4a9..0000000000 --- a/packages/cef/2.3.2/kibana/visualization/cef-dd339ff5-6b26-4455-ae06-f3b5591479e3.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "Outcomes Breakdown [Logs CEF]", - "uiStateJSON": "{\"vis\":{\"colors\":{\"failure\":\"#BF1B00\",\"unknown\":\"#3F2B5B\"},\"legendOpen\":true}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Time\",\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"event.outcome\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Time\"},\"type\":\"category\"}],\"defaultYExtents\":false,\"drawLinesBetweenPoints\":true,\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"legendPosition\":\"right\",\"radiusRatio\":9,\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"mode\":\"stacked\",\"show\":\"true\",\"showCircles\":true,\"type\":\"area\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"showCircles\":true,\"times\":[],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"value\"}]},\"title\":\"Outcomes Breakdown [Logs CEF]\",\"type\":\"area\"}" - }, - 
"coreMigrationVersion": "8.0.0", - "id": "cef-dd339ff5-6b26-4455-ae06-f3b5591479e3", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "cef-41770860-2a81-4ce7-b8b4-a0c6970725b0", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cef/2.3.2/kibana/visualization/cef-df056709-2deb-4363-ae7a-b0148ea456c6.json b/packages/cef/2.3.2/kibana/visualization/cef-df056709-2deb-4363-ae7a-b0148ea456c6.json deleted file mode 100755 index 6cf6e86635..0000000000 --- a/packages/cef/2.3.2/kibana/visualization/cef-df056709-2deb-4363-ae7a-b0148ea456c6.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "Destination Ports by Outcome [Logs CEF ArcSight]", - "uiStateJSON": "{\"vis\":{\"colors\":{\"/Failure\":\"#BF1B00\",\"/Success\":\"#629E51\"}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Protocols\",\"field\":\"destination.port\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"cef.extensions.categoryOutcome\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"rotate\":75,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Protocols\"},\"type\":\"category\"}],\"defaultYExtents\":false,\"drawLinesBetweenPoints\":true,\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"legendPosition\":\"right\",\"radiusRatio\":9,\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"mode\":\"stacked\",\"show\":\"true\",\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"showCircles\":true,\"times\":[],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"percentage\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"Destination Ports by Outcome [Logs CEF 
ArcSight]\",\"type\":\"histogram\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-df056709-2deb-4363-ae7a-b0148ea456c6", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "cef-68202a5c-c8f2-432f-8c08-04fbfacb95c8", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cef/2.3.2/kibana/visualization/cef-e06d85f2-2da4-41e2-b2ab-f685b64bb3f9.json b/packages/cef/2.3.2/kibana/visualization/cef-e06d85f2-2da4-41e2-b2ab-f685b64bb3f9.json deleted file mode 100755 index 20bdf88f92..0000000000 --- a/packages/cef/2.3.2/kibana/visualization/cef-e06d85f2-2da4-41e2-b2ab-f685b64bb3f9.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "Top 20 Behaviors by Outcome [Logs CEF ArcSight]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Event Behavior\",\"field\":\"cef.extensions.categoryBehavior\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":20},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Event Outcome\",\"field\":\"cef.extensions.categoryOutcome\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":3},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"}},\"title\":\"Top 20 Behaviors by Outcome [Logs CEF ArcSight]\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-e06d85f2-2da4-41e2-b2ab-f685b64bb3f9", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "cef-e6cf2383-71f4-4db1-a791-1a7d4f110194", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cef/2.3.2/kibana/visualization/cef-e513c269-350c-40c3-ac20-16c5782103b8.json b/packages/cef/2.3.2/kibana/visualization/cef-e513c269-350c-40c3-ac20-16c5782103b8.json deleted file mode 100755 index cb732f40b3..0000000000 --- a/packages/cef/2.3.2/kibana/visualization/cef-e513c269-350c-40c3-ac20-16c5782103b8.json +++ /dev/null 
@@ -1,19 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Events by Device Types [Logs CEF ArcSight]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"background_color\":null,\"background_color_rules\":[{\"id\":\"2fddda5e-d6fc-4581-bbb7-574e1017ae8f\"}],\"bar_color_rules\":[{\"id\":\"23db5bf6-f787-474e-86ab-76362432e984\"}],\"drop_last_bucket\":1,\"filter\":{\"language\":\"lucene\",\"query\":\"cef.extensions.categoryDeviceType:\\\"Firewall\\\" OR cef.extensions.categoryDeviceGroup:\\\"/IDS/Network\\\" OR cef.extensions.categoryDeviceGroup:\\\"/VPN\\\"\"},\"gauge_color_rules\":[{\"id\":\"3ed9a6b9-fd2e-4e0d-bd83-7ad467b3c8a4\"}],\"gauge_inner_width\":10,\"gauge_style\":\"half\",\"gauge_width\":10,\"id\":\"ec53a1d3-213c-4b0f-a074-5005a84cdb83\",\"index_pattern\":\"logs-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(211,49,21,1)\",\"fill\":\"0\",\"filter\":\"\",\"formatter\":\"number\",\"id\":\"04c44192-1112-4515-a8d9-e9e13215aecf\",\"label\":\"Events\",\"line_width\":\"3\",\"metrics\":[{\"id\":\"c5dbb050-fc10-4a0d-abe0-bc093db6cf0e\",\"type\":\"count\"},{\"alpha\":0.3,\"beta\":0.1,\"field\":\"c5dbb050-fc10-4a0d-abe0-bc093db6cf0e\",\"gamma\":0.3,\"id\":\"e5a48d9d-7834-4da7-8d78-7d4528136b9b\",\"model_type\":\"simple\",\"multiplicative\":false,\"period\":1,\"sigma\":\"\",\"type\":\"moving_average\",\"window\":\"10\"}],\"point_size\":\"0\",\"seperate_axis\":1,\"split_color_mode\":\"gradient\",\"split_filters\":[{\"color\":\"rgba(244,78,59,1)\",\"filter\":{\"language\":\"lucene\",\"query\":\"cef.extensions.categoryDeviceGroup:\\\"/Firewall\\\"\"},\"id\":\"78bfdf07-ec02-4dd8-8ff4-b7e250c561c2\",\"label\":\"Firewall\"}],\"split_mode\":\"everything\",\"stacked\":\"none\",\"steps\":0,\"terms_field\":\"observer.hostname\",\"terms_order_by\"
:null},{\"axis_position\":\"left\",\"chart_type\":\"bar\",\"color\":\"rgba(251,158,0,1)\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"29d6131a-5143-4a64-b597-9538692f0269\",\"label\":\"Top Device Types by Mvg Averages\",\"line_width\":1,\"metrics\":[{\"id\":\"dc74afdf-64ad-47d6-bbed-114e09d12255\",\"type\":\"count\"},{\"alpha\":0.3,\"beta\":0.1,\"field\":\"dc74afdf-64ad-47d6-bbed-114e09d12255\",\"gamma\":0.3,\"id\":\"87e21aaa-12eb-4213-bb37-41cb19219240\",\"model_type\":\"simple\",\"multiplicative\":false,\"period\":1,\"type\":\"moving_average\",\"window\":\"10\"}],\"point_size\":1,\"seperate_axis\":1,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"cef.extensions.categoryDeviceType\",\"terms_size\":\"10\"}],\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Events by Device Types [Logs CEF ArcSight]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-e513c269-350c-40c3-ac20-16c5782103b8", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cef/2.3.2/kibana/visualization/cef-e89a64e8-928c-41fc-8745-3c8157b21cdb.json b/packages/cef/2.3.2/kibana/visualization/cef-e89a64e8-928c-41fc-8745-3c8157b21cdb.json deleted file mode 100755 index 5387593733..0000000000 --- a/packages/cef/2.3.2/kibana/visualization/cef-e89a64e8-928c-41fc-8745-3c8157b21cdb.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "Top 10 Devices by Bandwidth [Logs CEF ArcSight]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Device\",\"field\":\"observer.hostname\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Source(s)\",\"field\":\"source.ip\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"5\",\"params\":{\"customLabel\":\"Destination(s)\",\"field\":\"destination.ip\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"6\",\"params\":{\"customLabel\":\"Destination Ports\",\"field\":\"destination.port\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Bandwidth (Incoming)\",\"field\":\"source.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Bandwidth (Outgoing)\",\"field\":\"destination.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"}],\"listeners\":{},\"params\":{\"perPage\":10,\"showMeticsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Top 10 Devices by Bandwidth [Logs CEF ArcSight]\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-e89a64e8-928c-41fc-8745-3c8157b21cdb", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "cef-68202a5c-c8f2-432f-8c08-04fbfacb95c8", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/cef/2.3.2/kibana/visualization/cef-efa710e7-907c-4723-92cd-2bd2276f44dd.json b/packages/cef/2.3.2/kibana/visualization/cef-efa710e7-907c-4723-92cd-2bd2276f44dd.json deleted file mode 100755 index 3c1744583b..0000000000 --- a/packages/cef/2.3.2/kibana/visualization/cef-efa710e7-907c-4723-92cd-2bd2276f44dd.json +++ /dev/null 
@@ -1,19 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Events by Source [Logs CEF]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"background_color\":null,\"background_color_rules\":[{\"id\":\"2fddda5e-d6fc-4581-bbb7-574e1017ae8f\"}],\"bar_color_rules\":[{\"id\":\"23db5bf6-f787-474e-86ab-76362432e984\"}],\"drop_last_bucket\":1,\"filter\":{\"language\":\"lucene\",\"query\":\"cef.extensions.categoryDeviceType:\\\"Firewall\\\" OR cef.extensions.categoryDeviceGroup:\\\"/IDS/Network\\\" OR cef.extensions.categoryDeviceGroup:\\\"/VPN\\\"\"},\"gauge_color_rules\":[{\"id\":\"3ed9a6b9-fd2e-4e0d-bd83-7ad467b3c8a4\"}],\"gauge_inner_width\":10,\"gauge_style\":\"half\",\"gauge_width\":10,\"id\":\"ec53a1d3-213c-4b0f-a074-5005a84cdb83\",\"index_pattern\":\"logs-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(244,78,59,1)\",\"fill\":\"0\",\"filter\":{\"language\":\"lucene\",\"query\":\"cef.extensions.categoryDeviceGroup:\\\"/Firewall\\\"\"},\"formatter\":\"number\",\"id\":\"04c44192-1112-4515-a8d9-e9e13215aecf\",\"label\":\"Events\",\"line_width\":\"3\",\"metrics\":[{\"id\":\"c5dbb050-fc10-4a0d-abe0-bc093db6cf0e\",\"type\":\"count\"},{\"alpha\":0.3,\"beta\":0.1,\"field\":\"c5dbb050-fc10-4a0d-abe0-bc093db6cf0e\",\"gamma\":0.3,\"id\":\"e5a48d9d-7834-4da7-8d78-7d4528136b9b\",\"model_type\":\"simple\",\"multiplicative\":false,\"period\":1,\"sigma\":\"\",\"type\":\"moving_average\",\"window\":\"10\"}],\"point_size\":\"0\",\"seperate_axis\":1,\"split_color_mode\":\"gradient\",\"split_filters\":[{\"color\":\"rgba(244,78,59,1)\",\"filter\":{\"language\":\"lucene\",\"query\":\"cef.extensions.categoryDeviceGroup:\\\"/Firewall\\\"\"},\"id\":\"0c929603-fc92-4ebc-a963-fe2795417d89\",\"label\":\"Firewall 
Events\"},{\"color\":\"rgba(254,146,0,1)\",\"filter\":{\"language\":\"lucene\",\"query\":\"cef.extensions.categoryDeviceGroup:\\\"/IDS/Network\\\"\"},\"id\":\"7798827b-87ab-436b-9e62-9fe36143eb9b\",\"label\":\"Intrusion Detection Events\"},{\"color\":\"rgba(252,220,0,1)\",\"filter\":{\"language\":\"lucene\",\"query\":\"cef.extensions.categoryDeviceGroup:\\\"/VPN\\\"\"},\"id\":\"490f7ad7-8218-45f9-85a9-a4dd9ed7da13\",\"label\":\"VPN\"}],\"split_mode\":\"filters\",\"stacked\":\"none\",\"steps\":0,\"terms_field\":\"observer.hostname\",\"terms_order_by\":null},{\"axis_position\":\"left\",\"chart_type\":\"bar\",\"color\":\"rgba(0,156,224,1)\",\"fill\":\"0.5\",\"formatter\":\"number\",\"id\":\"29d6131a-5143-4a64-b597-9538692f0269\",\"label\":\"Moving Average by Device Hosts\",\"line_width\":1,\"metrics\":[{\"id\":\"dc74afdf-64ad-47d6-bbed-114e09d12255\",\"type\":\"count\"},{\"alpha\":0.3,\"beta\":0.1,\"field\":\"dc74afdf-64ad-47d6-bbed-114e09d12255\",\"gamma\":0.3,\"id\":\"87e21aaa-12eb-4213-bb37-41cb19219240\",\"model_type\":\"simple\",\"multiplicative\":false,\"period\":1,\"type\":\"moving_average\",\"window\":\"10\"}],\"point_size\":1,\"seperate_axis\":1,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"observer.hostname\",\"terms_size\":\"10\"}],\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Events by Source [Logs CEF]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-efa710e7-907c-4723-92cd-2bd2276f44dd", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cef/2.3.2/kibana/visualization/cef-f03d734b-b85c-4e99-9c0e-9c89716a81f3.json b/packages/cef/2.3.2/kibana/visualization/cef-f03d734b-b85c-4e99-9c0e-9c89716a81f3.json deleted file mode 100755 index 4c21032237..0000000000 
--- a/packages/cef/2.3.2/kibana/visualization/cef-f03d734b-b85c-4e99-9c0e-9c89716a81f3.json +++ /dev/null @@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "Top 5 Sources by Destination Ports [Logs CEF ArcSight]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Destination Ports\",\"field\":\"destination.port\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Event Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Source Address\",\"field\":\"source.ip\",\"order\":\"desc\",\"orderBy\":\"2\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"perPage\":10,\"showMeticsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Top 5 Sources by Destination Ports [Logs CEF ArcSight]\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-f03d734b-b85c-4e99-9c0e-9c89716a81f3", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "cef-68202a5c-c8f2-432f-8c08-04fbfacb95c8", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cef/2.3.2/kibana/visualization/cef-f0e60404-ddf4-4b46-8e45-e28c4fb6d60d.json b/packages/cef/2.3.2/kibana/visualization/cef-f0e60404-ddf4-4b46-8e45-e28c4fb6d60d.json deleted file mode 100755 index 827c7905e2..0000000000 --- a/packages/cef/2.3.2/kibana/visualization/cef-f0e60404-ddf4-4b46-8e45-e28c4fb6d60d.json +++ /dev/null 
@@ -1,19 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Events Types by Severity [Logs CEF ArcSight]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"drop_last_bucket\":1,\"filter\":{\"language\":\"lucene\",\"query\":\"cef.device.product:\\\"DNS Trace Log\\\"\"},\"id\":\"db54ebce-9dd2-4a1e-b476-b3ddb9a9024e\",\"index_pattern\":\"logs-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"formatter\":\"number\",\"id\":\"81da76ca-1112-4d91-82f4-c66cd3156a84\",\"label\":\"Cumulative Bytes\",\"line_width\":\"3\",\"metrics\":[{\"field\":\"source.bytes\",\"id\":\"521d560c-321a-4410-9eb3-2b2bf3f4efee\",\"type\":\"count\"}],\"point_size\":\"0\",\"seperate_axis\":1,\"split_color_mode\":\"gradient\",\"split_filters\":[{\"color\":\"rgba(244,78,59,1)\",\"filter\":{\"language\":\"lucene\",\"query\":\"(event.severity:\\\"2\\\" OR event.severity:\\\"3\\\" OR event.severity:\\\"5\\\" OR event.severity:\\\"16\\\" OR cef.extension.deviceCustomString4:\\\"SERVFAIL\\\" OR cef.extension.deviceCustomString4:\\\"NXDOMAIN\\\" OR cef.extension.deviceCustomString4:\\\"REFUSED\\\" OR cef.extension.deviceCustomString4:\\\"BADVERS\\\" OR cef.extension.deviceCustomString4:\\\"BADSIG\\\")\"},\"id\":\"3f31a7e4-acf3-4f2d-8b7d-e30522325b2a\",\"label\":\"HIGH\"},{\"color\":\"rgba(254,146,0,1)\",\"filter\":{\"language\":\"lucene\",\"query\":\"(event.severity:\\\"1\\\" OR event.severity:\\\"4\\\" OR event.severity:\\\"6\\\" OR event.severity:\\\"7\\\" OR event.severity:\\\"8\\\" OR event.severity:\\\"9\\\" OR event.severity:\\\"10\\\" OR event.severity:\\\"17\\\" OR event.severity:\\\"18\\\" OR event.severity:\\\"19\\\" OR event.severity:\\\"20\\\" OR event.severity:\\\"21\\\" OR event.severity:\\\"22\\\" OR 
cef.extension.deviceCustomString4:\\\"Error\\\" OR cef.extension.deviceCustomString4:\\\"ERROR\\\" OR cef.extension.deviceCustomString4:\\\"Warning\\\" OR cef.extension.deviceCustomString4:\\\"WARNING\\\" OR cef.extension.deviceCustomString4:\\\"FORMERR\\\" OR cef.extension.deviceCustomString4:\\\"NOTIMP\\\" OR cef.extension.deviceCustomString4:\\\"YXDOMAIN\\\" OR cef.extension.deviceCustomString4:\\\"YXRRSET\\\" OR cef.extension.deviceCustomString4:\\\"NXRRSET\\\" OR cef.extension.deviceCustomString4:\\\"NOTAUTH\\\" OR cef.extension.deviceCustomString4:\\\"NOTZONE\\\" OR cef.extension.deviceCustomString4:\\\"BADKEY\\\" OR cef.extension.deviceCustomString4:\\\"BADTIME\\\" OR cef.extension.deviceCustomString4:\\\"BADMODE\\\" OR cef.extension.deviceCustomString4:\\\"BADNAME\\\" OR cef.extension.deviceCustomString4:\\\"BADALG\\\" OR cef.extension.deviceCustomString4:\\\"BADTRUNC\\\")\"},\"id\":\"7949d31b-8aae-433a-b7cf-6939a8728cc9\",\"label\":\"MEDIUM\"},{\"color\":\"rgba(252,220,0,1)\",\"filter\":{\"language\":\"lucene\",\"query\":\"(NOT (event.severity:\\\"2\\\" OR event.severity:\\\"3\\\" OR event.severity:\\\"5\\\" OR event.severity:\\\"16\\\" OR cef.extension.deviceCustomString4:\\\"SERVFAIL\\\" OR cef.extension.deviceCustomString4:\\\"NXDOMAIN\\\" OR cef.extension.deviceCustomString4:\\\"REFUSED\\\" OR cef.extension.deviceCustomString4:\\\"BADVERS\\\" OR cef.extension.deviceCustomString4:\\\"BADSIG\\\" OR event.severity:\\\"1\\\" OR event.severity:\\\"4\\\" OR event.severity:\\\"6\\\" OR event.severity:\\\"7\\\" OR event.severity:\\\"8\\\" OR event.severity:\\\"9\\\" OR event.severity:\\\"10\\\" OR event.severity:\\\"17\\\" OR event.severity:\\\"18\\\" OR event.severity:\\\"19\\\" OR event.severity:\\\"20\\\" OR event.severity:\\\"21\\\" OR event.severity:\\\"22\\\" OR cef.extension.deviceCustomString4:\\\"Error\\\" OR cef.extension.deviceCustomString4:\\\"ERROR\\\" OR cef.extension.deviceCustomString4:\\\"Warning\\\" OR 
cef.extension.deviceCustomString4:\\\"WARNING\\\" OR cef.extension.deviceCustomString4:\\\"FORMERR\\\" OR cef.extension.deviceCustomString4:\\\"NOTIMP\\\" OR cef.extension.deviceCustomString4:\\\"YXDOMAIN\\\" OR cef.extension.deviceCustomString4:\\\"YXRRSET\\\" OR cef.extension.deviceCustomString4:\\\"NXRRSET\\\" OR cef.extension.deviceCustomString4:\\\"NOTAUTH\\\" OR cef.extension.deviceCustomString4:\\\"NOTZONE\\\" OR cef.extension.deviceCustomString4:\\\"BADKEY\\\" OR cef.extension.deviceCustomString4:\\\"BADTIME\\\" OR cef.extension.deviceCustomString4:\\\"BADMODE\\\" OR cef.extension.deviceCustomString4:\\\"BADNAME\\\" OR cef.extension.deviceCustomString4:\\\"BADALG\\\" OR cef.extension.deviceCustomString4:\\\"BADTRUNC\\\"))\"},\"id\":\"d2627211-5f9e-4c65-8a47-1cd6f085939d\",\"label\":\"LOW\"}],\"split_mode\":\"filters\",\"stacked\":\"none\"},{\"axis_position\":\"right\",\"chart_type\":\"bar\",\"color\":\"rgba(0,156,224,1)\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"a5fda184-fdd6-4221-ab59-492eab162f0a\",\"label\":\"Count by Event Type\",\"line_width\":1,\"metrics\":[{\"id\":\"e147ba1c-b13a-496f-9841-b99ddee81c5a\",\"type\":\"count\"}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"cef.device.event_class_id\",\"terms_size\":\"20\"}],\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Events Types by Severity [Logs CEF ArcSight]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-f0e60404-ddf4-4b46-8e45-e28c4fb6d60d", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/cef/2.3.2/kibana/visualization/cef-f3c573ad-2c16-4de5-9ec3-0a47141d4fa0.json b/packages/cef/2.3.2/kibana/visualization/cef-f3c573ad-2c16-4de5-9ec3-0a47141d4fa0.json deleted file mode 100755 index 5b23c7fb8e..0000000000 --- a/packages/cef/2.3.2/kibana/visualization/cef-f3c573ad-2c16-4de5-9ec3-0a47141d4fa0.json +++ /dev/null 
@@ -1,19 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Events by Size [Logs CEF ArcSight]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"drop_last_bucket\":1,\"filter\":{\"language\":\"lucene\",\"query\":\"cef.device.product:\\\"DNS Trace Log\\\"\"},\"id\":\"6e634117-6b30-411c-b74c-75510befe42f\",\"index_pattern\":\"logs-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(0,156,224,1)\",\"fill\":0.5,\"filter\":{\"language\":\"lucene\",\"query\":\"deviceDirection:\\\"0\\\"\"},\"formatter\":\"bytes\",\"id\":\"28b1fb5b-0f16-4519-b901-4dd2dcc39915\",\"label\":\"Inbound Bytes\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"source.bytes\",\"id\":\"f613f33f-6459-4e46-a3a0-c36c48c46b2e\",\"type\":\"sum\"}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"filter\",\"stacked\":\"none\"},{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(244,78,59,1)\",\"fill\":0.5,\"filter\":{\"language\":\"lucene\",\"query\":\"deviceDirection:\\\"1\\\"\"},\"formatter\":\"bytes\",\"id\":\"5a5c2529-4990-4006-b039-c94069ff6b7e\",\"label\":\"Outbound Bytes\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"source.bytes\",\"id\":\"b69501e7-56d5-4c38-81d1-34d778c81e11\",\"type\":\"sum\"},{\"id\":\"0aaab374-5845-44ab-94f5-ac4fab25c287\",\"script\":\"params.outbound_bytes \\u003e= 0 ? 
params.outbound_bytes * -1 : 0\",\"type\":\"calculation\",\"variables\":[{\"field\":\"b69501e7-56d5-4c38-81d1-34d778c81e11\",\"id\":\"23b8c41c-0e98-4ace-8bca-3593e46cd955\",\"name\":\"outbound_bytes\"}]}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"filter\",\"stacked\":\"none\"}],\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Events by Size [Logs CEF ArcSight]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-f3c573ad-2c16-4de5-9ec3-0a47141d4fa0", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cef/2.3.2/kibana/visualization/cef-f5258de9-71f7-410f-b713-201007f77470.json b/packages/cef/2.3.2/kibana/visualization/cef-f5258de9-71f7-410f-b713-201007f77470.json deleted file mode 100755 index aed8102339..0000000000 --- a/packages/cef/2.3.2/kibana/visualization/cef-f5258de9-71f7-410f-b713-201007f77470.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "Top 10 Application Protocols [Logs CEF ArcSight]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"network.application\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":20},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"maxFontSize\":72,\"minFontSize\":26,\"orientation\":\"single\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"square root\"},\"title\":\"Top 10 Application Protocols [Logs CEF ArcSight]\",\"type\":\"tagcloud\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-f5258de9-71f7-410f-b713-201007f77470", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "cef-68202a5c-c8f2-432f-8c08-04fbfacb95c8", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cef/2.3.2/kibana/visualization/cef-f57734dd-0f32-42b4-94dd-5d597f6735e1.json b/packages/cef/2.3.2/kibana/visualization/cef-f57734dd-0f32-42b4-94dd-5d597f6735e1.json deleted file mode 100755 index 74a61138dc..0000000000 --- a/packages/cef/2.3.2/kibana/visualization/cef-f57734dd-0f32-42b4-94dd-5d597f6735e1.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "Device Types by Vendor [Logs CEF ArcSight]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"exclude\":\"Network-based IDS/IPS\",\"field\":\"cef.extensions.categoryDeviceType\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"exclude\":\"\",\"field\":\"cef.device.vendor\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":false,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"}},\"title\":\"Device Types by Vendor [Logs CEF ArcSight]\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-f57734dd-0f32-42b4-94dd-5d597f6735e1", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "cef-5cede2d3-20fe-4140-add4-4c4f841b71a2", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cef/2.3.2/kibana/visualization/cef-f856a77c-a0fd-4047-afa6-e21a912814c5.json b/packages/cef/2.3.2/kibana/visualization/cef-f856a77c-a0fd-4047-afa6-e21a912814c5.json deleted file mode 100755 index afc14f82bb..0000000000 --- a/packages/cef/2.3.2/kibana/visualization/cef-f856a77c-a0fd-4047-afa6-e21a912814c5.json +++ /dev/null 
@@ -1,19 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Endpoint Average EPS [Logs CEF]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"bar_color_rules\":[{\"id\":\"85a1c642-9781-430d-b84b-b28cb2a42fb4\"}],\"drop_last_bucket\":1,\"filter\":{\"language\":\"lucene\",\"query\":\"data_stream.dataset:\\\"cef.log\\\"\"},\"gauge_color_rules\":[{\"id\":\"03a2fd72-fc9c-4582-9133-20af36217180\"}],\"gauge_inner_width\":10,\"gauge_style\":\"half\",\"gauge_width\":10,\"hide_last_value_indicator\":true,\"id\":\"b7a85957-123e-4e25-9e8e-ff7992c9b2b9\",\"index_pattern\":\"logs-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(0,156,224,1)\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"b4373ffd-9660-4206-afd6-d4867ac7dbdf\",\"label\":\"Event Throughput\",\"line_width\":1,\"metrics\":[{\"id\":\"b1a48389-d799-4eba-8b98-7ee8ef0bb440\",\"type\":\"count\"},{\"field\":\"b1a48389-d799-4eba-8b98-7ee8ef0bb440\",\"id\":\"7c5c44cc-17bd-4206-a100-b8996cd3d11a\",\"type\":\"cumulative_sum\"},{\"field\":\"7c5c44cc-17bd-4206-a100-b8996cd3d11a\",\"id\":\"215c5225-5368-40e6-8fcd-2b0026babba0\",\"type\":\"derivative\",\"unit\":\"1s\"},{\"alpha\":0.3,\"beta\":0.1,\"field\":\"215c5225-5368-40e6-8fcd-2b0026babba0\",\"gamma\":0.3,\"id\":\"f4dfe09a-e397-4287-ab99-3206516cded3\",\"model_type\":\"simple\",\"multiplicative\":false,\"period\":1,\"type\":\"moving_average\",\"window\":\"10\"}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\",\"value_template\":\"{{value}} / s\"}],\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"gauge\",\"use_kibana_indexes\":false},\"title\":\"Endpoint Average EPS [Logs CEF]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": 
"cef-f856a77c-a0fd-4047-afa6-e21a912814c5", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cef/2.3.2/kibana/visualization/cef-fa8b26c1-6973-4381-adb3-bcde0d03a520.json b/packages/cef/2.3.2/kibana/visualization/cef-fa8b26c1-6973-4381-adb3-bcde0d03a520.json deleted file mode 100755 index 32a6dda32a..0000000000 --- a/packages/cef/2.3.2/kibana/visualization/cef-fa8b26c1-6973-4381-adb3-bcde0d03a520.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "Unique Destinations and Ports by Source [Logs CEF ArcSight]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Destination Addresses\",\"field\":\"destination.ip\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Source Addresses\",\"field\":\"source.ip\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":20},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Destination Ports\",\"field\":\"destination.port\"},\"schema\":\"metric\",\"type\":\"cardinality\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Source Addresses\"},\"type\":\"category\"}],\"defaultYExtents\":false,\"drawLinesBetweenPoints\":true,\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"legendPosition\":\"right\",\"radiusRatio\":9,\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Destination Addresses\"},\"drawLinesBetweenPoints\":true,\"mode\":\"stacked\",\"show\":\"true\",\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"},{\"data\":{\"id\":\"3\",\"label\":\"Destination 
Ports\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"stacked\",\"show\":true,\"showCircles\":true,\"type\":\"line\",\"valueAxis\":\"ValueAxis-2\"}],\"setYExtents\":false,\"showCircles\":true,\"times\":[],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Destination Addresses\"},\"type\":\"value\"},{\"id\":\"ValueAxis-2\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"RightAxis-1\",\"position\":\"right\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Destination Ports\"},\"type\":\"value\"}]},\"title\":\"Unique Destinations and Ports by Source [Logs CEF ArcSight]\",\"type\":\"histogram\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-fa8b26c1-6973-4381-adb3-bcde0d03a520", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "cef-68202a5c-c8f2-432f-8c08-04fbfacb95c8", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cef/2.3.2/kibana/visualization/cef-fcf798a8-db8f-4492-827b-8fa7581108a9.json b/packages/cef/2.3.2/kibana/visualization/cef-fcf798a8-db8f-4492-827b-8fa7581108a9.json deleted file mode 100755 index cce501f750..0000000000 --- a/packages/cef/2.3.2/kibana/visualization/cef-fcf798a8-db8f-4492-827b-8fa7581108a9.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "Event Types by Size [Logs CEF ArcSight]", - "uiStateJSON": "{\"vis\":{\"colors\":{\"Count\":\"#64B0C8\",\"Total (Bytes)\":\"#E24D42\"}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Event Type\",\"field\":\"cef.device.event_class_id\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":20},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Total (Bytes)\",\"field\":\"source.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"rotate\":75,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Event Type\"},\"type\":\"category\"}],\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"},\"valueAxis\":null},\"legendPosition\":\"right\",\"orderBucketsBySum\":false,\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"mode\":\"normal\",\"show\":\"true\",\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"},{\"data\":{\"id\":\"3\",\"label\":\"Total (Bytes)\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":3,\"mode\":\"normal\",\"show\":true,\"showCircles\":false,\"type\":\"line\",\"valueAxis\":\"ValueAxis-2\"}],\"times\":[],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"square 
root\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"},{\"id\":\"ValueAxis-2\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"RightAxis-1\",\"position\":\"right\",\"scale\":{\"mode\":\"normal\",\"type\":\"square root\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Total (Bytes)\"},\"type\":\"value\"}]},\"title\":\"Event Types by Size [Logs CEF ArcSight]\",\"type\":\"histogram\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-fcf798a8-db8f-4492-827b-8fa7581108a9", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "cef-f85a3444-8a43-4e46-b872-4e44bc25d0f3", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cef/2.3.2/kibana/visualization/cef-fe7b63d1-dbc7-4376-af7f-ace97a9f2e60.json b/packages/cef/2.3.2/kibana/visualization/cef-fe7b63d1-dbc7-4376-af7f-ace97a9f2e60.json deleted file mode 100755 index 0907dbbef8..0000000000 --- a/packages/cef/2.3.2/kibana/visualization/cef-fe7b63d1-dbc7-4376-af7f-ace97a9f2e60.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "Destination Ports by Outcomes [Logs CEF ArcSight]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"destination.port\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":20},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"cef.extensions.categoryOutcome\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"destination.port: Descending\"},\"type\":\"category\"}],\"defaultYExtents\":false,\"drawLinesBetweenPoints\":true,\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"legendPosition\":\"right\",\"radiusRatio\":9,\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"mode\":\"stacked\",\"show\":\"true\",\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"showCircles\":true,\"times\":[],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"defaultYExtents\":true,\"mode\":\"normal\",\"setYExtents\":false,\"type\":\"square root\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"value\"}]},\"title\":\"Destination Ports by Outcomes [Logs CEF ArcSight]\",\"type\":\"histogram\"}" - }, - 
"coreMigrationVersion": "8.0.0", - "id": "cef-fe7b63d1-dbc7-4376-af7f-ace97a9f2e60", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "cef-5cede2d3-20fe-4140-add4-4c4f841b71a2", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cef/2.3.2/kibana/visualization/cef-fff249b2-18b6-4b48-bcf7-dd4595d111e7.json b/packages/cef/2.3.2/kibana/visualization/cef-fff249b2-18b6-4b48-bcf7-dd4595d111e7.json deleted file mode 100755 index df5b0a6e9f..0000000000 --- a/packages/cef/2.3.2/kibana/visualization/cef-fff249b2-18b6-4b48-bcf7-dd4595d111e7.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "Outcome by Device Type [Logs CEF ArcSight]", - "uiStateJSON": "{\"vis\":{\"colors\":{\"/Failure\":\"#BF1B00\",\"/Success\":\"#629E51\"}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Firewall Types\",\"field\":\"cef.extensions.categoryDeviceType\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Event Outcome\",\"field\":\"cef.extensions.categoryOutcome\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":3},\"schema\":\"group\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"rotate\":75,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Firewall Types\"},\"type\":\"category\"}],\"defaultYExtents\":false,\"drawLinesBetweenPoints\":true,\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"legendPosition\":\"right\",\"orderBucketsBySum\":true,\"radiusRatio\":9,\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"mode\":\"stacked\",\"show\":\"true\",\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"showCircles\":true,\"times\":[],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"percentage\",\"type\":\"square 
root\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"value\"}]},\"title\":\"Outcome by Device Type [Logs CEF ArcSight]\",\"type\":\"histogram\"}"
- },
- "coreMigrationVersion": "8.0.0",
- "id": "cef-fff249b2-18b6-4b48-bcf7-dd4595d111e7",
- "migrationVersion": {
- "visualization": "8.0.0"
- },
- "references": [
- {
- "id": "cef-68202a5c-c8f2-432f-8c08-04fbfacb95c8",
- "name": "search_0",
- "type": "search"
- }
- ],
- "type": "visualization"
-}
\ No newline at end of file
diff --git a/packages/cef/2.3.2/manifest.yml b/packages/cef/2.3.2/manifest.yml
deleted file mode 100755
index 38688c6fd8..0000000000
--- a/packages/cef/2.3.2/manifest.yml
+++ /dev/null
@@ -1,26 +0,0 @@
-name: cef
-title: Common Event Format (CEF)
-version: 2.3.2
-release: ga
-description: Collect logs from CEF Logs with Elastic Agent.
-type: integration
-format_version: 1.0.0
-license: basic
-categories:
- - network
- - security
-conditions:
- kibana.version: ^8.0.0
-policy_templates:
- - name: cef
- title: CEF logs
- description: Collect logs from CEF instances
- inputs:
- - type: logfile
- title: "Collect CEF application logs (input: logfile)"
- description: "Collecting application logs from CEF instances (input: logfile)"
- - type: udp
- title: "Collect CEF application logs (input: udp)"
- description: "Collecting application logs from CEF instances (input: udp)"
-owner:
- github: elastic/security-external-integrations
diff --git a/packages/cef/2.3.3/LICENSE.txt b/packages/cef/2.3.3/LICENSE.txt
deleted file mode 100755
index 809108b857..0000000000
--- a/packages/cef/2.3.3/LICENSE.txt
+++ /dev/null
@@ -1,93 +0,0 @@ -Elastic License 2.0 - -URL: https://www.elastic.co/licensing/elastic-license - -## Acceptance - -By using the software, you agree to all of the terms and conditions below. - -## Copyright License - -The licensor grants you a non-exclusive, royalty-free, worldwide, -non-sublicensable, non-transferable license to use, copy, distribute, make -available, and prepare derivative works of the software, in each case subject to -the limitations and conditions below. - -## Limitations - -You may not provide the software to third parties as a hosted or managed -service, where the service provides users with access to any substantial set of -the features or functionality of the software. - -You may not move, change, disable, or circumvent the license key functionality -in the software, and you may not remove or obscure any functionality in the -software that is protected by the license key. - -You may not alter, remove, or obscure any licensing, copyright, or other notices -of the licensor in the software. Any use of the licensor’s trademarks is subject -to applicable law. - -## Patents - -The licensor grants you a license, under any patent claims the licensor can -license, or becomes able to license, to make, have made, use, sell, offer for -sale, import and have imported the software, in each case subject to the -limitations and conditions in this license. This license does not cover any -patent claims that you cause to be infringed by modifications or additions to -the software. If you or your company make any written claim that the software -infringes or contributes to infringement of any patent, your patent license for -the software granted under these terms ends immediately. If your company makes -such a claim, your patent license ends immediately for work on behalf of your -company. - -## Notices - -You must ensure that anyone who gets a copy of any part of the software from you -also gets a copy of these terms. 
- -If you modify the software, you must include in any modified copies of the -software prominent notices stating that you have modified the software. - -## No Other Rights - -These terms do not imply any licenses other than those expressly granted in -these terms. - -## Termination - -If you use the software in violation of these terms, such use is not licensed, -and your licenses will automatically terminate. If the licensor provides you -with a notice of your violation, and you cease all violation of this license no -later than 30 days after you receive that notice, your licenses will be -reinstated retroactively. However, if you violate these terms after such -reinstatement, any additional violation of these terms will cause your licenses -to terminate automatically and permanently. - -## No Liability - -*As far as the law allows, the software comes as is, without any warranty or -condition, and the licensor will not be liable to you for any damages arising -out of these terms or the use or nature of the software, under any kind of -legal claim.* - -## Definitions - -The **licensor** is the entity offering these terms, and the **software** is the -software the licensor makes available under these terms, including any portion -of it. - -**you** refers to the individual or entity agreeing to these terms. - -**your company** is any legal entity, sole proprietorship, or other kind of -organization that you work for, plus all organizations that have control over, -are under the control of, or are under common control with that -organization. **control** means ownership of substantially all the assets of an -entity, or the power to direct its management and policies by vote, contract, or -otherwise. Control can be direct or indirect. - -**your licenses** are all the licenses granted to you for the software under -these terms. - -**use** means anything you do with the software requiring one of your licenses. 
- -**trademark** means trademarks, service marks, and similar rights. diff --git a/packages/cef/2.3.3/changelog.yml b/packages/cef/2.3.3/changelog.yml deleted file mode 100755 index 25c1c86bd1..0000000000 --- a/packages/cef/2.3.3/changelog.yml +++ /dev/null 
@@ -1,164 +0,0 @@ -# newer versions go on top -- version: "2.3.3" - changes: - - description: Remove duplicate field. - type: bugfix - link: https://github.com/elastic/integrations/issues/4327 -- version: "2.3.2" - changes: - - description: Use ECS geo.location definition. - type: enhancement - link: https://github.com/elastic/integrations/issues/4227 -- version: "2.3.1" - changes: - - description: Remove unused visualizations - type: enhancement - link: https://github.com/elastic/integrations/issues/3975 -- version: "2.3.0" - changes: - - description: Update package to ECS 8.4.0 - type: enhancement - link: https://github.com/elastic/integrations/pull/3842 -- version: "2.2.1" - changes: - - description: Update package name and description to align with standard wording - type: enhancement - link: https://github.com/elastic/integrations/pull/3478 -- version: "2.2.0" - changes: - - description: Add generic CEF dashboards - type: enhancement - link: https://github.com/elastic/integrations/pull/3526 -- version: "2.1.0" - changes: - - description: Update package to ECS 8.3.0. - type: enhancement - link: https://github.com/elastic/integrations/pull/3353 -- version: "2.0.3" - changes: - - description: Format source.mac and destination.mac as per ECS. - type: bugfix - link: https://github.com/elastic/integrations/pull/3566 -- version: "2.0.2" - changes: - - description: Improve field documentation - type: enhancement - link: https://github.com/elastic/integrations/pull/3465 -- version: "2.0.1" - changes: - - description: Clarify scope of dashboards - type: bugfix - link: https://github.com/elastic/integrations/pull/3470 -- version: "2.0.0" - changes: - - description: Migrate map visualisation from tile_map to map object - type: enhancement - link: https://github.com/elastic/integrations/pull/3263 -- version: "1.5.0" - changes: - - description: Update to ECS 8.2 by modifying Check Point events to use the new email field set. 
- type: enhancement - link: https://github.com/elastic/integrations/pull/2804 -- version: "1.4.3" - changes: - - description: Add documentation for multi-fields - type: enhancement - link: https://github.com/elastic/integrations/pull/2916 -- version: "1.4.2" - changes: - - description: Add field mappings for several `event.*` fields. - type: bugfix - link: https://github.com/elastic/integrations/pull/2808 -- version: "1.4.1" - changes: - - description: Append pipeline errors to error.message instead of overwriting existing errors. - type: bugfix - link: https://github.com/elastic/integrations/pull/2789 -- version: "1.4.0" - changes: - - description: Update to ECS 8.0 - type: enhancement - link: https://github.com/elastic/integrations/pull/2386 -- version: "1.3.1" - changes: - - description: Regenerate test files using the new GeoIP database - type: bugfix - link: https://github.com/elastic/integrations/pull/2339 -- version: "1.3.0" - changes: - - description: Change test IPs to the supported set for GeoIP - type: enhancement - link: https://github.com/elastic/integrations/pull/2216 - - description: Add 8.0.0 version constraint - type: enhancement - link: https://github.com/elastic/integrations/pull/2216 -- version: "1.2.2" - changes: - - description: Update Title and Description. - type: enhancement - link: https://github.com/elastic/integrations/pull/1950 -- version: "1.2.1" - changes: - - description: Fix logic that checks for the 'forwarded' tag - type: bugfix - link: https://github.com/elastic/integrations/pull/1802 -- version: "1.2.0" - changes: - - description: Add CEF time zone config option. 
- type: enhancement - link: https://github.com/elastic/integrations/pull/1723 -- version: "1.1.0" - changes: - - description: Update to ECS 1.12.0 - type: enhancement - link: https://github.com/elastic/integrations/pull/1652 -- version: "1.0.0" - changes: - - description: make GA - type: enhancement - link: https://github.com/elastic/integrations/pull/1604 -- version: "0.5.2" - changes: - - description: Convert to generated ECS fields - type: enhancement - link: https://github.com/elastic/integrations/pull/1469 -- version: '0.5.1' - changes: - - description: update to ECS 1.11.0 - type: enhancement - link: https://github.com/elastic/integrations/pull/1375 -- version: "0.5.0" - changes: - - description: Update documentation to fit mdx spec - type: enhancement - link: https://github.com/elastic/integrations/pull/1401 -- version: "0.4.0" - changes: - - description: Update integration description - type: enhancement - link: https://github.com/elastic/integrations/pull/1364 -- version: "0.3.0" - changes: - - description: Set "event.module" and "event.dataset" - type: enhancement - link: https://github.com/elastic/integrations/pull/1255 -- version: "0.2.0" - changes: - - description: update to ECS 1.10.0 and adding event.original options. - type: enhancement - link: https://github.com/elastic/integrations/pull/1032 -- version: "0.1.0" - changes: - - description: Change syslog input to udp input. Add syslog timestamp parsing to Ingest Node pipeline. - type: enhancement - link: https://github.com/elastic/integrations/pull/898 -- version: "0.0.4" - changes: - - description: update to ECS 1.9.0 - type: enhancement - link: https://github.com/elastic/integrations/pull/838 -- version: "0.0.1" - changes: - - description: initial release - type: enhancement # can be one of: enhancement, bugfix, breaking-change - link: https://github.com/elastic/integrations/pull/418 
diff --git a/packages/cef/2.3.3/data_stream/log/agent/stream/log.yml.hbs b/packages/cef/2.3.3/data_stream/log/agent/stream/log.yml.hbs
deleted file mode 100755
index c9f24092e8..0000000000
--- a/packages/cef/2.3.3/data_stream/log/agent/stream/log.yml.hbs
+++ /dev/null
@@ -1,27 +0,0 @@
-paths:
- {{#each paths as |path i|}}
-- {{path}}
- {{/each}}
-exclude_files: [".gz$"]
-tags:
-{{#if preserve_original_event}}
- - preserve_original_event
-{{/if}}
-{{#each tags as |tag i|}}
- - {{tag}}
-{{/each}}
-{{#contains "forwarded" tags}}
-publisher_pipeline.disable_host: true
-{{/contains}}
-processors:
-- rename:
- fields:
- - {from: "message", to: "event.original"}
-- decode_cef:
- field: event.original
-{{#if decode_cef_timezone}}
- timezone: {{ decode_cef_timezone }}
-{{/if}}
-{{#if processors}}
-{{processors}}
-{{/if}}
diff --git a/packages/cef/2.3.3/data_stream/log/agent/stream/udp.yml.hbs b/packages/cef/2.3.3/data_stream/log/agent/stream/udp.yml.hbs
deleted file mode 100755
index 4d71aa0234..0000000000
--- a/packages/cef/2.3.3/data_stream/log/agent/stream/udp.yml.hbs
+++ /dev/null
@@ -1,23 +0,0 @@
-host: "{{syslog_host}}:{{syslog_port}}"
-tags:
-{{#if preserve_original_event}}
- - preserve_original_event
-{{/if}}
-{{#each tags as |tag i|}}
- - {{tag}}
-{{/each}}
-{{#contains "forwarded" tags}}
-publisher_pipeline.disable_host: true
-{{/contains}}
-processors:
-- rename:
- fields:
- - {from: "message", to: "event.original"}
-- decode_cef:
- field: event.original
-{{#if decode_cef_timezone}}
- timezone: {{ decode_cef_timezone }}
-{{/if}}
-{{#if processors}}
-{{processors}}
-{{/if}}
\ No newline at end of file
diff --git a/packages/cef/2.3.3/data_stream/log/elasticsearch/ingest_pipeline/cp-pipeline.yml b/packages/cef/2.3.3/data_stream/log/elasticsearch/ingest_pipeline/cp-pipeline.yml
deleted file mode 100755
index 8a53e9b0c7..0000000000
--- a/packages/cef/2.3.3/data_stream/log/elasticsearch/ingest_pipeline/cp-pipeline.yml
+++ /dev/null
@@ -1,380 +0,0 @@
----
-description: Pipeline for Check Point CEF
-
-processors:
- # This script is mapping CEF extensions to ECS when possible. Otherwise
- # it maps them to fields under the `checkpoint` group using Check Point log
- # field names.
- #
- # [1] Description of Check Point CEF extensions:
- # https://community.checkpoint.com/t5/Logging-and-Reporting/Log-Exporter-CEF-Field-Mappings/td-p/41060
- # [2] Description of Check Point log field names (sk144192):
- # https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk144192
- #
- # Note that in some cases the CEF extension name doesn't accurately describe
- # its contents. For example sntdom/sourceNtDomain, which is used to store
- # Check Point's domain_name, documented as "Domain name sent to DNS request".
- #
- # This script processes the `params.extensions` list below. This list consists
- # of two different kinds of mappings, the simpler has a source ext `name`
- # and a `to` field. It copies the given extension field to the target `to`.
- #
- # When the `labels` dict is defined, the target field depends on the value of
- # the accompanying label field. For example, the field deviceCustomIPv6Address2
- # is mapped to `source.ip` only when the extension deviceCustomIPv6Address2Label
- # exists and its value is "Source IPv6 Address".
- #
- # Also it can convert the destination value by simple mapping when the
- # convert key exists. Values without an entry in the convert dict are not
- # copied and the target field remains unset.
- #
- # The output of this processor is a single field, `_tmp_copy`, that contains
- # a list of actions `{"to": "target_field", "value":"field value"}` that is
- # later executed using a foreach processor. This is done to avoid complex
- # de-dotting and other gotchas of setting arbitrary fields in Painless.
- - script:
- lang: painless
- params:
- extensions:
- - name: cp_app_risk
- to: checkpoint.app_risk
-
- - name: cp_app_risk
- to: event.risk_score
- # This mapping is a mix of [1] and [2] above.
- convert:
- unknown: 0
- informational: 0
- very-low: 1
- low: 2
- medium: 3
- high: 4
- very-high: 5
- critical: 5
-
- - name: cp_severity
- to: checkpoint.severity
-
- - name: cp_severity
- to: event.severity
- convert:
- # This mapping is a mix of [1] and [2] above.
- unknown: 0
- informational: 0
- very-low: 1
- low: 1
- medium: 2
- high: 3
- very-high: 4
- critical: 4
-
- # Number of events associated with the log
- - name: baseEventCount
- to: checkpoint.event_count
-
- # Log type
- - name: deviceExternalId
- to: observer.type
-
- # Product Family (override deviceExternalId if present).
- - name: deviceFacility
- to: observer.type
- convert:
- '0': Network
- '1': Endpoint
- '2': Access
- '3': Threat
- '4': Mobile
-
- # Gateway interface, where the connection is received from in case of an outbound connection
- - name: deviceInboundInterface
- to: observer.ingress.interface.name
-
- # Gateway interface, where the connection is sent from, in case of an inbound connection
- - name: deviceOutboundInterface
- to: observer.egress.interface.name
-
- - name: externalId
- to: checkpoint.uuid
-
- - name: fileHash
- to: checkpoint.file_hash
-
- - name: reason
- to: checkpoint.termination_reason
-
- # Possibly an IKE cookie
- - name: requestCookies
- to: checkpoint.cookie
-
- # Probably a typo in CP's CEF docs
- - name: checkrequestCookies
- to: checkpoint.cookie
-
- # Domain name sent to DNS request
- - name: sourceNtDomain
- to: dns.question.name
-
- # CVE registry entry
- - name: Signature
- to: vulnerability.id
-
- - name: Recipient
- to: destination.user.email
-
- - name: Sender
- to: source.user.email
-
- - name: deviceCustomFloatingPoint1
- labels:
- update version: observer.version
-
- - name: deviceCustomIPv6Address2
- labels:
- source ipv6 address: source.ip
-
- - name: deviceCustomIPv6Address3
- labels:
- destination ipv6 address: destination.ip
-
- - name: deviceCustomNumber1
- labels:
- payload: network.bytes
- elapsed time in seconds: event.duration
- email recipients number: checkpoint.email_recipients_num
-
- - name: deviceCustomNumber2
- labels:
- duration in seconds: event.duration
- icmp type: checkpoint.icmp_type
-
- - name: deviceCustomNumber3
- labels:
- icmp code: checkpoint.icmp_code
-
- - name: deviceCustomString1
- labels:
- application rule name: rule.name
- dlp rule name: rule.name
- threat prevention rule name: rule.name
- connectivity state: checkpoint.connectivity_state
- email id: checkpoint.email_id
- voip log type: checkpoint.voip_log_type
-
- - name: deviceCustomString2
- labels:
- # Protection malware id
- protection id: checkpoint.protection_id
- update status: checkpoint.update_status
- email subject: checkpoint.email_subject
- sensor mode: checkpoint.sensor_mode
- scan invoke type: checkpoint.integrity_av_invoke_type
- category: checkpoint.category
- # Matched categories
- categories: rule.category
- peer gateway: checkpoint.peer_gateway
-
- - name: deviceCustomString6
- labels:
- application name: network.application
- virus name: checkpoint.virus_name
- malware name: checkpoint.spyware_name
- malware family: checkpoint.malware_family
-
- - name: deviceCustomString3
- labels:
- user group: group.name
- # Format of original data.
- incident extension: checkpoint.incident_extension
- identity type: checkpoint.identity_type
- email spool id: checkpoint.email_spool_id
- # Type of protection used to detect the attack
- protection type: checkpoint.protection_type
-
- - name: deviceCustomString4
- labels:
- malware status: checkpoint.spyware_status
- destination os: os.name
- scan result: checkpoint.scan_result
- frequency: checkpoint.frequency
- protection name: checkpoint.protection_name
- user response: checkpoint.user_status
- email control: checkpoint.email_control
- tcp flags: checkpoint.tcp_flags
- threat prevention rule id: rule.id
-
- - name: deviceCustomString5
- labels:
- matched category: rule.category
- authentication method: checkpoint.auth_method
- email session id: checkpoint.email_session_id
- vlan id: network.vlan.id
-
- - name: deviceCustomDate2
- labels:
- subscription expiration: checkpoint.subs_exp
-
- - name: deviceFlexNumber1
- labels:
- confidence: checkpoint.confidence_level
-
- - name: deviceFlexNumber2
- labels:
- destination phone number: checkpoint.dst_phone_number
- performance impact: checkpoint.performance_impact
-
- - name: flexString1
- labels:
- application signature id: checkpoint.app_sig_id
-
- - name: flexString2
- labels:
- malware action: rule.description
- attack information: event.action
-
- - name: rule_uid
- to: rule.uuid
-
- - name: ifname
- to: observer.ingress.interface.name
-
- - name: inzone
- to: observer.ingress.zone
-
- - name: outzone
- to: observer.egress.zone
-
- - name: product
- to: observer.product
-
- source: |
- def actions = new ArrayList();
- def exts = ctx.cef?.extensions;
- if (exts == null) return;
- for (entry in params.extensions) {
- def value = exts[entry.name];
- if (value == null ||
- (entry.convert != null &&
- (value=entry.convert[value.toLowerCase()]) == null))
- continue;
- if (entry.to != null) {
- actions.add([
- "value": value,
- "to": entry.to
- ]);
- continue;
- }
- def label = exts[entry.name + "Label"];
- if (label == null) continue;
- def dest = entry.labels[label.toLowerCase()];
- if (dest == null) continue;
- actions.add([
- "value": value,
- "to": dest
- ]);
- }
- ctx["_tmp_copy"] = actions;
-
- - foreach:
- field: _tmp_copy
- processor:
- set:
- field: "{{_ingest._value.to}}"
- value: "{{_ingest._value.value}}"
-
- - remove:
- field: _tmp_copy
-
- - set:
- field: email.to.address
- value: ["{{{destination.user.email}}}"]
- if: "ctx?.destination?.user?.email != null"
- - set:
- field: email.from.address
- value: ["{{{source.user.email}}}"]
- if: "ctx?.source?.user?.email != null"
- - set:
- field: email.subject
- copy_from: checkpoint.email_subject
- if: "ctx?.checkpoint?.email_subject != null"
- - set:
- field: email.message_id
- copy_from: checkpoint.email_session_id
- if: "ctx?.checkpoint?.email_session_id != null"
- - convert:
- field: event.risk_score
- type: float
- ignore_missing: true
- on_failure:
- - remove:
- field: event.risk_score
- - convert:
- field: event.severity
- type: long
- ignore_missing: true
- on_failure:
- - remove:
- field: event.severity
-
- # event.duration is a string and contains seconds. Convert to long nanos.
- - script:
- params:
- second_to_nanos: 1000000000
- lang: painless
- source: |
- def duration = ctx.event?.duration;
- if (duration == null) return;
- ctx.event.duration = Long.parseLong(duration) * params.second_to_nanos;
- on_failure:
- - remove:
- field: event.duration
- ignore_missing: true
-
- # checkpoint.file_hash can be either MD5, SHA1 or SHA256.
- - rename:
- field: checkpoint.file_hash
- target_field: file.hash.md5
- if: 'ctx.checkpoint?.file_hash != null && ctx.checkpoint.file_hash.length()==32'
- - rename:
- field: checkpoint.file_hash
- target_field: file.hash.sha1
- if: 'ctx.checkpoint?.file_hash != null && ctx.checkpoint.file_hash.length()==40'
- - rename:
- field: checkpoint.file_hash
- target_field: file.hash.sha256
- if: 'ctx.checkpoint?.file_hash != null && ctx.checkpoint.file_hash.length()==64'
-
- # Event kind is 'event' by default. 'alert' when a risk score and rule info
- # is present.
- - set:
- field: event.kind
- value: event
- - set:
- field: event.kind
- value: alert
- if: 'ctx.cef?.extensions?.cp_app_risk != null && ctx.rule != null'
-
- # Set event.category to network/malware/intrusion_detection depending on which
- # fields have been populated.
- - set:
- field: event.category
- value: network
- if: 'ctx.source?.ip != null && ctx.destination?.ip != null'
- - set:
- field: event.category
- value: malware
- if: 'ctx.checkpoint?.protection_id != null || ctx.checkpoint?.spyware_name != null || ctx.checkpoint?.malware_family != null || ctx.checkpoint?.spyware_status != null'
- - set:
- field: event.category
- value: intrusion_detection
- if: 'ctx.event?.category != "malware" && (ctx.checkpoint?.protection_type != null || ctx.cef.extensions?.flexString2Label == "Attack Information")'
-
- - convert:
- field: checkpoint.event_count
- type: long
- ignore_missing: true
- - convert:
- field: cef.extensions.baseEventCount
- type: long
- ignore_missing: true
-
diff --git a/packages/cef/2.3.3/data_stream/log/elasticsearch/ingest_pipeline/default.yml b/packages/cef/2.3.3/data_stream/log/elasticsearch/ingest_pipeline/default.yml
deleted file mode 100755
index 01c4ed82c6..0000000000
--- a/packages/cef/2.3.3/data_stream/log/elasticsearch/ingest_pipeline/default.yml
+++ /dev/null
@@ -1,177 +0,0 @@
----
-description: Pipeline for CEF logs. CEF decoding happens in the Agent. This performs additional enrichment and vendor specific transformations.
-
-processors:
- - set:
- field: ecs.version
- value: '8.4.0'
-
- - convert:
- field: event.id
- type: string
- ignore_missing: true
-
- # IP Geolocation Lookup
- - geoip:
- field: source.ip
- target_field: source.geo
- ignore_missing: true
- - geoip:
- field: destination.ip
- target_field: destination.geo
- ignore_missing: true
-
- # IP Autonomous System (AS) Lookup
- - geoip:
- database_file: GeoLite2-ASN.mmdb
- field: source.ip
- target_field: source.as
- properties:
- - asn
- - organization_name
- ignore_missing: true
- - geoip:
- database_file: GeoLite2-ASN.mmdb
- field: destination.ip
- target_field: destination.as
- properties:
- - asn
- - organization_name
- ignore_missing: true
- - rename:
- field: source.as.asn
- target_field: source.as.number
- ignore_missing: true
- - rename:
- field: source.as.organization_name
- target_field: source.as.organization.name
- ignore_missing: true
- - rename:
- field: destination.as.asn
- target_field: destination.as.number
- ignore_missing: true
- - rename:
- field: destination.as.organization_name
- target_field: destination.as.organization.name
- ignore_missing: true
- - append:
- field: related.hash
- value: "{{cef.extensions.fileHash}}"
- allow_duplicates: false
- if: "ctx?.cef?.extensions?.fileHash != null && ctx?.cef?.extensions?.fileHash != ''"
- - append:
- field: related.hash
- value: "{{cef.extensions.oldFileHash}}"
- allow_duplicates: false
- if: "ctx?.cef?.extensions?.oldFileHash != null && ctx?.cef?.extensions?.oldFileHash != ''"
- - append:
- field: related.ip
- value: "{{destination.ip}}"
- allow_duplicates: false
- if: "ctx?.destination?.ip != null && ctx?.destination?.ip != ''"
- - append:
- field: related.ip
- value: "{{destination.nat.ip}}"
- allow_duplicates: false
- if: "ctx?.destination?.nat?.ip != null && ctx?.destination?.nat?.ip != ''"
- - append:
- field: related.ip
- value: "{{source.ip}}"
- allow_duplicates: false
- if: "ctx?.source?.ip != null && ctx?.source?.ip != ''"
- - append:
- field: related.ip
- value: "{{source.nat.ip}}"
- allow_duplicates: false
- if: "ctx?.source?.nat?.ip != null && ctx?.source?.nat?.ip != ''"
- - append:
- field: related.user
- value: "{{destination.user.name}}"
- if: "ctx?.destination?.user?.name != null"
- - append:
- field: related.user
- value: "{{source.user.name}}"
- allow_duplicates: false
- if: "ctx?.source?.user?.name != null && ctx?.source?.user?.name != ''"
- - append:
- field: related.hosts
- value: "{{observer.hostname}}"
- allow_duplicates: false
- if: "ctx?.observer?.hostname != null && ctx?.observer?.hostname != ''"
- - pipeline:
- name: '{{ IngestPipeline "fp-pipeline" }}'
- if: "ctx.cef?.device?.vendor == 'FORCEPOINT'"
- - pipeline:
- name: '{{ IngestPipeline "cp-pipeline" }}'
- if: "ctx.cef?.device?.vendor == 'Check Point'"
- - community_id: {}
-
- # Ensure source.mac and destination.mac are formatted to ECS specifications.
- - gsub:
- field: destination.mac
- ignore_missing: true
- pattern: '[:.]'
- replacement: '-'
- - gsub:
- field: source.mac
- ignore_missing: true
- pattern: '[:.]'
- replacement: '-'
- - uppercase:
- field: destination.mac
- ignore_missing: true
- - uppercase:
- field: source.mac
- ignore_missing: true
-
- #
- # Timestamp parsing.
- #
- - grok:
- # decode_cef sets @timestamp when deviceReceiptTime is provided.
- description: Extract timestamp from log header when deviceReceiptTime not given.
- if: ctx?.cef?.extensions?.deviceReceiptTime == null
- field: event.original
- patterns:
- - '^%{SYSLOG_TIMESTAMP} '
- - '^%{ECS_SYSLOG_PRI}%{SYSLOG_TIMESTAMP} ' # RFC3164
- - '^%{ECS_SYSLOG_PRI}%{NONNEGINT} %{SYSLOG_TIMESTAMP} ' # RFC5224
- pattern_definitions:
- ECS_SYSLOG_PRI: '<%{NONNEGINT:log.syslog.priority:long}>'
- SYSLOG_TIMESTAMP: '(?:%{SYSLOGTIMESTAMP:_tmp.timestamp}|%{TIMESTAMP_ISO8601:_tmp.timestamp8601})'
- ignore_failure: true
- - date:
- if: ctx?._tmp?.timestamp8601 != null
- field: _tmp.timestamp8601
- formats:
- - ISO8601
- - date:
- if: ctx?._tmp?.timestamp != null
- field: _tmp.timestamp
- formats:
- - MMM d HH:mm:ss
- - MMM dd HH:mm:ss
- - remove:
- field:
- - _tmp
- ignore_failure: true
- - remove:
- field: event.original
- if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))"
- ignore_failure: true
- ignore_missing: true
-
- # Cleanup
- - remove:
- field:
- - cef.extensions._cefVer
- ignore_missing: true
-
-on_failure:
- - remove:
- field:
- - _tmp
- ignore_failure: true
- - append:
- field: error.message
- value: "{{ _ingest.on_failure_message }}"
diff --git a/packages/cef/2.3.3/data_stream/log/elasticsearch/ingest_pipeline/fp-pipeline.yml b/packages/cef/2.3.3/data_stream/log/elasticsearch/ingest_pipeline/fp-pipeline.yml
deleted file mode 100755
index f87d217328..0000000000
--- a/packages/cef/2.3.3/data_stream/log/elasticsearch/ingest_pipeline/fp-pipeline.yml
+++ /dev/null
@@ -1,27 +0,0 @@
----
-description: Pipeline for Forcepoint CEF
-
-processors:
- # cs1 is ruleID
- - set:
- field: rule.id
- value: "{{cef.extensions.deviceCustomString1}}"
- ignore_empty_value: true
-
- # cs2 is natRuleID
- - set:
- field: rule.id
- value: "{{cef.extensions.deviceCustomString2}}"
- ignore_empty_value: true
-
- # cs3 is VulnerabilityReference
- - set:
- field: vulnerability.reference
- value: "{{cef.extensions.deviceCustomString3}}"
- ignore_empty_value: true
-
- # cs4 is virusID
- - set:
- field: cef.forcepoint.virus_id
- value: "{{cef.extensions.deviceCustomString4}}"
- ignore_empty_value: true
diff --git a/packages/cef/2.3.3/data_stream/log/fields/agent.yml b/packages/cef/2.3.3/data_stream/log/fields/agent.yml
deleted file mode 100755
index d03a5f0211..0000000000
--- a/packages/cef/2.3.3/data_stream/log/fields/agent.yml
+++ /dev/null
@@ -1,207 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. 
-
-- name: log.source.address
- type: keyword
- description: Source address from which the log event was read / sent from.
-- name: input.type
- type: keyword
- description: Input type
-- name: log.offset
- type: long
- description: Log offset
diff --git a/packages/cef/2.3.3/data_stream/log/fields/base-fields.yml b/packages/cef/2.3.3/data_stream/log/fields/base-fields.yml
deleted file mode 100755
index 88e15e9046..0000000000
--- a/packages/cef/2.3.3/data_stream/log/fields/base-fields.yml
+++ /dev/null
@@ -1,20 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: event.module
- type: constant_keyword
- description: Event module
- value: cef
-- name: event.dataset
- type: constant_keyword
- description: Event dataset
- value: cef.log
-- name: '@timestamp'
- type: date
- description: Event timestamp.
diff --git a/packages/cef/2.3.3/data_stream/log/fields/ecs.yml b/packages/cef/2.3.3/data_stream/log/fields/ecs.yml
deleted file mode 100755
index 92436bf957..0000000000
--- a/packages/cef/2.3.3/data_stream/log/fields/ecs.yml
+++ /dev/null
@@ -1,389 +0,0 @@ -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: destination.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: destination.as.organization.name - type: keyword -- description: Bytes sent from the destination to the source. - name: destination.bytes - type: long -- description: |- - The domain name of the destination system. - This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. - name: destination.domain - type: keyword -- description: City name. - name: destination.geo.city_name - type: keyword -- description: Name of the continent. - name: destination.geo.continent_name - type: keyword -- description: Country ISO code. - name: destination.geo.country_iso_code - type: keyword -- description: Country name. - name: destination.geo.country_name - type: keyword -- description: Longitude and latitude. - name: destination.geo.location - type: geo_point -- description: Region ISO code. - name: destination.geo.region_iso_code - type: keyword -- description: Region name. - name: destination.geo.region_name - type: keyword -- description: IP address of the destination (IPv4 or IPv6). - name: destination.ip - type: ip -- description: |- - MAC address of the destination. - The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. - name: destination.mac - pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ - type: keyword -- description: |- - Translated ip of destination based NAT sessions (e.g. internet to private DMZ) - Typically used with load balancers, firewalls, or routers. 
- name: destination.nat.ip - type: ip -- description: |- - Port the source session is translated to by NAT Device. - Typically used with load balancers, firewalls, or routers. - name: destination.nat.port - type: long -- description: Port of the destination. - name: destination.port - type: long -- description: Unique identifier for the group on the system/platform. - name: destination.user.group.id - type: keyword -- description: Name of the group. - name: destination.user.group.name - type: keyword -- description: Unique identifier of the user. - name: destination.user.id - type: keyword -- description: Short name or login of the user. - multi_fields: - - name: text - type: match_only_text - name: destination.user.name - type: keyword -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: The email address of the sender, typically from the RFC 5322 `From:` header field. - name: email.from.address - normalize: - - array - type: keyword -- description: The email address of recipient - name: email.to.address - normalize: - - array - type: keyword -- description: A brief summary of the topic of the message. - multi_fields: - - name: text - type: match_only_text - name: email.subject - type: keyword -- description: |- - Timestamp when an event arrived in the central data store. - This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. - In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. 
- name: event.ingested - type: date -- description: |- - Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. - This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. - doc_values: false - index: false - name: event.original - type: keyword -- description: Primary group name of the file. - name: file.group - type: keyword -- description: MD5 hash. - name: file.hash.md5 - type: keyword -- description: SHA1 hash. - name: file.hash.sha1 - type: keyword -- description: Inode representing the file in the filesystem. - name: file.inode - type: keyword -- description: Name of the file including the extension, without the directory. - name: file.name - type: keyword -- description: Full path to the file, including the file name. It should include the drive letter, when appropriate. - multi_fields: - - name: text - type: match_only_text - name: file.path - type: keyword -- description: |- - File size in bytes. - Only relevant when `file.type` is "file". - name: file.size - type: long -- description: File type (file, dir, or symlink). - name: file.type - type: keyword -- description: |- - HTTP request method. - The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field. - name: http.request.method - type: keyword -- description: Referrer for this HTTP request. - name: http.request.referrer - type: keyword -- description: |- - Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. - If the event wasn't read from a log file, do not populate this field. 
- name: log.file.path - type: keyword -- description: |- - Syslog numeric priority of the event, if available. - According to RFCs 5424 and 3164, the priority is 8 * facility + severity. This number is therefore expected to contain a value between 0 and 191. - name: log.syslog.priority - type: long -- description: |- - For log events the message field contains the log message, optimized for viewing in a log viewer. - For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. - If multiple messages exist, they can be combined into one message. - name: message - type: match_only_text -- description: |- - When a specific application or service is identified from network connection details (source/dest IPs, ports, certificates, or wire format), this field captures the application's or service's name. - For example, the original event identifies the network connection being from a specific web service in a `https` network connection, like `facebook` or `twitter`. - The field value must be normalized to lowercase for querying. - name: network.application - type: keyword -- description: |- - A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. - Learn more at https://github.com/corelight/community-id-spec. - name: network.community_id - type: keyword -- description: |- - Direction of the network traffic. - When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". - When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". - Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. 
Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. - name: network.direction - type: keyword -- description: |- - Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) - The field value must be normalized to lowercase for querying. - name: network.transport - type: keyword -- description: Network zone of outbound traffic as reported by the observer to categorize the destination area of egress traffic, e.g. Internal, External, DMZ, HR, Legal, etc. - name: observer.egress.zone - type: keyword -- description: Hostname of the observer. - name: observer.hostname - type: keyword -- description: Interface name as reported by the system. - name: observer.ingress.interface.name - type: keyword -- description: Network zone of incoming traffic as reported by the observer to categorize the source area of ingress traffic. e.g. internal, External, DMZ, HR, Legal, etc. - name: observer.ingress.zone - type: keyword -- description: IP addresses of the observer. - name: observer.ip - normalize: - - array - type: ip -- description: The product name of the observer. - name: observer.product - type: keyword -- description: |- - The type of the observer the data is coming from. - There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. - name: observer.type - type: keyword -- description: Vendor name of the observer. - name: observer.vendor - type: keyword -- description: Observer version. - name: observer.version - type: keyword -- description: |- - Process name. - Sometimes called program name or similar. - multi_fields: - - name: text - type: match_only_text - name: process.name - type: keyword -- description: All the hashes seen on your event. 
Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search).
- name: related.hash
- normalize:
- - array
- type: keyword
-- description: All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases.
- name: related.hosts
- normalize:
- - array
- type: keyword
-- description: All of the IPs seen on your event.
- name: related.ip
- normalize:
- - array
- type: ip
-- description: All the user names or other user identifiers seen on the event.
- name: related.user
- normalize:
- - array
- type: keyword
-- description: A categorization value keyword used by the entity using the rule for detection of this event.
- name: rule.category
- type: keyword
-- description: A rule ID that is unique within the scope of an agent, observer, or other entity using the rule for detection of this event.
- name: rule.id
- type: keyword
-- description: A rule ID that is unique within the scope of a set or group of agents, observers, or other entities using the rule for detection of this event.
- name: rule.uuid
- type: keyword
-- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet.
- name: source.as.number
- type: long
-- description: Organization name.
- multi_fields:
- - name: text
- type: match_only_text
- name: source.as.organization.name
- type: keyword
-- description: Bytes sent from the source to the destination.
- name: source.bytes
- type: long
-- description: |-
- The domain name of the source system.
- This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment.
- name: source.domain
- type: keyword
-- description: City name.
- name: source.geo.city_name
- type: keyword
-- description: Name of the continent.
- name: source.geo.continent_name
- type: keyword
-- description: Country ISO code.
- name: source.geo.country_iso_code
- type: keyword
-- description: Country name.
- name: source.geo.country_name
- type: keyword
-- description: Longitude and latitude.
- name: source.geo.location
- type: geo_point
-- description: Region ISO code.
- name: source.geo.region_iso_code
- type: keyword
-- description: Region name.
- name: source.geo.region_name
- type: keyword
-- description: IP address of the source (IPv4 or IPv6).
- name: source.ip
- type: ip
-- description: |-
- MAC address of the source.
- The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen.
- name: source.mac
- pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$
- type: keyword
-- description: |-
- Translated ip of source based NAT sessions (e.g. internal client to internet)
- Typically connections traversing load balancers, firewalls, or routers.
- name: source.nat.ip
- type: ip
-- description: |-
- Translated port of source based NAT sessions. (e.g. internal client to internet)
- Typically used with load balancers, firewalls, or routers.
- name: source.nat.port
- type: long
-- description: Port of the source.
- name: source.port
- type: long
-- description: Unique identifier for the group on the system/platform.
- name: source.user.group.id
- type: keyword
-- description: Name of the group.
- name: source.user.group.name
- type: keyword
-- description: Unique identifier of the user.
- name: source.user.id
- type: keyword
-- description: Short name or login of the user.
- multi_fields:
- - name: text
- type: match_only_text
- name: source.user.name
- type: keyword
-- description: List of keywords used to tag each event.
- name: tags
- normalize:
- - array
- type: keyword
-- description: |-
- Unmodified original url as seen in the event source.
- Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path.
- This field is meant to represent the URL as it was observed, complete or not.
- multi_fields:
- - name: text
- type: match_only_text
- name: url.original
- type: wildcard
-- description: Unparsed user_agent string.
- multi_fields:
- - name: text
- type: match_only_text
- name: user_agent.original
- type: keyword
-- description: |-
- The action captured by the event.
- This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer.
- name: event.action
- type: keyword
-- description: |-
- This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy.
- `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory.
- This field is an array. This will allow proper categorization of some events that fall in multiple categories.
- name: event.category
- normalize:
- - array
- type: keyword
-- description: |-
- Identification code for this event, if one exists.
- Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID.
- name: event.code
- type: keyword
-- description: |-
- Duration of the event in nanoseconds.
- If event.start and event.end are known this value should be the difference between the end and start time.
- name: event.duration
- type: long
-- description: Unique ID to describe the event.
- name: event.id
- type: keyword
-- description: |-
- This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy.
- `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events.
- The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not.
- name: event.kind
- type: keyword
-- description: Risk score or priority of the event (e.g. security solutions). Use your system's original value here.
- name: event.risk_score
- type: float
-- description: |-
- The numeric severity of the event according to your event source.
- What the different severity values mean can be different between sources and use cases. It's up to the implementer to make sure severities are consistent across events from the same source.
- The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`.
- name: event.severity
- type: long
diff --git a/packages/cef/2.3.3/data_stream/log/fields/fields.yml b/packages/cef/2.3.3/data_stream/log/fields/fields.yml
deleted file mode 100755
index a431804b6b..0000000000
--- a/packages/cef/2.3.3/data_stream/log/fields/fields.yml
+++ /dev/null
@@ -1,605 +0,0 @@
-- name: cef.name
- type: keyword
-- name: cef.severity
- type: keyword
-- name: cef.version
- type: keyword
-- name: destination.service.name
- type: keyword
-- name: source.service.name
- type: keyword
-- name: cef.forcepoint
- type: group
- fields:
- - name: virus_id
- type: keyword
- description: |
- Virus ID
-- name: checkpoint
- type: group
- fields:
- - name: app_risk
- type: keyword
- description: Application risk.
- - name: app_severity
- type: keyword
- description: Application threat severity.
- - name: app_sig_id
- type: keyword
- description: The signature ID which the application was detected by.
- - name: auth_method
- type: keyword
- description: Password authentication protocol used.
- - name: category
- type: keyword
- description: Category.
- - name: confidence_level
- type: integer
- description: Confidence level determined.
- - name: connectivity_state
- type: keyword
- description: Connectivity state.
- - name: cookie
- type: keyword
- description: IKE cookie.
- - name: dst_phone_number
- type: keyword
- description: Destination IP-Phone.
- - name: email_control
- type: keyword
- description: Engine name.
- - name: email_id
- type: keyword
- description: Internal email ID.
- - name: email_recipients_num
- type: long
- description: Number of recipients.
- - name: email_session_id
- type: keyword
- description: Internal email session ID.
- - name: email_spool_id
- type: keyword
- description: Internal email spool ID.
- - name: email_subject
- type: keyword
- description: Email subject.
- - name: event_count
- type: long
- description: Number of events associated with the log.
- - name: frequency
- type: keyword
- description: Scan frequency.
- - name: icmp_type
- type: long
- description: ICMP type.
- - name: icmp_code
- type: long
- description: ICMP code.
- - name: identity_type
- type: keyword
- description: Identity type.
- - name: incident_extension
- type: keyword
- description: Format of original data.
- - name: integrity_av_invoke_type
- type: keyword
- description: Scan invoke type.
- - name: malware_family
- type: keyword
- description: Malware family.
- - name: peer_gateway
- type: ip
- description: Main IP of the peer Security Gateway.
- - name: performance_impact
- type: integer
- description: Protection performance impact.
- - name: protection_id
- type: keyword
- description: Protection malware ID.
- - name: protection_name
- type: keyword
- description: Specific signature name of the attack.
- - name: protection_type
- type: keyword
- description: Type of protection used to detect the attack.
- - name: scan_result
- type: keyword
- description: Scan result.
- - name: sensor_mode
- type: keyword
- description: Sensor mode.
- - name: severity
- type: keyword
- description: Threat severity.
- - name: spyware_name
- type: keyword
- description: Spyware name.
- - name: spyware_status
- type: keyword
- description: Spyware status.
- - name: subs_exp
- type: date
- description: The expiration date of the subscription.
- - name: tcp_flags
- type: keyword
- description: TCP packet flags.
- - name: termination_reason
- type: keyword
- description: Termination reason.
- - name: update_status
- type: keyword
- description: Update status.
- - name: user_status
- type: keyword
- description: User response.
- - name: uuid
- type: keyword
- description: External ID.
- - name: virus_name
- type: keyword
- description: Virus name.
- - name: voip_log_type
- type: keyword
- description: VoIP log types.
-- name: cef.device
- type: group
- fields:
- - name: event_class_id
- type: keyword
- description: Unique identifier of the event type.
- - name: product
- type: keyword
- description: Product of the device that produced the message.
- - name: vendor
- type: keyword
- description: Vendor of the device that produced the message.
- - name: version
- type: keyword
- description: Version of the product that produced the message.
-- name: cef.extensions
- type: group
- fields:
- - name: agentAddress
- type: ip
- description: The IP address of the ArcSight connector that processed the event.
- - name: agentHostName
- type: keyword
- description: The hostname of the ArcSight connector that processed the event.
- - name: agentId
- type: keyword
- description: The agent ID of the ArcSight connector that processed the event.
- - name: agentReceiptTime
- type: date
- description: The time at which information about the event was received by the ArcSight connector.
- - name: agentTimeZone
- type: keyword
- description: The agent time zone of the ArcSight connector that processed the event.
- - name: agentType
- type: keyword
- description: The agent type of the ArcSight connector that processed the event.
- - name: destinationHostName
- type: keyword
- description: Identifies the destination that an event refers to in an IP network. The format should be a fully qualified domain name (FQDN) associated with the destination node, when a node is available.
- - name: deviceTimeZone
- type: keyword
- description: The time zone for the device generating the event.
- - name: requestUrlFileName
- type: keyword
- - name: startTime
- type: date
- description: The time when the activity the event referred to started. The format is MMM dd yyyy HH:mm:ss or milliseconds since epoch (Jan 1st 1970).
- - name: type
- type: long
- description: 0 means base event, 1 means aggregated, 2 means correlation, and 3 means action. This field can be omitted for base events (type 0).
- - name: agentVersion
- type: keyword
- description: The version of the ArcSight connector that processed the event.
- - name: agentZoneURI
- type: keyword
- - name: deviceSeverity
- type: keyword
- - name: deviceZoneURI
- type: keyword
- description: Thee URI for the Zone that the device asset has been assigned to in ArcSight.
- - name: fileType
- type: keyword
- description: Type of file (pipe, socket, etc.)
- - name: filename
- type: keyword
- description: Name of the file only (without its path).
- - name: managerReceiptTime
- type: date
- description: When the Arcsight ESM received the event.
- - name: agentMacAddress
- type: keyword
- description: The MAC address of the ArcSight connector that processed the event.
- - name: deviceProcessName
- type: keyword
- description: Process name associated with the event. An example might be the process generating the syslog entry in UNIX.
- - name: baseEventCount
- type: long
- description: A count associated with this event. How many times was this same event observed? Count can be omitted if it is 1.
- - name: dvc
- type: ip
- description: This field is used by Trend Micro if the hostname is an IPv4 address.
- - name: dvchost
- type: keyword
- description: This field is used by Trend Micro for hostnames and IPv6 addresses.
- - name: cp_app_risk
- type: keyword
- - name: cp_severity
- type: keyword
- - name: ifname
- type: keyword
- - name: inzone
- type: keyword
- - name: layer_uuid
- type: keyword
- - name: layer_name
- type: keyword
- - name: logid
- type: keyword
- - name: loguid
- type: keyword
- - name: match_id
- type: keyword
- - name: nat_addtnl_rulenum
- type: keyword
- - name: nat_rulenum
- type: keyword
- - name: origin
- type: keyword
- - name: originsicname
- type: keyword
- - name: outzone
- type: keyword
- - name: parent_rule
- type: keyword
- - name: product
- type: keyword
- - name: rule_action
- type: keyword
- - name: rule_uid
- type: keyword
- - name: sequencenum
- type: keyword
- - name: service_id
- type: keyword
- - name: version
- type: keyword
- - name: applicationProtocol
- type: keyword
- description: Application level protocol, example values are HTTP, HTTPS, SSHv2, Telnet, POP, IMPA, IMAPS, and so on.
- - name: categoryDeviceGroup
- type: keyword
- description: General device group like Firewall (ArcSight).
- - name: categoryTechnique
- type: keyword
- description: Technique being used (e.g.
/DoS) (ArcSight).
- - name: deviceEventCategory
- type: keyword
- description: Represents the category assigned by the originating device. Devices often use their own categorization schema to classify event. Example "/Monitor/Disk/Read".
- - name: sourceNtDomain
- type: keyword
- description: The Windows domain name for the source address.
- - name: destinationNtDomain
- type: keyword
- description: Outcome of the event (e.g. sucess, failure, or attempt) (ArcSight).
- - name: categoryOutcome
- type: keyword
- description: Outcome of the event (e.g. sucess, failure, or attempt) (ArcSight).
- - name: categorySignificance
- type: keyword
- description: Characterization of the importance of the event (ArcSight).
- - name: categoryObject
- type: keyword
- description: Object that the event is about. For example it can be an operating sytem, database, file, etc (ArcSight).
- - name: categoryBehavior
- type: keyword
- description: Action or a behavior associated with an event. It's what is being done to the object (ArcSight).
- - name: categoryDeviceType
- type: keyword
- description: Device type. Examples - Proxy, IDS, Web Server (ArcSight).
- - name: bytesIn
- type: long
- description: Number of bytes transferred inbound, relative to the source to destination relationship, meaning that data was flowing from source to destination.
- - name: bytesOut
- type: long
- description: Number of bytes transferred outbound relative to the source to destination relationship. For example, the byte number of data flowing from the destination to the source.
- - name: destinationAddress
- type: ip
- description: Identifies the destination address that the event refers to in an IP network. The format is an IPv4 address.
- - name: destinationPort
- type: long
- description: The valid port numbers are between 0 and 65535.
- - name: destinationServiceName
- type: keyword
- description: The service targeted by this event.
- - name: destinationTranslatedAddress
- type: ip
- description: Identifies the translated destination that the event refers to in an IP network.
- - name: destinationTranslatedPort
- type: long
- description: Port after it was translated; for example, a firewall. Valid port numbers are 0 to 65535.
- - name: destinationUserName
- type: keyword
- description: Identifies the destination user by name. This is the user associated with the event's destination. Email addresses are often mapped into the UserName fields. The recipient is a candidate to put into this field.
- - name: destinationUserPrivileges
- type: keyword
- description: The typical values are "Administrator", "User", and "Guest". This identifies the destination user's privileges. In UNIX, for example, activity executed on the root user would be identified with destinationUser Privileges of "Administrator".
- - name: deviceAction
- type: keyword
- description: Action taken by the device.
- - name: deviceAddress
- type: ip
- description: Identifies the device address that an event refers to in an IP network.
- - name: deviceCustomDate2
- type: keyword
- description: One of two timestamp fields available to map fields that do not apply to any other in this dictionary.
- - name: deviceCustomDate2Label
- type: keyword
- description: All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field.
- - name: deviceCustomIPv6Address2
- type: ip
- description: One of four IPv6 address fields available to map fields that do not apply to any other in this dictionary.
- - name: deviceCustomIPv6Address2Label
- type: keyword
- description: All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field.
- - name: deviceCustomIPv6Address3
- type: ip
- description: One of four IPv6 address fields available to map fields that do not apply to any other in this dictionary.
- - name: deviceCustomIPv6Address3Label
- type: keyword
- description: All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field.
- - name: deviceCustomNumber1
- type: long
- description: One of three number fields available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible.
- - name: deviceCustomNumber1Label
- type: keyword
- description: All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field.
- - name: deviceCustomNumber2
- type: long
- description: One of three number fields available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible.
- - name: deviceCustomNumber2Label
- type: keyword
- description: All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field.
- - name: deviceCustomNumber3
- type: long
- description: One of three number fields available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible.
- - name: deviceCustomNumber3Label
- type: keyword
- description: All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field.
- - name: deviceCustomString1
- type: keyword
- description: One of six strings available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible.
- - name: deviceCustomString1Label
- type: keyword
- description: All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field.
- - name: deviceCustomString2
- type: keyword
- description: One of six strings available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible.
- - name: deviceCustomString2Label
- type: keyword
- description: All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field.
- - name: deviceCustomString3
- type: keyword
- description: One of six strings available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible.
- - name: deviceCustomString3Label
- type: keyword
- description: All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field.
- - name: deviceCustomString4
- type: keyword
- description: One of six strings available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible.
- - name: deviceCustomString4Label
- type: keyword
- description: All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field.
- - name: deviceCustomString5
- type: keyword
- description: One of six strings available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible.
- - name: deviceCustomString5Label
- type: keyword
- description: All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field.
- - name: deviceCustomString6
- type: keyword
- description: One of six strings available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible.
- - name: deviceCustomString6Label
- type: keyword
- description: All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field.
- - name: deviceDirection
- type: long
- description: Any information about what direction the observed communication has taken. The following values are supported - "0" for inbound or "1" for outbound.
- - name: deviceExternalId
- type: keyword
- description: A name that uniquely identifies the device generating this event.
- - name: deviceFacility
- type: keyword
- description: The facility generating this event. For example, Syslog has an explicit facility associated with every event.
- - name: deviceHostName
- type: keyword
- description: The format should be a fully qualified domain name (FQDN) associated with the device node, when a node is available.
- - name: deviceOutboundInterface
- type: keyword
- description: Interface on which the packet or data left the device.
- - name: deviceReceiptTime
- type: keyword
- description: The time at which the event related to the activity was received. The format is MMM dd yyyy HH:mm:ss or milliseconds since epoch (Jan 1st 1970)
- - name: eventId
- type: long
- description: This is a unique ID that ArcSight assigns to each event.
- - name: fileHash
- type: keyword
- description: Hash of a file.
- - name: message
- type: keyword
- description: An arbitrary message giving more details about the event. Multi-line entries can be produced by using \n as the new line separator.
- - name: oldFileHash
- type: keyword
- description: Hash of the old file.
- - name: requestContext
- type: keyword
- description: Description of the content from which the request originated (for example, HTTP Referrer).
- - name: requestMethod
- type: keyword
- description: The HTTP method used to access a URL.
- - name: requestUrl
- type: keyword
- description: In the case of an HTTP request, this field contains the URL accessed.
The URL should contain the protocol as well.
- - name: method
- type: keyword
- description: HTTP request method. The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field.
- - name: sourceAddress
- type: ip
- description: Identifies the source that an event refers to in an IP network.
- - name: sourceGeoLatitude
- type: long
- - name: sourceGeoLongitude
- type: long
- - name: sourcePort
- type: long
- description: The valid port numbers are 0 to 65535.
- - name: sourceServiceName
- type: keyword
- description: The service that is responsible for generating this event.
- - name: sourceTranslatedAddress
- type: ip
- description: Identifies the translated source that the event refers to in an IP network.
- - name: sourceTranslatedPort
- type: long
- description: A port number after being translated by, for example, a firewall. Valid port numbers are 0 to 65535.
- - name: sourceUserName
- type: keyword
- description: Identifies the source user by name. Email addresses are also mapped into the UserName fields. The sender is a candidate to put into this field.
- - name: sourceUserPrivileges
- type: keyword
- description: The typical values are "Administrator", "User", and "Guest". It identifies the source user's privileges. In UNIX, for example, activity executed by the root user would be identified with "Administrator".
- - name: transportProtocol
- type: keyword
- description: Identifies the Layer-4 protocol used. The possible values are protocols such as TCP or UDP.
- - name: ad
- type: flattened
- - name: TrendMicroDsDetectionConfidence
- type: keyword
- - name: TrendMicroDsFileMD5
- type: keyword
- - name: TrendMicroDsFileSHA1
- type: keyword
- - name: TrendMicroDsFileSHA256
- type: keyword
- - name: TrendMicroDsFrameType
- type: keyword
- - name: TrendMicroDsMalwareTarget
- type: keyword
- - name: TrendMicroDsMalwareTargetType
- type: keyword
- - name: TrendMicroDsPacketData
- type: keyword
- - name: TrendMicroDsRelevantDetectionNames
- type: keyword
- - name: TrendMicroDsTenant
- type: keyword
- - name: TrendMicroDsTenantId
- type: keyword
- - name: assetCriticality
- type: keyword
- - name: deviceAssetId
- type: keyword
- - name: deviceCustomIPv6Address1
- type: ip
- description: One of four IPv6 address fields available to map fields that do not apply to any other in this dictionary.
- - name: deviceCustomIPv6Address1Label
- type: keyword
- description: All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field.
- - name: deviceCustomIPv6Address2
- type: ip
- description: One of four IPv6 address fields available to map fields that do not apply to any other in this dictionary.
- - name: deviceCustomIPv6Address2Label
- type: keyword
- description: All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field.
- - name: deviceCustomIPv6Address3
- type: ip
- description: One of four IPv6 address fields available to map fields that do not apply to any other in this dictionary.
- - name: deviceCustomIPv6Address3Label
- type: keyword
- description: All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field.
- - name: deviceCustomIPv6Address4
- type: ip
- description: One of four IPv6 address fields available to map fields that do not apply to any other in this dictionary.
- - name: deviceCustomIPv6Address4Label
- type: keyword
- description: All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field.
- - name: deviceInboundInterface
- type: keyword
- description: Interface on which the packet or data entered the device.
- - name: deviceZoneID
- type: keyword
- - name: eventAnnotationAuditTrail
- type: keyword
- - name: eventAnnotationEndTime
- type: date
- - name: eventAnnotationFlags
- type: keyword
- - name: eventAnnotationManagerReceiptTime
- type: date
- - name: eventAnnotationModificationTime
- type: date
- - name: eventAnnotationStageUpdateTime
- type: date
- - name: eventAnnotationVersion
- type: keyword
- - name: locality
- type: keyword
- - name: modelConfidence
- type: keyword
- - name: originalAgentAddress
- type: keyword
- - name: originalAgentHostName
- type: keyword
- - name: originalAgentId
- type: keyword
- - name: originalAgentType
- type: keyword
- - name: originalAgentVersion
- type: keyword
- - name: originalAgentZoneURI
- type: keyword
- - name: priority
- type: keyword
- - name: relevance
- type: keyword
- - name: severity
- type: keyword
- - name: sourceTranslatedZoneID
- type: keyword
- - name: sourceTranslatedZoneURI
- type: keyword
- description: The URI for the Translated Zone that the destination asset has been assigned to in ArcSight.
- - name: sourceZoneID
- type: keyword
- description: Identifies the source user by ID. This is the user associated with the source of the event. For example, in UNIX, the root user is generally associated with user ID 0.
- - name: sourceZoneURI
- type: keyword
- description: The URI for the Zone that the source asset has been assigned to in ArcSight.
- - name: aggregationType
- type: keyword
- - name: destinationMacAddress
- type: keyword
- description: Six colon-separated hexadecimal numbers.
- - name: filePath
- type: keyword
- description: Full path to the file, including file name itself.
- - name: fileSize
- type: long
- description: Size of the file.
- - name: repeatCount
- type: keyword
- - name: sourceHostName
- type: keyword
- description: Identifies the source that an event refers to in an IP network. The format should be a fully qualified domain name (FQDN) associated with the source node, when a mode is available.
- - name: sourceMacAddress
- type: keyword
- description: Six colon-separated hexadecimal numbers.
- - name: sourceUserId
- type: keyword
- description: Identifies the source user by ID. This is the user associated with the source of the event. For example, in UNIX, the root user is generally associated with user ID 0.
- - name: target
- type: keyword
diff --git a/packages/cef/2.3.3/data_stream/log/manifest.yml b/packages/cef/2.3.3/data_stream/log/manifest.yml
deleted file mode 100755
index 8383dac3ad..0000000000
--- a/packages/cef/2.3.3/data_stream/log/manifest.yml
+++ /dev/null
@@ -1,104 +0,0 @@ -type: logs -title: CEF log logs -streams: - - input: logfile - template_path: log.yml.hbs - title: CEF logs - description: Collect CEF logs using log input - vars: - - name: paths - type: text - title: Paths - multi: true - required: true - show_user: true - default: - - /var/log/cef.log - - name: decode_cef_timezone - type: text - title: CEF Timezone - multi: false - required: false - show_user: false - description: IANA time zone or time offset (e.g. `+0200`) to use when interpreting timestamps without a time zone in the CEF message. - - name: tags - type: text - title: Tags - description: A list of tags to include in events. Including `forwarded` indicates that the events did not originate on this host and causes `host.name` to not be added to events. - multi: true - required: true - show_user: false - default: - - cef - - forwarded - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original` - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: > - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. - - - input: udp - template_path: udp.yml.hbs - title: CEF logs - description: Collect CEF logs using udp input - vars: - - name: syslog_host - type: text - title: Syslog Host - description: The interface to listen to UDP based syslog traffic. Set to `0.0.0.0` to bind to all available interfaces. 
- multi: false - required: true - show_user: true - default: localhost - - name: syslog_port - type: integer - title: Syslog Port - description: The UDP port to listen for syslog traffic. - multi: false - required: true - show_user: true - default: 9003 - - name: decode_cef_timezone - type: text - title: CEF Timezone - multi: false - required: false - show_user: false - description: IANA time zone or time offset (e.g. `+0200`) to use when interpreting timestamps without a time zone in the CEF message. - - name: tags - type: text - title: Tags - description: A list of tags to include in events. Including `forwarded` indicates that the events did not originate on this host and causes `host.name` to not be added to events. - multi: true - required: true - show_user: false - default: - - cef - - forwarded - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original` - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: >- - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. diff --git a/packages/cef/2.3.3/data_stream/log/sample_event.json b/packages/cef/2.3.3/data_stream/log/sample_event.json deleted file mode 100755 index aa4da19638..0000000000 --- a/packages/cef/2.3.3/data_stream/log/sample_event.json +++ /dev/null 
@@ -1,122 +0,0 @@
-{
- "@timestamp": "2022-06-03T01:39:47.734Z",
- "agent": {
- "ephemeral_id": "167ce484-a1a1-4fac-aaff-607b859e3ddf",
- "id": "69f5d3be-c31a-4be6-adb6-cb3ed3e50817",
- "name": "docker-fleet-agent",
- "type": "filebeat",
- "version": "8.2.0"
- },
- "cef": {
- "device": {
- "event_class_id": "18",
- "product": "Vaporware",
- "vendor": "Elastic",
- "version": "1.0.0-alpha"
- },
- "extensions": {
- "destinationAddress": "192.168.10.1",
- "destinationPort": 443,
- "eventId": 3457,
- "requestContext": "https://www.google.com",
- "requestMethod": "POST",
- "requestUrl": "https://www.example.com/cart",
- "sourceAddress": "89.160.20.156",
- "sourceGeoLatitude": 38.915,
- "sourceGeoLongitude": -77.511,
- "sourcePort": 33876,
- "sourceServiceName": "httpd",
- "transportProtocol": "TCP"
- },
- "name": "Web request",
- "severity": "low",
- "version": "0"
- },
- "data_stream": {
- "dataset": "cef.log",
- "namespace": "ep",
- "type": "logs"
- },
- "destination": {
- "ip": "192.168.10.1",
- "port": 443
- },
- "ecs": {
- "version": "8.3.0"
- },
- "elastic_agent": {
- "id": "69f5d3be-c31a-4be6-adb6-cb3ed3e50817",
- "snapshot": false,
- "version": "8.2.0"
- },
- "event": {
- "agent_id_status": "verified",
- "code": "18",
- "dataset": "cef.log",
- "id": "3457",
- "ingested": "2022-06-03T01:39:48Z",
- "severity": 0
- },
- "http": {
- "request": {
- "method": "POST",
- "referrer": "https://www.google.com"
- }
- },
- "input": {
- "type": "udp"
- },
- "log": {
- "source": {
- "address": "192.168.112.4:35889"
- }
- },
- "message": "Web request",
- "network": {
- "community_id": "1:UgazGyZMuRDtuImGjF+6GveZFw0=",
- "transport": "tcp"
- },
- "observer": {
- "product": "Vaporware",
- "vendor": "Elastic",
- "version": "1.0.0-alpha"
- },
- "related": {
- "ip": [
- "192.168.10.1",
- "89.160.20.156"
- ]
- },
- "source": {
- "as": {
- "number": 29518,
- "organization": {
- "name": "Bredband2 AB"
- }
- },
- "geo": {
- "city_name": "Linköping",
- "continent_name": "Europe",
- "country_iso_code": "SE",
- "country_name": "Sweden",
- "location": {
- "lat": 58.4167,
- "lon": 15.6167
- },
- "region_iso_code": "SE-E",
- "region_name": "Östergötland County"
- },
- "ip": "89.160.20.156",
- "port": 33876,
- "service": {
- "name": "httpd"
- }
- },
- "tags": [
- "cef",
- "forwarded"
- ],
- "url": {
- "original": "https://www.example.com/cart"
- }
-}
\ No newline at end of file
diff --git a/packages/cef/2.3.3/docs/README.md b/packages/cef/2.3.3/docs/README.md
deleted file mode 100755
index 537e54c938..0000000000
--- a/packages/cef/2.3.3/docs/README.md
+++ /dev/null
@@ -1,617 +0,0 @@ -# Common Event Format (CEF) Integration - -This is an integration for parsing Common Event Format (CEF) data. It can accept -data over syslog or read it from a file. - -CEF data is a format like - -`CEF:0|Elastic|Vaporware|1.0.0-alpha|18|Web request|low|eventId=3457 msg=hello` - -When syslog is used as the transport the CEF data becomes the message that is -contained in the syslog envelope. This integration will parse the syslog -timestamp if it is present. Depending on the syslog RFC used the message will -have a format like one of these: - -`<189> Jun 18 10:55:50 host CEF:0|Elastic|Vaporware|1.0.0-alpha|18|Web request|low|eventId=3457 msg=hello` - -`<189>1 2021-06-18T10:55:50.000003Z host app - - - CEF:0|Elastic|Vaporware|1.0.0-alpha|18|Web request|low|eventId=3457 msg=hello` - -In both cases the integration will use the syslog timestamp as the `@timestamp` -unless the CEF data contains a device receipt timestamp. - -The Elastic Agent's `decode_cef` processor is applied to parse the CEF encoded -data. The decoded data is written into a `cef` object field. Lastly any Elastic -Common Schema (ECS) fields that can be populated with the CEF data are -populated. - -## Compatibility - -### Forcepoint NGFW Security Management Center - -This module will process CEF data from Forcepoint NGFW Security Management -Center (SMC). In the SMC configure the logs to be forwarded to the address set -in `var.syslog_host` in format CEF and service UDP on `var.syslog_port`. -Instructions can be found in [KB -15002](https://support.forcepoint.com/KBArticle?id=000015002) for configuring -the SMC. - -Testing was done with CEF logs from SMC version 6.6.1 and custom string mappings -were taken from 'CEF Connector Configuration Guide' dated December 5, 2011. 
- -### Check Point devices - -This module will parse CEF data from Check Point devices as documented in [Log -Exporter CEF Field -Mappings](https://community.checkpoint.com/t5/Logging-and-Reporting/Log-Exporter-CEF-Field-Mappings/td-p/41060). - -Check Point CEF extensions are mapped as follows: - - -| CEF Extension | CEF Label value | ECS Fields | Non-ECS Field | -|----------------------------|-----------------------------|--------------------------|--------------------------------| -| cp_app_risk | - | event.risk_score | checkpoint.app_risk | -| cp_severity | - | event.severity | checkpoint.severity | -| baseEventCount | - | - | checkpoint.event_count | -| deviceExternalId | - | observer.type | - | -| deviceFacility | - | observer.type | - | -| deviceInboundInterface | - | observer.ingress.interface.name | - | -| deviceOutboundInterface | - | observer.egress.interface.name | - | -| externalId | - | - | checkpoint.uuid | -| fileHash | - | file.hash.\{md5,sha1\} | - | -| reason | - | - | checkpoint.termination_reason | -| requestCookies | - | - | checkpoint.cookie | -| sourceNtDomain | - | dns.question.name | - | -| Signature | - | vulnerability.id | - | -| Recipient | - | email.to.address | - | -| Sender | - | email.from.address | - | -| deviceCustomFloatingPoint1 | update version | observer.version | - | -| deviceCustomIPv6Address2 | source ipv6 address | source.ip | - | -| deviceCustomIPv6Address3 | destination ipv6 address | destination.ip | - | -| deviceCustomNumber1 | elapsed time in seconds | event.duration | - | -| deviceCustomNumber1 | email recipients number | - | checkpoint.email_recipients_num | -| deviceCustomNumber1 | payload | network.bytes | - | -| deviceCustomNumber2 | icmp type | - | checkpoint.icmp_type | -| deviceCustomNumber2 | duration in seconds | event.duration | - | -| deviceCustomNumber3 | icmp code | - | checkpoint.icmp_code | -| deviceCustomString1 | connectivity state | - | checkpoint.connectivity_state | -| deviceCustomString1 | 
application rule name | rule.name | - | -| deviceCustomString1 | threat prevention rule name | rule.name | - | -| deviceCustomString1 | voip log type | - | checkpoint.voip_log_type | -| deviceCustomString1 | dlp rule name | rule.name | - | -| deviceCustomString1 | email id | - | checkpoint.email_id | -| deviceCustomString2 | category | - | checkpoint.category | -| deviceCustomString2 | email subject | email.subject | checkpoint.email_subject | -| deviceCustomString2 | sensor mode | - | checkpoint.sensor_mode | -| deviceCustomString2 | protection id | - | checkpoint.protection_id | -| deviceCustomString2 | scan invoke type | - | checkpoint.integrity_av_invoke_type | -| deviceCustomString2 | update status | - | checkpoint.update_status | -| deviceCustomString2 | peer gateway | - | checkpoint.peer_gateway | -| deviceCustomString2 | categories | rule.category | - | -| deviceCustomString6 | application name | network.application | - | -| deviceCustomString6 | virus name | - | checkpoint.virus_name | -| deviceCustomString6 | malware name | - | checkpoint.spyware_name | -| deviceCustomString6 | malware family | - | checkpoint.malware_family | -| deviceCustomString3 | user group | group.name | - | -| deviceCustomString3 | incident extension | - | checkpoint.incident_extension | -| deviceCustomString3 | protection type | - | checkpoint.protection_type | -| deviceCustomString3 | email spool id | - | checkpoint.email_spool_id | -| deviceCustomString3 | identity type | - | checkpoint.identity_type | -| deviceCustomString4 | malware status | - | checkpoint.spyware_status | -| deviceCustomString4 | threat prevention rule id | rule.id | - | -| deviceCustomString4 | scan result | - | checkpoint.scan_result | -| deviceCustomString4 | tcp flags | - | checkpoint.tcp_flags | -| deviceCustomString4 | destination os | os.name | - | -| deviceCustomString4 | protection name | - | checkpoint.protection_name | -| deviceCustomString4 | email control | - | checkpoint.email_control | -| 
deviceCustomString4 | frequency | - | checkpoint.frequency | -| deviceCustomString4 | user response | - | checkpoint.user_status | -| deviceCustomString5 | matched category | rule.category | - | -| deviceCustomString5 | vlan id | network.vlan.id | - | -| deviceCustomString5 | authentication method | - | checkpoint.auth_method | -| deviceCustomString5 | email session id | email.message_id | checkpoint.email_session_id | -| deviceCustomDate2 | subscription expiration | - | checkpoint.subs_exp | -| deviceFlexNumber1 | confidence | - | checkpoint.confidence_level | -| deviceFlexNumber2 | performance impact | - | checkpoint.performance_impact | -| deviceFlexNumber2 | destination phone number | - | checkpoint.dst_phone_number | -| flexString1 | application signature id | - | checkpoint.app_sig_id | -| flexString2 | malware action | rule.description | - | -| flexString2 | attack information | event.action | - | -| rule_uid | - | rule.uuid | - | -| ifname | - | observer.ingress.interface.name | - | -| inzone | - | observer.ingress.zone | - | -| outzone | - | observer.egress.zone | - | -| product | - | observer.product | - | - -## Logs - -### CEF log - -This is the CEF `log` dataset. 
- -An example event for `log` looks as following: - -```json -{ - "@timestamp": "2022-06-03T01:39:47.734Z", - "agent": { - "ephemeral_id": "167ce484-a1a1-4fac-aaff-607b859e3ddf", - "id": "69f5d3be-c31a-4be6-adb6-cb3ed3e50817", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "8.2.0" - }, - "cef": { - "device": { - "event_class_id": "18", - "product": "Vaporware", - "vendor": "Elastic", - "version": "1.0.0-alpha" - }, - "extensions": { - "destinationAddress": "192.168.10.1", - "destinationPort": 443, - "eventId": 3457, - "requestContext": "https://www.google.com", - "requestMethod": "POST", - "requestUrl": "https://www.example.com/cart", - "sourceAddress": "89.160.20.156", - "sourceGeoLatitude": 38.915, - "sourceGeoLongitude": -77.511, - "sourcePort": 33876, - "sourceServiceName": "httpd", - "transportProtocol": "TCP" - }, - "name": "Web request", - "severity": "low", - "version": "0" - }, - "data_stream": { - "dataset": "cef.log", - "namespace": "ep", - "type": "logs" - }, - "destination": { - "ip": "192.168.10.1", - "port": 443 - }, - "ecs": { - "version": "8.3.0" - }, - "elastic_agent": { - "id": "69f5d3be-c31a-4be6-adb6-cb3ed3e50817", - "snapshot": false, - "version": "8.2.0" - }, - "event": { - "agent_id_status": "verified", - "code": "18", - "dataset": "cef.log", - "id": "3457", - "ingested": "2022-06-03T01:39:48Z", - "severity": 0 - }, - "http": { - "request": { - "method": "POST", - "referrer": "https://www.google.com" - } - }, - "input": { - "type": "udp" - }, - "log": { - "source": { - "address": "192.168.112.4:35889" - } - }, - "message": "Web request", - "network": { - "community_id": "1:UgazGyZMuRDtuImGjF+6GveZFw0=", - "transport": "tcp" - }, - "observer": { - "product": "Vaporware", - "vendor": "Elastic", - "version": "1.0.0-alpha" - }, - "related": { - "ip": [ - "192.168.10.1", - "89.160.20.156" - ] - }, - "source": { - "as": { - "number": 29518, - "organization": { - "name": "Bredband2 AB" - } - }, - "geo": { - "city_name": 
"Linköping", - "continent_name": "Europe", - "country_iso_code": "SE", - "country_name": "Sweden", - "location": { - "lat": 58.4167, - "lon": 15.6167 - }, - "region_iso_code": "SE-E", - "region_name": "Östergötland County" - }, - "ip": "89.160.20.156", - "port": 33876, - "service": { - "name": "httpd" - } - }, - "tags": [ - "cef", - "forwarded" - ], - "url": { - "original": "https://www.example.com/cart" - } -} -``` - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cef.device.event_class_id | Unique identifier of the event type. | keyword | -| cef.device.product | Product of the device that produced the message. | keyword | -| cef.device.vendor | Vendor of the device that produced the message. | keyword | -| cef.device.version | Version of the product that produced the message. | keyword | -| cef.extensions.TrendMicroDsDetectionConfidence | | keyword | -| cef.extensions.TrendMicroDsFileMD5 | | keyword | -| cef.extensions.TrendMicroDsFileSHA1 | | keyword | -| cef.extensions.TrendMicroDsFileSHA256 | | keyword | -| cef.extensions.TrendMicroDsFrameType | | keyword | -| cef.extensions.TrendMicroDsMalwareTarget | | keyword | -| cef.extensions.TrendMicroDsMalwareTargetType | | keyword | -| cef.extensions.TrendMicroDsPacketData | | keyword | -| cef.extensions.TrendMicroDsRelevantDetectionNames | | keyword | -| cef.extensions.TrendMicroDsTenant | | keyword | -| cef.extensions.TrendMicroDsTenantId | | keyword | -| cef.extensions.ad | | flattened | -| cef.extensions.agentAddress | The IP address of the ArcSight connector that processed the event. | ip | -| cef.extensions.agentHostName | The hostname of the ArcSight connector that processed the event. | keyword | -| cef.extensions.agentId | The agent ID of the ArcSight connector that processed the event. | keyword | -| cef.extensions.agentMacAddress | The MAC address of the ArcSight connector that processed the event. 
| keyword | -| cef.extensions.agentReceiptTime | The time at which information about the event was received by the ArcSight connector. | date | -| cef.extensions.agentTimeZone | The agent time zone of the ArcSight connector that processed the event. | keyword | -| cef.extensions.agentType | The agent type of the ArcSight connector that processed the event. | keyword | -| cef.extensions.agentVersion | The version of the ArcSight connector that processed the event. | keyword | -| cef.extensions.agentZoneURI | | keyword | -| cef.extensions.aggregationType | | keyword | -| cef.extensions.applicationProtocol | Application level protocol, example values are HTTP, HTTPS, SSHv2, Telnet, POP, IMPA, IMAPS, and so on. | keyword | -| cef.extensions.assetCriticality | | keyword | -| cef.extensions.baseEventCount | A count associated with this event. How many times was this same event observed? Count can be omitted if it is 1. | long | -| cef.extensions.bytesIn | Number of bytes transferred inbound, relative to the source to destination relationship, meaning that data was flowing from source to destination. | long | -| cef.extensions.bytesOut | Number of bytes transferred outbound relative to the source to destination relationship. For example, the byte number of data flowing from the destination to the source. | long | -| cef.extensions.categoryBehavior | Action or a behavior associated with an event. It's what is being done to the object (ArcSight). | keyword | -| cef.extensions.categoryDeviceGroup | General device group like Firewall (ArcSight). | keyword | -| cef.extensions.categoryDeviceType | Device type. Examples - Proxy, IDS, Web Server (ArcSight). | keyword | -| cef.extensions.categoryObject | Object that the event is about. For example it can be an operating sytem, database, file, etc (ArcSight). | keyword | -| cef.extensions.categoryOutcome | Outcome of the event (e.g. sucess, failure, or attempt) (ArcSight). 
| keyword | -| cef.extensions.categorySignificance | Characterization of the importance of the event (ArcSight). | keyword | -| cef.extensions.categoryTechnique | Technique being used (e.g. /DoS) (ArcSight). | keyword | -| cef.extensions.cp_app_risk | | keyword | -| cef.extensions.cp_severity | | keyword | -| cef.extensions.destinationAddress | Identifies the destination address that the event refers to in an IP network. The format is an IPv4 address. | ip | -| cef.extensions.destinationHostName | Identifies the destination that an event refers to in an IP network. The format should be a fully qualified domain name (FQDN) associated with the destination node, when a node is available. | keyword | -| cef.extensions.destinationMacAddress | Six colon-separated hexadecimal numbers. | keyword | -| cef.extensions.destinationNtDomain | Outcome of the event (e.g. sucess, failure, or attempt) (ArcSight). | keyword | -| cef.extensions.destinationPort | The valid port numbers are between 0 and 65535. | long | -| cef.extensions.destinationServiceName | The service targeted by this event. | keyword | -| cef.extensions.destinationTranslatedAddress | Identifies the translated destination that the event refers to in an IP network. | ip | -| cef.extensions.destinationTranslatedPort | Port after it was translated; for example, a firewall. Valid port numbers are 0 to 65535. | long | -| cef.extensions.destinationUserName | Identifies the destination user by name. This is the user associated with the event's destination. Email addresses are often mapped into the UserName fields. The recipient is a candidate to put into this field. | keyword | -| cef.extensions.destinationUserPrivileges | The typical values are "Administrator", "User", and "Guest". This identifies the destination user's privileges. In UNIX, for example, activity executed on the root user would be identified with destinationUser Privileges of "Administrator". 
| keyword | -| cef.extensions.deviceAction | Action taken by the device. | keyword | -| cef.extensions.deviceAddress | Identifies the device address that an event refers to in an IP network. | ip | -| cef.extensions.deviceAssetId | | keyword | -| cef.extensions.deviceCustomDate2 | One of two timestamp fields available to map fields that do not apply to any other in this dictionary. | keyword | -| cef.extensions.deviceCustomDate2Label | All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. | keyword | -| cef.extensions.deviceCustomIPv6Address1 | One of four IPv6 address fields available to map fields that do not apply to any other in this dictionary. | ip | -| cef.extensions.deviceCustomIPv6Address1Label | All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. | keyword | -| cef.extensions.deviceCustomIPv6Address2 | One of four IPv6 address fields available to map fields that do not apply to any other in this dictionary. | ip | -| cef.extensions.deviceCustomIPv6Address2Label | All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. | keyword | -| cef.extensions.deviceCustomIPv6Address3 | One of four IPv6 address fields available to map fields that do not apply to any other in this dictionary. | ip | -| cef.extensions.deviceCustomIPv6Address3Label | All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. | keyword | -| cef.extensions.deviceCustomIPv6Address4 | One of four IPv6 address fields available to map fields that do not apply to any other in this dictionary. | ip | -| cef.extensions.deviceCustomIPv6Address4Label | All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. 
| keyword | -| cef.extensions.deviceCustomNumber1 | One of three number fields available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible. | long | -| cef.extensions.deviceCustomNumber1Label | All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. | keyword | -| cef.extensions.deviceCustomNumber2 | One of three number fields available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible. | long | -| cef.extensions.deviceCustomNumber2Label | All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. | keyword | -| cef.extensions.deviceCustomNumber3 | One of three number fields available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible. | long | -| cef.extensions.deviceCustomNumber3Label | All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. | keyword | -| cef.extensions.deviceCustomString1 | One of six strings available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible. | keyword | -| cef.extensions.deviceCustomString1Label | All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. | keyword | -| cef.extensions.deviceCustomString2 | One of six strings available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible. 
| keyword | -| cef.extensions.deviceCustomString2Label | All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. | keyword | -| cef.extensions.deviceCustomString3 | One of six strings available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible. | keyword | -| cef.extensions.deviceCustomString3Label | All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. | keyword | -| cef.extensions.deviceCustomString4 | One of six strings available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible. | keyword | -| cef.extensions.deviceCustomString4Label | All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. | keyword | -| cef.extensions.deviceCustomString5 | One of six strings available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible. | keyword | -| cef.extensions.deviceCustomString5Label | All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. | keyword | -| cef.extensions.deviceCustomString6 | One of six strings available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible. | keyword | -| cef.extensions.deviceCustomString6Label | All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. | keyword | -| cef.extensions.deviceDirection | Any information about what direction the observed communication has taken. 
The following values are supported - "0" for inbound or "1" for outbound. | long | -| cef.extensions.deviceEventCategory | Represents the category assigned by the originating device. Devices often use their own categorization schema to classify event. Example "/Monitor/Disk/Read". | keyword | -| cef.extensions.deviceExternalId | A name that uniquely identifies the device generating this event. | keyword | -| cef.extensions.deviceFacility | The facility generating this event. For example, Syslog has an explicit facility associated with every event. | keyword | -| cef.extensions.deviceHostName | The format should be a fully qualified domain name (FQDN) associated with the device node, when a node is available. | keyword | -| cef.extensions.deviceInboundInterface | Interface on which the packet or data entered the device. | keyword | -| cef.extensions.deviceOutboundInterface | Interface on which the packet or data left the device. | keyword | -| cef.extensions.deviceProcessName | Process name associated with the event. An example might be the process generating the syslog entry in UNIX. | keyword | -| cef.extensions.deviceReceiptTime | The time at which the event related to the activity was received. The format is MMM dd yyyy HH:mm:ss or milliseconds since epoch (Jan 1st 1970) | keyword | -| cef.extensions.deviceSeverity | | keyword | -| cef.extensions.deviceTimeZone | The time zone for the device generating the event. | keyword | -| cef.extensions.deviceZoneID | | keyword | -| cef.extensions.deviceZoneURI | Thee URI for the Zone that the device asset has been assigned to in ArcSight. | keyword | -| cef.extensions.dvc | This field is used by Trend Micro if the hostname is an IPv4 address. | ip | -| cef.extensions.dvchost | This field is used by Trend Micro for hostnames and IPv6 addresses. 
| keyword | -| cef.extensions.eventAnnotationAuditTrail | | keyword | -| cef.extensions.eventAnnotationEndTime | | date | -| cef.extensions.eventAnnotationFlags | | keyword | -| cef.extensions.eventAnnotationManagerReceiptTime | | date | -| cef.extensions.eventAnnotationModificationTime | | date | -| cef.extensions.eventAnnotationStageUpdateTime | | date | -| cef.extensions.eventAnnotationVersion | | keyword | -| cef.extensions.eventId | This is a unique ID that ArcSight assigns to each event. | long | -| cef.extensions.fileHash | Hash of a file. | keyword | -| cef.extensions.filePath | Full path to the file, including file name itself. | keyword | -| cef.extensions.fileSize | Size of the file. | long | -| cef.extensions.fileType | Type of file (pipe, socket, etc.) | keyword | -| cef.extensions.filename | Name of the file only (without its path). | keyword | -| cef.extensions.ifname | | keyword | -| cef.extensions.inzone | | keyword | -| cef.extensions.layer_name | | keyword | -| cef.extensions.layer_uuid | | keyword | -| cef.extensions.locality | | keyword | -| cef.extensions.logid | | keyword | -| cef.extensions.loguid | | keyword | -| cef.extensions.managerReceiptTime | When the Arcsight ESM received the event. | date | -| cef.extensions.match_id | | keyword | -| cef.extensions.message | An arbitrary message giving more details about the event. Multi-line entries can be produced by using \n as the new line separator. | keyword | -| cef.extensions.method | HTTP request method. The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field. | keyword | -| cef.extensions.modelConfidence | | keyword | -| cef.extensions.nat_addtnl_rulenum | | keyword | -| cef.extensions.nat_rulenum | | keyword | -| cef.extensions.oldFileHash | Hash of the old file. 
| keyword | -| cef.extensions.origin | | keyword | -| cef.extensions.originalAgentAddress | | keyword | -| cef.extensions.originalAgentHostName | | keyword | -| cef.extensions.originalAgentId | | keyword | -| cef.extensions.originalAgentType | | keyword | -| cef.extensions.originalAgentVersion | | keyword | -| cef.extensions.originalAgentZoneURI | | keyword | -| cef.extensions.originsicname | | keyword | -| cef.extensions.outzone | | keyword | -| cef.extensions.parent_rule | | keyword | -| cef.extensions.priority | | keyword | -| cef.extensions.product | | keyword | -| cef.extensions.relevance | | keyword | -| cef.extensions.repeatCount | | keyword | -| cef.extensions.requestContext | Description of the content from which the request originated (for example, HTTP Referrer). | keyword | -| cef.extensions.requestMethod | The HTTP method used to access a URL. | keyword | -| cef.extensions.requestUrl | In the case of an HTTP request, this field contains the URL accessed. The URL should contain the protocol as well. | keyword | -| cef.extensions.requestUrlFileName | | keyword | -| cef.extensions.rule_action | | keyword | -| cef.extensions.rule_uid | | keyword | -| cef.extensions.sequencenum | | keyword | -| cef.extensions.service_id | | keyword | -| cef.extensions.severity | | keyword | -| cef.extensions.sourceAddress | Identifies the source that an event refers to in an IP network. | ip | -| cef.extensions.sourceGeoLatitude | | long | -| cef.extensions.sourceGeoLongitude | | long | -| cef.extensions.sourceHostName | Identifies the source that an event refers to in an IP network. The format should be a fully qualified domain name (FQDN) associated with the source node, when a mode is available. | keyword | -| cef.extensions.sourceMacAddress | Six colon-separated hexadecimal numbers. | keyword | -| cef.extensions.sourceNtDomain | The Windows domain name for the source address. | keyword | -| cef.extensions.sourcePort | The valid port numbers are 0 to 65535. 
| long | -| cef.extensions.sourceServiceName | The service that is responsible for generating this event. | keyword | -| cef.extensions.sourceTranslatedAddress | Identifies the translated source that the event refers to in an IP network. | ip | -| cef.extensions.sourceTranslatedPort | A port number after being translated by, for example, a firewall. Valid port numbers are 0 to 65535. | long | -| cef.extensions.sourceTranslatedZoneID | | keyword | -| cef.extensions.sourceTranslatedZoneURI | The URI for the Translated Zone that the destination asset has been assigned to in ArcSight. | keyword | -| cef.extensions.sourceUserId | Identifies the source user by ID. This is the user associated with the source of the event. For example, in UNIX, the root user is generally associated with user ID 0. | keyword | -| cef.extensions.sourceUserName | Identifies the source user by name. Email addresses are also mapped into the UserName fields. The sender is a candidate to put into this field. | keyword | -| cef.extensions.sourceUserPrivileges | The typical values are "Administrator", "User", and "Guest". It identifies the source user's privileges. In UNIX, for example, activity executed by the root user would be identified with "Administrator". | keyword | -| cef.extensions.sourceZoneID | Identifies the source user by ID. This is the user associated with the source of the event. For example, in UNIX, the root user is generally associated with user ID 0. | keyword | -| cef.extensions.sourceZoneURI | The URI for the Zone that the source asset has been assigned to in ArcSight. | keyword | -| cef.extensions.startTime | The time when the activity the event referred to started. The format is MMM dd yyyy HH:mm:ss or milliseconds since epoch (Jan 1st 1970). | date | -| cef.extensions.target | | keyword | -| cef.extensions.transportProtocol | Identifies the Layer-4 protocol used. The possible values are protocols such as TCP or UDP. 
| keyword | -| cef.extensions.type | 0 means base event, 1 means aggregated, 2 means correlation, and 3 means action. This field can be omitted for base events (type 0). | long | -| cef.extensions.version | | keyword | -| cef.forcepoint.virus_id | Virus ID | keyword | -| cef.name | | keyword | -| cef.severity | | keyword | -| cef.version | | keyword | -| checkpoint.app_risk | Application risk. | keyword | -| checkpoint.app_severity | Application threat severity. | keyword | -| checkpoint.app_sig_id | The signature ID which the application was detected by. | keyword | -| checkpoint.auth_method | Password authentication protocol used. | keyword | -| checkpoint.category | Category. | keyword | -| checkpoint.confidence_level | Confidence level determined. | integer | -| checkpoint.connectivity_state | Connectivity state. | keyword | -| checkpoint.cookie | IKE cookie. | keyword | -| checkpoint.dst_phone_number | Destination IP-Phone. | keyword | -| checkpoint.email_control | Engine name. | keyword | -| checkpoint.email_id | Internal email ID. | keyword | -| checkpoint.email_recipients_num | Number of recipients. | long | -| checkpoint.email_session_id | Internal email session ID. | keyword | -| checkpoint.email_spool_id | Internal email spool ID. | keyword | -| checkpoint.email_subject | Email subject. | keyword | -| checkpoint.event_count | Number of events associated with the log. | long | -| checkpoint.frequency | Scan frequency. | keyword | -| checkpoint.icmp_code | ICMP code. | long | -| checkpoint.icmp_type | ICMP type. | long | -| checkpoint.identity_type | Identity type. | keyword | -| checkpoint.incident_extension | Format of original data. | keyword | -| checkpoint.integrity_av_invoke_type | Scan invoke type. | keyword | -| checkpoint.malware_family | Malware family. | keyword | -| checkpoint.peer_gateway | Main IP of the peer Security Gateway. | ip | -| checkpoint.performance_impact | Protection performance impact. 
| integer | -| checkpoint.protection_id | Protection malware ID. | keyword | -| checkpoint.protection_name | Specific signature name of the attack. | keyword | -| checkpoint.protection_type | Type of protection used to detect the attack. | keyword | -| checkpoint.scan_result | Scan result. | keyword | -| checkpoint.sensor_mode | Sensor mode. | keyword | -| checkpoint.severity | Threat severity. | keyword | -| checkpoint.spyware_name | Spyware name. | keyword | -| checkpoint.spyware_status | Spyware status. | keyword | -| checkpoint.subs_exp | The expiration date of the subscription. | date | -| checkpoint.tcp_flags | TCP packet flags. | keyword | -| checkpoint.termination_reason | Termination reason. | keyword | -| checkpoint.update_status | Update status. | keyword | -| checkpoint.user_status | User response. | keyword | -| checkpoint.uuid | External ID. | keyword | -| checkpoint.virus_name | Virus name. | keyword | -| checkpoint.voip_log_type | VoIP log types. | keyword | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. 
| object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| destination.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| destination.as.organization.name | Organization name. | keyword | -| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. | match_only_text | -| destination.bytes | Bytes sent from the destination to the source. | long | -| destination.domain | The domain name of the destination system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | -| destination.geo.city_name | City name. | keyword | -| destination.geo.continent_name | Name of the continent. | keyword | -| destination.geo.country_iso_code | Country ISO code. | keyword | -| destination.geo.country_name | Country name. | keyword | -| destination.geo.location | Longitude and latitude. | geo_point | -| destination.geo.region_iso_code | Region ISO code. | keyword | -| destination.geo.region_name | Region name. | keyword | -| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | -| destination.mac | MAC address of the destination. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | -| destination.nat.ip | Translated ip of destination based NAT sessions (e.g. internet to private DMZ) Typically used with load balancers, firewalls, or routers. 
| ip | -| destination.nat.port | Port the source session is translated to by NAT Device. Typically used with load balancers, firewalls, or routers. | long | -| destination.port | Port of the destination. | long | -| destination.service.name | | keyword | -| destination.user.group.id | Unique identifier for the group on the system/platform. | keyword | -| destination.user.group.name | Name of the group. | keyword | -| destination.user.id | Unique identifier of the user. | keyword | -| destination.user.name | Short name or login of the user. | keyword | -| destination.user.name.text | Multi-field of `destination.user.name`. | match_only_text | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| email.from.address | The email address of the sender, typically from the RFC 5322 `From:` header field. | keyword | -| email.subject | A brief summary of the topic of the message. | keyword | -| email.subject.text | Multi-field of `email.subject`. | match_only_text | -| email.to.address | The email address of recipient | keyword | -| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. 
This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.code | Identification code for this event, if one exists. Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. | keyword | -| event.dataset | Event dataset | constant_keyword | -| event.duration | Duration of the event in nanoseconds. If event.start and event.end are known this value should be the difference between the end and start time. | long | -| event.id | Unique ID to describe the event. | keyword | -| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | -| event.module | Event module | constant_keyword | -| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. 
It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | -| event.risk_score | Risk score or priority of the event (e.g. security solutions). Use your system's original value here. | float | -| event.severity | The numeric severity of the event according to your event source. What the different severity values mean can be different between sources and use cases. It's up to the implementer to make sure severities are consistent across events from the same source. The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`. | long | -| file.group | Primary group name of the file. | keyword | -| file.hash.md5 | MD5 hash. | keyword | -| file.hash.sha1 | SHA1 hash. | keyword | -| file.inode | Inode representing the file in the filesystem. | keyword | -| file.name | Name of the file including the extension, without the directory. | keyword | -| file.path | Full path to the file, including the file name. It should include the drive letter, when appropriate. | keyword | -| file.path.text | Multi-field of `file.path`. | match_only_text | -| file.size | File size in bytes. Only relevant when `file.type` is "file". | long | -| file.type | File type (file, dir, or symlink). | keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. 
It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| http.request.method | HTTP request method. The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field. | keyword | -| http.request.referrer | Referrer for this HTTP request. | keyword | -| input.type | Input type | keyword | -| log.file.path | Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. 
| keyword | -| log.offset | Log offset | long | -| log.source.address | Source address from which the log event was read / sent from. | keyword | -| log.syslog.priority | Syslog numeric priority of the event, if available. According to RFCs 5424 and 3164, the priority is 8 \* facility + severity. This number is therefore expected to contain a value between 0 and 191. | long | -| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | -| network.application | When a specific application or service is identified from network connection details (source/dest IPs, ports, certificates, or wire format), this field captures the application's or service's name. For example, the original event identifies the network connection being from a specific web service in a `https` network connection, like `facebook` or `twitter`. The field value must be normalized to lowercase for querying. | keyword | -| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword | -| network.direction | Direction of the network traffic. When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. 
Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword | -| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword | -| observer.egress.zone | Network zone of outbound traffic as reported by the observer to categorize the destination area of egress traffic, e.g. Internal, External, DMZ, HR, Legal, etc. | keyword | -| observer.hostname | Hostname of the observer. | keyword | -| observer.ingress.interface.name | Interface name as reported by the system. | keyword | -| observer.ingress.zone | Network zone of incoming traffic as reported by the observer to categorize the source area of ingress traffic. e.g. internal, External, DMZ, HR, Legal, etc. | keyword | -| observer.ip | IP addresses of the observer. | ip | -| observer.product | The product name of the observer. | keyword | -| observer.type | The type of the observer the data is coming from. There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. | keyword | -| observer.vendor | Vendor name of the observer. | keyword | -| observer.version | Observer version. | keyword | -| process.name | Process name. Sometimes called program name or similar. | keyword | -| process.name.text | Multi-field of `process.name`. | match_only_text | -| related.hash | All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). | keyword | -| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. 
| keyword | -| related.ip | All of the IPs seen on your event. | ip | -| related.user | All the user names or other user identifiers seen on the event. | keyword | -| rule.category | A categorization value keyword used by the entity using the rule for detection of this event. | keyword | -| rule.id | A rule ID that is unique within the scope of an agent, observer, or other entity using the rule for detection of this event. | keyword | -| rule.uuid | A rule ID that is unique within the scope of a set or group of agents, observers, or other entities using the rule for detection of this event. | keyword | -| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| source.as.organization.name | Organization name. | keyword | -| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text | -| source.bytes | Bytes sent from the source to the destination. | long | -| source.domain | The domain name of the source system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | -| source.geo.city_name | City name. | keyword | -| source.geo.continent_name | Name of the continent. | keyword | -| source.geo.country_iso_code | Country ISO code. | keyword | -| source.geo.country_name | Country name. | keyword | -| source.geo.location | Longitude and latitude. | geo_point | -| source.geo.region_iso_code | Region ISO code. | keyword | -| source.geo.region_name | Region name. | keyword | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| source.mac | MAC address of the source. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. 
Successive octets are separated by a hyphen. | keyword | -| source.nat.ip | Translated ip of source based NAT sessions (e.g. internal client to internet) Typically connections traversing load balancers, firewalls, or routers. | ip | -| source.nat.port | Translated port of source based NAT sessions. (e.g. internal client to internet) Typically used with load balancers, firewalls, or routers. | long | -| source.port | Port of the source. | long | -| source.service.name | | keyword | -| source.user.group.id | Unique identifier for the group on the system/platform. | keyword | -| source.user.group.name | Name of the group. | keyword | -| source.user.id | Unique identifier of the user. | keyword | -| source.user.name | Short name or login of the user. | keyword | -| source.user.name.text | Multi-field of `source.user.name`. | match_only_text | -| tags | List of keywords used to tag each event. | keyword | -| url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | wildcard | -| url.original.text | Multi-field of `url.original`. | match_only_text | -| user_agent.original | Unparsed user_agent string. | keyword | -| user_agent.original.text | Multi-field of `user_agent.original`. | match_only_text | - diff --git a/packages/cef/2.3.3/kibana/dashboard/cef-04749697-de8d-49b3-8eca-c873ab2c5ac9.json b/packages/cef/2.3.3/kibana/dashboard/cef-04749697-de8d-49b3-8eca-c873ab2c5ac9.json deleted file mode 100755 index 13b12cde8e..0000000000 --- a/packages/cef/2.3.3/kibana/dashboard/cef-04749697-de8d-49b3-8eca-c873ab2c5ac9.json +++ /dev/null 
@@ -1,84 +0,0 @@ -{ - "attributes": { - "description": "Suspicious network activity overview", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:cef.log\"},\"version\":true}" - }, - "optionsJSON": "{\"darkTheme\":false}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"colors\":{\"Destination Addresses\":\"#E0752D\",\"Destination Ports\":\"#E24D42\"},\"legendOpen\":false}},\"gridData\":{\"h\":12,\"i\":\"1\",\"w\":48,\"x\":0,\"y\":28},\"panelIndex\":\"1\",\"panelRefName\":\"panel_1\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"h\":12,\"i\":\"2\",\"w\":16,\"x\":0,\"y\":40},\"panelIndex\":\"2\",\"panelRefName\":\"panel_2\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"h\":12,\"i\":\"3\",\"w\":16,\"x\":16,\"y\":40},\"panelIndex\":\"3\",\"panelRefName\":\"panel_3\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"5\",\"w\":48,\"x\":0,\"y\":20},\"panelIndex\":\"5\",\"panelRefName\":\"panel_5\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"11\",\"w\":48,\"x\":0,\"y\":12},\"panelIndex\":\"11\",\"panelRefName\":\"panel_11\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":16,\"i\":\"12\",\"w\":24,\"x\":0,\"y\":52},\"panelIndex\":\"12\",\"panelRefName\":\"panel_12\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":16,\"i\":\"13\",\"w\":24,\"x\":24,\"y\":52},\"panelIndex\":\"13\",\"panel
RefName\":\"panel_13\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":12,\"i\":\"14\",\"w\":16,\"x\":32,\"y\":40},\"panelIndex\":\"14\",\"panelRefName\":\"panel_14\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":4,\"i\":\"15\",\"w\":48,\"x\":0,\"y\":0},\"panelIndex\":\"15\",\"panelRefName\":\"panel_15\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}},\"gridData\":{\"h\":8,\"i\":\"16\",\"w\":40,\"x\":0,\"y\":4},\"panelIndex\":\"16\",\"panelRefName\":\"panel_16\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"defaultColors\":{\"0 - 50\":\"rgb(255,255,204)\",\"100 - 200\":\"rgb(253,141,60)\",\"200 - 300\":\"rgb(227,27,28)\",\"300 - 400\":\"rgb(128,0,38)\",\"50 - 100\":\"rgb(254,217,118)\"}}},\"gridData\":{\"h\":8,\"i\":\"17\",\"w\":8,\"x\":40,\"y\":4},\"panelIndex\":\"17\",\"panelRefName\":\"panel_17\",\"type\":\"visualization\",\"version\":\"7.3.0\"}]", - "refreshInterval": { - "display": "Off", - "pause": false, - "value": 0 - }, - "timeFrom": "now-24h", - "timeRestore": true, - "timeTo": "now", - "title": "[Logs CEF] Network Suspicious Activity Dashboard", - "version": 1 - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-04749697-de8d-49b3-8eca-c873ab2c5ac9", - "migrationVersion": { - "dashboard": "8.0.0" - }, - "references": [ - { - "id": "cef-270139ff-fc2f-4fca-b241-93a8f57cdcdf", - "name": "1:panel_1", - "type": "visualization" - }, - { - "id": "cef-07a4a351-d282-44a1-85b0-bc7e846f8471", - "name": "2:panel_2", - "type": "visualization" - }, - { - "id": "cef-b7227081-e125-49cb-a580-1be363f06be0", - "name": "3:panel_3", - "type": "visualization" - }, - { - "id": "cef-1c869759-1d3e-4898-b9c7-d2604ed38655", - "name": "5:panel_5", - "type": "visualization" - }, - { - "id": 
"cef-8f38607c-eb10-410e-aec5-15d8b474211e", - "name": "11:panel_11", - "type": "visualization" - }, - { - "id": "cef-655beadd-2678-4495-8793-72b5780f6283", - "name": "12:panel_12", - "type": "visualization" - }, - { - "id": "cef-769e3f37-2b08-4edb-9013-09140a520e69", - "name": "13:panel_13", - "type": "visualization" - }, - { - "id": "cef-cbde6788-7371-4712-b2e0-3eb07e0841f4", - "name": "14:panel_14", - "type": "visualization" - }, - { - "id": "cef-0959df23-10c9-47fd-bebd-c382007b3584", - "name": "15:panel_15", - "type": "visualization" - }, - { - "id": "cef-d7d7bd9e-c767-428c-b7de-d09f9d87f652", - "name": "16:panel_16", - "type": "visualization" - }, - { - "id": "cef-62b06e9a-b8d2-4dfe-8dc6-4378331520aa", - "name": "17:panel_17", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/cef/2.3.3/kibana/dashboard/cef-4f045e14-8e20-47ed-a6d1-219dd3c8ed5c.json b/packages/cef/2.3.3/kibana/dashboard/cef-4f045e14-8e20-47ed-a6d1-219dd3c8ed5c.json deleted file mode 100755 index e75f167514..0000000000 --- a/packages/cef/2.3.3/kibana/dashboard/cef-4f045e14-8e20-47ed-a6d1-219dd3c8ed5c.json +++ /dev/null 
@@ -1,103 +0,0 @@ -{ - "attributes": { - "description": "Network data overview", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:cef.log\"},\"version\":true}" - }, - "optionsJSON": "{\"darkTheme\":false}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"1\",\"w\":48,\"x\":0,\"y\":32},\"panelIndex\":\"1\",\"panelRefName\":\"panel_1\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"2\",\"w\":48,\"x\":0,\"y\":56},\"panelIndex\":\"2\",\"panelRefName\":\"panel_2\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"5\",\"w\":48,\"x\":0,\"y\":12},\"panelIndex\":\"5\",\"panelRefName\":\"panel_5\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"6\",\"w\":48,\"x\":0,\"y\":48},\"panelIndex\":\"6\",\"panelRefName\":\"panel_6\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"defaultColors\":{\"0 - 
100\":\"rgb(0,104,55)\"},\"legendOpen\":false}},\"gridData\":{\"h\":8,\"i\":\"7\",\"w\":40,\"x\":0,\"y\":4},\"panelIndex\":\"7\",\"panelRefName\":\"panel_7\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"colors\":{\"failure\":\"#BF1B00\",\"success\":\"#629E51\",\"unknown\":\"#0A50A1\"}}},\"gridData\":{\"h\":12,\"i\":\"11\",\"w\":16,\"x\":16,\"y\":20},\"panelIndex\":\"11\",\"panelRefName\":\"panel_11\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"h\":12,\"i\":\"13\",\"w\":16,\"x\":0,\"y\":20},\"panelIndex\":\"13\",\"panelRefName\":\"panel_13\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"defaultColors\":{\"0% - 17%\":\"rgb(255,255,204)\",\"17% - 34%\":\"rgb(255,230,146)\",\"34% - 50%\":\"rgb(254,191,90)\",\"50% - 67%\":\"rgb(253,141,60)\",\"67% - 84%\":\"rgb(244,61,37)\",\"84% - 
100%\":\"rgb(202,8,35)\"},\"legendOpen\":false}},\"gridData\":{\"h\":12,\"i\":\"15\",\"w\":16,\"x\":32,\"y\":20},\"panelIndex\":\"15\",\"panelRefName\":\"panel_15\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"17\",\"w\":48,\"x\":0,\"y\":40},\"panelIndex\":\"17\",\"panelRefName\":\"panel_17\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"h\":16,\"i\":\"18\",\"w\":24,\"x\":0,\"y\":64},\"panelIndex\":\"18\",\"panelRefName\":\"panel_18\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":16,\"i\":\"19\",\"w\":24,\"x\":24,\"y\":64},\"panelIndex\":\"19\",\"panelRefName\":\"panel_19\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"20\",\"w\":8,\"x\":40,\"y\":4},\"panelIndex\":\"20\",\"panelRefName\":\"panel_20\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":4,\"i\":\"21\",\"w\":48,\"x\":0,\"y\":0},\"panelIndex\":\"21\",\"panelRefName\":\"panel_21\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"attributes\":{\"description\":\"\",\"layerListJSON\":\"[{\\\"sourceDescriptor\\\":{\\\"type\\\":\\\"EMS_TMS\\\",\\\"isAutoSelect\\\":true,\\\"lightModeDefault\\\":\\\"road_map_desaturated\\\"},\\\"id\\\":\\\"c6a1fd07-de0f-444b-8814-902cbf2d019a\\\",\\\"label\\\":null,\\\"minZoom\\\":0,\\\"maxZoom\\\":24,\\\"alpha\\\":1,\\\"visible\\\":true,\\\"style\\\":{\\\"type\\\":\\\"TILE\\\"},\\\"includeInFitToBounds\\\":true,\\\"type\\\":\\\"EMS_VECTOR_TILE\\\"},{\\\"alpha\\\":0.75,\\\"id\\\":\\\"c1643919-b9de-4588-826f-93710a159e2b\\\",\\\"includeInFitToBounds\\\":true,\\\"joins\\\":[],\\\"label\\\":\\\"Top Destination Locations by Events [Logs 
CEF]\\\",\\\"maxZoom\\\":24,\\\"minZoom\\\":0,\\\"sourceDescriptor\\\":{\\\"applyForceRefresh\\\":true,\\\"applyGlobalQuery\\\":true,\\\"applyGlobalTime\\\":true,\\\"geoField\\\":\\\"destination.geo.location\\\",\\\"id\\\":\\\"5183bb72-a077-4cf0-8aba-561a15b012cf\\\",\\\"metrics\\\":[{\\\"type\\\":\\\"count\\\"}],\\\"requestType\\\":\\\"point\\\",\\\"resolution\\\":\\\"MOST_FINE\\\",\\\"type\\\":\\\"ES_GEO_GRID\\\",\\\"indexPatternRefName\\\":\\\"layer_1_source_index_pattern\\\"},\\\"style\\\":{\\\"isTimeAware\\\":true,\\\"properties\\\":{\\\"fillColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"Yellow to Red\\\",\\\"colorCategory\\\":\\\"palette_0\\\",\\\"field\\\":{\\\"name\\\":\\\"doc_count\\\",\\\"origin\\\":\\\"source\\\"},\\\"fieldMetaOptions\\\":{\\\"isEnabled\\\":false,\\\"sigma\\\":3},\\\"type\\\":\\\"ORDINAL\\\"},\\\"type\\\":\\\"DYNAMIC\\\"},\\\"icon\\\":{\\\"options\\\":{\\\"value\\\":\\\"marker\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"iconOrientation\\\":{\\\"options\\\":{\\\"orientation\\\":0},\\\"type\\\":\\\"STATIC\\\"},\\\"iconSize\\\":{\\\"options\\\":{\\\"size\\\":6},\\\"type\\\":\\\"STATIC\\\"},\\\"labelBorderColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"#FFFFFF\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"labelBorderSize\\\":{\\\"options\\\":{\\\"size\\\":\\\"SMALL\\\"}},\\\"labelColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"#000000\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"labelSize\\\":{\\\"options\\\":{\\\"size\\\":14},\\\"type\\\":\\\"STATIC\\\"},\\\"labelText\\\":{\\\"options\\\":{\\\"value\\\":\\\"\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"lineColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"#3d3d3d\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"lineWidth\\\":{\\\"options\\\":{\\\"size\\\":1},\\\"type\\\":\\\"STATIC\\\"},\\\"symbolizeAs\\\":{\\\"options\\\":{\\\"value\\\":\\\"circle\\\"}}},\\\"type\\\":\\\"VECTOR\\\"},\\\"type\\\":\\\"GEOJSON_VECTOR\\\",\\\"visible\\\":true}]\",\"mapStateJSON\":\"{\\\"zoom\\\":1.78,\\\"center\\\":{\\\"lon\\\":0,\\\"lat\\\":16.40767},\\\"ti
meFilters\\\":{\\\"from\\\":\\\"now-24h\\\",\\\"to\\\":\\\"now\\\"},\\\"refreshConfig\\\":{\\\"isPaused\\\":true,\\\"interval\\\":0},\\\"query\\\":{\\\"query\\\":\\\"\\\",\\\"language\\\":\\\"kuery\\\"},\\\"filters\\\":[],\\\"settings\\\":{\\\"autoFitToDataBounds\\\":false,\\\"backgroundColor\\\":\\\"#ffffff\\\",\\\"disableInteractive\\\":false,\\\"disableTooltipControl\\\":false,\\\"hideToolbarOverlay\\\":false,\\\"hideLayerControl\\\":false,\\\"hideViewControl\\\":false,\\\"initialLocation\\\":\\\"LAST_SAVED_LOCATION\\\",\\\"fixedLocation\\\":{\\\"lat\\\":0,\\\"lon\\\":0,\\\"zoom\\\":2},\\\"browserLocation\\\":{\\\"zoom\\\":2},\\\"maxZoom\\\":24,\\\"minZoom\\\":0,\\\"showScaleControl\\\":false,\\\"showSpatialFilters\\\":true,\\\"showTimesliderToggleButton\\\":true,\\\"spatialFiltersAlpa\\\":0.3,\\\"spatialFiltersFillColor\\\":\\\"#DA8B45\\\",\\\"spatialFiltersLineColor\\\":\\\"#DA8B45\\\"}}\",\"references\":[],\"title\":\"Top Destination Locations by Events [Logs CEF]\",\"uiStateJSON\":\"{\\\"isLayerTOCOpen\\\":true,\\\"openTOCDetails\\\":[]}\"},\"enhancements\":{},\"hiddenLayers\":[],\"isLayerTOCOpen\":true,\"mapBuffer\":{\"maxLat\":66.51326,\"maxLon\":90,\"minLat\":-66.51326,\"minLon\":-90},\"mapCenter\":{\"lat\":16.40767,\"lon\":0,\"zoom\":1.78},\"openTOCDetails\":[]},\"gridData\":{\"h\":24,\"i\":\"49de47fb-1382-4009-89d2-b96a4161e12d\",\"w\":24,\"x\":0,\"y\":80},\"panelIndex\":\"49de47fb-1382-4009-89d2-b96a4161e12d\",\"type\":\"map\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"attributes\":{\"description\":\"\",\"layerListJSON\":\"[{\\\"sourceDescriptor\\\":{\\\"type\\\":\\\"EMS_TMS\\\",\\\"isAutoSelect\\\":true,\\\"lightModeDefault\\\":\\\"road_map_desaturated\\\"},\\\"id\\\":\\\"c2329af2-2183-45cb-9f40-d0f2e984c5b3\\\",\\\"label\\\":null,\\\"minZoom\\\":0,\\\"maxZoom\\\":24,\\\"alpha\\\":1,\\\"visible\\\":true,\\\"style\\\":{\\\"type\\\":\\\"TILE\\\"},\\\"includeInFitToBounds\\\":true,\\\"type\\\":\\\"EMS_VECTOR_TILE\\\"},{\\\"alpha\\\":0.75,\\\"id\\\":\
\\"1fc250c2-4990-401e-b709-61e1f4824005\\\",\\\"includeInFitToBounds\\\":true,\\\"joins\\\":[],\\\"label\\\":\\\"Top Source Locations by Events [Logs CEF]\\\",\\\"maxZoom\\\":24,\\\"minZoom\\\":0,\\\"sourceDescriptor\\\":{\\\"applyForceRefresh\\\":true,\\\"applyGlobalQuery\\\":true,\\\"applyGlobalTime\\\":true,\\\"geoField\\\":\\\"source.geo.location\\\",\\\"id\\\":\\\"e1eda4fd-94b9-4c31-9615-70334517a966\\\",\\\"metrics\\\":[{\\\"type\\\":\\\"count\\\"}],\\\"requestType\\\":\\\"point\\\",\\\"resolution\\\":\\\"MOST_FINE\\\",\\\"type\\\":\\\"ES_GEO_GRID\\\",\\\"indexPatternRefName\\\":\\\"layer_1_source_index_pattern\\\"},\\\"style\\\":{\\\"isTimeAware\\\":true,\\\"properties\\\":{\\\"fillColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"Yellow to Red\\\",\\\"colorCategory\\\":\\\"palette_0\\\",\\\"field\\\":{\\\"name\\\":\\\"doc_count\\\",\\\"origin\\\":\\\"source\\\"},\\\"fieldMetaOptions\\\":{\\\"isEnabled\\\":false,\\\"sigma\\\":3},\\\"type\\\":\\\"ORDINAL\\\"},\\\"type\\\":\\\"DYNAMIC\\\"},\\\"icon\\\":{\\\"options\\\":{\\\"value\\\":\\\"marker\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"iconOrientation\\\":{\\\"options\\\":{\\\"orientation\\\":0},\\\"type\\\":\\\"STATIC\\\"},\\\"iconSize\\\":{\\\"options\\\":{\\\"size\\\":6},\\\"type\\\":\\\"STATIC\\\"},\\\"labelBorderColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"#FFFFFF\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"labelBorderSize\\\":{\\\"options\\\":{\\\"size\\\":\\\"SMALL\\\"}},\\\"labelColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"#000000\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"labelSize\\\":{\\\"options\\\":{\\\"size\\\":14},\\\"type\\\":\\\"STATIC\\\"},\\\"labelText\\\":{\\\"options\\\":{\\\"value\\\":\\\"\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"lineColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"#3d3d3d\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"lineWidth\\\":{\\\"options\\\":{\\\"size\\\":1},\\\"type\\\":\\\"STATIC\\\"},\\\"symbolizeAs\\\":{\\\"options\\\":{\\\"value\\\":\\\"circle\\\"}}},\\\"type\\\":\\\"VECTOR\\\"},\\\"type\\\"
:\\\"GEOJSON_VECTOR\\\",\\\"visible\\\":true}]\",\"mapStateJSON\":\"{\\\"zoom\\\":1.78,\\\"center\\\":{\\\"lon\\\":0,\\\"lat\\\":16.40767},\\\"timeFilters\\\":{\\\"from\\\":\\\"now-24h\\\",\\\"to\\\":\\\"now\\\"},\\\"refreshConfig\\\":{\\\"isPaused\\\":true,\\\"interval\\\":0},\\\"query\\\":{\\\"query\\\":\\\"\\\",\\\"language\\\":\\\"kuery\\\"},\\\"filters\\\":[],\\\"settings\\\":{\\\"autoFitToDataBounds\\\":false,\\\"backgroundColor\\\":\\\"#ffffff\\\",\\\"disableInteractive\\\":false,\\\"disableTooltipControl\\\":false,\\\"hideToolbarOverlay\\\":false,\\\"hideLayerControl\\\":false,\\\"hideViewControl\\\":false,\\\"initialLocation\\\":\\\"LAST_SAVED_LOCATION\\\",\\\"fixedLocation\\\":{\\\"lat\\\":0,\\\"lon\\\":0,\\\"zoom\\\":2},\\\"browserLocation\\\":{\\\"zoom\\\":2},\\\"maxZoom\\\":24,\\\"minZoom\\\":0,\\\"showScaleControl\\\":false,\\\"showSpatialFilters\\\":true,\\\"showTimesliderToggleButton\\\":true,\\\"spatialFiltersAlpa\\\":0.3,\\\"spatialFiltersFillColor\\\":\\\"#DA8B45\\\",\\\"spatialFiltersLineColor\\\":\\\"#DA8B45\\\"}}\",\"references\":[],\"title\":\"Top Source Locations by Events [Logs CEF]\",\"uiStateJSON\":\"{\\\"isLayerTOCOpen\\\":true,\\\"openTOCDetails\\\":[]}\"},\"enhancements\":{},\"hiddenLayers\":[],\"isLayerTOCOpen\":true,\"mapBuffer\":{\"maxLat\":66.51326,\"maxLon\":90,\"minLat\":-66.51326,\"minLon\":-90},\"mapCenter\":{\"lat\":16.40767,\"lon\":0,\"zoom\":1.78},\"openTOCDetails\":[]},\"gridData\":{\"h\":24,\"i\":\"9d097034-9ebb-4f53-ad39-e42e625b541c\",\"w\":24,\"x\":24,\"y\":80},\"panelIndex\":\"9d097034-9ebb-4f53-ad39-e42e625b541c\",\"type\":\"map\",\"version\":\"8.0.0\"}]", - "refreshInterval": { - "pause": true, - "value": 0 - }, - "timeFrom": "now-24h", - "timeRestore": true, - "timeTo": "now", - "title": "[Logs CEF] Network Overview Dashboard", - "version": 1 - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-4f045e14-8e20-47ed-a6d1-219dd3c8ed5c", - "migrationVersion": { - "dashboard": "8.0.0" - }, - "references": [ - { - "id": 
"cef-38061262-edbe-4ccc-8c5c-d22c480b3c64", - "name": "1:panel_1", - "type": "visualization" - }, - { - "id": "cef-daa1fe0b-a698-4429-8e5d-db251502276c", - "name": "2:panel_2", - "type": "visualization" - }, - { - "id": "cef-efa710e7-907c-4723-92cd-2bd2276f44dd", - "name": "5:panel_5", - "type": "visualization" - }, - { - "id": "cef-d3ce586b-d372-4e03-9c19-b768b1b953f3", - "name": "6:panel_6", - "type": "visualization" - }, - { - "id": "cef-291cd92f-52c4-421b-b354-468318ba3e65", - "name": "7:panel_7", - "type": "visualization" - }, - { - "id": "cef-0a202432-3dbd-49c0-af57-623ffb90211d", - "name": "11:panel_11", - "type": "visualization" - }, - { - "id": "cef-85818e02-7a16-4afa-8278-99c4059ddd82", - "name": "13:panel_13", - "type": "visualization" - }, - { - "id": "cef-841a5d3f-c201-4499-a0fd-883247360640", - "name": "15:panel_15", - "type": "visualization" - }, - { - "id": "cef-baa6c9ee-dffe-4ea5-bedd-91962700f450", - "name": "17:panel_17", - "type": "visualization" - }, - { - "id": "cef-535a7bf8-a701-4016-86c0-038bc6d9d069", - "name": "18:panel_18", - "type": "visualization" - }, - { - "id": "cef-a5e56e2a-b807-4fd7-92c2-9da42134e0a9", - "name": "19:panel_19", - "type": "visualization" - }, - { - "id": "cef-62b06e9a-b8d2-4dfe-8dc6-4378331520aa", - "name": "20:panel_20", - "type": "visualization" - }, - { - "id": "cef-d42600fb-ea45-4dc9-a5d2-dd6a502fb76e", - "name": "21:panel_21", - "type": "visualization" - }, - { - "id": "logs-*", - "name": "49de47fb-1382-4009-89d2-b96a4161e12d:layer_1_source_index_pattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "9d097034-9ebb-4f53-ad39-e42e625b541c:layer_1_source_index_pattern", - "type": "index-pattern" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/cef/2.3.3/kibana/dashboard/cef-56428e01-0c47-4770-8ba4-9345a029ea41.json b/packages/cef/2.3.3/kibana/dashboard/cef-56428e01-0c47-4770-8ba4-9345a029ea41.json deleted file mode 100755 index c44bda0cc2..0000000000 
--- a/packages/cef/2.3.3/kibana/dashboard/cef-56428e01-0c47-4770-8ba4-9345a029ea41.json +++ /dev/null 
@@ -1,93 +0,0 @@ -{ - "attributes": { - "description": "Overview of Microsoft DNS activity via ArcSight", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:cef.log\"},\"version\":true}" - }, - "optionsJSON": "{\"darkTheme\":false}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"1\",\"w\":8,\"x\":40,\"y\":4},\"panelIndex\":\"1\",\"panelRefName\":\"panel_1\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}},\"gridData\":{\"h\":8,\"i\":\"3\",\"w\":40,\"x\":0,\"y\":4},\"panelIndex\":\"3\",\"panelRefName\":\"panel_3\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"defaultColors\":{\"0 - 18k\":\"rgb(247,251,255)\",\"108k - 126k\":\"rgb(74,152,201)\",\"126k - 144k\":\"rgb(46,126,188)\",\"144k - 162k\":\"rgb(23,100,171)\",\"162k - 180k\":\"rgb(8,74,145)\",\"18k - 36k\":\"rgb(227,238,249)\",\"36k - 54k\":\"rgb(208,225,242)\",\"54k - 72k\":\"rgb(182,212,233)\",\"72k - 90k\":\"rgb(148,196,223)\",\"90k - 
108k\":\"rgb(107,174,214)\"},\"legendOpen\":false}},\"gridData\":{\"h\":16,\"i\":\"5\",\"w\":24,\"x\":0,\"y\":32},\"panelIndex\":\"5\",\"panelRefName\":\"panel_5\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"6\",\"w\":48,\"x\":0,\"y\":48},\"panelIndex\":\"6\",\"panelRefName\":\"panel_6\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":16,\"i\":\"7\",\"w\":24,\"x\":24,\"y\":32},\"panelIndex\":\"7\",\"panelRefName\":\"panel_7\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"9\",\"w\":48,\"x\":0,\"y\":12},\"panelIndex\":\"9\",\"panelRefName\":\"panel_9\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"h\":16,\"i\":\"11\",\"w\":24,\"x\":24,\"y\":56},\"panelIndex\":\"11\",\"panelRefName\":\"panel_11\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":4,\"i\":\"12\",\"w\":48,\"x\":0,\"y\":0},\"panelIndex\":\"12\",\"panelRefName\":\"panel_12\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"h\":16,\"i\":\"13\",\"w\":24,\"x\":0,\"y\":56},\"panelIndex\":\"13\",\"panelRefName\":\"panel_13\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":12,\"i\":\"14\",\"w\":24,\"x\":0,\"y\":20},\"panelIndex\":\"14\",\"panelRefName\":\"panel_14\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":12,\"i\":\"15\",\"w\":24,\"x\":24,\"y\":20},\"panelIndex\":\"15\",\"panelRefName\":\"panel_15\",\"type\":\"visualization\"
,\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"attributes\":{\"description\":\"\",\"layerListJSON\":\"[{\\\"sourceDescriptor\\\":{\\\"type\\\":\\\"EMS_TMS\\\",\\\"isAutoSelect\\\":true,\\\"lightModeDefault\\\":\\\"road_map_desaturated\\\"},\\\"id\\\":\\\"56b3b288-a0f1-416d-9d40-96a37c8484fd\\\",\\\"label\\\":null,\\\"minZoom\\\":0,\\\"maxZoom\\\":24,\\\"alpha\\\":1,\\\"visible\\\":true,\\\"style\\\":{\\\"type\\\":\\\"TILE\\\"},\\\"includeInFitToBounds\\\":true,\\\"type\\\":\\\"VECTOR_TILE\\\"},{\\\"alpha\\\":0.75,\\\"id\\\":\\\"d50cbece-4556-4421-bb06-fb015bfe7baa\\\",\\\"includeInFitToBounds\\\":true,\\\"joins\\\":[],\\\"label\\\":\\\"Top Sources by Events [Logs CEF ArcSight]\\\",\\\"maxZoom\\\":24,\\\"minZoom\\\":0,\\\"sourceDescriptor\\\":{\\\"applyForceRefresh\\\":true,\\\"applyGlobalQuery\\\":true,\\\"applyGlobalTime\\\":true,\\\"geoField\\\":\\\"source.geo.location\\\",\\\"id\\\":\\\"555cbeac-b098-4946-9498-6b700e745e8a\\\",\\\"indexPatternId\\\":\\\"logs-*\\\",\\\"metrics\\\":[{\\\"type\\\":\\\"count\\\"}],\\\"requestType\\\":\\\"point\\\",\\\"resolution\\\":\\\"MOST_FINE\\\",\\\"type\\\":\\\"ES_GEO_GRID\\\"},\\\"style\\\":{\\\"isTimeAware\\\":true,\\\"properties\\\":{\\\"fillColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"Yellow to 
Red\\\",\\\"colorCategory\\\":\\\"palette_0\\\",\\\"field\\\":{\\\"name\\\":\\\"doc_count\\\",\\\"origin\\\":\\\"source\\\"},\\\"fieldMetaOptions\\\":{\\\"isEnabled\\\":false,\\\"sigma\\\":3},\\\"type\\\":\\\"ORDINAL\\\"},\\\"type\\\":\\\"DYNAMIC\\\"},\\\"icon\\\":{\\\"options\\\":{\\\"value\\\":\\\"marker\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"iconOrientation\\\":{\\\"options\\\":{\\\"orientation\\\":0},\\\"type\\\":\\\"STATIC\\\"},\\\"iconSize\\\":{\\\"options\\\":{\\\"size\\\":6},\\\"type\\\":\\\"STATIC\\\"},\\\"labelBorderColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"#FFFFFF\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"labelBorderSize\\\":{\\\"options\\\":{\\\"size\\\":\\\"SMALL\\\"}},\\\"labelColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"#000000\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"labelSize\\\":{\\\"options\\\":{\\\"size\\\":14},\\\"type\\\":\\\"STATIC\\\"},\\\"labelText\\\":{\\\"options\\\":{\\\"value\\\":\\\"\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"lineColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"#3d3d3d\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"lineWidth\\\":{\\\"options\\\":{\\\"size\\\":1},\\\"type\\\":\\\"STATIC\\\"},\\\"symbolizeAs\\\":{\\\"options\\\":{\\\"value\\\":\\\"circle\\\"}}},\\\"type\\\":\\\"VECTOR\\\"},\\\"type\\\":\\\"VECTOR\\\",\\\"visible\\\":true}]\",\"mapStateJSON\":\"{\\\"zoom\\\":1.78,\\\"center\\\":{\\\"lon\\\":0,\\\"lat\\\":16.40767},\\\"timeFilters\\\":{\\\"from\\\":\\\"now-24h\\\",\\\"to\\\":\\\"now\\\"},\\\"refreshConfig\\\":{\\\"isPaused\\\":true,\\\"interval\\\":0},\\\"query\\\":{\\\"query\\\":\\\"\\\",\\\"language\\\":\\\"kuery\\\"},\\\"filters\\\":[],\\\"settings\\\":{\\\"autoFitToDataBounds\\\":false,\\\"backgroundColor\\\":\\\"#ffffff\\\",\\\"disableInteractive\\\":false,\\\"disableTooltipControl\\\":false,\\\"hideToolbarOverlay\\\":false,\\\"hideLayerControl\\\":false,\\\"hideViewControl\\\":false,\\\"initialLocation\\\":\\\"LAST_SAVED_LOCATION\\\",\\\"fixedLocation\\\":{\\\"lat\\\":0,\\\"lon\\\":0,\\\"zoom\\\":2},\\\"browserLocation\\
\":{\\\"zoom\\\":2},\\\"maxZoom\\\":24,\\\"minZoom\\\":0,\\\"showScaleControl\\\":false,\\\"showSpatialFilters\\\":true,\\\"showTimesliderToggleButton\\\":true,\\\"spatialFiltersAlpa\\\":0.3,\\\"spatialFiltersFillColor\\\":\\\"#DA8B45\\\",\\\"spatialFiltersLineColor\\\":\\\"#DA8B45\\\"}}\",\"references\":[],\"title\":\"Top Sources by Events [Logs CEF ArcSight]\",\"uiStateJSON\":\"{\\\"isLayerTOCOpen\\\":true,\\\"openTOCDetails\\\":[]}\"},\"enhancements\":{},\"hiddenLayers\":[],\"isLayerTOCOpen\":true,\"mapBuffer\":{\"maxLat\":66.51326,\"maxLon\":90,\"minLat\":-66.51326,\"minLon\":-90},\"mapCenter\":{\"lat\":16.40767,\"lon\":0,\"zoom\":1.78},\"openTOCDetails\":[]},\"gridData\":{\"h\":12,\"i\":\"3cf2118b-5231-49f5-b685-0ff0e1f52c32\",\"w\":24,\"x\":0,\"y\":72},\"panelIndex\":\"3cf2118b-5231-49f5-b685-0ff0e1f52c32\",\"type\":\"map\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"attributes\":{\"description\":\"\",\"layerListJSON\":\"[{\\\"sourceDescriptor\\\":{\\\"type\\\":\\\"EMS_TMS\\\",\\\"isAutoSelect\\\":true,\\\"lightModeDefault\\\":\\\"road_map_desaturated\\\"},\\\"id\\\":\\\"5231e15c-d374-46ca-9553-3308d723ded3\\\",\\\"label\\\":null,\\\"minZoom\\\":0,\\\"maxZoom\\\":24,\\\"alpha\\\":1,\\\"visible\\\":true,\\\"style\\\":{\\\"type\\\":\\\"TILE\\\"},\\\"includeInFitToBounds\\\":true,\\\"type\\\":\\\"VECTOR_TILE\\\"},{\\\"alpha\\\":0.75,\\\"id\\\":\\\"8cdaae20-5dcc-4930-b105-802fc344fcb6\\\",\\\"includeInFitToBounds\\\":true,\\\"joins\\\":[],\\\"label\\\":\\\"Top Destinations by Events [Logs CEF 
ArcSight]\\\",\\\"maxZoom\\\":24,\\\"minZoom\\\":0,\\\"sourceDescriptor\\\":{\\\"applyForceRefresh\\\":true,\\\"applyGlobalQuery\\\":true,\\\"applyGlobalTime\\\":true,\\\"geoField\\\":\\\"destination.geo.location\\\",\\\"id\\\":\\\"88700fdc-3a96-46b8-b51f-3839111eb6ec\\\",\\\"indexPatternId\\\":\\\"logs-*\\\",\\\"metrics\\\":[{\\\"type\\\":\\\"count\\\"}],\\\"requestType\\\":\\\"point\\\",\\\"resolution\\\":\\\"MOST_FINE\\\",\\\"type\\\":\\\"ES_GEO_GRID\\\"},\\\"style\\\":{\\\"isTimeAware\\\":true,\\\"properties\\\":{\\\"fillColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"Yellow to Red\\\",\\\"colorCategory\\\":\\\"palette_0\\\",\\\"field\\\":{\\\"name\\\":\\\"doc_count\\\",\\\"origin\\\":\\\"source\\\"},\\\"fieldMetaOptions\\\":{\\\"isEnabled\\\":false,\\\"sigma\\\":3},\\\"type\\\":\\\"ORDINAL\\\"},\\\"type\\\":\\\"DYNAMIC\\\"},\\\"icon\\\":{\\\"options\\\":{\\\"value\\\":\\\"marker\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"iconOrientation\\\":{\\\"options\\\":{\\\"orientation\\\":0},\\\"type\\\":\\\"STATIC\\\"},\\\"iconSize\\\":{\\\"options\\\":{\\\"size\\\":6},\\\"type\\\":\\\"STATIC\\\"},\\\"labelBorderColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"#FFFFFF\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"labelBorderSize\\\":{\\\"options\\\":{\\\"size\\\":\\\"SMALL\\\"}},\\\"labelColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"#000000\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"labelSize\\\":{\\\"options\\\":{\\\"size\\\":14},\\\"type\\\":\\\"STATIC\\\"},\\\"labelText\\\":{\\\"options\\\":{\\\"value\\\":\\\"\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"lineColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"#3d3d3d\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"lineWidth\\\":{\\\"options\\\":{\\\"size\\\":1},\\\"type\\\":\\\"STATIC\\\"},\\\"symbolizeAs\\\":{\\\"options\\\":{\\\"value\\\":\\\"circle\\\"}}},\\\"type\\\":\\\"VECTOR\\\"},\\\"type\\\":\\\"VECTOR\\\",\\\"visible\\\":true}]\",\"mapStateJSON\":\"{\\\"zoom\\\":1.78,\\\"center\\\":{\\\"lon\\\":0,\\\"lat\\\":16.40767},\\\"timeFilters\\\":{\\\"from\\\":\\
\"now-24h\\\",\\\"to\\\":\\\"now\\\"},\\\"refreshConfig\\\":{\\\"isPaused\\\":true,\\\"interval\\\":0},\\\"query\\\":{\\\"query\\\":\\\"\\\",\\\"language\\\":\\\"kuery\\\"},\\\"filters\\\":[],\\\"settings\\\":{\\\"autoFitToDataBounds\\\":false,\\\"backgroundColor\\\":\\\"#ffffff\\\",\\\"disableInteractive\\\":false,\\\"disableTooltipControl\\\":false,\\\"hideToolbarOverlay\\\":false,\\\"hideLayerControl\\\":false,\\\"hideViewControl\\\":false,\\\"initialLocation\\\":\\\"LAST_SAVED_LOCATION\\\",\\\"fixedLocation\\\":{\\\"lat\\\":0,\\\"lon\\\":0,\\\"zoom\\\":2},\\\"browserLocation\\\":{\\\"zoom\\\":2},\\\"maxZoom\\\":24,\\\"minZoom\\\":0,\\\"showScaleControl\\\":false,\\\"showSpatialFilters\\\":true,\\\"showTimesliderToggleButton\\\":true,\\\"spatialFiltersAlpa\\\":0.3,\\\"spatialFiltersFillColor\\\":\\\"#DA8B45\\\",\\\"spatialFiltersLineColor\\\":\\\"#DA8B45\\\"}}\",\"references\":[],\"title\":\"Top Destinations by Events [Logs CEF ArcSight]\",\"uiStateJSON\":\"{\\\"isLayerTOCOpen\\\":true,\\\"openTOCDetails\\\":[]}\"},\"enhancements\":{},\"hiddenLayers\":[],\"isLayerTOCOpen\":true,\"mapBuffer\":{\"maxLat\":66.51326,\"maxLon\":90,\"minLat\":-66.51326,\"minLon\":-90},\"mapCenter\":{\"lat\":16.40767,\"lon\":0,\"zoom\":1.78},\"openTOCDetails\":[]},\"gridData\":{\"h\":12,\"i\":\"07f92eca-2078-4aa6-8373-d27ca33595d6\",\"w\":24,\"x\":24,\"y\":72},\"panelIndex\":\"07f92eca-2078-4aa6-8373-d27ca33595d6\",\"type\":\"map\",\"version\":\"8.0.0\"}]", - "refreshInterval": { - "pause": true, - "value": 0 - }, - "timeFrom": "now-24h", - "timeRestore": true, - "timeTo": "now", - "title": "[Logs CEF ArcSight] Microsoft DNS Overview", - "version": 1 - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-56428e01-0c47-4770-8ba4-9345a029ea41", - "migrationVersion": { - "dashboard": "8.0.0" - }, - "references": [ - { - "id": "cef-7e2b0659-0760-4182-8b29-3ee69f26bc6f", - "name": "1:panel_1", - "type": "visualization" - }, - { - "id": "cef-249e2737-b41f-4115-b303-88bc9d279655", - "name": 
"3:panel_3", - "type": "visualization" - }, - { - "id": "cef-566d8b4e-ec5c-4b8b-bd68-3cc9cb236110", - "name": "5:panel_5", - "type": "visualization" - }, - { - "id": "cef-759e8dc3-0fdb-4cb6-ba47-87a2e2ff8df3", - "name": "6:panel_6", - "type": "visualization" - }, - { - "id": "cef-fcf798a8-db8f-4492-827b-8fa7581108a9", - "name": "7:panel_7", - "type": "visualization" - }, - { - "id": "cef-f0e60404-ddf4-4b46-8e45-e28c4fb6d60d", - "name": "9:panel_9", - "type": "visualization" - }, - { - "id": "cef-1b9cc5b7-7747-49de-96b1-a4bc7f675716", - "name": "11:panel_11", - "type": "visualization" - }, - { - "id": "cef-677891a1-90c4-4273-b126-f0e54689bd76", - "name": "12:panel_12", - "type": "visualization" - }, - { - "id": "cef-26a65f68-d7a6-4b47-befc-c5a6819bb91b", - "name": "13:panel_13", - "type": "visualization" - }, - { - "id": "cef-16aef3e9-e33b-4bab-b32f-d8c5b1263ac0", - "name": "14:panel_14", - "type": "visualization" - }, - { - "id": "cef-f3c573ad-2c16-4de5-9ec3-0a47141d4fa0", - "name": "15:panel_15", - "type": "visualization" - }, - { - "id": "logs-*", - "name": "3cf2118b-5231-49f5-b685-0ff0e1f52c32:layer_1_source_index_pattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "07f92eca-2078-4aa6-8373-d27ca33595d6:layer_1_source_index_pattern", - "type": "index-pattern" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/cef/2.3.3/kibana/dashboard/cef-607f756e-288d-499a-8f8a-33791354ffaf.json b/packages/cef/2.3.3/kibana/dashboard/cef-607f756e-288d-499a-8f8a-33791354ffaf.json deleted file mode 100755 index e155c10a5e..0000000000 --- a/packages/cef/2.3.3/kibana/dashboard/cef-607f756e-288d-499a-8f8a-33791354ffaf.json +++ /dev/null 
@@ -1,93 +0,0 @@ -{ - "attributes": { - "description": "Overview of Microsoft DNS activity", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:cef.log\"},\"version\":true}" - }, - "optionsJSON": "{\"darkTheme\":false}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"1\",\"w\":8,\"x\":40,\"y\":4},\"panelIndex\":\"1\",\"panelRefName\":\"panel_1\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}},\"gridData\":{\"h\":8,\"i\":\"3\",\"w\":40,\"x\":0,\"y\":4},\"panelIndex\":\"3\",\"panelRefName\":\"panel_3\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"defaultColors\":{\"0 - 18k\":\"rgb(247,251,255)\",\"108k - 126k\":\"rgb(74,152,201)\",\"126k - 144k\":\"rgb(46,126,188)\",\"144k - 162k\":\"rgb(23,100,171)\",\"162k - 180k\":\"rgb(8,74,145)\",\"18k - 36k\":\"rgb(227,238,249)\",\"36k - 54k\":\"rgb(208,225,242)\",\"54k - 72k\":\"rgb(182,212,233)\",\"72k - 90k\":\"rgb(148,196,223)\",\"90k - 
108k\":\"rgb(107,174,214)\"},\"legendOpen\":false}},\"gridData\":{\"h\":16,\"i\":\"5\",\"w\":24,\"x\":0,\"y\":32},\"panelIndex\":\"5\",\"panelRefName\":\"panel_5\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"6\",\"w\":48,\"x\":0,\"y\":48},\"panelIndex\":\"6\",\"panelRefName\":\"panel_6\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":16,\"i\":\"7\",\"w\":24,\"x\":24,\"y\":32},\"panelIndex\":\"7\",\"panelRefName\":\"panel_7\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"9\",\"w\":48,\"x\":0,\"y\":12},\"panelIndex\":\"9\",\"panelRefName\":\"panel_9\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"h\":16,\"i\":\"11\",\"w\":24,\"x\":24,\"y\":56},\"panelIndex\":\"11\",\"panelRefName\":\"panel_11\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":4,\"i\":\"12\",\"w\":48,\"x\":0,\"y\":0},\"panelIndex\":\"12\",\"panelRefName\":\"panel_12\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"h\":16,\"i\":\"13\",\"w\":24,\"x\":0,\"y\":56},\"panelIndex\":\"13\",\"panelRefName\":\"panel_13\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":12,\"i\":\"14\",\"w\":24,\"x\":0,\"y\":20},\"panelIndex\":\"14\",\"panelRefName\":\"panel_14\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":12,\"i\":\"15\",\"w\":24,\"x\":24,\"y\":20},\"panelIndex\":\"15\",\"panelRefName\":\"panel_15\",\"type\":\"visualization\"
,\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"attributes\":{\"description\":\"\",\"layerListJSON\":\"[{\\\"sourceDescriptor\\\":{\\\"type\\\":\\\"EMS_TMS\\\",\\\"isAutoSelect\\\":true,\\\"lightModeDefault\\\":\\\"road_map_desaturated\\\"},\\\"id\\\":\\\"56b3b288-a0f1-416d-9d40-96a37c8484fd\\\",\\\"label\\\":null,\\\"minZoom\\\":0,\\\"maxZoom\\\":24,\\\"alpha\\\":1,\\\"visible\\\":true,\\\"style\\\":{\\\"type\\\":\\\"TILE\\\"},\\\"includeInFitToBounds\\\":true,\\\"type\\\":\\\"EMS_VECTOR_TILE\\\"},{\\\"alpha\\\":0.75,\\\"id\\\":\\\"d50cbece-4556-4421-bb06-fb015bfe7baa\\\",\\\"includeInFitToBounds\\\":true,\\\"joins\\\":[],\\\"label\\\":\\\"Top Sources by Events [Logs CEF]\\\",\\\"maxZoom\\\":24,\\\"minZoom\\\":0,\\\"sourceDescriptor\\\":{\\\"applyForceRefresh\\\":true,\\\"applyGlobalQuery\\\":true,\\\"applyGlobalTime\\\":true,\\\"geoField\\\":\\\"source.geo.location\\\",\\\"id\\\":\\\"555cbeac-b098-4946-9498-6b700e745e8a\\\",\\\"metrics\\\":[{\\\"type\\\":\\\"count\\\"}],\\\"requestType\\\":\\\"point\\\",\\\"resolution\\\":\\\"MOST_FINE\\\",\\\"type\\\":\\\"ES_GEO_GRID\\\",\\\"indexPatternRefName\\\":\\\"layer_1_source_index_pattern\\\"},\\\"style\\\":{\\\"isTimeAware\\\":true,\\\"properties\\\":{\\\"fillColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"Yellow to 
Red\\\",\\\"colorCategory\\\":\\\"palette_0\\\",\\\"field\\\":{\\\"name\\\":\\\"doc_count\\\",\\\"origin\\\":\\\"source\\\"},\\\"fieldMetaOptions\\\":{\\\"isEnabled\\\":false,\\\"sigma\\\":3},\\\"type\\\":\\\"ORDINAL\\\"},\\\"type\\\":\\\"DYNAMIC\\\"},\\\"icon\\\":{\\\"options\\\":{\\\"value\\\":\\\"marker\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"iconOrientation\\\":{\\\"options\\\":{\\\"orientation\\\":0},\\\"type\\\":\\\"STATIC\\\"},\\\"iconSize\\\":{\\\"options\\\":{\\\"size\\\":6},\\\"type\\\":\\\"STATIC\\\"},\\\"labelBorderColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"#FFFFFF\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"labelBorderSize\\\":{\\\"options\\\":{\\\"size\\\":\\\"SMALL\\\"}},\\\"labelColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"#000000\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"labelSize\\\":{\\\"options\\\":{\\\"size\\\":14},\\\"type\\\":\\\"STATIC\\\"},\\\"labelText\\\":{\\\"options\\\":{\\\"value\\\":\\\"\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"lineColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"#3d3d3d\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"lineWidth\\\":{\\\"options\\\":{\\\"size\\\":1},\\\"type\\\":\\\"STATIC\\\"},\\\"symbolizeAs\\\":{\\\"options\\\":{\\\"value\\\":\\\"circle\\\"}}},\\\"type\\\":\\\"VECTOR\\\"},\\\"type\\\":\\\"GEOJSON_VECTOR\\\",\\\"visible\\\":true}]\",\"mapStateJSON\":\"{\\\"zoom\\\":1.78,\\\"center\\\":{\\\"lon\\\":0,\\\"lat\\\":16.40767},\\\"timeFilters\\\":{\\\"from\\\":\\\"now-24h\\\",\\\"to\\\":\\\"now\\\"},\\\"refreshConfig\\\":{\\\"isPaused\\\":true,\\\"interval\\\":0},\\\"query\\\":{\\\"query\\\":\\\"\\\",\\\"language\\\":\\\"kuery\\\"},\\\"filters\\\":[],\\\"settings\\\":{\\\"autoFitToDataBounds\\\":false,\\\"backgroundColor\\\":\\\"#ffffff\\\",\\\"disableInteractive\\\":false,\\\"disableTooltipControl\\\":false,\\\"hideToolbarOverlay\\\":false,\\\"hideLayerControl\\\":false,\\\"hideViewControl\\\":false,\\\"initialLocation\\\":\\\"LAST_SAVED_LOCATION\\\",\\\"fixedLocation\\\":{\\\"lat\\\":0,\\\"lon\\\":0,\\\"zoom\\\":2},\\\"browserLo
cation\\\":{\\\"zoom\\\":2},\\\"maxZoom\\\":24,\\\"minZoom\\\":0,\\\"showScaleControl\\\":false,\\\"showSpatialFilters\\\":true,\\\"showTimesliderToggleButton\\\":true,\\\"spatialFiltersAlpa\\\":0.3,\\\"spatialFiltersFillColor\\\":\\\"#DA8B45\\\",\\\"spatialFiltersLineColor\\\":\\\"#DA8B45\\\"}}\",\"references\":[],\"title\":\"Top Sources by Events [Logs CEF]\",\"uiStateJSON\":\"{\\\"isLayerTOCOpen\\\":true,\\\"openTOCDetails\\\":[]}\"},\"enhancements\":{},\"hiddenLayers\":[],\"isLayerTOCOpen\":true,\"mapBuffer\":{\"maxLat\":66.51326,\"maxLon\":90,\"minLat\":-66.51326,\"minLon\":-90},\"mapCenter\":{\"lat\":16.40767,\"lon\":0,\"zoom\":1.78},\"openTOCDetails\":[]},\"gridData\":{\"h\":12,\"i\":\"3cf2118b-5231-49f5-b685-0ff0e1f52c32\",\"w\":24,\"x\":0,\"y\":72},\"panelIndex\":\"3cf2118b-5231-49f5-b685-0ff0e1f52c32\",\"type\":\"map\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"attributes\":{\"description\":\"\",\"layerListJSON\":\"[{\\\"sourceDescriptor\\\":{\\\"type\\\":\\\"EMS_TMS\\\",\\\"isAutoSelect\\\":true,\\\"lightModeDefault\\\":\\\"road_map_desaturated\\\"},\\\"id\\\":\\\"5231e15c-d374-46ca-9553-3308d723ded3\\\",\\\"label\\\":null,\\\"minZoom\\\":0,\\\"maxZoom\\\":24,\\\"alpha\\\":1,\\\"visible\\\":true,\\\"style\\\":{\\\"type\\\":\\\"TILE\\\"},\\\"includeInFitToBounds\\\":true,\\\"type\\\":\\\"EMS_VECTOR_TILE\\\"},{\\\"alpha\\\":0.75,\\\"id\\\":\\\"8cdaae20-5dcc-4930-b105-802fc344fcb6\\\",\\\"includeInFitToBounds\\\":true,\\\"joins\\\":[],\\\"label\\\":\\\"Top Destinations by Events [Logs 
CEF]\\\",\\\"maxZoom\\\":24,\\\"minZoom\\\":0,\\\"sourceDescriptor\\\":{\\\"applyForceRefresh\\\":true,\\\"applyGlobalQuery\\\":true,\\\"applyGlobalTime\\\":true,\\\"geoField\\\":\\\"destination.geo.location\\\",\\\"id\\\":\\\"88700fdc-3a96-46b8-b51f-3839111eb6ec\\\",\\\"metrics\\\":[{\\\"type\\\":\\\"count\\\"}],\\\"requestType\\\":\\\"point\\\",\\\"resolution\\\":\\\"MOST_FINE\\\",\\\"type\\\":\\\"ES_GEO_GRID\\\",\\\"indexPatternRefName\\\":\\\"layer_1_source_index_pattern\\\"},\\\"style\\\":{\\\"isTimeAware\\\":true,\\\"properties\\\":{\\\"fillColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"Yellow to Red\\\",\\\"colorCategory\\\":\\\"palette_0\\\",\\\"field\\\":{\\\"name\\\":\\\"doc_count\\\",\\\"origin\\\":\\\"source\\\"},\\\"fieldMetaOptions\\\":{\\\"isEnabled\\\":false,\\\"sigma\\\":3},\\\"type\\\":\\\"ORDINAL\\\"},\\\"type\\\":\\\"DYNAMIC\\\"},\\\"icon\\\":{\\\"options\\\":{\\\"value\\\":\\\"marker\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"iconOrientation\\\":{\\\"options\\\":{\\\"orientation\\\":0},\\\"type\\\":\\\"STATIC\\\"},\\\"iconSize\\\":{\\\"options\\\":{\\\"size\\\":6},\\\"type\\\":\\\"STATIC\\\"},\\\"labelBorderColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"#FFFFFF\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"labelBorderSize\\\":{\\\"options\\\":{\\\"size\\\":\\\"SMALL\\\"}},\\\"labelColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"#000000\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"labelSize\\\":{\\\"options\\\":{\\\"size\\\":14},\\\"type\\\":\\\"STATIC\\\"},\\\"labelText\\\":{\\\"options\\\":{\\\"value\\\":\\\"\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"lineColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"#3d3d3d\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"lineWidth\\\":{\\\"options\\\":{\\\"size\\\":1},\\\"type\\\":\\\"STATIC\\\"},\\\"symbolizeAs\\\":{\\\"options\\\":{\\\"value\\\":\\\"circle\\\"}}},\\\"type\\\":\\\"VECTOR\\\"},\\\"type\\\":\\\"GEOJSON_VECTOR\\\",\\\"visible\\\":true}]\",\"mapStateJSON\":\"{\\\"zoom\\\":1.78,\\\"center\\\":{\\\"lon\\\":0,\\\"lat\\\":16.40767},\\\"ti
meFilters\\\":{\\\"from\\\":\\\"now-24h\\\",\\\"to\\\":\\\"now\\\"},\\\"refreshConfig\\\":{\\\"isPaused\\\":true,\\\"interval\\\":0},\\\"query\\\":{\\\"query\\\":\\\"\\\",\\\"language\\\":\\\"kuery\\\"},\\\"filters\\\":[],\\\"settings\\\":{\\\"autoFitToDataBounds\\\":false,\\\"backgroundColor\\\":\\\"#ffffff\\\",\\\"disableInteractive\\\":false,\\\"disableTooltipControl\\\":false,\\\"hideToolbarOverlay\\\":false,\\\"hideLayerControl\\\":false,\\\"hideViewControl\\\":false,\\\"initialLocation\\\":\\\"LAST_SAVED_LOCATION\\\",\\\"fixedLocation\\\":{\\\"lat\\\":0,\\\"lon\\\":0,\\\"zoom\\\":2},\\\"browserLocation\\\":{\\\"zoom\\\":2},\\\"maxZoom\\\":24,\\\"minZoom\\\":0,\\\"showScaleControl\\\":false,\\\"showSpatialFilters\\\":true,\\\"showTimesliderToggleButton\\\":true,\\\"spatialFiltersAlpa\\\":0.3,\\\"spatialFiltersFillColor\\\":\\\"#DA8B45\\\",\\\"spatialFiltersLineColor\\\":\\\"#DA8B45\\\"}}\",\"references\":[],\"title\":\"Top Destinations by Events [Logs CEF]\",\"uiStateJSON\":\"{\\\"isLayerTOCOpen\\\":true,\\\"openTOCDetails\\\":[]}\"},\"enhancements\":{},\"hiddenLayers\":[],\"isLayerTOCOpen\":true,\"mapBuffer\":{\"maxLat\":66.51326,\"maxLon\":90,\"minLat\":-66.51326,\"minLon\":-90},\"mapCenter\":{\"lat\":16.40767,\"lon\":0,\"zoom\":1.78},\"openTOCDetails\":[]},\"gridData\":{\"h\":12,\"i\":\"07f92eca-2078-4aa6-8373-d27ca33595d6\",\"w\":24,\"x\":24,\"y\":72},\"panelIndex\":\"07f92eca-2078-4aa6-8373-d27ca33595d6\",\"type\":\"map\",\"version\":\"8.0.0\"}]", - "refreshInterval": { - "pause": true, - "value": 0 - }, - "timeFrom": "now-24h", - "timeRestore": true, - "timeTo": "now", - "title": "[Logs CEF] Microsoft DNS Overview", - "version": 1 - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-607f756e-288d-499a-8f8a-33791354ffaf", - "migrationVersion": { - "dashboard": "8.0.0" - }, - "references": [ - { - "id": "cef-b25e0340-0e97-4849-9b89-959b9ad8c958", - "name": "1:panel_1", - "type": "visualization" - }, - { - "id": "cef-0d0fd899-a40a-43e5-ac80-56f3bf09c18c", - 
"name": "3:panel_3", - "type": "visualization" - }, - { - "id": "cef-1bd44f46-e28d-4a2d-8245-6994372155ab", - "name": "5:panel_5", - "type": "visualization" - }, - { - "id": "cef-04096ec6-9644-4da7-bba3-35da7882f87d", - "name": "6:panel_6", - "type": "visualization" - }, - { - "id": "cef-490c415c-b859-4ed0-a2a4-5c4968084985", - "name": "7:panel_7", - "type": "visualization" - }, - { - "id": "cef-33290695-4eb1-4270-9e63-7083e7b132ed", - "name": "9:panel_9", - "type": "visualization" - }, - { - "id": "cef-8869f0bb-b8a3-4e6b-b3c4-3cc80b67b3da", - "name": "11:panel_11", - "type": "visualization" - }, - { - "id": "cef-0959df23-10c9-47fd-bebd-c382007b3584", - "name": "12:panel_12", - "type": "visualization" - }, - { - "id": "cef-19e44299-4e2a-4da4-a9e5-595b428d49dd", - "name": "13:panel_13", - "type": "visualization" - }, - { - "id": "cef-38fd061a-0976-4005-b0d3-729d693cdd5d", - "name": "14:panel_14", - "type": "visualization" - }, - { - "id": "cef-d85b0ce0-4fa7-4fe5-9fe1-41cf40606ef3", - "name": "15:panel_15", - "type": "visualization" - }, - { - "id": "logs-*", - "name": "3cf2118b-5231-49f5-b685-0ff0e1f52c32:layer_1_source_index_pattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "07f92eca-2078-4aa6-8373-d27ca33595d6:layer_1_source_index_pattern", - "type": "index-pattern" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/cef/2.3.3/kibana/dashboard/cef-85d71d6a-69fc-46a5-bf38-f94c177fbabf.json b/packages/cef/2.3.3/kibana/dashboard/cef-85d71d6a-69fc-46a5-bf38-f94c177fbabf.json deleted file mode 100755 index c86601cba3..0000000000 --- a/packages/cef/2.3.3/kibana/dashboard/cef-85d71d6a-69fc-46a5-bf38-f94c177fbabf.json +++ /dev/null 
@@ -1,109 +0,0 @@ -{ - "attributes": { - "description": "Operating system activity from endpoints", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:cef.log\"},\"version\":true}" - }, - "optionsJSON": "{\"darkTheme\":false}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"colors\":{\"Count\":\"#64B0C8\",\"Destination User Names\":\"#E24D42\",\"Event Types\":\"#EF843C\"},\"legendOpen\":true}},\"gridData\":{\"h\":12,\"i\":\"3\",\"w\":24,\"x\":0,\"y\":28},\"panelIndex\":\"3\",\"panelRefName\":\"panel_3\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}},\"gridData\":{\"h\":8,\"i\":\"4\",\"w\":40,\"x\":0,\"y\":4},\"panelIndex\":\"4\",\"panelRefName\":\"panel_4\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"defaultColors\":{\"0 - 55k\":\"rgb(255,255,204)\",\"110k - 165k\":\"rgb(254,225,135)\",\"165k - 220k\":\"rgb(254,201,101)\",\"220k - 275k\":\"rgb(254,171,73)\",\"275k - 330k\":\"rgb(253,141,60)\",\"330k - 385k\":\"rgb(252,91,46)\",\"385k - 440k\":\"rgb(237,47,34)\",\"440k - 495k\":\"rgb(212,16,32)\",\"495k - 550k\":\"rgb(176,0,38)\",\"55k - 
110k\":\"rgb(255,241,170)\"},\"legendOpen\":false}},\"gridData\":{\"h\":12,\"i\":\"5\",\"w\":24,\"x\":24,\"y\":28},\"panelIndex\":\"5\",\"panelRefName\":\"panel_5\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"7\",\"w\":48,\"x\":0,\"y\":20},\"panelIndex\":\"7\",\"panelRefName\":\"panel_7\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"colors\":{\"failure\":\"#E24D42\",\"success\":\"#7EB26D\",\"unknown\":\"#447EBC\"}}},\"gridData\":{\"h\":12,\"i\":\"8\",\"w\":24,\"x\":24,\"y\":52},\"panelIndex\":\"8\",\"panelRefName\":\"panel_8\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"h\":24,\"i\":\"9\",\"w\":24,\"x\":0,\"y\":40},\"panelIndex\":\"9\",\"panelRefName\":\"panel_9\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":12,\"i\":\"10\",\"w\":24,\"x\":24,\"y\":40},\"panelIndex\":\"10\",\"panelRefName\":\"panel_10\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":4,\"i\":\"11\",\"w\":48,\"x\":0,\"y\":0},\"panelIndex\":\"11\",\"panelRefName\":\"panel_11\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"12\",\"w\":8,\"x\":40,\"y\":4},\"panelIndex\":\"12\",\"panelRefName\":\"panel_12\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"colors\":{\"Destination Users\":\"#E24D42\",\"Event 
Count\":\"#64B0C8\"}}},\"gridData\":{\"h\":8,\"i\":\"13\",\"w\":48,\"x\":0,\"y\":12},\"panelIndex\":\"13\",\"panelRefName\":\"panel_13\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"legendOpen\":false}},\"gridData\":{\"h\":20,\"i\":\"14\",\"w\":16,\"x\":32,\"y\":64},\"panelIndex\":\"14\",\"panelRefName\":\"panel_14\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"legendOpen\":false}},\"gridData\":{\"h\":24,\"i\":\"15\",\"w\":16,\"x\":32,\"y\":84},\"panelIndex\":\"15\",\"panelRefName\":\"panel_15\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":12,\"i\":\"16\",\"w\":32,\"x\":0,\"y\":80},\"panelIndex\":\"16\",\"panelRefName\":\"panel_16\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"17\",\"w\":32,\"x\":0,\"y\":100},\"panelIndex\":\"17\",\"panelRefName\":\"panel_17\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":16,\"i\":\"18\",\"w\":32,\"x\":0,\"y\":64},\"panelIndex\":\"18\",\"panelRefName\":\"panel_18\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"19\",\"w\":32,\"x\":0,\"y\":92},\"panelIndex\":\"19\",\"panelRefName\":\"panel_19\",\"type\":\"visualization\",\"version\":\"7.3.0\"}]", - "refreshInterval": { - "display": "Off", - "pause": false, - "value": 0 - }, - "timeFrom": "now-24h", - "timeRestore": true, - "timeTo": "now", - "title": "[Logs CEF] Endpoint Activity Dashboard", - "version": 1 - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-85d71d6a-69fc-46a5-bf38-f94c177fbabf", - "migrationVersion": { - "dashboard": "8.0.0" - }, - "references": [ - { - "id": "cef-868d68b5-3e62-4fc2-b942-fbb69a7c91d5", - "name": "3:panel_3", - "type": "visualization" - }, - { - 
"id": "cef-4c86b51e-6886-4484-98a2-508e92b455bb", - "name": "4:panel_4", - "type": "visualization" - }, - { - "id": "cef-cc7f89bc-22ad-4778-9c9f-1873ff38750b", - "name": "5:panel_5", - "type": "visualization" - }, - { - "id": "cef-0a5276a2-907b-4319-88ab-86fe5ade8b38", - "name": "7:panel_7", - "type": "visualization" - }, - { - "id": "cef-2b96deab-dbf1-4be3-ae70-1bfb6c3fbd2a", - "name": "8:panel_8", - "type": "visualization" - }, - { - "id": "cef-7dc26e6f-76d4-4454-99a9-6ccbba8948f0", - "name": "9:panel_9", - "type": "visualization" - }, - { - "id": "cef-d2332147-4293-4422-930b-0a319ebeb958", - "name": "10:panel_10", - "type": "visualization" - }, - { - "id": "cef-0959df23-10c9-47fd-bebd-c382007b3584", - "name": "11:panel_11", - "type": "visualization" - }, - { - "id": "cef-2a0a7692-9a08-449f-bcef-b85de1855fd5", - "name": "12:panel_12", - "type": "visualization" - }, - { - "id": "cef-a52d1fe2-6933-48bd-b079-61f6e2dc05c2", - "name": "13:panel_13", - "type": "visualization" - }, - { - "id": "cef-82a333a7-d9d3-4752-b564-160d4b9f188b", - "name": "14:panel_14", - "type": "visualization" - }, - { - "id": "cef-b4ac112e-809a-437d-a805-3ff44a67c21c", - "name": "15:panel_15", - "type": "visualization" - }, - { - "id": "cef-1479b35b-1bf3-4767-a510-9d210e010342", - "name": "16:panel_16", - "type": "visualization" - }, - { - "id": "cef-bd35faa9-492e-4abe-9bf1-2d3c0d98171d", - "name": "17:panel_17", - "type": "visualization" - }, - { - "id": "cef-255c0885-6349-4ab4-ba00-f055c6cc8000", - "name": "18:panel_18", - "type": "visualization" - }, - { - "id": "cef-56247c19-7aa5-475d-b074-5b0cd4794f0c", - "name": "19:panel_19", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/cef/2.3.3/kibana/dashboard/cef-9e352900-89c3-4c1b-863e-249e24d0dac9.json b/packages/cef/2.3.3/kibana/dashboard/cef-9e352900-89c3-4c1b-863e-249e24d0dac9.json deleted file mode 100755 index e740d26d0b..0000000000 
--- a/packages/cef/2.3.3/kibana/dashboard/cef-9e352900-89c3-4c1b-863e-249e24d0dac9.json +++ /dev/null 
@@ -1,109 +0,0 @@ -{ - "attributes": { - "description": "Operating system activity from endpoints via ArcSight", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:cef.log\"},\"version\":true}" - }, - "optionsJSON": "{\"darkTheme\":false}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"colors\":{\"Count\":\"#64B0C8\",\"Destination User Names\":\"#E24D42\",\"Event Types\":\"#EF843C\"},\"legendOpen\":true}},\"gridData\":{\"h\":12,\"i\":\"3\",\"w\":24,\"x\":0,\"y\":28},\"panelIndex\":\"3\",\"panelRefName\":\"panel_3\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}},\"gridData\":{\"h\":8,\"i\":\"4\",\"w\":40,\"x\":0,\"y\":4},\"panelIndex\":\"4\",\"panelRefName\":\"panel_4\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"defaultColors\":{\"0 - 55k\":\"rgb(255,255,204)\",\"110k - 165k\":\"rgb(254,225,135)\",\"165k - 220k\":\"rgb(254,201,101)\",\"220k - 275k\":\"rgb(254,171,73)\",\"275k - 330k\":\"rgb(253,141,60)\",\"330k - 385k\":\"rgb(252,91,46)\",\"385k - 440k\":\"rgb(237,47,34)\",\"440k - 495k\":\"rgb(212,16,32)\",\"495k - 550k\":\"rgb(176,0,38)\",\"55k - 
110k\":\"rgb(255,241,170)\"},\"legendOpen\":false}},\"gridData\":{\"h\":12,\"i\":\"5\",\"w\":24,\"x\":24,\"y\":28},\"panelIndex\":\"5\",\"panelRefName\":\"panel_5\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"7\",\"w\":48,\"x\":0,\"y\":20},\"panelIndex\":\"7\",\"panelRefName\":\"panel_7\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"colors\":{\"/Attempt\":\"#447EBC\",\"/Failure\":\"#E24D42\",\"/Success\":\"#7EB26D\"}}},\"gridData\":{\"h\":12,\"i\":\"8\",\"w\":24,\"x\":24,\"y\":52},\"panelIndex\":\"8\",\"panelRefName\":\"panel_8\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"h\":24,\"i\":\"9\",\"w\":24,\"x\":0,\"y\":40},\"panelIndex\":\"9\",\"panelRefName\":\"panel_9\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":12,\"i\":\"10\",\"w\":24,\"x\":24,\"y\":40},\"panelIndex\":\"10\",\"panelRefName\":\"panel_10\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":4,\"i\":\"11\",\"w\":48,\"x\":0,\"y\":0},\"panelIndex\":\"11\",\"panelRefName\":\"panel_11\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"12\",\"w\":8,\"x\":40,\"y\":4},\"panelIndex\":\"12\",\"panelRefName\":\"panel_12\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"colors\":{\"Destination Users\":\"#E24D42\",\"Event 
Count\":\"#64B0C8\"}}},\"gridData\":{\"h\":8,\"i\":\"13\",\"w\":48,\"x\":0,\"y\":12},\"panelIndex\":\"13\",\"panelRefName\":\"panel_13\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"legendOpen\":false}},\"gridData\":{\"h\":20,\"i\":\"14\",\"w\":16,\"x\":32,\"y\":64},\"panelIndex\":\"14\",\"panelRefName\":\"panel_14\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"legendOpen\":false}},\"gridData\":{\"h\":24,\"i\":\"15\",\"w\":16,\"x\":32,\"y\":84},\"panelIndex\":\"15\",\"panelRefName\":\"panel_15\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":12,\"i\":\"16\",\"w\":32,\"x\":0,\"y\":80},\"panelIndex\":\"16\",\"panelRefName\":\"panel_16\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"17\",\"w\":32,\"x\":0,\"y\":100},\"panelIndex\":\"17\",\"panelRefName\":\"panel_17\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":16,\"i\":\"18\",\"w\":32,\"x\":0,\"y\":64},\"panelIndex\":\"18\",\"panelRefName\":\"panel_18\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"19\",\"w\":32,\"x\":0,\"y\":92},\"panelIndex\":\"19\",\"panelRefName\":\"panel_19\",\"type\":\"visualization\",\"version\":\"7.3.0\"}]", - "refreshInterval": { - "display": "Off", - "pause": false, - "value": 0 - }, - "timeFrom": "now-24h", - "timeRestore": true, - "timeTo": "now", - "title": "[Logs CEF ArcSight] Endpoint OS Activity Dashboard", - "version": 1 - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-9e352900-89c3-4c1b-863e-249e24d0dac9", - "migrationVersion": { - "dashboard": "8.0.0" - }, - "references": [ - { - "id": "cef-59ad829b-12b8-4256-95a5-e7078eda628b", - "name": "3:panel_3", - "type": "visualization" 
- }, - { - "id": "cef-158d809a-89db-4ffa-88a1-eb5c4bf58d50", - "name": "4:panel_4", - "type": "visualization" - }, - { - "id": "cef-77ee0e91-010b-4897-b483-7e9a907d2afe", - "name": "5:panel_5", - "type": "visualization" - }, - { - "id": "cef-0f4028b2-3dc2-4cb6-80d8-285c847a02a1", - "name": "7:panel_7", - "type": "visualization" - }, - { - "id": "cef-e06d85f2-2da4-41e2-b2ab-f685b64bb3f9", - "name": "8:panel_8", - "type": "visualization" - }, - { - "id": "cef-2726382e-638a-4dcc-94fc-0ffdc0f92048", - "name": "9:panel_9", - "type": "visualization" - }, - { - "id": "cef-92aecea0-a632-4a55-bb56-50e4cdaca036", - "name": "10:panel_10", - "type": "visualization" - }, - { - "id": "cef-677891a1-90c4-4273-b126-f0e54689bd76", - "name": "11:panel_11", - "type": "visualization" - }, - { - "id": "cef-76c088c3-486e-4420-8840-5ede667edffe", - "name": "12:panel_12", - "type": "visualization" - }, - { - "id": "cef-5f187dc8-aa7e-4f91-a2d8-1186ce254d00", - "name": "13:panel_13", - "type": "visualization" - }, - { - "id": "cef-316fdc75-7215-4c6b-8e1b-70a097b34e28", - "name": "14:panel_14", - "type": "visualization" - }, - { - "id": "cef-6437e9bb-9ed1-4e2d-bb10-e63ccd35c409", - "name": "15:panel_15", - "type": "visualization" - }, - { - "id": "cef-4a7c10c7-4abd-47b4-b4c3-dee33377fbdf", - "name": "16:panel_16", - "type": "visualization" - }, - { - "id": "cef-acc915fe-b971-4795-9040-3fbfdf62abe1", - "name": "17:panel_17", - "type": "visualization" - }, - { - "id": "cef-4e25b5ce-53c3-46fc-b5e5-71d3c52f1956", - "name": "18:panel_18", - "type": "visualization" - }, - { - "id": "cef-8cd00d20-957d-4663-be4d-ea80b1609586", - "name": "19:panel_19", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/cef/2.3.3/kibana/dashboard/cef-a0030996-9c7b-4f66-bd5a-59b23a7e7c15.json b/packages/cef/2.3.3/kibana/dashboard/cef-a0030996-9c7b-4f66-bd5a-59b23a7e7c15.json deleted file mode 100755 index c7f45b8189..0000000000 
--- a/packages/cef/2.3.3/kibana/dashboard/cef-a0030996-9c7b-4f66-bd5a-59b23a7e7c15.json +++ /dev/null 
@@ -1,83 +0,0 @@ -{ - "attributes": { - "description": "Summary of endpoint event data", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:cef.log\"},\"version\":true}" - }, - "optionsJSON": "{\"darkTheme\":false}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"1\",\"w\":8,\"x\":40,\"y\":4},\"panelIndex\":\"1\",\"panelRefName\":\"panel_1\",\"type\":\"visualization\",\"version\":\"8.2.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"colors\":{\"failure\":\"#BF1B00\",\"success\":\"#629E51\",\"unknown\":\"#0A50A1\"}}},\"gridData\":{\"h\":12,\"i\":\"2\",\"w\":24,\"x\":24,\"y\":20},\"panelIndex\":\"2\",\"panelRefName\":\"panel_2\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"colors\":{\"failure\":\"#BF1B00\",\"success\":\"#629E51\",\"unknown\":\"#0A50A1\"}}},\"gridData\":{\"h\":12,\"i\":\"3\",\"w\":24,\"x\":0,\"y\":20},\"panelIndex\":\"3\",\"panelRefName\":\"panel_3\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"5\",\"w\":48,\"x\":0,\"y\":12},\"panelIndex\":\"5\",\"panelRefName\":\"panel_5\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":12,\"i\":\"6\",\"w\":24,\"x\":24,\"y\":32},\"panelIndex\":\"6\",\"panelRefName\":\"panel_6\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"defaultColors\":{\"0 - 
100\":\"rgb(0,104,55)\"}}},\"gridData\":{\"h\":8,\"i\":\"7\",\"w\":40,\"x\":0,\"y\":4},\"panelIndex\":\"7\",\"panelRefName\":\"panel_7\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"columns\":[\"cef.extensions.categoryDeviceGroup\",\"cef.extensions.categoryTechnique\",\"event.outcome\",\"event.category\",\"event.type\",\"cef.extensions.categoryObject\",\"event.action\",\"cef.extensions.categoryDeviceType\"],\"enhancements\":{},\"sort\":[\"@timestamp\",\"desc\"]},\"gridData\":{\"h\":20,\"i\":\"9\",\"w\":48,\"x\":0,\"y\":72},\"panelIndex\":\"9\",\"panelRefName\":\"panel_9\",\"type\":\"search\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"10\",\"w\":24,\"x\":24,\"y\":44},\"panelIndex\":\"10\",\"panelRefName\":\"panel_10\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"h\":20,\"i\":\"12\",\"w\":24,\"x\":0,\"y\":32},\"panelIndex\":\"12\",\"panelRefName\":\"panel_12\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":4,\"i\":\"15\",\"w\":48,\"x\":0,\"y\":0},\"panelIndex\":\"15\",\"panelRefName\":\"panel_15\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"attributes\":{\"description\":\"\",\"layerListJSON\":\"[{\\\"sourceDescriptor\\\":{\\\"type\\\":\\\"EMS_TMS\\\",\\\"isAutoSelect\\\":true,\\\"lightModeDefault\\\":\\\"road_map_desaturated\\\"},\\\"id\\\":\\\"de084257-24da-4ea9-922e-a2d7565ebcd6\\\",\\\"label\\\":null,\\\"minZoom\\\":0,\\\"maxZoom\\\":24,\\\"alpha\\\":1,\\\"visible\\\":true,\\\"style\\\":{\\\"type\\\":\\\"TILE\\\"},\\\"includeInFitToBounds\\\":true,\\\"type\\\":\\\"EMS_VECTOR_TILE\\\"},{\\\"alpha\\\":0.75,\\\"id\\\":\\\"741ceaa6-5b51-4959-9935-c5961b12f539\\\",\\\"includeInFitToBounds\\\":true,\\\"joins\\\":[],\\\"label\\\":\\\"Top Destination 
Locations by Event [Logs CEF]\\\",\\\"maxZoom\\\":24,\\\"minZoom\\\":0,\\\"sourceDescriptor\\\":{\\\"applyForceRefresh\\\":true,\\\"applyGlobalQuery\\\":true,\\\"applyGlobalTime\\\":true,\\\"geoField\\\":\\\"destination.geo.location\\\",\\\"id\\\":\\\"ba850a09-c635-4855-b68b-de16dd200d6f\\\",\\\"metrics\\\":[{\\\"type\\\":\\\"count\\\"}],\\\"requestType\\\":\\\"point\\\",\\\"resolution\\\":\\\"MOST_FINE\\\",\\\"type\\\":\\\"ES_GEO_GRID\\\",\\\"indexPatternRefName\\\":\\\"layer_1_source_index_pattern\\\"},\\\"style\\\":{\\\"isTimeAware\\\":true,\\\"properties\\\":{\\\"fillColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"Yellow to Red\\\",\\\"colorCategory\\\":\\\"palette_0\\\",\\\"field\\\":{\\\"name\\\":\\\"doc_count\\\",\\\"origin\\\":\\\"source\\\"},\\\"fieldMetaOptions\\\":{\\\"isEnabled\\\":false,\\\"sigma\\\":3},\\\"type\\\":\\\"ORDINAL\\\"},\\\"type\\\":\\\"DYNAMIC\\\"},\\\"icon\\\":{\\\"options\\\":{\\\"value\\\":\\\"marker\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"iconOrientation\\\":{\\\"options\\\":{\\\"orientation\\\":0},\\\"type\\\":\\\"STATIC\\\"},\\\"iconSize\\\":{\\\"options\\\":{\\\"size\\\":6},\\\"type\\\":\\\"STATIC\\\"},\\\"labelBorderColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"#FFFFFF\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"labelBorderSize\\\":{\\\"options\\\":{\\\"size\\\":\\\"SMALL\\\"}},\\\"labelColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"#000000\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"labelSize\\\":{\\\"options\\\":{\\\"size\\\":14},\\\"type\\\":\\\"STATIC\\\"},\\\"labelText\\\":{\\\"options\\\":{\\\"value\\\":\\\"\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"lineColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"#3d3d3d\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"lineWidth\\\":{\\\"options\\\":{\\\"size\\\":1},\\\"type\\\":\\\"STATIC\\\"},\\\"symbolizeAs\\\":{\\\"options\\\":{\\\"value\\\":\\\"circle\\\"}}},\\\"type\\\":\\\"VECTOR\\\"},\\\"type\\\":\\\"GEOJSON_VECTOR\\\",\\\"visible\\\":true}]\",\"mapStateJSON\":\"{\\\"zoom\\\":1.78,\\\"center\\\":{\\\"lon\\\":0,\\\
"lat\\\":16.40767},\\\"timeFilters\\\":{\\\"from\\\":\\\"now-24h\\\",\\\"to\\\":\\\"now\\\"},\\\"refreshConfig\\\":{\\\"isPaused\\\":true,\\\"interval\\\":0},\\\"query\\\":{\\\"query\\\":\\\"\\\",\\\"language\\\":\\\"kuery\\\"},\\\"filters\\\":[],\\\"settings\\\":{\\\"autoFitToDataBounds\\\":false,\\\"backgroundColor\\\":\\\"#ffffff\\\",\\\"disableInteractive\\\":false,\\\"disableTooltipControl\\\":false,\\\"hideToolbarOverlay\\\":false,\\\"hideLayerControl\\\":false,\\\"hideViewControl\\\":false,\\\"initialLocation\\\":\\\"LAST_SAVED_LOCATION\\\",\\\"fixedLocation\\\":{\\\"lat\\\":0,\\\"lon\\\":0,\\\"zoom\\\":2},\\\"browserLocation\\\":{\\\"zoom\\\":2},\\\"maxZoom\\\":24,\\\"minZoom\\\":0,\\\"showScaleControl\\\":false,\\\"showSpatialFilters\\\":true,\\\"showTimesliderToggleButton\\\":true,\\\"spatialFiltersAlpa\\\":0.3,\\\"spatialFiltersFillColor\\\":\\\"#DA8B45\\\",\\\"spatialFiltersLineColor\\\":\\\"#DA8B45\\\"}}\",\"references\":[],\"title\":\"Top Destination Locations by Event [Logs CEF]\",\"uiStateJSON\":\"{\\\"isLayerTOCOpen\\\":true,\\\"openTOCDetails\\\":[]}\"},\"enhancements\":{},\"hiddenLayers\":[],\"isLayerTOCOpen\":true,\"mapBuffer\":{\"maxLat\":66.51326,\"maxLon\":90,\"minLat\":-66.51326,\"minLon\":-180},\"mapCenter\":{\"lat\":20.86831,\"lon\":-12.2843,\"zoom\":1.78},\"openTOCDetails\":[]},\"gridData\":{\"h\":20,\"i\":\"c9fd3ece-2bef-4cdc-9f83-ed689b35a17a\",\"w\":48,\"x\":0,\"y\":52},\"panelIndex\":\"c9fd3ece-2bef-4cdc-9f83-ed689b35a17a\",\"type\":\"map\",\"version\":\"8.0.0\"}]", - "refreshInterval": { - "pause": true, - "value": 0 - }, - "timeFrom": "now-24h", - "timeRestore": true, - "timeTo": "now", - "title": "[Logs CEF] Endpoint Overview Dashboard", - "version": 1 - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-a0030996-9c7b-4f66-bd5a-59b23a7e7c15", - "migrationVersion": { - "dashboard": "8.0.0" - }, - "references": [ - { - "id": "cef-f856a77c-a0fd-4047-afa6-e21a912814c5", - "name": "1:panel_1", - "type": "visualization" - }, - { - "id": 
"cef-4970ec04-796a-4c0e-90d9-7e23d0b7e48d", - "name": "2:panel_2", - "type": "visualization" - }, - { - "id": "cef-dd339ff5-6b26-4455-ae06-f3b5591479e3", - "name": "3:panel_3", - "type": "visualization" - }, - { - "id": "cef-0fe1baba-84a8-4cb3-9b17-bae8693c345a", - "name": "5:panel_5", - "type": "visualization" - }, - { - "id": "cef-0410a35e-eabd-46f4-a124-c780b6d1fd2e", - "name": "6:panel_6", - "type": "visualization" - }, - { - "id": "cef-b4a28b54-9adb-4c4b-8ae6-158dfeb673ce", - "name": "7:panel_7", - "type": "visualization" - }, - { - "id": "cef-41770860-2a81-4ce7-b8b4-a0c6970725b0", - "name": "9:panel_9", - "type": "search" - }, - { - "id": "cef-2ecd00c0-66f4-4020-9c6e-dff40d47654c", - "name": "10:panel_10", - "type": "visualization" - }, - { - "id": "cef-98729301-9b46-4169-b99e-1392af8fa563", - "name": "12:panel_12", - "type": "visualization" - }, - { - "id": "cef-0959df23-10c9-47fd-bebd-c382007b3584", - "name": "15:panel_15", - "type": "visualization" - }, - { - "id": "logs-*", - "name": "c9fd3ece-2bef-4cdc-9f83-ed689b35a17a:layer_1_source_index_pattern", - "type": "index-pattern" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/cef/2.3.3/kibana/dashboard/cef-c10ce1cf-f6b8-4de4-8715-2cb5f6770b3b.json b/packages/cef/2.3.3/kibana/dashboard/cef-c10ce1cf-f6b8-4de4-8715-2cb5f6770b3b.json deleted file mode 100755 index 3fa223db88..0000000000 --- a/packages/cef/2.3.3/kibana/dashboard/cef-c10ce1cf-f6b8-4de4-8715-2cb5f6770b3b.json +++ /dev/null 
@@ -1,98 +0,0 @@ -{ - "attributes": { - "description": "Summary of ArcSight endpoint event data", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:cef.log\"},\"version\":true}" - }, - "optionsJSON": "{\"darkTheme\":false}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"1\",\"w\":8,\"x\":40,\"y\":4},\"panelIndex\":\"1\",\"panelRefName\":\"panel_1\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"colors\":{\"/Attempt\":\"#0A50A1\",\"/Failure\":\"#BF1B00\",\"/Success\":\"#629E51\"}}},\"gridData\":{\"h\":12,\"i\":\"2\",\"w\":24,\"x\":24,\"y\":32},\"panelIndex\":\"2\",\"panelRefName\":\"panel_2\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"colors\":{\"/Attempt\":\"#0A50A1\",\"/Failure\":\"#BF1B00\",\"/Success\":\"#629E51\"}}},\"gridData\":{\"h\":12,\"i\":\"3\",\"w\":24,\"x\":0,\"y\":32},\"panelIndex\":\"3\",\"panelRefName\":\"panel_3\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"5\",\"w\":48,\"x\":0,\"y\":12},\"panelIndex\":\"5\",\"panelRefName\":\"panel_5\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":12,\"i\":\"6\",\"w\":24,\"x\":24,\"y\":44},\"panelIndex\":\"6\",\"panelRefName\":\"panel_6\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"defaultColors\":{\"0 - 
100\":\"rgb(0,104,55)\"}}},\"gridData\":{\"h\":8,\"i\":\"7\",\"w\":40,\"x\":0,\"y\":4},\"panelIndex\":\"7\",\"panelRefName\":\"panel_7\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"colors\":{\"/Attempt\":\"#0A50A1\",\"/Failure\":\"#BF1B00\",\"/Success\":\"#629E51\"}}},\"gridData\":{\"h\":12,\"i\":\"8\",\"w\":24,\"x\":0,\"y\":44},\"panelIndex\":\"8\",\"panelRefName\":\"panel_8\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"columns\":[\"cef.extensions.categoryDeviceGroup\",\"cef.extensions.categoryTechnique\",\"cef.extensions.categoryOutcome\",\"cef.extensions.categorySignificance\",\"cef.extensions.categoryObject\",\"cef.extensions.categoryBehavior\",\"cef.extensions.categoryDeviceType\"],\"enhancements\":{},\"sort\":[\"@timestamp\",\"desc\"]},\"gridData\":{\"h\":20,\"i\":\"9\",\"w\":48,\"x\":0,\"y\":76},\"panelIndex\":\"9\",\"panelRefName\":\"panel_9\",\"type\":\"search\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"10\",\"w\":24,\"x\":24,\"y\":56},\"panelIndex\":\"10\",\"panelRefName\":\"panel_10\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"colors\":{\"Anti-Virus\":\"#EAB839\",\"Database\":\"#629E51\",\"Host-based IDS/IPS\":\"#E0752D\",\"Operating System\":\"#BF1B00\",\"Security 
Mangement\":\"#64B0C8\"}}},\"gridData\":{\"h\":12,\"i\":\"11\",\"w\":24,\"x\":0,\"y\":20},\"panelIndex\":\"11\",\"panelRefName\":\"panel_11\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"h\":20,\"i\":\"12\",\"w\":24,\"x\":0,\"y\":56},\"panelIndex\":\"12\",\"panelRefName\":\"panel_12\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"colors\":{\"/Attempt\":\"#0A50A1\",\"/Failure\":\"#BF1B00\",\"/Informational\":\"#7EB26D\",\"/Informational/Warning\":\"#EF843C\",\"/Success\":\"#629E51\",\"Anti-Virus\":\"#EAB839\",\"Database\":\"#629E51\",\"Host-based IDS/IPS\":\"#E0752D\",\"Log Consolidator\":\"#E0F9D7\",\"Operating System\":\"#BF1B00\",\"Recon\":\"#BF1B00\",\"Security Mangement\":\"#64B0C8\"}}},\"gridData\":{\"h\":12,\"i\":\"14\",\"w\":24,\"x\":24,\"y\":20},\"panelIndex\":\"14\",\"panelRefName\":\"panel_14\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":4,\"i\":\"15\",\"w\":48,\"x\":0,\"y\":0},\"panelIndex\":\"15\",\"panelRefName\":\"panel_15\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"attributes\":{\"description\":\"\",\"layerListJSON\":\"[{\\\"sourceDescriptor\\\":{\\\"type\\\":\\\"EMS_TMS\\\",\\\"isAutoSelect\\\":true,\\\"lightModeDefault\\\":\\\"road_map_desaturated\\\"},\\\"id\\\":\\\"de084257-24da-4ea9-922e-a2d7565ebcd6\\\",\\\"label\\\":null,\\\"minZoom\\\":0,\\\"maxZoom\\\":24,\\\"alpha\\\":1,\\\"visible\\\":true,\\\"style\\\":{\\\"type\\\":\\\"TILE\\\"},\\\"includeInFitToBounds\\\":true,\\\"type\\\":\\\"VECTOR_TILE\\\"},{\\\"alpha\\\":0.75,\\\"id\\\":\\\"741ceaa6-5b51-4959-9935-c5961b12f539\\\",\\\"includeInFitToBounds\\\":true,\\\"joins\\\":[],\\\"label\\\":\\\"Top Destination Locations by Event [Logs CEF 
ArcSight]\\\",\\\"maxZoom\\\":24,\\\"minZoom\\\":0,\\\"sourceDescriptor\\\":{\\\"applyForceRefresh\\\":true,\\\"applyGlobalQuery\\\":true,\\\"applyGlobalTime\\\":true,\\\"geoField\\\":\\\"destination.geo.location\\\",\\\"id\\\":\\\"ba850a09-c635-4855-b68b-de16dd200d6f\\\",\\\"indexPatternId\\\":\\\"logs-*\\\",\\\"metrics\\\":[{\\\"type\\\":\\\"count\\\"}],\\\"requestType\\\":\\\"point\\\",\\\"resolution\\\":\\\"MOST_FINE\\\",\\\"type\\\":\\\"ES_GEO_GRID\\\"},\\\"style\\\":{\\\"isTimeAware\\\":true,\\\"properties\\\":{\\\"fillColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"Yellow to Red\\\",\\\"colorCategory\\\":\\\"palette_0\\\",\\\"field\\\":{\\\"name\\\":\\\"doc_count\\\",\\\"origin\\\":\\\"source\\\"},\\\"fieldMetaOptions\\\":{\\\"isEnabled\\\":false,\\\"sigma\\\":3},\\\"type\\\":\\\"ORDINAL\\\"},\\\"type\\\":\\\"DYNAMIC\\\"},\\\"icon\\\":{\\\"options\\\":{\\\"value\\\":\\\"marker\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"iconOrientation\\\":{\\\"options\\\":{\\\"orientation\\\":0},\\\"type\\\":\\\"STATIC\\\"},\\\"iconSize\\\":{\\\"options\\\":{\\\"size\\\":6},\\\"type\\\":\\\"STATIC\\\"},\\\"labelBorderColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"#FFFFFF\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"labelBorderSize\\\":{\\\"options\\\":{\\\"size\\\":\\\"SMALL\\\"}},\\\"labelColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"#000000\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"labelSize\\\":{\\\"options\\\":{\\\"size\\\":14},\\\"type\\\":\\\"STATIC\\\"},\\\"labelText\\\":{\\\"options\\\":{\\\"value\\\":\\\"\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"lineColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"#3d3d3d\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"lineWidth\\\":{\\\"options\\\":{\\\"size\\\":1},\\\"type\\\":\\\"STATIC\\\"},\\\"symbolizeAs\\\":{\\\"options\\\":{\\\"value\\\":\\\"circle\\\"}}},\\\"type\\\":\\\"VECTOR\\\"},\\\"type\\\":\\\"VECTOR\\\",\\\"visible\\\":true}]\",\"mapStateJSON\":\"{\\\"zoom\\\":1.78,\\\"center\\\":{\\\"lon\\\":0,\\\"lat\\\":16.40767},\\\"timeFilters\\\":{\\\"from\\\":\\
\"now-24h\\\",\\\"to\\\":\\\"now\\\"},\\\"refreshConfig\\\":{\\\"isPaused\\\":true,\\\"interval\\\":0},\\\"query\\\":{\\\"query\\\":\\\"\\\",\\\"language\\\":\\\"kuery\\\"},\\\"filters\\\":[],\\\"settings\\\":{\\\"autoFitToDataBounds\\\":false,\\\"backgroundColor\\\":\\\"#ffffff\\\",\\\"disableInteractive\\\":false,\\\"disableTooltipControl\\\":false,\\\"hideToolbarOverlay\\\":false,\\\"hideLayerControl\\\":false,\\\"hideViewControl\\\":false,\\\"initialLocation\\\":\\\"LAST_SAVED_LOCATION\\\",\\\"fixedLocation\\\":{\\\"lat\\\":0,\\\"lon\\\":0,\\\"zoom\\\":2},\\\"browserLocation\\\":{\\\"zoom\\\":2},\\\"maxZoom\\\":24,\\\"minZoom\\\":0,\\\"showScaleControl\\\":false,\\\"showSpatialFilters\\\":true,\\\"showTimesliderToggleButton\\\":true,\\\"spatialFiltersAlpa\\\":0.3,\\\"spatialFiltersFillColor\\\":\\\"#DA8B45\\\",\\\"spatialFiltersLineColor\\\":\\\"#DA8B45\\\"}}\",\"references\":[],\"title\":\"Top Destination Locations by Event [Logs CEF ArcSight]\",\"uiStateJSON\":\"{\\\"isLayerTOCOpen\\\":true,\\\"openTOCDetails\\\":[]}\"},\"enhancements\":{},\"hiddenLayers\":[],\"isLayerTOCOpen\":true,\"mapBuffer\":{\"maxLat\":66.51326,\"maxLon\":90,\"minLat\":-66.51326,\"minLon\":-90},\"mapCenter\":{\"lat\":16.40767,\"lon\":0,\"zoom\":1.78},\"openTOCDetails\":[]},\"gridData\":{\"h\":12,\"i\":\"c9fd3ece-2bef-4cdc-9f83-ed689b35a17a\",\"w\":24,\"x\":24,\"y\":64},\"panelIndex\":\"c9fd3ece-2bef-4cdc-9f83-ed689b35a17a\",\"type\":\"map\",\"version\":\"8.0.0\"}]", - "refreshInterval": { - "pause": true, - "value": 0 - }, - "timeFrom": "now-24h", - "timeRestore": true, - "timeTo": "now", - "title": "[Logs CEF ArcSight] Endpoint Overview Dashboard", - "version": 1 - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-c10ce1cf-f6b8-4de4-8715-2cb5f6770b3b", - "migrationVersion": { - "dashboard": "8.0.0" - }, - "references": [ - { - "id": "cef-9457ee67-895f-4b78-a543-268f9687a745", - "name": "1:panel_1", - "type": "visualization" - }, - { - "id": "cef-fe7b63d1-dbc7-4376-af7f-ace97a9f2e60", 
- "name": "2:panel_2", - "type": "visualization" - }, - { - "id": "cef-89998099-9a39-44cf-beba-5b97f0524cf9", - "name": "3:panel_3", - "type": "visualization" - }, - { - "id": "cef-718b074e-3dd1-4d03-ba11-7f869cdcd703", - "name": "5:panel_5", - "type": "visualization" - }, - { - "id": "cef-c5120e27-1f8c-41e3-83ee-78ec4d470c2f", - "name": "6:panel_6", - "type": "visualization" - }, - { - "id": "cef-7454c034-c5f3-48fe-8fce-ef4385c80350", - "name": "7:panel_7", - "type": "visualization" - }, - { - "id": "cef-118af639-1f37-4541-a960-5a3ff0613e0e", - "name": "8:panel_8", - "type": "visualization" - }, - { - "id": "cef-5cede2d3-20fe-4140-add4-4c4f841b71a2", - "name": "9:panel_9", - "type": "search" - }, - { - "id": "cef-74d2c072-6dfd-4249-8e63-dc7b0cf3c960", - "name": "10:panel_10", - "type": "visualization" - }, - { - "id": "cef-f57734dd-0f32-42b4-94dd-5d597f6735e1", - "name": "11:panel_11", - "type": "visualization" - }, - { - "id": "cef-295986d4-d2ea-4541-8e82-7dc95c0cd830", - "name": "12:panel_12", - "type": "visualization" - }, - { - "id": "cef-5bf6e4dc-4273-4e1e-a803-04347eebeb53", - "name": "14:panel_14", - "type": "visualization" - }, - { - "id": "cef-677891a1-90c4-4273-b126-f0e54689bd76", - "name": "15:panel_15", - "type": "visualization" - }, - { - "id": "logs-*", - "name": "c9fd3ece-2bef-4cdc-9f83-ed689b35a17a:layer_1_source_index_pattern", - "type": "index-pattern" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/cef/2.3.3/kibana/dashboard/cef-db1e1aca-279e-4ecc-b84e-fe58644f7619.json b/packages/cef/2.3.3/kibana/dashboard/cef-db1e1aca-279e-4ecc-b84e-fe58644f7619.json deleted file mode 100755 index 153645a090..0000000000 --- a/packages/cef/2.3.3/kibana/dashboard/cef-db1e1aca-279e-4ecc-b84e-fe58644f7619.json +++ /dev/null 
@@ -1,89 +0,0 @@ -{ - "attributes": { - "description": "Suspicious network activity overview via ArcSight", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:cef.log\"},\"version\":true}" - }, - "optionsJSON": "{\"darkTheme\":false}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"colors\":{\"Destination Addresses\":\"#E0752D\",\"Destination Ports\":\"#E24D42\"},\"legendOpen\":false}},\"gridData\":{\"h\":12,\"i\":\"1\",\"w\":32,\"x\":0,\"y\":28},\"panelIndex\":\"1\",\"panelRefName\":\"panel_1\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"h\":12,\"i\":\"2\",\"w\":16,\"x\":0,\"y\":40},\"panelIndex\":\"2\",\"panelRefName\":\"panel_2\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"h\":12,\"i\":\"3\",\"w\":16,\"x\":16,\"y\":40},\"panelIndex\":\"3\",\"panelRefName\":\"panel_3\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"5\",\"w\":48,\"x\":0,\"y\":20},\"panelIndex\":\"5\",\"panelRefName\":\"panel_5\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"colors\":{\"/Attempt\":\"#0A50A1\",\"/Failure\":\"#BF1B00\",\"/Success\":\"#629E51\"}}},\"gridData\":{\"h\":12,\"i\":\"9\",\"w\":16,\"x\":32,\"y\":28},\"panelIndex\":\"9\",\"panelRefName\":\"panel_9\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"11\",\"w\":48,\"x\":0,\"y\":12},\"panelIndex\":\"11\",\"panelRefName\":\"panel_11\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enh
ancements\":{}},\"gridData\":{\"h\":16,\"i\":\"12\",\"w\":24,\"x\":0,\"y\":52},\"panelIndex\":\"12\",\"panelRefName\":\"panel_12\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":16,\"i\":\"13\",\"w\":24,\"x\":24,\"y\":52},\"panelIndex\":\"13\",\"panelRefName\":\"panel_13\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":12,\"i\":\"14\",\"w\":16,\"x\":32,\"y\":40},\"panelIndex\":\"14\",\"panelRefName\":\"panel_14\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":4,\"i\":\"15\",\"w\":48,\"x\":0,\"y\":0},\"panelIndex\":\"15\",\"panelRefName\":\"panel_15\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}},\"gridData\":{\"h\":8,\"i\":\"16\",\"w\":40,\"x\":0,\"y\":4},\"panelIndex\":\"16\",\"panelRefName\":\"panel_16\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"defaultColors\":{\"0 - 50\":\"rgb(255,255,204)\",\"100 - 200\":\"rgb(253,141,60)\",\"200 - 300\":\"rgb(227,27,28)\",\"300 - 400\":\"rgb(128,0,38)\",\"50 - 100\":\"rgb(254,217,118)\"}}},\"gridData\":{\"h\":8,\"i\":\"17\",\"w\":8,\"x\":40,\"y\":4},\"panelIndex\":\"17\",\"panelRefName\":\"panel_17\",\"type\":\"visualization\",\"version\":\"7.3.0\"}]", - "refreshInterval": { - "display": "Off", - "pause": false, - "value": 0 - }, - "timeFrom": "now-24h", - "timeRestore": true, - "timeTo": "now", - "title": "[Logs CEF ArcSight] Network Suspicious Activity Dashboard", - "version": 1 - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-db1e1aca-279e-4ecc-b84e-fe58644f7619", - "migrationVersion": { - "dashboard": "8.0.0" - }, - "references": [ - { - "id": "cef-fa8b26c1-6973-4381-adb3-bcde0d03a520", - "name": "1:panel_1", - "type": "visualization" - }, - { - "id": 
"cef-82f3fae3-1189-4f04-8ea5-47fde1d2e7b1", - "name": "2:panel_2", - "type": "visualization" - }, - { - "id": "cef-f03d734b-b85c-4e99-9c0e-9c89716a81f3", - "name": "3:panel_3", - "type": "visualization" - }, - { - "id": "cef-9bef4db9-a8b2-4be8-b2b0-6ea02fab424d", - "name": "5:panel_5", - "type": "visualization" - }, - { - "id": "cef-fff249b2-18b6-4b48-bcf7-dd4595d111e7", - "name": "9:panel_9", - "type": "visualization" - }, - { - "id": "cef-d02dd523-ce91-40e9-9209-83797f80ed45", - "name": "11:panel_11", - "type": "visualization" - }, - { - "id": "cef-589fec8c-336e-4122-8fef-a450bddf84f6", - "name": "12:panel_12", - "type": "visualization" - }, - { - "id": "cef-86bd5f13-ca6b-43fa-b209-54e7460344bb", - "name": "13:panel_13", - "type": "visualization" - }, - { - "id": "cef-1204cf27-05e0-4905-bfa1-688aaaaaa840", - "name": "14:panel_14", - "type": "visualization" - }, - { - "id": "cef-677891a1-90c4-4273-b126-f0e54689bd76", - "name": "15:panel_15", - "type": "visualization" - }, - { - "id": "cef-01c3618c-9962-4fe9-b9c5-f73dfecc6eba", - "name": "16:panel_16", - "type": "visualization" - }, - { - "id": "cef-33747d52-ec4c-4d91-86d8-fbdf9b9c82db", - "name": "17:panel_17", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/cef/2.3.3/kibana/dashboard/cef-dd0bc9af-2e89-4150-9b42-62517ea56b71.json b/packages/cef/2.3.3/kibana/dashboard/cef-dd0bc9af-2e89-4150-9b42-62517ea56b71.json deleted file mode 100755 index 9c26408568..0000000000 --- a/packages/cef/2.3.3/kibana/dashboard/cef-dd0bc9af-2e89-4150-9b42-62517ea56b71.json +++ /dev/null 
@@ -1,113 +0,0 @@ -{ - "attributes": { - "description": "Network data overview via ArcSight", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:cef.log\"},\"version\":true}" - }, - "optionsJSON": "{\"darkTheme\":false}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"1\",\"w\":48,\"x\":0,\"y\":44},\"panelIndex\":\"1\",\"panelRefName\":\"panel_1\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"2\",\"w\":48,\"x\":0,\"y\":68},\"panelIndex\":\"2\",\"panelRefName\":\"panel_2\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"5\",\"w\":48,\"x\":0,\"y\":12},\"panelIndex\":\"5\",\"panelRefName\":\"panel_5\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"6\",\"w\":48,\"x\":0,\"y\":60},\"panelIndex\":\"6\",\"panelRefName\":\"panel_6\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"defaultColors\":{\"0 - 
100\":\"rgb(0,104,55)\"},\"legendOpen\":false}},\"gridData\":{\"h\":8,\"i\":\"7\",\"w\":40,\"x\":0,\"y\":4},\"panelIndex\":\"7\",\"panelRefName\":\"panel_7\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"colors\":{\"/Attempt\":\"#0A50A1\",\"/Failure\":\"#BF1B00\",\"/Success\":\"#629E51\"}}},\"gridData\":{\"h\":12,\"i\":\"9\",\"w\":16,\"x\":0,\"y\":20},\"panelIndex\":\"9\",\"panelRefName\":\"panel_9\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"colors\":{\"/Attempt\":\"#0A50A1\",\"/Failure\":\"#BF1B00\",\"/Success\":\"#629E51\"}}},\"gridData\":{\"h\":12,\"i\":\"11\",\"w\":16,\"x\":16,\"y\":20},\"panelIndex\":\"11\",\"panelRefName\":\"panel_11\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"h\":12,\"i\":\"13\",\"w\":32,\"x\":0,\"y\":32},\"panelIndex\":\"13\",\"panelRefName\":\"panel_13\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"defaultColors\":{\"0% - 17%\":\"rgb(255,255,204)\",\"17% - 34%\":\"rgb(255,230,146)\",\"34% - 50%\":\"rgb(254,191,90)\",\"50% - 67%\":\"rgb(253,141,60)\",\"67% - 84%\":\"rgb(244,61,37)\",\"84% - 100%\":\"rgb(202,8,35)\"},\"legendOpen\":false}},\"gridData\":{\"h\":12,\"i\":\"15\",\"w\":16,\"x\":32,\"y\":32},\"panelIndex\":\"15\",\"panelRefName\":\"panel_15\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"colors\":{\"Anti-Virus\":\"#EF843C\",\"Content Security\":\"#7EB26D\",\"Firewall\":\"#E24D42\",\"Integrated Security\":\"#962D82\",\"Network-based IDS/IPS\":\"#1F78C1\",\"Operating 
System\":\"#1F78C1\",\"VPN\":\"#EAB839\"}}},\"gridData\":{\"h\":12,\"i\":\"16\",\"w\":16,\"x\":32,\"y\":20},\"panelIndex\":\"16\",\"panelRefName\":\"panel_16\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"17\",\"w\":48,\"x\":0,\"y\":52},\"panelIndex\":\"17\",\"panelRefName\":\"panel_17\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"h\":16,\"i\":\"18\",\"w\":24,\"x\":0,\"y\":76},\"panelIndex\":\"18\",\"panelRefName\":\"panel_18\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":16,\"i\":\"19\",\"w\":24,\"x\":24,\"y\":76},\"panelIndex\":\"19\",\"panelRefName\":\"panel_19\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"20\",\"w\":8,\"x\":40,\"y\":4},\"panelIndex\":\"20\",\"panelRefName\":\"panel_20\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":4,\"i\":\"21\",\"w\":48,\"x\":0,\"y\":0},\"panelIndex\":\"21\",\"panelRefName\":\"panel_21\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"attributes\":{\"description\":\"\",\"layerListJSON\":\"[{\\\"sourceDescriptor\\\":{\\\"type\\\":\\\"EMS_TMS\\\",\\\"isAutoSelect\\\":true,\\\"lightModeDefault\\\":\\\"road_map_desaturated\\\"},\\\"id\\\":\\\"c6a1fd07-de0f-444b-8814-902cbf2d019a\\\",\\\"label\\\":null,\\\"minZoom\\\":0,\\\"maxZoom\\\":24,\\\"alpha\\\":1,\\\"visible\\\":true,\\\"style\\\":{\\\"type\\\":\\\"TILE\\\"},\\\"includeInFitToBounds\\\":true,\\\"type\\\":\\\"VECTOR_TILE\\\"},{\\\"alpha\\\":0.75,\\\"id\\\":\\\"c1643919-b9de-4588-826f-93710a159e2b\\\",\\\"includeInFitToBounds\\\":true,\\\"joins\\\":[],\\\"label\\\":\\\"Top Destination Locations by Events [Logs CEF 
ArcSight]\\\",\\\"maxZoom\\\":24,\\\"minZoom\\\":0,\\\"sourceDescriptor\\\":{\\\"applyForceRefresh\\\":true,\\\"applyGlobalQuery\\\":true,\\\"applyGlobalTime\\\":true,\\\"geoField\\\":\\\"destination.geo.location\\\",\\\"id\\\":\\\"5183bb72-a077-4cf0-8aba-561a15b012cf\\\",\\\"indexPatternId\\\":\\\"logs-*\\\",\\\"metrics\\\":[{\\\"type\\\":\\\"count\\\"}],\\\"requestType\\\":\\\"point\\\",\\\"resolution\\\":\\\"MOST_FINE\\\",\\\"type\\\":\\\"ES_GEO_GRID\\\"},\\\"style\\\":{\\\"isTimeAware\\\":true,\\\"properties\\\":{\\\"fillColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"Yellow to Red\\\",\\\"colorCategory\\\":\\\"palette_0\\\",\\\"field\\\":{\\\"name\\\":\\\"doc_count\\\",\\\"origin\\\":\\\"source\\\"},\\\"fieldMetaOptions\\\":{\\\"isEnabled\\\":false,\\\"sigma\\\":3},\\\"type\\\":\\\"ORDINAL\\\"},\\\"type\\\":\\\"DYNAMIC\\\"},\\\"icon\\\":{\\\"options\\\":{\\\"value\\\":\\\"marker\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"iconOrientation\\\":{\\\"options\\\":{\\\"orientation\\\":0},\\\"type\\\":\\\"STATIC\\\"},\\\"iconSize\\\":{\\\"options\\\":{\\\"size\\\":6},\\\"type\\\":\\\"STATIC\\\"},\\\"labelBorderColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"#FFFFFF\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"labelBorderSize\\\":{\\\"options\\\":{\\\"size\\\":\\\"SMALL\\\"}},\\\"labelColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"#000000\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"labelSize\\\":{\\\"options\\\":{\\\"size\\\":14},\\\"type\\\":\\\"STATIC\\\"},\\\"labelText\\\":{\\\"options\\\":{\\\"value\\\":\\\"\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"lineColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"#3d3d3d\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"lineWidth\\\":{\\\"options\\\":{\\\"size\\\":1},\\\"type\\\":\\\"STATIC\\\"},\\\"symbolizeAs\\\":{\\\"options\\\":{\\\"value\\\":\\\"circle\\\"}}},\\\"type\\\":\\\"VECTOR\\\"},\\\"type\\\":\\\"VECTOR\\\",\\\"visible\\\":true}]\",\"mapStateJSON\":\"{\\\"zoom\\\":1.78,\\\"center\\\":{\\\"lon\\\":0,\\\"lat\\\":16.40767},\\\"timeFilters\\\":{\\\"from\\\":\\
\"now-24h\\\",\\\"to\\\":\\\"now\\\"},\\\"refreshConfig\\\":{\\\"isPaused\\\":true,\\\"interval\\\":0},\\\"query\\\":{\\\"query\\\":\\\"\\\",\\\"language\\\":\\\"kuery\\\"},\\\"filters\\\":[],\\\"settings\\\":{\\\"autoFitToDataBounds\\\":false,\\\"backgroundColor\\\":\\\"#ffffff\\\",\\\"disableInteractive\\\":false,\\\"disableTooltipControl\\\":false,\\\"hideToolbarOverlay\\\":false,\\\"hideLayerControl\\\":false,\\\"hideViewControl\\\":false,\\\"initialLocation\\\":\\\"LAST_SAVED_LOCATION\\\",\\\"fixedLocation\\\":{\\\"lat\\\":0,\\\"lon\\\":0,\\\"zoom\\\":2},\\\"browserLocation\\\":{\\\"zoom\\\":2},\\\"maxZoom\\\":24,\\\"minZoom\\\":0,\\\"showScaleControl\\\":false,\\\"showSpatialFilters\\\":true,\\\"showTimesliderToggleButton\\\":true,\\\"spatialFiltersAlpa\\\":0.3,\\\"spatialFiltersFillColor\\\":\\\"#DA8B45\\\",\\\"spatialFiltersLineColor\\\":\\\"#DA8B45\\\"}}\",\"references\":[],\"title\":\"Top Destination Locations by Events [Logs CEF ArcSight]\",\"uiStateJSON\":\"{\\\"isLayerTOCOpen\\\":true,\\\"openTOCDetails\\\":[]}\"},\"enhancements\":{},\"hiddenLayers\":[],\"isLayerTOCOpen\":true,\"mapBuffer\":{\"maxLat\":66.51326,\"maxLon\":90,\"minLat\":-66.51326,\"minLon\":-90},\"mapCenter\":{\"lat\":16.40767,\"lon\":0,\"zoom\":1.78},\"openTOCDetails\":[]},\"gridData\":{\"h\":24,\"i\":\"49de47fb-1382-4009-89d2-b96a4161e12d\",\"w\":24,\"x\":0,\"y\":92},\"panelIndex\":\"49de47fb-1382-4009-89d2-b96a4161e12d\",\"type\":\"map\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"attributes\":{\"description\":\"\",\"layerListJSON\":\"[{\\\"sourceDescriptor\\\":{\\\"type\\\":\\\"EMS_TMS\\\",\\\"isAutoSelect\\\":true,\\\"lightModeDefault\\\":\\\"road_map_desaturated\\\"},\\\"id\\\":\\\"c2329af2-2183-45cb-9f40-d0f2e984c5b3\\\",\\\"label\\\":null,\\\"minZoom\\\":0,\\\"maxZoom\\\":24,\\\"alpha\\\":1,\\\"visible\\\":true,\\\"style\\\":{\\\"type\\\":\\\"TILE\\\"},\\\"includeInFitToBounds\\\":true,\\\"type\\\":\\\"VECTOR_TILE\\\"},{\\\"alpha\\\":0.75,\\\"id\\\":\\\"1fc250c2-4990-401e-b70
9-61e1f4824005\\\",\\\"includeInFitToBounds\\\":true,\\\"joins\\\":[],\\\"label\\\":\\\"Top Source Locations by Events [Logs CEF ArcSight]\\\",\\\"maxZoom\\\":24,\\\"minZoom\\\":0,\\\"sourceDescriptor\\\":{\\\"applyForceRefresh\\\":true,\\\"applyGlobalQuery\\\":true,\\\"applyGlobalTime\\\":true,\\\"geoField\\\":\\\"source.geo.location\\\",\\\"id\\\":\\\"e1eda4fd-94b9-4c31-9615-70334517a966\\\",\\\"indexPatternId\\\":\\\"logs-*\\\",\\\"metrics\\\":[{\\\"type\\\":\\\"count\\\"}],\\\"requestType\\\":\\\"point\\\",\\\"resolution\\\":\\\"MOST_FINE\\\",\\\"type\\\":\\\"ES_GEO_GRID\\\"},\\\"style\\\":{\\\"isTimeAware\\\":true,\\\"properties\\\":{\\\"fillColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"Yellow to Red\\\",\\\"colorCategory\\\":\\\"palette_0\\\",\\\"field\\\":{\\\"name\\\":\\\"doc_count\\\",\\\"origin\\\":\\\"source\\\"},\\\"fieldMetaOptions\\\":{\\\"isEnabled\\\":false,\\\"sigma\\\":3},\\\"type\\\":\\\"ORDINAL\\\"},\\\"type\\\":\\\"DYNAMIC\\\"},\\\"icon\\\":{\\\"options\\\":{\\\"value\\\":\\\"marker\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"iconOrientation\\\":{\\\"options\\\":{\\\"orientation\\\":0},\\\"type\\\":\\\"STATIC\\\"},\\\"iconSize\\\":{\\\"options\\\":{\\\"size\\\":6},\\\"type\\\":\\\"STATIC\\\"},\\\"labelBorderColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"#FFFFFF\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"labelBorderSize\\\":{\\\"options\\\":{\\\"size\\\":\\\"SMALL\\\"}},\\\"labelColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"#000000\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"labelSize\\\":{\\\"options\\\":{\\\"size\\\":14},\\\"type\\\":\\\"STATIC\\\"},\\\"labelText\\\":{\\\"options\\\":{\\\"value\\\":\\\"\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"lineColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"#3d3d3d\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"lineWidth\\\":{\\\"options\\\":{\\\"size\\\":1},\\\"type\\\":\\\"STATIC\\\"},\\\"symbolizeAs\\\":{\\\"options\\\":{\\\"value\\\":\\\"circle\\\"}}},\\\"type\\\":\\\"VECTOR\\\"},\\\"type\\\":\\\"VECTOR\\\",\\\"visible\\\":true}]\",\"
mapStateJSON\":\"{\\\"zoom\\\":1.78,\\\"center\\\":{\\\"lon\\\":0,\\\"lat\\\":16.40767},\\\"timeFilters\\\":{\\\"from\\\":\\\"now-24h\\\",\\\"to\\\":\\\"now\\\"},\\\"refreshConfig\\\":{\\\"isPaused\\\":true,\\\"interval\\\":0},\\\"query\\\":{\\\"query\\\":\\\"\\\",\\\"language\\\":\\\"kuery\\\"},\\\"filters\\\":[],\\\"settings\\\":{\\\"autoFitToDataBounds\\\":false,\\\"backgroundColor\\\":\\\"#ffffff\\\",\\\"disableInteractive\\\":false,\\\"disableTooltipControl\\\":false,\\\"hideToolbarOverlay\\\":false,\\\"hideLayerControl\\\":false,\\\"hideViewControl\\\":false,\\\"initialLocation\\\":\\\"LAST_SAVED_LOCATION\\\",\\\"fixedLocation\\\":{\\\"lat\\\":0,\\\"lon\\\":0,\\\"zoom\\\":2},\\\"browserLocation\\\":{\\\"zoom\\\":2},\\\"maxZoom\\\":24,\\\"minZoom\\\":0,\\\"showScaleControl\\\":false,\\\"showSpatialFilters\\\":true,\\\"showTimesliderToggleButton\\\":true,\\\"spatialFiltersAlpa\\\":0.3,\\\"spatialFiltersFillColor\\\":\\\"#DA8B45\\\",\\\"spatialFiltersLineColor\\\":\\\"#DA8B45\\\"}}\",\"references\":[],\"title\":\"Top Source Locations by Events [Logs CEF ArcSight]\",\"uiStateJSON\":\"{\\\"isLayerTOCOpen\\\":true,\\\"openTOCDetails\\\":[]}\"},\"enhancements\":{},\"hiddenLayers\":[],\"isLayerTOCOpen\":true,\"mapBuffer\":{\"maxLat\":66.51326,\"maxLon\":90,\"minLat\":-66.51326,\"minLon\":-90},\"mapCenter\":{\"lat\":16.40767,\"lon\":0,\"zoom\":1.78},\"openTOCDetails\":[]},\"gridData\":{\"h\":24,\"i\":\"9d097034-9ebb-4f53-ad39-e42e625b541c\",\"w\":24,\"x\":24,\"y\":92},\"panelIndex\":\"9d097034-9ebb-4f53-ad39-e42e625b541c\",\"type\":\"map\",\"version\":\"8.0.0\"}]", - "refreshInterval": { - "pause": true, - "value": 0 - }, - "timeFrom": "now-24h", - "timeRestore": true, - "timeTo": "now", - "title": "[Logs CEF ArcSight] Network Overview Dashboard", - "version": 1 - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-dd0bc9af-2e89-4150-9b42-62517ea56b71", - "migrationVersion": { - "dashboard": "8.0.0" - }, - "references": [ - { - "id": 
"cef-f5258de9-71f7-410f-b713-201007f77470", - "name": "1:panel_1", - "type": "visualization" - }, - { - "id": "cef-0abfc226-535b-45a2-b534-e9bc87e5584f", - "name": "2:panel_2", - "type": "visualization" - }, - { - "id": "cef-a97e3628-022b-46cf-8f29-a73cf9bb4e26", - "name": "5:panel_5", - "type": "visualization" - }, - { - "id": "cef-499f50ba-2f84-4f7c-9021-73a4efc47921", - "name": "6:panel_6", - "type": "visualization" - }, - { - "id": "cef-d061c7a9-7f92-4bf4-b35c-499b9f4b987a", - "name": "7:panel_7", - "type": "visualization" - }, - { - "id": "cef-b1002b5c-08fc-4bbe-b9a0-6243a8637e60", - "name": "9:panel_9", - "type": "visualization" - }, - { - "id": "cef-df056709-2deb-4363-ae7a-b0148ea456c6", - "name": "11:panel_11", - "type": "visualization" - }, - { - "id": "cef-e89a64e8-928c-41fc-8745-3c8157b21cdb", - "name": "13:panel_13", - "type": "visualization" - }, - { - "id": "cef-a729c249-8d34-4eb1-bbb0-5d25cf224114", - "name": "15:panel_15", - "type": "visualization" - }, - { - "id": "cef-3c19f138-2ab3-4ecb-bb1b-86fb90158042", - "name": "16:panel_16", - "type": "visualization" - }, - { - "id": "cef-e513c269-350c-40c3-ac20-16c5782103b8", - "name": "17:panel_17", - "type": "visualization" - }, - { - "id": "cef-8f6075c5-f525-4173-92a4-3a56e96e362d", - "name": "18:panel_18", - "type": "visualization" - }, - { - "id": "cef-013ff153-7b80-490b-8fec-6e56cba785ed", - "name": "19:panel_19", - "type": "visualization" - }, - { - "id": "cef-33747d52-ec4c-4d91-86d8-fbdf9b9c82db", - "name": "20:panel_20", - "type": "visualization" - }, - { - "id": "cef-c394e650-b16c-407c-b305-bd409d69d433", - "name": "21:panel_21", - "type": "visualization" - }, - { - "id": "logs-*", - "name": "49de47fb-1382-4009-89d2-b96a4161e12d:layer_1_source_index_pattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "9d097034-9ebb-4f53-ad39-e42e625b541c:layer_1_source_index_pattern", - "type": "index-pattern" - } - ], - "type": "dashboard" -} \ No newline at end of file 
diff --git a/packages/cef/2.3.3/kibana/search/cef-357351f2-fbd1-41b6-9b03-592fbb7aec7c.json b/packages/cef/2.3.3/kibana/search/cef-357351f2-fbd1-41b6-9b03-592fbb7aec7c.json deleted file mode 100755 index 4a63506766..0000000000 --- a/packages/cef/2.3.3/kibana/search/cef-357351f2-fbd1-41b6-9b03-592fbb7aec7c.json +++ /dev/null @@ -1,52 +0,0 @@ -{ - "attributes": { - "columns": [ - "priority", - "message", - "source.ip", - "source.port", - "destination.ip", - "destination.port", - "network.application", - "message", - "event.action", - "event.outcome", - "cef.extensions.deviceAddress", - "cef.device.product", - "cef.device.vendor", - "cef.extensions.categoryDeviceGroup", - "cef.extensions.categoryDeviceType" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"query\",\"negate\":false,\"type\":\"custom\",\"value\":\"{\\\"term\\\":{\\\"event.category\\\":\\\"network\\\"}}\"},\"query\":{\"term\":{\"event.category\":\"network\"}}}],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"lucene\",\"query\":\"\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "Network Events [Logs CEF]", - "version": 1 - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-357351f2-fbd1-41b6-9b03-592fbb7aec7c", - "migrationVersion": { - "search": "8.0.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file 
diff --git a/packages/cef/2.3.3/kibana/search/cef-41770860-2a81-4ce7-b8b4-a0c6970725b0.json b/packages/cef/2.3.3/kibana/search/cef-41770860-2a81-4ce7-b8b4-a0c6970725b0.json deleted file mode 100755 index d508c55580..0000000000 --- a/packages/cef/2.3.3/kibana/search/cef-41770860-2a81-4ce7-b8b4-a0c6970725b0.json +++ /dev/null @@ -1,40 +0,0 @@ -{ - "attributes": { - "columns": [ - "cef.extensions.categoryDeviceGroup", - "cef.extensions.categoryTechnique", - "event.outcome", - "event.category", - "event.type", - "cef.extensions.categoryObject", - "event.action", - "cef.extensions.categoryDeviceType" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"data_stream.dataset:\\\"cef.log\\\"\"}},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "Endpoint Event Explorer [Logs CEF]", - "version": 1 - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-41770860-2a81-4ce7-b8b4-a0c6970725b0", - "migrationVersion": { - "search": "8.0.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/cef/2.3.3/kibana/search/cef-46204a7b-ca56-4ad7-bf60-5ef9c6b83042.json b/packages/cef/2.3.3/kibana/search/cef-46204a7b-ca56-4ad7-bf60-5ef9c6b83042.json deleted file mode 100755 index f6647c5dd1..0000000000 --- a/packages/cef/2.3.3/kibana/search/cef-46204a7b-ca56-4ad7-bf60-5ef9c6b83042.json +++ /dev/null 
@@ -1,44 +0,0 @@ -{ - "attributes": { - "columns": [ - "cef.device.vendor", - "cef.device.product", - "message", - "cef.device.event_class_id", - "cef.extensions.deviceEventCategory", - "source.user.name", - "destination.user.name", - "destination.domain", - "event.action", - "event.outcome", - "cef.extensions.sourceNtDomain", - "cef.extensions.destinationNtDomain" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"data_stream.dataset:\\\"cef.log\\\"\"}},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "Endpoint - Events [Logs CEF]", - "version": 1 - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-46204a7b-ca56-4ad7-bf60-5ef9c6b83042", - "migrationVersion": { - "search": "8.0.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/cef/2.3.3/kibana/search/cef-5a3668ef-c2d5-4bd3-a545-e2a9963b721c.json b/packages/cef/2.3.3/kibana/search/cef-5a3668ef-c2d5-4bd3-a545-e2a9963b721c.json deleted file mode 100755 index 1982f9bf79..0000000000 --- a/packages/cef/2.3.3/kibana/search/cef-5a3668ef-c2d5-4bd3-a545-e2a9963b721c.json +++ /dev/null 
@@ -1,55 +0,0 @@ -{ - "attributes": { - "columns": [ - "cef.device.vendor", - "cef.device.product", - "event.action", - "event.outcome", - "destination.ip", - "destination.port", - "destination.domain", - "cef.device.event_class_id", - "cef.extensions.deviceCustomString1Label", - "cef.extensions.deviceCustomString1", - "cef.extensions.deviceCustomString2Label", - "cef.extensions.deviceCustomString2", - "cef.extension.deviceCustomString3Label", - "cef.extension.deviceCustomString3", - "cef.extension.deviceCustomString4Label", - "cef.extension.deviceCustomString4", - "cef.extensions.deviceEventCategory", - "event.severity", - "source.ip", - "source.port", - "network.transport", - "source.bytes", - "url.original" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"cef.device.product:\\\"DNS Trace Log\\\"\"}},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "Microsoft DNS Events [Logs CEF]", - "version": 1 - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-5a3668ef-c2d5-4bd3-a545-e2a9963b721c", - "migrationVersion": { - "search": "8.0.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/cef/2.3.3/kibana/search/cef-5cede2d3-20fe-4140-add4-4c4f841b71a2.json b/packages/cef/2.3.3/kibana/search/cef-5cede2d3-20fe-4140-add4-4c4f841b71a2.json deleted file mode 100755 index cf5b2ee7e4..0000000000 --- a/packages/cef/2.3.3/kibana/search/cef-5cede2d3-20fe-4140-add4-4c4f841b71a2.json +++ /dev/null 
@@ -1,39 +0,0 @@ -{ - "attributes": { - "columns": [ - "cef.extensions.categoryDeviceGroup", - "cef.extensions.categoryTechnique", - "cef.extensions.categoryOutcome", - "cef.extensions.categorySignificance", - "cef.extensions.categoryObject", - "cef.extensions.categoryBehavior", - "cef.extensions.categoryDeviceType" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"cef.extensions.categoryDeviceGroup:\\\"/Operating System\\\" OR cef.extensions.categoryDeviceGroup:\\\"/IDS/Host\\\" OR cef.extensions.categoryDeviceGroup:\\\"/Application\\\"\"}},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "Endpoint Event Explorer [Logs CEF ArcSight]", - "version": 1 - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-5cede2d3-20fe-4140-add4-4c4f841b71a2", - "migrationVersion": { - "search": "8.0.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/cef/2.3.3/kibana/search/cef-68202a5c-c8f2-432f-8c08-04fbfacb95c8.json b/packages/cef/2.3.3/kibana/search/cef-68202a5c-c8f2-432f-8c08-04fbfacb95c8.json deleted file mode 100755 index dad033d27d..0000000000 --- a/packages/cef/2.3.3/kibana/search/cef-68202a5c-c8f2-432f-8c08-04fbfacb95c8.json +++ /dev/null 
@@ -1,52 +0,0 @@ -{ - "attributes": { - "columns": [ - "priority", - "message", - "source.ip", - "source.port", - "destination.ip", - "destination.port", - "network.application", - "message", - "cef.extensions.categoryBehavior", - "cef.extensions.categoryOutcome", - "cef.extensions.deviceAddress", - "cef.device.product", - "cef.device.vendor", - "cef.extensions.categoryDeviceGroup", - "cef.extensions.categoryDeviceType" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"query\",\"negate\":false,\"type\":\"custom\",\"value\":\"{\\\"terms\\\":{\\\"cef.extensions.categoryDeviceGroup\\\":[\\\"/VPN\\\",\\\"/IDS/Network\\\",\\\"/Firewall\\\"]}}\"},\"query\":{\"terms\":{\"cef.extensions.categoryDeviceGroup\":[\"/VPN\",\"/IDS/Network\",\"/Firewall\"]}}}],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"lucene\",\"query\":\"\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "Network Events [Logs CEF ArcSight]", - "version": 1 - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-68202a5c-c8f2-432f-8c08-04fbfacb95c8", - "migrationVersion": { - "search": "8.0.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/cef/2.3.3/kibana/search/cef-e6cf2383-71f4-4db1-a791-1a7d4f110194.json b/packages/cef/2.3.3/kibana/search/cef-e6cf2383-71f4-4db1-a791-1a7d4f110194.json deleted file mode 100755 index 9082a5e861..0000000000 
--- a/packages/cef/2.3.3/kibana/search/cef-e6cf2383-71f4-4db1-a791-1a7d4f110194.json +++ /dev/null @@ -1,44 +0,0 @@ -{ - "attributes": { - "columns": [ - "cef.device.vendor", - "cef.device.product", - "message", - "cef.device.event_class_id", - "cef.extensions.deviceEventCategory", - "source.user.name", - "destination.user.name", - "destination.domain", - "cef.extensions.categoryBehavior", - "cef.extensions.categoryOutcome", - "cef.extensions.sourceNtDomain", - "cef.extensions.destinationNtDomain" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"cef.extensions.categoryDeviceGroup:\\\"/Operating System\\\"\"}},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "Endpoint - OS Events [Logs CEF ArcSight]", - "version": 1 - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-e6cf2383-71f4-4db1-a791-1a7d4f110194", - "migrationVersion": { - "search": "8.0.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/cef/2.3.3/kibana/search/cef-f85a3444-8a43-4e46-b872-4e44bc25d0f3.json b/packages/cef/2.3.3/kibana/search/cef-f85a3444-8a43-4e46-b872-4e44bc25d0f3.json deleted file mode 100755 index 74d6b3c820..0000000000 --- a/packages/cef/2.3.3/kibana/search/cef-f85a3444-8a43-4e46-b872-4e44bc25d0f3.json +++ /dev/null 
@@ -1,55 +0,0 @@ -{ - "attributes": { - "columns": [ - "cef.device.vendor", - "cef.device.product", - "cef.extensions.categoryBehavior", - "cef.extensions.categoryOutcome", - "destination.ip", - "destination.port", - "destination.domain", - "cef.device.event_class_id", - "cef.extensions.deviceCustomString1Label", - "cef.extensions.deviceCustomString1", - "cef.extensions.deviceCustomString2Label", - "cef.extensions.deviceCustomString2", - "cef.extension.deviceCustomString3Label", - "cef.extension.deviceCustomString3", - "cef.extension.deviceCustomString4Label", - "cef.extension.deviceCustomString4", - "cef.extensions.deviceEventCategory", - "event.severity", - "source.ip", - "source.port", - "network.transport", - "source.bytes", - "url.original" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"cef.device.product:\\\"DNS Trace Log\\\"\"}},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "Microsoft DNS Events [Logs CEF ArcSight]", - "version": 1 - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-f85a3444-8a43-4e46-b872-4e44bc25d0f3", - "migrationVersion": { - "search": "8.0.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/cef/2.3.3/kibana/visualization/cef-013ff153-7b80-490b-8fec-6e56cba785ed.json b/packages/cef/2.3.3/kibana/visualization/cef-013ff153-7b80-490b-8fec-6e56cba785ed.json deleted file mode 100755 index f7372f962e..0000000000 --- a/packages/cef/2.3.3/kibana/visualization/cef-013ff153-7b80-490b-8fec-6e56cba785ed.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "Top 20 Source Countries [Logs CEF ArcSight]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"source.geo.country_iso_code\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":20},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"maxFontSize\":72,\"minFontSize\":26,\"orientation\":\"single\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"square root\"},\"title\":\"Top 20 Source Countries [Logs CEF ArcSight]\",\"type\":\"tagcloud\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-013ff153-7b80-490b-8fec-6e56cba785ed", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "cef-68202a5c-c8f2-432f-8c08-04fbfacb95c8", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cef/2.3.3/kibana/visualization/cef-01c3618c-9962-4fe9-b9c5-f73dfecc6eba.json b/packages/cef/2.3.3/kibana/visualization/cef-01c3618c-9962-4fe9-b9c5-f73dfecc6eba.json deleted file mode 100755 index e4e3fbc58d..0000000000 --- a/packages/cef/2.3.3/kibana/visualization/cef-01c3618c-9962-4fe9-b9c5-f73dfecc6eba.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "Device Metrics Overview [Logs CEF ArcSight]", - "uiStateJSON": "{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"8\",\"params\":{\"customLabel\":\"Event Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Devices\",\"field\":\"observer.hostname\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"5\",\"params\":{\"customLabel\":\"Sources\",\"field\":\"source.ip\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"6\",\"params\":{\"customLabel\":\"Destinations\",\"field\":\"destination.ip\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"7\",\"params\":{\"customLabel\":\"Ports\",\"field\":\"destination.port\"},\"schema\":\"metric\",\"type\":\"cardinality\"}],\"listeners\":{},\"params\":{\"addLegend\":false,\"addTooltip\":true,\"fontSize\":\"30\",\"gauge\":{\"autoExtend\":false,\"backStyle\":\"Full\",\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":100}],\"gaugeColorMode\":\"None\",\"gaugeStyle\":\"Full\",\"gaugeType\":\"Metric\",\"invertColors\":false,\"labels\":{\"color\":\"black\",\"show\":true},\"orientation\":\"vertical\",\"percentageMode\":false,\"scale\":{\"color\":\"#333\",\"labels\":false,\"show\":false,\"width\":2},\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":\"12\",\"labelColor\":false,\"subText\":\"\"},\"type\":\"simple\",\"useRange\":false,\"verticalSplit\":false},\"handleNoResults\":true,\"type\":\"gauge\"},\"title\":\"Device Metrics Overview [Logs CEF ArcSight]\",\"type\":\"metric\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-01c3618c-9962-4fe9-b9c5-f73dfecc6eba", - "migrationVersion": { - "visualization": 
"8.0.0" - }, - "references": [ - { - "id": "cef-68202a5c-c8f2-432f-8c08-04fbfacb95c8", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cef/2.3.3/kibana/visualization/cef-04096ec6-9644-4da7-bba3-35da7882f87d.json b/packages/cef/2.3.3/kibana/visualization/cef-04096ec6-9644-4da7-bba3-35da7882f87d.json deleted file mode 100755 index c0264531f9..0000000000 --- a/packages/cef/2.3.3/kibana/visualization/cef-04096ec6-9644-4da7-bba3-35da7882f87d.json +++ /dev/null @@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "Top 10 Event Types [Logs CEF]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"cef.device.event_class_id\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"maxFontSize\":50,\"minFontSize\":12,\"orientation\":\"single\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"square root\"},\"title\":\"Top 10 Event Types [Logs CEF]\",\"type\":\"tagcloud\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-04096ec6-9644-4da7-bba3-35da7882f87d", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "cef-5a3668ef-c2d5-4bd3-a545-e2a9963b721c", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cef/2.3.3/kibana/visualization/cef-0410a35e-eabd-46f4-a124-c780b6d1fd2e.json b/packages/cef/2.3.3/kibana/visualization/cef-0410a35e-eabd-46f4-a124-c780b6d1fd2e.json deleted file mode 100755 index 6f56e86928..0000000000 
--- a/packages/cef/2.3.3/kibana/visualization/cef-0410a35e-eabd-46f4-a124-c780b6d1fd2e.json +++ /dev/null @@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "Top 10 Destination Port [Logs CEF]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"destination.port\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":20},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"maxFontSize\":72,\"minFontSize\":18,\"orientation\":\"single\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"linear\"},\"title\":\"Top 10 Destination Port [Logs CEF]\",\"type\":\"tagcloud\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-0410a35e-eabd-46f4-a124-c780b6d1fd2e", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "cef-41770860-2a81-4ce7-b8b4-a0c6970725b0", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cef/2.3.3/kibana/visualization/cef-07a4a351-d282-44a1-85b0-bc7e846f8471.json b/packages/cef/2.3.3/kibana/visualization/cef-07a4a351-d282-44a1-85b0-bc7e846f8471.json deleted file mode 100755 index 183db7cb98..0000000000 --- a/packages/cef/2.3.3/kibana/visualization/cef-07a4a351-d282-44a1-85b0-bc7e846f8471.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "Top 5 Sources by Destination Addresses [Logs CEF]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Destination Addresses\",\"field\":\"destination.ip\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Event Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Source Address\",\"field\":\"source.ip\",\"order\":\"desc\",\"orderBy\":\"2\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"perPage\":10,\"showMeticsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Top 5 Sources by Destination Addresses [Logs CEF]\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-07a4a351-d282-44a1-85b0-bc7e846f8471", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "cef-357351f2-fbd1-41b6-9b03-592fbb7aec7c", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cef/2.3.3/kibana/visualization/cef-0959df23-10c9-47fd-bebd-c382007b3584.json b/packages/cef/2.3.3/kibana/visualization/cef-0959df23-10c9-47fd-bebd-c382007b3584.json deleted file mode 100755 index 1c27cabbe6..0000000000 --- a/packages/cef/2.3.3/kibana/visualization/cef-0959df23-10c9-47fd-bebd-c382007b3584.json +++ /dev/null 
@@ -1,19 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"query_string\":{\"query\":\"*\"}}}" - }, - "title": " Dashboard Navigation [Logs CEF]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"markdown\":\"[Network Overview](#/dashboard/cef-4f045e14-8e20-47ed-a6d1-219dd3c8ed5c) | [Network Suspicious Activity](#/dashboard/cef-04749697-de8d-49b3-8eca-c873ab2c5ac9) | [Endpoint Overview](#dashboard/cef-a0030996-9c7b-4f66-bd5a-59b23a7e7c15) | [Endpoint Activity](#/dashboard/cef-85d71d6a-69fc-46a5-bf38-f94c177fbabf) | [Microsoft DNS Overview](#/dashboard/cef-607f756e-288d-499a-8f8a-33791354ffaf)\"},\"title\":\" Dashboard Navigation [Logs CEF]\",\"type\":\"markdown\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-0959df23-10c9-47fd-bebd-c382007b3584", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cef/2.3.3/kibana/visualization/cef-0a202432-3dbd-49c0-af57-623ffb90211d.json b/packages/cef/2.3.3/kibana/visualization/cef-0a202432-3dbd-49c0-af57-623ffb90211d.json deleted file mode 100755 index 6209fc854f..0000000000 --- a/packages/cef/2.3.3/kibana/visualization/cef-0a202432-3dbd-49c0-af57-623ffb90211d.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "Destination Ports by Outcome [Logs CEF]", - "uiStateJSON": "{\"vis\":{\"colors\":{\"failure\":\"#BF1B00\",\"success\":\"#629E51\"}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Protocols\",\"field\":\"destination.port\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"event.outcome\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"rotate\":75,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Protocols\"},\"type\":\"category\"}],\"defaultYExtents\":false,\"drawLinesBetweenPoints\":true,\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"legendPosition\":\"right\",\"radiusRatio\":9,\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"mode\":\"stacked\",\"show\":\"true\",\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"showCircles\":true,\"times\":[],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"percentage\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"Destination Ports by Outcome [Logs CEF]\",\"type\":\"histogram\"}" 
- }, - "coreMigrationVersion": "8.0.0", - "id": "cef-0a202432-3dbd-49c0-af57-623ffb90211d", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "cef-357351f2-fbd1-41b6-9b03-592fbb7aec7c", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cef/2.3.3/kibana/visualization/cef-0a5276a2-907b-4319-88ab-86fe5ade8b38.json b/packages/cef/2.3.3/kibana/visualization/cef-0a5276a2-907b-4319-88ab-86fe5ade8b38.json deleted file mode 100755 index 13e0680159..0000000000 --- a/packages/cef/2.3.3/kibana/visualization/cef-0a5276a2-907b-4319-88ab-86fe5ade8b38.json +++ /dev/null 
@@ -1,19 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Events by Outcomes [Logs CEF]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"drop_last_bucket\":1,\"filter\":{\"language\":\"lucene\",\"query\":\"data_stream.dataset:\\\"cef.log\\\"\"},\"id\":\"74716d29-91c6-4095-bc7d-7f6700f12b1f\",\"index_pattern\":\"logs-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(244,78,59,1)\",\"fill\":\"0\",\"formatter\":\"number\",\"hide_in_legend\":0,\"id\":\"932c5de4-f841-4f27-99e4-60d95d3aa16c\",\"label\":\"Event Outcomes\",\"line_width\":\"3\",\"metrics\":[{\"id\":\"4c263b6d-8117-43c6-b83f-5c4145f43cfc\",\"type\":\"count\"}],\"point_size\":1,\"seperate_axis\":1,\"split_color_mode\":\"gradient\",\"split_filters\":[{\"color\":\"rgba(244,78,59,1)\",\"filter\":{\"language\":\"lucene\",\"query\":\"cef.extensions.categoryOutcome:\\\"/Failure\\\"\"},\"id\":\"94371b84-a7aa-4824-b4d1-217ecbe725a5\",\"label\":\"Failure\"},{\"color\":\"rgba(104,188,0,1)\",\"filter\":{\"language\":\"lucene\",\"query\":\"cef.extensions.categoryOutcome:\\\"/Success\\\"\"},\"id\":\"31564794-9278-4f2e-bb20-557f5cfbea79\",\"label\":\"Success\"},{\"color\":\"rgba(251,158,0,1)\",\"filter\":{\"language\":\"lucene\",\"query\":\"cef.extensions.categoryOutcome:\\\"/Attempt\\\"\"},\"id\":\"10c0f919-0853-41b5-94b4-2e39932e7aa0\",\"label\":\"Attempt\"}],\"split_mode\":\"filters\",\"stacked\":\"none\",\"terms_field\":\"event.outcome\",\"terms_size\":\"3\"},{\"axis_position\":\"left\",\"chart_type\":\"bar\",\"color\":\"rgba(104,182,204,1)\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"c9eca9d0-c2e0-45e6-a3ce-f158c40fdd74\",\"label\":\"Event 
Count\",\"line_width\":1,\"metrics\":[{\"id\":\"6d8513ca-cc72-4b27-91b6-6b689558cdcb\",\"type\":\"count\"}],\"point_size\":1,\"seperate_axis\":1,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"}],\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Events by Outcomes [Logs CEF]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-0a5276a2-907b-4319-88ab-86fe5ade8b38", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cef/2.3.3/kibana/visualization/cef-0abfc226-535b-45a2-b534-e9bc87e5584f.json b/packages/cef/2.3.3/kibana/visualization/cef-0abfc226-535b-45a2-b534-e9bc87e5584f.json deleted file mode 100755 index bec9522083..0000000000 --- a/packages/cef/2.3.3/kibana/visualization/cef-0abfc226-535b-45a2-b534-e9bc87e5584f.json +++ /dev/null 
@@ -1,19 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Bandwidth Utilization [Logs CEF ArcSight]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"background_color\":null,\"bar_color_rules\":[{\"id\":\"23db5bf6-f787-474e-86ab-76362432e984\"}],\"drop_last_bucket\":1,\"filter\":{\"language\":\"kuery\",\"query\":\"\"},\"id\":\"ec53a1d3-213c-4b0f-a074-5005a84cdb83\",\"index_pattern\":\"logs-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(0,156,224,1)\",\"fill\":0.5,\"formatter\":\"bytes\",\"id\":\"d27f09dc-b07e-493f-a223-a85033ad6548\",\"label\":\"Inbound\",\"line_width\":1,\"metrics\":[{\"field\":\"source.bytes\",\"id\":\"9ce9ec3a-2f11-4935-91b2-531494d2a619\",\"type\":\"sum\"}],\"override_index_pattern\":1,\"point_size\":1,\"seperate_axis\":0,\"series_drop_last_bucket\":1,\"series_index_pattern\":\"logs-*\",\"series_time_field\":\"@timestamp\",\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\",\"terms_field\":\"observer.hostname\",\"terms_order_by\":\"_count\"},{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(244,78,59,1)\",\"fill\":0.5,\"formatter\":\"bytes\",\"id\":\"b1ef2c75-5916-469d-8790-5b213367a5a0\",\"label\":\"Outbound\",\"line_width\":1,\"metrics\":[{\"field\":\"destination.bytes\",\"id\":\"11b1852f-9b62-4e96-8128-522e6c5bf16d\",\"type\":\"sum\"},{\"id\":\"2a6b00bf-1658-4d02-b4e2-61ad6e4c3a9b\",\"script\":\"params.outbound \\u003e 0 ? 
params.outbound * -1 : 0\",\"type\":\"calculation\",\"variables\":[{\"field\":\"11b1852f-9b62-4e96-8128-522e6c5bf16d\",\"id\":\"c57067f2-2927-41d8-97f4-9f47b3b3bcae\",\"name\":\"outbound\"}]}],\"override_index_pattern\":1,\"point_size\":1,\"seperate_axis\":0,\"series_drop_last_bucket\":1,\"series_index_pattern\":\"logs-*\",\"series_time_field\":\"@timestamp\",\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\",\"steps\":0}],\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Bandwidth Utilization [Logs CEF ArcSight]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-0abfc226-535b-45a2-b534-e9bc87e5584f", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cef/2.3.3/kibana/visualization/cef-0d0fd899-a40a-43e5-ac80-56f3bf09c18c.json b/packages/cef/2.3.3/kibana/visualization/cef-0d0fd899-a40a-43e5-ac80-56f3bf09c18c.json deleted file mode 100755 index 87df75c155..0000000000 --- a/packages/cef/2.3.3/kibana/visualization/cef-0d0fd899-a40a-43e5-ac80-56f3bf09c18c.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "DNS Metrics Overview [Logs CEF]", - "uiStateJSON": "{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"5\",\"params\":{\"customLabel\":\"Event Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Threads\",\"field\":\"cef.extensions.deviceCustomString1\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"OpCodes\",\"field\":\"cef.extensions.deviceCustomString2\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Activity Types\",\"field\":\"cef.device.event_class_id\"},\"schema\":\"metric\",\"type\":\"cardinality\"}],\"listeners\":{},\"params\":{\"addLegend\":false,\"addTooltip\":true,\"gauge\":{\"autoExtend\":false,\"backStyle\":\"Full\",\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":100}],\"gaugeColorMode\":\"None\",\"gaugeStyle\":\"Full\",\"gaugeType\":\"Metric\",\"invertColors\":false,\"labels\":{\"color\":\"black\",\"show\":true},\"orientation\":\"vertical\",\"percentageMode\":false,\"scale\":{\"color\":\"#333\",\"labels\":false,\"show\":false,\"width\":2},\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":\"32\",\"labelColor\":false,\"subText\":\"\"},\"type\":\"simple\",\"useRange\":false,\"verticalSplit\":false},\"type\":\"gauge\"},\"title\":\"DNS Metrics Overview [Logs CEF]\",\"type\":\"metric\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-0d0fd899-a40a-43e5-ac80-56f3bf09c18c", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "cef-5a3668ef-c2d5-4bd3-a545-e2a9963b721c", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} 
\ No newline at end of file diff --git a/packages/cef/2.3.3/kibana/visualization/cef-0f4028b2-3dc2-4cb6-80d8-285c847a02a1.json b/packages/cef/2.3.3/kibana/visualization/cef-0f4028b2-3dc2-4cb6-80d8-285c847a02a1.json deleted file mode 100755 index 702933c209..0000000000 --- a/packages/cef/2.3.3/kibana/visualization/cef-0f4028b2-3dc2-4cb6-80d8-285c847a02a1.json +++ /dev/null 
@@ -1,19 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Events by Outcomes [Logs CEF ArcSight]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"drop_last_bucket\":1,\"filter\":{\"language\":\"lucene\",\"query\":\"cef.extensions.categoryDeviceGroup:\\\"/Operating System\\\"\"},\"id\":\"74716d29-91c6-4095-bc7d-7f6700f12b1f\",\"index_pattern\":\"logs-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(244,78,59,1)\",\"fill\":\"0\",\"formatter\":\"number\",\"hide_in_legend\":0,\"id\":\"932c5de4-f841-4f27-99e4-60d95d3aa16c\",\"label\":\"Event Outcomes\",\"line_width\":\"3\",\"metrics\":[{\"id\":\"4c263b6d-8117-43c6-b83f-5c4145f43cfc\",\"type\":\"count\"}],\"point_size\":1,\"seperate_axis\":1,\"split_color_mode\":\"gradient\",\"split_filters\":[{\"color\":\"rgba(244,78,59,1)\",\"filter\":{\"language\":\"lucene\",\"query\":\"cef.extensions.categoryOutcome:\\\"/Failure\\\"\"},\"id\":\"94371b84-a7aa-4824-b4d1-217ecbe725a5\",\"label\":\"Failure\"},{\"color\":\"rgba(104,188,0,1)\",\"filter\":{\"language\":\"lucene\",\"query\":\"cef.extensions.categoryOutcome:\\\"/Success\\\"\"},\"id\":\"31564794-9278-4f2e-bb20-557f5cfbea79\",\"label\":\"Success\"},{\"color\":\"rgba(251,158,0,1)\",\"filter\":{\"language\":\"lucene\",\"query\":\"cef.extensions.categoryOutcome:\\\"/Attempt\\\"\"},\"id\":\"10c0f919-0853-41b5-94b4-2e39932e7aa0\",\"label\":\"Attempt\"}],\"split_mode\":\"filters\",\"stacked\":\"none\",\"terms_field\":\"cef.extensions.categoryOutcome\",\"terms_size\":\"3\"},{\"axis_position\":\"left\",\"chart_type\":\"bar\",\"color\":\"rgba(104,182,204,1)\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"c9eca9d0-c2e0-45e6-a3ce-f158c40fdd74\",\"label\":\"Event 
Count\",\"line_width\":1,\"metrics\":[{\"id\":\"6d8513ca-cc72-4b27-91b6-6b689558cdcb\",\"type\":\"count\"}],\"point_size\":1,\"seperate_axis\":1,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"}],\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Events by Outcomes [Logs CEF ArcSight]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-0f4028b2-3dc2-4cb6-80d8-285c847a02a1", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cef/2.3.3/kibana/visualization/cef-0fe1baba-84a8-4cb3-9b17-bae8693c345a.json b/packages/cef/2.3.3/kibana/visualization/cef-0fe1baba-84a8-4cb3-9b17-bae8693c345a.json deleted file mode 100755 index f26cc0f813..0000000000 --- a/packages/cef/2.3.3/kibana/visualization/cef-0fe1baba-84a8-4cb3-9b17-bae8693c345a.json +++ /dev/null 
@@ -1,19 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Events by Device [Logs CEF]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"drop_last_bucket\":1,\"filter\":{\"language\":\"lucene\",\"query\":\"data_stream.dataset:\\\"cef.log\\\"\"},\"id\":\"fd1ffeb6-678e-4163-9421-6a164fd59048\",\"index_pattern\":\"logs-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(254,37,37,1)\",\"fill\":\"0\",\"formatter\":\"number\",\"id\":\"6a10f77d-4e26-4b27-9c19-f1b0029b075b\",\"label\":\"Events\",\"line_width\":\"3\",\"metrics\":[{\"id\":\"845b9164-65f4-4599-b9cc-8d91b6ba8d83\",\"type\":\"count\"},{\"alpha\":0.3,\"beta\":0.1,\"field\":\"845b9164-65f4-4599-b9cc-8d91b6ba8d83\",\"gamma\":0.3,\"id\":\"59675e84-1a8e-41df-9f63-875109bd795a\",\"model_type\":\"simple\",\"multiplicative\":false,\"period\":1,\"type\":\"moving_average\",\"window\":\"10\"}],\"point_size\":1,\"seperate_axis\":1,\"split_color_mode\":\"gradient\",\"split_filters\":[{\"color\":\"rgba(244,78,59,1)\",\"filter\":{\"language\":\"lucene\",\"query\":\"cef.extensions.categoryDeviceGroup:\\\"/Operating System\\\" \"},\"id\":\"d9a580c3-eb83-4d20-a391-0934d7df8837\",\"label\":\"Operating System\"},{\"color\":\"rgba(254,146,0,1)\",\"filter\":{\"language\":\"lucene\",\"query\":\" cef.extensions.categoryDeviceGroup:\\\"/IDS/Host\\\"\"},\"id\":\"9ce8be14-6191-4c9a-a679-e3992fdab8d2\",\"label\":\"Host 
IDS\"},{\"color\":\"rgba(252,220,0,1)\",\"filter\":{\"language\":\"lucene\",\"query\":\"cef.extensions.categoryDeviceGroup:\\\"/Application\\\"\"},\"id\":\"262ecd54-a042-4bfb-b489-d7db8431c36e\",\"label\":\"Application\"}],\"split_mode\":\"filters\",\"stacked\":\"none\"},{\"axis_position\":\"left\",\"chart_type\":\"bar\",\"color\":\"rgba(0,156,224,1)\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"92e98952-8e25-472f-abb5-05a7d9b830ea\",\"label\":\"Moving Average by Device HostNames\",\"line_width\":1,\"metrics\":[{\"id\":\"3df841a9-5997-4a1a-ad8f-69620d23e65b\",\"type\":\"count\"},{\"alpha\":0.3,\"beta\":0.1,\"field\":\"3df841a9-5997-4a1a-ad8f-69620d23e65b\",\"gamma\":0.3,\"id\":\"9765367a-0fc2-45ba-88a8-e87991210edd\",\"model_type\":\"simple\",\"multiplicative\":false,\"period\":1,\"type\":\"moving_average\",\"window\":\"10\"}],\"point_size\":1,\"seperate_axis\":1,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"observer.hostname\"}],\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Events by Device [Logs CEF]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-0fe1baba-84a8-4cb3-9b17-bae8693c345a", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cef/2.3.3/kibana/visualization/cef-118af639-1f37-4541-a960-5a3ff0613e0e.json b/packages/cef/2.3.3/kibana/visualization/cef-118af639-1f37-4541-a960-5a3ff0613e0e.json deleted file mode 100755 index bba67eb563..0000000000 --- a/packages/cef/2.3.3/kibana/visualization/cef-118af639-1f37-4541-a960-5a3ff0613e0e.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "Outcomes by Device Type [Logs CEF ArcSight]", - "uiStateJSON": "{\"vis\":{\"colors\":{\"/Failure\":\"#BF1B00\"},\"legendOpen\":true}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"cef.extensions.categoryDeviceType\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"cef.extensions.categoryOutcome\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":200},\"position\":\"left\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"cef.extensions.categoryDeviceType: Descending\"},\"type\":\"category\"}],\"defaultYExtents\":false,\"drawLinesBetweenPoints\":true,\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"legendPosition\":\"right\",\"radiusRatio\":9,\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"mode\":\"normal\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"showCircles\":true,\"times\":[],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":true,\"rotate\":75,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"bottom\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"value\"}]},\"title\":\"Outcomes by Device Type [Logs CEF 
ArcSight]\",\"type\":\"histogram\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-118af639-1f37-4541-a960-5a3ff0613e0e", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "cef-5cede2d3-20fe-4140-add4-4c4f841b71a2", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cef/2.3.3/kibana/visualization/cef-1204cf27-05e0-4905-bfa1-688aaaaaa840.json b/packages/cef/2.3.3/kibana/visualization/cef-1204cf27-05e0-4905-bfa1-688aaaaaa840.json deleted file mode 100755 index 1f0e2fde5c..0000000000 --- a/packages/cef/2.3.3/kibana/visualization/cef-1204cf27-05e0-4905-bfa1-688aaaaaa840.json +++ /dev/null @@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "Top 10 Destination Ports [Logs CEF ArcSight]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Destination Addresses\",\"field\":\"destination.port\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"maxFontSize\":72,\"minFontSize\":18,\"orientation\":\"single\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"linear\"},\"title\":\"Top 10 Destination Ports [Logs CEF ArcSight]\",\"type\":\"tagcloud\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-1204cf27-05e0-4905-bfa1-688aaaaaa840", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "cef-68202a5c-c8f2-432f-8c08-04fbfacb95c8", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/cef/2.3.3/kibana/visualization/cef-1479b35b-1bf3-4767-a510-9d210e010342.json b/packages/cef/2.3.3/kibana/visualization/cef-1479b35b-1bf3-4767-a510-9d210e010342.json deleted file mode 100755 index 19c4fa4610..0000000000 --- a/packages/cef/2.3.3/kibana/visualization/cef-1479b35b-1bf3-4767-a510-9d210e010342.json +++ /dev/null @@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "Top 10 Destinations [Logs CEF]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Destination Hosts\",\"field\":\"destination.domain\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"maxFontSize\":60,\"minFontSize\":10,\"orientation\":\"single\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"linear\"},\"title\":\"Top 10 Destinations [Logs CEF]\",\"type\":\"tagcloud\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-1479b35b-1bf3-4767-a510-9d210e010342", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "cef-46204a7b-ca56-4ad7-bf60-5ef9c6b83042", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cef/2.3.3/kibana/visualization/cef-158d809a-89db-4ffa-88a1-eb5c4bf58d50.json b/packages/cef/2.3.3/kibana/visualization/cef-158d809a-89db-4ffa-88a1-eb5c4bf58d50.json deleted file mode 100755 index ec2f257b88..0000000000 --- a/packages/cef/2.3.3/kibana/visualization/cef-158d809a-89db-4ffa-88a1-eb5c4bf58d50.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "Endpoint OS Metrics Overview [Logs CEF ArcSight]", - "uiStateJSON": "{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Total Events\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"6\",\"params\":{\"customLabel\":\"Devices\",\"field\":\"observer.hostname\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"7\",\"params\":{\"customLabel\":\"Event Types\",\"field\":\"cef.extensions.categoryBehavior\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"8\",\"params\":{\"customLabel\":\"Event Outcomes\",\"field\":\"cef.extensions.categoryOutcome\"},\"schema\":\"metric\",\"type\":\"cardinality\"}],\"listeners\":{},\"params\":{\"addLegend\":false,\"addTooltip\":true,\"fontSize\":\"30\",\"gauge\":{\"autoExtend\":false,\"backStyle\":\"Full\",\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":100}],\"gaugeColorMode\":\"None\",\"gaugeStyle\":\"Full\",\"gaugeType\":\"Metric\",\"invertColors\":false,\"labels\":{\"color\":\"black\",\"show\":true},\"orientation\":\"vertical\",\"percentageMode\":false,\"scale\":{\"color\":\"#333\",\"labels\":false,\"show\":false,\"width\":2},\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":\"20\",\"labelColor\":false,\"subText\":\"\"},\"type\":\"simple\",\"useRange\":false,\"verticalSplit\":false},\"handleNoResults\":true,\"type\":\"gauge\"},\"title\":\"Endpoint OS Metrics Overview [Logs CEF ArcSight]\",\"type\":\"metric\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-158d809a-89db-4ffa-88a1-eb5c4bf58d50", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "cef-e6cf2383-71f4-4db1-a791-1a7d4f110194", - "name": 
"search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cef/2.3.3/kibana/visualization/cef-16aef3e9-e33b-4bab-b32f-d8c5b1263ac0.json b/packages/cef/2.3.3/kibana/visualization/cef-16aef3e9-e33b-4bab-b32f-d8c5b1263ac0.json deleted file mode 100755 index a3f9d219f4..0000000000 --- a/packages/cef/2.3.3/kibana/visualization/cef-16aef3e9-e33b-4bab-b32f-d8c5b1263ac0.json +++ /dev/null 
@@ -1,19 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Events by Direction [Logs CEF ArcSight]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"drop_last_bucket\":1,\"filter\":{\"language\":\"lucene\",\"query\":\"cef.device.product:\\\"DNS Trace Log\\\"\"},\"id\":\"be556a57-cd1c-496c-8714-0bd210947c85\",\"index_pattern\":\"logs-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"bar\",\"color\":\"#68BC00\",\"fill\":\"0.2\",\"filter\":{\"language\":\"lucene\",\"query\":\"device\"},\"formatter\":\"number\",\"id\":\"9aae7344-9de9-4378-b21d-296cb964f93b\",\"label\":\"Inbound Requests\",\"line_width\":1,\"metrics\":[{\"id\":\"1cd0b964-45cf-408e-a7e4-e26955f8a3b0\",\"type\":\"count\"}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_filters\":[{\"color\":\"rgba(0,156,224,1)\",\"filter\":{\"language\":\"lucene\",\"query\":\"deviceDirection:\\\"0\\\"\"},\"id\":\"f860f6e0-fbd4-4949-8046-6300322dfe84\",\"label\":\"Inbound Requests\"}],\"split_mode\":\"filters\",\"stacked\":\"none\"},{\"axis_position\":\"right\",\"chart_type\":\"bar\",\"color\":\"#68BC00\",\"fill\":\"0.2\",\"formatter\":\"number\",\"id\":\"ed1abe18-e01b-4202-9db4-06fda10692e0\",\"label\":\"Outbound Requests\",\"line_width\":1,\"metrics\":[{\"id\":\"cfbcfc79-394b-4ec0-a2c2-7a47177d6469\",\"type\":\"count\"},{\"id\":\"6bc37118-ddac-41ec-85b3-9db7e1b3636b\",\"script\":\"params.outbound \\u003e 0 ? 
params.outbound * -1 : 0\",\"type\":\"calculation\",\"variables\":[{\"field\":\"cfbcfc79-394b-4ec0-a2c2-7a47177d6469\",\"id\":\"f73f4f22-03d5-446a-b031-04eee531e3cc\",\"name\":\"outbound\"}]}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_filters\":[{\"color\":\"rgba(211,49,21,1)\",\"filter\":{\"language\":\"lucene\",\"query\":\"deviceDirection:\\\"1\\\"\"},\"id\":\"a9c50e1b-8f11-4bc2-9077-bb8870ed0b62\",\"label\":\"Outbound Requests\"}],\"split_mode\":\"filters\",\"stacked\":\"none\"}],\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Events by Direction [Logs CEF ArcSight]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-16aef3e9-e33b-4bab-b32f-d8c5b1263ac0", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cef/2.3.3/kibana/visualization/cef-19e44299-4e2a-4da4-a9e5-595b428d49dd.json b/packages/cef/2.3.3/kibana/visualization/cef-19e44299-4e2a-4da4-a9e5-595b428d49dd.json deleted file mode 100755 index f1ef73d247..0000000000 --- a/packages/cef/2.3.3/kibana/visualization/cef-19e44299-4e2a-4da4-a9e5-595b428d49dd.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "Top 10 Sources by Size [Logs CEF]", - "uiStateJSON": "{\"P-11\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"P-13\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"P-2\":{\"mapCenter\":[-0.17578097424708533,0],\"mapZoom\":0},\"P-3\":{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}},\"P-4\":{\"mapCenter\":[-0.17578097424708533,0],\"mapZoom\":0},\"P-5\":{\"vis\":{\"defaultColors\":{\"0 - 18,000\":\"rgb(247,251,255)\",\"108,000 - 126,000\":\"rgb(74,152,201)\",\"126,000 - 144,000\":\"rgb(46,126,188)\",\"144,000 - 162,000\":\"rgb(23,100,171)\",\"162,000 - 180,000\":\"rgb(8,74,145)\",\"18,000 - 36,000\":\"rgb(227,238,249)\",\"36,000 - 54,000\":\"rgb(208,225,242)\",\"54,000 - 72,000\":\"rgb(182,212,233)\",\"72,000 - 90,000\":\"rgb(148,196,223)\",\"90,000 - 108,000\":\"rgb(107,174,214)\"},\"legendOpen\":false}},\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": 
"{\"aggs\":[{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Sources\",\"field\":\"source.domain\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Bytes\",\"field\":\"source.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Destinations\",\"field\":\"destination.domain\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"}],\"listeners\":{},\"params\":{\"perPage\":10,\"showMeticsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Top 10 Sources by Size [Logs CEF]\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-19e44299-4e2a-4da4-a9e5-595b428d49dd", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "cef-5a3668ef-c2d5-4bd3-a545-e2a9963b721c", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cef/2.3.3/kibana/visualization/cef-1b9cc5b7-7747-49de-96b1-a4bc7f675716.json b/packages/cef/2.3.3/kibana/visualization/cef-1b9cc5b7-7747-49de-96b1-a4bc7f675716.json deleted file mode 100755 index 6c04dc9028..0000000000 --- a/packages/cef/2.3.3/kibana/visualization/cef-1b9cc5b7-7747-49de-96b1-a4bc7f675716.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "Top 10 Destinations by Size [Logs CEF ArcSight]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Destinations\",\"field\":\"destination.domain\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Bytes\",\"field\":\"source.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Sources\",\"field\":\"source.ip\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"}],\"listeners\":{},\"params\":{\"perPage\":10,\"showMeticsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Top 10 Destinations by Size [Logs CEF ArcSight]\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-1b9cc5b7-7747-49de-96b1-a4bc7f675716", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "cef-f85a3444-8a43-4e46-b872-4e44bc25d0f3", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cef/2.3.3/kibana/visualization/cef-1bd44f46-e28d-4a2d-8245-6994372155ab.json b/packages/cef/2.3.3/kibana/visualization/cef-1bd44f46-e28d-4a2d-8245-6994372155ab.json deleted file mode 100755 index 734effac6e..0000000000 --- a/packages/cef/2.3.3/kibana/visualization/cef-1bd44f46-e28d-4a2d-8245-6994372155ab.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "Top Destinations by Traffic Size [Logs CEF]", - "uiStateJSON": "{\"vis\":{\"defaultColors\":{\"0 - 18k\":\"rgb(247,251,255)\",\"108k - 126k\":\"rgb(74,152,201)\",\"126k - 144k\":\"rgb(46,126,188)\",\"144k - 162k\":\"rgb(23,100,171)\",\"162k - 180k\":\"rgb(8,74,145)\",\"18k - 36k\":\"rgb(227,238,249)\",\"36k - 54k\":\"rgb(208,225,242)\",\"54k - 72k\":\"rgb(182,212,233)\",\"72k - 90k\":\"rgb(148,196,223)\",\"90k - 108k\":\"rgb(107,174,214)\"}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Bytes\",\"field\":\"source.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"filters\":[{\"input\":{\"language\":\"lucene\",\"query\":\"deviceDirection:\\\"0\\\"\"},\"label\":\"Inbound\"},{\"input\":{\"language\":\"lucene\",\"query\":\"deviceDirection:\\\"1\\\"\"},\"label\":\"Outbound\"}]},\"schema\":\"segment\",\"type\":\"filters\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"destination.domain\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":10},\"schema\":\"group\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTooltip\":true,\"colorSchema\":\"Blues\",\"colorsNumber\":10,\"colorsRange\":[{\"from\":0,\"to\":null}],\"enableHover\":true,\"invertColors\":false,\"legendPosition\":\"top\",\"percentageMode\":false,\"setColorRange\":false,\"times\":[],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"color\":\"#555\",\"rotate\":0,\"show\":false},\"scale\":{\"defaultYExtents\":false,\"type\":\"linear\"},\"show\":false,\"type\":\"value\"}]},\"title\":\"Top Destinations by Traffic Size [Logs CEF]\",\"type\":\"heatmap\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-1bd44f46-e28d-4a2d-8245-6994372155ab", - "migrationVersion": { - "visualization": "8.0.0" - }, - 
"references": [ - { - "id": "cef-5a3668ef-c2d5-4bd3-a545-e2a9963b721c", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cef/2.3.3/kibana/visualization/cef-1c869759-1d3e-4898-b9c7-d2604ed38655.json b/packages/cef/2.3.3/kibana/visualization/cef-1c869759-1d3e-4898-b9c7-d2604ed38655.json deleted file mode 100755 index 7bfc8c774b..0000000000 --- a/packages/cef/2.3.3/kibana/visualization/cef-1c869759-1d3e-4898-b9c7-d2604ed38655.json +++ /dev/null 
@@ -1,19 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Events by Severity [Logs CEF]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"bar_color_rules\":[{\"id\":\"0ca18a89-9c81-4bee-835a-85e6103aec37\"}],\"drop_last_bucket\":1,\"filter\":{\"language\":\"lucene\",\"query\":\"cef.extensions.categoryDeviceGroup:\\\"/Firewall\\\"\"},\"hide_last_value_indicator\":true,\"id\":\"c39a76e5-f613-41a9-8335-c442747791e0\",\"index_pattern\":\"logs-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"0.0[0]a\",\"id\":\"da3b92b4-2c24-473b-9102-fb5a343a96d9\",\"label\":\"Event by Severities\",\"line_width\":1,\"metrics\":[{\"id\":\"0d189776-3f7c-4a92-95b1-73c379a341fc\",\"type\":\"count\"},{\"field\":\"0d189776-3f7c-4a92-95b1-73c379a341fc\",\"id\":\"1b1c931c-a09b-4980-af81-6f9c3db56401\",\"sigma\":\"\",\"type\":\"sum_bucket\"}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_filters\":[{\"color\":\"rgba(104,204,202,1)\",\"filter\":{\"language\":\"lucene\",\"query\":\"severity:\\\"Low\\\" OR severity:\\\"0\\\"\"},\"id\":\"ebe970ac-5cc9-4c4a-af60-82affafc667c\",\"label\":\"LOW\"},{\"color\":\"rgba(252,220,0,1)\",\"filter\":{\"language\":\"lucene\",\"query\":\"severity:\\\"Medium\\\"\"},\"id\":\"0c4ff16a-b53d-4ce4-af76-d6b74d8788db\",\"label\":\"MEDIUM\"},{\"color\":\"rgba(254,146,0,1)\",\"filter\":{\"language\":\"lucene\",\"query\":\"severity:\\\"High\\\"\"},\"id\":\"e142c55b-6ee5-416a-8bd3-d10398044864\",\"label\":\"HIGH\"},{\"color\":\"rgba(244,78,59,1)\",\"filter\":{\"language\":\"lucene\",\"query\":\"severity:\\\"Very-High\\\"\"},\"id\":\"4b05b562-c419-4214-b814-d4c242251521\",\"label\":\"VERY 
HIGH\"}],\"split_mode\":\"filters\",\"stacked\":\"none\"}],\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"top_n\",\"use_kibana_indexes\":false},\"title\":\"Events by Severity [Logs CEF]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-1c869759-1d3e-4898-b9c7-d2604ed38655", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cef/2.3.3/kibana/visualization/cef-249e2737-b41f-4115-b303-88bc9d279655.json b/packages/cef/2.3.3/kibana/visualization/cef-249e2737-b41f-4115-b303-88bc9d279655.json deleted file mode 100755 index 3b90350ff6..0000000000 --- a/packages/cef/2.3.3/kibana/visualization/cef-249e2737-b41f-4115-b303-88bc9d279655.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "DNS Metrics Overview [Logs CEF ArcSight]", - "uiStateJSON": "{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"5\",\"params\":{\"customLabel\":\"Event Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Threads\",\"field\":\"cef.extensions.deviceCustomString1\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"OpCodes\",\"field\":\"cef.extensions.deviceCustomString2\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Activity Types\",\"field\":\"cef.device.event_class_id\"},\"schema\":\"metric\",\"type\":\"cardinality\"}],\"listeners\":{},\"params\":{\"addLegend\":false,\"addTooltip\":true,\"gauge\":{\"autoExtend\":false,\"backStyle\":\"Full\",\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":100}],\"gaugeColorMode\":\"None\",\"gaugeStyle\":\"Full\",\"gaugeType\":\"Metric\",\"invertColors\":false,\"labels\":{\"color\":\"black\",\"show\":true},\"orientation\":\"vertical\",\"percentageMode\":false,\"scale\":{\"color\":\"#333\",\"labels\":false,\"show\":false,\"width\":2},\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":\"32\",\"labelColor\":false,\"subText\":\"\"},\"type\":\"simple\",\"useRange\":false,\"verticalSplit\":false},\"type\":\"gauge\"},\"title\":\"DNS Metrics Overview [Logs CEF ArcSight]\",\"type\":\"metric\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-249e2737-b41f-4115-b303-88bc9d279655", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "cef-f85a3444-8a43-4e46-b872-4e44bc25d0f3", - "name": "search_0", - "type": "search" - } - ], - "type": 
"visualization" -} \ No newline at end of file diff --git a/packages/cef/2.3.3/kibana/visualization/cef-255c0885-6349-4ab4-ba00-f055c6cc8000.json b/packages/cef/2.3.3/kibana/visualization/cef-255c0885-6349-4ab4-ba00-f055c6cc8000.json deleted file mode 100755 index 25f79d7cc1..0000000000 --- a/packages/cef/2.3.3/kibana/visualization/cef-255c0885-6349-4ab4-ba00-f055c6cc8000.json +++ /dev/null @@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "Top 10 Sources [Logs CEF]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Source Hosts\",\"field\":\"source.domain\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"maxFontSize\":60,\"minFontSize\":10,\"orientation\":\"single\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"linear\"},\"title\":\"Top 10 Sources [Logs CEF]\",\"type\":\"tagcloud\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-255c0885-6349-4ab4-ba00-f055c6cc8000", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "cef-46204a7b-ca56-4ad7-bf60-5ef9c6b83042", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cef/2.3.3/kibana/visualization/cef-26a65f68-d7a6-4b47-befc-c5a6819bb91b.json b/packages/cef/2.3.3/kibana/visualization/cef-26a65f68-d7a6-4b47-befc-c5a6819bb91b.json deleted file mode 100755 index 401dfbed0a..0000000000 --- a/packages/cef/2.3.3/kibana/visualization/cef-26a65f68-d7a6-4b47-befc-c5a6819bb91b.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "Top 10 Sources by Size [Logs CEF ArcSight]", - "uiStateJSON": "{\"P-11\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"P-13\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"P-2\":{\"mapCenter\":[-0.17578097424708533,0],\"mapZoom\":0},\"P-3\":{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}},\"P-4\":{\"mapCenter\":[-0.17578097424708533,0],\"mapZoom\":0},\"P-5\":{\"vis\":{\"defaultColors\":{\"0 - 18,000\":\"rgb(247,251,255)\",\"108,000 - 126,000\":\"rgb(74,152,201)\",\"126,000 - 144,000\":\"rgb(46,126,188)\",\"144,000 - 162,000\":\"rgb(23,100,171)\",\"162,000 - 180,000\":\"rgb(8,74,145)\",\"18,000 - 36,000\":\"rgb(227,238,249)\",\"36,000 - 54,000\":\"rgb(208,225,242)\",\"54,000 - 72,000\":\"rgb(182,212,233)\",\"72,000 - 90,000\":\"rgb(148,196,223)\",\"90,000 - 108,000\":\"rgb(107,174,214)\"},\"legendOpen\":false}},\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": 
"{\"aggs\":[{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Sources\",\"field\":\"source.domain\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Bytes\",\"field\":\"source.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Destinations\",\"field\":\"destination.domain\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"}],\"listeners\":{},\"params\":{\"perPage\":10,\"showMeticsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Top 10 Sources by Size [Logs CEF ArcSight]\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-26a65f68-d7a6-4b47-befc-c5a6819bb91b", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "cef-f85a3444-8a43-4e46-b872-4e44bc25d0f3", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cef/2.3.3/kibana/visualization/cef-270139ff-fc2f-4fca-b241-93a8f57cdcdf.json b/packages/cef/2.3.3/kibana/visualization/cef-270139ff-fc2f-4fca-b241-93a8f57cdcdf.json deleted file mode 100755 index a8dd56342f..0000000000 --- a/packages/cef/2.3.3/kibana/visualization/cef-270139ff-fc2f-4fca-b241-93a8f57cdcdf.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "Unique Destinations and Ports by Source [Logs CEF]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Destination Addresses\",\"field\":\"destination.ip\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Source Addresses\",\"field\":\"source.ip\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":20},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Destination Ports\",\"field\":\"destination.port\"},\"schema\":\"metric\",\"type\":\"cardinality\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Source Addresses\"},\"type\":\"category\"}],\"defaultYExtents\":false,\"drawLinesBetweenPoints\":true,\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"legendPosition\":\"right\",\"radiusRatio\":9,\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Destination Addresses\"},\"drawLinesBetweenPoints\":true,\"mode\":\"stacked\",\"show\":\"true\",\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"},{\"data\":{\"id\":\"3\",\"label\":\"Destination 
Ports\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"stacked\",\"show\":true,\"showCircles\":true,\"type\":\"line\",\"valueAxis\":\"ValueAxis-2\"}],\"setYExtents\":false,\"showCircles\":true,\"times\":[],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Destination Addresses\"},\"type\":\"value\"},{\"id\":\"ValueAxis-2\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"RightAxis-1\",\"position\":\"right\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Destination Ports\"},\"type\":\"value\"}]},\"title\":\"Unique Destinations and Ports by Source [Logs CEF]\",\"type\":\"histogram\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-270139ff-fc2f-4fca-b241-93a8f57cdcdf", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "cef-357351f2-fbd1-41b6-9b03-592fbb7aec7c", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cef/2.3.3/kibana/visualization/cef-2726382e-638a-4dcc-94fc-0ffdc0f92048.json b/packages/cef/2.3.3/kibana/visualization/cef-2726382e-638a-4dcc-94fc-0ffdc0f92048.json deleted file mode 100755 index 1697d134c5..0000000000 --- a/packages/cef/2.3.3/kibana/visualization/cef-2726382e-638a-4dcc-94fc-0ffdc0f92048.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "Top 15 Event Types by Events [Logs CEF ArcSight]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Event Types\",\"field\":\"cef.extensions.categoryBehavior\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":15},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Source Users\",\"field\":\"source.user.name\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Destination Users\",\"field\":\"destination.user.name\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"5\",\"params\":{\"customLabel\":\"Source Hosts\",\"field\":\"source.domain\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"6\",\"params\":{\"customLabel\":\"Destination Hosts\",\"field\":\"destination.domain\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"}],\"listeners\":{},\"params\":{\"perPage\":15,\"showMeticsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Top 15 Event Types by Events [Logs CEF ArcSight]\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-2726382e-638a-4dcc-94fc-0ffdc0f92048", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "cef-e6cf2383-71f4-4db1-a791-1a7d4f110194", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/cef/2.3.3/kibana/visualization/cef-291cd92f-52c4-421b-b354-468318ba3e65.json b/packages/cef/2.3.3/kibana/visualization/cef-291cd92f-52c4-421b-b354-468318ba3e65.json deleted file mode 100755 index 368418b81f..0000000000 --- a/packages/cef/2.3.3/kibana/visualization/cef-291cd92f-52c4-421b-b354-468318ba3e65.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "Device Metrics Overview [Logs CEF]", - "uiStateJSON": "{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"8\",\"params\":{\"customLabel\":\"Event Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Devices\",\"field\":\"observer.hostname\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"5\",\"params\":{\"customLabel\":\"Sources\",\"field\":\"source.ip\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"6\",\"params\":{\"customLabel\":\"Destinations\",\"field\":\"destination.ip\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"7\",\"params\":{\"customLabel\":\"Ports\",\"field\":\"destination.port\"},\"schema\":\"metric\",\"type\":\"cardinality\"}],\"listeners\":{},\"params\":{\"addLegend\":false,\"addTooltip\":true,\"fontSize\":\"30\",\"gauge\":{\"autoExtend\":false,\"backStyle\":\"Full\",\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":100}],\"gaugeColorMode\":\"None\",\"gaugeStyle\":\"Full\",\"gaugeType\":\"Metric\",\"invertColors\":false,\"labels\":{\"color\":\"black\",\"show\":true},\"orientation\":\"vertical\",\"percentageMode\":false,\"scale\":{\"color\":\"#333\",\"labels\":false,\"show\":false,\"width\":2},\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":\"12\",\"labelColor\":false,\"subText\":\"\"},\"type\":\"simple\",\"useRange\":false,\"verticalSplit\":false},\"handleNoResults\":true,\"type\":\"gauge\"},\"title\":\"Device Metrics Overview [Logs CEF]\",\"type\":\"metric\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-291cd92f-52c4-421b-b354-468318ba3e65", - "migrationVersion": { - "visualization": "8.0.0" - }, - 
"references": [ - { - "id": "cef-357351f2-fbd1-41b6-9b03-592fbb7aec7c", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cef/2.3.3/kibana/visualization/cef-295986d4-d2ea-4541-8e82-7dc95c0cd830.json b/packages/cef/2.3.3/kibana/visualization/cef-295986d4-d2ea-4541-8e82-7dc95c0cd830.json deleted file mode 100755 index c52b647746..0000000000 --- a/packages/cef/2.3.3/kibana/visualization/cef-295986d4-d2ea-4541-8e82-7dc95c0cd830.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "Top 10 Source Countries by Event [Logs CEF ArcSight]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Total Events\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"source.geo.country_iso_code\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":35},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Source Addresses\",\"field\":\"source.ip\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Destination Addresses\",\"field\":\"destination.ip\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"5\",\"params\":{\"customLabel\":\"Destination Ports\",\"field\":\"destination.port\"},\"schema\":\"metric\",\"type\":\"cardinality\"}],\"listeners\":{},\"params\":{\"perPage\":10,\"showMeticsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Top 10 Source Countries by Event [Logs CEF ArcSight]\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-295986d4-d2ea-4541-8e82-7dc95c0cd830", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "cef-5cede2d3-20fe-4140-add4-4c4f841b71a2", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/cef/2.3.3/kibana/visualization/cef-2a0a7692-9a08-449f-bcef-b85de1855fd5.json b/packages/cef/2.3.3/kibana/visualization/cef-2a0a7692-9a08-449f-bcef-b85de1855fd5.json deleted file mode 100755 index 0cdee83a6a..0000000000 --- a/packages/cef/2.3.3/kibana/visualization/cef-2a0a7692-9a08-449f-bcef-b85de1855fd5.json +++ /dev/null 
@@ -1,19 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Endpoint - Average EPS [Logs CEF]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"bar_color_rules\":[{\"id\":\"ce9549a0-3af0-4070-b169-4b6d145d4c39\"}],\"drop_last_bucket\":1,\"filter\":{\"language\":\"lucene\",\"query\":\"data_stream.dataset:\\\"cef.log\\\"\"},\"gauge_color_rules\":[{\"id\":\"03a2fd72-fc9c-4582-9133-20af36217180\"}],\"gauge_inner_width\":10,\"gauge_style\":\"half\",\"gauge_width\":10,\"hide_last_value_indicator\":true,\"id\":\"94161c6c-4f48-4beb-9d78-f79f29c02a34\",\"index_pattern\":\"logs-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(0,156,224,1)\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"b4373ffd-9660-4206-afd6-d4867ac7dbdf\",\"label\":\"Event Throughput\",\"line_width\":1,\"metrics\":[{\"id\":\"b1a48389-d799-4eba-8b98-7ee8ef0bb440\",\"type\":\"count\"},{\"field\":\"b1a48389-d799-4eba-8b98-7ee8ef0bb440\",\"id\":\"89f8286e-4aec-4cb4-83ad-b139692edf3d\",\"type\":\"cumulative_sum\"},{\"field\":\"89f8286e-4aec-4cb4-83ad-b139692edf3d\",\"id\":\"1df39e5f-3e98-4ed7-ab08-47f3ca2ee915\",\"type\":\"derivative\",\"unit\":\"1s\"},{\"alpha\":0.3,\"beta\":0.1,\"field\":\"1df39e5f-3e98-4ed7-ab08-47f3ca2ee915\",\"gamma\":0.3,\"id\":\"f46a6e6e-444f-4c7e-b5eb-e1a59568f2eb\",\"model_type\":\"simple\",\"multiplicative\":false,\"period\":1,\"type\":\"moving_average\",\"window\":\"10\"}],\"offset_time\":\"1m\",\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\",\"value_template\":\"{{value}} / s\"}],\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"gauge\",\"use_kibana_indexes\":false},\"title\":\"Endpoint - Average EPS [Logs CEF]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": 
"8.0.0", - "id": "cef-2a0a7692-9a08-449f-bcef-b85de1855fd5", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cef/2.3.3/kibana/visualization/cef-2b96deab-dbf1-4be3-ae70-1bfb6c3fbd2a.json b/packages/cef/2.3.3/kibana/visualization/cef-2b96deab-dbf1-4be3-ae70-1bfb6c3fbd2a.json deleted file mode 100755 index 0c2cecb2d8..0000000000 --- a/packages/cef/2.3.3/kibana/visualization/cef-2b96deab-dbf1-4be3-ae70-1bfb6c3fbd2a.json +++ /dev/null @@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "Top 20 Behaviors by Outcome [Logs CEF]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Event Behavior\",\"field\":\"event.action\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":20},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Event Outcome\",\"field\":\"event.outcome\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":3},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"}},\"title\":\"Top 20 Behaviors by Outcome [Logs CEF]\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-2b96deab-dbf1-4be3-ae70-1bfb6c3fbd2a", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "cef-46204a7b-ca56-4ad7-bf60-5ef9c6b83042", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/cef/2.3.3/kibana/visualization/cef-2ecd00c0-66f4-4020-9c6e-dff40d47654c.json b/packages/cef/2.3.3/kibana/visualization/cef-2ecd00c0-66f4-4020-9c6e-dff40d47654c.json deleted file mode 100755 index 6cf742b59b..0000000000 --- a/packages/cef/2.3.3/kibana/visualization/cef-2ecd00c0-66f4-4020-9c6e-dff40d47654c.json +++ /dev/null @@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "Top 5 Source Countries [Logs CEF]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"source.geo.country_iso_code\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":20},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"maxFontSize\":72,\"minFontSize\":18,\"orientation\":\"single\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"linear\"},\"title\":\"Top 5 Source Countries [Logs CEF]\",\"type\":\"tagcloud\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-2ecd00c0-66f4-4020-9c6e-dff40d47654c", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "cef-41770860-2a81-4ce7-b8b4-a0c6970725b0", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cef/2.3.3/kibana/visualization/cef-316fdc75-7215-4c6b-8e1b-70a097b34e28.json b/packages/cef/2.3.3/kibana/visualization/cef-316fdc75-7215-4c6b-8e1b-70a097b34e28.json deleted file mode 100755 index 63e38a3cff..0000000000 --- a/packages/cef/2.3.3/kibana/visualization/cef-316fdc75-7215-4c6b-8e1b-70a097b34e28.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "Top 10 Sources by Destinations [Logs CEF ArcSight]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Source Host\",\"field\":\"source.domain\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Destination Host\",\"field\":\"destination.domain\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"legendPosition\":\"bottom\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"}},\"title\":\"Top 10 Sources by Destinations [Logs CEF ArcSight]\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-316fdc75-7215-4c6b-8e1b-70a097b34e28", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "cef-e6cf2383-71f4-4db1-a791-1a7d4f110194", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cef/2.3.3/kibana/visualization/cef-33290695-4eb1-4270-9e63-7083e7b132ed.json b/packages/cef/2.3.3/kibana/visualization/cef-33290695-4eb1-4270-9e63-7083e7b132ed.json deleted file mode 100755 index 5f6c8a1920..0000000000 --- a/packages/cef/2.3.3/kibana/visualization/cef-33290695-4eb1-4270-9e63-7083e7b132ed.json +++ /dev/null 
@@ -1,19 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Events Types by Severity [Logs CEF]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"drop_last_bucket\":1,\"filter\":{\"language\":\"lucene\",\"query\":\"cef.device.product:\\\"DNS Trace Log\\\"\"},\"id\":\"db54ebce-9dd2-4a1e-b476-b3ddb9a9024e\",\"index_pattern\":\"logs-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"formatter\":\"number\",\"id\":\"81da76ca-1112-4d91-82f4-c66cd3156a84\",\"label\":\"Cumulative Bytes\",\"line_width\":\"3\",\"metrics\":[{\"field\":\"source.bytes\",\"id\":\"521d560c-321a-4410-9eb3-2b2bf3f4efee\",\"type\":\"count\"}],\"point_size\":\"0\",\"seperate_axis\":1,\"split_color_mode\":\"gradient\",\"split_filters\":[{\"color\":\"rgba(244,78,59,1)\",\"filter\":{\"language\":\"lucene\",\"query\":\"(event.severity:\\\"2\\\" OR event.severity:\\\"3\\\" OR event.severity:\\\"5\\\" OR event.severity:\\\"16\\\" OR cef.extension.deviceCustomString4:\\\"SERVFAIL\\\" OR cef.extension.deviceCustomString4:\\\"NXDOMAIN\\\" OR cef.extension.deviceCustomString4:\\\"REFUSED\\\" OR cef.extension.deviceCustomString4:\\\"BADVERS\\\" OR cef.extension.deviceCustomString4:\\\"BADSIG\\\")\"},\"id\":\"3f31a7e4-acf3-4f2d-8b7d-e30522325b2a\",\"label\":\"HIGH\"},{\"color\":\"rgba(254,146,0,1)\",\"filter\":{\"language\":\"lucene\",\"query\":\"(event.severity:\\\"1\\\" OR event.severity:\\\"4\\\" OR event.severity:\\\"6\\\" OR event.severity:\\\"7\\\" OR event.severity:\\\"8\\\" OR event.severity:\\\"9\\\" OR event.severity:\\\"10\\\" OR event.severity:\\\"17\\\" OR event.severity:\\\"18\\\" OR event.severity:\\\"19\\\" OR event.severity:\\\"20\\\" OR event.severity:\\\"21\\\" OR event.severity:\\\"22\\\" OR cef.extension.deviceCustomString4:\\\"Error\\\" 
OR cef.extension.deviceCustomString4:\\\"ERROR\\\" OR cef.extension.deviceCustomString4:\\\"Warning\\\" OR cef.extension.deviceCustomString4:\\\"WARNING\\\" OR cef.extension.deviceCustomString4:\\\"FORMERR\\\" OR cef.extension.deviceCustomString4:\\\"NOTIMP\\\" OR cef.extension.deviceCustomString4:\\\"YXDOMAIN\\\" OR cef.extension.deviceCustomString4:\\\"YXRRSET\\\" OR cef.extension.deviceCustomString4:\\\"NXRRSET\\\" OR cef.extension.deviceCustomString4:\\\"NOTAUTH\\\" OR cef.extension.deviceCustomString4:\\\"NOTZONE\\\" OR cef.extension.deviceCustomString4:\\\"BADKEY\\\" OR cef.extension.deviceCustomString4:\\\"BADTIME\\\" OR cef.extension.deviceCustomString4:\\\"BADMODE\\\" OR cef.extension.deviceCustomString4:\\\"BADNAME\\\" OR cef.extension.deviceCustomString4:\\\"BADALG\\\" OR cef.extension.deviceCustomString4:\\\"BADTRUNC\\\")\"},\"id\":\"7949d31b-8aae-433a-b7cf-6939a8728cc9\",\"label\":\"MEDIUM\"},{\"color\":\"rgba(252,220,0,1)\",\"filter\":{\"language\":\"lucene\",\"query\":\"(NOT (event.severity:\\\"2\\\" OR event.severity:\\\"3\\\" OR event.severity:\\\"5\\\" OR event.severity:\\\"16\\\" OR cef.extension.deviceCustomString4:\\\"SERVFAIL\\\" OR cef.extension.deviceCustomString4:\\\"NXDOMAIN\\\" OR cef.extension.deviceCustomString4:\\\"REFUSED\\\" OR cef.extension.deviceCustomString4:\\\"BADVERS\\\" OR cef.extension.deviceCustomString4:\\\"BADSIG\\\" OR event.severity:\\\"1\\\" OR event.severity:\\\"4\\\" OR event.severity:\\\"6\\\" OR event.severity:\\\"7\\\" OR event.severity:\\\"8\\\" OR event.severity:\\\"9\\\" OR event.severity:\\\"10\\\" OR event.severity:\\\"17\\\" OR event.severity:\\\"18\\\" OR event.severity:\\\"19\\\" OR event.severity:\\\"20\\\" OR event.severity:\\\"21\\\" OR event.severity:\\\"22\\\" OR cef.extension.deviceCustomString4:\\\"Error\\\" OR cef.extension.deviceCustomString4:\\\"ERROR\\\" OR cef.extension.deviceCustomString4:\\\"Warning\\\" OR cef.extension.deviceCustomString4:\\\"WARNING\\\" OR 
cef.extension.deviceCustomString4:\\\"FORMERR\\\" OR cef.extension.deviceCustomString4:\\\"NOTIMP\\\" OR cef.extension.deviceCustomString4:\\\"YXDOMAIN\\\" OR cef.extension.deviceCustomString4:\\\"YXRRSET\\\" OR cef.extension.deviceCustomString4:\\\"NXRRSET\\\" OR cef.extension.deviceCustomString4:\\\"NOTAUTH\\\" OR cef.extension.deviceCustomString4:\\\"NOTZONE\\\" OR cef.extension.deviceCustomString4:\\\"BADKEY\\\" OR cef.extension.deviceCustomString4:\\\"BADTIME\\\" OR cef.extension.deviceCustomString4:\\\"BADMODE\\\" OR cef.extension.deviceCustomString4:\\\"BADNAME\\\" OR cef.extension.deviceCustomString4:\\\"BADALG\\\" OR cef.extension.deviceCustomString4:\\\"BADTRUNC\\\"))\"},\"id\":\"d2627211-5f9e-4c65-8a47-1cd6f085939d\",\"label\":\"LOW\"}],\"split_mode\":\"filters\",\"stacked\":\"none\"},{\"axis_position\":\"right\",\"chart_type\":\"bar\",\"color\":\"rgba(0,156,224,1)\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"a5fda184-fdd6-4221-ab59-492eab162f0a\",\"label\":\"Count by Event Type\",\"line_width\":1,\"metrics\":[{\"id\":\"e147ba1c-b13a-496f-9841-b99ddee81c5a\",\"type\":\"count\"}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"cef.device.event_class_id\",\"terms_size\":\"20\"}],\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Events Types by Severity [Logs CEF]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-33290695-4eb1-4270-9e63-7083e7b132ed", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cef/2.3.3/kibana/visualization/cef-33747d52-ec4c-4d91-86d8-fbdf9b9c82db.json b/packages/cef/2.3.3/kibana/visualization/cef-33747d52-ec4c-4d91-86d8-fbdf9b9c82db.json deleted file mode 100755 index 5ec0797be6..0000000000 
--- a/packages/cef/2.3.3/kibana/visualization/cef-33747d52-ec4c-4d91-86d8-fbdf9b9c82db.json +++ /dev/null 
@@ -1,19 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Network - Event Throughput [Logs CEF ArcSight]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"background_color_rules\":[{\"id\":\"3eadd451-5033-423f-88e3-814cc5e50b50\"}],\"bar_color_rules\":[{\"id\":\"8d4596c5-49ad-429b-af54-5451b1c2e8d4\"}],\"drop_last_bucket\":1,\"filter\":{\"language\":\"lucene\",\"query\":\"cef.extensions.categoryDeviceType:\\\"Firewall\\\" OR cef.extensions.categoryDeviceGroup:\\\"/IDS/Network\\\" OR cef.extensions.categoryDeviceGroup:\\\"/VPN\\\" \"},\"gauge_color_rules\":[{\"gauge\":null,\"id\":\"4d957654-cc7e-4ef3-8b29-61c0aeadd51a\",\"value\":0}],\"gauge_inner_width\":10,\"gauge_max\":\"\",\"gauge_style\":\"half\",\"gauge_width\":10,\"hide_last_value_indicator\":true,\"id\":\"73968651-c41e-473e-a153-a025f49d1a1b\",\"index_pattern\":\"logs-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(0,156,224,1)\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"90d7621e-3265-4fe8-8882-8df9605ea659\",\"label\":\"Event 
Throughput\",\"line_width\":1,\"metrics\":[{\"id\":\"ba1830b9-9ce3-4bf1-8f4d-f7478b7f1bba\",\"type\":\"count\"},{\"field\":\"ba1830b9-9ce3-4bf1-8f4d-f7478b7f1bba\",\"id\":\"ca3a65d0-9f3d-42a9-9f4e-16f9e24cba19\",\"type\":\"cumulative_sum\"},{\"field\":\"ca3a65d0-9f3d-42a9-9f4e-16f9e24cba19\",\"id\":\"6db67bc1-7fff-47e7-a931-f797b1f76732\",\"type\":\"derivative\",\"unit\":\"1s\"},{\"alpha\":0.3,\"beta\":0.1,\"field\":\"6db67bc1-7fff-47e7-a931-f797b1f76732\",\"gamma\":0.3,\"id\":\"92bc1447-2b30-498c-ae8a-c67904fc82b2\",\"model_type\":\"simple\",\"multiplicative\":false,\"period\":1,\"type\":\"moving_average\",\"window\":\"10\"}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\",\"value_template\":\"{{value}} / s\"}],\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"gauge\",\"use_kibana_indexes\":false},\"title\":\"Network - Event Throughput [Logs CEF ArcSight]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-33747d52-ec4c-4d91-86d8-fbdf9b9c82db", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cef/2.3.3/kibana/visualization/cef-38061262-edbe-4ccc-8c5c-d22c480b3c64.json b/packages/cef/2.3.3/kibana/visualization/cef-38061262-edbe-4ccc-8c5c-d22c480b3c64.json deleted file mode 100755 index d47376e13f..0000000000 --- a/packages/cef/2.3.3/kibana/visualization/cef-38061262-edbe-4ccc-8c5c-d22c480b3c64.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "Top 10 Application Protocols [Logs CEF]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"network.application\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":20},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"maxFontSize\":72,\"minFontSize\":26,\"orientation\":\"single\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"square root\"},\"title\":\"Top 10 Application Protocols [Logs CEF]\",\"type\":\"tagcloud\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-38061262-edbe-4ccc-8c5c-d22c480b3c64", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "cef-357351f2-fbd1-41b6-9b03-592fbb7aec7c", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cef/2.3.3/kibana/visualization/cef-38fd061a-0976-4005-b0d3-729d693cdd5d.json b/packages/cef/2.3.3/kibana/visualization/cef-38fd061a-0976-4005-b0d3-729d693cdd5d.json deleted file mode 100755 index f7b6ad4a29..0000000000 --- a/packages/cef/2.3.3/kibana/visualization/cef-38fd061a-0976-4005-b0d3-729d693cdd5d.json +++ /dev/null 
@@ -1,19 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Events by Direction [Logs CEF]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"drop_last_bucket\":1,\"filter\":{\"language\":\"lucene\",\"query\":\"cef.device.product:\\\"DNS Trace Log\\\"\"},\"id\":\"be556a57-cd1c-496c-8714-0bd210947c85\",\"index_pattern\":\"logs-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"bar\",\"color\":\"#68BC00\",\"fill\":\"0.2\",\"filter\":{\"language\":\"lucene\",\"query\":\"device\"},\"formatter\":\"number\",\"id\":\"9aae7344-9de9-4378-b21d-296cb964f93b\",\"label\":\"Inbound Requests\",\"line_width\":1,\"metrics\":[{\"id\":\"1cd0b964-45cf-408e-a7e4-e26955f8a3b0\",\"type\":\"count\"}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_filters\":[{\"color\":\"rgba(0,156,224,1)\",\"filter\":{\"language\":\"lucene\",\"query\":\"deviceDirection:\\\"0\\\"\"},\"id\":\"f860f6e0-fbd4-4949-8046-6300322dfe84\",\"label\":\"Inbound Requests\"}],\"split_mode\":\"filters\",\"stacked\":\"none\"},{\"axis_position\":\"right\",\"chart_type\":\"bar\",\"color\":\"#68BC00\",\"fill\":\"0.2\",\"formatter\":\"number\",\"id\":\"ed1abe18-e01b-4202-9db4-06fda10692e0\",\"label\":\"Outbound Requests\",\"line_width\":1,\"metrics\":[{\"id\":\"cfbcfc79-394b-4ec0-a2c2-7a47177d6469\",\"type\":\"count\"},{\"id\":\"6bc37118-ddac-41ec-85b3-9db7e1b3636b\",\"script\":\"params.outbound \\u003e 0 ? 
params.outbound * -1 : 0\",\"type\":\"calculation\",\"variables\":[{\"field\":\"cfbcfc79-394b-4ec0-a2c2-7a47177d6469\",\"id\":\"f73f4f22-03d5-446a-b031-04eee531e3cc\",\"name\":\"outbound\"}]}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_filters\":[{\"color\":\"rgba(211,49,21,1)\",\"filter\":{\"language\":\"lucene\",\"query\":\"deviceDirection:\\\"1\\\"\"},\"id\":\"a9c50e1b-8f11-4bc2-9077-bb8870ed0b62\",\"label\":\"Outbound Requests\"}],\"split_mode\":\"filters\",\"stacked\":\"none\"}],\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Events by Direction [Logs CEF]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-38fd061a-0976-4005-b0d3-729d693cdd5d", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cef/2.3.3/kibana/visualization/cef-3c19f138-2ab3-4ecb-bb1b-86fb90158042.json b/packages/cef/2.3.3/kibana/visualization/cef-3c19f138-2ab3-4ecb-bb1b-86fb90158042.json deleted file mode 100755 index 563c47bef0..0000000000 --- a/packages/cef/2.3.3/kibana/visualization/cef-3c19f138-2ab3-4ecb-bb1b-86fb90158042.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "Device Type Breakdown [Logs CEF ArcSight]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Firewall Types\",\"field\":\"cef.extensions.categoryDeviceType\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":false,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"}},\"title\":\"Device Type Breakdown [Logs CEF ArcSight]\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-3c19f138-2ab3-4ecb-bb1b-86fb90158042", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "cef-68202a5c-c8f2-432f-8c08-04fbfacb95c8", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cef/2.3.3/kibana/visualization/cef-490c415c-b859-4ed0-a2a4-5c4968084985.json b/packages/cef/2.3.3/kibana/visualization/cef-490c415c-b859-4ed0-a2a4-5c4968084985.json deleted file mode 100755 index 5b43a8fe58..0000000000 --- a/packages/cef/2.3.3/kibana/visualization/cef-490c415c-b859-4ed0-a2a4-5c4968084985.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "Event Types by Size [Logs CEF]", - "uiStateJSON": "{\"vis\":{\"colors\":{\"Count\":\"#64B0C8\",\"Total (Bytes)\":\"#E24D42\"}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Event Type\",\"field\":\"cef.device.event_class_id\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":20},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Total (Bytes)\",\"field\":\"source.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"rotate\":75,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Event Type\"},\"type\":\"category\"}],\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"},\"valueAxis\":null},\"legendPosition\":\"right\",\"orderBucketsBySum\":false,\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"mode\":\"normal\",\"show\":\"true\",\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"},{\"data\":{\"id\":\"3\",\"label\":\"Total (Bytes)\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":3,\"mode\":\"normal\",\"show\":true,\"showCircles\":false,\"type\":\"line\",\"valueAxis\":\"ValueAxis-2\"}],\"times\":[],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"square 
root\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"},{\"id\":\"ValueAxis-2\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"RightAxis-1\",\"position\":\"right\",\"scale\":{\"mode\":\"normal\",\"type\":\"square root\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Total (Bytes)\"},\"type\":\"value\"}]},\"title\":\"Event Types by Size [Logs CEF]\",\"type\":\"histogram\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-490c415c-b859-4ed0-a2a4-5c4968084985", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "cef-5a3668ef-c2d5-4bd3-a545-e2a9963b721c", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cef/2.3.3/kibana/visualization/cef-4970ec04-796a-4c0e-90d9-7e23d0b7e48d.json b/packages/cef/2.3.3/kibana/visualization/cef-4970ec04-796a-4c0e-90d9-7e23d0b7e48d.json deleted file mode 100755 index 8192a37ebd..0000000000 --- a/packages/cef/2.3.3/kibana/visualization/cef-4970ec04-796a-4c0e-90d9-7e23d0b7e48d.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "Destination Ports by Outcomes [Logs CEF]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"destination.port\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":20},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"event.outcome\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"destination.port: Descending\"},\"type\":\"category\"}],\"defaultYExtents\":false,\"drawLinesBetweenPoints\":true,\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"legendPosition\":\"right\",\"radiusRatio\":9,\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"mode\":\"stacked\",\"show\":\"true\",\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"showCircles\":true,\"times\":[],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"defaultYExtents\":true,\"mode\":\"normal\",\"setYExtents\":false,\"type\":\"square root\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"value\"}]},\"title\":\"Destination Ports by Outcomes [Logs CEF]\",\"type\":\"histogram\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": 
"cef-4970ec04-796a-4c0e-90d9-7e23d0b7e48d", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "cef-41770860-2a81-4ce7-b8b4-a0c6970725b0", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cef/2.3.3/kibana/visualization/cef-499f50ba-2f84-4f7c-9021-73a4efc47921.json b/packages/cef/2.3.3/kibana/visualization/cef-499f50ba-2f84-4f7c-9021-73a4efc47921.json deleted file mode 100755 index a2085e9b19..0000000000 --- a/packages/cef/2.3.3/kibana/visualization/cef-499f50ba-2f84-4f7c-9021-73a4efc47921.json +++ /dev/null 
@@ -1,19 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Events by Outcome [Logs CEF ArcSight]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"background_color\":null,\"background_color_rules\":[{\"id\":\"2fddda5e-d6fc-4581-bbb7-574e1017ae8f\"}],\"bar_color_rules\":[{\"bar_color\":null,\"id\":\"23db5bf6-f787-474e-86ab-76362432e984\",\"value\":0}],\"drilldown_url\":\"\",\"drop_last_bucket\":1,\"filter\":{\"language\":\"lucene\",\"query\":\"cef.extensions.categoryDeviceType:\\\"Firewall\\\" OR cef.extensions.categoryDeviceGroup:\\\"/IDS/Network\\\" OR cef.extensions.categoryDeviceGroup:\\\"/VPN\\\"\"},\"gauge_color_rules\":[{\"id\":\"3ed9a6b9-fd2e-4e0d-bd83-7ad467b3c8a4\"}],\"gauge_inner_width\":10,\"gauge_style\":\"half\",\"gauge_width\":10,\"id\":\"ec53a1d3-213c-4b0f-a074-5005a84cdb83\",\"index_pattern\":\"logs-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(211,49,21,1)\",\"fill\":\"0\",\"filter\":{\"language\":\"lucene\",\"query\":\"(cef.extensions.categoryDeviceGroup:\\\"/Firewall\\\" OR cef.extensions.categoryDeviceGroup:\\\"/IDS/Network\\\" OR cef.extensions.categoryDeviceGroup:\\\"/VPN\\\") AND 
_exists_:cef.extensions.categoryOutcome\"},\"formatter\":\"number\",\"id\":\"04c44192-1112-4515-a8d9-e9e13215aecf\",\"label\":\"Events\",\"line_width\":\"3\",\"metrics\":[{\"id\":\"c5dbb050-fc10-4a0d-abe0-bc093db6cf0e\",\"type\":\"count\"},{\"alpha\":0.3,\"beta\":0.1,\"field\":\"c5dbb050-fc10-4a0d-abe0-bc093db6cf0e\",\"gamma\":0.3,\"id\":\"c43af7e6-3f06-48a4-a7c3-7ba8bd6214f9\",\"model_type\":\"simple\",\"multiplicative\":false,\"period\":1,\"type\":\"moving_average\",\"window\":\"10\"}],\"point_size\":\"0\",\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_filters\":[{\"color\":\"rgba(254,146,0,1)\",\"filter\":{\"language\":\"lucene\",\"query\":\"cef.extensions.categoryDeviceGroup:\\\"/Firewall\\\"\"},\"id\":\"4c7aac7d-2749-41b6-8136-40dc8636a7e7\",\"label\":\"Firewall\"}],\"split_mode\":\"filter\",\"stacked\":\"none\",\"steps\":0,\"terms_field\":\"observer.hostname\",\"terms_order_by\":null},{\"axis_position\":\"left\",\"chart_type\":\"bar\",\"color\":\"rgba(104,188,0,1)\",\"fill\":\"1\",\"formatter\":\"number\",\"id\":\"29d6131a-5143-4a64-b597-9538692f0269\",\"label\":\"Moving Average by Event 
Outcome\",\"line_width\":1,\"metrics\":[{\"id\":\"dc74afdf-64ad-47d6-bbed-114e09d12255\",\"type\":\"count\"}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_filters\":[{\"color\":\"rgba(104,188,0,0.35)\",\"filter\":{\"language\":\"lucene\",\"query\":\"cef.extensions.categoryOutcome:\\\"/Success\\\"\"},\"id\":\"cb1ae397-13a0-4b6f-a848-bcdc96870f05\",\"label\":\"Success\"},{\"color\":\"rgba(244,78,59,1)\",\"filter\":{\"language\":\"lucene\",\"query\":\"cef.extensions.categoryOutcome:\\\"/Failure\\\"\"},\"id\":\"ef021c15-1b95-4334-bc3c-e2950e9b0f6f\",\"label\":\"Failure\"},{\"color\":\"rgba(0,156,224,1)\",\"filter\":{\"language\":\"lucene\",\"query\":\"cef.extensions.categoryOutcome:\\\"/Attempt\\\"\"},\"id\":\"2ff1e859-b178-4824-a0f2-69a115932b98\",\"label\":\"Attempt\"}],\"split_mode\":\"filters\",\"stacked\":\"stacked\",\"terms_field\":\"cef.extensions.categoryOutcome\",\"terms_size\":\"3\"}],\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Events by Outcome [Logs CEF ArcSight]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-499f50ba-2f84-4f7c-9021-73a4efc47921", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cef/2.3.3/kibana/visualization/cef-4a7c10c7-4abd-47b4-b4c3-dee33377fbdf.json b/packages/cef/2.3.3/kibana/visualization/cef-4a7c10c7-4abd-47b4-b4c3-dee33377fbdf.json deleted file mode 100755 index 0614970e4b..0000000000 --- a/packages/cef/2.3.3/kibana/visualization/cef-4a7c10c7-4abd-47b4-b4c3-dee33377fbdf.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "Top 10 Destinations [Logs CEF ArcSight]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Destination Hosts\",\"field\":\"destination.domain\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"maxFontSize\":60,\"minFontSize\":10,\"orientation\":\"single\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"linear\"},\"title\":\"Top 10 Destinations [Logs CEF ArcSight]\",\"type\":\"tagcloud\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-4a7c10c7-4abd-47b4-b4c3-dee33377fbdf", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "cef-e6cf2383-71f4-4db1-a791-1a7d4f110194", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cef/2.3.3/kibana/visualization/cef-4c86b51e-6886-4484-98a2-508e92b455bb.json b/packages/cef/2.3.3/kibana/visualization/cef-4c86b51e-6886-4484-98a2-508e92b455bb.json deleted file mode 100755 index 468d364c92..0000000000 --- a/packages/cef/2.3.3/kibana/visualization/cef-4c86b51e-6886-4484-98a2-508e92b455bb.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "Endpoint OS Metrics Overview [Logs CEF]", - "uiStateJSON": "{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Total Events\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"6\",\"params\":{\"customLabel\":\"Devices\",\"field\":\"observer.hostname\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"7\",\"params\":{\"customLabel\":\"Event Types\",\"field\":\"event.action\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"8\",\"params\":{\"customLabel\":\"Event Outcomes\",\"field\":\"event.outcome\"},\"schema\":\"metric\",\"type\":\"cardinality\"}],\"listeners\":{},\"params\":{\"addLegend\":false,\"addTooltip\":true,\"fontSize\":\"30\",\"gauge\":{\"autoExtend\":false,\"backStyle\":\"Full\",\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":100}],\"gaugeColorMode\":\"None\",\"gaugeStyle\":\"Full\",\"gaugeType\":\"Metric\",\"invertColors\":false,\"labels\":{\"color\":\"black\",\"show\":true},\"orientation\":\"vertical\",\"percentageMode\":false,\"scale\":{\"color\":\"#333\",\"labels\":false,\"show\":false,\"width\":2},\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":\"20\",\"labelColor\":false,\"subText\":\"\"},\"type\":\"simple\",\"useRange\":false,\"verticalSplit\":false},\"handleNoResults\":true,\"type\":\"gauge\"},\"title\":\"Endpoint OS Metrics Overview [Logs CEF]\",\"type\":\"metric\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-4c86b51e-6886-4484-98a2-508e92b455bb", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "cef-46204a7b-ca56-4ad7-bf60-5ef9c6b83042", - "name": "search_0", - "type": "search" - } - ], - "type": 
"visualization" -} \ No newline at end of file diff --git a/packages/cef/2.3.3/kibana/visualization/cef-4e25b5ce-53c3-46fc-b5e5-71d3c52f1956.json b/packages/cef/2.3.3/kibana/visualization/cef-4e25b5ce-53c3-46fc-b5e5-71d3c52f1956.json deleted file mode 100755 index b0e9b3c257..0000000000 --- a/packages/cef/2.3.3/kibana/visualization/cef-4e25b5ce-53c3-46fc-b5e5-71d3c52f1956.json +++ /dev/null @@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "Top 10 Sources [Logs CEF ArcSight]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Source Hosts\",\"field\":\"source.domain\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"maxFontSize\":60,\"minFontSize\":10,\"orientation\":\"single\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"linear\"},\"title\":\"Top 10 Sources [Logs CEF ArcSight]\",\"type\":\"tagcloud\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-4e25b5ce-53c3-46fc-b5e5-71d3c52f1956", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "cef-e6cf2383-71f4-4db1-a791-1a7d4f110194", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cef/2.3.3/kibana/visualization/cef-535a7bf8-a701-4016-86c0-038bc6d9d069.json b/packages/cef/2.3.3/kibana/visualization/cef-535a7bf8-a701-4016-86c0-038bc6d9d069.json deleted file mode 100755 index 8a11a9886a..0000000000 --- a/packages/cef/2.3.3/kibana/visualization/cef-535a7bf8-a701-4016-86c0-038bc6d9d069.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "Top 10 Source Countries by Events [Logs CEF]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Total Events\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Source Country\",\"field\":\"source.geo.country_iso_code\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Source Addresses\",\"field\":\"source.ip\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Destination Addresses\",\"field\":\"destination.ip\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"5\",\"params\":{\"customLabel\":\"Destination Ports\",\"field\":\"destination.port\"},\"schema\":\"metric\",\"type\":\"cardinality\"}],\"listeners\":{},\"params\":{\"perPage\":10,\"showMeticsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Top 10 Source Countries by Events [Logs CEF]\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-535a7bf8-a701-4016-86c0-038bc6d9d069", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "cef-357351f2-fbd1-41b6-9b03-592fbb7aec7c", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/cef/2.3.3/kibana/visualization/cef-56247c19-7aa5-475d-b074-5b0cd4794f0c.json b/packages/cef/2.3.3/kibana/visualization/cef-56247c19-7aa5-475d-b074-5b0cd4794f0c.json deleted file mode 100755 index 4ad4b41dc5..0000000000 --- a/packages/cef/2.3.3/kibana/visualization/cef-56247c19-7aa5-475d-b074-5b0cd4794f0c.json +++ /dev/null @@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "Top 10 Source Users [Logs CEF]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Source Users\",\"field\":\"source.user.name\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"maxFontSize\":60,\"minFontSize\":10,\"orientation\":\"single\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"linear\"},\"title\":\"Top 10 Source Users [Logs CEF]\",\"type\":\"tagcloud\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-56247c19-7aa5-475d-b074-5b0cd4794f0c", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "cef-46204a7b-ca56-4ad7-bf60-5ef9c6b83042", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cef/2.3.3/kibana/visualization/cef-566d8b4e-ec5c-4b8b-bd68-3cc9cb236110.json b/packages/cef/2.3.3/kibana/visualization/cef-566d8b4e-ec5c-4b8b-bd68-3cc9cb236110.json deleted file mode 100755 index 5c7272c0cb..0000000000 --- a/packages/cef/2.3.3/kibana/visualization/cef-566d8b4e-ec5c-4b8b-bd68-3cc9cb236110.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "Top Destinations by Traffic Size [Logs CEF ArcSight]", - "uiStateJSON": "{\"vis\":{\"defaultColors\":{\"0 - 18k\":\"rgb(247,251,255)\",\"108k - 126k\":\"rgb(74,152,201)\",\"126k - 144k\":\"rgb(46,126,188)\",\"144k - 162k\":\"rgb(23,100,171)\",\"162k - 180k\":\"rgb(8,74,145)\",\"18k - 36k\":\"rgb(227,238,249)\",\"36k - 54k\":\"rgb(208,225,242)\",\"54k - 72k\":\"rgb(182,212,233)\",\"72k - 90k\":\"rgb(148,196,223)\",\"90k - 108k\":\"rgb(107,174,214)\"}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Bytes\",\"field\":\"source.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"filters\":[{\"input\":{\"language\":\"lucene\",\"query\":\"deviceDirection:\\\"0\\\"\"},\"label\":\"Inbound\"},{\"input\":{\"language\":\"lucene\",\"query\":\"deviceDirection:\\\"1\\\"\"},\"label\":\"Outbound\"}]},\"schema\":\"segment\",\"type\":\"filters\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"destination.domain\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":10},\"schema\":\"group\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTooltip\":true,\"colorSchema\":\"Blues\",\"colorsNumber\":10,\"colorsRange\":[{\"from\":0,\"to\":null}],\"enableHover\":true,\"invertColors\":false,\"legendPosition\":\"top\",\"percentageMode\":false,\"setColorRange\":false,\"times\":[],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"color\":\"#555\",\"rotate\":0,\"show\":false},\"scale\":{\"defaultYExtents\":false,\"type\":\"linear\"},\"show\":false,\"type\":\"value\"}]},\"title\":\"Top Destinations by Traffic Size [Logs CEF ArcSight]\",\"type\":\"heatmap\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-566d8b4e-ec5c-4b8b-bd68-3cc9cb236110", - "migrationVersion": { - "visualization": 
"8.0.0" - }, - "references": [ - { - "id": "cef-f85a3444-8a43-4e46-b872-4e44bc25d0f3", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cef/2.3.3/kibana/visualization/cef-589fec8c-336e-4122-8fef-a450bddf84f6.json b/packages/cef/2.3.3/kibana/visualization/cef-589fec8c-336e-4122-8fef-a450bddf84f6.json deleted file mode 100755 index bb3e848ce7..0000000000 --- a/packages/cef/2.3.3/kibana/visualization/cef-589fec8c-336e-4122-8fef-a450bddf84f6.json +++ /dev/null @@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "Top 10 Source Addresses [Logs CEF ArcSight]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Source Addresses\",\"field\":\"source.ip\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"maxFontSize\":72,\"minFontSize\":18,\"orientation\":\"single\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"linear\"},\"title\":\"Top 10 Source Addresses [Logs CEF ArcSight]\",\"type\":\"tagcloud\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-589fec8c-336e-4122-8fef-a450bddf84f6", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "cef-68202a5c-c8f2-432f-8c08-04fbfacb95c8", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cef/2.3.3/kibana/visualization/cef-59ad829b-12b8-4256-95a5-e7078eda628b.json b/packages/cef/2.3.3/kibana/visualization/cef-59ad829b-12b8-4256-95a5-e7078eda628b.json deleted file mode 100755 index 38ac936b78..0000000000 
--- a/packages/cef/2.3.3/kibana/visualization/cef-59ad829b-12b8-4256-95a5-e7078eda628b.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "Source Users by Event Type and Destination Users [Logs CEF ArcSight]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Source Users\",\"field\":\"source.user.name\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":20},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Event Types\",\"field\":\"cef.extensions.categoryBehavior\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Destination User Names\",\"field\":\"destination.user.name\"},\"schema\":\"metric\",\"type\":\"cardinality\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Source Users\"},\"type\":\"category\"}],\"defaultYExtents\":false,\"drawLinesBetweenPoints\":true,\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"legendPosition\":\"right\",\"radiusRatio\":9,\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"mode\":\"stacked\",\"show\":\"true\",\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"},{\"data\":{\"id\":\"3\",\"label\":\"Event Types\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"stacked\",\"show\":true,\"showCircles\":true,\"type\":\"line\",\"valueAxis\":\"ValueAxis-2\"},{\"data\":{\"id\":\"4\",\"label\":\"Destination User 
Names\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"stacked\",\"show\":true,\"showCircles\":true,\"type\":\"line\",\"valueAxis\":\"ValueAxis-2\"}],\"setYExtents\":false,\"showCircles\":true,\"times\":[],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"square root\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"},{\"id\":\"ValueAxis-2\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"RightAxis-1\",\"position\":\"right\",\"scale\":{\"mode\":\"normal\",\"type\":\"square root\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"\"},\"type\":\"value\"}]},\"title\":\"Source Users by Event Type and Destination Users [Logs CEF ArcSight]\",\"type\":\"histogram\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-59ad829b-12b8-4256-95a5-e7078eda628b", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "cef-e6cf2383-71f4-4db1-a791-1a7d4f110194", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cef/2.3.3/kibana/visualization/cef-5bf6e4dc-4273-4e1e-a803-04347eebeb53.json b/packages/cef/2.3.3/kibana/visualization/cef-5bf6e4dc-4273-4e1e-a803-04347eebeb53.json deleted file mode 100755 index 558660d19f..0000000000 --- a/packages/cef/2.3.3/kibana/visualization/cef-5bf6e4dc-4273-4e1e-a803-04347eebeb53.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "Outcomes by User Names [Logs CEF ArcSight]", - "uiStateJSON": "{\"vis\":{\"colors\":{\"/Informational\":\"#7EB26D\",\"/Informational/Warning\":\"#EF843C\",\"/Success\":\"#64B0C8\",\"Anti-Virus\":\"#B7DBAB\",\"Host-based IDS/IPS\":\"#629E51\",\"Log Consolidator\":\"#E0F9D7\",\"Operating System\":\"#3F6833\",\"Recon\":\"#BF1B00\",\"Security Mangement\":\"#CFFAFF\"},\"legendOpen\":true}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"exclude\":\"Network-based IDS/IPS\",\"field\":\"cef.extensions.categoryDeviceType\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"cef.extensions.categoryOutcome\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"6\",\"params\":{\"field\":\"destination.user.name\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":false,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"}},\"title\":\"Outcomes by User Names [Logs CEF ArcSight]\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-5bf6e4dc-4273-4e1e-a803-04347eebeb53", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "cef-5cede2d3-20fe-4140-add4-4c4f841b71a2", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/cef/2.3.3/kibana/visualization/cef-5f187dc8-aa7e-4f91-a2d8-1186ce254d00.json b/packages/cef/2.3.3/kibana/visualization/cef-5f187dc8-aa7e-4f91-a2d8-1186ce254d00.json deleted file mode 100755 index 0a393d6652..0000000000 --- a/packages/cef/2.3.3/kibana/visualization/cef-5f187dc8-aa7e-4f91-a2d8-1186ce254d00.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "Events by Source and Destination Users [Logs CEF ArcSight]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Event Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Timestamp\",\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Source Users\",\"field\":\"source.user.name\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Destination Users\",\"field\":\"destination.user.name\"},\"schema\":\"metric\",\"type\":\"cardinality\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Timestamp\"},\"type\":\"category\"}],\"defaultYExtents\":false,\"drawLinesBetweenPoints\":true,\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"legendPosition\":\"right\",\"radiusRatio\":9,\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Event Count\"},\"drawLinesBetweenPoints\":true,\"mode\":\"stacked\",\"show\":\"true\",\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"},{\"data\":{\"id\":\"3\",\"label\":\"Source Users\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":3,\"mode\":\"normal\",\"show\":true,\"showCircles\":true,\"type\":\"line\",\"valueAxis\":\"ValueAxis-2\"},{\"data\":{\"id\":\"4\",\"label\":\"Destination 
Users\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":3,\"mode\":\"normal\",\"show\":true,\"showCircles\":true,\"type\":\"line\",\"valueAxis\":\"ValueAxis-2\"}],\"setYExtents\":false,\"showCircles\":true,\"times\":[],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Event Count\"},\"type\":\"value\"},{\"id\":\"ValueAxis-2\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"RightAxis-1\",\"position\":\"right\",\"scale\":{\"mode\":\"normal\",\"type\":\"square root\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"\"},\"type\":\"value\"}]},\"title\":\"Events by Source and Destination Users [Logs CEF ArcSight]\",\"type\":\"histogram\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-5f187dc8-aa7e-4f91-a2d8-1186ce254d00", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "cef-e6cf2383-71f4-4db1-a791-1a7d4f110194", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cef/2.3.3/kibana/visualization/cef-62b06e9a-b8d2-4dfe-8dc6-4378331520aa.json b/packages/cef/2.3.3/kibana/visualization/cef-62b06e9a-b8d2-4dfe-8dc6-4378331520aa.json deleted file mode 100755 index 6b2188bd73..0000000000 --- a/packages/cef/2.3.3/kibana/visualization/cef-62b06e9a-b8d2-4dfe-8dc6-4378331520aa.json +++ /dev/null 
@@ -1,19 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Network - Event Throughput [Logs CEF]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"background_color_rules\":[{\"id\":\"3eadd451-5033-423f-88e3-814cc5e50b50\"}],\"bar_color_rules\":[{\"id\":\"8d4596c5-49ad-429b-af54-5451b1c2e8d4\"}],\"drop_last_bucket\":1,\"filter\":{\"language\":\"lucene\",\"query\":\"cef.extensions.categoryDeviceType:\\\"Firewall\\\" OR cef.extensions.categoryDeviceGroup:\\\"/IDS/Network\\\" OR cef.extensions.categoryDeviceGroup:\\\"/VPN\\\" \"},\"gauge_color_rules\":[{\"gauge\":null,\"id\":\"4d957654-cc7e-4ef3-8b29-61c0aeadd51a\",\"value\":0}],\"gauge_inner_width\":10,\"gauge_max\":\"\",\"gauge_style\":\"half\",\"gauge_width\":10,\"hide_last_value_indicator\":true,\"id\":\"73968651-c41e-473e-a153-a025f49d1a1b\",\"index_pattern\":\"logs-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(0,156,224,1)\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"90d7621e-3265-4fe8-8882-8df9605ea659\",\"label\":\"Event 
Throughput\",\"line_width\":1,\"metrics\":[{\"id\":\"ba1830b9-9ce3-4bf1-8f4d-f7478b7f1bba\",\"type\":\"count\"},{\"field\":\"ba1830b9-9ce3-4bf1-8f4d-f7478b7f1bba\",\"id\":\"ca3a65d0-9f3d-42a9-9f4e-16f9e24cba19\",\"type\":\"cumulative_sum\"},{\"field\":\"ca3a65d0-9f3d-42a9-9f4e-16f9e24cba19\",\"id\":\"6db67bc1-7fff-47e7-a931-f797b1f76732\",\"type\":\"derivative\",\"unit\":\"1s\"},{\"alpha\":0.3,\"beta\":0.1,\"field\":\"6db67bc1-7fff-47e7-a931-f797b1f76732\",\"gamma\":0.3,\"id\":\"92bc1447-2b30-498c-ae8a-c67904fc82b2\",\"model_type\":\"simple\",\"multiplicative\":false,\"period\":1,\"type\":\"moving_average\",\"window\":\"10\"}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\",\"value_template\":\"{{value}} / s\"}],\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"gauge\",\"use_kibana_indexes\":false},\"title\":\"Network - Event Throughput [Logs CEF]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-62b06e9a-b8d2-4dfe-8dc6-4378331520aa", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cef/2.3.3/kibana/visualization/cef-6437e9bb-9ed1-4e2d-bb10-e63ccd35c409.json b/packages/cef/2.3.3/kibana/visualization/cef-6437e9bb-9ed1-4e2d-bb10-e63ccd35c409.json deleted file mode 100755 index cc03e710d3..0000000000 --- a/packages/cef/2.3.3/kibana/visualization/cef-6437e9bb-9ed1-4e2d-bb10-e63ccd35c409.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "Top 10 Source Users by Destination Users [Logs CEF ArcSight]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Source Users\",\"field\":\"source.user.name\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Destination Users\",\"field\":\"destination.user.name\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"legendPosition\":\"bottom\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"}},\"title\":\"Top 10 Source Users by Destination Users [Logs CEF ArcSight]\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-6437e9bb-9ed1-4e2d-bb10-e63ccd35c409", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "cef-e6cf2383-71f4-4db1-a791-1a7d4f110194", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cef/2.3.3/kibana/visualization/cef-655beadd-2678-4495-8793-72b5780f6283.json b/packages/cef/2.3.3/kibana/visualization/cef-655beadd-2678-4495-8793-72b5780f6283.json deleted file mode 100755 index bee1ff9470..0000000000 --- a/packages/cef/2.3.3/kibana/visualization/cef-655beadd-2678-4495-8793-72b5780f6283.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "Top 10 Source Addresses [Logs CEF]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Source Addresses\",\"field\":\"source.ip\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"maxFontSize\":72,\"minFontSize\":18,\"orientation\":\"single\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"linear\"},\"title\":\"Top 10 Source Addresses [Logs CEF]\",\"type\":\"tagcloud\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-655beadd-2678-4495-8793-72b5780f6283", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "cef-357351f2-fbd1-41b6-9b03-592fbb7aec7c", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cef/2.3.3/kibana/visualization/cef-677891a1-90c4-4273-b126-f0e54689bd76.json b/packages/cef/2.3.3/kibana/visualization/cef-677891a1-90c4-4273-b126-f0e54689bd76.json deleted file mode 100755 index 834908bc67..0000000000 --- a/packages/cef/2.3.3/kibana/visualization/cef-677891a1-90c4-4273-b126-f0e54689bd76.json +++ /dev/null 
@@ -1,19 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"query_string\":{\"query\":\"*\"}}}" - }, - "title": " Dashboard Navigation [Logs CEF ArcSight]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"markdown\":\"[Network Overview](#/dashboard/cef-dd0bc9af-2e89-4150-9b42-62517ea56b71) | [Network Suspicious Activity](#/dashboard/cef-db1e1aca-279e-4ecc-b84e-fe58644f7619) | [Endpoint Overview](#dashboard/cef-c10ce1cf-f6b8-4de4-8715-2cb5f6770b3b) | [Endpoint OS Activity](#/dashboard/cef-9e352900-89c3-4c1b-863e-249e24d0dac9) | [Microsoft DNS Overview](#/dashboard/cef-56428e01-0c47-4770-8ba4-9345a029ea41)\"},\"title\":\" Dashboard Navigation [Logs CEF ArcSight]\",\"type\":\"markdown\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-677891a1-90c4-4273-b126-f0e54689bd76", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cef/2.3.3/kibana/visualization/cef-718b074e-3dd1-4d03-ba11-7f869cdcd703.json b/packages/cef/2.3.3/kibana/visualization/cef-718b074e-3dd1-4d03-ba11-7f869cdcd703.json deleted file mode 100755 index 9518a579c1..0000000000 --- a/packages/cef/2.3.3/kibana/visualization/cef-718b074e-3dd1-4d03-ba11-7f869cdcd703.json +++ /dev/null 
@@ -1,19 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Events by Device [Logs CEF ArcSight]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"drop_last_bucket\":1,\"filter\":{\"language\":\"lucene\",\"query\":\"cef.extensions.categoryDeviceGroup:\\\"/Operating System\\\" OR cef.extensions.categoryDeviceGroup:\\\"/IDS/Host\\\" OR cef.extensions.categoryDeviceGroup:\\\"/Application\\\"\"},\"id\":\"fd1ffeb6-678e-4163-9421-6a164fd59048\",\"index_pattern\":\"logs-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(254,37,37,1)\",\"fill\":\"0\",\"formatter\":\"number\",\"id\":\"6a10f77d-4e26-4b27-9c19-f1b0029b075b\",\"label\":\"Events\",\"line_width\":\"3\",\"metrics\":[{\"id\":\"845b9164-65f4-4599-b9cc-8d91b6ba8d83\",\"type\":\"count\"},{\"alpha\":0.3,\"beta\":0.1,\"field\":\"845b9164-65f4-4599-b9cc-8d91b6ba8d83\",\"gamma\":0.3,\"id\":\"59675e84-1a8e-41df-9f63-875109bd795a\",\"model_type\":\"simple\",\"multiplicative\":false,\"period\":1,\"type\":\"moving_average\",\"window\":\"10\"}],\"point_size\":1,\"seperate_axis\":1,\"split_color_mode\":\"gradient\",\"split_filters\":[{\"color\":\"rgba(244,78,59,1)\",\"filter\":{\"language\":\"lucene\",\"query\":\"cef.extensions.categoryDeviceGroup:\\\"/Operating System\\\" \"},\"id\":\"d9a580c3-eb83-4d20-a391-0934d7df8837\",\"label\":\"Operating System\"},{\"color\":\"rgba(254,146,0,1)\",\"filter\":{\"language\":\"lucene\",\"query\":\" cef.extensions.categoryDeviceGroup:\\\"/IDS/Host\\\"\"},\"id\":\"9ce8be14-6191-4c9a-a679-e3992fdab8d2\",\"label\":\"Host 
IDS\"},{\"color\":\"rgba(252,220,0,1)\",\"filter\":{\"language\":\"lucene\",\"query\":\"cef.extensions.categoryDeviceGroup:\\\"/Application\\\"\"},\"id\":\"262ecd54-a042-4bfb-b489-d7db8431c36e\",\"label\":\"Application\"}],\"split_mode\":\"filters\",\"stacked\":\"none\"},{\"axis_position\":\"left\",\"chart_type\":\"bar\",\"color\":\"rgba(0,156,224,1)\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"92e98952-8e25-472f-abb5-05a7d9b830ea\",\"label\":\"Moving Average by Device HostNames\",\"line_width\":1,\"metrics\":[{\"id\":\"3df841a9-5997-4a1a-ad8f-69620d23e65b\",\"type\":\"count\"},{\"alpha\":0.3,\"beta\":0.1,\"field\":\"3df841a9-5997-4a1a-ad8f-69620d23e65b\",\"gamma\":0.3,\"id\":\"9765367a-0fc2-45ba-88a8-e87991210edd\",\"model_type\":\"simple\",\"multiplicative\":false,\"period\":1,\"type\":\"moving_average\",\"window\":\"10\"}],\"point_size\":1,\"seperate_axis\":1,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"observer.hostname\"}],\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Events by Device [Logs CEF ArcSight]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-718b074e-3dd1-4d03-ba11-7f869cdcd703", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cef/2.3.3/kibana/visualization/cef-7454c034-c5f3-48fe-8fce-ef4385c80350.json b/packages/cef/2.3.3/kibana/visualization/cef-7454c034-c5f3-48fe-8fce-ef4385c80350.json deleted file mode 100755 index c978cbecff..0000000000 --- a/packages/cef/2.3.3/kibana/visualization/cef-7454c034-c5f3-48fe-8fce-ef4385c80350.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "Endpoint Metrics Overview [Logs CEF ArcSight]", - "uiStateJSON": "{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Event Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Devices\",\"field\":\"observer.hostname\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Source\",\"field\":\"source.ip\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Destination\",\"field\":\"destination.ip\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"5\",\"params\":{\"customLabel\":\"Port\",\"field\":\"destination.port\"},\"schema\":\"metric\",\"type\":\"cardinality\"}],\"listeners\":{},\"params\":{\"addLegend\":false,\"addTooltip\":true,\"fontSize\":\"30\",\"gauge\":{\"autoExtend\":false,\"backStyle\":\"Full\",\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":100}],\"gaugeColorMode\":\"None\",\"gaugeStyle\":\"Full\",\"gaugeType\":\"Metric\",\"invertColors\":false,\"labels\":{\"color\":\"black\",\"show\":true},\"orientation\":\"vertical\",\"percentageMode\":false,\"scale\":{\"color\":\"#333\",\"labels\":false,\"show\":false,\"width\":2},\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":\"12\",\"labelColor\":false,\"subText\":\"\"},\"type\":\"simple\",\"useRange\":false,\"verticalSplit\":false},\"handleNoResults\":true,\"type\":\"gauge\"},\"title\":\"Endpoint Metrics Overview [Logs CEF ArcSight]\",\"type\":\"metric\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-7454c034-c5f3-48fe-8fce-ef4385c80350", - "migrationVersion": { - "visualization": 
"8.0.0" - }, - "references": [ - { - "id": "cef-5cede2d3-20fe-4140-add4-4c4f841b71a2", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cef/2.3.3/kibana/visualization/cef-74d2c072-6dfd-4249-8e63-dc7b0cf3c960.json b/packages/cef/2.3.3/kibana/visualization/cef-74d2c072-6dfd-4249-8e63-dc7b0cf3c960.json deleted file mode 100755 index dc2ddd1c89..0000000000 --- a/packages/cef/2.3.3/kibana/visualization/cef-74d2c072-6dfd-4249-8e63-dc7b0cf3c960.json +++ /dev/null @@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "Top 5 Source Countries [Logs CEF ArcSight]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"source.geo.country_iso_code\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":20},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"maxFontSize\":72,\"minFontSize\":18,\"orientation\":\"single\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"linear\"},\"title\":\"Top 5 Source Countries [Logs CEF ArcSight]\",\"type\":\"tagcloud\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-74d2c072-6dfd-4249-8e63-dc7b0cf3c960", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "cef-5cede2d3-20fe-4140-add4-4c4f841b71a2", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cef/2.3.3/kibana/visualization/cef-759e8dc3-0fdb-4cb6-ba47-87a2e2ff8df3.json b/packages/cef/2.3.3/kibana/visualization/cef-759e8dc3-0fdb-4cb6-ba47-87a2e2ff8df3.json deleted file mode 100755 index 09e0d6ff6a..0000000000 
--- a/packages/cef/2.3.3/kibana/visualization/cef-759e8dc3-0fdb-4cb6-ba47-87a2e2ff8df3.json +++ /dev/null @@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "Top 10 Event Types [Logs CEF ArcSight]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"cef.device.event_class_id\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"maxFontSize\":50,\"minFontSize\":12,\"orientation\":\"single\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"square root\"},\"title\":\"Top 10 Event Types [Logs CEF ArcSight]\",\"type\":\"tagcloud\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-759e8dc3-0fdb-4cb6-ba47-87a2e2ff8df3", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "cef-f85a3444-8a43-4e46-b872-4e44bc25d0f3", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cef/2.3.3/kibana/visualization/cef-769e3f37-2b08-4edb-9013-09140a520e69.json b/packages/cef/2.3.3/kibana/visualization/cef-769e3f37-2b08-4edb-9013-09140a520e69.json deleted file mode 100755 index 4600411dab..0000000000 --- a/packages/cef/2.3.3/kibana/visualization/cef-769e3f37-2b08-4edb-9013-09140a520e69.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "Top 10 Destination Addresses [Logs CEF]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Destination Addresses\",\"field\":\"destination.ip\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"maxFontSize\":72,\"minFontSize\":18,\"orientation\":\"single\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"linear\"},\"title\":\"Top 10 Destination Addresses [Logs CEF]\",\"type\":\"tagcloud\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-769e3f37-2b08-4edb-9013-09140a520e69", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "cef-357351f2-fbd1-41b6-9b03-592fbb7aec7c", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cef/2.3.3/kibana/visualization/cef-76c088c3-486e-4420-8840-5ede667edffe.json b/packages/cef/2.3.3/kibana/visualization/cef-76c088c3-486e-4420-8840-5ede667edffe.json deleted file mode 100755 index 7ba2b39a50..0000000000 --- a/packages/cef/2.3.3/kibana/visualization/cef-76c088c3-486e-4420-8840-5ede667edffe.json +++ /dev/null 
@@ -1,19 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Endpoint - OS Average EPS [Logs CEF ArcSight]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"bar_color_rules\":[{\"id\":\"ce9549a0-3af0-4070-b169-4b6d145d4c39\"}],\"drop_last_bucket\":1,\"filter\":{\"language\":\"lucene\",\"query\":\"cef.extensions.categoryDeviceGroup:\\\"/Operating System\\\"\"},\"gauge_color_rules\":[{\"id\":\"03a2fd72-fc9c-4582-9133-20af36217180\"}],\"gauge_inner_width\":10,\"gauge_style\":\"half\",\"gauge_width\":10,\"hide_last_value_indicator\":true,\"id\":\"94161c6c-4f48-4beb-9d78-f79f29c02a34\",\"index_pattern\":\"logs-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(0,156,224,1)\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"b4373ffd-9660-4206-afd6-d4867ac7dbdf\",\"label\":\"Event Throughput\",\"line_width\":1,\"metrics\":[{\"id\":\"b1a48389-d799-4eba-8b98-7ee8ef0bb440\",\"type\":\"count\"},{\"field\":\"b1a48389-d799-4eba-8b98-7ee8ef0bb440\",\"id\":\"89f8286e-4aec-4cb4-83ad-b139692edf3d\",\"type\":\"cumulative_sum\"},{\"field\":\"89f8286e-4aec-4cb4-83ad-b139692edf3d\",\"id\":\"1df39e5f-3e98-4ed7-ab08-47f3ca2ee915\",\"type\":\"derivative\",\"unit\":\"1s\"},{\"alpha\":0.3,\"beta\":0.1,\"field\":\"1df39e5f-3e98-4ed7-ab08-47f3ca2ee915\",\"gamma\":0.3,\"id\":\"f46a6e6e-444f-4c7e-b5eb-e1a59568f2eb\",\"model_type\":\"simple\",\"multiplicative\":false,\"period\":1,\"type\":\"moving_average\",\"window\":\"10\"}],\"offset_time\":\"1m\",\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\",\"value_template\":\"{{value}} / s\"}],\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"gauge\",\"use_kibana_indexes\":false},\"title\":\"Endpoint - OS Average EPS [Logs CEF 
ArcSight]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-76c088c3-486e-4420-8840-5ede667edffe", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cef/2.3.3/kibana/visualization/cef-77ee0e91-010b-4897-b483-7e9a907d2afe.json b/packages/cef/2.3.3/kibana/visualization/cef-77ee0e91-010b-4897-b483-7e9a907d2afe.json deleted file mode 100755 index fa5dcd2adc..0000000000 --- a/packages/cef/2.3.3/kibana/visualization/cef-77ee0e91-010b-4897-b483-7e9a907d2afe.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "Top 10 Behaviors by Outcome [Logs CEF ArcSight]", - "uiStateJSON": "{\"vis\":{\"defaultColors\":{\"0 - 9,000\":\"rgb(255,255,204)\",\"18,000 - 27,000\":\"rgb(254,225,135)\",\"27,000 - 36,000\":\"rgb(254,201,101)\",\"36,000 - 45,000\":\"rgb(254,171,73)\",\"45,000 - 54,000\":\"rgb(253,141,60)\",\"54,000 - 63,000\":\"rgb(252,91,46)\",\"63,000 - 72,000\":\"rgb(237,47,34)\",\"72,000 - 81,000\":\"rgb(212,16,32)\",\"81,000 - 90,000\":\"rgb(176,0,38)\",\"9,000 - 18,000\":\"rgb(255,241,170)\"}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Event Type\",\"field\":\"cef.extensions.categoryBehavior\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Event Outcome\",\"field\":\"cef.extensions.categoryOutcome\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTooltip\":true,\"colorSchema\":\"Yellow to Red\",\"colorsNumber\":10,\"colorsRange\":[],\"enableHover\":true,\"invertColors\":false,\"legendPosition\":\"right\",\"percentageMode\":false,\"setColorRange\":false,\"times\":[],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"color\":\"#555\",\"rotate\":0,\"show\":false},\"scale\":{\"defaultYExtents\":false,\"type\":\"linear\"},\"show\":false,\"type\":\"value\"}]},\"title\":\"Top 10 Behaviors by Outcome [Logs CEF ArcSight]\",\"type\":\"heatmap\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-77ee0e91-010b-4897-b483-7e9a907d2afe", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": 
"cef-e6cf2383-71f4-4db1-a791-1a7d4f110194", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cef/2.3.3/kibana/visualization/cef-7dc26e6f-76d4-4454-99a9-6ccbba8948f0.json b/packages/cef/2.3.3/kibana/visualization/cef-7dc26e6f-76d4-4454-99a9-6ccbba8948f0.json deleted file mode 100755 index 872327564c..0000000000 --- a/packages/cef/2.3.3/kibana/visualization/cef-7dc26e6f-76d4-4454-99a9-6ccbba8948f0.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "Top 15 Event Types by Events [Logs CEF]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Event Types\",\"field\":\"event.action\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":15},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Source Users\",\"field\":\"source.user.name\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Destination Users\",\"field\":\"destination.user.name\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"5\",\"params\":{\"customLabel\":\"Source Hosts\",\"field\":\"source.domain\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"6\",\"params\":{\"customLabel\":\"Destination Hosts\",\"field\":\"destination.domain\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"}],\"listeners\":{},\"params\":{\"perPage\":15,\"showMeticsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Top 15 Event Types by Events [Logs CEF]\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-7dc26e6f-76d4-4454-99a9-6ccbba8948f0", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "cef-46204a7b-ca56-4ad7-bf60-5ef9c6b83042", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/cef/2.3.3/kibana/visualization/cef-7e2b0659-0760-4182-8b29-3ee69f26bc6f.json b/packages/cef/2.3.3/kibana/visualization/cef-7e2b0659-0760-4182-8b29-3ee69f26bc6f.json deleted file mode 100755 index 86943ae981..0000000000 --- a/packages/cef/2.3.3/kibana/visualization/cef-7e2b0659-0760-4182-8b29-3ee69f26bc6f.json +++ /dev/null 
@@ -1,19 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "DNS - Event Throughput [Logs CEF ArcSight]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"background_color_rules\":[{\"id\":\"3eadd451-5033-423f-88e3-814cc5e50b50\"}],\"bar_color_rules\":[{\"id\":\"fa374805-d1ca-4261-b723-9b482a7dd43a\"}],\"drop_last_bucket\":1,\"filter\":{\"language\":\"lucene\",\"query\":\"cef.device.product:\\\"DNS Trace Log\\\"\"},\"gauge_color_rules\":[{\"gauge\":null,\"id\":\"4d957654-cc7e-4ef3-8b29-61c0aeadd51a\",\"value\":0}],\"gauge_inner_width\":10,\"gauge_max\":\"\",\"gauge_style\":\"half\",\"gauge_width\":10,\"hide_last_value_indicator\":true,\"id\":\"73968651-c41e-473e-a153-a025f49d1a1b\",\"index_pattern\":\"logs-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(0,156,224,1)\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"90d7621e-3265-4fe8-8882-8df9605ea659\",\"label\":\"Event Throughput\",\"line_width\":1,\"metrics\":[{\"id\":\"ba1830b9-9ce3-4bf1-8f4d-f7478b7f1bba\",\"type\":\"count\"},{\"field\":\"ba1830b9-9ce3-4bf1-8f4d-f7478b7f1bba\",\"id\":\"cf3e6b1c-4136-4868-913e-0e82d88a8c9c\",\"type\":\"cumulative_sum\"},{\"field\":\"cf3e6b1c-4136-4868-913e-0e82d88a8c9c\",\"id\":\"0e407985-9ae4-4c1f-bb0e-16cd9bef7611\",\"type\":\"derivative\",\"unit\":\"1s\"},{\"alpha\":0.3,\"beta\":0.1,\"field\":\"0e407985-9ae4-4c1f-bb0e-16cd9bef7611\",\"gamma\":0.3,\"id\":\"48026f85-83c8-40e6-aff4-71f3bd6c77c9\",\"model_type\":\"simple\",\"multiplicative\":false,\"period\":1,\"type\":\"moving_average\",\"window\":\"10\"}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\",\"value_template\":\"{{value}} / 
s\"}],\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"gauge\",\"use_kibana_indexes\":false},\"title\":\"DNS - Event Throughput [Logs CEF ArcSight]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-7e2b0659-0760-4182-8b29-3ee69f26bc6f", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cef/2.3.3/kibana/visualization/cef-82a333a7-d9d3-4752-b564-160d4b9f188b.json b/packages/cef/2.3.3/kibana/visualization/cef-82a333a7-d9d3-4752-b564-160d4b9f188b.json deleted file mode 100755 index 40aa11b8ad..0000000000 --- a/packages/cef/2.3.3/kibana/visualization/cef-82a333a7-d9d3-4752-b564-160d4b9f188b.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "Top 10 Sources by Destinations [Logs CEF]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Source Host\",\"field\":\"source.domain\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Destination Host\",\"field\":\"destination.domain\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"legendPosition\":\"bottom\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"}},\"title\":\"Top 10 Sources by Destinations [Logs CEF]\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-82a333a7-d9d3-4752-b564-160d4b9f188b", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "cef-46204a7b-ca56-4ad7-bf60-5ef9c6b83042", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cef/2.3.3/kibana/visualization/cef-82f3fae3-1189-4f04-8ea5-47fde1d2e7b1.json b/packages/cef/2.3.3/kibana/visualization/cef-82f3fae3-1189-4f04-8ea5-47fde1d2e7b1.json deleted file mode 100755 index 899b95824b..0000000000 --- a/packages/cef/2.3.3/kibana/visualization/cef-82f3fae3-1189-4f04-8ea5-47fde1d2e7b1.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "Top 5 Sources by Destination Addresses [Logs CEF ArcSight]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Destination Addresses\",\"field\":\"destination.ip\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Event Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Source Address\",\"field\":\"source.ip\",\"order\":\"desc\",\"orderBy\":\"2\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"perPage\":10,\"showMeticsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Top 5 Sources by Destination Addresses [Logs CEF ArcSight]\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-82f3fae3-1189-4f04-8ea5-47fde1d2e7b1", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "cef-68202a5c-c8f2-432f-8c08-04fbfacb95c8", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cef/2.3.3/kibana/visualization/cef-841a5d3f-c201-4499-a0fd-883247360640.json b/packages/cef/2.3.3/kibana/visualization/cef-841a5d3f-c201-4499-a0fd-883247360640.json deleted file mode 100755 index ba984322c2..0000000000 --- a/packages/cef/2.3.3/kibana/visualization/cef-841a5d3f-c201-4499-a0fd-883247360640.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "Top 10 Devices by Outcome [Logs CEF]", - "uiStateJSON": "{\"vis\":{\"defaultColors\":{\"0% - 17%\":\"rgb(255,255,204)\",\"17% - 34%\":\"rgb(255,230,146)\",\"34% - 50%\":\"rgb(254,191,90)\",\"50% - 67%\":\"rgb(253,141,60)\",\"67% - 84%\":\"rgb(244,61,37)\",\"84% - 100%\":\"rgb(202,8,35)\"}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Device Host Names\",\"field\":\"observer.hostname\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Event Outcome\",\"field\":\"event.outcome\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTooltip\":true,\"colorSchema\":\"Yellow to Red\",\"colorsNumber\":6,\"colorsRange\":[],\"enableHover\":true,\"invertColors\":false,\"legendPosition\":\"right\",\"percentageMode\":true,\"setColorRange\":false,\"times\":[],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"color\":\"#555\",\"rotate\":0,\"show\":false},\"scale\":{\"defaultYExtents\":false,\"type\":\"linear\"},\"show\":false,\"type\":\"value\"}]},\"title\":\"Top 10 Devices by Outcome [Logs CEF]\",\"type\":\"heatmap\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-841a5d3f-c201-4499-a0fd-883247360640", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "cef-357351f2-fbd1-41b6-9b03-592fbb7aec7c", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/cef/2.3.3/kibana/visualization/cef-85818e02-7a16-4afa-8278-99c4059ddd82.json b/packages/cef/2.3.3/kibana/visualization/cef-85818e02-7a16-4afa-8278-99c4059ddd82.json deleted file mode 100755 index 3386972ae8..0000000000 --- a/packages/cef/2.3.3/kibana/visualization/cef-85818e02-7a16-4afa-8278-99c4059ddd82.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "Top 10 Devices by Bandwidth [Logs CEF]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Device\",\"field\":\"observer.hostname\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Source(s)\",\"field\":\"source.ip\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"5\",\"params\":{\"customLabel\":\"Destination(s)\",\"field\":\"destination.ip\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"6\",\"params\":{\"customLabel\":\"Destination Ports\",\"field\":\"destination.port\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Bandwidth (Incoming)\",\"field\":\"source.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Bandwidth (Outgoing)\",\"field\":\"destination.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"}],\"listeners\":{},\"params\":{\"perPage\":10,\"showMeticsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Top 10 Devices by Bandwidth [Logs CEF]\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-85818e02-7a16-4afa-8278-99c4059ddd82", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "cef-357351f2-fbd1-41b6-9b03-592fbb7aec7c", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/cef/2.3.3/kibana/visualization/cef-868d68b5-3e62-4fc2-b942-fbb69a7c91d5.json b/packages/cef/2.3.3/kibana/visualization/cef-868d68b5-3e62-4fc2-b942-fbb69a7c91d5.json deleted file mode 100755 index b3f601f158..0000000000 --- a/packages/cef/2.3.3/kibana/visualization/cef-868d68b5-3e62-4fc2-b942-fbb69a7c91d5.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "Source Users by Event Type and Destination Users [Logs CEF]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Source Users\",\"field\":\"source.user.name\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":20},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Event Types\",\"field\":\"event.action\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Destination User Names\",\"field\":\"destination.user.name\"},\"schema\":\"metric\",\"type\":\"cardinality\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Source Users\"},\"type\":\"category\"}],\"defaultYExtents\":false,\"drawLinesBetweenPoints\":true,\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"legendPosition\":\"right\",\"radiusRatio\":9,\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"mode\":\"stacked\",\"show\":\"true\",\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"},{\"data\":{\"id\":\"3\",\"label\":\"Event Types\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"stacked\",\"show\":true,\"showCircles\":true,\"type\":\"line\",\"valueAxis\":\"ValueAxis-2\"},{\"data\":{\"id\":\"4\",\"label\":\"Destination User 
Names\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"stacked\",\"show\":true,\"showCircles\":true,\"type\":\"line\",\"valueAxis\":\"ValueAxis-2\"}],\"setYExtents\":false,\"showCircles\":true,\"times\":[],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"square root\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"},{\"id\":\"ValueAxis-2\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"RightAxis-1\",\"position\":\"right\",\"scale\":{\"mode\":\"normal\",\"type\":\"square root\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"\"},\"type\":\"value\"}]},\"title\":\"Source Users by Event Type and Destination Users [Logs CEF]\",\"type\":\"histogram\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-868d68b5-3e62-4fc2-b942-fbb69a7c91d5", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "cef-46204a7b-ca56-4ad7-bf60-5ef9c6b83042", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cef/2.3.3/kibana/visualization/cef-86bd5f13-ca6b-43fa-b209-54e7460344bb.json b/packages/cef/2.3.3/kibana/visualization/cef-86bd5f13-ca6b-43fa-b209-54e7460344bb.json deleted file mode 100755 index 34d704fef6..0000000000 --- a/packages/cef/2.3.3/kibana/visualization/cef-86bd5f13-ca6b-43fa-b209-54e7460344bb.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "Top 10 Destination Addresses [Logs CEF ArcSight]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Destination Addresses\",\"field\":\"destination.ip\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"maxFontSize\":72,\"minFontSize\":18,\"orientation\":\"single\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"linear\"},\"title\":\"Top 10 Destination Addresses [Logs CEF ArcSight]\",\"type\":\"tagcloud\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-86bd5f13-ca6b-43fa-b209-54e7460344bb", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "cef-68202a5c-c8f2-432f-8c08-04fbfacb95c8", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cef/2.3.3/kibana/visualization/cef-8869f0bb-b8a3-4e6b-b3c4-3cc80b67b3da.json b/packages/cef/2.3.3/kibana/visualization/cef-8869f0bb-b8a3-4e6b-b3c4-3cc80b67b3da.json deleted file mode 100755 index 776e8391c6..0000000000 --- a/packages/cef/2.3.3/kibana/visualization/cef-8869f0bb-b8a3-4e6b-b3c4-3cc80b67b3da.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "Top 10 Destinations by Size [Logs CEF]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Destinations\",\"field\":\"destination.domain\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Bytes\",\"field\":\"source.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Sources\",\"field\":\"source.ip\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"}],\"listeners\":{},\"params\":{\"perPage\":10,\"showMeticsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Top 10 Destinations by Size [Logs CEF]\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-8869f0bb-b8a3-4e6b-b3c4-3cc80b67b3da", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "cef-5a3668ef-c2d5-4bd3-a545-e2a9963b721c", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cef/2.3.3/kibana/visualization/cef-89998099-9a39-44cf-beba-5b97f0524cf9.json b/packages/cef/2.3.3/kibana/visualization/cef-89998099-9a39-44cf-beba-5b97f0524cf9.json deleted file mode 100755 index dd63b9809f..0000000000 --- a/packages/cef/2.3.3/kibana/visualization/cef-89998099-9a39-44cf-beba-5b97f0524cf9.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "Outcomes Breakdown [Logs CEF ArcSight]", - "uiStateJSON": "{\"vis\":{\"colors\":{\"/Attempt\":\"#3F2B5B\",\"/Failure\":\"#BF1B00\"},\"legendOpen\":true}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Time\",\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"cef.extensions.categoryOutcome\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Time\"},\"type\":\"category\"}],\"defaultYExtents\":false,\"drawLinesBetweenPoints\":true,\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"legendPosition\":\"right\",\"radiusRatio\":9,\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"mode\":\"stacked\",\"show\":\"true\",\"showCircles\":true,\"type\":\"area\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"showCircles\":true,\"times\":[],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"value\"}]},\"title\":\"Outcomes Breakdown [Logs CEF 
ArcSight]\",\"type\":\"area\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-89998099-9a39-44cf-beba-5b97f0524cf9", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "cef-5cede2d3-20fe-4140-add4-4c4f841b71a2", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cef/2.3.3/kibana/visualization/cef-8cd00d20-957d-4663-be4d-ea80b1609586.json b/packages/cef/2.3.3/kibana/visualization/cef-8cd00d20-957d-4663-be4d-ea80b1609586.json deleted file mode 100755 index 1f8c398abc..0000000000 --- a/packages/cef/2.3.3/kibana/visualization/cef-8cd00d20-957d-4663-be4d-ea80b1609586.json +++ /dev/null @@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "Top 10 Source Users [Logs CEF ArcSight]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Source Users\",\"field\":\"source.user.name\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"maxFontSize\":60,\"minFontSize\":10,\"orientation\":\"single\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"linear\"},\"title\":\"Top 10 Source Users [Logs CEF ArcSight]\",\"type\":\"tagcloud\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-8cd00d20-957d-4663-be4d-ea80b1609586", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "cef-e6cf2383-71f4-4db1-a791-1a7d4f110194", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/cef/2.3.3/kibana/visualization/cef-8f38607c-eb10-410e-aec5-15d8b474211e.json b/packages/cef/2.3.3/kibana/visualization/cef-8f38607c-eb10-410e-aec5-15d8b474211e.json deleted file mode 100755 index 335a09d44d..0000000000 --- a/packages/cef/2.3.3/kibana/visualization/cef-8f38607c-eb10-410e-aec5-15d8b474211e.json +++ /dev/null 
@@ -1,19 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Events by Source Addresses [Logs CEF]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"background_color\":null,\"background_color_rules\":[{\"id\":\"a0bf5a1d-8ebf-49d4-a347-738a6ce20562\"}],\"bar_color_rules\":[{\"id\":\"23db5bf6-f787-474e-86ab-76362432e984\"}],\"drop_last_bucket\":1,\"filter\":{\"language\":\"lucene\",\"query\":\"cef.extensions.categoryDeviceGroup:\\\"/Firewall\\\" OR cef.extensions.categoryDeviceGroup:\\\"/IDS/Network\\\" OR cef.extensions.categoryDeviceGroup:\\\"/VPN\\\" \"},\"gauge_color_rules\":[{\"id\":\"42f84a0a-ee13-4ca8-b61d-3de482ae4ab0\"}],\"gauge_inner_width\":10,\"gauge_style\":\"half\",\"gauge_width\":10,\"id\":\"ec53a1d3-213c-4b0f-a074-5005a84cdb83\",\"index_pattern\":\"logs-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(211,49,21,1)\",\"fill\":\"0\",\"filter\":{\"language\":\"lucene\",\"query\":\"cef.extensions.categoryDeviceGroup:\\\"/Firewall\\\" OR cef.extensions.categoryDeviceGroup:\\\"/IDS/Network\\\" OR cef.extensions.categoryDeviceGroup:\\\"/VPN\\\" 
\"},\"formatter\":\"number\",\"id\":\"04c44192-1112-4515-a8d9-e9e13215aecf\",\"label\":\"Events\",\"line_width\":\"3\",\"metrics\":[{\"id\":\"c5dbb050-fc10-4a0d-abe0-bc093db6cf0e\",\"type\":\"count\"},{\"alpha\":0.3,\"beta\":0.1,\"field\":\"c5dbb050-fc10-4a0d-abe0-bc093db6cf0e\",\"gamma\":0.3,\"id\":\"117fde19-e227-4fcb-8019-e82e6677c340\",\"model_type\":\"simple\",\"multiplicative\":false,\"period\":1,\"sigma\":\"\",\"type\":\"moving_average\",\"window\":\"10\"}],\"point_size\":\"0\",\"seperate_axis\":1,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\",\"steps\":0,\"terms_field\":\"observer.hostmessage\",\"terms_order_by\":null,\"value_template\":\"{{value}}\"},{\"axis_position\":\"left\",\"chart_type\":\"bar\",\"color\":\"rgba(104,188,0,1)\",\"fill\":\"0.5\",\"formatter\":\"number\",\"id\":\"3ffe652e-43c2-4a1d-ad8a-f7ab10f09f2b\",\"label\":\"Top Source Addresses\",\"line_width\":\"0\",\"metrics\":[{\"id\":\"dc74afdf-64ad-47d6-bbed-114e09d12255\",\"type\":\"count\"},{\"alpha\":0.3,\"beta\":0.1,\"field\":\"dc74afdf-64ad-47d6-bbed-114e09d12255\",\"gamma\":0.3,\"id\":\"b753ad38-c3ed-4463-8f6d-176f4d477897\",\"model_type\":\"simple\",\"multiplicative\":false,\"period\":1,\"type\":\"moving_average\",\"window\":\"10\"}],\"point_size\":1,\"seperate_axis\":1,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"source.ip\",\"terms_size\":\"10\"}],\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Events by Source Addresses [Logs CEF]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-8f38607c-eb10-410e-aec5-15d8b474211e", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/cef/2.3.3/kibana/visualization/cef-8f6075c5-f525-4173-92a4-3a56e96e362d.json b/packages/cef/2.3.3/kibana/visualization/cef-8f6075c5-f525-4173-92a4-3a56e96e362d.json deleted file mode 100755 index f4f5f6eadc..0000000000 --- a/packages/cef/2.3.3/kibana/visualization/cef-8f6075c5-f525-4173-92a4-3a56e96e362d.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "Top 10 Source Countries by Events [Logs CEF ArcSight]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Total Events\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Source Country\",\"field\":\"source.geo.country_iso_code\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Source Addresses\",\"field\":\"source.ip\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Destination Addresses\",\"field\":\"destination.ip\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"5\",\"params\":{\"customLabel\":\"Destination Ports\",\"field\":\"destination.port\"},\"schema\":\"metric\",\"type\":\"cardinality\"}],\"listeners\":{},\"params\":{\"perPage\":10,\"showMeticsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Top 10 Source Countries by Events [Logs CEF ArcSight]\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-8f6075c5-f525-4173-92a4-3a56e96e362d", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "cef-68202a5c-c8f2-432f-8c08-04fbfacb95c8", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/cef/2.3.3/kibana/visualization/cef-92aecea0-a632-4a55-bb56-50e4cdaca036.json b/packages/cef/2.3.3/kibana/visualization/cef-92aecea0-a632-4a55-bb56-50e4cdaca036.json deleted file mode 100755 index ab180b299a..0000000000 --- a/packages/cef/2.3.3/kibana/visualization/cef-92aecea0-a632-4a55-bb56-50e4cdaca036.json +++ /dev/null @@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "Top 5 Vendors by Product [Logs CEF ArcSight]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"OS Vendor\",\"field\":\"cef.device.vendor\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"OS Product\",\"field\":\"cef.device.product\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"}},\"title\":\"Top 5 Vendors by Product [Logs CEF ArcSight]\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-92aecea0-a632-4a55-bb56-50e4cdaca036", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "cef-e6cf2383-71f4-4db1-a791-1a7d4f110194", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cef/2.3.3/kibana/visualization/cef-9457ee67-895f-4b78-a543-268f9687a745.json b/packages/cef/2.3.3/kibana/visualization/cef-9457ee67-895f-4b78-a543-268f9687a745.json deleted file mode 100755 index 3da6c90cb1..0000000000 
--- a/packages/cef/2.3.3/kibana/visualization/cef-9457ee67-895f-4b78-a543-268f9687a745.json +++ /dev/null 
@@ -1,19 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Endpoint Average EPS [Logs CEF ArcSight]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"bar_color_rules\":[{\"id\":\"85a1c642-9781-430d-b84b-b28cb2a42fb4\"}],\"drop_last_bucket\":1,\"filter\":{\"language\":\"lucene\",\"query\":\"cef.extensions.categoryDeviceGroup:\\\"/Operating System\\\" OR cef.extensions.categoryDeviceGroup:\\\"/IDS/Host\\\" OR cef.extensions.categoryDeviceGroup:\\\"/Application\\\"\"},\"gauge_color_rules\":[{\"id\":\"03a2fd72-fc9c-4582-9133-20af36217180\"}],\"gauge_inner_width\":10,\"gauge_style\":\"half\",\"gauge_width\":10,\"hide_last_value_indicator\":true,\"id\":\"b7a85957-123e-4e25-9e8e-ff7992c9b2b9\",\"index_pattern\":\"logs-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(0,156,224,1)\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"b4373ffd-9660-4206-afd6-d4867ac7dbdf\",\"label\":\"Event Throughput\",\"line_width\":1,\"metrics\":[{\"id\":\"b1a48389-d799-4eba-8b98-7ee8ef0bb440\",\"type\":\"count\"},{\"field\":\"b1a48389-d799-4eba-8b98-7ee8ef0bb440\",\"id\":\"7c5c44cc-17bd-4206-a100-b8996cd3d11a\",\"type\":\"cumulative_sum\"},{\"field\":\"7c5c44cc-17bd-4206-a100-b8996cd3d11a\",\"id\":\"215c5225-5368-40e6-8fcd-2b0026babba0\",\"type\":\"derivative\",\"unit\":\"1s\"},{\"alpha\":0.3,\"beta\":0.1,\"field\":\"215c5225-5368-40e6-8fcd-2b0026babba0\",\"gamma\":0.3,\"id\":\"f4dfe09a-e397-4287-ab99-3206516cded3\",\"model_type\":\"simple\",\"multiplicative\":false,\"period\":1,\"type\":\"moving_average\",\"window\":\"10\"}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\",\"value_template\":\"{{value}} / 
s\"}],\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"gauge\",\"use_kibana_indexes\":false},\"title\":\"Endpoint Average EPS [Logs CEF ArcSight]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-9457ee67-895f-4b78-a543-268f9687a745", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cef/2.3.3/kibana/visualization/cef-98729301-9b46-4169-b99e-1392af8fa563.json b/packages/cef/2.3.3/kibana/visualization/cef-98729301-9b46-4169-b99e-1392af8fa563.json deleted file mode 100755 index f5d7ad975b..0000000000 --- a/packages/cef/2.3.3/kibana/visualization/cef-98729301-9b46-4169-b99e-1392af8fa563.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "Top 10 Source Countries by Event [Logs CEF]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Total Events\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"source.geo.country_iso_code\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":35},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Source Addresses\",\"field\":\"source.ip\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Destination Addresses\",\"field\":\"destination.ip\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"5\",\"params\":{\"customLabel\":\"Destination Ports\",\"field\":\"destination.port\"},\"schema\":\"metric\",\"type\":\"cardinality\"}],\"listeners\":{},\"params\":{\"perPage\":10,\"showMeticsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Top 10 Source Countries by Event [Logs CEF]\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-98729301-9b46-4169-b99e-1392af8fa563", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "cef-41770860-2a81-4ce7-b8b4-a0c6970725b0", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/cef/2.3.3/kibana/visualization/cef-9bef4db9-a8b2-4be8-b2b0-6ea02fab424d.json b/packages/cef/2.3.3/kibana/visualization/cef-9bef4db9-a8b2-4be8-b2b0-6ea02fab424d.json deleted file mode 100755 index 001000873c..0000000000 --- a/packages/cef/2.3.3/kibana/visualization/cef-9bef4db9-a8b2-4be8-b2b0-6ea02fab424d.json +++ /dev/null 
@@ -1,19 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Events by Severity [Logs CEF ArcSight]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"bar_color_rules\":[{\"id\":\"0ca18a89-9c81-4bee-835a-85e6103aec37\"}],\"drop_last_bucket\":1,\"filter\":{\"language\":\"lucene\",\"query\":\"cef.extensions.categoryDeviceGroup:\\\"/Firewall\\\"\"},\"hide_last_value_indicator\":true,\"id\":\"c39a76e5-f613-41a9-8335-c442747791e0\",\"index_pattern\":\"logs-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"0.0[0]a\",\"id\":\"da3b92b4-2c24-473b-9102-fb5a343a96d9\",\"label\":\"Event by Severities\",\"line_width\":1,\"metrics\":[{\"id\":\"0d189776-3f7c-4a92-95b1-73c379a341fc\",\"type\":\"count\"},{\"field\":\"0d189776-3f7c-4a92-95b1-73c379a341fc\",\"id\":\"1b1c931c-a09b-4980-af81-6f9c3db56401\",\"sigma\":\"\",\"type\":\"sum_bucket\"}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_filters\":[{\"color\":\"rgba(104,204,202,1)\",\"filter\":{\"language\":\"lucene\",\"query\":\"severity:\\\"Low\\\" OR severity:\\\"0\\\"\"},\"id\":\"ebe970ac-5cc9-4c4a-af60-82affafc667c\",\"label\":\"LOW\"},{\"color\":\"rgba(252,220,0,1)\",\"filter\":{\"language\":\"lucene\",\"query\":\"severity:\\\"Medium\\\"\"},\"id\":\"0c4ff16a-b53d-4ce4-af76-d6b74d8788db\",\"label\":\"MEDIUM\"},{\"color\":\"rgba(254,146,0,1)\",\"filter\":{\"language\":\"lucene\",\"query\":\"severity:\\\"High\\\"\"},\"id\":\"e142c55b-6ee5-416a-8bd3-d10398044864\",\"label\":\"HIGH\"},{\"color\":\"rgba(244,78,59,1)\",\"filter\":{\"language\":\"lucene\",\"query\":\"severity:\\\"Very-High\\\"\"},\"id\":\"4b05b562-c419-4214-b814-d4c242251521\",\"label\":\"VERY 
HIGH\"}],\"split_mode\":\"filters\",\"stacked\":\"none\"}],\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"top_n\",\"use_kibana_indexes\":false},\"title\":\"Events by Severity [Logs CEF ArcSight]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-9bef4db9-a8b2-4be8-b2b0-6ea02fab424d", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cef/2.3.3/kibana/visualization/cef-a52d1fe2-6933-48bd-b079-61f6e2dc05c2.json b/packages/cef/2.3.3/kibana/visualization/cef-a52d1fe2-6933-48bd-b079-61f6e2dc05c2.json deleted file mode 100755 index 0c8cab2464..0000000000 --- a/packages/cef/2.3.3/kibana/visualization/cef-a52d1fe2-6933-48bd-b079-61f6e2dc05c2.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "Events by Source and Destination Users [Logs CEF]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Event Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Timestamp\",\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Source Users\",\"field\":\"source.user.name\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Destination Users\",\"field\":\"destination.user.name\"},\"schema\":\"metric\",\"type\":\"cardinality\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Timestamp\"},\"type\":\"category\"}],\"defaultYExtents\":false,\"drawLinesBetweenPoints\":true,\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"legendPosition\":\"right\",\"radiusRatio\":9,\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Event Count\"},\"drawLinesBetweenPoints\":true,\"mode\":\"stacked\",\"show\":\"true\",\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"},{\"data\":{\"id\":\"3\",\"label\":\"Source Users\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":3,\"mode\":\"normal\",\"show\":true,\"showCircles\":true,\"type\":\"line\",\"valueAxis\":\"ValueAxis-2\"},{\"data\":{\"id\":\"4\",\"label\":\"Destination 
Users\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":3,\"mode\":\"normal\",\"show\":true,\"showCircles\":true,\"type\":\"line\",\"valueAxis\":\"ValueAxis-2\"}],\"setYExtents\":false,\"showCircles\":true,\"times\":[],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Event Count\"},\"type\":\"value\"},{\"id\":\"ValueAxis-2\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"RightAxis-1\",\"position\":\"right\",\"scale\":{\"mode\":\"normal\",\"type\":\"square root\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"\"},\"type\":\"value\"}]},\"title\":\"Events by Source and Destination Users [Logs CEF]\",\"type\":\"histogram\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-a52d1fe2-6933-48bd-b079-61f6e2dc05c2", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "cef-46204a7b-ca56-4ad7-bf60-5ef9c6b83042", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cef/2.3.3/kibana/visualization/cef-a5e56e2a-b807-4fd7-92c2-9da42134e0a9.json b/packages/cef/2.3.3/kibana/visualization/cef-a5e56e2a-b807-4fd7-92c2-9da42134e0a9.json deleted file mode 100755 index 6db6150ea6..0000000000 --- a/packages/cef/2.3.3/kibana/visualization/cef-a5e56e2a-b807-4fd7-92c2-9da42134e0a9.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "Top 20 Source Countries [Logs CEF]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"source.geo.country_iso_code\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":20},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"maxFontSize\":72,\"minFontSize\":26,\"orientation\":\"single\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"square root\"},\"title\":\"Top 20 Source Countries [Logs CEF]\",\"type\":\"tagcloud\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-a5e56e2a-b807-4fd7-92c2-9da42134e0a9", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "cef-357351f2-fbd1-41b6-9b03-592fbb7aec7c", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cef/2.3.3/kibana/visualization/cef-a729c249-8d34-4eb1-bbb0-5d25cf224114.json b/packages/cef/2.3.3/kibana/visualization/cef-a729c249-8d34-4eb1-bbb0-5d25cf224114.json deleted file mode 100755 index 8ec3a53f1f..0000000000 --- a/packages/cef/2.3.3/kibana/visualization/cef-a729c249-8d34-4eb1-bbb0-5d25cf224114.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "Top 10 Devices by Outcome [Logs CEF ArcSight]", - "uiStateJSON": "{\"vis\":{\"defaultColors\":{\"0% - 17%\":\"rgb(255,255,204)\",\"17% - 34%\":\"rgb(255,230,146)\",\"34% - 50%\":\"rgb(254,191,90)\",\"50% - 67%\":\"rgb(253,141,60)\",\"67% - 84%\":\"rgb(244,61,37)\",\"84% - 100%\":\"rgb(202,8,35)\"}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Device Host Names\",\"field\":\"observer.hostname\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Event Outcome\",\"field\":\"cef.extensions.categoryOutcome\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTooltip\":true,\"colorSchema\":\"Yellow to Red\",\"colorsNumber\":6,\"colorsRange\":[],\"enableHover\":true,\"invertColors\":false,\"legendPosition\":\"right\",\"percentageMode\":true,\"setColorRange\":false,\"times\":[],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"color\":\"#555\",\"rotate\":0,\"show\":false},\"scale\":{\"defaultYExtents\":false,\"type\":\"linear\"},\"show\":false,\"type\":\"value\"}]},\"title\":\"Top 10 Devices by Outcome [Logs CEF ArcSight]\",\"type\":\"heatmap\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-a729c249-8d34-4eb1-bbb0-5d25cf224114", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "cef-68202a5c-c8f2-432f-8c08-04fbfacb95c8", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/cef/2.3.3/kibana/visualization/cef-a97e3628-022b-46cf-8f29-a73cf9bb4e26.json b/packages/cef/2.3.3/kibana/visualization/cef-a97e3628-022b-46cf-8f29-a73cf9bb4e26.json deleted file mode 100755 index a5448711e4..0000000000 --- a/packages/cef/2.3.3/kibana/visualization/cef-a97e3628-022b-46cf-8f29-a73cf9bb4e26.json +++ /dev/null 
@@ -1,19 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Events by Source [Logs CEF ArcSight]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"background_color\":null,\"background_color_rules\":[{\"id\":\"2fddda5e-d6fc-4581-bbb7-574e1017ae8f\"}],\"bar_color_rules\":[{\"id\":\"23db5bf6-f787-474e-86ab-76362432e984\"}],\"drop_last_bucket\":1,\"filter\":{\"language\":\"lucene\",\"query\":\"cef.extensions.categoryDeviceType:\\\"Firewall\\\" OR cef.extensions.categoryDeviceGroup:\\\"/IDS/Network\\\" OR cef.extensions.categoryDeviceGroup:\\\"/VPN\\\"\"},\"gauge_color_rules\":[{\"id\":\"3ed9a6b9-fd2e-4e0d-bd83-7ad467b3c8a4\"}],\"gauge_inner_width\":10,\"gauge_style\":\"half\",\"gauge_width\":10,\"id\":\"ec53a1d3-213c-4b0f-a074-5005a84cdb83\",\"index_pattern\":\"logs-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(244,78,59,1)\",\"fill\":\"0\",\"filter\":{\"language\":\"lucene\",\"query\":\"cef.extensions.categoryDeviceGroup:\\\"/Firewall\\\"\"},\"formatter\":\"number\",\"id\":\"04c44192-1112-4515-a8d9-e9e13215aecf\",\"label\":\"Events\",\"line_width\":\"3\",\"metrics\":[{\"id\":\"c5dbb050-fc10-4a0d-abe0-bc093db6cf0e\",\"type\":\"count\"},{\"alpha\":0.3,\"beta\":0.1,\"field\":\"c5dbb050-fc10-4a0d-abe0-bc093db6cf0e\",\"gamma\":0.3,\"id\":\"e5a48d9d-7834-4da7-8d78-7d4528136b9b\",\"model_type\":\"simple\",\"multiplicative\":false,\"period\":1,\"sigma\":\"\",\"type\":\"moving_average\",\"window\":\"10\"}],\"point_size\":\"0\",\"seperate_axis\":1,\"split_color_mode\":\"gradient\",\"split_filters\":[{\"color\":\"rgba(244,78,59,1)\",\"filter\":{\"language\":\"lucene\",\"query\":\"cef.extensions.categoryDeviceGroup:\\\"/Firewall\\\"\"},\"id\":\"0c929603-fc92-4ebc-a963-fe2795417d89\",\"label\":\"Firewall 
Events\"},{\"color\":\"rgba(254,146,0,1)\",\"filter\":{\"language\":\"lucene\",\"query\":\"cef.extensions.categoryDeviceGroup:\\\"/IDS/Network\\\"\"},\"id\":\"7798827b-87ab-436b-9e62-9fe36143eb9b\",\"label\":\"Intrusion Detection Events\"},{\"color\":\"rgba(252,220,0,1)\",\"filter\":{\"language\":\"lucene\",\"query\":\"cef.extensions.categoryDeviceGroup:\\\"/VPN\\\"\"},\"id\":\"490f7ad7-8218-45f9-85a9-a4dd9ed7da13\",\"label\":\"VPN\"}],\"split_mode\":\"filters\",\"stacked\":\"none\",\"steps\":0,\"terms_field\":\"observer.hostname\",\"terms_order_by\":null},{\"axis_position\":\"left\",\"chart_type\":\"bar\",\"color\":\"rgba(0,156,224,1)\",\"fill\":\"0.5\",\"formatter\":\"number\",\"id\":\"29d6131a-5143-4a64-b597-9538692f0269\",\"label\":\"Moving Average by Device Hosts\",\"line_width\":1,\"metrics\":[{\"id\":\"dc74afdf-64ad-47d6-bbed-114e09d12255\",\"type\":\"count\"},{\"alpha\":0.3,\"beta\":0.1,\"field\":\"dc74afdf-64ad-47d6-bbed-114e09d12255\",\"gamma\":0.3,\"id\":\"87e21aaa-12eb-4213-bb37-41cb19219240\",\"model_type\":\"simple\",\"multiplicative\":false,\"period\":1,\"type\":\"moving_average\",\"window\":\"10\"}],\"point_size\":1,\"seperate_axis\":1,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"observer.hostname\",\"terms_size\":\"10\"}],\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Events by Source [Logs CEF ArcSight]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-a97e3628-022b-46cf-8f29-a73cf9bb4e26", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cef/2.3.3/kibana/visualization/cef-acc915fe-b971-4795-9040-3fbfdf62abe1.json b/packages/cef/2.3.3/kibana/visualization/cef-acc915fe-b971-4795-9040-3fbfdf62abe1.json deleted file mode 100755 index 71eae19918..0000000000 
--- a/packages/cef/2.3.3/kibana/visualization/cef-acc915fe-b971-4795-9040-3fbfdf62abe1.json +++ /dev/null @@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "Top 10 Destination Users [Logs CEF ArcSight]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Destination Users\",\"field\":\"destination.user.name\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"maxFontSize\":60,\"minFontSize\":10,\"orientation\":\"single\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"linear\"},\"title\":\"Top 10 Destination Users [Logs CEF ArcSight]\",\"type\":\"tagcloud\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-acc915fe-b971-4795-9040-3fbfdf62abe1", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "cef-e6cf2383-71f4-4db1-a791-1a7d4f110194", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cef/2.3.3/kibana/visualization/cef-b1002b5c-08fc-4bbe-b9a0-6243a8637e60.json b/packages/cef/2.3.3/kibana/visualization/cef-b1002b5c-08fc-4bbe-b9a0-6243a8637e60.json deleted file mode 100755 index 8a888d067a..0000000000 --- a/packages/cef/2.3.3/kibana/visualization/cef-b1002b5c-08fc-4bbe-b9a0-6243a8637e60.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "Outcome by Device Type [Logs CEF ArcSight]", - "uiStateJSON": "{\"vis\":{\"colors\":{\"/Failure\":\"#BF1B00\",\"/Success\":\"#629E51\"}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Firewall Types\",\"field\":\"cef.extensions.categoryDeviceType\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Event Outcome\",\"field\":\"cef.extensions.categoryOutcome\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":3},\"schema\":\"group\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"rotate\":75,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Firewall Types\"},\"type\":\"category\"}],\"defaultYExtents\":false,\"drawLinesBetweenPoints\":true,\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"legendPosition\":\"right\",\"orderBucketsBySum\":true,\"radiusRatio\":9,\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"mode\":\"stacked\",\"show\":\"true\",\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"showCircles\":true,\"times\":[],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"percentage\",\"type\":\"square 
root\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"value\"}]},\"title\":\"Outcome by Device Type [Logs CEF ArcSight]\",\"type\":\"histogram\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-b1002b5c-08fc-4bbe-b9a0-6243a8637e60", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "cef-68202a5c-c8f2-432f-8c08-04fbfacb95c8", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cef/2.3.3/kibana/visualization/cef-b25e0340-0e97-4849-9b89-959b9ad8c958.json b/packages/cef/2.3.3/kibana/visualization/cef-b25e0340-0e97-4849-9b89-959b9ad8c958.json deleted file mode 100755 index 6d692d4846..0000000000 --- a/packages/cef/2.3.3/kibana/visualization/cef-b25e0340-0e97-4849-9b89-959b9ad8c958.json +++ /dev/null 
@@ -1,19 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "DNS - Event Throughput [Logs CEF]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"background_color_rules\":[{\"id\":\"3eadd451-5033-423f-88e3-814cc5e50b50\"}],\"bar_color_rules\":[{\"id\":\"fa374805-d1ca-4261-b723-9b482a7dd43a\"}],\"drop_last_bucket\":1,\"filter\":{\"language\":\"lucene\",\"query\":\"cef.device.product:\\\"DNS Trace Log\\\"\"},\"gauge_color_rules\":[{\"gauge\":null,\"id\":\"4d957654-cc7e-4ef3-8b29-61c0aeadd51a\",\"value\":0}],\"gauge_inner_width\":10,\"gauge_max\":\"\",\"gauge_style\":\"half\",\"gauge_width\":10,\"hide_last_value_indicator\":true,\"id\":\"73968651-c41e-473e-a153-a025f49d1a1b\",\"index_pattern\":\"logs-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(0,156,224,1)\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"90d7621e-3265-4fe8-8882-8df9605ea659\",\"label\":\"Event Throughput\",\"line_width\":1,\"metrics\":[{\"id\":\"ba1830b9-9ce3-4bf1-8f4d-f7478b7f1bba\",\"type\":\"count\"},{\"field\":\"ba1830b9-9ce3-4bf1-8f4d-f7478b7f1bba\",\"id\":\"cf3e6b1c-4136-4868-913e-0e82d88a8c9c\",\"type\":\"cumulative_sum\"},{\"field\":\"cf3e6b1c-4136-4868-913e-0e82d88a8c9c\",\"id\":\"0e407985-9ae4-4c1f-bb0e-16cd9bef7611\",\"type\":\"derivative\",\"unit\":\"1s\"},{\"alpha\":0.3,\"beta\":0.1,\"field\":\"0e407985-9ae4-4c1f-bb0e-16cd9bef7611\",\"gamma\":0.3,\"id\":\"48026f85-83c8-40e6-aff4-71f3bd6c77c9\",\"model_type\":\"simple\",\"multiplicative\":false,\"period\":1,\"type\":\"moving_average\",\"window\":\"10\"}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\",\"value_template\":\"{{value}} / 
s\"}],\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"gauge\",\"use_kibana_indexes\":false},\"title\":\"DNS - Event Throughput [Logs CEF]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-b25e0340-0e97-4849-9b89-959b9ad8c958", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cef/2.3.3/kibana/visualization/cef-b4a28b54-9adb-4c4b-8ae6-158dfeb673ce.json b/packages/cef/2.3.3/kibana/visualization/cef-b4a28b54-9adb-4c4b-8ae6-158dfeb673ce.json deleted file mode 100755 index dc44b3cae7..0000000000 --- a/packages/cef/2.3.3/kibana/visualization/cef-b4a28b54-9adb-4c4b-8ae6-158dfeb673ce.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "Endpoint Metrics Overview [Logs CEF]", - "uiStateJSON": "{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Event Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Devices\",\"field\":\"observer.hostname\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Source\",\"field\":\"source.ip\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Destination\",\"field\":\"destination.ip\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"5\",\"params\":{\"customLabel\":\"Port\",\"field\":\"destination.port\"},\"schema\":\"metric\",\"type\":\"cardinality\"}],\"listeners\":{},\"params\":{\"addLegend\":false,\"addTooltip\":true,\"fontSize\":\"30\",\"gauge\":{\"autoExtend\":false,\"backStyle\":\"Full\",\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":100}],\"gaugeColorMode\":\"None\",\"gaugeStyle\":\"Full\",\"gaugeType\":\"Metric\",\"invertColors\":false,\"labels\":{\"color\":\"black\",\"show\":true},\"orientation\":\"vertical\",\"percentageMode\":false,\"scale\":{\"color\":\"#333\",\"labels\":false,\"show\":false,\"width\":2},\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":\"12\",\"labelColor\":false,\"subText\":\"\"},\"type\":\"simple\",\"useRange\":false,\"verticalSplit\":false},\"handleNoResults\":true,\"type\":\"gauge\"},\"title\":\"Endpoint Metrics Overview [Logs CEF]\",\"type\":\"metric\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-b4a28b54-9adb-4c4b-8ae6-158dfeb673ce", - "migrationVersion": { - "visualization": "8.0.0" - }, - 
"references": [ - { - "id": "cef-41770860-2a81-4ce7-b8b4-a0c6970725b0", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cef/2.3.3/kibana/visualization/cef-b4ac112e-809a-437d-a805-3ff44a67c21c.json b/packages/cef/2.3.3/kibana/visualization/cef-b4ac112e-809a-437d-a805-3ff44a67c21c.json deleted file mode 100755 index 1b3af86506..0000000000 --- a/packages/cef/2.3.3/kibana/visualization/cef-b4ac112e-809a-437d-a805-3ff44a67c21c.json +++ /dev/null @@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "Top 10 Source Users by Destination Users [Logs CEF]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Source Users\",\"field\":\"source.user.name\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Destination Users\",\"field\":\"destination.user.name\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"legendPosition\":\"bottom\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"}},\"title\":\"Top 10 Source Users by Destination Users [Logs CEF]\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-b4ac112e-809a-437d-a805-3ff44a67c21c", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "cef-46204a7b-ca56-4ad7-bf60-5ef9c6b83042", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/cef/2.3.3/kibana/visualization/cef-b7227081-e125-49cb-a580-1be363f06be0.json b/packages/cef/2.3.3/kibana/visualization/cef-b7227081-e125-49cb-a580-1be363f06be0.json deleted file mode 100755 index 74d3b0f829..0000000000 --- a/packages/cef/2.3.3/kibana/visualization/cef-b7227081-e125-49cb-a580-1be363f06be0.json +++ /dev/null @@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "Top 5 Sources by Destination Ports [Logs CEF]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Destination Ports\",\"field\":\"destination.port\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Event Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Source Address\",\"field\":\"source.ip\",\"order\":\"desc\",\"orderBy\":\"2\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"perPage\":10,\"showMeticsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Top 5 Sources by Destination Ports [Logs CEF]\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-b7227081-e125-49cb-a580-1be363f06be0", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "cef-357351f2-fbd1-41b6-9b03-592fbb7aec7c", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/cef/2.3.3/kibana/visualization/cef-baa6c9ee-dffe-4ea5-bedd-91962700f450.json b/packages/cef/2.3.3/kibana/visualization/cef-baa6c9ee-dffe-4ea5-bedd-91962700f450.json deleted file mode 100755 index a8db546b0d..0000000000 --- a/packages/cef/2.3.3/kibana/visualization/cef-baa6c9ee-dffe-4ea5-bedd-91962700f450.json +++ /dev/null 
@@ -1,19 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Events by Device Types [Logs CEF]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"background_color\":null,\"background_color_rules\":[{\"id\":\"2fddda5e-d6fc-4581-bbb7-574e1017ae8f\"}],\"bar_color_rules\":[{\"id\":\"23db5bf6-f787-474e-86ab-76362432e984\"}],\"drop_last_bucket\":1,\"filter\":{\"language\":\"lucene\",\"query\":\"cef.extensions.categoryDeviceType:\\\"Firewall\\\" OR cef.extensions.categoryDeviceGroup:\\\"/IDS/Network\\\" OR cef.extensions.categoryDeviceGroup:\\\"/VPN\\\"\"},\"gauge_color_rules\":[{\"id\":\"3ed9a6b9-fd2e-4e0d-bd83-7ad467b3c8a4\"}],\"gauge_inner_width\":10,\"gauge_style\":\"half\",\"gauge_width\":10,\"id\":\"ec53a1d3-213c-4b0f-a074-5005a84cdb83\",\"index_pattern\":\"logs-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(211,49,21,1)\",\"fill\":\"0\",\"filter\":\"\",\"formatter\":\"number\",\"id\":\"04c44192-1112-4515-a8d9-e9e13215aecf\",\"label\":\"Events\",\"line_width\":\"3\",\"metrics\":[{\"id\":\"c5dbb050-fc10-4a0d-abe0-bc093db6cf0e\",\"type\":\"count\"},{\"alpha\":0.3,\"beta\":0.1,\"field\":\"c5dbb050-fc10-4a0d-abe0-bc093db6cf0e\",\"gamma\":0.3,\"id\":\"e5a48d9d-7834-4da7-8d78-7d4528136b9b\",\"model_type\":\"simple\",\"multiplicative\":false,\"period\":1,\"sigma\":\"\",\"type\":\"moving_average\",\"window\":\"10\"}],\"point_size\":\"0\",\"seperate_axis\":1,\"split_color_mode\":\"gradient\",\"split_filters\":[{\"color\":\"rgba(244,78,59,1)\",\"filter\":{\"language\":\"lucene\",\"query\":\"cef.extensions.categoryDeviceGroup:\\\"/Firewall\\\"\"},\"id\":\"78bfdf07-ec02-4dd8-8ff4-b7e250c561c2\",\"label\":\"Firewall\"}],\"split_mode\":\"everything\",\"stacked\":\"none\",\"steps\":0,\"terms_field\":\"observer.hostname\",\"terms_order_by\":null},{\
"axis_position\":\"left\",\"chart_type\":\"bar\",\"color\":\"rgba(251,158,0,1)\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"29d6131a-5143-4a64-b597-9538692f0269\",\"label\":\"Top Device Types by Mvg Averages\",\"line_width\":1,\"metrics\":[{\"id\":\"dc74afdf-64ad-47d6-bbed-114e09d12255\",\"type\":\"count\"},{\"alpha\":0.3,\"beta\":0.1,\"field\":\"dc74afdf-64ad-47d6-bbed-114e09d12255\",\"gamma\":0.3,\"id\":\"87e21aaa-12eb-4213-bb37-41cb19219240\",\"model_type\":\"simple\",\"multiplicative\":false,\"period\":1,\"type\":\"moving_average\",\"window\":\"10\"}],\"point_size\":1,\"seperate_axis\":1,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"cef.extensions.categoryDeviceType\",\"terms_size\":\"10\"}],\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Events by Device Types [Logs CEF]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-baa6c9ee-dffe-4ea5-bedd-91962700f450", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cef/2.3.3/kibana/visualization/cef-bd35faa9-492e-4abe-9bf1-2d3c0d98171d.json b/packages/cef/2.3.3/kibana/visualization/cef-bd35faa9-492e-4abe-9bf1-2d3c0d98171d.json deleted file mode 100755 index ea5bb8c83f..0000000000 --- a/packages/cef/2.3.3/kibana/visualization/cef-bd35faa9-492e-4abe-9bf1-2d3c0d98171d.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "Top 10 Destination Users [Logs CEF]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Destination Users\",\"field\":\"destination.user.name\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"maxFontSize\":60,\"minFontSize\":10,\"orientation\":\"single\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"linear\"},\"title\":\"Top 10 Destination Users [Logs CEF]\",\"type\":\"tagcloud\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-bd35faa9-492e-4abe-9bf1-2d3c0d98171d", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "cef-46204a7b-ca56-4ad7-bf60-5ef9c6b83042", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cef/2.3.3/kibana/visualization/cef-c394e650-b16c-407c-b305-bd409d69d433.json b/packages/cef/2.3.3/kibana/visualization/cef-c394e650-b16c-407c-b305-bd409d69d433.json deleted file mode 100755 index 6601533058..0000000000 --- a/packages/cef/2.3.3/kibana/visualization/cef-c394e650-b16c-407c-b305-bd409d69d433.json +++ /dev/null 
@@ -1,19 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"query_string\":{\"query\":\"*\"}}}" - }, - "title": " Dashboard Navigation [Logs CEF ArcSight]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"markdown\":\"[Network Overview](#/dashboard/cef-dd0bc9af-2e89-4150-9b42-62517ea56b71) | [Network Suspicious Activity](#/dashboard/cef-db1e1aca-279e-4ecc-b84e-fe58644f7619) | [Endpoint Overview](#dashboard/cef-c10ce1cf-f6b8-4de4-8715-2cb5f6770b3b) | [Endpoint OS Activity](#/dashboard/cef-9e352900-89c3-4c1b-863e-249e24d0dac9) | [Microsoft DNS Overview](#/dashboard/cef-56428e01-0c47-4770-8ba4-9345a029ea41)\"},\"title\":\" Dashboard Navigation [Logs CEF ArcSight]\",\"type\":\"markdown\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-c394e650-b16c-407c-b305-bd409d69d433", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cef/2.3.3/kibana/visualization/cef-c5120e27-1f8c-41e3-83ee-78ec4d470c2f.json b/packages/cef/2.3.3/kibana/visualization/cef-c5120e27-1f8c-41e3-83ee-78ec4d470c2f.json deleted file mode 100755 index 4860454ee5..0000000000 --- a/packages/cef/2.3.3/kibana/visualization/cef-c5120e27-1f8c-41e3-83ee-78ec4d470c2f.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "Top 10 Destination Port [Logs CEF ArcSight]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"destination.port\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":20},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"maxFontSize\":72,\"minFontSize\":18,\"orientation\":\"single\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"linear\"},\"title\":\"Top 10 Destination Port [Logs CEF ArcSight]\",\"type\":\"tagcloud\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-c5120e27-1f8c-41e3-83ee-78ec4d470c2f", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "cef-5cede2d3-20fe-4140-add4-4c4f841b71a2", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cef/2.3.3/kibana/visualization/cef-cbde6788-7371-4712-b2e0-3eb07e0841f4.json b/packages/cef/2.3.3/kibana/visualization/cef-cbde6788-7371-4712-b2e0-3eb07e0841f4.json deleted file mode 100755 index 03c08e6f40..0000000000 --- a/packages/cef/2.3.3/kibana/visualization/cef-cbde6788-7371-4712-b2e0-3eb07e0841f4.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "Top 10 Destination Ports [Logs CEF]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Destination Addresses\",\"field\":\"destination.port\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"maxFontSize\":72,\"minFontSize\":18,\"orientation\":\"single\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"linear\"},\"title\":\"Top 10 Destination Ports [Logs CEF]\",\"type\":\"tagcloud\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-cbde6788-7371-4712-b2e0-3eb07e0841f4", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "cef-357351f2-fbd1-41b6-9b03-592fbb7aec7c", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cef/2.3.3/kibana/visualization/cef-cc7f89bc-22ad-4778-9c9f-1873ff38750b.json b/packages/cef/2.3.3/kibana/visualization/cef-cc7f89bc-22ad-4778-9c9f-1873ff38750b.json deleted file mode 100755 index 9d68c5563a..0000000000 --- a/packages/cef/2.3.3/kibana/visualization/cef-cc7f89bc-22ad-4778-9c9f-1873ff38750b.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "Top 10 Behaviors by Outcome [Logs CEF]", - "uiStateJSON": "{\"vis\":{\"defaultColors\":{\"0 - 9,000\":\"rgb(255,255,204)\",\"18,000 - 27,000\":\"rgb(254,225,135)\",\"27,000 - 36,000\":\"rgb(254,201,101)\",\"36,000 - 45,000\":\"rgb(254,171,73)\",\"45,000 - 54,000\":\"rgb(253,141,60)\",\"54,000 - 63,000\":\"rgb(252,91,46)\",\"63,000 - 72,000\":\"rgb(237,47,34)\",\"72,000 - 81,000\":\"rgb(212,16,32)\",\"81,000 - 90,000\":\"rgb(176,0,38)\",\"9,000 - 18,000\":\"rgb(255,241,170)\"}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Event Type\",\"field\":\"event.action\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Event Outcome\",\"field\":\"event.outcome\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTooltip\":true,\"colorSchema\":\"Yellow to Red\",\"colorsNumber\":10,\"colorsRange\":[],\"enableHover\":true,\"invertColors\":false,\"legendPosition\":\"right\",\"percentageMode\":false,\"setColorRange\":false,\"times\":[],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"color\":\"#555\",\"rotate\":0,\"show\":false},\"scale\":{\"defaultYExtents\":false,\"type\":\"linear\"},\"show\":false,\"type\":\"value\"}]},\"title\":\"Top 10 Behaviors by Outcome [Logs CEF]\",\"type\":\"heatmap\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-cc7f89bc-22ad-4778-9c9f-1873ff38750b", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "cef-46204a7b-ca56-4ad7-bf60-5ef9c6b83042", - "name": "search_0", - "type": "search" - } - 
], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cef/2.3.3/kibana/visualization/cef-d02dd523-ce91-40e9-9209-83797f80ed45.json b/packages/cef/2.3.3/kibana/visualization/cef-d02dd523-ce91-40e9-9209-83797f80ed45.json deleted file mode 100755 index bf65f0baac..0000000000 --- a/packages/cef/2.3.3/kibana/visualization/cef-d02dd523-ce91-40e9-9209-83797f80ed45.json +++ /dev/null 
@@ -1,19 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Events by Source Addresses [Logs CEF ArcSight]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"background_color\":null,\"background_color_rules\":[{\"id\":\"a0bf5a1d-8ebf-49d4-a347-738a6ce20562\"}],\"bar_color_rules\":[{\"id\":\"23db5bf6-f787-474e-86ab-76362432e984\"}],\"drop_last_bucket\":1,\"filter\":{\"language\":\"lucene\",\"query\":\"cef.extensions.categoryDeviceGroup:\\\"/Firewall\\\" OR cef.extensions.categoryDeviceGroup:\\\"/IDS/Network\\\" OR cef.extensions.categoryDeviceGroup:\\\"/VPN\\\" \"},\"gauge_color_rules\":[{\"id\":\"42f84a0a-ee13-4ca8-b61d-3de482ae4ab0\"}],\"gauge_inner_width\":10,\"gauge_style\":\"half\",\"gauge_width\":10,\"id\":\"ec53a1d3-213c-4b0f-a074-5005a84cdb83\",\"index_pattern\":\"logs-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(211,49,21,1)\",\"fill\":\"0\",\"filter\":{\"language\":\"lucene\",\"query\":\"cef.extensions.categoryDeviceGroup:\\\"/Firewall\\\" OR cef.extensions.categoryDeviceGroup:\\\"/IDS/Network\\\" OR cef.extensions.categoryDeviceGroup:\\\"/VPN\\\" 
\"},\"formatter\":\"number\",\"id\":\"04c44192-1112-4515-a8d9-e9e13215aecf\",\"label\":\"Events\",\"line_width\":\"3\",\"metrics\":[{\"id\":\"c5dbb050-fc10-4a0d-abe0-bc093db6cf0e\",\"type\":\"count\"},{\"alpha\":0.3,\"beta\":0.1,\"field\":\"c5dbb050-fc10-4a0d-abe0-bc093db6cf0e\",\"gamma\":0.3,\"id\":\"117fde19-e227-4fcb-8019-e82e6677c340\",\"model_type\":\"simple\",\"multiplicative\":false,\"period\":1,\"sigma\":\"\",\"type\":\"moving_average\",\"window\":\"10\"}],\"point_size\":\"0\",\"seperate_axis\":1,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\",\"steps\":0,\"terms_field\":\"observer.hostmessage\",\"terms_order_by\":null,\"value_template\":\"{{value}}\"},{\"axis_position\":\"left\",\"chart_type\":\"bar\",\"color\":\"rgba(104,188,0,1)\",\"fill\":\"0.5\",\"formatter\":\"number\",\"id\":\"3ffe652e-43c2-4a1d-ad8a-f7ab10f09f2b\",\"label\":\"Top Source Addresses\",\"line_width\":\"0\",\"metrics\":[{\"id\":\"dc74afdf-64ad-47d6-bbed-114e09d12255\",\"type\":\"count\"},{\"alpha\":0.3,\"beta\":0.1,\"field\":\"dc74afdf-64ad-47d6-bbed-114e09d12255\",\"gamma\":0.3,\"id\":\"b753ad38-c3ed-4463-8f6d-176f4d477897\",\"model_type\":\"simple\",\"multiplicative\":false,\"period\":1,\"type\":\"moving_average\",\"window\":\"10\"}],\"point_size\":1,\"seperate_axis\":1,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"source.ip\",\"terms_size\":\"10\"}],\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Events by Source Addresses [Logs CEF ArcSight]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-d02dd523-ce91-40e9-9209-83797f80ed45", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/cef/2.3.3/kibana/visualization/cef-d061c7a9-7f92-4bf4-b35c-499b9f4b987a.json b/packages/cef/2.3.3/kibana/visualization/cef-d061c7a9-7f92-4bf4-b35c-499b9f4b987a.json
deleted file mode 100755
index f56ace942b..0000000000
--- a/packages/cef/2.3.3/kibana/visualization/cef-d061c7a9-7f92-4bf4-b35c-499b9f4b987a.json
+++ /dev/null
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "Device Metrics Overview [Logs CEF ArcSight]", - "uiStateJSON": "{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"8\",\"params\":{\"customLabel\":\"Event Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Devices\",\"field\":\"observer.hostname\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"5\",\"params\":{\"customLabel\":\"Sources\",\"field\":\"source.ip\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"6\",\"params\":{\"customLabel\":\"Destinations\",\"field\":\"destination.ip\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"7\",\"params\":{\"customLabel\":\"Ports\",\"field\":\"destination.port\"},\"schema\":\"metric\",\"type\":\"cardinality\"}],\"listeners\":{},\"params\":{\"addLegend\":false,\"addTooltip\":true,\"fontSize\":\"30\",\"gauge\":{\"autoExtend\":false,\"backStyle\":\"Full\",\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":100}],\"gaugeColorMode\":\"None\",\"gaugeStyle\":\"Full\",\"gaugeType\":\"Metric\",\"invertColors\":false,\"labels\":{\"color\":\"black\",\"show\":true},\"orientation\":\"vertical\",\"percentageMode\":false,\"scale\":{\"color\":\"#333\",\"labels\":false,\"show\":false,\"width\":2},\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":\"12\",\"labelColor\":false,\"subText\":\"\"},\"type\":\"simple\",\"useRange\":false,\"verticalSplit\":false},\"handleNoResults\":true,\"type\":\"gauge\"},\"title\":\"Device Metrics Overview [Logs CEF ArcSight]\",\"type\":\"metric\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-d061c7a9-7f92-4bf4-b35c-499b9f4b987a", - "migrationVersion": { - "visualization": 
"8.0.0" - }, - "references": [ - { - "id": "cef-68202a5c-c8f2-432f-8c08-04fbfacb95c8", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cef/2.3.3/kibana/visualization/cef-d2332147-4293-4422-930b-0a319ebeb958.json b/packages/cef/2.3.3/kibana/visualization/cef-d2332147-4293-4422-930b-0a319ebeb958.json deleted file mode 100755 index c2380e89a6..0000000000 --- a/packages/cef/2.3.3/kibana/visualization/cef-d2332147-4293-4422-930b-0a319ebeb958.json +++ /dev/null @@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "Top 5 Vendors by Product [Logs CEF]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"OS Vendor\",\"field\":\"cef.device.vendor\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"OS Product\",\"field\":\"cef.device.product\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"}},\"title\":\"Top 5 Vendors by Product [Logs CEF]\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-d2332147-4293-4422-930b-0a319ebeb958", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "cef-46204a7b-ca56-4ad7-bf60-5ef9c6b83042", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/cef/2.3.3/kibana/visualization/cef-d3ce586b-d372-4e03-9c19-b768b1b953f3.json b/packages/cef/2.3.3/kibana/visualization/cef-d3ce586b-d372-4e03-9c19-b768b1b953f3.json
deleted file mode 100755
index 3d96a77a18..0000000000
--- a/packages/cef/2.3.3/kibana/visualization/cef-d3ce586b-d372-4e03-9c19-b768b1b953f3.json
+++ /dev/null
@@ -1,19 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Events by Outcome [Logs CEF]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"background_color\":null,\"background_color_rules\":[{\"id\":\"2fddda5e-d6fc-4581-bbb7-574e1017ae8f\"}],\"bar_color_rules\":[{\"bar_color\":null,\"id\":\"23db5bf6-f787-474e-86ab-76362432e984\",\"value\":0}],\"drilldown_url\":\"\",\"drop_last_bucket\":1,\"filter\":{\"language\":\"lucene\",\"query\":\"cef.extensions.categoryDeviceType:\\\"Firewall\\\" OR cef.extensions.categoryDeviceGroup:\\\"/IDS/Network\\\" OR cef.extensions.categoryDeviceGroup:\\\"/VPN\\\"\"},\"gauge_color_rules\":[{\"id\":\"3ed9a6b9-fd2e-4e0d-bd83-7ad467b3c8a4\"}],\"gauge_inner_width\":10,\"gauge_style\":\"half\",\"gauge_width\":10,\"id\":\"ec53a1d3-213c-4b0f-a074-5005a84cdb83\",\"index_pattern\":\"logs-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(211,49,21,1)\",\"fill\":\"0\",\"filter\":{\"language\":\"lucene\",\"query\":\"(cef.extensions.categoryDeviceGroup:\\\"/Firewall\\\" OR cef.extensions.categoryDeviceGroup:\\\"/IDS/Network\\\" OR cef.extensions.categoryDeviceGroup:\\\"/VPN\\\") AND 
_exists_:cef.extensions.categoryOutcome\"},\"formatter\":\"number\",\"id\":\"04c44192-1112-4515-a8d9-e9e13215aecf\",\"label\":\"Events\",\"line_width\":\"3\",\"metrics\":[{\"id\":\"c5dbb050-fc10-4a0d-abe0-bc093db6cf0e\",\"type\":\"count\"},{\"alpha\":0.3,\"beta\":0.1,\"field\":\"c5dbb050-fc10-4a0d-abe0-bc093db6cf0e\",\"gamma\":0.3,\"id\":\"c43af7e6-3f06-48a4-a7c3-7ba8bd6214f9\",\"model_type\":\"simple\",\"multiplicative\":false,\"period\":1,\"type\":\"moving_average\",\"window\":\"10\"}],\"point_size\":\"0\",\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_filters\":[{\"color\":\"rgba(254,146,0,1)\",\"filter\":{\"language\":\"lucene\",\"query\":\"cef.extensions.categoryDeviceGroup:\\\"/Firewall\\\"\"},\"id\":\"4c7aac7d-2749-41b6-8136-40dc8636a7e7\",\"label\":\"Firewall\"}],\"split_mode\":\"filter\",\"stacked\":\"none\",\"steps\":0,\"terms_field\":\"observer.hostname\",\"terms_order_by\":null},{\"axis_position\":\"left\",\"chart_type\":\"bar\",\"color\":\"rgba(104,188,0,1)\",\"fill\":\"1\",\"formatter\":\"number\",\"id\":\"29d6131a-5143-4a64-b597-9538692f0269\",\"label\":\"Moving Average by Event 
Outcome\",\"line_width\":1,\"metrics\":[{\"id\":\"dc74afdf-64ad-47d6-bbed-114e09d12255\",\"type\":\"count\"}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_filters\":[{\"color\":\"rgba(104,188,0,0.35)\",\"filter\":{\"language\":\"lucene\",\"query\":\"cef.extensions.categoryOutcome:\\\"/Success\\\"\"},\"id\":\"cb1ae397-13a0-4b6f-a848-bcdc96870f05\",\"label\":\"Success\"},{\"color\":\"rgba(244,78,59,1)\",\"filter\":{\"language\":\"lucene\",\"query\":\"cef.extensions.categoryOutcome:\\\"/Failure\\\"\"},\"id\":\"ef021c15-1b95-4334-bc3c-e2950e9b0f6f\",\"label\":\"Failure\"},{\"color\":\"rgba(0,156,224,1)\",\"filter\":{\"language\":\"lucene\",\"query\":\"cef.extensions.categoryOutcome:\\\"/Attempt\\\"\"},\"id\":\"2ff1e859-b178-4824-a0f2-69a115932b98\",\"label\":\"Attempt\"}],\"split_mode\":\"filters\",\"stacked\":\"stacked\",\"terms_field\":\"event.outcome\",\"terms_size\":\"3\"}],\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Events by Outcome [Logs CEF]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-d3ce586b-d372-4e03-9c19-b768b1b953f3", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cef/2.3.3/kibana/visualization/cef-d42600fb-ea45-4dc9-a5d2-dd6a502fb76e.json b/packages/cef/2.3.3/kibana/visualization/cef-d42600fb-ea45-4dc9-a5d2-dd6a502fb76e.json deleted file mode 100755 index f3176b2af1..0000000000 --- a/packages/cef/2.3.3/kibana/visualization/cef-d42600fb-ea45-4dc9-a5d2-dd6a502fb76e.json +++ /dev/null 
@@ -1,19 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"query_string\":{\"query\":\"*\"}}}" - }, - "title": " Dashboard Navigation [Logs CEF]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"markdown\":\"[Network Overview](#/dashboard/cef-4f045e14-8e20-47ed-a6d1-219dd3c8ed5c) | [Network Suspicious Activity](#/dashboard/cef-04749697-de8d-49b3-8eca-c873ab2c5ac9) | [Endpoint Overview](#dashboard/cef-a0030996-9c7b-4f66-bd5a-59b23a7e7c15) | [Endpoint Activity](#/dashboard/cef-85d71d6a-69fc-46a5-bf38-f94c177fbabf) | [Microsoft DNS Overview](#/dashboard/cef-607f756e-288d-499a-8f8a-33791354ffaf)\"},\"title\":\" Dashboard Navigation [Logs CEF]\",\"type\":\"markdown\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-d42600fb-ea45-4dc9-a5d2-dd6a502fb76e", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cef/2.3.3/kibana/visualization/cef-d7d7bd9e-c767-428c-b7de-d09f9d87f652.json b/packages/cef/2.3.3/kibana/visualization/cef-d7d7bd9e-c767-428c-b7de-d09f9d87f652.json deleted file mode 100755 index c076beb64e..0000000000 --- a/packages/cef/2.3.3/kibana/visualization/cef-d7d7bd9e-c767-428c-b7de-d09f9d87f652.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "Device Metrics Overview [Logs CEF]", - "uiStateJSON": "{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"8\",\"params\":{\"customLabel\":\"Event Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Devices\",\"field\":\"observer.hostname\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"5\",\"params\":{\"customLabel\":\"Sources\",\"field\":\"source.ip\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"6\",\"params\":{\"customLabel\":\"Destinations\",\"field\":\"destination.ip\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"7\",\"params\":{\"customLabel\":\"Ports\",\"field\":\"destination.port\"},\"schema\":\"metric\",\"type\":\"cardinality\"}],\"listeners\":{},\"params\":{\"addLegend\":false,\"addTooltip\":true,\"fontSize\":\"30\",\"gauge\":{\"autoExtend\":false,\"backStyle\":\"Full\",\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":100}],\"gaugeColorMode\":\"None\",\"gaugeStyle\":\"Full\",\"gaugeType\":\"Metric\",\"invertColors\":false,\"labels\":{\"color\":\"black\",\"show\":true},\"orientation\":\"vertical\",\"percentageMode\":false,\"scale\":{\"color\":\"#333\",\"labels\":false,\"show\":false,\"width\":2},\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":\"12\",\"labelColor\":false,\"subText\":\"\"},\"type\":\"simple\",\"useRange\":false,\"verticalSplit\":false},\"handleNoResults\":true,\"type\":\"gauge\"},\"title\":\"Device Metrics Overview [Logs CEF]\",\"type\":\"metric\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-d7d7bd9e-c767-428c-b7de-d09f9d87f652", - "migrationVersion": { - "visualization": "8.0.0" - }, - 
"references": [ - { - "id": "cef-357351f2-fbd1-41b6-9b03-592fbb7aec7c", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cef/2.3.3/kibana/visualization/cef-d85b0ce0-4fa7-4fe5-9fe1-41cf40606ef3.json b/packages/cef/2.3.3/kibana/visualization/cef-d85b0ce0-4fa7-4fe5-9fe1-41cf40606ef3.json deleted file mode 100755 index 3fe6aa4bce..0000000000 --- a/packages/cef/2.3.3/kibana/visualization/cef-d85b0ce0-4fa7-4fe5-9fe1-41cf40606ef3.json +++ /dev/null 
@@ -1,19 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Events by Size [Logs CEF]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"drop_last_bucket\":1,\"filter\":{\"language\":\"lucene\",\"query\":\"cef.device.product:\\\"DNS Trace Log\\\"\"},\"id\":\"6e634117-6b30-411c-b74c-75510befe42f\",\"index_pattern\":\"logs-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(0,156,224,1)\",\"fill\":0.5,\"filter\":{\"language\":\"lucene\",\"query\":\"deviceDirection:\\\"0\\\"\"},\"formatter\":\"bytes\",\"id\":\"28b1fb5b-0f16-4519-b901-4dd2dcc39915\",\"label\":\"Inbound Bytes\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"source.bytes\",\"id\":\"f613f33f-6459-4e46-a3a0-c36c48c46b2e\",\"type\":\"sum\"}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"filter\",\"stacked\":\"none\"},{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(244,78,59,1)\",\"fill\":0.5,\"filter\":{\"language\":\"lucene\",\"query\":\"deviceDirection:\\\"1\\\"\"},\"formatter\":\"bytes\",\"id\":\"5a5c2529-4990-4006-b039-c94069ff6b7e\",\"label\":\"Outbound Bytes\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"source.bytes\",\"id\":\"b69501e7-56d5-4c38-81d1-34d778c81e11\",\"type\":\"sum\"},{\"id\":\"0aaab374-5845-44ab-94f5-ac4fab25c287\",\"script\":\"params.outbound_bytes \\u003e= 0 ? 
params.outbound_bytes * -1 : 0\",\"type\":\"calculation\",\"variables\":[{\"field\":\"b69501e7-56d5-4c38-81d1-34d778c81e11\",\"id\":\"23b8c41c-0e98-4ace-8bca-3593e46cd955\",\"name\":\"outbound_bytes\"}]}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"filter\",\"stacked\":\"none\"}],\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Events by Size [Logs CEF]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-d85b0ce0-4fa7-4fe5-9fe1-41cf40606ef3", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cef/2.3.3/kibana/visualization/cef-daa1fe0b-a698-4429-8e5d-db251502276c.json b/packages/cef/2.3.3/kibana/visualization/cef-daa1fe0b-a698-4429-8e5d-db251502276c.json deleted file mode 100755 index 0cab527765..0000000000 --- a/packages/cef/2.3.3/kibana/visualization/cef-daa1fe0b-a698-4429-8e5d-db251502276c.json +++ /dev/null 
@@ -1,19 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Bandwidth Utilization [Logs CEF]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"background_color\":null,\"bar_color_rules\":[{\"id\":\"23db5bf6-f787-474e-86ab-76362432e984\"}],\"drop_last_bucket\":1,\"filter\":{\"language\":\"kuery\",\"query\":\"\"},\"id\":\"ec53a1d3-213c-4b0f-a074-5005a84cdb83\",\"index_pattern\":\"logs-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(0,156,224,1)\",\"fill\":0.5,\"formatter\":\"bytes\",\"id\":\"d27f09dc-b07e-493f-a223-a85033ad6548\",\"label\":\"Inbound\",\"line_width\":1,\"metrics\":[{\"field\":\"source.bytes\",\"id\":\"9ce9ec3a-2f11-4935-91b2-531494d2a619\",\"type\":\"sum\"}],\"override_index_pattern\":1,\"point_size\":1,\"seperate_axis\":0,\"series_drop_last_bucket\":1,\"series_index_pattern\":\"logs-*\",\"series_time_field\":\"@timestamp\",\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\",\"terms_field\":\"observer.hostname\",\"terms_order_by\":\"_count\"},{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(244,78,59,1)\",\"fill\":0.5,\"formatter\":\"bytes\",\"id\":\"b1ef2c75-5916-469d-8790-5b213367a5a0\",\"label\":\"Outbound\",\"line_width\":1,\"metrics\":[{\"field\":\"destination.bytes\",\"id\":\"11b1852f-9b62-4e96-8128-522e6c5bf16d\",\"type\":\"sum\"},{\"id\":\"2a6b00bf-1658-4d02-b4e2-61ad6e4c3a9b\",\"script\":\"params.outbound \\u003e 0 ? 
params.outbound * -1 : 0\",\"type\":\"calculation\",\"variables\":[{\"field\":\"11b1852f-9b62-4e96-8128-522e6c5bf16d\",\"id\":\"c57067f2-2927-41d8-97f4-9f47b3b3bcae\",\"name\":\"outbound\"}]}],\"override_index_pattern\":1,\"point_size\":1,\"seperate_axis\":0,\"series_drop_last_bucket\":1,\"series_index_pattern\":\"logs-*\",\"series_time_field\":\"@timestamp\",\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\",\"steps\":0}],\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Bandwidth Utilization [Logs CEF]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-daa1fe0b-a698-4429-8e5d-db251502276c", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cef/2.3.3/kibana/visualization/cef-dd339ff5-6b26-4455-ae06-f3b5591479e3.json b/packages/cef/2.3.3/kibana/visualization/cef-dd339ff5-6b26-4455-ae06-f3b5591479e3.json deleted file mode 100755 index 4a6677a4a9..0000000000 --- a/packages/cef/2.3.3/kibana/visualization/cef-dd339ff5-6b26-4455-ae06-f3b5591479e3.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "Outcomes Breakdown [Logs CEF]", - "uiStateJSON": "{\"vis\":{\"colors\":{\"failure\":\"#BF1B00\",\"unknown\":\"#3F2B5B\"},\"legendOpen\":true}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Time\",\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"event.outcome\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Time\"},\"type\":\"category\"}],\"defaultYExtents\":false,\"drawLinesBetweenPoints\":true,\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"legendPosition\":\"right\",\"radiusRatio\":9,\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"mode\":\"stacked\",\"show\":\"true\",\"showCircles\":true,\"type\":\"area\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"showCircles\":true,\"times\":[],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"value\"}]},\"title\":\"Outcomes Breakdown [Logs CEF]\",\"type\":\"area\"}" - }, - 
"coreMigrationVersion": "8.0.0", - "id": "cef-dd339ff5-6b26-4455-ae06-f3b5591479e3", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "cef-41770860-2a81-4ce7-b8b4-a0c6970725b0", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cef/2.3.3/kibana/visualization/cef-df056709-2deb-4363-ae7a-b0148ea456c6.json b/packages/cef/2.3.3/kibana/visualization/cef-df056709-2deb-4363-ae7a-b0148ea456c6.json deleted file mode 100755 index 6cf6e86635..0000000000 --- a/packages/cef/2.3.3/kibana/visualization/cef-df056709-2deb-4363-ae7a-b0148ea456c6.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "Destination Ports by Outcome [Logs CEF ArcSight]", - "uiStateJSON": "{\"vis\":{\"colors\":{\"/Failure\":\"#BF1B00\",\"/Success\":\"#629E51\"}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Protocols\",\"field\":\"destination.port\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"cef.extensions.categoryOutcome\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"rotate\":75,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Protocols\"},\"type\":\"category\"}],\"defaultYExtents\":false,\"drawLinesBetweenPoints\":true,\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"legendPosition\":\"right\",\"radiusRatio\":9,\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"mode\":\"stacked\",\"show\":\"true\",\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"showCircles\":true,\"times\":[],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"percentage\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"Destination Ports by Outcome [Logs CEF 
ArcSight]\",\"type\":\"histogram\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-df056709-2deb-4363-ae7a-b0148ea456c6", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "cef-68202a5c-c8f2-432f-8c08-04fbfacb95c8", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cef/2.3.3/kibana/visualization/cef-e06d85f2-2da4-41e2-b2ab-f685b64bb3f9.json b/packages/cef/2.3.3/kibana/visualization/cef-e06d85f2-2da4-41e2-b2ab-f685b64bb3f9.json deleted file mode 100755 index 20bdf88f92..0000000000 --- a/packages/cef/2.3.3/kibana/visualization/cef-e06d85f2-2da4-41e2-b2ab-f685b64bb3f9.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "Top 20 Behaviors by Outcome [Logs CEF ArcSight]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Event Behavior\",\"field\":\"cef.extensions.categoryBehavior\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":20},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Event Outcome\",\"field\":\"cef.extensions.categoryOutcome\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":3},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"}},\"title\":\"Top 20 Behaviors by Outcome [Logs CEF ArcSight]\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-e06d85f2-2da4-41e2-b2ab-f685b64bb3f9", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "cef-e6cf2383-71f4-4db1-a791-1a7d4f110194", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cef/2.3.3/kibana/visualization/cef-e513c269-350c-40c3-ac20-16c5782103b8.json b/packages/cef/2.3.3/kibana/visualization/cef-e513c269-350c-40c3-ac20-16c5782103b8.json deleted file mode 100755 index cb732f40b3..0000000000 --- a/packages/cef/2.3.3/kibana/visualization/cef-e513c269-350c-40c3-ac20-16c5782103b8.json +++ /dev/null 
@@ -1,19 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Events by Device Types [Logs CEF ArcSight]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"background_color\":null,\"background_color_rules\":[{\"id\":\"2fddda5e-d6fc-4581-bbb7-574e1017ae8f\"}],\"bar_color_rules\":[{\"id\":\"23db5bf6-f787-474e-86ab-76362432e984\"}],\"drop_last_bucket\":1,\"filter\":{\"language\":\"lucene\",\"query\":\"cef.extensions.categoryDeviceType:\\\"Firewall\\\" OR cef.extensions.categoryDeviceGroup:\\\"/IDS/Network\\\" OR cef.extensions.categoryDeviceGroup:\\\"/VPN\\\"\"},\"gauge_color_rules\":[{\"id\":\"3ed9a6b9-fd2e-4e0d-bd83-7ad467b3c8a4\"}],\"gauge_inner_width\":10,\"gauge_style\":\"half\",\"gauge_width\":10,\"id\":\"ec53a1d3-213c-4b0f-a074-5005a84cdb83\",\"index_pattern\":\"logs-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(211,49,21,1)\",\"fill\":\"0\",\"filter\":\"\",\"formatter\":\"number\",\"id\":\"04c44192-1112-4515-a8d9-e9e13215aecf\",\"label\":\"Events\",\"line_width\":\"3\",\"metrics\":[{\"id\":\"c5dbb050-fc10-4a0d-abe0-bc093db6cf0e\",\"type\":\"count\"},{\"alpha\":0.3,\"beta\":0.1,\"field\":\"c5dbb050-fc10-4a0d-abe0-bc093db6cf0e\",\"gamma\":0.3,\"id\":\"e5a48d9d-7834-4da7-8d78-7d4528136b9b\",\"model_type\":\"simple\",\"multiplicative\":false,\"period\":1,\"sigma\":\"\",\"type\":\"moving_average\",\"window\":\"10\"}],\"point_size\":\"0\",\"seperate_axis\":1,\"split_color_mode\":\"gradient\",\"split_filters\":[{\"color\":\"rgba(244,78,59,1)\",\"filter\":{\"language\":\"lucene\",\"query\":\"cef.extensions.categoryDeviceGroup:\\\"/Firewall\\\"\"},\"id\":\"78bfdf07-ec02-4dd8-8ff4-b7e250c561c2\",\"label\":\"Firewall\"}],\"split_mode\":\"everything\",\"stacked\":\"none\",\"steps\":0,\"terms_field\":\"observer.hostname\",\"terms_order_by\"
:null},{\"axis_position\":\"left\",\"chart_type\":\"bar\",\"color\":\"rgba(251,158,0,1)\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"29d6131a-5143-4a64-b597-9538692f0269\",\"label\":\"Top Device Types by Mvg Averages\",\"line_width\":1,\"metrics\":[{\"id\":\"dc74afdf-64ad-47d6-bbed-114e09d12255\",\"type\":\"count\"},{\"alpha\":0.3,\"beta\":0.1,\"field\":\"dc74afdf-64ad-47d6-bbed-114e09d12255\",\"gamma\":0.3,\"id\":\"87e21aaa-12eb-4213-bb37-41cb19219240\",\"model_type\":\"simple\",\"multiplicative\":false,\"period\":1,\"type\":\"moving_average\",\"window\":\"10\"}],\"point_size\":1,\"seperate_axis\":1,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"cef.extensions.categoryDeviceType\",\"terms_size\":\"10\"}],\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Events by Device Types [Logs CEF ArcSight]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-e513c269-350c-40c3-ac20-16c5782103b8", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cef/2.3.3/kibana/visualization/cef-e89a64e8-928c-41fc-8745-3c8157b21cdb.json b/packages/cef/2.3.3/kibana/visualization/cef-e89a64e8-928c-41fc-8745-3c8157b21cdb.json deleted file mode 100755 index 5387593733..0000000000 --- a/packages/cef/2.3.3/kibana/visualization/cef-e89a64e8-928c-41fc-8745-3c8157b21cdb.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "Top 10 Devices by Bandwidth [Logs CEF ArcSight]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Device\",\"field\":\"observer.hostname\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Source(s)\",\"field\":\"source.ip\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"5\",\"params\":{\"customLabel\":\"Destination(s)\",\"field\":\"destination.ip\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"6\",\"params\":{\"customLabel\":\"Destination Ports\",\"field\":\"destination.port\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Bandwidth (Incoming)\",\"field\":\"source.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Bandwidth (Outgoing)\",\"field\":\"destination.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"}],\"listeners\":{},\"params\":{\"perPage\":10,\"showMeticsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Top 10 Devices by Bandwidth [Logs CEF ArcSight]\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-e89a64e8-928c-41fc-8745-3c8157b21cdb", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "cef-68202a5c-c8f2-432f-8c08-04fbfacb95c8", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/cef/2.3.3/kibana/visualization/cef-efa710e7-907c-4723-92cd-2bd2276f44dd.json b/packages/cef/2.3.3/kibana/visualization/cef-efa710e7-907c-4723-92cd-2bd2276f44dd.json
deleted file mode 100755
index 3c1744583b..0000000000
--- a/packages/cef/2.3.3/kibana/visualization/cef-efa710e7-907c-4723-92cd-2bd2276f44dd.json
+++ /dev/null
@@ -1,19 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Events by Source [Logs CEF]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"background_color\":null,\"background_color_rules\":[{\"id\":\"2fddda5e-d6fc-4581-bbb7-574e1017ae8f\"}],\"bar_color_rules\":[{\"id\":\"23db5bf6-f787-474e-86ab-76362432e984\"}],\"drop_last_bucket\":1,\"filter\":{\"language\":\"lucene\",\"query\":\"cef.extensions.categoryDeviceType:\\\"Firewall\\\" OR cef.extensions.categoryDeviceGroup:\\\"/IDS/Network\\\" OR cef.extensions.categoryDeviceGroup:\\\"/VPN\\\"\"},\"gauge_color_rules\":[{\"id\":\"3ed9a6b9-fd2e-4e0d-bd83-7ad467b3c8a4\"}],\"gauge_inner_width\":10,\"gauge_style\":\"half\",\"gauge_width\":10,\"id\":\"ec53a1d3-213c-4b0f-a074-5005a84cdb83\",\"index_pattern\":\"logs-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(244,78,59,1)\",\"fill\":\"0\",\"filter\":{\"language\":\"lucene\",\"query\":\"cef.extensions.categoryDeviceGroup:\\\"/Firewall\\\"\"},\"formatter\":\"number\",\"id\":\"04c44192-1112-4515-a8d9-e9e13215aecf\",\"label\":\"Events\",\"line_width\":\"3\",\"metrics\":[{\"id\":\"c5dbb050-fc10-4a0d-abe0-bc093db6cf0e\",\"type\":\"count\"},{\"alpha\":0.3,\"beta\":0.1,\"field\":\"c5dbb050-fc10-4a0d-abe0-bc093db6cf0e\",\"gamma\":0.3,\"id\":\"e5a48d9d-7834-4da7-8d78-7d4528136b9b\",\"model_type\":\"simple\",\"multiplicative\":false,\"period\":1,\"sigma\":\"\",\"type\":\"moving_average\",\"window\":\"10\"}],\"point_size\":\"0\",\"seperate_axis\":1,\"split_color_mode\":\"gradient\",\"split_filters\":[{\"color\":\"rgba(244,78,59,1)\",\"filter\":{\"language\":\"lucene\",\"query\":\"cef.extensions.categoryDeviceGroup:\\\"/Firewall\\\"\"},\"id\":\"0c929603-fc92-4ebc-a963-fe2795417d89\",\"label\":\"Firewall 
Events\"},{\"color\":\"rgba(254,146,0,1)\",\"filter\":{\"language\":\"lucene\",\"query\":\"cef.extensions.categoryDeviceGroup:\\\"/IDS/Network\\\"\"},\"id\":\"7798827b-87ab-436b-9e62-9fe36143eb9b\",\"label\":\"Intrusion Detection Events\"},{\"color\":\"rgba(252,220,0,1)\",\"filter\":{\"language\":\"lucene\",\"query\":\"cef.extensions.categoryDeviceGroup:\\\"/VPN\\\"\"},\"id\":\"490f7ad7-8218-45f9-85a9-a4dd9ed7da13\",\"label\":\"VPN\"}],\"split_mode\":\"filters\",\"stacked\":\"none\",\"steps\":0,\"terms_field\":\"observer.hostname\",\"terms_order_by\":null},{\"axis_position\":\"left\",\"chart_type\":\"bar\",\"color\":\"rgba(0,156,224,1)\",\"fill\":\"0.5\",\"formatter\":\"number\",\"id\":\"29d6131a-5143-4a64-b597-9538692f0269\",\"label\":\"Moving Average by Device Hosts\",\"line_width\":1,\"metrics\":[{\"id\":\"dc74afdf-64ad-47d6-bbed-114e09d12255\",\"type\":\"count\"},{\"alpha\":0.3,\"beta\":0.1,\"field\":\"dc74afdf-64ad-47d6-bbed-114e09d12255\",\"gamma\":0.3,\"id\":\"87e21aaa-12eb-4213-bb37-41cb19219240\",\"model_type\":\"simple\",\"multiplicative\":false,\"period\":1,\"type\":\"moving_average\",\"window\":\"10\"}],\"point_size\":1,\"seperate_axis\":1,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"observer.hostname\",\"terms_size\":\"10\"}],\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Events by Source [Logs CEF]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-efa710e7-907c-4723-92cd-2bd2276f44dd", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cef/2.3.3/kibana/visualization/cef-f03d734b-b85c-4e99-9c0e-9c89716a81f3.json b/packages/cef/2.3.3/kibana/visualization/cef-f03d734b-b85c-4e99-9c0e-9c89716a81f3.json deleted file mode 100755 index 4c21032237..0000000000 
--- a/packages/cef/2.3.3/kibana/visualization/cef-f03d734b-b85c-4e99-9c0e-9c89716a81f3.json +++ /dev/null @@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "Top 5 Sources by Destination Ports [Logs CEF ArcSight]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Destination Ports\",\"field\":\"destination.port\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Event Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Source Address\",\"field\":\"source.ip\",\"order\":\"desc\",\"orderBy\":\"2\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"perPage\":10,\"showMeticsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Top 5 Sources by Destination Ports [Logs CEF ArcSight]\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-f03d734b-b85c-4e99-9c0e-9c89716a81f3", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "cef-68202a5c-c8f2-432f-8c08-04fbfacb95c8", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cef/2.3.3/kibana/visualization/cef-f0e60404-ddf4-4b46-8e45-e28c4fb6d60d.json b/packages/cef/2.3.3/kibana/visualization/cef-f0e60404-ddf4-4b46-8e45-e28c4fb6d60d.json deleted file mode 100755 index 827c7905e2..0000000000 --- a/packages/cef/2.3.3/kibana/visualization/cef-f0e60404-ddf4-4b46-8e45-e28c4fb6d60d.json +++ /dev/null 
@@ -1,19 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Events Types by Severity [Logs CEF ArcSight]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"drop_last_bucket\":1,\"filter\":{\"language\":\"lucene\",\"query\":\"cef.device.product:\\\"DNS Trace Log\\\"\"},\"id\":\"db54ebce-9dd2-4a1e-b476-b3ddb9a9024e\",\"index_pattern\":\"logs-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"formatter\":\"number\",\"id\":\"81da76ca-1112-4d91-82f4-c66cd3156a84\",\"label\":\"Cumulative Bytes\",\"line_width\":\"3\",\"metrics\":[{\"field\":\"source.bytes\",\"id\":\"521d560c-321a-4410-9eb3-2b2bf3f4efee\",\"type\":\"count\"}],\"point_size\":\"0\",\"seperate_axis\":1,\"split_color_mode\":\"gradient\",\"split_filters\":[{\"color\":\"rgba(244,78,59,1)\",\"filter\":{\"language\":\"lucene\",\"query\":\"(event.severity:\\\"2\\\" OR event.severity:\\\"3\\\" OR event.severity:\\\"5\\\" OR event.severity:\\\"16\\\" OR cef.extension.deviceCustomString4:\\\"SERVFAIL\\\" OR cef.extension.deviceCustomString4:\\\"NXDOMAIN\\\" OR cef.extension.deviceCustomString4:\\\"REFUSED\\\" OR cef.extension.deviceCustomString4:\\\"BADVERS\\\" OR cef.extension.deviceCustomString4:\\\"BADSIG\\\")\"},\"id\":\"3f31a7e4-acf3-4f2d-8b7d-e30522325b2a\",\"label\":\"HIGH\"},{\"color\":\"rgba(254,146,0,1)\",\"filter\":{\"language\":\"lucene\",\"query\":\"(event.severity:\\\"1\\\" OR event.severity:\\\"4\\\" OR event.severity:\\\"6\\\" OR event.severity:\\\"7\\\" OR event.severity:\\\"8\\\" OR event.severity:\\\"9\\\" OR event.severity:\\\"10\\\" OR event.severity:\\\"17\\\" OR event.severity:\\\"18\\\" OR event.severity:\\\"19\\\" OR event.severity:\\\"20\\\" OR event.severity:\\\"21\\\" OR event.severity:\\\"22\\\" OR 
cef.extension.deviceCustomString4:\\\"Error\\\" OR cef.extension.deviceCustomString4:\\\"ERROR\\\" OR cef.extension.deviceCustomString4:\\\"Warning\\\" OR cef.extension.deviceCustomString4:\\\"WARNING\\\" OR cef.extension.deviceCustomString4:\\\"FORMERR\\\" OR cef.extension.deviceCustomString4:\\\"NOTIMP\\\" OR cef.extension.deviceCustomString4:\\\"YXDOMAIN\\\" OR cef.extension.deviceCustomString4:\\\"YXRRSET\\\" OR cef.extension.deviceCustomString4:\\\"NXRRSET\\\" OR cef.extension.deviceCustomString4:\\\"NOTAUTH\\\" OR cef.extension.deviceCustomString4:\\\"NOTZONE\\\" OR cef.extension.deviceCustomString4:\\\"BADKEY\\\" OR cef.extension.deviceCustomString4:\\\"BADTIME\\\" OR cef.extension.deviceCustomString4:\\\"BADMODE\\\" OR cef.extension.deviceCustomString4:\\\"BADNAME\\\" OR cef.extension.deviceCustomString4:\\\"BADALG\\\" OR cef.extension.deviceCustomString4:\\\"BADTRUNC\\\")\"},\"id\":\"7949d31b-8aae-433a-b7cf-6939a8728cc9\",\"label\":\"MEDIUM\"},{\"color\":\"rgba(252,220,0,1)\",\"filter\":{\"language\":\"lucene\",\"query\":\"(NOT (event.severity:\\\"2\\\" OR event.severity:\\\"3\\\" OR event.severity:\\\"5\\\" OR event.severity:\\\"16\\\" OR cef.extension.deviceCustomString4:\\\"SERVFAIL\\\" OR cef.extension.deviceCustomString4:\\\"NXDOMAIN\\\" OR cef.extension.deviceCustomString4:\\\"REFUSED\\\" OR cef.extension.deviceCustomString4:\\\"BADVERS\\\" OR cef.extension.deviceCustomString4:\\\"BADSIG\\\" OR event.severity:\\\"1\\\" OR event.severity:\\\"4\\\" OR event.severity:\\\"6\\\" OR event.severity:\\\"7\\\" OR event.severity:\\\"8\\\" OR event.severity:\\\"9\\\" OR event.severity:\\\"10\\\" OR event.severity:\\\"17\\\" OR event.severity:\\\"18\\\" OR event.severity:\\\"19\\\" OR event.severity:\\\"20\\\" OR event.severity:\\\"21\\\" OR event.severity:\\\"22\\\" OR cef.extension.deviceCustomString4:\\\"Error\\\" OR cef.extension.deviceCustomString4:\\\"ERROR\\\" OR cef.extension.deviceCustomString4:\\\"Warning\\\" OR 
cef.extension.deviceCustomString4:\\\"WARNING\\\" OR cef.extension.deviceCustomString4:\\\"FORMERR\\\" OR cef.extension.deviceCustomString4:\\\"NOTIMP\\\" OR cef.extension.deviceCustomString4:\\\"YXDOMAIN\\\" OR cef.extension.deviceCustomString4:\\\"YXRRSET\\\" OR cef.extension.deviceCustomString4:\\\"NXRRSET\\\" OR cef.extension.deviceCustomString4:\\\"NOTAUTH\\\" OR cef.extension.deviceCustomString4:\\\"NOTZONE\\\" OR cef.extension.deviceCustomString4:\\\"BADKEY\\\" OR cef.extension.deviceCustomString4:\\\"BADTIME\\\" OR cef.extension.deviceCustomString4:\\\"BADMODE\\\" OR cef.extension.deviceCustomString4:\\\"BADNAME\\\" OR cef.extension.deviceCustomString4:\\\"BADALG\\\" OR cef.extension.deviceCustomString4:\\\"BADTRUNC\\\"))\"},\"id\":\"d2627211-5f9e-4c65-8a47-1cd6f085939d\",\"label\":\"LOW\"}],\"split_mode\":\"filters\",\"stacked\":\"none\"},{\"axis_position\":\"right\",\"chart_type\":\"bar\",\"color\":\"rgba(0,156,224,1)\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"a5fda184-fdd6-4221-ab59-492eab162f0a\",\"label\":\"Count by Event Type\",\"line_width\":1,\"metrics\":[{\"id\":\"e147ba1c-b13a-496f-9841-b99ddee81c5a\",\"type\":\"count\"}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"cef.device.event_class_id\",\"terms_size\":\"20\"}],\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Events Types by Severity [Logs CEF ArcSight]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-f0e60404-ddf4-4b46-8e45-e28c4fb6d60d", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/cef/2.3.3/kibana/visualization/cef-f3c573ad-2c16-4de5-9ec3-0a47141d4fa0.json b/packages/cef/2.3.3/kibana/visualization/cef-f3c573ad-2c16-4de5-9ec3-0a47141d4fa0.json
deleted file mode 100755
index 5b23c7fb8e..0000000000
--- a/packages/cef/2.3.3/kibana/visualization/cef-f3c573ad-2c16-4de5-9ec3-0a47141d4fa0.json
+++ /dev/null
@@ -1,19 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Events by Size [Logs CEF ArcSight]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"drop_last_bucket\":1,\"filter\":{\"language\":\"lucene\",\"query\":\"cef.device.product:\\\"DNS Trace Log\\\"\"},\"id\":\"6e634117-6b30-411c-b74c-75510befe42f\",\"index_pattern\":\"logs-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(0,156,224,1)\",\"fill\":0.5,\"filter\":{\"language\":\"lucene\",\"query\":\"deviceDirection:\\\"0\\\"\"},\"formatter\":\"bytes\",\"id\":\"28b1fb5b-0f16-4519-b901-4dd2dcc39915\",\"label\":\"Inbound Bytes\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"source.bytes\",\"id\":\"f613f33f-6459-4e46-a3a0-c36c48c46b2e\",\"type\":\"sum\"}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"filter\",\"stacked\":\"none\"},{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(244,78,59,1)\",\"fill\":0.5,\"filter\":{\"language\":\"lucene\",\"query\":\"deviceDirection:\\\"1\\\"\"},\"formatter\":\"bytes\",\"id\":\"5a5c2529-4990-4006-b039-c94069ff6b7e\",\"label\":\"Outbound Bytes\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"source.bytes\",\"id\":\"b69501e7-56d5-4c38-81d1-34d778c81e11\",\"type\":\"sum\"},{\"id\":\"0aaab374-5845-44ab-94f5-ac4fab25c287\",\"script\":\"params.outbound_bytes \\u003e= 0 ? 
params.outbound_bytes * -1 : 0\",\"type\":\"calculation\",\"variables\":[{\"field\":\"b69501e7-56d5-4c38-81d1-34d778c81e11\",\"id\":\"23b8c41c-0e98-4ace-8bca-3593e46cd955\",\"name\":\"outbound_bytes\"}]}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"filter\",\"stacked\":\"none\"}],\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Events by Size [Logs CEF ArcSight]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-f3c573ad-2c16-4de5-9ec3-0a47141d4fa0", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cef/2.3.3/kibana/visualization/cef-f5258de9-71f7-410f-b713-201007f77470.json b/packages/cef/2.3.3/kibana/visualization/cef-f5258de9-71f7-410f-b713-201007f77470.json deleted file mode 100755 index aed8102339..0000000000 --- a/packages/cef/2.3.3/kibana/visualization/cef-f5258de9-71f7-410f-b713-201007f77470.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "Top 10 Application Protocols [Logs CEF ArcSight]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"network.application\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":20},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"maxFontSize\":72,\"minFontSize\":26,\"orientation\":\"single\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"square root\"},\"title\":\"Top 10 Application Protocols [Logs CEF ArcSight]\",\"type\":\"tagcloud\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-f5258de9-71f7-410f-b713-201007f77470", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "cef-68202a5c-c8f2-432f-8c08-04fbfacb95c8", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cef/2.3.3/kibana/visualization/cef-f57734dd-0f32-42b4-94dd-5d597f6735e1.json b/packages/cef/2.3.3/kibana/visualization/cef-f57734dd-0f32-42b4-94dd-5d597f6735e1.json deleted file mode 100755 index 74a61138dc..0000000000 --- a/packages/cef/2.3.3/kibana/visualization/cef-f57734dd-0f32-42b4-94dd-5d597f6735e1.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "Device Types by Vendor [Logs CEF ArcSight]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"exclude\":\"Network-based IDS/IPS\",\"field\":\"cef.extensions.categoryDeviceType\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"exclude\":\"\",\"field\":\"cef.device.vendor\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":false,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"}},\"title\":\"Device Types by Vendor [Logs CEF ArcSight]\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-f57734dd-0f32-42b4-94dd-5d597f6735e1", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "cef-5cede2d3-20fe-4140-add4-4c4f841b71a2", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cef/2.3.3/kibana/visualization/cef-f856a77c-a0fd-4047-afa6-e21a912814c5.json b/packages/cef/2.3.3/kibana/visualization/cef-f856a77c-a0fd-4047-afa6-e21a912814c5.json deleted file mode 100755 index afc14f82bb..0000000000 --- a/packages/cef/2.3.3/kibana/visualization/cef-f856a77c-a0fd-4047-afa6-e21a912814c5.json +++ /dev/null 
@@ -1,19 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Endpoint Average EPS [Logs CEF]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"bar_color_rules\":[{\"id\":\"85a1c642-9781-430d-b84b-b28cb2a42fb4\"}],\"drop_last_bucket\":1,\"filter\":{\"language\":\"lucene\",\"query\":\"data_stream.dataset:\\\"cef.log\\\"\"},\"gauge_color_rules\":[{\"id\":\"03a2fd72-fc9c-4582-9133-20af36217180\"}],\"gauge_inner_width\":10,\"gauge_style\":\"half\",\"gauge_width\":10,\"hide_last_value_indicator\":true,\"id\":\"b7a85957-123e-4e25-9e8e-ff7992c9b2b9\",\"index_pattern\":\"logs-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(0,156,224,1)\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"b4373ffd-9660-4206-afd6-d4867ac7dbdf\",\"label\":\"Event Throughput\",\"line_width\":1,\"metrics\":[{\"id\":\"b1a48389-d799-4eba-8b98-7ee8ef0bb440\",\"type\":\"count\"},{\"field\":\"b1a48389-d799-4eba-8b98-7ee8ef0bb440\",\"id\":\"7c5c44cc-17bd-4206-a100-b8996cd3d11a\",\"type\":\"cumulative_sum\"},{\"field\":\"7c5c44cc-17bd-4206-a100-b8996cd3d11a\",\"id\":\"215c5225-5368-40e6-8fcd-2b0026babba0\",\"type\":\"derivative\",\"unit\":\"1s\"},{\"alpha\":0.3,\"beta\":0.1,\"field\":\"215c5225-5368-40e6-8fcd-2b0026babba0\",\"gamma\":0.3,\"id\":\"f4dfe09a-e397-4287-ab99-3206516cded3\",\"model_type\":\"simple\",\"multiplicative\":false,\"period\":1,\"type\":\"moving_average\",\"window\":\"10\"}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\",\"value_template\":\"{{value}} / s\"}],\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"gauge\",\"use_kibana_indexes\":false},\"title\":\"Endpoint Average EPS [Logs CEF]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": 
"cef-f856a77c-a0fd-4047-afa6-e21a912814c5", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cef/2.3.3/kibana/visualization/cef-fa8b26c1-6973-4381-adb3-bcde0d03a520.json b/packages/cef/2.3.3/kibana/visualization/cef-fa8b26c1-6973-4381-adb3-bcde0d03a520.json deleted file mode 100755 index 32a6dda32a..0000000000 --- a/packages/cef/2.3.3/kibana/visualization/cef-fa8b26c1-6973-4381-adb3-bcde0d03a520.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "Unique Destinations and Ports by Source [Logs CEF ArcSight]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Destination Addresses\",\"field\":\"destination.ip\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Source Addresses\",\"field\":\"source.ip\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":20},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Destination Ports\",\"field\":\"destination.port\"},\"schema\":\"metric\",\"type\":\"cardinality\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Source Addresses\"},\"type\":\"category\"}],\"defaultYExtents\":false,\"drawLinesBetweenPoints\":true,\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"legendPosition\":\"right\",\"radiusRatio\":9,\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Destination Addresses\"},\"drawLinesBetweenPoints\":true,\"mode\":\"stacked\",\"show\":\"true\",\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"},{\"data\":{\"id\":\"3\",\"label\":\"Destination 
Ports\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"stacked\",\"show\":true,\"showCircles\":true,\"type\":\"line\",\"valueAxis\":\"ValueAxis-2\"}],\"setYExtents\":false,\"showCircles\":true,\"times\":[],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Destination Addresses\"},\"type\":\"value\"},{\"id\":\"ValueAxis-2\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"RightAxis-1\",\"position\":\"right\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Destination Ports\"},\"type\":\"value\"}]},\"title\":\"Unique Destinations and Ports by Source [Logs CEF ArcSight]\",\"type\":\"histogram\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-fa8b26c1-6973-4381-adb3-bcde0d03a520", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "cef-68202a5c-c8f2-432f-8c08-04fbfacb95c8", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cef/2.3.3/kibana/visualization/cef-fcf798a8-db8f-4492-827b-8fa7581108a9.json b/packages/cef/2.3.3/kibana/visualization/cef-fcf798a8-db8f-4492-827b-8fa7581108a9.json deleted file mode 100755 index cce501f750..0000000000 --- a/packages/cef/2.3.3/kibana/visualization/cef-fcf798a8-db8f-4492-827b-8fa7581108a9.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "Event Types by Size [Logs CEF ArcSight]", - "uiStateJSON": "{\"vis\":{\"colors\":{\"Count\":\"#64B0C8\",\"Total (Bytes)\":\"#E24D42\"}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Event Type\",\"field\":\"cef.device.event_class_id\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":20},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Total (Bytes)\",\"field\":\"source.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"rotate\":75,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Event Type\"},\"type\":\"category\"}],\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"},\"valueAxis\":null},\"legendPosition\":\"right\",\"orderBucketsBySum\":false,\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"mode\":\"normal\",\"show\":\"true\",\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"},{\"data\":{\"id\":\"3\",\"label\":\"Total (Bytes)\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":3,\"mode\":\"normal\",\"show\":true,\"showCircles\":false,\"type\":\"line\",\"valueAxis\":\"ValueAxis-2\"}],\"times\":[],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"square 
root\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"},{\"id\":\"ValueAxis-2\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"RightAxis-1\",\"position\":\"right\",\"scale\":{\"mode\":\"normal\",\"type\":\"square root\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Total (Bytes)\"},\"type\":\"value\"}]},\"title\":\"Event Types by Size [Logs CEF ArcSight]\",\"type\":\"histogram\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-fcf798a8-db8f-4492-827b-8fa7581108a9", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "cef-f85a3444-8a43-4e46-b872-4e44bc25d0f3", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cef/2.3.3/kibana/visualization/cef-fe7b63d1-dbc7-4376-af7f-ace97a9f2e60.json b/packages/cef/2.3.3/kibana/visualization/cef-fe7b63d1-dbc7-4376-af7f-ace97a9f2e60.json deleted file mode 100755 index 0907dbbef8..0000000000 --- a/packages/cef/2.3.3/kibana/visualization/cef-fe7b63d1-dbc7-4376-af7f-ace97a9f2e60.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "Destination Ports by Outcomes [Logs CEF ArcSight]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"destination.port\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":20},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"cef.extensions.categoryOutcome\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"destination.port: Descending\"},\"type\":\"category\"}],\"defaultYExtents\":false,\"drawLinesBetweenPoints\":true,\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"legendPosition\":\"right\",\"radiusRatio\":9,\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"mode\":\"stacked\",\"show\":\"true\",\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"showCircles\":true,\"times\":[],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"defaultYExtents\":true,\"mode\":\"normal\",\"setYExtents\":false,\"type\":\"square root\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"value\"}]},\"title\":\"Destination Ports by Outcomes [Logs CEF ArcSight]\",\"type\":\"histogram\"}" - }, - 
"coreMigrationVersion": "8.0.0", - "id": "cef-fe7b63d1-dbc7-4376-af7f-ace97a9f2e60", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "cef-5cede2d3-20fe-4140-add4-4c4f841b71a2", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cef/2.3.3/kibana/visualization/cef-fff249b2-18b6-4b48-bcf7-dd4595d111e7.json b/packages/cef/2.3.3/kibana/visualization/cef-fff249b2-18b6-4b48-bcf7-dd4595d111e7.json deleted file mode 100755 index df5b0a6e9f..0000000000 --- a/packages/cef/2.3.3/kibana/visualization/cef-fff249b2-18b6-4b48-bcf7-dd4595d111e7.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "Outcome by Device Type [Logs CEF ArcSight]", - "uiStateJSON": "{\"vis\":{\"colors\":{\"/Failure\":\"#BF1B00\",\"/Success\":\"#629E51\"}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Firewall Types\",\"field\":\"cef.extensions.categoryDeviceType\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Event Outcome\",\"field\":\"cef.extensions.categoryOutcome\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":3},\"schema\":\"group\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"rotate\":75,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Firewall Types\"},\"type\":\"category\"}],\"defaultYExtents\":false,\"drawLinesBetweenPoints\":true,\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"legendPosition\":\"right\",\"orderBucketsBySum\":true,\"radiusRatio\":9,\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"mode\":\"stacked\",\"show\":\"true\",\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"showCircles\":true,\"times\":[],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"percentage\",\"type\":\"square 
root\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"value\"}]},\"title\":\"Outcome by Device Type [Logs CEF ArcSight]\",\"type\":\"histogram\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-fff249b2-18b6-4b48-bcf7-dd4595d111e7", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "cef-68202a5c-c8f2-432f-8c08-04fbfacb95c8", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cef/2.3.3/manifest.yml b/packages/cef/2.3.3/manifest.yml deleted file mode 100755 index 6b3007a198..0000000000 --- a/packages/cef/2.3.3/manifest.yml +++ /dev/null @@ -1,26 +0,0 @@ -name: cef -title: Common Event Format (CEF) -version: 2.3.3 -release: ga -description: Collect logs from CEF Logs with Elastic Agent. -type: integration -format_version: 1.0.0 -license: basic -categories: - - network - - security -conditions: - kibana.version: ^8.0.0 -policy_templates: - - name: cef - title: CEF logs - description: Collect logs from CEF instances - inputs: - - type: logfile - title: "Collect CEF application logs (input: logfile)" - description: "Collecting application logs from CEF instances (input: logfile)" - - type: udp - title: "Collect CEF application logs (input: udp)" - description: "Collecting application logs from CEF instances (input: udp)" -owner: - github: elastic/security-external-integrations diff --git a/packages/checkpoint/1.8.2/LICENSE.txt b/packages/checkpoint/1.8.2/LICENSE.txt deleted file mode 100755 index 809108b857..0000000000 --- a/packages/checkpoint/1.8.2/LICENSE.txt +++ /dev/null 
@@ -1,93 +0,0 @@
-Elastic License 2.0
-
-URL: https://www.elastic.co/licensing/elastic-license
-
-## Acceptance
-
-By using the software, you agree to all of the terms and conditions below.
-
-## Copyright License
-
-The licensor grants you a non-exclusive, royalty-free, worldwide,
-non-sublicensable, non-transferable license to use, copy, distribute, make
-available, and prepare derivative works of the software, in each case subject to
-the limitations and conditions below.
-
-## Limitations
-
-You may not provide the software to third parties as a hosted or managed
-service, where the service provides users with access to any substantial set of
-the features or functionality of the software.
-
-You may not move, change, disable, or circumvent the license key functionality
-in the software, and you may not remove or obscure any functionality in the
-software that is protected by the license key.
-
-You may not alter, remove, or obscure any licensing, copyright, or other notices
-of the licensor in the software. Any use of the licensor’s trademarks is subject
-to applicable law.
-
-## Patents
-
-The licensor grants you a license, under any patent claims the licensor can
-license, or becomes able to license, to make, have made, use, sell, offer for
-sale, import and have imported the software, in each case subject to the
-limitations and conditions in this license. This license does not cover any
-patent claims that you cause to be infringed by modifications or additions to
-the software. If you or your company make any written claim that the software
-infringes or contributes to infringement of any patent, your patent license for
-the software granted under these terms ends immediately. If your company makes
-such a claim, your patent license ends immediately for work on behalf of your
-company.
-
-## Notices
-
-You must ensure that anyone who gets a copy of any part of the software from you
-also gets a copy of these terms.
-
-If you modify the software, you must include in any modified copies of the
-software prominent notices stating that you have modified the software.
-
-## No Other Rights
-
-These terms do not imply any licenses other than those expressly granted in
-these terms.
-
-## Termination
-
-If you use the software in violation of these terms, such use is not licensed,
-and your licenses will automatically terminate. If the licensor provides you
-with a notice of your violation, and you cease all violation of this license no
-later than 30 days after you receive that notice, your licenses will be
-reinstated retroactively. However, if you violate these terms after such
-reinstatement, any additional violation of these terms will cause your licenses
-to terminate automatically and permanently.
-
-## No Liability
-
-*As far as the law allows, the software comes as is, without any warranty or
-condition, and the licensor will not be liable to you for any damages arising
-out of these terms or the use or nature of the software, under any kind of
-legal claim.*
-
-## Definitions
-
-The **licensor** is the entity offering these terms, and the **software** is the
-software the licensor makes available under these terms, including any portion
-of it.
-
-**you** refers to the individual or entity agreeing to these terms.
-
-**your company** is any legal entity, sole proprietorship, or other kind of
-organization that you work for, plus all organizations that have control over,
-are under the control of, or are under common control with that
-organization. **control** means ownership of substantially all the assets of an
-entity, or the power to direct its management and policies by vote, contract, or
-otherwise. Control can be direct or indirect.
-
-**your licenses** are all the licenses granted to you for the software under
-these terms.
-
-**use** means anything you do with the software requiring one of your licenses.
-
-**trademark** means trademarks, service marks, and similar rights.
diff --git a/packages/checkpoint/1.8.2/changelog.yml b/packages/checkpoint/1.8.2/changelog.yml
deleted file mode 100755
index 0e80d6ede5..0000000000
--- a/packages/checkpoint/1.8.2/changelog.yml
+++ /dev/null
@@ -1,161 +0,0 @@ -# newer versions go on top -- version: "1.8.2" - changes: - - description: Remove duplicate field. - type: enhancement - link: https://github.com/elastic/integrations/issues/4339 -- version: "1.8.1" - changes: - - description: Use ECS geo.location definition. - type: enhancement - link: https://github.com/elastic/integrations/issues/4227 -- version: "1.8.0" - changes: - - description: Update package to ECS 8.4.0 - type: enhancement - link: https://github.com/elastic/integrations/pull/3842 -- version: "1.7.1" - changes: - - description: Fix handling of R81 fields. - type: bugfix - link: https://github.com/elastic/integrations/pull/3800 -- version: "1.7.0" - changes: - - description: Add handling of authentication events. - type: enhancement - link: https://github.com/elastic/integrations/pull/3750 -- version: "1.6.1" - changes: - - description: Improve TCP, SSL config description and example. - type: enhancement - link: https://github.com/elastic/integrations/pull/3763 -- version: "1.6.0" - changes: - - description: Update package to ECS 8.3.0. - type: enhancement - link: https://github.com/elastic/integrations/pull/3353 -- version: "1.5.1" - changes: - - description: Update Checkpoint logo. - type: enhancement - link: https://github.com/elastic/integrations/pull/3557 -- version: "1.5.0" - changes: - - description: Add TLS and custom options support to TCP input. - type: enhancement - link: https://github.com/elastic/integrations/pull/3317 -- version: "1.4.0" - changes: - - description: Update to ECS 8.2 to use new email field set. - type: enhancement - link: https://github.com/elastic/integrations/pull/2803 -- version: "1.3.6" - changes: - - description: Fixed parsing error when logs have trailing spaces - type: bugfix - link: https://github.com/elastic/integrations/pull/3035 -- version: "1.3.5" - changes: - - description: Added link to check point documentation. 
- type: enhancement - link: https://github.com/elastic/integrations/pull/2926 -- version: "1.3.4" - changes: - - description: Change mapping type of checkpoint.source_object to keyword from integer. - type: bugfix - link: https://github.com/elastic/integrations/pull/2951 -- version: "1.3.3" - changes: - - description: Add documentation for multi-fields - type: enhancement - link: https://github.com/elastic/integrations/pull/2916 -- version: "1.3.2" - changes: - - description: Fix field mapping conflicts for `checkpoint.icmp_type`, `checkpoint.icmp_code` & `checkpoint.email_recipients_num` - type: bugfix - link: https://github.com/elastic/integrations/pull/2895 -- version: "1.3.1" - changes: - - description: Add Ingest Pipeline script to map IANA Protocol Numbers - type: bugfix - link: https://github.com/elastic/integrations/pull/2470 -- version: "1.3.0" - changes: - - description: Update to ECS 8.0 - type: enhancement - link: https://github.com/elastic/integrations/pull/2387 -- version: "1.2.2" - changes: - - description: Regenerate test files using the new GeoIP database - type: bugfix - link: https://github.com/elastic/integrations/pull/2339 -- version: "1.2.1" - changes: - - description: Change test public IPs to the supported subset - type: bugfix - link: https://github.com/elastic/integrations/pull/2327 -- version: "1.2.0" - changes: - - description: Add 8.0.0 version constraint - type: enhancement - link: https://github.com/elastic/integrations/pull/2231 -- version: "1.1.2" - changes: - - description: Update Title and Description. 
- type: enhancement - link: https://github.com/elastic/integrations/pull/1951 -- version: "1.1.1" - changes: - - description: Fix logic that checks for the 'forwarded' tag - type: bugfix - link: https://github.com/elastic/integrations/pull/1803 -- version: "1.1.0" - changes: - - description: Update to ECS 1.12.0 - type: enhancement - link: https://github.com/elastic/integrations/pull/1653 -- version: "1.0.0" - changes: - - description: make GA - type: enhancement - link: https://github.com/elastic/integrations/pull/1605 -- version: "0.8.2" - changes: - - description: Convert to generated ECS fields - type: enhancement - link: https://github.com/elastic/integrations/pull/1470 -- version: '0.8.1' - changes: - - description: update to ECS 1.11.0 - type: enhancement - link: https://github.com/elastic/integrations/pull/1376 -- version: "0.8.0" - changes: - - description: Update integration description - type: enhancement - link: https://github.com/elastic/integrations/pull/1364 -- version: "0.7.0" - changes: - - description: Set "event.module" and "event.dataset" - type: enhancement - link: https://github.com/elastic/integrations/pull/1256 -- version: "0.6.0" - changes: - - description: update to ECS 1.10.0 and syncing module changes - type: enhancement - link: https://github.com/elastic/integrations/pull/1033 -- version: "0.5.2" - changes: - - description: update to ECS 1.9.0 - type: enhancement - link: https://github.com/elastic/integrations/pull/839 -- version: "0.5.1" - changes: - - description: Change kibana.version constraint to be more conservative. - type: bugfix - link: https://github.com/elastic/integrations/pull/749 -- version: "0.1.0" - changes: - - description: initial release - type: enhancement # can be one of: enhancement, bugfix, breaking-change - link: https://github.com/elastic/integrations/pull/220 
diff --git a/packages/checkpoint/1.8.2/data_stream/firewall/agent/stream/log.yml.hbs b/packages/checkpoint/1.8.2/data_stream/firewall/agent/stream/log.yml.hbs deleted file mode 100755 index 24ecbba6d7..0000000000 --- a/packages/checkpoint/1.8.2/data_stream/firewall/agent/stream/log.yml.hbs +++ /dev/null @@ -1,38 +0,0 @@ -paths: -{{#each paths as |path i|}} - - {{path}} -{{/each}} -exclude_files: [".gz$"] -tags: -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#each tags as |tag i|}} - - {{tag}} -{{/each}} -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} -processors: -- add_locale: ~ -{{#if processors}} -{{processors}} -{{/if}} -{{#if internal_zones.length}} -- add_fields: - target: _temp_ - fields: - internal_zones: - {{#each internal_zones as |zone i|}} - - {{zone}} - {{/each}} -{{/if}} -{{#if external_zones.length}} -- add_fields: - target: _temp_ - fields: - external_zones: - {{#each external_zones as |zone i|}} - - {{zone}} - {{/each}} -{{/if}} diff --git a/packages/checkpoint/1.8.2/data_stream/firewall/agent/stream/tcp.yml.hbs b/packages/checkpoint/1.8.2/data_stream/firewall/agent/stream/tcp.yml.hbs deleted file mode 100755 index cc8e682ac4..0000000000 --- a/packages/checkpoint/1.8.2/data_stream/firewall/agent/stream/tcp.yml.hbs +++ /dev/null 
@@ -1,40 +0,0 @@ -host: "{{syslog_host}}:{{syslog_port}}" -tags: -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#each tags as |tag i|}} - - {{tag}} -{{/each}} -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} -{{#if ssl}} -ssl: {{ssl}} -{{/if}} -processors: -- add_locale: ~ -{{#if processors}} -{{processors}} -{{/if}} -{{#if internal_zones.length}} -- add_fields: - target: _temp_ - fields: - internal_zones: - {{#each internal_zones as |zone i|}} - - {{zone}} - {{/each}} -{{/if}} -{{#if external_zones.length}} -- add_fields: - target: _temp_ - fields: - external_zones: - {{#each external_zones as |zone i|}} - - {{zone}} - {{/each}} -{{/if}} -{{#if tcp_options.length}} -{{tcp_options}} -{{/if}} diff --git a/packages/checkpoint/1.8.2/data_stream/firewall/agent/stream/udp.yml.hbs b/packages/checkpoint/1.8.2/data_stream/firewall/agent/stream/udp.yml.hbs deleted file mode 100755 index 79ed0fc89d..0000000000 --- a/packages/checkpoint/1.8.2/data_stream/firewall/agent/stream/udp.yml.hbs +++ /dev/null @@ -1,34 +0,0 @@ -host: "{{syslog_host}}:{{syslog_port}}" -tags: -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#each tags as |tag i|}} - - {{tag}} -{{/each}} -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} -processors: -- add_locale: ~ -{{#if processors}} -{{processors}} -{{/if}} -{{#if internal_zones.length}} -- add_fields: - target: _temp_ - fields: - internal_zones: - {{#each internal_zones as |zone i|}} - - {{zone}} - {{/each}} -{{/if}} -{{#if external_zones.length}} -- add_fields: - target: _temp_ - fields: - external_zones: - {{#each external_zones as |zone i|}} - - {{zone}} - {{/each}} -{{/if}} diff --git a/packages/checkpoint/1.8.2/data_stream/firewall/elasticsearch/ingest_pipeline/default.yml b/packages/checkpoint/1.8.2/data_stream/firewall/elasticsearch/ingest_pipeline/default.yml deleted file mode 100755 index e0cc4219a1..0000000000 
--- a/packages/checkpoint/1.8.2/data_stream/firewall/elasticsearch/ingest_pipeline/default.yml +++ /dev/null 
@@ -1,895 +0,0 @@ ---- -description: Pipeline for parsing checkpoint firewall logs -processors: - - set: - field: ecs.version - value: '8.4.0' - - rename: - field: message - target_field: event.original - ignore_missing: true - - grok: - field: event.original - patterns: - - '%{SYSLOG5424PRI}%{NONNEGINT:syslog5424_ver} +(?:%{TIMESTAMP_ISO8601:syslog5424_ts}|-) - +(?:%{IPORHOST:syslog5424_host}|-) +(-|%{SYSLOG5424PRINTASCII:syslog5424_app}) - +(-|%{SYSLOG5424PRINTASCII:syslog5424_proc}) +(?::-|%{SYSLOG5424PRINTASCII:syslog5424_msgid}) - +\[%{GREEDYDATA:syslog5424_sd}\]' - - kv: - field: syslog5424_sd - field_split: "; " - value_split: ":" - trim_key: " " - trim_value: " " - prefix: checkpoint. - strip_brackets: true - ignore_failure: true - exclude_keys: - - flags - - layer_uuid - - originsicname - - __policy_id_tag - - version - - rounded_bytes - - db_tag - - update_service - - remove: - field: - - syslog5424_sd - - syslog5424_app - - syslog5424_host - - syslog5424_msgid - - syslog5424_pri - - syslog5424_proc - - syslog5424_ver - - host - ignore_missing: true - - rename: - field: "@timestamp" - target_field: "event.created" - ignore_missing: true - - date: - field: "syslog5424_ts" - formats: ["ISO8601", "UNIX"] - if: "ctx.checkpoint?.time == null" - - append: - field: event.category - value: network - if: ctx.checkpoint?.operation != 'Log In' - - set: - field: observer.vendor - value: Checkpoint - - set: - field: observer.type - value: firewall - if: ctx.checkpoint?.type == null - - set: - field: observer.product - value: "{{checkpoint.product}}" - ignore_empty_value: true - - rename: - field: checkpoint.src - target_field: source.ip - ignore_missing: true - - rename: - field: checkpoint.client_ip - target_field: source.ip - ignore_missing: true - if: ctx.source?.ip == null - - rename: - field: checkpoint.xlatesrc - target_field: source.nat.ip - if: "ctx.checkpoint?.xlatesrc != '0.0.0.0'" - ignore_missing: true - - rename: - field: checkpoint.dst - target_field: 
destination.ip - ignore_missing: true - - rename: - field: checkpoint.xlatedst - target_field: destination.nat.ip - if: "ctx.checkpoint?.xlatedst != '0.0.0.0'" - ignore_missing: true - - rename: - field: checkpoint.uid - target_field: source.user.id - ignore_missing: true - - rename: - field: checkpoint.administrator - target_field: source.user.name - ignore_missing: true - - rename: - field: checkpoint.source_user_name - target_field: source.user.name - if: ctx.source?.user?.name == null - ignore_missing: true - - convert: - field: checkpoint.client_outbound_packets - target_field: source.packets - type: long - ignore_failure: true - ignore_missing: true - - convert: - field: checkpoint.server_outbound_packets - target_field: destination.packets - type: long - ignore_failure: true - ignore_missing: true - - convert: - field: checkpoint.client_outbound_bytes - target_field: source.bytes - type: long - ignore_failure: true - ignore_missing: true - - convert: - field: checkpoint.sent_byte - target_field: source.bytes - type: long - ignore_failure: true - ignore_missing: true - if: ctx.source?.bytes == null - - convert: - field: checkpoint.server_outbound_bytes - target_field: destination.bytes - type: long - ignore_failure: true - ignore_missing: true - - convert: - field: checkpoint.received_bytes - target_field: destination.bytes - type: long - ignore_failure: true - ignore_missing: true - if: ctx.destination?.bytes == null - - convert: - field: checkpoint.service - target_field: destination.port - type: long - ignore_failure: true - ignore_missing: true - - convert: - field: checkpoint.xlatedport - target_field: destination.nat.port - type: long - ignore_failure: true - ignore_missing: true - if: "ctx.checkpoint?.xlatedport != '0'" - - convert: - field: checkpoint.s_port - target_field: source.port - type: long - ignore_failure: true - ignore_missing: true - - convert: - field: checkpoint.xlatesport - target_field: source.nat.port - type: long - ignore_failure: 
true - ignore_missing: true - if: "ctx.checkpoint?.xlatesport != '0'" - - rename: - field: checkpoint.mac_source_address - target_field: source.mac - ignore_missing: true - - rename: - field: checkpoint.src_machine_name - target_field: source.domain - ignore_missing: true - - rename: - field: checkpoint.destination_dns_hostname - target_field: destination.domain - ignore_missing: true - - rename: - field: checkpoint.dst_machine_name - target_field: destination.domain - if: ctx.server?.domain == null - ignore_missing: true - - rename: - field: checkpoint.src_user_group - target_field: source.user.group.name - ignore_missing: true - - append: - field: event.category - value: authentication - if: ctx.checkpoint?.operation == 'Log In' - - set: - field: event.kind - value: alert - if: "['Prevent', 'Detect', 'Quarantine'].contains(ctx.checkpoint?.rule_action)" - - set: - field: event.kind - value: event - if: ctx.event?.kind == null - - set: - field: event.outcome - value: success - if: "['Accept', 'Allow'].contains(ctx.checkpoint?.rule_action)" - - append: - field: event.type - value: - - allowed - - connection - if: "['Accept', 'Allow'].contains(ctx.checkpoint?.rule_action)" - - set: - field: event.outcome - value: success - if: ctx.checkpoint?.audit_status == 'Success' - - set: - field: event.outcome - value: failure - if: ctx.checkpoint?.audit_status == 'Failure' - - set: - field: event.outcome - value: success - if: "['Drop', 'Reject', 'Block', 'Prevent'].contains(ctx.checkpoint?.rule_action)" - - append: - field: event.type - value: - - connection - - denied - if: "['Drop', 'Reject', 'Block', 'Prevent'].contains(ctx.checkpoint?.rule_action)" - - append: - field: event.category - value: malware - if: ctx.checkpoint?.malware_action != null - - append: - field: event.category - value: intrusion_detection - if: "['Detect', 'Prevent'].contains(ctx.checkpoint?.rule_action)" - - set: - field: event.outcome - value: success - if: ctx.checkpoint?.action == 'Log In' - - set: 
- field: event.outcome - value: failure - if: ctx.checkpoint?.action == 'Failed Log In' - - append: - field: event.category - value: authentication - if: "['Log In', 'Failed Log In'].contains(ctx.checkpoint?.action)" - - append: - field: event.type - value: allowed - if: ctx.checkpoint?.action == 'Log In' - - set: - field: checkpoint.action - value: logged-in - if: ctx.checkpoint?.action == 'Log In' - - append: - field: event.type - value: denied - if: ctx.checkpoint?.action == 'Failed Log In' - - set: - field: checkpoint.action - value: logon-failed - if: ctx.checkpoint?.action == 'Failed Log In' - - append: - field: related.ip - value: "{{source.ip}}" - if: ctx.source?.ip != null - - append: - field: related.ip - value: "{{source.nat.ip}}" - if: ctx.source?.nat?.ip != null - - append: - field: related.ip - value: "{{destination.ip}}" - if: ctx.destination?.ip != null - - append: - field: related.ip - value: "{{destination.nat.ip}}" - if: ctx.destination?.nat?.ip != null - - append: - field: related.hash - value: "{{checkpoint.file_md5}}" - if: ctx.checkpoint?.file_md5 != null - - append: - field: related.hash - value: "{{checkpoint.file_sha1}}" - if: ctx.checkpoint?.file_sha1 != null - - append: - field: related.hash - value: "{{checkpoint.file_sha256}}" - if: ctx.checkpoint?.file_sha256 != null - - rename: - field: checkpoint.from - target_field: source.user.email - ignore_missing: true - - rename: - field: checkpoint.to - target_field: destination.user.email - ignore_missing: true - - set: - field: email.from.address - value: ["{{{destination.user.email}}}"] - if: "ctx?.destination?.user?.email != null" - - set: - field: email.to.address - value: ["{{{destination.user.email}}}"] - if: "ctx?.destination?.user?.email != null" - - append: - field: email.from.address - value: "{{{checkpoint.mime_from}}}" - if: "ctx?.checkpoint?.mime_from != null" - - append: - field: email.to.address - value: "{{{checkpoint.mime_to}}}" - if: "ctx?.checkpoint?.mime_to != null" - - 
set: - field: email.subject - copy_from: checkpoint.email_subject - if: "ctx?.checkpoint?.email_subject != null" - - append: - field: email.bcc.address - value: "{{{checkpoint.bcc}}}" - if: "ctx?.checkpoint?.bcc != null" - - append: - field: email.cc.address - value: "{{{checkpoint.cc}}}" - if: "ctx?.checkpoint?.cc != null" - - set: - field: email.delivery_timestamp - copy_from: checkpoint.delivery_time - if: "ctx?.checkpoint?.delivery_time != null" - - set: - field: email.message_id - copy_from: checkpoint.email_message_id - if: "ctx?.checkpoint?.email_message_id != null" - - set: - field: email.local_id - copy_from: checkpoint.email_queue_id - if: "ctx?.checkpoint?.email_queue_id != null" - - rename: - field: checkpoint.usercheck_incident_uid - target_field: destination.user.id - ignore_missing: true - - rename: - field: checkpoint.service_name - target_field: destination.service.name - ignore_missing: true - - rename: - field: checkpoint.mac_destination_address - target_field: destination.mac - ignore_missing: true - - rename: - field: checkpoint.dns_type - target_field: dns.question.type - ignore_missing: true - - rename: - field: checkpoint.domain_name - target_field: dns.question.name - ignore_missing: true - - rename: - field: checkpoint.dns_message_type - target_field: dns.type - ignore_missing: true - - rename: - field: checkpoint.tid - target_field: dns.id - ignore_missing: true - - rename: - field: checkpoint.loguid - target_field: event.id - ignore_missing: true - - convert: - field: checkpoint.sequencenum - target_field: event.sequence - type: long - ignore_failure: true - ignore_missing: true - - convert: - field: checkpoint.severity - target_field: event.severity - type: long - ignore_failure: true - ignore_missing: true - - rename: - field: checkpoint.action - target_field: event.action - ignore_missing: true - - rename: - field: checkpoint.packet_capture - target_field: event.url - ignore_missing: true - - rename: - field: checkpoint.start_time - 
target_field: event.start - ignore_missing: true - - rename: - field: checkpoint.first_detection - target_field: event.start - ignore_missing: true - if: ctx.event?.start == null - - rename: - field: checkpoint.last_detection - target_field: event.end - ignore_missing: true - - rename: - field: checkpoint.app_risk - target_field: event.risk_score - ignore_missing: true - - rename: - field: checkpoint.file_id - target_field: file.inode - ignore_missing: true - - rename: - field: checkpoint.file_type - target_field: file.type - ignore_missing: true - - rename: - field: checkpoint.file_name - target_field: file.name - ignore_missing: true - - convert: - field: checkpoint.file_size - target_field: file.size - type: long - ignore_failure: true - ignore_missing: true - - rename: - field: checkpoint.file_md5 - target_field: file.hash.md5 - ignore_missing: true - - rename: - field: checkpoint.file_sha1 - target_field: file.hash.sha1 - ignore_missing: true - - rename: - field: checkpoint.file_sha256 - target_field: file.hash.sha256 - ignore_missing: true - - rename: - field: checkpoint.dlp_file_name - target_field: file.name - ignore_missing: true - - rename: - field: checkpoint.user_group - target_field: group.name - ignore_missing: true - - rename: - field: checkpoint.os_version - target_field: host.os.version - ignore_missing: true - - rename: - field: checkpoint.os_name - target_field: host.os.name - ignore_missing: true - - rename: - field: checkpoint.method - target_field: http.request.method - ignore_missing: true - - rename: - field: checkpoint.referrer - target_field: http.request.referrer - ignore_missing: true - - rename: - field: checkpoint.service_id - target_field: network.application - ignore_missing: true - - rename: - field: checkpoint.ifdir - target_field: network.direction - ignore_missing: true - - convert: - field: checkpoint.bytes - type: long - ignore_missing: true - - rename: - field: checkpoint.bytes - target_field: network.bytes - ignore_missing: 
true - - rename: - field: checkpoint.proto - target_field: network.iana_number - ignore_missing: true - - script: - lang: painless - ignore_failure: true - if: ctx?.network?.iana_number != null - source: | - def iana_number = ctx.network.iana_number; - if (iana_number == '0') { - ctx.network.transport = 'hopopt'; - } else if (iana_number == '1') { - ctx.network.transport = 'icmp'; - } else if (iana_number == '2') { - ctx.network.transport = 'igmp'; - } else if (iana_number == '6') { - ctx.network.transport = 'tcp'; - } else if (iana_number == '8') { - ctx.network.transport = 'egp'; - } else if (iana_number == '17') { - ctx.network.transport = 'udp'; - } else if (iana_number == '47') { - ctx.network.transport = 'gre'; - } else if (iana_number == '50') { - ctx.network.transport = 'esp'; - } else if (iana_number == '58') { - ctx.network.transport = 'ipv6-icmp'; - } else if (iana_number == '112') { - ctx.network.transport = 'vrrp'; - } else if (iana_number == '132') { - ctx.network.transport = 'sctp'; - } - - convert: - field: checkpoint.packets - type: long - ignore_missing: true - - rename: - field: checkpoint.packets - target_field: network.packets - ignore_missing: true - - rename: - field: checkpoint.layer_name - target_field: network.name - ignore_missing: true - - rename: - field: checkpoint.app_name - target_field: network.application - ignore_missing: true - - rename: - field: checkpoint.client_inbound_interface - target_field: observer.ingress.interface.name - ignore_missing: true - - rename: - field: checkpoint.client_outbound_interface - target_field: observer.egress.interface.name - ignore_missing: true - - rename: - field: checkpoint.ifname - target_field: observer.ingress.interface.name - ignore_missing: true - if: ctx.observer?.ingress?.interface?.name == null && ctx.network?.direction == 'inbound' - - rename: - field: checkpoint.ifname - target_field: observer.egress.interface.name - ignore_missing: true - if: ctx.observer?.egress?.interface?.name == 
null && ctx.network?.direction == 'outbound' - - rename: - field: checkpoint.type - target_field: observer.type - ignore_missing: true - - rename: - field: checkpoint.origin - target_field: observer.name - ignore_missing: true - - rename: - field: checkpoint.mac_address - target_field: observer.mac - ignore_missing: true - - gsub: - field: observer.mac - ignore_missing: true - pattern: '[:]' - replacement: '-' - - uppercase: - field: observer.mac - ignore_missing: true - - rename: - field: checkpoint.origin_ip - target_field: observer.ip - ignore_missing: true - - rename: - field: checkpoint.endpoint_ip - target_field: observer.ip - ignore_missing: true - if: ctx.observer?.ip == null - - rename: - field: checkpoint.outzone - target_field: observer.egress.zone - ignore_missing: true - - rename: - field: checkpoint.inzone - target_field: observer.ingress.zone - ignore_missing: true - - rename: - field: checkpoint.security_outzone - target_field: observer.egress.zone - ignore_missing: true - if: ctx.observer?.egress?.zone == null - - rename: - field: checkpoint.security_inzone - target_field: observer.ingress.zone - ignore_missing: true - if: ctx.observer?.ingress?.zone == null - - rename: - field: checkpoint.update_version - target_field: observer.version - ignore_missing: true - - rename: - field: checkpoint.process_md5 - target_field: process.hash.md5 - ignore_missing: true - - rename: - field: checkpoint.process_name - target_field: process.name - ignore_missing: true - - rename: - field: checkpoint.parent_process_md5 - target_field: process.parent.hash.md5 - ignore_missing: true - - rename: - field: checkpoint.parent_process_name - target_field: process.parent.name - ignore_missing: true - - rename: - field: checkpoint.matched_category - target_field: rule.category - ignore_missing: true - - rename: - field: checkpoint.categories - target_field: rule.category - ignore_missing: true - if: ctx.rule?.category == null - - rename: - field: checkpoint.malware_action - 
target_field: rule.description - ignore_missing: true - - rename: - field: checkpoint.malware_rule_id - target_field: rule.id - ignore_missing: true - - rename: - field: checkpoint.app_rule_id - target_field: rule.id - ignore_missing: true - if: ctx.rule?.id == null - - rename: - field: checkpoint.objectname - target_field: rule.name - ignore_missing: true - - rename: - field: checkpoint.rule_name - target_field: rule.name - ignore_missing: true - if: ctx.rule?.name == null - - rename: - field: checkpoint.malware_rule_name - target_field: rule.name - ignore_missing: true - if: ctx.rule?.name == null - - rename: - field: checkpoint.app_rule_name - target_field: rule.name - ignore_missing: true - if: ctx.rule?.name == null - - rename: - field: checkpoint.dlp_rule_name - target_field: rule.name - ignore_missing: true - if: ctx.rule?.name == null - - rename: - field: checkpoint.smartdefence_profile - target_field: rule.ruleset - ignore_missing: true - - rename: - field: checkpoint.policy - target_field: rule.ruleset - ignore_missing: true - if: ctx.rule?.ruleset == null - - rename: - field: checkpoint.rule_uid - target_field: rule.uuid - ignore_missing: true - - rename: - field: checkpoint.dlp_rule_uid - target_field: rule.uuid - ignore_missing: true - if: ctx.rule?.uuid == null - - rename: - field: checkpoint.url - target_field: url.original - ignore_missing: true - - rename: - field: checkpoint.resource - target_field: url.original - ignore_missing: true - if: ctx.url?.original == null - - rename: - field: checkpoint.http_host - target_field: url.domain - ignore_missing: true - - rename: - field: checkpoint.web_client_type - target_field: user_agent.name - ignore_missing: true - - rename: - field: checkpoint.user_agent - target_field: user_agent.original - ignore_missing: true - - rename: - field: checkpoint.industry_reference - target_field: vulnerability.id - ignore_missing: true - - date: - field: "checkpoint.time" - formats: ["ISO8601", "UNIX"] - if: 
"ctx.checkpoint?.time != null" - - rename: - field: checkpoint.message - target_field: message - ignore_missing: true - - rename: - field: checkpoint.reason - target_field: message - ignore_missing: true - if: ctx.message == null - - rename: - field: checkpoint.subject - target_field: message - ignore_missing: true - if: ctx.message == null - - gsub: - field: checkpoint.sys_message - pattern: ^:" - replacement: "" - if: ctx.checkpoint?.sys_message != null - - append: - field: related.user - value: "{{source.user.name}}" - if: ctx.source?.user?.name != null - - append: - field: related.user - value: "{{destination.user.name}}" - if: ctx.destination?.user?.name != null - - script: - lang: painless - source: "ctx.network.bytes = ctx.source.bytes + ctx.destination.bytes" - if: ctx?.source?.bytes != null && ctx?.destination?.bytes != null && ctx?.network?.bytes == null - ignore_failure: true - - script: - lang: painless - source: "ctx.network.packets = ctx.source.packets + ctx.destination.packets" - if: ctx?.source?.packets != null && ctx?.destination?.packets != null && ctx?.network?.packets == null - ignore_failure: true - - rename: - field: checkpoint.action_reason - target_field: checkpoint.action_reason_msg - if: ctx.checkpoint?.action_reason != null && ctx.checkpoint?.action_reason.contains(" ") - ignore_missing: true - - geoip: - field: source.ip - target_field: source.geo - ignore_missing: true - if: ctx.source?.geo == null - - geoip: - field: destination.ip - target_field: destination.geo - ignore_missing: true - if: ctx.destination?.geo == null - - geoip: - database_file: GeoLite2-ASN.mmdb - field: source.ip - target_field: source.as - properties: - - asn - - organization_name - ignore_missing: true - - geoip: - database_file: GeoLite2-ASN.mmdb - field: destination.ip - target_field: destination.as - properties: - - asn - - organization_name - ignore_missing: true - - rename: - field: source.as.asn - target_field: source.as.number - ignore_missing: true - - 
rename: - field: source.as.organization_name - target_field: source.as.organization.name - ignore_missing: true - - rename: - field: destination.as.asn - target_field: destination.as.number - ignore_missing: true - - rename: - field: destination.as.organization_name - target_field: destination.as.organization.name - ignore_missing: true - # Handle zone-based network directionality - - set: - field: network.direction - value: inbound - if: > - ctx?._temp_?.external_zones != null && - ctx?._temp_?.internal_zones != null && - ctx?.observer?.ingress?.zone != null && - ctx?.observer?.egress?.zone != null && - ctx._temp_.external_zones.contains(ctx.observer.ingress.zone) && - ctx._temp_.internal_zones.contains(ctx.observer.egress.zone) - - set: - field: network.direction - value: outbound - if: > - ctx?._temp_?.external_zones != null && - ctx?._temp_?.internal_zones != null && - ctx?.observer?.ingress?.zone != null && - ctx?.observer?.egress?.zone != null && - ctx._temp_.external_zones.contains(ctx.observer.egress.zone) && - ctx._temp_.internal_zones.contains(ctx.observer.ingress.zone) - - set: - field: network.direction - value: internal - if: > - ctx?._temp_?.external_zones != null && - ctx?._temp_?.internal_zones != null && - ctx?.observer?.ingress?.zone != null && - ctx?.observer?.egress?.zone != null && - ctx._temp_.internal_zones.contains(ctx.observer.egress.zone) && - ctx._temp_.internal_zones.contains(ctx.observer.ingress.zone) - - set: - field: network.direction - value: external - if: > - ctx?._temp_?.external_zones != null && - ctx?._temp_?.internal_zones != null && - ctx?.observer?.ingress?.zone != null && - ctx?.observer?.egress?.zone != null && - ctx._temp_.external_zones.contains(ctx.observer.egress.zone) && - ctx._temp_.external_zones.contains(ctx.observer.ingress.zone) - - set: - field: network.direction - value: unknown - if: > - ctx?._temp_?.external_zones != null && - ctx?._temp_?.internal_zones != null && - ctx?.observer?.ingress?.zone != null && - 
ctx?.observer?.egress?.zone != null && - ( - ( - !ctx._temp_.external_zones.contains(ctx.observer.egress.zone) && - !ctx._temp_.internal_zones.contains(ctx.observer.egress.zone) - ) || - ( - !ctx._temp_.external_zones.contains(ctx.observer.ingress.zone) && - !ctx._temp_.internal_zones.contains(ctx.observer.ingress.zone) - ) - ) - - remove: - field: - - checkpoint.ifname - - checkpoint.server_outbound_interface - - checkpoint.client_outbound_packets - - checkpoint.server_outbound_packets - - checkpoint.client_outbound_bytes - - checkpoint.server_outbound_bytes - - checkpoint.client_inbound_packets - - checkpoint.server_inbound_packets - - checkpoint.client_inbound_bytes - - checkpoint.server_inbound_bytes - - checkpoint.sent_byte - - checkpoint.received_bytes - - checkpoint.service - - checkpoint.xlatedport - - checkpoint.s_port - - checkpoint.xlatesport - - checkpoint.contextnum - - checkpoint.sequencenum - - checkpoint.file_size - - checkpoint.product - - checkpoint.severity - - checkpoint.xlatesrc - - checkpoint.xlatedst - - checkpoint.uid - - checkpoint.time - - checkpoint.__nsons - - checkpoint.__p_dport - - checkpoint.__pos - - checkpoint.hll_key - - checkpoint.segment_time - - syslog5424_ts - - _temp_ - ignore_missing: true - - remove: - field: event.original - if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" - ignore_failure: true - ignore_missing: true -on_failure: - - set: - field: error.message - value: "{{ _ingest.on_failure_message }}" diff --git a/packages/checkpoint/1.8.2/data_stream/firewall/fields/agent.yml b/packages/checkpoint/1.8.2/data_stream/firewall/fields/agent.yml deleted file mode 100755 index 915a21e22a..0000000000 --- a/packages/checkpoint/1.8.2/data_stream/firewall/fields/agent.yml +++ /dev/null 
@@ -1,153 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: "Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on." - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: "The cloud account or organization id used to identify different entities in a multi-tenant environment.\nExamples: AWS account id, Google Cloud ORG Id, or other unique identifier." - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: "Container fields are used for meta information about the specific container that is the source of information.\nThese fields help correlate data based containers from any runtime." - type: group - fields: - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: "A host is defined as a general computing instance.\nECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes." - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: "Name of the domain of which the host is a member.\nFor example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider." - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: "Hostname of the host.\nIt normally contains what the `hostname` command returns on the host machine." - - name: id - level: core - type: keyword - ignore_above: 1024 - description: "Unique host id.\nAs hostname is not always unique, use values that are meaningful in your environment.\nExample: The current usage of `beat.name`." - - name: ip - level: core - type: ip - description: Host ip addresses. 
- - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: type - level: core - type: keyword - ignore_above: 1024 - description: "Type of host.\nFor Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment." - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - diff --git a/packages/checkpoint/1.8.2/data_stream/firewall/fields/base-fields.yml b/packages/checkpoint/1.8.2/data_stream/firewall/fields/base-fields.yml deleted file mode 100755 index 6bdf832a14..0000000000 --- a/packages/checkpoint/1.8.2/data_stream/firewall/fields/base-fields.yml +++ /dev/null 
@@ -1,20 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: event.module - type: constant_keyword - description: Event module - value: checkpoint -- name: event.dataset - type: constant_keyword - description: Event dataset - value: checkpoint.firewall -- name: '@timestamp' - type: date - description: Event timestamp. diff --git a/packages/checkpoint/1.8.2/data_stream/firewall/fields/beats.yml b/packages/checkpoint/1.8.2/data_stream/firewall/fields/beats.yml deleted file mode 100755 index e272492dea..0000000000 --- a/packages/checkpoint/1.8.2/data_stream/firewall/fields/beats.yml +++ /dev/null @@ -1,15 +0,0 @@ -- description: Type of Filebeat input. - name: input.type - type: keyword -- description: Flags for the log file. - name: log.flags - type: keyword -- description: Offset of the entry in the log file. - name: log.offset - type: long -- description: Name of the service data is collected from. - name: destination.service.name - type: keyword -- description: Source address of logs received over the network. - name: log.source.address - type: keyword diff --git a/packages/checkpoint/1.8.2/data_stream/firewall/fields/ecs.yml b/packages/checkpoint/1.8.2/data_stream/firewall/fields/ecs.yml deleted file mode 100755 index c217784bc6..0000000000 --- a/packages/checkpoint/1.8.2/data_stream/firewall/fields/ecs.yml +++ /dev/null 
@@ -1,543 +0,0 @@ -- description: Unique container id. - name: container.id - type: keyword -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: destination.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: destination.as.organization.name - type: keyword -- description: Bytes sent from the destination to the source. - name: destination.bytes - type: long -- description: |- - The domain name of the destination system. - This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. - name: destination.domain - type: keyword -- description: City name. - name: destination.geo.city_name - type: keyword -- description: Name of the continent. - name: destination.geo.continent_name - type: keyword -- description: Country ISO code. - name: destination.geo.country_iso_code - type: keyword -- description: Country name. - name: destination.geo.country_name - type: keyword -- description: Longitude and latitude. - name: destination.geo.location - type: geo_point -- description: |- - User-defined description of a location, at the level of granularity they care about. - Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. - Not typically used in automated geolocation. - name: destination.geo.name - type: keyword -- description: Region ISO code. - name: destination.geo.region_iso_code - type: keyword -- description: Region name. - name: destination.geo.region_name - type: keyword -- description: IP address of the destination (IPv4 or IPv6). - name: destination.ip - type: ip -- description: |- - MAC address of the destination. 
- The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. - name: destination.mac - pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ - type: keyword -- description: |- - Translated ip of destination based NAT sessions (e.g. internet to private DMZ) - Typically used with load balancers, firewalls, or routers. - name: destination.nat.ip - type: ip -- description: |- - Port the source session is translated to by NAT Device. - Typically used with load balancers, firewalls, or routers. - name: destination.nat.port - type: long -- description: Packets sent from the destination to the source. - name: destination.packets - type: long -- description: Port of the destination. - name: destination.port - type: long -- description: User email address. - name: destination.user.email - type: keyword -- description: Unique identifier of the user. - name: destination.user.id - type: keyword -- description: Short name or login of the user. - multi_fields: - - name: text - type: match_only_text - name: destination.user.name - type: keyword -- description: The DNS packet identifier assigned by the program that generated the query. The identifier is copied to the response. - name: dns.id - type: keyword -- description: |- - The name being queried. - If the name field contains non-printable characters (below 32 or above 126), those characters should be represented as escaped base 10 integers (\DDD). Back slashes and quotes should be escaped. Tabs, carriage returns, and line feeds should be converted to \t, \r, and \n respectively. - name: dns.question.name - type: keyword -- description: The type of record being queried. - name: dns.question.type - type: keyword -- description: |- - The type of DNS event captured, query or answer. 
- If your source of DNS events only gives you DNS queries, you should only create dns events of type `dns.type:query`. - If your source of DNS events gives you answers as well, you should create one event per query (optionally as soon as the query is seen). And a second event containing all query details as well as an array of answers. - name: dns.type - type: keyword -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: The date and time when the email message was received by the service or client. - name: email.delivery_timestamp - type: date -- description: The email address of the sender, typically from the RFC 5322 `From:` header field. - name: email.from.address - normalize: - - array - type: keyword -- description: The email address of recipient - name: email.to.address - normalize: - - array - type: keyword -- description: The email address of BCC recipient - name: email.bcc.address - normalize: - - array - type: keyword -- description: The email address of CC recipient - name: email.cc.address - normalize: - - array - type: keyword -- description: A brief summary of the topic of the message. - multi_fields: - - name: text - type: match_only_text - name: email.subject - type: keyword -- description: Identifier from the RFC 5322 `Message-ID:` email header that refers to a particular email message. - name: email.message_id - type: wildcard -- description: |- - Unique identifier given to the email by the source that created the event. - Identifier is not persistent across hops. - name: email.local_id - type: keyword -- description: Error message. - name: error.message - type: match_only_text -- description: |- - The action captured by the event. 
- This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. - name: event.action - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. This will allow proper categorization of some events that fall in multiple categories. - name: event.category - normalize: - - array - type: keyword -- description: |- - event.created contains the date/time when the event was first read by an agent, or by your pipeline. - This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. - In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. - In case the two timestamps are identical, @timestamp should be used. - name: event.created - type: date -- description: event.end contains the date when the event ended or when the activity was last observed. - name: event.end - type: date -- description: Unique ID to describe the event. - name: event.id - type: keyword -- description: |- - Timestamp when an event arrived in the central data store. - This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. 
- In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. - name: event.ingested - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: |- - Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. - This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. - doc_values: false - index: false - name: event.original - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. - `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. - Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. 
- Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. - Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. - name: event.outcome - type: keyword -- description: Risk score or priority of the event (e.g. security solutions). Use your system's original value here. - name: event.risk_score - type: float -- description: |- - Sequence number of the event. - The sequence number is a value published by some event sources, to make the exact ordering of events unambiguous, regardless of the timestamp precision. - name: event.sequence - type: long -- description: |- - The numeric severity of the event according to your event source. - What the different severity values mean can be different between sources and use cases. It's up to the implementer to make sure severities are consistent across events from the same source. - The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`. - name: event.severity - type: long -- description: event.start contains the date when the event started or when the activity was first observed. - name: event.start - type: date -- description: |- - This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. - Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). 
- name: event.timezone - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. - `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. This will allow proper categorization of some events that fall in multiple event types. - name: event.type - normalize: - - array - type: keyword -- description: |- - URL linking to an external system to continue investigation of this event. - This URL links to another system where in-depth investigation of the specific occurrence of this event can take place. Alert events, indicated by `event.kind:alert`, are a common use case for this field. - name: event.url - type: keyword -- description: MD5 hash. - name: file.hash.md5 - type: keyword -- description: SHA1 hash. - name: file.hash.sha1 - type: keyword -- description: SHA256 hash. - name: file.hash.sha256 - type: keyword -- description: Inode representing the file in the filesystem. - name: file.inode - type: keyword -- description: Name of the file including the extension, without the directory. - name: file.name - type: keyword -- description: |- - File size in bytes. - Only relevant when `file.type` is "file". - name: file.size - type: long -- description: File type (file, dir, or symlink). - name: file.type - type: keyword -- description: Name of the group. - name: group.name - type: keyword -- description: |- - Name of the host. - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. - name: host.name - type: keyword -- description: Operating system name, without the version. 
- multi_fields: - - name: text - type: match_only_text - name: host.os.name - type: keyword -- description: Operating system version as a raw string. - name: host.os.version - type: keyword -- description: |- - HTTP request method. - The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field. - name: http.request.method - type: keyword -- description: Referrer for this HTTP request. - name: http.request.referrer - type: keyword -- description: |- - For log events the message field contains the log message, optimized for viewing in a log viewer. - For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. - If multiple messages exist, they can be combined into one message. - name: message - type: match_only_text -- description: |- - When a specific application or service is identified from network connection details (source/dest IPs, ports, certificates, or wire format), this field captures the application's or service's name. - For example, the original event identifies the network connection being from a specific web service in a `https` network connection, like `facebook` or `twitter`. - The field value must be normalized to lowercase for querying. - name: network.application - type: keyword -- description: |- - Total bytes transferred in both directions. - If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. - name: network.bytes - type: long -- description: |- - Direction of the network traffic. - When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". - When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". 
- Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. - name: network.direction - type: keyword -- description: IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. - name: network.iana_number - type: keyword -- description: |- - Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) - The field value must be normalized to lowercase for querying. - name: network.transport - type: keyword -- description: Name given by operators to sections of their network. - name: network.name - type: keyword -- description: |- - Total packets transferred in both directions. - If `source.packets` and `destination.packets` are known, `network.packets` is their sum. - name: network.packets - type: long -- description: Interface name as reported by the system. - name: observer.egress.interface.name - type: keyword -- description: Network zone of outbound traffic as reported by the observer to categorize the destination area of egress traffic, e.g. Internal, External, DMZ, HR, Legal, etc. - name: observer.egress.zone - type: keyword -- description: Interface name as reported by the system. - name: observer.ingress.interface.name - type: keyword -- description: Network zone of incoming traffic as reported by the observer to categorize the source area of ingress traffic. e.g. internal, External, DMZ, HR, Legal, etc. - name: observer.ingress.zone - type: keyword -- description: IP addresses of the observer. 
- name: observer.ip - normalize: - - array - type: ip -- description: |- - MAC addresses of the observer. - The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. - name: observer.mac - normalize: - - array - pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ - type: keyword -- description: |- - Custom name of the observer. - This is a name that can be given to an observer. This can be helpful for example if multiple firewalls of the same model are used in an organization. - If no custom name is needed, the field can be left empty. - name: observer.name - type: keyword -- description: The product name of the observer. - name: observer.product - type: keyword -- description: |- - The type of the observer the data is coming from. - There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. - name: observer.type - type: keyword -- description: Vendor name of the observer. - name: observer.vendor - type: keyword -- description: Observer version. - name: observer.version - type: keyword -- description: MD5 hash. - name: process.hash.md5 - type: keyword -- description: |- - Process name. - Sometimes called program name or similar. - multi_fields: - - name: text - type: match_only_text - name: process.name - type: keyword -- description: MD5 hash. - name: process.parent.hash.md5 - type: keyword -- description: |- - Process name. - Sometimes called program name or similar. - multi_fields: - - name: text - type: match_only_text - name: process.parent.name - type: keyword -- description: All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). 
- name: related.hash - normalize: - - array - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - normalize: - - array - type: ip -- description: All the user names or other user identifiers seen on the event. - name: related.user - normalize: - - array - type: keyword -- description: A categorization value keyword used by the entity using the rule for detection of this event. - name: rule.category - type: keyword -- description: The description of the rule generating the event. - name: rule.description - type: keyword -- description: A rule ID that is unique within the scope of an agent, observer, or other entity using the rule for detection of this event. - name: rule.id - type: keyword -- description: The name of the rule or signature generating the event. - name: rule.name - type: keyword -- description: Name of the ruleset, policy, group, or parent category in which the rule used to generate this event is a member. - name: rule.ruleset - type: keyword -- description: A rule ID that is unique within the scope of a set or group of agents, observers, or other entities using the rule for detection of this event. - name: rule.uuid - type: keyword -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: source.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: source.as.organization.name - type: keyword -- description: Bytes sent from the source to the destination. - name: source.bytes - type: long -- description: |- - The domain name of the source system. - This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. - name: source.domain - type: keyword -- description: City name. 
- name: source.geo.city_name - type: keyword -- description: Name of the continent. - name: source.geo.continent_name - type: keyword -- description: Country ISO code. - name: source.geo.country_iso_code - type: keyword -- description: Country name. - name: source.geo.country_name - type: keyword -- description: Longitude and latitude. - name: source.geo.location - type: geo_point -- description: |- - User-defined description of a location, at the level of granularity they care about. - Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. - Not typically used in automated geolocation. - name: source.geo.name - type: keyword -- description: Region ISO code. - name: source.geo.region_iso_code - type: keyword -- description: Region name. - name: source.geo.region_name - type: keyword -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: |- - MAC address of the source. - The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. - name: source.mac - pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ - type: keyword -- description: |- - Translated ip of source based NAT sessions (e.g. internal client to internet) - Typically connections traversing load balancers, firewalls, or routers. - name: source.nat.ip - type: ip -- description: |- - Translated port of source based NAT sessions. (e.g. internal client to internet) - Typically used with load balancers, firewalls, or routers. - name: source.nat.port - type: long -- description: Packets sent from the source to the destination. - name: source.packets - type: long -- description: Port of the source. - name: source.port - type: long -- description: User email address. - name: source.user.email - type: keyword -- description: Name of the group. 
- name: source.user.group.name - type: keyword -- description: Unique identifier of the user. - name: source.user.id - type: keyword -- description: Short name or login of the user. - multi_fields: - - name: text - type: match_only_text - name: source.user.name - type: keyword -- description: List of keywords used to tag each event. - name: tags - normalize: - - array - type: keyword -- description: |- - Domain of the url, such as "www.elastic.co". - In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. - If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. - name: url.domain - type: keyword -- description: |- - Unmodified original url as seen in the event source. - Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. - This field is meant to represent the URL as it was observed, complete or not. - multi_fields: - - name: text - type: match_only_text - name: url.original - type: wildcard -- description: Name of the user agent. - name: user_agent.name - type: keyword -- description: Unparsed user_agent string. - multi_fields: - - name: text - type: match_only_text - name: user_agent.original - type: keyword -- description: The identification (ID) is the number portion of a vulnerability entry. It includes a unique identification number for the vulnerability. For example (https://cve.mitre.org/about/faqs.html#what_is_cve_id)[Common Vulnerabilities and Exposure CVE ID] - name: vulnerability.id - type: keyword -- description: |- - Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. - If the event wasn't read from a log file, do not populate this field. - name: log.file.path - type: keyword 
diff --git a/packages/checkpoint/1.8.2/data_stream/firewall/fields/fields.yml b/packages/checkpoint/1.8.2/data_stream/firewall/fields/fields.yml
deleted file mode 100755
index f2822fa823..0000000000
--- a/packages/checkpoint/1.8.2/data_stream/firewall/fields/fields.yml
+++ /dev/null
@@ -1,1646 +0,0 @@
-- name: checkpoint
- type: group
- release: beta
- fields:
- - name: action_reason
- type: integer
- description: |
- Connection drop reason.
- - name: action_reason_msg
- type: keyword
- overwrite: true
- description: |
- Connection drop reason message.
- - name: additional_info
- type: keyword
- description: |
- ID of original file/mail which are sent by admin.
- - name: additional_ip
- type: keyword
- description: |
- DNS host name.
- - name: additional_rdata
- type: keyword
- description: |
- List of additional resource records.
- - name: alert
- type: keyword
- description: |
- Alert level of matched rule (for connection logs).
- - name: allocated_ports
- type: integer
- description: |
- Amount of allocated ports.
- - name: analyzed_on
- type: keyword
- description: |
- Check Point ThreatCloud / emulator name.
- - name: answer_rdata
- type: keyword
- description: |
- List of answer resource records to the questioned domains.
- - name: anti_virus_type
- type: keyword
- description: |
- Anti virus type.
- - name: app_desc
- type: keyword
- description: |
- Application description.
- - name: app_id
- type: integer
- description: |
- Application ID.
- - name: app_package
- type: keyword
- description: |
- Unique identifier of the application on the protected mobile device.
- - name: app_properties
- type: keyword
- description: |
- List of all found categories.
- - name: app_repackaged
- type: keyword
- description: |
- Indicates whether the original application was repackage not by the official developer.
- - name: app_sid_id
- type: keyword
- description: |
- Unique SHA identifier of a mobile application.
- - name: app_sig_id
- type: keyword
- description: |
- IOC indicator description.
- - name: app_version
- type: keyword
- description: |
- Version of the application downloaded on the protected mobile device.
- - name: appi_name
- type: keyword
- description: |
- Name of application downloaded on the protected mobile device.
- - name: arrival_time - type: keyword - description: | - Email arrival timestamp. - - name: attachments_num - type: integer - description: | - Number of attachments in the mail. - - name: attack_status - type: keyword - description: | - In case of a malicious event on an endpoint computer, the status of the attack. - - name: audit_status - type: keyword - description: | - Audit Status. Can be Success or Failure. - - name: auth_method - type: keyword - description: | - Password authentication protocol used (PAP or EAP). - - name: auth_status - type: keyword - description: | - The authentication status for an event. - - name: authority_rdata - type: keyword - description: | - List of authoritative servers. - - name: authorization - type: keyword - description: | - Authorization HTTP header value. - - name: bcc - type: keyword - description: | - List of BCC addresses. - - name: blade_name - type: keyword - description: | - Blade name. - - name: broker_publisher - type: ip - description: | - IP address of the broker publisher who shared the session information. - - name: browse_time - type: keyword - description: | - Application session browse time. - - name: c_bytes - type: integer - description: | - Boolean value indicates whether bytes sent from the client side are used. - - name: calc_desc - type: keyword - description: | - Log description. - - name: capacity - type: integer - description: | - Capacity of the ports. - - name: capture_uuid - type: keyword - description: | - UUID generated for the capture. Used when enabling the capture when logging. - - name: cc - type: keyword - description: | - The Carbon Copy address of the email. - - name: certificate_resource - type: keyword - description: | - HTTPS resource Possible values: SNI or domain name (DN). - - name: certificate_validation - type: keyword - description: | - Precise error, describing HTTPS certificate failure under "HTTPS categorize websites" feature. 
- - name: cgnet - type: keyword - description: | - Describes NAT allocation for specific subscriber. - - name: chunk_type - type: keyword - description: | - Chunck of the sctp stream. - - name: client_name - type: keyword - description: | - Client Application or Software Blade that detected the event. - - name: client_type - type: keyword - description: | - Endpoint Connect. - - name: client_type_os - type: keyword - description: | - Client OS detected in the HTTP request. - - name: client_version - type: keyword - description: | - Build version of SandBlast Agent client installed on the computer. - - name: cluster_info - type: keyword - description: | - Cluster information. Possible options: Failover reason/cluster state changes/CP cluster or 3rd party. - - name: comment - type: keyword - - name: community - type: keyword - description: | - Community name for the IPSec key and the use of the IKEv. - - name: confidence_level - type: integer - description: | - Confidence level determined by ThreatCloud. - - name: conn_direction - type: keyword - description: Connection direction - - name: connection_uid - type: keyword - description: | - Calculation of md5 of the IP and user name as UID. - - name: connectivity_level - type: keyword - description: | - Log for a new connection in wire mode. - - name: conns_amount - type: integer - description: | - Connections amount of aggregated log info. - - name: content_disposition - type: keyword - description: | - Indicates how the content is expected to be displayed inline in the browser. - - name: content_length - type: keyword - description: | - Indicates the size of the entity-body of the HTTP header. - - name: content_risk - type: integer - description: | - File risk. - - name: content_type - type: keyword - description: | - Mail content type. Possible values: application/msword, text/html, image/gif etc. - - name: context_num - type: integer - description: | - Serial number of the log for a specific connection. 
- - name: cookieI - type: keyword - description: | - Initiator cookie. - - name: cookieR - type: keyword - description: | - Responder cookie. - - name: cp_message - type: integer - description: | - Used to log a general message. - - name: cvpn_category - type: keyword - description: | - Mobile Access application type. - - name: cvpn_resource - type: keyword - description: | - Mobile Access application. - - name: data_type_name - type: keyword - description: | - Data type in rulebase that was matched. - - name: db_ver - type: keyword - description: Database version - - name: dce-rpc_interface_uuid - type: keyword - description: | - Log for new RPC state - UUID values - - name: delivery_time - type: keyword - description: | - Timestamp of when email was delivered (MTA finished handling the email. - - name: desc - type: keyword - description: | - Override application description. - - name: description - type: keyword - description: | - Additional explanation how the security gateway enforced the connection. - - name: destination_object - type: keyword - description: | - Matched object name on destination column. - - name: detected_on - type: keyword - description: | - System and applications version the file was emulated on. - - name: developer_certificate_name - type: keyword - description: | - Name of the developer's certificate that was used to sign the mobile application. - - name: diameter_app_ID - type: integer - description: | - The ID of diameter application. - - name: diameter_cmd_code - type: integer - description: | - Diameter not allowed application command id. - - name: diameter_msg_type - type: keyword - description: | - Diameter message type. - - name: dlp_action_reason - type: keyword - description: | - Action chosen reason. - - name: dlp_additional_action - type: keyword - description: | - Watermark/None. - - name: dlp_categories - type: keyword - description: | - Data type category. 
- - name: dlp_data_type_name - type: keyword - description: | - Matched data type. - - name: dlp_data_type_uid - type: keyword - description: | - Unique ID of the matched data type. - - name: dlp_fingerprint_files_number - type: integer - description: | - Number of successfully scanned files in repository. - - name: dlp_fingerprint_long_status - type: keyword - description: | - Scan status - long format. - - name: dlp_fingerprint_short_status - type: keyword - description: | - Scan status - short format. - - name: dlp_incident_uid - type: keyword - description: | - Unique ID of the matched rule. - - name: dlp_recipients - type: keyword - description: | - Mail recipients. - - name: dlp_related_incident_uid - type: keyword - description: | - Other ID related to this one. - - name: dlp_relevant_data_types - type: keyword - description: | - In case of Compound/Group: the inner data types that were matched. - - name: dlp_repository_directories_number - type: integer - description: | - Number of directories in repository. - - name: dlp_repository_files_number - type: integer - description: | - Number of files in repository. - - name: dlp_repository_id - type: keyword - description: | - ID of scanned repository. - - name: dlp_repository_not_scanned_directories_percentage - type: integer - description: | - Percentage of directories the Security Gateway was unable to read. - - name: dlp_repository_reached_directories_number - type: integer - description: | - Number of scanned directories in repository. - - name: dlp_repository_root_path - type: keyword - description: | - Repository path. - - name: dlp_repository_scan_progress - type: integer - description: | - Scan percentage. - - name: dlp_repository_scanned_directories_number - type: integer - description: | - Amount of directories scanned. - - name: dlp_repository_scanned_files_number - type: integer - description: | - Number of scanned files in repository. 
- - name: dlp_repository_scanned_total_size - type: integer - description: | - Size scanned. - - name: dlp_repository_skipped_files_number - type: integer - description: | - Skipped number of files because of configuration. - - name: dlp_repository_total_size - type: integer - description: | - Repository size. - - name: dlp_repository_unreachable_directories_number - type: integer - description: | - Number of directories the Security Gateway was unable to read. - - name: dlp_rule_name - type: keyword - description: | - Matched rule name. - - name: dlp_subject - type: keyword - description: | - Mail subject. - - name: dlp_template_score - type: keyword - description: | - Template data type match score. - - name: dlp_transint - type: keyword - description: | - HTTP/SMTP/FTP. - - name: dlp_violation_description - type: keyword - description: | - Violation descriptions described in the rulebase. - - name: dlp_watermark_profile - type: keyword - description: | - Watermark which was applied. - - name: dlp_word_list - type: keyword - description: | - Phrases matched by data type. - - name: dns_query - type: keyword - description: | - DNS query. - - name: drop_reason - type: keyword - description: | - Drop reason description. - - name: dropped_file_hash - type: keyword - description: | - List of file hashes dropped from the original file. - - name: dropped_file_name - type: keyword - description: | - List of names dropped from the original file. - - name: dropped_file_type - type: keyword - description: | - List of file types dropped from the original file. - - name: dropped_file_verdict - type: keyword - description: | - List of file verdics dropped from the original file. - - name: dropped_incoming - type: integer - description: | - Number of incoming bytes dropped when using UP-limit feature. - - name: dropped_outgoing - type: integer - description: | - Number of outgoing bytes dropped when using UP-limit feature. 
- - name: dropped_total - type: integer - description: | - Amount of dropped packets (both incoming and outgoing). - - name: drops_amount - type: integer - description: | - Amount of multicast packets dropped. - - name: dst_country - type: keyword - description: | - Destination country. - - name: dst_phone_number - type: keyword - description: | - Destination IP-Phone. - - name: dst_user_name - type: keyword - description: | - Connected user name on the destination IP. - - name: dstkeyid - type: keyword - description: | - Responder Spi ID. - - name: duplicate - type: keyword - description: | - Log marked as duplicated, when mail is split and the Security Gateway sees it twice. - - name: duration - type: keyword - description: "Scan duration. \n" - - name: elapsed - type: keyword - description: | - Time passed since start time. - - name: email_content - type: keyword - description: | - Mail contents. Possible options: attachments/links & attachments/links/text only. - - name: email_control - type: keyword - description: | - Engine name. - - name: email_control_analysis - type: keyword - description: | - Message classification, received from spam vendor engine. - - name: email_headers - type: keyword - description: | - String containing all the email headers. - - name: email_id - type: keyword - description: | - Email number in smtp connection. - - name: email_message_id - type: keyword - description: | - Email session id (uniqe ID of the mail). - - name: email_queue_id - type: keyword - description: | - Postfix email queue id. - - name: email_queue_name - type: keyword - description: | - Postfix email queue name. - - name: email_recipients_num - type: long - description: | - Amount of recipients whom the mail was sent to. - - name: email_session_id - type: keyword - description: | - Connection uuid. - - name: email_spam_category - type: keyword - description: | - Email categories. Possible values: spam/not spam/phishing. 
- - name: email_status - type: keyword - description: | - Describes the email's state. Possible options: delivered, deferred, skipped, bounced, hold, new, scan_started, scan_ended - - name: email_subject - type: keyword - description: | - Original email subject. - - name: emulated_on - type: keyword - description: | - Images the files were emulated on. - - name: encryption_failure - type: keyword - description: | - Message indicating why the encryption failed. - - name: end_time - type: keyword - description: | - TCP connection end time. - - name: end_user_firewall_type - type: keyword - description: | - End user firewall type. - - name: esod_access_status - type: keyword - description: | - Access denied. - - name: esod_associated_policies - type: keyword - description: | - Associated policies. - - name: esod_noncompliance_reason - type: keyword - description: | - Non-compliance reason. - - name: esod_rule_action - type: keyword - description: | - Unknown rule action. - - name: esod_rule_name - type: keyword - description: | - Unknown rule name. - - name: esod_rule_type - type: keyword - description: | - Unknown rule type. - - name: esod_scan_status - type: keyword - description: | - Scan failed. - - name: event_count - type: long - description: | - Number of events associated with the log. - - name: expire_time - type: keyword - description: | - Connection closing time. - - name: extension_version - type: keyword - description: | - Build version of the SandBlast Agent browser extension. - - name: extracted_file_hash - type: keyword - description: | - Archive hash in case of extracted files. - - name: extracted_file_names - type: keyword - description: | - Names of extracted files in case of an archive. - - name: extracted_file_type - type: keyword - description: | - Types of extracted files in case of an archive. - - name: extracted_file_uid - type: keyword - description: | - UID of extracted files in case of an archive. 
- - name: extracted_file_verdict - type: keyword - description: | - Verdict of extracted files in case of an archive. - - name: failure_impact - type: keyword - description: | - The impact of update service failure. - - name: failure_reason - type: keyword - description: | - MTA failure description. - - name: file_direction - type: keyword - description: | - File direction. Possible options: upload/download. - - name: file_name - type: keyword - description: | - Malicious file name. - - name: files_names - type: keyword - description: | - List of files requested by FTP. - - name: first_hit_time - type: integer - description: | - First hit time in current interval. - - name: fs-proto - type: keyword - description: | - The file share protocol used in mobile acess file share application. - - name: ftp_user - type: keyword - description: | - FTP username. - - name: fw_message - type: keyword - description: | - Used for various firewall errors. - - name: fw_subproduct - type: keyword - description: | - Can be vpn/non vpn. - - name: hide_ip - type: ip - description: | - Source IP which will be used after CGNAT. - - name: hit - type: integer - description: | - Number of hits on a rule. - - name: host_time - type: keyword - description: | - Local time on the endpoint computer. - - name: http_host - type: keyword - description: | - Domain name of the server that the HTTP request is sent to. - - name: http_location - type: keyword - description: | - Response header, indicates the URL to redirect a page to. - - name: http_server - type: keyword - description: | - Server HTTP header value, contains information about the software used by the origin server, which handles the request. - - name: https_inspection_action - type: keyword - description: | - HTTPS inspection action (Inspect/Bypass/Error). - - name: https_inspection_rule_id - type: keyword - description: | - ID of the matched rule. 
- - name: https_inspection_rule_name
- type: keyword
- description: |
- Name of the matched rule.
- - name: https_validation
- type: keyword
- description: |
- Precise error, describing HTTPS inspection failure.
- - name: icap_more_info
- type: integer
- description: |
- Free text for verdict.
- - name: icap_server_name
- type: keyword
- description: |
- Server name.
- - name: icap_server_service
- type: keyword
- description: |
- Service name, as given in the ICAP URI
- - name: icap_service_id
- type: integer
- description: |
- Service ID, can work with multiple servers, treated as services.
- - name: icmp
- type: keyword
- description: |
- Number of packets, received by the client.
- - name: icmp_code
- type: long
- description: |
- In case a connection is ICMP, code info will be added to the log.
- - name: icmp_type
- type: long
- description: |
- In case a connection is ICMP, type info will be added to the log.
- - name: id
- type: integer
- description: |
- Override application ID.
- - name: identity_src
- type: keyword
- description: |
- The source for authentication identity information.
- - name: identity_type
- type: keyword
- description: |
- The type of identity used for authentication.
- - name: ike
- type: keyword
- description: |
- IKEMode (PHASE1, PHASE2, etc..).
- - name: ike_ids
- type: keyword
- description: |
- All QM ids.
- - name: impacted_files
- type: keyword
- description: |
- In case of an infection on an endpoint computer, the list of files that the malware impacted.
- - name: incident_extension
- type: keyword
- description: |
- Matched data type.
- - name: indicator_description
- type: keyword
- description: |
- IOC indicator description.
- - name: indicator_name
- type: keyword
- description: |
- IOC indicator name.
- - name: indicator_reference
- type: keyword
- description: |
- IOC indicator reference.
- - name: indicator_uuid
- type: keyword
- description: |
- IOC indicator uuid.
- - name: info
- type: keyword
- description: |
- Special log message.
- - name: information
- type: keyword
- description: |
- Policy installation status for a specific blade.
- - name: inspection_category
- type: keyword
- description: |
- Inspection category: protocol anomaly, signature etc.
- - name: inspection_item
- type: keyword
- description: |
- Blade element performed inspection.
- - name: inspection_profile
- type: keyword
- description: |
- Profile which the activated protection belongs to.
- - name: inspection_settings_log
- type: keyword
- description: |
- Indicats that the log was released by inspection settings.
- - name: installed_products
- type: keyword
- description: |
- List of installed Endpoint Software Blades.
- - name: int_end
- type: integer
- description: |
- Subscriber end int which will be used for NAT.
- - name: int_start
- type: integer
- description: |
- Subscriber start int which will be used for NAT.
- - name: interface_name
- type: keyword
- description: |
- Designated interface for mirror And decrypt.
- - name: internal_error
- type: keyword
- description: |
- Internal error, for troubleshooting
- - name: invalid_file_size
- type: integer
- description: |
- File_size field is valid only if this field is set to 0.
- - name: ip_option
- type: integer
- description: |
- IP option that was dropped.
- - name: isp_link
- type: keyword
- description: |
- Name of ISP link.
- - name: last_hit_time
- type: integer
- description: |
- Last hit time in current interval.
- - name: last_rematch_time
- type: keyword
- description: |
- Connection rematched time.
- - name: layer_name
- type: keyword
- description: |
- Layer name.
- - name: layer_uuid
- type: keyword
- description: |
- Layer UUID.
- - name: limit_applied
- type: integer
- description: |
- Indicates whether the session was actually date limited.
- - name: limit_requested
- type: integer
- description: |
- Indicates whether data limit was requested for the session.
- - name: link_probing_status_update
- type: keyword
- description: |
- IP address response status.
- - name: links_num
- type: integer
- description: |
- Number of links in the mail.
- - name: log_delay
- type: integer
- description: |
- Time left before deleting template.
- - name: log_id
- type: integer
- description: |
- Unique identity for logs.
- - name: logid
- type: keyword
- description: |
- System messages
- - name: long_desc
- type: keyword
- description: |
- More information on the process (usually describing error reason in failure).
- - name: machine
- type: keyword
- description: |
- L2TP machine which triggered the log and the log refers to it.
- - name: malware_family
- type: keyword
- description: |
- Additional information on protection.
- - name: match_fk
- type: integer
- description: |
- Rule number.
- - name: match_id
- type: integer
- description: |
- Private key of the rule
- - name: matched_file
- type: keyword
- description: |
- Unique ID of the matched data type.
- - name: matched_file_percentage
- type: integer
- description: |
- Fingerprint: match percentage of the traffic.
- - name: matched_file_text_segments
- type: integer
- description: |
- Fingerprint: number of text segments matched by this traffic.
- - name: media_type
- type: keyword
- description: |
- Media used (audio, video, etc.)
- - name: message
- type: keyword
- description: |
- ISP link has failed.
- - name: message_info
- type: keyword
- description: |
- Used for information messages, for example:NAT connection has ended.
- - name: message_size
- type: integer
- description: |
- Mail/post size.
- - name: method
- type: keyword
- description: |
- HTTP method.
- - name: methods
- type: keyword
- description: |
- IPSEc methods.
- - name: mime_from
- type: keyword
- description: |
- Sender's address.
- - name: mime_to
- type: keyword
- description: |
- List of receiver address.
- - name: mirror_and_decrypt_type
- type: keyword
- description: |
- Information about decrypt and forward. Possible values: Mirror only, Decrypt and mirror, Partial mirroring (HTTPS inspection Bypass).
- - name: mitre_collection
- type: keyword
- description: |
- The adversary is trying to collect data of interest to achieve his goal.
- - name: mitre_command_and_control
- type: keyword
- description: |
- The adversary is trying to communicate with compromised systems in order to control them.
- - name: mitre_credential_access
- type: keyword
- description: |
- The adversary is trying to steal account names and passwords.
- - name: mitre_defense_evasion
- type: keyword
- description: |
- The adversary is trying to avoid being detected.
- - name: mitre_discovery
- type: keyword
- description: |
- The adversary is trying to expose information about your environment.
- - name: mitre_execution
- type: keyword
- description: |
- The adversary is trying to run malicious code.
- - name: mitre_exfiltration
- type: keyword
- description: |
- The adversary is trying to steal data.
- - name: mitre_impact
- type: keyword
- description: |
- The adversary is trying to manipulate, interrupt, or destroy your systems and data.
- - name: mitre_initial_access
- type: keyword
- description: |
- The adversary is trying to break into your network.
- - name: mitre_lateral_movement
- type: keyword
- description: |
- The adversary is trying to explore your environment.
- - name: mitre_persistence
- type: keyword
- description: |
- The adversary is trying to maintain his foothold.
- - name: mitre_privilege_escalation
- type: keyword
- description: |
- The adversary is trying to gain higher-level permissions.
- - name: monitor_reason
- type: keyword
- description: |
- Aggregated logs of monitored packets.
- - name: msgid
- type: keyword
- description: |
- Message ID.
- - name: name
- type: keyword
- description: |
- Application name.
- - name: nat46
- type: keyword
- description: |
- NAT 46 status, in most cases "enabled".
- - name: nat_addtnl_rulenum
- type: integer
- description: |
- When matching 2 automatic rules , second rule match will be shown otherwise field will be 0.
- - name: nat_exhausted_pool
- type: keyword
- description: |
- 4-tuple of an exhausted pool.
- - name: nat_rulenum
- type: integer
- description: |
- NAT rulebase first matched rule.
- - name: needs_browse_time
- type: integer
- description: |
- Browse time required for the connection.
- - name: next_hop_ip
- type: keyword
- description: |
- Next hop IP address.
- - name: next_scheduled_scan_date
- type: keyword
- description: |
- Next scan scheduled time according to time object.
- - name: number_of_errors
- type: integer
- description: |
- Number of files that were not scanned due to an error.
- - name: objecttable
- type: keyword
- description: |
- Table of affected objects.
- - name: objecttype
- type: keyword
- description: |
- The type of the affected object.
- - name: observable_comment
- type: keyword
- description: |
- IOC observable signature description.
- - name: observable_id
- type: keyword
- description: |
- IOC observable signature id.
- - name: observable_name
- type: keyword
- description: |
- IOC observable signature name.
- - name: operation
- type: keyword
- description: |
- Operation made by Threat Extraction.
- - name: operation_number
- type: keyword
- description: |
- The operation nuber.
- - name: origin_sic_name
- type: keyword
- description: |
- Machine SIC.
- - name: original_queue_id
- type: keyword
- description: |
- Original postfix email queue id.
- - name: outgoing_url
- type: keyword
- description: |
- URL related to this log (for HTTP).
- - name: packet_amount
- type: integer
- description: |
- Amount of packets dropped.
- - name: packet_capture_unique_id
- type: keyword
- description: |
- Identifier of the packet capture files.
- - name: parent_file_hash
- type: keyword
- description: |
- Archive's hash in case of extracted files.
- - name: parent_file_name
- type: keyword
- description: |
- Archive's name in case of extracted files.
- - name: parent_file_uid
- type: keyword
- description: |
- Archive's UID in case of extracted files.
- - name: parent_process_username
- type: keyword
- description: |
- Owner username of the parent process of the process that triggered the attack.
- - name: parent_rule
- type: integer
- description: |
- Parent rule number, in case of inline layer.
- - name: peer_gateway
- type: ip
- description: |
- Main IP of the peer Security Gateway.
- - name: peer_ip
- type: keyword
- description: |
- IP address which the client connects to.
- - name: peer_ip_probing_status_update
- type: keyword
- description: |
- IP address response status.
- - name: performance_impact
- type: integer
- description: |
- Protection performance impact.
- - name: policy_mgmt
- type: keyword
- description: |
- Name of the Management Server that manages this Security Gateway.
- - name: policy_name
- type: keyword
- description: |
- Name of the last policy that this Security Gateway fetched.
- - name: ports_usage
- type: integer
- description: |
- Percentage of allocated ports.
- - name: ppp
- type: keyword
- description: |
- Authentication status.
- - name: precise_error
- type: keyword
- description: |
- HTTP parser error.
- - name: process_username
- type: keyword
- description: |
- Owner username of the process that triggered the attack.
- - name: properties
- type: keyword
- description: |
- Application categories.
- - name: protection_id
- type: keyword
- description: |
- Protection malware id.
- - name: protection_name
- type: keyword
- description: |
- Specific signature name of the attack.
- - name: protection_type
- type: keyword
- description: |
- Type of protection used to detect the attack.
- - name: protocol - type: keyword - description: | - Protocol detected on the connection. - - name: proxy_machine_name - type: integer - description: | - Machine name connected to proxy IP. - - name: proxy_src_ip - type: ip - description: | - Sender source IP (even when using proxy). - - name: proxy_user_dn - type: keyword - description: | - User distinguished name connected to proxy IP. - - name: proxy_user_name - type: keyword - description: | - User name connected to proxy IP. - - name: query - type: keyword - description: | - DNS query. - - name: question_rdata - type: keyword - description: | - List of question records domains. - - name: referrer - type: keyword - description: | - Referrer HTTP request header, previous web page address. - - name: referrer_parent_uid - type: keyword - description: | - Log UUID of the referring application. - - name: referrer_self_uid - type: keyword - description: | - UUID of the current log. - - name: registered_ip-phones - type: keyword - description: | - Registered IP-Phones. - - name: reject_category - type: keyword - description: | - Authentication failure reason. - - name: reject_id - type: keyword - description: | - A reject ID that corresponds to the one presented in the Mobile Access error page. - - name: rematch_info - type: keyword - description: | - Information sent when old connections cannot be matched during policy installation. - - name: remediated_files - type: keyword - description: | - In case of an infection and a successful cleaning of that infection, this is a list of remediated files on the computer. - - name: reply_status - type: integer - description: | - ICAP reply status code, e.g. 200 or 204. - - name: risk - type: keyword - description: | - Risk level we got from the engine. - - name: roles - type: keyword - description: | - The role of identity. - - name: rpc_prog - type: integer - description: | - Log for new RPC state - prog values. 
- - name: rule
- type: integer
- description: |
- Matched rule number.
- - name: rule_action
- type: keyword
- description: |
- Action of the matched rule in the access policy.
- - name: rulebase_id
- type: integer
- description: |
- Layer number.
- - name: scan_direction
- type: keyword
- description: |
- Scan direction.
- - name: scan_hosts_day
- type: integer
- description: |
- Number of unique hosts during the last day.
- - name: scan_hosts_hour
- type: integer
- description: |
- Number of unique hosts during the last hour.
- - name: scan_hosts_week
- type: integer
- description: |
- Number of unique hosts during the last week.
- - name: scan_id
- type: keyword
- description: |
- Sequential number of scan.
- - name: scan_mail
- type: integer
- description: |
- Number of emails that were scanned by "AB malicious activity" engine.
- - name: scan_results
- type: keyword
- description: |
- "Infected"/description of a failure.
- - name: scheme
- type: keyword
- description: |
- Describes the scheme used for the log.
- - name: scope
- type: keyword
- description: |
- IP related to the attack.
- - name: scrub_activity
- type: keyword
- description: |
- The result of the extraction
- - name: scrub_download_time
- type: keyword
- description: |
- File download time from resource.
- - name: scrub_time
- type: keyword
- description: |
- Extraction process duration.
- - name: scrub_total_time
- type: keyword
- description: |
- Threat extraction total file handling time.
- - name: scrubbed_content
- type: keyword
- description: |
- Active content that was found.
- - name: sctp_association_state
- type: keyword
- description: |
- The bad state you were trying to update to.
- - name: sctp_error
- type: keyword
- description: |
- Error information, what caused sctp to fail on out_of_state.
- - name: scv_message_info
- type: keyword
- description: |
- Drop reason.
- - name: scv_user
- type: keyword
- description: |
- Username whose packets are dropped on SCV.
- - name: securexl_message
- type: keyword
- description: |
- Two options for a SecureXL message: 1. Missed accounting records after heavy load on logging system. 2. FW log message regarding a packet drop.
- - name: session_id
- type: keyword
- description: |
- Log uuid.
- - name: session_uid
- type: keyword
- description: |
- HTTP session-id.
- - name: short_desc
- type: keyword
- description: |
- Short description of the process that was executed.
- - name: sig_id
- type: keyword
- description: |
- Application's signature ID which how it was detected by.
- - name: similar_communication
- type: keyword
- description: |
- Network action found similar to the malicious file.
- - name: similar_hashes
- type: keyword
- description: |
- Hashes found similar to the malicious file.
- - name: similar_strings
- type: keyword
- description: |
- Strings found similar to the malicious file.
- - name: similiar_iocs
- type: keyword
- description: |
- Other IoCs similar to the ones found, related to the malicious file.
- - name: sip_reason
- type: keyword
- description: |
- Explains why 'source_ip' isn't allowed to redirect (handover).
- - name: site_name
- type: keyword
- description: |
- Site name.
- - name: source_interface
- type: keyword
- description: |
- External Interface name for source interface or Null if not found.
- - name: snid
- type: keyword
- description: |
- The Check Point session ID.
- - name: source_object
- type: keyword
- description: |
- Matched object name on source column.
- - name: source_os
- type: keyword
- description: |
- OS which generated the attack.
- - name: special_properties
- type: integer
- description: |
- If this field is set to '1' the log will not be shown (in use for monitoring scan progress).
- - name: specific_data_type_name
- type: keyword
- description: |
- Compound/Group scenario, data type that was matched.
- - name: speed
- type: integer
- description: |
- Current scan speed.
- - name: spyware_name
- type: keyword
- description: |
- Spyware name.
- - name: spyware_type
- type: keyword
- description: |
- Spyware type.
- - name: src_country
- type: keyword
- description: |
- Country name, derived from connection source IP address.
- - name: src_phone_number
- type: keyword
- description: |
- Source IP-Phone.
- - name: src_user_dn
- type: keyword
- description: |
- User distinguished name connected to source IP.
- - name: src_user_name
- type: keyword
- description: |
- User name connected to source IP
- - name: srckeyid
- type: keyword
- description: |
- Initiator Spi ID.
- - name: status
- type: keyword
- description: |
- Ok/Warning/Error.
- - name: status_update
- type: keyword
- description: |
- Last time log was updated.
- - name: sub_policy_name
- type: keyword
- description: |
- Layer name.
- - name: sub_policy_uid
- type: keyword
- description: |
- Layer uid.
- - name: subscriber
- type: ip
- description: |
- Source IP before CGNAT.
- - name: summary
- type: keyword
- description: |
- Summary message of a non-compliant DNS traffic drops or detects.
- - name: suppressed_logs
- type: integer
- description: |
- Aggregated connections for five minutes on the same source, destination and port.
- - name: sync
- type: keyword
- description: |
- Sync status and the reason (stable, at risk).
- - name: sys_message
- type: keyword
- description: |
- System messages
- - name: tcp_end_reason
- type: keyword
- description: |
- Reason for TCP connection closure.
- - name: tcp_flags
- type: keyword
- description: |
- TCP packet flags (SYN, ACK, etc.,).
- - name: tcp_packet_out_of_state
- type: keyword
- description: |
- State violation.
- - name: tcp_state
- type: keyword
- description: |
- Log reinting a tcp state change.
- - name: te_verdict_determined_by
- type: keyword
- description: |
- Emulators determined file verdict.
- - name: ticket_id
- type: keyword
- description: |
- Unique ID per file.
- - name: tls_server_host_name
- type: keyword
- description: |
- SNI/CN from encrypted TLS connection used by URLF for categorization.
- - name: top_archive_file_name
- type: keyword
- description: |
- In case of archive file: the file that was sent/received.
- - name: total_attachments
- type: integer
- description: |
- The number of attachments in an email.
- - name: triggered_by
- type: keyword
- description: |
- The name of the mechanism that triggered the Software Blade to enforce a protection.
- - name: trusted_domain
- type: keyword
- description: In case of phishing event, the domain, which the attacker was impersonating.
- - name: unique_detected_day
- type: integer
- description: |
- Detected virus for a specific host during the last day.
- - name: unique_detected_hour
- type: integer
- description: |
- Detected virus for a specific host during the last hour.
- - name: unique_detected_week
- type: integer
- description: |
- Detected virus for a specific host during the last week.
- - name: update_status
- type: keyword
- description: Status of database update
- - name: url
- type: keyword
- description: |
- Translated URL.
- - name: user
- type: keyword
- description: |
- Source user name.
- - name: user_agent
- type: keyword
- description: |
- String identifying requesting software user agent.
- - name: vendor_list
- type: keyword
- description: |
- The vendor name that provided the verdict for a malicious URL.
- - name: verdict
- type: keyword
- description: |
- TE engine verdict Possible values: Malicious/Benign/Error.
- - name: via
- type: keyword
- description: |
- Via header is added by proxies for tracking purposes to avoid sending reqests in loop.
- - name: voip_attach_action_info
- type: keyword
- description: |
- Attachment action Info.
- - name: voip_attach_sz
- type: integer
- description: |
- Attachment size.
- - name: voip_call_dir
- type: keyword
- description: |
- Call direction: in/out.
- - name: voip_call_id
- type: keyword
- description: |
- Call-ID.
- - name: voip_call_state
- type: keyword
- description: |
- Call state. Possible values: in/out.
- - name: voip_call_term_time
- type: keyword
- description: |
- Call termination time stamp.
- - name: voip_config
- type: keyword
- description: |
- Configuration.
- - name: voip_duration
- type: keyword
- description: |
- Call duration (seconds).
- - name: voip_est_codec
- type: keyword
- description: |
- Estimated codec.
- - name: voip_exp
- type: integer
- description: |
- Expiration.
- - name: voip_from_user_type
- type: keyword
- description: |
- Source IP-Phone type.
- - name: voip_log_type
- type: keyword
- description: |
- VoIP log types. Possible values: reject, call, registration.
- - name: voip_media_codec
- type: keyword
- description: |
- Estimated codec.
- - name: voip_media_ipp
- type: keyword
- description: |
- Media IP protocol.
- - name: voip_media_port
- type: keyword
- description: |
- Media int.
- - name: voip_method
- type: keyword
- description: |
- Registration request.
- - name: voip_reason_info
- type: keyword
- description: |
- Information.
- - name: voip_reg_int
- type: integer
- description: |
- Registration port.
- - name: voip_reg_ipp
- type: integer
- description: |
- Registration IP protocol.
- - name: voip_reg_period
- type: integer
- description: |
- Registration period.
- - name: voip_reg_server
- type: ip
- description: |
- Registrar server IP address.
- - name: voip_reg_user_type
- type: keyword
- description: |
- Registered IP-Phone type.
- - name: voip_reject_reason
- type: keyword
- description: |
- Reject reason.
- - name: voip_to_user_type
- type: keyword
- description: |
- Destination IP-Phone type.
- - name: vpn_feature_name
- type: keyword
- description: |
- L2TP /IKE / Link Selection.
- - name: watermark
- type: keyword
- description: |
- Reports whether watermark is added to the cleaned file.
- - name: web_server_type
- type: keyword
- description: |
- Web server detected in the HTTP response.
- - name: word_list
- type: keyword
- description: |
- Words matched by data type.
diff --git a/packages/checkpoint/1.8.2/data_stream/firewall/manifest.yml b/packages/checkpoint/1.8.2/data_stream/firewall/manifest.yml
deleted file mode 100755
index a89aa8dbcb..0000000000
--- a/packages/checkpoint/1.8.2/data_stream/firewall/manifest.yml
+++ /dev/null
@@ -1,114 +0,0 @@
-type: logs
-title: Check Point firewall logs
-streams:
- - input: udp
- vars:
- - name: tags
- type: text
- title: Tags
- multi: true
- required: true
- show_user: false
- default:
- - forwarded
- - name: preserve_original_event
- required: true
- show_user: true
- title: Preserve original event
- description: Preserves a raw copy of the original event, added to the field `event.original`
- type: bool
- multi: false
- default: false
- - name: processors
- type: yaml
- title: Processors
- multi: false
- required: false
- show_user: false
- description: >
- Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
- template_path: udp.yml.hbs
- title: Check Point firewall logs (syslog over UDP)
- description: Collect Check Point firewall logs using udp input
- - input: tcp
- vars:
- - name: tags
- type: text
- title: Tags
- multi: true
- required: true
- show_user: false
- default:
- - forwarded
- - name: preserve_original_event
- required: true
- show_user: true
- title: Preserve original event
- description: Preserves a raw copy of the original event, added to the field `event.original`
- type: bool
- multi: false
- default: false
- - name: processors
- type: yaml
- title: Processors
- multi: false
- required: false
- show_user: false
- description: >
- Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
- - name: ssl
- type: yaml
- title: SSL Configuration
- description: i.e. certificate, keys, supported_protocols, verification_mode etc.
See [SSL](https://www.elastic.co/guide/en/beats/filebeat/current/configuration-ssl.html#ssl-server-config) for details.
- multi: false
- required: false
- show_user: false
- default: |
- #certificate: "/etc/server/cert.pem"
- #key: "/etc/server/key.pem"
- name: tcp_options
- type: yaml
- title: Custom TCP Options
- multi: false
- required: false
- show_user: false
- default: |
- #max_connections: 1
- #framing: delimiter
- #line_delimiter: "\n"
- description: Specify custom configuration options for the TCP input. See [TCP](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-tcp.html) for details.
- template_path: tcp.yml.hbs
- title: Check Point firewall logs (syslog over TCP)
- description: Collect Check Point firewall logs using tcp input
- - input: logfile
- vars:
- - name: tags
- type: text
- title: Tags
- multi: true
- required: true
- show_user: false
- default:
- - forwarded
- - name: preserve_original_event
- required: true
- show_user: true
- title: Preserve original event
- description: Preserves a raw copy of the original event, added to the field `event.original`
- type: bool
- multi: false
- default: false
- - name: processors
- type: yaml
- title: Processors
- multi: false
- required: false
- show_user: false
- description: >
- Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
- template_path: log.yml.hbs
- title: Check Point firewall logs (log)
- description: Collect Check Point firewall logs using log input
diff --git a/packages/checkpoint/1.8.2/data_stream/firewall/sample_event.json b/packages/checkpoint/1.8.2/data_stream/firewall/sample_event.json
deleted file mode 100755
index e911516a1f..0000000000
--- a/packages/checkpoint/1.8.2/data_stream/firewall/sample_event.json
+++ /dev/null
@@ -1,64 +0,0 @@
-{
- "@timestamp": "2020-03-29T13:19:20.000Z",
- "agent": {
- "ephemeral_id": "7c0059da-6518-4067-9e8d-0f1b316dfef5",
- "id": "ba9ee39d-37f1-433a-8800-9d424cb9dd11",
- "name": "docker-fleet-agent",
- "type": "filebeat",
- "version": "8.0.0-beta1"
- },
- "checkpoint": {
- "sys_message": "The eth0 interface is not protected by the anti-spoofing feature. Your network may be at risk"
- },
- "data_stream": {
- "dataset": "checkpoint.firewall",
- "namespace": "ep",
- "type": "logs"
- },
- "ecs": {
- "version": "8.3.0"
- },
- "elastic_agent": {
- "id": "ba9ee39d-37f1-433a-8800-9d424cb9dd11",
- "snapshot": false,
- "version": "8.0.0-beta1"
- },
- "event": {
- "agent_id_status": "verified",
- "category": [
- "network"
- ],
- "created": "2021-12-25T09:18:51.178Z",
- "dataset": "checkpoint.firewall",
- "id": "{0x5e80a059,0x0,0x6401a8c0,0x3c7878a}",
- "ingested": "2021-12-25T09:18:52Z",
- "kind": "event",
- "sequence": 1,
- "timezone": "+00:00"
- },
- "input": {
- "type": "udp"
- },
- "log": {
- "source": {
- "address": "192.168.32.7:52492"
- }
- },
- "network": {
- "direction": "inbound"
- },
- "observer": {
- "ingress": {
- "interface": {
- "name": "daemon"
- }
- },
- "name": "192.168.1.100",
- "product": "System Monitor",
- "type": "firewall",
- "vendor": "Checkpoint"
- },
- "tags": [
- "forwarded"
- ]
-}
\ No newline at end of file
diff --git a/packages/checkpoint/1.8.2/docs/README.md b/packages/checkpoint/1.8.2/docs/README.md
deleted file mode 100755
index 39d5cccce3..0000000000
--- a/packages/checkpoint/1.8.2/docs/README.md
+++ /dev/null
@@ -1,677 +0,0 @@
-# Check Point Integration
-
-This integration is for [Check Point](https://sc1.checkpoint.com/documents/latest/APIs/#introduction~v1.8%20) products. It includes the
-following datasets for receiving logs:
-
-- `firewall` dataset: consists of log entries from the [Log Exporter](
- https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk122323)
- in the Syslog format.
-
-## Compatibility
-
-This module has been tested against Check Point Log Exporter on R80.X but should also work with R77.30.
-
-## Logs
-
-### Firewall
-
-Consists of log entries from the Log Exporter in the Syslog format.
-
-An example event for `firewall` looks as following:
-
-```json
-{
- "@timestamp": "2020-03-29T13:19:20.000Z",
- "agent": {
- "ephemeral_id": "7c0059da-6518-4067-9e8d-0f1b316dfef5",
- "id": "ba9ee39d-37f1-433a-8800-9d424cb9dd11",
- "name": "docker-fleet-agent",
- "type": "filebeat",
- "version": "8.0.0-beta1"
- },
- "checkpoint": {
- "sys_message": "The eth0 interface is not protected by the anti-spoofing feature.
Your network may be at risk"
- },
- "data_stream": {
- "dataset": "checkpoint.firewall",
- "namespace": "ep",
- "type": "logs"
- },
- "ecs": {
- "version": "8.3.0"
- },
- "elastic_agent": {
- "id": "ba9ee39d-37f1-433a-8800-9d424cb9dd11",
- "snapshot": false,
- "version": "8.0.0-beta1"
- },
- "event": {
- "agent_id_status": "verified",
- "category": [
- "network"
- ],
- "created": "2021-12-25T09:18:51.178Z",
- "dataset": "checkpoint.firewall",
- "id": "{0x5e80a059,0x0,0x6401a8c0,0x3c7878a}",
- "ingested": "2021-12-25T09:18:52Z",
- "kind": "event",
- "sequence": 1,
- "timezone": "+00:00"
- },
- "input": {
- "type": "udp"
- },
- "log": {
- "source": {
- "address": "192.168.32.7:52492"
- }
- },
- "network": {
- "direction": "inbound"
- },
- "observer": {
- "ingress": {
- "interface": {
- "name": "daemon"
- }
- },
- "name": "192.168.1.100",
- "product": "System Monitor",
- "type": "firewall",
- "vendor": "Checkpoint"
- },
- "tags": [
- "forwarded"
- ]
-}
-```
-
-**Exported fields**
-
-| Field | Description | Type |
-|---|---|---|
-| @timestamp | Event timestamp. | date |
-| checkpoint.action_reason | Connection drop reason. | integer |
-| checkpoint.action_reason_msg | Connection drop reason message. | keyword |
-| checkpoint.additional_info | ID of original file/mail which are sent by admin. | keyword |
-| checkpoint.additional_ip | DNS host name. | keyword |
-| checkpoint.additional_rdata | List of additional resource records. | keyword |
-| checkpoint.alert | Alert level of matched rule (for connection logs). | keyword |
-| checkpoint.allocated_ports | Amount of allocated ports. | integer |
-| checkpoint.analyzed_on | Check Point ThreatCloud / emulator name. | keyword |
-| checkpoint.answer_rdata | List of answer resource records to the questioned domains. | keyword |
-| checkpoint.anti_virus_type | Anti virus type. | keyword |
-| checkpoint.app_desc | Application description. | keyword |
-| checkpoint.app_id | Application ID.
| integer |
-| checkpoint.app_package | Unique identifier of the application on the protected mobile device. | keyword |
-| checkpoint.app_properties | List of all found categories. | keyword |
-| checkpoint.app_repackaged | Indicates whether the original application was repackage not by the official developer. | keyword |
-| checkpoint.app_sid_id | Unique SHA identifier of a mobile application. | keyword |
-| checkpoint.app_sig_id | IOC indicator description. | keyword |
-| checkpoint.app_version | Version of the application downloaded on the protected mobile device. | keyword |
-| checkpoint.appi_name | Name of application downloaded on the protected mobile device. | keyword |
-| checkpoint.arrival_time | Email arrival timestamp. | keyword |
-| checkpoint.attachments_num | Number of attachments in the mail. | integer |
-| checkpoint.attack_status | In case of a malicious event on an endpoint computer, the status of the attack. | keyword |
-| checkpoint.audit_status | Audit Status. Can be Success or Failure. | keyword |
-| checkpoint.auth_method | Password authentication protocol used (PAP or EAP). | keyword |
-| checkpoint.auth_status | The authentication status for an event. | keyword |
-| checkpoint.authority_rdata | List of authoritative servers. | keyword |
-| checkpoint.authorization | Authorization HTTP header value. | keyword |
-| checkpoint.bcc | List of BCC addresses. | keyword |
-| checkpoint.blade_name | Blade name. | keyword |
-| checkpoint.broker_publisher | IP address of the broker publisher who shared the session information. | ip |
-| checkpoint.browse_time | Application session browse time. | keyword |
-| checkpoint.c_bytes | Boolean value indicates whether bytes sent from the client side are used. | integer |
-| checkpoint.calc_desc | Log description. | keyword |
-| checkpoint.capacity | Capacity of the ports. | integer |
-| checkpoint.capture_uuid | UUID generated for the capture. Used when enabling the capture when logging.
| keyword |
-| checkpoint.cc | The Carbon Copy address of the email. | keyword |
-| checkpoint.certificate_resource | HTTPS resource Possible values: SNI or domain name (DN). | keyword |
-| checkpoint.certificate_validation | Precise error, describing HTTPS certificate failure under "HTTPS categorize websites" feature. | keyword |
-| checkpoint.cgnet | Describes NAT allocation for specific subscriber. | keyword |
-| checkpoint.chunk_type | Chunck of the sctp stream. | keyword |
-| checkpoint.client_name | Client Application or Software Blade that detected the event. | keyword |
-| checkpoint.client_type | Endpoint Connect. | keyword |
-| checkpoint.client_type_os | Client OS detected in the HTTP request. | keyword |
-| checkpoint.client_version | Build version of SandBlast Agent client installed on the computer. | keyword |
-| checkpoint.cluster_info | Cluster information. Possible options: Failover reason/cluster state changes/CP cluster or 3rd party. | keyword |
-| checkpoint.comment | | keyword |
-| checkpoint.community | Community name for the IPSec key and the use of the IKEv. | keyword |
-| checkpoint.confidence_level | Confidence level determined by ThreatCloud. | integer |
-| checkpoint.conn_direction | Connection direction | keyword |
-| checkpoint.connection_uid | Calculation of md5 of the IP and user name as UID. | keyword |
-| checkpoint.connectivity_level | Log for a new connection in wire mode. | keyword |
-| checkpoint.conns_amount | Connections amount of aggregated log info. | integer |
-| checkpoint.content_disposition | Indicates how the content is expected to be displayed inline in the browser. | keyword |
-| checkpoint.content_length | Indicates the size of the entity-body of the HTTP header. | keyword |
-| checkpoint.content_risk | File risk. | integer |
-| checkpoint.content_type | Mail content type. Possible values: application/msword, text/html, image/gif etc.
| keyword |
-| checkpoint.context_num | Serial number of the log for a specific connection. | integer |
-| checkpoint.cookieI | Initiator cookie. | keyword |
-| checkpoint.cookieR | Responder cookie. | keyword |
-| checkpoint.cp_message | Used to log a general message. | integer |
-| checkpoint.cvpn_category | Mobile Access application type. | keyword |
-| checkpoint.cvpn_resource | Mobile Access application. | keyword |
-| checkpoint.data_type_name | Data type in rulebase that was matched. | keyword |
-| checkpoint.db_ver | Database version | keyword |
-| checkpoint.dce-rpc_interface_uuid | Log for new RPC state - UUID values | keyword |
-| checkpoint.delivery_time | Timestamp of when email was delivered (MTA finished handling the email. | keyword |
-| checkpoint.desc | Override application description. | keyword |
-| checkpoint.description | Additional explanation how the security gateway enforced the connection. | keyword |
-| checkpoint.destination_object | Matched object name on destination column. | keyword |
-| checkpoint.detected_on | System and applications version the file was emulated on. | keyword |
-| checkpoint.developer_certificate_name | Name of the developer's certificate that was used to sign the mobile application. | keyword |
-| checkpoint.diameter_app_ID | The ID of diameter application. | integer |
-| checkpoint.diameter_cmd_code | Diameter not allowed application command id. | integer |
-| checkpoint.diameter_msg_type | Diameter message type. | keyword |
-| checkpoint.dlp_action_reason | Action chosen reason. | keyword |
-| checkpoint.dlp_additional_action | Watermark/None. | keyword |
-| checkpoint.dlp_categories | Data type category. | keyword |
-| checkpoint.dlp_data_type_name | Matched data type. | keyword |
-| checkpoint.dlp_data_type_uid | Unique ID of the matched data type. | keyword |
-| checkpoint.dlp_fingerprint_files_number | Number of successfully scanned files in repository.
| integer |
-| checkpoint.dlp_fingerprint_long_status | Scan status - long format. | keyword |
-| checkpoint.dlp_fingerprint_short_status | Scan status - short format. | keyword |
-| checkpoint.dlp_incident_uid | Unique ID of the matched rule. | keyword |
-| checkpoint.dlp_recipients | Mail recipients. | keyword |
-| checkpoint.dlp_related_incident_uid | Other ID related to this one. | keyword |
-| checkpoint.dlp_relevant_data_types | In case of Compound/Group: the inner data types that were matched. | keyword |
-| checkpoint.dlp_repository_directories_number | Number of directories in repository. | integer |
-| checkpoint.dlp_repository_files_number | Number of files in repository. | integer |
-| checkpoint.dlp_repository_id | ID of scanned repository. | keyword |
-| checkpoint.dlp_repository_not_scanned_directories_percentage | Percentage of directories the Security Gateway was unable to read. | integer |
-| checkpoint.dlp_repository_reached_directories_number | Number of scanned directories in repository. | integer |
-| checkpoint.dlp_repository_root_path | Repository path. | keyword |
-| checkpoint.dlp_repository_scan_progress | Scan percentage. | integer |
-| checkpoint.dlp_repository_scanned_directories_number | Amount of directories scanned. | integer |
-| checkpoint.dlp_repository_scanned_files_number | Number of scanned files in repository. | integer |
-| checkpoint.dlp_repository_scanned_total_size | Size scanned. | integer |
-| checkpoint.dlp_repository_skipped_files_number | Skipped number of files because of configuration. | integer |
-| checkpoint.dlp_repository_total_size | Repository size. | integer |
-| checkpoint.dlp_repository_unreachable_directories_number | Number of directories the Security Gateway was unable to read. | integer |
-| checkpoint.dlp_rule_name | Matched rule name. | keyword |
-| checkpoint.dlp_subject | Mail subject. | keyword |
-| checkpoint.dlp_template_score | Template data type match score.
| keyword |
-| checkpoint.dlp_transint | HTTP/SMTP/FTP. | keyword |
-| checkpoint.dlp_violation_description | Violation descriptions described in the rulebase. | keyword |
-| checkpoint.dlp_watermark_profile | Watermark which was applied. | keyword |
-| checkpoint.dlp_word_list | Phrases matched by data type. | keyword |
-| checkpoint.dns_query | DNS query. | keyword |
-| checkpoint.drop_reason | Drop reason description. | keyword |
-| checkpoint.dropped_file_hash | List of file hashes dropped from the original file. | keyword |
-| checkpoint.dropped_file_name | List of names dropped from the original file. | keyword |
-| checkpoint.dropped_file_type | List of file types dropped from the original file. | keyword |
-| checkpoint.dropped_file_verdict | List of file verdics dropped from the original file. | keyword |
-| checkpoint.dropped_incoming | Number of incoming bytes dropped when using UP-limit feature. | integer |
-| checkpoint.dropped_outgoing | Number of outgoing bytes dropped when using UP-limit feature. | integer |
-| checkpoint.dropped_total | Amount of dropped packets (both incoming and outgoing). | integer |
-| checkpoint.drops_amount | Amount of multicast packets dropped. | integer |
-| checkpoint.dst_country | Destination country. | keyword |
-| checkpoint.dst_phone_number | Destination IP-Phone. | keyword |
-| checkpoint.dst_user_name | Connected user name on the destination IP. | keyword |
-| checkpoint.dstkeyid | Responder Spi ID. | keyword |
-| checkpoint.duplicate | Log marked as duplicated, when mail is split and the Security Gateway sees it twice. | keyword |
-| checkpoint.duration | Scan duration. | keyword |
-| checkpoint.elapsed | Time passed since start time. | keyword |
-| checkpoint.email_content | Mail contents. Possible options: attachments/links & attachments/links/text only. | keyword |
-| checkpoint.email_control | Engine name.
| keyword |
-| checkpoint.email_control_analysis | Message classification, received from spam vendor engine. | keyword |
-| checkpoint.email_headers | String containing all the email headers. | keyword |
-| checkpoint.email_id | Email number in smtp connection. | keyword |
-| checkpoint.email_message_id | Email session id (uniqe ID of the mail). | keyword |
-| checkpoint.email_queue_id | Postfix email queue id. | keyword |
-| checkpoint.email_queue_name | Postfix email queue name. | keyword |
-| checkpoint.email_recipients_num | Amount of recipients whom the mail was sent to. | long |
-| checkpoint.email_session_id | Connection uuid. | keyword |
-| checkpoint.email_spam_category | Email categories. Possible values: spam/not spam/phishing. | keyword |
-| checkpoint.email_status | Describes the email's state. Possible options: delivered, deferred, skipped, bounced, hold, new, scan_started, scan_ended | keyword |
-| checkpoint.email_subject | Original email subject. | keyword |
-| checkpoint.emulated_on | Images the files were emulated on. | keyword |
-| checkpoint.encryption_failure | Message indicating why the encryption failed. | keyword |
-| checkpoint.end_time | TCP connection end time. | keyword |
-| checkpoint.end_user_firewall_type | End user firewall type. | keyword |
-| checkpoint.esod_access_status | Access denied. | keyword |
-| checkpoint.esod_associated_policies | Associated policies. | keyword |
-| checkpoint.esod_noncompliance_reason | Non-compliance reason. | keyword |
-| checkpoint.esod_rule_action | Unknown rule action. | keyword |
-| checkpoint.esod_rule_name | Unknown rule name. | keyword |
-| checkpoint.esod_rule_type | Unknown rule type. | keyword |
-| checkpoint.esod_scan_status | Scan failed. | keyword |
-| checkpoint.event_count | Number of events associated with the log. | long |
-| checkpoint.expire_time | Connection closing time. | keyword |
-| checkpoint.extension_version | Build version of the SandBlast Agent browser extension.
| keyword |
-| checkpoint.extracted_file_hash | Archive hash in case of extracted files. | keyword |
-| checkpoint.extracted_file_names | Names of extracted files in case of an archive. | keyword |
-| checkpoint.extracted_file_type | Types of extracted files in case of an archive. | keyword |
-| checkpoint.extracted_file_uid | UID of extracted files in case of an archive. | keyword |
-| checkpoint.extracted_file_verdict | Verdict of extracted files in case of an archive. | keyword |
-| checkpoint.failure_impact | The impact of update service failure. | keyword |
-| checkpoint.failure_reason | MTA failure description. | keyword |
-| checkpoint.file_direction | File direction. Possible options: upload/download. | keyword |
-| checkpoint.file_name | Malicious file name. | keyword |
-| checkpoint.files_names | List of files requested by FTP. | keyword |
-| checkpoint.first_hit_time | First hit time in current interval. | integer |
-| checkpoint.fs-proto | The file share protocol used in mobile acess file share application. | keyword |
-| checkpoint.ftp_user | FTP username. | keyword |
-| checkpoint.fw_message | Used for various firewall errors. | keyword |
-| checkpoint.fw_subproduct | Can be vpn/non vpn. | keyword |
-| checkpoint.hide_ip | Source IP which will be used after CGNAT. | ip |
-| checkpoint.hit | Number of hits on a rule. | integer |
-| checkpoint.host_time | Local time on the endpoint computer. | keyword |
-| checkpoint.http_host | Domain name of the server that the HTTP request is sent to. | keyword |
-| checkpoint.http_location | Response header, indicates the URL to redirect a page to. | keyword |
-| checkpoint.http_server | Server HTTP header value, contains information about the software used by the origin server, which handles the request. | keyword |
-| checkpoint.https_inspection_action | HTTPS inspection action (Inspect/Bypass/Error). | keyword |
-| checkpoint.https_inspection_rule_id | ID of the matched rule.
| keyword |
-| checkpoint.https_inspection_rule_name | Name of the matched rule. | keyword |
-| checkpoint.https_validation | Precise error, describing HTTPS inspection failure. | keyword |
-| checkpoint.icap_more_info | Free text for verdict. | integer |
-| checkpoint.icap_server_name | Server name. | keyword |
-| checkpoint.icap_server_service | Service name, as given in the ICAP URI | keyword |
-| checkpoint.icap_service_id | Service ID, can work with multiple servers, treated as services. | integer |
-| checkpoint.icmp | Number of packets, received by the client. | keyword |
-| checkpoint.icmp_code | In case a connection is ICMP, code info will be added to the log. | long |
-| checkpoint.icmp_type | In case a connection is ICMP, type info will be added to the log. | long |
-| checkpoint.id | Override application ID. | integer |
-| checkpoint.identity_src | The source for authentication identity information. | keyword |
-| checkpoint.identity_type | The type of identity used for authentication. | keyword |
-| checkpoint.ike | IKEMode (PHASE1, PHASE2, etc..). | keyword |
-| checkpoint.ike_ids | All QM ids. | keyword |
-| checkpoint.impacted_files | In case of an infection on an endpoint computer, the list of files that the malware impacted. | keyword |
-| checkpoint.incident_extension | Matched data type. | keyword |
-| checkpoint.indicator_description | IOC indicator description. | keyword |
-| checkpoint.indicator_name | IOC indicator name. | keyword |
-| checkpoint.indicator_reference | IOC indicator reference. | keyword |
-| checkpoint.indicator_uuid | IOC indicator uuid. | keyword |
-| checkpoint.info | Special log message. | keyword |
-| checkpoint.information | Policy installation status for a specific blade. | keyword |
-| checkpoint.inspection_category | Inspection category: protocol anomaly, signature etc. | keyword |
-| checkpoint.inspection_item | Blade element performed inspection.
| keyword |
-| checkpoint.inspection_profile | Profile which the activated protection belongs to. | keyword |
-| checkpoint.inspection_settings_log | Indicats that the log was released by inspection settings. | keyword |
-| checkpoint.installed_products | List of installed Endpoint Software Blades. | keyword |
-| checkpoint.int_end | Subscriber end int which will be used for NAT. | integer |
-| checkpoint.int_start | Subscriber start int which will be used for NAT. | integer |
-| checkpoint.interface_name | Designated interface for mirror And decrypt. | keyword |
-| checkpoint.internal_error | Internal error, for troubleshooting | keyword |
-| checkpoint.invalid_file_size | File_size field is valid only if this field is set to 0. | integer |
-| checkpoint.ip_option | IP option that was dropped. | integer |
-| checkpoint.isp_link | Name of ISP link. | keyword |
-| checkpoint.last_hit_time | Last hit time in current interval. | integer |
-| checkpoint.last_rematch_time | Connection rematched time. | keyword |
-| checkpoint.layer_name | Layer name. | keyword |
-| checkpoint.layer_uuid | Layer UUID. | keyword |
-| checkpoint.limit_applied | Indicates whether the session was actually date limited. | integer |
-| checkpoint.limit_requested | Indicates whether data limit was requested for the session. | integer |
-| checkpoint.link_probing_status_update | IP address response status. | keyword |
-| checkpoint.links_num | Number of links in the mail. | integer |
-| checkpoint.log_delay | Time left before deleting template. | integer |
-| checkpoint.log_id | Unique identity for logs. | integer |
-| checkpoint.logid | System messages | keyword |
-| checkpoint.long_desc | More information on the process (usually describing error reason in failure). | keyword |
-| checkpoint.machine | L2TP machine which triggered the log and the log refers to it. | keyword |
-| checkpoint.malware_family | Additional information on protection. | keyword |
-| checkpoint.match_fk | Rule number.
| integer |
-| checkpoint.match_id | Private key of the rule | integer |
-| checkpoint.matched_file | Unique ID of the matched data type. | keyword |
-| checkpoint.matched_file_percentage | Fingerprint: match percentage of the traffic. | integer |
-| checkpoint.matched_file_text_segments | Fingerprint: number of text segments matched by this traffic. | integer |
-| checkpoint.media_type | Media used (audio, video, etc.) | keyword |
-| checkpoint.message | ISP link has failed. | keyword |
-| checkpoint.message_info | Used for information messages, for example:NAT connection has ended. | keyword |
-| checkpoint.message_size | Mail/post size. | integer |
-| checkpoint.method | HTTP method. | keyword |
-| checkpoint.methods | IPSEc methods. | keyword |
-| checkpoint.mime_from | Sender's address. | keyword |
-| checkpoint.mime_to | List of receiver address. | keyword |
-| checkpoint.mirror_and_decrypt_type | Information about decrypt and forward. Possible values: Mirror only, Decrypt and mirror, Partial mirroring (HTTPS inspection Bypass). | keyword |
-| checkpoint.mitre_collection | The adversary is trying to collect data of interest to achieve his goal. | keyword |
-| checkpoint.mitre_command_and_control | The adversary is trying to communicate with compromised systems in order to control them. | keyword |
-| checkpoint.mitre_credential_access | The adversary is trying to steal account names and passwords. | keyword |
-| checkpoint.mitre_defense_evasion | The adversary is trying to avoid being detected. | keyword |
-| checkpoint.mitre_discovery | The adversary is trying to expose information about your environment. | keyword |
-| checkpoint.mitre_execution | The adversary is trying to run malicious code. | keyword |
-| checkpoint.mitre_exfiltration | The adversary is trying to steal data. | keyword |
-| checkpoint.mitre_impact | The adversary is trying to manipulate, interrupt, or destroy your systems and data.
| keyword |
-| checkpoint.mitre_initial_access | The adversary is trying to break into your network. | keyword |
-| checkpoint.mitre_lateral_movement | The adversary is trying to explore your environment. | keyword |
-| checkpoint.mitre_persistence | The adversary is trying to maintain his foothold. | keyword |
-| checkpoint.mitre_privilege_escalation | The adversary is trying to gain higher-level permissions. | keyword |
-| checkpoint.monitor_reason | Aggregated logs of monitored packets. | keyword |
-| checkpoint.msgid | Message ID. | keyword |
-| checkpoint.name | Application name. | keyword |
-| checkpoint.nat46 | NAT 46 status, in most cases "enabled". | keyword |
-| checkpoint.nat_addtnl_rulenum | When matching 2 automatic rules , second rule match will be shown otherwise field will be 0. | integer |
-| checkpoint.nat_exhausted_pool | 4-tuple of an exhausted pool. | keyword |
-| checkpoint.nat_rulenum | NAT rulebase first matched rule. | integer |
-| checkpoint.needs_browse_time | Browse time required for the connection. | integer |
-| checkpoint.next_hop_ip | Next hop IP address. | keyword |
-| checkpoint.next_scheduled_scan_date | Next scan scheduled time according to time object. | keyword |
-| checkpoint.number_of_errors | Number of files that were not scanned due to an error. | integer |
-| checkpoint.objecttable | Table of affected objects. | keyword |
-| checkpoint.objecttype | The type of the affected object. | keyword |
-| checkpoint.observable_comment | IOC observable signature description. | keyword |
-| checkpoint.observable_id | IOC observable signature id. | keyword |
-| checkpoint.observable_name | IOC observable signature name. | keyword |
-| checkpoint.operation | Operation made by Threat Extraction. | keyword |
-| checkpoint.operation_number | The operation nuber. | keyword |
-| checkpoint.origin_sic_name | Machine SIC. | keyword |
-| checkpoint.original_queue_id | Original postfix email queue id.
| keyword |
-| checkpoint.outgoing_url | URL related to this log (for HTTP). | keyword |
-| checkpoint.packet_amount | Amount of packets dropped. | integer |
-| checkpoint.packet_capture_unique_id | Identifier of the packet capture files. | keyword |
-| checkpoint.parent_file_hash | Archive's hash in case of extracted files. | keyword |
-| checkpoint.parent_file_name | Archive's name in case of extracted files. | keyword |
-| checkpoint.parent_file_uid | Archive's UID in case of extracted files. | keyword |
-| checkpoint.parent_process_username | Owner username of the parent process of the process that triggered the attack. | keyword |
-| checkpoint.parent_rule | Parent rule number, in case of inline layer. | integer |
-| checkpoint.peer_gateway | Main IP of the peer Security Gateway. | ip |
-| checkpoint.peer_ip | IP address which the client connects to. | keyword |
-| checkpoint.peer_ip_probing_status_update | IP address response status. | keyword |
-| checkpoint.performance_impact | Protection performance impact. | integer |
-| checkpoint.policy_mgmt | Name of the Management Server that manages this Security Gateway. | keyword |
-| checkpoint.policy_name | Name of the last policy that this Security Gateway fetched. | keyword |
-| checkpoint.ports_usage | Percentage of allocated ports. | integer |
-| checkpoint.ppp | Authentication status. | keyword |
-| checkpoint.precise_error | HTTP parser error. | keyword |
-| checkpoint.process_username | Owner username of the process that triggered the attack. | keyword |
-| checkpoint.properties | Application categories. | keyword |
-| checkpoint.protection_id | Protection malware id. | keyword |
-| checkpoint.protection_name | Specific signature name of the attack. | keyword |
-| checkpoint.protection_type | Type of protection used to detect the attack. | keyword |
-| checkpoint.protocol | Protocol detected on the connection. | keyword |
-| checkpoint.proxy_machine_name | Machine name connected to proxy IP.
| integer |
-| checkpoint.proxy_src_ip | Sender source IP (even when using proxy). | ip |
-| checkpoint.proxy_user_dn | User distinguished name connected to proxy IP. | keyword |
-| checkpoint.proxy_user_name | User name connected to proxy IP. | keyword |
-| checkpoint.query | DNS query. | keyword |
-| checkpoint.question_rdata | List of question records domains. | keyword |
-| checkpoint.referrer | Referrer HTTP request header, previous web page address. | keyword |
-| checkpoint.referrer_parent_uid | Log UUID of the referring application. | keyword |
-| checkpoint.referrer_self_uid | UUID of the current log. | keyword |
-| checkpoint.registered_ip-phones | Registered IP-Phones. | keyword |
-| checkpoint.reject_category | Authentication failure reason. | keyword |
-| checkpoint.reject_id | A reject ID that corresponds to the one presented in the Mobile Access error page. | keyword |
-| checkpoint.rematch_info | Information sent when old connections cannot be matched during policy installation. | keyword |
-| checkpoint.remediated_files | In case of an infection and a successful cleaning of that infection, this is a list of remediated files on the computer. | keyword |
-| checkpoint.reply_status | ICAP reply status code, e.g. 200 or 204. | integer |
-| checkpoint.risk | Risk level we got from the engine. | keyword |
-| checkpoint.roles | The role of identity. | keyword |
-| checkpoint.rpc_prog | Log for new RPC state - prog values. | integer |
-| checkpoint.rule | Matched rule number. | integer |
-| checkpoint.rule_action | Action of the matched rule in the access policy. | keyword |
-| checkpoint.rulebase_id | Layer number. | integer |
-| checkpoint.scan_direction | Scan direction. | keyword |
-| checkpoint.scan_hosts_day | Number of unique hosts during the last day. | integer |
-| checkpoint.scan_hosts_hour | Number of unique hosts during the last hour. | integer |
-| checkpoint.scan_hosts_week | Number of unique hosts during the last week.
| integer |
-| checkpoint.scan_id | Sequential number of scan. | keyword |
-| checkpoint.scan_mail | Number of emails that were scanned by "AB malicious activity" engine. | integer |
-| checkpoint.scan_results | "Infected"/description of a failure. | keyword |
-| checkpoint.scheme | Describes the scheme used for the log. | keyword |
-| checkpoint.scope | IP related to the attack. | keyword |
-| checkpoint.scrub_activity | The result of the extraction | keyword |
-| checkpoint.scrub_download_time | File download time from resource. | keyword |
-| checkpoint.scrub_time | Extraction process duration. | keyword |
-| checkpoint.scrub_total_time | Threat extraction total file handling time. | keyword |
-| checkpoint.scrubbed_content | Active content that was found. | keyword |
-| checkpoint.sctp_association_state | The bad state you were trying to update to. | keyword |
-| checkpoint.sctp_error | Error information, what caused sctp to fail on out_of_state. | keyword |
-| checkpoint.scv_message_info | Drop reason. | keyword |
-| checkpoint.scv_user | Username whose packets are dropped on SCV. | keyword |
-| checkpoint.securexl_message | Two options for a SecureXL message: 1. Missed accounting records after heavy load on logging system. 2. FW log message regarding a packet drop. | keyword |
-| checkpoint.session_id | Log uuid. | keyword |
-| checkpoint.session_uid | HTTP session-id. | keyword |
-| checkpoint.short_desc | Short description of the process that was executed. | keyword |
-| checkpoint.sig_id | Application's signature ID which how it was detected by. | keyword |
-| checkpoint.similar_communication | Network action found similar to the malicious file. | keyword |
-| checkpoint.similar_hashes | Hashes found similar to the malicious file. | keyword |
-| checkpoint.similar_strings | Strings found similar to the malicious file. | keyword |
-| checkpoint.similiar_iocs | Other IoCs similar to the ones found, related to the malicious file.
| keyword |
-| checkpoint.sip_reason | Explains why 'source_ip' isn't allowed to redirect (handover). | keyword |
-| checkpoint.site_name | Site name. | keyword |
-| checkpoint.snid | The Check Point session ID. | keyword |
-| checkpoint.source_interface | External Interface name for source interface or Null if not found. | keyword |
-| checkpoint.source_object | Matched object name on source column. | keyword |
-| checkpoint.source_os | OS which generated the attack. | keyword |
-| checkpoint.special_properties | If this field is set to '1' the log will not be shown (in use for monitoring scan progress). | integer |
-| checkpoint.specific_data_type_name | Compound/Group scenario, data type that was matched. | keyword |
-| checkpoint.speed | Current scan speed. | integer |
-| checkpoint.spyware_name | Spyware name. | keyword |
-| checkpoint.spyware_type | Spyware type. | keyword |
-| checkpoint.src_country | Country name, derived from connection source IP address. | keyword |
-| checkpoint.src_phone_number | Source IP-Phone. | keyword |
-| checkpoint.src_user_dn | User distinguished name connected to source IP. | keyword |
-| checkpoint.src_user_name | User name connected to source IP | keyword |
-| checkpoint.srckeyid | Initiator Spi ID. | keyword |
-| checkpoint.status | Ok/Warning/Error. | keyword |
-| checkpoint.status_update | Last time log was updated. | keyword |
-| checkpoint.sub_policy_name | Layer name. | keyword |
-| checkpoint.sub_policy_uid | Layer uid. | keyword |
-| checkpoint.subscriber | Source IP before CGNAT. | ip |
-| checkpoint.summary | Summary message of a non-compliant DNS traffic drops or detects. | keyword |
-| checkpoint.suppressed_logs | Aggregated connections for five minutes on the same source, destination and port. | integer |
-| checkpoint.sync | Sync status and the reason (stable, at risk). | keyword |
-| checkpoint.sys_message | System messages | keyword |
-| checkpoint.tcp_end_reason | Reason for TCP connection closure.
| keyword |
-| checkpoint.tcp_flags | TCP packet flags (SYN, ACK, etc.,). | keyword |
-| checkpoint.tcp_packet_out_of_state | State violation. | keyword |
-| checkpoint.tcp_state | Log reinting a tcp state change. | keyword |
-| checkpoint.te_verdict_determined_by | Emulators determined file verdict. | keyword |
-| checkpoint.ticket_id | Unique ID per file. | keyword |
-| checkpoint.tls_server_host_name | SNI/CN from encrypted TLS connection used by URLF for categorization. | keyword |
-| checkpoint.top_archive_file_name | In case of archive file: the file that was sent/received. | keyword |
-| checkpoint.total_attachments | The number of attachments in an email. | integer |
-| checkpoint.triggered_by | The name of the mechanism that triggered the Software Blade to enforce a protection. | keyword |
-| checkpoint.trusted_domain | In case of phishing event, the domain, which the attacker was impersonating. | keyword |
-| checkpoint.unique_detected_day | Detected virus for a specific host during the last day. | integer |
-| checkpoint.unique_detected_hour | Detected virus for a specific host during the last hour. | integer |
-| checkpoint.unique_detected_week | Detected virus for a specific host during the last week. | integer |
-| checkpoint.update_status | Status of database update | keyword |
-| checkpoint.url | Translated URL. | keyword |
-| checkpoint.user | Source user name. | keyword |
-| checkpoint.user_agent | String identifying requesting software user agent. | keyword |
-| checkpoint.vendor_list | The vendor name that provided the verdict for a malicious URL. | keyword |
-| checkpoint.verdict | TE engine verdict Possible values: Malicious/Benign/Error. | keyword |
-| checkpoint.via | Via header is added by proxies for tracking purposes to avoid sending reqests in loop. | keyword |
-| checkpoint.voip_attach_action_info | Attachment action Info. | keyword |
-| checkpoint.voip_attach_sz | Attachment size.
| integer |
-| checkpoint.voip_call_dir | Call direction: in/out. | keyword |
-| checkpoint.voip_call_id | Call-ID. | keyword |
-| checkpoint.voip_call_state | Call state. Possible values: in/out. | keyword |
-| checkpoint.voip_call_term_time | Call termination time stamp. | keyword |
-| checkpoint.voip_config | Configuration. | keyword |
-| checkpoint.voip_duration | Call duration (seconds). | keyword |
-| checkpoint.voip_est_codec | Estimated codec. | keyword |
-| checkpoint.voip_exp | Expiration. | integer |
-| checkpoint.voip_from_user_type | Source IP-Phone type. | keyword |
-| checkpoint.voip_log_type | VoIP log types. Possible values: reject, call, registration. | keyword |
-| checkpoint.voip_media_codec | Estimated codec. | keyword |
-| checkpoint.voip_media_ipp | Media IP protocol. | keyword |
-| checkpoint.voip_media_port | Media int. | keyword |
-| checkpoint.voip_method | Registration request. | keyword |
-| checkpoint.voip_reason_info | Information. | keyword |
-| checkpoint.voip_reg_int | Registration port. | integer |
-| checkpoint.voip_reg_ipp | Registration IP protocol. | integer |
-| checkpoint.voip_reg_period | Registration period. | integer |
-| checkpoint.voip_reg_server | Registrar server IP address. | ip |
-| checkpoint.voip_reg_user_type | Registered IP-Phone type. | keyword |
-| checkpoint.voip_reject_reason | Reject reason. | keyword |
-| checkpoint.voip_to_user_type | Destination IP-Phone type. | keyword |
-| checkpoint.vpn_feature_name | L2TP /IKE / Link Selection. | keyword |
-| checkpoint.watermark | Reports whether watermark is added to the cleaned file. | keyword |
-| checkpoint.web_server_type | Web server detected in the HTTP response. | keyword |
-| checkpoint.word_list | Words matched by data type. | keyword |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.
| keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
-| data_stream.dataset | Data stream dataset. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| destination.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long |
-| destination.as.organization.name | Organization name. | keyword |
-| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. | match_only_text |
-| destination.bytes | Bytes sent from the destination to the source. | long |
-| destination.domain | The domain name of the destination system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword |
-| destination.geo.city_name | City name. | keyword |
-| destination.geo.continent_name | Name of the continent. | keyword |
-| destination.geo.country_iso_code | Country ISO code. | keyword |
-| destination.geo.country_name | Country name.
| keyword |
-| destination.geo.location | Longitude and latitude. | geo_point |
-| destination.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword |
-| destination.geo.region_iso_code | Region ISO code. | keyword |
-| destination.geo.region_name | Region name. | keyword |
-| destination.ip | IP address of the destination (IPv4 or IPv6). | ip |
-| destination.mac | MAC address of the destination. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword |
-| destination.nat.ip | Translated ip of destination based NAT sessions (e.g. internet to private DMZ) Typically used with load balancers, firewalls, or routers. | ip |
-| destination.nat.port | Port the source session is translated to by NAT Device. Typically used with load balancers, firewalls, or routers. | long |
-| destination.packets | Packets sent from the destination to the source. | long |
-| destination.port | Port of the destination. | long |
-| destination.service.name | Name of the service data is collected from. | keyword |
-| destination.user.email | User email address. | keyword |
-| destination.user.id | Unique identifier of the user. | keyword |
-| destination.user.name | Short name or login of the user. | keyword |
-| destination.user.name.text | Multi-field of `destination.user.name`. | match_only_text |
-| dns.id | The DNS packet identifier assigned by the program that generated the query. The identifier is copied to the response. | keyword |
-| dns.question.name | The name being queried.
 If the name field contains non-printable characters (below 32 or above 126), those characters should be represented as escaped base 10 integers (\DDD). Back slashes and quotes should be escaped. Tabs, carriage returns, and line feeds should be converted to \t, \r, and \n respectively. | keyword |
-| dns.question.type | The type of record being queried. | keyword |
-| dns.type | The type of DNS event captured, query or answer. If your source of DNS events only gives you DNS queries, you should only create dns events of type `dns.type:query`. If your source of DNS events gives you answers as well, you should create one event per query (optionally as soon as the query is seen). And a second event containing all query details as well as an array of answers. | keyword |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| email.bcc.address | The email address of BCC recipient | keyword |
-| email.cc.address | The email address of CC recipient | keyword |
-| email.delivery_timestamp | The date and time when the email message was received by the service or client. | date |
-| email.from.address | The email address of the sender, typically from the RFC 5322 `From:` header field. | keyword |
-| email.local_id | Unique identifier given to the email by the source that created the event. Identifier is not persistent across hops. | keyword |
-| email.message_id | Identifier from the RFC 5322 `Message-ID:` email header that refers to a particular email message. | wildcard |
-| email.subject | A brief summary of the topic of the message. | keyword |
-| email.subject.text | Multi-field of `email.subject`. | match_only_text |
-| email.to.address | The email address of recipient | keyword |
-| error.message | Error message.
| match_only_text |
-| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword |
-| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword |
-| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date |
-| event.dataset | Event dataset | constant_keyword |
-| event.end | event.end contains the date when the event ended or when the activity was last observed. | date |
-| event.id | Unique ID to describe the event. | keyword |
-| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event.
 In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date |
-| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword |
-| event.module | Event module | constant_keyword |
-| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword |
-| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer.
 Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword |
-| event.risk_score | Risk score or priority of the event (e.g. security solutions). Use your system's original value here. | float |
-| event.sequence | Sequence number of the event. The sequence number is a value published by some event sources, to make the exact ordering of events unambiguous, regardless of the timestamp precision. | long |
-| event.severity | The numeric severity of the event according to your event source. What the different severity values mean can be different between sources and use cases. It's up to the implementer to make sure severities are consistent across events from the same source. The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`. | long |
-| event.start | event.start contains the date when the event started or when the activity was first observed. | date |
-| event.timezone | This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). | keyword |
-| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array.
 This will allow proper categorization of some events that fall in multiple event types. | keyword |
-| event.url | URL linking to an external system to continue investigation of this event. This URL links to another system where in-depth investigation of the specific occurrence of this event can take place. Alert events, indicated by `event.kind:alert`, are a common use case for this field. | keyword |
-| file.hash.md5 | MD5 hash. | keyword |
-| file.hash.sha1 | SHA1 hash. | keyword |
-| file.hash.sha256 | SHA256 hash. | keyword |
-| file.inode | Inode representing the file in the filesystem. | keyword |
-| file.name | Name of the file including the extension, without the directory. | keyword |
-| file.size | File size in bytes. Only relevant when `file.type` is "file". | long |
-| file.type | File type (file, dir, or symlink). | keyword |
-| group.name | Name of the group. | keyword |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any.
| keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | match_only_text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| http.request.method | HTTP request method. The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field. | keyword |
-| http.request.referrer | Referrer for this HTTP request. | keyword |
-| input.type | Type of Filebeat input. | keyword |
-| log.file.path | Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. | keyword |
-| log.flags | Flags for the log file. | keyword |
-| log.offset | Offset of the entry in the log file. | long |
-| log.source.address | Source address of logs received over the network. | keyword |
-| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message.
| match_only_text |
-| network.application | When a specific application or service is identified from network connection details (source/dest IPs, ports, certificates, or wire format), this field captures the application's or service's name. For example, the original event identifies the network connection being from a specific web service in a `https` network connection, like `facebook` or `twitter`. The field value must be normalized to lowercase for querying. | keyword |
-| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long |
-| network.direction | Direction of the network traffic. When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword |
-| network.iana_number | IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. | keyword |
-| network.name | Name given by operators to sections of their network. | keyword |
-| network.packets | Total packets transferred in both directions. If `source.packets` and `destination.packets` are known, `network.packets` is their sum.
| long |
-| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword |
-| observer.egress.interface.name | Interface name as reported by the system. | keyword |
-| observer.egress.zone | Network zone of outbound traffic as reported by the observer to categorize the destination area of egress traffic, e.g. Internal, External, DMZ, HR, Legal, etc. | keyword |
-| observer.ingress.interface.name | Interface name as reported by the system. | keyword |
-| observer.ingress.zone | Network zone of incoming traffic as reported by the observer to categorize the source area of ingress traffic. e.g. internal, External, DMZ, HR, Legal, etc. | keyword |
-| observer.ip | IP addresses of the observer. | ip |
-| observer.mac | MAC addresses of the observer. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword |
-| observer.name | Custom name of the observer. This is a name that can be given to an observer. This can be helpful for example if multiple firewalls of the same model are used in an organization. If no custom name is needed, the field can be left empty. | keyword |
-| observer.product | The product name of the observer. | keyword |
-| observer.type | The type of the observer the data is coming from. There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. | keyword |
-| observer.vendor | Vendor name of the observer. | keyword |
-| observer.version | Observer version. | keyword |
-| process.hash.md5 | MD5 hash. | keyword |
-| process.name | Process name. Sometimes called program name or similar.
| keyword |
-| process.name.text | Multi-field of `process.name`. | match_only_text |
-| process.parent.hash.md5 | MD5 hash. | keyword |
-| process.parent.name | Process name. Sometimes called program name or similar. | keyword |
-| process.parent.name.text | Multi-field of `process.parent.name`. | match_only_text |
-| related.hash | All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). | keyword |
-| related.ip | All of the IPs seen on your event. | ip |
-| related.user | All the user names or other user identifiers seen on the event. | keyword |
-| rule.category | A categorization value keyword used by the entity using the rule for detection of this event. | keyword |
-| rule.description | The description of the rule generating the event. | keyword |
-| rule.id | A rule ID that is unique within the scope of an agent, observer, or other entity using the rule for detection of this event. | keyword |
-| rule.name | The name of the rule or signature generating the event. | keyword |
-| rule.ruleset | Name of the ruleset, policy, group, or parent category in which the rule used to generate this event is a member. | keyword |
-| rule.uuid | A rule ID that is unique within the scope of a set or group of agents, observers, or other entities using the rule for detection of this event. | keyword |
-| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long |
-| source.as.organization.name | Organization name. | keyword |
-| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text |
-| source.bytes | Bytes sent from the source to the destination. | long |
-| source.domain | The domain name of the source system.
 This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword |
-| source.geo.city_name | City name. | keyword |
-| source.geo.continent_name | Name of the continent. | keyword |
-| source.geo.country_iso_code | Country ISO code. | keyword |
-| source.geo.country_name | Country name. | keyword |
-| source.geo.location | Longitude and latitude. | geo_point |
-| source.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword |
-| source.geo.region_iso_code | Region ISO code. | keyword |
-| source.geo.region_name | Region name. | keyword |
-| source.ip | IP address of the source (IPv4 or IPv6). | ip |
-| source.mac | MAC address of the source. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword |
-| source.nat.ip | Translated ip of source based NAT sessions (e.g. internal client to internet) Typically connections traversing load balancers, firewalls, or routers. | ip |
-| source.nat.port | Translated port of source based NAT sessions. (e.g. internal client to internet) Typically used with load balancers, firewalls, or routers. | long |
-| source.packets | Packets sent from the source to the destination. | long |
-| source.port | Port of the source. | long |
-| source.user.email | User email address. | keyword |
-| source.user.group.name | Name of the group. | keyword |
-| source.user.id | Unique identifier of the user. | keyword |
-| source.user.name | Short name or login of the user. | keyword |
-| source.user.name.text | Multi-field of `source.user.name`.
| match_only_text |
-| tags | List of keywords used to tag each event. | keyword |
-| url.domain | Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. | keyword |
-| url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | wildcard |
-| url.original.text | Multi-field of `url.original`. | match_only_text |
-| user_agent.name | Name of the user agent. | keyword |
-| user_agent.original | Unparsed user_agent string. | keyword |
-| user_agent.original.text | Multi-field of `user_agent.original`. | match_only_text |
-| vulnerability.id | The identification (ID) is the number portion of a vulnerability entry. It includes a unique identification number for the vulnerability. For example (https://cve.mitre.org/about/faqs.html#what_is_cve_id)[Common Vulnerabilities and Exposure CVE ID] | keyword |
-
diff --git a/packages/checkpoint/1.8.2/img/checkpoint-logo.svg b/packages/checkpoint/1.8.2/img/checkpoint-logo.svg
deleted file mode 100755
index aa73ccdd7f..0000000000
--- a/packages/checkpoint/1.8.2/img/checkpoint-logo.svg
+++ /dev/null
@@ -1,159 +0,0 @@
- - - - - - - image/svg+xml - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
diff --git a/packages/checkpoint/1.8.2/manifest.yml b/packages/checkpoint/1.8.2/manifest.yml
deleted file mode 100755
index 291769e9ee..0000000000
--- a/packages/checkpoint/1.8.2/manifest.yml
+++ /dev/null
@@ -1,109 +0,0 @@
-name: checkpoint
-title: Check Point
-version: "1.8.2"
-release: ga
-description: Collect logs from Check Point with Elastic Agent.
-type: integration
-format_version: 1.0.0
-license: basic
-categories: [security]
-conditions:
- kibana.version: "^7.16.0 || ^8.0.0"
-icons:
- - src: /img/checkpoint-logo.svg
- title: Check Point
- size: 761x341
- type: image/svg+xml
-policy_templates:
- - name: checkpoint
- title: Check Point logs
- description: Collect logs from Check Point instances
- inputs:
- - type: logfile
- title: "Collect Check Point firewall logs (input: logfile)"
- description: "Collecting firewall logs from Check Point instances (input: logfile)"
- vars:
- - name: paths
- type: text
- title: Paths
- multi: true
- required: true
- show_user: true
- - name: internal_zones
- type: text
- title: Internal Zones
- multi: true
- required: false
- show_user: false
- default:
- - trust
- - name: external_zones
- type: text
- title: External Zones
- multi: true
- required: false
- show_user: false
- default:
- - untrust
- - type: tcp
- vars:
- - name: syslog_host
- type: text
- title: Syslog Host
- multi: false
- required: true
- show_user: true
- default: localhost
- - name: syslog_port
- type: integer
- title: Syslog Port
- multi: false
- required: true
- show_user: true
- default: 9001
- - name: internal_zones
- type: text
- title: Internal Zones
- multi: true
- required: false
- show_user: false
- - name: external_zones
- type: text
- title: External Zones
- multi: true
- required: false
- show_user: false
- title: "Collect Check Point firewall logs (input: tcp)"
- description: "Collecting firewall logs from Check Point instances (input: tcp)"
- - type: udp
- vars:
- - name: syslog_host
- type: text
- title: Syslog Host
- multi: false
- required: true
- show_user: true
- default: localhost
- - name: syslog_port
- type: integer
- title: Syslog Port
- multi: false
- required: true
- show_user: true
- default: 9001
- - name: internal_zones
- type:
text
- title: Internal Zones
- multi: true
- required: false
- show_user: false
- - name: external_zones
- type: text
- title: External Zones
- multi: true
- required: false
- show_user: false
- title: "Collect Check Point firewall logs (input: udp)"
- description: "Collecting firewall logs from Check Point instances (input: udp)"
-owner:
- github: elastic/security-external-integrations
diff --git a/packages/cisco_aironet/0.0.2/LICENSE.txt b/packages/cisco_aironet/0.0.2/LICENSE.txt
deleted file mode 100755
index 809108b857..0000000000
--- a/packages/cisco_aironet/0.0.2/LICENSE.txt
+++ /dev/null
@@ -1,93 +0,0 @@ -Elastic License 2.0 - -URL: https://www.elastic.co/licensing/elastic-license - -## Acceptance - -By using the software, you agree to all of the terms and conditions below. - -## Copyright License - -The licensor grants you a non-exclusive, royalty-free, worldwide, -non-sublicensable, non-transferable license to use, copy, distribute, make -available, and prepare derivative works of the software, in each case subject to -the limitations and conditions below. - -## Limitations - -You may not provide the software to third parties as a hosted or managed -service, where the service provides users with access to any substantial set of -the features or functionality of the software. - -You may not move, change, disable, or circumvent the license key functionality -in the software, and you may not remove or obscure any functionality in the -software that is protected by the license key. - -You may not alter, remove, or obscure any licensing, copyright, or other notices -of the licensor in the software. Any use of the licensor’s trademarks is subject -to applicable law. - -## Patents - -The licensor grants you a license, under any patent claims the licensor can -license, or becomes able to license, to make, have made, use, sell, offer for -sale, import and have imported the software, in each case subject to the -limitations and conditions in this license. This license does not cover any -patent claims that you cause to be infringed by modifications or additions to -the software. If you or your company make any written claim that the software -infringes or contributes to infringement of any patent, your patent license for -the software granted under these terms ends immediately. If your company makes -such a claim, your patent license ends immediately for work on behalf of your -company. - -## Notices - -You must ensure that anyone who gets a copy of any part of the software from you -also gets a copy of these terms. 
- -If you modify the software, you must include in any modified copies of the -software prominent notices stating that you have modified the software. - -## No Other Rights - -These terms do not imply any licenses other than those expressly granted in -these terms. - -## Termination - -If you use the software in violation of these terms, such use is not licensed, -and your licenses will automatically terminate. If the licensor provides you -with a notice of your violation, and you cease all violation of this license no -later than 30 days after you receive that notice, your licenses will be -reinstated retroactively. However, if you violate these terms after such -reinstatement, any additional violation of these terms will cause your licenses -to terminate automatically and permanently. - -## No Liability - -*As far as the law allows, the software comes as is, without any warranty or -condition, and the licensor will not be liable to you for any damages arising -out of these terms or the use or nature of the software, under any kind of -legal claim.* - -## Definitions - -The **licensor** is the entity offering these terms, and the **software** is the -software the licensor makes available under these terms, including any portion -of it. - -**you** refers to the individual or entity agreeing to these terms. - -**your company** is any legal entity, sole proprietorship, or other kind of -organization that you work for, plus all organizations that have control over, -are under the control of, or are under common control with that -organization. **control** means ownership of substantially all the assets of an -entity, or the power to direct its management and policies by vote, contract, or -otherwise. Control can be direct or indirect. - -**your licenses** are all the licenses granted to you for the software under -these terms. - -**use** means anything you do with the software requiring one of your licenses. 
- -**trademark** means trademarks, service marks, and similar rights. diff --git a/packages/cisco_aironet/0.0.2/changelog.yml b/packages/cisco_aironet/0.0.2/changelog.yml deleted file mode 100755 index e3d55feaa1..0000000000 --- a/packages/cisco_aironet/0.0.2/changelog.yml +++ /dev/null @@ -1,11 +0,0 @@ -# newer versions go on top -- version: "0.0.2" - changes: - - description: Use ECS geo.location definition. - type: enhancement - link: https://github.com/elastic/integrations/issues/4227 -- version: "0.0.1" - changes: - - description: Initial draft of the package for Cisco WLC - type: enhancement - link: https://github.com/elastic/integrations/pull/4050 diff --git a/packages/cisco_aironet/0.0.2/data_stream/log/agent/stream/stream.yml.hbs b/packages/cisco_aironet/0.0.2/data_stream/log/agent/stream/stream.yml.hbs deleted file mode 100755 index ecd627f6a8..0000000000 --- a/packages/cisco_aironet/0.0.2/data_stream/log/agent/stream/stream.yml.hbs +++ /dev/null @@ -1,24 +0,0 @@ -paths: -{{#each paths as |path i|}} - - {{path}} -{{/each}} -exclude_files: [".gz$"] -tags: -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#each tags as |tag i|}} - - {{tag}} -{{/each}} -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} -fields_under_root: true -fields: - _conf: - tz_offset: '{{tz_offset}}' -processors: -- add_locale: ~ -{{#if processors}} -{{processors}} -{{/if}} diff --git a/packages/cisco_aironet/0.0.2/data_stream/log/agent/stream/tcp.yml.hbs b/packages/cisco_aironet/0.0.2/data_stream/log/agent/stream/tcp.yml.hbs deleted file mode 100755 index c5750d039b..0000000000 --- a/packages/cisco_aironet/0.0.2/data_stream/log/agent/stream/tcp.yml.hbs +++ /dev/null 
@@ -1,26 +0,0 @@ -host: "{{tcp_host}}:{{tcp_port}}" -tags: -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#each tags as |tag i|}} - - {{tag}} -{{/each}} -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} -{{#if ssl}} -ssl: {{ssl}} -{{/if}} -fields_under_root: true -fields: - _conf: - tz_offset: '{{tz_offset}}' -processors: -- add_locale: ~ -{{#if processors}} -{{processors}} -{{/if}} -{{#if tcp_options}} -{{tcp_options}} -{{/if}} diff --git a/packages/cisco_aironet/0.0.2/data_stream/log/agent/stream/udp.yml.hbs b/packages/cisco_aironet/0.0.2/data_stream/log/agent/stream/udp.yml.hbs deleted file mode 100755 index f0fa58a08a..0000000000 --- a/packages/cisco_aironet/0.0.2/data_stream/log/agent/stream/udp.yml.hbs +++ /dev/null @@ -1,20 +0,0 @@ -host: "{{udp_host}}:{{udp_port}}" -tags: -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#each tags as |tag i|}} - - {{tag}} -{{/each}} -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} -fields_under_root: true -fields: - _conf: - tz_offset: '{{tz_offset}}' -processors: -- add_locale: ~ -{{#if processors}} -{{processors}} -{{/if}} diff --git a/packages/cisco_aironet/0.0.2/data_stream/log/elasticsearch/ingest_pipeline/default.yml b/packages/cisco_aironet/0.0.2/data_stream/log/elasticsearch/ingest_pipeline/default.yml deleted file mode 100755 index 43014001b7..0000000000 --- a/packages/cisco_aironet/0.0.2/data_stream/log/elasticsearch/ingest_pipeline/default.yml +++ /dev/null 
@@ -1,302 +0,0 @@ ---- -description: Pipeline for processing Cisco Aironet Logs -processors: - - rename: - field: message - target_field: event.original - ignore_missing: true - ignore_failure: true - - set: - field: ecs.version - value: '8.4.0' - - grok: - field: event.original - patterns: - - "%{SYSLOG_HEADER}:\\s%%{GREEDYDATA:_temp_.full_message}" - - "%{SYSLOGFACILITY}%{INT}: AP:%{MAC:host.mac}: \\*%{AIRONET_DATE:_temp_.raw_date}: %%{GREEDYDATA:_temp_.full_message}" - - "%{SYSLOGFACILITY}%{DATA:host.name}: -%{GREEDYDATA:_temp_.full_message}" - pattern_definitions: - SYSLOG_HEADER: "%{SYSLOGFACILITY}%{DATA:host.name}:\\s\\*%{DATA:process.name}:\\s%{AIRONET_DATE:_temp_.raw_date}" - SYSLOGFACILITY: "<%{NONNEGINT:log.syslog.priority:int}>" - AIRONET_DATE: "%{MONTH} %{MONTHDAY} %{TIME}" - - script: - lang: painless - source: | - if (ctx.log?.syslog?.priority != null) { - def severity = new HashMap(); - severity['code'] = ctx.log.syslog.priority&0x7; - ctx.log.syslog['severity'] = severity; - def facility = new HashMap(); - facility['code'] = ctx.log.syslog.priority>>3; - ctx.log.syslog['facility'] = facility; - } - - grok: - field: _temp_.full_message - ignore_failure: true - patterns: - - "%{DATA:event.provider}-%{INT:event.severity}-%{DATA:event.action}: %{DATA}:%{INT} %{GREEDYDATA:message}" - - grok: - field: _temp_.full_message - ignore_failure: true - patterns: - - "%{DATA:_temp_.reason}:" - - # Set log.level - - set: - field: "log.level" - value: unknown - - set: - field: "log.level" - if: "ctx.log?.syslog?.severity?.code == 1" - value: alert - - set: - field: "log.level" - if: "ctx.log?.syslog?.severity?.code == 2" - value: critical - - set: - field: "log.level" - if: "ctx.log?.syslog?.severity?.code == 3" - value: error - - set: - field: "log.level" - if: "ctx.log?.syslog?.severity?.code == 4" - value: warning - - set: - field: "log.level" - if: "ctx.log?.syslog?.severity?.code == 5" - value: notification - - set: - field: "log.level" - if: 
"ctx.log?.syslog?.severity?.code == 6" - value: informational - - set: - field: "log.level" - if: "ctx.log?.syslog?.severity?.code == 7" - value: debug - - # Parse the date included in logs - - set: - field: _conf.tz_offset - value: UTC - override: false - - date: - if: "ctx._temp_?.raw_date != null" - field: "_temp_.raw_date" - target_field: "@timestamp" - formats: - - "MMM d HH:mm:ss.SSS" - timezone: '{{{_conf.tz_offset}}}' - - # Adding information to event types - - grok: - description: SISF-6-ENTRY_CREATED, SISF-6-ENTRY_DELETED, SISF-6-ENTRY_CHANGED, LOG-6-Q_IND - field: message - if: ctx._temp_?.reason == 'SISF-6-ENTRY_CREATED' || - ctx._temp_?.reason == 'SISF-6-ENTRY_DELETED' || - ctx._temp_?.reason == 'SISF-6-ENTRY_CHANGED'|| - ctx._temp_?.reason == 'LOG-6-Q_IND' - patterns: - - "A=%{IP:client.ip} V=%{INT} I=%{DATA:cisco.interface.type}:%{INT} P=%{INT} M=((%{MAC:client.mac})|$)" - - "Username entry \\(%{DATA:user.name}\\)%{DATA}mobile %{MAC:client.mac}" - ignore_failure: false - ### - - grok: - description: AAA-5-AAA_AUTH_ADMIN_USER - field: message - if: ctx._temp_?.reason == 'AAA-5-AAA_AUTH_ADMIN_USER' - patterns: - - "for admin user '%{USER:user.name}' on %{IP:client.ip}" - ignore_failure: false - ### - - grok: - description: NIM-3-ADMIN_MODE_DISABLE - field: message - if: ctx._temp_?.reason == 'NIM-3-ADMIN_MODE_DISABLE' - patterns: - - "Port %{INT:interface.id}" - ignore_failure: false - ### - - grok: - description: WPS-4-SIG_ALARM_OFF - field: message - if: ctx._temp_?.reason == 'WPS-4-SIG_ALARM_OFF' - patterns: - - "AP %{MAC:host.mac}.*?track=%{DATA:cisco.wps.track} preced=%{INT:cisco.wps.preced:int} hits=%{INT:cisco.wps.hits:int} slot=%{INT:cisco.wps.slot:int} channel=%{INT:cisco.wps.channel:int}" - ignore_failure: false - - grok: - description: WPS-4-SIG_ALARM_OFF_CONT - field: message - if: ctx._temp_?.reason == 'WPS-4-SIG_ALARM_OFF_CONT' - patterns: - - "source mac= %{MAC:client.mac}" - ignore_failure: false - - set: - description: 
WPS-4-SIG_ALARM_OFF - field: event.kind - if: ctx._temp_?.reason == 'WPS-4-SIG_ALARM_OFF' || - ctx._temp_?.reason == 'WPS-4-SIG_ALARM_OFF_CONT' || - ctx._temp_?.reason == 'LWAPP-4-SIG_INFO1' - value: alert - ignore_failure: true - ### - - grok: - description: LWAPP-4-SIG_INFO1 - field: message - if: ctx._temp_?.reason == 'LWAPP-4-SIG_INFO1' - patterns: - - "Signature information; AP %{MAC:destination.mac}, alarm ON, %{SIGNATURE:threat.indicator.description}, track %{DATA}precedence %{INT}, hits %{INT}, slot %{INT}, channel %{INT}, most offending MAC %{MAC:source.mac}" - pattern_definitions: - SIGNATURE: "%{DATA} sig %{DATA}" - ignore_failure: true - - set: - description: LWAPP-4-SIG_INFO1 - field: threat.indicator.type - if: ctx._temp_?.reason == 'LWAPP-4-SIG_INFO1' && ctx.threat?.indicator?.description != null && ctx.threat.indicator.description != "" - value: process - ignore_failure: true - ### - - grok: - description: DOT1X-4-MAX_EAPOL_KEY_RETRANS - field: message - if: ctx._temp_?.reason == 'DOT1X-4-MAX_EAPOL_KEY_RETRANS' - patterns: - - "client %{MAC:client.mac}" - ignore_failure: false - ### - - grok: - description: RRM-3-RRM_LOGMSG - field: message - if: ctx._temp_?.reason == 'RRM-3-RRM_LOGMSG' - patterns: - - "Client not found: %{MAC:client.mac}" - - "AP:\\s+%{MAC:host.mac}" - ignore_failure: false - ### - - grok: - description: DOT1X-3-ABORT_AUTH - field: message - if: ctx._temp_?.reason == 'DOT1X-3-ABORT_AUTH' - patterns: - - "client %{MAC:client.mac} Abort Reason:%{DATA:event.reason}$" - ignore_failure: false - ### - - grok: - description: LOG-3-Q_IND, INVALID_WPA_KEY_STATE - field: message - if: ctx._temp_?.reason == 'LOG-3-Q_IND' || - ctx._temp_?.reason == 'DOT1X-3-INVALID_WPA_KEY_STATE' - patterns: - - "version %{INT:cisco.eapol.version:int}, type %{INT:cisco.eapol.type:int}, descriptor %{INT:cisco.eapol.descriptor:int}, client %{MAC:client.mac}" - - "client %{MAC:client.mac}" - ignore_failure: false - ### - - grok: - description: 
APF-6-USER_NAME_CREATED, APF-6-USER_NAME_DELETED - field: message - if: ctx._temp_?.reason == 'APF-6-USER_NAME_CREATED' || - ctx._temp_?.reason == 'APF-6-USER_NAME_DELETED' - patterns: - - "Username entry \\(%{DATA:user.name}\\)%{DATA}mobile %{MAC:client.mac}" - ignore_failure: false - ### - - grok: - description: DTL-4-ARP_ORPHANPKT_DETECTED, Dot1x_NW_MsgTask_4 - field: message - if: ctx._temp_?.reason == 'DTL-4-ARP_ORPHANPKT_DETECTED' || - ctx._temp_?.reason == 'LOG-4-Q_IND' - patterns: - - "STA\\(Target MAC Address\\) \\[%{MAC:client.mac}.*?\\] %{DATA:event.reason}\\(Source IP Address\\) %{IP:client.ip}%{DATA}\\(Destination IP Address\\) %{IP:server.ip}" - ignore_failure: false - ### - # Client MAC - - grok: - field: message - ignore_missing: true - ignore_failure: true - patterns: - - "client %{MAC:client.mac}" - # Mac address cleanup - - uppercase: - field: client.mac - ignore_missing: true - - gsub: - field: client.mac - pattern: '[:.]' - replacement: '-' - ignore_missing: true - - uppercase: - field: source.mac - ignore_missing: true - - gsub: - field: source.mac - pattern: '[-:.]' - replacement: '-' - ignore_missing: true - - uppercase: - field: destination.mac - ignore_missing: true - - gsub: - field: destination.mac - pattern: '[-:.]' - replacement: '-' - ignore_missing: true - - uppercase: - field: host.mac - ignore_missing: true - - gsub: - field: host.mac - pattern: '[-:.]' - replacement: '' - ignore_missing: true - - gsub: - field: host.mac - pattern: '(..)(?!$)' - replacement: '$1-' - ignore_missing: true - - # IP Geolocation Lookup - - geoip: - field: client.ip - target_field: client.geo - ignore_missing: true - - # IP Autonomous System (AS) Lookup - - geoip: - database_file: GeoLite2-ASN.mmdb - field: client.ip - target_field: client.as - properties: - - asn - - organization_name - ignore_missing: true - - rename: - field: client.as.asn - target_field: client.as.number - ignore_missing: true - - rename: - field: client.as.organization_name - 
target_field: client.as.organization.name - ignore_missing: true - - # Cleanup fields - - remove: - field: _temp_ - ignore_failure: true - ignore_missing: true - - remove: - field: _conf - ignore_failure: true - ignore_missing: true - - remove: - field: event.original - if: "ctx.tags == null || !(ctx.tags.contains('preserve_original_event'))" - ignore_failure: true - ignore_missing: true - - - - -on_failure: - - set: - field: error.message - value: '{{ _ingest.on_failure_message }}' \ No newline at end of file diff --git a/packages/cisco_aironet/0.0.2/data_stream/log/fields/agent.yml b/packages/cisco_aironet/0.0.2/data_stream/log/fields/agent.yml deleted file mode 100755 index 4ee57ba4af..0000000000 --- a/packages/cisco_aironet/0.0.2/data_stream/log/fields/agent.yml +++ /dev/null @@ -1,8 +0,0 @@ -- name: input.type - type: keyword - description: Input type. -- name: log.source.address - type: keyword - description: Source address from which the log event was read / sent from. -- name: log.offset - type: long diff --git a/packages/cisco_aironet/0.0.2/data_stream/log/fields/aironet-fields.yml b/packages/cisco_aironet/0.0.2/data_stream/log/fields/aironet-fields.yml deleted file mode 100755 index 16c856630d..0000000000 --- a/packages/cisco_aironet/0.0.2/data_stream/log/fields/aironet-fields.yml +++ /dev/null 
@@ -1,27 +0,0 @@ -- name: cisco.interface.type - type: keyword - description: Cisco interface type -- name: cisco.wps.channel - type: short - description: Cisco WPS channel -- name: cisco.wps.hits - type: short - description: Cisco WPS hits -- name: cisco.wps.preced - type: short - description: Cisco WPS precedence -- name: cisco.wps.slot - type: short - description: Cisco WPS slot -- name: cisco.wps.track - type: keyword - description: Cisco WPS track -- name: cisco.eapol.descriptor - type: short - description: Cisco eapol descriptor -- name: cisco.eapol.type - type: short - description: Cisco eapol type -- name: cisco.eapol.version - type: short - description: Cisco eapol version diff --git a/packages/cisco_aironet/0.0.2/data_stream/log/fields/base-fields.yml b/packages/cisco_aironet/0.0.2/data_stream/log/fields/base-fields.yml deleted file mode 100755 index 24a2fcc691..0000000000 --- a/packages/cisco_aironet/0.0.2/data_stream/log/fields/base-fields.yml +++ /dev/null @@ -1,20 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: '@timestamp' - type: date - description: Event timestamp. -- name: event.module - type: constant_keyword - description: Event module - value: cisco_aironet -- name: event.dataset - type: constant_keyword - description: Event dataset - value: cisco_aironet.log diff --git a/packages/cisco_aironet/0.0.2/data_stream/log/fields/ecs.yml b/packages/cisco_aironet/0.0.2/data_stream/log/fields/ecs.yml deleted file mode 100755 index c3ea79fe2d..0000000000 --- a/packages/cisco_aironet/0.0.2/data_stream/log/fields/ecs.yml +++ /dev/null 
@@ -1,118 +0,0 @@ -- description: |- - For log events the message field contains the log message, optimized for viewing in a log viewer. - For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. - If multiple messages exist, they can be combined into one message. - name: message - type: match_only_text -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: |- - Syslog numeric priority of the event, if available. - According to RFCs 5424 and 3164, the priority is 8 * facility + severity. This number is therefore expected to contain a value between 0 and 191. - name: log.syslog.priority - type: long -- description: |- - The Syslog numeric facility of the log event, if available. - According to RFCs 5424 and 3164, this value should be an integer between 0 and 23. - name: log.syslog.facility.code - type: long -- description: |- - The Syslog numeric severity of the log event, if available. - If the event source publishing via Syslog provides a different numeric severity value (e.g. firewall, IDS), your source's numeric severity should go to `event.severity`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `event.severity`. - name: log.syslog.severity.code - type: long -- description: |- - Process name. - Sometimes called program name or similar. - multi_fields: - - name: text - type: match_only_text - name: process.name - type: keyword -- description: |- - Original log level of the log event. - If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. 
If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). - Some examples are `warn`, `err`, `i`, `informational`. - name: log.level - type: keyword -- description: IP address of the client (IPv4 or IPv6). - name: client.ip - type: ip -- description: IP address of the server (IPv4 or IPv6). - name: server.ip - type: ip -- description: Short name or login of the user. - multi_fields: - - name: text - type: match_only_text - name: user.name - type: keyword -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: client.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: client.as.organization.name - type: keyword -- description: City name. - name: client.geo.city_name - type: keyword -- description: Name of the continent. - name: client.geo.continent_name - type: keyword -- description: Country ISO code. - name: client.geo.country_iso_code - type: keyword -- description: Country name. - name: client.geo.country_name - type: keyword -- description: Longitude and latitude. - name: client.geo.location - type: geo_point -- description: Region ISO code. - name: client.geo.region_iso_code - type: keyword -- description: Region name. - name: client.geo.region_name - type: keyword -- description: |- - Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. - If the event wasn't read from a log file, do not populate this field. - name: log.file.path - type: keyword -- description: List of keywords used to tag each event. - name: tags - normalize: - - array - type: keyword -- description: |- - MAC address of the client. 
- The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. - name: client.mac - type: keyword -- description: |- - MAC address of the destination. - The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. - name: destination.mac - pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ - type: keyword -- description: |- - MAC address of the source. - The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. - name: source.mac - pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ - type: keyword -- description: Describes the type of action conducted by the threat. - name: threat.indicator.description - type: keyword -- description: Type of indicator as represented by Cyber Observable in STIX 2.0. - name: threat.indicator.type - type: keyword -- description: Interface ID as reported by an observer (typically SNMP interface ID). - name: interface.id - type: keyword diff --git a/packages/cisco_aironet/0.0.2/data_stream/log/manifest.yml b/packages/cisco_aironet/0.0.2/data_stream/log/manifest.yml deleted file mode 100755 index 59497e5089..0000000000 --- a/packages/cisco_aironet/0.0.2/data_stream/log/manifest.yml +++ /dev/null 
@@ -1,180 +0,0 @@ -title: Cisco Aironet logs -type: logs -streams: - - input: udp - title: Cisco Aironet logs - description: Collect Cisco Aironet logs - template_path: udp.yml.hbs - vars: - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: false - default: - - cisco-aironet - - forwarded - - name: udp_host - type: text - title: Listen Address - description: The bind address to listen for UDP connections. Set to `0.0.0.0` to bind to all available interfaces. - multi: false - required: true - show_user: true - default: 0.0.0.0 - - name: udp_port - type: integer - title: Listen Port - description: The UDP port number to listen on. - multi: false - required: true - show_user: true - default: 9009 - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original` - type: bool - multi: false - default: false - - name: tz_offset - type: text - title: Timezone - multi: false - required: true - show_user: false - default: UTC - description: IANA time zone or time offset (e.g. `+0200`) to use when interpreting syslog timestamps without a time zone. - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: > - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. 
- - - input: tcp - title: Cisco Aironet logs - description: Collect Cisco Aironet logs - template_path: tcp.yml.hbs - vars: - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: false - default: - - cisco-aironet - - forwarded - - name: tcp_host - type: text - title: Listen Address - description: The bind address to listen for TCP connections. Set to `0.0.0.0` to bind to all available interfaces. - multi: false - required: true - show_user: true - default: 0.0.0.0 - - name: tcp_port - type: integer - title: Listen Port - description: The TCP port number to listen on. - multi: false - required: true - show_user: true - default: 9009 - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original` - type: bool - multi: false - default: false - - name: tz_offset - type: text - title: Timezone - multi: false - required: true - show_user: false - default: UTC - description: IANA time zone or time offset (e.g. `+0200`) to use when interpreting syslog timestamps without a time zone. - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: > - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. - - - name: ssl - type: yaml - title: SSL Configuration - description: i.e. certificate, keys, supported_protocols, verification_mode etc. See [SSL](https://www.elastic.co/guide/en/beats/filebeat/current/configuration-ssl.html#ssl-server-config) for details. 
- multi: false - required: false - show_user: false - default: | - #certificate: "/etc/server/cert.pem" - #key: "/etc/server/key.pem" - - name: tcp_options - type: yaml - title: Custom TCP Options - multi: false - required: false - show_user: false - default: | - #max_connections: 1 - #framing: delimiter - #line_delimiter: "\n" - description: Specify custom configuration options for the TCP input. See [TCP](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-tcp.html) for details. - - input: logfile - enabled: false - title: Cisco Aironet logs - description: Collect Cisco Aironet logs from file - vars: - - name: paths - type: text - title: Paths - multi: true - required: true - show_user: true - default: - - /var/log/cisco-aironet.log - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: false - default: - - cisco-aironet - - forwarded - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original` - type: bool - multi: false - default: false - - name: tz_offset - type: text - title: Timezone - multi: false - required: true - show_user: false - default: UTC - description: IANA time zone or time offset (e.g. `+0200`) to use when interpreting syslog timestamps without a time zone. - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: >- - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. diff --git a/packages/cisco_aironet/0.0.2/data_stream/log/sample_event.json b/packages/cisco_aironet/0.0.2/data_stream/log/sample_event.json deleted file mode 100755 index dca7e20320..0000000000 
--- a/packages/cisco_aironet/0.0.2/data_stream/log/sample_event.json +++ /dev/null @@ -1,71 +0,0 @@ -{ - "@timestamp": "2022-08-20T11:25:50.157Z", - "agent": { - "ephemeral_id": "df000191-6494-448e-9b24-396a3762094a", - "id": "68e210ce-ee67-482a-8fb4-c45055e6f2b2", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "8.3.3" - }, - "cisco": { - "interface": { - "type": "wired" - } - }, - "client": { - "ip": "fe80::aee2:d3ff:feba:56a4" - }, - "data_stream": { - "dataset": "cisco_aironet.log", - "namespace": "ep", - "type": "logs" - }, - "ecs": { - "version": "8.4.0" - }, - "elastic_agent": { - "id": "68e210ce-ee67-482a-8fb4-c45055e6f2b2", - "snapshot": false, - "version": "8.3.3" - }, - "event": { - "action": "ENTRY_DELETED", - "agent_id_status": "verified", - "dataset": "cisco_aironet.log", - "ingested": "2022-09-09T08:30:39Z", - "original": "\u003c134\u003eWLC001: *SISF BT Process: Aug 20 11:25:50.157: %SISF-6-ENTRY_DELETED: sisf_shim_utils.c:482 Entry deleted A=fe80::aee2:d3ff:feba:56a4 V=0 I=wired:1 P=0000 M=", - "provider": "SISF", - "severity": "6", - "timezone": "+00:00" - }, - "host": { - "name": "WLC001" - }, - "input": { - "type": "udp" - }, - "log": { - "level": "informational", - "source": { - "address": "172.26.0.5:45299" - }, - "syslog": { - "facility": { - "code": 16 - }, - "priority": 134, - "severity": { - "code": 6 - } - } - }, - "message": "Entry deleted A=fe80::aee2:d3ff:feba:56a4 V=0 I=wired:1 P=0000 M=", - "process": { - "name": "SISF BT Process" - }, - "tags": [ - "preserve_original_event", - "cisco-aironet", - "forwarded" - ] -} \ No newline at end of file diff --git a/packages/cisco_aironet/0.0.2/docs/README.md b/packages/cisco_aironet/0.0.2/docs/README.md deleted file mode 100755 index 1ba69f85f1..0000000000 --- a/packages/cisco_aironet/0.0.2/docs/README.md +++ /dev/null 
@@ -1,142 +0,0 @@ -# Cisco Aironet - -This integration is for Cisco Aironet WLC logs. It includes the following -datasets for receiving logs over syslog or read from a file: - -- `log` dataset: supports Cisco Aironet WLC logs. - -## Logs - -### Aironet - -The `log` dataset collects the Cisco Aironet WLC logs. The descriptions of system messages can be obtained from the [Cisco documentation](https://www.cisco.com/c/en/us/support/wireless/wireless-lan-controller-software/products-system-message-guides-list.html). - - -An example event for `log` looks as following: - -```json -{ - "@timestamp": "2022-08-20T11:25:50.157Z", - "agent": { - "ephemeral_id": "df000191-6494-448e-9b24-396a3762094a", - "id": "68e210ce-ee67-482a-8fb4-c45055e6f2b2", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "8.3.3" - }, - "cisco": { - "interface": { - "type": "wired" - } - }, - "client": { - "ip": "fe80::aee2:d3ff:feba:56a4" - }, - "data_stream": { - "dataset": "cisco_aironet.log", - "namespace": "ep", - "type": "logs" - }, - "ecs": { - "version": "8.4.0" - }, - "elastic_agent": { - "id": "68e210ce-ee67-482a-8fb4-c45055e6f2b2", - "snapshot": false, - "version": "8.3.3" - }, - "event": { - "action": "ENTRY_DELETED", - "agent_id_status": "verified", - "dataset": "cisco_aironet.log", - "ingested": "2022-09-09T08:30:39Z", - "original": "\u003c134\u003eWLC001: *SISF BT Process: Aug 20 11:25:50.157: %SISF-6-ENTRY_DELETED: sisf_shim_utils.c:482 Entry deleted A=fe80::aee2:d3ff:feba:56a4 V=0 I=wired:1 P=0000 M=", - "provider": "SISF", - "severity": "6", - "timezone": "+00:00" - }, - "host": { - "name": "WLC001" - }, - "input": { - "type": "udp" - }, - "log": { - "level": "informational", - "source": { - "address": "172.26.0.5:45299" - }, - "syslog": { - "facility": { - "code": 16 - }, - "priority": 134, - "severity": { - "code": 6 - } - } - }, - "message": "Entry deleted A=fe80::aee2:d3ff:feba:56a4 V=0 I=wired:1 P=0000 M=", - "process": { - "name": "SISF BT Process" - }, - 
"tags": [ - "preserve_original_event", - "cisco-aironet", - "forwarded" - ] -} -``` - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cisco.eapol.descriptor | Cisco eapol descriptor | short | -| cisco.eapol.type | Cisco eapol type | short | -| cisco.eapol.version | Cisco eapol version | short | -| cisco.interface.type | Cisco interface type | keyword | -| cisco.wps.channel | Cisco WPS channel | short | -| cisco.wps.hits | Cisco WPS hits | short | -| cisco.wps.preced | Cisco WPS precedence | short | -| cisco.wps.slot | Cisco WPS slot | short | -| cisco.wps.track | Cisco WPS track | keyword | -| client.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| client.as.organization.name | Organization name. | keyword | -| client.as.organization.name.text | Multi-field of `client.as.organization.name`. | match_only_text | -| client.geo.city_name | City name. | keyword | -| client.geo.continent_name | Name of the continent. | keyword | -| client.geo.country_iso_code | Country ISO code. | keyword | -| client.geo.country_name | Country name. | keyword | -| client.geo.location | Longitude and latitude. | geo_point | -| client.geo.region_iso_code | Region ISO code. | keyword | -| client.geo.region_name | Region name. | keyword | -| client.ip | IP address of the client (IPv4 or IPv6). | ip | -| client.mac | MAC address of the client. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. 
| constant_keyword | -| destination.mac | MAC address of the destination. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| event.dataset | Event dataset | constant_keyword | -| event.module | Event module | constant_keyword | -| input.type | Input type. | keyword | -| interface.id | Interface ID as reported by an observer (typically SNMP interface ID). | keyword | -| log.file.path | Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. | keyword | -| log.level | Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). Some examples are `warn`, `err`, `i`, `informational`. | keyword | -| log.offset | | long | -| log.source.address | Source address from which the log event was read / sent from. | keyword | -| log.syslog.facility.code | The Syslog numeric facility of the log event, if available. According to RFCs 5424 and 3164, this value should be an integer between 0 and 23. | long | -| log.syslog.priority | Syslog numeric priority of the event, if available. According to RFCs 5424 and 3164, the priority is 8 \* facility + severity. This number is therefore expected to contain a value between 0 and 191. 
| long | -| log.syslog.severity.code | The Syslog numeric severity of the log event, if available. If the event source publishing via Syslog provides a different numeric severity value (e.g. firewall, IDS), your source's numeric severity should go to `event.severity`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `event.severity`. | long | -| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | -| process.name | Process name. Sometimes called program name or similar. | keyword | -| process.name.text | Multi-field of `process.name`. | match_only_text | -| server.ip | IP address of the server (IPv4 or IPv6). | ip | -| source.mac | MAC address of the source. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | -| tags | List of keywords used to tag each event. | keyword | -| threat.indicator.description | Describes the type of action conducted by the threat. | keyword | -| threat.indicator.type | Type of indicator as represented by Cyber Observable in STIX 2.0. | keyword | -| user.name | Short name or login of the user. | keyword | -| user.name.text | Multi-field of `user.name`. | match_only_text | diff --git a/packages/cisco_aironet/0.0.2/img/cisco.svg b/packages/cisco_aironet/0.0.2/img/cisco.svg deleted file mode 100755 index 20ebebf197..0000000000 --- a/packages/cisco_aironet/0.0.2/img/cisco.svg +++ /dev/null @@ -1 +0,0 @@ - \ No newline at end of file 
diff --git a/packages/cisco_aironet/0.0.2/manifest.yml b/packages/cisco_aironet/0.0.2/manifest.yml deleted file mode 100755
index 1d8e402305..0000000000
--- a/packages/cisco_aironet/0.0.2/manifest.yml
+++ /dev/null
@@ -1,34 +0,0 @@
-format_version: 1.0.0
-name: cisco_aironet
-title: "Cisco Aironet"
-version: 0.0.2
-release: beta
-license: basic
-description: "Integration for Cisco Aironet WLC Logs"
-type: integration
-categories:
- - network
-conditions:
- kibana.version: "^8.0.0"
- elastic.subscription: "basic"
-icons:
- - src: /img/cisco.svg
- title: Cisco
- size: 32x32
- type: image/svg+xml
-policy_templates:
- - name: cisco_aironet
- title: Cisco Aironet logs
- description: Collect logs from Cisco Aironet instances
- inputs:
- - type: tcp
- title: Collect logs from Cisco Aironet via TCP
- description: Collecting logs from Cisco Aironet via TCP
- - type: udp
- title: Collect logs from Cisco Aironet via UDP
- description: Collecting logs from Cisco Aironet via UDP
- - type: logfile
- title: Collect logs from Cisco Aironet via file
- description: Collecting logs from Cisco Aironet via file
-owner:
- github: elastic/security-external-integrations
diff --git a/packages/cisco_asa/2.7.5/LICENSE.txt b/packages/cisco_asa/2.7.5/LICENSE.txt deleted file mode 100755
index 809108b857..0000000000
--- a/packages/cisco_asa/2.7.5/LICENSE.txt
+++ /dev/null
@@ -1,93 +0,0 @@ -Elastic License 2.0 - -URL: https://www.elastic.co/licensing/elastic-license - -## Acceptance - -By using the software, you agree to all of the terms and conditions below. - -## Copyright License - -The licensor grants you a non-exclusive, royalty-free, worldwide, -non-sublicensable, non-transferable license to use, copy, distribute, make -available, and prepare derivative works of the software, in each case subject to -the limitations and conditions below. - -## Limitations - -You may not provide the software to third parties as a hosted or managed -service, where the service provides users with access to any substantial set of -the features or functionality of the software. - -You may not move, change, disable, or circumvent the license key functionality -in the software, and you may not remove or obscure any functionality in the -software that is protected by the license key. - -You may not alter, remove, or obscure any licensing, copyright, or other notices -of the licensor in the software. Any use of the licensor’s trademarks is subject -to applicable law. - -## Patents - -The licensor grants you a license, under any patent claims the licensor can -license, or becomes able to license, to make, have made, use, sell, offer for -sale, import and have imported the software, in each case subject to the -limitations and conditions in this license. This license does not cover any -patent claims that you cause to be infringed by modifications or additions to -the software. If you or your company make any written claim that the software -infringes or contributes to infringement of any patent, your patent license for -the software granted under these terms ends immediately. If your company makes -such a claim, your patent license ends immediately for work on behalf of your -company. - -## Notices - -You must ensure that anyone who gets a copy of any part of the software from you -also gets a copy of these terms. 
- -If you modify the software, you must include in any modified copies of the -software prominent notices stating that you have modified the software. - -## No Other Rights - -These terms do not imply any licenses other than those expressly granted in -these terms. - -## Termination - -If you use the software in violation of these terms, such use is not licensed, -and your licenses will automatically terminate. If the licensor provides you -with a notice of your violation, and you cease all violation of this license no -later than 30 days after you receive that notice, your licenses will be -reinstated retroactively. However, if you violate these terms after such -reinstatement, any additional violation of these terms will cause your licenses -to terminate automatically and permanently. - -## No Liability - -*As far as the law allows, the software comes as is, without any warranty or -condition, and the licensor will not be liable to you for any damages arising -out of these terms or the use or nature of the software, under any kind of -legal claim.* - -## Definitions - -The **licensor** is the entity offering these terms, and the **software** is the -software the licensor makes available under these terms, including any portion -of it. - -**you** refers to the individual or entity agreeing to these terms. - -**your company** is any legal entity, sole proprietorship, or other kind of -organization that you work for, plus all organizations that have control over, -are under the control of, or are under common control with that -organization. **control** means ownership of substantially all the assets of an -entity, or the power to direct its management and policies by vote, contract, or -otherwise. Control can be direct or indirect. - -**your licenses** are all the licenses granted to you for the software under -these terms. - -**use** means anything you do with the software requiring one of your licenses. 
-
-**trademark** means trademarks, service marks, and similar rights.
diff --git a/packages/cisco_asa/2.7.5/changelog.yml b/packages/cisco_asa/2.7.5/changelog.yml deleted file mode 100755
index a8d2c75a62..0000000000
--- a/packages/cisco_asa/2.7.5/changelog.yml
+++ /dev/null
@@ -1,163 +0,0 @@ -# newer versions go on top -- version: "2.7.5" - changes: - - description: Fix handling of 302020 event messages. - type: bugfix - link: https://github.com/elastic/integrations/pull/4209 -- version: "2.7.4" - changes: - - description: Use ECS geo.location definition. - type: enhancement - link: https://github.com/elastic/integrations/issues/4227 -- version: "2.7.3" - changes: - - description: Fix handling of non-canonical 113005 messages. - type: bugfix - link: https://github.com/elastic/integrations/pull/4189 -- version: "2.7.2" - changes: - - description: Clean up grok pattern naming. - type: bugfix - link: https://github.com/elastic/integrations/pull/4163 -- version: "2.7.1" - changes: - - description: Fix handling of some non-canonical log formats. - type: bugfix - link: https://github.com/elastic/integrations/pull/3943 -- version: "2.7.0" - changes: - - description: Add handling of AAA operations. - type: enhancement - link: https://github.com/elastic/integrations/pull/3740 -- version: "2.6.0" - changes: - - description: Update package to ECS 8.4.0 - type: enhancement - link: https://github.com/elastic/integrations/pull/3842 -- version: "2.5.2" - changes: - - description: Improve TCP, SSL config description and example. - type: enhancement - link: https://github.com/elastic/integrations/pull/3763 -- version: "2.5.1" - changes: - - description: Fix handling of user parsing when SGT fields are present. - type: bugfix - link: https://github.com/elastic/integrations/pull/3650 - - description: Fix handling of user parsing for 302013 and 302015 events. - type: bugfix - link: https://github.com/elastic/integrations/pull/3650 -- version: "2.5.0" - changes: - - description: Update package to ECS 8.3.0. 
- type: enhancement - link: https://github.com/elastic/integrations/pull/3353 -- version: "2.4.2" - changes: - - description: Map syslog priority details according to ECS - type: bugfix - link: https://github.com/elastic/integrations/pull/3549 - - description: Extract syslog facility and severity codes from syslog priority - type: bugfix - link: https://github.com/elastic/integrations/pull/3549 -- version: "2.4.1" - changes: - - description: Ensure invalid event.outcome does not get recorded in event - type: bugfix - link: https://github.com/elastic/integrations/pull/3354 -- version: "2.4.0" - changes: - - description: Add TCP input with TLS support - type: enhancement - link: https://github.com/elastic/integrations/pull/3312 -- version: "2.3.0" - changes: - - description: Update to ECS 8.2 - type: enhancement - link: https://github.com/elastic/integrations/pull/2778 -- version: "2.2.2" - changes: - - description: Change visualizations to use event.code instead of cisco.asa.message_id. - type: bugfix - link: https://github.com/elastic/integrations/pull/3146 -- version: "2.2.1" - changes: - - description: Add documentation for multi-fields - type: enhancement - link: https://github.com/elastic/integrations/pull/2916 -- version: "2.2.0" - changes: - - description: Add community_id processor, update 805001, 304001, 106023 and 602304 message parsing. elastic/beats#26879 - type: enhancement - link: https://github.com/elastic/integrations/pull/2820 - - description: Add user.name field to ASA Security negotiation log line. elastic/beats#26975 - type: enhancement - link: https://github.com/elastic/integrations/pull/2820 - - description: Change event.outcome and event.type handling to be more ECS compliant. 
elastic/beats#29698 - type: enhancement - link: https://github.com/elastic/integrations/pull/2820 -- version: "2.1.0" - changes: - - description: Add parsing for event code 113029-113040 - type: enhancement - link: https://github.com/elastic/integrations/pull/2535 -- version: "2.0.1" - changes: - - description: Clarify configuration option documentation - type: bugfix - link: https://github.com/elastic/integrations/pull/2649 -- version: "2.0.0" - changes: - - description: Update to ECS 8.0 - type: enhancement - link: https://github.com/elastic/integrations/pull/2389 -- version: "1.3.2" - changes: - - description: Regenerate test files using the new GeoIP database - type: bugfix - link: https://github.com/elastic/integrations/pull/2339 -- version: "1.3.1" - changes: - - description: Change test public IPs to the supported subset - type: bugfix - link: https://github.com/elastic/integrations/pull/2327 -- version: "1.3.0" - changes: - - description: Add 8.0.0 version constraint - type: enhancement - link: https://github.com/elastic/integrations/pull/2236 -- version: "1.2.2" - changes: - - description: Update Title and Description. 
- type: enhancement
- link: https://github.com/elastic/integrations/pull/1952
-- version: "1.2.1"
- changes:
- - description: Relax time parsing and capture group and session type in Cisco ASA module
- type: bugfix
- link: https://github.com/elastic/integrations/pull/1891
-- version: "1.2.0"
- changes:
- - description: Add support for Cisco ASA SIP events
- type: enhancement
- link: https://github.com/elastic/integrations/pull/1865
-- version: "1.1.1"
- changes:
- - description: Fix logic that checks for the 'forwarded' tag
- type: bugfix
- link: https://github.com/elastic/integrations/pull/1805
-- version: "1.1.0"
- changes:
- - description: Update to ECS 1.12.0
- type: enhancement
- link: https://github.com/elastic/integrations/pull/1782
-- version: "1.0.1"
- changes:
- - description: Adding missing ECS fields
- type: bugfix
- link: https://github.com/elastic/integrations/pull/1732
-- version: "1.0.0"
- changes:
- - description: Split Cisco ASA into its own package
- type: enhancement
- link: https://github.com/elastic/integrations/pull/1583
diff --git a/packages/cisco_asa/2.7.5/data_stream/log/agent/stream/stream.yml.hbs b/packages/cisco_asa/2.7.5/data_stream/log/agent/stream/stream.yml.hbs deleted file mode 100755
index 1190ec3f3c..0000000000
--- a/packages/cisco_asa/2.7.5/data_stream/log/agent/stream/stream.yml.hbs
+++ /dev/null
@@ -1,20 +0,0 @@
-paths:
-{{#each paths as |path i|}}
- - {{path}}
-{{/each}}
-exclude_files: [".gz$"]
-tags:
-{{#if preserve_original_event}}
- - preserve_original_event
-{{/if}}
-{{#each tags as |tag i|}}
- - {{tag}}
-{{/each}}
-{{#contains "forwarded" tags}}
-publisher_pipeline.disable_host: true
-{{/contains}}
-processors:
-- add_locale: ~
-{{#if processors}}
-{{processors}}
-{{/if}}
diff --git a/packages/cisco_asa/2.7.5/data_stream/log/agent/stream/tcp.yml.hbs b/packages/cisco_asa/2.7.5/data_stream/log/agent/stream/tcp.yml.hbs deleted file mode 100755
index 169989f2d7..0000000000
--- a/packages/cisco_asa/2.7.5/data_stream/log/agent/stream/tcp.yml.hbs
+++ /dev/null
@@ -1,22 +0,0 @@
-host: "{{tcp_host}}:{{tcp_port}}"
-tags:
-{{#if preserve_original_event}}
- - preserve_original_event
-{{/if}}
-{{#each tags as |tag i|}}
- - {{tag}}
-{{/each}}
-{{#contains "forwarded" tags}}
-publisher_pipeline.disable_host: true
-{{/contains}}
-{{#if ssl}}
-ssl: {{ssl}}
-{{/if}}
-processors:
-- add_locale: ~
-{{#if processors}}
-{{processors}}
-{{/if}}
-{{#if tcp_options}}
-{{tcp_options}}
-{{/if}}
diff --git a/packages/cisco_asa/2.7.5/data_stream/log/agent/stream/udp.yml.hbs b/packages/cisco_asa/2.7.5/data_stream/log/agent/stream/udp.yml.hbs deleted file mode 100755
index e01f113448..0000000000
--- a/packages/cisco_asa/2.7.5/data_stream/log/agent/stream/udp.yml.hbs
+++ /dev/null
@@ -1,16 +0,0 @@
-host: "{{udp_host}}:{{udp_port}}"
-tags:
-{{#if preserve_original_event}}
- - preserve_original_event
-{{/if}}
-{{#each tags as |tag i|}}
- - {{tag}}
-{{/each}}
-{{#contains "forwarded" tags}}
-publisher_pipeline.disable_host: true
-{{/contains}}
-processors:
-- add_locale: ~
-{{#if processors}}
-{{processors}}
-{{/if}}
diff --git a/packages/cisco_asa/2.7.5/data_stream/log/elasticsearch/ingest_pipeline/default.yml b/packages/cisco_asa/2.7.5/data_stream/log/elasticsearch/ingest_pipeline/default.yml deleted file mode 100755
index ccc4d5252c..0000000000
--- a/packages/cisco_asa/2.7.5/data_stream/log/elasticsearch/ingest_pipeline/default.yml
+++ /dev/null
@@ -1,2252 +0,0 @@ ---- -description: "Pipeline for Cisco ASA logs" -processors: - - rename: - field: message - target_field: event.original - ignore_missing: true - - set: - field: ecs.version - value: '8.4.0' - # - # Parse the syslog header - # - # This populates the host.hostname, process.name, timestamp and other fields - # from the header and stores the message contents in _temp_.full_message. - - grok: - field: event.original - patterns: - - "(?:%{SYSLOG_HEADER})?\\s*%{GREEDYDATA:_temp_.full_message}" - pattern_definitions: - SYSLOG_HEADER: "(?:%{SYSPRIORITY}\\s*)?(?:%{FTD_DATE:_temp_.raw_date}:?\\s+)?(?:%{PROCESS_HOST}|%{HOST_PROCESS})(?:{DATA})?%{SYSLOG_END}?" - SYSPRIORITY: "<%{NONNEGINT:log.syslog.priority:int}>" - # Beginning with version 6.3, Firepower Threat Defense provides the option to enable timestamp as per RFC 5424. - FTD_DATE: "(?:%{TIMESTAMP_ISO8601}|%{ASA_DATE})" - ASA_DATE: "(?:%{DAY} )?%{MONTH} *%{MONTHDAY}(?: %{YEAR})? %{TIME}(?: %{TZ})?" - PROCESS: "(?:[^%\\s:\\[]+)" - SYSLOG_END: "(?:(:|\\s)\\s+)" - # exactly match the syntax for firepower management logs - PROCESS_HOST: "(?:%{PROCESS:process.name}:\\s%{SYSLOGHOST:host.name})" - HOST_PROCESS: "(?:%{SYSLOGHOST:host.hostname}:?\\s+)?(?:%{PROCESS:process.name}?(?:\\[%{POSINT:process.pid:long}\\])?)?" - - script: - lang: painless - source: | - if (ctx.log?.syslog?.priority != null) { - def severity = new HashMap(); - severity['code'] = ctx.log.syslog.priority&0x7; - ctx.log.syslog['severity'] = severity; - def facility = new HashMap(); - facility['code'] = ctx.log.syslog.priority>>3; - ctx.log.syslog['facility'] = facility; - } - - # - # Parse FTD/ASA style message - # - # This parses the header of an EMBLEM-style message for FTD and ASA prefixes. 
- - grok: - field: _temp_.full_message - patterns: - - "%{FTD_PREFIX}-(?:%{FTD_SUFFIX:_temp_.cisco.suffix}-)?%{NONNEGINT:event.severity:int}-%{POSINT:_temp_.cisco.message_id}?:?\\s*%{GREEDYDATA:message}" - # Before version 6.3, messages for connection, security intelligence, and intrusion events didn't include an event type ID in the message header. - - "%{GREEDYDATA:message}" - pattern_definitions: - FTD_SUFFIX: "[^0-9-]+" - # Before version 6.3, FTD used ASA prefix in syslog messages - FTD_PREFIX: "%{DATA}%(?:[A-Z]+)" - - # - # Create missing fields when no %FTD label is present - # - # message_id is needed in order for some processors below to work. - - set: - field: _temp_.cisco.message_id - value: "" - if: "ctx?._temp_?.cisco?.message_id == null" - - # - # set default event.severity to 7 (debug): - # - # This value is read from the EMBLEM header and won't be present if this is not - # an emblem message (firewalls can be configured to report other kinds of events) - - set: - field: event.severity - value: 7 - if: "ctx?.event?.severity == null" - - # - # Parse the date included in FTD logs - # - - date: - if: "ctx.event?.timezone == null && ctx._temp_?.raw_date != null" - field: "_temp_.raw_date" - target_field: "@timestamp" - formats: - - "ISO8601" - - "MMM d HH:mm:ss" - - "MMM dd HH:mm:ss" - - "EEE MMM d HH:mm:ss" - - "EEE MMM dd HH:mm:ss" - - "MMM d HH:mm:ss z" - - "MMM dd HH:mm:ss z" - - "EEE MMM d HH:mm:ss z" - - "EEE MMM dd HH:mm:ss z" - - "MMM d yyyy HH:mm:ss" - - "MMM dd yyyy HH:mm:ss" - - "EEE MMM d yyyy HH:mm:ss" - - "EEE MMM dd yyyy HH:mm:ss" - - "MMM d yyyy HH:mm:ss z" - - "MMM dd yyyy HH:mm:ss z" - - "EEE MMM d yyyy HH:mm:ss z" - - "EEE MMM dd yyyy HH:mm:ss z" - on_failure: - [ - { - "append": - { - "field": "error.message", - "value": "{{ _ingest.on_failure_message }}", - }, - }, - ] - - date: - if: "ctx.event?.timezone != null && ctx._temp_?.raw_date != null" - timezone: "{{ event.timezone }}" - field: "_temp_.raw_date" - target_field: 
"@timestamp" - formats: - - "ISO8601" - - "MMM d HH:mm:ss" - - "MMM dd HH:mm:ss" - - "EEE MMM d HH:mm:ss" - - "EEE MMM dd HH:mm:ss" - - "MMM d HH:mm:ss z" - - "MMM dd HH:mm:ss z" - - "EEE MMM d HH:mm:ss z" - - "EEE MMM dd HH:mm:ss z" - - "MMM d yyyy HH:mm:ss" - - "MMM dd yyyy HH:mm:ss" - - "EEE MMM d yyyy HH:mm:ss" - - "EEE MMM dd yyyy HH:mm:ss" - - "MMM d yyyy HH:mm:ss z" - - "MMM dd yyyy HH:mm:ss z" - - "EEE MMM d yyyy HH:mm:ss z" - - "EEE MMM dd yyyy HH:mm:ss z" - on_failure: - [ - { - "append": - { - "field": "error.message", - "value": "{{ _ingest.on_failure_message }}", - }, - }, - ] - - # - # Set log.level - # - - set: - field: "log.level" - if: "ctx.event.severity == 0" - value: unknown - - set: - field: "log.level" - if: "ctx.event.severity == 1" - value: alert - - set: - field: "log.level" - if: "ctx.event.severity == 2" - value: critical - - set: - field: "log.level" - if: "ctx.event.severity == 3" - value: error - - set: - field: "log.level" - if: "ctx.event.severity == 4" - value: warning - - set: - field: "log.level" - if: "ctx.event.severity == 5" - value: notification - - set: - field: "log.level" - if: "ctx.event.severity == 6" - value: informational - - set: - field: "log.level" - if: "ctx.event.severity == 7" - value: debug - - # - # Firewall messages - # - # This set of messages is shared between FTD and ASA. 
- - set: - if: 'ctx._temp_.cisco.message_id != ""' - field: "event.action" - value: "firewall-rule" - - dissect: - if: "ctx._temp_.cisco.message_id == '106001'" - field: "message" - description: "106001" - pattern: "%{network.direction} %{network.transport} connection %{event.outcome} from %{source.address}/%{source.port} to %{destination.address}/%{destination.port} flags %{} on interface %{_temp_.cisco.source_interface}" - - dissect: - if: "ctx._temp_.cisco.message_id == '106002'" - field: "message" - description: "106002" - pattern: "%{network.transport} Connection %{event.outcome} by %{network.direction} list %{_temp_.cisco.list_id} src %{source.address} dest %{destination.address}" - - dissect: - if: "ctx._temp_.cisco.message_id == '106006'" - field: "message" - description: "106006" - pattern: "%{event.outcome} %{network.direction} %{network.transport} from %{source.address}/%{source.port} to %{destination.address}/%{destination.port} on interface %{_temp_.cisco.source_interface}" - - dissect: - if: "ctx._temp_.cisco.message_id == '106007'" - field: "message" - description: "106007" - pattern: "%{event.outcome} %{network.direction} %{network.transport} from %{source.address}/%{source.port} to %{destination.address}/%{destination.port} due to %{network.protocol} %{}" - - grok: - if: "ctx._temp_.cisco.message_id == '106010'" - field: "message" - description: "106010" - patterns: - - "%{NOTSPACE:event.outcome} %{NOTSPACE:network.direction} %{NOTSPACE:network.transport} src %{NOTSPACE:_temp_.cisco.source_interface}:%{NOTSPACE:source.address}/%{POSINT:source.port} (%{DATA})?dst %{NOTSPACE:_temp_.cisco.destination_interface}:%{NOTSPACE:destination.address}/%{POSINT:destination.port}(%{GREEDYDATA})?" 
- - dissect: - if: "ctx._temp_.cisco.message_id == '106013'" - field: "message" - description: "106013" - pattern: "Dropping echo request from %{source.address} to PAT address %{destination.address}" - - set: - if: "ctx._temp_.cisco.message_id == '106013'" - field: "network.transport" - description: "106013" - value: icmp - - set: - if: "ctx._temp_.cisco.message_id == '106013'" - field: "network.direction" - description: "106013" - value: inbound - - grok: - if: "ctx._temp_.cisco.message_id == '106014'" - field: "message" - description: "106014" - patterns: - - "%{NOTSPACE:event.outcome} %{NOTSPACE:network.direction} %{NOTSPACE:network.transport} src %{NOTSPACE:_temp_.cisco.source_interface}:%{NOTSPACE:source.address} (%{DATA})?dst %{NOTSPACE:_temp_.cisco.destination_interface}:(?[^ (]*)(%{GREEDYDATA})?" - - grok: - if: "ctx._temp_.cisco.message_id == '106015'" - field: "message" - description: "106015" - patterns: - - "%{NOTSPACE:event.outcome} %{NOTSPACE:network.transport} %{NOTSPACE} %{NOTSPACE} from %{IP:source.address}/%{POSINT:source.port} to %{IPORHOST:destination.address}/%{POSINT:destination.port} flags %{DATA} on interface %{NOTSPACE:_temp_.cisco.source_interface}" - - dissect: - if: "ctx._temp_.cisco.message_id == '106016'" - field: "message" - pattern: "%{event.outcome} IP spoof from (%{source.address}) to %{destination.address} on interface %{_temp_.cisco.source_interface}" - description: "106016" - - dissect: - if: "ctx._temp_.cisco.message_id == '106017'" - field: "message" - pattern: "%{event.outcome} IP due to Land Attack from %{source.address} to %{destination.address}" - description: "106017" - - dissect: - if: "ctx._temp_.cisco.message_id == '106018'" - field: "message" - pattern: "%{network.transport} packet type %{_temp_.cisco.icmp_type} %{event.outcome} by %{network.direction} list %{_temp_.cisco.list_id} src %{source.address} dest %{destination.address}" - description: "106018" - - dissect: - if: "ctx._temp_.cisco.message_id == '106020'" - 
field: "message" - pattern: "%{event.outcome} IP teardrop fragment (size = %{}, offset = %{}) from %{source.address} to %{destination.address}" - description: "106020" - - dissect: - if: "ctx._temp_.cisco.message_id == '106021'" - field: "message" - pattern: "%{event.outcome} %{network.transport} reverse path check from %{source.address} to %{destination.address} on interface %{_temp_.cisco.source_interface}" - description: "106021" - - dissect: - if: "ctx._temp_.cisco.message_id == '106022'" - field: "message" - pattern: "%{event.outcome} %{network.transport} connection spoof from %{source.address} to %{destination.address} on interface %{_temp_.cisco.source_interface}" - description: "106022" - - grok: - if: "ctx._temp_.cisco.message_id == '106023'" - field: "message" - description: "106023" - patterns: - - ^%{NOTSPACE:event.outcome} ((protocol %{POSINT:network.iana_number})|%{NOTSPACE:network.transport}) src %{NOTCOLON:_temp_.cisco.source_interface}:%{IPORHOST:source.address}(/%{POSINT:source.port})?\s*(\(%{CISCO_USER:_temp_.cisco.source_username}\) )?dst %{NOTCOLON:_temp_.cisco.destination_interface}:%{IPORHOST:destination.address}(/%{POSINT:destination.port})?%{DATA}by access-group "%{NOTSPACE:_temp_.cisco.list_id}" - pattern_definitions: - HOSTNAME: "\\b(?:[0-9A-Za-z][0-9A-Za-z-_]{0,62})(?:\\.(?:[0-9A-Za-z][0-9A-Za-z-_]{0,62}))*(\\.?|\\b)" - IPORHOST: "(?:%{IP}|%{HOSTNAME})" - NOTCOLON: "[^:]*" - CISCO_USER: ((LOCAL\\)?(%{HOSTNAME}\\)?%{USERNAME}(@%{HOSTNAME})?(, *%{NUMBER})?) 
- - dissect: - if: "ctx._temp_.cisco.message_id == '106027'" - field: "message" - description: "106027" - pattern: '%{} %{event.outcome} src %{source.address} dst %{destination.address} by access-group "%{_temp_.cisco.list_id}"' - - dissect: - if: "ctx._temp_.cisco.message_id == '106100'" - field: "message" - description: "106100" - pattern: "access-list %{_temp_.cisco.list_id} %{event.outcome} %{network.transport} %{_temp_.cisco.source_interface}/%{source.address}(%{source.port})%{}-> %{_temp_.cisco.destination_interface}/%{destination.address}(%{destination.port})%{}" - - dissect: - if: "ctx._temp_.cisco.message_id == '106102' || ctx._temp_.cisco.message_id == '106103'" - field: "message" - description: "106103" - pattern: "access-list %{_temp_.cisco.list_id} %{event.outcome} %{network.transport} for user %{user.name} %{_temp_.cisco.source_interface}/%{source.address}(%{source.port})%{}-> %{_temp_.cisco.destination_interface}/%{destination.address}(%{destination.port})%{}" - - dissect: - if: "ctx._temp_.cisco.message_id == '111004'" - field: "message" - description: "111004" - pattern: "%{source.address} end configuration: %{_temp_.cisco.cli_outcome}" - - set: - field: event.outcome - description: "111004" - value: "success" - if: "ctx._temp_.cisco.message_id == '111004' && ctx?._temp_?.cisco?.cli_outcome == 'OK'" - - set: - field: event.outcome - description: "111004" - value: "failure" - if: "ctx._temp_.cisco.message_id == '111004' && ctx?._temp_?.cisco?.cli_outcome == 'FAILED'" - - remove: - field: _temp_.cisco.cli_outcome - ignore_missing: true - - append: - field: event.type - description: "111004" - value: "change" - if: "ctx._temp_.cisco.message_id == '111004'" - - grok: - if: "ctx._temp_.cisco.message_id == '111009'" - description: "111009" - field: "message" - patterns: - - "^%{NOTSPACE} '%{NOTSPACE:server.user.name}' executed %{NOTSPACE} %{GREEDYDATA:_temp_.cisco.command_line_arguments}" - - grok: - if: "ctx._temp_.cisco.message_id == '111010'" - field: 
"message" - description: "111010" - patterns: - - "User '%{NOTSPACE:server.user.name}', running %{QUOTEDSTRING} from IP %{IP:source.address}, executed %{QUOTEDSTRING:_temp_.cisco.command_line_arguments}" - - dissect: - if: "ctx._temp_.cisco.message_id == '113004'" - field: "message" - description: "113004" - pattern: "AAA user %{_temp_.cisco.aaa_type} Successful: server = %{destination.address} , User = %{source.user.name}" - - grok: - if: "ctx._temp_.cisco.message_id == '113005'" - description: "113005" - field: "message" - patterns: - - "AAA user authentication Rejected: reason = %{REASON}: server = %{IP:destination.address} : user = ?%{CISCO_USER:source.user.name}: user IP = %{IP:source.address}" - pattern_definitions: - REASON: (AAA failure|Account has been disabled) - CISCO_USER: ((LOCAL\\)?(%{HOSTNAME}\\)?%{USERNAME}(@%{HOSTNAME})?(, *%{NUMBER})?) - - dissect: - if: "ctx._temp_.cisco.message_id == '113012'" - field: "message" - description: "113012" - pattern: "AAA user authentication Successful: local database: user = %{source.user.name}" - - dissect: - if: "ctx._temp_.cisco.message_id == '113019'" - field: "message" - description: "113019" - pattern: "Group = %{source.user.group.name}, Username = %{source.user.name}, IP = %{destination.address}, Session disconnected. Session Type: %{_temp_.cisco.session_type}, Duration: %{_temp_.duration_hms}, Bytes xmt: %{source.bytes}, Bytes rcv: %{destination.bytes}, Reason: %{event.reason}" - - dissect: - if: "ctx._temp_.cisco.message_id == '113021'" - field: "message" - description: "113021" - pattern: "Attempted console login failed. User %{source.user.name} did NOT have appropriate Admin Rights." - - dissect: - if: "ctx._temp_.cisco.message_id == '113040'" - field: "message" - description: "113040" - pattern: "Terminating the VPN connection attempt from %{source.user.group.name}. Reason: This connection is group locked to %{}." 
- - grok: - if: '["113029","113030","113031","113032","113033","113034","113035","113036","113038","113039"].contains(ctx._temp_.cisco.message_id)' - field: "message" - description: "113029, 113030, 113031, 113032, 113033, 113034, 113035, 113036, 113038, 113039" - patterns: - - "Group <%{NOTSPACE:source.user.group.name}> User <%{CISCO_USER:source.user.name}> IP <%{IP:source.address}>" - - "Group %{NOTSPACE:source.user.group.name} User %{CISCO_USER:source.user.name} IP %{IP:source.address}" - pattern_definitions: - HOSTNAME: "\\b(?:[0-9A-Za-z][0-9A-Za-z-_]{0,62})(?:\\.(?:[0-9A-Za-z][0-9A-Za-z-_]{0,62}))*(\\.?|\\b)" - IPORHOST: "(?:%{IP}|%{HOSTNAME})" - CISCO_USER: ((LOCAL\\)?(%{HOSTNAME}\\)?%{USERNAME}(@%{HOSTNAME})?(, *%{NUMBER})?) - - grok: - if: '["302013", "302015"].contains(ctx._temp_.cisco.message_id)' - field: "message" - description: "302013, 302015" - patterns: - - Built %{NOTSPACE:network.direction} %{NOTSPACE:network.transport} connection %{NUMBER:_temp_.cisco.connection_id} for %{NOTCOLON:_temp_.cisco.source_interface}:%{IPORHOST:source.address}/%{NUMBER:source.port} \(%{IPORHOST:_temp_.natsrcip}/%{NUMBER:_temp_.cisco.mapped_source_port}\)(\(%{CISCO_USER:_temp_.cisco.source_username}\))? to %{NOTCOLON:_temp_.cisco.destination_interface}:%{NOTSPACE:destination.address}/%{NUMBER:destination.port} \(%{NOTSPACE:_temp_.natdstip}/%{NUMBER:_temp_.cisco.mapped_destination_port}\)(\(%{CISCO_USER:_temp_.cisco.destination_username}\))?( \(%{CISCO_USER:_temp_.cisco.termination_user}\))?%{GREEDYDATA} - pattern_definitions: - HOSTNAME: "\\b(?:[0-9A-Za-z][0-9A-Za-z-_]{0,62})(?:\\.(?:[0-9A-Za-z][0-9A-Za-z-_]{0,62}))*(\\.?|\\b)" - IPORHOST: "(?:%{IP}|%{HOSTNAME})" - NOTCOLON: "[^:]*" - CISCO_USER: ((LOCAL\\)?(%{HOSTNAME}\\)?%{USERNAME}(@%{HOSTNAME})?(, *%{NUMBER})?) 
- - dissect: - if: "ctx._temp_.cisco.message_id == '303002'" - field: "message" - description: "303002" - pattern: "%{network.protocol} connection from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port}, user %{client.user.name} %{} file %{file.path}" - - grok: - if: "ctx._temp_.cisco.message_id == '305012'" - field: "message" - description: "305012" - patterns: - - Teardown %{DATA} %{NOTSPACE:network.transport} translation from %{NOTCOLON:_temp_.cisco.source_interface}:%{IPORHOST:source.address}/%{NUMBER:source.port}(\s*\(%{CISCO_USER:_temp_.cisco.source_username}\))? to %{NOTCOLON:_temp_.cisco.destination_interface}:%{IP:destination.address}/%{NUMBER:destination.port} duration %{DURATION:_temp_.duration_hms} - pattern_definitions: - NOTCOLON: "[^:]*" - HOSTNAME: "\\b(?:[0-9A-Za-z][0-9A-Za-z-_]{0,62})(?:\\.(?:[0-9A-Za-z][0-9A-Za-z-_]{0,62}))*(\\.?|\\b)" - IPORHOST: "(?:%{IP}|%{HOSTNAME})" - CISCO_USER: ((LOCAL\\)?(%{HOSTNAME}\\)?%{USERNAME}(@%{HOSTNAME})?(, *%{NUMBER})?) - DURATION: "%{INT}:%{MINUTE}:%{SECOND}" - - set: - if: '["302020"].contains(ctx._temp_.cisco.message_id)' - field: "event.action" - value: "flow-creation" - description: "302020" - - grok: - if: "ctx._temp_.cisco.message_id == '302020'" - field: "message" - description: "302020" - patterns: - - "Built %{NOTSPACE:network.direction} %{NOTSPACE:network.protocol} connection for faddr (?:%{NOTCOLON:_temp_.cisco.source_interface}:)?%{ECSDESTIPORHOST}/%{NUMBER}\\s*(?:\\(%{CISCO_USER:_temp_.cisco.destination_username}\\) )?gaddr (?:%{NOTCOLON}:)?%{MAPPEDSRC}/%{NUMBER} laddr (?:%{NOTCOLON:_temp_.cisco.source_interface}:)?%{ECSSOURCEIPORHOST}/%{NUMBER}\\s*(?:\\(%{CISCO_USER:_temp_.cisco.source_username}\\) )?(type %{NUMBER:_temp_.cisco.icmp_type} code %{NUMBER:_temp_.cisco.icmp_code})?" 
- pattern_definitions: - HOSTNAME: "\\b(?:[0-9A-Za-z][0-9A-Za-z-_]{0,62})(?:\\.(?:[0-9A-Za-z][0-9A-Za-z-_]{0,62}))*(\\.?|\\b)" - IPORHOST: "(?:%{IP}|%{HOSTNAME})" - NOTCOLON: "[^:]*" - ECSSOURCEIPORHOST: "(?:%{IP:source.address}|%{HOSTNAME:source.domain})" - ECSDESTIPORHOST: "(?:%{IP:destination.address}|%{HOSTNAME:destination.domain})" - MAPPEDSRC: "(?:%{DATA:_temp_.natsrcip}|%{HOSTNAME})" - CISCO_USER: ((LOCAL\\)?(%{HOSTNAME}\\)?%{USERNAME}(@%{HOSTNAME})?(, *%{NUMBER})?) - - dissect: - if: "ctx._temp_.cisco.message_id == '302022'" - field: "message" - description: "302022" - pattern: "Built %{} stub %{network.transport} connection for %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} %{} to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} %{}" - - dissect: - if: "ctx._temp_.cisco.message_id == '302023'" - field: "message" - description: "302023" - pattern: "Teardown stub %{network.transport} connection for %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} duration %{_temp_.duration_hms} forwarded bytes %{network.bytes} %{event.reason}" - - grok: - if: "ctx._temp_.cisco.message_id == '304001'" - field: "message" - description: "304001" - patterns: - - "(%{NOTSPACE:source.user.name}@)?%{IP:source.address}(\\(%{DATA}\\))? 
%{DATA} (%{NOTSPACE}@)?%{IPORHOST:destination.address}:%{GREEDYDATA:url.original}" - - set: - if: "ctx._temp_.cisco.message_id == '304001'" - field: "event.outcome" - description: "304001" - value: allowed - - dissect: - if: "ctx._temp_.cisco.message_id == '304002'" - field: "message" - description: "304002" - pattern: "Access %{event.outcome} URL %{url.original} SRC %{source.address} %{}EST %{destination.address} on interface %{_temp_.cisco.source_interface}" - - grok: - if: "ctx._temp_.cisco.message_id == '305011'" - field: "message" - description: "305011" - patterns: - - Built %{NOTSPACE} %{NOTSPACE:network.transport} translation from %{NOTSPACE:_temp_.cisco.source_interface}:%{IPORHOST:source.address}/%{NUMBER:source.port}(\(%{NOTSPACE:source.user.name}\))? to %{NOTSPACE:_temp_.cisco.destination_interface}:%{IP:destination.address}/%{NUMBER:destination.port} - - dissect: - if: "ctx._temp_.cisco.message_id == '313001'" - field: "message" - description: "313001" - pattern: "%{event.outcome} %{network.transport} type=%{_temp_.cisco.icmp_type}, code=%{_temp_.cisco.icmp_code} from %{source.address} on interface %{_temp_.cisco.source_interface}" - - dissect: - if: "ctx._temp_.cisco.message_id == '313004'" - field: "message" - description: "313004" - pattern: "%{event.outcome} %{network.transport} type=%{_temp_.cisco.icmp_type}, from%{}addr %{source.address} on interface %{_temp_.cisco.source_interface} to %{destination.address}: no matching session" - - dissect: - if: "ctx._temp_.cisco.message_id == '313005'" - field: "message" - description: "313005" - pattern: "No matching connection for %{network.transport} error message: %{} on %{_temp_.cisco.source_interface} interface.%{}riginal IP payload: %{}" - - dissect: - if: "ctx._temp_.cisco.message_id == '313008'" - field: "message" - description: "313008" - pattern: "%{event.outcome} %{network.transport} type=%{_temp_.cisco.icmp_type}, code=%{_temp_.cisco.icmp_code} from %{source.address} on interface 
%{_temp_.cisco.source_interface}" - - dissect: - if: "ctx._temp_.cisco.message_id == '313009'" - field: "message" - description: "313009" - pattern: "%{event.outcome} invalid %{network.transport} code %{_temp_.cisco.icmp_code}, for %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}" - - dissect: - if: "ctx._temp_.cisco.message_id == '322001'" - field: "message" - description: "322001" - pattern: "%{event.outcome} MAC address %{source.mac}, possible spoof attempt on interface %{_temp_.cisco.source_interface}" - - dissect: - if: "ctx._temp_.cisco.message_id == '338001'" - field: "message" - description: "338001" - pattern: "Dynamic filter %{event.outcome} black%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}source %{} resolved from %{_temp_.cisco.list_id} list: %{source.domain}, threat-level: %{_temp_.cisco.threat_level}, category: %{_temp_.cisco.threat_category}" - - set: - if: "ctx._temp_.cisco.message_id == '338001'" - field: "server.domain" - description: "338001" - value: "{{source.domain}}" - ignore_empty_value: true - - dissect: - if: "ctx._temp_.cisco.message_id == '338002'" - field: "message" - description: "338002" - pattern: "Dynamic %{}ilter %{event.outcome} black%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}destination %{} 
resolved from %{_temp_.cisco.list_id} list: %{destination.domain}" - - set: - if: "ctx._temp_.cisco.message_id == '338002'" - field: "server.domain" - description: "338002" - value: "{{destination.domain}}" - ignore_empty_value: true - - dissect: - if: "ctx._temp_.cisco.message_id == '338003'" - field: "message" - description: "338003" - pattern: "Dynamic %{}ilter %{event.outcome} black%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}source %{} resolved from %{_temp_.cisco.list_id} list: %{}, threat-level: %{_temp_.cisco.threat_level}, category: %{_temp_.cisco.threat_category}" - - dissect: - if: "ctx._temp_.cisco.message_id == '338004'" - field: "message" - description: "338004" - pattern: "Dynamic %{}ilter %{event.outcome} black%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}destination %{} resolved from %{_temp_.cisco.list_id} list: %{}, threat-level: %{_temp_.cisco.threat_level}, category: %{_temp_.cisco.threat_category}" - - dissect: - if: "ctx._temp_.cisco.message_id == '338005'" - field: "message" - description: "338005" - pattern: "Dynamic %{}ilter %{event.outcome} black%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}source %{} resolved from %{_temp_.cisco.list_id} list: %{source.domain}, 
threat-level: %{_temp_.cisco.threat_level}, category: %{_temp_.cisco.threat_category}" - - set: - if: "ctx._temp_.cisco.message_id == '338005'" - field: "server.domain" - description: "338005" - value: "{{source.domain}}" - ignore_empty_value: true - - dissect: - if: "ctx._temp_.cisco.message_id == '338006'" - field: "message" - description: "338006" - pattern: "Dynamic %{}ilter %{event.outcome} black%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}destination %{} resolved from %{_temp_.cisco.list_id} list: %{destination.domain}, threat-level: %{_temp_.cisco.threat_level}, category: %{_temp_.cisco.threat_category}" - - set: - if: "ctx._temp_.cisco.message_id == '338006'" - field: "server.domain" - description: "338006" - value: "{{destination.domain}}" - ignore_empty_value: true - - dissect: - if: "ctx._temp_.cisco.message_id == '338007'" - field: "message" - description: "338007" - pattern: "Dynamic %{}ilter %{event.outcome} black%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}source %{} resolved from %{_temp_.cisco.list_id} list: %{}, threat-level: %{_temp_.cisco.threat_level}, category: %{_temp_.cisco.threat_category}" - - dissect: - if: "ctx._temp_.cisco.message_id == '338008'" - field: "message" - description: "338008" - pattern: "Dynamic %{}ilter %{event.outcome} black%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to 
%{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}destination %{} resolved from %{_temp_.cisco.list_id} list: %{}, threat-level: %{_temp_.cisco.threat_level}, category: %{_temp_.cisco.threat_category}" - - dissect: - if: "ctx._temp_.cisco.message_id == '338101'" - field: "message" - description: "338101" - pattern: "Dynamic %{}ilter %{event.outcome} white%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}source %{} resolved from %{_temp_.cisco.list_id} list: %{source.domain}" - - set: - if: "ctx._temp_.cisco.message_id == '338101'" - field: "server.domain" - description: "338101" - value: "{{source.domain}}" - ignore_empty_value: true - - dissect: - if: "ctx._temp_.cisco.message_id == '338102'" - field: "message" - description: "338102" - pattern: "Dynamic %{}ilter %{event.outcome} white%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}destination %{} resolved from %{_temp_.cisco.list_id} list: %{destination.domain}" - - set: - if: "ctx._temp_.cisco.message_id == '338102'" - field: "server.domain" - description: "338102" - value: "{{destination.domain}}" - ignore_empty_value: true - - dissect: - if: "ctx._temp_.cisco.message_id == '338103'" - field: "message" - description: "338103" - pattern: "Dynamic %{}ilter %{event.outcome} white%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} 
(%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}source %{} resolved from %{_temp_.cisco.list_id} list: %{}" - - dissect: - if: "ctx._temp_.cisco.message_id == '338104'" - field: "message" - description: "338104" - pattern: "Dynamic %{}ilter %{event.outcome} white%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}destination %{} resolved from %{_temp_.cisco.list_id} list: %{}" - - dissect: - if: "ctx._temp_.cisco.message_id == '338201'" - field: "message" - description: "338201" - pattern: "Dynamic %{}ilter %{event.outcome} grey%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}source %{} resolved from %{_temp_.cisco.list_id} list: %{source.domain}, threat-level: %{_temp_.cisco.threat_level}, category: %{_temp_.cisco.threat_category}" - - set: - if: "ctx._temp_.cisco.message_id == '338201'" - field: "server.domain" - description: "338201" - value: "{{source.domain}}" - ignore_empty_value: true - - dissect: - if: "ctx._temp_.cisco.message_id == '338202'" - field: "message" - description: "338202" - pattern: "Dynamic %{}ilter %{event.outcome} grey%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} 
(%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}destination %{} resolved from %{_temp_.cisco.list_id} list: %{destination.domain}, threat-level: %{_temp_.cisco.threat_level}, category: %{_temp_.cisco.threat_category}" - - set: - if: "ctx._temp_.cisco.message_id == '338202'" - field: "server.domain" - description: "338202" - value: "{{destination.domain}}" - ignore_empty_value: true - - dissect: - if: "ctx._temp_.cisco.message_id == '338203'" - field: "message" - description: "338203" - pattern: "Dynamic %{}ilter %{event.outcome} grey%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}source %{} resolved from %{_temp_.cisco.list_id} list: %{source.domain}, threat-level: %{_temp_.cisco.threat_level}, category: %{_temp_.cisco.threat_category}" - - set: - if: "ctx._temp_.cisco.message_id == '338203'" - field: "server.domain" - description: "338203" - value: "{{source.domain}}" - ignore_empty_value: true - - dissect: - if: "ctx._temp_.cisco.message_id == '338204'" - field: "message" - description: "338204" - pattern: "Dynamic %{}ilter %{event.outcome} grey%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}destination %{} resolved from %{_temp_.cisco.list_id} list: %{destination.domain}, threat-level: %{_temp_.cisco.threat_level}, category: %{_temp_.cisco.threat_category}" - - set: - if: "ctx._temp_.cisco.message_id == '338204'" - field: "server.domain" - description: "338204" - value: "{{destination.domain}}" - ignore_empty_value: true - - dissect: - 
if: "ctx._temp_.cisco.message_id == '338301'" - field: "message" - description: "338301" - pattern: "Intercepted DNS reply for domain %{source.domain} from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port}, matched %{_temp_.cisco.list_id}" - - set: - if: "ctx._temp_.cisco.message_id == '338301'" - field: "client.address" - description: "338301" - value: "{{destination.address}}" - ignore_empty_value: true - - set: - if: "ctx._temp_.cisco.message_id == '338301'" - field: "client.port" - description: "338301" - value: "{{destination.port}}" - ignore_empty_value: true - - set: - if: "ctx._temp_.cisco.message_id == '338301'" - field: "server.address" - description: "338301" - value: "{{source.address}}" - ignore_empty_value: true - - set: - if: "ctx._temp_.cisco.message_id == '338301'" - field: "server.port" - description: "338301" - value: "{{source.port}}" - ignore_empty_value: true - - dissect: - if: "ctx._temp_.cisco.message_id == '502103'" - field: "message" - description: "502103" - pattern: "User priv level changed: Uname: %{server.user.name} 
From: %{_temp_.cisco.privilege.old} To: %{_temp_.cisco.privilege.new}" - - append: - if: "ctx._temp_.cisco.message_id == '502103'" - field: "event.type" - description: "502103" - value: - - "group" - - "change" - - append: - if: "ctx._temp_.cisco.message_id == '502103'" - field: "event.category" - description: "502103" - value: "iam" - - dissect: - if: "ctx._temp_.cisco.message_id == '507003'" - field: "message" - description: "507003" - pattern: "%{network.transport} flow from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} terminated by inspection engine, reason - %{message}" - - dissect: - if: '["605004", "605005"].contains(ctx._temp_.cisco.message_id)' - field: "message" - description: "605004, 605005" - pattern: 'Login %{event.outcome} from %{source.address}/%{source.port} to %{_temp_.cisco.destination_interface}:%{destination.address}/%{network.protocol} for user "%{source.user.name}"' - - dissect: - if: "ctx._temp_.cisco.message_id == '609001'" - field: "message" - description: "609001" - pattern: "Built local-host %{_temp_.cisco.source_interface}:%{source.address}" - - dissect: - if: "ctx._temp_.cisco.message_id == '607001'" - field: "message" - description: "607001" - pattern: "Pre-allocate SIP %{_temp_.cisco.connection_type} secondary channel for %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} to %{_temp_.cisco.source_interface}:%{source.address} from %{_temp_.cisco.message} message" - - grok: - if: "ctx._temp_.cisco.message_id == '607001'" - description: "607001" - field: "_temp_.cisco.connection_type" - patterns: - - "%{CONNECTION}" - pattern_definitions: - TRANSPORTS: "(?:UDP|TCP)" - PROTOCOLS: "(?:RTP|RTCP)" - CONNECTION: "(?:%{TRANSPORTS:network.transport}|%{PROTOCOLS:network.protocol})" - ignore_failure: true - - dissect: - if: "ctx._temp_.cisco.message_id == '609002'" - field: "message" - description: "609002" - 
pattern: "Teardown local-host %{_temp_.cisco.source_interface}:%{source.address} duration %{_temp_.duration_hms}" - - dissect: - if: '["611102", "611101"].contains(ctx._temp_.cisco.message_id)' - field: "message" - description: "611102, 611101" - pattern: 'User authentication %{event.outcome}: IP address: %{source.address}, Uname: %{server.user.name}' - - dissect: - if: "ctx._temp_.cisco.message_id == '710003'" - field: "message" - description: "710003" - pattern: "%{network.transport} access %{event.outcome} by ACL from %{source.address}/%{source.port} to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port}" - - dissect: - if: "ctx._temp_.cisco.message_id == '710005'" - field: "message" - description: "710005" - pattern: "%{network.transport} request %{event.outcome} from %{source.address}/%{source.port} to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port}" - - dissect: - if: "ctx._temp_.cisco.message_id == '713049'" - field: "message" - description: "713049" - pattern: "Group = %{}, IP = %{source.address}, Security negotiation complete for LAN-to-LAN Group (%{}) %{}, Inbound SPI = %{}, Outbound SPI = %{}" - ignore_failure: true - - dissect: - if: "ctx._temp_.cisco.message_id == '713049'" - field: "message" - description: "713049" - pattern: "Group = %{}, Username = %{user.name}, IP = %{source.address}, Security negotiation complete for User (%{}) %{}, Inbound SPI = %{}, Outbound SPI = %{}" - ignore_failure: true - - grok: - if: "ctx._temp_.cisco.message_id == '716002'" - field: "message" - description: "716002" - patterns: - - "Group <%{NOTSPACE:_temp_.cisco.webvpn.group_name}> User <%{NOTSPACE:source.user.name}> IP <%{IP:source.address}> WebVPN session terminated: %{GREEDYDATA:event.reason}." - - "Group %{NOTSPACE:_temp_.cisco.webvpn.group_name} User %{NOTSPACE:source.user.name} IP %{IP:source.address} WebVPN session terminated: %{GREEDYDATA:event.reason}." 
- - grok: - if: "ctx._temp_.cisco.message_id == '722051'" - field: "message" - description: "722051" - patterns: - - "Group <%{NOTSPACE:_temp_.cisco.webvpn.group_name}> User <%{NOTSPACE:source.user.name}> IP <%{IP:source.address}> IPv4 Address <%{IP:_temp_.cisco.assigned_ip}> %{GREEDYDATA}" - - "Group %{NOTSPACE:_temp_.cisco.webvpn.group_name} User %{NOTSPACE:source.user.name} IP %{IP:source.address} IPv4 Address %{IP:_temp_.cisco.assigned_ip} %{GREEDYDATA}" - - grok: - if: "ctx._temp_.cisco.message_id == '733100'" - field: "message" - description: "733100" - patterns: - - \[(%{SPACE})?%{DATA:_temp_.cisco.burst.object}\] drop %{NOTSPACE:_temp_.cisco.burst.id} exceeded. Current burst rate is %{INT:_temp_.cisco.burst.current_rate} per second, max configured rate is %{INT:_temp_.cisco.burst.configured_rate}; Current average rate is %{INT:_temp_.cisco.burst.avg_rate} per second, max configured rate is %{INT:_temp_.cisco.burst.configured_avg_rate}; Cumulative total count is %{INT:_temp_.cisco.burst.cumulative_count} - - dissect: - if: "ctx._temp_.cisco.message_id == '734001'" - field: "message" - description: "734001" - pattern: "DAP: User %{user.email}, Addr %{source.address}, Connection %{_temp_.cisco.connection_type}: The following DAP records were selected for this connection: %{_temp_.cisco.dap_records->}" - - dissect: - if: "ctx._temp_.cisco.message_id == '805001'" - field: "message" - description: "805001" - pattern: "Offloaded %{network.transport} Flow for connection %{_temp_.cisco.connection_id} from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})" - - dissect: - if: "ctx._temp_.cisco.message_id == '805002'" - field: "message" - description: "805002" - pattern: "%{network.transport} Flow is no longer offloaded for connection 
%{_temp_.cisco.connection_id} from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})" - - split: - field: "_temp_.cisco.dap_records" - separator: ",\\s+" - ignore_missing: true - - dissect: - if: "ctx._temp_.cisco.message_id == '434002'" - field: "message" - pattern: "SFR requested to %{event.action} %{network.protocol} packet from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port}" - - dissect: - if: "ctx._temp_.cisco.message_id == '434004'" - field: "message" - pattern: "SFR requested ASA to %{event.action} further packet redirection and process %{network.protocol} flow from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} locally" - - dissect: - if: "ctx._temp_.cisco.message_id == '110002'" - field: "message" - pattern: "%{event.reason} for %{network.protocol} from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} to %{destination.address}/%{destination.port}" - - dissect: - if: "ctx._temp_.cisco.message_id == '419002'" - field: "message" - pattern: "%{event.reason}from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} %{+event.reason}" - - dissect: - if: '["602303", "602304"].contains(ctx._temp_.cisco.message_id)' - field: "message" - pattern: "%{network.type}: An %{network.direction} %{_temp_.cisco.tunnel_type} SA (SPI= %{}) between %{source.address} and %{destination.address} (user= %{user.name}) has been %{event.action}." 
- - dissect:
- if: "ctx._temp_.cisco.message_id == '750002'"
- field: "message"
- pattern: "Local:%{source.address}:%{source.port} Remote:%{destination.address}:%{destination.port} Username:%{user.name} %{event.reason}"
- - dissect:
- if: "ctx._temp_.cisco.message_id == '713120'"
- field: "message"
- pattern: "Group = %{}, IP = %{source.address}, %{event.reason} (msgid=%{event.id})"
- - dissect:
- if: "ctx._temp_.cisco.message_id == '713202'"
- field: "message"
- pattern: "IP = %{source.address}, %{event.reason}. %{} packet."
- - grok:
- if: "ctx._temp_.cisco.message_id == '716039'"
- field: "message"
- patterns:
- - "Authentication: rejected, group = %{NOTSPACE:source.user.group.name} user = %{USER:source.user.name} , Session Type: %{NOTSPACE:_temp_.cisco.session_type}"
- - "Group <%{NOTSPACE:source.user.group.name}> User <%{USER:source.user.name}> IP <%{IP:source.address}> Authentication: rejected, Session Type: %{NOTSPACE:_temp_.cisco.session_type}\\."
- - dissect:
- if: "ctx._temp_.cisco.message_id == '750003'"
- field: "message"
- pattern: "Local:%{source.address}:%{source.port} Remote:%{destination.address}:%{destination.port} Username:%{user.name} %{event.reason} ERROR:%{+event.reason}"
- - grok:
- if: '["713905", "713904", "713906", "713902", "713901"].contains(ctx._temp_.cisco.message_id)'
- field: "message"
- patterns:
- - "^(Group = %{IP}, )?(IP = %{IP:source.address}, )?%{GREEDYDATA:event.reason}$"
- # Handle ecs action outcome protocol
- - set:
- if: '["434002", "434004"].contains(ctx._temp_.cisco.message_id)'
- field: "event.outcome"
- value: "unknown"
- - set:
- if: '["419002"].contains(ctx._temp_.cisco.message_id)'
- field: "network.protocol"
- value: "tcp"
- - set:
- if: '["110002"].contains(ctx._temp_.cisco.message_id)'
- field: "event.outcome"
- value: "dropped"
- - set:
- if: '["713120"].contains(ctx._temp_.cisco.message_id)'
- field: "event.outcome"
- value: "success"
- - set:
- if: '["113004", "113012"].contains(ctx._temp_.cisco.message_id)'
-
field: "event.outcome"
- value: "success"
- - set:
- if: '["113002", "113005", "113021"].contains(ctx._temp_.cisco.message_id)'
- field: "event.outcome"
- value: "failure"
- - set:
- if: '["602303", "602304", "611101"].contains(ctx._temp_.cisco.message_id)'
- field: "event.outcome"
- value: "success"
- - set:
- if: '["605004", "611102"].contains(ctx._temp_.cisco.message_id)'
- field: "event.outcome"
- value: "failure"
- - set:
- if: '["734001"].contains(ctx._temp_.cisco.message_id)'
- field: "event.outcome"
- value: "success"
- - set:
- if: '["716039"].contains(ctx._temp_.cisco.message_id)'
- field: "event.outcome"
- value: "failure"
- - set:
- if: '["710005"].contains(ctx._temp_.cisco.message_id)'
- field: "event.outcome"
- value: "dropped"
- - set:
- if: '["713901", "713902", "713903", "713904", "713905"].contains(ctx._temp_.cisco.message_id)'
- field: "event.outcome"
- value: "failure"
- - set:
- if: '["113039"].contains(ctx._temp_.cisco.message_id)'
- field: "event.action"
- value: "client-vpn-connected"
- - set:
- if: '["113029","113030","113031","113032","113033","113034","113035","113036","113037","113038"].contains(ctx._temp_.cisco.message_id)'
- field: "event.action"
- value: "client-vpn-error"
- - set:
- if: '["113040"].contains(ctx._temp_.cisco.message_id)'
- field: "event.action"
- value: "client-vpn-disconnected"
- - set:
- if: '["750002", "750003"].contains(ctx._temp_.cisco.message_id)'
- field: "event.action"
- value: "connection-started"
- - set:
- if: '["750003", "713905", "713904", "713906", "713902", "713901"].contains(ctx._temp_.cisco.message_id)'
- field: "event.action"
- value: "error"
- - set:
- if: '["113005", "113021", "605004", "611102", "716039"].contains(ctx._temp_.cisco.message_id)'
- field: "event.action"
- value: "logon-failed"
- - set:
- if: '["113004", "113012", "611101", "734001"].contains(ctx._temp_.cisco.message_id)'
- field: "event.action"
- value: "logged-in"
- - append:
- if: '["750003", "713905", "713904", "713906", "713902",
"713901"].contains(ctx._temp_.cisco.message_id)' - field: "event.type" - value: "error" - - # - # Handle 302xxx messages (Flow expiration a.k.a "Teardown") - # - - set: - if: '["305012", "302014", "302016", "302018", "302021", "302036", "302304", "302306", "609001", "609002"].contains(ctx._temp_.cisco.message_id)' - field: "event.action" - value: "flow-expiration" - description: "305012, 302014, 302016, 302018, 302021, 302036, 302304, 302306, 609001, 609002" - - grok: - field: "message" - if: '["302014", "302016", "302018", "302021", "302036", "302304", "302306"].contains(ctx._temp_.cisco.message_id)' - description: "302014, 302016, 302018, 302021, 302036, 302304, 302306" - patterns: - - ^Teardown %{NOTSPACE:network.transport} (?:state-bypass )?connection %{NOTSPACE:_temp_.cisco.connection_id} (?:for|from) %{NOTCOLON:_temp_.cisco.source_interface}:%{DATA:source.address}/%{NUMBER:source.port:int}\s*(?:\(?%{CISCO_USER:_temp_.cisco.source_username}\)? )?to %{NOTCOLON:_temp_.cisco.destination_interface}:%{DATA:destination.address}/%{NUMBER:destination.port:int}\s*(?:\(?%{CISCO_USER:_temp_.cisco.destination_username}\)? )?duration (?:%{DURATION:_temp_.duration_hms} bytes %{NUMBER:network.bytes}) %{NOTCOLON:event.reason} from %{NOTCOLON:_temp_.cisco.termination_initiator} \(%{CISCO_USER:_temp_.cisco.termination_user}\) - - ^Teardown %{NOTSPACE:network.transport} (?:state-bypass )?connection %{NOTSPACE:_temp_.cisco.connection_id} (?:for|from) %{NOTCOLON:_temp_.cisco.source_interface}:%{DATA:source.address}/%{NUMBER:source.port:int}\s*(?:\(?%{CISCO_USER:_temp_.cisco.source_username}\)? )?to %{NOTCOLON:_temp_.cisco.destination_interface}:%{DATA:destination.address}/%{NUMBER:destination.port:int}\s*(?:\(?%{CISCO_USER:_temp_.cisco.destination_username}\)? 
)?duration (?:%{DURATION:_temp_.duration_hms} bytes %{NUMBER:network.bytes}) %{NOTCOLON:event.reason} from %{NOTCOLON:_temp_.cisco.termination_initiator} - - ^Teardown %{NOTSPACE:network.transport} (?:state-bypass )?connection %{NOTSPACE:_temp_.cisco.connection_id} (?:for|from) %{NOTCOLON:_temp_.cisco.source_interface}:%{DATA:source.address}/%{NUMBER:source.port:int}\s*(?:\(?%{CISCO_USER:_temp_.cisco.source_username}\)? )?to %{NOTCOLON:_temp_.cisco.destination_interface}:%{DATA:destination.address}/%{NUMBER:destination.port:int}\s*(?:\(?%{CISCO_USER:_temp_.cisco.destination_username}\)? )?duration (?:%{DURATION:_temp_.duration_hms} bytes %{NUMBER:network.bytes}) %{NOTCOLON:event.reason} \(%{CISCO_USER:_temp_.cisco.termination_user}\) - - ^Teardown %{NOTSPACE:network.transport} (?:state-bypass )?connection %{NOTSPACE:_temp_.cisco.connection_id} (?:for|from) %{NOTCOLON:_temp_.cisco.source_interface}:%{DATA:source.address}/%{NUMBER:source.port:int}\s*(?:\(?%{CISCO_USER:_temp_.cisco.source_username}\)? )?to %{NOTCOLON:_temp_.cisco.destination_interface}:%{DATA:destination.address}/%{NUMBER:destination.port:int}\s*(?:\(?%{CISCO_USER:_temp_.cisco.destination_username}\)? )?duration (?:%{DURATION:_temp_.duration_hms} bytes %{NUMBER:network.bytes}) \(%{CISCO_USER:_temp_.cisco.termination_user}\) - - ^Teardown %{NOTSPACE:network.transport} (?:state-bypass )?connection %{NOTSPACE:_temp_.cisco.connection_id} (?:for|from) %{NOTCOLON:_temp_.cisco.source_interface}:%{DATA:source.address}/%{NUMBER:source.port:int}\s*(?:\(?%{CISCO_USER:_temp_.cisco.source_username}\)? )?to %{NOTCOLON:_temp_.cisco.destination_interface}:%{DATA:destination.address}/%{NUMBER:destination.port:int}\s*(?:\(?%{CISCO_USER:_temp_.cisco.destination_username}\)? 
)?duration (?:%{DURATION:_temp_.duration_hms} bytes %{NUMBER:network.bytes}) %{NOTCOLON:event.reason} - - ^Teardown %{NOTSPACE:network.transport} (?:state-bypass )?connection %{NOTSPACE:_temp_.cisco.connection_id} (?:for|from) %{NOTCOLON:_temp_.cisco.source_interface}:%{DATA:source.address}/%{NUMBER:source.port:int}\s*(?:\(?%{CISCO_USER:_temp_.cisco.source_username}\)? )?to %{NOTCOLON:_temp_.cisco.destination_interface}:%{DATA:destination.address}/%{NUMBER:destination.port:int}\s*(?:\(?%{CISCO_USER:_temp_.cisco.destination_username}\)? )?duration (?:%{DURATION:_temp_.duration_hms} bytes %{NUMBER:network.bytes}) - - ^Teardown %{NOTSPACE:network.transport} connection for faddr (?:%{NOTCOLON:_temp_.cisco.source_interface}:)?%{ECSDESTIPORHOST}/%{NUMBER}\s*(?:\(?%{CISCO_USER:_temp_.cisco.destination_username}\)? )?gaddr (?:%{NOTCOLON}:)?%{MAPPEDSRC}/%{NUMBER} laddr (?:%{NOTCOLON:_temp_.cisco.source_interface}:)?%{ECSSOURCEIPORHOST}/%{NUMBER}\s*(?:\(%{CISCO_USER:_temp_.cisco.source_username}\))?(\s*type %{NUMBER:_temp_.cisco.icmp_type} code %{NUMBER:_temp_.cisco.icmp_code})? - pattern_definitions: - HOSTNAME: "\\b(?:[0-9A-Za-z][0-9A-Za-z-_]{0,62})(?:\\.(?:[0-9A-Za-z][0-9A-Za-z-_]{0,62}))*(\\.?|\\b)" - IPORHOST: "(?:%{IP}|%{HOSTNAME})" - NOTCOLON: "[^:]*" - ECSSOURCEIPORHOST: "(?:%{IP:source.address}|%{HOSTNAME:source.domain})" - ECSDESTIPORHOST: "(?:%{IP:destination.address}|%{HOSTNAME:destination.domain})" - MAPPEDSRC: "(?:%{IPORHOST:_temp_.natsrcip}|%{HOSTNAME})" - DURATION: "%{INT}:%{MINUTE}:%{SECOND}" - CISCO_USER: ((LOCAL\\)?(%{HOSTNAME}\\)?%{USERNAME}(@%{HOSTNAME})?(, *%{NUMBER})?) - - # - # Decode FTD's Security Event Syslog Messages - # - # 43000x messages are security event syslog messages specific to FTD. - # Format is a comma-separated sequence of key: value pairs. 
- # - # The result of this decoding is saved as _temp_.orig_security.{Key}: {Value} - - kv: - if: '["430001", "430002", "430003", "430004", "430005", ""].contains(ctx._temp_.cisco.message_id)' - field: "message" - description: "430001, 430002, 430003, 430004, 430005" - field_split: ",(?=[A-za-z1-9\\s]+:)" - value_split: ":" - target_field: "_temp_.orig_security" - trim_key: " " - trim_value: " " - ignore_failure: true - - # - # Remove _temp_.full_message. - # - # The field has been used as temporary buffer while decoding. The full message - # is kept under event.original. Processors below can still add a message field, as some - # security events contain an explanatory Message field. - - remove: - field: - - message - - _temp_.full_message - ignore_missing: true - - # - # Populate ECS fields from Security Events - # - # This script uses the key-value pairs from Security Events to populate - # the appropriate ECS fields. - # - # A single key can be mapped to multiple ECS fields, and more than one key can - # map to the same ECS field, which results in an array being created. - # - # This script performs an additional job: - # - # Before FTD version 6.3, the message_id was not included in Security Events. - # As this field encodes the kind of event (intrusion, connection, malware...) - # the script below will guess the right message_id from the keys present in - # the event. - # - # The reason for overloading this script with different behaviors is - # that this pipeline is already reaching the limit on script compilations. - # - #******************************************************************************* - # Code generated by go generate. DO NOT EDIT. 
- #******************************************************************************* - - script: - if: ctx._temp_?.orig_security != null - params: - ACPolicy: - target: ac_policy - id: ["430001", "430002", "430003"] - ecs: [_temp_.cisco.rule_name] - AccessControlRuleAction: - target: access_control_rule_action - id: ["430002", "430003"] - ecs: [event.outcome] - AccessControlRuleName: - target: access_control_rule_name - id: ["430002", "430003"] - ecs: [_temp_.cisco.rule_name] - AccessControlRuleReason: - target: access_control_rule_reason - id: ["430002", "430003"] - ApplicationProtocol: - target: application_protocol - ecs: [network.protocol] - ArchiveDepth: - target: archive_depth - id: ["430004", "430005"] - ArchiveFileName: - target: archive_file_name - id: ["430004", "430005"] - ecs: [file.name] - ArchiveFileStatus: - target: archive_file_status - id: ["430004", "430005"] - ArchiveSHA256: - target: archive_sha256 - id: ["430004", "430005"] - ecs: [file.hash.sha256] - Classification: - target: classification - id: ["430001"] - Client: - target: client - ecs: [network.application] - ClientVersion: - target: client_version - id: ["430002", "430003"] - ConnectionDuration: - target: connection_duration - id: ["430003"] - ecs: [event.duration] - DNS_Sinkhole: - target: dns_sinkhole - id: ["430002", "430003"] - DNS_TTL: - target: dns_ttl - id: ["430002", "430003"] - DNSQuery: - target: dns_query - id: ["430002", "430003"] - ecs: [dns.question.name] - DNSRecordType: - target: dns_record_type - id: ["430002", "430003"] - ecs: [dns.question.type] - DNSResponseType: - target: dns_response_type - id: ["430002", "430003"] - ecs: [dns.response_code] - DNSSICategory: - target: dnssi_category - id: ["430002", "430003"] - DstIP: - target: dst_ip - ecs: [destination.address] - DstPort: - target: dst_port - ecs: [destination.port] - EgressInterface: - target: egress_interface - id: ["430001", "430002", "430003"] - ecs: [_temp_.cisco.destination_interface] - EgressZone: - target: 
egress_zone - id: ["430001", "430002", "430003"] - Endpoint Profile: - target: endpoint_profile - id: ["430002", "430003"] - FileAction: - target: file_action - id: ["430004", "430005"] - FileCount: - target: file_count - id: ["430002", "430003"] - FileDirection: - target: file_direction - id: ["430004", "430005"] - FileName: - target: file_name - id: ["430004", "430005"] - ecs: [file.name] - FilePolicy: - target: file_policy - id: ["430004", "430005"] - ecs: [_temp_.cisco.rule_name] - FileSHA256: - target: file_sha256 - id: ["430004", "430005"] - ecs: [file.hash.sha256] - FileSandboxStatus: - target: file_sandbox_status - id: ["430004", "430005"] - FileSize: - target: file_size - id: ["430004", "430005"] - ecs: [file.size] - FileStorageStatus: - target: file_storage_status - id: ["430004", "430005"] - FileType: - target: file_type - id: ["430004", "430005"] - FirstPacketSecond: - target: first_packet_second - id: ["430004", "430005"] - ecs: [event.start] - GID: - target: gid - id: ["430001"] - ecs: [service.id] - HTTPReferer: - target: http_referer - id: ["430002", "430003"] - ecs: [http.request.referrer] - HTTPResponse: - target: http_response - id: ["430001", "430002", "430003"] - ecs: [http.response.status_code] - ICMPCode: - target: icmp_code - id: ["430001", "430002", "430003"] - ICMPType: - target: icmp_type - id: ["430001", "430002", "430003"] - IPReputationSICategory: - target: ip_reputation_si_category - id: ["430002", "430003"] - IPSCount: - target: ips_count - id: ["430002", "430003"] - IngressInterface: - target: ingress_interface - id: ["430001", "430002", "430003"] - ecs: [_temp_.cisco.source_interface] - IngressZone: - target: ingress_zone - id: ["430001", "430002", "430003"] - InitiatorBytes: - target: initiator_bytes - id: ["430003"] - ecs: [source.bytes] - InitiatorPackets: - target: initiator_packets - id: ["430003"] - ecs: [source.packets] - InlineResult: - target: inline_result - id: ["430001"] - ecs: [event.outcome] - IntrusionPolicy: - 
target: intrusion_policy - id: ["430001"] - ecs: [_temp_.cisco.rule_name] - MPLS_Label: - target: mpls_label - id: ["430001"] - Message: - target: message - id: ["430001"] - ecs: [message] - NAPPolicy: - target: nap_policy - id: ["430001", "430002", "430003"] - NetBIOSDomain: - target: net_bios_domain - id: ["430002", "430003"] - ecs: [host.hostname] - NumIOC: - target: num_ioc - id: ["430001"] - Prefilter Policy: - target: prefilter_policy - id: ["430002", "430003"] - Priority: - target: priority - id: ["430001"] - Protocol: - target: protocol - ecs: [network.transport] - ReferencedHost: - target: referenced_host - id: ["430002", "430003"] - ecs: [url.domain] - ResponderBytes: - target: responder_bytes - id: ["430003"] - ecs: [destination.bytes] - ResponderPackets: - target: responder_packets - id: ["430003"] - ecs: [destination.packets] - Revision: - target: revision - id: ["430001"] - SHA_Disposition: - target: sha_disposition - id: ["430004", "430005"] - SID: - target: sid - id: ["430001"] - SSLActualAction: - target: ssl_actual_action - ecs: [event.outcome] - SSLCertificate: - target: ssl_certificate - id: ["430002", "430003", "430004", "430005"] - SSLExpectedAction: - target: ssl_expected_action - id: ["430002", "430003"] - SSLFlowStatus: - target: ssl_flow_status - id: ["430002", "430003", "430004", "430005"] - SSLPolicy: - target: ssl_policy - id: ["430002", "430003"] - SSLRuleName: - target: ssl_rule_name - id: ["430002", "430003"] - SSLServerCertStatus: - target: ssl_server_cert_status - id: ["430002", "430003"] - SSLServerName: - target: ssl_server_name - id: ["430002", "430003"] - ecs: [server.domain] - SSLSessionID: - target: ssl_session_id - id: ["430002", "430003"] - SSLTicketID: - target: ssl_ticket_id - id: ["430002", "430003"] - SSLURLCategory: - target: sslurl_category - id: ["430002", "430003"] - SSLVersion: - target: ssl_version - id: ["430002", "430003"] - SSSLCipherSuite: - target: sssl_cipher_suite - id: ["430002", "430003"] - 
SecIntMatchingIP: - target: sec_int_matching_ip - id: ["430002", "430003"] - Security Group: - target: security_group - id: ["430002", "430003"] - SperoDisposition: - target: spero_disposition - id: ["430004", "430005"] - SrcIP: - target: src_ip - ecs: [source.address] - SrcPort: - target: src_port - ecs: [source.port] - TCPFlags: - target: tcp_flags - id: ["430002", "430003"] - ThreatName: - target: threat_name - id: ["430005"] - ecs: [_temp_.cisco.threat_category] - ThreatScore: - target: threat_score - id: ["430005"] - ecs: [_temp_.cisco.threat_level] - Tunnel or Prefilter Rule: - target: tunnel_or_prefilter_rule - id: ["430002", "430003"] - URI: - target: uri - id: ["430004", "430005"] - ecs: [url.original] - URL: - target: url - id: ["430002", "430003"] - ecs: [url.original] - URLCategory: - target: url_category - id: ["430002", "430003"] - URLReputation: - target: url_reputation - id: ["430002", "430003"] - URLSICategory: - target: urlsi_category - id: ["430002", "430003"] - User: - target: user - ecs: [user.id, user.name] - UserAgent: - target: user_agent - id: ["430002", "430003"] - ecs: [user_agent.original] - VLAN_ID: - target: vlan_id - id: ["430001", "430002", "430003"] - WebApplication: - target: web_application - ecs: [network.application] - originalClientSrcIP: - target: original_client_src_ip - id: ["430002", "430003"] - ecs: [client.address] - lang: painless - source: | - boolean isEmpty(def value) { - return (value instanceof AbstractList? value.size() : value.length()) == 0; - } - def appendOrCreate(Map dest, String[] path, def value) { - for (int i=0; i new HashMap()); - } - String key = path[path.length - 1]; - def existing = dest.get(key); - return existing == null? - dest.put(key, value) - : existing instanceof AbstractList? 
- existing.add(value) - : dest.put(key, new ArrayList([existing, value])); - } - def msg = ctx._temp_.orig_security; - def counters = new HashMap(); - def dest = new HashMap(); - ctx._temp_.cisco['security'] = dest; - for (entry in msg.entrySet()) { - def param = params.get(entry.getKey()); - if (param == null) { - continue; - } - param.getOrDefault('id', []).forEach( id -> counters[id] = 1 + counters.getOrDefault(id, 0) ); - if (!isEmpty(entry.getValue())) { - param.getOrDefault('ecs', []).forEach( field -> appendOrCreate(ctx, field.splitOnToken('.'), entry.getValue()) ); - dest[param.target] = entry.getValue(); - } - } - if (ctx._temp_.cisco.message_id != "") return; - def best; - for (entry in counters.entrySet()) { - if (best == null || best.getValue() < entry.getValue()) best = entry; - } - if (best != null) ctx._temp_.cisco.message_id = best.getKey(); - #******************************************************************************* - # End of generated code. - #******************************************************************************* - - # - # Normalize ECS field values - # - - script: - lang: painless - params: - "ctx._temp_.cisco.message_id": - target: event.action - map: - "430001": intrusion-detected - "430002": connection-started - "430003": connection-finished - "430004": file-detected - "430005": malware-detected - "dns.question.type": - map: - "a host address": A - "ip6 address": AAAA - "text strings": TXT - "a domain name pointer": PTR - "an authoritative name server": NS - "the canonical name for an alias": CNAME - "marks the start of a zone of authority": SOA - "mail exchange": MX - "server selection": SRV - "dns.response_code": - map: - "non-existent domain": NXDOMAIN - "server failure": SERVFAIL - "query refused": REFUSED - "no error": NOERROR - source: | - def getField(Map src, String[] path) { - for (int i=0; i new HashMap()); - } - dest[path[path.length-1]] = value; - } - for (entry in params.entrySet()) { - def srcField = 
entry.getKey(); - def param = entry.getValue(); - String oldVal = getField(ctx, srcField.splitOnToken('.')); - if (oldVal == null) continue; - def newVal = param.map?.getOrDefault(oldVal.toLowerCase(), null); - if (newVal != null) { - def dstField = param.getOrDefault('target', srcField); - setField(ctx, dstField.splitOnToken('.'), newVal); - } - } - - set: - if: "ctx.dns?.question?.type != null && ctx.dns?.response_code == null" - field: dns.response_code - value: NOERROR - - set: - if: 'ctx._temp_.cisco.message_id == "430001"' - field: event.action - value: intrusion-detected - - set: - if: 'ctx._temp_.cisco.message_id == "430002"' - field: event.action - value: connection-started - - set: - if: 'ctx._temp_.cisco.message_id == "430003"' - field: event.action - value: connection-finished - - set: - if: 'ctx._temp_.cisco.message_id == "430004"' - field: event.action - value: file-detected - - set: - if: 'ctx._temp_.cisco.message_id == "430005"' - field: event.action - value: malware-detected - - # - # Handle event.duration - # - # It can be set from ConnectionDuration FTD field above. This field holds - # seconds as a string. Copy it to _temp_.duration_hms so that the following - # processor converts it to the right value and populates start and end. 
- - set: - field: "_temp_.duration_hms" - value: "{{event.duration}}" - ignore_empty_value: true - - # - # Process the flow duration "hh:mm:ss" present in some messages - # This will fill event.start, event.end and event.duration - # - - script: - lang: painless - if: "ctx?._temp_?.duration_hms != null" - source: > - long parse_hms(String s) { - long cur = 0, total = 0; - for (char c: s.toCharArray()) { - if (c >= (char)'0' && c <= (char)'9') { - cur = (cur*10) + (long)c - (char)'0'; - } else if (c == (char)':') { - total = (total + cur) * 60; - cur = 0; - } else if (c != (char)'h' && c == (char)'m' && c == (char)'s') { - return 0; - } - } - return total + cur; - } - if (ctx?.event == null) { - ctx['event'] = new HashMap(); - } - String end = ctx['@timestamp']; - ctx.event['end'] = end; - long nanos = parse_hms(ctx._temp_.duration_hms) * 1000000000L; - ctx.event['duration'] = nanos; - ctx.event['start'] = ZonedDateTime.ofInstant( - Instant.parse(end).minusNanos(nanos), - ZoneOffset.UTC); - # - # Parse Source/Dest Username/Domain - # - - grok: - field: "_temp_.cisco.source_username" - if: 'ctx?._temp_?.cisco?.source_username != null' - ignore_failure: true - patterns: - - '%{CISCO_DOMAIN_USER:_temp_.cisco.source_username}%{CISCO_SGT}' - pattern_definitions: - CISCO_DOMAIN_USER: (%{CISCO_DOMAIN})?%{CISCO_USER} - CISCO_SGT: (, *%{NUMBER:_temp_.cisco.source_user_security_group_tag})? - CISCO_USER: "%{USERNAME}(@%{HOSTNAME})?" - CISCO_DOMAIN: (LOCAL\\)?(%{HOSTNAME}\\)? - - convert: - field: _temp_.cisco.source_user_security_group_tag - type: long - ignore_missing: true - - grok: - field: "_temp_.cisco.destination_username" - if: 'ctx?._temp_?.cisco?.destination_username != null' - ignore_failure: true - patterns: - - '%{CISCO_DOMAIN_USER:_temp_.cisco.destination_username}%{CISCO_SGT}' - pattern_definitions: - CISCO_DOMAIN_USER: (%{CISCO_DOMAIN})?%{CISCO_USER} - CISCO_SGT: (, *%{NUMBER:_temp_.cisco.destination_user_security_group_tag})? 
- CISCO_USER: "%{USERNAME}(@%{HOSTNAME})?" - CISCO_DOMAIN: (LOCAL\\)?(%{HOSTNAME}\\)? - - convert: - field: _temp_.cisco.destination_user_security_group_tag - type: long - ignore_missing: true - - set: - field: source.user.name - value: "{{{ _temp_.cisco.source_username }}}" - if: 'ctx?.source?.user?.name == null && ctx?._temp_?.cisco?.source_username != null' - - set: - field: destination.user.name - value: "{{{ _temp_.cisco.destination_username }}}" - if: 'ctx?.destination?.user?.name == null && ctx?._temp_?.cisco?.destination_username != null' - - grok: - field: "source.user.name" - if: 'ctx?.source?.user?.name != null' - ignore_failure: true - patterns: - - (%{CISCO_DOMAIN})?%{CISCO_USER} - pattern_definitions: - CISCO_USER: "%{USERNAME:source.user.name}(@%{HOSTNAME:source.user.domain})?" - CISCO_DOMAIN: (LOCAL\\)?(%{HOSTNAME:source.user.domain}\\)? - - grok: - field: "destination.user.name" - if: 'ctx?.destination?.user?.name != null' - ignore_failure: true - patterns: - - (%{CISCO_DOMAIN})?%{CISCO_USER} - pattern_definitions: - CISCO_USER: "%{USERNAME:destination.user.name}(@%{HOSTNAME:destination.user.domain})?" - CISCO_DOMAIN: (LOCAL\\)?(%{HOSTNAME:destination.user.domain}\\)? - - # - # Normalize protocol names - # - - lowercase: - field: "network.transport" - ignore_failure: true - - lowercase: - field: "network.protocol" - ignore_failure: true - - lowercase: - field: "network.application" - ignore_failure: true - - lowercase: - field: "file.type" - ignore_failure: true - - lowercase: - field: "network.direction" - ignore_failure: true - - lowercase: - field: "network.type" - ignore_failure: true - # - # Populate network.iana_number from network.transport. Also does reverse - # mapping in case network.transport contains the iana_number. 
- # - - script: - if: "ctx?.network?.transport != null" - lang: painless - params: - icmp: 1 - igmp: 2 - ipv4: 4 - tcp: 6 - egp: 8 - igp: 9 - pup: 12 - udp: 17 - rdp: 27 - irtp: 28 - dccp: 33 - idpr: 35 - ipv6: 41 - ipv6-route: 43 - ipv6-frag: 44 - rsvp: 46 - gre: 47 - esp: 50 - ipv6-icmp: 58 - ipv6-nonxt: 59 - ipv6-opts: 60 - source: > - def net = ctx.network; - def iana = params[net.transport]; - if (iana != null) { - net['iana_number'] = iana; - return; - } - def reverse = new HashMap(); - def[] arr = new def[] { null }; - for (entry in params.entrySet()) { - arr[0] = entry.getValue(); - reverse.put(String.format("%d", arr), entry.getKey()); - } - def trans = reverse[net.transport]; - if (trans != null) { - net['iana_number'] = net.transport; - net['transport'] = trans; - } - # - # Normalize event.outcome - # - - lowercase: - field: "event.outcome" - ignore_missing: true - - set: - field: "event.outcome" - if: 'ctx.event?.outcome == "est-allowed"' - value: "allowed" - - set: - field: "event.outcome" - if: 'ctx.event?.outcome == "permitted"' - value: "allowed" - - set: - field: "event.outcome" - if: 'ctx.event?.outcome == "allow"' - value: allowed - - set: - field: "event.outcome" - if: 'ctx.event?.outcome == "deny"' - value: denied - - set: - field: "network.transport" - if: 'ctx.network?.transport == "icmpv6"' - value: "ipv6-icmp" - # - # Convert numeric fields to integer or long, as output of dissect and kv processors is always a string - # - - convert: - field: source.port - type: integer - ignore_failure: true - ignore_missing: true - - convert: - field: destination.port - type: integer - ignore_failure: true - ignore_missing: true - - convert: - field: source.bytes - type: long - ignore_failure: true - ignore_missing: true - - convert: - field: destination.bytes - type: long - ignore_failure: true - ignore_missing: true - - convert: - field: network.bytes - type: long - ignore_failure: true - ignore_missing: true - - convert: - field: source.packets - type: 
integer - ignore_failure: true - ignore_missing: true - - convert: - field: destination.packets - type: integer - ignore_failure: true - ignore_missing: true - - convert: - field: _temp_.cisco.mapped_source_port - type: integer - ignore_failure: true - ignore_missing: true - - convert: - field: _temp_.cisco.mapped_destination_port - type: integer - ignore_failure: true - ignore_missing: true - - convert: - field: _temp_.cisco.icmp_code - type: integer - ignore_failure: true - ignore_missing: true - - convert: - field: _temp_.cisco.icmp_type - type: integer - ignore_failure: true - ignore_missing: true - - convert: - field: http.response.status_code - type: integer - ignore_failure: true - - convert: - field: file.size - type: integer - ignore_failure: true - - convert: - field: network.iana_number - type: string - ignore_failure: true - ignore_missing: true - - convert: - field: sip.to.uri.port - type: integer - ignore_failure: true - # - # Assign ECS .ip fields from .address is a valid IP address is found, - # otherwise set .domain field. 
- # - - grok: - field: source.address - patterns: - - "^(?:%{IP:source.ip}|%{GREEDYDATA:source.domain})$" - ignore_failure: true - - grok: - field: destination.address - patterns: - - "^(?:%{IP:destination.ip}|%{GREEDYDATA:destination.domain})$" - ignore_failure: true - - grok: - field: client.address - patterns: - - "^(?:%{IP:client.ip}|%{GREEDYDATA:client.domain})$" - ignore_failure: true - - grok: - field: server.address - patterns: - - "^(?:%{IP:server.ip}|%{GREEDYDATA:server.domain})$" - ignore_failure: true - # - # Geolocation for source and destination addresses - # - - geoip: - field: "source.ip" - target_field: "source.geo" - ignore_missing: true - - geoip: - field: "destination.ip" - target_field: "destination.geo" - ignore_missing: true - # - # IP Autonomous System (AS) Lookup - # - - geoip: - database_file: GeoLite2-ASN.mmdb - field: source.ip - target_field: source.as - properties: - - asn - - organization_name - ignore_missing: true - - geoip: - database_file: GeoLite2-ASN.mmdb - field: destination.ip - target_field: destination.as - properties: - - asn - - organization_name - ignore_missing: true - - rename: - field: source.as.asn - target_field: source.as.number - ignore_missing: true - - rename: - field: source.as.organization_name - target_field: source.as.organization.name - ignore_missing: true - - rename: - field: destination.as.asn - target_field: destination.as.number - ignore_missing: true - - rename: - field: destination.as.organization_name - target_field: destination.as.organization.name - ignore_missing: true - # - # Set mapped_{src|dst}_ip fields only if they consist of a valid IP address. 
- # - - grok: - field: _temp_.natsrcip - patterns: - - "^(?:%{IP:_temp_.cisco.mapped_source_ip}|%{GREEDYDATA:_temp_.cisco.mapped_source_host})$" - ignore_failure: true - - grok: - field: _temp_.natdstip - patterns: - - "^(?:%{IP:_temp_.cisco.mapped_destination_ip}|%{GREEDYDATA:_temp_.cisco.mapped_destination_host})$" - ignore_failure: true - # - # NAT fields - # - # The firewall always populates mapped ip and port even if there was no NAT. - # This populates both nat.ip and nat.port only when some translation is done. - # Fills nat.ip and nat.port even when only the ip or port changed. - - set: - field: source.nat.ip - value: "{{_temp_.cisco.mapped_source_ip}}" - if: "ctx?._temp_?.cisco?.mapped_source_ip != ctx?.source?.ip" - ignore_empty_value: true - - convert: - field: source.nat.ip - type: ip - ignore_missing: true - - set: - field: source.nat.port - value: "{{_temp_.cisco.mapped_source_port}}" - if: "ctx?._temp_?.cisco?.mapped_source_port != ctx?.source?.port" - ignore_empty_value: true - - convert: - field: source.nat.port - type: long - ignore_missing: true - - set: - field: destination.nat.ip - value: "{{_temp_.cisco.mapped_destination_ip}}" - if: "ctx?._temp_?.cisco.mapped_destination_ip != ctx?.destination?.ip" - ignore_empty_value: true - - convert: - field: destination.nat.ip - type: ip - ignore_missing: true - - set: - field: destination.nat.port - value: "{{_temp_.cisco.mapped_destination_port}}" - if: "ctx?._temp_?.cisco?.mapped_destination_port != ctx?.destination?.port" - ignore_empty_value: true - - convert: - field: destination.nat.port - type: long - ignore_missing: true - # - # Zone-based Network Directionality - # - # If external and internal zones are specified and our ingress/egress zones are - # populated, then we can classify traffic directionality based off of our defined - # zones rather than the logs. 
- - set: - field: network.direction - value: inbound - if: > - ctx?._temp_?.external_zones != null && - ctx?._temp_?.internal_zones != null && - ctx?.observer?.ingress?.zone != null && - ctx?.observer?.egress?.zone != null && - ctx._temp_.external_zones.contains(ctx.observer.ingress.zone) && - ctx._temp_.internal_zones.contains(ctx.observer.egress.zone) - - set: - field: network.direction - value: outbound - if: > - ctx?._temp_?.external_zones != null && - ctx?._temp_?.internal_zones != null && - ctx?.observer?.ingress?.zone != null && - ctx?.observer?.egress?.zone != null && - ctx._temp_.external_zones.contains(ctx.observer.egress.zone) && - ctx._temp_.internal_zones.contains(ctx.observer.ingress.zone) - - set: - field: network.direction - value: internal - if: > - ctx?._temp_?.external_zones != null && - ctx?._temp_?.internal_zones != null && - ctx?.observer?.ingress?.zone != null && - ctx?.observer?.egress?.zone != null && - ctx._temp_.internal_zones.contains(ctx.observer.egress.zone) && - ctx._temp_.internal_zones.contains(ctx.observer.ingress.zone) - - set: - field: network.direction - value: external - if: > - ctx?._temp_?.external_zones != null && - ctx?._temp_?.internal_zones != null && - ctx?.observer?.ingress?.zone != null && - ctx?.observer?.egress?.zone != null && - ctx._temp_.external_zones.contains(ctx.observer.egress.zone) && - ctx._temp_.external_zones.contains(ctx.observer.ingress.zone) - - set: - field: network.direction - value: unknown - if: > - ctx?._temp_?.external_zones != null && - ctx?._temp_?.internal_zones != null && - ctx?.observer?.egress?.zone != null && - ctx?.observer?.ingress?.zone != null && - ( - ( - !ctx._temp_.external_zones.contains(ctx.observer.egress.zone) && - !ctx._temp_.internal_zones.contains(ctx.observer.egress.zone) - ) || - ( - !ctx._temp_.external_zones.contains(ctx.observer.ingress.zone) && - !ctx._temp_.internal_zones.contains(ctx.observer.ingress.zone) - ) - ) - - - set: - field: _temp_.url_domain - value: 
"{{url.domain}}" - ignore_failure: true - if: ctx?.url?.domain != null - - - uri_parts: - field: url.original - ignore_failure: true - if: ctx?.url?.original != null - - append: - field: url.domain - value: "{{_temp_.url_domain}}" - ignore_failure: true - allow_duplicates: false - if: ctx?._temp_?.url_domain != null - - # - # Populate ECS event.code - # - - rename: - field: _temp_.cisco.message_id - target_field: event.code - ignore_failure: true - - remove: - field: - - _temp_.cisco.message_id - - event.code - if: 'ctx._temp_.cisco.message_id == ""' - ignore_failure: true - # - # Copy _temp_.cisco to its final destination, cisco.asa or cisco.ftd. - # - - rename: - field: _temp_.cisco - target_field: "cisco.asa" - ignore_failure: true - # - # Remove temporary fields - # - - remove: - field: _temp_ - ignore_missing: true - # - # Rename some 7.x fields - # - - rename: - field: cisco.asa.list_id - target_field: cisco.asa.rule_name - ignore_missing: true - # ECS categorization - - script: - lang: painless - params: - connection-finished: - kind: event - category: - - network - type: - - end - connection-started: - kind: event - category: - - network - type: - - start - file-detected: - kind: alert - category: - - malware - type: - - info - firewall-rule: - kind: event - category: - - network - type: [] - flow-creation: - kind: event - category: - - network - type: - - connection - - start - flow-expiration: - kind: event - category: - - network - type: - - connection - - end - intrusion-detected: - kind: alert - category: - - intrusion_detection - type: - - info - logged-in: - kind: event - category: - - authentication - - network - type: ['allowed', 'info'] - logon-failed: - kind: event - category: - - authentication - - network - type: ['denied', 'info'] - malware-detected: - kind: alert - category: - - malware - type: - - info - bypass: - kind: event - category: - - network - type: - - info - - change - error: - kind: event - outcome: failure - category: - - network 
- type: - - error - deleted: - kind: event - category: - - network - type: - - info - - deletion - - user - creation: - kind: event - category: - - network - type: - - info - - creation - - user - client-vpn-connected: - kind: event - category: - - network - - session - type: - - connection - - start - client-vpn-error: - kind: event - category: - - network - type: - - connection - - error - - denied - client-vpn-disconnected: - kind: event - category: - - network - type: - - connection - - end - source: >- - if (ctx?.event?.action == null || !params.containsKey(ctx.event.action)) { - return; - } - - ctx.event.kind = params.get(ctx.event.action).get('kind'); - ctx.event.category = params.get(ctx.event.action).get('category').clone(); - ctx.event.type = params.get(ctx.event.action).get('type').clone(); - if (ctx?.event?.outcome == null || (!ctx.event.category.contains('network') && !ctx.event.category.contains('intrusion_detection'))) { - if (ctx?.event?.action == 'firewall-rule') { - ctx.event.type.add('info'); - } else if (ctx?.event?.action.startsWith('connection-')) { - ctx.event.type.add('connection'); - } - return; - } - if (ctx.event.outcome == 'allowed') { - ctx.event.outcome = 'success'; - ctx.event.type.add('connection'); - ctx.event.type.add('allowed'); - } else if (ctx.event.outcome == 'denied' || ctx.event.outcome == 'block') { - ctx.event.outcome = 'success'; - ctx.event.type.add('connection'); - ctx.event.type.add('denied'); - } else if (ctx.event.outcome == 'dropped') { - ctx.event.outcome = 'failure'; - ctx.event.type.add('connection'); - ctx.event.type.add('denied'); - } else if (ctx?.event?.action == 'firewall-rule') { - ctx.event.type.add('info'); - } else if (ctx?.event?.action.startsWith('connection-')) { - ctx.event.type.add('connection'); - } - if (ctx.event.outcome == 'monitored') { - ctx.event.category.add('intrusion_detection'); - ctx.event.outcome = 'success'; - } - - - set: - description: copy destination.user.name to user.name if it is 
not set - field: user.name - value: "{{destination.user.name}}" - ignore_empty_value: true - if: ctx?.user?.name == null - - # Configures observer fields with a copy from cisco and host fields. Later on these might replace host.hostname. - - set: - field: observer.hostname - value: "{{ host.hostname }}" - ignore_empty_value: true - - set: - field: observer.vendor - value: "Cisco" - ignore_empty_value: true - - set: - field: observer.type - value: "firewall" - ignore_empty_value: true - - set: - field: observer.product - value: "asa" - ignore_empty_value: true - - set: - field: observer.egress.interface.name - value: "{{ cisco.asa.destination_interface }}" - ignore_empty_value: true - - set: - field: observer.ingress.interface.name - value: "{{ cisco.asa.source_interface }}" - ignore_empty_value: true - - append: - field: related.ip - value: "{{source.ip}}" - if: "ctx?.source?.ip != null" - allow_duplicates: false - - append: - field: related.ip - value: "{{source.nat.ip}}" - if: "ctx?.source?.nat?.ip != null" - allow_duplicates: false - - append: - field: related.ip - value: "{{destination.ip}}" - if: "ctx?.destination?.ip != null" - allow_duplicates: false - - append: - field: related.ip - value: "{{destination.nat.ip}}" - if: "ctx?.destination?.nat?.ip != null" - allow_duplicates: false - - append: - field: related.user - value: "{{{user.name}}}" - if: ctx?.user?.name != null && ctx?.user?.name != '' - allow_duplicates: false - - append: - field: related.user - value: "{{server.user.name}}" - if: ctx?.server?.user?.name != null && ctx?.server?.user?.name != '' - allow_duplicates: false - - append: - field: related.user - value: "{{{source.user.name}}}" - if: ctx?.source?.user?.name != null && ctx?.source?.user?.name != '' - allow_duplicates: false - - append: - field: related.user - value: "{{{destination.user.name}}}" - if: ctx?.destination?.user?.name != null && ctx?.destination?.user?.name != '' - allow_duplicates: false - - append: - field: related.hash - 
value: "{{file.hash.sha256}}" - if: "ctx?.file?.hash?.sha256 != null" - allow_duplicates: false - - append: - field: related.hosts - value: "{{host.hostname}}" - if: ctx.host?.hostname != null && ctx.host?.hostname != '' - allow_duplicates: false - - append: - field: related.hosts - value: "{{observer.hostname}}" - if: ctx.observer?.hostname != null && ctx.observer?.hostname != '' - allow_duplicates: false - - append: - field: related.hosts - value: "{{destination.domain}}" - if: ctx.destination?.domain != null && ctx.destination?.domain != '' - allow_duplicates: false - - append: - field: related.hosts - value: "{{source.domain}}" - if: ctx.source?.domain != null && ctx.source?.domain != '' - allow_duplicates: false - - append: - field: related.hosts - value: "{{source.user.domain}}" - if: ctx.source?.user?.domain != null && ctx.source?.user?.domain != '' - allow_duplicates: false - - append: - field: related.hosts - value: "{{destination.user.domain}}" - if: ctx.destination?.user?.domain != null && ctx.destination?.user?.domain != '' - allow_duplicates: false - - script: - lang: painless - description: This script processor iterates over the whole document to remove fields with null values. - source: | - void handleMap(Map map) { - for (def x : map.values()) { - if (x instanceof Map) { - handleMap(x); - } else if (x instanceof List) { - handleList(x); - } - } - map.values().removeIf(v -> v == null); - } - void handleList(List list) { - for (def x : list) { - if (x instanceof Map) { - handleMap(x); - } else if (x instanceof List) { - handleList(x); - } - } - } - handleMap(ctx); - - community_id: - ignore_missing: true - ignore_failure: true - - remove: - field: event.original - if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" - ignore_failure: true - ignore_missing: true -on_failure: - # Copy any fields under _temp_.cisco to its final destination. Those can help - # with diagnosing the failure. 
- - rename:
- field: _temp_.cisco
- target_field: "cisco.asa"
- ignore_failure: true
- # Remove _temp_ to avoid adding a lot of unnecessary fields to the index.
- - remove:
- field: _temp_
- ignore_missing: true
- - append:
- field: "error.message"
- value: "{{ _ingest.on_failure_message }}"
diff --git a/packages/cisco_asa/2.7.5/data_stream/log/fields/agent.yml b/packages/cisco_asa/2.7.5/data_stream/log/fields/agent.yml
deleted file mode 100755
index d38a70bd6b..0000000000
--- a/packages/cisco_asa/2.7.5/data_stream/log/fields/agent.yml
+++ /dev/null
@@ -1,207 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - -- name: input.type - type: keyword - description: Input type. 
-- name: log.offset
- type: long
- description: Offset of the entry in the log file.
-- name: log.source.address
- type: keyword
- description: Source address from which the log event was read / sent from.
diff --git a/packages/cisco_asa/2.7.5/data_stream/log/fields/base-fields.yml b/packages/cisco_asa/2.7.5/data_stream/log/fields/base-fields.yml
deleted file mode 100755
index efbed64fad..0000000000
--- a/packages/cisco_asa/2.7.5/data_stream/log/fields/base-fields.yml
+++ /dev/null
@@ -1,20 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: event.module
- type: constant_keyword
- description: Event module
- value: cisco_asa
-- name: event.dataset
- type: constant_keyword
- description: Event dataset
- value: cisco_asa.log
-- name: "@timestamp"
- type: date
- description: Event timestamp.
diff --git a/packages/cisco_asa/2.7.5/data_stream/log/fields/ecs.yml b/packages/cisco_asa/2.7.5/data_stream/log/fields/ecs.yml
deleted file mode 100755
index f962a622be..0000000000
--- a/packages/cisco_asa/2.7.5/data_stream/log/fields/ecs.yml
+++ /dev/null
@@ -1,520 +0,0 @@ -- description: |- - Date/time when the event originated. - This is the date/time extracted from the event, typically representing when the event was generated by the source. - If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. - Required field for all events. - name: '@timestamp' - type: date -- description: Short name or login of the user. - multi_fields: - - name: text - type: match_only_text - name: client.user.name - type: keyword -- description: |- - Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: destination.address - type: keyword -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: destination.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: destination.as.organization.name - type: keyword -- description: Bytes sent from the destination to the source. - name: destination.bytes - type: long -- description: |- - The domain name of the destination system. - This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. - name: destination.domain - type: keyword -- description: City name. - name: destination.geo.city_name - type: keyword -- description: Name of the continent. - name: destination.geo.continent_name - type: keyword -- description: Country ISO code. - name: destination.geo.country_iso_code - type: keyword -- description: Country name. - name: destination.geo.country_name - type: keyword -- description: Longitude and latitude. 
- name: destination.geo.location - type: geo_point -- description: Region ISO code. - name: destination.geo.region_iso_code - type: keyword -- description: Region name. - name: destination.geo.region_name - type: keyword -- description: IP address of the destination (IPv4 or IPv6). - name: destination.ip - type: ip -- description: |- - Translated ip of destination based NAT sessions (e.g. internet to private DMZ) - Typically used with load balancers, firewalls, or routers. - name: destination.nat.ip - type: ip -- description: |- - Port the source session is translated to by NAT Device. - Typically used with load balancers, firewalls, or routers. - name: destination.nat.port - type: long -- description: Port of the destination. - name: destination.port - type: long -- description: |- - Name of the directory the user is a member of. - For example, an LDAP or Active Directory domain name. - name: destination.user.domain - type: keyword -- description: Short name or login of the user. - multi_fields: - - name: text - type: match_only_text - name: destination.user.name - type: keyword -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: Error message. - name: error.message - type: match_only_text -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. This will allow proper categorization of some events that fall in multiple categories. 
- name: event.category - normalize: - - array - type: keyword -- description: |- - Identification code for this event, if one exists. - Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. - name: event.code - type: keyword -- description: |- - event.created contains the date/time when the event was first read by an agent, or by your pipeline. - This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. - In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. - In case the two timestamps are identical, @timestamp should be used. - name: event.created - type: date -- description: |- - event.created contains the date/time when the event was first read by an agent, or by your pipeline. - This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. - In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. - In case the two timestamps are identical, @timestamp should be used. - name: event.created - type: date -- description: |- - Duration of the event in nanoseconds. - If event.start and event.end are known this value should be the difference between the end and start time. - name: event.duration - type: long -- description: event.end contains the date when the event ended or when the activity was last observed. 
- name: event.end - type: date -- description: |- - Timestamp when an event arrived in the central data store. - This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. - In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. - name: event.ingested - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: |- - Source of the event. - Event transports such as Syslog or the Windows Event Log typically mention the source of an event. It can be the name of the software that generated the event (e.g. Sysmon, httpd), or of a subsystem of the operating system (kernel, Microsoft-Windows-Security-Auditing). - name: event.provider - type: keyword -- description: |- - The numeric severity of the event according to your event source. - What the different severity values mean can be different between sources and use cases. It's up to the implementer to make sure severities are consistent across events from the same source. - The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). 
If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`. - name: event.severity - type: long -- description: event.start contains the date when the event started or when the activity was first observed. - name: event.start - type: date -- description: |- - This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. - Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). - name: event.timezone - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. - `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. This will allow proper categorization of some events that fall in multiple event types. - name: event.type - normalize: - - array - type: keyword -- description: Full path to the file, including the file name. It should include the drive letter, when appropriate. - multi_fields: - - name: text - type: match_only_text - name: file.path - type: keyword -- description: |- - Custom key/value pairs. - Can be used to add meta information to events. Should not contain nested objects. All values are stored as keyword. - Example: `docker` and `k8s` labels. - name: labels - type: object -- description: |- - Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. - If the event wasn't read from a log file, do not populate this field. - name: log.file.path - type: keyword -- description: |- - Original log level of the log event. 
- If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). - Some examples are `warn`, `err`, `i`, `informational`. - name: log.level - type: keyword -- description: |- - Syslog numeric priority of the event, if available. - According to RFCs 5424 and 3164, the priority is 8 * facility + severity. This number is therefore expected to contain a value between 0 and 191. - name: log.syslog.priority - type: long -- description: |- - The Syslog numeric facility of the log event, if available. - According to RFCs 5424 and 3164, this value should be an integer between 0 and 23. - name: log.syslog.facility.code - type: long -- description: |- - The Syslog numeric severity of the log event, if available. - If the event source publishing via Syslog provides a different numeric severity value (e.g. firewall, IDS), your source's numeric severity should go to `event.severity`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `event.severity`. - name: log.syslog.severity.code - type: long -- description: |- - For log events the message field contains the log message, optimized for viewing in a log viewer. - For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. - If multiple messages exist, they can be combined into one message. - name: message - type: match_only_text -- description: |- - Total bytes transferred in both directions. - If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. - name: network.bytes - type: long -- description: |- - A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. - Learn more at https://github.com/corelight/community-id-spec. 
- name: network.community_id - type: keyword -- description: |- - Direction of the network traffic. - When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". - When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". - Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. - name: network.direction - type: keyword -- description: IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. - name: network.iana_number - type: keyword -- description: Network.inner fields are added in addition to network.vlan fields to describe the innermost VLAN when q-in-q VLAN tagging is present. Allowed fields include vlan.id and vlan.name. Inner vlan fields are typically used when sending traffic with multiple 802.1q encapsulations to a network sensor (e.g. Zeek, Wireshark.) - name: network.inner - type: object -- description: VLAN ID as reported by the observer. - name: network.inner.vlan.id - type: keyword -- description: Optional VLAN name as reported by the observer. - name: network.inner.vlan.name - type: keyword -- description: |- - In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. - The field value must be normalized to lowercase for querying. 
- name: network.protocol - type: keyword -- description: |- - Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) - The field value must be normalized to lowercase for querying. - name: network.transport - type: keyword -- description: |- - In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc - The field value must be normalized to lowercase for querying. - name: network.type - type: keyword -- description: Interface name as reported by the system. - name: observer.egress.interface.name - type: keyword -- description: Network zone of outbound traffic as reported by the observer to categorize the destination area of egress traffic, e.g. Internal, External, DMZ, HR, Legal, etc. - name: observer.egress.zone - type: keyword -- description: Hostname of the observer. - name: observer.hostname - type: keyword -- description: Interface name as reported by the system. - name: observer.ingress.interface.name - type: keyword -- description: Network zone of incoming traffic as reported by the observer to categorize the source area of ingress traffic. e.g. internal, External, DMZ, HR, Legal, etc. - name: observer.ingress.zone - type: keyword -- description: IP addresses of the observer. - name: observer.ip - normalize: - - array - type: ip -- description: |- - Custom name of the observer. - This is a name that can be given to an observer. This can be helpful for example if multiple firewalls of the same model are used in an organization. - If no custom name is needed, the field can be left empty. - name: observer.name - type: keyword -- description: The product name of the observer. - name: observer.product - type: keyword -- description: |- - The type of the observer the data is coming from. - There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. 
- name: observer.type - type: keyword -- description: Vendor name of the observer. - name: observer.vendor - type: keyword -- description: Observer version. - name: observer.version - type: keyword -- description: |- - Process name. - Sometimes called program name or similar. - multi_fields: - - name: text - type: match_only_text - name: process.name - type: keyword -- description: Process id. - name: process.pid - type: long -- description: All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. - name: related.hosts - normalize: - - array - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - normalize: - - array - type: ip -- description: All the user names or other user identifiers seen on the event. - name: related.user - normalize: - - array - type: keyword -- description: |- - The domain name of the server system. - This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. - name: server.domain - type: keyword -- description: |- - Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: source.address - type: keyword -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: source.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: source.as.organization.name - type: keyword -- description: Bytes sent from the source to the destination. - name: source.bytes - type: long -- description: |- - The domain name of the source system. 
- This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. - name: source.domain - type: keyword -- description: City name. - name: source.geo.city_name - type: keyword -- description: Name of the continent. - name: source.geo.continent_name - type: keyword -- description: Country ISO code. - name: source.geo.country_iso_code - type: keyword -- description: Country name. - name: source.geo.country_name - type: keyword -- description: Longitude and latitude. - name: source.geo.location - type: geo_point -- description: Region ISO code. - name: source.geo.region_iso_code - type: keyword -- description: Region name. - name: source.geo.region_name - type: keyword -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: |- - Translated ip of source based NAT sessions (e.g. internal client to internet) - Typically connections traversing load balancers, firewalls, or routers. - name: source.nat.ip - type: ip -- description: |- - Translated port of source based NAT sessions. (e.g. internal client to internet) - Typically used with load balancers, firewalls, or routers. - name: source.nat.port - type: long -- description: Port of the source. - name: source.port - type: long -- description: |- - Name of the directory the user is a member of. - For example, an LDAP or Active Directory domain name. - name: source.user.domain - type: keyword -- description: Short name or login of the user. - multi_fields: - - name: text - type: match_only_text - name: source.user.name - type: keyword -- description: Name of the group. - name: source.user.group.name - type: keyword -- description: List of keywords used to tag each event. - name: tags - normalize: - - array - type: keyword -- description: |- - Domain of the url, such as "www.elastic.co". - In some cases a URL may refer to an IP and/or port directly, without a domain name. 
In this case, the IP address would go to the `domain` field. - If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. - name: url.domain - type: keyword -- description: |- - The field contains the file extension from the original request url, excluding the leading dot. - The file extension is only set if it exists, as not every url has a file extension. - The leading period must not be included. For example, the value must be "png", not ".png". - Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). - name: url.extension - type: keyword -- description: |- - Portion of the url after the `#`, such as "top". - The `#` is not part of the fragment. - name: url.fragment - type: keyword -- description: If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. - multi_fields: - - name: text - type: match_only_text - name: url.full - type: wildcard -- description: |- - Unmodified original url as seen in the event source. - Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. - This field is meant to represent the URL as it was observed, complete or not. - multi_fields: - - name: text - type: match_only_text - name: url.original - type: wildcard -- description: Password of the request. - name: url.password - type: keyword -- description: Path of the request, such as "/search". - name: url.path - type: wildcard -- description: Port of the request, such as 443. - name: url.port - type: long -- description: |- - The query field describes the query string of the request, such as "q=elasticsearch". - The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. 
If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. - name: url.query - type: keyword -- description: |- - The highest registered url domain, stripped of the subdomain. - For example, the registered domain for "foo.example.com" is "example.com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". - name: url.registered_domain - type: keyword -- description: |- - Scheme of the request, such as "https". - Note: The `:` is not part of the scheme. - name: url.scheme - type: keyword -- description: |- - The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. - For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. - name: url.subdomain - type: keyword -- description: |- - The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". - name: url.top_level_domain - type: keyword -- description: Username of the request. - name: url.username - type: keyword -- description: User email address. - name: user.email - type: keyword -- description: Short name or login of the user. 
- multi_fields: - - name: text - type: match_only_text - name: user.name - type: keyword -- description: |- - The domain name of the server system. - This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. - name: server.domain - type: keyword -- description: |- - Some event server addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: server.address - type: keyword -- description: Port of the server. - name: server.port - type: long -- description: IP address of the server (IPv4 or IPv6). - name: server.ip - type: ip -- description: Short name or login of the user. - multi_fields: - - name: text - type: match_only_text - name: server.user.name - type: keyword -- description: |- - The domain name of the client system. - This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. - name: client.domain - type: keyword -- description: |- - Some event client addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: client.address - type: keyword -- description: Port of the client. - name: client.port - type: long -- description: IP address of the client (IPv4 or IPv6). - name: client.ip - type: ip diff --git a/packages/cisco_asa/2.7.5/data_stream/log/fields/fields.yml b/packages/cisco_asa/2.7.5/data_stream/log/fields/fields.yml deleted file mode 100755 index 37c02de23d..0000000000 --- a/packages/cisco_asa/2.7.5/data_stream/log/fields/fields.yml +++ /dev/null 
@@ -1,218 +0,0 @@ -- name: cisco.asa - type: group - fields: - - name: message_id - type: keyword - description: > - The Cisco ASA message identifier. - - - name: suffix - type: keyword - description: > - Optional suffix after %ASA identifier. - - - name: source_interface - type: keyword - description: > - Source interface for the flow or event. - - - name: destination_interface - type: keyword - description: > - Destination interface for the flow or event. - - - name: rule_name - type: keyword - description: > - Name of the Access Control List rule that matched this event. - - - name: source_username - type: keyword - description: > - Name of the user that is the source for this event. - - - name: source_user_security_group_tag - type: long - description: > - The Security Group Tag for the source user. Security Group Tag are 16-bit identifiers used to represent logical group privilege. - - - name: destination_username - type: keyword - description: > - Name of the user that is the destination for this event. - - - name: destination_user_security_group_tag - type: long - description: > - The Security Group Tag for the destination user. Security Group Tag are 16-bit identifiers used to represent logical group privilege. - - - name: mapped_source_ip - type: ip - description: > - The translated source IP address. - - - name: mapped_source_port - type: long - description: > - The translated source port. - - - name: mapped_destination_ip - type: ip - description: > - The translated destination IP address. - - - name: mapped_destination_port - type: long - description: > - The translated destination port. - - - name: threat_level - type: keyword - description: > - Threat level for malware / botnet traffic. One of very-low, low, moderate, high or very-high. - - - name: threat_category - type: keyword - description: > - Category for the malware / botnet traffic. For example: virus, botnet, trojan, etc. 
- - - name: connection_id - type: keyword - description: > - Unique identifier for a flow. - - - name: icmp_type - type: short - description: > - ICMP type. - - - name: icmp_code - type: short - description: > - ICMP code. - - - name: aaa_type - type: keyword - description: > - The AAA operation type. One of authentication, authorization, or accounting. - - - name: connection_type - type: keyword - description: > - The VPN connection type - - - name: session_type - type: keyword - default_field: false - description: > - Session type (for example, IPsec or UDP). - - - name: dap_records - type: keyword - description: > - The assigned DAP records - - - name: mapped_destination_host - type: keyword - - name: username - type: keyword - - name: mapped_source_host - type: keyword - - name: command_line_arguments - default_field: false - type: keyword - description: > - The command line arguments logged by the local audit log - - - name: assigned_ip - default_field: false - type: ip - description: > - The IP address assigned to a VPN client successfully connecting - - - name: privilege.old - default_field: false - type: keyword - description: > - When a users privilege is changed this is the old value - - - name: privilege.new - default_field: false - type: keyword - description: > - When a users privilege is changed this is the new value - - - name: burst.object - default_field: false - type: keyword - description: > - The related object for burst warnings - - - name: burst.id - default_field: false - type: keyword - description: > - The related rate ID for burst warnings - - - name: burst.current_rate - default_field: false - type: keyword - description: > - The current burst rate seen - - - name: burst.configured_rate - default_field: false - type: keyword - description: > - The current configured burst rate - - - name: burst.avg_rate - default_field: false - type: keyword - description: > - The current average burst rate seen - - - name: burst.configured_avg_rate - 
default_field: false - type: keyword - description: > - The current configured average burst rate allowed - - - name: burst.cumulative_count - default_field: false - type: keyword - description: > - The total count of burst rate hits since the object was created or cleared - - - name: security - type: flattened - description: Cisco FTD security event fields. - - name: webvpn.group_name - type: keyword - default_field: false - description: > - The WebVPN group name the user belongs to - - - name: termination_initiator - type: keyword - default_field: false - description: > - Interface name of the side that initiated the teardown - - - name: tunnel_type - type: keyword - default_field: false - description: > - SA type (remote access or L2L) - - - name: termination_user - default_field: false - type: keyword - description: > - AAA name of user requesting termination - - - name: message - default_field: false - type: keyword - description: >- - The message associated with SIP and Skinny VoIP events diff --git a/packages/cisco_asa/2.7.5/data_stream/log/manifest.yml b/packages/cisco_asa/2.7.5/data_stream/log/manifest.yml deleted file mode 100755 index 2293945655..0000000000 --- a/packages/cisco_asa/2.7.5/data_stream/log/manifest.yml +++ /dev/null 
@@ -1,156 +0,0 @@ -title: Cisco ASA logs -type: logs -streams: - - input: udp - title: Cisco ASA logs - description: Collect Cisco ASA logs - template_path: udp.yml.hbs - vars: - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: false - default: - - cisco-asa - - forwarded - - name: udp_host - type: text - title: Listen Address - description: The bind address to listen for UDP connections. Set to `0.0.0.0` to bind to all available interfaces. - multi: false - required: true - show_user: true - default: localhost - - name: udp_port - type: integer - title: Listen Port - description: The UDP port number to listen on. - multi: false - required: true - show_user: true - default: 9001 - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original` - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: > - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. - - - input: tcp - title: Cisco ASA logs - description: Collect Cisco ASA logs - template_path: tcp.yml.hbs - vars: - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: false - default: - - cisco-asa - - forwarded - - name: tcp_host - type: text - title: Listen Address - description: The bind address to listen for TCP connections. Set to `0.0.0.0` to bind to all available interfaces. - multi: false - required: true - show_user: true - default: localhost - - name: tcp_port - type: integer - title: Listen Port - description: The TCP port number to listen on. 
- multi: false - required: true - show_user: true - default: 9001 - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original` - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: > - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. - - - name: ssl - type: yaml - title: SSL Configuration - description: i.e. certificate, keys, supported_protocols, verification_mode etc. See [SSL](https://www.elastic.co/guide/en/beats/filebeat/current/configuration-ssl.html#ssl-server-config) for details. - multi: false - required: false - show_user: false - default: | - #certificate: "/etc/server/cert.pem" - #key: "/etc/server/key.pem" - - name: tcp_options - type: yaml - title: Custom TCP Options - multi: false - required: false - show_user: false - default: | - #max_connections: 1 - #framing: delimiter - #line_delimiter: "\n" - description: Specify custom configuration options for the TCP input. See [TCP](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-tcp.html) for details. 
- - input: logfile - enabled: false - title: Cisco ASA logs - description: Collect Cisco ASA logs from file - vars: - - name: paths - type: text - title: Paths - multi: true - required: true - show_user: true - default: - - /var/log/cisco-asa.log - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: false - default: - - cisco-asa - - forwarded - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original` - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: >- - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. diff --git a/packages/cisco_asa/2.7.5/data_stream/log/sample_event.json b/packages/cisco_asa/2.7.5/data_stream/log/sample_event.json deleted file mode 100755 index 8236d873b3..0000000000 --- a/packages/cisco_asa/2.7.5/data_stream/log/sample_event.json +++ /dev/null 
@@ -1,107 +0,0 @@
-{
- "@timestamp": "2018-10-10T12:34:56.000Z",
- "agent": {
- "ephemeral_id": "90753735-64f6-4611-b88a-892365f67be0",
- "id": "c077f5c5-ca69-4197-9db5-7963794bdac3",
- "name": "docker-fleet-agent",
- "type": "filebeat",
- "version": "8.2.0"
- },
- "cisco": {
- "asa": {
- "destination_interface": "outside",
- "source_interface": "inside"
- }
- },
- "data_stream": {
- "dataset": "cisco_asa.log",
- "namespace": "ep",
- "type": "logs"
- },
- "destination": {
- "address": "192.168.98.44",
- "ip": "192.168.98.44",
- "port": 8256
- },
- "ecs": {
- "version": "8.3.0"
- },
- "elastic_agent": {
- "id": "c077f5c5-ca69-4197-9db5-7963794bdac3",
- "snapshot": false,
- "version": "8.2.0"
- },
- "event": {
- "action": "firewall-rule",
- "agent_id_status": "verified",
- "category": [
- "network"
- ],
- "code": "305011",
- "dataset": "cisco_asa.log",
- "ingested": "2022-06-21T10:34:19Z",
- "kind": "event",
- "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1772 to outside:192.168.98.44/8256",
- "severity": 6,
- "timezone": "+00:00",
- "type": [
- "info"
- ]
- },
- "host": {
- "hostname": "localhost"
- },
- "input": {
- "type": "tcp"
- },
- "log": {
- "level": "informational",
- "source": {
- "address": "192.168.208.4:52674"
- }
- },
- "network": {
- "community_id": "1:5fapvb2/9FPSvoCspfD2WiW0NdQ=",
- "iana_number": "6",
- "transport": "tcp"
- },
- "observer": {
- "egress": {
- "interface": {
- "name": "outside"
- }
- },
- "hostname": "localhost",
- "ingress": {
- "interface": {
- "name": "inside"
- }
- },
- "product": "asa",
- "type": "firewall",
- "vendor": "Cisco"
- },
- "process": {
- "name": "CiscoASA",
- "pid": 999
- },
- "related": {
- "hosts": [
- "localhost"
- ],
- "ip": [
- "172.31.98.44",
- "192.168.98.44"
- ]
- },
- "source": {
- "address": "172.31.98.44",
- "ip": "172.31.98.44",
- "port": 1772
- },
- "tags": [
- "preserve_original_event",
- "cisco-asa",
- "forwarded"
- ]
-}
\ No newline at end of file
diff --git a/packages/cisco_asa/2.7.5/docs/README.md b/packages/cisco_asa/2.7.5/docs/README.md
deleted file mode 100755
index 9ef9022489..0000000000
--- a/packages/cisco_asa/2.7.5/docs/README.md
+++ /dev/null
@@ -1,333 +0,0 @@ -# Cisco ASA Integration - -This integration is for Cisco ASA network device's logs. It includes the following -datasets for receiving logs over syslog or read from a file: - -- `log` dataset: supports Cisco ASA firewall logs. - -## Logs - -### ASA - -The `log` dataset collects the Cisco ASA firewall logs. - -An example event for `log` looks as following: - -```json -{ - "@timestamp": "2018-10-10T12:34:56.000Z", - "agent": { - "ephemeral_id": "90753735-64f6-4611-b88a-892365f67be0", - "id": "c077f5c5-ca69-4197-9db5-7963794bdac3", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "8.2.0" - }, - "cisco": { - "asa": { - "destination_interface": "outside", - "source_interface": "inside" - } - }, - "data_stream": { - "dataset": "cisco_asa.log", - "namespace": "ep", - "type": "logs" - }, - "destination": { - "address": "192.168.98.44", - "ip": "192.168.98.44", - "port": 8256 - }, - "ecs": { - "version": "8.3.0" - }, - "elastic_agent": { - "id": "c077f5c5-ca69-4197-9db5-7963794bdac3", - "snapshot": false, - "version": "8.2.0" - }, - "event": { - "action": "firewall-rule", - "agent_id_status": "verified", - "category": [ - "network" - ], - "code": "305011", - "dataset": "cisco_asa.log", - "ingested": "2022-06-21T10:34:19Z", - "kind": "event", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1772 to outside:192.168.98.44/8256", - "severity": 6, - "timezone": "+00:00", - "type": [ - "info" - ] - }, - "host": { - "hostname": "localhost" - }, - "input": { - "type": "tcp" - }, - "log": { - "level": "informational", - "source": { - "address": "192.168.208.4:52674" - } - }, - "network": { - "community_id": "1:5fapvb2/9FPSvoCspfD2WiW0NdQ=", - "iana_number": "6", - "transport": "tcp" - }, - "observer": { - "egress": { - "interface": { - "name": "outside" - } - }, - "hostname": "localhost", - "ingress": { - "interface": { - "name": "inside" - } - }, - "product": "asa", 
- "type": "firewall", - "vendor": "Cisco" - }, - "process": { - "name": "CiscoASA", - "pid": 999 - }, - "related": { - "hosts": [ - "localhost" - ], - "ip": [ - "172.31.98.44", - "192.168.98.44" - ] - }, - "source": { - "address": "172.31.98.44", - "ip": "172.31.98.44", - "port": 1772 - }, - "tags": [ - "preserve_original_event", - "cisco-asa", - "forwarded" - ] -} -``` - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cisco.asa.aaa_type | The AAA operation type. One of authentication, authorization, or accounting. | keyword | -| cisco.asa.assigned_ip | The IP address assigned to a VPN client successfully connecting | ip | -| cisco.asa.burst.avg_rate | The current average burst rate seen | keyword | -| cisco.asa.burst.configured_avg_rate | The current configured average burst rate allowed | keyword | -| cisco.asa.burst.configured_rate | The current configured burst rate | keyword | -| cisco.asa.burst.cumulative_count | The total count of burst rate hits since the object was created or cleared | keyword | -| cisco.asa.burst.current_rate | The current burst rate seen | keyword | -| cisco.asa.burst.id | The related rate ID for burst warnings | keyword | -| cisco.asa.burst.object | The related object for burst warnings | keyword | -| cisco.asa.command_line_arguments | The command line arguments logged by the local audit log | keyword | -| cisco.asa.connection_id | Unique identifier for a flow. | keyword | -| cisco.asa.connection_type | The VPN connection type | keyword | -| cisco.asa.dap_records | The assigned DAP records | keyword | -| cisco.asa.destination_interface | Destination interface for the flow or event. | keyword | -| cisco.asa.destination_user_security_group_tag | The Security Group Tag for the destination user. Security Group Tag are 16-bit identifiers used to represent logical group privilege. 
| long | -| cisco.asa.destination_username | Name of the user that is the destination for this event. | keyword | -| cisco.asa.icmp_code | ICMP code. | short | -| cisco.asa.icmp_type | ICMP type. | short | -| cisco.asa.mapped_destination_host | | keyword | -| cisco.asa.mapped_destination_ip | The translated destination IP address. | ip | -| cisco.asa.mapped_destination_port | The translated destination port. | long | -| cisco.asa.mapped_source_host | | keyword | -| cisco.asa.mapped_source_ip | The translated source IP address. | ip | -| cisco.asa.mapped_source_port | The translated source port. | long | -| cisco.asa.message | The message associated with SIP and Skinny VoIP events | keyword | -| cisco.asa.message_id | The Cisco ASA message identifier. | keyword | -| cisco.asa.privilege.new | When a users privilege is changed this is the new value | keyword | -| cisco.asa.privilege.old | When a users privilege is changed this is the old value | keyword | -| cisco.asa.rule_name | Name of the Access Control List rule that matched this event. | keyword | -| cisco.asa.security | Cisco FTD security event fields. | flattened | -| cisco.asa.session_type | Session type (for example, IPsec or UDP). | keyword | -| cisco.asa.source_interface | Source interface for the flow or event. | keyword | -| cisco.asa.source_user_security_group_tag | The Security Group Tag for the source user. Security Group Tag are 16-bit identifiers used to represent logical group privilege. | long | -| cisco.asa.source_username | Name of the user that is the source for this event. | keyword | -| cisco.asa.suffix | Optional suffix after %ASA identifier. | keyword | -| cisco.asa.termination_initiator | Interface name of the side that initiated the teardown | keyword | -| cisco.asa.termination_user | AAA name of user requesting termination | keyword | -| cisco.asa.threat_category | Category for the malware / botnet traffic. For example: virus, botnet, trojan, etc. 
| keyword | -| cisco.asa.threat_level | Threat level for malware / botnet traffic. One of very-low, low, moderate, high or very-high. | keyword | -| cisco.asa.tunnel_type | SA type (remote access or L2L) | keyword | -| cisco.asa.username | | keyword | -| cisco.asa.webvpn.group_name | The WebVPN group name the user belongs to | keyword | -| client.address | Some event client addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| client.domain | The domain name of the client system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | -| client.ip | IP address of the client (IPv4 or IPv6). | ip | -| client.port | Port of the client. | long | -| client.user.name | Short name or login of the user. | keyword | -| client.user.name.text | Multi-field of `client.user.name`. | match_only_text | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. 
| keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| destination.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| destination.as.organization.name | Organization name. | keyword | -| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. | match_only_text | -| destination.bytes | Bytes sent from the destination to the source. | long | -| destination.domain | The domain name of the destination system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | -| destination.geo.city_name | City name. | keyword | -| destination.geo.continent_name | Name of the continent. | keyword | -| destination.geo.country_iso_code | Country ISO code. | keyword | -| destination.geo.country_name | Country name. | keyword | -| destination.geo.location | Longitude and latitude. | geo_point | -| destination.geo.region_iso_code | Region ISO code. | keyword | -| destination.geo.region_name | Region name. | keyword | -| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | -| destination.nat.ip | Translated ip of destination based NAT sessions (e.g. 
internet to private DMZ) Typically used with load balancers, firewalls, or routers. | ip | -| destination.nat.port | Port the source session is translated to by NAT Device. Typically used with load balancers, firewalls, or routers. | long | -| destination.port | Port of the destination. | long | -| destination.user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword | -| destination.user.name | Short name or login of the user. | keyword | -| destination.user.name.text | Multi-field of `destination.user.name`. | match_only_text | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| error.message | Error message. | match_only_text | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.code | Identification code for this event, if one exists. Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. | keyword | -| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. 
In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | -| event.dataset | Event dataset | constant_keyword | -| event.duration | Duration of the event in nanoseconds. If event.start and event.end are known this value should be the difference between the end and start time. | long | -| event.end | event.end contains the date when the event ended or when the activity was last observed. | date | -| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | -| event.module | Event module | constant_keyword | -| event.provider | Source of the event. Event transports such as Syslog or the Windows Event Log typically mention the source of an event. 
It can be the name of the software that generated the event (e.g. Sysmon, httpd), or of a subsystem of the operating system (kernel, Microsoft-Windows-Security-Auditing). | keyword | -| event.severity | The numeric severity of the event according to your event source. What the different severity values mean can be different between sources and use cases. It's up to the implementer to make sure severities are consistent across events from the same source. The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`. | long | -| event.start | event.start contains the date when the event started or when the activity was first observed. | date | -| event.timezone | This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). | keyword | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | -| file.path | Full path to the file, including the file name. It should include the drive letter, when appropriate. | keyword | -| file.path.text | Multi-field of `file.path`. | match_only_text | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. 
| boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| input.type | Input type. | keyword |
-| labels | Custom key/value pairs. Can be used to add meta information to events. Should not contain nested objects. All values are stored as keyword. Example: `docker` and `k8s` labels. | object |
-| log.file.path | Full path to the log file this event came from, including the file name.
It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. | keyword |
-| log.level | Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). Some examples are `warn`, `err`, `i`, `informational`. | keyword |
-| log.offset | Offset of the entry in the log file. | long |
-| log.source.address | Source address from which the log event was read / sent from. | keyword |
-| log.syslog.facility.code | The Syslog numeric facility of the log event, if available. According to RFCs 5424 and 3164, this value should be an integer between 0 and 23. | long |
-| log.syslog.priority | Syslog numeric priority of the event, if available. According to RFCs 5424 and 3164, the priority is 8 \* facility + severity. This number is therefore expected to contain a value between 0 and 191. | long |
-| log.syslog.severity.code | The Syslog numeric severity of the log event, if available. If the event source publishing via Syslog provides a different numeric severity value (e.g. firewall, IDS), your source's numeric severity should go to `event.severity`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `event.severity`. | long |
-| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text |
-| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum.
| long |
-| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword |
-| network.direction | Direction of the network traffic. When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword |
-| network.iana_number | IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. | keyword |
-| network.inner | Network.inner fields are added in addition to network.vlan fields to describe the innermost VLAN when q-in-q VLAN tagging is present. Allowed fields include vlan.id and vlan.name. Inner vlan fields are typically used when sending traffic with multiple 802.1q encapsulations to a network sensor (e.g. Zeek, Wireshark.) | object |
-| network.inner.vlan.id | VLAN ID as reported by the observer. | keyword |
-| network.inner.vlan.name | Optional VLAN name as reported by the observer. | keyword |
-| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying.
| keyword |
-| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword |
-| network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword |
-| observer.egress.interface.name | Interface name as reported by the system. | keyword |
-| observer.egress.zone | Network zone of outbound traffic as reported by the observer to categorize the destination area of egress traffic, e.g. Internal, External, DMZ, HR, Legal, etc. | keyword |
-| observer.hostname | Hostname of the observer. | keyword |
-| observer.ingress.interface.name | Interface name as reported by the system. | keyword |
-| observer.ingress.zone | Network zone of incoming traffic as reported by the observer to categorize the source area of ingress traffic. e.g. internal, External, DMZ, HR, Legal, etc. | keyword |
-| observer.ip | IP addresses of the observer. | ip |
-| observer.name | Custom name of the observer. This is a name that can be given to an observer. This can be helpful for example if multiple firewalls of the same model are used in an organization. If no custom name is needed, the field can be left empty. | keyword |
-| observer.product | The product name of the observer. | keyword |
-| observer.type | The type of the observer the data is coming from. There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. | keyword |
-| observer.vendor | Vendor name of the observer. | keyword |
-| observer.version | Observer version. | keyword |
-| process.name | Process name. Sometimes called program name or similar. | keyword |
-| process.name.text | Multi-field of `process.name`. | match_only_text |
-| process.pid | Process id.
| long |
-| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword |
-| related.ip | All of the IPs seen on your event. | ip |
-| related.user | All the user names or other user identifiers seen on the event. | keyword |
-| server.address | Some event server addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
-| server.domain | The domain name of the server system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword |
-| server.ip | IP address of the server (IPv4 or IPv6). | ip |
-| server.port | Port of the server. | long |
-| server.user.name | Short name or login of the user. | keyword |
-| server.user.name.text | Multi-field of `server.user.name`. | match_only_text |
-| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
-| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long |
-| source.as.organization.name | Organization name. | keyword |
-| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text |
-| source.bytes | Bytes sent from the source to the destination. | long |
-| source.domain | The domain name of the source system. This value may be a host name, a fully qualified domain name, or another host naming format.
The value may derive from the original event or be added from enrichment. | keyword |
-| source.geo.city_name | City name. | keyword |
-| source.geo.continent_name | Name of the continent. | keyword |
-| source.geo.country_iso_code | Country ISO code. | keyword |
-| source.geo.country_name | Country name. | keyword |
-| source.geo.location | Longitude and latitude. | geo_point |
-| source.geo.region_iso_code | Region ISO code. | keyword |
-| source.geo.region_name | Region name. | keyword |
-| source.ip | IP address of the source (IPv4 or IPv6). | ip |
-| source.nat.ip | Translated ip of source based NAT sessions (e.g. internal client to internet) Typically connections traversing load balancers, firewalls, or routers. | ip |
-| source.nat.port | Translated port of source based NAT sessions. (e.g. internal client to internet) Typically used with load balancers, firewalls, or routers. | long |
-| source.port | Port of the source. | long |
-| source.user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword |
-| source.user.group.name | Name of the group. | keyword |
-| source.user.name | Short name or login of the user. | keyword |
-| source.user.name.text | Multi-field of `source.user.name`. | match_only_text |
-| tags | List of keywords used to tag each event. | keyword |
-| url.domain | Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. | keyword |
-| url.extension | The field contains the file extension from the original request url, excluding the leading dot. The file extension is only set if it exists, as not every url has a file extension. The leading period must not be included.
For example, the value must be "png", not ".png". Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword |
-| url.fragment | Portion of the url after the `#`, such as "top". The `#` is not part of the fragment. | keyword |
-| url.full | If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. | wildcard |
-| url.full.text | Multi-field of `url.full`. | match_only_text |
-| url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | wildcard |
-| url.original.text | Multi-field of `url.original`. | match_only_text |
-| url.password | Password of the request. | keyword |
-| url.path | Path of the request, such as "/search". | wildcard |
-| url.port | Port of the request, such as 443. | long |
-| url.query | The query field describes the query string of the request, such as "q=elasticsearch". The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. | keyword |
-| url.registered_domain | The highest registered url domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword |
-| url.scheme | Scheme of the request, such as "https". Note: The `:` is not part of the scheme.
| keyword |
-| url.subdomain | The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword |
-| url.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword |
-| url.username | Username of the request. | keyword |
-| user.email | User email address. | keyword |
-| user.name | Short name or login of the user. | keyword |
-| user.name.text | Multi-field of `user.name`. | match_only_text |
diff --git a/packages/cisco_asa/2.7.5/img/cisco.svg b/packages/cisco_asa/2.7.5/img/cisco.svg
deleted file mode 100755
index 20ebebf197..0000000000
--- a/packages/cisco_asa/2.7.5/img/cisco.svg
+++ /dev/null
@@ -1 +0,0 @@
-
\ No newline at end of file
diff --git a/packages/cisco_asa/2.7.5/img/kibana-cisco-asa.png b/packages/cisco_asa/2.7.5/img/kibana-cisco-asa.png
deleted file mode 100755
index ad51be2204..0000000000
Binary files a/packages/cisco_asa/2.7.5/img/kibana-cisco-asa.png and /dev/null differ
diff --git a/packages/cisco_asa/2.7.5/kibana/dashboard/cisco_asa-a555b160-4987-11e9-b8ce-ed898b5ef295.json b/packages/cisco_asa/2.7.5/kibana/dashboard/cisco_asa-a555b160-4987-11e9-b8ce-ed898b5ef295.json
deleted file mode 100755
index be56be76ce..0000000000
--- a/packages/cisco_asa/2.7.5/kibana/dashboard/cisco_asa-a555b160-4987-11e9-b8ce-ed898b5ef295.json
+++ /dev/null
@@ -1,53 +0,0 @@
-{
- "attributes": {
- "description": "Sample dashboard for Cisco ASA Firewall devices",
- "hits": 0,
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}"
- },
- "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}",
- "panelsJSON": "[{\"embeddableConfig\":{\"vis\":{\"legendOpen\":false}},\"gridData\":{\"h\":15,\"i\":\"1\",\"w\":12,\"x\":12,\"y\":15},\"panelIndex\":\"1\",\"panelRefName\":\"panel_0\",\"title\":\"Destination Port and Transport\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"vis\":{\"legendOpen\":false}},\"gridData\":{\"h\":15,\"i\":\"2\",\"w\":12,\"x\":0,\"y\":15},\"panelIndex\":\"2\",\"panelRefName\":\"panel_1\",\"title\":\"Source Port and Transport\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"vis\":{\"legendOpen\":false}},\"gridData\":{\"h\":15,\"i\":\"3\",\"w\":24,\"x\":0,\"y\":0},\"panelIndex\":\"3\",\"panelRefName\":\"panel_2\",\"title\":\"ASA Firewall Events Over Time\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"vis\":{\"legendOpen\":false}},\"gridData\":{\"h\":15,\"i\":\"4\",\"w\":24,\"x\":24,\"y\":0},\"panelIndex\":\"4\",\"panelRefName\":\"panel_3\",\"title\":\"ASA Flows by Network Bytes\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":15,\"i\":\"5\",\"w\":12,\"x\":24,\"y\":15},\"panelIndex\":\"5\",\"panelRefName\":\"panel_4\",\"title\":\"Blocked by Source\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":15,\"i\":\"8\",\"w\":12,\"x\":36,\"y\":15},\"panelIndex\":\"8\",\"panelRefName\":\"panel_5\",\"title\":\"Top ACL by Blocked\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":12,\"i\":\"9\",\"w\":48,\"x\":0,\"y\":30},\"panelIndex\":\"9\",\"panelRefName\":\"panel_6\",\"version\":\"7.0.0-SNAPSHOT\"}]",
- "timeRestore": false,
- "title": "[Cisco] ASA Firewall",
- "version": 1
- },
- "id": 
"cisco_asa-a555b160-4987-11e9-b8ce-ed898b5ef295",
- "references": [
- {
- "id": "cisco_asa-118da960-4987-11e9-b8ce-ed898b5ef295",
- "name": "panel_0",
- "type": "visualization"
- },
- {
- "id": "cisco_asa-5d0322d0-4987-11e9-b8ce-ed898b5ef295",
- "name": "panel_1",
- "type": "visualization"
- },
- {
- "id": "cisco_asa-a3b5ab10-4989-11e9-b8ce-ed898b5ef295",
- "name": "panel_2",
- "type": "visualization"
- },
- {
- "id": "cisco_asa-80d0c1b0-498a-11e9-b8ce-ed898b5ef295",
- "name": "panel_3",
- "type": "visualization"
- },
- {
- "id": "cisco_asa-d05cdf60-498b-11e9-b8ce-ed898b5ef295",
- "name": "panel_4",
- "type": "visualization"
- },
- {
- "id": "cisco_asa-08ef4d90-499b-11e9-b8ce-ed898b5ef295",
- "name": "panel_5",
- "type": "visualization"
- },
- {
- "id": "cisco_asa-fd89b1e0-49a2-11e9-b8ce-ed898b5ef295",
- "name": "panel_6",
- "type": "visualization"
- }
- ],
- "type": "dashboard"
-}
\ No newline at end of file
diff --git a/packages/cisco_asa/2.7.5/kibana/search/cisco_asa-14fce5e0-498f-11e9-b8ce-ed898b5ef295.json b/packages/cisco_asa/2.7.5/kibana/search/cisco_asa-14fce5e0-498f-11e9-b8ce-ed898b5ef295.json
deleted file mode 100755
index c4e9b835ce..0000000000
--- a/packages/cisco_asa/2.7.5/kibana/search/cisco_asa-14fce5e0-498f-11e9-b8ce-ed898b5ef295.json
+++ /dev/null
@@ -1,29 +0,0 @@
-{
- "attributes": {
- "columns": [
- "_source"
- ],
- "description": "",
- "hits": 0,
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:cisco_asa.log\"},\"version\":true}"
- },
- "sort": [
- [
- "@timestamp",
- "desc"
- ]
- ],
- "title": "All ASA Logs [Cisco]",
- "version": 1
- },
- "id": "cisco_asa-14fce5e0-498f-11e9-b8ce-ed898b5ef295",
- "references": [
- {
- "id": "logs-*",
- "name": "kibanaSavedObjectMeta.searchSourceJSON.index",
- "type": "index-pattern"
- }
- ],
- "type": "search"
-}
\ No newline at end of file
diff --git a/packages/cisco_asa/2.7.5/kibana/search/cisco_asa-753406e0-4986-11e9-b8ce-ed898b5ef295.json b/packages/cisco_asa/2.7.5/kibana/search/cisco_asa-753406e0-4986-11e9-b8ce-ed898b5ef295.json
deleted file mode 100755
index 827e718b96..0000000000
--- a/packages/cisco_asa/2.7.5/kibana/search/cisco_asa-753406e0-4986-11e9-b8ce-ed898b5ef295.json
+++ /dev/null
@@ -1,29 +0,0 @@
-{
- "attributes": {
- "columns": [
- "_source"
- ],
- "description": "",
- "hits": 0,
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:cisco_asa.log and event.action:\\\"flow-expiration\\\"\"},\"version\":true}"
- },
- "sort": [
- [
- "@timestamp",
- "desc"
- ]
- ],
- "title": "ASA Firewall flows [Cisco]",
- "version": 1
- },
- "id": "cisco_asa-753406e0-4986-11e9-b8ce-ed898b5ef295",
- "references": [
- {
- "id": "logs-*",
- "name": "kibanaSavedObjectMeta.searchSourceJSON.index",
- "type": "index-pattern"
- }
- ],
- "type": "search"
-}
\ No newline at end of file
diff --git a/packages/cisco_asa/2.7.5/kibana/search/cisco_asa-96c6ff60-4986-11e9-b8ce-ed898b5ef295.json b/packages/cisco_asa/2.7.5/kibana/search/cisco_asa-96c6ff60-4986-11e9-b8ce-ed898b5ef295.json
deleted file mode 100755
index ecea457cb0..0000000000
--- a/packages/cisco_asa/2.7.5/kibana/search/cisco_asa-96c6ff60-4986-11e9-b8ce-ed898b5ef295.json
+++ /dev/null
@@ -1,29 +0,0 @@
-{
- "attributes": {
- "columns": [
- "_source"
- ],
- "description": "",
- "hits": 0,
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:cisco_asa.log and event.action:\\\"firewall-rule\\\"\"},\"version\":true}"
- },
- "sort": [
- [
- "@timestamp",
- "desc"
- ]
- ],
- "title": "ASA Firewall Events [Cisco]",
- "version": 1
- },
- "id": "cisco_asa-96c6ff60-4986-11e9-b8ce-ed898b5ef295",
- "references": [
- {
- "id": "logs-*",
- "name": "kibanaSavedObjectMeta.searchSourceJSON.index",
- "type": "index-pattern"
- }
- ],
- "type": "search"
-}
\ No newline at end of file
diff --git a/packages/cisco_asa/2.7.5/kibana/visualization/cisco_asa-08ef4d90-499b-11e9-b8ce-ed898b5ef295.json b/packages/cisco_asa/2.7.5/kibana/visualization/cisco_asa-08ef4d90-499b-11e9-b8ce-ed898b5ef295.json
deleted file mode 100755
index 3d47d84b87..0000000000
--- a/packages/cisco_asa/2.7.5/kibana/visualization/cisco_asa-08ef4d90-499b-11e9-b8ce-ed898b5ef295.json
+++ /dev/null
@@ -1,22 +0,0 @@
-{
- "attributes": {
- "description": "",
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"event.outcome:\\\"deny\\\"\"}}"
- },
- "savedSearchRefName": "search_0",
- "title": "ASA Top ACL by Blocked [Cisco]",
- "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}",
- "version": 1,
- "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"ACL ID\",\"field\":\"cisco.asa.rule_name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"ASA Top ACL by Blocked [Cisco]\",\"type\":\"table\"}"
- },
- "id": "cisco_asa-08ef4d90-499b-11e9-b8ce-ed898b5ef295",
- "references": [
- {
- "id": "cisco_asa-96c6ff60-4986-11e9-b8ce-ed898b5ef295",
- "name": "search_0",
- "type": "search"
- }
- ],
- "type": "visualization"
-}
\ No newline at end of file
diff --git a/packages/cisco_asa/2.7.5/kibana/visualization/cisco_asa-118da960-4987-11e9-b8ce-ed898b5ef295.json b/packages/cisco_asa/2.7.5/kibana/visualization/cisco_asa-118da960-4987-11e9-b8ce-ed898b5ef295.json
deleted file mode 100755
index 6f81464b3a..0000000000
--- a/packages/cisco_asa/2.7.5/kibana/visualization/cisco_asa-118da960-4987-11e9-b8ce-ed898b5ef295.json
+++ /dev/null
@@ -1,22 +0,0 @@
-{
- "attributes": {
- "description": "",
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}"
- },
- "savedSearchRefName": "search_0",
- "title": "Destination Port and Transport [Cisco]",
- "uiStateJSON": "{}",
- "version": 1,
- "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"network.transport\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"destination.port\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"isDonut\":true,\"labels\":{\"last_level\":true,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"right\",\"type\":\"pie\"},\"title\":\"Destination Port and Transport [Cisco]\",\"type\":\"pie\"}"
- },
- "id": "cisco_asa-118da960-4987-11e9-b8ce-ed898b5ef295",
- "references": [
- {
- "id": "cisco_asa-753406e0-4986-11e9-b8ce-ed898b5ef295",
- "name": "search_0",
- "type": "search"
- }
- ],
- "type": "visualization"
-}
\ No newline at end of file
diff --git a/packages/cisco_asa/2.7.5/kibana/visualization/cisco_asa-5d0322d0-4987-11e9-b8ce-ed898b5ef295.json b/packages/cisco_asa/2.7.5/kibana/visualization/cisco_asa-5d0322d0-4987-11e9-b8ce-ed898b5ef295.json
deleted file mode 100755
index 68171576d0..0000000000
--- a/packages/cisco_asa/2.7.5/kibana/visualization/cisco_asa-5d0322d0-4987-11e9-b8ce-ed898b5ef295.json
+++ /dev/null
@@ -1,22 +0,0 @@
-{
- "attributes": {
- "description": "",
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}"
- },
- "savedSearchRefName": "search_0",
- "title": "Source Port and Transport [Cisco]",
- "uiStateJSON": "{}",
- "version": 1,
- "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"network.transport\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"source.port\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"isDonut\":true,\"labels\":{\"last_level\":true,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"right\",\"type\":\"pie\"},\"title\":\"Source Port and Transport [Cisco]\",\"type\":\"pie\"}"
- },
- "id": "cisco_asa-5d0322d0-4987-11e9-b8ce-ed898b5ef295",
- "references": [
- {
- "id": "cisco_asa-753406e0-4986-11e9-b8ce-ed898b5ef295",
- "name": "search_0",
- "type": "search"
- }
- ],
- "type": "visualization"
-}
\ No newline at end of file
diff --git a/packages/cisco_asa/2.7.5/kibana/visualization/cisco_asa-80d0c1b0-498a-11e9-b8ce-ed898b5ef295.json b/packages/cisco_asa/2.7.5/kibana/visualization/cisco_asa-80d0c1b0-498a-11e9-b8ce-ed898b5ef295.json
deleted file mode 100755
index a39f27880f..0000000000
--- a/packages/cisco_asa/2.7.5/kibana/visualization/cisco_asa-80d0c1b0-498a-11e9-b8ce-ed898b5ef295.json
+++ /dev/null
@@ -1,22 +0,0 @@
-{
- "attributes": {
- "description": "",
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}"
- },
- "savedSearchRefName": "search_0",
- "title": "ASA Flows by Network Bytes [Cisco]",
- "uiStateJSON": "{}",
- "version": 1,
- "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"timeRange\":{\"from\":\"now-15y\",\"to\":\"now+1y\"},\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Total bytes\",\"field\":\"network.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"grid\":{\"categoryLines\":false},\"legendPosition\":\"right\",\"seriesParams\":[{\"data\":{\"id\":\"3\",\"label\":\"Total bytes\"},\"drawLinesBetweenPoints\":true,\"mode\":\"stacked\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"times\":[],\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Total bytes\"},\"type\":\"value\"}]},\"title\":\"ASA Flows by Network Bytes [Cisco]\",\"type\":\"histogram\"}"
- },
- "id": "cisco_asa-80d0c1b0-498a-11e9-b8ce-ed898b5ef295",
- "references": [
- {
- "id": "cisco_asa-753406e0-4986-11e9-b8ce-ed898b5ef295",
- "name": "search_0",
- "type": "search"
- }
- ],
- "type": "visualization"
-}
\ No newline at end of file
diff --git a/packages/cisco_asa/2.7.5/kibana/visualization/cisco_asa-a3b5ab10-4989-11e9-b8ce-ed898b5ef295.json b/packages/cisco_asa/2.7.5/kibana/visualization/cisco_asa-a3b5ab10-4989-11e9-b8ce-ed898b5ef295.json
deleted file mode 100755
index 67b75fd248..0000000000
--- a/packages/cisco_asa/2.7.5/kibana/visualization/cisco_asa-a3b5ab10-4989-11e9-b8ce-ed898b5ef295.json
+++ /dev/null
@@ -1,22 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "ASA Events Over Time [Cisco]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"event.outcome\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"timeRange\":{\"from\":\"now-15y\",\"to\":\"now+1y\"},\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"grid\":{\"categoryLines\":false},\"legendPosition\":\"right\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"mode\":\"stacked\",\"show\":\"true\",\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"times\":[],\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"ASA Events Over Time [Cisco]\",\"type\":\"histogram\"}" - }, - "id": 
"cisco_asa-a3b5ab10-4989-11e9-b8ce-ed898b5ef295", - "references": [ - { - "id": "cisco_asa-96c6ff60-4986-11e9-b8ce-ed898b5ef295", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cisco_asa/2.7.5/kibana/visualization/cisco_asa-d05cdf60-498b-11e9-b8ce-ed898b5ef295.json b/packages/cisco_asa/2.7.5/kibana/visualization/cisco_asa-d05cdf60-498b-11e9-b8ce-ed898b5ef295.json deleted file mode 100755 index cab50f4d5c..0000000000 --- a/packages/cisco_asa/2.7.5/kibana/visualization/cisco_asa-d05cdf60-498b-11e9-b8ce-ed898b5ef295.json +++ /dev/null @@ -1,22 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "ASA Firewall Blocked by Source [Cisco]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"source.ip\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"ASA Firewall Blocked by Source [Cisco]\",\"type\":\"table\"}" - }, - "id": "cisco_asa-d05cdf60-498b-11e9-b8ce-ed898b5ef295", - "references": [ - { - "id": "cisco_asa-96c6ff60-4986-11e9-b8ce-ed898b5ef295", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/cisco_asa/2.7.5/kibana/visualization/cisco_asa-fd89b1e0-49a2-11e9-b8ce-ed898b5ef295.json b/packages/cisco_asa/2.7.5/kibana/visualization/cisco_asa-fd89b1e0-49a2-11e9-b8ce-ed898b5ef295.json deleted file mode 100755 index 0b55816042..0000000000 --- a/packages/cisco_asa/2.7.5/kibana/visualization/cisco_asa-fd89b1e0-49a2-11e9-b8ce-ed898b5ef295.json +++ /dev/null 
@@ -1,22 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Top ASA Messages [Cisco]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":1,\"direction\":\"desc\"}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"ID\",\"field\":\"event.code\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"_key\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":15},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"aggregate\":\"concat\",\"customLabel\":\"Severity\",\"field\":\"log.level\",\"size\":1,\"sortField\":\"@timestamp\",\"sortOrder\":\"desc\"},\"schema\":\"metric\",\"type\":\"top_hits\"},{\"enabled\":true,\"id\":\"1\",\"params\":{\"aggregate\":\"concat\",\"customLabel\":\"Sample message\",\"field\":\"event.original\",\"size\":1,\"sortField\":\"@timestamp\",\"sortOrder\":\"desc\"},\"schema\":\"metric\",\"type\":\"top_hits\"}],\"params\":{\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":true,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Top ASA Messages [Cisco]\",\"type\":\"table\"}" - }, - "id": "cisco_asa-fd89b1e0-49a2-11e9-b8ce-ed898b5ef295", - "references": [ - { - "id": "cisco_asa-14fce5e0-498f-11e9-b8ce-ed898b5ef295", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cisco_asa/2.7.5/manifest.yml b/packages/cisco_asa/2.7.5/manifest.yml deleted file mode 100755 index afd1f935a1..0000000000 --- a/packages/cisco_asa/2.7.5/manifest.yml +++ /dev/null 
@@ -1,39 +0,0 @@ -format_version: 1.0.0 -name: cisco_asa -title: Cisco ASA -version: "2.7.5" -license: basic -description: Collect logs from Cisco ASA with Elastic Agent. -type: integration -categories: - - network - - security -release: ga -conditions: - kibana.version: "^7.16.0 || ^8.0.0" -screenshots: - - src: /img/kibana-cisco-asa.png - title: kibana cisco asa - size: 1800x1559 - type: image/png -icons: - - src: /img/cisco.svg - title: cisco - size: 216x216 - type: image/svg+xml -policy_templates: - - name: cisco_asa - title: Cisco ASA logs - description: Collect logs from Cisco ASA instances - inputs: - - type: tcp - title: Collect logs from Cisco ASA via TCP - description: Collecting logs from Cisco ASA via TCP - - type: udp - title: Collect logs from Cisco ASA via UDP - description: Collecting logs from Cisco ASA via UDP - - type: logfile - title: Collect logs from Cisco ASA via file - description: Collecting logs from Cisco ASA via file -owner: - github: elastic/security-external-integrations diff --git a/packages/cisco_asa/2.7.6/LICENSE.txt b/packages/cisco_asa/2.7.6/LICENSE.txt deleted file mode 100755 index 809108b857..0000000000 --- a/packages/cisco_asa/2.7.6/LICENSE.txt +++ /dev/null 
@@ -1,93 +0,0 @@ -Elastic License 2.0 - -URL: https://www.elastic.co/licensing/elastic-license - -## Acceptance - -By using the software, you agree to all of the terms and conditions below. - -## Copyright License - -The licensor grants you a non-exclusive, royalty-free, worldwide, -non-sublicensable, non-transferable license to use, copy, distribute, make -available, and prepare derivative works of the software, in each case subject to -the limitations and conditions below. - -## Limitations - -You may not provide the software to third parties as a hosted or managed -service, where the service provides users with access to any substantial set of -the features or functionality of the software. - -You may not move, change, disable, or circumvent the license key functionality -in the software, and you may not remove or obscure any functionality in the -software that is protected by the license key. - -You may not alter, remove, or obscure any licensing, copyright, or other notices -of the licensor in the software. Any use of the licensor’s trademarks is subject -to applicable law. - -## Patents - -The licensor grants you a license, under any patent claims the licensor can -license, or becomes able to license, to make, have made, use, sell, offer for -sale, import and have imported the software, in each case subject to the -limitations and conditions in this license. This license does not cover any -patent claims that you cause to be infringed by modifications or additions to -the software. If you or your company make any written claim that the software -infringes or contributes to infringement of any patent, your patent license for -the software granted under these terms ends immediately. If your company makes -such a claim, your patent license ends immediately for work on behalf of your -company. - -## Notices - -You must ensure that anyone who gets a copy of any part of the software from you -also gets a copy of these terms. 
- -If you modify the software, you must include in any modified copies of the -software prominent notices stating that you have modified the software. - -## No Other Rights - -These terms do not imply any licenses other than those expressly granted in -these terms. - -## Termination - -If you use the software in violation of these terms, such use is not licensed, -and your licenses will automatically terminate. If the licensor provides you -with a notice of your violation, and you cease all violation of this license no -later than 30 days after you receive that notice, your licenses will be -reinstated retroactively. However, if you violate these terms after such -reinstatement, any additional violation of these terms will cause your licenses -to terminate automatically and permanently. - -## No Liability - -*As far as the law allows, the software comes as is, without any warranty or -condition, and the licensor will not be liable to you for any damages arising -out of these terms or the use or nature of the software, under any kind of -legal claim.* - -## Definitions - -The **licensor** is the entity offering these terms, and the **software** is the -software the licensor makes available under these terms, including any portion -of it. - -**you** refers to the individual or entity agreeing to these terms. - -**your company** is any legal entity, sole proprietorship, or other kind of -organization that you work for, plus all organizations that have control over, -are under the control of, or are under common control with that -organization. **control** means ownership of substantially all the assets of an -entity, or the power to direct its management and policies by vote, contract, or -otherwise. Control can be direct or indirect. - -**your licenses** are all the licenses granted to you for the software under -these terms. - -**use** means anything you do with the software requiring one of your licenses. 
- -**trademark** means trademarks, service marks, and similar rights. diff --git a/packages/cisco_asa/2.7.6/changelog.yml b/packages/cisco_asa/2.7.6/changelog.yml deleted file mode 100755 index 39a900a281..0000000000 --- a/packages/cisco_asa/2.7.6/changelog.yml +++ /dev/null 
@@ -1,168 +0,0 @@ -# newer versions go on top -- version: "2.7.6" - changes: - - description: Remove duplicate field. - type: bugfix - link: https://github.com/elastic/integrations/issues/4327 -- version: "2.7.5" - changes: - - description: Fix handling of 302020 event messages. - type: bugfix - link: https://github.com/elastic/integrations/pull/4209 -- version: "2.7.4" - changes: - - description: Use ECS geo.location definition. - type: enhancement - link: https://github.com/elastic/integrations/issues/4227 -- version: "2.7.3" - changes: - - description: Fix handling of non-canonical 113005 messages. - type: bugfix - link: https://github.com/elastic/integrations/pull/4189 -- version: "2.7.2" - changes: - - description: Clean up grok pattern naming. - type: bugfix - link: https://github.com/elastic/integrations/pull/4163 -- version: "2.7.1" - changes: - - description: Fix handling of some non-canonical log formats. - type: bugfix - link: https://github.com/elastic/integrations/pull/3943 -- version: "2.7.0" - changes: - - description: Add handling of AAA operations. - type: enhancement - link: https://github.com/elastic/integrations/pull/3740 -- version: "2.6.0" - changes: - - description: Update package to ECS 8.4.0 - type: enhancement - link: https://github.com/elastic/integrations/pull/3842 -- version: "2.5.2" - changes: - - description: Improve TCP, SSL config description and example. - type: enhancement - link: https://github.com/elastic/integrations/pull/3763 -- version: "2.5.1" - changes: - - description: Fix handling of user parsing when SGT fields are present. - type: bugfix - link: https://github.com/elastic/integrations/pull/3650 - - description: Fix handling of user parsing for 302013 and 302015 events. - type: bugfix - link: https://github.com/elastic/integrations/pull/3650 -- version: "2.5.0" - changes: - - description: Update package to ECS 8.3.0. 
- type: enhancement - link: https://github.com/elastic/integrations/pull/3353 -- version: "2.4.2" - changes: - - description: Map syslog priority details according to ECS - type: bugfix - link: https://github.com/elastic/integrations/pull/3549 - - description: Extract syslog facility and severity codes from syslog priority - type: bugfix - link: https://github.com/elastic/integrations/pull/3549 -- version: "2.4.1" - changes: - - description: Ensure invalid event.outcome does not get recorded in event - type: bugfix - link: https://github.com/elastic/integrations/pull/3354 -- version: "2.4.0" - changes: - - description: Add TCP input with TLS support - type: enhancement - link: https://github.com/elastic/integrations/pull/3312 -- version: "2.3.0" - changes: - - description: Update to ECS 8.2 - type: enhancement - link: https://github.com/elastic/integrations/pull/2778 -- version: "2.2.2" - changes: - - description: Change visualizations to use event.code instead of cisco.asa.message_id. - type: bugfix - link: https://github.com/elastic/integrations/pull/3146 -- version: "2.2.1" - changes: - - description: Add documentation for multi-fields - type: enhancement - link: https://github.com/elastic/integrations/pull/2916 -- version: "2.2.0" - changes: - - description: Add community_id processor, update 805001, 304001, 106023 and 602304 message parsing. elastic/beats#26879 - type: enhancement - link: https://github.com/elastic/integrations/pull/2820 - - description: Add user.name field to ASA Security negotiation log line. elastic/beats#26975 - type: enhancement - link: https://github.com/elastic/integrations/pull/2820 - - description: Change event.outcome and event.type handling to be more ECS compliant. 
elastic/beats#29698 - type: enhancement - link: https://github.com/elastic/integrations/pull/2820 -- version: "2.1.0" - changes: - - description: Add parsing for event code 113029-113040 - type: enhancement - link: https://github.com/elastic/integrations/pull/2535 -- version: "2.0.1" - changes: - - description: Clarify configuration option documentation - type: bugfix - link: https://github.com/elastic/integrations/pull/2649 -- version: "2.0.0" - changes: - - description: Update to ECS 8.0 - type: enhancement - link: https://github.com/elastic/integrations/pull/2389 -- version: "1.3.2" - changes: - - description: Regenerate test files using the new GeoIP database - type: bugfix - link: https://github.com/elastic/integrations/pull/2339 -- version: "1.3.1" - changes: - - description: Change test public IPs to the supported subset - type: bugfix - link: https://github.com/elastic/integrations/pull/2327 -- version: "1.3.0" - changes: - - description: Add 8.0.0 version constraint - type: enhancement - link: https://github.com/elastic/integrations/pull/2236 -- version: "1.2.2" - changes: - - description: Update Title and Description. 
- type: enhancement - link: https://github.com/elastic/integrations/pull/1952 -- version: "1.2.1" - changes: - - description: Relax time parsing and capture group and session type in Cisco ASA module - type: bugfix - link: https://github.com/elastic/integrations/pull/1891 -- version: "1.2.0" - changes: - - description: Add support for Cisco ASA SIP events - type: enhancement - link: https://github.com/elastic/integrations/pull/1865 -- version: "1.1.1" - changes: - - description: Fix logic that checks for the 'forwarded' tag - type: bugfix - link: https://github.com/elastic/integrations/pull/1805 -- version: "1.1.0" - changes: - - description: Update to ECS 1.12.0 - type: enhancement - link: https://github.com/elastic/integrations/pull/1782 -- version: "1.0.1" - changes: - - description: Adding missing ECS fields - type: bugfix - link: https://github.com/elastic/integrations/pull/1732 -- version: "1.0.0" - changes: - - description: Split Cisco ASA into its own package - type: enhancement - link: https://github.com/elastic/integrations/pull/1583 diff --git a/packages/cisco_asa/2.7.6/data_stream/log/agent/stream/stream.yml.hbs b/packages/cisco_asa/2.7.6/data_stream/log/agent/stream/stream.yml.hbs deleted file mode 100755 index 1190ec3f3c..0000000000 --- a/packages/cisco_asa/2.7.6/data_stream/log/agent/stream/stream.yml.hbs +++ /dev/null @@ -1,20 +0,0 @@ -paths: -{{#each paths as |path i|}} - - {{path}} -{{/each}} -exclude_files: [".gz$"] -tags: -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#each tags as |tag i|}} - - {{tag}} -{{/each}} -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} -processors: -- add_locale: ~ -{{#if processors}} -{{processors}} -{{/if}} diff --git a/packages/cisco_asa/2.7.6/data_stream/log/agent/stream/tcp.yml.hbs b/packages/cisco_asa/2.7.6/data_stream/log/agent/stream/tcp.yml.hbs deleted file mode 100755 index 169989f2d7..0000000000 
--- a/packages/cisco_asa/2.7.6/data_stream/log/agent/stream/tcp.yml.hbs +++ /dev/null @@ -1,22 +0,0 @@ -host: "{{tcp_host}}:{{tcp_port}}" -tags: -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#each tags as |tag i|}} - - {{tag}} -{{/each}} -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} -{{#if ssl}} -ssl: {{ssl}} -{{/if}} -processors: -- add_locale: ~ -{{#if processors}} -{{processors}} -{{/if}} -{{#if tcp_options}} -{{tcp_options}} -{{/if}} diff --git a/packages/cisco_asa/2.7.6/data_stream/log/agent/stream/udp.yml.hbs b/packages/cisco_asa/2.7.6/data_stream/log/agent/stream/udp.yml.hbs deleted file mode 100755 index e01f113448..0000000000 --- a/packages/cisco_asa/2.7.6/data_stream/log/agent/stream/udp.yml.hbs +++ /dev/null @@ -1,16 +0,0 @@ -host: "{{udp_host}}:{{udp_port}}" -tags: -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#each tags as |tag i|}} - - {{tag}} -{{/each}} -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} -processors: -- add_locale: ~ -{{#if processors}} -{{processors}} -{{/if}} diff --git a/packages/cisco_asa/2.7.6/data_stream/log/elasticsearch/ingest_pipeline/default.yml b/packages/cisco_asa/2.7.6/data_stream/log/elasticsearch/ingest_pipeline/default.yml deleted file mode 100755 index ccc4d5252c..0000000000 --- a/packages/cisco_asa/2.7.6/data_stream/log/elasticsearch/ingest_pipeline/default.yml +++ /dev/null 
@@ -1,2252 +0,0 @@ ---- -description: "Pipeline for Cisco ASA logs" -processors: - - rename: - field: message - target_field: event.original - ignore_missing: true - - set: - field: ecs.version - value: '8.4.0' - # - # Parse the syslog header - # - # This populates the host.hostname, process.name, timestamp and other fields - # from the header and stores the message contents in _temp_.full_message. - - grok: - field: event.original - patterns: - - "(?:%{SYSLOG_HEADER})?\\s*%{GREEDYDATA:_temp_.full_message}" - pattern_definitions: - SYSLOG_HEADER: "(?:%{SYSPRIORITY}\\s*)?(?:%{FTD_DATE:_temp_.raw_date}:?\\s+)?(?:%{PROCESS_HOST}|%{HOST_PROCESS})(?:{DATA})?%{SYSLOG_END}?" - SYSPRIORITY: "<%{NONNEGINT:log.syslog.priority:int}>" - # Beginning with version 6.3, Firepower Threat Defense provides the option to enable timestamp as per RFC 5424. - FTD_DATE: "(?:%{TIMESTAMP_ISO8601}|%{ASA_DATE})" - ASA_DATE: "(?:%{DAY} )?%{MONTH} *%{MONTHDAY}(?: %{YEAR})? %{TIME}(?: %{TZ})?" - PROCESS: "(?:[^%\\s:\\[]+)" - SYSLOG_END: "(?:(:|\\s)\\s+)" - # exactly match the syntax for firepower management logs - PROCESS_HOST: "(?:%{PROCESS:process.name}:\\s%{SYSLOGHOST:host.name})" - HOST_PROCESS: "(?:%{SYSLOGHOST:host.hostname}:?\\s+)?(?:%{PROCESS:process.name}?(?:\\[%{POSINT:process.pid:long}\\])?)?" - - script: - lang: painless - source: | - if (ctx.log?.syslog?.priority != null) { - def severity = new HashMap(); - severity['code'] = ctx.log.syslog.priority&0x7; - ctx.log.syslog['severity'] = severity; - def facility = new HashMap(); - facility['code'] = ctx.log.syslog.priority>>3; - ctx.log.syslog['facility'] = facility; - } - - # - # Parse FTD/ASA style message - # - # This parses the header of an EMBLEM-style message for FTD and ASA prefixes. 
- - grok: - field: _temp_.full_message - patterns: - - "%{FTD_PREFIX}-(?:%{FTD_SUFFIX:_temp_.cisco.suffix}-)?%{NONNEGINT:event.severity:int}-%{POSINT:_temp_.cisco.message_id}?:?\\s*%{GREEDYDATA:message}" - # Before version 6.3, messages for connection, security intelligence, and intrusion events didn't include an event type ID in the message header. - - "%{GREEDYDATA:message}" - pattern_definitions: - FTD_SUFFIX: "[^0-9-]+" - # Before version 6.3, FTD used ASA prefix in syslog messages - FTD_PREFIX: "%{DATA}%(?:[A-Z]+)" - - # - # Create missing fields when no %FTD label is present - # - # message_id is needed in order for some processors below to work. - - set: - field: _temp_.cisco.message_id - value: "" - if: "ctx?._temp_?.cisco?.message_id == null" - - # - # set default event.severity to 7 (debug): - # - # This value is read from the EMBLEM header and won't be present if this is not - # an emblem message (firewalls can be configured to report other kinds of events) - - set: - field: event.severity - value: 7 - if: "ctx?.event?.severity == null" - - # - # Parse the date included in FTD logs - # - - date: - if: "ctx.event?.timezone == null && ctx._temp_?.raw_date != null" - field: "_temp_.raw_date" - target_field: "@timestamp" - formats: - - "ISO8601" - - "MMM d HH:mm:ss" - - "MMM dd HH:mm:ss" - - "EEE MMM d HH:mm:ss" - - "EEE MMM dd HH:mm:ss" - - "MMM d HH:mm:ss z" - - "MMM dd HH:mm:ss z" - - "EEE MMM d HH:mm:ss z" - - "EEE MMM dd HH:mm:ss z" - - "MMM d yyyy HH:mm:ss" - - "MMM dd yyyy HH:mm:ss" - - "EEE MMM d yyyy HH:mm:ss" - - "EEE MMM dd yyyy HH:mm:ss" - - "MMM d yyyy HH:mm:ss z" - - "MMM dd yyyy HH:mm:ss z" - - "EEE MMM d yyyy HH:mm:ss z" - - "EEE MMM dd yyyy HH:mm:ss z" - on_failure: - [ - { - "append": - { - "field": "error.message", - "value": "{{ _ingest.on_failure_message }}", - }, - }, - ] - - date: - if: "ctx.event?.timezone != null && ctx._temp_?.raw_date != null" - timezone: "{{ event.timezone }}" - field: "_temp_.raw_date" - target_field: 
"@timestamp" - formats: - - "ISO8601" - - "MMM d HH:mm:ss" - - "MMM dd HH:mm:ss" - - "EEE MMM d HH:mm:ss" - - "EEE MMM dd HH:mm:ss" - - "MMM d HH:mm:ss z" - - "MMM dd HH:mm:ss z" - - "EEE MMM d HH:mm:ss z" - - "EEE MMM dd HH:mm:ss z" - - "MMM d yyyy HH:mm:ss" - - "MMM dd yyyy HH:mm:ss" - - "EEE MMM d yyyy HH:mm:ss" - - "EEE MMM dd yyyy HH:mm:ss" - - "MMM d yyyy HH:mm:ss z" - - "MMM dd yyyy HH:mm:ss z" - - "EEE MMM d yyyy HH:mm:ss z" - - "EEE MMM dd yyyy HH:mm:ss z" - on_failure: - [ - { - "append": - { - "field": "error.message", - "value": "{{ _ingest.on_failure_message }}", - }, - }, - ] - - # - # Set log.level - # - - set: - field: "log.level" - if: "ctx.event.severity == 0" - value: unknown - - set: - field: "log.level" - if: "ctx.event.severity == 1" - value: alert - - set: - field: "log.level" - if: "ctx.event.severity == 2" - value: critical - - set: - field: "log.level" - if: "ctx.event.severity == 3" - value: error - - set: - field: "log.level" - if: "ctx.event.severity == 4" - value: warning - - set: - field: "log.level" - if: "ctx.event.severity == 5" - value: notification - - set: - field: "log.level" - if: "ctx.event.severity == 6" - value: informational - - set: - field: "log.level" - if: "ctx.event.severity == 7" - value: debug - - # - # Firewall messages - # - # This set of messages is shared between FTD and ASA. 
- - set: - if: 'ctx._temp_.cisco.message_id != ""' - field: "event.action" - value: "firewall-rule" - - dissect: - if: "ctx._temp_.cisco.message_id == '106001'" - field: "message" - description: "106001" - pattern: "%{network.direction} %{network.transport} connection %{event.outcome} from %{source.address}/%{source.port} to %{destination.address}/%{destination.port} flags %{} on interface %{_temp_.cisco.source_interface}" - - dissect: - if: "ctx._temp_.cisco.message_id == '106002'" - field: "message" - description: "106002" - pattern: "%{network.transport} Connection %{event.outcome} by %{network.direction} list %{_temp_.cisco.list_id} src %{source.address} dest %{destination.address}" - - dissect: - if: "ctx._temp_.cisco.message_id == '106006'" - field: "message" - description: "106006" - pattern: "%{event.outcome} %{network.direction} %{network.transport} from %{source.address}/%{source.port} to %{destination.address}/%{destination.port} on interface %{_temp_.cisco.source_interface}" - - dissect: - if: "ctx._temp_.cisco.message_id == '106007'" - field: "message" - description: "106007" - pattern: "%{event.outcome} %{network.direction} %{network.transport} from %{source.address}/%{source.port} to %{destination.address}/%{destination.port} due to %{network.protocol} %{}" - - grok: - if: "ctx._temp_.cisco.message_id == '106010'" - field: "message" - description: "106010" - patterns: - - "%{NOTSPACE:event.outcome} %{NOTSPACE:network.direction} %{NOTSPACE:network.transport} src %{NOTSPACE:_temp_.cisco.source_interface}:%{NOTSPACE:source.address}/%{POSINT:source.port} (%{DATA})?dst %{NOTSPACE:_temp_.cisco.destination_interface}:%{NOTSPACE:destination.address}/%{POSINT:destination.port}(%{GREEDYDATA})?" 
- - dissect: - if: "ctx._temp_.cisco.message_id == '106013'" - field: "message" - description: "106013" - pattern: "Dropping echo request from %{source.address} to PAT address %{destination.address}" - - set: - if: "ctx._temp_.cisco.message_id == '106013'" - field: "network.transport" - description: "106013" - value: icmp - - set: - if: "ctx._temp_.cisco.message_id == '106013'" - field: "network.direction" - description: "106013" - value: inbound - - grok: - if: "ctx._temp_.cisco.message_id == '106014'" - field: "message" - description: "106014" - patterns: - - "%{NOTSPACE:event.outcome} %{NOTSPACE:network.direction} %{NOTSPACE:network.transport} src %{NOTSPACE:_temp_.cisco.source_interface}:%{NOTSPACE:source.address} (%{DATA})?dst %{NOTSPACE:_temp_.cisco.destination_interface}:(?[^ (]*)(%{GREEDYDATA})?" - - grok: - if: "ctx._temp_.cisco.message_id == '106015'" - field: "message" - description: "106015" - patterns: - - "%{NOTSPACE:event.outcome} %{NOTSPACE:network.transport} %{NOTSPACE} %{NOTSPACE} from %{IP:source.address}/%{POSINT:source.port} to %{IPORHOST:destination.address}/%{POSINT:destination.port} flags %{DATA} on interface %{NOTSPACE:_temp_.cisco.source_interface}" - - dissect: - if: "ctx._temp_.cisco.message_id == '106016'" - field: "message" - pattern: "%{event.outcome} IP spoof from (%{source.address}) to %{destination.address} on interface %{_temp_.cisco.source_interface}" - description: "106016" - - dissect: - if: "ctx._temp_.cisco.message_id == '106017'" - field: "message" - pattern: "%{event.outcome} IP due to Land Attack from %{source.address} to %{destination.address}" - description: "106017" - - dissect: - if: "ctx._temp_.cisco.message_id == '106018'" - field: "message" - pattern: "%{network.transport} packet type %{_temp_.cisco.icmp_type} %{event.outcome} by %{network.direction} list %{_temp_.cisco.list_id} src %{source.address} dest %{destination.address}" - description: "106018" - - dissect: - if: "ctx._temp_.cisco.message_id == '106020'" - 
field: "message" - pattern: "%{event.outcome} IP teardrop fragment (size = %{}, offset = %{}) from %{source.address} to %{destination.address}" - description: "106020" - - dissect: - if: "ctx._temp_.cisco.message_id == '106021'" - field: "message" - pattern: "%{event.outcome} %{network.transport} reverse path check from %{source.address} to %{destination.address} on interface %{_temp_.cisco.source_interface}" - description: "106021" - - dissect: - if: "ctx._temp_.cisco.message_id == '106022'" - field: "message" - pattern: "%{event.outcome} %{network.transport} connection spoof from %{source.address} to %{destination.address} on interface %{_temp_.cisco.source_interface}" - description: "106022" - - grok: - if: "ctx._temp_.cisco.message_id == '106023'" - field: "message" - description: "106023" - patterns: - - ^%{NOTSPACE:event.outcome} ((protocol %{POSINT:network.iana_number})|%{NOTSPACE:network.transport}) src %{NOTCOLON:_temp_.cisco.source_interface}:%{IPORHOST:source.address}(/%{POSINT:source.port})?\s*(\(%{CISCO_USER:_temp_.cisco.source_username}\) )?dst %{NOTCOLON:_temp_.cisco.destination_interface}:%{IPORHOST:destination.address}(/%{POSINT:destination.port})?%{DATA}by access-group "%{NOTSPACE:_temp_.cisco.list_id}" - pattern_definitions: - HOSTNAME: "\\b(?:[0-9A-Za-z][0-9A-Za-z-_]{0,62})(?:\\.(?:[0-9A-Za-z][0-9A-Za-z-_]{0,62}))*(\\.?|\\b)" - IPORHOST: "(?:%{IP}|%{HOSTNAME})" - NOTCOLON: "[^:]*" - CISCO_USER: ((LOCAL\\)?(%{HOSTNAME}\\)?%{USERNAME}(@%{HOSTNAME})?(, *%{NUMBER})?) 
- - dissect: - if: "ctx._temp_.cisco.message_id == '106027'" - field: "message" - description: "106027" - pattern: '%{} %{event.outcome} src %{source.address} dst %{destination.address} by access-group "%{_temp_.cisco.list_id}"' - - dissect: - if: "ctx._temp_.cisco.message_id == '106100'" - field: "message" - description: "106100" - pattern: "access-list %{_temp_.cisco.list_id} %{event.outcome} %{network.transport} %{_temp_.cisco.source_interface}/%{source.address}(%{source.port})%{}-> %{_temp_.cisco.destination_interface}/%{destination.address}(%{destination.port})%{}" - - dissect: - if: "ctx._temp_.cisco.message_id == '106102' || ctx._temp_.cisco.message_id == '106103'" - field: "message" - description: "106103" - pattern: "access-list %{_temp_.cisco.list_id} %{event.outcome} %{network.transport} for user %{user.name} %{_temp_.cisco.source_interface}/%{source.address}(%{source.port})%{}-> %{_temp_.cisco.destination_interface}/%{destination.address}(%{destination.port})%{}" - - dissect: - if: "ctx._temp_.cisco.message_id == '111004'" - field: "message" - description: "111004" - pattern: "%{source.address} end configuration: %{_temp_.cisco.cli_outcome}" - - set: - field: event.outcome - description: "111004" - value: "success" - if: "ctx._temp_.cisco.message_id == '111004' && ctx?._temp_?.cisco?.cli_outcome == 'OK'" - - set: - field: event.outcome - description: "111004" - value: "failure" - if: "ctx._temp_.cisco.message_id == '111004' && ctx?._temp_?.cisco?.cli_outcome == 'FAILED'" - - remove: - field: _temp_.cisco.cli_outcome - ignore_missing: true - - append: - field: event.type - description: "111004" - value: "change" - if: "ctx._temp_.cisco.message_id == '111004'" - - grok: - if: "ctx._temp_.cisco.message_id == '111009'" - description: "111009" - field: "message" - patterns: - - "^%{NOTSPACE} '%{NOTSPACE:server.user.name}' executed %{NOTSPACE} %{GREEDYDATA:_temp_.cisco.command_line_arguments}" - - grok: - if: "ctx._temp_.cisco.message_id == '111010'" - field: 
"message"
- description: "111010"
- patterns:
- - "User '%{NOTSPACE:server.user.name}', running %{QUOTEDSTRING} from IP %{IP:source.address}, executed %{QUOTEDSTRING:_temp_.cisco.command_line_arguments}"
- - dissect:
- if: "ctx._temp_.cisco.message_id == '113004'"
- field: "message"
- description: "113004"
- pattern: "AAA user %{_temp_.cisco.aaa_type} Successful: server = %{destination.address} , User = %{source.user.name}"
- - grok:
- if: "ctx._temp_.cisco.message_id == '113005'"
- description: "113005"
- field: "message"
- patterns:
- - "AAA user authentication Rejected: reason = %{REASON}: server = %{IP:destination.address} : user = ?%{CISCO_USER:source.user.name}: user IP = %{IP:source.address}"
- pattern_definitions:
- REASON: (AAA failure|Account has been disabled)
- CISCO_USER: ((LOCAL\\)?(%{HOSTNAME}\\)?%{USERNAME}(@%{HOSTNAME})?(, *%{NUMBER})?)
- - dissect:
- if: "ctx._temp_.cisco.message_id == '113012'"
- field: "message"
- description: "113012"
- pattern: "AAA user authentication Successful: local database: user = %{source.user.name}"
- - dissect:
- if: "ctx._temp_.cisco.message_id == '113019'"
- field: "message"
- description: "113019"
- pattern: "Group = %{source.user.group.name}, Username = %{source.user.name}, IP = %{destination.address}, Session disconnected. Session Type: %{_temp_.cisco.session_type}, Duration: %{_temp_.duration_hms}, Bytes xmt: %{source.bytes}, Bytes rcv: %{destination.bytes}, Reason: %{event.reason}"
- - dissect:
- if: "ctx._temp_.cisco.message_id == '113021'"
- field: "message"
- description: "113021"
- pattern: "Attempted console login failed. User %{source.user.name} did NOT have appropriate Admin Rights."
- - dissect:
- if: "ctx._temp_.cisco.message_id == '113040'"
- field: "message"
- description: "113040"
- pattern: "Terminating the VPN connection attempt from %{source.user.group.name}. Reason: This connection is group locked to %{}."
- - grok:
- if: '["113029","113030","113031","113032","113033","113034","113035","113036","113038","113039"].contains(ctx._temp_.cisco.message_id)'
- field: "message"
- description: "113029, 113030, 113031, 113032, 113033, 113034, 113035, 113036, 113038, 113039"
- patterns:
- - "Group <%{NOTSPACE:source.user.group.name}> User <%{CISCO_USER:source.user.name}> IP <%{IP:source.address}>"
- - "Group %{NOTSPACE:source.user.group.name} User %{CISCO_USER:source.user.name} IP %{IP:source.address}"
- pattern_definitions:
- HOSTNAME: "\\b(?:[0-9A-Za-z][0-9A-Za-z-_]{0,62})(?:\\.(?:[0-9A-Za-z][0-9A-Za-z-_]{0,62}))*(\\.?|\\b)"
- IPORHOST: "(?:%{IP}|%{HOSTNAME})"
- CISCO_USER: ((LOCAL\\)?(%{HOSTNAME}\\)?%{USERNAME}(@%{HOSTNAME})?(, *%{NUMBER})?)
- - grok:
- if: '["302013", "302015"].contains(ctx._temp_.cisco.message_id)'
- field: "message"
- description: "302013, 302015"
- patterns:
- - Built %{NOTSPACE:network.direction} %{NOTSPACE:network.transport} connection %{NUMBER:_temp_.cisco.connection_id} for %{NOTCOLON:_temp_.cisco.source_interface}:%{IPORHOST:source.address}/%{NUMBER:source.port} \(%{IPORHOST:_temp_.natsrcip}/%{NUMBER:_temp_.cisco.mapped_source_port}\)(\(%{CISCO_USER:_temp_.cisco.source_username}\))? to %{NOTCOLON:_temp_.cisco.destination_interface}:%{NOTSPACE:destination.address}/%{NUMBER:destination.port} \(%{NOTSPACE:_temp_.natdstip}/%{NUMBER:_temp_.cisco.mapped_destination_port}\)(\(%{CISCO_USER:_temp_.cisco.destination_username}\))?( \(%{CISCO_USER:_temp_.cisco.termination_user}\))?%{GREEDYDATA}
- pattern_definitions:
- HOSTNAME: "\\b(?:[0-9A-Za-z][0-9A-Za-z-_]{0,62})(?:\\.(?:[0-9A-Za-z][0-9A-Za-z-_]{0,62}))*(\\.?|\\b)"
- IPORHOST: "(?:%{IP}|%{HOSTNAME})"
- NOTCOLON: "[^:]*"
- CISCO_USER: ((LOCAL\\)?(%{HOSTNAME}\\)?%{USERNAME}(@%{HOSTNAME})?(, *%{NUMBER})?)
- - dissect:
- if: "ctx._temp_.cisco.message_id == '303002'"
- field: "message"
- description: "303002"
- pattern: "%{network.protocol} connection from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port}, user %{client.user.name} %{} file %{file.path}"
- - grok:
- if: "ctx._temp_.cisco.message_id == '305012'"
- field: "message"
- description: "305012"
- patterns:
- - Teardown %{DATA} %{NOTSPACE:network.transport} translation from %{NOTCOLON:_temp_.cisco.source_interface}:%{IPORHOST:source.address}/%{NUMBER:source.port}(\s*\(%{CISCO_USER:_temp_.cisco.source_username}\))? to %{NOTCOLON:_temp_.cisco.destination_interface}:%{IP:destination.address}/%{NUMBER:destination.port} duration %{DURATION:_temp_.duration_hms}
- pattern_definitions:
- NOTCOLON: "[^:]*"
- HOSTNAME: "\\b(?:[0-9A-Za-z][0-9A-Za-z-_]{0,62})(?:\\.(?:[0-9A-Za-z][0-9A-Za-z-_]{0,62}))*(\\.?|\\b)"
- IPORHOST: "(?:%{IP}|%{HOSTNAME})"
- CISCO_USER: ((LOCAL\\)?(%{HOSTNAME}\\)?%{USERNAME}(@%{HOSTNAME})?(, *%{NUMBER})?)
- DURATION: "%{INT}:%{MINUTE}:%{SECOND}"
- - set:
- if: '["302020"].contains(ctx._temp_.cisco.message_id)'
- field: "event.action"
- value: "flow-creation"
- description: "302020"
- - grok:
- if: "ctx._temp_.cisco.message_id == '302020'"
- field: "message"
- description: "302020"
- patterns:
- - "Built %{NOTSPACE:network.direction} %{NOTSPACE:network.protocol} connection for faddr (?:%{NOTCOLON:_temp_.cisco.source_interface}:)?%{ECSDESTIPORHOST}/%{NUMBER}\\s*(?:\\(%{CISCO_USER:_temp_.cisco.destination_username}\\) )?gaddr (?:%{NOTCOLON}:)?%{MAPPEDSRC}/%{NUMBER} laddr (?:%{NOTCOLON:_temp_.cisco.source_interface}:)?%{ECSSOURCEIPORHOST}/%{NUMBER}\\s*(?:\\(%{CISCO_USER:_temp_.cisco.source_username}\\) )?(type %{NUMBER:_temp_.cisco.icmp_type} code %{NUMBER:_temp_.cisco.icmp_code})?"
- pattern_definitions:
- HOSTNAME: "\\b(?:[0-9A-Za-z][0-9A-Za-z-_]{0,62})(?:\\.(?:[0-9A-Za-z][0-9A-Za-z-_]{0,62}))*(\\.?|\\b)"
- IPORHOST: "(?:%{IP}|%{HOSTNAME})"
- NOTCOLON: "[^:]*"
- ECSSOURCEIPORHOST: "(?:%{IP:source.address}|%{HOSTNAME:source.domain})"
- ECSDESTIPORHOST: "(?:%{IP:destination.address}|%{HOSTNAME:destination.domain})"
- MAPPEDSRC: "(?:%{DATA:_temp_.natsrcip}|%{HOSTNAME})"
- CISCO_USER: ((LOCAL\\)?(%{HOSTNAME}\\)?%{USERNAME}(@%{HOSTNAME})?(, *%{NUMBER})?)
- - dissect:
- if: "ctx._temp_.cisco.message_id == '302022'"
- field: "message"
- description: "302022"
- pattern: "Built %{} stub %{network.transport} connection for %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} %{} to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} %{}"
- - dissect:
- if: "ctx._temp_.cisco.message_id == '302023'"
- field: "message"
- description: "302023"
- pattern: "Teardown stub %{network.transport} connection for %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} duration %{_temp_.duration_hms} forwarded bytes %{network.bytes} %{event.reason}"
- - grok:
- if: "ctx._temp_.cisco.message_id == '304001'"
- field: "message"
- description: "304001"
- patterns:
- - "(%{NOTSPACE:source.user.name}@)?%{IP:source.address}(\\(%{DATA}\\))? 
%{DATA} (%{NOTSPACE}@)?%{IPORHOST:destination.address}:%{GREEDYDATA:url.original}"
- - set:
- if: "ctx._temp_.cisco.message_id == '304001'"
- field: "event.outcome"
- description: "304001"
- value: allowed
- - dissect:
- if: "ctx._temp_.cisco.message_id == '304002'"
- field: "message"
- description: "304002"
- pattern: "Access %{event.outcome} URL %{url.original} SRC %{source.address} %{}EST %{destination.address} on interface %{_temp_.cisco.source_interface}"
- - grok:
- if: "ctx._temp_.cisco.message_id == '305011'"
- field: "message"
- description: "305011"
- patterns:
- - Built %{NOTSPACE} %{NOTSPACE:network.transport} translation from %{NOTSPACE:_temp_.cisco.source_interface}:%{IPORHOST:source.address}/%{NUMBER:source.port}(\(%{NOTSPACE:source.user.name}\))? to %{NOTSPACE:_temp_.cisco.destination_interface}:%{IP:destination.address}/%{NUMBER:destination.port}
- - dissect:
- if: "ctx._temp_.cisco.message_id == '313001'"
- field: "message"
- description: "313001"
- pattern: "%{event.outcome} %{network.transport} type=%{_temp_.cisco.icmp_type}, code=%{_temp_.cisco.icmp_code} from %{source.address} on interface %{_temp_.cisco.source_interface}"
- - dissect:
- if: "ctx._temp_.cisco.message_id == '313004'"
- field: "message"
- description: "313004"
- pattern: "%{event.outcome} %{network.transport} type=%{_temp_.cisco.icmp_type}, from%{}addr %{source.address} on interface %{_temp_.cisco.source_interface} to %{destination.address}: no matching session"
- - dissect:
- if: "ctx._temp_.cisco.message_id == '313005'"
- field: "message"
- description: "313005"
- pattern: "No matching connection for %{network.transport} error message: %{} on %{_temp_.cisco.source_interface} interface.%{}riginal IP payload: %{}"
- - dissect:
- if: "ctx._temp_.cisco.message_id == '313008'"
- field: "message"
- description: "313008"
- pattern: "%{event.outcome} %{network.transport} type=%{_temp_.cisco.icmp_type}, code=%{_temp_.cisco.icmp_code} from %{source.address} on interface 
%{_temp_.cisco.source_interface}"
- - dissect:
- if: "ctx._temp_.cisco.message_id == '313009'"
- field: "message"
- description: "313009"
- pattern: "%{event.outcome} invalid %{network.transport} code %{_temp_.cisco.icmp_code}, for %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}"
- - dissect:
- if: "ctx._temp_.cisco.message_id == '322001'"
- field: "message"
- description: "322001"
- pattern: "%{event.outcome} MAC address %{source.mac}, possible spoof attempt on interface %{_temp_.cisco.source_interface}"
- - dissect:
- if: "ctx._temp_.cisco.message_id == '338001'"
- field: "message"
- description: "338001"
- pattern: "Dynamic filter %{event.outcome} black%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}source %{} resolved from %{_temp_.cisco.list_id} list: %{source.domain}, threat-level: %{_temp_.cisco.threat_level}, category: %{_temp_.cisco.threat_category}"
- - set:
- if: "ctx._temp_.cisco.message_id == '338001'"
- field: "server.domain"
- description: "338001"
- value: "{{source.domain}}"
- ignore_empty_value: true
- - dissect:
- if: "ctx._temp_.cisco.message_id == '338002'"
- field: "message"
- description: "338002"
- pattern: "Dynamic %{}ilter %{event.outcome} black%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}destination %{} 
resolved from %{_temp_.cisco.list_id} list: %{destination.domain}"
- - set:
- if: "ctx._temp_.cisco.message_id == '338002'"
- field: "server.domain"
- description: "338002"
- value: "{{destination.domain}}"
- ignore_empty_value: true
- - dissect:
- if: "ctx._temp_.cisco.message_id == '338003'"
- field: "message"
- description: "338003"
- pattern: "Dynamic %{}ilter %{event.outcome} black%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}source %{} resolved from %{_temp_.cisco.list_id} list: %{}, threat-level: %{_temp_.cisco.threat_level}, category: %{_temp_.cisco.threat_category}"
- - dissect:
- if: "ctx._temp_.cisco.message_id == '338004'"
- field: "message"
- description: "338004"
- pattern: "Dynamic %{}ilter %{event.outcome} black%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}destination %{} resolved from %{_temp_.cisco.list_id} list: %{}, threat-level: %{_temp_.cisco.threat_level}, category: %{_temp_.cisco.threat_category}"
- - dissect:
- if: "ctx._temp_.cisco.message_id == '338005'"
- field: "message"
- description: "338005"
- pattern: "Dynamic %{}ilter %{event.outcome} black%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}source %{} resolved from %{_temp_.cisco.list_id} list: %{source.domain}, 
threat-level: %{_temp_.cisco.threat_level}, category: %{_temp_.cisco.threat_category}"
- - set:
- if: "ctx._temp_.cisco.message_id == '338005'"
- field: "server.domain"
- description: "338005"
- value: "{{source.domain}}"
- ignore_empty_value: true
- - dissect:
- if: "ctx._temp_.cisco.message_id == '338006'"
- field: "message"
- description: "338006"
- pattern: "Dynamic %{}ilter %{event.outcome} black%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}destination %{} resolved from %{_temp_.cisco.list_id} list: %{destination.domain}, threat-level: %{_temp_.cisco.threat_level}, category: %{_temp_.cisco.threat_category}"
- - set:
- if: "ctx._temp_.cisco.message_id == '338006'"
- field: "server.domain"
- description: "338006"
- value: "{{destination.domain}}"
- ignore_empty_value: true
- - dissect:
- if: "ctx._temp_.cisco.message_id == '338007'"
- field: "message"
- description: "338007"
- pattern: "Dynamic %{}ilter %{event.outcome} black%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}source %{} resolved from %{_temp_.cisco.list_id} list: %{}, threat-level: %{_temp_.cisco.threat_level}, category: %{_temp_.cisco.threat_category}"
- - dissect:
- if: "ctx._temp_.cisco.message_id == '338008'"
- field: "message"
- description: "338008"
- pattern: "Dynamic %{}ilter %{event.outcome} black%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to 
%{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}destination %{} resolved from %{_temp_.cisco.list_id} list: %{}, threat-level: %{_temp_.cisco.threat_level}, category: %{_temp_.cisco.threat_category}"
- - dissect:
- if: "ctx._temp_.cisco.message_id == '338101'"
- field: "message"
- description: "338101"
- pattern: "Dynamic %{}ilter %{event.outcome} white%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}source %{} resolved from %{_temp_.cisco.list_id} list: %{source.domain}"
- - set:
- if: "ctx._temp_.cisco.message_id == '338101'"
- field: "server.domain"
- description: "338101"
- value: "{{source.domain}}"
- ignore_empty_value: true
- - dissect:
- if: "ctx._temp_.cisco.message_id == '338102'"
- field: "message"
- description: "338102"
- pattern: "Dynamic %{}ilter %{event.outcome} white%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}destination %{} resolved from %{_temp_.cisco.list_id} list: %{destination.domain}"
- - set:
- if: "ctx._temp_.cisco.message_id == '338102'"
- field: "server.domain"
- description: "338102"
- value: "{{destination.domain}}"
- ignore_empty_value: true
- - dissect:
- if: "ctx._temp_.cisco.message_id == '338103'"
- field: "message"
- description: "338103"
- pattern: "Dynamic %{}ilter %{event.outcome} white%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} 
(%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}source %{} resolved from %{_temp_.cisco.list_id} list: %{}"
- - dissect:
- if: "ctx._temp_.cisco.message_id == '338104'"
- field: "message"
- description: "338104"
- pattern: "Dynamic %{}ilter %{event.outcome} white%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}destination %{} resolved from %{_temp_.cisco.list_id} list: %{}"
- - dissect:
- if: "ctx._temp_.cisco.message_id == '338201'"
- field: "message"
- description: "338201"
- pattern: "Dynamic %{}ilter %{event.outcome} grey%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}source %{} resolved from %{_temp_.cisco.list_id} list: %{source.domain}, threat-level: %{_temp_.cisco.threat_level}, category: %{_temp_.cisco.threat_category}"
- - set:
- if: "ctx._temp_.cisco.message_id == '338201'"
- field: "server.domain"
- description: "338201"
- value: "{{source.domain}}"
- ignore_empty_value: true
- - dissect:
- if: "ctx._temp_.cisco.message_id == '338202'"
- field: "message"
- description: "338202"
- pattern: "Dynamic %{}ilter %{event.outcome} grey%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} 
(%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}destination %{} resolved from %{_temp_.cisco.list_id} list: %{destination.domain}, threat-level: %{_temp_.cisco.threat_level}, category: %{_temp_.cisco.threat_category}"
- - set:
- if: "ctx._temp_.cisco.message_id == '338202'"
- field: "server.domain"
- description: "338202"
- value: "{{destination.domain}}"
- ignore_empty_value: true
- - dissect:
- if: "ctx._temp_.cisco.message_id == '338203'"
- field: "message"
- description: "338203"
- pattern: "Dynamic %{}ilter %{event.outcome} grey%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}source %{} resolved from %{_temp_.cisco.list_id} list: %{source.domain}, threat-level: %{_temp_.cisco.threat_level}, category: %{_temp_.cisco.threat_category}"
- - set:
- if: "ctx._temp_.cisco.message_id == '338203'"
- field: "server.domain"
- description: "338203"
- value: "{{source.domain}}"
- ignore_empty_value: true
- - dissect:
- if: "ctx._temp_.cisco.message_id == '338204'"
- field: "message"
- description: "338204"
- pattern: "Dynamic %{}ilter %{event.outcome} grey%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}destination %{} resolved from %{_temp_.cisco.list_id} list: %{destination.domain}, threat-level: %{_temp_.cisco.threat_level}, category: %{_temp_.cisco.threat_category}"
- - set:
- if: "ctx._temp_.cisco.message_id == '338204'"
- field: "server.domain"
- description: "338204"
- value: "{{destination.domain}}"
- ignore_empty_value: true
- - dissect:
- 
if: "ctx._temp_.cisco.message_id == '338301'"
- field: "message"
- description: "338301"
- pattern: "Intercepted DNS reply for domain %{source.domain} from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port}, matched %{_temp_.cisco.list_id}"
- - set:
- if: "ctx._temp_.cisco.message_id == '338301'"
- field: "client.address"
- description: "338301"
- value: "{{destination.address}}"
- ignore_empty_value: true
- - set:
- if: "ctx._temp_.cisco.message_id == '338301'"
- field: "client.port"
- description: "338301"
- value: "{{destination.port}}"
- ignore_empty_value: true
- - set:
- if: "ctx._temp_.cisco.message_id == '338301'"
- field: "server.address"
- description: "338301"
- value: "{{source.address}}"
- ignore_empty_value: true
- - set:
- if: "ctx._temp_.cisco.message_id == '338301'"
- field: "server.port"
- description: "338301"
- value: "{{source.port}}"
- ignore_empty_value: true
- - dissect:
- if: "ctx._temp_.cisco.message_id == '502103'"
- field: "message"
- description: "502103"
- pattern: "User priv level changed: Uname: %{server.user.name} 
From: %{_temp_.cisco.privilege.old} To: %{_temp_.cisco.privilege.new}"
- - append:
- if: "ctx._temp_.cisco.message_id == '502103'"
- field: "event.type"
- description: "502103"
- value:
- - "group"
- - "change"
- - append:
- if: "ctx._temp_.cisco.message_id == '502103'"
- field: "event.category"
- description: "502103"
- value: "iam"
- - dissect:
- if: "ctx._temp_.cisco.message_id == '507003'"
- field: "message"
- description: "507003"
- pattern: "%{network.transport} flow from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} terminated by inspection engine, reason - %{message}"
- - dissect:
- if: '["605004", "605005"].contains(ctx._temp_.cisco.message_id)'
- field: "message"
- description: "605004, 605005"
- pattern: 'Login %{event.outcome} from %{source.address}/%{source.port} to %{_temp_.cisco.destination_interface}:%{destination.address}/%{network.protocol} for user "%{source.user.name}"'
- - dissect:
- if: "ctx._temp_.cisco.message_id == '609001'"
- field: "message"
- description: "609001"
- pattern: "Built local-host %{_temp_.cisco.source_interface}:%{source.address}"
- - dissect:
- if: "ctx._temp_.cisco.message_id == '607001'"
- field: "message"
- description: "607001"
- pattern: "Pre-allocate SIP %{_temp_.cisco.connection_type} secondary channel for %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} to %{_temp_.cisco.source_interface}:%{source.address} from %{_temp_.cisco.message} message"
- - grok:
- if: "ctx._temp_.cisco.message_id == '607001'"
- description: "607001"
- field: "_temp_.cisco.connection_type"
- patterns:
- - "%{CONNECTION}"
- pattern_definitions:
- TRANSPORTS: "(?:UDP|TCP)"
- PROTOCOLS: "(?:RTP|RTCP)"
- CONNECTION: "(?:%{TRANSPORTS:network.transport}|%{PROTOCOLS:network.protocol})"
- ignore_failure: true
- - dissect:
- if: "ctx._temp_.cisco.message_id == '609002'"
- field: "message"
- description: "609002"
- 
pattern: "Teardown local-host %{_temp_.cisco.source_interface}:%{source.address} duration %{_temp_.duration_hms}"
- - dissect:
- if: '["611102", "611101"].contains(ctx._temp_.cisco.message_id)'
- field: "message"
- description: "611102, 611101"
- pattern: 'User authentication %{event.outcome}: IP address: %{source.address}, Uname: %{server.user.name}'
- - dissect:
- if: "ctx._temp_.cisco.message_id == '710003'"
- field: "message"
- description: "710003"
- pattern: "%{network.transport} access %{event.outcome} by ACL from %{source.address}/%{source.port} to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port}"
- - dissect:
- if: "ctx._temp_.cisco.message_id == '710005'"
- field: "message"
- description: "710005"
- pattern: "%{network.transport} request %{event.outcome} from %{source.address}/%{source.port} to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port}"
- - dissect:
- if: "ctx._temp_.cisco.message_id == '713049'"
- field: "message"
- description: "713049"
- pattern: "Group = %{}, IP = %{source.address}, Security negotiation complete for LAN-to-LAN Group (%{}) %{}, Inbound SPI = %{}, Outbound SPI = %{}"
- ignore_failure: true
- - dissect:
- if: "ctx._temp_.cisco.message_id == '713049'"
- field: "message"
- description: "713049"
- pattern: "Group = %{}, Username = %{user.name}, IP = %{source.address}, Security negotiation complete for User (%{}) %{}, Inbound SPI = %{}, Outbound SPI = %{}"
- ignore_failure: true
- - grok:
- if: "ctx._temp_.cisco.message_id == '716002'"
- field: "message"
- description: "716002"
- patterns:
- - "Group <%{NOTSPACE:_temp_.cisco.webvpn.group_name}> User <%{NOTSPACE:source.user.name}> IP <%{IP:source.address}> WebVPN session terminated: %{GREEDYDATA:event.reason}."
- - "Group %{NOTSPACE:_temp_.cisco.webvpn.group_name} User %{NOTSPACE:source.user.name} IP %{IP:source.address} WebVPN session terminated: %{GREEDYDATA:event.reason}."
- - grok:
- if: "ctx._temp_.cisco.message_id == '722051'"
- field: "message"
- description: "722051"
- patterns:
- - "Group <%{NOTSPACE:_temp_.cisco.webvpn.group_name}> User <%{NOTSPACE:source.user.name}> IP <%{IP:source.address}> IPv4 Address <%{IP:_temp_.cisco.assigned_ip}> %{GREEDYDATA}"
- - "Group %{NOTSPACE:_temp_.cisco.webvpn.group_name} User %{NOTSPACE:source.user.name} IP %{IP:source.address} IPv4 Address %{IP:_temp_.cisco.assigned_ip} %{GREEDYDATA}"
- - grok:
- if: "ctx._temp_.cisco.message_id == '733100'"
- field: "message"
- description: "733100"
- patterns:
- - \[(%{SPACE})?%{DATA:_temp_.cisco.burst.object}\] drop %{NOTSPACE:_temp_.cisco.burst.id} exceeded. Current burst rate is %{INT:_temp_.cisco.burst.current_rate} per second, max configured rate is %{INT:_temp_.cisco.burst.configured_rate}; Current average rate is %{INT:_temp_.cisco.burst.avg_rate} per second, max configured rate is %{INT:_temp_.cisco.burst.configured_avg_rate}; Cumulative total count is %{INT:_temp_.cisco.burst.cumulative_count}
- - dissect:
- if: "ctx._temp_.cisco.message_id == '734001'"
- field: "message"
- description: "734001"
- pattern: "DAP: User %{user.email}, Addr %{source.address}, Connection %{_temp_.cisco.connection_type}: The following DAP records were selected for this connection: %{_temp_.cisco.dap_records->}"
- - dissect:
- if: "ctx._temp_.cisco.message_id == '805001'"
- field: "message"
- description: "805001"
- pattern: "Offloaded %{network.transport} Flow for connection %{_temp_.cisco.connection_id} from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})"
- - dissect:
- if: "ctx._temp_.cisco.message_id == '805002'"
- field: "message"
- description: "805002"
- pattern: "%{network.transport} Flow is no longer offloaded for connection 
%{_temp_.cisco.connection_id} from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})"
- - split:
- field: "_temp_.cisco.dap_records"
- separator: ",\\s+"
- ignore_missing: true
- - dissect:
- if: "ctx._temp_.cisco.message_id == '434002'"
- field: "message"
- pattern: "SFR requested to %{event.action} %{network.protocol} packet from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port}"
- - dissect:
- if: "ctx._temp_.cisco.message_id == '434004'"
- field: "message"
- pattern: "SFR requested ASA to %{event.action} further packet redirection and process %{network.protocol} flow from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} locally"
- - dissect:
- if: "ctx._temp_.cisco.message_id == '110002'"
- field: "message"
- pattern: "%{event.reason} for %{network.protocol} from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} to %{destination.address}/%{destination.port}"
- - dissect:
- if: "ctx._temp_.cisco.message_id == '419002'"
- field: "message"
- pattern: "%{event.reason}from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} %{+event.reason}"
- - dissect:
- if: '["602303", "602304"].contains(ctx._temp_.cisco.message_id)'
- field: "message"
- pattern: "%{network.type}: An %{network.direction} %{_temp_.cisco.tunnel_type} SA (SPI= %{}) between %{source.address} and %{destination.address} (user= %{user.name}) has been %{event.action}."
- - dissect:
- if: "ctx._temp_.cisco.message_id == '750002'"
- field: "message"
- pattern: "Local:%{source.address}:%{source.port} Remote:%{destination.address}:%{destination.port} Username:%{user.name} %{event.reason}"
- - dissect:
- if: "ctx._temp_.cisco.message_id == '713120'"
- field: "message"
- pattern: "Group = %{}, IP = %{source.address}, %{event.reason} (msgid=%{event.id})"
- - dissect:
- if: "ctx._temp_.cisco.message_id == '713202'"
- field: "message"
- pattern: "IP = %{source.address}, %{event.reason}. %{} packet."
- - grok:
- if: "ctx._temp_.cisco.message_id == '716039'"
- field: "message"
- patterns:
- - "Authentication: rejected, group = %{NOTSPACE:source.user.group.name} user = %{USER:source.user.name} , Session Type: %{NOTSPACE:_temp_.cisco.session_type}"
- - "Group <%{NOTSPACE:source.user.group.name}> User <%{USER:source.user.name}> IP <%{IP:source.address}> Authentication: rejected, Session Type: %{NOTSPACE:_temp_.cisco.session_type}\\."
- - dissect:
- if: "ctx._temp_.cisco.message_id == '750003'"
- field: "message"
- pattern: "Local:%{source.address}:%{source.port} Remote:%{destination.address}:%{destination.port} Username:%{user.name} %{event.reason} ERROR:%{+event.reason}"
- - grok:
- if: '["713905", "713904", "713906", "713902", "713901"].contains(ctx._temp_.cisco.message_id)'
- field: "message"
- patterns:
- - "^(Group = %{IP}, )?(IP = %{IP:source.address}, )?%{GREEDYDATA:event.reason}$"
- # Handle ecs action outcome protocol
- - set:
- if: '["434002", "434004"].contains(ctx._temp_.cisco.message_id)'
- field: "event.outcome"
- value: "unknown"
- - set:
- if: '["419002"].contains(ctx._temp_.cisco.message_id)'
- field: "network.protocol"
- value: "tcp"
- - set:
- if: '["110002"].contains(ctx._temp_.cisco.message_id)'
- field: "event.outcome"
- value: "dropped"
- - set:
- if: '["713120"].contains(ctx._temp_.cisco.message_id)'
- field: "event.outcome"
- value: "success"
- - set:
- if: '["113004", "113012"].contains(ctx._temp_.cisco.message_id)'
- 
field: "event.outcome"
- value: "success"
- - set:
- if: '["113002", "113005", "113021"].contains(ctx._temp_.cisco.message_id)'
- field: "event.outcome"
- value: "failure"
- - set:
- if: '["602303", "602304", "611101"].contains(ctx._temp_.cisco.message_id)'
- field: "event.outcome"
- value: "success"
- - set:
- if: '["605004", "611102"].contains(ctx._temp_.cisco.message_id)'
- field: "event.outcome"
- value: "failure"
- - set:
- if: '["734001"].contains(ctx._temp_.cisco.message_id)'
- field: "event.outcome"
- value: "success"
- - set:
- if: '["716039"].contains(ctx._temp_.cisco.message_id)'
- field: "event.outcome"
- value: "failure"
- - set:
- if: '["710005"].contains(ctx._temp_.cisco.message_id)'
- field: "event.outcome"
- value: "dropped"
- - set:
- if: '["713901", "713902", "713903", "713904", "713905"].contains(ctx._temp_.cisco.message_id)'
- field: "event.outcome"
- value: "failure"
- - set:
- if: '["113039"].contains(ctx._temp_.cisco.message_id)'
- field: "event.action"
- value: "client-vpn-connected"
- - set:
- if: '["113029","113030","113031","113032","113033","113034","113035","113036","113037","113038"].contains(ctx._temp_.cisco.message_id)'
- field: "event.action"
- value: "client-vpn-error"
- - set:
- if: '["113040"].contains(ctx._temp_.cisco.message_id)'
- field: "event.action"
- value: "client-vpn-disconnected"
- - set:
- if: '["750002", "750003"].contains(ctx._temp_.cisco.message_id)'
- field: "event.action"
- value: "connection-started"
- - set:
- if: '["750003", "713905", "713904", "713906", "713902", "713901"].contains(ctx._temp_.cisco.message_id)'
- field: "event.action"
- value: "error"
- - set:
- if: '["113005", "113021", "605004", "611102", "716039"].contains(ctx._temp_.cisco.message_id)'
- field: "event.action"
- value: "logon-failed"
- - set:
- if: '["113004", "113012", "611101", "734001"].contains(ctx._temp_.cisco.message_id)'
- field: "event.action"
- value: "logged-in"
- - append:
- if: '["750003", "713905", "713904", "713906", "713902", 
"713901"].contains(ctx._temp_.cisco.message_id)'
- field: "event.type"
- value: "error"
-
- #
- # Handle 302xxx messages (Flow expiration a.k.a "Teardown")
- #
- - set:
- if: '["305012", "302014", "302016", "302018", "302021", "302036", "302304", "302306", "609001", "609002"].contains(ctx._temp_.cisco.message_id)'
- field: "event.action"
- value: "flow-expiration"
- description: "305012, 302014, 302016, 302018, 302021, 302036, 302304, 302306, 609001, 609002"
- - grok:
- field: "message"
- if: '["302014", "302016", "302018", "302021", "302036", "302304", "302306"].contains(ctx._temp_.cisco.message_id)'
- description: "302014, 302016, 302018, 302021, 302036, 302304, 302306"
- patterns:
- - ^Teardown %{NOTSPACE:network.transport} (?:state-bypass )?connection %{NOTSPACE:_temp_.cisco.connection_id} (?:for|from) %{NOTCOLON:_temp_.cisco.source_interface}:%{DATA:source.address}/%{NUMBER:source.port:int}\s*(?:\(?%{CISCO_USER:_temp_.cisco.source_username}\)? )?to %{NOTCOLON:_temp_.cisco.destination_interface}:%{DATA:destination.address}/%{NUMBER:destination.port:int}\s*(?:\(?%{CISCO_USER:_temp_.cisco.destination_username}\)? )?duration (?:%{DURATION:_temp_.duration_hms} bytes %{NUMBER:network.bytes}) %{NOTCOLON:event.reason} from %{NOTCOLON:_temp_.cisco.termination_initiator} \(%{CISCO_USER:_temp_.cisco.termination_user}\)
- - ^Teardown %{NOTSPACE:network.transport} (?:state-bypass )?connection %{NOTSPACE:_temp_.cisco.connection_id} (?:for|from) %{NOTCOLON:_temp_.cisco.source_interface}:%{DATA:source.address}/%{NUMBER:source.port:int}\s*(?:\(?%{CISCO_USER:_temp_.cisco.source_username}\)? )?to %{NOTCOLON:_temp_.cisco.destination_interface}:%{DATA:destination.address}/%{NUMBER:destination.port:int}\s*(?:\(?%{CISCO_USER:_temp_.cisco.destination_username}\)?
)?duration (?:%{DURATION:_temp_.duration_hms} bytes %{NUMBER:network.bytes}) %{NOTCOLON:event.reason} from %{NOTCOLON:_temp_.cisco.termination_initiator}
- - ^Teardown %{NOTSPACE:network.transport} (?:state-bypass )?connection %{NOTSPACE:_temp_.cisco.connection_id} (?:for|from) %{NOTCOLON:_temp_.cisco.source_interface}:%{DATA:source.address}/%{NUMBER:source.port:int}\s*(?:\(?%{CISCO_USER:_temp_.cisco.source_username}\)? )?to %{NOTCOLON:_temp_.cisco.destination_interface}:%{DATA:destination.address}/%{NUMBER:destination.port:int}\s*(?:\(?%{CISCO_USER:_temp_.cisco.destination_username}\)? )?duration (?:%{DURATION:_temp_.duration_hms} bytes %{NUMBER:network.bytes}) %{NOTCOLON:event.reason} \(%{CISCO_USER:_temp_.cisco.termination_user}\)
- - ^Teardown %{NOTSPACE:network.transport} (?:state-bypass )?connection %{NOTSPACE:_temp_.cisco.connection_id} (?:for|from) %{NOTCOLON:_temp_.cisco.source_interface}:%{DATA:source.address}/%{NUMBER:source.port:int}\s*(?:\(?%{CISCO_USER:_temp_.cisco.source_username}\)? )?to %{NOTCOLON:_temp_.cisco.destination_interface}:%{DATA:destination.address}/%{NUMBER:destination.port:int}\s*(?:\(?%{CISCO_USER:_temp_.cisco.destination_username}\)? )?duration (?:%{DURATION:_temp_.duration_hms} bytes %{NUMBER:network.bytes}) \(%{CISCO_USER:_temp_.cisco.termination_user}\)
- - ^Teardown %{NOTSPACE:network.transport} (?:state-bypass )?connection %{NOTSPACE:_temp_.cisco.connection_id} (?:for|from) %{NOTCOLON:_temp_.cisco.source_interface}:%{DATA:source.address}/%{NUMBER:source.port:int}\s*(?:\(?%{CISCO_USER:_temp_.cisco.source_username}\)? )?to %{NOTCOLON:_temp_.cisco.destination_interface}:%{DATA:destination.address}/%{NUMBER:destination.port:int}\s*(?:\(?%{CISCO_USER:_temp_.cisco.destination_username}\)?
)?duration (?:%{DURATION:_temp_.duration_hms} bytes %{NUMBER:network.bytes}) %{NOTCOLON:event.reason}
- - ^Teardown %{NOTSPACE:network.transport} (?:state-bypass )?connection %{NOTSPACE:_temp_.cisco.connection_id} (?:for|from) %{NOTCOLON:_temp_.cisco.source_interface}:%{DATA:source.address}/%{NUMBER:source.port:int}\s*(?:\(?%{CISCO_USER:_temp_.cisco.source_username}\)? )?to %{NOTCOLON:_temp_.cisco.destination_interface}:%{DATA:destination.address}/%{NUMBER:destination.port:int}\s*(?:\(?%{CISCO_USER:_temp_.cisco.destination_username}\)? )?duration (?:%{DURATION:_temp_.duration_hms} bytes %{NUMBER:network.bytes})
- - ^Teardown %{NOTSPACE:network.transport} connection for faddr (?:%{NOTCOLON:_temp_.cisco.source_interface}:)?%{ECSDESTIPORHOST}/%{NUMBER}\s*(?:\(?%{CISCO_USER:_temp_.cisco.destination_username}\)? )?gaddr (?:%{NOTCOLON}:)?%{MAPPEDSRC}/%{NUMBER} laddr (?:%{NOTCOLON:_temp_.cisco.source_interface}:)?%{ECSSOURCEIPORHOST}/%{NUMBER}\s*(?:\(%{CISCO_USER:_temp_.cisco.source_username}\))?(\s*type %{NUMBER:_temp_.cisco.icmp_type} code %{NUMBER:_temp_.cisco.icmp_code})?
- pattern_definitions:
- HOSTNAME: "\\b(?:[0-9A-Za-z][0-9A-Za-z-_]{0,62})(?:\\.(?:[0-9A-Za-z][0-9A-Za-z-_]{0,62}))*(\\.?|\\b)"
- IPORHOST: "(?:%{IP}|%{HOSTNAME})"
- NOTCOLON: "[^:]*"
- ECSSOURCEIPORHOST: "(?:%{IP:source.address}|%{HOSTNAME:source.domain})"
- ECSDESTIPORHOST: "(?:%{IP:destination.address}|%{HOSTNAME:destination.domain})"
- MAPPEDSRC: "(?:%{IPORHOST:_temp_.natsrcip}|%{HOSTNAME})"
- DURATION: "%{INT}:%{MINUTE}:%{SECOND}"
- CISCO_USER: ((LOCAL\\)?(%{HOSTNAME}\\)?%{USERNAME}(@%{HOSTNAME})?(, *%{NUMBER})?)
-
- #
- # Decode FTD's Security Event Syslog Messages
- #
- # 43000x messages are security event syslog messages specific to FTD.
- # Format is a comma-separated sequence of key: value pairs.
- #
- # The result of this decoding is saved as _temp_.orig_security.{Key}: {Value}
- - kv:
- if: '["430001", "430002", "430003", "430004", "430005", ""].contains(ctx._temp_.cisco.message_id)'
- field: "message"
- description: "430001, 430002, 430003, 430004, 430005"
- field_split: ",(?=[A-za-z1-9\\s]+:)"
- value_split: ":"
- target_field: "_temp_.orig_security"
- trim_key: " "
- trim_value: " "
- ignore_failure: true
-
- #
- # Remove _temp_.full_message.
- #
- # The field has been used as temporary buffer while decoding. The full message
- # is kept under event.original. Processors below can still add a message field, as some
- # security events contain an explanatory Message field.
- - remove:
- field:
- - message
- - _temp_.full_message
- ignore_missing: true
-
- #
- # Populate ECS fields from Security Events
- #
- # This script uses the key-value pairs from Security Events to populate
- # the appropriate ECS fields.
- #
- # A single key can be mapped to multiple ECS fields, and more than one key can
- # map to the same ECS field, which results in an array being created.
- #
- # This script performs an additional job:
- #
- # Before FTD version 6.3, the message_id was not included in Security Events.
- # As this field encodes the kind of event (intrusion, connection, malware...)
- # the script below will guess the right message_id from the keys present in
- # the event.
- #
- # The reason for overloading this script with different behaviors is
- # that this pipeline is already reaching the limit on script compilations.
- #
- #*******************************************************************************
- # Code generated by go generate. DO NOT EDIT.
- #*******************************************************************************
- - script:
- if: ctx._temp_?.orig_security != null
- params:
- ACPolicy:
- target: ac_policy
- id: ["430001", "430002", "430003"]
- ecs: [_temp_.cisco.rule_name]
- AccessControlRuleAction:
- target: access_control_rule_action
- id: ["430002", "430003"]
- ecs: [event.outcome]
- AccessControlRuleName:
- target: access_control_rule_name
- id: ["430002", "430003"]
- ecs: [_temp_.cisco.rule_name]
- AccessControlRuleReason:
- target: access_control_rule_reason
- id: ["430002", "430003"]
- ApplicationProtocol:
- target: application_protocol
- ecs: [network.protocol]
- ArchiveDepth:
- target: archive_depth
- id: ["430004", "430005"]
- ArchiveFileName:
- target: archive_file_name
- id: ["430004", "430005"]
- ecs: [file.name]
- ArchiveFileStatus:
- target: archive_file_status
- id: ["430004", "430005"]
- ArchiveSHA256:
- target: archive_sha256
- id: ["430004", "430005"]
- ecs: [file.hash.sha256]
- Classification:
- target: classification
- id: ["430001"]
- Client:
- target: client
- ecs: [network.application]
- ClientVersion:
- target: client_version
- id: ["430002", "430003"]
- ConnectionDuration:
- target: connection_duration
- id: ["430003"]
- ecs: [event.duration]
- DNS_Sinkhole:
- target: dns_sinkhole
- id: ["430002", "430003"]
- DNS_TTL:
- target: dns_ttl
- id: ["430002", "430003"]
- DNSQuery:
- target: dns_query
- id: ["430002", "430003"]
- ecs: [dns.question.name]
- DNSRecordType:
- target: dns_record_type
- id: ["430002", "430003"]
- ecs: [dns.question.type]
- DNSResponseType:
- target: dns_response_type
- id: ["430002", "430003"]
- ecs: [dns.response_code]
- DNSSICategory:
- target: dnssi_category
- id: ["430002", "430003"]
- DstIP:
- target: dst_ip
- ecs: [destination.address]
- DstPort:
- target: dst_port
- ecs: [destination.port]
- EgressInterface:
- target: egress_interface
- id: ["430001", "430002", "430003"]
- ecs: [_temp_.cisco.destination_interface]
- EgressZone:
- target:
egress_zone
- id: ["430001", "430002", "430003"]
- Endpoint Profile:
- target: endpoint_profile
- id: ["430002", "430003"]
- FileAction:
- target: file_action
- id: ["430004", "430005"]
- FileCount:
- target: file_count
- id: ["430002", "430003"]
- FileDirection:
- target: file_direction
- id: ["430004", "430005"]
- FileName:
- target: file_name
- id: ["430004", "430005"]
- ecs: [file.name]
- FilePolicy:
- target: file_policy
- id: ["430004", "430005"]
- ecs: [_temp_.cisco.rule_name]
- FileSHA256:
- target: file_sha256
- id: ["430004", "430005"]
- ecs: [file.hash.sha256]
- FileSandboxStatus:
- target: file_sandbox_status
- id: ["430004", "430005"]
- FileSize:
- target: file_size
- id: ["430004", "430005"]
- ecs: [file.size]
- FileStorageStatus:
- target: file_storage_status
- id: ["430004", "430005"]
- FileType:
- target: file_type
- id: ["430004", "430005"]
- FirstPacketSecond:
- target: first_packet_second
- id: ["430004", "430005"]
- ecs: [event.start]
- GID:
- target: gid
- id: ["430001"]
- ecs: [service.id]
- HTTPReferer:
- target: http_referer
- id: ["430002", "430003"]
- ecs: [http.request.referrer]
- HTTPResponse:
- target: http_response
- id: ["430001", "430002", "430003"]
- ecs: [http.response.status_code]
- ICMPCode:
- target: icmp_code
- id: ["430001", "430002", "430003"]
- ICMPType:
- target: icmp_type
- id: ["430001", "430002", "430003"]
- IPReputationSICategory:
- target: ip_reputation_si_category
- id: ["430002", "430003"]
- IPSCount:
- target: ips_count
- id: ["430002", "430003"]
- IngressInterface:
- target: ingress_interface
- id: ["430001", "430002", "430003"]
- ecs: [_temp_.cisco.source_interface]
- IngressZone:
- target: ingress_zone
- id: ["430001", "430002", "430003"]
- InitiatorBytes:
- target: initiator_bytes
- id: ["430003"]
- ecs: [source.bytes]
- InitiatorPackets:
- target: initiator_packets
- id: ["430003"]
- ecs: [source.packets]
- InlineResult:
- target: inline_result
- id: ["430001"]
- ecs: [event.outcome]
- IntrusionPolicy:
-
target: intrusion_policy
- id: ["430001"]
- ecs: [_temp_.cisco.rule_name]
- MPLS_Label:
- target: mpls_label
- id: ["430001"]
- Message:
- target: message
- id: ["430001"]
- ecs: [message]
- NAPPolicy:
- target: nap_policy
- id: ["430001", "430002", "430003"]
- NetBIOSDomain:
- target: net_bios_domain
- id: ["430002", "430003"]
- ecs: [host.hostname]
- NumIOC:
- target: num_ioc
- id: ["430001"]
- Prefilter Policy:
- target: prefilter_policy
- id: ["430002", "430003"]
- Priority:
- target: priority
- id: ["430001"]
- Protocol:
- target: protocol
- ecs: [network.transport]
- ReferencedHost:
- target: referenced_host
- id: ["430002", "430003"]
- ecs: [url.domain]
- ResponderBytes:
- target: responder_bytes
- id: ["430003"]
- ecs: [destination.bytes]
- ResponderPackets:
- target: responder_packets
- id: ["430003"]
- ecs: [destination.packets]
- Revision:
- target: revision
- id: ["430001"]
- SHA_Disposition:
- target: sha_disposition
- id: ["430004", "430005"]
- SID:
- target: sid
- id: ["430001"]
- SSLActualAction:
- target: ssl_actual_action
- ecs: [event.outcome]
- SSLCertificate:
- target: ssl_certificate
- id: ["430002", "430003", "430004", "430005"]
- SSLExpectedAction:
- target: ssl_expected_action
- id: ["430002", "430003"]
- SSLFlowStatus:
- target: ssl_flow_status
- id: ["430002", "430003", "430004", "430005"]
- SSLPolicy:
- target: ssl_policy
- id: ["430002", "430003"]
- SSLRuleName:
- target: ssl_rule_name
- id: ["430002", "430003"]
- SSLServerCertStatus:
- target: ssl_server_cert_status
- id: ["430002", "430003"]
- SSLServerName:
- target: ssl_server_name
- id: ["430002", "430003"]
- ecs: [server.domain]
- SSLSessionID:
- target: ssl_session_id
- id: ["430002", "430003"]
- SSLTicketID:
- target: ssl_ticket_id
- id: ["430002", "430003"]
- SSLURLCategory:
- target: sslurl_category
- id: ["430002", "430003"]
- SSLVersion:
- target: ssl_version
- id: ["430002", "430003"]
- SSSLCipherSuite:
- target: sssl_cipher_suite
- id: ["430002", "430003"]
-
SecIntMatchingIP:
- target: sec_int_matching_ip
- id: ["430002", "430003"]
- Security Group:
- target: security_group
- id: ["430002", "430003"]
- SperoDisposition:
- target: spero_disposition
- id: ["430004", "430005"]
- SrcIP:
- target: src_ip
- ecs: [source.address]
- SrcPort:
- target: src_port
- ecs: [source.port]
- TCPFlags:
- target: tcp_flags
- id: ["430002", "430003"]
- ThreatName:
- target: threat_name
- id: ["430005"]
- ecs: [_temp_.cisco.threat_category]
- ThreatScore:
- target: threat_score
- id: ["430005"]
- ecs: [_temp_.cisco.threat_level]
- Tunnel or Prefilter Rule:
- target: tunnel_or_prefilter_rule
- id: ["430002", "430003"]
- URI:
- target: uri
- id: ["430004", "430005"]
- ecs: [url.original]
- URL:
- target: url
- id: ["430002", "430003"]
- ecs: [url.original]
- URLCategory:
- target: url_category
- id: ["430002", "430003"]
- URLReputation:
- target: url_reputation
- id: ["430002", "430003"]
- URLSICategory:
- target: urlsi_category
- id: ["430002", "430003"]
- User:
- target: user
- ecs: [user.id, user.name]
- UserAgent:
- target: user_agent
- id: ["430002", "430003"]
- ecs: [user_agent.original]
- VLAN_ID:
- target: vlan_id
- id: ["430001", "430002", "430003"]
- WebApplication:
- target: web_application
- ecs: [network.application]
- originalClientSrcIP:
- target: original_client_src_ip
- id: ["430002", "430003"]
- ecs: [client.address]
- lang: painless
- source: |
- boolean isEmpty(def value) {
- return (value instanceof AbstractList? value.size() : value.length()) == 0;
- }
- def appendOrCreate(Map dest, String[] path, def value) {
- for (int i=0; i new HashMap());
- }
- String key = path[path.length - 1];
- def existing = dest.get(key);
- return existing == null?
- dest.put(key, value)
- : existing instanceof AbstractList?
- existing.add(value)
- : dest.put(key, new ArrayList([existing, value]));
- }
- def msg = ctx._temp_.orig_security;
- def counters = new HashMap();
- def dest = new HashMap();
- ctx._temp_.cisco['security'] = dest;
- for (entry in msg.entrySet()) {
- def param = params.get(entry.getKey());
- if (param == null) {
- continue;
- }
- param.getOrDefault('id', []).forEach( id -> counters[id] = 1 + counters.getOrDefault(id, 0) );
- if (!isEmpty(entry.getValue())) {
- param.getOrDefault('ecs', []).forEach( field -> appendOrCreate(ctx, field.splitOnToken('.'), entry.getValue()) );
- dest[param.target] = entry.getValue();
- }
- }
- if (ctx._temp_.cisco.message_id != "") return;
- def best;
- for (entry in counters.entrySet()) {
- if (best == null || best.getValue() < entry.getValue()) best = entry;
- }
- if (best != null) ctx._temp_.cisco.message_id = best.getKey();
- #*******************************************************************************
- # End of generated code.
- #*******************************************************************************
-
- #
- # Normalize ECS field values
- #
- - script:
- lang: painless
- params:
- "ctx._temp_.cisco.message_id":
- target: event.action
- map:
- "430001": intrusion-detected
- "430002": connection-started
- "430003": connection-finished
- "430004": file-detected
- "430005": malware-detected
- "dns.question.type":
- map:
- "a host address": A
- "ip6 address": AAAA
- "text strings": TXT
- "a domain name pointer": PTR
- "an authoritative name server": NS
- "the canonical name for an alias": CNAME
- "marks the start of a zone of authority": SOA
- "mail exchange": MX
- "server selection": SRV
- "dns.response_code":
- map:
- "non-existent domain": NXDOMAIN
- "server failure": SERVFAIL
- "query refused": REFUSED
- "no error": NOERROR
- source: |
- def getField(Map src, String[] path) {
- for (int i=0; i new HashMap());
- }
- dest[path[path.length-1]] = value;
- }
- for (entry in params.entrySet()) {
- def srcField =
entry.getKey();
- def param = entry.getValue();
- String oldVal = getField(ctx, srcField.splitOnToken('.'));
- if (oldVal == null) continue;
- def newVal = param.map?.getOrDefault(oldVal.toLowerCase(), null);
- if (newVal != null) {
- def dstField = param.getOrDefault('target', srcField);
- setField(ctx, dstField.splitOnToken('.'), newVal);
- }
- }
- - set:
- if: "ctx.dns?.question?.type != null && ctx.dns?.response_code == null"
- field: dns.response_code
- value: NOERROR
- - set:
- if: 'ctx._temp_.cisco.message_id == "430001"'
- field: event.action
- value: intrusion-detected
- - set:
- if: 'ctx._temp_.cisco.message_id == "430002"'
- field: event.action
- value: connection-started
- - set:
- if: 'ctx._temp_.cisco.message_id == "430003"'
- field: event.action
- value: connection-finished
- - set:
- if: 'ctx._temp_.cisco.message_id == "430004"'
- field: event.action
- value: file-detected
- - set:
- if: 'ctx._temp_.cisco.message_id == "430005"'
- field: event.action
- value: malware-detected
-
- #
- # Handle event.duration
- #
- # It can be set from ConnectionDuration FTD field above. This field holds
- # seconds as a string. Copy it to _temp_.duration_hms so that the following
- # processor converts it to the right value and populates start and end.
- - set:
- field: "_temp_.duration_hms"
- value: "{{event.duration}}"
- ignore_empty_value: true
-
- #
- # Process the flow duration "hh:mm:ss" present in some messages
- # This will fill event.start, event.end and event.duration
- #
- - script:
- lang: painless
- if: "ctx?._temp_?.duration_hms != null"
- source: >
- long parse_hms(String s) {
- long cur = 0, total = 0;
- for (char c: s.toCharArray()) {
- if (c >= (char)'0' && c <= (char)'9') {
- cur = (cur*10) + (long)c - (char)'0';
- } else if (c == (char)':') {
- total = (total + cur) * 60;
- cur = 0;
- } else if (c != (char)'h' && c == (char)'m' && c == (char)'s') {
- return 0;
- }
- }
- return total + cur;
- }
- if (ctx?.event == null) {
- ctx['event'] = new HashMap();
- }
- String end = ctx['@timestamp'];
- ctx.event['end'] = end;
- long nanos = parse_hms(ctx._temp_.duration_hms) * 1000000000L;
- ctx.event['duration'] = nanos;
- ctx.event['start'] = ZonedDateTime.ofInstant(
- Instant.parse(end).minusNanos(nanos),
- ZoneOffset.UTC);
- #
- # Parse Source/Dest Username/Domain
- #
- - grok:
- field: "_temp_.cisco.source_username"
- if: 'ctx?._temp_?.cisco?.source_username != null'
- ignore_failure: true
- patterns:
- - '%{CISCO_DOMAIN_USER:_temp_.cisco.source_username}%{CISCO_SGT}'
- pattern_definitions:
- CISCO_DOMAIN_USER: (%{CISCO_DOMAIN})?%{CISCO_USER}
- CISCO_SGT: (, *%{NUMBER:_temp_.cisco.source_user_security_group_tag})?
- CISCO_USER: "%{USERNAME}(@%{HOSTNAME})?"
- CISCO_DOMAIN: (LOCAL\\)?(%{HOSTNAME}\\)?
- - convert:
- field: _temp_.cisco.source_user_security_group_tag
- type: long
- ignore_missing: true
- - grok:
- field: "_temp_.cisco.destination_username"
- if: 'ctx?._temp_?.cisco?.destination_username != null'
- ignore_failure: true
- patterns:
- - '%{CISCO_DOMAIN_USER:_temp_.cisco.destination_username}%{CISCO_SGT}'
- pattern_definitions:
- CISCO_DOMAIN_USER: (%{CISCO_DOMAIN})?%{CISCO_USER}
- CISCO_SGT: (, *%{NUMBER:_temp_.cisco.destination_user_security_group_tag})?
- CISCO_USER: "%{USERNAME}(@%{HOSTNAME})?"
- CISCO_DOMAIN: (LOCAL\\)?(%{HOSTNAME}\\)?
- - convert:
- field: _temp_.cisco.destination_user_security_group_tag
- type: long
- ignore_missing: true
- - set:
- field: source.user.name
- value: "{{{ _temp_.cisco.source_username }}}"
- if: 'ctx?.source?.user?.name == null && ctx?._temp_?.cisco?.source_username != null'
- - set:
- field: destination.user.name
- value: "{{{ _temp_.cisco.destination_username }}}"
- if: 'ctx?.destination?.user?.name == null && ctx?._temp_?.cisco?.destination_username != null'
- - grok:
- field: "source.user.name"
- if: 'ctx?.source?.user?.name != null'
- ignore_failure: true
- patterns:
- - (%{CISCO_DOMAIN})?%{CISCO_USER}
- pattern_definitions:
- CISCO_USER: "%{USERNAME:source.user.name}(@%{HOSTNAME:source.user.domain})?"
- CISCO_DOMAIN: (LOCAL\\)?(%{HOSTNAME:source.user.domain}\\)?
- - grok:
- field: "destination.user.name"
- if: 'ctx?.destination?.user?.name != null'
- ignore_failure: true
- patterns:
- - (%{CISCO_DOMAIN})?%{CISCO_USER}
- pattern_definitions:
- CISCO_USER: "%{USERNAME:destination.user.name}(@%{HOSTNAME:destination.user.domain})?"
- CISCO_DOMAIN: (LOCAL\\)?(%{HOSTNAME:destination.user.domain}\\)?
-
- #
- # Normalize protocol names
- #
- - lowercase:
- field: "network.transport"
- ignore_failure: true
- - lowercase:
- field: "network.protocol"
- ignore_failure: true
- - lowercase:
- field: "network.application"
- ignore_failure: true
- - lowercase:
- field: "file.type"
- ignore_failure: true
- - lowercase:
- field: "network.direction"
- ignore_failure: true
- - lowercase:
- field: "network.type"
- ignore_failure: true
- #
- # Populate network.iana_number from network.transport. Also does reverse
- # mapping in case network.transport contains the iana_number.
- #
- - script:
- if: "ctx?.network?.transport != null"
- lang: painless
- params:
- icmp: 1
- igmp: 2
- ipv4: 4
- tcp: 6
- egp: 8
- igp: 9
- pup: 12
- udp: 17
- rdp: 27
- irtp: 28
- dccp: 33
- idpr: 35
- ipv6: 41
- ipv6-route: 43
- ipv6-frag: 44
- rsvp: 46
- gre: 47
- esp: 50
- ipv6-icmp: 58
- ipv6-nonxt: 59
- ipv6-opts: 60
- source: >
- def net = ctx.network;
- def iana = params[net.transport];
- if (iana != null) {
- net['iana_number'] = iana;
- return;
- }
- def reverse = new HashMap();
- def[] arr = new def[] { null };
- for (entry in params.entrySet()) {
- arr[0] = entry.getValue();
- reverse.put(String.format("%d", arr), entry.getKey());
- }
- def trans = reverse[net.transport];
- if (trans != null) {
- net['iana_number'] = net.transport;
- net['transport'] = trans;
- }
- #
- # Normalize event.outcome
- #
- - lowercase:
- field: "event.outcome"
- ignore_missing: true
- - set:
- field: "event.outcome"
- if: 'ctx.event?.outcome == "est-allowed"'
- value: "allowed"
- - set:
- field: "event.outcome"
- if: 'ctx.event?.outcome == "permitted"'
- value: "allowed"
- - set:
- field: "event.outcome"
- if: 'ctx.event?.outcome == "allow"'
- value: allowed
- - set:
- field: "event.outcome"
- if: 'ctx.event?.outcome == "deny"'
- value: denied
- - set:
- field: "network.transport"
- if: 'ctx.network?.transport == "icmpv6"'
- value: "ipv6-icmp"
- #
- # Convert numeric fields to integer or long, as output of dissect and kv processors is always a string
- #
- - convert:
- field: source.port
- type: integer
- ignore_failure: true
- ignore_missing: true
- - convert:
- field: destination.port
- type: integer
- ignore_failure: true
- ignore_missing: true
- - convert:
- field: source.bytes
- type: long
- ignore_failure: true
- ignore_missing: true
- - convert:
- field: destination.bytes
- type: long
- ignore_failure: true
- ignore_missing: true
- - convert:
- field: network.bytes
- type: long
- ignore_failure: true
- ignore_missing: true
- - convert:
- field: source.packets
- type:
integer
- ignore_failure: true
- ignore_missing: true
- - convert:
- field: destination.packets
- type: integer
- ignore_failure: true
- ignore_missing: true
- - convert:
- field: _temp_.cisco.mapped_source_port
- type: integer
- ignore_failure: true
- ignore_missing: true
- - convert:
- field: _temp_.cisco.mapped_destination_port
- type: integer
- ignore_failure: true
- ignore_missing: true
- - convert:
- field: _temp_.cisco.icmp_code
- type: integer
- ignore_failure: true
- ignore_missing: true
- - convert:
- field: _temp_.cisco.icmp_type
- type: integer
- ignore_failure: true
- ignore_missing: true
- - convert:
- field: http.response.status_code
- type: integer
- ignore_failure: true
- - convert:
- field: file.size
- type: integer
- ignore_failure: true
- - convert:
- field: network.iana_number
- type: string
- ignore_failure: true
- ignore_missing: true
- - convert:
- field: sip.to.uri.port
- type: integer
- ignore_failure: true
- #
- # Assign ECS .ip fields from .address is a valid IP address is found,
- # otherwise set .domain field.
- #
- - grok:
- field: source.address
- patterns:
- - "^(?:%{IP:source.ip}|%{GREEDYDATA:source.domain})$"
- ignore_failure: true
- - grok:
- field: destination.address
- patterns:
- - "^(?:%{IP:destination.ip}|%{GREEDYDATA:destination.domain})$"
- ignore_failure: true
- - grok:
- field: client.address
- patterns:
- - "^(?:%{IP:client.ip}|%{GREEDYDATA:client.domain})$"
- ignore_failure: true
- - grok:
- field: server.address
- patterns:
- - "^(?:%{IP:server.ip}|%{GREEDYDATA:server.domain})$"
- ignore_failure: true
- #
- # Geolocation for source and destination addresses
- #
- - geoip:
- field: "source.ip"
- target_field: "source.geo"
- ignore_missing: true
- - geoip:
- field: "destination.ip"
- target_field: "destination.geo"
- ignore_missing: true
- #
- # IP Autonomous System (AS) Lookup
- #
- - geoip:
- database_file: GeoLite2-ASN.mmdb
- field: source.ip
- target_field: source.as
- properties:
- - asn
- - organization_name
- ignore_missing: true
- - geoip:
- database_file: GeoLite2-ASN.mmdb
- field: destination.ip
- target_field: destination.as
- properties:
- - asn
- - organization_name
- ignore_missing: true
- - rename:
- field: source.as.asn
- target_field: source.as.number
- ignore_missing: true
- - rename:
- field: source.as.organization_name
- target_field: source.as.organization.name
- ignore_missing: true
- - rename:
- field: destination.as.asn
- target_field: destination.as.number
- ignore_missing: true
- - rename:
- field: destination.as.organization_name
- target_field: destination.as.organization.name
- ignore_missing: true
- #
- # Set mapped_{src|dst}_ip fields only if they consist of a valid IP address.
- #
- - grok:
- field: _temp_.natsrcip
- patterns:
- - "^(?:%{IP:_temp_.cisco.mapped_source_ip}|%{GREEDYDATA:_temp_.cisco.mapped_source_host})$"
- ignore_failure: true
- - grok:
- field: _temp_.natdstip
- patterns:
- - "^(?:%{IP:_temp_.cisco.mapped_destination_ip}|%{GREEDYDATA:_temp_.cisco.mapped_destination_host})$"
- ignore_failure: true
- #
- # NAT fields
- #
- # The firewall always populates mapped ip and port even if there was no NAT.
- # This populates both nat.ip and nat.port only when some translation is done.
- # Fills nat.ip and nat.port even when only the ip or port changed.
- - set:
- field: source.nat.ip
- value: "{{_temp_.cisco.mapped_source_ip}}"
- if: "ctx?._temp_?.cisco?.mapped_source_ip != ctx?.source?.ip"
- ignore_empty_value: true
- - convert:
- field: source.nat.ip
- type: ip
- ignore_missing: true
- - set:
- field: source.nat.port
- value: "{{_temp_.cisco.mapped_source_port}}"
- if: "ctx?._temp_?.cisco?.mapped_source_port != ctx?.source?.port"
- ignore_empty_value: true
- - convert:
- field: source.nat.port
- type: long
- ignore_missing: true
- - set:
- field: destination.nat.ip
- value: "{{_temp_.cisco.mapped_destination_ip}}"
- if: "ctx?._temp_?.cisco.mapped_destination_ip != ctx?.destination?.ip"
- ignore_empty_value: true
- - convert:
- field: destination.nat.ip
- type: ip
- ignore_missing: true
- - set:
- field: destination.nat.port
- value: "{{_temp_.cisco.mapped_destination_port}}"
- if: "ctx?._temp_?.cisco?.mapped_destination_port != ctx?.destination?.port"
- ignore_empty_value: true
- - convert:
- field: destination.nat.port
- type: long
- ignore_missing: true
- #
- # Zone-based Network Directionality
- #
- # If external and internal zones are specified and our ingress/egress zones are
- # populated, then we can classify traffic directionality based off of our defined
- # zones rather than the logs.
- - set:
- field: network.direction
- value: inbound
- if: >
- ctx?._temp_?.external_zones != null &&
- ctx?._temp_?.internal_zones != null &&
- ctx?.observer?.ingress?.zone != null &&
- ctx?.observer?.egress?.zone != null &&
- ctx._temp_.external_zones.contains(ctx.observer.ingress.zone) &&
- ctx._temp_.internal_zones.contains(ctx.observer.egress.zone)
- - set:
- field: network.direction
- value: outbound
- if: >
- ctx?._temp_?.external_zones != null &&
- ctx?._temp_?.internal_zones != null &&
- ctx?.observer?.ingress?.zone != null &&
- ctx?.observer?.egress?.zone != null &&
- ctx._temp_.external_zones.contains(ctx.observer.egress.zone) &&
- ctx._temp_.internal_zones.contains(ctx.observer.ingress.zone)
- - set:
- field: network.direction
- value: internal
- if: >
- ctx?._temp_?.external_zones != null &&
- ctx?._temp_?.internal_zones != null &&
- ctx?.observer?.ingress?.zone != null &&
- ctx?.observer?.egress?.zone != null &&
- ctx._temp_.internal_zones.contains(ctx.observer.egress.zone) &&
- ctx._temp_.internal_zones.contains(ctx.observer.ingress.zone)
- - set:
- field: network.direction
- value: external
- if: >
- ctx?._temp_?.external_zones != null &&
- ctx?._temp_?.internal_zones != null &&
- ctx?.observer?.ingress?.zone != null &&
- ctx?.observer?.egress?.zone != null &&
- ctx._temp_.external_zones.contains(ctx.observer.egress.zone) &&
- ctx._temp_.external_zones.contains(ctx.observer.ingress.zone)
- - set:
- field: network.direction
- value: unknown
- if: >
- ctx?._temp_?.external_zones != null &&
- ctx?._temp_?.internal_zones != null &&
- ctx?.observer?.egress?.zone != null &&
- ctx?.observer?.ingress?.zone != null &&
- (
- (
- !ctx._temp_.external_zones.contains(ctx.observer.egress.zone) &&
- !ctx._temp_.internal_zones.contains(ctx.observer.egress.zone)
- ) ||
- (
- !ctx._temp_.external_zones.contains(ctx.observer.ingress.zone) &&
- !ctx._temp_.internal_zones.contains(ctx.observer.ingress.zone)
- )
- )
-
- - set:
- field: _temp_.url_domain
- value:
"{{url.domain}}"
- ignore_failure: true
- if: ctx?.url?.domain != null
-
- - uri_parts:
- field: url.original
- ignore_failure: true
- if: ctx?.url?.original != null
- - append:
- field: url.domain
- value: "{{_temp_.url_domain}}"
- ignore_failure: true
- allow_duplicates: false
- if: ctx?._temp_?.url_domain != null
-
- #
- # Populate ECS event.code
- #
- - rename:
- field: _temp_.cisco.message_id
- target_field: event.code
- ignore_failure: true
- - remove:
- field:
- - _temp_.cisco.message_id
- - event.code
- if: 'ctx._temp_.cisco.message_id == ""'
- ignore_failure: true
- #
- # Copy _temp_.cisco to its final destination, cisco.asa or cisco.ftd.
- #
- - rename:
- field: _temp_.cisco
- target_field: "cisco.asa"
- ignore_failure: true
- #
- # Remove temporary fields
- #
- - remove:
- field: _temp_
- ignore_missing: true
- #
- # Rename some 7.x fields
- #
- - rename:
- field: cisco.asa.list_id
- target_field: cisco.asa.rule_name
- ignore_missing: true
- # ECS categorization
- - script:
- lang: painless
- params:
- connection-finished:
- kind: event
- category:
- - network
- type:
- - end
- connection-started:
- kind: event
- category:
- - network
- type:
- - start
- file-detected:
- kind: alert
- category:
- - malware
- type:
- - info
- firewall-rule:
- kind: event
- category:
- - network
- type: []
- flow-creation:
- kind: event
- category:
- - network
- type:
- - connection
- - start
- flow-expiration:
- kind: event
- category:
- - network
- type:
- - connection
- - end
- intrusion-detected:
- kind: alert
- category:
- - intrusion_detection
- type:
- - info
- logged-in:
- kind: event
- category:
- - authentication
- - network
- type: ['allowed', 'info']
- logon-failed:
- kind: event
- category:
- - authentication
- - network
- type: ['denied', 'info']
- malware-detected:
- kind: alert
- category:
- - malware
- type:
- - info
- bypass:
- kind: event
- category:
- - network
- type:
- - info
- - change
- error:
- kind: event
- outcome: failure
- category:
- - network
- type: - - error - deleted: - kind: event - category: - - network - type: - - info - - deletion - - user - creation: - kind: event - category: - - network - type: - - info - - creation - - user - client-vpn-connected: - kind: event - category: - - network - - session - type: - - connection - - start - client-vpn-error: - kind: event - category: - - network - type: - - connection - - error - - denied - client-vpn-disconnected: - kind: event - category: - - network - type: - - connection - - end - source: >- - if (ctx?.event?.action == null || !params.containsKey(ctx.event.action)) { - return; - } - - ctx.event.kind = params.get(ctx.event.action).get('kind'); - ctx.event.category = params.get(ctx.event.action).get('category').clone(); - ctx.event.type = params.get(ctx.event.action).get('type').clone(); - if (ctx?.event?.outcome == null || (!ctx.event.category.contains('network') && !ctx.event.category.contains('intrusion_detection'))) { - if (ctx?.event?.action == 'firewall-rule') { - ctx.event.type.add('info'); - } else if (ctx?.event?.action.startsWith('connection-')) { - ctx.event.type.add('connection'); - } - return; - } - if (ctx.event.outcome == 'allowed') { - ctx.event.outcome = 'success'; - ctx.event.type.add('connection'); - ctx.event.type.add('allowed'); - } else if (ctx.event.outcome == 'denied' || ctx.event.outcome == 'block') { - ctx.event.outcome = 'success'; - ctx.event.type.add('connection'); - ctx.event.type.add('denied'); - } else if (ctx.event.outcome == 'dropped') { - ctx.event.outcome = 'failure'; - ctx.event.type.add('connection'); - ctx.event.type.add('denied'); - } else if (ctx?.event?.action == 'firewall-rule') { - ctx.event.type.add('info'); - } else if (ctx?.event?.action.startsWith('connection-')) { - ctx.event.type.add('connection'); - } - if (ctx.event.outcome == 'monitored') { - ctx.event.category.add('intrusion_detection'); - ctx.event.outcome = 'success'; - } - - - set: - description: copy destination.user.name to user.name if it is 
not set - field: user.name - value: "{{destination.user.name}}" - ignore_empty_value: true - if: ctx?.user?.name == null - - # Configures observer fields with a copy from cisco and host fields. Later on these might replace host.hostname. - - set: - field: observer.hostname - value: "{{ host.hostname }}" - ignore_empty_value: true - - set: - field: observer.vendor - value: "Cisco" - ignore_empty_value: true - - set: - field: observer.type - value: "firewall" - ignore_empty_value: true - - set: - field: observer.product - value: "asa" - ignore_empty_value: true - - set: - field: observer.egress.interface.name - value: "{{ cisco.asa.destination_interface }}" - ignore_empty_value: true - - set: - field: observer.ingress.interface.name - value: "{{ cisco.asa.source_interface }}" - ignore_empty_value: true - - append: - field: related.ip - value: "{{source.ip}}" - if: "ctx?.source?.ip != null" - allow_duplicates: false - - append: - field: related.ip - value: "{{source.nat.ip}}" - if: "ctx?.source?.nat?.ip != null" - allow_duplicates: false - - append: - field: related.ip - value: "{{destination.ip}}" - if: "ctx?.destination?.ip != null" - allow_duplicates: false - - append: - field: related.ip - value: "{{destination.nat.ip}}" - if: "ctx?.destination?.nat?.ip != null" - allow_duplicates: false - - append: - field: related.user - value: "{{{user.name}}}" - if: ctx?.user?.name != null && ctx?.user?.name != '' - allow_duplicates: false - - append: - field: related.user - value: "{{server.user.name}}" - if: ctx?.server?.user?.name != null && ctx?.server?.user?.name != '' - allow_duplicates: false - - append: - field: related.user - value: "{{{source.user.name}}}" - if: ctx?.source?.user?.name != null && ctx?.source?.user?.name != '' - allow_duplicates: false - - append: - field: related.user - value: "{{{destination.user.name}}}" - if: ctx?.destination?.user?.name != null && ctx?.destination?.user?.name != '' - allow_duplicates: false - - append: - field: related.hash - 
value: "{{file.hash.sha256}}" - if: "ctx?.file?.hash?.sha256 != null" - allow_duplicates: false - - append: - field: related.hosts - value: "{{host.hostname}}" - if: ctx.host?.hostname != null && ctx.host?.hostname != '' - allow_duplicates: false - - append: - field: related.hosts - value: "{{observer.hostname}}" - if: ctx.observer?.hostname != null && ctx.observer?.hostname != '' - allow_duplicates: false - - append: - field: related.hosts - value: "{{destination.domain}}" - if: ctx.destination?.domain != null && ctx.destination?.domain != '' - allow_duplicates: false - - append: - field: related.hosts - value: "{{source.domain}}" - if: ctx.source?.domain != null && ctx.source?.domain != '' - allow_duplicates: false - - append: - field: related.hosts - value: "{{source.user.domain}}" - if: ctx.source?.user?.domain != null && ctx.source?.user?.domain != '' - allow_duplicates: false - - append: - field: related.hosts - value: "{{destination.user.domain}}" - if: ctx.destination?.user?.domain != null && ctx.destination?.user?.domain != '' - allow_duplicates: false - - script: - lang: painless - description: This script processor iterates over the whole document to remove fields with null values. - source: | - void handleMap(Map map) { - for (def x : map.values()) { - if (x instanceof Map) { - handleMap(x); - } else if (x instanceof List) { - handleList(x); - } - } - map.values().removeIf(v -> v == null); - } - void handleList(List list) { - for (def x : list) { - if (x instanceof Map) { - handleMap(x); - } else if (x instanceof List) { - handleList(x); - } - } - } - handleMap(ctx); - - community_id: - ignore_missing: true - ignore_failure: true - - remove: - field: event.original - if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" - ignore_failure: true - ignore_missing: true -on_failure: - # Copy any fields under _temp_.cisco to its final destination. Those can help - # with diagnosing the failure. 
- - rename: - field: _temp_.cisco - target_field: "cisco.asa" - ignore_failure: true - # Remove _temp_ to avoid adding a lot of unnecessary fields to the index. - - remove: - field: _temp_ - ignore_missing: true - - append: - field: "error.message" - value: "{{ _ingest.on_failure_message }}" diff --git a/packages/cisco_asa/2.7.6/data_stream/log/fields/agent.yml b/packages/cisco_asa/2.7.6/data_stream/log/fields/agent.yml deleted file mode 100755 index d38a70bd6b..0000000000 --- a/packages/cisco_asa/2.7.6/data_stream/log/fields/agent.yml +++ /dev/null 
@@ -1,207 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - -- name: input.type - type: keyword - description: Input type. 
-- name: log.offset - type: long - description: Offset of the entry in the log file. -- name: log.source.address - type: keyword - description: Source address from which the log event was read / sent from. diff --git a/packages/cisco_asa/2.7.6/data_stream/log/fields/base-fields.yml b/packages/cisco_asa/2.7.6/data_stream/log/fields/base-fields.yml deleted file mode 100755 index 4a5f053438..0000000000 --- a/packages/cisco_asa/2.7.6/data_stream/log/fields/base-fields.yml +++ /dev/null @@ -1,17 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: event.module - type: constant_keyword - description: Event module - value: cisco_asa -- name: event.dataset - type: constant_keyword - description: Event dataset - value: cisco_asa.log diff --git a/packages/cisco_asa/2.7.6/data_stream/log/fields/ecs.yml b/packages/cisco_asa/2.7.6/data_stream/log/fields/ecs.yml deleted file mode 100755 index f962a622be..0000000000 --- a/packages/cisco_asa/2.7.6/data_stream/log/fields/ecs.yml +++ /dev/null 
@@ -1,520 +0,0 @@ -- description: |- - Date/time when the event originated. - This is the date/time extracted from the event, typically representing when the event was generated by the source. - If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. - Required field for all events. - name: '@timestamp' - type: date -- description: Short name or login of the user. - multi_fields: - - name: text - type: match_only_text - name: client.user.name - type: keyword -- description: |- - Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: destination.address - type: keyword -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: destination.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: destination.as.organization.name - type: keyword -- description: Bytes sent from the destination to the source. - name: destination.bytes - type: long -- description: |- - The domain name of the destination system. - This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. - name: destination.domain - type: keyword -- description: City name. - name: destination.geo.city_name - type: keyword -- description: Name of the continent. - name: destination.geo.continent_name - type: keyword -- description: Country ISO code. - name: destination.geo.country_iso_code - type: keyword -- description: Country name. - name: destination.geo.country_name - type: keyword -- description: Longitude and latitude. 
- name: destination.geo.location - type: geo_point -- description: Region ISO code. - name: destination.geo.region_iso_code - type: keyword -- description: Region name. - name: destination.geo.region_name - type: keyword -- description: IP address of the destination (IPv4 or IPv6). - name: destination.ip - type: ip -- description: |- - Translated ip of destination based NAT sessions (e.g. internet to private DMZ) - Typically used with load balancers, firewalls, or routers. - name: destination.nat.ip - type: ip -- description: |- - Port the source session is translated to by NAT Device. - Typically used with load balancers, firewalls, or routers. - name: destination.nat.port - type: long -- description: Port of the destination. - name: destination.port - type: long -- description: |- - Name of the directory the user is a member of. - For example, an LDAP or Active Directory domain name. - name: destination.user.domain - type: keyword -- description: Short name or login of the user. - multi_fields: - - name: text - type: match_only_text - name: destination.user.name - type: keyword -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: Error message. - name: error.message - type: match_only_text -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. This will allow proper categorization of some events that fall in multiple categories. 
- name: event.category - normalize: - - array - type: keyword -- description: |- - Identification code for this event, if one exists. - Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. - name: event.code - type: keyword -- description: |- - event.created contains the date/time when the event was first read by an agent, or by your pipeline. - This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. - In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. - In case the two timestamps are identical, @timestamp should be used. - name: event.created - type: date -- description: |- - event.created contains the date/time when the event was first read by an agent, or by your pipeline. - This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. - In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. - In case the two timestamps are identical, @timestamp should be used. - name: event.created - type: date -- description: |- - Duration of the event in nanoseconds. - If event.start and event.end are known this value should be the difference between the end and start time. - name: event.duration - type: long -- description: event.end contains the date when the event ended or when the activity was last observed. 
- name: event.end - type: date -- description: |- - Timestamp when an event arrived in the central data store. - This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. - In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. - name: event.ingested - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: |- - Source of the event. - Event transports such as Syslog or the Windows Event Log typically mention the source of an event. It can be the name of the software that generated the event (e.g. Sysmon, httpd), or of a subsystem of the operating system (kernel, Microsoft-Windows-Security-Auditing). - name: event.provider - type: keyword -- description: |- - The numeric severity of the event according to your event source. - What the different severity values mean can be different between sources and use cases. It's up to the implementer to make sure severities are consistent across events from the same source. - The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). 
If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`. - name: event.severity - type: long -- description: event.start contains the date when the event started or when the activity was first observed. - name: event.start - type: date -- description: |- - This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. - Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). - name: event.timezone - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. - `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. This will allow proper categorization of some events that fall in multiple event types. - name: event.type - normalize: - - array - type: keyword -- description: Full path to the file, including the file name. It should include the drive letter, when appropriate. - multi_fields: - - name: text - type: match_only_text - name: file.path - type: keyword -- description: |- - Custom key/value pairs. - Can be used to add meta information to events. Should not contain nested objects. All values are stored as keyword. - Example: `docker` and `k8s` labels. - name: labels - type: object -- description: |- - Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. - If the event wasn't read from a log file, do not populate this field. - name: log.file.path - type: keyword -- description: |- - Original log level of the log event. 
- If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). - Some examples are `warn`, `err`, `i`, `informational`. - name: log.level - type: keyword -- description: |- - Syslog numeric priority of the event, if available. - According to RFCs 5424 and 3164, the priority is 8 * facility + severity. This number is therefore expected to contain a value between 0 and 191. - name: log.syslog.priority - type: long -- description: |- - The Syslog numeric facility of the log event, if available. - According to RFCs 5424 and 3164, this value should be an integer between 0 and 23. - name: log.syslog.facility.code - type: long -- description: |- - The Syslog numeric severity of the log event, if available. - If the event source publishing via Syslog provides a different numeric severity value (e.g. firewall, IDS), your source's numeric severity should go to `event.severity`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `event.severity`. - name: log.syslog.severity.code - type: long -- description: |- - For log events the message field contains the log message, optimized for viewing in a log viewer. - For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. - If multiple messages exist, they can be combined into one message. - name: message - type: match_only_text -- description: |- - Total bytes transferred in both directions. - If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. - name: network.bytes - type: long -- description: |- - A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. - Learn more at https://github.com/corelight/community-id-spec. 
- name: network.community_id - type: keyword -- description: |- - Direction of the network traffic. - When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". - When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". - Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. - name: network.direction - type: keyword -- description: IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. - name: network.iana_number - type: keyword -- description: Network.inner fields are added in addition to network.vlan fields to describe the innermost VLAN when q-in-q VLAN tagging is present. Allowed fields include vlan.id and vlan.name. Inner vlan fields are typically used when sending traffic with multiple 802.1q encapsulations to a network sensor (e.g. Zeek, Wireshark.) - name: network.inner - type: object -- description: VLAN ID as reported by the observer. - name: network.inner.vlan.id - type: keyword -- description: Optional VLAN name as reported by the observer. - name: network.inner.vlan.name - type: keyword -- description: |- - In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. - The field value must be normalized to lowercase for querying. 
- name: network.protocol - type: keyword -- description: |- - Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) - The field value must be normalized to lowercase for querying. - name: network.transport - type: keyword -- description: |- - In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc - The field value must be normalized to lowercase for querying. - name: network.type - type: keyword -- description: Interface name as reported by the system. - name: observer.egress.interface.name - type: keyword -- description: Network zone of outbound traffic as reported by the observer to categorize the destination area of egress traffic, e.g. Internal, External, DMZ, HR, Legal, etc. - name: observer.egress.zone - type: keyword -- description: Hostname of the observer. - name: observer.hostname - type: keyword -- description: Interface name as reported by the system. - name: observer.ingress.interface.name - type: keyword -- description: Network zone of incoming traffic as reported by the observer to categorize the source area of ingress traffic. e.g. internal, External, DMZ, HR, Legal, etc. - name: observer.ingress.zone - type: keyword -- description: IP addresses of the observer. - name: observer.ip - normalize: - - array - type: ip -- description: |- - Custom name of the observer. - This is a name that can be given to an observer. This can be helpful for example if multiple firewalls of the same model are used in an organization. - If no custom name is needed, the field can be left empty. - name: observer.name - type: keyword -- description: The product name of the observer. - name: observer.product - type: keyword -- description: |- - The type of the observer the data is coming from. - There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. 
- name: observer.type - type: keyword -- description: Vendor name of the observer. - name: observer.vendor - type: keyword -- description: Observer version. - name: observer.version - type: keyword -- description: |- - Process name. - Sometimes called program name or similar. - multi_fields: - - name: text - type: match_only_text - name: process.name - type: keyword -- description: Process id. - name: process.pid - type: long -- description: All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. - name: related.hosts - normalize: - - array - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - normalize: - - array - type: ip -- description: All the user names or other user identifiers seen on the event. - name: related.user - normalize: - - array - type: keyword -- description: |- - The domain name of the server system. - This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. - name: server.domain - type: keyword -- description: |- - Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: source.address - type: keyword -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: source.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: source.as.organization.name - type: keyword -- description: Bytes sent from the source to the destination. - name: source.bytes - type: long -- description: |- - The domain name of the source system. 
- This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. - name: source.domain - type: keyword -- description: City name. - name: source.geo.city_name - type: keyword -- description: Name of the continent. - name: source.geo.continent_name - type: keyword -- description: Country ISO code. - name: source.geo.country_iso_code - type: keyword -- description: Country name. - name: source.geo.country_name - type: keyword -- description: Longitude and latitude. - name: source.geo.location - type: geo_point -- description: Region ISO code. - name: source.geo.region_iso_code - type: keyword -- description: Region name. - name: source.geo.region_name - type: keyword -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: |- - Translated ip of source based NAT sessions (e.g. internal client to internet) - Typically connections traversing load balancers, firewalls, or routers. - name: source.nat.ip - type: ip -- description: |- - Translated port of source based NAT sessions. (e.g. internal client to internet) - Typically used with load balancers, firewalls, or routers. - name: source.nat.port - type: long -- description: Port of the source. - name: source.port - type: long -- description: |- - Name of the directory the user is a member of. - For example, an LDAP or Active Directory domain name. - name: source.user.domain - type: keyword -- description: Short name or login of the user. - multi_fields: - - name: text - type: match_only_text - name: source.user.name - type: keyword -- description: Name of the group. - name: source.user.group.name - type: keyword -- description: List of keywords used to tag each event. - name: tags - normalize: - - array - type: keyword -- description: |- - Domain of the url, such as "www.elastic.co". - In some cases a URL may refer to an IP and/or port directly, without a domain name. 
In this case, the IP address would go to the `domain` field. - If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. - name: url.domain - type: keyword -- description: |- - The field contains the file extension from the original request url, excluding the leading dot. - The file extension is only set if it exists, as not every url has a file extension. - The leading period must not be included. For example, the value must be "png", not ".png". - Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). - name: url.extension - type: keyword -- description: |- - Portion of the url after the `#`, such as "top". - The `#` is not part of the fragment. - name: url.fragment - type: keyword -- description: If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. - multi_fields: - - name: text - type: match_only_text - name: url.full - type: wildcard -- description: |- - Unmodified original url as seen in the event source. - Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. - This field is meant to represent the URL as it was observed, complete or not. - multi_fields: - - name: text - type: match_only_text - name: url.original - type: wildcard -- description: Password of the request. - name: url.password - type: keyword -- description: Path of the request, such as "/search". - name: url.path - type: wildcard -- description: Port of the request, such as 443. - name: url.port - type: long -- description: |- - The query field describes the query string of the request, such as "q=elasticsearch". - The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. 
If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. - name: url.query - type: keyword -- description: |- - The highest registered url domain, stripped of the subdomain. - For example, the registered domain for "foo.example.com" is "example.com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". - name: url.registered_domain - type: keyword -- description: |- - Scheme of the request, such as "https". - Note: The `:` is not part of the scheme. - name: url.scheme - type: keyword -- description: |- - The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. - For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. - name: url.subdomain - type: keyword -- description: |- - The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". - name: url.top_level_domain - type: keyword -- description: Username of the request. - name: url.username - type: keyword -- description: User email address. - name: user.email - type: keyword -- description: Short name or login of the user. 
- multi_fields: - - name: text - type: match_only_text - name: user.name - type: keyword -- description: |- - The domain name of the server system. - This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. - name: server.domain - type: keyword -- description: |- - Some event server addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: server.address - type: keyword -- description: Port of the server. - name: server.port - type: long -- description: IP address of the server (IPv4 or IPv6). - name: server.ip - type: ip -- description: Short name or login of the user. - multi_fields: - - name: text - type: match_only_text - name: server.user.name - type: keyword -- description: |- - The domain name of the client system. - This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. - name: client.domain - type: keyword -- description: |- - Some event client addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: client.address - type: keyword -- description: Port of the client. - name: client.port - type: long -- description: IP address of the client (IPv4 or IPv6). - name: client.ip - type: ip diff --git a/packages/cisco_asa/2.7.6/data_stream/log/fields/fields.yml b/packages/cisco_asa/2.7.6/data_stream/log/fields/fields.yml deleted file mode 100755 index 37c02de23d..0000000000 --- a/packages/cisco_asa/2.7.6/data_stream/log/fields/fields.yml +++ /dev/null 
@@ -1,218 +0,0 @@ -- name: cisco.asa - type: group - fields: - - name: message_id - type: keyword - description: > - The Cisco ASA message identifier. - - - name: suffix - type: keyword - description: > - Optional suffix after %ASA identifier. - - - name: source_interface - type: keyword - description: > - Source interface for the flow or event. - - - name: destination_interface - type: keyword - description: > - Destination interface for the flow or event. - - - name: rule_name - type: keyword - description: > - Name of the Access Control List rule that matched this event. - - - name: source_username - type: keyword - description: > - Name of the user that is the source for this event. - - - name: source_user_security_group_tag - type: long - description: > - The Security Group Tag for the source user. Security Group Tag are 16-bit identifiers used to represent logical group privilege. - - - name: destination_username - type: keyword - description: > - Name of the user that is the destination for this event. - - - name: destination_user_security_group_tag - type: long - description: > - The Security Group Tag for the destination user. Security Group Tag are 16-bit identifiers used to represent logical group privilege. - - - name: mapped_source_ip - type: ip - description: > - The translated source IP address. - - - name: mapped_source_port - type: long - description: > - The translated source port. - - - name: mapped_destination_ip - type: ip - description: > - The translated destination IP address. - - - name: mapped_destination_port - type: long - description: > - The translated destination port. - - - name: threat_level - type: keyword - description: > - Threat level for malware / botnet traffic. One of very-low, low, moderate, high or very-high. - - - name: threat_category - type: keyword - description: > - Category for the malware / botnet traffic. For example: virus, botnet, trojan, etc. 
- - - name: connection_id - type: keyword - description: > - Unique identifier for a flow. - - - name: icmp_type - type: short - description: > - ICMP type. - - - name: icmp_code - type: short - description: > - ICMP code. - - - name: aaa_type - type: keyword - description: > - The AAA operation type. One of authentication, authorization, or accounting. - - - name: connection_type - type: keyword - description: > - The VPN connection type - - - name: session_type - type: keyword - default_field: false - description: > - Session type (for example, IPsec or UDP). - - - name: dap_records - type: keyword - description: > - The assigned DAP records - - - name: mapped_destination_host - type: keyword - - name: username - type: keyword - - name: mapped_source_host - type: keyword - - name: command_line_arguments - default_field: false - type: keyword - description: > - The command line arguments logged by the local audit log - - - name: assigned_ip - default_field: false - type: ip - description: > - The IP address assigned to a VPN client successfully connecting - - - name: privilege.old - default_field: false - type: keyword - description: > - When a users privilege is changed this is the old value - - - name: privilege.new - default_field: false - type: keyword - description: > - When a users privilege is changed this is the new value - - - name: burst.object - default_field: false - type: keyword - description: > - The related object for burst warnings - - - name: burst.id - default_field: false - type: keyword - description: > - The related rate ID for burst warnings - - - name: burst.current_rate - default_field: false - type: keyword - description: > - The current burst rate seen - - - name: burst.configured_rate - default_field: false - type: keyword - description: > - The current configured burst rate - - - name: burst.avg_rate - default_field: false - type: keyword - description: > - The current average burst rate seen - - - name: burst.configured_avg_rate - 
default_field: false - type: keyword - description: > - The current configured average burst rate allowed - - - name: burst.cumulative_count - default_field: false - type: keyword - description: > - The total count of burst rate hits since the object was created or cleared - - - name: security - type: flattened - description: Cisco FTD security event fields. - - name: webvpn.group_name - type: keyword - default_field: false - description: > - The WebVPN group name the user belongs to - - - name: termination_initiator - type: keyword - default_field: false - description: > - Interface name of the side that initiated the teardown - - - name: tunnel_type - type: keyword - default_field: false - description: > - SA type (remote access or L2L) - - - name: termination_user - default_field: false - type: keyword - description: > - AAA name of user requesting termination - - - name: message - default_field: false - type: keyword - description: >- - The message associated with SIP and Skinny VoIP events diff --git a/packages/cisco_asa/2.7.6/data_stream/log/manifest.yml b/packages/cisco_asa/2.7.6/data_stream/log/manifest.yml deleted file mode 100755 index 2293945655..0000000000 --- a/packages/cisco_asa/2.7.6/data_stream/log/manifest.yml +++ /dev/null 
@@ -1,156 +0,0 @@ -title: Cisco ASA logs -type: logs -streams: - - input: udp - title: Cisco ASA logs - description: Collect Cisco ASA logs - template_path: udp.yml.hbs - vars: - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: false - default: - - cisco-asa - - forwarded - - name: udp_host - type: text - title: Listen Address - description: The bind address to listen for UDP connections. Set to `0.0.0.0` to bind to all available interfaces. - multi: false - required: true - show_user: true - default: localhost - - name: udp_port - type: integer - title: Listen Port - description: The UDP port number to listen on. - multi: false - required: true - show_user: true - default: 9001 - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original` - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: > - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. - - - input: tcp - title: Cisco ASA logs - description: Collect Cisco ASA logs - template_path: tcp.yml.hbs - vars: - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: false - default: - - cisco-asa - - forwarded - - name: tcp_host - type: text - title: Listen Address - description: The bind address to listen for TCP connections. Set to `0.0.0.0` to bind to all available interfaces. - multi: false - required: true - show_user: true - default: localhost - - name: tcp_port - type: integer - title: Listen Port - description: The TCP port number to listen on. 
- multi: false - required: true - show_user: true - default: 9001 - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original` - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: > - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. - - - name: ssl - type: yaml - title: SSL Configuration - description: i.e. certificate, keys, supported_protocols, verification_mode etc. See [SSL](https://www.elastic.co/guide/en/beats/filebeat/current/configuration-ssl.html#ssl-server-config) for details. - multi: false - required: false - show_user: false - default: | - #certificate: "/etc/server/cert.pem" - #key: "/etc/server/key.pem" - - name: tcp_options - type: yaml - title: Custom TCP Options - multi: false - required: false - show_user: false - default: | - #max_connections: 1 - #framing: delimiter - #line_delimiter: "\n" - description: Specify custom configuration options for the TCP input. See [TCP](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-tcp.html) for details. 
- - input: logfile - enabled: false - title: Cisco ASA logs - description: Collect Cisco ASA logs from file - vars: - - name: paths - type: text - title: Paths - multi: true - required: true - show_user: true - default: - - /var/log/cisco-asa.log - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: false - default: - - cisco-asa - - forwarded - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original` - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: >- - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. diff --git a/packages/cisco_asa/2.7.6/data_stream/log/sample_event.json b/packages/cisco_asa/2.7.6/data_stream/log/sample_event.json deleted file mode 100755 index 8236d873b3..0000000000 --- a/packages/cisco_asa/2.7.6/data_stream/log/sample_event.json +++ /dev/null 
@@ -1,107 +0,0 @@ -{ - "@timestamp": "2018-10-10T12:34:56.000Z", - "agent": { - "ephemeral_id": "90753735-64f6-4611-b88a-892365f67be0", - "id": "c077f5c5-ca69-4197-9db5-7963794bdac3", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "8.2.0" - }, - "cisco": { - "asa": { - "destination_interface": "outside", - "source_interface": "inside" - } - }, - "data_stream": { - "dataset": "cisco_asa.log", - "namespace": "ep", - "type": "logs" - }, - "destination": { - "address": "192.168.98.44", - "ip": "192.168.98.44", - "port": 8256 - }, - "ecs": { - "version": "8.3.0" - }, - "elastic_agent": { - "id": "c077f5c5-ca69-4197-9db5-7963794bdac3", - "snapshot": false, - "version": "8.2.0" - }, - "event": { - "action": "firewall-rule", - "agent_id_status": "verified", - "category": [ - "network" - ], - "code": "305011", - "dataset": "cisco_asa.log", - "ingested": "2022-06-21T10:34:19Z", - "kind": "event", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1772 to outside:192.168.98.44/8256", - "severity": 6, - "timezone": "+00:00", - "type": [ - "info" - ] - }, - "host": { - "hostname": "localhost" - }, - "input": { - "type": "tcp" - }, - "log": { - "level": "informational", - "source": { - "address": "192.168.208.4:52674" - } - }, - "network": { - "community_id": "1:5fapvb2/9FPSvoCspfD2WiW0NdQ=", - "iana_number": "6", - "transport": "tcp" - }, - "observer": { - "egress": { - "interface": { - "name": "outside" - } - }, - "hostname": "localhost", - "ingress": { - "interface": { - "name": "inside" - } - }, - "product": "asa", - "type": "firewall", - "vendor": "Cisco" - }, - "process": { - "name": "CiscoASA", - "pid": 999 - }, - "related": { - "hosts": [ - "localhost" - ], - "ip": [ - "172.31.98.44", - "192.168.98.44" - ] - }, - "source": { - "address": "172.31.98.44", - "ip": "172.31.98.44", - "port": 1772 - }, - "tags": [ - "preserve_original_event", - "cisco-asa", - "forwarded" - ] -} 
\ No newline at end of file diff --git a/packages/cisco_asa/2.7.6/docs/README.md b/packages/cisco_asa/2.7.6/docs/README.md deleted file mode 100755 index 566ea2439c..0000000000 --- a/packages/cisco_asa/2.7.6/docs/README.md +++ /dev/null 
@@ -1,333 +0,0 @@ -# Cisco ASA Integration - -This integration is for Cisco ASA network device's logs. It includes the following -datasets for receiving logs over syslog or read from a file: - -- `log` dataset: supports Cisco ASA firewall logs. - -## Logs - -### ASA - -The `log` dataset collects the Cisco ASA firewall logs. - -An example event for `log` looks as following: - -```json -{ - "@timestamp": "2018-10-10T12:34:56.000Z", - "agent": { - "ephemeral_id": "90753735-64f6-4611-b88a-892365f67be0", - "id": "c077f5c5-ca69-4197-9db5-7963794bdac3", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "8.2.0" - }, - "cisco": { - "asa": { - "destination_interface": "outside", - "source_interface": "inside" - } - }, - "data_stream": { - "dataset": "cisco_asa.log", - "namespace": "ep", - "type": "logs" - }, - "destination": { - "address": "192.168.98.44", - "ip": "192.168.98.44", - "port": 8256 - }, - "ecs": { - "version": "8.3.0" - }, - "elastic_agent": { - "id": "c077f5c5-ca69-4197-9db5-7963794bdac3", - "snapshot": false, - "version": "8.2.0" - }, - "event": { - "action": "firewall-rule", - "agent_id_status": "verified", - "category": [ - "network" - ], - "code": "305011", - "dataset": "cisco_asa.log", - "ingested": "2022-06-21T10:34:19Z", - "kind": "event", - "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1772 to outside:192.168.98.44/8256", - "severity": 6, - "timezone": "+00:00", - "type": [ - "info" - ] - }, - "host": { - "hostname": "localhost" - }, - "input": { - "type": "tcp" - }, - "log": { - "level": "informational", - "source": { - "address": "192.168.208.4:52674" - } - }, - "network": { - "community_id": "1:5fapvb2/9FPSvoCspfD2WiW0NdQ=", - "iana_number": "6", - "transport": "tcp" - }, - "observer": { - "egress": { - "interface": { - "name": "outside" - } - }, - "hostname": "localhost", - "ingress": { - "interface": { - "name": "inside" - } - }, - "product": "asa", 
- "type": "firewall", - "vendor": "Cisco" - }, - "process": { - "name": "CiscoASA", - "pid": 999 - }, - "related": { - "hosts": [ - "localhost" - ], - "ip": [ - "172.31.98.44", - "192.168.98.44" - ] - }, - "source": { - "address": "172.31.98.44", - "ip": "172.31.98.44", - "port": 1772 - }, - "tags": [ - "preserve_original_event", - "cisco-asa", - "forwarded" - ] -} -``` - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. | date | -| cisco.asa.aaa_type | The AAA operation type. One of authentication, authorization, or accounting. | keyword | -| cisco.asa.assigned_ip | The IP address assigned to a VPN client successfully connecting | ip | -| cisco.asa.burst.avg_rate | The current average burst rate seen | keyword | -| cisco.asa.burst.configured_avg_rate | The current configured average burst rate allowed | keyword | -| cisco.asa.burst.configured_rate | The current configured burst rate | keyword | -| cisco.asa.burst.cumulative_count | The total count of burst rate hits since the object was created or cleared | keyword | -| cisco.asa.burst.current_rate | The current burst rate seen | keyword | -| cisco.asa.burst.id | The related rate ID for burst warnings | keyword | -| cisco.asa.burst.object | The related object for burst warnings | keyword | -| cisco.asa.command_line_arguments | The command line arguments logged by the local audit log | keyword | -| cisco.asa.connection_id | Unique identifier for a flow. 
| keyword | -| cisco.asa.connection_type | The VPN connection type | keyword | -| cisco.asa.dap_records | The assigned DAP records | keyword | -| cisco.asa.destination_interface | Destination interface for the flow or event. | keyword | -| cisco.asa.destination_user_security_group_tag | The Security Group Tag for the destination user. Security Group Tag are 16-bit identifiers used to represent logical group privilege. | long | -| cisco.asa.destination_username | Name of the user that is the destination for this event. | keyword | -| cisco.asa.icmp_code | ICMP code. | short | -| cisco.asa.icmp_type | ICMP type. | short | -| cisco.asa.mapped_destination_host | | keyword | -| cisco.asa.mapped_destination_ip | The translated destination IP address. | ip | -| cisco.asa.mapped_destination_port | The translated destination port. | long | -| cisco.asa.mapped_source_host | | keyword | -| cisco.asa.mapped_source_ip | The translated source IP address. | ip | -| cisco.asa.mapped_source_port | The translated source port. | long | -| cisco.asa.message | The message associated with SIP and Skinny VoIP events | keyword | -| cisco.asa.message_id | The Cisco ASA message identifier. | keyword | -| cisco.asa.privilege.new | When a users privilege is changed this is the new value | keyword | -| cisco.asa.privilege.old | When a users privilege is changed this is the old value | keyword | -| cisco.asa.rule_name | Name of the Access Control List rule that matched this event. | keyword | -| cisco.asa.security | Cisco FTD security event fields. | flattened | -| cisco.asa.session_type | Session type (for example, IPsec or UDP). | keyword | -| cisco.asa.source_interface | Source interface for the flow or event. | keyword | -| cisco.asa.source_user_security_group_tag | The Security Group Tag for the source user. Security Group Tag are 16-bit identifiers used to represent logical group privilege. | long | -| cisco.asa.source_username | Name of the user that is the source for this event. 
| keyword | -| cisco.asa.suffix | Optional suffix after %ASA identifier. | keyword | -| cisco.asa.termination_initiator | Interface name of the side that initiated the teardown | keyword | -| cisco.asa.termination_user | AAA name of user requesting termination | keyword | -| cisco.asa.threat_category | Category for the malware / botnet traffic. For example: virus, botnet, trojan, etc. | keyword | -| cisco.asa.threat_level | Threat level for malware / botnet traffic. One of very-low, low, moderate, high or very-high. | keyword | -| cisco.asa.tunnel_type | SA type (remote access or L2L) | keyword | -| cisco.asa.username | | keyword | -| cisco.asa.webvpn.group_name | The WebVPN group name the user belongs to | keyword | -| client.address | Some event client addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| client.domain | The domain name of the client system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | -| client.ip | IP address of the client (IPv4 or IPv6). | ip | -| client.port | Port of the client. | long | -| client.user.name | Short name or login of the user. | keyword | -| client.user.name.text | Multi-field of `client.user.name`. | match_only_text | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. 
| keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| destination.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| destination.as.organization.name | Organization name. | keyword | -| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. | match_only_text | -| destination.bytes | Bytes sent from the destination to the source. | long | -| destination.domain | The domain name of the destination system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | -| destination.geo.city_name | City name. | keyword | -| destination.geo.continent_name | Name of the continent. 
| keyword | -| destination.geo.country_iso_code | Country ISO code. | keyword | -| destination.geo.country_name | Country name. | keyword | -| destination.geo.location | Longitude and latitude. | geo_point | -| destination.geo.region_iso_code | Region ISO code. | keyword | -| destination.geo.region_name | Region name. | keyword | -| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | -| destination.nat.ip | Translated ip of destination based NAT sessions (e.g. internet to private DMZ) Typically used with load balancers, firewalls, or routers. | ip | -| destination.nat.port | Port the source session is translated to by NAT Device. Typically used with load balancers, firewalls, or routers. | long | -| destination.port | Port of the destination. | long | -| destination.user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword | -| destination.user.name | Short name or login of the user. | keyword | -| destination.user.name.text | Multi-field of `destination.user.name`. | match_only_text | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| error.message | Error message. | match_only_text | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. 
| keyword | -| event.code | Identification code for this event, if one exists. Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. | keyword | -| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | -| event.dataset | Event dataset | constant_keyword | -| event.duration | Duration of the event in nanoseconds. If event.start and event.end are known this value should be the difference between the end and start time. | long | -| event.end | event.end contains the date when the event ended or when the activity was last observed. | date | -| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. 
For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | -| event.module | Event module | constant_keyword | -| event.provider | Source of the event. Event transports such as Syslog or the Windows Event Log typically mention the source of an event. It can be the name of the software that generated the event (e.g. Sysmon, httpd), or of a subsystem of the operating system (kernel, Microsoft-Windows-Security-Auditing). | keyword | -| event.severity | The numeric severity of the event according to your event source. What the different severity values mean can be different between sources and use cases. It's up to the implementer to make sure severities are consistent across events from the same source. The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`. | long | -| event.start | event.start contains the date when the event started or when the activity was first observed. | date | -| event.timezone | This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). | keyword | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. 
`event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | -| file.path | Full path to the file, including the file name. It should include the drive letter, when appropriate. | keyword | -| file.path.text | Multi-field of `file.path`. | match_only_text | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). 
| keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| input.type | Input type. | keyword | -| labels | Custom key/value pairs. Can be used to add meta information to events. Should not contain nested objects. All values are stored as keyword. Example: `docker` and `k8s` labels. | object | -| log.file.path | Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. | keyword | -| log.level | Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). Some examples are `warn`, `err`, `i`, `informational`. | keyword | -| log.offset | Offset of the entry in the log file. | long | -| log.source.address | Source address from which the log event was read / sent from. | keyword | -| log.syslog.facility.code | The Syslog numeric facility of the log event, if available. According to RFCs 5424 and 3164, this value should be an integer between 0 and 23. | long | -| log.syslog.priority | Syslog numeric priority of the event, if available. According to RFCs 5424 and 3164, the priority is 8 \* facility + severity. This number is therefore expected to contain a value between 0 and 191. | long | -| log.syslog.severity.code | The Syslog numeric severity of the log event, if available. If the event source publishing via Syslog provides a different numeric severity value (e.g. firewall, IDS), your source's numeric severity should go to `event.severity`. 
If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `event.severity`. | long | -| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | -| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long | -| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword | -| network.direction | Direction of the network traffic. When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword | -| network.iana_number | IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. 
| keyword | -| network.inner | Network.inner fields are added in addition to network.vlan fields to describe the innermost VLAN when q-in-q VLAN tagging is present. Allowed fields include vlan.id and vlan.name. Inner vlan fields are typically used when sending traffic with multiple 802.1q encapsulations to a network sensor (e.g. Zeek, Wireshark.) | object | -| network.inner.vlan.id | VLAN ID as reported by the observer. | keyword | -| network.inner.vlan.name | Optional VLAN name as reported by the observer. | keyword | -| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword | -| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword | -| network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword | -| observer.egress.interface.name | Interface name as reported by the system. | keyword | -| observer.egress.zone | Network zone of outbound traffic as reported by the observer to categorize the destination area of egress traffic, e.g. Internal, External, DMZ, HR, Legal, etc. | keyword | -| observer.hostname | Hostname of the observer. | keyword | -| observer.ingress.interface.name | Interface name as reported by the system. | keyword | -| observer.ingress.zone | Network zone of incoming traffic as reported by the observer to categorize the source area of ingress traffic. e.g. internal, External, DMZ, HR, Legal, etc. | keyword | -| observer.ip | IP addresses of the observer. | ip | -| observer.name | Custom name of the observer. This is a name that can be given to an observer. This can be helpful for example if multiple firewalls of the same model are used in an organization. 
If no custom name is needed, the field can be left empty. | keyword | -| observer.product | The product name of the observer. | keyword | -| observer.type | The type of the observer the data is coming from. There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. | keyword | -| observer.vendor | Vendor name of the observer. | keyword | -| observer.version | Observer version. | keyword | -| process.name | Process name. Sometimes called program name or similar. | keyword | -| process.name.text | Multi-field of `process.name`. | match_only_text | -| process.pid | Process id. | long | -| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| related.user | All the user names or other user identifiers seen on the event. | keyword | -| server.address | Some event server addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| server.domain | The domain name of the server system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | -| server.ip | IP address of the server (IPv4 or IPv6). | ip | -| server.port | Port of the server. | long | -| server.user.name | Short name or login of the user. | keyword | -| server.user.name.text | Multi-field of `server.user.name`. | match_only_text | -| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. 
Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| source.as.organization.name | Organization name. | keyword | -| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text | -| source.bytes | Bytes sent from the source to the destination. | long | -| source.domain | The domain name of the source system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | -| source.geo.city_name | City name. | keyword | -| source.geo.continent_name | Name of the continent. | keyword | -| source.geo.country_iso_code | Country ISO code. | keyword | -| source.geo.country_name | Country name. | keyword | -| source.geo.location | Longitude and latitude. | geo_point | -| source.geo.region_iso_code | Region ISO code. | keyword | -| source.geo.region_name | Region name. | keyword | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| source.nat.ip | Translated ip of source based NAT sessions (e.g. internal client to internet) Typically connections traversing load balancers, firewalls, or routers. | ip | -| source.nat.port | Translated port of source based NAT sessions. (e.g. internal client to internet) Typically used with load balancers, firewalls, or routers. | long | -| source.port | Port of the source. | long | -| source.user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword | -| source.user.group.name | Name of the group. | keyword | -| source.user.name | Short name or login of the user. | keyword | -| source.user.name.text | Multi-field of `source.user.name`. | match_only_text | -| tags | List of keywords used to tag each event. 
| keyword | -| url.domain | Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. | keyword | -| url.extension | The field contains the file extension from the original request url, excluding the leading dot. The file extension is only set if it exists, as not every url has a file extension. The leading period must not be included. For example, the value must be "png", not ".png". Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword | -| url.fragment | Portion of the url after the `#`, such as "top". The `#` is not part of the fragment. | keyword | -| url.full | If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. | wildcard | -| url.full.text | Multi-field of `url.full`. | match_only_text | -| url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | wildcard | -| url.original.text | Multi-field of `url.original`. | match_only_text | -| url.password | Password of the request. | keyword | -| url.path | Path of the request, such as "/search". | wildcard | -| url.port | Port of the request, such as 443. | long | -| url.query | The query field describes the query string of the request, such as "q=elasticsearch". The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. 
If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. | keyword | -| url.registered_domain | The highest registered url domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | -| url.scheme | Scheme of the request, such as "https". Note: The `:` is not part of the scheme. | keyword | -| url.subdomain | The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword | -| url.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | -| url.username | Username of the request. | keyword | -| user.email | User email address. | keyword | -| user.name | Short name or login of the user. | keyword | -| user.name.text | Multi-field of `user.name`. | match_only_text | 
diff --git a/packages/cisco_asa/2.7.6/img/cisco.svg b/packages/cisco_asa/2.7.6/img/cisco.svg
deleted file mode 100755
index 20ebebf197..0000000000
--- a/packages/cisco_asa/2.7.6/img/cisco.svg
+++ /dev/null
@@ -1 +0,0 @@
-
\ No newline at end of file
diff --git a/packages/cisco_asa/2.7.6/img/kibana-cisco-asa.png b/packages/cisco_asa/2.7.6/img/kibana-cisco-asa.png
deleted file mode 100755
index ad51be2204..0000000000
Binary files a/packages/cisco_asa/2.7.6/img/kibana-cisco-asa.png and /dev/null differ
diff --git a/packages/cisco_asa/2.7.6/kibana/dashboard/cisco_asa-a555b160-4987-11e9-b8ce-ed898b5ef295.json b/packages/cisco_asa/2.7.6/kibana/dashboard/cisco_asa-a555b160-4987-11e9-b8ce-ed898b5ef295.json
deleted file mode 100755
index be56be76ce..0000000000
--- a/packages/cisco_asa/2.7.6/kibana/dashboard/cisco_asa-a555b160-4987-11e9-b8ce-ed898b5ef295.json
+++ /dev/null
@@ -1,53 +0,0 @@ -{ - "attributes": { - "description": "Sample dashboard for Cisco ASA Firewall devices", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"vis\":{\"legendOpen\":false}},\"gridData\":{\"h\":15,\"i\":\"1\",\"w\":12,\"x\":12,\"y\":15},\"panelIndex\":\"1\",\"panelRefName\":\"panel_0\",\"title\":\"Destination Port and Transport\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"vis\":{\"legendOpen\":false}},\"gridData\":{\"h\":15,\"i\":\"2\",\"w\":12,\"x\":0,\"y\":15},\"panelIndex\":\"2\",\"panelRefName\":\"panel_1\",\"title\":\"Source Port and Transport\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"vis\":{\"legendOpen\":false}},\"gridData\":{\"h\":15,\"i\":\"3\",\"w\":24,\"x\":0,\"y\":0},\"panelIndex\":\"3\",\"panelRefName\":\"panel_2\",\"title\":\"ASA Firewall Events Over Time\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"vis\":{\"legendOpen\":false}},\"gridData\":{\"h\":15,\"i\":\"4\",\"w\":24,\"x\":24,\"y\":0},\"panelIndex\":\"4\",\"panelRefName\":\"panel_3\",\"title\":\"ASA Flows by Network Bytes\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":15,\"i\":\"5\",\"w\":12,\"x\":24,\"y\":15},\"panelIndex\":\"5\",\"panelRefName\":\"panel_4\",\"title\":\"Blocked by Source\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":15,\"i\":\"8\",\"w\":12,\"x\":36,\"y\":15},\"panelIndex\":\"8\",\"panelRefName\":\"panel_5\",\"title\":\"Top ACL by Blocked\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":12,\"i\":\"9\",\"w\":48,\"x\":0,\"y\":30},\"panelIndex\":\"9\",\"panelRefName\":\"panel_6\",\"version\":\"7.0.0-SNAPSHOT\"}]", - "timeRestore": false, - "title": "[Cisco] ASA Firewall", - "version": 1 - }, - "id": 
"cisco_asa-a555b160-4987-11e9-b8ce-ed898b5ef295", - "references": [ - { - "id": "cisco_asa-118da960-4987-11e9-b8ce-ed898b5ef295", - "name": "panel_0", - "type": "visualization" - }, - { - "id": "cisco_asa-5d0322d0-4987-11e9-b8ce-ed898b5ef295", - "name": "panel_1", - "type": "visualization" - }, - { - "id": "cisco_asa-a3b5ab10-4989-11e9-b8ce-ed898b5ef295", - "name": "panel_2", - "type": "visualization" - }, - { - "id": "cisco_asa-80d0c1b0-498a-11e9-b8ce-ed898b5ef295", - "name": "panel_3", - "type": "visualization" - }, - { - "id": "cisco_asa-d05cdf60-498b-11e9-b8ce-ed898b5ef295", - "name": "panel_4", - "type": "visualization" - }, - { - "id": "cisco_asa-08ef4d90-499b-11e9-b8ce-ed898b5ef295", - "name": "panel_5", - "type": "visualization" - }, - { - "id": "cisco_asa-fd89b1e0-49a2-11e9-b8ce-ed898b5ef295", - "name": "panel_6", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/cisco_asa/2.7.6/kibana/search/cisco_asa-14fce5e0-498f-11e9-b8ce-ed898b5ef295.json b/packages/cisco_asa/2.7.6/kibana/search/cisco_asa-14fce5e0-498f-11e9-b8ce-ed898b5ef295.json deleted file mode 100755 index c4e9b835ce..0000000000 --- a/packages/cisco_asa/2.7.6/kibana/search/cisco_asa-14fce5e0-498f-11e9-b8ce-ed898b5ef295.json +++ /dev/null @@ -1,29 +0,0 @@ -{ - "attributes": { - "columns": [ - "_source" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:cisco_asa.log\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "All ASA Logs [Cisco]", - "version": 1 - }, - "id": "cisco_asa-14fce5e0-498f-11e9-b8ce-ed898b5ef295", - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file 
diff --git a/packages/cisco_asa/2.7.6/kibana/search/cisco_asa-753406e0-4986-11e9-b8ce-ed898b5ef295.json b/packages/cisco_asa/2.7.6/kibana/search/cisco_asa-753406e0-4986-11e9-b8ce-ed898b5ef295.json deleted file mode 100755 index 827e718b96..0000000000 --- a/packages/cisco_asa/2.7.6/kibana/search/cisco_asa-753406e0-4986-11e9-b8ce-ed898b5ef295.json +++ /dev/null @@ -1,29 +0,0 @@ -{ - "attributes": { - "columns": [ - "_source" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:cisco_asa.log and event.action:\\\"flow-expiration\\\"\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "ASA Firewall flows [Cisco]", - "version": 1 - }, - "id": "cisco_asa-753406e0-4986-11e9-b8ce-ed898b5ef295", - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/cisco_asa/2.7.6/kibana/search/cisco_asa-96c6ff60-4986-11e9-b8ce-ed898b5ef295.json b/packages/cisco_asa/2.7.6/kibana/search/cisco_asa-96c6ff60-4986-11e9-b8ce-ed898b5ef295.json deleted file mode 100755 index ecea457cb0..0000000000 --- a/packages/cisco_asa/2.7.6/kibana/search/cisco_asa-96c6ff60-4986-11e9-b8ce-ed898b5ef295.json +++ /dev/null 
@@ -1,29 +0,0 @@ -{ - "attributes": { - "columns": [ - "_source" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:cisco_asa.log and event.action:\\\"firewall-rule\\\"\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "ASA Firewall Events [Cisco]", - "version": 1 - }, - "id": "cisco_asa-96c6ff60-4986-11e9-b8ce-ed898b5ef295", - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/cisco_asa/2.7.6/kibana/visualization/cisco_asa-08ef4d90-499b-11e9-b8ce-ed898b5ef295.json b/packages/cisco_asa/2.7.6/kibana/visualization/cisco_asa-08ef4d90-499b-11e9-b8ce-ed898b5ef295.json deleted file mode 100755 index 3d47d84b87..0000000000 --- a/packages/cisco_asa/2.7.6/kibana/visualization/cisco_asa-08ef4d90-499b-11e9-b8ce-ed898b5ef295.json +++ /dev/null 
@@ -1,22 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"event.outcome:\\\"deny\\\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "ASA Top ACL by Blocked [Cisco]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"ACL ID\",\"field\":\"cisco.asa.rule_name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"ASA Top ACL by Blocked [Cisco]\",\"type\":\"table\"}" - }, - "id": "cisco_asa-08ef4d90-499b-11e9-b8ce-ed898b5ef295", - "references": [ - { - "id": "cisco_asa-96c6ff60-4986-11e9-b8ce-ed898b5ef295", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cisco_asa/2.7.6/kibana/visualization/cisco_asa-118da960-4987-11e9-b8ce-ed898b5ef295.json b/packages/cisco_asa/2.7.6/kibana/visualization/cisco_asa-118da960-4987-11e9-b8ce-ed898b5ef295.json deleted file mode 100755 index 6f81464b3a..0000000000 --- a/packages/cisco_asa/2.7.6/kibana/visualization/cisco_asa-118da960-4987-11e9-b8ce-ed898b5ef295.json +++ /dev/null 
@@ -1,22 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Destination Port and Transport [Cisco]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"network.transport\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"destination.port\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"isDonut\":true,\"labels\":{\"last_level\":true,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"right\",\"type\":\"pie\"},\"title\":\"Destination Port and Transport [Cisco]\",\"type\":\"pie\"}" - }, - "id": "cisco_asa-118da960-4987-11e9-b8ce-ed898b5ef295", - "references": [ - { - "id": "cisco_asa-753406e0-4986-11e9-b8ce-ed898b5ef295", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cisco_asa/2.7.6/kibana/visualization/cisco_asa-5d0322d0-4987-11e9-b8ce-ed898b5ef295.json b/packages/cisco_asa/2.7.6/kibana/visualization/cisco_asa-5d0322d0-4987-11e9-b8ce-ed898b5ef295.json deleted file mode 100755 index 68171576d0..0000000000 --- a/packages/cisco_asa/2.7.6/kibana/visualization/cisco_asa-5d0322d0-4987-11e9-b8ce-ed898b5ef295.json +++ /dev/null 
@@ -1,22 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Source Port and Transport [Cisco]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"network.transport\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"source.port\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"isDonut\":true,\"labels\":{\"last_level\":true,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"right\",\"type\":\"pie\"},\"title\":\"Source Port and Transport [Cisco]\",\"type\":\"pie\"}" - }, - "id": "cisco_asa-5d0322d0-4987-11e9-b8ce-ed898b5ef295", - "references": [ - { - "id": "cisco_asa-753406e0-4986-11e9-b8ce-ed898b5ef295", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cisco_asa/2.7.6/kibana/visualization/cisco_asa-80d0c1b0-498a-11e9-b8ce-ed898b5ef295.json b/packages/cisco_asa/2.7.6/kibana/visualization/cisco_asa-80d0c1b0-498a-11e9-b8ce-ed898b5ef295.json deleted file mode 100755 index a39f27880f..0000000000 --- a/packages/cisco_asa/2.7.6/kibana/visualization/cisco_asa-80d0c1b0-498a-11e9-b8ce-ed898b5ef295.json +++ /dev/null 
@@ -1,22 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "ASA Flows by Network Bytes [Cisco]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"timeRange\":{\"from\":\"now-15y\",\"to\":\"now+1y\"},\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Total bytes\",\"field\":\"network.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"grid\":{\"categoryLines\":false},\"legendPosition\":\"right\",\"seriesParams\":[{\"data\":{\"id\":\"3\",\"label\":\"Total bytes\"},\"drawLinesBetweenPoints\":true,\"mode\":\"stacked\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"times\":[],\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Total bytes\"},\"type\":\"value\"}]},\"title\":\"ASA Flows by Network Bytes [Cisco]\",\"type\":\"histogram\"}" - }, - "id": "cisco_asa-80d0c1b0-498a-11e9-b8ce-ed898b5ef295", - "references": [ - { - "id": "cisco_asa-753406e0-4986-11e9-b8ce-ed898b5ef295", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/cisco_asa/2.7.6/kibana/visualization/cisco_asa-a3b5ab10-4989-11e9-b8ce-ed898b5ef295.json b/packages/cisco_asa/2.7.6/kibana/visualization/cisco_asa-a3b5ab10-4989-11e9-b8ce-ed898b5ef295.json
deleted file mode 100755
index 67b75fd248..0000000000
--- a/packages/cisco_asa/2.7.6/kibana/visualization/cisco_asa-a3b5ab10-4989-11e9-b8ce-ed898b5ef295.json
+++ /dev/null
@@ -1,22 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "ASA Events Over Time [Cisco]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"event.outcome\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"timeRange\":{\"from\":\"now-15y\",\"to\":\"now+1y\"},\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"grid\":{\"categoryLines\":false},\"legendPosition\":\"right\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"mode\":\"stacked\",\"show\":\"true\",\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"times\":[],\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"ASA Events Over Time [Cisco]\",\"type\":\"histogram\"}" - }, - "id": 
"cisco_asa-a3b5ab10-4989-11e9-b8ce-ed898b5ef295", - "references": [ - { - "id": "cisco_asa-96c6ff60-4986-11e9-b8ce-ed898b5ef295", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cisco_asa/2.7.6/kibana/visualization/cisco_asa-d05cdf60-498b-11e9-b8ce-ed898b5ef295.json b/packages/cisco_asa/2.7.6/kibana/visualization/cisco_asa-d05cdf60-498b-11e9-b8ce-ed898b5ef295.json deleted file mode 100755 index cab50f4d5c..0000000000 --- a/packages/cisco_asa/2.7.6/kibana/visualization/cisco_asa-d05cdf60-498b-11e9-b8ce-ed898b5ef295.json +++ /dev/null @@ -1,22 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "ASA Firewall Blocked by Source [Cisco]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"source.ip\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"ASA Firewall Blocked by Source [Cisco]\",\"type\":\"table\"}" - }, - "id": "cisco_asa-d05cdf60-498b-11e9-b8ce-ed898b5ef295", - "references": [ - { - "id": "cisco_asa-96c6ff60-4986-11e9-b8ce-ed898b5ef295", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/cisco_asa/2.7.6/kibana/visualization/cisco_asa-fd89b1e0-49a2-11e9-b8ce-ed898b5ef295.json b/packages/cisco_asa/2.7.6/kibana/visualization/cisco_asa-fd89b1e0-49a2-11e9-b8ce-ed898b5ef295.json deleted file mode 100755 index 0b55816042..0000000000 --- a/packages/cisco_asa/2.7.6/kibana/visualization/cisco_asa-fd89b1e0-49a2-11e9-b8ce-ed898b5ef295.json +++ /dev/null 
@@ -1,22 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Top ASA Messages [Cisco]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":1,\"direction\":\"desc\"}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"ID\",\"field\":\"event.code\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"_key\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":15},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"aggregate\":\"concat\",\"customLabel\":\"Severity\",\"field\":\"log.level\",\"size\":1,\"sortField\":\"@timestamp\",\"sortOrder\":\"desc\"},\"schema\":\"metric\",\"type\":\"top_hits\"},{\"enabled\":true,\"id\":\"1\",\"params\":{\"aggregate\":\"concat\",\"customLabel\":\"Sample message\",\"field\":\"event.original\",\"size\":1,\"sortField\":\"@timestamp\",\"sortOrder\":\"desc\"},\"schema\":\"metric\",\"type\":\"top_hits\"}],\"params\":{\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":true,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Top ASA Messages [Cisco]\",\"type\":\"table\"}" - }, - "id": "cisco_asa-fd89b1e0-49a2-11e9-b8ce-ed898b5ef295", - "references": [ - { - "id": "cisco_asa-14fce5e0-498f-11e9-b8ce-ed898b5ef295", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cisco_asa/2.7.6/manifest.yml b/packages/cisco_asa/2.7.6/manifest.yml deleted file mode 100755 index a190079981..0000000000 --- a/packages/cisco_asa/2.7.6/manifest.yml +++ /dev/null 
@@ -1,39 +0,0 @@ -format_version: 1.0.0 -name: cisco_asa -title: Cisco ASA -version: "2.7.6" -license: basic -description: Collect logs from Cisco ASA with Elastic Agent. -type: integration -categories: - - network - - security -release: ga -conditions: - kibana.version: "^7.16.0 || ^8.0.0" -screenshots: - - src: /img/kibana-cisco-asa.png - title: kibana cisco asa - size: 1800x1559 - type: image/png -icons: - - src: /img/cisco.svg - title: cisco - size: 216x216 - type: image/svg+xml -policy_templates: - - name: cisco_asa - title: Cisco ASA logs - description: Collect logs from Cisco ASA instances - inputs: - - type: tcp - title: Collect logs from Cisco ASA via TCP - description: Collecting logs from Cisco ASA via TCP - - type: udp - title: Collect logs from Cisco ASA via UDP - description: Collecting logs from Cisco ASA via UDP - - type: logfile - title: Collect logs from Cisco ASA via file - description: Collecting logs from Cisco ASA via file -owner: - github: elastic/security-external-integrations diff --git a/packages/cisco_ftd/2.4.3/LICENSE.txt b/packages/cisco_ftd/2.4.3/LICENSE.txt deleted file mode 100755 index 809108b857..0000000000 --- a/packages/cisco_ftd/2.4.3/LICENSE.txt +++ /dev/null 
@@ -1,93 +0,0 @@ -Elastic License 2.0 - -URL: https://www.elastic.co/licensing/elastic-license - -## Acceptance - -By using the software, you agree to all of the terms and conditions below. - -## Copyright License - -The licensor grants you a non-exclusive, royalty-free, worldwide, -non-sublicensable, non-transferable license to use, copy, distribute, make -available, and prepare derivative works of the software, in each case subject to -the limitations and conditions below. - -## Limitations - -You may not provide the software to third parties as a hosted or managed -service, where the service provides users with access to any substantial set of -the features or functionality of the software. - -You may not move, change, disable, or circumvent the license key functionality -in the software, and you may not remove or obscure any functionality in the -software that is protected by the license key. - -You may not alter, remove, or obscure any licensing, copyright, or other notices -of the licensor in the software. Any use of the licensor’s trademarks is subject -to applicable law. - -## Patents - -The licensor grants you a license, under any patent claims the licensor can -license, or becomes able to license, to make, have made, use, sell, offer for -sale, import and have imported the software, in each case subject to the -limitations and conditions in this license. This license does not cover any -patent claims that you cause to be infringed by modifications or additions to -the software. If you or your company make any written claim that the software -infringes or contributes to infringement of any patent, your patent license for -the software granted under these terms ends immediately. If your company makes -such a claim, your patent license ends immediately for work on behalf of your -company. - -## Notices - -You must ensure that anyone who gets a copy of any part of the software from you -also gets a copy of these terms. 
- -If you modify the software, you must include in any modified copies of the -software prominent notices stating that you have modified the software. - -## No Other Rights - -These terms do not imply any licenses other than those expressly granted in -these terms. - -## Termination - -If you use the software in violation of these terms, such use is not licensed, -and your licenses will automatically terminate. If the licensor provides you -with a notice of your violation, and you cease all violation of this license no -later than 30 days after you receive that notice, your licenses will be -reinstated retroactively. However, if you violate these terms after such -reinstatement, any additional violation of these terms will cause your licenses -to terminate automatically and permanently. - -## No Liability - -*As far as the law allows, the software comes as is, without any warranty or -condition, and the licensor will not be liable to you for any damages arising -out of these terms or the use or nature of the software, under any kind of -legal claim.* - -## Definitions - -The **licensor** is the entity offering these terms, and the **software** is the -software the licensor makes available under these terms, including any portion -of it. - -**you** refers to the individual or entity agreeing to these terms. - -**your company** is any legal entity, sole proprietorship, or other kind of -organization that you work for, plus all organizations that have control over, -are under the control of, or are under common control with that -organization. **control** means ownership of substantially all the assets of an -entity, or the power to direct its management and policies by vote, contract, or -otherwise. Control can be direct or indirect. - -**your licenses** are all the licenses granted to you for the software under -these terms. - -**use** means anything you do with the software requiring one of your licenses. 
- -**trademark** means trademarks, service marks, and similar rights. diff --git a/packages/cisco_ftd/2.4.3/changelog.yml b/packages/cisco_ftd/2.4.3/changelog.yml deleted file mode 100755 index f16cb27eed..0000000000 --- a/packages/cisco_ftd/2.4.3/changelog.yml +++ /dev/null 
@@ -1,127 +0,0 @@ -# newer versions go on top -- version: "2.4.3" - changes: - - description: Fix handling of 302020 event messages. - type: bugfix - link: https://github.com/elastic/integrations/pull/4209 -- version: "2.4.2" - changes: - - description: Use ECS geo.location definition. - type: enhancement - link: https://github.com/elastic/integrations/issues/4227 -- version: "2.4.1" - changes: - - description: Clean up grok pattern naming. - type: bugfix - link: https://github.com/elastic/integrations/pull/4163 -- version: "2.4.0" - changes: - - description: Update package to ECS 8.4.0 - type: enhancement - link: https://github.com/elastic/integrations/pull/3842 -- version: "2.3.1" - changes: - - description: Improve TCP, SSL config description and example. - type: enhancement - link: https://github.com/elastic/integrations/pull/3763 -- version: "2.3.0" - changes: - - description: Update package to ECS 8.3.0. - type: enhancement - link: https://github.com/elastic/integrations/pull/3353 -- version: "2.2.2" - changes: - - description: Map syslog priority details according to ECS - type: bugfix - link: https://github.com/elastic/integrations/pull/3549 - - description: Extract syslog facility and severity codes from syslog priority - type: bugfix - link: https://github.com/elastic/integrations/pull/3549 -- version: "2.2.1" - changes: - - description: Remove invalid values from ECS fields - type: bugfix - link: https://github.com/elastic/integrations/pull/3344 -- version: "2.2.0" - changes: - - description: Add TLS system test - type: enhancement - link: https://github.com/elastic/integrations/pull/3339 - - description: Add TCP input with TLS support - type: enhancement - link: https://github.com/elastic/integrations/pull/3313 -- version: "2.1.1" - changes: - - description: Added link to Cisco's FTD documentation in readme - type: enhancement - link: https://github.com/elastic/integrations/pull/2931 -- version: "2.1.0" - changes: - - description: Update to ECS 8.2 - 
type: enhancement - link: https://github.com/elastic/integrations/pull/2778 -- version: "2.0.4" - changes: - - description: Set event.kind to alert only when sha_disposition is malware or custom - type: bugfix - link: https://github.com/elastic/integrations/pull/3041 -- version: "2.0.3" - changes: - - description: Make fields agree with ECS - type: bugfix - link: https://github.com/elastic/integrations/pull/3018 -- version: "2.0.2" - changes: - - description: Update observer to ftd and idps to better match this integration. - type: bugfix - link: https://github.com/elastic/integrations/pull/2551 -- version: "2.0.1" - changes: - - description: Add documentation for multi-fields - type: enhancement - link: https://github.com/elastic/integrations/pull/2916 -- version: "2.0.0" - changes: - - description: Update to ECS 8.0 - type: enhancement - link: https://github.com/elastic/integrations/pull/2391 -- version: "1.2.2" - changes: - - description: Regenerate test files using the new GeoIP database - type: bugfix - link: https://github.com/elastic/integrations/pull/2339 -- version: "1.2.1" - changes: - - description: Change test public IPs to the supported subset - type: bugfix - link: https://github.com/elastic/integrations/pull/2327 -- version: "1.2.0" - changes: - - description: Add 8.0.0 version constraint - type: enhancement - link: https://github.com/elastic/integrations/pull/2258 -- version: "1.1.2" - changes: - - description: Update Title and Description. 
- type: enhancement - link: https://github.com/elastic/integrations/pull/1954 -- version: "1.1.1" - changes: - - description: Fix logic that checks for the 'forwarded' tag - type: bugfix - link: https://github.com/elastic/integrations/pull/1806 -- version: "1.1.0" - changes: - - description: Update to ECS 1.12.0 - type: enhancement - link: https://github.com/elastic/integrations/pull/1783 -- version: "1.0.1" - changes: - - description: Adding missing ECS fields - type: bugfix - link: https://github.com/elastic/integrations/pull/1731 -- version: "1.0.0" - changes: - - description: Initial version to split Cisco FTD out from the general Cisco package - type: enhancement - link: https://github.com/elastic/integrations/pull/1586 diff --git a/packages/cisco_ftd/2.4.3/data_stream/log/agent/stream/stream.yml.hbs b/packages/cisco_ftd/2.4.3/data_stream/log/agent/stream/stream.yml.hbs deleted file mode 100755 index 28ea4aaa98..0000000000 --- a/packages/cisco_ftd/2.4.3/data_stream/log/agent/stream/stream.yml.hbs +++ /dev/null @@ -1,20 +0,0 @@ -paths: -{{#each paths as |path i|}} - - {{path}} -{{/each}} -exclude_files: [".gz$"] -tags: -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#each tags as |tag i|}} - - {{tag}} -{{/each}} -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} -processors: -- add_locale: ~ -{{#if processors}} -{{processors}} -{{/if}} \ No newline at end of file diff --git a/packages/cisco_ftd/2.4.3/data_stream/log/agent/stream/tcp.yml.hbs b/packages/cisco_ftd/2.4.3/data_stream/log/agent/stream/tcp.yml.hbs deleted file mode 100755 index 8f3ae72293..0000000000 --- a/packages/cisco_ftd/2.4.3/data_stream/log/agent/stream/tcp.yml.hbs +++ /dev/null 
@@ -1,22 +0,0 @@ -host: "{{tcp_host}}:{{tcp_port}}" -tags: -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#each tags as |tag i|}} - - {{tag}} -{{/each}} -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} -{{#if ssl}} -ssl: {{ssl}} -{{/if}} -processors: -- add_locale: ~ -{{#if processors}} -{{processors}} -{{/if}} -{{#if tcp_options}} -{{tcp_options}} -{{/if}} \ No newline at end of file diff --git a/packages/cisco_ftd/2.4.3/data_stream/log/agent/stream/udp.yml.hbs b/packages/cisco_ftd/2.4.3/data_stream/log/agent/stream/udp.yml.hbs deleted file mode 100755 index e129442a23..0000000000 --- a/packages/cisco_ftd/2.4.3/data_stream/log/agent/stream/udp.yml.hbs +++ /dev/null @@ -1,16 +0,0 @@ -host: "{{udp_host}}:{{udp_port}}" -tags: -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#each tags as |tag i|}} - - {{tag}} -{{/each}} -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} -processors: -- add_locale: ~ -{{#if processors}} -{{processors}} -{{/if}} \ No newline at end of file diff --git a/packages/cisco_ftd/2.4.3/data_stream/log/elasticsearch/ingest_pipeline/default.yml b/packages/cisco_ftd/2.4.3/data_stream/log/elasticsearch/ingest_pipeline/default.yml deleted file mode 100755 index fe507b40db..0000000000 --- a/packages/cisco_ftd/2.4.3/data_stream/log/elasticsearch/ingest_pipeline/default.yml +++ /dev/null 
@@ -1,2000 +0,0 @@ ---- -description: "Pipeline for Cisco FTD logs" -processors: - - rename: - field: message - target_field: event.original - ignore_missing: true - - set: - field: ecs.version - value: '8.4.0' - # - # Parse the syslog header - # - # This populates the host.hostname, process.name, timestamp and other fields - # from the header and stores the message contents in _temp_.full_message. - - grok: - field: event.original - patterns: - - "(?:%{SYSLOG_HEADER})?\\s*%{GREEDYDATA:_temp_.full_message}" - pattern_definitions: - SYSLOG_HEADER: "(?:%{SYSPRIORITY}\\s*)?(?:%{FTD_DATE:_temp_.raw_date}:?\\s+)?(?:%{PROCESS_HOST}|%{HOST_PROCESS})(?:{DATA})?%{SYSLOG_END}?" - SYSPRIORITY: "<%{NONNEGINT:log.syslog.priority:int}>" - # Beginning with version 6.3, Firepower Threat Defense provides the option to enable timestamp as per RFC 5424. - FTD_DATE: "(?:%{TIMESTAMP_ISO8601}|%{ASA_DATE})" - ASA_DATE: "(?:%{DAY} )?%{MONTH} *%{MONTHDAY}(?: %{YEAR})? %{TIME}(?: %{TZ})?" - PROCESS: "(?:[^%\\s:\\[]+)" - SYSLOG_END: "(?:(:|\\s)\\s+)" - # exactly match the syntax for firepower management logs - PROCESS_HOST: "(?:%{PROCESS:process.name}:\\s%{SYSLOGHOST:host.name})" - HOST_PROCESS: "(?:%{SYSLOGHOST:host.hostname}:?\\s+)?(?:%{PROCESS:process.name}?(?:\\[%{POSINT:process.pid:long}\\])?)?" - - script: - lang: painless - source: | - if (ctx.log?.syslog?.priority != null) { - def severity = new HashMap(); - severity['code'] = ctx.log.syslog.priority&0x7; - ctx.log.syslog['severity'] = severity; - def facility = new HashMap(); - facility['code'] = ctx.log.syslog.priority>>3; - ctx.log.syslog['facility'] = facility; - } - - # - # Parse FTD/ASA style message - # - # This parses the header of an EMBLEM-style message for FTD and ASA prefixes. 
- - grok: - field: _temp_.full_message - patterns: - - "%{FTD_PREFIX}-(?:%{FTD_SUFFIX:_temp_.cisco.suffix}-)?%{NONNEGINT:event.severity:int}-%{POSINT:_temp_.cisco.message_id}?:?\\s*%{GREEDYDATA:message}" - # Before version 6.3, messages for connection, security intelligence, and intrusion events didn't include an event type ID in the message header. - - "%{GREEDYDATA:message}" - pattern_definitions: - FTD_SUFFIX: "[^0-9-]+" - # Before version 6.3, FTD used ASA prefix in syslog messages - FTD_PREFIX: "%{DATA}%(?:[A-Z]+)" - - # - # Create missing fields when no %FTD label is present - # - # message_id is needed in order for some processors below to work. - - set: - field: _temp_.cisco.message_id - value: "" - if: "ctx?._temp_?.cisco?.message_id == null" - - # - # set default event.severity to 7 (debug): - # - # This value is read from the EMBLEM header and won't be present if this is not - # an emblem message (firewalls can be configured to report other kinds of events) - - set: - field: event.severity - value: 7 - if: "ctx?.event?.severity == null" - - # - # Parse the date included in FTD logs - # - - date: - if: "ctx.event?.timezone == null && ctx._temp_?.raw_date != null" - field: "_temp_.raw_date" - target_field: "@timestamp" - formats: - - "ISO8601" - - "MMM d HH:mm:ss" - - "MMM dd HH:mm:ss" - - "EEE MMM d HH:mm:ss" - - "EEE MMM dd HH:mm:ss" - - "MMM d HH:mm:ss z" - - "MMM dd HH:mm:ss z" - - "EEE MMM d HH:mm:ss z" - - "EEE MMM dd HH:mm:ss z" - - "MMM d yyyy HH:mm:ss" - - "MMM dd yyyy HH:mm:ss" - - "EEE MMM d yyyy HH:mm:ss" - - "EEE MMM dd yyyy HH:mm:ss" - - "MMM d yyyy HH:mm:ss z" - - "MMM dd yyyy HH:mm:ss z" - - "EEE MMM d yyyy HH:mm:ss z" - - "EEE MMM dd yyyy HH:mm:ss z" - on_failure: - [ - { - "append": - { - "field": "error.message", - "value": "{{ _ingest.on_failure_message }}", - }, - }, - ] - - date: - if: "ctx.event?.timezone != null && ctx._temp_?.raw_date != null" - timezone: "{{ event.timezone }}" - field: "_temp_.raw_date" - target_field: 
"@timestamp" - formats: - - "ISO8601" - - "MMM d HH:mm:ss" - - "MMM dd HH:mm:ss" - - "EEE MMM d HH:mm:ss" - - "EEE MMM dd HH:mm:ss" - - "MMM d HH:mm:ss z" - - "MMM dd HH:mm:ss z" - - "EEE MMM d HH:mm:ss z" - - "EEE MMM dd HH:mm:ss z" - - "MMM d yyyy HH:mm:ss" - - "MMM dd yyyy HH:mm:ss" - - "EEE MMM d yyyy HH:mm:ss" - - "EEE MMM dd yyyy HH:mm:ss" - - "MMM d yyyy HH:mm:ss z" - - "MMM dd yyyy HH:mm:ss z" - - "EEE MMM d yyyy HH:mm:ss z" - - "EEE MMM dd yyyy HH:mm:ss z" - on_failure: - [ - { - "append": - { - "field": "error.message", - "value": "{{ _ingest.on_failure_message }}", - }, - }, - ] - - # - # Set log.level - # - - set: - field: "log.level" - if: "ctx.event.severity == 0" - value: unknown - - set: - field: "log.level" - if: "ctx.event.severity == 1" - value: alert - - set: - field: "log.level" - if: "ctx.event.severity == 2" - value: critical - - set: - field: "log.level" - if: "ctx.event.severity == 3" - value: error - - set: - field: "log.level" - if: "ctx.event.severity == 4" - value: warning - - set: - field: "log.level" - if: "ctx.event.severity == 5" - value: notification - - set: - field: "log.level" - if: "ctx.event.severity == 6" - value: informational - - set: - field: "log.level" - if: "ctx.event.severity == 7" - value: debug - - # - # Firewall messages - # - # This set of messages is shared between FTD and ASA. 
- - set: - if: 'ctx._temp_.cisco.message_id != ""' - field: "event.action" - value: "firewall-rule" - - dissect: - if: "ctx._temp_.cisco.message_id == '106001'" - field: "message" - description: "106001" - pattern: "%{network.direction} %{network.transport} connection %{event.outcome} from %{source.address}/%{source.port} to %{destination.address}/%{destination.port} flags %{} on interface %{_temp_.cisco.source_interface}" - - dissect: - if: "ctx._temp_.cisco.message_id == '106002'" - field: "message" - description: "106002" - pattern: "%{network.transport} Connection %{event.outcome} by %{network.direction} list %{_temp_.cisco.list_id} src %{source.address} dest %{destination.address}" - - dissect: - if: "ctx._temp_.cisco.message_id == '106006'" - field: "message" - description: "106006" - pattern: "%{event.outcome} %{network.direction} %{network.transport} from %{source.address}/%{source.port} to %{destination.address}/%{destination.port} on interface %{_temp_.cisco.source_interface}" - - dissect: - if: "ctx._temp_.cisco.message_id == '106007'" - field: "message" - description: "106007" - pattern: "%{event.outcome} %{network.direction} %{network.transport} from %{source.address}/%{source.port} to %{destination.address}/%{destination.port} due to %{network.protocol} %{}" - - grok: - if: "ctx._temp_.cisco.message_id == '106010'" - field: "message" - description: "106010" - patterns: - - "%{NOTSPACE:event.outcome} %{NOTSPACE:network.direction} %{NOTSPACE:network.transport} src %{NOTSPACE:_temp_.cisco.source_interface}:%{NOTSPACE:source.address}/%{POSINT:source.port} (%{DATA})?dst %{NOTSPACE:_temp_.cisco.destination_interface}:%{NOTSPACE:destination.address}/%{POSINT:destination.port}(%{GREEDYDATA})?" 
- - dissect: - if: "ctx._temp_.cisco.message_id == '106013'" - field: "message" - description: "106013" - pattern: "Dropping echo request from %{source.address} to PAT address %{destination.address}" - - set: - if: "ctx._temp_.cisco.message_id == '106013'" - field: "network.transport" - description: "106013" - value: icmp - - set: - if: "ctx._temp_.cisco.message_id == '106013'" - field: "network.direction" - description: "106013" - value: inbound - - grok: - if: "ctx._temp_.cisco.message_id == '106014'" - field: "message" - description: "106014" - patterns: - - "%{NOTSPACE:event.outcome} %{NOTSPACE:network.direction} %{NOTSPACE:network.transport} src %{NOTSPACE:_temp_.cisco.source_interface}:%{NOTSPACE:source.address} (%{DATA})?dst %{NOTSPACE:_temp_.cisco.destination_interface}:(?[^ (]*)(%{GREEDYDATA})?" - - grok: - if: "ctx._temp_.cisco.message_id == '106015'" - field: "message" - description: "106015" - patterns: - - "%{NOTSPACE:event.outcome} %{NOTSPACE:network.transport} %{NOTSPACE} %{NOTSPACE} from %{IP:source.address}/%{POSINT:source.port} to %{IP:destination.address}/%{POSINT:destination.port} flags %{DATA} on interface %{NOTSPACE:_temp_.cisco.source_interface}" - - dissect: - if: "ctx._temp_.cisco.message_id == '106016'" - field: "message" - pattern: "%{event.outcome} IP spoof from (%{source.address}) to %{destination.address} on interface %{_temp_.cisco.source_interface}" - description: "106016" - - dissect: - if: "ctx._temp_.cisco.message_id == '106017'" - field: "message" - pattern: "%{event.outcome} IP due to Land Attack from %{source.address} to %{destination.address}" - description: "106017" - - dissect: - if: "ctx._temp_.cisco.message_id == '106018'" - field: "message" - pattern: "%{network.transport} packet type %{_temp_.cisco.icmp_type} %{event.outcome} by %{network.direction} list %{_temp_.cisco.list_id} src %{source.address} dest %{destination.address}" - description: "106018" - - dissect: - if: "ctx._temp_.cisco.message_id == '106020'" - field: 
"message" - pattern: "%{event.outcome} IP teardrop fragment (size = %{}, offset = %{}) from %{source.address} to %{destination.address}" - description: "106020" - - dissect: - if: "ctx._temp_.cisco.message_id == '106021'" - field: "message" - pattern: "%{event.outcome} %{network.transport} reverse path check from %{source.address} to %{destination.address} on interface %{_temp_.cisco.source_interface}" - description: "106021" - - dissect: - if: "ctx._temp_.cisco.message_id == '106022'" - field: "message" - pattern: "%{event.outcome} %{network.transport} connection spoof from %{source.address} to %{destination.address} on interface %{_temp_.cisco.source_interface}" - description: "106022" - - grok: - if: "ctx._temp_.cisco.message_id == '106023'" - field: "message" - description: "106023" - patterns: - - ^%{NOTSPACE:event.outcome} %{NOTSPACE:network.transport} src %{NOTSPACE:_temp_.cisco.source_interface}:%{IPORHOST:source.address}(/%{POSINT:source.port})?\s*(%{GREEDYDATA:_temp_.cisco.source_username} )?dst %{NOTSPACE:_temp_.cisco.destination_interface}:%{IPORHOST:destination.address}(/%{POSINT:destination.port})?%{DATA}by access.group "%{NOTSPACE:_temp_.cisco.list_id}" - - dissect: - if: "ctx._temp_.cisco.message_id == '106027'" - field: "message" - description: "106027" - pattern: '%{} %{event.outcome} src %{source.address} dst %{destination.address} by access-group "%{_temp_.cisco.list_id}"' - - dissect: - if: "ctx._temp_.cisco.message_id == '106100'" - field: "message" - description: "106100" - pattern: "access-list %{_temp_.cisco.list_id} %{event.outcome} %{network.transport} %{_temp_.cisco.source_interface}/%{source.address}(%{source.port})%{}-> %{_temp_.cisco.destination_interface}/%{destination.address}(%{destination.port})%{}" - - dissect: - if: "ctx._temp_.cisco.message_id == '106102' || ctx._temp_.cisco.message_id == '106103'" - field: "message" - description: "106103" - pattern: "access-list %{_temp_.cisco.list_id} %{event.outcome} %{network.transport} 
for user %{user.name} %{_temp_.cisco.source_interface}/%{source.address}(%{source.port})%{}-> %{_temp_.cisco.destination_interface}/%{destination.address}(%{destination.port})%{}" - - dissect: - if: "ctx._temp_.cisco.message_id == '111004'" - field: "message" - description: "111004" - pattern: "%{source.address} end configuration: %{_temp_.cisco.cli_outcome}" - - set: - field: event.outcome - description: "111004" - value: "success" - if: "ctx._temp_.cisco.message_id == '111004' && ctx?._temp_?.cisco?.cli_outcome == 'OK'" - - set: - field: event.outcome - description: "111004" - value: "failure" - if: "ctx._temp_.cisco.message_id == '111004' && ctx?._temp_?.cisco?.cli_outcome == 'FAILED'" - - remove: - field: _temp_.cisco.cli_outcome - ignore_missing: true - - append: - field: event.type - description: "111004" - value: "change" - if: "ctx._temp_.cisco.message_id == '111004'" - - grok: - if: "ctx._temp_.cisco.message_id == '111009'" - description: "111009" - field: "message" - patterns: - - "^%{NOTSPACE} '%{NOTSPACE:server.user.name}' executed %{NOTSPACE} %{GREEDYDATA:_temp_.cisco.command_line_arguments}" - - grok: - if: "ctx._temp_.cisco.message_id == '111010'" - field: "message" - description: "111010" - patterns: - - "User '%{NOTSPACE:server.user.name}', running %{QUOTEDSTRING} from IP %{IP:source.address}, executed %{QUOTEDSTRING:_temp_.cisco.command_line_arguments}" - - dissect: - if: "ctx._temp_.cisco.message_id == '113019'" - field: "message" - description: "113019" - pattern: "Group = %{}, Username = %{source.user.name}, IP = %{destination.address}, Session disconnected. 
Session Type: %{}, Duration: %{_temp_.duration_hms}, Bytes xmt: %{source.bytes}, Bytes rcv: %{destination.bytes}, Reason: %{message}" - - grok: - if: '["302013", "302015"].contains(ctx._temp_.cisco.message_id)' - field: "message" - description: "302013, 302015" - patterns: - - "Built %{NOTSPACE:network.direction} %{NOTSPACE:network.transport} connection %{NUMBER:_temp_.cisco.connection_id} for %{NOTSPACE:_temp_.cisco.source_interface}:%{IP:source.address}/%{NUMBER:source.port} \\(%{IP:_temp_.natsrcip}/%{NUMBER:_temp_.cisco.mapped_source_port}\\)(\\(%{NOTSPACE:_temp_.cisco.source_username}\\))? to %{NOTSPACE:_temp_.cisco.destination_interface}:%{NOTSPACE:destination.address}/%{NUMBER:destination.port} \\(%{NOTSPACE:_temp_.natdstip}/%{NUMBER:_temp_.cisco.mapped_destination_port}\\)( \\(%{NOTSPACE:destination.user.name}\\))?%{GREEDYDATA}" - - dissect: - if: "ctx._temp_.cisco.message_id == '303002'" - field: "message" - description: "303002" - pattern: "%{network.protocol} connection from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port}, user %{client.user.name} %{} file %{file.path}" - - dissect: - if: "ctx._temp_.cisco.message_id == '302012'" - field: "message" - description: "302012" - pattern: "Teardown %{} %{network.transport} translation from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} duration %{_temp_.duration_hms}" - - set: - if: '["302020"].contains(ctx._temp_.cisco.message_id)' - field: "event.action" - value: "flow-creation" - description: "302020" - - grok: - if: "ctx._temp_.cisco.message_id == '302020'" - field: "message" - description: "302020" - patterns: - - "Built %{NOTSPACE:network.direction} %{NOTSPACE:network.protocol} connection for faddr 
(?:%{NOTCOLON:_temp_.cisco.source_interface}:)?%{ECSDESTIPORHOST}/%{NUMBER}\\s*(?:\\(%{NOTSPACE:_temp_.cisco.destination_username}\\) )?gaddr (?:%{NOTCOLON}:)?%{MAPPEDSRC}/%{NUMBER} laddr (?:%{NOTCOLON:_temp_.cisco.source_interface}:)?%{ECSSOURCEIPORHOST}/%{NUMBER}\\s*(?:\\(%{NOTSPACE:_temp_.cisco.source_username}\\) )?(type %{NUMBER:_temp_.cisco.icmp_type} code %{NUMBER:_temp_.cisco.icmp_code})?" - pattern_definitions: - NOTCOLON: "[^:]*" - ECSSOURCEIPORHOST: "(?:%{IP:source.address}|%{HOSTNAME:source.domain})" - ECSDESTIPORHOST: "(?:%{IP:destination.address}|%{HOSTNAME:destination.domain})" - MAPPEDSRC: "(?:%{DATA:_temp_.natsrcip}|%{HOSTNAME})" - - dissect: - if: "ctx._temp_.cisco.message_id == '302022'" - field: "message" - description: "302022" - pattern: "Built %{} stub %{network.transport} connection for %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} %{} to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} %{}" - - dissect: - if: "ctx._temp_.cisco.message_id == '302023'" - field: "message" - description: "302023" - pattern: "Teardown stub %{network.transport} connection for %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} duration %{_temp_.duration_hms} forwarded bytes %{network.bytes} %{event.reason}" - - grok: - if: "ctx._temp_.cisco.message_id == '304001'" - field: "message" - description: "304001" - patterns: - - "%{IP:source.address} %{DATA} (%{NOTSPACE}@)?%{IP:destination.address}:%{GREEDYDATA:url.original}" - - set: - if: "ctx._temp_.cisco.message_id == '304001'" - field: "event.outcome" - description: "304001" - value: success - - dissect: - if: "ctx._temp_.cisco.message_id == '304002'" - field: "message" - description: "304002" - pattern: "Access %{event.outcome} URL %{url.original} SRC %{source.address} %{}EST %{destination.address} on interface %{_temp_.cisco.source_interface}" - - grok: - if: 
"ctx._temp_.cisco.message_id == '305011'" - field: "message" - description: "305011" - patterns: - - Built %{NOTSPACE} %{NOTSPACE:network.transport} translation from %{NOTSPACE:_temp_.cisco.source_interface}:%{IP:source.address}/%{NUMBER:source.port}(\(%{NOTSPACE:source.user.name}\))? to %{NOTSPACE:_temp_.cisco.destination_interface}:%{IP:destination.address}/%{NUMBER:destination.port} - - dissect: - if: "ctx._temp_.cisco.message_id == '313001'" - field: "message" - description: "313001" - pattern: "%{event.outcome} %{network.transport} type=%{_temp_.cisco.icmp_type}, code=%{_temp_.cisco.icmp_code} from %{source.address} on interface %{_temp_.cisco.source_interface}" - - dissect: - if: "ctx._temp_.cisco.message_id == '313004'" - field: "message" - description: "313004" - pattern: "%{event.outcome} %{network.transport} type=%{_temp_.cisco.icmp_type}, from%{}addr %{source.address} on interface %{_temp_.cisco.source_interface} to %{destination.address}: no matching session" - - dissect: - if: "ctx._temp_.cisco.message_id == '313005'" - field: "message" - description: "313005" - pattern: "No matching connection for %{network.transport} error message: %{} on %{_temp_.cisco.source_interface} interface.%{}riginal IP payload: %{}" - - dissect: - if: "ctx._temp_.cisco.message_id == '313008'" - field: "message" - description: "313008" - pattern: "%{event.outcome} %{network.transport} type=%{_temp_.cisco.icmp_type}, code=%{_temp_.cisco.icmp_code} from %{source.address} on interface %{_temp_.cisco.source_interface}" - - dissect: - if: "ctx._temp_.cisco.message_id == '313009'" - field: "message" - description: "313009" - pattern: "%{event.outcome} invalid %{network.transport} code %{_temp_.cisco.icmp_code}, for %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}" 
- - dissect: - if: "ctx._temp_.cisco.message_id == '322001'" - field: "message" - description: "322001" - pattern: "%{event.outcome} MAC address %{source.mac}, possible spoof attempt on interface %{_temp_.cisco.source_interface}" - - dissect: - if: "ctx._temp_.cisco.message_id == '338001'" - field: "message" - description: "338001" - pattern: "Dynamic filter %{event.outcome} black%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}source %{} resolved from %{_temp_.cisco.list_id} list: %{source.domain}, threat-level: %{_temp_.cisco.threat_level}, category: %{_temp_.cisco.threat_category}" - - set: - if: "ctx._temp_.cisco.message_id == '338001'" - field: "server.domain" - description: "338001" - value: "{{source.domain}}" - ignore_empty_value: true - - dissect: - if: "ctx._temp_.cisco.message_id == '338002'" - field: "message" - description: "338002" - pattern: "Dynamic %{}ilter %{event.outcome} black%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}destination %{} resolved from %{_temp_.cisco.list_id} list: %{destination.domain}" - - set: - if: "ctx._temp_.cisco.message_id == '338002'" - field: "server.domain" - description: "338002" - value: "{{destination.domain}}" - ignore_empty_value: true - - dissect: - if: "ctx._temp_.cisco.message_id == '338003'" - field: "message" - description: "338003" - pattern: "Dynamic %{}ilter %{event.outcome} black%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} 
(%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}source %{} resolved from %{_temp_.cisco.list_id} list: %{}, threat-level: %{_temp_.cisco.threat_level}, category: %{_temp_.cisco.threat_category}" - - dissect: - if: "ctx._temp_.cisco.message_id == '338004'" - field: "message" - description: "338004" - pattern: "Dynamic %{}ilter %{event.outcome} black%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}destination %{} resolved from %{_temp_.cisco.list_id} list: %{}, threat-level: %{_temp_.cisco.threat_level}, category: %{_temp_.cisco.threat_category}" - - dissect: - if: "ctx._temp_.cisco.message_id == '338005'" - field: "message" - description: "338005" - pattern: "Dynamic %{}ilter %{event.outcome} black%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}source %{} resolved from %{_temp_.cisco.list_id} list: %{source.domain}, threat-level: %{_temp_.cisco.threat_level}, category: %{_temp_.cisco.threat_category}" - - set: - if: "ctx._temp_.cisco.message_id == '338005'" - field: "server.domain" - description: "338005" - value: "{{source.domain}}" - ignore_empty_value: true - - dissect: - if: "ctx._temp_.cisco.message_id == '338006'" - field: "message" - description: "338006" - pattern: "Dynamic %{}ilter %{event.outcome} black%{}d %{network.transport} traffic from 
%{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}destination %{} resolved from %{_temp_.cisco.list_id} list: %{destination.domain}, threat-level: %{_temp_.cisco.threat_level}, category: %{_temp_.cisco.threat_category}" - - set: - if: "ctx._temp_.cisco.message_id == '338006'" - field: "server.domain" - description: "338006" - value: "{{destination.domain}}" - ignore_empty_value: true - - dissect: - if: "ctx._temp_.cisco.message_id == '338007'" - field: "message" - description: "338007" - pattern: "Dynamic %{}ilter %{event.outcome} black%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}source %{} resolved from %{_temp_.cisco.list_id} list: %{}, threat-level: %{_temp_.cisco.threat_level}, category: %{_temp_.cisco.threat_category}" - - dissect: - if: "ctx._temp_.cisco.message_id == '338008'" - field: "message" - description: "338008" - pattern: "Dynamic %{}ilter %{event.outcome} black%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}destination %{} resolved from %{_temp_.cisco.list_id} list: %{}, threat-level: %{_temp_.cisco.threat_level}, category: %{_temp_.cisco.threat_category}" - - dissect: - if: "ctx._temp_.cisco.message_id == '338101'" - field: "message" - description: "338101" - pattern: "Dynamic %{}ilter %{event.outcome} white%{}d 
%{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}source %{} resolved from %{_temp_.cisco.list_id} list: %{source.domain}" - - set: - if: "ctx._temp_.cisco.message_id == '338101'" - field: "server.domain" - description: "338101" - value: "{{source.domain}}" - ignore_empty_value: true - - dissect: - if: "ctx._temp_.cisco.message_id == '338102'" - field: "message" - description: "338102" - pattern: "Dynamic %{}ilter %{event.outcome} white%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}destination %{} resolved from %{_temp_.cisco.list_id} list: %{destination.domain}" - - set: - if: "ctx._temp_.cisco.message_id == '338102'" - field: "server.domain" - description: "338102" - value: "{{destination.domain}}" - ignore_empty_value: true - - dissect: - if: "ctx._temp_.cisco.message_id == '338103'" - field: "message" - description: "338103" - pattern: "Dynamic %{}ilter %{event.outcome} white%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}source %{} resolved from %{_temp_.cisco.list_id} list: %{}" - - dissect: - if: "ctx._temp_.cisco.message_id == '338104'" - field: "message" - description: "338104" - pattern: "Dynamic %{}ilter %{event.outcome} white%{}d %{network.transport} traffic from 
%{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}destination %{} resolved from %{_temp_.cisco.list_id} list: %{}" - - dissect: - if: "ctx._temp_.cisco.message_id == '338201'" - field: "message" - description: "338201" - pattern: "Dynamic %{}ilter %{event.outcome} grey%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}source %{} resolved from %{_temp_.cisco.list_id} list: %{source.domain}, threat-level: %{_temp_.cisco.threat_level}, category: %{_temp_.cisco.threat_category}" - - set: - if: "ctx._temp_.cisco.message_id == '338201'" - field: "server.domain" - description: "338201" - value: "{{source.domain}}" - ignore_empty_value: true - - dissect: - if: "ctx._temp_.cisco.message_id == '338202'" - field: "message" - description: "338202" - pattern: "Dynamic %{}ilter %{event.outcome} grey%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}destination %{} resolved from %{_temp_.cisco.list_id} list: %{destination.domain}, threat-level: %{_temp_.cisco.threat_level}, category: %{_temp_.cisco.threat_category}" - - set: - if: "ctx._temp_.cisco.message_id == '338202'" - field: "server.domain" - description: "338202" - value: "{{destination.domain}}" - ignore_empty_value: true - - dissect: - if: "ctx._temp_.cisco.message_id == '338203'" - field: "message" - 
description: "338203" - pattern: "Dynamic %{}ilter %{event.outcome} grey%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}source %{} resolved from %{_temp_.cisco.list_id} list: %{source.domain}, threat-level: %{_temp_.cisco.threat_level}, category: %{_temp_.cisco.threat_category}" - - set: - if: "ctx._temp_.cisco.message_id == '338203'" - field: "server.domain" - description: "338203" - value: "{{source.domain}}" - ignore_empty_value: true - - dissect: - if: "ctx._temp_.cisco.message_id == '338204'" - field: "message" - description: "338204" - pattern: "Dynamic %{}ilter %{event.outcome} grey%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}destination %{} resolved from %{_temp_.cisco.list_id} list: %{destination.domain}, threat-level: %{_temp_.cisco.threat_level}, category: %{_temp_.cisco.threat_category}" - - set: - if: "ctx._temp_.cisco.message_id == '338204'" - field: "server.domain" - description: "338204" - value: "{{destination.domain}}" - ignore_empty_value: true - - dissect: - if: "ctx._temp_.cisco.message_id == '338301'" - field: "message" - description: "338301" - pattern: "Intercepted DNS reply for domain %{source.domain} from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port}, matched %{_temp_.cisco.list_id}" - - set: - if: "ctx._temp_.cisco.message_id == '338301'" - field: "client.address" - description: "338301" - value: "{{destination.address}}" - 
ignore_empty_value: true - - set: - if: "ctx._temp_.cisco.message_id == '338301'" - field: "client.port" - description: "338301" - value: "{{destination.port}}" - ignore_empty_value: true - - set: - if: "ctx._temp_.cisco.message_id == '338301'" - field: "server.address" - description: "338301" - value: "{{source.address}}" - ignore_empty_value: true - - set: - if: "ctx._temp_.cisco.message_id == '338301'" - field: "server.port" - description: "338301" - value: "{{source.port}}" - ignore_empty_value: true - - dissect: - if: "ctx._temp_.cisco.message_id == '502103'" - field: "message" - description: "502103" - pattern: "User priv level changed: Uname: %{server.user.name} 
From: %{_temp_.cisco.privilege.old} To: %{_temp_.cisco.privilege.new}" - - append: - if: "ctx._temp_.cisco.message_id == '502103'" - field: "event.type" - description: "502103" - value: - - "group" - - "change" - - append: - if: "ctx._temp_.cisco.message_id == '502103'" - field: "event.category" - description: "502103" - value: "iam" - - dissect: - if: "ctx._temp_.cisco.message_id == '507003'" - field: "message" - description: "507003" - pattern: "%{network.transport} flow from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} terminated by inspection engine, reason - %{message}" - - dissect: - if: '["605004", "605005"].contains(ctx._temp_.cisco.message_id)' - field: "message" - description: "605004, 605005" - pattern: 'Login %{event.outcome} from %{source.address}/%{source.port} to %{_temp_.cisco.destination_interface}:%{destination.address}/%{network.protocol} for user "%{source.user.name}"' - - dissect: - if: "ctx._temp_.cisco.message_id == '609001'" - field: "message" - description: "609001" - pattern: "Built local-host %{_temp_.cisco.source_interface}:%{source.address}" - - dissect: - if: "ctx._temp_.cisco.message_id == '609002'" - field: "message" - description: "609002" - pattern: "Teardown local-host %{_temp_.cisco.source_interface}:%{source.address} duration %{_temp_.duration_hms}" - - dissect: - if: '["611102", "611101"].contains(ctx._temp_.cisco.message_id)' - field: "message" - description: "611102, 611101" - pattern: "User authentication %{event.outcome}: IP address: %{source.address}, Uname: %{server.user.name}" - - dissect: - if: "ctx._temp_.cisco.message_id == '710003'" - field: "message" - description: "710003" - pattern: "%{network.transport} access %{event.outcome} by ACL from %{source.address}/%{source.port} to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port}" - - dissect: - if: "ctx._temp_.cisco.message_id == 
'710005'" - field: "message" - description: "710005" - pattern: "%{network.transport} request %{event.outcome} from %{source.address}/%{source.port} to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port}" - - dissect: - if: "ctx._temp_.cisco.message_id == '713049'" - field: "message" - description: "713049" - pattern: "Group = %{}, IP = %{source.address}, Security negotiation complete for LAN-to-LAN Group (%{}) %{}, Inbound SPI = %{}, Outbound SPI = %{}" - - grok: - if: "ctx._temp_.cisco.message_id == '716002'" - field: "message" - description: "716002" - patterns: - - "Group <%{NOTSPACE:_temp_.cisco.webvpn.group_name}> User <%{NOTSPACE:source.user.name}> IP <%{IP:source.address}> WebVPN session terminated: %{GREEDYDATA:event.reason}." - - "Group %{NOTSPACE:_temp_.cisco.webvpn.group_name} User %{NOTSPACE:source.user.name} IP %{IP:source.address} WebVPN session terminated: %{GREEDYDATA:event.reason}." - - grok: - if: "ctx._temp_.cisco.message_id == '722051'" - field: "message" - description: "722051" - patterns: - - "Group <%{NOTSPACE:_temp_.cisco.webvpn.group_name}> User <%{NOTSPACE:source.user.name}> IP <%{IP:source.address}> IPv4 Address <%{IP:_temp_.cisco.assigned_ip}> %{GREEDYDATA}" - - "Group %{NOTSPACE:_temp_.cisco.webvpn.group_name} User %{NOTSPACE:source.user.name} IP %{IP:source.address} IPv4 Address %{IP:_temp_.cisco.assigned_ip} %{GREEDYDATA}" - - dissect: - if: "ctx._temp_.cisco.message_id == '733100'" - field: "message" - description: "733100" - pattern: "[%{_temp_.cisco.burst.object}] drop %{_temp_.cisco.burst.id} exceeded. 
Current burst rate is %{_temp_.cisco.burst.current_rate} per second, max configured rate is %{_temp_.cisco.burst.configured_rate}; Current average rate is %{_temp_.cisco.burst.avg_rate} per second, max configured rate is %{_temp_.cisco.burst.configured_avg_rate}; Cumulative total count is %{_temp_.cisco.burst.cumulative_count}" - - dissect: - if: "ctx._temp_.cisco.message_id == '734001'" - field: "message" - description: "734001" - pattern: "DAP: User %{user.email}, Addr %{source.address}, Connection %{_temp_.cisco.connection_type}: The following DAP records were selected for this connection: %{_temp_.cisco.dap_records->}" - - dissect: - if: "ctx._temp_.cisco.message_id == '805001'" - field: "message" - description: "805001" - pattern: "Offloaded %{network.transport} for connection %{_temp_.cisco.connection_id} from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})" - - dissect: - if: "ctx._temp_.cisco.message_id == '805002'" - field: "message" - description: "805002" - pattern: "%{network.transport} Flow is no longer offloaded for connection %{_temp_.cisco.connection_id} from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})" - - split: - field: "_temp_.cisco.dap_records" - separator: ",\\s+" - ignore_missing: true - - dissect: - if: "ctx._temp_.cisco.message_id == '434002'" - field: "message" - pattern: "SFR requested to %{event.action} %{network.protocol} packet from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port}" - - dissect: - if: 
"ctx._temp_.cisco.message_id == '434004'" - field: "message" - pattern: "SFR requested ASA to %{event.action} further packet redirection and process %{network.protocol} flow from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} locally" - - dissect: - if: "ctx._temp_.cisco.message_id == '110002'" - field: "message" - pattern: "%{event.reason} for %{network.protocol} from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} to %{destination.address}/%{destination.port}" - - dissect: - if: "ctx._temp_.cisco.message_id == '419002'" - field: "message" - pattern: "%{event.reason}from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} %{+event.reason}" - - dissect: - if: '["602303", "602304"].contains(ctx._temp_.cisco.message_id)' - field: "message" - pattern: "%{network.type}: An %{network.direction} %{network.inner} SA (SPI= %{}) between %{source.address} and %{destination.address} (user= %{user.name}) has been %{event.action}." - - dissect: - if: "ctx._temp_.cisco.message_id == '750002'" - field: "message" - pattern: "Local:%{source.address}:%{source.port} Remote:%{destination.address}:%{destination.port} Username:%{user.name} %{event.reason}" - - dissect: - if: "ctx._temp_.cisco.message_id == '713120'" - field: "message" - pattern: "Group = %{}, IP = %{source.address}, %{event.reason} (msgid=%{event.id})" - - dissect: - if: "ctx._temp_.cisco.message_id == '713202'" - field: "message" - pattern: "IP = %{source.address}, %{event.reason}. %{} packet." 
- - dissect: - if: "ctx._temp_.cisco.message_id == '750003'" - field: "message" - pattern: "Local:%{source.address}:%{source.port} Remote:%{destination.address}:%{destination.port} Username:%{user.name} %{event.reason} ERROR:%{+event.reason}" - - grok: - if: '["713905", "713904", "713906", "713902", "713901"].contains(ctx._temp_.cisco.message_id)' - field: "message" - patterns: - - "^(Group = %{IP}, )?(IP = %{IP:source.address}, )?%{GREEDYDATA:event.reason}$" - # Handle ecs action outcome protocol - - set: - if: '["434002", "434004"].contains(ctx._temp_.cisco.message_id)' - field: "event.outcome" - value: "unknown" - - set: - if: '["419002"].contains(ctx._temp_.cisco.message_id)' - field: "network.protocol" - value: "tcp" - - set: - if: '["110002"].contains(ctx._temp_.cisco.message_id)' - field: "event.outcome" - value: "failure" - - set: - if: '["713120"].contains(ctx._temp_.cisco.message_id)' - field: "event.outcome" - value: "success" - - set: - if: '["602303", "602304"].contains(ctx._temp_.cisco.message_id)' - field: "event.outcome" - value: "success" - - set: - if: '["713905", "713904", "713906", "713902", "713901", "710005"].contains(ctx._temp_.cisco.message_id)' - field: "event.outcome" - value: "failure" - - set: - if: '["750002", "750003"].contains(ctx._temp_.cisco.message_id)' - field: "event.action" - value: "connection-started" - - set: - if: '["750003", "713905", "713904", "713906", "713902", "713901"].contains(ctx._temp_.cisco.message_id)' - field: "event.action" - value: "error" - - append: - if: '["750003", "713905", "713904", "713906", "713902", "713901"].contains(ctx._temp_.cisco.message_id)' - field: "event.type" - value: "error" - - # - # Handle 302xxx messages (Flow expiration a.k.a "Teardown") - # - - set: - if: '["302012", "302014", "302016", "302018", "302021", "302036", "302304", "302306", "609001", "609002"].contains(ctx._temp_.cisco.message_id)' - field: "event.action" - value: "flow-expiration" - description: "302012, 302014, 302016, 
302018, 302021, 302036, 302304, 302306, 609001, 609002" - - grok: - field: "message" - if: '["302014", "302016", "302018", "302021", "302036", "302304", "302306"].contains(ctx._temp_.cisco.message_id)' - description: "302014, 302016, 302018, 302021, 302036, 302304, 302306" - patterns: - - ^Teardown %{NOTSPACE:network.transport} (?:state-bypass )?connection %{NOTSPACE:_temp_.cisco.connection_id} (?:for|from) %{NOTCOLON:_temp_.cisco.source_interface}:%{DATA:source.address}/%{NUMBER:source.port:int}\s*(?:%{NOTSPACE:_temp_.cisco.source_username} )?to %{NOTCOLON:_temp_.cisco.destination_interface}:%{DATA:destination.address}/%{NUMBER:destination.port:int}\s*(?:%{NOTSPACE:_temp_.cisco.destination_username} )?duration (?:%{TIME:_temp_.duration_hms} bytes %{NUMBER:network.bytes}) %{NOTCOLON:event.reason} from %{NOTCOLON:_temp_.cisco.termination_initiator} \(%{NOTSPACE:_temp_.cisco.termination_user}\) - - ^Teardown %{NOTSPACE:network.transport} (?:state-bypass )?connection %{NOTSPACE:_temp_.cisco.connection_id} (?:for|from) %{NOTCOLON:_temp_.cisco.source_interface}:%{DATA:source.address}/%{NUMBER:source.port:int}\s*(?:%{NOTSPACE:_temp_.cisco.source_username} )?to %{NOTCOLON:_temp_.cisco.destination_interface}:%{DATA:destination.address}/%{NUMBER:destination.port:int}\s*(?:%{NOTSPACE:_temp_.cisco.destination_username} )?duration (?:%{TIME:_temp_.duration_hms} bytes %{NUMBER:network.bytes}) %{NOTCOLON:event.reason} from %{NOTCOLON:_temp_.cisco.termination_initiator} - - ^Teardown %{NOTSPACE:network.transport} (?:state-bypass )?connection %{NOTSPACE:_temp_.cisco.connection_id} (?:for|from) %{NOTCOLON:_temp_.cisco.source_interface}:%{DATA:source.address}/%{NUMBER:source.port:int}\s*(?:%{NOTSPACE:_temp_.cisco.source_username} )?to %{NOTCOLON:_temp_.cisco.destination_interface}:%{DATA:destination.address}/%{NUMBER:destination.port:int}\s*(?:%{NOTSPACE:_temp_.cisco.destination_username} )?duration (?:%{TIME:_temp_.duration_hms} bytes %{NUMBER:network.bytes}) 
%{NOTCOLON:event.reason} \(%{NOTSPACE:_temp_.cisco.termination_user}\) - - ^Teardown %{NOTSPACE:network.transport} (?:state-bypass )?connection %{NOTSPACE:_temp_.cisco.connection_id} (?:for|from) %{NOTCOLON:_temp_.cisco.source_interface}:%{DATA:source.address}/%{NUMBER:source.port:int}\s*(?:%{NOTSPACE:_temp_.cisco.source_username} )?to %{NOTCOLON:_temp_.cisco.destination_interface}:%{DATA:destination.address}/%{NUMBER:destination.port:int}\s*(?:%{NOTSPACE:_temp_.cisco.destination_username} )?duration (?:%{TIME:_temp_.duration_hms} bytes %{NUMBER:network.bytes}) \(%{NOTSPACE:_temp_.cisco.termination_user}\) - - ^Teardown %{NOTSPACE:network.transport} (?:state-bypass )?connection %{NOTSPACE:_temp_.cisco.connection_id} (?:for|from) %{NOTCOLON:_temp_.cisco.source_interface}:%{DATA:source.address}/%{NUMBER:source.port:int}\s*(?:%{NOTSPACE:_temp_.cisco.source_username} )?to %{NOTCOLON:_temp_.cisco.destination_interface}:%{DATA:destination.address}/%{NUMBER:destination.port:int}\s*(?:%{NOTSPACE:_temp_.cisco.destination_username} )?duration (?:%{TIME:_temp_.duration_hms} bytes %{NUMBER:network.bytes}) %{NOTCOLON:event.reason} - - ^Teardown %{NOTSPACE:network.transport} (?:state-bypass )?connection %{NOTSPACE:_temp_.cisco.connection_id} (?:for|from) %{NOTCOLON:_temp_.cisco.source_interface}:%{DATA:source.address}/%{NUMBER:source.port:int}\s*(?:%{NOTSPACE:_temp_.cisco.source_username} )?to %{NOTCOLON:_temp_.cisco.destination_interface}:%{DATA:destination.address}/%{NUMBER:destination.port:int}\s*(?:%{NOTSPACE:_temp_.cisco.destination_username} )?duration (?:%{TIME:_temp_.duration_hms} bytes %{NUMBER:network.bytes}) - - ^Teardown %{NOTSPACE:network.transport} connection for faddr (?:%{NOTCOLON:_temp_.cisco.source_interface}:)?%{ECSDESTIPORHOST}/%{NUMBER}\s*(?:\(%{NOTSPACE:_temp_.cisco.destination_username}\) )?gaddr (?:%{NOTCOLON}:)?%{MAPPEDSRC}/%{NUMBER} laddr 
(?:%{NOTCOLON:_temp_.cisco.source_interface}:)?%{ECSSOURCEIPORHOST}/%{NUMBER}\s*(?:\(%{NOTSPACE:_temp_.cisco.source_username}\))?(\s*type %{NUMBER:_temp_.cisco.icmp_type} code %{NUMBER:_temp_.cisco.icmp_code})? - pattern_definitions: - NOTCOLON: "[^:]*" - ECSSOURCEIPORHOST: "(?:%{IP:source.address}|%{HOSTNAME:source.domain})" - ECSDESTIPORHOST: "(?:%{IP:destination.address}|%{HOSTNAME:destination.domain})" - MAPPEDSRC: "(?:%{DATA:_temp_.natsrcip}|%{HOSTNAME})" - - # - # Decode FTD's Security Event Syslog Messages - # - # 43000x messages are security event syslog messages specific to FTD. - # Format is a comma-separated sequence of key: value pairs. - # - # The result of this decoding is saved as _temp_.orig_security.{Key}: {Value} - - kv: - if: '["430001", "430002", "430003", "430004", "430005", ""].contains(ctx._temp_.cisco.message_id)' - field: "message" - description: "430001, 430002, 430003, 430004, 430005" - field_split: ",(?=[A-za-z1-9\\s]+:)" - value_split: ":" - target_field: "_temp_.orig_security" - trim_key: " " - trim_value: " " - ignore_failure: true - - # - # Remove _temp_.full_message. - # - # The field has been used as temporary buffer while decoding. The full message - # is kept under event.original. Processors below can still add a message field, as some - # security events contain an explanatory Message field. - - remove: - field: - - message - - _temp_.full_message - ignore_missing: true - - # - # Populate ECS fields from Security Events - # - # This script uses the key-value pairs from Security Events to populate - # the appropriate ECS fields. - # - # A single key can be mapped to multiple ECS fields, and more than one key can - # map to the same ECS field, which results in an array being created. - # - # This script performs an additional job: - # - # Before FTD version 6.3, the message_id was not included in Security Events. - # As this field encodes the kind of event (intrusion, connection, malware...) 
- # the script below will guess the right message_id from the keys present in - # the event. - # - # The reason for overloading this script with different behaviors is - # that this pipeline is already reaching the limit on script compilations. - # - #******************************************************************************* - # Code generated by go generate. DO NOT EDIT. - #******************************************************************************* - - script: - if: ctx._temp_?.orig_security != null - params: - ACPolicy: - target: ac_policy - id: ["430001", "430002", "430003"] - ecs: [_temp_.cisco.rule_name] - AccessControlRuleAction: - target: access_control_rule_action - id: ["430002", "430003"] - ecs: [event.outcome] - AccessControlRuleName: - target: access_control_rule_name - id: ["430002", "430003"] - ecs: [_temp_.cisco.rule_name] - AccessControlRuleReason: - target: access_control_rule_reason - id: ["430002", "430003"] - ApplicationProtocol: - target: application_protocol - ecs: [network.protocol] - ArchiveDepth: - target: archive_depth - id: ["430004", "430005"] - ArchiveFileName: - target: archive_file_name - id: ["430004", "430005"] - ecs: [file.name] - ArchiveFileStatus: - target: archive_file_status - id: ["430004", "430005"] - ArchiveSHA256: - target: archive_sha256 - id: ["430004", "430005"] - ecs: [file.hash.sha256] - Classification: - target: classification - id: ["430001"] - Client: - target: client - ecs: [network.application] - ClientVersion: - target: client_version - id: ["430002", "430003"] - ConnectionDuration: - target: connection_duration - id: ["430003"] - ecs: [event.duration] - DNS_Sinkhole: - target: dns_sinkhole - id: ["430002", "430003"] - DNS_TTL: - target: dns_ttl - id: ["430002", "430003"] - DNSQuery: - target: dns_query - id: ["430002", "430003"] - ecs: [dns.question.name] - DNSRecordType: - target: dns_record_type - id: ["430002", "430003"] - ecs: [dns.question.type] - DNSResponseType: - target: dns_response_type - id: 
["430002", "430003"] - ecs: [dns.response_code] - DNSSICategory: - target: dnssi_category - id: ["430002", "430003"] - DstIP: - target: dst_ip - ecs: [destination.address] - DstPort: - target: dst_port - ecs: [destination.port] - EgressInterface: - target: egress_interface - id: ["430001", "430002", "430003"] - ecs: [_temp_.cisco.destination_interface] - EgressZone: - target: egress_zone - id: ["430001", "430002", "430003"] - Endpoint Profile: - target: endpoint_profile - id: ["430002", "430003"] - FileAction: - target: file_action - id: ["430004", "430005"] - FileCount: - target: file_count - id: ["430002", "430003"] - FileDirection: - target: file_direction - id: ["430004", "430005"] - FileName: - target: file_name - id: ["430004", "430005"] - ecs: [file.name] - FilePolicy: - target: file_policy - id: ["430004", "430005"] - ecs: [_temp_.cisco.rule_name] - FileSHA256: - target: file_sha256 - id: ["430004", "430005"] - ecs: [file.hash.sha256] - FileSandboxStatus: - target: file_sandbox_status - id: ["430004", "430005"] - FileSize: - target: file_size - id: ["430004", "430005"] - ecs: [file.size] - FileStorageStatus: - target: file_storage_status - id: ["430004", "430005"] - FileType: - target: file_type - id: ["430004", "430005"] - FirstPacketSecond: - target: first_packet_second - id: ["430004", "430005"] - ecs: [event.start] - GID: - target: gid - id: ["430001"] - ecs: [service.id] - HTTPReferer: - target: http_referer - id: ["430002", "430003"] - ecs: [http.request.referrer] - HTTPResponse: - target: http_response - id: ["430001", "430002", "430003"] - ecs: [http.response.status_code] - ICMPCode: - target: icmp_code - id: ["430001", "430002", "430003"] - ICMPType: - target: icmp_type - id: ["430001", "430002", "430003"] - IPReputationSICategory: - target: ip_reputation_si_category - id: ["430002", "430003"] - IPSCount: - target: ips_count - id: ["430002", "430003"] - IngressInterface: - target: ingress_interface - id: ["430001", "430002", "430003"] - ecs: 
[_temp_.cisco.source_interface] - IngressZone: - target: ingress_zone - id: ["430001", "430002", "430003"] - InitiatorBytes: - target: initiator_bytes - id: ["430003"] - ecs: [source.bytes] - InitiatorPackets: - target: initiator_packets - id: ["430003"] - ecs: [source.packets] - InlineResult: - target: inline_result - id: ["430001"] - ecs: [event.outcome] - IntrusionPolicy: - target: intrusion_policy - id: ["430001"] - ecs: [_temp_.cisco.rule_name] - MPLS_Label: - target: mpls_label - id: ["430001"] - Message: - target: message - id: ["430001"] - ecs: [message] - NAPPolicy: - target: nap_policy - id: ["430001", "430002", "430003"] - NetBIOSDomain: - target: net_bios_domain - id: ["430002", "430003"] - ecs: [host.hostname] - NumIOC: - target: num_ioc - id: ["430001"] - Prefilter Policy: - target: prefilter_policy - id: ["430002", "430003"] - Priority: - target: priority - id: ["430001"] - Protocol: - target: protocol - ecs: [network.transport] - ReferencedHost: - target: referenced_host - id: ["430002", "430003"] - ecs: [url.domain] - ResponderBytes: - target: responder_bytes - id: ["430003"] - ecs: [destination.bytes] - ResponderPackets: - target: responder_packets - id: ["430003"] - ecs: [destination.packets] - Revision: - target: revision - id: ["430001"] - SHA_Disposition: - target: sha_disposition - id: ["430004", "430005"] - SID: - target: sid - id: ["430001"] - SSLActualAction: - target: ssl_actual_action - ecs: [event.outcome] - SSLCertificate: - target: ssl_certificate - id: ["430002", "430003", "430004", "430005"] - SSLExpectedAction: - target: ssl_expected_action - id: ["430002", "430003"] - SSLFlowStatus: - target: ssl_flow_status - id: ["430002", "430003", "430004", "430005"] - SSLPolicy: - target: ssl_policy - id: ["430002", "430003"] - SSLRuleName: - target: ssl_rule_name - id: ["430002", "430003"] - SSLServerCertStatus: - target: ssl_server_cert_status - id: ["430002", "430003"] - SSLServerName: - target: ssl_server_name - id: ["430002", "430003"] - 
ecs: [server.domain] - SSLSessionID: - target: ssl_session_id - id: ["430002", "430003"] - SSLTicketID: - target: ssl_ticket_id - id: ["430002", "430003"] - SSLURLCategory: - target: sslurl_category - id: ["430002", "430003"] - SSLVersion: - target: ssl_version - id: ["430002", "430003"] - SSSLCipherSuite: - target: sssl_cipher_suite - id: ["430002", "430003"] - SecIntMatchingIP: - target: sec_int_matching_ip - id: ["430002", "430003"] - Security Group: - target: security_group - id: ["430002", "430003"] - SperoDisposition: - target: spero_disposition - id: ["430004", "430005"] - SrcIP: - target: src_ip - ecs: [source.address] - SrcPort: - target: src_port - ecs: [source.port] - TCPFlags: - target: tcp_flags - id: ["430002", "430003"] - ThreatName: - target: threat_name - id: ["430005"] - ecs: [_temp_.cisco.threat_category] - ThreatScore: - target: threat_score - id: ["430005"] - ecs: [_temp_.cisco.threat_level] - Tunnel or Prefilter Rule: - target: tunnel_or_prefilter_rule - id: ["430002", "430003"] - URI: - target: uri - id: ["430004", "430005"] - ecs: [url.original] - URL: - target: url - id: ["430002", "430003"] - ecs: [url.original] - URLCategory: - target: url_category - id: ["430002", "430003"] - URLReputation: - target: url_reputation - id: ["430002", "430003"] - URLSICategory: - target: urlsi_category - id: ["430002", "430003"] - User: - target: user - ecs: [user.id, user.name] - UserAgent: - target: user_agent - id: ["430002", "430003"] - ecs: [user_agent.original] - VLAN_ID: - target: vlan_id - id: ["430001", "430002", "430003"] - WebApplication: - target: web_application - ecs: [network.application] - originalClientSrcIP: - target: original_client_src_ip - id: ["430002", "430003"] - ecs: [client.address] - lang: painless - source: | - boolean isEmpty(def value) { - return (value instanceof AbstractList? 
value.size() : value.length()) == 0; - } - def appendOrCreate(Map dest, String[] path, def value) { - for (int i=0; i new HashMap()); - } - String key = path[path.length - 1]; - def existing = dest.get(key); - return existing == null? - dest.put(key, value) - : existing instanceof AbstractList? - existing.add(value) - : dest.put(key, new ArrayList([existing, value])); - } - def msg = ctx._temp_.orig_security; - def counters = new HashMap(); - def dest = new HashMap(); - ctx._temp_.cisco['security'] = dest; - for (entry in msg.entrySet()) { - def param = params.get(entry.getKey()); - if (param == null) { - continue; - } - param.getOrDefault('id', []).forEach( id -> counters[id] = 1 + counters.getOrDefault(id, 0) ); - if (!isEmpty(entry.getValue())) { - param.getOrDefault('ecs', []).forEach( field -> appendOrCreate(ctx, field.splitOnToken('.'), entry.getValue()) ); - dest[param.target] = entry.getValue(); - } - } - if (ctx._temp_.cisco.message_id != "") return; - def best; - for (entry in counters.entrySet()) { - if (best == null || best.getValue() < entry.getValue()) best = entry; - } - if (best != null) ctx._temp_.cisco.message_id = best.getKey(); - #******************************************************************************* - # End of generated code. 
- #******************************************************************************* - - # - # Normalize ECS field values - # - - script: - lang: painless - params: - "ctx._temp_.cisco.message_id": - target: event.action - map: - "430001": intrusion-detected - "430002": connection-started - "430003": connection-finished - "430004": file-detected - "430005": malware-detected - "dns.question.type": - map: - "a host address": A - "ip6 address": AAAA - "text strings": TXT - "a domain name pointer": PTR - "an authoritative name server": NS - "the canonical name for an alias": CNAME - "marks the start of a zone of authority": SOA - "mail exchange": MX - "server selection": SRV - "dns.response_code": - map: - "non-existent domain": NXDOMAIN - "server failure": SERVFAIL - "query refused": REFUSED - "no error": NOERROR - source: | - def getField(Map src, String[] path) { - for (int i=0; i new HashMap()); - } - dest[path[path.length-1]] = value; - } - for (entry in params.entrySet()) { - def srcField = entry.getKey(); - def param = entry.getValue(); - String oldVal = getField(ctx, srcField.splitOnToken('.')); - if (oldVal == null) continue; - def newVal = param.map?.getOrDefault(oldVal.toLowerCase(), null); - if (newVal != null) { - def dstField = param.getOrDefault('target', srcField); - setField(ctx, dstField.splitOnToken('.'), newVal); - } - } - - set: - if: "ctx.dns?.question?.type != null && ctx.dns?.response_code == null" - field: dns.response_code - value: NOERROR - - set: - if: 'ctx._temp_.cisco.message_id == "430001"' - field: event.action - value: intrusion-detected - - set: - if: 'ctx._temp_.cisco.message_id == "430002"' - field: event.action - value: connection-started - - set: - if: 'ctx._temp_.cisco.message_id == "430003"' - field: event.action - value: connection-finished - - set: - if: 'ctx._temp_.cisco.message_id == "430004"' - field: event.action - value: file-detected - - set: - if: 'ctx._temp_.cisco.message_id == "430005"' - field: event.action - value: 
malware-detected - - # - # Handle event.duration - # - # It can be set from ConnectionDuration FTD field above. This field holds - # seconds as a string. Copy it to _temp_.duration_hms so that the following - # processor converts it to the right value and populates start and end. - - set: - field: "_temp_.duration_hms" - value: "{{event.duration}}" - ignore_empty_value: true - - # - # Process the flow duration "hh:mm:ss" present in some messages - # This will fill event.start, event.end and event.duration - # - - script: - lang: painless - if: "ctx?._temp_?.duration_hms != null" - source: > - long parse_hms(String s) { - long cur = 0, total = 0; - for (char c: s.toCharArray()) { - if (c >= (char)'0' && c <= (char)'9') { - cur = (cur*10) + (long)c - (char)'0'; - } else if (c == (char)':') { - total = (total + cur) * 60; - cur = 0; - } else { - return 0; - } - } - return total + cur; - } - if (ctx?.event == null) { - ctx['event'] = new HashMap(); - } - String end = ctx['@timestamp']; - ctx.event['end'] = end; - long nanos = parse_hms(ctx._temp_.duration_hms) * 1000000000L; - ctx.event['duration'] = nanos; - ctx.event['start'] = ZonedDateTime.ofInstant( - Instant.parse(end).minusNanos(nanos), - ZoneOffset.UTC); - # - # Normalize protocol names - # - - lowercase: - field: "network.transport" - ignore_failure: true - - lowercase: - field: "network.protocol" - ignore_failure: true - - lowercase: - field: "network.application" - ignore_failure: true - - lowercase: - field: "file.type" - ignore_failure: true - - lowercase: - field: "network.direction" - ignore_failure: true - - lowercase: - field: "network.type" - ignore_failure: true - # - # Populate network.iana_number from network.transport. Also does reverse - # mapping in case network.transport contains the iana_number. 
- # - - script: - if: "ctx?.network?.transport != null" - lang: painless - params: - icmp: 1 - igmp: 2 - ipv4: 4 - tcp: 6 - egp: 8 - igp: 9 - pup: 12 - udp: 17 - rdp: 27 - irtp: 28 - dccp: 33 - idpr: 35 - ipv6: 41 - ipv6-route: 43 - ipv6-frag: 44 - rsvp: 46 - gre: 47 - esp: 50 - ipv6-icmp: 58 - ipv6-nonxt: 59 - ipv6-opts: 60 - source: > - def net = ctx.network; - def iana = params[net.transport]; - if (iana != null) { - net['iana_number'] = iana; - return; - } - def reverse = new HashMap(); - def[] arr = new def[] { null }; - for (entry in params.entrySet()) { - arr[0] = entry.getValue(); - reverse.put(String.format("%d", arr), entry.getKey()); - } - def trans = reverse[net.transport]; - if (trans != null) { - net['iana_number'] = net.transport; - net['transport'] = trans; - } - # - # Normalize event.outcome - # - - lowercase: - field: "event.outcome" - ignore_missing: true - - set: - field: "event.outcome" - if: 'ctx.event?.outcome == "est-allowed"' - value: success - - set: - field: "event.outcome" - if: 'ctx.event?.outcome == "permitted"' - value: success - - set: - field: "event.outcome" - if: 'ctx.event?.outcome == "allow"' - value: success - - set: - field: "event.outcome" - if: 'ctx.event?.outcome == "denied"' - value: failure - - set: - field: "event.outcome" - if: 'ctx.event?.outcome == "deny"' - value: failure - - set: - field: "event.outcome" - if: 'ctx.event?.outcome == "dropped"' - value: failure - - set: - field: "network.transport" - if: 'ctx.network?.transport == "icmpv6"' - value: "ipv6-icmp" - # - # Convert numeric fields to integer or long, as output of dissect and kv processors is always a string - # - - convert: - field: source.port - type: integer - ignore_failure: true - - convert: - field: destination.port - type: integer - ignore_failure: true - - convert: - field: source.bytes - type: long - ignore_failure: true - - convert: - field: destination.bytes - type: long - ignore_failure: true - - convert: - field: network.bytes - type: long - 
ignore_failure: true - - convert: - field: source.packets - type: integer - ignore_failure: true - - convert: - field: destination.packets - type: integer - ignore_failure: true - - convert: - field: _temp_.cisco.mapped_source_port - type: integer - ignore_failure: true - - convert: - field: _temp_.cisco.mapped_destination_port - type: integer - ignore_failure: true - - convert: - field: _temp_.cisco.icmp_code - type: integer - ignore_failure: true - - convert: - field: _temp_.cisco.icmp_type - type: integer - ignore_failure: true - - convert: - field: http.response.status_code - type: integer - ignore_failure: true - - convert: - field: file.size - type: integer - ignore_failure: true - - convert: - field: network.iana_number - type: string - ignore_failure: true - # - # Assign ECS .ip fields from .address is a valid IP address is found, - # otherwise set .domain field. - # - - grok: - field: source.address - patterns: - - "^(?:%{IP:source.ip}|%{GREEDYDATA:source.domain})$" - ignore_failure: true - - grok: - field: destination.address - patterns: - - "^(?:%{IP:destination.ip}|%{GREEDYDATA:destination.domain})$" - ignore_failure: true - - grok: - field: client.address - patterns: - - "^(?:%{IP:client.ip}|%{GREEDYDATA:client.domain})$" - ignore_failure: true - - grok: - field: server.address - patterns: - - "^(?:%{IP:server.ip}|%{GREEDYDATA:server.domain})$" - ignore_failure: true - # - # Geolocation for source and destination addresses - # - - geoip: - field: "source.ip" - target_field: "source.geo" - ignore_missing: true - - geoip: - field: "destination.ip" - target_field: "destination.geo" - ignore_missing: true - # - # IP Autonomous System (AS) Lookup - # - - geoip: - database_file: GeoLite2-ASN.mmdb - field: source.ip - target_field: source.as - properties: - - asn - - organization_name - ignore_missing: true - - geoip: - database_file: GeoLite2-ASN.mmdb - field: destination.ip - target_field: destination.as - properties: - - asn - - organization_name - 
ignore_missing: true - - rename: - field: source.as.asn - target_field: source.as.number - ignore_missing: true - - rename: - field: source.as.organization_name - target_field: source.as.organization.name - ignore_missing: true - - rename: - field: destination.as.asn - target_field: destination.as.number - ignore_missing: true - - rename: - field: destination.as.organization_name - target_field: destination.as.organization.name - ignore_missing: true - # - # Set mapped_{src|dst}_ip fields only if they consist of a valid IP address. - # - - grok: - field: _temp_.natsrcip - patterns: - - "^(?:%{IP:_temp_.cisco.mapped_source_ip}|%{GREEDYDATA:_temp_.cisco.mapped_source_host})$" - ignore_failure: true - - grok: - field: _temp_.natdstip - patterns: - - "^(?:%{IP:_temp_.cisco.mapped_destination_ip}|%{GREEDYDATA:_temp_.cisco.mapped_destination_host})$" - ignore_failure: true - # - # NAT fields - # - # The firewall always populates mapped ip and port even if there was no NAT. - # This populates both nat.ip and nat.port only when some translation is done. - # Fills nat.ip and nat.port even when only the ip or port changed. 
- - set: - field: source.nat.ip - value: "{{_temp_.cisco.mapped_source_ip}}" - if: "ctx?._temp_?.cisco?.mapped_source_ip != ctx?.source?.ip" - ignore_empty_value: true - - convert: - field: source.nat.ip - type: ip - ignore_missing: true - - set: - field: source.nat.port - value: "{{_temp_.cisco.mapped_source_port}}" - if: "ctx?._temp_?.cisco?.mapped_source_port != ctx?.source?.port" - ignore_empty_value: true - - convert: - field: source.nat.port - type: long - ignore_missing: true - - set: - field: destination.nat.ip - value: "{{_temp_.cisco.mapped_destination_ip}}" - if: "ctx?._temp_?.cisco.mapped_destination_ip != ctx?.destination?.ip" - ignore_empty_value: true - - convert: - field: destination.nat.ip - type: ip - ignore_missing: true - - set: - field: destination.nat.port - value: "{{_temp_.cisco.mapped_destination_port}}" - if: "ctx?._temp_?.cisco?.mapped_destination_port != ctx?.destination?.port" - ignore_empty_value: true - - convert: - field: destination.nat.port - type: long - ignore_missing: true - # - # Zone-based Network Directionality - # - # If external and internal zones are specified and our ingress/egress zones are - # populated, then we can classify traffic directionality based off of our defined - # zones rather than the logs. 
- - set: - field: network.direction - value: inbound - if: > - ctx?._temp_?.external_zones != null && - ctx?._temp_?.internal_zones != null && - ctx?.observer?.ingress?.zone != null && - ctx?.observer?.egress?.zone != null && - ctx._temp_.external_zones.contains(ctx.observer.ingress.zone) && - ctx._temp_.internal_zones.contains(ctx.observer.egress.zone) - - set: - field: network.direction - value: outbound - if: > - ctx?._temp_?.external_zones != null && - ctx?._temp_?.internal_zones != null && - ctx?.observer?.ingress?.zone != null && - ctx?.observer?.egress?.zone != null && - ctx._temp_.external_zones.contains(ctx.observer.egress.zone) && - ctx._temp_.internal_zones.contains(ctx.observer.ingress.zone) - - set: - field: network.direction - value: internal - if: > - ctx?._temp_?.external_zones != null && - ctx?._temp_?.internal_zones != null && - ctx?.observer?.ingress?.zone != null && - ctx?.observer?.egress?.zone != null && - ctx._temp_.internal_zones.contains(ctx.observer.egress.zone) && - ctx._temp_.internal_zones.contains(ctx.observer.ingress.zone) - - set: - field: network.direction - value: external - if: > - ctx?._temp_?.external_zones != null && - ctx?._temp_?.internal_zones != null && - ctx?.observer?.ingress?.zone != null && - ctx?.observer?.egress?.zone != null && - ctx._temp_.external_zones.contains(ctx.observer.egress.zone) && - ctx._temp_.external_zones.contains(ctx.observer.ingress.zone) - - set: - field: network.direction - value: unknown - if: > - ctx?._temp_?.external_zones != null && - ctx?._temp_?.internal_zones != null && - ctx?.observer?.egress?.zone != null && - ctx?.observer?.ingress?.zone != null && - ( - ( - !ctx._temp_.external_zones.contains(ctx.observer.egress.zone) && - !ctx._temp_.internal_zones.contains(ctx.observer.egress.zone) - ) || - ( - !ctx._temp_.external_zones.contains(ctx.observer.ingress.zone) && - !ctx._temp_.internal_zones.contains(ctx.observer.ingress.zone) - ) - ) - - - set: - field: _temp_.url_domain - value: 
"{{url.domain}}" - ignore_failure: true - if: ctx?.url?.domain != null - - - uri_parts: - field: url.original - ignore_failure: true - if: ctx?.url?.original != null - - append: - field: url.domain - value: "{{_temp_.url_domain}}" - ignore_failure: true - allow_duplicates: false - if: ctx?._temp_?.url_domain != null - - # - # Populate ECS event.code - # - - rename: - field: _temp_.cisco.message_id - target_field: event.code - ignore_failure: true - - remove: - field: - - _temp_.cisco.message_id - - event.code - if: 'ctx._temp_.cisco.message_id == ""' - ignore_failure: true - # - # Copy _temp_.cisco to its final destination, cisco.asa or cisco.ftd. - # - - rename: - field: _temp_.cisco - target_field: "cisco.ftd" - ignore_failure: true - # - # Remove temporary fields - # - - remove: - field: _temp_ - ignore_missing: true - # - # Rename some 7.x fields - # - - rename: - field: cisco.ftd.list_id - target_field: cisco.ftd.rule_name - ignore_missing: true - # ECS categorization - - script: - lang: painless - params: - connection-finished: - kind: event - category: - - network - type: - - connection - - end - connection-started: - kind: event - category: - - network - type: - - connection - - start - file-detected: - kind: alert - category: - - malware - type: - - info - firewall-rule: - kind: event - category: - - network - type: - - info - flow-creation: - kind: event - category: - - network - type: - - connection - - start - flow-expiration: - kind: event - category: - - network - type: - - connection - - end - intrusion-detected: - kind: alert - category: - - intrusion_detection - type: - - info - malware-detected: - kind: event - category: - - malware - type: - - info - bypass: - kind: event - category: - - network - type: - - info - - change - error: - kind: event - outcome: failure - category: - - network - type: - - error - deleted: - kind: event - category: - - network - type: - - info - - deletion - - user - creation: - kind: event - category: - - network - 
type: - - info - - creation - - user - source: >- - if (ctx?.event?.action == null || !params.containsKey(ctx.event.action)) { - return; - } - ctx.event.kind = params.get(ctx.event.action).get('kind'); - ctx.event.category = params.get(ctx.event.action).get('category').clone(); - ctx.event.type = params.get(ctx.event.action).get('type').clone(); - if (ctx?.event?.outcome == null) { - return; - } - if (ctx.event.category.contains('network') || ctx.event.category.contains('intrusion_detection')) { - if (ctx.event.outcome == 'success') { - ctx.event.type.add('allowed'); - } - if (ctx.event.outcome == 'failure') { - ctx.event.type.add('denied'); - } - if (ctx.event.outcome == 'block') { - ctx.event.outcome = 'success'; - ctx.event.type.add('denied'); - } - if (ctx.event.outcome == 'monitored') { - ctx.event.category.add('intrusion_detection'); - ctx.event.outcome = 'success'; - } - } - - # Malware event kind is classified as alert when sha_disposition is "Malware", "Custom Detection" not for other cases. - - set: - if: 'ctx?.event?.code == "430005" && ["Malware", "Custom Detection"].contains(ctx.cisco.ftd.security.sha_disposition)' - field: event.kind - value: alert - - append: - if: 'ctx?.event?.code == "430005" && !["Malware", "Custom Detection"].contains(ctx.cisco.ftd.security.sha_disposition)' - field: event.category - value: file - - - set: - description: copy destination.user.name to user.name if it is not set - field: user.name - value: "{{destination.user.name}}" - ignore_empty_value: true - if: ctx?.user?.name == null - - # Configures observer fields with a copy from cisco and host fields. Later on these might replace host.hostname. 
- - set: - field: observer.hostname - value: "{{ host.hostname }}" - ignore_empty_value: true - - set: - field: observer.vendor - value: "Cisco" - ignore_empty_value: true - - set: - field: observer.type - value: "idps" - ignore_empty_value: true - - set: - field: observer.product - value: "ftd" - ignore_empty_value: true - - set: - field: observer.egress.interface.name - value: "{{ cisco.ftd.destination_interface }}" - ignore_empty_value: true - - set: - field: observer.ingress.interface.name - value: "{{ cisco.ftd.source_interface }}" - ignore_empty_value: true - - append: - field: related.ip - value: "{{source.ip}}" - if: "ctx?.source?.ip != null" - allow_duplicates: false - - append: - field: related.ip - value: "{{source.nat.ip}}" - if: "ctx?.source?.nat?.ip != null" - allow_duplicates: false - - append: - field: related.ip - value: "{{destination.ip}}" - if: "ctx?.destination?.ip != null" - allow_duplicates: false - - append: - field: related.ip - value: "{{destination.nat.ip}}" - if: "ctx?.destination?.nat?.ip != null" - allow_duplicates: false - - append: - field: related.user - value: "{{user.name}}" - if: ctx?.user?.name != null && ctx?.user?.name != '' - allow_duplicates: false - - append: - field: related.user - value: "{{server.user.name}}" - if: ctx?.server?.user?.name != null && ctx?.server?.user?.name != '' - allow_duplicates: false - - append: - field: related.user - value: "{{source.user.name}}" - if: ctx?.source?.user?.name != null && ctx?.source?.user?.name != '' - allow_duplicates: false - - append: - field: related.user - value: "{{destination.user.name}}" - if: ctx?.destination?.user?.name != null && ctx?.destination?.user?.name != '' - allow_duplicates: false - - append: - field: related.hash - value: "{{file.hash.sha256}}" - if: "ctx?.file?.hash?.sha256 != null" - allow_duplicates: false - - append: - field: related.hosts - value: "{{host.hostname}}" - if: ctx.host?.hostname != null && ctx.host?.hostname != '' - allow_duplicates: false - - 
append:
- field: related.hosts
- value: "{{observer.hostname}}"
- if: ctx.observer?.hostname != null && ctx.observer?.hostname != ''
- allow_duplicates: false
- - append:
- field: related.hosts
- value: "{{destination.domain}}"
- if: ctx.destination?.domain != null && ctx.destination?.domain != ''
- allow_duplicates: false
- - append:
- field: related.hosts
- value: "{{source.domain}}"
- if: ctx.source?.domain != null && ctx.source?.domain != ''
- allow_duplicates: false
- - script:
- lang: painless
- description: This script processor iterates over the whole document to remove fields with null values.
- source: |
- void handleMap(Map map) {
- for (def x : map.values()) {
- if (x instanceof Map) {
- handleMap(x);
- } else if (x instanceof List) {
- handleList(x);
- }
- }
- map.values().removeIf(v -> v == null);
- }
- void handleList(List list) {
- for (def x : list) {
- if (x instanceof Map) {
- handleMap(x);
- } else if (x instanceof List) {
- handleList(x);
- }
- }
- }
- handleMap(ctx);
- - remove:
- field: event.original
- if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))"
- ignore_failure: true
- ignore_missing: true
-on_failure:
- # Copy any fields under _temp_.cisco to its final destination. Those can help
- # with diagnosing the failure.
- - rename:
- field: _temp_.cisco
- target_field: "cisco.ftd"
- ignore_failure: true
- # Remove _temp_ to avoid adding a lot of unnecessary fields to the index.
- - remove:
- field: _temp_
- ignore_missing: true
- - append:
- field: "error.message"
- value: "{{ _ingest.on_failure_message }}"
diff --git a/packages/cisco_ftd/2.4.3/data_stream/log/fields/agent.yml b/packages/cisco_ftd/2.4.3/data_stream/log/fields/agent.yml
deleted file mode 100755
index d38a70bd6b..0000000000
--- a/packages/cisco_ftd/2.4.3/data_stream/log/fields/agent.yml
+++ /dev/null
@@ -1,207 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - -- name: input.type - type: keyword - description: Input type. 
-- name: log.offset
- type: long
- description: Offset of the entry in the log file.
-- name: log.source.address
- type: keyword
- description: Source address from which the log event was read / sent from.
diff --git a/packages/cisco_ftd/2.4.3/data_stream/log/fields/base-fields.yml b/packages/cisco_ftd/2.4.3/data_stream/log/fields/base-fields.yml
deleted file mode 100755
index e02b7e2a25..0000000000
--- a/packages/cisco_ftd/2.4.3/data_stream/log/fields/base-fields.yml
+++ /dev/null
@@ -1,20 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: event.module
- type: constant_keyword
- description: Event module
- value: cisco_ftd
-- name: event.dataset
- type: constant_keyword
- description: Event dataset
- value: cisco_ftd.log
-- name: "@timestamp"
- type: date
- description: Event timestamp.
diff --git a/packages/cisco_ftd/2.4.3/data_stream/log/fields/ecs.yml b/packages/cisco_ftd/2.4.3/data_stream/log/fields/ecs.yml
deleted file mode 100755
index 19f59bcca7..0000000000
--- a/packages/cisco_ftd/2.4.3/data_stream/log/fields/ecs.yml
+++ /dev/null
@@ -1,587 +0,0 @@ -- description: |- - Date/time when the event originated. - This is the date/time extracted from the event, typically representing when the event was generated by the source. - If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. - Required field for all events. - name: '@timestamp' - type: date -- description: Short name or login of the user. - multi_fields: - - name: text - type: match_only_text - name: client.user.name - type: keyword -- description: |- - Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: destination.address - type: keyword -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: destination.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: destination.as.organization.name - type: keyword -- description: Bytes sent from the destination to the source. - name: destination.bytes - type: long -- description: |- - The domain name of the destination system. - This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. - name: destination.domain - type: keyword -- description: City name. - name: destination.geo.city_name - type: keyword -- description: Name of the continent. - name: destination.geo.continent_name - type: keyword -- description: Country ISO code. - name: destination.geo.country_iso_code - type: keyword -- description: Country name. - name: destination.geo.country_name - type: keyword -- description: Longitude and latitude. 
- name: destination.geo.location - type: geo_point -- description: Region ISO code. - name: destination.geo.region_iso_code - type: keyword -- description: Region name. - name: destination.geo.region_name - type: keyword -- description: IP address of the destination (IPv4 or IPv6). - name: destination.ip - type: ip -- description: |- - Translated ip of destination based NAT sessions (e.g. internet to private DMZ) - Typically used with load balancers, firewalls, or routers. - name: destination.nat.ip - type: ip -- description: |- - Port the source session is translated to by NAT Device. - Typically used with load balancers, firewalls, or routers. - name: destination.nat.port - type: long -- description: Packets sent from the destination to the source. - name: destination.packets - type: long -- description: Port of the destination. - name: destination.port - type: long -- description: Short name or login of the user. - multi_fields: - - name: text - type: match_only_text - name: destination.user.name - type: keyword -- description: |- - The name being queried. - If the name field contains non-printable characters (below 32 or above 126), those characters should be represented as escaped base 10 integers (\DDD). Back slashes and quotes should be escaped. Tabs, carriage returns, and line feeds should be converted to \t, \r, and \n respectively. - name: dns.question.name - type: keyword -- description: The type of record being queried. - name: dns.question.type - type: keyword -- description: The DNS response code. - name: dns.response_code - type: keyword -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: Error message. 
- name: error.message - type: match_only_text -- description: |- - The action captured by the event. - This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. - name: event.action - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. This will allow proper categorization of some events that fall in multiple categories. - name: event.category - normalize: - - array - type: keyword -- description: |- - Identification code for this event, if one exists. - Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. - name: event.code - type: keyword -- description: |- - event.created contains the date/time when the event was first read by an agent, or by your pipeline. - This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. - In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. - In case the two timestamps are identical, @timestamp should be used. - name: event.created - type: date -- description: |- - event.created contains the date/time when the event was first read by an agent, or by your pipeline. 
- This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. - In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. - In case the two timestamps are identical, @timestamp should be used. - name: event.created - type: date -- description: |- - Duration of the event in nanoseconds. - If event.start and event.end are known this value should be the difference between the end and start time. - name: event.duration - type: long -- description: event.end contains the date when the event ended or when the activity was last observed. - name: event.end - type: date -- description: |- - Timestamp when an event arrived in the central data store. - This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. - In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. - name: event.ingested - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. 
- name: event.kind - type: keyword -- description: |- - Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. - This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. - doc_values: false - index: false - name: event.original - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. - `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. - Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. - Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. - Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. - name: event.outcome - type: keyword -- description: |- - Source of the event. - Event transports such as Syslog or the Windows Event Log typically mention the source of an event. It can be the name of the software that generated the event (e.g. Sysmon, httpd), or of a subsystem of the operating system (kernel, Microsoft-Windows-Security-Auditing). - name: event.provider - type: keyword -- description: |- - Reason why this event happened, according to the source. 
- This describes the why of a particular action or outcome captured in the event. Where `event.action` captures the action from the event, `event.reason` describes why that action was taken. For example, a web proxy with an `event.action` which denied the request may also populate `event.reason` with the reason why (e.g. `blocked site`). - name: event.reason - type: keyword -- description: |- - The numeric severity of the event according to your event source. - What the different severity values mean can be different between sources and use cases. It's up to the implementer to make sure severities are consistent across events from the same source. - The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`. - name: event.severity - type: long -- description: event.start contains the date when the event started or when the activity was first observed. - name: event.start - type: date -- description: |- - This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. - Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). - name: event.timezone - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. - `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. This will allow proper categorization of some events that fall in multiple event types. 
- name: event.type - normalize: - - array - type: keyword -- description: SHA256 hash. - name: file.hash.sha256 - type: keyword -- description: Name of the file including the extension, without the directory. - name: file.name - type: keyword -- description: Full path to the file, including the file name. It should include the drive letter, when appropriate. - multi_fields: - - name: text - type: match_only_text - name: file.path - type: keyword -- description: |- - File size in bytes. - Only relevant when `file.type` is "file". - name: file.size - type: long -- description: Referrer for this HTTP request. - name: http.request.referrer - type: keyword -- description: HTTP response status code. - name: http.response.status_code - type: long -- description: |- - Custom key/value pairs. - Can be used to add meta information to events. Should not contain nested objects. All values are stored as keyword. - Example: `docker` and `k8s` labels. - name: labels - type: object -- description: |- - Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. - If the event wasn't read from a log file, do not populate this field. - name: log.file.path - type: keyword -- description: |- - Original log level of the log event. - If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). - Some examples are `warn`, `err`, `i`, `informational`. - name: log.level - type: keyword -- description: |- - Syslog numeric priority of the event, if available. - According to RFCs 5424 and 3164, the priority is 8 * facility + severity. This number is therefore expected to contain a value between 0 and 191. - name: log.syslog.priority - type: long -- description: |- - The Syslog numeric facility of the log event, if available. 
- According to RFCs 5424 and 3164, this value should be an integer between 0 and 23. - name: log.syslog.facility.code - type: long -- description: |- - The Syslog numeric severity of the log event, if available. - If the event source publishing via Syslog provides a different numeric severity value (e.g. firewall, IDS), your source's numeric severity should go to `event.severity`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `event.severity`. - name: log.syslog.severity.code - type: long -- description: |- - For log events the message field contains the log message, optimized for viewing in a log viewer. - For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. - If multiple messages exist, they can be combined into one message. - name: message - type: match_only_text -- description: |- - When a specific application or service is identified from network connection details (source/dest IPs, ports, certificates, or wire format), this field captures the application's or service's name. - For example, the original event identifies the network connection being from a specific web service in a `https` network connection, like `facebook` or `twitter`. - The field value must be normalized to lowercase for querying. - name: network.application - type: keyword -- description: |- - Total bytes transferred in both directions. - If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. - name: network.bytes - type: long -- description: |- - Direction of the network traffic. - When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". 
- When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". - Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. - name: network.direction - type: keyword -- description: IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. - name: network.iana_number - type: keyword -- description: Network.inner fields are added in addition to network.vlan fields to describe the innermost VLAN when q-in-q VLAN tagging is present. Allowed fields include vlan.id and vlan.name. Inner vlan fields are typically used when sending traffic with multiple 802.1q encapsulations to a network sensor (e.g. Zeek, Wireshark.) - name: network.inner - type: object -- description: VLAN ID as reported by the observer. - name: network.inner.vlan.id - type: keyword -- description: Optional VLAN name as reported by the observer. - name: network.inner.vlan.name - type: keyword -- description: |- - In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. - The field value must be normalized to lowercase for querying. - name: network.protocol - type: keyword -- description: |- - Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) - The field value must be normalized to lowercase for querying. - name: network.transport - type: keyword -- description: |- - In the OSI Model this would be the Network Layer. 
ipv4, ipv6, ipsec, pim, etc - The field value must be normalized to lowercase for querying. - name: network.type - type: keyword -- description: Interface name as reported by the system. - name: observer.egress.interface.name - type: keyword -- description: Network zone of outbound traffic as reported by the observer to categorize the destination area of egress traffic, e.g. Internal, External, DMZ, HR, Legal, etc. - name: observer.egress.zone - type: keyword -- description: Hostname of the observer. - name: observer.hostname - type: keyword -- description: Interface name as reported by the system. - name: observer.ingress.interface.name - type: keyword -- description: Network zone of incoming traffic as reported by the observer to categorize the source area of ingress traffic. e.g. internal, External, DMZ, HR, Legal, etc. - name: observer.ingress.zone - type: keyword -- description: IP addresses of the observer. - name: observer.ip - normalize: - - array - type: ip -- description: |- - Custom name of the observer. - This is a name that can be given to an observer. This can be helpful for example if multiple firewalls of the same model are used in an organization. - If no custom name is needed, the field can be left empty. - name: observer.name - type: keyword -- description: The product name of the observer. - name: observer.product - type: keyword -- description: |- - The type of the observer the data is coming from. - There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. - name: observer.type - type: keyword -- description: Vendor name of the observer. - name: observer.vendor - type: keyword -- description: Observer version. - name: observer.version - type: keyword -- description: |- - Process name. - Sometimes called program name or similar. - multi_fields: - - name: text - type: match_only_text - name: process.name - type: keyword -- description: Process id. 
- name: process.pid - type: long -- description: All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). - name: related.hash - normalize: - - array - type: keyword -- description: All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. - name: related.hosts - normalize: - - array - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - normalize: - - array - type: ip -- description: All the user names or other user identifiers seen on the event. - name: related.user - normalize: - - array - type: keyword -- description: |- - The domain name of the server system. - This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. - name: server.domain - type: keyword -- description: |- - Unique identifier of the running service. If the service is comprised of many nodes, the `service.id` should be the same for all nodes. - This id should uniquely identify the service. This makes it possible to correlate logs and metrics for one specific service, no matter which particular node emitted the event. - Note that if you need to see the events from one specific host of the service, you should filter on that `host.name` or `host.id` instead. - name: service.id - type: keyword -- description: |- - Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: source.address - type: keyword -- description: Unique number allocated to the autonomous system. 
The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: source.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: source.as.organization.name - type: keyword -- description: Bytes sent from the source to the destination. - name: source.bytes - type: long -- description: |- - The domain name of the source system. - This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. - name: source.domain - type: keyword -- description: City name. - name: source.geo.city_name - type: keyword -- description: Name of the continent. - name: source.geo.continent_name - type: keyword -- description: Country ISO code. - name: source.geo.country_iso_code - type: keyword -- description: Country name. - name: source.geo.country_name - type: keyword -- description: Longitude and latitude. - name: source.geo.location - type: geo_point -- description: Region ISO code. - name: source.geo.region_iso_code - type: keyword -- description: Region name. - name: source.geo.region_name - type: keyword -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: |- - Translated ip of source based NAT sessions (e.g. internal client to internet) - Typically connections traversing load balancers, firewalls, or routers. - name: source.nat.ip - type: ip -- description: |- - Translated port of source based NAT sessions. (e.g. internal client to internet) - Typically used with load balancers, firewalls, or routers. - name: source.nat.port - type: long -- description: Packets sent from the source to the destination. - name: source.packets - type: long -- description: Port of the source. - name: source.port - type: long -- description: Short name or login of the user. 
- multi_fields: - - name: text - type: match_only_text - name: source.user.name - type: keyword -- description: List of keywords used to tag each event. - name: tags - normalize: - - array - type: keyword -- description: |- - Domain of the url, such as "www.elastic.co". - In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. - If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. - name: url.domain - type: keyword -- description: |- - The field contains the file extension from the original request url, excluding the leading dot. - The file extension is only set if it exists, as not every url has a file extension. - The leading period must not be included. For example, the value must be "png", not ".png". - Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). - name: url.extension - type: keyword -- description: |- - Portion of the url after the `#`, such as "top". - The `#` is not part of the fragment. - name: url.fragment - type: keyword -- description: If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. - multi_fields: - - name: text - type: match_only_text - name: url.full - type: wildcard -- description: |- - Unmodified original url as seen in the event source. - Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. - This field is meant to represent the URL as it was observed, complete or not. - multi_fields: - - name: text - type: match_only_text - name: url.original - type: wildcard -- description: Password of the request. 
- name: url.password - type: keyword -- description: Path of the request, such as "/search". - name: url.path - type: wildcard -- description: Port of the request, such as 443. - name: url.port - type: long -- description: |- - The query field describes the query string of the request, such as "q=elasticsearch". - The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. - name: url.query - type: keyword -- description: |- - The highest registered url domain, stripped of the subdomain. - For example, the registered domain for "foo.example.com" is "example.com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". - name: url.registered_domain - type: keyword -- description: |- - Scheme of the request, such as "https". - Note: The `:` is not part of the scheme. - name: url.scheme - type: keyword -- description: |- - The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. - For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. - name: url.subdomain - type: keyword -- description: |- - The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". 
- This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". - name: url.top_level_domain - type: keyword -- description: Username of the request. - name: url.username - type: keyword -- description: User email address. - name: user.email - type: keyword -- description: Unique identifier of the user. - name: user.id - type: keyword -- description: Short name or login of the user. - multi_fields: - - name: text - type: match_only_text - name: user.name - type: keyword -- description: Unparsed user_agent string. - multi_fields: - - name: text - type: match_only_text - name: user_agent.original - type: keyword -- description: |- - The domain name of the server system. - This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. - name: server.domain - type: keyword -- description: |- - Some event server addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: server.address - type: keyword -- description: Port of the server. - name: server.port - type: long -- description: IP address of the server (IPv4 or IPv6). - name: server.ip - type: ip -- description: Short name or login of the user. - multi_fields: - - name: text - type: match_only_text - name: server.user.name - type: keyword -- description: |- - The domain name of the client system. - This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. 
- name: client.domain - type: keyword -- description: |- - Some event client addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: client.address - type: keyword -- description: Port of the client. - name: client.port - type: long -- description: IP address of the client (IPv4 or IPv6). - name: client.ip - type: ip diff --git a/packages/cisco_ftd/2.4.3/data_stream/log/fields/fields.yml b/packages/cisco_ftd/2.4.3/data_stream/log/fields/fields.yml deleted file mode 100755 index 26b46deb16..0000000000 --- a/packages/cisco_ftd/2.4.3/data_stream/log/fields/fields.yml +++ /dev/null 
@@ -1,149 +0,0 @@ -- name: cisco.ftd - type: group - fields: - - name: message_id - type: keyword - description: | - The Cisco FTD message identifier. - - name: suffix - type: keyword - description: | - Optional suffix after %FTD identifier. - - name: source_interface - type: keyword - description: | - Source interface for the flow or event. - - name: destination_interface - type: keyword - description: | - Destination interface for the flow or event. - - name: rule_name - type: keyword - description: | - Name of the Access Control List rule that matched this event. - - name: source_username - type: keyword - description: | - Name of the user that is the source for this event. - - name: destination_username - type: keyword - description: | - Name of the user that is the destination for this event. - - name: mapped_source_ip - type: ip - description: | - The translated source IP address. - - name: mapped_source_port - type: long - description: | - The translated source port. - - name: mapped_destination_ip - type: ip - description: | - The translated destination IP address. - - name: mapped_destination_port - type: long - description: | - The translated destination port. - - name: threat_level - type: keyword - description: | - Threat level for malware / botnet traffic. One of very-low, low, moderate, high or very-high. - - name: threat_category - type: keyword - description: | - Category for the malware / botnet traffic. For example: virus, botnet, trojan, etc. - - name: connection_id - type: keyword - description: | - Unique identifier for a flow. - - name: icmp_type - type: short - description: | - ICMP type. - - name: icmp_code - type: short - description: | - ICMP code. 
- - name: connection_type - type: keyword - description: | - The VPN connection type - - name: dap_records - type: keyword - description: | - The assigned DAP records - - name: mapped_destination_host - type: keyword - - name: username - type: keyword - - name: mapped_source_host - type: keyword - - name: command_line_arguments - default_field: false - type: keyword - description: | - The command line arguments logged by the local audit log - - name: assigned_ip - default_field: false - type: ip - description: | - The IP address assigned to a VPN client successfully connecting - - name: privilege.old - default_field: false - type: keyword - description: | - When a users privilege is changed this is the old value - - name: privilege.new - default_field: false - type: keyword - description: | - When a users privilege is changed this is the new value - - name: burst.object - default_field: false - type: keyword - description: | - The related object for burst warnings - - name: burst.id - default_field: false - type: keyword - description: | - The related rate ID for burst warnings - - name: burst.current_rate - default_field: false - type: keyword - description: | - The current burst rate seen - - name: burst.configured_rate - default_field: false - type: keyword - description: | - The current configured burst rate - - name: burst.avg_rate - default_field: false - type: keyword - description: | - The current average burst rate seen - - name: burst.configured_avg_rate - default_field: false - type: keyword - description: | - The current configured average burst rate allowed - - name: burst.cumulative_count - default_field: false - type: keyword - description: | - The total count of burst rate hits since the object was created or cleared - - name: security - type: flattened - description: Cisco FTD security event fields. 
- - name: webvpn.group_name - type: keyword - default_field: false - description: | - The WebVPN group name the user belongs to - - name: termination_user - default_field: false - type: keyword - description: |- - AAA name of user requesting termination diff --git a/packages/cisco_ftd/2.4.3/data_stream/log/manifest.yml b/packages/cisco_ftd/2.4.3/data_stream/log/manifest.yml deleted file mode 100755 index 7831571093..0000000000 --- a/packages/cisco_ftd/2.4.3/data_stream/log/manifest.yml +++ /dev/null 
@@ -1,153 +0,0 @@
-title: Cisco FTD logs
-type: logs
-streams:
- - input: udp
- title: Cisco FTD logs
- description: Collect Cisco FTD logs
- template_path: udp.yml.hbs
- vars:
- - name: tags
- type: text
- title: Tags
- multi: true
- required: true
- show_user: false
- default:
- - cisco-ftd
- - forwarded
- - name: udp_host
- type: text
- title: UDP host to listen on
- multi: false
- required: true
- show_user: true
- default: localhost
- - name: udp_port
- type: integer
- title: UDP Port to listen on
- multi: false
- required: true
- show_user: true
- default: 9003
- - name: preserve_original_event
- required: true
- show_user: true
- title: Preserve original event
- description: Preserves a raw copy of the original event, added to the field `event.original`
- type: bool
- multi: false
- default: false
- - name: processors
- type: yaml
- title: Processors
- multi: false
- required: false
- show_user: false
- description: >
- Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
-
- - input: tcp
- title: Cisco FTD logs
- description: Collect Cisco FTD logs
- template_path: tcp.yml.hbs
- vars:
- - name: tags
- type: text
- title: Tags
- multi: true
- required: true
- show_user: false
- default:
- - cisco-ftd
- - forwarded
- - name: tcp_host
- type: text
- title: TCP host to listen on
- multi: false
- required: true
- show_user: true
- default: localhost
- - name: tcp_port
- type: integer
- title: TCP Port to listen on
- multi: false
- required: true
- show_user: true
- default: 9003
- - name: preserve_original_event
- required: true
- show_user: true
- title: Preserve original event
- description: Preserves a raw copy of the original event, added to the field `event.original`
- type: bool
- multi: false
- default: false
- - name: processors
- type: yaml
- title: Processors
- multi: false
- required: false
- show_user: false
- description: >
- Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
-
- - name: ssl
- type: yaml
- title: SSL Configuration
- description: i.e. certificate, keys, supported_protocols, verification_mode etc. See [SSL](https://www.elastic.co/guide/en/beats/filebeat/current/configuration-ssl.html#ssl-server-config) for details.
- multi: false
- required: false
- show_user: false
- default: |
- #certificate: "/etc/server/cert.pem"
- #key: "/etc/server/key.pem"
- - name: tcp_options
- type: yaml
- title: Custom TCP Options
- multi: false
- required: false
- show_user: false
- default: |
- #max_connections: 1
- #framing: delimiter
- #line_delimiter: "\n"
- description: Specify custom configuration options for the TCP input. See [TCP](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-tcp.html) for details.
- - input: logfile
- enabled: false
- title: Cisco FTD logs
- description: Collect Cisco FTD logs from file
- vars:
- - name: paths
- type: text
- title: Paths
- multi: true
- required: true
- show_user: true
- default:
- - /var/log/cisco-ftd.log
- - name: tags
- type: text
- title: Tags
- multi: true
- required: true
- show_user: false
- default:
- - cisco-ftd
- - forwarded
- - name: preserve_original_event
- required: true
- show_user: true
- title: Preserve original event
- description: Preserves a raw copy of the original event, added to the field `event.original`
- type: bool
- multi: false
- default: false
- - name: processors
- type: yaml
- title: Processors
- multi: false
- required: false
- show_user: false
- description: >
- Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
-
diff --git a/packages/cisco_ftd/2.4.3/data_stream/log/sample_event.json b/packages/cisco_ftd/2.4.3/data_stream/log/sample_event.json
deleted file mode 100755
index 9125f92cbf..0000000000
--- a/packages/cisco_ftd/2.4.3/data_stream/log/sample_event.json
+++ /dev/null
@@ -1,156 +0,0 @@
-{
- "@timestamp": "2019-08-16T09:39:03.000Z",
- "agent": {
- "ephemeral_id": "173348ff-0df7-4c59-b0b0-f4aad4a82751",
- "id": "b9045ecb-c8cf-4d1a-8b37-757e202e9ea1",
- "name": "docker-fleet-agent",
- "type": "filebeat",
- "version": "8.2.0"
- },
- "cisco": {
- "ftd": {
- "rule_name": "malware-and-file-policy",
- "security": {
- "application_protocol": "HTTP",
- "client": "cURL",
- "dst_ip": "81.2.69.144",
- "dst_port": "80",
- "file_action": "Malware Cloud Lookup",
- "file_direction": "Download",
- "file_name": "eicar_com.zip",
- "file_policy": "malware-and-file-policy",
- "file_sandbox_status": "File Size Is Too Small",
- "file_sha256": "2546dcffc5ad854d4ddc64fbf056871cd5a00f2471cb7a5bfd4ac23b6e9eedad",
- "file_size": "184",
- "file_storage_status": "Not Stored (Disposition Was Pending)",
- "file_type": "ZIP",
- "first_packet_second": "2019-08-16T09:39:02Z",
- "protocol": "tcp",
- "sha_disposition": "Unavailable",
- "spero_disposition": "Spero detection not performed on file",
- "src_ip": "10.0.1.20",
- "src_port": "46004",
- "threat_name": "Win.Ransomware.Eicar::95.sbx.tg",
- "uri": "http://www.eicar.org/download/eicar_com.zip",
- "user": "No Authentication Required"
- },
- "threat_category": "Win.Ransomware.Eicar::95.sbx.tg"
- }
- },
- "data_stream": {
- "dataset": "cisco_ftd.log",
- "namespace": "ep",
- "type": "logs"
- },
- "destination": {
- "address": "81.2.69.144",
- "geo": {
- "city_name": "London",
- "continent_name": "Europe",
- "country_iso_code": "GB",
- "country_name": "United Kingdom",
- "location": {
- "lat": 51.5142,
- "lon": -0.0931
- },
- "region_iso_code": "GB-ENG",
- "region_name": "England"
- },
- "ip": "81.2.69.144",
- "port": 80
- },
- "ecs": {
- "version": "8.3.0"
- },
- "elastic_agent": {
- "id": "b9045ecb-c8cf-4d1a-8b37-757e202e9ea1",
- "snapshot": false,
- "version": "8.2.0"
- },
- "event": {
- "action": "malware-detected",
- "agent_id_status": "verified",
- "category": [
- "malware",
- "file"
- ],
- "code": "430005",
- "dataset": "cisco_ftd.log",
- "ingested": "2022-06-22T01:38:18Z",
- "kind": "event",
- "original": "2019-08-16T09:39:03Z firepower %FTD-1-430005: SrcIP: 10.0.1.20, DstIP: 81.2.69.144, SrcPort: 46004, DstPort: 80, Protocol: tcp, FileDirection: Download, FileAction: Malware Cloud Lookup, FileSHA256: 2546dcffc5ad854d4ddc64fbf056871cd5a00f2471cb7a5bfd4ac23b6e9eedad, SHA_Disposition: Unavailable, SperoDisposition: Spero detection not performed on file, ThreatName: Win.Ransomware.Eicar::95.sbx.tg, FileName: eicar_com.zip, FileType: ZIP, FileSize: 184, ApplicationProtocol: HTTP, Client: cURL, User: No Authentication Required, FirstPacketSecond: 2019-08-16T09:39:02Z, FilePolicy: malware-and-file-policy, FileStorageStatus: Not Stored (Disposition Was Pending), FileSandboxStatus: File Size Is Too Small, URI: http://www.eicar.org/download/eicar_com.zip",
- "severity": 1,
- "start": "2019-08-16T09:39:02Z",
- "timezone": "+00:00",
- "type": [
- "info"
- ]
- },
- "file": {
- "hash": {
- "sha256": "2546dcffc5ad854d4ddc64fbf056871cd5a00f2471cb7a5bfd4ac23b6e9eedad"
- },
- "name": "eicar_com.zip",
- "size": 184
- },
- "host": {
- "hostname": "firepower"
- },
- "input": {
- "type": "tcp"
- },
- "log": {
- "level": "alert",
- "source": {
- "address": "172.31.0.6:55524"
- }
- },
- "network": {
- "application": "curl",
- "iana_number": "6",
- "protocol": "http",
- "transport": "tcp"
- },
- "observer": {
- "hostname": "firepower",
- "product": "ftd",
- "type": "idps",
- "vendor": "Cisco"
- },
- "related": {
- "hash": [
- "2546dcffc5ad854d4ddc64fbf056871cd5a00f2471cb7a5bfd4ac23b6e9eedad"
- ],
- "hosts": [
- "firepower"
- ],
- "ip": [
- "10.0.1.20",
- "81.2.69.144"
- ],
- "user": [
- "No Authentication Required"
- ]
- },
- "source": {
- "address": "10.0.1.20",
- "ip": "10.0.1.20",
- "port": 46004
- },
- "tags": [
- "preserve_original_event",
- "cisco-ftd",
- "forwarded"
- ],
- "url": {
- "domain": "www.eicar.org",
- "extension": "zip",
- "original": "http://www.eicar.org/download/eicar_com.zip",
- "path": "/download/eicar_com.zip",
- "scheme": "http"
- },
- "user": {
- "id": "No Authentication Required",
- "name": "No Authentication Required"
- }
-}
\ No newline at end of file
diff --git a/packages/cisco_ftd/2.4.3/docs/README.md b/packages/cisco_ftd/2.4.3/docs/README.md
deleted file mode 100755
index afec5f3f06..0000000000
--- a/packages/cisco_ftd/2.4.3/docs/README.md
+++ /dev/null
@@ -1,397 +0,0 @@
-# Cisco FTD Integration
-
-This integration is for [Cisco](https://www.cisco.com/c/en/us/support/security/index.html) Firepower Threat Defence (FTD) device's logs. The package processes syslog messages from Cisco Firepower devices
-
-It includes the following datasets for receiving logs over syslog or read from a file:
-
-- `log` dataset: supports Cisco Firepower Threat Defense (FTD) logs.
-
-## Configuration
-
-Cisco provides a range of Firepower devices, which may have different configuration steps. We recommend users navigate to the device specific configuration page, and search for/go to the "FTD Logging" or "Configure Logging on FTD" page for the specific device.
-
-## Logs
-
-### FTD
-
-The `log` dataset collects the Cisco Firepower Threat Defense (FTD) logs.
-
-An example event for `log` looks as following:
-
-```json
-{
- "@timestamp": "2019-08-16T09:39:03.000Z",
- "agent": {
- "ephemeral_id": "173348ff-0df7-4c59-b0b0-f4aad4a82751",
- "id": "b9045ecb-c8cf-4d1a-8b37-757e202e9ea1",
- "name": "docker-fleet-agent",
- "type": "filebeat",
- "version": "8.2.0"
- },
- "cisco": {
- "ftd": {
- "rule_name": "malware-and-file-policy",
- "security": {
- "application_protocol": "HTTP",
- "client": "cURL",
- "dst_ip": "81.2.69.144",
- "dst_port": "80",
- "file_action": "Malware Cloud Lookup",
- "file_direction": "Download",
- "file_name": "eicar_com.zip",
- "file_policy": "malware-and-file-policy",
- "file_sandbox_status": "File Size Is Too Small",
- "file_sha256": "2546dcffc5ad854d4ddc64fbf056871cd5a00f2471cb7a5bfd4ac23b6e9eedad",
- "file_size": "184",
- "file_storage_status": "Not Stored (Disposition Was Pending)",
- "file_type": "ZIP",
- "first_packet_second": "2019-08-16T09:39:02Z",
- "protocol": "tcp",
- "sha_disposition": "Unavailable",
- "spero_disposition": "Spero detection not performed on file",
- "src_ip": "10.0.1.20",
- "src_port": "46004",
- "threat_name": "Win.Ransomware.Eicar::95.sbx.tg",
- "uri": "http://www.eicar.org/download/eicar_com.zip",
- "user": "No Authentication Required"
- },
- "threat_category": "Win.Ransomware.Eicar::95.sbx.tg"
- }
- },
- "data_stream": {
- "dataset": "cisco_ftd.log",
- "namespace": "ep",
- "type": "logs"
- },
- "destination": {
- "address": "81.2.69.144",
- "geo": {
- "city_name": "London",
- "continent_name": "Europe",
- "country_iso_code": "GB",
- "country_name": "United Kingdom",
- "location": {
- "lat": 51.5142,
- "lon": -0.0931
- },
- "region_iso_code": "GB-ENG",
- "region_name": "England"
- },
- "ip": "81.2.69.144",
- "port": 80
- },
- "ecs": {
- "version": "8.3.0"
- },
- "elastic_agent": {
- "id": "b9045ecb-c8cf-4d1a-8b37-757e202e9ea1",
- "snapshot": false,
- "version": "8.2.0"
- },
- "event": {
- "action": "malware-detected",
- "agent_id_status": "verified",
- "category": [
- "malware",
- "file"
- ],
- "code": "430005",
- "dataset": "cisco_ftd.log",
- "ingested": "2022-06-22T01:38:18Z",
- "kind": "event",
- "original": "2019-08-16T09:39:03Z firepower %FTD-1-430005: SrcIP: 10.0.1.20, DstIP: 81.2.69.144, SrcPort: 46004, DstPort: 80, Protocol: tcp, FileDirection: Download, FileAction: Malware Cloud Lookup, FileSHA256: 2546dcffc5ad854d4ddc64fbf056871cd5a00f2471cb7a5bfd4ac23b6e9eedad, SHA_Disposition: Unavailable, SperoDisposition: Spero detection not performed on file, ThreatName: Win.Ransomware.Eicar::95.sbx.tg, FileName: eicar_com.zip, FileType: ZIP, FileSize: 184, ApplicationProtocol: HTTP, Client: cURL, User: No Authentication Required, FirstPacketSecond: 2019-08-16T09:39:02Z, FilePolicy: malware-and-file-policy, FileStorageStatus: Not Stored (Disposition Was Pending), FileSandboxStatus: File Size Is Too Small, URI: http://www.eicar.org/download/eicar_com.zip",
- "severity": 1,
- "start": "2019-08-16T09:39:02Z",
- "timezone": "+00:00",
- "type": [
- "info"
- ]
- },
- "file": {
- "hash": {
- "sha256": "2546dcffc5ad854d4ddc64fbf056871cd5a00f2471cb7a5bfd4ac23b6e9eedad"
- },
- "name": "eicar_com.zip",
- "size": 184
- },
- "host": {
- "hostname": "firepower"
- },
- "input": {
- "type": "tcp"
- },
- "log": {
- "level": "alert",
- "source": {
- "address": "172.31.0.6:55524"
- }
- },
- "network": {
- "application": "curl",
- "iana_number": "6",
- "protocol": "http",
- "transport": "tcp"
- },
- "observer": {
- "hostname": "firepower",
- "product": "ftd",
- "type": "idps",
- "vendor": "Cisco"
- },
- "related": {
- "hash": [
- "2546dcffc5ad854d4ddc64fbf056871cd5a00f2471cb7a5bfd4ac23b6e9eedad"
- ],
- "hosts": [
- "firepower"
- ],
- "ip": [
- "10.0.1.20",
- "81.2.69.144"
- ],
- "user": [
- "No Authentication Required"
- ]
- },
- "source": {
- "address": "10.0.1.20",
- "ip": "10.0.1.20",
- "port": 46004
- },
- "tags": [
- "preserve_original_event",
- "cisco-ftd",
- "forwarded"
- ],
- "url": {
- "domain": "www.eicar.org",
- "extension": "zip",
- "original": "http://www.eicar.org/download/eicar_com.zip",
- "path": "/download/eicar_com.zip",
- "scheme": "http"
- },
- "user": {
- "id": "No Authentication Required",
- "name": "No Authentication Required"
- }
-}
-```
-
-**Exported fields**
-
-| Field | Description | Type |
-|---|---|---|
-| @timestamp | Event timestamp. | date |
-| cisco.ftd.assigned_ip | The IP address assigned to a VPN client successfully connecting | ip |
-| cisco.ftd.burst.avg_rate | The current average burst rate seen | keyword |
-| cisco.ftd.burst.configured_avg_rate | The current configured average burst rate allowed | keyword |
-| cisco.ftd.burst.configured_rate | The current configured burst rate | keyword |
-| cisco.ftd.burst.cumulative_count | The total count of burst rate hits since the object was created or cleared | keyword |
-| cisco.ftd.burst.current_rate | The current burst rate seen | keyword |
-| cisco.ftd.burst.id | The related rate ID for burst warnings | keyword |
-| cisco.ftd.burst.object | The related object for burst warnings | keyword |
-| cisco.ftd.command_line_arguments | The command line arguments logged by the local audit log | keyword |
-| cisco.ftd.connection_id | Unique identifier for a flow. | keyword |
-| cisco.ftd.connection_type | The VPN connection type | keyword |
-| cisco.ftd.dap_records | The assigned DAP records | keyword |
-| cisco.ftd.destination_interface | Destination interface for the flow or event. | keyword |
-| cisco.ftd.destination_username | Name of the user that is the destination for this event. | keyword |
-| cisco.ftd.icmp_code | ICMP code. | short |
-| cisco.ftd.icmp_type | ICMP type. | short |
-| cisco.ftd.mapped_destination_host | | keyword |
-| cisco.ftd.mapped_destination_ip | The translated destination IP address. | ip |
-| cisco.ftd.mapped_destination_port | The translated destination port. | long |
-| cisco.ftd.mapped_source_host | | keyword |
-| cisco.ftd.mapped_source_ip | The translated source IP address. | ip |
-| cisco.ftd.mapped_source_port | The translated source port. | long |
-| cisco.ftd.message_id | The Cisco FTD message identifier. | keyword |
-| cisco.ftd.privilege.new | When a users privilege is changed this is the new value | keyword |
-| cisco.ftd.privilege.old | When a users privilege is changed this is the old value | keyword |
-| cisco.ftd.rule_name | Name of the Access Control List rule that matched this event. | keyword |
-| cisco.ftd.security | Cisco FTD security event fields. | flattened |
-| cisco.ftd.source_interface | Source interface for the flow or event. | keyword |
-| cisco.ftd.source_username | Name of the user that is the source for this event. | keyword |
-| cisco.ftd.suffix | Optional suffix after %FTD identifier. | keyword |
-| cisco.ftd.termination_user | AAA name of user requesting termination | keyword |
-| cisco.ftd.threat_category | Category for the malware / botnet traffic. For example: virus, botnet, trojan, etc. | keyword |
-| cisco.ftd.threat_level | Threat level for malware / botnet traffic. One of very-low, low, moderate, high or very-high. | keyword |
-| cisco.ftd.username | | keyword |
-| cisco.ftd.webvpn.group_name | The WebVPN group name the user belongs to | keyword |
-| client.address | Some event client addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
-| client.domain | The domain name of the client system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword |
-| client.ip | IP address of the client (IPv4 or IPv6). | ip |
-| client.port | Port of the client. | long |
-| client.user.name | Short name or login of the user. | keyword |
-| client.user.name.text | Multi-field of `client.user.name`. | match_only_text |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
-| data_stream.dataset | Data stream dataset. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
-| destination.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long |
-| destination.as.organization.name | Organization name. | keyword |
-| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. | match_only_text |
-| destination.bytes | Bytes sent from the destination to the source. | long |
-| destination.domain | The domain name of the destination system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword |
-| destination.geo.city_name | City name. | keyword |
-| destination.geo.continent_name | Name of the continent. | keyword |
-| destination.geo.country_iso_code | Country ISO code. | keyword |
-| destination.geo.country_name | Country name. | keyword |
-| destination.geo.location | Longitude and latitude. | geo_point |
-| destination.geo.region_iso_code | Region ISO code. | keyword |
-| destination.geo.region_name | Region name. | keyword |
-| destination.ip | IP address of the destination (IPv4 or IPv6). | ip |
-| destination.nat.ip | Translated ip of destination based NAT sessions (e.g. internet to private DMZ) Typically used with load balancers, firewalls, or routers. | ip |
-| destination.nat.port | Port the source session is translated to by NAT Device. Typically used with load balancers, firewalls, or routers. | long |
-| destination.packets | Packets sent from the destination to the source. | long |
-| destination.port | Port of the destination. | long |
-| destination.user.name | Short name or login of the user. | keyword |
-| destination.user.name.text | Multi-field of `destination.user.name`. | match_only_text |
-| dns.question.name | The name being queried. If the name field contains non-printable characters (below 32 or above 126), those characters should be represented as escaped base 10 integers (\DDD). Back slashes and quotes should be escaped. Tabs, carriage returns, and line feeds should be converted to \t, \r, and \n respectively. | keyword |
-| dns.question.type | The type of record being queried. | keyword |
-| dns.response_code | The DNS response code. | keyword |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| error.message | Error message. | match_only_text |
-| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword |
-| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword |
-| event.code | Identification code for this event, if one exists. Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. | keyword |
-| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date |
-| event.dataset | Event dataset | constant_keyword |
-| event.duration | Duration of the event in nanoseconds. If event.start and event.end are known this value should be the difference between the end and start time. | long |
-| event.end | event.end contains the date when the event ended or when the activity was last observed. | date |
-| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date |
-| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword |
-| event.module | Event module | constant_keyword |
-| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword |
-| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword |
-| event.provider | Source of the event. Event transports such as Syslog or the Windows Event Log typically mention the source of an event. It can be the name of the software that generated the event (e.g. Sysmon, httpd), or of a subsystem of the operating system (kernel, Microsoft-Windows-Security-Auditing). | keyword |
-| event.reason | Reason why this event happened, according to the source. This describes the why of a particular action or outcome captured in the event. Where `event.action` captures the action from the event, `event.reason` describes why that action was taken. For example, a web proxy with an `event.action` which denied the request may also populate `event.reason` with the reason why (e.g. `blocked site`). | keyword |
-| event.severity | The numeric severity of the event according to your event source. What the different severity values mean can be different between sources and use cases. It's up to the implementer to make sure severities are consistent across events from the same source. The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`. | long |
-| event.start | event.start contains the date when the event started or when the activity was first observed. | date |
-| event.timezone | This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). | keyword |
-| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword |
-| file.hash.sha256 | SHA256 hash. | keyword |
-| file.name | Name of the file including the extension, without the directory. | keyword |
-| file.path | Full path to the file, including the file name. It should include the drive letter, when appropriate. | keyword |
-| file.path.text | Multi-field of `file.path`. | match_only_text |
-| file.size | File size in bytes. Only relevant when `file.type` is "file". | long |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| http.request.referrer | Referrer for this HTTP request. | keyword |
-| http.response.status_code | HTTP response status code. | long |
-| input.type | Input type. | keyword |
-| labels | Custom key/value pairs. Can be used to add meta information to events. Should not contain nested objects. All values are stored as keyword. Example: `docker` and `k8s` labels. | object |
-| log.file.path | Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. | keyword |
-| log.level | Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). Some examples are `warn`, `err`, `i`, `informational`. | keyword |
-| log.offset | Offset of the entry in the log file. | long |
-| log.source.address | Source address from which the log event was read / sent from. | keyword |
-| log.syslog.facility.code | The Syslog numeric facility of the log event, if available. According to RFCs 5424 and 3164, this value should be an integer between 0 and 23. | long |
-| log.syslog.priority | Syslog numeric priority of the event, if available. According to RFCs 5424 and 3164, the priority is 8 \* facility + severity. This number is therefore expected to contain a value between 0 and 191. | long |
-| log.syslog.severity.code | The Syslog numeric severity of the log event, if available. If the event source publishing via Syslog provides a different numeric severity value (e.g. firewall, IDS), your source's numeric severity should go to `event.severity`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `event.severity`. | long |
-| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text |
-| network.application | When a specific application or service is identified from network connection details (source/dest IPs, ports, certificates, or wire format), this field captures the application's or service's name. For example, the original event identifies the network connection being from a specific web service in a `https` network connection, like `facebook` or `twitter`. The field value must be normalized to lowercase for querying. | keyword |
-| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long |
-| network.direction | Direction of the network traffic. When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword |
-| network.iana_number | IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. | keyword |
-| network.inner | Network.inner fields are added in addition to network.vlan fields to describe the innermost VLAN when q-in-q VLAN tagging is present. Allowed fields include vlan.id and vlan.name. Inner vlan fields are typically used when sending traffic with multiple 802.1q encapsulations to a network sensor (e.g. Zeek, Wireshark.) | object |
-| network.inner.vlan.id | VLAN ID as reported by the observer. | keyword |
-| network.inner.vlan.name | Optional VLAN name as reported by the observer. | keyword |
-| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword |
-| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword |
-| network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword |
-| observer.egress.interface.name | Interface name as reported by the system. | keyword |
-| observer.egress.zone | Network zone of outbound traffic as reported by the observer to categorize the destination area of egress traffic, e.g. Internal, External, DMZ, HR, Legal, etc. | keyword |
-| observer.hostname | Hostname of the observer. | keyword |
-| observer.ingress.interface.name | Interface name as reported by the system. | keyword |
-| observer.ingress.zone | Network zone of incoming traffic as reported by the observer to categorize the source area of ingress traffic. e.g. internal, External, DMZ, HR, Legal, etc. | keyword |
-| observer.ip | IP addresses of the observer. | ip |
-| observer.name | Custom name of the observer. This is a name that can be given to an observer. This can be helpful for example if multiple firewalls of the same model are used in an organization. If no custom name is needed, the field can be left empty. | keyword |
-| observer.product | The product name of the observer. | keyword |
-| observer.type | The type of the observer the data is coming from. There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. | keyword |
-| observer.vendor | Vendor name of the observer. | keyword |
-| observer.version | Observer version. | keyword |
-| process.name | Process name. Sometimes called program name or similar. 
| keyword | -| process.name.text | Multi-field of `process.name`. | match_only_text | -| process.pid | Process id. | long | -| related.hash | All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). | keyword | -| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| related.user | All the user names or other user identifiers seen on the event. | keyword | -| server.address | Some event server addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| server.domain | The domain name of the server system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | -| server.ip | IP address of the server (IPv4 or IPv6). | ip | -| server.port | Port of the server. | long | -| server.user.name | Short name or login of the user. | keyword | -| server.user.name.text | Multi-field of `server.user.name`. | match_only_text | -| service.id | Unique identifier of the running service. If the service is comprised of many nodes, the `service.id` should be the same for all nodes. This id should uniquely identify the service. This makes it possible to correlate logs and metrics for one specific service, no matter which particular node emitted the event. Note that if you need to see the events from one specific host of the service, you should filter on that `host.name` or `host.id` instead. 
| keyword | -| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| source.as.organization.name | Organization name. | keyword | -| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text | -| source.bytes | Bytes sent from the source to the destination. | long | -| source.domain | The domain name of the source system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | -| source.geo.city_name | City name. | keyword | -| source.geo.continent_name | Name of the continent. | keyword | -| source.geo.country_iso_code | Country ISO code. | keyword | -| source.geo.country_name | Country name. | keyword | -| source.geo.location | Longitude and latitude. | geo_point | -| source.geo.region_iso_code | Region ISO code. | keyword | -| source.geo.region_name | Region name. | keyword | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| source.nat.ip | Translated ip of source based NAT sessions (e.g. internal client to internet) Typically connections traversing load balancers, firewalls, or routers. | ip | -| source.nat.port | Translated port of source based NAT sessions. (e.g. internal client to internet) Typically used with load balancers, firewalls, or routers. | long | -| source.packets | Packets sent from the source to the destination. | long | -| source.port | Port of the source. | long | -| source.user.name | Short name or login of the user. 
| keyword | -| source.user.name.text | Multi-field of `source.user.name`. | match_only_text | -| tags | List of keywords used to tag each event. | keyword | -| url.domain | Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. | keyword | -| url.extension | The field contains the file extension from the original request url, excluding the leading dot. The file extension is only set if it exists, as not every url has a file extension. The leading period must not be included. For example, the value must be "png", not ".png". Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword | -| url.fragment | Portion of the url after the `#`, such as "top". The `#` is not part of the fragment. | keyword | -| url.full | If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. | wildcard | -| url.full.text | Multi-field of `url.full`. | match_only_text | -| url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | wildcard | -| url.original.text | Multi-field of `url.original`. | match_only_text | -| url.password | Password of the request. | keyword | -| url.path | Path of the request, such as "/search". | wildcard | -| url.port | Port of the request, such as 443. | long | -| url.query | The query field describes the query string of the request, such as "q=elasticsearch". 
The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. | keyword | -| url.registered_domain | The highest registered url domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | -| url.scheme | Scheme of the request, such as "https". Note: The `:` is not part of the scheme. | keyword | -| url.subdomain | The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword | -| url.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | -| url.username | Username of the request. | keyword | -| user.email | User email address. | keyword | -| user.id | Unique identifier of the user. | keyword | -| user.name | Short name or login of the user. 
| keyword |
-| user.name.text | Multi-field of `user.name`. | match_only_text |
-| user_agent.original | Unparsed user_agent string. | keyword |
-| user_agent.original.text | Multi-field of `user_agent.original`. | match_only_text |
-
diff --git a/packages/cisco_ftd/2.4.3/img/cisco.svg b/packages/cisco_ftd/2.4.3/img/cisco.svg
deleted file mode 100755
index 20ebebf197..0000000000
--- a/packages/cisco_ftd/2.4.3/img/cisco.svg
+++ /dev/null
@@ -1 +0,0 @@
-
\ No newline at end of file
diff --git a/packages/cisco_ftd/2.4.3/manifest.yml b/packages/cisco_ftd/2.4.3/manifest.yml
deleted file mode 100755
index b63712ab69..0000000000
--- a/packages/cisco_ftd/2.4.3/manifest.yml
+++ /dev/null
@@ -1,34 +0,0 @@
-format_version: 1.0.0
-name: cisco_ftd
-title: Cisco FTD
-version: "2.4.3"
-license: basic
-description: Collect logs from Cisco FTD with Elastic Agent.
-type: integration
-categories:
- - network
- - security
-release: ga
-conditions:
- kibana.version: "^7.16.0 || ^8.0.0"
-icons:
- - src: /img/cisco.svg
- title: cisco
- size: 216x216
- type: image/svg+xml
-policy_templates:
- - name: cisco_ftd
- title: Cisco FTD logs
- description: Collect logs from Cisco FTD instances
- inputs:
- - type: tcp
- title: Collect logs from Cisco FTD via TCP
- description: Collecting logs from Cisco FTD via TCP
- - type: udp
- title: Collect logs from Cisco FTD via UDP
- description: Collecting logs from Cisco FTD via UDP
- - type: logfile
- title: Collect logs from Cisco FTD via file
- description: Collecting logs from Cisco FTD via file
-owner:
- github: elastic/security-external-integrations
diff --git a/packages/cisco_ftd/2.4.4/LICENSE.txt b/packages/cisco_ftd/2.4.4/LICENSE.txt
deleted file mode 100755
index 809108b857..0000000000
--- a/packages/cisco_ftd/2.4.4/LICENSE.txt
+++ /dev/null
@@ -1,93 +0,0 @@
-Elastic License 2.0
-
-URL: https://www.elastic.co/licensing/elastic-license
-
-## Acceptance
-
-By using the software, you agree to all of the terms and conditions below.
-
-## Copyright License
-
-The licensor grants you a non-exclusive, royalty-free, worldwide,
-non-sublicensable, non-transferable license to use, copy, distribute, make
-available, and prepare derivative works of the software, in each case subject to
-the limitations and conditions below.
-
-## Limitations
-
-You may not provide the software to third parties as a hosted or managed
-service, where the service provides users with access to any substantial set of
-the features or functionality of the software.
-
-You may not move, change, disable, or circumvent the license key functionality
-in the software, and you may not remove or obscure any functionality in the
-software that is protected by the license key.
-
-You may not alter, remove, or obscure any licensing, copyright, or other notices
-of the licensor in the software. Any use of the licensor’s trademarks is subject
-to applicable law.
-
-## Patents
-
-The licensor grants you a license, under any patent claims the licensor can
-license, or becomes able to license, to make, have made, use, sell, offer for
-sale, import and have imported the software, in each case subject to the
-limitations and conditions in this license. This license does not cover any
-patent claims that you cause to be infringed by modifications or additions to
-the software. If you or your company make any written claim that the software
-infringes or contributes to infringement of any patent, your patent license for
-the software granted under these terms ends immediately. If your company makes
-such a claim, your patent license ends immediately for work on behalf of your
-company.
-
-## Notices
-
-You must ensure that anyone who gets a copy of any part of the software from you
-also gets a copy of these terms.
-
-If you modify the software, you must include in any modified copies of the
-software prominent notices stating that you have modified the software.
-
-## No Other Rights
-
-These terms do not imply any licenses other than those expressly granted in
-these terms.
-
-## Termination
-
-If you use the software in violation of these terms, such use is not licensed,
-and your licenses will automatically terminate. If the licensor provides you
-with a notice of your violation, and you cease all violation of this license no
-later than 30 days after you receive that notice, your licenses will be
-reinstated retroactively. However, if you violate these terms after such
-reinstatement, any additional violation of these terms will cause your licenses
-to terminate automatically and permanently.
-
-## No Liability
-
-*As far as the law allows, the software comes as is, without any warranty or
-condition, and the licensor will not be liable to you for any damages arising
-out of these terms or the use or nature of the software, under any kind of
-legal claim.*
-
-## Definitions
-
-The **licensor** is the entity offering these terms, and the **software** is the
-software the licensor makes available under these terms, including any portion
-of it.
-
-**you** refers to the individual or entity agreeing to these terms.
-
-**your company** is any legal entity, sole proprietorship, or other kind of
-organization that you work for, plus all organizations that have control over,
-are under the control of, or are under common control with that
-organization. **control** means ownership of substantially all the assets of an
-entity, or the power to direct its management and policies by vote, contract, or
-otherwise. Control can be direct or indirect.
-
-**your licenses** are all the licenses granted to you for the software under
-these terms.
-
-**use** means anything you do with the software requiring one of your licenses.
-
-**trademark** means trademarks, service marks, and similar rights.
diff --git a/packages/cisco_ftd/2.4.4/changelog.yml b/packages/cisco_ftd/2.4.4/changelog.yml
deleted file mode 100755
index e7495eb70e..0000000000
--- a/packages/cisco_ftd/2.4.4/changelog.yml
+++ /dev/null
@@ -1,132 +0,0 @@
-# newer versions go on top
-- version: "2.4.4"
- changes:
- - description: Remove duplicate field.
- type: bugfix
- link: https://github.com/elastic/integrations/issues/4327
-- version: "2.4.3"
- changes:
- - description: Fix handling of 302020 event messages.
- type: bugfix
- link: https://github.com/elastic/integrations/pull/4209
-- version: "2.4.2"
- changes:
- - description: Use ECS geo.location definition.
- type: enhancement
- link: https://github.com/elastic/integrations/issues/4227
-- version: "2.4.1"
- changes:
- - description: Clean up grok pattern naming.
- type: bugfix
- link: https://github.com/elastic/integrations/pull/4163
-- version: "2.4.0"
- changes:
- - description: Update package to ECS 8.4.0
- type: enhancement
- link: https://github.com/elastic/integrations/pull/3842
-- version: "2.3.1"
- changes:
- - description: Improve TCP, SSL config description and example.
- type: enhancement
- link: https://github.com/elastic/integrations/pull/3763
-- version: "2.3.0"
- changes:
- - description: Update package to ECS 8.3.0.
- type: enhancement
- link: https://github.com/elastic/integrations/pull/3353
-- version: "2.2.2"
- changes:
- - description: Map syslog priority details according to ECS
- type: bugfix
- link: https://github.com/elastic/integrations/pull/3549
- - description: Extract syslog facility and severity codes from syslog priority
- type: bugfix
- link: https://github.com/elastic/integrations/pull/3549
-- version: "2.2.1"
- changes:
- - description: Remove invalid values from ECS fields
- type: bugfix
- link: https://github.com/elastic/integrations/pull/3344
-- version: "2.2.0"
- changes:
- - description: Add TLS system test
- type: enhancement
- link: https://github.com/elastic/integrations/pull/3339
- - description: Add TCP input with TLS support
- type: enhancement
- link: https://github.com/elastic/integrations/pull/3313
-- version: "2.1.1"
- changes:
- - description: Added link to Cisco's FTD documentation in readme
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2931
-- version: "2.1.0"
- changes:
- - description: Update to ECS 8.2
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2778
-- version: "2.0.4"
- changes:
- - description: Set event.kind to alert only when sha_disposition is malware or custom
- type: bugfix
- link: https://github.com/elastic/integrations/pull/3041
-- version: "2.0.3"
- changes:
- - description: Make fields agree with ECS
- type: bugfix
- link: https://github.com/elastic/integrations/pull/3018
-- version: "2.0.2"
- changes:
- - description: Update observer to ftd and idps to better match this integration.
- type: bugfix
- link: https://github.com/elastic/integrations/pull/2551
-- version: "2.0.1"
- changes:
- - description: Add documentation for multi-fields
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2916
-- version: "2.0.0"
- changes:
- - description: Update to ECS 8.0
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2391
-- version: "1.2.2"
- changes:
- - description: Regenerate test files using the new GeoIP database
- type: bugfix
- link: https://github.com/elastic/integrations/pull/2339
-- version: "1.2.1"
- changes:
- - description: Change test public IPs to the supported subset
- type: bugfix
- link: https://github.com/elastic/integrations/pull/2327
-- version: "1.2.0"
- changes:
- - description: Add 8.0.0 version constraint
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2258
-- version: "1.1.2"
- changes:
- - description: Update Title and Description.
- type: enhancement
- link: https://github.com/elastic/integrations/pull/1954
-- version: "1.1.1"
- changes:
- - description: Fix logic that checks for the 'forwarded' tag
- type: bugfix
- link: https://github.com/elastic/integrations/pull/1806
-- version: "1.1.0"
- changes:
- - description: Update to ECS 1.12.0
- type: enhancement
- link: https://github.com/elastic/integrations/pull/1783
-- version: "1.0.1"
- changes:
- - description: Adding missing ECS fields
- type: bugfix
- link: https://github.com/elastic/integrations/pull/1731
-- version: "1.0.0"
- changes:
- - description: Initial version to split Cisco FTD out from the general Cisco package
- type: enhancement
- link: https://github.com/elastic/integrations/pull/1586
diff --git a/packages/cisco_ftd/2.4.4/data_stream/log/agent/stream/stream.yml.hbs b/packages/cisco_ftd/2.4.4/data_stream/log/agent/stream/stream.yml.hbs
deleted file mode 100755
index 28ea4aaa98..0000000000
--- a/packages/cisco_ftd/2.4.4/data_stream/log/agent/stream/stream.yml.hbs
+++ /dev/null
@@ -1,20 +0,0 @@
-paths:
-{{#each paths as |path i|}}
- - {{path}}
-{{/each}}
-exclude_files: [".gz$"]
-tags:
-{{#if preserve_original_event}}
- - preserve_original_event
-{{/if}}
-{{#each tags as |tag i|}}
- - {{tag}}
-{{/each}}
-{{#contains "forwarded" tags}}
-publisher_pipeline.disable_host: true
-{{/contains}}
-processors:
-- add_locale: ~
-{{#if processors}}
-{{processors}}
-{{/if}}
\ No newline at end of file
diff --git a/packages/cisco_ftd/2.4.4/data_stream/log/agent/stream/tcp.yml.hbs b/packages/cisco_ftd/2.4.4/data_stream/log/agent/stream/tcp.yml.hbs
deleted file mode 100755
index 8f3ae72293..0000000000
--- a/packages/cisco_ftd/2.4.4/data_stream/log/agent/stream/tcp.yml.hbs
+++ /dev/null
@@ -1,22 +0,0 @@
-host: "{{tcp_host}}:{{tcp_port}}"
-tags:
-{{#if preserve_original_event}}
- - preserve_original_event
-{{/if}}
-{{#each tags as |tag i|}}
- - {{tag}}
-{{/each}}
-{{#contains "forwarded" tags}}
-publisher_pipeline.disable_host: true
-{{/contains}}
-{{#if ssl}}
-ssl: {{ssl}}
-{{/if}}
-processors:
-- add_locale: ~
-{{#if processors}}
-{{processors}}
-{{/if}}
-{{#if tcp_options}}
-{{tcp_options}}
-{{/if}}
\ No newline at end of file
diff --git a/packages/cisco_ftd/2.4.4/data_stream/log/agent/stream/udp.yml.hbs b/packages/cisco_ftd/2.4.4/data_stream/log/agent/stream/udp.yml.hbs
deleted file mode 100755
index e129442a23..0000000000
--- a/packages/cisco_ftd/2.4.4/data_stream/log/agent/stream/udp.yml.hbs
+++ /dev/null
@@ -1,16 +0,0 @@
-host: "{{udp_host}}:{{udp_port}}"
-tags:
-{{#if preserve_original_event}}
- - preserve_original_event
-{{/if}}
-{{#each tags as |tag i|}}
- - {{tag}}
-{{/each}}
-{{#contains "forwarded" tags}}
-publisher_pipeline.disable_host: true
-{{/contains}}
-processors:
-- add_locale: ~
-{{#if processors}}
-{{processors}}
-{{/if}}
\ No newline at end of file
diff --git a/packages/cisco_ftd/2.4.4/data_stream/log/elasticsearch/ingest_pipeline/default.yml b/packages/cisco_ftd/2.4.4/data_stream/log/elasticsearch/ingest_pipeline/default.yml
deleted file mode 100755
index fe507b40db..0000000000
--- a/packages/cisco_ftd/2.4.4/data_stream/log/elasticsearch/ingest_pipeline/default.yml
+++ /dev/null
@@ -1,2000 +0,0 @@ ---- -description: "Pipeline for Cisco FTD logs" -processors: - - rename: - field: message - target_field: event.original - ignore_missing: true - - set: - field: ecs.version - value: '8.4.0' - # - # Parse the syslog header - # - # This populates the host.hostname, process.name, timestamp and other fields - # from the header and stores the message contents in _temp_.full_message. - - grok: - field: event.original - patterns: - - "(?:%{SYSLOG_HEADER})?\\s*%{GREEDYDATA:_temp_.full_message}" - pattern_definitions: - SYSLOG_HEADER: "(?:%{SYSPRIORITY}\\s*)?(?:%{FTD_DATE:_temp_.raw_date}:?\\s+)?(?:%{PROCESS_HOST}|%{HOST_PROCESS})(?:{DATA})?%{SYSLOG_END}?" - SYSPRIORITY: "<%{NONNEGINT:log.syslog.priority:int}>" - # Beginning with version 6.3, Firepower Threat Defense provides the option to enable timestamp as per RFC 5424. - FTD_DATE: "(?:%{TIMESTAMP_ISO8601}|%{ASA_DATE})" - ASA_DATE: "(?:%{DAY} )?%{MONTH} *%{MONTHDAY}(?: %{YEAR})? %{TIME}(?: %{TZ})?" - PROCESS: "(?:[^%\\s:\\[]+)" - SYSLOG_END: "(?:(:|\\s)\\s+)" - # exactly match the syntax for firepower management logs - PROCESS_HOST: "(?:%{PROCESS:process.name}:\\s%{SYSLOGHOST:host.name})" - HOST_PROCESS: "(?:%{SYSLOGHOST:host.hostname}:?\\s+)?(?:%{PROCESS:process.name}?(?:\\[%{POSINT:process.pid:long}\\])?)?" - - script: - lang: painless - source: | - if (ctx.log?.syslog?.priority != null) { - def severity = new HashMap(); - severity['code'] = ctx.log.syslog.priority&0x7; - ctx.log.syslog['severity'] = severity; - def facility = new HashMap(); - facility['code'] = ctx.log.syslog.priority>>3; - ctx.log.syslog['facility'] = facility; - } - - # - # Parse FTD/ASA style message - # - # This parses the header of an EMBLEM-style message for FTD and ASA prefixes. 
- - grok: - field: _temp_.full_message - patterns: - - "%{FTD_PREFIX}-(?:%{FTD_SUFFIX:_temp_.cisco.suffix}-)?%{NONNEGINT:event.severity:int}-%{POSINT:_temp_.cisco.message_id}?:?\\s*%{GREEDYDATA:message}" - # Before version 6.3, messages for connection, security intelligence, and intrusion events didn't include an event type ID in the message header. - - "%{GREEDYDATA:message}" - pattern_definitions: - FTD_SUFFIX: "[^0-9-]+" - # Before version 6.3, FTD used ASA prefix in syslog messages - FTD_PREFIX: "%{DATA}%(?:[A-Z]+)" - - # - # Create missing fields when no %FTD label is present - # - # message_id is needed in order for some processors below to work. - - set: - field: _temp_.cisco.message_id - value: "" - if: "ctx?._temp_?.cisco?.message_id == null" - - # - # set default event.severity to 7 (debug): - # - # This value is read from the EMBLEM header and won't be present if this is not - # an emblem message (firewalls can be configured to report other kinds of events) - - set: - field: event.severity - value: 7 - if: "ctx?.event?.severity == null" - - # - # Parse the date included in FTD logs - # - - date: - if: "ctx.event?.timezone == null && ctx._temp_?.raw_date != null" - field: "_temp_.raw_date" - target_field: "@timestamp" - formats: - - "ISO8601" - - "MMM d HH:mm:ss" - - "MMM dd HH:mm:ss" - - "EEE MMM d HH:mm:ss" - - "EEE MMM dd HH:mm:ss" - - "MMM d HH:mm:ss z" - - "MMM dd HH:mm:ss z" - - "EEE MMM d HH:mm:ss z" - - "EEE MMM dd HH:mm:ss z" - - "MMM d yyyy HH:mm:ss" - - "MMM dd yyyy HH:mm:ss" - - "EEE MMM d yyyy HH:mm:ss" - - "EEE MMM dd yyyy HH:mm:ss" - - "MMM d yyyy HH:mm:ss z" - - "MMM dd yyyy HH:mm:ss z" - - "EEE MMM d yyyy HH:mm:ss z" - - "EEE MMM dd yyyy HH:mm:ss z" - on_failure: - [ - { - "append": - { - "field": "error.message", - "value": "{{ _ingest.on_failure_message }}", - }, - }, - ] - - date: - if: "ctx.event?.timezone != null && ctx._temp_?.raw_date != null" - timezone: "{{ event.timezone }}" - field: "_temp_.raw_date" - target_field: 
"@timestamp" - formats: - - "ISO8601" - - "MMM d HH:mm:ss" - - "MMM dd HH:mm:ss" - - "EEE MMM d HH:mm:ss" - - "EEE MMM dd HH:mm:ss" - - "MMM d HH:mm:ss z" - - "MMM dd HH:mm:ss z" - - "EEE MMM d HH:mm:ss z" - - "EEE MMM dd HH:mm:ss z" - - "MMM d yyyy HH:mm:ss" - - "MMM dd yyyy HH:mm:ss" - - "EEE MMM d yyyy HH:mm:ss" - - "EEE MMM dd yyyy HH:mm:ss" - - "MMM d yyyy HH:mm:ss z" - - "MMM dd yyyy HH:mm:ss z" - - "EEE MMM d yyyy HH:mm:ss z" - - "EEE MMM dd yyyy HH:mm:ss z" - on_failure: - [ - { - "append": - { - "field": "error.message", - "value": "{{ _ingest.on_failure_message }}", - }, - }, - ] - - # - # Set log.level - # - - set: - field: "log.level" - if: "ctx.event.severity == 0" - value: unknown - - set: - field: "log.level" - if: "ctx.event.severity == 1" - value: alert - - set: - field: "log.level" - if: "ctx.event.severity == 2" - value: critical - - set: - field: "log.level" - if: "ctx.event.severity == 3" - value: error - - set: - field: "log.level" - if: "ctx.event.severity == 4" - value: warning - - set: - field: "log.level" - if: "ctx.event.severity == 5" - value: notification - - set: - field: "log.level" - if: "ctx.event.severity == 6" - value: informational - - set: - field: "log.level" - if: "ctx.event.severity == 7" - value: debug - - # - # Firewall messages - # - # This set of messages is shared between FTD and ASA. 
- - set: - if: 'ctx._temp_.cisco.message_id != ""' - field: "event.action" - value: "firewall-rule" - - dissect: - if: "ctx._temp_.cisco.message_id == '106001'" - field: "message" - description: "106001" - pattern: "%{network.direction} %{network.transport} connection %{event.outcome} from %{source.address}/%{source.port} to %{destination.address}/%{destination.port} flags %{} on interface %{_temp_.cisco.source_interface}" - - dissect: - if: "ctx._temp_.cisco.message_id == '106002'" - field: "message" - description: "106002" - pattern: "%{network.transport} Connection %{event.outcome} by %{network.direction} list %{_temp_.cisco.list_id} src %{source.address} dest %{destination.address}" - - dissect: - if: "ctx._temp_.cisco.message_id == '106006'" - field: "message" - description: "106006" - pattern: "%{event.outcome} %{network.direction} %{network.transport} from %{source.address}/%{source.port} to %{destination.address}/%{destination.port} on interface %{_temp_.cisco.source_interface}" - - dissect: - if: "ctx._temp_.cisco.message_id == '106007'" - field: "message" - description: "106007" - pattern: "%{event.outcome} %{network.direction} %{network.transport} from %{source.address}/%{source.port} to %{destination.address}/%{destination.port} due to %{network.protocol} %{}" - - grok: - if: "ctx._temp_.cisco.message_id == '106010'" - field: "message" - description: "106010" - patterns: - - "%{NOTSPACE:event.outcome} %{NOTSPACE:network.direction} %{NOTSPACE:network.transport} src %{NOTSPACE:_temp_.cisco.source_interface}:%{NOTSPACE:source.address}/%{POSINT:source.port} (%{DATA})?dst %{NOTSPACE:_temp_.cisco.destination_interface}:%{NOTSPACE:destination.address}/%{POSINT:destination.port}(%{GREEDYDATA})?" 
- - dissect: - if: "ctx._temp_.cisco.message_id == '106013'" - field: "message" - description: "106013" - pattern: "Dropping echo request from %{source.address} to PAT address %{destination.address}" - - set: - if: "ctx._temp_.cisco.message_id == '106013'" - field: "network.transport" - description: "106013" - value: icmp - - set: - if: "ctx._temp_.cisco.message_id == '106013'" - field: "network.direction" - description: "106013" - value: inbound - - grok: - if: "ctx._temp_.cisco.message_id == '106014'" - field: "message" - description: "106014" - patterns: - - "%{NOTSPACE:event.outcome} %{NOTSPACE:network.direction} %{NOTSPACE:network.transport} src %{NOTSPACE:_temp_.cisco.source_interface}:%{NOTSPACE:source.address} (%{DATA})?dst %{NOTSPACE:_temp_.cisco.destination_interface}:(?[^ (]*)(%{GREEDYDATA})?" - - grok: - if: "ctx._temp_.cisco.message_id == '106015'" - field: "message" - description: "106015" - patterns: - - "%{NOTSPACE:event.outcome} %{NOTSPACE:network.transport} %{NOTSPACE} %{NOTSPACE} from %{IP:source.address}/%{POSINT:source.port} to %{IP:destination.address}/%{POSINT:destination.port} flags %{DATA} on interface %{NOTSPACE:_temp_.cisco.source_interface}" - - dissect: - if: "ctx._temp_.cisco.message_id == '106016'" - field: "message" - pattern: "%{event.outcome} IP spoof from (%{source.address}) to %{destination.address} on interface %{_temp_.cisco.source_interface}" - description: "106016" - - dissect: - if: "ctx._temp_.cisco.message_id == '106017'" - field: "message" - pattern: "%{event.outcome} IP due to Land Attack from %{source.address} to %{destination.address}" - description: "106017" - - dissect: - if: "ctx._temp_.cisco.message_id == '106018'" - field: "message" - pattern: "%{network.transport} packet type %{_temp_.cisco.icmp_type} %{event.outcome} by %{network.direction} list %{_temp_.cisco.list_id} src %{source.address} dest %{destination.address}" - description: "106018" - - dissect: - if: "ctx._temp_.cisco.message_id == '106020'" - field: 
"message" - pattern: "%{event.outcome} IP teardrop fragment (size = %{}, offset = %{}) from %{source.address} to %{destination.address}" - description: "106020" - - dissect: - if: "ctx._temp_.cisco.message_id == '106021'" - field: "message" - pattern: "%{event.outcome} %{network.transport} reverse path check from %{source.address} to %{destination.address} on interface %{_temp_.cisco.source_interface}" - description: "106021" - - dissect: - if: "ctx._temp_.cisco.message_id == '106022'" - field: "message" - pattern: "%{event.outcome} %{network.transport} connection spoof from %{source.address} to %{destination.address} on interface %{_temp_.cisco.source_interface}" - description: "106022" - - grok: - if: "ctx._temp_.cisco.message_id == '106023'" - field: "message" - description: "106023" - patterns: - - ^%{NOTSPACE:event.outcome} %{NOTSPACE:network.transport} src %{NOTSPACE:_temp_.cisco.source_interface}:%{IPORHOST:source.address}(/%{POSINT:source.port})?\s*(%{GREEDYDATA:_temp_.cisco.source_username} )?dst %{NOTSPACE:_temp_.cisco.destination_interface}:%{IPORHOST:destination.address}(/%{POSINT:destination.port})?%{DATA}by access.group "%{NOTSPACE:_temp_.cisco.list_id}" - - dissect: - if: "ctx._temp_.cisco.message_id == '106027'" - field: "message" - description: "106027" - pattern: '%{} %{event.outcome} src %{source.address} dst %{destination.address} by access-group "%{_temp_.cisco.list_id}"' - - dissect: - if: "ctx._temp_.cisco.message_id == '106100'" - field: "message" - description: "106100" - pattern: "access-list %{_temp_.cisco.list_id} %{event.outcome} %{network.transport} %{_temp_.cisco.source_interface}/%{source.address}(%{source.port})%{}-> %{_temp_.cisco.destination_interface}/%{destination.address}(%{destination.port})%{}" - - dissect: - if: "ctx._temp_.cisco.message_id == '106102' || ctx._temp_.cisco.message_id == '106103'" - field: "message" - description: "106103" - pattern: "access-list %{_temp_.cisco.list_id} %{event.outcome} %{network.transport} 
for user %{user.name} %{_temp_.cisco.source_interface}/%{source.address}(%{source.port})%{}-> %{_temp_.cisco.destination_interface}/%{destination.address}(%{destination.port})%{}" - - dissect: - if: "ctx._temp_.cisco.message_id == '111004'" - field: "message" - description: "111004" - pattern: "%{source.address} end configuration: %{_temp_.cisco.cli_outcome}" - - set: - field: event.outcome - description: "111004" - value: "success" - if: "ctx._temp_.cisco.message_id == '111004' && ctx?._temp_?.cisco?.cli_outcome == 'OK'" - - set: - field: event.outcome - description: "111004" - value: "failure" - if: "ctx._temp_.cisco.message_id == '111004' && ctx?._temp_?.cisco?.cli_outcome == 'FAILED'" - - remove: - field: _temp_.cisco.cli_outcome - ignore_missing: true - - append: - field: event.type - description: "111004" - value: "change" - if: "ctx._temp_.cisco.message_id == '111004'" - - grok: - if: "ctx._temp_.cisco.message_id == '111009'" - description: "111009" - field: "message" - patterns: - - "^%{NOTSPACE} '%{NOTSPACE:server.user.name}' executed %{NOTSPACE} %{GREEDYDATA:_temp_.cisco.command_line_arguments}" - - grok: - if: "ctx._temp_.cisco.message_id == '111010'" - field: "message" - description: "111010" - patterns: - - "User '%{NOTSPACE:server.user.name}', running %{QUOTEDSTRING} from IP %{IP:source.address}, executed %{QUOTEDSTRING:_temp_.cisco.command_line_arguments}" - - dissect: - if: "ctx._temp_.cisco.message_id == '113019'" - field: "message" - description: "113019" - pattern: "Group = %{}, Username = %{source.user.name}, IP = %{destination.address}, Session disconnected. 
Session Type: %{}, Duration: %{_temp_.duration_hms}, Bytes xmt: %{source.bytes}, Bytes rcv: %{destination.bytes}, Reason: %{message}" - - grok: - if: '["302013", "302015"].contains(ctx._temp_.cisco.message_id)' - field: "message" - description: "302013, 302015" - patterns: - - "Built %{NOTSPACE:network.direction} %{NOTSPACE:network.transport} connection %{NUMBER:_temp_.cisco.connection_id} for %{NOTSPACE:_temp_.cisco.source_interface}:%{IP:source.address}/%{NUMBER:source.port} \\(%{IP:_temp_.natsrcip}/%{NUMBER:_temp_.cisco.mapped_source_port}\\)(\\(%{NOTSPACE:_temp_.cisco.source_username}\\))? to %{NOTSPACE:_temp_.cisco.destination_interface}:%{NOTSPACE:destination.address}/%{NUMBER:destination.port} \\(%{NOTSPACE:_temp_.natdstip}/%{NUMBER:_temp_.cisco.mapped_destination_port}\\)( \\(%{NOTSPACE:destination.user.name}\\))?%{GREEDYDATA}" - - dissect: - if: "ctx._temp_.cisco.message_id == '303002'" - field: "message" - description: "303002" - pattern: "%{network.protocol} connection from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port}, user %{client.user.name} %{} file %{file.path}" - - dissect: - if: "ctx._temp_.cisco.message_id == '302012'" - field: "message" - description: "302012" - pattern: "Teardown %{} %{network.transport} translation from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} duration %{_temp_.duration_hms}" - - set: - if: '["302020"].contains(ctx._temp_.cisco.message_id)' - field: "event.action" - value: "flow-creation" - description: "302020" - - grok: - if: "ctx._temp_.cisco.message_id == '302020'" - field: "message" - description: "302020" - patterns: - - "Built %{NOTSPACE:network.direction} %{NOTSPACE:network.protocol} connection for faddr 
(?:%{NOTCOLON:_temp_.cisco.source_interface}:)?%{ECSDESTIPORHOST}/%{NUMBER}\\s*(?:\\(%{NOTSPACE:_temp_.cisco.destination_username}\\) )?gaddr (?:%{NOTCOLON}:)?%{MAPPEDSRC}/%{NUMBER} laddr (?:%{NOTCOLON:_temp_.cisco.source_interface}:)?%{ECSSOURCEIPORHOST}/%{NUMBER}\\s*(?:\\(%{NOTSPACE:_temp_.cisco.source_username}\\) )?(type %{NUMBER:_temp_.cisco.icmp_type} code %{NUMBER:_temp_.cisco.icmp_code})?" - pattern_definitions: - NOTCOLON: "[^:]*" - ECSSOURCEIPORHOST: "(?:%{IP:source.address}|%{HOSTNAME:source.domain})" - ECSDESTIPORHOST: "(?:%{IP:destination.address}|%{HOSTNAME:destination.domain})" - MAPPEDSRC: "(?:%{DATA:_temp_.natsrcip}|%{HOSTNAME})" - - dissect: - if: "ctx._temp_.cisco.message_id == '302022'" - field: "message" - description: "302022" - pattern: "Built %{} stub %{network.transport} connection for %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} %{} to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} %{}" - - dissect: - if: "ctx._temp_.cisco.message_id == '302023'" - field: "message" - description: "302023" - pattern: "Teardown stub %{network.transport} connection for %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} duration %{_temp_.duration_hms} forwarded bytes %{network.bytes} %{event.reason}" - - grok: - if: "ctx._temp_.cisco.message_id == '304001'" - field: "message" - description: "304001" - patterns: - - "%{IP:source.address} %{DATA} (%{NOTSPACE}@)?%{IP:destination.address}:%{GREEDYDATA:url.original}" - - set: - if: "ctx._temp_.cisco.message_id == '304001'" - field: "event.outcome" - description: "304001" - value: success - - dissect: - if: "ctx._temp_.cisco.message_id == '304002'" - field: "message" - description: "304002" - pattern: "Access %{event.outcome} URL %{url.original} SRC %{source.address} %{}EST %{destination.address} on interface %{_temp_.cisco.source_interface}" - - grok: - if: 
"ctx._temp_.cisco.message_id == '305011'" - field: "message" - description: "305011" - patterns: - - Built %{NOTSPACE} %{NOTSPACE:network.transport} translation from %{NOTSPACE:_temp_.cisco.source_interface}:%{IP:source.address}/%{NUMBER:source.port}(\(%{NOTSPACE:source.user.name}\))? to %{NOTSPACE:_temp_.cisco.destination_interface}:%{IP:destination.address}/%{NUMBER:destination.port} - - dissect: - if: "ctx._temp_.cisco.message_id == '313001'" - field: "message" - description: "313001" - pattern: "%{event.outcome} %{network.transport} type=%{_temp_.cisco.icmp_type}, code=%{_temp_.cisco.icmp_code} from %{source.address} on interface %{_temp_.cisco.source_interface}" - - dissect: - if: "ctx._temp_.cisco.message_id == '313004'" - field: "message" - description: "313004" - pattern: "%{event.outcome} %{network.transport} type=%{_temp_.cisco.icmp_type}, from%{}addr %{source.address} on interface %{_temp_.cisco.source_interface} to %{destination.address}: no matching session" - - dissect: - if: "ctx._temp_.cisco.message_id == '313005'" - field: "message" - description: "313005" - pattern: "No matching connection for %{network.transport} error message: %{} on %{_temp_.cisco.source_interface} interface.%{}riginal IP payload: %{}" - - dissect: - if: "ctx._temp_.cisco.message_id == '313008'" - field: "message" - description: "313008" - pattern: "%{event.outcome} %{network.transport} type=%{_temp_.cisco.icmp_type}, code=%{_temp_.cisco.icmp_code} from %{source.address} on interface %{_temp_.cisco.source_interface}" - - dissect: - if: "ctx._temp_.cisco.message_id == '313009'" - field: "message" - description: "313009" - pattern: "%{event.outcome} invalid %{network.transport} code %{_temp_.cisco.icmp_code}, for %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}" 
- - dissect: - if: "ctx._temp_.cisco.message_id == '322001'" - field: "message" - description: "322001" - pattern: "%{event.outcome} MAC address %{source.mac}, possible spoof attempt on interface %{_temp_.cisco.source_interface}" - - dissect: - if: "ctx._temp_.cisco.message_id == '338001'" - field: "message" - description: "338001" - pattern: "Dynamic filter %{event.outcome} black%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}source %{} resolved from %{_temp_.cisco.list_id} list: %{source.domain}, threat-level: %{_temp_.cisco.threat_level}, category: %{_temp_.cisco.threat_category}" - - set: - if: "ctx._temp_.cisco.message_id == '338001'" - field: "server.domain" - description: "338001" - value: "{{source.domain}}" - ignore_empty_value: true - - dissect: - if: "ctx._temp_.cisco.message_id == '338002'" - field: "message" - description: "338002" - pattern: "Dynamic %{}ilter %{event.outcome} black%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}destination %{} resolved from %{_temp_.cisco.list_id} list: %{destination.domain}" - - set: - if: "ctx._temp_.cisco.message_id == '338002'" - field: "server.domain" - description: "338002" - value: "{{destination.domain}}" - ignore_empty_value: true - - dissect: - if: "ctx._temp_.cisco.message_id == '338003'" - field: "message" - description: "338003" - pattern: "Dynamic %{}ilter %{event.outcome} black%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} 
(%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}source %{} resolved from %{_temp_.cisco.list_id} list: %{}, threat-level: %{_temp_.cisco.threat_level}, category: %{_temp_.cisco.threat_category}" - - dissect: - if: "ctx._temp_.cisco.message_id == '338004'" - field: "message" - description: "338004" - pattern: "Dynamic %{}ilter %{event.outcome} black%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}destination %{} resolved from %{_temp_.cisco.list_id} list: %{}, threat-level: %{_temp_.cisco.threat_level}, category: %{_temp_.cisco.threat_category}" - - dissect: - if: "ctx._temp_.cisco.message_id == '338005'" - field: "message" - description: "338005" - pattern: "Dynamic %{}ilter %{event.outcome} black%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}source %{} resolved from %{_temp_.cisco.list_id} list: %{source.domain}, threat-level: %{_temp_.cisco.threat_level}, category: %{_temp_.cisco.threat_category}" - - set: - if: "ctx._temp_.cisco.message_id == '338005'" - field: "server.domain" - description: "338005" - value: "{{source.domain}}" - ignore_empty_value: true - - dissect: - if: "ctx._temp_.cisco.message_id == '338006'" - field: "message" - description: "338006" - pattern: "Dynamic %{}ilter %{event.outcome} black%{}d %{network.transport} traffic from 
%{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}destination %{} resolved from %{_temp_.cisco.list_id} list: %{destination.domain}, threat-level: %{_temp_.cisco.threat_level}, category: %{_temp_.cisco.threat_category}" - - set: - if: "ctx._temp_.cisco.message_id == '338006'" - field: "server.domain" - description: "338006" - value: "{{destination.domain}}" - ignore_empty_value: true - - dissect: - if: "ctx._temp_.cisco.message_id == '338007'" - field: "message" - description: "338007" - pattern: "Dynamic %{}ilter %{event.outcome} black%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}source %{} resolved from %{_temp_.cisco.list_id} list: %{}, threat-level: %{_temp_.cisco.threat_level}, category: %{_temp_.cisco.threat_category}" - - dissect: - if: "ctx._temp_.cisco.message_id == '338008'" - field: "message" - description: "338008" - pattern: "Dynamic %{}ilter %{event.outcome} black%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}destination %{} resolved from %{_temp_.cisco.list_id} list: %{}, threat-level: %{_temp_.cisco.threat_level}, category: %{_temp_.cisco.threat_category}" - - dissect: - if: "ctx._temp_.cisco.message_id == '338101'" - field: "message" - description: "338101" - pattern: "Dynamic %{}ilter %{event.outcome} white%{}d 
%{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}source %{} resolved from %{_temp_.cisco.list_id} list: %{source.domain}" - - set: - if: "ctx._temp_.cisco.message_id == '338101'" - field: "server.domain" - description: "338101" - value: "{{source.domain}}" - ignore_empty_value: true - - dissect: - if: "ctx._temp_.cisco.message_id == '338102'" - field: "message" - description: "338102" - pattern: "Dynamic %{}ilter %{event.outcome} white%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}destination %{} resolved from %{_temp_.cisco.list_id} list: %{destination.domain}" - - set: - if: "ctx._temp_.cisco.message_id == '338102'" - field: "server.domain" - description: "338102" - value: "{{destination.domain}}" - ignore_empty_value: true - - dissect: - if: "ctx._temp_.cisco.message_id == '338103'" - field: "message" - description: "338103" - pattern: "Dynamic %{}ilter %{event.outcome} white%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}source %{} resolved from %{_temp_.cisco.list_id} list: %{}" - - dissect: - if: "ctx._temp_.cisco.message_id == '338104'" - field: "message" - description: "338104" - pattern: "Dynamic %{}ilter %{event.outcome} white%{}d %{network.transport} traffic from 
%{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}destination %{} resolved from %{_temp_.cisco.list_id} list: %{}" - - dissect: - if: "ctx._temp_.cisco.message_id == '338201'" - field: "message" - description: "338201" - pattern: "Dynamic %{}ilter %{event.outcome} grey%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}source %{} resolved from %{_temp_.cisco.list_id} list: %{source.domain}, threat-level: %{_temp_.cisco.threat_level}, category: %{_temp_.cisco.threat_category}" - - set: - if: "ctx._temp_.cisco.message_id == '338201'" - field: "server.domain" - description: "338201" - value: "{{source.domain}}" - ignore_empty_value: true - - dissect: - if: "ctx._temp_.cisco.message_id == '338202'" - field: "message" - description: "338202" - pattern: "Dynamic %{}ilter %{event.outcome} grey%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}destination %{} resolved from %{_temp_.cisco.list_id} list: %{destination.domain}, threat-level: %{_temp_.cisco.threat_level}, category: %{_temp_.cisco.threat_category}" - - set: - if: "ctx._temp_.cisco.message_id == '338202'" - field: "server.domain" - description: "338202" - value: "{{destination.domain}}" - ignore_empty_value: true - - dissect: - if: "ctx._temp_.cisco.message_id == '338203'" - field: "message" - 
description: "338203" - pattern: "Dynamic %{}ilter %{event.outcome} grey%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}source %{} resolved from %{_temp_.cisco.list_id} list: %{source.domain}, threat-level: %{_temp_.cisco.threat_level}, category: %{_temp_.cisco.threat_category}" - - set: - if: "ctx._temp_.cisco.message_id == '338203'" - field: "server.domain" - description: "338203" - value: "{{source.domain}}" - ignore_empty_value: true - - dissect: - if: "ctx._temp_.cisco.message_id == '338204'" - field: "message" - description: "338204" - pattern: "Dynamic %{}ilter %{event.outcome} grey%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}destination %{} resolved from %{_temp_.cisco.list_id} list: %{destination.domain}, threat-level: %{_temp_.cisco.threat_level}, category: %{_temp_.cisco.threat_category}" - - set: - if: "ctx._temp_.cisco.message_id == '338204'" - field: "server.domain" - description: "338204" - value: "{{destination.domain}}" - ignore_empty_value: true - - dissect: - if: "ctx._temp_.cisco.message_id == '338301'" - field: "message" - description: "338301" - pattern: "Intercepted DNS reply for domain %{source.domain} from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port}, matched %{_temp_.cisco.list_id}" - - set: - if: "ctx._temp_.cisco.message_id == '338301'" - field: "client.address" - description: "338301" - value: "{{destination.address}}" - 
ignore_empty_value: true - - set: - if: "ctx._temp_.cisco.message_id == '338301'" - field: "client.port" - description: "338301" - value: "{{destination.port}}" - ignore_empty_value: true - - set: - if: "ctx._temp_.cisco.message_id == '338301'" - field: "server.address" - description: "338301" - value: "{{source.address}}" - ignore_empty_value: true - - set: - if: "ctx._temp_.cisco.message_id == '338301'" - field: "server.port" - description: "338301" - value: "{{source.port}}" - ignore_empty_value: true - - dissect: - if: "ctx._temp_.cisco.message_id == '502103'" - field: "message" - description: "502103" - pattern: "User priv level changed: Uname: %{server.user.name} 
From: %{_temp_.cisco.privilege.old} To: %{_temp_.cisco.privilege.new}" - - append: - if: "ctx._temp_.cisco.message_id == '502103'" - field: "event.type" - description: "502103" - value: - - "group" - - "change" - - append: - if: "ctx._temp_.cisco.message_id == '502103'" - field: "event.category" - description: "502103" - value: "iam" - - dissect: - if: "ctx._temp_.cisco.message_id == '507003'" - field: "message" - description: "507003" - pattern: "%{network.transport} flow from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} terminated by inspection engine, reason - %{message}" - - dissect: - if: '["605004", "605005"].contains(ctx._temp_.cisco.message_id)' - field: "message" - description: "605004, 605005" - pattern: 'Login %{event.outcome} from %{source.address}/%{source.port} to %{_temp_.cisco.destination_interface}:%{destination.address}/%{network.protocol} for user "%{source.user.name}"' - - dissect: - if: "ctx._temp_.cisco.message_id == '609001'" - field: "message" - description: "609001" - pattern: "Built local-host %{_temp_.cisco.source_interface}:%{source.address}" - - dissect: - if: "ctx._temp_.cisco.message_id == '609002'" - field: "message" - description: "609002" - pattern: "Teardown local-host %{_temp_.cisco.source_interface}:%{source.address} duration %{_temp_.duration_hms}" - - dissect: - if: '["611102", "611101"].contains(ctx._temp_.cisco.message_id)' - field: "message" - description: "611102, 611101" - pattern: "User authentication %{event.outcome}: IP address: %{source.address}, Uname: %{server.user.name}" - - dissect: - if: "ctx._temp_.cisco.message_id == '710003'" - field: "message" - description: "710003" - pattern: "%{network.transport} access %{event.outcome} by ACL from %{source.address}/%{source.port} to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port}" - - dissect: - if: "ctx._temp_.cisco.message_id == 
'710005'" - field: "message" - description: "710005" - pattern: "%{network.transport} request %{event.outcome} from %{source.address}/%{source.port} to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port}" - - dissect: - if: "ctx._temp_.cisco.message_id == '713049'" - field: "message" - description: "713049" - pattern: "Group = %{}, IP = %{source.address}, Security negotiation complete for LAN-to-LAN Group (%{}) %{}, Inbound SPI = %{}, Outbound SPI = %{}" - - grok: - if: "ctx._temp_.cisco.message_id == '716002'" - field: "message" - description: "716002" - patterns: - - "Group <%{NOTSPACE:_temp_.cisco.webvpn.group_name}> User <%{NOTSPACE:source.user.name}> IP <%{IP:source.address}> WebVPN session terminated: %{GREEDYDATA:event.reason}." - - "Group %{NOTSPACE:_temp_.cisco.webvpn.group_name} User %{NOTSPACE:source.user.name} IP %{IP:source.address} WebVPN session terminated: %{GREEDYDATA:event.reason}." - - grok: - if: "ctx._temp_.cisco.message_id == '722051'" - field: "message" - description: "722051" - patterns: - - "Group <%{NOTSPACE:_temp_.cisco.webvpn.group_name}> User <%{NOTSPACE:source.user.name}> IP <%{IP:source.address}> IPv4 Address <%{IP:_temp_.cisco.assigned_ip}> %{GREEDYDATA}" - - "Group %{NOTSPACE:_temp_.cisco.webvpn.group_name} User %{NOTSPACE:source.user.name} IP %{IP:source.address} IPv4 Address %{IP:_temp_.cisco.assigned_ip} %{GREEDYDATA}" - - dissect: - if: "ctx._temp_.cisco.message_id == '733100'" - field: "message" - description: "733100" - pattern: "[%{_temp_.cisco.burst.object}] drop %{_temp_.cisco.burst.id} exceeded. 
Current burst rate is %{_temp_.cisco.burst.current_rate} per second, max configured rate is %{_temp_.cisco.burst.configured_rate}; Current average rate is %{_temp_.cisco.burst.avg_rate} per second, max configured rate is %{_temp_.cisco.burst.configured_avg_rate}; Cumulative total count is %{_temp_.cisco.burst.cumulative_count}" - - dissect: - if: "ctx._temp_.cisco.message_id == '734001'" - field: "message" - description: "734001" - pattern: "DAP: User %{user.email}, Addr %{source.address}, Connection %{_temp_.cisco.connection_type}: The following DAP records were selected for this connection: %{_temp_.cisco.dap_records->}" - - dissect: - if: "ctx._temp_.cisco.message_id == '805001'" - field: "message" - description: "805001" - pattern: "Offloaded %{network.transport} for connection %{_temp_.cisco.connection_id} from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})" - - dissect: - if: "ctx._temp_.cisco.message_id == '805002'" - field: "message" - description: "805002" - pattern: "%{network.transport} Flow is no longer offloaded for connection %{_temp_.cisco.connection_id} from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})" - - split: - field: "_temp_.cisco.dap_records" - separator: ",\\s+" - ignore_missing: true - - dissect: - if: "ctx._temp_.cisco.message_id == '434002'" - field: "message" - pattern: "SFR requested to %{event.action} %{network.protocol} packet from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port}" - - dissect: - if: 
"ctx._temp_.cisco.message_id == '434004'" - field: "message" - pattern: "SFR requested ASA to %{event.action} further packet redirection and process %{network.protocol} flow from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} locally" - - dissect: - if: "ctx._temp_.cisco.message_id == '110002'" - field: "message" - pattern: "%{event.reason} for %{network.protocol} from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} to %{destination.address}/%{destination.port}" - - dissect: - if: "ctx._temp_.cisco.message_id == '419002'" - field: "message" - pattern: "%{event.reason}from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} %{+event.reason}" - - dissect: - if: '["602303", "602304"].contains(ctx._temp_.cisco.message_id)' - field: "message" - pattern: "%{network.type}: An %{network.direction} %{network.inner} SA (SPI= %{}) between %{source.address} and %{destination.address} (user= %{user.name}) has been %{event.action}." - - dissect: - if: "ctx._temp_.cisco.message_id == '750002'" - field: "message" - pattern: "Local:%{source.address}:%{source.port} Remote:%{destination.address}:%{destination.port} Username:%{user.name} %{event.reason}" - - dissect: - if: "ctx._temp_.cisco.message_id == '713120'" - field: "message" - pattern: "Group = %{}, IP = %{source.address}, %{event.reason} (msgid=%{event.id})" - - dissect: - if: "ctx._temp_.cisco.message_id == '713202'" - field: "message" - pattern: "IP = %{source.address}, %{event.reason}. %{} packet." 
- - dissect: - if: "ctx._temp_.cisco.message_id == '750003'" - field: "message" - pattern: "Local:%{source.address}:%{source.port} Remote:%{destination.address}:%{destination.port} Username:%{user.name} %{event.reason} ERROR:%{+event.reason}" - - grok: - if: '["713905", "713904", "713906", "713902", "713901"].contains(ctx._temp_.cisco.message_id)' - field: "message" - patterns: - - "^(Group = %{IP}, )?(IP = %{IP:source.address}, )?%{GREEDYDATA:event.reason}$" - # Handle ecs action outcome protocol - - set: - if: '["434002", "434004"].contains(ctx._temp_.cisco.message_id)' - field: "event.outcome" - value: "unknown" - - set: - if: '["419002"].contains(ctx._temp_.cisco.message_id)' - field: "network.protocol" - value: "tcp" - - set: - if: '["110002"].contains(ctx._temp_.cisco.message_id)' - field: "event.outcome" - value: "failure" - - set: - if: '["713120"].contains(ctx._temp_.cisco.message_id)' - field: "event.outcome" - value: "success" - - set: - if: '["602303", "602304"].contains(ctx._temp_.cisco.message_id)' - field: "event.outcome" - value: "success" - - set: - if: '["713905", "713904", "713906", "713902", "713901", "710005"].contains(ctx._temp_.cisco.message_id)' - field: "event.outcome" - value: "failure" - - set: - if: '["750002", "750003"].contains(ctx._temp_.cisco.message_id)' - field: "event.action" - value: "connection-started" - - set: - if: '["750003", "713905", "713904", "713906", "713902", "713901"].contains(ctx._temp_.cisco.message_id)' - field: "event.action" - value: "error" - - append: - if: '["750003", "713905", "713904", "713906", "713902", "713901"].contains(ctx._temp_.cisco.message_id)' - field: "event.type" - value: "error" - - # - # Handle 302xxx messages (Flow expiration a.k.a "Teardown") - # - - set: - if: '["302012", "302014", "302016", "302018", "302021", "302036", "302304", "302306", "609001", "609002"].contains(ctx._temp_.cisco.message_id)' - field: "event.action" - value: "flow-expiration" - description: "302012, 302014, 302016, 
302018, 302021, 302036, 302304, 302306, 609001, 609002" - - grok: - field: "message" - if: '["302014", "302016", "302018", "302021", "302036", "302304", "302306"].contains(ctx._temp_.cisco.message_id)' - description: "302014, 302016, 302018, 302021, 302036, 302304, 302306" - patterns: - - ^Teardown %{NOTSPACE:network.transport} (?:state-bypass )?connection %{NOTSPACE:_temp_.cisco.connection_id} (?:for|from) %{NOTCOLON:_temp_.cisco.source_interface}:%{DATA:source.address}/%{NUMBER:source.port:int}\s*(?:%{NOTSPACE:_temp_.cisco.source_username} )?to %{NOTCOLON:_temp_.cisco.destination_interface}:%{DATA:destination.address}/%{NUMBER:destination.port:int}\s*(?:%{NOTSPACE:_temp_.cisco.destination_username} )?duration (?:%{TIME:_temp_.duration_hms} bytes %{NUMBER:network.bytes}) %{NOTCOLON:event.reason} from %{NOTCOLON:_temp_.cisco.termination_initiator} \(%{NOTSPACE:_temp_.cisco.termination_user}\) - - ^Teardown %{NOTSPACE:network.transport} (?:state-bypass )?connection %{NOTSPACE:_temp_.cisco.connection_id} (?:for|from) %{NOTCOLON:_temp_.cisco.source_interface}:%{DATA:source.address}/%{NUMBER:source.port:int}\s*(?:%{NOTSPACE:_temp_.cisco.source_username} )?to %{NOTCOLON:_temp_.cisco.destination_interface}:%{DATA:destination.address}/%{NUMBER:destination.port:int}\s*(?:%{NOTSPACE:_temp_.cisco.destination_username} )?duration (?:%{TIME:_temp_.duration_hms} bytes %{NUMBER:network.bytes}) %{NOTCOLON:event.reason} from %{NOTCOLON:_temp_.cisco.termination_initiator} - - ^Teardown %{NOTSPACE:network.transport} (?:state-bypass )?connection %{NOTSPACE:_temp_.cisco.connection_id} (?:for|from) %{NOTCOLON:_temp_.cisco.source_interface}:%{DATA:source.address}/%{NUMBER:source.port:int}\s*(?:%{NOTSPACE:_temp_.cisco.source_username} )?to %{NOTCOLON:_temp_.cisco.destination_interface}:%{DATA:destination.address}/%{NUMBER:destination.port:int}\s*(?:%{NOTSPACE:_temp_.cisco.destination_username} )?duration (?:%{TIME:_temp_.duration_hms} bytes %{NUMBER:network.bytes}) 
%{NOTCOLON:event.reason} \(%{NOTSPACE:_temp_.cisco.termination_user}\) - - ^Teardown %{NOTSPACE:network.transport} (?:state-bypass )?connection %{NOTSPACE:_temp_.cisco.connection_id} (?:for|from) %{NOTCOLON:_temp_.cisco.source_interface}:%{DATA:source.address}/%{NUMBER:source.port:int}\s*(?:%{NOTSPACE:_temp_.cisco.source_username} )?to %{NOTCOLON:_temp_.cisco.destination_interface}:%{DATA:destination.address}/%{NUMBER:destination.port:int}\s*(?:%{NOTSPACE:_temp_.cisco.destination_username} )?duration (?:%{TIME:_temp_.duration_hms} bytes %{NUMBER:network.bytes}) \(%{NOTSPACE:_temp_.cisco.termination_user}\) - - ^Teardown %{NOTSPACE:network.transport} (?:state-bypass )?connection %{NOTSPACE:_temp_.cisco.connection_id} (?:for|from) %{NOTCOLON:_temp_.cisco.source_interface}:%{DATA:source.address}/%{NUMBER:source.port:int}\s*(?:%{NOTSPACE:_temp_.cisco.source_username} )?to %{NOTCOLON:_temp_.cisco.destination_interface}:%{DATA:destination.address}/%{NUMBER:destination.port:int}\s*(?:%{NOTSPACE:_temp_.cisco.destination_username} )?duration (?:%{TIME:_temp_.duration_hms} bytes %{NUMBER:network.bytes}) %{NOTCOLON:event.reason} - - ^Teardown %{NOTSPACE:network.transport} (?:state-bypass )?connection %{NOTSPACE:_temp_.cisco.connection_id} (?:for|from) %{NOTCOLON:_temp_.cisco.source_interface}:%{DATA:source.address}/%{NUMBER:source.port:int}\s*(?:%{NOTSPACE:_temp_.cisco.source_username} )?to %{NOTCOLON:_temp_.cisco.destination_interface}:%{DATA:destination.address}/%{NUMBER:destination.port:int}\s*(?:%{NOTSPACE:_temp_.cisco.destination_username} )?duration (?:%{TIME:_temp_.duration_hms} bytes %{NUMBER:network.bytes}) - - ^Teardown %{NOTSPACE:network.transport} connection for faddr (?:%{NOTCOLON:_temp_.cisco.source_interface}:)?%{ECSDESTIPORHOST}/%{NUMBER}\s*(?:\(%{NOTSPACE:_temp_.cisco.destination_username}\) )?gaddr (?:%{NOTCOLON}:)?%{MAPPEDSRC}/%{NUMBER} laddr 
(?:%{NOTCOLON:_temp_.cisco.source_interface}:)?%{ECSSOURCEIPORHOST}/%{NUMBER}\s*(?:\(%{NOTSPACE:_temp_.cisco.source_username}\))?(\s*type %{NUMBER:_temp_.cisco.icmp_type} code %{NUMBER:_temp_.cisco.icmp_code})? - pattern_definitions: - NOTCOLON: "[^:]*" - ECSSOURCEIPORHOST: "(?:%{IP:source.address}|%{HOSTNAME:source.domain})" - ECSDESTIPORHOST: "(?:%{IP:destination.address}|%{HOSTNAME:destination.domain})" - MAPPEDSRC: "(?:%{DATA:_temp_.natsrcip}|%{HOSTNAME})" - - # - # Decode FTD's Security Event Syslog Messages - # - # 43000x messages are security event syslog messages specific to FTD. - # Format is a comma-separated sequence of key: value pairs. - # - # The result of this decoding is saved as _temp_.orig_security.{Key}: {Value} - - kv: - if: '["430001", "430002", "430003", "430004", "430005", ""].contains(ctx._temp_.cisco.message_id)' - field: "message" - description: "430001, 430002, 430003, 430004, 430005" - field_split: ",(?=[A-za-z1-9\\s]+:)" - value_split: ":" - target_field: "_temp_.orig_security" - trim_key: " " - trim_value: " " - ignore_failure: true - - # - # Remove _temp_.full_message. - # - # The field has been used as temporary buffer while decoding. The full message - # is kept under event.original. Processors below can still add a message field, as some - # security events contain an explanatory Message field. - - remove: - field: - - message - - _temp_.full_message - ignore_missing: true - - # - # Populate ECS fields from Security Events - # - # This script uses the key-value pairs from Security Events to populate - # the appropriate ECS fields. - # - # A single key can be mapped to multiple ECS fields, and more than one key can - # map to the same ECS field, which results in an array being created. - # - # This script performs an additional job: - # - # Before FTD version 6.3, the message_id was not included in Security Events. - # As this field encodes the kind of event (intrusion, connection, malware...) 
- # the script below will guess the right message_id from the keys present in - # the event. - # - # The reason for overloading this script with different behaviors is - # that this pipeline is already reaching the limit on script compilations. - # - #******************************************************************************* - # Code generated by go generate. DO NOT EDIT. - #******************************************************************************* - - script: - if: ctx._temp_?.orig_security != null - params: - ACPolicy: - target: ac_policy - id: ["430001", "430002", "430003"] - ecs: [_temp_.cisco.rule_name] - AccessControlRuleAction: - target: access_control_rule_action - id: ["430002", "430003"] - ecs: [event.outcome] - AccessControlRuleName: - target: access_control_rule_name - id: ["430002", "430003"] - ecs: [_temp_.cisco.rule_name] - AccessControlRuleReason: - target: access_control_rule_reason - id: ["430002", "430003"] - ApplicationProtocol: - target: application_protocol - ecs: [network.protocol] - ArchiveDepth: - target: archive_depth - id: ["430004", "430005"] - ArchiveFileName: - target: archive_file_name - id: ["430004", "430005"] - ecs: [file.name] - ArchiveFileStatus: - target: archive_file_status - id: ["430004", "430005"] - ArchiveSHA256: - target: archive_sha256 - id: ["430004", "430005"] - ecs: [file.hash.sha256] - Classification: - target: classification - id: ["430001"] - Client: - target: client - ecs: [network.application] - ClientVersion: - target: client_version - id: ["430002", "430003"] - ConnectionDuration: - target: connection_duration - id: ["430003"] - ecs: [event.duration] - DNS_Sinkhole: - target: dns_sinkhole - id: ["430002", "430003"] - DNS_TTL: - target: dns_ttl - id: ["430002", "430003"] - DNSQuery: - target: dns_query - id: ["430002", "430003"] - ecs: [dns.question.name] - DNSRecordType: - target: dns_record_type - id: ["430002", "430003"] - ecs: [dns.question.type] - DNSResponseType: - target: dns_response_type - id: 
["430002", "430003"] - ecs: [dns.response_code] - DNSSICategory: - target: dnssi_category - id: ["430002", "430003"] - DstIP: - target: dst_ip - ecs: [destination.address] - DstPort: - target: dst_port - ecs: [destination.port] - EgressInterface: - target: egress_interface - id: ["430001", "430002", "430003"] - ecs: [_temp_.cisco.destination_interface] - EgressZone: - target: egress_zone - id: ["430001", "430002", "430003"] - Endpoint Profile: - target: endpoint_profile - id: ["430002", "430003"] - FileAction: - target: file_action - id: ["430004", "430005"] - FileCount: - target: file_count - id: ["430002", "430003"] - FileDirection: - target: file_direction - id: ["430004", "430005"] - FileName: - target: file_name - id: ["430004", "430005"] - ecs: [file.name] - FilePolicy: - target: file_policy - id: ["430004", "430005"] - ecs: [_temp_.cisco.rule_name] - FileSHA256: - target: file_sha256 - id: ["430004", "430005"] - ecs: [file.hash.sha256] - FileSandboxStatus: - target: file_sandbox_status - id: ["430004", "430005"] - FileSize: - target: file_size - id: ["430004", "430005"] - ecs: [file.size] - FileStorageStatus: - target: file_storage_status - id: ["430004", "430005"] - FileType: - target: file_type - id: ["430004", "430005"] - FirstPacketSecond: - target: first_packet_second - id: ["430004", "430005"] - ecs: [event.start] - GID: - target: gid - id: ["430001"] - ecs: [service.id] - HTTPReferer: - target: http_referer - id: ["430002", "430003"] - ecs: [http.request.referrer] - HTTPResponse: - target: http_response - id: ["430001", "430002", "430003"] - ecs: [http.response.status_code] - ICMPCode: - target: icmp_code - id: ["430001", "430002", "430003"] - ICMPType: - target: icmp_type - id: ["430001", "430002", "430003"] - IPReputationSICategory: - target: ip_reputation_si_category - id: ["430002", "430003"] - IPSCount: - target: ips_count - id: ["430002", "430003"] - IngressInterface: - target: ingress_interface - id: ["430001", "430002", "430003"] - ecs: 
[_temp_.cisco.source_interface] - IngressZone: - target: ingress_zone - id: ["430001", "430002", "430003"] - InitiatorBytes: - target: initiator_bytes - id: ["430003"] - ecs: [source.bytes] - InitiatorPackets: - target: initiator_packets - id: ["430003"] - ecs: [source.packets] - InlineResult: - target: inline_result - id: ["430001"] - ecs: [event.outcome] - IntrusionPolicy: - target: intrusion_policy - id: ["430001"] - ecs: [_temp_.cisco.rule_name] - MPLS_Label: - target: mpls_label - id: ["430001"] - Message: - target: message - id: ["430001"] - ecs: [message] - NAPPolicy: - target: nap_policy - id: ["430001", "430002", "430003"] - NetBIOSDomain: - target: net_bios_domain - id: ["430002", "430003"] - ecs: [host.hostname] - NumIOC: - target: num_ioc - id: ["430001"] - Prefilter Policy: - target: prefilter_policy - id: ["430002", "430003"] - Priority: - target: priority - id: ["430001"] - Protocol: - target: protocol - ecs: [network.transport] - ReferencedHost: - target: referenced_host - id: ["430002", "430003"] - ecs: [url.domain] - ResponderBytes: - target: responder_bytes - id: ["430003"] - ecs: [destination.bytes] - ResponderPackets: - target: responder_packets - id: ["430003"] - ecs: [destination.packets] - Revision: - target: revision - id: ["430001"] - SHA_Disposition: - target: sha_disposition - id: ["430004", "430005"] - SID: - target: sid - id: ["430001"] - SSLActualAction: - target: ssl_actual_action - ecs: [event.outcome] - SSLCertificate: - target: ssl_certificate - id: ["430002", "430003", "430004", "430005"] - SSLExpectedAction: - target: ssl_expected_action - id: ["430002", "430003"] - SSLFlowStatus: - target: ssl_flow_status - id: ["430002", "430003", "430004", "430005"] - SSLPolicy: - target: ssl_policy - id: ["430002", "430003"] - SSLRuleName: - target: ssl_rule_name - id: ["430002", "430003"] - SSLServerCertStatus: - target: ssl_server_cert_status - id: ["430002", "430003"] - SSLServerName: - target: ssl_server_name - id: ["430002", "430003"] - 
ecs: [server.domain] - SSLSessionID: - target: ssl_session_id - id: ["430002", "430003"] - SSLTicketID: - target: ssl_ticket_id - id: ["430002", "430003"] - SSLURLCategory: - target: sslurl_category - id: ["430002", "430003"] - SSLVersion: - target: ssl_version - id: ["430002", "430003"] - SSSLCipherSuite: - target: sssl_cipher_suite - id: ["430002", "430003"] - SecIntMatchingIP: - target: sec_int_matching_ip - id: ["430002", "430003"] - Security Group: - target: security_group - id: ["430002", "430003"] - SperoDisposition: - target: spero_disposition - id: ["430004", "430005"] - SrcIP: - target: src_ip - ecs: [source.address] - SrcPort: - target: src_port - ecs: [source.port] - TCPFlags: - target: tcp_flags - id: ["430002", "430003"] - ThreatName: - target: threat_name - id: ["430005"] - ecs: [_temp_.cisco.threat_category] - ThreatScore: - target: threat_score - id: ["430005"] - ecs: [_temp_.cisco.threat_level] - Tunnel or Prefilter Rule: - target: tunnel_or_prefilter_rule - id: ["430002", "430003"] - URI: - target: uri - id: ["430004", "430005"] - ecs: [url.original] - URL: - target: url - id: ["430002", "430003"] - ecs: [url.original] - URLCategory: - target: url_category - id: ["430002", "430003"] - URLReputation: - target: url_reputation - id: ["430002", "430003"] - URLSICategory: - target: urlsi_category - id: ["430002", "430003"] - User: - target: user - ecs: [user.id, user.name] - UserAgent: - target: user_agent - id: ["430002", "430003"] - ecs: [user_agent.original] - VLAN_ID: - target: vlan_id - id: ["430001", "430002", "430003"] - WebApplication: - target: web_application - ecs: [network.application] - originalClientSrcIP: - target: original_client_src_ip - id: ["430002", "430003"] - ecs: [client.address] - lang: painless - source: | - boolean isEmpty(def value) { - return (value instanceof AbstractList? 
value.size() : value.length()) == 0; - } - def appendOrCreate(Map dest, String[] path, def value) { - for (int i=0; i new HashMap()); - } - String key = path[path.length - 1]; - def existing = dest.get(key); - return existing == null? - dest.put(key, value) - : existing instanceof AbstractList? - existing.add(value) - : dest.put(key, new ArrayList([existing, value])); - } - def msg = ctx._temp_.orig_security; - def counters = new HashMap(); - def dest = new HashMap(); - ctx._temp_.cisco['security'] = dest; - for (entry in msg.entrySet()) { - def param = params.get(entry.getKey()); - if (param == null) { - continue; - } - param.getOrDefault('id', []).forEach( id -> counters[id] = 1 + counters.getOrDefault(id, 0) ); - if (!isEmpty(entry.getValue())) { - param.getOrDefault('ecs', []).forEach( field -> appendOrCreate(ctx, field.splitOnToken('.'), entry.getValue()) ); - dest[param.target] = entry.getValue(); - } - } - if (ctx._temp_.cisco.message_id != "") return; - def best; - for (entry in counters.entrySet()) { - if (best == null || best.getValue() < entry.getValue()) best = entry; - } - if (best != null) ctx._temp_.cisco.message_id = best.getKey(); - #******************************************************************************* - # End of generated code. 
- #******************************************************************************* - - # - # Normalize ECS field values - # - - script: - lang: painless - params: - "ctx._temp_.cisco.message_id": - target: event.action - map: - "430001": intrusion-detected - "430002": connection-started - "430003": connection-finished - "430004": file-detected - "430005": malware-detected - "dns.question.type": - map: - "a host address": A - "ip6 address": AAAA - "text strings": TXT - "a domain name pointer": PTR - "an authoritative name server": NS - "the canonical name for an alias": CNAME - "marks the start of a zone of authority": SOA - "mail exchange": MX - "server selection": SRV - "dns.response_code": - map: - "non-existent domain": NXDOMAIN - "server failure": SERVFAIL - "query refused": REFUSED - "no error": NOERROR - source: | - def getField(Map src, String[] path) { - for (int i=0; i new HashMap()); - } - dest[path[path.length-1]] = value; - } - for (entry in params.entrySet()) { - def srcField = entry.getKey(); - def param = entry.getValue(); - String oldVal = getField(ctx, srcField.splitOnToken('.')); - if (oldVal == null) continue; - def newVal = param.map?.getOrDefault(oldVal.toLowerCase(), null); - if (newVal != null) { - def dstField = param.getOrDefault('target', srcField); - setField(ctx, dstField.splitOnToken('.'), newVal); - } - } - - set: - if: "ctx.dns?.question?.type != null && ctx.dns?.response_code == null" - field: dns.response_code - value: NOERROR - - set: - if: 'ctx._temp_.cisco.message_id == "430001"' - field: event.action - value: intrusion-detected - - set: - if: 'ctx._temp_.cisco.message_id == "430002"' - field: event.action - value: connection-started - - set: - if: 'ctx._temp_.cisco.message_id == "430003"' - field: event.action - value: connection-finished - - set: - if: 'ctx._temp_.cisco.message_id == "430004"' - field: event.action - value: file-detected - - set: - if: 'ctx._temp_.cisco.message_id == "430005"' - field: event.action - value: 
malware-detected - - # - # Handle event.duration - # - # It can be set from ConnectionDuration FTD field above. This field holds - # seconds as a string. Copy it to _temp_.duration_hms so that the following - # processor converts it to the right value and populates start and end. - - set: - field: "_temp_.duration_hms" - value: "{{event.duration}}" - ignore_empty_value: true - - # - # Process the flow duration "hh:mm:ss" present in some messages - # This will fill event.start, event.end and event.duration - # - - script: - lang: painless - if: "ctx?._temp_?.duration_hms != null" - source: > - long parse_hms(String s) { - long cur = 0, total = 0; - for (char c: s.toCharArray()) { - if (c >= (char)'0' && c <= (char)'9') { - cur = (cur*10) + (long)c - (char)'0'; - } else if (c == (char)':') { - total = (total + cur) * 60; - cur = 0; - } else { - return 0; - } - } - return total + cur; - } - if (ctx?.event == null) { - ctx['event'] = new HashMap(); - } - String end = ctx['@timestamp']; - ctx.event['end'] = end; - long nanos = parse_hms(ctx._temp_.duration_hms) * 1000000000L; - ctx.event['duration'] = nanos; - ctx.event['start'] = ZonedDateTime.ofInstant( - Instant.parse(end).minusNanos(nanos), - ZoneOffset.UTC); - # - # Normalize protocol names - # - - lowercase: - field: "network.transport" - ignore_failure: true - - lowercase: - field: "network.protocol" - ignore_failure: true - - lowercase: - field: "network.application" - ignore_failure: true - - lowercase: - field: "file.type" - ignore_failure: true - - lowercase: - field: "network.direction" - ignore_failure: true - - lowercase: - field: "network.type" - ignore_failure: true - # - # Populate network.iana_number from network.transport. Also does reverse - # mapping in case network.transport contains the iana_number. 
- # - - script: - if: "ctx?.network?.transport != null" - lang: painless - params: - icmp: 1 - igmp: 2 - ipv4: 4 - tcp: 6 - egp: 8 - igp: 9 - pup: 12 - udp: 17 - rdp: 27 - irtp: 28 - dccp: 33 - idpr: 35 - ipv6: 41 - ipv6-route: 43 - ipv6-frag: 44 - rsvp: 46 - gre: 47 - esp: 50 - ipv6-icmp: 58 - ipv6-nonxt: 59 - ipv6-opts: 60 - source: > - def net = ctx.network; - def iana = params[net.transport]; - if (iana != null) { - net['iana_number'] = iana; - return; - } - def reverse = new HashMap(); - def[] arr = new def[] { null }; - for (entry in params.entrySet()) { - arr[0] = entry.getValue(); - reverse.put(String.format("%d", arr), entry.getKey()); - } - def trans = reverse[net.transport]; - if (trans != null) { - net['iana_number'] = net.transport; - net['transport'] = trans; - } - # - # Normalize event.outcome - # - - lowercase: - field: "event.outcome" - ignore_missing: true - - set: - field: "event.outcome" - if: 'ctx.event?.outcome == "est-allowed"' - value: success - - set: - field: "event.outcome" - if: 'ctx.event?.outcome == "permitted"' - value: success - - set: - field: "event.outcome" - if: 'ctx.event?.outcome == "allow"' - value: success - - set: - field: "event.outcome" - if: 'ctx.event?.outcome == "denied"' - value: failure - - set: - field: "event.outcome" - if: 'ctx.event?.outcome == "deny"' - value: failure - - set: - field: "event.outcome" - if: 'ctx.event?.outcome == "dropped"' - value: failure - - set: - field: "network.transport" - if: 'ctx.network?.transport == "icmpv6"' - value: "ipv6-icmp" - # - # Convert numeric fields to integer or long, as output of dissect and kv processors is always a string - # - - convert: - field: source.port - type: integer - ignore_failure: true - - convert: - field: destination.port - type: integer - ignore_failure: true - - convert: - field: source.bytes - type: long - ignore_failure: true - - convert: - field: destination.bytes - type: long - ignore_failure: true - - convert: - field: network.bytes - type: long - 
ignore_failure: true - - convert: - field: source.packets - type: integer - ignore_failure: true - - convert: - field: destination.packets - type: integer - ignore_failure: true - - convert: - field: _temp_.cisco.mapped_source_port - type: integer - ignore_failure: true - - convert: - field: _temp_.cisco.mapped_destination_port - type: integer - ignore_failure: true - - convert: - field: _temp_.cisco.icmp_code - type: integer - ignore_failure: true - - convert: - field: _temp_.cisco.icmp_type - type: integer - ignore_failure: true - - convert: - field: http.response.status_code - type: integer - ignore_failure: true - - convert: - field: file.size - type: integer - ignore_failure: true - - convert: - field: network.iana_number - type: string - ignore_failure: true - # - # Assign ECS .ip fields from .address is a valid IP address is found, - # otherwise set .domain field. - # - - grok: - field: source.address - patterns: - - "^(?:%{IP:source.ip}|%{GREEDYDATA:source.domain})$" - ignore_failure: true - - grok: - field: destination.address - patterns: - - "^(?:%{IP:destination.ip}|%{GREEDYDATA:destination.domain})$" - ignore_failure: true - - grok: - field: client.address - patterns: - - "^(?:%{IP:client.ip}|%{GREEDYDATA:client.domain})$" - ignore_failure: true - - grok: - field: server.address - patterns: - - "^(?:%{IP:server.ip}|%{GREEDYDATA:server.domain})$" - ignore_failure: true - # - # Geolocation for source and destination addresses - # - - geoip: - field: "source.ip" - target_field: "source.geo" - ignore_missing: true - - geoip: - field: "destination.ip" - target_field: "destination.geo" - ignore_missing: true - # - # IP Autonomous System (AS) Lookup - # - - geoip: - database_file: GeoLite2-ASN.mmdb - field: source.ip - target_field: source.as - properties: - - asn - - organization_name - ignore_missing: true - - geoip: - database_file: GeoLite2-ASN.mmdb - field: destination.ip - target_field: destination.as - properties: - - asn - - organization_name - 
ignore_missing: true - - rename: - field: source.as.asn - target_field: source.as.number - ignore_missing: true - - rename: - field: source.as.organization_name - target_field: source.as.organization.name - ignore_missing: true - - rename: - field: destination.as.asn - target_field: destination.as.number - ignore_missing: true - - rename: - field: destination.as.organization_name - target_field: destination.as.organization.name - ignore_missing: true - # - # Set mapped_{src|dst}_ip fields only if they consist of a valid IP address. - # - - grok: - field: _temp_.natsrcip - patterns: - - "^(?:%{IP:_temp_.cisco.mapped_source_ip}|%{GREEDYDATA:_temp_.cisco.mapped_source_host})$" - ignore_failure: true - - grok: - field: _temp_.natdstip - patterns: - - "^(?:%{IP:_temp_.cisco.mapped_destination_ip}|%{GREEDYDATA:_temp_.cisco.mapped_destination_host})$" - ignore_failure: true - # - # NAT fields - # - # The firewall always populates mapped ip and port even if there was no NAT. - # This populates both nat.ip and nat.port only when some translation is done. - # Fills nat.ip and nat.port even when only the ip or port changed. 
- - set: - field: source.nat.ip - value: "{{_temp_.cisco.mapped_source_ip}}" - if: "ctx?._temp_?.cisco?.mapped_source_ip != ctx?.source?.ip" - ignore_empty_value: true - - convert: - field: source.nat.ip - type: ip - ignore_missing: true - - set: - field: source.nat.port - value: "{{_temp_.cisco.mapped_source_port}}" - if: "ctx?._temp_?.cisco?.mapped_source_port != ctx?.source?.port" - ignore_empty_value: true - - convert: - field: source.nat.port - type: long - ignore_missing: true - - set: - field: destination.nat.ip - value: "{{_temp_.cisco.mapped_destination_ip}}" - if: "ctx?._temp_?.cisco.mapped_destination_ip != ctx?.destination?.ip" - ignore_empty_value: true - - convert: - field: destination.nat.ip - type: ip - ignore_missing: true - - set: - field: destination.nat.port - value: "{{_temp_.cisco.mapped_destination_port}}" - if: "ctx?._temp_?.cisco?.mapped_destination_port != ctx?.destination?.port" - ignore_empty_value: true - - convert: - field: destination.nat.port - type: long - ignore_missing: true - # - # Zone-based Network Directionality - # - # If external and internal zones are specified and our ingress/egress zones are - # populated, then we can classify traffic directionality based off of our defined - # zones rather than the logs. 
- - set: - field: network.direction - value: inbound - if: > - ctx?._temp_?.external_zones != null && - ctx?._temp_?.internal_zones != null && - ctx?.observer?.ingress?.zone != null && - ctx?.observer?.egress?.zone != null && - ctx._temp_.external_zones.contains(ctx.observer.ingress.zone) && - ctx._temp_.internal_zones.contains(ctx.observer.egress.zone) - - set: - field: network.direction - value: outbound - if: > - ctx?._temp_?.external_zones != null && - ctx?._temp_?.internal_zones != null && - ctx?.observer?.ingress?.zone != null && - ctx?.observer?.egress?.zone != null && - ctx._temp_.external_zones.contains(ctx.observer.egress.zone) && - ctx._temp_.internal_zones.contains(ctx.observer.ingress.zone) - - set: - field: network.direction - value: internal - if: > - ctx?._temp_?.external_zones != null && - ctx?._temp_?.internal_zones != null && - ctx?.observer?.ingress?.zone != null && - ctx?.observer?.egress?.zone != null && - ctx._temp_.internal_zones.contains(ctx.observer.egress.zone) && - ctx._temp_.internal_zones.contains(ctx.observer.ingress.zone) - - set: - field: network.direction - value: external - if: > - ctx?._temp_?.external_zones != null && - ctx?._temp_?.internal_zones != null && - ctx?.observer?.ingress?.zone != null && - ctx?.observer?.egress?.zone != null && - ctx._temp_.external_zones.contains(ctx.observer.egress.zone) && - ctx._temp_.external_zones.contains(ctx.observer.ingress.zone) - - set: - field: network.direction - value: unknown - if: > - ctx?._temp_?.external_zones != null && - ctx?._temp_?.internal_zones != null && - ctx?.observer?.egress?.zone != null && - ctx?.observer?.ingress?.zone != null && - ( - ( - !ctx._temp_.external_zones.contains(ctx.observer.egress.zone) && - !ctx._temp_.internal_zones.contains(ctx.observer.egress.zone) - ) || - ( - !ctx._temp_.external_zones.contains(ctx.observer.ingress.zone) && - !ctx._temp_.internal_zones.contains(ctx.observer.ingress.zone) - ) - ) - - - set: - field: _temp_.url_domain - value: 
"{{url.domain}}" - ignore_failure: true - if: ctx?.url?.domain != null - - - uri_parts: - field: url.original - ignore_failure: true - if: ctx?.url?.original != null - - append: - field: url.domain - value: "{{_temp_.url_domain}}" - ignore_failure: true - allow_duplicates: false - if: ctx?._temp_?.url_domain != null - - # - # Populate ECS event.code - # - - rename: - field: _temp_.cisco.message_id - target_field: event.code - ignore_failure: true - - remove: - field: - - _temp_.cisco.message_id - - event.code - if: 'ctx._temp_.cisco.message_id == ""' - ignore_failure: true - # - # Copy _temp_.cisco to its final destination, cisco.asa or cisco.ftd. - # - - rename: - field: _temp_.cisco - target_field: "cisco.ftd" - ignore_failure: true - # - # Remove temporary fields - # - - remove: - field: _temp_ - ignore_missing: true - # - # Rename some 7.x fields - # - - rename: - field: cisco.ftd.list_id - target_field: cisco.ftd.rule_name - ignore_missing: true - # ECS categorization - - script: - lang: painless - params: - connection-finished: - kind: event - category: - - network - type: - - connection - - end - connection-started: - kind: event - category: - - network - type: - - connection - - start - file-detected: - kind: alert - category: - - malware - type: - - info - firewall-rule: - kind: event - category: - - network - type: - - info - flow-creation: - kind: event - category: - - network - type: - - connection - - start - flow-expiration: - kind: event - category: - - network - type: - - connection - - end - intrusion-detected: - kind: alert - category: - - intrusion_detection - type: - - info - malware-detected: - kind: event - category: - - malware - type: - - info - bypass: - kind: event - category: - - network - type: - - info - - change - error: - kind: event - outcome: failure - category: - - network - type: - - error - deleted: - kind: event - category: - - network - type: - - info - - deletion - - user - creation: - kind: event - category: - - network - 
type: - - info - - creation - - user - source: >- - if (ctx?.event?.action == null || !params.containsKey(ctx.event.action)) { - return; - } - ctx.event.kind = params.get(ctx.event.action).get('kind'); - ctx.event.category = params.get(ctx.event.action).get('category').clone(); - ctx.event.type = params.get(ctx.event.action).get('type').clone(); - if (ctx?.event?.outcome == null) { - return; - } - if (ctx.event.category.contains('network') || ctx.event.category.contains('intrusion_detection')) { - if (ctx.event.outcome == 'success') { - ctx.event.type.add('allowed'); - } - if (ctx.event.outcome == 'failure') { - ctx.event.type.add('denied'); - } - if (ctx.event.outcome == 'block') { - ctx.event.outcome = 'success'; - ctx.event.type.add('denied'); - } - if (ctx.event.outcome == 'monitored') { - ctx.event.category.add('intrusion_detection'); - ctx.event.outcome = 'success'; - } - } - - # Malware event kind is classified as alert when sha_disposition is "Malware", "Custom Detection" not for other cases. - - set: - if: 'ctx?.event?.code == "430005" && ["Malware", "Custom Detection"].contains(ctx.cisco.ftd.security.sha_disposition)' - field: event.kind - value: alert - - append: - if: 'ctx?.event?.code == "430005" && !["Malware", "Custom Detection"].contains(ctx.cisco.ftd.security.sha_disposition)' - field: event.category - value: file - - - set: - description: copy destination.user.name to user.name if it is not set - field: user.name - value: "{{destination.user.name}}" - ignore_empty_value: true - if: ctx?.user?.name == null - - # Configures observer fields with a copy from cisco and host fields. Later on these might replace host.hostname. 
- - set: - field: observer.hostname - value: "{{ host.hostname }}" - ignore_empty_value: true - - set: - field: observer.vendor - value: "Cisco" - ignore_empty_value: true - - set: - field: observer.type - value: "idps" - ignore_empty_value: true - - set: - field: observer.product - value: "ftd" - ignore_empty_value: true - - set: - field: observer.egress.interface.name - value: "{{ cisco.ftd.destination_interface }}" - ignore_empty_value: true - - set: - field: observer.ingress.interface.name - value: "{{ cisco.ftd.source_interface }}" - ignore_empty_value: true - - append: - field: related.ip - value: "{{source.ip}}" - if: "ctx?.source?.ip != null" - allow_duplicates: false - - append: - field: related.ip - value: "{{source.nat.ip}}" - if: "ctx?.source?.nat?.ip != null" - allow_duplicates: false - - append: - field: related.ip - value: "{{destination.ip}}" - if: "ctx?.destination?.ip != null" - allow_duplicates: false - - append: - field: related.ip - value: "{{destination.nat.ip}}" - if: "ctx?.destination?.nat?.ip != null" - allow_duplicates: false - - append: - field: related.user - value: "{{user.name}}" - if: ctx?.user?.name != null && ctx?.user?.name != '' - allow_duplicates: false - - append: - field: related.user - value: "{{server.user.name}}" - if: ctx?.server?.user?.name != null && ctx?.server?.user?.name != '' - allow_duplicates: false - - append: - field: related.user - value: "{{source.user.name}}" - if: ctx?.source?.user?.name != null && ctx?.source?.user?.name != '' - allow_duplicates: false - - append: - field: related.user - value: "{{destination.user.name}}" - if: ctx?.destination?.user?.name != null && ctx?.destination?.user?.name != '' - allow_duplicates: false - - append: - field: related.hash - value: "{{file.hash.sha256}}" - if: "ctx?.file?.hash?.sha256 != null" - allow_duplicates: false - - append: - field: related.hosts - value: "{{host.hostname}}" - if: ctx.host?.hostname != null && ctx.host?.hostname != '' - allow_duplicates: false - - 
append: - field: related.hosts - value: "{{observer.hostname}}" - if: ctx.observer?.hostname != null && ctx.observer?.hostname != '' - allow_duplicates: false - - append: - field: related.hosts - value: "{{destination.domain}}" - if: ctx.destination?.domain != null && ctx.destination?.domain != '' - allow_duplicates: false - - append: - field: related.hosts - value: "{{source.domain}}" - if: ctx.source?.domain != null && ctx.source?.domain != '' - allow_duplicates: false - - script: - lang: painless - description: This script processor iterates over the whole document to remove fields with null values. - source: | - void handleMap(Map map) { - for (def x : map.values()) { - if (x instanceof Map) { - handleMap(x); - } else if (x instanceof List) { - handleList(x); - } - } - map.values().removeIf(v -> v == null); - } - void handleList(List list) { - for (def x : list) { - if (x instanceof Map) { - handleMap(x); - } else if (x instanceof List) { - handleList(x); - } - } - } - handleMap(ctx); - - remove: - field: event.original - if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" - ignore_failure: true - ignore_missing: true -on_failure: - # Copy any fields under _temp_.cisco to its final destination. Those can help - # with diagnosing the failure. - - rename: - field: _temp_.cisco - target_field: "cisco.ftd" - ignore_failure: true - # Remove _temp_ to avoid adding a lot of unnecessary fields to the index. - - remove: - field: _temp_ - ignore_missing: true - - append: - field: "error.message" - value: "{{ _ingest.on_failure_message }}" diff --git a/packages/cisco_ftd/2.4.4/data_stream/log/fields/agent.yml b/packages/cisco_ftd/2.4.4/data_stream/log/fields/agent.yml deleted file mode 100755 index d38a70bd6b..0000000000 --- a/packages/cisco_ftd/2.4.4/data_stream/log/fields/agent.yml +++ /dev/null 
@@ -1,207 +0,0 @@
-- name: cloud
- title: Cloud
- group: 2
- description: Fields related to the cloud or infrastructure the events are coming from.
- footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.'
- type: group
- fields:
- - name: account.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment.
-
- Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.'
- example: 666777888999
- - name: availability_zone
- level: extended
- type: keyword
- ignore_above: 1024
- description: Availability zone in which this host is running.
- example: us-east-1c
- - name: instance.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance ID of the host machine.
- example: i-1234567890abcdef0
- - name: instance.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance name of the host machine.
- - name: machine.type
- level: extended
- type: keyword
- ignore_above: 1024
- description: Machine type of the host machine.
- example: t2.medium
- - name: provider
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
- example: aws
- - name: region
- level: extended
- type: keyword
- ignore_above: 1024
- description: Region in which this host is running.
- example: us-east-1
- - name: project.id
- type: keyword
- description: Name of the project in Google Cloud.
- - name: image.id
- type: keyword
- description: Image ID for the cloud instance.
-- name: container
- title: Container
- group: 2
- description: 'Container fields are used for meta information about the specific container that is the source of information.
-
- These fields help correlate data based containers from any runtime.'
- type: group
- fields:
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: Unique container id.
- - name: image.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the image the container was built on.
- - name: labels
- level: extended
- type: object
- object_type: keyword
- description: Image labels.
- - name: name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Container name.
-- name: host
- title: Host
- group: 2
- description: 'A host is defined as a general computing instance.
-
- ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.'
- type: group
- fields:
- - name: architecture
- level: core
- type: keyword
- ignore_above: 1024
- description: Operating system architecture.
- example: x86_64
- - name: domain
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'Name of the domain of which the host is a member.
-
- For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.'
- example: CONTOSO
- default_field: false
- - name: hostname
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Hostname of the host.
-
- It normally contains what the `hostname` command returns on the host machine.'
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Unique host id.
-
- As hostname is not always unique, use values that are meaningful in your environment.
-
- Example: The current usage of `beat.name`.'
- - name: ip
- level: core
- type: ip
- description: Host ip addresses.
- - name: mac
- level: core
- type: keyword
- ignore_above: 1024
- description: Host mac addresses.
- - name: name
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Name of the host.
-
- It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.'
- - name: os.family
- level: extended
- type: keyword
- ignore_above: 1024
- description: OS family (such as redhat, debian, freebsd, windows).
- example: debian
- - name: os.kernel
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system kernel version as a raw string.
- example: 4.4.0-112-generic
- - name: os.name
- level: extended
- type: keyword
- ignore_above: 1024
- multi_fields:
- - name: text
- type: text
- norms: false
- default_field: false
- description: Operating system name, without the version.
- example: Mac OS X
- - name: os.platform
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system platform (such centos, ubuntu, windows).
- example: darwin
- - name: os.version
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system version as a raw string.
- example: 10.14.1
- - name: type
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Type of host.
-
- For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.'
- - name: containerized
- type: boolean
- description: >
- If the host is a container.
-
- - name: os.build
- type: keyword
- example: "18D109"
- description: >
- OS build information.
-
- - name: os.codename
- type: keyword
- example: "stretch"
- description: >
- OS codename, if any.
-
-- name: input.type
- type: keyword
- description: Input type.
-- name: log.offset
- type: long
- description: Offset of the entry in the log file.
-- name: log.source.address
- type: keyword
- description: Source address from which the log event was read / sent from.
diff --git a/packages/cisco_ftd/2.4.4/data_stream/log/fields/base-fields.yml b/packages/cisco_ftd/2.4.4/data_stream/log/fields/base-fields.yml
deleted file mode 100755
index c867421bad..0000000000
--- a/packages/cisco_ftd/2.4.4/data_stream/log/fields/base-fields.yml
+++ /dev/null
@@ -1,17 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: event.module
- type: constant_keyword
- description: Event module
- value: cisco_ftd
-- name: event.dataset
- type: constant_keyword
- description: Event dataset
- value: cisco_ftd.log
diff --git a/packages/cisco_ftd/2.4.4/data_stream/log/fields/ecs.yml b/packages/cisco_ftd/2.4.4/data_stream/log/fields/ecs.yml
deleted file mode 100755
index 19f59bcca7..0000000000
--- a/packages/cisco_ftd/2.4.4/data_stream/log/fields/ecs.yml
+++ /dev/null
@@ -1,587 +0,0 @@
-- description: |-
- Date/time when the event originated.
- This is the date/time extracted from the event, typically representing when the event was generated by the source.
- If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline.
- Required field for all events.
- name: '@timestamp'
- type: date
-- description: Short name or login of the user.
- multi_fields:
- - name: text
- type: match_only_text
- name: client.user.name
- type: keyword
-- description: |-
- Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field.
- Then it should be duplicated to `.ip` or `.domain`, depending on which one it is.
- name: destination.address
- type: keyword
-- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet.
- name: destination.as.number
- type: long
-- description: Organization name.
- multi_fields:
- - name: text
- type: match_only_text
- name: destination.as.organization.name
- type: keyword
-- description: Bytes sent from the destination to the source.
- name: destination.bytes
- type: long
-- description: |-
- The domain name of the destination system.
- This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment.
- name: destination.domain
- type: keyword
-- description: City name.
- name: destination.geo.city_name
- type: keyword
-- description: Name of the continent.
- name: destination.geo.continent_name
- type: keyword
-- description: Country ISO code.
- name: destination.geo.country_iso_code
- type: keyword
-- description: Country name.
- name: destination.geo.country_name
- type: keyword
-- description: Longitude and latitude.
- name: destination.geo.location
- type: geo_point
-- description: Region ISO code.
- name: destination.geo.region_iso_code
- type: keyword
-- description: Region name.
- name: destination.geo.region_name
- type: keyword
-- description: IP address of the destination (IPv4 or IPv6).
- name: destination.ip
- type: ip
-- description: |-
- Translated ip of destination based NAT sessions (e.g. internet to private DMZ)
- Typically used with load balancers, firewalls, or routers.
- name: destination.nat.ip
- type: ip
-- description: |-
- Port the source session is translated to by NAT Device.
- Typically used with load balancers, firewalls, or routers.
- name: destination.nat.port
- type: long
-- description: Packets sent from the destination to the source.
- name: destination.packets
- type: long
-- description: Port of the destination.
- name: destination.port
- type: long
-- description: Short name or login of the user.
- multi_fields:
- - name: text
- type: match_only_text
- name: destination.user.name
- type: keyword
-- description: |-
- The name being queried.
- If the name field contains non-printable characters (below 32 or above 126), those characters should be represented as escaped base 10 integers (\DDD). Back slashes and quotes should be escaped. Tabs, carriage returns, and line feeds should be converted to \t, \r, and \n respectively.
- name: dns.question.name
- type: keyword
-- description: The type of record being queried.
- name: dns.question.type
- type: keyword
-- description: The DNS response code.
- name: dns.response_code
- type: keyword
-- description: |-
- ECS version this event conforms to. `ecs.version` is a required field and must exist in all events.
- When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events.
- name: ecs.version
- type: keyword
-- description: Error message.
- name: error.message
- type: match_only_text
-- description: |-
- The action captured by the event.
- This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer.
- name: event.action
- type: keyword
-- description: |-
- This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy.
- `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory.
- This field is an array. This will allow proper categorization of some events that fall in multiple categories.
- name: event.category
- normalize:
- - array
- type: keyword
-- description: |-
- Identification code for this event, if one exists.
- Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID.
- name: event.code
- type: keyword
-- description: |-
- event.created contains the date/time when the event was first read by an agent, or by your pipeline.
- This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event.
- In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source.
- In case the two timestamps are identical, @timestamp should be used.
- name: event.created
- type: date
-- description: |-
- event.created contains the date/time when the event was first read by an agent, or by your pipeline.
- This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event.
- In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source.
- In case the two timestamps are identical, @timestamp should be used.
- name: event.created
- type: date
-- description: |-
- Duration of the event in nanoseconds.
- If event.start and event.end are known this value should be the difference between the end and start time.
- name: event.duration
- type: long
-- description: event.end contains the date when the event ended or when the activity was last observed.
- name: event.end
- type: date
-- description: |-
- Timestamp when an event arrived in the central data store.
- This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event.
- In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`.
- name: event.ingested
- type: date
-- description: |-
- This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy.
- `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events.
- The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not.
- name: event.kind
- type: keyword
-- description: |-
- Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex.
- This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`.
- doc_values: false
- index: false
- name: event.original
- type: keyword
-- description: |-
- This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy.
- `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event.
- Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective.
- Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer.
- Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense.
- name: event.outcome
- type: keyword
-- description: |-
- Source of the event.
- Event transports such as Syslog or the Windows Event Log typically mention the source of an event. It can be the name of the software that generated the event (e.g. Sysmon, httpd), or of a subsystem of the operating system (kernel, Microsoft-Windows-Security-Auditing).
- name: event.provider
- type: keyword
-- description: |-
- Reason why this event happened, according to the source.
- This describes the why of a particular action or outcome captured in the event. Where `event.action` captures the action from the event, `event.reason` describes why that action was taken. For example, a web proxy with an `event.action` which denied the request may also populate `event.reason` with the reason why (e.g. `blocked site`).
- name: event.reason
- type: keyword
-- description: |-
- The numeric severity of the event according to your event source.
- What the different severity values mean can be different between sources and use cases. It's up to the implementer to make sure severities are consistent across events from the same source.
- The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`.
- name: event.severity
- type: long
-- description: event.start contains the date when the event started or when the activity was first observed.
- name: event.start
- type: date
-- description: |-
- This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise.
- Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00").
- name: event.timezone
- type: keyword
-- description: |-
- This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy.
- `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization.
- This field is an array. This will allow proper categorization of some events that fall in multiple event types.
- name: event.type
- normalize:
- - array
- type: keyword
-- description: SHA256 hash.
- name: file.hash.sha256
- type: keyword
-- description: Name of the file including the extension, without the directory.
- name: file.name
- type: keyword
-- description: Full path to the file, including the file name. It should include the drive letter, when appropriate.
- multi_fields:
- - name: text
- type: match_only_text
- name: file.path
- type: keyword
-- description: |-
- File size in bytes.
- Only relevant when `file.type` is "file".
- name: file.size
- type: long
-- description: Referrer for this HTTP request.
- name: http.request.referrer
- type: keyword
-- description: HTTP response status code.
- name: http.response.status_code
- type: long
-- description: |-
- Custom key/value pairs.
- Can be used to add meta information to events. Should not contain nested objects. All values are stored as keyword.
- Example: `docker` and `k8s` labels.
- name: labels
- type: object
-- description: |-
- Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate.
- If the event wasn't read from a log file, do not populate this field.
- name: log.file.path
- type: keyword
-- description: |-
- Original log level of the log event.
- If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity).
- Some examples are `warn`, `err`, `i`, `informational`.
- name: log.level
- type: keyword
-- description: |-
- Syslog numeric priority of the event, if available.
- According to RFCs 5424 and 3164, the priority is 8 * facility + severity. This number is therefore expected to contain a value between 0 and 191.
- name: log.syslog.priority
- type: long
-- description: |-
- The Syslog numeric facility of the log event, if available.
- According to RFCs 5424 and 3164, this value should be an integer between 0 and 23.
- name: log.syslog.facility.code
- type: long
-- description: |-
- The Syslog numeric severity of the log event, if available.
- If the event source publishing via Syslog provides a different numeric severity value (e.g. firewall, IDS), your source's numeric severity should go to `event.severity`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `event.severity`.
- name: log.syslog.severity.code
- type: long
-- description: |-
- For log events the message field contains the log message, optimized for viewing in a log viewer.
- For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event.
- If multiple messages exist, they can be combined into one message.
- name: message
- type: match_only_text
-- description: |-
- When a specific application or service is identified from network connection details (source/dest IPs, ports, certificates, or wire format), this field captures the application's or service's name.
- For example, the original event identifies the network connection being from a specific web service in a `https` network connection, like `facebook` or `twitter`.
- The field value must be normalized to lowercase for querying.
- name: network.application
- type: keyword
-- description: |-
- Total bytes transferred in both directions.
- If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum.
- name: network.bytes
- type: long
-- description: |-
- Direction of the network traffic.
- When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress".
- When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external".
- Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers.
- name: network.direction
- type: keyword
-- description: IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number.
- name: network.iana_number
- type: keyword
-- description: Network.inner fields are added in addition to network.vlan fields to describe the innermost VLAN when q-in-q VLAN tagging is present. Allowed fields include vlan.id and vlan.name. Inner vlan fields are typically used when sending traffic with multiple 802.1q encapsulations to a network sensor (e.g. Zeek, Wireshark.)
- name: network.inner
- type: object
-- description: VLAN ID as reported by the observer.
- name: network.inner.vlan.id
- type: keyword
-- description: Optional VLAN name as reported by the observer.
- name: network.inner.vlan.name
- type: keyword
-- description: |-
- In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`.
- The field value must be normalized to lowercase for querying.
- name: network.protocol
- type: keyword
-- description: |-
- Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.)
- The field value must be normalized to lowercase for querying.
- name: network.transport
- type: keyword
-- description: |-
- In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc
- The field value must be normalized to lowercase for querying.
- name: network.type
- type: keyword
-- description: Interface name as reported by the system.
- name: observer.egress.interface.name
- type: keyword
-- description: Network zone of outbound traffic as reported by the observer to categorize the destination area of egress traffic, e.g. Internal, External, DMZ, HR, Legal, etc.
- name: observer.egress.zone
- type: keyword
-- description: Hostname of the observer.
- name: observer.hostname
- type: keyword
-- description: Interface name as reported by the system.
- name: observer.ingress.interface.name
- type: keyword
-- description: Network zone of incoming traffic as reported by the observer to categorize the source area of ingress traffic. e.g. internal, External, DMZ, HR, Legal, etc.
- name: observer.ingress.zone
- type: keyword
-- description: IP addresses of the observer.
- name: observer.ip
- normalize:
- - array
- type: ip
-- description: |-
- Custom name of the observer.
- This is a name that can be given to an observer. This can be helpful for example if multiple firewalls of the same model are used in an organization.
- If no custom name is needed, the field can be left empty.
- name: observer.name
- type: keyword
-- description: The product name of the observer.
- name: observer.product
- type: keyword
-- description: |-
- The type of the observer the data is coming from.
- There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`.
- name: observer.type
- type: keyword
-- description: Vendor name of the observer.
- name: observer.vendor
- type: keyword
-- description: Observer version.
- name: observer.version
- type: keyword
-- description: |-
- Process name.
- Sometimes called program name or similar.
- multi_fields:
- - name: text
- type: match_only_text
- name: process.name
- type: keyword
-- description: Process id.
- name: process.pid
- type: long
-- description: All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search).
- name: related.hash
- normalize:
- - array
- type: keyword
-- description: All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases.
- name: related.hosts
- normalize:
- - array
- type: keyword
-- description: All of the IPs seen on your event.
- name: related.ip
- normalize:
- - array
- type: ip
-- description: All the user names or other user identifiers seen on the event.
- name: related.user
- normalize:
- - array
- type: keyword
-- description: |-
- The domain name of the server system.
- This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment.
- name: server.domain
- type: keyword
-- description: |-
- Unique identifier of the running service. If the service is comprised of many nodes, the `service.id` should be the same for all nodes.
- This id should uniquely identify the service. This makes it possible to correlate logs and metrics for one specific service, no matter which particular node emitted the event.
- Note that if you need to see the events from one specific host of the service, you should filter on that `host.name` or `host.id` instead.
- name: service.id
- type: keyword
-- description: |-
- Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field.
- Then it should be duplicated to `.ip` or `.domain`, depending on which one it is.
- name: source.address
- type: keyword
-- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet.
- name: source.as.number
- type: long
-- description: Organization name.
- multi_fields:
- - name: text
- type: match_only_text
- name: source.as.organization.name
- type: keyword
-- description: Bytes sent from the source to the destination.
- name: source.bytes
- type: long
-- description: |-
- The domain name of the source system.
- This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment.
- name: source.domain
- type: keyword
-- description: City name.
- name: source.geo.city_name
- type: keyword
-- description: Name of the continent.
- name: source.geo.continent_name
- type: keyword
-- description: Country ISO code.
- name: source.geo.country_iso_code
- type: keyword
-- description: Country name.
- name: source.geo.country_name
- type: keyword
-- description: Longitude and latitude.
- name: source.geo.location
- type: geo_point
-- description: Region ISO code.
- name: source.geo.region_iso_code
- type: keyword
-- description: Region name.
- name: source.geo.region_name
- type: keyword
-- description: IP address of the source (IPv4 or IPv6).
- name: source.ip
- type: ip
-- description: |-
- Translated ip of source based NAT sessions (e.g. internal client to internet)
- Typically connections traversing load balancers, firewalls, or routers.
- name: source.nat.ip
- type: ip
-- description: |-
- Translated port of source based NAT sessions. (e.g. internal client to internet)
- Typically used with load balancers, firewalls, or routers.
- name: source.nat.port
- type: long
-- description: Packets sent from the source to the destination.
- name: source.packets
- type: long
-- description: Port of the source.
- name: source.port
- type: long
-- description: Short name or login of the user.
- multi_fields:
- - name: text
- type: match_only_text
- name: source.user.name
- type: keyword
-- description: List of keywords used to tag each event.
- name: tags
- normalize:
- - array
- type: keyword
-- description: |-
- Domain of the url, such as "www.elastic.co".
- In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field.
- If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field.
- name: url.domain
- type: keyword
-- description: |-
- The field contains the file extension from the original request url, excluding the leading dot.
- The file extension is only set if it exists, as not every url has a file extension.
- The leading period must not be included. For example, the value must be "png", not ".png".
- Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz").
- name: url.extension
- type: keyword
-- description: |-
- Portion of the url after the `#`, such as "top".
- The `#` is not part of the fragment.
- name: url.fragment
- type: keyword
-- description: If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source.
- multi_fields:
- - name: text
- type: match_only_text
- name: url.full
- type: wildcard
-- description: |-
- Unmodified original url as seen in the event source.
- Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path.
- This field is meant to represent the URL as it was observed, complete or not.
- multi_fields:
- - name: text
- type: match_only_text
- name: url.original
- type: wildcard
-- description: Password of the request.
- name: url.password - type: keyword -- description: Path of the request, such as "/search". - name: url.path - type: wildcard -- description: Port of the request, such as 443. - name: url.port - type: long -- description: |- - The query field describes the query string of the request, such as "q=elasticsearch". - The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. - name: url.query - type: keyword -- description: |- - The highest registered url domain, stripped of the subdomain. - For example, the registered domain for "foo.example.com" is "example.com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". - name: url.registered_domain - type: keyword -- description: |- - Scheme of the request, such as "https". - Note: The `:` is not part of the scheme. - name: url.scheme - type: keyword -- description: |- - The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. - For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. - name: url.subdomain - type: keyword -- description: |- - The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". 
- This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". - name: url.top_level_domain - type: keyword -- description: Username of the request. - name: url.username - type: keyword -- description: User email address. - name: user.email - type: keyword -- description: Unique identifier of the user. - name: user.id - type: keyword -- description: Short name or login of the user. - multi_fields: - - name: text - type: match_only_text - name: user.name - type: keyword -- description: Unparsed user_agent string. - multi_fields: - - name: text - type: match_only_text - name: user_agent.original - type: keyword -- description: |- - The domain name of the server system. - This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. - name: server.domain - type: keyword -- description: |- - Some event server addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: server.address - type: keyword -- description: Port of the server. - name: server.port - type: long -- description: IP address of the server (IPv4 or IPv6). - name: server.ip - type: ip -- description: Short name or login of the user. - multi_fields: - - name: text - type: match_only_text - name: server.user.name - type: keyword -- description: |- - The domain name of the client system. - This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. 
- name: client.domain - type: keyword -- description: |- - Some event client addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: client.address - type: keyword -- description: Port of the client. - name: client.port - type: long -- description: IP address of the client (IPv4 or IPv6). - name: client.ip - type: ip diff --git a/packages/cisco_ftd/2.4.4/data_stream/log/fields/fields.yml b/packages/cisco_ftd/2.4.4/data_stream/log/fields/fields.yml deleted file mode 100755 index 26b46deb16..0000000000 --- a/packages/cisco_ftd/2.4.4/data_stream/log/fields/fields.yml +++ /dev/null 
@@ -1,149 +0,0 @@
-- name: cisco.ftd
- type: group
- fields:
- - name: message_id
- type: keyword
- description: |
- The Cisco FTD message identifier.
- - name: suffix
- type: keyword
- description: |
- Optional suffix after %FTD identifier.
- - name: source_interface
- type: keyword
- description: |
- Source interface for the flow or event.
- - name: destination_interface
- type: keyword
- description: |
- Destination interface for the flow or event.
- - name: rule_name
- type: keyword
- description: |
- Name of the Access Control List rule that matched this event.
- - name: source_username
- type: keyword
- description: |
- Name of the user that is the source for this event.
- - name: destination_username
- type: keyword
- description: |
- Name of the user that is the destination for this event.
- - name: mapped_source_ip
- type: ip
- description: |
- The translated source IP address.
- - name: mapped_source_port
- type: long
- description: |
- The translated source port.
- - name: mapped_destination_ip
- type: ip
- description: |
- The translated destination IP address.
- - name: mapped_destination_port
- type: long
- description: |
- The translated destination port.
- - name: threat_level
- type: keyword
- description: |
- Threat level for malware / botnet traffic. One of very-low, low, moderate, high or very-high.
- - name: threat_category
- type: keyword
- description: |
- Category for the malware / botnet traffic. For example: virus, botnet, trojan, etc.
- - name: connection_id
- type: keyword
- description: |
- Unique identifier for a flow.
- - name: icmp_type
- type: short
- description: |
- ICMP type.
- - name: icmp_code
- type: short
- description: |
- ICMP code.
- - name: connection_type
- type: keyword
- description: |
- The VPN connection type
- - name: dap_records
- type: keyword
- description: |
- The assigned DAP records
- - name: mapped_destination_host
- type: keyword
- - name: username
- type: keyword
- - name: mapped_source_host
- type: keyword
- - name: command_line_arguments
- default_field: false
- type: keyword
- description: |
- The command line arguments logged by the local audit log
- - name: assigned_ip
- default_field: false
- type: ip
- description: |
- The IP address assigned to a VPN client successfully connecting
- - name: privilege.old
- default_field: false
- type: keyword
- description: |
- When a users privilege is changed this is the old value
- - name: privilege.new
- default_field: false
- type: keyword
- description: |
- When a users privilege is changed this is the new value
- - name: burst.object
- default_field: false
- type: keyword
- description: |
- The related object for burst warnings
- - name: burst.id
- default_field: false
- type: keyword
- description: |
- The related rate ID for burst warnings
- - name: burst.current_rate
- default_field: false
- type: keyword
- description: |
- The current burst rate seen
- - name: burst.configured_rate
- default_field: false
- type: keyword
- description: |
- The current configured burst rate
- - name: burst.avg_rate
- default_field: false
- type: keyword
- description: |
- The current average burst rate seen
- - name: burst.configured_avg_rate
- default_field: false
- type: keyword
- description: |
- The current configured average burst rate allowed
- - name: burst.cumulative_count
- default_field: false
- type: keyword
- description: |
- The total count of burst rate hits since the object was created or cleared
- - name: security
- type: flattened
- description: Cisco FTD security event fields.
- - name: webvpn.group_name
- type: keyword
- default_field: false
- description: |
- The WebVPN group name the user belongs to
- - name: termination_user
- default_field: false
- type: keyword
- description: |-
- AAA name of user requesting termination
diff --git a/packages/cisco_ftd/2.4.4/data_stream/log/manifest.yml b/packages/cisco_ftd/2.4.4/data_stream/log/manifest.yml
deleted file mode 100755
index 7831571093..0000000000
--- a/packages/cisco_ftd/2.4.4/data_stream/log/manifest.yml
+++ /dev/null
@@ -1,153 +0,0 @@
-title: Cisco FTD logs
-type: logs
-streams:
- - input: udp
- title: Cisco FTD logs
- description: Collect Cisco FTD logs
- template_path: udp.yml.hbs
- vars:
- - name: tags
- type: text
- title: Tags
- multi: true
- required: true
- show_user: false
- default:
- - cisco-ftd
- - forwarded
- - name: udp_host
- type: text
- title: UDP host to listen on
- multi: false
- required: true
- show_user: true
- default: localhost
- - name: udp_port
- type: integer
- title: UDP Port to listen on
- multi: false
- required: true
- show_user: true
- default: 9003
- - name: preserve_original_event
- required: true
- show_user: true
- title: Preserve original event
- description: Preserves a raw copy of the original event, added to the field `event.original`
- type: bool
- multi: false
- default: false
- - name: processors
- type: yaml
- title: Processors
- multi: false
- required: false
- show_user: false
- description: >
- Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
-
- - input: tcp
- title: Cisco FTD logs
- description: Collect Cisco FTD logs
- template_path: tcp.yml.hbs
- vars:
- - name: tags
- type: text
- title: Tags
- multi: true
- required: true
- show_user: false
- default:
- - cisco-ftd
- - forwarded
- - name: tcp_host
- type: text
- title: TCP host to listen on
- multi: false
- required: true
- show_user: true
- default: localhost
- - name: tcp_port
- type: integer
- title: TCP Port to listen on
- multi: false
- required: true
- show_user: true
- default: 9003
- - name: preserve_original_event
- required: true
- show_user: true
- title: Preserve original event
- description: Preserves a raw copy of the original event, added to the field `event.original`
- type: bool
- multi: false
- default: false
- - name: processors
- type: yaml
- title: Processors
- multi: false
- required: false
- show_user: false
- description: >
- Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
- - name: ssl
- type: yaml
- title: SSL Configuration
- description: i.e. certificate, keys, supported_protocols, verification_mode etc. See [SSL](https://www.elastic.co/guide/en/beats/filebeat/current/configuration-ssl.html#ssl-server-config) for details.
- multi: false
- required: false
- show_user: false
- default: |
- #certificate: "/etc/server/cert.pem"
- #key: "/etc/server/key.pem"
- - name: tcp_options
- type: yaml
- title: Custom TCP Options
- multi: false
- required: false
- show_user: false
- default: |
- #max_connections: 1
- #framing: delimiter
- #line_delimiter: "\n"
- description: Specify custom configuration options for the TCP input. See [TCP](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-tcp.html) for details.
- - input: logfile
- enabled: false
- title: Cisco FTD logs
- description: Collect Cisco FTD logs from file
- vars:
- - name: paths
- type: text
- title: Paths
- multi: true
- required: true
- show_user: true
- default:
- - /var/log/cisco-ftd.log
- - name: tags
- type: text
- title: Tags
- multi: true
- required: true
- show_user: false
- default:
- - cisco-ftd
- - forwarded
- - name: preserve_original_event
- required: true
- show_user: true
- title: Preserve original event
- description: Preserves a raw copy of the original event, added to the field `event.original`
- type: bool
- multi: false
- default: false
- - name: processors
- type: yaml
- title: Processors
- multi: false
- required: false
- show_user: false
- description: >
- Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
-
diff --git a/packages/cisco_ftd/2.4.4/data_stream/log/sample_event.json b/packages/cisco_ftd/2.4.4/data_stream/log/sample_event.json
deleted file mode 100755
index 9125f92cbf..0000000000
--- a/packages/cisco_ftd/2.4.4/data_stream/log/sample_event.json
+++ /dev/null
@@ -1,156 +0,0 @@
-{
- "@timestamp": "2019-08-16T09:39:03.000Z",
- "agent": {
- "ephemeral_id": "173348ff-0df7-4c59-b0b0-f4aad4a82751",
- "id": "b9045ecb-c8cf-4d1a-8b37-757e202e9ea1",
- "name": "docker-fleet-agent",
- "type": "filebeat",
- "version": "8.2.0"
- },
- "cisco": {
- "ftd": {
- "rule_name": "malware-and-file-policy",
- "security": {
- "application_protocol": "HTTP",
- "client": "cURL",
- "dst_ip": "81.2.69.144",
- "dst_port": "80",
- "file_action": "Malware Cloud Lookup",
- "file_direction": "Download",
- "file_name": "eicar_com.zip",
- "file_policy": "malware-and-file-policy",
- "file_sandbox_status": "File Size Is Too Small",
- "file_sha256": "2546dcffc5ad854d4ddc64fbf056871cd5a00f2471cb7a5bfd4ac23b6e9eedad",
- "file_size": "184",
- "file_storage_status": "Not Stored (Disposition Was Pending)",
- "file_type": "ZIP",
- "first_packet_second": "2019-08-16T09:39:02Z",
- "protocol": "tcp",
- "sha_disposition": "Unavailable",
- "spero_disposition": "Spero detection not performed on file",
- "src_ip": "10.0.1.20",
- "src_port": "46004",
- "threat_name": "Win.Ransomware.Eicar::95.sbx.tg",
- "uri": "http://www.eicar.org/download/eicar_com.zip",
- "user": "No Authentication Required"
- },
- "threat_category": "Win.Ransomware.Eicar::95.sbx.tg"
- }
- },
- "data_stream": {
- "dataset": "cisco_ftd.log",
- "namespace": "ep",
- "type": "logs"
- },
- "destination": {
- "address": "81.2.69.144",
- "geo": {
- "city_name": "London",
- "continent_name": "Europe",
- "country_iso_code": "GB",
- "country_name": "United Kingdom",
- "location": {
- "lat": 51.5142,
- "lon": -0.0931
- },
- "region_iso_code": "GB-ENG",
- "region_name": "England"
- },
- "ip": "81.2.69.144",
- "port": 80
- },
- "ecs": {
- "version": "8.3.0"
- },
- "elastic_agent": {
- "id": "b9045ecb-c8cf-4d1a-8b37-757e202e9ea1",
- "snapshot": false,
- "version": "8.2.0"
- },
- "event": {
- "action": "malware-detected",
- "agent_id_status": "verified",
- "category": [
- "malware",
- "file"
- ],
- "code": "430005",
- "dataset": "cisco_ftd.log",
- "ingested": "2022-06-22T01:38:18Z",
- "kind": "event",
- "original": "2019-08-16T09:39:03Z firepower %FTD-1-430005: SrcIP: 10.0.1.20, DstIP: 81.2.69.144, SrcPort: 46004, DstPort: 80, Protocol: tcp, FileDirection: Download, FileAction: Malware Cloud Lookup, FileSHA256: 2546dcffc5ad854d4ddc64fbf056871cd5a00f2471cb7a5bfd4ac23b6e9eedad, SHA_Disposition: Unavailable, SperoDisposition: Spero detection not performed on file, ThreatName: Win.Ransomware.Eicar::95.sbx.tg, FileName: eicar_com.zip, FileType: ZIP, FileSize: 184, ApplicationProtocol: HTTP, Client: cURL, User: No Authentication Required, FirstPacketSecond: 2019-08-16T09:39:02Z, FilePolicy: malware-and-file-policy, FileStorageStatus: Not Stored (Disposition Was Pending), FileSandboxStatus: File Size Is Too Small, URI: http://www.eicar.org/download/eicar_com.zip",
- "severity": 1,
- "start": "2019-08-16T09:39:02Z",
- "timezone": "+00:00",
- "type": [
- "info"
- ]
- },
- "file": {
- "hash": {
- "sha256": "2546dcffc5ad854d4ddc64fbf056871cd5a00f2471cb7a5bfd4ac23b6e9eedad"
- },
- "name": "eicar_com.zip",
- "size": 184
- },
- "host": {
- "hostname": "firepower"
- },
- "input": {
- "type": "tcp"
- },
- "log": {
- "level": "alert",
- "source": {
- "address": "172.31.0.6:55524"
- }
- },
- "network": {
- "application": "curl",
- "iana_number": "6",
- "protocol": "http",
- "transport": "tcp"
- },
- "observer": {
- "hostname": "firepower",
- "product": "ftd",
- "type": "idps",
- "vendor": "Cisco"
- },
- "related": {
- "hash": [
- "2546dcffc5ad854d4ddc64fbf056871cd5a00f2471cb7a5bfd4ac23b6e9eedad"
- ],
- "hosts": [
- "firepower"
- ],
- "ip": [
- "10.0.1.20",
- "81.2.69.144"
- ],
- "user": [
- "No Authentication Required"
- ]
- },
- "source": {
- "address": "10.0.1.20",
- "ip": "10.0.1.20",
- "port": 46004
- },
- "tags": [
- "preserve_original_event",
- "cisco-ftd",
- "forwarded"
- ],
- "url": {
- "domain": "www.eicar.org",
- "extension": "zip",
- "original": "http://www.eicar.org/download/eicar_com.zip",
- "path": "/download/eicar_com.zip",
- "scheme": "http"
- },
- "user": {
- "id": "No Authentication Required",
- "name": "No Authentication Required"
- }
-}
\ No newline at end of file
diff --git a/packages/cisco_ftd/2.4.4/docs/README.md b/packages/cisco_ftd/2.4.4/docs/README.md
deleted file mode 100755
index 9c1e3b5b83..0000000000
--- a/packages/cisco_ftd/2.4.4/docs/README.md
+++ /dev/null
@@ -1,397 +0,0 @@ -# Cisco FTD Integration - -This integration is for [Cisco](https://www.cisco.com/c/en/us/support/security/index.html) Firepower Threat Defence (FTD) device's logs. The package processes syslog messages from Cisco Firepower devices - -It includes the following datasets for receiving logs over syslog or read from a file: - -- `log` dataset: supports Cisco Firepower Threat Defense (FTD) logs. - -## Configuration - -Cisco provides a range of Firepower devices, which may have different configuration steps. We recommend users navigate to the device specific configuration page, and search for/go to the "FTD Logging" or "Configure Logging on FTD" page for the specific device. - -## Logs - -### FTD - -The `log` dataset collects the Cisco Firepower Threat Defense (FTD) logs. - -An example event for `log` looks as following: - -```json -{ - "@timestamp": "2019-08-16T09:39:03.000Z", - "agent": { - "ephemeral_id": "173348ff-0df7-4c59-b0b0-f4aad4a82751", - "id": "b9045ecb-c8cf-4d1a-8b37-757e202e9ea1", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "8.2.0" - }, - "cisco": { - "ftd": { - "rule_name": "malware-and-file-policy", - "security": { - "application_protocol": "HTTP", - "client": "cURL", - "dst_ip": "81.2.69.144", - "dst_port": "80", - "file_action": "Malware Cloud Lookup", - "file_direction": "Download", - "file_name": "eicar_com.zip", - "file_policy": "malware-and-file-policy", - "file_sandbox_status": "File Size Is Too Small", - "file_sha256": "2546dcffc5ad854d4ddc64fbf056871cd5a00f2471cb7a5bfd4ac23b6e9eedad", - "file_size": "184", - "file_storage_status": "Not Stored (Disposition Was Pending)", - "file_type": "ZIP", - "first_packet_second": "2019-08-16T09:39:02Z", - "protocol": "tcp", - "sha_disposition": "Unavailable", - "spero_disposition": "Spero detection not performed on file", - "src_ip": "10.0.1.20", - "src_port": "46004", - "threat_name": "Win.Ransomware.Eicar::95.sbx.tg", - "uri": 
"http://www.eicar.org/download/eicar_com.zip", - "user": "No Authentication Required" - }, - "threat_category": "Win.Ransomware.Eicar::95.sbx.tg" - } - }, - "data_stream": { - "dataset": "cisco_ftd.log", - "namespace": "ep", - "type": "logs" - }, - "destination": { - "address": "81.2.69.144", - "geo": { - "city_name": "London", - "continent_name": "Europe", - "country_iso_code": "GB", - "country_name": "United Kingdom", - "location": { - "lat": 51.5142, - "lon": -0.0931 - }, - "region_iso_code": "GB-ENG", - "region_name": "England" - }, - "ip": "81.2.69.144", - "port": 80 - }, - "ecs": { - "version": "8.3.0" - }, - "elastic_agent": { - "id": "b9045ecb-c8cf-4d1a-8b37-757e202e9ea1", - "snapshot": false, - "version": "8.2.0" - }, - "event": { - "action": "malware-detected", - "agent_id_status": "verified", - "category": [ - "malware", - "file" - ], - "code": "430005", - "dataset": "cisco_ftd.log", - "ingested": "2022-06-22T01:38:18Z", - "kind": "event", - "original": "2019-08-16T09:39:03Z firepower %FTD-1-430005: SrcIP: 10.0.1.20, DstIP: 81.2.69.144, SrcPort: 46004, DstPort: 80, Protocol: tcp, FileDirection: Download, FileAction: Malware Cloud Lookup, FileSHA256: 2546dcffc5ad854d4ddc64fbf056871cd5a00f2471cb7a5bfd4ac23b6e9eedad, SHA_Disposition: Unavailable, SperoDisposition: Spero detection not performed on file, ThreatName: Win.Ransomware.Eicar::95.sbx.tg, FileName: eicar_com.zip, FileType: ZIP, FileSize: 184, ApplicationProtocol: HTTP, Client: cURL, User: No Authentication Required, FirstPacketSecond: 2019-08-16T09:39:02Z, FilePolicy: malware-and-file-policy, FileStorageStatus: Not Stored (Disposition Was Pending), FileSandboxStatus: File Size Is Too Small, URI: http://www.eicar.org/download/eicar_com.zip", - "severity": 1, - "start": "2019-08-16T09:39:02Z", - "timezone": "+00:00", - "type": [ - "info" - ] - }, - "file": { - "hash": { - "sha256": "2546dcffc5ad854d4ddc64fbf056871cd5a00f2471cb7a5bfd4ac23b6e9eedad" - }, - "name": "eicar_com.zip", - "size": 184 - }, - 
"host": { - "hostname": "firepower" - }, - "input": { - "type": "tcp" - }, - "log": { - "level": "alert", - "source": { - "address": "172.31.0.6:55524" - } - }, - "network": { - "application": "curl", - "iana_number": "6", - "protocol": "http", - "transport": "tcp" - }, - "observer": { - "hostname": "firepower", - "product": "ftd", - "type": "idps", - "vendor": "Cisco" - }, - "related": { - "hash": [ - "2546dcffc5ad854d4ddc64fbf056871cd5a00f2471cb7a5bfd4ac23b6e9eedad" - ], - "hosts": [ - "firepower" - ], - "ip": [ - "10.0.1.20", - "81.2.69.144" - ], - "user": [ - "No Authentication Required" - ] - }, - "source": { - "address": "10.0.1.20", - "ip": "10.0.1.20", - "port": 46004 - }, - "tags": [ - "preserve_original_event", - "cisco-ftd", - "forwarded" - ], - "url": { - "domain": "www.eicar.org", - "extension": "zip", - "original": "http://www.eicar.org/download/eicar_com.zip", - "path": "/download/eicar_com.zip", - "scheme": "http" - }, - "user": { - "id": "No Authentication Required", - "name": "No Authentication Required" - } -} -``` - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. 
| date | -| cisco.ftd.assigned_ip | The IP address assigned to a VPN client successfully connecting | ip | -| cisco.ftd.burst.avg_rate | The current average burst rate seen | keyword | -| cisco.ftd.burst.configured_avg_rate | The current configured average burst rate allowed | keyword | -| cisco.ftd.burst.configured_rate | The current configured burst rate | keyword | -| cisco.ftd.burst.cumulative_count | The total count of burst rate hits since the object was created or cleared | keyword | -| cisco.ftd.burst.current_rate | The current burst rate seen | keyword | -| cisco.ftd.burst.id | The related rate ID for burst warnings | keyword | -| cisco.ftd.burst.object | The related object for burst warnings | keyword | -| cisco.ftd.command_line_arguments | The command line arguments logged by the local audit log | keyword | -| cisco.ftd.connection_id | Unique identifier for a flow. | keyword | -| cisco.ftd.connection_type | The VPN connection type | keyword | -| cisco.ftd.dap_records | The assigned DAP records | keyword | -| cisco.ftd.destination_interface | Destination interface for the flow or event. | keyword | -| cisco.ftd.destination_username | Name of the user that is the destination for this event. | keyword | -| cisco.ftd.icmp_code | ICMP code. | short | -| cisco.ftd.icmp_type | ICMP type. | short | -| cisco.ftd.mapped_destination_host | | keyword | -| cisco.ftd.mapped_destination_ip | The translated destination IP address. | ip | -| cisco.ftd.mapped_destination_port | The translated destination port. | long | -| cisco.ftd.mapped_source_host | | keyword | -| cisco.ftd.mapped_source_ip | The translated source IP address. | ip | -| cisco.ftd.mapped_source_port | The translated source port. | long | -| cisco.ftd.message_id | The Cisco FTD message identifier. 
| keyword | -| cisco.ftd.privilege.new | When a users privilege is changed this is the new value | keyword | -| cisco.ftd.privilege.old | When a users privilege is changed this is the old value | keyword | -| cisco.ftd.rule_name | Name of the Access Control List rule that matched this event. | keyword | -| cisco.ftd.security | Cisco FTD security event fields. | flattened | -| cisco.ftd.source_interface | Source interface for the flow or event. | keyword | -| cisco.ftd.source_username | Name of the user that is the source for this event. | keyword | -| cisco.ftd.suffix | Optional suffix after %FTD identifier. | keyword | -| cisco.ftd.termination_user | AAA name of user requesting termination | keyword | -| cisco.ftd.threat_category | Category for the malware / botnet traffic. For example: virus, botnet, trojan, etc. | keyword | -| cisco.ftd.threat_level | Threat level for malware / botnet traffic. One of very-low, low, moderate, high or very-high. | keyword | -| cisco.ftd.username | | keyword | -| cisco.ftd.webvpn.group_name | The WebVPN group name the user belongs to | keyword | -| client.address | Some event client addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| client.domain | The domain name of the client system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | -| client.ip | IP address of the client (IPv4 or IPv6). | ip | -| client.port | Port of the client. | long | -| client.user.name | Short name or login of the user. | keyword | -| client.user.name.text | Multi-field of `client.user.name`. 
| match_only_text | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| destination.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| destination.as.organization.name | Organization name. | keyword | -| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. 
| match_only_text | -| destination.bytes | Bytes sent from the destination to the source. | long | -| destination.domain | The domain name of the destination system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | -| destination.geo.city_name | City name. | keyword | -| destination.geo.continent_name | Name of the continent. | keyword | -| destination.geo.country_iso_code | Country ISO code. | keyword | -| destination.geo.country_name | Country name. | keyword | -| destination.geo.location | Longitude and latitude. | geo_point | -| destination.geo.region_iso_code | Region ISO code. | keyword | -| destination.geo.region_name | Region name. | keyword | -| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | -| destination.nat.ip | Translated ip of destination based NAT sessions (e.g. internet to private DMZ) Typically used with load balancers, firewalls, or routers. | ip | -| destination.nat.port | Port the source session is translated to by NAT Device. Typically used with load balancers, firewalls, or routers. | long | -| destination.packets | Packets sent from the destination to the source. | long | -| destination.port | Port of the destination. | long | -| destination.user.name | Short name or login of the user. | keyword | -| destination.user.name.text | Multi-field of `destination.user.name`. | match_only_text | -| dns.question.name | The name being queried. If the name field contains non-printable characters (below 32 or above 126), those characters should be represented as escaped base 10 integers (\DDD). Back slashes and quotes should be escaped. Tabs, carriage returns, and line feeds should be converted to \t, \r, and \n respectively. | keyword | -| dns.question.type | The type of record being queried. | keyword | -| dns.response_code | The DNS response code. 
| keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| error.message | Error message. | match_only_text | -| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.code | Identification code for this event, if one exists. Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. | keyword | -| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. 
| date |
-| event.dataset | Event dataset | constant_keyword |
-| event.duration | Duration of the event in nanoseconds. If event.start and event.end are known this value should be the difference between the end and start time. | long |
-| event.end | event.end contains the date when the event ended or when the activity was last observed. | date |
-| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date |
-| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword |
-| event.module | Event module | constant_keyword |
-| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`.
| keyword |
-| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword |
-| event.provider | Source of the event. Event transports such as Syslog or the Windows Event Log typically mention the source of an event. It can be the name of the software that generated the event (e.g. Sysmon, httpd), or of a subsystem of the operating system (kernel, Microsoft-Windows-Security-Auditing). | keyword |
-| event.reason | Reason why this event happened, according to the source. This describes the why of a particular action or outcome captured in the event. Where `event.action` captures the action from the event, `event.reason` describes why that action was taken. For example, a web proxy with an `event.action` which denied the request may also populate `event.reason` with the reason why (e.g. `blocked site`). | keyword |
-| event.severity | The numeric severity of the event according to your event source. What the different severity values mean can be different between sources and use cases. It's up to the implementer to make sure severities are consistent across events from the same source.
The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`. | long |
-| event.start | event.start contains the date when the event started or when the activity was first observed. | date |
-| event.timezone | This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). | keyword |
-| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword |
-| file.hash.sha256 | SHA256 hash. | keyword |
-| file.name | Name of the file including the extension, without the directory. | keyword |
-| file.path | Full path to the file, including the file name. It should include the drive letter, when appropriate. | keyword |
-| file.path.text | Multi-field of `file.path`. | match_only_text |
-| file.size | File size in bytes. Only relevant when `file.type` is "file". | long |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider.
| keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| http.request.referrer | Referrer for this HTTP request. | keyword |
-| http.response.status_code | HTTP response status code. | long |
-| input.type | Input type. | keyword |
-| labels | Custom key/value pairs. Can be used to add meta information to events. Should not contain nested objects. All values are stored as keyword. Example: `docker` and `k8s` labels. | object |
-| log.file.path | Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field.
| keyword |
-| log.level | Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). Some examples are `warn`, `err`, `i`, `informational`. | keyword |
-| log.offset | Offset of the entry in the log file. | long |
-| log.source.address | Source address from which the log event was read / sent from. | keyword |
-| log.syslog.facility.code | The Syslog numeric facility of the log event, if available. According to RFCs 5424 and 3164, this value should be an integer between 0 and 23. | long |
-| log.syslog.priority | Syslog numeric priority of the event, if available. According to RFCs 5424 and 3164, the priority is 8 \* facility + severity. This number is therefore expected to contain a value between 0 and 191. | long |
-| log.syslog.severity.code | The Syslog numeric severity of the log event, if available. If the event source publishing via Syslog provides a different numeric severity value (e.g. firewall, IDS), your source's numeric severity should go to `event.severity`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `event.severity`. | long |
-| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text |
-| network.application | When a specific application or service is identified from network connection details (source/dest IPs, ports, certificates, or wire format), this field captures the application's or service's name.
For example, the original event identifies the network connection being from a specific web service in a `https` network connection, like `facebook` or `twitter`. The field value must be normalized to lowercase for querying. | keyword |
-| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long |
-| network.direction | Direction of the network traffic. When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword |
-| network.iana_number | IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. | keyword |
-| network.inner | Network.inner fields are added in addition to network.vlan fields to describe the innermost VLAN when q-in-q VLAN tagging is present. Allowed fields include vlan.id and vlan.name. Inner vlan fields are typically used when sending traffic with multiple 802.1q encapsulations to a network sensor (e.g. Zeek, Wireshark.) | object |
-| network.inner.vlan.id | VLAN ID as reported by the observer. | keyword |
-| network.inner.vlan.name | Optional VLAN name as reported by the observer. | keyword |
-| network.protocol | In the OSI Model this would be the Application Layer protocol.
For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword |
-| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword |
-| network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword |
-| observer.egress.interface.name | Interface name as reported by the system. | keyword |
-| observer.egress.zone | Network zone of outbound traffic as reported by the observer to categorize the destination area of egress traffic, e.g. Internal, External, DMZ, HR, Legal, etc. | keyword |
-| observer.hostname | Hostname of the observer. | keyword |
-| observer.ingress.interface.name | Interface name as reported by the system. | keyword |
-| observer.ingress.zone | Network zone of incoming traffic as reported by the observer to categorize the source area of ingress traffic. e.g. internal, External, DMZ, HR, Legal, etc. | keyword |
-| observer.ip | IP addresses of the observer. | ip |
-| observer.name | Custom name of the observer. This is a name that can be given to an observer. This can be helpful for example if multiple firewalls of the same model are used in an organization. If no custom name is needed, the field can be left empty. | keyword |
-| observer.product | The product name of the observer. | keyword |
-| observer.type | The type of the observer the data is coming from. There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. | keyword |
-| observer.vendor | Vendor name of the observer. | keyword |
-| observer.version | Observer version. | keyword |
-| process.name | Process name. Sometimes called program name or similar.
| keyword |
-| process.name.text | Multi-field of `process.name`. | match_only_text |
-| process.pid | Process id. | long |
-| related.hash | All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). | keyword |
-| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword |
-| related.ip | All of the IPs seen on your event. | ip |
-| related.user | All the user names or other user identifiers seen on the event. | keyword |
-| server.address | Some event server addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
-| server.domain | The domain name of the server system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword |
-| server.ip | IP address of the server (IPv4 or IPv6). | ip |
-| server.port | Port of the server. | long |
-| server.user.name | Short name or login of the user. | keyword |
-| server.user.name.text | Multi-field of `server.user.name`. | match_only_text |
-| service.id | Unique identifier of the running service. If the service is comprised of many nodes, the `service.id` should be the same for all nodes. This id should uniquely identify the service. This makes it possible to correlate logs and metrics for one specific service, no matter which particular node emitted the event. Note that if you need to see the events from one specific host of the service, you should filter on that `host.name` or `host.id` instead.
| keyword |
-| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
-| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long |
-| source.as.organization.name | Organization name. | keyword |
-| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text |
-| source.bytes | Bytes sent from the source to the destination. | long |
-| source.domain | The domain name of the source system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword |
-| source.geo.city_name | City name. | keyword |
-| source.geo.continent_name | Name of the continent. | keyword |
-| source.geo.country_iso_code | Country ISO code. | keyword |
-| source.geo.country_name | Country name. | keyword |
-| source.geo.location | Longitude and latitude. | geo_point |
-| source.geo.region_iso_code | Region ISO code. | keyword |
-| source.geo.region_name | Region name. | keyword |
-| source.ip | IP address of the source (IPv4 or IPv6). | ip |
-| source.nat.ip | Translated ip of source based NAT sessions (e.g. internal client to internet) Typically connections traversing load balancers, firewalls, or routers. | ip |
-| source.nat.port | Translated port of source based NAT sessions. (e.g. internal client to internet) Typically used with load balancers, firewalls, or routers. | long |
-| source.packets | Packets sent from the source to the destination. | long |
-| source.port | Port of the source. | long |
-| source.user.name | Short name or login of the user.
| keyword |
-| source.user.name.text | Multi-field of `source.user.name`. | match_only_text |
-| tags | List of keywords used to tag each event. | keyword |
-| url.domain | Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. | keyword |
-| url.extension | The field contains the file extension from the original request url, excluding the leading dot. The file extension is only set if it exists, as not every url has a file extension. The leading period must not be included. For example, the value must be "png", not ".png". Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword |
-| url.fragment | Portion of the url after the `#`, such as "top". The `#` is not part of the fragment. | keyword |
-| url.full | If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. | wildcard |
-| url.full.text | Multi-field of `url.full`. | match_only_text |
-| url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | wildcard |
-| url.original.text | Multi-field of `url.original`. | match_only_text |
-| url.password | Password of the request. | keyword |
-| url.path | Path of the request, such as "/search". | wildcard |
-| url.port | Port of the request, such as 443. | long |
-| url.query | The query field describes the query string of the request, such as "q=elasticsearch".
The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. | keyword |
-| url.registered_domain | The highest registered url domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword |
-| url.scheme | Scheme of the request, such as "https". Note: The `:` is not part of the scheme. | keyword |
-| url.subdomain | The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword |
-| url.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword |
-| url.username | Username of the request. | keyword |
-| user.email | User email address. | keyword |
-| user.id | Unique identifier of the user. | keyword |
-| user.name | Short name or login of the user.
| keyword |
-| user.name.text | Multi-field of `user.name`. | match_only_text |
-| user_agent.original | Unparsed user_agent string. | keyword |
-| user_agent.original.text | Multi-field of `user_agent.original`. | match_only_text |
-
diff --git a/packages/cisco_ftd/2.4.4/img/cisco.svg b/packages/cisco_ftd/2.4.4/img/cisco.svg
deleted file mode 100755
index 20ebebf197..0000000000
--- a/packages/cisco_ftd/2.4.4/img/cisco.svg
+++ /dev/null
@@ -1 +0,0 @@
-
\ No newline at end of file
diff --git a/packages/cisco_ftd/2.4.4/manifest.yml b/packages/cisco_ftd/2.4.4/manifest.yml
deleted file mode 100755
index 82c0f59b0b..0000000000
--- a/packages/cisco_ftd/2.4.4/manifest.yml
+++ /dev/null
@@ -1,34 +0,0 @@
-format_version: 1.0.0
-name: cisco_ftd
-title: Cisco FTD
-version: "2.4.4"
-license: basic
-description: Collect logs from Cisco FTD with Elastic Agent.
-type: integration
-categories:
- - network
- - security
-release: ga
-conditions:
- kibana.version: "^7.16.0 || ^8.0.0"
-icons:
- - src: /img/cisco.svg
- title: cisco
- size: 216x216
- type: image/svg+xml
-policy_templates:
- - name: cisco_ftd
- title: Cisco FTD logs
- description: Collect logs from Cisco FTD instances
- inputs:
- - type: tcp
- title: Collect logs from Cisco FTD via TCP
- description: Collecting logs from Cisco FTD via TCP
- - type: udp
- title: Collect logs from Cisco FTD via UDP
- description: Collecting logs from Cisco FTD via UDP
- - type: logfile
- title: Collect logs from Cisco FTD via file
- description: Collecting logs from Cisco FTD via file
-owner:
- github: elastic/security-external-integrations
diff --git a/packages/cisco_ios/1.9.1/LICENSE.txt b/packages/cisco_ios/1.9.1/LICENSE.txt
deleted file mode 100755
index 809108b857..0000000000
--- a/packages/cisco_ios/1.9.1/LICENSE.txt
+++ /dev/null
@@ -1,93 +0,0 @@
-Elastic License 2.0
-
-URL: https://www.elastic.co/licensing/elastic-license
-
-## Acceptance
-
-By using the software, you agree to all of the terms and conditions below.
-
-## Copyright License
-
-The licensor grants you a non-exclusive, royalty-free, worldwide,
-non-sublicensable, non-transferable license to use, copy, distribute, make
-available, and prepare derivative works of the software, in each case subject to
-the limitations and conditions below.
-
-## Limitations
-
-You may not provide the software to third parties as a hosted or managed
-service, where the service provides users with access to any substantial set of
-the features or functionality of the software.
-
-You may not move, change, disable, or circumvent the license key functionality
-in the software, and you may not remove or obscure any functionality in the
-software that is protected by the license key.
-
-You may not alter, remove, or obscure any licensing, copyright, or other notices
-of the licensor in the software. Any use of the licensor’s trademarks is subject
-to applicable law.
-
-## Patents
-
-The licensor grants you a license, under any patent claims the licensor can
-license, or becomes able to license, to make, have made, use, sell, offer for
-sale, import and have imported the software, in each case subject to the
-limitations and conditions in this license. This license does not cover any
-patent claims that you cause to be infringed by modifications or additions to
-the software. If you or your company make any written claim that the software
-infringes or contributes to infringement of any patent, your patent license for
-the software granted under these terms ends immediately. If your company makes
-such a claim, your patent license ends immediately for work on behalf of your
-company.
-
-## Notices
-
-You must ensure that anyone who gets a copy of any part of the software from you
-also gets a copy of these terms.
-
-If you modify the software, you must include in any modified copies of the
-software prominent notices stating that you have modified the software.
-
-## No Other Rights
-
-These terms do not imply any licenses other than those expressly granted in
-these terms.
-
-## Termination
-
-If you use the software in violation of these terms, such use is not licensed,
-and your licenses will automatically terminate. If the licensor provides you
-with a notice of your violation, and you cease all violation of this license no
-later than 30 days after you receive that notice, your licenses will be
-reinstated retroactively. However, if you violate these terms after such
-reinstatement, any additional violation of these terms will cause your licenses
-to terminate automatically and permanently.
-
-## No Liability
-
-*As far as the law allows, the software comes as is, without any warranty or
-condition, and the licensor will not be liable to you for any damages arising
-out of these terms or the use or nature of the software, under any kind of
-legal claim.*
-
-## Definitions
-
-The **licensor** is the entity offering these terms, and the **software** is the
-software the licensor makes available under these terms, including any portion
-of it.
-
-**you** refers to the individual or entity agreeing to these terms.
-
-**your company** is any legal entity, sole proprietorship, or other kind of
-organization that you work for, plus all organizations that have control over,
-are under the control of, or are under common control with that
-organization. **control** means ownership of substantially all the assets of an
-entity, or the power to direct its management and policies by vote, contract, or
-otherwise. Control can be direct or indirect.
-
-**your licenses** are all the licenses granted to you for the software under
-these terms.
-
-**use** means anything you do with the software requiring one of your licenses.
-
-**trademark** means trademarks, service marks, and similar rights.
diff --git a/packages/cisco_ios/1.9.1/changelog.yml b/packages/cisco_ios/1.9.1/changelog.yml
deleted file mode 100755
index bfe4205307..0000000000
--- a/packages/cisco_ios/1.9.1/changelog.yml
+++ /dev/null
@@ -1,99 +0,0 @@
-# newer versions go on top
-- version: "1.9.1"
- changes:
- - description: Use ECS geo.location definition.
- type: enhancement
- link: https://github.com/elastic/integrations/issues/4227
-- version: "1.9.0"
- changes:
- - description: Handle ASR Log Format.
- type: enhancement
- link: https://github.com/elastic/integrations/pull/3694
-- version: "1.8.0"
- changes:
- - description: Update package to ECS 8.4.0
- type: enhancement
- link: https://github.com/elastic/integrations/pull/3842
-- version: "1.7.2"
- changes:
- - description: Improve TCP, SSL config description and example.
- type: enhancement
- link: https://github.com/elastic/integrations/pull/3763
-- version: "1.7.1"
- changes:
- - description: update readme file - added link to cisco documentation
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2932
-- version: "1.7.0"
- changes:
- - description: Update package to ECS 8.3.0.
- type: enhancement
- link: https://github.com/elastic/integrations/pull/3353
-- version: "1.6.0"
- changes:
- - description: Add TLS system test
- type: enhancement
- link: https://github.com/elastic/integrations/pull/3338
- - description: Add TCP input with TLS support
- type: enhancement
- link: https://github.com/elastic/integrations/pull/3314
-- version: "1.5.0"
- changes:
- - description: Update to ECS 8.2
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2778
-- version: "1.4.2"
- changes:
- - description: Add documentation for multi-fields
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2916
-- version: "1.4.1"
- changes:
- - description: Add missing event.original mapping
- type: bugfix
- link: https://github.com/elastic/integrations/pull/2636
-- version: "1.4.0"
- changes:
- - description: Update to ECS 8.0
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2392
-- version: "1.3.0"
- changes:
- - description: Add syslog header and timestamp parsing.
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2475
-- version: "1.2.2"
- changes:
- - description: Regenerate test files using the new GeoIP database
- type: bugfix
- link: https://github.com/elastic/integrations/pull/2339
-- version: "1.2.1"
- changes:
- - description: Change test public IPs to the supported subset
- type: bugfix
- link: https://github.com/elastic/integrations/pull/2327
-- version: "1.2.0"
- changes:
- - description: Add 8.0.0 version constraint
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2279
-- version: "1.1.2"
- changes:
- - description: Update Title and Description.
- type: enhancement
- link: https://github.com/elastic/integrations/pull/1955
-- version: "1.1.1"
- changes:
- - description: Fix logic that checks for the 'forwarded' tag
- type: bugfix
- link: https://github.com/elastic/integrations/pull/1807
-- version: "1.1.0"
- changes:
- - description: Update to ECS 1.12.0
- type: enhancement
- link: https://github.com/elastic/integrations/pull/1784
-- version: "1.0.0"
- changes:
- - description: Initial version of Cisco IOS as separate package
- type: enhancement
- link: https://github.com/elastic/integrations/pull/1582
diff --git a/packages/cisco_ios/1.9.1/data_stream/log/agent/stream/stream.yml.hbs b/packages/cisco_ios/1.9.1/data_stream/log/agent/stream/stream.yml.hbs
deleted file mode 100755
index eac70741c1..0000000000
--- a/packages/cisco_ios/1.9.1/data_stream/log/agent/stream/stream.yml.hbs
+++ /dev/null
@@ -1,26 +0,0 @@
-paths:
-{{#each paths as |path i|}}
- - {{path}}
-{{/each}}
-exclude_files: [".gz$"]
-tags:
-{{#if preserve_original_event}}
- - preserve_original_event
-{{/if}}
-{{#each tags as |tag i|}}
- - {{tag}}
-{{/each}}
-{{#contains "forwarded" tags}}
-publisher_pipeline.disable_host: true
-{{/contains}}
-
-fields_under_root: true
-fields:
- _conf:
- tz_offset: '{{tz_offset}}'
-
-processors:
-- add_locale: ~
-{{#if processors}}
-{{processors}}
-{{/if}}
\ No newline at end of file
diff --git a/packages/cisco_ios/1.9.1/data_stream/log/agent/stream/tcp.yml.hbs b/packages/cisco_ios/1.9.1/data_stream/log/agent/stream/tcp.yml.hbs
deleted file mode 100755
index 4a401c1add..0000000000
--- a/packages/cisco_ios/1.9.1/data_stream/log/agent/stream/tcp.yml.hbs
+++ /dev/null
@@ -1,27 +0,0 @@
-host: "{{syslog_host}}:{{syslog_port}}"
-tags:
-{{#if preserve_original_event}}
- - preserve_original_event
-{{/if}}
-{{#each tags as |tag i|}}
- - {{tag}}
-{{/each}}
-{{#contains "forwarded" tags}}
-publisher_pipeline.disable_host: true
-{{/contains}}
-{{#if ssl}}
-ssl: {{ssl}}
-{{/if}}
-fields_under_root: true
-fields:
- _conf:
- tz_offset: '{{tz_offset}}'
-
-processors:
-- add_locale: ~
-{{#if processors}}
-{{processors}}
-{{/if}}
-{{#if tcp_options}}
-{{tcp_options}}
-{{/if}}
\ No newline at end of file
diff --git a/packages/cisco_ios/1.9.1/data_stream/log/agent/stream/udp.yml.hbs b/packages/cisco_ios/1.9.1/data_stream/log/agent/stream/udp.yml.hbs
deleted file mode 100755
index f0f20354c1..0000000000
--- a/packages/cisco_ios/1.9.1/data_stream/log/agent/stream/udp.yml.hbs
+++ /dev/null
@@ -1,22 +0,0 @@ -host: "{{syslog_host}}:{{syslog_port}}" -tags: -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#each tags as |tag i|}} - - {{tag}} -{{/each}} -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} - -fields_under_root: true -fields: - _conf: - tz_offset: '{{tz_offset}}' - -processors: -- add_locale: ~ -{{#if processors}} -{{processors}} -{{/if}} \ No newline at end of file diff --git a/packages/cisco_ios/1.9.1/data_stream/log/elasticsearch/ingest_pipeline/default.yml b/packages/cisco_ios/1.9.1/data_stream/log/elasticsearch/ingest_pipeline/default.yml deleted file mode 100755 index 74d2929aff..0000000000 --- a/packages/cisco_ios/1.9.1/data_stream/log/elasticsearch/ingest_pipeline/default.yml +++ /dev/null 
@@ -1,301 +0,0 @@ ---- -description: Pipeline for Cisco IOS logs. - -processors: - - set: - field: ecs.version - value: '8.4.0' - - set: - field: event.category - value: network - - set: - field: event.provider - value: firewall - - set: - field: event.type - value: info - - - set: - field: event.original - copy_from: message - override: false - - remove: - field: message - ignore_missing: true - - dissect: - field: event.original - pattern: '%{_temp_.header} %%{message}' - - grok: - field: _temp_.header - patterns: - - '^<%{NONNEGINT:log.syslog.priority:long}>%{NUMBER:cisco.ios.message_count}?: (?:%{SYSLOGHOST:log.syslog.hostname}: )?(?:%{NUMBER:cisco.ios.sequence}: )?(%{CISCO_TIMESTAMP:_temp_.cisco_timestamp}|%{NOTSPACE:cisco.ios.uptime}:)' - - '%{SYSLOGHOST:log.syslog.hostname} (%{NUMBER:cisco.ios.sequence}: )?%{CISCO_TIMESTAMP:_temp_.cisco_timestamp}' - pattern_definitions: - CISCO_TIMESTAMP: '%{CISCOTIMESTAMP}(?: %{TZ})?' - ignore_failure: true - - set: - field: event.sequence - copy_from: cisco.ios.sequence - if: ctx.cisco?.ios?.sequence != null - - convert: - field: cisco.ios.message_count - type: long - ignore_failure: true - - set: - field: event.sequence - copy_from: cisco.ios.message_count - if: ctx.cisco?.ios?.message_count != null && ctx.event?.sequence == null - ignore_failure: true - - gsub: - description: Remove double spacing from the date. - field: _temp_.cisco_timestamp - ignore_missing: true - pattern: ' {2,}' - replacement: ' ' - - set: - field: _conf.tz_offset - value: UTC - override: false - - date: - if: ctx?._temp_.cisco_timestamp != null - field: _temp_.cisco_timestamp - formats: - - "MMM d yyyy HH:mm:ss.SSS z" - - "MMM d yyyy HH:mm:ss.SSS" - - "MMM d yyyy HH:mm:ss z" - - "MMM d yyyy HH:mm:ss" - - # Repeat without year. 
- - "MMM d HH:mm:ss.SSS z" - - "MMM d HH:mm:ss.SSS" - - "MMM d HH:mm:ss z" - - "MMM d HH:mm:ss" - timezone: '{{{_conf.tz_offset}}}' - - grok: - field: message - patterns: - - "%{DATA:cisco.ios.facility}-%{POSINT:event.severity}-%{DATA:event.code}: %{GREEDYDATA:message}" - - convert: - field: event.severity - type: long - ignore_missing: true - - convert: - field: event.sequence - type: long - ignore_missing: true - - dissect: - field: message - pattern: "list %{cisco.ios.access_list} %{_temp_.event.action} %{network.transport} %{source.address}(%{source.port}) %{} %{destination.address}(%{destination.port}), %{source.packets} packet" - if: "['IPACCESSLOGP', 'ACCESSLOGP'].contains(ctx.event?.code)" - - dissect: - field: message - pattern: "list %{cisco.ios.access_list} %{_temp_.event.action} %{network.transport} %{source.address} %{} %{destination.address} (%{icmp.type}/%{icmp.code}), %{source.packets} packet" - if: "['IPACCESSLOGDP', 'ACCESSLOGDP'].contains(ctx.event?.code)" - - dissect: - field: message - pattern: "list %{cisco.ios.access_list} %{_temp_.event.action} %{network.transport} %{source.address} %{} %{destination.address}, %{source.packets} packet" - if: "ctx.event?.code == 'IPACCESSLOGRP'" - - dissect: - field: message - pattern: "list %{cisco.ios.access_list} %{_temp_.event.action} %{network.transport} %{source.address} %{} %{destination.address} (%{igmp.type}), %{source.packets} packet" - if: "['IPACCESSLOGSP', 'ACCESSLOGSP'].contains(ctx.event?.code)" - - dissect: - field: message - pattern: "list %{cisco.ios.access_list} %{_temp_.event.action} %{network.iana_number} %{source.address} %{} %{destination.address}, %{source.packets} packet" - if: "['IPACCESSLOGNP', 'ACCESSLOGNP'].contains(ctx.event?.code)" - - dissect: - field: message - pattern: "%{cisco.ios.action} %{_temp_.event.action} [user: %{source.user.name}] [Source: %{source.address}] [localport: %{destination.port}] at %{}" - if: "ctx.event?.code == 'LOGIN_SUCCESS'" - - dissect: - field: 
message - pattern: "User %{source.user.name} has %{cisco.ios.action} %{cisco.ios.session.type} session %{cisco.ios.session.number}(%{source.address})" - if: "ctx.event?.code == 'LOGOUT'" - - grok: - field: message - patterns: - - 'Received \(%{PIM_SOURCE}, %{DATA:cisco.ios.pim.group.ip}\) %{WORD:cisco.ios.action} from %{IP:source.address} for %{DATA:cisco.ios.outcome} %{IP:destination.address}' - pattern_definitions: - PIM_SOURCE: (%{IP:cisco.ios.pim.source.ip}|%{DATA}) - if: "ctx.event?.code == 'INVALID_RP_JOIN'" - - set: - field: event.action - value: "multicast-join" - if: ctx.event?.code == "INVALID_RP_JOIN" - - set: - field: event.outcome - value: "failure" - if: ctx.event?.code == "INVALID_RP_JOIN" - - set: - field: event.reason - value: "Invalid RP" - if: ctx.event?.code == "INVALID_RP_JOIN" - - convert: - field: destination.address - target_field: destination.ip - type: ip - ignore_failure: true - - convert: - field: source.address - target_field: source.ip - type: ip - ignore_failure: true - - convert: - field: cisco.ios.pim.source.ip - type: ip - ignore_missing: true - - convert: - field: source.port - type: long - ignore_missing: true - - convert: - field: source.packets - type: long - ignore_missing: true - - convert: - field: destination.port - type: long - ignore_missing: true - - set: - field: network.packets - copy_from: source.packets - if: ctx.source?.packets != null - - set: - field: network.type - value: ipv4 - if: "ctx.source?.ip != null && ctx.source?.ip.contains('.')" - - set: - field: network.type - value: ipv6 - if: "ctx.source?.ip != null && ctx.network?.type == null" - - set: - field: event.action - value: deny - if: "ctx._temp_?.event?.action == 'denied'" - - set: - field: event.type - value: denied - if: "ctx.event?.action == 'deny'" - - set: - field: event.action - value: allow - if: "ctx._temp_?.event?.action == 'permitted'" - - set: - field: event.type - value: allowed - if: "ctx.event?.action == 'allow'" - - set: - field: 
"log.level" - if: "ctx.event.severity == 0" - value: emergencies - - set: - field: "log.level" - if: "ctx.event.severity == 1" - value: alert - - set: - field: "log.level" - if: "ctx.event.severity == 2" - value: critical - - set: - field: "log.level" - if: "ctx.event.severity == 3" - value: error - - set: - field: "log.level" - if: "ctx.event.severity == 4" - value: warning - - set: - field: "log.level" - if: "ctx.event.severity == 5" - value: notification - - set: - field: "log.level" - if: "ctx.event.severity == 6" - value: informational - - set: - field: "log.level" - if: "ctx.event.severity == 7" - value: debug - - # IP Geolocation Lookup - - geoip: - field: source.ip - target_field: source.geo - ignore_missing: true - - geoip: - field: destination.ip - target_field: destination.geo - ignore_missing: true - - # IP Autonomous System (AS) Lookup - - geoip: - database_file: GeoLite2-ASN.mmdb - field: source.ip - target_field: source.as - properties: - - asn - - organization_name - ignore_missing: true - - geoip: - database_file: GeoLite2-ASN.mmdb - field: destination.ip - target_field: destination.as - properties: - - asn - - organization_name - ignore_missing: true - - rename: - field: source.as.asn - target_field: source.as.number - ignore_missing: true - - rename: - field: source.as.organization_name - target_field: source.as.organization.name - ignore_missing: true - - rename: - field: destination.as.asn - target_field: destination.as.number - ignore_missing: true - - rename: - field: destination.as.organization_name - target_field: destination.as.organization.name - ignore_missing: true - - - append: - field: related.ip - value: "{{{source.ip}}}" - allow_duplicates: false - if: ctx.source?.ip != null - - append: - field: related.ip - value: "{{{destination.ip}}}" - allow_duplicates: false - if: ctx.destination?.ip != null - - append: - field: related.user - value: "{{{source.user.name}}}" - allow_duplicates: false - if: ctx.source?.user?.name != null - - 
community_id: - ignore_missing: true - ignore_failure: true - - remove: - field: - - _temp_ - - _conf - ignore_missing: true - - remove: - field: event.original - if: "ctx.tags == null || !(ctx.tags.contains('preserve_original_event'))" - ignore_failure: true - ignore_missing: true - -on_failure: - - remove: - field: - - _temp_ - - _conf - ignore_missing: true - - set: - field: error.message - value: "processor {{{ _ingest.on_failure_processor_type}}}: {{{ _ingest.on_failure_message }}}" diff --git a/packages/cisco_ios/1.9.1/data_stream/log/fields/agent.yml b/packages/cisco_ios/1.9.1/data_stream/log/fields/agent.yml deleted file mode 100755 index 32d10234f9..0000000000 --- a/packages/cisco_ios/1.9.1/data_stream/log/fields/agent.yml +++ /dev/null 
@@ -1,216 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. 
- -- name: elastic.agent.id - type: keyword -- name: elastic.agent.snapshot - type: boolean -- name: elastic.agent.version - type: keyword -- name: input.type - type: keyword -- name: log.offset - type: long -- name: log.source.address - type: keyword -- name: hostname - type: keyword - description: Hostname from syslog header. -- name: process.program - type: keyword - description: Process from syslog header. diff --git a/packages/cisco_ios/1.9.1/data_stream/log/fields/base-fields.yml b/packages/cisco_ios/1.9.1/data_stream/log/fields/base-fields.yml deleted file mode 100755 index 30f3b7cd06..0000000000 --- a/packages/cisco_ios/1.9.1/data_stream/log/fields/base-fields.yml +++ /dev/null @@ -1,20 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: event.module - type: constant_keyword - description: Event module - value: cisco_ios -- name: event.dataset - type: constant_keyword - description: Event dataset - value: cisco_ios.log -- name: "@timestamp" - type: date - description: Event timestamp. diff --git a/packages/cisco_ios/1.9.1/data_stream/log/fields/ecs.yml b/packages/cisco_ios/1.9.1/data_stream/log/fields/ecs.yml deleted file mode 100755 index 39f464dfb8..0000000000 --- a/packages/cisco_ios/1.9.1/data_stream/log/fields/ecs.yml +++ /dev/null 
@@ -1,253 +0,0 @@ -- description: |- - Date/time when the event originated. - This is the date/time extracted from the event, typically representing when the event was generated by the source. - If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. - Required field for all events. - name: '@timestamp' - type: date -- description: |- - Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: destination.address - type: keyword -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: destination.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: destination.as.organization.name - type: keyword -- description: City name. - name: destination.geo.city_name - type: keyword -- description: Region ISO code. - name: destination.geo.region_iso_code - type: keyword -- description: Region name. - name: destination.geo.region_name - type: keyword -- description: Name of the continent. - name: destination.geo.continent_name - type: keyword -- description: Country ISO code. - name: destination.geo.country_iso_code - type: keyword -- description: Country name. - name: destination.geo.country_name - type: keyword -- description: Longitude and latitude. - name: destination.geo.location - type: geo_point -- description: IP address of the destination (IPv4 or IPv6). - name: destination.ip - type: ip -- description: Port of the destination. - name: destination.port - type: long -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. 
- When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: Error message. - name: error.message - type: match_only_text -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. This will allow proper categorization of some events that fall in multiple categories. - name: event.category - normalize: - - array - type: keyword -- description: |- - Identification code for this event, if one exists. - Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. - name: event.code - type: keyword -- description: |- - event.created contains the date/time when the event was first read by an agent, or by your pipeline. - This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. - In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. - In case the two timestamps are identical, @timestamp should be used. - name: event.created - type: date -- description: |- - event.created contains the date/time when the event was first read by an agent, or by your pipeline. 
- This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. - In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. - In case the two timestamps are identical, @timestamp should be used. - name: event.created - type: date -- description: |- - Duration of the event in nanoseconds. - If event.start and event.end are known this value should be the difference between the end and start time. - name: event.duration - type: long -- description: event.end contains the date when the event ended or when the activity was last observed. - name: event.end - type: date -- description: |- - Timestamp when an event arrived in the central data store. - This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. - In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. - name: event.ingested - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. 
- name: event.kind - type: keyword -- description: |- - Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. - This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. - doc_values: false - index: false - name: event.original - type: keyword -- description: |- - Source of the event. - Event transports such as Syslog or the Windows Event Log typically mention the source of an event. It can be the name of the software that generated the event (e.g. Sysmon, httpd), or of a subsystem of the operating system (kernel, Microsoft-Windows-Security-Auditing). - name: event.provider - type: keyword -- description: |- - The numeric severity of the event according to your event source. - What the different severity values mean can be different between sources and use cases. It's up to the implementer to make sure severities are consistent across events from the same source. - The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`. - name: event.severity - type: long -- description: event.start contains the date when the event started or when the activity was first observed. - name: event.start - type: date -- description: |- - This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. - Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). 
- name: event.timezone - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. - `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. This will allow proper categorization of some events that fall in multiple event types. - name: event.type - normalize: - - array - type: keyword -- description: |- - Custom key/value pairs. - Can be used to add meta information to events. Should not contain nested objects. All values are stored as keyword. - Example: `docker` and `k8s` labels. - name: labels - type: object -- description: |- - Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. - If the event wasn't read from a log file, do not populate this field. - name: log.file.path - type: keyword -- description: |- - Original log level of the log event. - If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). - Some examples are `warn`, `err`, `i`, `informational`. - name: log.level - type: keyword -- description: |- - For log events the message field contains the log message, optimized for viewing in a log viewer. - For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. - If multiple messages exist, they can be combined into one message. - name: message - type: match_only_text -- description: |- - A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. - Learn more at https://github.com/corelight/community-id-spec. 
- name: network.community_id - type: keyword -- description: IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. - name: network.iana_number - type: keyword -- description: |- - Total packets transferred in both directions. - If `source.packets` and `destination.packets` are known, `network.packets` is their sum. - name: network.packets - type: long -- description: |- - Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) - The field value must be normalized to lowercase for querying. - name: network.transport - type: keyword -- description: |- - In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc - The field value must be normalized to lowercase for querying. - name: network.type - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - normalize: - - array - type: ip -- description: All the user names or other user identifiers seen on the event. - name: related.user - normalize: - - array - type: keyword -- description: |- - Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: source.address - type: keyword -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: Packets sent from the source to the destination. - name: source.packets - type: long -- description: Port of the source. - name: source.port - type: long -- description: Short name or login of the user. - multi_fields: - - name: text - type: match_only_text - name: source.user.name - type: keyword -- description: Unique number allocated to the autonomous system. 
The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: source.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: source.as.organization.name - type: keyword -- description: Name of the continent. - name: source.geo.continent_name - type: keyword -- description: Country ISO code. - name: source.geo.country_iso_code - type: keyword -- description: Country name. - name: source.geo.country_name - type: keyword -- description: City name. - name: source.geo.city_name - type: keyword -- description: Region ISO code. - name: source.geo.region_iso_code - type: keyword -- description: Region name. - name: source.geo.region_name - type: keyword -- description: Longitude and latitude. - name: source.geo.location - type: geo_point -- description: List of keywords used to tag each event. - name: tags - normalize: - - array - type: keyword -- description: |- - Syslog numeric priority of the event, if available. - According to RFCs 5424 and 3164, the priority is 8 * facility + severity. This number is therefore expected to contain a value between 0 and 191. - name: log.syslog.priority - type: long diff --git a/packages/cisco_ios/1.9.1/data_stream/log/fields/fields.yml b/packages/cisco_ios/1.9.1/data_stream/log/fields/fields.yml deleted file mode 100755 index 1eac30828a..0000000000 --- a/packages/cisco_ios/1.9.1/data_stream/log/fields/fields.yml +++ /dev/null 
@@ -1,65 +0,0 @@ -- name: cisco.ios - type: group - fields: - - name: access_list - type: keyword - description: | - Name of the IP access list. - - name: action - type: keyword - description: | - Action taken by the device - - name: facility - type: keyword - description: | - The facility to which the message refers (for example, SNMP, SYS, and so forth). A facility can be a hardware device, a protocol, or a module of the system software. It denotes the source or the cause of the system message. - - name: pim - type: group - fields: - - name: group - type: group - fields: - - name: ip - type: ip - description: Multicast group IP - - name: source - type: group - fields: - - name: ip - type: ip - description: Multicast source IP - - name: outcome - type: keyword - description: The result of the event - - name: sequence - type: keyword - description: Sequence number provided by the device when the device's service sequence-numbers global configuration is set. - - name: message_count - type: long - description: Message count number provided by the device when the device's service message-counter global configuration is set. - - name: session - type: group - description: Fields for Session information - fields: - - name: number - type: integer - description: Session ID - - name: type - type: keyword - example: tty - description: Session type - - name: uptime - type: keyword - description: The uptime for the device. -- name: icmp.code - type: keyword - description: ICMP code. -- name: icmp.type - type: keyword - description: ICMP type. -- name: igmp.type - type: keyword - description: IGMP type. -- name: log.syslog.hostname - type: keyword - description: Hostname parsed from syslog header. diff --git a/packages/cisco_ios/1.9.1/data_stream/log/manifest.yml b/packages/cisco_ios/1.9.1/data_stream/log/manifest.yml deleted file mode 100755 index de5d50174a..0000000000 --- a/packages/cisco_ios/1.9.1/data_stream/log/manifest.yml +++ /dev/null 
@@ -1,176 +0,0 @@
-title: Cisco IOS logs
-type: logs
-streams:
- - input: udp
- title: Cisco IOS logs
- description: Collect Cisco IOS logs
- template_path: udp.yml.hbs
- vars:
- - name: tags
- type: text
- title: Tags
- multi: true
- required: true
- show_user: false
- default:
- - cisco-ios
- - forwarded
- - name: syslog_host
- type: text
- title: Host to listen on
- multi: false
- required: true
- show_user: true
- default: localhost
- - name: syslog_port
- type: integer
- title: Syslog Port
- multi: false
- required: true
- show_user: true
- default: 9002
- - name: preserve_original_event
- required: true
- show_user: true
- title: Preserve original event
- description: Preserves a raw copy of the original event, added to the field `event.original`
- type: bool
- multi: false
- default: false
- - name: tz_offset
- type: text
- title: Timezone
- multi: false
- required: true
- show_user: false
- default: UTC
- description: IANA time zone or time offset (e.g. `+0200`) to use when interpreting syslog timestamps without a time zone.
- - name: processors
- type: yaml
- title: Processors
- multi: false
- required: false
- show_user: false
- description: >
- Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
-
- - input: tcp
- title: Cisco IOS logs
- description: Collect Cisco IOS logs
- template_path: tcp.yml.hbs
- vars:
- - name: tags
- type: text
- title: Tags
- multi: true
- required: true
- show_user: false
- default:
- - cisco-ios
- - forwarded
- - name: syslog_host
- type: text
- title: Host to listen on
- multi: false
- required: true
- show_user: true
- default: localhost
- - name: syslog_port
- type: integer
- title: Syslog Port
- multi: false
- required: true
- show_user: true
- default: 9002
- - name: preserve_original_event
- required: true
- show_user: true
- title: Preserve original event
- description: Preserves a raw copy of the original event, added to the field `event.original`
- type: bool
- multi: false
- default: false
- - name: tz_offset
- type: text
- title: Timezone
- multi: false
- required: true
- show_user: false
- default: UTC
- description: IANA time zone or time offset (e.g. `+0200`) to use when interpreting syslog timestamps without a time zone.
- - name: processors
- type: yaml
- title: Processors
- multi: false
- required: false
- show_user: false
- description: >
- Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
-
- - name: ssl
- type: yaml
- title: SSL Configuration
- description: i.e. certificate, keys, supported_protocols, verification_mode etc. See [SSL](https://www.elastic.co/guide/en/beats/filebeat/current/configuration-ssl.html#ssl-server-config) for details.
- multi: false
- required: false
- show_user: false
- default: |
- #certificate: "/etc/server/cert.pem"
- #key: "/etc/server/key.pem"
- - name: tcp_options
- type: yaml
- title: Custom TCP Options
- multi: false
- required: false
- show_user: false
- default: |
- #max_connections: 1
- #framing: delimiter
- #line_delimiter: "\n"
- description: Specify custom configuration options for the TCP input. See [TCP](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-tcp.html) for details.
- - input: logfile
- enabled: false
- title: Cisco IOS logs
- description: Collect Cisco IOS logs from file
- vars:
- - name: paths
- type: text
- title: Paths
- multi: true
- required: true
- show_user: true
- default:
- - /var/log/cisco-ios.log
- - name: tags
- type: text
- title: Tags
- multi: true
- required: true
- show_user: false
- default:
- - cisco-ios
- - forwarded
- - name: preserve_original_event
- required: true
- show_user: true
- title: Preserve original event
- description: Preserves a raw copy of the original event, added to the field `event.original`
- type: bool
- multi: false
- default: false
- - name: tz_offset
- type: text
- title: Timezone
- multi: false
- required: true
- show_user: false
- default: UTC
- description: IANA time zone or time offset (e.g. `+0200`) to use when interpreting syslog timestamps without a time zone.
- - name: processors
- type: yaml
- title: Processors
- multi: false
- required: false
- show_user: false
- description: >-
- Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
diff --git a/packages/cisco_ios/1.9.1/data_stream/log/sample_event.json b/packages/cisco_ios/1.9.1/data_stream/log/sample_event.json
deleted file mode 100755
index 8c6e38575d..0000000000
--- a/packages/cisco_ios/1.9.1/data_stream/log/sample_event.json
+++ /dev/null
@@ -1,60 +0,0 @@
-{
- "@timestamp": "2022-01-06T20:52:12.861Z",
- "agent": {
- "ephemeral_id": "4bd1343d-9dcb-41b1-acc2-0c9242506d4d",
- "id": "9e9a5067-5380-4f64-9fb0-e004f4733651",
- "name": "docker-fleet-agent",
- "type": "filebeat",
- "version": "8.3.2"
- },
- "cisco": {
- "ios": {
- "facility": "SYS",
- "message_count": 2360957
- }
- },
- "data_stream": {
- "dataset": "cisco_ios.log",
- "namespace": "ep",
- "type": "logs"
- },
- "ecs": {
- "version": "8.3.0"
- },
- "elastic_agent": {
- "id": "9e9a5067-5380-4f64-9fb0-e004f4733651",
- "snapshot": false,
- "version": "8.3.2"
- },
- "event": {
- "agent_id_status": "verified",
- "category": "network",
- "code": "CONFIG_I",
- "dataset": "cisco_ios.log",
- "ingested": "2022-08-08T05:05:27Z",
- "original": "\u003c189\u003e2360957: Jan 6 2022 20:52:12.861: %SYS-5-CONFIG_I: Configured from console by akroh on vty0 (10.100.11.10)",
- "provider": "firewall",
- "sequence": 2360957,
- "severity": 5,
- "timezone": "+00:00",
- "type": "info"
- },
- "input": {
- "type": "tcp"
- },
- "log": {
- "level": "notification",
- "source": {
- "address": "172.26.0.4:57514"
- },
- "syslog": {
- "priority": 189
- }
- },
- "message": "Configured from console by akroh on vty0 (10.100.11.10)",
- "tags": [
- "preserve_original_event",
- "cisco-ios",
- "forwarded"
- ]
-}
\ No newline at end of file
diff --git a/packages/cisco_ios/1.9.1/docs/README.md b/packages/cisco_ios/1.9.1/docs/README.md
deleted file mode 100755
index 4225296027..0000000000
--- a/packages/cisco_ios/1.9.1/docs/README.md
+++ /dev/null
@@ -1,198 +0,0 @@
-# Cisco IOS Integration
-
-This integration is for [Cisco IOS network devices'](https://developer.cisco.com/docs/) logs. It includes the following
-datasets for receiving logs over syslog or read from a file:
-
-## Log Configuration
-
-The Cisco appliance may be [configured in a variety of ways](https://www.cisco.com/c/en/us/td/docs/routers/access/wireless/software/guide/SysMsgLogging.html) to include or exclude fields. The Cisco IOS Integration expects the host name and timestamp to be present. If the `sequence-number` is configured to be present it will be used to populate `event.sequence`. If it is not, but `message-count` is configured to be present that field will be used in its place.
-
-### IOS
-
-The `log` dataset collects the Cisco IOS router and switch logs.
-
-An example event for `log` looks as following:
-
-```json
-{
- "@timestamp": "2022-01-06T20:52:12.861Z",
- "agent": {
- "ephemeral_id": "4bd1343d-9dcb-41b1-acc2-0c9242506d4d",
- "id": "9e9a5067-5380-4f64-9fb0-e004f4733651",
- "name": "docker-fleet-agent",
- "type": "filebeat",
- "version": "8.3.2"
- },
- "cisco": {
- "ios": {
- "facility": "SYS",
- "message_count": 2360957
- }
- },
- "data_stream": {
- "dataset": "cisco_ios.log",
- "namespace": "ep",
- "type": "logs"
- },
- "ecs": {
- "version": "8.3.0"
- },
- "elastic_agent": {
- "id": "9e9a5067-5380-4f64-9fb0-e004f4733651",
- "snapshot": false,
- "version": "8.3.2"
- },
- "event": {
- "agent_id_status": "verified",
- "category": "network",
- "code": "CONFIG_I",
- "dataset": "cisco_ios.log",
- "ingested": "2022-08-08T05:05:27Z",
- "original": "\u003c189\u003e2360957: Jan 6 2022 20:52:12.861: %SYS-5-CONFIG_I: Configured from console by akroh on vty0 (10.100.11.10)",
- "provider": "firewall",
- "sequence": 2360957,
- "severity": 5,
- "timezone": "+00:00",
- "type": "info"
- },
- "input": {
- "type": "tcp"
- },
- "log": {
- "level": "notification",
- "source": {
- "address": "172.26.0.4:57514"
- },
- "syslog": {
- "priority": 189
-
}
- },
- "message": "Configured from console by akroh on vty0 (10.100.11.10)",
- "tags": [
- "preserve_original_event",
- "cisco-ios",
- "forwarded"
- ]
-}
-```
-
-**Exported fields**
-
-| Field | Description | Type |
-|---|---|---|
-| @timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. | date |
-| cisco.ios.access_list | Name of the IP access list. | keyword |
-| cisco.ios.action | Action taken by the device | keyword |
-| cisco.ios.facility | The facility to which the message refers (for example, SNMP, SYS, and so forth). A facility can be a hardware device, a protocol, or a module of the system software. It denotes the source or the cause of the system message. | keyword |
-| cisco.ios.message_count | Message count number provided by the device when the device's service message-counter global configuration is set. | long |
-| cisco.ios.outcome | The result of the event | keyword |
-| cisco.ios.pim.group.ip | Multicast group IP | ip |
-| cisco.ios.pim.source.ip | Multicast source IP | ip |
-| cisco.ios.sequence | Sequence number provided by the device when the device's service sequence-numbers global configuration is set. | keyword |
-| cisco.ios.session.number | Session ID | integer |
-| cisco.ios.session.type | Session type | keyword |
-| cisco.ios.uptime | The uptime for the device. | keyword |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
-| cloud.image.id | Image ID for the cloud instance.
| keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
-| data_stream.dataset | Data stream dataset. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
-| destination.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long |
-| destination.as.organization.name | Organization name. | keyword |
-| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. | match_only_text |
-| destination.geo.city_name | City name. | keyword |
-| destination.geo.continent_name | Name of the continent. | keyword |
-| destination.geo.country_iso_code | Country ISO code. | keyword |
-| destination.geo.country_name | Country name. | keyword |
-| destination.geo.location | Longitude and latitude. | geo_point |
-| destination.geo.region_iso_code | Region ISO code. | keyword |
-| destination.geo.region_name | Region name.
| keyword | -| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | -| destination.port | Port of the destination. | long | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| elastic.agent.id | | keyword | -| elastic.agent.snapshot | | boolean | -| elastic.agent.version | | keyword | -| error.message | Error message. | match_only_text | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.code | Identification code for this event, if one exists. Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. | keyword | -| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. 
| date |
-| event.dataset | Event dataset | constant_keyword |
-| event.duration | Duration of the event in nanoseconds. If event.start and event.end are known this value should be the difference between the end and start time. | long |
-| event.end | event.end contains the date when the event ended or when the activity was last observed. | date |
-| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date |
-| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword |
-| event.module | Event module | constant_keyword |
-| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword |
-| event.provider | Source of the event.
Event transports such as Syslog or the Windows Event Log typically mention the source of an event. It can be the name of the software that generated the event (e.g. Sysmon, httpd), or of a subsystem of the operating system (kernel, Microsoft-Windows-Security-Auditing). | keyword |
-| event.severity | The numeric severity of the event according to your event source. What the different severity values mean can be different between sources and use cases. It's up to the implementer to make sure severities are consistent across events from the same source. The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`. | long |
-| event.start | event.start contains the date when the event started or when the activity was first observed. | date |
-| event.timezone | This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). | keyword |
-| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member.
For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| hostname | Hostname from syslog header. | keyword |
-| icmp.code | ICMP code. | keyword |
-| icmp.type | ICMP type. | keyword |
-| igmp.type | IGMP type. | keyword |
-| input.type | | keyword |
-| labels | Custom key/value pairs. Can be used to add meta information to events. Should not contain nested objects. All values are stored as keyword. Example: `docker` and `k8s` labels.
| object |
-| log.file.path | Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. | keyword |
-| log.level | Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). Some examples are `warn`, `err`, `i`, `informational`. | keyword |
-| log.offset | | long |
-| log.source.address | | keyword |
-| log.syslog.hostname | Hostname parsed from syslog header. | keyword |
-| log.syslog.priority | Syslog numeric priority of the event, if available. According to RFCs 5424 and 3164, the priority is 8 \* facility + severity. This number is therefore expected to contain a value between 0 and 191. | long |
-| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text |
-| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword |
-| network.iana_number | IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. | keyword |
-| network.packets | Total packets transferred in both directions. If `source.packets` and `destination.packets` are known, `network.packets` is their sum.
| long |
-| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword |
-| network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword |
-| process.program | Process from syslog header. | keyword |
-| related.ip | All of the IPs seen on your event. | ip |
-| related.user | All the user names or other user identifiers seen on the event. | keyword |
-| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
-| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long |
-| source.as.organization.name | Organization name. | keyword |
-| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text |
-| source.geo.city_name | City name. | keyword |
-| source.geo.continent_name | Name of the continent. | keyword |
-| source.geo.country_iso_code | Country ISO code. | keyword |
-| source.geo.country_name | Country name. | keyword |
-| source.geo.location | Longitude and latitude. | geo_point |
-| source.geo.region_iso_code | Region ISO code. | keyword |
-| source.geo.region_name | Region name. | keyword |
-| source.ip | IP address of the source (IPv4 or IPv6). | ip |
-| source.packets | Packets sent from the source to the destination. | long |
-| source.port | Port of the source. | long |
-| source.user.name | Short name or login of the user. | keyword |
-| source.user.name.text | Multi-field of `source.user.name`.
| match_only_text |
-| tags | List of keywords used to tag each event. | keyword |
diff --git a/packages/cisco_ios/1.9.1/img/cisco.svg b/packages/cisco_ios/1.9.1/img/cisco.svg
deleted file mode 100755
index 20ebebf197..0000000000
--- a/packages/cisco_ios/1.9.1/img/cisco.svg
+++ /dev/null
@@ -1 +0,0 @@
-
\ No newline at end of file
diff --git a/packages/cisco_ios/1.9.1/manifest.yml b/packages/cisco_ios/1.9.1/manifest.yml
deleted file mode 100755
index 0da19bfce0..0000000000
--- a/packages/cisco_ios/1.9.1/manifest.yml
+++ /dev/null
@@ -1,34 +0,0 @@
-format_version: 1.0.0
-name: cisco_ios
-title: Cisco IOS
-version: "1.9.1"
-license: basic
-description: Collect logs from Cisco IOS with Elastic Agent.
-type: integration
-categories:
- - network
- - security
-release: ga
-conditions:
- kibana.version: "^7.16.0 || ^8.0.0"
-icons:
- - src: /img/cisco.svg
- title: cisco
- size: 216x216
- type: image/svg+xml
-policy_templates:
- - name: cisco_ios
- title: Cisco IOS logs
- description: Collect logs from Cisco IOS instances
- inputs:
- - type: tcp
- title: Collect logs from Cisco IOS via TCP
- description: Collecting logs from Cisco IOS via TCP
- - type: udp
- title: Collect logs from Cisco IOS via UDP
- description: Collecting logs from Cisco IOS via UDP
- - type: logfile
- title: Collect logs from Cisco IOS via file
- description: Collecting logs from Cisco IOS via file
-owner:
- github: elastic/security-external-integrations
diff --git a/packages/cisco_ios/1.9.2/LICENSE.txt b/packages/cisco_ios/1.9.2/LICENSE.txt
deleted file mode 100755
index 809108b857..0000000000
--- a/packages/cisco_ios/1.9.2/LICENSE.txt
+++ /dev/null
@@ -1,93 +0,0 @@
-Elastic License 2.0
-
-URL: https://www.elastic.co/licensing/elastic-license
-
-## Acceptance
-
-By using the software, you agree to all of the terms and conditions below.
-
-## Copyright License
-
-The licensor grants you a non-exclusive, royalty-free, worldwide,
-non-sublicensable, non-transferable license to use, copy, distribute, make
-available, and prepare derivative works of the software, in each case subject to
-the limitations and conditions below.
-
-## Limitations
-
-You may not provide the software to third parties as a hosted or managed
-service, where the service provides users with access to any substantial set of
-the features or functionality of the software.
-
-You may not move, change, disable, or circumvent the license key functionality
-in the software, and you may not remove or obscure any functionality in the
-software that is protected by the license key.
-
-You may not alter, remove, or obscure any licensing, copyright, or other notices
-of the licensor in the software. Any use of the licensor’s trademarks is subject
-to applicable law.
-
-## Patents
-
-The licensor grants you a license, under any patent claims the licensor can
-license, or becomes able to license, to make, have made, use, sell, offer for
-sale, import and have imported the software, in each case subject to the
-limitations and conditions in this license. This license does not cover any
-patent claims that you cause to be infringed by modifications or additions to
-the software. If you or your company make any written claim that the software
-infringes or contributes to infringement of any patent, your patent license for
-the software granted under these terms ends immediately. If your company makes
-such a claim, your patent license ends immediately for work on behalf of your
-company.
-
-## Notices
-
-You must ensure that anyone who gets a copy of any part of the software from you
-also gets a copy of these terms.
-
-If you modify the software, you must include in any modified copies of the
-software prominent notices stating that you have modified the software.
-
-## No Other Rights
-
-These terms do not imply any licenses other than those expressly granted in
-these terms.
-
-## Termination
-
-If you use the software in violation of these terms, such use is not licensed,
-and your licenses will automatically terminate. If the licensor provides you
-with a notice of your violation, and you cease all violation of this license no
-later than 30 days after you receive that notice, your licenses will be
-reinstated retroactively. However, if you violate these terms after such
-reinstatement, any additional violation of these terms will cause your licenses
-to terminate automatically and permanently.
-
-## No Liability
-
-*As far as the law allows, the software comes as is, without any warranty or
-condition, and the licensor will not be liable to you for any damages arising
-out of these terms or the use or nature of the software, under any kind of
-legal claim.*
-
-## Definitions
-
-The **licensor** is the entity offering these terms, and the **software** is the
-software the licensor makes available under these terms, including any portion
-of it.
-
-**you** refers to the individual or entity agreeing to these terms.
-
-**your company** is any legal entity, sole proprietorship, or other kind of
-organization that you work for, plus all organizations that have control over,
-are under the control of, or are under common control with that
-organization. **control** means ownership of substantially all the assets of an
-entity, or the power to direct its management and policies by vote, contract, or
-otherwise. Control can be direct or indirect.
-
-**your licenses** are all the licenses granted to you for the software under
-these terms.
-
-**use** means anything you do with the software requiring one of your licenses.
-
-**trademark** means trademarks, service marks, and similar rights.
diff --git a/packages/cisco_ios/1.9.2/changelog.yml b/packages/cisco_ios/1.9.2/changelog.yml
deleted file mode 100755
index 6950368d1a..0000000000
--- a/packages/cisco_ios/1.9.2/changelog.yml
+++ /dev/null
@@ -1,104 +0,0 @@ -# newer versions go on top -- version: "1.9.2" - changes: - - description: Remove duplicate field. - type: bugfix - link: https://github.com/elastic/integrations/issues/4327 -- version: "1.9.1" - changes: - - description: Use ECS geo.location definition. - type: enhancement - link: https://github.com/elastic/integrations/issues/4227 -- version: "1.9.0" - changes: - - description: Handle ASR Log Format. - type: enhancement - link: https://github.com/elastic/integrations/pull/3694 -- version: "1.8.0" - changes: - - description: Update package to ECS 8.4.0 - type: enhancement - link: https://github.com/elastic/integrations/pull/3842 -- version: "1.7.2" - changes: - - description: Improve TCP, SSL config description and example. - type: enhancement - link: https://github.com/elastic/integrations/pull/3763 -- version: "1.7.1" - changes: - - description: update readme file - added link to cisco documentation - type: enhancement - link: https://github.com/elastic/integrations/pull/2932 -- version: "1.7.0" - changes: - - description: Update package to ECS 8.3.0. 
- type: enhancement
- link: https://github.com/elastic/integrations/pull/3353
-- version: "1.6.0"
- changes:
- - description: Add TLS system test
- type: enhancement
- link: https://github.com/elastic/integrations/pull/3338
- - description: Add TCP input with TLS support
- type: enhancement
- link: https://github.com/elastic/integrations/pull/3314
-- version: "1.5.0"
- changes:
- - description: Update to ECS 8.2
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2778
-- version: "1.4.2"
- changes:
- - description: Add documentation for multi-fields
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2916
-- version: "1.4.1"
- changes:
- - description: Add missing event.original mapping
- type: bugfix
- link: https://github.com/elastic/integrations/pull/2636
-- version: "1.4.0"
- changes:
- - description: Update to ECS 8.0
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2392
-- version: "1.3.0"
- changes:
- - description: Add syslog header and timestamp parsing.
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2475
-- version: "1.2.2"
- changes:
- - description: Regenerate test files using the new GeoIP database
- type: bugfix
- link: https://github.com/elastic/integrations/pull/2339
-- version: "1.2.1"
- changes:
- - description: Change test public IPs to the supported subset
- type: bugfix
- link: https://github.com/elastic/integrations/pull/2327
-- version: "1.2.0"
- changes:
- - description: Add 8.0.0 version constraint
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2279
-- version: "1.1.2"
- changes:
- - description: Update Title and Description.
- type: enhancement
- link: https://github.com/elastic/integrations/pull/1955
-- version: "1.1.1"
- changes:
- - description: Fix logic that checks for the 'forwarded' tag
- type: bugfix
- link: https://github.com/elastic/integrations/pull/1807
-- version: "1.1.0"
- changes:
- - description: Update to ECS 1.12.0
- type: enhancement
- link: https://github.com/elastic/integrations/pull/1784
-- version: "1.0.0"
- changes:
- - description: Initial version of Cisco IOS as separate package
- type: enhancement
- link: https://github.com/elastic/integrations/pull/1582
diff --git a/packages/cisco_ios/1.9.2/data_stream/log/agent/stream/stream.yml.hbs b/packages/cisco_ios/1.9.2/data_stream/log/agent/stream/stream.yml.hbs
deleted file mode 100755
index eac70741c1..0000000000
--- a/packages/cisco_ios/1.9.2/data_stream/log/agent/stream/stream.yml.hbs
+++ /dev/null
@@ -1,26 +0,0 @@
-paths:
-{{#each paths as |path i|}}
- - {{path}}
-{{/each}}
-exclude_files: [".gz$"]
-tags:
-{{#if preserve_original_event}}
- - preserve_original_event
-{{/if}}
-{{#each tags as |tag i|}}
- - {{tag}}
-{{/each}}
-{{#contains "forwarded" tags}}
-publisher_pipeline.disable_host: true
-{{/contains}}
-
-fields_under_root: true
-fields:
- _conf:
- tz_offset: '{{tz_offset}}'
-
-processors:
-- add_locale: ~
-{{#if processors}}
-{{processors}}
-{{/if}}
\ No newline at end of file
diff --git a/packages/cisco_ios/1.9.2/data_stream/log/agent/stream/tcp.yml.hbs b/packages/cisco_ios/1.9.2/data_stream/log/agent/stream/tcp.yml.hbs
deleted file mode 100755
index 4a401c1add..0000000000
--- a/packages/cisco_ios/1.9.2/data_stream/log/agent/stream/tcp.yml.hbs
+++ /dev/null
@@ -1,27 +0,0 @@
-host: "{{syslog_host}}:{{syslog_port}}"
-tags:
-{{#if preserve_original_event}}
- - preserve_original_event
-{{/if}}
-{{#each tags as |tag i|}}
- - {{tag}}
-{{/each}}
-{{#contains "forwarded" tags}}
-publisher_pipeline.disable_host: true
-{{/contains}}
-{{#if ssl}}
-ssl: {{ssl}}
-{{/if}}
-fields_under_root: true
-fields:
- _conf:
- tz_offset: '{{tz_offset}}'
-
-processors:
-- add_locale: ~
-{{#if processors}}
-{{processors}}
-{{/if}}
-{{#if tcp_options}}
-{{tcp_options}}
-{{/if}}
\ No newline at end of file
diff --git a/packages/cisco_ios/1.9.2/data_stream/log/agent/stream/udp.yml.hbs b/packages/cisco_ios/1.9.2/data_stream/log/agent/stream/udp.yml.hbs
deleted file mode 100755
index f0f20354c1..0000000000
--- a/packages/cisco_ios/1.9.2/data_stream/log/agent/stream/udp.yml.hbs
+++ /dev/null
@@ -1,22 +0,0 @@
-host: "{{syslog_host}}:{{syslog_port}}"
-tags:
-{{#if preserve_original_event}}
- - preserve_original_event
-{{/if}}
-{{#each tags as |tag i|}}
- - {{tag}}
-{{/each}}
-{{#contains "forwarded" tags}}
-publisher_pipeline.disable_host: true
-{{/contains}}
-
-fields_under_root: true
-fields:
- _conf:
- tz_offset: '{{tz_offset}}'
-
-processors:
-- add_locale: ~
-{{#if processors}}
-{{processors}}
-{{/if}}
\ No newline at end of file
diff --git a/packages/cisco_ios/1.9.2/data_stream/log/elasticsearch/ingest_pipeline/default.yml b/packages/cisco_ios/1.9.2/data_stream/log/elasticsearch/ingest_pipeline/default.yml
deleted file mode 100755
index 74d2929aff..0000000000
--- a/packages/cisco_ios/1.9.2/data_stream/log/elasticsearch/ingest_pipeline/default.yml
+++ /dev/null
@@ -1,301 +0,0 @@
----
-description: Pipeline for Cisco IOS logs.
-
-processors:
- - set:
- field: ecs.version
- value: '8.4.0'
- - set:
- field: event.category
- value: network
- - set:
- field: event.provider
- value: firewall
- - set:
- field: event.type
- value: info
-
- - set:
- field: event.original
- copy_from: message
- override: false
- - remove:
- field: message
- ignore_missing: true
- - dissect:
- field: event.original
- pattern: '%{_temp_.header} %%{message}'
- - grok:
- field: _temp_.header
- patterns:
- - '^<%{NONNEGINT:log.syslog.priority:long}>%{NUMBER:cisco.ios.message_count}?: (?:%{SYSLOGHOST:log.syslog.hostname}: )?(?:%{NUMBER:cisco.ios.sequence}: )?(%{CISCO_TIMESTAMP:_temp_.cisco_timestamp}|%{NOTSPACE:cisco.ios.uptime}:)'
- - '%{SYSLOGHOST:log.syslog.hostname} (%{NUMBER:cisco.ios.sequence}: )?%{CISCO_TIMESTAMP:_temp_.cisco_timestamp}'
- pattern_definitions:
- CISCO_TIMESTAMP: '%{CISCOTIMESTAMP}(?: %{TZ})?'
- ignore_failure: true
- - set:
- field: event.sequence
- copy_from: cisco.ios.sequence
- if: ctx.cisco?.ios?.sequence != null
- - convert:
- field: cisco.ios.message_count
- type: long
- ignore_failure: true
- - set:
- field: event.sequence
- copy_from: cisco.ios.message_count
- if: ctx.cisco?.ios?.message_count != null && ctx.event?.sequence == null
- ignore_failure: true
- - gsub:
- description: Remove double spacing from the date.
- field: _temp_.cisco_timestamp
- ignore_missing: true
- pattern: ' {2,}'
- replacement: ' '
- - set:
- field: _conf.tz_offset
- value: UTC
- override: false
- - date:
- if: ctx?._temp_.cisco_timestamp != null
- field: _temp_.cisco_timestamp
- formats:
- - "MMM d yyyy HH:mm:ss.SSS z"
- - "MMM d yyyy HH:mm:ss.SSS"
- - "MMM d yyyy HH:mm:ss z"
- - "MMM d yyyy HH:mm:ss"
-
- # Repeat without year.
- - "MMM d HH:mm:ss.SSS z"
- - "MMM d HH:mm:ss.SSS"
- - "MMM d HH:mm:ss z"
- - "MMM d HH:mm:ss"
- timezone: '{{{_conf.tz_offset}}}'
- - grok:
- field: message
- patterns:
- - "%{DATA:cisco.ios.facility}-%{POSINT:event.severity}-%{DATA:event.code}: %{GREEDYDATA:message}"
- - convert:
- field: event.severity
- type: long
- ignore_missing: true
- - convert:
- field: event.sequence
- type: long
- ignore_missing: true
- - dissect:
- field: message
- pattern: "list %{cisco.ios.access_list} %{_temp_.event.action} %{network.transport} %{source.address}(%{source.port}) %{} %{destination.address}(%{destination.port}), %{source.packets} packet"
- if: "['IPACCESSLOGP', 'ACCESSLOGP'].contains(ctx.event?.code)"
- - dissect:
- field: message
- pattern: "list %{cisco.ios.access_list} %{_temp_.event.action} %{network.transport} %{source.address} %{} %{destination.address} (%{icmp.type}/%{icmp.code}), %{source.packets} packet"
- if: "['IPACCESSLOGDP', 'ACCESSLOGDP'].contains(ctx.event?.code)"
- - dissect:
- field: message
- pattern: "list %{cisco.ios.access_list} %{_temp_.event.action} %{network.transport} %{source.address} %{} %{destination.address}, %{source.packets} packet"
- if: "ctx.event?.code == 'IPACCESSLOGRP'"
- - dissect:
- field: message
- pattern: "list %{cisco.ios.access_list} %{_temp_.event.action} %{network.transport} %{source.address} %{} %{destination.address} (%{igmp.type}), %{source.packets} packet"
- if: "['IPACCESSLOGSP', 'ACCESSLOGSP'].contains(ctx.event?.code)"
- - dissect:
- field: message
- pattern: "list %{cisco.ios.access_list} %{_temp_.event.action} %{network.iana_number} %{source.address} %{} %{destination.address}, %{source.packets} packet"
- if: "['IPACCESSLOGNP', 'ACCESSLOGNP'].contains(ctx.event?.code)"
- - dissect:
- field: message
- pattern: "%{cisco.ios.action} %{_temp_.event.action} [user: %{source.user.name}] [Source: %{source.address}] [localport: %{destination.port}] at %{}"
- if: "ctx.event?.code == 'LOGIN_SUCCESS'"
- - dissect:
- field:
message
- pattern: "User %{source.user.name} has %{cisco.ios.action} %{cisco.ios.session.type} session %{cisco.ios.session.number}(%{source.address})"
- if: "ctx.event?.code == 'LOGOUT'"
- - grok:
- field: message
- patterns:
- - 'Received \(%{PIM_SOURCE}, %{DATA:cisco.ios.pim.group.ip}\) %{WORD:cisco.ios.action} from %{IP:source.address} for %{DATA:cisco.ios.outcome} %{IP:destination.address}'
- pattern_definitions:
- PIM_SOURCE: (%{IP:cisco.ios.pim.source.ip}|%{DATA})
- if: "ctx.event?.code == 'INVALID_RP_JOIN'"
- - set:
- field: event.action
- value: "multicast-join"
- if: ctx.event?.code == "INVALID_RP_JOIN"
- - set:
- field: event.outcome
- value: "failure"
- if: ctx.event?.code == "INVALID_RP_JOIN"
- - set:
- field: event.reason
- value: "Invalid RP"
- if: ctx.event?.code == "INVALID_RP_JOIN"
- - convert:
- field: destination.address
- target_field: destination.ip
- type: ip
- ignore_failure: true
- - convert:
- field: source.address
- target_field: source.ip
- type: ip
- ignore_failure: true
- - convert:
- field: cisco.ios.pim.source.ip
- type: ip
- ignore_missing: true
- - convert:
- field: source.port
- type: long
- ignore_missing: true
- - convert:
- field: source.packets
- type: long
- ignore_missing: true
- - convert:
- field: destination.port
- type: long
- ignore_missing: true
- - set:
- field: network.packets
- copy_from: source.packets
- if: ctx.source?.packets != null
- - set:
- field: network.type
- value: ipv4
- if: "ctx.source?.ip != null && ctx.source?.ip.contains('.')"
- - set:
- field: network.type
- value: ipv6
- if: "ctx.source?.ip != null && ctx.network?.type == null"
- - set:
- field: event.action
- value: deny
- if: "ctx._temp_?.event?.action == 'denied'"
- - set:
- field: event.type
- value: denied
- if: "ctx.event?.action == 'deny'"
- - set:
- field: event.action
- value: allow
- if: "ctx._temp_?.event?.action == 'permitted'"
- - set:
- field: event.type
- value: allowed
- if: "ctx.event?.action == 'allow'"
- - set:
- field:
"log.level"
- if: "ctx.event.severity == 0"
- value: emergencies
- - set:
- field: "log.level"
- if: "ctx.event.severity == 1"
- value: alert
- - set:
- field: "log.level"
- if: "ctx.event.severity == 2"
- value: critical
- - set:
- field: "log.level"
- if: "ctx.event.severity == 3"
- value: error
- - set:
- field: "log.level"
- if: "ctx.event.severity == 4"
- value: warning
- - set:
- field: "log.level"
- if: "ctx.event.severity == 5"
- value: notification
- - set:
- field: "log.level"
- if: "ctx.event.severity == 6"
- value: informational
- - set:
- field: "log.level"
- if: "ctx.event.severity == 7"
- value: debug
-
- # IP Geolocation Lookup
- - geoip:
- field: source.ip
- target_field: source.geo
- ignore_missing: true
- - geoip:
- field: destination.ip
- target_field: destination.geo
- ignore_missing: true
-
- # IP Autonomous System (AS) Lookup
- - geoip:
- database_file: GeoLite2-ASN.mmdb
- field: source.ip
- target_field: source.as
- properties:
- - asn
- - organization_name
- ignore_missing: true
- - geoip:
- database_file: GeoLite2-ASN.mmdb
- field: destination.ip
- target_field: destination.as
- properties:
- - asn
- - organization_name
- ignore_missing: true
- - rename:
- field: source.as.asn
- target_field: source.as.number
- ignore_missing: true
- - rename:
- field: source.as.organization_name
- target_field: source.as.organization.name
- ignore_missing: true
- - rename:
- field: destination.as.asn
- target_field: destination.as.number
- ignore_missing: true
- - rename:
- field: destination.as.organization_name
- target_field: destination.as.organization.name
- ignore_missing: true
-
- - append:
- field: related.ip
- value: "{{{source.ip}}}"
- allow_duplicates: false
- if: ctx.source?.ip != null
- - append:
- field: related.ip
- value: "{{{destination.ip}}}"
- allow_duplicates: false
- if: ctx.destination?.ip != null
- - append:
- field: related.user
- value: "{{{source.user.name}}}"
- allow_duplicates: false
- if: ctx.source?.user?.name != null
- -
community_id:
- ignore_missing: true
- ignore_failure: true
- - remove:
- field:
- - _temp_
- - _conf
- ignore_missing: true
- - remove:
- field: event.original
- if: "ctx.tags == null || !(ctx.tags.contains('preserve_original_event'))"
- ignore_failure: true
- ignore_missing: true
-
-on_failure:
- - remove:
- field:
- - _temp_
- - _conf
- ignore_missing: true
- - set:
- field: error.message
- value: "processor {{{ _ingest.on_failure_processor_type}}}: {{{ _ingest.on_failure_message }}}"
diff --git a/packages/cisco_ios/1.9.2/data_stream/log/fields/agent.yml b/packages/cisco_ios/1.9.2/data_stream/log/fields/agent.yml
deleted file mode 100755
index 32d10234f9..0000000000
--- a/packages/cisco_ios/1.9.2/data_stream/log/fields/agent.yml
+++ /dev/null
@@ -1,216 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. 
- -- name: elastic.agent.id - type: keyword -- name: elastic.agent.snapshot - type: boolean -- name: elastic.agent.version - type: keyword -- name: input.type - type: keyword -- name: log.offset - type: long -- name: log.source.address - type: keyword -- name: hostname - type: keyword - description: Hostname from syslog header. -- name: process.program - type: keyword - description: Process from syslog header. diff --git a/packages/cisco_ios/1.9.2/data_stream/log/fields/base-fields.yml b/packages/cisco_ios/1.9.2/data_stream/log/fields/base-fields.yml deleted file mode 100755 index 2af9255d83..0000000000 --- a/packages/cisco_ios/1.9.2/data_stream/log/fields/base-fields.yml +++ /dev/null @@ -1,17 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: event.module - type: constant_keyword - description: Event module - value: cisco_ios -- name: event.dataset - type: constant_keyword - description: Event dataset - value: cisco_ios.log diff --git a/packages/cisco_ios/1.9.2/data_stream/log/fields/ecs.yml b/packages/cisco_ios/1.9.2/data_stream/log/fields/ecs.yml deleted file mode 100755 index 39f464dfb8..0000000000 --- a/packages/cisco_ios/1.9.2/data_stream/log/fields/ecs.yml +++ /dev/null 
@@ -1,253 +0,0 @@ -- description: |- - Date/time when the event originated. - This is the date/time extracted from the event, typically representing when the event was generated by the source. - If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. - Required field for all events. - name: '@timestamp' - type: date -- description: |- - Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: destination.address - type: keyword -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: destination.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: destination.as.organization.name - type: keyword -- description: City name. - name: destination.geo.city_name - type: keyword -- description: Region ISO code. - name: destination.geo.region_iso_code - type: keyword -- description: Region name. - name: destination.geo.region_name - type: keyword -- description: Name of the continent. - name: destination.geo.continent_name - type: keyword -- description: Country ISO code. - name: destination.geo.country_iso_code - type: keyword -- description: Country name. - name: destination.geo.country_name - type: keyword -- description: Longitude and latitude. - name: destination.geo.location - type: geo_point -- description: IP address of the destination (IPv4 or IPv6). - name: destination.ip - type: ip -- description: Port of the destination. - name: destination.port - type: long -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. 
- When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: Error message. - name: error.message - type: match_only_text -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. This will allow proper categorization of some events that fall in multiple categories. - name: event.category - normalize: - - array - type: keyword -- description: |- - Identification code for this event, if one exists. - Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. - name: event.code - type: keyword -- description: |- - event.created contains the date/time when the event was first read by an agent, or by your pipeline. - This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. - In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. - In case the two timestamps are identical, @timestamp should be used. - name: event.created - type: date -- description: |- - event.created contains the date/time when the event was first read by an agent, or by your pipeline. 
- This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. - In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. - In case the two timestamps are identical, @timestamp should be used. - name: event.created - type: date -- description: |- - Duration of the event in nanoseconds. - If event.start and event.end are known this value should be the difference between the end and start time. - name: event.duration - type: long -- description: event.end contains the date when the event ended or when the activity was last observed. - name: event.end - type: date -- description: |- - Timestamp when an event arrived in the central data store. - This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. - In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. - name: event.ingested - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. 
- name: event.kind - type: keyword -- description: |- - Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. - This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. - doc_values: false - index: false - name: event.original - type: keyword -- description: |- - Source of the event. - Event transports such as Syslog or the Windows Event Log typically mention the source of an event. It can be the name of the software that generated the event (e.g. Sysmon, httpd), or of a subsystem of the operating system (kernel, Microsoft-Windows-Security-Auditing). - name: event.provider - type: keyword -- description: |- - The numeric severity of the event according to your event source. - What the different severity values mean can be different between sources and use cases. It's up to the implementer to make sure severities are consistent across events from the same source. - The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`. - name: event.severity - type: long -- description: event.start contains the date when the event started or when the activity was first observed. - name: event.start - type: date -- description: |- - This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. - Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). 
- name: event.timezone - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. - `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. This will allow proper categorization of some events that fall in multiple event types. - name: event.type - normalize: - - array - type: keyword -- description: |- - Custom key/value pairs. - Can be used to add meta information to events. Should not contain nested objects. All values are stored as keyword. - Example: `docker` and `k8s` labels. - name: labels - type: object -- description: |- - Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. - If the event wasn't read from a log file, do not populate this field. - name: log.file.path - type: keyword -- description: |- - Original log level of the log event. - If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). - Some examples are `warn`, `err`, `i`, `informational`. - name: log.level - type: keyword -- description: |- - For log events the message field contains the log message, optimized for viewing in a log viewer. - For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. - If multiple messages exist, they can be combined into one message. - name: message - type: match_only_text -- description: |- - A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. - Learn more at https://github.com/corelight/community-id-spec. 
- name: network.community_id - type: keyword -- description: IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. - name: network.iana_number - type: keyword -- description: |- - Total packets transferred in both directions. - If `source.packets` and `destination.packets` are known, `network.packets` is their sum. - name: network.packets - type: long -- description: |- - Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) - The field value must be normalized to lowercase for querying. - name: network.transport - type: keyword -- description: |- - In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc - The field value must be normalized to lowercase for querying. - name: network.type - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - normalize: - - array - type: ip -- description: All the user names or other user identifiers seen on the event. - name: related.user - normalize: - - array - type: keyword -- description: |- - Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: source.address - type: keyword -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: Packets sent from the source to the destination. - name: source.packets - type: long -- description: Port of the source. - name: source.port - type: long -- description: Short name or login of the user. - multi_fields: - - name: text - type: match_only_text - name: source.user.name - type: keyword -- description: Unique number allocated to the autonomous system. 
The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: source.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: source.as.organization.name - type: keyword -- description: Name of the continent. - name: source.geo.continent_name - type: keyword -- description: Country ISO code. - name: source.geo.country_iso_code - type: keyword -- description: Country name. - name: source.geo.country_name - type: keyword -- description: City name. - name: source.geo.city_name - type: keyword -- description: Region ISO code. - name: source.geo.region_iso_code - type: keyword -- description: Region name. - name: source.geo.region_name - type: keyword -- description: Longitude and latitude. - name: source.geo.location - type: geo_point -- description: List of keywords used to tag each event. - name: tags - normalize: - - array - type: keyword -- description: |- - Syslog numeric priority of the event, if available. - According to RFCs 5424 and 3164, the priority is 8 * facility + severity. This number is therefore expected to contain a value between 0 and 191. - name: log.syslog.priority - type: long diff --git a/packages/cisco_ios/1.9.2/data_stream/log/fields/fields.yml b/packages/cisco_ios/1.9.2/data_stream/log/fields/fields.yml deleted file mode 100755 index 1eac30828a..0000000000 --- a/packages/cisco_ios/1.9.2/data_stream/log/fields/fields.yml +++ /dev/null 
@@ -1,65 +0,0 @@ -- name: cisco.ios - type: group - fields: - - name: access_list - type: keyword - description: | - Name of the IP access list. - - name: action - type: keyword - description: | - Action taken by the device - - name: facility - type: keyword - description: | - The facility to which the message refers (for example, SNMP, SYS, and so forth). A facility can be a hardware device, a protocol, or a module of the system software. It denotes the source or the cause of the system message. - - name: pim - type: group - fields: - - name: group - type: group - fields: - - name: ip - type: ip - description: Multicast group IP - - name: source - type: group - fields: - - name: ip - type: ip - description: Multicast source IP - - name: outcome - type: keyword - description: The result of the event - - name: sequence - type: keyword - description: Sequence number provided by the device when the device's service sequence-numbers global configuration is set. - - name: message_count - type: long - description: Message count number provided by the device when the device's service message-counter global configuration is set. - - name: session - type: group - description: Fields for Session information - fields: - - name: number - type: integer - description: Session ID - - name: type - type: keyword - example: tty - description: Session type - - name: uptime - type: keyword - description: The uptime for the device. -- name: icmp.code - type: keyword - description: ICMP code. -- name: icmp.type - type: keyword - description: ICMP type. -- name: igmp.type - type: keyword - description: IGMP type. -- name: log.syslog.hostname - type: keyword - description: Hostname parsed from syslog header. diff --git a/packages/cisco_ios/1.9.2/data_stream/log/manifest.yml b/packages/cisco_ios/1.9.2/data_stream/log/manifest.yml deleted file mode 100755 index de5d50174a..0000000000 --- a/packages/cisco_ios/1.9.2/data_stream/log/manifest.yml +++ /dev/null 
@@ -1,176 +0,0 @@
-title: Cisco IOS logs
-type: logs
-streams:
- - input: udp
- title: Cisco IOS logs
- description: Collect Cisco IOS logs
- template_path: udp.yml.hbs
- vars:
- - name: tags
- type: text
- title: Tags
- multi: true
- required: true
- show_user: false
- default:
- - cisco-ios
- - forwarded
- - name: syslog_host
- type: text
- title: Host to listen on
- multi: false
- required: true
- show_user: true
- default: localhost
- - name: syslog_port
- type: integer
- title: Syslog Port
- multi: false
- required: true
- show_user: true
- default: 9002
- - name: preserve_original_event
- required: true
- show_user: true
- title: Preserve original event
- description: Preserves a raw copy of the original event, added to the field `event.original`
- type: bool
- multi: false
- default: false
- - name: tz_offset
- type: text
- title: Timezone
- multi: false
- required: true
- show_user: false
- default: UTC
- description: IANA time zone or time offset (e.g. `+0200`) to use when interpreting syslog timestamps without a time zone.
- - name: processors
- type: yaml
- title: Processors
- multi: false
- required: false
- show_user: false
- description: >
- Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
-
- - input: tcp
- title: Cisco IOS logs
- description: Collect Cisco IOS logs
- template_path: tcp.yml.hbs
- vars:
- - name: tags
- type: text
- title: Tags
- multi: true
- required: true
- show_user: false
- default:
- - cisco-ios
- - forwarded
- - name: syslog_host
- type: text
- title: Host to listen on
- multi: false
- required: true
- show_user: true
- default: localhost
- - name: syslog_port
- type: integer
- title: Syslog Port
- multi: false
- required: true
- show_user: true
- default: 9002
- - name: preserve_original_event
- required: true
- show_user: true
- title: Preserve original event
- description: Preserves a raw copy of the original event, added to the field `event.original`
- type: bool
- multi: false
- default: false
- - name: tz_offset
- type: text
- title: Timezone
- multi: false
- required: true
- show_user: false
- default: UTC
- description: IANA time zone or time offset (e.g. `+0200`) to use when interpreting syslog timestamps without a time zone.
- - name: processors
- type: yaml
- title: Processors
- multi: false
- required: false
- show_user: false
- description: >
- Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
-
- - name: ssl
- type: yaml
- title: SSL Configuration
- description: i.e. certificate, keys, supported_protocols, verification_mode etc. See [SSL](https://www.elastic.co/guide/en/beats/filebeat/current/configuration-ssl.html#ssl-server-config) for details.
- multi: false
- required: false
- show_user: false
- default: |
- #certificate: "/etc/server/cert.pem"
- #key: "/etc/server/key.pem"
- - name: tcp_options
- type: yaml
- title: Custom TCP Options
- multi: false
- required: false
- show_user: false
- default: |
- #max_connections: 1
- #framing: delimiter
- #line_delimiter: "\n"
- description: Specify custom configuration options for the TCP input. See [TCP](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-tcp.html) for details.
- input: logfile
- enabled: false
- title: Cisco IOS logs
- description: Collect Cisco IOS logs from file
- vars:
- - name: paths
- type: text
- title: Paths
- multi: true
- required: true
- show_user: true
- default:
- - /var/log/cisco-ios.log
- - name: tags
- type: text
- title: Tags
- multi: true
- required: true
- show_user: false
- default:
- - cisco-ios
- - forwarded
- - name: preserve_original_event
- required: true
- show_user: true
- title: Preserve original event
- description: Preserves a raw copy of the original event, added to the field `event.original`
- type: bool
- multi: false
- default: false
- - name: tz_offset
- type: text
- title: Timezone
- multi: false
- required: true
- show_user: false
- default: UTC
- description: IANA time zone or time offset (e.g. `+0200`) to use when interpreting syslog timestamps without a time zone.
- - name: processors
- type: yaml
- title: Processors
- multi: false
- required: false
- show_user: false
- description: >-
- Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
diff --git a/packages/cisco_ios/1.9.2/data_stream/log/sample_event.json b/packages/cisco_ios/1.9.2/data_stream/log/sample_event.json
deleted file mode 100755
index 8c6e38575d..0000000000
--- a/packages/cisco_ios/1.9.2/data_stream/log/sample_event.json
+++ /dev/null
@@ -1,60 +0,0 @@
-{
- "@timestamp": "2022-01-06T20:52:12.861Z",
- "agent": {
- "ephemeral_id": "4bd1343d-9dcb-41b1-acc2-0c9242506d4d",
- "id": "9e9a5067-5380-4f64-9fb0-e004f4733651",
- "name": "docker-fleet-agent",
- "type": "filebeat",
- "version": "8.3.2"
- },
- "cisco": {
- "ios": {
- "facility": "SYS",
- "message_count": 2360957
- }
- },
- "data_stream": {
- "dataset": "cisco_ios.log",
- "namespace": "ep",
- "type": "logs"
- },
- "ecs": {
- "version": "8.3.0"
- },
- "elastic_agent": {
- "id": "9e9a5067-5380-4f64-9fb0-e004f4733651",
- "snapshot": false,
- "version": "8.3.2"
- },
- "event": {
- "agent_id_status": "verified",
- "category": "network",
- "code": "CONFIG_I",
- "dataset": "cisco_ios.log",
- "ingested": "2022-08-08T05:05:27Z",
- "original": "\u003c189\u003e2360957: Jan 6 2022 20:52:12.861: %SYS-5-CONFIG_I: Configured from console by akroh on vty0 (10.100.11.10)",
- "provider": "firewall",
- "sequence": 2360957,
- "severity": 5,
- "timezone": "+00:00",
- "type": "info"
- },
- "input": {
- "type": "tcp"
- },
- "log": {
- "level": "notification",
- "source": {
- "address": "172.26.0.4:57514"
- },
- "syslog": {
- "priority": 189
- }
- },
- "message": "Configured from console by akroh on vty0 (10.100.11.10)",
- "tags": [
- "preserve_original_event",
- "cisco-ios",
- "forwarded"
- ]
-}
\ No newline at end of file
diff --git a/packages/cisco_ios/1.9.2/docs/README.md b/packages/cisco_ios/1.9.2/docs/README.md
deleted file mode 100755
index 4225296027..0000000000
--- a/packages/cisco_ios/1.9.2/docs/README.md
+++ /dev/null
@@ -1,198 +0,0 @@ -# Cisco IOS Integration - -This integration is for [Cisco IOS network devices'](https://developer.cisco.com/docs/) logs. It includes the following -datasets for receiving logs over syslog or read from a file: - -## Log Configuration - -The Cisco appliance may be [configured in a variety of ways](https://www.cisco.com/c/en/us/td/docs/routers/access/wireless/software/guide/SysMsgLogging.html) to include or exclude fields. The Cisco IOS Integration expects the host name and timestamp to be present. If the `sequence-number` is configured to be present it will be used to populate `event.sequence`. If it is not, but `message-count` is configured to be present that field will be used in its place. - -### IOS - -The `log` dataset collects the Cisco IOS router and switch logs. - -An example event for `log` looks as following: - -```json -{ - "@timestamp": "2022-01-06T20:52:12.861Z", - "agent": { - "ephemeral_id": "4bd1343d-9dcb-41b1-acc2-0c9242506d4d", - "id": "9e9a5067-5380-4f64-9fb0-e004f4733651", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "8.3.2" - }, - "cisco": { - "ios": { - "facility": "SYS", - "message_count": 2360957 - } - }, - "data_stream": { - "dataset": "cisco_ios.log", - "namespace": "ep", - "type": "logs" - }, - "ecs": { - "version": "8.3.0" - }, - "elastic_agent": { - "id": "9e9a5067-5380-4f64-9fb0-e004f4733651", - "snapshot": false, - "version": "8.3.2" - }, - "event": { - "agent_id_status": "verified", - "category": "network", - "code": "CONFIG_I", - "dataset": "cisco_ios.log", - "ingested": "2022-08-08T05:05:27Z", - "original": "\u003c189\u003e2360957: Jan 6 2022 20:52:12.861: %SYS-5-CONFIG_I: Configured from console by akroh on vty0 (10.100.11.10)", - "provider": "firewall", - "sequence": 2360957, - "severity": 5, - "timezone": "+00:00", - "type": "info" - }, - "input": { - "type": "tcp" - }, - "log": { - "level": "notification", - "source": { - "address": "172.26.0.4:57514" - }, - "syslog": { - "priority": 189 - 
} - }, - "message": "Configured from console by akroh on vty0 (10.100.11.10)", - "tags": [ - "preserve_original_event", - "cisco-ios", - "forwarded" - ] -} -``` - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. | date | -| cisco.ios.access_list | Name of the IP access list. | keyword | -| cisco.ios.action | Action taken by the device | keyword | -| cisco.ios.facility | The facility to which the message refers (for example, SNMP, SYS, and so forth). A facility can be a hardware device, a protocol, or a module of the system software. It denotes the source or the cause of the system message. | keyword | -| cisco.ios.message_count | Message count number provided by the device when the device's service message-counter global configuration is set. | long | -| cisco.ios.outcome | The result of the event | keyword | -| cisco.ios.pim.group.ip | Multicast group IP | ip | -| cisco.ios.pim.source.ip | Multicast source IP | ip | -| cisco.ios.sequence | Sequence number provided by the device when the device's service sequence-numbers global configuration is set. | keyword | -| cisco.ios.session.number | Session ID | integer | -| cisco.ios.session.type | Session type | keyword | -| cisco.ios.uptime | The uptime for the device. | keyword | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. 
| keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| destination.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| destination.as.organization.name | Organization name. | keyword | -| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. | match_only_text | -| destination.geo.city_name | City name. | keyword | -| destination.geo.continent_name | Name of the continent. | keyword | -| destination.geo.country_iso_code | Country ISO code. | keyword | -| destination.geo.country_name | Country name. | keyword | -| destination.geo.location | Longitude and latitude. | geo_point | -| destination.geo.region_iso_code | Region ISO code. | keyword | -| destination.geo.region_name | Region name. 
| keyword | -| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | -| destination.port | Port of the destination. | long | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| elastic.agent.id | | keyword | -| elastic.agent.snapshot | | boolean | -| elastic.agent.version | | keyword | -| error.message | Error message. | match_only_text | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.code | Identification code for this event, if one exists. Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. | keyword | -| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. 
| date | -| event.dataset | Event dataset | constant_keyword | -| event.duration | Duration of the event in nanoseconds. If event.start and event.end are known this value should be the difference between the end and start time. | long | -| event.end | event.end contains the date when the event ended or when the activity was last observed. | date | -| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | -| event.module | Event module | constant_keyword | -| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | -| event.provider | Source of the event. 
Event transports such as Syslog or the Windows Event Log typically mention the source of an event. It can be the name of the software that generated the event (e.g. Sysmon, httpd), or of a subsystem of the operating system (kernel, Microsoft-Windows-Security-Auditing). | keyword | -| event.severity | The numeric severity of the event according to your event source. What the different severity values mean can be different between sources and use cases. It's up to the implementer to make sure severities are consistent across events from the same source. The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`. | long | -| event.start | event.start contains the date when the event started or when the activity was first observed. | date | -| event.timezone | This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). | keyword | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. 
For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| hostname | Hostname from syslog header. | keyword | -| icmp.code | ICMP code. | keyword | -| icmp.type | ICMP type. | keyword | -| igmp.type | IGMP type. | keyword | -| input.type | | keyword | -| labels | Custom key/value pairs. Can be used to add meta information to events. Should not contain nested objects. All values are stored as keyword. Example: `docker` and `k8s` labels. 
| object | -| log.file.path | Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. | keyword | -| log.level | Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). Some examples are `warn`, `err`, `i`, `informational`. | keyword | -| log.offset | | long | -| log.source.address | | keyword | -| log.syslog.hostname | Hostname parsed from syslog header. | keyword | -| log.syslog.priority | Syslog numeric priority of the event, if available. According to RFCs 5424 and 3164, the priority is 8 \* facility + severity. This number is therefore expected to contain a value between 0 and 191. | long | -| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | -| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword | -| network.iana_number | IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. | keyword | -| network.packets | Total packets transferred in both directions. If `source.packets` and `destination.packets` are known, `network.packets` is their sum. 
| long | -| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword | -| network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword | -| process.program | Process from syslog header. | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| related.user | All the user names or other user identifiers seen on the event. | keyword | -| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| source.as.organization.name | Organization name. | keyword | -| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text | -| source.geo.city_name | City name. | keyword | -| source.geo.continent_name | Name of the continent. | keyword | -| source.geo.country_iso_code | Country ISO code. | keyword | -| source.geo.country_name | Country name. | keyword | -| source.geo.location | Longitude and latitude. | geo_point | -| source.geo.region_iso_code | Region ISO code. | keyword | -| source.geo.region_name | Region name. | keyword | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| source.packets | Packets sent from the source to the destination. | long | -| source.port | Port of the source. | long | -| source.user.name | Short name or login of the user. | keyword | -| source.user.name.text | Multi-field of `source.user.name`. 
| match_only_text |
-| tags | List of keywords used to tag each event. | keyword |
diff --git a/packages/cisco_ios/1.9.2/img/cisco.svg b/packages/cisco_ios/1.9.2/img/cisco.svg
deleted file mode 100755
index 20ebebf197..0000000000
--- a/packages/cisco_ios/1.9.2/img/cisco.svg
+++ /dev/null
@@ -1 +0,0 @@
-
\ No newline at end of file
diff --git a/packages/cisco_ios/1.9.2/manifest.yml b/packages/cisco_ios/1.9.2/manifest.yml
deleted file mode 100755
index 0e9c370074..0000000000
--- a/packages/cisco_ios/1.9.2/manifest.yml
+++ /dev/null
@@ -1,34 +0,0 @@
-format_version: 1.0.0
-name: cisco_ios
-title: Cisco IOS
-version: "1.9.2"
-license: basic
-description: Collect logs from Cisco IOS with Elastic Agent.
-type: integration
-categories:
- - network
- - security
-release: ga
-conditions:
- kibana.version: "^7.16.0 || ^8.0.0"
-icons:
- - src: /img/cisco.svg
- title: cisco
- size: 216x216
- type: image/svg+xml
-policy_templates:
- - name: cisco_ios
- title: Cisco IOS logs
- description: Collect logs from Cisco IOS instances
- inputs:
- - type: tcp
- title: Collect logs from Cisco IOS via TCP
- description: Collecting logs from Cisco IOS via TCP
- - type: udp
- title: Collect logs from Cisco IOS via UDP
- description: Collecting logs from Cisco IOS via UDP
- - type: logfile
- title: Collect logs from Cisco IOS via file
- description: Collecting logs from Cisco IOS via file
-owner:
- github: elastic/security-external-integrations
diff --git a/packages/cisco_meraki/1.1.2/LICENSE.txt b/packages/cisco_meraki/1.1.2/LICENSE.txt
deleted file mode 100755
index 809108b857..0000000000
--- a/packages/cisco_meraki/1.1.2/LICENSE.txt
+++ /dev/null
@@ -1,93 +0,0 @@
-Elastic License 2.0
-
-URL: https://www.elastic.co/licensing/elastic-license
-
-## Acceptance
-
-By using the software, you agree to all of the terms and conditions below.
-
-## Copyright License
-
-The licensor grants you a non-exclusive, royalty-free, worldwide,
-non-sublicensable, non-transferable license to use, copy, distribute, make
-available, and prepare derivative works of the software, in each case subject to
-the limitations and conditions below.
-
-## Limitations
-
-You may not provide the software to third parties as a hosted or managed
-service, where the service provides users with access to any substantial set of
-the features or functionality of the software.
-
-You may not move, change, disable, or circumvent the license key functionality
-in the software, and you may not remove or obscure any functionality in the
-software that is protected by the license key.
-
-You may not alter, remove, or obscure any licensing, copyright, or other notices
-of the licensor in the software. Any use of the licensor’s trademarks is subject
-to applicable law.
-
-## Patents
-
-The licensor grants you a license, under any patent claims the licensor can
-license, or becomes able to license, to make, have made, use, sell, offer for
-sale, import and have imported the software, in each case subject to the
-limitations and conditions in this license. This license does not cover any
-patent claims that you cause to be infringed by modifications or additions to
-the software. If you or your company make any written claim that the software
-infringes or contributes to infringement of any patent, your patent license for
-the software granted under these terms ends immediately. If your company makes
-such a claim, your patent license ends immediately for work on behalf of your
-company.
-
-## Notices
-
-You must ensure that anyone who gets a copy of any part of the software from you
-also gets a copy of these terms.
-
-If you modify the software, you must include in any modified copies of the
-software prominent notices stating that you have modified the software.
-
-## No Other Rights
-
-These terms do not imply any licenses other than those expressly granted in
-these terms.
-
-## Termination
-
-If you use the software in violation of these terms, such use is not licensed,
-and your licenses will automatically terminate. If the licensor provides you
-with a notice of your violation, and you cease all violation of this license no
-later than 30 days after you receive that notice, your licenses will be
-reinstated retroactively. However, if you violate these terms after such
-reinstatement, any additional violation of these terms will cause your licenses
-to terminate automatically and permanently.
-
-## No Liability
-
-*As far as the law allows, the software comes as is, without any warranty or
-condition, and the licensor will not be liable to you for any damages arising
-out of these terms or the use or nature of the software, under any kind of
-legal claim.*
-
-## Definitions
-
-The **licensor** is the entity offering these terms, and the **software** is the
-software the licensor makes available under these terms, including any portion
-of it.
-
-**you** refers to the individual or entity agreeing to these terms.
-
-**your company** is any legal entity, sole proprietorship, or other kind of
-organization that you work for, plus all organizations that have control over,
-are under the control of, or are under common control with that
-organization. **control** means ownership of substantially all the assets of an
-entity, or the power to direct its management and policies by vote, contract, or
-otherwise. Control can be direct or indirect.
-
-**your licenses** are all the licenses granted to you for the software under
-these terms.
-
-**use** means anything you do with the software requiring one of your licenses.
-
-**trademark** means trademarks, service marks, and similar rights.
diff --git a/packages/cisco_meraki/1.1.2/changelog.yml b/packages/cisco_meraki/1.1.2/changelog.yml
deleted file mode 100755
index a795a48b24..0000000000
--- a/packages/cisco_meraki/1.1.2/changelog.yml
+++ /dev/null
@@ -1,91 +0,0 @@
-# newer versions go on top
-- version: "1.1.2"
- changes:
- - description: Fix MAC address formatting.
- type: bugfix
- link: https://github.com/elastic/integrations/issues/4283
-- version: "1.1.1"
- changes:
- - description: Use ECS geo.location definition.
- type: enhancement
- link: https://github.com/elastic/integrations/issues/4227
-- version: "1.1.0"
- changes:
- - description: Update package to ECS 8.4.0
- type: enhancement
- link: https://github.com/elastic/integrations/pull/3924
-- version: "1.0.1"
- changes:
- - description: Fix client.geo.location mapping
- type: bugfix
- link: https://github.com/elastic/integrations/pull/3941
-- version: "1.0.0"
- changes:
- - description: Make GA
- type: enhancement
- link: https://github.com/elastic/integrations/pull/3859
-- version: "0.6.1"
- changes:
- - description: Update package name and description to align with standard wording
- type: enhancement
- link: https://github.com/elastic/integrations/pull/3478
-- version: "0.6.0"
- changes:
- - description: Update package to ECS 8.3.0.
- type: enhancement
- link: https://github.com/elastic/integrations/pull/3353
-- version: "0.5.1"
- changes:
- - description: Fix doc build
- type: enhancement
- link: https://github.com/elastic/integrations/pull/3529
-- version: "0.5.0"
- changes:
- - description: Replace RSA2ELK with Syslog and Webhook integration
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2897
-- version: "0.4.1"
- changes:
- - description: Add documentation for multi-fields
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2916
-- version: "0.4.0"
- changes:
- - description: Update to ECS 8.0.0
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2580
-- version: "0.3.1"
- changes:
- - description: Regenerate test files using the new GeoIP database
- type: bugfix
- link: https://github.com/elastic/integrations/pull/2339
-- version: "0.3.0"
- changes:
- - description: Add 8.0.0 version constraint
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2270
-- version: "0.2.3"
- changes:
- - description: Update Title and Description.
- type: enhancement
- link: https://github.com/elastic/integrations/pull/1956
-- version: "0.2.2"
- changes:
- - description: Fixed a bug that prevents the package from working in 7.16.
- type: bugfix
- link: https://github.com/elastic/integrations/pull/1882
-- version: "0.2.1"
- changes:
- - description: Fix logic that checks for the 'forwarded' tag
- type: bugfix
- link: https://github.com/elastic/integrations/pull/1808
-- version: "0.2.0"
- changes:
- - description: Update to ECS 1.12.0
- type: enhancement
- link: https://github.com/elastic/integrations/pull/1785
-- version: "0.1.0"
- changes:
- - description: Initial commit splitting Cisco meraki from general Cisco package
- type: enhancement
- link: https://github.com/elastic/integrations/pull/1587
diff --git a/packages/cisco_meraki/1.1.2/data_stream/events/agent/stream/http_endpoint.yml.hbs b/packages/cisco_meraki/1.1.2/data_stream/events/agent/stream/http_endpoint.yml.hbs
deleted file mode 100755
index 1203728f14..0000000000
--- a/packages/cisco_meraki/1.1.2/data_stream/events/agent/stream/http_endpoint.yml.hbs
+++ /dev/null
@@ -1,41 +0,0 @@
-type: http_endpoint
-enabled: true
-prefix: json
-
-{{#if listen_address}}
-listen_address: {{listen_address}}
-{{/if}}
-{{#if listen_port}}
-listen_port: {{listen_port}}
-{{/if}}
-{{#if url}}
-url: {{url}}
-{{/if}}
-
-{{#if secret_value}}
-secret.header: Authorization
-secret.value: "{{secret_value}}"
-{{/if}}
-
-{{#if ssl}}
-ssl: {{ssl}}
-{{/if}}
-
-{{#if preserve_original_event}}
-preserve_original_event: true
-{{/if}}
-
-tags:
-{{#if preserve_original_event}}
- - preserve_original_event
-{{/if}}
-{{#each tags as |tag i|}}
- - {{tag}}
-{{/each}}
-{{#contains "forwarded" tags}}
-publisher_pipeline.disable_host: true
-{{/contains}}
-{{#if processors}}
-processors:
-{{processors}}
-{{/if}}
diff --git a/packages/cisco_meraki/1.1.2/data_stream/events/elasticsearch/ingest_pipeline/default.yml b/packages/cisco_meraki/1.1.2/data_stream/events/elasticsearch/ingest_pipeline/default.yml
deleted file mode 100755
index ace8dc48cb..0000000000
--- a/packages/cisco_meraki/1.1.2/data_stream/events/elasticsearch/ingest_pipeline/default.yml
+++ /dev/null
@@ -1,300 +0,0 @@ ---- -description: Pipeline for processing Cisco Meraki events -processors: -- set: - field: ecs.version - value: '8.4.0' -- set: - field: observer.serial_number - copy_from: json.deviceSerial -- gsub: - field: json.deviceMac - target_field: observer.mac - pattern: '[-:.]' - replacement: '-' -- set: - field: observer.name - copy_from: json.deviceName -- set: - field: observer.vendor - value: Cisco -- set: - field: observer.product - copy_from: json.deviceModel -- set: - field: network.name - copy_from: json.networkName -- date: - field: json.occurredAt - formats: - - ISO8601 -- set: - field: organization.id - copy_from: json.organizationId -- set: - field: organization.name - copy_from: json.organizationName -- set: - field: log.level - copy_from: json.alertLevel -- append: - field: event.category - value: network -- append: - field: event.type - value: info -- script: - lang: painless - description: The script sets event type, action and category based on type and sub-type fields - params: - eventmap: - "started_reporting": - type: - - start - "stopped_reporting": - type: - - end - "foreign_ap": - category: - - intrusion_detection - - threat - type: - - indicator - "bluetooth_in": - type: - - start - "bluetooth_out": - type: - - end - "port_cable_error": - type: - - connection - "node_hardware_failure": - category: - - host - type: - - end - "cellular_up": - type: - - start - "cellular_down": - type: - - end - "umbrella_expiring": - category: - - configuration - "ip_conflict": - type: - - protocol - "rogue_ap_association": - category: - - threat - type: - - indicator - "client_connectivity": - category: - - session - type: - - connection - "pcc_security_compliance": - category: - - configuration - "pcc_security_violation": - category: - - configuration - - threat - type: - - change - - indicator - "pcc_outage_end": - category: - - host - type: - - connection - "pcc_enrollment": - category: - - session - type: - - connection - - start - 
"geofencing_out": - type: - - connection - "pcc_outage_begin": - category: - - host - type: - - connection - - end - "dhcp_no_leases": - type: - - connection - - denied - - protocol - "vrrp": - category: - - configuration - type: - - change - "pcc_expired_apns_cert": - category: - - authentication - "amp_malware_blocked": - category: - - threat - - intrusion_detection - type: - - indicator - - denied - "amp_malware_detected": - category: - - threat - - intrusion_detection - type: - - indicator - - allowed - "pcc_sw_found": - category: - - host - - configuration - type: - - change - "pcc_unmanaged": - category: - - configuration - - iam - type: - - change - - deletion - "dhcp_alerts": - type: - - protocol - "power_supply_up": - type: - - start - "power_supply_down": - category: - - host - type: - - end - "unreachable_radius_server": - category: - - authentication - type: - - end - - denied - "rogue_ap": - category: - - threat - type: - - indicator - "rogue_dhcp": - category: - - threat - type: - - indicator - "settings_changed": - category: - - configuration - type: - - change - "port_connected": - type: - - connection - "port_disconnected": - type: - - end - "port_speed_change": - category: - - configuration - type: - - change - - protocol - "udld_error": - type: - - connection - - end - "uplink_ip6_conflict": - type: - - protocol - if: ctx?.json?.alertTypeId != null - source: |- - def alertTypeId = ctx.json.alertTypeId; - def eventMap = params.get('eventmap'); - def eventData = eventMap.get(alertTypeId); - ctx.event.action = ctx.json.alertType; - if (eventData == null) { - // Unclassified events - // - geofencing_in, critical_temperature - // - gateway_to_repeater, mi_alert - // - motion_alert, usage_alert - // - new_splash_signup, rps_base_supply_up - // - rps_backup, vpn_connectivity_change - return; - } - def eventCategory = eventData.get('category'); - if (eventCategory != null) { - for (def c : eventCategory) { - ctx.event.category.add(c); - } - } - def 
eventType = eventData.get('type'); - if (eventType != null) { - for (def t : eventType) { - ctx.event.type.add(t); - } - } -- rename: - field: json - target_field: cisco_meraki.event -## -# Clean up -## -- remove: - field: - - cisco_meraki.event.deviceSerial - - cisco_meraki.event.deviceMac - - cisco_meraki.event.deviceName - - cisco_meraki.event.deviceModel - - cisco_meraki.event.occurredAt - - cisco_meraki.event.networkName - - cisco_meraki.event.organizationId - - cisco_meraki.event.organizationName - - cisco_meraki.event.alertType - - cisco_meraki.event.alertLevel - ignore_missing: true -- remove: - field: event.original - if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" - ignore_failure: true - ignore_missing: true -- script: - lang: painless - description: This script processor iterates over the whole document to remove fields with null values. - source: | - void handleMap(Map map) { - for (def x : map.values()) { - if (x instanceof Map) { - handleMap(x); - } else if (x instanceof List) { - handleList(x); - } - } - map.values().removeIf(v -> v == null || v == '' || (v instanceof Map && v.size() == 0) || (v instanceof List && v.size() == 0)); - } - void handleList(List list) { - for (def x : list) { - if (x instanceof Map) { - handleMap(x); - } else if (x instanceof List) { - handleList(x); - } - } - list.removeIf(v -> v == null || v == '' || (v instanceof Map && v.size() == 0) || (v instanceof List && v.size() == 0)); - } - handleMap(ctx); - -on_failure: -- set: - field: error.message - value: '{{ _ingest.on_failure_message }}' diff --git a/packages/cisco_meraki/1.1.2/data_stream/events/fields/agent.yml b/packages/cisco_meraki/1.1.2/data_stream/events/fields/agent.yml deleted file mode 100755 index 162c9f3aa3..0000000000 --- a/packages/cisco_meraki/1.1.2/data_stream/events/fields/agent.yml +++ /dev/null 
@@ -1,207 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - -- name: input.type - type: keyword - description: Input type. 
-- name: log.source.address - type: keyword - description: Source address from which the log event was read / sent from. -- name: log.offset - type: long - description: Offset of the entry in the log file. diff --git a/packages/cisco_meraki/1.1.2/data_stream/events/fields/base-fields.yml b/packages/cisco_meraki/1.1.2/data_stream/events/fields/base-fields.yml deleted file mode 100755 index ebba8d4244..0000000000 --- a/packages/cisco_meraki/1.1.2/data_stream/events/fields/base-fields.yml +++ /dev/null @@ -1,32 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: "@timestamp" - type: date - description: Event timestamp. -- name: event.module - type: constant_keyword - description: Event module - value: cisco_meraki -- name: event.dataset - type: constant_keyword - description: Event dataset - value: cisco_meraki.events -- name: container.id - description: Unique container id. - ignore_above: 1024 - type: keyword -- name: input.type - description: Type of Filebeat input. - type: keyword -- name: log.file.path - description: Full path to the log file this event came from. - example: /var/log/fun-times.log - ignore_above: 1024 - type: keyword diff --git a/packages/cisco_meraki/1.1.2/data_stream/events/fields/ecs.yml b/packages/cisco_meraki/1.1.2/data_stream/events/fields/ecs.yml deleted file mode 100755 index 56320fe5d0..0000000000 --- a/packages/cisco_meraki/1.1.2/data_stream/events/fields/ecs.yml +++ /dev/null 
@@ -1,697 +0,0 @@ -- description: |- - Date/time when the event originated. - This is the date/time extracted from the event, typically representing when the event was generated by the source. - If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. - Required field for all events. - name: '@timestamp' - type: date -- description: IP address of the client (IPv4 or IPv6). - name: client.ip - type: ip -- description: |- - MAC address of the client. - The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. - name: client.mac - type: keyword -- description: |- - The domain name of the client system. - This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. - name: client.domain - type: keyword -- description: |- - The highest registered client domain, stripped of the subdomain. - For example, the registered domain for "foo.example.com" is "example.com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". - name: client.registered_domain - type: keyword -- description: |- - The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. - For example the subdomain portion of "www.east.mydomain.co.uk" is "east". 
If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. - name: client.subdomain - type: keyword -- description: |- - The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". - name: client.top_level_domain - type: keyword -- description: |- - Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: destination.address - type: keyword -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: destination.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: destination.as.organization.name - type: keyword -- description: Bytes sent from the destination to the source. - name: destination.bytes - type: long -- description: |- - The domain name of the destination system. - This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. - name: destination.domain - type: keyword -- description: City name. - name: destination.geo.city_name - type: keyword -- description: Country name. - name: destination.geo.country_name - type: keyword -- description: Longitude and latitude. 
- name: destination.geo.location - type: geo_point -- description: IP address of the destination (IPv4 or IPv6). - name: destination.ip - type: ip -- description: |- - MAC address of the destination. - The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. - name: destination.mac - pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ - type: keyword -- description: |- - Translated ip of destination based NAT sessions (e.g. internet to private DMZ) - Typically used with load balancers, firewalls, or routers. - name: destination.nat.ip - type: ip -- description: |- - Port the source session is translated to by NAT Device. - Typically used with load balancers, firewalls, or routers. - name: destination.nat.port - type: long -- description: Port of the destination. - name: destination.port - type: long -- description: |- - The highest registered destination domain, stripped of the subdomain. - For example, the registered domain for "foo.example.com" is "example.com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". - name: destination.registered_domain - type: keyword -- description: |- - The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. - For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. 
- name: destination.subdomain - type: keyword -- description: |- - The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". - name: destination.top_level_domain - type: keyword -- description: |- - The domain name to which this resource record pertains. - If a chain of CNAME is being resolved, each answer's `name` should be the one that corresponds with the answer's `data`. It should not simply be the original `question.name` repeated. - name: dns.answers.name - type: keyword -- description: The type of data contained in this resource record. - name: dns.answers.type - type: keyword -- description: |- - The highest registered domain, stripped of the subdomain. - For example, the registered domain for "foo.example.com" is "example.com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". - name: dns.question.registered_domain - type: keyword -- description: |- - The subdomain is all of the labels under the registered_domain. - If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. - name: dns.question.subdomain - type: keyword -- description: |- - The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). 
Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". - name: dns.question.top_level_domain - type: keyword -- description: The type of record being queried. - name: dns.question.type - type: keyword -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: Error message. - name: error.message - type: match_only_text -- description: |- - The action captured by the event. - This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. - name: event.action - type: keyword -- description: |- - Identification code for this event, if one exists. - Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. - name: event.code - type: keyword -- description: |- - Timestamp when an event arrived in the central data store. - This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. - In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. - name: event.ingested - type: date -- description: |- - Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. - This field is not indexed and doc_values are disabled. 
It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. - doc_values: false - index: false - name: event.original - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. - `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. - Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. - Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. - Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. - name: event.outcome - type: keyword -- description: |- - This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. - Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). - name: event.timezone - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. - `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. 
This will allow proper categorization of some events that fall in multiple event types. - name: event.type - normalize: - - array - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. This will allow proper categorization of some events that fall in multiple categories. - name: event.category - normalize: - - array - type: keyword -- description: |- - Array of file attributes. - Attributes names will vary by platform. Here's a non-exhaustive list of values that are expected in this field: archive, compressed, directory, encrypted, execute, hidden, read, readonly, system, write. - name: file.attributes - normalize: - - array - type: keyword -- description: Directory where the file is located. It should include the drive letter, when appropriate. - name: file.directory - type: keyword -- description: |- - File extension, excluding the leading dot. - Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). - name: file.extension - type: keyword -- description: Name of the file including the extension, without the directory. - name: file.name - type: keyword -- description: Full path to the file, including the file name. It should include the drive letter, when appropriate. - multi_fields: - - name: text - type: match_only_text - name: file.path - type: keyword -- description: |- - File size in bytes. - Only relevant when `file.type` is "file". - name: file.size - type: long -- description: File type (file, dir, or symlink). - name: file.type - type: keyword -- description: City name. 
- name: geo.city_name - type: keyword -- description: Country name. - name: geo.country_name - type: keyword -- description: |- - User-defined description of a location, at the level of granularity they care about. - Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. - Not typically used in automated geolocation. - name: geo.name - type: keyword -- description: Region name. - name: geo.region_name - type: keyword -- description: Unique identifier for the group on the system/platform. - name: group.id - type: keyword -- description: Name of the group. - name: group.name - type: keyword -- description: |- - Hostname of the host. - It normally contains what the `hostname` command returns on the host machine. - name: host.hostname - type: keyword -- description: Host ip addresses. - name: host.ip - normalize: - - array - type: ip -- description: |- - Host MAC addresses. - The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. - name: host.mac - normalize: - - array - pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ - type: keyword -- description: |- - Name of the host. - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. - name: host.name - type: keyword -- description: |- - HTTP request method. - The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field. - name: http.request.method - type: keyword -- description: Referrer for this HTTP request. - name: http.request.referrer - type: keyword -- description: |- - Original log level of the log event. 
- If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). - Some examples are `warn`, `err`, `i`, `informational`. - name: log.level - type: keyword -- description: |- - The Syslog numeric facility of the log event, if available. - According to RFCs 5424 and 3164, this value should be an integer between 0 and 23. - name: log.syslog.facility.code - type: long -- description: |- - Syslog numeric priority of the event, if available. - According to RFCs 5424 and 3164, the priority is 8 * facility + severity. This number is therefore expected to contain a value between 0 and 191. - name: log.syslog.priority - type: long -- description: |- - The Syslog numeric severity of the log event, if available. - If the event source publishing via Syslog provides a different numeric severity value (e.g. firewall, IDS), your source's numeric severity should go to `event.severity`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `event.severity`. - name: log.syslog.severity.code - type: long -- description: |- - Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. - If the event wasn't read from a log file, do not populate this field. - name: log.file.path - type: keyword -- description: List of keywords used to tag each event. - name: tags - normalize: - - array - type: keyword -- description: |- - For log events the message field contains the log message, optimized for viewing in a log viewer. - For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. - If multiple messages exist, they can be combined into one message. 
- name: message - type: match_only_text -- description: |- - When a specific application or service is identified from network connection details (source/dest IPs, ports, certificates, or wire format), this field captures the application's or service's name. - For example, the original event identifies the network connection being from a specific web service in a `https` network connection, like `facebook` or `twitter`. - The field value must be normalized to lowercase for querying. - name: network.application - type: keyword -- description: |- - Total bytes transferred in both directions. - If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. - name: network.bytes - type: long -- description: |- - Direction of the network traffic. - When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". - When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". - Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. - name: network.direction - type: keyword -- description: Host IP address when the source IP address is the proxy. - name: network.forwarded_ip - type: ip -- description: |- - Total packets transferred in both directions. - If `source.packets` and `destination.packets` are known, `network.packets` is their sum. - name: network.packets - type: long -- description: |- - In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. - The field value must be normalized to lowercase for querying. 
- name: network.protocol - type: keyword -- description: Interface name as reported by the system. - name: observer.egress.interface.name - type: keyword -- description: Interface name as reported by the system. - name: observer.ingress.interface.name - type: keyword -- description: The product name of the observer. - name: observer.product - type: keyword -- description: |- - The type of the observer the data is coming from. - There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. - name: observer.type - type: keyword -- description: Vendor name of the observer. - name: observer.vendor - type: keyword -- description: Observer version. - name: observer.version - type: keyword -- description: |- - MAC addresses of the observer. - The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. - name: observer.mac - normalize: - - array - pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ - type: keyword -- description: |- - Custom name of the observer. - This is a name that can be given to an observer. This can be helpful for example if multiple firewalls of the same model are used in an organization. - If no custom name is needed, the field can be left empty. - name: observer.name - type: keyword -- description: Observer serial number. - name: observer.serial_number - type: keyword -- description: |- - Process name. - Sometimes called program name or similar. - multi_fields: - - name: text - type: match_only_text - name: process.name - type: keyword -- description: |- - Process name. - Sometimes called program name or similar. - multi_fields: - - name: text - type: match_only_text - name: process.parent.name - type: keyword -- description: |- - Process title. - The proctitle, some times the same as process name. 
Can also be different: for example a browser setting its title to the web page currently opened. - multi_fields: - - name: text - type: match_only_text - name: process.parent.title - type: keyword -- description: Process id. - name: process.pid - type: long -- description: Process id. - name: process.parent.pid - type: long -- description: |- - Process title. - The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. - multi_fields: - - name: text - type: match_only_text - name: process.title - type: keyword -- description: All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. - name: related.hosts - normalize: - - array - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - normalize: - - array - type: ip -- description: All the user names or other user identifiers seen on the event. - name: related.user - normalize: - - array - type: keyword -- description: The name of the rule or signature generating the event. - name: rule.name - type: keyword -- description: |- - MAC address of the server. - The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. - name: server.mac - pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ - type: keyword -- description: |- - The domain name of the server system. - This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. - name: server.domain - type: keyword -- description: |- - The highest registered server domain, stripped of the subdomain. - For example, the registered domain for "foo.example.com" is "example.com". 
- This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". - name: server.registered_domain - type: keyword -- description: |- - The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. - For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. - name: server.subdomain - type: keyword -- description: |- - The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". - name: server.top_level_domain - type: keyword -- description: |- - Name of the service data is collected from. - The name of the service is normally user given. This allows for distributed services that run on multiple hosts to correlate the related instances based on the name. - In the case of Elasticsearch the `service.name` could contain the cluster name. For Beats the `service.name` is by default a copy of the `service.type` field if no name is specified. - name: service.name - type: keyword -- description: |- - Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. 
- Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: source.address - type: keyword -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: source.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: source.as.organization.name - type: keyword -- description: Bytes sent from the source to the destination. - name: source.bytes - type: long -- description: |- - The domain name of the source system. - This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. - name: source.domain - type: keyword -- description: City name. - name: source.geo.city_name - type: keyword -- description: Country name. - name: source.geo.country_name - type: keyword -- description: Longitude and latitude. - name: source.geo.location - type: geo_point -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: |- - MAC address of the source. - The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. - name: source.mac - pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ - type: keyword -- description: |- - Translated ip of source based NAT sessions (e.g. internal client to internet) - Typically connections traversing load balancers, firewalls, or routers. - name: source.nat.ip - type: ip -- description: |- - Translated port of source based NAT sessions. (e.g. internal client to internet) - Typically used with load balancers, firewalls, or routers. - name: source.nat.port - type: long -- description: Port of the source. 
- name: source.port - type: long -- description: |- - The highest registered source domain, stripped of the subdomain. - For example, the registered domain for "foo.example.com" is "example.com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". - name: source.registered_domain - type: keyword -- description: |- - The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. - For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. - name: source.subdomain - type: keyword -- description: |- - The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". - name: source.top_level_domain - type: keyword -- description: |- - Domain of the url, such as "www.elastic.co". - In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. - If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. - name: url.domain - type: keyword -- description: |- - Unmodified original url as seen in the event source. 
- Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. - This field is meant to represent the URL as it was observed, complete or not. - multi_fields: - - name: text - type: match_only_text - name: url.original - type: wildcard -- description: Path of the request, such as "/search". - name: url.path - type: wildcard -- description: |- - The query field describes the query string of the request, such as "q=elasticsearch". - The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. - name: url.query - type: keyword -- description: |- - The highest registered url domain, stripped of the subdomain. - For example, the registered domain for "foo.example.com" is "example.com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". - name: url.registered_domain - type: keyword -- description: |- - The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". - name: url.top_level_domain - type: keyword -- description: |- - Name of the directory the user is a member of. - For example, an LDAP or Active Directory domain name. - name: user.domain - type: keyword -- description: User's full name, if available. 
- multi_fields: - - name: text - type: match_only_text - name: user.full_name - type: keyword -- description: Unique identifier of the user. - name: user.id - type: keyword -- description: Short name or login of the user. - multi_fields: - - name: text - type: match_only_text - name: user.name - type: keyword -- description: Unparsed user_agent string. - multi_fields: - - name: text - type: match_only_text - name: user_agent.original - type: keyword -- description: Hostname of the observer. - name: observer.hostname - type: keyword -- description: Name of the continent. - name: destination.geo.continent_name - type: keyword -- description: Country ISO code. - name: destination.geo.country_iso_code - type: keyword -- description: Region ISO code. - name: destination.geo.region_iso_code - type: keyword -- description: Region name. - name: destination.geo.region_name - type: keyword -- description: Name of the continent. - name: source.geo.continent_name - type: keyword -- description: Country ISO code. - name: source.geo.country_iso_code - type: keyword -- description: Region ISO code. - name: source.geo.region_iso_code - type: keyword -- description: Region name. - name: source.geo.region_name - type: keyword -- description: VLAN ID as reported by the observer. - name: network.vlan.id - type: keyword -- description: |- - The type of software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®. - While not required, you can use a MITRE ATT&CK® software type. - name: threat.software.type - type: keyword -- description: The date and time when intelligence source last reported sighting this indicator. - name: threat.indicator.last_seen - type: date -- description: Describes the type of action conducted by the threat. - name: threat.indicator.description - type: keyword -- description: Reference URL linking to additional information about this indicator. 
- name: threat.indicator.reference - type: keyword -- description: Name of the file including the extension, without the directory. - name: threat.indicator.file.name - type: keyword -- description: SHA256 hash. - name: threat.indicator.file.hash.sha256 - type: keyword -- description: |- - Direction of the network traffic. - When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". - When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". - Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. - name: network.direction - type: keyword -- description: |- - In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. - The field value must be normalized to lowercase for querying. - name: network.protocol - type: keyword -- description: City name. - name: client.geo.city_name - type: keyword -- description: Name of the continent. - name: client.geo.continent_name - type: keyword -- description: Country ISO code. - name: client.geo.country_iso_code - type: keyword -- description: Country name. - name: client.geo.country_name - type: keyword -- description: Longitude and latitude. - name: client.geo.location.lat - type: geo_point -- description: Longitude and latitude. - name: client.geo.location.lon - type: geo_point -- description: Region ISO code. - name: client.geo.region_iso_code - type: keyword -- description: Region name. - name: client.geo.region_name - type: keyword -- description: Unique identifier for the organization. 
- name: organization.id - type: keyword -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: organization.name - type: keyword -- description: Name given by operators to sections of their network. - name: network.name - type: keyword diff --git a/packages/cisco_meraki/1.1.2/data_stream/events/fields/fields.yml b/packages/cisco_meraki/1.1.2/data_stream/events/fields/fields.yml deleted file mode 100755 index 7443e7680a..0000000000 --- a/packages/cisco_meraki/1.1.2/data_stream/events/fields/fields.yml +++ /dev/null 
@@ -1,72 +0,0 @@
-- name: cisco_meraki
- type: group
- fields:
- - name: event
- type: group
- fields:
- - name: version
- type: keyword
- description: Current version of webhook format
- - name: sharedSecret
- type: keyword
- description: User defined secret to be validated by the webhook receiver (optional)
- - name: sentAt
- type: date
- description: Timestamp of the sent message (UTC)
- - name: organizationId
- type: keyword
- description: ID of the Meraki organization
- - name: organizationName
- type: keyword
- description: Name of the Meraki organization
- - name: organizationUrl
- type: keyword
- description: URL of the Meraki Dashboard organization
- - name: networkId
- type: keyword
- description: ID for the Meraki network
- - name: networkName
- type: keyword
- description: Name for the Meraki network
- - name: networkUrl
- type: keyword
- description: URL of the Meraki Dashboard network
- - name: networkTags
- type: keyword
- description: Tags assigned to the Meraki network
- - name: deviceSerial
- type: keyword
- description: Serial number of the Meraki device
- - name: deviceMac
- type: keyword
- description: MAC address of the Meraki device
- - name: deviceName
- type: keyword
- description: Name assigned to the Meraki device
- - name: deviceUrl
- type: keyword
- description: URL of the Meraki device
- - name: deviceTags
- type: keyword
- description: Tags assigned to the Meraki device
- - name: deviceModel
- type: keyword
- description: Meraki device model
- - name: alertId
- type: keyword
- description: ID for this alert message
- - name: alertType
- type: keyword
- description: Type of alert (“Network usage alert”, “Settings changed”, etc.)
- - name: alertTypeId
- type: keyword
- description: Unique ID for the type of alert
- - name: alertLevel
- type: keyword
- description: Alert level (informational, critical etc.)
- - name: occurredAt
- type: date
- description: Timestamp of the alert (UTC)
- - name: alertData
- type: flattened
- description: Additional alert data (differs based on alert type)
diff --git a/packages/cisco_meraki/1.1.2/data_stream/events/manifest.yml b/packages/cisco_meraki/1.1.2/data_stream/events/manifest.yml
deleted file mode 100755
index bc4b29aa45..0000000000
--- a/packages/cisco_meraki/1.1.2/data_stream/events/manifest.yml
+++ /dev/null
@@ -1,76 +0,0 @@
-title: Cisco Meraki webhook events
-release: experimental
-type: logs
-streams:
- - input: http_endpoint
- title: Cisco Meraki webhook events
- description: Receives events from Cisco Meraki webhook
- template_path: http_endpoint.yml.hbs
- enabled: false
- vars:
- - name: listen_address
- type: text
- title: Listen Address
- description: Bind address for the listener. Use 0.0.0.0 to listen on all interfaces.
- multi: false
- required: true
- show_user: true
- default: localhost
- - name: listen_port
- type: integer
- title: Listen Port
- multi: false
- required: true
- show_user: true
- default: 8686
- - name: url
- type: text
- title: Webhook path
- description: URL path where the webhook will accept requests.
- multi: false
- required: true
- show_user: false
- default: /meraki/events
- - name: secret_value
- type: text
- description: Authorization token
- multi: false
- required: false
- show_user: true
- - name: ssl
- type: yaml
- title: TLS
- description: Options for enabling TLS for the listening webhook endpoint. See the [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/configuration-ssl.html) for a list of all options.
- multi: false
- required: false
- show_user: false
- default: |
- enabled: false
- certificate: "/etc/pki/client/cert.pem"
- key: "/etc/pki/client/cert.key"
- - name: tags
- type: text
- title: Tags
- multi: true
- required: true
- show_user: false
- default:
- - forwarded
- - meraki-events
- - name: preserve_original_event
- required: true
- show_user: true
- title: Preserve original event
- description: Preserves a raw copy of the original event, added to the field `event.original`
- type: bool
- multi: false
- default: false
- - name: processors
- type: yaml
- title: Processors
- multi: false
- required: false
- show_user: false
- description: >
- Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
-
diff --git a/packages/cisco_meraki/1.1.2/data_stream/events/sample_event.json b/packages/cisco_meraki/1.1.2/data_stream/events/sample_event.json
deleted file mode 100755
index 83633463a4..0000000000
--- a/packages/cisco_meraki/1.1.2/data_stream/events/sample_event.json
+++ /dev/null
@@ -1,86 +0,0 @@ -{ - "@timestamp": "2018-02-11T00:00:00.123Z", - "agent": { - "ephemeral_id": "4e898a47-a469-4602-9ba2-0a46f55a3998", - "id": "e999e428-e6a9-4c63-bd05-0eda93c920b3", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "8.3.2" - }, - "cisco_meraki": { - "event": { - "alertData": { - "connection": "LTE", - "local": "192.168.1.2", - "model": "UML290VW", - "provider": "Purview Wireless", - "remote": "1.2.3.5" - }, - "alertId": "0000000000000000", - "alertTypeId": "cellular_up", - "deviceTags": [ - "tag1", - "tag2" - ], - "deviceUrl": "https://n1.meraki.com//n//manage/nodes/new_list/000000000000", - "networkId": "N_24329156", - "networkUrl": "https://n1.meraki.com//n//manage/nodes/list", - "organizationUrl": "https://dashboard.meraki.com/o/VjjsAd/manage/organization/overview", - "sentAt": "2021-10-07T08:42:00.926325Z", - "sharedSecret": "secret", - "version": "0.1" - } - }, - "data_stream": { - "dataset": "cisco_meraki.events", - "namespace": "ep", - "type": "logs" - }, - "ecs": { - "version": "8.4.0" - }, - "elastic_agent": { - "id": "e999e428-e6a9-4c63-bd05-0eda93c920b3", - "snapshot": false, - "version": "8.3.2" - }, - "event": { - "action": "Cellular came up", - "agent_id_status": "verified", - "category": [ - "network" - ], - "dataset": "cisco_meraki.events", - "ingested": "2022-08-08T18:48:35Z", - "original": "{\"alertData\":{\"connection\":\"LTE\",\"local\":\"192.168.1.2\",\"model\":\"UML290VW\",\"provider\":\"Purview Wireless\",\"remote\":\"1.2.3.5\"},\"alertId\":\"0000000000000000\",\"alertLevel\":\"informational\",\"alertType\":\"Cellular came up\",\"alertTypeId\":\"cellular_up\",\"deviceMac\":\"00:11:22:33:44:55\",\"deviceModel\":\"MX\",\"deviceName\":\"My appliance\",\"deviceSerial\":\"Q234-ABCD-5678\",\"deviceTags\":[\"tag1\",\"tag2\"],\"deviceUrl\":\"https://n1.meraki.com//n//manage/nodes/new_list/000000000000\",\"networkId\":\"N_24329156\",\"networkName\":\"Main 
Office\",\"networkTags\":[],\"networkUrl\":\"https://n1.meraki.com//n//manage/nodes/list\",\"occurredAt\":\"2018-02-11T00:00:00.123450Z\",\"organizationId\":\"2930418\",\"organizationName\":\"My organization\",\"organizationUrl\":\"https://dashboard.meraki.com/o/VjjsAd/manage/organization/overview\",\"sentAt\":\"2021-10-07T08:42:00.926325Z\",\"sharedSecret\":\"secret\",\"version\":\"0.1\"}", - "type": [ - "info", - "start" - ] - }, - "input": { - "type": "http_endpoint" - }, - "log": { - "level": "informational" - }, - "network": { - "name": "Main Office" - }, - "observer": { - "mac": "00-11-22-33-44-55", - "name": "My appliance", - "product": "MX", - "serial_number": "Q234-ABCD-5678", - "vendor": "Cisco" - }, - "organization": { - "id": "2930418", - "name": "My organization" - }, - "tags": [ - "preserve_original_event", - "forwarded", - "meraki-events" - ] -} \ No newline at end of file diff --git a/packages/cisco_meraki/1.1.2/data_stream/log/agent/stream/logfile.yml.hbs b/packages/cisco_meraki/1.1.2/data_stream/log/agent/stream/logfile.yml.hbs deleted file mode 100755 index 52b248876b..0000000000 --- a/packages/cisco_meraki/1.1.2/data_stream/log/agent/stream/logfile.yml.hbs +++ /dev/null @@ -1,27 +0,0 @@ -paths: -{{#each paths as |path i|}} - - {{path}} -{{/each}} -exclude_files: [".gz$"] - -tags: -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#each tags as |tag i|}} - - {{tag}} -{{/each}} - -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} - -fields_under_root: true -fields: - _conf: - tz_offset: '{{tz_offset}}' - -{{#if processors}} -processors: -{{processors}} -{{/if}} diff --git a/packages/cisco_meraki/1.1.2/data_stream/log/agent/stream/tcp.yml.hbs b/packages/cisco_meraki/1.1.2/data_stream/log/agent/stream/tcp.yml.hbs deleted file mode 100755 index 993860734e..0000000000 --- a/packages/cisco_meraki/1.1.2/data_stream/log/agent/stream/tcp.yml.hbs +++ /dev/null 
@@ -1,24 +0,0 @@
-host: "{{listen_address}}:{{listen_port}}"
-max_message_size: 1 MiB
-
-tags:
-{{#if preserve_original_event}}
- - preserve_original_event
-{{/if}}
-{{#each tags as |tag i|}}
- - {{tag}}
-{{/each}}
-
-{{#contains "forwarded" tags}}
-publisher_pipeline.disable_host: true
-{{/contains}}
-
-fields_under_root: true
-fields:
- _conf:
- tz_offset: '{{tz_offset}}'
-
-{{#if processors}}
-processors:
-{{processors}}
-{{/if}}
diff --git a/packages/cisco_meraki/1.1.2/data_stream/log/agent/stream/udp.yml.hbs b/packages/cisco_meraki/1.1.2/data_stream/log/agent/stream/udp.yml.hbs
deleted file mode 100755
index 993860734e..0000000000
--- a/packages/cisco_meraki/1.1.2/data_stream/log/agent/stream/udp.yml.hbs
+++ /dev/null
@@ -1,24 +0,0 @@
-host: "{{listen_address}}:{{listen_port}}"
-max_message_size: 1 MiB
-
-tags:
-{{#if preserve_original_event}}
- - preserve_original_event
-{{/if}}
-{{#each tags as |tag i|}}
- - {{tag}}
-{{/each}}
-
-{{#contains "forwarded" tags}}
-publisher_pipeline.disable_host: true
-{{/contains}}
-
-fields_under_root: true
-fields:
- _conf:
- tz_offset: '{{tz_offset}}'
-
-{{#if processors}}
-processors:
-{{processors}}
-{{/if}}
diff --git a/packages/cisco_meraki/1.1.2/data_stream/log/elasticsearch/ingest_pipeline/airmarshal.yml b/packages/cisco_meraki/1.1.2/data_stream/log/elasticsearch/ingest_pipeline/airmarshal.yml
deleted file mode 100755
index 2a7b399e94..0000000000
--- a/packages/cisco_meraki/1.1.2/data_stream/log/elasticsearch/ingest_pipeline/airmarshal.yml
+++ /dev/null
@@ -1,63 +0,0 @@
----
-description: Pipeline for Cisco Meraki airmarshal_events type
-processors:
-- dissect:
- description: Determine the airmarshal event type
- field: event.original
- pattern: "%{} airmarshal_events %{*type}=%{&type} %{}"
-- rename:
- field: type
- target_field: cisco_meraki.event_subtype
-- grok:
- field: event.original
- patterns:
- - '%{GREEDYDATA} ssid=%{QS:_temp.ssid}%{SPACE}%{GREEDYDATA:_temp.kvline}'
-- dissect:
- field: _temp.ssid
- pattern: "'%{_temp.kv.ssid}'"
-- kv:
- field: _temp.kvline
- field_split: " "
- value_split: "="
- target_field: _temp.kv
- strip_brackets: true
-- rename:
- field: _temp.kv.ssid
- target_field: network.name
- if: ctx?._temp?.kv?.ssid != null
-- rename:
- field: _temp.kv.bssid
- target_field: cisco_meraki.bssid
-- rename:
- field: _temp.kv.vap
- target_field: cisco_meraki.vap
- if: ctx?.cisco_meraki?.event_subtype == 'ssid_spoofing_detected'
-- gsub:
- field: _temp.kv.src
- target_field: source.mac
- pattern: '[-:.]'
- replacement: '-'
-- gsub:
- field: _temp.kv.dst
- target_field: destination.mac
- pattern: '[-:.]'
- replacement: '-'
-- gsub:
- field: _temp.kv.wired_mac
- target_field: observer.mac
- pattern: '[-:.]'
- replacement: '-'
- if: ctx?.cisco_meraki?.event_subtype == 'rogue_ssid_detected'
-- rename:
- field: _temp.kv.vlan_id
- target_field: network.vlan.id
- if: ctx?.cisco_meraki?.event_subtype == 'rogue_ssid_detected'
-- rename:
- field: _temp.kv.channel
- target_field: cisco_meraki.channel
-- rename:
- field: _temp.kv.fc_type
- target_field: cisco_meraki.fc_type
-- rename:
- field: _temp.kv.fc_subtype
- target_field: cisco_meraki.fc_subtype
diff --git a/packages/cisco_meraki/1.1.2/data_stream/log/elasticsearch/ingest_pipeline/default.yml b/packages/cisco_meraki/1.1.2/data_stream/log/elasticsearch/ingest_pipeline/default.yml
deleted file mode 100755
index bcb383879e..0000000000
--- a/packages/cisco_meraki/1.1.2/data_stream/log/elasticsearch/ingest_pipeline/default.yml
+++ /dev/null
@@ -1,356 +0,0 @@ ---- -description: Pipeline for Cisco Meraki syslog -processors: -- set: - field: ecs.version - value: '8.4.0' -- rename: - field: message - target_field: event.original -- dissect: - description: Extract syslog words - field: event.original - pattern: "%{} %{_temp.ts_nano} %{observer.hostname} %{cisco_meraki.event_type} %{}" -- date: - field: _temp.ts_nano - formats: - - UNIX - timezone: '{{{_conf.tz_offset}}}' -- pipeline: - name: '{{ IngestPipeline "flows" }}' - if: ctx.cisco_meraki.event_type == 'flows' -- pipeline: - name: '{{ IngestPipeline "ipflows" }}' - if: ctx.cisco_meraki.event_type == 'ip_flow_start' || ctx.cisco_meraki.event_type == 'ip_flow_end' -- pipeline: - name: '{{ IngestPipeline "airmarshal" }}' - if: ctx.cisco_meraki.event_type == 'airmarshal_events' -- pipeline: - name: '{{ IngestPipeline "security" }}' - if: ctx.cisco_meraki.event_type == 'security_event' -- pipeline: - name: '{{ IngestPipeline "idsalerts" }}' - if: ctx.cisco_meraki.event_type == 'ids-alerts' -- pipeline: - name: '{{ IngestPipeline "events" }}' - if: ctx.cisco_meraki.event_type == 'events' -- pipeline: - name: '{{ IngestPipeline "urls" }}' - if: ctx.cisco_meraki.event_type == 'urls' -- append: - field: event.category - value: ["network"] -- append: - field: event.type - value: ["info"] -- script: - lang: painless - description: The script sets event type, action and category based on type and sub-type fields - tag: set-event-type-for-meraki-events - params: - eventmap: - "vpn_connectivity_change": - category: - - session - type: - - connection - action: vpn-connectivity-change - "dhcp_offer": - type: - - access - - allowed - action: dhcp-offer - "dhcp_no_offer": - type: - - access - - denied - action: dhcp-no-offer - "Site-to-Site VPN": - type: - - access - action: site-to-site-vpn - "client_vpn_connect": - category: - - session - type: - - access - - allowed - - start - action: site-to-site-vpn - "ip_session_initiated": - type: - - access - - start - 
action: ip-session-initiated - "flow_allowed": - type: - - connection - - start - action: layer3-firewall-allowed-flow - "flow_denied": - type: - - access - - denied - action: layer3-firewall-denied-flow - "http_access": - category: - - web - type: - - access - action: http-access - "http_access_error": - category: - - web - type: - - error - action: http-access-error - "ids_alerted": - category: - - threat - type: - - indicator - action: ids-signature-matched - "security_filtering_file_scanned": - category: - - threat - - malware - type: - - indicator - - info - action: malicious-file-actioned - "security_filtering_disposition_change": - category: - - threat - - malware - type: - - indicator - - info - action: issued-retrospective-malicious-disposition - "association": - type: - - access - - connection - action: wifi-association-request - "disassociation": - category: - - session - type: - - access - - end - action: wifi-disassociation-request - "wpa_auth": - category: - - authentication - type: - - start - - access - action: wifi-wpa-authentication - "wpa_deauth": - category: - - authentication - type: - - end - - denied - action: wifi-wpa-failed-auth-or-deauth - "8021x_eap_failure": - category: - - authentication - type: - - end - - denied - action: wifi-8021x-failed-authentication-attempt - "8021x_deauth": - category: - - authentication - type: - - end - - denied - action: wifi-8021x-failed-auth-or-deauth - "8021x_eap_success": - category: - - authentication - type: - - start - action: wifi-8021x-auth - "splash_auth": - category: - - authentication - type: - - start - action: splash-authentication - "device_packet_flood": - category: - - threat - type: - - indicator - action: wireless-packet-flood-detected - "rogue_ssid_detected": - category: - - threat - type: - - indicator - action: rogue-ssid-detected - "ssid_spoofing_detected": - category: - - threat - type: - - indicator - action: ssid-spoofing-detected - "multiple_dhcp_servers_detected": - type: - - 
protocol - "dfs_event": - action: dynamic-frequency-selection-detected - "aps_association_reject": - action: association-rejected-for-load-balancing - if: ctx?.cisco_meraki?.event_subtype != null - source: |- - def eventMap = params.get('eventmap'); - def eventData = eventMap.get(ctx.cisco_meraki.event_subtype); - if (eventData == null) { - ctx.event.action = ctx.cisco_meraki.event_subtype; - return; - } - def eventCategory = eventData.get('category'); - def eventType = eventData.get('type'); - def eventAction = eventData.get('action'); - if (eventType != null) { - for (def t : eventType) { - ctx.event.type.add(t); - } - } - if (eventCategory != null) { - for (def c : eventCategory) { - ctx.event.category.add(c); - } - } - if (eventAction != null) { - ctx.event.action = eventAction; - } - -# IP Geolocation Lookup (source) -- geoip: - field: source.ip - target_field: source.geo - ignore_missing: true - if: ctx.source?.geo == null && ctx?.source?.ip != null -# IP Autonomous System (AS) Lookup -- geoip: - database_file: GeoLite2-ASN.mmdb - field: source.ip - target_field: source.as - properties: - - asn - - organization_name - ignore_missing: true - if: ctx?.source?.ip != null -- rename: - field: source.as.asn - target_field: source.as.number - ignore_missing: true -- rename: - field: source.as.organization_name - target_field: source.as.organization.name - ignore_missing: true -# IP Geolocation Lookup (destination) -- geoip: - field: destination.ip - target_field: destination.geo - ignore_missing: true - if: ctx.destination?.geo == null && ctx?.destination?.ip != null -# IP Autonomous System (AS) Lookup -- geoip: - database_file: GeoLite2-ASN.mmdb - field: destination.ip - target_field: destination.as - properties: - - asn - - organization_name - ignore_missing: true - if: ctx?.destination?.ip != null -- rename: - field: destination.as.asn - target_field: destination.as.number - ignore_missing: true -- rename: - field: destination.as.organization_name - target_field: 
destination.as.organization.name - ignore_missing: true -# IP Geolocation Lookup (client) -- geoip: - field: client.ip - target_field: client.geo - ignore_missing: true - if: ctx.client?.geo == null && ctx?.client?.ip != null -# IP Autonomous System (AS) Lookup -- geoip: - database_file: GeoLite2-ASN.mmdb - field: client.ip - target_field: client.as - properties: - - asn - - organization_name - ignore_missing: true - if: ctx?.client?.ip != null -- rename: - field: client.as.asn - target_field: client.as.number - ignore_missing: true -- rename: - field: client.as.organization_name - target_field: client.as.organization.name - ignore_missing: true -## -# Clean up -## -- remove: - field: - - _temp - - _conf - - sport - - dport - - mac - - src - - dst - - translated_src_ip - - translated_dst_ip - - translated_port - - wired_mac - - rssi - - protocol - - dhost - - client_mac - - radio - - sts - - msgtype - - timestamp - ignore_missing: true -- script: - lang: painless - description: This script processor iterates over the whole document to remove fields with null values. - source: | - void handleMap(Map map) { - for (def x : map.values()) { - if (x instanceof Map) { - handleMap(x); - } else if (x instanceof List) { - handleList(x); - } - } - map.values().removeIf(v -> v == null || v == '' || (v instanceof Map && v.size() == 0) || (v instanceof List && v.size() == 0)); - } - void handleList(List list) { - for (def x : list) { - if (x instanceof Map) { - handleMap(x); - } else if (x instanceof List) { - handleList(x); - } - } - list.removeIf(v -> v == null || v == '' || (v instanceof Map && v.size() == 0) || (v instanceof List && v.size() == 0)); - } - handleMap(ctx); -on_failure: -- set: - field: error.message - value: '{{ _ingest.on_failure_message }}' 
diff --git a/packages/cisco_meraki/1.1.2/data_stream/log/elasticsearch/ingest_pipeline/events.yml b/packages/cisco_meraki/1.1.2/data_stream/log/elasticsearch/ingest_pipeline/events.yml deleted file mode 100755 index 42ee924ac9..0000000000 --- a/packages/cisco_meraki/1.1.2/data_stream/log/elasticsearch/ingest_pipeline/events.yml +++ /dev/null 
@@ -1,206 +0,0 @@ ---- -description: Pipeline for Cisco Meraki events type -processors: -#################################################### -# set event_subtype based on type/format -#################################################### -- dissect: - description: Determine event type/format - field: event.original - pattern: "%{} events %{msgtype} %{}" -- set: - field: cisco_meraki.event_subtype - value: 'Site-to-Site VPN' - if: ctx?.msgtype.toLowerCase() == "site-to-site" -- set: - field: cisco_meraki.event_subtype - value: client_vpn_connect - if: ctx?.msgtype.toLowerCase() == "client_vpn_connect" -#################################################### -# log event with type= format -# these are dfs_event, association, disassocation, -# vpn_connectivity_change, wpa_auth, wpa_deauth -#################################################### -- dissect: - description: Get the event subtype - field: event.original - pattern: "%{} events type=%{type} %{}" - if: ctx?.msgtype.startsWith("type=") -- rename: - field: type - target_field: cisco_meraki.event_subtype - if: ctx?.type != null - -#################################################### -# Handle DHCP log events -#################################################### -- dissect: - field: event.original - pattern: "%{} events dhcp %{_temp.dhcp_op} %{_temp.dhcp_op2} %{}" - if: ctx?.msgtype.toLowerCase() == "dhcp" -- set: - field: network.protocol - value: dhcp - if: ctx?.msgtype.toLowerCase() == "dhcp" -- dissect: - field: event.original - pattern: "%{} events dhcp lease of ip %{_temp.client_ip} from %{} mac %{server.mac} for client mac %{client.mac} %{}" - if: ctx?.msgtype.toLowerCase() == "dhcp" && ctx?._temp?.dhcp_op.toLowerCase() == 'lease' -- dissect: - field: event.original - pattern: "%{} events dhcp no offers for mac %{client.mac} %{}" - if: ctx?.msgtype.toLowerCase() == "dhcp" && ctx?._temp?.dhcp_op.toLowerCase() == 'no' && ctx?._temp?.dhcp_op2.toLowerCase() == 'offers' -- set: - field: cisco_meraki.event_subtype - 
value: dhcp_offer - if: ctx?.msgtype.toLowerCase() == "dhcp" && ctx?._temp?.dhcp_op == 'lease' -- set: - field: cisco_meraki.event_subtype - value: dhcp_no_offer - if: ctx?.msgtype.toLowerCase() == "dhcp" && ctx?._temp?.dhcp_op.toLowerCase() == 'no' && ctx?._temp?.dhcp_op2.toLowerCase() == 'offers' -#################################################### -# Handle Site-to-Site VPN message -#################################################### -- grok: - description: Process Site-to-Site VPN messages - field: event.original - patterns: - - '%{SYSLOGHDR}%{SPACE}%{NUMBER}%{SPACE}%{WORDORHOST}%{SPACE}events%{SPACE}(?i)Site-to-Site VPN:%{GREEDYDATA:cisco_meraki.site_to_site_vpn.raw}' - pattern_definitions: - SYSLOGPRI: '<%{NONNEGINT:log.syslog.priority:long}>' - SYSLOGVER: '\b(?:\d{1,2})\b' - SYSLOGHDR: '%{SYSLOGPRI}%{SYSLOGVER}' - WORDORHOST: '(?:%{WORD}|%{HOSTNAME})' - if: ctx.event.original.startsWith('<') && ctx?.cisco_meraki?.event_subtype == "Site-to-Site VPN" - -#################################################### -# Handle dfs_event, wpa_auth, wpa_deauth, -# association or disassociation -#################################################### -- grok: - field: event.original - patterns: - - '%{SYSLOGHDR}%{SPACE}%{NUMBER}%{SPACE}%{WORDORHOST}%{SPACE}events%{SPACE}%{GREEDYDATA:_temp.rest}' - pattern_definitions: - SYSLOGPRI: '<%{NONNEGINT:log.syslog.priority:long}>' - SYSLOGVER: '\b(?:\d{1,2})\b' - SYSLOGHDR: '%{SYSLOGPRI}%{SYSLOGVER}' - WORDORHOST: '(?:%{WORD}|%{HOSTNAME})' - if: ctx.event.original.startsWith('<') && ['dfs_event', 'association', 'disassociation', 'aps_association_reject', 'multiple_dhcp_servers_detected', 'wpa_deauth', 'wpa_auth', 'vpn_connectivity_change', '8021x_eap_failure', '8021x_auth', '8021x_deauth', '8021x_eap_success', 'splash_auth', 'device_packet_flood'].contains(ctx.cisco_meraki.event_subtype) -- kv: - field: _temp.rest - field_split: "[ \t]{1,}" - value_split: "=" - target_field: cisco_meraki.{{{cisco_meraki.event_subtype}}} - 
strip_brackets: true - if: ctx?._temp?.rest != null && ['dfs_event', 'association', 'disassociation', 'aps_association_reject', 'multiple_dhcp_servers_detected', 'wpa_deauth', 'wpa_auth', '8021x_eap_failure', '8021x_auth', '8021x_deauth', '8021x_eap_success', 'splash_auth', 'device_packet_flood'].contains(ctx.cisco_meraki.event_subtype) -# special case for site-to-site vpn -- kv: - field: _temp.rest - field_split: "[ \t]{1,}" - value_split: "=" - target_field: cisco_meraki.site_to_site_vpn.connectivity_change - strip_brackets: true - if: ctx?._temp?.rest != null && ctx?.cisco_meraki?.event_subtype == 'vpn_connectivity_change' - -#################################################### -# Move values from event subtypes to ECS fields -# multiple_dhcp_servers_detected -#################################################### -- set: - field: network.protocol - value: dhcp - if: ctx?.cisco_meraki?.event_subtype == 'multiple_dhcp_servers_detected' -- rename: - field: cisco_meraki.multiple_dhcp_servers_detected.original_server_mac - target_field: server.mac - if: ctx?.cisco_meraki?.event_subtype == 'multiple_dhcp_servers_detected' -# process original_server_ip -- grok: - field: cisco_meraki.multiple_dhcp_servers_detected.original_server_ip - patterns: - - "^%{IPV4:cisco_meraki.multiple_dhcp_servers_detected.original_server_ip}$" - - "^%{IPV6:cisco_meraki.multiple_dhcp_servers_detected.original_server_ip}$" - if: ctx?.cisco_meraki?.event_subtype == 'multiple_dhcp_servers_detected' - ignore_failure: true -- convert: - type: ip - field: cisco_meraki.multiple_dhcp_servers_detected.original_server_ip - target_field: server.ip - if: ctx?.cisco_meraki?.event_subtype == 'multiple_dhcp_servers_detected' - ignore_failure: true -# cleanup only if the conversion was successful -- remove: - field: cisco_meraki.multiple_dhcp_servers_detected.original_server_ip - if: ctx?.server?.ip != null -- append: - field: related.ip - value: "{{{server.ip}}}" - if: ctx?.cisco_meraki?.event_subtype == 
'multiple_dhcp_servers_detected' -# process server_ip (the other dhcp server ip) -- grok: - field: cisco_meraki.multiple_dhcp_servers_detected.server_ip - patterns: - - "^%{IPV4:cisco_meraki.multiple_dhcp_servers_detected.server_ip}$" - - "^%{IPV6:cisco_meraki.multiple_dhcp_servers_detected.server_ip}$" - if: ctx?.cisco_meraki?.event_subtype == 'multiple_dhcp_servers_detected' -- convert: - type: ip - field: cisco_meraki.multiple_dhcp_servers_detected.server_ip - if: ctx?.cisco_meraki?.event_subtype == 'multiple_dhcp_servers_detected' -- append: - field: related.ip - value: "{{{cisco_meraki.multiple_dhcp_servers_detected.server_ip}}}" - if: ctx?.cisco_meraki?.event_subtype == 'multiple_dhcp_servers_detected' -#################################################### -# wpa_deauth -#################################################### -- rename: - field: cisco_meraki.wpa_deauth.client_mac - target_field: client.mac - if: ctx?.cisco_meraki?.event_subtype == 'wpa_deauth' - -#################################################### -# Handle client_vpn_connect -#################################################### -- dissect: - field: event.original - pattern: "%{} events client_vpn_connect user id '%{user.name}' local ip %{network.forwarded_ip} connected from %{_temp.client_ip}" - if: ctx?.cisco_meraki?.event_subtype == "client_vpn_connect" - -#################################################### -# parse dissected IP values and convert to IP type -# common case for DHCP lease and client_vpn_connect -#################################################### -- grok: - field: _temp.client_ip - patterns: - - "^%{IPV4:_temp.client_ip}$" - - "^%{IPV6:_temp.client_ip}$" - if: ctx?._temp?.client_ip != null - ignore_failure: true -- convert: - type: ip - field: _temp.client_ip - target_field: client.ip - if: ctx?._temp?.client_ip != null - ignore_failure: true - -# Make MAC addresses conform to ECS spec. 
-- gsub: - field: client.mac - pattern: '[:.]' - replacement: '-' - ignore_missing: true -- uppercase: - field: client.mac - ignore_missing: true -- gsub: - field: server.mac - pattern: '[:.]' - replacement: '-' - ignore_missing: true -- uppercase: - field: server.mac - ignore_missing: true - diff --git a/packages/cisco_meraki/1.1.2/data_stream/log/elasticsearch/ingest_pipeline/flows.yml b/packages/cisco_meraki/1.1.2/data_stream/log/elasticsearch/ingest_pipeline/flows.yml deleted file mode 100755 index 7f47b9f6cc..0000000000 --- a/packages/cisco_meraki/1.1.2/data_stream/log/elasticsearch/ingest_pipeline/flows.yml +++ /dev/null 
@@ -1,72 +0,0 @@ ---- -description: Pipeline for Cisco Meraki flows message type -processors: -- dissect: - description: Determine if the token is src= or operation - field: event.original - pattern: "%{} %{} %{} %{} %{_temp.token} %{}" -- dissect: - description: Case for src= follows flows keyword - field: event.original - pattern: "%{} flows %{*src}=%{&src} %{*dst}=%{&dst} %{*prot}=%{&prot} %{*sport}=%{&sport} %{*dport}=%{&dport} %{}" - if: ctx._temp.token.startsWith("src=") == true -- dissect: - description: Case for firewall action prepends src= - field: event.original - pattern: "%{} flows %{cisco_meraki.flows.op} %{*src}=%{&src} %{*dst}=%{&dst} %{*mac}=%{&mac} %{*prot}=%{&prot} %{*sport}=%{&sport} %{*dport}=%{&dport}" - if: ctx._temp.token.startsWith("src=") == false -- grok: - field: src - patterns: - - "^%{IPV4:src}$" - - "^%{IPV6:src}$" - if: ctx?.src != null -- convert: - type: ip - field: src - target_field: source.ip - ignore_failure: true -- grok: - field: dst - patterns: - - "^%{IPV4:dst}$" - - "^%{IPV6:dst}$" - if: ctx?.dst != null -- convert: - type: ip - field: dst - target_field: destination.ip - ignore_failure: true -- rename: - field: protocol - target_field: network.protocol -- convert: - field: sport - target_field: source.port - type: long - if: ctx?.sport != "0" - ignore_failure: true -- convert: - field: dport - target_field: destination.port - type: long - if: ctx?.dport != "0" - ignore_failure: true -- gsub: - field: mac - target_field: source.mac - pattern: '[-:.]' - replacement: '-' - if: ctx._temp.token.startsWith("src=") == false -- set: - field: cisco_meraki.event_subtype - value: "ip_session_initiated" - if: ctx._temp.token.startsWith("src=") == true -- set: - field: cisco_meraki.event_subtype - value: "flow_allowed" - if: ctx._temp.token.startsWith("src=") == false && ctx?.cisco_meraki?.flows?.op == 'allow' -- set: - field: cisco_meraki.event_subtype - value: "flow_denied" - if: ctx._temp.token.startsWith("src=") == false && 
ctx?.cisco_meraki?.flows?.op == 'deny' diff --git a/packages/cisco_meraki/1.1.2/data_stream/log/elasticsearch/ingest_pipeline/idsalerts.yml b/packages/cisco_meraki/1.1.2/data_stream/log/elasticsearch/ingest_pipeline/idsalerts.yml deleted file mode 100755 index a1684a5e30..0000000000 --- a/packages/cisco_meraki/1.1.2/data_stream/log/elasticsearch/ingest_pipeline/idsalerts.yml +++ /dev/null @@ -1,48 +0,0 @@ ---- -description: Pipeline for Cisco Meraki ids-alerts type -processors: -- dissect: - description: Determine the ids-alerts security event type - field: event.original - pattern: "%{} ids-alerts %{*sig}=%{&sig} %{*pri}=%{&pri} %{*ts}=%{&ts} %{*dir}=%{&dir} %{*prot}=%{&prot} %{*src}=%{&src}" -- set: - field: cisco_meraki.event_subtype - value: ids_alerted -- rename: - field: priority - target_field: cisco_meraki.security.priority -- rename: - field: signature - target_field: cisco_meraki.security.signature -- date: - field: timestamp - target_field: threat.indicator.last_seen - formats: ['UNIX'] -- rename: - field: direction - target_field: network.direction -- lowercase: - field: protocol - target_field: network.protocol -- grok: - field: src - patterns: - - "^%{IPV4:_temp.src_ip}:%{PORT:sport}$" - - "^\\[%{IPV6:_temp.src_ip}\\]:%{PORT:sport}$" - - "^%{IPV6NOCOMPRESS:_temp.src_ip}:%{PORT:sport}$" - - "^%{IPV6:_temp.src_ip}%{IPV6PORTSEP}%{PORT:sport}$" - pattern_definitions: - IPV6NOCOMPRESS: '([0-9A-Fa-f]{1,4}:){7}[0-9A-Fa-f]{1,4}' - IPV6PORTSEP: '(?: port |[p#.])' - PORT: '[0-9]+' - if: ctx?.src != null -- convert: - type: ip - field: _temp.src_ip - target_field: source.ip - ignore_failure: true -- convert: - field: sport - target_field: source.port - type: long - ignore_failure: true diff --git a/packages/cisco_meraki/1.1.2/data_stream/log/elasticsearch/ingest_pipeline/ipflows.yml b/packages/cisco_meraki/1.1.2/data_stream/log/elasticsearch/ingest_pipeline/ipflows.yml deleted file mode 100755 index eb6667d991..0000000000 
--- a/packages/cisco_meraki/1.1.2/data_stream/log/elasticsearch/ingest_pipeline/ipflows.yml +++ /dev/null 
@@ -1,62 +0,0 @@ ---- -description: Pipeline for Cisco Meraki ip_flow_start and ip_flow_end message type -processors: -- dissect: - description: Determine if the token is src= or operation - field: event.original - pattern: "%{} %{} %{} %{_temp.event_type} %{_temp.token} %{}" -- dissect: - description: Case for src= follows ip_flow_start - field: event.original - pattern: "%{} ip_flow_start %{*src}=%{&src} %{*dst}=%{&dst} %{*prot}=%{&prot} %{*sport}=%{&sport} %{*dport}=%{&dport} %{*tsi}=%{&tsi} %{*tp}=%{&tp}" - if: ctx._temp.event_type == 'ip_flow_start' && ctx._temp.token.startsWith("src=") == true -- dissect: - description: Case for src= follows ip_flow_end - field: event.original - pattern: "%{} ip_flow_end %{*src}=%{&src} %{*dst}=%{&dst} %{*prot}=%{&prot} %{*sport}=%{&sport} %{*dport}=%{&dport} %{*tsi_or_tdi}=%{&tsi_or_tdi} %{*tp}=%{&tp}" - if: ctx._temp.event_type == 'ip_flow_end' && ctx._temp.token.startsWith("src=") == true -# source field IP:port handling -- convert: - type: ip - field: translated_src_ip - target_field: source.ip - if: ctx?.translated_src_ip != null -- convert: - type: ip - field: src - target_field: source.ip - if: ctx?.translated_src_ip == null && ctx?.src != null -- convert: - field: translated_port - target_field: source.port - type: long - if: ctx?.translated_src_ip != null && ctx?.translated_port != null -- convert: - field: sport - target_field: source.port - type: long - if: ctx?.translated_src_ip == null && ctx?.sport != null -# destination field IP:port handling -- convert: - type: ip - field: translated_dst_ip - target_field: destination.ip - if: ctx?.translated_dst_ip != null -- convert: - type: ip - field: dst - target_field: destination.ip - if: ctx?.translated_dst_ip == null && ctx?.dst != null -- convert: - field: translated_port - target_field: destination.port - type: long - if: ctx?.translated_dst_ip != null && ctx?.translated_port != null -- convert: - field: dport - target_field: destination.port - type: long - if: 
ctx?.translated_dst_ip == null && ctx?.dport != null -- rename: - field: protocol - target_field: network.protocol diff --git a/packages/cisco_meraki/1.1.2/data_stream/log/elasticsearch/ingest_pipeline/security.yml b/packages/cisco_meraki/1.1.2/data_stream/log/elasticsearch/ingest_pipeline/security.yml deleted file mode 100755 index 6ddd6e2f37..0000000000 --- a/packages/cisco_meraki/1.1.2/data_stream/log/elasticsearch/ingest_pipeline/security.yml +++ /dev/null 
@@ -1,151 +0,0 @@ ---- -description: Pipeline for Cisco Meraki security_event type -processors: -- dissect: - description: Determine the security event type - field: event.original - pattern: "%{} security_event %{type} %{}" -- rename: - field: type - target_field: cisco_meraki.event_subtype - -# scan event based on event type -- dissect: - field: event.original - pattern: "%{} ids_alerted %{*sig}=%{&sig} %{*pri}=%{&pri} %{*ts}=%{&ts} %{*dhost}=%{&dhost} %{*dir}=%{&dir} %{*prot}=%{&prot} %{*src}=%{&src} %{*dst}=%{&dst} %{}" - if: ctx?.cisco_meraki?.event_subtype == 'ids_alerted' -- dissect: - field: event.original - pattern: "%{} security_filtering_file_scanned %{*url}=%{&url} %{*src}=%{&src} %{*dst}=%{&dst} %{*mac}=%{&mac} %{*name}='%{&name}' %{*sha256}=%{&sha256} %{*disp}=%{&disp} %{*action}=%{&action}" - if: ctx?.cisco_meraki?.event_subtype == 'security_filtering_file_scanned' -- dissect: - field: event.original - pattern: "%{} security_filtering_disposition_change %{*name}=%{&name} %{*sha256}=%{&sha256} %{*disp}=%{&disp} %{*action}=%{&action}" - if: ctx?.cisco_meraki?.event_subtype == 'security_filtering_disposition_change' - -# handle fields of ids_alerted type -- rename: - field: priority - target_field: cisco_meraki.security.priority - if: ctx?.cisco_meraki?.event_subtype == 'ids_alerted' -- rename: - field: signature - target_field: cisco_meraki.security.signature - if: ctx?.cisco_meraki?.event_subtype == 'ids_alerted' -- date: - field: timestamp - target_field: threat.indicator.last_seen - formats: ['UNIX'] - if: ctx?.cisco_meraki?.event_subtype == 'ids_alerted' -- gsub: - field: dhost - target_field: cisco_meraki.security.dhost - pattern: '[-:.]' - replacement: '-' - if: ctx?.cisco_meraki?.event_subtype == 'ids_alerted' -- rename: - field: direction - target_field: network.direction - if: ctx?.cisco_meraki?.event_subtype == 'ids_alerted' -- lowercase: - field: protocol - target_field: network.protocol - if: ctx?.cisco_meraki?.event_subtype == 
'ids_alerted' -# Process the remaining after dst=. It can have "decision= message: *" or just "message: *" -- dissect: - field: event.original - pattern: "%{} dst=%{?ignore} %{*decision}=%{&decision} %{*message}:%{&message}" - if: ctx?.cisco_meraki?.event_subtype == 'ids_alerted' - ignore_failure: true -- dissect: - field: event.original - pattern: "%{} dst=%{?ignore} %{*message}:%{&message}" - if: ctx?.decision == null && ctx?.cisco_meraki?.event_subtype == 'ids_alerted' -- rename: - field: message - target_field: threat.indicator.description - ignore_missing: true - if: ctx?.cisco_meraki?.event_subtype == 'ids_alerted' -- rename: - field: decision - target_field: cisco_meraki.security.decision - ignore_missing: true - if: ctx?.cisco_meraki?.event_subtype == 'ids_alerted' - -# handle fields of security_filtering_file_scanned or security_filtering_disposition_change type -- rename: - field: url - target_field: threat.indicator.reference - if: ctx?.cisco_meraki?.event_subtype == 'security_filtering_file_scanned' -- gsub: - field: mac - target_field: cisco_meraki.security.mac - pattern: '[-:.]' - replacement: '-' - if: ctx?.cisco_meraki?.event_subtype == 'security_filtering_file_scanned' -- rename: - field: name - target_field: threat.indicator.file.name - if: ctx?.cisco_meraki?.event_subtype == 'security_filtering_file_scanned' || ctx?.cisco_meraki?.event_subtype == 'security_filtering_disposition_change' -- rename: - field: sha256 - target_field: threat.indicator.file.hash.sha256 - if: ctx?.cisco_meraki?.event_subtype == 'security_filtering_file_scanned' || ctx?.cisco_meraki?.event_subtype == 'security_filtering_disposition_change' -- rename: - field: disposition - target_field: cisco_meraki.disposition - ignore_missing: true -- rename: - field: action - target_field: cisco_meraki.security.action - if: ctx?.cisco_meraki?.event_subtype == 'security_filtering_file_scanned' || ctx?.cisco_meraki?.event_subtype == 'security_filtering_disposition_change' -# fields common 
to more than one event type -# src processing -- grok: - field: src - patterns: - - "^%{IPV4:_temp.src_ip}:%{PORT:sport}$" - - "^\\[%{IPV6:_temp.src_ip}\\]:%{PORT:sport}$" - - "^%{IPV6NOCOMPRESS:_temp.src_ip}:%{PORT:sport}$" - - "^%{IPV6:_temp.src_ip}%{IPV6PORTSEP}%{PORT:sport}$" - pattern_definitions: - IPV6NOCOMPRESS: '([0-9A-Fa-f]{1,4}:){7}[0-9A-Fa-f]{1,4}' - IPV6PORTSEP: '(?: port |[p#.])' - PORT: '[0-9]+' - if: ctx?.cisco_meraki?.event_subtype != 'security_filtering_disposition_change' && ctx?.src != null -- convert: - type: ip - field: _temp.src_ip - target_field: source.ip - if: ctx?.cisco_meraki?.event_subtype != 'security_filtering_disposition_change' -- convert: - field: sport - target_field: source.port - type: long - if: ctx?.sport != "0" && ctx?.cisco_meraki?.event_subtype != 'security_filtering_disposition_change' - ignore_failure: true -# dst processing -- grok: - field: dst - patterns: - - "^%{IPV4:_temp.dst_ip}:%{PORT:dport}$" - - "^\\[%{IPV6:_temp.dst_ip}\\]:%{PORT:dport}$" - - "^%{IPV6NOCOMPRESS:_temp.dst_ip}:%{PORT:dport}$" - - "^%{IPV6:_temp.dst_ip}%{IPV6PORTSEP}%{PORT:dport}$" - pattern_definitions: - IPV6NOCOMPRESS: '([0-9A-Fa-f]{1,4}:){7}[0-9A-Fa-f]{1,4}' - IPV6PORTSEP: '(?: port |[p#.])' - PORT: '[0-9]+' - if: ctx?.cisco_meraki?.event_subtype != 'security_filtering_disposition_change' && ctx?.dst != null -- convert: - type: ip - field: _temp.dst_ip - target_field: destination.ip - ignore_failure: true - if: ctx?.cisco_meraki?.event_subtype != 'security_filtering_disposition_change' -- convert: - field: dport - target_field: destination.port - type: long - if: ctx?.dport != "0" && ctx?.cisco_meraki?.event_subtype != 'security_filtering_disposition_change' - ignore_failure: true diff --git a/packages/cisco_meraki/1.1.2/data_stream/log/elasticsearch/ingest_pipeline/urls.yml b/packages/cisco_meraki/1.1.2/data_stream/log/elasticsearch/ingest_pipeline/urls.yml deleted file mode 100755 index 68bcddb288..0000000000 
--- a/packages/cisco_meraki/1.1.2/data_stream/log/elasticsearch/ingest_pipeline/urls.yml +++ /dev/null @@ -1,64 +0,0 @@ ---- -description: Pipeline for Cisco Meraki urls type -processors: -- dissect: - description: Determine the security event type - field: event.original - pattern: "%{} urls %{*src}=%{&src} %{*dst}=%{&dst} %{*mac}=%{&mac} request: %{http.request.method} %{url.original}" -# src processing -- grok: - field: src - patterns: - - "^%{IPV4:_temp.src_ip}:%{PORT:sport}$" - - "^\\[%{IPV6:_temp.src_ip}\\]:%{PORT:sport}$" - - "^%{IPV6NOCOMPRESS:_temp.src_ip}:%{PORT:sport}$" - - "^%{IPV6:_temp.src_ip}%{IPV6PORTSEP}%{PORT:sport}$" - pattern_definitions: - IPV6NOCOMPRESS: '([0-9A-Fa-f]{1,4}:){7}[0-9A-Fa-f]{1,4}' - IPV6PORTSEP: '(?: port |[p#.])' - PORT: '[0-9]+' -- convert: - type: ip - field: _temp.src_ip - target_field: source.ip -- convert: - type: long - field: sport - target_field: source.port - ignore_failure: true -# dst processing -- grok: - field: dst - patterns: - - "^%{IPV4:_temp.dst_ip}:%{PORT:dport}$" - - "^\\[%{IPV6:_temp.dst_ip}\\]:%{PORT:dport}$" - - "^%{IPV6NOCOMPRESS:_temp.dst_ip}:%{PORT:dport}$" - - "^%{IPV6:_temp.dst_ip}%{IPV6PORTSEP}%{PORT:dport}$" - pattern_definitions: - IPV6NOCOMPRESS: '([0-9A-Fa-f]{1,4}:){7}[0-9A-Fa-f]{1,4}' - IPV6PORTSEP: '(?: port |[p#.])' - PORT: '[0-9]+' -- convert: - type: ip - field: _temp.dst_ip - target_field: destination.ip - ignore_failure: true -- convert: - type: long - field: dport - target_field: destination.port - if: ctx?.dport != "0" && ctx?.cisco_meraki?.event_subtype != 'security_filtering_disposition_change' - ignore_failure: true -- gsub: - field: mac - target_field: cisco_meraki.urls.mac - pattern: '[-:.]' - replacement: '-' -- set: - field: cisco_meraki.event_subtype - value: 'http_access' - if: ctx?.http?.request?.method.toLowerCase() != 'unknown' -- set: - field: cisco_meraki.event_subtype - value: 'http_access_error' - if: ctx?.http?.request?.method.toLowerCase() == 'unknown' 
diff --git a/packages/cisco_meraki/1.1.2/data_stream/log/fields/agent.yml b/packages/cisco_meraki/1.1.2/data_stream/log/fields/agent.yml deleted file mode 100755 index 162c9f3aa3..0000000000 --- a/packages/cisco_meraki/1.1.2/data_stream/log/fields/agent.yml +++ /dev/null 
@@ -1,207 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - -- name: input.type - type: keyword - description: Input type. 
-- name: log.source.address - type: keyword - description: Source address from which the log event was read / sent from. -- name: log.offset - type: long - description: Offset of the entry in the log file. diff --git a/packages/cisco_meraki/1.1.2/data_stream/log/fields/base-fields.yml b/packages/cisco_meraki/1.1.2/data_stream/log/fields/base-fields.yml deleted file mode 100755 index 7691cacc73..0000000000 --- a/packages/cisco_meraki/1.1.2/data_stream/log/fields/base-fields.yml +++ /dev/null @@ -1,27 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: "@timestamp" - type: date - description: Event timestamp. -- name: event.module - type: constant_keyword - description: Event module - value: cisco_meraki -- name: event.dataset - type: constant_keyword - description: Event dataset - value: cisco_meraki.log -- name: container.id - description: Unique container id. - ignore_above: 1024 - type: keyword -- name: input.type - description: Type of Filebeat input. - type: keyword diff --git a/packages/cisco_meraki/1.1.2/data_stream/log/fields/ecs.yml b/packages/cisco_meraki/1.1.2/data_stream/log/fields/ecs.yml deleted file mode 100755 index f8293ea2df..0000000000 --- a/packages/cisco_meraki/1.1.2/data_stream/log/fields/ecs.yml +++ /dev/null 
@@ -1,674 +0,0 @@ -- description: |- - Date/time when the event originated. - This is the date/time extracted from the event, typically representing when the event was generated by the source. - If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. - Required field for all events. - name: '@timestamp' - type: date -- description: IP address of the client (IPv4 or IPv6). - name: client.ip - type: ip -- description: |- - MAC address of the client. - The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. - name: client.mac - type: keyword -- description: |- - The domain name of the client system. - This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. - name: client.domain - type: keyword -- description: |- - The highest registered client domain, stripped of the subdomain. - For example, the registered domain for "foo.example.com" is "example.com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". - name: client.registered_domain - type: keyword -- description: |- - The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. - For example the subdomain portion of "www.east.mydomain.co.uk" is "east". 
If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. - name: client.subdomain - type: keyword -- description: |- - The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". - name: client.top_level_domain - type: keyword -- description: |- - Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: destination.address - type: keyword -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: destination.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: destination.as.organization.name - type: keyword -- description: Bytes sent from the destination to the source. - name: destination.bytes - type: long -- description: |- - The domain name of the destination system. - This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. - name: destination.domain - type: keyword -- description: City name. - name: destination.geo.city_name - type: keyword -- description: Country name. - name: destination.geo.country_name - type: keyword -- description: Longitude and latitude. 
- name: destination.geo.location - type: geo_point -- description: IP address of the destination (IPv4 or IPv6). - name: destination.ip - type: ip -- description: |- - MAC address of the destination. - The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. - name: destination.mac - pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ - type: keyword -- description: |- - Translated ip of destination based NAT sessions (e.g. internet to private DMZ) - Typically used with load balancers, firewalls, or routers. - name: destination.nat.ip - type: ip -- description: |- - Port the source session is translated to by NAT Device. - Typically used with load balancers, firewalls, or routers. - name: destination.nat.port - type: long -- description: Port of the destination. - name: destination.port - type: long -- description: |- - The highest registered destination domain, stripped of the subdomain. - For example, the registered domain for "foo.example.com" is "example.com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". - name: destination.registered_domain - type: keyword -- description: |- - The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. - For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. 
- name: destination.subdomain - type: keyword -- description: |- - The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". - name: destination.top_level_domain - type: keyword -- description: |- - The domain name to which this resource record pertains. - If a chain of CNAME is being resolved, each answer's `name` should be the one that corresponds with the answer's `data`. It should not simply be the original `question.name` repeated. - name: dns.answers.name - type: keyword -- description: The type of data contained in this resource record. - name: dns.answers.type - type: keyword -- description: |- - The highest registered domain, stripped of the subdomain. - For example, the registered domain for "foo.example.com" is "example.com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". - name: dns.question.registered_domain - type: keyword -- description: |- - The subdomain is all of the labels under the registered_domain. - If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. - name: dns.question.subdomain - type: keyword -- description: |- - The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). 
Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". - name: dns.question.top_level_domain - type: keyword -- description: The type of record being queried. - name: dns.question.type - type: keyword -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: Error message. - name: error.message - type: match_only_text -- description: |- - The action captured by the event. - This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. - name: event.action - type: keyword -- description: |- - Identification code for this event, if one exists. - Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. - name: event.code - type: keyword -- description: |- - Timestamp when an event arrived in the central data store. - This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. - In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. - name: event.ingested - type: date -- description: |- - Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. - This field is not indexed and doc_values are disabled. 
It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. - doc_values: false - index: false - name: event.original - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. - `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. - Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. - Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. - Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. - name: event.outcome - type: keyword -- description: |- - This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. - Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). - name: event.timezone - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. 
This will allow proper categorization of some events that fall in multiple categories. - name: event.category - normalize: - - array - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. - `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. This will allow proper categorization of some events that fall in multiple event types. - name: event.type - normalize: - - array - type: keyword -- description: |- - Array of file attributes. - Attributes names will vary by platform. Here's a non-exhaustive list of values that are expected in this field: archive, compressed, directory, encrypted, execute, hidden, read, readonly, system, write. - name: file.attributes - normalize: - - array - type: keyword -- description: Directory where the file is located. It should include the drive letter, when appropriate. - name: file.directory - type: keyword -- description: |- - File extension, excluding the leading dot. - Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). - name: file.extension - type: keyword -- description: Name of the file including the extension, without the directory. - name: file.name - type: keyword -- description: Full path to the file, including the file name. It should include the drive letter, when appropriate. - multi_fields: - - name: text - type: match_only_text - name: file.path - type: keyword -- description: |- - File size in bytes. - Only relevant when `file.type` is "file". - name: file.size - type: long -- description: File type (file, dir, or symlink). - name: file.type - type: keyword -- description: City name. - name: geo.city_name - type: keyword -- description: Country name. 
- name: geo.country_name - type: keyword -- description: |- - User-defined description of a location, at the level of granularity they care about. - Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. - Not typically used in automated geolocation. - name: geo.name - type: keyword -- description: Region name. - name: geo.region_name - type: keyword -- description: Unique identifier for the group on the system/platform. - name: group.id - type: keyword -- description: Name of the group. - name: group.name - type: keyword -- description: |- - Hostname of the host. - It normally contains what the `hostname` command returns on the host machine. - name: host.hostname - type: keyword -- description: Host ip addresses. - name: host.ip - normalize: - - array - type: ip -- description: |- - Host MAC addresses. - The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. - name: host.mac - normalize: - - array - pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ - type: keyword -- description: |- - Name of the host. - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. - name: host.name - type: keyword -- description: |- - HTTP request method. - The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field. - name: http.request.method - type: keyword -- description: Referrer for this HTTP request. - name: http.request.referrer - type: keyword -- description: |- - Original log level of the log event. - If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. 
If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). - Some examples are `warn`, `err`, `i`, `informational`. - name: log.level - type: keyword -- description: |- - The Syslog numeric facility of the log event, if available. - According to RFCs 5424 and 3164, this value should be an integer between 0 and 23. - name: log.syslog.facility.code - type: long -- description: |- - Syslog numeric priority of the event, if available. - According to RFCs 5424 and 3164, the priority is 8 * facility + severity. This number is therefore expected to contain a value between 0 and 191. - name: log.syslog.priority - type: long -- description: |- - The Syslog numeric severity of the log event, if available. - If the event source publishing via Syslog provides a different numeric severity value (e.g. firewall, IDS), your source's numeric severity should go to `event.severity`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `event.severity`. - name: log.syslog.severity.code - type: long -- description: |- - Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. - If the event wasn't read from a log file, do not populate this field. - name: log.file.path - type: keyword -- description: List of keywords used to tag each event. - name: tags - normalize: - - array - type: keyword -- description: |- - For log events the message field contains the log message, optimized for viewing in a log viewer. - For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. - If multiple messages exist, they can be combined into one message. 
- name: message - type: match_only_text -- description: |- - When a specific application or service is identified from network connection details (source/dest IPs, ports, certificates, or wire format), this field captures the application's or service's name. - For example, the original event identifies the network connection being from a specific web service in a `https` network connection, like `facebook` or `twitter`. - The field value must be normalized to lowercase for querying. - name: network.application - type: keyword -- description: |- - Total bytes transferred in both directions. - If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. - name: network.bytes - type: long -- description: |- - Direction of the network traffic. - When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". - When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". - Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. - name: network.direction - type: keyword -- description: Host IP address when the source IP address is the proxy. - name: network.forwarded_ip - type: ip -- description: Name given by operators to sections of their network. - name: network.name - type: keyword -- description: |- - Total packets transferred in both directions. - If `source.packets` and `destination.packets` are known, `network.packets` is their sum. - name: network.packets - type: long -- description: |- - In the OSI Model this would be the Application Layer protocol. 
For example, `http`, `dns`, or `ssh`. - The field value must be normalized to lowercase for querying. - name: network.protocol - type: keyword -- description: Interface name as reported by the system. - name: observer.egress.interface.name - type: keyword -- description: Interface name as reported by the system. - name: observer.ingress.interface.name - type: keyword -- description: The product name of the observer. - name: observer.product - type: keyword -- description: |- - The type of the observer the data is coming from. - There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. - name: observer.type - type: keyword -- description: Vendor name of the observer. - name: observer.vendor - type: keyword -- description: Observer version. - name: observer.version - type: keyword -- description: |- - MAC addresses of the observer. - The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. - name: observer.mac - normalize: - - array - pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ - type: keyword -- description: |- - Process name. - Sometimes called program name or similar. - multi_fields: - - name: text - type: match_only_text - name: process.name - type: keyword -- description: |- - Process name. - Sometimes called program name or similar. - multi_fields: - - name: text - type: match_only_text - name: process.parent.name - type: keyword -- description: |- - Process title. - The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. - multi_fields: - - name: text - type: match_only_text - name: process.parent.title - type: keyword -- description: Process id. - name: process.pid - type: long -- description: Process id. 
- name: process.parent.pid - type: long -- description: |- - Process title. - The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. - multi_fields: - - name: text - type: match_only_text - name: process.title - type: keyword -- description: All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. - name: related.hosts - normalize: - - array - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - normalize: - - array - type: ip -- description: All the user names or other user identifiers seen on the event. - name: related.user - normalize: - - array - type: keyword -- description: The name of the rule or signature generating the event. - name: rule.name - type: keyword -- description: |- - MAC address of the server. - The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. - name: server.mac - pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ - type: keyword -- description: IP address of the server (IPv4 or IPv6). - name: server.ip - type: ip -- description: |- - The domain name of the server system. - This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. - name: server.domain - type: keyword -- description: |- - The highest registered server domain, stripped of the subdomain. - For example, the registered domain for "foo.example.com" is "example.com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". 
- name: server.registered_domain - type: keyword -- description: |- - The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. - For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. - name: server.subdomain - type: keyword -- description: |- - The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". - name: server.top_level_domain - type: keyword -- description: |- - Name of the service data is collected from. - The name of the service is normally user given. This allows for distributed services that run on multiple hosts to correlate the related instances based on the name. - In the case of Elasticsearch the `service.name` could contain the cluster name. For Beats the `service.name` is by default a copy of the `service.type` field if no name is specified. - name: service.name - type: keyword -- description: |- - Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: source.address - type: keyword -- description: Unique number allocated to the autonomous system. 
The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: source.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: source.as.organization.name - type: keyword -- description: Bytes sent from the source to the destination. - name: source.bytes - type: long -- description: |- - The domain name of the source system. - This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. - name: source.domain - type: keyword -- description: City name. - name: source.geo.city_name - type: keyword -- description: Country name. - name: source.geo.country_name - type: keyword -- description: Longitude and latitude. - name: source.geo.location - type: geo_point -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: |- - MAC address of the source. - The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. - name: source.mac - pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ - type: keyword -- description: |- - Translated ip of source based NAT sessions (e.g. internal client to internet) - Typically connections traversing load balancers, firewalls, or routers. - name: source.nat.ip - type: ip -- description: |- - Translated port of source based NAT sessions. (e.g. internal client to internet) - Typically used with load balancers, firewalls, or routers. - name: source.nat.port - type: long -- description: Port of the source. - name: source.port - type: long -- description: |- - The highest registered source domain, stripped of the subdomain. - For example, the registered domain for "foo.example.com" is "example.com". 
- This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". - name: source.registered_domain - type: keyword -- description: |- - The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. - For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. - name: source.subdomain - type: keyword -- description: |- - The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". - name: source.top_level_domain - type: keyword -- description: |- - Domain of the url, such as "www.elastic.co". - In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. - If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. - name: url.domain - type: keyword -- description: |- - Unmodified original url as seen in the event source. - Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. 
- This field is meant to represent the URL as it was observed, complete or not. - multi_fields: - - name: text - type: match_only_text - name: url.original - type: wildcard -- description: Path of the request, such as "/search". - name: url.path - type: wildcard -- description: |- - The query field describes the query string of the request, such as "q=elasticsearch". - The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. - name: url.query - type: keyword -- description: |- - The highest registered url domain, stripped of the subdomain. - For example, the registered domain for "foo.example.com" is "example.com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". - name: url.registered_domain - type: keyword -- description: |- - The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". - name: url.top_level_domain - type: keyword -- description: |- - Name of the directory the user is a member of. - For example, an LDAP or Active Directory domain name. - name: user.domain - type: keyword -- description: User's full name, if available. - multi_fields: - - name: text - type: match_only_text - name: user.full_name - type: keyword -- description: Unique identifier of the user. - name: user.id - type: keyword -- description: Short name or login of the user. 
- multi_fields: - - name: text - type: match_only_text - name: user.name - type: keyword -- description: Unparsed user_agent string. - multi_fields: - - name: text - type: match_only_text - name: user_agent.original - type: keyword -- description: Hostname of the observer. - name: observer.hostname - type: keyword -- description: Name of the continent. - name: destination.geo.continent_name - type: keyword -- description: Country ISO code. - name: destination.geo.country_iso_code - type: keyword -- description: Region ISO code. - name: destination.geo.region_iso_code - type: keyword -- description: Region name. - name: destination.geo.region_name - type: keyword -- description: Name of the continent. - name: source.geo.continent_name - type: keyword -- description: Country ISO code. - name: source.geo.country_iso_code - type: keyword -- description: Region ISO code. - name: source.geo.region_iso_code - type: keyword -- description: Region name. - name: source.geo.region_name - type: keyword -- description: VLAN ID as reported by the observer. - name: network.vlan.id - type: keyword -- description: The date and time when intelligence source last reported sighting this indicator. - name: threat.indicator.last_seen - type: date -- description: Describes the type of action conducted by the threat. - name: threat.indicator.description - type: keyword -- description: Reference URL linking to additional information about this indicator. - name: threat.indicator.reference - type: keyword -- description: Name of the file including the extension, without the directory. - name: threat.indicator.file.name - type: keyword -- description: SHA256 hash. - name: threat.indicator.file.hash.sha256 - type: keyword -- description: |- - Direction of the network traffic. - When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". 
- When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". - Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. - name: network.direction - type: keyword -- description: |- - In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. - The field value must be normalized to lowercase for querying. - name: network.protocol - type: keyword -- description: City name. - name: client.geo.city_name - type: keyword -- description: Name of the continent. - name: client.geo.continent_name - type: keyword -- description: Country ISO code. - name: client.geo.country_iso_code - type: keyword -- description: Country name. - name: client.geo.country_name - type: keyword -- description: Longitude and latitude. - name: client.geo.location - type: geo_point -- description: Region ISO code. - name: client.geo.region_iso_code - type: keyword -- description: Region name. - name: client.geo.region_name - type: keyword diff --git a/packages/cisco_meraki/1.1.2/data_stream/log/fields/fields.yml b/packages/cisco_meraki/1.1.2/data_stream/log/fields/fields.yml deleted file mode 100755 index 10a68230e9..0000000000 --- a/packages/cisco_meraki/1.1.2/data_stream/log/fields/fields.yml +++ /dev/null 
@@ -1,74 +0,0 @@ -- name: cisco_meraki - type: group - fields: - - name: disposition - type: keyword - - name: event_type - type: keyword - - name: event_subtype - type: keyword - - name: bssid - type: keyword - - name: vap - type: keyword - - name: channel - type: keyword - - name: fc_type - type: keyword - - name: fc_subtype - type: keyword - - name: flows - type: flattened - - name: dfs_event - type: flattened - - name: wpa_auth - type: flattened - - name: wpa_deauth - type: flattened - - name: association - type: flattened - - name: disassociation - type: flattened - - name: 8021x_eap_failure - type: flattened - - name: 8021x_deauth - type: flattened - - name: 8021x_auth - type: flattened - - name: 8021x_eap_success - type: flattened - - name: splash_auth - type: flattened - - name: device_packet_flood - type: flattened - - name: multiple_dhcp_servers_detected - type: flattened - - name: aps_association_reject - type: flattened - - name: urls - type: group - fields: - - name: mac - type: keyword - - name: security - type: group - fields: - - name: priority - type: keyword - - name: signature - type: keyword - - name: dhost - type: keyword - - name: decision - type: keyword - - name: mac - type: keyword - - name: action - type: keyword - - name: site_to_site_vpn - type: group - fields: - - name: raw - type: text - - name: connectivity_change - type: flattened diff --git a/packages/cisco_meraki/1.1.2/data_stream/log/manifest.yml b/packages/cisco_meraki/1.1.2/data_stream/log/manifest.yml deleted file mode 100755 index bf78f78a80..0000000000 --- a/packages/cisco_meraki/1.1.2/data_stream/log/manifest.yml +++ /dev/null 
@@ -1,175 +0,0 @@ -title: Cisco Meraki logs (via Syslog) -release: experimental -type: logs -streams: - - input: udp - template_path: udp.yml.hbs - title: Cisco Meraki logs - description: Collect Cisco Meraki logs (via Syslog) - enabled: true - vars: - - name: listen_address - type: text - title: Listen Address - description: The bind address to listen for UDP connections. Set to `0.0.0.0` to bind to all available interfaces. - multi: false - required: true - show_user: true - default: localhost - - name: listen_port - type: integer - title: Listen Port - description: The UDP port number to listen on. - multi: false - required: true - show_user: true - default: 8685 - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original`. - type: bool - multi: false - default: false - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: false - default: - - cisco-meraki - - forwarded - - name: tz_offset - type: text - title: Timezone - multi: false - required: false - show_user: false - default: UTC - description: IANA time zone or time offset (e.g. `+0200`) to use when interpreting syslog timestamps without a time zone. - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: > - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. - - - input: tcp - template_path: tcp.yml.hbs - title: Cisco Meraki logs - description: Collect Cisco Meraki logs (via Syslog) - enabled: false - vars: - - name: listen_address - type: text - title: Listen Address - description: The bind address to listen for TCP connections. 
Set to `0.0.0.0` to bind to all available interfaces. - multi: false - required: true - show_user: true - default: localhost - - name: listen_port - type: integer - title: Listen Port - description: The TCP port number to listen on. - multi: false - required: true - show_user: true - default: 8685 - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original`. - type: bool - multi: false - default: false - - name: ssl - type: yaml - title: TLS - description: Options for enabling TLS for the listening TCP socket. See the [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/configuration-ssl.html) for a list of all options. - multi: false - required: false - show_user: false - default: | - enabled: false - certificate: "/etc/pki/client/cert.pem" - key: "/etc/pki/client/cert.key" - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: false - default: - - cisco-meraki - - forwarded - - name: tz_offset - type: text - title: Timezone - multi: false - required: false - show_user: false - default: UTC - description: IANA time zone or time offset (e.g. `+0200`) to use when interpreting syslog timestamps without a time zone. - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: > - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. 
- - - input: logfile - template_path: logfile.yml.hbs - title: Cisco Meraki logs - description: Collect Cisco Meraki logs (via Syslog) - enabled: false - vars: - - name: paths - type: text - title: Paths - multi: true - required: false - show_user: true - default: - - /var/log/cisco-meraki.log - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original`. - type: bool - multi: false - default: false - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: true - default: - - cisco-meraki - - forwarded - - name: tz_offset - type: text - title: Timezone - multi: false - required: false - show_user: false - default: UTC - description: IANA time zone or time offset (e.g. `+0200`) to use when interpreting syslog timestamps without a time zone. - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: > - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. - diff --git a/packages/cisco_meraki/1.1.2/data_stream/log/sample_event.json b/packages/cisco_meraki/1.1.2/data_stream/log/sample_event.json deleted file mode 100755 index 930a22a9e8..0000000000 --- a/packages/cisco_meraki/1.1.2/data_stream/log/sample_event.json +++ /dev/null 
@@ -1,94 +0,0 @@ -{ - "@timestamp": "2021-11-23T18:13:18.348Z", - "agent": { - "ephemeral_id": "d0614353-dd50-4b65-b142-df54b2a69013", - "id": "e999e428-e6a9-4c63-bd05-0eda93c920b3", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "8.3.2" - }, - "cisco_meraki": { - "event_subtype": "ids_alerted", - "event_type": "security_event", - "security": { - "decision": "allowed", - "dhost": "D0-AB-D5-7B-43-73", - "priority": "1", - "signature": "1:29708:4" - } - }, - "data_stream": { - "dataset": "cisco_meraki.log", - "namespace": "ep", - "type": "logs" - }, - "destination": { - "ip": "10.0.3.162", - "port": 56391 - }, - "ecs": { - "version": "8.4.0" - }, - "elastic_agent": { - "id": "e999e428-e6a9-4c63-bd05-0eda93c920b3", - "snapshot": false, - "version": "8.3.2" - }, - "event": { - "action": "ids-signature-matched", - "agent_id_status": "verified", - "category": [ - "network", - "threat" - ], - "dataset": "cisco_meraki.log", - "ingested": "2022-08-08T18:50:52Z", - "original": "\u003c134\u003e1 1637691198.348361125 MX84 security_event ids_alerted signature=1:29708:4 priority=1 timestamp=1637691198.330873 dhost=D0:AB:D5:7B:43:73 direction=ingress protocol=tcp/ip src=67.43.156.12:80 dst=10.0.3.162:56391 decision=allowed message: BROWSER-IE Microsoft Internet Explorer CSS uninitialized object access attempt detected", - "type": [ - "info", - "indicator" - ] - }, - "input": { - "type": "udp" - }, - "log": { - "source": { - "address": "172.18.0.5:44064" - } - }, - "network": { - "direction": "ingress", - "protocol": "tcp/ip" - }, - "observer": { - "hostname": "MX84" - }, - "source": { - "as": { - "number": 35908 - }, - "geo": { - "continent_name": "Asia", - "country_iso_code": "BT", - "country_name": "Bhutan", - "location": { - "lat": 27.5, - "lon": 90.5 - } - }, - "ip": "67.43.156.12", - "port": 80 - }, - "tags": [ - "preserve_original_event", - "cisco-meraki", - "forwarded" - ], - "threat": { - "indicator": { - "description": " BROWSER-IE Microsoft Internet 
Explorer CSS uninitialized object access attempt detected", - "last_seen": "2021-11-23T18:13:18.330Z" - } - } -} \ No newline at end of file diff --git a/packages/cisco_meraki/1.1.2/docs/README.md b/packages/cisco_meraki/1.1.2/docs/README.md deleted file mode 100755 index c1cf972166..0000000000 --- a/packages/cisco_meraki/1.1.2/docs/README.md +++ /dev/null 
@@ -1,697 +0,0 @@ -# Cisco Meraki Integration - -Cisco Meraki offers a centralized cloud management platform for all Meraki devices such as MX Security Appliances, MR Access Points and so on. Its out-of-band cloud architecture creates secure, scalable and easy-to-deploy networks that can be managed from anywhere. This can be done from almost any device using web-based Meraki Dashboard and Meraki Mobile App. Each Meraki network generates its own events. - -Cisco Meraki offers [several methods for device reporting](https://documentation.meraki.com/General_Administration/Monitoring_and_Reporting/Meraki_Device_Reporting_-_Syslog%2C_SNMP%2C_and_API). This integration supports gathering events via the Cisco Meraki syslog and via API reporting webhooks. The integration package allows you to search, observe, and visualize the events through Elasticsearch. - -## Compatibility - -A syslog server can be configured to store messages for reporting purposes from MX Security Appliances, MR Access Points, and MS switches. This package collects events from the configured syslog server. The integration supports collection of events from "MX Security Appliances" and "MR Access Points". The "MS Switch" events are not recognized. - -## Configuration - -### Enabling the integration in Elastic - -1. In Kibana go to **Management > Integrations** -2. In "Search for integrations" search bar type **Meraki** -3. Click on "Cisco Meraki" integration from the search results. -4. Click on **Add Cisco Meraki Integration** button to add the integration. - -### Cisco Meraki Dashboard Configuration - -#### Syslog - -Cisco Meraki dashboard can be used to configure one or more syslog servers and Meraki message types to be sent to the syslog servers. 
Refer to [Syslog Server Overview and Configuration](https://documentation.meraki.com/General_Administration/Monitoring_and_Reporting/Syslog_Server_Overview_and_Configuration#Configuring_a_Syslog_Server) page for more information on how to configure syslog server on Cisco Meraki. - -#### API Endpoint (Webhooks) - -Cisco Meraki dashboard can be used to configure Meraki webhooks. Refer to the [Webhooks Dashboard Setup](https://documentation.meraki.com/General_Administration/Monitoring_and_Reporting/Meraki_Device_Reporting_-_Syslog%2C_SNMP%2C_and_API#Webhooks_Dashboard_Setup) section. - -### Configure the Cisco Meraki integration - -#### Syslog - -Depending on the syslog server setup in your environment check one/more of the following options "Collect syslog from Cisco Meraki via UDP", "Collect syslog from Cisco Meraki via TCP", "Collect syslog from Cisco Meraki via file". - -Enter the values for syslog host and port OR file path based on the chosen configuration options. - -### API Endpoint (Webhooks) - -Check the option "Collect events from Cisco Meraki via Webhooks" option. - -1. Enter values for "Listen Address", "Listen Port" and "Webhook path" to form the endpoint URL. Make note of the **Endpoint URL** `https://{AGENT_ADDRESS}:8686/meraki/events`. -2. Enter value for "Secret value". This must match the "Shared Secret" value entered when configuring the webhook from Meraki cloud. -3. Enter values for "TLS". Cisco Meraki requires that the webhook accept requests over HTTPS. So you must either configure the integration with a valid TLS certificate or use a reverse proxy in front of the integration. - -### Log Events - -Enable to collect Cisco Meraki log events for all the applications configured for the chosen log stream. - -## Logs - -### Syslog - -The `cisco_meraki.log` dataset provides events from the configured syslog server. All Cisco Meraki syslog specific fields are available in the `cisco_meraki.log` field group. 
- -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cisco_meraki.8021x_auth | | flattened | -| cisco_meraki.8021x_deauth | | flattened | -| cisco_meraki.8021x_eap_failure | | flattened | -| cisco_meraki.8021x_eap_success | | flattened | -| cisco_meraki.aps_association_reject | | flattened | -| cisco_meraki.association | | flattened | -| cisco_meraki.bssid | | keyword | -| cisco_meraki.channel | | keyword | -| cisco_meraki.device_packet_flood | | flattened | -| cisco_meraki.dfs_event | | flattened | -| cisco_meraki.disassociation | | flattened | -| cisco_meraki.disposition | | keyword | -| cisco_meraki.event_subtype | | keyword | -| cisco_meraki.event_type | | keyword | -| cisco_meraki.fc_subtype | | keyword | -| cisco_meraki.fc_type | | keyword | -| cisco_meraki.flows | | flattened | -| cisco_meraki.multiple_dhcp_servers_detected | | flattened | -| cisco_meraki.security.action | | keyword | -| cisco_meraki.security.decision | | keyword | -| cisco_meraki.security.dhost | | keyword | -| cisco_meraki.security.mac | | keyword | -| cisco_meraki.security.priority | | keyword | -| cisco_meraki.security.signature | | keyword | -| cisco_meraki.site_to_site_vpn.connectivity_change | | flattened | -| cisco_meraki.site_to_site_vpn.raw | | text | -| cisco_meraki.splash_auth | | flattened | -| cisco_meraki.urls.mac | | keyword | -| cisco_meraki.vap | | keyword | -| cisco_meraki.wpa_auth | | flattened | -| cisco_meraki.wpa_deauth | | flattened | -| client.domain | The domain name of the client system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | -| client.geo.city_name | City name. | keyword | -| client.geo.continent_name | Name of the continent. | keyword | -| client.geo.country_iso_code | Country ISO code. | keyword | -| client.geo.country_name | Country name. 
| keyword | -| client.geo.location | Longitude and latitude. | geo_point | -| client.geo.region_iso_code | Region ISO code. | keyword | -| client.geo.region_name | Region name. | keyword | -| client.ip | IP address of the client (IPv4 or IPv6). | ip | -| client.mac | MAC address of the client. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | -| client.registered_domain | The highest registered client domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | -| client.subdomain | The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword | -| client.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". 
| keyword | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| destination.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| destination.as.organization.name | Organization name. | keyword | -| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. 
| match_only_text | -| destination.bytes | Bytes sent from the destination to the source. | long | -| destination.domain | The domain name of the destination system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | -| destination.geo.city_name | City name. | keyword | -| destination.geo.continent_name | Name of the continent. | keyword | -| destination.geo.country_iso_code | Country ISO code. | keyword | -| destination.geo.country_name | Country name. | keyword | -| destination.geo.location | Longitude and latitude. | geo_point | -| destination.geo.region_iso_code | Region ISO code. | keyword | -| destination.geo.region_name | Region name. | keyword | -| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | -| destination.mac | MAC address of the destination. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | -| destination.nat.ip | Translated ip of destination based NAT sessions (e.g. internet to private DMZ) Typically used with load balancers, firewalls, or routers. | ip | -| destination.nat.port | Port the source session is translated to by NAT Device. Typically used with load balancers, firewalls, or routers. | long | -| destination.port | Port of the destination. | long | -| destination.registered_domain | The highest registered destination domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". 
| keyword | -| destination.subdomain | The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword | -| destination.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | -| dns.answers.name | The domain name to which this resource record pertains. If a chain of CNAME is being resolved, each answer's `name` should be the one that corresponds with the answer's `data`. It should not simply be the original `question.name` repeated. | keyword | -| dns.answers.type | The type of data contained in this resource record. | keyword | -| dns.question.registered_domain | The highest registered domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | -| dns.question.subdomain | The subdomain is all of the labels under the registered_domain. 
If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword |
-| dns.question.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword |
-| dns.question.type | The type of record being queried. | keyword |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| error.message | Error message. | match_only_text |
-| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword |
-| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword |
-| event.code | Identification code for this event, if one exists. Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. 
An example of this is the Windows Event ID. | keyword |
-| event.dataset | Event dataset | constant_keyword |
-| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date |
-| event.module | Event module | constant_keyword |
-| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword |
-| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. 
| keyword |
-| event.timezone | This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). | keyword |
-| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword |
-| file.attributes | Array of file attributes. Attributes names will vary by platform. Here's a non-exhaustive list of values that are expected in this field: archive, compressed, directory, encrypted, execute, hidden, read, readonly, system, write. | keyword |
-| file.directory | Directory where the file is located. It should include the drive letter, when appropriate. | keyword |
-| file.extension | File extension, excluding the leading dot. Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword |
-| file.name | Name of the file including the extension, without the directory. | keyword |
-| file.path | Full path to the file, including the file name. It should include the drive letter, when appropriate. | keyword |
-| file.path.text | Multi-field of `file.path`. | match_only_text |
-| file.size | File size in bytes. Only relevant when `file.type` is "file". | long |
-| file.type | File type (file, dir, or symlink). | keyword |
-| geo.city_name | City name. | keyword |
-| geo.country_name | Country name. 
| keyword |
-| geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword |
-| geo.region_name | Region name. | keyword |
-| group.id | Unique identifier for the group on the system/platform. | keyword |
-| group.name | Name of the group. | keyword |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host MAC addresses. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. 
| keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| http.request.method | HTTP request method. The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field. | keyword |
-| http.request.referrer | Referrer for this HTTP request. | keyword |
-| input.type | Type of Filebeat input. | keyword |
-| log.file.path | Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. | keyword |
-| log.level | Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). Some examples are `warn`, `err`, `i`, `informational`. | keyword |
-| log.offset | Offset of the entry in the log file. | long |
-| log.source.address | Source address from which the log event was read / sent from. | keyword |
-| log.syslog.facility.code | The Syslog numeric facility of the log event, if available. According to RFCs 5424 and 3164, this value should be an integer between 0 and 23. | long |
-| log.syslog.priority | Syslog numeric priority of the event, if available. According to RFCs 5424 and 3164, the priority is 8 \* facility + severity. This number is therefore expected to contain a value between 0 and 191. 
| long |
-| log.syslog.severity.code | The Syslog numeric severity of the log event, if available. If the event source publishing via Syslog provides a different numeric severity value (e.g. firewall, IDS), your source's numeric severity should go to `event.severity`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `event.severity`. | long |
-| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text |
-| network.application | When a specific application or service is identified from network connection details (source/dest IPs, ports, certificates, or wire format), this field captures the application's or service's name. For example, the original event identifies the network connection being from a specific web service in a `https` network connection, like `facebook` or `twitter`. The field value must be normalized to lowercase for querying. | keyword |
-| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long |
-| network.direction | Direction of the network traffic. When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. 
Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword |
-| network.forwarded_ip | Host IP address when the source IP address is the proxy. | ip |
-| network.name | Name given by operators to sections of their network. | keyword |
-| network.packets | Total packets transferred in both directions. If `source.packets` and `destination.packets` are known, `network.packets` is their sum. | long |
-| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword |
-| network.vlan.id | VLAN ID as reported by the observer. | keyword |
-| observer.egress.interface.name | Interface name as reported by the system. | keyword |
-| observer.hostname | Hostname of the observer. | keyword |
-| observer.ingress.interface.name | Interface name as reported by the system. | keyword |
-| observer.mac | MAC addresses of the observer. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword |
-| observer.product | The product name of the observer. | keyword |
-| observer.type | The type of the observer the data is coming from. There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. | keyword |
-| observer.vendor | Vendor name of the observer. | keyword |
-| observer.version | Observer version. | keyword |
-| process.name | Process name. Sometimes called program name or similar. | keyword |
-| process.name.text | Multi-field of `process.name`. | match_only_text |
-| process.parent.name | Process name. Sometimes called program name or similar. 
| keyword |
-| process.parent.name.text | Multi-field of `process.parent.name`. | match_only_text |
-| process.parent.pid | Process id. | long |
-| process.parent.title | Process title. The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. | keyword |
-| process.parent.title.text | Multi-field of `process.parent.title`. | match_only_text |
-| process.pid | Process id. | long |
-| process.title | Process title. The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. | keyword |
-| process.title.text | Multi-field of `process.title`. | match_only_text |
-| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword |
-| related.ip | All of the IPs seen on your event. | ip |
-| related.user | All the user names or other user identifiers seen on the event. | keyword |
-| rule.name | The name of the rule or signature generating the event. | keyword |
-| server.domain | The domain name of the server system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword |
-| server.ip | IP address of the server (IPv4 or IPv6). | ip |
-| server.mac | MAC address of the server. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword |
-| server.registered_domain | The highest registered server domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". 
This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword |
-| server.subdomain | The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword |
-| server.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword |
-| service.name | Name of the service data is collected from. The name of the service is normally user given. This allows for distributed services that run on multiple hosts to correlate the related instances based on the name. In the case of Elasticsearch the `service.name` could contain the cluster name. For Beats the `service.name` is by default a copy of the `service.type` field if no name is specified. | keyword |
-| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. 
| keyword |
-| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long |
-| source.as.organization.name | Organization name. | keyword |
-| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text |
-| source.bytes | Bytes sent from the source to the destination. | long |
-| source.domain | The domain name of the source system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword |
-| source.geo.city_name | City name. | keyword |
-| source.geo.continent_name | Name of the continent. | keyword |
-| source.geo.country_iso_code | Country ISO code. | keyword |
-| source.geo.country_name | Country name. | keyword |
-| source.geo.location | Longitude and latitude. | geo_point |
-| source.geo.region_iso_code | Region ISO code. | keyword |
-| source.geo.region_name | Region name. | keyword |
-| source.ip | IP address of the source (IPv4 or IPv6). | ip |
-| source.mac | MAC address of the source. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword |
-| source.nat.ip | Translated ip of source based NAT sessions (e.g. internal client to internet) Typically connections traversing load balancers, firewalls, or routers. | ip |
-| source.nat.port | Translated port of source based NAT sessions. (e.g. internal client to internet) Typically used with load balancers, firewalls, or routers. | long |
-| source.port | Port of the source. | long |
-| source.registered_domain | The highest registered source domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". 
This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword |
-| source.subdomain | The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword |
-| source.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword |
-| tags | List of keywords used to tag each event. | keyword |
-| threat.indicator.description | Describes the type of action conducted by the threat. | keyword |
-| threat.indicator.file.hash.sha256 | SHA256 hash. | keyword |
-| threat.indicator.file.name | Name of the file including the extension, without the directory. | keyword |
-| threat.indicator.last_seen | The date and time when intelligence source last reported sighting this indicator. | date |
-| threat.indicator.reference | Reference URL linking to additional information about this indicator. | keyword |
-| url.domain | Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. 
If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. | keyword |
-| url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | wildcard |
-| url.original.text | Multi-field of `url.original`. | match_only_text |
-| url.path | Path of the request, such as "/search". | wildcard |
-| url.query | The query field describes the query string of the request, such as "q=elasticsearch". The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. | keyword |
-| url.registered_domain | The highest registered url domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword |
-| url.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword |
-| user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword |
-| user.full_name | User's full name, if available. 
| keyword |
-| user.full_name.text | Multi-field of `user.full_name`. | match_only_text |
-| user.id | Unique identifier of the user. | keyword |
-| user.name | Short name or login of the user. | keyword |
-| user.name.text | Multi-field of `user.name`. | match_only_text |
-| user_agent.original | Unparsed user_agent string. | keyword |
-| user_agent.original.text | Multi-field of `user_agent.original`. | match_only_text |
-
-
-An example event for `log` looks as following:
-
-```json
-{
- "@timestamp": "2021-11-23T18:13:18.348Z",
- "agent": {
- "ephemeral_id": "d0614353-dd50-4b65-b142-df54b2a69013",
- "id": "e999e428-e6a9-4c63-bd05-0eda93c920b3",
- "name": "docker-fleet-agent",
- "type": "filebeat",
- "version": "8.3.2"
- },
- "cisco_meraki": {
- "event_subtype": "ids_alerted",
- "event_type": "security_event",
- "security": {
- "decision": "allowed",
- "dhost": "D0-AB-D5-7B-43-73",
- "priority": "1",
- "signature": "1:29708:4"
- }
- },
- "data_stream": {
- "dataset": "cisco_meraki.log",
- "namespace": "ep",
- "type": "logs"
- },
- "destination": {
- "ip": "10.0.3.162",
- "port": 56391
- },
- "ecs": {
- "version": "8.4.0"
- },
- "elastic_agent": {
- "id": "e999e428-e6a9-4c63-bd05-0eda93c920b3",
- "snapshot": false,
- "version": "8.3.2"
- },
- "event": {
- "action": "ids-signature-matched",
- "agent_id_status": "verified",
- "category": [
- "network",
- "threat"
- ],
- "dataset": "cisco_meraki.log",
- "ingested": "2022-08-08T18:50:52Z",
- "original": "\u003c134\u003e1 1637691198.348361125 MX84 security_event ids_alerted signature=1:29708:4 priority=1 timestamp=1637691198.330873 dhost=D0:AB:D5:7B:43:73 direction=ingress protocol=tcp/ip src=67.43.156.12:80 dst=10.0.3.162:56391 decision=allowed message: BROWSER-IE Microsoft Internet Explorer CSS uninitialized object access attempt detected",
- "type": [
- "info",
- "indicator"
- ]
- },
- "input": {
- "type": "udp"
- },
- "log": {
- "source": {
- "address": "172.18.0.5:44064"
- }
- },
- "network": {
- "direction": 
"ingress",
- "protocol": "tcp/ip"
- },
- "observer": {
- "hostname": "MX84"
- },
- "source": {
- "as": {
- "number": 35908
- },
- "geo": {
- "continent_name": "Asia",
- "country_iso_code": "BT",
- "country_name": "Bhutan",
- "location": {
- "lat": 27.5,
- "lon": 90.5
- }
- },
- "ip": "67.43.156.12",
- "port": 80
- },
- "tags": [
- "preserve_original_event",
- "cisco-meraki",
- "forwarded"
- ],
- "threat": {
- "indicator": {
- "description": " BROWSER-IE Microsoft Internet Explorer CSS uninitialized object access attempt detected",
- "last_seen": "2021-11-23T18:13:18.330Z"
- }
- }
-}
-```
-
-### API Endpoint (Webhooks)
-
-**Exported fields**
-
-| Field | Description | Type |
-|---|---|---|
-| @timestamp | Event timestamp. | date |
-| cisco_meraki.event.alertData | Additional alert data (differs based on alert type) | flattened |
-| cisco_meraki.event.alertId | ID for this alert message | keyword |
-| cisco_meraki.event.alertLevel | Alert level (informational, critical etc.) | keyword |
-| cisco_meraki.event.alertType | Type of alert (“Network usage alert”, “Settings changed”, etc.) 
| keyword |
-| cisco_meraki.event.alertTypeId | Unique ID for the type of alert | keyword |
-| cisco_meraki.event.deviceMac | MAC address of the Meraki device | keyword |
-| cisco_meraki.event.deviceModel | Meraki device model | keyword |
-| cisco_meraki.event.deviceName | Name assigned to the Meraki device | keyword |
-| cisco_meraki.event.deviceSerial | Serial number of the Meraki device | keyword |
-| cisco_meraki.event.deviceTags | Tags assigned to the Meraki device | keyword |
-| cisco_meraki.event.deviceUrl | URL of the Meraki device | keyword |
-| cisco_meraki.event.networkId | ID for the Meraki network | keyword |
-| cisco_meraki.event.networkName | Name for the Meraki network | keyword |
-| cisco_meraki.event.networkTags | Tags assigned to the Meraki network | keyword |
-| cisco_meraki.event.networkUrl | URL of the Meraki Dashboard network | keyword |
-| cisco_meraki.event.occurredAt | Timestamp of the alert (UTC) | date |
-| cisco_meraki.event.organizationId | ID of the Meraki organization | keyword |
-| cisco_meraki.event.organizationName | Name of the Meraki organization | keyword |
-| cisco_meraki.event.organizationUrl | URL of the Meraki Dashboard organization | keyword |
-| cisco_meraki.event.sentAt | Timestamp of the sent message (UTC) | date |
-| cisco_meraki.event.sharedSecret | User defined secret to be validated by the webhook receiver (optional) | keyword |
-| cisco_meraki.event.version | Current version of webhook format | keyword |
-| client.domain | The domain name of the client system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword |
-| client.geo.city_name | City name. | keyword |
-| client.geo.continent_name | Name of the continent. | keyword |
-| client.geo.country_iso_code | Country ISO code. | keyword |
-| client.geo.country_name | Country name. 
| keyword |
-| client.geo.location.lat | Longitude and latitude. | geo_point |
-| client.geo.location.lon | Longitude and latitude. | geo_point |
-| client.geo.region_iso_code | Region ISO code. | keyword |
-| client.geo.region_name | Region name. | keyword |
-| client.ip | IP address of the client (IPv4 or IPv6). | ip |
-| client.mac | MAC address of the client. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword |
-| client.registered_domain | The highest registered client domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword |
-| client.subdomain | The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword |
-| client.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". 
| keyword |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
-| data_stream.dataset | Data stream dataset. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
-| destination.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long |
-| destination.as.organization.name | Organization name. | keyword |
-| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. 
| match_only_text |
-| destination.bytes | Bytes sent from the destination to the source. | long |
-| destination.domain | The domain name of the destination system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword |
-| destination.geo.city_name | City name. | keyword |
-| destination.geo.continent_name | Name of the continent. | keyword |
-| destination.geo.country_iso_code | Country ISO code. | keyword |
-| destination.geo.country_name | Country name. | keyword |
-| destination.geo.location | Longitude and latitude. | geo_point |
-| destination.geo.region_iso_code | Region ISO code. | keyword |
-| destination.geo.region_name | Region name. | keyword |
-| destination.ip | IP address of the destination (IPv4 or IPv6). | ip |
-| destination.mac | MAC address of the destination. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword |
-| destination.nat.ip | Translated ip of destination based NAT sessions (e.g. internet to private DMZ) Typically used with load balancers, firewalls, or routers. | ip |
-| destination.nat.port | Port the source session is translated to by NAT Device. Typically used with load balancers, firewalls, or routers. | long |
-| destination.port | Port of the destination. | long |
-| destination.registered_domain | The highest registered destination domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". 
| keyword |
-| destination.subdomain | The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword |
-| destination.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword |
-| dns.answers.name | The domain name to which this resource record pertains. If a chain of CNAME is being resolved, each answer's `name` should be the one that corresponds with the answer's `data`. It should not simply be the original `question.name` repeated. | keyword |
-| dns.answers.type | The type of data contained in this resource record. | keyword |
-| dns.question.registered_domain | The highest registered domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword |
-| dns.question.subdomain | The subdomain is all of the labels under the registered_domain. 
If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword |
-| dns.question.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword |
-| dns.question.type | The type of record being queried. | keyword |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| error.message | Error message. | match_only_text |
-| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword |
-| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword |
-| event.code | Identification code for this event, if one exists. Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. 
An example of this is the Windows Event ID. | keyword |
-| event.dataset | Event dataset | constant_keyword |
-| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date |
-| event.module | Event module | constant_keyword |
-| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword |
-| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. 
| keyword |
-| event.timezone | This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). | keyword |
-| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword |
-| file.attributes | Array of file attributes. Attributes names will vary by platform. Here's a non-exhaustive list of values that are expected in this field: archive, compressed, directory, encrypted, execute, hidden, read, readonly, system, write. | keyword |
-| file.directory | Directory where the file is located. It should include the drive letter, when appropriate. | keyword |
-| file.extension | File extension, excluding the leading dot. Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword |
-| file.name | Name of the file including the extension, without the directory. | keyword |
-| file.path | Full path to the file, including the file name. It should include the drive letter, when appropriate. | keyword |
-| file.path.text | Multi-field of `file.path`. | match_only_text |
-| file.size | File size in bytes. Only relevant when `file.type` is "file". | long |
-| file.type | File type (file, dir, or symlink). | keyword |
-| geo.city_name | City name. | keyword |
-| geo.country_name | Country name. 
| keyword |
-| geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword |
-| geo.region_name | Region name. | keyword |
-| group.id | Unique identifier for the group on the system/platform. | keyword |
-| group.name | Name of the group. | keyword |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host MAC addresses. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. 
| keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| http.request.method | HTTP request method. The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field. | keyword |
-| http.request.referrer | Referrer for this HTTP request. | keyword |
-| input.type | Type of Filebeat input. | keyword |
-| log.file.path | Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. | keyword |
-| log.level | Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). Some examples are `warn`, `err`, `i`, `informational`. | keyword |
-| log.offset | Offset of the entry in the log file. | long |
-| log.source.address | Source address from which the log event was read / sent from. | keyword |
-| log.syslog.facility.code | The Syslog numeric facility of the log event, if available. According to RFCs 5424 and 3164, this value should be an integer between 0 and 23. | long |
-| log.syslog.priority | Syslog numeric priority of the event, if available. According to RFCs 5424 and 3164, the priority is 8 \* facility + severity. This number is therefore expected to contain a value between 0 and 191. 
| long |
-| log.syslog.severity.code | The Syslog numeric severity of the log event, if available. If the event source publishing via Syslog provides a different numeric severity value (e.g. firewall, IDS), your source's numeric severity should go to `event.severity`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `event.severity`. | long |
-| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text |
-| network.application | When a specific application or service is identified from network connection details (source/dest IPs, ports, certificates, or wire format), this field captures the application's or service's name. For example, the original event identifies the network connection being from a specific web service in a `https` network connection, like `facebook` or `twitter`. The field value must be normalized to lowercase for querying. | keyword |
-| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long |
-| network.direction | Direction of the network traffic. When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. 
Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword |
-| network.forwarded_ip | Host IP address when the source IP address is the proxy. | ip |
-| network.name | Name given by operators to sections of their network. | keyword |
-| network.packets | Total packets transferred in both directions. If `source.packets` and `destination.packets` are known, `network.packets` is their sum. | long |
-| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword |
-| network.vlan.id | VLAN ID as reported by the observer. | keyword |
-| observer.egress.interface.name | Interface name as reported by the system. | keyword |
-| observer.hostname | Hostname of the observer. | keyword |
-| observer.ingress.interface.name | Interface name as reported by the system. | keyword |
-| observer.mac | MAC addresses of the observer. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword |
-| observer.name | Custom name of the observer. This is a name that can be given to an observer. This can be helpful for example if multiple firewalls of the same model are used in an organization. If no custom name is needed, the field can be left empty. | keyword |
-| observer.product | The product name of the observer. | keyword |
-| observer.serial_number | Observer serial number. | keyword |
-| observer.type | The type of the observer the data is coming from. There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. 
| keyword |
-| observer.vendor | Vendor name of the observer. | keyword |
-| observer.version | Observer version. | keyword |
-| organization.id | Unique identifier for the organization. | keyword |
-| organization.name | Organization name. | keyword |
-| organization.name.text | Multi-field of `organization.name`. | match_only_text |
-| process.name | Process name. Sometimes called program name or similar. | keyword |
-| process.name.text | Multi-field of `process.name`. | match_only_text |
-| process.parent.name | Process name. Sometimes called program name or similar. | keyword |
-| process.parent.name.text | Multi-field of `process.parent.name`. | match_only_text |
-| process.parent.pid | Process id. | long |
-| process.parent.title | Process title. The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. | keyword |
-| process.parent.title.text | Multi-field of `process.parent.title`. | match_only_text |
-| process.pid | Process id. | long |
-| process.title | Process title. The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. | keyword |
-| process.title.text | Multi-field of `process.title`. | match_only_text |
-| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword |
-| related.ip | All of the IPs seen on your event. | ip |
-| related.user | All the user names or other user identifiers seen on the event. | keyword |
-| rule.name | The name of the rule or signature generating the event. | keyword |
-| server.domain | The domain name of the server system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. 
| keyword |
-| server.mac | MAC address of the server. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword |
-| server.registered_domain | The highest registered server domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword |
-| server.subdomain | The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword |
-| server.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword |
-| service.name | Name of the service data is collected from. The name of the service is normally user given. This allows for distributed services that run on multiple hosts to correlate the related instances based on the name. In the case of Elasticsearch the `service.name` could contain the cluster name. 
For Beats the `service.name` is by default a copy of the `service.type` field if no name is specified. | keyword |
-| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
-| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long |
-| source.as.organization.name | Organization name. | keyword |
-| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text |
-| source.bytes | Bytes sent from the source to the destination. | long |
-| source.domain | The domain name of the source system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword |
-| source.geo.city_name | City name. | keyword |
-| source.geo.continent_name | Name of the continent. | keyword |
-| source.geo.country_iso_code | Country ISO code. | keyword |
-| source.geo.country_name | Country name. | keyword |
-| source.geo.location | Longitude and latitude. | geo_point |
-| source.geo.region_iso_code | Region ISO code. | keyword |
-| source.geo.region_name | Region name. | keyword |
-| source.ip | IP address of the source (IPv4 or IPv6). | ip |
-| source.mac | MAC address of the source. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword |
-| source.nat.ip | Translated ip of source based NAT sessions (e.g. internal client to internet) Typically connections traversing load balancers, firewalls, or routers. 
| ip |
-| source.nat.port | Translated port of source based NAT sessions. (e.g. internal client to internet) Typically used with load balancers, firewalls, or routers. | long |
-| source.port | Port of the source. | long |
-| source.registered_domain | The highest registered source domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword |
-| source.subdomain | The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword |
-| source.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword |
-| tags | List of keywords used to tag each event. | keyword |
-| threat.indicator.description | Describes the type of action conducted by the threat. | keyword |
-| threat.indicator.file.hash.sha256 | SHA256 hash. | keyword |
-| threat.indicator.file.name | Name of the file including the extension, without the directory. 
| keyword |
-| threat.indicator.last_seen | The date and time when intelligence source last reported sighting this indicator. | date |
-| threat.indicator.reference | Reference URL linking to additional information about this indicator. | keyword |
-| threat.software.type | The type of software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®. While not required, you can use a MITRE ATT&CK® software type. | keyword |
-| url.domain | Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. | keyword |
-| url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | wildcard |
-| url.original.text | Multi-field of `url.original`. | match_only_text |
-| url.path | Path of the request, such as "/search". | wildcard |
-| url.query | The query field describes the query string of the request, such as "q=elasticsearch". The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. | keyword |
-| url.registered_domain | The highest registered url domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". 
| keyword |
-| url.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword |
-| user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword |
-| user.full_name | User's full name, if available. | keyword |
-| user.full_name.text | Multi-field of `user.full_name`. | match_only_text |
-| user.id | Unique identifier of the user. | keyword |
-| user.name | Short name or login of the user. | keyword |
-| user.name.text | Multi-field of `user.name`. | match_only_text |
-| user_agent.original | Unparsed user_agent string. | keyword |
-| user_agent.original.text | Multi-field of `user_agent.original`. 
| match_only_text |
-
-
-An example event for `events` looks as following:
-
-```json
-{
- "@timestamp": "2018-02-11T00:00:00.123Z",
- "agent": {
- "ephemeral_id": "4e898a47-a469-4602-9ba2-0a46f55a3998",
- "id": "e999e428-e6a9-4c63-bd05-0eda93c920b3",
- "name": "docker-fleet-agent",
- "type": "filebeat",
- "version": "8.3.2"
- },
- "cisco_meraki": {
- "event": {
- "alertData": {
- "connection": "LTE",
- "local": "192.168.1.2",
- "model": "UML290VW",
- "provider": "Purview Wireless",
- "remote": "1.2.3.5"
- },
- "alertId": "0000000000000000",
- "alertTypeId": "cellular_up",
- "deviceTags": [
- "tag1",
- "tag2"
- ],
- "deviceUrl": "https://n1.meraki.com//n//manage/nodes/new_list/000000000000",
- "networkId": "N_24329156",
- "networkUrl": "https://n1.meraki.com//n//manage/nodes/list",
- "organizationUrl": "https://dashboard.meraki.com/o/VjjsAd/manage/organization/overview",
- "sentAt": "2021-10-07T08:42:00.926325Z",
- "sharedSecret": "secret",
- "version": "0.1"
- }
- },
- "data_stream": {
- "dataset": "cisco_meraki.events",
- "namespace": "ep",
- "type": "logs"
- },
- "ecs": {
- "version": "8.4.0"
- },
- "elastic_agent": {
- "id": "e999e428-e6a9-4c63-bd05-0eda93c920b3",
- "snapshot": false,
- "version": "8.3.2"
- },
- "event": {
- "action": "Cellular came up",
- "agent_id_status": "verified",
- "category": [
- "network"
- ],
- "dataset": "cisco_meraki.events",
- "ingested": "2022-08-08T18:48:35Z",
- "original": "{\"alertData\":{\"connection\":\"LTE\",\"local\":\"192.168.1.2\",\"model\":\"UML290VW\",\"provider\":\"Purview Wireless\",\"remote\":\"1.2.3.5\"},\"alertId\":\"0000000000000000\",\"alertLevel\":\"informational\",\"alertType\":\"Cellular came up\",\"alertTypeId\":\"cellular_up\",\"deviceMac\":\"00:11:22:33:44:55\",\"deviceModel\":\"MX\",\"deviceName\":\"My 
appliance\",\"deviceSerial\":\"Q234-ABCD-5678\",\"deviceTags\":[\"tag1\",\"tag2\"],\"deviceUrl\":\"https://n1.meraki.com//n//manage/nodes/new_list/000000000000\",\"networkId\":\"N_24329156\",\"networkName\":\"Main Office\",\"networkTags\":[],\"networkUrl\":\"https://n1.meraki.com//n//manage/nodes/list\",\"occurredAt\":\"2018-02-11T00:00:00.123450Z\",\"organizationId\":\"2930418\",\"organizationName\":\"My organization\",\"organizationUrl\":\"https://dashboard.meraki.com/o/VjjsAd/manage/organization/overview\",\"sentAt\":\"2021-10-07T08:42:00.926325Z\",\"sharedSecret\":\"secret\",\"version\":\"0.1\"}",
- "type": [
- "info",
- "start"
- ]
- },
- "input": {
- "type": "http_endpoint"
- },
- "log": {
- "level": "informational"
- },
- "network": {
- "name": "Main Office"
- },
- "observer": {
- "mac": "00-11-22-33-44-55",
- "name": "My appliance",
- "product": "MX",
- "serial_number": "Q234-ABCD-5678",
- "vendor": "Cisco"
- },
- "organization": {
- "id": "2930418",
- "name": "My organization"
- },
- "tags": [
- "preserve_original_event",
- "forwarded",
- "meraki-events"
- ]
-}
-```
diff --git a/packages/cisco_meraki/1.1.2/img/cisco-logo.svg b/packages/cisco_meraki/1.1.2/img/cisco-logo.svg
deleted file mode 100755
index a174ad4488..0000000000
--- a/packages/cisco_meraki/1.1.2/img/cisco-logo.svg
+++ /dev/null
@@ -1 +0,0 @@
-
diff --git a/packages/cisco_meraki/1.1.2/img/cisco-meraki-dashboard-1.png b/packages/cisco_meraki/1.1.2/img/cisco-meraki-dashboard-1.png
deleted file mode 100755
index 7f6816cf73..0000000000
Binary files a/packages/cisco_meraki/1.1.2/img/cisco-meraki-dashboard-1.png and /dev/null differ
diff --git a/packages/cisco_meraki/1.1.2/img/cisco-meraki-dashboard-2.png b/packages/cisco_meraki/1.1.2/img/cisco-meraki-dashboard-2.png
deleted file mode 100755
index 810b80d4ad..0000000000
Binary files a/packages/cisco_meraki/1.1.2/img/cisco-meraki-dashboard-2.png and /dev/null differ
diff --git a/packages/cisco_meraki/1.1.2/img/cisco-meraki-dashboard-3.png b/packages/cisco_meraki/1.1.2/img/cisco-meraki-dashboard-3.png
deleted file mode 100755
index 1cfa3ccb7d..0000000000
Binary files a/packages/cisco_meraki/1.1.2/img/cisco-meraki-dashboard-3.png and /dev/null differ
diff --git a/packages/cisco_meraki/1.1.2/kibana/dashboard/cisco_meraki-4832a430-af22-11ec-a899-6f7e676e0fb4.json b/packages/cisco_meraki/1.1.2/kibana/dashboard/cisco_meraki-4832a430-af22-11ec-a899-6f7e676e0fb4.json
deleted file mode 100755
index 11cb03d88a..0000000000
--- a/packages/cisco_meraki/1.1.2/kibana/dashboard/cisco_meraki-4832a430-af22-11ec-a899-6f7e676e0fb4.json
+++ /dev/null
@@ -1,157 +0,0 @@ -{ - "attributes": { - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"cisco_meraki.log\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"cisco_meraki.log\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-9f3c668f-fec6-4125-ae7b-fcb073df79c1\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"filter-index-pattern-0\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"9f3c668f-fec6-4125-ae7b-fcb073df79c1\":{\"columnOrder\":[\"c379da24-eba4-47a5-b9aa-213324504619\"],\"columns\":{\"c379da24-eba4-47a5-b9aa-213324504619\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Unique count of 
source.mac\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"source.mac\"}},\"incompleteColumns\":{}}}}},\"filters\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"filter-index-pattern-0\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"cisco_meraki.log\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"cisco_meraki.log\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"c379da24-eba4-47a5-b9aa-213324504619\",\"layerId\":\"9f3c668f-fec6-4125-ae7b-fcb073df79c1\",\"layerType\":\"data\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":5,\"i\":\"372a6801-2e52-4c4c-a674-746eec7f7e09\",\"w\":9,\"x\":0,\"y\":0},\"panelIndex\":\"372a6801-2e52-4c4c-a674-746eec7f7e09\",\"title\":\"Count of source MAC address\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-511effff-5682-4cfa-a2de-739bbefa93ea\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"filter-index-pattern-0\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"511effff-5682-4cfa-a2de-739bbefa93ea\":{\"columnOrder\":[\"b6287f3a-b96b-4973-b2d2-1e4f7830f9e5\",\"0929169c-0ee9-4eb6-93b6-effcb648c779\",\"c66ed022-eab0-4834-8a01-f508aa4b32b3\"],\"columns\":{\"0929169c-0ee9-4eb6-93b6-effcb648c779\":{\"dataType\":\"date\",\"isBucketed\":true,\"label\":\"@timestamp\",\"operationType\":\"date_histogram\",\"params\":{\"interval\":\"auto\"},\"scale\":\"interval\",\"sourceField\":\"@timestamp\"},\"b6287f3a-b96b-4973-b2d2-1e4f7830f9e5\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of 
cisco_meraki.event_type\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"c66ed022-eab0-4834-8a01-f508aa4b32b3\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"cisco_meraki.event_type\"},\"c66ed022-eab0-4834-8a01-f508aa4b32b3\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"filter-index-pattern-0\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"cisco_meraki.log\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"cisco_meraki.log\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"axisTitlesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"fittingFunction\":\"None\",\"gridlinesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"layers\":[{\"accessors\":[\"c66ed022-eab0-4834-8a01-f508aa4b32b3\"],\"layerId\":\"511effff-5682-4cfa-a2de-739bbefa93ea\",\"layerType\":\"data\",\"position\":\"top\",\"seriesType\":\"line\",\"showGridlines\":false,\"splitAccessor\":\"b6287f3a-b96b-4973-b2d2-1e4f7830f9e5\",\"xAccessor\":\"0929169c-0ee9-4eb6-93b6-effcb648c779\"}],\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"preferredSeriesType\":\"line\",\"tickLabelsVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"valueLabels\":\"hide\",\"yLeftExtent\":{\"mode\":\"full\"},\"yRightExtent\":{\"mode\":\"full\"}}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsXY\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"03bf41fe-673d-4f95-9d6e-510d8dc46ba6\",\"w\":13,\"x\":9,\"y\":0},\"panelIndex\":\"03bf41fe
-673d-4f95-9d6e-510d8dc46ba6\",\"title\":\"Rate of events by type\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-abda3ec0-db97-4e02-a42e-45e716110de2\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"filter-index-pattern-0\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"abda3ec0-db97-4e02-a42e-45e716110de2\":{\"columnOrder\":[\"c59ef8c2-80ea-4386-834f-378f4a76b87c\",\"c1fce02c-25a5-4a5c-a3a3-9412786a5520\"],\"columns\":{\"c1fce02c-25a5-4a5c-a3a3-9412786a5520\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"params\":{},\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"c59ef8c2-80ea-4386-834f-378f4a76b87c\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of 
cisco_meraki.event_type\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"c1fce02c-25a5-4a5c-a3a3-9412786a5520\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"cisco_meraki.event_type\"}},\"incompleteColumns\":{}}}}},\"filters\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"filter-index-pattern-0\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"cisco_meraki.log\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"cisco_meraki.log\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"c59ef8c2-80ea-4386-834f-378f4a76b87c\"],\"layerId\":\"abda3ec0-db97-4e02-a42e-45e716110de2\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"c1fce02c-25a5-4a5c-a3a3-9412786a5520\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"donut\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"475cb47c-34d7-4c56-b57d-e27d25678fc8\",\"w\":13,\"x\":22,\"y\":0},\"panelIndex\":\"475cb47c-34d7-4c56-b57d-e27d25678fc8\",\"title\":\"Event distribution by 
type\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-d8f74b4f-a83b-47bc-b862-2bc47ee790eb\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"d8f74b4f-a83b-47bc-b862-2bc47ee790eb\":{\"columnOrder\":[\"d1a56033-ffe5-44ed-a05f-ab79d5db90aa\",\"a6d64dae-3a8d-49c1-8e4d-b08758c35a09\"],\"columns\":{\"a6d64dae-3a8d-49c1-8e4d-b08758c35a09\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Unique count of cisco_meraki.event_type\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"cisco_meraki.event_type\"},\"d1a56033-ffe5-44ed-a05f-ab79d5db90aa\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of cisco_meraki.event_subtype\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"a6d64dae-3a8d-49c1-8e4d-b08758c35a09\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"cisco_meraki.event_subtype\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"d1a56033-ffe5-44ed-a05f-ab79d5db90aa\"],\"layerId\":\"d8f74b4f-a83b-47bc-b862-2bc47ee790eb\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"a6d64dae-3a8d-49c1-8e4d-b08758c35a09\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"donut\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"58bbda58-7c31-44e1-8568-d37c2c585e53\",\"w\":13,\"x\":35,\"y\":0},\"panelIndex\":\"58bbda58-7c31-44e1-8568-d37c2c585e53\",\"title\":\"Event distribution by 
sub-type\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-5dc18b67-2c60-44c0-b3b5-7dd507bd4c3d\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"filter-index-pattern-0\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"filter-index-pattern-1\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"5dc18b67-2c60-44c0-b3b5-7dd507bd4c3d\":{\"columnOrder\":[\"66ede758-6532-443e-834d-a847c964682f\"],\"columns\":{\"66ede758-6532-443e-834d-a847c964682f\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"No. of rogue SSIDs detected\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"filter-index-pattern-0\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"cisco_meraki.log\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"cisco_meraki.log\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"filter-index-pattern-1\",\"key\":\"cisco_meraki.event_subtype\",\"negate\":false,\"params\":{\"query\":\"rogue_ssid_detected\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"cisco_meraki.event_subtype\":\"rogue_ssid_detected\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"66ede758-6532-443e-834d-a847c964682f\",\"layerId\":\"5dc18b67-2c60-44c0-b3b5-7dd507bd4c3d\",\"layerType\":\"data\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":5,\"i\":\"8baff03a-7860-4fcc-90ff-3d5534e70845\",\"w\":
9,\"x\":0,\"y\":5},\"panelIndex\":\"8baff03a-7860-4fcc-90ff-3d5534e70845\",\"title\":\"Number of rogue SSIDs detected\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-bcffdee9-d006-4e9c-abcc-081ac4739d02\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"filter-index-pattern-0\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"filter-index-pattern-1\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"bcffdee9-d006-4e9c-abcc-081ac4739d02\":{\"columnOrder\":[\"86b75fce-daae-4725-8de4-6bcd5c7cc80a\"],\"columns\":{\"86b75fce-daae-4725-8de4-6bcd5c7cc80a\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"No. of SSID spoofing detected\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"filter-index-pattern-0\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"cisco_meraki.log\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"cisco_meraki.log\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"filter-index-pattern-1\",\"key\":\"cisco_meraki.event_subtype\",\"negate\":false,\"params\":{\"query\":\"ssid_spoofing_detected\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"cisco_meraki.event_subtype\":\"ssid_spoofing_detected\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"86b75fce-daae-4725-8de4-6bcd5c7cc80a\",\"layerId\":\"bcffdee9-d006-4e9c-abcc-081ac4739d02\",\"layerType\":\"data\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsMetric\"},\"enh
ancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":5,\"i\":\"bcfe3eee-750d-476f-b7c1-afec41803720\",\"w\":9,\"x\":0,\"y\":10},\"panelIndex\":\"bcfe3eee-750d-476f-b7c1-afec41803720\",\"title\":\"Number of SSID spoofing detected\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-9a165bef-572a-44fb-9285-70d75530b799\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"filter-index-pattern-0\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"9a165bef-572a-44fb-9285-70d75530b799\":{\"columnOrder\":[\"9df0ec49-bc15-494a-8ca7-437cd63ee7cd\",\"aca7f561-3ca9-4705-bf6e-e470d1fb0536\",\"5a195aa9-a6fa-45cd-94a7-89f782c9a638\"],\"columns\":{\"5a195aa9-a6fa-45cd-94a7-89f782c9a638\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Unique count of event.action\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"event.action\"},\"9df0ec49-bc15-494a-8ca7-437cd63ee7cd\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of event.category\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"5a195aa9-a6fa-45cd-94a7-89f782c9a638\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"event.category\"},\"aca7f561-3ca9-4705-bf6e-e470d1fb0536\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of 
event.action\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"5a195aa9-a6fa-45cd-94a7-89f782c9a638\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"event.action\"}},\"incompleteColumns\":{}}}}},\"filters\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"filter-index-pattern-0\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"cisco_meraki.log\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"cisco_meraki.log\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"9df0ec49-bc15-494a-8ca7-437cd63ee7cd\",\"aca7f561-3ca9-4705-bf6e-e470d1fb0536\"],\"layerId\":\"9a165bef-572a-44fb-9285-70d75530b799\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"5a195aa9-a6fa-45cd-94a7-89f782c9a638\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"pie\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":24,\"i\":\"e359d544-a8d6-4019-9756-74519a9d3335\",\"w\":27,\"x\":0,\"y\":15},\"panelIndex\":\"e359d544-a8d6-4019-9756-74519a9d3335\",\"title\":\"Events by category and 
action\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"description\":\"\",\"layerListJSON\":\"[{\\\"sourceDescriptor\\\":{\\\"type\\\":\\\"EMS_TMS\\\",\\\"isAutoSelect\\\":true},\\\"id\\\":\\\"09082ad3-0055-461d-bf69-2b69a5dfb298\\\",\\\"label\\\":null,\\\"minZoom\\\":0,\\\"maxZoom\\\":24,\\\"alpha\\\":1,\\\"visible\\\":true,\\\"style\\\":{\\\"type\\\":\\\"TILE\\\"},\\\"includeInFitToBounds\\\":true,\\\"type\\\":\\\"VECTOR_TILE\\\"},{\\\"sourceDescriptor\\\":{\\\"indexPatternId\\\":\\\"logs-*\\\",\\\"sourceGeoField\\\":\\\"source.geo.location\\\",\\\"destGeoField\\\":\\\"destination.geo.location\\\",\\\"id\\\":\\\"ce84cee6-da49-4261-beaa-628ca03abc52\\\",\\\"type\\\":\\\"ES_PEW_PEW\\\",\\\"applyGlobalQuery\\\":true,\\\"applyGlobalTime\\\":true,\\\"applyForceRefresh\\\":true,\\\"metrics\\\":[{\\\"type\\\":\\\"count\\\"}]},\\\"style\\\":{\\\"type\\\":\\\"VECTOR\\\",\\\"properties\\\":{\\\"icon\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"value\\\":\\\"marker\\\"}},\\\"fillColor\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"color\\\":\\\"#54B399\\\"}},\\\"lineColor\\\":{\\\"type\\\":\\\"DYNAMIC\\\",\\\"options\\\":{\\\"color\\\":\\\"Green to 
Red\\\",\\\"colorCategory\\\":\\\"palette_0\\\",\\\"field\\\":{\\\"name\\\":\\\"doc_count\\\",\\\"origin\\\":\\\"source\\\"},\\\"fieldMetaOptions\\\":{\\\"isEnabled\\\":true,\\\"sigma\\\":3},\\\"type\\\":\\\"ORDINAL\\\",\\\"useCustomColorRamp\\\":false}},\\\"lineWidth\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"size\\\":3}},\\\"iconSize\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"size\\\":6}},\\\"iconOrientation\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"orientation\\\":0}},\\\"labelText\\\":{\\\"type\\\":\\\"DYNAMIC\\\",\\\"options\\\":{\\\"field\\\":{\\\"label\\\":\\\"count\\\",\\\"name\\\":\\\"doc_count\\\",\\\"origin\\\":\\\"source\\\",\\\"type\\\":\\\"number\\\",\\\"supportsAutoDomain\\\":true}}},\\\"labelColor\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"color\\\":\\\"#000000\\\"}},\\\"labelSize\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"size\\\":14}},\\\"labelBorderColor\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"color\\\":\\\"#FFFFFF\\\"}},\\\"symbolizeAs\\\":{\\\"options\\\":{\\\"value\\\":\\\"circle\\\"}},\\\"labelBorderSize\\\":{\\\"options\\\":{\\\"size\\\":\\\"SMALL\\\"}}},\\\"isTimeAware\\\":true},\\\"id\\\":\\\"8dec8632-de8b-43df-9731-5c6c45ecb45f\\\",\\\"label\\\":\\\"src-dst-ip-p2p\\\",\\\"minZoom\\\":0,\\\"maxZoom\\\":24,\\\"alpha\\\":0.75,\\\"visible\\\":true,\\\"includeInFitToBounds\\\":true,\\\"type\\\":\\\"VECTOR\\\",\\\"joins\\\":[]}]\",\"mapStateJSON\":\"{\\\"zoom\\\":1.61,\\\"center\\\":{\\\"lon\\\":0,\\\"lat\\\":19.94277},\\\"timeFilters\\\":{\\\"from\\\":\\\"now-2y\\\",\\\"to\\\":\\\"now\\\"},\\\"refreshConfig\\\":{\\\"isPaused\\\":true,\\\"interval\\\":0},\\\"query\\\":{\\\"query\\\":\\\"\\\",\\\"language\\\":\\\"kuery\\\"},\\\"filters\\\":[{\\\"meta\\\":{\\\"index\\\":\\\"logs-*\\\",\\\"alias\\\":null,\\\"negate\\\":false,\\\"disabled\\\":false,\\\"type\\\":\\\"phrase\\\",\\\"key\\\":\\\"data_stream.dataset\\\",\\\"params\\\":{\\\"query\\\":\\\"cisco_meraki.log\\\"}},\\\"query
\\\":{\\\"match_phrase\\\":{\\\"data_stream.dataset\\\":\\\"cisco_meraki.log\\\"}},\\\"$state\\\":{\\\"store\\\":\\\"appState\\\"}}],\\\"settings\\\":{\\\"autoFitToDataBounds\\\":false,\\\"backgroundColor\\\":\\\"#ffffff\\\",\\\"disableInteractive\\\":false,\\\"disableTooltipControl\\\":false,\\\"hideToolbarOverlay\\\":false,\\\"hideLayerControl\\\":false,\\\"hideViewControl\\\":false,\\\"initialLocation\\\":\\\"LAST_SAVED_LOCATION\\\",\\\"fixedLocation\\\":{\\\"lat\\\":0,\\\"lon\\\":0,\\\"zoom\\\":2},\\\"browserLocation\\\":{\\\"zoom\\\":2},\\\"maxZoom\\\":24,\\\"minZoom\\\":0,\\\"showScaleControl\\\":false,\\\"showSpatialFilters\\\":true,\\\"showTimesliderToggleButton\\\":true,\\\"spatialFiltersAlpa\\\":0.3,\\\"spatialFiltersFillColor\\\":\\\"#DA8B45\\\",\\\"spatialFiltersLineColor\\\":\\\"#DA8B45\\\"}}\",\"title\":\"\",\"uiStateJSON\":\"{\\\"isLayerTOCOpen\\\":true,\\\"openTOCDetails\\\":[]}\"},\"enhancements\":{},\"hiddenLayers\":[],\"hidePanelTitles\":false,\"isLayerTOCOpen\":false,\"mapBuffer\":{\"maxLat\":85.05113,\"maxLon\":180,\"minLat\":-85.05113,\"minLon\":-180},\"mapCenter\":{\"lat\":19.50912,\"lon\":-10.59576,\"zoom\":0.61},\"openTOCDetails\":[]},\"gridData\":{\"h\":12,\"i\":\"beacf090-799a-415a-bbad-302cd02d50be\",\"w\":21,\"x\":27,\"y\":15},\"panelIndex\":\"beacf090-799a-415a-bbad-302cd02d50be\",\"title\":\"IP 
Flows\",\"type\":\"map\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-04c98418-d7c7-4552-9ed3-d0380795febd\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"filter-index-pattern-0\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"04c98418-d7c7-4552-9ed3-d0380795febd\":{\"columnOrder\":[\"1e47d004-4347-46ee-aed2-280f64e8888d\",\"4c2300ef-9033-45bd-8b0e-06deea3996f1\"],\"columns\":{\"1e47d004-4347-46ee-aed2-280f64e8888d\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of url.original\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"4c2300ef-9033-45bd-8b0e-06deea3996f1\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"url.original\"},\"4c2300ef-9033-45bd-8b0e-06deea3996f1\":{\"dataType\":\"number\",\"filter\":{\"language\":\"kuery\",\"query\":\"\"},\"isBucketed\":false,\"label\":\"Count of 
records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"filter-index-pattern-0\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"cisco_meraki.log\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"cisco_meraki.log\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"accessors\":[\"4c2300ef-9033-45bd-8b0e-06deea3996f1\"],\"layerId\":\"04c98418-d7c7-4552-9ed3-d0380795febd\",\"layerType\":\"data\",\"position\":\"top\",\"seriesType\":\"bar_horizontal\",\"showGridlines\":false,\"xAccessor\":\"1e47d004-4347-46ee-aed2-280f64e8888d\",\"yConfig\":[{\"axisMode\":\"auto\",\"forAccessor\":\"4c2300ef-9033-45bd-8b0e-06deea3996f1\"}]}],\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"preferredSeriesType\":\"bar_horizontal\",\"title\":\"Empty XY chart\",\"valueLabels\":\"hide\",\"yLeftExtent\":{\"mode\":\"full\"},\"yRightExtent\":{\"mode\":\"full\"}}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsXY\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":12,\"i\":\"58d65007-15fc-492f-a8db-f509b7d28aad\",\"w\":21,\"x\":27,\"y\":27},\"panelIndex\":\"58d65007-15fc-492f-a8db-f509b7d28aad\",\"title\":\"Top URL access\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":20,\"i\":\"a7fc4a8a-954f-4fc0-acfc-2d358c89b2c6\",\"w\":48,\"x\":0,\"y\":39},\"panelIndex\":\"a7fc4a8a-954f-4fc0-acfc-2d358c89b2c6\",\"title\":\"Log stream\",\"type\":\"LOG_STREAM_EMBEDDABLE\",\"version\":\"7.17.0\"}]", - "timeRestore": false, - "title": "[Logs Cisco Meraki Syslog Events] Overview", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "cisco_meraki-4832a430-af22-11ec-a899-6f7e676e0fb4", - "migrationVersion": { - "dashboard": "7.17.0" - }, - 
"references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "372a6801-2e52-4c4c-a674-746eec7f7e09:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "372a6801-2e52-4c4c-a674-746eec7f7e09:indexpattern-datasource-layer-9f3c668f-fec6-4125-ae7b-fcb073df79c1", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "372a6801-2e52-4c4c-a674-746eec7f7e09:filter-index-pattern-0", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "03bf41fe-673d-4f95-9d6e-510d8dc46ba6:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "03bf41fe-673d-4f95-9d6e-510d8dc46ba6:indexpattern-datasource-layer-511effff-5682-4cfa-a2de-739bbefa93ea", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "03bf41fe-673d-4f95-9d6e-510d8dc46ba6:filter-index-pattern-0", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "475cb47c-34d7-4c56-b57d-e27d25678fc8:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "475cb47c-34d7-4c56-b57d-e27d25678fc8:indexpattern-datasource-layer-abda3ec0-db97-4e02-a42e-45e716110de2", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "475cb47c-34d7-4c56-b57d-e27d25678fc8:filter-index-pattern-0", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "58bbda58-7c31-44e1-8568-d37c2c585e53:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "58bbda58-7c31-44e1-8568-d37c2c585e53:indexpattern-datasource-layer-d8f74b4f-a83b-47bc-b862-2bc47ee790eb", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "8baff03a-7860-4fcc-90ff-3d5534e70845:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": 
"8baff03a-7860-4fcc-90ff-3d5534e70845:indexpattern-datasource-layer-5dc18b67-2c60-44c0-b3b5-7dd507bd4c3d", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "8baff03a-7860-4fcc-90ff-3d5534e70845:filter-index-pattern-0", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "8baff03a-7860-4fcc-90ff-3d5534e70845:filter-index-pattern-1", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "bcfe3eee-750d-476f-b7c1-afec41803720:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "bcfe3eee-750d-476f-b7c1-afec41803720:indexpattern-datasource-layer-bcffdee9-d006-4e9c-abcc-081ac4739d02", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "bcfe3eee-750d-476f-b7c1-afec41803720:filter-index-pattern-0", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "bcfe3eee-750d-476f-b7c1-afec41803720:filter-index-pattern-1", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "e359d544-a8d6-4019-9756-74519a9d3335:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "e359d544-a8d6-4019-9756-74519a9d3335:indexpattern-datasource-layer-9a165bef-572a-44fb-9285-70d75530b799", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "e359d544-a8d6-4019-9756-74519a9d3335:filter-index-pattern-0", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "beacf090-799a-415a-bbad-302cd02d50be:layer_1_source_index_pattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "58d65007-15fc-492f-a8db-f509b7d28aad:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "58d65007-15fc-492f-a8db-f509b7d28aad:indexpattern-datasource-layer-04c98418-d7c7-4552-9ed3-d0380795febd", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "58d65007-15fc-492f-a8db-f509b7d28aad:filter-index-pattern-0", - "type": "index-pattern" - } - ], - "type": 
"dashboard"
-}
\ No newline at end of file
diff --git a/packages/cisco_meraki/1.1.2/manifest.yml b/packages/cisco_meraki/1.1.2/manifest.yml
deleted file mode 100755
index 2ba61c0709..0000000000
--- a/packages/cisco_meraki/1.1.2/manifest.yml
+++ /dev/null
@@ -1,50 +0,0 @@
-format_version: 1.0.0
-name: cisco_meraki
-title: Cisco Meraki
-version: 1.1.2
-license: basic
-description: Collect logs from Cisco Meraki with Elastic Agent.
-type: integration
-categories:
- - network
- - security
-release: ga
-conditions:
- kibana.version: ^7.17.0 || ^8.0.0
-screenshots:
- - src: /img/cisco-meraki-dashboard-1.png
- title: Cisco Meraki Dashboard
- size: 600x600
- type: image/png
- - src: /img/cisco-meraki-dashboard-2.png
- title: Cisco Meraki Dashboard
- size: 600x600
- type: image/png
- - src: /img/cisco-meraki-dashboard-3.png
- title: Cisco Meraki Dashboard
- size: 600x600
- type: image/png
-icons:
- - src: /img/cisco-logo.svg
- title: Cisco logo
- size: 32x32
- type: image/svg+xml
-policy_templates:
- - name: cisco_meraki
- title: Cisco Meraki logs or events
- description: Collect logs or events from Cisco Meraki
- inputs:
- - type: udp
- title: Collect syslog from Cisco Meraki via UDP
- description: Collecting syslog from Cisco Meraki via UDP
- - type: tcp
- title: Collect syslog from Cisco Meraki via TCP
- description: Collecting syslog from Cisco Meraki via TCP
- - type: logfile
- title: Collect syslog from Cisco Meraki via file
- description: Collecting syslog from Cisco Meraki via file
- - type: http_endpoint
- title: Collect events from Cisco Meraki via Webhooks
- description: Collecting events from Cisco Meraki via Webhooks
-owner:
- github: elastic/security-external-integrations
diff --git a/packages/cisco_meraki/1.2.0/LICENSE.txt b/packages/cisco_meraki/1.2.0/LICENSE.txt
deleted file mode 100755
index 809108b857..0000000000
--- a/packages/cisco_meraki/1.2.0/LICENSE.txt
+++ /dev/null
@@ -1,93 +0,0 @@ -Elastic License 2.0 - -URL: https://www.elastic.co/licensing/elastic-license - -## Acceptance - -By using the software, you agree to all of the terms and conditions below. - -## Copyright License - -The licensor grants you a non-exclusive, royalty-free, worldwide, -non-sublicensable, non-transferable license to use, copy, distribute, make -available, and prepare derivative works of the software, in each case subject to -the limitations and conditions below. - -## Limitations - -You may not provide the software to third parties as a hosted or managed -service, where the service provides users with access to any substantial set of -the features or functionality of the software. - -You may not move, change, disable, or circumvent the license key functionality -in the software, and you may not remove or obscure any functionality in the -software that is protected by the license key. - -You may not alter, remove, or obscure any licensing, copyright, or other notices -of the licensor in the software. Any use of the licensor’s trademarks is subject -to applicable law. - -## Patents - -The licensor grants you a license, under any patent claims the licensor can -license, or becomes able to license, to make, have made, use, sell, offer for -sale, import and have imported the software, in each case subject to the -limitations and conditions in this license. This license does not cover any -patent claims that you cause to be infringed by modifications or additions to -the software. If you or your company make any written claim that the software -infringes or contributes to infringement of any patent, your patent license for -the software granted under these terms ends immediately. If your company makes -such a claim, your patent license ends immediately for work on behalf of your -company. - -## Notices - -You must ensure that anyone who gets a copy of any part of the software from you -also gets a copy of these terms. 
- -If you modify the software, you must include in any modified copies of the -software prominent notices stating that you have modified the software. - -## No Other Rights - -These terms do not imply any licenses other than those expressly granted in -these terms. - -## Termination - -If you use the software in violation of these terms, such use is not licensed, -and your licenses will automatically terminate. If the licensor provides you -with a notice of your violation, and you cease all violation of this license no -later than 30 days after you receive that notice, your licenses will be -reinstated retroactively. However, if you violate these terms after such -reinstatement, any additional violation of these terms will cause your licenses -to terminate automatically and permanently. - -## No Liability - -*As far as the law allows, the software comes as is, without any warranty or -condition, and the licensor will not be liable to you for any damages arising -out of these terms or the use or nature of the software, under any kind of -legal claim.* - -## Definitions - -The **licensor** is the entity offering these terms, and the **software** is the -software the licensor makes available under these terms, including any portion -of it. - -**you** refers to the individual or entity agreeing to these terms. - -**your company** is any legal entity, sole proprietorship, or other kind of -organization that you work for, plus all organizations that have control over, -are under the control of, or are under common control with that -organization. **control** means ownership of substantially all the assets of an -entity, or the power to direct its management and policies by vote, contract, or -otherwise. Control can be direct or indirect. - -**your licenses** are all the licenses granted to you for the software under -these terms. - -**use** means anything you do with the software requiring one of your licenses. 
- -**trademark** means trademarks, service marks, and similar rights. diff --git a/packages/cisco_meraki/1.2.0/changelog.yml b/packages/cisco_meraki/1.2.0/changelog.yml deleted file mode 100755 index a60da793d8..0000000000 --- a/packages/cisco_meraki/1.2.0/changelog.yml +++ /dev/null 
@@ -1,96 +0,0 @@ -# newer versions go on top -- version: "1.2.0" - changes: - - description: Add preserve_original_event function to default pipeline - type: enhancement - link: https://github.com/elastic/integrations/pull/4097 -- version: "1.1.2" - changes: - - description: Fix MAC address formatting. - type: bugfix - link: https://github.com/elastic/integrations/issues/4283 -- version: "1.1.1" - changes: - - description: Use ECS geo.location definition. - type: enhancement - link: https://github.com/elastic/integrations/issues/4227 -- version: "1.1.0" - changes: - - description: Update package to ECS 8.4.0 - type: enhancement - link: https://github.com/elastic/integrations/pull/3924 -- version: "1.0.1" - changes: - - description: Fix client.geo.location mapping - type: bugfix - link: https://github.com/elastic/integrations/pull/3941 -- version: "1.0.0" - changes: - - description: Make GA - type: enhancement - link: https://github.com/elastic/integrations/pull/3859 -- version: "0.6.1" - changes: - - description: Update package name and description to align with standard wording - type: enhancement - link: https://github.com/elastic/integrations/pull/3478 -- version: "0.6.0" - changes: - - description: Update package to ECS 8.3.0. 
- type: enhancement - link: https://github.com/elastic/integrations/pull/3353 -- version: "0.5.1" - changes: - - description: Fix doc build - type: enhancement - link: https://github.com/elastic/integrations/pull/3529 -- version: "0.5.0" - changes: - - description: Replace RSA2ELK with Syslog and Webhook integration - type: enhancement - link: https://github.com/elastic/integrations/pull/2897 -- version: "0.4.1" - changes: - - description: Add documentation for multi-fields - type: enhancement - link: https://github.com/elastic/integrations/pull/2916 -- version: "0.4.0" - changes: - - description: Update to ECS 8.0.0 - type: enhancement - link: https://github.com/elastic/integrations/pull/2580 -- version: "0.3.1" - changes: - - description: Regenerate test files using the new GeoIP database - type: bugfix - link: https://github.com/elastic/integrations/pull/2339 -- version: "0.3.0" - changes: - - description: Add 8.0.0 version constraint - type: enhancement - link: https://github.com/elastic/integrations/pull/2270 -- version: "0.2.3" - changes: - - description: Update Title and Description. - type: enhancement - link: https://github.com/elastic/integrations/pull/1956 -- version: "0.2.2" - changes: - - description: Fixed a bug that prevents the package from working in 7.16. - type: bugfix - link: https://github.com/elastic/integrations/pull/1882 -- version: "0.2.1" - changes: - - description: Fix logic that checks for the 'forwarded' tag - type: bugfix - link: https://github.com/elastic/integrations/pull/1808 -- version: "0.2.0" - changes: - - description: Update to ECS 1.12.0 - type: enhancement - link: https://github.com/elastic/integrations/pull/1785 -- version: "0.1.0" - changes: - - description: Initial commit splitting Cisco meraki from general Cisco package - type: enhancement - link: https://github.com/elastic/integrations/pull/1587 
diff --git a/packages/cisco_meraki/1.2.0/data_stream/events/agent/stream/http_endpoint.yml.hbs b/packages/cisco_meraki/1.2.0/data_stream/events/agent/stream/http_endpoint.yml.hbs deleted file mode 100755 index 1203728f14..0000000000 --- a/packages/cisco_meraki/1.2.0/data_stream/events/agent/stream/http_endpoint.yml.hbs +++ /dev/null @@ -1,41 +0,0 @@ -type: http_endpoint -enabled: true -prefix: json - -{{#if listen_address}} -listen_address: {{listen_address}} -{{/if}} -{{#if listen_port}} -listen_port: {{listen_port}} -{{/if}} -{{#if url}} -url: {{url}} -{{/if}} - -{{#if secret_value}} -secret.header: Authorization -secret.value: "{{secret_value}}" -{{/if}} - -{{#if ssl}} -ssl: {{ssl}} -{{/if}} - -{{#if preserve_original_event}} -preserve_original_event: true -{{/if}} - -tags: -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#each tags as |tag i|}} - - {{tag}} -{{/each}} -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} -{{#if processors}} -processors: -{{processors}} -{{/if}} diff --git a/packages/cisco_meraki/1.2.0/data_stream/events/elasticsearch/ingest_pipeline/default.yml b/packages/cisco_meraki/1.2.0/data_stream/events/elasticsearch/ingest_pipeline/default.yml deleted file mode 100755 index ace8dc48cb..0000000000 --- a/packages/cisco_meraki/1.2.0/data_stream/events/elasticsearch/ingest_pipeline/default.yml +++ /dev/null 
@@ -1,300 +0,0 @@ ---- -description: Pipeline for processing Cisco Meraki events -processors: -- set: - field: ecs.version - value: '8.4.0' -- set: - field: observer.serial_number - copy_from: json.deviceSerial -- gsub: - field: json.deviceMac - target_field: observer.mac - pattern: '[-:.]' - replacement: '-' -- set: - field: observer.name - copy_from: json.deviceName -- set: - field: observer.vendor - value: Cisco -- set: - field: observer.product - copy_from: json.deviceModel -- set: - field: network.name - copy_from: json.networkName -- date: - field: json.occurredAt - formats: - - ISO8601 -- set: - field: organization.id - copy_from: json.organizationId -- set: - field: organization.name - copy_from: json.organizationName -- set: - field: log.level - copy_from: json.alertLevel -- append: - field: event.category - value: network -- append: - field: event.type - value: info -- script: - lang: painless - description: The script sets event type, action and category based on type and sub-type fields - params: - eventmap: - "started_reporting": - type: - - start - "stopped_reporting": - type: - - end - "foreign_ap": - category: - - intrusion_detection - - threat - type: - - indicator - "bluetooth_in": - type: - - start - "bluetooth_out": - type: - - end - "port_cable_error": - type: - - connection - "node_hardware_failure": - category: - - host - type: - - end - "cellular_up": - type: - - start - "cellular_down": - type: - - end - "umbrella_expiring": - category: - - configuration - "ip_conflict": - type: - - protocol - "rogue_ap_association": - category: - - threat - type: - - indicator - "client_connectivity": - category: - - session - type: - - connection - "pcc_security_compliance": - category: - - configuration - "pcc_security_violation": - category: - - configuration - - threat - type: - - change - - indicator - "pcc_outage_end": - category: - - host - type: - - connection - "pcc_enrollment": - category: - - session - type: - - connection - - start - 
"geofencing_out": - type: - - connection - "pcc_outage_begin": - category: - - host - type: - - connection - - end - "dhcp_no_leases": - type: - - connection - - denied - - protocol - "vrrp": - category: - - configuration - type: - - change - "pcc_expired_apns_cert": - category: - - authentication - "amp_malware_blocked": - category: - - threat - - intrusion_detection - type: - - indicator - - denied - "amp_malware_detected": - category: - - threat - - intrusion_detection - type: - - indicator - - allowed - "pcc_sw_found": - category: - - host - - configuration - type: - - change - "pcc_unmanaged": - category: - - configuration - - iam - type: - - change - - deletion - "dhcp_alerts": - type: - - protocol - "power_supply_up": - type: - - start - "power_supply_down": - category: - - host - type: - - end - "unreachable_radius_server": - category: - - authentication - type: - - end - - denied - "rogue_ap": - category: - - threat - type: - - indicator - "rogue_dhcp": - category: - - threat - type: - - indicator - "settings_changed": - category: - - configuration - type: - - change - "port_connected": - type: - - connection - "port_disconnected": - type: - - end - "port_speed_change": - category: - - configuration - type: - - change - - protocol - "udld_error": - type: - - connection - - end - "uplink_ip6_conflict": - type: - - protocol - if: ctx?.json?.alertTypeId != null - source: |- - def alertTypeId = ctx.json.alertTypeId; - def eventMap = params.get('eventmap'); - def eventData = eventMap.get(alertTypeId); - ctx.event.action = ctx.json.alertType; - if (eventData == null) { - // Unclassified events - // - geofencing_in, critical_temperature - // - gateway_to_repeater, mi_alert - // - motion_alert, usage_alert - // - new_splash_signup, rps_base_supply_up - // - rps_backup, vpn_connectivity_change - return; - } - def eventCategory = eventData.get('category'); - if (eventCategory != null) { - for (def c : eventCategory) { - ctx.event.category.add(c); - } - } - def 
eventType = eventData.get('type'); - if (eventType != null) { - for (def t : eventType) { - ctx.event.type.add(t); - } - } -- rename: - field: json - target_field: cisco_meraki.event -## -# Clean up -## -- remove: - field: - - cisco_meraki.event.deviceSerial - - cisco_meraki.event.deviceMac - - cisco_meraki.event.deviceName - - cisco_meraki.event.deviceModel - - cisco_meraki.event.occurredAt - - cisco_meraki.event.networkName - - cisco_meraki.event.organizationId - - cisco_meraki.event.organizationName - - cisco_meraki.event.alertType - - cisco_meraki.event.alertLevel - ignore_missing: true -- remove: - field: event.original - if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" - ignore_failure: true - ignore_missing: true -- script: - lang: painless - description: This script processor iterates over the whole document to remove fields with null values. - source: | - void handleMap(Map map) { - for (def x : map.values()) { - if (x instanceof Map) { - handleMap(x); - } else if (x instanceof List) { - handleList(x); - } - } - map.values().removeIf(v -> v == null || v == '' || (v instanceof Map && v.size() == 0) || (v instanceof List && v.size() == 0)); - } - void handleList(List list) { - for (def x : list) { - if (x instanceof Map) { - handleMap(x); - } else if (x instanceof List) { - handleList(x); - } - } - list.removeIf(v -> v == null || v == '' || (v instanceof Map && v.size() == 0) || (v instanceof List && v.size() == 0)); - } - handleMap(ctx); - -on_failure: -- set: - field: error.message - value: '{{ _ingest.on_failure_message }}' diff --git a/packages/cisco_meraki/1.2.0/data_stream/events/fields/agent.yml b/packages/cisco_meraki/1.2.0/data_stream/events/fields/agent.yml deleted file mode 100755 index 162c9f3aa3..0000000000 --- a/packages/cisco_meraki/1.2.0/data_stream/events/fields/agent.yml +++ /dev/null 
@@ -1,207 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - -- name: input.type - type: keyword - description: Input type. 
-- name: log.source.address - type: keyword - description: Source address from which the log event was read / sent from. -- name: log.offset - type: long - description: Offset of the entry in the log file. diff --git a/packages/cisco_meraki/1.2.0/data_stream/events/fields/base-fields.yml b/packages/cisco_meraki/1.2.0/data_stream/events/fields/base-fields.yml deleted file mode 100755 index ebba8d4244..0000000000 --- a/packages/cisco_meraki/1.2.0/data_stream/events/fields/base-fields.yml +++ /dev/null @@ -1,32 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: "@timestamp" - type: date - description: Event timestamp. -- name: event.module - type: constant_keyword - description: Event module - value: cisco_meraki -- name: event.dataset - type: constant_keyword - description: Event dataset - value: cisco_meraki.events -- name: container.id - description: Unique container id. - ignore_above: 1024 - type: keyword -- name: input.type - description: Type of Filebeat input. - type: keyword -- name: log.file.path - description: Full path to the log file this event came from. - example: /var/log/fun-times.log - ignore_above: 1024 - type: keyword diff --git a/packages/cisco_meraki/1.2.0/data_stream/events/fields/ecs.yml b/packages/cisco_meraki/1.2.0/data_stream/events/fields/ecs.yml deleted file mode 100755 index 56320fe5d0..0000000000 --- a/packages/cisco_meraki/1.2.0/data_stream/events/fields/ecs.yml +++ /dev/null 
@@ -1,697 +0,0 @@ -- description: |- - Date/time when the event originated. - This is the date/time extracted from the event, typically representing when the event was generated by the source. - If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. - Required field for all events. - name: '@timestamp' - type: date -- description: IP address of the client (IPv4 or IPv6). - name: client.ip - type: ip -- description: |- - MAC address of the client. - The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. - name: client.mac - type: keyword -- description: |- - The domain name of the client system. - This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. - name: client.domain - type: keyword -- description: |- - The highest registered client domain, stripped of the subdomain. - For example, the registered domain for "foo.example.com" is "example.com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". - name: client.registered_domain - type: keyword -- description: |- - The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. - For example the subdomain portion of "www.east.mydomain.co.uk" is "east". 
If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. - name: client.subdomain - type: keyword -- description: |- - The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". - name: client.top_level_domain - type: keyword -- description: |- - Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: destination.address - type: keyword -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: destination.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: destination.as.organization.name - type: keyword -- description: Bytes sent from the destination to the source. - name: destination.bytes - type: long -- description: |- - The domain name of the destination system. - This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. - name: destination.domain - type: keyword -- description: City name. - name: destination.geo.city_name - type: keyword -- description: Country name. - name: destination.geo.country_name - type: keyword -- description: Longitude and latitude. 
- name: destination.geo.location - type: geo_point -- description: IP address of the destination (IPv4 or IPv6). - name: destination.ip - type: ip -- description: |- - MAC address of the destination. - The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. - name: destination.mac - pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ - type: keyword -- description: |- - Translated ip of destination based NAT sessions (e.g. internet to private DMZ) - Typically used with load balancers, firewalls, or routers. - name: destination.nat.ip - type: ip -- description: |- - Port the source session is translated to by NAT Device. - Typically used with load balancers, firewalls, or routers. - name: destination.nat.port - type: long -- description: Port of the destination. - name: destination.port - type: long -- description: |- - The highest registered destination domain, stripped of the subdomain. - For example, the registered domain for "foo.example.com" is "example.com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". - name: destination.registered_domain - type: keyword -- description: |- - The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. - For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. 
- name: destination.subdomain - type: keyword -- description: |- - The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". - name: destination.top_level_domain - type: keyword -- description: |- - The domain name to which this resource record pertains. - If a chain of CNAME is being resolved, each answer's `name` should be the one that corresponds with the answer's `data`. It should not simply be the original `question.name` repeated. - name: dns.answers.name - type: keyword -- description: The type of data contained in this resource record. - name: dns.answers.type - type: keyword -- description: |- - The highest registered domain, stripped of the subdomain. - For example, the registered domain for "foo.example.com" is "example.com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". - name: dns.question.registered_domain - type: keyword -- description: |- - The subdomain is all of the labels under the registered_domain. - If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. - name: dns.question.subdomain - type: keyword -- description: |- - The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). 
Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". - name: dns.question.top_level_domain - type: keyword -- description: The type of record being queried. - name: dns.question.type - type: keyword -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: Error message. - name: error.message - type: match_only_text -- description: |- - The action captured by the event. - This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. - name: event.action - type: keyword -- description: |- - Identification code for this event, if one exists. - Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. - name: event.code - type: keyword -- description: |- - Timestamp when an event arrived in the central data store. - This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. - In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. - name: event.ingested - type: date -- description: |- - Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. - This field is not indexed and doc_values are disabled. 
It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. - doc_values: false - index: false - name: event.original - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. - `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. - Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. - Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. - Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. - name: event.outcome - type: keyword -- description: |- - This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. - Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). - name: event.timezone - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. - `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. 
This will allow proper categorization of some events that fall in multiple event types. - name: event.type - normalize: - - array - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. This will allow proper categorization of some events that fall in multiple categories. - name: event.category - normalize: - - array - type: keyword -- description: |- - Array of file attributes. - Attributes names will vary by platform. Here's a non-exhaustive list of values that are expected in this field: archive, compressed, directory, encrypted, execute, hidden, read, readonly, system, write. - name: file.attributes - normalize: - - array - type: keyword -- description: Directory where the file is located. It should include the drive letter, when appropriate. - name: file.directory - type: keyword -- description: |- - File extension, excluding the leading dot. - Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). - name: file.extension - type: keyword -- description: Name of the file including the extension, without the directory. - name: file.name - type: keyword -- description: Full path to the file, including the file name. It should include the drive letter, when appropriate. - multi_fields: - - name: text - type: match_only_text - name: file.path - type: keyword -- description: |- - File size in bytes. - Only relevant when `file.type` is "file". - name: file.size - type: long -- description: File type (file, dir, or symlink). - name: file.type - type: keyword -- description: City name. 
- name: geo.city_name - type: keyword -- description: Country name. - name: geo.country_name - type: keyword -- description: |- - User-defined description of a location, at the level of granularity they care about. - Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. - Not typically used in automated geolocation. - name: geo.name - type: keyword -- description: Region name. - name: geo.region_name - type: keyword -- description: Unique identifier for the group on the system/platform. - name: group.id - type: keyword -- description: Name of the group. - name: group.name - type: keyword -- description: |- - Hostname of the host. - It normally contains what the `hostname` command returns on the host machine. - name: host.hostname - type: keyword -- description: Host ip addresses. - name: host.ip - normalize: - - array - type: ip -- description: |- - Host MAC addresses. - The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. - name: host.mac - normalize: - - array - pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ - type: keyword -- description: |- - Name of the host. - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. - name: host.name - type: keyword -- description: |- - HTTP request method. - The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field. - name: http.request.method - type: keyword -- description: Referrer for this HTTP request. - name: http.request.referrer - type: keyword -- description: |- - Original log level of the log event. 
- If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). - Some examples are `warn`, `err`, `i`, `informational`. - name: log.level - type: keyword -- description: |- - The Syslog numeric facility of the log event, if available. - According to RFCs 5424 and 3164, this value should be an integer between 0 and 23. - name: log.syslog.facility.code - type: long -- description: |- - Syslog numeric priority of the event, if available. - According to RFCs 5424 and 3164, the priority is 8 * facility + severity. This number is therefore expected to contain a value between 0 and 191. - name: log.syslog.priority - type: long -- description: |- - The Syslog numeric severity of the log event, if available. - If the event source publishing via Syslog provides a different numeric severity value (e.g. firewall, IDS), your source's numeric severity should go to `event.severity`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `event.severity`. - name: log.syslog.severity.code - type: long -- description: |- - Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. - If the event wasn't read from a log file, do not populate this field. - name: log.file.path - type: keyword -- description: List of keywords used to tag each event. - name: tags - normalize: - - array - type: keyword -- description: |- - For log events the message field contains the log message, optimized for viewing in a log viewer. - For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. - If multiple messages exist, they can be combined into one message. 
- name: message - type: match_only_text -- description: |- - When a specific application or service is identified from network connection details (source/dest IPs, ports, certificates, or wire format), this field captures the application's or service's name. - For example, the original event identifies the network connection being from a specific web service in a `https` network connection, like `facebook` or `twitter`. - The field value must be normalized to lowercase for querying. - name: network.application - type: keyword -- description: |- - Total bytes transferred in both directions. - If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. - name: network.bytes - type: long -- description: |- - Direction of the network traffic. - When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". - When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". - Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. - name: network.direction - type: keyword -- description: Host IP address when the source IP address is the proxy. - name: network.forwarded_ip - type: ip -- description: |- - Total packets transferred in both directions. - If `source.packets` and `destination.packets` are known, `network.packets` is their sum. - name: network.packets - type: long -- description: |- - In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. - The field value must be normalized to lowercase for querying. 
- name: network.protocol - type: keyword -- description: Interface name as reported by the system. - name: observer.egress.interface.name - type: keyword -- description: Interface name as reported by the system. - name: observer.ingress.interface.name - type: keyword -- description: The product name of the observer. - name: observer.product - type: keyword -- description: |- - The type of the observer the data is coming from. - There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. - name: observer.type - type: keyword -- description: Vendor name of the observer. - name: observer.vendor - type: keyword -- description: Observer version. - name: observer.version - type: keyword -- description: |- - MAC addresses of the observer. - The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. - name: observer.mac - normalize: - - array - pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ - type: keyword -- description: |- - Custom name of the observer. - This is a name that can be given to an observer. This can be helpful for example if multiple firewalls of the same model are used in an organization. - If no custom name is needed, the field can be left empty. - name: observer.name - type: keyword -- description: Observer serial number. - name: observer.serial_number - type: keyword -- description: |- - Process name. - Sometimes called program name or similar. - multi_fields: - - name: text - type: match_only_text - name: process.name - type: keyword -- description: |- - Process name. - Sometimes called program name or similar. - multi_fields: - - name: text - type: match_only_text - name: process.parent.name - type: keyword -- description: |- - Process title. - The proctitle, some times the same as process name. 
Can also be different: for example a browser setting its title to the web page currently opened. - multi_fields: - - name: text - type: match_only_text - name: process.parent.title - type: keyword -- description: Process id. - name: process.pid - type: long -- description: Process id. - name: process.parent.pid - type: long -- description: |- - Process title. - The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. - multi_fields: - - name: text - type: match_only_text - name: process.title - type: keyword -- description: All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. - name: related.hosts - normalize: - - array - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - normalize: - - array - type: ip -- description: All the user names or other user identifiers seen on the event. - name: related.user - normalize: - - array - type: keyword -- description: The name of the rule or signature generating the event. - name: rule.name - type: keyword -- description: |- - MAC address of the server. - The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. - name: server.mac - pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ - type: keyword -- description: |- - The domain name of the server system. - This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. - name: server.domain - type: keyword -- description: |- - The highest registered server domain, stripped of the subdomain. - For example, the registered domain for "foo.example.com" is "example.com". 
- This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". - name: server.registered_domain - type: keyword -- description: |- - The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. - For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. - name: server.subdomain - type: keyword -- description: |- - The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". - name: server.top_level_domain - type: keyword -- description: |- - Name of the service data is collected from. - The name of the service is normally user given. This allows for distributed services that run on multiple hosts to correlate the related instances based on the name. - In the case of Elasticsearch the `service.name` could contain the cluster name. For Beats the `service.name` is by default a copy of the `service.type` field if no name is specified. - name: service.name - type: keyword -- description: |- - Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. 
- Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: source.address - type: keyword -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: source.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: source.as.organization.name - type: keyword -- description: Bytes sent from the source to the destination. - name: source.bytes - type: long -- description: |- - The domain name of the source system. - This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. - name: source.domain - type: keyword -- description: City name. - name: source.geo.city_name - type: keyword -- description: Country name. - name: source.geo.country_name - type: keyword -- description: Longitude and latitude. - name: source.geo.location - type: geo_point -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: |- - MAC address of the source. - The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. - name: source.mac - pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ - type: keyword -- description: |- - Translated ip of source based NAT sessions (e.g. internal client to internet) - Typically connections traversing load balancers, firewalls, or routers. - name: source.nat.ip - type: ip -- description: |- - Translated port of source based NAT sessions. (e.g. internal client to internet) - Typically used with load balancers, firewalls, or routers. - name: source.nat.port - type: long -- description: Port of the source. 
- name: source.port - type: long -- description: |- - The highest registered source domain, stripped of the subdomain. - For example, the registered domain for "foo.example.com" is "example.com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". - name: source.registered_domain - type: keyword -- description: |- - The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. - For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. - name: source.subdomain - type: keyword -- description: |- - The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". - name: source.top_level_domain - type: keyword -- description: |- - Domain of the url, such as "www.elastic.co". - In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. - If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. - name: url.domain - type: keyword -- description: |- - Unmodified original url as seen in the event source. 
- Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. - This field is meant to represent the URL as it was observed, complete or not. - multi_fields: - - name: text - type: match_only_text - name: url.original - type: wildcard -- description: Path of the request, such as "/search". - name: url.path - type: wildcard -- description: |- - The query field describes the query string of the request, such as "q=elasticsearch". - The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. - name: url.query - type: keyword -- description: |- - The highest registered url domain, stripped of the subdomain. - For example, the registered domain for "foo.example.com" is "example.com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". - name: url.registered_domain - type: keyword -- description: |- - The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". - name: url.top_level_domain - type: keyword -- description: |- - Name of the directory the user is a member of. - For example, an LDAP or Active Directory domain name. - name: user.domain - type: keyword -- description: User's full name, if available. 
- multi_fields: - - name: text - type: match_only_text - name: user.full_name - type: keyword -- description: Unique identifier of the user. - name: user.id - type: keyword -- description: Short name or login of the user. - multi_fields: - - name: text - type: match_only_text - name: user.name - type: keyword -- description: Unparsed user_agent string. - multi_fields: - - name: text - type: match_only_text - name: user_agent.original - type: keyword -- description: Hostname of the observer. - name: observer.hostname - type: keyword -- description: Name of the continent. - name: destination.geo.continent_name - type: keyword -- description: Country ISO code. - name: destination.geo.country_iso_code - type: keyword -- description: Region ISO code. - name: destination.geo.region_iso_code - type: keyword -- description: Region name. - name: destination.geo.region_name - type: keyword -- description: Name of the continent. - name: source.geo.continent_name - type: keyword -- description: Country ISO code. - name: source.geo.country_iso_code - type: keyword -- description: Region ISO code. - name: source.geo.region_iso_code - type: keyword -- description: Region name. - name: source.geo.region_name - type: keyword -- description: VLAN ID as reported by the observer. - name: network.vlan.id - type: keyword -- description: |- - The type of software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®. - While not required, you can use a MITRE ATT&CK® software type. - name: threat.software.type - type: keyword -- description: The date and time when intelligence source last reported sighting this indicator. - name: threat.indicator.last_seen - type: date -- description: Describes the type of action conducted by the threat. - name: threat.indicator.description - type: keyword -- description: Reference URL linking to additional information about this indicator. 
- name: threat.indicator.reference - type: keyword -- description: Name of the file including the extension, without the directory. - name: threat.indicator.file.name - type: keyword -- description: SHA256 hash. - name: threat.indicator.file.hash.sha256 - type: keyword -- description: |- - Direction of the network traffic. - When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". - When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". - Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. - name: network.direction - type: keyword -- description: |- - In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. - The field value must be normalized to lowercase for querying. - name: network.protocol - type: keyword -- description: City name. - name: client.geo.city_name - type: keyword -- description: Name of the continent. - name: client.geo.continent_name - type: keyword -- description: Country ISO code. - name: client.geo.country_iso_code - type: keyword -- description: Country name. - name: client.geo.country_name - type: keyword -- description: Longitude and latitude. - name: client.geo.location.lat - type: geo_point -- description: Longitude and latitude. - name: client.geo.location.lon - type: geo_point -- description: Region ISO code. - name: client.geo.region_iso_code - type: keyword -- description: Region name. - name: client.geo.region_name - type: keyword -- description: Unique identifier for the organization. 
- name: organization.id - type: keyword -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: organization.name - type: keyword -- description: Name given by operators to sections of their network. - name: network.name - type: keyword diff --git a/packages/cisco_meraki/1.2.0/data_stream/events/fields/fields.yml b/packages/cisco_meraki/1.2.0/data_stream/events/fields/fields.yml deleted file mode 100755 index 7443e7680a..0000000000 --- a/packages/cisco_meraki/1.2.0/data_stream/events/fields/fields.yml +++ /dev/null 
@@ -1,72 +0,0 @@ -- name: cisco_meraki - type: group - fields: - - name: event - type: group - fields: - - name: version - type: keyword - description: Current version of webhook format - - name: sharedSecret - type: keyword - description: User defined secret to be validated by the webhook receiver (optional) - - name: sentAt - type: date - description: Timestamp of the sent message (UTC) - - name: organizationId - type: keyword - description: ID of the Meraki organization - - name: organizationName - type: keyword - description: Name of the Meraki organization - - name: organizationUrl - type: keyword - description: URL of the Meraki Dashboard organization - - name: networkId - type: keyword - description: ID for the Meraki network - - name: networkName - type: keyword - description: Name for the Meraki network - - name: networkUrl - type: keyword - description: URL of the Meraki Dashboard network - - name: networkTags - type: keyword - description: Tags assigned to the Meraki network - - name: deviceSerial - type: keyword - description: Serial number of the Meraki device - - name: deviceMac - type: keyword - description: MAC address of the Meraki device - - name: deviceName - type: keyword - description: Name assigned to the Meraki device - - name: deviceUrl - type: keyword - description: URL of the Meraki device - - name: deviceTags - type: keyword - description: Tags assigned to the Meraki device - - name: deviceModel - type: keyword - description: Meraki device model - - name: alertId - type: keyword - description: ID for this alert message - - name: alertType - type: keyword - description: Type of alert (“Network usage alert”, “Settings changed”, etc.) - - name: alertTypeId - type: keyword - description: Unique ID for the type of alert - - name: alertLevel - type: keyword - description: Alert level (informational, critical etc.) 
- - name: occurredAt - type: date - description: Timestamp of the alert (UTC) - - name: alertData - type: flattened - description: Additional alert data (differs based on alert type) diff --git a/packages/cisco_meraki/1.2.0/data_stream/events/manifest.yml b/packages/cisco_meraki/1.2.0/data_stream/events/manifest.yml deleted file mode 100755 index bc4b29aa45..0000000000 --- a/packages/cisco_meraki/1.2.0/data_stream/events/manifest.yml +++ /dev/null 
@@ -1,76 +0,0 @@ -title: Cisco Meraki webhook events -release: experimental -type: logs -streams: - - input: http_endpoint - title: Cisco Meraki webhook events - description: Receives events from Cisco Meraki webhook - template_path: http_endpoint.yml.hbs - enabled: false - vars: - - name: listen_address - type: text - title: Listen Address - description: Bind address for the listener. Use 0.0.0.0 to listen on all interfaces. - multi: false - required: true - show_user: true - default: localhost - - name: listen_port - type: integer - title: Listen Port - multi: false - required: true - show_user: true - default: 8686 - - name: url - type: text - title: Webhook path - description: URL path where the webhook will accept requests. - multi: false - required: true - show_user: false - default: /meraki/events - - name: secret_value - type: text - description: Authorization token - multi: false - required: false - show_user: true - - name: ssl - type: yaml - title: TLS - description: Options for enabling TLS for the listening webhook endpoint. See the [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/configuration-ssl.html) for a list of all options. - multi: false - required: false - show_user: false - default: | - enabled: false - certificate: "/etc/pki/client/cert.pem" - key: "/etc/pki/client/cert.key" - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: false - default: - - forwarded - - meraki-events - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original` - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: > - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. 
This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. - diff --git a/packages/cisco_meraki/1.2.0/data_stream/events/sample_event.json b/packages/cisco_meraki/1.2.0/data_stream/events/sample_event.json deleted file mode 100755 index 83633463a4..0000000000 --- a/packages/cisco_meraki/1.2.0/data_stream/events/sample_event.json +++ /dev/null 
@@ -1,86 +0,0 @@ -{ - "@timestamp": "2018-02-11T00:00:00.123Z", - "agent": { - "ephemeral_id": "4e898a47-a469-4602-9ba2-0a46f55a3998", - "id": "e999e428-e6a9-4c63-bd05-0eda93c920b3", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "8.3.2" - }, - "cisco_meraki": { - "event": { - "alertData": { - "connection": "LTE", - "local": "192.168.1.2", - "model": "UML290VW", - "provider": "Purview Wireless", - "remote": "1.2.3.5" - }, - "alertId": "0000000000000000", - "alertTypeId": "cellular_up", - "deviceTags": [ - "tag1", - "tag2" - ], - "deviceUrl": "https://n1.meraki.com//n//manage/nodes/new_list/000000000000", - "networkId": "N_24329156", - "networkUrl": "https://n1.meraki.com//n//manage/nodes/list", - "organizationUrl": "https://dashboard.meraki.com/o/VjjsAd/manage/organization/overview", - "sentAt": "2021-10-07T08:42:00.926325Z", - "sharedSecret": "secret", - "version": "0.1" - } - }, - "data_stream": { - "dataset": "cisco_meraki.events", - "namespace": "ep", - "type": "logs" - }, - "ecs": { - "version": "8.4.0" - }, - "elastic_agent": { - "id": "e999e428-e6a9-4c63-bd05-0eda93c920b3", - "snapshot": false, - "version": "8.3.2" - }, - "event": { - "action": "Cellular came up", - "agent_id_status": "verified", - "category": [ - "network" - ], - "dataset": "cisco_meraki.events", - "ingested": "2022-08-08T18:48:35Z", - "original": "{\"alertData\":{\"connection\":\"LTE\",\"local\":\"192.168.1.2\",\"model\":\"UML290VW\",\"provider\":\"Purview Wireless\",\"remote\":\"1.2.3.5\"},\"alertId\":\"0000000000000000\",\"alertLevel\":\"informational\",\"alertType\":\"Cellular came up\",\"alertTypeId\":\"cellular_up\",\"deviceMac\":\"00:11:22:33:44:55\",\"deviceModel\":\"MX\",\"deviceName\":\"My appliance\",\"deviceSerial\":\"Q234-ABCD-5678\",\"deviceTags\":[\"tag1\",\"tag2\"],\"deviceUrl\":\"https://n1.meraki.com//n//manage/nodes/new_list/000000000000\",\"networkId\":\"N_24329156\",\"networkName\":\"Main 
Office\",\"networkTags\":[],\"networkUrl\":\"https://n1.meraki.com//n//manage/nodes/list\",\"occurredAt\":\"2018-02-11T00:00:00.123450Z\",\"organizationId\":\"2930418\",\"organizationName\":\"My organization\",\"organizationUrl\":\"https://dashboard.meraki.com/o/VjjsAd/manage/organization/overview\",\"sentAt\":\"2021-10-07T08:42:00.926325Z\",\"sharedSecret\":\"secret\",\"version\":\"0.1\"}", - "type": [ - "info", - "start" - ] - }, - "input": { - "type": "http_endpoint" - }, - "log": { - "level": "informational" - }, - "network": { - "name": "Main Office" - }, - "observer": { - "mac": "00-11-22-33-44-55", - "name": "My appliance", - "product": "MX", - "serial_number": "Q234-ABCD-5678", - "vendor": "Cisco" - }, - "organization": { - "id": "2930418", - "name": "My organization" - }, - "tags": [ - "preserve_original_event", - "forwarded", - "meraki-events" - ] -} \ No newline at end of file diff --git a/packages/cisco_meraki/1.2.0/data_stream/log/agent/stream/logfile.yml.hbs b/packages/cisco_meraki/1.2.0/data_stream/log/agent/stream/logfile.yml.hbs deleted file mode 100755 index 52b248876b..0000000000 --- a/packages/cisco_meraki/1.2.0/data_stream/log/agent/stream/logfile.yml.hbs +++ /dev/null @@ -1,27 +0,0 @@ -paths: -{{#each paths as |path i|}} - - {{path}} -{{/each}} -exclude_files: [".gz$"] - -tags: -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#each tags as |tag i|}} - - {{tag}} -{{/each}} - -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} - -fields_under_root: true -fields: - _conf: - tz_offset: '{{tz_offset}}' - -{{#if processors}} -processors: -{{processors}} -{{/if}} diff --git a/packages/cisco_meraki/1.2.0/data_stream/log/agent/stream/tcp.yml.hbs b/packages/cisco_meraki/1.2.0/data_stream/log/agent/stream/tcp.yml.hbs deleted file mode 100755 index 993860734e..0000000000 --- a/packages/cisco_meraki/1.2.0/data_stream/log/agent/stream/tcp.yml.hbs +++ /dev/null 
@@ -1,24 +0,0 @@ -host: "{{listen_address}}:{{listen_port}}" -max_message_size: 1 MiB - -tags: -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#each tags as |tag i|}} - - {{tag}} -{{/each}} - -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} - -fields_under_root: true -fields: - _conf: - tz_offset: '{{tz_offset}}' - -{{#if processors}} -processors: -{{processors}} -{{/if}} diff --git a/packages/cisco_meraki/1.2.0/data_stream/log/agent/stream/udp.yml.hbs b/packages/cisco_meraki/1.2.0/data_stream/log/agent/stream/udp.yml.hbs deleted file mode 100755 index 993860734e..0000000000 --- a/packages/cisco_meraki/1.2.0/data_stream/log/agent/stream/udp.yml.hbs +++ /dev/null @@ -1,24 +0,0 @@ -host: "{{listen_address}}:{{listen_port}}" -max_message_size: 1 MiB - -tags: -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#each tags as |tag i|}} - - {{tag}} -{{/each}} - -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} - -fields_under_root: true -fields: - _conf: - tz_offset: '{{tz_offset}}' - -{{#if processors}} -processors: -{{processors}} -{{/if}} diff --git a/packages/cisco_meraki/1.2.0/data_stream/log/elasticsearch/ingest_pipeline/airmarshal.yml b/packages/cisco_meraki/1.2.0/data_stream/log/elasticsearch/ingest_pipeline/airmarshal.yml deleted file mode 100755 index 2a7b399e94..0000000000 --- a/packages/cisco_meraki/1.2.0/data_stream/log/elasticsearch/ingest_pipeline/airmarshal.yml +++ /dev/null 
@@ -1,63 +0,0 @@ ---- -description: Pipeline for Cisco Meraki airmarshal_events type -processors: -- dissect: - description: Determine the airmarshal event type - field: event.original - pattern: "%{} airmarshal_events %{*type}=%{&type} %{}" -- rename: - field: type - target_field: cisco_meraki.event_subtype -- grok: - field: event.original - patterns: - - '%{GREEDYDATA} ssid=%{QS:_temp.ssid}%{SPACE}%{GREEDYDATA:_temp.kvline}' -- dissect: - field: _temp.ssid - pattern: "'%{_temp.kv.ssid}'" -- kv: - field: _temp.kvline - field_split: " " - value_split: "=" - target_field: _temp.kv - strip_brackets: true -- rename: - field: _temp.kv.ssid - target_field: network.name - if: ctx?._temp?.kv?.ssid != null -- rename: - field: _temp.kv.bssid - target_field: cisco_meraki.bssid -- rename: - field: _temp.kv.vap - target_field: cisco_meraki.vap - if: ctx?.cisco_meraki?.event_subtype == 'ssid_spoofing_detected' -- gsub: - field: _temp.kv.src - target_field: source.mac - pattern: '[-:.]' - replacement: '-' -- gsub: - field: _temp.kv.dst - target_field: destination.mac - pattern: '[-:.]' - replacement: '-' -- gsub: - field: _temp.kv.wired_mac - target_field: observer.mac - pattern: '[-:.]' - replacement: '-' - if: ctx?.cisco_meraki?.event_subtype == 'rogue_ssid_detected' -- rename: - field: _temp.kv.vlan_id - target_field: network.vlan.id - if: ctx?.cisco_meraki?.event_subtype == 'rogue_ssid_detected' -- rename: - field: _temp.kv.channel - target_field: cisco_meraki.channel -- rename: - field: _temp.kv.fc_type - target_field: cisco_meraki.fc_type -- rename: - field: _temp.kv.fc_subtype - target_field: cisco_meraki.fc_subtype diff --git a/packages/cisco_meraki/1.2.0/data_stream/log/elasticsearch/ingest_pipeline/default.yml b/packages/cisco_meraki/1.2.0/data_stream/log/elasticsearch/ingest_pipeline/default.yml deleted file mode 100755 index 019665db1c..0000000000 --- a/packages/cisco_meraki/1.2.0/data_stream/log/elasticsearch/ingest_pipeline/default.yml +++ /dev/null 
@@ -1,361 +0,0 @@ ---- -description: Pipeline for Cisco Meraki syslog -processors: -- set: - field: ecs.version - value: '8.4.0' -- rename: - field: message - target_field: event.original -- dissect: - description: Extract syslog words - field: event.original - pattern: "%{} %{_temp.ts_nano} %{observer.hostname} %{cisco_meraki.event_type} %{}" -- date: - field: _temp.ts_nano - formats: - - UNIX - timezone: '{{{_conf.tz_offset}}}' -- pipeline: - name: '{{ IngestPipeline "flows" }}' - if: ctx.cisco_meraki.event_type == 'flows' -- pipeline: - name: '{{ IngestPipeline "ipflows" }}' - if: ctx.cisco_meraki.event_type == 'ip_flow_start' || ctx.cisco_meraki.event_type == 'ip_flow_end' -- pipeline: - name: '{{ IngestPipeline "airmarshal" }}' - if: ctx.cisco_meraki.event_type == 'airmarshal_events' -- pipeline: - name: '{{ IngestPipeline "security" }}' - if: ctx.cisco_meraki.event_type == 'security_event' -- pipeline: - name: '{{ IngestPipeline "idsalerts" }}' - if: ctx.cisco_meraki.event_type == 'ids-alerts' -- pipeline: - name: '{{ IngestPipeline "events" }}' - if: ctx.cisco_meraki.event_type == 'events' -- pipeline: - name: '{{ IngestPipeline "urls" }}' - if: ctx.cisco_meraki.event_type == 'urls' -- append: - field: event.category - value: ["network"] -- append: - field: event.type - value: ["info"] -- script: - lang: painless - description: The script sets event type, action and category based on type and sub-type fields - tag: set-event-type-for-meraki-events - params: - eventmap: - "vpn_connectivity_change": - category: - - session - type: - - connection - action: vpn-connectivity-change - "dhcp_offer": - type: - - access - - allowed - action: dhcp-offer - "dhcp_no_offer": - type: - - access - - denied - action: dhcp-no-offer - "Site-to-Site VPN": - type: - - access - action: site-to-site-vpn - "client_vpn_connect": - category: - - session - type: - - access - - allowed - - start - action: site-to-site-vpn - "ip_session_initiated": - type: - - access - - start - 
action: ip-session-initiated - "flow_allowed": - type: - - connection - - start - action: layer3-firewall-allowed-flow - "flow_denied": - type: - - access - - denied - action: layer3-firewall-denied-flow - "http_access": - category: - - web - type: - - access - action: http-access - "http_access_error": - category: - - web - type: - - error - action: http-access-error - "ids_alerted": - category: - - threat - type: - - indicator - action: ids-signature-matched - "security_filtering_file_scanned": - category: - - threat - - malware - type: - - indicator - - info - action: malicious-file-actioned - "security_filtering_disposition_change": - category: - - threat - - malware - type: - - indicator - - info - action: issued-retrospective-malicious-disposition - "association": - type: - - access - - connection - action: wifi-association-request - "disassociation": - category: - - session - type: - - access - - end - action: wifi-disassociation-request - "wpa_auth": - category: - - authentication - type: - - start - - access - action: wifi-wpa-authentication - "wpa_deauth": - category: - - authentication - type: - - end - - denied - action: wifi-wpa-failed-auth-or-deauth - "8021x_eap_failure": - category: - - authentication - type: - - end - - denied - action: wifi-8021x-failed-authentication-attempt - "8021x_deauth": - category: - - authentication - type: - - end - - denied - action: wifi-8021x-failed-auth-or-deauth - "8021x_eap_success": - category: - - authentication - type: - - start - action: wifi-8021x-auth - "splash_auth": - category: - - authentication - type: - - start - action: splash-authentication - "device_packet_flood": - category: - - threat - type: - - indicator - action: wireless-packet-flood-detected - "rogue_ssid_detected": - category: - - threat - type: - - indicator - action: rogue-ssid-detected - "ssid_spoofing_detected": - category: - - threat - type: - - indicator - action: ssid-spoofing-detected - "multiple_dhcp_servers_detected": - type: - - 
protocol - "dfs_event": - action: dynamic-frequency-selection-detected - "aps_association_reject": - action: association-rejected-for-load-balancing - if: ctx?.cisco_meraki?.event_subtype != null - source: |- - def eventMap = params.get('eventmap'); - def eventData = eventMap.get(ctx.cisco_meraki.event_subtype); - if (eventData == null) { - ctx.event.action = ctx.cisco_meraki.event_subtype; - return; - } - def eventCategory = eventData.get('category'); - def eventType = eventData.get('type'); - def eventAction = eventData.get('action'); - if (eventType != null) { - for (def t : eventType) { - ctx.event.type.add(t); - } - } - if (eventCategory != null) { - for (def c : eventCategory) { - ctx.event.category.add(c); - } - } - if (eventAction != null) { - ctx.event.action = eventAction; - } - -# IP Geolocation Lookup (source) -- geoip: - field: source.ip - target_field: source.geo - ignore_missing: true - if: ctx.source?.geo == null && ctx?.source?.ip != null -# IP Autonomous System (AS) Lookup -- geoip: - database_file: GeoLite2-ASN.mmdb - field: source.ip - target_field: source.as - properties: - - asn - - organization_name - ignore_missing: true - if: ctx?.source?.ip != null -- rename: - field: source.as.asn - target_field: source.as.number - ignore_missing: true -- rename: - field: source.as.organization_name - target_field: source.as.organization.name - ignore_missing: true -# IP Geolocation Lookup (destination) -- geoip: - field: destination.ip - target_field: destination.geo - ignore_missing: true - if: ctx.destination?.geo == null && ctx?.destination?.ip != null -# IP Autonomous System (AS) Lookup -- geoip: - database_file: GeoLite2-ASN.mmdb - field: destination.ip - target_field: destination.as - properties: - - asn - - organization_name - ignore_missing: true - if: ctx?.destination?.ip != null -- rename: - field: destination.as.asn - target_field: destination.as.number - ignore_missing: true -- rename: - field: destination.as.organization_name - target_field: 
destination.as.organization.name - ignore_missing: true -# IP Geolocation Lookup (client) -- geoip: - field: client.ip - target_field: client.geo - ignore_missing: true - if: ctx.client?.geo == null && ctx?.client?.ip != null -# IP Autonomous System (AS) Lookup -- geoip: - database_file: GeoLite2-ASN.mmdb - field: client.ip - target_field: client.as - properties: - - asn - - organization_name - ignore_missing: true - if: ctx?.client?.ip != null -- rename: - field: client.as.asn - target_field: client.as.number - ignore_missing: true -- rename: - field: client.as.organization_name - target_field: client.as.organization.name - ignore_missing: true -## -# Clean up -## -- remove: - field: - - _temp - - _conf - - sport - - dport - - mac - - src - - dst - - translated_src_ip - - translated_dst_ip - - translated_port - - wired_mac - - rssi - - protocol - - dhost - - client_mac - - radio - - sts - - msgtype - - timestamp - ignore_missing: true -- script: - lang: painless - description: This script processor iterates over the whole document to remove fields with null values. - source: | - void handleMap(Map map) { - for (def x : map.values()) { - if (x instanceof Map) { - handleMap(x); - } else if (x instanceof List) { - handleList(x); - } - } - map.values().removeIf(v -> v == null || v == '' || (v instanceof Map && v.size() == 0) || (v instanceof List && v.size() == 0)); - } - void handleList(List list) { - for (def x : list) { - if (x instanceof Map) { - handleMap(x); - } else if (x instanceof List) { - handleList(x); - } - } - list.removeIf(v -> v == null || v == '' || (v instanceof Map && v.size() == 0) || (v instanceof List && v.size() == 0)); - } - handleMap(ctx); -- remove: - field: event.original - if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" - ignore_failure: true - ignore_missing: true -on_failure: -- set: - field: error.message - value: '{{ _ingest.on_failure_message }}' 
diff --git a/packages/cisco_meraki/1.2.0/data_stream/log/elasticsearch/ingest_pipeline/events.yml b/packages/cisco_meraki/1.2.0/data_stream/log/elasticsearch/ingest_pipeline/events.yml deleted file mode 100755 index 42ee924ac9..0000000000 --- a/packages/cisco_meraki/1.2.0/data_stream/log/elasticsearch/ingest_pipeline/events.yml +++ /dev/null 
@@ -1,206 +0,0 @@ ---- -description: Pipeline for Cisco Meraki events type -processors: -#################################################### -# set event_subtype based on type/format -#################################################### -- dissect: - description: Determine event type/format - field: event.original - pattern: "%{} events %{msgtype} %{}" -- set: - field: cisco_meraki.event_subtype - value: 'Site-to-Site VPN' - if: ctx?.msgtype.toLowerCase() == "site-to-site" -- set: - field: cisco_meraki.event_subtype - value: client_vpn_connect - if: ctx?.msgtype.toLowerCase() == "client_vpn_connect" -#################################################### -# log event with type= format -# these are dfs_event, association, disassocation, -# vpn_connectivity_change, wpa_auth, wpa_deauth -#################################################### -- dissect: - description: Get the event subtype - field: event.original - pattern: "%{} events type=%{type} %{}" - if: ctx?.msgtype.startsWith("type=") -- rename: - field: type - target_field: cisco_meraki.event_subtype - if: ctx?.type != null - -#################################################### -# Handle DHCP log events -#################################################### -- dissect: - field: event.original - pattern: "%{} events dhcp %{_temp.dhcp_op} %{_temp.dhcp_op2} %{}" - if: ctx?.msgtype.toLowerCase() == "dhcp" -- set: - field: network.protocol - value: dhcp - if: ctx?.msgtype.toLowerCase() == "dhcp" -- dissect: - field: event.original - pattern: "%{} events dhcp lease of ip %{_temp.client_ip} from %{} mac %{server.mac} for client mac %{client.mac} %{}" - if: ctx?.msgtype.toLowerCase() == "dhcp" && ctx?._temp?.dhcp_op.toLowerCase() == 'lease' -- dissect: - field: event.original - pattern: "%{} events dhcp no offers for mac %{client.mac} %{}" - if: ctx?.msgtype.toLowerCase() == "dhcp" && ctx?._temp?.dhcp_op.toLowerCase() == 'no' && ctx?._temp?.dhcp_op2.toLowerCase() == 'offers' -- set: - field: cisco_meraki.event_subtype - 
value: dhcp_offer - if: ctx?.msgtype.toLowerCase() == "dhcp" && ctx?._temp?.dhcp_op == 'lease' -- set: - field: cisco_meraki.event_subtype - value: dhcp_no_offer - if: ctx?.msgtype.toLowerCase() == "dhcp" && ctx?._temp?.dhcp_op.toLowerCase() == 'no' && ctx?._temp?.dhcp_op2.toLowerCase() == 'offers' -#################################################### -# Handle Site-to-Site VPN message -#################################################### -- grok: - description: Process Site-to-Site VPN messages - field: event.original - patterns: - - '%{SYSLOGHDR}%{SPACE}%{NUMBER}%{SPACE}%{WORDORHOST}%{SPACE}events%{SPACE}(?i)Site-to-Site VPN:%{GREEDYDATA:cisco_meraki.site_to_site_vpn.raw}' - pattern_definitions: - SYSLOGPRI: '<%{NONNEGINT:log.syslog.priority:long}>' - SYSLOGVER: '\b(?:\d{1,2})\b' - SYSLOGHDR: '%{SYSLOGPRI}%{SYSLOGVER}' - WORDORHOST: '(?:%{WORD}|%{HOSTNAME})' - if: ctx.event.original.startsWith('<') && ctx?.cisco_meraki?.event_subtype == "Site-to-Site VPN" - -#################################################### -# Handle dfs_event, wpa_auth, wpa_deauth, -# association or disassociation -#################################################### -- grok: - field: event.original - patterns: - - '%{SYSLOGHDR}%{SPACE}%{NUMBER}%{SPACE}%{WORDORHOST}%{SPACE}events%{SPACE}%{GREEDYDATA:_temp.rest}' - pattern_definitions: - SYSLOGPRI: '<%{NONNEGINT:log.syslog.priority:long}>' - SYSLOGVER: '\b(?:\d{1,2})\b' - SYSLOGHDR: '%{SYSLOGPRI}%{SYSLOGVER}' - WORDORHOST: '(?:%{WORD}|%{HOSTNAME})' - if: ctx.event.original.startsWith('<') && ['dfs_event', 'association', 'disassociation', 'aps_association_reject', 'multiple_dhcp_servers_detected', 'wpa_deauth', 'wpa_auth', 'vpn_connectivity_change', '8021x_eap_failure', '8021x_auth', '8021x_deauth', '8021x_eap_success', 'splash_auth', 'device_packet_flood'].contains(ctx.cisco_meraki.event_subtype) -- kv: - field: _temp.rest - field_split: "[ \t]{1,}" - value_split: "=" - target_field: cisco_meraki.{{{cisco_meraki.event_subtype}}} - 
strip_brackets: true - if: ctx?._temp?.rest != null && ['dfs_event', 'association', 'disassociation', 'aps_association_reject', 'multiple_dhcp_servers_detected', 'wpa_deauth', 'wpa_auth', '8021x_eap_failure', '8021x_auth', '8021x_deauth', '8021x_eap_success', 'splash_auth', 'device_packet_flood'].contains(ctx.cisco_meraki.event_subtype) -# special case for site-to-site vpn -- kv: - field: _temp.rest - field_split: "[ \t]{1,}" - value_split: "=" - target_field: cisco_meraki.site_to_site_vpn.connectivity_change - strip_brackets: true - if: ctx?._temp?.rest != null && ctx?.cisco_meraki?.event_subtype == 'vpn_connectivity_change' - -#################################################### -# Move values from event subtypes to ECS fields -# multiple_dhcp_servers_detected -#################################################### -- set: - field: network.protocol - value: dhcp - if: ctx?.cisco_meraki?.event_subtype == 'multiple_dhcp_servers_detected' -- rename: - field: cisco_meraki.multiple_dhcp_servers_detected.original_server_mac - target_field: server.mac - if: ctx?.cisco_meraki?.event_subtype == 'multiple_dhcp_servers_detected' -# process original_server_ip -- grok: - field: cisco_meraki.multiple_dhcp_servers_detected.original_server_ip - patterns: - - "^%{IPV4:cisco_meraki.multiple_dhcp_servers_detected.original_server_ip}$" - - "^%{IPV6:cisco_meraki.multiple_dhcp_servers_detected.original_server_ip}$" - if: ctx?.cisco_meraki?.event_subtype == 'multiple_dhcp_servers_detected' - ignore_failure: true -- convert: - type: ip - field: cisco_meraki.multiple_dhcp_servers_detected.original_server_ip - target_field: server.ip - if: ctx?.cisco_meraki?.event_subtype == 'multiple_dhcp_servers_detected' - ignore_failure: true -# cleanup only if the conversion was successful -- remove: - field: cisco_meraki.multiple_dhcp_servers_detected.original_server_ip - if: ctx?.server?.ip != null -- append: - field: related.ip - value: "{{{server.ip}}}" - if: ctx?.cisco_meraki?.event_subtype == 
'multiple_dhcp_servers_detected' -# process server_ip (the other dhcp server ip) -- grok: - field: cisco_meraki.multiple_dhcp_servers_detected.server_ip - patterns: - - "^%{IPV4:cisco_meraki.multiple_dhcp_servers_detected.server_ip}$" - - "^%{IPV6:cisco_meraki.multiple_dhcp_servers_detected.server_ip}$" - if: ctx?.cisco_meraki?.event_subtype == 'multiple_dhcp_servers_detected' -- convert: - type: ip - field: cisco_meraki.multiple_dhcp_servers_detected.server_ip - if: ctx?.cisco_meraki?.event_subtype == 'multiple_dhcp_servers_detected' -- append: - field: related.ip - value: "{{{cisco_meraki.multiple_dhcp_servers_detected.server_ip}}}" - if: ctx?.cisco_meraki?.event_subtype == 'multiple_dhcp_servers_detected' -#################################################### -# wpa_deauth -#################################################### -- rename: - field: cisco_meraki.wpa_deauth.client_mac - target_field: client.mac - if: ctx?.cisco_meraki?.event_subtype == 'wpa_deauth' - -#################################################### -# Handle client_vpn_connect -#################################################### -- dissect: - field: event.original - pattern: "%{} events client_vpn_connect user id '%{user.name}' local ip %{network.forwarded_ip} connected from %{_temp.client_ip}" - if: ctx?.cisco_meraki?.event_subtype == "client_vpn_connect" - -#################################################### -# parse dissected IP values and convert to IP type -# common case for DHCP lease and client_vpn_connect -#################################################### -- grok: - field: _temp.client_ip - patterns: - - "^%{IPV4:_temp.client_ip}$" - - "^%{IPV6:_temp.client_ip}$" - if: ctx?._temp?.client_ip != null - ignore_failure: true -- convert: - type: ip - field: _temp.client_ip - target_field: client.ip - if: ctx?._temp?.client_ip != null - ignore_failure: true - -# Make MAC addresses conform to ECS spec. 
-- gsub: - field: client.mac - pattern: '[:.]' - replacement: '-' - ignore_missing: true -- uppercase: - field: client.mac - ignore_missing: true -- gsub: - field: server.mac - pattern: '[:.]' - replacement: '-' - ignore_missing: true -- uppercase: - field: server.mac - ignore_missing: true - diff --git a/packages/cisco_meraki/1.2.0/data_stream/log/elasticsearch/ingest_pipeline/flows.yml b/packages/cisco_meraki/1.2.0/data_stream/log/elasticsearch/ingest_pipeline/flows.yml deleted file mode 100755 index 7f47b9f6cc..0000000000 --- a/packages/cisco_meraki/1.2.0/data_stream/log/elasticsearch/ingest_pipeline/flows.yml +++ /dev/null 
@@ -1,72 +0,0 @@ ---- -description: Pipeline for Cisco Meraki flows message type -processors: -- dissect: - description: Determine if the token is src= or operation - field: event.original - pattern: "%{} %{} %{} %{} %{_temp.token} %{}" -- dissect: - description: Case for src= follows flows keyword - field: event.original - pattern: "%{} flows %{*src}=%{&src} %{*dst}=%{&dst} %{*prot}=%{&prot} %{*sport}=%{&sport} %{*dport}=%{&dport} %{}" - if: ctx._temp.token.startsWith("src=") == true -- dissect: - description: Case for firewall action prepends src= - field: event.original - pattern: "%{} flows %{cisco_meraki.flows.op} %{*src}=%{&src} %{*dst}=%{&dst} %{*mac}=%{&mac} %{*prot}=%{&prot} %{*sport}=%{&sport} %{*dport}=%{&dport}" - if: ctx._temp.token.startsWith("src=") == false -- grok: - field: src - patterns: - - "^%{IPV4:src}$" - - "^%{IPV6:src}$" - if: ctx?.src != null -- convert: - type: ip - field: src - target_field: source.ip - ignore_failure: true -- grok: - field: dst - patterns: - - "^%{IPV4:dst}$" - - "^%{IPV6:dst}$" - if: ctx?.dst != null -- convert: - type: ip - field: dst - target_field: destination.ip - ignore_failure: true -- rename: - field: protocol - target_field: network.protocol -- convert: - field: sport - target_field: source.port - type: long - if: ctx?.sport != "0" - ignore_failure: true -- convert: - field: dport - target_field: destination.port - type: long - if: ctx?.dport != "0" - ignore_failure: true -- gsub: - field: mac - target_field: source.mac - pattern: '[-:.]' - replacement: '-' - if: ctx._temp.token.startsWith("src=") == false -- set: - field: cisco_meraki.event_subtype - value: "ip_session_initiated" - if: ctx._temp.token.startsWith("src=") == true -- set: - field: cisco_meraki.event_subtype - value: "flow_allowed" - if: ctx._temp.token.startsWith("src=") == false && ctx?.cisco_meraki?.flows?.op == 'allow' -- set: - field: cisco_meraki.event_subtype - value: "flow_denied" - if: ctx._temp.token.startsWith("src=") == false && 
ctx?.cisco_meraki?.flows?.op == 'deny' diff --git a/packages/cisco_meraki/1.2.0/data_stream/log/elasticsearch/ingest_pipeline/idsalerts.yml b/packages/cisco_meraki/1.2.0/data_stream/log/elasticsearch/ingest_pipeline/idsalerts.yml deleted file mode 100755 index a1684a5e30..0000000000 --- a/packages/cisco_meraki/1.2.0/data_stream/log/elasticsearch/ingest_pipeline/idsalerts.yml +++ /dev/null @@ -1,48 +0,0 @@ ---- -description: Pipeline for Cisco Meraki ids-alerts type -processors: -- dissect: - description: Determine the ids-alerts security event type - field: event.original - pattern: "%{} ids-alerts %{*sig}=%{&sig} %{*pri}=%{&pri} %{*ts}=%{&ts} %{*dir}=%{&dir} %{*prot}=%{&prot} %{*src}=%{&src}" -- set: - field: cisco_meraki.event_subtype - value: ids_alerted -- rename: - field: priority - target_field: cisco_meraki.security.priority -- rename: - field: signature - target_field: cisco_meraki.security.signature -- date: - field: timestamp - target_field: threat.indicator.last_seen - formats: ['UNIX'] -- rename: - field: direction - target_field: network.direction -- lowercase: - field: protocol - target_field: network.protocol -- grok: - field: src - patterns: - - "^%{IPV4:_temp.src_ip}:%{PORT:sport}$" - - "^\\[%{IPV6:_temp.src_ip}\\]:%{PORT:sport}$" - - "^%{IPV6NOCOMPRESS:_temp.src_ip}:%{PORT:sport}$" - - "^%{IPV6:_temp.src_ip}%{IPV6PORTSEP}%{PORT:sport}$" - pattern_definitions: - IPV6NOCOMPRESS: '([0-9A-Fa-f]{1,4}:){7}[0-9A-Fa-f]{1,4}' - IPV6PORTSEP: '(?: port |[p#.])' - PORT: '[0-9]+' - if: ctx?.src != null -- convert: - type: ip - field: _temp.src_ip - target_field: source.ip - ignore_failure: true -- convert: - field: sport - target_field: source.port - type: long - ignore_failure: true diff --git a/packages/cisco_meraki/1.2.0/data_stream/log/elasticsearch/ingest_pipeline/ipflows.yml b/packages/cisco_meraki/1.2.0/data_stream/log/elasticsearch/ingest_pipeline/ipflows.yml deleted file mode 100755 index eb6667d991..0000000000 
--- a/packages/cisco_meraki/1.2.0/data_stream/log/elasticsearch/ingest_pipeline/ipflows.yml +++ /dev/null 
@@ -1,62 +0,0 @@ ---- -description: Pipeline for Cisco Meraki ip_flow_start and ip_flow_end message type -processors: -- dissect: - description: Determine if the token is src= or operation - field: event.original - pattern: "%{} %{} %{} %{_temp.event_type} %{_temp.token} %{}" -- dissect: - description: Case for src= follows ip_flow_start - field: event.original - pattern: "%{} ip_flow_start %{*src}=%{&src} %{*dst}=%{&dst} %{*prot}=%{&prot} %{*sport}=%{&sport} %{*dport}=%{&dport} %{*tsi}=%{&tsi} %{*tp}=%{&tp}" - if: ctx._temp.event_type == 'ip_flow_start' && ctx._temp.token.startsWith("src=") == true -- dissect: - description: Case for src= follows ip_flow_end - field: event.original - pattern: "%{} ip_flow_end %{*src}=%{&src} %{*dst}=%{&dst} %{*prot}=%{&prot} %{*sport}=%{&sport} %{*dport}=%{&dport} %{*tsi_or_tdi}=%{&tsi_or_tdi} %{*tp}=%{&tp}" - if: ctx._temp.event_type == 'ip_flow_end' && ctx._temp.token.startsWith("src=") == true -# source field IP:port handling -- convert: - type: ip - field: translated_src_ip - target_field: source.ip - if: ctx?.translated_src_ip != null -- convert: - type: ip - field: src - target_field: source.ip - if: ctx?.translated_src_ip == null && ctx?.src != null -- convert: - field: translated_port - target_field: source.port - type: long - if: ctx?.translated_src_ip != null && ctx?.translated_port != null -- convert: - field: sport - target_field: source.port - type: long - if: ctx?.translated_src_ip == null && ctx?.sport != null -# destination field IP:port handling -- convert: - type: ip - field: translated_dst_ip - target_field: destination.ip - if: ctx?.translated_dst_ip != null -- convert: - type: ip - field: dst - target_field: destination.ip - if: ctx?.translated_dst_ip == null && ctx?.dst != null -- convert: - field: translated_port - target_field: destination.port - type: long - if: ctx?.translated_dst_ip != null && ctx?.translated_port != null -- convert: - field: dport - target_field: destination.port - type: long - if: 
ctx?.translated_dst_ip == null && ctx?.dport != null -- rename: - field: protocol - target_field: network.protocol diff --git a/packages/cisco_meraki/1.2.0/data_stream/log/elasticsearch/ingest_pipeline/security.yml b/packages/cisco_meraki/1.2.0/data_stream/log/elasticsearch/ingest_pipeline/security.yml deleted file mode 100755 index 6ddd6e2f37..0000000000 --- a/packages/cisco_meraki/1.2.0/data_stream/log/elasticsearch/ingest_pipeline/security.yml +++ /dev/null 
@@ -1,151 +0,0 @@ ---- -description: Pipeline for Cisco Meraki security_event type -processors: -- dissect: - description: Determine the security event type - field: event.original - pattern: "%{} security_event %{type} %{}" -- rename: - field: type - target_field: cisco_meraki.event_subtype - -# scan event based on event type -- dissect: - field: event.original - pattern: "%{} ids_alerted %{*sig}=%{&sig} %{*pri}=%{&pri} %{*ts}=%{&ts} %{*dhost}=%{&dhost} %{*dir}=%{&dir} %{*prot}=%{&prot} %{*src}=%{&src} %{*dst}=%{&dst} %{}" - if: ctx?.cisco_meraki?.event_subtype == 'ids_alerted' -- dissect: - field: event.original - pattern: "%{} security_filtering_file_scanned %{*url}=%{&url} %{*src}=%{&src} %{*dst}=%{&dst} %{*mac}=%{&mac} %{*name}='%{&name}' %{*sha256}=%{&sha256} %{*disp}=%{&disp} %{*action}=%{&action}" - if: ctx?.cisco_meraki?.event_subtype == 'security_filtering_file_scanned' -- dissect: - field: event.original - pattern: "%{} security_filtering_disposition_change %{*name}=%{&name} %{*sha256}=%{&sha256} %{*disp}=%{&disp} %{*action}=%{&action}" - if: ctx?.cisco_meraki?.event_subtype == 'security_filtering_disposition_change' - -# handle fields of ids_alerted type -- rename: - field: priority - target_field: cisco_meraki.security.priority - if: ctx?.cisco_meraki?.event_subtype == 'ids_alerted' -- rename: - field: signature - target_field: cisco_meraki.security.signature - if: ctx?.cisco_meraki?.event_subtype == 'ids_alerted' -- date: - field: timestamp - target_field: threat.indicator.last_seen - formats: ['UNIX'] - if: ctx?.cisco_meraki?.event_subtype == 'ids_alerted' -- gsub: - field: dhost - target_field: cisco_meraki.security.dhost - pattern: '[-:.]' - replacement: '-' - if: ctx?.cisco_meraki?.event_subtype == 'ids_alerted' -- rename: - field: direction - target_field: network.direction - if: ctx?.cisco_meraki?.event_subtype == 'ids_alerted' -- lowercase: - field: protocol - target_field: network.protocol - if: ctx?.cisco_meraki?.event_subtype == 
'ids_alerted' -# Process the remaining after dst=. It can have "decision= message: *" or just "message: *" -- dissect: - field: event.original - pattern: "%{} dst=%{?ignore} %{*decision}=%{&decision} %{*message}:%{&message}" - if: ctx?.cisco_meraki?.event_subtype == 'ids_alerted' - ignore_failure: true -- dissect: - field: event.original - pattern: "%{} dst=%{?ignore} %{*message}:%{&message}" - if: ctx?.decision == null && ctx?.cisco_meraki?.event_subtype == 'ids_alerted' -- rename: - field: message - target_field: threat.indicator.description - ignore_missing: true - if: ctx?.cisco_meraki?.event_subtype == 'ids_alerted' -- rename: - field: decision - target_field: cisco_meraki.security.decision - ignore_missing: true - if: ctx?.cisco_meraki?.event_subtype == 'ids_alerted' - -# handle fields of security_filtering_file_scanned or security_filtering_disposition_change type -- rename: - field: url - target_field: threat.indicator.reference - if: ctx?.cisco_meraki?.event_subtype == 'security_filtering_file_scanned' -- gsub: - field: mac - target_field: cisco_meraki.security.mac - pattern: '[-:.]' - replacement: '-' - if: ctx?.cisco_meraki?.event_subtype == 'security_filtering_file_scanned' -- rename: - field: name - target_field: threat.indicator.file.name - if: ctx?.cisco_meraki?.event_subtype == 'security_filtering_file_scanned' || ctx?.cisco_meraki?.event_subtype == 'security_filtering_disposition_change' -- rename: - field: sha256 - target_field: threat.indicator.file.hash.sha256 - if: ctx?.cisco_meraki?.event_subtype == 'security_filtering_file_scanned' || ctx?.cisco_meraki?.event_subtype == 'security_filtering_disposition_change' -- rename: - field: disposition - target_field: cisco_meraki.disposition - ignore_missing: true -- rename: - field: action - target_field: cisco_meraki.security.action - if: ctx?.cisco_meraki?.event_subtype == 'security_filtering_file_scanned' || ctx?.cisco_meraki?.event_subtype == 'security_filtering_disposition_change' -# fields common 
to more than one event type -# src processing -- grok: - field: src - patterns: - - "^%{IPV4:_temp.src_ip}:%{PORT:sport}$" - - "^\\[%{IPV6:_temp.src_ip}\\]:%{PORT:sport}$" - - "^%{IPV6NOCOMPRESS:_temp.src_ip}:%{PORT:sport}$" - - "^%{IPV6:_temp.src_ip}%{IPV6PORTSEP}%{PORT:sport}$" - pattern_definitions: - IPV6NOCOMPRESS: '([0-9A-Fa-f]{1,4}:){7}[0-9A-Fa-f]{1,4}' - IPV6PORTSEP: '(?: port |[p#.])' - PORT: '[0-9]+' - if: ctx?.cisco_meraki?.event_subtype != 'security_filtering_disposition_change' && ctx?.src != null -- convert: - type: ip - field: _temp.src_ip - target_field: source.ip - if: ctx?.cisco_meraki?.event_subtype != 'security_filtering_disposition_change' -- convert: - field: sport - target_field: source.port - type: long - if: ctx?.sport != "0" && ctx?.cisco_meraki?.event_subtype != 'security_filtering_disposition_change' - ignore_failure: true -# dst processing -- grok: - field: dst - patterns: - - "^%{IPV4:_temp.dst_ip}:%{PORT:dport}$" - - "^\\[%{IPV6:_temp.dst_ip}\\]:%{PORT:dport}$" - - "^%{IPV6NOCOMPRESS:_temp.dst_ip}:%{PORT:dport}$" - - "^%{IPV6:_temp.dst_ip}%{IPV6PORTSEP}%{PORT:dport}$" - pattern_definitions: - IPV6NOCOMPRESS: '([0-9A-Fa-f]{1,4}:){7}[0-9A-Fa-f]{1,4}' - IPV6PORTSEP: '(?: port |[p#.])' - PORT: '[0-9]+' - if: ctx?.cisco_meraki?.event_subtype != 'security_filtering_disposition_change' && ctx?.dst != null -- convert: - type: ip - field: _temp.dst_ip - target_field: destination.ip - ignore_failure: true - if: ctx?.cisco_meraki?.event_subtype != 'security_filtering_disposition_change' -- convert: - field: dport - target_field: destination.port - type: long - if: ctx?.dport != "0" && ctx?.cisco_meraki?.event_subtype != 'security_filtering_disposition_change' - ignore_failure: true diff --git a/packages/cisco_meraki/1.2.0/data_stream/log/elasticsearch/ingest_pipeline/urls.yml b/packages/cisco_meraki/1.2.0/data_stream/log/elasticsearch/ingest_pipeline/urls.yml deleted file mode 100755 index 68bcddb288..0000000000 
--- a/packages/cisco_meraki/1.2.0/data_stream/log/elasticsearch/ingest_pipeline/urls.yml +++ /dev/null @@ -1,64 +0,0 @@ ---- -description: Pipeline for Cisco Meraki urls type -processors: -- dissect: - description: Determine the security event type - field: event.original - pattern: "%{} urls %{*src}=%{&src} %{*dst}=%{&dst} %{*mac}=%{&mac} request: %{http.request.method} %{url.original}" -# src processing -- grok: - field: src - patterns: - - "^%{IPV4:_temp.src_ip}:%{PORT:sport}$" - - "^\\[%{IPV6:_temp.src_ip}\\]:%{PORT:sport}$" - - "^%{IPV6NOCOMPRESS:_temp.src_ip}:%{PORT:sport}$" - - "^%{IPV6:_temp.src_ip}%{IPV6PORTSEP}%{PORT:sport}$" - pattern_definitions: - IPV6NOCOMPRESS: '([0-9A-Fa-f]{1,4}:){7}[0-9A-Fa-f]{1,4}' - IPV6PORTSEP: '(?: port |[p#.])' - PORT: '[0-9]+' -- convert: - type: ip - field: _temp.src_ip - target_field: source.ip -- convert: - type: long - field: sport - target_field: source.port - ignore_failure: true -# dst processing -- grok: - field: dst - patterns: - - "^%{IPV4:_temp.dst_ip}:%{PORT:dport}$" - - "^\\[%{IPV6:_temp.dst_ip}\\]:%{PORT:dport}$" - - "^%{IPV6NOCOMPRESS:_temp.dst_ip}:%{PORT:dport}$" - - "^%{IPV6:_temp.dst_ip}%{IPV6PORTSEP}%{PORT:dport}$" - pattern_definitions: - IPV6NOCOMPRESS: '([0-9A-Fa-f]{1,4}:){7}[0-9A-Fa-f]{1,4}' - IPV6PORTSEP: '(?: port |[p#.])' - PORT: '[0-9]+' -- convert: - type: ip - field: _temp.dst_ip - target_field: destination.ip - ignore_failure: true -- convert: - type: long - field: dport - target_field: destination.port - if: ctx?.dport != "0" && ctx?.cisco_meraki?.event_subtype != 'security_filtering_disposition_change' - ignore_failure: true -- gsub: - field: mac - target_field: cisco_meraki.urls.mac - pattern: '[-:.]' - replacement: '-' -- set: - field: cisco_meraki.event_subtype - value: 'http_access' - if: ctx?.http?.request?.method.toLowerCase() != 'unknown' -- set: - field: cisco_meraki.event_subtype - value: 'http_access_error' - if: ctx?.http?.request?.method.toLowerCase() == 'unknown' 
diff --git a/packages/cisco_meraki/1.2.0/data_stream/log/fields/agent.yml b/packages/cisco_meraki/1.2.0/data_stream/log/fields/agent.yml deleted file mode 100755 index 162c9f3aa3..0000000000 --- a/packages/cisco_meraki/1.2.0/data_stream/log/fields/agent.yml +++ /dev/null 
@@ -1,207 +0,0 @@
-- name: cloud
- title: Cloud
- group: 2
- description: Fields related to the cloud or infrastructure the events are coming from.
- footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.'
- type: group
- fields:
- - name: account.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment.
-
- Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.'
- example: 666777888999
- - name: availability_zone
- level: extended
- type: keyword
- ignore_above: 1024
- description: Availability zone in which this host is running.
- example: us-east-1c
- - name: instance.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance ID of the host machine.
- example: i-1234567890abcdef0
- - name: instance.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance name of the host machine.
- - name: machine.type
- level: extended
- type: keyword
- ignore_above: 1024
- description: Machine type of the host machine.
- example: t2.medium
- - name: provider
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
- example: aws
- - name: region
- level: extended
- type: keyword
- ignore_above: 1024
- description: Region in which this host is running.
- example: us-east-1
- - name: project.id
- type: keyword
- description: Name of the project in Google Cloud.
- - name: image.id
- type: keyword
- description: Image ID for the cloud instance.
-- name: container
- title: Container
- group: 2
- description: 'Container fields are used for meta information about the specific container that is the source of information.
-
- These fields help correlate data based containers from any runtime.'
- type: group
- fields:
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: Unique container id.
- - name: image.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the image the container was built on.
- - name: labels
- level: extended
- type: object
- object_type: keyword
- description: Image labels.
- - name: name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Container name.
-- name: host
- title: Host
- group: 2
- description: 'A host is defined as a general computing instance.
-
- ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.'
- type: group
- fields:
- - name: architecture
- level: core
- type: keyword
- ignore_above: 1024
- description: Operating system architecture.
- example: x86_64
- - name: domain
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'Name of the domain of which the host is a member.
-
- For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.'
- example: CONTOSO
- default_field: false
- - name: hostname
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Hostname of the host.
-
- It normally contains what the `hostname` command returns on the host machine.'
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Unique host id.
-
- As hostname is not always unique, use values that are meaningful in your environment.
-
- Example: The current usage of `beat.name`.'
- - name: ip
- level: core
- type: ip
- description: Host ip addresses.
- - name: mac
- level: core
- type: keyword
- ignore_above: 1024
- description: Host mac addresses.
- - name: name
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Name of the host.
-
- It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.'
- - name: os.family
- level: extended
- type: keyword
- ignore_above: 1024
- description: OS family (such as redhat, debian, freebsd, windows).
- example: debian
- - name: os.kernel
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system kernel version as a raw string.
- example: 4.4.0-112-generic
- - name: os.name
- level: extended
- type: keyword
- ignore_above: 1024
- multi_fields:
- - name: text
- type: text
- norms: false
- default_field: false
- description: Operating system name, without the version.
- example: Mac OS X
- - name: os.platform
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system platform (such centos, ubuntu, windows).
- example: darwin
- - name: os.version
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system version as a raw string.
- example: 10.14.1
- - name: type
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Type of host.
-
- For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.'
- - name: containerized
- type: boolean
- description: >
- If the host is a container.
-
- - name: os.build
- type: keyword
- example: "18D109"
- description: >
- OS build information.
-
- - name: os.codename
- type: keyword
- example: "stretch"
- description: >
- OS codename, if any.
-
-- name: input.type
- type: keyword
- description: Input type.
-- name: log.source.address
- type: keyword
- description: Source address from which the log event was read / sent from.
-- name: log.offset
- type: long
- description: Offset of the entry in the log file.
diff --git a/packages/cisco_meraki/1.2.0/data_stream/log/fields/base-fields.yml b/packages/cisco_meraki/1.2.0/data_stream/log/fields/base-fields.yml
deleted file mode 100755
index 7691cacc73..0000000000
--- a/packages/cisco_meraki/1.2.0/data_stream/log/fields/base-fields.yml
+++ /dev/null
@@ -1,27 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: "@timestamp"
- type: date
- description: Event timestamp.
-- name: event.module
- type: constant_keyword
- description: Event module
- value: cisco_meraki
-- name: event.dataset
- type: constant_keyword
- description: Event dataset
- value: cisco_meraki.log
-- name: container.id
- description: Unique container id.
- ignore_above: 1024
- type: keyword
-- name: input.type
- description: Type of Filebeat input.
- type: keyword
diff --git a/packages/cisco_meraki/1.2.0/data_stream/log/fields/ecs.yml b/packages/cisco_meraki/1.2.0/data_stream/log/fields/ecs.yml
deleted file mode 100755
index f8293ea2df..0000000000
--- a/packages/cisco_meraki/1.2.0/data_stream/log/fields/ecs.yml
+++ /dev/null
@@ -1,674 +0,0 @@ -- description: |- - Date/time when the event originated. - This is the date/time extracted from the event, typically representing when the event was generated by the source. - If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. - Required field for all events. - name: '@timestamp' - type: date -- description: IP address of the client (IPv4 or IPv6). - name: client.ip - type: ip -- description: |- - MAC address of the client. - The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. - name: client.mac - type: keyword -- description: |- - The domain name of the client system. - This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. - name: client.domain - type: keyword -- description: |- - The highest registered client domain, stripped of the subdomain. - For example, the registered domain for "foo.example.com" is "example.com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". - name: client.registered_domain - type: keyword -- description: |- - The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. - For example the subdomain portion of "www.east.mydomain.co.uk" is "east". 
If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. - name: client.subdomain - type: keyword -- description: |- - The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". - name: client.top_level_domain - type: keyword -- description: |- - Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: destination.address - type: keyword -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: destination.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: destination.as.organization.name - type: keyword -- description: Bytes sent from the destination to the source. - name: destination.bytes - type: long -- description: |- - The domain name of the destination system. - This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. - name: destination.domain - type: keyword -- description: City name. - name: destination.geo.city_name - type: keyword -- description: Country name. - name: destination.geo.country_name - type: keyword -- description: Longitude and latitude. 
- name: destination.geo.location - type: geo_point -- description: IP address of the destination (IPv4 or IPv6). - name: destination.ip - type: ip -- description: |- - MAC address of the destination. - The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. - name: destination.mac - pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ - type: keyword -- description: |- - Translated ip of destination based NAT sessions (e.g. internet to private DMZ) - Typically used with load balancers, firewalls, or routers. - name: destination.nat.ip - type: ip -- description: |- - Port the source session is translated to by NAT Device. - Typically used with load balancers, firewalls, or routers. - name: destination.nat.port - type: long -- description: Port of the destination. - name: destination.port - type: long -- description: |- - The highest registered destination domain, stripped of the subdomain. - For example, the registered domain for "foo.example.com" is "example.com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". - name: destination.registered_domain - type: keyword -- description: |- - The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. - For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. 
- name: destination.subdomain - type: keyword -- description: |- - The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". - name: destination.top_level_domain - type: keyword -- description: |- - The domain name to which this resource record pertains. - If a chain of CNAME is being resolved, each answer's `name` should be the one that corresponds with the answer's `data`. It should not simply be the original `question.name` repeated. - name: dns.answers.name - type: keyword -- description: The type of data contained in this resource record. - name: dns.answers.type - type: keyword -- description: |- - The highest registered domain, stripped of the subdomain. - For example, the registered domain for "foo.example.com" is "example.com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". - name: dns.question.registered_domain - type: keyword -- description: |- - The subdomain is all of the labels under the registered_domain. - If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. - name: dns.question.subdomain - type: keyword -- description: |- - The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). 
Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". - name: dns.question.top_level_domain - type: keyword -- description: The type of record being queried. - name: dns.question.type - type: keyword -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: Error message. - name: error.message - type: match_only_text -- description: |- - The action captured by the event. - This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. - name: event.action - type: keyword -- description: |- - Identification code for this event, if one exists. - Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. - name: event.code - type: keyword -- description: |- - Timestamp when an event arrived in the central data store. - This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. - In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. - name: event.ingested - type: date -- description: |- - Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. - This field is not indexed and doc_values are disabled. 
It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. - doc_values: false - index: false - name: event.original - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. - `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. - Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. - Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. - Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. - name: event.outcome - type: keyword -- description: |- - This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. - Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). - name: event.timezone - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. 
This will allow proper categorization of some events that fall in multiple categories. - name: event.category - normalize: - - array - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. - `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. This will allow proper categorization of some events that fall in multiple event types. - name: event.type - normalize: - - array - type: keyword -- description: |- - Array of file attributes. - Attributes names will vary by platform. Here's a non-exhaustive list of values that are expected in this field: archive, compressed, directory, encrypted, execute, hidden, read, readonly, system, write. - name: file.attributes - normalize: - - array - type: keyword -- description: Directory where the file is located. It should include the drive letter, when appropriate. - name: file.directory - type: keyword -- description: |- - File extension, excluding the leading dot. - Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). - name: file.extension - type: keyword -- description: Name of the file including the extension, without the directory. - name: file.name - type: keyword -- description: Full path to the file, including the file name. It should include the drive letter, when appropriate. - multi_fields: - - name: text - type: match_only_text - name: file.path - type: keyword -- description: |- - File size in bytes. - Only relevant when `file.type` is "file". - name: file.size - type: long -- description: File type (file, dir, or symlink). - name: file.type - type: keyword -- description: City name. - name: geo.city_name - type: keyword -- description: Country name. 
- name: geo.country_name - type: keyword -- description: |- - User-defined description of a location, at the level of granularity they care about. - Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. - Not typically used in automated geolocation. - name: geo.name - type: keyword -- description: Region name. - name: geo.region_name - type: keyword -- description: Unique identifier for the group on the system/platform. - name: group.id - type: keyword -- description: Name of the group. - name: group.name - type: keyword -- description: |- - Hostname of the host. - It normally contains what the `hostname` command returns on the host machine. - name: host.hostname - type: keyword -- description: Host ip addresses. - name: host.ip - normalize: - - array - type: ip -- description: |- - Host MAC addresses. - The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. - name: host.mac - normalize: - - array - pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ - type: keyword -- description: |- - Name of the host. - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. - name: host.name - type: keyword -- description: |- - HTTP request method. - The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field. - name: http.request.method - type: keyword -- description: Referrer for this HTTP request. - name: http.request.referrer - type: keyword -- description: |- - Original log level of the log event. - If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. 
If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). - Some examples are `warn`, `err`, `i`, `informational`. - name: log.level - type: keyword -- description: |- - The Syslog numeric facility of the log event, if available. - According to RFCs 5424 and 3164, this value should be an integer between 0 and 23. - name: log.syslog.facility.code - type: long -- description: |- - Syslog numeric priority of the event, if available. - According to RFCs 5424 and 3164, the priority is 8 * facility + severity. This number is therefore expected to contain a value between 0 and 191. - name: log.syslog.priority - type: long -- description: |- - The Syslog numeric severity of the log event, if available. - If the event source publishing via Syslog provides a different numeric severity value (e.g. firewall, IDS), your source's numeric severity should go to `event.severity`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `event.severity`. - name: log.syslog.severity.code - type: long -- description: |- - Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. - If the event wasn't read from a log file, do not populate this field. - name: log.file.path - type: keyword -- description: List of keywords used to tag each event. - name: tags - normalize: - - array - type: keyword -- description: |- - For log events the message field contains the log message, optimized for viewing in a log viewer. - For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. - If multiple messages exist, they can be combined into one message. 
- name: message - type: match_only_text -- description: |- - When a specific application or service is identified from network connection details (source/dest IPs, ports, certificates, or wire format), this field captures the application's or service's name. - For example, the original event identifies the network connection being from a specific web service in a `https` network connection, like `facebook` or `twitter`. - The field value must be normalized to lowercase for querying. - name: network.application - type: keyword -- description: |- - Total bytes transferred in both directions. - If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. - name: network.bytes - type: long -- description: |- - Direction of the network traffic. - When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". - When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". - Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. - name: network.direction - type: keyword -- description: Host IP address when the source IP address is the proxy. - name: network.forwarded_ip - type: ip -- description: Name given by operators to sections of their network. - name: network.name - type: keyword -- description: |- - Total packets transferred in both directions. - If `source.packets` and `destination.packets` are known, `network.packets` is their sum. - name: network.packets - type: long -- description: |- - In the OSI Model this would be the Application Layer protocol. 
For example, `http`, `dns`, or `ssh`. - The field value must be normalized to lowercase for querying. - name: network.protocol - type: keyword -- description: Interface name as reported by the system. - name: observer.egress.interface.name - type: keyword -- description: Interface name as reported by the system. - name: observer.ingress.interface.name - type: keyword -- description: The product name of the observer. - name: observer.product - type: keyword -- description: |- - The type of the observer the data is coming from. - There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. - name: observer.type - type: keyword -- description: Vendor name of the observer. - name: observer.vendor - type: keyword -- description: Observer version. - name: observer.version - type: keyword -- description: |- - MAC addresses of the observer. - The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. - name: observer.mac - normalize: - - array - pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ - type: keyword -- description: |- - Process name. - Sometimes called program name or similar. - multi_fields: - - name: text - type: match_only_text - name: process.name - type: keyword -- description: |- - Process name. - Sometimes called program name or similar. - multi_fields: - - name: text - type: match_only_text - name: process.parent.name - type: keyword -- description: |- - Process title. - The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. - multi_fields: - - name: text - type: match_only_text - name: process.parent.title - type: keyword -- description: Process id. - name: process.pid - type: long -- description: Process id. 
- name: process.parent.pid - type: long -- description: |- - Process title. - The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. - multi_fields: - - name: text - type: match_only_text - name: process.title - type: keyword -- description: All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. - name: related.hosts - normalize: - - array - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - normalize: - - array - type: ip -- description: All the user names or other user identifiers seen on the event. - name: related.user - normalize: - - array - type: keyword -- description: The name of the rule or signature generating the event. - name: rule.name - type: keyword -- description: |- - MAC address of the server. - The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. - name: server.mac - pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ - type: keyword -- description: IP address of the server (IPv4 or IPv6). - name: server.ip - type: ip -- description: |- - The domain name of the server system. - This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. - name: server.domain - type: keyword -- description: |- - The highest registered server domain, stripped of the subdomain. - For example, the registered domain for "foo.example.com" is "example.com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". 
- name: server.registered_domain - type: keyword -- description: |- - The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. - For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. - name: server.subdomain - type: keyword -- description: |- - The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". - name: server.top_level_domain - type: keyword -- description: |- - Name of the service data is collected from. - The name of the service is normally user given. This allows for distributed services that run on multiple hosts to correlate the related instances based on the name. - In the case of Elasticsearch the `service.name` could contain the cluster name. For Beats the `service.name` is by default a copy of the `service.type` field if no name is specified. - name: service.name - type: keyword -- description: |- - Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: source.address - type: keyword -- description: Unique number allocated to the autonomous system. 
The autonomous system number (ASN) uniquely identifies each network on the Internet.
- name: source.as.number
- type: long
-- description: Organization name.
- multi_fields:
- - name: text
- type: match_only_text
- name: source.as.organization.name
- type: keyword
-- description: Bytes sent from the source to the destination.
- name: source.bytes
- type: long
-- description: |-
- The domain name of the source system.
- This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment.
- name: source.domain
- type: keyword
-- description: City name.
- name: source.geo.city_name
- type: keyword
-- description: Country name.
- name: source.geo.country_name
- type: keyword
-- description: Longitude and latitude.
- name: source.geo.location
- type: geo_point
-- description: IP address of the source (IPv4 or IPv6).
- name: source.ip
- type: ip
-- description: |-
- MAC address of the source.
- The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen.
- name: source.mac
- pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$
- type: keyword
-- description: |-
- Translated ip of source based NAT sessions (e.g. internal client to internet)
- Typically connections traversing load balancers, firewalls, or routers.
- name: source.nat.ip
- type: ip
-- description: |-
- Translated port of source based NAT sessions. (e.g. internal client to internet)
- Typically used with load balancers, firewalls, or routers.
- name: source.nat.port
- type: long
-- description: Port of the source.
- name: source.port
- type: long
-- description: |-
- The highest registered source domain, stripped of the subdomain.
- For example, the registered domain for "foo.example.com" is "example.com".
- This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk".
- name: source.registered_domain
- type: keyword
-- description: |-
- The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain.
- For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period.
- name: source.subdomain
- type: keyword
-- description: |-
- The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com".
- This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk".
- name: source.top_level_domain
- type: keyword
-- description: |-
- Domain of the url, such as "www.elastic.co".
- In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field.
- If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field.
- name: url.domain
- type: keyword
-- description: |-
- Unmodified original url as seen in the event source.
- Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path.
- This field is meant to represent the URL as it was observed, complete or not.
- multi_fields:
- - name: text
- type: match_only_text
- name: url.original
- type: wildcard
-- description: Path of the request, such as "/search".
- name: url.path
- type: wildcard
-- description: |-
- The query field describes the query string of the request, such as "q=elasticsearch".
- The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases.
- name: url.query
- type: keyword
-- description: |-
- The highest registered url domain, stripped of the subdomain.
- For example, the registered domain for "foo.example.com" is "example.com".
- This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk".
- name: url.registered_domain
- type: keyword
-- description: |-
- The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com".
- This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk".
- name: url.top_level_domain
- type: keyword
-- description: |-
- Name of the directory the user is a member of.
- For example, an LDAP or Active Directory domain name.
- name: user.domain
- type: keyword
-- description: User's full name, if available.
- multi_fields:
- - name: text
- type: match_only_text
- name: user.full_name
- type: keyword
-- description: Unique identifier of the user.
- name: user.id
- type: keyword
-- description: Short name or login of the user.
- multi_fields:
- - name: text
- type: match_only_text
- name: user.name
- type: keyword
-- description: Unparsed user_agent string.
- multi_fields:
- - name: text
- type: match_only_text
- name: user_agent.original
- type: keyword
-- description: Hostname of the observer.
- name: observer.hostname
- type: keyword
-- description: Name of the continent.
- name: destination.geo.continent_name
- type: keyword
-- description: Country ISO code.
- name: destination.geo.country_iso_code
- type: keyword
-- description: Region ISO code.
- name: destination.geo.region_iso_code
- type: keyword
-- description: Region name.
- name: destination.geo.region_name
- type: keyword
-- description: Name of the continent.
- name: source.geo.continent_name
- type: keyword
-- description: Country ISO code.
- name: source.geo.country_iso_code
- type: keyword
-- description: Region ISO code.
- name: source.geo.region_iso_code
- type: keyword
-- description: Region name.
- name: source.geo.region_name
- type: keyword
-- description: VLAN ID as reported by the observer.
- name: network.vlan.id
- type: keyword
-- description: The date and time when intelligence source last reported sighting this indicator.
- name: threat.indicator.last_seen
- type: date
-- description: Describes the type of action conducted by the threat.
- name: threat.indicator.description
- type: keyword
-- description: Reference URL linking to additional information about this indicator.
- name: threat.indicator.reference
- type: keyword
-- description: Name of the file including the extension, without the directory.
- name: threat.indicator.file.name
- type: keyword
-- description: SHA256 hash.
- name: threat.indicator.file.hash.sha256
- type: keyword
-- description: |-
- Direction of the network traffic.
- When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress".
- When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external".
- Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers.
- name: network.direction
- type: keyword
-- description: |-
- In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`.
- The field value must be normalized to lowercase for querying.
- name: network.protocol
- type: keyword
-- description: City name.
- name: client.geo.city_name
- type: keyword
-- description: Name of the continent.
- name: client.geo.continent_name
- type: keyword
-- description: Country ISO code.
- name: client.geo.country_iso_code
- type: keyword
-- description: Country name.
- name: client.geo.country_name
- type: keyword
-- description: Longitude and latitude.
- name: client.geo.location
- type: geo_point
-- description: Region ISO code.
- name: client.geo.region_iso_code
- type: keyword
-- description: Region name.
- name: client.geo.region_name
- type: keyword
diff --git a/packages/cisco_meraki/1.2.0/data_stream/log/fields/fields.yml b/packages/cisco_meraki/1.2.0/data_stream/log/fields/fields.yml
deleted file mode 100755
index 10a68230e9..0000000000
--- a/packages/cisco_meraki/1.2.0/data_stream/log/fields/fields.yml
+++ /dev/null
@@ -1,74 +0,0 @@
-- name: cisco_meraki
- type: group
- fields:
- - name: disposition
- type: keyword
- - name: event_type
- type: keyword
- - name: event_subtype
- type: keyword
- - name: bssid
- type: keyword
- - name: vap
- type: keyword
- - name: channel
- type: keyword
- - name: fc_type
- type: keyword
- - name: fc_subtype
- type: keyword
- - name: flows
- type: flattened
- - name: dfs_event
- type: flattened
- - name: wpa_auth
- type: flattened
- - name: wpa_deauth
- type: flattened
- - name: association
- type: flattened
- - name: disassociation
- type: flattened
- - name: 8021x_eap_failure
- type: flattened
- - name: 8021x_deauth
- type: flattened
- - name: 8021x_auth
- type: flattened
- - name: 8021x_eap_success
- type: flattened
- - name: splash_auth
- type: flattened
- - name: device_packet_flood
- type: flattened
- - name: multiple_dhcp_servers_detected
- type: flattened
- - name: aps_association_reject
- type: flattened
- - name: urls
- type: group
- fields:
- - name: mac
- type: keyword
- - name: security
- type: group
- fields:
- - name: priority
- type: keyword
- - name: signature
- type: keyword
- - name: dhost
- type: keyword
- - name: decision
- type: keyword
- - name: mac
- type: keyword
- - name: action
- type: keyword
- - name: site_to_site_vpn
- type: group
- fields:
- - name: raw
- type: text
- - name: connectivity_change
- type: flattened
diff --git a/packages/cisco_meraki/1.2.0/data_stream/log/manifest.yml b/packages/cisco_meraki/1.2.0/data_stream/log/manifest.yml
deleted file mode 100755
index bf78f78a80..0000000000
--- a/packages/cisco_meraki/1.2.0/data_stream/log/manifest.yml
+++ /dev/null
@@ -1,175 +0,0 @@
-title: Cisco Meraki logs (via Syslog)
-release: experimental
-type: logs
-streams:
- - input: udp
- template_path: udp.yml.hbs
- title: Cisco Meraki logs
- description: Collect Cisco Meraki logs (via Syslog)
- enabled: true
- vars:
- - name: listen_address
- type: text
- title: Listen Address
- description: The bind address to listen for UDP connections. Set to `0.0.0.0` to bind to all available interfaces.
- multi: false
- required: true
- show_user: true
- default: localhost
- - name: listen_port
- type: integer
- title: Listen Port
- description: The UDP port number to listen on.
- multi: false
- required: true
- show_user: true
- default: 8685
- - name: preserve_original_event
- required: true
- show_user: true
- title: Preserve original event
- description: Preserves a raw copy of the original event, added to the field `event.original`.
- type: bool
- multi: false
- default: false
- - name: tags
- type: text
- title: Tags
- multi: true
- required: true
- show_user: false
- default:
- - cisco-meraki
- - forwarded
- - name: tz_offset
- type: text
- title: Timezone
- multi: false
- required: false
- show_user: false
- default: UTC
- description: IANA time zone or time offset (e.g. `+0200`) to use when interpreting syslog timestamps without a time zone.
- - name: processors
- type: yaml
- title: Processors
- multi: false
- required: false
- show_user: false
- description: >
- Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
-
- - input: tcp
- template_path: tcp.yml.hbs
- title: Cisco Meraki logs
- description: Collect Cisco Meraki logs (via Syslog)
- enabled: false
- vars:
- - name: listen_address
- type: text
- title: Listen Address
- description: The bind address to listen for TCP connections.
Set to `0.0.0.0` to bind to all available interfaces.
- multi: false
- required: true
- show_user: true
- default: localhost
- - name: listen_port
- type: integer
- title: Listen Port
- description: The TCP port number to listen on.
- multi: false
- required: true
- show_user: true
- default: 8685
- - name: preserve_original_event
- required: true
- show_user: true
- title: Preserve original event
- description: Preserves a raw copy of the original event, added to the field `event.original`.
- type: bool
- multi: false
- default: false
- - name: ssl
- type: yaml
- title: TLS
- description: Options for enabling TLS for the listening TCP socket. See the [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/configuration-ssl.html) for a list of all options.
- multi: false
- required: false
- show_user: false
- default: |
- enabled: false
- certificate: "/etc/pki/client/cert.pem"
- key: "/etc/pki/client/cert.key"
- - name: tags
- type: text
- title: Tags
- multi: true
- required: true
- show_user: false
- default:
- - cisco-meraki
- - forwarded
- - name: tz_offset
- type: text
- title: Timezone
- multi: false
- required: false
- show_user: false
- default: UTC
- description: IANA time zone or time offset (e.g. `+0200`) to use when interpreting syslog timestamps without a time zone.
- - name: processors
- type: yaml
- title: Processors
- multi: false
- required: false
- show_user: false
- description: >
- Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
-
- - input: logfile
- template_path: logfile.yml.hbs
- title: Cisco Meraki logs
- description: Collect Cisco Meraki logs (via Syslog)
- enabled: false
- vars:
- - name: paths
- type: text
- title: Paths
- multi: true
- required: false
- show_user: true
- default:
- - /var/log/cisco-meraki.log
- - name: preserve_original_event
- required: true
- show_user: true
- title: Preserve original event
- description: Preserves a raw copy of the original event, added to the field `event.original`.
- type: bool
- multi: false
- default: false
- - name: tags
- type: text
- title: Tags
- multi: true
- required: true
- show_user: true
- default:
- - cisco-meraki
- - forwarded
- - name: tz_offset
- type: text
- title: Timezone
- multi: false
- required: false
- show_user: false
- default: UTC
- description: IANA time zone or time offset (e.g. `+0200`) to use when interpreting syslog timestamps without a time zone.
- - name: processors
- type: yaml
- title: Processors
- multi: false
- required: false
- show_user: false
- description: >
- Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
-
diff --git a/packages/cisco_meraki/1.2.0/data_stream/log/sample_event.json b/packages/cisco_meraki/1.2.0/data_stream/log/sample_event.json
deleted file mode 100755
index 930a22a9e8..0000000000
--- a/packages/cisco_meraki/1.2.0/data_stream/log/sample_event.json
+++ /dev/null
@@ -1,94 +0,0 @@
-{
- "@timestamp": "2021-11-23T18:13:18.348Z",
- "agent": {
- "ephemeral_id": "d0614353-dd50-4b65-b142-df54b2a69013",
- "id": "e999e428-e6a9-4c63-bd05-0eda93c920b3",
- "name": "docker-fleet-agent",
- "type": "filebeat",
- "version": "8.3.2"
- },
- "cisco_meraki": {
- "event_subtype": "ids_alerted",
- "event_type": "security_event",
- "security": {
- "decision": "allowed",
- "dhost": "D0-AB-D5-7B-43-73",
- "priority": "1",
- "signature": "1:29708:4"
- }
- },
- "data_stream": {
- "dataset": "cisco_meraki.log",
- "namespace": "ep",
- "type": "logs"
- },
- "destination": {
- "ip": "10.0.3.162",
- "port": 56391
- },
- "ecs": {
- "version": "8.4.0"
- },
- "elastic_agent": {
- "id": "e999e428-e6a9-4c63-bd05-0eda93c920b3",
- "snapshot": false,
- "version": "8.3.2"
- },
- "event": {
- "action": "ids-signature-matched",
- "agent_id_status": "verified",
- "category": [
- "network",
- "threat"
- ],
- "dataset": "cisco_meraki.log",
- "ingested": "2022-08-08T18:50:52Z",
- "original": "\u003c134\u003e1 1637691198.348361125 MX84 security_event ids_alerted signature=1:29708:4 priority=1 timestamp=1637691198.330873 dhost=D0:AB:D5:7B:43:73 direction=ingress protocol=tcp/ip src=67.43.156.12:80 dst=10.0.3.162:56391 decision=allowed message: BROWSER-IE Microsoft Internet Explorer CSS uninitialized object access attempt detected",
- "type": [
- "info",
- "indicator"
- ]
- },
- "input": {
- "type": "udp"
- },
- "log": {
- "source": {
- "address": "172.18.0.5:44064"
- }
- },
- "network": {
- "direction": "ingress",
- "protocol": "tcp/ip"
- },
- "observer": {
- "hostname": "MX84"
- },
- "source": {
- "as": {
- "number": 35908
- },
- "geo": {
- "continent_name": "Asia",
- "country_iso_code": "BT",
- "country_name": "Bhutan",
- "location": {
- "lat": 27.5,
- "lon": 90.5
- }
- },
- "ip": "67.43.156.12",
- "port": 80
- },
- "tags": [
- "preserve_original_event",
- "cisco-meraki",
- "forwarded"
- ],
- "threat": {
- "indicator": {
- "description": " BROWSER-IE Microsoft Internet 
Explorer CSS uninitialized object access attempt detected",
- "last_seen": "2021-11-23T18:13:18.330Z"
- }
- }
-}
\ No newline at end of file
diff --git a/packages/cisco_meraki/1.2.0/docs/README.md b/packages/cisco_meraki/1.2.0/docs/README.md
deleted file mode 100755
index c1cf972166..0000000000
--- a/packages/cisco_meraki/1.2.0/docs/README.md
+++ /dev/null
@@ -1,697 +0,0 @@
-# Cisco Meraki Integration
-
-Cisco Meraki offers a centralized cloud management platform for all Meraki devices such as MX Security Appliances, MR Access Points and so on. Its out-of-band cloud architecture creates secure, scalable and easy-to-deploy networks that can be managed from anywhere. This can be done from almost any device using web-based Meraki Dashboard and Meraki Mobile App. Each Meraki network generates its own events.
-
-Cisco Meraki offers [several methods for device reporting](https://documentation.meraki.com/General_Administration/Monitoring_and_Reporting/Meraki_Device_Reporting_-_Syslog%2C_SNMP%2C_and_API). This integration supports gathering events via the Cisco Meraki syslog and via API reporting webhooks. The integration package allows you to search, observe, and visualize the events through Elasticsearch.
-
-## Compatibility
-
-A syslog server can be configured to store messages for reporting purposes from MX Security Appliances, MR Access Points, and MS switches. This package collects events from the configured syslog server. The integration supports collection of events from "MX Security Appliances" and "MR Access Points". The "MS Switch" events are not recognized.
-
-## Configuration
-
-### Enabling the integration in Elastic
-
-1. In Kibana go to **Management > Integrations**
-2. In "Search for integrations" search bar type **Meraki**
-3. Click on "Cisco Meraki" integration from the search results.
-4. Click on **Add Cisco Meraki Integration** button to add the integration.
-
-### Cisco Meraki Dashboard Configuration
-
-#### Syslog
-
-Cisco Meraki dashboard can be used to configure one or more syslog servers and Meraki message types to be sent to the syslog servers.
Refer to [Syslog Server Overview and Configuration](https://documentation.meraki.com/General_Administration/Monitoring_and_Reporting/Syslog_Server_Overview_and_Configuration#Configuring_a_Syslog_Server) page for more information on how to configure syslog server on Cisco Meraki.
-
-#### API Endpoint (Webhooks)
-
-Cisco Meraki dashboard can be used to configure Meraki webhooks. Refer to the [Webhooks Dashboard Setup](https://documentation.meraki.com/General_Administration/Monitoring_and_Reporting/Meraki_Device_Reporting_-_Syslog%2C_SNMP%2C_and_API#Webhooks_Dashboard_Setup) section.
-
-### Configure the Cisco Meraki integration
-
-#### Syslog
-
-Depending on the syslog server setup in your environment check one/more of the following options "Collect syslog from Cisco Meraki via UDP", "Collect syslog from Cisco Meraki via TCP", "Collect syslog from Cisco Meraki via file".
-
-Enter the values for syslog host and port OR file path based on the chosen configuration options.
-
-### API Endpoint (Webhooks)
-
-Check the option "Collect events from Cisco Meraki via Webhooks" option.
-
-1. Enter values for "Listen Address", "Listen Port" and "Webhook path" to form the endpoint URL. Make note of the **Endpoint URL** `https://{AGENT_ADDRESS}:8686/meraki/events`.
-2. Enter value for "Secret value". This must match the "Shared Secret" value entered when configuring the webhook from Meraki cloud.
-3. Enter values for "TLS". Cisco Meraki requires that the webhook accept requests over HTTPS. So you must either configure the integration with a valid TLS certificate or use a reverse proxy in front of the integration.
-
-### Log Events
-
-Enable to collect Cisco Meraki log events for all the applications configured for the chosen log stream.
-
-## Logs
-
-### Syslog
-
-The `cisco_meraki.log` dataset provides events from the configured syslog server. All Cisco Meraki syslog specific fields are available in the `cisco_meraki.log` field group.
-
-**Exported fields**
-
-| Field | Description | Type |
-|---|---|---|
-| @timestamp | Event timestamp. | date |
-| cisco_meraki.8021x_auth | | flattened |
-| cisco_meraki.8021x_deauth | | flattened |
-| cisco_meraki.8021x_eap_failure | | flattened |
-| cisco_meraki.8021x_eap_success | | flattened |
-| cisco_meraki.aps_association_reject | | flattened |
-| cisco_meraki.association | | flattened |
-| cisco_meraki.bssid | | keyword |
-| cisco_meraki.channel | | keyword |
-| cisco_meraki.device_packet_flood | | flattened |
-| cisco_meraki.dfs_event | | flattened |
-| cisco_meraki.disassociation | | flattened |
-| cisco_meraki.disposition | | keyword |
-| cisco_meraki.event_subtype | | keyword |
-| cisco_meraki.event_type | | keyword |
-| cisco_meraki.fc_subtype | | keyword |
-| cisco_meraki.fc_type | | keyword |
-| cisco_meraki.flows | | flattened |
-| cisco_meraki.multiple_dhcp_servers_detected | | flattened |
-| cisco_meraki.security.action | | keyword |
-| cisco_meraki.security.decision | | keyword |
-| cisco_meraki.security.dhost | | keyword |
-| cisco_meraki.security.mac | | keyword |
-| cisco_meraki.security.priority | | keyword |
-| cisco_meraki.security.signature | | keyword |
-| cisco_meraki.site_to_site_vpn.connectivity_change | | flattened |
-| cisco_meraki.site_to_site_vpn.raw | | text |
-| cisco_meraki.splash_auth | | flattened |
-| cisco_meraki.urls.mac | | keyword |
-| cisco_meraki.vap | | keyword |
-| cisco_meraki.wpa_auth | | flattened |
-| cisco_meraki.wpa_deauth | | flattened |
-| client.domain | The domain name of the client system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword |
-| client.geo.city_name | City name. | keyword |
-| client.geo.continent_name | Name of the continent. | keyword |
-| client.geo.country_iso_code | Country ISO code. | keyword |
-| client.geo.country_name | Country name. 
| keyword |
-| client.geo.location | Longitude and latitude. | geo_point |
-| client.geo.region_iso_code | Region ISO code. | keyword |
-| client.geo.region_name | Region name. | keyword |
-| client.ip | IP address of the client (IPv4 or IPv6). | ip |
-| client.mac | MAC address of the client. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword |
-| client.registered_domain | The highest registered client domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword |
-| client.subdomain | The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword |
-| client.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". 
| keyword |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
-| data_stream.dataset | Data stream dataset. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
-| destination.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long |
-| destination.as.organization.name | Organization name. | keyword |
-| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. 
| match_only_text |
-| destination.bytes | Bytes sent from the destination to the source. | long |
-| destination.domain | The domain name of the destination system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword |
-| destination.geo.city_name | City name. | keyword |
-| destination.geo.continent_name | Name of the continent. | keyword |
-| destination.geo.country_iso_code | Country ISO code. | keyword |
-| destination.geo.country_name | Country name. | keyword |
-| destination.geo.location | Longitude and latitude. | geo_point |
-| destination.geo.region_iso_code | Region ISO code. | keyword |
-| destination.geo.region_name | Region name. | keyword |
-| destination.ip | IP address of the destination (IPv4 or IPv6). | ip |
-| destination.mac | MAC address of the destination. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword |
-| destination.nat.ip | Translated ip of destination based NAT sessions (e.g. internet to private DMZ) Typically used with load balancers, firewalls, or routers. | ip |
-| destination.nat.port | Port the source session is translated to by NAT Device. Typically used with load balancers, firewalls, or routers. | long |
-| destination.port | Port of the destination. | long |
-| destination.registered_domain | The highest registered destination domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". 
| keyword |
-| destination.subdomain | The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword |
-| destination.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword |
-| dns.answers.name | The domain name to which this resource record pertains. If a chain of CNAME is being resolved, each answer's `name` should be the one that corresponds with the answer's `data`. It should not simply be the original `question.name` repeated. | keyword |
-| dns.answers.type | The type of data contained in this resource record. | keyword |
-| dns.question.registered_domain | The highest registered domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword |
-| dns.question.subdomain | The subdomain is all of the labels under the registered_domain. 
If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword | -| dns.question.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | -| dns.question.type | The type of record being queried. | keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| error.message | Error message. | match_only_text | -| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.code | Identification code for this event, if one exists. Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. 
An example of this is the Windows Event ID. | keyword | -| event.dataset | Event dataset | constant_keyword | -| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | -| event.module | Event module | constant_keyword | -| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | -| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. 
| keyword | -| event.timezone | This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). | keyword | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | -| file.attributes | Array of file attributes. Attributes names will vary by platform. Here's a non-exhaustive list of values that are expected in this field: archive, compressed, directory, encrypted, execute, hidden, read, readonly, system, write. | keyword | -| file.directory | Directory where the file is located. It should include the drive letter, when appropriate. | keyword | -| file.extension | File extension, excluding the leading dot. Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword | -| file.name | Name of the file including the extension, without the directory. | keyword | -| file.path | Full path to the file, including the file name. It should include the drive letter, when appropriate. | keyword | -| file.path.text | Multi-field of `file.path`. | match_only_text | -| file.size | File size in bytes. Only relevant when `file.type` is "file". | long | -| file.type | File type (file, dir, or symlink). | keyword | -| geo.city_name | City name. | keyword | -| geo.country_name | Country name. 
| keyword | -| geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | -| geo.region_name | Region name. | keyword | -| group.id | Unique identifier for the group on the system/platform. | keyword | -| group.name | Name of the group. | keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host MAC addresses. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. 
| keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| http.request.method | HTTP request method. The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field. | keyword | -| http.request.referrer | Referrer for this HTTP request. | keyword | -| input.type | Type of Filebeat input. | keyword | -| log.file.path | Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. | keyword | -| log.level | Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). Some examples are `warn`, `err`, `i`, `informational`. | keyword | -| log.offset | Offset of the entry in the log file. | long | -| log.source.address | Source address from which the log event was read / sent from. | keyword | -| log.syslog.facility.code | The Syslog numeric facility of the log event, if available. According to RFCs 5424 and 3164, this value should be an integer between 0 and 23. | long | -| log.syslog.priority | Syslog numeric priority of the event, if available. According to RFCs 5424 and 3164, the priority is 8 \* facility + severity. This number is therefore expected to contain a value between 0 and 191. 
| long | -| log.syslog.severity.code | The Syslog numeric severity of the log event, if available. If the event source publishing via Syslog provides a different numeric severity value (e.g. firewall, IDS), your source's numeric severity should go to `event.severity`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `event.severity`. | long | -| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | -| network.application | When a specific application or service is identified from network connection details (source/dest IPs, ports, certificates, or wire format), this field captures the application's or service's name. For example, the original event identifies the network connection being from a specific web service in a `https` network connection, like `facebook` or `twitter`. The field value must be normalized to lowercase for querying. | keyword | -| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long | -| network.direction | Direction of the network traffic. When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. 
Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword | -| network.forwarded_ip | Host IP address when the source IP address is the proxy. | ip | -| network.name | Name given by operators to sections of their network. | keyword | -| network.packets | Total packets transferred in both directions. If `source.packets` and `destination.packets` are known, `network.packets` is their sum. | long | -| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword | -| network.vlan.id | VLAN ID as reported by the observer. | keyword | -| observer.egress.interface.name | Interface name as reported by the system. | keyword | -| observer.hostname | Hostname of the observer. | keyword | -| observer.ingress.interface.name | Interface name as reported by the system. | keyword | -| observer.mac | MAC addresses of the observer. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | -| observer.product | The product name of the observer. | keyword | -| observer.type | The type of the observer the data is coming from. There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. | keyword | -| observer.vendor | Vendor name of the observer. | keyword | -| observer.version | Observer version. | keyword | -| process.name | Process name. Sometimes called program name or similar. | keyword | -| process.name.text | Multi-field of `process.name`. | match_only_text | -| process.parent.name | Process name. Sometimes called program name or similar. 
| keyword | -| process.parent.name.text | Multi-field of `process.parent.name`. | match_only_text | -| process.parent.pid | Process id. | long | -| process.parent.title | Process title. The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. | keyword | -| process.parent.title.text | Multi-field of `process.parent.title`. | match_only_text | -| process.pid | Process id. | long | -| process.title | Process title. The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. | keyword | -| process.title.text | Multi-field of `process.title`. | match_only_text | -| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| related.user | All the user names or other user identifiers seen on the event. | keyword | -| rule.name | The name of the rule or signature generating the event. | keyword | -| server.domain | The domain name of the server system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | -| server.ip | IP address of the server (IPv4 or IPv6). | ip | -| server.mac | MAC address of the server. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | -| server.registered_domain | The highest registered server domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". 
This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | -| server.subdomain | The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword | -| server.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | -| service.name | Name of the service data is collected from. The name of the service is normally user given. This allows for distributed services that run on multiple hosts to correlate the related instances based on the name. In the case of Elasticsearch the `service.name` could contain the cluster name. For Beats the `service.name` is by default a copy of the `service.type` field if no name is specified. | keyword | -| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. 
| keyword | -| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| source.as.organization.name | Organization name. | keyword | -| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text | -| source.bytes | Bytes sent from the source to the destination. | long | -| source.domain | The domain name of the source system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | -| source.geo.city_name | City name. | keyword | -| source.geo.continent_name | Name of the continent. | keyword | -| source.geo.country_iso_code | Country ISO code. | keyword | -| source.geo.country_name | Country name. | keyword | -| source.geo.location | Longitude and latitude. | geo_point | -| source.geo.region_iso_code | Region ISO code. | keyword | -| source.geo.region_name | Region name. | keyword | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| source.mac | MAC address of the source. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | -| source.nat.ip | Translated ip of source based NAT sessions (e.g. internal client to internet) Typically connections traversing load balancers, firewalls, or routers. | ip | -| source.nat.port | Translated port of source based NAT sessions. (e.g. internal client to internet) Typically used with load balancers, firewalls, or routers. | long | -| source.port | Port of the source. | long | -| source.registered_domain | The highest registered source domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". 
This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | -| source.subdomain | The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword | -| source.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | -| tags | List of keywords used to tag each event. | keyword | -| threat.indicator.description | Describes the type of action conducted by the threat. | keyword | -| threat.indicator.file.hash.sha256 | SHA256 hash. | keyword | -| threat.indicator.file.name | Name of the file including the extension, without the directory. | keyword | -| threat.indicator.last_seen | The date and time when intelligence source last reported sighting this indicator. | date | -| threat.indicator.reference | Reference URL linking to additional information about this indicator. | keyword | -| url.domain | Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. 
If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. | keyword | -| url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | wildcard | -| url.original.text | Multi-field of `url.original`. | match_only_text | -| url.path | Path of the request, such as "/search". | wildcard | -| url.query | The query field describes the query string of the request, such as "q=elasticsearch". The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. | keyword | -| url.registered_domain | The highest registered url domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | -| url.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | -| user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword | -| user.full_name | User's full name, if available. 
| keyword | -| user.full_name.text | Multi-field of `user.full_name`. | match_only_text | -| user.id | Unique identifier of the user. | keyword | -| user.name | Short name or login of the user. | keyword | -| user.name.text | Multi-field of `user.name`. | match_only_text | -| user_agent.original | Unparsed user_agent string. | keyword | -| user_agent.original.text | Multi-field of `user_agent.original`. | match_only_text | - - -An example event for `log` looks as following: - -```json -{ - "@timestamp": "2021-11-23T18:13:18.348Z", - "agent": { - "ephemeral_id": "d0614353-dd50-4b65-b142-df54b2a69013", - "id": "e999e428-e6a9-4c63-bd05-0eda93c920b3", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "8.3.2" - }, - "cisco_meraki": { - "event_subtype": "ids_alerted", - "event_type": "security_event", - "security": { - "decision": "allowed", - "dhost": "D0-AB-D5-7B-43-73", - "priority": "1", - "signature": "1:29708:4" - } - }, - "data_stream": { - "dataset": "cisco_meraki.log", - "namespace": "ep", - "type": "logs" - }, - "destination": { - "ip": "10.0.3.162", - "port": 56391 - }, - "ecs": { - "version": "8.4.0" - }, - "elastic_agent": { - "id": "e999e428-e6a9-4c63-bd05-0eda93c920b3", - "snapshot": false, - "version": "8.3.2" - }, - "event": { - "action": "ids-signature-matched", - "agent_id_status": "verified", - "category": [ - "network", - "threat" - ], - "dataset": "cisco_meraki.log", - "ingested": "2022-08-08T18:50:52Z", - "original": "\u003c134\u003e1 1637691198.348361125 MX84 security_event ids_alerted signature=1:29708:4 priority=1 timestamp=1637691198.330873 dhost=D0:AB:D5:7B:43:73 direction=ingress protocol=tcp/ip src=67.43.156.12:80 dst=10.0.3.162:56391 decision=allowed message: BROWSER-IE Microsoft Internet Explorer CSS uninitialized object access attempt detected", - "type": [ - "info", - "indicator" - ] - }, - "input": { - "type": "udp" - }, - "log": { - "source": { - "address": "172.18.0.5:44064" - } - }, - "network": { - "direction": 
"ingress", - "protocol": "tcp/ip" - }, - "observer": { - "hostname": "MX84" - }, - "source": { - "as": { - "number": 35908 - }, - "geo": { - "continent_name": "Asia", - "country_iso_code": "BT", - "country_name": "Bhutan", - "location": { - "lat": 27.5, - "lon": 90.5 - } - }, - "ip": "67.43.156.12", - "port": 80 - }, - "tags": [ - "preserve_original_event", - "cisco-meraki", - "forwarded" - ], - "threat": { - "indicator": { - "description": " BROWSER-IE Microsoft Internet Explorer CSS uninitialized object access attempt detected", - "last_seen": "2021-11-23T18:13:18.330Z" - } - } -} -``` - -### API Endpoint (Webhooks) - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cisco_meraki.event.alertData | Additional alert data (differs based on alert type) | flattened | -| cisco_meraki.event.alertId | ID for this alert message | keyword | -| cisco_meraki.event.alertLevel | Alert level (informational, critical etc.) | keyword | -| cisco_meraki.event.alertType | Type of alert (“Network usage alert”, “Settings changed”, etc.) 
| keyword | -| cisco_meraki.event.alertTypeId | Unique ID for the type of alert | keyword | -| cisco_meraki.event.deviceMac | MAC address of the Meraki device | keyword | -| cisco_meraki.event.deviceModel | Meraki device model | keyword | -| cisco_meraki.event.deviceName | Name assigned to the Meraki device | keyword | -| cisco_meraki.event.deviceSerial | Serial number of the Meraki device | keyword | -| cisco_meraki.event.deviceTags | Tags assigned to the Meraki device | keyword | -| cisco_meraki.event.deviceUrl | URL of the Meraki device | keyword | -| cisco_meraki.event.networkId | ID for the Meraki network | keyword | -| cisco_meraki.event.networkName | Name for the Meraki network | keyword | -| cisco_meraki.event.networkTags | Tags assigned to the Meraki network | keyword | -| cisco_meraki.event.networkUrl | URL of the Meraki Dashboard network | keyword | -| cisco_meraki.event.occurredAt | Timestamp of the alert (UTC) | date | -| cisco_meraki.event.organizationId | ID of the Meraki organization | keyword | -| cisco_meraki.event.organizationName | Name of the Meraki organization | keyword | -| cisco_meraki.event.organizationUrl | URL of the Meraki Dashboard organization | keyword | -| cisco_meraki.event.sentAt | Timestamp of the sent message (UTC) | date | -| cisco_meraki.event.sharedSecret | User defined secret to be validated by the webhook receiver (optional) | keyword | -| cisco_meraki.event.version | Current version of webhook format | keyword | -| client.domain | The domain name of the client system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | -| client.geo.city_name | City name. | keyword | -| client.geo.continent_name | Name of the continent. | keyword | -| client.geo.country_iso_code | Country ISO code. | keyword | -| client.geo.country_name | Country name. 
| keyword | -| client.geo.location.lat | Longitude and latitude. | geo_point | -| client.geo.location.lon | Longitude and latitude. | geo_point | -| client.geo.region_iso_code | Region ISO code. | keyword | -| client.geo.region_name | Region name. | keyword | -| client.ip | IP address of the client (IPv4 or IPv6). | ip | -| client.mac | MAC address of the client. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | -| client.registered_domain | The highest registered client domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | -| client.subdomain | The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword | -| client.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". 
| keyword | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| destination.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| destination.as.organization.name | Organization name. | keyword | -| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. 
| match_only_text | -| destination.bytes | Bytes sent from the destination to the source. | long | -| destination.domain | The domain name of the destination system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | -| destination.geo.city_name | City name. | keyword | -| destination.geo.continent_name | Name of the continent. | keyword | -| destination.geo.country_iso_code | Country ISO code. | keyword | -| destination.geo.country_name | Country name. | keyword | -| destination.geo.location | Longitude and latitude. | geo_point | -| destination.geo.region_iso_code | Region ISO code. | keyword | -| destination.geo.region_name | Region name. | keyword | -| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | -| destination.mac | MAC address of the destination. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | -| destination.nat.ip | Translated ip of destination based NAT sessions (e.g. internet to private DMZ) Typically used with load balancers, firewalls, or routers. | ip | -| destination.nat.port | Port the source session is translated to by NAT Device. Typically used with load balancers, firewalls, or routers. | long | -| destination.port | Port of the destination. | long | -| destination.registered_domain | The highest registered destination domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". 
| keyword | -| destination.subdomain | The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword | -| destination.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | -| dns.answers.name | The domain name to which this resource record pertains. If a chain of CNAME is being resolved, each answer's `name` should be the one that corresponds with the answer's `data`. It should not simply be the original `question.name` repeated. | keyword | -| dns.answers.type | The type of data contained in this resource record. | keyword | -| dns.question.registered_domain | The highest registered domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | -| dns.question.subdomain | The subdomain is all of the labels under the registered_domain. 
If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword | -| dns.question.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | -| dns.question.type | The type of record being queried. | keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| error.message | Error message. | match_only_text | -| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.code | Identification code for this event, if one exists. Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. 
An example of this is the Windows Event ID. | keyword | -| event.dataset | Event dataset | constant_keyword | -| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | -| event.module | Event module | constant_keyword | -| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | -| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. 
| keyword | -| event.timezone | This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). | keyword | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | -| file.attributes | Array of file attributes. Attributes names will vary by platform. Here's a non-exhaustive list of values that are expected in this field: archive, compressed, directory, encrypted, execute, hidden, read, readonly, system, write. | keyword | -| file.directory | Directory where the file is located. It should include the drive letter, when appropriate. | keyword | -| file.extension | File extension, excluding the leading dot. Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword | -| file.name | Name of the file including the extension, without the directory. | keyword | -| file.path | Full path to the file, including the file name. It should include the drive letter, when appropriate. | keyword | -| file.path.text | Multi-field of `file.path`. | match_only_text | -| file.size | File size in bytes. Only relevant when `file.type` is "file". | long | -| file.type | File type (file, dir, or symlink). | keyword | -| geo.city_name | City name. | keyword | -| geo.country_name | Country name. 
| keyword | -| geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | -| geo.region_name | Region name. | keyword | -| group.id | Unique identifier for the group on the system/platform. | keyword | -| group.name | Name of the group. | keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host MAC addresses. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. 
| keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| http.request.method | HTTP request method. The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field. | keyword | -| http.request.referrer | Referrer for this HTTP request. | keyword | -| input.type | Type of Filebeat input. | keyword | -| log.file.path | Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. | keyword | -| log.level | Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). Some examples are `warn`, `err`, `i`, `informational`. | keyword | -| log.offset | Offset of the entry in the log file. | long | -| log.source.address | Source address from which the log event was read / sent from. | keyword | -| log.syslog.facility.code | The Syslog numeric facility of the log event, if available. According to RFCs 5424 and 3164, this value should be an integer between 0 and 23. | long | -| log.syslog.priority | Syslog numeric priority of the event, if available. According to RFCs 5424 and 3164, the priority is 8 \* facility + severity. This number is therefore expected to contain a value between 0 and 191. 
| long | -| log.syslog.severity.code | The Syslog numeric severity of the log event, if available. If the event source publishing via Syslog provides a different numeric severity value (e.g. firewall, IDS), your source's numeric severity should go to `event.severity`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `event.severity`. | long | -| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | -| network.application | When a specific application or service is identified from network connection details (source/dest IPs, ports, certificates, or wire format), this field captures the application's or service's name. For example, the original event identifies the network connection being from a specific web service in a `https` network connection, like `facebook` or `twitter`. The field value must be normalized to lowercase for querying. | keyword | -| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long | -| network.direction | Direction of the network traffic. When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. 
Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword | -| network.forwarded_ip | Host IP address when the source IP address is the proxy. | ip | -| network.name | Name given by operators to sections of their network. | keyword | -| network.packets | Total packets transferred in both directions. If `source.packets` and `destination.packets` are known, `network.packets` is their sum. | long | -| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword | -| network.vlan.id | VLAN ID as reported by the observer. | keyword | -| observer.egress.interface.name | Interface name as reported by the system. | keyword | -| observer.hostname | Hostname of the observer. | keyword | -| observer.ingress.interface.name | Interface name as reported by the system. | keyword | -| observer.mac | MAC addresses of the observer. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | -| observer.name | Custom name of the observer. This is a name that can be given to an observer. This can be helpful for example if multiple firewalls of the same model are used in an organization. If no custom name is needed, the field can be left empty. | keyword | -| observer.product | The product name of the observer. | keyword | -| observer.serial_number | Observer serial number. | keyword | -| observer.type | The type of the observer the data is coming from. There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. 
| keyword | -| observer.vendor | Vendor name of the observer. | keyword | -| observer.version | Observer version. | keyword | -| organization.id | Unique identifier for the organization. | keyword | -| organization.name | Organization name. | keyword | -| organization.name.text | Multi-field of `organization.name`. | match_only_text | -| process.name | Process name. Sometimes called program name or similar. | keyword | -| process.name.text | Multi-field of `process.name`. | match_only_text | -| process.parent.name | Process name. Sometimes called program name or similar. | keyword | -| process.parent.name.text | Multi-field of `process.parent.name`. | match_only_text | -| process.parent.pid | Process id. | long | -| process.parent.title | Process title. The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. | keyword | -| process.parent.title.text | Multi-field of `process.parent.title`. | match_only_text | -| process.pid | Process id. | long | -| process.title | Process title. The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. | keyword | -| process.title.text | Multi-field of `process.title`. | match_only_text | -| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| related.user | All the user names or other user identifiers seen on the event. | keyword | -| rule.name | The name of the rule or signature generating the event. | keyword | -| server.domain | The domain name of the server system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. 
| keyword | -| server.mac | MAC address of the server. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | -| server.registered_domain | The highest registered server domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | -| server.subdomain | The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword | -| server.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | -| service.name | Name of the service data is collected from. The name of the service is normally user given. This allows for distributed services that run on multiple hosts to correlate the related instances based on the name. In the case of Elasticsearch the `service.name` could contain the cluster name. 
For Beats the `service.name` is by default a copy of the `service.type` field if no name is specified. | keyword | -| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| source.as.organization.name | Organization name. | keyword | -| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text | -| source.bytes | Bytes sent from the source to the destination. | long | -| source.domain | The domain name of the source system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | -| source.geo.city_name | City name. | keyword | -| source.geo.continent_name | Name of the continent. | keyword | -| source.geo.country_iso_code | Country ISO code. | keyword | -| source.geo.country_name | Country name. | keyword | -| source.geo.location | Longitude and latitude. | geo_point | -| source.geo.region_iso_code | Region ISO code. | keyword | -| source.geo.region_name | Region name. | keyword | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| source.mac | MAC address of the source. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | -| source.nat.ip | Translated ip of source based NAT sessions (e.g. internal client to internet) Typically connections traversing load balancers, firewalls, or routers. 
| ip | -| source.nat.port | Translated port of source based NAT sessions. (e.g. internal client to internet) Typically used with load balancers, firewalls, or routers. | long | -| source.port | Port of the source. | long | -| source.registered_domain | The highest registered source domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | -| source.subdomain | The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword | -| source.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | -| tags | List of keywords used to tag each event. | keyword | -| threat.indicator.description | Describes the type of action conducted by the threat. | keyword | -| threat.indicator.file.hash.sha256 | SHA256 hash. | keyword | -| threat.indicator.file.name | Name of the file including the extension, without the directory. 
| keyword | -| threat.indicator.last_seen | The date and time when intelligence source last reported sighting this indicator. | date | -| threat.indicator.reference | Reference URL linking to additional information about this indicator. | keyword | -| threat.software.type | The type of software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®. While not required, you can use a MITRE ATT&CK® software type. | keyword | -| url.domain | Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. | keyword | -| url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | wildcard | -| url.original.text | Multi-field of `url.original`. | match_only_text | -| url.path | Path of the request, such as "/search". | wildcard | -| url.query | The query field describes the query string of the request, such as "q=elasticsearch". The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. | keyword | -| url.registered_domain | The highest registered url domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". 
| keyword | -| url.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | -| user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword | -| user.full_name | User's full name, if available. | keyword | -| user.full_name.text | Multi-field of `user.full_name`. | match_only_text | -| user.id | Unique identifier of the user. | keyword | -| user.name | Short name or login of the user. | keyword | -| user.name.text | Multi-field of `user.name`. | match_only_text | -| user_agent.original | Unparsed user_agent string. | keyword | -| user_agent.original.text | Multi-field of `user_agent.original`. 
| match_only_text | - - -An example event for `events` looks as following: - -```json -{ - "@timestamp": "2018-02-11T00:00:00.123Z", - "agent": { - "ephemeral_id": "4e898a47-a469-4602-9ba2-0a46f55a3998", - "id": "e999e428-e6a9-4c63-bd05-0eda93c920b3", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "8.3.2" - }, - "cisco_meraki": { - "event": { - "alertData": { - "connection": "LTE", - "local": "192.168.1.2", - "model": "UML290VW", - "provider": "Purview Wireless", - "remote": "1.2.3.5" - }, - "alertId": "0000000000000000", - "alertTypeId": "cellular_up", - "deviceTags": [ - "tag1", - "tag2" - ], - "deviceUrl": "https://n1.meraki.com//n//manage/nodes/new_list/000000000000", - "networkId": "N_24329156", - "networkUrl": "https://n1.meraki.com//n//manage/nodes/list", - "organizationUrl": "https://dashboard.meraki.com/o/VjjsAd/manage/organization/overview", - "sentAt": "2021-10-07T08:42:00.926325Z", - "sharedSecret": "secret", - "version": "0.1" - } - }, - "data_stream": { - "dataset": "cisco_meraki.events", - "namespace": "ep", - "type": "logs" - }, - "ecs": { - "version": "8.4.0" - }, - "elastic_agent": { - "id": "e999e428-e6a9-4c63-bd05-0eda93c920b3", - "snapshot": false, - "version": "8.3.2" - }, - "event": { - "action": "Cellular came up", - "agent_id_status": "verified", - "category": [ - "network" - ], - "dataset": "cisco_meraki.events", - "ingested": "2022-08-08T18:48:35Z", - "original": "{\"alertData\":{\"connection\":\"LTE\",\"local\":\"192.168.1.2\",\"model\":\"UML290VW\",\"provider\":\"Purview Wireless\",\"remote\":\"1.2.3.5\"},\"alertId\":\"0000000000000000\",\"alertLevel\":\"informational\",\"alertType\":\"Cellular came up\",\"alertTypeId\":\"cellular_up\",\"deviceMac\":\"00:11:22:33:44:55\",\"deviceModel\":\"MX\",\"deviceName\":\"My 
appliance\",\"deviceSerial\":\"Q234-ABCD-5678\",\"deviceTags\":[\"tag1\",\"tag2\"],\"deviceUrl\":\"https://n1.meraki.com//n//manage/nodes/new_list/000000000000\",\"networkId\":\"N_24329156\",\"networkName\":\"Main Office\",\"networkTags\":[],\"networkUrl\":\"https://n1.meraki.com//n//manage/nodes/list\",\"occurredAt\":\"2018-02-11T00:00:00.123450Z\",\"organizationId\":\"2930418\",\"organizationName\":\"My organization\",\"organizationUrl\":\"https://dashboard.meraki.com/o/VjjsAd/manage/organization/overview\",\"sentAt\":\"2021-10-07T08:42:00.926325Z\",\"sharedSecret\":\"secret\",\"version\":\"0.1\"}",
- "type": [
- "info",
- "start"
- ]
- },
- "input": {
- "type": "http_endpoint"
- },
- "log": {
- "level": "informational"
- },
- "network": {
- "name": "Main Office"
- },
- "observer": {
- "mac": "00-11-22-33-44-55",
- "name": "My appliance",
- "product": "MX",
- "serial_number": "Q234-ABCD-5678",
- "vendor": "Cisco"
- },
- "organization": {
- "id": "2930418",
- "name": "My organization"
- },
- "tags": [
- "preserve_original_event",
- "forwarded",
- "meraki-events"
- ]
-}
-```
diff --git a/packages/cisco_meraki/1.2.0/img/cisco-logo.svg b/packages/cisco_meraki/1.2.0/img/cisco-logo.svg
deleted file mode 100755
index a174ad4488..0000000000
--- a/packages/cisco_meraki/1.2.0/img/cisco-logo.svg
+++ /dev/null
@@ -1 +0,0 @@
-
diff --git a/packages/cisco_meraki/1.2.0/img/cisco-meraki-dashboard-1.png b/packages/cisco_meraki/1.2.0/img/cisco-meraki-dashboard-1.png
deleted file mode 100755
index 7f6816cf73..0000000000
Binary files a/packages/cisco_meraki/1.2.0/img/cisco-meraki-dashboard-1.png and /dev/null differ
diff --git a/packages/cisco_meraki/1.2.0/img/cisco-meraki-dashboard-2.png b/packages/cisco_meraki/1.2.0/img/cisco-meraki-dashboard-2.png
deleted file mode 100755
index 810b80d4ad..0000000000
Binary files a/packages/cisco_meraki/1.2.0/img/cisco-meraki-dashboard-2.png and /dev/null differ
diff --git a/packages/cisco_meraki/1.2.0/img/cisco-meraki-dashboard-3.png b/packages/cisco_meraki/1.2.0/img/cisco-meraki-dashboard-3.png
deleted file mode 100755
index 1cfa3ccb7d..0000000000
Binary files a/packages/cisco_meraki/1.2.0/img/cisco-meraki-dashboard-3.png and /dev/null differ
diff --git a/packages/cisco_meraki/1.2.0/kibana/dashboard/cisco_meraki-4832a430-af22-11ec-a899-6f7e676e0fb4.json b/packages/cisco_meraki/1.2.0/kibana/dashboard/cisco_meraki-4832a430-af22-11ec-a899-6f7e676e0fb4.json
deleted file mode 100755
index 11cb03d88a..0000000000
--- a/packages/cisco_meraki/1.2.0/kibana/dashboard/cisco_meraki-4832a430-af22-11ec-a899-6f7e676e0fb4.json
+++ /dev/null
@@ -1,157 +0,0 @@ -{ - "attributes": { - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"cisco_meraki.log\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"cisco_meraki.log\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-9f3c668f-fec6-4125-ae7b-fcb073df79c1\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"filter-index-pattern-0\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"9f3c668f-fec6-4125-ae7b-fcb073df79c1\":{\"columnOrder\":[\"c379da24-eba4-47a5-b9aa-213324504619\"],\"columns\":{\"c379da24-eba4-47a5-b9aa-213324504619\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Unique count of 
source.mac\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"source.mac\"}},\"incompleteColumns\":{}}}}},\"filters\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"filter-index-pattern-0\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"cisco_meraki.log\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"cisco_meraki.log\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"c379da24-eba4-47a5-b9aa-213324504619\",\"layerId\":\"9f3c668f-fec6-4125-ae7b-fcb073df79c1\",\"layerType\":\"data\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":5,\"i\":\"372a6801-2e52-4c4c-a674-746eec7f7e09\",\"w\":9,\"x\":0,\"y\":0},\"panelIndex\":\"372a6801-2e52-4c4c-a674-746eec7f7e09\",\"title\":\"Count of source MAC address\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-511effff-5682-4cfa-a2de-739bbefa93ea\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"filter-index-pattern-0\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"511effff-5682-4cfa-a2de-739bbefa93ea\":{\"columnOrder\":[\"b6287f3a-b96b-4973-b2d2-1e4f7830f9e5\",\"0929169c-0ee9-4eb6-93b6-effcb648c779\",\"c66ed022-eab0-4834-8a01-f508aa4b32b3\"],\"columns\":{\"0929169c-0ee9-4eb6-93b6-effcb648c779\":{\"dataType\":\"date\",\"isBucketed\":true,\"label\":\"@timestamp\",\"operationType\":\"date_histogram\",\"params\":{\"interval\":\"auto\"},\"scale\":\"interval\",\"sourceField\":\"@timestamp\"},\"b6287f3a-b96b-4973-b2d2-1e4f7830f9e5\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of 
cisco_meraki.event_type\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"c66ed022-eab0-4834-8a01-f508aa4b32b3\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"cisco_meraki.event_type\"},\"c66ed022-eab0-4834-8a01-f508aa4b32b3\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"filter-index-pattern-0\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"cisco_meraki.log\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"cisco_meraki.log\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"axisTitlesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"fittingFunction\":\"None\",\"gridlinesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"layers\":[{\"accessors\":[\"c66ed022-eab0-4834-8a01-f508aa4b32b3\"],\"layerId\":\"511effff-5682-4cfa-a2de-739bbefa93ea\",\"layerType\":\"data\",\"position\":\"top\",\"seriesType\":\"line\",\"showGridlines\":false,\"splitAccessor\":\"b6287f3a-b96b-4973-b2d2-1e4f7830f9e5\",\"xAccessor\":\"0929169c-0ee9-4eb6-93b6-effcb648c779\"}],\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"preferredSeriesType\":\"line\",\"tickLabelsVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"valueLabels\":\"hide\",\"yLeftExtent\":{\"mode\":\"full\"},\"yRightExtent\":{\"mode\":\"full\"}}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsXY\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"03bf41fe-673d-4f95-9d6e-510d8dc46ba6\",\"w\":13,\"x\":9,\"y\":0},\"panelIndex\":\"03bf41fe
-673d-4f95-9d6e-510d8dc46ba6\",\"title\":\"Rate of events by type\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-abda3ec0-db97-4e02-a42e-45e716110de2\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"filter-index-pattern-0\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"abda3ec0-db97-4e02-a42e-45e716110de2\":{\"columnOrder\":[\"c59ef8c2-80ea-4386-834f-378f4a76b87c\",\"c1fce02c-25a5-4a5c-a3a3-9412786a5520\"],\"columns\":{\"c1fce02c-25a5-4a5c-a3a3-9412786a5520\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"params\":{},\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"c59ef8c2-80ea-4386-834f-378f4a76b87c\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of 
cisco_meraki.event_type\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"c1fce02c-25a5-4a5c-a3a3-9412786a5520\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"cisco_meraki.event_type\"}},\"incompleteColumns\":{}}}}},\"filters\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"filter-index-pattern-0\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"cisco_meraki.log\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"cisco_meraki.log\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"c59ef8c2-80ea-4386-834f-378f4a76b87c\"],\"layerId\":\"abda3ec0-db97-4e02-a42e-45e716110de2\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"c1fce02c-25a5-4a5c-a3a3-9412786a5520\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"donut\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"475cb47c-34d7-4c56-b57d-e27d25678fc8\",\"w\":13,\"x\":22,\"y\":0},\"panelIndex\":\"475cb47c-34d7-4c56-b57d-e27d25678fc8\",\"title\":\"Event distribution by 
type\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-d8f74b4f-a83b-47bc-b862-2bc47ee790eb\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"d8f74b4f-a83b-47bc-b862-2bc47ee790eb\":{\"columnOrder\":[\"d1a56033-ffe5-44ed-a05f-ab79d5db90aa\",\"a6d64dae-3a8d-49c1-8e4d-b08758c35a09\"],\"columns\":{\"a6d64dae-3a8d-49c1-8e4d-b08758c35a09\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Unique count of cisco_meraki.event_type\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"cisco_meraki.event_type\"},\"d1a56033-ffe5-44ed-a05f-ab79d5db90aa\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of cisco_meraki.event_subtype\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"a6d64dae-3a8d-49c1-8e4d-b08758c35a09\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"cisco_meraki.event_subtype\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"d1a56033-ffe5-44ed-a05f-ab79d5db90aa\"],\"layerId\":\"d8f74b4f-a83b-47bc-b862-2bc47ee790eb\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"a6d64dae-3a8d-49c1-8e4d-b08758c35a09\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"donut\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"58bbda58-7c31-44e1-8568-d37c2c585e53\",\"w\":13,\"x\":35,\"y\":0},\"panelIndex\":\"58bbda58-7c31-44e1-8568-d37c2c585e53\",\"title\":\"Event distribution by 
sub-type\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-5dc18b67-2c60-44c0-b3b5-7dd507bd4c3d\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"filter-index-pattern-0\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"filter-index-pattern-1\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"5dc18b67-2c60-44c0-b3b5-7dd507bd4c3d\":{\"columnOrder\":[\"66ede758-6532-443e-834d-a847c964682f\"],\"columns\":{\"66ede758-6532-443e-834d-a847c964682f\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"No. of rogue SSIDs detected\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"filter-index-pattern-0\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"cisco_meraki.log\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"cisco_meraki.log\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"filter-index-pattern-1\",\"key\":\"cisco_meraki.event_subtype\",\"negate\":false,\"params\":{\"query\":\"rogue_ssid_detected\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"cisco_meraki.event_subtype\":\"rogue_ssid_detected\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"66ede758-6532-443e-834d-a847c964682f\",\"layerId\":\"5dc18b67-2c60-44c0-b3b5-7dd507bd4c3d\",\"layerType\":\"data\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":5,\"i\":\"8baff03a-7860-4fcc-90ff-3d5534e70845\",\"w\":
9,\"x\":0,\"y\":5},\"panelIndex\":\"8baff03a-7860-4fcc-90ff-3d5534e70845\",\"title\":\"Number of rogue SSIDs detected\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-bcffdee9-d006-4e9c-abcc-081ac4739d02\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"filter-index-pattern-0\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"filter-index-pattern-1\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"bcffdee9-d006-4e9c-abcc-081ac4739d02\":{\"columnOrder\":[\"86b75fce-daae-4725-8de4-6bcd5c7cc80a\"],\"columns\":{\"86b75fce-daae-4725-8de4-6bcd5c7cc80a\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"No. of SSID spoofing detected\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"filter-index-pattern-0\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"cisco_meraki.log\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"cisco_meraki.log\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"filter-index-pattern-1\",\"key\":\"cisco_meraki.event_subtype\",\"negate\":false,\"params\":{\"query\":\"ssid_spoofing_detected\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"cisco_meraki.event_subtype\":\"ssid_spoofing_detected\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"86b75fce-daae-4725-8de4-6bcd5c7cc80a\",\"layerId\":\"bcffdee9-d006-4e9c-abcc-081ac4739d02\",\"layerType\":\"data\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsMetric\"},\"enh
ancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":5,\"i\":\"bcfe3eee-750d-476f-b7c1-afec41803720\",\"w\":9,\"x\":0,\"y\":10},\"panelIndex\":\"bcfe3eee-750d-476f-b7c1-afec41803720\",\"title\":\"Number of SSID spoofing detected\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-9a165bef-572a-44fb-9285-70d75530b799\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"filter-index-pattern-0\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"9a165bef-572a-44fb-9285-70d75530b799\":{\"columnOrder\":[\"9df0ec49-bc15-494a-8ca7-437cd63ee7cd\",\"aca7f561-3ca9-4705-bf6e-e470d1fb0536\",\"5a195aa9-a6fa-45cd-94a7-89f782c9a638\"],\"columns\":{\"5a195aa9-a6fa-45cd-94a7-89f782c9a638\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Unique count of event.action\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"event.action\"},\"9df0ec49-bc15-494a-8ca7-437cd63ee7cd\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of event.category\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"5a195aa9-a6fa-45cd-94a7-89f782c9a638\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"event.category\"},\"aca7f561-3ca9-4705-bf6e-e470d1fb0536\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of 
event.action\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"5a195aa9-a6fa-45cd-94a7-89f782c9a638\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"event.action\"}},\"incompleteColumns\":{}}}}},\"filters\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"filter-index-pattern-0\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"cisco_meraki.log\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"cisco_meraki.log\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"9df0ec49-bc15-494a-8ca7-437cd63ee7cd\",\"aca7f561-3ca9-4705-bf6e-e470d1fb0536\"],\"layerId\":\"9a165bef-572a-44fb-9285-70d75530b799\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"5a195aa9-a6fa-45cd-94a7-89f782c9a638\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"pie\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":24,\"i\":\"e359d544-a8d6-4019-9756-74519a9d3335\",\"w\":27,\"x\":0,\"y\":15},\"panelIndex\":\"e359d544-a8d6-4019-9756-74519a9d3335\",\"title\":\"Events by category and 
action\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"description\":\"\",\"layerListJSON\":\"[{\\\"sourceDescriptor\\\":{\\\"type\\\":\\\"EMS_TMS\\\",\\\"isAutoSelect\\\":true},\\\"id\\\":\\\"09082ad3-0055-461d-bf69-2b69a5dfb298\\\",\\\"label\\\":null,\\\"minZoom\\\":0,\\\"maxZoom\\\":24,\\\"alpha\\\":1,\\\"visible\\\":true,\\\"style\\\":{\\\"type\\\":\\\"TILE\\\"},\\\"includeInFitToBounds\\\":true,\\\"type\\\":\\\"VECTOR_TILE\\\"},{\\\"sourceDescriptor\\\":{\\\"indexPatternId\\\":\\\"logs-*\\\",\\\"sourceGeoField\\\":\\\"source.geo.location\\\",\\\"destGeoField\\\":\\\"destination.geo.location\\\",\\\"id\\\":\\\"ce84cee6-da49-4261-beaa-628ca03abc52\\\",\\\"type\\\":\\\"ES_PEW_PEW\\\",\\\"applyGlobalQuery\\\":true,\\\"applyGlobalTime\\\":true,\\\"applyForceRefresh\\\":true,\\\"metrics\\\":[{\\\"type\\\":\\\"count\\\"}]},\\\"style\\\":{\\\"type\\\":\\\"VECTOR\\\",\\\"properties\\\":{\\\"icon\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"value\\\":\\\"marker\\\"}},\\\"fillColor\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"color\\\":\\\"#54B399\\\"}},\\\"lineColor\\\":{\\\"type\\\":\\\"DYNAMIC\\\",\\\"options\\\":{\\\"color\\\":\\\"Green to 
Red\\\",\\\"colorCategory\\\":\\\"palette_0\\\",\\\"field\\\":{\\\"name\\\":\\\"doc_count\\\",\\\"origin\\\":\\\"source\\\"},\\\"fieldMetaOptions\\\":{\\\"isEnabled\\\":true,\\\"sigma\\\":3},\\\"type\\\":\\\"ORDINAL\\\",\\\"useCustomColorRamp\\\":false}},\\\"lineWidth\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"size\\\":3}},\\\"iconSize\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"size\\\":6}},\\\"iconOrientation\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"orientation\\\":0}},\\\"labelText\\\":{\\\"type\\\":\\\"DYNAMIC\\\",\\\"options\\\":{\\\"field\\\":{\\\"label\\\":\\\"count\\\",\\\"name\\\":\\\"doc_count\\\",\\\"origin\\\":\\\"source\\\",\\\"type\\\":\\\"number\\\",\\\"supportsAutoDomain\\\":true}}},\\\"labelColor\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"color\\\":\\\"#000000\\\"}},\\\"labelSize\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"size\\\":14}},\\\"labelBorderColor\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"color\\\":\\\"#FFFFFF\\\"}},\\\"symbolizeAs\\\":{\\\"options\\\":{\\\"value\\\":\\\"circle\\\"}},\\\"labelBorderSize\\\":{\\\"options\\\":{\\\"size\\\":\\\"SMALL\\\"}}},\\\"isTimeAware\\\":true},\\\"id\\\":\\\"8dec8632-de8b-43df-9731-5c6c45ecb45f\\\",\\\"label\\\":\\\"src-dst-ip-p2p\\\",\\\"minZoom\\\":0,\\\"maxZoom\\\":24,\\\"alpha\\\":0.75,\\\"visible\\\":true,\\\"includeInFitToBounds\\\":true,\\\"type\\\":\\\"VECTOR\\\",\\\"joins\\\":[]}]\",\"mapStateJSON\":\"{\\\"zoom\\\":1.61,\\\"center\\\":{\\\"lon\\\":0,\\\"lat\\\":19.94277},\\\"timeFilters\\\":{\\\"from\\\":\\\"now-2y\\\",\\\"to\\\":\\\"now\\\"},\\\"refreshConfig\\\":{\\\"isPaused\\\":true,\\\"interval\\\":0},\\\"query\\\":{\\\"query\\\":\\\"\\\",\\\"language\\\":\\\"kuery\\\"},\\\"filters\\\":[{\\\"meta\\\":{\\\"index\\\":\\\"logs-*\\\",\\\"alias\\\":null,\\\"negate\\\":false,\\\"disabled\\\":false,\\\"type\\\":\\\"phrase\\\",\\\"key\\\":\\\"data_stream.dataset\\\",\\\"params\\\":{\\\"query\\\":\\\"cisco_meraki.log\\\"}},\\\"query
\\\":{\\\"match_phrase\\\":{\\\"data_stream.dataset\\\":\\\"cisco_meraki.log\\\"}},\\\"$state\\\":{\\\"store\\\":\\\"appState\\\"}}],\\\"settings\\\":{\\\"autoFitToDataBounds\\\":false,\\\"backgroundColor\\\":\\\"#ffffff\\\",\\\"disableInteractive\\\":false,\\\"disableTooltipControl\\\":false,\\\"hideToolbarOverlay\\\":false,\\\"hideLayerControl\\\":false,\\\"hideViewControl\\\":false,\\\"initialLocation\\\":\\\"LAST_SAVED_LOCATION\\\",\\\"fixedLocation\\\":{\\\"lat\\\":0,\\\"lon\\\":0,\\\"zoom\\\":2},\\\"browserLocation\\\":{\\\"zoom\\\":2},\\\"maxZoom\\\":24,\\\"minZoom\\\":0,\\\"showScaleControl\\\":false,\\\"showSpatialFilters\\\":true,\\\"showTimesliderToggleButton\\\":true,\\\"spatialFiltersAlpa\\\":0.3,\\\"spatialFiltersFillColor\\\":\\\"#DA8B45\\\",\\\"spatialFiltersLineColor\\\":\\\"#DA8B45\\\"}}\",\"title\":\"\",\"uiStateJSON\":\"{\\\"isLayerTOCOpen\\\":true,\\\"openTOCDetails\\\":[]}\"},\"enhancements\":{},\"hiddenLayers\":[],\"hidePanelTitles\":false,\"isLayerTOCOpen\":false,\"mapBuffer\":{\"maxLat\":85.05113,\"maxLon\":180,\"minLat\":-85.05113,\"minLon\":-180},\"mapCenter\":{\"lat\":19.50912,\"lon\":-10.59576,\"zoom\":0.61},\"openTOCDetails\":[]},\"gridData\":{\"h\":12,\"i\":\"beacf090-799a-415a-bbad-302cd02d50be\",\"w\":21,\"x\":27,\"y\":15},\"panelIndex\":\"beacf090-799a-415a-bbad-302cd02d50be\",\"title\":\"IP 
Flows\",\"type\":\"map\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-04c98418-d7c7-4552-9ed3-d0380795febd\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"filter-index-pattern-0\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"04c98418-d7c7-4552-9ed3-d0380795febd\":{\"columnOrder\":[\"1e47d004-4347-46ee-aed2-280f64e8888d\",\"4c2300ef-9033-45bd-8b0e-06deea3996f1\"],\"columns\":{\"1e47d004-4347-46ee-aed2-280f64e8888d\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of url.original\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"4c2300ef-9033-45bd-8b0e-06deea3996f1\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"url.original\"},\"4c2300ef-9033-45bd-8b0e-06deea3996f1\":{\"dataType\":\"number\",\"filter\":{\"language\":\"kuery\",\"query\":\"\"},\"isBucketed\":false,\"label\":\"Count of 
records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"filter-index-pattern-0\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"cisco_meraki.log\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"cisco_meraki.log\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"accessors\":[\"4c2300ef-9033-45bd-8b0e-06deea3996f1\"],\"layerId\":\"04c98418-d7c7-4552-9ed3-d0380795febd\",\"layerType\":\"data\",\"position\":\"top\",\"seriesType\":\"bar_horizontal\",\"showGridlines\":false,\"xAccessor\":\"1e47d004-4347-46ee-aed2-280f64e8888d\",\"yConfig\":[{\"axisMode\":\"auto\",\"forAccessor\":\"4c2300ef-9033-45bd-8b0e-06deea3996f1\"}]}],\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"preferredSeriesType\":\"bar_horizontal\",\"title\":\"Empty XY chart\",\"valueLabels\":\"hide\",\"yLeftExtent\":{\"mode\":\"full\"},\"yRightExtent\":{\"mode\":\"full\"}}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsXY\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":12,\"i\":\"58d65007-15fc-492f-a8db-f509b7d28aad\",\"w\":21,\"x\":27,\"y\":27},\"panelIndex\":\"58d65007-15fc-492f-a8db-f509b7d28aad\",\"title\":\"Top URL access\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":20,\"i\":\"a7fc4a8a-954f-4fc0-acfc-2d358c89b2c6\",\"w\":48,\"x\":0,\"y\":39},\"panelIndex\":\"a7fc4a8a-954f-4fc0-acfc-2d358c89b2c6\",\"title\":\"Log stream\",\"type\":\"LOG_STREAM_EMBEDDABLE\",\"version\":\"7.17.0\"}]", - "timeRestore": false, - "title": "[Logs Cisco Meraki Syslog Events] Overview", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "cisco_meraki-4832a430-af22-11ec-a899-6f7e676e0fb4", - "migrationVersion": { - "dashboard": "7.17.0" - }, - 
"references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "372a6801-2e52-4c4c-a674-746eec7f7e09:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "372a6801-2e52-4c4c-a674-746eec7f7e09:indexpattern-datasource-layer-9f3c668f-fec6-4125-ae7b-fcb073df79c1", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "372a6801-2e52-4c4c-a674-746eec7f7e09:filter-index-pattern-0", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "03bf41fe-673d-4f95-9d6e-510d8dc46ba6:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "03bf41fe-673d-4f95-9d6e-510d8dc46ba6:indexpattern-datasource-layer-511effff-5682-4cfa-a2de-739bbefa93ea", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "03bf41fe-673d-4f95-9d6e-510d8dc46ba6:filter-index-pattern-0", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "475cb47c-34d7-4c56-b57d-e27d25678fc8:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "475cb47c-34d7-4c56-b57d-e27d25678fc8:indexpattern-datasource-layer-abda3ec0-db97-4e02-a42e-45e716110de2", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "475cb47c-34d7-4c56-b57d-e27d25678fc8:filter-index-pattern-0", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "58bbda58-7c31-44e1-8568-d37c2c585e53:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "58bbda58-7c31-44e1-8568-d37c2c585e53:indexpattern-datasource-layer-d8f74b4f-a83b-47bc-b862-2bc47ee790eb", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "8baff03a-7860-4fcc-90ff-3d5534e70845:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": 
"8baff03a-7860-4fcc-90ff-3d5534e70845:indexpattern-datasource-layer-5dc18b67-2c60-44c0-b3b5-7dd507bd4c3d", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "8baff03a-7860-4fcc-90ff-3d5534e70845:filter-index-pattern-0", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "8baff03a-7860-4fcc-90ff-3d5534e70845:filter-index-pattern-1", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "bcfe3eee-750d-476f-b7c1-afec41803720:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "bcfe3eee-750d-476f-b7c1-afec41803720:indexpattern-datasource-layer-bcffdee9-d006-4e9c-abcc-081ac4739d02", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "bcfe3eee-750d-476f-b7c1-afec41803720:filter-index-pattern-0", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "bcfe3eee-750d-476f-b7c1-afec41803720:filter-index-pattern-1", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "e359d544-a8d6-4019-9756-74519a9d3335:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "e359d544-a8d6-4019-9756-74519a9d3335:indexpattern-datasource-layer-9a165bef-572a-44fb-9285-70d75530b799", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "e359d544-a8d6-4019-9756-74519a9d3335:filter-index-pattern-0", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "beacf090-799a-415a-bbad-302cd02d50be:layer_1_source_index_pattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "58d65007-15fc-492f-a8db-f509b7d28aad:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "58d65007-15fc-492f-a8db-f509b7d28aad:indexpattern-datasource-layer-04c98418-d7c7-4552-9ed3-d0380795febd", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "58d65007-15fc-492f-a8db-f509b7d28aad:filter-index-pattern-0", - "type": "index-pattern" - } - ], - "type": 
"dashboard" -} \ No newline at end of file diff --git a/packages/cisco_meraki/1.2.0/manifest.yml b/packages/cisco_meraki/1.2.0/manifest.yml deleted file mode 100755 index b28e473e0b..0000000000 --- a/packages/cisco_meraki/1.2.0/manifest.yml +++ /dev/null @@ -1,50 +0,0 @@ -format_version: 1.0.0 -name: cisco_meraki -title: Cisco Meraki -version: 1.2.0 -license: basic -description: Collect logs from Cisco Meraki with Elastic Agent. -type: integration -categories: - - network - - security -release: ga -conditions: - kibana.version: ^7.17.0 || ^8.0.0 -screenshots: - - src: /img/cisco-meraki-dashboard-1.png - title: Cisco Meraki Dashboard - size: 600x600 - type: image/png - - src: /img/cisco-meraki-dashboard-2.png - title: Cisco Meraki Dashboard - size: 600x600 - type: image/png - - src: /img/cisco-meraki-dashboard-3.png - title: Cisco Meraki Dashboard - size: 600x600 - type: image/png -icons: - - src: /img/cisco-logo.svg - title: Cisco logo - size: 32x32 - type: image/svg+xml -policy_templates: - - name: cisco_meraki - title: Cisco Meraki logs or events - description: Collect logs or events from Cisco Meraki - inputs: - - type: udp - title: Collect syslog from Cisco Meraki via UDP - description: Collecting syslog from Cisco Meraki via UDP - - type: tcp - title: Collect syslog from Cisco Meraki via TCP - description: Collecting syslog from Cisco Meraki via TCP - - type: logfile - title: Collect syslog from Cisco Meraki via file - description: Collecting syslog from Cisco Meraki via file - - type: http_endpoint - title: Collect events from Cisco Meraki via Webhooks - description: Collecting events from Cisco Meraki via Webhooks -owner: - github: elastic/security-external-integrations diff --git a/packages/cisco_meraki/1.2.1/LICENSE.txt b/packages/cisco_meraki/1.2.1/LICENSE.txt deleted file mode 100755 index 809108b857..0000000000 --- a/packages/cisco_meraki/1.2.1/LICENSE.txt +++ /dev/null 
@@ -1,93 +0,0 @@ -Elastic License 2.0 - -URL: https://www.elastic.co/licensing/elastic-license - -## Acceptance - -By using the software, you agree to all of the terms and conditions below. - -## Copyright License - -The licensor grants you a non-exclusive, royalty-free, worldwide, -non-sublicensable, non-transferable license to use, copy, distribute, make -available, and prepare derivative works of the software, in each case subject to -the limitations and conditions below. - -## Limitations - -You may not provide the software to third parties as a hosted or managed -service, where the service provides users with access to any substantial set of -the features or functionality of the software. - -You may not move, change, disable, or circumvent the license key functionality -in the software, and you may not remove or obscure any functionality in the -software that is protected by the license key. - -You may not alter, remove, or obscure any licensing, copyright, or other notices -of the licensor in the software. Any use of the licensor’s trademarks is subject -to applicable law. - -## Patents - -The licensor grants you a license, under any patent claims the licensor can -license, or becomes able to license, to make, have made, use, sell, offer for -sale, import and have imported the software, in each case subject to the -limitations and conditions in this license. This license does not cover any -patent claims that you cause to be infringed by modifications or additions to -the software. If you or your company make any written claim that the software -infringes or contributes to infringement of any patent, your patent license for -the software granted under these terms ends immediately. If your company makes -such a claim, your patent license ends immediately for work on behalf of your -company. - -## Notices - -You must ensure that anyone who gets a copy of any part of the software from you -also gets a copy of these terms. 
- -If you modify the software, you must include in any modified copies of the -software prominent notices stating that you have modified the software. - -## No Other Rights - -These terms do not imply any licenses other than those expressly granted in -these terms. - -## Termination - -If you use the software in violation of these terms, such use is not licensed, -and your licenses will automatically terminate. If the licensor provides you -with a notice of your violation, and you cease all violation of this license no -later than 30 days after you receive that notice, your licenses will be -reinstated retroactively. However, if you violate these terms after such -reinstatement, any additional violation of these terms will cause your licenses -to terminate automatically and permanently. - -## No Liability - -*As far as the law allows, the software comes as is, without any warranty or -condition, and the licensor will not be liable to you for any damages arising -out of these terms or the use or nature of the software, under any kind of -legal claim.* - -## Definitions - -The **licensor** is the entity offering these terms, and the **software** is the -software the licensor makes available under these terms, including any portion -of it. - -**you** refers to the individual or entity agreeing to these terms. - -**your company** is any legal entity, sole proprietorship, or other kind of -organization that you work for, plus all organizations that have control over, -are under the control of, or are under common control with that -organization. **control** means ownership of substantially all the assets of an -entity, or the power to direct its management and policies by vote, contract, or -otherwise. Control can be direct or indirect. - -**your licenses** are all the licenses granted to you for the software under -these terms. - -**use** means anything you do with the software requiring one of your licenses. 
- -**trademark** means trademarks, service marks, and similar rights. diff --git a/packages/cisco_meraki/1.2.1/changelog.yml b/packages/cisco_meraki/1.2.1/changelog.yml deleted file mode 100755 index cab9355dd4..0000000000 --- a/packages/cisco_meraki/1.2.1/changelog.yml +++ /dev/null 
@@ -1,101 +0,0 @@ -# newer versions go on top -- version: "1.2.1" - changes: - - description: Remove duplicate field. - type: bugfix - link: https://github.com/elastic/integrations/issues/4327 -- version: "1.2.0" - changes: - - description: Add preserve_original_event function to default pipeline - type: enhancement - link: https://github.com/elastic/integrations/pull/4097 -- version: "1.1.2" - changes: - - description: Fix MAC address formatting. - type: bugfix - link: https://github.com/elastic/integrations/issues/4283 -- version: "1.1.1" - changes: - - description: Use ECS geo.location definition. - type: enhancement - link: https://github.com/elastic/integrations/issues/4227 -- version: "1.1.0" - changes: - - description: Update package to ECS 8.4.0 - type: enhancement - link: https://github.com/elastic/integrations/pull/3924 -- version: "1.0.1" - changes: - - description: Fix client.geo.location mapping - type: bugfix - link: https://github.com/elastic/integrations/pull/3941 -- version: "1.0.0" - changes: - - description: Make GA - type: enhancement - link: https://github.com/elastic/integrations/pull/3859 -- version: "0.6.1" - changes: - - description: Update package name and description to align with standard wording - type: enhancement - link: https://github.com/elastic/integrations/pull/3478 -- version: "0.6.0" - changes: - - description: Update package to ECS 8.3.0. 
- type: enhancement - link: https://github.com/elastic/integrations/pull/3353 -- version: "0.5.1" - changes: - - description: Fix doc build - type: enhancement - link: https://github.com/elastic/integrations/pull/3529 -- version: "0.5.0" - changes: - - description: Replace RSA2ELK with Syslog and Webhook integration - type: enhancement - link: https://github.com/elastic/integrations/pull/2897 -- version: "0.4.1" - changes: - - description: Add documentation for multi-fields - type: enhancement - link: https://github.com/elastic/integrations/pull/2916 -- version: "0.4.0" - changes: - - description: Update to ECS 8.0.0 - type: enhancement - link: https://github.com/elastic/integrations/pull/2580 -- version: "0.3.1" - changes: - - description: Regenerate test files using the new GeoIP database - type: bugfix - link: https://github.com/elastic/integrations/pull/2339 -- version: "0.3.0" - changes: - - description: Add 8.0.0 version constraint - type: enhancement - link: https://github.com/elastic/integrations/pull/2270 -- version: "0.2.3" - changes: - - description: Update Title and Description. - type: enhancement - link: https://github.com/elastic/integrations/pull/1956 -- version: "0.2.2" - changes: - - description: Fixed a bug that prevents the package from working in 7.16. - type: bugfix - link: https://github.com/elastic/integrations/pull/1882 -- version: "0.2.1" - changes: - - description: Fix logic that checks for the 'forwarded' tag - type: bugfix - link: https://github.com/elastic/integrations/pull/1808 -- version: "0.2.0" - changes: - - description: Update to ECS 1.12.0 - type: enhancement - link: https://github.com/elastic/integrations/pull/1785 -- version: "0.1.0" - changes: - - description: Initial commit splitting Cisco meraki from general Cisco package - type: enhancement - link: https://github.com/elastic/integrations/pull/1587 
diff --git a/packages/cisco_meraki/1.2.1/data_stream/events/agent/stream/http_endpoint.yml.hbs b/packages/cisco_meraki/1.2.1/data_stream/events/agent/stream/http_endpoint.yml.hbs deleted file mode 100755 index 1203728f14..0000000000 --- a/packages/cisco_meraki/1.2.1/data_stream/events/agent/stream/http_endpoint.yml.hbs +++ /dev/null @@ -1,41 +0,0 @@ -type: http_endpoint -enabled: true -prefix: json - -{{#if listen_address}} -listen_address: {{listen_address}} -{{/if}} -{{#if listen_port}} -listen_port: {{listen_port}} -{{/if}} -{{#if url}} -url: {{url}} -{{/if}} - -{{#if secret_value}} -secret.header: Authorization -secret.value: "{{secret_value}}" -{{/if}} - -{{#if ssl}} -ssl: {{ssl}} -{{/if}} - -{{#if preserve_original_event}} -preserve_original_event: true -{{/if}} - -tags: -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#each tags as |tag i|}} - - {{tag}} -{{/each}} -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} -{{#if processors}} -processors: -{{processors}} -{{/if}} diff --git a/packages/cisco_meraki/1.2.1/data_stream/events/elasticsearch/ingest_pipeline/default.yml b/packages/cisco_meraki/1.2.1/data_stream/events/elasticsearch/ingest_pipeline/default.yml deleted file mode 100755 index ace8dc48cb..0000000000 --- a/packages/cisco_meraki/1.2.1/data_stream/events/elasticsearch/ingest_pipeline/default.yml +++ /dev/null 
@@ -1,300 +0,0 @@ ---- -description: Pipeline for processing Cisco Meraki events -processors: -- set: - field: ecs.version - value: '8.4.0' -- set: - field: observer.serial_number - copy_from: json.deviceSerial -- gsub: - field: json.deviceMac - target_field: observer.mac - pattern: '[-:.]' - replacement: '-' -- set: - field: observer.name - copy_from: json.deviceName -- set: - field: observer.vendor - value: Cisco -- set: - field: observer.product - copy_from: json.deviceModel -- set: - field: network.name - copy_from: json.networkName -- date: - field: json.occurredAt - formats: - - ISO8601 -- set: - field: organization.id - copy_from: json.organizationId -- set: - field: organization.name - copy_from: json.organizationName -- set: - field: log.level - copy_from: json.alertLevel -- append: - field: event.category - value: network -- append: - field: event.type - value: info -- script: - lang: painless - description: The script sets event type, action and category based on type and sub-type fields - params: - eventmap: - "started_reporting": - type: - - start - "stopped_reporting": - type: - - end - "foreign_ap": - category: - - intrusion_detection - - threat - type: - - indicator - "bluetooth_in": - type: - - start - "bluetooth_out": - type: - - end - "port_cable_error": - type: - - connection - "node_hardware_failure": - category: - - host - type: - - end - "cellular_up": - type: - - start - "cellular_down": - type: - - end - "umbrella_expiring": - category: - - configuration - "ip_conflict": - type: - - protocol - "rogue_ap_association": - category: - - threat - type: - - indicator - "client_connectivity": - category: - - session - type: - - connection - "pcc_security_compliance": - category: - - configuration - "pcc_security_violation": - category: - - configuration - - threat - type: - - change - - indicator - "pcc_outage_end": - category: - - host - type: - - connection - "pcc_enrollment": - category: - - session - type: - - connection - - start - 
"geofencing_out": - type: - - connection - "pcc_outage_begin": - category: - - host - type: - - connection - - end - "dhcp_no_leases": - type: - - connection - - denied - - protocol - "vrrp": - category: - - configuration - type: - - change - "pcc_expired_apns_cert": - category: - - authentication - "amp_malware_blocked": - category: - - threat - - intrusion_detection - type: - - indicator - - denied - "amp_malware_detected": - category: - - threat - - intrusion_detection - type: - - indicator - - allowed - "pcc_sw_found": - category: - - host - - configuration - type: - - change - "pcc_unmanaged": - category: - - configuration - - iam - type: - - change - - deletion - "dhcp_alerts": - type: - - protocol - "power_supply_up": - type: - - start - "power_supply_down": - category: - - host - type: - - end - "unreachable_radius_server": - category: - - authentication - type: - - end - - denied - "rogue_ap": - category: - - threat - type: - - indicator - "rogue_dhcp": - category: - - threat - type: - - indicator - "settings_changed": - category: - - configuration - type: - - change - "port_connected": - type: - - connection - "port_disconnected": - type: - - end - "port_speed_change": - category: - - configuration - type: - - change - - protocol - "udld_error": - type: - - connection - - end - "uplink_ip6_conflict": - type: - - protocol - if: ctx?.json?.alertTypeId != null - source: |- - def alertTypeId = ctx.json.alertTypeId; - def eventMap = params.get('eventmap'); - def eventData = eventMap.get(alertTypeId); - ctx.event.action = ctx.json.alertType; - if (eventData == null) { - // Unclassified events - // - geofencing_in, critical_temperature - // - gateway_to_repeater, mi_alert - // - motion_alert, usage_alert - // - new_splash_signup, rps_base_supply_up - // - rps_backup, vpn_connectivity_change - return; - } - def eventCategory = eventData.get('category'); - if (eventCategory != null) { - for (def c : eventCategory) { - ctx.event.category.add(c); - } - } - def 
eventType = eventData.get('type'); - if (eventType != null) { - for (def t : eventType) { - ctx.event.type.add(t); - } - } -- rename: - field: json - target_field: cisco_meraki.event -## -# Clean up -## -- remove: - field: - - cisco_meraki.event.deviceSerial - - cisco_meraki.event.deviceMac - - cisco_meraki.event.deviceName - - cisco_meraki.event.deviceModel - - cisco_meraki.event.occurredAt - - cisco_meraki.event.networkName - - cisco_meraki.event.organizationId - - cisco_meraki.event.organizationName - - cisco_meraki.event.alertType - - cisco_meraki.event.alertLevel - ignore_missing: true -- remove: - field: event.original - if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" - ignore_failure: true - ignore_missing: true -- script: - lang: painless - description: This script processor iterates over the whole document to remove fields with null values. - source: | - void handleMap(Map map) { - for (def x : map.values()) { - if (x instanceof Map) { - handleMap(x); - } else if (x instanceof List) { - handleList(x); - } - } - map.values().removeIf(v -> v == null || v == '' || (v instanceof Map && v.size() == 0) || (v instanceof List && v.size() == 0)); - } - void handleList(List list) { - for (def x : list) { - if (x instanceof Map) { - handleMap(x); - } else if (x instanceof List) { - handleList(x); - } - } - list.removeIf(v -> v == null || v == '' || (v instanceof Map && v.size() == 0) || (v instanceof List && v.size() == 0)); - } - handleMap(ctx); - -on_failure: -- set: - field: error.message - value: '{{ _ingest.on_failure_message }}' diff --git a/packages/cisco_meraki/1.2.1/data_stream/events/fields/agent.yml b/packages/cisco_meraki/1.2.1/data_stream/events/fields/agent.yml deleted file mode 100755 index 90bd07fa04..0000000000 --- a/packages/cisco_meraki/1.2.1/data_stream/events/fields/agent.yml +++ /dev/null 
@@ -1,184 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). 
- example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - -- name: input.type - type: keyword - description: Input type. -- name: log.source.address - type: keyword - description: Source address from which the log event was read / sent from. -- name: log.offset - type: long - description: Offset of the entry in the log file. diff --git a/packages/cisco_meraki/1.2.1/data_stream/events/fields/base-fields.yml b/packages/cisco_meraki/1.2.1/data_stream/events/fields/base-fields.yml deleted file mode 100755 index fcbdca9da6..0000000000 --- a/packages/cisco_meraki/1.2.1/data_stream/events/fields/base-fields.yml +++ /dev/null 
@@ -1,21 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: event.module - type: constant_keyword - description: Event module - value: cisco_meraki -- name: event.dataset - type: constant_keyword - description: Event dataset - value: cisco_meraki.events -- name: container.id - description: Unique container id. - ignore_above: 1024 - type: keyword diff --git a/packages/cisco_meraki/1.2.1/data_stream/events/fields/ecs.yml b/packages/cisco_meraki/1.2.1/data_stream/events/fields/ecs.yml deleted file mode 100755 index 56320fe5d0..0000000000 --- a/packages/cisco_meraki/1.2.1/data_stream/events/fields/ecs.yml +++ /dev/null 
@@ -1,697 +0,0 @@ -- description: |- - Date/time when the event originated. - This is the date/time extracted from the event, typically representing when the event was generated by the source. - If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. - Required field for all events. - name: '@timestamp' - type: date -- description: IP address of the client (IPv4 or IPv6). - name: client.ip - type: ip -- description: |- - MAC address of the client. - The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. - name: client.mac - type: keyword -- description: |- - The domain name of the client system. - This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. - name: client.domain - type: keyword -- description: |- - The highest registered client domain, stripped of the subdomain. - For example, the registered domain for "foo.example.com" is "example.com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". - name: client.registered_domain - type: keyword -- description: |- - The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. - For example the subdomain portion of "www.east.mydomain.co.uk" is "east". 
If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. - name: client.subdomain - type: keyword -- description: |- - The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". - name: client.top_level_domain - type: keyword -- description: |- - Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: destination.address - type: keyword -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: destination.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: destination.as.organization.name - type: keyword -- description: Bytes sent from the destination to the source. - name: destination.bytes - type: long -- description: |- - The domain name of the destination system. - This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. - name: destination.domain - type: keyword -- description: City name. - name: destination.geo.city_name - type: keyword -- description: Country name. - name: destination.geo.country_name - type: keyword -- description: Longitude and latitude. 
- name: destination.geo.location - type: geo_point -- description: IP address of the destination (IPv4 or IPv6). - name: destination.ip - type: ip -- description: |- - MAC address of the destination. - The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. - name: destination.mac - pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ - type: keyword -- description: |- - Translated ip of destination based NAT sessions (e.g. internet to private DMZ) - Typically used with load balancers, firewalls, or routers. - name: destination.nat.ip - type: ip -- description: |- - Port the source session is translated to by NAT Device. - Typically used with load balancers, firewalls, or routers. - name: destination.nat.port - type: long -- description: Port of the destination. - name: destination.port - type: long -- description: |- - The highest registered destination domain, stripped of the subdomain. - For example, the registered domain for "foo.example.com" is "example.com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". - name: destination.registered_domain - type: keyword -- description: |- - The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. - For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. 
- name: destination.subdomain - type: keyword -- description: |- - The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". - name: destination.top_level_domain - type: keyword -- description: |- - The domain name to which this resource record pertains. - If a chain of CNAME is being resolved, each answer's `name` should be the one that corresponds with the answer's `data`. It should not simply be the original `question.name` repeated. - name: dns.answers.name - type: keyword -- description: The type of data contained in this resource record. - name: dns.answers.type - type: keyword -- description: |- - The highest registered domain, stripped of the subdomain. - For example, the registered domain for "foo.example.com" is "example.com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". - name: dns.question.registered_domain - type: keyword -- description: |- - The subdomain is all of the labels under the registered_domain. - If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. - name: dns.question.subdomain - type: keyword -- description: |- - The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). 
Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". - name: dns.question.top_level_domain - type: keyword -- description: The type of record being queried. - name: dns.question.type - type: keyword -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: Error message. - name: error.message - type: match_only_text -- description: |- - The action captured by the event. - This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. - name: event.action - type: keyword -- description: |- - Identification code for this event, if one exists. - Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. - name: event.code - type: keyword -- description: |- - Timestamp when an event arrived in the central data store. - This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. - In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. - name: event.ingested - type: date -- description: |- - Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. - This field is not indexed and doc_values are disabled. 
It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. - doc_values: false - index: false - name: event.original - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. - `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. - Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. - Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. - Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. - name: event.outcome - type: keyword -- description: |- - This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. - Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). - name: event.timezone - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. - `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. 
This will allow proper categorization of some events that fall in multiple event types.
- name: event.type
- normalize:
- - array
- type: keyword
-- description: |-
- This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy.
- `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory.
- This field is an array. This will allow proper categorization of some events that fall in multiple categories.
- name: event.category
- normalize:
- - array
- type: keyword
-- description: |-
- Array of file attributes.
- Attributes names will vary by platform. Here's a non-exhaustive list of values that are expected in this field: archive, compressed, directory, encrypted, execute, hidden, read, readonly, system, write.
- name: file.attributes
- normalize:
- - array
- type: keyword
-- description: Directory where the file is located. It should include the drive letter, when appropriate.
- name: file.directory
- type: keyword
-- description: |-
- File extension, excluding the leading dot.
- Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz").
- name: file.extension
- type: keyword
-- description: Name of the file including the extension, without the directory.
- name: file.name
- type: keyword
-- description: Full path to the file, including the file name. It should include the drive letter, when appropriate.
- multi_fields:
- - name: text
- type: match_only_text
- name: file.path
- type: keyword
-- description: |-
- File size in bytes.
- Only relevant when `file.type` is "file".
- name: file.size
- type: long
-- description: File type (file, dir, or symlink).
- name: file.type
- type: keyword
-- description: City name.
- name: geo.city_name
- type: keyword
-- description: Country name.
- name: geo.country_name
- type: keyword
-- description: |-
- User-defined description of a location, at the level of granularity they care about.
- Could be the name of their data centers, the floor number, if this describes a local physical entity, city names.
- Not typically used in automated geolocation.
- name: geo.name
- type: keyword
-- description: Region name.
- name: geo.region_name
- type: keyword
-- description: Unique identifier for the group on the system/platform.
- name: group.id
- type: keyword
-- description: Name of the group.
- name: group.name
- type: keyword
-- description: |-
- Hostname of the host.
- It normally contains what the `hostname` command returns on the host machine.
- name: host.hostname
- type: keyword
-- description: Host ip addresses.
- name: host.ip
- normalize:
- - array
- type: ip
-- description: |-
- Host MAC addresses.
- The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen.
- name: host.mac
- normalize:
- - array
- pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$
- type: keyword
-- description: |-
- Name of the host.
- It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.
- name: host.name
- type: keyword
-- description: |-
- HTTP request method.
- The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field.
- name: http.request.method
- type: keyword
-- description: Referrer for this HTTP request.
- name: http.request.referrer
- type: keyword
-- description: |-
- Original log level of the log event.
- If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity).
- Some examples are `warn`, `err`, `i`, `informational`.
- name: log.level
- type: keyword
-- description: |-
- The Syslog numeric facility of the log event, if available.
- According to RFCs 5424 and 3164, this value should be an integer between 0 and 23.
- name: log.syslog.facility.code
- type: long
-- description: |-
- Syslog numeric priority of the event, if available.
- According to RFCs 5424 and 3164, the priority is 8 * facility + severity. This number is therefore expected to contain a value between 0 and 191.
- name: log.syslog.priority
- type: long
-- description: |-
- The Syslog numeric severity of the log event, if available.
- If the event source publishing via Syslog provides a different numeric severity value (e.g. firewall, IDS), your source's numeric severity should go to `event.severity`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `event.severity`.
- name: log.syslog.severity.code
- type: long
-- description: |-
- Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate.
- If the event wasn't read from a log file, do not populate this field.
- name: log.file.path
- type: keyword
-- description: List of keywords used to tag each event.
- name: tags
- normalize:
- - array
- type: keyword
-- description: |-
- For log events the message field contains the log message, optimized for viewing in a log viewer.
- For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event.
- If multiple messages exist, they can be combined into one message.
- name: message
- type: match_only_text
-- description: |-
- When a specific application or service is identified from network connection details (source/dest IPs, ports, certificates, or wire format), this field captures the application's or service's name.
- For example, the original event identifies the network connection being from a specific web service in a `https` network connection, like `facebook` or `twitter`.
- The field value must be normalized to lowercase for querying.
- name: network.application
- type: keyword
-- description: |-
- Total bytes transferred in both directions.
- If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum.
- name: network.bytes
- type: long
-- description: |-
- Direction of the network traffic.
- When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress".
- When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external".
- Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers.
- name: network.direction
- type: keyword
-- description: Host IP address when the source IP address is the proxy.
- name: network.forwarded_ip
- type: ip
-- description: |-
- Total packets transferred in both directions.
- If `source.packets` and `destination.packets` are known, `network.packets` is their sum.
- name: network.packets
- type: long
-- description: |-
- In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`.
- The field value must be normalized to lowercase for querying.
- name: network.protocol
- type: keyword
-- description: Interface name as reported by the system.
- name: observer.egress.interface.name
- type: keyword
-- description: Interface name as reported by the system.
- name: observer.ingress.interface.name
- type: keyword
-- description: The product name of the observer.
- name: observer.product
- type: keyword
-- description: |-
- The type of the observer the data is coming from.
- There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`.
- name: observer.type
- type: keyword
-- description: Vendor name of the observer.
- name: observer.vendor
- type: keyword
-- description: Observer version.
- name: observer.version
- type: keyword
-- description: |-
- MAC addresses of the observer.
- The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen.
- name: observer.mac
- normalize:
- - array
- pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$
- type: keyword
-- description: |-
- Custom name of the observer.
- This is a name that can be given to an observer. This can be helpful for example if multiple firewalls of the same model are used in an organization.
- If no custom name is needed, the field can be left empty.
- name: observer.name
- type: keyword
-- description: Observer serial number.
- name: observer.serial_number
- type: keyword
-- description: |-
- Process name.
- Sometimes called program name or similar.
- multi_fields:
- - name: text
- type: match_only_text
- name: process.name
- type: keyword
-- description: |-
- Process name.
- Sometimes called program name or similar.
- multi_fields:
- - name: text
- type: match_only_text
- name: process.parent.name
- type: keyword
-- description: |-
- Process title.
- The proctitle, some times the same as process name.
Can also be different: for example a browser setting its title to the web page currently opened.
- multi_fields:
- - name: text
- type: match_only_text
- name: process.parent.title
- type: keyword
-- description: Process id.
- name: process.pid
- type: long
-- description: Process id.
- name: process.parent.pid
- type: long
-- description: |-
- Process title.
- The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened.
- multi_fields:
- - name: text
- type: match_only_text
- name: process.title
- type: keyword
-- description: All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases.
- name: related.hosts
- normalize:
- - array
- type: keyword
-- description: All of the IPs seen on your event.
- name: related.ip
- normalize:
- - array
- type: ip
-- description: All the user names or other user identifiers seen on the event.
- name: related.user
- normalize:
- - array
- type: keyword
-- description: The name of the rule or signature generating the event.
- name: rule.name
- type: keyword
-- description: |-
- MAC address of the server.
- The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen.
- name: server.mac
- pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$
- type: keyword
-- description: |-
- The domain name of the server system.
- This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment.
- name: server.domain
- type: keyword
-- description: |-
- The highest registered server domain, stripped of the subdomain.
- For example, the registered domain for "foo.example.com" is "example.com".
- This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk".
- name: server.registered_domain
- type: keyword
-- description: |-
- The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain.
- For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period.
- name: server.subdomain
- type: keyword
-- description: |-
- The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com".
- This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk".
- name: server.top_level_domain
- type: keyword
-- description: |-
- Name of the service data is collected from.
- The name of the service is normally user given. This allows for distributed services that run on multiple hosts to correlate the related instances based on the name.
- In the case of Elasticsearch the `service.name` could contain the cluster name. For Beats the `service.name` is by default a copy of the `service.type` field if no name is specified.
- name: service.name
- type: keyword
-- description: |-
- Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field.
- Then it should be duplicated to `.ip` or `.domain`, depending on which one it is.
- name: source.address
- type: keyword
-- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet.
- name: source.as.number
- type: long
-- description: Organization name.
- multi_fields:
- - name: text
- type: match_only_text
- name: source.as.organization.name
- type: keyword
-- description: Bytes sent from the source to the destination.
- name: source.bytes
- type: long
-- description: |-
- The domain name of the source system.
- This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment.
- name: source.domain
- type: keyword
-- description: City name.
- name: source.geo.city_name
- type: keyword
-- description: Country name.
- name: source.geo.country_name
- type: keyword
-- description: Longitude and latitude.
- name: source.geo.location
- type: geo_point
-- description: IP address of the source (IPv4 or IPv6).
- name: source.ip
- type: ip
-- description: |-
- MAC address of the source.
- The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen.
- name: source.mac
- pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$
- type: keyword
-- description: |-
- Translated ip of source based NAT sessions (e.g. internal client to internet)
- Typically connections traversing load balancers, firewalls, or routers.
- name: source.nat.ip
- type: ip
-- description: |-
- Translated port of source based NAT sessions. (e.g. internal client to internet)
- Typically used with load balancers, firewalls, or routers.
- name: source.nat.port
- type: long
-- description: Port of the source.
- name: source.port
- type: long
-- description: |-
- The highest registered source domain, stripped of the subdomain.
- For example, the registered domain for "foo.example.com" is "example.com".
- This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk".
- name: source.registered_domain
- type: keyword
-- description: |-
- The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain.
- For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period.
- name: source.subdomain
- type: keyword
-- description: |-
- The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com".
- This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk".
- name: source.top_level_domain
- type: keyword
-- description: |-
- Domain of the url, such as "www.elastic.co".
- In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field.
- If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field.
- name: url.domain
- type: keyword
-- description: |-
- Unmodified original url as seen in the event source.
- Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path.
- This field is meant to represent the URL as it was observed, complete or not.
- multi_fields:
- - name: text
- type: match_only_text
- name: url.original
- type: wildcard
-- description: Path of the request, such as "/search".
- name: url.path
- type: wildcard
-- description: |-
- The query field describes the query string of the request, such as "q=elasticsearch".
- The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases.
- name: url.query
- type: keyword
-- description: |-
- The highest registered url domain, stripped of the subdomain.
- For example, the registered domain for "foo.example.com" is "example.com".
- This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk".
- name: url.registered_domain
- type: keyword
-- description: |-
- The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com".
- This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk".
- name: url.top_level_domain
- type: keyword
-- description: |-
- Name of the directory the user is a member of.
- For example, an LDAP or Active Directory domain name.
- name: user.domain
- type: keyword
-- description: User's full name, if available.
- multi_fields:
- - name: text
- type: match_only_text
- name: user.full_name
- type: keyword
-- description: Unique identifier of the user.
- name: user.id
- type: keyword
-- description: Short name or login of the user.
- multi_fields:
- - name: text
- type: match_only_text
- name: user.name
- type: keyword
-- description: Unparsed user_agent string.
- multi_fields:
- - name: text
- type: match_only_text
- name: user_agent.original
- type: keyword
-- description: Hostname of the observer.
- name: observer.hostname
- type: keyword
-- description: Name of the continent.
- name: destination.geo.continent_name
- type: keyword
-- description: Country ISO code.
- name: destination.geo.country_iso_code
- type: keyword
-- description: Region ISO code.
- name: destination.geo.region_iso_code
- type: keyword
-- description: Region name.
- name: destination.geo.region_name
- type: keyword
-- description: Name of the continent.
- name: source.geo.continent_name
- type: keyword
-- description: Country ISO code.
- name: source.geo.country_iso_code
- type: keyword
-- description: Region ISO code.
- name: source.geo.region_iso_code
- type: keyword
-- description: Region name.
- name: source.geo.region_name
- type: keyword
-- description: VLAN ID as reported by the observer.
- name: network.vlan.id
- type: keyword
-- description: |-
- The type of software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®.
- While not required, you can use a MITRE ATT&CK® software type.
- name: threat.software.type
- type: keyword
-- description: The date and time when intelligence source last reported sighting this indicator.
- name: threat.indicator.last_seen
- type: date
-- description: Describes the type of action conducted by the threat.
- name: threat.indicator.description
- type: keyword
-- description: Reference URL linking to additional information about this indicator.
- name: threat.indicator.reference
- type: keyword
-- description: Name of the file including the extension, without the directory.
- name: threat.indicator.file.name
- type: keyword
-- description: SHA256 hash.
- name: threat.indicator.file.hash.sha256
- type: keyword
-- description: |-
- Direction of the network traffic.
- When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress".
- When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external".
- Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers.
- name: network.direction
- type: keyword
-- description: |-
- In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`.
- The field value must be normalized to lowercase for querying.
- name: network.protocol
- type: keyword
-- description: City name.
- name: client.geo.city_name
- type: keyword
-- description: Name of the continent.
- name: client.geo.continent_name
- type: keyword
-- description: Country ISO code.
- name: client.geo.country_iso_code
- type: keyword
-- description: Country name.
- name: client.geo.country_name
- type: keyword
-- description: Longitude and latitude.
- name: client.geo.location.lat
- type: geo_point
-- description: Longitude and latitude.
- name: client.geo.location.lon
- type: geo_point
-- description: Region ISO code.
- name: client.geo.region_iso_code
- type: keyword
-- description: Region name.
- name: client.geo.region_name
- type: keyword
-- description: Unique identifier for the organization.
- name: organization.id
- type: keyword
-- description: Organization name.
- multi_fields:
- - name: text
- type: match_only_text
- name: organization.name
- type: keyword
-- description: Name given by operators to sections of their network.
- name: network.name
- type: keyword
diff --git a/packages/cisco_meraki/1.2.1/data_stream/events/fields/fields.yml b/packages/cisco_meraki/1.2.1/data_stream/events/fields/fields.yml
deleted file mode 100755
index 7443e7680a..0000000000
--- a/packages/cisco_meraki/1.2.1/data_stream/events/fields/fields.yml
+++ /dev/null
@@ -1,72 +0,0 @@
-- name: cisco_meraki
- type: group
- fields:
- - name: event
- type: group
- fields:
- - name: version
- type: keyword
- description: Current version of webhook format
- - name: sharedSecret
- type: keyword
- description: User defined secret to be validated by the webhook receiver (optional)
- - name: sentAt
- type: date
- description: Timestamp of the sent message (UTC)
- - name: organizationId
- type: keyword
- description: ID of the Meraki organization
- - name: organizationName
- type: keyword
- description: Name of the Meraki organization
- - name: organizationUrl
- type: keyword
- description: URL of the Meraki Dashboard organization
- - name: networkId
- type: keyword
- description: ID for the Meraki network
- - name: networkName
- type: keyword
- description: Name for the Meraki network
- - name: networkUrl
- type: keyword
- description: URL of the Meraki Dashboard network
- - name: networkTags
- type: keyword
- description: Tags assigned to the Meraki network
- - name: deviceSerial
- type: keyword
- description: Serial number of the Meraki device
- - name: deviceMac
- type: keyword
- description: MAC address of the Meraki device
- - name: deviceName
- type: keyword
- description: Name assigned to the Meraki device
- - name: deviceUrl
- type: keyword
- description: URL of the Meraki device
- - name: deviceTags
- type: keyword
- description: Tags assigned to the Meraki device
- - name: deviceModel
- type: keyword
- description: Meraki device model
- - name: alertId
- type: keyword
- description: ID for this alert message
- - name: alertType
- type: keyword
- description: Type of alert (“Network usage alert”, “Settings changed”, etc.)
- - name: alertTypeId
- type: keyword
- description: Unique ID for the type of alert
- - name: alertLevel
- type: keyword
- description: Alert level (informational, critical etc.)
- - name: occurredAt
- type: date
- description: Timestamp of the alert (UTC)
- - name: alertData
- type: flattened
- description: Additional alert data (differs based on alert type)
diff --git a/packages/cisco_meraki/1.2.1/data_stream/events/manifest.yml b/packages/cisco_meraki/1.2.1/data_stream/events/manifest.yml
deleted file mode 100755
index bc4b29aa45..0000000000
--- a/packages/cisco_meraki/1.2.1/data_stream/events/manifest.yml
+++ /dev/null
@@ -1,76 +0,0 @@
-title: Cisco Meraki webhook events
-release: experimental
-type: logs
-streams:
- - input: http_endpoint
- title: Cisco Meraki webhook events
- description: Receives events from Cisco Meraki webhook
- template_path: http_endpoint.yml.hbs
- enabled: false
- vars:
- - name: listen_address
- type: text
- title: Listen Address
- description: Bind address for the listener. Use 0.0.0.0 to listen on all interfaces.
- multi: false
- required: true
- show_user: true
- default: localhost
- - name: listen_port
- type: integer
- title: Listen Port
- multi: false
- required: true
- show_user: true
- default: 8686
- - name: url
- type: text
- title: Webhook path
- description: URL path where the webhook will accept requests.
- multi: false
- required: true
- show_user: false
- default: /meraki/events
- - name: secret_value
- type: text
- description: Authorization token
- multi: false
- required: false
- show_user: true
- - name: ssl
- type: yaml
- title: TLS
- description: Options for enabling TLS for the listening webhook endpoint. See the [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/configuration-ssl.html) for a list of all options.
- multi: false
- required: false
- show_user: false
- default: |
- enabled: false
- certificate: "/etc/pki/client/cert.pem"
- key: "/etc/pki/client/cert.key"
- - name: tags
- type: text
- title: Tags
- multi: true
- required: true
- show_user: false
- default:
- - forwarded
- - meraki-events
- - name: preserve_original_event
- required: true
- show_user: true
- title: Preserve original event
- description: Preserves a raw copy of the original event, added to the field `event.original`
- type: bool
- multi: false
- default: false
- - name: processors
- type: yaml
- title: Processors
- multi: false
- required: false
- show_user: false
- description: >
- Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata.
This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
-
diff --git a/packages/cisco_meraki/1.2.1/data_stream/events/sample_event.json b/packages/cisco_meraki/1.2.1/data_stream/events/sample_event.json
deleted file mode 100755
index 83633463a4..0000000000
--- a/packages/cisco_meraki/1.2.1/data_stream/events/sample_event.json
+++ /dev/null
@@ -1,86 +0,0 @@
-{
- "@timestamp": "2018-02-11T00:00:00.123Z",
- "agent": {
- "ephemeral_id": "4e898a47-a469-4602-9ba2-0a46f55a3998",
- "id": "e999e428-e6a9-4c63-bd05-0eda93c920b3",
- "name": "docker-fleet-agent",
- "type": "filebeat",
- "version": "8.3.2"
- },
- "cisco_meraki": {
- "event": {
- "alertData": {
- "connection": "LTE",
- "local": "192.168.1.2",
- "model": "UML290VW",
- "provider": "Purview Wireless",
- "remote": "1.2.3.5"
- },
- "alertId": "0000000000000000",
- "alertTypeId": "cellular_up",
- "deviceTags": [
- "tag1",
- "tag2"
- ],
- "deviceUrl": "https://n1.meraki.com//n//manage/nodes/new_list/000000000000",
- "networkId": "N_24329156",
- "networkUrl": "https://n1.meraki.com//n//manage/nodes/list",
- "organizationUrl": "https://dashboard.meraki.com/o/VjjsAd/manage/organization/overview",
- "sentAt": "2021-10-07T08:42:00.926325Z",
- "sharedSecret": "secret",
- "version": "0.1"
- }
- },
- "data_stream": {
- "dataset": "cisco_meraki.events",
- "namespace": "ep",
- "type": "logs"
- },
- "ecs": {
- "version": "8.4.0"
- },
- "elastic_agent": {
- "id": "e999e428-e6a9-4c63-bd05-0eda93c920b3",
- "snapshot": false,
- "version": "8.3.2"
- },
- "event": {
- "action": "Cellular came up",
- "agent_id_status": "verified",
- "category": [
- "network"
- ],
- "dataset": "cisco_meraki.events",
- "ingested": "2022-08-08T18:48:35Z",
- "original": "{\"alertData\":{\"connection\":\"LTE\",\"local\":\"192.168.1.2\",\"model\":\"UML290VW\",\"provider\":\"Purview Wireless\",\"remote\":\"1.2.3.5\"},\"alertId\":\"0000000000000000\",\"alertLevel\":\"informational\",\"alertType\":\"Cellular came up\",\"alertTypeId\":\"cellular_up\",\"deviceMac\":\"00:11:22:33:44:55\",\"deviceModel\":\"MX\",\"deviceName\":\"My appliance\",\"deviceSerial\":\"Q234-ABCD-5678\",\"deviceTags\":[\"tag1\",\"tag2\"],\"deviceUrl\":\"https://n1.meraki.com//n//manage/nodes/new_list/000000000000\",\"networkId\":\"N_24329156\",\"networkName\":\"Main 
Office\",\"networkTags\":[],\"networkUrl\":\"https://n1.meraki.com//n//manage/nodes/list\",\"occurredAt\":\"2018-02-11T00:00:00.123450Z\",\"organizationId\":\"2930418\",\"organizationName\":\"My organization\",\"organizationUrl\":\"https://dashboard.meraki.com/o/VjjsAd/manage/organization/overview\",\"sentAt\":\"2021-10-07T08:42:00.926325Z\",\"sharedSecret\":\"secret\",\"version\":\"0.1\"}",
- "type": [
- "info",
- "start"
- ]
- },
- "input": {
- "type": "http_endpoint"
- },
- "log": {
- "level": "informational"
- },
- "network": {
- "name": "Main Office"
- },
- "observer": {
- "mac": "00-11-22-33-44-55",
- "name": "My appliance",
- "product": "MX",
- "serial_number": "Q234-ABCD-5678",
- "vendor": "Cisco"
- },
- "organization": {
- "id": "2930418",
- "name": "My organization"
- },
- "tags": [
- "preserve_original_event",
- "forwarded",
- "meraki-events"
- ]
-}
\ No newline at end of file
diff --git a/packages/cisco_meraki/1.2.1/data_stream/log/agent/stream/logfile.yml.hbs b/packages/cisco_meraki/1.2.1/data_stream/log/agent/stream/logfile.yml.hbs
deleted file mode 100755
index 52b248876b..0000000000
--- a/packages/cisco_meraki/1.2.1/data_stream/log/agent/stream/logfile.yml.hbs
+++ /dev/null
@@ -1,27 +0,0 @@
-paths:
-{{#each paths as |path i|}}
- - {{path}}
-{{/each}}
-exclude_files: [".gz$"]
-
-tags:
-{{#if preserve_original_event}}
- - preserve_original_event
-{{/if}}
-{{#each tags as |tag i|}}
- - {{tag}}
-{{/each}}
-
-{{#contains "forwarded" tags}}
-publisher_pipeline.disable_host: true
-{{/contains}}
-
-fields_under_root: true
-fields:
- _conf:
- tz_offset: '{{tz_offset}}'
-
-{{#if processors}}
-processors:
-{{processors}}
-{{/if}}
diff --git a/packages/cisco_meraki/1.2.1/data_stream/log/agent/stream/tcp.yml.hbs b/packages/cisco_meraki/1.2.1/data_stream/log/agent/stream/tcp.yml.hbs
deleted file mode 100755
index 993860734e..0000000000
--- a/packages/cisco_meraki/1.2.1/data_stream/log/agent/stream/tcp.yml.hbs
+++ /dev/null
@@ -1,24 +0,0 @@ -host: "{{listen_address}}:{{listen_port}}" -max_message_size: 1 MiB - -tags: -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#each tags as |tag i|}} - - {{tag}} -{{/each}} - -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} - -fields_under_root: true -fields: - _conf: - tz_offset: '{{tz_offset}}' - -{{#if processors}} -processors: -{{processors}} -{{/if}} diff --git a/packages/cisco_meraki/1.2.1/data_stream/log/agent/stream/udp.yml.hbs b/packages/cisco_meraki/1.2.1/data_stream/log/agent/stream/udp.yml.hbs deleted file mode 100755 index 993860734e..0000000000 --- a/packages/cisco_meraki/1.2.1/data_stream/log/agent/stream/udp.yml.hbs +++ /dev/null @@ -1,24 +0,0 @@ -host: "{{listen_address}}:{{listen_port}}" -max_message_size: 1 MiB - -tags: -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#each tags as |tag i|}} - - {{tag}} -{{/each}} - -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} - -fields_under_root: true -fields: - _conf: - tz_offset: '{{tz_offset}}' - -{{#if processors}} -processors: -{{processors}} -{{/if}} diff --git a/packages/cisco_meraki/1.2.1/data_stream/log/elasticsearch/ingest_pipeline/airmarshal.yml b/packages/cisco_meraki/1.2.1/data_stream/log/elasticsearch/ingest_pipeline/airmarshal.yml deleted file mode 100755 index 2a7b399e94..0000000000 --- a/packages/cisco_meraki/1.2.1/data_stream/log/elasticsearch/ingest_pipeline/airmarshal.yml +++ /dev/null 
@@ -1,63 +0,0 @@ ---- -description: Pipeline for Cisco Meraki airmarshal_events type -processors: -- dissect: - description: Determine the airmarshal event type - field: event.original - pattern: "%{} airmarshal_events %{*type}=%{&type} %{}" -- rename: - field: type - target_field: cisco_meraki.event_subtype -- grok: - field: event.original - patterns: - - '%{GREEDYDATA} ssid=%{QS:_temp.ssid}%{SPACE}%{GREEDYDATA:_temp.kvline}' -- dissect: - field: _temp.ssid - pattern: "'%{_temp.kv.ssid}'" -- kv: - field: _temp.kvline - field_split: " " - value_split: "=" - target_field: _temp.kv - strip_brackets: true -- rename: - field: _temp.kv.ssid - target_field: network.name - if: ctx?._temp?.kv?.ssid != null -- rename: - field: _temp.kv.bssid - target_field: cisco_meraki.bssid -- rename: - field: _temp.kv.vap - target_field: cisco_meraki.vap - if: ctx?.cisco_meraki?.event_subtype == 'ssid_spoofing_detected' -- gsub: - field: _temp.kv.src - target_field: source.mac - pattern: '[-:.]' - replacement: '-' -- gsub: - field: _temp.kv.dst - target_field: destination.mac - pattern: '[-:.]' - replacement: '-' -- gsub: - field: _temp.kv.wired_mac - target_field: observer.mac - pattern: '[-:.]' - replacement: '-' - if: ctx?.cisco_meraki?.event_subtype == 'rogue_ssid_detected' -- rename: - field: _temp.kv.vlan_id - target_field: network.vlan.id - if: ctx?.cisco_meraki?.event_subtype == 'rogue_ssid_detected' -- rename: - field: _temp.kv.channel - target_field: cisco_meraki.channel -- rename: - field: _temp.kv.fc_type - target_field: cisco_meraki.fc_type -- rename: - field: _temp.kv.fc_subtype - target_field: cisco_meraki.fc_subtype diff --git a/packages/cisco_meraki/1.2.1/data_stream/log/elasticsearch/ingest_pipeline/default.yml b/packages/cisco_meraki/1.2.1/data_stream/log/elasticsearch/ingest_pipeline/default.yml deleted file mode 100755 index 019665db1c..0000000000 --- a/packages/cisco_meraki/1.2.1/data_stream/log/elasticsearch/ingest_pipeline/default.yml +++ /dev/null 
@@ -1,361 +0,0 @@ ---- -description: Pipeline for Cisco Meraki syslog -processors: -- set: - field: ecs.version - value: '8.4.0' -- rename: - field: message - target_field: event.original -- dissect: - description: Extract syslog words - field: event.original - pattern: "%{} %{_temp.ts_nano} %{observer.hostname} %{cisco_meraki.event_type} %{}" -- date: - field: _temp.ts_nano - formats: - - UNIX - timezone: '{{{_conf.tz_offset}}}' -- pipeline: - name: '{{ IngestPipeline "flows" }}' - if: ctx.cisco_meraki.event_type == 'flows' -- pipeline: - name: '{{ IngestPipeline "ipflows" }}' - if: ctx.cisco_meraki.event_type == 'ip_flow_start' || ctx.cisco_meraki.event_type == 'ip_flow_end' -- pipeline: - name: '{{ IngestPipeline "airmarshal" }}' - if: ctx.cisco_meraki.event_type == 'airmarshal_events' -- pipeline: - name: '{{ IngestPipeline "security" }}' - if: ctx.cisco_meraki.event_type == 'security_event' -- pipeline: - name: '{{ IngestPipeline "idsalerts" }}' - if: ctx.cisco_meraki.event_type == 'ids-alerts' -- pipeline: - name: '{{ IngestPipeline "events" }}' - if: ctx.cisco_meraki.event_type == 'events' -- pipeline: - name: '{{ IngestPipeline "urls" }}' - if: ctx.cisco_meraki.event_type == 'urls' -- append: - field: event.category - value: ["network"] -- append: - field: event.type - value: ["info"] -- script: - lang: painless - description: The script sets event type, action and category based on type and sub-type fields - tag: set-event-type-for-meraki-events - params: - eventmap: - "vpn_connectivity_change": - category: - - session - type: - - connection - action: vpn-connectivity-change - "dhcp_offer": - type: - - access - - allowed - action: dhcp-offer - "dhcp_no_offer": - type: - - access - - denied - action: dhcp-no-offer - "Site-to-Site VPN": - type: - - access - action: site-to-site-vpn - "client_vpn_connect": - category: - - session - type: - - access - - allowed - - start - action: site-to-site-vpn - "ip_session_initiated": - type: - - access - - start - 
action: ip-session-initiated - "flow_allowed": - type: - - connection - - start - action: layer3-firewall-allowed-flow - "flow_denied": - type: - - access - - denied - action: layer3-firewall-denied-flow - "http_access": - category: - - web - type: - - access - action: http-access - "http_access_error": - category: - - web - type: - - error - action: http-access-error - "ids_alerted": - category: - - threat - type: - - indicator - action: ids-signature-matched - "security_filtering_file_scanned": - category: - - threat - - malware - type: - - indicator - - info - action: malicious-file-actioned - "security_filtering_disposition_change": - category: - - threat - - malware - type: - - indicator - - info - action: issued-retrospective-malicious-disposition - "association": - type: - - access - - connection - action: wifi-association-request - "disassociation": - category: - - session - type: - - access - - end - action: wifi-disassociation-request - "wpa_auth": - category: - - authentication - type: - - start - - access - action: wifi-wpa-authentication - "wpa_deauth": - category: - - authentication - type: - - end - - denied - action: wifi-wpa-failed-auth-or-deauth - "8021x_eap_failure": - category: - - authentication - type: - - end - - denied - action: wifi-8021x-failed-authentication-attempt - "8021x_deauth": - category: - - authentication - type: - - end - - denied - action: wifi-8021x-failed-auth-or-deauth - "8021x_eap_success": - category: - - authentication - type: - - start - action: wifi-8021x-auth - "splash_auth": - category: - - authentication - type: - - start - action: splash-authentication - "device_packet_flood": - category: - - threat - type: - - indicator - action: wireless-packet-flood-detected - "rogue_ssid_detected": - category: - - threat - type: - - indicator - action: rogue-ssid-detected - "ssid_spoofing_detected": - category: - - threat - type: - - indicator - action: ssid-spoofing-detected - "multiple_dhcp_servers_detected": - type: - - 
protocol - "dfs_event": - action: dynamic-frequency-selection-detected - "aps_association_reject": - action: association-rejected-for-load-balancing - if: ctx?.cisco_meraki?.event_subtype != null - source: |- - def eventMap = params.get('eventmap'); - def eventData = eventMap.get(ctx.cisco_meraki.event_subtype); - if (eventData == null) { - ctx.event.action = ctx.cisco_meraki.event_subtype; - return; - } - def eventCategory = eventData.get('category'); - def eventType = eventData.get('type'); - def eventAction = eventData.get('action'); - if (eventType != null) { - for (def t : eventType) { - ctx.event.type.add(t); - } - } - if (eventCategory != null) { - for (def c : eventCategory) { - ctx.event.category.add(c); - } - } - if (eventAction != null) { - ctx.event.action = eventAction; - } - -# IP Geolocation Lookup (source) -- geoip: - field: source.ip - target_field: source.geo - ignore_missing: true - if: ctx.source?.geo == null && ctx?.source?.ip != null -# IP Autonomous System (AS) Lookup -- geoip: - database_file: GeoLite2-ASN.mmdb - field: source.ip - target_field: source.as - properties: - - asn - - organization_name - ignore_missing: true - if: ctx?.source?.ip != null -- rename: - field: source.as.asn - target_field: source.as.number - ignore_missing: true -- rename: - field: source.as.organization_name - target_field: source.as.organization.name - ignore_missing: true -# IP Geolocation Lookup (destination) -- geoip: - field: destination.ip - target_field: destination.geo - ignore_missing: true - if: ctx.destination?.geo == null && ctx?.destination?.ip != null -# IP Autonomous System (AS) Lookup -- geoip: - database_file: GeoLite2-ASN.mmdb - field: destination.ip - target_field: destination.as - properties: - - asn - - organization_name - ignore_missing: true - if: ctx?.destination?.ip != null -- rename: - field: destination.as.asn - target_field: destination.as.number - ignore_missing: true -- rename: - field: destination.as.organization_name - target_field: 
destination.as.organization.name - ignore_missing: true -# IP Geolocation Lookup (client) -- geoip: - field: client.ip - target_field: client.geo - ignore_missing: true - if: ctx.client?.geo == null && ctx?.client?.ip != null -# IP Autonomous System (AS) Lookup -- geoip: - database_file: GeoLite2-ASN.mmdb - field: client.ip - target_field: client.as - properties: - - asn - - organization_name - ignore_missing: true - if: ctx?.client?.ip != null -- rename: - field: client.as.asn - target_field: client.as.number - ignore_missing: true -- rename: - field: client.as.organization_name - target_field: client.as.organization.name - ignore_missing: true -## -# Clean up -## -- remove: - field: - - _temp - - _conf - - sport - - dport - - mac - - src - - dst - - translated_src_ip - - translated_dst_ip - - translated_port - - wired_mac - - rssi - - protocol - - dhost - - client_mac - - radio - - sts - - msgtype - - timestamp - ignore_missing: true -- script: - lang: painless - description: This script processor iterates over the whole document to remove fields with null values. - source: | - void handleMap(Map map) { - for (def x : map.values()) { - if (x instanceof Map) { - handleMap(x); - } else if (x instanceof List) { - handleList(x); - } - } - map.values().removeIf(v -> v == null || v == '' || (v instanceof Map && v.size() == 0) || (v instanceof List && v.size() == 0)); - } - void handleList(List list) { - for (def x : list) { - if (x instanceof Map) { - handleMap(x); - } else if (x instanceof List) { - handleList(x); - } - } - list.removeIf(v -> v == null || v == '' || (v instanceof Map && v.size() == 0) || (v instanceof List && v.size() == 0)); - } - handleMap(ctx); -- remove: - field: event.original - if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" - ignore_failure: true - ignore_missing: true -on_failure: -- set: - field: error.message - value: '{{ _ingest.on_failure_message }}' 
diff --git a/packages/cisco_meraki/1.2.1/data_stream/log/elasticsearch/ingest_pipeline/events.yml b/packages/cisco_meraki/1.2.1/data_stream/log/elasticsearch/ingest_pipeline/events.yml deleted file mode 100755 index 42ee924ac9..0000000000 --- a/packages/cisco_meraki/1.2.1/data_stream/log/elasticsearch/ingest_pipeline/events.yml +++ /dev/null 
@@ -1,206 +0,0 @@ ---- -description: Pipeline for Cisco Meraki events type -processors: -#################################################### -# set event_subtype based on type/format -#################################################### -- dissect: - description: Determine event type/format - field: event.original - pattern: "%{} events %{msgtype} %{}" -- set: - field: cisco_meraki.event_subtype - value: 'Site-to-Site VPN' - if: ctx?.msgtype.toLowerCase() == "site-to-site" -- set: - field: cisco_meraki.event_subtype - value: client_vpn_connect - if: ctx?.msgtype.toLowerCase() == "client_vpn_connect" -#################################################### -# log event with type= format -# these are dfs_event, association, disassocation, -# vpn_connectivity_change, wpa_auth, wpa_deauth -#################################################### -- dissect: - description: Get the event subtype - field: event.original - pattern: "%{} events type=%{type} %{}" - if: ctx?.msgtype.startsWith("type=") -- rename: - field: type - target_field: cisco_meraki.event_subtype - if: ctx?.type != null - -#################################################### -# Handle DHCP log events -#################################################### -- dissect: - field: event.original - pattern: "%{} events dhcp %{_temp.dhcp_op} %{_temp.dhcp_op2} %{}" - if: ctx?.msgtype.toLowerCase() == "dhcp" -- set: - field: network.protocol - value: dhcp - if: ctx?.msgtype.toLowerCase() == "dhcp" -- dissect: - field: event.original - pattern: "%{} events dhcp lease of ip %{_temp.client_ip} from %{} mac %{server.mac} for client mac %{client.mac} %{}" - if: ctx?.msgtype.toLowerCase() == "dhcp" && ctx?._temp?.dhcp_op.toLowerCase() == 'lease' -- dissect: - field: event.original - pattern: "%{} events dhcp no offers for mac %{client.mac} %{}" - if: ctx?.msgtype.toLowerCase() == "dhcp" && ctx?._temp?.dhcp_op.toLowerCase() == 'no' && ctx?._temp?.dhcp_op2.toLowerCase() == 'offers' -- set: - field: cisco_meraki.event_subtype - 
value: dhcp_offer - if: ctx?.msgtype.toLowerCase() == "dhcp" && ctx?._temp?.dhcp_op == 'lease' -- set: - field: cisco_meraki.event_subtype - value: dhcp_no_offer - if: ctx?.msgtype.toLowerCase() == "dhcp" && ctx?._temp?.dhcp_op.toLowerCase() == 'no' && ctx?._temp?.dhcp_op2.toLowerCase() == 'offers' -#################################################### -# Handle Site-to-Site VPN message -#################################################### -- grok: - description: Process Site-to-Site VPN messages - field: event.original - patterns: - - '%{SYSLOGHDR}%{SPACE}%{NUMBER}%{SPACE}%{WORDORHOST}%{SPACE}events%{SPACE}(?i)Site-to-Site VPN:%{GREEDYDATA:cisco_meraki.site_to_site_vpn.raw}' - pattern_definitions: - SYSLOGPRI: '<%{NONNEGINT:log.syslog.priority:long}>' - SYSLOGVER: '\b(?:\d{1,2})\b' - SYSLOGHDR: '%{SYSLOGPRI}%{SYSLOGVER}' - WORDORHOST: '(?:%{WORD}|%{HOSTNAME})' - if: ctx.event.original.startsWith('<') && ctx?.cisco_meraki?.event_subtype == "Site-to-Site VPN" - -#################################################### -# Handle dfs_event, wpa_auth, wpa_deauth, -# association or disassociation -#################################################### -- grok: - field: event.original - patterns: - - '%{SYSLOGHDR}%{SPACE}%{NUMBER}%{SPACE}%{WORDORHOST}%{SPACE}events%{SPACE}%{GREEDYDATA:_temp.rest}' - pattern_definitions: - SYSLOGPRI: '<%{NONNEGINT:log.syslog.priority:long}>' - SYSLOGVER: '\b(?:\d{1,2})\b' - SYSLOGHDR: '%{SYSLOGPRI}%{SYSLOGVER}' - WORDORHOST: '(?:%{WORD}|%{HOSTNAME})' - if: ctx.event.original.startsWith('<') && ['dfs_event', 'association', 'disassociation', 'aps_association_reject', 'multiple_dhcp_servers_detected', 'wpa_deauth', 'wpa_auth', 'vpn_connectivity_change', '8021x_eap_failure', '8021x_auth', '8021x_deauth', '8021x_eap_success', 'splash_auth', 'device_packet_flood'].contains(ctx.cisco_meraki.event_subtype) -- kv: - field: _temp.rest - field_split: "[ \t]{1,}" - value_split: "=" - target_field: cisco_meraki.{{{cisco_meraki.event_subtype}}} - 
strip_brackets: true - if: ctx?._temp?.rest != null && ['dfs_event', 'association', 'disassociation', 'aps_association_reject', 'multiple_dhcp_servers_detected', 'wpa_deauth', 'wpa_auth', '8021x_eap_failure', '8021x_auth', '8021x_deauth', '8021x_eap_success', 'splash_auth', 'device_packet_flood'].contains(ctx.cisco_meraki.event_subtype) -# special case for site-to-site vpn -- kv: - field: _temp.rest - field_split: "[ \t]{1,}" - value_split: "=" - target_field: cisco_meraki.site_to_site_vpn.connectivity_change - strip_brackets: true - if: ctx?._temp?.rest != null && ctx?.cisco_meraki?.event_subtype == 'vpn_connectivity_change' - -#################################################### -# Move values from event subtypes to ECS fields -# multiple_dhcp_servers_detected -#################################################### -- set: - field: network.protocol - value: dhcp - if: ctx?.cisco_meraki?.event_subtype == 'multiple_dhcp_servers_detected' -- rename: - field: cisco_meraki.multiple_dhcp_servers_detected.original_server_mac - target_field: server.mac - if: ctx?.cisco_meraki?.event_subtype == 'multiple_dhcp_servers_detected' -# process original_server_ip -- grok: - field: cisco_meraki.multiple_dhcp_servers_detected.original_server_ip - patterns: - - "^%{IPV4:cisco_meraki.multiple_dhcp_servers_detected.original_server_ip}$" - - "^%{IPV6:cisco_meraki.multiple_dhcp_servers_detected.original_server_ip}$" - if: ctx?.cisco_meraki?.event_subtype == 'multiple_dhcp_servers_detected' - ignore_failure: true -- convert: - type: ip - field: cisco_meraki.multiple_dhcp_servers_detected.original_server_ip - target_field: server.ip - if: ctx?.cisco_meraki?.event_subtype == 'multiple_dhcp_servers_detected' - ignore_failure: true -# cleanup only if the conversion was successful -- remove: - field: cisco_meraki.multiple_dhcp_servers_detected.original_server_ip - if: ctx?.server?.ip != null -- append: - field: related.ip - value: "{{{server.ip}}}" - if: ctx?.cisco_meraki?.event_subtype == 
'multiple_dhcp_servers_detected' -# process server_ip (the other dhcp server ip) -- grok: - field: cisco_meraki.multiple_dhcp_servers_detected.server_ip - patterns: - - "^%{IPV4:cisco_meraki.multiple_dhcp_servers_detected.server_ip}$" - - "^%{IPV6:cisco_meraki.multiple_dhcp_servers_detected.server_ip}$" - if: ctx?.cisco_meraki?.event_subtype == 'multiple_dhcp_servers_detected' -- convert: - type: ip - field: cisco_meraki.multiple_dhcp_servers_detected.server_ip - if: ctx?.cisco_meraki?.event_subtype == 'multiple_dhcp_servers_detected' -- append: - field: related.ip - value: "{{{cisco_meraki.multiple_dhcp_servers_detected.server_ip}}}" - if: ctx?.cisco_meraki?.event_subtype == 'multiple_dhcp_servers_detected' -#################################################### -# wpa_deauth -#################################################### -- rename: - field: cisco_meraki.wpa_deauth.client_mac - target_field: client.mac - if: ctx?.cisco_meraki?.event_subtype == 'wpa_deauth' - -#################################################### -# Handle client_vpn_connect -#################################################### -- dissect: - field: event.original - pattern: "%{} events client_vpn_connect user id '%{user.name}' local ip %{network.forwarded_ip} connected from %{_temp.client_ip}" - if: ctx?.cisco_meraki?.event_subtype == "client_vpn_connect" - -#################################################### -# parse dissected IP values and convert to IP type -# common case for DHCP lease and client_vpn_connect -#################################################### -- grok: - field: _temp.client_ip - patterns: - - "^%{IPV4:_temp.client_ip}$" - - "^%{IPV6:_temp.client_ip}$" - if: ctx?._temp?.client_ip != null - ignore_failure: true -- convert: - type: ip - field: _temp.client_ip - target_field: client.ip - if: ctx?._temp?.client_ip != null - ignore_failure: true - -# Make MAC addresses conform to ECS spec. 
-- gsub: - field: client.mac - pattern: '[:.]' - replacement: '-' - ignore_missing: true -- uppercase: - field: client.mac - ignore_missing: true -- gsub: - field: server.mac - pattern: '[:.]' - replacement: '-' - ignore_missing: true -- uppercase: - field: server.mac - ignore_missing: true - diff --git a/packages/cisco_meraki/1.2.1/data_stream/log/elasticsearch/ingest_pipeline/flows.yml b/packages/cisco_meraki/1.2.1/data_stream/log/elasticsearch/ingest_pipeline/flows.yml deleted file mode 100755 index 7f47b9f6cc..0000000000 --- a/packages/cisco_meraki/1.2.1/data_stream/log/elasticsearch/ingest_pipeline/flows.yml +++ /dev/null 
@@ -1,72 +0,0 @@ ---- -description: Pipeline for Cisco Meraki flows message type -processors: -- dissect: - description: Determine if the token is src= or operation - field: event.original - pattern: "%{} %{} %{} %{} %{_temp.token} %{}" -- dissect: - description: Case for src= follows flows keyword - field: event.original - pattern: "%{} flows %{*src}=%{&src} %{*dst}=%{&dst} %{*prot}=%{&prot} %{*sport}=%{&sport} %{*dport}=%{&dport} %{}" - if: ctx._temp.token.startsWith("src=") == true -- dissect: - description: Case for firewall action prepends src= - field: event.original - pattern: "%{} flows %{cisco_meraki.flows.op} %{*src}=%{&src} %{*dst}=%{&dst} %{*mac}=%{&mac} %{*prot}=%{&prot} %{*sport}=%{&sport} %{*dport}=%{&dport}" - if: ctx._temp.token.startsWith("src=") == false -- grok: - field: src - patterns: - - "^%{IPV4:src}$" - - "^%{IPV6:src}$" - if: ctx?.src != null -- convert: - type: ip - field: src - target_field: source.ip - ignore_failure: true -- grok: - field: dst - patterns: - - "^%{IPV4:dst}$" - - "^%{IPV6:dst}$" - if: ctx?.dst != null -- convert: - type: ip - field: dst - target_field: destination.ip - ignore_failure: true -- rename: - field: protocol - target_field: network.protocol -- convert: - field: sport - target_field: source.port - type: long - if: ctx?.sport != "0" - ignore_failure: true -- convert: - field: dport - target_field: destination.port - type: long - if: ctx?.dport != "0" - ignore_failure: true -- gsub: - field: mac - target_field: source.mac - pattern: '[-:.]' - replacement: '-' - if: ctx._temp.token.startsWith("src=") == false -- set: - field: cisco_meraki.event_subtype - value: "ip_session_initiated" - if: ctx._temp.token.startsWith("src=") == true -- set: - field: cisco_meraki.event_subtype - value: "flow_allowed" - if: ctx._temp.token.startsWith("src=") == false && ctx?.cisco_meraki?.flows?.op == 'allow' -- set: - field: cisco_meraki.event_subtype - value: "flow_denied" - if: ctx._temp.token.startsWith("src=") == false && 
ctx?.cisco_meraki?.flows?.op == 'deny' diff --git a/packages/cisco_meraki/1.2.1/data_stream/log/elasticsearch/ingest_pipeline/idsalerts.yml b/packages/cisco_meraki/1.2.1/data_stream/log/elasticsearch/ingest_pipeline/idsalerts.yml deleted file mode 100755 index a1684a5e30..0000000000 --- a/packages/cisco_meraki/1.2.1/data_stream/log/elasticsearch/ingest_pipeline/idsalerts.yml +++ /dev/null @@ -1,48 +0,0 @@ ---- -description: Pipeline for Cisco Meraki ids-alerts type -processors: -- dissect: - description: Determine the ids-alerts security event type - field: event.original - pattern: "%{} ids-alerts %{*sig}=%{&sig} %{*pri}=%{&pri} %{*ts}=%{&ts} %{*dir}=%{&dir} %{*prot}=%{&prot} %{*src}=%{&src}" -- set: - field: cisco_meraki.event_subtype - value: ids_alerted -- rename: - field: priority - target_field: cisco_meraki.security.priority -- rename: - field: signature - target_field: cisco_meraki.security.signature -- date: - field: timestamp - target_field: threat.indicator.last_seen - formats: ['UNIX'] -- rename: - field: direction - target_field: network.direction -- lowercase: - field: protocol - target_field: network.protocol -- grok: - field: src - patterns: - - "^%{IPV4:_temp.src_ip}:%{PORT:sport}$" - - "^\\[%{IPV6:_temp.src_ip}\\]:%{PORT:sport}$" - - "^%{IPV6NOCOMPRESS:_temp.src_ip}:%{PORT:sport}$" - - "^%{IPV6:_temp.src_ip}%{IPV6PORTSEP}%{PORT:sport}$" - pattern_definitions: - IPV6NOCOMPRESS: '([0-9A-Fa-f]{1,4}:){7}[0-9A-Fa-f]{1,4}' - IPV6PORTSEP: '(?: port |[p#.])' - PORT: '[0-9]+' - if: ctx?.src != null -- convert: - type: ip - field: _temp.src_ip - target_field: source.ip - ignore_failure: true -- convert: - field: sport - target_field: source.port - type: long - ignore_failure: true diff --git a/packages/cisco_meraki/1.2.1/data_stream/log/elasticsearch/ingest_pipeline/ipflows.yml b/packages/cisco_meraki/1.2.1/data_stream/log/elasticsearch/ingest_pipeline/ipflows.yml deleted file mode 100755 index eb6667d991..0000000000 
--- a/packages/cisco_meraki/1.2.1/data_stream/log/elasticsearch/ingest_pipeline/ipflows.yml +++ /dev/null 
@@ -1,62 +0,0 @@ ---- -description: Pipeline for Cisco Meraki ip_flow_start and ip_flow_end message type -processors: -- dissect: - description: Determine if the token is src= or operation - field: event.original - pattern: "%{} %{} %{} %{_temp.event_type} %{_temp.token} %{}" -- dissect: - description: Case for src= follows ip_flow_start - field: event.original - pattern: "%{} ip_flow_start %{*src}=%{&src} %{*dst}=%{&dst} %{*prot}=%{&prot} %{*sport}=%{&sport} %{*dport}=%{&dport} %{*tsi}=%{&tsi} %{*tp}=%{&tp}" - if: ctx._temp.event_type == 'ip_flow_start' && ctx._temp.token.startsWith("src=") == true -- dissect: - description: Case for src= follows ip_flow_end - field: event.original - pattern: "%{} ip_flow_end %{*src}=%{&src} %{*dst}=%{&dst} %{*prot}=%{&prot} %{*sport}=%{&sport} %{*dport}=%{&dport} %{*tsi_or_tdi}=%{&tsi_or_tdi} %{*tp}=%{&tp}" - if: ctx._temp.event_type == 'ip_flow_end' && ctx._temp.token.startsWith("src=") == true -# source field IP:port handling -- convert: - type: ip - field: translated_src_ip - target_field: source.ip - if: ctx?.translated_src_ip != null -- convert: - type: ip - field: src - target_field: source.ip - if: ctx?.translated_src_ip == null && ctx?.src != null -- convert: - field: translated_port - target_field: source.port - type: long - if: ctx?.translated_src_ip != null && ctx?.translated_port != null -- convert: - field: sport - target_field: source.port - type: long - if: ctx?.translated_src_ip == null && ctx?.sport != null -# destination field IP:port handling -- convert: - type: ip - field: translated_dst_ip - target_field: destination.ip - if: ctx?.translated_dst_ip != null -- convert: - type: ip - field: dst - target_field: destination.ip - if: ctx?.translated_dst_ip == null && ctx?.dst != null -- convert: - field: translated_port - target_field: destination.port - type: long - if: ctx?.translated_dst_ip != null && ctx?.translated_port != null -- convert: - field: dport - target_field: destination.port - type: long - if: 
ctx?.translated_dst_ip == null && ctx?.dport != null -- rename: - field: protocol - target_field: network.protocol diff --git a/packages/cisco_meraki/1.2.1/data_stream/log/elasticsearch/ingest_pipeline/security.yml b/packages/cisco_meraki/1.2.1/data_stream/log/elasticsearch/ingest_pipeline/security.yml deleted file mode 100755 index 6ddd6e2f37..0000000000 --- a/packages/cisco_meraki/1.2.1/data_stream/log/elasticsearch/ingest_pipeline/security.yml +++ /dev/null 
@@ -1,151 +0,0 @@ ---- -description: Pipeline for Cisco Meraki security_event type -processors: -- dissect: - description: Determine the security event type - field: event.original - pattern: "%{} security_event %{type} %{}" -- rename: - field: type - target_field: cisco_meraki.event_subtype - -# scan event based on event type -- dissect: - field: event.original - pattern: "%{} ids_alerted %{*sig}=%{&sig} %{*pri}=%{&pri} %{*ts}=%{&ts} %{*dhost}=%{&dhost} %{*dir}=%{&dir} %{*prot}=%{&prot} %{*src}=%{&src} %{*dst}=%{&dst} %{}" - if: ctx?.cisco_meraki?.event_subtype == 'ids_alerted' -- dissect: - field: event.original - pattern: "%{} security_filtering_file_scanned %{*url}=%{&url} %{*src}=%{&src} %{*dst}=%{&dst} %{*mac}=%{&mac} %{*name}='%{&name}' %{*sha256}=%{&sha256} %{*disp}=%{&disp} %{*action}=%{&action}" - if: ctx?.cisco_meraki?.event_subtype == 'security_filtering_file_scanned' -- dissect: - field: event.original - pattern: "%{} security_filtering_disposition_change %{*name}=%{&name} %{*sha256}=%{&sha256} %{*disp}=%{&disp} %{*action}=%{&action}" - if: ctx?.cisco_meraki?.event_subtype == 'security_filtering_disposition_change' - -# handle fields of ids_alerted type -- rename: - field: priority - target_field: cisco_meraki.security.priority - if: ctx?.cisco_meraki?.event_subtype == 'ids_alerted' -- rename: - field: signature - target_field: cisco_meraki.security.signature - if: ctx?.cisco_meraki?.event_subtype == 'ids_alerted' -- date: - field: timestamp - target_field: threat.indicator.last_seen - formats: ['UNIX'] - if: ctx?.cisco_meraki?.event_subtype == 'ids_alerted' -- gsub: - field: dhost - target_field: cisco_meraki.security.dhost - pattern: '[-:.]' - replacement: '-' - if: ctx?.cisco_meraki?.event_subtype == 'ids_alerted' -- rename: - field: direction - target_field: network.direction - if: ctx?.cisco_meraki?.event_subtype == 'ids_alerted' -- lowercase: - field: protocol - target_field: network.protocol - if: ctx?.cisco_meraki?.event_subtype == 
'ids_alerted' -# Process the remaining after dst=. It can have "decision= message: *" or just "message: *" -- dissect: - field: event.original - pattern: "%{} dst=%{?ignore} %{*decision}=%{&decision} %{*message}:%{&message}" - if: ctx?.cisco_meraki?.event_subtype == 'ids_alerted' - ignore_failure: true -- dissect: - field: event.original - pattern: "%{} dst=%{?ignore} %{*message}:%{&message}" - if: ctx?.decision == null && ctx?.cisco_meraki?.event_subtype == 'ids_alerted' -- rename: - field: message - target_field: threat.indicator.description - ignore_missing: true - if: ctx?.cisco_meraki?.event_subtype == 'ids_alerted' -- rename: - field: decision - target_field: cisco_meraki.security.decision - ignore_missing: true - if: ctx?.cisco_meraki?.event_subtype == 'ids_alerted' - -# handle fields of security_filtering_file_scanned or security_filtering_disposition_change type -- rename: - field: url - target_field: threat.indicator.reference - if: ctx?.cisco_meraki?.event_subtype == 'security_filtering_file_scanned' -- gsub: - field: mac - target_field: cisco_meraki.security.mac - pattern: '[-:.]' - replacement: '-' - if: ctx?.cisco_meraki?.event_subtype == 'security_filtering_file_scanned' -- rename: - field: name - target_field: threat.indicator.file.name - if: ctx?.cisco_meraki?.event_subtype == 'security_filtering_file_scanned' || ctx?.cisco_meraki?.event_subtype == 'security_filtering_disposition_change' -- rename: - field: sha256 - target_field: threat.indicator.file.hash.sha256 - if: ctx?.cisco_meraki?.event_subtype == 'security_filtering_file_scanned' || ctx?.cisco_meraki?.event_subtype == 'security_filtering_disposition_change' -- rename: - field: disposition - target_field: cisco_meraki.disposition - ignore_missing: true -- rename: - field: action - target_field: cisco_meraki.security.action - if: ctx?.cisco_meraki?.event_subtype == 'security_filtering_file_scanned' || ctx?.cisco_meraki?.event_subtype == 'security_filtering_disposition_change' -# fields common 
to more than one event type -# src processing -- grok: - field: src - patterns: - - "^%{IPV4:_temp.src_ip}:%{PORT:sport}$" - - "^\\[%{IPV6:_temp.src_ip}\\]:%{PORT:sport}$" - - "^%{IPV6NOCOMPRESS:_temp.src_ip}:%{PORT:sport}$" - - "^%{IPV6:_temp.src_ip}%{IPV6PORTSEP}%{PORT:sport}$" - pattern_definitions: - IPV6NOCOMPRESS: '([0-9A-Fa-f]{1,4}:){7}[0-9A-Fa-f]{1,4}' - IPV6PORTSEP: '(?: port |[p#.])' - PORT: '[0-9]+' - if: ctx?.cisco_meraki?.event_subtype != 'security_filtering_disposition_change' && ctx?.src != null -- convert: - type: ip - field: _temp.src_ip - target_field: source.ip - if: ctx?.cisco_meraki?.event_subtype != 'security_filtering_disposition_change' -- convert: - field: sport - target_field: source.port - type: long - if: ctx?.sport != "0" && ctx?.cisco_meraki?.event_subtype != 'security_filtering_disposition_change' - ignore_failure: true -# dst processing -- grok: - field: dst - patterns: - - "^%{IPV4:_temp.dst_ip}:%{PORT:dport}$" - - "^\\[%{IPV6:_temp.dst_ip}\\]:%{PORT:dport}$" - - "^%{IPV6NOCOMPRESS:_temp.dst_ip}:%{PORT:dport}$" - - "^%{IPV6:_temp.dst_ip}%{IPV6PORTSEP}%{PORT:dport}$" - pattern_definitions: - IPV6NOCOMPRESS: '([0-9A-Fa-f]{1,4}:){7}[0-9A-Fa-f]{1,4}' - IPV6PORTSEP: '(?: port |[p#.])' - PORT: '[0-9]+' - if: ctx?.cisco_meraki?.event_subtype != 'security_filtering_disposition_change' && ctx?.dst != null -- convert: - type: ip - field: _temp.dst_ip - target_field: destination.ip - ignore_failure: true - if: ctx?.cisco_meraki?.event_subtype != 'security_filtering_disposition_change' -- convert: - field: dport - target_field: destination.port - type: long - if: ctx?.dport != "0" && ctx?.cisco_meraki?.event_subtype != 'security_filtering_disposition_change' - ignore_failure: true diff --git a/packages/cisco_meraki/1.2.1/data_stream/log/elasticsearch/ingest_pipeline/urls.yml b/packages/cisco_meraki/1.2.1/data_stream/log/elasticsearch/ingest_pipeline/urls.yml deleted file mode 100755 index 68bcddb288..0000000000 
--- a/packages/cisco_meraki/1.2.1/data_stream/log/elasticsearch/ingest_pipeline/urls.yml +++ /dev/null @@ -1,64 +0,0 @@ ---- -description: Pipeline for Cisco Meraki urls type -processors: -- dissect: - description: Determine the security event type - field: event.original - pattern: "%{} urls %{*src}=%{&src} %{*dst}=%{&dst} %{*mac}=%{&mac} request: %{http.request.method} %{url.original}" -# src processing -- grok: - field: src - patterns: - - "^%{IPV4:_temp.src_ip}:%{PORT:sport}$" - - "^\\[%{IPV6:_temp.src_ip}\\]:%{PORT:sport}$" - - "^%{IPV6NOCOMPRESS:_temp.src_ip}:%{PORT:sport}$" - - "^%{IPV6:_temp.src_ip}%{IPV6PORTSEP}%{PORT:sport}$" - pattern_definitions: - IPV6NOCOMPRESS: '([0-9A-Fa-f]{1,4}:){7}[0-9A-Fa-f]{1,4}' - IPV6PORTSEP: '(?: port |[p#.])' - PORT: '[0-9]+' -- convert: - type: ip - field: _temp.src_ip - target_field: source.ip -- convert: - type: long - field: sport - target_field: source.port - ignore_failure: true -# dst processing -- grok: - field: dst - patterns: - - "^%{IPV4:_temp.dst_ip}:%{PORT:dport}$" - - "^\\[%{IPV6:_temp.dst_ip}\\]:%{PORT:dport}$" - - "^%{IPV6NOCOMPRESS:_temp.dst_ip}:%{PORT:dport}$" - - "^%{IPV6:_temp.dst_ip}%{IPV6PORTSEP}%{PORT:dport}$" - pattern_definitions: - IPV6NOCOMPRESS: '([0-9A-Fa-f]{1,4}:){7}[0-9A-Fa-f]{1,4}' - IPV6PORTSEP: '(?: port |[p#.])' - PORT: '[0-9]+' -- convert: - type: ip - field: _temp.dst_ip - target_field: destination.ip - ignore_failure: true -- convert: - type: long - field: dport - target_field: destination.port - if: ctx?.dport != "0" && ctx?.cisco_meraki?.event_subtype != 'security_filtering_disposition_change' - ignore_failure: true -- gsub: - field: mac - target_field: cisco_meraki.urls.mac - pattern: '[-:.]' - replacement: '-' -- set: - field: cisco_meraki.event_subtype - value: 'http_access' - if: ctx?.http?.request?.method.toLowerCase() != 'unknown' -- set: - field: cisco_meraki.event_subtype - value: 'http_access_error' - if: ctx?.http?.request?.method.toLowerCase() == 'unknown' 
diff --git a/packages/cisco_meraki/1.2.1/data_stream/log/fields/agent.yml b/packages/cisco_meraki/1.2.1/data_stream/log/fields/agent.yml deleted file mode 100755 index 90bd07fa04..0000000000 --- a/packages/cisco_meraki/1.2.1/data_stream/log/fields/agent.yml +++ /dev/null 
@@ -1,184 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). 
- example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - -- name: input.type - type: keyword - description: Input type. -- name: log.source.address - type: keyword - description: Source address from which the log event was read / sent from. -- name: log.offset - type: long - description: Offset of the entry in the log file. diff --git a/packages/cisco_meraki/1.2.1/data_stream/log/fields/base-fields.yml b/packages/cisco_meraki/1.2.1/data_stream/log/fields/base-fields.yml deleted file mode 100755 index 79eddd5d6c..0000000000 --- a/packages/cisco_meraki/1.2.1/data_stream/log/fields/base-fields.yml +++ /dev/null 
@@ -1,21 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: event.module - type: constant_keyword - description: Event module - value: cisco_meraki -- name: event.dataset - type: constant_keyword - description: Event dataset - value: cisco_meraki.log -- name: container.id - description: Unique container id. - ignore_above: 1024 - type: keyword diff --git a/packages/cisco_meraki/1.2.1/data_stream/log/fields/ecs.yml b/packages/cisco_meraki/1.2.1/data_stream/log/fields/ecs.yml deleted file mode 100755 index f8293ea2df..0000000000 --- a/packages/cisco_meraki/1.2.1/data_stream/log/fields/ecs.yml +++ /dev/null 
@@ -1,674 +0,0 @@ -- description: |- - Date/time when the event originated. - This is the date/time extracted from the event, typically representing when the event was generated by the source. - If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. - Required field for all events. - name: '@timestamp' - type: date -- description: IP address of the client (IPv4 or IPv6). - name: client.ip - type: ip -- description: |- - MAC address of the client. - The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. - name: client.mac - type: keyword -- description: |- - The domain name of the client system. - This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. - name: client.domain - type: keyword -- description: |- - The highest registered client domain, stripped of the subdomain. - For example, the registered domain for "foo.example.com" is "example.com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". - name: client.registered_domain - type: keyword -- description: |- - The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. - For example the subdomain portion of "www.east.mydomain.co.uk" is "east". 
If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. - name: client.subdomain - type: keyword -- description: |- - The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". - name: client.top_level_domain - type: keyword -- description: |- - Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: destination.address - type: keyword -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: destination.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: destination.as.organization.name - type: keyword -- description: Bytes sent from the destination to the source. - name: destination.bytes - type: long -- description: |- - The domain name of the destination system. - This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. - name: destination.domain - type: keyword -- description: City name. - name: destination.geo.city_name - type: keyword -- description: Country name. - name: destination.geo.country_name - type: keyword -- description: Longitude and latitude. 
- name: destination.geo.location - type: geo_point -- description: IP address of the destination (IPv4 or IPv6). - name: destination.ip - type: ip -- description: |- - MAC address of the destination. - The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. - name: destination.mac - pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ - type: keyword -- description: |- - Translated ip of destination based NAT sessions (e.g. internet to private DMZ) - Typically used with load balancers, firewalls, or routers. - name: destination.nat.ip - type: ip -- description: |- - Port the source session is translated to by NAT Device. - Typically used with load balancers, firewalls, or routers. - name: destination.nat.port - type: long -- description: Port of the destination. - name: destination.port - type: long -- description: |- - The highest registered destination domain, stripped of the subdomain. - For example, the registered domain for "foo.example.com" is "example.com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". - name: destination.registered_domain - type: keyword -- description: |- - The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. - For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. 
- name: destination.subdomain - type: keyword -- description: |- - The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". - name: destination.top_level_domain - type: keyword -- description: |- - The domain name to which this resource record pertains. - If a chain of CNAME is being resolved, each answer's `name` should be the one that corresponds with the answer's `data`. It should not simply be the original `question.name` repeated. - name: dns.answers.name - type: keyword -- description: The type of data contained in this resource record. - name: dns.answers.type - type: keyword -- description: |- - The highest registered domain, stripped of the subdomain. - For example, the registered domain for "foo.example.com" is "example.com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". - name: dns.question.registered_domain - type: keyword -- description: |- - The subdomain is all of the labels under the registered_domain. - If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. - name: dns.question.subdomain - type: keyword -- description: |- - The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). 
Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". - name: dns.question.top_level_domain - type: keyword -- description: The type of record being queried. - name: dns.question.type - type: keyword -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: Error message. - name: error.message - type: match_only_text -- description: |- - The action captured by the event. - This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. - name: event.action - type: keyword -- description: |- - Identification code for this event, if one exists. - Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. - name: event.code - type: keyword -- description: |- - Timestamp when an event arrived in the central data store. - This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. - In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. - name: event.ingested - type: date -- description: |- - Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. - This field is not indexed and doc_values are disabled. 
It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. - doc_values: false - index: false - name: event.original - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. - `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. - Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. - Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. - Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. - name: event.outcome - type: keyword -- description: |- - This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. - Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). - name: event.timezone - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. 
This will allow proper categorization of some events that fall in multiple categories. - name: event.category - normalize: - - array - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. - `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. This will allow proper categorization of some events that fall in multiple event types. - name: event.type - normalize: - - array - type: keyword -- description: |- - Array of file attributes. - Attributes names will vary by platform. Here's a non-exhaustive list of values that are expected in this field: archive, compressed, directory, encrypted, execute, hidden, read, readonly, system, write. - name: file.attributes - normalize: - - array - type: keyword -- description: Directory where the file is located. It should include the drive letter, when appropriate. - name: file.directory - type: keyword -- description: |- - File extension, excluding the leading dot. - Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). - name: file.extension - type: keyword -- description: Name of the file including the extension, without the directory. - name: file.name - type: keyword -- description: Full path to the file, including the file name. It should include the drive letter, when appropriate. - multi_fields: - - name: text - type: match_only_text - name: file.path - type: keyword -- description: |- - File size in bytes. - Only relevant when `file.type` is "file". - name: file.size - type: long -- description: File type (file, dir, or symlink). - name: file.type - type: keyword -- description: City name. - name: geo.city_name - type: keyword -- description: Country name. 
- name: geo.country_name - type: keyword -- description: |- - User-defined description of a location, at the level of granularity they care about. - Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. - Not typically used in automated geolocation. - name: geo.name - type: keyword -- description: Region name. - name: geo.region_name - type: keyword -- description: Unique identifier for the group on the system/platform. - name: group.id - type: keyword -- description: Name of the group. - name: group.name - type: keyword -- description: |- - Hostname of the host. - It normally contains what the `hostname` command returns on the host machine. - name: host.hostname - type: keyword -- description: Host ip addresses. - name: host.ip - normalize: - - array - type: ip -- description: |- - Host MAC addresses. - The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. - name: host.mac - normalize: - - array - pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ - type: keyword -- description: |- - Name of the host. - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. - name: host.name - type: keyword -- description: |- - HTTP request method. - The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field. - name: http.request.method - type: keyword -- description: Referrer for this HTTP request. - name: http.request.referrer - type: keyword -- description: |- - Original log level of the log event. - If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. 
If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). - Some examples are `warn`, `err`, `i`, `informational`. - name: log.level - type: keyword -- description: |- - The Syslog numeric facility of the log event, if available. - According to RFCs 5424 and 3164, this value should be an integer between 0 and 23. - name: log.syslog.facility.code - type: long -- description: |- - Syslog numeric priority of the event, if available. - According to RFCs 5424 and 3164, the priority is 8 * facility + severity. This number is therefore expected to contain a value between 0 and 191. - name: log.syslog.priority - type: long -- description: |- - The Syslog numeric severity of the log event, if available. - If the event source publishing via Syslog provides a different numeric severity value (e.g. firewall, IDS), your source's numeric severity should go to `event.severity`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `event.severity`. - name: log.syslog.severity.code - type: long -- description: |- - Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. - If the event wasn't read from a log file, do not populate this field. - name: log.file.path - type: keyword -- description: List of keywords used to tag each event. - name: tags - normalize: - - array - type: keyword -- description: |- - For log events the message field contains the log message, optimized for viewing in a log viewer. - For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. - If multiple messages exist, they can be combined into one message. 
- name: message - type: match_only_text -- description: |- - When a specific application or service is identified from network connection details (source/dest IPs, ports, certificates, or wire format), this field captures the application's or service's name. - For example, the original event identifies the network connection being from a specific web service in a `https` network connection, like `facebook` or `twitter`. - The field value must be normalized to lowercase for querying. - name: network.application - type: keyword -- description: |- - Total bytes transferred in both directions. - If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. - name: network.bytes - type: long -- description: |- - Direction of the network traffic. - When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". - When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". - Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. - name: network.direction - type: keyword -- description: Host IP address when the source IP address is the proxy. - name: network.forwarded_ip - type: ip -- description: Name given by operators to sections of their network. - name: network.name - type: keyword -- description: |- - Total packets transferred in both directions. - If `source.packets` and `destination.packets` are known, `network.packets` is their sum. - name: network.packets - type: long -- description: |- - In the OSI Model this would be the Application Layer protocol. 
For example, `http`, `dns`, or `ssh`. - The field value must be normalized to lowercase for querying. - name: network.protocol - type: keyword -- description: Interface name as reported by the system. - name: observer.egress.interface.name - type: keyword -- description: Interface name as reported by the system. - name: observer.ingress.interface.name - type: keyword -- description: The product name of the observer. - name: observer.product - type: keyword -- description: |- - The type of the observer the data is coming from. - There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. - name: observer.type - type: keyword -- description: Vendor name of the observer. - name: observer.vendor - type: keyword -- description: Observer version. - name: observer.version - type: keyword -- description: |- - MAC addresses of the observer. - The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. - name: observer.mac - normalize: - - array - pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ - type: keyword -- description: |- - Process name. - Sometimes called program name or similar. - multi_fields: - - name: text - type: match_only_text - name: process.name - type: keyword -- description: |- - Process name. - Sometimes called program name or similar. - multi_fields: - - name: text - type: match_only_text - name: process.parent.name - type: keyword -- description: |- - Process title. - The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. - multi_fields: - - name: text - type: match_only_text - name: process.parent.title - type: keyword -- description: Process id. - name: process.pid - type: long -- description: Process id. 
- name: process.parent.pid - type: long -- description: |- - Process title. - The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. - multi_fields: - - name: text - type: match_only_text - name: process.title - type: keyword -- description: All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. - name: related.hosts - normalize: - - array - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - normalize: - - array - type: ip -- description: All the user names or other user identifiers seen on the event. - name: related.user - normalize: - - array - type: keyword -- description: The name of the rule or signature generating the event. - name: rule.name - type: keyword -- description: |- - MAC address of the server. - The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. - name: server.mac - pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ - type: keyword -- description: IP address of the server (IPv4 or IPv6). - name: server.ip - type: ip -- description: |- - The domain name of the server system. - This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. - name: server.domain - type: keyword -- description: |- - The highest registered server domain, stripped of the subdomain. - For example, the registered domain for "foo.example.com" is "example.com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". 
- name: server.registered_domain - type: keyword -- description: |- - The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. - For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. - name: server.subdomain - type: keyword -- description: |- - The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". - name: server.top_level_domain - type: keyword -- description: |- - Name of the service data is collected from. - The name of the service is normally user given. This allows for distributed services that run on multiple hosts to correlate the related instances based on the name. - In the case of Elasticsearch the `service.name` could contain the cluster name. For Beats the `service.name` is by default a copy of the `service.type` field if no name is specified. - name: service.name - type: keyword -- description: |- - Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: source.address - type: keyword -- description: Unique number allocated to the autonomous system. 
The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: source.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: source.as.organization.name - type: keyword -- description: Bytes sent from the source to the destination. - name: source.bytes - type: long -- description: |- - The domain name of the source system. - This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. - name: source.domain - type: keyword -- description: City name. - name: source.geo.city_name - type: keyword -- description: Country name. - name: source.geo.country_name - type: keyword -- description: Longitude and latitude. - name: source.geo.location - type: geo_point -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: |- - MAC address of the source. - The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. - name: source.mac - pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ - type: keyword -- description: |- - Translated ip of source based NAT sessions (e.g. internal client to internet) - Typically connections traversing load balancers, firewalls, or routers. - name: source.nat.ip - type: ip -- description: |- - Translated port of source based NAT sessions. (e.g. internal client to internet) - Typically used with load balancers, firewalls, or routers. - name: source.nat.port - type: long -- description: Port of the source. - name: source.port - type: long -- description: |- - The highest registered source domain, stripped of the subdomain. - For example, the registered domain for "foo.example.com" is "example.com". 
- This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". - name: source.registered_domain - type: keyword -- description: |- - The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. - For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. - name: source.subdomain - type: keyword -- description: |- - The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". - name: source.top_level_domain - type: keyword -- description: |- - Domain of the url, such as "www.elastic.co". - In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. - If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. - name: url.domain - type: keyword -- description: |- - Unmodified original url as seen in the event source. - Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. 
- This field is meant to represent the URL as it was observed, complete or not. - multi_fields: - - name: text - type: match_only_text - name: url.original - type: wildcard -- description: Path of the request, such as "/search". - name: url.path - type: wildcard -- description: |- - The query field describes the query string of the request, such as "q=elasticsearch". - The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. - name: url.query - type: keyword -- description: |- - The highest registered url domain, stripped of the subdomain. - For example, the registered domain for "foo.example.com" is "example.com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". - name: url.registered_domain - type: keyword -- description: |- - The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". - name: url.top_level_domain - type: keyword -- description: |- - Name of the directory the user is a member of. - For example, an LDAP or Active Directory domain name. - name: user.domain - type: keyword -- description: User's full name, if available. - multi_fields: - - name: text - type: match_only_text - name: user.full_name - type: keyword -- description: Unique identifier of the user. - name: user.id - type: keyword -- description: Short name or login of the user. 
- multi_fields: - - name: text - type: match_only_text - name: user.name - type: keyword -- description: Unparsed user_agent string. - multi_fields: - - name: text - type: match_only_text - name: user_agent.original - type: keyword -- description: Hostname of the observer. - name: observer.hostname - type: keyword -- description: Name of the continent. - name: destination.geo.continent_name - type: keyword -- description: Country ISO code. - name: destination.geo.country_iso_code - type: keyword -- description: Region ISO code. - name: destination.geo.region_iso_code - type: keyword -- description: Region name. - name: destination.geo.region_name - type: keyword -- description: Name of the continent. - name: source.geo.continent_name - type: keyword -- description: Country ISO code. - name: source.geo.country_iso_code - type: keyword -- description: Region ISO code. - name: source.geo.region_iso_code - type: keyword -- description: Region name. - name: source.geo.region_name - type: keyword -- description: VLAN ID as reported by the observer. - name: network.vlan.id - type: keyword -- description: The date and time when intelligence source last reported sighting this indicator. - name: threat.indicator.last_seen - type: date -- description: Describes the type of action conducted by the threat. - name: threat.indicator.description - type: keyword -- description: Reference URL linking to additional information about this indicator. - name: threat.indicator.reference - type: keyword -- description: Name of the file including the extension, without the directory. - name: threat.indicator.file.name - type: keyword -- description: SHA256 hash. - name: threat.indicator.file.hash.sha256 - type: keyword -- description: |- - Direction of the network traffic. - When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". 
- When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". - Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. - name: network.direction - type: keyword -- description: |- - In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. - The field value must be normalized to lowercase for querying. - name: network.protocol - type: keyword -- description: City name. - name: client.geo.city_name - type: keyword -- description: Name of the continent. - name: client.geo.continent_name - type: keyword -- description: Country ISO code. - name: client.geo.country_iso_code - type: keyword -- description: Country name. - name: client.geo.country_name - type: keyword -- description: Longitude and latitude. - name: client.geo.location - type: geo_point -- description: Region ISO code. - name: client.geo.region_iso_code - type: keyword -- description: Region name. - name: client.geo.region_name - type: keyword diff --git a/packages/cisco_meraki/1.2.1/data_stream/log/fields/fields.yml b/packages/cisco_meraki/1.2.1/data_stream/log/fields/fields.yml deleted file mode 100755 index 10a68230e9..0000000000 --- a/packages/cisco_meraki/1.2.1/data_stream/log/fields/fields.yml +++ /dev/null 
@@ -1,74 +0,0 @@ -- name: cisco_meraki - type: group - fields: - - name: disposition - type: keyword - - name: event_type - type: keyword - - name: event_subtype - type: keyword - - name: bssid - type: keyword - - name: vap - type: keyword - - name: channel - type: keyword - - name: fc_type - type: keyword - - name: fc_subtype - type: keyword - - name: flows - type: flattened - - name: dfs_event - type: flattened - - name: wpa_auth - type: flattened - - name: wpa_deauth - type: flattened - - name: association - type: flattened - - name: disassociation - type: flattened - - name: 8021x_eap_failure - type: flattened - - name: 8021x_deauth - type: flattened - - name: 8021x_auth - type: flattened - - name: 8021x_eap_success - type: flattened - - name: splash_auth - type: flattened - - name: device_packet_flood - type: flattened - - name: multiple_dhcp_servers_detected - type: flattened - - name: aps_association_reject - type: flattened - - name: urls - type: group - fields: - - name: mac - type: keyword - - name: security - type: group - fields: - - name: priority - type: keyword - - name: signature - type: keyword - - name: dhost - type: keyword - - name: decision - type: keyword - - name: mac - type: keyword - - name: action - type: keyword - - name: site_to_site_vpn - type: group - fields: - - name: raw - type: text - - name: connectivity_change - type: flattened diff --git a/packages/cisco_meraki/1.2.1/data_stream/log/manifest.yml b/packages/cisco_meraki/1.2.1/data_stream/log/manifest.yml deleted file mode 100755 index bf78f78a80..0000000000 --- a/packages/cisco_meraki/1.2.1/data_stream/log/manifest.yml +++ /dev/null 
@@ -1,175 +0,0 @@ -title: Cisco Meraki logs (via Syslog) -release: experimental -type: logs -streams: - - input: udp - template_path: udp.yml.hbs - title: Cisco Meraki logs - description: Collect Cisco Meraki logs (via Syslog) - enabled: true - vars: - - name: listen_address - type: text - title: Listen Address - description: The bind address to listen for UDP connections. Set to `0.0.0.0` to bind to all available interfaces. - multi: false - required: true - show_user: true - default: localhost - - name: listen_port - type: integer - title: Listen Port - description: The UDP port number to listen on. - multi: false - required: true - show_user: true - default: 8685 - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original`. - type: bool - multi: false - default: false - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: false - default: - - cisco-meraki - - forwarded - - name: tz_offset - type: text - title: Timezone - multi: false - required: false - show_user: false - default: UTC - description: IANA time zone or time offset (e.g. `+0200`) to use when interpreting syslog timestamps without a time zone. - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: > - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. - - - input: tcp - template_path: tcp.yml.hbs - title: Cisco Meraki logs - description: Collect Cisco Meraki logs (via Syslog) - enabled: false - vars: - - name: listen_address - type: text - title: Listen Address - description: The bind address to listen for TCP connections. 
Set to `0.0.0.0` to bind to all available interfaces. - multi: false - required: true - show_user: true - default: localhost - - name: listen_port - type: integer - title: Listen Port - description: The TCP port number to listen on. - multi: false - required: true - show_user: true - default: 8685 - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original`. - type: bool - multi: false - default: false - - name: ssl - type: yaml - title: TLS - description: Options for enabling TLS for the listening TCP socket. See the [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/configuration-ssl.html) for a list of all options. - multi: false - required: false - show_user: false - default: | - enabled: false - certificate: "/etc/pki/client/cert.pem" - key: "/etc/pki/client/cert.key" - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: false - default: - - cisco-meraki - - forwarded - - name: tz_offset - type: text - title: Timezone - multi: false - required: false - show_user: false - default: UTC - description: IANA time zone or time offset (e.g. `+0200`) to use when interpreting syslog timestamps without a time zone. - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: > - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. 
- - - input: logfile - template_path: logfile.yml.hbs - title: Cisco Meraki logs - description: Collect Cisco Meraki logs (via Syslog) - enabled: false - vars: - - name: paths - type: text - title: Paths - multi: true - required: false - show_user: true - default: - - /var/log/cisco-meraki.log - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original`. - type: bool - multi: false - default: false - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: true - default: - - cisco-meraki - - forwarded - - name: tz_offset - type: text - title: Timezone - multi: false - required: false - show_user: false - default: UTC - description: IANA time zone or time offset (e.g. `+0200`) to use when interpreting syslog timestamps without a time zone. - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: > - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. - diff --git a/packages/cisco_meraki/1.2.1/data_stream/log/sample_event.json b/packages/cisco_meraki/1.2.1/data_stream/log/sample_event.json deleted file mode 100755 index 930a22a9e8..0000000000 --- a/packages/cisco_meraki/1.2.1/data_stream/log/sample_event.json +++ /dev/null 
@@ -1,94 +0,0 @@ -{ - "@timestamp": "2021-11-23T18:13:18.348Z", - "agent": { - "ephemeral_id": "d0614353-dd50-4b65-b142-df54b2a69013", - "id": "e999e428-e6a9-4c63-bd05-0eda93c920b3", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "8.3.2" - }, - "cisco_meraki": { - "event_subtype": "ids_alerted", - "event_type": "security_event", - "security": { - "decision": "allowed", - "dhost": "D0-AB-D5-7B-43-73", - "priority": "1", - "signature": "1:29708:4" - } - }, - "data_stream": { - "dataset": "cisco_meraki.log", - "namespace": "ep", - "type": "logs" - }, - "destination": { - "ip": "10.0.3.162", - "port": 56391 - }, - "ecs": { - "version": "8.4.0" - }, - "elastic_agent": { - "id": "e999e428-e6a9-4c63-bd05-0eda93c920b3", - "snapshot": false, - "version": "8.3.2" - }, - "event": { - "action": "ids-signature-matched", - "agent_id_status": "verified", - "category": [ - "network", - "threat" - ], - "dataset": "cisco_meraki.log", - "ingested": "2022-08-08T18:50:52Z", - "original": "\u003c134\u003e1 1637691198.348361125 MX84 security_event ids_alerted signature=1:29708:4 priority=1 timestamp=1637691198.330873 dhost=D0:AB:D5:7B:43:73 direction=ingress protocol=tcp/ip src=67.43.156.12:80 dst=10.0.3.162:56391 decision=allowed message: BROWSER-IE Microsoft Internet Explorer CSS uninitialized object access attempt detected", - "type": [ - "info", - "indicator" - ] - }, - "input": { - "type": "udp" - }, - "log": { - "source": { - "address": "172.18.0.5:44064" - } - }, - "network": { - "direction": "ingress", - "protocol": "tcp/ip" - }, - "observer": { - "hostname": "MX84" - }, - "source": { - "as": { - "number": 35908 - }, - "geo": { - "continent_name": "Asia", - "country_iso_code": "BT", - "country_name": "Bhutan", - "location": { - "lat": 27.5, - "lon": 90.5 - } - }, - "ip": "67.43.156.12", - "port": 80 - }, - "tags": [ - "preserve_original_event", - "cisco-meraki", - "forwarded" - ], - "threat": { - "indicator": { - "description": " BROWSER-IE Microsoft Internet 
Explorer CSS uninitialized object access attempt detected", - "last_seen": "2021-11-23T18:13:18.330Z" - } - } -} \ No newline at end of file diff --git a/packages/cisco_meraki/1.2.1/docs/README.md b/packages/cisco_meraki/1.2.1/docs/README.md deleted file mode 100755 index 0cc7e5d7cf..0000000000 --- a/packages/cisco_meraki/1.2.1/docs/README.md +++ /dev/null 
@@ -1,697 +0,0 @@ -# Cisco Meraki Integration - -Cisco Meraki offers a centralized cloud management platform for all Meraki devices such as MX Security Appliances, MR Access Points and so on. Its out-of-band cloud architecture creates secure, scalable and easy-to-deploy networks that can be managed from anywhere. This can be done from almost any device using web-based Meraki Dashboard and Meraki Mobile App. Each Meraki network generates its own events. - -Cisco Meraki offers [several methods for device reporting](https://documentation.meraki.com/General_Administration/Monitoring_and_Reporting/Meraki_Device_Reporting_-_Syslog%2C_SNMP%2C_and_API). This integration supports gathering events via the Cisco Meraki syslog and via API reporting webhooks. The integration package allows you to search, observe, and visualize the events through Elasticsearch. - -## Compatibility - -A syslog server can be configured to store messages for reporting purposes from MX Security Appliances, MR Access Points, and MS switches. This package collects events from the configured syslog server. The integration supports collection of events from "MX Security Appliances" and "MR Access Points". The "MS Switch" events are not recognized. - -## Configuration - -### Enabling the integration in Elastic - -1. In Kibana go to **Management > Integrations** -2. In "Search for integrations" search bar type **Meraki** -3. Click on "Cisco Meraki" integration from the search results. -4. Click on **Add Cisco Meraki Integration** button to add the integration. - -### Cisco Meraki Dashboard Configuration - -#### Syslog - -Cisco Meraki dashboard can be used to configure one or more syslog servers and Meraki message types to be sent to the syslog servers. 
Refer to [Syslog Server Overview and Configuration](https://documentation.meraki.com/General_Administration/Monitoring_and_Reporting/Syslog_Server_Overview_and_Configuration#Configuring_a_Syslog_Server) page for more information on how to configure syslog server on Cisco Meraki. - -#### API Endpoint (Webhooks) - -Cisco Meraki dashboard can be used to configure Meraki webhooks. Refer to the [Webhooks Dashboard Setup](https://documentation.meraki.com/General_Administration/Monitoring_and_Reporting/Meraki_Device_Reporting_-_Syslog%2C_SNMP%2C_and_API#Webhooks_Dashboard_Setup) section. - -### Configure the Cisco Meraki integration - -#### Syslog - -Depending on the syslog server setup in your environment check one/more of the following options "Collect syslog from Cisco Meraki via UDP", "Collect syslog from Cisco Meraki via TCP", "Collect syslog from Cisco Meraki via file". - -Enter the values for syslog host and port OR file path based on the chosen configuration options. - -### API Endpoint (Webhooks) - -Check the option "Collect events from Cisco Meraki via Webhooks" option. - -1. Enter values for "Listen Address", "Listen Port" and "Webhook path" to form the endpoint URL. Make note of the **Endpoint URL** `https://{AGENT_ADDRESS}:8686/meraki/events`. -2. Enter value for "Secret value". This must match the "Shared Secret" value entered when configuring the webhook from Meraki cloud. -3. Enter values for "TLS". Cisco Meraki requires that the webhook accept requests over HTTPS. So you must either configure the integration with a valid TLS certificate or use a reverse proxy in front of the integration. - -### Log Events - -Enable to collect Cisco Meraki log events for all the applications configured for the chosen log stream. - -## Logs - -### Syslog - -The `cisco_meraki.log` dataset provides events from the configured syslog server. All Cisco Meraki syslog specific fields are available in the `cisco_meraki.log` field group. 
- -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. | date | -| cisco_meraki.8021x_auth | | flattened | -| cisco_meraki.8021x_deauth | | flattened | -| cisco_meraki.8021x_eap_failure | | flattened | -| cisco_meraki.8021x_eap_success | | flattened | -| cisco_meraki.aps_association_reject | | flattened | -| cisco_meraki.association | | flattened | -| cisco_meraki.bssid | | keyword | -| cisco_meraki.channel | | keyword | -| cisco_meraki.device_packet_flood | | flattened | -| cisco_meraki.dfs_event | | flattened | -| cisco_meraki.disassociation | | flattened | -| cisco_meraki.disposition | | keyword | -| cisco_meraki.event_subtype | | keyword | -| cisco_meraki.event_type | | keyword | -| cisco_meraki.fc_subtype | | keyword | -| cisco_meraki.fc_type | | keyword | -| cisco_meraki.flows | | flattened | -| cisco_meraki.multiple_dhcp_servers_detected | | flattened | -| cisco_meraki.security.action | | keyword | -| cisco_meraki.security.decision | | keyword | -| cisco_meraki.security.dhost | | keyword | -| cisco_meraki.security.mac | | keyword | -| cisco_meraki.security.priority | | keyword | -| cisco_meraki.security.signature | | keyword | -| cisco_meraki.site_to_site_vpn.connectivity_change | | flattened | -| cisco_meraki.site_to_site_vpn.raw | | text | -| cisco_meraki.splash_auth | | flattened | -| cisco_meraki.urls.mac | | keyword | -| cisco_meraki.vap | | keyword | -| cisco_meraki.wpa_auth | | flattened | -| cisco_meraki.wpa_deauth | | flattened | -| client.domain | The domain name of the client system. This value may be a host name, a fully qualified domain name, or another host naming format. 
The value may derive from the original event or be added from enrichment. | keyword | -| client.geo.city_name | City name. | keyword | -| client.geo.continent_name | Name of the continent. | keyword | -| client.geo.country_iso_code | Country ISO code. | keyword | -| client.geo.country_name | Country name. | keyword | -| client.geo.location | Longitude and latitude. | geo_point | -| client.geo.region_iso_code | Region ISO code. | keyword | -| client.geo.region_name | Region name. | keyword | -| client.ip | IP address of the client (IPv4 or IPv6). | ip | -| client.mac | MAC address of the client. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | -| client.registered_domain | The highest registered client domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | -| client.subdomain | The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword | -| client.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. 
For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| destination.as.number | Unique number allocated to the autonomous system. 
The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| destination.as.organization.name | Organization name. | keyword | -| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. | match_only_text | -| destination.bytes | Bytes sent from the destination to the source. | long | -| destination.domain | The domain name of the destination system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | -| destination.geo.city_name | City name. | keyword | -| destination.geo.continent_name | Name of the continent. | keyword | -| destination.geo.country_iso_code | Country ISO code. | keyword | -| destination.geo.country_name | Country name. | keyword | -| destination.geo.location | Longitude and latitude. | geo_point | -| destination.geo.region_iso_code | Region ISO code. | keyword | -| destination.geo.region_name | Region name. | keyword | -| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | -| destination.mac | MAC address of the destination. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | -| destination.nat.ip | Translated ip of destination based NAT sessions (e.g. internet to private DMZ) Typically used with load balancers, firewalls, or routers. | ip | -| destination.nat.port | Port the source session is translated to by NAT Device. Typically used with load balancers, firewalls, or routers. | long | -| destination.port | Port of the destination. | long | -| destination.registered_domain | The highest registered destination domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". 
This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | -| destination.subdomain | The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword | -| destination.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | -| dns.answers.name | The domain name to which this resource record pertains. If a chain of CNAME is being resolved, each answer's `name` should be the one that corresponds with the answer's `data`. It should not simply be the original `question.name` repeated. | keyword | -| dns.answers.type | The type of data contained in this resource record. | keyword | -| dns.question.registered_domain | The highest registered domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". 
| keyword | -| dns.question.subdomain | The subdomain is all of the labels under the registered_domain. If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword | -| dns.question.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | -| dns.question.type | The type of record being queried. | keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| error.message | Error message. | match_only_text | -| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.code | Identification code for this event, if one exists. 
Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. | keyword | -| event.dataset | Event dataset | constant_keyword | -| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | -| event.module | Event module | constant_keyword | -| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | -| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. 
For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | -| event.timezone | This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). | keyword | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | -| file.attributes | Array of file attributes. Attributes names will vary by platform. Here's a non-exhaustive list of values that are expected in this field: archive, compressed, directory, encrypted, execute, hidden, read, readonly, system, write. | keyword | -| file.directory | Directory where the file is located. It should include the drive letter, when appropriate. | keyword | -| file.extension | File extension, excluding the leading dot. Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword | -| file.name | Name of the file including the extension, without the directory. | keyword | -| file.path | Full path to the file, including the file name. It should include the drive letter, when appropriate. | keyword | -| file.path.text | Multi-field of `file.path`. | match_only_text | -| file.size | File size in bytes. Only relevant when `file.type` is "file". | long | -| file.type | File type (file, dir, or symlink). 
| keyword | -| geo.city_name | City name. | keyword | -| geo.country_name | Country name. | keyword | -| geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | -| geo.region_name | Region name. | keyword | -| group.id | Unique identifier for the group on the system/platform. | keyword | -| group.name | Name of the group. | keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host MAC addresses. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). 
| keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| http.request.method | HTTP request method. The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field. | keyword | -| http.request.referrer | Referrer for this HTTP request. | keyword | -| input.type | Input type. | keyword | -| log.file.path | Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. | keyword | -| log.level | Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). Some examples are `warn`, `err`, `i`, `informational`. | keyword | -| log.offset | Offset of the entry in the log file. | long | -| log.source.address | Source address from which the log event was read / sent from. | keyword | -| log.syslog.facility.code | The Syslog numeric facility of the log event, if available. According to RFCs 5424 and 3164, this value should be an integer between 0 and 23. | long | -| log.syslog.priority | Syslog numeric priority of the event, if available. According to RFCs 5424 and 3164, the priority is 8 \* facility + severity. 
This number is therefore expected to contain a value between 0 and 191. | long | -| log.syslog.severity.code | The Syslog numeric severity of the log event, if available. If the event source publishing via Syslog provides a different numeric severity value (e.g. firewall, IDS), your source's numeric severity should go to `event.severity`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `event.severity`. | long | -| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | -| network.application | When a specific application or service is identified from network connection details (source/dest IPs, ports, certificates, or wire format), this field captures the application's or service's name. For example, the original event identifies the network connection being from a specific web service in a `https` network connection, like `facebook` or `twitter`. The field value must be normalized to lowercase for querying. | keyword | -| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long | -| network.direction | Direction of the network traffic. When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. 
Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword | -| network.forwarded_ip | Host IP address when the source IP address is the proxy. | ip | -| network.name | Name given by operators to sections of their network. | keyword | -| network.packets | Total packets transferred in both directions. If `source.packets` and `destination.packets` are known, `network.packets` is their sum. | long | -| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword | -| network.vlan.id | VLAN ID as reported by the observer. | keyword | -| observer.egress.interface.name | Interface name as reported by the system. | keyword | -| observer.hostname | Hostname of the observer. | keyword | -| observer.ingress.interface.name | Interface name as reported by the system. | keyword | -| observer.mac | MAC addresses of the observer. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | -| observer.product | The product name of the observer. | keyword | -| observer.type | The type of the observer the data is coming from. There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. | keyword | -| observer.vendor | Vendor name of the observer. | keyword | -| observer.version | Observer version. | keyword | -| process.name | Process name. Sometimes called program name or similar. | keyword | -| process.name.text | Multi-field of `process.name`. | match_only_text | -| process.parent.name | Process name. Sometimes called program name or similar. 
| keyword | -| process.parent.name.text | Multi-field of `process.parent.name`. | match_only_text | -| process.parent.pid | Process id. | long | -| process.parent.title | Process title. The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. | keyword | -| process.parent.title.text | Multi-field of `process.parent.title`. | match_only_text | -| process.pid | Process id. | long | -| process.title | Process title. The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. | keyword | -| process.title.text | Multi-field of `process.title`. | match_only_text | -| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| related.user | All the user names or other user identifiers seen on the event. | keyword | -| rule.name | The name of the rule or signature generating the event. | keyword | -| server.domain | The domain name of the server system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | -| server.ip | IP address of the server (IPv4 or IPv6). | ip | -| server.mac | MAC address of the server. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | -| server.registered_domain | The highest registered server domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". 
This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | -| server.subdomain | The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword | -| server.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | -| service.name | Name of the service data is collected from. The name of the service is normally user given. This allows for distributed services that run on multiple hosts to correlate the related instances based on the name. In the case of Elasticsearch the `service.name` could contain the cluster name. For Beats the `service.name` is by default a copy of the `service.type` field if no name is specified. | keyword | -| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. 
| keyword | -| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| source.as.organization.name | Organization name. | keyword | -| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text | -| source.bytes | Bytes sent from the source to the destination. | long | -| source.domain | The domain name of the source system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | -| source.geo.city_name | City name. | keyword | -| source.geo.continent_name | Name of the continent. | keyword | -| source.geo.country_iso_code | Country ISO code. | keyword | -| source.geo.country_name | Country name. | keyword | -| source.geo.location | Longitude and latitude. | geo_point | -| source.geo.region_iso_code | Region ISO code. | keyword | -| source.geo.region_name | Region name. | keyword | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| source.mac | MAC address of the source. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | -| source.nat.ip | Translated ip of source based NAT sessions (e.g. internal client to internet) Typically connections traversing load balancers, firewalls, or routers. | ip | -| source.nat.port | Translated port of source based NAT sessions. (e.g. internal client to internet) Typically used with load balancers, firewalls, or routers. | long | -| source.port | Port of the source. | long | -| source.registered_domain | The highest registered source domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". 
This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | -| source.subdomain | The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword | -| source.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | -| tags | List of keywords used to tag each event. | keyword | -| threat.indicator.description | Describes the type of action conducted by the threat. | keyword | -| threat.indicator.file.hash.sha256 | SHA256 hash. | keyword | -| threat.indicator.file.name | Name of the file including the extension, without the directory. | keyword | -| threat.indicator.last_seen | The date and time when intelligence source last reported sighting this indicator. | date | -| threat.indicator.reference | Reference URL linking to additional information about this indicator. | keyword | -| url.domain | Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. 
If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. | keyword | -| url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | wildcard | -| url.original.text | Multi-field of `url.original`. | match_only_text | -| url.path | Path of the request, such as "/search". | wildcard | -| url.query | The query field describes the query string of the request, such as "q=elasticsearch". The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. | keyword | -| url.registered_domain | The highest registered url domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | -| url.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | -| user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword | -| user.full_name | User's full name, if available. 
| keyword | -| user.full_name.text | Multi-field of `user.full_name`. | match_only_text | -| user.id | Unique identifier of the user. | keyword | -| user.name | Short name or login of the user. | keyword | -| user.name.text | Multi-field of `user.name`. | match_only_text | -| user_agent.original | Unparsed user_agent string. | keyword | -| user_agent.original.text | Multi-field of `user_agent.original`. | match_only_text | - - -An example event for `log` looks as following: - -```json -{ - "@timestamp": "2021-11-23T18:13:18.348Z", - "agent": { - "ephemeral_id": "d0614353-dd50-4b65-b142-df54b2a69013", - "id": "e999e428-e6a9-4c63-bd05-0eda93c920b3", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "8.3.2" - }, - "cisco_meraki": { - "event_subtype": "ids_alerted", - "event_type": "security_event", - "security": { - "decision": "allowed", - "dhost": "D0-AB-D5-7B-43-73", - "priority": "1", - "signature": "1:29708:4" - } - }, - "data_stream": { - "dataset": "cisco_meraki.log", - "namespace": "ep", - "type": "logs" - }, - "destination": { - "ip": "10.0.3.162", - "port": 56391 - }, - "ecs": { - "version": "8.4.0" - }, - "elastic_agent": { - "id": "e999e428-e6a9-4c63-bd05-0eda93c920b3", - "snapshot": false, - "version": "8.3.2" - }, - "event": { - "action": "ids-signature-matched", - "agent_id_status": "verified", - "category": [ - "network", - "threat" - ], - "dataset": "cisco_meraki.log", - "ingested": "2022-08-08T18:50:52Z", - "original": "\u003c134\u003e1 1637691198.348361125 MX84 security_event ids_alerted signature=1:29708:4 priority=1 timestamp=1637691198.330873 dhost=D0:AB:D5:7B:43:73 direction=ingress protocol=tcp/ip src=67.43.156.12:80 dst=10.0.3.162:56391 decision=allowed message: BROWSER-IE Microsoft Internet Explorer CSS uninitialized object access attempt detected", - "type": [ - "info", - "indicator" - ] - }, - "input": { - "type": "udp" - }, - "log": { - "source": { - "address": "172.18.0.5:44064" - } - }, - "network": { - "direction": 
"ingress", - "protocol": "tcp/ip" - }, - "observer": { - "hostname": "MX84" - }, - "source": { - "as": { - "number": 35908 - }, - "geo": { - "continent_name": "Asia", - "country_iso_code": "BT", - "country_name": "Bhutan", - "location": { - "lat": 27.5, - "lon": 90.5 - } - }, - "ip": "67.43.156.12", - "port": 80 - }, - "tags": [ - "preserve_original_event", - "cisco-meraki", - "forwarded" - ], - "threat": { - "indicator": { - "description": " BROWSER-IE Microsoft Internet Explorer CSS uninitialized object access attempt detected", - "last_seen": "2021-11-23T18:13:18.330Z" - } - } -} -``` - -### API Endpoint (Webhooks) - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. | date | -| cisco_meraki.event.alertData | Additional alert data (differs based on alert type) | flattened | -| cisco_meraki.event.alertId | ID for this alert message | keyword | -| cisco_meraki.event.alertLevel | Alert level (informational, critical etc.) | keyword | -| cisco_meraki.event.alertType | Type of alert (“Network usage alert”, “Settings changed”, etc.) 
| keyword | -| cisco_meraki.event.alertTypeId | Unique ID for the type of alert | keyword | -| cisco_meraki.event.deviceMac | MAC address of the Meraki device | keyword | -| cisco_meraki.event.deviceModel | Meraki device model | keyword | -| cisco_meraki.event.deviceName | Name assigned to the Meraki device | keyword | -| cisco_meraki.event.deviceSerial | Serial number of the Meraki device | keyword | -| cisco_meraki.event.deviceTags | Tags assigned to the Meraki device | keyword | -| cisco_meraki.event.deviceUrl | URL of the Meraki device | keyword | -| cisco_meraki.event.networkId | ID for the Meraki network | keyword | -| cisco_meraki.event.networkName | Name for the Meraki network | keyword | -| cisco_meraki.event.networkTags | Tags assigned to the Meraki network | keyword | -| cisco_meraki.event.networkUrl | URL of the Meraki Dashboard network | keyword | -| cisco_meraki.event.occurredAt | Timestamp of the alert (UTC) | date | -| cisco_meraki.event.organizationId | ID of the Meraki organization | keyword | -| cisco_meraki.event.organizationName | Name of the Meraki organization | keyword | -| cisco_meraki.event.organizationUrl | URL of the Meraki Dashboard organization | keyword | -| cisco_meraki.event.sentAt | Timestamp of the sent message (UTC) | date | -| cisco_meraki.event.sharedSecret | User defined secret to be validated by the webhook receiver (optional) | keyword | -| cisco_meraki.event.version | Current version of webhook format | keyword | -| client.domain | The domain name of the client system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | -| client.geo.city_name | City name. | keyword | -| client.geo.continent_name | Name of the continent. | keyword | -| client.geo.country_iso_code | Country ISO code. | keyword | -| client.geo.country_name | Country name. 
| keyword | -| client.geo.location.lat | Longitude and latitude. | geo_point | -| client.geo.location.lon | Longitude and latitude. | geo_point | -| client.geo.region_iso_code | Region ISO code. | keyword | -| client.geo.region_name | Region name. | keyword | -| client.ip | IP address of the client (IPv4 or IPv6). | ip | -| client.mac | MAC address of the client. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | -| client.registered_domain | The highest registered client domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | -| client.subdomain | The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword | -| client.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". 
| keyword |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
-| data_stream.dataset | Data stream dataset. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
-| destination.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long |
-| destination.as.organization.name | Organization name. | keyword |
-| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`.
| match_only_text |
-| destination.bytes | Bytes sent from the destination to the source. | long |
-| destination.domain | The domain name of the destination system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword |
-| destination.geo.city_name | City name. | keyword |
-| destination.geo.continent_name | Name of the continent. | keyword |
-| destination.geo.country_iso_code | Country ISO code. | keyword |
-| destination.geo.country_name | Country name. | keyword |
-| destination.geo.location | Longitude and latitude. | geo_point |
-| destination.geo.region_iso_code | Region ISO code. | keyword |
-| destination.geo.region_name | Region name. | keyword |
-| destination.ip | IP address of the destination (IPv4 or IPv6). | ip |
-| destination.mac | MAC address of the destination. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword |
-| destination.nat.ip | Translated ip of destination based NAT sessions (e.g. internet to private DMZ) Typically used with load balancers, firewalls, or routers. | ip |
-| destination.nat.port | Port the source session is translated to by NAT Device. Typically used with load balancers, firewalls, or routers. | long |
-| destination.port | Port of the destination. | long |
-| destination.registered_domain | The highest registered destination domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk".
| keyword |
-| destination.subdomain | The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword |
-| destination.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword |
-| dns.answers.name | The domain name to which this resource record pertains. If a chain of CNAME is being resolved, each answer's `name` should be the one that corresponds with the answer's `data`. It should not simply be the original `question.name` repeated. | keyword |
-| dns.answers.type | The type of data contained in this resource record. | keyword |
-| dns.question.registered_domain | The highest registered domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword |
-| dns.question.subdomain | The subdomain is all of the labels under the registered_domain.
If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword |
-| dns.question.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword |
-| dns.question.type | The type of record being queried. | keyword |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| error.message | Error message. | match_only_text |
-| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword |
-| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword |
-| event.code | Identification code for this event, if one exists. Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time.
An example of this is the Windows Event ID. | keyword |
-| event.dataset | Event dataset | constant_keyword |
-| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date |
-| event.module | Event module | constant_keyword |
-| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword |
-| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense.
| keyword |
-| event.timezone | This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). | keyword |
-| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword |
-| file.attributes | Array of file attributes. Attributes names will vary by platform. Here's a non-exhaustive list of values that are expected in this field: archive, compressed, directory, encrypted, execute, hidden, read, readonly, system, write. | keyword |
-| file.directory | Directory where the file is located. It should include the drive letter, when appropriate. | keyword |
-| file.extension | File extension, excluding the leading dot. Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword |
-| file.name | Name of the file including the extension, without the directory. | keyword |
-| file.path | Full path to the file, including the file name. It should include the drive letter, when appropriate. | keyword |
-| file.path.text | Multi-field of `file.path`. | match_only_text |
-| file.size | File size in bytes. Only relevant when `file.type` is "file". | long |
-| file.type | File type (file, dir, or symlink). | keyword |
-| geo.city_name | City name. | keyword |
-| geo.country_name | Country name.
| keyword |
-| geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword |
-| geo.region_name | Region name. | keyword |
-| group.id | Unique identifier for the group on the system/platform. | keyword |
-| group.name | Name of the group. | keyword |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host MAC addresses. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version.
| keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| http.request.method | HTTP request method. The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field. | keyword |
-| http.request.referrer | Referrer for this HTTP request. | keyword |
-| input.type | Input type. | keyword |
-| log.file.path | Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. | keyword |
-| log.level | Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). Some examples are `warn`, `err`, `i`, `informational`. | keyword |
-| log.offset | Offset of the entry in the log file. | long |
-| log.source.address | Source address from which the log event was read / sent from. | keyword |
-| log.syslog.facility.code | The Syslog numeric facility of the log event, if available. According to RFCs 5424 and 3164, this value should be an integer between 0 and 23. | long |
-| log.syslog.priority | Syslog numeric priority of the event, if available. According to RFCs 5424 and 3164, the priority is 8 \* facility + severity. This number is therefore expected to contain a value between 0 and 191. | long |
-| log.syslog.severity.code | The Syslog numeric severity of the log event, if available.
If the event source publishing via Syslog provides a different numeric severity value (e.g. firewall, IDS), your source's numeric severity should go to `event.severity`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `event.severity`. | long |
-| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text |
-| network.application | When a specific application or service is identified from network connection details (source/dest IPs, ports, certificates, or wire format), this field captures the application's or service's name. For example, the original event identifies the network connection being from a specific web service in a `https` network connection, like `facebook` or `twitter`. The field value must be normalized to lowercase for querying. | keyword |
-| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long |
-| network.direction | Direction of the network traffic. When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers.
| keyword |
-| network.forwarded_ip | Host IP address when the source IP address is the proxy. | ip |
-| network.name | Name given by operators to sections of their network. | keyword |
-| network.packets | Total packets transferred in both directions. If `source.packets` and `destination.packets` are known, `network.packets` is their sum. | long |
-| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword |
-| network.vlan.id | VLAN ID as reported by the observer. | keyword |
-| observer.egress.interface.name | Interface name as reported by the system. | keyword |
-| observer.hostname | Hostname of the observer. | keyword |
-| observer.ingress.interface.name | Interface name as reported by the system. | keyword |
-| observer.mac | MAC addresses of the observer. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword |
-| observer.name | Custom name of the observer. This is a name that can be given to an observer. This can be helpful for example if multiple firewalls of the same model are used in an organization. If no custom name is needed, the field can be left empty. | keyword |
-| observer.product | The product name of the observer. | keyword |
-| observer.serial_number | Observer serial number. | keyword |
-| observer.type | The type of the observer the data is coming from. There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. | keyword |
-| observer.vendor | Vendor name of the observer. | keyword |
-| observer.version | Observer version. | keyword |
-| organization.id | Unique identifier for the organization.
| keyword |
-| organization.name | Organization name. | keyword |
-| organization.name.text | Multi-field of `organization.name`. | match_only_text |
-| process.name | Process name. Sometimes called program name or similar. | keyword |
-| process.name.text | Multi-field of `process.name`. | match_only_text |
-| process.parent.name | Process name. Sometimes called program name or similar. | keyword |
-| process.parent.name.text | Multi-field of `process.parent.name`. | match_only_text |
-| process.parent.pid | Process id. | long |
-| process.parent.title | Process title. The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. | keyword |
-| process.parent.title.text | Multi-field of `process.parent.title`. | match_only_text |
-| process.pid | Process id. | long |
-| process.title | Process title. The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. | keyword |
-| process.title.text | Multi-field of `process.title`. | match_only_text |
-| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword |
-| related.ip | All of the IPs seen on your event. | ip |
-| related.user | All the user names or other user identifiers seen on the event. | keyword |
-| rule.name | The name of the rule or signature generating the event. | keyword |
-| server.domain | The domain name of the server system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword |
-| server.mac | MAC address of the server.
The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword |
-| server.registered_domain | The highest registered server domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword |
-| server.subdomain | The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword |
-| server.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword |
-| service.name | Name of the service data is collected from. The name of the service is normally user given. This allows for distributed services that run on multiple hosts to correlate the related instances based on the name. In the case of Elasticsearch the `service.name` could contain the cluster name.
For Beats the `service.name` is by default a copy of the `service.type` field if no name is specified. | keyword |
-| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
-| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long |
-| source.as.organization.name | Organization name. | keyword |
-| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text |
-| source.bytes | Bytes sent from the source to the destination. | long |
-| source.domain | The domain name of the source system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword |
-| source.geo.city_name | City name. | keyword |
-| source.geo.continent_name | Name of the continent. | keyword |
-| source.geo.country_iso_code | Country ISO code. | keyword |
-| source.geo.country_name | Country name. | keyword |
-| source.geo.location | Longitude and latitude. | geo_point |
-| source.geo.region_iso_code | Region ISO code. | keyword |
-| source.geo.region_name | Region name. | keyword |
-| source.ip | IP address of the source (IPv4 or IPv6). | ip |
-| source.mac | MAC address of the source. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword |
-| source.nat.ip | Translated ip of source based NAT sessions (e.g. internal client to internet) Typically connections traversing load balancers, firewalls, or routers.
| ip |
-| source.nat.port | Translated port of source based NAT sessions. (e.g. internal client to internet) Typically used with load balancers, firewalls, or routers. | long |
-| source.port | Port of the source. | long |
-| source.registered_domain | The highest registered source domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword |
-| source.subdomain | The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword |
-| source.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword |
-| tags | List of keywords used to tag each event. | keyword |
-| threat.indicator.description | Describes the type of action conducted by the threat. | keyword |
-| threat.indicator.file.hash.sha256 | SHA256 hash. | keyword |
-| threat.indicator.file.name | Name of the file including the extension, without the directory.
| keyword |
-| threat.indicator.last_seen | The date and time when intelligence source last reported sighting this indicator. | date |
-| threat.indicator.reference | Reference URL linking to additional information about this indicator. | keyword |
-| threat.software.type | The type of software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®. While not required, you can use a MITRE ATT&CK® software type. | keyword |
-| url.domain | Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. | keyword |
-| url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | wildcard |
-| url.original.text | Multi-field of `url.original`. | match_only_text |
-| url.path | Path of the request, such as "/search". | wildcard |
-| url.query | The query field describes the query string of the request, such as "q=elasticsearch". The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. | keyword |
-| url.registered_domain | The highest registered url domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk".
| keyword |
-| url.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword |
-| user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword |
-| user.full_name | User's full name, if available. | keyword |
-| user.full_name.text | Multi-field of `user.full_name`. | match_only_text |
-| user.id | Unique identifier of the user. | keyword |
-| user.name | Short name or login of the user. | keyword |
-| user.name.text | Multi-field of `user.name`. | match_only_text |
-| user_agent.original | Unparsed user_agent string. | keyword |
-| user_agent.original.text | Multi-field of `user_agent.original`.
| match_only_text |
-
-
-An example event for `events` looks as following:
-
-```json
-{
- "@timestamp": "2018-02-11T00:00:00.123Z",
- "agent": {
- "ephemeral_id": "4e898a47-a469-4602-9ba2-0a46f55a3998",
- "id": "e999e428-e6a9-4c63-bd05-0eda93c920b3",
- "name": "docker-fleet-agent",
- "type": "filebeat",
- "version": "8.3.2"
- },
- "cisco_meraki": {
- "event": {
- "alertData": {
- "connection": "LTE",
- "local": "192.168.1.2",
- "model": "UML290VW",
- "provider": "Purview Wireless",
- "remote": "1.2.3.5"
- },
- "alertId": "0000000000000000",
- "alertTypeId": "cellular_up",
- "deviceTags": [
- "tag1",
- "tag2"
- ],
- "deviceUrl": "https://n1.meraki.com//n//manage/nodes/new_list/000000000000",
- "networkId": "N_24329156",
- "networkUrl": "https://n1.meraki.com//n//manage/nodes/list",
- "organizationUrl": "https://dashboard.meraki.com/o/VjjsAd/manage/organization/overview",
- "sentAt": "2021-10-07T08:42:00.926325Z",
- "sharedSecret": "secret",
- "version": "0.1"
- }
- },
- "data_stream": {
- "dataset": "cisco_meraki.events",
- "namespace": "ep",
- "type": "logs"
- },
- "ecs": {
- "version": "8.4.0"
- },
- "elastic_agent": {
- "id": "e999e428-e6a9-4c63-bd05-0eda93c920b3",
- "snapshot": false,
- "version": "8.3.2"
- },
- "event": {
- "action": "Cellular came up",
- "agent_id_status": "verified",
- "category": [
- "network"
- ],
- "dataset": "cisco_meraki.events",
- "ingested": "2022-08-08T18:48:35Z",
- "original": "{\"alertData\":{\"connection\":\"LTE\",\"local\":\"192.168.1.2\",\"model\":\"UML290VW\",\"provider\":\"Purview Wireless\",\"remote\":\"1.2.3.5\"},\"alertId\":\"0000000000000000\",\"alertLevel\":\"informational\",\"alertType\":\"Cellular came up\",\"alertTypeId\":\"cellular_up\",\"deviceMac\":\"00:11:22:33:44:55\",\"deviceModel\":\"MX\",\"deviceName\":\"My
appliance\",\"deviceSerial\":\"Q234-ABCD-5678\",\"deviceTags\":[\"tag1\",\"tag2\"],\"deviceUrl\":\"https://n1.meraki.com//n//manage/nodes/new_list/000000000000\",\"networkId\":\"N_24329156\",\"networkName\":\"Main Office\",\"networkTags\":[],\"networkUrl\":\"https://n1.meraki.com//n//manage/nodes/list\",\"occurredAt\":\"2018-02-11T00:00:00.123450Z\",\"organizationId\":\"2930418\",\"organizationName\":\"My organization\",\"organizationUrl\":\"https://dashboard.meraki.com/o/VjjsAd/manage/organization/overview\",\"sentAt\":\"2021-10-07T08:42:00.926325Z\",\"sharedSecret\":\"secret\",\"version\":\"0.1\"}",
- "type": [
- "info",
- "start"
- ]
- },
- "input": {
- "type": "http_endpoint"
- },
- "log": {
- "level": "informational"
- },
- "network": {
- "name": "Main Office"
- },
- "observer": {
- "mac": "00-11-22-33-44-55",
- "name": "My appliance",
- "product": "MX",
- "serial_number": "Q234-ABCD-5678",
- "vendor": "Cisco"
- },
- "organization": {
- "id": "2930418",
- "name": "My organization"
- },
- "tags": [
- "preserve_original_event",
- "forwarded",
- "meraki-events"
- ]
-}
-```
diff --git a/packages/cisco_meraki/1.2.1/img/cisco-logo.svg b/packages/cisco_meraki/1.2.1/img/cisco-logo.svg
deleted file mode 100755
index a174ad4488..0000000000
--- a/packages/cisco_meraki/1.2.1/img/cisco-logo.svg
+++ /dev/null
@@ -1 +0,0 @@
-
diff --git a/packages/cisco_meraki/1.2.1/img/cisco-meraki-dashboard-1.png b/packages/cisco_meraki/1.2.1/img/cisco-meraki-dashboard-1.png
deleted file mode 100755
index 7f6816cf73..0000000000
Binary files a/packages/cisco_meraki/1.2.1/img/cisco-meraki-dashboard-1.png and /dev/null differ
diff --git a/packages/cisco_meraki/1.2.1/img/cisco-meraki-dashboard-2.png b/packages/cisco_meraki/1.2.1/img/cisco-meraki-dashboard-2.png
deleted file mode 100755
index 810b80d4ad..0000000000
Binary files a/packages/cisco_meraki/1.2.1/img/cisco-meraki-dashboard-2.png and /dev/null differ
diff --git a/packages/cisco_meraki/1.2.1/img/cisco-meraki-dashboard-3.png b/packages/cisco_meraki/1.2.1/img/cisco-meraki-dashboard-3.png
deleted file mode 100755
index 1cfa3ccb7d..0000000000
Binary files a/packages/cisco_meraki/1.2.1/img/cisco-meraki-dashboard-3.png and /dev/null differ
diff --git a/packages/cisco_meraki/1.2.1/kibana/dashboard/cisco_meraki-4832a430-af22-11ec-a899-6f7e676e0fb4.json b/packages/cisco_meraki/1.2.1/kibana/dashboard/cisco_meraki-4832a430-af22-11ec-a899-6f7e676e0fb4.json
deleted file mode 100755
index 11cb03d88a..0000000000
--- a/packages/cisco_meraki/1.2.1/kibana/dashboard/cisco_meraki-4832a430-af22-11ec-a899-6f7e676e0fb4.json
+++ /dev/null
@@ -1,157 +0,0 @@ -{ - "attributes": { - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"cisco_meraki.log\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"cisco_meraki.log\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-9f3c668f-fec6-4125-ae7b-fcb073df79c1\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"filter-index-pattern-0\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"9f3c668f-fec6-4125-ae7b-fcb073df79c1\":{\"columnOrder\":[\"c379da24-eba4-47a5-b9aa-213324504619\"],\"columns\":{\"c379da24-eba4-47a5-b9aa-213324504619\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Unique count of 
source.mac\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"source.mac\"}},\"incompleteColumns\":{}}}}},\"filters\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"filter-index-pattern-0\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"cisco_meraki.log\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"cisco_meraki.log\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"c379da24-eba4-47a5-b9aa-213324504619\",\"layerId\":\"9f3c668f-fec6-4125-ae7b-fcb073df79c1\",\"layerType\":\"data\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":5,\"i\":\"372a6801-2e52-4c4c-a674-746eec7f7e09\",\"w\":9,\"x\":0,\"y\":0},\"panelIndex\":\"372a6801-2e52-4c4c-a674-746eec7f7e09\",\"title\":\"Count of source MAC address\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-511effff-5682-4cfa-a2de-739bbefa93ea\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"filter-index-pattern-0\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"511effff-5682-4cfa-a2de-739bbefa93ea\":{\"columnOrder\":[\"b6287f3a-b96b-4973-b2d2-1e4f7830f9e5\",\"0929169c-0ee9-4eb6-93b6-effcb648c779\",\"c66ed022-eab0-4834-8a01-f508aa4b32b3\"],\"columns\":{\"0929169c-0ee9-4eb6-93b6-effcb648c779\":{\"dataType\":\"date\",\"isBucketed\":true,\"label\":\"@timestamp\",\"operationType\":\"date_histogram\",\"params\":{\"interval\":\"auto\"},\"scale\":\"interval\",\"sourceField\":\"@timestamp\"},\"b6287f3a-b96b-4973-b2d2-1e4f7830f9e5\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of 
cisco_meraki.event_type\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"c66ed022-eab0-4834-8a01-f508aa4b32b3\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"cisco_meraki.event_type\"},\"c66ed022-eab0-4834-8a01-f508aa4b32b3\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"filter-index-pattern-0\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"cisco_meraki.log\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"cisco_meraki.log\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"axisTitlesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"fittingFunction\":\"None\",\"gridlinesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"layers\":[{\"accessors\":[\"c66ed022-eab0-4834-8a01-f508aa4b32b3\"],\"layerId\":\"511effff-5682-4cfa-a2de-739bbefa93ea\",\"layerType\":\"data\",\"position\":\"top\",\"seriesType\":\"line\",\"showGridlines\":false,\"splitAccessor\":\"b6287f3a-b96b-4973-b2d2-1e4f7830f9e5\",\"xAccessor\":\"0929169c-0ee9-4eb6-93b6-effcb648c779\"}],\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"preferredSeriesType\":\"line\",\"tickLabelsVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"valueLabels\":\"hide\",\"yLeftExtent\":{\"mode\":\"full\"},\"yRightExtent\":{\"mode\":\"full\"}}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsXY\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"03bf41fe-673d-4f95-9d6e-510d8dc46ba6\",\"w\":13,\"x\":9,\"y\":0},\"panelIndex\":\"03bf41fe
-673d-4f95-9d6e-510d8dc46ba6\",\"title\":\"Rate of events by type\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-abda3ec0-db97-4e02-a42e-45e716110de2\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"filter-index-pattern-0\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"abda3ec0-db97-4e02-a42e-45e716110de2\":{\"columnOrder\":[\"c59ef8c2-80ea-4386-834f-378f4a76b87c\",\"c1fce02c-25a5-4a5c-a3a3-9412786a5520\"],\"columns\":{\"c1fce02c-25a5-4a5c-a3a3-9412786a5520\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"params\":{},\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"c59ef8c2-80ea-4386-834f-378f4a76b87c\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of 
cisco_meraki.event_type\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"c1fce02c-25a5-4a5c-a3a3-9412786a5520\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"cisco_meraki.event_type\"}},\"incompleteColumns\":{}}}}},\"filters\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"filter-index-pattern-0\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"cisco_meraki.log\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"cisco_meraki.log\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"c59ef8c2-80ea-4386-834f-378f4a76b87c\"],\"layerId\":\"abda3ec0-db97-4e02-a42e-45e716110de2\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"c1fce02c-25a5-4a5c-a3a3-9412786a5520\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"donut\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"475cb47c-34d7-4c56-b57d-e27d25678fc8\",\"w\":13,\"x\":22,\"y\":0},\"panelIndex\":\"475cb47c-34d7-4c56-b57d-e27d25678fc8\",\"title\":\"Event distribution by 
type\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-d8f74b4f-a83b-47bc-b862-2bc47ee790eb\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"d8f74b4f-a83b-47bc-b862-2bc47ee790eb\":{\"columnOrder\":[\"d1a56033-ffe5-44ed-a05f-ab79d5db90aa\",\"a6d64dae-3a8d-49c1-8e4d-b08758c35a09\"],\"columns\":{\"a6d64dae-3a8d-49c1-8e4d-b08758c35a09\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Unique count of cisco_meraki.event_type\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"cisco_meraki.event_type\"},\"d1a56033-ffe5-44ed-a05f-ab79d5db90aa\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of cisco_meraki.event_subtype\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"a6d64dae-3a8d-49c1-8e4d-b08758c35a09\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"cisco_meraki.event_subtype\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"d1a56033-ffe5-44ed-a05f-ab79d5db90aa\"],\"layerId\":\"d8f74b4f-a83b-47bc-b862-2bc47ee790eb\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"a6d64dae-3a8d-49c1-8e4d-b08758c35a09\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"donut\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"58bbda58-7c31-44e1-8568-d37c2c585e53\",\"w\":13,\"x\":35,\"y\":0},\"panelIndex\":\"58bbda58-7c31-44e1-8568-d37c2c585e53\",\"title\":\"Event distribution by 
sub-type\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-5dc18b67-2c60-44c0-b3b5-7dd507bd4c3d\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"filter-index-pattern-0\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"filter-index-pattern-1\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"5dc18b67-2c60-44c0-b3b5-7dd507bd4c3d\":{\"columnOrder\":[\"66ede758-6532-443e-834d-a847c964682f\"],\"columns\":{\"66ede758-6532-443e-834d-a847c964682f\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"No. of rogue SSIDs detected\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"filter-index-pattern-0\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"cisco_meraki.log\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"cisco_meraki.log\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"filter-index-pattern-1\",\"key\":\"cisco_meraki.event_subtype\",\"negate\":false,\"params\":{\"query\":\"rogue_ssid_detected\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"cisco_meraki.event_subtype\":\"rogue_ssid_detected\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"66ede758-6532-443e-834d-a847c964682f\",\"layerId\":\"5dc18b67-2c60-44c0-b3b5-7dd507bd4c3d\",\"layerType\":\"data\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":5,\"i\":\"8baff03a-7860-4fcc-90ff-3d5534e70845\",\"w\":
9,\"x\":0,\"y\":5},\"panelIndex\":\"8baff03a-7860-4fcc-90ff-3d5534e70845\",\"title\":\"Number of rogue SSIDs detected\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-bcffdee9-d006-4e9c-abcc-081ac4739d02\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"filter-index-pattern-0\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"filter-index-pattern-1\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"bcffdee9-d006-4e9c-abcc-081ac4739d02\":{\"columnOrder\":[\"86b75fce-daae-4725-8de4-6bcd5c7cc80a\"],\"columns\":{\"86b75fce-daae-4725-8de4-6bcd5c7cc80a\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"No. of SSID spoofing detected\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"filter-index-pattern-0\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"cisco_meraki.log\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"cisco_meraki.log\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"filter-index-pattern-1\",\"key\":\"cisco_meraki.event_subtype\",\"negate\":false,\"params\":{\"query\":\"ssid_spoofing_detected\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"cisco_meraki.event_subtype\":\"ssid_spoofing_detected\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"86b75fce-daae-4725-8de4-6bcd5c7cc80a\",\"layerId\":\"bcffdee9-d006-4e9c-abcc-081ac4739d02\",\"layerType\":\"data\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsMetric\"},\"enh
ancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":5,\"i\":\"bcfe3eee-750d-476f-b7c1-afec41803720\",\"w\":9,\"x\":0,\"y\":10},\"panelIndex\":\"bcfe3eee-750d-476f-b7c1-afec41803720\",\"title\":\"Number of SSID spoofing detected\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-9a165bef-572a-44fb-9285-70d75530b799\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"filter-index-pattern-0\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"9a165bef-572a-44fb-9285-70d75530b799\":{\"columnOrder\":[\"9df0ec49-bc15-494a-8ca7-437cd63ee7cd\",\"aca7f561-3ca9-4705-bf6e-e470d1fb0536\",\"5a195aa9-a6fa-45cd-94a7-89f782c9a638\"],\"columns\":{\"5a195aa9-a6fa-45cd-94a7-89f782c9a638\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Unique count of event.action\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"event.action\"},\"9df0ec49-bc15-494a-8ca7-437cd63ee7cd\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of event.category\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"5a195aa9-a6fa-45cd-94a7-89f782c9a638\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"event.category\"},\"aca7f561-3ca9-4705-bf6e-e470d1fb0536\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of 
event.action\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"5a195aa9-a6fa-45cd-94a7-89f782c9a638\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"event.action\"}},\"incompleteColumns\":{}}}}},\"filters\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"filter-index-pattern-0\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"cisco_meraki.log\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"cisco_meraki.log\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"9df0ec49-bc15-494a-8ca7-437cd63ee7cd\",\"aca7f561-3ca9-4705-bf6e-e470d1fb0536\"],\"layerId\":\"9a165bef-572a-44fb-9285-70d75530b799\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"5a195aa9-a6fa-45cd-94a7-89f782c9a638\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"pie\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":24,\"i\":\"e359d544-a8d6-4019-9756-74519a9d3335\",\"w\":27,\"x\":0,\"y\":15},\"panelIndex\":\"e359d544-a8d6-4019-9756-74519a9d3335\",\"title\":\"Events by category and 
action\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"description\":\"\",\"layerListJSON\":\"[{\\\"sourceDescriptor\\\":{\\\"type\\\":\\\"EMS_TMS\\\",\\\"isAutoSelect\\\":true},\\\"id\\\":\\\"09082ad3-0055-461d-bf69-2b69a5dfb298\\\",\\\"label\\\":null,\\\"minZoom\\\":0,\\\"maxZoom\\\":24,\\\"alpha\\\":1,\\\"visible\\\":true,\\\"style\\\":{\\\"type\\\":\\\"TILE\\\"},\\\"includeInFitToBounds\\\":true,\\\"type\\\":\\\"VECTOR_TILE\\\"},{\\\"sourceDescriptor\\\":{\\\"indexPatternId\\\":\\\"logs-*\\\",\\\"sourceGeoField\\\":\\\"source.geo.location\\\",\\\"destGeoField\\\":\\\"destination.geo.location\\\",\\\"id\\\":\\\"ce84cee6-da49-4261-beaa-628ca03abc52\\\",\\\"type\\\":\\\"ES_PEW_PEW\\\",\\\"applyGlobalQuery\\\":true,\\\"applyGlobalTime\\\":true,\\\"applyForceRefresh\\\":true,\\\"metrics\\\":[{\\\"type\\\":\\\"count\\\"}]},\\\"style\\\":{\\\"type\\\":\\\"VECTOR\\\",\\\"properties\\\":{\\\"icon\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"value\\\":\\\"marker\\\"}},\\\"fillColor\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"color\\\":\\\"#54B399\\\"}},\\\"lineColor\\\":{\\\"type\\\":\\\"DYNAMIC\\\",\\\"options\\\":{\\\"color\\\":\\\"Green to 
Red\\\",\\\"colorCategory\\\":\\\"palette_0\\\",\\\"field\\\":{\\\"name\\\":\\\"doc_count\\\",\\\"origin\\\":\\\"source\\\"},\\\"fieldMetaOptions\\\":{\\\"isEnabled\\\":true,\\\"sigma\\\":3},\\\"type\\\":\\\"ORDINAL\\\",\\\"useCustomColorRamp\\\":false}},\\\"lineWidth\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"size\\\":3}},\\\"iconSize\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"size\\\":6}},\\\"iconOrientation\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"orientation\\\":0}},\\\"labelText\\\":{\\\"type\\\":\\\"DYNAMIC\\\",\\\"options\\\":{\\\"field\\\":{\\\"label\\\":\\\"count\\\",\\\"name\\\":\\\"doc_count\\\",\\\"origin\\\":\\\"source\\\",\\\"type\\\":\\\"number\\\",\\\"supportsAutoDomain\\\":true}}},\\\"labelColor\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"color\\\":\\\"#000000\\\"}},\\\"labelSize\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"size\\\":14}},\\\"labelBorderColor\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"color\\\":\\\"#FFFFFF\\\"}},\\\"symbolizeAs\\\":{\\\"options\\\":{\\\"value\\\":\\\"circle\\\"}},\\\"labelBorderSize\\\":{\\\"options\\\":{\\\"size\\\":\\\"SMALL\\\"}}},\\\"isTimeAware\\\":true},\\\"id\\\":\\\"8dec8632-de8b-43df-9731-5c6c45ecb45f\\\",\\\"label\\\":\\\"src-dst-ip-p2p\\\",\\\"minZoom\\\":0,\\\"maxZoom\\\":24,\\\"alpha\\\":0.75,\\\"visible\\\":true,\\\"includeInFitToBounds\\\":true,\\\"type\\\":\\\"VECTOR\\\",\\\"joins\\\":[]}]\",\"mapStateJSON\":\"{\\\"zoom\\\":1.61,\\\"center\\\":{\\\"lon\\\":0,\\\"lat\\\":19.94277},\\\"timeFilters\\\":{\\\"from\\\":\\\"now-2y\\\",\\\"to\\\":\\\"now\\\"},\\\"refreshConfig\\\":{\\\"isPaused\\\":true,\\\"interval\\\":0},\\\"query\\\":{\\\"query\\\":\\\"\\\",\\\"language\\\":\\\"kuery\\\"},\\\"filters\\\":[{\\\"meta\\\":{\\\"index\\\":\\\"logs-*\\\",\\\"alias\\\":null,\\\"negate\\\":false,\\\"disabled\\\":false,\\\"type\\\":\\\"phrase\\\",\\\"key\\\":\\\"data_stream.dataset\\\",\\\"params\\\":{\\\"query\\\":\\\"cisco_meraki.log\\\"}},\\\"query
\\\":{\\\"match_phrase\\\":{\\\"data_stream.dataset\\\":\\\"cisco_meraki.log\\\"}},\\\"$state\\\":{\\\"store\\\":\\\"appState\\\"}}],\\\"settings\\\":{\\\"autoFitToDataBounds\\\":false,\\\"backgroundColor\\\":\\\"#ffffff\\\",\\\"disableInteractive\\\":false,\\\"disableTooltipControl\\\":false,\\\"hideToolbarOverlay\\\":false,\\\"hideLayerControl\\\":false,\\\"hideViewControl\\\":false,\\\"initialLocation\\\":\\\"LAST_SAVED_LOCATION\\\",\\\"fixedLocation\\\":{\\\"lat\\\":0,\\\"lon\\\":0,\\\"zoom\\\":2},\\\"browserLocation\\\":{\\\"zoom\\\":2},\\\"maxZoom\\\":24,\\\"minZoom\\\":0,\\\"showScaleControl\\\":false,\\\"showSpatialFilters\\\":true,\\\"showTimesliderToggleButton\\\":true,\\\"spatialFiltersAlpa\\\":0.3,\\\"spatialFiltersFillColor\\\":\\\"#DA8B45\\\",\\\"spatialFiltersLineColor\\\":\\\"#DA8B45\\\"}}\",\"title\":\"\",\"uiStateJSON\":\"{\\\"isLayerTOCOpen\\\":true,\\\"openTOCDetails\\\":[]}\"},\"enhancements\":{},\"hiddenLayers\":[],\"hidePanelTitles\":false,\"isLayerTOCOpen\":false,\"mapBuffer\":{\"maxLat\":85.05113,\"maxLon\":180,\"minLat\":-85.05113,\"minLon\":-180},\"mapCenter\":{\"lat\":19.50912,\"lon\":-10.59576,\"zoom\":0.61},\"openTOCDetails\":[]},\"gridData\":{\"h\":12,\"i\":\"beacf090-799a-415a-bbad-302cd02d50be\",\"w\":21,\"x\":27,\"y\":15},\"panelIndex\":\"beacf090-799a-415a-bbad-302cd02d50be\",\"title\":\"IP 
Flows\",\"type\":\"map\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-04c98418-d7c7-4552-9ed3-d0380795febd\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"filter-index-pattern-0\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"04c98418-d7c7-4552-9ed3-d0380795febd\":{\"columnOrder\":[\"1e47d004-4347-46ee-aed2-280f64e8888d\",\"4c2300ef-9033-45bd-8b0e-06deea3996f1\"],\"columns\":{\"1e47d004-4347-46ee-aed2-280f64e8888d\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of url.original\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"4c2300ef-9033-45bd-8b0e-06deea3996f1\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"url.original\"},\"4c2300ef-9033-45bd-8b0e-06deea3996f1\":{\"dataType\":\"number\",\"filter\":{\"language\":\"kuery\",\"query\":\"\"},\"isBucketed\":false,\"label\":\"Count of 
records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"filter-index-pattern-0\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"cisco_meraki.log\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"cisco_meraki.log\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"accessors\":[\"4c2300ef-9033-45bd-8b0e-06deea3996f1\"],\"layerId\":\"04c98418-d7c7-4552-9ed3-d0380795febd\",\"layerType\":\"data\",\"position\":\"top\",\"seriesType\":\"bar_horizontal\",\"showGridlines\":false,\"xAccessor\":\"1e47d004-4347-46ee-aed2-280f64e8888d\",\"yConfig\":[{\"axisMode\":\"auto\",\"forAccessor\":\"4c2300ef-9033-45bd-8b0e-06deea3996f1\"}]}],\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"preferredSeriesType\":\"bar_horizontal\",\"title\":\"Empty XY chart\",\"valueLabels\":\"hide\",\"yLeftExtent\":{\"mode\":\"full\"},\"yRightExtent\":{\"mode\":\"full\"}}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsXY\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":12,\"i\":\"58d65007-15fc-492f-a8db-f509b7d28aad\",\"w\":21,\"x\":27,\"y\":27},\"panelIndex\":\"58d65007-15fc-492f-a8db-f509b7d28aad\",\"title\":\"Top URL access\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":20,\"i\":\"a7fc4a8a-954f-4fc0-acfc-2d358c89b2c6\",\"w\":48,\"x\":0,\"y\":39},\"panelIndex\":\"a7fc4a8a-954f-4fc0-acfc-2d358c89b2c6\",\"title\":\"Log stream\",\"type\":\"LOG_STREAM_EMBEDDABLE\",\"version\":\"7.17.0\"}]", - "timeRestore": false, - "title": "[Logs Cisco Meraki Syslog Events] Overview", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "cisco_meraki-4832a430-af22-11ec-a899-6f7e676e0fb4", - "migrationVersion": { - "dashboard": "7.17.0" - }, - 
"references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "372a6801-2e52-4c4c-a674-746eec7f7e09:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "372a6801-2e52-4c4c-a674-746eec7f7e09:indexpattern-datasource-layer-9f3c668f-fec6-4125-ae7b-fcb073df79c1", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "372a6801-2e52-4c4c-a674-746eec7f7e09:filter-index-pattern-0", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "03bf41fe-673d-4f95-9d6e-510d8dc46ba6:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "03bf41fe-673d-4f95-9d6e-510d8dc46ba6:indexpattern-datasource-layer-511effff-5682-4cfa-a2de-739bbefa93ea", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "03bf41fe-673d-4f95-9d6e-510d8dc46ba6:filter-index-pattern-0", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "475cb47c-34d7-4c56-b57d-e27d25678fc8:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "475cb47c-34d7-4c56-b57d-e27d25678fc8:indexpattern-datasource-layer-abda3ec0-db97-4e02-a42e-45e716110de2", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "475cb47c-34d7-4c56-b57d-e27d25678fc8:filter-index-pattern-0", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "58bbda58-7c31-44e1-8568-d37c2c585e53:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "58bbda58-7c31-44e1-8568-d37c2c585e53:indexpattern-datasource-layer-d8f74b4f-a83b-47bc-b862-2bc47ee790eb", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "8baff03a-7860-4fcc-90ff-3d5534e70845:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": 
"8baff03a-7860-4fcc-90ff-3d5534e70845:indexpattern-datasource-layer-5dc18b67-2c60-44c0-b3b5-7dd507bd4c3d", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "8baff03a-7860-4fcc-90ff-3d5534e70845:filter-index-pattern-0", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "8baff03a-7860-4fcc-90ff-3d5534e70845:filter-index-pattern-1", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "bcfe3eee-750d-476f-b7c1-afec41803720:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "bcfe3eee-750d-476f-b7c1-afec41803720:indexpattern-datasource-layer-bcffdee9-d006-4e9c-abcc-081ac4739d02", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "bcfe3eee-750d-476f-b7c1-afec41803720:filter-index-pattern-0", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "bcfe3eee-750d-476f-b7c1-afec41803720:filter-index-pattern-1", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "e359d544-a8d6-4019-9756-74519a9d3335:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "e359d544-a8d6-4019-9756-74519a9d3335:indexpattern-datasource-layer-9a165bef-572a-44fb-9285-70d75530b799", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "e359d544-a8d6-4019-9756-74519a9d3335:filter-index-pattern-0", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "beacf090-799a-415a-bbad-302cd02d50be:layer_1_source_index_pattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "58d65007-15fc-492f-a8db-f509b7d28aad:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "58d65007-15fc-492f-a8db-f509b7d28aad:indexpattern-datasource-layer-04c98418-d7c7-4552-9ed3-d0380795febd", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "58d65007-15fc-492f-a8db-f509b7d28aad:filter-index-pattern-0", - "type": "index-pattern" - } - ], - "type": 
"dashboard"
-}
\ No newline at end of file
diff --git a/packages/cisco_meraki/1.2.1/manifest.yml b/packages/cisco_meraki/1.2.1/manifest.yml
deleted file mode 100755
index 239f7341bd..0000000000
--- a/packages/cisco_meraki/1.2.1/manifest.yml
+++ /dev/null
@@ -1,50 +0,0 @@
-format_version: 1.0.0
-name: cisco_meraki
-title: Cisco Meraki
-version: 1.2.1
-license: basic
-description: Collect logs from Cisco Meraki with Elastic Agent.
-type: integration
-categories:
- - network
- - security
-release: ga
-conditions:
- kibana.version: ^7.17.0 || ^8.0.0
-screenshots:
- - src: /img/cisco-meraki-dashboard-1.png
- title: Cisco Meraki Dashboard
- size: 600x600
- type: image/png
- - src: /img/cisco-meraki-dashboard-2.png
- title: Cisco Meraki Dashboard
- size: 600x600
- type: image/png
- - src: /img/cisco-meraki-dashboard-3.png
- title: Cisco Meraki Dashboard
- size: 600x600
- type: image/png
-icons:
- - src: /img/cisco-logo.svg
- title: Cisco logo
- size: 32x32
- type: image/svg+xml
-policy_templates:
- - name: cisco_meraki
- title: Cisco Meraki logs or events
- description: Collect logs or events from Cisco Meraki
- inputs:
- - type: udp
- title: Collect syslog from Cisco Meraki via UDP
- description: Collecting syslog from Cisco Meraki via UDP
- - type: tcp
- title: Collect syslog from Cisco Meraki via TCP
- description: Collecting syslog from Cisco Meraki via TCP
- - type: logfile
- title: Collect syslog from Cisco Meraki via file
- description: Collecting syslog from Cisco Meraki via file
- - type: http_endpoint
- title: Collect events from Cisco Meraki via Webhooks
- description: Collecting events from Cisco Meraki via Webhooks
-owner:
- github: elastic/security-external-integrations
diff --git a/packages/cisco_nexus/0.7.2/LICENSE.txt b/packages/cisco_nexus/0.7.2/LICENSE.txt
deleted file mode 100755
index 809108b857..0000000000
--- a/packages/cisco_nexus/0.7.2/LICENSE.txt
+++ /dev/null
@@ -1,93 +0,0 @@
-Elastic License 2.0
-
-URL: https://www.elastic.co/licensing/elastic-license
-
-## Acceptance
-
-By using the software, you agree to all of the terms and conditions below.
-
-## Copyright License
-
-The licensor grants you a non-exclusive, royalty-free, worldwide,
-non-sublicensable, non-transferable license to use, copy, distribute, make
-available, and prepare derivative works of the software, in each case subject to
-the limitations and conditions below.
-
-## Limitations
-
-You may not provide the software to third parties as a hosted or managed
-service, where the service provides users with access to any substantial set of
-the features or functionality of the software.
-
-You may not move, change, disable, or circumvent the license key functionality
-in the software, and you may not remove or obscure any functionality in the
-software that is protected by the license key.
-
-You may not alter, remove, or obscure any licensing, copyright, or other notices
-of the licensor in the software. Any use of the licensor’s trademarks is subject
-to applicable law.
-
-## Patents
-
-The licensor grants you a license, under any patent claims the licensor can
-license, or becomes able to license, to make, have made, use, sell, offer for
-sale, import and have imported the software, in each case subject to the
-limitations and conditions in this license. This license does not cover any
-patent claims that you cause to be infringed by modifications or additions to
-the software. If you or your company make any written claim that the software
-infringes or contributes to infringement of any patent, your patent license for
-the software granted under these terms ends immediately. If your company makes
-such a claim, your patent license ends immediately for work on behalf of your
-company.
-
-## Notices
-
-You must ensure that anyone who gets a copy of any part of the software from you
-also gets a copy of these terms.
-
-If you modify the software, you must include in any modified copies of the
-software prominent notices stating that you have modified the software.
-
-## No Other Rights
-
-These terms do not imply any licenses other than those expressly granted in
-these terms.
-
-## Termination
-
-If you use the software in violation of these terms, such use is not licensed,
-and your licenses will automatically terminate. If the licensor provides you
-with a notice of your violation, and you cease all violation of this license no
-later than 30 days after you receive that notice, your licenses will be
-reinstated retroactively. However, if you violate these terms after such
-reinstatement, any additional violation of these terms will cause your licenses
-to terminate automatically and permanently.
-
-## No Liability
-
-*As far as the law allows, the software comes as is, without any warranty or
-condition, and the licensor will not be liable to you for any damages arising
-out of these terms or the use or nature of the software, under any kind of
-legal claim.*
-
-## Definitions
-
-The **licensor** is the entity offering these terms, and the **software** is the
-software the licensor makes available under these terms, including any portion
-of it.
-
-**you** refers to the individual or entity agreeing to these terms.
-
-**your company** is any legal entity, sole proprietorship, or other kind of
-organization that you work for, plus all organizations that have control over,
-are under the control of, or are under common control with that
-organization. **control** means ownership of substantially all the assets of an
-entity, or the power to direct its management and policies by vote, contract, or
-otherwise. Control can be direct or indirect.
-
-**your licenses** are all the licenses granted to you for the software under
-these terms.
-
-**use** means anything you do with the software requiring one of your licenses.
-
-**trademark** means trademarks, service marks, and similar rights.
diff --git a/packages/cisco_nexus/0.7.2/changelog.yml b/packages/cisco_nexus/0.7.2/changelog.yml
deleted file mode 100755
index 9bd0ad0b6c..0000000000
--- a/packages/cisco_nexus/0.7.2/changelog.yml
+++ /dev/null
@@ -1,76 +0,0 @@
-# newer versions go on top
-- version: "0.7.2"
- changes:
- - description: Remove duplicate field.
- type: bugfix
- link: https://github.com/elastic/integrations/issues/4327
-- version: "0.7.1"
- changes:
- - description: Use ECS geo.location definition.
- type: enhancement
- link: https://github.com/elastic/integrations/issues/4227
-- version: "0.7.0"
- changes:
- - description: Update package to ECS 8.4.0
- type: enhancement
- link: https://github.com/elastic/integrations/pull/3843
-- version: "0.6.0"
- changes:
- - description: Update package to ECS 8.3.0.
- type: enhancement
- link: https://github.com/elastic/integrations/pull/3353
-- version: "0.5.1"
- changes:
- - description: Updated readme file
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2934
-- version: "0.5.0"
- changes:
- - description: Update to ECS 8.2.0
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2778
-- version: "0.4.1"
- changes:
- - description: Add documentation for multi-fields
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2916
-- version: "0.4.0"
- changes:
- - description: Update to ECS 8.0.0
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2581
-- version: "0.3.1"
- changes:
- - description: Regenerate test files using the new GeoIP database
- type: bugfix
- link: https://github.com/elastic/integrations/pull/2339
-- version: "0.3.0"
- changes:
- - description: Add 8.0.0 version constraint
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2250
-- version: "0.2.3"
- changes:
- - description: Update Title and Description.
- type: enhancement
- link: https://github.com/elastic/integrations/pull/1957
-- version: "0.2.2"
- changes:
- - description: Fixed a bug that prevents the package from working in 7.16.
- type: bugfix
- link: https://github.com/elastic/integrations/pull/1882
-- version: "0.2.1"
- changes:
- - description: Fix logic that checks for the 'forwarded' tag
- type: bugfix
- link: https://github.com/elastic/integrations/pull/1809
-- version: "0.2.0"
- changes:
- - description: Update to ECS 1.12.0
- type: enhancement
- link: https://github.com/elastic/integrations/pull/1786
-- version: "0.1.0"
- changes:
- - description: Initial implementation for splitting Cisco nexus from Cisco package
- type: enhancement
- link: https://github.com/elastic/integrations/pull/1588
diff --git a/packages/cisco_nexus/0.7.2/data_stream/log/agent/stream/stream.yml.hbs b/packages/cisco_nexus/0.7.2/data_stream/log/agent/stream/stream.yml.hbs
deleted file mode 100755
index d998957901..0000000000
--- a/packages/cisco_nexus/0.7.2/data_stream/log/agent/stream/stream.yml.hbs
+++ /dev/null
@@ -1,7179 +0,0 @@ -paths: -{{#each paths as |path i|}} - - {{path}} -{{/each}} -exclude_files: [".gz$"] -tags: -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#each tags as |tag i|}} - - {{tag}} -{{/each}} -fields_under_root: true -fields: - observer: - vendor: "Cisco" - product: "Nexus" - type: "Switches" -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} -processors: -{{#if processors}} -{{processors}} -{{/if}} -- script: - lang: javascript - params: - ecs: true - rsa: {{rsa_fields}} - tz_offset: {{tz_offset}} - keep_raw: {{keep_raw_fields}} - debug: {{debug}} - source: | - // Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - // or more contributor license agreements. Licensed under the Elastic License; - // you may not use this file except in compliance with the Elastic License. - - /* jshint -W014,-W016,-W097,-W116 */ - - var processor = require("processor"); - var console = require("console"); - - var FLAG_FIELD = "log.flags"; - var FIELDS_OBJECT = "nwparser"; - var FIELDS_PREFIX = FIELDS_OBJECT + "."; - - var defaults = { - debug: false, - ecs: true, - rsa: false, - keep_raw: false, - tz_offset: "local", - strip_priority: true - }; - - var saved_flags = null; - var debug; - var map_ecs; - var map_rsa; - var keep_raw; - var device; - var tz_offset; - var strip_priority; - - // Register params from configuration. - function register(params) { - debug = params.debug !== undefined ? params.debug : defaults.debug; - map_ecs = params.ecs !== undefined ? params.ecs : defaults.ecs; - map_rsa = params.rsa !== undefined ? params.rsa : defaults.rsa; - keep_raw = params.keep_raw !== undefined ? params.keep_raw : defaults.keep_raw; - tz_offset = parse_tz_offset(params.tz_offset !== undefined? params.tz_offset : defaults.tz_offset); - strip_priority = params.strip_priority !== undefined? 
params.strip_priority : defaults.strip_priority; - device = new DeviceProcessor(); - } - - function parse_tz_offset(offset) { - var date; - var m; - switch(offset) { - // local uses the tz offset from the JS VM. - case "local": - date = new Date(); - // Reversing the sign as we the offset from UTC, not to UTC. - return parse_local_tz_offset(-date.getTimezoneOffset()); - // event uses the tz offset from event.timezone (add_locale processor). - case "event": - return offset; - // Otherwise a tz offset in the form "[+-][0-9]{4}" is required. - default: - m = offset.match(/^([+\-])([0-9]{2}):?([0-9]{2})?$/); - if (m === null || m.length !== 4) { - throw("bad timezone offset: '" + offset + "'. Must have the form +HH:MM"); - } - return m[1] + m[2] + ":" + (m[3]!==undefined? m[3] : "00"); - } - } - - function parse_local_tz_offset(minutes) { - var neg = minutes < 0; - minutes = Math.abs(minutes); - var min = minutes % 60; - var hours = Math.floor(minutes / 60); - var pad2digit = function(n) { - if (n < 10) { return "0" + n;} - return "" + n; - }; - return (neg? "-" : "+") + pad2digit(hours) + ":" + pad2digit(min); - } - - function process(evt) { - // Function register is only called by the processor when `params` are set - // in the processor config. - if (device === undefined) { - register(defaults); - } - return device.process(evt); - } - - function processor_chain(subprocessors) { - var builder = new processor.Chain(); - subprocessors.forEach(builder.Add); - return builder.Build().Run; - } - - function linear_select(subprocessors) { - return function (evt) { - var flags = evt.Get(FLAG_FIELD); - var i; - for (i = 0; i < subprocessors.length; i++) { - evt.Delete(FLAG_FIELD); - if (debug) console.warn("linear_select trying entry " + i); - subprocessors[i](evt); - // Dissect processor succeeded? 
- if (evt.Get(FLAG_FIELD) == null) break; - if (debug) console.warn("linear_select failed entry " + i); - } - if (flags !== null) { - evt.Put(FLAG_FIELD, flags); - } - if (debug) { - if (i < subprocessors.length) { - console.warn("linear_select matched entry " + i); - } else { - console.warn("linear_select didn't match"); - } - } - }; - } - - function conditional(opt) { - return function(evt) { - if (opt.if(evt)) { - opt.then(evt); - } else if (opt.else) { - opt.else(evt); - } - }; - } - - var strip_syslog_priority = (function() { - var isEnabled = function() { return strip_priority === true; }; - var fetchPRI = field("_pri"); - var fetchPayload = field("payload"); - var removePayload = remove(["payload"]); - var cleanup = remove(["_pri", "payload"]); - var onMatch = function(evt) { - var pri, priStr = fetchPRI(evt); - if (priStr != null - && 0 < priStr.length && priStr.length < 4 - && !isNaN((pri = Number(priStr))) - && 0 <= pri && pri < 192) { - var severity = pri & 7, - facility = pri >> 3; - setc("_severity", "" + severity)(evt); - setc("_facility", "" + facility)(evt); - // Replace message with priority stripped. - evt.Put("message", fetchPayload(evt)); - removePayload(evt); - } else { - // not a valid syslog PRI, cleanup. 
- cleanup(evt); - } - }; - return conditional({ - if: isEnabled, - then: cleanup_flags(match( - "STRIP_PRI", - "message", - "<%{_pri}>%{payload}", - onMatch - )) - }); - })(); - - function match(id, src, pattern, on_success) { - var dissect = new processor.Dissect({ - field: src, - tokenizer: pattern, - target_prefix: FIELDS_OBJECT, - ignore_failure: true, - overwrite_keys: true, - trim_values: "right" - }); - return function (evt) { - var msg = evt.Get(src); - dissect.Run(evt); - var failed = evt.Get(FLAG_FIELD) != null; - if (debug) { - if (failed) { - console.debug("dissect fail: " + id + " field:" + src); - } else { - console.debug("dissect OK: " + id + " field:" + src); - } - console.debug(" expr: <<" + pattern + ">>"); - console.debug(" input: <<" + msg + ">>"); - } - if (on_success != null && !failed) { - on_success(evt); - } - }; - } - - function match_copy(id, src, dst, on_success) { - dst = FIELDS_PREFIX + dst; - if (dst === FIELDS_PREFIX || dst === src) { - return function (evt) { - if (debug) { - console.debug("noop OK: " + id + " field:" + src); - console.debug(" input: <<" + evt.Get(src) + ">>"); - } - if (on_success != null) on_success(evt); - } - } - return function (evt) { - var msg = evt.Get(src); - evt.Put(dst, msg); - if (debug) { - console.debug("copy OK: " + id + " field:" + src); - console.debug(" target: '" + dst + "'"); - console.debug(" input: <<" + msg + ">>"); - } - if (on_success != null) on_success(evt); - } - } - - function cleanup_flags(processor) { - return function(evt) { - processor(evt); - evt.Delete(FLAG_FIELD); - }; - } - - function all_match(opts) { - return function (evt) { - var i; - for (i = 0; i < opts.processors.length; i++) { - evt.Delete(FLAG_FIELD); - opts.processors[i](evt); - // Dissect processor succeeded? 
- if (evt.Get(FLAG_FIELD) != null) { - if (debug) console.warn("all_match failure at " + i); - if (opts.on_failure != null) opts.on_failure(evt); - return; - } - if (debug) console.warn("all_match success at " + i); - } - if (opts.on_success != null) opts.on_success(evt); - }; - } - - function msgid_select(mapping) { - return function (evt) { - var msgid = evt.Get(FIELDS_PREFIX + "messageid"); - if (msgid == null) { - if (debug) console.warn("msgid_select: no messageid captured!"); - return; - } - var next = mapping[msgid]; - if (next === undefined) { - if (debug) console.warn("msgid_select: no mapping for messageid:" + msgid); - return; - } - if (debug) console.info("msgid_select: matched key=" + msgid); - return next(evt); - }; - } - - function msg(msg_id, match) { - return function (evt) { - match(evt); - if (evt.Get(FLAG_FIELD) == null) { - evt.Put(FIELDS_PREFIX + "msg_id1", msg_id); - } - }; - } - - var start; - - function save_flags(evt) { - saved_flags = evt.Get(FLAG_FIELD); - evt.Put("event.original", evt.Get("message")); - } - - function restore_flags(evt) { - if (saved_flags !== null) { - evt.Put(FLAG_FIELD, saved_flags); - } - evt.Delete("message"); - } - - function constant(value) { - return function (evt) { - return value; - }; - } - - function field(name) { - var fullname = FIELDS_PREFIX + name; - return function (evt) { - return evt.Get(fullname); - }; - } - - function STRCAT(args) { - var s = ""; - var i; - for (i = 0; i < args.length; i++) { - s += args[i]; - } - return s; - } - - // TODO: Implement - function DIRCHK(args) { - unimplemented("DIRCHK"); - } - - function strictToInt(str) { - return str * 1; - } - - function CALC(args) { - if (args.length !== 3) { - console.warn("skipped call to CALC with " + args.length + " arguments."); - return; - } - var a = strictToInt(args[0]); - var b = strictToInt(args[2]); - if (isNaN(a) || isNaN(b)) { - console.warn("failed evaluating CALC arguments a='" + args[0] + "' b='" + args[2] + "'."); - return; - } - 
var result; - switch (args[1]) { - case "+": - result = a + b; - break; - case "-": - result = a - b; - break; - case "*": - result = a * b; - break; - default: - // Only * and + seen in the parsers. - console.warn("unknown CALC operation '" + args[1] + "'."); - return; - } - // Always return a string - return result !== undefined ? "" + result : result; - } - - var quoteChars = "\"'`"; - function RMQ(args) { - if(args.length !== 1) { - console.warn("RMQ: only one argument expected"); - return; - } - var value = args[0].trim(); - var n = value.length; - var char; - return n > 1 - && (char=value.charAt(0)) === value.charAt(n-1) - && quoteChars.indexOf(char) !== -1? - value.substr(1, n-2) - : value; - } - - function call(opts) { - var args = new Array(opts.args.length); - return function (evt) { - for (var i = 0; i < opts.args.length; i++) - if ((args[i] = opts.args[i](evt)) == null) return; - var result = opts.fn(args); - if (result != null) { - evt.Put(opts.dest, result); - } - }; - } - - function nop(evt) { - } - - function appendErrorMsg(evt, msg) { - var value = evt.Get("error.message"); - if (value == null) { - value = [msg]; - } else if (msg instanceof Array) { - value.push(msg); - } else { - value = [value, msg]; - } - evt.Put("error.message", value); - } - - function unimplemented(name) { - appendErrorMsg("unimplemented feature: " + name); - } - - function lookup(opts) { - return function (evt) { - var key = opts.key(evt); - if (key == null) return; - var value = opts.map.keyvaluepairs[key]; - if (value === undefined) { - value = opts.map.default; - } - if (value !== undefined) { - evt.Put(opts.dest, value(evt)); - } - }; - } - - function set(fields) { - return new processor.AddFields({ - target: FIELDS_OBJECT, - fields: fields, - }); - } - - function setf(dst, src) { - return function (evt) { - var val = evt.Get(FIELDS_PREFIX + src); - if (val != null) evt.Put(FIELDS_PREFIX + dst, val); - }; - } - - function setc(dst, value) { - return function (evt) { - 
evt.Put(FIELDS_PREFIX + dst, value); - }; - } - - function set_field(opts) { - return function (evt) { - var val = opts.value(evt); - if (val != null) evt.Put(opts.dest, val); - }; - } - - function dump(label) { - return function (evt) { - console.log("Dump of event at " + label + ": " + JSON.stringify(evt, null, "\t")); - }; - } - - function date_time_join_args(evt, arglist) { - var str = ""; - for (var i = 0; i < arglist.length; i++) { - var fname = FIELDS_PREFIX + arglist[i]; - var val = evt.Get(fname); - if (val != null) { - if (str !== "") str += " "; - str += val; - } else { - if (debug) console.warn("in date_time: input arg " + fname + " is not set"); - } - } - return str; - } - - function to2Digit(num) { - return num? (num < 10? "0" + num : num) : "00"; - } - - // Make two-digit dates 00-69 interpreted as 2000-2069 - // and dates 70-99 translated to 1970-1999. - var twoDigitYearEpoch = 70; - var twoDigitYearCentury = 2000; - - // This is to accept dates up to 2 days in the future, only used when - // no year is specified in a date. 2 days should be enough to account for - // time differences between systems and different tz offsets. - var maxFutureDelta = 2*24*60*60*1000; - - // DateContainer stores date fields and then converts those fields into - // a Date. Necessary because building a Date using its set() methods gives - // different results depending on the order of components. - function DateContainer(tzOffset) { - this.offset = tzOffset === undefined? "Z" : tzOffset; - } - - DateContainer.prototype = { - setYear: function(v) {this.year = v;}, - setMonth: function(v) {this.month = v;}, - setDay: function(v) {this.day = v;}, - setHours: function(v) {this.hours = v;}, - setMinutes: function(v) {this.minutes = v;}, - setSeconds: function(v) {this.seconds = v;}, - - setUNIX: function(v) {this.unix = v;}, - - set2DigitYear: function(v) { - this.year = v < twoDigitYearEpoch? 
twoDigitYearCentury + v : twoDigitYearCentury + v - 100; - }, - - toDate: function() { - if (this.unix !== undefined) { - return new Date(this.unix * 1000); - } - if (this.day === undefined || this.month === undefined) { - // Can't make a date from this. - return undefined; - } - if (this.year === undefined) { - // A date without a year. Set current year, or previous year - // if date would be in the future. - var now = new Date(); - this.year = now.getFullYear(); - var date = this.toDate(); - if (date.getTime() - now.getTime() > maxFutureDelta) { - date.setFullYear(now.getFullYear() - 1); - } - return date; - } - var MM = to2Digit(this.month); - var DD = to2Digit(this.day); - var hh = to2Digit(this.hours); - var mm = to2Digit(this.minutes); - var ss = to2Digit(this.seconds); - return new Date(this.year + "-" + MM + "-" + DD + "T" + hh + ":" + mm + ":" + ss + this.offset); - } - } - - function date_time_try_pattern(fmt, str, tzOffset) { - var date = new DateContainer(tzOffset); - var pos = date_time_try_pattern_at_pos(fmt, str, 0, date); - return pos !== undefined? 
date.toDate() : undefined; - } - - function date_time_try_pattern_at_pos(fmt, str, pos, date) { - var len = str.length; - for (var proc = 0; pos !== undefined && pos < len && proc < fmt.length; proc++) { - pos = fmt[proc](str, pos, date); - } - return pos; - } - - function date_time(opts) { - return function (evt) { - var tzOffset = opts.tz || tz_offset; - if (tzOffset === "event") { - tzOffset = evt.Get("event.timezone"); - } - var str = date_time_join_args(evt, opts.args); - for (var i = 0; i < opts.fmts.length; i++) { - var date = date_time_try_pattern(opts.fmts[i], str, tzOffset); - if (date !== undefined) { - evt.Put(FIELDS_PREFIX + opts.dest, date); - return; - } - } - if (debug) console.warn("in date_time: id=" + opts.id + " FAILED: " + str); - }; - } - - var uA = 60 * 60 * 24; - var uD = 60 * 60 * 24; - var uF = 60 * 60; - var uG = 60 * 60 * 24 * 30; - var uH = 60 * 60; - var uI = 60 * 60; - var uJ = 60 * 60 * 24; - var uM = 60 * 60 * 24 * 30; - var uN = 60 * 60; - var uO = 1; - var uS = 1; - var uT = 60; - var uU = 60; - var uc = dc; - - function duration(opts) { - return function(evt) { - var str = date_time_join_args(evt, opts.args); - for (var i = 0; i < opts.fmts.length; i++) { - var seconds = duration_try_pattern(opts.fmts[i], str); - if (seconds !== undefined) { - evt.Put(FIELDS_PREFIX + opts.dest, seconds); - return; - } - } - if (debug) console.warn("in duration: id=" + opts.id + " (s) FAILED: " + str); - }; - } - - function duration_try_pattern(fmt, str) { - var secs = 0; - var pos = 0; - for (var i=0; i [ month_id , how many chars to skip if month in long form ] - "Jan": [0, 4], - "Feb": [1, 5], - "Mar": [2, 2], - "Apr": [3, 2], - "May": [4, 0], - "Jun": [5, 1], - "Jul": [6, 1], - "Aug": [7, 3], - "Sep": [8, 6], - "Oct": [9, 4], - "Nov": [10, 5], - "Dec": [11, 4], - "jan": [0, 4], - "feb": [1, 5], - "mar": [2, 2], - "apr": [3, 2], - "may": [4, 0], - "jun": [5, 1], - "jul": [6, 1], - "aug": [7, 3], - "sep": [8, 6], - "oct": [9, 4], - "nov": [10, 
5], - "dec": [11, 4], - }; - - // var dC = undefined; - var dR = dateMonthName(true); - var dB = dateMonthName(false); - var dM = dateFixedWidthNumber("M", 2, 1, 12, DateContainer.prototype.setMonth); - var dG = dateVariableWidthNumber("G", 1, 12, DateContainer.prototype.setMonth); - var dD = dateFixedWidthNumber("D", 2, 1, 31, DateContainer.prototype.setDay); - var dF = dateVariableWidthNumber("F", 1, 31, DateContainer.prototype.setDay); - var dH = dateFixedWidthNumber("H", 2, 0, 24, DateContainer.prototype.setHours); - var dI = dateVariableWidthNumber("I", 0, 24, DateContainer.prototype.setHours); // Accept hours >12 - var dN = dateVariableWidthNumber("N", 0, 24, DateContainer.prototype.setHours); - var dT = dateFixedWidthNumber("T", 2, 0, 59, DateContainer.prototype.setMinutes); - var dU = dateVariableWidthNumber("U", 0, 59, DateContainer.prototype.setMinutes); - var dP = parseAMPM; // AM|PM - var dQ = parseAMPM; // A.M.|P.M - var dS = dateFixedWidthNumber("S", 2, 0, 60, DateContainer.prototype.setSeconds); - var dO = dateVariableWidthNumber("O", 0, 60, DateContainer.prototype.setSeconds); - var dY = dateFixedWidthNumber("Y", 2, 0, 99, DateContainer.prototype.set2DigitYear); - var dW = dateFixedWidthNumber("W", 4, 1000, 9999, DateContainer.prototype.setYear); - var dZ = parseHMS; - var dX = dateVariableWidthNumber("X", 0, 0x10000000000, DateContainer.prototype.setUNIX); - - // parseAMPM parses "A.M", "AM", "P.M", "PM" from logs. - // Only works if this modifier appears after the hour has been read from logs - // which is always the case in the 300 devices. 
- function parseAMPM(str, pos, date) { - var n = str.length; - var start = skipws(str, pos); - if (start + 2 > n) return; - var head = str.substr(start, 2).toUpperCase(); - var isPM = false; - var skip = false; - switch (head) { - case "A.": - skip = true; - /* falls through */ - case "AM": - break; - case "P.": - skip = true; - /* falls through */ - case "PM": - isPM = true; - break; - default: - if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(head:" + head + ")"); - return; - } - pos = start + 2; - if (skip) { - if (pos+2 > n || str.substr(pos, 2).toUpperCase() !== "M.") { - if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(tail)"); - return; - } - pos += 2; - } - var hh = date.hours; - if (isPM) { - // Accept existing hour in 24h format. - if (hh < 12) hh += 12; - } else { - if (hh === 12) hh = 0; - } - date.setHours(hh); - return pos; - } - - function parseHMS(str, pos, date) { - return date_time_try_pattern_at_pos([dN, dc(":"), dU, dc(":"), dO], str, pos, date); - } - - function skipws(str, pos) { - for ( var n = str.length; - pos < n && str.charAt(pos) === " "; - pos++) - ; - return pos; - } - - function skipdigits(str, pos) { - var c; - for (var n = str.length; - pos < n && (c = str.charAt(pos)) >= "0" && c <= "9"; - pos++) - ; - return pos; - } - - function dSkip(str, pos, date) { - var chr; - for (;pos < str.length && (chr=str[pos])<'0' || chr>'9'; pos++) {} - return pos < str.length? 
pos : undefined; - } - - function dateVariableWidthNumber(fmtChar, min, max, setter) { - return function (str, pos, date) { - var start = skipws(str, pos); - pos = skipdigits(str, start); - var s = str.substr(start, pos - start); - var value = parseInt(s, 10); - if (value >= min && value <= max) { - setter.call(date, value); - return pos; - } - return; - }; - } - - function dateFixedWidthNumber(fmtChar, width, min, max, setter) { - return function (str, pos, date) { - pos = skipws(str, pos); - var n = str.length; - if (pos + width > n) return; - var s = str.substr(pos, width); - var value = parseInt(s, 10); - if (value >= min && value <= max) { - setter.call(date, value); - return pos + width; - } - return; - }; - } - - // Short month name (Jan..Dec). - function dateMonthName(long) { - return function (str, pos, date) { - pos = skipws(str, pos); - var n = str.length; - if (pos + 3 > n) return; - var mon = str.substr(pos, 3); - var idx = shortMonths[mon]; - if (idx === undefined) { - idx = shortMonths[mon.toLowerCase()]; - } - if (idx === undefined) { - //console.warn("parsing date_time: '" + mon + "' is not a valid short month (%B)"); - return; - } - date.setMonth(idx[0]+1); - return pos + 3 + (long ? 
idx[1] : 0); - }; - } - - function url_wrapper(dst, src, fn) { - return function(evt) { - var value = evt.Get(FIELDS_PREFIX + src), result; - if (value != null && (result = fn(value))!== undefined) { - evt.Put(FIELDS_PREFIX + dst, result); - } else { - console.debug(fn.name + " failed for '" + value + "'"); - } - }; - } - - // The following regular expression for parsing URLs from: - // https://github.com/wizard04wsu/URI_Parsing - // - // The MIT License (MIT) - // - // Copyright (c) 2014 Andrew Harrison - // - // Permission is hereby granted, free of charge, to any person obtaining a copy of - // this software and associated documentation files (the "Software"), to deal in - // the Software without restriction, including without limitation the rights to - // use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of - // the Software, and to permit persons to whom the Software is furnished to do so, - // subject to the following conditions: - // - // The above copyright notice and this permission notice shall be included in all - // copies or substantial portions of the Software. - // - // THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR - // IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS - // FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR - // COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER - // IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN - // CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 
- var uriRegExp = /^([a-z][a-z0-9+.\-]*):(?:\/\/((?:(?=((?:[a-z0-9\-._~!$&'()*+,;=:]|%[0-9A-F]{2})*))(\3)@)?(?=(\[[0-9A-F:.]{2,}\]|(?:[a-z0-9\-._~!$&'()*+,;=]|%[0-9A-F]{2})*))\5(?::(?=(\d*))\6)?)(\/(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\8)?|(\/?(?!\/)(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\10)?)(?:\?(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\11)?(?:#(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\12)?$/i; - - var uriScheme = 1; - var uriDomain = 5; - var uriPort = 6; - var uriPath = 7; - var uriPathAlt = 9; - var uriQuery = 11; - - function domain(dst, src) { - return url_wrapper(dst, src, extract_domain); - } - - function split_url(value) { - var m = value.match(uriRegExp); - if (m && m[uriDomain]) return m; - // Support input in the form "www.example.net/path", but not "/path". - m = ("null://" + value).match(uriRegExp); - if (m) return m; - } - - function extract_domain(value) { - var m = split_url(value); - if (m && m[uriDomain]) return m[uriDomain]; - } - - var extFromPage = /\.[^.]+$/; - function extract_ext(value) { - var page = extract_page(value); - if (page) { - var m = page.match(extFromPage); - if (m) return m[0]; - } - } - - function ext(dst, src) { - return url_wrapper(dst, src, extract_ext); - } - - function fqdn(dst, src) { - // TODO: fqdn and domain(eTLD+1) are currently the same. - return domain(dst, src); - } - - var pageFromPathRegExp = /\/([^\/]+)$/; - var pageName = 1; - - function extract_page(value) { - value = extract_path(value); - if (!value) return undefined; - var m = value.match(pageFromPathRegExp); - if (m) return m[pageName]; - } - - function page(dst, src) { - return url_wrapper(dst, src, extract_page); - } - - function extract_path(value) { - var m = split_url(value); - return m? m[uriPath] || m[uriPathAlt] : undefined; - } - - function path(dst, src) { - return url_wrapper(dst, src, extract_path); - } - - // Map common schemes to their default port. 
- // port has to be a string (will be converted at a later stage).
- var schemePort = {
- "ftp": "21",
- "ssh": "22",
- "http": "80",
- "https": "443",
- };
-
- function extract_port(value) {
- var m = split_url(value);
- if (!m) return undefined;
- if (m[uriPort]) return m[uriPort];
- if (m[uriScheme]) {
- return schemePort[m[uriScheme]];
- }
- }
-
- function port(dst, src) {
- return url_wrapper(dst, src, extract_port);
- }
-
- function extract_query(value) {
- var m = split_url(value);
- if (m && m[uriQuery]) return m[uriQuery];
- }
-
- function query(dst, src) {
- return url_wrapper(dst, src, extract_query);
- }
-
- function extract_root(value) {
- var m = split_url(value);
- if (m && m[uriDomain] && m[uriDomain]) {
- var scheme = m[uriScheme] && m[uriScheme] !== "null"?
- m[uriScheme] + "://" : "";
- var port = m[uriPort]? ":" + m[uriPort] : "";
- return scheme + m[uriDomain] + port;
- }
- }
-
- function root(dst, src) {
- return url_wrapper(dst, src, extract_root);
- }
-
- function tagval(id, src, cfg, keys, on_success) {
- var fail = function(evt) {
- evt.Put(FLAG_FIELD, "tagval_parsing_error");
- }
- if (cfg.kv_separator.length !== 1) {
- throw("Invalid TAGVALMAP ValueDelimiter (must have 1 character)");
- }
- var quotes_len = cfg.open_quote.length > 0 && cfg.close_quote.length > 0?
- cfg.open_quote.length + cfg.close_quote.length : 0;
- var kv_regex = new RegExp('^([^' + cfg.kv_separator + ']*)*' + cfg.kv_separator + ' *(.*)*$');
- return function(evt) {
- var msg = evt.Get(src);
- if (msg === undefined) {
- console.warn("tagval: input field is missing");
- return fail(evt);
- }
- var pairs = msg.split(cfg.pair_separator);
- var i;
- var success = false;
- var prev = "";
- for (i=0; i 0 &&
- value.length >= cfg.open_quote.length + cfg.close_quote.length &&
- value.substr(0, cfg.open_quote.length) === cfg.open_quote &&
- value.substr(value.length - cfg.close_quote.length) === cfg.close_quote) {
- value = value.substr(cfg.open_quote.length, value.length - quotes_len);
- }
- evt.Put(FIELDS_PREFIX + field, value);
- success = true;
- }
- if (!success) {
- return fail(evt);
- }
- if (on_success != null) {
- on_success(evt);
- }
- }
- }
-
- var ecs_mappings = {
- "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]},
- "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]},
- "_severity": {convert: to_long, to:[{field: "log.syslog.severity.code", setter: fld_set}]},
- "action": {to:[{field: "event.action", setter: fld_prio, prio: 0}]},
- "administrator": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 4}]},
- "alias.ip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 3},{field: "related.ip", setter: fld_append}]},
- "alias.ipv6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 4},{field: "related.ip", setter: fld_append}]},
- "alias.mac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 1}]},
- "application": {to:[{field: "network.application", setter: fld_set}]},
- "bytes": {convert: to_long, to:[{field: "network.bytes", setter: fld_set}]},
- "c_domain": {to:[{field: "source.domain", setter: fld_prio, prio: 1}]},
- "c_logon_id": {to:[{field: "user.id", setter: fld_prio, prio: 2}]},
- "c_user_name": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 8}]},
- "c_username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 2}]},
- "cctld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 1}]},
- "child_pid": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 1}]},
- "child_pid_val": {to:[{field: "process.title", setter: fld_set}]},
- "child_process": {to:[{field: "process.name", setter: fld_prio, prio: 1}]},
- "city.dst": {to:[{field: "destination.geo.city_name", setter: fld_set}]},
- "city.src": {to:[{field: "source.geo.city_name", setter: fld_set}]},
- "daddr": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]},
- "daddr_v6": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]},
- "ddomain": {to:[{field: "destination.domain", setter: fld_prio, prio: 0}]},
- "devicehostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]},
- "devicehostmac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 0}]},
- "dhost": {to:[{field: "destination.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]},
- "dinterface": {to:[{field: "observer.egress.interface.name", setter: fld_set}]},
- "direction": {to:[{field: "network.direction", setter: fld_set}]},
- "directory": {to:[{field: "file.directory", setter: fld_set}]},
- "dmacaddr": {convert: to_mac, to:[{field: "destination.mac", setter: fld_set}]},
- "dns.responsetype": {to:[{field: "dns.answers.type", setter: fld_set}]},
- "dns.resptext": {to:[{field: "dns.answers.name", setter: fld_set}]},
- "dns_querytype": {to:[{field: "dns.question.type", setter: fld_set}]},
- "domain": {to:[{field: "server.domain", setter: fld_prio, prio: 0},{field: "related.hosts", setter: fld_append}]},
- "domain.dst": {to:[{field: "destination.domain", setter: fld_prio, prio: 1}]},
- "domain.src": {to:[{field: "source.domain", setter: fld_prio, prio: 2}]},
- "domain_id": {to:[{field: "user.domain", setter: fld_set}]},
- "domainname": {to:[{field: "server.domain", setter: fld_prio, prio: 1}]},
- "dport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 0}]},
- "dtransaddr": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]},
- "dtransport": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 0}]},
- "ec_outcome": {to:[{field: "event.outcome", setter: fld_ecs_outcome}]},
- "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]},
- "event_source": {to:[{field: "related.hosts", setter: fld_append}]},
- "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]},
- "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]},
- "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]},
- "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]},
- "filename": {to:[{field: "file.name", setter: fld_prio, prio: 0}]},
- "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]},
- "filepath": {to:[{field: "file.path", setter: fld_set}]},
- "filetype": {to:[{field: "file.type", setter: fld_set}]},
- "fqdn": {to:[{field: "related.hosts", setter: fld_append}]},
- "group": {to:[{field: "group.name", setter: fld_set}]},
- "groupid": {to:[{field: "group.id", setter: fld_set}]},
- "host": {to:[{field: "host.name", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]},
- "hostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]},
- "hostip_v6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]},
- "hostname": {to:[{field: "host.name", setter: fld_prio, prio: 0}]},
- "id": {to:[{field: "event.code", setter: fld_prio, prio: 0}]},
- "interface": {to:[{field: "network.interface.name", setter: fld_set}]},
- "ip.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]},
- "ip.trans.dst": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]},
- "ip.trans.src": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]},
- "ipv6.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]},
- "latdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lat", setter: fld_set}]},
- "latdec_src": {convert: to_double, to:[{field: "source.geo.location.lat", setter: fld_set}]},
- "location_city": {to:[{field: "geo.city_name", setter: fld_set}]},
- "location_country": {to:[{field: "geo.country_name", setter: fld_set}]},
- "location_desc": {to:[{field: "geo.name", setter: fld_set}]},
- "location_dst": {to:[{field: "destination.geo.country_name", setter: fld_set}]},
- "location_src": {to:[{field: "source.geo.country_name", setter: fld_set}]},
- "location_state": {to:[{field: "geo.region_name", setter: fld_set}]},
- "logon_id": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 5}]},
- "longdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lon", setter: fld_set}]},
- "longdec_src": {convert: to_double, to:[{field: "source.geo.location.lon", setter: fld_set}]},
- "macaddr": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 2}]},
- "messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]},
- "method": {to:[{field: "http.request.method", setter: fld_set}]},
- "msg": {to:[{field: "message", setter: fld_set}]},
- "orig_ip": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]},
- "owner": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 6}]},
- "packets": {convert: to_long, to:[{field: "network.packets", setter: fld_set}]},
- "parent_pid": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 0}]},
- "parent_pid_val": {to:[{field: "process.parent.title", setter: fld_set}]},
- "parent_process": {to:[{field: "process.parent.name", setter: fld_prio, prio: 0}]},
- "patient_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 1}]},
- "port.dst": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 1}]},
- "port.src": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 1}]},
- "port.trans.dst": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 1}]},
- "port.trans.src": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 1}]},
- "process": {to:[{field: "process.name", setter: fld_prio, prio: 0}]},
- "process_id": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 0}]},
- "process_id_src": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 1}]},
- "process_src": {to:[{field: "process.parent.name", setter: fld_prio, prio: 1}]},
- "product": {to:[{field: "observer.product", setter: fld_set}]},
- "protocol": {to:[{field: "network.protocol", setter: fld_set}]},
- "query": {to:[{field: "url.query", setter: fld_prio, prio: 2}]},
- "rbytes": {convert: to_long, to:[{field: "destination.bytes", setter: fld_set}]},
- "referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 1}]},
- "rulename": {to:[{field: "rule.name", setter: fld_set}]},
- "saddr": {convert: to_ip, to:[{field: "source.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]},
- "saddr_v6": {convert: to_ip, to:[{field: "source.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]},
- "sbytes": {convert: to_long, to:[{field: "source.bytes", setter: fld_set}]},
- "sdomain": {to:[{field: "source.domain", setter: fld_prio, prio: 0}]},
- "service": {to:[{field: "service.name", setter: fld_prio, prio: 1}]},
- "service.name": {to:[{field: "service.name", setter: fld_prio, prio: 0}]},
- "service_account": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 7}]},
- "severity": {to:[{field: "log.level", setter: fld_set}]},
- "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]},
- "sinterface": {to:[{field: "observer.ingress.interface.name", setter: fld_set}]},
- "sld": {to:[{field: "url.registered_domain", setter: fld_set}]},
- "smacaddr": {convert: to_mac, to:[{field: "source.mac", setter: fld_set}]},
- "sport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 0}]},
- "stransaddr": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]},
- "stransport": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 0}]},
- "tcp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 2}]},
- "tcp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 2}]},
- "timezone": {to:[{field: "event.timezone", setter: fld_set}]},
- "tld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 0}]},
- "udp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 3}]},
- "udp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 3}]},
- "uid": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 3}]},
- "url": {to:[{field: "url.original", setter: fld_prio, prio: 1}]},
- "url_raw": {to:[{field: "url.original", setter: fld_prio, prio: 0}]},
- "urldomain": {to:[{field: "url.domain", setter: fld_prio, prio: 0}]},
- "urlquery": {to:[{field: "url.query", setter: fld_prio, prio: 0}]},
- "user": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 0}]},
- "user.id": {to:[{field: "user.id", setter: fld_prio, prio: 1}]},
- "user_agent": {to:[{field: "user_agent.original", setter: fld_set}]},
- "user_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 0}]},
- "user_id": {to:[{field: "user.id", setter: fld_prio, prio: 0}]},
- "username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 1}]},
- "version": {to:[{field: "observer.version", setter: fld_set}]},
- "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]},
- "web_extension": {to:[{field: "file.extension", setter: fld_prio, prio: 0}]},
- "web_query": {to:[{field: "url.query", setter: fld_prio, prio: 1}]},
- "web_ref_domain": {to:[{field: "related.hosts", setter: fld_append}]},
- "web_referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 0}]},
- "web_root": {to:[{field: "url.path", setter: fld_set}]},
- "webpage": {to:[{field: "file.name", setter: fld_prio, prio: 1}]},
- };
-
- var rsa_mappings = {
- "access_point": {to:[{field: "rsa.wireless.access_point", setter: fld_set}]},
- "accesses": {to:[{field: "rsa.identity.accesses", setter: fld_set}]},
- "acl_id": {to:[{field: "rsa.misc.acl_id", setter: fld_set}]},
- "acl_op": {to:[{field: "rsa.misc.acl_op", setter: fld_set}]},
- "acl_pos": {to:[{field: "rsa.misc.acl_pos", setter: fld_set}]},
- "acl_table": {to:[{field: "rsa.misc.acl_table", setter: fld_set}]},
- "action": {to:[{field: "rsa.misc.action", setter: fld_append}]},
- "ad_computer_dst": {to:[{field: "rsa.network.ad_computer_dst", setter: fld_set}]},
- "addr": {to:[{field: "rsa.network.addr", setter: fld_set}]},
- "admin": {to:[{field: "rsa.misc.admin", setter: fld_set}]},
- "agent": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 0}]},
- "agent.id": {to:[{field: "rsa.misc.agent_id", setter: fld_set}]},
- "alarm_id": {to:[{field: "rsa.misc.alarm_id", setter: fld_set}]},
- "alarmname": {to:[{field: "rsa.misc.alarmname", setter: fld_set}]},
- "alert": {to:[{field: "rsa.threat.alert", setter: fld_set}]},
- "alert_id": {to:[{field: "rsa.misc.alert_id", setter: fld_set}]},
- "alias.host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
- "analysis.file": {to:[{field: "rsa.investigations.analysis_file", setter: fld_set}]},
- "analysis.service": {to:[{field: "rsa.investigations.analysis_service", setter: fld_set}]},
- "analysis.session": {to:[{field: "rsa.investigations.analysis_session", setter: fld_set}]},
- "app_id": {to:[{field: "rsa.misc.app_id", setter: fld_set}]},
- "attachment": {to:[{field: "rsa.file.attachment", setter: fld_set}]},
- "audit": {to:[{field: "rsa.misc.audit", setter: fld_set}]},
- "audit_class": {to:[{field: "rsa.internal.audit_class", setter: fld_set}]},
- "audit_object": {to:[{field: "rsa.misc.audit_object", setter: fld_set}]},
- "auditdata": {to:[{field: "rsa.misc.auditdata", setter: fld_set}]},
- "authmethod": {to:[{field: "rsa.identity.auth_method", setter: fld_set}]},
- "autorun_type": {to:[{field: "rsa.misc.autorun_type", setter: fld_set}]},
- "bcc": {to:[{field: "rsa.email.email", setter: fld_append}]},
- "benchmark": {to:[{field: "rsa.misc.benchmark", setter: fld_set}]},
- "binary": {to:[{field: "rsa.file.binary", setter: fld_set}]},
- "boc": {to:[{field: "rsa.investigations.boc", setter: fld_set}]},
- "bssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 1}]},
- "bypass": {to:[{field: "rsa.misc.bypass", setter: fld_set}]},
- "c_sid": {to:[{field: "rsa.identity.user_sid_src", setter: fld_set}]},
- "cache": {to:[{field: "rsa.misc.cache", setter: fld_set}]},
- "cache_hit": {to:[{field: "rsa.misc.cache_hit", setter: fld_set}]},
- "calling_from": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 1}]},
- "calling_to": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 0}]},
- "category": {to:[{field: "rsa.misc.category", setter: fld_set}]},
- "cc": {to:[{field: "rsa.email.email", setter: fld_append}]},
- "cc.number": {convert: to_long, to:[{field: "rsa.misc.cc_number", setter: fld_set}]},
- "cefversion": {to:[{field: "rsa.misc.cefversion", setter: fld_set}]},
- "cert.serial": {to:[{field: "rsa.crypto.cert_serial", setter: fld_set}]},
- "cert_ca": {to:[{field: "rsa.crypto.cert_ca", setter: fld_set}]},
- "cert_checksum": {to:[{field: "rsa.crypto.cert_checksum", setter: fld_set}]},
- "cert_common": {to:[{field: "rsa.crypto.cert_common", setter: fld_set}]},
- "cert_error": {to:[{field: "rsa.crypto.cert_error", setter: fld_set}]},
- "cert_hostname": {to:[{field: "rsa.crypto.cert_host_name", setter: fld_set}]},
- "cert_hostname_cat": {to:[{field: "rsa.crypto.cert_host_cat", setter: fld_set}]},
- "cert_issuer": {to:[{field: "rsa.crypto.cert_issuer", setter: fld_set}]},
- "cert_keysize": {to:[{field: "rsa.crypto.cert_keysize", setter: fld_set}]},
- "cert_status": {to:[{field: "rsa.crypto.cert_status", setter: fld_set}]},
- "cert_subject": {to:[{field: "rsa.crypto.cert_subject", setter: fld_set}]},
- "cert_username": {to:[{field: "rsa.crypto.cert_username", setter: fld_set}]},
- "cfg.attr": {to:[{field: "rsa.misc.cfg_attr", setter: fld_set}]},
- "cfg.obj": {to:[{field: "rsa.misc.cfg_obj", setter: fld_set}]},
- "cfg.path": {to:[{field: "rsa.misc.cfg_path", setter: fld_set}]},
- "change_attribute": {to:[{field: "rsa.misc.change_attrib", setter: fld_set}]},
- "change_new": {to:[{field: "rsa.misc.change_new", setter: fld_set}]},
- "change_old": {to:[{field: "rsa.misc.change_old", setter: fld_set}]},
- "changes": {to:[{field: "rsa.misc.changes", setter: fld_set}]},
- "checksum": {to:[{field: "rsa.misc.checksum", setter: fld_set}]},
- "checksum.dst": {to:[{field: "rsa.misc.checksum_dst", setter: fld_set}]},
- "checksum.src": {to:[{field: "rsa.misc.checksum_src", setter: fld_set}]},
- "cid": {to:[{field: "rsa.internal.cid", setter: fld_set}]},
- "client": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 1}]},
- "client_ip": {to:[{field: "rsa.misc.client_ip", setter: fld_set}]},
- "clustermembers": {to:[{field: "rsa.misc.clustermembers", setter: fld_set}]},
- "cmd": {to:[{field: "rsa.misc.cmd", setter: fld_set}]},
- "cn_acttimeout": {to:[{field: "rsa.misc.cn_acttimeout", setter: fld_set}]},
- "cn_asn_dst": {to:[{field: "rsa.web.cn_asn_dst", setter: fld_set}]},
- "cn_asn_src": {to:[{field: "rsa.misc.cn_asn_src", setter: fld_set}]},
- "cn_bgpv4nxthop": {to:[{field: "rsa.misc.cn_bgpv4nxthop", setter: fld_set}]},
- "cn_ctr_dst_code": {to:[{field: "rsa.misc.cn_ctr_dst_code", setter: fld_set}]},
- "cn_dst_tos": {to:[{field: "rsa.misc.cn_dst_tos", setter: fld_set}]},
- "cn_dst_vlan": {to:[{field: "rsa.misc.cn_dst_vlan", setter: fld_set}]},
- "cn_engine_id": {to:[{field: "rsa.misc.cn_engine_id", setter: fld_set}]},
- "cn_engine_type": {to:[{field: "rsa.misc.cn_engine_type", setter: fld_set}]},
- "cn_f_switch": {to:[{field: "rsa.misc.cn_f_switch", setter: fld_set}]},
- "cn_flowsampid": {to:[{field: "rsa.misc.cn_flowsampid", setter: fld_set}]},
- "cn_flowsampintv": {to:[{field: "rsa.misc.cn_flowsampintv", setter: fld_set}]},
- "cn_flowsampmode": {to:[{field: "rsa.misc.cn_flowsampmode", setter: fld_set}]},
- "cn_inacttimeout": {to:[{field: "rsa.misc.cn_inacttimeout", setter: fld_set}]},
- "cn_inpermbyts": {to:[{field: "rsa.misc.cn_inpermbyts", setter: fld_set}]},
- "cn_inpermpckts": {to:[{field: "rsa.misc.cn_inpermpckts", setter: fld_set}]},
- "cn_invalid": {to:[{field: "rsa.misc.cn_invalid", setter: fld_set}]},
- "cn_ip_proto_ver": {to:[{field: "rsa.misc.cn_ip_proto_ver", setter: fld_set}]},
- "cn_ipv4_ident": {to:[{field: "rsa.misc.cn_ipv4_ident", setter: fld_set}]},
- "cn_l_switch": {to:[{field: "rsa.misc.cn_l_switch", setter: fld_set}]},
- "cn_log_did": {to:[{field: "rsa.misc.cn_log_did", setter: fld_set}]},
- "cn_log_rid": {to:[{field: "rsa.misc.cn_log_rid", setter: fld_set}]},
- "cn_max_ttl": {to:[{field: "rsa.misc.cn_max_ttl", setter: fld_set}]},
- "cn_maxpcktlen": {to:[{field: "rsa.misc.cn_maxpcktlen", setter: fld_set}]},
- "cn_min_ttl": {to:[{field: "rsa.misc.cn_min_ttl", setter: fld_set}]},
- "cn_minpcktlen": {to:[{field: "rsa.misc.cn_minpcktlen", setter: fld_set}]},
- "cn_mpls_lbl_1": {to:[{field: "rsa.misc.cn_mpls_lbl_1", setter: fld_set}]},
- "cn_mpls_lbl_10": {to:[{field: "rsa.misc.cn_mpls_lbl_10", setter: fld_set}]},
- "cn_mpls_lbl_2": {to:[{field: "rsa.misc.cn_mpls_lbl_2", setter: fld_set}]},
- "cn_mpls_lbl_3": {to:[{field: "rsa.misc.cn_mpls_lbl_3", setter: fld_set}]},
- "cn_mpls_lbl_4": {to:[{field: "rsa.misc.cn_mpls_lbl_4", setter: fld_set}]},
- "cn_mpls_lbl_5": {to:[{field: "rsa.misc.cn_mpls_lbl_5", setter: fld_set}]},
- "cn_mpls_lbl_6": {to:[{field: "rsa.misc.cn_mpls_lbl_6", setter: fld_set}]},
- "cn_mpls_lbl_7": {to:[{field: "rsa.misc.cn_mpls_lbl_7", setter: fld_set}]},
- "cn_mpls_lbl_8": {to:[{field: "rsa.misc.cn_mpls_lbl_8", setter: fld_set}]},
- "cn_mpls_lbl_9": {to:[{field: "rsa.misc.cn_mpls_lbl_9", setter: fld_set}]},
- "cn_mplstoplabel": {to:[{field: "rsa.misc.cn_mplstoplabel", setter: fld_set}]},
- "cn_mplstoplabip": {to:[{field: "rsa.misc.cn_mplstoplabip", setter: fld_set}]},
- "cn_mul_dst_byt": {to:[{field: "rsa.misc.cn_mul_dst_byt", setter: fld_set}]},
- "cn_mul_dst_pks": {to:[{field: "rsa.misc.cn_mul_dst_pks", setter: fld_set}]},
- "cn_muligmptype": {to:[{field: "rsa.misc.cn_muligmptype", setter: fld_set}]},
- "cn_rpackets": {to:[{field: "rsa.web.cn_rpackets", setter: fld_set}]},
- "cn_sampalgo": {to:[{field: "rsa.misc.cn_sampalgo", setter: fld_set}]},
- "cn_sampint": {to:[{field: "rsa.misc.cn_sampint", setter: fld_set}]},
- "cn_seqctr": {to:[{field: "rsa.misc.cn_seqctr", setter: fld_set}]},
- "cn_spackets": {to:[{field: "rsa.misc.cn_spackets", setter: fld_set}]},
- "cn_src_tos": {to:[{field: "rsa.misc.cn_src_tos", setter: fld_set}]},
- "cn_src_vlan": {to:[{field: "rsa.misc.cn_src_vlan", setter: fld_set}]},
- "cn_sysuptime": {to:[{field: "rsa.misc.cn_sysuptime", setter: fld_set}]},
- "cn_template_id": {to:[{field: "rsa.misc.cn_template_id", setter: fld_set}]},
- "cn_totbytsexp": {to:[{field: "rsa.misc.cn_totbytsexp", setter: fld_set}]},
- "cn_totflowexp": {to:[{field: "rsa.misc.cn_totflowexp", setter: fld_set}]},
- "cn_totpcktsexp": {to:[{field: "rsa.misc.cn_totpcktsexp", setter: fld_set}]},
- "cn_unixnanosecs": {to:[{field: "rsa.misc.cn_unixnanosecs", setter: fld_set}]},
- "cn_v6flowlabel": {to:[{field: "rsa.misc.cn_v6flowlabel", setter: fld_set}]},
- "cn_v6optheaders": {to:[{field: "rsa.misc.cn_v6optheaders", setter: fld_set}]},
- "code": {to:[{field: "rsa.misc.code", setter: fld_set}]},
- "command": {to:[{field: "rsa.misc.command", setter: fld_set}]},
- "comments": {to:[{field: "rsa.misc.comments", setter: fld_set}]},
- "comp_class": {to:[{field: "rsa.misc.comp_class", setter: fld_set}]},
- "comp_name": {to:[{field: "rsa.misc.comp_name", setter: fld_set}]},
- "comp_rbytes": {to:[{field: "rsa.misc.comp_rbytes", setter: fld_set}]},
- "comp_sbytes": {to:[{field: "rsa.misc.comp_sbytes", setter: fld_set}]},
- "component_version": {to:[{field: "rsa.misc.comp_version", setter: fld_set}]},
- "connection_id": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 1}]},
- "connectionid": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 0}]},
- "content": {to:[{field: "rsa.misc.content", setter: fld_set}]},
- "content_type": {to:[{field: "rsa.misc.content_type", setter: fld_set}]},
- "content_version": {to:[{field: "rsa.misc.content_version", setter: fld_set}]},
- "context": {to:[{field: "rsa.misc.context", setter: fld_set}]},
- "count": {to:[{field: "rsa.misc.count", setter: fld_set}]},
- "cpu": {convert: to_long, to:[{field: "rsa.misc.cpu", setter: fld_set}]},
- "cpu_data": {to:[{field: "rsa.misc.cpu_data", setter: fld_set}]},
- "criticality": {to:[{field: "rsa.misc.criticality", setter: fld_set}]},
- "cs_agency_dst": {to:[{field: "rsa.misc.cs_agency_dst", setter: fld_set}]},
- "cs_analyzedby": {to:[{field: "rsa.misc.cs_analyzedby", setter: fld_set}]},
- "cs_av_other": {to:[{field: "rsa.misc.cs_av_other", setter: fld_set}]},
- "cs_av_primary": {to:[{field: "rsa.misc.cs_av_primary", setter: fld_set}]},
- "cs_av_secondary": {to:[{field: "rsa.misc.cs_av_secondary", setter: fld_set}]},
- "cs_bgpv6nxthop": {to:[{field: "rsa.misc.cs_bgpv6nxthop", setter: fld_set}]},
- "cs_bit9status": {to:[{field: "rsa.misc.cs_bit9status", setter: fld_set}]},
- "cs_context": {to:[{field: "rsa.misc.cs_context", setter: fld_set}]},
- "cs_control": {to:[{field: "rsa.misc.cs_control", setter: fld_set}]},
- "cs_data": {to:[{field: "rsa.misc.cs_data", setter: fld_set}]},
- "cs_datecret": {to:[{field: "rsa.misc.cs_datecret", setter: fld_set}]},
- "cs_dst_tld": {to:[{field: "rsa.misc.cs_dst_tld", setter: fld_set}]},
- "cs_eth_dst_ven": {to:[{field: "rsa.misc.cs_eth_dst_ven", setter: fld_set}]},
- "cs_eth_src_ven": {to:[{field: "rsa.misc.cs_eth_src_ven", setter: fld_set}]},
- "cs_event_uuid": {to:[{field: "rsa.misc.cs_event_uuid", setter: fld_set}]},
- "cs_filetype": {to:[{field: "rsa.misc.cs_filetype", setter: fld_set}]},
- "cs_fld": {to:[{field: "rsa.misc.cs_fld", setter: fld_set}]},
- "cs_if_desc": {to:[{field: "rsa.misc.cs_if_desc", setter: fld_set}]},
- "cs_if_name": {to:[{field: "rsa.misc.cs_if_name", setter: fld_set}]},
- "cs_ip_next_hop": {to:[{field: "rsa.misc.cs_ip_next_hop", setter: fld_set}]},
- "cs_ipv4dstpre": {to:[{field: "rsa.misc.cs_ipv4dstpre", setter: fld_set}]},
- "cs_ipv4srcpre": {to:[{field: "rsa.misc.cs_ipv4srcpre", setter: fld_set}]},
- "cs_lifetime": {to:[{field: "rsa.misc.cs_lifetime", setter: fld_set}]},
- "cs_log_medium": {to:[{field: "rsa.misc.cs_log_medium", setter: fld_set}]},
- "cs_loginname": {to:[{field: "rsa.misc.cs_loginname", setter: fld_set}]},
- "cs_modulescore": {to:[{field: "rsa.misc.cs_modulescore", setter: fld_set}]},
- "cs_modulesign": {to:[{field: "rsa.misc.cs_modulesign", setter: fld_set}]},
- "cs_opswatresult": {to:[{field: "rsa.misc.cs_opswatresult", setter: fld_set}]},
- "cs_payload": {to:[{field: "rsa.misc.cs_payload", setter: fld_set}]},
- "cs_registrant": {to:[{field: "rsa.misc.cs_registrant", setter: fld_set}]},
- "cs_registrar": {to:[{field: "rsa.misc.cs_registrar", setter: fld_set}]},
- "cs_represult": {to:[{field: "rsa.misc.cs_represult", setter: fld_set}]},
- "cs_rpayload": {to:[{field: "rsa.misc.cs_rpayload", setter: fld_set}]},
- "cs_sampler_name": {to:[{field: "rsa.misc.cs_sampler_name", setter: fld_set}]},
- "cs_sourcemodule": {to:[{field: "rsa.misc.cs_sourcemodule", setter: fld_set}]},
- "cs_streams": {to:[{field: "rsa.misc.cs_streams", setter: fld_set}]},
- "cs_targetmodule": {to:[{field: "rsa.misc.cs_targetmodule", setter: fld_set}]},
- "cs_v6nxthop": {to:[{field: "rsa.misc.cs_v6nxthop", setter: fld_set}]},
- "cs_whois_server": {to:[{field: "rsa.misc.cs_whois_server", setter: fld_set}]},
- "cs_yararesult": {to:[{field: "rsa.misc.cs_yararesult", setter: fld_set}]},
- "cve": {to:[{field: "rsa.misc.cve", setter: fld_set}]},
- "d_certauth": {to:[{field: "rsa.crypto.d_certauth", setter: fld_set}]},
- "d_cipher": {to:[{field: "rsa.crypto.cipher_dst", setter: fld_set}]},
- "d_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_dst", setter: fld_set}]},
- "d_sslver": {to:[{field: "rsa.crypto.ssl_ver_dst", setter: fld_set}]},
- "data": {to:[{field: "rsa.internal.data", setter: fld_set}]},
- "data_type": {to:[{field: "rsa.misc.data_type", setter: fld_set}]},
- "date": {to:[{field: "rsa.time.date", setter: fld_set}]},
- "datetime": {to:[{field: "rsa.time.datetime", setter: fld_set}]},
- "day": {to:[{field: "rsa.time.day", setter: fld_set}]},
- "db_id": {to:[{field: "rsa.db.db_id", setter: fld_set}]},
- "db_name": {to:[{field: "rsa.db.database", setter: fld_set}]},
- "db_pid": {convert: to_long, to:[{field: "rsa.db.db_pid", setter: fld_set}]},
- "dclass_counter1": {convert: to_long, to:[{field: "rsa.counters.dclass_c1", setter: fld_set}]},
- "dclass_counter1_string": {to:[{field: "rsa.counters.dclass_c1_str", setter: fld_set}]},
- "dclass_counter2": {convert: to_long, to:[{field: "rsa.counters.dclass_c2", setter: fld_set}]},
- "dclass_counter2_string": {to:[{field: "rsa.counters.dclass_c2_str", setter: fld_set}]},
- "dclass_counter3": {convert: to_long, to:[{field: "rsa.counters.dclass_c3", setter: fld_set}]},
- "dclass_counter3_string": {to:[{field: "rsa.counters.dclass_c3_str", setter: fld_set}]},
- "dclass_ratio1": {to:[{field: "rsa.counters.dclass_r1", setter: fld_set}]},
- "dclass_ratio1_string": {to:[{field: "rsa.counters.dclass_r1_str", setter: fld_set}]},
- "dclass_ratio2": {to:[{field: "rsa.counters.dclass_r2", setter: fld_set}]},
- "dclass_ratio2_string": {to:[{field: "rsa.counters.dclass_r2_str", setter: fld_set}]},
- "dclass_ratio3": {to:[{field: "rsa.counters.dclass_r3", setter: fld_set}]},
- "dclass_ratio3_string": {to:[{field: "rsa.counters.dclass_r3_str", setter: fld_set}]},
- "dead": {convert: to_long, to:[{field: "rsa.internal.dead", setter: fld_set}]},
- "description": {to:[{field: "rsa.misc.description", setter: fld_set}]},
- "detail": {to:[{field: "rsa.misc.event_desc", setter: fld_set}]},
- "device": {to:[{field: "rsa.misc.device_name", setter: fld_set}]},
- "device.class": {to:[{field: "rsa.internal.device_class", setter: fld_set}]},
- "device.group": {to:[{field: "rsa.internal.device_group", setter: fld_set}]},
- "device.host": {to:[{field: "rsa.internal.device_host", setter: fld_set}]},
- "device.ip": {convert: to_ip, to:[{field: "rsa.internal.device_ip", setter: fld_set}]},
- "device.ipv6": {convert: to_ip, to:[{field: "rsa.internal.device_ipv6", setter: fld_set}]},
- "device.type": {to:[{field: "rsa.internal.device_type", setter: fld_set}]},
- "device.type.id": {convert: to_long, to:[{field: "rsa.internal.device_type_id", setter: fld_set}]},
- "devicehostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
- "devvendor": {to:[{field: "rsa.misc.devvendor", setter: fld_set}]},
- "dhost": {to:[{field: "rsa.network.host_dst", setter: fld_set}]},
- "did": {to:[{field: "rsa.internal.did", setter: fld_set}]},
- "dinterface": {to:[{field: "rsa.network.dinterface", setter: fld_set}]},
- "directory.dst": {to:[{field: "rsa.file.directory_dst", setter: fld_set}]},
- "directory.src": {to:[{field: "rsa.file.directory_src", setter: fld_set}]},
- "disk_volume": {to:[{field: "rsa.storage.disk_volume", setter: fld_set}]},
- "disposition": {to:[{field: "rsa.misc.disposition", setter: fld_set}]},
- "distance": {to:[{field: "rsa.misc.distance", setter: fld_set}]},
- "dmask": {to:[{field: "rsa.network.dmask", setter: fld_set}]},
- "dn": {to:[{field: "rsa.identity.dn", setter: fld_set}]},
- "dns_a_record": {to:[{field: "rsa.network.dns_a_record", setter: fld_set}]},
- "dns_cname_record": {to:[{field: "rsa.network.dns_cname_record", setter: fld_set}]},
- "dns_id": {to:[{field: "rsa.network.dns_id", setter: fld_set}]},
- "dns_opcode": {to:[{field: "rsa.network.dns_opcode", setter: fld_set}]},
- "dns_ptr_record": {to:[{field: "rsa.network.dns_ptr_record", setter: fld_set}]},
- "dns_resp": {to:[{field: "rsa.network.dns_resp", setter: fld_set}]},
- "dns_type": {to:[{field: "rsa.network.dns_type", setter: fld_set}]},
- "doc_number": {convert: to_long, to:[{field: "rsa.misc.doc_number", setter: fld_set}]},
- "domain": {to:[{field: "rsa.network.domain", setter: fld_set}]},
- "domain1": {to:[{field: "rsa.network.domain1", setter: fld_set}]},
- "dst_dn": {to:[{field: "rsa.identity.dn_dst", setter: fld_set}]},
- "dst_payload": {to:[{field: "rsa.misc.payload_dst", setter: fld_set}]},
- "dst_spi": {to:[{field: "rsa.misc.spi_dst", setter: fld_set}]},
- "dst_zone": {to:[{field: "rsa.network.zone_dst", setter: fld_set}]},
- "dstburb": {to:[{field: "rsa.misc.dstburb", setter: fld_set}]},
- "duration": {convert: to_double, to:[{field: "rsa.time.duration_time", setter: fld_set}]},
- "duration_string": {to:[{field: "rsa.time.duration_str", setter: fld_set}]},
- "ec_activity": {to:[{field: "rsa.investigations.ec_activity", setter: fld_set}]},
- "ec_outcome": {to:[{field: "rsa.investigations.ec_outcome", setter: fld_set}]},
- "ec_subject": {to:[{field: "rsa.investigations.ec_subject", setter: fld_set}]},
- "ec_theme": {to:[{field: "rsa.investigations.ec_theme", setter: fld_set}]},
- "edomain": {to:[{field: "rsa.misc.edomain", setter: fld_set}]},
- "edomaub": {to:[{field: "rsa.misc.edomaub", setter: fld_set}]},
- "effective_time": {convert: to_date, to:[{field: "rsa.time.effective_time", setter: fld_set}]},
- "ein.number": {convert: to_long, to:[{field: "rsa.misc.ein_number", setter: fld_set}]},
- "email": {to:[{field: "rsa.email.email", setter: fld_append}]},
- "encryption_type": {to:[{field: "rsa.crypto.crypto", setter: fld_set}]},
- "endtime": {convert: to_date, to:[{field: "rsa.time.endtime", setter: fld_set}]},
- "entropy.req": {convert: to_long, to:[{field: "rsa.internal.entropy_req", setter: fld_set}]},
- "entropy.res": {convert: to_long, to:[{field: "rsa.internal.entropy_res", setter: fld_set}]},
- "entry": {to:[{field: "rsa.internal.entry", setter: fld_set}]},
- "eoc": {to:[{field: "rsa.investigations.eoc", setter: fld_set}]},
- "error": {to:[{field: "rsa.misc.error", setter: fld_set}]},
- "eth_type": {convert: to_long, to:[{field: "rsa.network.eth_type", setter: fld_set}]},
- "euid": {to:[{field: "rsa.misc.euid", setter: fld_set}]},
- "event.cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 1}]},
- "event.cat.name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 1}]},
- "event_cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 0}]},
- "event_cat_name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 0}]},
- "event_category": {to:[{field: "rsa.misc.event_category", setter: fld_set}]},
- "event_computer": {to:[{field: "rsa.misc.event_computer", setter: fld_set}]},
- "event_counter": {convert: to_long, to:[{field: "rsa.counters.event_counter", setter: fld_set}]},
- "event_description": {to:[{field: "rsa.internal.event_desc", setter: fld_set}]},
- "event_id": {to:[{field: "rsa.misc.event_id", setter: fld_set}]},
- "event_log": {to:[{field: "rsa.misc.event_log", setter: fld_set}]},
- "event_name": {to:[{field: "rsa.internal.event_name", setter: fld_set}]},
- "event_queue_time": {convert: to_date, to:[{field: "rsa.time.event_queue_time", setter: fld_set}]},
- "event_source": {to:[{field: "rsa.misc.event_source", setter: fld_set}]},
- "event_state": {to:[{field: "rsa.misc.event_state", setter: fld_set}]},
- "event_time": {convert: to_date, to:[{field: "rsa.time.event_time", setter: fld_set}]},
- "event_time_str": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 1}]},
- "event_time_string": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 0}]},
- "event_type": {to:[{field: "rsa.misc.event_type", setter: fld_set}]},
- "event_user": {to:[{field: "rsa.misc.event_user", setter: fld_set}]},
- "eventtime": {to:[{field: "rsa.time.eventtime", setter: fld_set}]},
- "expected_val": {to:[{field: "rsa.misc.expected_val", setter: fld_set}]},
- "expiration_time": {convert: to_date, to:[{field: "rsa.time.expire_time", setter: fld_set}]},
- "expiration_time_string": {to:[{field: "rsa.time.expire_time_str", setter: fld_set}]},
- "facility": {to:[{field: "rsa.misc.facility", setter: fld_set}]},
- "facilityname": {to:[{field: "rsa.misc.facilityname", setter: fld_set}]},
- "faddr": {to:[{field: "rsa.network.faddr", setter: fld_set}]},
- "fcatnum": {to:[{field: "rsa.misc.fcatnum", setter: fld_set}]},
- "federated_idp": {to:[{field: "rsa.identity.federated_idp", setter: fld_set}]},
- "federated_sp": {to:[{field: "rsa.identity.federated_sp", setter: fld_set}]},
- "feed.category": {to:[{field: "rsa.internal.feed_category", setter: fld_set}]},
- "feed_desc": {to:[{field: "rsa.internal.feed_desc", setter: fld_set}]},
- "feed_name": {to:[{field: "rsa.internal.feed_name", setter: fld_set}]},
- "fhost": {to:[{field: "rsa.network.fhost", setter: fld_set}]},
- "file_entropy": {convert: to_double, to:[{field: "rsa.file.file_entropy", setter: fld_set}]},
- "file_vendor": {to:[{field: "rsa.file.file_vendor", setter: fld_set}]},
- "filename_dst": {to:[{field: "rsa.file.filename_dst", setter: fld_set}]},
- "filename_src": {to:[{field: "rsa.file.filename_src", setter: fld_set}]},
- "filename_tmp": {to:[{field: "rsa.file.filename_tmp", setter: fld_set}]},
- "filesystem": {to:[{field: "rsa.file.filesystem", setter: fld_set}]},
- "filter": {to:[{field: "rsa.misc.filter", setter: fld_set}]},
- "finterface": {to:[{field: "rsa.misc.finterface", setter: fld_set}]},
- "flags": {to:[{field: "rsa.misc.flags", setter: fld_set}]},
- "forensic_info": {to:[{field: "rsa.misc.forensic_info", setter: fld_set}]},
- "forward.ip": {convert: to_ip, to:[{field: "rsa.internal.forward_ip", setter: fld_set}]},
- "forward.ipv6": {convert: to_ip, to:[{field: "rsa.internal.forward_ipv6", setter: fld_set}]},
- "found": {to:[{field: "rsa.misc.found", setter: fld_set}]},
- "fport": {to:[{field: "rsa.network.fport", setter: fld_set}]},
- "fqdn": {to:[{field: "rsa.web.fqdn", setter: fld_set}]},
- "fresult": {convert: to_long, to:[{field: "rsa.misc.fresult", setter: fld_set}]},
- "from": {to:[{field: "rsa.email.email_src", setter: fld_set}]},
- "gaddr": {to:[{field: "rsa.misc.gaddr", setter: fld_set}]},
- "gateway": {to:[{field: "rsa.network.gateway", setter: fld_set}]},
- "gmtdate": {to:[{field: "rsa.time.gmtdate", setter: fld_set}]},
- "gmttime": {to:[{field: "rsa.time.gmttime", setter: fld_set}]},
- "group": {to:[{field: "rsa.misc.group", setter: fld_set}]},
- "group_object": {to:[{field: "rsa.misc.group_object", setter: fld_set}]},
- "groupid": {to:[{field: "rsa.misc.group_id", setter: fld_set}]},
- "h_code": {to:[{field: "rsa.internal.hcode", setter: fld_set}]},
- "hardware_id": {to:[{field: "rsa.misc.hardware_id", setter: fld_set}]},
- "header.id": {to:[{field: "rsa.internal.header_id", setter: fld_set}]},
- "host.orig": {to:[{field: "rsa.network.host_orig", setter: fld_set}]},
- "host.state": {to:[{field: "rsa.endpoint.host_state", setter: fld_set}]},
- "host.type": {to:[{field: "rsa.network.host_type", setter: fld_set}]},
- "host_role": {to:[{field: "rsa.identity.host_role", setter: fld_set}]},
- "hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
- "hostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
- "hour": {to:[{field: "rsa.time.hour", setter: fld_set}]},
- "https.insact": {to:[{field: "rsa.crypto.https_insact", setter: fld_set}]},
- "https.valid": {to:[{field: "rsa.crypto.https_valid", setter: fld_set}]},
- "icmpcode": {convert: to_long, to:[{field: "rsa.network.icmp_code", setter: fld_set}]},
- "icmptype": {convert: to_long, to:[{field: "rsa.network.icmp_type", setter: fld_set}]},
- "id": {to:[{field: "rsa.misc.reference_id", setter: fld_set}]},
- "id1": {to:[{field: "rsa.misc.reference_id1", setter: fld_set}]},
- "id2": {to:[{field: "rsa.misc.reference_id2", setter: fld_set}]},
- "id3": {to:[{field: "rsa.misc.id3", setter: fld_set}]},
- "ike": {to:[{field: "rsa.crypto.ike", setter: fld_set}]},
- "ike_cookie1": {to:[{field: "rsa.crypto.ike_cookie1", setter: fld_set}]},
- "ike_cookie2": {to:[{field: "rsa.crypto.ike_cookie2", setter: fld_set}]},
- "im_buddyid": {to:[{field: "rsa.misc.im_buddyid", setter: fld_set}]},
- "im_buddyname": {to:[{field: "rsa.misc.im_buddyname", setter: fld_set}]},
- "im_client": {to:[{field: "rsa.misc.im_client", setter: fld_set}]},
- "im_croomid": {to:[{field: "rsa.misc.im_croomid", setter: fld_set}]},
- "im_croomtype": {to:[{field: "rsa.misc.im_croomtype", setter: fld_set}]},
- "im_members": {to:[{field: "rsa.misc.im_members", setter: fld_set}]},
- "im_userid":
{to:[{field: "rsa.misc.im_userid", setter: fld_set}]}, - "im_username": {to:[{field: "rsa.misc.im_username", setter: fld_set}]}, - "index": {to:[{field: "rsa.misc.index", setter: fld_set}]}, - "info": {to:[{field: "rsa.db.index", setter: fld_set}]}, - "inode": {convert: to_long, to:[{field: "rsa.internal.inode", setter: fld_set}]}, - "inout": {to:[{field: "rsa.misc.inout", setter: fld_set}]}, - "instance": {to:[{field: "rsa.db.instance", setter: fld_set}]}, - "interface": {to:[{field: "rsa.network.interface", setter: fld_set}]}, - "inv.category": {to:[{field: "rsa.investigations.inv_category", setter: fld_set}]}, - "inv.context": {to:[{field: "rsa.investigations.inv_context", setter: fld_set}]}, - "ioc": {to:[{field: "rsa.investigations.ioc", setter: fld_set}]}, - "ip_proto": {convert: to_long, to:[{field: "rsa.network.ip_proto", setter: fld_set}]}, - "ipkt": {to:[{field: "rsa.misc.ipkt", setter: fld_set}]}, - "ipscat": {to:[{field: "rsa.misc.ipscat", setter: fld_set}]}, - "ipspri": {to:[{field: "rsa.misc.ipspri", setter: fld_set}]}, - "jobname": {to:[{field: "rsa.misc.jobname", setter: fld_set}]}, - "jobnum": {to:[{field: "rsa.misc.job_num", setter: fld_set}]}, - "laddr": {to:[{field: "rsa.network.laddr", setter: fld_set}]}, - "language": {to:[{field: "rsa.misc.language", setter: fld_set}]}, - "latitude": {to:[{field: "rsa.misc.latitude", setter: fld_set}]}, - "lc.cid": {to:[{field: "rsa.internal.lc_cid", setter: fld_set}]}, - "lc.ctime": {convert: to_date, to:[{field: "rsa.internal.lc_ctime", setter: fld_set}]}, - "ldap": {to:[{field: "rsa.identity.ldap", setter: fld_set}]}, - "ldap.query": {to:[{field: "rsa.identity.ldap_query", setter: fld_set}]}, - "ldap.response": {to:[{field: "rsa.identity.ldap_response", setter: fld_set}]}, - "level": {convert: to_long, to:[{field: "rsa.internal.level", setter: fld_set}]}, - "lhost": {to:[{field: "rsa.network.lhost", setter: fld_set}]}, - "library": {to:[{field: "rsa.misc.library", setter: fld_set}]}, - "lifetime": 
{convert: to_long, to:[{field: "rsa.misc.lifetime", setter: fld_set}]}, - "linenum": {to:[{field: "rsa.misc.linenum", setter: fld_set}]}, - "link": {to:[{field: "rsa.misc.link", setter: fld_set}]}, - "linterface": {to:[{field: "rsa.network.linterface", setter: fld_set}]}, - "list_name": {to:[{field: "rsa.misc.list_name", setter: fld_set}]}, - "listnum": {to:[{field: "rsa.misc.listnum", setter: fld_set}]}, - "load_data": {to:[{field: "rsa.misc.load_data", setter: fld_set}]}, - "location_floor": {to:[{field: "rsa.misc.location_floor", setter: fld_set}]}, - "location_mark": {to:[{field: "rsa.misc.location_mark", setter: fld_set}]}, - "log_id": {to:[{field: "rsa.misc.log_id", setter: fld_set}]}, - "log_type": {to:[{field: "rsa.misc.log_type", setter: fld_set}]}, - "logid": {to:[{field: "rsa.misc.logid", setter: fld_set}]}, - "logip": {to:[{field: "rsa.misc.logip", setter: fld_set}]}, - "logname": {to:[{field: "rsa.misc.logname", setter: fld_set}]}, - "logon_type": {to:[{field: "rsa.identity.logon_type", setter: fld_set}]}, - "logon_type_desc": {to:[{field: "rsa.identity.logon_type_desc", setter: fld_set}]}, - "longitude": {to:[{field: "rsa.misc.longitude", setter: fld_set}]}, - "lport": {to:[{field: "rsa.misc.lport", setter: fld_set}]}, - "lread": {convert: to_long, to:[{field: "rsa.db.lread", setter: fld_set}]}, - "lun": {to:[{field: "rsa.storage.lun", setter: fld_set}]}, - "lwrite": {convert: to_long, to:[{field: "rsa.db.lwrite", setter: fld_set}]}, - "macaddr": {convert: to_mac, to:[{field: "rsa.network.eth_host", setter: fld_set}]}, - "mail_id": {to:[{field: "rsa.misc.mail_id", setter: fld_set}]}, - "mask": {to:[{field: "rsa.network.mask", setter: fld_set}]}, - "match": {to:[{field: "rsa.misc.match", setter: fld_set}]}, - "mbug_data": {to:[{field: "rsa.misc.mbug_data", setter: fld_set}]}, - "mcb.req": {convert: to_long, to:[{field: "rsa.internal.mcb_req", setter: fld_set}]}, - "mcb.res": {convert: to_long, to:[{field: "rsa.internal.mcb_res", setter: fld_set}]}, - 
"mcbc.req": {convert: to_long, to:[{field: "rsa.internal.mcbc_req", setter: fld_set}]}, - "mcbc.res": {convert: to_long, to:[{field: "rsa.internal.mcbc_res", setter: fld_set}]}, - "medium": {convert: to_long, to:[{field: "rsa.internal.medium", setter: fld_set}]}, - "message": {to:[{field: "rsa.internal.message", setter: fld_set}]}, - "message_body": {to:[{field: "rsa.misc.message_body", setter: fld_set}]}, - "messageid": {to:[{field: "rsa.internal.messageid", setter: fld_set}]}, - "min": {to:[{field: "rsa.time.min", setter: fld_set}]}, - "misc": {to:[{field: "rsa.misc.misc", setter: fld_set}]}, - "misc_name": {to:[{field: "rsa.misc.misc_name", setter: fld_set}]}, - "mode": {to:[{field: "rsa.misc.mode", setter: fld_set}]}, - "month": {to:[{field: "rsa.time.month", setter: fld_set}]}, - "msg": {to:[{field: "rsa.internal.msg", setter: fld_set}]}, - "msgIdPart1": {to:[{field: "rsa.misc.msgIdPart1", setter: fld_set}]}, - "msgIdPart2": {to:[{field: "rsa.misc.msgIdPart2", setter: fld_set}]}, - "msgIdPart3": {to:[{field: "rsa.misc.msgIdPart3", setter: fld_set}]}, - "msgIdPart4": {to:[{field: "rsa.misc.msgIdPart4", setter: fld_set}]}, - "msg_id": {to:[{field: "rsa.internal.msg_id", setter: fld_set}]}, - "msg_type": {to:[{field: "rsa.misc.msg_type", setter: fld_set}]}, - "msgid": {to:[{field: "rsa.misc.msgid", setter: fld_set}]}, - "name": {to:[{field: "rsa.misc.name", setter: fld_set}]}, - "netname": {to:[{field: "rsa.network.netname", setter: fld_set}]}, - "netsessid": {to:[{field: "rsa.misc.netsessid", setter: fld_set}]}, - "network_port": {convert: to_long, to:[{field: "rsa.network.network_port", setter: fld_set}]}, - "network_service": {to:[{field: "rsa.network.network_service", setter: fld_set}]}, - "node": {to:[{field: "rsa.misc.node", setter: fld_set}]}, - "nodename": {to:[{field: "rsa.internal.node_name", setter: fld_set}]}, - "ntype": {to:[{field: "rsa.misc.ntype", setter: fld_set}]}, - "num": {to:[{field: "rsa.misc.num", setter: fld_set}]}, - "number": 
{to:[{field: "rsa.misc.number", setter: fld_set}]}, - "number1": {to:[{field: "rsa.misc.number1", setter: fld_set}]}, - "number2": {to:[{field: "rsa.misc.number2", setter: fld_set}]}, - "nwe.callback_id": {to:[{field: "rsa.internal.nwe_callback_id", setter: fld_set}]}, - "nwwn": {to:[{field: "rsa.misc.nwwn", setter: fld_set}]}, - "obj_id": {to:[{field: "rsa.internal.obj_id", setter: fld_set}]}, - "obj_name": {to:[{field: "rsa.misc.obj_name", setter: fld_set}]}, - "obj_server": {to:[{field: "rsa.internal.obj_server", setter: fld_set}]}, - "obj_type": {to:[{field: "rsa.misc.obj_type", setter: fld_set}]}, - "obj_value": {to:[{field: "rsa.internal.obj_val", setter: fld_set}]}, - "object": {to:[{field: "rsa.misc.object", setter: fld_set}]}, - "observed_val": {to:[{field: "rsa.misc.observed_val", setter: fld_set}]}, - "operation": {to:[{field: "rsa.misc.operation", setter: fld_set}]}, - "operation_id": {to:[{field: "rsa.misc.operation_id", setter: fld_set}]}, - "opkt": {to:[{field: "rsa.misc.opkt", setter: fld_set}]}, - "org.dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 1}]}, - "org.src": {to:[{field: "rsa.physical.org_src", setter: fld_set}]}, - "org_dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 0}]}, - "orig_from": {to:[{field: "rsa.misc.orig_from", setter: fld_set}]}, - "origin": {to:[{field: "rsa.network.origin", setter: fld_set}]}, - "original_owner": {to:[{field: "rsa.identity.owner", setter: fld_set}]}, - "os": {to:[{field: "rsa.misc.OS", setter: fld_set}]}, - "owner_id": {to:[{field: "rsa.misc.owner_id", setter: fld_set}]}, - "p_action": {to:[{field: "rsa.misc.p_action", setter: fld_set}]}, - "p_date": {to:[{field: "rsa.time.p_date", setter: fld_set}]}, - "p_filter": {to:[{field: "rsa.misc.p_filter", setter: fld_set}]}, - "p_group_object": {to:[{field: "rsa.misc.p_group_object", setter: fld_set}]}, - "p_id": {to:[{field: "rsa.misc.p_id", setter: fld_set}]}, - "p_month": {to:[{field: "rsa.time.p_month", setter: fld_set}]}, 
- "p_msgid": {to:[{field: "rsa.misc.p_msgid", setter: fld_set}]}, - "p_msgid1": {to:[{field: "rsa.misc.p_msgid1", setter: fld_set}]}, - "p_msgid2": {to:[{field: "rsa.misc.p_msgid2", setter: fld_set}]}, - "p_result1": {to:[{field: "rsa.misc.p_result1", setter: fld_set}]}, - "p_time": {to:[{field: "rsa.time.p_time", setter: fld_set}]}, - "p_time1": {to:[{field: "rsa.time.p_time1", setter: fld_set}]}, - "p_time2": {to:[{field: "rsa.time.p_time2", setter: fld_set}]}, - "p_url": {to:[{field: "rsa.web.p_url", setter: fld_set}]}, - "p_user_agent": {to:[{field: "rsa.web.p_user_agent", setter: fld_set}]}, - "p_web_cookie": {to:[{field: "rsa.web.p_web_cookie", setter: fld_set}]}, - "p_web_method": {to:[{field: "rsa.web.p_web_method", setter: fld_set}]}, - "p_web_referer": {to:[{field: "rsa.web.p_web_referer", setter: fld_set}]}, - "p_year": {to:[{field: "rsa.time.p_year", setter: fld_set}]}, - "packet_length": {to:[{field: "rsa.network.packet_length", setter: fld_set}]}, - "paddr": {convert: to_ip, to:[{field: "rsa.network.paddr", setter: fld_set}]}, - "param": {to:[{field: "rsa.misc.param", setter: fld_set}]}, - "param.dst": {to:[{field: "rsa.misc.param_dst", setter: fld_set}]}, - "param.src": {to:[{field: "rsa.misc.param_src", setter: fld_set}]}, - "parent_node": {to:[{field: "rsa.misc.parent_node", setter: fld_set}]}, - "parse.error": {to:[{field: "rsa.internal.parse_error", setter: fld_set}]}, - "password": {to:[{field: "rsa.identity.password", setter: fld_set}]}, - "password_chg": {to:[{field: "rsa.misc.password_chg", setter: fld_set}]}, - "password_expire": {to:[{field: "rsa.misc.password_expire", setter: fld_set}]}, - "patient_fname": {to:[{field: "rsa.healthcare.patient_fname", setter: fld_set}]}, - "patient_id": {to:[{field: "rsa.healthcare.patient_id", setter: fld_set}]}, - "patient_lname": {to:[{field: "rsa.healthcare.patient_lname", setter: fld_set}]}, - "patient_mname": {to:[{field: "rsa.healthcare.patient_mname", setter: fld_set}]}, - "payload.req": {convert: 
to_long, to:[{field: "rsa.internal.payload_req", setter: fld_set}]}, - "payload.res": {convert: to_long, to:[{field: "rsa.internal.payload_res", setter: fld_set}]}, - "peer": {to:[{field: "rsa.crypto.peer", setter: fld_set}]}, - "peer_id": {to:[{field: "rsa.crypto.peer_id", setter: fld_set}]}, - "permgranted": {to:[{field: "rsa.misc.permgranted", setter: fld_set}]}, - "permissions": {to:[{field: "rsa.db.permissions", setter: fld_set}]}, - "permwanted": {to:[{field: "rsa.misc.permwanted", setter: fld_set}]}, - "pgid": {to:[{field: "rsa.misc.pgid", setter: fld_set}]}, - "phone_number": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 2}]}, - "phost": {to:[{field: "rsa.network.phost", setter: fld_set}]}, - "pid": {to:[{field: "rsa.misc.pid", setter: fld_set}]}, - "policy": {to:[{field: "rsa.misc.policy", setter: fld_set}]}, - "policyUUID": {to:[{field: "rsa.misc.policyUUID", setter: fld_set}]}, - "policy_id": {to:[{field: "rsa.misc.policy_id", setter: fld_set}]}, - "policy_value": {to:[{field: "rsa.misc.policy_value", setter: fld_set}]}, - "policy_waiver": {to:[{field: "rsa.misc.policy_waiver", setter: fld_set}]}, - "policyname": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 0}]}, - "pool_id": {to:[{field: "rsa.misc.pool_id", setter: fld_set}]}, - "pool_name": {to:[{field: "rsa.misc.pool_name", setter: fld_set}]}, - "port": {convert: to_long, to:[{field: "rsa.network.port", setter: fld_set}]}, - "portname": {to:[{field: "rsa.misc.port_name", setter: fld_set}]}, - "pread": {convert: to_long, to:[{field: "rsa.db.pread", setter: fld_set}]}, - "priority": {to:[{field: "rsa.misc.priority", setter: fld_set}]}, - "privilege": {to:[{field: "rsa.file.privilege", setter: fld_set}]}, - "process.vid.dst": {to:[{field: "rsa.internal.process_vid_dst", setter: fld_set}]}, - "process.vid.src": {to:[{field: "rsa.internal.process_vid_src", setter: fld_set}]}, - "process_id_val": {to:[{field: "rsa.misc.process_id_val", setter: fld_set}]}, - "processing_time": 
{to:[{field: "rsa.time.process_time", setter: fld_set}]}, - "profile": {to:[{field: "rsa.identity.profile", setter: fld_set}]}, - "prog_asp_num": {to:[{field: "rsa.misc.prog_asp_num", setter: fld_set}]}, - "program": {to:[{field: "rsa.misc.program", setter: fld_set}]}, - "protocol_detail": {to:[{field: "rsa.network.protocol_detail", setter: fld_set}]}, - "pwwn": {to:[{field: "rsa.storage.pwwn", setter: fld_set}]}, - "r_hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "real_data": {to:[{field: "rsa.misc.real_data", setter: fld_set}]}, - "realm": {to:[{field: "rsa.identity.realm", setter: fld_set}]}, - "reason": {to:[{field: "rsa.misc.reason", setter: fld_set}]}, - "rec_asp_device": {to:[{field: "rsa.misc.rec_asp_device", setter: fld_set}]}, - "rec_asp_num": {to:[{field: "rsa.misc.rec_asp_num", setter: fld_set}]}, - "rec_library": {to:[{field: "rsa.misc.rec_library", setter: fld_set}]}, - "recorded_time": {convert: to_date, to:[{field: "rsa.time.recorded_time", setter: fld_set}]}, - "recordnum": {to:[{field: "rsa.misc.recordnum", setter: fld_set}]}, - "registry.key": {to:[{field: "rsa.endpoint.registry_key", setter: fld_set}]}, - "registry.value": {to:[{field: "rsa.endpoint.registry_value", setter: fld_set}]}, - "remote_domain": {to:[{field: "rsa.web.remote_domain", setter: fld_set}]}, - "remote_domain_id": {to:[{field: "rsa.network.remote_domain_id", setter: fld_set}]}, - "reputation_num": {convert: to_double, to:[{field: "rsa.web.reputation_num", setter: fld_set}]}, - "resource": {to:[{field: "rsa.internal.resource", setter: fld_set}]}, - "resource_class": {to:[{field: "rsa.internal.resource_class", setter: fld_set}]}, - "result": {to:[{field: "rsa.misc.result", setter: fld_set}]}, - "result_code": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 1}]}, - "resultcode": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 0}]}, - "rid": {convert: to_long, to:[{field: "rsa.internal.rid", setter: fld_set}]}, - "risk": 
{to:[{field: "rsa.misc.risk", setter: fld_set}]}, - "risk_info": {to:[{field: "rsa.misc.risk_info", setter: fld_set}]}, - "risk_num": {convert: to_double, to:[{field: "rsa.misc.risk_num", setter: fld_set}]}, - "risk_num_comm": {convert: to_double, to:[{field: "rsa.misc.risk_num_comm", setter: fld_set}]}, - "risk_num_next": {convert: to_double, to:[{field: "rsa.misc.risk_num_next", setter: fld_set}]}, - "risk_num_sand": {convert: to_double, to:[{field: "rsa.misc.risk_num_sand", setter: fld_set}]}, - "risk_num_static": {convert: to_double, to:[{field: "rsa.misc.risk_num_static", setter: fld_set}]}, - "risk_suspicious": {to:[{field: "rsa.misc.risk_suspicious", setter: fld_set}]}, - "risk_warning": {to:[{field: "rsa.misc.risk_warning", setter: fld_set}]}, - "rpayload": {to:[{field: "rsa.network.rpayload", setter: fld_set}]}, - "ruid": {to:[{field: "rsa.misc.ruid", setter: fld_set}]}, - "rule": {to:[{field: "rsa.misc.rule", setter: fld_set}]}, - "rule_group": {to:[{field: "rsa.misc.rule_group", setter: fld_set}]}, - "rule_template": {to:[{field: "rsa.misc.rule_template", setter: fld_set}]}, - "rule_uid": {to:[{field: "rsa.misc.rule_uid", setter: fld_set}]}, - "rulename": {to:[{field: "rsa.misc.rule_name", setter: fld_set}]}, - "s_certauth": {to:[{field: "rsa.crypto.s_certauth", setter: fld_set}]}, - "s_cipher": {to:[{field: "rsa.crypto.cipher_src", setter: fld_set}]}, - "s_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_src", setter: fld_set}]}, - "s_context": {to:[{field: "rsa.misc.context_subject", setter: fld_set}]}, - "s_sslver": {to:[{field: "rsa.crypto.ssl_ver_src", setter: fld_set}]}, - "sburb": {to:[{field: "rsa.misc.sburb", setter: fld_set}]}, - "scheme": {to:[{field: "rsa.crypto.scheme", setter: fld_set}]}, - "sdomain_fld": {to:[{field: "rsa.misc.sdomain_fld", setter: fld_set}]}, - "search.text": {to:[{field: "rsa.misc.search_text", setter: fld_set}]}, - "sec": {to:[{field: "rsa.misc.sec", setter: fld_set}]}, - "second": {to:[{field: 
"rsa.misc.second", setter: fld_set}]}, - "sensor": {to:[{field: "rsa.misc.sensor", setter: fld_set}]}, - "sensorname": {to:[{field: "rsa.misc.sensorname", setter: fld_set}]}, - "seqnum": {to:[{field: "rsa.misc.seqnum", setter: fld_set}]}, - "serial_number": {to:[{field: "rsa.misc.serial_number", setter: fld_set}]}, - "service.account": {to:[{field: "rsa.identity.service_account", setter: fld_set}]}, - "session": {to:[{field: "rsa.misc.session", setter: fld_set}]}, - "session.split": {to:[{field: "rsa.internal.session_split", setter: fld_set}]}, - "sessionid": {to:[{field: "rsa.misc.log_session_id", setter: fld_set}]}, - "sessionid1": {to:[{field: "rsa.misc.log_session_id1", setter: fld_set}]}, - "sessiontype": {to:[{field: "rsa.misc.sessiontype", setter: fld_set}]}, - "severity": {to:[{field: "rsa.misc.severity", setter: fld_set}]}, - "sid": {to:[{field: "rsa.identity.user_sid_dst", setter: fld_set}]}, - "sig.name": {to:[{field: "rsa.misc.sig_name", setter: fld_set}]}, - "sigUUID": {to:[{field: "rsa.misc.sigUUID", setter: fld_set}]}, - "sigcat": {to:[{field: "rsa.misc.sigcat", setter: fld_set}]}, - "sigid": {convert: to_long, to:[{field: "rsa.misc.sig_id", setter: fld_set}]}, - "sigid1": {convert: to_long, to:[{field: "rsa.misc.sig_id1", setter: fld_set}]}, - "sigid_string": {to:[{field: "rsa.misc.sig_id_str", setter: fld_set}]}, - "signame": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 1}]}, - "sigtype": {to:[{field: "rsa.crypto.sig_type", setter: fld_set}]}, - "sinterface": {to:[{field: "rsa.network.sinterface", setter: fld_set}]}, - "site": {to:[{field: "rsa.internal.site", setter: fld_set}]}, - "size": {convert: to_long, to:[{field: "rsa.internal.size", setter: fld_set}]}, - "smask": {to:[{field: "rsa.network.smask", setter: fld_set}]}, - "snmp.oid": {to:[{field: "rsa.misc.snmp_oid", setter: fld_set}]}, - "snmp.value": {to:[{field: "rsa.misc.snmp_value", setter: fld_set}]}, - "sourcefile": {to:[{field: "rsa.internal.sourcefile", setter: 
fld_set}]}, - "space": {to:[{field: "rsa.misc.space", setter: fld_set}]}, - "space1": {to:[{field: "rsa.misc.space1", setter: fld_set}]}, - "spi": {to:[{field: "rsa.misc.spi", setter: fld_set}]}, - "sql": {to:[{field: "rsa.misc.sql", setter: fld_set}]}, - "src_dn": {to:[{field: "rsa.identity.dn_src", setter: fld_set}]}, - "src_payload": {to:[{field: "rsa.misc.payload_src", setter: fld_set}]}, - "src_spi": {to:[{field: "rsa.misc.spi_src", setter: fld_set}]}, - "src_zone": {to:[{field: "rsa.network.zone_src", setter: fld_set}]}, - "srcburb": {to:[{field: "rsa.misc.srcburb", setter: fld_set}]}, - "srcdom": {to:[{field: "rsa.misc.srcdom", setter: fld_set}]}, - "srcservice": {to:[{field: "rsa.misc.srcservice", setter: fld_set}]}, - "ssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 0}]}, - "stamp": {convert: to_date, to:[{field: "rsa.time.stamp", setter: fld_set}]}, - "starttime": {convert: to_date, to:[{field: "rsa.time.starttime", setter: fld_set}]}, - "state": {to:[{field: "rsa.misc.state", setter: fld_set}]}, - "statement": {to:[{field: "rsa.internal.statement", setter: fld_set}]}, - "status": {to:[{field: "rsa.misc.status", setter: fld_set}]}, - "status1": {to:[{field: "rsa.misc.status1", setter: fld_set}]}, - "streams": {convert: to_long, to:[{field: "rsa.misc.streams", setter: fld_set}]}, - "subcategory": {to:[{field: "rsa.misc.subcategory", setter: fld_set}]}, - "subject": {to:[{field: "rsa.email.subject", setter: fld_set}]}, - "svcno": {to:[{field: "rsa.misc.svcno", setter: fld_set}]}, - "system": {to:[{field: "rsa.misc.system", setter: fld_set}]}, - "t_context": {to:[{field: "rsa.misc.context_target", setter: fld_set}]}, - "task_name": {to:[{field: "rsa.file.task_name", setter: fld_set}]}, - "tbdstr1": {to:[{field: "rsa.misc.tbdstr1", setter: fld_set}]}, - "tbdstr2": {to:[{field: "rsa.misc.tbdstr2", setter: fld_set}]}, - "tbl_name": {to:[{field: "rsa.db.table_name", setter: fld_set}]}, - "tcp_flags": {convert: to_long, to:[{field: 
"rsa.misc.tcp_flags", setter: fld_set}]}, - "terminal": {to:[{field: "rsa.misc.terminal", setter: fld_set}]}, - "tgtdom": {to:[{field: "rsa.misc.tgtdom", setter: fld_set}]}, - "tgtdomain": {to:[{field: "rsa.misc.tgtdomain", setter: fld_set}]}, - "threat_name": {to:[{field: "rsa.threat.threat_category", setter: fld_set}]}, - "threat_source": {to:[{field: "rsa.threat.threat_source", setter: fld_set}]}, - "threat_val": {to:[{field: "rsa.threat.threat_desc", setter: fld_set}]}, - "threshold": {to:[{field: "rsa.misc.threshold", setter: fld_set}]}, - "time": {convert: to_date, to:[{field: "rsa.internal.time", setter: fld_set}]}, - "timestamp": {to:[{field: "rsa.time.timestamp", setter: fld_set}]}, - "timezone": {to:[{field: "rsa.time.timezone", setter: fld_set}]}, - "to": {to:[{field: "rsa.email.email_dst", setter: fld_set}]}, - "tos": {convert: to_long, to:[{field: "rsa.misc.tos", setter: fld_set}]}, - "trans_from": {to:[{field: "rsa.email.trans_from", setter: fld_set}]}, - "trans_id": {to:[{field: "rsa.db.transact_id", setter: fld_set}]}, - "trans_to": {to:[{field: "rsa.email.trans_to", setter: fld_set}]}, - "trigger_desc": {to:[{field: "rsa.misc.trigger_desc", setter: fld_set}]}, - "trigger_val": {to:[{field: "rsa.misc.trigger_val", setter: fld_set}]}, - "type": {to:[{field: "rsa.misc.type", setter: fld_set}]}, - "type1": {to:[{field: "rsa.misc.type1", setter: fld_set}]}, - "tzone": {to:[{field: "rsa.time.tzone", setter: fld_set}]}, - "ubc.req": {convert: to_long, to:[{field: "rsa.internal.ubc_req", setter: fld_set}]}, - "ubc.res": {convert: to_long, to:[{field: "rsa.internal.ubc_res", setter: fld_set}]}, - "udb_class": {to:[{field: "rsa.misc.udb_class", setter: fld_set}]}, - "url_fld": {to:[{field: "rsa.misc.url_fld", setter: fld_set}]}, - "urlpage": {to:[{field: "rsa.web.urlpage", setter: fld_set}]}, - "urlroot": {to:[{field: "rsa.web.urlroot", setter: fld_set}]}, - "user_address": {to:[{field: "rsa.email.email", setter: fld_append}]}, - "user_dept": {to:[{field: 
"rsa.identity.user_dept", setter: fld_set}]}, - "user_div": {to:[{field: "rsa.misc.user_div", setter: fld_set}]}, - "user_fname": {to:[{field: "rsa.identity.firstname", setter: fld_set}]}, - "user_lname": {to:[{field: "rsa.identity.lastname", setter: fld_set}]}, - "user_mname": {to:[{field: "rsa.identity.middlename", setter: fld_set}]}, - "user_org": {to:[{field: "rsa.identity.org", setter: fld_set}]}, - "user_role": {to:[{field: "rsa.identity.user_role", setter: fld_set}]}, - "userid": {to:[{field: "rsa.misc.userid", setter: fld_set}]}, - "username_fld": {to:[{field: "rsa.misc.username_fld", setter: fld_set}]}, - "utcstamp": {to:[{field: "rsa.misc.utcstamp", setter: fld_set}]}, - "v_instafname": {to:[{field: "rsa.misc.v_instafname", setter: fld_set}]}, - "vendor_event_cat": {to:[{field: "rsa.investigations.event_vcat", setter: fld_set}]}, - "version": {to:[{field: "rsa.misc.version", setter: fld_set}]}, - "vid": {to:[{field: "rsa.internal.msg_vid", setter: fld_set}]}, - "virt_data": {to:[{field: "rsa.misc.virt_data", setter: fld_set}]}, - "virusname": {to:[{field: "rsa.misc.virusname", setter: fld_set}]}, - "vlan": {convert: to_long, to:[{field: "rsa.network.vlan", setter: fld_set}]}, - "vlan.name": {to:[{field: "rsa.network.vlan_name", setter: fld_set}]}, - "vm_target": {to:[{field: "rsa.misc.vm_target", setter: fld_set}]}, - "vpnid": {to:[{field: "rsa.misc.vpnid", setter: fld_set}]}, - "vsys": {to:[{field: "rsa.misc.vsys", setter: fld_set}]}, - "vuln_ref": {to:[{field: "rsa.misc.vuln_ref", setter: fld_set}]}, - "web_cookie": {to:[{field: "rsa.web.web_cookie", setter: fld_set}]}, - "web_extension_tmp": {to:[{field: "rsa.web.web_extension_tmp", setter: fld_set}]}, - "web_host": {to:[{field: "rsa.web.alias_host", setter: fld_set}]}, - "web_method": {to:[{field: "rsa.misc.action", setter: fld_append}]}, - "web_page": {to:[{field: "rsa.web.web_page", setter: fld_set}]}, - "web_ref_domain": {to:[{field: "rsa.web.web_ref_domain", setter: fld_set}]}, - "web_ref_host": 
{to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "web_ref_page": {to:[{field: "rsa.web.web_ref_page", setter: fld_set}]}, - "web_ref_query": {to:[{field: "rsa.web.web_ref_query", setter: fld_set}]}, - "web_ref_root": {to:[{field: "rsa.web.web_ref_root", setter: fld_set}]}, - "wifi_channel": {convert: to_long, to:[{field: "rsa.wireless.wlan_channel", setter: fld_set}]}, - "wlan": {to:[{field: "rsa.wireless.wlan_name", setter: fld_set}]}, - "word": {to:[{field: "rsa.internal.word", setter: fld_set}]}, - "workspace_desc": {to:[{field: "rsa.misc.workspace", setter: fld_set}]}, - "workstation": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "year": {to:[{field: "rsa.time.year", setter: fld_set}]}, - "zone": {to:[{field: "rsa.network.zone", setter: fld_set}]}, - }; - - function to_date(value) { - switch (typeof (value)) { - case "object": - // This is a Date. But as it was obtained from evt.Get(), the VM - // doesn't see it as a JS Date anymore, thus value instanceof Date === false. - // Have to trust that any object here is a valid Date for Go. - return value; - case "string": - var asDate = new Date(value); - if (!isNaN(asDate)) return asDate; - } - } - - // ECMAScript 5.1 doesn't have Object.MAX_SAFE_INTEGER / Object.MIN_SAFE_INTEGER. - var maxSafeInt = Math.pow(2, 53) - 1; - var minSafeInt = -maxSafeInt; - - function to_long(value) { - var num = parseInt(value); - // Better not to index a number if it's not safe (above 53 bits). - return !isNaN(num) && minSafeInt <= num && num <= maxSafeInt ? 
num : undefined; - } - - function to_ip(value) { - if (value.indexOf(":") === -1) - return to_ipv4(value); - return to_ipv6(value); - } - - var ipv4_regex = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/; - var ipv6_hex_regex = /^[0-9A-Fa-f]{1,4}$/; - - function to_ipv4(value) { - var result = ipv4_regex.exec(value); - if (result == null || result.length !== 5) return; - for (var i = 1; i < 5; i++) { - var num = strictToInt(result[i]); - if (isNaN(num) || num < 0 || num > 255) return; - } - return value; - } - - function to_ipv6(value) { - var sqEnd = value.indexOf("]"); - if (sqEnd > -1) { - if (value.charAt(0) !== "[") return; - value = value.substr(1, sqEnd - 1); - } - var zoneOffset = value.indexOf("%"); - if (zoneOffset > -1) { - value = value.substr(0, zoneOffset); - } - var parts = value.split(":"); - if (parts == null || parts.length < 3 || parts.length > 8) return; - var numEmpty = 0; - var innerEmpty = 0; - for (var i = 0; i < parts.length; i++) { - if (parts[i].length === 0) { - numEmpty++; - if (i > 0 && i + 1 < parts.length) innerEmpty++; - } else if (!parts[i].match(ipv6_hex_regex) && - // Accept an IPv6 with a valid IPv4 at the end. - ((i + 1 < parts.length) || !to_ipv4(parts[i]))) { - return; - } - } - return innerEmpty === 0 && parts.length === 8 || innerEmpty === 1 ? value : undefined; - } - - function to_double(value) { - return parseFloat(value); - } - - function to_mac(value) { - // ES doesn't have a mac datatype so it's safe to ingest whatever was captured. - return value; - } - - function to_lowercase(value) { - // to_lowercase is used against keyword fields, which can accept - // any other type (numbers, dates). - return typeof(value) === "string"? 
value.toLowerCase() : value; - } - - function fld_set(dst, value) { - dst[this.field] = { v: value }; - } - - function fld_append(dst, value) { - if (dst[this.field] === undefined) { - dst[this.field] = { v: [value] }; - } else { - var base = dst[this.field]; - if (base.v.indexOf(value)===-1) base.v.push(value); - } - } - - function fld_prio(dst, value) { - if (dst[this.field] === undefined) { - dst[this.field] = { v: value, prio: this.prio}; - } else if(this.prio < dst[this.field].prio) { - dst[this.field].v = value; - dst[this.field].prio = this.prio; - } - } - - var valid_ecs_outcome = { - 'failure': true, - 'success': true, - 'unknown': true - }; - - function fld_ecs_outcome(dst, value) { - value = value.toLowerCase(); - if (valid_ecs_outcome[value] === undefined) { - value = 'unknown'; - } - if (dst[this.field] === undefined) { - dst[this.field] = { v: value }; - } else if (dst[this.field].v === 'unknown') { - dst[this.field] = { v: value }; - } - } - - function map_all(evt, targets, value) { - for (var i = 0; i < targets.length; i++) { - evt.Put(targets[i], value); - } - } - - function populate_fields(evt) { - var base = evt.Get(FIELDS_OBJECT); - if (base === null) return; - alternate_datetime(evt); - if (map_ecs) { - do_populate(evt, base, ecs_mappings); - } - if (map_rsa) { - do_populate(evt, base, rsa_mappings); - } - if (keep_raw) { - evt.Put("rsa.raw", base); - } - evt.Delete(FIELDS_OBJECT); - } - - var datetime_alt_components = [ - {field: "day", fmts: [[dF]]}, - {field: "year", fmts: [[dW]]}, - {field: "month", fmts: [[dB],[dG]]}, - {field: "date", fmts: [[dW,dSkip,dG,dSkip,dF],[dW,dSkip,dB,dSkip,dF],[dW,dSkip,dR,dSkip,dF]]}, - {field: "hour", fmts: [[dN]]}, - {field: "min", fmts: [[dU]]}, - {field: "secs", fmts: [[dO]]}, - {field: "time", fmts: [[dN, dSkip, dU, dSkip, dO]]}, - ]; - - function alternate_datetime(evt) { - if (evt.Get(FIELDS_PREFIX + "event_time") != null) { - return; - } - var tzOffset = tz_offset; - if (tzOffset === "event") { - 
tzOffset = evt.Get("event.timezone"); - } - var container = new DateContainer(tzOffset); - for (var i=0; i} Hit-count = %{dclass_counter1}"); - - var dup60 = setc("dclass_counter1_string","Hit Count"); - - var dup61 = setc("eventcategory","1603100000"); - - var dup62 = setc("eventcategory","1701020000"); - - var dup63 = setc("eventcategory","1801000000"); - - var dup64 = match("MESSAGE#372:TACACS_ACCOUNTING_MESSAGE:09/0", "nwparser.payload", "%{action}: %{p0}"); - - var dup65 = match("MESSAGE#372:TACACS_ACCOUNTING_MESSAGE:09/1_0", "nwparser.p0", "%{saddr}@%{terminal}: %{p0}"); - - var dup66 = match("MESSAGE#372:TACACS_ACCOUNTING_MESSAGE:09/1_1", "nwparser.p0", "%{fld1->} %{p0}"); - - var dup67 = match("MESSAGE#372:TACACS_ACCOUNTING_MESSAGE:09/3_0", "nwparser.p0", "(%{result})%{info}"); - - var dup68 = match_copy("MESSAGE#372:TACACS_ACCOUNTING_MESSAGE:09/3_1", "nwparser.p0", "info"); - - var dup69 = match("MESSAGE#238:IF_XCVR_WARNING/0", "nwparser.payload", "Interface %{interface}, %{p0}"); - - var dup70 = match("MESSAGE#238:IF_XCVR_WARNING/1_0", "nwparser.p0", "Low %{p0}"); - - var dup71 = match("MESSAGE#238:IF_XCVR_WARNING/1_1", "nwparser.p0", "High %{p0}"); - - var dup72 = setc("ec_outcome","Error"); - - var dup73 = setc("eventcategory","1703000000"); - - var dup74 = setc("obj_type","vPC"); - - var dup75 = setc("ec_subject","OS"); - - var dup76 = setc("ec_activity","Start"); - - var dup77 = setc("eventcategory","1801010000"); - - var dup78 = setc("ec_activity","Receive"); - - var dup79 = setc("ec_activity","Send"); - - var dup80 = setc("ec_activity","Create"); - - var dup81 = setc("event_description","Switchover completed."); - - var dup82 = setc("event_description","Invalid user"); - - var dup83 = setc("eventcategory","1401000000"); - - var dup84 = setc("ec_subject","Service"); - - var dup85 = setc("event_description","Duplicate address Detected."); - - var dup86 = match_copy("MESSAGE#0:LOG-7-SYSTEM_MSG", "nwparser.payload", "event_description", 
processor_chain([ - dup1, - dup2, - dup3, - dup4, - ])); - - var dup87 = match_copy("MESSAGE#32:NEIGHBOR_UPDATE_AUTOCOPY", "nwparser.payload", "event_description", processor_chain([ - dup15, - dup2, - dup3, - dup4, - ])); - - var dup88 = match("MESSAGE#35:IF_DOWN_ADMIN_DOWN", "nwparser.payload", "Interface %{interface->} is down (%{result})", processor_chain([ - dup23, - dup2, - dup3, - dup4, - ])); - - var dup89 = match("MESSAGE#36:IF_DOWN_ADMIN_DOWN:01", "nwparser.payload", "%{fld43->} Interface %{interface->} is down (%{result})", processor_chain([ - dup23, - dup2, - dup3, - dup4, - ])); - - var dup90 = match("MESSAGE#37:IF_DOWN_CHANNEL_MEMBERSHIP_UPDATE_IN_PROGRESS", "nwparser.payload", "Interface %{interface->} is down (%{result})", processor_chain([ - dup15, - dup2, - dup3, - dup4, - ])); - - var dup91 = match("MESSAGE#38:IF_DOWN_INTERFACE_REMOVED", "nwparser.payload", "Interface %{interface->} is down (%{result})", processor_chain([ - dup24, - dup2, - dup3, - dup4, - ])); - - var dup92 = linear_select([ - dup26, - dup27, - ]); - - var dup93 = match_copy("MESSAGE#58:IM_SEQ_ERROR", "nwparser.payload", "result", processor_chain([ - dup1, - dup2, - dup3, - dup4, - ])); - - var dup94 = match_copy("MESSAGE#88:PFM_VEM_REMOVE_NO_HB", "nwparser.payload", "event_description", processor_chain([ - dup24, - dup2, - dup3, - dup4, - ])); - - var dup95 = match("MESSAGE#108:IF_DOWN_INITIALIZING:01", "nwparser.payload", "%{fld43->} Interface %{interface->} is down (%{result})", processor_chain([ - dup15, - dup2, - dup3, - dup4, - ])); - - var dup96 = match("MESSAGE#110:IF_DOWN_NONE:01", "nwparser.payload", "%{fld52->} Interface %{interface->} is down (%{result})", processor_chain([ - dup23, - dup34, - dup35, - dup14, - dup2, - dup3, - dup4, - ])); - - var dup97 = match_copy("MESSAGE#123:PORT_PROFILE_CHANGE_VERIFY_REQ_FAILURE", "nwparser.payload", "event_description", processor_chain([ - dup33, - dup2, - dup3, - dup4, - ])); - - var dup98 = linear_select([ - dup46, - dup47, - 
]); - - var dup99 = linear_select([ - dup49, - dup50, - ]); - - var dup100 = linear_select([ - dup54, - dup55, - ]); - - var dup101 = linear_select([ - dup57, - dup58, - ]); - - var dup102 = match_copy("MESSAGE#214:NOHMS_DIAG_ERR_PS_FAIL", "nwparser.payload", "event_description", processor_chain([ - dup23, - dup2, - dup3, - dup4, - ])); - - var dup103 = linear_select([ - dup65, - dup66, - ]); - - var dup104 = linear_select([ - dup67, - dup68, - ]); - - var dup105 = match("MESSAGE#224:IF_SFP_WARNING", "nwparser.payload", "Interface %{interface}, %{event_description}", processor_chain([ - dup15, - dup2, - dup3, - dup4, - ])); - - var dup106 = match("MESSAGE#225:IF_DOWN_TCP_MAX_RETRANSMIT", "nwparser.payload", "%{fld43->} Interface %{interface->} is down%{info}", processor_chain([ - dup23, - dup2, - dup3, - dup4, - ])); - - var dup107 = linear_select([ - dup70, - dup71, - ]); - - var dup108 = match("MESSAGE#239:IF_XCVR_WARNING:01", "nwparser.payload", "Interface %{interface}, %{event_description}", processor_chain([ - dup61, - dup2, - dup3, - dup4, - ])); - - var hdr1 = match("HEADER#0:0001", "message", ": %{hfld14->} %{hfld15->} %{hfld16->} %{hfld17->} %{hfld18}: %%{hfld19}-%{hfld20}-%{severity}-%{messageid}:%{payload}", processor_chain([ - setc("header_id","0001"), - ])); - - var hdr2 = match("HEADER#1:0007", "message", "%{hfld14->} %{hfld15->} %{hfld16->} %{hfld17->} %{hfld18}: %%{hfld19}-%{hfld20}-%{severity}-%{messageid}:%{payload}", processor_chain([ - setc("header_id","0007"), - ])); - - var hdr3 = match("HEADER#2:0005", "message", "%{hfld4->} %{hfld5->} %{hfld6->} %{hfld7->} : %{hfld14->} %{hfld15->} %{hfld16->} %{hfld17->} %{timezone}: %%{hfld19}-%{severity}-%{messageid}:%{payload}", processor_chain([ - setc("header_id","0005"), - ])); - - var hdr4 = match("HEADER#3:0002", "message", ": %{hfld14->} %{hfld15->} %{hfld16->} %{hfld17->} %{timezone}: %%{hfld19}-%{severity}-%{messageid}:%{payload}", processor_chain([ - setc("header_id","0002"), - ])); - - var hdr5 
= match("HEADER#4:0012", "message", "%{fld13}: %{hfld14->} %{hfld15->} %{hfld16->} %{hfld17->} %{timezone}: %%{hfld19}-%{severity}-%{messageid}:%{payload}", processor_chain([ - setc("header_id","0012"), - ])); - - var hdr6 = match("HEADER#5:0008", "message", "%{hfld14->} %{hfld15->} %{hfld16->} %{hfld17->} %{timezone}: %%{hfld19}-%{severity}-%{messageid}:%{payload}", processor_chain([ - setc("header_id","0008"), - ])); - - var hdr7 = match("HEADER#6:0011", "message", ": %{hfld14->} %{hfld15->} %{hfld16->} %{hfld17->} %{timezone}: %{messageid}[%{hfld18}]:%{payload}", processor_chain([ - setc("header_id","0011"), - ])); - - var hdr8 = match("HEADER#7:0003", "message", ": %{hfld14->} %{hfld15->} %{hfld16->} %{hfld17->} %{timezone}: %{messageid}:%{payload}", processor_chain([ - setc("header_id","0003"), - ])); - - var hdr9 = match("HEADER#8:0004", "message", ": %{hfld14->} %{hfld15->} %{hfld16->} %{hfld17->} %{timezone}: %{messageid->} %{payload}", processor_chain([ - setc("header_id","0004"), - ])); - - var hdr10 = match("HEADER#9:0009", "message", "%{hfld14->} %{hfld15->} %{hfld16->} %{hfld17->} %{timezone}: %{messageid}:%{payload}", processor_chain([ - setc("header_id","0009"), - ])); - - var hdr11 = match("HEADER#10:0013", "message", "%{fld13}: %{hfld14->} %{hfld15->} %{hfld16->} %{hfld17->} %{timezone}: %{messageid->} %{payload}", processor_chain([ - setc("header_id","0013"), - ])); - - var hdr12 = match("HEADER#11:0010", "message", "%{hfld14->} %{hfld15->} %{hfld16->} %{hfld17->} %{timezone}: %{messageid->} %{payload}", processor_chain([ - setc("header_id","0010"), - ])); - - var select1 = linear_select([ - hdr1, - hdr2, - hdr3, - hdr4, - hdr5, - hdr6, - hdr7, - hdr8, - hdr9, - hdr10, - hdr11, - hdr12, - ]); - - var msg1 = msg("LOG-7-SYSTEM_MSG", dup86); - - var part1 = match("MESSAGE#1:SYSTEM_MSG", "nwparser.payload", "error: PAM: Authentication failure for illegal user %{username->} from %{saddr->} - %{agent}[%{process_id}]", processor_chain([ - dup5, - dup2, - 
dup3, - dup4, - dup6, - ])); - - var msg2 = msg("SYSTEM_MSG", part1); - - var part2 = match("MESSAGE#2:SYSTEM_MSG:12", "nwparser.payload", "error: PAM: Authentication failure for illegal user %{username->} from %{shost}", processor_chain([ - dup5, - dup2, - dup3, - dup4, - dup6, - ])); - - var msg3 = msg("SYSTEM_MSG:12", part2); - - var part3 = match("MESSAGE#3:SYSTEM_MSG:01", "nwparser.payload", "error: PAM: Authentication failure for %{username->} from %{saddr->} - %{agent}[%{process_id}]", processor_chain([ - dup5, - dup2, - dup3, - dup4, - dup7, - ])); - - var msg4 = msg("SYSTEM_MSG:01", part3); - - var part4 = match("MESSAGE#4:SYSTEM_MSG:11", "nwparser.payload", "error: PAM: Authentication failure for %{username->} from %{shost}", processor_chain([ - dup5, - dup2, - dup3, - dup4, - dup7, - ])); - - var msg5 = msg("SYSTEM_MSG:11", part4); - - var part5 = match("MESSAGE#5:SYSTEM_MSG:19/0", "nwparser.payload", "error: maximum authentication attempts exceeded for %{p0}"); - - var part6 = match("MESSAGE#5:SYSTEM_MSG:19/1_0", "nwparser.p0", "invalid user %{username->} from %{p0}"); - - var part7 = match("MESSAGE#5:SYSTEM_MSG:19/1_1", "nwparser.p0", "%{username->} from %{p0}"); - - var select2 = linear_select([ - part6, - part7, - ]); - - var part8 = match("MESSAGE#5:SYSTEM_MSG:19/2", "nwparser.p0", "%{saddr->} port %{sport->} %{protocol->} - %{agent}[%{process_id}]"); - - var all1 = all_match({ - processors: [ - part5, - select2, - part8, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - ]), - }); - - var msg6 = msg("SYSTEM_MSG:19", all1); - - var part9 = match("MESSAGE#6:SYSTEM_MSG:02", "nwparser.payload", "error:%{result}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - ])); - - var msg7 = msg("SYSTEM_MSG:02", part9); - - var part10 = match("MESSAGE#7:SYSTEM_MSG:03/0_0", "nwparser.payload", "(pam_unix)%{p0}"); - - var part11 = match("MESSAGE#7:SYSTEM_MSG:03/0_1", "nwparser.payload", "pam_unix(%{fld1}:%{fld2}):%{p0}"); - - var select3 = 
linear_select([ - part10, - part11, - ]); - - var part12 = match("MESSAGE#7:SYSTEM_MSG:03/1", "nwparser.p0", "%{}authentication failure; logname=%{fld20->} uid=%{fld21->} euid=%{fld22->} tty=%{terminal->} ruser=%{fld24->} rhost=%{p0}"); - - var part13 = match("MESSAGE#7:SYSTEM_MSG:03/2_0", "nwparser.p0", "%{fld25->} user=%{username->} - %{p0}"); - - var part14 = match("MESSAGE#7:SYSTEM_MSG:03/2_1", "nwparser.p0", "%{fld25->} - %{p0}"); - - var select4 = linear_select([ - part13, - part14, - ]); - - var part15 = match_copy("MESSAGE#7:SYSTEM_MSG:03/3", "nwparser.p0", "agent"); - - var all2 = all_match({ - processors: [ - select3, - part12, - select4, - part15, - ], - on_success: processor_chain([ - dup5, - dup2, - dup3, - dup4, - ]), - }); - - var msg8 = msg("SYSTEM_MSG:03", all2); - - var part16 = match("MESSAGE#8:SYSTEM_MSG:04", "nwparser.payload", "(pam_unix) %{event_description}", processor_chain([ - dup8, - dup2, - dup3, - dup4, - ])); - - var msg9 = msg("SYSTEM_MSG:04", part16); - - var part17 = match("MESSAGE#9:SYSTEM_MSG:05/0", "nwparser.payload", "pam_aaa:Authentication failed f%{p0}"); - - var part18 = match("MESSAGE#9:SYSTEM_MSG:05/1_0", "nwparser.p0", "or user %{username->} from%{p0}"); - - var part19 = match("MESSAGE#9:SYSTEM_MSG:05/1_1", "nwparser.p0", "rom%{p0}"); - - var select5 = linear_select([ - part18, - part19, - ]); - - var part20 = match("MESSAGE#9:SYSTEM_MSG:05/2", "nwparser.p0", "%{} %{saddr->} - %{agent}[%{process_id}]"); - - var all3 = all_match({ - processors: [ - part17, - select5, - part20, - ], - on_success: processor_chain([ - dup5, - dup2, - dup3, - dup4, - ]), - }); - - var msg10 = msg("SYSTEM_MSG:05", all3); - - var part21 = match("MESSAGE#10:SYSTEM_MSG:06", "nwparser.payload", "FAILED LOGIN (%{fld20}) on %{fld21->} FOR %{username}, Authentication failure - login[%{process_id}]", processor_chain([ - dup5, - dup2, - dup3, - dup4, - ])); - - var msg11 = msg("SYSTEM_MSG:06", part21); - - var part22 = match("MESSAGE#11:SYSTEM_MSG:07", 
"nwparser.payload", "fatal:%{event_description}", processor_chain([ - dup9, - dup2, - dup3, - dup4, - ])); - - var msg12 = msg("SYSTEM_MSG:07", part22); - - var part23 = match("MESSAGE#12:SYSTEM_MSG:09", "nwparser.payload", "%{fld1}: Host name is set %{hostname->} - kernel", processor_chain([ - dup9, - dup2, - dup3, - dup4, - ])); - - var msg13 = msg("SYSTEM_MSG:09", part23); - - var part24 = match("MESSAGE#13:SYSTEM_MSG:10", "nwparser.payload", "Unauthorized access by NFS client %{saddr}.", processor_chain([ - dup5, - dup2, - dup3, - dup4, - ])); - - var msg14 = msg("SYSTEM_MSG:10", part24); - - var part25 = match("MESSAGE#14:SYSTEM_MSG:13", "nwparser.payload", "%{fld43->} : SNMP UDP authentication failed for %{saddr}.", processor_chain([ - dup5, - dup2, - dup3, - dup4, - ])); - - var msg15 = msg("SYSTEM_MSG:13", part25); - - var part26 = match("MESSAGE#15:SYSTEM_MSG:14", "nwparser.payload", "%{fld43->} : Subsequent authentication success for user (%{username}) failed.", processor_chain([ - dup5, - dup2, - dup3, - dup4, - ])); - - var msg16 = msg("SYSTEM_MSG:14", part26); - - var part27 = match("MESSAGE#16:SYSTEM_MSG:15", "nwparser.payload", "%{fld1->} : TTY=%{terminal->} ; PWD=%{directory->} ; USER=%{username->} ; COMMAND=%{param}", processor_chain([ - dup10, - dup2, - dup3, - dup4, - dup11, - dup12, - ])); - - var msg17 = msg("SYSTEM_MSG:15", part27); - - var part28 = match("MESSAGE#17:SYSTEM_MSG:16", "nwparser.payload", "Login failed for user %{username->} - %{agent}[%{process_id}]", processor_chain([ - dup5, - dup2, - dup3, - dup4, - dup11, - dup13, - dup12, - dup14, - ])); - - var msg18 = msg("SYSTEM_MSG:16", part28); - - var part29 = match("MESSAGE#18:SYSTEM_MSG:17/0", "nwparser.payload", "NTP: Peer %{hostip->} %{p0}"); - - var part30 = match("MESSAGE#18:SYSTEM_MSG:17/1_0", "nwparser.p0", "with stratum %{fld1->} selected - %{p0}"); - - var part31 = match("MESSAGE#18:SYSTEM_MSG:17/1_1", "nwparser.p0", "is %{disposition->} - %{p0}"); - - var select6 = 
linear_select([ - part30, - part31, - ]); - - var part32 = match("MESSAGE#18:SYSTEM_MSG:17/2", "nwparser.p0", "%{agent}[%{process_id}]"); - - var all4 = all_match({ - processors: [ - part29, - select6, - part32, - ], - on_success: processor_chain([ - dup15, - dup2, - dup3, - dup4, - ]), - }); - - var msg19 = msg("SYSTEM_MSG:17", all4); - - var part33 = match("MESSAGE#19:SYSTEM_MSG:20", "nwparser.payload", "New user added with username %{username->} - %{agent}", processor_chain([ - dup10, - dup2, - dup3, - dup4, - dup12, - ])); - - var msg20 = msg("SYSTEM_MSG:20", part33); - - var part34 = match("MESSAGE#20:SYSTEM_MSG:21", "nwparser.payload", "pam_unix(%{fld1}:%{fld2}): password changed for %{username->} - %{agent}", processor_chain([ - dup10, - dup2, - dup3, - dup4, - setc("ec_subject","Password"), - dup16, - dup12, - dup17, - ])); - - var msg21 = msg("SYSTEM_MSG:21", part34); - - var part35 = match("MESSAGE#21:SYSTEM_MSG:22", "nwparser.payload", "pam_unix(%{fld1}:%{fld2}): check pass; user %{username->} - %{agent}", processor_chain([ - dup10, - dup2, - dup3, - dup4, - dup12, - ])); - - var msg22 = msg("SYSTEM_MSG:22", part35); - - var part36 = match("MESSAGE#22:SYSTEM_MSG:23", "nwparser.payload", "new user: name=%{username}, uid=%{uid}, gid=%{fld1}, home=%{directory}, shell=%{fld2->} - %{agent}[%{process_id}]", processor_chain([ - dup18, - dup2, - dup3, - dup4, - dup11, - ])); - - var msg23 = msg("SYSTEM_MSG:23", part36); - - var part37 = match("MESSAGE#23:SYSTEM_MSG:24/0", "nwparser.payload", "delete user %{p0}"); - - var part38 = match("MESSAGE#23:SYSTEM_MSG:24/1_0", "nwparser.p0", "`%{p0}"); - - var part39 = match("MESSAGE#23:SYSTEM_MSG:24/1_1", "nwparser.p0", "'%{p0}"); - - var select7 = linear_select([ - part38, - part39, - ]); - - var part40 = match("MESSAGE#23:SYSTEM_MSG:24/2", "nwparser.p0", "'%{username->} - %{agent}[%{process_id}]"); - - var all5 = all_match({ - processors: [ - part37, - select7, - part40, - ], - on_success: processor_chain([ - dup19, - 
dup2, - dup3, - dup4, - dup11, - dup20, - dup17, - ]), - }); - - var msg24 = msg("SYSTEM_MSG:24", all5); - - var part41 = match("MESSAGE#24:SYSTEM_MSG:08/0_0", "nwparser.payload", "%{event_description->} - %{agent}"); - - var select8 = linear_select([ - part41, - dup21, - ]); - - var all6 = all_match({ - processors: [ - select8, - ], - on_success: processor_chain([ - dup15, - dup2, - dup3, - dup4, - ]), - }); - - var msg25 = msg("SYSTEM_MSG:08", all6); - - var select9 = linear_select([ - msg2, - msg3, - msg4, - msg5, - msg6, - msg7, - msg8, - msg9, - msg10, - msg11, - msg12, - msg13, - msg14, - msg15, - msg16, - msg17, - msg18, - msg19, - msg20, - msg21, - msg22, - msg23, - msg24, - msg25, - ]); - - var part42 = match("MESSAGE#25:VDC_HOSTNAME_CHANGE", "nwparser.payload", "%{fld1->} hostname changed to %{hostname}", processor_chain([ - dup15, - dup2, - dup3, - dup4, - ])); - - var msg26 = msg("VDC_HOSTNAME_CHANGE", part42); - - var part43 = match("MESSAGE#26:POLICY_ACTIVATE_EVENT", "nwparser.payload", "Policy %{policyname->} is activated by profile %{username}", processor_chain([ - dup22, - dup2, - dup3, - dup4, - setc("action","activated"), - setc("event_description","Policy is activated by profile"), - ])); - - var msg27 = msg("POLICY_ACTIVATE_EVENT", part43); - - var part44 = match("MESSAGE#27:POLICY_COMMIT_EVENT", "nwparser.payload", "Commit operation %{disposition}", processor_chain([ - dup15, - dup2, - dup3, - dup4, - ])); - - var msg28 = msg("POLICY_COMMIT_EVENT", part44); - - var part45 = match("MESSAGE#28:POLICY_DEACTIVATE_EVENT", "nwparser.payload", "Policy %{policyname->} is de-activated by last referring profile %{username}", processor_chain([ - setc("eventcategory","1701070000"), - dup2, - dup3, - dup4, - setc("action","de-activated"), - setc("event_description","Policy is de-activated by last referring profile"), - ])); - - var msg29 = msg("POLICY_DEACTIVATE_EVENT", part45); - - var part46 = match("MESSAGE#29:POLICY_LOOKUP_EVENT:01", 
"nwparser.payload", "policy=%{policyname->} rule=%{rulename->} action=%{action->} direction=%{direction->} src.net.ip-address=%{saddr->} src.net.port=%{sport->} dst.net.ip-address=%{daddr->} dst.net.port=%{dport->} net.protocol=%{protocol->} net.ethertype=%{fld2->} dst.zone.name=%{dst_zone->} src.zone.name=%{src_zone}", processor_chain([ - dup15, - dup2, - dup3, - dup4, - ])); - - var msg30 = msg("POLICY_LOOKUP_EVENT:01", part46); - - var part47 = match("MESSAGE#30:POLICY_LOOKUP_EVENT", "nwparser.payload", "policy=%{policyname->} rule=%{rulename->} action=%{action->} direction=%{direction->} src.net.ip-address=%{saddr->} src.net.port=%{sport->} dst.net.ip-address=%{daddr->} dst.net.port=%{dport->} net.protocol=%{protocol->} net.ethertype=%{fld2}", processor_chain([ - dup15, - dup2, - dup3, - dup4, - ])); - - var msg31 = msg("POLICY_LOOKUP_EVENT", part47); - - var part48 = match("MESSAGE#31:POLICY_LOOKUP_EVENT:02", "nwparser.payload", "policy=%{policyname->} rule=%{rulename->} action=%{action->} direction=%{direction->} net.ethertype=%{fld2}", processor_chain([ - dup15, - dup2, - dup3, - dup4, - ])); - - var msg32 = msg("POLICY_LOOKUP_EVENT:02", part48); - - var select10 = linear_select([ - msg30, - msg31, - msg32, - ]); - - var msg33 = msg("NEIGHBOR_UPDATE_AUTOCOPY", dup87); - - var msg34 = msg("MTSERROR", dup86); - - var part49 = match("MESSAGE#34:IF_DOWN_ERROR_DISABLED", "nwparser.payload", "Interface %{interface->} is down (Error disabled. 
Reason:%{result})", processor_chain([ - dup23, - dup2, - dup3, - dup4, - ])); - - var msg35 = msg("IF_DOWN_ERROR_DISABLED", part49); - - var msg36 = msg("IF_DOWN_ADMIN_DOWN", dup88); - - var msg37 = msg("IF_DOWN_ADMIN_DOWN:01", dup89); - - var select11 = linear_select([ - msg36, - msg37, - ]); - - var msg38 = msg("IF_DOWN_CHANNEL_MEMBERSHIP_UPDATE_IN_PROGRESS", dup90); - - var msg39 = msg("IF_DOWN_INTERFACE_REMOVED", dup91); - - var part50 = match("MESSAGE#39:IF_DOWN_LINK_FAILURE", "nwparser.payload", "Interface %{interface->} is down (%{result})", processor_chain([ - dup23, - dup2, - dup3, - dup4, - dup25, - ])); - - var msg40 = msg("IF_DOWN_LINK_FAILURE", part50); - - var msg41 = msg("IF_DOWN_LINK_FAILURE:01", dup89); - - var select12 = linear_select([ - msg40, - msg41, - ]); - - var msg42 = msg("IF_DOWN_MODULE_REMOVED", dup91); - - var msg43 = msg("IF_DOWN_PORT_CHANNEL_MEMBERS_DOWN", dup88); - - var part51 = match("MESSAGE#43:IF_DUPLEX", "nwparser.payload", "Interface %{interface}, operational duplex mode changed to %{result}", processor_chain([ - dup15, - dup2, - dup3, - dup4, - setc("event_description","Interface duplex mode changed"), - ])); - - var msg44 = msg("IF_DUPLEX", part51); - - var part52 = match("MESSAGE#44:IF_RX_FLOW_CONTROL/0", "nwparser.payload", "Interface %{interface}, operational Receive Flow Cont%{p0}"); - - var all7 = all_match({ - processors: [ - part52, - dup92, - dup28, - ], - on_success: processor_chain([ - dup15, - dup2, - dup3, - dup4, - setc("event_description","Interface operational Receive Flow Control state changed"), - ]), - }); - - var msg45 = msg("IF_RX_FLOW_CONTROL", all7); - - var part53 = match_copy("MESSAGE#45:IF_SEQ_ERROR", "nwparser.payload", "result", processor_chain([ - dup23, - dup2, - dup3, - dup4, - ])); - - var msg46 = msg("IF_SEQ_ERROR", part53); - - var part54 = match("MESSAGE#46:IF_TX_FLOW_CONTROL/0", "nwparser.payload", "Interface %{interface}, operational Transmit Flow Cont%{p0}"); - - var all8 = all_match({ - 
processors: [ - part54, - dup92, - dup28, - ], - on_success: processor_chain([ - dup15, - dup2, - dup3, - dup4, - setc("event_description","Interface operational Transmit Flow Control state changed"), - ]), - }); - - var msg47 = msg("IF_TX_FLOW_CONTROL", all8); - - var part55 = match("MESSAGE#47:IF_UP", "nwparser.payload", "%{fld43->} Interface %{sinterface->} is up in mode %{result}", processor_chain([ - dup15, - dup2, - dup3, - dup4, - setc("event_description","Interface is up in mode"), - ])); - - var msg48 = msg("IF_UP", part55); - - var part56 = match("MESSAGE#48:IF_UP:01", "nwparser.payload", "Interface %{sinterface->} is up", processor_chain([ - dup15, - dup2, - dup3, - dup4, - setc("event_description","Interface is up"), - ])); - - var msg49 = msg("IF_UP:01", part56); - - var select13 = linear_select([ - msg48, - msg49, - ]); - - var part57 = match("MESSAGE#49:SPEED", "nwparser.payload", "Interface %{interface}, operational speed changed to %{result}", processor_chain([ - dup15, - dup2, - dup3, - dup4, - setc("event_description","Interface operational speed changed"), - ])); - - var msg50 = msg("SPEED", part57); - - var part58 = match("MESSAGE#50:CREATED", "nwparser.payload", "%{group_object->} created", processor_chain([ - dup29, - dup2, - dup3, - dup4, - ])); - - var msg51 = msg("CREATED", part58); - - var part59 = match("MESSAGE#51:FOP_CHANGED", "nwparser.payload", "%{group_object}: first operational port changed from %{change_old->} to %{change_new}", processor_chain([ - dup30, - dup2, - dup3, - dup4, - ])); - - var msg52 = msg("FOP_CHANGED", part59); - - var part60 = match("MESSAGE#52:PORT_DOWN", "nwparser.payload", "%{group_object}: %{interface->} is down", processor_chain([ - dup23, - dup2, - dup3, - dup4, - ])); - - var msg53 = msg("PORT_DOWN", part60); - - var part61 = match("MESSAGE#53:PORT_UP", "nwparser.payload", "%{group_object}: %{interface->} is up", processor_chain([ - dup15, - dup2, - dup3, - dup4, - ])); - - var msg54 = msg("PORT_UP", 
part61); - - var part62 = match("MESSAGE#54:SUBGROUP_ID_PORT_ADDED", "nwparser.payload", "Interface %{interface->} is added to %{group_object->} with subgroup id %{fld20}", processor_chain([ - dup29, - dup2, - dup3, - dup4, - ])); - - var msg55 = msg("SUBGROUP_ID_PORT_ADDED", part62); - - var part63 = match("MESSAGE#55:SUBGROUP_ID_PORT_REMOVED", "nwparser.payload", "Interface %{interface->} is removed from %{group_object->} with subgroup id %{fld20}", processor_chain([ - dup24, - dup2, - dup3, - dup4, - ])); - - var msg56 = msg("SUBGROUP_ID_PORT_REMOVED", part63); - - var msg57 = msg("MTS_DROP", dup87); - - var msg58 = msg("SYSLOG_LOG_WARNING", dup87); - - var msg59 = msg("IM_SEQ_ERROR", dup93); - - var msg60 = msg("ADDON_IMG_DNLD_COMPLETE", dup87); - - var msg61 = msg("ADDON_IMG_DNLD_STARTED", dup87); - - var msg62 = msg("ADDON_IMG_DNLD_SUCCESSFUL", dup87); - - var msg63 = msg("IMG_DNLD_COMPLETE", dup87); - - var msg64 = msg("IMG_DNLD_STARTED", dup87); - - var part64 = match_copy("MESSAGE#64:PORT_SOFTWARE_FAILURE", "nwparser.payload", "result", processor_chain([ - dup31, - dup2, - dup3, - dup4, - ])); - - var msg65 = msg("PORT_SOFTWARE_FAILURE", part64); - - var msg66 = msg("MSM_CRIT", dup93); - - var part65 = match("MESSAGE#66:LOG_CMP_AAA_FAILURE", "nwparser.payload", "Authentication failed for a login from %{shost->} (%{result})", processor_chain([ - dup5, - dup2, - dup3, - dup4, - dup7, - ])); - - var msg67 = msg("LOG_CMP_AAA_FAILURE", part65); - - var msg68 = msg("LOG_LIC_N1K_EXPIRY_WARNING", dup87); - - var part66 = match("MESSAGE#68:MOD_FAIL", "nwparser.payload", "Initialization of module %{fld20->} (serial: %{serial_number}) failed", processor_chain([ - dup32, - dup2, - dup3, - dup4, - ])); - - var msg69 = msg("MOD_FAIL", part66); - - var part67 = match("MESSAGE#69:MOD_MAJORSWFAIL", "nwparser.payload", "Module %{fld20->} (serial: %{serial_number}) reported a critical failure in service %{fld22}", processor_chain([ - dup33, - dup2, - dup3, - dup4, - ])); - - 
var msg70 = msg("MOD_MAJORSWFAIL", part67); - - var part68 = match("MESSAGE#70:MOD_SRG_NOT_COMPATIBLE", "nwparser.payload", "Module %{fld20->} (serial: %{serial_number}) firmware is not compatible with supervisor, downloading new image", processor_chain([ - dup15, - dup2, - dup3, - dup4, - ])); - - var msg71 = msg("MOD_SRG_NOT_COMPATIBLE", part68); - - var part69 = match("MESSAGE#71:MOD_WARNING:01", "nwparser.payload", "Module %{fld20->} (serial: %{serial_number}) reported warnings on %{info->} due to %{result->} in device %{fld23->} (device error %{fld22})", processor_chain([ - dup32, - dup2, - dup3, - dup4, - ])); - - var msg72 = msg("MOD_WARNING:01", part69); - - var part70 = match("MESSAGE#72:MOD_WARNING", "nwparser.payload", "Module %{fld20->} (serial: %{serial_number}) reported warning %{info->} due to %{result->} in device %{fld23->} (device error %{fld22})", processor_chain([ - dup32, - dup2, - dup3, - dup4, - ])); - - var msg73 = msg("MOD_WARNING", part70); - - var select14 = linear_select([ - msg72, - msg73, - ]); - - var part71 = match("MESSAGE#73:ACTIVE_SUP_OK", "nwparser.payload", "Supervisor %{fld20->} is active (serial: %{serial_number})", processor_chain([ - dup15, - dup2, - dup3, - dup4, - ])); - - var msg74 = msg("ACTIVE_SUP_OK", part71); - - var part72 = match("MESSAGE#74:MOD_OK", "nwparser.payload", "Module %{fld20->} is online (serial: %{serial_number})", processor_chain([ - dup15, - dup2, - dup3, - dup4, - ])); - - var msg75 = msg("MOD_OK", part72); - - var part73 = match("MESSAGE#75:MOD_RESTART", "nwparser.payload", "Module %{fld20->} is restarting after image download", processor_chain([ - dup15, - dup2, - dup3, - dup4, - ])); - - var msg76 = msg("MOD_RESTART", part73); - - var part74 = match("MESSAGE#76:DISPUTE_CLEARED", "nwparser.payload", "Dispute resolved for port %{portname->} on %{vlan}", processor_chain([ - dup8, - dup2, - dup3, - dup4, - setc("event_description","Dispute resolved for port on VLAN"), - ])); - - var msg77 = 
msg("DISPUTE_CLEARED", part74); - - var part75 = match("MESSAGE#77:DISPUTE_DETECTED", "nwparser.payload", "Dispute detected on port %{portname->} on %{vlan}", processor_chain([ - dup8, - dup2, - dup3, - dup4, - setc("event_description","Dispute detected on port on VLAN"), - ])); - - var msg78 = msg("DISPUTE_DETECTED", part75); - - var msg79 = msg("DOMAIN_CFG_SYNC_DONE", dup87); - - var msg80 = msg("CHASSIS_CLKMODOK", dup87); - - var msg81 = msg("CHASSIS_CLKSRC", dup87); - - var msg82 = msg("FAN_OK", dup87); - - var part76 = match("MESSAGE#82:MOD_DETECT", "nwparser.payload", "Module %{fld19->} detected (Serial number %{serial_number}) Module-Type %{fld20->} Model %{fld21}", processor_chain([ - dup15, - dup2, - dup3, - dup4, - ])); - - var msg83 = msg("MOD_DETECT", part76); - - var part77 = match("MESSAGE#83:MOD_PWRDN", "nwparser.payload", "Module %{fld19->} powered down (Serial number %{serial_number})", processor_chain([ - dup15, - dup2, - dup3, - dup4, - ])); - - var msg84 = msg("MOD_PWRDN", part77); - - var part78 = match("MESSAGE#84:MOD_PWRUP", "nwparser.payload", "Module %{fld19->} powered up (Serial number %{serial_number})", processor_chain([ - dup15, - dup2, - dup3, - dup4, - ])); - - var msg85 = msg("MOD_PWRUP", part78); - - var part79 = match("MESSAGE#85:MOD_REMOVE", "nwparser.payload", "Module %{fld19->} removed (Serial number %{serial_number})", processor_chain([ - dup24, - dup2, - dup3, - dup4, - ])); - - var msg86 = msg("MOD_REMOVE", part79); - - var msg87 = msg("PFM_MODULE_POWER_ON", dup87); - - var msg88 = msg("PFM_SYSTEM_RESET", dup87); - - var msg89 = msg("PFM_VEM_REMOVE_NO_HB", dup94); - - var msg90 = msg("PFM_VEM_REMOVE_RESET", dup94); - - var msg91 = msg("PFM_VEM_REMOVE_STATE_CONFLICT", dup94); - - var msg92 = msg("PFM_VEM_REMOVE_TWO_ACT_VSM", dup94); - - var msg93 = msg("PFM_VEM_UNLICENSED", dup87); - - var msg94 = msg("PS_FANOK", dup87); - - var part80 = match("MESSAGE#94:PS_OK", "nwparser.payload", "Power supply %{fld19->} ok (Serial number 
%{serial_number})", processor_chain([ - dup15, - dup2, - dup3, - dup4, - ])); - - var msg95 = msg("PS_OK", part80); - - var part81 = match_copy("MESSAGE#95:MOD_BRINGUP_MULTI_LIMIT", "nwparser.payload", "event_description", processor_chain([ - dup31, - dup2, - dup3, - dup4, - ])); - - var msg96 = msg("MOD_BRINGUP_MULTI_LIMIT", part81); - - var part82 = match("MESSAGE#96:FAN_DETECT", "nwparser.payload", "Fan module %{fld19->} (Serial number %{serial_number}) %{fld20->} detected", processor_chain([ - dup15, - dup2, - dup3, - dup4, - ])); - - var msg97 = msg("FAN_DETECT", part82); - - var msg98 = msg("MOD_STATUS", dup87); - - var part83 = match("MESSAGE#98:PEER_VPC_CFGD_VLANS_CHANGED", "nwparser.payload", "Peer vPC %{obj_name->} configured vlans changed", processor_chain([ - dup15, - dup2, - dup3, - dup4, - setc("event_description","Peer vPC configured vlans changed"), - ])); - - var msg99 = msg("PEER_VPC_CFGD_VLANS_CHANGED", part83); - - var part84 = match("MESSAGE#99:PEER_VPC_DELETED", "nwparser.payload", "Peer vPC %{obj_name->} deleted", processor_chain([ - dup15, - dup2, - dup3, - dup4, - ])); - - var msg100 = msg("PEER_VPC_DELETED", part84); - - var msg101 = msg("PFM_VEM_DETECTED", dup87); - - var part85 = match("MESSAGE#101:PS_FOUND", "nwparser.payload", "Power supply %{fld19->} found (Serial number %{serial_number})", processor_chain([ - dup15, - dup2, - dup3, - dup4, - ])); - - var msg102 = msg("PS_FOUND", part85); - - var part86 = match("MESSAGE#102:PS_STATUS/0_0", "nwparser.payload", "PowerSupply %{fld1->} current-status is %{disposition}"); - - var select15 = linear_select([ - part86, - dup21, - ]); - - var all9 = all_match({ - processors: [ - select15, - ], - on_success: processor_chain([ - dup15, - dup2, - dup3, - dup4, - ]), - }); - - var msg103 = msg("PS_STATUS", all9); - - var part87 = match("MESSAGE#103:PS_CAPACITY_CHANGE:01", "nwparser.payload", "Power supply %{fld1->} changed its capacity. 
possibly due to On/Off or power cable removal/insertion (Serial number %{serial_number})", processor_chain([ - dup15, - dup2, - dup3, - dup4, - ])); - - var msg104 = msg("PS_CAPACITY_CHANGE:01", part87); - - var msg105 = msg("PS_CAPACITY_CHANGE", dup87); - - var select16 = linear_select([ - msg104, - msg105, - ]); - - var msg106 = msg("IF_DOWN_FCOT_NOT_PRESENT", dup88); - - var msg107 = msg("IF_DOWN_FCOT_NOT_PRESENT:01", dup89); - - var select17 = linear_select([ - msg106, - msg107, - ]); - - var msg108 = msg("IF_DOWN_INITIALIZING", dup90); - - var msg109 = msg("IF_DOWN_INITIALIZING:01", dup95); - - var select18 = linear_select([ - msg108, - msg109, - ]); - - var part88 = match("MESSAGE#109:IF_DOWN_NONE", "nwparser.payload", "Interface %{interface->} is down (%{result})", processor_chain([ - dup23, - dup34, - dup35, - dup14, - dup2, - dup3, - dup4, - ])); - - var msg110 = msg("IF_DOWN_NONE", part88); - - var msg111 = msg("IF_DOWN_NONE:01", dup96); - - var select19 = linear_select([ - msg110, - msg111, - ]); - - var msg112 = msg("IF_DOWN_NOS_RCVD", dup88); - - var msg113 = msg("IF_DOWN_NOS_RCVD:01", dup89); - - var select20 = linear_select([ - msg112, - msg113, - ]); - - var msg114 = msg("IF_DOWN_OFFLINE", dup88); - - var msg115 = msg("IF_DOWN_OLS_RCVD", dup88); - - var part89 = match("MESSAGE#115:IF_DOWN_SOFTWARE_FAILURE", "nwparser.payload", "Interface %{interface->} is down (%{result})", processor_chain([ - dup31, - dup2, - dup3, - dup4, - ])); - - var msg116 = msg("IF_DOWN_SOFTWARE_FAILURE", part89); - - var msg117 = msg("IF_DOWN_SRC_PORT_NOT_BOUND", dup90); - - var part90 = match("MESSAGE#117:IF_TRUNK_DOWN", "nwparser.payload", "Interface %{interface}, vsan %{fld20->} is down (%{info})", processor_chain([ - dup23, - dup2, - dup3, - dup4, - ])); - - var msg118 = msg("IF_TRUNK_DOWN", part90); - - var part91 = match("MESSAGE#118:IF_TRUNK_DOWN:01", "nwparser.payload", "Interface %{interface}, vlan %{vlan->} down", processor_chain([ - dup23, - dup2, - dup3, - dup4, 
- ])); - - var msg119 = msg("IF_TRUNK_DOWN:01", part91); - - var part92 = match("MESSAGE#119:IF_TRUNK_DOWN:02", "nwparser.payload", "%{fld43->} Interface %{interface}, vsan %{vlan->} is down %{info}", processor_chain([ - dup23, - dup2, - dup3, - dup4, - ])); - - var msg120 = msg("IF_TRUNK_DOWN:02", part92); - - var select21 = linear_select([ - msg118, - msg119, - msg120, - ]); - - var part93 = match("MESSAGE#120:IF_TRUNK_UP", "nwparser.payload", "Interface %{interface}, vsan %{fld20->} is up", processor_chain([ - dup15, - dup2, - dup3, - dup4, - ])); - - var msg121 = msg("IF_TRUNK_UP", part93); - - var part94 = match("MESSAGE#121:IF_TRUNK_UP:01", "nwparser.payload", "Interface %{interface}, vlan %{vlan->} up", processor_chain([ - dup23, - dup2, - dup3, - dup4, - ])); - - var msg122 = msg("IF_TRUNK_UP:01", part94); - - var part95 = match("MESSAGE#122:IF_TRUNK_UP:02", "nwparser.payload", "%{fld43->} Interface %{interface}, vsan %{vlan->} is up %{info}", processor_chain([ - dup23, - dup2, - dup3, - dup4, - ])); - - var msg123 = msg("IF_TRUNK_UP:02", part95); - - var select22 = linear_select([ - msg121, - msg122, - msg123, - ]); - - var msg124 = msg("PORT_PROFILE_CHANGE_VERIFY_REQ_FAILURE", dup97); - - var part96 = match("MESSAGE#124:IF_PORTPROFILE_ATTACHED", "nwparser.payload", "Interface %{interface->} is inheriting port-profile %{fld20}", processor_chain([ - dup15, - dup2, - dup3, - dup4, - ])); - - var msg125 = msg("IF_PORTPROFILE_ATTACHED", part96); - - var msg126 = msg("STANDBY_SUP_OK", dup87); - - var part97 = match("MESSAGE#126:STM_LOOP_DETECT", "nwparser.payload", "Loops detected in the network among ports %{portname->} and %{info->} vlan %{vlan->} - %{result}", processor_chain([ - dup15, - dup2, - dup3, - dup4, - setc("event_description","Loops detected in the network among ports"), - ])); - - var msg127 = msg("STM_LOOP_DETECT", part97); - - var part98 = match("MESSAGE#127:SYNC_COMPLETE", "nwparser.payload", "Sync completed.%{}", processor_chain([ - dup15, - 
dup2, - dup3, - dup4, - ])); - - var msg128 = msg("SYNC_COMPLETE", part98); - - var msg129 = msg("PVLAN_PPM_PORT_CONFIG_FAILED", dup97); - - var msg130 = msg("MESG", dup87); - - var part99 = match("MESSAGE#130:ERR_MSG", "nwparser.payload", "ERROR:%{result}", processor_chain([ - dup33, - dup2, - dup3, - dup4, - ])); - - var msg131 = msg("ERR_MSG", part99); - - var msg132 = msg("RM_VICPP_RECREATE_ERROR", dup97); - - var part100 = match("MESSAGE#132:CFGWRITE_ABORTED_LOCK", "nwparser.payload", "Unable to lock the configuration (error-id %{resultcode}). Aborting configuration copy.", processor_chain([ - dup15, - dup2, - dup3, - dup4, - ])); - - var msg133 = msg("CFGWRITE_ABORTED_LOCK", part100); - - var part101 = match("MESSAGE#133:CFGWRITE_FAILED", "nwparser.payload", "Configuration copy failed (error-id %{resultcode}).", processor_chain([ - dup15, - dup2, - dup3, - dup4, - ])); - - var msg134 = msg("CFGWRITE_FAILED", part101); - - var msg135 = msg("CFGWRITE_ABORTED", dup87); - - var msg136 = msg("CFGWRITE_DONE", dup87); - - var part102 = match("MESSAGE#136:CFGWRITE_STARTED/0_0", "nwparser.payload", "%{event_description->} (PID %{process_id})."); - - var select23 = linear_select([ - part102, - dup21, - ]); - - var all10 = all_match({ - processors: [ - select23, - ], - on_success: processor_chain([ - dup15, - dup2, - dup3, - dup4, - ]), - }); - - var msg137 = msg("CFGWRITE_STARTED", all10); - - var msg138 = msg("IF_ATTACHED", dup87); - - var msg139 = msg("IF_DELETE_AUTO", dup94); - - var part103 = match("MESSAGE#139:IF_DETACHED", "nwparser.payload", "Interface %{interface->} is detached", processor_chain([ - dup24, - dup2, - dup3, - dup4, - ])); - - var msg140 = msg("IF_DETACHED", part103); - - var msg141 = msg("IF_DETACHED_MODULE_REMOVED", dup94); - - var msg142 = msg("IF_DOWN_INACTIVE", dup88); - - var msg143 = msg("IF_DOWN_NON_PARTICIPATING", dup88); - - var part104 = match("MESSAGE#143:IF_DOWN_VEM_UNLICENSED", "nwparser.payload", "Interface %{interface->} is down", 
processor_chain([ - dup23, - dup2, - dup3, - dup4, - ])); - - var msg144 = msg("IF_DOWN_VEM_UNLICENSED", part104); - - var part105 = match("MESSAGE#144:CONN_CONNECT", "nwparser.payload", "Connection %{hostname->} connected to the vCenter Server.", processor_chain([ - dup36, - dup2, - dup3, - dup4, - ])); - - var msg145 = msg("CONN_CONNECT", part105); - - var part106 = match("MESSAGE#145:CONN_DISCONNECT", "nwparser.payload", "Connection %{hostname->} disconnected from the vCenter Server.", processor_chain([ - setc("eventcategory","1801030000"), - dup2, - dup3, - dup4, - ])); - - var msg146 = msg("CONN_DISCONNECT", part106); - - var part107 = match("MESSAGE#146:DVPG_CREATE", "nwparser.payload", "created port-group %{info->} on the vCenter Server.", processor_chain([ - dup29, - dup2, - dup3, - dup4, - ])); - - var msg147 = msg("DVPG_CREATE", part107); - - var part108 = match("MESSAGE#147:DVPG_DELETE", "nwparser.payload", "deleted port-group %{info->} from the vCenter Server.", processor_chain([ - dup24, - dup2, - dup3, - dup4, - ])); - - var msg148 = msg("DVPG_DELETE", part108); - - var msg149 = msg("DVS_HOSTMEMBER_INFO", dup87); - - var part109 = match("MESSAGE#149:DVS_NAME_CHANGE", "nwparser.payload", "Changed dvswitch name to %{info->} on the vCenter Server.", processor_chain([ - dup15, - dup2, - dup3, - dup4, - ])); - - var msg150 = msg("DVS_NAME_CHANGE", part109); - - var msg151 = msg("VMS_PPM_SYNC_COMPLETE", dup87); - - var part110 = match("MESSAGE#151:VPC_DELETED", "nwparser.payload", "vPC %{obj_name->} is deleted", processor_chain([ - dup15, - dup2, - dup3, - dup4, - ])); - - var msg152 = msg("VPC_DELETED", part110); - - var part111 = match("MESSAGE#152:VPC_UP", "nwparser.payload", "vPC %{obj_name->} is up", processor_chain([ - dup8, - dup2, - dup3, - dup4, - setc("event_description","VPC is up"), - ])); - - var msg153 = msg("VPC_UP", part111); - - var part112 = match("MESSAGE#153:VSHD_SYSLOG_CONFIG_I/0", "nwparser.payload", "Configured from vty by 
%{username->} on %{p0}"); - - var part113 = match("MESSAGE#153:VSHD_SYSLOG_CONFIG_I/1_0", "nwparser.p0", "%{saddr}@%{terminal}"); - - var part114 = match_copy("MESSAGE#153:VSHD_SYSLOG_CONFIG_I/1_1", "nwparser.p0", "saddr"); - - var select24 = linear_select([ - part113, - part114, - ]); - - var all11 = all_match({ - processors: [ - part112, - select24, - ], - on_success: processor_chain([ - dup15, - dup2, - dup3, - dup4, - ]), - }); - - var msg154 = msg("VSHD_SYSLOG_CONFIG_I", all11); - - var part115 = match("MESSAGE#154:VSHD_SYSLOG_CONFIG_I:01", "nwparser.payload", "Configuring console from %{fld43->} %{saddr}", processor_chain([ - dup15, - dup2, - dup3, - dup4, - ])); - - var msg155 = msg("VSHD_SYSLOG_CONFIG_I:01", part115); - - var select25 = linear_select([ - msg154, - msg155, - ]); - - var part116 = match("MESSAGE#155:AAA_ACCOUNTING_MESSAGE:18", "nwparser.payload", "update:%{saddr}@%{terminal}:%{username}:%{event_description}; feature %{protocol->} (%{result})", processor_chain([ - dup23, - dup2, - dup3, - dup4, - ])); - - var msg156 = msg("AAA_ACCOUNTING_MESSAGE:18", part116); - - var part117 = match("MESSAGE#156:AAA_ACCOUNTING_MESSAGE:17", "nwparser.payload", "update:%{saddr}@%{terminal}:%{username}:enabled telnet", processor_chain([ - dup22, - dup37, - dup38, - dup17, - dup2, - dup3, - dup4, - dup39, - dup40, - ])); - - var msg157 = msg("AAA_ACCOUNTING_MESSAGE:17", part117); - - var part118 = match("MESSAGE#157:AAA_ACCOUNTING_MESSAGE", "nwparser.payload", "start:%{saddr}@%{application}:%{username}", processor_chain([ - dup15, - dup2, - dup3, - dup4, - setc("event_description","program start"), - ])); - - var msg158 = msg("AAA_ACCOUNTING_MESSAGE", part118); - - var part119 = match("MESSAGE#158:AAA_ACCOUNTING_MESSAGE:08", "nwparser.payload", "start:snmp_%{fld43}_%{saddr}:%{username}:", processor_chain([ - dup15, - dup2, - dup3, - dup4, - ])); - - var msg159 = msg("AAA_ACCOUNTING_MESSAGE:08", part119); - - var part120 = 
match("MESSAGE#159:AAA_ACCOUNTING_MESSAGE:03", "nwparser.payload", "start:%{saddr}(%{terminal}):%{username}:", processor_chain([ - dup15, - dup2, - dup3, - dup4, - ])); - - var msg160 = msg("AAA_ACCOUNTING_MESSAGE:03", part120); - - var part121 = match("MESSAGE#160:AAA_ACCOUNTING_MESSAGE:19", "nwparser.payload", "start:%{fld40}:%{username}:", processor_chain([ - dup15, - dup2, - dup3, - dup4, - ])); - - var msg161 = msg("AAA_ACCOUNTING_MESSAGE:19", part121); - - var part122 = match("MESSAGE#161:AAA_ACCOUNTING_MESSAGE:22", "nwparser.payload", "update:::added user %{username}", processor_chain([ - dup19, - dup2, - dup3, - dup4, - ])); - - var msg162 = msg("AAA_ACCOUNTING_MESSAGE:22", part122); - - var part123 = match("MESSAGE#162:AAA_ACCOUNTING_MESSAGE:23", "nwparser.payload", "update:::%{event_description}", processor_chain([ - dup15, - dup2, - dup3, - dup4, - ])); - - var msg163 = msg("AAA_ACCOUNTING_MESSAGE:23", part123); - - var part124 = match("MESSAGE#163:AAA_ACCOUNTING_MESSAGE:11", "nwparser.payload", "update:snmp_%{fld43}_%{saddr}:%{username}:target (name:%{dhost->} address:%{daddr}:%{dport}) deleted", processor_chain([ - dup15, - dup2, - dup3, - dup4, - ])); - - var msg164 = msg("AAA_ACCOUNTING_MESSAGE:11", part124); - - var part125 = match("MESSAGE#164:AAA_ACCOUNTING_MESSAGE:12", "nwparser.payload", "update:snmp_%{fld43}_%{saddr}:%{username}:target (name:%{dhost->} address:%{daddr}:%{dport->} timeout:%{fld44->} retry:%{fld45->} tagList:trap params:%{fld46}) added", processor_chain([ - dup15, - dup2, - dup3, - dup4, - ])); - - var msg165 = msg("AAA_ACCOUNTING_MESSAGE:12", part125); - - var part126 = match("MESSAGE#165:AAA_ACCOUNTING_MESSAGE:13", "nwparser.payload", "update:snmp_%{fld43}_%{saddr}:%{username}:Interface %{interface->} state updated to up", processor_chain([ - dup15, - dup2, - dup3, - dup4, - ])); - - var msg166 = msg("AAA_ACCOUNTING_MESSAGE:13", part126); - - var part127 = match("MESSAGE#166:AAA_ACCOUNTING_MESSAGE:14", "nwparser.payload", 
"update:snmp_%{fld43}_%{saddr}:%{username}:Interface %{interface->} state updated to down", processor_chain([ - dup15, - dup2, - dup3, - dup4, - ])); - - var msg167 = msg("AAA_ACCOUNTING_MESSAGE:14", part127); - - var part128 = match("MESSAGE#167:AAA_ACCOUNTING_MESSAGE:15", "nwparser.payload", "update:snmp_%{fld43}_%{saddr}:%{username}:Performing configuration copy.", processor_chain([ - dup15, - dup2, - dup3, - dup4, - ])); - - var msg168 = msg("AAA_ACCOUNTING_MESSAGE:15", part128); - - var part129 = match("MESSAGE#168:AAA_ACCOUNTING_MESSAGE:16", "nwparser.payload", "update:%{saddr}@%{application}:%{username}:terminal length %{dclass_counter1->} (%{result})", processor_chain([ - dup15, - dup2, - dup3, - dup4, - dup41, - ])); - - var msg169 = msg("AAA_ACCOUNTING_MESSAGE:16", part129); - - var part130 = match("MESSAGE#169:AAA_ACCOUNTING_MESSAGE:04", "nwparser.payload", "update:%{saddr}(%{fld3}):%{username}:terminal length %{fld5}:%{result}", processor_chain([ - dup15, - dup2, - dup3, - dup4, - ])); - - var msg170 = msg("AAA_ACCOUNTING_MESSAGE:04", part130); - - var part131 = match("MESSAGE#170:AAA_ACCOUNTING_MESSAGE:01", "nwparser.payload", "update:%{saddr}@%{terminal}:%{application}:terminal width %{dclass_counter1->} (%{result})", processor_chain([ - dup15, - dup2, - dup3, - dup4, - dup41, - ])); - - var msg171 = msg("AAA_ACCOUNTING_MESSAGE:01", part131); - - var part132 = match("MESSAGE#171:AAA_ACCOUNTING_MESSAGE:27/1_0", "nwparser.p0", "configure terminal ; ntp source-interface %{sinterface->} (%{p0}"); - - var part133 = match("MESSAGE#171:AAA_ACCOUNTING_MESSAGE:27/1_1", "nwparser.p0", "show ntp statistics peer ipaddr %{hostip->} (%{p0}"); - - var select26 = linear_select([ - part132, - part133, - ]); - - var all12 = all_match({ - processors: [ - dup42, - select26, - dup43, - ], - on_success: processor_chain([ - dup15, - dup2, - dup3, - dup4, - dup44, - ]), - }); - - var msg172 = msg("AAA_ACCOUNTING_MESSAGE:27", all12); - - var part134 = 
match("MESSAGE#172:AAA_ACCOUNTING_MESSAGE:28/1_0", "nwparser.p0", "clock set %{event_time_string->} (%{p0}"); - - var part135 = match("MESSAGE#172:AAA_ACCOUNTING_MESSAGE:28/1_1", "nwparser.p0", "show logging last %{fld1->} (%{p0}"); - - var select27 = linear_select([ - part134, - part135, - ]); - - var all13 = all_match({ - processors: [ - dup42, - select27, - dup43, - ], - on_success: processor_chain([ - dup15, - dup2, - dup3, - dup4, - dup44, - ]), - }); - - var msg173 = msg("AAA_ACCOUNTING_MESSAGE:28", all13); - - var part136 = match("MESSAGE#173:AAA_ACCOUNTING_MESSAGE:20", "nwparser.payload", "update:%{saddr}@%{terminal}:%{username}:%{info->} (%{result})", processor_chain([ - dup15, - dup2, - dup3, - dup4, - ])); - - var msg174 = msg("AAA_ACCOUNTING_MESSAGE:20", part136); - - var part137 = match("MESSAGE#174:AAA_ACCOUNTING_MESSAGE:30", "nwparser.payload", "update:%{saddr}@%{terminal}:%{username}:added user %{c_username}", processor_chain([ - dup18, - dup2, - dup3, - dup4, - dup11, - dup17, - setc("event_description","Added user"), - dup44, - ])); - - var msg175 = msg("AAA_ACCOUNTING_MESSAGE:30", part137); - - var part138 = match("MESSAGE#175:AAA_ACCOUNTING_MESSAGE:29", "nwparser.payload", "update:%{saddr}@%{terminal}:%{username}:deleted user %{c_username}", processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup11, - dup17, - setc("event_description","Deleted user"), - dup44, - ])); - - var msg176 = msg("AAA_ACCOUNTING_MESSAGE:29", part138); - - var part139 = match("MESSAGE#176:AAA_ACCOUNTING_MESSAGE:21", "nwparser.payload", "update:%{saddr}@%{terminal}:%{username}:%{info}", processor_chain([ - dup15, - dup2, - dup3, - dup4, - ])); - - var msg177 = msg("AAA_ACCOUNTING_MESSAGE:21", part139); - - var part140 = match("MESSAGE#177:AAA_ACCOUNTING_MESSAGE:07", "nwparser.payload", "update:%{saddr}(%{fld3}):%{username}:terminal width %{dclass_counter1}:%{result}", processor_chain([ - dup15, - dup2, - dup3, - dup4, - ])); - - var msg178 = 
msg("AAA_ACCOUNTING_MESSAGE:07", part140); - - var part141 = match("MESSAGE#178:AAA_ACCOUNTING_MESSAGE:05", "nwparser.payload", "update:%{saddr}(%{fld3}):%{username}:terminal session-timeout %{fld5}:%{result}", processor_chain([ - dup15, - dup2, - dup3, - dup4, - ])); - - var msg179 = msg("AAA_ACCOUNTING_MESSAGE:05", part141); - - var part142 = match("MESSAGE#179:AAA_ACCOUNTING_MESSAGE:10", "nwparser.payload", "update:%{saddr}(%{fld3}):%{username}:copy %{event_description}", processor_chain([ - dup15, - dup2, - dup3, - dup4, - ])); - - var msg180 = msg("AAA_ACCOUNTING_MESSAGE:10", part142); - - var part143 = match("MESSAGE#180:AAA_ACCOUNTING_MESSAGE:24", "nwparser.payload", "update:%{terminal}:%{username}: %{event_description}", processor_chain([ - dup15, - dup2, - dup3, - dup4, - ])); - - var msg181 = msg("AAA_ACCOUNTING_MESSAGE:24", part143); - - var part144 = match("MESSAGE#181:AAA_ACCOUNTING_MESSAGE:06", "nwparser.payload", "stop:%{saddr}(%{fld3}):%{username}:shell terminated", processor_chain([ - dup15, - dup2, - dup3, - dup4, - ])); - - var msg182 = msg("AAA_ACCOUNTING_MESSAGE:06", part144); - - var part145 = match("MESSAGE#182:AAA_ACCOUNTING_MESSAGE:02", "nwparser.payload", "stop:%{saddr}@%{terminal}:%{username}:shell %{result}", processor_chain([ - dup15, - dup2, - dup3, - dup4, - setc("event_description","shell terminated"), - ])); - - var msg183 = msg("AAA_ACCOUNTING_MESSAGE:02", part145); - - var part146 = match("MESSAGE#183:AAA_ACCOUNTING_MESSAGE:25", "nwparser.payload", "stop:%{saddr}@%{terminal}:%{username}:%{fld40}", processor_chain([ - dup15, - dup2, - dup3, - dup4, - ])); - - var msg184 = msg("AAA_ACCOUNTING_MESSAGE:25", part146); - - var part147 = match("MESSAGE#184:AAA_ACCOUNTING_MESSAGE:09", "nwparser.payload", "stop:snmp_%{fld43}_%{saddr}:%{username}:", processor_chain([ - dup15, - dup2, - dup3, - dup4, - ])); - - var msg185 = msg("AAA_ACCOUNTING_MESSAGE:09", part147); - - var part148 = match("MESSAGE#185:AAA_ACCOUNTING_MESSAGE:26", 
"nwparser.payload", "stop:%{terminal}:%{username}:", processor_chain([ - dup15, - dup2, - dup3, - dup4, - ])); - - var msg186 = msg("AAA_ACCOUNTING_MESSAGE:26", part148); - - var select28 = linear_select([ - msg156, - msg157, - msg158, - msg159, - msg160, - msg161, - msg162, - msg163, - msg164, - msg165, - msg166, - msg167, - msg168, - msg169, - msg170, - msg171, - msg172, - msg173, - msg174, - msg175, - msg176, - msg177, - msg178, - msg179, - msg180, - msg181, - msg182, - msg183, - msg184, - msg185, - msg186, - ]); - - var all14 = all_match({ - processors: [ - dup45, - dup98, - dup48, - dup99, - dup51, - dup98, - dup52, - dup99, - dup53, - dup100, - dup56, - dup101, - dup59, - ], - on_success: processor_chain([ - dup15, - dup2, - dup3, - dup4, - setc("event_description","ACL Log Flow Interval"), - dup60, - ]), - }); - - var msg187 = msg("ACLLOG_FLOW_INTERVAL", all14); - - var part149 = match("MESSAGE#187:ACLLOG_MAXFLOW_REACHED", "nwparser.payload", "Maximum limit %{fld3->} reached for number of flows", processor_chain([ - dup15, - dup2, - dup3, - dup4, - ])); - - var msg188 = msg("ACLLOG_MAXFLOW_REACHED", part149); - - var all15 = all_match({ - processors: [ - dup45, - dup98, - dup48, - dup99, - dup51, - dup98, - dup52, - dup99, - dup53, - dup100, - dup56, - dup101, - dup59, - ], - on_success: processor_chain([ - dup15, - dup2, - dup3, - dup4, - setc("event_description","ACL Lof New Flow"), - dup60, - ]), - }); - - var msg189 = msg("ACLLOG_NEW_FLOW", all15); - - var part150 = match("MESSAGE#189:DUP_VADDR_SRC_IP", "nwparser.payload", "%{process->} [%{process_id}] Source address of packet received from %{smacaddr->} on %{vlan}(%{interface}) is duplicate of local virtual ip, %{saddr}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - setc("event_description","Source address of packet received on vlan is duplicate of local virtual ip"), - ])); - - var msg190 = msg("DUP_VADDR_SRC_IP", part150); - - var part151 = match("MESSAGE#190:IF_ERROR_VLANS_REMOVED", 
"nwparser.payload", "VLANs %{vlan->} on Interface %{sinterface->} are removed from suspended state.", processor_chain([ - dup15, - dup2, - dup3, - dup4, - ])); - - var msg191 = msg("IF_ERROR_VLANS_REMOVED", part151); - - var part152 = match("MESSAGE#191:IF_ERROR_VLANS_SUSPENDED", "nwparser.payload", "VLANs %{vlan->} on Interface %{sinterface->} are being suspended. (Reason: %{info})", processor_chain([ - dup15, - dup2, - dup3, - dup4, - ])); - - var msg192 = msg("IF_ERROR_VLANS_SUSPENDED", part152); - - var part153 = match("MESSAGE#192:IF_DOWN_CFG_CHANGE", "nwparser.payload", "Interface %{sinterface->} is down(%{result})", processor_chain([ - dup15, - dup2, - dup3, - dup4, - ])); - - var msg193 = msg("IF_DOWN_CFG_CHANGE", part153); - - var part154 = match("MESSAGE#193:PFM_CLOCK_CHANGE", "nwparser.payload", "Clock setting has been changed on the system. Please be aware that clock changes will force a recheckout of all existing VEM licenses. During this recheckout procedure, licensed VEMs which are offline will lose their licenses.%{}", processor_chain([ - dup15, - dup2, - dup3, - dup4, - ])); - - var msg194 = msg("PFM_CLOCK_CHANGE", part154); - - var part155 = match("MESSAGE#194:SYNC_FAILURE_STANDBY_RESET", "nwparser.payload", "Failure in syncing messages to standby for vdc %{fld3->} causing standby to reset.", processor_chain([ - dup15, - dup2, - dup3, - dup4, - ])); - - var msg195 = msg("SYNC_FAILURE_STANDBY_RESET", part155); - - var part156 = match("MESSAGE#195:snmpd", "nwparser.payload", "snmp_pss_snapshot : Copying local engine DB PSS file to url%{}", processor_chain([ - dup15, - dup2, - dup3, - dup4, - ])); - - var msg196 = msg("snmpd", part156); - - var part157 = match("MESSAGE#196:snmpd:01", "nwparser.payload", "SNMPD_SYSLOG_CONFIG_I: Configuration update from %{fld43}_%{saddr->} %{info}", processor_chain([ - dup15, - dup2, - dup3, - dup4, - ])); - - var msg197 = msg("snmpd:01", part157); - - var select29 = linear_select([ - msg196, - msg197, - ]); - - var 
part158 = match("MESSAGE#197:CFGWRITE_USER_ABORT", "nwparser.payload", "Configuration copy aborted by the user.%{}", processor_chain([ - dup15, - dup2, - dup3, - dup4, - ])); - - var msg198 = msg("CFGWRITE_USER_ABORT", part158); - - var msg199 = msg("IF_DOWN_BIT_ERR_RT_THRES_EXCEEDED", dup95); - - var part159 = match("MESSAGE#199:last", "nwparser.payload", "message repeated %{dclass_counter1->} time", processor_chain([ - dup15, - dup2, - dup3, - dup4, - setc("event_description","last message repeated number of times."), - setc("dclass_counter1_string","Number of times repeated"), - ])); - - var msg200 = msg("last", part159); - - var part160 = match("MESSAGE#200:SERVICE_CRASHED", "nwparser.payload", "Service %{service->} (PID %{parent_pid}) hasn't caught signal %{fld43->} (%{result}).", processor_chain([ - dup32, - dup2, - dup3, - dup4, - ])); - - var msg201 = msg("SERVICE_CRASHED", part160); - - var part161 = match("MESSAGE#201:SERVICELOST", "nwparser.payload", "Service %{service->} lost on WCCP Client %{saddr}", processor_chain([ - dup61, - dup2, - dup3, - dup4, - setc("event_description","Service lost on WCCP Client"), - ])); - - var msg202 = msg("SERVICELOST", part161); - - var part162 = match("MESSAGE#202:IF_BRINGUP_ALLOWED_FCOT_CHECKSUM_ERR", "nwparser.payload", "Interface %{interface->} is allowed to come up even with SFP checksum error", processor_chain([ - dup23, - dup2, - dup3, - dup4, - ])); - - var msg203 = msg("IF_BRINGUP_ALLOWED_FCOT_CHECKSUM_ERR", part162); - - var part163 = match("MESSAGE#203:PS_FAIL/0", "nwparser.payload", "Power supply %{fld43->} failed or shut%{p0}"); - - var part164 = match("MESSAGE#203:PS_FAIL/1_0", "nwparser.p0", " down %{p0}"); - - var part165 = match("MESSAGE#203:PS_FAIL/1_1", "nwparser.p0", "down %{p0}"); - - var select30 = linear_select([ - part164, - part165, - ]); - - var part166 = match("MESSAGE#203:PS_FAIL/2", "nwparser.p0", "(Serial number %{serial_number})"); - - var all16 = all_match({ - processors: [ - part163, - 
select30, - part166, - ], - on_success: processor_chain([ - dup23, - dup2, - dup3, - dup4, - ]), - }); - - var msg204 = msg("PS_FAIL", all16); - - var msg205 = msg("INFORMATION", dup87); - - var msg206 = msg("EVENT", dup87); - - var part167 = match("MESSAGE#206:NATIVE_VLAN_MISMATCH", "nwparser.payload", "Native VLAN mismatch discovered on %{interface}, with %{fld23}", processor_chain([ - dup23, - dup2, - dup3, - dup4, - ])); - - var msg207 = msg("NATIVE_VLAN_MISMATCH", part167); - - var part168 = match("MESSAGE#207:NEIGHBOR_ADDED", "nwparser.payload", "Device %{fld22->} discovered of type %{fld23->} with port %{fld24->} on incoming port %{interface->} with ip addr %{fld25->} and mgmt ip %{hostip}", processor_chain([ - dup29, - dup2, - dup3, - dup4, - ])); - - var msg208 = msg("NEIGHBOR_ADDED", part168); - - var part169 = match("MESSAGE#208:NEIGHBOR_REMOVED", "nwparser.payload", "CDP Neighbor %{fld22->} on port %{interface->} has been removed", processor_chain([ - dup24, - dup2, - dup3, - dup4, - ])); - - var msg209 = msg("NEIGHBOR_REMOVED", part169); - - var part170 = match("MESSAGE#209:IF_BANDWIDTH_CHANGE", "nwparser.payload", "Interface %{interface},%{event_description}", processor_chain([ - dup15, - dup2, - dup3, - dup4, - ])); - - var msg210 = msg("IF_BANDWIDTH_CHANGE", part170); - - var part171 = match("MESSAGE#210:IF_DOWN_PARENT_ADMIN_DOWN", "nwparser.payload", "Interface %{interface->} is down (Parent interface down)", processor_chain([ - dup23, - dup2, - dup3, - dup4, - ])); - - var msg211 = msg("IF_DOWN_PARENT_ADMIN_DOWN", part171); - - var part172 = match("MESSAGE#211:PORT_INDIVIDUAL_DOWN", "nwparser.payload", "individual port %{interface->} is down", processor_chain([ - dup23, - dup2, - dup3, - dup4, - ])); - - var msg212 = msg("PORT_INDIVIDUAL_DOWN", part172); - - var part173 = match("MESSAGE#212:PORT_SUSPENDED", "nwparser.payload", "%{fld22}: %{interface->} is suspended", processor_chain([ - dup23, - dup2, - dup3, - dup4, - ])); - - var msg213 = 
msg("PORT_SUSPENDED", part173); - - var part174 = match("MESSAGE#213:FEX_PORT_STATUS_NOTI", "nwparser.payload", "Uplink-ID %{fld22->} of Fex %{fld23->} that is connected with %{interface->} changed its status from %{change_old->} to %{change_new}", processor_chain([ - dup15, - dup2, - dup3, - dup4, - setc("change_attribute","status"), - ])); - - var msg214 = msg("FEX_PORT_STATUS_NOTI", part174); - - var msg215 = msg("NOHMS_DIAG_ERR_PS_FAIL", dup102); - - var msg216 = msg("NOHMS_DIAG_ERR_PS_RECOVERED", dup87); - - var msg217 = msg("ADJCHANGE", dup87); - - var part175 = match("MESSAGE#217:PORT_ADDED", "nwparser.payload", "Interface %{interface}, added to VLAN%{vlan->} with role %{fld22}, state %{disposition}, %{info}", processor_chain([ - dup29, - dup2, - dup3, - dup4, - ])); - - var msg218 = msg("PORT_ADDED", part175); - - var part176 = match("MESSAGE#218:PORT_DELETED", "nwparser.payload", "Interface %{interface}, removed from VLAN%{vlan}", processor_chain([ - dup24, - dup2, - dup3, - dup4, - ])); - - var msg219 = msg("PORT_DELETED", part176); - - var part177 = match("MESSAGE#219:PORT_ROLE", "nwparser.payload", "Port %{interface->} instance VLAN%{vlan->} role changed to %{fld22}", processor_chain([ - dup62, - dup2, - dup3, - dup4, - ])); - - var msg220 = msg("PORT_ROLE", part177); - - var part178 = match("MESSAGE#220:PORT_STATE", "nwparser.payload", "Port %{interface->} instance VLAN%{vlan->} moving from %{change_old->} to %{change_new}", processor_chain([ - dup15, - dup2, - dup3, - dup4, - setc("change_attribute","Port state"), - ])); - - var msg221 = msg("PORT_STATE", part178); - - var part179 = match("MESSAGE#221:TACACS_ACCOUNTING_MESSAGE", "nwparser.payload", "update: %{saddr}@%{terminal}: %{username}: %{event_description}; feature %{protocol->} (%{result}) %{info}", processor_chain([ - dup23, - dup2, - dup3, - dup4, - ])); - - var msg222 = msg("TACACS_ACCOUNTING_MESSAGE", part179); - - var part180 = match("MESSAGE#222:TACACS_ACCOUNTING_MESSAGE:01", 
"nwparser.payload", "update:%{saddr}@%{terminal}:%{username}: enabled telnet", processor_chain([ - dup22, - dup37, - dup38, - dup17, - dup2, - dup3, - dup4, - dup39, - dup40, - ])); - - var msg223 = msg("TACACS_ACCOUNTING_MESSAGE:01", part180); - - var part181 = match("MESSAGE#368:TACACS_ACCOUNTING_MESSAGE:04", "nwparser.payload", "%{action}: %{saddr}@%{terminal}: %{username}: configure terminal ; ntp source-interface %{sinterface->} (%{result})%{info}", processor_chain([ - dup63, - dup2, - dup4, - ])); - - var msg224 = msg("TACACS_ACCOUNTING_MESSAGE:04", part181); - - var part182 = match("MESSAGE#369:TACACS_ACCOUNTING_MESSAGE:05/0", "nwparser.payload", "%{action}: %{saddr}@%{terminal}: %{username}: show %{p0}"); - - var part183 = match("MESSAGE#369:TACACS_ACCOUNTING_MESSAGE:05/1_0", "nwparser.p0", "ntp statistics peer ipaddr %{hostip->} (%{p0}"); - - var part184 = match("MESSAGE#369:TACACS_ACCOUNTING_MESSAGE:05/1_1", "nwparser.p0", "logging last %{fld3->} (%{p0}"); - - var select31 = linear_select([ - part183, - part184, - ]); - - var part185 = match("MESSAGE#369:TACACS_ACCOUNTING_MESSAGE:05/2", "nwparser.p0", "%{result})%{info}"); - - var all17 = all_match({ - processors: [ - part182, - select31, - part185, - ], - on_success: processor_chain([ - dup63, - dup2, - dup4, - ]), - }); - - var msg225 = msg("TACACS_ACCOUNTING_MESSAGE:05", all17); - - var part186 = match("MESSAGE#370:TACACS_ACCOUNTING_MESSAGE:06", "nwparser.payload", "%{action}: %{saddr}@%{terminal}: %{username}: clock set %{event_time_string->} (%{result})%{info}", processor_chain([ - dup63, - dup2, - dup4, - ])); - - var msg226 = msg("TACACS_ACCOUNTING_MESSAGE:06", part186); - - var part187 = match("MESSAGE#371:TACACS_ACCOUNTING_MESSAGE:08", "nwparser.payload", "%{action}: %{saddr}@%{terminal}: %{username}: Performing configuration copy. 
%{info}", processor_chain([ - dup63, - dup2, - dup4, - setc("event_description","Performing configuration copy"), - ])); - - var msg227 = msg("TACACS_ACCOUNTING_MESSAGE:08", part187); - - var part188 = match("MESSAGE#372:TACACS_ACCOUNTING_MESSAGE:09/2", "nwparser.p0", "%{username}: shell terminated because of session timeout %{p0}"); - - var all18 = all_match({ - processors: [ - dup64, - dup103, - part188, - dup104, - ], - on_success: processor_chain([ - dup63, - dup2, - dup4, - setc("event_description","shell terminated because of session timeout"), - ]), - }); - - var msg228 = msg("TACACS_ACCOUNTING_MESSAGE:09", all18); - - var part189 = match("MESSAGE#373:TACACS_ACCOUNTING_MESSAGE:07/2", "nwparser.p0", "%{username}: %{event_description->} %{p0}"); - - var all19 = all_match({ - processors: [ - dup64, - dup103, - part189, - dup104, - ], - on_success: processor_chain([ - dup63, - dup2, - dup4, - ]), - }); - - var msg229 = msg("TACACS_ACCOUNTING_MESSAGE:07", all19); - - var select32 = linear_select([ - msg222, - msg223, - msg224, - msg225, - msg226, - msg227, - msg228, - msg229, - ]); - - var msg230 = msg("TACACS_ERROR_MESSAGE", dup102); - - var msg231 = msg("IF_SFP_WARNING", dup105); - - var msg232 = msg("IF_DOWN_TCP_MAX_RETRANSMIT", dup106); - - var msg233 = msg("FCIP_PEER_CAVIUM", dup87); - - var msg234 = msg("IF_DOWN_PEER_CLOSE", dup106); - - var msg235 = msg("IF_DOWN_PEER_RESET", dup106); - - var part190 = match("MESSAGE#229:INTF_CONSISTENCY_FAILED", "nwparser.payload", "In domain %{domain}, VPC %{obj_name->} configuration is not consistent (%{result})", processor_chain([ - dup15, - dup2, - dup3, - dup4, - setc("event_description","configuration is not consistent in domain"), - ])); - - var msg236 = msg("INTF_CONSISTENCY_FAILED", part190); - - var part191 = match("MESSAGE#230:INTF_CONSISTENCY_SUCCESS", "nwparser.payload", "In domain %{domain}, vPC %{obj_name->} configuration is consistent", processor_chain([ - dup8, - dup2, - dup3, - dup4, - 
setc("event_description","configuration is consistent in domain"), - ])); - - var msg237 = msg("INTF_CONSISTENCY_SUCCESS", part191); - - var msg238 = msg("INTF_COUNTERS_CLEARED", dup105); - - var msg239 = msg("IF_HARDWARE", dup105); - - var part192 = match_copy("MESSAGE#233:HEARTBEAT_FAILURE", "nwparser.payload", "event_description", processor_chain([ - setc("eventcategory","1604010000"), - dup2, - dup3, - dup4, - ])); - - var msg240 = msg("HEARTBEAT_FAILURE", part192); - - var msg241 = msg("SYSMGR_AUTOCOLLECT_TECH_SUPPORT_LOG", dup87); - - var msg242 = msg("PFM_FAN_FLTR_STATUS", dup87); - - var msg243 = msg("MOUNT", dup87); - - var msg244 = msg("LOG_CMP_UP", dup87); - - var part193 = match("MESSAGE#238:IF_XCVR_WARNING/2", "nwparser.p0", "Temperature Warning cleared%{}"); - - var all20 = all_match({ - processors: [ - dup69, - dup107, - part193, - ], - on_success: processor_chain([ - dup15, - dup2, - dup3, - dup4, - ]), - }); - - var msg245 = msg("IF_XCVR_WARNING", all20); - - var msg246 = msg("IF_XCVR_WARNING:01", dup108); - - var select33 = linear_select([ - msg245, - msg246, - ]); - - var part194 = match("MESSAGE#240:IF_XCVR_ALARM/2", "nwparser.p0", "Temperature Alarm cleared%{}"); - - var all21 = all_match({ - processors: [ - dup69, - dup107, - part194, - ], - on_success: processor_chain([ - dup15, - dup2, - dup3, - dup4, - ]), - }); - - var msg247 = msg("IF_XCVR_ALARM", all21); - - var msg248 = msg("IF_XCVR_ALARM:01", dup108); - - var select34 = linear_select([ - msg247, - msg248, - ]); - - var msg249 = msg("MEMORY_ALERT", dup87); - - var msg250 = msg("MEMORY_ALERT_RECOVERED", dup87); - - var part195 = match("MESSAGE#244:IF_SFP_ALARM/2", "nwparser.p0", "Rx Power Alarm cleared%{}"); - - var all22 = all_match({ - processors: [ - dup69, - dup107, - part195, - ], - on_success: processor_chain([ - dup15, - dup2, - dup3, - dup4, - ]), - }); - - var msg251 = msg("IF_SFP_ALARM", all22); - - var msg252 = msg("IF_SFP_ALARM:01", dup108); - - var select35 = linear_select([ 
- msg251, - msg252, - ]); - - var part196 = match_copy("MESSAGE#246:NBRCHANGE_DUAL", "nwparser.payload", "event_description", processor_chain([ - dup61, - dup2, - dup3, - dup4, - ])); - - var msg253 = msg("NBRCHANGE_DUAL", part196); - - var part197 = match("MESSAGE#247:SOHMS_DIAG_ERROR/0", "nwparser.payload", "%{} %{device->} %{p0}"); - - var part198 = match("MESSAGE#247:SOHMS_DIAG_ERROR/1_0", "nwparser.p0", "%{action}: System %{p0}"); - - var part199 = match("MESSAGE#247:SOHMS_DIAG_ERROR/1_1", "nwparser.p0", "System %{p0}"); - - var select36 = linear_select([ - part198, - part199, - ]); - - var part200 = match("MESSAGE#247:SOHMS_DIAG_ERROR/2", "nwparser.p0", "minor alarm on fans in fan tray %{dclass_counter1}"); - - var all23 = all_match({ - processors: [ - part197, - select36, - part200, - ], - on_success: processor_chain([ - dup61, - dup38, - dup72, - dup2, - dup3, - dup4, - setc("event_description","System minor alarm on fans in fan tray"), - ]), - }); - - var msg254 = msg("SOHMS_DIAG_ERROR", all23); - - var part201 = match("MESSAGE#248:SOHMS_DIAG_ERROR:01", "nwparser.payload", "%{device->} System minor alarm on power supply %{fld42}: %{result}", processor_chain([ - dup61, - dup38, - dup72, - dup2, - dup3, - dup4, - setc("event_description","FEX-System minor alarm on power supply."), - ])); - - var msg255 = msg("SOHMS_DIAG_ERROR:01", part201); - - var part202 = match("MESSAGE#249:SOHMS_DIAG_ERROR:02", "nwparser.payload", "%{device}: %{event_description}", processor_chain([ - dup61, - dup38, - dup72, - dup2, - dup3, - dup4, - ])); - - var msg256 = msg("SOHMS_DIAG_ERROR:02", part202); - - var select37 = linear_select([ - msg254, - msg255, - msg256, - ]); - - var part203 = match("MESSAGE#250:M2FIB_MAC_TBL_PRGMING", "nwparser.payload", "Failed to program the mac table on %{device->} for group: %{fld1}, (%{fld2->} (%{fld3}), %{fld4}, %{hostip}). Error: %{result}. 
%{info}", processor_chain([ - dup73, - dup34, - dup38, - dup72, - dup2, - dup3, - dup4, - setc("event_description","Failed to program the mac table"), - ])); - - var msg257 = msg("M2FIB_MAC_TBL_PRGMING", part203); - - var part204 = match("MESSAGE#251:DELETE_STALE_USER_ACCOUNT", "nwparser.payload", "deleting expired user account:%{username}", processor_chain([ - dup19, - dup11, - dup20, - setc("ec_theme","UserGroup"), - dup2, - dup3, - dup4, - setc("event_description","deleting expired user account"), - ])); - - var msg258 = msg("DELETE_STALE_USER_ACCOUNT", part204); - - var part205 = match("MESSAGE#252:IF_ADMIN_UP", "nwparser.payload", "Interface %{interface->} is admin up", processor_chain([ - dup30, - dup34, - dup38, - dup17, - dup2, - dup3, - dup4, - setc("event_description","Interface is admin up."), - ])); - - var msg259 = msg("IF_ADMIN_UP", part205); - - var part206 = match("MESSAGE#253:VPC_CFGD", "nwparser.payload", "vPC %{obj_name->} is configured", processor_chain([ - dup30, - dup34, - dup38, - dup17, - dup2, - dup3, - dup4, - setc("event_description","vPC is configured"), - dup74, - ])); - - var msg260 = msg("VPC_CFGD", part206); - - var part207 = match("MESSAGE#254:MODULE_ONLINE", "nwparser.payload", "System Manager has received notification of %{info}", processor_chain([ - dup30, - dup38, - dup17, - dup2, - dup3, - dup4, - setc("event_description","System Manager has received notification of local module becoming online."), - ])); - - var msg261 = msg("MODULE_ONLINE", part207); - - var part208 = match("MESSAGE#255:BIOS_DAEMON_LC_PRI_BOOT", "nwparser.payload", "System booted from Primary BIOS Flash%{}", processor_chain([ - dup30, - dup75, - dup76, - dup2, - dup3, - dup4, - setc("event_description","System booted from Primary BIOS Flash"), - ])); - - var msg262 = msg("BIOS_DAEMON_LC_PRI_BOOT", part208); - - var part209 = match("MESSAGE#256:PEER_VPC_DOWN", "nwparser.payload", "Peer %{obj_name->} is down ()", processor_chain([ - dup77, - dup34, - dup38, - 
dup72, - dup2, - dup3, - dup4, - setc("event_description","Peer vPC is down"), - dup74, - ])); - - var msg263 = msg("PEER_VPC_DOWN", part209); - - var part210 = match("MESSAGE#257:PEER_KEEP_ALIVE_RECV_INT_LATEST/0", "nwparser.payload", "In domain %{domain}, %{p0}"); - - var part211 = match("MESSAGE#257:PEER_KEEP_ALIVE_RECV_INT_LATEST/1_0", "nwparser.p0", "VPC%{p0}"); - - var part212 = match("MESSAGE#257:PEER_KEEP_ALIVE_RECV_INT_LATEST/1_1", "nwparser.p0", "vPC%{p0}"); - - var select38 = linear_select([ - part211, - part212, - ]); - - var part213 = match("MESSAGE#257:PEER_KEEP_ALIVE_RECV_INT_LATEST/2", "nwparser.p0", "%{}peer%{p0}"); - - var part214 = match("MESSAGE#257:PEER_KEEP_ALIVE_RECV_INT_LATEST/3_0", "nwparser.p0", "-keepalive%{p0}"); - - var part215 = match("MESSAGE#257:PEER_KEEP_ALIVE_RECV_INT_LATEST/3_1", "nwparser.p0", " keep-alive%{p0}"); - - var select39 = linear_select([ - part214, - part215, - ]); - - var part216 = match("MESSAGE#257:PEER_KEEP_ALIVE_RECV_INT_LATEST/4", "nwparser.p0", "%{}received on interface %{interface}"); - - var all24 = all_match({ - processors: [ - part210, - select38, - part213, - select39, - part216, - ], - on_success: processor_chain([ - dup36, - dup2, - dup3, - dup4, - setc("event_description","In domain, VPC peer-keepalive received on interface"), - ]), - }); - - var msg264 = msg("PEER_KEEP_ALIVE_RECV_INT_LATEST", all24); - - var part217 = match("MESSAGE#258:PEER_KEEP_ALIVE_RECV_SUCCESS", "nwparser.payload", "In domain %{domain}, vPC peer keep-alive receive is successful", processor_chain([ - dup36, - dup34, - dup78, - dup35, - dup17, - dup2, - dup3, - dup4, - setc("event_description","In domain, vPC peer keep-alive receive is successful"), - ])); - - var msg265 = msg("PEER_KEEP_ALIVE_RECV_SUCCESS", part217); - - var part218 = match("MESSAGE#259:PEER_KEEP_ALIVE_RECV_FAIL", "nwparser.payload", "In domain %{domain}, VPC peer keep-alive receive has failed", processor_chain([ - dup77, - dup34, - dup78, - dup35, - dup14, - dup2, 
- dup3, - dup4, - setc("event_description","In domain, VPC peer keep-alive receive has failed"), - ])); - - var msg266 = msg("PEER_KEEP_ALIVE_RECV_FAIL", part218); - - var part219 = match("MESSAGE#260:PEER_KEEP_ALIVE_SEND_INT_LATEST", "nwparser.payload", "In domain %{domain}, VPC peer-keepalive sent on interface %{interface}", processor_chain([ - dup36, - dup34, - dup79, - dup35, - dup2, - dup3, - dup4, - setc("event_description","In domain, VPC peer-keepalive sent on interface"), - ])); - - var msg267 = msg("PEER_KEEP_ALIVE_SEND_INT_LATEST", part219); - - var part220 = match("MESSAGE#261:PEER_KEEP_ALIVE_SEND_SUCCESS", "nwparser.payload", "In domain %{domain}, vPC peer keep-alive send is successful", processor_chain([ - dup36, - dup34, - dup79, - dup35, - dup17, - dup2, - dup3, - dup4, - setc("event_description","In domain, vPC peer keep-alive send is successful"), - ])); - - var msg268 = msg("PEER_KEEP_ALIVE_SEND_SUCCESS", part220); - - var part221 = match("MESSAGE#262:PEER_KEEP_ALIVE_STATUS", "nwparser.payload", "In domain %{domain}, peer keep-alive status changed to %{change_new}", processor_chain([ - dup30, - dup34, - dup16, - dup38, - dup2, - dup3, - dup4, - setc("event_description","Peer keep-alive status changed."), - setc("change_attribute","peer keep-alive status"), - ])); - - var msg269 = msg("PEER_KEEP_ALIVE_STATUS", part221); - - var part222 = match("MESSAGE#263:EJECTOR_STAT_CHANGED", "nwparser.payload", "Ejectors' status in slot %{fld47->} has changed, %{info}", processor_chain([ - dup30, - dup16, - dup38, - dup2, - dup3, - dup4, - setc("event_description","Ejectors' status in slot has changed."), - ])); - - var msg270 = msg("EJECTOR_STAT_CHANGED", part222); - - var part223 = match("MESSAGE#264:XBAR_DETECT", "nwparser.payload", "Xbar %{fld41->} detected (Serial number %{fld42})", processor_chain([ - dup29, - setc("ec_activity","Detect"), - dup38, - dup2, - dup3, - dup4, - setc("event_description","Xbar detected"), - ])); - - var msg271 = 
msg("XBAR_DETECT", part223); - - var part224 = match("MESSAGE#265:XBAR_PWRUP", "nwparser.payload", "Xbar %{fld41->} powered up (Serial number %{fld42})", processor_chain([ - dup15, - dup75, - dup76, - dup2, - dup3, - dup4, - setc("event_description","Xbar powered up"), - ])); - - var msg272 = msg("XBAR_PWRUP", part224); - - var part225 = match("MESSAGE#266:XBAR_PWRDN", "nwparser.payload", "Xbar %{fld41->} powered down (Serial number %{fld42})", processor_chain([ - dup15, - dup75, - setc("ec_activity","Stop"), - dup2, - dup3, - dup4, - setc("event_description","Xbar powered down"), - ])); - - var msg273 = msg("XBAR_PWRDN", part225); - - var part226 = match("MESSAGE#267:XBAR_OK", "nwparser.payload", "Xbar %{fld41->} is online (serial: %{fld42})", processor_chain([ - dup15, - dup2, - dup3, - dup4, - setc("event_description","Xbar is online"), - ])); - - var msg274 = msg("XBAR_OK", part226); - - var part227 = match("MESSAGE#268:VPC_ISSU_START", "nwparser.payload", "Peer vPC switch ISSU start, locking configuration%{}", processor_chain([ - dup15, - dup2, - dup3, - dup4, - setc("event_description","Peer vPC switch ISSU start, locking configuration"), - ])); - - var msg275 = msg("VPC_ISSU_START", part227); - - var part228 = match("MESSAGE#269:VPC_ISSU_END", "nwparser.payload", "Peer vPC switch ISSU end, unlocking configuration%{}", processor_chain([ - dup15, - dup2, - dup3, - dup4, - setc("event_description","Peer vPC switch ISSU end, unlocking configuration"), - ])); - - var msg276 = msg("VPC_ISSU_END", part228); - - var part229 = match("MESSAGE#270:PORT_RANGE_ROLE", "nwparser.payload", "new_role=%{obj_name->} interface=%{interface->} mst=%{fld42}", processor_chain([ - dup62, - dup2, - dup3, - dup4, - setc("obj_type","new_role"), - ])); - - var msg277 = msg("PORT_RANGE_ROLE", part229); - - var part230 = match("MESSAGE#271:PORT_RANGE_STATE", "nwparser.payload", "new_state=%{obj_name->} interface=%{interface->} mst=%{fld42}", processor_chain([ - dup62, - dup2, - dup3, - 
dup4, - setc("obj_type","new_state"), - ])); - - var msg278 = msg("PORT_RANGE_STATE", part230); - - var part231 = match("MESSAGE#272:PORT_RANGE_DELETED", "nwparser.payload", "Interface %{interface->} removed from mst=%{fld42}", processor_chain([ - dup24, - dup34, - dup20, - dup38, - dup2, - dup3, - dup4, - setc("event_description","Interface removed from MST."), - ])); - - var msg279 = msg("PORT_RANGE_DELETED", part231); - - var part232 = match("MESSAGE#273:PORT_RANGE_ADDED", "nwparser.payload", "Interface %{interface->} added to mst=%{fld42->} with %{info}", processor_chain([ - dup29, - dup34, - dup80, - dup38, - dup2, - dup3, - dup4, - setc("event_description","Interface added to MST."), - ])); - - var msg280 = msg("PORT_RANGE_ADDED", part232); - - var part233 = match("MESSAGE#274:MST_PORT_BOUNDARY", "nwparser.payload", "Port %{portname->} removed as MST Boundary port", processor_chain([ - dup24, - dup34, - dup20, - dup38, - dup2, - dup3, - dup4, - setc("event_description","Port removed as MST Boundary port"), - ])); - - var msg281 = msg("MST_PORT_BOUNDARY", part233); - - var part234 = match("MESSAGE#275:PIXM_SYSLOG_MESSAGE_TYPE_CRIT", "nwparser.payload", "Non-transactional PIXM Error. 
Error Type: %{result}.%{info}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - setc("event_description","Non-transactional PIXM Error"), - ])); - - var msg282 = msg("PIXM_SYSLOG_MESSAGE_TYPE_CRIT", part234); - - var part235 = match("MESSAGE#276:IM_INTF_STATE", "nwparser.payload", "%{interface->} is %{obj_name->} in vdc %{fld43}", processor_chain([ - dup8, - dup2, - dup3, - dup4, - setc("obj_type"," Interface state"), - ])); - - var msg283 = msg("IM_INTF_STATE", part235); - - var part236 = match("MESSAGE#277:VDC_STATE_CHANGE", "nwparser.payload", "vdc %{fld43->} state changed to %{obj_name}", processor_chain([ - dup62, - dup34, - dup16, - dup38, - dup2, - dup3, - dup4, - setc("event_description","VDC state changed."), - setc("obj_type"," VDC state"), - ])); - - var msg284 = msg("VDC_STATE_CHANGE", part236); - - var part237 = match("MESSAGE#278:SWITCHOVER_OVER", "nwparser.payload", "Switchover completed.%{}", processor_chain([ - dup8, - dup2, - dup3, - dup4, - dup81, - ])); - - var msg285 = msg("SWITCHOVER_OVER", part237); - - var part238 = match("MESSAGE#279:VDC_MODULETYPE", "nwparser.payload", "%{process}: Module type changed to %{obj_name}", processor_chain([ - dup62, - dup16, - dup38, - dup2, - dup3, - dup4, - dup81, - setc("obj_type"," New Module type"), - ])); - - var msg286 = msg("VDC_MODULETYPE", part238); - - var part239 = match("MESSAGE#280:HASEQNO_SYNC_FAILED", "nwparser.payload", "Unable to sync HA sequence number %{fld44->} for service \"%{service}\" (PID %{process_id}): %{result}.", processor_chain([ - dup77, - dup34, - dup35, - dup14, - dup2, - dup3, - dup4, - setc("event_description","Unable to sync HA sequence number for service"), - ])); - - var msg287 = msg("HASEQNO_SYNC_FAILED", part239); - - var part240 = match("MESSAGE#281:MSG_SEND_FAILURE_STANDBY_RESET", "nwparser.payload", "Failure in sending message to standby causing standby to reset.%{}", processor_chain([ - dup1, - dup34, - dup79, - dup35, - dup14, - dup2, - dup3, - dup4, - 
setc("event_description","Failure in sending message to standby causing standby to reset."), - ])); - - var msg288 = msg("MSG_SEND_FAILURE_STANDBY_RESET", part240); - - var part241 = match("MESSAGE#282:MODULE_LOCK_FAILED", "nwparser.payload", "Failed to lock the local module to avoid reset (error-id %{resultcode}).", processor_chain([ - dup1, - dup2, - dup3, - dup4, - setc("event_description","Failed to lock the local module to avoid reset"), - ])); - - var msg289 = msg("MODULE_LOCK_FAILED", part241); - - var part242 = match("MESSAGE#283:L2FMC_NL_MTS_SEND_FAILURE", "nwparser.payload", "Failed to send Mac New Learns/Mac moves due to mts send failure errno %{resultcode}", processor_chain([ - dup1, - dup34, - dup79, - dup35, - dup14, - dup2, - dup3, - dup4, - setc("event_description","Failed to send Mac New Learns/Mac moves due to mts send failure."), - ])); - - var msg290 = msg("L2FMC_NL_MTS_SEND_FAILURE", part242); - - var part243 = match("MESSAGE#284:SERVER_ADDED", "nwparser.payload", "Server with Chassis ID %{id->} Port ID %{fld45->} management address %{fld46->} discovered on local port %{portname->} in vlan %{vlan->} %{info}", processor_chain([ - dup29, - dup80, - dup38, - dup2, - dup3, - dup4, - setc("event_description","Server discovered on local in vlan 0 with enabled capability Station"), - ])); - - var msg291 = msg("SERVER_ADDED", part243); - - var part244 = match("MESSAGE#285:SERVER_REMOVED", "nwparser.payload", "Server with Chassis ID %{id->} Port ID %{fld45->} on local port %{portname->} has been removed", processor_chain([ - dup24, - dup20, - dup38, - dup2, - dup3, - dup4, - setc("event_description","Server on local port has been removed"), - ])); - - var msg292 = msg("SERVER_REMOVED", part244); - - var part245 = match("MESSAGE#286:IF_DOWN_SUSPENDED_BY_SPEED", "nwparser.payload", "Interface %{interface->} is down %{info}", processor_chain([ - dup23, - dup34, - dup72, - dup2, - dup3, - dup4, - dup25, - ])); - - var msg293 = 
msg("IF_DOWN_SUSPENDED_BY_SPEED", part245); - - var part246 = match("MESSAGE#287:PORT_INDIVIDUAL", "nwparser.payload", "port %{portname->} is operationally individual", processor_chain([ - dup8, - dup2, - dup3, - dup4, - setc("event_description","port is operationally individual"), - ])); - - var msg294 = msg("PORT_INDIVIDUAL", part246); - - var part247 = match("MESSAGE#288:IF_DOWN_CHANNEL_ADMIN_DOWN", "nwparser.payload", "Interface %{interface->} is down %{info}", processor_chain([ - dup23, - dup34, - dup38, - dup72, - dup2, - dup3, - dup4, - dup25, - ])); - - var msg295 = msg("IF_DOWN_CHANNEL_ADMIN_DOWN", part247); - - var part248 = match("MESSAGE#289:IF_ERRDIS_RECOVERY", "nwparser.payload", "Interface %{interface->} is being recovered from error disabled state %{info}", processor_chain([ - dup22, - dup2, - dup3, - dup4, - setc("event_description","Interface is being recovered from error disabled state"), - ])); - - var msg296 = msg("IF_ERRDIS_RECOVERY", part248); - - var part249 = match("MESSAGE#290:IF_NON_CISCO_TRANSCEIVER", "nwparser.payload", "Non-Cisco transceiver on interface %{interface->} is detected", processor_chain([ - dup30, - dup2, - dup3, - dup4, - setc("event_description","Non-Cisco transceiver on interface is detected"), - ])); - - var msg297 = msg("IF_NON_CISCO_TRANSCEIVER", part249); - - var part250 = match("MESSAGE#291:ACTIVE_LOWER_MEM_THAN_STANDBY", "nwparser.payload", "Active supervisor in slot %{fld47->} is running with less memory than standby supervisor in slot %{fld48}.", processor_chain([ - dup30, - dup2, - dup3, - dup4, - setc("event_description","Active supervisor is running with less memory than standby supervisor."), - ])); - - var msg298 = msg("ACTIVE_LOWER_MEM_THAN_STANDBY", part250); - - var part251 = match("MESSAGE#292:READCONF_STARTED", "nwparser.payload", "Configuration update started (PID %{process_id}).", processor_chain([ - dup30, - dup16, - dup38, - dup2, - dup3, - dup4, - setc("event_description","Configuration update 
started."), - ])); - - var msg299 = msg("READCONF_STARTED", part251); - - var part252 = match("MESSAGE#293:SUP_POWERDOWN", "nwparser.payload", "Supervisor in slot %{fld47->} is running with less memory than active supervisor in slot %{fld48}", processor_chain([ - dup30, - dup2, - dup3, - dup4, - setc("event_description","Supervisor is running with less memory than active supervisor."), - ])); - - var msg300 = msg("SUP_POWERDOWN", part252); - - var part253 = match("MESSAGE#294:LC_UPGRADE_START", "nwparser.payload", "Starting linecard upgrade%{}", processor_chain([ - dup30, - dup16, - dup38, - dup2, - dup3, - dup4, - setc("event_description","Starting linecard upgrade"), - ])); - - var msg301 = msg("LC_UPGRADE_START", part253); - - var part254 = match("MESSAGE#295:LC_UPGRADE_REBOOT", "nwparser.payload", "Rebooting linecard as a part of upgrade%{}", processor_chain([ - dup30, - dup16, - dup38, - dup2, - dup3, - dup4, - setc("event_description","Rebooting linecard as a part of upgrade"), - ])); - - var msg302 = msg("LC_UPGRADE_REBOOT", part254); - - var part255 = match("MESSAGE#296:RUNTIME_DB_RESTORE_STARTED", "nwparser.payload", "Runtime database controller started (PID %{process_id}).", processor_chain([ - dup30, - dup2, - dup3, - dup4, - setc("event_description","Runtime database controller started."), - ])); - - var msg303 = msg("RUNTIME_DB_RESTORE_STARTED", part255); - - var part256 = match("MESSAGE#297:RUNTIME_DB_RESTORE_SUCCESS", "nwparser.payload", "Runtime database successfully restored.%{}", processor_chain([ - dup30, - dup2, - dup3, - dup4, - setc("event_description","Runtime database successfully restored."), - ])); - - var msg304 = msg("RUNTIME_DB_RESTORE_SUCCESS", part256); - - var part257 = match("MESSAGE#298:LCM_MODULE_UPGRADE_START", "nwparser.payload", "Upgrade of module %{fld49->} started", processor_chain([ - dup30, - dup16, - dup38, - dup2, - dup3, - dup4, - setc("event_description","Upgrade of module started"), - ])); - - var msg305 = 
msg("LCM_MODULE_UPGRADE_START", part257); - - var part258 = match("MESSAGE#299:LCM_MODULE_UPGRADE_END", "nwparser.payload", "Upgrade of module %{fld49->} ended", processor_chain([ - dup30, - dup2, - dup3, - dup4, - setc("event_description","Upgrade of module ended"), - ])); - - var msg306 = msg("LCM_MODULE_UPGRADE_END", part258); - - var part259 = match("MESSAGE#300:FIPS_POST_INFO_MSG", "nwparser.payload", "Recieved insert for %{fld50}", processor_chain([ - dup63, - dup34, - dup78, - dup35, - dup2, - dup3, - dup4, - setc("event_description","Recieved insert for lc mod"), - ])); - - var msg307 = msg("FIPS_POST_INFO_MSG", part259); - - var part260 = match("MESSAGE#301:PEER_VPC_CFGD", "nwparser.payload", "peer vPC %{obj_name->} is configured", processor_chain([ - dup30, - dup34, - dup38, - dup17, - dup2, - dup3, - dup4, - setc("event_description","peer vPC is configured"), - dup74, - ])); - - var msg308 = msg("PEER_VPC_CFGD", part260); - - var part261 = match("MESSAGE#302:SYN_COLL_DIS_EN", "nwparser.payload", "%{info}: Potential Interop issue on [%{interface}]: %{result}", processor_chain([ - dup73, - dup34, - dup38, - dup72, - dup2, - dup3, - dup4, - setc("event_description","Potential Interop issue on interface."), - ])); - - var msg309 = msg("SYN_COLL_DIS_EN", part261); - - var part262 = match("MESSAGE#303:NOHMS_ENV_FEX_OFFLINE", "nwparser.payload", "%{device->} Off-line (Serial Number %{fld42})", processor_chain([ - dup30, - dup2, - dup3, - dup4, - setc("event_description","FEX OFFLINE"), - ])); - - var msg310 = msg("NOHMS_ENV_FEX_OFFLINE", part262); - - var part263 = match("MESSAGE#304:NOHMS_ENV_FEX_ONLINE", "nwparser.payload", "%{device->} On-line", processor_chain([ - dup30, - dup2, - dup3, - dup4, - setc("event_description","FEX ONLINE"), - ])); - - var msg311 = msg("NOHMS_ENV_FEX_ONLINE", part263); - - var part264 = match("MESSAGE#305:FEX_STATUS_online", "nwparser.payload", "%{device->} is online", processor_chain([ - dup30, - dup2, - dup3, - dup4, - 
setc("event_description","Fex is online"), - ])); - - var msg312 = msg("FEX_STATUS_online", part264); - - var part265 = match("MESSAGE#306:FEX_STATUS_offline", "nwparser.payload", "%{device->} is offline", processor_chain([ - dup30, - dup2, - dup3, - dup4, - setc("event_description","Fex is offline"), - ])); - - var msg313 = msg("FEX_STATUS_offline", part265); - - var select40 = linear_select([ - msg312, - msg313, - ]); - - var part266 = match("MESSAGE#307:PS_PWR_INPUT_MISSING", "nwparser.payload", "Power supply %{fld41->} present but all AC/DC inputs are not connected, power redundancy might be affected", processor_chain([ - dup73, - dup38, - dup72, - dup2, - dup3, - dup4, - setc("event_description","Power supply present but all AC/DC inputs are not connected, power redundancy might be affected"), - ])); - - var msg314 = msg("PS_PWR_INPUT_MISSING", part266); - - var part267 = match("MESSAGE#308:PS_RED_MODE_RESTORED", "nwparser.payload", "Power redundancy operational mode changed to %{change_new}", processor_chain([ - dup30, - dup16, - dup38, - dup2, - dup3, - dup4, - setc("event_description","Power redundancy operational mode changed."), - setc("change_attribute","operational mode"), - ])); - - var msg315 = msg("PS_RED_MODE_RESTORED", part267); - - var part268 = match("MESSAGE#309:MOD_PWRFAIL_EJECTORS_OPEN", "nwparser.payload", "All ejectors open, Module %{fld41->} will not be powered up (Serial number %{fld42})", processor_chain([ - dup1, - dup2, - dup3, - dup4, - setc("event_description","All ejectors open, Module will not be powered up."), - ])); - - var msg316 = msg("MOD_PWRFAIL_EJECTORS_OPEN", part268); - - var part269 = match("MESSAGE#310:PINNING_CHANGED", "nwparser.payload", "%{device->} pinning information is changed", processor_chain([ - dup30, - dup16, - dup38, - dup2, - dup3, - dup4, - setc("event_description","Fex pinning information is changed"), - ])); - - var msg317 = msg("PINNING_CHANGED", part269); - - var part270 = match("MESSAGE#311:SATCTRL", 
"nwparser.payload", "%{device->} Module %{fld41}: Cold boot", processor_chain([ - dup30, - dup2, - dup3, - dup4, - setc("event_description","FEX-100 Module -Cold boot"), - ])); - - var msg318 = msg("SATCTRL", part270); - - var part271 = match("MESSAGE#312:DUP_REGISTER", "nwparser.payload", "%{fld51->} [%{fld52}] Client %{fld43->} register more than once with same pid%{info}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - setc("event_description","Client register more than once with same pid"), - ])); - - var msg319 = msg("DUP_REGISTER", part271); - - var part272 = match("MESSAGE#313:UNKNOWN_MTYPE", "nwparser.payload", "%{fld51->} [%{fld52}] Unknown mtype: %{info}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - setc("event_description","Unknown mtype"), - ])); - - var msg320 = msg("UNKNOWN_MTYPE", part272); - - var part273 = match("MESSAGE#314:SATCTRL_IMAGE", "nwparser.payload", "%{fld51->} %{event_description}", processor_chain([ - dup30, - dup16, - dup38, - dup2, - dup3, - dup4, - ])); - - var msg321 = msg("SATCTRL_IMAGE", part273); - - var part274 = match("MESSAGE#315:API_FAILED", "nwparser.payload", "%{fld51->} [%{fld52}] %{event_description}", processor_chain([ - dup1, - setc("ec_subject","Process"), - dup14, - dup2, - dup3, - dup4, - ])); - - var msg322 = msg("API_FAILED", part274); - - var part275 = match_copy("MESSAGE#316:SENSOR_MSG1", "nwparser.payload", "event_description", processor_chain([ - dup8, - dup2, - dup3, - dup4, - ])); - - var msg323 = msg("SENSOR_MSG1", part275); - - var part276 = match("MESSAGE#317:API_INIT_SEM_CLEAR", "nwparser.payload", "%{fld51->} [%{fld52}] %{event_description}", processor_chain([ - dup30, - dup2, - dup3, - dup4, - ])); - - var msg324 = msg("API_INIT_SEM_CLEAR", part276); - - var part277 = match("MESSAGE#318:VDC_ONLINE", "nwparser.payload", "vdc %{fld51->} has come online", processor_chain([ - dup30, - dup2, - dup3, - dup4, - setc("event_description","vdc has come online"), - ])); - - var msg325 = 
msg("VDC_ONLINE", part277); - - var part278 = match("MESSAGE#319:LACP_SUSPEND_INDIVIDUAL", "nwparser.payload", "LACP port %{portname->} of port-channel %{interface->} not receiving any LACP BPDUs %{result}", processor_chain([ - dup77, - dup34, - dup78, - dup35, - dup72, - dup2, - dup3, - dup4, - setc("event_description","LACP port of port-channel not receiving any LACP BPDUs."), - ])); - - var msg326 = msg("LACP_SUSPEND_INDIVIDUAL", part278); - - var part279 = match("MESSAGE#320:dstats", "nwparser.payload", "%{process}: %{info}", processor_chain([ - dup8, - dup2, - dup3, - dup4, - ])); - - var msg327 = msg("dstats", part279); - - var part280 = match("MESSAGE#321:MSG_PORT_LOGGED_OUT", "nwparser.payload", "%{fld52->} [VSAN %{fld51}, Interface %{interface}: %{fld53->} Nx Port %{portname->} logged OUT.", processor_chain([ - dup77, - dup34, - setc("ec_activity","Logoff"), - dup35, - dup2, - dup3, - dup4, - ])); - - var msg328 = msg("MSG_PORT_LOGGED_OUT", part280); - - var part281 = match("MESSAGE#322:MSG_PORT_LOGGED_IN", "nwparser.payload", "%{fld52->} [VSAN %{fld51}, Interface %{interface}: %{fld53->} Nx Port %{portname->} with FCID %{fld54->} logged IN.", processor_chain([ - dup77, - dup34, - dup13, - dup35, - dup2, - dup3, - dup4, - ])); - - var msg329 = msg("MSG_PORT_LOGGED_IN", part281); - - var msg330 = msg("IF_DOWN_ELP_FAILURE_ISOLATION", dup96); - - var part282 = match("MESSAGE#324:ZS_MERGE_FAILED", "nwparser.payload", "%{fld52->} Zone merge failure, isolating interface %{interface->} reason: %{result}:[%{resultcode}]", processor_chain([ - dup23, - dup34, - dup35, - dup14, - dup2, - dup3, - dup4, - ])); - - var msg331 = msg("ZS_MERGE_FAILED", part282); - - var msg332 = msg("IF_DOWN_ZONE_MERGE_FAILURE_ISOLATION", dup96); - - var part283 = match("MESSAGE#326:MAC_MOVE_NOTIFICATION", "nwparser.payload", "Host %{hostname->} in vlan %{vlan->} is flapping between port %{change_old->} and port %{change_new}", processor_chain([ - dup23, - dup34, - dup35, - dup2, - dup3, 
- dup4, - setc("change_attribute","Port"), - ])); - - var msg333 = msg("MAC_MOVE_NOTIFICATION", part283); - - var part284 = match("MESSAGE#327:zone", "nwparser.payload", "num_tlv greater than 1, %{result}", processor_chain([ - dup8, - dup2, - dup3, - dup4, - ])); - - var msg334 = msg("zone", part284); - - var part285 = match("MESSAGE#328:ERROR", "nwparser.payload", "%{event_description}: %{info}", processor_chain([ - dup1, - dup34, - dup35, - dup72, - dup2, - dup3, - dup4, - ])); - - var msg335 = msg("ERROR", part285); - - var part286 = match("MESSAGE#329:INVAL_IP", "nwparser.payload", "%{agent->} [%{process_id}] Received packet with invalid destination IP address (%{daddr}) from %{smacaddr->} on %{interface}", processor_chain([ - dup77, - dup34, - dup78, - dup35, - dup72, - dup2, - dup3, - dup4, - ])); - - var msg336 = msg("INVAL_IP", part286); - - var part287 = match("MESSAGE#330:SYSLOG_SL_MSG_WARNING", "nwparser.payload", "%{process}: message repeated %{dclass_counter1->} times in last %{duration}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - ])); - - var msg337 = msg("SYSLOG_SL_MSG_WARNING", part287); - - var part288 = match("MESSAGE#331:DUPLEX_MISMATCH", "nwparser.payload", "Duplex mismatch discovered on %{interface}, with %{fld55}", processor_chain([ - dup77, - dup34, - dup35, - dup72, - dup2, - dup3, - dup4, - ])); - - var msg338 = msg("DUPLEX_MISMATCH", part288); - - var part289 = match("MESSAGE#332:NOHMS_DIAG_ERROR", "nwparser.payload", "Module %{fld20}: Runtime diag detected major event: Fabric port failure %{interface}", processor_chain([ - dup77, - dup34, - dup35, - dup72, - dup2, - dup3, - dup4, - ])); - - var msg339 = msg("NOHMS_DIAG_ERROR", part289); - - var part290 = match("MESSAGE#333:STM_LEARNING_RE_ENABLE", "nwparser.payload", "Re enabling dynamic learning on all interfaces%{}", processor_chain([ - dup15, - dup34, - dup35, - dup2, - dup3, - dup4, - ])); - - var msg340 = msg("STM_LEARNING_RE_ENABLE", part290); - - var part291 = 
match("MESSAGE#334:UDLD_PORT_DISABLED", "nwparser.payload", "UDLD disabled interface %{interface}, %{result}", processor_chain([ - dup77, - dup34, - dup35, - dup72, - dup2, - dup3, - dup4, - ])); - - var msg341 = msg("UDLD_PORT_DISABLED", part291); - - var part292 = match("MESSAGE#335:ntpd", "nwparser.payload", "ntp:no servers reachable%{}", processor_chain([ - dup15, - dup2, - dup4, - ])); - - var msg342 = msg("ntpd", part292); - - var part293 = match("MESSAGE#336:ntpd:01", "nwparser.payload", "ntp:event EVNT_UNREACH %{saddr}", processor_chain([ - dup15, - dup2, - dup4, - ])); - - var msg343 = msg("ntpd:01", part293); - - var part294 = match("MESSAGE#337:ntpd:02", "nwparser.payload", "ntp:event EVNT_REACH %{saddr}", processor_chain([ - dup15, - dup2, - dup4, - ])); - - var msg344 = msg("ntpd:02", part294); - - var part295 = match("MESSAGE#338:ntpd:03", "nwparser.payload", "ntp:synchronized to %{saddr}, stratum %{fld9}", processor_chain([ - dup15, - dup2, - dup4, - ])); - - var msg345 = msg("ntpd:03", part295); - - var part296 = match("MESSAGE#339:ntpd:04", "nwparser.payload", "ntp:%{event_description}", processor_chain([ - dup15, - dup2, - dup4, - ])); - - var msg346 = msg("ntpd:04", part296); - - var select41 = linear_select([ - msg342, - msg343, - msg344, - msg345, - msg346, - ]); - - var part297 = match_copy("MESSAGE#340:PFM_ALERT", "nwparser.payload", "event_description", processor_chain([ - dup9, - dup2, - dup3, - dup4, - ])); - - var msg347 = msg("PFM_ALERT", part297); - - var part298 = match("MESSAGE#341:SERVICEFOUND", "nwparser.payload", "Service %{service->} acquired on WCCP Client %{saddr}", processor_chain([ - dup61, - dup2, - dup3, - dup4, - setc("event_description","Service acquired on WCCP Client"), - ])); - - var msg348 = msg("SERVICEFOUND", part298); - - var part299 = match("MESSAGE#342:ROUTERFOUND", "nwparser.payload", "Service %{service->} acquired on WCCP Router %{saddr}", processor_chain([ - dup61, - dup2, - dup3, - dup4, - 
setc("event_description","Service acquired on WCCP Router"), - ])); - - var msg349 = msg("ROUTERFOUND", part299); - - var part300 = match("MESSAGE#343:%AUTHPRIV-3-SYSTEM_MSG", "nwparser.payload", "pam_aaa:Authentication failed from %{shost->} - %{agent}", processor_chain([ - dup5, - dup2, - dup3, - dup4, - setc("event_description","Authentication failed"), - ])); - - var msg350 = msg("%AUTHPRIV-3-SYSTEM_MSG", part300); - - var part301 = match("MESSAGE#344:%AUTHPRIV-5-SYSTEM_MSG", "nwparser.payload", "New user added with username %{username->} - %{agent}", processor_chain([ - dup18, - dup2, - dup12, - dup3, - dup4, - setc("event_description","New user added"), - ])); - - var msg351 = msg("%AUTHPRIV-5-SYSTEM_MSG", part301); - - var part302 = match("MESSAGE#345:%AUTHPRIV-6-SYSTEM_MSG:01", "nwparser.payload", "%{action}: %{service->} pid=%{process_id->} from=::ffff:%{saddr->} - %{agent}", processor_chain([ - dup10, - dup2, - dup12, - dup3, - dup4, - ])); - - var msg352 = msg("%AUTHPRIV-6-SYSTEM_MSG:01", part302); - - var part303 = match("MESSAGE#346:%AUTHPRIV-6-SYSTEM_MSG", "nwparser.payload", "pam_unix(%{fld1}:session): session opened for user %{username->} by (uid=%{uid}) - %{agent}", processor_chain([ - dup10, - dup2, - dup12, - dup3, - dup4, - setc("event_description","session opened for user"), - ])); - - var msg353 = msg("%AUTHPRIV-6-SYSTEM_MSG", part303); - - var select42 = linear_select([ - msg352, - msg353, - ]); - - var part304 = match("MESSAGE#347:%USER-3-SYSTEM_MSG", "nwparser.payload", "error: %{result}", processor_chain([ - dup5, - dup2, - dup3, - dup4, - ])); - - var msg354 = msg("%USER-3-SYSTEM_MSG", part304); - - var part305 = match("MESSAGE#348:%USER-6-SYSTEM_MSG", "nwparser.payload", "Invalid user %{username->} from %{saddr->} - %{agent}", processor_chain([ - dup5, - dup2, - dup3, - dup4, - dup82, - ])); - - var msg355 = msg("%USER-6-SYSTEM_MSG", part305); - - var part306 = match("MESSAGE#349:%USER-6-SYSTEM_MSG:01", "nwparser.payload", 
"input_userauth_request: invalid user %{username->} - %{agent}", processor_chain([ - dup5, - dup2, - dup3, - dup4, - dup82, - ])); - - var msg356 = msg("%USER-6-SYSTEM_MSG:01", part306); - - var part307 = match("MESSAGE#350:%USER-6-SYSTEM_MSG:02", "nwparser.payload", "Failed none for invalid user %{username->} from %{saddr->} port %{sport->} %{protocol->} - %{agent}", processor_chain([ - dup5, - dup2, - dup3, - dup4, - setc("event_description","Failed none for invalid user"), - ])); - - var msg357 = msg("%USER-6-SYSTEM_MSG:02", part307); - - var part308 = match("MESSAGE#351:%USER-6-SYSTEM_MSG:03", "nwparser.payload", "Accepted password for %{username->} from %{saddr->} port %{sport->} %{protocol->} - %{agent}", processor_chain([ - dup83, - dup2, - dup3, - dup4, - setc("event_description","Accepted password for user"), - ])); - - var msg358 = msg("%USER-6-SYSTEM_MSG:03", part308); - - var part309 = match("MESSAGE#352:%USER-6-SYSTEM_MSG:04", "nwparser.payload", "lastlog_openseek: Couldn't stat %{directory}: No such file or directory - %{agent}", processor_chain([ - dup83, - dup2, - dup3, - dup4, - setc("event_description","No such file or directory"), - ])); - - var msg359 = msg("%USER-6-SYSTEM_MSG:04", part309); - - var part310 = match("MESSAGE#353:%USER-6-SYSTEM_MSG:05", "nwparser.payload", "Could not load host key: %{encryption_type->} - %{agent}", processor_chain([ - dup83, - dup2, - dup3, - dup4, - setc("event_description","Could not load host key"), - ])); - - var msg360 = msg("%USER-6-SYSTEM_MSG:05", part310); - - var part311 = match("MESSAGE#354:%USER-6-SYSTEM_MSG:06", "nwparser.payload", "%{event_description->} - %{agent}", processor_chain([ - dup83, - dup2, - dup3, - dup4, - ])); - - var msg361 = msg("%USER-6-SYSTEM_MSG:06", part311); - - var select43 = linear_select([ - msg355, - msg356, - msg357, - msg358, - msg359, - msg360, - msg361, - ]); - - var part312 = match("MESSAGE#355:L2FM_MAC_FLAP_DISABLE_LEARN", "nwparser.payload", "Disabling learning in vlan 
%{vlan->} for %{duration}s due to too many mac moves", processor_chain([ - dup30, - dup2, - dup4, - setc("ec_activity","Disable"), - ])); - - var msg362 = msg("L2FM_MAC_FLAP_DISABLE_LEARN", part312); - - var part313 = match("MESSAGE#356:L2FM_MAC_FLAP_RE_ENABLE_LEARN", "nwparser.payload", "Re-enabling learning in vlan %{vlan}", processor_chain([ - dup30, - dup2, - dup4, - dup37, - ])); - - var msg363 = msg("L2FM_MAC_FLAP_RE_ENABLE_LEARN", part313); - - var part314 = match("MESSAGE#357:PS_ABSENT", "nwparser.payload", "Power supply %{fld1->} is %{disposition}, ps-redundancy might be affected", processor_chain([ - dup1, - dup2, - dup4, - ])); - - var msg364 = msg("PS_ABSENT", part314); - - var part315 = match("MESSAGE#358:PS_DETECT", "nwparser.payload", "Power supply %{fld1->} detected but %{disposition->} (Serial number %{serial_number})", processor_chain([ - dup1, - dup2, - dup4, - ])); - - var msg365 = msg("PS_DETECT", part315); - - var part316 = match("MESSAGE#359:SUBPROC_TERMINATED", "nwparser.payload", "\"System Manager (configuration controller)\" (PID %{process_id}) has finished with error code %{result->} (%{resultcode}).", processor_chain([ - dup1, - dup2, - dup4, - ])); - - var msg366 = msg("SUBPROC_TERMINATED", part316); - - var part317 = match("MESSAGE#360:SUBPROC_SUCCESS_EXIT", "nwparser.payload", "\"%{service}\" (PID %{process_id}) has successfully exited with exit code %{result->} (%{resultcode}).", processor_chain([ - dup15, - dup2, - dup4, - dup84, - dup17, - ])); - - var msg367 = msg("SUBPROC_SUCCESS_EXIT", part317); - - var part318 = match("MESSAGE#361:UPDOWN", "nwparser.payload", "Line Protocol on Interface vlan %{vlan}, changed state to %{disposition}", processor_chain([ - dup30, - dup2, - dup4, - ])); - - var msg368 = msg("UPDOWN", part318); - - var part319 = match("MESSAGE#362:L2FM_MAC_MOVE2", "nwparser.payload", "Mac %{smacaddr->} in vlan %{vlan->} has moved between %{change_old->} to %{change_new}", processor_chain([ - dup30, - dup2, - dup4, - 
setc("change_attribute","Interface"), - ])); - - var msg369 = msg("L2FM_MAC_MOVE2", part319); - - var part320 = match("MESSAGE#363:PFM_PS_RED_MODE_CHG", "nwparser.payload", "Power redundancy configured mode changed to %{event_state}", processor_chain([ - dup30, - dup2, - dup4, - dup38, - ])); - - var msg370 = msg("PFM_PS_RED_MODE_CHG", part320); - - var part321 = match("MESSAGE#364:PS_RED_MODE_CHG", "nwparser.payload", "Power supply operational redundancy mode changed to %{event_state}", processor_chain([ - dup30, - dup2, - dup4, - dup38, - ])); - - var msg371 = msg("PS_RED_MODE_CHG", part321); - - var part322 = match("MESSAGE#365:INVAL_MAC", "nwparser.payload", "%{agent->} [%{process_id}] Received packet with invalid source MAC address (%{smacaddr}) from %{saddr->} on %{vlan}", processor_chain([ - dup63, - dup2, - dup4, - ])); - - var msg372 = msg("INVAL_MAC", part322); - - var part323 = match("MESSAGE#366:SRVSTATE_CHANGED", "nwparser.payload", "State for service \"%{service}\" changed from %{change_old->} to %{change_new->} in vdc %{fld1}.", processor_chain([ - dup15, - dup2, - dup4, - setc("change_attribute","Service status"), - ])); - - var msg373 = msg("SRVSTATE_CHANGED", part323); - - var part324 = match_copy("MESSAGE#367:INFO", "nwparser.payload", "event_description", processor_chain([ - dup63, - dup2, - dup4, - ])); - - var msg374 = msg("INFO", part324); - - var part325 = match("MESSAGE#374:SERVICE_STARTED", "nwparser.payload", "Service \"%{service}\" in vdc %{fld1->} started with PID(%{process_id}).", processor_chain([ - dup15, - dup2, - dup4, - dup84, - dup76, - dup17, - ])); - - var msg375 = msg("SERVICE_STARTED", part325); - - var part326 = match("MESSAGE#375:DUP_VADDR_SRCIP_PROBE", "nwparser.payload", "%{process->} [%{process_id}] Duplicate address Detected. 
Probe packet received from %{smacaddr->} on %{vlan->} with destination set to our local Virtual ip, %{saddr}", processor_chain([ - dup8, - dup2, - dup3, - dup4, - dup85, - ])); - - var msg376 = msg("DUP_VADDR_SRCIP_PROBE", part326); - - var part327 = match("MESSAGE#376:DUP_SRCIP_PROBE", "nwparser.payload", "%{process->} [%{process_id}] Duplicate address Detected. Probe packet received from %{smacaddr->} on %{vlan->} with destination set to our local ip, %{saddr}", processor_chain([ - dup8, - dup2, - dup3, - dup4, - dup85, - ])); - - var msg377 = msg("DUP_SRCIP_PROBE", part327); - - var chain1 = processor_chain([ - select1, - msgid_select({ - "%AUTHPRIV-3-SYSTEM_MSG": msg350, - "%AUTHPRIV-5-SYSTEM_MSG": msg351, - "%AUTHPRIV-6-SYSTEM_MSG": select42, - "%USER-3-SYSTEM_MSG": msg354, - "%USER-6-SYSTEM_MSG": select43, - "AAA_ACCOUNTING_MESSAGE": select28, - "ACLLOG_FLOW_INTERVAL": msg187, - "ACLLOG_MAXFLOW_REACHED": msg188, - "ACLLOG_NEW_FLOW": msg189, - "ACTIVE_LOWER_MEM_THAN_STANDBY": msg298, - "ACTIVE_SUP_OK": msg74, - "ADDON_IMG_DNLD_COMPLETE": msg60, - "ADDON_IMG_DNLD_STARTED": msg61, - "ADDON_IMG_DNLD_SUCCESSFUL": msg62, - "ADJCHANGE": msg217, - "API_FAILED": msg322, - "API_INIT_SEM_CLEAR": msg324, - "BIOS_DAEMON_LC_PRI_BOOT": msg262, - "CFGWRITE_ABORTED": msg135, - "CFGWRITE_ABORTED_LOCK": msg133, - "CFGWRITE_DONE": msg136, - "CFGWRITE_FAILED": msg134, - "CFGWRITE_STARTED": msg137, - "CFGWRITE_USER_ABORT": msg198, - "CHASSIS_CLKMODOK": msg80, - "CHASSIS_CLKSRC": msg81, - "CONN_CONNECT": msg145, - "CONN_DISCONNECT": msg146, - "CREATED": msg51, - "DELETE_STALE_USER_ACCOUNT": msg258, - "DISPUTE_CLEARED": msg77, - "DISPUTE_DETECTED": msg78, - "DOMAIN_CFG_SYNC_DONE": msg79, - "DUPLEX_MISMATCH": msg338, - "DUP_REGISTER": msg319, - "DUP_SRCIP_PROBE": msg377, - "DUP_VADDR_SRCIP_PROBE": msg376, - "DUP_VADDR_SRC_IP": msg190, - "DVPG_CREATE": msg147, - "DVPG_DELETE": msg148, - "DVS_HOSTMEMBER_INFO": msg149, - "DVS_NAME_CHANGE": msg150, - "EJECTOR_STAT_CHANGED": msg270, - 
"ERROR": msg335, - "ERR_MSG": msg131, - "EVENT": msg206, - "FAN_DETECT": msg97, - "FAN_OK": msg82, - "FCIP_PEER_CAVIUM": msg233, - "FEX_PORT_STATUS_NOTI": msg214, - "FEX_STATUS": select40, - "FIPS_POST_INFO_MSG": msg307, - "FOP_CHANGED": msg52, - "HASEQNO_SYNC_FAILED": msg287, - "HEARTBEAT_FAILURE": msg240, - "IF_ADMIN_UP": msg259, - "IF_ATTACHED": msg138, - "IF_BANDWIDTH_CHANGE": msg210, - "IF_BRINGUP_ALLOWED_FCOT_CHECKSUM_ERR": msg203, - "IF_DELETE_AUTO": msg139, - "IF_DETACHED": msg140, - "IF_DETACHED_MODULE_REMOVED": msg141, - "IF_DOWN_ADMIN_DOWN": select11, - "IF_DOWN_BIT_ERR_RT_THRES_EXCEEDED": msg199, - "IF_DOWN_CFG_CHANGE": msg193, - "IF_DOWN_CHANNEL_ADMIN_DOWN": msg295, - "IF_DOWN_CHANNEL_MEMBERSHIP_UPDATE_IN_PROGRESS": msg38, - "IF_DOWN_ELP_FAILURE_ISOLATION": msg330, - "IF_DOWN_ERROR_DISABLED": msg35, - "IF_DOWN_FCOT_NOT_PRESENT": select17, - "IF_DOWN_INACTIVE": msg142, - "IF_DOWN_INITIALIZING": select18, - "IF_DOWN_INTERFACE_REMOVED": msg39, - "IF_DOWN_LINK_FAILURE": select12, - "IF_DOWN_MODULE_REMOVED": msg42, - "IF_DOWN_NONE": select19, - "IF_DOWN_NON_PARTICIPATING": msg143, - "IF_DOWN_NOS_RCVD": select20, - "IF_DOWN_OFFLINE": msg114, - "IF_DOWN_OLS_RCVD": msg115, - "IF_DOWN_PARENT_ADMIN_DOWN": msg211, - "IF_DOWN_PEER_CLOSE": msg234, - "IF_DOWN_PEER_RESET": msg235, - "IF_DOWN_PORT_CHANNEL_MEMBERS_DOWN": msg43, - "IF_DOWN_SOFTWARE_FAILURE": msg116, - "IF_DOWN_SRC_PORT_NOT_BOUND": msg117, - "IF_DOWN_SUSPENDED_BY_SPEED": msg293, - "IF_DOWN_TCP_MAX_RETRANSMIT": msg232, - "IF_DOWN_VEM_UNLICENSED": msg144, - "IF_DOWN_ZONE_MERGE_FAILURE_ISOLATION": msg332, - "IF_DUPLEX": msg44, - "IF_ERRDIS_RECOVERY": msg296, - "IF_ERROR_VLANS_REMOVED": msg191, - "IF_ERROR_VLANS_SUSPENDED": msg192, - "IF_HARDWARE": msg239, - "IF_NON_CISCO_TRANSCEIVER": msg297, - "IF_PORTPROFILE_ATTACHED": msg125, - "IF_RX_FLOW_CONTROL": msg45, - "IF_SEQ_ERROR": msg46, - "IF_SFP_ALARM": select35, - "IF_SFP_WARNING": msg231, - "IF_TRUNK_DOWN": select21, - "IF_TRUNK_UP": select22, - 
"IF_TX_FLOW_CONTROL": msg47, - "IF_UP": select13, - "IF_XCVR_ALARM": select34, - "IF_XCVR_WARNING": select33, - "IMG_DNLD_COMPLETE": msg63, - "IMG_DNLD_STARTED": msg64, - "IM_INTF_STATE": msg283, - "IM_SEQ_ERROR": msg59, - "INFO": msg374, - "INFORMATION": msg205, - "INTF_CONSISTENCY_FAILED": msg236, - "INTF_CONSISTENCY_SUCCESS": msg237, - "INTF_COUNTERS_CLEARED": msg238, - "INVAL_IP": msg336, - "INVAL_MAC": msg372, - "L2FMC_NL_MTS_SEND_FAILURE": msg290, - "L2FM_MAC_FLAP_DISABLE_LEARN": msg362, - "L2FM_MAC_FLAP_RE_ENABLE_LEARN": msg363, - "L2FM_MAC_MOVE2": msg369, - "LACP_SUSPEND_INDIVIDUAL": msg326, - "LCM_MODULE_UPGRADE_END": msg306, - "LCM_MODULE_UPGRADE_START": msg305, - "LC_UPGRADE_REBOOT": msg302, - "LC_UPGRADE_START": msg301, - "LOG-7-SYSTEM_MSG": msg1, - "LOG_CMP_AAA_FAILURE": msg67, - "LOG_CMP_UP": msg244, - "LOG_LIC_N1K_EXPIRY_WARNING": msg68, - "M2FIB_MAC_TBL_PRGMING": msg257, - "MAC_MOVE_NOTIFICATION": msg333, - "MEMORY_ALERT": msg249, - "MEMORY_ALERT_RECOVERED": msg250, - "MESG": msg130, - "MODULE_LOCK_FAILED": msg289, - "MODULE_ONLINE": msg261, - "MOD_BRINGUP_MULTI_LIMIT": msg96, - "MOD_DETECT": msg83, - "MOD_FAIL": msg69, - "MOD_MAJORSWFAIL": msg70, - "MOD_OK": msg75, - "MOD_PWRDN": msg84, - "MOD_PWRFAIL_EJECTORS_OPEN": msg316, - "MOD_PWRUP": msg85, - "MOD_REMOVE": msg86, - "MOD_RESTART": msg76, - "MOD_SRG_NOT_COMPATIBLE": msg71, - "MOD_STATUS": msg98, - "MOD_WARNING": select14, - "MOUNT": msg243, - "MSG_PORT_LOGGED_IN": msg329, - "MSG_PORT_LOGGED_OUT": msg328, - "MSG_SEND_FAILURE_STANDBY_RESET": msg288, - "MSM_CRIT": msg66, - "MST_PORT_BOUNDARY": msg281, - "MTSERROR": msg34, - "MTS_DROP": msg57, - "NATIVE_VLAN_MISMATCH": msg207, - "NBRCHANGE_DUAL": msg253, - "NEIGHBOR_ADDED": msg208, - "NEIGHBOR_REMOVED": msg209, - "NEIGHBOR_UPDATE_AUTOCOPY": msg33, - "NOHMS_DIAG_ERROR": msg339, - "NOHMS_DIAG_ERR_PS_FAIL": msg215, - "NOHMS_DIAG_ERR_PS_RECOVERED": msg216, - "NOHMS_ENV_FEX_OFFLINE": msg310, - "NOHMS_ENV_FEX_ONLINE": msg311, - 
"PEER_KEEP_ALIVE_RECV_FAIL": msg266, - "PEER_KEEP_ALIVE_RECV_INT_LATEST": msg264, - "PEER_KEEP_ALIVE_RECV_SUCCESS": msg265, - "PEER_KEEP_ALIVE_SEND_INT_LATEST": msg267, - "PEER_KEEP_ALIVE_SEND_SUCCESS": msg268, - "PEER_KEEP_ALIVE_STATUS": msg269, - "PEER_VPC_CFGD": msg308, - "PEER_VPC_CFGD_VLANS_CHANGED": msg99, - "PEER_VPC_DELETED": msg100, - "PEER_VPC_DOWN": msg263, - "PFM_ALERT": msg347, - "PFM_CLOCK_CHANGE": msg194, - "PFM_FAN_FLTR_STATUS": msg242, - "PFM_MODULE_POWER_ON": msg87, - "PFM_PS_RED_MODE_CHG": msg370, - "PFM_SYSTEM_RESET": msg88, - "PFM_VEM_DETECTED": msg101, - "PFM_VEM_REMOVE_NO_HB": msg89, - "PFM_VEM_REMOVE_RESET": msg90, - "PFM_VEM_REMOVE_STATE_CONFLICT": msg91, - "PFM_VEM_REMOVE_TWO_ACT_VSM": msg92, - "PFM_VEM_UNLICENSED": msg93, - "PINNING_CHANGED": msg317, - "PIXM_SYSLOG_MESSAGE_TYPE_CRIT": msg282, - "POLICY_ACTIVATE_EVENT": msg27, - "POLICY_COMMIT_EVENT": msg28, - "POLICY_DEACTIVATE_EVENT": msg29, - "POLICY_LOOKUP_EVENT": select10, - "PORT_ADDED": msg218, - "PORT_DELETED": msg219, - "PORT_DOWN": msg53, - "PORT_INDIVIDUAL": msg294, - "PORT_INDIVIDUAL_DOWN": msg212, - "PORT_PROFILE_CHANGE_VERIFY_REQ_FAILURE": msg124, - "PORT_RANGE_ADDED": msg280, - "PORT_RANGE_DELETED": msg279, - "PORT_RANGE_ROLE": msg277, - "PORT_RANGE_STATE": msg278, - "PORT_ROLE": msg220, - "PORT_SOFTWARE_FAILURE": msg65, - "PORT_STATE": msg221, - "PORT_SUSPENDED": msg213, - "PORT_UP": msg54, - "PS_ABSENT": msg364, - "PS_CAPACITY_CHANGE": select16, - "PS_DETECT": msg365, - "PS_FAIL": msg204, - "PS_FANOK": msg94, - "PS_FOUND": msg102, - "PS_OK": msg95, - "PS_PWR_INPUT_MISSING": msg314, - "PS_RED_MODE_CHG": msg371, - "PS_RED_MODE_RESTORED": msg315, - "PS_STATUS": msg103, - "PVLAN_PPM_PORT_CONFIG_FAILED": msg129, - "READCONF_STARTED": msg299, - "RM_VICPP_RECREATE_ERROR": msg132, - "ROUTERFOUND": msg349, - "RUNTIME_DB_RESTORE_STARTED": msg303, - "RUNTIME_DB_RESTORE_SUCCESS": msg304, - "SATCTRL": msg318, - "SATCTRL_IMAGE": msg321, - "SENSOR_MSG1": msg323, - "SERVER_ADDED": msg291, 
- "SERVER_REMOVED": msg292, - "SERVICEFOUND": msg348, - "SERVICELOST": msg202, - "SERVICE_CRASHED": msg201, - "SERVICE_STARTED": msg375, - "SOHMS_DIAG_ERROR": select37, - "SPEED": msg50, - "SRVSTATE_CHANGED": msg373, - "STANDBY_SUP_OK": msg126, - "STM_LEARNING_RE_ENABLE": msg340, - "STM_LOOP_DETECT": msg127, - "SUBGROUP_ID_PORT_ADDED": msg55, - "SUBGROUP_ID_PORT_REMOVED": msg56, - "SUBPROC_SUCCESS_EXIT": msg367, - "SUBPROC_TERMINATED": msg366, - "SUP_POWERDOWN": msg300, - "SWITCHOVER_OVER": msg285, - "SYNC_COMPLETE": msg128, - "SYNC_FAILURE_STANDBY_RESET": msg195, - "SYN_COLL_DIS_EN": msg309, - "SYSLOG_LOG_WARNING": msg58, - "SYSLOG_SL_MSG_WARNING": msg337, - "SYSMGR_AUTOCOLLECT_TECH_SUPPORT_LOG": msg241, - "SYSTEM_MSG": select9, - "TACACS_ACCOUNTING_MESSAGE": select32, - "TACACS_ERROR_MESSAGE": msg230, - "UDLD_PORT_DISABLED": msg341, - "UNKNOWN_MTYPE": msg320, - "UPDOWN": msg368, - "VDC_HOSTNAME_CHANGE": msg26, - "VDC_MODULETYPE": msg286, - "VDC_ONLINE": msg325, - "VDC_STATE_CHANGE": msg284, - "VMS_PPM_SYNC_COMPLETE": msg151, - "VPC_CFGD": msg260, - "VPC_DELETED": msg152, - "VPC_ISSU_END": msg276, - "VPC_ISSU_START": msg275, - "VPC_UP": msg153, - "VSHD_SYSLOG_CONFIG_I": select25, - "XBAR_DETECT": msg271, - "XBAR_OK": msg274, - "XBAR_PWRDN": msg273, - "XBAR_PWRUP": msg272, - "ZS_MERGE_FAILED": msg331, - "dstats": msg327, - "last": msg200, - "ntpd": select41, - "snmpd": select29, - "zone": msg334, - }), - ]); - - var part328 = match_copy("MESSAGE#24:SYSTEM_MSG:08/0_1", "nwparser.payload", "event_description"); - - var part329 = match("MESSAGE#44:IF_RX_FLOW_CONTROL/1_0", "nwparser.p0", "rol%{p0}"); - - var part330 = match("MESSAGE#44:IF_RX_FLOW_CONTROL/1_1", "nwparser.p0", "ol%{p0}"); - - var part331 = match("MESSAGE#44:IF_RX_FLOW_CONTROL/2", "nwparser.p0", "%{}state changed to %{result}"); - - var part332 = match("MESSAGE#171:AAA_ACCOUNTING_MESSAGE:27/0", "nwparser.payload", "update:%{saddr}@%{terminal}:%{username}:%{p0}"); - - var part333 = 
match("MESSAGE#171:AAA_ACCOUNTING_MESSAGE:27/2", "nwparser.p0", "%{result})"); - - var part334 = match("MESSAGE#186:ACLLOG_FLOW_INTERVAL/0", "nwparser.payload", "S%{p0}"); - - var part335 = match("MESSAGE#186:ACLLOG_FLOW_INTERVAL/1_0", "nwparser.p0", "ource%{p0}"); - - var part336 = match("MESSAGE#186:ACLLOG_FLOW_INTERVAL/1_1", "nwparser.p0", "rc%{p0}"); - - var part337 = match("MESSAGE#186:ACLLOG_FLOW_INTERVAL/2", "nwparser.p0", "%{}IP: %{saddr}, D%{p0}"); - - var part338 = match("MESSAGE#186:ACLLOG_FLOW_INTERVAL/3_0", "nwparser.p0", "estination%{p0}"); - - var part339 = match("MESSAGE#186:ACLLOG_FLOW_INTERVAL/3_1", "nwparser.p0", "st%{p0}"); - - var part340 = match("MESSAGE#186:ACLLOG_FLOW_INTERVAL/4", "nwparser.p0", "%{}IP: %{daddr}, S%{p0}"); - - var part341 = match("MESSAGE#186:ACLLOG_FLOW_INTERVAL/6", "nwparser.p0", "%{}Port: %{sport}, D%{p0}"); - - var part342 = match("MESSAGE#186:ACLLOG_FLOW_INTERVAL/8", "nwparser.p0", "%{}Port: %{dport}, S%{p0}"); - - var part343 = match("MESSAGE#186:ACLLOG_FLOW_INTERVAL/9_0", "nwparser.p0", "ource Interface%{p0}"); - - var part344 = match("MESSAGE#186:ACLLOG_FLOW_INTERVAL/9_1", "nwparser.p0", "rc Intf%{p0}"); - - var part345 = match("MESSAGE#186:ACLLOG_FLOW_INTERVAL/10", "nwparser.p0", ": %{sinterface}, %{p0}"); - - var part346 = match("MESSAGE#186:ACLLOG_FLOW_INTERVAL/11_0", "nwparser.p0", "Protocol: %{p0}"); - - var part347 = match("MESSAGE#186:ACLLOG_FLOW_INTERVAL/11_1", "nwparser.p0", "protocol: %{p0}"); - - var part348 = match("MESSAGE#186:ACLLOG_FLOW_INTERVAL/12", "nwparser.p0", "\"%{protocol}\"(%{protocol_detail}),%{space->} Hit-count = %{dclass_counter1}"); - - var part349 = match("MESSAGE#372:TACACS_ACCOUNTING_MESSAGE:09/0", "nwparser.payload", "%{action}: %{p0}"); - - var part350 = match("MESSAGE#372:TACACS_ACCOUNTING_MESSAGE:09/1_0", "nwparser.p0", "%{saddr}@%{terminal}: %{p0}"); - - var part351 = match("MESSAGE#372:TACACS_ACCOUNTING_MESSAGE:09/1_1", "nwparser.p0", "%{fld1->} %{p0}"); - - var part352 = 
match("MESSAGE#372:TACACS_ACCOUNTING_MESSAGE:09/3_0", "nwparser.p0", "(%{result})%{info}"); - - var part353 = match_copy("MESSAGE#372:TACACS_ACCOUNTING_MESSAGE:09/3_1", "nwparser.p0", "info"); - - var part354 = match("MESSAGE#238:IF_XCVR_WARNING/0", "nwparser.payload", "Interface %{interface}, %{p0}"); - - var part355 = match("MESSAGE#238:IF_XCVR_WARNING/1_0", "nwparser.p0", "Low %{p0}"); - - var part356 = match("MESSAGE#238:IF_XCVR_WARNING/1_1", "nwparser.p0", "High %{p0}"); - - var part357 = match_copy("MESSAGE#0:LOG-7-SYSTEM_MSG", "nwparser.payload", "event_description", processor_chain([ - dup1, - dup2, - dup3, - dup4, - ])); - - var part358 = match_copy("MESSAGE#32:NEIGHBOR_UPDATE_AUTOCOPY", "nwparser.payload", "event_description", processor_chain([ - dup15, - dup2, - dup3, - dup4, - ])); - - var part359 = match("MESSAGE#35:IF_DOWN_ADMIN_DOWN", "nwparser.payload", "Interface %{interface->} is down (%{result})", processor_chain([ - dup23, - dup2, - dup3, - dup4, - ])); - - var part360 = match("MESSAGE#36:IF_DOWN_ADMIN_DOWN:01", "nwparser.payload", "%{fld43->} Interface %{interface->} is down (%{result})", processor_chain([ - dup23, - dup2, - dup3, - dup4, - ])); - - var part361 = match("MESSAGE#37:IF_DOWN_CHANNEL_MEMBERSHIP_UPDATE_IN_PROGRESS", "nwparser.payload", "Interface %{interface->} is down (%{result})", processor_chain([ - dup15, - dup2, - dup3, - dup4, - ])); - - var part362 = match("MESSAGE#38:IF_DOWN_INTERFACE_REMOVED", "nwparser.payload", "Interface %{interface->} is down (%{result})", processor_chain([ - dup24, - dup2, - dup3, - dup4, - ])); - - var select44 = linear_select([ - dup26, - dup27, - ]); - - var part363 = match_copy("MESSAGE#58:IM_SEQ_ERROR", "nwparser.payload", "result", processor_chain([ - dup1, - dup2, - dup3, - dup4, - ])); - - var part364 = match_copy("MESSAGE#88:PFM_VEM_REMOVE_NO_HB", "nwparser.payload", "event_description", processor_chain([ - dup24, - dup2, - dup3, - dup4, - ])); - - var part365 = 
match("MESSAGE#108:IF_DOWN_INITIALIZING:01", "nwparser.payload", "%{fld43->} Interface %{interface->} is down (%{result})", processor_chain([ - dup15, - dup2, - dup3, - dup4, - ])); - - var part366 = match("MESSAGE#110:IF_DOWN_NONE:01", "nwparser.payload", "%{fld52->} Interface %{interface->} is down (%{result})", processor_chain([ - dup23, - dup34, - dup35, - dup14, - dup2, - dup3, - dup4, - ])); - - var part367 = match_copy("MESSAGE#123:PORT_PROFILE_CHANGE_VERIFY_REQ_FAILURE", "nwparser.payload", "event_description", processor_chain([ - dup33, - dup2, - dup3, - dup4, - ])); - - var select45 = linear_select([ - dup46, - dup47, - ]); - - var select46 = linear_select([ - dup49, - dup50, - ]); - - var select47 = linear_select([ - dup54, - dup55, - ]); - - var select48 = linear_select([ - dup57, - dup58, - ]); - - var part368 = match_copy("MESSAGE#214:NOHMS_DIAG_ERR_PS_FAIL", "nwparser.payload", "event_description", processor_chain([ - dup23, - dup2, - dup3, - dup4, - ])); - - var select49 = linear_select([ - dup65, - dup66, - ]); - - var select50 = linear_select([ - dup67, - dup68, - ]); - - var part369 = match("MESSAGE#224:IF_SFP_WARNING", "nwparser.payload", "Interface %{interface}, %{event_description}", processor_chain([ - dup15, - dup2, - dup3, - dup4, - ])); - - var part370 = match("MESSAGE#225:IF_DOWN_TCP_MAX_RETRANSMIT", "nwparser.payload", "%{fld43->} Interface %{interface->} is down%{info}", processor_chain([ - dup23, - dup2, - dup3, - dup4, - ])); - - var select51 = linear_select([ - dup70, - dup71, - ]); - - var part371 = match("MESSAGE#239:IF_XCVR_WARNING:01", "nwparser.payload", "Interface %{interface}, %{event_description}", processor_chain([ - dup61, - dup2, - dup3, - dup4, - ])); - -- community_id: -- registered_domain: - ignore_missing: true - ignore_failure: true - field: dns.question.name - target_field: dns.question.registered_domain - target_subdomain_field: dns.question.subdomain - target_etld_field: dns.question.top_level_domain -- 
registered_domain: - ignore_missing: true - ignore_failure: true - field: client.domain - target_field: client.registered_domain - target_subdomain_field: client.subdomain - target_etld_field: client.top_level_domain -- registered_domain: - ignore_missing: true - ignore_failure: true - field: server.domain - target_field: server.registered_domain - target_subdomain_field: server.subdomain - target_etld_field: server.top_level_domain -- registered_domain: - ignore_missing: true - ignore_failure: true - field: destination.domain - target_field: destination.registered_domain - target_subdomain_field: destination.subdomain - target_etld_field: destination.top_level_domain -- registered_domain: - ignore_missing: true - ignore_failure: true - field: source.domain - target_field: source.registered_domain - target_subdomain_field: source.subdomain - target_etld_field: source.top_level_domain -- registered_domain: - ignore_missing: true - ignore_failure: true - field: url.domain - target_field: url.registered_domain - target_subdomain_field: url.subdomain - target_etld_field: url.top_level_domain -- add_locale: ~ diff --git a/packages/cisco_nexus/0.7.2/data_stream/log/agent/stream/tcp.yml.hbs b/packages/cisco_nexus/0.7.2/data_stream/log/agent/stream/tcp.yml.hbs deleted file mode 100755 index 9de232f8f2..0000000000 --- a/packages/cisco_nexus/0.7.2/data_stream/log/agent/stream/tcp.yml.hbs +++ /dev/null 
@@ -1,7176 +0,0 @@ -tcp: -host: "{{tcp_host}}:{{tcp_port}}" -tags: -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#each tags as |tag i|}} - - {{tag}} -{{/each}} -fields_under_root: true -fields: - observer: - vendor: "Cisco" - product: "Nexus" - type: "Switches" -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} -processors: -{{#if processors}} -{{processors}} -{{/if}} -- script: - lang: javascript - params: - ecs: true - rsa: {{rsa_fields}} - tz_offset: {{tz_offset}} - keep_raw: {{keep_raw_fields}} - debug: {{debug}} - source: | - // Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - // or more contributor license agreements. Licensed under the Elastic License; - // you may not use this file except in compliance with the Elastic License. - - /* jshint -W014,-W016,-W097,-W116 */ - - var processor = require("processor"); - var console = require("console"); - - var FLAG_FIELD = "log.flags"; - var FIELDS_OBJECT = "nwparser"; - var FIELDS_PREFIX = FIELDS_OBJECT + "."; - - var defaults = { - debug: false, - ecs: true, - rsa: false, - keep_raw: false, - tz_offset: "local", - strip_priority: true - }; - - var saved_flags = null; - var debug; - var map_ecs; - var map_rsa; - var keep_raw; - var device; - var tz_offset; - var strip_priority; - - // Register params from configuration. - function register(params) { - debug = params.debug !== undefined ? params.debug : defaults.debug; - map_ecs = params.ecs !== undefined ? params.ecs : defaults.ecs; - map_rsa = params.rsa !== undefined ? params.rsa : defaults.rsa; - keep_raw = params.keep_raw !== undefined ? params.keep_raw : defaults.keep_raw; - tz_offset = parse_tz_offset(params.tz_offset !== undefined? params.tz_offset : defaults.tz_offset); - strip_priority = params.strip_priority !== undefined? 
params.strip_priority : defaults.strip_priority; - device = new DeviceProcessor(); - } - - function parse_tz_offset(offset) { - var date; - var m; - switch(offset) { - // local uses the tz offset from the JS VM. - case "local": - date = new Date(); - // Reversing the sign as we the offset from UTC, not to UTC. - return parse_local_tz_offset(-date.getTimezoneOffset()); - // event uses the tz offset from event.timezone (add_locale processor). - case "event": - return offset; - // Otherwise a tz offset in the form "[+-][0-9]{4}" is required. - default: - m = offset.match(/^([+\-])([0-9]{2}):?([0-9]{2})?$/); - if (m === null || m.length !== 4) { - throw("bad timezone offset: '" + offset + "'. Must have the form +HH:MM"); - } - return m[1] + m[2] + ":" + (m[3]!==undefined? m[3] : "00"); - } - } - - function parse_local_tz_offset(minutes) { - var neg = minutes < 0; - minutes = Math.abs(minutes); - var min = minutes % 60; - var hours = Math.floor(minutes / 60); - var pad2digit = function(n) { - if (n < 10) { return "0" + n;} - return "" + n; - }; - return (neg? "-" : "+") + pad2digit(hours) + ":" + pad2digit(min); - } - - function process(evt) { - // Function register is only called by the processor when `params` are set - // in the processor config. - if (device === undefined) { - register(defaults); - } - return device.process(evt); - } - - function processor_chain(subprocessors) { - var builder = new processor.Chain(); - subprocessors.forEach(builder.Add); - return builder.Build().Run; - } - - function linear_select(subprocessors) { - return function (evt) { - var flags = evt.Get(FLAG_FIELD); - var i; - for (i = 0; i < subprocessors.length; i++) { - evt.Delete(FLAG_FIELD); - if (debug) console.warn("linear_select trying entry " + i); - subprocessors[i](evt); - // Dissect processor succeeded? 
- if (evt.Get(FLAG_FIELD) == null) break; - if (debug) console.warn("linear_select failed entry " + i); - } - if (flags !== null) { - evt.Put(FLAG_FIELD, flags); - } - if (debug) { - if (i < subprocessors.length) { - console.warn("linear_select matched entry " + i); - } else { - console.warn("linear_select didn't match"); - } - } - }; - } - - function conditional(opt) { - return function(evt) { - if (opt.if(evt)) { - opt.then(evt); - } else if (opt.else) { - opt.else(evt); - } - }; - } - - var strip_syslog_priority = (function() { - var isEnabled = function() { return strip_priority === true; }; - var fetchPRI = field("_pri"); - var fetchPayload = field("payload"); - var removePayload = remove(["payload"]); - var cleanup = remove(["_pri", "payload"]); - var onMatch = function(evt) { - var pri, priStr = fetchPRI(evt); - if (priStr != null - && 0 < priStr.length && priStr.length < 4 - && !isNaN((pri = Number(priStr))) - && 0 <= pri && pri < 192) { - var severity = pri & 7, - facility = pri >> 3; - setc("_severity", "" + severity)(evt); - setc("_facility", "" + facility)(evt); - // Replace message with priority stripped. - evt.Put("message", fetchPayload(evt)); - removePayload(evt); - } else { - // not a valid syslog PRI, cleanup. 
- cleanup(evt); - } - }; - return conditional({ - if: isEnabled, - then: cleanup_flags(match( - "STRIP_PRI", - "message", - "<%{_pri}>%{payload}", - onMatch - )) - }); - })(); - - function match(id, src, pattern, on_success) { - var dissect = new processor.Dissect({ - field: src, - tokenizer: pattern, - target_prefix: FIELDS_OBJECT, - ignore_failure: true, - overwrite_keys: true, - trim_values: "right" - }); - return function (evt) { - var msg = evt.Get(src); - dissect.Run(evt); - var failed = evt.Get(FLAG_FIELD) != null; - if (debug) { - if (failed) { - console.debug("dissect fail: " + id + " field:" + src); - } else { - console.debug("dissect OK: " + id + " field:" + src); - } - console.debug(" expr: <<" + pattern + ">>"); - console.debug(" input: <<" + msg + ">>"); - } - if (on_success != null && !failed) { - on_success(evt); - } - }; - } - - function match_copy(id, src, dst, on_success) { - dst = FIELDS_PREFIX + dst; - if (dst === FIELDS_PREFIX || dst === src) { - return function (evt) { - if (debug) { - console.debug("noop OK: " + id + " field:" + src); - console.debug(" input: <<" + evt.Get(src) + ">>"); - } - if (on_success != null) on_success(evt); - } - } - return function (evt) { - var msg = evt.Get(src); - evt.Put(dst, msg); - if (debug) { - console.debug("copy OK: " + id + " field:" + src); - console.debug(" target: '" + dst + "'"); - console.debug(" input: <<" + msg + ">>"); - } - if (on_success != null) on_success(evt); - } - } - - function cleanup_flags(processor) { - return function(evt) { - processor(evt); - evt.Delete(FLAG_FIELD); - }; - } - - function all_match(opts) { - return function (evt) { - var i; - for (i = 0; i < opts.processors.length; i++) { - evt.Delete(FLAG_FIELD); - opts.processors[i](evt); - // Dissect processor succeeded? 
- if (evt.Get(FLAG_FIELD) != null) { - if (debug) console.warn("all_match failure at " + i); - if (opts.on_failure != null) opts.on_failure(evt); - return; - } - if (debug) console.warn("all_match success at " + i); - } - if (opts.on_success != null) opts.on_success(evt); - }; - } - - function msgid_select(mapping) { - return function (evt) { - var msgid = evt.Get(FIELDS_PREFIX + "messageid"); - if (msgid == null) { - if (debug) console.warn("msgid_select: no messageid captured!"); - return; - } - var next = mapping[msgid]; - if (next === undefined) { - if (debug) console.warn("msgid_select: no mapping for messageid:" + msgid); - return; - } - if (debug) console.info("msgid_select: matched key=" + msgid); - return next(evt); - }; - } - - function msg(msg_id, match) { - return function (evt) { - match(evt); - if (evt.Get(FLAG_FIELD) == null) { - evt.Put(FIELDS_PREFIX + "msg_id1", msg_id); - } - }; - } - - var start; - - function save_flags(evt) { - saved_flags = evt.Get(FLAG_FIELD); - evt.Put("event.original", evt.Get("message")); - } - - function restore_flags(evt) { - if (saved_flags !== null) { - evt.Put(FLAG_FIELD, saved_flags); - } - evt.Delete("message"); - } - - function constant(value) { - return function (evt) { - return value; - }; - } - - function field(name) { - var fullname = FIELDS_PREFIX + name; - return function (evt) { - return evt.Get(fullname); - }; - } - - function STRCAT(args) { - var s = ""; - var i; - for (i = 0; i < args.length; i++) { - s += args[i]; - } - return s; - } - - // TODO: Implement - function DIRCHK(args) { - unimplemented("DIRCHK"); - } - - function strictToInt(str) { - return str * 1; - } - - function CALC(args) { - if (args.length !== 3) { - console.warn("skipped call to CALC with " + args.length + " arguments."); - return; - } - var a = strictToInt(args[0]); - var b = strictToInt(args[2]); - if (isNaN(a) || isNaN(b)) { - console.warn("failed evaluating CALC arguments a='" + args[0] + "' b='" + args[2] + "'."); - return; - } - 
var result; - switch (args[1]) { - case "+": - result = a + b; - break; - case "-": - result = a - b; - break; - case "*": - result = a * b; - break; - default: - // Only * and + seen in the parsers. - console.warn("unknown CALC operation '" + args[1] + "'."); - return; - } - // Always return a string - return result !== undefined ? "" + result : result; - } - - var quoteChars = "\"'`"; - function RMQ(args) { - if(args.length !== 1) { - console.warn("RMQ: only one argument expected"); - return; - } - var value = args[0].trim(); - var n = value.length; - var char; - return n > 1 - && (char=value.charAt(0)) === value.charAt(n-1) - && quoteChars.indexOf(char) !== -1? - value.substr(1, n-2) - : value; - } - - function call(opts) { - var args = new Array(opts.args.length); - return function (evt) { - for (var i = 0; i < opts.args.length; i++) - if ((args[i] = opts.args[i](evt)) == null) return; - var result = opts.fn(args); - if (result != null) { - evt.Put(opts.dest, result); - } - }; - } - - function nop(evt) { - } - - function appendErrorMsg(evt, msg) { - var value = evt.Get("error.message"); - if (value == null) { - value = [msg]; - } else if (msg instanceof Array) { - value.push(msg); - } else { - value = [value, msg]; - } - evt.Put("error.message", value); - } - - function unimplemented(name) { - appendErrorMsg("unimplemented feature: " + name); - } - - function lookup(opts) { - return function (evt) { - var key = opts.key(evt); - if (key == null) return; - var value = opts.map.keyvaluepairs[key]; - if (value === undefined) { - value = opts.map.default; - } - if (value !== undefined) { - evt.Put(opts.dest, value(evt)); - } - }; - } - - function set(fields) { - return new processor.AddFields({ - target: FIELDS_OBJECT, - fields: fields, - }); - } - - function setf(dst, src) { - return function (evt) { - var val = evt.Get(FIELDS_PREFIX + src); - if (val != null) evt.Put(FIELDS_PREFIX + dst, val); - }; - } - - function setc(dst, value) { - return function (evt) { - 
evt.Put(FIELDS_PREFIX + dst, value);
- };
- }
-
- function set_field(opts) {
- return function (evt) {
- var val = opts.value(evt);
- if (val != null) evt.Put(opts.dest, val);
- };
- }
-
- function dump(label) {
- return function (evt) {
- console.log("Dump of event at " + label + ": " + JSON.stringify(evt, null, "\t"));
- };
- }
-
- function date_time_join_args(evt, arglist) {
- var str = "";
- for (var i = 0; i < arglist.length; i++) {
- var fname = FIELDS_PREFIX + arglist[i];
- var val = evt.Get(fname);
- if (val != null) {
- if (str !== "") str += " ";
- str += val;
- } else {
- if (debug) console.warn("in date_time: input arg " + fname + " is not set");
- }
- }
- return str;
- }
-
- function to2Digit(num) {
- return num? (num < 10? "0" + num : num) : "00";
- }
-
- // Make two-digit dates 00-69 interpreted as 2000-2069
- // and dates 70-99 translated to 1970-1999.
- var twoDigitYearEpoch = 70;
- var twoDigitYearCentury = 2000;
-
- // This is to accept dates up to 2 days in the future, only used when
- // no year is specified in a date. 2 days should be enough to account for
- // time differences between systems and different tz offsets.
- var maxFutureDelta = 2*24*60*60*1000;
-
- // DateContainer stores date fields and then converts those fields into
- // a Date. Necessary because building a Date using its set() methods gives
- // different results depending on the order of components.
- function DateContainer(tzOffset) {
- this.offset = tzOffset === undefined? "Z" : tzOffset;
- }
-
- DateContainer.prototype = {
- setYear: function(v) {this.year = v;},
- setMonth: function(v) {this.month = v;},
- setDay: function(v) {this.day = v;},
- setHours: function(v) {this.hours = v;},
- setMinutes: function(v) {this.minutes = v;},
- setSeconds: function(v) {this.seconds = v;},
-
- setUNIX: function(v) {this.unix = v;},
-
- set2DigitYear: function(v) {
- this.year = v < twoDigitYearEpoch? 
twoDigitYearCentury + v : twoDigitYearCentury + v - 100; - }, - - toDate: function() { - if (this.unix !== undefined) { - return new Date(this.unix * 1000); - } - if (this.day === undefined || this.month === undefined) { - // Can't make a date from this. - return undefined; - } - if (this.year === undefined) { - // A date without a year. Set current year, or previous year - // if date would be in the future. - var now = new Date(); - this.year = now.getFullYear(); - var date = this.toDate(); - if (date.getTime() - now.getTime() > maxFutureDelta) { - date.setFullYear(now.getFullYear() - 1); - } - return date; - } - var MM = to2Digit(this.month); - var DD = to2Digit(this.day); - var hh = to2Digit(this.hours); - var mm = to2Digit(this.minutes); - var ss = to2Digit(this.seconds); - return new Date(this.year + "-" + MM + "-" + DD + "T" + hh + ":" + mm + ":" + ss + this.offset); - } - } - - function date_time_try_pattern(fmt, str, tzOffset) { - var date = new DateContainer(tzOffset); - var pos = date_time_try_pattern_at_pos(fmt, str, 0, date); - return pos !== undefined? 
date.toDate() : undefined; - } - - function date_time_try_pattern_at_pos(fmt, str, pos, date) { - var len = str.length; - for (var proc = 0; pos !== undefined && pos < len && proc < fmt.length; proc++) { - pos = fmt[proc](str, pos, date); - } - return pos; - } - - function date_time(opts) { - return function (evt) { - var tzOffset = opts.tz || tz_offset; - if (tzOffset === "event") { - tzOffset = evt.Get("event.timezone"); - } - var str = date_time_join_args(evt, opts.args); - for (var i = 0; i < opts.fmts.length; i++) { - var date = date_time_try_pattern(opts.fmts[i], str, tzOffset); - if (date !== undefined) { - evt.Put(FIELDS_PREFIX + opts.dest, date); - return; - } - } - if (debug) console.warn("in date_time: id=" + opts.id + " FAILED: " + str); - }; - } - - var uA = 60 * 60 * 24; - var uD = 60 * 60 * 24; - var uF = 60 * 60; - var uG = 60 * 60 * 24 * 30; - var uH = 60 * 60; - var uI = 60 * 60; - var uJ = 60 * 60 * 24; - var uM = 60 * 60 * 24 * 30; - var uN = 60 * 60; - var uO = 1; - var uS = 1; - var uT = 60; - var uU = 60; - var uc = dc; - - function duration(opts) { - return function(evt) { - var str = date_time_join_args(evt, opts.args); - for (var i = 0; i < opts.fmts.length; i++) { - var seconds = duration_try_pattern(opts.fmts[i], str); - if (seconds !== undefined) { - evt.Put(FIELDS_PREFIX + opts.dest, seconds); - return; - } - } - if (debug) console.warn("in duration: id=" + opts.id + " (s) FAILED: " + str); - }; - } - - function duration_try_pattern(fmt, str) { - var secs = 0; - var pos = 0; - for (var i=0; i [ month_id , how many chars to skip if month in long form ] - "Jan": [0, 4], - "Feb": [1, 5], - "Mar": [2, 2], - "Apr": [3, 2], - "May": [4, 0], - "Jun": [5, 1], - "Jul": [6, 1], - "Aug": [7, 3], - "Sep": [8, 6], - "Oct": [9, 4], - "Nov": [10, 5], - "Dec": [11, 4], - "jan": [0, 4], - "feb": [1, 5], - "mar": [2, 2], - "apr": [3, 2], - "may": [4, 0], - "jun": [5, 1], - "jul": [6, 1], - "aug": [7, 3], - "sep": [8, 6], - "oct": [9, 4], - "nov": [10, 
5], - "dec": [11, 4], - }; - - // var dC = undefined; - var dR = dateMonthName(true); - var dB = dateMonthName(false); - var dM = dateFixedWidthNumber("M", 2, 1, 12, DateContainer.prototype.setMonth); - var dG = dateVariableWidthNumber("G", 1, 12, DateContainer.prototype.setMonth); - var dD = dateFixedWidthNumber("D", 2, 1, 31, DateContainer.prototype.setDay); - var dF = dateVariableWidthNumber("F", 1, 31, DateContainer.prototype.setDay); - var dH = dateFixedWidthNumber("H", 2, 0, 24, DateContainer.prototype.setHours); - var dI = dateVariableWidthNumber("I", 0, 24, DateContainer.prototype.setHours); // Accept hours >12 - var dN = dateVariableWidthNumber("N", 0, 24, DateContainer.prototype.setHours); - var dT = dateFixedWidthNumber("T", 2, 0, 59, DateContainer.prototype.setMinutes); - var dU = dateVariableWidthNumber("U", 0, 59, DateContainer.prototype.setMinutes); - var dP = parseAMPM; // AM|PM - var dQ = parseAMPM; // A.M.|P.M - var dS = dateFixedWidthNumber("S", 2, 0, 60, DateContainer.prototype.setSeconds); - var dO = dateVariableWidthNumber("O", 0, 60, DateContainer.prototype.setSeconds); - var dY = dateFixedWidthNumber("Y", 2, 0, 99, DateContainer.prototype.set2DigitYear); - var dW = dateFixedWidthNumber("W", 4, 1000, 9999, DateContainer.prototype.setYear); - var dZ = parseHMS; - var dX = dateVariableWidthNumber("X", 0, 0x10000000000, DateContainer.prototype.setUNIX); - - // parseAMPM parses "A.M", "AM", "P.M", "PM" from logs. - // Only works if this modifier appears after the hour has been read from logs - // which is always the case in the 300 devices. 
- function parseAMPM(str, pos, date) { - var n = str.length; - var start = skipws(str, pos); - if (start + 2 > n) return; - var head = str.substr(start, 2).toUpperCase(); - var isPM = false; - var skip = false; - switch (head) { - case "A.": - skip = true; - /* falls through */ - case "AM": - break; - case "P.": - skip = true; - /* falls through */ - case "PM": - isPM = true; - break; - default: - if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(head:" + head + ")"); - return; - } - pos = start + 2; - if (skip) { - if (pos+2 > n || str.substr(pos, 2).toUpperCase() !== "M.") { - if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(tail)"); - return; - } - pos += 2; - } - var hh = date.hours; - if (isPM) { - // Accept existing hour in 24h format. - if (hh < 12) hh += 12; - } else { - if (hh === 12) hh = 0; - } - date.setHours(hh); - return pos; - } - - function parseHMS(str, pos, date) { - return date_time_try_pattern_at_pos([dN, dc(":"), dU, dc(":"), dO], str, pos, date); - } - - function skipws(str, pos) { - for ( var n = str.length; - pos < n && str.charAt(pos) === " "; - pos++) - ; - return pos; - } - - function skipdigits(str, pos) { - var c; - for (var n = str.length; - pos < n && (c = str.charAt(pos)) >= "0" && c <= "9"; - pos++) - ; - return pos; - } - - function dSkip(str, pos, date) { - var chr; - for (;pos < str.length && (chr=str[pos])<'0' || chr>'9'; pos++) {} - return pos < str.length? 
pos : undefined; - } - - function dateVariableWidthNumber(fmtChar, min, max, setter) { - return function (str, pos, date) { - var start = skipws(str, pos); - pos = skipdigits(str, start); - var s = str.substr(start, pos - start); - var value = parseInt(s, 10); - if (value >= min && value <= max) { - setter.call(date, value); - return pos; - } - return; - }; - } - - function dateFixedWidthNumber(fmtChar, width, min, max, setter) { - return function (str, pos, date) { - pos = skipws(str, pos); - var n = str.length; - if (pos + width > n) return; - var s = str.substr(pos, width); - var value = parseInt(s, 10); - if (value >= min && value <= max) { - setter.call(date, value); - return pos + width; - } - return; - }; - } - - // Short month name (Jan..Dec). - function dateMonthName(long) { - return function (str, pos, date) { - pos = skipws(str, pos); - var n = str.length; - if (pos + 3 > n) return; - var mon = str.substr(pos, 3); - var idx = shortMonths[mon]; - if (idx === undefined) { - idx = shortMonths[mon.toLowerCase()]; - } - if (idx === undefined) { - //console.warn("parsing date_time: '" + mon + "' is not a valid short month (%B)"); - return; - } - date.setMonth(idx[0]+1); - return pos + 3 + (long ? 
idx[1] : 0); - }; - } - - function url_wrapper(dst, src, fn) { - return function(evt) { - var value = evt.Get(FIELDS_PREFIX + src), result; - if (value != null && (result = fn(value))!== undefined) { - evt.Put(FIELDS_PREFIX + dst, result); - } else { - console.debug(fn.name + " failed for '" + value + "'"); - } - }; - } - - // The following regular expression for parsing URLs from: - // https://github.com/wizard04wsu/URI_Parsing - // - // The MIT License (MIT) - // - // Copyright (c) 2014 Andrew Harrison - // - // Permission is hereby granted, free of charge, to any person obtaining a copy of - // this software and associated documentation files (the "Software"), to deal in - // the Software without restriction, including without limitation the rights to - // use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of - // the Software, and to permit persons to whom the Software is furnished to do so, - // subject to the following conditions: - // - // The above copyright notice and this permission notice shall be included in all - // copies or substantial portions of the Software. - // - // THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR - // IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS - // FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR - // COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER - // IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN - // CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 
- var uriRegExp = /^([a-z][a-z0-9+.\-]*):(?:\/\/((?:(?=((?:[a-z0-9\-._~!$&'()*+,;=:]|%[0-9A-F]{2})*))(\3)@)?(?=(\[[0-9A-F:.]{2,}\]|(?:[a-z0-9\-._~!$&'()*+,;=]|%[0-9A-F]{2})*))\5(?::(?=(\d*))\6)?)(\/(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\8)?|(\/?(?!\/)(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\10)?)(?:\?(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\11)?(?:#(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\12)?$/i; - - var uriScheme = 1; - var uriDomain = 5; - var uriPort = 6; - var uriPath = 7; - var uriPathAlt = 9; - var uriQuery = 11; - - function domain(dst, src) { - return url_wrapper(dst, src, extract_domain); - } - - function split_url(value) { - var m = value.match(uriRegExp); - if (m && m[uriDomain]) return m; - // Support input in the form "www.example.net/path", but not "/path". - m = ("null://" + value).match(uriRegExp); - if (m) return m; - } - - function extract_domain(value) { - var m = split_url(value); - if (m && m[uriDomain]) return m[uriDomain]; - } - - var extFromPage = /\.[^.]+$/; - function extract_ext(value) { - var page = extract_page(value); - if (page) { - var m = page.match(extFromPage); - if (m) return m[0]; - } - } - - function ext(dst, src) { - return url_wrapper(dst, src, extract_ext); - } - - function fqdn(dst, src) { - // TODO: fqdn and domain(eTLD+1) are currently the same. - return domain(dst, src); - } - - var pageFromPathRegExp = /\/([^\/]+)$/; - var pageName = 1; - - function extract_page(value) { - value = extract_path(value); - if (!value) return undefined; - var m = value.match(pageFromPathRegExp); - if (m) return m[pageName]; - } - - function page(dst, src) { - return url_wrapper(dst, src, extract_page); - } - - function extract_path(value) { - var m = split_url(value); - return m? m[uriPath] || m[uriPathAlt] : undefined; - } - - function path(dst, src) { - return url_wrapper(dst, src, extract_path); - } - - // Map common schemes to their default port. 
- // port has to be a string (will be converted at a later stage). - var schemePort = { - "ftp": "21", - "ssh": "22", - "http": "80", - "https": "443", - }; - - function extract_port(value) { - var m = split_url(value); - if (!m) return undefined; - if (m[uriPort]) return m[uriPort]; - if (m[uriScheme]) { - return schemePort[m[uriScheme]]; - } - } - - function port(dst, src) { - return url_wrapper(dst, src, extract_port); - } - - function extract_query(value) { - var m = split_url(value); - if (m && m[uriQuery]) return m[uriQuery]; - } - - function query(dst, src) { - return url_wrapper(dst, src, extract_query); - } - - function extract_root(value) { - var m = split_url(value); - if (m && m[uriDomain] && m[uriDomain]) { - var scheme = m[uriScheme] && m[uriScheme] !== "null"? - m[uriScheme] + "://" : ""; - var port = m[uriPort]? ":" + m[uriPort] : ""; - return scheme + m[uriDomain] + port; - } - } - - function root(dst, src) { - return url_wrapper(dst, src, extract_root); - } - - function tagval(id, src, cfg, keys, on_success) { - var fail = function(evt) { - evt.Put(FLAG_FIELD, "tagval_parsing_error"); - } - if (cfg.kv_separator.length !== 1) { - throw("Invalid TAGVALMAP ValueDelimiter (must have 1 character)"); - } - var quotes_len = cfg.open_quote.length > 0 && cfg.close_quote.length > 0? 
- cfg.open_quote.length + cfg.close_quote.length : 0; - var kv_regex = new RegExp('^([^' + cfg.kv_separator + ']*)*' + cfg.kv_separator + ' *(.*)*$'); - return function(evt) { - var msg = evt.Get(src); - if (msg === undefined) { - console.warn("tagval: input field is missing"); - return fail(evt); - } - var pairs = msg.split(cfg.pair_separator); - var i; - var success = false; - var prev = ""; - for (i=0; i 0 && - value.length >= cfg.open_quote.length + cfg.close_quote.length && - value.substr(0, cfg.open_quote.length) === cfg.open_quote && - value.substr(value.length - cfg.close_quote.length) === cfg.close_quote) { - value = value.substr(cfg.open_quote.length, value.length - quotes_len); - } - evt.Put(FIELDS_PREFIX + field, value); - success = true; - } - if (!success) { - return fail(evt); - } - if (on_success != null) { - on_success(evt); - } - } - } - - var ecs_mappings = { - "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]}, - "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]}, - "_severity": {convert: to_long, to:[{field: "log.syslog.severity.code", setter: fld_set}]}, - "action": {to:[{field: "event.action", setter: fld_prio, prio: 0}]}, - "administrator": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 4}]}, - "alias.ip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 3},{field: "related.ip", setter: fld_append}]}, - "alias.ipv6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 4},{field: "related.ip", setter: fld_append}]}, - "alias.mac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 1}]}, - "application": {to:[{field: "network.application", setter: fld_set}]}, - "bytes": {convert: to_long, to:[{field: "network.bytes", setter: fld_set}]}, - "c_domain": {to:[{field: "source.domain", setter: fld_prio, prio: 1}]}, - "c_logon_id": {to:[{field: "user.id", setter: fld_prio, prio: 2}]}, - 
"c_user_name": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 8}]}, - "c_username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 2}]}, - "cctld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 1}]}, - "child_pid": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 1}]}, - "child_pid_val": {to:[{field: "process.title", setter: fld_set}]}, - "child_process": {to:[{field: "process.name", setter: fld_prio, prio: 1}]}, - "city.dst": {to:[{field: "destination.geo.city_name", setter: fld_set}]}, - "city.src": {to:[{field: "source.geo.city_name", setter: fld_set}]}, - "daddr": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, - "daddr_v6": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, - "ddomain": {to:[{field: "destination.domain", setter: fld_prio, prio: 0}]}, - "devicehostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, - "devicehostmac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 0}]}, - "dhost": {to:[{field: "destination.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]}, - "dinterface": {to:[{field: "observer.egress.interface.name", setter: fld_set}]}, - "direction": {to:[{field: "network.direction", setter: fld_set}]}, - "directory": {to:[{field: "file.directory", setter: fld_set}]}, - "dmacaddr": {convert: to_mac, to:[{field: "destination.mac", setter: fld_set}]}, - "dns.responsetype": {to:[{field: "dns.answers.type", setter: fld_set}]}, - "dns.resptext": {to:[{field: "dns.answers.name", setter: fld_set}]}, - "dns_querytype": {to:[{field: "dns.question.type", setter: fld_set}]}, - "domain": {to:[{field: "server.domain", setter: fld_prio, prio: 0},{field: "related.hosts", setter: fld_append}]}, - 
"domain.dst": {to:[{field: "destination.domain", setter: fld_prio, prio: 1}]}, - "domain.src": {to:[{field: "source.domain", setter: fld_prio, prio: 2}]}, - "domain_id": {to:[{field: "user.domain", setter: fld_set}]}, - "domainname": {to:[{field: "server.domain", setter: fld_prio, prio: 1}]}, - "dport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 0}]}, - "dtransaddr": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, - "dtransport": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 0}]}, - "ec_outcome": {to:[{field: "event.outcome", setter: fld_ecs_outcome}]}, - "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]}, - "event_source": {to:[{field: "related.hosts", setter: fld_append}]}, - "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]}, - "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]}, - "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]}, - "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]}, - "filename": {to:[{field: "file.name", setter: fld_prio, prio: 0}]}, - "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]}, - "filepath": {to:[{field: "file.path", setter: fld_set}]}, - "filetype": {to:[{field: "file.type", setter: fld_set}]}, - "fqdn": {to:[{field: "related.hosts", setter: fld_append}]}, - "group": {to:[{field: "group.name", setter: fld_set}]}, - "groupid": {to:[{field: "group.id", setter: fld_set}]}, - "host": {to:[{field: "host.name", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]}, - "hostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, - "hostip_v6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, - "hostname": {to:[{field: 
"host.name", setter: fld_prio, prio: 0}]}, - "id": {to:[{field: "event.code", setter: fld_prio, prio: 0}]}, - "interface": {to:[{field: "network.interface.name", setter: fld_set}]}, - "ip.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, - "ip.trans.dst": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, - "ip.trans.src": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, - "ipv6.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, - "latdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lat", setter: fld_set}]}, - "latdec_src": {convert: to_double, to:[{field: "source.geo.location.lat", setter: fld_set}]}, - "location_city": {to:[{field: "geo.city_name", setter: fld_set}]}, - "location_country": {to:[{field: "geo.country_name", setter: fld_set}]}, - "location_desc": {to:[{field: "geo.name", setter: fld_set}]}, - "location_dst": {to:[{field: "destination.geo.country_name", setter: fld_set}]}, - "location_src": {to:[{field: "source.geo.country_name", setter: fld_set}]}, - "location_state": {to:[{field: "geo.region_name", setter: fld_set}]}, - "logon_id": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 5}]}, - "longdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lon", setter: fld_set}]}, - "longdec_src": {convert: to_double, to:[{field: "source.geo.location.lon", setter: fld_set}]}, - "macaddr": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 2}]}, - "messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]}, - "method": {to:[{field: "http.request.method", setter: fld_set}]}, - "msg": {to:[{field: "message", setter: fld_set}]}, - "orig_ip": {convert: to_ip, 
to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, - "owner": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 6}]}, - "packets": {convert: to_long, to:[{field: "network.packets", setter: fld_set}]}, - "parent_pid": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 0}]}, - "parent_pid_val": {to:[{field: "process.parent.title", setter: fld_set}]}, - "parent_process": {to:[{field: "process.parent.name", setter: fld_prio, prio: 0}]}, - "patient_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 1}]}, - "port.dst": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 1}]}, - "port.src": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 1}]}, - "port.trans.dst": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 1}]}, - "port.trans.src": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 1}]}, - "process": {to:[{field: "process.name", setter: fld_prio, prio: 0}]}, - "process_id": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 0}]}, - "process_id_src": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 1}]}, - "process_src": {to:[{field: "process.parent.name", setter: fld_prio, prio: 1}]}, - "product": {to:[{field: "observer.product", setter: fld_set}]}, - "protocol": {to:[{field: "network.protocol", setter: fld_set}]}, - "query": {to:[{field: "url.query", setter: fld_prio, prio: 2}]}, - "rbytes": {convert: to_long, to:[{field: "destination.bytes", setter: fld_set}]}, - "referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 1}]}, - "rulename": {to:[{field: "rule.name", setter: fld_set}]}, - "saddr": {convert: to_ip, to:[{field: "source.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, - "saddr_v6": {convert: to_ip, to:[{field: "source.ip", setter: 
fld_set},{field: "related.ip", setter: fld_append}]}, - "sbytes": {convert: to_long, to:[{field: "source.bytes", setter: fld_set}]}, - "sdomain": {to:[{field: "source.domain", setter: fld_prio, prio: 0}]}, - "service": {to:[{field: "service.name", setter: fld_prio, prio: 1}]}, - "service.name": {to:[{field: "service.name", setter: fld_prio, prio: 0}]}, - "service_account": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 7}]}, - "severity": {to:[{field: "log.level", setter: fld_set}]}, - "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]}, - "sinterface": {to:[{field: "observer.ingress.interface.name", setter: fld_set}]}, - "sld": {to:[{field: "url.registered_domain", setter: fld_set}]}, - "smacaddr": {convert: to_mac, to:[{field: "source.mac", setter: fld_set}]}, - "sport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 0}]}, - "stransaddr": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, - "stransport": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 0}]}, - "tcp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 2}]}, - "tcp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 2}]}, - "timezone": {to:[{field: "event.timezone", setter: fld_set}]}, - "tld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 0}]}, - "udp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 3}]}, - "udp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 3}]}, - "uid": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 3}]}, - "url": {to:[{field: "url.original", setter: fld_prio, prio: 1}]}, - "url_raw": {to:[{field: "url.original", setter: fld_prio, prio: 
0}]},
- "urldomain": {to:[{field: "url.domain", setter: fld_prio, prio: 0}]},
- "urlquery": {to:[{field: "url.query", setter: fld_prio, prio: 0}]},
- "user": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 0}]},
- "user.id": {to:[{field: "user.id", setter: fld_prio, prio: 1}]},
- "user_agent": {to:[{field: "user_agent.original", setter: fld_set}]},
- "user_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 0}]},
- "user_id": {to:[{field: "user.id", setter: fld_prio, prio: 0}]},
- "username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 1}]},
- "version": {to:[{field: "observer.version", setter: fld_set}]},
- "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]},
- "web_extension": {to:[{field: "file.extension", setter: fld_prio, prio: 0}]},
- "web_query": {to:[{field: "url.query", setter: fld_prio, prio: 1}]},
- "web_ref_domain": {to:[{field: "related.hosts", setter: fld_append}]},
- "web_referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 0}]},
- "web_root": {to:[{field: "url.path", setter: fld_set}]},
- "webpage": {to:[{field: "file.name", setter: fld_prio, prio: 1}]},
- };
-
- var rsa_mappings = {
- "access_point": {to:[{field: "rsa.wireless.access_point", setter: fld_set}]},
- "accesses": {to:[{field: "rsa.identity.accesses", setter: fld_set}]},
- "acl_id": {to:[{field: "rsa.misc.acl_id", setter: fld_set}]},
- "acl_op": {to:[{field: "rsa.misc.acl_op", setter: fld_set}]},
- "acl_pos": {to:[{field: "rsa.misc.acl_pos", setter: fld_set}]},
- "acl_table": {to:[{field: "rsa.misc.acl_table", setter: fld_set}]},
- "action": {to:[{field: "rsa.misc.action", setter: fld_append}]},
- "ad_computer_dst": {to:[{field: "rsa.network.ad_computer_dst", setter: fld_set}]},
- "addr": {to:[{field: "rsa.network.addr", setter: fld_set}]},
- "admin": {to:[{field: "rsa.misc.admin", setter: fld_set}]},
- "agent": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 0}]},
- "agent.id": {to:[{field: "rsa.misc.agent_id", setter: fld_set}]},
- "alarm_id": {to:[{field: "rsa.misc.alarm_id", setter: fld_set}]},
- "alarmname": {to:[{field: "rsa.misc.alarmname", setter: fld_set}]},
- "alert": {to:[{field: "rsa.threat.alert", setter: fld_set}]},
- "alert_id": {to:[{field: "rsa.misc.alert_id", setter: fld_set}]},
- "alias.host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
- "analysis.file": {to:[{field: "rsa.investigations.analysis_file", setter: fld_set}]},
- "analysis.service": {to:[{field: "rsa.investigations.analysis_service", setter: fld_set}]},
- "analysis.session": {to:[{field: "rsa.investigations.analysis_session", setter: fld_set}]},
- "app_id": {to:[{field: "rsa.misc.app_id", setter: fld_set}]},
- "attachment": {to:[{field: "rsa.file.attachment", setter: fld_set}]},
- "audit": {to:[{field: "rsa.misc.audit", setter: fld_set}]},
- "audit_class": {to:[{field: "rsa.internal.audit_class", setter: fld_set}]},
- "audit_object": {to:[{field: "rsa.misc.audit_object", setter: fld_set}]},
- "auditdata": {to:[{field: "rsa.misc.auditdata", setter: fld_set}]},
- "authmethod": {to:[{field: "rsa.identity.auth_method", setter: fld_set}]},
- "autorun_type": {to:[{field: "rsa.misc.autorun_type", setter: fld_set}]},
- "bcc": {to:[{field: "rsa.email.email", setter: fld_append}]},
- "benchmark": {to:[{field: "rsa.misc.benchmark", setter: fld_set}]},
- "binary": {to:[{field: "rsa.file.binary", setter: fld_set}]},
- "boc": {to:[{field: "rsa.investigations.boc", setter: fld_set}]},
- "bssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 1}]},
- "bypass": {to:[{field: "rsa.misc.bypass", setter: fld_set}]},
- "c_sid": {to:[{field: "rsa.identity.user_sid_src", setter: fld_set}]},
- "cache": {to:[{field: "rsa.misc.cache", setter: fld_set}]},
- "cache_hit": {to:[{field: "rsa.misc.cache_hit", setter: fld_set}]},
- "calling_from": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 1}]},
- "calling_to": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 0}]},
- "category": {to:[{field: "rsa.misc.category", setter: fld_set}]},
- "cc": {to:[{field: "rsa.email.email", setter: fld_append}]},
- "cc.number": {convert: to_long, to:[{field: "rsa.misc.cc_number", setter: fld_set}]},
- "cefversion": {to:[{field: "rsa.misc.cefversion", setter: fld_set}]},
- "cert.serial": {to:[{field: "rsa.crypto.cert_serial", setter: fld_set}]},
- "cert_ca": {to:[{field: "rsa.crypto.cert_ca", setter: fld_set}]},
- "cert_checksum": {to:[{field: "rsa.crypto.cert_checksum", setter: fld_set}]},
- "cert_common": {to:[{field: "rsa.crypto.cert_common", setter: fld_set}]},
- "cert_error": {to:[{field: "rsa.crypto.cert_error", setter: fld_set}]},
- "cert_hostname": {to:[{field: "rsa.crypto.cert_host_name", setter: fld_set}]},
- "cert_hostname_cat": {to:[{field: "rsa.crypto.cert_host_cat", setter: fld_set}]},
- "cert_issuer": {to:[{field: "rsa.crypto.cert_issuer", setter: fld_set}]},
- "cert_keysize": {to:[{field: "rsa.crypto.cert_keysize", setter: fld_set}]},
- "cert_status": {to:[{field: "rsa.crypto.cert_status", setter: fld_set}]},
- "cert_subject": {to:[{field: "rsa.crypto.cert_subject", setter: fld_set}]},
- "cert_username": {to:[{field: "rsa.crypto.cert_username", setter: fld_set}]},
- "cfg.attr": {to:[{field: "rsa.misc.cfg_attr", setter: fld_set}]},
- "cfg.obj": {to:[{field: "rsa.misc.cfg_obj", setter: fld_set}]},
- "cfg.path": {to:[{field: "rsa.misc.cfg_path", setter: fld_set}]},
- "change_attribute": {to:[{field: "rsa.misc.change_attrib", setter: fld_set}]},
- "change_new": {to:[{field: "rsa.misc.change_new", setter: fld_set}]},
- "change_old": {to:[{field: "rsa.misc.change_old", setter: fld_set}]},
- "changes": {to:[{field: "rsa.misc.changes", setter: fld_set}]},
- "checksum": {to:[{field: "rsa.misc.checksum", setter: fld_set}]},
- "checksum.dst": {to:[{field: "rsa.misc.checksum_dst", setter: fld_set}]},
- "checksum.src": {to:[{field: "rsa.misc.checksum_src", setter: fld_set}]},
- "cid": {to:[{field: "rsa.internal.cid", setter: fld_set}]},
- "client": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 1}]},
- "client_ip": {to:[{field: "rsa.misc.client_ip", setter: fld_set}]},
- "clustermembers": {to:[{field: "rsa.misc.clustermembers", setter: fld_set}]},
- "cmd": {to:[{field: "rsa.misc.cmd", setter: fld_set}]},
- "cn_acttimeout": {to:[{field: "rsa.misc.cn_acttimeout", setter: fld_set}]},
- "cn_asn_dst": {to:[{field: "rsa.web.cn_asn_dst", setter: fld_set}]},
- "cn_asn_src": {to:[{field: "rsa.misc.cn_asn_src", setter: fld_set}]},
- "cn_bgpv4nxthop": {to:[{field: "rsa.misc.cn_bgpv4nxthop", setter: fld_set}]},
- "cn_ctr_dst_code": {to:[{field: "rsa.misc.cn_ctr_dst_code", setter: fld_set}]},
- "cn_dst_tos": {to:[{field: "rsa.misc.cn_dst_tos", setter: fld_set}]},
- "cn_dst_vlan": {to:[{field: "rsa.misc.cn_dst_vlan", setter: fld_set}]},
- "cn_engine_id": {to:[{field: "rsa.misc.cn_engine_id", setter: fld_set}]},
- "cn_engine_type": {to:[{field: "rsa.misc.cn_engine_type", setter: fld_set}]},
- "cn_f_switch": {to:[{field: "rsa.misc.cn_f_switch", setter: fld_set}]},
- "cn_flowsampid": {to:[{field: "rsa.misc.cn_flowsampid", setter: fld_set}]},
- "cn_flowsampintv": {to:[{field: "rsa.misc.cn_flowsampintv", setter: fld_set}]},
- "cn_flowsampmode": {to:[{field: "rsa.misc.cn_flowsampmode", setter: fld_set}]},
- "cn_inacttimeout": {to:[{field: "rsa.misc.cn_inacttimeout", setter: fld_set}]},
- "cn_inpermbyts": {to:[{field: "rsa.misc.cn_inpermbyts", setter: fld_set}]},
- "cn_inpermpckts": {to:[{field: "rsa.misc.cn_inpermpckts", setter: fld_set}]},
- "cn_invalid": {to:[{field: "rsa.misc.cn_invalid", setter: fld_set}]},
- "cn_ip_proto_ver": {to:[{field: "rsa.misc.cn_ip_proto_ver", setter: fld_set}]},
- "cn_ipv4_ident": {to:[{field: "rsa.misc.cn_ipv4_ident", setter: fld_set}]},
- "cn_l_switch": {to:[{field: "rsa.misc.cn_l_switch", setter: fld_set}]},
- "cn_log_did": {to:[{field: "rsa.misc.cn_log_did", setter: fld_set}]},
- "cn_log_rid": {to:[{field: "rsa.misc.cn_log_rid", setter: fld_set}]},
- "cn_max_ttl": {to:[{field: "rsa.misc.cn_max_ttl", setter: fld_set}]},
- "cn_maxpcktlen": {to:[{field: "rsa.misc.cn_maxpcktlen", setter: fld_set}]},
- "cn_min_ttl": {to:[{field: "rsa.misc.cn_min_ttl", setter: fld_set}]},
- "cn_minpcktlen": {to:[{field: "rsa.misc.cn_minpcktlen", setter: fld_set}]},
- "cn_mpls_lbl_1": {to:[{field: "rsa.misc.cn_mpls_lbl_1", setter: fld_set}]},
- "cn_mpls_lbl_10": {to:[{field: "rsa.misc.cn_mpls_lbl_10", setter: fld_set}]},
- "cn_mpls_lbl_2": {to:[{field: "rsa.misc.cn_mpls_lbl_2", setter: fld_set}]},
- "cn_mpls_lbl_3": {to:[{field: "rsa.misc.cn_mpls_lbl_3", setter: fld_set}]},
- "cn_mpls_lbl_4": {to:[{field: "rsa.misc.cn_mpls_lbl_4", setter: fld_set}]},
- "cn_mpls_lbl_5": {to:[{field: "rsa.misc.cn_mpls_lbl_5", setter: fld_set}]},
- "cn_mpls_lbl_6": {to:[{field: "rsa.misc.cn_mpls_lbl_6", setter: fld_set}]},
- "cn_mpls_lbl_7": {to:[{field: "rsa.misc.cn_mpls_lbl_7", setter: fld_set}]},
- "cn_mpls_lbl_8": {to:[{field: "rsa.misc.cn_mpls_lbl_8", setter: fld_set}]},
- "cn_mpls_lbl_9": {to:[{field: "rsa.misc.cn_mpls_lbl_9", setter: fld_set}]},
- "cn_mplstoplabel": {to:[{field: "rsa.misc.cn_mplstoplabel", setter: fld_set}]},
- "cn_mplstoplabip": {to:[{field: "rsa.misc.cn_mplstoplabip", setter: fld_set}]},
- "cn_mul_dst_byt": {to:[{field: "rsa.misc.cn_mul_dst_byt", setter: fld_set}]},
- "cn_mul_dst_pks": {to:[{field: "rsa.misc.cn_mul_dst_pks", setter: fld_set}]},
- "cn_muligmptype": {to:[{field: "rsa.misc.cn_muligmptype", setter: fld_set}]},
- "cn_rpackets": {to:[{field: "rsa.web.cn_rpackets", setter: fld_set}]},
- "cn_sampalgo": {to:[{field: "rsa.misc.cn_sampalgo", setter: fld_set}]},
- "cn_sampint": {to:[{field: "rsa.misc.cn_sampint", setter: fld_set}]},
- "cn_seqctr": {to:[{field: "rsa.misc.cn_seqctr", setter: fld_set}]},
- "cn_spackets": {to:[{field: "rsa.misc.cn_spackets", setter: fld_set}]},
- "cn_src_tos": {to:[{field: "rsa.misc.cn_src_tos", setter: fld_set}]},
- "cn_src_vlan": {to:[{field: "rsa.misc.cn_src_vlan", setter: fld_set}]},
- "cn_sysuptime": {to:[{field: "rsa.misc.cn_sysuptime", setter: fld_set}]},
- "cn_template_id": {to:[{field: "rsa.misc.cn_template_id", setter: fld_set}]},
- "cn_totbytsexp": {to:[{field: "rsa.misc.cn_totbytsexp", setter: fld_set}]},
- "cn_totflowexp": {to:[{field: "rsa.misc.cn_totflowexp", setter: fld_set}]},
- "cn_totpcktsexp": {to:[{field: "rsa.misc.cn_totpcktsexp", setter: fld_set}]},
- "cn_unixnanosecs": {to:[{field: "rsa.misc.cn_unixnanosecs", setter: fld_set}]},
- "cn_v6flowlabel": {to:[{field: "rsa.misc.cn_v6flowlabel", setter: fld_set}]},
- "cn_v6optheaders": {to:[{field: "rsa.misc.cn_v6optheaders", setter: fld_set}]},
- "code": {to:[{field: "rsa.misc.code", setter: fld_set}]},
- "command": {to:[{field: "rsa.misc.command", setter: fld_set}]},
- "comments": {to:[{field: "rsa.misc.comments", setter: fld_set}]},
- "comp_class": {to:[{field: "rsa.misc.comp_class", setter: fld_set}]},
- "comp_name": {to:[{field: "rsa.misc.comp_name", setter: fld_set}]},
- "comp_rbytes": {to:[{field: "rsa.misc.comp_rbytes", setter: fld_set}]},
- "comp_sbytes": {to:[{field: "rsa.misc.comp_sbytes", setter: fld_set}]},
- "component_version": {to:[{field: "rsa.misc.comp_version", setter: fld_set}]},
- "connection_id": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 1}]},
- "connectionid": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 0}]},
- "content": {to:[{field: "rsa.misc.content", setter: fld_set}]},
- "content_type": {to:[{field: "rsa.misc.content_type", setter: fld_set}]},
- "content_version": {to:[{field: "rsa.misc.content_version", setter: fld_set}]},
- "context": {to:[{field: "rsa.misc.context", setter: fld_set}]},
- "count": {to:[{field: "rsa.misc.count", setter: fld_set}]},
- "cpu": {convert: to_long, to:[{field: "rsa.misc.cpu", setter: fld_set}]},
- "cpu_data": {to:[{field: "rsa.misc.cpu_data", setter: fld_set}]},
- "criticality": {to:[{field: "rsa.misc.criticality", setter: fld_set}]},
- "cs_agency_dst": {to:[{field: "rsa.misc.cs_agency_dst", setter: fld_set}]},
- "cs_analyzedby": {to:[{field: "rsa.misc.cs_analyzedby", setter: fld_set}]},
- "cs_av_other": {to:[{field: "rsa.misc.cs_av_other", setter: fld_set}]},
- "cs_av_primary": {to:[{field: "rsa.misc.cs_av_primary", setter: fld_set}]},
- "cs_av_secondary": {to:[{field: "rsa.misc.cs_av_secondary", setter: fld_set}]},
- "cs_bgpv6nxthop": {to:[{field: "rsa.misc.cs_bgpv6nxthop", setter: fld_set}]},
- "cs_bit9status": {to:[{field: "rsa.misc.cs_bit9status", setter: fld_set}]},
- "cs_context": {to:[{field: "rsa.misc.cs_context", setter: fld_set}]},
- "cs_control": {to:[{field: "rsa.misc.cs_control", setter: fld_set}]},
- "cs_data": {to:[{field: "rsa.misc.cs_data", setter: fld_set}]},
- "cs_datecret": {to:[{field: "rsa.misc.cs_datecret", setter: fld_set}]},
- "cs_dst_tld": {to:[{field: "rsa.misc.cs_dst_tld", setter: fld_set}]},
- "cs_eth_dst_ven": {to:[{field: "rsa.misc.cs_eth_dst_ven", setter: fld_set}]},
- "cs_eth_src_ven": {to:[{field: "rsa.misc.cs_eth_src_ven", setter: fld_set}]},
- "cs_event_uuid": {to:[{field: "rsa.misc.cs_event_uuid", setter: fld_set}]},
- "cs_filetype": {to:[{field: "rsa.misc.cs_filetype", setter: fld_set}]},
- "cs_fld": {to:[{field: "rsa.misc.cs_fld", setter: fld_set}]},
- "cs_if_desc": {to:[{field: "rsa.misc.cs_if_desc", setter: fld_set}]},
- "cs_if_name": {to:[{field: "rsa.misc.cs_if_name", setter: fld_set}]},
- "cs_ip_next_hop": {to:[{field: "rsa.misc.cs_ip_next_hop", setter: fld_set}]},
- "cs_ipv4dstpre": {to:[{field: "rsa.misc.cs_ipv4dstpre", setter: fld_set}]},
- "cs_ipv4srcpre": {to:[{field: "rsa.misc.cs_ipv4srcpre", setter: fld_set}]},
- "cs_lifetime": {to:[{field: "rsa.misc.cs_lifetime", setter: fld_set}]},
- "cs_log_medium": {to:[{field: "rsa.misc.cs_log_medium", setter: fld_set}]},
- "cs_loginname": {to:[{field: "rsa.misc.cs_loginname", setter: fld_set}]},
- "cs_modulescore": {to:[{field: "rsa.misc.cs_modulescore", setter: fld_set}]},
- "cs_modulesign": {to:[{field: "rsa.misc.cs_modulesign", setter: fld_set}]},
- "cs_opswatresult": {to:[{field: "rsa.misc.cs_opswatresult", setter: fld_set}]},
- "cs_payload": {to:[{field: "rsa.misc.cs_payload", setter: fld_set}]},
- "cs_registrant": {to:[{field: "rsa.misc.cs_registrant", setter: fld_set}]},
- "cs_registrar": {to:[{field: "rsa.misc.cs_registrar", setter: fld_set}]},
- "cs_represult": {to:[{field: "rsa.misc.cs_represult", setter: fld_set}]},
- "cs_rpayload": {to:[{field: "rsa.misc.cs_rpayload", setter: fld_set}]},
- "cs_sampler_name": {to:[{field: "rsa.misc.cs_sampler_name", setter: fld_set}]},
- "cs_sourcemodule": {to:[{field: "rsa.misc.cs_sourcemodule", setter: fld_set}]},
- "cs_streams": {to:[{field: "rsa.misc.cs_streams", setter: fld_set}]},
- "cs_targetmodule": {to:[{field: "rsa.misc.cs_targetmodule", setter: fld_set}]},
- "cs_v6nxthop": {to:[{field: "rsa.misc.cs_v6nxthop", setter: fld_set}]},
- "cs_whois_server": {to:[{field: "rsa.misc.cs_whois_server", setter: fld_set}]},
- "cs_yararesult": {to:[{field: "rsa.misc.cs_yararesult", setter: fld_set}]},
- "cve": {to:[{field: "rsa.misc.cve", setter: fld_set}]},
- "d_certauth": {to:[{field: "rsa.crypto.d_certauth", setter: fld_set}]},
- "d_cipher": {to:[{field: "rsa.crypto.cipher_dst", setter: fld_set}]},
- "d_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_dst", setter: fld_set}]},
- "d_sslver": {to:[{field: "rsa.crypto.ssl_ver_dst", setter: fld_set}]},
- "data": {to:[{field: "rsa.internal.data", setter: fld_set}]},
- "data_type": {to:[{field: "rsa.misc.data_type", setter: fld_set}]},
- "date": {to:[{field: "rsa.time.date", setter: fld_set}]},
- "datetime": {to:[{field: "rsa.time.datetime", setter: fld_set}]},
- "day": {to:[{field: "rsa.time.day", setter: fld_set}]},
- "db_id": {to:[{field: "rsa.db.db_id", setter: fld_set}]},
- "db_name": {to:[{field: "rsa.db.database", setter: fld_set}]},
- "db_pid": {convert: to_long, to:[{field: "rsa.db.db_pid", setter: fld_set}]},
- "dclass_counter1": {convert: to_long, to:[{field: "rsa.counters.dclass_c1", setter: fld_set}]},
- "dclass_counter1_string": {to:[{field: "rsa.counters.dclass_c1_str", setter: fld_set}]},
- "dclass_counter2": {convert: to_long, to:[{field: "rsa.counters.dclass_c2", setter: fld_set}]},
- "dclass_counter2_string": {to:[{field: "rsa.counters.dclass_c2_str", setter: fld_set}]},
- "dclass_counter3": {convert: to_long, to:[{field: "rsa.counters.dclass_c3", setter: fld_set}]},
- "dclass_counter3_string": {to:[{field: "rsa.counters.dclass_c3_str", setter: fld_set}]},
- "dclass_ratio1": {to:[{field: "rsa.counters.dclass_r1", setter: fld_set}]},
- "dclass_ratio1_string": {to:[{field: "rsa.counters.dclass_r1_str", setter: fld_set}]},
- "dclass_ratio2": {to:[{field: "rsa.counters.dclass_r2", setter: fld_set}]},
- "dclass_ratio2_string": {to:[{field: "rsa.counters.dclass_r2_str", setter: fld_set}]},
- "dclass_ratio3": {to:[{field: "rsa.counters.dclass_r3", setter: fld_set}]},
- "dclass_ratio3_string": {to:[{field: "rsa.counters.dclass_r3_str", setter: fld_set}]},
- "dead": {convert: to_long, to:[{field: "rsa.internal.dead", setter: fld_set}]},
- "description": {to:[{field: "rsa.misc.description", setter: fld_set}]},
- "detail": {to:[{field: "rsa.misc.event_desc", setter: fld_set}]},
- "device": {to:[{field: "rsa.misc.device_name", setter: fld_set}]},
- "device.class": {to:[{field: "rsa.internal.device_class", setter: fld_set}]},
- "device.group": {to:[{field: "rsa.internal.device_group", setter: fld_set}]},
- "device.host": {to:[{field: "rsa.internal.device_host", setter: fld_set}]},
- "device.ip": {convert: to_ip, to:[{field: "rsa.internal.device_ip", setter: fld_set}]},
- "device.ipv6": {convert: to_ip, to:[{field: "rsa.internal.device_ipv6", setter: fld_set}]},
- "device.type": {to:[{field: "rsa.internal.device_type", setter: fld_set}]},
- "device.type.id": {convert: to_long, to:[{field: "rsa.internal.device_type_id", setter: fld_set}]},
- "devicehostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
- "devvendor": {to:[{field: "rsa.misc.devvendor", setter: fld_set}]},
- "dhost": {to:[{field: "rsa.network.host_dst", setter: fld_set}]},
- "did": {to:[{field: "rsa.internal.did", setter: fld_set}]},
- "dinterface": {to:[{field: "rsa.network.dinterface", setter: fld_set}]},
- "directory.dst": {to:[{field: "rsa.file.directory_dst", setter: fld_set}]},
- "directory.src": {to:[{field: "rsa.file.directory_src", setter: fld_set}]},
- "disk_volume": {to:[{field: "rsa.storage.disk_volume", setter: fld_set}]},
- "disposition": {to:[{field: "rsa.misc.disposition", setter: fld_set}]},
- "distance": {to:[{field: "rsa.misc.distance", setter: fld_set}]},
- "dmask": {to:[{field: "rsa.network.dmask", setter: fld_set}]},
- "dn": {to:[{field: "rsa.identity.dn", setter: fld_set}]},
- "dns_a_record": {to:[{field: "rsa.network.dns_a_record", setter: fld_set}]},
- "dns_cname_record": {to:[{field: "rsa.network.dns_cname_record", setter: fld_set}]},
- "dns_id": {to:[{field: "rsa.network.dns_id", setter: fld_set}]},
- "dns_opcode": {to:[{field: "rsa.network.dns_opcode", setter: fld_set}]},
- "dns_ptr_record": {to:[{field: "rsa.network.dns_ptr_record", setter: fld_set}]},
- "dns_resp": {to:[{field: "rsa.network.dns_resp", setter: fld_set}]},
- "dns_type": {to:[{field: "rsa.network.dns_type", setter: fld_set}]},
- "doc_number": {convert: to_long, to:[{field: "rsa.misc.doc_number", setter: fld_set}]},
- "domain": {to:[{field: "rsa.network.domain", setter: fld_set}]},
- "domain1": {to:[{field: "rsa.network.domain1", setter: fld_set}]},
- "dst_dn": {to:[{field: "rsa.identity.dn_dst", setter: fld_set}]},
- "dst_payload": {to:[{field: "rsa.misc.payload_dst", setter: fld_set}]},
- "dst_spi": {to:[{field: "rsa.misc.spi_dst", setter: fld_set}]},
- "dst_zone": {to:[{field: "rsa.network.zone_dst", setter: fld_set}]},
- "dstburb": {to:[{field: "rsa.misc.dstburb", setter: fld_set}]},
- "duration": {convert: to_double, to:[{field: "rsa.time.duration_time", setter: fld_set}]},
- "duration_string": {to:[{field: "rsa.time.duration_str", setter: fld_set}]},
- "ec_activity": {to:[{field: "rsa.investigations.ec_activity", setter: fld_set}]},
- "ec_outcome": {to:[{field: "rsa.investigations.ec_outcome", setter: fld_set}]},
- "ec_subject": {to:[{field: "rsa.investigations.ec_subject", setter: fld_set}]},
- "ec_theme": {to:[{field: "rsa.investigations.ec_theme", setter: fld_set}]},
- "edomain": {to:[{field: "rsa.misc.edomain", setter: fld_set}]},
- "edomaub": {to:[{field: "rsa.misc.edomaub", setter: fld_set}]},
- "effective_time": {convert: to_date, to:[{field: "rsa.time.effective_time", setter: fld_set}]},
- "ein.number": {convert: to_long, to:[{field: "rsa.misc.ein_number", setter: fld_set}]},
- "email": {to:[{field: "rsa.email.email", setter: fld_append}]},
- "encryption_type": {to:[{field: "rsa.crypto.crypto", setter: fld_set}]},
- "endtime": {convert: to_date, to:[{field: "rsa.time.endtime", setter: fld_set}]},
- "entropy.req": {convert: to_long, to:[{field: "rsa.internal.entropy_req", setter: fld_set}]},
- "entropy.res": {convert: to_long, to:[{field: "rsa.internal.entropy_res", setter: fld_set}]},
- "entry": {to:[{field: "rsa.internal.entry", setter: fld_set}]},
- "eoc": {to:[{field: "rsa.investigations.eoc", setter: fld_set}]},
- "error": {to:[{field: "rsa.misc.error", setter: fld_set}]},
- "eth_type": {convert: to_long, to:[{field: "rsa.network.eth_type", setter: fld_set}]},
- "euid": {to:[{field: "rsa.misc.euid", setter: fld_set}]},
- "event.cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 1}]},
- "event.cat.name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 1}]},
- "event_cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 0}]},
- "event_cat_name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 0}]},
- "event_category": {to:[{field: "rsa.misc.event_category", setter: fld_set}]},
- "event_computer": {to:[{field: "rsa.misc.event_computer", setter: fld_set}]},
- "event_counter": {convert: to_long, to:[{field: "rsa.counters.event_counter", setter: fld_set}]},
- "event_description": {to:[{field: "rsa.internal.event_desc", setter: fld_set}]},
- "event_id": {to:[{field: "rsa.misc.event_id", setter: fld_set}]},
- "event_log": {to:[{field: "rsa.misc.event_log", setter: fld_set}]},
- "event_name": {to:[{field: "rsa.internal.event_name", setter: fld_set}]},
- "event_queue_time": {convert: to_date, to:[{field: "rsa.time.event_queue_time", setter: fld_set}]},
- "event_source": {to:[{field: "rsa.misc.event_source", setter: fld_set}]},
- "event_state": {to:[{field: "rsa.misc.event_state", setter: fld_set}]},
- "event_time": {convert: to_date, to:[{field: "rsa.time.event_time", setter: fld_set}]},
- "event_time_str": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 1}]},
- "event_time_string": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 0}]},
- "event_type": {to:[{field: "rsa.misc.event_type", setter: fld_set}]},
- "event_user": {to:[{field: "rsa.misc.event_user", setter: fld_set}]},
- "eventtime": {to:[{field: "rsa.time.eventtime", setter: fld_set}]},
- "expected_val": {to:[{field: "rsa.misc.expected_val", setter: fld_set}]},
- "expiration_time": {convert: to_date, to:[{field: "rsa.time.expire_time", setter: fld_set}]},
- "expiration_time_string": {to:[{field: "rsa.time.expire_time_str", setter: fld_set}]},
- "facility": {to:[{field: "rsa.misc.facility", setter: fld_set}]},
- "facilityname": {to:[{field: "rsa.misc.facilityname", setter: fld_set}]},
- "faddr": {to:[{field: "rsa.network.faddr", setter: fld_set}]},
- "fcatnum": {to:[{field: "rsa.misc.fcatnum", setter: fld_set}]},
- "federated_idp": {to:[{field: "rsa.identity.federated_idp", setter: fld_set}]},
- "federated_sp": {to:[{field: "rsa.identity.federated_sp", setter: fld_set}]},
- "feed.category": {to:[{field: "rsa.internal.feed_category", setter: fld_set}]},
- "feed_desc": {to:[{field: "rsa.internal.feed_desc", setter: fld_set}]},
- "feed_name": {to:[{field: "rsa.internal.feed_name", setter: fld_set}]},
- "fhost": {to:[{field: "rsa.network.fhost", setter: fld_set}]},
- "file_entropy": {convert: to_double, to:[{field: "rsa.file.file_entropy", setter: fld_set}]},
- "file_vendor": {to:[{field: "rsa.file.file_vendor", setter: fld_set}]},
- "filename_dst": {to:[{field: "rsa.file.filename_dst", setter: fld_set}]},
- "filename_src": {to:[{field: "rsa.file.filename_src", setter: fld_set}]},
- "filename_tmp": {to:[{field: "rsa.file.filename_tmp", setter: fld_set}]},
- "filesystem": {to:[{field: "rsa.file.filesystem", setter: fld_set}]},
- "filter": {to:[{field: "rsa.misc.filter", setter: fld_set}]},
- "finterface": {to:[{field: "rsa.misc.finterface", setter: fld_set}]},
- "flags": {to:[{field: "rsa.misc.flags", setter: fld_set}]},
- "forensic_info": {to:[{field: "rsa.misc.forensic_info", setter: fld_set}]},
- "forward.ip": {convert: to_ip, to:[{field: "rsa.internal.forward_ip", setter: fld_set}]},
- "forward.ipv6": {convert: to_ip, to:[{field: "rsa.internal.forward_ipv6", setter: fld_set}]},
- "found": {to:[{field: "rsa.misc.found", setter: fld_set}]},
- "fport": {to:[{field: "rsa.network.fport", setter: fld_set}]},
- "fqdn": {to:[{field: "rsa.web.fqdn", setter: fld_set}]},
- "fresult": {convert: to_long, to:[{field: "rsa.misc.fresult", setter: fld_set}]},
- "from": {to:[{field: "rsa.email.email_src", setter: fld_set}]},
- "gaddr": {to:[{field: "rsa.misc.gaddr", setter: fld_set}]},
- "gateway": {to:[{field: "rsa.network.gateway", setter: fld_set}]},
- "gmtdate": {to:[{field: "rsa.time.gmtdate", setter: fld_set}]},
- "gmttime": {to:[{field: "rsa.time.gmttime", setter: fld_set}]},
- "group": {to:[{field: "rsa.misc.group", setter: fld_set}]},
- "group_object": {to:[{field: "rsa.misc.group_object", setter: fld_set}]},
- "groupid": {to:[{field: "rsa.misc.group_id", setter: fld_set}]},
- "h_code": {to:[{field: "rsa.internal.hcode", setter: fld_set}]},
- "hardware_id": {to:[{field: "rsa.misc.hardware_id", setter: fld_set}]},
- "header.id": {to:[{field: "rsa.internal.header_id", setter: fld_set}]},
- "host.orig": {to:[{field: "rsa.network.host_orig", setter: fld_set}]},
- "host.state": {to:[{field: "rsa.endpoint.host_state", setter: fld_set}]},
- "host.type": {to:[{field: "rsa.network.host_type", setter: fld_set}]},
- "host_role": {to:[{field: "rsa.identity.host_role", setter: fld_set}]},
- "hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
- "hostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
- "hour": {to:[{field: "rsa.time.hour", setter: fld_set}]},
- "https.insact": {to:[{field: "rsa.crypto.https_insact", setter: fld_set}]},
- "https.valid": {to:[{field: "rsa.crypto.https_valid", setter: fld_set}]},
- "icmpcode": {convert: to_long, to:[{field: "rsa.network.icmp_code", setter: fld_set}]},
- "icmptype": {convert: to_long, to:[{field: "rsa.network.icmp_type", setter: fld_set}]},
- "id": {to:[{field: "rsa.misc.reference_id", setter: fld_set}]},
- "id1": {to:[{field: "rsa.misc.reference_id1", setter: fld_set}]},
- "id2": {to:[{field: "rsa.misc.reference_id2", setter: fld_set}]},
- "id3": {to:[{field: "rsa.misc.id3", setter: fld_set}]},
- "ike": {to:[{field: "rsa.crypto.ike", setter: fld_set}]},
- "ike_cookie1": {to:[{field: "rsa.crypto.ike_cookie1", setter: fld_set}]},
- "ike_cookie2": {to:[{field: "rsa.crypto.ike_cookie2", setter: fld_set}]},
- "im_buddyid": {to:[{field: "rsa.misc.im_buddyid", setter: fld_set}]},
- "im_buddyname": {to:[{field: "rsa.misc.im_buddyname", setter: fld_set}]},
- "im_client": {to:[{field: "rsa.misc.im_client", setter: fld_set}]},
- "im_croomid": {to:[{field: "rsa.misc.im_croomid", setter: fld_set}]},
- "im_croomtype": {to:[{field: "rsa.misc.im_croomtype", setter: fld_set}]},
- "im_members": {to:[{field: "rsa.misc.im_members", setter: fld_set}]},
- "im_userid": {to:[{field: "rsa.misc.im_userid", setter: fld_set}]},
- "im_username": {to:[{field: "rsa.misc.im_username", setter: fld_set}]},
- "index": {to:[{field: "rsa.misc.index", setter: fld_set}]},
- "info": {to:[{field: "rsa.db.index", setter: fld_set}]},
- "inode": {convert: to_long, to:[{field: "rsa.internal.inode", setter: fld_set}]},
- "inout": {to:[{field: "rsa.misc.inout", setter: fld_set}]},
- "instance": {to:[{field: "rsa.db.instance", setter: fld_set}]},
- "interface": {to:[{field: "rsa.network.interface", setter: fld_set}]},
- "inv.category": {to:[{field: "rsa.investigations.inv_category", setter: fld_set}]},
- "inv.context": {to:[{field: "rsa.investigations.inv_context", setter: fld_set}]},
- "ioc": {to:[{field: "rsa.investigations.ioc", setter: fld_set}]},
- "ip_proto": {convert: to_long, to:[{field: "rsa.network.ip_proto", setter: fld_set}]},
- "ipkt": {to:[{field: "rsa.misc.ipkt", setter: fld_set}]},
- "ipscat": {to:[{field: "rsa.misc.ipscat", setter: fld_set}]},
- "ipspri": {to:[{field: "rsa.misc.ipspri", setter: fld_set}]},
- "jobname": {to:[{field: "rsa.misc.jobname", setter: fld_set}]},
- "jobnum": {to:[{field: "rsa.misc.job_num", setter: fld_set}]},
- "laddr": {to:[{field: "rsa.network.laddr", setter: fld_set}]},
- "language": {to:[{field: "rsa.misc.language", setter: fld_set}]},
- "latitude": {to:[{field: "rsa.misc.latitude", setter: fld_set}]},
- "lc.cid": {to:[{field: "rsa.internal.lc_cid", setter: fld_set}]},
- "lc.ctime": {convert: to_date, to:[{field: "rsa.internal.lc_ctime", setter: fld_set}]},
- "ldap": {to:[{field: "rsa.identity.ldap", setter: fld_set}]},
- "ldap.query": {to:[{field: "rsa.identity.ldap_query", setter: fld_set}]},
- "ldap.response": {to:[{field: "rsa.identity.ldap_response", setter: fld_set}]},
- "level": {convert: to_long, to:[{field: "rsa.internal.level", setter: fld_set}]},
- "lhost": {to:[{field: "rsa.network.lhost", setter: fld_set}]},
- "library": {to:[{field: "rsa.misc.library", setter: fld_set}]},
- "lifetime": {convert: to_long, to:[{field: "rsa.misc.lifetime", setter: fld_set}]},
- "linenum": {to:[{field: "rsa.misc.linenum", setter: fld_set}]},
- "link": {to:[{field: "rsa.misc.link", setter: fld_set}]},
- "linterface": {to:[{field: "rsa.network.linterface", setter: fld_set}]},
- "list_name": {to:[{field: "rsa.misc.list_name", setter: fld_set}]},
- "listnum": {to:[{field: "rsa.misc.listnum", setter: fld_set}]},
- "load_data": {to:[{field: "rsa.misc.load_data", setter: fld_set}]},
- "location_floor": {to:[{field: "rsa.misc.location_floor", setter: fld_set}]},
- "location_mark": {to:[{field: "rsa.misc.location_mark", setter: fld_set}]},
- "log_id": {to:[{field: "rsa.misc.log_id", setter: fld_set}]},
- "log_type": {to:[{field: "rsa.misc.log_type", setter: fld_set}]},
- "logid": {to:[{field: "rsa.misc.logid", setter: fld_set}]},
- "logip": {to:[{field: "rsa.misc.logip", setter: fld_set}]},
- "logname": {to:[{field: "rsa.misc.logname", setter: fld_set}]},
- "logon_type": {to:[{field: "rsa.identity.logon_type", setter: fld_set}]},
- "logon_type_desc": {to:[{field: "rsa.identity.logon_type_desc", setter: fld_set}]},
- "longitude": {to:[{field: "rsa.misc.longitude", setter: fld_set}]},
- "lport": {to:[{field: "rsa.misc.lport", setter: fld_set}]},
- "lread": {convert: to_long, to:[{field: "rsa.db.lread", setter: fld_set}]},
- "lun": {to:[{field: "rsa.storage.lun", setter: fld_set}]},
- "lwrite": {convert: to_long, to:[{field: "rsa.db.lwrite", setter: fld_set}]},
- "macaddr": {convert: to_mac, to:[{field: "rsa.network.eth_host", setter: fld_set}]},
- "mail_id": {to:[{field: "rsa.misc.mail_id", setter: fld_set}]},
- "mask": {to:[{field: "rsa.network.mask", setter: fld_set}]},
- "match": {to:[{field: "rsa.misc.match", setter: fld_set}]},
- "mbug_data": {to:[{field: "rsa.misc.mbug_data", setter: fld_set}]},
- "mcb.req": {convert: to_long, to:[{field: "rsa.internal.mcb_req", setter: fld_set}]},
- "mcb.res": {convert: to_long, to:[{field: "rsa.internal.mcb_res", setter: fld_set}]},
- "mcbc.req": {convert: to_long, to:[{field: "rsa.internal.mcbc_req", setter: fld_set}]},
- "mcbc.res": {convert: to_long, to:[{field: "rsa.internal.mcbc_res", setter: fld_set}]},
- "medium": {convert: to_long, to:[{field: "rsa.internal.medium", setter: fld_set}]},
- "message": {to:[{field: "rsa.internal.message", setter: fld_set}]},
- "message_body": {to:[{field: "rsa.misc.message_body", setter: fld_set}]},
- "messageid": {to:[{field: "rsa.internal.messageid", setter: fld_set}]},
- "min": {to:[{field: "rsa.time.min", setter: fld_set}]},
- "misc": {to:[{field: "rsa.misc.misc", setter: fld_set}]},
- "misc_name": {to:[{field: "rsa.misc.misc_name", setter: fld_set}]},
- "mode": {to:[{field: "rsa.misc.mode", setter: fld_set}]},
- "month": {to:[{field: "rsa.time.month", setter: fld_set}]},
- "msg": {to:[{field: "rsa.internal.msg", setter: fld_set}]},
- "msgIdPart1": {to:[{field: "rsa.misc.msgIdPart1", setter: fld_set}]},
- "msgIdPart2": {to:[{field: "rsa.misc.msgIdPart2", setter: fld_set}]},
- "msgIdPart3": {to:[{field: "rsa.misc.msgIdPart3", setter: fld_set}]},
- "msgIdPart4": {to:[{field: "rsa.misc.msgIdPart4", setter: fld_set}]},
- "msg_id": {to:[{field: "rsa.internal.msg_id", setter: fld_set}]},
- "msg_type": {to:[{field: "rsa.misc.msg_type", setter: fld_set}]},
- "msgid": {to:[{field: "rsa.misc.msgid", setter: fld_set}]},
- "name": {to:[{field: "rsa.misc.name", setter: fld_set}]},
- "netname": {to:[{field: "rsa.network.netname", setter: fld_set}]},
- "netsessid": {to:[{field: "rsa.misc.netsessid", setter: fld_set}]},
- "network_port": {convert: to_long, to:[{field: "rsa.network.network_port", setter: fld_set}]},
- "network_service": {to:[{field: "rsa.network.network_service", setter: fld_set}]},
- "node": {to:[{field: "rsa.misc.node", setter: fld_set}]},
- "nodename": {to:[{field: "rsa.internal.node_name", setter: fld_set}]},
- "ntype": {to:[{field: "rsa.misc.ntype", setter: fld_set}]},
- "num": {to:[{field: "rsa.misc.num", setter: fld_set}]},
- "number": {to:[{field: "rsa.misc.number", setter: fld_set}]},
- "number1": {to:[{field: "rsa.misc.number1", setter: fld_set}]},
- "number2": {to:[{field: "rsa.misc.number2", setter: fld_set}]},
- "nwe.callback_id": {to:[{field: "rsa.internal.nwe_callback_id", setter: fld_set}]},
- "nwwn": {to:[{field: "rsa.misc.nwwn", setter: fld_set}]},
- "obj_id": {to:[{field: "rsa.internal.obj_id", setter: fld_set}]},
- "obj_name": {to:[{field: "rsa.misc.obj_name", setter: fld_set}]},
- "obj_server": {to:[{field: "rsa.internal.obj_server", setter: fld_set}]},
- "obj_type": {to:[{field: "rsa.misc.obj_type", setter: fld_set}]},
- "obj_value": {to:[{field: "rsa.internal.obj_val", setter: fld_set}]},
- "object": {to:[{field: "rsa.misc.object", setter: fld_set}]},
- "observed_val": {to:[{field: "rsa.misc.observed_val", setter: fld_set}]},
- "operation": {to:[{field: "rsa.misc.operation", setter: fld_set}]},
- "operation_id": {to:[{field: "rsa.misc.operation_id", setter: fld_set}]},
- "opkt": {to:[{field: "rsa.misc.opkt", setter: fld_set}]},
- "org.dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 1}]},
- "org.src": {to:[{field: "rsa.physical.org_src", setter: fld_set}]},
- "org_dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 0}]},
- "orig_from": {to:[{field: "rsa.misc.orig_from", setter: fld_set}]},
- "origin": {to:[{field: "rsa.network.origin", setter: fld_set}]},
- "original_owner": {to:[{field: "rsa.identity.owner", setter: fld_set}]},
- "os": {to:[{field: "rsa.misc.OS", setter: fld_set}]},
- "owner_id": {to:[{field: "rsa.misc.owner_id", setter: fld_set}]},
- "p_action": {to:[{field: "rsa.misc.p_action", setter: fld_set}]},
- "p_date": {to:[{field: "rsa.time.p_date", setter: fld_set}]},
- "p_filter": {to:[{field: "rsa.misc.p_filter", setter: fld_set}]},
- "p_group_object": {to:[{field: "rsa.misc.p_group_object", setter: fld_set}]},
- "p_id": {to:[{field: "rsa.misc.p_id", setter: fld_set}]},
- "p_month": {to:[{field: "rsa.time.p_month", setter: fld_set}]},
- "p_msgid": {to:[{field: "rsa.misc.p_msgid", setter: fld_set}]},
- "p_msgid1": {to:[{field: "rsa.misc.p_msgid1", setter: fld_set}]},
- "p_msgid2": {to:[{field: "rsa.misc.p_msgid2", setter: fld_set}]},
- "p_result1": {to:[{field: "rsa.misc.p_result1", setter: fld_set}]},
- "p_time": {to:[{field: "rsa.time.p_time", setter: fld_set}]},
- "p_time1": {to:[{field: "rsa.time.p_time1", setter: fld_set}]},
- "p_time2": {to:[{field: "rsa.time.p_time2", setter: fld_set}]},
- "p_url": {to:[{field: "rsa.web.p_url", setter: fld_set}]},
- "p_user_agent": {to:[{field: "rsa.web.p_user_agent", setter: fld_set}]},
- "p_web_cookie": {to:[{field: "rsa.web.p_web_cookie", setter: fld_set}]},
- "p_web_method": {to:[{field: "rsa.web.p_web_method", setter: fld_set}]},
- "p_web_referer": {to:[{field: "rsa.web.p_web_referer", setter: fld_set}]},
- "p_year": {to:[{field: "rsa.time.p_year", setter: fld_set}]},
- "packet_length": {to:[{field: "rsa.network.packet_length", setter: fld_set}]},
- "paddr": {convert: to_ip, to:[{field: "rsa.network.paddr", setter: fld_set}]},
- "param": {to:[{field: "rsa.misc.param", setter: fld_set}]},
- "param.dst": {to:[{field: "rsa.misc.param_dst", setter: fld_set}]},
- "param.src": {to:[{field: "rsa.misc.param_src", setter: fld_set}]},
- "parent_node": {to:[{field: "rsa.misc.parent_node", setter: fld_set}]},
- "parse.error": {to:[{field: "rsa.internal.parse_error", setter: fld_set}]},
- "password": {to:[{field: "rsa.identity.password", setter: fld_set}]},
- "password_chg": {to:[{field: "rsa.misc.password_chg", setter: fld_set}]},
- "password_expire": {to:[{field: "rsa.misc.password_expire", setter: fld_set}]},
- "patient_fname": {to:[{field: "rsa.healthcare.patient_fname", setter: fld_set}]},
- "patient_id": {to:[{field: "rsa.healthcare.patient_id", setter: fld_set}]},
- "patient_lname": {to:[{field: "rsa.healthcare.patient_lname", setter: fld_set}]},
- "patient_mname": {to:[{field: "rsa.healthcare.patient_mname", setter: fld_set}]},
- "payload.req": {convert: to_long, to:[{field: "rsa.internal.payload_req", setter: fld_set}]},
- "payload.res": {convert: to_long, to:[{field: "rsa.internal.payload_res", setter: fld_set}]},
- "peer": {to:[{field: "rsa.crypto.peer", setter: fld_set}]},
- "peer_id": {to:[{field: "rsa.crypto.peer_id", setter: fld_set}]},
- "permgranted": {to:[{field: "rsa.misc.permgranted", setter: fld_set}]},
- "permissions": {to:[{field: "rsa.db.permissions", setter: fld_set}]},
- "permwanted": {to:[{field: "rsa.misc.permwanted", setter: fld_set}]},
- "pgid": {to:[{field: "rsa.misc.pgid", setter: fld_set}]},
- "phone_number": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 2}]},
- "phost": {to:[{field: "rsa.network.phost", setter: fld_set}]},
- "pid": {to:[{field: "rsa.misc.pid", setter: fld_set}]},
- "policy": {to:[{field: "rsa.misc.policy", setter: fld_set}]},
- "policyUUID": {to:[{field: "rsa.misc.policyUUID", setter: fld_set}]},
- "policy_id": {to:[{field: "rsa.misc.policy_id", setter: fld_set}]},
- "policy_value": {to:[{field: "rsa.misc.policy_value", setter: fld_set}]},
- "policy_waiver": {to:[{field: "rsa.misc.policy_waiver", setter: fld_set}]},
- "policyname": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 0}]},
- "pool_id": {to:[{field: "rsa.misc.pool_id", setter: fld_set}]},
- "pool_name": {to:[{field: "rsa.misc.pool_name", setter: fld_set}]},
- "port": {convert: to_long, to:[{field: "rsa.network.port", setter: fld_set}]},
- "portname": {to:[{field: "rsa.misc.port_name", setter: fld_set}]},
- "pread": {convert: to_long, to:[{field: "rsa.db.pread", setter: fld_set}]},
- "priority": {to:[{field: "rsa.misc.priority", setter: fld_set}]},
- "privilege": {to:[{field: "rsa.file.privilege", setter: fld_set}]},
- "process.vid.dst": {to:[{field: "rsa.internal.process_vid_dst", setter: fld_set}]},
- "process.vid.src": {to:[{field: "rsa.internal.process_vid_src", setter: fld_set}]},
- "process_id_val": {to:[{field: "rsa.misc.process_id_val", setter: fld_set}]},
- "processing_time": {to:[{field: "rsa.time.process_time", setter: fld_set}]},
- "profile": {to:[{field: "rsa.identity.profile", setter: fld_set}]},
- "prog_asp_num": {to:[{field: "rsa.misc.prog_asp_num", setter: fld_set}]},
- "program": {to:[{field: "rsa.misc.program", setter: fld_set}]},
- "protocol_detail": {to:[{field: "rsa.network.protocol_detail", setter: fld_set}]},
- "pwwn": {to:[{field: "rsa.storage.pwwn", setter: fld_set}]},
- "r_hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
- "real_data": {to:[{field: "rsa.misc.real_data", setter: fld_set}]},
- "realm": {to:[{field: "rsa.identity.realm", setter: fld_set}]},
- "reason": {to:[{field: "rsa.misc.reason", setter: fld_set}]},
- "rec_asp_device": {to:[{field: "rsa.misc.rec_asp_device", setter: fld_set}]},
- "rec_asp_num": {to:[{field: "rsa.misc.rec_asp_num", setter: fld_set}]},
- "rec_library": {to:[{field: "rsa.misc.rec_library", setter: fld_set}]},
- "recorded_time": {convert: to_date, to:[{field: "rsa.time.recorded_time", setter: fld_set}]},
- "recordnum": {to:[{field: "rsa.misc.recordnum", setter: fld_set}]},
- "registry.key": {to:[{field: "rsa.endpoint.registry_key", setter: fld_set}]},
- "registry.value": {to:[{field: "rsa.endpoint.registry_value", setter: fld_set}]},
- "remote_domain": {to:[{field: "rsa.web.remote_domain", setter: fld_set}]},
- "remote_domain_id": {to:[{field: "rsa.network.remote_domain_id", setter: fld_set}]},
- "reputation_num": {convert: to_double, to:[{field: "rsa.web.reputation_num", setter: fld_set}]},
- "resource": {to:[{field: "rsa.internal.resource", setter: fld_set}]},
- "resource_class": {to:[{field: "rsa.internal.resource_class", setter: fld_set}]},
- "result": {to:[{field: "rsa.misc.result", setter: fld_set}]},
- "result_code": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 1}]},
- "resultcode": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 0}]},
- "rid": {convert: to_long, to:[{field: "rsa.internal.rid", setter: fld_set}]},
- "risk":
{to:[{field: "rsa.misc.risk", setter: fld_set}]}, - "risk_info": {to:[{field: "rsa.misc.risk_info", setter: fld_set}]}, - "risk_num": {convert: to_double, to:[{field: "rsa.misc.risk_num", setter: fld_set}]}, - "risk_num_comm": {convert: to_double, to:[{field: "rsa.misc.risk_num_comm", setter: fld_set}]}, - "risk_num_next": {convert: to_double, to:[{field: "rsa.misc.risk_num_next", setter: fld_set}]}, - "risk_num_sand": {convert: to_double, to:[{field: "rsa.misc.risk_num_sand", setter: fld_set}]}, - "risk_num_static": {convert: to_double, to:[{field: "rsa.misc.risk_num_static", setter: fld_set}]}, - "risk_suspicious": {to:[{field: "rsa.misc.risk_suspicious", setter: fld_set}]}, - "risk_warning": {to:[{field: "rsa.misc.risk_warning", setter: fld_set}]}, - "rpayload": {to:[{field: "rsa.network.rpayload", setter: fld_set}]}, - "ruid": {to:[{field: "rsa.misc.ruid", setter: fld_set}]}, - "rule": {to:[{field: "rsa.misc.rule", setter: fld_set}]}, - "rule_group": {to:[{field: "rsa.misc.rule_group", setter: fld_set}]}, - "rule_template": {to:[{field: "rsa.misc.rule_template", setter: fld_set}]}, - "rule_uid": {to:[{field: "rsa.misc.rule_uid", setter: fld_set}]}, - "rulename": {to:[{field: "rsa.misc.rule_name", setter: fld_set}]}, - "s_certauth": {to:[{field: "rsa.crypto.s_certauth", setter: fld_set}]}, - "s_cipher": {to:[{field: "rsa.crypto.cipher_src", setter: fld_set}]}, - "s_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_src", setter: fld_set}]}, - "s_context": {to:[{field: "rsa.misc.context_subject", setter: fld_set}]}, - "s_sslver": {to:[{field: "rsa.crypto.ssl_ver_src", setter: fld_set}]}, - "sburb": {to:[{field: "rsa.misc.sburb", setter: fld_set}]}, - "scheme": {to:[{field: "rsa.crypto.scheme", setter: fld_set}]}, - "sdomain_fld": {to:[{field: "rsa.misc.sdomain_fld", setter: fld_set}]}, - "search.text": {to:[{field: "rsa.misc.search_text", setter: fld_set}]}, - "sec": {to:[{field: "rsa.misc.sec", setter: fld_set}]}, - "second": {to:[{field: 
"rsa.misc.second", setter: fld_set}]}, - "sensor": {to:[{field: "rsa.misc.sensor", setter: fld_set}]}, - "sensorname": {to:[{field: "rsa.misc.sensorname", setter: fld_set}]}, - "seqnum": {to:[{field: "rsa.misc.seqnum", setter: fld_set}]}, - "serial_number": {to:[{field: "rsa.misc.serial_number", setter: fld_set}]}, - "service.account": {to:[{field: "rsa.identity.service_account", setter: fld_set}]}, - "session": {to:[{field: "rsa.misc.session", setter: fld_set}]}, - "session.split": {to:[{field: "rsa.internal.session_split", setter: fld_set}]}, - "sessionid": {to:[{field: "rsa.misc.log_session_id", setter: fld_set}]}, - "sessionid1": {to:[{field: "rsa.misc.log_session_id1", setter: fld_set}]}, - "sessiontype": {to:[{field: "rsa.misc.sessiontype", setter: fld_set}]}, - "severity": {to:[{field: "rsa.misc.severity", setter: fld_set}]}, - "sid": {to:[{field: "rsa.identity.user_sid_dst", setter: fld_set}]}, - "sig.name": {to:[{field: "rsa.misc.sig_name", setter: fld_set}]}, - "sigUUID": {to:[{field: "rsa.misc.sigUUID", setter: fld_set}]}, - "sigcat": {to:[{field: "rsa.misc.sigcat", setter: fld_set}]}, - "sigid": {convert: to_long, to:[{field: "rsa.misc.sig_id", setter: fld_set}]}, - "sigid1": {convert: to_long, to:[{field: "rsa.misc.sig_id1", setter: fld_set}]}, - "sigid_string": {to:[{field: "rsa.misc.sig_id_str", setter: fld_set}]}, - "signame": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 1}]}, - "sigtype": {to:[{field: "rsa.crypto.sig_type", setter: fld_set}]}, - "sinterface": {to:[{field: "rsa.network.sinterface", setter: fld_set}]}, - "site": {to:[{field: "rsa.internal.site", setter: fld_set}]}, - "size": {convert: to_long, to:[{field: "rsa.internal.size", setter: fld_set}]}, - "smask": {to:[{field: "rsa.network.smask", setter: fld_set}]}, - "snmp.oid": {to:[{field: "rsa.misc.snmp_oid", setter: fld_set}]}, - "snmp.value": {to:[{field: "rsa.misc.snmp_value", setter: fld_set}]}, - "sourcefile": {to:[{field: "rsa.internal.sourcefile", setter: 
fld_set}]}, - "space": {to:[{field: "rsa.misc.space", setter: fld_set}]}, - "space1": {to:[{field: "rsa.misc.space1", setter: fld_set}]}, - "spi": {to:[{field: "rsa.misc.spi", setter: fld_set}]}, - "sql": {to:[{field: "rsa.misc.sql", setter: fld_set}]}, - "src_dn": {to:[{field: "rsa.identity.dn_src", setter: fld_set}]}, - "src_payload": {to:[{field: "rsa.misc.payload_src", setter: fld_set}]}, - "src_spi": {to:[{field: "rsa.misc.spi_src", setter: fld_set}]}, - "src_zone": {to:[{field: "rsa.network.zone_src", setter: fld_set}]}, - "srcburb": {to:[{field: "rsa.misc.srcburb", setter: fld_set}]}, - "srcdom": {to:[{field: "rsa.misc.srcdom", setter: fld_set}]}, - "srcservice": {to:[{field: "rsa.misc.srcservice", setter: fld_set}]}, - "ssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 0}]}, - "stamp": {convert: to_date, to:[{field: "rsa.time.stamp", setter: fld_set}]}, - "starttime": {convert: to_date, to:[{field: "rsa.time.starttime", setter: fld_set}]}, - "state": {to:[{field: "rsa.misc.state", setter: fld_set}]}, - "statement": {to:[{field: "rsa.internal.statement", setter: fld_set}]}, - "status": {to:[{field: "rsa.misc.status", setter: fld_set}]}, - "status1": {to:[{field: "rsa.misc.status1", setter: fld_set}]}, - "streams": {convert: to_long, to:[{field: "rsa.misc.streams", setter: fld_set}]}, - "subcategory": {to:[{field: "rsa.misc.subcategory", setter: fld_set}]}, - "subject": {to:[{field: "rsa.email.subject", setter: fld_set}]}, - "svcno": {to:[{field: "rsa.misc.svcno", setter: fld_set}]}, - "system": {to:[{field: "rsa.misc.system", setter: fld_set}]}, - "t_context": {to:[{field: "rsa.misc.context_target", setter: fld_set}]}, - "task_name": {to:[{field: "rsa.file.task_name", setter: fld_set}]}, - "tbdstr1": {to:[{field: "rsa.misc.tbdstr1", setter: fld_set}]}, - "tbdstr2": {to:[{field: "rsa.misc.tbdstr2", setter: fld_set}]}, - "tbl_name": {to:[{field: "rsa.db.table_name", setter: fld_set}]}, - "tcp_flags": {convert: to_long, to:[{field: 
"rsa.misc.tcp_flags", setter: fld_set}]}, - "terminal": {to:[{field: "rsa.misc.terminal", setter: fld_set}]}, - "tgtdom": {to:[{field: "rsa.misc.tgtdom", setter: fld_set}]}, - "tgtdomain": {to:[{field: "rsa.misc.tgtdomain", setter: fld_set}]}, - "threat_name": {to:[{field: "rsa.threat.threat_category", setter: fld_set}]}, - "threat_source": {to:[{field: "rsa.threat.threat_source", setter: fld_set}]}, - "threat_val": {to:[{field: "rsa.threat.threat_desc", setter: fld_set}]}, - "threshold": {to:[{field: "rsa.misc.threshold", setter: fld_set}]}, - "time": {convert: to_date, to:[{field: "rsa.internal.time", setter: fld_set}]}, - "timestamp": {to:[{field: "rsa.time.timestamp", setter: fld_set}]}, - "timezone": {to:[{field: "rsa.time.timezone", setter: fld_set}]}, - "to": {to:[{field: "rsa.email.email_dst", setter: fld_set}]}, - "tos": {convert: to_long, to:[{field: "rsa.misc.tos", setter: fld_set}]}, - "trans_from": {to:[{field: "rsa.email.trans_from", setter: fld_set}]}, - "trans_id": {to:[{field: "rsa.db.transact_id", setter: fld_set}]}, - "trans_to": {to:[{field: "rsa.email.trans_to", setter: fld_set}]}, - "trigger_desc": {to:[{field: "rsa.misc.trigger_desc", setter: fld_set}]}, - "trigger_val": {to:[{field: "rsa.misc.trigger_val", setter: fld_set}]}, - "type": {to:[{field: "rsa.misc.type", setter: fld_set}]}, - "type1": {to:[{field: "rsa.misc.type1", setter: fld_set}]}, - "tzone": {to:[{field: "rsa.time.tzone", setter: fld_set}]}, - "ubc.req": {convert: to_long, to:[{field: "rsa.internal.ubc_req", setter: fld_set}]}, - "ubc.res": {convert: to_long, to:[{field: "rsa.internal.ubc_res", setter: fld_set}]}, - "udb_class": {to:[{field: "rsa.misc.udb_class", setter: fld_set}]}, - "url_fld": {to:[{field: "rsa.misc.url_fld", setter: fld_set}]}, - "urlpage": {to:[{field: "rsa.web.urlpage", setter: fld_set}]}, - "urlroot": {to:[{field: "rsa.web.urlroot", setter: fld_set}]}, - "user_address": {to:[{field: "rsa.email.email", setter: fld_append}]}, - "user_dept": {to:[{field: 
"rsa.identity.user_dept", setter: fld_set}]}, - "user_div": {to:[{field: "rsa.misc.user_div", setter: fld_set}]}, - "user_fname": {to:[{field: "rsa.identity.firstname", setter: fld_set}]}, - "user_lname": {to:[{field: "rsa.identity.lastname", setter: fld_set}]}, - "user_mname": {to:[{field: "rsa.identity.middlename", setter: fld_set}]}, - "user_org": {to:[{field: "rsa.identity.org", setter: fld_set}]}, - "user_role": {to:[{field: "rsa.identity.user_role", setter: fld_set}]}, - "userid": {to:[{field: "rsa.misc.userid", setter: fld_set}]}, - "username_fld": {to:[{field: "rsa.misc.username_fld", setter: fld_set}]}, - "utcstamp": {to:[{field: "rsa.misc.utcstamp", setter: fld_set}]}, - "v_instafname": {to:[{field: "rsa.misc.v_instafname", setter: fld_set}]}, - "vendor_event_cat": {to:[{field: "rsa.investigations.event_vcat", setter: fld_set}]}, - "version": {to:[{field: "rsa.misc.version", setter: fld_set}]}, - "vid": {to:[{field: "rsa.internal.msg_vid", setter: fld_set}]}, - "virt_data": {to:[{field: "rsa.misc.virt_data", setter: fld_set}]}, - "virusname": {to:[{field: "rsa.misc.virusname", setter: fld_set}]}, - "vlan": {convert: to_long, to:[{field: "rsa.network.vlan", setter: fld_set}]}, - "vlan.name": {to:[{field: "rsa.network.vlan_name", setter: fld_set}]}, - "vm_target": {to:[{field: "rsa.misc.vm_target", setter: fld_set}]}, - "vpnid": {to:[{field: "rsa.misc.vpnid", setter: fld_set}]}, - "vsys": {to:[{field: "rsa.misc.vsys", setter: fld_set}]}, - "vuln_ref": {to:[{field: "rsa.misc.vuln_ref", setter: fld_set}]}, - "web_cookie": {to:[{field: "rsa.web.web_cookie", setter: fld_set}]}, - "web_extension_tmp": {to:[{field: "rsa.web.web_extension_tmp", setter: fld_set}]}, - "web_host": {to:[{field: "rsa.web.alias_host", setter: fld_set}]}, - "web_method": {to:[{field: "rsa.misc.action", setter: fld_append}]}, - "web_page": {to:[{field: "rsa.web.web_page", setter: fld_set}]}, - "web_ref_domain": {to:[{field: "rsa.web.web_ref_domain", setter: fld_set}]}, - "web_ref_host": 
{to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "web_ref_page": {to:[{field: "rsa.web.web_ref_page", setter: fld_set}]}, - "web_ref_query": {to:[{field: "rsa.web.web_ref_query", setter: fld_set}]}, - "web_ref_root": {to:[{field: "rsa.web.web_ref_root", setter: fld_set}]}, - "wifi_channel": {convert: to_long, to:[{field: "rsa.wireless.wlan_channel", setter: fld_set}]}, - "wlan": {to:[{field: "rsa.wireless.wlan_name", setter: fld_set}]}, - "word": {to:[{field: "rsa.internal.word", setter: fld_set}]}, - "workspace_desc": {to:[{field: "rsa.misc.workspace", setter: fld_set}]}, - "workstation": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "year": {to:[{field: "rsa.time.year", setter: fld_set}]}, - "zone": {to:[{field: "rsa.network.zone", setter: fld_set}]}, - }; - - function to_date(value) { - switch (typeof (value)) { - case "object": - // This is a Date. But as it was obtained from evt.Get(), the VM - // doesn't see it as a JS Date anymore, thus value instanceof Date === false. - // Have to trust that any object here is a valid Date for Go. - return value; - case "string": - var asDate = new Date(value); - if (!isNaN(asDate)) return asDate; - } - } - - // ECMAScript 5.1 doesn't have Object.MAX_SAFE_INTEGER / Object.MIN_SAFE_INTEGER. - var maxSafeInt = Math.pow(2, 53) - 1; - var minSafeInt = -maxSafeInt; - - function to_long(value) { - var num = parseInt(value); - // Better not to index a number if it's not safe (above 53 bits). - return !isNaN(num) && minSafeInt <= num && num <= maxSafeInt ? 
num : undefined; - } - - function to_ip(value) { - if (value.indexOf(":") === -1) - return to_ipv4(value); - return to_ipv6(value); - } - - var ipv4_regex = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/; - var ipv6_hex_regex = /^[0-9A-Fa-f]{1,4}$/; - - function to_ipv4(value) { - var result = ipv4_regex.exec(value); - if (result == null || result.length !== 5) return; - for (var i = 1; i < 5; i++) { - var num = strictToInt(result[i]); - if (isNaN(num) || num < 0 || num > 255) return; - } - return value; - } - - function to_ipv6(value) { - var sqEnd = value.indexOf("]"); - if (sqEnd > -1) { - if (value.charAt(0) !== "[") return; - value = value.substr(1, sqEnd - 1); - } - var zoneOffset = value.indexOf("%"); - if (zoneOffset > -1) { - value = value.substr(0, zoneOffset); - } - var parts = value.split(":"); - if (parts == null || parts.length < 3 || parts.length > 8) return; - var numEmpty = 0; - var innerEmpty = 0; - for (var i = 0; i < parts.length; i++) { - if (parts[i].length === 0) { - numEmpty++; - if (i > 0 && i + 1 < parts.length) innerEmpty++; - } else if (!parts[i].match(ipv6_hex_regex) && - // Accept an IPv6 with a valid IPv4 at the end. - ((i + 1 < parts.length) || !to_ipv4(parts[i]))) { - return; - } - } - return innerEmpty === 0 && parts.length === 8 || innerEmpty === 1 ? value : undefined; - } - - function to_double(value) { - return parseFloat(value); - } - - function to_mac(value) { - // ES doesn't have a mac datatype so it's safe to ingest whatever was captured. - return value; - } - - function to_lowercase(value) { - // to_lowercase is used against keyword fields, which can accept - // any other type (numbers, dates). - return typeof(value) === "string"? 
value.toLowerCase() : value; - } - - function fld_set(dst, value) { - dst[this.field] = { v: value }; - } - - function fld_append(dst, value) { - if (dst[this.field] === undefined) { - dst[this.field] = { v: [value] }; - } else { - var base = dst[this.field]; - if (base.v.indexOf(value)===-1) base.v.push(value); - } - } - - function fld_prio(dst, value) { - if (dst[this.field] === undefined) { - dst[this.field] = { v: value, prio: this.prio}; - } else if(this.prio < dst[this.field].prio) { - dst[this.field].v = value; - dst[this.field].prio = this.prio; - } - } - - var valid_ecs_outcome = { - 'failure': true, - 'success': true, - 'unknown': true - }; - - function fld_ecs_outcome(dst, value) { - value = value.toLowerCase(); - if (valid_ecs_outcome[value] === undefined) { - value = 'unknown'; - } - if (dst[this.field] === undefined) { - dst[this.field] = { v: value }; - } else if (dst[this.field].v === 'unknown') { - dst[this.field] = { v: value }; - } - } - - function map_all(evt, targets, value) { - for (var i = 0; i < targets.length; i++) { - evt.Put(targets[i], value); - } - } - - function populate_fields(evt) { - var base = evt.Get(FIELDS_OBJECT); - if (base === null) return; - alternate_datetime(evt); - if (map_ecs) { - do_populate(evt, base, ecs_mappings); - } - if (map_rsa) { - do_populate(evt, base, rsa_mappings); - } - if (keep_raw) { - evt.Put("rsa.raw", base); - } - evt.Delete(FIELDS_OBJECT); - } - - var datetime_alt_components = [ - {field: "day", fmts: [[dF]]}, - {field: "year", fmts: [[dW]]}, - {field: "month", fmts: [[dB],[dG]]}, - {field: "date", fmts: [[dW,dSkip,dG,dSkip,dF],[dW,dSkip,dB,dSkip,dF],[dW,dSkip,dR,dSkip,dF]]}, - {field: "hour", fmts: [[dN]]}, - {field: "min", fmts: [[dU]]}, - {field: "secs", fmts: [[dO]]}, - {field: "time", fmts: [[dN, dSkip, dU, dSkip, dO]]}, - ]; - - function alternate_datetime(evt) { - if (evt.Get(FIELDS_PREFIX + "event_time") != null) { - return; - } - var tzOffset = tz_offset; - if (tzOffset === "event") { - 
tzOffset = evt.Get("event.timezone"); - } - var container = new DateContainer(tzOffset); - for (var i=0; i} Hit-count = %{dclass_counter1}"); - - var dup60 = setc("dclass_counter1_string","Hit Count"); - - var dup61 = setc("eventcategory","1603100000"); - - var dup62 = setc("eventcategory","1701020000"); - - var dup63 = setc("eventcategory","1801000000"); - - var dup64 = match("MESSAGE#372:TACACS_ACCOUNTING_MESSAGE:09/0", "nwparser.payload", "%{action}: %{p0}"); - - var dup65 = match("MESSAGE#372:TACACS_ACCOUNTING_MESSAGE:09/1_0", "nwparser.p0", "%{saddr}@%{terminal}: %{p0}"); - - var dup66 = match("MESSAGE#372:TACACS_ACCOUNTING_MESSAGE:09/1_1", "nwparser.p0", "%{fld1->} %{p0}"); - - var dup67 = match("MESSAGE#372:TACACS_ACCOUNTING_MESSAGE:09/3_0", "nwparser.p0", "(%{result})%{info}"); - - var dup68 = match_copy("MESSAGE#372:TACACS_ACCOUNTING_MESSAGE:09/3_1", "nwparser.p0", "info"); - - var dup69 = match("MESSAGE#238:IF_XCVR_WARNING/0", "nwparser.payload", "Interface %{interface}, %{p0}"); - - var dup70 = match("MESSAGE#238:IF_XCVR_WARNING/1_0", "nwparser.p0", "Low %{p0}"); - - var dup71 = match("MESSAGE#238:IF_XCVR_WARNING/1_1", "nwparser.p0", "High %{p0}"); - - var dup72 = setc("ec_outcome","Error"); - - var dup73 = setc("eventcategory","1703000000"); - - var dup74 = setc("obj_type","vPC"); - - var dup75 = setc("ec_subject","OS"); - - var dup76 = setc("ec_activity","Start"); - - var dup77 = setc("eventcategory","1801010000"); - - var dup78 = setc("ec_activity","Receive"); - - var dup79 = setc("ec_activity","Send"); - - var dup80 = setc("ec_activity","Create"); - - var dup81 = setc("event_description","Switchover completed."); - - var dup82 = setc("event_description","Invalid user"); - - var dup83 = setc("eventcategory","1401000000"); - - var dup84 = setc("ec_subject","Service"); - - var dup85 = setc("event_description","Duplicate address Detected."); - - var dup86 = match_copy("MESSAGE#0:LOG-7-SYSTEM_MSG", "nwparser.payload", "event_description", 
processor_chain([ - dup1, - dup2, - dup3, - dup4, - ])); - - var dup87 = match_copy("MESSAGE#32:NEIGHBOR_UPDATE_AUTOCOPY", "nwparser.payload", "event_description", processor_chain([ - dup15, - dup2, - dup3, - dup4, - ])); - - var dup88 = match("MESSAGE#35:IF_DOWN_ADMIN_DOWN", "nwparser.payload", "Interface %{interface->} is down (%{result})", processor_chain([ - dup23, - dup2, - dup3, - dup4, - ])); - - var dup89 = match("MESSAGE#36:IF_DOWN_ADMIN_DOWN:01", "nwparser.payload", "%{fld43->} Interface %{interface->} is down (%{result})", processor_chain([ - dup23, - dup2, - dup3, - dup4, - ])); - - var dup90 = match("MESSAGE#37:IF_DOWN_CHANNEL_MEMBERSHIP_UPDATE_IN_PROGRESS", "nwparser.payload", "Interface %{interface->} is down (%{result})", processor_chain([ - dup15, - dup2, - dup3, - dup4, - ])); - - var dup91 = match("MESSAGE#38:IF_DOWN_INTERFACE_REMOVED", "nwparser.payload", "Interface %{interface->} is down (%{result})", processor_chain([ - dup24, - dup2, - dup3, - dup4, - ])); - - var dup92 = linear_select([ - dup26, - dup27, - ]); - - var dup93 = match_copy("MESSAGE#58:IM_SEQ_ERROR", "nwparser.payload", "result", processor_chain([ - dup1, - dup2, - dup3, - dup4, - ])); - - var dup94 = match_copy("MESSAGE#88:PFM_VEM_REMOVE_NO_HB", "nwparser.payload", "event_description", processor_chain([ - dup24, - dup2, - dup3, - dup4, - ])); - - var dup95 = match("MESSAGE#108:IF_DOWN_INITIALIZING:01", "nwparser.payload", "%{fld43->} Interface %{interface->} is down (%{result})", processor_chain([ - dup15, - dup2, - dup3, - dup4, - ])); - - var dup96 = match("MESSAGE#110:IF_DOWN_NONE:01", "nwparser.payload", "%{fld52->} Interface %{interface->} is down (%{result})", processor_chain([ - dup23, - dup34, - dup35, - dup14, - dup2, - dup3, - dup4, - ])); - - var dup97 = match_copy("MESSAGE#123:PORT_PROFILE_CHANGE_VERIFY_REQ_FAILURE", "nwparser.payload", "event_description", processor_chain([ - dup33, - dup2, - dup3, - dup4, - ])); - - var dup98 = linear_select([ - dup46, - dup47, - 
]); - - var dup99 = linear_select([ - dup49, - dup50, - ]); - - var dup100 = linear_select([ - dup54, - dup55, - ]); - - var dup101 = linear_select([ - dup57, - dup58, - ]); - - var dup102 = match_copy("MESSAGE#214:NOHMS_DIAG_ERR_PS_FAIL", "nwparser.payload", "event_description", processor_chain([ - dup23, - dup2, - dup3, - dup4, - ])); - - var dup103 = linear_select([ - dup65, - dup66, - ]); - - var dup104 = linear_select([ - dup67, - dup68, - ]); - - var dup105 = match("MESSAGE#224:IF_SFP_WARNING", "nwparser.payload", "Interface %{interface}, %{event_description}", processor_chain([ - dup15, - dup2, - dup3, - dup4, - ])); - - var dup106 = match("MESSAGE#225:IF_DOWN_TCP_MAX_RETRANSMIT", "nwparser.payload", "%{fld43->} Interface %{interface->} is down%{info}", processor_chain([ - dup23, - dup2, - dup3, - dup4, - ])); - - var dup107 = linear_select([ - dup70, - dup71, - ]); - - var dup108 = match("MESSAGE#239:IF_XCVR_WARNING:01", "nwparser.payload", "Interface %{interface}, %{event_description}", processor_chain([ - dup61, - dup2, - dup3, - dup4, - ])); - - var hdr1 = match("HEADER#0:0001", "message", ": %{hfld14->} %{hfld15->} %{hfld16->} %{hfld17->} %{hfld18}: %%{hfld19}-%{hfld20}-%{severity}-%{messageid}:%{payload}", processor_chain([ - setc("header_id","0001"), - ])); - - var hdr2 = match("HEADER#1:0007", "message", "%{hfld14->} %{hfld15->} %{hfld16->} %{hfld17->} %{hfld18}: %%{hfld19}-%{hfld20}-%{severity}-%{messageid}:%{payload}", processor_chain([ - setc("header_id","0007"), - ])); - - var hdr3 = match("HEADER#2:0005", "message", "%{hfld4->} %{hfld5->} %{hfld6->} %{hfld7->} : %{hfld14->} %{hfld15->} %{hfld16->} %{hfld17->} %{timezone}: %%{hfld19}-%{severity}-%{messageid}:%{payload}", processor_chain([ - setc("header_id","0005"), - ])); - - var hdr4 = match("HEADER#3:0002", "message", ": %{hfld14->} %{hfld15->} %{hfld16->} %{hfld17->} %{timezone}: %%{hfld19}-%{severity}-%{messageid}:%{payload}", processor_chain([ - setc("header_id","0002"), - ])); - - var hdr5 
= match("HEADER#4:0012", "message", "%{fld13}: %{hfld14->} %{hfld15->} %{hfld16->} %{hfld17->} %{timezone}: %%{hfld19}-%{severity}-%{messageid}:%{payload}", processor_chain([ - setc("header_id","0012"), - ])); - - var hdr6 = match("HEADER#5:0008", "message", "%{hfld14->} %{hfld15->} %{hfld16->} %{hfld17->} %{timezone}: %%{hfld19}-%{severity}-%{messageid}:%{payload}", processor_chain([ - setc("header_id","0008"), - ])); - - var hdr7 = match("HEADER#6:0011", "message", ": %{hfld14->} %{hfld15->} %{hfld16->} %{hfld17->} %{timezone}: %{messageid}[%{hfld18}]:%{payload}", processor_chain([ - setc("header_id","0011"), - ])); - - var hdr8 = match("HEADER#7:0003", "message", ": %{hfld14->} %{hfld15->} %{hfld16->} %{hfld17->} %{timezone}: %{messageid}:%{payload}", processor_chain([ - setc("header_id","0003"), - ])); - - var hdr9 = match("HEADER#8:0004", "message", ": %{hfld14->} %{hfld15->} %{hfld16->} %{hfld17->} %{timezone}: %{messageid->} %{payload}", processor_chain([ - setc("header_id","0004"), - ])); - - var hdr10 = match("HEADER#9:0009", "message", "%{hfld14->} %{hfld15->} %{hfld16->} %{hfld17->} %{timezone}: %{messageid}:%{payload}", processor_chain([ - setc("header_id","0009"), - ])); - - var hdr11 = match("HEADER#10:0013", "message", "%{fld13}: %{hfld14->} %{hfld15->} %{hfld16->} %{hfld17->} %{timezone}: %{messageid->} %{payload}", processor_chain([ - setc("header_id","0013"), - ])); - - var hdr12 = match("HEADER#11:0010", "message", "%{hfld14->} %{hfld15->} %{hfld16->} %{hfld17->} %{timezone}: %{messageid->} %{payload}", processor_chain([ - setc("header_id","0010"), - ])); - - var select1 = linear_select([ - hdr1, - hdr2, - hdr3, - hdr4, - hdr5, - hdr6, - hdr7, - hdr8, - hdr9, - hdr10, - hdr11, - hdr12, - ]); - - var msg1 = msg("LOG-7-SYSTEM_MSG", dup86); - - var part1 = match("MESSAGE#1:SYSTEM_MSG", "nwparser.payload", "error: PAM: Authentication failure for illegal user %{username->} from %{saddr->} - %{agent}[%{process_id}]", processor_chain([ - dup5, - dup2, - 
dup3, - dup4, - dup6, - ])); - - var msg2 = msg("SYSTEM_MSG", part1); - - var part2 = match("MESSAGE#2:SYSTEM_MSG:12", "nwparser.payload", "error: PAM: Authentication failure for illegal user %{username->} from %{shost}", processor_chain([ - dup5, - dup2, - dup3, - dup4, - dup6, - ])); - - var msg3 = msg("SYSTEM_MSG:12", part2); - - var part3 = match("MESSAGE#3:SYSTEM_MSG:01", "nwparser.payload", "error: PAM: Authentication failure for %{username->} from %{saddr->} - %{agent}[%{process_id}]", processor_chain([ - dup5, - dup2, - dup3, - dup4, - dup7, - ])); - - var msg4 = msg("SYSTEM_MSG:01", part3); - - var part4 = match("MESSAGE#4:SYSTEM_MSG:11", "nwparser.payload", "error: PAM: Authentication failure for %{username->} from %{shost}", processor_chain([ - dup5, - dup2, - dup3, - dup4, - dup7, - ])); - - var msg5 = msg("SYSTEM_MSG:11", part4); - - var part5 = match("MESSAGE#5:SYSTEM_MSG:19/0", "nwparser.payload", "error: maximum authentication attempts exceeded for %{p0}"); - - var part6 = match("MESSAGE#5:SYSTEM_MSG:19/1_0", "nwparser.p0", "invalid user %{username->} from %{p0}"); - - var part7 = match("MESSAGE#5:SYSTEM_MSG:19/1_1", "nwparser.p0", "%{username->} from %{p0}"); - - var select2 = linear_select([ - part6, - part7, - ]); - - var part8 = match("MESSAGE#5:SYSTEM_MSG:19/2", "nwparser.p0", "%{saddr->} port %{sport->} %{protocol->} - %{agent}[%{process_id}]"); - - var all1 = all_match({ - processors: [ - part5, - select2, - part8, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - ]), - }); - - var msg6 = msg("SYSTEM_MSG:19", all1); - - var part9 = match("MESSAGE#6:SYSTEM_MSG:02", "nwparser.payload", "error:%{result}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - ])); - - var msg7 = msg("SYSTEM_MSG:02", part9); - - var part10 = match("MESSAGE#7:SYSTEM_MSG:03/0_0", "nwparser.payload", "(pam_unix)%{p0}"); - - var part11 = match("MESSAGE#7:SYSTEM_MSG:03/0_1", "nwparser.payload", "pam_unix(%{fld1}:%{fld2}):%{p0}"); - - var select3 = 
linear_select([ - part10, - part11, - ]); - - var part12 = match("MESSAGE#7:SYSTEM_MSG:03/1", "nwparser.p0", "%{}authentication failure; logname=%{fld20->} uid=%{fld21->} euid=%{fld22->} tty=%{terminal->} ruser=%{fld24->} rhost=%{p0}"); - - var part13 = match("MESSAGE#7:SYSTEM_MSG:03/2_0", "nwparser.p0", "%{fld25->} user=%{username->} - %{p0}"); - - var part14 = match("MESSAGE#7:SYSTEM_MSG:03/2_1", "nwparser.p0", "%{fld25->} - %{p0}"); - - var select4 = linear_select([ - part13, - part14, - ]); - - var part15 = match_copy("MESSAGE#7:SYSTEM_MSG:03/3", "nwparser.p0", "agent"); - - var all2 = all_match({ - processors: [ - select3, - part12, - select4, - part15, - ], - on_success: processor_chain([ - dup5, - dup2, - dup3, - dup4, - ]), - }); - - var msg8 = msg("SYSTEM_MSG:03", all2); - - var part16 = match("MESSAGE#8:SYSTEM_MSG:04", "nwparser.payload", "(pam_unix) %{event_description}", processor_chain([ - dup8, - dup2, - dup3, - dup4, - ])); - - var msg9 = msg("SYSTEM_MSG:04", part16); - - var part17 = match("MESSAGE#9:SYSTEM_MSG:05/0", "nwparser.payload", "pam_aaa:Authentication failed f%{p0}"); - - var part18 = match("MESSAGE#9:SYSTEM_MSG:05/1_0", "nwparser.p0", "or user %{username->} from%{p0}"); - - var part19 = match("MESSAGE#9:SYSTEM_MSG:05/1_1", "nwparser.p0", "rom%{p0}"); - - var select5 = linear_select([ - part18, - part19, - ]); - - var part20 = match("MESSAGE#9:SYSTEM_MSG:05/2", "nwparser.p0", "%{} %{saddr->} - %{agent}[%{process_id}]"); - - var all3 = all_match({ - processors: [ - part17, - select5, - part20, - ], - on_success: processor_chain([ - dup5, - dup2, - dup3, - dup4, - ]), - }); - - var msg10 = msg("SYSTEM_MSG:05", all3); - - var part21 = match("MESSAGE#10:SYSTEM_MSG:06", "nwparser.payload", "FAILED LOGIN (%{fld20}) on %{fld21->} FOR %{username}, Authentication failure - login[%{process_id}]", processor_chain([ - dup5, - dup2, - dup3, - dup4, - ])); - - var msg11 = msg("SYSTEM_MSG:06", part21); - - var part22 = match("MESSAGE#11:SYSTEM_MSG:07", 
"nwparser.payload", "fatal:%{event_description}", processor_chain([ - dup9, - dup2, - dup3, - dup4, - ])); - - var msg12 = msg("SYSTEM_MSG:07", part22); - - var part23 = match("MESSAGE#12:SYSTEM_MSG:09", "nwparser.payload", "%{fld1}: Host name is set %{hostname->} - kernel", processor_chain([ - dup9, - dup2, - dup3, - dup4, - ])); - - var msg13 = msg("SYSTEM_MSG:09", part23); - - var part24 = match("MESSAGE#13:SYSTEM_MSG:10", "nwparser.payload", "Unauthorized access by NFS client %{saddr}.", processor_chain([ - dup5, - dup2, - dup3, - dup4, - ])); - - var msg14 = msg("SYSTEM_MSG:10", part24); - - var part25 = match("MESSAGE#14:SYSTEM_MSG:13", "nwparser.payload", "%{fld43->} : SNMP UDP authentication failed for %{saddr}.", processor_chain([ - dup5, - dup2, - dup3, - dup4, - ])); - - var msg15 = msg("SYSTEM_MSG:13", part25); - - var part26 = match("MESSAGE#15:SYSTEM_MSG:14", "nwparser.payload", "%{fld43->} : Subsequent authentication success for user (%{username}) failed.", processor_chain([ - dup5, - dup2, - dup3, - dup4, - ])); - - var msg16 = msg("SYSTEM_MSG:14", part26); - - var part27 = match("MESSAGE#16:SYSTEM_MSG:15", "nwparser.payload", "%{fld1->} : TTY=%{terminal->} ; PWD=%{directory->} ; USER=%{username->} ; COMMAND=%{param}", processor_chain([ - dup10, - dup2, - dup3, - dup4, - dup11, - dup12, - ])); - - var msg17 = msg("SYSTEM_MSG:15", part27); - - var part28 = match("MESSAGE#17:SYSTEM_MSG:16", "nwparser.payload", "Login failed for user %{username->} - %{agent}[%{process_id}]", processor_chain([ - dup5, - dup2, - dup3, - dup4, - dup11, - dup13, - dup12, - dup14, - ])); - - var msg18 = msg("SYSTEM_MSG:16", part28); - - var part29 = match("MESSAGE#18:SYSTEM_MSG:17/0", "nwparser.payload", "NTP: Peer %{hostip->} %{p0}"); - - var part30 = match("MESSAGE#18:SYSTEM_MSG:17/1_0", "nwparser.p0", "with stratum %{fld1->} selected - %{p0}"); - - var part31 = match("MESSAGE#18:SYSTEM_MSG:17/1_1", "nwparser.p0", "is %{disposition->} - %{p0}"); - - var select6 = 
linear_select([ - part30, - part31, - ]); - - var part32 = match("MESSAGE#18:SYSTEM_MSG:17/2", "nwparser.p0", "%{agent}[%{process_id}]"); - - var all4 = all_match({ - processors: [ - part29, - select6, - part32, - ], - on_success: processor_chain([ - dup15, - dup2, - dup3, - dup4, - ]), - }); - - var msg19 = msg("SYSTEM_MSG:17", all4); - - var part33 = match("MESSAGE#19:SYSTEM_MSG:20", "nwparser.payload", "New user added with username %{username->} - %{agent}", processor_chain([ - dup10, - dup2, - dup3, - dup4, - dup12, - ])); - - var msg20 = msg("SYSTEM_MSG:20", part33); - - var part34 = match("MESSAGE#20:SYSTEM_MSG:21", "nwparser.payload", "pam_unix(%{fld1}:%{fld2}): password changed for %{username->} - %{agent}", processor_chain([ - dup10, - dup2, - dup3, - dup4, - setc("ec_subject","Password"), - dup16, - dup12, - dup17, - ])); - - var msg21 = msg("SYSTEM_MSG:21", part34); - - var part35 = match("MESSAGE#21:SYSTEM_MSG:22", "nwparser.payload", "pam_unix(%{fld1}:%{fld2}): check pass; user %{username->} - %{agent}", processor_chain([ - dup10, - dup2, - dup3, - dup4, - dup12, - ])); - - var msg22 = msg("SYSTEM_MSG:22", part35); - - var part36 = match("MESSAGE#22:SYSTEM_MSG:23", "nwparser.payload", "new user: name=%{username}, uid=%{uid}, gid=%{fld1}, home=%{directory}, shell=%{fld2->} - %{agent}[%{process_id}]", processor_chain([ - dup18, - dup2, - dup3, - dup4, - dup11, - ])); - - var msg23 = msg("SYSTEM_MSG:23", part36); - - var part37 = match("MESSAGE#23:SYSTEM_MSG:24/0", "nwparser.payload", "delete user %{p0}"); - - var part38 = match("MESSAGE#23:SYSTEM_MSG:24/1_0", "nwparser.p0", "`%{p0}"); - - var part39 = match("MESSAGE#23:SYSTEM_MSG:24/1_1", "nwparser.p0", "'%{p0}"); - - var select7 = linear_select([ - part38, - part39, - ]); - - var part40 = match("MESSAGE#23:SYSTEM_MSG:24/2", "nwparser.p0", "'%{username->} - %{agent}[%{process_id}]"); - - var all5 = all_match({ - processors: [ - part37, - select7, - part40, - ], - on_success: processor_chain([ - dup19, - 
dup2, - dup3, - dup4, - dup11, - dup20, - dup17, - ]), - }); - - var msg24 = msg("SYSTEM_MSG:24", all5); - - var part41 = match("MESSAGE#24:SYSTEM_MSG:08/0_0", "nwparser.payload", "%{event_description->} - %{agent}"); - - var select8 = linear_select([ - part41, - dup21, - ]); - - var all6 = all_match({ - processors: [ - select8, - ], - on_success: processor_chain([ - dup15, - dup2, - dup3, - dup4, - ]), - }); - - var msg25 = msg("SYSTEM_MSG:08", all6); - - var select9 = linear_select([ - msg2, - msg3, - msg4, - msg5, - msg6, - msg7, - msg8, - msg9, - msg10, - msg11, - msg12, - msg13, - msg14, - msg15, - msg16, - msg17, - msg18, - msg19, - msg20, - msg21, - msg22, - msg23, - msg24, - msg25, - ]); - - var part42 = match("MESSAGE#25:VDC_HOSTNAME_CHANGE", "nwparser.payload", "%{fld1->} hostname changed to %{hostname}", processor_chain([ - dup15, - dup2, - dup3, - dup4, - ])); - - var msg26 = msg("VDC_HOSTNAME_CHANGE", part42); - - var part43 = match("MESSAGE#26:POLICY_ACTIVATE_EVENT", "nwparser.payload", "Policy %{policyname->} is activated by profile %{username}", processor_chain([ - dup22, - dup2, - dup3, - dup4, - setc("action","activated"), - setc("event_description","Policy is activated by profile"), - ])); - - var msg27 = msg("POLICY_ACTIVATE_EVENT", part43); - - var part44 = match("MESSAGE#27:POLICY_COMMIT_EVENT", "nwparser.payload", "Commit operation %{disposition}", processor_chain([ - dup15, - dup2, - dup3, - dup4, - ])); - - var msg28 = msg("POLICY_COMMIT_EVENT", part44); - - var part45 = match("MESSAGE#28:POLICY_DEACTIVATE_EVENT", "nwparser.payload", "Policy %{policyname->} is de-activated by last referring profile %{username}", processor_chain([ - setc("eventcategory","1701070000"), - dup2, - dup3, - dup4, - setc("action","de-activated"), - setc("event_description","Policy is de-activated by last referring profile"), - ])); - - var msg29 = msg("POLICY_DEACTIVATE_EVENT", part45); - - var part46 = match("MESSAGE#29:POLICY_LOOKUP_EVENT:01", 
"nwparser.payload", "policy=%{policyname->} rule=%{rulename->} action=%{action->} direction=%{direction->} src.net.ip-address=%{saddr->} src.net.port=%{sport->} dst.net.ip-address=%{daddr->} dst.net.port=%{dport->} net.protocol=%{protocol->} net.ethertype=%{fld2->} dst.zone.name=%{dst_zone->} src.zone.name=%{src_zone}", processor_chain([ - dup15, - dup2, - dup3, - dup4, - ])); - - var msg30 = msg("POLICY_LOOKUP_EVENT:01", part46); - - var part47 = match("MESSAGE#30:POLICY_LOOKUP_EVENT", "nwparser.payload", "policy=%{policyname->} rule=%{rulename->} action=%{action->} direction=%{direction->} src.net.ip-address=%{saddr->} src.net.port=%{sport->} dst.net.ip-address=%{daddr->} dst.net.port=%{dport->} net.protocol=%{protocol->} net.ethertype=%{fld2}", processor_chain([ - dup15, - dup2, - dup3, - dup4, - ])); - - var msg31 = msg("POLICY_LOOKUP_EVENT", part47); - - var part48 = match("MESSAGE#31:POLICY_LOOKUP_EVENT:02", "nwparser.payload", "policy=%{policyname->} rule=%{rulename->} action=%{action->} direction=%{direction->} net.ethertype=%{fld2}", processor_chain([ - dup15, - dup2, - dup3, - dup4, - ])); - - var msg32 = msg("POLICY_LOOKUP_EVENT:02", part48); - - var select10 = linear_select([ - msg30, - msg31, - msg32, - ]); - - var msg33 = msg("NEIGHBOR_UPDATE_AUTOCOPY", dup87); - - var msg34 = msg("MTSERROR", dup86); - - var part49 = match("MESSAGE#34:IF_DOWN_ERROR_DISABLED", "nwparser.payload", "Interface %{interface->} is down (Error disabled. 
Reason:%{result})", processor_chain([ - dup23, - dup2, - dup3, - dup4, - ])); - - var msg35 = msg("IF_DOWN_ERROR_DISABLED", part49); - - var msg36 = msg("IF_DOWN_ADMIN_DOWN", dup88); - - var msg37 = msg("IF_DOWN_ADMIN_DOWN:01", dup89); - - var select11 = linear_select([ - msg36, - msg37, - ]); - - var msg38 = msg("IF_DOWN_CHANNEL_MEMBERSHIP_UPDATE_IN_PROGRESS", dup90); - - var msg39 = msg("IF_DOWN_INTERFACE_REMOVED", dup91); - - var part50 = match("MESSAGE#39:IF_DOWN_LINK_FAILURE", "nwparser.payload", "Interface %{interface->} is down (%{result})", processor_chain([ - dup23, - dup2, - dup3, - dup4, - dup25, - ])); - - var msg40 = msg("IF_DOWN_LINK_FAILURE", part50); - - var msg41 = msg("IF_DOWN_LINK_FAILURE:01", dup89); - - var select12 = linear_select([ - msg40, - msg41, - ]); - - var msg42 = msg("IF_DOWN_MODULE_REMOVED", dup91); - - var msg43 = msg("IF_DOWN_PORT_CHANNEL_MEMBERS_DOWN", dup88); - - var part51 = match("MESSAGE#43:IF_DUPLEX", "nwparser.payload", "Interface %{interface}, operational duplex mode changed to %{result}", processor_chain([ - dup15, - dup2, - dup3, - dup4, - setc("event_description","Interface duplex mode changed"), - ])); - - var msg44 = msg("IF_DUPLEX", part51); - - var part52 = match("MESSAGE#44:IF_RX_FLOW_CONTROL/0", "nwparser.payload", "Interface %{interface}, operational Receive Flow Cont%{p0}"); - - var all7 = all_match({ - processors: [ - part52, - dup92, - dup28, - ], - on_success: processor_chain([ - dup15, - dup2, - dup3, - dup4, - setc("event_description","Interface operational Receive Flow Control state changed"), - ]), - }); - - var msg45 = msg("IF_RX_FLOW_CONTROL", all7); - - var part53 = match_copy("MESSAGE#45:IF_SEQ_ERROR", "nwparser.payload", "result", processor_chain([ - dup23, - dup2, - dup3, - dup4, - ])); - - var msg46 = msg("IF_SEQ_ERROR", part53); - - var part54 = match("MESSAGE#46:IF_TX_FLOW_CONTROL/0", "nwparser.payload", "Interface %{interface}, operational Transmit Flow Cont%{p0}"); - - var all8 = all_match({ - 
processors: [ - part54, - dup92, - dup28, - ], - on_success: processor_chain([ - dup15, - dup2, - dup3, - dup4, - setc("event_description","Interface operational Transmit Flow Control state changed"), - ]), - }); - - var msg47 = msg("IF_TX_FLOW_CONTROL", all8); - - var part55 = match("MESSAGE#47:IF_UP", "nwparser.payload", "%{fld43->} Interface %{sinterface->} is up in mode %{result}", processor_chain([ - dup15, - dup2, - dup3, - dup4, - setc("event_description","Interface is up in mode"), - ])); - - var msg48 = msg("IF_UP", part55); - - var part56 = match("MESSAGE#48:IF_UP:01", "nwparser.payload", "Interface %{sinterface->} is up", processor_chain([ - dup15, - dup2, - dup3, - dup4, - setc("event_description","Interface is up"), - ])); - - var msg49 = msg("IF_UP:01", part56); - - var select13 = linear_select([ - msg48, - msg49, - ]); - - var part57 = match("MESSAGE#49:SPEED", "nwparser.payload", "Interface %{interface}, operational speed changed to %{result}", processor_chain([ - dup15, - dup2, - dup3, - dup4, - setc("event_description","Interface operational speed changed"), - ])); - - var msg50 = msg("SPEED", part57); - - var part58 = match("MESSAGE#50:CREATED", "nwparser.payload", "%{group_object->} created", processor_chain([ - dup29, - dup2, - dup3, - dup4, - ])); - - var msg51 = msg("CREATED", part58); - - var part59 = match("MESSAGE#51:FOP_CHANGED", "nwparser.payload", "%{group_object}: first operational port changed from %{change_old->} to %{change_new}", processor_chain([ - dup30, - dup2, - dup3, - dup4, - ])); - - var msg52 = msg("FOP_CHANGED", part59); - - var part60 = match("MESSAGE#52:PORT_DOWN", "nwparser.payload", "%{group_object}: %{interface->} is down", processor_chain([ - dup23, - dup2, - dup3, - dup4, - ])); - - var msg53 = msg("PORT_DOWN", part60); - - var part61 = match("MESSAGE#53:PORT_UP", "nwparser.payload", "%{group_object}: %{interface->} is up", processor_chain([ - dup15, - dup2, - dup3, - dup4, - ])); - - var msg54 = msg("PORT_UP", 
part61); - - var part62 = match("MESSAGE#54:SUBGROUP_ID_PORT_ADDED", "nwparser.payload", "Interface %{interface->} is added to %{group_object->} with subgroup id %{fld20}", processor_chain([ - dup29, - dup2, - dup3, - dup4, - ])); - - var msg55 = msg("SUBGROUP_ID_PORT_ADDED", part62); - - var part63 = match("MESSAGE#55:SUBGROUP_ID_PORT_REMOVED", "nwparser.payload", "Interface %{interface->} is removed from %{group_object->} with subgroup id %{fld20}", processor_chain([ - dup24, - dup2, - dup3, - dup4, - ])); - - var msg56 = msg("SUBGROUP_ID_PORT_REMOVED", part63); - - var msg57 = msg("MTS_DROP", dup87); - - var msg58 = msg("SYSLOG_LOG_WARNING", dup87); - - var msg59 = msg("IM_SEQ_ERROR", dup93); - - var msg60 = msg("ADDON_IMG_DNLD_COMPLETE", dup87); - - var msg61 = msg("ADDON_IMG_DNLD_STARTED", dup87); - - var msg62 = msg("ADDON_IMG_DNLD_SUCCESSFUL", dup87); - - var msg63 = msg("IMG_DNLD_COMPLETE", dup87); - - var msg64 = msg("IMG_DNLD_STARTED", dup87); - - var part64 = match_copy("MESSAGE#64:PORT_SOFTWARE_FAILURE", "nwparser.payload", "result", processor_chain([ - dup31, - dup2, - dup3, - dup4, - ])); - - var msg65 = msg("PORT_SOFTWARE_FAILURE", part64); - - var msg66 = msg("MSM_CRIT", dup93); - - var part65 = match("MESSAGE#66:LOG_CMP_AAA_FAILURE", "nwparser.payload", "Authentication failed for a login from %{shost->} (%{result})", processor_chain([ - dup5, - dup2, - dup3, - dup4, - dup7, - ])); - - var msg67 = msg("LOG_CMP_AAA_FAILURE", part65); - - var msg68 = msg("LOG_LIC_N1K_EXPIRY_WARNING", dup87); - - var part66 = match("MESSAGE#68:MOD_FAIL", "nwparser.payload", "Initialization of module %{fld20->} (serial: %{serial_number}) failed", processor_chain([ - dup32, - dup2, - dup3, - dup4, - ])); - - var msg69 = msg("MOD_FAIL", part66); - - var part67 = match("MESSAGE#69:MOD_MAJORSWFAIL", "nwparser.payload", "Module %{fld20->} (serial: %{serial_number}) reported a critical failure in service %{fld22}", processor_chain([ - dup33, - dup2, - dup3, - dup4, - ])); - - 
var msg70 = msg("MOD_MAJORSWFAIL", part67); - - var part68 = match("MESSAGE#70:MOD_SRG_NOT_COMPATIBLE", "nwparser.payload", "Module %{fld20->} (serial: %{serial_number}) firmware is not compatible with supervisor, downloading new image", processor_chain([ - dup15, - dup2, - dup3, - dup4, - ])); - - var msg71 = msg("MOD_SRG_NOT_COMPATIBLE", part68); - - var part69 = match("MESSAGE#71:MOD_WARNING:01", "nwparser.payload", "Module %{fld20->} (serial: %{serial_number}) reported warnings on %{info->} due to %{result->} in device %{fld23->} (device error %{fld22})", processor_chain([ - dup32, - dup2, - dup3, - dup4, - ])); - - var msg72 = msg("MOD_WARNING:01", part69); - - var part70 = match("MESSAGE#72:MOD_WARNING", "nwparser.payload", "Module %{fld20->} (serial: %{serial_number}) reported warning %{info->} due to %{result->} in device %{fld23->} (device error %{fld22})", processor_chain([ - dup32, - dup2, - dup3, - dup4, - ])); - - var msg73 = msg("MOD_WARNING", part70); - - var select14 = linear_select([ - msg72, - msg73, - ]); - - var part71 = match("MESSAGE#73:ACTIVE_SUP_OK", "nwparser.payload", "Supervisor %{fld20->} is active (serial: %{serial_number})", processor_chain([ - dup15, - dup2, - dup3, - dup4, - ])); - - var msg74 = msg("ACTIVE_SUP_OK", part71); - - var part72 = match("MESSAGE#74:MOD_OK", "nwparser.payload", "Module %{fld20->} is online (serial: %{serial_number})", processor_chain([ - dup15, - dup2, - dup3, - dup4, - ])); - - var msg75 = msg("MOD_OK", part72); - - var part73 = match("MESSAGE#75:MOD_RESTART", "nwparser.payload", "Module %{fld20->} is restarting after image download", processor_chain([ - dup15, - dup2, - dup3, - dup4, - ])); - - var msg76 = msg("MOD_RESTART", part73); - - var part74 = match("MESSAGE#76:DISPUTE_CLEARED", "nwparser.payload", "Dispute resolved for port %{portname->} on %{vlan}", processor_chain([ - dup8, - dup2, - dup3, - dup4, - setc("event_description","Dispute resolved for port on VLAN"), - ])); - - var msg77 = 
msg("DISPUTE_CLEARED", part74); - - var part75 = match("MESSAGE#77:DISPUTE_DETECTED", "nwparser.payload", "Dispute detected on port %{portname->} on %{vlan}", processor_chain([ - dup8, - dup2, - dup3, - dup4, - setc("event_description","Dispute detected on port on VLAN"), - ])); - - var msg78 = msg("DISPUTE_DETECTED", part75); - - var msg79 = msg("DOMAIN_CFG_SYNC_DONE", dup87); - - var msg80 = msg("CHASSIS_CLKMODOK", dup87); - - var msg81 = msg("CHASSIS_CLKSRC", dup87); - - var msg82 = msg("FAN_OK", dup87); - - var part76 = match("MESSAGE#82:MOD_DETECT", "nwparser.payload", "Module %{fld19->} detected (Serial number %{serial_number}) Module-Type %{fld20->} Model %{fld21}", processor_chain([ - dup15, - dup2, - dup3, - dup4, - ])); - - var msg83 = msg("MOD_DETECT", part76); - - var part77 = match("MESSAGE#83:MOD_PWRDN", "nwparser.payload", "Module %{fld19->} powered down (Serial number %{serial_number})", processor_chain([ - dup15, - dup2, - dup3, - dup4, - ])); - - var msg84 = msg("MOD_PWRDN", part77); - - var part78 = match("MESSAGE#84:MOD_PWRUP", "nwparser.payload", "Module %{fld19->} powered up (Serial number %{serial_number})", processor_chain([ - dup15, - dup2, - dup3, - dup4, - ])); - - var msg85 = msg("MOD_PWRUP", part78); - - var part79 = match("MESSAGE#85:MOD_REMOVE", "nwparser.payload", "Module %{fld19->} removed (Serial number %{serial_number})", processor_chain([ - dup24, - dup2, - dup3, - dup4, - ])); - - var msg86 = msg("MOD_REMOVE", part79); - - var msg87 = msg("PFM_MODULE_POWER_ON", dup87); - - var msg88 = msg("PFM_SYSTEM_RESET", dup87); - - var msg89 = msg("PFM_VEM_REMOVE_NO_HB", dup94); - - var msg90 = msg("PFM_VEM_REMOVE_RESET", dup94); - - var msg91 = msg("PFM_VEM_REMOVE_STATE_CONFLICT", dup94); - - var msg92 = msg("PFM_VEM_REMOVE_TWO_ACT_VSM", dup94); - - var msg93 = msg("PFM_VEM_UNLICENSED", dup87); - - var msg94 = msg("PS_FANOK", dup87); - - var part80 = match("MESSAGE#94:PS_OK", "nwparser.payload", "Power supply %{fld19->} ok (Serial number 
%{serial_number})", processor_chain([ - dup15, - dup2, - dup3, - dup4, - ])); - - var msg95 = msg("PS_OK", part80); - - var part81 = match_copy("MESSAGE#95:MOD_BRINGUP_MULTI_LIMIT", "nwparser.payload", "event_description", processor_chain([ - dup31, - dup2, - dup3, - dup4, - ])); - - var msg96 = msg("MOD_BRINGUP_MULTI_LIMIT", part81); - - var part82 = match("MESSAGE#96:FAN_DETECT", "nwparser.payload", "Fan module %{fld19->} (Serial number %{serial_number}) %{fld20->} detected", processor_chain([ - dup15, - dup2, - dup3, - dup4, - ])); - - var msg97 = msg("FAN_DETECT", part82); - - var msg98 = msg("MOD_STATUS", dup87); - - var part83 = match("MESSAGE#98:PEER_VPC_CFGD_VLANS_CHANGED", "nwparser.payload", "Peer vPC %{obj_name->} configured vlans changed", processor_chain([ - dup15, - dup2, - dup3, - dup4, - setc("event_description","Peer vPC configured vlans changed"), - ])); - - var msg99 = msg("PEER_VPC_CFGD_VLANS_CHANGED", part83); - - var part84 = match("MESSAGE#99:PEER_VPC_DELETED", "nwparser.payload", "Peer vPC %{obj_name->} deleted", processor_chain([ - dup15, - dup2, - dup3, - dup4, - ])); - - var msg100 = msg("PEER_VPC_DELETED", part84); - - var msg101 = msg("PFM_VEM_DETECTED", dup87); - - var part85 = match("MESSAGE#101:PS_FOUND", "nwparser.payload", "Power supply %{fld19->} found (Serial number %{serial_number})", processor_chain([ - dup15, - dup2, - dup3, - dup4, - ])); - - var msg102 = msg("PS_FOUND", part85); - - var part86 = match("MESSAGE#102:PS_STATUS/0_0", "nwparser.payload", "PowerSupply %{fld1->} current-status is %{disposition}"); - - var select15 = linear_select([ - part86, - dup21, - ]); - - var all9 = all_match({ - processors: [ - select15, - ], - on_success: processor_chain([ - dup15, - dup2, - dup3, - dup4, - ]), - }); - - var msg103 = msg("PS_STATUS", all9); - - var part87 = match("MESSAGE#103:PS_CAPACITY_CHANGE:01", "nwparser.payload", "Power supply %{fld1->} changed its capacity. 
possibly due to On/Off or power cable removal/insertion (Serial number %{serial_number})", processor_chain([ - dup15, - dup2, - dup3, - dup4, - ])); - - var msg104 = msg("PS_CAPACITY_CHANGE:01", part87); - - var msg105 = msg("PS_CAPACITY_CHANGE", dup87); - - var select16 = linear_select([ - msg104, - msg105, - ]); - - var msg106 = msg("IF_DOWN_FCOT_NOT_PRESENT", dup88); - - var msg107 = msg("IF_DOWN_FCOT_NOT_PRESENT:01", dup89); - - var select17 = linear_select([ - msg106, - msg107, - ]); - - var msg108 = msg("IF_DOWN_INITIALIZING", dup90); - - var msg109 = msg("IF_DOWN_INITIALIZING:01", dup95); - - var select18 = linear_select([ - msg108, - msg109, - ]); - - var part88 = match("MESSAGE#109:IF_DOWN_NONE", "nwparser.payload", "Interface %{interface->} is down (%{result})", processor_chain([ - dup23, - dup34, - dup35, - dup14, - dup2, - dup3, - dup4, - ])); - - var msg110 = msg("IF_DOWN_NONE", part88); - - var msg111 = msg("IF_DOWN_NONE:01", dup96); - - var select19 = linear_select([ - msg110, - msg111, - ]); - - var msg112 = msg("IF_DOWN_NOS_RCVD", dup88); - - var msg113 = msg("IF_DOWN_NOS_RCVD:01", dup89); - - var select20 = linear_select([ - msg112, - msg113, - ]); - - var msg114 = msg("IF_DOWN_OFFLINE", dup88); - - var msg115 = msg("IF_DOWN_OLS_RCVD", dup88); - - var part89 = match("MESSAGE#115:IF_DOWN_SOFTWARE_FAILURE", "nwparser.payload", "Interface %{interface->} is down (%{result})", processor_chain([ - dup31, - dup2, - dup3, - dup4, - ])); - - var msg116 = msg("IF_DOWN_SOFTWARE_FAILURE", part89); - - var msg117 = msg("IF_DOWN_SRC_PORT_NOT_BOUND", dup90); - - var part90 = match("MESSAGE#117:IF_TRUNK_DOWN", "nwparser.payload", "Interface %{interface}, vsan %{fld20->} is down (%{info})", processor_chain([ - dup23, - dup2, - dup3, - dup4, - ])); - - var msg118 = msg("IF_TRUNK_DOWN", part90); - - var part91 = match("MESSAGE#118:IF_TRUNK_DOWN:01", "nwparser.payload", "Interface %{interface}, vlan %{vlan->} down", processor_chain([ - dup23, - dup2, - dup3, - dup4, 
- ])); - - var msg119 = msg("IF_TRUNK_DOWN:01", part91); - - var part92 = match("MESSAGE#119:IF_TRUNK_DOWN:02", "nwparser.payload", "%{fld43->} Interface %{interface}, vsan %{vlan->} is down %{info}", processor_chain([ - dup23, - dup2, - dup3, - dup4, - ])); - - var msg120 = msg("IF_TRUNK_DOWN:02", part92); - - var select21 = linear_select([ - msg118, - msg119, - msg120, - ]); - - var part93 = match("MESSAGE#120:IF_TRUNK_UP", "nwparser.payload", "Interface %{interface}, vsan %{fld20->} is up", processor_chain([ - dup15, - dup2, - dup3, - dup4, - ])); - - var msg121 = msg("IF_TRUNK_UP", part93); - - var part94 = match("MESSAGE#121:IF_TRUNK_UP:01", "nwparser.payload", "Interface %{interface}, vlan %{vlan->} up", processor_chain([ - dup23, - dup2, - dup3, - dup4, - ])); - - var msg122 = msg("IF_TRUNK_UP:01", part94); - - var part95 = match("MESSAGE#122:IF_TRUNK_UP:02", "nwparser.payload", "%{fld43->} Interface %{interface}, vsan %{vlan->} is up %{info}", processor_chain([ - dup23, - dup2, - dup3, - dup4, - ])); - - var msg123 = msg("IF_TRUNK_UP:02", part95); - - var select22 = linear_select([ - msg121, - msg122, - msg123, - ]); - - var msg124 = msg("PORT_PROFILE_CHANGE_VERIFY_REQ_FAILURE", dup97); - - var part96 = match("MESSAGE#124:IF_PORTPROFILE_ATTACHED", "nwparser.payload", "Interface %{interface->} is inheriting port-profile %{fld20}", processor_chain([ - dup15, - dup2, - dup3, - dup4, - ])); - - var msg125 = msg("IF_PORTPROFILE_ATTACHED", part96); - - var msg126 = msg("STANDBY_SUP_OK", dup87); - - var part97 = match("MESSAGE#126:STM_LOOP_DETECT", "nwparser.payload", "Loops detected in the network among ports %{portname->} and %{info->} vlan %{vlan->} - %{result}", processor_chain([ - dup15, - dup2, - dup3, - dup4, - setc("event_description","Loops detected in the network among ports"), - ])); - - var msg127 = msg("STM_LOOP_DETECT", part97); - - var part98 = match("MESSAGE#127:SYNC_COMPLETE", "nwparser.payload", "Sync completed.%{}", processor_chain([ - dup15, - 
dup2, - dup3, - dup4, - ])); - - var msg128 = msg("SYNC_COMPLETE", part98); - - var msg129 = msg("PVLAN_PPM_PORT_CONFIG_FAILED", dup97); - - var msg130 = msg("MESG", dup87); - - var part99 = match("MESSAGE#130:ERR_MSG", "nwparser.payload", "ERROR:%{result}", processor_chain([ - dup33, - dup2, - dup3, - dup4, - ])); - - var msg131 = msg("ERR_MSG", part99); - - var msg132 = msg("RM_VICPP_RECREATE_ERROR", dup97); - - var part100 = match("MESSAGE#132:CFGWRITE_ABORTED_LOCK", "nwparser.payload", "Unable to lock the configuration (error-id %{resultcode}). Aborting configuration copy.", processor_chain([ - dup15, - dup2, - dup3, - dup4, - ])); - - var msg133 = msg("CFGWRITE_ABORTED_LOCK", part100); - - var part101 = match("MESSAGE#133:CFGWRITE_FAILED", "nwparser.payload", "Configuration copy failed (error-id %{resultcode}).", processor_chain([ - dup15, - dup2, - dup3, - dup4, - ])); - - var msg134 = msg("CFGWRITE_FAILED", part101); - - var msg135 = msg("CFGWRITE_ABORTED", dup87); - - var msg136 = msg("CFGWRITE_DONE", dup87); - - var part102 = match("MESSAGE#136:CFGWRITE_STARTED/0_0", "nwparser.payload", "%{event_description->} (PID %{process_id})."); - - var select23 = linear_select([ - part102, - dup21, - ]); - - var all10 = all_match({ - processors: [ - select23, - ], - on_success: processor_chain([ - dup15, - dup2, - dup3, - dup4, - ]), - }); - - var msg137 = msg("CFGWRITE_STARTED", all10); - - var msg138 = msg("IF_ATTACHED", dup87); - - var msg139 = msg("IF_DELETE_AUTO", dup94); - - var part103 = match("MESSAGE#139:IF_DETACHED", "nwparser.payload", "Interface %{interface->} is detached", processor_chain([ - dup24, - dup2, - dup3, - dup4, - ])); - - var msg140 = msg("IF_DETACHED", part103); - - var msg141 = msg("IF_DETACHED_MODULE_REMOVED", dup94); - - var msg142 = msg("IF_DOWN_INACTIVE", dup88); - - var msg143 = msg("IF_DOWN_NON_PARTICIPATING", dup88); - - var part104 = match("MESSAGE#143:IF_DOWN_VEM_UNLICENSED", "nwparser.payload", "Interface %{interface->} is down", 
processor_chain([ - dup23, - dup2, - dup3, - dup4, - ])); - - var msg144 = msg("IF_DOWN_VEM_UNLICENSED", part104); - - var part105 = match("MESSAGE#144:CONN_CONNECT", "nwparser.payload", "Connection %{hostname->} connected to the vCenter Server.", processor_chain([ - dup36, - dup2, - dup3, - dup4, - ])); - - var msg145 = msg("CONN_CONNECT", part105); - - var part106 = match("MESSAGE#145:CONN_DISCONNECT", "nwparser.payload", "Connection %{hostname->} disconnected from the vCenter Server.", processor_chain([ - setc("eventcategory","1801030000"), - dup2, - dup3, - dup4, - ])); - - var msg146 = msg("CONN_DISCONNECT", part106); - - var part107 = match("MESSAGE#146:DVPG_CREATE", "nwparser.payload", "created port-group %{info->} on the vCenter Server.", processor_chain([ - dup29, - dup2, - dup3, - dup4, - ])); - - var msg147 = msg("DVPG_CREATE", part107); - - var part108 = match("MESSAGE#147:DVPG_DELETE", "nwparser.payload", "deleted port-group %{info->} from the vCenter Server.", processor_chain([ - dup24, - dup2, - dup3, - dup4, - ])); - - var msg148 = msg("DVPG_DELETE", part108); - - var msg149 = msg("DVS_HOSTMEMBER_INFO", dup87); - - var part109 = match("MESSAGE#149:DVS_NAME_CHANGE", "nwparser.payload", "Changed dvswitch name to %{info->} on the vCenter Server.", processor_chain([ - dup15, - dup2, - dup3, - dup4, - ])); - - var msg150 = msg("DVS_NAME_CHANGE", part109); - - var msg151 = msg("VMS_PPM_SYNC_COMPLETE", dup87); - - var part110 = match("MESSAGE#151:VPC_DELETED", "nwparser.payload", "vPC %{obj_name->} is deleted", processor_chain([ - dup15, - dup2, - dup3, - dup4, - ])); - - var msg152 = msg("VPC_DELETED", part110); - - var part111 = match("MESSAGE#152:VPC_UP", "nwparser.payload", "vPC %{obj_name->} is up", processor_chain([ - dup8, - dup2, - dup3, - dup4, - setc("event_description","VPC is up"), - ])); - - var msg153 = msg("VPC_UP", part111); - - var part112 = match("MESSAGE#153:VSHD_SYSLOG_CONFIG_I/0", "nwparser.payload", "Configured from vty by 
%{username->} on %{p0}"); - - var part113 = match("MESSAGE#153:VSHD_SYSLOG_CONFIG_I/1_0", "nwparser.p0", "%{saddr}@%{terminal}"); - - var part114 = match_copy("MESSAGE#153:VSHD_SYSLOG_CONFIG_I/1_1", "nwparser.p0", "saddr"); - - var select24 = linear_select([ - part113, - part114, - ]); - - var all11 = all_match({ - processors: [ - part112, - select24, - ], - on_success: processor_chain([ - dup15, - dup2, - dup3, - dup4, - ]), - }); - - var msg154 = msg("VSHD_SYSLOG_CONFIG_I", all11); - - var part115 = match("MESSAGE#154:VSHD_SYSLOG_CONFIG_I:01", "nwparser.payload", "Configuring console from %{fld43->} %{saddr}", processor_chain([ - dup15, - dup2, - dup3, - dup4, - ])); - - var msg155 = msg("VSHD_SYSLOG_CONFIG_I:01", part115); - - var select25 = linear_select([ - msg154, - msg155, - ]); - - var part116 = match("MESSAGE#155:AAA_ACCOUNTING_MESSAGE:18", "nwparser.payload", "update:%{saddr}@%{terminal}:%{username}:%{event_description}; feature %{protocol->} (%{result})", processor_chain([ - dup23, - dup2, - dup3, - dup4, - ])); - - var msg156 = msg("AAA_ACCOUNTING_MESSAGE:18", part116); - - var part117 = match("MESSAGE#156:AAA_ACCOUNTING_MESSAGE:17", "nwparser.payload", "update:%{saddr}@%{terminal}:%{username}:enabled telnet", processor_chain([ - dup22, - dup37, - dup38, - dup17, - dup2, - dup3, - dup4, - dup39, - dup40, - ])); - - var msg157 = msg("AAA_ACCOUNTING_MESSAGE:17", part117); - - var part118 = match("MESSAGE#157:AAA_ACCOUNTING_MESSAGE", "nwparser.payload", "start:%{saddr}@%{application}:%{username}", processor_chain([ - dup15, - dup2, - dup3, - dup4, - setc("event_description","program start"), - ])); - - var msg158 = msg("AAA_ACCOUNTING_MESSAGE", part118); - - var part119 = match("MESSAGE#158:AAA_ACCOUNTING_MESSAGE:08", "nwparser.payload", "start:snmp_%{fld43}_%{saddr}:%{username}:", processor_chain([ - dup15, - dup2, - dup3, - dup4, - ])); - - var msg159 = msg("AAA_ACCOUNTING_MESSAGE:08", part119); - - var part120 = 
match("MESSAGE#159:AAA_ACCOUNTING_MESSAGE:03", "nwparser.payload", "start:%{saddr}(%{terminal}):%{username}:", processor_chain([ - dup15, - dup2, - dup3, - dup4, - ])); - - var msg160 = msg("AAA_ACCOUNTING_MESSAGE:03", part120); - - var part121 = match("MESSAGE#160:AAA_ACCOUNTING_MESSAGE:19", "nwparser.payload", "start:%{fld40}:%{username}:", processor_chain([ - dup15, - dup2, - dup3, - dup4, - ])); - - var msg161 = msg("AAA_ACCOUNTING_MESSAGE:19", part121); - - var part122 = match("MESSAGE#161:AAA_ACCOUNTING_MESSAGE:22", "nwparser.payload", "update:::added user %{username}", processor_chain([ - dup19, - dup2, - dup3, - dup4, - ])); - - var msg162 = msg("AAA_ACCOUNTING_MESSAGE:22", part122); - - var part123 = match("MESSAGE#162:AAA_ACCOUNTING_MESSAGE:23", "nwparser.payload", "update:::%{event_description}", processor_chain([ - dup15, - dup2, - dup3, - dup4, - ])); - - var msg163 = msg("AAA_ACCOUNTING_MESSAGE:23", part123); - - var part124 = match("MESSAGE#163:AAA_ACCOUNTING_MESSAGE:11", "nwparser.payload", "update:snmp_%{fld43}_%{saddr}:%{username}:target (name:%{dhost->} address:%{daddr}:%{dport}) deleted", processor_chain([ - dup15, - dup2, - dup3, - dup4, - ])); - - var msg164 = msg("AAA_ACCOUNTING_MESSAGE:11", part124); - - var part125 = match("MESSAGE#164:AAA_ACCOUNTING_MESSAGE:12", "nwparser.payload", "update:snmp_%{fld43}_%{saddr}:%{username}:target (name:%{dhost->} address:%{daddr}:%{dport->} timeout:%{fld44->} retry:%{fld45->} tagList:trap params:%{fld46}) added", processor_chain([ - dup15, - dup2, - dup3, - dup4, - ])); - - var msg165 = msg("AAA_ACCOUNTING_MESSAGE:12", part125); - - var part126 = match("MESSAGE#165:AAA_ACCOUNTING_MESSAGE:13", "nwparser.payload", "update:snmp_%{fld43}_%{saddr}:%{username}:Interface %{interface->} state updated to up", processor_chain([ - dup15, - dup2, - dup3, - dup4, - ])); - - var msg166 = msg("AAA_ACCOUNTING_MESSAGE:13", part126); - - var part127 = match("MESSAGE#166:AAA_ACCOUNTING_MESSAGE:14", "nwparser.payload", 
"update:snmp_%{fld43}_%{saddr}:%{username}:Interface %{interface->} state updated to down", processor_chain([ - dup15, - dup2, - dup3, - dup4, - ])); - - var msg167 = msg("AAA_ACCOUNTING_MESSAGE:14", part127); - - var part128 = match("MESSAGE#167:AAA_ACCOUNTING_MESSAGE:15", "nwparser.payload", "update:snmp_%{fld43}_%{saddr}:%{username}:Performing configuration copy.", processor_chain([ - dup15, - dup2, - dup3, - dup4, - ])); - - var msg168 = msg("AAA_ACCOUNTING_MESSAGE:15", part128); - - var part129 = match("MESSAGE#168:AAA_ACCOUNTING_MESSAGE:16", "nwparser.payload", "update:%{saddr}@%{application}:%{username}:terminal length %{dclass_counter1->} (%{result})", processor_chain([ - dup15, - dup2, - dup3, - dup4, - dup41, - ])); - - var msg169 = msg("AAA_ACCOUNTING_MESSAGE:16", part129); - - var part130 = match("MESSAGE#169:AAA_ACCOUNTING_MESSAGE:04", "nwparser.payload", "update:%{saddr}(%{fld3}):%{username}:terminal length %{fld5}:%{result}", processor_chain([ - dup15, - dup2, - dup3, - dup4, - ])); - - var msg170 = msg("AAA_ACCOUNTING_MESSAGE:04", part130); - - var part131 = match("MESSAGE#170:AAA_ACCOUNTING_MESSAGE:01", "nwparser.payload", "update:%{saddr}@%{terminal}:%{application}:terminal width %{dclass_counter1->} (%{result})", processor_chain([ - dup15, - dup2, - dup3, - dup4, - dup41, - ])); - - var msg171 = msg("AAA_ACCOUNTING_MESSAGE:01", part131); - - var part132 = match("MESSAGE#171:AAA_ACCOUNTING_MESSAGE:27/1_0", "nwparser.p0", "configure terminal ; ntp source-interface %{sinterface->} (%{p0}"); - - var part133 = match("MESSAGE#171:AAA_ACCOUNTING_MESSAGE:27/1_1", "nwparser.p0", "show ntp statistics peer ipaddr %{hostip->} (%{p0}"); - - var select26 = linear_select([ - part132, - part133, - ]); - - var all12 = all_match({ - processors: [ - dup42, - select26, - dup43, - ], - on_success: processor_chain([ - dup15, - dup2, - dup3, - dup4, - dup44, - ]), - }); - - var msg172 = msg("AAA_ACCOUNTING_MESSAGE:27", all12); - - var part134 = 
match("MESSAGE#172:AAA_ACCOUNTING_MESSAGE:28/1_0", "nwparser.p0", "clock set %{event_time_string->} (%{p0}"); - - var part135 = match("MESSAGE#172:AAA_ACCOUNTING_MESSAGE:28/1_1", "nwparser.p0", "show logging last %{fld1->} (%{p0}"); - - var select27 = linear_select([ - part134, - part135, - ]); - - var all13 = all_match({ - processors: [ - dup42, - select27, - dup43, - ], - on_success: processor_chain([ - dup15, - dup2, - dup3, - dup4, - dup44, - ]), - }); - - var msg173 = msg("AAA_ACCOUNTING_MESSAGE:28", all13); - - var part136 = match("MESSAGE#173:AAA_ACCOUNTING_MESSAGE:20", "nwparser.payload", "update:%{saddr}@%{terminal}:%{username}:%{info->} (%{result})", processor_chain([ - dup15, - dup2, - dup3, - dup4, - ])); - - var msg174 = msg("AAA_ACCOUNTING_MESSAGE:20", part136); - - var part137 = match("MESSAGE#174:AAA_ACCOUNTING_MESSAGE:30", "nwparser.payload", "update:%{saddr}@%{terminal}:%{username}:added user %{c_username}", processor_chain([ - dup18, - dup2, - dup3, - dup4, - dup11, - dup17, - setc("event_description","Added user"), - dup44, - ])); - - var msg175 = msg("AAA_ACCOUNTING_MESSAGE:30", part137); - - var part138 = match("MESSAGE#175:AAA_ACCOUNTING_MESSAGE:29", "nwparser.payload", "update:%{saddr}@%{terminal}:%{username}:deleted user %{c_username}", processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup11, - dup17, - setc("event_description","Deleted user"), - dup44, - ])); - - var msg176 = msg("AAA_ACCOUNTING_MESSAGE:29", part138); - - var part139 = match("MESSAGE#176:AAA_ACCOUNTING_MESSAGE:21", "nwparser.payload", "update:%{saddr}@%{terminal}:%{username}:%{info}", processor_chain([ - dup15, - dup2, - dup3, - dup4, - ])); - - var msg177 = msg("AAA_ACCOUNTING_MESSAGE:21", part139); - - var part140 = match("MESSAGE#177:AAA_ACCOUNTING_MESSAGE:07", "nwparser.payload", "update:%{saddr}(%{fld3}):%{username}:terminal width %{dclass_counter1}:%{result}", processor_chain([ - dup15, - dup2, - dup3, - dup4, - ])); - - var msg178 = 
msg("AAA_ACCOUNTING_MESSAGE:07", part140); - - var part141 = match("MESSAGE#178:AAA_ACCOUNTING_MESSAGE:05", "nwparser.payload", "update:%{saddr}(%{fld3}):%{username}:terminal session-timeout %{fld5}:%{result}", processor_chain([ - dup15, - dup2, - dup3, - dup4, - ])); - - var msg179 = msg("AAA_ACCOUNTING_MESSAGE:05", part141); - - var part142 = match("MESSAGE#179:AAA_ACCOUNTING_MESSAGE:10", "nwparser.payload", "update:%{saddr}(%{fld3}):%{username}:copy %{event_description}", processor_chain([ - dup15, - dup2, - dup3, - dup4, - ])); - - var msg180 = msg("AAA_ACCOUNTING_MESSAGE:10", part142); - - var part143 = match("MESSAGE#180:AAA_ACCOUNTING_MESSAGE:24", "nwparser.payload", "update:%{terminal}:%{username}: %{event_description}", processor_chain([ - dup15, - dup2, - dup3, - dup4, - ])); - - var msg181 = msg("AAA_ACCOUNTING_MESSAGE:24", part143); - - var part144 = match("MESSAGE#181:AAA_ACCOUNTING_MESSAGE:06", "nwparser.payload", "stop:%{saddr}(%{fld3}):%{username}:shell terminated", processor_chain([ - dup15, - dup2, - dup3, - dup4, - ])); - - var msg182 = msg("AAA_ACCOUNTING_MESSAGE:06", part144); - - var part145 = match("MESSAGE#182:AAA_ACCOUNTING_MESSAGE:02", "nwparser.payload", "stop:%{saddr}@%{terminal}:%{username}:shell %{result}", processor_chain([ - dup15, - dup2, - dup3, - dup4, - setc("event_description","shell terminated"), - ])); - - var msg183 = msg("AAA_ACCOUNTING_MESSAGE:02", part145); - - var part146 = match("MESSAGE#183:AAA_ACCOUNTING_MESSAGE:25", "nwparser.payload", "stop:%{saddr}@%{terminal}:%{username}:%{fld40}", processor_chain([ - dup15, - dup2, - dup3, - dup4, - ])); - - var msg184 = msg("AAA_ACCOUNTING_MESSAGE:25", part146); - - var part147 = match("MESSAGE#184:AAA_ACCOUNTING_MESSAGE:09", "nwparser.payload", "stop:snmp_%{fld43}_%{saddr}:%{username}:", processor_chain([ - dup15, - dup2, - dup3, - dup4, - ])); - - var msg185 = msg("AAA_ACCOUNTING_MESSAGE:09", part147); - - var part148 = match("MESSAGE#185:AAA_ACCOUNTING_MESSAGE:26", 
"nwparser.payload", "stop:%{terminal}:%{username}:", processor_chain([ - dup15, - dup2, - dup3, - dup4, - ])); - - var msg186 = msg("AAA_ACCOUNTING_MESSAGE:26", part148); - - var select28 = linear_select([ - msg156, - msg157, - msg158, - msg159, - msg160, - msg161, - msg162, - msg163, - msg164, - msg165, - msg166, - msg167, - msg168, - msg169, - msg170, - msg171, - msg172, - msg173, - msg174, - msg175, - msg176, - msg177, - msg178, - msg179, - msg180, - msg181, - msg182, - msg183, - msg184, - msg185, - msg186, - ]); - - var all14 = all_match({ - processors: [ - dup45, - dup98, - dup48, - dup99, - dup51, - dup98, - dup52, - dup99, - dup53, - dup100, - dup56, - dup101, - dup59, - ], - on_success: processor_chain([ - dup15, - dup2, - dup3, - dup4, - setc("event_description","ACL Log Flow Interval"), - dup60, - ]), - }); - - var msg187 = msg("ACLLOG_FLOW_INTERVAL", all14); - - var part149 = match("MESSAGE#187:ACLLOG_MAXFLOW_REACHED", "nwparser.payload", "Maximum limit %{fld3->} reached for number of flows", processor_chain([ - dup15, - dup2, - dup3, - dup4, - ])); - - var msg188 = msg("ACLLOG_MAXFLOW_REACHED", part149); - - var all15 = all_match({ - processors: [ - dup45, - dup98, - dup48, - dup99, - dup51, - dup98, - dup52, - dup99, - dup53, - dup100, - dup56, - dup101, - dup59, - ], - on_success: processor_chain([ - dup15, - dup2, - dup3, - dup4, - setc("event_description","ACL Lof New Flow"), - dup60, - ]), - }); - - var msg189 = msg("ACLLOG_NEW_FLOW", all15); - - var part150 = match("MESSAGE#189:DUP_VADDR_SRC_IP", "nwparser.payload", "%{process->} [%{process_id}] Source address of packet received from %{smacaddr->} on %{vlan}(%{interface}) is duplicate of local virtual ip, %{saddr}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - setc("event_description","Source address of packet received on vlan is duplicate of local virtual ip"), - ])); - - var msg190 = msg("DUP_VADDR_SRC_IP", part150); - - var part151 = match("MESSAGE#190:IF_ERROR_VLANS_REMOVED", 
"nwparser.payload", "VLANs %{vlan->} on Interface %{sinterface->} are removed from suspended state.", processor_chain([ - dup15, - dup2, - dup3, - dup4, - ])); - - var msg191 = msg("IF_ERROR_VLANS_REMOVED", part151); - - var part152 = match("MESSAGE#191:IF_ERROR_VLANS_SUSPENDED", "nwparser.payload", "VLANs %{vlan->} on Interface %{sinterface->} are being suspended. (Reason: %{info})", processor_chain([ - dup15, - dup2, - dup3, - dup4, - ])); - - var msg192 = msg("IF_ERROR_VLANS_SUSPENDED", part152); - - var part153 = match("MESSAGE#192:IF_DOWN_CFG_CHANGE", "nwparser.payload", "Interface %{sinterface->} is down(%{result})", processor_chain([ - dup15, - dup2, - dup3, - dup4, - ])); - - var msg193 = msg("IF_DOWN_CFG_CHANGE", part153); - - var part154 = match("MESSAGE#193:PFM_CLOCK_CHANGE", "nwparser.payload", "Clock setting has been changed on the system. Please be aware that clock changes will force a recheckout of all existing VEM licenses. During this recheckout procedure, licensed VEMs which are offline will lose their licenses.%{}", processor_chain([ - dup15, - dup2, - dup3, - dup4, - ])); - - var msg194 = msg("PFM_CLOCK_CHANGE", part154); - - var part155 = match("MESSAGE#194:SYNC_FAILURE_STANDBY_RESET", "nwparser.payload", "Failure in syncing messages to standby for vdc %{fld3->} causing standby to reset.", processor_chain([ - dup15, - dup2, - dup3, - dup4, - ])); - - var msg195 = msg("SYNC_FAILURE_STANDBY_RESET", part155); - - var part156 = match("MESSAGE#195:snmpd", "nwparser.payload", "snmp_pss_snapshot : Copying local engine DB PSS file to url%{}", processor_chain([ - dup15, - dup2, - dup3, - dup4, - ])); - - var msg196 = msg("snmpd", part156); - - var part157 = match("MESSAGE#196:snmpd:01", "nwparser.payload", "SNMPD_SYSLOG_CONFIG_I: Configuration update from %{fld43}_%{saddr->} %{info}", processor_chain([ - dup15, - dup2, - dup3, - dup4, - ])); - - var msg197 = msg("snmpd:01", part157); - - var select29 = linear_select([ - msg196, - msg197, - ]); - - var 
part158 = match("MESSAGE#197:CFGWRITE_USER_ABORT", "nwparser.payload", "Configuration copy aborted by the user.%{}", processor_chain([ - dup15, - dup2, - dup3, - dup4, - ])); - - var msg198 = msg("CFGWRITE_USER_ABORT", part158); - - var msg199 = msg("IF_DOWN_BIT_ERR_RT_THRES_EXCEEDED", dup95); - - var part159 = match("MESSAGE#199:last", "nwparser.payload", "message repeated %{dclass_counter1->} time", processor_chain([ - dup15, - dup2, - dup3, - dup4, - setc("event_description","last message repeated number of times."), - setc("dclass_counter1_string","Number of times repeated"), - ])); - - var msg200 = msg("last", part159); - - var part160 = match("MESSAGE#200:SERVICE_CRASHED", "nwparser.payload", "Service %{service->} (PID %{parent_pid}) hasn't caught signal %{fld43->} (%{result}).", processor_chain([ - dup32, - dup2, - dup3, - dup4, - ])); - - var msg201 = msg("SERVICE_CRASHED", part160); - - var part161 = match("MESSAGE#201:SERVICELOST", "nwparser.payload", "Service %{service->} lost on WCCP Client %{saddr}", processor_chain([ - dup61, - dup2, - dup3, - dup4, - setc("event_description","Service lost on WCCP Client"), - ])); - - var msg202 = msg("SERVICELOST", part161); - - var part162 = match("MESSAGE#202:IF_BRINGUP_ALLOWED_FCOT_CHECKSUM_ERR", "nwparser.payload", "Interface %{interface->} is allowed to come up even with SFP checksum error", processor_chain([ - dup23, - dup2, - dup3, - dup4, - ])); - - var msg203 = msg("IF_BRINGUP_ALLOWED_FCOT_CHECKSUM_ERR", part162); - - var part163 = match("MESSAGE#203:PS_FAIL/0", "nwparser.payload", "Power supply %{fld43->} failed or shut%{p0}"); - - var part164 = match("MESSAGE#203:PS_FAIL/1_0", "nwparser.p0", " down %{p0}"); - - var part165 = match("MESSAGE#203:PS_FAIL/1_1", "nwparser.p0", "down %{p0}"); - - var select30 = linear_select([ - part164, - part165, - ]); - - var part166 = match("MESSAGE#203:PS_FAIL/2", "nwparser.p0", "(Serial number %{serial_number})"); - - var all16 = all_match({ - processors: [ - part163, - 
select30, - part166, - ], - on_success: processor_chain([ - dup23, - dup2, - dup3, - dup4, - ]), - }); - - var msg204 = msg("PS_FAIL", all16); - - var msg205 = msg("INFORMATION", dup87); - - var msg206 = msg("EVENT", dup87); - - var part167 = match("MESSAGE#206:NATIVE_VLAN_MISMATCH", "nwparser.payload", "Native VLAN mismatch discovered on %{interface}, with %{fld23}", processor_chain([ - dup23, - dup2, - dup3, - dup4, - ])); - - var msg207 = msg("NATIVE_VLAN_MISMATCH", part167); - - var part168 = match("MESSAGE#207:NEIGHBOR_ADDED", "nwparser.payload", "Device %{fld22->} discovered of type %{fld23->} with port %{fld24->} on incoming port %{interface->} with ip addr %{fld25->} and mgmt ip %{hostip}", processor_chain([ - dup29, - dup2, - dup3, - dup4, - ])); - - var msg208 = msg("NEIGHBOR_ADDED", part168); - - var part169 = match("MESSAGE#208:NEIGHBOR_REMOVED", "nwparser.payload", "CDP Neighbor %{fld22->} on port %{interface->} has been removed", processor_chain([ - dup24, - dup2, - dup3, - dup4, - ])); - - var msg209 = msg("NEIGHBOR_REMOVED", part169); - - var part170 = match("MESSAGE#209:IF_BANDWIDTH_CHANGE", "nwparser.payload", "Interface %{interface},%{event_description}", processor_chain([ - dup15, - dup2, - dup3, - dup4, - ])); - - var msg210 = msg("IF_BANDWIDTH_CHANGE", part170); - - var part171 = match("MESSAGE#210:IF_DOWN_PARENT_ADMIN_DOWN", "nwparser.payload", "Interface %{interface->} is down (Parent interface down)", processor_chain([ - dup23, - dup2, - dup3, - dup4, - ])); - - var msg211 = msg("IF_DOWN_PARENT_ADMIN_DOWN", part171); - - var part172 = match("MESSAGE#211:PORT_INDIVIDUAL_DOWN", "nwparser.payload", "individual port %{interface->} is down", processor_chain([ - dup23, - dup2, - dup3, - dup4, - ])); - - var msg212 = msg("PORT_INDIVIDUAL_DOWN", part172); - - var part173 = match("MESSAGE#212:PORT_SUSPENDED", "nwparser.payload", "%{fld22}: %{interface->} is suspended", processor_chain([ - dup23, - dup2, - dup3, - dup4, - ])); - - var msg213 = 
msg("PORT_SUSPENDED", part173); - - var part174 = match("MESSAGE#213:FEX_PORT_STATUS_NOTI", "nwparser.payload", "Uplink-ID %{fld22->} of Fex %{fld23->} that is connected with %{interface->} changed its status from %{change_old->} to %{change_new}", processor_chain([ - dup15, - dup2, - dup3, - dup4, - setc("change_attribute","status"), - ])); - - var msg214 = msg("FEX_PORT_STATUS_NOTI", part174); - - var msg215 = msg("NOHMS_DIAG_ERR_PS_FAIL", dup102); - - var msg216 = msg("NOHMS_DIAG_ERR_PS_RECOVERED", dup87); - - var msg217 = msg("ADJCHANGE", dup87); - - var part175 = match("MESSAGE#217:PORT_ADDED", "nwparser.payload", "Interface %{interface}, added to VLAN%{vlan->} with role %{fld22}, state %{disposition}, %{info}", processor_chain([ - dup29, - dup2, - dup3, - dup4, - ])); - - var msg218 = msg("PORT_ADDED", part175); - - var part176 = match("MESSAGE#218:PORT_DELETED", "nwparser.payload", "Interface %{interface}, removed from VLAN%{vlan}", processor_chain([ - dup24, - dup2, - dup3, - dup4, - ])); - - var msg219 = msg("PORT_DELETED", part176); - - var part177 = match("MESSAGE#219:PORT_ROLE", "nwparser.payload", "Port %{interface->} instance VLAN%{vlan->} role changed to %{fld22}", processor_chain([ - dup62, - dup2, - dup3, - dup4, - ])); - - var msg220 = msg("PORT_ROLE", part177); - - var part178 = match("MESSAGE#220:PORT_STATE", "nwparser.payload", "Port %{interface->} instance VLAN%{vlan->} moving from %{change_old->} to %{change_new}", processor_chain([ - dup15, - dup2, - dup3, - dup4, - setc("change_attribute","Port state"), - ])); - - var msg221 = msg("PORT_STATE", part178); - - var part179 = match("MESSAGE#221:TACACS_ACCOUNTING_MESSAGE", "nwparser.payload", "update: %{saddr}@%{terminal}: %{username}: %{event_description}; feature %{protocol->} (%{result}) %{info}", processor_chain([ - dup23, - dup2, - dup3, - dup4, - ])); - - var msg222 = msg("TACACS_ACCOUNTING_MESSAGE", part179); - - var part180 = match("MESSAGE#222:TACACS_ACCOUNTING_MESSAGE:01", 
"nwparser.payload", "update:%{saddr}@%{terminal}:%{username}: enabled telnet", processor_chain([ - dup22, - dup37, - dup38, - dup17, - dup2, - dup3, - dup4, - dup39, - dup40, - ])); - - var msg223 = msg("TACACS_ACCOUNTING_MESSAGE:01", part180); - - var part181 = match("MESSAGE#368:TACACS_ACCOUNTING_MESSAGE:04", "nwparser.payload", "%{action}: %{saddr}@%{terminal}: %{username}: configure terminal ; ntp source-interface %{sinterface->} (%{result})%{info}", processor_chain([ - dup63, - dup2, - dup4, - ])); - - var msg224 = msg("TACACS_ACCOUNTING_MESSAGE:04", part181); - - var part182 = match("MESSAGE#369:TACACS_ACCOUNTING_MESSAGE:05/0", "nwparser.payload", "%{action}: %{saddr}@%{terminal}: %{username}: show %{p0}"); - - var part183 = match("MESSAGE#369:TACACS_ACCOUNTING_MESSAGE:05/1_0", "nwparser.p0", "ntp statistics peer ipaddr %{hostip->} (%{p0}"); - - var part184 = match("MESSAGE#369:TACACS_ACCOUNTING_MESSAGE:05/1_1", "nwparser.p0", "logging last %{fld3->} (%{p0}"); - - var select31 = linear_select([ - part183, - part184, - ]); - - var part185 = match("MESSAGE#369:TACACS_ACCOUNTING_MESSAGE:05/2", "nwparser.p0", "%{result})%{info}"); - - var all17 = all_match({ - processors: [ - part182, - select31, - part185, - ], - on_success: processor_chain([ - dup63, - dup2, - dup4, - ]), - }); - - var msg225 = msg("TACACS_ACCOUNTING_MESSAGE:05", all17); - - var part186 = match("MESSAGE#370:TACACS_ACCOUNTING_MESSAGE:06", "nwparser.payload", "%{action}: %{saddr}@%{terminal}: %{username}: clock set %{event_time_string->} (%{result})%{info}", processor_chain([ - dup63, - dup2, - dup4, - ])); - - var msg226 = msg("TACACS_ACCOUNTING_MESSAGE:06", part186); - - var part187 = match("MESSAGE#371:TACACS_ACCOUNTING_MESSAGE:08", "nwparser.payload", "%{action}: %{saddr}@%{terminal}: %{username}: Performing configuration copy. 
%{info}", processor_chain([ - dup63, - dup2, - dup4, - setc("event_description","Performing configuration copy"), - ])); - - var msg227 = msg("TACACS_ACCOUNTING_MESSAGE:08", part187); - - var part188 = match("MESSAGE#372:TACACS_ACCOUNTING_MESSAGE:09/2", "nwparser.p0", "%{username}: shell terminated because of session timeout %{p0}"); - - var all18 = all_match({ - processors: [ - dup64, - dup103, - part188, - dup104, - ], - on_success: processor_chain([ - dup63, - dup2, - dup4, - setc("event_description","shell terminated because of session timeout"), - ]), - }); - - var msg228 = msg("TACACS_ACCOUNTING_MESSAGE:09", all18); - - var part189 = match("MESSAGE#373:TACACS_ACCOUNTING_MESSAGE:07/2", "nwparser.p0", "%{username}: %{event_description->} %{p0}"); - - var all19 = all_match({ - processors: [ - dup64, - dup103, - part189, - dup104, - ], - on_success: processor_chain([ - dup63, - dup2, - dup4, - ]), - }); - - var msg229 = msg("TACACS_ACCOUNTING_MESSAGE:07", all19); - - var select32 = linear_select([ - msg222, - msg223, - msg224, - msg225, - msg226, - msg227, - msg228, - msg229, - ]); - - var msg230 = msg("TACACS_ERROR_MESSAGE", dup102); - - var msg231 = msg("IF_SFP_WARNING", dup105); - - var msg232 = msg("IF_DOWN_TCP_MAX_RETRANSMIT", dup106); - - var msg233 = msg("FCIP_PEER_CAVIUM", dup87); - - var msg234 = msg("IF_DOWN_PEER_CLOSE", dup106); - - var msg235 = msg("IF_DOWN_PEER_RESET", dup106); - - var part190 = match("MESSAGE#229:INTF_CONSISTENCY_FAILED", "nwparser.payload", "In domain %{domain}, VPC %{obj_name->} configuration is not consistent (%{result})", processor_chain([ - dup15, - dup2, - dup3, - dup4, - setc("event_description","configuration is not consistent in domain"), - ])); - - var msg236 = msg("INTF_CONSISTENCY_FAILED", part190); - - var part191 = match("MESSAGE#230:INTF_CONSISTENCY_SUCCESS", "nwparser.payload", "In domain %{domain}, vPC %{obj_name->} configuration is consistent", processor_chain([ - dup8, - dup2, - dup3, - dup4, - 
setc("event_description","configuration is consistent in domain"), - ])); - - var msg237 = msg("INTF_CONSISTENCY_SUCCESS", part191); - - var msg238 = msg("INTF_COUNTERS_CLEARED", dup105); - - var msg239 = msg("IF_HARDWARE", dup105); - - var part192 = match_copy("MESSAGE#233:HEARTBEAT_FAILURE", "nwparser.payload", "event_description", processor_chain([ - setc("eventcategory","1604010000"), - dup2, - dup3, - dup4, - ])); - - var msg240 = msg("HEARTBEAT_FAILURE", part192); - - var msg241 = msg("SYSMGR_AUTOCOLLECT_TECH_SUPPORT_LOG", dup87); - - var msg242 = msg("PFM_FAN_FLTR_STATUS", dup87); - - var msg243 = msg("MOUNT", dup87); - - var msg244 = msg("LOG_CMP_UP", dup87); - - var part193 = match("MESSAGE#238:IF_XCVR_WARNING/2", "nwparser.p0", "Temperature Warning cleared%{}"); - - var all20 = all_match({ - processors: [ - dup69, - dup107, - part193, - ], - on_success: processor_chain([ - dup15, - dup2, - dup3, - dup4, - ]), - }); - - var msg245 = msg("IF_XCVR_WARNING", all20); - - var msg246 = msg("IF_XCVR_WARNING:01", dup108); - - var select33 = linear_select([ - msg245, - msg246, - ]); - - var part194 = match("MESSAGE#240:IF_XCVR_ALARM/2", "nwparser.p0", "Temperature Alarm cleared%{}"); - - var all21 = all_match({ - processors: [ - dup69, - dup107, - part194, - ], - on_success: processor_chain([ - dup15, - dup2, - dup3, - dup4, - ]), - }); - - var msg247 = msg("IF_XCVR_ALARM", all21); - - var msg248 = msg("IF_XCVR_ALARM:01", dup108); - - var select34 = linear_select([ - msg247, - msg248, - ]); - - var msg249 = msg("MEMORY_ALERT", dup87); - - var msg250 = msg("MEMORY_ALERT_RECOVERED", dup87); - - var part195 = match("MESSAGE#244:IF_SFP_ALARM/2", "nwparser.p0", "Rx Power Alarm cleared%{}"); - - var all22 = all_match({ - processors: [ - dup69, - dup107, - part195, - ], - on_success: processor_chain([ - dup15, - dup2, - dup3, - dup4, - ]), - }); - - var msg251 = msg("IF_SFP_ALARM", all22); - - var msg252 = msg("IF_SFP_ALARM:01", dup108); - - var select35 = linear_select([ 
- msg251, - msg252, - ]); - - var part196 = match_copy("MESSAGE#246:NBRCHANGE_DUAL", "nwparser.payload", "event_description", processor_chain([ - dup61, - dup2, - dup3, - dup4, - ])); - - var msg253 = msg("NBRCHANGE_DUAL", part196); - - var part197 = match("MESSAGE#247:SOHMS_DIAG_ERROR/0", "nwparser.payload", "%{} %{device->} %{p0}"); - - var part198 = match("MESSAGE#247:SOHMS_DIAG_ERROR/1_0", "nwparser.p0", "%{action}: System %{p0}"); - - var part199 = match("MESSAGE#247:SOHMS_DIAG_ERROR/1_1", "nwparser.p0", "System %{p0}"); - - var select36 = linear_select([ - part198, - part199, - ]); - - var part200 = match("MESSAGE#247:SOHMS_DIAG_ERROR/2", "nwparser.p0", "minor alarm on fans in fan tray %{dclass_counter1}"); - - var all23 = all_match({ - processors: [ - part197, - select36, - part200, - ], - on_success: processor_chain([ - dup61, - dup38, - dup72, - dup2, - dup3, - dup4, - setc("event_description","System minor alarm on fans in fan tray"), - ]), - }); - - var msg254 = msg("SOHMS_DIAG_ERROR", all23); - - var part201 = match("MESSAGE#248:SOHMS_DIAG_ERROR:01", "nwparser.payload", "%{device->} System minor alarm on power supply %{fld42}: %{result}", processor_chain([ - dup61, - dup38, - dup72, - dup2, - dup3, - dup4, - setc("event_description","FEX-System minor alarm on power supply."), - ])); - - var msg255 = msg("SOHMS_DIAG_ERROR:01", part201); - - var part202 = match("MESSAGE#249:SOHMS_DIAG_ERROR:02", "nwparser.payload", "%{device}: %{event_description}", processor_chain([ - dup61, - dup38, - dup72, - dup2, - dup3, - dup4, - ])); - - var msg256 = msg("SOHMS_DIAG_ERROR:02", part202); - - var select37 = linear_select([ - msg254, - msg255, - msg256, - ]); - - var part203 = match("MESSAGE#250:M2FIB_MAC_TBL_PRGMING", "nwparser.payload", "Failed to program the mac table on %{device->} for group: %{fld1}, (%{fld2->} (%{fld3}), %{fld4}, %{hostip}). Error: %{result}. 
%{info}", processor_chain([ - dup73, - dup34, - dup38, - dup72, - dup2, - dup3, - dup4, - setc("event_description","Failed to program the mac table"), - ])); - - var msg257 = msg("M2FIB_MAC_TBL_PRGMING", part203); - - var part204 = match("MESSAGE#251:DELETE_STALE_USER_ACCOUNT", "nwparser.payload", "deleting expired user account:%{username}", processor_chain([ - dup19, - dup11, - dup20, - setc("ec_theme","UserGroup"), - dup2, - dup3, - dup4, - setc("event_description","deleting expired user account"), - ])); - - var msg258 = msg("DELETE_STALE_USER_ACCOUNT", part204); - - var part205 = match("MESSAGE#252:IF_ADMIN_UP", "nwparser.payload", "Interface %{interface->} is admin up", processor_chain([ - dup30, - dup34, - dup38, - dup17, - dup2, - dup3, - dup4, - setc("event_description","Interface is admin up."), - ])); - - var msg259 = msg("IF_ADMIN_UP", part205); - - var part206 = match("MESSAGE#253:VPC_CFGD", "nwparser.payload", "vPC %{obj_name->} is configured", processor_chain([ - dup30, - dup34, - dup38, - dup17, - dup2, - dup3, - dup4, - setc("event_description","vPC is configured"), - dup74, - ])); - - var msg260 = msg("VPC_CFGD", part206); - - var part207 = match("MESSAGE#254:MODULE_ONLINE", "nwparser.payload", "System Manager has received notification of %{info}", processor_chain([ - dup30, - dup38, - dup17, - dup2, - dup3, - dup4, - setc("event_description","System Manager has received notification of local module becoming online."), - ])); - - var msg261 = msg("MODULE_ONLINE", part207); - - var part208 = match("MESSAGE#255:BIOS_DAEMON_LC_PRI_BOOT", "nwparser.payload", "System booted from Primary BIOS Flash%{}", processor_chain([ - dup30, - dup75, - dup76, - dup2, - dup3, - dup4, - setc("event_description","System booted from Primary BIOS Flash"), - ])); - - var msg262 = msg("BIOS_DAEMON_LC_PRI_BOOT", part208); - - var part209 = match("MESSAGE#256:PEER_VPC_DOWN", "nwparser.payload", "Peer %{obj_name->} is down ()", processor_chain([ - dup77, - dup34, - dup38, - 
dup72, - dup2, - dup3, - dup4, - setc("event_description","Peer vPC is down"), - dup74, - ])); - - var msg263 = msg("PEER_VPC_DOWN", part209); - - var part210 = match("MESSAGE#257:PEER_KEEP_ALIVE_RECV_INT_LATEST/0", "nwparser.payload", "In domain %{domain}, %{p0}"); - - var part211 = match("MESSAGE#257:PEER_KEEP_ALIVE_RECV_INT_LATEST/1_0", "nwparser.p0", "VPC%{p0}"); - - var part212 = match("MESSAGE#257:PEER_KEEP_ALIVE_RECV_INT_LATEST/1_1", "nwparser.p0", "vPC%{p0}"); - - var select38 = linear_select([ - part211, - part212, - ]); - - var part213 = match("MESSAGE#257:PEER_KEEP_ALIVE_RECV_INT_LATEST/2", "nwparser.p0", "%{}peer%{p0}"); - - var part214 = match("MESSAGE#257:PEER_KEEP_ALIVE_RECV_INT_LATEST/3_0", "nwparser.p0", "-keepalive%{p0}"); - - var part215 = match("MESSAGE#257:PEER_KEEP_ALIVE_RECV_INT_LATEST/3_1", "nwparser.p0", " keep-alive%{p0}"); - - var select39 = linear_select([ - part214, - part215, - ]); - - var part216 = match("MESSAGE#257:PEER_KEEP_ALIVE_RECV_INT_LATEST/4", "nwparser.p0", "%{}received on interface %{interface}"); - - var all24 = all_match({ - processors: [ - part210, - select38, - part213, - select39, - part216, - ], - on_success: processor_chain([ - dup36, - dup2, - dup3, - dup4, - setc("event_description","In domain, VPC peer-keepalive received on interface"), - ]), - }); - - var msg264 = msg("PEER_KEEP_ALIVE_RECV_INT_LATEST", all24); - - var part217 = match("MESSAGE#258:PEER_KEEP_ALIVE_RECV_SUCCESS", "nwparser.payload", "In domain %{domain}, vPC peer keep-alive receive is successful", processor_chain([ - dup36, - dup34, - dup78, - dup35, - dup17, - dup2, - dup3, - dup4, - setc("event_description","In domain, vPC peer keep-alive receive is successful"), - ])); - - var msg265 = msg("PEER_KEEP_ALIVE_RECV_SUCCESS", part217); - - var part218 = match("MESSAGE#259:PEER_KEEP_ALIVE_RECV_FAIL", "nwparser.payload", "In domain %{domain}, VPC peer keep-alive receive has failed", processor_chain([ - dup77, - dup34, - dup78, - dup35, - dup14, - dup2, 
- dup3, - dup4, - setc("event_description","In domain, VPC peer keep-alive receive has failed"), - ])); - - var msg266 = msg("PEER_KEEP_ALIVE_RECV_FAIL", part218); - - var part219 = match("MESSAGE#260:PEER_KEEP_ALIVE_SEND_INT_LATEST", "nwparser.payload", "In domain %{domain}, VPC peer-keepalive sent on interface %{interface}", processor_chain([ - dup36, - dup34, - dup79, - dup35, - dup2, - dup3, - dup4, - setc("event_description","In domain, VPC peer-keepalive sent on interface"), - ])); - - var msg267 = msg("PEER_KEEP_ALIVE_SEND_INT_LATEST", part219); - - var part220 = match("MESSAGE#261:PEER_KEEP_ALIVE_SEND_SUCCESS", "nwparser.payload", "In domain %{domain}, vPC peer keep-alive send is successful", processor_chain([ - dup36, - dup34, - dup79, - dup35, - dup17, - dup2, - dup3, - dup4, - setc("event_description","In domain, vPC peer keep-alive send is successful"), - ])); - - var msg268 = msg("PEER_KEEP_ALIVE_SEND_SUCCESS", part220); - - var part221 = match("MESSAGE#262:PEER_KEEP_ALIVE_STATUS", "nwparser.payload", "In domain %{domain}, peer keep-alive status changed to %{change_new}", processor_chain([ - dup30, - dup34, - dup16, - dup38, - dup2, - dup3, - dup4, - setc("event_description","Peer keep-alive status changed."), - setc("change_attribute","peer keep-alive status"), - ])); - - var msg269 = msg("PEER_KEEP_ALIVE_STATUS", part221); - - var part222 = match("MESSAGE#263:EJECTOR_STAT_CHANGED", "nwparser.payload", "Ejectors' status in slot %{fld47->} has changed, %{info}", processor_chain([ - dup30, - dup16, - dup38, - dup2, - dup3, - dup4, - setc("event_description","Ejectors' status in slot has changed."), - ])); - - var msg270 = msg("EJECTOR_STAT_CHANGED", part222); - - var part223 = match("MESSAGE#264:XBAR_DETECT", "nwparser.payload", "Xbar %{fld41->} detected (Serial number %{fld42})", processor_chain([ - dup29, - setc("ec_activity","Detect"), - dup38, - dup2, - dup3, - dup4, - setc("event_description","Xbar detected"), - ])); - - var msg271 = 
msg("XBAR_DETECT", part223); - - var part224 = match("MESSAGE#265:XBAR_PWRUP", "nwparser.payload", "Xbar %{fld41->} powered up (Serial number %{fld42})", processor_chain([ - dup15, - dup75, - dup76, - dup2, - dup3, - dup4, - setc("event_description","Xbar powered up"), - ])); - - var msg272 = msg("XBAR_PWRUP", part224); - - var part225 = match("MESSAGE#266:XBAR_PWRDN", "nwparser.payload", "Xbar %{fld41->} powered down (Serial number %{fld42})", processor_chain([ - dup15, - dup75, - setc("ec_activity","Stop"), - dup2, - dup3, - dup4, - setc("event_description","Xbar powered down"), - ])); - - var msg273 = msg("XBAR_PWRDN", part225); - - var part226 = match("MESSAGE#267:XBAR_OK", "nwparser.payload", "Xbar %{fld41->} is online (serial: %{fld42})", processor_chain([ - dup15, - dup2, - dup3, - dup4, - setc("event_description","Xbar is online"), - ])); - - var msg274 = msg("XBAR_OK", part226); - - var part227 = match("MESSAGE#268:VPC_ISSU_START", "nwparser.payload", "Peer vPC switch ISSU start, locking configuration%{}", processor_chain([ - dup15, - dup2, - dup3, - dup4, - setc("event_description","Peer vPC switch ISSU start, locking configuration"), - ])); - - var msg275 = msg("VPC_ISSU_START", part227); - - var part228 = match("MESSAGE#269:VPC_ISSU_END", "nwparser.payload", "Peer vPC switch ISSU end, unlocking configuration%{}", processor_chain([ - dup15, - dup2, - dup3, - dup4, - setc("event_description","Peer vPC switch ISSU end, unlocking configuration"), - ])); - - var msg276 = msg("VPC_ISSU_END", part228); - - var part229 = match("MESSAGE#270:PORT_RANGE_ROLE", "nwparser.payload", "new_role=%{obj_name->} interface=%{interface->} mst=%{fld42}", processor_chain([ - dup62, - dup2, - dup3, - dup4, - setc("obj_type","new_role"), - ])); - - var msg277 = msg("PORT_RANGE_ROLE", part229); - - var part230 = match("MESSAGE#271:PORT_RANGE_STATE", "nwparser.payload", "new_state=%{obj_name->} interface=%{interface->} mst=%{fld42}", processor_chain([ - dup62, - dup2, - dup3, - 
dup4, - setc("obj_type","new_state"), - ])); - - var msg278 = msg("PORT_RANGE_STATE", part230); - - var part231 = match("MESSAGE#272:PORT_RANGE_DELETED", "nwparser.payload", "Interface %{interface->} removed from mst=%{fld42}", processor_chain([ - dup24, - dup34, - dup20, - dup38, - dup2, - dup3, - dup4, - setc("event_description","Interface removed from MST."), - ])); - - var msg279 = msg("PORT_RANGE_DELETED", part231); - - var part232 = match("MESSAGE#273:PORT_RANGE_ADDED", "nwparser.payload", "Interface %{interface->} added to mst=%{fld42->} with %{info}", processor_chain([ - dup29, - dup34, - dup80, - dup38, - dup2, - dup3, - dup4, - setc("event_description","Interface added to MST."), - ])); - - var msg280 = msg("PORT_RANGE_ADDED", part232); - - var part233 = match("MESSAGE#274:MST_PORT_BOUNDARY", "nwparser.payload", "Port %{portname->} removed as MST Boundary port", processor_chain([ - dup24, - dup34, - dup20, - dup38, - dup2, - dup3, - dup4, - setc("event_description","Port removed as MST Boundary port"), - ])); - - var msg281 = msg("MST_PORT_BOUNDARY", part233); - - var part234 = match("MESSAGE#275:PIXM_SYSLOG_MESSAGE_TYPE_CRIT", "nwparser.payload", "Non-transactional PIXM Error. 
Error Type: %{result}.%{info}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - setc("event_description","Non-transactional PIXM Error"), - ])); - - var msg282 = msg("PIXM_SYSLOG_MESSAGE_TYPE_CRIT", part234); - - var part235 = match("MESSAGE#276:IM_INTF_STATE", "nwparser.payload", "%{interface->} is %{obj_name->} in vdc %{fld43}", processor_chain([ - dup8, - dup2, - dup3, - dup4, - setc("obj_type"," Interface state"), - ])); - - var msg283 = msg("IM_INTF_STATE", part235); - - var part236 = match("MESSAGE#277:VDC_STATE_CHANGE", "nwparser.payload", "vdc %{fld43->} state changed to %{obj_name}", processor_chain([ - dup62, - dup34, - dup16, - dup38, - dup2, - dup3, - dup4, - setc("event_description","VDC state changed."), - setc("obj_type"," VDC state"), - ])); - - var msg284 = msg("VDC_STATE_CHANGE", part236); - - var part237 = match("MESSAGE#278:SWITCHOVER_OVER", "nwparser.payload", "Switchover completed.%{}", processor_chain([ - dup8, - dup2, - dup3, - dup4, - dup81, - ])); - - var msg285 = msg("SWITCHOVER_OVER", part237); - - var part238 = match("MESSAGE#279:VDC_MODULETYPE", "nwparser.payload", "%{process}: Module type changed to %{obj_name}", processor_chain([ - dup62, - dup16, - dup38, - dup2, - dup3, - dup4, - dup81, - setc("obj_type"," New Module type"), - ])); - - var msg286 = msg("VDC_MODULETYPE", part238); - - var part239 = match("MESSAGE#280:HASEQNO_SYNC_FAILED", "nwparser.payload", "Unable to sync HA sequence number %{fld44->} for service \"%{service}\" (PID %{process_id}): %{result}.", processor_chain([ - dup77, - dup34, - dup35, - dup14, - dup2, - dup3, - dup4, - setc("event_description","Unable to sync HA sequence number for service"), - ])); - - var msg287 = msg("HASEQNO_SYNC_FAILED", part239); - - var part240 = match("MESSAGE#281:MSG_SEND_FAILURE_STANDBY_RESET", "nwparser.payload", "Failure in sending message to standby causing standby to reset.%{}", processor_chain([ - dup1, - dup34, - dup79, - dup35, - dup14, - dup2, - dup3, - dup4, - 
setc("event_description","Failure in sending message to standby causing standby to reset."), - ])); - - var msg288 = msg("MSG_SEND_FAILURE_STANDBY_RESET", part240); - - var part241 = match("MESSAGE#282:MODULE_LOCK_FAILED", "nwparser.payload", "Failed to lock the local module to avoid reset (error-id %{resultcode}).", processor_chain([ - dup1, - dup2, - dup3, - dup4, - setc("event_description","Failed to lock the local module to avoid reset"), - ])); - - var msg289 = msg("MODULE_LOCK_FAILED", part241); - - var part242 = match("MESSAGE#283:L2FMC_NL_MTS_SEND_FAILURE", "nwparser.payload", "Failed to send Mac New Learns/Mac moves due to mts send failure errno %{resultcode}", processor_chain([ - dup1, - dup34, - dup79, - dup35, - dup14, - dup2, - dup3, - dup4, - setc("event_description","Failed to send Mac New Learns/Mac moves due to mts send failure."), - ])); - - var msg290 = msg("L2FMC_NL_MTS_SEND_FAILURE", part242); - - var part243 = match("MESSAGE#284:SERVER_ADDED", "nwparser.payload", "Server with Chassis ID %{id->} Port ID %{fld45->} management address %{fld46->} discovered on local port %{portname->} in vlan %{vlan->} %{info}", processor_chain([ - dup29, - dup80, - dup38, - dup2, - dup3, - dup4, - setc("event_description","Server discovered on local in vlan 0 with enabled capability Station"), - ])); - - var msg291 = msg("SERVER_ADDED", part243); - - var part244 = match("MESSAGE#285:SERVER_REMOVED", "nwparser.payload", "Server with Chassis ID %{id->} Port ID %{fld45->} on local port %{portname->} has been removed", processor_chain([ - dup24, - dup20, - dup38, - dup2, - dup3, - dup4, - setc("event_description","Server on local port has been removed"), - ])); - - var msg292 = msg("SERVER_REMOVED", part244); - - var part245 = match("MESSAGE#286:IF_DOWN_SUSPENDED_BY_SPEED", "nwparser.payload", "Interface %{interface->} is down %{info}", processor_chain([ - dup23, - dup34, - dup72, - dup2, - dup3, - dup4, - dup25, - ])); - - var msg293 = 
msg("IF_DOWN_SUSPENDED_BY_SPEED", part245); - - var part246 = match("MESSAGE#287:PORT_INDIVIDUAL", "nwparser.payload", "port %{portname->} is operationally individual", processor_chain([ - dup8, - dup2, - dup3, - dup4, - setc("event_description","port is operationally individual"), - ])); - - var msg294 = msg("PORT_INDIVIDUAL", part246); - - var part247 = match("MESSAGE#288:IF_DOWN_CHANNEL_ADMIN_DOWN", "nwparser.payload", "Interface %{interface->} is down %{info}", processor_chain([ - dup23, - dup34, - dup38, - dup72, - dup2, - dup3, - dup4, - dup25, - ])); - - var msg295 = msg("IF_DOWN_CHANNEL_ADMIN_DOWN", part247); - - var part248 = match("MESSAGE#289:IF_ERRDIS_RECOVERY", "nwparser.payload", "Interface %{interface->} is being recovered from error disabled state %{info}", processor_chain([ - dup22, - dup2, - dup3, - dup4, - setc("event_description","Interface is being recovered from error disabled state"), - ])); - - var msg296 = msg("IF_ERRDIS_RECOVERY", part248); - - var part249 = match("MESSAGE#290:IF_NON_CISCO_TRANSCEIVER", "nwparser.payload", "Non-Cisco transceiver on interface %{interface->} is detected", processor_chain([ - dup30, - dup2, - dup3, - dup4, - setc("event_description","Non-Cisco transceiver on interface is detected"), - ])); - - var msg297 = msg("IF_NON_CISCO_TRANSCEIVER", part249); - - var part250 = match("MESSAGE#291:ACTIVE_LOWER_MEM_THAN_STANDBY", "nwparser.payload", "Active supervisor in slot %{fld47->} is running with less memory than standby supervisor in slot %{fld48}.", processor_chain([ - dup30, - dup2, - dup3, - dup4, - setc("event_description","Active supervisor is running with less memory than standby supervisor."), - ])); - - var msg298 = msg("ACTIVE_LOWER_MEM_THAN_STANDBY", part250); - - var part251 = match("MESSAGE#292:READCONF_STARTED", "nwparser.payload", "Configuration update started (PID %{process_id}).", processor_chain([ - dup30, - dup16, - dup38, - dup2, - dup3, - dup4, - setc("event_description","Configuration update 
started."), - ])); - - var msg299 = msg("READCONF_STARTED", part251); - - var part252 = match("MESSAGE#293:SUP_POWERDOWN", "nwparser.payload", "Supervisor in slot %{fld47->} is running with less memory than active supervisor in slot %{fld48}", processor_chain([ - dup30, - dup2, - dup3, - dup4, - setc("event_description","Supervisor is running with less memory than active supervisor."), - ])); - - var msg300 = msg("SUP_POWERDOWN", part252); - - var part253 = match("MESSAGE#294:LC_UPGRADE_START", "nwparser.payload", "Starting linecard upgrade%{}", processor_chain([ - dup30, - dup16, - dup38, - dup2, - dup3, - dup4, - setc("event_description","Starting linecard upgrade"), - ])); - - var msg301 = msg("LC_UPGRADE_START", part253); - - var part254 = match("MESSAGE#295:LC_UPGRADE_REBOOT", "nwparser.payload", "Rebooting linecard as a part of upgrade%{}", processor_chain([ - dup30, - dup16, - dup38, - dup2, - dup3, - dup4, - setc("event_description","Rebooting linecard as a part of upgrade"), - ])); - - var msg302 = msg("LC_UPGRADE_REBOOT", part254); - - var part255 = match("MESSAGE#296:RUNTIME_DB_RESTORE_STARTED", "nwparser.payload", "Runtime database controller started (PID %{process_id}).", processor_chain([ - dup30, - dup2, - dup3, - dup4, - setc("event_description","Runtime database controller started."), - ])); - - var msg303 = msg("RUNTIME_DB_RESTORE_STARTED", part255); - - var part256 = match("MESSAGE#297:RUNTIME_DB_RESTORE_SUCCESS", "nwparser.payload", "Runtime database successfully restored.%{}", processor_chain([ - dup30, - dup2, - dup3, - dup4, - setc("event_description","Runtime database successfully restored."), - ])); - - var msg304 = msg("RUNTIME_DB_RESTORE_SUCCESS", part256); - - var part257 = match("MESSAGE#298:LCM_MODULE_UPGRADE_START", "nwparser.payload", "Upgrade of module %{fld49->} started", processor_chain([ - dup30, - dup16, - dup38, - dup2, - dup3, - dup4, - setc("event_description","Upgrade of module started"), - ])); - - var msg305 = 
msg("LCM_MODULE_UPGRADE_START", part257); - - var part258 = match("MESSAGE#299:LCM_MODULE_UPGRADE_END", "nwparser.payload", "Upgrade of module %{fld49->} ended", processor_chain([ - dup30, - dup2, - dup3, - dup4, - setc("event_description","Upgrade of module ended"), - ])); - - var msg306 = msg("LCM_MODULE_UPGRADE_END", part258); - - var part259 = match("MESSAGE#300:FIPS_POST_INFO_MSG", "nwparser.payload", "Recieved insert for %{fld50}", processor_chain([ - dup63, - dup34, - dup78, - dup35, - dup2, - dup3, - dup4, - setc("event_description","Recieved insert for lc mod"), - ])); - - var msg307 = msg("FIPS_POST_INFO_MSG", part259); - - var part260 = match("MESSAGE#301:PEER_VPC_CFGD", "nwparser.payload", "peer vPC %{obj_name->} is configured", processor_chain([ - dup30, - dup34, - dup38, - dup17, - dup2, - dup3, - dup4, - setc("event_description","peer vPC is configured"), - dup74, - ])); - - var msg308 = msg("PEER_VPC_CFGD", part260); - - var part261 = match("MESSAGE#302:SYN_COLL_DIS_EN", "nwparser.payload", "%{info}: Potential Interop issue on [%{interface}]: %{result}", processor_chain([ - dup73, - dup34, - dup38, - dup72, - dup2, - dup3, - dup4, - setc("event_description","Potential Interop issue on interface."), - ])); - - var msg309 = msg("SYN_COLL_DIS_EN", part261); - - var part262 = match("MESSAGE#303:NOHMS_ENV_FEX_OFFLINE", "nwparser.payload", "%{device->} Off-line (Serial Number %{fld42})", processor_chain([ - dup30, - dup2, - dup3, - dup4, - setc("event_description","FEX OFFLINE"), - ])); - - var msg310 = msg("NOHMS_ENV_FEX_OFFLINE", part262); - - var part263 = match("MESSAGE#304:NOHMS_ENV_FEX_ONLINE", "nwparser.payload", "%{device->} On-line", processor_chain([ - dup30, - dup2, - dup3, - dup4, - setc("event_description","FEX ONLINE"), - ])); - - var msg311 = msg("NOHMS_ENV_FEX_ONLINE", part263); - - var part264 = match("MESSAGE#305:FEX_STATUS_online", "nwparser.payload", "%{device->} is online", processor_chain([ - dup30, - dup2, - dup3, - dup4, - 
setc("event_description","Fex is online"), - ])); - - var msg312 = msg("FEX_STATUS_online", part264); - - var part265 = match("MESSAGE#306:FEX_STATUS_offline", "nwparser.payload", "%{device->} is offline", processor_chain([ - dup30, - dup2, - dup3, - dup4, - setc("event_description","Fex is offline"), - ])); - - var msg313 = msg("FEX_STATUS_offline", part265); - - var select40 = linear_select([ - msg312, - msg313, - ]); - - var part266 = match("MESSAGE#307:PS_PWR_INPUT_MISSING", "nwparser.payload", "Power supply %{fld41->} present but all AC/DC inputs are not connected, power redundancy might be affected", processor_chain([ - dup73, - dup38, - dup72, - dup2, - dup3, - dup4, - setc("event_description","Power supply present but all AC/DC inputs are not connected, power redundancy might be affected"), - ])); - - var msg314 = msg("PS_PWR_INPUT_MISSING", part266); - - var part267 = match("MESSAGE#308:PS_RED_MODE_RESTORED", "nwparser.payload", "Power redundancy operational mode changed to %{change_new}", processor_chain([ - dup30, - dup16, - dup38, - dup2, - dup3, - dup4, - setc("event_description","Power redundancy operational mode changed."), - setc("change_attribute","operational mode"), - ])); - - var msg315 = msg("PS_RED_MODE_RESTORED", part267); - - var part268 = match("MESSAGE#309:MOD_PWRFAIL_EJECTORS_OPEN", "nwparser.payload", "All ejectors open, Module %{fld41->} will not be powered up (Serial number %{fld42})", processor_chain([ - dup1, - dup2, - dup3, - dup4, - setc("event_description","All ejectors open, Module will not be powered up."), - ])); - - var msg316 = msg("MOD_PWRFAIL_EJECTORS_OPEN", part268); - - var part269 = match("MESSAGE#310:PINNING_CHANGED", "nwparser.payload", "%{device->} pinning information is changed", processor_chain([ - dup30, - dup16, - dup38, - dup2, - dup3, - dup4, - setc("event_description","Fex pinning information is changed"), - ])); - - var msg317 = msg("PINNING_CHANGED", part269); - - var part270 = match("MESSAGE#311:SATCTRL", 
"nwparser.payload", "%{device->} Module %{fld41}: Cold boot", processor_chain([ - dup30, - dup2, - dup3, - dup4, - setc("event_description","FEX-100 Module -Cold boot"), - ])); - - var msg318 = msg("SATCTRL", part270); - - var part271 = match("MESSAGE#312:DUP_REGISTER", "nwparser.payload", "%{fld51->} [%{fld52}] Client %{fld43->} register more than once with same pid%{info}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - setc("event_description","Client register more than once with same pid"), - ])); - - var msg319 = msg("DUP_REGISTER", part271); - - var part272 = match("MESSAGE#313:UNKNOWN_MTYPE", "nwparser.payload", "%{fld51->} [%{fld52}] Unknown mtype: %{info}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - setc("event_description","Unknown mtype"), - ])); - - var msg320 = msg("UNKNOWN_MTYPE", part272); - - var part273 = match("MESSAGE#314:SATCTRL_IMAGE", "nwparser.payload", "%{fld51->} %{event_description}", processor_chain([ - dup30, - dup16, - dup38, - dup2, - dup3, - dup4, - ])); - - var msg321 = msg("SATCTRL_IMAGE", part273); - - var part274 = match("MESSAGE#315:API_FAILED", "nwparser.payload", "%{fld51->} [%{fld52}] %{event_description}", processor_chain([ - dup1, - setc("ec_subject","Process"), - dup14, - dup2, - dup3, - dup4, - ])); - - var msg322 = msg("API_FAILED", part274); - - var part275 = match_copy("MESSAGE#316:SENSOR_MSG1", "nwparser.payload", "event_description", processor_chain([ - dup8, - dup2, - dup3, - dup4, - ])); - - var msg323 = msg("SENSOR_MSG1", part275); - - var part276 = match("MESSAGE#317:API_INIT_SEM_CLEAR", "nwparser.payload", "%{fld51->} [%{fld52}] %{event_description}", processor_chain([ - dup30, - dup2, - dup3, - dup4, - ])); - - var msg324 = msg("API_INIT_SEM_CLEAR", part276); - - var part277 = match("MESSAGE#318:VDC_ONLINE", "nwparser.payload", "vdc %{fld51->} has come online", processor_chain([ - dup30, - dup2, - dup3, - dup4, - setc("event_description","vdc has come online"), - ])); - - var msg325 = 
msg("VDC_ONLINE", part277); - - var part278 = match("MESSAGE#319:LACP_SUSPEND_INDIVIDUAL", "nwparser.payload", "LACP port %{portname->} of port-channel %{interface->} not receiving any LACP BPDUs %{result}", processor_chain([ - dup77, - dup34, - dup78, - dup35, - dup72, - dup2, - dup3, - dup4, - setc("event_description","LACP port of port-channel not receiving any LACP BPDUs."), - ])); - - var msg326 = msg("LACP_SUSPEND_INDIVIDUAL", part278); - - var part279 = match("MESSAGE#320:dstats", "nwparser.payload", "%{process}: %{info}", processor_chain([ - dup8, - dup2, - dup3, - dup4, - ])); - - var msg327 = msg("dstats", part279); - - var part280 = match("MESSAGE#321:MSG_PORT_LOGGED_OUT", "nwparser.payload", "%{fld52->} [VSAN %{fld51}, Interface %{interface}: %{fld53->} Nx Port %{portname->} logged OUT.", processor_chain([ - dup77, - dup34, - setc("ec_activity","Logoff"), - dup35, - dup2, - dup3, - dup4, - ])); - - var msg328 = msg("MSG_PORT_LOGGED_OUT", part280); - - var part281 = match("MESSAGE#322:MSG_PORT_LOGGED_IN", "nwparser.payload", "%{fld52->} [VSAN %{fld51}, Interface %{interface}: %{fld53->} Nx Port %{portname->} with FCID %{fld54->} logged IN.", processor_chain([ - dup77, - dup34, - dup13, - dup35, - dup2, - dup3, - dup4, - ])); - - var msg329 = msg("MSG_PORT_LOGGED_IN", part281); - - var msg330 = msg("IF_DOWN_ELP_FAILURE_ISOLATION", dup96); - - var part282 = match("MESSAGE#324:ZS_MERGE_FAILED", "nwparser.payload", "%{fld52->} Zone merge failure, isolating interface %{interface->} reason: %{result}:[%{resultcode}]", processor_chain([ - dup23, - dup34, - dup35, - dup14, - dup2, - dup3, - dup4, - ])); - - var msg331 = msg("ZS_MERGE_FAILED", part282); - - var msg332 = msg("IF_DOWN_ZONE_MERGE_FAILURE_ISOLATION", dup96); - - var part283 = match("MESSAGE#326:MAC_MOVE_NOTIFICATION", "nwparser.payload", "Host %{hostname->} in vlan %{vlan->} is flapping between port %{change_old->} and port %{change_new}", processor_chain([ - dup23, - dup34, - dup35, - dup2, - dup3, 
- dup4, - setc("change_attribute","Port"), - ])); - - var msg333 = msg("MAC_MOVE_NOTIFICATION", part283); - - var part284 = match("MESSAGE#327:zone", "nwparser.payload", "num_tlv greater than 1, %{result}", processor_chain([ - dup8, - dup2, - dup3, - dup4, - ])); - - var msg334 = msg("zone", part284); - - var part285 = match("MESSAGE#328:ERROR", "nwparser.payload", "%{event_description}: %{info}", processor_chain([ - dup1, - dup34, - dup35, - dup72, - dup2, - dup3, - dup4, - ])); - - var msg335 = msg("ERROR", part285); - - var part286 = match("MESSAGE#329:INVAL_IP", "nwparser.payload", "%{agent->} [%{process_id}] Received packet with invalid destination IP address (%{daddr}) from %{smacaddr->} on %{interface}", processor_chain([ - dup77, - dup34, - dup78, - dup35, - dup72, - dup2, - dup3, - dup4, - ])); - - var msg336 = msg("INVAL_IP", part286); - - var part287 = match("MESSAGE#330:SYSLOG_SL_MSG_WARNING", "nwparser.payload", "%{process}: message repeated %{dclass_counter1->} times in last %{duration}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - ])); - - var msg337 = msg("SYSLOG_SL_MSG_WARNING", part287); - - var part288 = match("MESSAGE#331:DUPLEX_MISMATCH", "nwparser.payload", "Duplex mismatch discovered on %{interface}, with %{fld55}", processor_chain([ - dup77, - dup34, - dup35, - dup72, - dup2, - dup3, - dup4, - ])); - - var msg338 = msg("DUPLEX_MISMATCH", part288); - - var part289 = match("MESSAGE#332:NOHMS_DIAG_ERROR", "nwparser.payload", "Module %{fld20}: Runtime diag detected major event: Fabric port failure %{interface}", processor_chain([ - dup77, - dup34, - dup35, - dup72, - dup2, - dup3, - dup4, - ])); - - var msg339 = msg("NOHMS_DIAG_ERROR", part289); - - var part290 = match("MESSAGE#333:STM_LEARNING_RE_ENABLE", "nwparser.payload", "Re enabling dynamic learning on all interfaces%{}", processor_chain([ - dup15, - dup34, - dup35, - dup2, - dup3, - dup4, - ])); - - var msg340 = msg("STM_LEARNING_RE_ENABLE", part290); - - var part291 = 
match("MESSAGE#334:UDLD_PORT_DISABLED", "nwparser.payload", "UDLD disabled interface %{interface}, %{result}", processor_chain([ - dup77, - dup34, - dup35, - dup72, - dup2, - dup3, - dup4, - ])); - - var msg341 = msg("UDLD_PORT_DISABLED", part291); - - var part292 = match("MESSAGE#335:ntpd", "nwparser.payload", "ntp:no servers reachable%{}", processor_chain([ - dup15, - dup2, - dup4, - ])); - - var msg342 = msg("ntpd", part292); - - var part293 = match("MESSAGE#336:ntpd:01", "nwparser.payload", "ntp:event EVNT_UNREACH %{saddr}", processor_chain([ - dup15, - dup2, - dup4, - ])); - - var msg343 = msg("ntpd:01", part293); - - var part294 = match("MESSAGE#337:ntpd:02", "nwparser.payload", "ntp:event EVNT_REACH %{saddr}", processor_chain([ - dup15, - dup2, - dup4, - ])); - - var msg344 = msg("ntpd:02", part294); - - var part295 = match("MESSAGE#338:ntpd:03", "nwparser.payload", "ntp:synchronized to %{saddr}, stratum %{fld9}", processor_chain([ - dup15, - dup2, - dup4, - ])); - - var msg345 = msg("ntpd:03", part295); - - var part296 = match("MESSAGE#339:ntpd:04", "nwparser.payload", "ntp:%{event_description}", processor_chain([ - dup15, - dup2, - dup4, - ])); - - var msg346 = msg("ntpd:04", part296); - - var select41 = linear_select([ - msg342, - msg343, - msg344, - msg345, - msg346, - ]); - - var part297 = match_copy("MESSAGE#340:PFM_ALERT", "nwparser.payload", "event_description", processor_chain([ - dup9, - dup2, - dup3, - dup4, - ])); - - var msg347 = msg("PFM_ALERT", part297); - - var part298 = match("MESSAGE#341:SERVICEFOUND", "nwparser.payload", "Service %{service->} acquired on WCCP Client %{saddr}", processor_chain([ - dup61, - dup2, - dup3, - dup4, - setc("event_description","Service acquired on WCCP Client"), - ])); - - var msg348 = msg("SERVICEFOUND", part298); - - var part299 = match("MESSAGE#342:ROUTERFOUND", "nwparser.payload", "Service %{service->} acquired on WCCP Router %{saddr}", processor_chain([ - dup61, - dup2, - dup3, - dup4, - 
setc("event_description","Service acquired on WCCP Router"), - ])); - - var msg349 = msg("ROUTERFOUND", part299); - - var part300 = match("MESSAGE#343:%AUTHPRIV-3-SYSTEM_MSG", "nwparser.payload", "pam_aaa:Authentication failed from %{shost->} - %{agent}", processor_chain([ - dup5, - dup2, - dup3, - dup4, - setc("event_description","Authentication failed"), - ])); - - var msg350 = msg("%AUTHPRIV-3-SYSTEM_MSG", part300); - - var part301 = match("MESSAGE#344:%AUTHPRIV-5-SYSTEM_MSG", "nwparser.payload", "New user added with username %{username->} - %{agent}", processor_chain([ - dup18, - dup2, - dup12, - dup3, - dup4, - setc("event_description","New user added"), - ])); - - var msg351 = msg("%AUTHPRIV-5-SYSTEM_MSG", part301); - - var part302 = match("MESSAGE#345:%AUTHPRIV-6-SYSTEM_MSG:01", "nwparser.payload", "%{action}: %{service->} pid=%{process_id->} from=::ffff:%{saddr->} - %{agent}", processor_chain([ - dup10, - dup2, - dup12, - dup3, - dup4, - ])); - - var msg352 = msg("%AUTHPRIV-6-SYSTEM_MSG:01", part302); - - var part303 = match("MESSAGE#346:%AUTHPRIV-6-SYSTEM_MSG", "nwparser.payload", "pam_unix(%{fld1}:session): session opened for user %{username->} by (uid=%{uid}) - %{agent}", processor_chain([ - dup10, - dup2, - dup12, - dup3, - dup4, - setc("event_description","session opened for user"), - ])); - - var msg353 = msg("%AUTHPRIV-6-SYSTEM_MSG", part303); - - var select42 = linear_select([ - msg352, - msg353, - ]); - - var part304 = match("MESSAGE#347:%USER-3-SYSTEM_MSG", "nwparser.payload", "error: %{result}", processor_chain([ - dup5, - dup2, - dup3, - dup4, - ])); - - var msg354 = msg("%USER-3-SYSTEM_MSG", part304); - - var part305 = match("MESSAGE#348:%USER-6-SYSTEM_MSG", "nwparser.payload", "Invalid user %{username->} from %{saddr->} - %{agent}", processor_chain([ - dup5, - dup2, - dup3, - dup4, - dup82, - ])); - - var msg355 = msg("%USER-6-SYSTEM_MSG", part305); - - var part306 = match("MESSAGE#349:%USER-6-SYSTEM_MSG:01", "nwparser.payload", 
"input_userauth_request: invalid user %{username->} - %{agent}", processor_chain([ - dup5, - dup2, - dup3, - dup4, - dup82, - ])); - - var msg356 = msg("%USER-6-SYSTEM_MSG:01", part306); - - var part307 = match("MESSAGE#350:%USER-6-SYSTEM_MSG:02", "nwparser.payload", "Failed none for invalid user %{username->} from %{saddr->} port %{sport->} %{protocol->} - %{agent}", processor_chain([ - dup5, - dup2, - dup3, - dup4, - setc("event_description","Failed none for invalid user"), - ])); - - var msg357 = msg("%USER-6-SYSTEM_MSG:02", part307); - - var part308 = match("MESSAGE#351:%USER-6-SYSTEM_MSG:03", "nwparser.payload", "Accepted password for %{username->} from %{saddr->} port %{sport->} %{protocol->} - %{agent}", processor_chain([ - dup83, - dup2, - dup3, - dup4, - setc("event_description","Accepted password for user"), - ])); - - var msg358 = msg("%USER-6-SYSTEM_MSG:03", part308); - - var part309 = match("MESSAGE#352:%USER-6-SYSTEM_MSG:04", "nwparser.payload", "lastlog_openseek: Couldn't stat %{directory}: No such file or directory - %{agent}", processor_chain([ - dup83, - dup2, - dup3, - dup4, - setc("event_description","No such file or directory"), - ])); - - var msg359 = msg("%USER-6-SYSTEM_MSG:04", part309); - - var part310 = match("MESSAGE#353:%USER-6-SYSTEM_MSG:05", "nwparser.payload", "Could not load host key: %{encryption_type->} - %{agent}", processor_chain([ - dup83, - dup2, - dup3, - dup4, - setc("event_description","Could not load host key"), - ])); - - var msg360 = msg("%USER-6-SYSTEM_MSG:05", part310); - - var part311 = match("MESSAGE#354:%USER-6-SYSTEM_MSG:06", "nwparser.payload", "%{event_description->} - %{agent}", processor_chain([ - dup83, - dup2, - dup3, - dup4, - ])); - - var msg361 = msg("%USER-6-SYSTEM_MSG:06", part311); - - var select43 = linear_select([ - msg355, - msg356, - msg357, - msg358, - msg359, - msg360, - msg361, - ]); - - var part312 = match("MESSAGE#355:L2FM_MAC_FLAP_DISABLE_LEARN", "nwparser.payload", "Disabling learning in vlan 
%{vlan->} for %{duration}s due to too many mac moves", processor_chain([ - dup30, - dup2, - dup4, - setc("ec_activity","Disable"), - ])); - - var msg362 = msg("L2FM_MAC_FLAP_DISABLE_LEARN", part312); - - var part313 = match("MESSAGE#356:L2FM_MAC_FLAP_RE_ENABLE_LEARN", "nwparser.payload", "Re-enabling learning in vlan %{vlan}", processor_chain([ - dup30, - dup2, - dup4, - dup37, - ])); - - var msg363 = msg("L2FM_MAC_FLAP_RE_ENABLE_LEARN", part313); - - var part314 = match("MESSAGE#357:PS_ABSENT", "nwparser.payload", "Power supply %{fld1->} is %{disposition}, ps-redundancy might be affected", processor_chain([ - dup1, - dup2, - dup4, - ])); - - var msg364 = msg("PS_ABSENT", part314); - - var part315 = match("MESSAGE#358:PS_DETECT", "nwparser.payload", "Power supply %{fld1->} detected but %{disposition->} (Serial number %{serial_number})", processor_chain([ - dup1, - dup2, - dup4, - ])); - - var msg365 = msg("PS_DETECT", part315); - - var part316 = match("MESSAGE#359:SUBPROC_TERMINATED", "nwparser.payload", "\"System Manager (configuration controller)\" (PID %{process_id}) has finished with error code %{result->} (%{resultcode}).", processor_chain([ - dup1, - dup2, - dup4, - ])); - - var msg366 = msg("SUBPROC_TERMINATED", part316); - - var part317 = match("MESSAGE#360:SUBPROC_SUCCESS_EXIT", "nwparser.payload", "\"%{service}\" (PID %{process_id}) has successfully exited with exit code %{result->} (%{resultcode}).", processor_chain([ - dup15, - dup2, - dup4, - dup84, - dup17, - ])); - - var msg367 = msg("SUBPROC_SUCCESS_EXIT", part317); - - var part318 = match("MESSAGE#361:UPDOWN", "nwparser.payload", "Line Protocol on Interface vlan %{vlan}, changed state to %{disposition}", processor_chain([ - dup30, - dup2, - dup4, - ])); - - var msg368 = msg("UPDOWN", part318); - - var part319 = match("MESSAGE#362:L2FM_MAC_MOVE2", "nwparser.payload", "Mac %{smacaddr->} in vlan %{vlan->} has moved between %{change_old->} to %{change_new}", processor_chain([ - dup30, - dup2, - dup4, - 
setc("change_attribute","Interface"), - ])); - - var msg369 = msg("L2FM_MAC_MOVE2", part319); - - var part320 = match("MESSAGE#363:PFM_PS_RED_MODE_CHG", "nwparser.payload", "Power redundancy configured mode changed to %{event_state}", processor_chain([ - dup30, - dup2, - dup4, - dup38, - ])); - - var msg370 = msg("PFM_PS_RED_MODE_CHG", part320); - - var part321 = match("MESSAGE#364:PS_RED_MODE_CHG", "nwparser.payload", "Power supply operational redundancy mode changed to %{event_state}", processor_chain([ - dup30, - dup2, - dup4, - dup38, - ])); - - var msg371 = msg("PS_RED_MODE_CHG", part321); - - var part322 = match("MESSAGE#365:INVAL_MAC", "nwparser.payload", "%{agent->} [%{process_id}] Received packet with invalid source MAC address (%{smacaddr}) from %{saddr->} on %{vlan}", processor_chain([ - dup63, - dup2, - dup4, - ])); - - var msg372 = msg("INVAL_MAC", part322); - - var part323 = match("MESSAGE#366:SRVSTATE_CHANGED", "nwparser.payload", "State for service \"%{service}\" changed from %{change_old->} to %{change_new->} in vdc %{fld1}.", processor_chain([ - dup15, - dup2, - dup4, - setc("change_attribute","Service status"), - ])); - - var msg373 = msg("SRVSTATE_CHANGED", part323); - - var part324 = match_copy("MESSAGE#367:INFO", "nwparser.payload", "event_description", processor_chain([ - dup63, - dup2, - dup4, - ])); - - var msg374 = msg("INFO", part324); - - var part325 = match("MESSAGE#374:SERVICE_STARTED", "nwparser.payload", "Service \"%{service}\" in vdc %{fld1->} started with PID(%{process_id}).", processor_chain([ - dup15, - dup2, - dup4, - dup84, - dup76, - dup17, - ])); - - var msg375 = msg("SERVICE_STARTED", part325); - - var part326 = match("MESSAGE#375:DUP_VADDR_SRCIP_PROBE", "nwparser.payload", "%{process->} [%{process_id}] Duplicate address Detected. 
Probe packet received from %{smacaddr->} on %{vlan->} with destination set to our local Virtual ip, %{saddr}", processor_chain([ - dup8, - dup2, - dup3, - dup4, - dup85, - ])); - - var msg376 = msg("DUP_VADDR_SRCIP_PROBE", part326); - - var part327 = match("MESSAGE#376:DUP_SRCIP_PROBE", "nwparser.payload", "%{process->} [%{process_id}] Duplicate address Detected. Probe packet received from %{smacaddr->} on %{vlan->} with destination set to our local ip, %{saddr}", processor_chain([ - dup8, - dup2, - dup3, - dup4, - dup85, - ])); - - var msg377 = msg("DUP_SRCIP_PROBE", part327); - - var chain1 = processor_chain([ - select1, - msgid_select({ - "%AUTHPRIV-3-SYSTEM_MSG": msg350, - "%AUTHPRIV-5-SYSTEM_MSG": msg351, - "%AUTHPRIV-6-SYSTEM_MSG": select42, - "%USER-3-SYSTEM_MSG": msg354, - "%USER-6-SYSTEM_MSG": select43, - "AAA_ACCOUNTING_MESSAGE": select28, - "ACLLOG_FLOW_INTERVAL": msg187, - "ACLLOG_MAXFLOW_REACHED": msg188, - "ACLLOG_NEW_FLOW": msg189, - "ACTIVE_LOWER_MEM_THAN_STANDBY": msg298, - "ACTIVE_SUP_OK": msg74, - "ADDON_IMG_DNLD_COMPLETE": msg60, - "ADDON_IMG_DNLD_STARTED": msg61, - "ADDON_IMG_DNLD_SUCCESSFUL": msg62, - "ADJCHANGE": msg217, - "API_FAILED": msg322, - "API_INIT_SEM_CLEAR": msg324, - "BIOS_DAEMON_LC_PRI_BOOT": msg262, - "CFGWRITE_ABORTED": msg135, - "CFGWRITE_ABORTED_LOCK": msg133, - "CFGWRITE_DONE": msg136, - "CFGWRITE_FAILED": msg134, - "CFGWRITE_STARTED": msg137, - "CFGWRITE_USER_ABORT": msg198, - "CHASSIS_CLKMODOK": msg80, - "CHASSIS_CLKSRC": msg81, - "CONN_CONNECT": msg145, - "CONN_DISCONNECT": msg146, - "CREATED": msg51, - "DELETE_STALE_USER_ACCOUNT": msg258, - "DISPUTE_CLEARED": msg77, - "DISPUTE_DETECTED": msg78, - "DOMAIN_CFG_SYNC_DONE": msg79, - "DUPLEX_MISMATCH": msg338, - "DUP_REGISTER": msg319, - "DUP_SRCIP_PROBE": msg377, - "DUP_VADDR_SRCIP_PROBE": msg376, - "DUP_VADDR_SRC_IP": msg190, - "DVPG_CREATE": msg147, - "DVPG_DELETE": msg148, - "DVS_HOSTMEMBER_INFO": msg149, - "DVS_NAME_CHANGE": msg150, - "EJECTOR_STAT_CHANGED": msg270, - 
"ERROR": msg335, - "ERR_MSG": msg131, - "EVENT": msg206, - "FAN_DETECT": msg97, - "FAN_OK": msg82, - "FCIP_PEER_CAVIUM": msg233, - "FEX_PORT_STATUS_NOTI": msg214, - "FEX_STATUS": select40, - "FIPS_POST_INFO_MSG": msg307, - "FOP_CHANGED": msg52, - "HASEQNO_SYNC_FAILED": msg287, - "HEARTBEAT_FAILURE": msg240, - "IF_ADMIN_UP": msg259, - "IF_ATTACHED": msg138, - "IF_BANDWIDTH_CHANGE": msg210, - "IF_BRINGUP_ALLOWED_FCOT_CHECKSUM_ERR": msg203, - "IF_DELETE_AUTO": msg139, - "IF_DETACHED": msg140, - "IF_DETACHED_MODULE_REMOVED": msg141, - "IF_DOWN_ADMIN_DOWN": select11, - "IF_DOWN_BIT_ERR_RT_THRES_EXCEEDED": msg199, - "IF_DOWN_CFG_CHANGE": msg193, - "IF_DOWN_CHANNEL_ADMIN_DOWN": msg295, - "IF_DOWN_CHANNEL_MEMBERSHIP_UPDATE_IN_PROGRESS": msg38, - "IF_DOWN_ELP_FAILURE_ISOLATION": msg330, - "IF_DOWN_ERROR_DISABLED": msg35, - "IF_DOWN_FCOT_NOT_PRESENT": select17, - "IF_DOWN_INACTIVE": msg142, - "IF_DOWN_INITIALIZING": select18, - "IF_DOWN_INTERFACE_REMOVED": msg39, - "IF_DOWN_LINK_FAILURE": select12, - "IF_DOWN_MODULE_REMOVED": msg42, - "IF_DOWN_NONE": select19, - "IF_DOWN_NON_PARTICIPATING": msg143, - "IF_DOWN_NOS_RCVD": select20, - "IF_DOWN_OFFLINE": msg114, - "IF_DOWN_OLS_RCVD": msg115, - "IF_DOWN_PARENT_ADMIN_DOWN": msg211, - "IF_DOWN_PEER_CLOSE": msg234, - "IF_DOWN_PEER_RESET": msg235, - "IF_DOWN_PORT_CHANNEL_MEMBERS_DOWN": msg43, - "IF_DOWN_SOFTWARE_FAILURE": msg116, - "IF_DOWN_SRC_PORT_NOT_BOUND": msg117, - "IF_DOWN_SUSPENDED_BY_SPEED": msg293, - "IF_DOWN_TCP_MAX_RETRANSMIT": msg232, - "IF_DOWN_VEM_UNLICENSED": msg144, - "IF_DOWN_ZONE_MERGE_FAILURE_ISOLATION": msg332, - "IF_DUPLEX": msg44, - "IF_ERRDIS_RECOVERY": msg296, - "IF_ERROR_VLANS_REMOVED": msg191, - "IF_ERROR_VLANS_SUSPENDED": msg192, - "IF_HARDWARE": msg239, - "IF_NON_CISCO_TRANSCEIVER": msg297, - "IF_PORTPROFILE_ATTACHED": msg125, - "IF_RX_FLOW_CONTROL": msg45, - "IF_SEQ_ERROR": msg46, - "IF_SFP_ALARM": select35, - "IF_SFP_WARNING": msg231, - "IF_TRUNK_DOWN": select21, - "IF_TRUNK_UP": select22, - 
"IF_TX_FLOW_CONTROL": msg47, - "IF_UP": select13, - "IF_XCVR_ALARM": select34, - "IF_XCVR_WARNING": select33, - "IMG_DNLD_COMPLETE": msg63, - "IMG_DNLD_STARTED": msg64, - "IM_INTF_STATE": msg283, - "IM_SEQ_ERROR": msg59, - "INFO": msg374, - "INFORMATION": msg205, - "INTF_CONSISTENCY_FAILED": msg236, - "INTF_CONSISTENCY_SUCCESS": msg237, - "INTF_COUNTERS_CLEARED": msg238, - "INVAL_IP": msg336, - "INVAL_MAC": msg372, - "L2FMC_NL_MTS_SEND_FAILURE": msg290, - "L2FM_MAC_FLAP_DISABLE_LEARN": msg362, - "L2FM_MAC_FLAP_RE_ENABLE_LEARN": msg363, - "L2FM_MAC_MOVE2": msg369, - "LACP_SUSPEND_INDIVIDUAL": msg326, - "LCM_MODULE_UPGRADE_END": msg306, - "LCM_MODULE_UPGRADE_START": msg305, - "LC_UPGRADE_REBOOT": msg302, - "LC_UPGRADE_START": msg301, - "LOG-7-SYSTEM_MSG": msg1, - "LOG_CMP_AAA_FAILURE": msg67, - "LOG_CMP_UP": msg244, - "LOG_LIC_N1K_EXPIRY_WARNING": msg68, - "M2FIB_MAC_TBL_PRGMING": msg257, - "MAC_MOVE_NOTIFICATION": msg333, - "MEMORY_ALERT": msg249, - "MEMORY_ALERT_RECOVERED": msg250, - "MESG": msg130, - "MODULE_LOCK_FAILED": msg289, - "MODULE_ONLINE": msg261, - "MOD_BRINGUP_MULTI_LIMIT": msg96, - "MOD_DETECT": msg83, - "MOD_FAIL": msg69, - "MOD_MAJORSWFAIL": msg70, - "MOD_OK": msg75, - "MOD_PWRDN": msg84, - "MOD_PWRFAIL_EJECTORS_OPEN": msg316, - "MOD_PWRUP": msg85, - "MOD_REMOVE": msg86, - "MOD_RESTART": msg76, - "MOD_SRG_NOT_COMPATIBLE": msg71, - "MOD_STATUS": msg98, - "MOD_WARNING": select14, - "MOUNT": msg243, - "MSG_PORT_LOGGED_IN": msg329, - "MSG_PORT_LOGGED_OUT": msg328, - "MSG_SEND_FAILURE_STANDBY_RESET": msg288, - "MSM_CRIT": msg66, - "MST_PORT_BOUNDARY": msg281, - "MTSERROR": msg34, - "MTS_DROP": msg57, - "NATIVE_VLAN_MISMATCH": msg207, - "NBRCHANGE_DUAL": msg253, - "NEIGHBOR_ADDED": msg208, - "NEIGHBOR_REMOVED": msg209, - "NEIGHBOR_UPDATE_AUTOCOPY": msg33, - "NOHMS_DIAG_ERROR": msg339, - "NOHMS_DIAG_ERR_PS_FAIL": msg215, - "NOHMS_DIAG_ERR_PS_RECOVERED": msg216, - "NOHMS_ENV_FEX_OFFLINE": msg310, - "NOHMS_ENV_FEX_ONLINE": msg311, - 
"PEER_KEEP_ALIVE_RECV_FAIL": msg266, - "PEER_KEEP_ALIVE_RECV_INT_LATEST": msg264, - "PEER_KEEP_ALIVE_RECV_SUCCESS": msg265, - "PEER_KEEP_ALIVE_SEND_INT_LATEST": msg267, - "PEER_KEEP_ALIVE_SEND_SUCCESS": msg268, - "PEER_KEEP_ALIVE_STATUS": msg269, - "PEER_VPC_CFGD": msg308, - "PEER_VPC_CFGD_VLANS_CHANGED": msg99, - "PEER_VPC_DELETED": msg100, - "PEER_VPC_DOWN": msg263, - "PFM_ALERT": msg347, - "PFM_CLOCK_CHANGE": msg194, - "PFM_FAN_FLTR_STATUS": msg242, - "PFM_MODULE_POWER_ON": msg87, - "PFM_PS_RED_MODE_CHG": msg370, - "PFM_SYSTEM_RESET": msg88, - "PFM_VEM_DETECTED": msg101, - "PFM_VEM_REMOVE_NO_HB": msg89, - "PFM_VEM_REMOVE_RESET": msg90, - "PFM_VEM_REMOVE_STATE_CONFLICT": msg91, - "PFM_VEM_REMOVE_TWO_ACT_VSM": msg92, - "PFM_VEM_UNLICENSED": msg93, - "PINNING_CHANGED": msg317, - "PIXM_SYSLOG_MESSAGE_TYPE_CRIT": msg282, - "POLICY_ACTIVATE_EVENT": msg27, - "POLICY_COMMIT_EVENT": msg28, - "POLICY_DEACTIVATE_EVENT": msg29, - "POLICY_LOOKUP_EVENT": select10, - "PORT_ADDED": msg218, - "PORT_DELETED": msg219, - "PORT_DOWN": msg53, - "PORT_INDIVIDUAL": msg294, - "PORT_INDIVIDUAL_DOWN": msg212, - "PORT_PROFILE_CHANGE_VERIFY_REQ_FAILURE": msg124, - "PORT_RANGE_ADDED": msg280, - "PORT_RANGE_DELETED": msg279, - "PORT_RANGE_ROLE": msg277, - "PORT_RANGE_STATE": msg278, - "PORT_ROLE": msg220, - "PORT_SOFTWARE_FAILURE": msg65, - "PORT_STATE": msg221, - "PORT_SUSPENDED": msg213, - "PORT_UP": msg54, - "PS_ABSENT": msg364, - "PS_CAPACITY_CHANGE": select16, - "PS_DETECT": msg365, - "PS_FAIL": msg204, - "PS_FANOK": msg94, - "PS_FOUND": msg102, - "PS_OK": msg95, - "PS_PWR_INPUT_MISSING": msg314, - "PS_RED_MODE_CHG": msg371, - "PS_RED_MODE_RESTORED": msg315, - "PS_STATUS": msg103, - "PVLAN_PPM_PORT_CONFIG_FAILED": msg129, - "READCONF_STARTED": msg299, - "RM_VICPP_RECREATE_ERROR": msg132, - "ROUTERFOUND": msg349, - "RUNTIME_DB_RESTORE_STARTED": msg303, - "RUNTIME_DB_RESTORE_SUCCESS": msg304, - "SATCTRL": msg318, - "SATCTRL_IMAGE": msg321, - "SENSOR_MSG1": msg323, - "SERVER_ADDED": msg291, 
- "SERVER_REMOVED": msg292, - "SERVICEFOUND": msg348, - "SERVICELOST": msg202, - "SERVICE_CRASHED": msg201, - "SERVICE_STARTED": msg375, - "SOHMS_DIAG_ERROR": select37, - "SPEED": msg50, - "SRVSTATE_CHANGED": msg373, - "STANDBY_SUP_OK": msg126, - "STM_LEARNING_RE_ENABLE": msg340, - "STM_LOOP_DETECT": msg127, - "SUBGROUP_ID_PORT_ADDED": msg55, - "SUBGROUP_ID_PORT_REMOVED": msg56, - "SUBPROC_SUCCESS_EXIT": msg367, - "SUBPROC_TERMINATED": msg366, - "SUP_POWERDOWN": msg300, - "SWITCHOVER_OVER": msg285, - "SYNC_COMPLETE": msg128, - "SYNC_FAILURE_STANDBY_RESET": msg195, - "SYN_COLL_DIS_EN": msg309, - "SYSLOG_LOG_WARNING": msg58, - "SYSLOG_SL_MSG_WARNING": msg337, - "SYSMGR_AUTOCOLLECT_TECH_SUPPORT_LOG": msg241, - "SYSTEM_MSG": select9, - "TACACS_ACCOUNTING_MESSAGE": select32, - "TACACS_ERROR_MESSAGE": msg230, - "UDLD_PORT_DISABLED": msg341, - "UNKNOWN_MTYPE": msg320, - "UPDOWN": msg368, - "VDC_HOSTNAME_CHANGE": msg26, - "VDC_MODULETYPE": msg286, - "VDC_ONLINE": msg325, - "VDC_STATE_CHANGE": msg284, - "VMS_PPM_SYNC_COMPLETE": msg151, - "VPC_CFGD": msg260, - "VPC_DELETED": msg152, - "VPC_ISSU_END": msg276, - "VPC_ISSU_START": msg275, - "VPC_UP": msg153, - "VSHD_SYSLOG_CONFIG_I": select25, - "XBAR_DETECT": msg271, - "XBAR_OK": msg274, - "XBAR_PWRDN": msg273, - "XBAR_PWRUP": msg272, - "ZS_MERGE_FAILED": msg331, - "dstats": msg327, - "last": msg200, - "ntpd": select41, - "snmpd": select29, - "zone": msg334, - }), - ]); - - var part328 = match_copy("MESSAGE#24:SYSTEM_MSG:08/0_1", "nwparser.payload", "event_description"); - - var part329 = match("MESSAGE#44:IF_RX_FLOW_CONTROL/1_0", "nwparser.p0", "rol%{p0}"); - - var part330 = match("MESSAGE#44:IF_RX_FLOW_CONTROL/1_1", "nwparser.p0", "ol%{p0}"); - - var part331 = match("MESSAGE#44:IF_RX_FLOW_CONTROL/2", "nwparser.p0", "%{}state changed to %{result}"); - - var part332 = match("MESSAGE#171:AAA_ACCOUNTING_MESSAGE:27/0", "nwparser.payload", "update:%{saddr}@%{terminal}:%{username}:%{p0}"); - - var part333 = 
match("MESSAGE#171:AAA_ACCOUNTING_MESSAGE:27/2", "nwparser.p0", "%{result})");
-
- var part334 = match("MESSAGE#186:ACLLOG_FLOW_INTERVAL/0", "nwparser.payload", "S%{p0}");
-
- var part335 = match("MESSAGE#186:ACLLOG_FLOW_INTERVAL/1_0", "nwparser.p0", "ource%{p0}");
-
- var part336 = match("MESSAGE#186:ACLLOG_FLOW_INTERVAL/1_1", "nwparser.p0", "rc%{p0}");
-
- var part337 = match("MESSAGE#186:ACLLOG_FLOW_INTERVAL/2", "nwparser.p0", "%{}IP: %{saddr}, D%{p0}");
-
- var part338 = match("MESSAGE#186:ACLLOG_FLOW_INTERVAL/3_0", "nwparser.p0", "estination%{p0}");
-
- var part339 = match("MESSAGE#186:ACLLOG_FLOW_INTERVAL/3_1", "nwparser.p0", "st%{p0}");
-
- var part340 = match("MESSAGE#186:ACLLOG_FLOW_INTERVAL/4", "nwparser.p0", "%{}IP: %{daddr}, S%{p0}");
-
- var part341 = match("MESSAGE#186:ACLLOG_FLOW_INTERVAL/6", "nwparser.p0", "%{}Port: %{sport}, D%{p0}");
-
- var part342 = match("MESSAGE#186:ACLLOG_FLOW_INTERVAL/8", "nwparser.p0", "%{}Port: %{dport}, S%{p0}");
-
- var part343 = match("MESSAGE#186:ACLLOG_FLOW_INTERVAL/9_0", "nwparser.p0", "ource Interface%{p0}");
-
- var part344 = match("MESSAGE#186:ACLLOG_FLOW_INTERVAL/9_1", "nwparser.p0", "rc Intf%{p0}");
-
- var part345 = match("MESSAGE#186:ACLLOG_FLOW_INTERVAL/10", "nwparser.p0", ": %{sinterface}, %{p0}");
-
- var part346 = match("MESSAGE#186:ACLLOG_FLOW_INTERVAL/11_0", "nwparser.p0", "Protocol: %{p0}");
-
- var part347 = match("MESSAGE#186:ACLLOG_FLOW_INTERVAL/11_1", "nwparser.p0", "protocol: %{p0}");
-
- var part348 = match("MESSAGE#186:ACLLOG_FLOW_INTERVAL/12", "nwparser.p0", "\"%{protocol}\"(%{protocol_detail}),%{space->} Hit-count = %{dclass_counter1}");
-
- var part349 = match("MESSAGE#372:TACACS_ACCOUNTING_MESSAGE:09/0", "nwparser.payload", "%{action}: %{p0}");
-
- var part350 = match("MESSAGE#372:TACACS_ACCOUNTING_MESSAGE:09/1_0", "nwparser.p0", "%{saddr}@%{terminal}: %{p0}");
-
- var part351 = match("MESSAGE#372:TACACS_ACCOUNTING_MESSAGE:09/1_1", "nwparser.p0", "%{fld1->} %{p0}");
-
- var part352 = 
match("MESSAGE#372:TACACS_ACCOUNTING_MESSAGE:09/3_0", "nwparser.p0", "(%{result})%{info}");
-
- var part353 = match_copy("MESSAGE#372:TACACS_ACCOUNTING_MESSAGE:09/3_1", "nwparser.p0", "info");
-
- var part354 = match("MESSAGE#238:IF_XCVR_WARNING/0", "nwparser.payload", "Interface %{interface}, %{p0}");
-
- var part355 = match("MESSAGE#238:IF_XCVR_WARNING/1_0", "nwparser.p0", "Low %{p0}");
-
- var part356 = match("MESSAGE#238:IF_XCVR_WARNING/1_1", "nwparser.p0", "High %{p0}");
-
- var part357 = match_copy("MESSAGE#0:LOG-7-SYSTEM_MSG", "nwparser.payload", "event_description", processor_chain([
- dup1,
- dup2,
- dup3,
- dup4,
- ]));
-
- var part358 = match_copy("MESSAGE#32:NEIGHBOR_UPDATE_AUTOCOPY", "nwparser.payload", "event_description", processor_chain([
- dup15,
- dup2,
- dup3,
- dup4,
- ]));
-
- var part359 = match("MESSAGE#35:IF_DOWN_ADMIN_DOWN", "nwparser.payload", "Interface %{interface->} is down (%{result})", processor_chain([
- dup23,
- dup2,
- dup3,
- dup4,
- ]));
-
- var part360 = match("MESSAGE#36:IF_DOWN_ADMIN_DOWN:01", "nwparser.payload", "%{fld43->} Interface %{interface->} is down (%{result})", processor_chain([
- dup23,
- dup2,
- dup3,
- dup4,
- ]));
-
- var part361 = match("MESSAGE#37:IF_DOWN_CHANNEL_MEMBERSHIP_UPDATE_IN_PROGRESS", "nwparser.payload", "Interface %{interface->} is down (%{result})", processor_chain([
- dup15,
- dup2,
- dup3,
- dup4,
- ]));
-
- var part362 = match("MESSAGE#38:IF_DOWN_INTERFACE_REMOVED", "nwparser.payload", "Interface %{interface->} is down (%{result})", processor_chain([
- dup24,
- dup2,
- dup3,
- dup4,
- ]));
-
- var select44 = linear_select([
- dup26,
- dup27,
- ]);
-
- var part363 = match_copy("MESSAGE#58:IM_SEQ_ERROR", "nwparser.payload", "result", processor_chain([
- dup1,
- dup2,
- dup3,
- dup4,
- ]));
-
- var part364 = match_copy("MESSAGE#88:PFM_VEM_REMOVE_NO_HB", "nwparser.payload", "event_description", processor_chain([
- dup24,
- dup2,
- dup3,
- dup4,
- ]));
-
- var part365 = 
match("MESSAGE#108:IF_DOWN_INITIALIZING:01", "nwparser.payload", "%{fld43->} Interface %{interface->} is down (%{result})", processor_chain([
- dup15,
- dup2,
- dup3,
- dup4,
- ]));
-
- var part366 = match("MESSAGE#110:IF_DOWN_NONE:01", "nwparser.payload", "%{fld52->} Interface %{interface->} is down (%{result})", processor_chain([
- dup23,
- dup34,
- dup35,
- dup14,
- dup2,
- dup3,
- dup4,
- ]));
-
- var part367 = match_copy("MESSAGE#123:PORT_PROFILE_CHANGE_VERIFY_REQ_FAILURE", "nwparser.payload", "event_description", processor_chain([
- dup33,
- dup2,
- dup3,
- dup4,
- ]));
-
- var select45 = linear_select([
- dup46,
- dup47,
- ]);
-
- var select46 = linear_select([
- dup49,
- dup50,
- ]);
-
- var select47 = linear_select([
- dup54,
- dup55,
- ]);
-
- var select48 = linear_select([
- dup57,
- dup58,
- ]);
-
- var part368 = match_copy("MESSAGE#214:NOHMS_DIAG_ERR_PS_FAIL", "nwparser.payload", "event_description", processor_chain([
- dup23,
- dup2,
- dup3,
- dup4,
- ]));
-
- var select49 = linear_select([
- dup65,
- dup66,
- ]);
-
- var select50 = linear_select([
- dup67,
- dup68,
- ]);
-
- var part369 = match("MESSAGE#224:IF_SFP_WARNING", "nwparser.payload", "Interface %{interface}, %{event_description}", processor_chain([
- dup15,
- dup2,
- dup3,
- dup4,
- ]));
-
- var part370 = match("MESSAGE#225:IF_DOWN_TCP_MAX_RETRANSMIT", "nwparser.payload", "%{fld43->} Interface %{interface->} is down%{info}", processor_chain([
- dup23,
- dup2,
- dup3,
- dup4,
- ]));
-
- var select51 = linear_select([
- dup70,
- dup71,
- ]);
-
- var part371 = match("MESSAGE#239:IF_XCVR_WARNING:01", "nwparser.payload", "Interface %{interface}, %{event_description}", processor_chain([
- dup61,
- dup2,
- dup3,
- dup4,
- ]));
-
-- community_id:
-- registered_domain:
- ignore_missing: true
- ignore_failure: true
- field: dns.question.name
- target_field: dns.question.registered_domain
- target_subdomain_field: dns.question.subdomain
- target_etld_field: dns.question.top_level_domain
-- 
registered_domain:
- ignore_missing: true
- ignore_failure: true
- field: client.domain
- target_field: client.registered_domain
- target_subdomain_field: client.subdomain
- target_etld_field: client.top_level_domain
-- registered_domain:
- ignore_missing: true
- ignore_failure: true
- field: server.domain
- target_field: server.registered_domain
- target_subdomain_field: server.subdomain
- target_etld_field: server.top_level_domain
-- registered_domain:
- ignore_missing: true
- ignore_failure: true
- field: destination.domain
- target_field: destination.registered_domain
- target_subdomain_field: destination.subdomain
- target_etld_field: destination.top_level_domain
-- registered_domain:
- ignore_missing: true
- ignore_failure: true
- field: source.domain
- target_field: source.registered_domain
- target_subdomain_field: source.subdomain
- target_etld_field: source.top_level_domain
-- registered_domain:
- ignore_missing: true
- ignore_failure: true
- field: url.domain
- target_field: url.registered_domain
- target_subdomain_field: url.subdomain
- target_etld_field: url.top_level_domain
-- add_locale: ~
diff --git a/packages/cisco_nexus/0.7.2/data_stream/log/agent/stream/udp.yml.hbs b/packages/cisco_nexus/0.7.2/data_stream/log/agent/stream/udp.yml.hbs
deleted file mode 100755
index 64f17de3e0..0000000000
--- a/packages/cisco_nexus/0.7.2/data_stream/log/agent/stream/udp.yml.hbs
+++ /dev/null
@@ -1,7176 +0,0 @@
-udp:
-host: "{{udp_host}}:{{udp_port}}"
-tags:
-{{#if preserve_original_event}}
- - preserve_original_event
-{{/if}}
-{{#each tags as |tag i|}}
- - {{tag}}
-{{/each}}
-fields_under_root: true
-fields:
- observer:
- vendor: "Cisco"
- product: "Nexus"
- type: "Switches"
-{{#contains "forwarded" tags}}
-publisher_pipeline.disable_host: true
-{{/contains}}
-processors:
-{{#if processors}}
-{{processors}}
-{{/if}}
-- script:
- lang: javascript
- params:
- ecs: true
- rsa: {{rsa_fields}}
- tz_offset: {{tz_offset}}
- keep_raw: {{keep_raw_fields}}
- debug: {{debug}}
- source: |
- // Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
- // or more contributor license agreements. Licensed under the Elastic License;
- // you may not use this file except in compliance with the Elastic License.
-
- /* jshint -W014,-W016,-W097,-W116 */
-
- var processor = require("processor");
- var console = require("console");
-
- var FLAG_FIELD = "log.flags";
- var FIELDS_OBJECT = "nwparser";
- var FIELDS_PREFIX = FIELDS_OBJECT + ".";
-
- var defaults = {
- debug: false,
- ecs: true,
- rsa: false,
- keep_raw: false,
- tz_offset: "local",
- strip_priority: true
- };
-
- var saved_flags = null;
- var debug;
- var map_ecs;
- var map_rsa;
- var keep_raw;
- var device;
- var tz_offset;
- var strip_priority;
-
- // Register params from configuration.
- function register(params) {
- debug = params.debug !== undefined ? params.debug : defaults.debug;
- map_ecs = params.ecs !== undefined ? params.ecs : defaults.ecs;
- map_rsa = params.rsa !== undefined ? params.rsa : defaults.rsa;
- keep_raw = params.keep_raw !== undefined ? params.keep_raw : defaults.keep_raw;
- tz_offset = parse_tz_offset(params.tz_offset !== undefined? params.tz_offset : defaults.tz_offset);
- strip_priority = params.strip_priority !== undefined? 
params.strip_priority : defaults.strip_priority; - device = new DeviceProcessor(); - } - - function parse_tz_offset(offset) { - var date; - var m; - switch(offset) { - // local uses the tz offset from the JS VM. - case "local": - date = new Date(); - // Reversing the sign as we the offset from UTC, not to UTC. - return parse_local_tz_offset(-date.getTimezoneOffset()); - // event uses the tz offset from event.timezone (add_locale processor). - case "event": - return offset; - // Otherwise a tz offset in the form "[+-][0-9]{4}" is required. - default: - m = offset.match(/^([+\-])([0-9]{2}):?([0-9]{2})?$/); - if (m === null || m.length !== 4) { - throw("bad timezone offset: '" + offset + "'. Must have the form +HH:MM"); - } - return m[1] + m[2] + ":" + (m[3]!==undefined? m[3] : "00"); - } - } - - function parse_local_tz_offset(minutes) { - var neg = minutes < 0; - minutes = Math.abs(minutes); - var min = minutes % 60; - var hours = Math.floor(minutes / 60); - var pad2digit = function(n) { - if (n < 10) { return "0" + n;} - return "" + n; - }; - return (neg? "-" : "+") + pad2digit(hours) + ":" + pad2digit(min); - } - - function process(evt) { - // Function register is only called by the processor when `params` are set - // in the processor config. - if (device === undefined) { - register(defaults); - } - return device.process(evt); - } - - function processor_chain(subprocessors) { - var builder = new processor.Chain(); - subprocessors.forEach(builder.Add); - return builder.Build().Run; - } - - function linear_select(subprocessors) { - return function (evt) { - var flags = evt.Get(FLAG_FIELD); - var i; - for (i = 0; i < subprocessors.length; i++) { - evt.Delete(FLAG_FIELD); - if (debug) console.warn("linear_select trying entry " + i); - subprocessors[i](evt); - // Dissect processor succeeded? 
- if (evt.Get(FLAG_FIELD) == null) break; - if (debug) console.warn("linear_select failed entry " + i); - } - if (flags !== null) { - evt.Put(FLAG_FIELD, flags); - } - if (debug) { - if (i < subprocessors.length) { - console.warn("linear_select matched entry " + i); - } else { - console.warn("linear_select didn't match"); - } - } - }; - } - - function conditional(opt) { - return function(evt) { - if (opt.if(evt)) { - opt.then(evt); - } else if (opt.else) { - opt.else(evt); - } - }; - } - - var strip_syslog_priority = (function() { - var isEnabled = function() { return strip_priority === true; }; - var fetchPRI = field("_pri"); - var fetchPayload = field("payload"); - var removePayload = remove(["payload"]); - var cleanup = remove(["_pri", "payload"]); - var onMatch = function(evt) { - var pri, priStr = fetchPRI(evt); - if (priStr != null - && 0 < priStr.length && priStr.length < 4 - && !isNaN((pri = Number(priStr))) - && 0 <= pri && pri < 192) { - var severity = pri & 7, - facility = pri >> 3; - setc("_severity", "" + severity)(evt); - setc("_facility", "" + facility)(evt); - // Replace message with priority stripped. - evt.Put("message", fetchPayload(evt)); - removePayload(evt); - } else { - // not a valid syslog PRI, cleanup. 
- cleanup(evt); - } - }; - return conditional({ - if: isEnabled, - then: cleanup_flags(match( - "STRIP_PRI", - "message", - "<%{_pri}>%{payload}", - onMatch - )) - }); - })(); - - function match(id, src, pattern, on_success) { - var dissect = new processor.Dissect({ - field: src, - tokenizer: pattern, - target_prefix: FIELDS_OBJECT, - ignore_failure: true, - overwrite_keys: true, - trim_values: "right" - }); - return function (evt) { - var msg = evt.Get(src); - dissect.Run(evt); - var failed = evt.Get(FLAG_FIELD) != null; - if (debug) { - if (failed) { - console.debug("dissect fail: " + id + " field:" + src); - } else { - console.debug("dissect OK: " + id + " field:" + src); - } - console.debug(" expr: <<" + pattern + ">>"); - console.debug(" input: <<" + msg + ">>"); - } - if (on_success != null && !failed) { - on_success(evt); - } - }; - } - - function match_copy(id, src, dst, on_success) { - dst = FIELDS_PREFIX + dst; - if (dst === FIELDS_PREFIX || dst === src) { - return function (evt) { - if (debug) { - console.debug("noop OK: " + id + " field:" + src); - console.debug(" input: <<" + evt.Get(src) + ">>"); - } - if (on_success != null) on_success(evt); - } - } - return function (evt) { - var msg = evt.Get(src); - evt.Put(dst, msg); - if (debug) { - console.debug("copy OK: " + id + " field:" + src); - console.debug(" target: '" + dst + "'"); - console.debug(" input: <<" + msg + ">>"); - } - if (on_success != null) on_success(evt); - } - } - - function cleanup_flags(processor) { - return function(evt) { - processor(evt); - evt.Delete(FLAG_FIELD); - }; - } - - function all_match(opts) { - return function (evt) { - var i; - for (i = 0; i < opts.processors.length; i++) { - evt.Delete(FLAG_FIELD); - opts.processors[i](evt); - // Dissect processor succeeded? 
- if (evt.Get(FLAG_FIELD) != null) { - if (debug) console.warn("all_match failure at " + i); - if (opts.on_failure != null) opts.on_failure(evt); - return; - } - if (debug) console.warn("all_match success at " + i); - } - if (opts.on_success != null) opts.on_success(evt); - }; - } - - function msgid_select(mapping) { - return function (evt) { - var msgid = evt.Get(FIELDS_PREFIX + "messageid"); - if (msgid == null) { - if (debug) console.warn("msgid_select: no messageid captured!"); - return; - } - var next = mapping[msgid]; - if (next === undefined) { - if (debug) console.warn("msgid_select: no mapping for messageid:" + msgid); - return; - } - if (debug) console.info("msgid_select: matched key=" + msgid); - return next(evt); - }; - } - - function msg(msg_id, match) { - return function (evt) { - match(evt); - if (evt.Get(FLAG_FIELD) == null) { - evt.Put(FIELDS_PREFIX + "msg_id1", msg_id); - } - }; - } - - var start; - - function save_flags(evt) { - saved_flags = evt.Get(FLAG_FIELD); - evt.Put("event.original", evt.Get("message")); - } - - function restore_flags(evt) { - if (saved_flags !== null) { - evt.Put(FLAG_FIELD, saved_flags); - } - evt.Delete("message"); - } - - function constant(value) { - return function (evt) { - return value; - }; - } - - function field(name) { - var fullname = FIELDS_PREFIX + name; - return function (evt) { - return evt.Get(fullname); - }; - } - - function STRCAT(args) { - var s = ""; - var i; - for (i = 0; i < args.length; i++) { - s += args[i]; - } - return s; - } - - // TODO: Implement - function DIRCHK(args) { - unimplemented("DIRCHK"); - } - - function strictToInt(str) { - return str * 1; - } - - function CALC(args) { - if (args.length !== 3) { - console.warn("skipped call to CALC with " + args.length + " arguments."); - return; - } - var a = strictToInt(args[0]); - var b = strictToInt(args[2]); - if (isNaN(a) || isNaN(b)) { - console.warn("failed evaluating CALC arguments a='" + args[0] + "' b='" + args[2] + "'."); - return; - } - 
var result; - switch (args[1]) { - case "+": - result = a + b; - break; - case "-": - result = a - b; - break; - case "*": - result = a * b; - break; - default: - // Only * and + seen in the parsers. - console.warn("unknown CALC operation '" + args[1] + "'."); - return; - } - // Always return a string - return result !== undefined ? "" + result : result; - } - - var quoteChars = "\"'`"; - function RMQ(args) { - if(args.length !== 1) { - console.warn("RMQ: only one argument expected"); - return; - } - var value = args[0].trim(); - var n = value.length; - var char; - return n > 1 - && (char=value.charAt(0)) === value.charAt(n-1) - && quoteChars.indexOf(char) !== -1? - value.substr(1, n-2) - : value; - } - - function call(opts) { - var args = new Array(opts.args.length); - return function (evt) { - for (var i = 0; i < opts.args.length; i++) - if ((args[i] = opts.args[i](evt)) == null) return; - var result = opts.fn(args); - if (result != null) { - evt.Put(opts.dest, result); - } - }; - } - - function nop(evt) { - } - - function appendErrorMsg(evt, msg) { - var value = evt.Get("error.message"); - if (value == null) { - value = [msg]; - } else if (msg instanceof Array) { - value.push(msg); - } else { - value = [value, msg]; - } - evt.Put("error.message", value); - } - - function unimplemented(name) { - appendErrorMsg("unimplemented feature: " + name); - } - - function lookup(opts) { - return function (evt) { - var key = opts.key(evt); - if (key == null) return; - var value = opts.map.keyvaluepairs[key]; - if (value === undefined) { - value = opts.map.default; - } - if (value !== undefined) { - evt.Put(opts.dest, value(evt)); - } - }; - } - - function set(fields) { - return new processor.AddFields({ - target: FIELDS_OBJECT, - fields: fields, - }); - } - - function setf(dst, src) { - return function (evt) { - var val = evt.Get(FIELDS_PREFIX + src); - if (val != null) evt.Put(FIELDS_PREFIX + dst, val); - }; - } - - function setc(dst, value) { - return function (evt) { - 
evt.Put(FIELDS_PREFIX + dst, value); - }; - } - - function set_field(opts) { - return function (evt) { - var val = opts.value(evt); - if (val != null) evt.Put(opts.dest, val); - }; - } - - function dump(label) { - return function (evt) { - console.log("Dump of event at " + label + ": " + JSON.stringify(evt, null, "\t")); - }; - } - - function date_time_join_args(evt, arglist) { - var str = ""; - for (var i = 0; i < arglist.length; i++) { - var fname = FIELDS_PREFIX + arglist[i]; - var val = evt.Get(fname); - if (val != null) { - if (str !== "") str += " "; - str += val; - } else { - if (debug) console.warn("in date_time: input arg " + fname + " is not set"); - } - } - return str; - } - - function to2Digit(num) { - return num? (num < 10? "0" + num : num) : "00"; - } - - // Make two-digit dates 00-69 interpreted as 2000-2069 - // and dates 70-99 translated to 1970-1999. - var twoDigitYearEpoch = 70; - var twoDigitYearCentury = 2000; - - // This is to accept dates up to 2 days in the future, only used when - // no year is specified in a date. 2 days should be enough to account for - // time differences between systems and different tz offsets. - var maxFutureDelta = 2*24*60*60*1000; - - // DateContainer stores date fields and then converts those fields into - // a Date. Necessary because building a Date using its set() methods gives - // different results depending on the order of components. - function DateContainer(tzOffset) { - this.offset = tzOffset === undefined? "Z" : tzOffset; - } - - DateContainer.prototype = { - setYear: function(v) {this.year = v;}, - setMonth: function(v) {this.month = v;}, - setDay: function(v) {this.day = v;}, - setHours: function(v) {this.hours = v;}, - setMinutes: function(v) {this.minutes = v;}, - setSeconds: function(v) {this.seconds = v;}, - - setUNIX: function(v) {this.unix = v;}, - - set2DigitYear: function(v) { - this.year = v < twoDigitYearEpoch? 
twoDigitYearCentury + v : twoDigitYearCentury + v - 100; - }, - - toDate: function() { - if (this.unix !== undefined) { - return new Date(this.unix * 1000); - } - if (this.day === undefined || this.month === undefined) { - // Can't make a date from this. - return undefined; - } - if (this.year === undefined) { - // A date without a year. Set current year, or previous year - // if date would be in the future. - var now = new Date(); - this.year = now.getFullYear(); - var date = this.toDate(); - if (date.getTime() - now.getTime() > maxFutureDelta) { - date.setFullYear(now.getFullYear() - 1); - } - return date; - } - var MM = to2Digit(this.month); - var DD = to2Digit(this.day); - var hh = to2Digit(this.hours); - var mm = to2Digit(this.minutes); - var ss = to2Digit(this.seconds); - return new Date(this.year + "-" + MM + "-" + DD + "T" + hh + ":" + mm + ":" + ss + this.offset); - } - } - - function date_time_try_pattern(fmt, str, tzOffset) { - var date = new DateContainer(tzOffset); - var pos = date_time_try_pattern_at_pos(fmt, str, 0, date); - return pos !== undefined? 
date.toDate() : undefined; - } - - function date_time_try_pattern_at_pos(fmt, str, pos, date) { - var len = str.length; - for (var proc = 0; pos !== undefined && pos < len && proc < fmt.length; proc++) { - pos = fmt[proc](str, pos, date); - } - return pos; - } - - function date_time(opts) { - return function (evt) { - var tzOffset = opts.tz || tz_offset; - if (tzOffset === "event") { - tzOffset = evt.Get("event.timezone"); - } - var str = date_time_join_args(evt, opts.args); - for (var i = 0; i < opts.fmts.length; i++) { - var date = date_time_try_pattern(opts.fmts[i], str, tzOffset); - if (date !== undefined) { - evt.Put(FIELDS_PREFIX + opts.dest, date); - return; - } - } - if (debug) console.warn("in date_time: id=" + opts.id + " FAILED: " + str); - }; - } - - var uA = 60 * 60 * 24; - var uD = 60 * 60 * 24; - var uF = 60 * 60; - var uG = 60 * 60 * 24 * 30; - var uH = 60 * 60; - var uI = 60 * 60; - var uJ = 60 * 60 * 24; - var uM = 60 * 60 * 24 * 30; - var uN = 60 * 60; - var uO = 1; - var uS = 1; - var uT = 60; - var uU = 60; - var uc = dc; - - function duration(opts) { - return function(evt) { - var str = date_time_join_args(evt, opts.args); - for (var i = 0; i < opts.fmts.length; i++) { - var seconds = duration_try_pattern(opts.fmts[i], str); - if (seconds !== undefined) { - evt.Put(FIELDS_PREFIX + opts.dest, seconds); - return; - } - } - if (debug) console.warn("in duration: id=" + opts.id + " (s) FAILED: " + str); - }; - } - - function duration_try_pattern(fmt, str) { - var secs = 0; - var pos = 0; - for (var i=0; i [ month_id , how many chars to skip if month in long form ] - "Jan": [0, 4], - "Feb": [1, 5], - "Mar": [2, 2], - "Apr": [3, 2], - "May": [4, 0], - "Jun": [5, 1], - "Jul": [6, 1], - "Aug": [7, 3], - "Sep": [8, 6], - "Oct": [9, 4], - "Nov": [10, 5], - "Dec": [11, 4], - "jan": [0, 4], - "feb": [1, 5], - "mar": [2, 2], - "apr": [3, 2], - "may": [4, 0], - "jun": [5, 1], - "jul": [6, 1], - "aug": [7, 3], - "sep": [8, 6], - "oct": [9, 4], - "nov": [10, 
5], - "dec": [11, 4], - }; - - // var dC = undefined; - var dR = dateMonthName(true); - var dB = dateMonthName(false); - var dM = dateFixedWidthNumber("M", 2, 1, 12, DateContainer.prototype.setMonth); - var dG = dateVariableWidthNumber("G", 1, 12, DateContainer.prototype.setMonth); - var dD = dateFixedWidthNumber("D", 2, 1, 31, DateContainer.prototype.setDay); - var dF = dateVariableWidthNumber("F", 1, 31, DateContainer.prototype.setDay); - var dH = dateFixedWidthNumber("H", 2, 0, 24, DateContainer.prototype.setHours); - var dI = dateVariableWidthNumber("I", 0, 24, DateContainer.prototype.setHours); // Accept hours >12 - var dN = dateVariableWidthNumber("N", 0, 24, DateContainer.prototype.setHours); - var dT = dateFixedWidthNumber("T", 2, 0, 59, DateContainer.prototype.setMinutes); - var dU = dateVariableWidthNumber("U", 0, 59, DateContainer.prototype.setMinutes); - var dP = parseAMPM; // AM|PM - var dQ = parseAMPM; // A.M.|P.M - var dS = dateFixedWidthNumber("S", 2, 0, 60, DateContainer.prototype.setSeconds); - var dO = dateVariableWidthNumber("O", 0, 60, DateContainer.prototype.setSeconds); - var dY = dateFixedWidthNumber("Y", 2, 0, 99, DateContainer.prototype.set2DigitYear); - var dW = dateFixedWidthNumber("W", 4, 1000, 9999, DateContainer.prototype.setYear); - var dZ = parseHMS; - var dX = dateVariableWidthNumber("X", 0, 0x10000000000, DateContainer.prototype.setUNIX); - - // parseAMPM parses "A.M", "AM", "P.M", "PM" from logs. - // Only works if this modifier appears after the hour has been read from logs - // which is always the case in the 300 devices. 
- function parseAMPM(str, pos, date) { - var n = str.length; - var start = skipws(str, pos); - if (start + 2 > n) return; - var head = str.substr(start, 2).toUpperCase(); - var isPM = false; - var skip = false; - switch (head) { - case "A.": - skip = true; - /* falls through */ - case "AM": - break; - case "P.": - skip = true; - /* falls through */ - case "PM": - isPM = true; - break; - default: - if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(head:" + head + ")"); - return; - } - pos = start + 2; - if (skip) { - if (pos+2 > n || str.substr(pos, 2).toUpperCase() !== "M.") { - if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(tail)"); - return; - } - pos += 2; - } - var hh = date.hours; - if (isPM) { - // Accept existing hour in 24h format. - if (hh < 12) hh += 12; - } else { - if (hh === 12) hh = 0; - } - date.setHours(hh); - return pos; - } - - function parseHMS(str, pos, date) { - return date_time_try_pattern_at_pos([dN, dc(":"), dU, dc(":"), dO], str, pos, date); - } - - function skipws(str, pos) { - for ( var n = str.length; - pos < n && str.charAt(pos) === " "; - pos++) - ; - return pos; - } - - function skipdigits(str, pos) { - var c; - for (var n = str.length; - pos < n && (c = str.charAt(pos)) >= "0" && c <= "9"; - pos++) - ; - return pos; - } - - function dSkip(str, pos, date) { - var chr; - for (;pos < str.length && (chr=str[pos])<'0' || chr>'9'; pos++) {} - return pos < str.length? 
pos : undefined; - } - - function dateVariableWidthNumber(fmtChar, min, max, setter) { - return function (str, pos, date) { - var start = skipws(str, pos); - pos = skipdigits(str, start); - var s = str.substr(start, pos - start); - var value = parseInt(s, 10); - if (value >= min && value <= max) { - setter.call(date, value); - return pos; - } - return; - }; - } - - function dateFixedWidthNumber(fmtChar, width, min, max, setter) { - return function (str, pos, date) { - pos = skipws(str, pos); - var n = str.length; - if (pos + width > n) return; - var s = str.substr(pos, width); - var value = parseInt(s, 10); - if (value >= min && value <= max) { - setter.call(date, value); - return pos + width; - } - return; - }; - } - - // Short month name (Jan..Dec). - function dateMonthName(long) { - return function (str, pos, date) { - pos = skipws(str, pos); - var n = str.length; - if (pos + 3 > n) return; - var mon = str.substr(pos, 3); - var idx = shortMonths[mon]; - if (idx === undefined) { - idx = shortMonths[mon.toLowerCase()]; - } - if (idx === undefined) { - //console.warn("parsing date_time: '" + mon + "' is not a valid short month (%B)"); - return; - } - date.setMonth(idx[0]+1); - return pos + 3 + (long ? 
idx[1] : 0); - }; - } - - function url_wrapper(dst, src, fn) { - return function(evt) { - var value = evt.Get(FIELDS_PREFIX + src), result; - if (value != null && (result = fn(value))!== undefined) { - evt.Put(FIELDS_PREFIX + dst, result); - } else { - console.debug(fn.name + " failed for '" + value + "'"); - } - }; - } - - // The following regular expression for parsing URLs from: - // https://github.com/wizard04wsu/URI_Parsing - // - // The MIT License (MIT) - // - // Copyright (c) 2014 Andrew Harrison - // - // Permission is hereby granted, free of charge, to any person obtaining a copy of - // this software and associated documentation files (the "Software"), to deal in - // the Software without restriction, including without limitation the rights to - // use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of - // the Software, and to permit persons to whom the Software is furnished to do so, - // subject to the following conditions: - // - // The above copyright notice and this permission notice shall be included in all - // copies or substantial portions of the Software. - // - // THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR - // IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS - // FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR - // COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER - // IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN - // CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 
- var uriRegExp = /^([a-z][a-z0-9+.\-]*):(?:\/\/((?:(?=((?:[a-z0-9\-._~!$&'()*+,;=:]|%[0-9A-F]{2})*))(\3)@)?(?=(\[[0-9A-F:.]{2,}\]|(?:[a-z0-9\-._~!$&'()*+,;=]|%[0-9A-F]{2})*))\5(?::(?=(\d*))\6)?)(\/(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\8)?|(\/?(?!\/)(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\10)?)(?:\?(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\11)?(?:#(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\12)?$/i; - - var uriScheme = 1; - var uriDomain = 5; - var uriPort = 6; - var uriPath = 7; - var uriPathAlt = 9; - var uriQuery = 11; - - function domain(dst, src) { - return url_wrapper(dst, src, extract_domain); - } - - function split_url(value) { - var m = value.match(uriRegExp); - if (m && m[uriDomain]) return m; - // Support input in the form "www.example.net/path", but not "/path". - m = ("null://" + value).match(uriRegExp); - if (m) return m; - } - - function extract_domain(value) { - var m = split_url(value); - if (m && m[uriDomain]) return m[uriDomain]; - } - - var extFromPage = /\.[^.]+$/; - function extract_ext(value) { - var page = extract_page(value); - if (page) { - var m = page.match(extFromPage); - if (m) return m[0]; - } - } - - function ext(dst, src) { - return url_wrapper(dst, src, extract_ext); - } - - function fqdn(dst, src) { - // TODO: fqdn and domain(eTLD+1) are currently the same. - return domain(dst, src); - } - - var pageFromPathRegExp = /\/([^\/]+)$/; - var pageName = 1; - - function extract_page(value) { - value = extract_path(value); - if (!value) return undefined; - var m = value.match(pageFromPathRegExp); - if (m) return m[pageName]; - } - - function page(dst, src) { - return url_wrapper(dst, src, extract_page); - } - - function extract_path(value) { - var m = split_url(value); - return m? m[uriPath] || m[uriPathAlt] : undefined; - } - - function path(dst, src) { - return url_wrapper(dst, src, extract_path); - } - - // Map common schemes to their default port. 
- // port has to be a string (will be converted at a later stage). - var schemePort = { - "ftp": "21", - "ssh": "22", - "http": "80", - "https": "443", - }; - - function extract_port(value) { - var m = split_url(value); - if (!m) return undefined; - if (m[uriPort]) return m[uriPort]; - if (m[uriScheme]) { - return schemePort[m[uriScheme]]; - } - } - - function port(dst, src) { - return url_wrapper(dst, src, extract_port); - } - - function extract_query(value) { - var m = split_url(value); - if (m && m[uriQuery]) return m[uriQuery]; - } - - function query(dst, src) { - return url_wrapper(dst, src, extract_query); - } - - function extract_root(value) { - var m = split_url(value); - if (m && m[uriDomain] && m[uriDomain]) { - var scheme = m[uriScheme] && m[uriScheme] !== "null"? - m[uriScheme] + "://" : ""; - var port = m[uriPort]? ":" + m[uriPort] : ""; - return scheme + m[uriDomain] + port; - } - } - - function root(dst, src) { - return url_wrapper(dst, src, extract_root); - } - - function tagval(id, src, cfg, keys, on_success) { - var fail = function(evt) { - evt.Put(FLAG_FIELD, "tagval_parsing_error"); - } - if (cfg.kv_separator.length !== 1) { - throw("Invalid TAGVALMAP ValueDelimiter (must have 1 character)"); - } - var quotes_len = cfg.open_quote.length > 0 && cfg.close_quote.length > 0? 
- cfg.open_quote.length + cfg.close_quote.length : 0; - var kv_regex = new RegExp('^([^' + cfg.kv_separator + ']*)*' + cfg.kv_separator + ' *(.*)*$'); - return function(evt) { - var msg = evt.Get(src); - if (msg === undefined) { - console.warn("tagval: input field is missing"); - return fail(evt); - } - var pairs = msg.split(cfg.pair_separator); - var i; - var success = false; - var prev = ""; - for (i=0; i 0 && - value.length >= cfg.open_quote.length + cfg.close_quote.length && - value.substr(0, cfg.open_quote.length) === cfg.open_quote && - value.substr(value.length - cfg.close_quote.length) === cfg.close_quote) { - value = value.substr(cfg.open_quote.length, value.length - quotes_len); - } - evt.Put(FIELDS_PREFIX + field, value); - success = true; - } - if (!success) { - return fail(evt); - } - if (on_success != null) { - on_success(evt); - } - } - } - - var ecs_mappings = { - "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]}, - "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]}, - "_severity": {convert: to_long, to:[{field: "log.syslog.severity.code", setter: fld_set}]}, - "action": {to:[{field: "event.action", setter: fld_prio, prio: 0}]}, - "administrator": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 4}]}, - "alias.ip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 3},{field: "related.ip", setter: fld_append}]}, - "alias.ipv6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 4},{field: "related.ip", setter: fld_append}]}, - "alias.mac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 1}]}, - "application": {to:[{field: "network.application", setter: fld_set}]}, - "bytes": {convert: to_long, to:[{field: "network.bytes", setter: fld_set}]}, - "c_domain": {to:[{field: "source.domain", setter: fld_prio, prio: 1}]}, - "c_logon_id": {to:[{field: "user.id", setter: fld_prio, prio: 2}]}, - 
"c_user_name": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 8}]},
- "c_username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 2}]},
- "cctld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 1}]},
- "child_pid": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 1}]},
- "child_pid_val": {to:[{field: "process.title", setter: fld_set}]},
- "child_process": {to:[{field: "process.name", setter: fld_prio, prio: 1}]},
- "city.dst": {to:[{field: "destination.geo.city_name", setter: fld_set}]},
- "city.src": {to:[{field: "source.geo.city_name", setter: fld_set}]},
- "daddr": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]},
- "daddr_v6": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]},
- "ddomain": {to:[{field: "destination.domain", setter: fld_prio, prio: 0}]},
- "devicehostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]},
- "devicehostmac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 0}]},
- "dhost": {to:[{field: "destination.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]},
- "dinterface": {to:[{field: "observer.egress.interface.name", setter: fld_set}]},
- "direction": {to:[{field: "network.direction", setter: fld_set}]},
- "directory": {to:[{field: "file.directory", setter: fld_set}]},
- "dmacaddr": {convert: to_mac, to:[{field: "destination.mac", setter: fld_set}]},
- "dns.responsetype": {to:[{field: "dns.answers.type", setter: fld_set}]},
- "dns.resptext": {to:[{field: "dns.answers.name", setter: fld_set}]},
- "dns_querytype": {to:[{field: "dns.question.type", setter: fld_set}]},
- "domain": {to:[{field: "server.domain", setter: fld_prio, prio: 0},{field: "related.hosts", setter: fld_append}]},
- "domain.dst": {to:[{field: "destination.domain", setter: fld_prio, prio: 1}]},
- "domain.src": {to:[{field: "source.domain", setter: fld_prio, prio: 2}]},
- "domain_id": {to:[{field: "user.domain", setter: fld_set}]},
- "domainname": {to:[{field: "server.domain", setter: fld_prio, prio: 1}]},
- "dport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 0}]},
- "dtransaddr": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]},
- "dtransport": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 0}]},
- "ec_outcome": {to:[{field: "event.outcome", setter: fld_ecs_outcome}]},
- "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]},
- "event_source": {to:[{field: "related.hosts", setter: fld_append}]},
- "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]},
- "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]},
- "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]},
- "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]},
- "filename": {to:[{field: "file.name", setter: fld_prio, prio: 0}]},
- "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]},
- "filepath": {to:[{field: "file.path", setter: fld_set}]},
- "filetype": {to:[{field: "file.type", setter: fld_set}]},
- "fqdn": {to:[{field: "related.hosts", setter: fld_append}]},
- "group": {to:[{field: "group.name", setter: fld_set}]},
- "groupid": {to:[{field: "group.id", setter: fld_set}]},
- "host": {to:[{field: "host.name", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]},
- "hostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]},
- "hostip_v6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]},
- "hostname": {to:[{field: "host.name", setter: fld_prio, prio: 0}]},
- "id": {to:[{field: "event.code", setter: fld_prio, prio: 0}]},
- "interface": {to:[{field: "network.interface.name", setter: fld_set}]},
- "ip.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]},
- "ip.trans.dst": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]},
- "ip.trans.src": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]},
- "ipv6.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]},
- "latdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lat", setter: fld_set}]},
- "latdec_src": {convert: to_double, to:[{field: "source.geo.location.lat", setter: fld_set}]},
- "location_city": {to:[{field: "geo.city_name", setter: fld_set}]},
- "location_country": {to:[{field: "geo.country_name", setter: fld_set}]},
- "location_desc": {to:[{field: "geo.name", setter: fld_set}]},
- "location_dst": {to:[{field: "destination.geo.country_name", setter: fld_set}]},
- "location_src": {to:[{field: "source.geo.country_name", setter: fld_set}]},
- "location_state": {to:[{field: "geo.region_name", setter: fld_set}]},
- "logon_id": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 5}]},
- "longdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lon", setter: fld_set}]},
- "longdec_src": {convert: to_double, to:[{field: "source.geo.location.lon", setter: fld_set}]},
- "macaddr": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 2}]},
- "messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]},
- "method": {to:[{field: "http.request.method", setter: fld_set}]},
- "msg": {to:[{field: "message", setter: fld_set}]},
- "orig_ip": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]},
- "owner": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 6}]},
- "packets": {convert: to_long, to:[{field: "network.packets", setter: fld_set}]},
- "parent_pid": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 0}]},
- "parent_pid_val": {to:[{field: "process.parent.title", setter: fld_set}]},
- "parent_process": {to:[{field: "process.parent.name", setter: fld_prio, prio: 0}]},
- "patient_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 1}]},
- "port.dst": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 1}]},
- "port.src": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 1}]},
- "port.trans.dst": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 1}]},
- "port.trans.src": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 1}]},
- "process": {to:[{field: "process.name", setter: fld_prio, prio: 0}]},
- "process_id": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 0}]},
- "process_id_src": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 1}]},
- "process_src": {to:[{field: "process.parent.name", setter: fld_prio, prio: 1}]},
- "product": {to:[{field: "observer.product", setter: fld_set}]},
- "protocol": {to:[{field: "network.protocol", setter: fld_set}]},
- "query": {to:[{field: "url.query", setter: fld_prio, prio: 2}]},
- "rbytes": {convert: to_long, to:[{field: "destination.bytes", setter: fld_set}]},
- "referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 1}]},
- "rulename": {to:[{field: "rule.name", setter: fld_set}]},
- "saddr": {convert: to_ip, to:[{field: "source.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]},
- "saddr_v6": {convert: to_ip, to:[{field: "source.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]},
- "sbytes": {convert: to_long, to:[{field: "source.bytes", setter: fld_set}]},
- "sdomain": {to:[{field: "source.domain", setter: fld_prio, prio: 0}]},
- "service": {to:[{field: "service.name", setter: fld_prio, prio: 1}]},
- "service.name": {to:[{field: "service.name", setter: fld_prio, prio: 0}]},
- "service_account": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 7}]},
- "severity": {to:[{field: "log.level", setter: fld_set}]},
- "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]},
- "sinterface": {to:[{field: "observer.ingress.interface.name", setter: fld_set}]},
- "sld": {to:[{field: "url.registered_domain", setter: fld_set}]},
- "smacaddr": {convert: to_mac, to:[{field: "source.mac", setter: fld_set}]},
- "sport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 0}]},
- "stransaddr": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]},
- "stransport": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 0}]},
- "tcp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 2}]},
- "tcp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 2}]},
- "timezone": {to:[{field: "event.timezone", setter: fld_set}]},
- "tld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 0}]},
- "udp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 3}]},
- "udp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 3}]},
- "uid": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 3}]},
- "url": {to:[{field: "url.original", setter: fld_prio, prio: 1}]},
- "url_raw": {to:[{field: "url.original", setter: fld_prio, prio: 0}]},
- "urldomain": {to:[{field: "url.domain", setter: fld_prio, prio: 0}]},
- "urlquery": {to:[{field: "url.query", setter: fld_prio, prio: 0}]},
- "user": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 0}]},
- "user.id": {to:[{field: "user.id", setter: fld_prio, prio: 1}]},
- "user_agent": {to:[{field: "user_agent.original", setter: fld_set}]},
- "user_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 0}]},
- "user_id": {to:[{field: "user.id", setter: fld_prio, prio: 0}]},
- "username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 1}]},
- "version": {to:[{field: "observer.version", setter: fld_set}]},
- "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]},
- "web_extension": {to:[{field: "file.extension", setter: fld_prio, prio: 0}]},
- "web_query": {to:[{field: "url.query", setter: fld_prio, prio: 1}]},
- "web_ref_domain": {to:[{field: "related.hosts", setter: fld_append}]},
- "web_referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 0}]},
- "web_root": {to:[{field: "url.path", setter: fld_set}]},
- "webpage": {to:[{field: "file.name", setter: fld_prio, prio: 1}]},
- };
-
- var rsa_mappings = {
- "access_point": {to:[{field: "rsa.wireless.access_point", setter: fld_set}]},
- "accesses": {to:[{field: "rsa.identity.accesses", setter: fld_set}]},
- "acl_id": {to:[{field: "rsa.misc.acl_id", setter: fld_set}]},
- "acl_op": {to:[{field: "rsa.misc.acl_op", setter: fld_set}]},
- "acl_pos": {to:[{field: "rsa.misc.acl_pos", setter: fld_set}]},
- "acl_table": {to:[{field: "rsa.misc.acl_table", setter: fld_set}]},
- "action": {to:[{field: "rsa.misc.action", setter: fld_append}]},
- "ad_computer_dst": {to:[{field: "rsa.network.ad_computer_dst", setter: fld_set}]},
- "addr": {to:[{field: "rsa.network.addr", setter: fld_set}]},
- "admin": {to:[{field: "rsa.misc.admin", setter: fld_set}]},
- "agent": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 0}]},
- "agent.id": {to:[{field: "rsa.misc.agent_id", setter: fld_set}]},
- "alarm_id": {to:[{field: "rsa.misc.alarm_id", setter: fld_set}]},
- "alarmname": {to:[{field: "rsa.misc.alarmname", setter: fld_set}]},
- "alert": {to:[{field: "rsa.threat.alert", setter: fld_set}]},
- "alert_id": {to:[{field: "rsa.misc.alert_id", setter: fld_set}]},
- "alias.host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
- "analysis.file": {to:[{field: "rsa.investigations.analysis_file", setter: fld_set}]},
- "analysis.service": {to:[{field: "rsa.investigations.analysis_service", setter: fld_set}]},
- "analysis.session": {to:[{field: "rsa.investigations.analysis_session", setter: fld_set}]},
- "app_id": {to:[{field: "rsa.misc.app_id", setter: fld_set}]},
- "attachment": {to:[{field: "rsa.file.attachment", setter: fld_set}]},
- "audit": {to:[{field: "rsa.misc.audit", setter: fld_set}]},
- "audit_class": {to:[{field: "rsa.internal.audit_class", setter: fld_set}]},
- "audit_object": {to:[{field: "rsa.misc.audit_object", setter: fld_set}]},
- "auditdata": {to:[{field: "rsa.misc.auditdata", setter: fld_set}]},
- "authmethod": {to:[{field: "rsa.identity.auth_method", setter: fld_set}]},
- "autorun_type": {to:[{field: "rsa.misc.autorun_type", setter: fld_set}]},
- "bcc": {to:[{field: "rsa.email.email", setter: fld_append}]},
- "benchmark": {to:[{field: "rsa.misc.benchmark", setter: fld_set}]},
- "binary": {to:[{field: "rsa.file.binary", setter: fld_set}]},
- "boc": {to:[{field: "rsa.investigations.boc", setter: fld_set}]},
- "bssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 1}]},
- "bypass": {to:[{field: "rsa.misc.bypass", setter: fld_set}]},
- "c_sid": {to:[{field: "rsa.identity.user_sid_src", setter: fld_set}]},
- "cache": {to:[{field: "rsa.misc.cache", setter: fld_set}]},
- "cache_hit": {to:[{field: "rsa.misc.cache_hit", setter: fld_set}]},
- "calling_from": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 1}]},
- "calling_to": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 0}]},
- "category": {to:[{field: "rsa.misc.category", setter: fld_set}]},
- "cc": {to:[{field: "rsa.email.email", setter: fld_append}]},
- "cc.number": {convert: to_long, to:[{field: "rsa.misc.cc_number", setter: fld_set}]},
- "cefversion": {to:[{field: "rsa.misc.cefversion", setter: fld_set}]},
- "cert.serial": {to:[{field: "rsa.crypto.cert_serial", setter: fld_set}]},
- "cert_ca": {to:[{field: "rsa.crypto.cert_ca", setter: fld_set}]},
- "cert_checksum": {to:[{field: "rsa.crypto.cert_checksum", setter: fld_set}]},
- "cert_common": {to:[{field: "rsa.crypto.cert_common", setter: fld_set}]},
- "cert_error": {to:[{field: "rsa.crypto.cert_error", setter: fld_set}]},
- "cert_hostname": {to:[{field: "rsa.crypto.cert_host_name", setter: fld_set}]},
- "cert_hostname_cat": {to:[{field: "rsa.crypto.cert_host_cat", setter: fld_set}]},
- "cert_issuer": {to:[{field: "rsa.crypto.cert_issuer", setter: fld_set}]},
- "cert_keysize": {to:[{field: "rsa.crypto.cert_keysize", setter: fld_set}]},
- "cert_status": {to:[{field: "rsa.crypto.cert_status", setter: fld_set}]},
- "cert_subject": {to:[{field: "rsa.crypto.cert_subject", setter: fld_set}]},
- "cert_username": {to:[{field: "rsa.crypto.cert_username", setter: fld_set}]},
- "cfg.attr": {to:[{field: "rsa.misc.cfg_attr", setter: fld_set}]},
- "cfg.obj": {to:[{field: "rsa.misc.cfg_obj", setter: fld_set}]},
- "cfg.path": {to:[{field: "rsa.misc.cfg_path", setter: fld_set}]},
- "change_attribute": {to:[{field: "rsa.misc.change_attrib", setter: fld_set}]},
- "change_new": {to:[{field: "rsa.misc.change_new", setter: fld_set}]},
- "change_old": {to:[{field: "rsa.misc.change_old", setter: fld_set}]},
- "changes": {to:[{field: "rsa.misc.changes", setter: fld_set}]},
- "checksum": {to:[{field: "rsa.misc.checksum", setter: fld_set}]},
- "checksum.dst": {to:[{field: "rsa.misc.checksum_dst", setter: fld_set}]},
- "checksum.src": {to:[{field: "rsa.misc.checksum_src", setter: fld_set}]},
- "cid": {to:[{field: "rsa.internal.cid", setter: fld_set}]},
- "client": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 1}]},
- "client_ip": {to:[{field: "rsa.misc.client_ip", setter: fld_set}]},
- "clustermembers": {to:[{field: "rsa.misc.clustermembers", setter: fld_set}]},
- "cmd": {to:[{field: "rsa.misc.cmd", setter: fld_set}]},
- "cn_acttimeout": {to:[{field: "rsa.misc.cn_acttimeout", setter: fld_set}]},
- "cn_asn_dst": {to:[{field: "rsa.web.cn_asn_dst", setter: fld_set}]},
- "cn_asn_src": {to:[{field: "rsa.misc.cn_asn_src", setter: fld_set}]},
- "cn_bgpv4nxthop": {to:[{field: "rsa.misc.cn_bgpv4nxthop", setter: fld_set}]},
- "cn_ctr_dst_code": {to:[{field: "rsa.misc.cn_ctr_dst_code", setter: fld_set}]},
- "cn_dst_tos": {to:[{field: "rsa.misc.cn_dst_tos", setter: fld_set}]},
- "cn_dst_vlan": {to:[{field: "rsa.misc.cn_dst_vlan", setter: fld_set}]},
- "cn_engine_id": {to:[{field: "rsa.misc.cn_engine_id", setter: fld_set}]},
- "cn_engine_type": {to:[{field: "rsa.misc.cn_engine_type", setter: fld_set}]},
- "cn_f_switch": {to:[{field: "rsa.misc.cn_f_switch", setter: fld_set}]},
- "cn_flowsampid": {to:[{field: "rsa.misc.cn_flowsampid", setter: fld_set}]},
- "cn_flowsampintv": {to:[{field: "rsa.misc.cn_flowsampintv", setter: fld_set}]},
- "cn_flowsampmode": {to:[{field: "rsa.misc.cn_flowsampmode", setter: fld_set}]},
- "cn_inacttimeout": {to:[{field: "rsa.misc.cn_inacttimeout", setter: fld_set}]},
- "cn_inpermbyts": {to:[{field: "rsa.misc.cn_inpermbyts", setter: fld_set}]},
- "cn_inpermpckts": {to:[{field: "rsa.misc.cn_inpermpckts", setter: fld_set}]},
- "cn_invalid": {to:[{field: "rsa.misc.cn_invalid", setter: fld_set}]},
- "cn_ip_proto_ver": {to:[{field: "rsa.misc.cn_ip_proto_ver", setter: fld_set}]},
- "cn_ipv4_ident": {to:[{field: "rsa.misc.cn_ipv4_ident", setter: fld_set}]},
- "cn_l_switch": {to:[{field: "rsa.misc.cn_l_switch", setter: fld_set}]},
- "cn_log_did": {to:[{field: "rsa.misc.cn_log_did", setter: fld_set}]},
- "cn_log_rid": {to:[{field: "rsa.misc.cn_log_rid", setter: fld_set}]},
- "cn_max_ttl": {to:[{field: "rsa.misc.cn_max_ttl", setter: fld_set}]},
- "cn_maxpcktlen": {to:[{field: "rsa.misc.cn_maxpcktlen", setter: fld_set}]},
- "cn_min_ttl": {to:[{field: "rsa.misc.cn_min_ttl", setter: fld_set}]},
- "cn_minpcktlen": {to:[{field: "rsa.misc.cn_minpcktlen", setter: fld_set}]},
- "cn_mpls_lbl_1": {to:[{field: "rsa.misc.cn_mpls_lbl_1", setter: fld_set}]},
- "cn_mpls_lbl_10": {to:[{field: "rsa.misc.cn_mpls_lbl_10", setter: fld_set}]},
- "cn_mpls_lbl_2": {to:[{field: "rsa.misc.cn_mpls_lbl_2", setter: fld_set}]},
- "cn_mpls_lbl_3": {to:[{field: "rsa.misc.cn_mpls_lbl_3", setter: fld_set}]},
- "cn_mpls_lbl_4": {to:[{field: "rsa.misc.cn_mpls_lbl_4", setter: fld_set}]},
- "cn_mpls_lbl_5": {to:[{field: "rsa.misc.cn_mpls_lbl_5", setter: fld_set}]},
- "cn_mpls_lbl_6": {to:[{field: "rsa.misc.cn_mpls_lbl_6", setter: fld_set}]},
- "cn_mpls_lbl_7": {to:[{field: "rsa.misc.cn_mpls_lbl_7", setter: fld_set}]},
- "cn_mpls_lbl_8": {to:[{field: "rsa.misc.cn_mpls_lbl_8", setter: fld_set}]},
- "cn_mpls_lbl_9": {to:[{field: "rsa.misc.cn_mpls_lbl_9", setter: fld_set}]},
- "cn_mplstoplabel": {to:[{field: "rsa.misc.cn_mplstoplabel", setter: fld_set}]},
- "cn_mplstoplabip": {to:[{field: "rsa.misc.cn_mplstoplabip", setter: fld_set}]},
- "cn_mul_dst_byt": {to:[{field: "rsa.misc.cn_mul_dst_byt", setter: fld_set}]},
- "cn_mul_dst_pks": {to:[{field: "rsa.misc.cn_mul_dst_pks", setter: fld_set}]},
- "cn_muligmptype": {to:[{field: "rsa.misc.cn_muligmptype", setter: fld_set}]},
- "cn_rpackets": {to:[{field: "rsa.web.cn_rpackets", setter: fld_set}]},
- "cn_sampalgo": {to:[{field: "rsa.misc.cn_sampalgo", setter: fld_set}]},
- "cn_sampint": {to:[{field: "rsa.misc.cn_sampint", setter: fld_set}]},
- "cn_seqctr": {to:[{field: "rsa.misc.cn_seqctr", setter: fld_set}]},
- "cn_spackets": {to:[{field: "rsa.misc.cn_spackets", setter: fld_set}]},
- "cn_src_tos": {to:[{field: "rsa.misc.cn_src_tos", setter: fld_set}]},
- "cn_src_vlan": {to:[{field: "rsa.misc.cn_src_vlan", setter: fld_set}]},
- "cn_sysuptime": {to:[{field: "rsa.misc.cn_sysuptime", setter: fld_set}]},
- "cn_template_id": {to:[{field: "rsa.misc.cn_template_id", setter: fld_set}]},
- "cn_totbytsexp": {to:[{field: "rsa.misc.cn_totbytsexp", setter: fld_set}]},
- "cn_totflowexp": {to:[{field: "rsa.misc.cn_totflowexp", setter: fld_set}]},
- "cn_totpcktsexp": {to:[{field: "rsa.misc.cn_totpcktsexp", setter: fld_set}]},
- "cn_unixnanosecs": {to:[{field: "rsa.misc.cn_unixnanosecs", setter: fld_set}]},
- "cn_v6flowlabel": {to:[{field: "rsa.misc.cn_v6flowlabel", setter: fld_set}]},
- "cn_v6optheaders": {to:[{field: "rsa.misc.cn_v6optheaders", setter: fld_set}]},
- "code": {to:[{field: "rsa.misc.code", setter: fld_set}]},
- "command": {to:[{field: "rsa.misc.command", setter: fld_set}]},
- "comments": {to:[{field: "rsa.misc.comments", setter: fld_set}]},
- "comp_class": {to:[{field: "rsa.misc.comp_class", setter: fld_set}]},
- "comp_name": {to:[{field: "rsa.misc.comp_name", setter: fld_set}]},
- "comp_rbytes": {to:[{field: "rsa.misc.comp_rbytes", setter: fld_set}]},
- "comp_sbytes": {to:[{field: "rsa.misc.comp_sbytes", setter: fld_set}]},
- "component_version": {to:[{field: "rsa.misc.comp_version", setter: fld_set}]},
- "connection_id": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 1}]},
- "connectionid": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 0}]},
- "content": {to:[{field: "rsa.misc.content", setter: fld_set}]},
- "content_type": {to:[{field: "rsa.misc.content_type", setter: fld_set}]},
- "content_version": {to:[{field: "rsa.misc.content_version", setter: fld_set}]},
- "context": {to:[{field: "rsa.misc.context", setter: fld_set}]},
- "count": {to:[{field: "rsa.misc.count", setter: fld_set}]},
- "cpu": {convert: to_long, to:[{field: "rsa.misc.cpu", setter: fld_set}]},
- "cpu_data": {to:[{field: "rsa.misc.cpu_data", setter: fld_set}]},
- "criticality": {to:[{field: "rsa.misc.criticality", setter: fld_set}]},
- "cs_agency_dst": {to:[{field: "rsa.misc.cs_agency_dst", setter: fld_set}]},
- "cs_analyzedby": {to:[{field: "rsa.misc.cs_analyzedby", setter: fld_set}]},
- "cs_av_other": {to:[{field: "rsa.misc.cs_av_other", setter: fld_set}]},
- "cs_av_primary": {to:[{field: "rsa.misc.cs_av_primary", setter: fld_set}]},
- "cs_av_secondary": {to:[{field: "rsa.misc.cs_av_secondary", setter: fld_set}]},
- "cs_bgpv6nxthop": {to:[{field: "rsa.misc.cs_bgpv6nxthop", setter: fld_set}]},
- "cs_bit9status": {to:[{field: "rsa.misc.cs_bit9status", setter: fld_set}]},
- "cs_context": {to:[{field: "rsa.misc.cs_context", setter: fld_set}]},
- "cs_control": {to:[{field: "rsa.misc.cs_control", setter: fld_set}]},
- "cs_data": {to:[{field: "rsa.misc.cs_data", setter: fld_set}]},
- "cs_datecret": {to:[{field: "rsa.misc.cs_datecret", setter: fld_set}]},
- "cs_dst_tld": {to:[{field: "rsa.misc.cs_dst_tld", setter: fld_set}]},
- "cs_eth_dst_ven": {to:[{field: "rsa.misc.cs_eth_dst_ven", setter: fld_set}]},
- "cs_eth_src_ven": {to:[{field: "rsa.misc.cs_eth_src_ven", setter: fld_set}]},
- "cs_event_uuid": {to:[{field: "rsa.misc.cs_event_uuid", setter: fld_set}]},
- "cs_filetype": {to:[{field: "rsa.misc.cs_filetype", setter: fld_set}]},
- "cs_fld": {to:[{field: "rsa.misc.cs_fld", setter: fld_set}]},
- "cs_if_desc": {to:[{field: "rsa.misc.cs_if_desc", setter: fld_set}]},
- "cs_if_name": {to:[{field: "rsa.misc.cs_if_name", setter: fld_set}]},
- "cs_ip_next_hop": {to:[{field: "rsa.misc.cs_ip_next_hop", setter: fld_set}]},
- "cs_ipv4dstpre": {to:[{field: "rsa.misc.cs_ipv4dstpre", setter: fld_set}]},
- "cs_ipv4srcpre": {to:[{field: "rsa.misc.cs_ipv4srcpre", setter: fld_set}]},
- "cs_lifetime": {to:[{field: "rsa.misc.cs_lifetime", setter: fld_set}]},
- "cs_log_medium": {to:[{field: "rsa.misc.cs_log_medium", setter: fld_set}]},
- "cs_loginname": {to:[{field: "rsa.misc.cs_loginname", setter: fld_set}]},
- "cs_modulescore": {to:[{field: "rsa.misc.cs_modulescore", setter: fld_set}]},
- "cs_modulesign": {to:[{field: "rsa.misc.cs_modulesign", setter: fld_set}]},
- "cs_opswatresult": {to:[{field: "rsa.misc.cs_opswatresult", setter: fld_set}]},
- "cs_payload": {to:[{field: "rsa.misc.cs_payload", setter: fld_set}]},
- "cs_registrant": {to:[{field: "rsa.misc.cs_registrant", setter: fld_set}]},
- "cs_registrar": {to:[{field: "rsa.misc.cs_registrar", setter: fld_set}]},
- "cs_represult": {to:[{field: "rsa.misc.cs_represult", setter: fld_set}]},
- "cs_rpayload": {to:[{field: "rsa.misc.cs_rpayload", setter: fld_set}]},
- "cs_sampler_name": {to:[{field: "rsa.misc.cs_sampler_name", setter: fld_set}]},
- "cs_sourcemodule": {to:[{field: "rsa.misc.cs_sourcemodule", setter: fld_set}]},
- "cs_streams": {to:[{field: "rsa.misc.cs_streams", setter: fld_set}]},
- "cs_targetmodule": {to:[{field: "rsa.misc.cs_targetmodule", setter: fld_set}]},
- "cs_v6nxthop": {to:[{field: "rsa.misc.cs_v6nxthop", setter: fld_set}]},
- "cs_whois_server": {to:[{field: "rsa.misc.cs_whois_server", setter: fld_set}]},
- "cs_yararesult": {to:[{field: "rsa.misc.cs_yararesult", setter: fld_set}]},
- "cve": {to:[{field: "rsa.misc.cve", setter: fld_set}]},
- "d_certauth": {to:[{field: "rsa.crypto.d_certauth", setter: fld_set}]},
- "d_cipher": {to:[{field: "rsa.crypto.cipher_dst", setter: fld_set}]},
- "d_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_dst", setter: fld_set}]},
- "d_sslver": {to:[{field: "rsa.crypto.ssl_ver_dst", setter: fld_set}]},
- "data": {to:[{field: "rsa.internal.data", setter: fld_set}]},
- "data_type": {to:[{field: "rsa.misc.data_type", setter: fld_set}]},
- "date": {to:[{field: "rsa.time.date", setter: fld_set}]},
- "datetime": {to:[{field: "rsa.time.datetime", setter: fld_set}]},
- "day": {to:[{field: "rsa.time.day", setter: fld_set}]},
- "db_id": {to:[{field: "rsa.db.db_id", setter: fld_set}]},
- "db_name": {to:[{field: "rsa.db.database", setter: fld_set}]},
- "db_pid": {convert: to_long, to:[{field: "rsa.db.db_pid", setter: fld_set}]},
- "dclass_counter1": {convert: to_long, to:[{field: "rsa.counters.dclass_c1", setter: fld_set}]},
- "dclass_counter1_string": {to:[{field: "rsa.counters.dclass_c1_str", setter: fld_set}]},
- "dclass_counter2": {convert: to_long, to:[{field: "rsa.counters.dclass_c2", setter: fld_set}]},
- "dclass_counter2_string": {to:[{field: "rsa.counters.dclass_c2_str", setter: fld_set}]},
- "dclass_counter3": {convert: to_long, to:[{field: "rsa.counters.dclass_c3", setter: fld_set}]},
- "dclass_counter3_string": {to:[{field: "rsa.counters.dclass_c3_str", setter: fld_set}]},
- "dclass_ratio1": {to:[{field: "rsa.counters.dclass_r1", setter: fld_set}]},
- "dclass_ratio1_string": {to:[{field: "rsa.counters.dclass_r1_str", setter: fld_set}]},
- "dclass_ratio2": {to:[{field: "rsa.counters.dclass_r2", setter: fld_set}]},
- "dclass_ratio2_string": {to:[{field: "rsa.counters.dclass_r2_str", setter: fld_set}]},
- "dclass_ratio3": {to:[{field: "rsa.counters.dclass_r3", setter: fld_set}]},
- "dclass_ratio3_string": {to:[{field: "rsa.counters.dclass_r3_str", setter: fld_set}]},
- "dead": {convert: to_long, to:[{field: "rsa.internal.dead", setter: fld_set}]},
- "description": {to:[{field: "rsa.misc.description", setter: fld_set}]},
- "detail": {to:[{field: "rsa.misc.event_desc", setter: fld_set}]},
- "device": {to:[{field: "rsa.misc.device_name", setter: fld_set}]},
- "device.class": {to:[{field: "rsa.internal.device_class", setter: fld_set}]},
- "device.group": {to:[{field: "rsa.internal.device_group", setter: fld_set}]},
- "device.host": {to:[{field: "rsa.internal.device_host", setter: fld_set}]},
- "device.ip": {convert: to_ip, to:[{field: "rsa.internal.device_ip", setter: fld_set}]},
- "device.ipv6": {convert: to_ip, to:[{field: "rsa.internal.device_ipv6", setter: fld_set}]},
- "device.type": {to:[{field: "rsa.internal.device_type", setter: fld_set}]},
- "device.type.id": {convert: to_long, to:[{field: "rsa.internal.device_type_id", setter: fld_set}]},
- "devicehostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
- "devvendor": {to:[{field: "rsa.misc.devvendor", setter: fld_set}]},
- "dhost": {to:[{field: "rsa.network.host_dst", setter: fld_set}]},
- "did": {to:[{field: "rsa.internal.did", setter: fld_set}]},
- "dinterface": {to:[{field: "rsa.network.dinterface", setter: fld_set}]},
- "directory.dst": {to:[{field: "rsa.file.directory_dst", setter: fld_set}]},
- "directory.src": {to:[{field: "rsa.file.directory_src", setter: fld_set}]},
- "disk_volume": {to:[{field: "rsa.storage.disk_volume", setter: fld_set}]},
- "disposition": {to:[{field: "rsa.misc.disposition", setter: fld_set}]},
- "distance": {to:[{field: "rsa.misc.distance", setter: fld_set}]},
- "dmask": {to:[{field: "rsa.network.dmask", setter: fld_set}]},
- "dn": {to:[{field: "rsa.identity.dn", setter: fld_set}]},
- "dns_a_record": {to:[{field: "rsa.network.dns_a_record", setter: fld_set}]},
- "dns_cname_record": {to:[{field: "rsa.network.dns_cname_record", setter: fld_set}]},
- "dns_id": {to:[{field: "rsa.network.dns_id", setter: fld_set}]},
- "dns_opcode": {to:[{field: "rsa.network.dns_opcode", setter: fld_set}]},
- "dns_ptr_record": {to:[{field: "rsa.network.dns_ptr_record", setter: fld_set}]},
- "dns_resp": {to:[{field: "rsa.network.dns_resp", setter: fld_set}]},
- "dns_type": {to:[{field: "rsa.network.dns_type", setter: fld_set}]},
- "doc_number": {convert: to_long, to:[{field: "rsa.misc.doc_number", setter: fld_set}]},
- "domain": {to:[{field: "rsa.network.domain", setter: fld_set}]},
- "domain1": {to:[{field: "rsa.network.domain1", setter: fld_set}]},
- "dst_dn": {to:[{field: "rsa.identity.dn_dst", setter: fld_set}]},
- "dst_payload": {to:[{field: "rsa.misc.payload_dst", setter: fld_set}]},
- "dst_spi": {to:[{field: "rsa.misc.spi_dst", setter: fld_set}]},
- "dst_zone": {to:[{field: "rsa.network.zone_dst", setter: fld_set}]},
- "dstburb": {to:[{field: "rsa.misc.dstburb", setter: fld_set}]},
- "duration": {convert: to_double, to:[{field: "rsa.time.duration_time", setter: fld_set}]},
- "duration_string": {to:[{field: "rsa.time.duration_str", setter: fld_set}]},
- "ec_activity": {to:[{field: "rsa.investigations.ec_activity", setter: fld_set}]},
- "ec_outcome": {to:[{field: "rsa.investigations.ec_outcome", setter: fld_set}]},
- "ec_subject": {to:[{field: "rsa.investigations.ec_subject", setter: fld_set}]},
- "ec_theme": {to:[{field: "rsa.investigations.ec_theme", setter: fld_set}]},
- "edomain": {to:[{field: "rsa.misc.edomain", setter: fld_set}]},
- "edomaub": {to:[{field: "rsa.misc.edomaub", setter: fld_set}]},
- "effective_time": {convert: to_date, to:[{field: "rsa.time.effective_time", setter: fld_set}]},
- "ein.number": {convert: to_long, to:[{field: "rsa.misc.ein_number", setter: fld_set}]},
- "email": {to:[{field: "rsa.email.email", setter: fld_append}]},
- "encryption_type": {to:[{field: "rsa.crypto.crypto", setter: fld_set}]},
- "endtime": {convert: to_date, to:[{field: "rsa.time.endtime", setter: fld_set}]},
- "entropy.req": {convert: to_long, to:[{field: "rsa.internal.entropy_req", setter: fld_set}]},
- "entropy.res": {convert: to_long, to:[{field: "rsa.internal.entropy_res", setter: fld_set}]},
- "entry": {to:[{field: "rsa.internal.entry", setter: fld_set}]},
- "eoc": {to:[{field: "rsa.investigations.eoc", setter: fld_set}]},
- "error": {to:[{field: "rsa.misc.error", setter: fld_set}]},
- "eth_type": {convert: to_long, to:[{field: "rsa.network.eth_type", setter: fld_set}]},
- "euid": {to:[{field: "rsa.misc.euid", setter: fld_set}]},
- "event.cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 1}]},
- "event.cat.name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 1}]},
- "event_cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 0}]},
- "event_cat_name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 0}]},
- "event_category": {to:[{field: "rsa.misc.event_category", setter: fld_set}]},
- "event_computer": {to:[{field: "rsa.misc.event_computer", setter: fld_set}]},
- "event_counter": {convert: to_long, to:[{field: "rsa.counters.event_counter", setter: fld_set}]},
- "event_description": {to:[{field: "rsa.internal.event_desc", setter: fld_set}]},
- "event_id": {to:[{field: "rsa.misc.event_id", setter: fld_set}]},
- "event_log": {to:[{field: "rsa.misc.event_log", setter: fld_set}]},
- "event_name": {to:[{field: "rsa.internal.event_name", setter: fld_set}]},
- "event_queue_time": {convert: to_date, to:[{field: "rsa.time.event_queue_time", setter: fld_set}]},
- "event_source": {to:[{field: "rsa.misc.event_source", setter: fld_set}]},
- "event_state": {to:[{field: "rsa.misc.event_state", setter: fld_set}]},
- "event_time": {convert: to_date, to:[{field: "rsa.time.event_time", setter: fld_set}]},
- "event_time_str": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 1}]},
- "event_time_string": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 0}]},
- "event_type": {to:[{field: "rsa.misc.event_type", setter: fld_set}]},
- "event_user": {to:[{field: "rsa.misc.event_user", setter: fld_set}]},
- "eventtime": {to:[{field: "rsa.time.eventtime", setter: fld_set}]},
- "expected_val": {to:[{field: "rsa.misc.expected_val", setter: fld_set}]},
- "expiration_time": {convert: to_date, to:[{field: "rsa.time.expire_time", setter: fld_set}]},
- "expiration_time_string": {to:[{field: "rsa.time.expire_time_str", setter: fld_set}]},
- "facility": {to:[{field: "rsa.misc.facility", setter: fld_set}]},
- "facilityname": {to:[{field: "rsa.misc.facilityname", setter: fld_set}]},
- "faddr": {to:[{field: "rsa.network.faddr", setter: fld_set}]},
- "fcatnum": {to:[{field: "rsa.misc.fcatnum", setter: fld_set}]},
- "federated_idp": {to:[{field: "rsa.identity.federated_idp", setter: fld_set}]},
- "federated_sp": {to:[{field: "rsa.identity.federated_sp", setter: fld_set}]},
- "feed.category": {to:[{field: "rsa.internal.feed_category", setter: fld_set}]},
- "feed_desc": {to:[{field: "rsa.internal.feed_desc", setter: fld_set}]},
- "feed_name": {to:[{field: "rsa.internal.feed_name", setter: fld_set}]},
- "fhost": {to:[{field: "rsa.network.fhost", setter: fld_set}]},
- "file_entropy": {convert: to_double, to:[{field: "rsa.file.file_entropy", setter: fld_set}]},
- "file_vendor": {to:[{field: "rsa.file.file_vendor", setter: fld_set}]},
- "filename_dst": {to:[{field: "rsa.file.filename_dst", setter: fld_set}]},
- "filename_src": {to:[{field: "rsa.file.filename_src", setter: fld_set}]},
- "filename_tmp": {to:[{field: "rsa.file.filename_tmp", setter: fld_set}]},
- "filesystem": {to:[{field: "rsa.file.filesystem", setter: fld_set}]},
- "filter": {to:[{field: "rsa.misc.filter", setter: fld_set}]},
- "finterface": {to:[{field: "rsa.misc.finterface", setter: fld_set}]},
- "flags": {to:[{field: "rsa.misc.flags", setter: fld_set}]},
- "forensic_info": {to:[{field: "rsa.misc.forensic_info", setter: fld_set}]},
- "forward.ip": {convert: to_ip, to:[{field: "rsa.internal.forward_ip", setter: fld_set}]},
- "forward.ipv6": {convert: to_ip, to:[{field: "rsa.internal.forward_ipv6", setter: fld_set}]},
- "found": {to:[{field: "rsa.misc.found", setter: fld_set}]},
- "fport": {to:[{field: "rsa.network.fport", setter: fld_set}]},
- "fqdn": {to:[{field: "rsa.web.fqdn", setter: fld_set}]},
- "fresult": {convert: to_long, to:[{field: "rsa.misc.fresult", setter: fld_set}]},
- "from": {to:[{field: "rsa.email.email_src", setter: fld_set}]},
- "gaddr": {to:[{field: "rsa.misc.gaddr", setter: fld_set}]},
- "gateway": {to:[{field: "rsa.network.gateway", setter: fld_set}]},
- "gmtdate": {to:[{field: "rsa.time.gmtdate", setter: fld_set}]},
- "gmttime": {to:[{field: "rsa.time.gmttime", setter: fld_set}]},
- "group": {to:[{field: "rsa.misc.group", setter: fld_set}]},
- "group_object": {to:[{field: "rsa.misc.group_object", setter: fld_set}]},
- "groupid": {to:[{field: "rsa.misc.group_id", setter:
fld_set}]}, - "h_code": {to:[{field: "rsa.internal.hcode", setter: fld_set}]}, - "hardware_id": {to:[{field: "rsa.misc.hardware_id", setter: fld_set}]}, - "header.id": {to:[{field: "rsa.internal.header_id", setter: fld_set}]}, - "host.orig": {to:[{field: "rsa.network.host_orig", setter: fld_set}]}, - "host.state": {to:[{field: "rsa.endpoint.host_state", setter: fld_set}]}, - "host.type": {to:[{field: "rsa.network.host_type", setter: fld_set}]}, - "host_role": {to:[{field: "rsa.identity.host_role", setter: fld_set}]}, - "hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "hostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "hour": {to:[{field: "rsa.time.hour", setter: fld_set}]}, - "https.insact": {to:[{field: "rsa.crypto.https_insact", setter: fld_set}]}, - "https.valid": {to:[{field: "rsa.crypto.https_valid", setter: fld_set}]}, - "icmpcode": {convert: to_long, to:[{field: "rsa.network.icmp_code", setter: fld_set}]}, - "icmptype": {convert: to_long, to:[{field: "rsa.network.icmp_type", setter: fld_set}]}, - "id": {to:[{field: "rsa.misc.reference_id", setter: fld_set}]}, - "id1": {to:[{field: "rsa.misc.reference_id1", setter: fld_set}]}, - "id2": {to:[{field: "rsa.misc.reference_id2", setter: fld_set}]}, - "id3": {to:[{field: "rsa.misc.id3", setter: fld_set}]}, - "ike": {to:[{field: "rsa.crypto.ike", setter: fld_set}]}, - "ike_cookie1": {to:[{field: "rsa.crypto.ike_cookie1", setter: fld_set}]}, - "ike_cookie2": {to:[{field: "rsa.crypto.ike_cookie2", setter: fld_set}]}, - "im_buddyid": {to:[{field: "rsa.misc.im_buddyid", setter: fld_set}]}, - "im_buddyname": {to:[{field: "rsa.misc.im_buddyname", setter: fld_set}]}, - "im_client": {to:[{field: "rsa.misc.im_client", setter: fld_set}]}, - "im_croomid": {to:[{field: "rsa.misc.im_croomid", setter: fld_set}]}, - "im_croomtype": {to:[{field: "rsa.misc.im_croomtype", setter: fld_set}]}, - "im_members": {to:[{field: "rsa.misc.im_members", setter: fld_set}]}, - "im_userid": 
{to:[{field: "rsa.misc.im_userid", setter: fld_set}]}, - "im_username": {to:[{field: "rsa.misc.im_username", setter: fld_set}]}, - "index": {to:[{field: "rsa.misc.index", setter: fld_set}]}, - "info": {to:[{field: "rsa.db.index", setter: fld_set}]}, - "inode": {convert: to_long, to:[{field: "rsa.internal.inode", setter: fld_set}]}, - "inout": {to:[{field: "rsa.misc.inout", setter: fld_set}]}, - "instance": {to:[{field: "rsa.db.instance", setter: fld_set}]}, - "interface": {to:[{field: "rsa.network.interface", setter: fld_set}]}, - "inv.category": {to:[{field: "rsa.investigations.inv_category", setter: fld_set}]}, - "inv.context": {to:[{field: "rsa.investigations.inv_context", setter: fld_set}]}, - "ioc": {to:[{field: "rsa.investigations.ioc", setter: fld_set}]}, - "ip_proto": {convert: to_long, to:[{field: "rsa.network.ip_proto", setter: fld_set}]}, - "ipkt": {to:[{field: "rsa.misc.ipkt", setter: fld_set}]}, - "ipscat": {to:[{field: "rsa.misc.ipscat", setter: fld_set}]}, - "ipspri": {to:[{field: "rsa.misc.ipspri", setter: fld_set}]}, - "jobname": {to:[{field: "rsa.misc.jobname", setter: fld_set}]}, - "jobnum": {to:[{field: "rsa.misc.job_num", setter: fld_set}]}, - "laddr": {to:[{field: "rsa.network.laddr", setter: fld_set}]}, - "language": {to:[{field: "rsa.misc.language", setter: fld_set}]}, - "latitude": {to:[{field: "rsa.misc.latitude", setter: fld_set}]}, - "lc.cid": {to:[{field: "rsa.internal.lc_cid", setter: fld_set}]}, - "lc.ctime": {convert: to_date, to:[{field: "rsa.internal.lc_ctime", setter: fld_set}]}, - "ldap": {to:[{field: "rsa.identity.ldap", setter: fld_set}]}, - "ldap.query": {to:[{field: "rsa.identity.ldap_query", setter: fld_set}]}, - "ldap.response": {to:[{field: "rsa.identity.ldap_response", setter: fld_set}]}, - "level": {convert: to_long, to:[{field: "rsa.internal.level", setter: fld_set}]}, - "lhost": {to:[{field: "rsa.network.lhost", setter: fld_set}]}, - "library": {to:[{field: "rsa.misc.library", setter: fld_set}]}, - "lifetime": 
{convert: to_long, to:[{field: "rsa.misc.lifetime", setter: fld_set}]}, - "linenum": {to:[{field: "rsa.misc.linenum", setter: fld_set}]}, - "link": {to:[{field: "rsa.misc.link", setter: fld_set}]}, - "linterface": {to:[{field: "rsa.network.linterface", setter: fld_set}]}, - "list_name": {to:[{field: "rsa.misc.list_name", setter: fld_set}]}, - "listnum": {to:[{field: "rsa.misc.listnum", setter: fld_set}]}, - "load_data": {to:[{field: "rsa.misc.load_data", setter: fld_set}]}, - "location_floor": {to:[{field: "rsa.misc.location_floor", setter: fld_set}]}, - "location_mark": {to:[{field: "rsa.misc.location_mark", setter: fld_set}]}, - "log_id": {to:[{field: "rsa.misc.log_id", setter: fld_set}]}, - "log_type": {to:[{field: "rsa.misc.log_type", setter: fld_set}]}, - "logid": {to:[{field: "rsa.misc.logid", setter: fld_set}]}, - "logip": {to:[{field: "rsa.misc.logip", setter: fld_set}]}, - "logname": {to:[{field: "rsa.misc.logname", setter: fld_set}]}, - "logon_type": {to:[{field: "rsa.identity.logon_type", setter: fld_set}]}, - "logon_type_desc": {to:[{field: "rsa.identity.logon_type_desc", setter: fld_set}]}, - "longitude": {to:[{field: "rsa.misc.longitude", setter: fld_set}]}, - "lport": {to:[{field: "rsa.misc.lport", setter: fld_set}]}, - "lread": {convert: to_long, to:[{field: "rsa.db.lread", setter: fld_set}]}, - "lun": {to:[{field: "rsa.storage.lun", setter: fld_set}]}, - "lwrite": {convert: to_long, to:[{field: "rsa.db.lwrite", setter: fld_set}]}, - "macaddr": {convert: to_mac, to:[{field: "rsa.network.eth_host", setter: fld_set}]}, - "mail_id": {to:[{field: "rsa.misc.mail_id", setter: fld_set}]}, - "mask": {to:[{field: "rsa.network.mask", setter: fld_set}]}, - "match": {to:[{field: "rsa.misc.match", setter: fld_set}]}, - "mbug_data": {to:[{field: "rsa.misc.mbug_data", setter: fld_set}]}, - "mcb.req": {convert: to_long, to:[{field: "rsa.internal.mcb_req", setter: fld_set}]}, - "mcb.res": {convert: to_long, to:[{field: "rsa.internal.mcb_res", setter: fld_set}]}, - 
"mcbc.req": {convert: to_long, to:[{field: "rsa.internal.mcbc_req", setter: fld_set}]}, - "mcbc.res": {convert: to_long, to:[{field: "rsa.internal.mcbc_res", setter: fld_set}]}, - "medium": {convert: to_long, to:[{field: "rsa.internal.medium", setter: fld_set}]}, - "message": {to:[{field: "rsa.internal.message", setter: fld_set}]}, - "message_body": {to:[{field: "rsa.misc.message_body", setter: fld_set}]}, - "messageid": {to:[{field: "rsa.internal.messageid", setter: fld_set}]}, - "min": {to:[{field: "rsa.time.min", setter: fld_set}]}, - "misc": {to:[{field: "rsa.misc.misc", setter: fld_set}]}, - "misc_name": {to:[{field: "rsa.misc.misc_name", setter: fld_set}]}, - "mode": {to:[{field: "rsa.misc.mode", setter: fld_set}]}, - "month": {to:[{field: "rsa.time.month", setter: fld_set}]}, - "msg": {to:[{field: "rsa.internal.msg", setter: fld_set}]}, - "msgIdPart1": {to:[{field: "rsa.misc.msgIdPart1", setter: fld_set}]}, - "msgIdPart2": {to:[{field: "rsa.misc.msgIdPart2", setter: fld_set}]}, - "msgIdPart3": {to:[{field: "rsa.misc.msgIdPart3", setter: fld_set}]}, - "msgIdPart4": {to:[{field: "rsa.misc.msgIdPart4", setter: fld_set}]}, - "msg_id": {to:[{field: "rsa.internal.msg_id", setter: fld_set}]}, - "msg_type": {to:[{field: "rsa.misc.msg_type", setter: fld_set}]}, - "msgid": {to:[{field: "rsa.misc.msgid", setter: fld_set}]}, - "name": {to:[{field: "rsa.misc.name", setter: fld_set}]}, - "netname": {to:[{field: "rsa.network.netname", setter: fld_set}]}, - "netsessid": {to:[{field: "rsa.misc.netsessid", setter: fld_set}]}, - "network_port": {convert: to_long, to:[{field: "rsa.network.network_port", setter: fld_set}]}, - "network_service": {to:[{field: "rsa.network.network_service", setter: fld_set}]}, - "node": {to:[{field: "rsa.misc.node", setter: fld_set}]}, - "nodename": {to:[{field: "rsa.internal.node_name", setter: fld_set}]}, - "ntype": {to:[{field: "rsa.misc.ntype", setter: fld_set}]}, - "num": {to:[{field: "rsa.misc.num", setter: fld_set}]}, - "number": 
{to:[{field: "rsa.misc.number", setter: fld_set}]}, - "number1": {to:[{field: "rsa.misc.number1", setter: fld_set}]}, - "number2": {to:[{field: "rsa.misc.number2", setter: fld_set}]}, - "nwe.callback_id": {to:[{field: "rsa.internal.nwe_callback_id", setter: fld_set}]}, - "nwwn": {to:[{field: "rsa.misc.nwwn", setter: fld_set}]}, - "obj_id": {to:[{field: "rsa.internal.obj_id", setter: fld_set}]}, - "obj_name": {to:[{field: "rsa.misc.obj_name", setter: fld_set}]}, - "obj_server": {to:[{field: "rsa.internal.obj_server", setter: fld_set}]}, - "obj_type": {to:[{field: "rsa.misc.obj_type", setter: fld_set}]}, - "obj_value": {to:[{field: "rsa.internal.obj_val", setter: fld_set}]}, - "object": {to:[{field: "rsa.misc.object", setter: fld_set}]}, - "observed_val": {to:[{field: "rsa.misc.observed_val", setter: fld_set}]}, - "operation": {to:[{field: "rsa.misc.operation", setter: fld_set}]}, - "operation_id": {to:[{field: "rsa.misc.operation_id", setter: fld_set}]}, - "opkt": {to:[{field: "rsa.misc.opkt", setter: fld_set}]}, - "org.dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 1}]}, - "org.src": {to:[{field: "rsa.physical.org_src", setter: fld_set}]}, - "org_dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 0}]}, - "orig_from": {to:[{field: "rsa.misc.orig_from", setter: fld_set}]}, - "origin": {to:[{field: "rsa.network.origin", setter: fld_set}]}, - "original_owner": {to:[{field: "rsa.identity.owner", setter: fld_set}]}, - "os": {to:[{field: "rsa.misc.OS", setter: fld_set}]}, - "owner_id": {to:[{field: "rsa.misc.owner_id", setter: fld_set}]}, - "p_action": {to:[{field: "rsa.misc.p_action", setter: fld_set}]}, - "p_date": {to:[{field: "rsa.time.p_date", setter: fld_set}]}, - "p_filter": {to:[{field: "rsa.misc.p_filter", setter: fld_set}]}, - "p_group_object": {to:[{field: "rsa.misc.p_group_object", setter: fld_set}]}, - "p_id": {to:[{field: "rsa.misc.p_id", setter: fld_set}]}, - "p_month": {to:[{field: "rsa.time.p_month", setter: fld_set}]}, 
- "p_msgid": {to:[{field: "rsa.misc.p_msgid", setter: fld_set}]}, - "p_msgid1": {to:[{field: "rsa.misc.p_msgid1", setter: fld_set}]}, - "p_msgid2": {to:[{field: "rsa.misc.p_msgid2", setter: fld_set}]}, - "p_result1": {to:[{field: "rsa.misc.p_result1", setter: fld_set}]}, - "p_time": {to:[{field: "rsa.time.p_time", setter: fld_set}]}, - "p_time1": {to:[{field: "rsa.time.p_time1", setter: fld_set}]}, - "p_time2": {to:[{field: "rsa.time.p_time2", setter: fld_set}]}, - "p_url": {to:[{field: "rsa.web.p_url", setter: fld_set}]}, - "p_user_agent": {to:[{field: "rsa.web.p_user_agent", setter: fld_set}]}, - "p_web_cookie": {to:[{field: "rsa.web.p_web_cookie", setter: fld_set}]}, - "p_web_method": {to:[{field: "rsa.web.p_web_method", setter: fld_set}]}, - "p_web_referer": {to:[{field: "rsa.web.p_web_referer", setter: fld_set}]}, - "p_year": {to:[{field: "rsa.time.p_year", setter: fld_set}]}, - "packet_length": {to:[{field: "rsa.network.packet_length", setter: fld_set}]}, - "paddr": {convert: to_ip, to:[{field: "rsa.network.paddr", setter: fld_set}]}, - "param": {to:[{field: "rsa.misc.param", setter: fld_set}]}, - "param.dst": {to:[{field: "rsa.misc.param_dst", setter: fld_set}]}, - "param.src": {to:[{field: "rsa.misc.param_src", setter: fld_set}]}, - "parent_node": {to:[{field: "rsa.misc.parent_node", setter: fld_set}]}, - "parse.error": {to:[{field: "rsa.internal.parse_error", setter: fld_set}]}, - "password": {to:[{field: "rsa.identity.password", setter: fld_set}]}, - "password_chg": {to:[{field: "rsa.misc.password_chg", setter: fld_set}]}, - "password_expire": {to:[{field: "rsa.misc.password_expire", setter: fld_set}]}, - "patient_fname": {to:[{field: "rsa.healthcare.patient_fname", setter: fld_set}]}, - "patient_id": {to:[{field: "rsa.healthcare.patient_id", setter: fld_set}]}, - "patient_lname": {to:[{field: "rsa.healthcare.patient_lname", setter: fld_set}]}, - "patient_mname": {to:[{field: "rsa.healthcare.patient_mname", setter: fld_set}]}, - "payload.req": {convert: 
to_long, to:[{field: "rsa.internal.payload_req", setter: fld_set}]}, - "payload.res": {convert: to_long, to:[{field: "rsa.internal.payload_res", setter: fld_set}]}, - "peer": {to:[{field: "rsa.crypto.peer", setter: fld_set}]}, - "peer_id": {to:[{field: "rsa.crypto.peer_id", setter: fld_set}]}, - "permgranted": {to:[{field: "rsa.misc.permgranted", setter: fld_set}]}, - "permissions": {to:[{field: "rsa.db.permissions", setter: fld_set}]}, - "permwanted": {to:[{field: "rsa.misc.permwanted", setter: fld_set}]}, - "pgid": {to:[{field: "rsa.misc.pgid", setter: fld_set}]}, - "phone_number": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 2}]}, - "phost": {to:[{field: "rsa.network.phost", setter: fld_set}]}, - "pid": {to:[{field: "rsa.misc.pid", setter: fld_set}]}, - "policy": {to:[{field: "rsa.misc.policy", setter: fld_set}]}, - "policyUUID": {to:[{field: "rsa.misc.policyUUID", setter: fld_set}]}, - "policy_id": {to:[{field: "rsa.misc.policy_id", setter: fld_set}]}, - "policy_value": {to:[{field: "rsa.misc.policy_value", setter: fld_set}]}, - "policy_waiver": {to:[{field: "rsa.misc.policy_waiver", setter: fld_set}]}, - "policyname": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 0}]}, - "pool_id": {to:[{field: "rsa.misc.pool_id", setter: fld_set}]}, - "pool_name": {to:[{field: "rsa.misc.pool_name", setter: fld_set}]}, - "port": {convert: to_long, to:[{field: "rsa.network.port", setter: fld_set}]}, - "portname": {to:[{field: "rsa.misc.port_name", setter: fld_set}]}, - "pread": {convert: to_long, to:[{field: "rsa.db.pread", setter: fld_set}]}, - "priority": {to:[{field: "rsa.misc.priority", setter: fld_set}]}, - "privilege": {to:[{field: "rsa.file.privilege", setter: fld_set}]}, - "process.vid.dst": {to:[{field: "rsa.internal.process_vid_dst", setter: fld_set}]}, - "process.vid.src": {to:[{field: "rsa.internal.process_vid_src", setter: fld_set}]}, - "process_id_val": {to:[{field: "rsa.misc.process_id_val", setter: fld_set}]}, - "processing_time": 
{to:[{field: "rsa.time.process_time", setter: fld_set}]}, - "profile": {to:[{field: "rsa.identity.profile", setter: fld_set}]}, - "prog_asp_num": {to:[{field: "rsa.misc.prog_asp_num", setter: fld_set}]}, - "program": {to:[{field: "rsa.misc.program", setter: fld_set}]}, - "protocol_detail": {to:[{field: "rsa.network.protocol_detail", setter: fld_set}]}, - "pwwn": {to:[{field: "rsa.storage.pwwn", setter: fld_set}]}, - "r_hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "real_data": {to:[{field: "rsa.misc.real_data", setter: fld_set}]}, - "realm": {to:[{field: "rsa.identity.realm", setter: fld_set}]}, - "reason": {to:[{field: "rsa.misc.reason", setter: fld_set}]}, - "rec_asp_device": {to:[{field: "rsa.misc.rec_asp_device", setter: fld_set}]}, - "rec_asp_num": {to:[{field: "rsa.misc.rec_asp_num", setter: fld_set}]}, - "rec_library": {to:[{field: "rsa.misc.rec_library", setter: fld_set}]}, - "recorded_time": {convert: to_date, to:[{field: "rsa.time.recorded_time", setter: fld_set}]}, - "recordnum": {to:[{field: "rsa.misc.recordnum", setter: fld_set}]}, - "registry.key": {to:[{field: "rsa.endpoint.registry_key", setter: fld_set}]}, - "registry.value": {to:[{field: "rsa.endpoint.registry_value", setter: fld_set}]}, - "remote_domain": {to:[{field: "rsa.web.remote_domain", setter: fld_set}]}, - "remote_domain_id": {to:[{field: "rsa.network.remote_domain_id", setter: fld_set}]}, - "reputation_num": {convert: to_double, to:[{field: "rsa.web.reputation_num", setter: fld_set}]}, - "resource": {to:[{field: "rsa.internal.resource", setter: fld_set}]}, - "resource_class": {to:[{field: "rsa.internal.resource_class", setter: fld_set}]}, - "result": {to:[{field: "rsa.misc.result", setter: fld_set}]}, - "result_code": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 1}]}, - "resultcode": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 0}]}, - "rid": {convert: to_long, to:[{field: "rsa.internal.rid", setter: fld_set}]}, - "risk": 
{to:[{field: "rsa.misc.risk", setter: fld_set}]}, - "risk_info": {to:[{field: "rsa.misc.risk_info", setter: fld_set}]}, - "risk_num": {convert: to_double, to:[{field: "rsa.misc.risk_num", setter: fld_set}]}, - "risk_num_comm": {convert: to_double, to:[{field: "rsa.misc.risk_num_comm", setter: fld_set}]}, - "risk_num_next": {convert: to_double, to:[{field: "rsa.misc.risk_num_next", setter: fld_set}]}, - "risk_num_sand": {convert: to_double, to:[{field: "rsa.misc.risk_num_sand", setter: fld_set}]}, - "risk_num_static": {convert: to_double, to:[{field: "rsa.misc.risk_num_static", setter: fld_set}]}, - "risk_suspicious": {to:[{field: "rsa.misc.risk_suspicious", setter: fld_set}]}, - "risk_warning": {to:[{field: "rsa.misc.risk_warning", setter: fld_set}]}, - "rpayload": {to:[{field: "rsa.network.rpayload", setter: fld_set}]}, - "ruid": {to:[{field: "rsa.misc.ruid", setter: fld_set}]}, - "rule": {to:[{field: "rsa.misc.rule", setter: fld_set}]}, - "rule_group": {to:[{field: "rsa.misc.rule_group", setter: fld_set}]}, - "rule_template": {to:[{field: "rsa.misc.rule_template", setter: fld_set}]}, - "rule_uid": {to:[{field: "rsa.misc.rule_uid", setter: fld_set}]}, - "rulename": {to:[{field: "rsa.misc.rule_name", setter: fld_set}]}, - "s_certauth": {to:[{field: "rsa.crypto.s_certauth", setter: fld_set}]}, - "s_cipher": {to:[{field: "rsa.crypto.cipher_src", setter: fld_set}]}, - "s_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_src", setter: fld_set}]}, - "s_context": {to:[{field: "rsa.misc.context_subject", setter: fld_set}]}, - "s_sslver": {to:[{field: "rsa.crypto.ssl_ver_src", setter: fld_set}]}, - "sburb": {to:[{field: "rsa.misc.sburb", setter: fld_set}]}, - "scheme": {to:[{field: "rsa.crypto.scheme", setter: fld_set}]}, - "sdomain_fld": {to:[{field: "rsa.misc.sdomain_fld", setter: fld_set}]}, - "search.text": {to:[{field: "rsa.misc.search_text", setter: fld_set}]}, - "sec": {to:[{field: "rsa.misc.sec", setter: fld_set}]}, - "second": {to:[{field: 
"rsa.misc.second", setter: fld_set}]}, - "sensor": {to:[{field: "rsa.misc.sensor", setter: fld_set}]}, - "sensorname": {to:[{field: "rsa.misc.sensorname", setter: fld_set}]}, - "seqnum": {to:[{field: "rsa.misc.seqnum", setter: fld_set}]}, - "serial_number": {to:[{field: "rsa.misc.serial_number", setter: fld_set}]}, - "service.account": {to:[{field: "rsa.identity.service_account", setter: fld_set}]}, - "session": {to:[{field: "rsa.misc.session", setter: fld_set}]}, - "session.split": {to:[{field: "rsa.internal.session_split", setter: fld_set}]}, - "sessionid": {to:[{field: "rsa.misc.log_session_id", setter: fld_set}]}, - "sessionid1": {to:[{field: "rsa.misc.log_session_id1", setter: fld_set}]}, - "sessiontype": {to:[{field: "rsa.misc.sessiontype", setter: fld_set}]}, - "severity": {to:[{field: "rsa.misc.severity", setter: fld_set}]}, - "sid": {to:[{field: "rsa.identity.user_sid_dst", setter: fld_set}]}, - "sig.name": {to:[{field: "rsa.misc.sig_name", setter: fld_set}]}, - "sigUUID": {to:[{field: "rsa.misc.sigUUID", setter: fld_set}]}, - "sigcat": {to:[{field: "rsa.misc.sigcat", setter: fld_set}]}, - "sigid": {convert: to_long, to:[{field: "rsa.misc.sig_id", setter: fld_set}]}, - "sigid1": {convert: to_long, to:[{field: "rsa.misc.sig_id1", setter: fld_set}]}, - "sigid_string": {to:[{field: "rsa.misc.sig_id_str", setter: fld_set}]}, - "signame": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 1}]}, - "sigtype": {to:[{field: "rsa.crypto.sig_type", setter: fld_set}]}, - "sinterface": {to:[{field: "rsa.network.sinterface", setter: fld_set}]}, - "site": {to:[{field: "rsa.internal.site", setter: fld_set}]}, - "size": {convert: to_long, to:[{field: "rsa.internal.size", setter: fld_set}]}, - "smask": {to:[{field: "rsa.network.smask", setter: fld_set}]}, - "snmp.oid": {to:[{field: "rsa.misc.snmp_oid", setter: fld_set}]}, - "snmp.value": {to:[{field: "rsa.misc.snmp_value", setter: fld_set}]}, - "sourcefile": {to:[{field: "rsa.internal.sourcefile", setter: 
fld_set}]}, - "space": {to:[{field: "rsa.misc.space", setter: fld_set}]}, - "space1": {to:[{field: "rsa.misc.space1", setter: fld_set}]}, - "spi": {to:[{field: "rsa.misc.spi", setter: fld_set}]}, - "sql": {to:[{field: "rsa.misc.sql", setter: fld_set}]}, - "src_dn": {to:[{field: "rsa.identity.dn_src", setter: fld_set}]}, - "src_payload": {to:[{field: "rsa.misc.payload_src", setter: fld_set}]}, - "src_spi": {to:[{field: "rsa.misc.spi_src", setter: fld_set}]}, - "src_zone": {to:[{field: "rsa.network.zone_src", setter: fld_set}]}, - "srcburb": {to:[{field: "rsa.misc.srcburb", setter: fld_set}]}, - "srcdom": {to:[{field: "rsa.misc.srcdom", setter: fld_set}]}, - "srcservice": {to:[{field: "rsa.misc.srcservice", setter: fld_set}]}, - "ssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 0}]}, - "stamp": {convert: to_date, to:[{field: "rsa.time.stamp", setter: fld_set}]}, - "starttime": {convert: to_date, to:[{field: "rsa.time.starttime", setter: fld_set}]}, - "state": {to:[{field: "rsa.misc.state", setter: fld_set}]}, - "statement": {to:[{field: "rsa.internal.statement", setter: fld_set}]}, - "status": {to:[{field: "rsa.misc.status", setter: fld_set}]}, - "status1": {to:[{field: "rsa.misc.status1", setter: fld_set}]}, - "streams": {convert: to_long, to:[{field: "rsa.misc.streams", setter: fld_set}]}, - "subcategory": {to:[{field: "rsa.misc.subcategory", setter: fld_set}]}, - "subject": {to:[{field: "rsa.email.subject", setter: fld_set}]}, - "svcno": {to:[{field: "rsa.misc.svcno", setter: fld_set}]}, - "system": {to:[{field: "rsa.misc.system", setter: fld_set}]}, - "t_context": {to:[{field: "rsa.misc.context_target", setter: fld_set}]}, - "task_name": {to:[{field: "rsa.file.task_name", setter: fld_set}]}, - "tbdstr1": {to:[{field: "rsa.misc.tbdstr1", setter: fld_set}]}, - "tbdstr2": {to:[{field: "rsa.misc.tbdstr2", setter: fld_set}]}, - "tbl_name": {to:[{field: "rsa.db.table_name", setter: fld_set}]}, - "tcp_flags": {convert: to_long, to:[{field: 
"rsa.misc.tcp_flags", setter: fld_set}]}, - "terminal": {to:[{field: "rsa.misc.terminal", setter: fld_set}]}, - "tgtdom": {to:[{field: "rsa.misc.tgtdom", setter: fld_set}]}, - "tgtdomain": {to:[{field: "rsa.misc.tgtdomain", setter: fld_set}]}, - "threat_name": {to:[{field: "rsa.threat.threat_category", setter: fld_set}]}, - "threat_source": {to:[{field: "rsa.threat.threat_source", setter: fld_set}]}, - "threat_val": {to:[{field: "rsa.threat.threat_desc", setter: fld_set}]}, - "threshold": {to:[{field: "rsa.misc.threshold", setter: fld_set}]}, - "time": {convert: to_date, to:[{field: "rsa.internal.time", setter: fld_set}]}, - "timestamp": {to:[{field: "rsa.time.timestamp", setter: fld_set}]}, - "timezone": {to:[{field: "rsa.time.timezone", setter: fld_set}]}, - "to": {to:[{field: "rsa.email.email_dst", setter: fld_set}]}, - "tos": {convert: to_long, to:[{field: "rsa.misc.tos", setter: fld_set}]}, - "trans_from": {to:[{field: "rsa.email.trans_from", setter: fld_set}]}, - "trans_id": {to:[{field: "rsa.db.transact_id", setter: fld_set}]}, - "trans_to": {to:[{field: "rsa.email.trans_to", setter: fld_set}]}, - "trigger_desc": {to:[{field: "rsa.misc.trigger_desc", setter: fld_set}]}, - "trigger_val": {to:[{field: "rsa.misc.trigger_val", setter: fld_set}]}, - "type": {to:[{field: "rsa.misc.type", setter: fld_set}]}, - "type1": {to:[{field: "rsa.misc.type1", setter: fld_set}]}, - "tzone": {to:[{field: "rsa.time.tzone", setter: fld_set}]}, - "ubc.req": {convert: to_long, to:[{field: "rsa.internal.ubc_req", setter: fld_set}]}, - "ubc.res": {convert: to_long, to:[{field: "rsa.internal.ubc_res", setter: fld_set}]}, - "udb_class": {to:[{field: "rsa.misc.udb_class", setter: fld_set}]}, - "url_fld": {to:[{field: "rsa.misc.url_fld", setter: fld_set}]}, - "urlpage": {to:[{field: "rsa.web.urlpage", setter: fld_set}]}, - "urlroot": {to:[{field: "rsa.web.urlroot", setter: fld_set}]}, - "user_address": {to:[{field: "rsa.email.email", setter: fld_append}]}, - "user_dept": {to:[{field: 
"rsa.identity.user_dept", setter: fld_set}]}, - "user_div": {to:[{field: "rsa.misc.user_div", setter: fld_set}]}, - "user_fname": {to:[{field: "rsa.identity.firstname", setter: fld_set}]}, - "user_lname": {to:[{field: "rsa.identity.lastname", setter: fld_set}]}, - "user_mname": {to:[{field: "rsa.identity.middlename", setter: fld_set}]}, - "user_org": {to:[{field: "rsa.identity.org", setter: fld_set}]}, - "user_role": {to:[{field: "rsa.identity.user_role", setter: fld_set}]}, - "userid": {to:[{field: "rsa.misc.userid", setter: fld_set}]}, - "username_fld": {to:[{field: "rsa.misc.username_fld", setter: fld_set}]}, - "utcstamp": {to:[{field: "rsa.misc.utcstamp", setter: fld_set}]}, - "v_instafname": {to:[{field: "rsa.misc.v_instafname", setter: fld_set}]}, - "vendor_event_cat": {to:[{field: "rsa.investigations.event_vcat", setter: fld_set}]}, - "version": {to:[{field: "rsa.misc.version", setter: fld_set}]}, - "vid": {to:[{field: "rsa.internal.msg_vid", setter: fld_set}]}, - "virt_data": {to:[{field: "rsa.misc.virt_data", setter: fld_set}]}, - "virusname": {to:[{field: "rsa.misc.virusname", setter: fld_set}]}, - "vlan": {convert: to_long, to:[{field: "rsa.network.vlan", setter: fld_set}]}, - "vlan.name": {to:[{field: "rsa.network.vlan_name", setter: fld_set}]}, - "vm_target": {to:[{field: "rsa.misc.vm_target", setter: fld_set}]}, - "vpnid": {to:[{field: "rsa.misc.vpnid", setter: fld_set}]}, - "vsys": {to:[{field: "rsa.misc.vsys", setter: fld_set}]}, - "vuln_ref": {to:[{field: "rsa.misc.vuln_ref", setter: fld_set}]}, - "web_cookie": {to:[{field: "rsa.web.web_cookie", setter: fld_set}]}, - "web_extension_tmp": {to:[{field: "rsa.web.web_extension_tmp", setter: fld_set}]}, - "web_host": {to:[{field: "rsa.web.alias_host", setter: fld_set}]}, - "web_method": {to:[{field: "rsa.misc.action", setter: fld_append}]}, - "web_page": {to:[{field: "rsa.web.web_page", setter: fld_set}]}, - "web_ref_domain": {to:[{field: "rsa.web.web_ref_domain", setter: fld_set}]}, - "web_ref_host": 
{to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "web_ref_page": {to:[{field: "rsa.web.web_ref_page", setter: fld_set}]}, - "web_ref_query": {to:[{field: "rsa.web.web_ref_query", setter: fld_set}]}, - "web_ref_root": {to:[{field: "rsa.web.web_ref_root", setter: fld_set}]}, - "wifi_channel": {convert: to_long, to:[{field: "rsa.wireless.wlan_channel", setter: fld_set}]}, - "wlan": {to:[{field: "rsa.wireless.wlan_name", setter: fld_set}]}, - "word": {to:[{field: "rsa.internal.word", setter: fld_set}]}, - "workspace_desc": {to:[{field: "rsa.misc.workspace", setter: fld_set}]}, - "workstation": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "year": {to:[{field: "rsa.time.year", setter: fld_set}]}, - "zone": {to:[{field: "rsa.network.zone", setter: fld_set}]}, - }; - - function to_date(value) { - switch (typeof (value)) { - case "object": - // This is a Date. But as it was obtained from evt.Get(), the VM - // doesn't see it as a JS Date anymore, thus value instanceof Date === false. - // Have to trust that any object here is a valid Date for Go. - return value; - case "string": - var asDate = new Date(value); - if (!isNaN(asDate)) return asDate; - } - } - - // ECMAScript 5.1 doesn't have Object.MAX_SAFE_INTEGER / Object.MIN_SAFE_INTEGER. - var maxSafeInt = Math.pow(2, 53) - 1; - var minSafeInt = -maxSafeInt; - - function to_long(value) { - var num = parseInt(value); - // Better not to index a number if it's not safe (above 53 bits). - return !isNaN(num) && minSafeInt <= num && num <= maxSafeInt ? 
num : undefined; - } - - function to_ip(value) { - if (value.indexOf(":") === -1) - return to_ipv4(value); - return to_ipv6(value); - } - - var ipv4_regex = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/; - var ipv6_hex_regex = /^[0-9A-Fa-f]{1,4}$/; - - function to_ipv4(value) { - var result = ipv4_regex.exec(value); - if (result == null || result.length !== 5) return; - for (var i = 1; i < 5; i++) { - var num = strictToInt(result[i]); - if (isNaN(num) || num < 0 || num > 255) return; - } - return value; - } - - function to_ipv6(value) { - var sqEnd = value.indexOf("]"); - if (sqEnd > -1) { - if (value.charAt(0) !== "[") return; - value = value.substr(1, sqEnd - 1); - } - var zoneOffset = value.indexOf("%"); - if (zoneOffset > -1) { - value = value.substr(0, zoneOffset); - } - var parts = value.split(":"); - if (parts == null || parts.length < 3 || parts.length > 8) return; - var numEmpty = 0; - var innerEmpty = 0; - for (var i = 0; i < parts.length; i++) { - if (parts[i].length === 0) { - numEmpty++; - if (i > 0 && i + 1 < parts.length) innerEmpty++; - } else if (!parts[i].match(ipv6_hex_regex) && - // Accept an IPv6 with a valid IPv4 at the end. - ((i + 1 < parts.length) || !to_ipv4(parts[i]))) { - return; - } - } - return innerEmpty === 0 && parts.length === 8 || innerEmpty === 1 ? value : undefined; - } - - function to_double(value) { - return parseFloat(value); - } - - function to_mac(value) { - // ES doesn't have a mac datatype so it's safe to ingest whatever was captured. - return value; - } - - function to_lowercase(value) { - // to_lowercase is used against keyword fields, which can accept - // any other type (numbers, dates). - return typeof(value) === "string"? 
value.toLowerCase() : value; - } - - function fld_set(dst, value) { - dst[this.field] = { v: value }; - } - - function fld_append(dst, value) { - if (dst[this.field] === undefined) { - dst[this.field] = { v: [value] }; - } else { - var base = dst[this.field]; - if (base.v.indexOf(value)===-1) base.v.push(value); - } - } - - function fld_prio(dst, value) { - if (dst[this.field] === undefined) { - dst[this.field] = { v: value, prio: this.prio}; - } else if(this.prio < dst[this.field].prio) { - dst[this.field].v = value; - dst[this.field].prio = this.prio; - } - } - - var valid_ecs_outcome = { - 'failure': true, - 'success': true, - 'unknown': true - }; - - function fld_ecs_outcome(dst, value) { - value = value.toLowerCase(); - if (valid_ecs_outcome[value] === undefined) { - value = 'unknown'; - } - if (dst[this.field] === undefined) { - dst[this.field] = { v: value }; - } else if (dst[this.field].v === 'unknown') { - dst[this.field] = { v: value }; - } - } - - function map_all(evt, targets, value) { - for (var i = 0; i < targets.length; i++) { - evt.Put(targets[i], value); - } - } - - function populate_fields(evt) { - var base = evt.Get(FIELDS_OBJECT); - if (base === null) return; - alternate_datetime(evt); - if (map_ecs) { - do_populate(evt, base, ecs_mappings); - } - if (map_rsa) { - do_populate(evt, base, rsa_mappings); - } - if (keep_raw) { - evt.Put("rsa.raw", base); - } - evt.Delete(FIELDS_OBJECT); - } - - var datetime_alt_components = [ - {field: "day", fmts: [[dF]]}, - {field: "year", fmts: [[dW]]}, - {field: "month", fmts: [[dB],[dG]]}, - {field: "date", fmts: [[dW,dSkip,dG,dSkip,dF],[dW,dSkip,dB,dSkip,dF],[dW,dSkip,dR,dSkip,dF]]}, - {field: "hour", fmts: [[dN]]}, - {field: "min", fmts: [[dU]]}, - {field: "secs", fmts: [[dO]]}, - {field: "time", fmts: [[dN, dSkip, dU, dSkip, dO]]}, - ]; - - function alternate_datetime(evt) { - if (evt.Get(FIELDS_PREFIX + "event_time") != null) { - return; - } - var tzOffset = tz_offset; - if (tzOffset === "event") { - 
tzOffset = evt.Get("event.timezone"); - } - var container = new DateContainer(tzOffset); - for (var i=0; i} Hit-count = %{dclass_counter1}"); - - var dup60 = setc("dclass_counter1_string","Hit Count"); - - var dup61 = setc("eventcategory","1603100000"); - - var dup62 = setc("eventcategory","1701020000"); - - var dup63 = setc("eventcategory","1801000000"); - - var dup64 = match("MESSAGE#372:TACACS_ACCOUNTING_MESSAGE:09/0", "nwparser.payload", "%{action}: %{p0}"); - - var dup65 = match("MESSAGE#372:TACACS_ACCOUNTING_MESSAGE:09/1_0", "nwparser.p0", "%{saddr}@%{terminal}: %{p0}"); - - var dup66 = match("MESSAGE#372:TACACS_ACCOUNTING_MESSAGE:09/1_1", "nwparser.p0", "%{fld1->} %{p0}"); - - var dup67 = match("MESSAGE#372:TACACS_ACCOUNTING_MESSAGE:09/3_0", "nwparser.p0", "(%{result})%{info}"); - - var dup68 = match_copy("MESSAGE#372:TACACS_ACCOUNTING_MESSAGE:09/3_1", "nwparser.p0", "info"); - - var dup69 = match("MESSAGE#238:IF_XCVR_WARNING/0", "nwparser.payload", "Interface %{interface}, %{p0}"); - - var dup70 = match("MESSAGE#238:IF_XCVR_WARNING/1_0", "nwparser.p0", "Low %{p0}"); - - var dup71 = match("MESSAGE#238:IF_XCVR_WARNING/1_1", "nwparser.p0", "High %{p0}"); - - var dup72 = setc("ec_outcome","Error"); - - var dup73 = setc("eventcategory","1703000000"); - - var dup74 = setc("obj_type","vPC"); - - var dup75 = setc("ec_subject","OS"); - - var dup76 = setc("ec_activity","Start"); - - var dup77 = setc("eventcategory","1801010000"); - - var dup78 = setc("ec_activity","Receive"); - - var dup79 = setc("ec_activity","Send"); - - var dup80 = setc("ec_activity","Create"); - - var dup81 = setc("event_description","Switchover completed."); - - var dup82 = setc("event_description","Invalid user"); - - var dup83 = setc("eventcategory","1401000000"); - - var dup84 = setc("ec_subject","Service"); - - var dup85 = setc("event_description","Duplicate address Detected."); - - var dup86 = match_copy("MESSAGE#0:LOG-7-SYSTEM_MSG", "nwparser.payload", "event_description", 
processor_chain([ - dup1, - dup2, - dup3, - dup4, - ])); - - var dup87 = match_copy("MESSAGE#32:NEIGHBOR_UPDATE_AUTOCOPY", "nwparser.payload", "event_description", processor_chain([ - dup15, - dup2, - dup3, - dup4, - ])); - - var dup88 = match("MESSAGE#35:IF_DOWN_ADMIN_DOWN", "nwparser.payload", "Interface %{interface->} is down (%{result})", processor_chain([ - dup23, - dup2, - dup3, - dup4, - ])); - - var dup89 = match("MESSAGE#36:IF_DOWN_ADMIN_DOWN:01", "nwparser.payload", "%{fld43->} Interface %{interface->} is down (%{result})", processor_chain([ - dup23, - dup2, - dup3, - dup4, - ])); - - var dup90 = match("MESSAGE#37:IF_DOWN_CHANNEL_MEMBERSHIP_UPDATE_IN_PROGRESS", "nwparser.payload", "Interface %{interface->} is down (%{result})", processor_chain([ - dup15, - dup2, - dup3, - dup4, - ])); - - var dup91 = match("MESSAGE#38:IF_DOWN_INTERFACE_REMOVED", "nwparser.payload", "Interface %{interface->} is down (%{result})", processor_chain([ - dup24, - dup2, - dup3, - dup4, - ])); - - var dup92 = linear_select([ - dup26, - dup27, - ]); - - var dup93 = match_copy("MESSAGE#58:IM_SEQ_ERROR", "nwparser.payload", "result", processor_chain([ - dup1, - dup2, - dup3, - dup4, - ])); - - var dup94 = match_copy("MESSAGE#88:PFM_VEM_REMOVE_NO_HB", "nwparser.payload", "event_description", processor_chain([ - dup24, - dup2, - dup3, - dup4, - ])); - - var dup95 = match("MESSAGE#108:IF_DOWN_INITIALIZING:01", "nwparser.payload", "%{fld43->} Interface %{interface->} is down (%{result})", processor_chain([ - dup15, - dup2, - dup3, - dup4, - ])); - - var dup96 = match("MESSAGE#110:IF_DOWN_NONE:01", "nwparser.payload", "%{fld52->} Interface %{interface->} is down (%{result})", processor_chain([ - dup23, - dup34, - dup35, - dup14, - dup2, - dup3, - dup4, - ])); - - var dup97 = match_copy("MESSAGE#123:PORT_PROFILE_CHANGE_VERIFY_REQ_FAILURE", "nwparser.payload", "event_description", processor_chain([ - dup33, - dup2, - dup3, - dup4, - ])); - - var dup98 = linear_select([ - dup46, - dup47, - 
]); - - var dup99 = linear_select([ - dup49, - dup50, - ]); - - var dup100 = linear_select([ - dup54, - dup55, - ]); - - var dup101 = linear_select([ - dup57, - dup58, - ]); - - var dup102 = match_copy("MESSAGE#214:NOHMS_DIAG_ERR_PS_FAIL", "nwparser.payload", "event_description", processor_chain([ - dup23, - dup2, - dup3, - dup4, - ])); - - var dup103 = linear_select([ - dup65, - dup66, - ]); - - var dup104 = linear_select([ - dup67, - dup68, - ]); - - var dup105 = match("MESSAGE#224:IF_SFP_WARNING", "nwparser.payload", "Interface %{interface}, %{event_description}", processor_chain([ - dup15, - dup2, - dup3, - dup4, - ])); - - var dup106 = match("MESSAGE#225:IF_DOWN_TCP_MAX_RETRANSMIT", "nwparser.payload", "%{fld43->} Interface %{interface->} is down%{info}", processor_chain([ - dup23, - dup2, - dup3, - dup4, - ])); - - var dup107 = linear_select([ - dup70, - dup71, - ]); - - var dup108 = match("MESSAGE#239:IF_XCVR_WARNING:01", "nwparser.payload", "Interface %{interface}, %{event_description}", processor_chain([ - dup61, - dup2, - dup3, - dup4, - ])); - - var hdr1 = match("HEADER#0:0001", "message", ": %{hfld14->} %{hfld15->} %{hfld16->} %{hfld17->} %{hfld18}: %%{hfld19}-%{hfld20}-%{severity}-%{messageid}:%{payload}", processor_chain([ - setc("header_id","0001"), - ])); - - var hdr2 = match("HEADER#1:0007", "message", "%{hfld14->} %{hfld15->} %{hfld16->} %{hfld17->} %{hfld18}: %%{hfld19}-%{hfld20}-%{severity}-%{messageid}:%{payload}", processor_chain([ - setc("header_id","0007"), - ])); - - var hdr3 = match("HEADER#2:0005", "message", "%{hfld4->} %{hfld5->} %{hfld6->} %{hfld7->} : %{hfld14->} %{hfld15->} %{hfld16->} %{hfld17->} %{timezone}: %%{hfld19}-%{severity}-%{messageid}:%{payload}", processor_chain([ - setc("header_id","0005"), - ])); - - var hdr4 = match("HEADER#3:0002", "message", ": %{hfld14->} %{hfld15->} %{hfld16->} %{hfld17->} %{timezone}: %%{hfld19}-%{severity}-%{messageid}:%{payload}", processor_chain([ - setc("header_id","0002"), - ])); - - var hdr5 
= match("HEADER#4:0012", "message", "%{fld13}: %{hfld14->} %{hfld15->} %{hfld16->} %{hfld17->} %{timezone}: %%{hfld19}-%{severity}-%{messageid}:%{payload}", processor_chain([ - setc("header_id","0012"), - ])); - - var hdr6 = match("HEADER#5:0008", "message", "%{hfld14->} %{hfld15->} %{hfld16->} %{hfld17->} %{timezone}: %%{hfld19}-%{severity}-%{messageid}:%{payload}", processor_chain([ - setc("header_id","0008"), - ])); - - var hdr7 = match("HEADER#6:0011", "message", ": %{hfld14->} %{hfld15->} %{hfld16->} %{hfld17->} %{timezone}: %{messageid}[%{hfld18}]:%{payload}", processor_chain([ - setc("header_id","0011"), - ])); - - var hdr8 = match("HEADER#7:0003", "message", ": %{hfld14->} %{hfld15->} %{hfld16->} %{hfld17->} %{timezone}: %{messageid}:%{payload}", processor_chain([ - setc("header_id","0003"), - ])); - - var hdr9 = match("HEADER#8:0004", "message", ": %{hfld14->} %{hfld15->} %{hfld16->} %{hfld17->} %{timezone}: %{messageid->} %{payload}", processor_chain([ - setc("header_id","0004"), - ])); - - var hdr10 = match("HEADER#9:0009", "message", "%{hfld14->} %{hfld15->} %{hfld16->} %{hfld17->} %{timezone}: %{messageid}:%{payload}", processor_chain([ - setc("header_id","0009"), - ])); - - var hdr11 = match("HEADER#10:0013", "message", "%{fld13}: %{hfld14->} %{hfld15->} %{hfld16->} %{hfld17->} %{timezone}: %{messageid->} %{payload}", processor_chain([ - setc("header_id","0013"), - ])); - - var hdr12 = match("HEADER#11:0010", "message", "%{hfld14->} %{hfld15->} %{hfld16->} %{hfld17->} %{timezone}: %{messageid->} %{payload}", processor_chain([ - setc("header_id","0010"), - ])); - - var select1 = linear_select([ - hdr1, - hdr2, - hdr3, - hdr4, - hdr5, - hdr6, - hdr7, - hdr8, - hdr9, - hdr10, - hdr11, - hdr12, - ]); - - var msg1 = msg("LOG-7-SYSTEM_MSG", dup86); - - var part1 = match("MESSAGE#1:SYSTEM_MSG", "nwparser.payload", "error: PAM: Authentication failure for illegal user %{username->} from %{saddr->} - %{agent}[%{process_id}]", processor_chain([ - dup5, - dup2, - 
dup3, - dup4, - dup6, - ])); - - var msg2 = msg("SYSTEM_MSG", part1); - - var part2 = match("MESSAGE#2:SYSTEM_MSG:12", "nwparser.payload", "error: PAM: Authentication failure for illegal user %{username->} from %{shost}", processor_chain([ - dup5, - dup2, - dup3, - dup4, - dup6, - ])); - - var msg3 = msg("SYSTEM_MSG:12", part2); - - var part3 = match("MESSAGE#3:SYSTEM_MSG:01", "nwparser.payload", "error: PAM: Authentication failure for %{username->} from %{saddr->} - %{agent}[%{process_id}]", processor_chain([ - dup5, - dup2, - dup3, - dup4, - dup7, - ])); - - var msg4 = msg("SYSTEM_MSG:01", part3); - - var part4 = match("MESSAGE#4:SYSTEM_MSG:11", "nwparser.payload", "error: PAM: Authentication failure for %{username->} from %{shost}", processor_chain([ - dup5, - dup2, - dup3, - dup4, - dup7, - ])); - - var msg5 = msg("SYSTEM_MSG:11", part4); - - var part5 = match("MESSAGE#5:SYSTEM_MSG:19/0", "nwparser.payload", "error: maximum authentication attempts exceeded for %{p0}"); - - var part6 = match("MESSAGE#5:SYSTEM_MSG:19/1_0", "nwparser.p0", "invalid user %{username->} from %{p0}"); - - var part7 = match("MESSAGE#5:SYSTEM_MSG:19/1_1", "nwparser.p0", "%{username->} from %{p0}"); - - var select2 = linear_select([ - part6, - part7, - ]); - - var part8 = match("MESSAGE#5:SYSTEM_MSG:19/2", "nwparser.p0", "%{saddr->} port %{sport->} %{protocol->} - %{agent}[%{process_id}]"); - - var all1 = all_match({ - processors: [ - part5, - select2, - part8, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - ]), - }); - - var msg6 = msg("SYSTEM_MSG:19", all1); - - var part9 = match("MESSAGE#6:SYSTEM_MSG:02", "nwparser.payload", "error:%{result}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - ])); - - var msg7 = msg("SYSTEM_MSG:02", part9); - - var part10 = match("MESSAGE#7:SYSTEM_MSG:03/0_0", "nwparser.payload", "(pam_unix)%{p0}"); - - var part11 = match("MESSAGE#7:SYSTEM_MSG:03/0_1", "nwparser.payload", "pam_unix(%{fld1}:%{fld2}):%{p0}"); - - var select3 = 
linear_select([ - part10, - part11, - ]); - - var part12 = match("MESSAGE#7:SYSTEM_MSG:03/1", "nwparser.p0", "%{}authentication failure; logname=%{fld20->} uid=%{fld21->} euid=%{fld22->} tty=%{terminal->} ruser=%{fld24->} rhost=%{p0}"); - - var part13 = match("MESSAGE#7:SYSTEM_MSG:03/2_0", "nwparser.p0", "%{fld25->} user=%{username->} - %{p0}"); - - var part14 = match("MESSAGE#7:SYSTEM_MSG:03/2_1", "nwparser.p0", "%{fld25->} - %{p0}"); - - var select4 = linear_select([ - part13, - part14, - ]); - - var part15 = match_copy("MESSAGE#7:SYSTEM_MSG:03/3", "nwparser.p0", "agent"); - - var all2 = all_match({ - processors: [ - select3, - part12, - select4, - part15, - ], - on_success: processor_chain([ - dup5, - dup2, - dup3, - dup4, - ]), - }); - - var msg8 = msg("SYSTEM_MSG:03", all2); - - var part16 = match("MESSAGE#8:SYSTEM_MSG:04", "nwparser.payload", "(pam_unix) %{event_description}", processor_chain([ - dup8, - dup2, - dup3, - dup4, - ])); - - var msg9 = msg("SYSTEM_MSG:04", part16); - - var part17 = match("MESSAGE#9:SYSTEM_MSG:05/0", "nwparser.payload", "pam_aaa:Authentication failed f%{p0}"); - - var part18 = match("MESSAGE#9:SYSTEM_MSG:05/1_0", "nwparser.p0", "or user %{username->} from%{p0}"); - - var part19 = match("MESSAGE#9:SYSTEM_MSG:05/1_1", "nwparser.p0", "rom%{p0}"); - - var select5 = linear_select([ - part18, - part19, - ]); - - var part20 = match("MESSAGE#9:SYSTEM_MSG:05/2", "nwparser.p0", "%{} %{saddr->} - %{agent}[%{process_id}]"); - - var all3 = all_match({ - processors: [ - part17, - select5, - part20, - ], - on_success: processor_chain([ - dup5, - dup2, - dup3, - dup4, - ]), - }); - - var msg10 = msg("SYSTEM_MSG:05", all3); - - var part21 = match("MESSAGE#10:SYSTEM_MSG:06", "nwparser.payload", "FAILED LOGIN (%{fld20}) on %{fld21->} FOR %{username}, Authentication failure - login[%{process_id}]", processor_chain([ - dup5, - dup2, - dup3, - dup4, - ])); - - var msg11 = msg("SYSTEM_MSG:06", part21); - - var part22 = match("MESSAGE#11:SYSTEM_MSG:07", 
"nwparser.payload", "fatal:%{event_description}", processor_chain([ - dup9, - dup2, - dup3, - dup4, - ])); - - var msg12 = msg("SYSTEM_MSG:07", part22); - - var part23 = match("MESSAGE#12:SYSTEM_MSG:09", "nwparser.payload", "%{fld1}: Host name is set %{hostname->} - kernel", processor_chain([ - dup9, - dup2, - dup3, - dup4, - ])); - - var msg13 = msg("SYSTEM_MSG:09", part23); - - var part24 = match("MESSAGE#13:SYSTEM_MSG:10", "nwparser.payload", "Unauthorized access by NFS client %{saddr}.", processor_chain([ - dup5, - dup2, - dup3, - dup4, - ])); - - var msg14 = msg("SYSTEM_MSG:10", part24); - - var part25 = match("MESSAGE#14:SYSTEM_MSG:13", "nwparser.payload", "%{fld43->} : SNMP UDP authentication failed for %{saddr}.", processor_chain([ - dup5, - dup2, - dup3, - dup4, - ])); - - var msg15 = msg("SYSTEM_MSG:13", part25); - - var part26 = match("MESSAGE#15:SYSTEM_MSG:14", "nwparser.payload", "%{fld43->} : Subsequent authentication success for user (%{username}) failed.", processor_chain([ - dup5, - dup2, - dup3, - dup4, - ])); - - var msg16 = msg("SYSTEM_MSG:14", part26); - - var part27 = match("MESSAGE#16:SYSTEM_MSG:15", "nwparser.payload", "%{fld1->} : TTY=%{terminal->} ; PWD=%{directory->} ; USER=%{username->} ; COMMAND=%{param}", processor_chain([ - dup10, - dup2, - dup3, - dup4, - dup11, - dup12, - ])); - - var msg17 = msg("SYSTEM_MSG:15", part27); - - var part28 = match("MESSAGE#17:SYSTEM_MSG:16", "nwparser.payload", "Login failed for user %{username->} - %{agent}[%{process_id}]", processor_chain([ - dup5, - dup2, - dup3, - dup4, - dup11, - dup13, - dup12, - dup14, - ])); - - var msg18 = msg("SYSTEM_MSG:16", part28); - - var part29 = match("MESSAGE#18:SYSTEM_MSG:17/0", "nwparser.payload", "NTP: Peer %{hostip->} %{p0}"); - - var part30 = match("MESSAGE#18:SYSTEM_MSG:17/1_0", "nwparser.p0", "with stratum %{fld1->} selected - %{p0}"); - - var part31 = match("MESSAGE#18:SYSTEM_MSG:17/1_1", "nwparser.p0", "is %{disposition->} - %{p0}"); - - var select6 = 
linear_select([ - part30, - part31, - ]); - - var part32 = match("MESSAGE#18:SYSTEM_MSG:17/2", "nwparser.p0", "%{agent}[%{process_id}]"); - - var all4 = all_match({ - processors: [ - part29, - select6, - part32, - ], - on_success: processor_chain([ - dup15, - dup2, - dup3, - dup4, - ]), - }); - - var msg19 = msg("SYSTEM_MSG:17", all4); - - var part33 = match("MESSAGE#19:SYSTEM_MSG:20", "nwparser.payload", "New user added with username %{username->} - %{agent}", processor_chain([ - dup10, - dup2, - dup3, - dup4, - dup12, - ])); - - var msg20 = msg("SYSTEM_MSG:20", part33); - - var part34 = match("MESSAGE#20:SYSTEM_MSG:21", "nwparser.payload", "pam_unix(%{fld1}:%{fld2}): password changed for %{username->} - %{agent}", processor_chain([ - dup10, - dup2, - dup3, - dup4, - setc("ec_subject","Password"), - dup16, - dup12, - dup17, - ])); - - var msg21 = msg("SYSTEM_MSG:21", part34); - - var part35 = match("MESSAGE#21:SYSTEM_MSG:22", "nwparser.payload", "pam_unix(%{fld1}:%{fld2}): check pass; user %{username->} - %{agent}", processor_chain([ - dup10, - dup2, - dup3, - dup4, - dup12, - ])); - - var msg22 = msg("SYSTEM_MSG:22", part35); - - var part36 = match("MESSAGE#22:SYSTEM_MSG:23", "nwparser.payload", "new user: name=%{username}, uid=%{uid}, gid=%{fld1}, home=%{directory}, shell=%{fld2->} - %{agent}[%{process_id}]", processor_chain([ - dup18, - dup2, - dup3, - dup4, - dup11, - ])); - - var msg23 = msg("SYSTEM_MSG:23", part36); - - var part37 = match("MESSAGE#23:SYSTEM_MSG:24/0", "nwparser.payload", "delete user %{p0}"); - - var part38 = match("MESSAGE#23:SYSTEM_MSG:24/1_0", "nwparser.p0", "`%{p0}"); - - var part39 = match("MESSAGE#23:SYSTEM_MSG:24/1_1", "nwparser.p0", "'%{p0}"); - - var select7 = linear_select([ - part38, - part39, - ]); - - var part40 = match("MESSAGE#23:SYSTEM_MSG:24/2", "nwparser.p0", "'%{username->} - %{agent}[%{process_id}]"); - - var all5 = all_match({ - processors: [ - part37, - select7, - part40, - ], - on_success: processor_chain([ - dup19, - 
dup2, - dup3, - dup4, - dup11, - dup20, - dup17, - ]), - }); - - var msg24 = msg("SYSTEM_MSG:24", all5); - - var part41 = match("MESSAGE#24:SYSTEM_MSG:08/0_0", "nwparser.payload", "%{event_description->} - %{agent}"); - - var select8 = linear_select([ - part41, - dup21, - ]); - - var all6 = all_match({ - processors: [ - select8, - ], - on_success: processor_chain([ - dup15, - dup2, - dup3, - dup4, - ]), - }); - - var msg25 = msg("SYSTEM_MSG:08", all6); - - var select9 = linear_select([ - msg2, - msg3, - msg4, - msg5, - msg6, - msg7, - msg8, - msg9, - msg10, - msg11, - msg12, - msg13, - msg14, - msg15, - msg16, - msg17, - msg18, - msg19, - msg20, - msg21, - msg22, - msg23, - msg24, - msg25, - ]); - - var part42 = match("MESSAGE#25:VDC_HOSTNAME_CHANGE", "nwparser.payload", "%{fld1->} hostname changed to %{hostname}", processor_chain([ - dup15, - dup2, - dup3, - dup4, - ])); - - var msg26 = msg("VDC_HOSTNAME_CHANGE", part42); - - var part43 = match("MESSAGE#26:POLICY_ACTIVATE_EVENT", "nwparser.payload", "Policy %{policyname->} is activated by profile %{username}", processor_chain([ - dup22, - dup2, - dup3, - dup4, - setc("action","activated"), - setc("event_description","Policy is activated by profile"), - ])); - - var msg27 = msg("POLICY_ACTIVATE_EVENT", part43); - - var part44 = match("MESSAGE#27:POLICY_COMMIT_EVENT", "nwparser.payload", "Commit operation %{disposition}", processor_chain([ - dup15, - dup2, - dup3, - dup4, - ])); - - var msg28 = msg("POLICY_COMMIT_EVENT", part44); - - var part45 = match("MESSAGE#28:POLICY_DEACTIVATE_EVENT", "nwparser.payload", "Policy %{policyname->} is de-activated by last referring profile %{username}", processor_chain([ - setc("eventcategory","1701070000"), - dup2, - dup3, - dup4, - setc("action","de-activated"), - setc("event_description","Policy is de-activated by last referring profile"), - ])); - - var msg29 = msg("POLICY_DEACTIVATE_EVENT", part45); - - var part46 = match("MESSAGE#29:POLICY_LOOKUP_EVENT:01", 
"nwparser.payload", "policy=%{policyname->} rule=%{rulename->} action=%{action->} direction=%{direction->} src.net.ip-address=%{saddr->} src.net.port=%{sport->} dst.net.ip-address=%{daddr->} dst.net.port=%{dport->} net.protocol=%{protocol->} net.ethertype=%{fld2->} dst.zone.name=%{dst_zone->} src.zone.name=%{src_zone}", processor_chain([ - dup15, - dup2, - dup3, - dup4, - ])); - - var msg30 = msg("POLICY_LOOKUP_EVENT:01", part46); - - var part47 = match("MESSAGE#30:POLICY_LOOKUP_EVENT", "nwparser.payload", "policy=%{policyname->} rule=%{rulename->} action=%{action->} direction=%{direction->} src.net.ip-address=%{saddr->} src.net.port=%{sport->} dst.net.ip-address=%{daddr->} dst.net.port=%{dport->} net.protocol=%{protocol->} net.ethertype=%{fld2}", processor_chain([ - dup15, - dup2, - dup3, - dup4, - ])); - - var msg31 = msg("POLICY_LOOKUP_EVENT", part47); - - var part48 = match("MESSAGE#31:POLICY_LOOKUP_EVENT:02", "nwparser.payload", "policy=%{policyname->} rule=%{rulename->} action=%{action->} direction=%{direction->} net.ethertype=%{fld2}", processor_chain([ - dup15, - dup2, - dup3, - dup4, - ])); - - var msg32 = msg("POLICY_LOOKUP_EVENT:02", part48); - - var select10 = linear_select([ - msg30, - msg31, - msg32, - ]); - - var msg33 = msg("NEIGHBOR_UPDATE_AUTOCOPY", dup87); - - var msg34 = msg("MTSERROR", dup86); - - var part49 = match("MESSAGE#34:IF_DOWN_ERROR_DISABLED", "nwparser.payload", "Interface %{interface->} is down (Error disabled. 
Reason:%{result})", processor_chain([ - dup23, - dup2, - dup3, - dup4, - ])); - - var msg35 = msg("IF_DOWN_ERROR_DISABLED", part49); - - var msg36 = msg("IF_DOWN_ADMIN_DOWN", dup88); - - var msg37 = msg("IF_DOWN_ADMIN_DOWN:01", dup89); - - var select11 = linear_select([ - msg36, - msg37, - ]); - - var msg38 = msg("IF_DOWN_CHANNEL_MEMBERSHIP_UPDATE_IN_PROGRESS", dup90); - - var msg39 = msg("IF_DOWN_INTERFACE_REMOVED", dup91); - - var part50 = match("MESSAGE#39:IF_DOWN_LINK_FAILURE", "nwparser.payload", "Interface %{interface->} is down (%{result})", processor_chain([ - dup23, - dup2, - dup3, - dup4, - dup25, - ])); - - var msg40 = msg("IF_DOWN_LINK_FAILURE", part50); - - var msg41 = msg("IF_DOWN_LINK_FAILURE:01", dup89); - - var select12 = linear_select([ - msg40, - msg41, - ]); - - var msg42 = msg("IF_DOWN_MODULE_REMOVED", dup91); - - var msg43 = msg("IF_DOWN_PORT_CHANNEL_MEMBERS_DOWN", dup88); - - var part51 = match("MESSAGE#43:IF_DUPLEX", "nwparser.payload", "Interface %{interface}, operational duplex mode changed to %{result}", processor_chain([ - dup15, - dup2, - dup3, - dup4, - setc("event_description","Interface duplex mode changed"), - ])); - - var msg44 = msg("IF_DUPLEX", part51); - - var part52 = match("MESSAGE#44:IF_RX_FLOW_CONTROL/0", "nwparser.payload", "Interface %{interface}, operational Receive Flow Cont%{p0}"); - - var all7 = all_match({ - processors: [ - part52, - dup92, - dup28, - ], - on_success: processor_chain([ - dup15, - dup2, - dup3, - dup4, - setc("event_description","Interface operational Receive Flow Control state changed"), - ]), - }); - - var msg45 = msg("IF_RX_FLOW_CONTROL", all7); - - var part53 = match_copy("MESSAGE#45:IF_SEQ_ERROR", "nwparser.payload", "result", processor_chain([ - dup23, - dup2, - dup3, - dup4, - ])); - - var msg46 = msg("IF_SEQ_ERROR", part53); - - var part54 = match("MESSAGE#46:IF_TX_FLOW_CONTROL/0", "nwparser.payload", "Interface %{interface}, operational Transmit Flow Cont%{p0}"); - - var all8 = all_match({ - 
processors: [ - part54, - dup92, - dup28, - ], - on_success: processor_chain([ - dup15, - dup2, - dup3, - dup4, - setc("event_description","Interface operational Transmit Flow Control state changed"), - ]), - }); - - var msg47 = msg("IF_TX_FLOW_CONTROL", all8); - - var part55 = match("MESSAGE#47:IF_UP", "nwparser.payload", "%{fld43->} Interface %{sinterface->} is up in mode %{result}", processor_chain([ - dup15, - dup2, - dup3, - dup4, - setc("event_description","Interface is up in mode"), - ])); - - var msg48 = msg("IF_UP", part55); - - var part56 = match("MESSAGE#48:IF_UP:01", "nwparser.payload", "Interface %{sinterface->} is up", processor_chain([ - dup15, - dup2, - dup3, - dup4, - setc("event_description","Interface is up"), - ])); - - var msg49 = msg("IF_UP:01", part56); - - var select13 = linear_select([ - msg48, - msg49, - ]); - - var part57 = match("MESSAGE#49:SPEED", "nwparser.payload", "Interface %{interface}, operational speed changed to %{result}", processor_chain([ - dup15, - dup2, - dup3, - dup4, - setc("event_description","Interface operational speed changed"), - ])); - - var msg50 = msg("SPEED", part57); - - var part58 = match("MESSAGE#50:CREATED", "nwparser.payload", "%{group_object->} created", processor_chain([ - dup29, - dup2, - dup3, - dup4, - ])); - - var msg51 = msg("CREATED", part58); - - var part59 = match("MESSAGE#51:FOP_CHANGED", "nwparser.payload", "%{group_object}: first operational port changed from %{change_old->} to %{change_new}", processor_chain([ - dup30, - dup2, - dup3, - dup4, - ])); - - var msg52 = msg("FOP_CHANGED", part59); - - var part60 = match("MESSAGE#52:PORT_DOWN", "nwparser.payload", "%{group_object}: %{interface->} is down", processor_chain([ - dup23, - dup2, - dup3, - dup4, - ])); - - var msg53 = msg("PORT_DOWN", part60); - - var part61 = match("MESSAGE#53:PORT_UP", "nwparser.payload", "%{group_object}: %{interface->} is up", processor_chain([ - dup15, - dup2, - dup3, - dup4, - ])); - - var msg54 = msg("PORT_UP", 
part61); - - var part62 = match("MESSAGE#54:SUBGROUP_ID_PORT_ADDED", "nwparser.payload", "Interface %{interface->} is added to %{group_object->} with subgroup id %{fld20}", processor_chain([ - dup29, - dup2, - dup3, - dup4, - ])); - - var msg55 = msg("SUBGROUP_ID_PORT_ADDED", part62); - - var part63 = match("MESSAGE#55:SUBGROUP_ID_PORT_REMOVED", "nwparser.payload", "Interface %{interface->} is removed from %{group_object->} with subgroup id %{fld20}", processor_chain([ - dup24, - dup2, - dup3, - dup4, - ])); - - var msg56 = msg("SUBGROUP_ID_PORT_REMOVED", part63); - - var msg57 = msg("MTS_DROP", dup87); - - var msg58 = msg("SYSLOG_LOG_WARNING", dup87); - - var msg59 = msg("IM_SEQ_ERROR", dup93); - - var msg60 = msg("ADDON_IMG_DNLD_COMPLETE", dup87); - - var msg61 = msg("ADDON_IMG_DNLD_STARTED", dup87); - - var msg62 = msg("ADDON_IMG_DNLD_SUCCESSFUL", dup87); - - var msg63 = msg("IMG_DNLD_COMPLETE", dup87); - - var msg64 = msg("IMG_DNLD_STARTED", dup87); - - var part64 = match_copy("MESSAGE#64:PORT_SOFTWARE_FAILURE", "nwparser.payload", "result", processor_chain([ - dup31, - dup2, - dup3, - dup4, - ])); - - var msg65 = msg("PORT_SOFTWARE_FAILURE", part64); - - var msg66 = msg("MSM_CRIT", dup93); - - var part65 = match("MESSAGE#66:LOG_CMP_AAA_FAILURE", "nwparser.payload", "Authentication failed for a login from %{shost->} (%{result})", processor_chain([ - dup5, - dup2, - dup3, - dup4, - dup7, - ])); - - var msg67 = msg("LOG_CMP_AAA_FAILURE", part65); - - var msg68 = msg("LOG_LIC_N1K_EXPIRY_WARNING", dup87); - - var part66 = match("MESSAGE#68:MOD_FAIL", "nwparser.payload", "Initialization of module %{fld20->} (serial: %{serial_number}) failed", processor_chain([ - dup32, - dup2, - dup3, - dup4, - ])); - - var msg69 = msg("MOD_FAIL", part66); - - var part67 = match("MESSAGE#69:MOD_MAJORSWFAIL", "nwparser.payload", "Module %{fld20->} (serial: %{serial_number}) reported a critical failure in service %{fld22}", processor_chain([ - dup33, - dup2, - dup3, - dup4, - ])); - - 
var msg70 = msg("MOD_MAJORSWFAIL", part67); - - var part68 = match("MESSAGE#70:MOD_SRG_NOT_COMPATIBLE", "nwparser.payload", "Module %{fld20->} (serial: %{serial_number}) firmware is not compatible with supervisor, downloading new image", processor_chain([ - dup15, - dup2, - dup3, - dup4, - ])); - - var msg71 = msg("MOD_SRG_NOT_COMPATIBLE", part68); - - var part69 = match("MESSAGE#71:MOD_WARNING:01", "nwparser.payload", "Module %{fld20->} (serial: %{serial_number}) reported warnings on %{info->} due to %{result->} in device %{fld23->} (device error %{fld22})", processor_chain([ - dup32, - dup2, - dup3, - dup4, - ])); - - var msg72 = msg("MOD_WARNING:01", part69); - - var part70 = match("MESSAGE#72:MOD_WARNING", "nwparser.payload", "Module %{fld20->} (serial: %{serial_number}) reported warning %{info->} due to %{result->} in device %{fld23->} (device error %{fld22})", processor_chain([ - dup32, - dup2, - dup3, - dup4, - ])); - - var msg73 = msg("MOD_WARNING", part70); - - var select14 = linear_select([ - msg72, - msg73, - ]); - - var part71 = match("MESSAGE#73:ACTIVE_SUP_OK", "nwparser.payload", "Supervisor %{fld20->} is active (serial: %{serial_number})", processor_chain([ - dup15, - dup2, - dup3, - dup4, - ])); - - var msg74 = msg("ACTIVE_SUP_OK", part71); - - var part72 = match("MESSAGE#74:MOD_OK", "nwparser.payload", "Module %{fld20->} is online (serial: %{serial_number})", processor_chain([ - dup15, - dup2, - dup3, - dup4, - ])); - - var msg75 = msg("MOD_OK", part72); - - var part73 = match("MESSAGE#75:MOD_RESTART", "nwparser.payload", "Module %{fld20->} is restarting after image download", processor_chain([ - dup15, - dup2, - dup3, - dup4, - ])); - - var msg76 = msg("MOD_RESTART", part73); - - var part74 = match("MESSAGE#76:DISPUTE_CLEARED", "nwparser.payload", "Dispute resolved for port %{portname->} on %{vlan}", processor_chain([ - dup8, - dup2, - dup3, - dup4, - setc("event_description","Dispute resolved for port on VLAN"), - ])); - - var msg77 = 
msg("DISPUTE_CLEARED", part74); - - var part75 = match("MESSAGE#77:DISPUTE_DETECTED", "nwparser.payload", "Dispute detected on port %{portname->} on %{vlan}", processor_chain([ - dup8, - dup2, - dup3, - dup4, - setc("event_description","Dispute detected on port on VLAN"), - ])); - - var msg78 = msg("DISPUTE_DETECTED", part75); - - var msg79 = msg("DOMAIN_CFG_SYNC_DONE", dup87); - - var msg80 = msg("CHASSIS_CLKMODOK", dup87); - - var msg81 = msg("CHASSIS_CLKSRC", dup87); - - var msg82 = msg("FAN_OK", dup87); - - var part76 = match("MESSAGE#82:MOD_DETECT", "nwparser.payload", "Module %{fld19->} detected (Serial number %{serial_number}) Module-Type %{fld20->} Model %{fld21}", processor_chain([ - dup15, - dup2, - dup3, - dup4, - ])); - - var msg83 = msg("MOD_DETECT", part76); - - var part77 = match("MESSAGE#83:MOD_PWRDN", "nwparser.payload", "Module %{fld19->} powered down (Serial number %{serial_number})", processor_chain([ - dup15, - dup2, - dup3, - dup4, - ])); - - var msg84 = msg("MOD_PWRDN", part77); - - var part78 = match("MESSAGE#84:MOD_PWRUP", "nwparser.payload", "Module %{fld19->} powered up (Serial number %{serial_number})", processor_chain([ - dup15, - dup2, - dup3, - dup4, - ])); - - var msg85 = msg("MOD_PWRUP", part78); - - var part79 = match("MESSAGE#85:MOD_REMOVE", "nwparser.payload", "Module %{fld19->} removed (Serial number %{serial_number})", processor_chain([ - dup24, - dup2, - dup3, - dup4, - ])); - - var msg86 = msg("MOD_REMOVE", part79); - - var msg87 = msg("PFM_MODULE_POWER_ON", dup87); - - var msg88 = msg("PFM_SYSTEM_RESET", dup87); - - var msg89 = msg("PFM_VEM_REMOVE_NO_HB", dup94); - - var msg90 = msg("PFM_VEM_REMOVE_RESET", dup94); - - var msg91 = msg("PFM_VEM_REMOVE_STATE_CONFLICT", dup94); - - var msg92 = msg("PFM_VEM_REMOVE_TWO_ACT_VSM", dup94); - - var msg93 = msg("PFM_VEM_UNLICENSED", dup87); - - var msg94 = msg("PS_FANOK", dup87); - - var part80 = match("MESSAGE#94:PS_OK", "nwparser.payload", "Power supply %{fld19->} ok (Serial number 
%{serial_number})", processor_chain([ - dup15, - dup2, - dup3, - dup4, - ])); - - var msg95 = msg("PS_OK", part80); - - var part81 = match_copy("MESSAGE#95:MOD_BRINGUP_MULTI_LIMIT", "nwparser.payload", "event_description", processor_chain([ - dup31, - dup2, - dup3, - dup4, - ])); - - var msg96 = msg("MOD_BRINGUP_MULTI_LIMIT", part81); - - var part82 = match("MESSAGE#96:FAN_DETECT", "nwparser.payload", "Fan module %{fld19->} (Serial number %{serial_number}) %{fld20->} detected", processor_chain([ - dup15, - dup2, - dup3, - dup4, - ])); - - var msg97 = msg("FAN_DETECT", part82); - - var msg98 = msg("MOD_STATUS", dup87); - - var part83 = match("MESSAGE#98:PEER_VPC_CFGD_VLANS_CHANGED", "nwparser.payload", "Peer vPC %{obj_name->} configured vlans changed", processor_chain([ - dup15, - dup2, - dup3, - dup4, - setc("event_description","Peer vPC configured vlans changed"), - ])); - - var msg99 = msg("PEER_VPC_CFGD_VLANS_CHANGED", part83); - - var part84 = match("MESSAGE#99:PEER_VPC_DELETED", "nwparser.payload", "Peer vPC %{obj_name->} deleted", processor_chain([ - dup15, - dup2, - dup3, - dup4, - ])); - - var msg100 = msg("PEER_VPC_DELETED", part84); - - var msg101 = msg("PFM_VEM_DETECTED", dup87); - - var part85 = match("MESSAGE#101:PS_FOUND", "nwparser.payload", "Power supply %{fld19->} found (Serial number %{serial_number})", processor_chain([ - dup15, - dup2, - dup3, - dup4, - ])); - - var msg102 = msg("PS_FOUND", part85); - - var part86 = match("MESSAGE#102:PS_STATUS/0_0", "nwparser.payload", "PowerSupply %{fld1->} current-status is %{disposition}"); - - var select15 = linear_select([ - part86, - dup21, - ]); - - var all9 = all_match({ - processors: [ - select15, - ], - on_success: processor_chain([ - dup15, - dup2, - dup3, - dup4, - ]), - }); - - var msg103 = msg("PS_STATUS", all9); - - var part87 = match("MESSAGE#103:PS_CAPACITY_CHANGE:01", "nwparser.payload", "Power supply %{fld1->} changed its capacity. 
possibly due to On/Off or power cable removal/insertion (Serial number %{serial_number})", processor_chain([ - dup15, - dup2, - dup3, - dup4, - ])); - - var msg104 = msg("PS_CAPACITY_CHANGE:01", part87); - - var msg105 = msg("PS_CAPACITY_CHANGE", dup87); - - var select16 = linear_select([ - msg104, - msg105, - ]); - - var msg106 = msg("IF_DOWN_FCOT_NOT_PRESENT", dup88); - - var msg107 = msg("IF_DOWN_FCOT_NOT_PRESENT:01", dup89); - - var select17 = linear_select([ - msg106, - msg107, - ]); - - var msg108 = msg("IF_DOWN_INITIALIZING", dup90); - - var msg109 = msg("IF_DOWN_INITIALIZING:01", dup95); - - var select18 = linear_select([ - msg108, - msg109, - ]); - - var part88 = match("MESSAGE#109:IF_DOWN_NONE", "nwparser.payload", "Interface %{interface->} is down (%{result})", processor_chain([ - dup23, - dup34, - dup35, - dup14, - dup2, - dup3, - dup4, - ])); - - var msg110 = msg("IF_DOWN_NONE", part88); - - var msg111 = msg("IF_DOWN_NONE:01", dup96); - - var select19 = linear_select([ - msg110, - msg111, - ]); - - var msg112 = msg("IF_DOWN_NOS_RCVD", dup88); - - var msg113 = msg("IF_DOWN_NOS_RCVD:01", dup89); - - var select20 = linear_select([ - msg112, - msg113, - ]); - - var msg114 = msg("IF_DOWN_OFFLINE", dup88); - - var msg115 = msg("IF_DOWN_OLS_RCVD", dup88); - - var part89 = match("MESSAGE#115:IF_DOWN_SOFTWARE_FAILURE", "nwparser.payload", "Interface %{interface->} is down (%{result})", processor_chain([ - dup31, - dup2, - dup3, - dup4, - ])); - - var msg116 = msg("IF_DOWN_SOFTWARE_FAILURE", part89); - - var msg117 = msg("IF_DOWN_SRC_PORT_NOT_BOUND", dup90); - - var part90 = match("MESSAGE#117:IF_TRUNK_DOWN", "nwparser.payload", "Interface %{interface}, vsan %{fld20->} is down (%{info})", processor_chain([ - dup23, - dup2, - dup3, - dup4, - ])); - - var msg118 = msg("IF_TRUNK_DOWN", part90); - - var part91 = match("MESSAGE#118:IF_TRUNK_DOWN:01", "nwparser.payload", "Interface %{interface}, vlan %{vlan->} down", processor_chain([ - dup23, - dup2, - dup3, - dup4, 
- ])); - - var msg119 = msg("IF_TRUNK_DOWN:01", part91); - - var part92 = match("MESSAGE#119:IF_TRUNK_DOWN:02", "nwparser.payload", "%{fld43->} Interface %{interface}, vsan %{vlan->} is down %{info}", processor_chain([ - dup23, - dup2, - dup3, - dup4, - ])); - - var msg120 = msg("IF_TRUNK_DOWN:02", part92); - - var select21 = linear_select([ - msg118, - msg119, - msg120, - ]); - - var part93 = match("MESSAGE#120:IF_TRUNK_UP", "nwparser.payload", "Interface %{interface}, vsan %{fld20->} is up", processor_chain([ - dup15, - dup2, - dup3, - dup4, - ])); - - var msg121 = msg("IF_TRUNK_UP", part93); - - var part94 = match("MESSAGE#121:IF_TRUNK_UP:01", "nwparser.payload", "Interface %{interface}, vlan %{vlan->} up", processor_chain([ - dup23, - dup2, - dup3, - dup4, - ])); - - var msg122 = msg("IF_TRUNK_UP:01", part94); - - var part95 = match("MESSAGE#122:IF_TRUNK_UP:02", "nwparser.payload", "%{fld43->} Interface %{interface}, vsan %{vlan->} is up %{info}", processor_chain([ - dup23, - dup2, - dup3, - dup4, - ])); - - var msg123 = msg("IF_TRUNK_UP:02", part95); - - var select22 = linear_select([ - msg121, - msg122, - msg123, - ]); - - var msg124 = msg("PORT_PROFILE_CHANGE_VERIFY_REQ_FAILURE", dup97); - - var part96 = match("MESSAGE#124:IF_PORTPROFILE_ATTACHED", "nwparser.payload", "Interface %{interface->} is inheriting port-profile %{fld20}", processor_chain([ - dup15, - dup2, - dup3, - dup4, - ])); - - var msg125 = msg("IF_PORTPROFILE_ATTACHED", part96); - - var msg126 = msg("STANDBY_SUP_OK", dup87); - - var part97 = match("MESSAGE#126:STM_LOOP_DETECT", "nwparser.payload", "Loops detected in the network among ports %{portname->} and %{info->} vlan %{vlan->} - %{result}", processor_chain([ - dup15, - dup2, - dup3, - dup4, - setc("event_description","Loops detected in the network among ports"), - ])); - - var msg127 = msg("STM_LOOP_DETECT", part97); - - var part98 = match("MESSAGE#127:SYNC_COMPLETE", "nwparser.payload", "Sync completed.%{}", processor_chain([ - dup15, - 
dup2, - dup3, - dup4, - ])); - - var msg128 = msg("SYNC_COMPLETE", part98); - - var msg129 = msg("PVLAN_PPM_PORT_CONFIG_FAILED", dup97); - - var msg130 = msg("MESG", dup87); - - var part99 = match("MESSAGE#130:ERR_MSG", "nwparser.payload", "ERROR:%{result}", processor_chain([ - dup33, - dup2, - dup3, - dup4, - ])); - - var msg131 = msg("ERR_MSG", part99); - - var msg132 = msg("RM_VICPP_RECREATE_ERROR", dup97); - - var part100 = match("MESSAGE#132:CFGWRITE_ABORTED_LOCK", "nwparser.payload", "Unable to lock the configuration (error-id %{resultcode}). Aborting configuration copy.", processor_chain([ - dup15, - dup2, - dup3, - dup4, - ])); - - var msg133 = msg("CFGWRITE_ABORTED_LOCK", part100); - - var part101 = match("MESSAGE#133:CFGWRITE_FAILED", "nwparser.payload", "Configuration copy failed (error-id %{resultcode}).", processor_chain([ - dup15, - dup2, - dup3, - dup4, - ])); - - var msg134 = msg("CFGWRITE_FAILED", part101); - - var msg135 = msg("CFGWRITE_ABORTED", dup87); - - var msg136 = msg("CFGWRITE_DONE", dup87); - - var part102 = match("MESSAGE#136:CFGWRITE_STARTED/0_0", "nwparser.payload", "%{event_description->} (PID %{process_id})."); - - var select23 = linear_select([ - part102, - dup21, - ]); - - var all10 = all_match({ - processors: [ - select23, - ], - on_success: processor_chain([ - dup15, - dup2, - dup3, - dup4, - ]), - }); - - var msg137 = msg("CFGWRITE_STARTED", all10); - - var msg138 = msg("IF_ATTACHED", dup87); - - var msg139 = msg("IF_DELETE_AUTO", dup94); - - var part103 = match("MESSAGE#139:IF_DETACHED", "nwparser.payload", "Interface %{interface->} is detached", processor_chain([ - dup24, - dup2, - dup3, - dup4, - ])); - - var msg140 = msg("IF_DETACHED", part103); - - var msg141 = msg("IF_DETACHED_MODULE_REMOVED", dup94); - - var msg142 = msg("IF_DOWN_INACTIVE", dup88); - - var msg143 = msg("IF_DOWN_NON_PARTICIPATING", dup88); - - var part104 = match("MESSAGE#143:IF_DOWN_VEM_UNLICENSED", "nwparser.payload", "Interface %{interface->} is down", 
processor_chain([ - dup23, - dup2, - dup3, - dup4, - ])); - - var msg144 = msg("IF_DOWN_VEM_UNLICENSED", part104); - - var part105 = match("MESSAGE#144:CONN_CONNECT", "nwparser.payload", "Connection %{hostname->} connected to the vCenter Server.", processor_chain([ - dup36, - dup2, - dup3, - dup4, - ])); - - var msg145 = msg("CONN_CONNECT", part105); - - var part106 = match("MESSAGE#145:CONN_DISCONNECT", "nwparser.payload", "Connection %{hostname->} disconnected from the vCenter Server.", processor_chain([ - setc("eventcategory","1801030000"), - dup2, - dup3, - dup4, - ])); - - var msg146 = msg("CONN_DISCONNECT", part106); - - var part107 = match("MESSAGE#146:DVPG_CREATE", "nwparser.payload", "created port-group %{info->} on the vCenter Server.", processor_chain([ - dup29, - dup2, - dup3, - dup4, - ])); - - var msg147 = msg("DVPG_CREATE", part107); - - var part108 = match("MESSAGE#147:DVPG_DELETE", "nwparser.payload", "deleted port-group %{info->} from the vCenter Server.", processor_chain([ - dup24, - dup2, - dup3, - dup4, - ])); - - var msg148 = msg("DVPG_DELETE", part108); - - var msg149 = msg("DVS_HOSTMEMBER_INFO", dup87); - - var part109 = match("MESSAGE#149:DVS_NAME_CHANGE", "nwparser.payload", "Changed dvswitch name to %{info->} on the vCenter Server.", processor_chain([ - dup15, - dup2, - dup3, - dup4, - ])); - - var msg150 = msg("DVS_NAME_CHANGE", part109); - - var msg151 = msg("VMS_PPM_SYNC_COMPLETE", dup87); - - var part110 = match("MESSAGE#151:VPC_DELETED", "nwparser.payload", "vPC %{obj_name->} is deleted", processor_chain([ - dup15, - dup2, - dup3, - dup4, - ])); - - var msg152 = msg("VPC_DELETED", part110); - - var part111 = match("MESSAGE#152:VPC_UP", "nwparser.payload", "vPC %{obj_name->} is up", processor_chain([ - dup8, - dup2, - dup3, - dup4, - setc("event_description","VPC is up"), - ])); - - var msg153 = msg("VPC_UP", part111); - - var part112 = match("MESSAGE#153:VSHD_SYSLOG_CONFIG_I/0", "nwparser.payload", "Configured from vty by 
%{username->} on %{p0}"); - - var part113 = match("MESSAGE#153:VSHD_SYSLOG_CONFIG_I/1_0", "nwparser.p0", "%{saddr}@%{terminal}"); - - var part114 = match_copy("MESSAGE#153:VSHD_SYSLOG_CONFIG_I/1_1", "nwparser.p0", "saddr"); - - var select24 = linear_select([ - part113, - part114, - ]); - - var all11 = all_match({ - processors: [ - part112, - select24, - ], - on_success: processor_chain([ - dup15, - dup2, - dup3, - dup4, - ]), - }); - - var msg154 = msg("VSHD_SYSLOG_CONFIG_I", all11); - - var part115 = match("MESSAGE#154:VSHD_SYSLOG_CONFIG_I:01", "nwparser.payload", "Configuring console from %{fld43->} %{saddr}", processor_chain([ - dup15, - dup2, - dup3, - dup4, - ])); - - var msg155 = msg("VSHD_SYSLOG_CONFIG_I:01", part115); - - var select25 = linear_select([ - msg154, - msg155, - ]); - - var part116 = match("MESSAGE#155:AAA_ACCOUNTING_MESSAGE:18", "nwparser.payload", "update:%{saddr}@%{terminal}:%{username}:%{event_description}; feature %{protocol->} (%{result})", processor_chain([ - dup23, - dup2, - dup3, - dup4, - ])); - - var msg156 = msg("AAA_ACCOUNTING_MESSAGE:18", part116); - - var part117 = match("MESSAGE#156:AAA_ACCOUNTING_MESSAGE:17", "nwparser.payload", "update:%{saddr}@%{terminal}:%{username}:enabled telnet", processor_chain([ - dup22, - dup37, - dup38, - dup17, - dup2, - dup3, - dup4, - dup39, - dup40, - ])); - - var msg157 = msg("AAA_ACCOUNTING_MESSAGE:17", part117); - - var part118 = match("MESSAGE#157:AAA_ACCOUNTING_MESSAGE", "nwparser.payload", "start:%{saddr}@%{application}:%{username}", processor_chain([ - dup15, - dup2, - dup3, - dup4, - setc("event_description","program start"), - ])); - - var msg158 = msg("AAA_ACCOUNTING_MESSAGE", part118); - - var part119 = match("MESSAGE#158:AAA_ACCOUNTING_MESSAGE:08", "nwparser.payload", "start:snmp_%{fld43}_%{saddr}:%{username}:", processor_chain([ - dup15, - dup2, - dup3, - dup4, - ])); - - var msg159 = msg("AAA_ACCOUNTING_MESSAGE:08", part119); - - var part120 = 
match("MESSAGE#159:AAA_ACCOUNTING_MESSAGE:03", "nwparser.payload", "start:%{saddr}(%{terminal}):%{username}:", processor_chain([ - dup15, - dup2, - dup3, - dup4, - ])); - - var msg160 = msg("AAA_ACCOUNTING_MESSAGE:03", part120); - - var part121 = match("MESSAGE#160:AAA_ACCOUNTING_MESSAGE:19", "nwparser.payload", "start:%{fld40}:%{username}:", processor_chain([ - dup15, - dup2, - dup3, - dup4, - ])); - - var msg161 = msg("AAA_ACCOUNTING_MESSAGE:19", part121); - - var part122 = match("MESSAGE#161:AAA_ACCOUNTING_MESSAGE:22", "nwparser.payload", "update:::added user %{username}", processor_chain([ - dup19, - dup2, - dup3, - dup4, - ])); - - var msg162 = msg("AAA_ACCOUNTING_MESSAGE:22", part122); - - var part123 = match("MESSAGE#162:AAA_ACCOUNTING_MESSAGE:23", "nwparser.payload", "update:::%{event_description}", processor_chain([ - dup15, - dup2, - dup3, - dup4, - ])); - - var msg163 = msg("AAA_ACCOUNTING_MESSAGE:23", part123); - - var part124 = match("MESSAGE#163:AAA_ACCOUNTING_MESSAGE:11", "nwparser.payload", "update:snmp_%{fld43}_%{saddr}:%{username}:target (name:%{dhost->} address:%{daddr}:%{dport}) deleted", processor_chain([ - dup15, - dup2, - dup3, - dup4, - ])); - - var msg164 = msg("AAA_ACCOUNTING_MESSAGE:11", part124); - - var part125 = match("MESSAGE#164:AAA_ACCOUNTING_MESSAGE:12", "nwparser.payload", "update:snmp_%{fld43}_%{saddr}:%{username}:target (name:%{dhost->} address:%{daddr}:%{dport->} timeout:%{fld44->} retry:%{fld45->} tagList:trap params:%{fld46}) added", processor_chain([ - dup15, - dup2, - dup3, - dup4, - ])); - - var msg165 = msg("AAA_ACCOUNTING_MESSAGE:12", part125); - - var part126 = match("MESSAGE#165:AAA_ACCOUNTING_MESSAGE:13", "nwparser.payload", "update:snmp_%{fld43}_%{saddr}:%{username}:Interface %{interface->} state updated to up", processor_chain([ - dup15, - dup2, - dup3, - dup4, - ])); - - var msg166 = msg("AAA_ACCOUNTING_MESSAGE:13", part126); - - var part127 = match("MESSAGE#166:AAA_ACCOUNTING_MESSAGE:14", "nwparser.payload", 
"update:snmp_%{fld43}_%{saddr}:%{username}:Interface %{interface->} state updated to down", processor_chain([ - dup15, - dup2, - dup3, - dup4, - ])); - - var msg167 = msg("AAA_ACCOUNTING_MESSAGE:14", part127); - - var part128 = match("MESSAGE#167:AAA_ACCOUNTING_MESSAGE:15", "nwparser.payload", "update:snmp_%{fld43}_%{saddr}:%{username}:Performing configuration copy.", processor_chain([ - dup15, - dup2, - dup3, - dup4, - ])); - - var msg168 = msg("AAA_ACCOUNTING_MESSAGE:15", part128); - - var part129 = match("MESSAGE#168:AAA_ACCOUNTING_MESSAGE:16", "nwparser.payload", "update:%{saddr}@%{application}:%{username}:terminal length %{dclass_counter1->} (%{result})", processor_chain([ - dup15, - dup2, - dup3, - dup4, - dup41, - ])); - - var msg169 = msg("AAA_ACCOUNTING_MESSAGE:16", part129); - - var part130 = match("MESSAGE#169:AAA_ACCOUNTING_MESSAGE:04", "nwparser.payload", "update:%{saddr}(%{fld3}):%{username}:terminal length %{fld5}:%{result}", processor_chain([ - dup15, - dup2, - dup3, - dup4, - ])); - - var msg170 = msg("AAA_ACCOUNTING_MESSAGE:04", part130); - - var part131 = match("MESSAGE#170:AAA_ACCOUNTING_MESSAGE:01", "nwparser.payload", "update:%{saddr}@%{terminal}:%{application}:terminal width %{dclass_counter1->} (%{result})", processor_chain([ - dup15, - dup2, - dup3, - dup4, - dup41, - ])); - - var msg171 = msg("AAA_ACCOUNTING_MESSAGE:01", part131); - - var part132 = match("MESSAGE#171:AAA_ACCOUNTING_MESSAGE:27/1_0", "nwparser.p0", "configure terminal ; ntp source-interface %{sinterface->} (%{p0}"); - - var part133 = match("MESSAGE#171:AAA_ACCOUNTING_MESSAGE:27/1_1", "nwparser.p0", "show ntp statistics peer ipaddr %{hostip->} (%{p0}"); - - var select26 = linear_select([ - part132, - part133, - ]); - - var all12 = all_match({ - processors: [ - dup42, - select26, - dup43, - ], - on_success: processor_chain([ - dup15, - dup2, - dup3, - dup4, - dup44, - ]), - }); - - var msg172 = msg("AAA_ACCOUNTING_MESSAGE:27", all12); - - var part134 = 
match("MESSAGE#172:AAA_ACCOUNTING_MESSAGE:28/1_0", "nwparser.p0", "clock set %{event_time_string->} (%{p0}"); - - var part135 = match("MESSAGE#172:AAA_ACCOUNTING_MESSAGE:28/1_1", "nwparser.p0", "show logging last %{fld1->} (%{p0}"); - - var select27 = linear_select([ - part134, - part135, - ]); - - var all13 = all_match({ - processors: [ - dup42, - select27, - dup43, - ], - on_success: processor_chain([ - dup15, - dup2, - dup3, - dup4, - dup44, - ]), - }); - - var msg173 = msg("AAA_ACCOUNTING_MESSAGE:28", all13); - - var part136 = match("MESSAGE#173:AAA_ACCOUNTING_MESSAGE:20", "nwparser.payload", "update:%{saddr}@%{terminal}:%{username}:%{info->} (%{result})", processor_chain([ - dup15, - dup2, - dup3, - dup4, - ])); - - var msg174 = msg("AAA_ACCOUNTING_MESSAGE:20", part136); - - var part137 = match("MESSAGE#174:AAA_ACCOUNTING_MESSAGE:30", "nwparser.payload", "update:%{saddr}@%{terminal}:%{username}:added user %{c_username}", processor_chain([ - dup18, - dup2, - dup3, - dup4, - dup11, - dup17, - setc("event_description","Added user"), - dup44, - ])); - - var msg175 = msg("AAA_ACCOUNTING_MESSAGE:30", part137); - - var part138 = match("MESSAGE#175:AAA_ACCOUNTING_MESSAGE:29", "nwparser.payload", "update:%{saddr}@%{terminal}:%{username}:deleted user %{c_username}", processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup11, - dup17, - setc("event_description","Deleted user"), - dup44, - ])); - - var msg176 = msg("AAA_ACCOUNTING_MESSAGE:29", part138); - - var part139 = match("MESSAGE#176:AAA_ACCOUNTING_MESSAGE:21", "nwparser.payload", "update:%{saddr}@%{terminal}:%{username}:%{info}", processor_chain([ - dup15, - dup2, - dup3, - dup4, - ])); - - var msg177 = msg("AAA_ACCOUNTING_MESSAGE:21", part139); - - var part140 = match("MESSAGE#177:AAA_ACCOUNTING_MESSAGE:07", "nwparser.payload", "update:%{saddr}(%{fld3}):%{username}:terminal width %{dclass_counter1}:%{result}", processor_chain([ - dup15, - dup2, - dup3, - dup4, - ])); - - var msg178 = 
msg("AAA_ACCOUNTING_MESSAGE:07", part140); - - var part141 = match("MESSAGE#178:AAA_ACCOUNTING_MESSAGE:05", "nwparser.payload", "update:%{saddr}(%{fld3}):%{username}:terminal session-timeout %{fld5}:%{result}", processor_chain([ - dup15, - dup2, - dup3, - dup4, - ])); - - var msg179 = msg("AAA_ACCOUNTING_MESSAGE:05", part141); - - var part142 = match("MESSAGE#179:AAA_ACCOUNTING_MESSAGE:10", "nwparser.payload", "update:%{saddr}(%{fld3}):%{username}:copy %{event_description}", processor_chain([ - dup15, - dup2, - dup3, - dup4, - ])); - - var msg180 = msg("AAA_ACCOUNTING_MESSAGE:10", part142); - - var part143 = match("MESSAGE#180:AAA_ACCOUNTING_MESSAGE:24", "nwparser.payload", "update:%{terminal}:%{username}: %{event_description}", processor_chain([ - dup15, - dup2, - dup3, - dup4, - ])); - - var msg181 = msg("AAA_ACCOUNTING_MESSAGE:24", part143); - - var part144 = match("MESSAGE#181:AAA_ACCOUNTING_MESSAGE:06", "nwparser.payload", "stop:%{saddr}(%{fld3}):%{username}:shell terminated", processor_chain([ - dup15, - dup2, - dup3, - dup4, - ])); - - var msg182 = msg("AAA_ACCOUNTING_MESSAGE:06", part144); - - var part145 = match("MESSAGE#182:AAA_ACCOUNTING_MESSAGE:02", "nwparser.payload", "stop:%{saddr}@%{terminal}:%{username}:shell %{result}", processor_chain([ - dup15, - dup2, - dup3, - dup4, - setc("event_description","shell terminated"), - ])); - - var msg183 = msg("AAA_ACCOUNTING_MESSAGE:02", part145); - - var part146 = match("MESSAGE#183:AAA_ACCOUNTING_MESSAGE:25", "nwparser.payload", "stop:%{saddr}@%{terminal}:%{username}:%{fld40}", processor_chain([ - dup15, - dup2, - dup3, - dup4, - ])); - - var msg184 = msg("AAA_ACCOUNTING_MESSAGE:25", part146); - - var part147 = match("MESSAGE#184:AAA_ACCOUNTING_MESSAGE:09", "nwparser.payload", "stop:snmp_%{fld43}_%{saddr}:%{username}:", processor_chain([ - dup15, - dup2, - dup3, - dup4, - ])); - - var msg185 = msg("AAA_ACCOUNTING_MESSAGE:09", part147); - - var part148 = match("MESSAGE#185:AAA_ACCOUNTING_MESSAGE:26", 
"nwparser.payload", "stop:%{terminal}:%{username}:", processor_chain([ - dup15, - dup2, - dup3, - dup4, - ])); - - var msg186 = msg("AAA_ACCOUNTING_MESSAGE:26", part148); - - var select28 = linear_select([ - msg156, - msg157, - msg158, - msg159, - msg160, - msg161, - msg162, - msg163, - msg164, - msg165, - msg166, - msg167, - msg168, - msg169, - msg170, - msg171, - msg172, - msg173, - msg174, - msg175, - msg176, - msg177, - msg178, - msg179, - msg180, - msg181, - msg182, - msg183, - msg184, - msg185, - msg186, - ]); - - var all14 = all_match({ - processors: [ - dup45, - dup98, - dup48, - dup99, - dup51, - dup98, - dup52, - dup99, - dup53, - dup100, - dup56, - dup101, - dup59, - ], - on_success: processor_chain([ - dup15, - dup2, - dup3, - dup4, - setc("event_description","ACL Log Flow Interval"), - dup60, - ]), - }); - - var msg187 = msg("ACLLOG_FLOW_INTERVAL", all14); - - var part149 = match("MESSAGE#187:ACLLOG_MAXFLOW_REACHED", "nwparser.payload", "Maximum limit %{fld3->} reached for number of flows", processor_chain([ - dup15, - dup2, - dup3, - dup4, - ])); - - var msg188 = msg("ACLLOG_MAXFLOW_REACHED", part149); - - var all15 = all_match({ - processors: [ - dup45, - dup98, - dup48, - dup99, - dup51, - dup98, - dup52, - dup99, - dup53, - dup100, - dup56, - dup101, - dup59, - ], - on_success: processor_chain([ - dup15, - dup2, - dup3, - dup4, - setc("event_description","ACL Lof New Flow"), - dup60, - ]), - }); - - var msg189 = msg("ACLLOG_NEW_FLOW", all15); - - var part150 = match("MESSAGE#189:DUP_VADDR_SRC_IP", "nwparser.payload", "%{process->} [%{process_id}] Source address of packet received from %{smacaddr->} on %{vlan}(%{interface}) is duplicate of local virtual ip, %{saddr}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - setc("event_description","Source address of packet received on vlan is duplicate of local virtual ip"), - ])); - - var msg190 = msg("DUP_VADDR_SRC_IP", part150); - - var part151 = match("MESSAGE#190:IF_ERROR_VLANS_REMOVED", 
"nwparser.payload", "VLANs %{vlan->} on Interface %{sinterface->} are removed from suspended state.", processor_chain([ - dup15, - dup2, - dup3, - dup4, - ])); - - var msg191 = msg("IF_ERROR_VLANS_REMOVED", part151); - - var part152 = match("MESSAGE#191:IF_ERROR_VLANS_SUSPENDED", "nwparser.payload", "VLANs %{vlan->} on Interface %{sinterface->} are being suspended. (Reason: %{info})", processor_chain([ - dup15, - dup2, - dup3, - dup4, - ])); - - var msg192 = msg("IF_ERROR_VLANS_SUSPENDED", part152); - - var part153 = match("MESSAGE#192:IF_DOWN_CFG_CHANGE", "nwparser.payload", "Interface %{sinterface->} is down(%{result})", processor_chain([ - dup15, - dup2, - dup3, - dup4, - ])); - - var msg193 = msg("IF_DOWN_CFG_CHANGE", part153); - - var part154 = match("MESSAGE#193:PFM_CLOCK_CHANGE", "nwparser.payload", "Clock setting has been changed on the system. Please be aware that clock changes will force a recheckout of all existing VEM licenses. During this recheckout procedure, licensed VEMs which are offline will lose their licenses.%{}", processor_chain([ - dup15, - dup2, - dup3, - dup4, - ])); - - var msg194 = msg("PFM_CLOCK_CHANGE", part154); - - var part155 = match("MESSAGE#194:SYNC_FAILURE_STANDBY_RESET", "nwparser.payload", "Failure in syncing messages to standby for vdc %{fld3->} causing standby to reset.", processor_chain([ - dup15, - dup2, - dup3, - dup4, - ])); - - var msg195 = msg("SYNC_FAILURE_STANDBY_RESET", part155); - - var part156 = match("MESSAGE#195:snmpd", "nwparser.payload", "snmp_pss_snapshot : Copying local engine DB PSS file to url%{}", processor_chain([ - dup15, - dup2, - dup3, - dup4, - ])); - - var msg196 = msg("snmpd", part156); - - var part157 = match("MESSAGE#196:snmpd:01", "nwparser.payload", "SNMPD_SYSLOG_CONFIG_I: Configuration update from %{fld43}_%{saddr->} %{info}", processor_chain([ - dup15, - dup2, - dup3, - dup4, - ])); - - var msg197 = msg("snmpd:01", part157); - - var select29 = linear_select([ - msg196, - msg197, - ]); - - var 
part158 = match("MESSAGE#197:CFGWRITE_USER_ABORT", "nwparser.payload", "Configuration copy aborted by the user.%{}", processor_chain([ - dup15, - dup2, - dup3, - dup4, - ])); - - var msg198 = msg("CFGWRITE_USER_ABORT", part158); - - var msg199 = msg("IF_DOWN_BIT_ERR_RT_THRES_EXCEEDED", dup95); - - var part159 = match("MESSAGE#199:last", "nwparser.payload", "message repeated %{dclass_counter1->} time", processor_chain([ - dup15, - dup2, - dup3, - dup4, - setc("event_description","last message repeated number of times."), - setc("dclass_counter1_string","Number of times repeated"), - ])); - - var msg200 = msg("last", part159); - - var part160 = match("MESSAGE#200:SERVICE_CRASHED", "nwparser.payload", "Service %{service->} (PID %{parent_pid}) hasn't caught signal %{fld43->} (%{result}).", processor_chain([ - dup32, - dup2, - dup3, - dup4, - ])); - - var msg201 = msg("SERVICE_CRASHED", part160); - - var part161 = match("MESSAGE#201:SERVICELOST", "nwparser.payload", "Service %{service->} lost on WCCP Client %{saddr}", processor_chain([ - dup61, - dup2, - dup3, - dup4, - setc("event_description","Service lost on WCCP Client"), - ])); - - var msg202 = msg("SERVICELOST", part161); - - var part162 = match("MESSAGE#202:IF_BRINGUP_ALLOWED_FCOT_CHECKSUM_ERR", "nwparser.payload", "Interface %{interface->} is allowed to come up even with SFP checksum error", processor_chain([ - dup23, - dup2, - dup3, - dup4, - ])); - - var msg203 = msg("IF_BRINGUP_ALLOWED_FCOT_CHECKSUM_ERR", part162); - - var part163 = match("MESSAGE#203:PS_FAIL/0", "nwparser.payload", "Power supply %{fld43->} failed or shut%{p0}"); - - var part164 = match("MESSAGE#203:PS_FAIL/1_0", "nwparser.p0", " down %{p0}"); - - var part165 = match("MESSAGE#203:PS_FAIL/1_1", "nwparser.p0", "down %{p0}"); - - var select30 = linear_select([ - part164, - part165, - ]); - - var part166 = match("MESSAGE#203:PS_FAIL/2", "nwparser.p0", "(Serial number %{serial_number})"); - - var all16 = all_match({ - processors: [ - part163, - 
select30, - part166, - ], - on_success: processor_chain([ - dup23, - dup2, - dup3, - dup4, - ]), - }); - - var msg204 = msg("PS_FAIL", all16); - - var msg205 = msg("INFORMATION", dup87); - - var msg206 = msg("EVENT", dup87); - - var part167 = match("MESSAGE#206:NATIVE_VLAN_MISMATCH", "nwparser.payload", "Native VLAN mismatch discovered on %{interface}, with %{fld23}", processor_chain([ - dup23, - dup2, - dup3, - dup4, - ])); - - var msg207 = msg("NATIVE_VLAN_MISMATCH", part167); - - var part168 = match("MESSAGE#207:NEIGHBOR_ADDED", "nwparser.payload", "Device %{fld22->} discovered of type %{fld23->} with port %{fld24->} on incoming port %{interface->} with ip addr %{fld25->} and mgmt ip %{hostip}", processor_chain([ - dup29, - dup2, - dup3, - dup4, - ])); - - var msg208 = msg("NEIGHBOR_ADDED", part168); - - var part169 = match("MESSAGE#208:NEIGHBOR_REMOVED", "nwparser.payload", "CDP Neighbor %{fld22->} on port %{interface->} has been removed", processor_chain([ - dup24, - dup2, - dup3, - dup4, - ])); - - var msg209 = msg("NEIGHBOR_REMOVED", part169); - - var part170 = match("MESSAGE#209:IF_BANDWIDTH_CHANGE", "nwparser.payload", "Interface %{interface},%{event_description}", processor_chain([ - dup15, - dup2, - dup3, - dup4, - ])); - - var msg210 = msg("IF_BANDWIDTH_CHANGE", part170); - - var part171 = match("MESSAGE#210:IF_DOWN_PARENT_ADMIN_DOWN", "nwparser.payload", "Interface %{interface->} is down (Parent interface down)", processor_chain([ - dup23, - dup2, - dup3, - dup4, - ])); - - var msg211 = msg("IF_DOWN_PARENT_ADMIN_DOWN", part171); - - var part172 = match("MESSAGE#211:PORT_INDIVIDUAL_DOWN", "nwparser.payload", "individual port %{interface->} is down", processor_chain([ - dup23, - dup2, - dup3, - dup4, - ])); - - var msg212 = msg("PORT_INDIVIDUAL_DOWN", part172); - - var part173 = match("MESSAGE#212:PORT_SUSPENDED", "nwparser.payload", "%{fld22}: %{interface->} is suspended", processor_chain([ - dup23, - dup2, - dup3, - dup4, - ])); - - var msg213 = 
msg("PORT_SUSPENDED", part173); - - var part174 = match("MESSAGE#213:FEX_PORT_STATUS_NOTI", "nwparser.payload", "Uplink-ID %{fld22->} of Fex %{fld23->} that is connected with %{interface->} changed its status from %{change_old->} to %{change_new}", processor_chain([ - dup15, - dup2, - dup3, - dup4, - setc("change_attribute","status"), - ])); - - var msg214 = msg("FEX_PORT_STATUS_NOTI", part174); - - var msg215 = msg("NOHMS_DIAG_ERR_PS_FAIL", dup102); - - var msg216 = msg("NOHMS_DIAG_ERR_PS_RECOVERED", dup87); - - var msg217 = msg("ADJCHANGE", dup87); - - var part175 = match("MESSAGE#217:PORT_ADDED", "nwparser.payload", "Interface %{interface}, added to VLAN%{vlan->} with role %{fld22}, state %{disposition}, %{info}", processor_chain([ - dup29, - dup2, - dup3, - dup4, - ])); - - var msg218 = msg("PORT_ADDED", part175); - - var part176 = match("MESSAGE#218:PORT_DELETED", "nwparser.payload", "Interface %{interface}, removed from VLAN%{vlan}", processor_chain([ - dup24, - dup2, - dup3, - dup4, - ])); - - var msg219 = msg("PORT_DELETED", part176); - - var part177 = match("MESSAGE#219:PORT_ROLE", "nwparser.payload", "Port %{interface->} instance VLAN%{vlan->} role changed to %{fld22}", processor_chain([ - dup62, - dup2, - dup3, - dup4, - ])); - - var msg220 = msg("PORT_ROLE", part177); - - var part178 = match("MESSAGE#220:PORT_STATE", "nwparser.payload", "Port %{interface->} instance VLAN%{vlan->} moving from %{change_old->} to %{change_new}", processor_chain([ - dup15, - dup2, - dup3, - dup4, - setc("change_attribute","Port state"), - ])); - - var msg221 = msg("PORT_STATE", part178); - - var part179 = match("MESSAGE#221:TACACS_ACCOUNTING_MESSAGE", "nwparser.payload", "update: %{saddr}@%{terminal}: %{username}: %{event_description}; feature %{protocol->} (%{result}) %{info}", processor_chain([ - dup23, - dup2, - dup3, - dup4, - ])); - - var msg222 = msg("TACACS_ACCOUNTING_MESSAGE", part179); - - var part180 = match("MESSAGE#222:TACACS_ACCOUNTING_MESSAGE:01", 
"nwparser.payload", "update:%{saddr}@%{terminal}:%{username}: enabled telnet", processor_chain([ - dup22, - dup37, - dup38, - dup17, - dup2, - dup3, - dup4, - dup39, - dup40, - ])); - - var msg223 = msg("TACACS_ACCOUNTING_MESSAGE:01", part180); - - var part181 = match("MESSAGE#368:TACACS_ACCOUNTING_MESSAGE:04", "nwparser.payload", "%{action}: %{saddr}@%{terminal}: %{username}: configure terminal ; ntp source-interface %{sinterface->} (%{result})%{info}", processor_chain([ - dup63, - dup2, - dup4, - ])); - - var msg224 = msg("TACACS_ACCOUNTING_MESSAGE:04", part181); - - var part182 = match("MESSAGE#369:TACACS_ACCOUNTING_MESSAGE:05/0", "nwparser.payload", "%{action}: %{saddr}@%{terminal}: %{username}: show %{p0}"); - - var part183 = match("MESSAGE#369:TACACS_ACCOUNTING_MESSAGE:05/1_0", "nwparser.p0", "ntp statistics peer ipaddr %{hostip->} (%{p0}"); - - var part184 = match("MESSAGE#369:TACACS_ACCOUNTING_MESSAGE:05/1_1", "nwparser.p0", "logging last %{fld3->} (%{p0}"); - - var select31 = linear_select([ - part183, - part184, - ]); - - var part185 = match("MESSAGE#369:TACACS_ACCOUNTING_MESSAGE:05/2", "nwparser.p0", "%{result})%{info}"); - - var all17 = all_match({ - processors: [ - part182, - select31, - part185, - ], - on_success: processor_chain([ - dup63, - dup2, - dup4, - ]), - }); - - var msg225 = msg("TACACS_ACCOUNTING_MESSAGE:05", all17); - - var part186 = match("MESSAGE#370:TACACS_ACCOUNTING_MESSAGE:06", "nwparser.payload", "%{action}: %{saddr}@%{terminal}: %{username}: clock set %{event_time_string->} (%{result})%{info}", processor_chain([ - dup63, - dup2, - dup4, - ])); - - var msg226 = msg("TACACS_ACCOUNTING_MESSAGE:06", part186); - - var part187 = match("MESSAGE#371:TACACS_ACCOUNTING_MESSAGE:08", "nwparser.payload", "%{action}: %{saddr}@%{terminal}: %{username}: Performing configuration copy. 
%{info}", processor_chain([ - dup63, - dup2, - dup4, - setc("event_description","Performing configuration copy"), - ])); - - var msg227 = msg("TACACS_ACCOUNTING_MESSAGE:08", part187); - - var part188 = match("MESSAGE#372:TACACS_ACCOUNTING_MESSAGE:09/2", "nwparser.p0", "%{username}: shell terminated because of session timeout %{p0}"); - - var all18 = all_match({ - processors: [ - dup64, - dup103, - part188, - dup104, - ], - on_success: processor_chain([ - dup63, - dup2, - dup4, - setc("event_description","shell terminated because of session timeout"), - ]), - }); - - var msg228 = msg("TACACS_ACCOUNTING_MESSAGE:09", all18); - - var part189 = match("MESSAGE#373:TACACS_ACCOUNTING_MESSAGE:07/2", "nwparser.p0", "%{username}: %{event_description->} %{p0}"); - - var all19 = all_match({ - processors: [ - dup64, - dup103, - part189, - dup104, - ], - on_success: processor_chain([ - dup63, - dup2, - dup4, - ]), - }); - - var msg229 = msg("TACACS_ACCOUNTING_MESSAGE:07", all19); - - var select32 = linear_select([ - msg222, - msg223, - msg224, - msg225, - msg226, - msg227, - msg228, - msg229, - ]); - - var msg230 = msg("TACACS_ERROR_MESSAGE", dup102); - - var msg231 = msg("IF_SFP_WARNING", dup105); - - var msg232 = msg("IF_DOWN_TCP_MAX_RETRANSMIT", dup106); - - var msg233 = msg("FCIP_PEER_CAVIUM", dup87); - - var msg234 = msg("IF_DOWN_PEER_CLOSE", dup106); - - var msg235 = msg("IF_DOWN_PEER_RESET", dup106); - - var part190 = match("MESSAGE#229:INTF_CONSISTENCY_FAILED", "nwparser.payload", "In domain %{domain}, VPC %{obj_name->} configuration is not consistent (%{result})", processor_chain([ - dup15, - dup2, - dup3, - dup4, - setc("event_description","configuration is not consistent in domain"), - ])); - - var msg236 = msg("INTF_CONSISTENCY_FAILED", part190); - - var part191 = match("MESSAGE#230:INTF_CONSISTENCY_SUCCESS", "nwparser.payload", "In domain %{domain}, vPC %{obj_name->} configuration is consistent", processor_chain([ - dup8, - dup2, - dup3, - dup4, - 
setc("event_description","configuration is consistent in domain"), - ])); - - var msg237 = msg("INTF_CONSISTENCY_SUCCESS", part191); - - var msg238 = msg("INTF_COUNTERS_CLEARED", dup105); - - var msg239 = msg("IF_HARDWARE", dup105); - - var part192 = match_copy("MESSAGE#233:HEARTBEAT_FAILURE", "nwparser.payload", "event_description", processor_chain([ - setc("eventcategory","1604010000"), - dup2, - dup3, - dup4, - ])); - - var msg240 = msg("HEARTBEAT_FAILURE", part192); - - var msg241 = msg("SYSMGR_AUTOCOLLECT_TECH_SUPPORT_LOG", dup87); - - var msg242 = msg("PFM_FAN_FLTR_STATUS", dup87); - - var msg243 = msg("MOUNT", dup87); - - var msg244 = msg("LOG_CMP_UP", dup87); - - var part193 = match("MESSAGE#238:IF_XCVR_WARNING/2", "nwparser.p0", "Temperature Warning cleared%{}"); - - var all20 = all_match({ - processors: [ - dup69, - dup107, - part193, - ], - on_success: processor_chain([ - dup15, - dup2, - dup3, - dup4, - ]), - }); - - var msg245 = msg("IF_XCVR_WARNING", all20); - - var msg246 = msg("IF_XCVR_WARNING:01", dup108); - - var select33 = linear_select([ - msg245, - msg246, - ]); - - var part194 = match("MESSAGE#240:IF_XCVR_ALARM/2", "nwparser.p0", "Temperature Alarm cleared%{}"); - - var all21 = all_match({ - processors: [ - dup69, - dup107, - part194, - ], - on_success: processor_chain([ - dup15, - dup2, - dup3, - dup4, - ]), - }); - - var msg247 = msg("IF_XCVR_ALARM", all21); - - var msg248 = msg("IF_XCVR_ALARM:01", dup108); - - var select34 = linear_select([ - msg247, - msg248, - ]); - - var msg249 = msg("MEMORY_ALERT", dup87); - - var msg250 = msg("MEMORY_ALERT_RECOVERED", dup87); - - var part195 = match("MESSAGE#244:IF_SFP_ALARM/2", "nwparser.p0", "Rx Power Alarm cleared%{}"); - - var all22 = all_match({ - processors: [ - dup69, - dup107, - part195, - ], - on_success: processor_chain([ - dup15, - dup2, - dup3, - dup4, - ]), - }); - - var msg251 = msg("IF_SFP_ALARM", all22); - - var msg252 = msg("IF_SFP_ALARM:01", dup108); - - var select35 = linear_select([ 
- msg251, - msg252, - ]); - - var part196 = match_copy("MESSAGE#246:NBRCHANGE_DUAL", "nwparser.payload", "event_description", processor_chain([ - dup61, - dup2, - dup3, - dup4, - ])); - - var msg253 = msg("NBRCHANGE_DUAL", part196); - - var part197 = match("MESSAGE#247:SOHMS_DIAG_ERROR/0", "nwparser.payload", "%{} %{device->} %{p0}"); - - var part198 = match("MESSAGE#247:SOHMS_DIAG_ERROR/1_0", "nwparser.p0", "%{action}: System %{p0}"); - - var part199 = match("MESSAGE#247:SOHMS_DIAG_ERROR/1_1", "nwparser.p0", "System %{p0}"); - - var select36 = linear_select([ - part198, - part199, - ]); - - var part200 = match("MESSAGE#247:SOHMS_DIAG_ERROR/2", "nwparser.p0", "minor alarm on fans in fan tray %{dclass_counter1}"); - - var all23 = all_match({ - processors: [ - part197, - select36, - part200, - ], - on_success: processor_chain([ - dup61, - dup38, - dup72, - dup2, - dup3, - dup4, - setc("event_description","System minor alarm on fans in fan tray"), - ]), - }); - - var msg254 = msg("SOHMS_DIAG_ERROR", all23); - - var part201 = match("MESSAGE#248:SOHMS_DIAG_ERROR:01", "nwparser.payload", "%{device->} System minor alarm on power supply %{fld42}: %{result}", processor_chain([ - dup61, - dup38, - dup72, - dup2, - dup3, - dup4, - setc("event_description","FEX-System minor alarm on power supply."), - ])); - - var msg255 = msg("SOHMS_DIAG_ERROR:01", part201); - - var part202 = match("MESSAGE#249:SOHMS_DIAG_ERROR:02", "nwparser.payload", "%{device}: %{event_description}", processor_chain([ - dup61, - dup38, - dup72, - dup2, - dup3, - dup4, - ])); - - var msg256 = msg("SOHMS_DIAG_ERROR:02", part202); - - var select37 = linear_select([ - msg254, - msg255, - msg256, - ]); - - var part203 = match("MESSAGE#250:M2FIB_MAC_TBL_PRGMING", "nwparser.payload", "Failed to program the mac table on %{device->} for group: %{fld1}, (%{fld2->} (%{fld3}), %{fld4}, %{hostip}). Error: %{result}. 
%{info}", processor_chain([ - dup73, - dup34, - dup38, - dup72, - dup2, - dup3, - dup4, - setc("event_description","Failed to program the mac table"), - ])); - - var msg257 = msg("M2FIB_MAC_TBL_PRGMING", part203); - - var part204 = match("MESSAGE#251:DELETE_STALE_USER_ACCOUNT", "nwparser.payload", "deleting expired user account:%{username}", processor_chain([ - dup19, - dup11, - dup20, - setc("ec_theme","UserGroup"), - dup2, - dup3, - dup4, - setc("event_description","deleting expired user account"), - ])); - - var msg258 = msg("DELETE_STALE_USER_ACCOUNT", part204); - - var part205 = match("MESSAGE#252:IF_ADMIN_UP", "nwparser.payload", "Interface %{interface->} is admin up", processor_chain([ - dup30, - dup34, - dup38, - dup17, - dup2, - dup3, - dup4, - setc("event_description","Interface is admin up."), - ])); - - var msg259 = msg("IF_ADMIN_UP", part205); - - var part206 = match("MESSAGE#253:VPC_CFGD", "nwparser.payload", "vPC %{obj_name->} is configured", processor_chain([ - dup30, - dup34, - dup38, - dup17, - dup2, - dup3, - dup4, - setc("event_description","vPC is configured"), - dup74, - ])); - - var msg260 = msg("VPC_CFGD", part206); - - var part207 = match("MESSAGE#254:MODULE_ONLINE", "nwparser.payload", "System Manager has received notification of %{info}", processor_chain([ - dup30, - dup38, - dup17, - dup2, - dup3, - dup4, - setc("event_description","System Manager has received notification of local module becoming online."), - ])); - - var msg261 = msg("MODULE_ONLINE", part207); - - var part208 = match("MESSAGE#255:BIOS_DAEMON_LC_PRI_BOOT", "nwparser.payload", "System booted from Primary BIOS Flash%{}", processor_chain([ - dup30, - dup75, - dup76, - dup2, - dup3, - dup4, - setc("event_description","System booted from Primary BIOS Flash"), - ])); - - var msg262 = msg("BIOS_DAEMON_LC_PRI_BOOT", part208); - - var part209 = match("MESSAGE#256:PEER_VPC_DOWN", "nwparser.payload", "Peer %{obj_name->} is down ()", processor_chain([ - dup77, - dup34, - dup38, - 
dup72, - dup2, - dup3, - dup4, - setc("event_description","Peer vPC is down"), - dup74, - ])); - - var msg263 = msg("PEER_VPC_DOWN", part209); - - var part210 = match("MESSAGE#257:PEER_KEEP_ALIVE_RECV_INT_LATEST/0", "nwparser.payload", "In domain %{domain}, %{p0}"); - - var part211 = match("MESSAGE#257:PEER_KEEP_ALIVE_RECV_INT_LATEST/1_0", "nwparser.p0", "VPC%{p0}"); - - var part212 = match("MESSAGE#257:PEER_KEEP_ALIVE_RECV_INT_LATEST/1_1", "nwparser.p0", "vPC%{p0}"); - - var select38 = linear_select([ - part211, - part212, - ]); - - var part213 = match("MESSAGE#257:PEER_KEEP_ALIVE_RECV_INT_LATEST/2", "nwparser.p0", "%{}peer%{p0}"); - - var part214 = match("MESSAGE#257:PEER_KEEP_ALIVE_RECV_INT_LATEST/3_0", "nwparser.p0", "-keepalive%{p0}"); - - var part215 = match("MESSAGE#257:PEER_KEEP_ALIVE_RECV_INT_LATEST/3_1", "nwparser.p0", " keep-alive%{p0}"); - - var select39 = linear_select([ - part214, - part215, - ]); - - var part216 = match("MESSAGE#257:PEER_KEEP_ALIVE_RECV_INT_LATEST/4", "nwparser.p0", "%{}received on interface %{interface}"); - - var all24 = all_match({ - processors: [ - part210, - select38, - part213, - select39, - part216, - ], - on_success: processor_chain([ - dup36, - dup2, - dup3, - dup4, - setc("event_description","In domain, VPC peer-keepalive received on interface"), - ]), - }); - - var msg264 = msg("PEER_KEEP_ALIVE_RECV_INT_LATEST", all24); - - var part217 = match("MESSAGE#258:PEER_KEEP_ALIVE_RECV_SUCCESS", "nwparser.payload", "In domain %{domain}, vPC peer keep-alive receive is successful", processor_chain([ - dup36, - dup34, - dup78, - dup35, - dup17, - dup2, - dup3, - dup4, - setc("event_description","In domain, vPC peer keep-alive receive is successful"), - ])); - - var msg265 = msg("PEER_KEEP_ALIVE_RECV_SUCCESS", part217); - - var part218 = match("MESSAGE#259:PEER_KEEP_ALIVE_RECV_FAIL", "nwparser.payload", "In domain %{domain}, VPC peer keep-alive receive has failed", processor_chain([ - dup77, - dup34, - dup78, - dup35, - dup14, - dup2, 
- dup3, - dup4, - setc("event_description","In domain, VPC peer keep-alive receive has failed"), - ])); - - var msg266 = msg("PEER_KEEP_ALIVE_RECV_FAIL", part218); - - var part219 = match("MESSAGE#260:PEER_KEEP_ALIVE_SEND_INT_LATEST", "nwparser.payload", "In domain %{domain}, VPC peer-keepalive sent on interface %{interface}", processor_chain([ - dup36, - dup34, - dup79, - dup35, - dup2, - dup3, - dup4, - setc("event_description","In domain, VPC peer-keepalive sent on interface"), - ])); - - var msg267 = msg("PEER_KEEP_ALIVE_SEND_INT_LATEST", part219); - - var part220 = match("MESSAGE#261:PEER_KEEP_ALIVE_SEND_SUCCESS", "nwparser.payload", "In domain %{domain}, vPC peer keep-alive send is successful", processor_chain([ - dup36, - dup34, - dup79, - dup35, - dup17, - dup2, - dup3, - dup4, - setc("event_description","In domain, vPC peer keep-alive send is successful"), - ])); - - var msg268 = msg("PEER_KEEP_ALIVE_SEND_SUCCESS", part220); - - var part221 = match("MESSAGE#262:PEER_KEEP_ALIVE_STATUS", "nwparser.payload", "In domain %{domain}, peer keep-alive status changed to %{change_new}", processor_chain([ - dup30, - dup34, - dup16, - dup38, - dup2, - dup3, - dup4, - setc("event_description","Peer keep-alive status changed."), - setc("change_attribute","peer keep-alive status"), - ])); - - var msg269 = msg("PEER_KEEP_ALIVE_STATUS", part221); - - var part222 = match("MESSAGE#263:EJECTOR_STAT_CHANGED", "nwparser.payload", "Ejectors' status in slot %{fld47->} has changed, %{info}", processor_chain([ - dup30, - dup16, - dup38, - dup2, - dup3, - dup4, - setc("event_description","Ejectors' status in slot has changed."), - ])); - - var msg270 = msg("EJECTOR_STAT_CHANGED", part222); - - var part223 = match("MESSAGE#264:XBAR_DETECT", "nwparser.payload", "Xbar %{fld41->} detected (Serial number %{fld42})", processor_chain([ - dup29, - setc("ec_activity","Detect"), - dup38, - dup2, - dup3, - dup4, - setc("event_description","Xbar detected"), - ])); - - var msg271 = 
msg("XBAR_DETECT", part223); - - var part224 = match("MESSAGE#265:XBAR_PWRUP", "nwparser.payload", "Xbar %{fld41->} powered up (Serial number %{fld42})", processor_chain([ - dup15, - dup75, - dup76, - dup2, - dup3, - dup4, - setc("event_description","Xbar powered up"), - ])); - - var msg272 = msg("XBAR_PWRUP", part224); - - var part225 = match("MESSAGE#266:XBAR_PWRDN", "nwparser.payload", "Xbar %{fld41->} powered down (Serial number %{fld42})", processor_chain([ - dup15, - dup75, - setc("ec_activity","Stop"), - dup2, - dup3, - dup4, - setc("event_description","Xbar powered down"), - ])); - - var msg273 = msg("XBAR_PWRDN", part225); - - var part226 = match("MESSAGE#267:XBAR_OK", "nwparser.payload", "Xbar %{fld41->} is online (serial: %{fld42})", processor_chain([ - dup15, - dup2, - dup3, - dup4, - setc("event_description","Xbar is online"), - ])); - - var msg274 = msg("XBAR_OK", part226); - - var part227 = match("MESSAGE#268:VPC_ISSU_START", "nwparser.payload", "Peer vPC switch ISSU start, locking configuration%{}", processor_chain([ - dup15, - dup2, - dup3, - dup4, - setc("event_description","Peer vPC switch ISSU start, locking configuration"), - ])); - - var msg275 = msg("VPC_ISSU_START", part227); - - var part228 = match("MESSAGE#269:VPC_ISSU_END", "nwparser.payload", "Peer vPC switch ISSU end, unlocking configuration%{}", processor_chain([ - dup15, - dup2, - dup3, - dup4, - setc("event_description","Peer vPC switch ISSU end, unlocking configuration"), - ])); - - var msg276 = msg("VPC_ISSU_END", part228); - - var part229 = match("MESSAGE#270:PORT_RANGE_ROLE", "nwparser.payload", "new_role=%{obj_name->} interface=%{interface->} mst=%{fld42}", processor_chain([ - dup62, - dup2, - dup3, - dup4, - setc("obj_type","new_role"), - ])); - - var msg277 = msg("PORT_RANGE_ROLE", part229); - - var part230 = match("MESSAGE#271:PORT_RANGE_STATE", "nwparser.payload", "new_state=%{obj_name->} interface=%{interface->} mst=%{fld42}", processor_chain([ - dup62, - dup2, - dup3, - 
dup4, - setc("obj_type","new_state"), - ])); - - var msg278 = msg("PORT_RANGE_STATE", part230); - - var part231 = match("MESSAGE#272:PORT_RANGE_DELETED", "nwparser.payload", "Interface %{interface->} removed from mst=%{fld42}", processor_chain([ - dup24, - dup34, - dup20, - dup38, - dup2, - dup3, - dup4, - setc("event_description","Interface removed from MST."), - ])); - - var msg279 = msg("PORT_RANGE_DELETED", part231); - - var part232 = match("MESSAGE#273:PORT_RANGE_ADDED", "nwparser.payload", "Interface %{interface->} added to mst=%{fld42->} with %{info}", processor_chain([ - dup29, - dup34, - dup80, - dup38, - dup2, - dup3, - dup4, - setc("event_description","Interface added to MST."), - ])); - - var msg280 = msg("PORT_RANGE_ADDED", part232); - - var part233 = match("MESSAGE#274:MST_PORT_BOUNDARY", "nwparser.payload", "Port %{portname->} removed as MST Boundary port", processor_chain([ - dup24, - dup34, - dup20, - dup38, - dup2, - dup3, - dup4, - setc("event_description","Port removed as MST Boundary port"), - ])); - - var msg281 = msg("MST_PORT_BOUNDARY", part233); - - var part234 = match("MESSAGE#275:PIXM_SYSLOG_MESSAGE_TYPE_CRIT", "nwparser.payload", "Non-transactional PIXM Error. 
Error Type: %{result}.%{info}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - setc("event_description","Non-transactional PIXM Error"), - ])); - - var msg282 = msg("PIXM_SYSLOG_MESSAGE_TYPE_CRIT", part234); - - var part235 = match("MESSAGE#276:IM_INTF_STATE", "nwparser.payload", "%{interface->} is %{obj_name->} in vdc %{fld43}", processor_chain([ - dup8, - dup2, - dup3, - dup4, - setc("obj_type"," Interface state"), - ])); - - var msg283 = msg("IM_INTF_STATE", part235); - - var part236 = match("MESSAGE#277:VDC_STATE_CHANGE", "nwparser.payload", "vdc %{fld43->} state changed to %{obj_name}", processor_chain([ - dup62, - dup34, - dup16, - dup38, - dup2, - dup3, - dup4, - setc("event_description","VDC state changed."), - setc("obj_type"," VDC state"), - ])); - - var msg284 = msg("VDC_STATE_CHANGE", part236); - - var part237 = match("MESSAGE#278:SWITCHOVER_OVER", "nwparser.payload", "Switchover completed.%{}", processor_chain([ - dup8, - dup2, - dup3, - dup4, - dup81, - ])); - - var msg285 = msg("SWITCHOVER_OVER", part237); - - var part238 = match("MESSAGE#279:VDC_MODULETYPE", "nwparser.payload", "%{process}: Module type changed to %{obj_name}", processor_chain([ - dup62, - dup16, - dup38, - dup2, - dup3, - dup4, - dup81, - setc("obj_type"," New Module type"), - ])); - - var msg286 = msg("VDC_MODULETYPE", part238); - - var part239 = match("MESSAGE#280:HASEQNO_SYNC_FAILED", "nwparser.payload", "Unable to sync HA sequence number %{fld44->} for service \"%{service}\" (PID %{process_id}): %{result}.", processor_chain([ - dup77, - dup34, - dup35, - dup14, - dup2, - dup3, - dup4, - setc("event_description","Unable to sync HA sequence number for service"), - ])); - - var msg287 = msg("HASEQNO_SYNC_FAILED", part239); - - var part240 = match("MESSAGE#281:MSG_SEND_FAILURE_STANDBY_RESET", "nwparser.payload", "Failure in sending message to standby causing standby to reset.%{}", processor_chain([ - dup1, - dup34, - dup79, - dup35, - dup14, - dup2, - dup3, - dup4, - 
setc("event_description","Failure in sending message to standby causing standby to reset."), - ])); - - var msg288 = msg("MSG_SEND_FAILURE_STANDBY_RESET", part240); - - var part241 = match("MESSAGE#282:MODULE_LOCK_FAILED", "nwparser.payload", "Failed to lock the local module to avoid reset (error-id %{resultcode}).", processor_chain([ - dup1, - dup2, - dup3, - dup4, - setc("event_description","Failed to lock the local module to avoid reset"), - ])); - - var msg289 = msg("MODULE_LOCK_FAILED", part241); - - var part242 = match("MESSAGE#283:L2FMC_NL_MTS_SEND_FAILURE", "nwparser.payload", "Failed to send Mac New Learns/Mac moves due to mts send failure errno %{resultcode}", processor_chain([ - dup1, - dup34, - dup79, - dup35, - dup14, - dup2, - dup3, - dup4, - setc("event_description","Failed to send Mac New Learns/Mac moves due to mts send failure."), - ])); - - var msg290 = msg("L2FMC_NL_MTS_SEND_FAILURE", part242); - - var part243 = match("MESSAGE#284:SERVER_ADDED", "nwparser.payload", "Server with Chassis ID %{id->} Port ID %{fld45->} management address %{fld46->} discovered on local port %{portname->} in vlan %{vlan->} %{info}", processor_chain([ - dup29, - dup80, - dup38, - dup2, - dup3, - dup4, - setc("event_description","Server discovered on local in vlan 0 with enabled capability Station"), - ])); - - var msg291 = msg("SERVER_ADDED", part243); - - var part244 = match("MESSAGE#285:SERVER_REMOVED", "nwparser.payload", "Server with Chassis ID %{id->} Port ID %{fld45->} on local port %{portname->} has been removed", processor_chain([ - dup24, - dup20, - dup38, - dup2, - dup3, - dup4, - setc("event_description","Server on local port has been removed"), - ])); - - var msg292 = msg("SERVER_REMOVED", part244); - - var part245 = match("MESSAGE#286:IF_DOWN_SUSPENDED_BY_SPEED", "nwparser.payload", "Interface %{interface->} is down %{info}", processor_chain([ - dup23, - dup34, - dup72, - dup2, - dup3, - dup4, - dup25, - ])); - - var msg293 = 
msg("IF_DOWN_SUSPENDED_BY_SPEED", part245); - - var part246 = match("MESSAGE#287:PORT_INDIVIDUAL", "nwparser.payload", "port %{portname->} is operationally individual", processor_chain([ - dup8, - dup2, - dup3, - dup4, - setc("event_description","port is operationally individual"), - ])); - - var msg294 = msg("PORT_INDIVIDUAL", part246); - - var part247 = match("MESSAGE#288:IF_DOWN_CHANNEL_ADMIN_DOWN", "nwparser.payload", "Interface %{interface->} is down %{info}", processor_chain([ - dup23, - dup34, - dup38, - dup72, - dup2, - dup3, - dup4, - dup25, - ])); - - var msg295 = msg("IF_DOWN_CHANNEL_ADMIN_DOWN", part247); - - var part248 = match("MESSAGE#289:IF_ERRDIS_RECOVERY", "nwparser.payload", "Interface %{interface->} is being recovered from error disabled state %{info}", processor_chain([ - dup22, - dup2, - dup3, - dup4, - setc("event_description","Interface is being recovered from error disabled state"), - ])); - - var msg296 = msg("IF_ERRDIS_RECOVERY", part248); - - var part249 = match("MESSAGE#290:IF_NON_CISCO_TRANSCEIVER", "nwparser.payload", "Non-Cisco transceiver on interface %{interface->} is detected", processor_chain([ - dup30, - dup2, - dup3, - dup4, - setc("event_description","Non-Cisco transceiver on interface is detected"), - ])); - - var msg297 = msg("IF_NON_CISCO_TRANSCEIVER", part249); - - var part250 = match("MESSAGE#291:ACTIVE_LOWER_MEM_THAN_STANDBY", "nwparser.payload", "Active supervisor in slot %{fld47->} is running with less memory than standby supervisor in slot %{fld48}.", processor_chain([ - dup30, - dup2, - dup3, - dup4, - setc("event_description","Active supervisor is running with less memory than standby supervisor."), - ])); - - var msg298 = msg("ACTIVE_LOWER_MEM_THAN_STANDBY", part250); - - var part251 = match("MESSAGE#292:READCONF_STARTED", "nwparser.payload", "Configuration update started (PID %{process_id}).", processor_chain([ - dup30, - dup16, - dup38, - dup2, - dup3, - dup4, - setc("event_description","Configuration update 
started."), - ])); - - var msg299 = msg("READCONF_STARTED", part251); - - var part252 = match("MESSAGE#293:SUP_POWERDOWN", "nwparser.payload", "Supervisor in slot %{fld47->} is running with less memory than active supervisor in slot %{fld48}", processor_chain([ - dup30, - dup2, - dup3, - dup4, - setc("event_description","Supervisor is running with less memory than active supervisor."), - ])); - - var msg300 = msg("SUP_POWERDOWN", part252); - - var part253 = match("MESSAGE#294:LC_UPGRADE_START", "nwparser.payload", "Starting linecard upgrade%{}", processor_chain([ - dup30, - dup16, - dup38, - dup2, - dup3, - dup4, - setc("event_description","Starting linecard upgrade"), - ])); - - var msg301 = msg("LC_UPGRADE_START", part253); - - var part254 = match("MESSAGE#295:LC_UPGRADE_REBOOT", "nwparser.payload", "Rebooting linecard as a part of upgrade%{}", processor_chain([ - dup30, - dup16, - dup38, - dup2, - dup3, - dup4, - setc("event_description","Rebooting linecard as a part of upgrade"), - ])); - - var msg302 = msg("LC_UPGRADE_REBOOT", part254); - - var part255 = match("MESSAGE#296:RUNTIME_DB_RESTORE_STARTED", "nwparser.payload", "Runtime database controller started (PID %{process_id}).", processor_chain([ - dup30, - dup2, - dup3, - dup4, - setc("event_description","Runtime database controller started."), - ])); - - var msg303 = msg("RUNTIME_DB_RESTORE_STARTED", part255); - - var part256 = match("MESSAGE#297:RUNTIME_DB_RESTORE_SUCCESS", "nwparser.payload", "Runtime database successfully restored.%{}", processor_chain([ - dup30, - dup2, - dup3, - dup4, - setc("event_description","Runtime database successfully restored."), - ])); - - var msg304 = msg("RUNTIME_DB_RESTORE_SUCCESS", part256); - - var part257 = match("MESSAGE#298:LCM_MODULE_UPGRADE_START", "nwparser.payload", "Upgrade of module %{fld49->} started", processor_chain([ - dup30, - dup16, - dup38, - dup2, - dup3, - dup4, - setc("event_description","Upgrade of module started"), - ])); - - var msg305 = 
msg("LCM_MODULE_UPGRADE_START", part257); - - var part258 = match("MESSAGE#299:LCM_MODULE_UPGRADE_END", "nwparser.payload", "Upgrade of module %{fld49->} ended", processor_chain([ - dup30, - dup2, - dup3, - dup4, - setc("event_description","Upgrade of module ended"), - ])); - - var msg306 = msg("LCM_MODULE_UPGRADE_END", part258); - - var part259 = match("MESSAGE#300:FIPS_POST_INFO_MSG", "nwparser.payload", "Recieved insert for %{fld50}", processor_chain([ - dup63, - dup34, - dup78, - dup35, - dup2, - dup3, - dup4, - setc("event_description","Recieved insert for lc mod"), - ])); - - var msg307 = msg("FIPS_POST_INFO_MSG", part259); - - var part260 = match("MESSAGE#301:PEER_VPC_CFGD", "nwparser.payload", "peer vPC %{obj_name->} is configured", processor_chain([ - dup30, - dup34, - dup38, - dup17, - dup2, - dup3, - dup4, - setc("event_description","peer vPC is configured"), - dup74, - ])); - - var msg308 = msg("PEER_VPC_CFGD", part260); - - var part261 = match("MESSAGE#302:SYN_COLL_DIS_EN", "nwparser.payload", "%{info}: Potential Interop issue on [%{interface}]: %{result}", processor_chain([ - dup73, - dup34, - dup38, - dup72, - dup2, - dup3, - dup4, - setc("event_description","Potential Interop issue on interface."), - ])); - - var msg309 = msg("SYN_COLL_DIS_EN", part261); - - var part262 = match("MESSAGE#303:NOHMS_ENV_FEX_OFFLINE", "nwparser.payload", "%{device->} Off-line (Serial Number %{fld42})", processor_chain([ - dup30, - dup2, - dup3, - dup4, - setc("event_description","FEX OFFLINE"), - ])); - - var msg310 = msg("NOHMS_ENV_FEX_OFFLINE", part262); - - var part263 = match("MESSAGE#304:NOHMS_ENV_FEX_ONLINE", "nwparser.payload", "%{device->} On-line", processor_chain([ - dup30, - dup2, - dup3, - dup4, - setc("event_description","FEX ONLINE"), - ])); - - var msg311 = msg("NOHMS_ENV_FEX_ONLINE", part263); - - var part264 = match("MESSAGE#305:FEX_STATUS_online", "nwparser.payload", "%{device->} is online", processor_chain([ - dup30, - dup2, - dup3, - dup4, - 
setc("event_description","Fex is online"), - ])); - - var msg312 = msg("FEX_STATUS_online", part264); - - var part265 = match("MESSAGE#306:FEX_STATUS_offline", "nwparser.payload", "%{device->} is offline", processor_chain([ - dup30, - dup2, - dup3, - dup4, - setc("event_description","Fex is offline"), - ])); - - var msg313 = msg("FEX_STATUS_offline", part265); - - var select40 = linear_select([ - msg312, - msg313, - ]); - - var part266 = match("MESSAGE#307:PS_PWR_INPUT_MISSING", "nwparser.payload", "Power supply %{fld41->} present but all AC/DC inputs are not connected, power redundancy might be affected", processor_chain([ - dup73, - dup38, - dup72, - dup2, - dup3, - dup4, - setc("event_description","Power supply present but all AC/DC inputs are not connected, power redundancy might be affected"), - ])); - - var msg314 = msg("PS_PWR_INPUT_MISSING", part266); - - var part267 = match("MESSAGE#308:PS_RED_MODE_RESTORED", "nwparser.payload", "Power redundancy operational mode changed to %{change_new}", processor_chain([ - dup30, - dup16, - dup38, - dup2, - dup3, - dup4, - setc("event_description","Power redundancy operational mode changed."), - setc("change_attribute","operational mode"), - ])); - - var msg315 = msg("PS_RED_MODE_RESTORED", part267); - - var part268 = match("MESSAGE#309:MOD_PWRFAIL_EJECTORS_OPEN", "nwparser.payload", "All ejectors open, Module %{fld41->} will not be powered up (Serial number %{fld42})", processor_chain([ - dup1, - dup2, - dup3, - dup4, - setc("event_description","All ejectors open, Module will not be powered up."), - ])); - - var msg316 = msg("MOD_PWRFAIL_EJECTORS_OPEN", part268); - - var part269 = match("MESSAGE#310:PINNING_CHANGED", "nwparser.payload", "%{device->} pinning information is changed", processor_chain([ - dup30, - dup16, - dup38, - dup2, - dup3, - dup4, - setc("event_description","Fex pinning information is changed"), - ])); - - var msg317 = msg("PINNING_CHANGED", part269); - - var part270 = match("MESSAGE#311:SATCTRL", 
"nwparser.payload", "%{device->} Module %{fld41}: Cold boot", processor_chain([ - dup30, - dup2, - dup3, - dup4, - setc("event_description","FEX-100 Module -Cold boot"), - ])); - - var msg318 = msg("SATCTRL", part270); - - var part271 = match("MESSAGE#312:DUP_REGISTER", "nwparser.payload", "%{fld51->} [%{fld52}] Client %{fld43->} register more than once with same pid%{info}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - setc("event_description","Client register more than once with same pid"), - ])); - - var msg319 = msg("DUP_REGISTER", part271); - - var part272 = match("MESSAGE#313:UNKNOWN_MTYPE", "nwparser.payload", "%{fld51->} [%{fld52}] Unknown mtype: %{info}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - setc("event_description","Unknown mtype"), - ])); - - var msg320 = msg("UNKNOWN_MTYPE", part272); - - var part273 = match("MESSAGE#314:SATCTRL_IMAGE", "nwparser.payload", "%{fld51->} %{event_description}", processor_chain([ - dup30, - dup16, - dup38, - dup2, - dup3, - dup4, - ])); - - var msg321 = msg("SATCTRL_IMAGE", part273); - - var part274 = match("MESSAGE#315:API_FAILED", "nwparser.payload", "%{fld51->} [%{fld52}] %{event_description}", processor_chain([ - dup1, - setc("ec_subject","Process"), - dup14, - dup2, - dup3, - dup4, - ])); - - var msg322 = msg("API_FAILED", part274); - - var part275 = match_copy("MESSAGE#316:SENSOR_MSG1", "nwparser.payload", "event_description", processor_chain([ - dup8, - dup2, - dup3, - dup4, - ])); - - var msg323 = msg("SENSOR_MSG1", part275); - - var part276 = match("MESSAGE#317:API_INIT_SEM_CLEAR", "nwparser.payload", "%{fld51->} [%{fld52}] %{event_description}", processor_chain([ - dup30, - dup2, - dup3, - dup4, - ])); - - var msg324 = msg("API_INIT_SEM_CLEAR", part276); - - var part277 = match("MESSAGE#318:VDC_ONLINE", "nwparser.payload", "vdc %{fld51->} has come online", processor_chain([ - dup30, - dup2, - dup3, - dup4, - setc("event_description","vdc has come online"), - ])); - - var msg325 = 
msg("VDC_ONLINE", part277); - - var part278 = match("MESSAGE#319:LACP_SUSPEND_INDIVIDUAL", "nwparser.payload", "LACP port %{portname->} of port-channel %{interface->} not receiving any LACP BPDUs %{result}", processor_chain([ - dup77, - dup34, - dup78, - dup35, - dup72, - dup2, - dup3, - dup4, - setc("event_description","LACP port of port-channel not receiving any LACP BPDUs."), - ])); - - var msg326 = msg("LACP_SUSPEND_INDIVIDUAL", part278); - - var part279 = match("MESSAGE#320:dstats", "nwparser.payload", "%{process}: %{info}", processor_chain([ - dup8, - dup2, - dup3, - dup4, - ])); - - var msg327 = msg("dstats", part279); - - var part280 = match("MESSAGE#321:MSG_PORT_LOGGED_OUT", "nwparser.payload", "%{fld52->} [VSAN %{fld51}, Interface %{interface}: %{fld53->} Nx Port %{portname->} logged OUT.", processor_chain([ - dup77, - dup34, - setc("ec_activity","Logoff"), - dup35, - dup2, - dup3, - dup4, - ])); - - var msg328 = msg("MSG_PORT_LOGGED_OUT", part280); - - var part281 = match("MESSAGE#322:MSG_PORT_LOGGED_IN", "nwparser.payload", "%{fld52->} [VSAN %{fld51}, Interface %{interface}: %{fld53->} Nx Port %{portname->} with FCID %{fld54->} logged IN.", processor_chain([ - dup77, - dup34, - dup13, - dup35, - dup2, - dup3, - dup4, - ])); - - var msg329 = msg("MSG_PORT_LOGGED_IN", part281); - - var msg330 = msg("IF_DOWN_ELP_FAILURE_ISOLATION", dup96); - - var part282 = match("MESSAGE#324:ZS_MERGE_FAILED", "nwparser.payload", "%{fld52->} Zone merge failure, isolating interface %{interface->} reason: %{result}:[%{resultcode}]", processor_chain([ - dup23, - dup34, - dup35, - dup14, - dup2, - dup3, - dup4, - ])); - - var msg331 = msg("ZS_MERGE_FAILED", part282); - - var msg332 = msg("IF_DOWN_ZONE_MERGE_FAILURE_ISOLATION", dup96); - - var part283 = match("MESSAGE#326:MAC_MOVE_NOTIFICATION", "nwparser.payload", "Host %{hostname->} in vlan %{vlan->} is flapping between port %{change_old->} and port %{change_new}", processor_chain([ - dup23, - dup34, - dup35, - dup2, - dup3, 
- dup4, - setc("change_attribute","Port"), - ])); - - var msg333 = msg("MAC_MOVE_NOTIFICATION", part283); - - var part284 = match("MESSAGE#327:zone", "nwparser.payload", "num_tlv greater than 1, %{result}", processor_chain([ - dup8, - dup2, - dup3, - dup4, - ])); - - var msg334 = msg("zone", part284); - - var part285 = match("MESSAGE#328:ERROR", "nwparser.payload", "%{event_description}: %{info}", processor_chain([ - dup1, - dup34, - dup35, - dup72, - dup2, - dup3, - dup4, - ])); - - var msg335 = msg("ERROR", part285); - - var part286 = match("MESSAGE#329:INVAL_IP", "nwparser.payload", "%{agent->} [%{process_id}] Received packet with invalid destination IP address (%{daddr}) from %{smacaddr->} on %{interface}", processor_chain([ - dup77, - dup34, - dup78, - dup35, - dup72, - dup2, - dup3, - dup4, - ])); - - var msg336 = msg("INVAL_IP", part286); - - var part287 = match("MESSAGE#330:SYSLOG_SL_MSG_WARNING", "nwparser.payload", "%{process}: message repeated %{dclass_counter1->} times in last %{duration}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - ])); - - var msg337 = msg("SYSLOG_SL_MSG_WARNING", part287); - - var part288 = match("MESSAGE#331:DUPLEX_MISMATCH", "nwparser.payload", "Duplex mismatch discovered on %{interface}, with %{fld55}", processor_chain([ - dup77, - dup34, - dup35, - dup72, - dup2, - dup3, - dup4, - ])); - - var msg338 = msg("DUPLEX_MISMATCH", part288); - - var part289 = match("MESSAGE#332:NOHMS_DIAG_ERROR", "nwparser.payload", "Module %{fld20}: Runtime diag detected major event: Fabric port failure %{interface}", processor_chain([ - dup77, - dup34, - dup35, - dup72, - dup2, - dup3, - dup4, - ])); - - var msg339 = msg("NOHMS_DIAG_ERROR", part289); - - var part290 = match("MESSAGE#333:STM_LEARNING_RE_ENABLE", "nwparser.payload", "Re enabling dynamic learning on all interfaces%{}", processor_chain([ - dup15, - dup34, - dup35, - dup2, - dup3, - dup4, - ])); - - var msg340 = msg("STM_LEARNING_RE_ENABLE", part290); - - var part291 = 
match("MESSAGE#334:UDLD_PORT_DISABLED", "nwparser.payload", "UDLD disabled interface %{interface}, %{result}", processor_chain([ - dup77, - dup34, - dup35, - dup72, - dup2, - dup3, - dup4, - ])); - - var msg341 = msg("UDLD_PORT_DISABLED", part291); - - var part292 = match("MESSAGE#335:ntpd", "nwparser.payload", "ntp:no servers reachable%{}", processor_chain([ - dup15, - dup2, - dup4, - ])); - - var msg342 = msg("ntpd", part292); - - var part293 = match("MESSAGE#336:ntpd:01", "nwparser.payload", "ntp:event EVNT_UNREACH %{saddr}", processor_chain([ - dup15, - dup2, - dup4, - ])); - - var msg343 = msg("ntpd:01", part293); - - var part294 = match("MESSAGE#337:ntpd:02", "nwparser.payload", "ntp:event EVNT_REACH %{saddr}", processor_chain([ - dup15, - dup2, - dup4, - ])); - - var msg344 = msg("ntpd:02", part294); - - var part295 = match("MESSAGE#338:ntpd:03", "nwparser.payload", "ntp:synchronized to %{saddr}, stratum %{fld9}", processor_chain([ - dup15, - dup2, - dup4, - ])); - - var msg345 = msg("ntpd:03", part295); - - var part296 = match("MESSAGE#339:ntpd:04", "nwparser.payload", "ntp:%{event_description}", processor_chain([ - dup15, - dup2, - dup4, - ])); - - var msg346 = msg("ntpd:04", part296); - - var select41 = linear_select([ - msg342, - msg343, - msg344, - msg345, - msg346, - ]); - - var part297 = match_copy("MESSAGE#340:PFM_ALERT", "nwparser.payload", "event_description", processor_chain([ - dup9, - dup2, - dup3, - dup4, - ])); - - var msg347 = msg("PFM_ALERT", part297); - - var part298 = match("MESSAGE#341:SERVICEFOUND", "nwparser.payload", "Service %{service->} acquired on WCCP Client %{saddr}", processor_chain([ - dup61, - dup2, - dup3, - dup4, - setc("event_description","Service acquired on WCCP Client"), - ])); - - var msg348 = msg("SERVICEFOUND", part298); - - var part299 = match("MESSAGE#342:ROUTERFOUND", "nwparser.payload", "Service %{service->} acquired on WCCP Router %{saddr}", processor_chain([ - dup61, - dup2, - dup3, - dup4, - 
setc("event_description","Service acquired on WCCP Router"), - ])); - - var msg349 = msg("ROUTERFOUND", part299); - - var part300 = match("MESSAGE#343:%AUTHPRIV-3-SYSTEM_MSG", "nwparser.payload", "pam_aaa:Authentication failed from %{shost->} - %{agent}", processor_chain([ - dup5, - dup2, - dup3, - dup4, - setc("event_description","Authentication failed"), - ])); - - var msg350 = msg("%AUTHPRIV-3-SYSTEM_MSG", part300); - - var part301 = match("MESSAGE#344:%AUTHPRIV-5-SYSTEM_MSG", "nwparser.payload", "New user added with username %{username->} - %{agent}", processor_chain([ - dup18, - dup2, - dup12, - dup3, - dup4, - setc("event_description","New user added"), - ])); - - var msg351 = msg("%AUTHPRIV-5-SYSTEM_MSG", part301); - - var part302 = match("MESSAGE#345:%AUTHPRIV-6-SYSTEM_MSG:01", "nwparser.payload", "%{action}: %{service->} pid=%{process_id->} from=::ffff:%{saddr->} - %{agent}", processor_chain([ - dup10, - dup2, - dup12, - dup3, - dup4, - ])); - - var msg352 = msg("%AUTHPRIV-6-SYSTEM_MSG:01", part302); - - var part303 = match("MESSAGE#346:%AUTHPRIV-6-SYSTEM_MSG", "nwparser.payload", "pam_unix(%{fld1}:session): session opened for user %{username->} by (uid=%{uid}) - %{agent}", processor_chain([ - dup10, - dup2, - dup12, - dup3, - dup4, - setc("event_description","session opened for user"), - ])); - - var msg353 = msg("%AUTHPRIV-6-SYSTEM_MSG", part303); - - var select42 = linear_select([ - msg352, - msg353, - ]); - - var part304 = match("MESSAGE#347:%USER-3-SYSTEM_MSG", "nwparser.payload", "error: %{result}", processor_chain([ - dup5, - dup2, - dup3, - dup4, - ])); - - var msg354 = msg("%USER-3-SYSTEM_MSG", part304); - - var part305 = match("MESSAGE#348:%USER-6-SYSTEM_MSG", "nwparser.payload", "Invalid user %{username->} from %{saddr->} - %{agent}", processor_chain([ - dup5, - dup2, - dup3, - dup4, - dup82, - ])); - - var msg355 = msg("%USER-6-SYSTEM_MSG", part305); - - var part306 = match("MESSAGE#349:%USER-6-SYSTEM_MSG:01", "nwparser.payload", 
"input_userauth_request: invalid user %{username->} - %{agent}", processor_chain([ - dup5, - dup2, - dup3, - dup4, - dup82, - ])); - - var msg356 = msg("%USER-6-SYSTEM_MSG:01", part306); - - var part307 = match("MESSAGE#350:%USER-6-SYSTEM_MSG:02", "nwparser.payload", "Failed none for invalid user %{username->} from %{saddr->} port %{sport->} %{protocol->} - %{agent}", processor_chain([ - dup5, - dup2, - dup3, - dup4, - setc("event_description","Failed none for invalid user"), - ])); - - var msg357 = msg("%USER-6-SYSTEM_MSG:02", part307); - - var part308 = match("MESSAGE#351:%USER-6-SYSTEM_MSG:03", "nwparser.payload", "Accepted password for %{username->} from %{saddr->} port %{sport->} %{protocol->} - %{agent}", processor_chain([ - dup83, - dup2, - dup3, - dup4, - setc("event_description","Accepted password for user"), - ])); - - var msg358 = msg("%USER-6-SYSTEM_MSG:03", part308); - - var part309 = match("MESSAGE#352:%USER-6-SYSTEM_MSG:04", "nwparser.payload", "lastlog_openseek: Couldn't stat %{directory}: No such file or directory - %{agent}", processor_chain([ - dup83, - dup2, - dup3, - dup4, - setc("event_description","No such file or directory"), - ])); - - var msg359 = msg("%USER-6-SYSTEM_MSG:04", part309); - - var part310 = match("MESSAGE#353:%USER-6-SYSTEM_MSG:05", "nwparser.payload", "Could not load host key: %{encryption_type->} - %{agent}", processor_chain([ - dup83, - dup2, - dup3, - dup4, - setc("event_description","Could not load host key"), - ])); - - var msg360 = msg("%USER-6-SYSTEM_MSG:05", part310); - - var part311 = match("MESSAGE#354:%USER-6-SYSTEM_MSG:06", "nwparser.payload", "%{event_description->} - %{agent}", processor_chain([ - dup83, - dup2, - dup3, - dup4, - ])); - - var msg361 = msg("%USER-6-SYSTEM_MSG:06", part311); - - var select43 = linear_select([ - msg355, - msg356, - msg357, - msg358, - msg359, - msg360, - msg361, - ]); - - var part312 = match("MESSAGE#355:L2FM_MAC_FLAP_DISABLE_LEARN", "nwparser.payload", "Disabling learning in vlan 
%{vlan->} for %{duration}s due to too many mac moves", processor_chain([ - dup30, - dup2, - dup4, - setc("ec_activity","Disable"), - ])); - - var msg362 = msg("L2FM_MAC_FLAP_DISABLE_LEARN", part312); - - var part313 = match("MESSAGE#356:L2FM_MAC_FLAP_RE_ENABLE_LEARN", "nwparser.payload", "Re-enabling learning in vlan %{vlan}", processor_chain([ - dup30, - dup2, - dup4, - dup37, - ])); - - var msg363 = msg("L2FM_MAC_FLAP_RE_ENABLE_LEARN", part313); - - var part314 = match("MESSAGE#357:PS_ABSENT", "nwparser.payload", "Power supply %{fld1->} is %{disposition}, ps-redundancy might be affected", processor_chain([ - dup1, - dup2, - dup4, - ])); - - var msg364 = msg("PS_ABSENT", part314); - - var part315 = match("MESSAGE#358:PS_DETECT", "nwparser.payload", "Power supply %{fld1->} detected but %{disposition->} (Serial number %{serial_number})", processor_chain([ - dup1, - dup2, - dup4, - ])); - - var msg365 = msg("PS_DETECT", part315); - - var part316 = match("MESSAGE#359:SUBPROC_TERMINATED", "nwparser.payload", "\"System Manager (configuration controller)\" (PID %{process_id}) has finished with error code %{result->} (%{resultcode}).", processor_chain([ - dup1, - dup2, - dup4, - ])); - - var msg366 = msg("SUBPROC_TERMINATED", part316); - - var part317 = match("MESSAGE#360:SUBPROC_SUCCESS_EXIT", "nwparser.payload", "\"%{service}\" (PID %{process_id}) has successfully exited with exit code %{result->} (%{resultcode}).", processor_chain([ - dup15, - dup2, - dup4, - dup84, - dup17, - ])); - - var msg367 = msg("SUBPROC_SUCCESS_EXIT", part317); - - var part318 = match("MESSAGE#361:UPDOWN", "nwparser.payload", "Line Protocol on Interface vlan %{vlan}, changed state to %{disposition}", processor_chain([ - dup30, - dup2, - dup4, - ])); - - var msg368 = msg("UPDOWN", part318); - - var part319 = match("MESSAGE#362:L2FM_MAC_MOVE2", "nwparser.payload", "Mac %{smacaddr->} in vlan %{vlan->} has moved between %{change_old->} to %{change_new}", processor_chain([ - dup30, - dup2, - dup4, - 
setc("change_attribute","Interface"), - ])); - - var msg369 = msg("L2FM_MAC_MOVE2", part319); - - var part320 = match("MESSAGE#363:PFM_PS_RED_MODE_CHG", "nwparser.payload", "Power redundancy configured mode changed to %{event_state}", processor_chain([ - dup30, - dup2, - dup4, - dup38, - ])); - - var msg370 = msg("PFM_PS_RED_MODE_CHG", part320); - - var part321 = match("MESSAGE#364:PS_RED_MODE_CHG", "nwparser.payload", "Power supply operational redundancy mode changed to %{event_state}", processor_chain([ - dup30, - dup2, - dup4, - dup38, - ])); - - var msg371 = msg("PS_RED_MODE_CHG", part321); - - var part322 = match("MESSAGE#365:INVAL_MAC", "nwparser.payload", "%{agent->} [%{process_id}] Received packet with invalid source MAC address (%{smacaddr}) from %{saddr->} on %{vlan}", processor_chain([ - dup63, - dup2, - dup4, - ])); - - var msg372 = msg("INVAL_MAC", part322); - - var part323 = match("MESSAGE#366:SRVSTATE_CHANGED", "nwparser.payload", "State for service \"%{service}\" changed from %{change_old->} to %{change_new->} in vdc %{fld1}.", processor_chain([ - dup15, - dup2, - dup4, - setc("change_attribute","Service status"), - ])); - - var msg373 = msg("SRVSTATE_CHANGED", part323); - - var part324 = match_copy("MESSAGE#367:INFO", "nwparser.payload", "event_description", processor_chain([ - dup63, - dup2, - dup4, - ])); - - var msg374 = msg("INFO", part324); - - var part325 = match("MESSAGE#374:SERVICE_STARTED", "nwparser.payload", "Service \"%{service}\" in vdc %{fld1->} started with PID(%{process_id}).", processor_chain([ - dup15, - dup2, - dup4, - dup84, - dup76, - dup17, - ])); - - var msg375 = msg("SERVICE_STARTED", part325); - - var part326 = match("MESSAGE#375:DUP_VADDR_SRCIP_PROBE", "nwparser.payload", "%{process->} [%{process_id}] Duplicate address Detected. 
Probe packet received from %{smacaddr->} on %{vlan->} with destination set to our local Virtual ip, %{saddr}", processor_chain([ - dup8, - dup2, - dup3, - dup4, - dup85, - ])); - - var msg376 = msg("DUP_VADDR_SRCIP_PROBE", part326); - - var part327 = match("MESSAGE#376:DUP_SRCIP_PROBE", "nwparser.payload", "%{process->} [%{process_id}] Duplicate address Detected. Probe packet received from %{smacaddr->} on %{vlan->} with destination set to our local ip, %{saddr}", processor_chain([ - dup8, - dup2, - dup3, - dup4, - dup85, - ])); - - var msg377 = msg("DUP_SRCIP_PROBE", part327); - - var chain1 = processor_chain([ - select1, - msgid_select({ - "%AUTHPRIV-3-SYSTEM_MSG": msg350, - "%AUTHPRIV-5-SYSTEM_MSG": msg351, - "%AUTHPRIV-6-SYSTEM_MSG": select42, - "%USER-3-SYSTEM_MSG": msg354, - "%USER-6-SYSTEM_MSG": select43, - "AAA_ACCOUNTING_MESSAGE": select28, - "ACLLOG_FLOW_INTERVAL": msg187, - "ACLLOG_MAXFLOW_REACHED": msg188, - "ACLLOG_NEW_FLOW": msg189, - "ACTIVE_LOWER_MEM_THAN_STANDBY": msg298, - "ACTIVE_SUP_OK": msg74, - "ADDON_IMG_DNLD_COMPLETE": msg60, - "ADDON_IMG_DNLD_STARTED": msg61, - "ADDON_IMG_DNLD_SUCCESSFUL": msg62, - "ADJCHANGE": msg217, - "API_FAILED": msg322, - "API_INIT_SEM_CLEAR": msg324, - "BIOS_DAEMON_LC_PRI_BOOT": msg262, - "CFGWRITE_ABORTED": msg135, - "CFGWRITE_ABORTED_LOCK": msg133, - "CFGWRITE_DONE": msg136, - "CFGWRITE_FAILED": msg134, - "CFGWRITE_STARTED": msg137, - "CFGWRITE_USER_ABORT": msg198, - "CHASSIS_CLKMODOK": msg80, - "CHASSIS_CLKSRC": msg81, - "CONN_CONNECT": msg145, - "CONN_DISCONNECT": msg146, - "CREATED": msg51, - "DELETE_STALE_USER_ACCOUNT": msg258, - "DISPUTE_CLEARED": msg77, - "DISPUTE_DETECTED": msg78, - "DOMAIN_CFG_SYNC_DONE": msg79, - "DUPLEX_MISMATCH": msg338, - "DUP_REGISTER": msg319, - "DUP_SRCIP_PROBE": msg377, - "DUP_VADDR_SRCIP_PROBE": msg376, - "DUP_VADDR_SRC_IP": msg190, - "DVPG_CREATE": msg147, - "DVPG_DELETE": msg148, - "DVS_HOSTMEMBER_INFO": msg149, - "DVS_NAME_CHANGE": msg150, - "EJECTOR_STAT_CHANGED": msg270, - 
"ERROR": msg335, - "ERR_MSG": msg131, - "EVENT": msg206, - "FAN_DETECT": msg97, - "FAN_OK": msg82, - "FCIP_PEER_CAVIUM": msg233, - "FEX_PORT_STATUS_NOTI": msg214, - "FEX_STATUS": select40, - "FIPS_POST_INFO_MSG": msg307, - "FOP_CHANGED": msg52, - "HASEQNO_SYNC_FAILED": msg287, - "HEARTBEAT_FAILURE": msg240, - "IF_ADMIN_UP": msg259, - "IF_ATTACHED": msg138, - "IF_BANDWIDTH_CHANGE": msg210, - "IF_BRINGUP_ALLOWED_FCOT_CHECKSUM_ERR": msg203, - "IF_DELETE_AUTO": msg139, - "IF_DETACHED": msg140, - "IF_DETACHED_MODULE_REMOVED": msg141, - "IF_DOWN_ADMIN_DOWN": select11, - "IF_DOWN_BIT_ERR_RT_THRES_EXCEEDED": msg199, - "IF_DOWN_CFG_CHANGE": msg193, - "IF_DOWN_CHANNEL_ADMIN_DOWN": msg295, - "IF_DOWN_CHANNEL_MEMBERSHIP_UPDATE_IN_PROGRESS": msg38, - "IF_DOWN_ELP_FAILURE_ISOLATION": msg330, - "IF_DOWN_ERROR_DISABLED": msg35, - "IF_DOWN_FCOT_NOT_PRESENT": select17, - "IF_DOWN_INACTIVE": msg142, - "IF_DOWN_INITIALIZING": select18, - "IF_DOWN_INTERFACE_REMOVED": msg39, - "IF_DOWN_LINK_FAILURE": select12, - "IF_DOWN_MODULE_REMOVED": msg42, - "IF_DOWN_NONE": select19, - "IF_DOWN_NON_PARTICIPATING": msg143, - "IF_DOWN_NOS_RCVD": select20, - "IF_DOWN_OFFLINE": msg114, - "IF_DOWN_OLS_RCVD": msg115, - "IF_DOWN_PARENT_ADMIN_DOWN": msg211, - "IF_DOWN_PEER_CLOSE": msg234, - "IF_DOWN_PEER_RESET": msg235, - "IF_DOWN_PORT_CHANNEL_MEMBERS_DOWN": msg43, - "IF_DOWN_SOFTWARE_FAILURE": msg116, - "IF_DOWN_SRC_PORT_NOT_BOUND": msg117, - "IF_DOWN_SUSPENDED_BY_SPEED": msg293, - "IF_DOWN_TCP_MAX_RETRANSMIT": msg232, - "IF_DOWN_VEM_UNLICENSED": msg144, - "IF_DOWN_ZONE_MERGE_FAILURE_ISOLATION": msg332, - "IF_DUPLEX": msg44, - "IF_ERRDIS_RECOVERY": msg296, - "IF_ERROR_VLANS_REMOVED": msg191, - "IF_ERROR_VLANS_SUSPENDED": msg192, - "IF_HARDWARE": msg239, - "IF_NON_CISCO_TRANSCEIVER": msg297, - "IF_PORTPROFILE_ATTACHED": msg125, - "IF_RX_FLOW_CONTROL": msg45, - "IF_SEQ_ERROR": msg46, - "IF_SFP_ALARM": select35, - "IF_SFP_WARNING": msg231, - "IF_TRUNK_DOWN": select21, - "IF_TRUNK_UP": select22, - 
"IF_TX_FLOW_CONTROL": msg47, - "IF_UP": select13, - "IF_XCVR_ALARM": select34, - "IF_XCVR_WARNING": select33, - "IMG_DNLD_COMPLETE": msg63, - "IMG_DNLD_STARTED": msg64, - "IM_INTF_STATE": msg283, - "IM_SEQ_ERROR": msg59, - "INFO": msg374, - "INFORMATION": msg205, - "INTF_CONSISTENCY_FAILED": msg236, - "INTF_CONSISTENCY_SUCCESS": msg237, - "INTF_COUNTERS_CLEARED": msg238, - "INVAL_IP": msg336, - "INVAL_MAC": msg372, - "L2FMC_NL_MTS_SEND_FAILURE": msg290, - "L2FM_MAC_FLAP_DISABLE_LEARN": msg362, - "L2FM_MAC_FLAP_RE_ENABLE_LEARN": msg363, - "L2FM_MAC_MOVE2": msg369, - "LACP_SUSPEND_INDIVIDUAL": msg326, - "LCM_MODULE_UPGRADE_END": msg306, - "LCM_MODULE_UPGRADE_START": msg305, - "LC_UPGRADE_REBOOT": msg302, - "LC_UPGRADE_START": msg301, - "LOG-7-SYSTEM_MSG": msg1, - "LOG_CMP_AAA_FAILURE": msg67, - "LOG_CMP_UP": msg244, - "LOG_LIC_N1K_EXPIRY_WARNING": msg68, - "M2FIB_MAC_TBL_PRGMING": msg257, - "MAC_MOVE_NOTIFICATION": msg333, - "MEMORY_ALERT": msg249, - "MEMORY_ALERT_RECOVERED": msg250, - "MESG": msg130, - "MODULE_LOCK_FAILED": msg289, - "MODULE_ONLINE": msg261, - "MOD_BRINGUP_MULTI_LIMIT": msg96, - "MOD_DETECT": msg83, - "MOD_FAIL": msg69, - "MOD_MAJORSWFAIL": msg70, - "MOD_OK": msg75, - "MOD_PWRDN": msg84, - "MOD_PWRFAIL_EJECTORS_OPEN": msg316, - "MOD_PWRUP": msg85, - "MOD_REMOVE": msg86, - "MOD_RESTART": msg76, - "MOD_SRG_NOT_COMPATIBLE": msg71, - "MOD_STATUS": msg98, - "MOD_WARNING": select14, - "MOUNT": msg243, - "MSG_PORT_LOGGED_IN": msg329, - "MSG_PORT_LOGGED_OUT": msg328, - "MSG_SEND_FAILURE_STANDBY_RESET": msg288, - "MSM_CRIT": msg66, - "MST_PORT_BOUNDARY": msg281, - "MTSERROR": msg34, - "MTS_DROP": msg57, - "NATIVE_VLAN_MISMATCH": msg207, - "NBRCHANGE_DUAL": msg253, - "NEIGHBOR_ADDED": msg208, - "NEIGHBOR_REMOVED": msg209, - "NEIGHBOR_UPDATE_AUTOCOPY": msg33, - "NOHMS_DIAG_ERROR": msg339, - "NOHMS_DIAG_ERR_PS_FAIL": msg215, - "NOHMS_DIAG_ERR_PS_RECOVERED": msg216, - "NOHMS_ENV_FEX_OFFLINE": msg310, - "NOHMS_ENV_FEX_ONLINE": msg311, - 
"PEER_KEEP_ALIVE_RECV_FAIL": msg266, - "PEER_KEEP_ALIVE_RECV_INT_LATEST": msg264, - "PEER_KEEP_ALIVE_RECV_SUCCESS": msg265, - "PEER_KEEP_ALIVE_SEND_INT_LATEST": msg267, - "PEER_KEEP_ALIVE_SEND_SUCCESS": msg268, - "PEER_KEEP_ALIVE_STATUS": msg269, - "PEER_VPC_CFGD": msg308, - "PEER_VPC_CFGD_VLANS_CHANGED": msg99, - "PEER_VPC_DELETED": msg100, - "PEER_VPC_DOWN": msg263, - "PFM_ALERT": msg347, - "PFM_CLOCK_CHANGE": msg194, - "PFM_FAN_FLTR_STATUS": msg242, - "PFM_MODULE_POWER_ON": msg87, - "PFM_PS_RED_MODE_CHG": msg370, - "PFM_SYSTEM_RESET": msg88, - "PFM_VEM_DETECTED": msg101, - "PFM_VEM_REMOVE_NO_HB": msg89, - "PFM_VEM_REMOVE_RESET": msg90, - "PFM_VEM_REMOVE_STATE_CONFLICT": msg91, - "PFM_VEM_REMOVE_TWO_ACT_VSM": msg92, - "PFM_VEM_UNLICENSED": msg93, - "PINNING_CHANGED": msg317, - "PIXM_SYSLOG_MESSAGE_TYPE_CRIT": msg282, - "POLICY_ACTIVATE_EVENT": msg27, - "POLICY_COMMIT_EVENT": msg28, - "POLICY_DEACTIVATE_EVENT": msg29, - "POLICY_LOOKUP_EVENT": select10, - "PORT_ADDED": msg218, - "PORT_DELETED": msg219, - "PORT_DOWN": msg53, - "PORT_INDIVIDUAL": msg294, - "PORT_INDIVIDUAL_DOWN": msg212, - "PORT_PROFILE_CHANGE_VERIFY_REQ_FAILURE": msg124, - "PORT_RANGE_ADDED": msg280, - "PORT_RANGE_DELETED": msg279, - "PORT_RANGE_ROLE": msg277, - "PORT_RANGE_STATE": msg278, - "PORT_ROLE": msg220, - "PORT_SOFTWARE_FAILURE": msg65, - "PORT_STATE": msg221, - "PORT_SUSPENDED": msg213, - "PORT_UP": msg54, - "PS_ABSENT": msg364, - "PS_CAPACITY_CHANGE": select16, - "PS_DETECT": msg365, - "PS_FAIL": msg204, - "PS_FANOK": msg94, - "PS_FOUND": msg102, - "PS_OK": msg95, - "PS_PWR_INPUT_MISSING": msg314, - "PS_RED_MODE_CHG": msg371, - "PS_RED_MODE_RESTORED": msg315, - "PS_STATUS": msg103, - "PVLAN_PPM_PORT_CONFIG_FAILED": msg129, - "READCONF_STARTED": msg299, - "RM_VICPP_RECREATE_ERROR": msg132, - "ROUTERFOUND": msg349, - "RUNTIME_DB_RESTORE_STARTED": msg303, - "RUNTIME_DB_RESTORE_SUCCESS": msg304, - "SATCTRL": msg318, - "SATCTRL_IMAGE": msg321, - "SENSOR_MSG1": msg323, - "SERVER_ADDED": msg291, 
- "SERVER_REMOVED": msg292, - "SERVICEFOUND": msg348, - "SERVICELOST": msg202, - "SERVICE_CRASHED": msg201, - "SERVICE_STARTED": msg375, - "SOHMS_DIAG_ERROR": select37, - "SPEED": msg50, - "SRVSTATE_CHANGED": msg373, - "STANDBY_SUP_OK": msg126, - "STM_LEARNING_RE_ENABLE": msg340, - "STM_LOOP_DETECT": msg127, - "SUBGROUP_ID_PORT_ADDED": msg55, - "SUBGROUP_ID_PORT_REMOVED": msg56, - "SUBPROC_SUCCESS_EXIT": msg367, - "SUBPROC_TERMINATED": msg366, - "SUP_POWERDOWN": msg300, - "SWITCHOVER_OVER": msg285, - "SYNC_COMPLETE": msg128, - "SYNC_FAILURE_STANDBY_RESET": msg195, - "SYN_COLL_DIS_EN": msg309, - "SYSLOG_LOG_WARNING": msg58, - "SYSLOG_SL_MSG_WARNING": msg337, - "SYSMGR_AUTOCOLLECT_TECH_SUPPORT_LOG": msg241, - "SYSTEM_MSG": select9, - "TACACS_ACCOUNTING_MESSAGE": select32, - "TACACS_ERROR_MESSAGE": msg230, - "UDLD_PORT_DISABLED": msg341, - "UNKNOWN_MTYPE": msg320, - "UPDOWN": msg368, - "VDC_HOSTNAME_CHANGE": msg26, - "VDC_MODULETYPE": msg286, - "VDC_ONLINE": msg325, - "VDC_STATE_CHANGE": msg284, - "VMS_PPM_SYNC_COMPLETE": msg151, - "VPC_CFGD": msg260, - "VPC_DELETED": msg152, - "VPC_ISSU_END": msg276, - "VPC_ISSU_START": msg275, - "VPC_UP": msg153, - "VSHD_SYSLOG_CONFIG_I": select25, - "XBAR_DETECT": msg271, - "XBAR_OK": msg274, - "XBAR_PWRDN": msg273, - "XBAR_PWRUP": msg272, - "ZS_MERGE_FAILED": msg331, - "dstats": msg327, - "last": msg200, - "ntpd": select41, - "snmpd": select29, - "zone": msg334, - }), - ]); - - var part328 = match_copy("MESSAGE#24:SYSTEM_MSG:08/0_1", "nwparser.payload", "event_description"); - - var part329 = match("MESSAGE#44:IF_RX_FLOW_CONTROL/1_0", "nwparser.p0", "rol%{p0}"); - - var part330 = match("MESSAGE#44:IF_RX_FLOW_CONTROL/1_1", "nwparser.p0", "ol%{p0}"); - - var part331 = match("MESSAGE#44:IF_RX_FLOW_CONTROL/2", "nwparser.p0", "%{}state changed to %{result}"); - - var part332 = match("MESSAGE#171:AAA_ACCOUNTING_MESSAGE:27/0", "nwparser.payload", "update:%{saddr}@%{terminal}:%{username}:%{p0}"); - - var part333 = 
match("MESSAGE#171:AAA_ACCOUNTING_MESSAGE:27/2", "nwparser.p0", "%{result})"); - - var part334 = match("MESSAGE#186:ACLLOG_FLOW_INTERVAL/0", "nwparser.payload", "S%{p0}"); - - var part335 = match("MESSAGE#186:ACLLOG_FLOW_INTERVAL/1_0", "nwparser.p0", "ource%{p0}"); - - var part336 = match("MESSAGE#186:ACLLOG_FLOW_INTERVAL/1_1", "nwparser.p0", "rc%{p0}"); - - var part337 = match("MESSAGE#186:ACLLOG_FLOW_INTERVAL/2", "nwparser.p0", "%{}IP: %{saddr}, D%{p0}"); - - var part338 = match("MESSAGE#186:ACLLOG_FLOW_INTERVAL/3_0", "nwparser.p0", "estination%{p0}"); - - var part339 = match("MESSAGE#186:ACLLOG_FLOW_INTERVAL/3_1", "nwparser.p0", "st%{p0}"); - - var part340 = match("MESSAGE#186:ACLLOG_FLOW_INTERVAL/4", "nwparser.p0", "%{}IP: %{daddr}, S%{p0}"); - - var part341 = match("MESSAGE#186:ACLLOG_FLOW_INTERVAL/6", "nwparser.p0", "%{}Port: %{sport}, D%{p0}"); - - var part342 = match("MESSAGE#186:ACLLOG_FLOW_INTERVAL/8", "nwparser.p0", "%{}Port: %{dport}, S%{p0}"); - - var part343 = match("MESSAGE#186:ACLLOG_FLOW_INTERVAL/9_0", "nwparser.p0", "ource Interface%{p0}"); - - var part344 = match("MESSAGE#186:ACLLOG_FLOW_INTERVAL/9_1", "nwparser.p0", "rc Intf%{p0}"); - - var part345 = match("MESSAGE#186:ACLLOG_FLOW_INTERVAL/10", "nwparser.p0", ": %{sinterface}, %{p0}"); - - var part346 = match("MESSAGE#186:ACLLOG_FLOW_INTERVAL/11_0", "nwparser.p0", "Protocol: %{p0}"); - - var part347 = match("MESSAGE#186:ACLLOG_FLOW_INTERVAL/11_1", "nwparser.p0", "protocol: %{p0}"); - - var part348 = match("MESSAGE#186:ACLLOG_FLOW_INTERVAL/12", "nwparser.p0", "\"%{protocol}\"(%{protocol_detail}),%{space->} Hit-count = %{dclass_counter1}"); - - var part349 = match("MESSAGE#372:TACACS_ACCOUNTING_MESSAGE:09/0", "nwparser.payload", "%{action}: %{p0}"); - - var part350 = match("MESSAGE#372:TACACS_ACCOUNTING_MESSAGE:09/1_0", "nwparser.p0", "%{saddr}@%{terminal}: %{p0}"); - - var part351 = match("MESSAGE#372:TACACS_ACCOUNTING_MESSAGE:09/1_1", "nwparser.p0", "%{fld1->} %{p0}"); - - var part352 = 
match("MESSAGE#372:TACACS_ACCOUNTING_MESSAGE:09/3_0", "nwparser.p0", "(%{result})%{info}"); - - var part353 = match_copy("MESSAGE#372:TACACS_ACCOUNTING_MESSAGE:09/3_1", "nwparser.p0", "info"); - - var part354 = match("MESSAGE#238:IF_XCVR_WARNING/0", "nwparser.payload", "Interface %{interface}, %{p0}"); - - var part355 = match("MESSAGE#238:IF_XCVR_WARNING/1_0", "nwparser.p0", "Low %{p0}"); - - var part356 = match("MESSAGE#238:IF_XCVR_WARNING/1_1", "nwparser.p0", "High %{p0}"); - - var part357 = match_copy("MESSAGE#0:LOG-7-SYSTEM_MSG", "nwparser.payload", "event_description", processor_chain([ - dup1, - dup2, - dup3, - dup4, - ])); - - var part358 = match_copy("MESSAGE#32:NEIGHBOR_UPDATE_AUTOCOPY", "nwparser.payload", "event_description", processor_chain([ - dup15, - dup2, - dup3, - dup4, - ])); - - var part359 = match("MESSAGE#35:IF_DOWN_ADMIN_DOWN", "nwparser.payload", "Interface %{interface->} is down (%{result})", processor_chain([ - dup23, - dup2, - dup3, - dup4, - ])); - - var part360 = match("MESSAGE#36:IF_DOWN_ADMIN_DOWN:01", "nwparser.payload", "%{fld43->} Interface %{interface->} is down (%{result})", processor_chain([ - dup23, - dup2, - dup3, - dup4, - ])); - - var part361 = match("MESSAGE#37:IF_DOWN_CHANNEL_MEMBERSHIP_UPDATE_IN_PROGRESS", "nwparser.payload", "Interface %{interface->} is down (%{result})", processor_chain([ - dup15, - dup2, - dup3, - dup4, - ])); - - var part362 = match("MESSAGE#38:IF_DOWN_INTERFACE_REMOVED", "nwparser.payload", "Interface %{interface->} is down (%{result})", processor_chain([ - dup24, - dup2, - dup3, - dup4, - ])); - - var select44 = linear_select([ - dup26, - dup27, - ]); - - var part363 = match_copy("MESSAGE#58:IM_SEQ_ERROR", "nwparser.payload", "result", processor_chain([ - dup1, - dup2, - dup3, - dup4, - ])); - - var part364 = match_copy("MESSAGE#88:PFM_VEM_REMOVE_NO_HB", "nwparser.payload", "event_description", processor_chain([ - dup24, - dup2, - dup3, - dup4, - ])); - - var part365 = 
match("MESSAGE#108:IF_DOWN_INITIALIZING:01", "nwparser.payload", "%{fld43->} Interface %{interface->} is down (%{result})", processor_chain([ - dup15, - dup2, - dup3, - dup4, - ])); - - var part366 = match("MESSAGE#110:IF_DOWN_NONE:01", "nwparser.payload", "%{fld52->} Interface %{interface->} is down (%{result})", processor_chain([ - dup23, - dup34, - dup35, - dup14, - dup2, - dup3, - dup4, - ])); - - var part367 = match_copy("MESSAGE#123:PORT_PROFILE_CHANGE_VERIFY_REQ_FAILURE", "nwparser.payload", "event_description", processor_chain([ - dup33, - dup2, - dup3, - dup4, - ])); - - var select45 = linear_select([ - dup46, - dup47, - ]); - - var select46 = linear_select([ - dup49, - dup50, - ]); - - var select47 = linear_select([ - dup54, - dup55, - ]); - - var select48 = linear_select([ - dup57, - dup58, - ]); - - var part368 = match_copy("MESSAGE#214:NOHMS_DIAG_ERR_PS_FAIL", "nwparser.payload", "event_description", processor_chain([ - dup23, - dup2, - dup3, - dup4, - ])); - - var select49 = linear_select([ - dup65, - dup66, - ]); - - var select50 = linear_select([ - dup67, - dup68, - ]); - - var part369 = match("MESSAGE#224:IF_SFP_WARNING", "nwparser.payload", "Interface %{interface}, %{event_description}", processor_chain([ - dup15, - dup2, - dup3, - dup4, - ])); - - var part370 = match("MESSAGE#225:IF_DOWN_TCP_MAX_RETRANSMIT", "nwparser.payload", "%{fld43->} Interface %{interface->} is down%{info}", processor_chain([ - dup23, - dup2, - dup3, - dup4, - ])); - - var select51 = linear_select([ - dup70, - dup71, - ]); - - var part371 = match("MESSAGE#239:IF_XCVR_WARNING:01", "nwparser.payload", "Interface %{interface}, %{event_description}", processor_chain([ - dup61, - dup2, - dup3, - dup4, - ])); - -- community_id: -- registered_domain: - ignore_missing: true - ignore_failure: true - field: dns.question.name - target_field: dns.question.registered_domain - target_subdomain_field: dns.question.subdomain - target_etld_field: dns.question.top_level_domain -- 
registered_domain: - ignore_missing: true - ignore_failure: true - field: client.domain - target_field: client.registered_domain - target_subdomain_field: client.subdomain - target_etld_field: client.top_level_domain -- registered_domain: - ignore_missing: true - ignore_failure: true - field: server.domain - target_field: server.registered_domain - target_subdomain_field: server.subdomain - target_etld_field: server.top_level_domain -- registered_domain: - ignore_missing: true - ignore_failure: true - field: destination.domain - target_field: destination.registered_domain - target_subdomain_field: destination.subdomain - target_etld_field: destination.top_level_domain -- registered_domain: - ignore_missing: true - ignore_failure: true - field: source.domain - target_field: source.registered_domain - target_subdomain_field: source.subdomain - target_etld_field: source.top_level_domain -- registered_domain: - ignore_missing: true - ignore_failure: true - field: url.domain - target_field: url.registered_domain - target_subdomain_field: url.subdomain - target_etld_field: url.top_level_domain -- add_locale: ~ diff --git a/packages/cisco_nexus/0.7.2/data_stream/log/elasticsearch/ingest_pipeline/default.yml b/packages/cisco_nexus/0.7.2/data_stream/log/elasticsearch/ingest_pipeline/default.yml deleted file mode 100755 index 27e250da8d..0000000000 --- a/packages/cisco_nexus/0.7.2/data_stream/log/elasticsearch/ingest_pipeline/default.yml +++ /dev/null 
@@ -1,68 +0,0 @@ ---- -description: Pipeline for Cisco Nexus - -processors: - - set: - field: ecs.version - value: '8.4.0' - # User agent - - user_agent: - field: user_agent.original - ignore_missing: true - # IP Geolocation Lookup - - geoip: - field: source.ip - target_field: source.geo - ignore_missing: true - - geoip: - field: destination.ip - target_field: destination.geo - ignore_missing: true - - # IP Autonomous System (AS) Lookup - - geoip: - database_file: GeoLite2-ASN.mmdb - field: source.ip - target_field: source.as - properties: - - asn - - organization_name - ignore_missing: true - - geoip: - database_file: GeoLite2-ASN.mmdb - field: destination.ip - target_field: destination.as - properties: - - asn - - organization_name - ignore_missing: true - - rename: - field: source.as.asn - target_field: source.as.number - ignore_missing: true - - rename: - field: source.as.organization_name - target_field: source.as.organization.name - ignore_missing: true - - rename: - field: destination.as.asn - target_field: destination.as.number - ignore_missing: true - - rename: - field: destination.as.organization_name - target_field: destination.as.organization.name - ignore_missing: true - - append: - field: related.hosts - value: '{{host.name}}' - allow_duplicates: false - if: ctx.host?.name != null && ctx.host?.name != '' - - remove: - field: event.original - if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" - ignore_failure: true - ignore_missing: true -on_failure: - - append: - field: error.message - value: "{{ _ingest.on_failure_message }}" diff --git a/packages/cisco_nexus/0.7.2/data_stream/log/fields/agent.yml b/packages/cisco_nexus/0.7.2/data_stream/log/fields/agent.yml deleted file mode 100755 index 38bb8dcec5..0000000000 --- a/packages/cisco_nexus/0.7.2/data_stream/log/fields/agent.yml +++ /dev/null 
@@ -1,175 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). 
- example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - diff --git a/packages/cisco_nexus/0.7.2/data_stream/log/fields/base-fields.yml b/packages/cisco_nexus/0.7.2/data_stream/log/fields/base-fields.yml deleted file mode 100755 index c0bd69c3bb..0000000000 --- a/packages/cisco_nexus/0.7.2/data_stream/log/fields/base-fields.yml +++ /dev/null 
@@ -1,43 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: event.module - type: constant_keyword - description: Event module - value: cisco_nexus -- name: event.dataset - type: constant_keyword - description: Event dataset - value: cisco_nexus.log -- name: container.id - description: Unique container id. - ignore_above: 1024 - type: keyword -- name: input.type - description: Type of Filebeat input. - type: keyword -- name: log.file.path - description: Full path to the log file this event came from. - example: /var/log/fun-times.log - ignore_above: 1024 - type: keyword -- name: log.source.address - description: Source address from which the log event was read / sent from. - type: keyword -- name: log.flags - description: Flags for the log file. - type: keyword -- name: log.offset - description: Offset of the entry in the log file. - type: long -- name: tags - description: List of keywords used to tag each event. - example: '["production", "env2"]' - ignore_above: 1024 - type: keyword diff --git a/packages/cisco_nexus/0.7.2/data_stream/log/fields/ecs.yml b/packages/cisco_nexus/0.7.2/data_stream/log/fields/ecs.yml deleted file mode 100755 index f7e5c95752..0000000000 --- a/packages/cisco_nexus/0.7.2/data_stream/log/fields/ecs.yml +++ /dev/null 
@@ -1,547 +0,0 @@ -- description: |- - Date/time when the event originated. - This is the date/time extracted from the event, typically representing when the event was generated by the source. - If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. - Required field for all events. - name: '@timestamp' - type: date -- description: |- - The domain name of the client system. - This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. - name: client.domain - type: keyword -- description: |- - The highest registered client domain, stripped of the subdomain. - For example, the registered domain for "foo.example.com" is "example.com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". - name: client.registered_domain - type: keyword -- description: |- - The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. - For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. - name: client.subdomain - type: keyword -- description: |- - The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). 
Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". - name: client.top_level_domain - type: keyword -- description: |- - Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: destination.address - type: keyword -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: destination.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: destination.as.organization.name - type: keyword -- description: Bytes sent from the destination to the source. - name: destination.bytes - type: long -- description: |- - The domain name of the destination system. - This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. - name: destination.domain - type: keyword -- description: City name. - name: destination.geo.city_name - type: keyword -- description: Country name. - name: destination.geo.country_name - type: keyword -- description: Longitude and latitude. - name: destination.geo.location - type: geo_point -- description: IP address of the destination (IPv4 or IPv6). - name: destination.ip - type: ip -- description: |- - MAC address of the destination. - The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. 
- name: destination.mac - pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ - type: keyword -- description: |- - Translated ip of destination based NAT sessions (e.g. internet to private DMZ) - Typically used with load balancers, firewalls, or routers. - name: destination.nat.ip - type: ip -- description: |- - Port the source session is translated to by NAT Device. - Typically used with load balancers, firewalls, or routers. - name: destination.nat.port - type: long -- description: Port of the destination. - name: destination.port - type: long -- description: |- - The highest registered destination domain, stripped of the subdomain. - For example, the registered domain for "foo.example.com" is "example.com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". - name: destination.registered_domain - type: keyword -- description: |- - The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. - For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. - name: destination.subdomain - type: keyword -- description: |- - The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". 
- name: destination.top_level_domain - type: keyword -- description: |- - The domain name to which this resource record pertains. - If a chain of CNAME is being resolved, each answer's `name` should be the one that corresponds with the answer's `data`. It should not simply be the original `question.name` repeated. - name: dns.answers.name - type: keyword -- description: The type of data contained in this resource record. - name: dns.answers.type - type: keyword -- description: |- - The highest registered domain, stripped of the subdomain. - For example, the registered domain for "foo.example.com" is "example.com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". - name: dns.question.registered_domain - type: keyword -- description: |- - The subdomain is all of the labels under the registered_domain. - If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. - name: dns.question.subdomain - type: keyword -- description: |- - The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". - name: dns.question.top_level_domain - type: keyword -- description: The type of record being queried. - name: dns.question.type - type: keyword -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. 
- When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: Error message. - name: error.message - type: match_only_text -- description: |- - The action captured by the event. - This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. - name: event.action - type: keyword -- description: |- - Identification code for this event, if one exists. - Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. - name: event.code - type: keyword -- description: |- - Timestamp when an event arrived in the central data store. - This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. - In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. - name: event.ingested - type: date -- description: |- - Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. - This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. - doc_values: false - index: false - name: event.original - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. 
- `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. - Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. - Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. - Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. - name: event.outcome - type: keyword -- description: |- - This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. - Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). - name: event.timezone - type: keyword -- description: |- - Array of file attributes. - Attributes names will vary by platform. Here's a non-exhaustive list of values that are expected in this field: archive, compressed, directory, encrypted, execute, hidden, read, readonly, system, write. - name: file.attributes - normalize: - - array - type: keyword -- description: Directory where the file is located. It should include the drive letter, when appropriate. - name: file.directory - type: keyword -- description: |- - File extension, excluding the leading dot. - Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). - name: file.extension - type: keyword -- description: Name of the file including the extension, without the directory. 
- name: file.name - type: keyword -- description: Full path to the file, including the file name. It should include the drive letter, when appropriate. - multi_fields: - - name: text - type: match_only_text - name: file.path - type: keyword -- description: |- - File size in bytes. - Only relevant when `file.type` is "file". - name: file.size - type: long -- description: File type (file, dir, or symlink). - name: file.type - type: keyword -- description: City name. - name: geo.city_name - type: keyword -- description: Country name. - name: geo.country_name - type: keyword -- description: |- - User-defined description of a location, at the level of granularity they care about. - Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. - Not typically used in automated geolocation. - name: geo.name - type: keyword -- description: Region name. - name: geo.region_name - type: keyword -- description: Unique identifier for the group on the system/platform. - name: group.id - type: keyword -- description: Name of the group. - name: group.name - type: keyword -- description: |- - Hostname of the host. - It normally contains what the `hostname` command returns on the host machine. - name: host.hostname - type: keyword -- description: Host ip addresses. - name: host.ip - normalize: - - array - type: ip -- description: |- - Host MAC addresses. - The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. - name: host.mac - normalize: - - array - pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ - type: keyword -- description: |- - Name of the host. - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. 
- name: host.name - type: keyword -- description: |- - HTTP request method. - The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field. - name: http.request.method - type: keyword -- description: Referrer for this HTTP request. - name: http.request.referrer - type: keyword -- description: |- - Original log level of the log event. - If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). - Some examples are `warn`, `err`, `i`, `informational`. - name: log.level - type: keyword -- description: |- - The Syslog numeric facility of the log event, if available. - According to RFCs 5424 and 3164, this value should be an integer between 0 and 23. - name: log.syslog.facility.code - type: long -- description: |- - Syslog numeric priority of the event, if available. - According to RFCs 5424 and 3164, the priority is 8 * facility + severity. This number is therefore expected to contain a value between 0 and 191. - name: log.syslog.priority - type: long -- description: |- - The Syslog numeric severity of the log event, if available. - If the event source publishing via Syslog provides a different numeric severity value (e.g. firewall, IDS), your source's numeric severity should go to `event.severity`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `event.severity`. - name: log.syslog.severity.code - type: long -- description: |- - For log events the message field contains the log message, optimized for viewing in a log viewer. - For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. - If multiple messages exist, they can be combined into one message. 
- name: message - type: match_only_text -- description: |- - When a specific application or service is identified from network connection details (source/dest IPs, ports, certificates, or wire format), this field captures the application's or service's name. - For example, the original event identifies the network connection being from a specific web service in a `https` network connection, like `facebook` or `twitter`. - The field value must be normalized to lowercase for querying. - name: network.application - type: keyword -- description: |- - Total bytes transferred in both directions. - If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. - name: network.bytes - type: long -- description: |- - Direction of the network traffic. - When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". - When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". - Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. - name: network.direction - type: keyword -- description: Host IP address when the source IP address is the proxy. - name: network.forwarded_ip - type: ip -- description: |- - Total packets transferred in both directions. - If `source.packets` and `destination.packets` are known, `network.packets` is their sum. - name: network.packets - type: long -- description: |- - In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. - The field value must be normalized to lowercase for querying. 
- name: network.protocol - type: keyword -- description: Interface name as reported by the system. - name: observer.egress.interface.name - type: keyword -- description: Interface name as reported by the system. - name: observer.ingress.interface.name - type: keyword -- description: The product name of the observer. - name: observer.product - type: keyword -- description: |- - The type of the observer the data is coming from. - There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. - name: observer.type - type: keyword -- description: Vendor name of the observer. - name: observer.vendor - type: keyword -- description: Observer version. - name: observer.version - type: keyword -- description: |- - Process name. - Sometimes called program name or similar. - multi_fields: - - name: text - type: match_only_text - name: process.name - type: keyword -- description: |- - Process name. - Sometimes called program name or similar. - multi_fields: - - name: text - type: match_only_text - name: process.parent.name - type: keyword -- description: |- - Process title. - The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. - multi_fields: - - name: text - type: match_only_text - name: process.parent.title - type: keyword -- description: Process id. - name: process.pid - type: long -- description: Process id. - name: process.parent.pid - type: long -- description: |- - Process title. - The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. - multi_fields: - - name: text - type: match_only_text - name: process.title - type: keyword -- description: All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. 
- name: related.hosts - normalize: - - array - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - normalize: - - array - type: ip -- description: All the user names or other user identifiers seen on the event. - name: related.user - normalize: - - array - type: keyword -- description: The name of the rule or signature generating the event. - name: rule.name - type: keyword -- description: |- - The domain name of the server system. - This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. - name: server.domain - type: keyword -- description: |- - The highest registered server domain, stripped of the subdomain. - For example, the registered domain for "foo.example.com" is "example.com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". - name: server.registered_domain - type: keyword -- description: |- - The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. - For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. - name: server.subdomain - type: keyword -- description: |- - The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). 
Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". - name: server.top_level_domain - type: keyword -- description: |- - Name of the service data is collected from. - The name of the service is normally user given. This allows for distributed services that run on multiple hosts to correlate the related instances based on the name. - In the case of Elasticsearch the `service.name` could contain the cluster name. For Beats the `service.name` is by default a copy of the `service.type` field if no name is specified. - name: service.name - type: keyword -- description: |- - Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: source.address - type: keyword -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: source.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: source.as.organization.name - type: keyword -- description: Bytes sent from the source to the destination. - name: source.bytes - type: long -- description: |- - The domain name of the source system. - This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. - name: source.domain - type: keyword -- description: City name. - name: source.geo.city_name - type: keyword -- description: Country name. - name: source.geo.country_name - type: keyword -- description: Longitude and latitude. - name: source.geo.location - type: geo_point -- description: IP address of the source (IPv4 or IPv6). 
- name: source.ip - type: ip -- description: |- - MAC address of the source. - The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. - name: source.mac - pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ - type: keyword -- description: |- - Translated ip of source based NAT sessions (e.g. internal client to internet) - Typically connections traversing load balancers, firewalls, or routers. - name: source.nat.ip - type: ip -- description: |- - Translated port of source based NAT sessions. (e.g. internal client to internet) - Typically used with load balancers, firewalls, or routers. - name: source.nat.port - type: long -- description: Port of the source. - name: source.port - type: long -- description: |- - The highest registered source domain, stripped of the subdomain. - For example, the registered domain for "foo.example.com" is "example.com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". - name: source.registered_domain - type: keyword -- description: |- - The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. - For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. 
- name: source.subdomain - type: keyword -- description: |- - The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". - name: source.top_level_domain - type: keyword -- description: List of keywords used to tag each event. - name: tags - normalize: - - array - type: keyword -- description: |- - Domain of the url, such as "www.elastic.co". - In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. - If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. - name: url.domain - type: keyword -- description: |- - Unmodified original url as seen in the event source. - Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. - This field is meant to represent the URL as it was observed, complete or not. - multi_fields: - - name: text - type: match_only_text - name: url.original - type: wildcard -- description: Path of the request, such as "/search". - name: url.path - type: wildcard -- description: |- - The query field describes the query string of the request, such as "q=elasticsearch". - The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. - name: url.query - type: keyword -- description: |- - The highest registered url domain, stripped of the subdomain. 
- For example, the registered domain for "foo.example.com" is "example.com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". - name: url.registered_domain - type: keyword -- description: |- - The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". - name: url.top_level_domain - type: keyword -- description: |- - Name of the directory the user is a member of. - For example, an LDAP or Active Directory domain name. - name: user.domain - type: keyword -- description: User's full name, if available. - multi_fields: - - name: text - type: match_only_text - name: user.full_name - type: keyword -- description: Unique identifier of the user. - name: user.id - type: keyword -- description: Short name or login of the user. - multi_fields: - - name: text - type: match_only_text - name: user.name - type: keyword -- description: Unparsed user_agent string. - multi_fields: - - name: text - type: match_only_text - name: user_agent.original - type: keyword diff --git a/packages/cisco_nexus/0.7.2/data_stream/log/fields/fields.yml b/packages/cisco_nexus/0.7.2/data_stream/log/fields/fields.yml deleted file mode 100755 index 489a873293..0000000000 --- a/packages/cisco_nexus/0.7.2/data_stream/log/fields/fields.yml +++ /dev/null 
@@ -1,1753 +0,0 @@
-- name: rsa
- type: group
- fields:
- - name: internal
- type: group
- fields:
- - name: msg
- type: keyword
- description: This key is used to capture the raw message that comes into the Log Decoder
- - name: messageid
- type: keyword
- - name: event_desc
- type: keyword
- - name: message
- type: keyword
- description: This key captures the contents of instant messages
- - name: time
- type: date
- description: This is the time at which a session hits a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness.
- - name: level
- type: long
- description: Deprecated key defined only in table map.
- - name: msg_id
- type: keyword
- description: This is the Message ID1 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
- - name: msg_vid
- type: keyword
- description: This is the Message ID2 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
- - name: data
- type: keyword
- description: Deprecated key defined only in table map.
- - name: obj_server
- type: keyword
- description: Deprecated key defined only in table map.
- - name: obj_val
- type: keyword
- description: Deprecated key defined only in table map.
- - name: resource
- type: keyword
- description: Deprecated key defined only in table map.
- - name: obj_id
- type: keyword
- description: Deprecated key defined only in table map.
- - name: statement
- type: keyword
- description: Deprecated key defined only in table map.
- - name: audit_class
- type: keyword
- description: Deprecated key defined only in table map.
- - name: entry - type: keyword - description: Deprecated key defined only in table map. - - name: hcode - type: keyword - description: Deprecated key defined only in table map. - - name: inode - type: long - description: Deprecated key defined only in table map. - - name: resource_class - type: keyword - description: Deprecated key defined only in table map. - - name: dead - type: long - description: Deprecated key defined only in table map. - - name: feed_desc - type: keyword - description: This is used to capture the description of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: feed_name - type: keyword - description: This is used to capture the name of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: cid - type: keyword - description: This is the unique identifier used to identify a NetWitness Concentrator. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: device_class - type: keyword - description: This is the Classification of the Log Event Source under a predefined fixed set of Event Source Classifications. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: device_group - type: keyword - description: This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: device_host - type: keyword - description: This is the Hostname of the log Event Source sending the logs to NetWitness. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: device_ip - type: ip - description: This is the IPv4 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: device_ipv6 - type: ip - description: This is the IPv6 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: device_type - type: keyword - description: This is the name of the log parser which parsed a given session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: device_type_id - type: long - description: Deprecated key defined only in table map. - - name: did - type: keyword - description: This is the unique identifier used to identify a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: entropy_req - type: long - description: This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration - - name: entropy_res - type: long - description: This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration - - name: event_name - type: keyword - description: Deprecated key defined only in table map. - - name: feed_category - type: keyword - description: This is used to capture the category of the feed. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: forward_ip - type: ip - description: This key should be used to capture the IPV4 address of a relay system which forwarded the events from the original system to NetWitness. - - name: forward_ipv6 - type: ip - description: This key is used to capture the IPV6 address of a relay system which forwarded the events from the original system to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: header_id - type: keyword - description: This is the Header ID value that identifies the exact log parser header definition that parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: lc_cid - type: keyword - description: This is a unique Identifier of a Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: lc_ctime - type: date - description: This is the time at which a log is collected in a NetWitness Log Collector. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: mcb_req - type: long - description: This key is only used by the Entropy Parser, the most common byte request is simply which byte for each side (0 thru 255) was seen the most - - name: mcb_res - type: long - description: This key is only used by the Entropy Parser, the most common byte response is simply which byte for each side (0 thru 255) was seen the most - - name: mcbc_req - type: long - description: This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams - - name: mcbc_res - type: long - description: This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams - - name: medium - type: long - description: "This key is used to identify if it’s a log/packet session or Layer 2 Encapsulation Type. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. 32 = log, 33 = correlation session, < 32 is packet session" - - name: node_name - type: keyword - description: Deprecated key defined only in table map. - - name: nwe_callback_id - type: keyword - description: This key denotes that event is endpoint related - - name: parse_error - type: keyword - description: This is a special key that stores any Meta key validation error found while parsing a log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: payload_req - type: long - description: This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. 
However, in order to keep - - name: payload_res - type: long - description: This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep - - name: process_vid_dst - type: keyword - description: Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the target process. - - name: process_vid_src - type: keyword - description: Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the source process. - - name: rid - type: long - description: This is a special ID of the Remote Session created by NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: session_split - type: keyword - description: This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: site - type: keyword - description: Deprecated key defined only in table map. - - name: size - type: long - description: This is the size of the session as seen by the NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: sourcefile - type: keyword - description: This is the name of the log file or PCAPs that can be imported into NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: ubc_req - type: long - description: This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 
256 would mean all byte values of 0 thru 255 were seen at least once - - name: ubc_res - type: long - description: This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once - - name: word - type: keyword - description: This is used by the Word Parsing technology to capture the first 5 character of every word in an unparsed log - - name: time - type: group - fields: - - name: event_time - type: date - description: This key is used to capture the time mentioned in a raw session that represents the actual time an event occured in a standard normalized form - - name: duration_time - type: double - description: This key is used to capture the normalized duration/lifetime in seconds. - - name: event_time_str - type: keyword - description: This key is used to capture the incomplete time mentioned in a session as a string - - name: starttime - type: date - description: This key is used to capture the Start time mentioned in a session in a standard form - - name: month - type: keyword - - name: day - type: keyword - - name: endtime - type: date - description: This key is used to capture the End time mentioned in a session in a standard form - - name: timezone - type: keyword - description: This key is used to capture the timezone of the Event Time - - name: duration_str - type: keyword - description: A text string version of the duration - - name: date - type: keyword - - name: year - type: keyword - - name: recorded_time - type: date - description: The event time as recorded by the system the event is collected from. The usage scenario is a multi-tier application where the management layer of the system records it's own timestamp at the time of collection from its child nodes. Must be in timestamp format. 
- - name: datetime - type: keyword - - name: effective_time - type: date - description: This key is the effective time referenced by an individual event in a Standard Timestamp format - - name: expire_time - type: date - description: This key is the timestamp that explicitly refers to an expiration. - - name: process_time - type: keyword - description: Deprecated, use duration.time - - name: hour - type: keyword - - name: min - type: keyword - - name: timestamp - type: keyword - - name: event_queue_time - type: date - description: This key is the Time that the event was queued. - - name: p_time1 - type: keyword - - name: tzone - type: keyword - - name: eventtime - type: keyword - - name: gmtdate - type: keyword - - name: gmttime - type: keyword - - name: p_date - type: keyword - - name: p_month - type: keyword - - name: p_time - type: keyword - - name: p_time2 - type: keyword - - name: p_year - type: keyword - - name: expire_time_str - type: keyword - description: This key is used to capture incomplete timestamp that explicitly refers to an expiration. - - name: stamp - type: date - description: Deprecated key defined only in table map. - - name: misc - type: group - fields: - - name: action - type: keyword - - name: result - type: keyword - description: This key is used to capture the outcome/result string value of an action in a session. - - name: severity - type: keyword - description: This key is used to capture the severity given the session - - name: event_type - type: keyword - description: This key captures the event category type as specified by the event source. - - name: reference_id - type: keyword - description: This key is used to capture an event id from the session directly - - name: version - type: keyword - description: This key captures Version of the application or OS which is generating the event. - - name: disposition - type: keyword - description: This key captures the The end state of an action. 
- - name: result_code - type: keyword - description: This key is used to capture the outcome/result numeric value of an action in a session - - name: category - type: keyword - description: This key is used to capture the category of an event given by the vendor in the session - - name: obj_name - type: keyword - description: This is used to capture name of object - - name: obj_type - type: keyword - description: This is used to capture type of object - - name: event_source - type: keyword - description: "This key captures Source of the event that’s not a hostname" - - name: log_session_id - type: keyword - description: This key is used to capture a sessionid from the session directly - - name: group - type: keyword - description: This key captures the Group Name value - - name: policy_name - type: keyword - description: This key is used to capture the Policy Name only. - - name: rule_name - type: keyword - description: This key captures the Rule Name - - name: context - type: keyword - description: This key captures Information which adds additional context to the event. - - name: change_new - type: keyword - description: "This key is used to capture the new values of the attribute that’s changing in a session" - - name: space - type: keyword - - name: client - type: keyword - description: This key is used to capture only the name of the client application requesting resources of the server. See the user.agent meta key for capture of the specific user agent identifier or browser identification string. - - name: msgIdPart1 - type: keyword - - name: msgIdPart2 - type: keyword - - name: change_old - type: keyword - description: "This key is used to capture the old value of the attribute that’s changing in a session" - - name: operation_id - type: keyword - description: An alert number or operation number. The values should be unique and non-repeating. 
- - name: event_state - type: keyword - description: This key captures the current state of the object/item referenced within the event. Describing an on-going event. - - name: group_object - type: keyword - description: This key captures a collection/grouping of entities. Specific usage - - name: node - type: keyword - description: Common use case is the node name within a cluster. The cluster name is reflected by the host name. - - name: rule - type: keyword - description: This key captures the Rule number - - name: device_name - type: keyword - description: 'This is used to capture name of the Device associated with the node Like: a physical disk, printer, etc' - - name: param - type: keyword - description: This key is the parameters passed as part of a command or application, etc. - - name: change_attrib - type: keyword - description: "This key is used to capture the name of the attribute that’s changing in a session" - - name: event_computer - type: keyword - description: This key is a windows only concept, where this key is used to capture fully qualified domain name in a windows log. - - name: reference_id1 - type: keyword - description: This key is for Linked ID to be used as an addition to "reference.id" - - name: event_log - type: keyword - description: This key captures the Name of the event log - - name: OS - type: keyword - description: This key captures the Name of the Operating System - - name: terminal - type: keyword - description: This key captures the Terminal Names only - - name: msgIdPart3 - type: keyword - - name: filter - type: keyword - description: This key captures Filter used to reduce result set - - name: serial_number - type: keyword - description: This key is the Serial number associated with a physical asset. - - name: checksum - type: keyword - description: This key is used to capture the checksum or hash of the entity such as a file or process. 
Checksum should be used over checksum.src or checksum.dst when it is unclear whether the entity is a source or target of an action. - - name: event_user - type: keyword - description: This key is a windows only concept, where this key is used to capture combination of domain name and username in a windows log. - - name: virusname - type: keyword - description: This key captures the name of the virus - - name: content_type - type: keyword - description: This key is used to capture Content Type only. - - name: group_id - type: keyword - description: This key captures Group ID Number (related to the group name) - - name: policy_id - type: keyword - description: This key is used to capture the Policy ID only, this should be a numeric value, use policy.name otherwise - - name: vsys - type: keyword - description: This key captures Virtual System Name - - name: connection_id - type: keyword - description: This key captures the Connection ID - - name: reference_id2 - type: keyword - description: This key is for the 2nd Linked ID. Can be either linked to "reference.id" or "reference.id1" value but should not be used unless the other two variables are in play. - - name: sensor - type: keyword - description: This key captures Name of the sensor. Typically used in IDS/IPS based devices - - name: sig_id - type: long - description: This key captures IDS/IPS Int Signature ID - - name: port_name - type: keyword - description: 'This key is used for Physical or logical port connection but does NOT include a network port. (Example: Printer port name).' - - name: rule_group - type: keyword - description: This key captures the Rule group name - - name: risk_num - type: double - description: This key captures a Numeric Risk value - - name: trigger_val - type: keyword - description: This key captures the Value of the trigger or threshold condition. 
- - name: log_session_id1 - type: keyword - description: This key is used to capture a Linked (Related) Session ID from the session directly - - name: comp_version - type: keyword - description: This key captures the Version level of a sub-component of a product. - - name: content_version - type: keyword - description: This key captures Version level of a signature or database content. - - name: hardware_id - type: keyword - description: This key is used to capture unique identifier for a device or system (NOT a Mac address) - - name: risk - type: keyword - description: This key captures the non-numeric risk value - - name: event_id - type: keyword - - name: reason - type: keyword - - name: status - type: keyword - - name: mail_id - type: keyword - description: This key is used to capture the mailbox id/name - - name: rule_uid - type: keyword - description: This key is the Unique Identifier for a rule. - - name: trigger_desc - type: keyword - description: This key captures the Description of the trigger or threshold condition. - - name: inout - type: keyword - - name: p_msgid - type: keyword - - name: data_type - type: keyword - - name: msgIdPart4 - type: keyword - - name: error - type: keyword - description: This key captures All non successful Error codes or responses - - name: index - type: keyword - - name: listnum - type: keyword - description: This key is used to capture listname or listnumber, primarily for collecting access-list - - name: ntype - type: keyword - - name: observed_val - type: keyword - description: This key captures the Value observed (from the perspective of the device generating the log). - - name: policy_value - type: keyword - description: This key captures the contents of the policy. 
This contains details about the policy - - name: pool_name - type: keyword - description: This key captures the name of a resource pool - - name: rule_template - type: keyword - description: A default set of parameters which are overlayed onto a rule (or rulename) which efffectively constitutes a template - - name: count - type: keyword - - name: number - type: keyword - - name: sigcat - type: keyword - - name: type - type: keyword - - name: comments - type: keyword - description: Comment information provided in the log message - - name: doc_number - type: long - description: This key captures File Identification number - - name: expected_val - type: keyword - description: This key captures the Value expected (from the perspective of the device generating the log). - - name: job_num - type: keyword - description: This key captures the Job Number - - name: spi_dst - type: keyword - description: Destination SPI Index - - name: spi_src - type: keyword - description: Source SPI Index - - name: code - type: keyword - - name: agent_id - type: keyword - description: This key is used to capture agent id - - name: message_body - type: keyword - description: This key captures the The contents of the message body. - - name: phone - type: keyword - - name: sig_id_str - type: keyword - description: This key captures a string object of the sigid variable. - - name: cmd - type: keyword - - name: misc - type: keyword - - name: name - type: keyword - - name: cpu - type: long - description: This key is the CPU time used in the execution of the event being recorded. - - name: event_desc - type: keyword - description: This key is used to capture a description of an event available directly or inferred - - name: sig_id1 - type: long - description: This key captures IDS/IPS Int Signature ID. 
This must be linked to the sig.id - - name: im_buddyid - type: keyword - - name: im_client - type: keyword - - name: im_userid - type: keyword - - name: pid - type: keyword - - name: priority - type: keyword - - name: context_subject - type: keyword - description: This key is to be used in an audit context where the subject is the object being identified - - name: context_target - type: keyword - - name: cve - type: keyword - description: This key captures CVE (Common Vulnerabilities and Exposures) - an identifier for known information security vulnerabilities. - - name: fcatnum - type: keyword - description: This key captures Filter Category Number. Legacy Usage - - name: library - type: keyword - description: This key is used to capture library information in mainframe devices - - name: parent_node - type: keyword - description: This key captures the Parent Node Name. Must be related to node variable. - - name: risk_info - type: keyword - description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - - name: tcp_flags - type: long - description: This key is captures the TCP flags set in any packet of session - - name: tos - type: long - description: This key describes the type of service - - name: vm_target - type: keyword - description: VMWare Target **VMWARE** only varaible. 
- - name: workspace - type: keyword - description: This key captures Workspace Description - - name: command - type: keyword - - name: event_category - type: keyword - - name: facilityname - type: keyword - - name: forensic_info - type: keyword - - name: jobname - type: keyword - - name: mode - type: keyword - - name: policy - type: keyword - - name: policy_waiver - type: keyword - - name: second - type: keyword - - name: space1 - type: keyword - - name: subcategory - type: keyword - - name: tbdstr2 - type: keyword - - name: alert_id - type: keyword - description: Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - - name: checksum_dst - type: keyword - description: This key is used to capture the checksum or hash of the the target entity such as a process or file. - - name: checksum_src - type: keyword - description: This key is used to capture the checksum or hash of the source entity such as a file or process. - - name: fresult - type: long - description: This key captures the Filter Result - - name: payload_dst - type: keyword - description: This key is used to capture destination payload - - name: payload_src - type: keyword - description: This key is used to capture source payload - - name: pool_id - type: keyword - description: This key captures the identifier (typically numeric field) of a resource pool - - name: process_id_val - type: keyword - description: This key is a failure key for Process ID when it is not an integer value - - name: risk_num_comm - type: double - description: This key captures Risk Number Community - - name: risk_num_next - type: double - description: This key captures Risk Number NextGen - - name: risk_num_sand - type: double - description: This key captures Risk Number SandBox - - name: risk_num_static - type: double - description: This key captures Risk Number Static - - name: risk_suspicious - type: keyword - description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - - name: risk_warning - 
type: keyword - description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - - name: snmp_oid - type: keyword - description: SNMP Object Identifier - - name: sql - type: keyword - description: This key captures the SQL query - - name: vuln_ref - type: keyword - description: This key captures the Vulnerability Reference details - - name: acl_id - type: keyword - - name: acl_op - type: keyword - - name: acl_pos - type: keyword - - name: acl_table - type: keyword - - name: admin - type: keyword - - name: alarm_id - type: keyword - - name: alarmname - type: keyword - - name: app_id - type: keyword - - name: audit - type: keyword - - name: audit_object - type: keyword - - name: auditdata - type: keyword - - name: benchmark - type: keyword - - name: bypass - type: keyword - - name: cache - type: keyword - - name: cache_hit - type: keyword - - name: cefversion - type: keyword - - name: cfg_attr - type: keyword - - name: cfg_obj - type: keyword - - name: cfg_path - type: keyword - - name: changes - type: keyword - - name: client_ip - type: keyword - - name: clustermembers - type: keyword - - name: cn_acttimeout - type: keyword - - name: cn_asn_src - type: keyword - - name: cn_bgpv4nxthop - type: keyword - - name: cn_ctr_dst_code - type: keyword - - name: cn_dst_tos - type: keyword - - name: cn_dst_vlan - type: keyword - - name: cn_engine_id - type: keyword - - name: cn_engine_type - type: keyword - - name: cn_f_switch - type: keyword - - name: cn_flowsampid - type: keyword - - name: cn_flowsampintv - type: keyword - - name: cn_flowsampmode - type: keyword - - name: cn_inacttimeout - type: keyword - - name: cn_inpermbyts - type: keyword - - name: cn_inpermpckts - type: keyword - - name: cn_invalid - type: keyword - - name: cn_ip_proto_ver - type: keyword - - name: cn_ipv4_ident - type: keyword - - name: cn_l_switch - type: keyword - - name: cn_log_did - type: keyword - - name: cn_log_rid - type: keyword - - name: cn_max_ttl - type: keyword - - name: 
cn_maxpcktlen - type: keyword - - name: cn_min_ttl - type: keyword - - name: cn_minpcktlen - type: keyword - - name: cn_mpls_lbl_1 - type: keyword - - name: cn_mpls_lbl_10 - type: keyword - - name: cn_mpls_lbl_2 - type: keyword - - name: cn_mpls_lbl_3 - type: keyword - - name: cn_mpls_lbl_4 - type: keyword - - name: cn_mpls_lbl_5 - type: keyword - - name: cn_mpls_lbl_6 - type: keyword - - name: cn_mpls_lbl_7 - type: keyword - - name: cn_mpls_lbl_8 - type: keyword - - name: cn_mpls_lbl_9 - type: keyword - - name: cn_mplstoplabel - type: keyword - - name: cn_mplstoplabip - type: keyword - - name: cn_mul_dst_byt - type: keyword - - name: cn_mul_dst_pks - type: keyword - - name: cn_muligmptype - type: keyword - - name: cn_sampalgo - type: keyword - - name: cn_sampint - type: keyword - - name: cn_seqctr - type: keyword - - name: cn_spackets - type: keyword - - name: cn_src_tos - type: keyword - - name: cn_src_vlan - type: keyword - - name: cn_sysuptime - type: keyword - - name: cn_template_id - type: keyword - - name: cn_totbytsexp - type: keyword - - name: cn_totflowexp - type: keyword - - name: cn_totpcktsexp - type: keyword - - name: cn_unixnanosecs - type: keyword - - name: cn_v6flowlabel - type: keyword - - name: cn_v6optheaders - type: keyword - - name: comp_class - type: keyword - - name: comp_name - type: keyword - - name: comp_rbytes - type: keyword - - name: comp_sbytes - type: keyword - - name: cpu_data - type: keyword - - name: criticality - type: keyword - - name: cs_agency_dst - type: keyword - - name: cs_analyzedby - type: keyword - - name: cs_av_other - type: keyword - - name: cs_av_primary - type: keyword - - name: cs_av_secondary - type: keyword - - name: cs_bgpv6nxthop - type: keyword - - name: cs_bit9status - type: keyword - - name: cs_context - type: keyword - - name: cs_control - type: keyword - - name: cs_data - type: keyword - - name: cs_datecret - type: keyword - - name: cs_dst_tld - type: keyword - - name: cs_eth_dst_ven - type: keyword - - 
name: cs_eth_src_ven - type: keyword - - name: cs_event_uuid - type: keyword - - name: cs_filetype - type: keyword - - name: cs_fld - type: keyword - - name: cs_if_desc - type: keyword - - name: cs_if_name - type: keyword - - name: cs_ip_next_hop - type: keyword - - name: cs_ipv4dstpre - type: keyword - - name: cs_ipv4srcpre - type: keyword - - name: cs_lifetime - type: keyword - - name: cs_log_medium - type: keyword - - name: cs_loginname - type: keyword - - name: cs_modulescore - type: keyword - - name: cs_modulesign - type: keyword - - name: cs_opswatresult - type: keyword - - name: cs_payload - type: keyword - - name: cs_registrant - type: keyword - - name: cs_registrar - type: keyword - - name: cs_represult - type: keyword - - name: cs_rpayload - type: keyword - - name: cs_sampler_name - type: keyword - - name: cs_sourcemodule - type: keyword - - name: cs_streams - type: keyword - - name: cs_targetmodule - type: keyword - - name: cs_v6nxthop - type: keyword - - name: cs_whois_server - type: keyword - - name: cs_yararesult - type: keyword - - name: description - type: keyword - - name: devvendor - type: keyword - - name: distance - type: keyword - - name: dstburb - type: keyword - - name: edomain - type: keyword - - name: edomaub - type: keyword - - name: euid - type: keyword - - name: facility - type: keyword - - name: finterface - type: keyword - - name: flags - type: keyword - - name: gaddr - type: keyword - - name: id3 - type: keyword - - name: im_buddyname - type: keyword - - name: im_croomid - type: keyword - - name: im_croomtype - type: keyword - - name: im_members - type: keyword - - name: im_username - type: keyword - - name: ipkt - type: keyword - - name: ipscat - type: keyword - - name: ipspri - type: keyword - - name: latitude - type: keyword - - name: linenum - type: keyword - - name: list_name - type: keyword - - name: load_data - type: keyword - - name: location_floor - type: keyword - - name: location_mark - type: keyword - - name: log_id - 
type: keyword - - name: log_type - type: keyword - - name: logid - type: keyword - - name: logip - type: keyword - - name: logname - type: keyword - - name: longitude - type: keyword - - name: lport - type: keyword - - name: mbug_data - type: keyword - - name: misc_name - type: keyword - - name: msg_type - type: keyword - - name: msgid - type: keyword - - name: netsessid - type: keyword - - name: num - type: keyword - - name: number1 - type: keyword - - name: number2 - type: keyword - - name: nwwn - type: keyword - - name: object - type: keyword - - name: operation - type: keyword - - name: opkt - type: keyword - - name: orig_from - type: keyword - - name: owner_id - type: keyword - - name: p_action - type: keyword - - name: p_filter - type: keyword - - name: p_group_object - type: keyword - - name: p_id - type: keyword - - name: p_msgid1 - type: keyword - - name: p_msgid2 - type: keyword - - name: p_result1 - type: keyword - - name: password_chg - type: keyword - - name: password_expire - type: keyword - - name: permgranted - type: keyword - - name: permwanted - type: keyword - - name: pgid - type: keyword - - name: policyUUID - type: keyword - - name: prog_asp_num - type: keyword - - name: program - type: keyword - - name: real_data - type: keyword - - name: rec_asp_device - type: keyword - - name: rec_asp_num - type: keyword - - name: rec_library - type: keyword - - name: recordnum - type: keyword - - name: ruid - type: keyword - - name: sburb - type: keyword - - name: sdomain_fld - type: keyword - - name: sec - type: keyword - - name: sensorname - type: keyword - - name: seqnum - type: keyword - - name: session - type: keyword - - name: sessiontype - type: keyword - - name: sigUUID - type: keyword - - name: spi - type: keyword - - name: srcburb - type: keyword - - name: srcdom - type: keyword - - name: srcservice - type: keyword - - name: state - type: keyword - - name: status1 - type: keyword - - name: svcno - type: keyword - - name: system - type: keyword - - 
name: tbdstr1 - type: keyword - - name: tgtdom - type: keyword - - name: tgtdomain - type: keyword - - name: threshold - type: keyword - - name: type1 - type: keyword - - name: udb_class - type: keyword - - name: url_fld - type: keyword - - name: user_div - type: keyword - - name: userid - type: keyword - - name: username_fld - type: keyword - - name: utcstamp - type: keyword - - name: v_instafname - type: keyword - - name: virt_data - type: keyword - - name: vpnid - type: keyword - - name: autorun_type - type: keyword - description: This is used to capture Auto Run type - - name: cc_number - type: long - description: Valid Credit Card Numbers only - - name: content - type: keyword - description: This key captures the content type from protocol headers - - name: ein_number - type: long - description: Employee Identification Numbers only - - name: found - type: keyword - description: This is used to capture the results of regex match - - name: language - type: keyword - description: This is used to capture list of languages the client support and what it prefers - - name: lifetime - type: long - description: This key is used to capture the session lifetime in seconds. - - name: link - type: keyword - description: This key is used to link the sessions together. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: match - type: keyword - description: This key is for regex match name from search.ini - - name: param_dst - type: keyword - description: This key captures the command line/launch argument of the target process or file - - name: param_src - type: keyword - description: This key captures source parameter - - name: search_text - type: keyword - description: This key captures the Search Text used - - name: sig_name - type: keyword - description: This key is used to capture the Signature Name only. 
- - name: snmp_value - type: keyword - description: SNMP set request value - - name: streams - type: long - description: This key captures number of streams in session - - name: db - type: group - fields: - - name: index - type: keyword - description: This key captures IndexID of the index. - - name: instance - type: keyword - description: This key is used to capture the database server instance name - - name: database - type: keyword - description: This key is used to capture the name of a database or an instance as seen in a session - - name: transact_id - type: keyword - description: This key captures the SQL transantion ID of the current session - - name: permissions - type: keyword - description: This key captures permission or privilege level assigned to a resource. - - name: table_name - type: keyword - description: This key is used to capture the table name - - name: db_id - type: keyword - description: This key is used to capture the unique identifier for a database - - name: db_pid - type: long - description: This key captures the process id of a connection with database server - - name: lread - type: long - description: This key is used for the number of logical reads - - name: lwrite - type: long - description: This key is used for the number of logical writes - - name: pread - type: long - description: This key is used for the number of physical writes - - name: network - type: group - fields: - - name: alias_host - type: keyword - description: This key should be used when the source or destination context of a hostname is not clear.Also it captures the Device Hostname. Any Hostname that isnt ad.computer. 
- - name: domain - type: keyword - - name: host_dst - type: keyword - description: "This key should only be used when it’s a Destination Hostname" - - name: network_service - type: keyword - description: This is used to capture layer 7 protocols/service names - - name: interface - type: keyword - description: This key should be used when the source or destination context of an interface is not clear - - name: network_port - type: long - description: 'Deprecated, use port. NOTE: There is a type discrepancy as currently used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!)' - - name: eth_host - type: keyword - description: Deprecated, use alias.mac - - name: sinterface - type: keyword - description: "This key should only be used when it’s a Source Interface" - - name: dinterface - type: keyword - description: "This key should only be used when it’s a Destination Interface" - - name: vlan - type: long - description: This key should only be used to capture the ID of the Virtual LAN - - name: zone_src - type: keyword - description: "This key should only be used when it’s a Source Zone." - - name: zone - type: keyword - description: This key should be used when the source or destination context of a Zone is not clear - - name: zone_dst - type: keyword - description: "This key should only be used when it’s a Destination Zone." - - name: gateway - type: keyword - description: This key is used to capture the IP Address of the gateway - - name: icmp_type - type: long - description: This key is used to capture the ICMP type only - - name: mask - type: keyword - description: This key is used to capture the device network IPmask. 
- - name: icmp_code - type: long - description: This key is used to capture the ICMP code only - - name: protocol_detail - type: keyword - description: This key should be used to capture additional protocol information - - name: dmask - type: keyword - description: This key is used for Destionation Device network mask - - name: port - type: long - description: This key should only be used to capture a Network Port when the directionality is not clear - - name: smask - type: keyword - description: This key is used for capturing source Network Mask - - name: netname - type: keyword - description: This key is used to capture the network name associated with an IP range. This is configured by the end user. - - name: paddr - type: ip - description: Deprecated - - name: faddr - type: keyword - - name: lhost - type: keyword - - name: origin - type: keyword - - name: remote_domain_id - type: keyword - - name: addr - type: keyword - - name: dns_a_record - type: keyword - - name: dns_ptr_record - type: keyword - - name: fhost - type: keyword - - name: fport - type: keyword - - name: laddr - type: keyword - - name: linterface - type: keyword - - name: phost - type: keyword - - name: ad_computer_dst - type: keyword - description: Deprecated, use host.dst - - name: eth_type - type: long - description: This key is used to capture Ethernet Type, Used for Layer 3 Protocols Only - - name: ip_proto - type: long - description: This key should be used to capture the Protocol number, all the protocol nubers are converted into string in UI - - name: dns_cname_record - type: keyword - - name: dns_id - type: keyword - - name: dns_opcode - type: keyword - - name: dns_resp - type: keyword - - name: dns_type - type: keyword - - name: domain1 - type: keyword - - name: host_type - type: keyword - - name: packet_length - type: keyword - - name: host_orig - type: keyword - description: This is used to capture the original hostname in case of a Forwarding Agent or a Proxy in between. 
- - name: rpayload - type: keyword - description: This key is used to capture the total number of payload bytes seen in the retransmitted packets. - - name: vlan_name - type: keyword - description: This key should only be used to capture the name of the Virtual LAN - - name: investigations - type: group - fields: - - name: ec_activity - type: keyword - description: This key captures the particular event activity(Ex:Logoff) - - name: ec_theme - type: keyword - description: This key captures the Theme of a particular Event(Ex:Authentication) - - name: ec_subject - type: keyword - description: This key captures the Subject of a particular Event(Ex:User) - - name: ec_outcome - type: keyword - description: This key captures the outcome of a particular Event(Ex:Success) - - name: event_cat - type: long - description: This key captures the Event category number - - name: event_cat_name - type: keyword - description: This key captures the event category name corresponding to the event cat code - - name: event_vcat - type: keyword - description: This is a vendor supplied category. This should be used in situations where the vendor has adopted their own event_category taxonomy. - - name: analysis_file - type: keyword - description: This is used to capture all indicators used in a File Analysis. This key should be used to capture an analysis of a file - - name: analysis_service - type: keyword - description: This is used to capture all indicators used in a Service Analysis. This key should be used to capture an analysis of a service - - name: analysis_session - type: keyword - description: This is used to capture all indicators used for a Session Analysis. 
This key should be used to capture an analysis of a session - - name: boc - type: keyword - description: This is used to capture behaviour of compromise - - name: eoc - type: keyword - description: This is used to capture Enablers of Compromise - - name: inv_category - type: keyword - description: This used to capture investigation category - - name: inv_context - type: keyword - description: This used to capture investigation context - - name: ioc - type: keyword - description: This is key capture indicator of compromise - - name: counters - type: group - fields: - - name: dclass_c1 - type: long - description: This is a generic counter key that should be used with the label dclass.c1.str only - - name: dclass_c2 - type: long - description: This is a generic counter key that should be used with the label dclass.c2.str only - - name: event_counter - type: long - description: This is used to capture the number of times an event repeated - - name: dclass_r1 - type: keyword - description: This is a generic ratio key that should be used with the label dclass.r1.str only - - name: dclass_c3 - type: long - description: This is a generic counter key that should be used with the label dclass.c3.str only - - name: dclass_c1_str - type: keyword - description: This is a generic counter string key that should be used with the label dclass.c1 only - - name: dclass_c2_str - type: keyword - description: This is a generic counter string key that should be used with the label dclass.c2 only - - name: dclass_r1_str - type: keyword - description: This is a generic ratio string key that should be used with the label dclass.r1 only - - name: dclass_r2 - type: keyword - description: This is a generic ratio key that should be used with the label dclass.r2.str only - - name: dclass_c3_str - type: keyword - description: This is a generic counter string key that should be used with the label dclass.c3 only - - name: dclass_r3 - type: keyword - description: This is a generic ratio key that 
should be used with the label dclass.r3.str only - - name: dclass_r2_str - type: keyword - description: This is a generic ratio string key that should be used with the label dclass.r2 only - - name: dclass_r3_str - type: keyword - description: This is a generic ratio string key that should be used with the label dclass.r3 only - - name: identity - type: group - fields: - - name: auth_method - type: keyword - description: This key is used to capture authentication methods used only - - name: user_role - type: keyword - description: This key is used to capture the Role of a user only - - name: dn - type: keyword - description: X.500 (LDAP) Distinguished Name - - name: logon_type - type: keyword - description: This key is used to capture the type of logon method used. - - name: profile - type: keyword - description: This key is used to capture the user profile - - name: accesses - type: keyword - description: This key is used to capture actual privileges used in accessing an object - - name: realm - type: keyword - description: Radius realm or similar grouping of accounts - - name: user_sid_dst - type: keyword - description: This key captures Destination User Session ID - - name: dn_src - type: keyword - description: An X.500 (LDAP) Distinguished name that is used in a context that indicates a Source dn - - name: org - type: keyword - description: This key captures the User organization - - name: dn_dst - type: keyword - description: An X.500 (LDAP) Distinguished name that used in a context that indicates a Destination dn - - name: firstname - type: keyword - description: This key is for First Names only, this is used for Healthcare predominantly to capture Patients information - - name: lastname - type: keyword - description: This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information - - name: user_dept - type: keyword - description: User's Department Names only - - name: user_sid_src - type: keyword - description: This 
key captures Source User Session ID - - name: federated_sp - type: keyword - description: This key is the Federated Service Provider. This is the application requesting authentication. - - name: federated_idp - type: keyword - description: This key is the federated Identity Provider. This is the server providing the authentication. - - name: logon_type_desc - type: keyword - description: This key is used to capture the textual description of an integer logon type as stored in the meta key 'logon.type'. - - name: middlename - type: keyword - description: This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information - - name: password - type: keyword - description: This key is for Passwords seen in any session, plain text or encrypted - - name: host_role - type: keyword - description: This key should only be used to capture the role of a Host Machine - - name: ldap - type: keyword - description: "This key is for Uninterpreted LDAP values. Ldap Values that don’t have a clear query or response context" - - name: ldap_query - type: keyword - description: This key is the Search criteria from an LDAP search - - name: ldap_response - type: keyword - description: This key is to capture Results from an LDAP search - - name: owner - type: keyword - description: This is used to capture username the process or service is running as, the author of the task - - name: service_account - type: keyword - description: This key is a windows specific key, used for capturing name of the account a service (referenced in the event) is running under. 
Legacy Usage - - name: email - type: group - fields: - - name: email_dst - type: keyword - description: This key is used to capture the Destination email address only, when the destination context is not clear use email - - name: email_src - type: keyword - description: This key is used to capture the source email address only, when the source context is not clear use email - - name: subject - type: keyword - description: This key is used to capture the subject string from an Email only. - - name: email - type: keyword - description: This key is used to capture a generic email address where the source or destination context is not clear - - name: trans_from - type: keyword - description: Deprecated key defined only in table map. - - name: trans_to - type: keyword - description: Deprecated key defined only in table map. - - name: file - type: group - fields: - - name: privilege - type: keyword - description: Deprecated, use permissions - - name: attachment - type: keyword - description: This key captures the attachment file name - - name: filesystem - type: keyword - - name: binary - type: keyword - description: Deprecated key defined only in table map. 
- - name: filename_dst - type: keyword - description: This is used to capture name of the file targeted by the action - - name: filename_src - type: keyword - description: This is used to capture name of the parent filename, the file which performed the action - - name: filename_tmp - type: keyword - - name: directory_dst - type: keyword - description: This key is used to capture the directory of the target process or file - - name: directory_src - type: keyword - description: This key is used to capture the directory of the source process or file - - name: file_entropy - type: double - description: This is used to capture entropy vale of a file - - name: file_vendor - type: keyword - description: This is used to capture Company name of file located in version_info - - name: task_name - type: keyword - description: This is used to capture name of the task - - name: web - type: group - fields: - - name: fqdn - type: keyword - description: Fully Qualified Domain Names - - name: web_cookie - type: keyword - description: This key is used to capture the Web cookies specifically. - - name: alias_host - type: keyword - - name: reputation_num - type: double - description: Reputation Number of an entity. 
Typically used for Web Domains - - name: web_ref_domain - type: keyword - description: Web referer's domain - - name: web_ref_query - type: keyword - description: This key captures Web referer's query portion of the URL - - name: remote_domain - type: keyword - - name: web_ref_page - type: keyword - description: This key captures Web referer's page information - - name: web_ref_root - type: keyword - description: Web referer's root URL path - - name: cn_asn_dst - type: keyword - - name: cn_rpackets - type: keyword - - name: urlpage - type: keyword - - name: urlroot - type: keyword - - name: p_url - type: keyword - - name: p_user_agent - type: keyword - - name: p_web_cookie - type: keyword - - name: p_web_method - type: keyword - - name: p_web_referer - type: keyword - - name: web_extension_tmp - type: keyword - - name: web_page - type: keyword - - name: threat - type: group - fields: - - name: threat_category - type: keyword - description: This key captures Threat Name/Threat Category/Categorization of alert - - name: threat_desc - type: keyword - description: This key is used to capture the threat description from the session directly or inferred - - name: alert - type: keyword - description: This key is used to capture name of the alert - - name: threat_source - type: keyword - description: This key is used to capture source of the threat - - name: crypto - type: group - fields: - - name: crypto - type: keyword - description: This key is used to capture the Encryption Type or Encryption Key only - - name: cipher_src - type: keyword - description: This key is for Source (Client) Cipher - - name: cert_subject - type: keyword - description: This key is used to capture the Certificate organization only - - name: peer - type: keyword - description: This key is for Encryption peer's IP Address - - name: cipher_size_src - type: long - description: This key captures Source (Client) Cipher Size - - name: ike - type: keyword - description: IKE negotiation phase. 
- - name: scheme - type: keyword - description: This key captures the Encryption scheme used - - name: peer_id - type: keyword - description: "This key is for Encryption peer’s identity" - - name: sig_type - type: keyword - description: This key captures the Signature Type - - name: cert_issuer - type: keyword - - name: cert_host_name - type: keyword - description: Deprecated key defined only in table map. - - name: cert_error - type: keyword - description: This key captures the Certificate Error String - - name: cipher_dst - type: keyword - description: This key is for Destination (Server) Cipher - - name: cipher_size_dst - type: long - description: This key captures Destination (Server) Cipher Size - - name: ssl_ver_src - type: keyword - description: Deprecated, use version - - name: d_certauth - type: keyword - - name: s_certauth - type: keyword - - name: ike_cookie1 - type: keyword - description: "ID of the negotiation — sent for ISAKMP Phase One" - - name: ike_cookie2 - type: keyword - description: "ID of the negotiation — sent for ISAKMP Phase Two" - - name: cert_checksum - type: keyword - - name: cert_host_cat - type: keyword - description: This key is used for the hostname category value of a certificate - - name: cert_serial - type: keyword - description: This key is used to capture the Certificate serial number only - - name: cert_status - type: keyword - description: This key captures Certificate validation status - - name: ssl_ver_dst - type: keyword - description: Deprecated, use version - - name: cert_keysize - type: keyword - - name: cert_username - type: keyword - - name: https_insact - type: keyword - - name: https_valid - type: keyword - - name: cert_ca - type: keyword - description: This key is used to capture the Certificate signing authority only - - name: cert_common - type: keyword - description: This key is used to capture the Certificate common name only - - name: wireless - type: group - fields: - - name: wlan_ssid - type: keyword - 
description: This key is used to capture the ssid of a Wireless Session - - name: access_point - type: keyword - description: This key is used to capture the access point name. - - name: wlan_channel - type: long - description: This is used to capture the channel names - - name: wlan_name - type: keyword - description: This key captures either WLAN number/name - - name: storage - type: group - fields: - - name: disk_volume - type: keyword - description: A unique name assigned to logical units (volumes) within a physical disk - - name: lun - type: keyword - description: Logical Unit Number.This key is a very useful concept in Storage. - - name: pwwn - type: keyword - description: This uniquely identifies a port on a HBA. - - name: physical - type: group - fields: - - name: org_dst - type: keyword - description: This is used to capture the destination organization based on the GEOPIP Maxmind database. - - name: org_src - type: keyword - description: This is used to capture the source organization based on the GEOPIP Maxmind database. 
- - name: healthcare - type: group - fields: - - name: patient_fname - type: keyword - description: This key is for First Names only, this is used for Healthcare predominantly to capture Patients information - - name: patient_id - type: keyword - description: This key captures the unique ID for a patient - - name: patient_lname - type: keyword - description: This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information - - name: patient_mname - type: keyword - description: This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information - - name: endpoint - type: group - fields: - - name: host_state - type: keyword - description: This key is used to capture the current state of the machine, such as blacklisted, infected, firewall disabled and so on - - name: registry_key - type: keyword - description: This key captures the path to the registry key - - name: registry_value - type: keyword - description: This key captures values or decorators used within a registry entry -- name: dns.question.domain - type: keyword - description: Server domain. -- name: network.interface.name - type: keyword diff --git a/packages/cisco_nexus/0.7.2/data_stream/log/manifest.yml b/packages/cisco_nexus/0.7.2/data_stream/log/manifest.yml deleted file mode 100755 index a608512a5c..0000000000 --- a/packages/cisco_nexus/0.7.2/data_stream/log/manifest.yml +++ /dev/null 
@@ -1,205 +0,0 @@ -title: Cisco Nexus logs -release: experimental -type: logs -streams: - - input: udp - title: Cisco Nexus logs - description: Collect Cisco Nexus logs - template_path: udp.yml.hbs - vars: - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: false - default: - - cisco-nexus - - forwarded - - name: udp_host - type: text - title: UDP host to listen on - multi: false - required: true - show_user: true - default: localhost - - name: udp_port - type: integer - title: UDP port to listen on - multi: false - required: true - show_user: true - default: 9506 - - name: tz_offset - type: text - title: Timezone offset (+HH:mm format) - required: false - show_user: true - default: "local" - - name: rsa_fields - type: bool - title: Add non-ECS fields - required: false - show_user: true - default: true - - name: keep_raw_fields - type: bool - title: Keep raw parser fields - required: false - show_user: false - default: false - - name: debug - type: bool - title: Enable debug logging - required: false - show_user: false - default: false - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original` - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: > - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. 
- - - input: tcp - title: Cisco Nexus logs - description: Collect Cisco Nexus logs - template_path: tcp.yml.hbs - vars: - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: false - default: - - cisco-nexus - - forwarded - - name: tcp_host - type: text - title: TCP host to listen on - multi: false - required: true - show_user: true - default: localhost - - name: tcp_port - type: integer - title: TCP port to listen on - multi: false - required: true - show_user: true - default: 9506 - - name: tz_offset - type: text - title: Timezone offset (+HH:mm format) - required: false - show_user: true - default: "local" - - name: rsa_fields - type: bool - title: Add non-ECS fields - required: false - show_user: true - default: true - - name: keep_raw_fields - type: bool - title: Keep raw parser fields - required: false - show_user: false - default: false - - name: debug - type: bool - title: Enable debug logging - required: false - show_user: false - default: false - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original` - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: > - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. 
- - - input: logfile - enabled: false - title: Cisco Nexus logs - description: Collect Cisco Nexus logs from file - vars: - - name: paths - type: text - title: Paths - multi: true - required: true - show_user: true - default: - - /var/log/cisco-nexus.log - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: false - default: - - cisco-nexus - - forwarded - - name: tz_offset - type: text - title: Timezone offset (+HH:mm format) - required: false - show_user: true - default: "local" - - name: rsa_fields - type: bool - title: Add non-ECS fields - required: false - show_user: true - default: true - - name: keep_raw_fields - type: bool - title: Keep raw parser fields - required: false - show_user: false - default: false - - name: debug - type: bool - title: Enable debug logging - required: false - show_user: false - default: false - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original` - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: > - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. - diff --git a/packages/cisco_nexus/0.7.2/data_stream/log/sample_event.json b/packages/cisco_nexus/0.7.2/data_stream/log/sample_event.json deleted file mode 100755 index 36fb5dc12d..0000000000 --- a/packages/cisco_nexus/0.7.2/data_stream/log/sample_event.json +++ /dev/null 
@@ -1,57 +0,0 @@ -{ - "@timestamp": "2022-01-25T12:10:52.945Z", - "agent": { - "ephemeral_id": "168bb285-37c0-4f83-9ac8-fb8599371dad", - "id": "4e3f135a-d5f9-40b6-ae01-2c834ecbead0", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "8.0.0" - }, - "data_stream": { - "dataset": "cisco_nexus.log", - "namespace": "ep", - "type": "logs" - }, - "ecs": { - "version": "8.3.0" - }, - "elastic_agent": { - "id": "4e3f135a-d5f9-40b6-ae01-2c834ecbead0", - "snapshot": true, - "version": "8.0.0" - }, - "event": { - "agent_id_status": "verified", - "code": "pam_aaa", - "dataset": "cisco_nexus.log", - "ingested": "2022-01-25T12:10:53Z", - "original": "2012 Dec 18 14:51:08 Nexus5010-B %AUTHPRIV-3-SYSTEM_MSG: pam_aaa:Authentication failed for user en from 2.2.2.1 - login\n", - "timezone": "+00:00" - }, - "input": { - "type": "udp" - }, - "log": { - "source": { - "address": "172.30.0.4:48333" - } - }, - "observer": { - "product": "Nexus", - "type": "Switches", - "vendor": "Cisco" - }, - "rsa": { - "internal": { - "messageid": "pam_aaa" - }, - "time": { - "timezone": "Nexus5010-B %AUTHPRIV-3-SYSTEM_MSG" - } - }, - "tags": [ - "preserve_original_event", - "cisco-nexus", - "forwarded" - ] -} \ No newline at end of file diff --git a/packages/cisco_nexus/0.7.2/docs/README.md b/packages/cisco_nexus/0.7.2/docs/README.md deleted file mode 100755 index 36c6117484..0000000000 --- a/packages/cisco_nexus/0.7.2/docs/README.md +++ /dev/null 
@@ -1,914 +0,0 @@ -# Cisco Nexus Integration - -This integration is for [Cisco Nexus device](https://developer.cisco.com/docs/nx-os/) logs. It includes the following -datasets for receiving logs over syslog or read from a file: - -- `log` fileset: supports Cisco Nexus switch logs. - -## Logs - -### Nexus - -The `log` dataset collects Cisco Nexus logs. - -An example event for `log` looks as following: - -```json -{ - "@timestamp": "2022-01-25T12:10:52.945Z", - "agent": { - "ephemeral_id": "168bb285-37c0-4f83-9ac8-fb8599371dad", - "id": "4e3f135a-d5f9-40b6-ae01-2c834ecbead0", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "8.0.0" - }, - "data_stream": { - "dataset": "cisco_nexus.log", - "namespace": "ep", - "type": "logs" - }, - "ecs": { - "version": "8.3.0" - }, - "elastic_agent": { - "id": "4e3f135a-d5f9-40b6-ae01-2c834ecbead0", - "snapshot": true, - "version": "8.0.0" - }, - "event": { - "agent_id_status": "verified", - "code": "pam_aaa", - "dataset": "cisco_nexus.log", - "ingested": "2022-01-25T12:10:53Z", - "original": "2012 Dec 18 14:51:08 Nexus5010-B %AUTHPRIV-3-SYSTEM_MSG: pam_aaa:Authentication failed for user en from 2.2.2.1 - login\n", - "timezone": "+00:00" - }, - "input": { - "type": "udp" - }, - "log": { - "source": { - "address": "172.30.0.4:48333" - } - }, - "observer": { - "product": "Nexus", - "type": "Switches", - "vendor": "Cisco" - }, - "rsa": { - "internal": { - "messageid": "pam_aaa" - }, - "time": { - "timezone": "Nexus5010-B %AUTHPRIV-3-SYSTEM_MSG" - } - }, - "tags": [ - "preserve_original_event", - "cisco-nexus", - "forwarded" - ] -} -``` - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. 
Required field for all events. | date | -| client.domain | The domain name of the client system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | -| client.registered_domain | The highest registered client domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | -| client.subdomain | The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword | -| client.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. 
| keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| destination.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| destination.as.organization.name | Organization name. | keyword | -| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. | match_only_text | -| destination.bytes | Bytes sent from the destination to the source. | long | -| destination.domain | The domain name of the destination system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | -| destination.geo.city_name | City name. 
| keyword | -| destination.geo.country_name | Country name. | keyword | -| destination.geo.location | Longitude and latitude. | geo_point | -| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | -| destination.mac | MAC address of the destination. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | -| destination.nat.ip | Translated ip of destination based NAT sessions (e.g. internet to private DMZ) Typically used with load balancers, firewalls, or routers. | ip | -| destination.nat.port | Port the source session is translated to by NAT Device. Typically used with load balancers, firewalls, or routers. | long | -| destination.port | Port of the destination. | long | -| destination.registered_domain | The highest registered destination domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | -| destination.subdomain | The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. 
| keyword | -| destination.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | -| dns.answers.name | The domain name to which this resource record pertains. If a chain of CNAME is being resolved, each answer's `name` should be the one that corresponds with the answer's `data`. It should not simply be the original `question.name` repeated. | keyword | -| dns.answers.type | The type of data contained in this resource record. | keyword | -| dns.question.domain | Server domain. | keyword | -| dns.question.registered_domain | The highest registered domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | -| dns.question.subdomain | The subdomain is all of the labels under the registered_domain. If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword | -| dns.question.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". 
| keyword | -| dns.question.type | The type of record being queried. | keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| error.message | Error message. | match_only_text | -| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword | -| event.code | Identification code for this event, if one exists. Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. | keyword | -| event.dataset | Event dataset | constant_keyword | -| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | -| event.module | Event module | constant_keyword | -| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. 
| keyword | -| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | -| event.timezone | This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). | keyword | -| file.attributes | Array of file attributes. Attributes names will vary by platform. Here's a non-exhaustive list of values that are expected in this field: archive, compressed, directory, encrypted, execute, hidden, read, readonly, system, write. | keyword | -| file.directory | Directory where the file is located. It should include the drive letter, when appropriate. | keyword | -| file.extension | File extension, excluding the leading dot. Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword | -| file.name | Name of the file including the extension, without the directory. 
| keyword | -| file.path | Full path to the file, including the file name. It should include the drive letter, when appropriate. | keyword | -| file.path.text | Multi-field of `file.path`. | match_only_text | -| file.size | File size in bytes. Only relevant when `file.type` is "file". | long | -| file.type | File type (file, dir, or symlink). | keyword | -| geo.city_name | City name. | keyword | -| geo.country_name | Country name. | keyword | -| geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | -| geo.region_name | Region name. | keyword | -| group.id | Unique identifier for the group on the system/platform. | keyword | -| group.name | Name of the group. | keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host MAC addresses. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | -| host.name | Name of the host. 
It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| http.request.method | HTTP request method. The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field. | keyword | -| http.request.referrer | Referrer for this HTTP request. | keyword | -| input.type | Type of Filebeat input. | keyword | -| log.file.path | Full path to the log file this event came from. | keyword | -| log.flags | Flags for the log file. | keyword | -| log.level | Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). Some examples are `warn`, `err`, `i`, `informational`. | keyword | -| log.offset | Offset of the entry in the log file. | long | -| log.source.address | Source address from which the log event was read / sent from. 
| keyword | -| log.syslog.facility.code | The Syslog numeric facility of the log event, if available. According to RFCs 5424 and 3164, this value should be an integer between 0 and 23. | long | -| log.syslog.priority | Syslog numeric priority of the event, if available. According to RFCs 5424 and 3164, the priority is 8 \* facility + severity. This number is therefore expected to contain a value between 0 and 191. | long | -| log.syslog.severity.code | The Syslog numeric severity of the log event, if available. If the event source publishing via Syslog provides a different numeric severity value (e.g. firewall, IDS), your source's numeric severity should go to `event.severity`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `event.severity`. | long | -| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | -| network.application | When a specific application or service is identified from network connection details (source/dest IPs, ports, certificates, or wire format), this field captures the application's or service's name. For example, the original event identifies the network connection being from a specific web service in a `https` network connection, like `facebook` or `twitter`. The field value must be normalized to lowercase for querying. | keyword | -| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long | -| network.direction | Direction of the network traffic. When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". 
When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword | -| network.forwarded_ip | Host IP address when the source IP address is the proxy. | ip | -| network.interface.name | | keyword | -| network.packets | Total packets transferred in both directions. If `source.packets` and `destination.packets` are known, `network.packets` is their sum. | long | -| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword | -| observer.egress.interface.name | Interface name as reported by the system. | keyword | -| observer.ingress.interface.name | Interface name as reported by the system. | keyword | -| observer.product | The product name of the observer. | keyword | -| observer.type | The type of the observer the data is coming from. There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. | keyword | -| observer.vendor | Vendor name of the observer. | keyword | -| observer.version | Observer version. | keyword | -| process.name | Process name. Sometimes called program name or similar. | keyword | -| process.name.text | Multi-field of `process.name`. | match_only_text | -| process.parent.name | Process name. Sometimes called program name or similar. | keyword | -| process.parent.name.text | Multi-field of `process.parent.name`. | match_only_text | -| process.parent.pid | Process id. 
| long | -| process.parent.title | Process title. The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. | keyword | -| process.parent.title.text | Multi-field of `process.parent.title`. | match_only_text | -| process.pid | Process id. | long | -| process.title | Process title. The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. | keyword | -| process.title.text | Multi-field of `process.title`. | match_only_text | -| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| related.user | All the user names or other user identifiers seen on the event. | keyword | -| rsa.counters.dclass_c1 | This is a generic counter key that should be used with the label dclass.c1.str only | long | -| rsa.counters.dclass_c1_str | This is a generic counter string key that should be used with the label dclass.c1 only | keyword | -| rsa.counters.dclass_c2 | This is a generic counter key that should be used with the label dclass.c2.str only | long | -| rsa.counters.dclass_c2_str | This is a generic counter string key that should be used with the label dclass.c2 only | keyword | -| rsa.counters.dclass_c3 | This is a generic counter key that should be used with the label dclass.c3.str only | long | -| rsa.counters.dclass_c3_str | This is a generic counter string key that should be used with the label dclass.c3 only | keyword | -| rsa.counters.dclass_r1 | This is a generic ratio key that should be used with the label dclass.r1.str only | keyword | -| rsa.counters.dclass_r1_str | This is a generic ratio string key that should be used with the label dclass.r1 only | keyword | -| rsa.counters.dclass_r2 | This is a generic ratio key 
that should be used with the label dclass.r2.str only | keyword | -| rsa.counters.dclass_r2_str | This is a generic ratio string key that should be used with the label dclass.r2 only | keyword | -| rsa.counters.dclass_r3 | This is a generic ratio key that should be used with the label dclass.r3.str only | keyword | -| rsa.counters.dclass_r3_str | This is a generic ratio string key that should be used with the label dclass.r3 only | keyword | -| rsa.counters.event_counter | This is used to capture the number of times an event repeated | long | -| rsa.crypto.cert_ca | This key is used to capture the Certificate signing authority only | keyword | -| rsa.crypto.cert_checksum | | keyword | -| rsa.crypto.cert_common | This key is used to capture the Certificate common name only | keyword | -| rsa.crypto.cert_error | This key captures the Certificate Error String | keyword | -| rsa.crypto.cert_host_cat | This key is used for the hostname category value of a certificate | keyword | -| rsa.crypto.cert_host_name | Deprecated key defined only in table map. 
| keyword | -| rsa.crypto.cert_issuer | | keyword | -| rsa.crypto.cert_keysize | | keyword | -| rsa.crypto.cert_serial | This key is used to capture the Certificate serial number only | keyword | -| rsa.crypto.cert_status | This key captures Certificate validation status | keyword | -| rsa.crypto.cert_subject | This key is used to capture the Certificate organization only | keyword | -| rsa.crypto.cert_username | | keyword | -| rsa.crypto.cipher_dst | This key is for Destination (Server) Cipher | keyword | -| rsa.crypto.cipher_size_dst | This key captures Destination (Server) Cipher Size | long | -| rsa.crypto.cipher_size_src | This key captures Source (Client) Cipher Size | long | -| rsa.crypto.cipher_src | This key is for Source (Client) Cipher | keyword | -| rsa.crypto.crypto | This key is used to capture the Encryption Type or Encryption Key only | keyword | -| rsa.crypto.d_certauth | | keyword | -| rsa.crypto.https_insact | | keyword | -| rsa.crypto.https_valid | | keyword | -| rsa.crypto.ike | IKE negotiation phase. 
| keyword | -| rsa.crypto.ike_cookie1 | ID of the negotiation — sent for ISAKMP Phase One | keyword | -| rsa.crypto.ike_cookie2 | ID of the negotiation — sent for ISAKMP Phase Two | keyword | -| rsa.crypto.peer | This key is for Encryption peer's IP Address | keyword | -| rsa.crypto.peer_id | This key is for Encryption peer’s identity | keyword | -| rsa.crypto.s_certauth | | keyword | -| rsa.crypto.scheme | This key captures the Encryption scheme used | keyword | -| rsa.crypto.sig_type | This key captures the Signature Type | keyword | -| rsa.crypto.ssl_ver_dst | Deprecated, use version | keyword | -| rsa.crypto.ssl_ver_src | Deprecated, use version | keyword | -| rsa.db.database | This key is used to capture the name of a database or an instance as seen in a session | keyword | -| rsa.db.db_id | This key is used to capture the unique identifier for a database | keyword | -| rsa.db.db_pid | This key captures the process id of a connection with database server | long | -| rsa.db.index | This key captures IndexID of the index. | keyword | -| rsa.db.instance | This key is used to capture the database server instance name | keyword | -| rsa.db.lread | This key is used for the number of logical reads | long | -| rsa.db.lwrite | This key is used for the number of logical writes | long | -| rsa.db.permissions | This key captures permission or privilege level assigned to a resource. 
| keyword | -| rsa.db.pread | This key is used for the number of physical writes | long | -| rsa.db.table_name | This key is used to capture the table name | keyword | -| rsa.db.transact_id | This key captures the SQL transantion ID of the current session | keyword | -| rsa.email.email | This key is used to capture a generic email address where the source or destination context is not clear | keyword | -| rsa.email.email_dst | This key is used to capture the Destination email address only, when the destination context is not clear use email | keyword | -| rsa.email.email_src | This key is used to capture the source email address only, when the source context is not clear use email | keyword | -| rsa.email.subject | This key is used to capture the subject string from an Email only. | keyword | -| rsa.email.trans_from | Deprecated key defined only in table map. | keyword | -| rsa.email.trans_to | Deprecated key defined only in table map. | keyword | -| rsa.endpoint.host_state | This key is used to capture the current state of the machine, such as \blacklisted\, \infected\, \firewall disabled\ and so on | keyword | -| rsa.endpoint.registry_key | This key captures the path to the registry key | keyword | -| rsa.endpoint.registry_value | This key captures values or decorators used within a registry entry | keyword | -| rsa.file.attachment | This key captures the attachment file name | keyword | -| rsa.file.binary | Deprecated key defined only in table map. 
| keyword | -| rsa.file.directory_dst | \This key is used to capture the directory of the target process or file\ | keyword | -| rsa.file.directory_src | This key is used to capture the directory of the source process or file | keyword | -| rsa.file.file_entropy | This is used to capture entropy vale of a file | double | -| rsa.file.file_vendor | This is used to capture Company name of file located in version_info | keyword | -| rsa.file.filename_dst | This is used to capture name of the file targeted by the action | keyword | -| rsa.file.filename_src | This is used to capture name of the parent filename, the file which performed the action | keyword | -| rsa.file.filename_tmp | | keyword | -| rsa.file.filesystem | | keyword | -| rsa.file.privilege | Deprecated, use permissions | keyword | -| rsa.file.task_name | This is used to capture name of the task | keyword | -| rsa.healthcare.patient_fname | This key is for First Names only, this is used for Healthcare predominantly to capture Patients information | keyword | -| rsa.healthcare.patient_id | This key captures the unique ID for a patient | keyword | -| rsa.healthcare.patient_lname | This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information | keyword | -| rsa.healthcare.patient_mname | This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information | keyword | -| rsa.identity.accesses | This key is used to capture actual privileges used in accessing an object | keyword | -| rsa.identity.auth_method | This key is used to capture authentication methods used only | keyword | -| rsa.identity.dn | X.500 (LDAP) Distinguished Name | keyword | -| rsa.identity.dn_dst | An X.500 (LDAP) Distinguished name that used in a context that indicates a Destination dn | keyword | -| rsa.identity.dn_src | An X.500 (LDAP) Distinguished name that is used in a context that indicates a Source dn | keyword | -| rsa.identity.federated_idp | This 
key is the federated Identity Provider. This is the server providing the authentication. | keyword | -| rsa.identity.federated_sp | This key is the Federated Service Provider. This is the application requesting authentication. | keyword | -| rsa.identity.firstname | This key is for First Names only, this is used for Healthcare predominantly to capture Patients information | keyword | -| rsa.identity.host_role | This key should only be used to capture the role of a Host Machine | keyword | -| rsa.identity.lastname | This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information | keyword | -| rsa.identity.ldap | This key is for Uninterpreted LDAP values. Ldap Values that don’t have a clear query or response context | keyword | -| rsa.identity.ldap_query | This key is the Search criteria from an LDAP search | keyword | -| rsa.identity.ldap_response | This key is to capture Results from an LDAP search | keyword | -| rsa.identity.logon_type | This key is used to capture the type of logon method used. | keyword | -| rsa.identity.logon_type_desc | This key is used to capture the textual description of an integer logon type as stored in the meta key 'logon.type'. 
| keyword | -| rsa.identity.middlename | This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information | keyword | -| rsa.identity.org | This key captures the User organization | keyword | -| rsa.identity.owner | This is used to capture username the process or service is running as, the author of the task | keyword | -| rsa.identity.password | This key is for Passwords seen in any session, plain text or encrypted | keyword | -| rsa.identity.profile | This key is used to capture the user profile | keyword | -| rsa.identity.realm | Radius realm or similar grouping of accounts | keyword | -| rsa.identity.service_account | This key is a windows specific key, used for capturing name of the account a service (referenced in the event) is running under. Legacy Usage | keyword | -| rsa.identity.user_dept | User's Department Names only | keyword | -| rsa.identity.user_role | This key is used to capture the Role of a user only | keyword | -| rsa.identity.user_sid_dst | This key captures Destination User Session ID | keyword | -| rsa.identity.user_sid_src | This key captures Source User Session ID | keyword | -| rsa.internal.audit_class | Deprecated key defined only in table map. | keyword | -| rsa.internal.cid | This is the unique identifier used to identify a NetWitness Concentrator. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | -| rsa.internal.data | Deprecated key defined only in table map. | keyword | -| rsa.internal.dead | Deprecated key defined only in table map. | long | -| rsa.internal.device_class | This is the Classification of the Log Event Source under a predefined fixed set of Event Source Classifications. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | -| rsa.internal.device_group | This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | -| rsa.internal.device_host | This is the Hostname of the log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | -| rsa.internal.device_ip | This is the IPv4 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | ip | -| rsa.internal.device_ipv6 | This is the IPv6 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | ip | -| rsa.internal.device_type | This is the name of the log parser which parsed a given session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | -| rsa.internal.device_type_id | Deprecated key defined only in table map. | long | -| rsa.internal.did | This is the unique identifier used to identify a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | -| rsa.internal.entropy_req | This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration | long | -| rsa.internal.entropy_res | This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration | long | -| rsa.internal.entry | Deprecated key defined only in table map. 
| keyword | -| rsa.internal.event_desc | | keyword | -| rsa.internal.event_name | Deprecated key defined only in table map. | keyword | -| rsa.internal.feed_category | This is used to capture the category of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | -| rsa.internal.feed_desc | This is used to capture the description of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | -| rsa.internal.feed_name | This is used to capture the name of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | -| rsa.internal.forward_ip | This key should be used to capture the IPV4 address of a relay system which forwarded the events from the original system to NetWitness. | ip | -| rsa.internal.forward_ipv6 | This key is used to capture the IPV6 address of a relay system which forwarded the events from the original system to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | ip | -| rsa.internal.hcode | Deprecated key defined only in table map. | keyword | -| rsa.internal.header_id | This is the Header ID value that identifies the exact log parser header definition that parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | -| rsa.internal.inode | Deprecated key defined only in table map. | long | -| rsa.internal.lc_cid | This is a unique Identifier of a Log Collector. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | -| rsa.internal.lc_ctime | This is the time at which a log is collected in a NetWitness Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | date | -| rsa.internal.level | Deprecated key defined only in table map. | long | -| rsa.internal.mcb_req | This key is only used by the Entropy Parser, the most common byte request is simply which byte for each side (0 thru 255) was seen the most | long | -| rsa.internal.mcb_res | This key is only used by the Entropy Parser, the most common byte response is simply which byte for each side (0 thru 255) was seen the most | long | -| rsa.internal.mcbc_req | This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams | long | -| rsa.internal.mcbc_res | This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams | long | -| rsa.internal.medium | This key is used to identify if it’s a log/packet session or Layer 2 Encapsulation Type. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. 32 = log, 33 = correlation session, < 32 is packet session | long | -| rsa.internal.message | This key captures the contents of instant messages | keyword | -| rsa.internal.messageid | | keyword | -| rsa.internal.msg | This key is used to capture the raw message that comes into the Log Decoder | keyword | -| rsa.internal.msg_id | This is the Message ID1 value that identifies the exact log parser definition which parses a particular log session. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | -| rsa.internal.msg_vid | This is the Message ID2 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | -| rsa.internal.node_name | Deprecated key defined only in table map. | keyword | -| rsa.internal.nwe_callback_id | This key denotes that event is endpoint related | keyword | -| rsa.internal.obj_id | Deprecated key defined only in table map. | keyword | -| rsa.internal.obj_server | Deprecated key defined only in table map. | keyword | -| rsa.internal.obj_val | Deprecated key defined only in table map. | keyword | -| rsa.internal.parse_error | This is a special key that stores any Meta key validation error found while parsing a log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | -| rsa.internal.payload_req | This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep | long | -| rsa.internal.payload_res | This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep | long | -| rsa.internal.process_vid_dst | Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the target process. | keyword | -| rsa.internal.process_vid_src | Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the source process. | keyword | -| rsa.internal.resource | Deprecated key defined only in table map. 
| keyword | -| rsa.internal.resource_class | Deprecated key defined only in table map. | keyword | -| rsa.internal.rid | This is a special ID of the Remote Session created by NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | long | -| rsa.internal.session_split | This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | -| rsa.internal.site | Deprecated key defined only in table map. | keyword | -| rsa.internal.size | This is the size of the session as seen by the NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | long | -| rsa.internal.sourcefile | This is the name of the log file or PCAPs that can be imported into NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | -| rsa.internal.statement | Deprecated key defined only in table map. | keyword | -| rsa.internal.time | This is the time at which a session hits a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. | date | -| rsa.internal.ubc_req | This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once | long | -| rsa.internal.ubc_res | This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 
256 would mean all byte values of 0 thru 255 were seen at least once | long | -| rsa.internal.word | This is used by the Word Parsing technology to capture the first 5 character of every word in an unparsed log | keyword | -| rsa.investigations.analysis_file | This is used to capture all indicators used in a File Analysis. This key should be used to capture an analysis of a file | keyword | -| rsa.investigations.analysis_service | This is used to capture all indicators used in a Service Analysis. This key should be used to capture an analysis of a service | keyword | -| rsa.investigations.analysis_session | This is used to capture all indicators used for a Session Analysis. This key should be used to capture an analysis of a session | keyword | -| rsa.investigations.boc | This is used to capture behaviour of compromise | keyword | -| rsa.investigations.ec_activity | This key captures the particular event activity(Ex:Logoff) | keyword | -| rsa.investigations.ec_outcome | This key captures the outcome of a particular Event(Ex:Success) | keyword | -| rsa.investigations.ec_subject | This key captures the Subject of a particular Event(Ex:User) | keyword | -| rsa.investigations.ec_theme | This key captures the Theme of a particular Event(Ex:Authentication) | keyword | -| rsa.investigations.eoc | This is used to capture Enablers of Compromise | keyword | -| rsa.investigations.event_cat | This key captures the Event category number | long | -| rsa.investigations.event_cat_name | This key captures the event category name corresponding to the event cat code | keyword | -| rsa.investigations.event_vcat | This is a vendor supplied category. This should be used in situations where the vendor has adopted their own event_category taxonomy. 
| keyword | -| rsa.investigations.inv_category | This used to capture investigation category | keyword | -| rsa.investigations.inv_context | This used to capture investigation context | keyword | -| rsa.investigations.ioc | This is key capture indicator of compromise | keyword | -| rsa.misc.OS | This key captures the Name of the Operating System | keyword | -| rsa.misc.acl_id | | keyword | -| rsa.misc.acl_op | | keyword | -| rsa.misc.acl_pos | | keyword | -| rsa.misc.acl_table | | keyword | -| rsa.misc.action | | keyword | -| rsa.misc.admin | | keyword | -| rsa.misc.agent_id | This key is used to capture agent id | keyword | -| rsa.misc.alarm_id | | keyword | -| rsa.misc.alarmname | | keyword | -| rsa.misc.alert_id | Deprecated, New Hunting Model (inv.\*, ioc, boc, eoc, analysis.\*) | keyword | -| rsa.misc.app_id | | keyword | -| rsa.misc.audit | | keyword | -| rsa.misc.audit_object | | keyword | -| rsa.misc.auditdata | | keyword | -| rsa.misc.autorun_type | This is used to capture Auto Run type | keyword | -| rsa.misc.benchmark | | keyword | -| rsa.misc.bypass | | keyword | -| rsa.misc.cache | | keyword | -| rsa.misc.cache_hit | | keyword | -| rsa.misc.category | This key is used to capture the category of an event given by the vendor in the session | keyword | -| rsa.misc.cc_number | Valid Credit Card Numbers only | long | -| rsa.misc.cefversion | | keyword | -| rsa.misc.cfg_attr | | keyword | -| rsa.misc.cfg_obj | | keyword | -| rsa.misc.cfg_path | | keyword | -| rsa.misc.change_attrib | This key is used to capture the name of the attribute that’s changing in a session | keyword | -| rsa.misc.change_new | This key is used to capture the new values of the attribute that’s changing in a session | keyword | -| rsa.misc.change_old | This key is used to capture the old value of the attribute that’s changing in a session | keyword | -| rsa.misc.changes | | keyword | -| rsa.misc.checksum | This key is used to capture the checksum or hash of the entity such as a file or 
process. Checksum should be used over checksum.src or checksum.dst when it is unclear whether the entity is a source or target of an action. | keyword | -| rsa.misc.checksum_dst | This key is used to capture the checksum or hash of the the target entity such as a process or file. | keyword | -| rsa.misc.checksum_src | This key is used to capture the checksum or hash of the source entity such as a file or process. | keyword | -| rsa.misc.client | This key is used to capture only the name of the client application requesting resources of the server. See the user.agent meta key for capture of the specific user agent identifier or browser identification string. | keyword | -| rsa.misc.client_ip | | keyword | -| rsa.misc.clustermembers | | keyword | -| rsa.misc.cmd | | keyword | -| rsa.misc.cn_acttimeout | | keyword | -| rsa.misc.cn_asn_src | | keyword | -| rsa.misc.cn_bgpv4nxthop | | keyword | -| rsa.misc.cn_ctr_dst_code | | keyword | -| rsa.misc.cn_dst_tos | | keyword | -| rsa.misc.cn_dst_vlan | | keyword | -| rsa.misc.cn_engine_id | | keyword | -| rsa.misc.cn_engine_type | | keyword | -| rsa.misc.cn_f_switch | | keyword | -| rsa.misc.cn_flowsampid | | keyword | -| rsa.misc.cn_flowsampintv | | keyword | -| rsa.misc.cn_flowsampmode | | keyword | -| rsa.misc.cn_inacttimeout | | keyword | -| rsa.misc.cn_inpermbyts | | keyword | -| rsa.misc.cn_inpermpckts | | keyword | -| rsa.misc.cn_invalid | | keyword | -| rsa.misc.cn_ip_proto_ver | | keyword | -| rsa.misc.cn_ipv4_ident | | keyword | -| rsa.misc.cn_l_switch | | keyword | -| rsa.misc.cn_log_did | | keyword | -| rsa.misc.cn_log_rid | | keyword | -| rsa.misc.cn_max_ttl | | keyword | -| rsa.misc.cn_maxpcktlen | | keyword | -| rsa.misc.cn_min_ttl | | keyword | -| rsa.misc.cn_minpcktlen | | keyword | -| rsa.misc.cn_mpls_lbl_1 | | keyword | -| rsa.misc.cn_mpls_lbl_10 | | keyword | -| rsa.misc.cn_mpls_lbl_2 | | keyword | -| rsa.misc.cn_mpls_lbl_3 | | keyword | -| rsa.misc.cn_mpls_lbl_4 | | keyword | -| rsa.misc.cn_mpls_lbl_5 | 
| keyword | -| rsa.misc.cn_mpls_lbl_6 | | keyword | -| rsa.misc.cn_mpls_lbl_7 | | keyword | -| rsa.misc.cn_mpls_lbl_8 | | keyword | -| rsa.misc.cn_mpls_lbl_9 | | keyword | -| rsa.misc.cn_mplstoplabel | | keyword | -| rsa.misc.cn_mplstoplabip | | keyword | -| rsa.misc.cn_mul_dst_byt | | keyword | -| rsa.misc.cn_mul_dst_pks | | keyword | -| rsa.misc.cn_muligmptype | | keyword | -| rsa.misc.cn_sampalgo | | keyword | -| rsa.misc.cn_sampint | | keyword | -| rsa.misc.cn_seqctr | | keyword | -| rsa.misc.cn_spackets | | keyword | -| rsa.misc.cn_src_tos | | keyword | -| rsa.misc.cn_src_vlan | | keyword | -| rsa.misc.cn_sysuptime | | keyword | -| rsa.misc.cn_template_id | | keyword | -| rsa.misc.cn_totbytsexp | | keyword | -| rsa.misc.cn_totflowexp | | keyword | -| rsa.misc.cn_totpcktsexp | | keyword | -| rsa.misc.cn_unixnanosecs | | keyword | -| rsa.misc.cn_v6flowlabel | | keyword | -| rsa.misc.cn_v6optheaders | | keyword | -| rsa.misc.code | | keyword | -| rsa.misc.command | | keyword | -| rsa.misc.comments | Comment information provided in the log message | keyword | -| rsa.misc.comp_class | | keyword | -| rsa.misc.comp_name | | keyword | -| rsa.misc.comp_rbytes | | keyword | -| rsa.misc.comp_sbytes | | keyword | -| rsa.misc.comp_version | This key captures the Version level of a sub-component of a product. | keyword | -| rsa.misc.connection_id | This key captures the Connection ID | keyword | -| rsa.misc.content | This key captures the content type from protocol headers | keyword | -| rsa.misc.content_type | This key is used to capture Content Type only. | keyword | -| rsa.misc.content_version | This key captures Version level of a signature or database content. | keyword | -| rsa.misc.context | This key captures Information which adds additional context to the event. 
| keyword | -| rsa.misc.context_subject | This key is to be used in an audit context where the subject is the object being identified | keyword | -| rsa.misc.context_target | | keyword | -| rsa.misc.count | | keyword | -| rsa.misc.cpu | This key is the CPU time used in the execution of the event being recorded. | long | -| rsa.misc.cpu_data | | keyword | -| rsa.misc.criticality | | keyword | -| rsa.misc.cs_agency_dst | | keyword | -| rsa.misc.cs_analyzedby | | keyword | -| rsa.misc.cs_av_other | | keyword | -| rsa.misc.cs_av_primary | | keyword | -| rsa.misc.cs_av_secondary | | keyword | -| rsa.misc.cs_bgpv6nxthop | | keyword | -| rsa.misc.cs_bit9status | | keyword | -| rsa.misc.cs_context | | keyword | -| rsa.misc.cs_control | | keyword | -| rsa.misc.cs_data | | keyword | -| rsa.misc.cs_datecret | | keyword | -| rsa.misc.cs_dst_tld | | keyword | -| rsa.misc.cs_eth_dst_ven | | keyword | -| rsa.misc.cs_eth_src_ven | | keyword | -| rsa.misc.cs_event_uuid | | keyword | -| rsa.misc.cs_filetype | | keyword | -| rsa.misc.cs_fld | | keyword | -| rsa.misc.cs_if_desc | | keyword | -| rsa.misc.cs_if_name | | keyword | -| rsa.misc.cs_ip_next_hop | | keyword | -| rsa.misc.cs_ipv4dstpre | | keyword | -| rsa.misc.cs_ipv4srcpre | | keyword | -| rsa.misc.cs_lifetime | | keyword | -| rsa.misc.cs_log_medium | | keyword | -| rsa.misc.cs_loginname | | keyword | -| rsa.misc.cs_modulescore | | keyword | -| rsa.misc.cs_modulesign | | keyword | -| rsa.misc.cs_opswatresult | | keyword | -| rsa.misc.cs_payload | | keyword | -| rsa.misc.cs_registrant | | keyword | -| rsa.misc.cs_registrar | | keyword | -| rsa.misc.cs_represult | | keyword | -| rsa.misc.cs_rpayload | | keyword | -| rsa.misc.cs_sampler_name | | keyword | -| rsa.misc.cs_sourcemodule | | keyword | -| rsa.misc.cs_streams | | keyword | -| rsa.misc.cs_targetmodule | | keyword | -| rsa.misc.cs_v6nxthop | | keyword | -| rsa.misc.cs_whois_server | | keyword | -| rsa.misc.cs_yararesult | | keyword | -| rsa.misc.cve | This key captures 
CVE (Common Vulnerabilities and Exposures) - an identifier for known information security vulnerabilities. | keyword | -| rsa.misc.data_type | | keyword | -| rsa.misc.description | | keyword | -| rsa.misc.device_name | This is used to capture name of the Device associated with the node Like: a physical disk, printer, etc | keyword | -| rsa.misc.devvendor | | keyword | -| rsa.misc.disposition | This key captures the The end state of an action. | keyword | -| rsa.misc.distance | | keyword | -| rsa.misc.doc_number | This key captures File Identification number | long | -| rsa.misc.dstburb | | keyword | -| rsa.misc.edomain | | keyword | -| rsa.misc.edomaub | | keyword | -| rsa.misc.ein_number | Employee Identification Numbers only | long | -| rsa.misc.error | This key captures All non successful Error codes or responses | keyword | -| rsa.misc.euid | | keyword | -| rsa.misc.event_category | | keyword | -| rsa.misc.event_computer | This key is a windows only concept, where this key is used to capture fully qualified domain name in a windows log. | keyword | -| rsa.misc.event_desc | This key is used to capture a description of an event available directly or inferred | keyword | -| rsa.misc.event_id | | keyword | -| rsa.misc.event_log | This key captures the Name of the event log | keyword | -| rsa.misc.event_source | This key captures Source of the event that’s not a hostname | keyword | -| rsa.misc.event_state | This key captures the current state of the object/item referenced within the event. Describing an on-going event. | keyword | -| rsa.misc.event_type | This key captures the event category type as specified by the event source. | keyword | -| rsa.misc.event_user | This key is a windows only concept, where this key is used to capture combination of domain name and username in a windows log. | keyword | -| rsa.misc.expected_val | This key captures the Value expected (from the perspective of the device generating the log). 
| keyword | -| rsa.misc.facility | | keyword | -| rsa.misc.facilityname | | keyword | -| rsa.misc.fcatnum | This key captures Filter Category Number. Legacy Usage | keyword | -| rsa.misc.filter | This key captures Filter used to reduce result set | keyword | -| rsa.misc.finterface | | keyword | -| rsa.misc.flags | | keyword | -| rsa.misc.forensic_info | | keyword | -| rsa.misc.found | This is used to capture the results of regex match | keyword | -| rsa.misc.fresult | This key captures the Filter Result | long | -| rsa.misc.gaddr | | keyword | -| rsa.misc.group | This key captures the Group Name value | keyword | -| rsa.misc.group_id | This key captures Group ID Number (related to the group name) | keyword | -| rsa.misc.group_object | This key captures a collection/grouping of entities. Specific usage | keyword | -| rsa.misc.hardware_id | This key is used to capture unique identifier for a device or system (NOT a Mac address) | keyword | -| rsa.misc.id3 | | keyword | -| rsa.misc.im_buddyid | | keyword | -| rsa.misc.im_buddyname | | keyword | -| rsa.misc.im_client | | keyword | -| rsa.misc.im_croomid | | keyword | -| rsa.misc.im_croomtype | | keyword | -| rsa.misc.im_members | | keyword | -| rsa.misc.im_userid | | keyword | -| rsa.misc.im_username | | keyword | -| rsa.misc.index | | keyword | -| rsa.misc.inout | | keyword | -| rsa.misc.ipkt | | keyword | -| rsa.misc.ipscat | | keyword | -| rsa.misc.ipspri | | keyword | -| rsa.misc.job_num | This key captures the Job Number | keyword | -| rsa.misc.jobname | | keyword | -| rsa.misc.language | This is used to capture list of languages the client support and what it prefers | keyword | -| rsa.misc.latitude | | keyword | -| rsa.misc.library | This key is used to capture library information in mainframe devices | keyword | -| rsa.misc.lifetime | This key is used to capture the session lifetime in seconds. | long | -| rsa.misc.linenum | | keyword | -| rsa.misc.link | This key is used to link the sessions together. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | -| rsa.misc.list_name | | keyword | -| rsa.misc.listnum | This key is used to capture listname or listnumber, primarily for collecting access-list | keyword | -| rsa.misc.load_data | | keyword | -| rsa.misc.location_floor | | keyword | -| rsa.misc.location_mark | | keyword | -| rsa.misc.log_id | | keyword | -| rsa.misc.log_session_id | This key is used to capture a sessionid from the session directly | keyword | -| rsa.misc.log_session_id1 | This key is used to capture a Linked (Related) Session ID from the session directly | keyword | -| rsa.misc.log_type | | keyword | -| rsa.misc.logid | | keyword | -| rsa.misc.logip | | keyword | -| rsa.misc.logname | | keyword | -| rsa.misc.longitude | | keyword | -| rsa.misc.lport | | keyword | -| rsa.misc.mail_id | This key is used to capture the mailbox id/name | keyword | -| rsa.misc.match | This key is for regex match name from search.ini | keyword | -| rsa.misc.mbug_data | | keyword | -| rsa.misc.message_body | This key captures the The contents of the message body. | keyword | -| rsa.misc.misc | | keyword | -| rsa.misc.misc_name | | keyword | -| rsa.misc.mode | | keyword | -| rsa.misc.msgIdPart1 | | keyword | -| rsa.misc.msgIdPart2 | | keyword | -| rsa.misc.msgIdPart3 | | keyword | -| rsa.misc.msgIdPart4 | | keyword | -| rsa.misc.msg_type | | keyword | -| rsa.misc.msgid | | keyword | -| rsa.misc.name | | keyword | -| rsa.misc.netsessid | | keyword | -| rsa.misc.node | Common use case is the node name within a cluster. The cluster name is reflected by the host name. 
| keyword | -| rsa.misc.ntype | | keyword | -| rsa.misc.num | | keyword | -| rsa.misc.number | | keyword | -| rsa.misc.number1 | | keyword | -| rsa.misc.number2 | | keyword | -| rsa.misc.nwwn | | keyword | -| rsa.misc.obj_name | This is used to capture name of object | keyword | -| rsa.misc.obj_type | This is used to capture type of object | keyword | -| rsa.misc.object | | keyword | -| rsa.misc.observed_val | This key captures the Value observed (from the perspective of the device generating the log). | keyword | -| rsa.misc.operation | | keyword | -| rsa.misc.operation_id | An alert number or operation number. The values should be unique and non-repeating. | keyword | -| rsa.misc.opkt | | keyword | -| rsa.misc.orig_from | | keyword | -| rsa.misc.owner_id | | keyword | -| rsa.misc.p_action | | keyword | -| rsa.misc.p_filter | | keyword | -| rsa.misc.p_group_object | | keyword | -| rsa.misc.p_id | | keyword | -| rsa.misc.p_msgid | | keyword | -| rsa.misc.p_msgid1 | | keyword | -| rsa.misc.p_msgid2 | | keyword | -| rsa.misc.p_result1 | | keyword | -| rsa.misc.param | This key is the parameters passed as part of a command or application, etc. | keyword | -| rsa.misc.param_dst | This key captures the command line/launch argument of the target process or file | keyword | -| rsa.misc.param_src | This key captures source parameter | keyword | -| rsa.misc.parent_node | This key captures the Parent Node Name. Must be related to node variable. 
| keyword | -| rsa.misc.password_chg | | keyword | -| rsa.misc.password_expire | | keyword | -| rsa.misc.payload_dst | This key is used to capture destination payload | keyword | -| rsa.misc.payload_src | This key is used to capture source payload | keyword | -| rsa.misc.permgranted | | keyword | -| rsa.misc.permwanted | | keyword | -| rsa.misc.pgid | | keyword | -| rsa.misc.phone | | keyword | -| rsa.misc.pid | | keyword | -| rsa.misc.policy | | keyword | -| rsa.misc.policyUUID | | keyword | -| rsa.misc.policy_id | This key is used to capture the Policy ID only, this should be a numeric value, use policy.name otherwise | keyword | -| rsa.misc.policy_name | This key is used to capture the Policy Name only. | keyword | -| rsa.misc.policy_value | This key captures the contents of the policy. This contains details about the policy | keyword | -| rsa.misc.policy_waiver | | keyword | -| rsa.misc.pool_id | This key captures the identifier (typically numeric field) of a resource pool | keyword | -| rsa.misc.pool_name | This key captures the name of a resource pool | keyword | -| rsa.misc.port_name | This key is used for Physical or logical port connection but does NOT include a network port. (Example: Printer port name). | keyword | -| rsa.misc.priority | | keyword | -| rsa.misc.process_id_val | This key is a failure key for Process ID when it is not an integer value | keyword | -| rsa.misc.prog_asp_num | | keyword | -| rsa.misc.program | | keyword | -| rsa.misc.real_data | | keyword | -| rsa.misc.reason | | keyword | -| rsa.misc.rec_asp_device | | keyword | -| rsa.misc.rec_asp_num | | keyword | -| rsa.misc.rec_library | | keyword | -| rsa.misc.recordnum | | keyword | -| rsa.misc.reference_id | This key is used to capture an event id from the session directly | keyword | -| rsa.misc.reference_id1 | This key is for Linked ID to be used as an addition to "reference.id" | keyword | -| rsa.misc.reference_id2 | This key is for the 2nd Linked ID. 
Can be either linked to "reference.id" or "reference.id1" value but should not be used unless the other two variables are in play. | keyword | -| rsa.misc.result | This key is used to capture the outcome/result string value of an action in a session. | keyword | -| rsa.misc.result_code | This key is used to capture the outcome/result numeric value of an action in a session | keyword | -| rsa.misc.risk | This key captures the non-numeric risk value | keyword | -| rsa.misc.risk_info | Deprecated, use New Hunting Model (inv.\*, ioc, boc, eoc, analysis.\*) | keyword | -| rsa.misc.risk_num | This key captures a Numeric Risk value | double | -| rsa.misc.risk_num_comm | This key captures Risk Number Community | double | -| rsa.misc.risk_num_next | This key captures Risk Number NextGen | double | -| rsa.misc.risk_num_sand | This key captures Risk Number SandBox | double | -| rsa.misc.risk_num_static | This key captures Risk Number Static | double | -| rsa.misc.risk_suspicious | Deprecated, use New Hunting Model (inv.\*, ioc, boc, eoc, analysis.\*) | keyword | -| rsa.misc.risk_warning | Deprecated, use New Hunting Model (inv.\*, ioc, boc, eoc, analysis.\*) | keyword | -| rsa.misc.ruid | | keyword | -| rsa.misc.rule | This key captures the Rule number | keyword | -| rsa.misc.rule_group | This key captures the Rule group name | keyword | -| rsa.misc.rule_name | This key captures the Rule Name | keyword | -| rsa.misc.rule_template | A default set of parameters which are overlayed onto a rule (or rulename) which efffectively constitutes a template | keyword | -| rsa.misc.rule_uid | This key is the Unique Identifier for a rule. | keyword | -| rsa.misc.sburb | | keyword | -| rsa.misc.sdomain_fld | | keyword | -| rsa.misc.search_text | This key captures the Search Text used | keyword | -| rsa.misc.sec | | keyword | -| rsa.misc.second | | keyword | -| rsa.misc.sensor | This key captures Name of the sensor. 
Typically used in IDS/IPS based devices | keyword |
-| rsa.misc.sensorname | | keyword |
-| rsa.misc.seqnum | | keyword |
-| rsa.misc.serial_number | This key is the Serial number associated with a physical asset. | keyword |
-| rsa.misc.session | | keyword |
-| rsa.misc.sessiontype | | keyword |
-| rsa.misc.severity | This key is used to capture the severity given the session | keyword |
-| rsa.misc.sigUUID | | keyword |
-| rsa.misc.sig_id | This key captures IDS/IPS Int Signature ID | long |
-| rsa.misc.sig_id1 | This key captures IDS/IPS Int Signature ID. This must be linked to the sig.id | long |
-| rsa.misc.sig_id_str | This key captures a string object of the sigid variable. | keyword |
-| rsa.misc.sig_name | This key is used to capture the Signature Name only. | keyword |
-| rsa.misc.sigcat | | keyword |
-| rsa.misc.snmp_oid | SNMP Object Identifier | keyword |
-| rsa.misc.snmp_value | SNMP set request value | keyword |
-| rsa.misc.space | | keyword |
-| rsa.misc.space1 | | keyword |
-| rsa.misc.spi | | keyword |
-| rsa.misc.spi_dst | Destination SPI Index | keyword |
-| rsa.misc.spi_src | Source SPI Index | keyword |
-| rsa.misc.sql | This key captures the SQL query | keyword |
-| rsa.misc.srcburb | | keyword |
-| rsa.misc.srcdom | | keyword |
-| rsa.misc.srcservice | | keyword |
-| rsa.misc.state | | keyword |
-| rsa.misc.status | | keyword |
-| rsa.misc.status1 | | keyword |
-| rsa.misc.streams | This key captures number of streams in session | long |
-| rsa.misc.subcategory | | keyword |
-| rsa.misc.svcno | | keyword |
-| rsa.misc.system | | keyword |
-| rsa.misc.tbdstr1 | | keyword |
-| rsa.misc.tbdstr2 | | keyword |
-| rsa.misc.tcp_flags | This key is captures the TCP flags set in any packet of session | long |
-| rsa.misc.terminal | This key captures the Terminal Names only | keyword |
-| rsa.misc.tgtdom | | keyword |
-| rsa.misc.tgtdomain | | keyword |
-| rsa.misc.threshold | | keyword |
-| rsa.misc.tos | This key describes the type of service | long |
-| rsa.misc.trigger_desc | This key captures the Description of the trigger or threshold condition. | keyword |
-| rsa.misc.trigger_val | This key captures the Value of the trigger or threshold condition. | keyword |
-| rsa.misc.type | | keyword |
-| rsa.misc.type1 | | keyword |
-| rsa.misc.udb_class | | keyword |
-| rsa.misc.url_fld | | keyword |
-| rsa.misc.user_div | | keyword |
-| rsa.misc.userid | | keyword |
-| rsa.misc.username_fld | | keyword |
-| rsa.misc.utcstamp | | keyword |
-| rsa.misc.v_instafname | | keyword |
-| rsa.misc.version | This key captures Version of the application or OS which is generating the event. | keyword |
-| rsa.misc.virt_data | | keyword |
-| rsa.misc.virusname | This key captures the name of the virus | keyword |
-| rsa.misc.vm_target | VMWare Target \*\*VMWARE\*\* only varaible. | keyword |
-| rsa.misc.vpnid | | keyword |
-| rsa.misc.vsys | This key captures Virtual System Name | keyword |
-| rsa.misc.vuln_ref | This key captures the Vulnerability Reference details | keyword |
-| rsa.misc.workspace | This key captures Workspace Description | keyword |
-| rsa.network.ad_computer_dst | Deprecated, use host.dst | keyword |
-| rsa.network.addr | | keyword |
-| rsa.network.alias_host | This key should be used when the source or destination context of a hostname is not clear.Also it captures the Device Hostname. Any Hostname that isnt ad.computer. | keyword |
-| rsa.network.dinterface | This key should only be used when it’s a Destination Interface | keyword |
-| rsa.network.dmask | This key is used for Destionation Device network mask | keyword |
-| rsa.network.dns_a_record | | keyword |
-| rsa.network.dns_cname_record | | keyword |
-| rsa.network.dns_id | | keyword |
-| rsa.network.dns_opcode | | keyword |
-| rsa.network.dns_ptr_record | | keyword |
-| rsa.network.dns_resp | | keyword |
-| rsa.network.dns_type | | keyword |
-| rsa.network.domain | | keyword |
-| rsa.network.domain1 | | keyword |
-| rsa.network.eth_host | Deprecated, use alias.mac | keyword |
-| rsa.network.eth_type | This key is used to capture Ethernet Type, Used for Layer 3 Protocols Only | long |
-| rsa.network.faddr | | keyword |
-| rsa.network.fhost | | keyword |
-| rsa.network.fport | | keyword |
-| rsa.network.gateway | This key is used to capture the IP Address of the gateway | keyword |
-| rsa.network.host_dst | This key should only be used when it’s a Destination Hostname | keyword |
-| rsa.network.host_orig | This is used to capture the original hostname in case of a Forwarding Agent or a Proxy in between. | keyword |
-| rsa.network.host_type | | keyword |
-| rsa.network.icmp_code | This key is used to capture the ICMP code only | long |
-| rsa.network.icmp_type | This key is used to capture the ICMP type only | long |
-| rsa.network.interface | This key should be used when the source or destination context of an interface is not clear | keyword |
-| rsa.network.ip_proto | This key should be used to capture the Protocol number, all the protocol nubers are converted into string in UI | long |
-| rsa.network.laddr | | keyword |
-| rsa.network.lhost | | keyword |
-| rsa.network.linterface | | keyword |
-| rsa.network.mask | This key is used to capture the device network IPmask. | keyword |
-| rsa.network.netname | This key is used to capture the network name associated with an IP range. This is configured by the end user. | keyword |
-| rsa.network.network_port | Deprecated, use port. NOTE: There is a type discrepancy as currently used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!) | long |
-| rsa.network.network_service | This is used to capture layer 7 protocols/service names | keyword |
-| rsa.network.origin | | keyword |
-| rsa.network.packet_length | | keyword |
-| rsa.network.paddr | Deprecated | ip |
-| rsa.network.phost | | keyword |
-| rsa.network.port | This key should only be used to capture a Network Port when the directionality is not clear | long |
-| rsa.network.protocol_detail | This key should be used to capture additional protocol information | keyword |
-| rsa.network.remote_domain_id | | keyword |
-| rsa.network.rpayload | This key is used to capture the total number of payload bytes seen in the retransmitted packets. | keyword |
-| rsa.network.sinterface | This key should only be used when it’s a Source Interface | keyword |
-| rsa.network.smask | This key is used for capturing source Network Mask | keyword |
-| rsa.network.vlan | This key should only be used to capture the ID of the Virtual LAN | long |
-| rsa.network.vlan_name | This key should only be used to capture the name of the Virtual LAN | keyword |
-| rsa.network.zone | This key should be used when the source or destination context of a Zone is not clear | keyword |
-| rsa.network.zone_dst | This key should only be used when it’s a Destination Zone. | keyword |
-| rsa.network.zone_src | This key should only be used when it’s a Source Zone. | keyword |
-| rsa.physical.org_dst | This is used to capture the destination organization based on the GEOPIP Maxmind database. | keyword |
-| rsa.physical.org_src | This is used to capture the source organization based on the GEOPIP Maxmind database. | keyword |
-| rsa.storage.disk_volume | A unique name assigned to logical units (volumes) within a physical disk | keyword |
-| rsa.storage.lun | Logical Unit Number.This key is a very useful concept in Storage. | keyword |
-| rsa.storage.pwwn | This uniquely identifies a port on a HBA. | keyword |
-| rsa.threat.alert | This key is used to capture name of the alert | keyword |
-| rsa.threat.threat_category | This key captures Threat Name/Threat Category/Categorization of alert | keyword |
-| rsa.threat.threat_desc | This key is used to capture the threat description from the session directly or inferred | keyword |
-| rsa.threat.threat_source | This key is used to capture source of the threat | keyword |
-| rsa.time.date | | keyword |
-| rsa.time.datetime | | keyword |
-| rsa.time.day | | keyword |
-| rsa.time.duration_str | A text string version of the duration | keyword |
-| rsa.time.duration_time | This key is used to capture the normalized duration/lifetime in seconds. | double |
-| rsa.time.effective_time | This key is the effective time referenced by an individual event in a Standard Timestamp format | date |
-| rsa.time.endtime | This key is used to capture the End time mentioned in a session in a standard form | date |
-| rsa.time.event_queue_time | This key is the Time that the event was queued. | date |
-| rsa.time.event_time | This key is used to capture the time mentioned in a raw session that represents the actual time an event occured in a standard normalized form | date |
-| rsa.time.event_time_str | This key is used to capture the incomplete time mentioned in a session as a string | keyword |
-| rsa.time.eventtime | | keyword |
-| rsa.time.expire_time | This key is the timestamp that explicitly refers to an expiration. | date |
-| rsa.time.expire_time_str | This key is used to capture incomplete timestamp that explicitly refers to an expiration. | keyword |
-| rsa.time.gmtdate | | keyword |
-| rsa.time.gmttime | | keyword |
-| rsa.time.hour | | keyword |
-| rsa.time.min | | keyword |
-| rsa.time.month | | keyword |
-| rsa.time.p_date | | keyword |
-| rsa.time.p_month | | keyword |
-| rsa.time.p_time | | keyword |
-| rsa.time.p_time1 | | keyword |
-| rsa.time.p_time2 | | keyword |
-| rsa.time.p_year | | keyword |
-| rsa.time.process_time | Deprecated, use duration.time | keyword |
-| rsa.time.recorded_time | The event time as recorded by the system the event is collected from. The usage scenario is a multi-tier application where the management layer of the system records it's own timestamp at the time of collection from its child nodes. Must be in timestamp format. | date |
-| rsa.time.stamp | Deprecated key defined only in table map. | date |
-| rsa.time.starttime | This key is used to capture the Start time mentioned in a session in a standard form | date |
-| rsa.time.timestamp | | keyword |
-| rsa.time.timezone | This key is used to capture the timezone of the Event Time | keyword |
-| rsa.time.tzone | | keyword |
-| rsa.time.year | | keyword |
-| rsa.web.alias_host | | keyword |
-| rsa.web.cn_asn_dst | | keyword |
-| rsa.web.cn_rpackets | | keyword |
-| rsa.web.fqdn | Fully Qualified Domain Names | keyword |
-| rsa.web.p_url | | keyword |
-| rsa.web.p_user_agent | | keyword |
-| rsa.web.p_web_cookie | | keyword |
-| rsa.web.p_web_method | | keyword |
-| rsa.web.p_web_referer | | keyword |
-| rsa.web.remote_domain | | keyword |
-| rsa.web.reputation_num | Reputation Number of an entity. Typically used for Web Domains | double |
-| rsa.web.urlpage | | keyword |
-| rsa.web.urlroot | | keyword |
-| rsa.web.web_cookie | This key is used to capture the Web cookies specifically. | keyword |
-| rsa.web.web_extension_tmp | | keyword |
-| rsa.web.web_page | | keyword |
-| rsa.web.web_ref_domain | Web referer's domain | keyword |
-| rsa.web.web_ref_page | This key captures Web referer's page information | keyword |
-| rsa.web.web_ref_query | This key captures Web referer's query portion of the URL | keyword |
-| rsa.web.web_ref_root | Web referer's root URL path | keyword |
-| rsa.wireless.access_point | This key is used to capture the access point name. | keyword |
-| rsa.wireless.wlan_channel | This is used to capture the channel names | long |
-| rsa.wireless.wlan_name | This key captures either WLAN number/name | keyword |
-| rsa.wireless.wlan_ssid | This key is used to capture the ssid of a Wireless Session | keyword |
-| rule.name | The name of the rule or signature generating the event. | keyword |
-| server.domain | The domain name of the server system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword |
-| server.registered_domain | The highest registered server domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword |
-| server.subdomain | The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword |
-| server.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword |
-| service.name | Name of the service data is collected from. The name of the service is normally user given. This allows for distributed services that run on multiple hosts to correlate the related instances based on the name. In the case of Elasticsearch the `service.name` could contain the cluster name. For Beats the `service.name` is by default a copy of the `service.type` field if no name is specified. | keyword |
-| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
-| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long |
-| source.as.organization.name | Organization name. | keyword |
-| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text |
-| source.bytes | Bytes sent from the source to the destination. | long |
-| source.domain | The domain name of the source system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword |
-| source.geo.city_name | City name. | keyword |
-| source.geo.country_name | Country name. | keyword |
-| source.geo.location | Longitude and latitude. | geo_point |
-| source.ip | IP address of the source (IPv4 or IPv6). | ip |
-| source.mac | MAC address of the source. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword |
-| source.nat.ip | Translated ip of source based NAT sessions (e.g. internal client to internet) Typically connections traversing load balancers, firewalls, or routers. | ip |
-| source.nat.port | Translated port of source based NAT sessions. (e.g. internal client to internet) Typically used with load balancers, firewalls, or routers. | long |
-| source.port | Port of the source. | long |
-| source.registered_domain | The highest registered source domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword |
-| source.subdomain | The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword |
-| source.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword |
-| tags | List of keywords used to tag each event. | keyword |
-| url.domain | Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. | keyword |
-| url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | wildcard |
-| url.original.text | Multi-field of `url.original`. | match_only_text |
-| url.path | Path of the request, such as "/search". | wildcard |
-| url.query | The query field describes the query string of the request, such as "q=elasticsearch". The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. | keyword |
-| url.registered_domain | The highest registered url domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword |
-| url.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword |
-| user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword |
-| user.full_name | User's full name, if available. | keyword |
-| user.full_name.text | Multi-field of `user.full_name`. | match_only_text |
-| user.id | Unique identifier of the user. | keyword |
-| user.name | Short name or login of the user. | keyword |
-| user.name.text | Multi-field of `user.name`. | match_only_text |
-| user_agent.original | Unparsed user_agent string. | keyword |
-| user_agent.original.text | Multi-field of `user_agent.original`. | match_only_text |
diff --git a/packages/cisco_nexus/0.7.2/img/cisco.svg b/packages/cisco_nexus/0.7.2/img/cisco.svg
deleted file mode 100755
index 20ebebf197..0000000000
--- a/packages/cisco_nexus/0.7.2/img/cisco.svg
+++ /dev/null
@@ -1 +0,0 @@
-
\ No newline at end of file
diff --git a/packages/cisco_nexus/0.7.2/manifest.yml b/packages/cisco_nexus/0.7.2/manifest.yml
deleted file mode 100755
index bd7e06caa1..0000000000
--- a/packages/cisco_nexus/0.7.2/manifest.yml
+++ /dev/null
@@ -1,34 +0,0 @@
-format_version: 1.0.0
-name: cisco_nexus
-title: Cisco Nexus
-version: "0.7.2"
-license: basic
-description: Collect logs from Cisco Nexus with Elastic Agent.
-type: integration
-categories:
- - network
- - security
-release: experimental
-conditions:
- kibana.version: "^7.16.0 || ^8.0.0"
-icons:
- - src: /img/cisco.svg
- title: cisco
- size: 216x216
- type: image/svg+xml
-policy_templates:
- - name: cisco_nexus
- title: Cisco Nexus logs
- description: Collect logs from Cisco Nexus instances
- inputs:
- - type: udp
- title: Collect logs from Cisco Nexus via UDP
- description: Collecting logs from Cisco Nexus via UDP
- - type: tcp
- title: Collect logs from Cisco Nexus via TCP
- description: Collecting logs from Cisco Nexus via TCP
- - type: logfile
- title: Collect logs from Cisco Nexus via file
- description: Collecting logs from Cisco Nexus via file
-owner:
- github: elastic/security-external-integrations
diff --git a/packages/cisco_umbrella/1.3.3/LICENSE.txt b/packages/cisco_umbrella/1.3.3/LICENSE.txt
deleted file mode 100755
index 809108b857..0000000000
--- a/packages/cisco_umbrella/1.3.3/LICENSE.txt
+++ /dev/null
@@ -1,93 +0,0 @@
-Elastic License 2.0
-
-URL: https://www.elastic.co/licensing/elastic-license
-
-## Acceptance
-
-By using the software, you agree to all of the terms and conditions below.
-
-## Copyright License
-
-The licensor grants you a non-exclusive, royalty-free, worldwide,
-non-sublicensable, non-transferable license to use, copy, distribute, make
-available, and prepare derivative works of the software, in each case subject to
-the limitations and conditions below.
-
-## Limitations
-
-You may not provide the software to third parties as a hosted or managed
-service, where the service provides users with access to any substantial set of
-the features or functionality of the software.
-
-You may not move, change, disable, or circumvent the license key functionality
-in the software, and you may not remove or obscure any functionality in the
-software that is protected by the license key.
-
-You may not alter, remove, or obscure any licensing, copyright, or other notices
-of the licensor in the software. Any use of the licensor’s trademarks is subject
-to applicable law.
-
-## Patents
-
-The licensor grants you a license, under any patent claims the licensor can
-license, or becomes able to license, to make, have made, use, sell, offer for
-sale, import and have imported the software, in each case subject to the
-limitations and conditions in this license. This license does not cover any
-patent claims that you cause to be infringed by modifications or additions to
-the software. If you or your company make any written claim that the software
-infringes or contributes to infringement of any patent, your patent license for
-the software granted under these terms ends immediately. If your company makes
-such a claim, your patent license ends immediately for work on behalf of your
-company.
-
-## Notices
-
-You must ensure that anyone who gets a copy of any part of the software from you
-also gets a copy of these terms.
-
-If you modify the software, you must include in any modified copies of the
-software prominent notices stating that you have modified the software.
-
-## No Other Rights
-
-These terms do not imply any licenses other than those expressly granted in
-these terms.
-
-## Termination
-
-If you use the software in violation of these terms, such use is not licensed,
-and your licenses will automatically terminate. If the licensor provides you
-with a notice of your violation, and you cease all violation of this license no
-later than 30 days after you receive that notice, your licenses will be
-reinstated retroactively. However, if you violate these terms after such
-reinstatement, any additional violation of these terms will cause your licenses
-to terminate automatically and permanently.
-
-## No Liability
-
-*As far as the law allows, the software comes as is, without any warranty or
-condition, and the licensor will not be liable to you for any damages arising
-out of these terms or the use or nature of the software, under any kind of
-legal claim.*
-
-## Definitions
-
-The **licensor** is the entity offering these terms, and the **software** is the
-software the licensor makes available under these terms, including any portion
-of it.
-
-**you** refers to the individual or entity agreeing to these terms.
-
-**your company** is any legal entity, sole proprietorship, or other kind of
-organization that you work for, plus all organizations that have control over,
-are under the control of, or are under common control with that
-organization. **control** means ownership of substantially all the assets of an
-entity, or the power to direct its management and policies by vote, contract, or
-otherwise. Control can be direct or indirect.
-
-**your licenses** are all the licenses granted to you for the software under
-these terms.
-
-**use** means anything you do with the software requiring one of your licenses.
-
-**trademark** means trademarks, service marks, and similar rights.
diff --git a/packages/cisco_umbrella/1.3.3/changelog.yml b/packages/cisco_umbrella/1.3.3/changelog.yml
deleted file mode 100755
index 602c0ad07a..0000000000
--- a/packages/cisco_umbrella/1.3.3/changelog.yml
+++ /dev/null
@@ -1,116 +0,0 @@
-# newer versions go on top
-- version: "1.3.3"
- changes:
- - description: Use ECS geo.location definition.
- type: enhancement
- link: https://github.com/elastic/integrations/issues/4227
-- version: "1.3.2"
- changes:
- - description: Fix proxy log CSV fields
- type: bugfix
- link: https://github.com/elastic/integrations/pull/4085
-- version: "1.3.1"
- changes:
- - description: Set default endpoint to empty string
- type: bugfix
- link: https://github.com/elastic/integrations/pull/4103
-- version: "1.3.0"
- changes:
- - description: Update package to ECS 8.4.0
- type: enhancement
- link: https://github.com/elastic/integrations/pull/3843
-- version: "1.2.2"
- changes:
- - description: Fix proxy URL documentation rendering.
- type: bugfix
- link: https://github.com/elastic/integrations/pull/3881
-- version: "1.2.1"
- changes:
- - description: Add missing proxy config to S3 input
- type: enhancement
- link: https://github.com/elastic/integrations/pull/3813
-- version: "1.2.0"
- changes:
- - description: Enrich DNS fields
- type: enhancement
- link: https://github.com/elastic/integrations/pull/3712
-- version: "1.1.0"
- changes:
- - description: Update package to ECS 8.3.0.
- type: enhancement
- link: https://github.com/elastic/integrations/pull/3353
-- version: "1.0.1"
- changes:
- - description: Update to readme. added link to Cisco documentation
- type: enhancement
- link: https://github.com/elastic/integrations/pull/3219
-- version: "1.0.0"
- changes:
- - description: Make GA
- type: enhancement
- link: https://github.com/elastic/integrations/pull/3428
-- version: "0.7.0"
- changes:
- - description: Add Audit Logs
- type: enhancement
- link: https://github.com/elastic/integrations/pull/3332
-- version: "0.6.1"
- changes:
- - description: Fix use of destination.ip instead of source.nat.ip in DNS logs
- type: bugfix
- link: https://github.com/elastic/integrations/pull/3218
-- version: "0.6.0"
- changes:
- - description: Update to ECS 8.2
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2778
-- version: "0.5.1"
- changes:
- - description: Add documentation for multi-fields
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2916
-- version: "0.5.0"
- changes:
- - description: Update to ECS 8.0
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2396
-- version: "0.4.0"
- changes:
- - description: Update config to support Cisco Managed S3
- type: bugfix
- link: https://github.com/elastic/integrations/pull/2462
-- version: "0.3.2"
- changes:
- - description: Regenerate test files using the new GeoIP database
- type: bugfix
- link: https://github.com/elastic/integrations/pull/2339
-- version: "0.3.1"
- changes:
- - description: Change test public IPs to the supported subset
- type: bugfix
- link: https://github.com/elastic/integrations/pull/2327
-- version: "0.3.0"
- changes:
- - description: Add 8.0.0 version constraint
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2269
-- version: "0.2.2"
- changes:
- - description: Update Title and Description.
- type: enhancement
- link: https://github.com/elastic/integrations/pull/1959
-- version: "0.2.1"
- changes:
- - description: Fix logic that checks for the 'forwarded' tag
- type: bugfix
- link: https://github.com/elastic/integrations/pull/1810
-- version: "0.2.0"
- changes:
- - description: Update to ECS 1.12.0
- type: enhancement
- link: https://github.com/elastic/integrations/pull/1787
-- version: "0.1.0"
- changes:
- - description: Initial migration from Filebeat Module
- type: enhancement
- link: https://github.com/elastic/integrations/pull/1646
diff --git a/packages/cisco_umbrella/1.3.3/data_stream/log/agent/stream/aws-s3.yml.hbs b/packages/cisco_umbrella/1.3.3/data_stream/log/agent/stream/aws-s3.yml.hbs
deleted file mode 100755
index 85c9f3f249..0000000000
--- a/packages/cisco_umbrella/1.3.3/data_stream/log/agent/stream/aws-s3.yml.hbs
+++ /dev/null
@@ -1,73 +0,0 @@
-{{#if queue_url}}
-queue_url: {{queue_url}}
-{{/if}}
-{{#if bucket_arn}}
-bucket_arn: {{bucket_arn}}
-{{/if}}
-{{#if bucket_list_prefix}}
-bucket_list_prefix: {{bucket_list_prefix}}/
-{{/if}}
-{{#if bucket_list_prefix}}
-file_selectors:
- - regex: {{bucket_list_prefix}}/dnslogs/.+
- - regex: {{bucket_list_prefix}}/proxylogs/.+
- - regex: {{bucket_list_prefix}}/cloudfirewalllogs/.+
- - regex: {{bucket_list_prefix}}/iplogs/.+
- - regex: {{bucket_list_prefix}}/auditlogs/.+
-{{/if}}
-{{#if region}}
-default_region: {{region}}
-{{/if}}
-{{#if credential_profile_name}}
-credential_profile_name: {{credential_profile_name}}
-{{/if}}
-{{#if shared_credential_file}}
-shared_credential_file: {{shared_credential_file}}
-{{/if}}
-{{#if visibility_timeout}}
-visibility_timeout: {{visibility_timeout}}
-{{/if}}
-{{#if api_timeout}}
-api_timeout: {{api_timeout}}
-{{/if}}
-{{#if endpoint}}
-endpoint: {{endpoint}}
-{{/if}}
-{{#if access_key_id}}
-access_key_id: {{access_key_id}}
-{{/if}}
-{{#if secret_access_key}}
-secret_access_key: {{secret_access_key}}
-{{/if}}
-{{#if session_token}}
-session_token: {{session_token}}
-{{/if}}
-{{#if role_arn}}
-role_arn: {{role_arn}}
-{{/if}}
-{{#if fips_enabled}}
-fips_enabled: {{fips_enabled}}
-{{/if}}
-{{#if proxy_url }}
-proxy_url: {{proxy_url}}
-{{/if}}
-{{#if number_of_workers}}
-number_of_workers: {{number_of_workers}}
-{{/if}}
-{{#if bucket_list_interval}}
-bucket_list_interval: {{bucket_list_interval}}
-{{/if}}
-tags:
-{{#if preserve_original_event}}
- - preserve_original_event
-{{/if}}
-{{#each tags as |tag i|}}
- - {{tag}}
-{{/each}}
-{{#contains "forwarded" tags}}
-publisher_pipeline.disable_host: true
-{{/contains}}
-{{#if processors}}
-processors:
-{{processors}}
-{{/if}}
\ No newline at end of file
diff --git a/packages/cisco_umbrella/1.3.3/data_stream/log/elasticsearch/ingest_pipeline/default.yml b/packages/cisco_umbrella/1.3.3/data_stream/log/elasticsearch/ingest_pipeline/default.yml
deleted file mode 100755
index 4b4aeeb8e1..0000000000
--- a/packages/cisco_umbrella/1.3.3/data_stream/log/elasticsearch/ingest_pipeline/default.yml
+++ /dev/null
@@ -1,441 +0,0 @@ ---- -description: Pipeline for Cisco Umbrella - -processors: - - set: - field: ecs.version - value: '8.4.0' - - set: - field: observer.vendor - value: Cisco - - set: - field: observer.product - value: Umbrella - - rename: - field: message - target_field: event.original - ############ - # DNS Logs # - ############ - - csv: - field: event.original - target_fields: - - cisco.umbrella._tmp.time - - user.name - - cisco.umbrella.identities - - source.address - - source.nat.ip - - cisco.umbrella.action - - dns.question.type - - dns.response_code - - dns.question.name - - cisco.umbrella.categories - - cisco.umbrella.policy_identity_type - - cisco.umbrella.identity_types - - cisco.umbrella.blocked_categories - if: ctx.log?.file?.path.contains('dnslogs') - - gsub: - description: Strip tailing dot from DNS names. - field: dns.question.name - pattern: '\.$' - replacement: '' - ignore_missing: true - - set: - field: observer.type - value: dns - if: ctx.log?.file?.path.contains('dnslogs') - ########### - # IP Logs # - ########### - - csv: - field: event.original - target_fields: - - cisco.umbrella._tmp.time - - user.name - - source.address - - source.port - - destination.address - - destination.port - - cisco.umbrella.categories - if: ctx.log?.file?.path.contains('iplogs') - - - set: - field: observer.type - value: firewall - if: ctx.log?.file?.path.contains('iplogs') - - ############## - # Proxy Logs # - ############## - - csv: - field: event.original - target_fields: - - cisco.umbrella._tmp.time - - cisco.umbrella.identity - - source.address - - source.nat.ip - - destination.address - - cisco.umbrella.content_type - - cisco.umbrella.verdict - - url.full - - http.request.referrer - - user_agent.original - - http.response.status_code - - http.request.bytes - - http.response.bytes - - http.response.body.bytes - - cisco.umbrella.sha_sha256 - - cisco.umbrella.categories - - cisco.umbrella.av_detections - - cisco.umbrella.puas - - cisco.umbrella.amp_disposition - 
- cisco.umbrella.amp_malware_name - - cisco.umbrella.amp_score - - cisco.umbrella.identity_types - - cisco.umbrella.blocked_categories - - cisco.umbrella.identities - - cisco.umbrella.identity_types - - cisco.umbrella.request_method - - cisco.umbrella.dlp_status - - cisco.umbrella.certificate_errors - - cisco.umbrella.file_name - - cisco.umbrella.ruleset_id - - cisco.umbrella.rule_id - - cisco.umbrella.destination_lists_id - if: ctx.log?.file?.path.contains('proxylogs') - - - set: - field: observer.type - value: proxy - if: ctx.log?.file?.path.contains('proxylogs') - - ####################### - # Cloud Firewall Logs # - ####################### - - csv: - field: event.original - target_fields: - - cisco.umbrella._tmp.time - - cisco.umbrella.origin_id - - user.name - - cisco.umbrella.identity_types - - cisco.umbrella.direction - - network.transport - - source.bytes - - source.address - - source.port - - destination.address - - destination.port - - cisco.umbrella.datacenter - - cisco.umbrella.ruleid - - cisco.umbrella.verdict - if: ctx.log?.file?.path.contains('cloudfirewalllogs') - - - set: - field: observer.type - value: firewall - if: ctx.log?.file?.path.contains('cloudfirewalllogs') - - ####################### - # Audit Logs # - ####################### - - csv: - field: event.original - target_fields: - - event.id - - cisco.umbrella._tmp.time - - user.email - - user.name - - cisco.umbrella.audit.type - - event.action - - source.address - - cisco.umbrella.audit.before - - cisco.umbrella.audit.after - if: ctx.log?.file?.path.contains('auditlogs') - - - uri_parts: - field: url.full - ignore_failure: true - if: ctx.url?.full != null - - # Identifies is a field that includes any sort of username, device or other asset that is included in the request. 
- # Converting this to an array to make it easier to use in searches and visualizations - - split: - field: cisco.umbrella.identities - separator: ",\\s*" - preserve_trailing: false - if: "ctx.cisco?.umbrella?.identities != null && (ctx.log?.file?.path.contains('dnslogs') || ctx.log?.file?.path.contains('proxylogs'))" - - split: - field: cisco.umbrella.categories - separator: ",\\s*" - preserve_trailing: false - if: "ctx.log?.file?.path.contains('dnslogs') && ctx.cisco?.umbrella?.categories != null" - - split: - field: cisco.umbrella.blocked_categories - separator: ",\\s*" - preserve_trailing: false - if: "ctx.log?.file?.path.contains('dnslogs') && ctx.cisco?.umbrella?.blocked_categories != null" - - split: - field: cisco.umbrella.identity_types - separator: ",\\s*" - preserve_trailing: false - if: "ctx.cisco?.umbrella?.identity_types != null" - - ###################### - # General ECS Fields # - ###################### - # This field is always in UTC, so no timezone should need to be set - - date: - field: cisco.umbrella._tmp.time - target_field: "@timestamp" - formats: - - "yyyy-MM-dd HH:mm:ss" - - ISO8601 - if: ctx.cisco?.umbrella?._tmp?.time != null - ################## - # DNS ECS Fields # - ################## - - set: - field: dns.type - value: query - if: ctx.cisco?.umbrella?.action != null - - registered_domain: - field: dns.question.name - target_field: dns.question - ignore_missing: true - ignore_failure: true - - remove: - field: dns.question.domain - ignore_missing: true - ###################### - # Network ECS Fields # - ###################### - - lowercase: - field: cisco.umbrella.direction - target_field: network.direction - if: ctx.cisco?.umbrella?.direction != null - - convert: - field: source.bytes - type: long - if: ctx.source?.bytes != null - - convert: - field: source.port - type: long - if: ctx.source?.port != null - - convert: - field: destination.port - type: long - if: ctx.destination?.port != null - ################### - # HTTP ECS Fields # 
- ################### - - convert: - field: http.request.bytes - type: long - if: ctx.http?.request?.bytes != null - - convert: - field: http.response.bytes - type: long - if: ctx.http?.response?.bytes != null - - convert: - field: http.response.status_code - type: long - if: ctx.http?.response?.status_code != null - ################### - # Rule ECS Fields # - ################### - - rename: - field: cisco.umbrella.ruleid - target_field: rule.id - if: ctx.cisco?.umbrella?.ruleid != null - - #################### - # Event ECS Fields # - #################### - - set: - field: event.action - value: "dns-request-{{cisco.umbrella.action}}" - if: ctx.cisco?.umbrella?.action != null - - set: - field: event.category - value: network - if: "!ctx.log?.file?.path.contains('auditlogs')" - - append: - field: event.type - value: allowed - if: "ctx.cisco?.umbrella?.action == 'Allowed' || ['ALLOWED','ALLOW'].contains(ctx.cisco?.umbrella?.verdict)" - - append: - field: event.type - value: denied - if: "ctx.cisco?.umbrella?.action == 'Blocked' || ['BLOCKED','BLOCK'].contains(ctx.cisco?.umbrella?.verdict)" - - append: - field: event.type - value: connection - if: ctx.cisco?.umbrella?.action != null - - set: - field: event.category - value: configuration - if: "ctx.log?.file?.path.contains('auditlogs')" - - append: - field: event.type - value: creation - if: "ctx.log?.file?.path.contains('auditlogs') && ctx.event?.action.toLowerCase() == 'create'" - - append: - field: event.type - value: change - if: "ctx.log?.file?.path.contains('auditlogs') && ctx.event?.action.toLowerCase() == 'update'" - - append: - field: event.type - value: deletion - if: "ctx.log?.file?.path.contains('auditlogs') && ctx.event?.action.toLowerCase() == 'delete'" - # Converting address fields to either ip or domain - - convert: - field: source.address - target_field: source.ip - type: ip - ignore_missing: true - on_failure: - - set: - copy_from: source.address - field: source.domain - override: true - - - convert: 
- field: destination.address - target_field: destination.ip - type: ip - ignore_missing: true - on_failure: - - set: - field: destination.domain - copy_from: destination.address - override: true - - # For nat, there's no address or domain subfield. - # If the value is not a valid IP, it must be removed - # or ingestion will fail. Probably just an empty value. - - convert: - field: source.nat.ip - type: ip - ignore_missing: true - on_failure: - - remove: - field: source.nat.ip - - - community_id: - ignore_missing: true - - geoip: - field: source.ip - target_field: source.geo - ignore_missing: true - - geoip: - database_file: GeoLite2-ASN.mmdb - field: source.ip - target_field: source.as - properties: - - asn - - organization_name - ignore_missing: true - - rename: - field: source.as.asn - target_field: source.as.number - ignore_missing: true - - rename: - field: source.as.organization_name - target_field: source.as.organization.name - ignore_missing: true - - geoip: - field: destination.ip - target_field: destination.geo - ignore_missing: true - - geoip: - database_file: GeoLite2-ASN.mmdb - field: destination.ip - target_field: destination.as - properties: - - asn - - organization_name - ignore_missing: true - - rename: - field: destination.as.asn - target_field: destination.as.number - ignore_missing: true - - rename: - field: destination.as.organization_name - target_field: destination.as.organization.name - ignore_missing: true - ###################### - # Related ECS Fields # - ###################### - - append: - field: related.user - value: "{{user.name}}" - if: ctx.source?.user?.name != null - - append: - field: related.ip - value: "{{source.ip}}" - if: ctx.source?.ip != null - - append: - field: related.ip - value: "{{source.nat.ip}}" - if: ctx.source?.nat?.ip != null - - append: - field: related.ip - value: "{{destination.ip}}" - if: ctx.destination?.ip != null - - append: - field: related.hosts - value: "{{source.domain}}" - if: ctx.source?.domain != null 
- - append: - field: related.hosts - value: "{{dns.question.name}}" - if: ctx.dns?.question?.name != null - - append: - field: related.hash - value: "{{cisco.umbrella.sha_sha256}}" - if: ctx.cisco?.umbrella?.sha_sha256 != null - - script: - if: ctx.cisco?.umbrella?.identities != null && ctx.cisco.umbrella.identities instanceof List - lang: painless - description: "Extract user name values from ctx.cisco.umbrella.identities and append it to related.user" - source: |- - void addRelatedUser(def ctx, def x) { - if (ctx.related == null) { - Map map = new HashMap(); - ctx.put("related", map); - } - if (ctx.related?.user == null) { - ArrayList al = new ArrayList(); - ctx.related.put("user", al); - } - if (!ctx.related.user.contains(x)) { - ctx.related.user.add(x); - } - } - for (cisco_identity in ctx.cisco.umbrella.identities) { - if (cisco_identity.contains('@')) { - addRelatedUser(ctx, cisco_identity); - } - } - - ########### - # Cleanup # - ########### - - remove: - field: - - cisco.umbrella._tmp - - cisco.umbrella.direction - - cisco.umbrella.action - - cisco.umbrella.verdict - ignore_missing: true - - - remove: - field: event.original - if: "ctx.tags == null || !(ctx.tags.contains('preserve_original_event'))" - ignore_failure: true - ignore_missing: true -on_failure: - - set: - field: error.message - value: "{{ _ingest.on_failure_message }}" diff --git a/packages/cisco_umbrella/1.3.3/data_stream/log/fields/agent.yml b/packages/cisco_umbrella/1.3.3/data_stream/log/fields/agent.yml deleted file mode 100755 index da4e652c53..0000000000 --- a/packages/cisco_umbrella/1.3.3/data_stream/log/fields/agent.yml +++ /dev/null 
@@ -1,198 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/cisco_umbrella/1.3.3/data_stream/log/fields/base-fields.yml b/packages/cisco_umbrella/1.3.3/data_stream/log/fields/base-fields.yml deleted file mode 100755 index 1fb9b67d57..0000000000 --- a/packages/cisco_umbrella/1.3.3/data_stream/log/fields/base-fields.yml +++ /dev/null @@ -1,24 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: event.module - type: constant_keyword - description: Event module - value: cisco_umbrella -- name: event.dataset - type: constant_keyword - description: Event dataset - value: cisco_umbrella.log -- name: container.id - description: Unique container id. - ignore_above: 1024 - type: keyword -- name: input.type - description: Type of Filebeat input. - type: keyword diff --git a/packages/cisco_umbrella/1.3.3/data_stream/log/fields/ecs.yml b/packages/cisco_umbrella/1.3.3/data_stream/log/fields/ecs.yml deleted file mode 100755 index b8fef2a8cb..0000000000 --- a/packages/cisco_umbrella/1.3.3/data_stream/log/fields/ecs.yml +++ /dev/null 
@@ -1,428 +0,0 @@ -- description: |- - Date/time when the event originated. - This is the date/time extracted from the event, typically representing when the event was generated by the source. - If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. - Required field for all events. - name: '@timestamp' - type: date -- description: |- - The domain name of the client system. - This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. - name: client.domain - type: keyword -- description: |- - The highest registered client domain, stripped of the subdomain. - For example, the registered domain for "foo.example.com" is "example.com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". - name: client.registered_domain - type: keyword -- description: |- - The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. - For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. - name: client.subdomain - type: keyword -- description: |- - The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). 
Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". - name: client.top_level_domain - type: keyword -- description: |- - Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: destination.address - type: keyword -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: destination.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: destination.as.organization.name - type: keyword -- description: Bytes sent from the destination to the source. - name: destination.bytes - type: long -- description: |- - The domain name of the destination system. - This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. - name: destination.domain - type: keyword -- description: City name. - name: destination.geo.city_name - type: keyword -- description: Country name. - name: destination.geo.country_name - type: keyword -- description: Name of the continent. - name: destination.geo.continent_name - type: keyword -- description: Region ISO code. - name: destination.geo.region_iso_code - type: keyword -- description: Region name. - name: destination.geo.region_name - type: keyword -- description: Country ISO code. - name: destination.geo.country_iso_code - type: keyword -- description: Longitude and latitude. - name: destination.geo.location - type: geo_point -- description: IP address of the destination (IPv4 or IPv6). - name: destination.ip - type: ip -- description: |- - MAC address of the destination. 
- The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. - name: destination.mac - pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ - type: keyword -- description: |- - Translated ip of destination based NAT sessions (e.g. internet to private DMZ) - Typically used with load balancers, firewalls, or routers. - name: destination.nat.ip - type: ip -- description: |- - Port the source session is translated to by NAT Device. - Typically used with load balancers, firewalls, or routers. - name: destination.nat.port - type: long -- description: Port of the destination. - name: destination.port - type: long -- description: The DNS response code. - name: dns.response_code - type: keyword -- description: The type of record being queried. - name: dns.question.type - type: keyword -- description: |- - The type of DNS event captured, query or answer. - If your source of DNS events only gives you DNS queries, you should only create dns events of type `dns.type:query`. - If your source of DNS events gives you answers as well, you should create one event per query (optionally as soon as the query is seen). And a second event containing all query details as well as an array of answers. - name: dns.type - type: keyword -- description: |- - The name being queried. - If the name field contains non-printable characters (below 32 or above 126), those characters should be represented as escaped base 10 integers (\DDD). Back slashes and quotes should be escaped. Tabs, carriage returns, and line feeds should be converted to \t, \r, and \n respectively. - name: dns.question.name - type: keyword -- description: |- - The highest registered domain, stripped of the subdomain. - For example, the registered domain for "foo.example.com" is "example.com". 
- This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". - name: dns.question.registered_domain - type: keyword -- description: |- - The subdomain is all of the labels under the registered_domain. - If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. - name: dns.question.subdomain - type: keyword -- description: |- - The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". - name: dns.question.top_level_domain - type: keyword -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: Error message. - name: error.message - type: match_only_text -- description: |- - The action captured by the event. - This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. - name: event.action - type: keyword -- description: |- - Identification code for this event, if one exists. - Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. 
- name: event.code - type: keyword -- description: |- - Timestamp when an event arrived in the central data store. - This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. - In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. - name: event.ingested - type: date -- description: |- - Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. - This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. - doc_values: false - index: false - name: event.original - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. - `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. - Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. - Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. - Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. 
- name: event.outcome - type: keyword -- description: |- - This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. - Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). - name: event.timezone - type: keyword -- description: |- - Hostname of the host. - It normally contains what the `hostname` command returns on the host machine. - name: host.hostname - type: keyword -- description: Host ip addresses. - name: host.ip - normalize: - - array - type: ip -- description: |- - Host MAC addresses. - The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. - name: host.mac - normalize: - - array - pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ - type: keyword -- description: |- - Name of the host. - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. - name: host.name - type: keyword -- description: |- - HTTP request method. - The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field. - name: http.request.method - type: keyword -- description: Referrer for this HTTP request. - name: http.request.referrer - type: keyword -- description: Total size in bytes of the request (body and headers). - name: http.request.bytes - type: long -- description: HTTP response status code. - name: http.response.status_code - type: long -- description: Total size in bytes of the response (body and headers). 
- name: http.response.bytes - type: long -- description: |- - For log events the message field contains the log message, optimized for viewing in a log viewer. - For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. - If multiple messages exist, they can be combined into one message. - name: message - type: match_only_text -- description: |- - Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) - The field value must be normalized to lowercase for querying. - name: network.transport - type: keyword -- description: |- - Direction of the network traffic. - When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". - When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". - Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. - name: network.direction - type: keyword -- description: |- - A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. - Learn more at https://github.com/corelight/community-id-spec. - name: network.community_id - type: keyword -- description: The product name of the observer. - name: observer.product - type: keyword -- description: |- - The type of the observer the data is coming from. - There is no predefined list of observer types. 
Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. - name: observer.type - type: keyword -- description: Vendor name of the observer. - name: observer.vendor - type: keyword -- description: All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. - name: related.hosts - normalize: - - array - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - normalize: - - array - type: ip -- description: All the user names or other user identifiers seen on the event. - name: related.user - normalize: - - array - type: keyword -- description: All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). - name: related.hash - normalize: - - array - type: keyword -- description: |- - Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: source.address - type: keyword -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: source.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: source.as.organization.name - type: keyword -- description: Bytes sent from the source to the destination. - name: source.bytes - type: long -- description: |- - The domain name of the source system. - This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. 
- name: source.domain - type: keyword -- description: City name. - name: source.geo.city_name - type: keyword -- description: Country name. - name: source.geo.country_name - type: keyword -- description: Name of the continent. - name: source.geo.continent_name - type: keyword -- description: Country ISO code. - name: source.geo.country_iso_code - type: keyword -- description: Longitude and latitude. - name: source.geo.location - type: geo_point -- description: Region ISO code. - name: source.geo.region_iso_code - type: keyword -- description: Region name. - name: source.geo.region_name - type: keyword -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: |- - MAC address of the source. - The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. - name: source.mac - pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ - type: keyword -- description: |- - Translated ip of source based NAT sessions (e.g. internal client to internet) - Typically connections traversing load balancers, firewalls, or routers. - name: source.nat.ip - type: ip -- description: |- - Translated port of source based NAT sessions. (e.g. internal client to internet) - Typically used with load balancers, firewalls, or routers. - name: source.nat.port - type: long -- description: Port of the source. - name: source.port - type: long -- description: |- - The highest registered source domain, stripped of the subdomain. - For example, the registered domain for "foo.example.com" is "example.com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". 
- name: source.registered_domain - type: keyword -- description: |- - The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. - For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. - name: source.subdomain - type: keyword -- description: |- - The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". - name: source.top_level_domain - type: keyword -- description: List of keywords used to tag each event. - name: tags - normalize: - - array - type: keyword -- description: |- - Domain of the url, such as "www.elastic.co". - In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. - If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. - name: url.domain - type: keyword -- description: |- - Unmodified original url as seen in the event source. - Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. - This field is meant to represent the URL as it was observed, complete or not. 
- multi_fields: - - name: text - type: match_only_text - name: url.original - type: wildcard -- description: Path of the request, such as "/search". - name: url.path - type: wildcard -- description: |- - The query field describes the query string of the request, such as "q=elasticsearch". - The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. - name: url.query - type: keyword -- description: |- - The field contains the file extension from the original request url, excluding the leading dot. - The file extension is only set if it exists, as not every url has a file extension. - The leading period must not be included. For example, the value must be "png", not ".png". - Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). - name: url.extension - type: keyword -- description: |- - Scheme of the request, such as "https". - Note: The `:` is not part of the scheme. - name: url.scheme - type: keyword -- description: If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. - multi_fields: - - name: text - type: match_only_text - name: url.full - type: wildcard -- description: |- - Name of the directory the user is a member of. - For example, an LDAP or Active Directory domain name. - name: user.domain - type: keyword -- description: User's full name, if available. - multi_fields: - - name: text - type: match_only_text - name: user.full_name - type: keyword -- description: Unique identifier of the user. - name: user.id - type: keyword -- description: Short name or login of the user. - multi_fields: - - name: text - type: match_only_text - name: user.name - type: keyword -- description: User email address. 
- name: user.email
- type: keyword
-- description: Unparsed user_agent string.
- multi_fields:
- - name: text
- type: match_only_text
- name: user_agent.original
- type: keyword
-- description: A rule ID that is unique within the scope of an agent, observer, or other entity using the rule for detection of this event.
- name: rule.id
- type: keyword
-- description: |-
- Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate.
- If the event wasn't read from a log file, do not populate this field.
- name: log.file.path
- type: keyword
diff --git a/packages/cisco_umbrella/1.3.3/data_stream/log/fields/fields.yml b/packages/cisco_umbrella/1.3.3/data_stream/log/fields/fields.yml
deleted file mode 100755
index 286baf6dd1..0000000000
--- a/packages/cisco_umbrella/1.3.3/data_stream/log/fields/fields.yml
+++ /dev/null
@@ -1,104 +0,0 @@
-- name: cisco.umbrella
- type: group
- description: >
- Fields for Cisco Umbrella.
-
- fields:
- - name: identity
- type: keyword
- description: >
- The identity that made the request. An identity can be a high-level entity within your system (e.g a network) or very granular (e.g a single user)
-
- - name: identities
- type: keyword
- description: >
- An array of the different identities related to the event.
-
- - name: categories
- type: keyword
- description: >
- The security or content categories that the destination matches.
-
- - name: policy_identity_type
- type: keyword
- description: >
- The first identity type matched with this request. Available in version 3 and above.
-
- - name: identity_types
- type: keyword
- description: >
- The type of identity that made the request. For example, Roaming Computer or Network.
-
- - name: blocked_categories
- type: keyword
- description: >
- The categories that resulted in the destination being blocked. Available in version 4 and above.
-
- - name: content_type
- type: keyword
- description: >
- The type of web content, typically text/html.
-
- - name: sha_sha256
- type: keyword
- description: >
- Hex digest of the response content.
-
- - name: av_detections
- type: keyword
- description: >
- The detection name according to the antivirus engine used in file inspection.
-
- - name: puas
- type: keyword
- description: >
- A list of all potentially unwanted application (PUA) results for the proxied file as returned by the antivirus scanner.
-
- - name: amp_disposition
- type: keyword
- description: >
- The status of the files proxied and scanned by Cisco Advanced Malware Protection (AMP) as part of the Umbrella File Inspection feature; can be Clean, Malicious or Unknown.
-
- - name: amp_malware_name
- type: keyword
- description: >
- If Malicious, the name of the malware according to AMP.
-
- - name: amp_score
- type: keyword
- description: >
- The score of the malware from AMP.
This field is not currently used and will be blank.
-
- - name: datacenter
- type: keyword
- description: >
- The name of the Umbrella Data Center that processed the user-generated traffic.
-
- - name: origin_id
- type: keyword
- description: >
- The unique identity of the network tunnel.
-
- - name: request_method
- type: keyword
- - name: dlp_status
- type: keyword
- - name: certificate_errors
- type: keyword
- - name: file_name
- type: keyword
- - name: ruleset_id
- type: keyword
- - name: rule_id
- type: keyword
- - name: destination_lists_id
- type: keyword
- - name: audit.type
- type: keyword
- description: Where the change was made, such as settings or a policy.
- - name: audit.before
- type: keyword
- description: The policy or setting before the change was made.
- - name: audit.after
- type: keyword
- description: The policy or setting after the change was made.
diff --git a/packages/cisco_umbrella/1.3.3/data_stream/log/manifest.yml b/packages/cisco_umbrella/1.3.3/data_stream/log/manifest.yml
deleted file mode 100755
index fe3d4455dd..0000000000
--- a/packages/cisco_umbrella/1.3.3/data_stream/log/manifest.yml
+++ /dev/null
@@ -1,155 +0,0 @@
-title: Cisco Umbrella logs
-release: experimental
-type: logs
-streams:
- - input: aws-s3
- enabled: false
- title: Cisco Umbrella logs
- description: Collect Cisco Umbrella logs
- template_path: aws-s3.yml.hbs
- vars:
- - name: queue_url
- type: text
- title: Queue URL
- multi: false
- required: false
- show_user: true
- description: URL of the AWS SQS queue that messages will be received from. For Cisco Managed S3 buckets or S3 without SQS, use Bucket ARN.
- name: bucket_arn
- type: text
- title: Bucket ARN
- multi: false
- required: false
- show_user: true
- description: >-
- Required for Cisco Managed S3. If the S3 bucket does not use SQS, this is the address for the S3 bucket, one example is `arn:aws:s3:::cisco-managed-eu-central-1` For a list of Cisco Managed buckets, please see https://docs.umbrella.com/mssp-deployment/docs/enable-logging-to-a-cisco-managed-s3-bucket.
- name: region
- type: text
- title: Bucket Region
- multi: false
- required: false
- show_user: true
- description: >-
- Required for Cisco Managed S3. The region the bucket is located in.
- name: bucket_list_prefix
- type: text
- title: Bucket List Prefix
- multi: false
- required: false
- show_user: true
- description: >-
- Required for Cisco Managed S3. This sets the root folder of the S3 bucket that should be monitored, found in the S3 Web UI. Example value: `1235_654vcasd23431e5dd6f7fsad457sdf1fd5`. Forward slash at the end required for Cisco Managed S3.
- name: number_of_workers
- type: text
- title: Number of Workers
- multi: false
- required: false
- show_user: true
- default: 1
- description: Required for Cisco Managed S3. Number of workers that will process the S3 objects listed. Minimum is 1.
- name: bucket_list_interval
- type: text
- title: Bucket List Interval
- multi: false
- required: false
- show_user: true
- description: Time interval for polling listing of the S3 bucket. Defaults to 120s.
- - name: shared_credential_file
- type: text
- title: Shared Credential File
- multi: false
- required: false
- show_user: false
- description: Directory of the shared credentials file.
- name: credential_profile_name
- type: text
- title: Credential Profile Name
- multi: false
- required: false
- show_user: false
- name: access_key_id
- type: text
- title: Access Key ID
- multi: false
- required: false
- show_user: true
- name: secret_access_key
- type: text
- title: Secret Access Key
- multi: false
- required: false
- show_user: true
- name: session_token
- type: text
- title: Session Token
- multi: false
- required: false
- show_user: true
- name: role_arn
- type: text
- title: Role ARN
- multi: false
- required: false
- show_user: false
- name: endpoint
- type: text
- title: Endpoint
- multi: false
- required: false
- show_user: false
- default: ""
- description: URL of the entry point for an AWS web service.
- name: visibility_timeout
- type: text
- title: Visibility Timeout
- multi: false
- required: false
- show_user: false
- description: The duration that the received messages are hidden from subsequent retrieve requests after being retrieved by a ReceiveMessage request. The maximum is 12 hours.
- name: api_timeout
- type: text
- title: API Timeout
- multi: false
- required: false
- show_user: false
- description: The maximum duration of AWS API can take. The maximum is half of the visibility timeout value.
- name: fips_enabled
- type: bool
- title: Enable S3 FIPS
- default: false
- multi: false
- required: false
- show_user: false
- description: Enabling this option changes the service name from `s3` to `s3-fips` for connecting to the correct service endpoint.
- - name: proxy_url
- type: text
- title: Proxy URL
- multi: false
- required: false
- show_user: false
- description: URL to proxy connections in the form of http\[s\]://:@:
- name: tags
- type: text
- title: Tags
- multi: true
- required: true
- show_user: false
- default:
- - cisco-umbrella
- - forwarded
- name: preserve_original_event
- required: true
- show_user: true
- title: Preserve original event
- description: Preserves a raw copy of the original event, added to the field `event.original`.
- type: bool
- multi: false
- default: false
- name: processors
- type: yaml
- title: Processors
- multi: false
- required: false
- show_user: false
- description: >-
- Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
diff --git a/packages/cisco_umbrella/1.3.3/data_stream/log/sample_event.json b/packages/cisco_umbrella/1.3.3/data_stream/log/sample_event.json
deleted file mode 100755
index 180f761add..0000000000
--- a/packages/cisco_umbrella/1.3.3/data_stream/log/sample_event.json
+++ /dev/null
@@ -1,97 +0,0 @@
-{
- "destination": {
- "geo": {
- "continent_name": "North America",
- "country_name": "United States",
- "location": {
- "lon": -97.822,
- "lat": 37.751
- },
- "country_iso_code": "US"
- },
- "as": {
- "number": 15169,
- "organization": {
- "name": "Google LLC"
- }
- },
- "address": "8.8.8.8",
- "ip": "8.8.8.8"
- },
- "source": {
- "nat": {
- "ip": "1.1.1.1"
- },
- "address": "192.168.1.1",
- "ip": "192.168.1.1"
- },
- "url": {
- "path": "/blog/ext_id=Anyclip",
- "original": "https://elastic.co/blog/ext_id=Anyclip",
- "scheme": "https",
- "domain": "elastic.co",
- "full": "https://elastic.co/blog/ext_id=Anyclip"
- },
- "tags": [
- "preserve_original_event"
- ],
- "observer": {
- "type": "proxy",
- "product": "Umbrella",
- "vendor": "Cisco"
- },
- "@timestamp": "2020-07-23T23:48:56.000Z",
- "ecs": {
- "version": "8.3.0"
- },
- "related": {
- "hash": [
- ""
- ],
- "ip": [
- "192.168.1.1",
- "1.1.1.1",
- "8.8.8.8"
- ]
- },
- "http": {
- "request": {
- "referrer": "https://google.com/elastic",
- "bytes": 850
- },
- "response": {
- "status_code": 200
- }
- },
- "event": {
- "ingested": "2021-09-13T00:16:24.480432923Z",
- "original": "\"2020-07-23 23:48:56\",\"elasticuser\",\"someotheruser\",\"192.168.1.1\",\"1.1.1.1\",\"8.8.8.8\",\"\",\"ALLOWED\",\"https://elastic.co/blog/ext_id=Anyclip\",\"https://google.com/elastic\",\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.89 Safari/537.36\",\"200\",\"850\",\"\",\"\",\"\",\"Business Services\",\"AVDetectionName\",\"Malicious\",\"MalwareName\",\"\",\"\",\"Roaming Computers\",\"\"",
- "category": "network",
- "type": [
- "allowed"
- ]
- },
- "cisco": {
- "umbrella": {
- "amp_score": "",
- "puas": "Malicious",
- "identities": [
- "someotheruser"
- ],
- "content_type": "",
- "identity_types": "Roaming Computers",
- "blocked_categories": "",
- "sha_sha256": "",
- "amp_disposition": "MalwareName",
- "categories": "Business Services",
- "av_detections":
"AVDetectionName", - "amp_malware_name": "" - } - }, - "user": { - "name": "elasticuser" - }, - "user_agent": { - "original": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.89 Safari/537.36" - } -} \ No newline at end of file diff --git a/packages/cisco_umbrella/1.3.3/docs/README.md b/packages/cisco_umbrella/1.3.3/docs/README.md deleted file mode 100755 index f85909b1e3..0000000000 --- a/packages/cisco_umbrella/1.3.3/docs/README.md +++ /dev/null 
@@ -1,278 +0,0 @@ -# Cisco Umbrella Integration - -This integration is for [Cisco Umbrella](https://docs.umbrella.com/). It includes the following -datasets for receiving logs from an AWS S3 bucket using an SQS notification queue and Cisco Managed S3 bucket without SQS: - -- `log` dataset: supports Cisco Umbrella logs. - -## Logs - -### Umbrella - -When using Cisco Managed S3 buckets that does not use SQS there is no load balancing possibilities for multiple agents, a single agent should be configured to poll the S3 bucket for new and updated files, and the number of workers can be configured to scale vertically. - -The `log` dataset collects Cisco Umbrella logs. - -An example event for `log` looks as following: - -```json -{ - "destination": { - "geo": { - "continent_name": "North America", - "country_name": "United States", - "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" - }, - "as": { - "number": 15169, - "organization": { - "name": "Google LLC" - } - }, - "address": "8.8.8.8", - "ip": "8.8.8.8" - }, - "source": { - "nat": { - "ip": "1.1.1.1" - }, - "address": "192.168.1.1", - "ip": "192.168.1.1" - }, - "url": { - "path": "/blog/ext_id=Anyclip", - "original": "https://elastic.co/blog/ext_id=Anyclip", - "scheme": "https", - "domain": "elastic.co", - "full": "https://elastic.co/blog/ext_id=Anyclip" - }, - "tags": [ - "preserve_original_event" - ], - "observer": { - "type": "proxy", - "product": "Umbrella", - "vendor": "Cisco" - }, - "@timestamp": "2020-07-23T23:48:56.000Z", - "ecs": { - "version": "8.3.0" - }, - "related": { - "hash": [ - "" - ], - "ip": [ - "192.168.1.1", - "1.1.1.1", - "8.8.8.8" - ] - }, - "http": { - "request": { - "referrer": "https://google.com/elastic", - "bytes": 850 - }, - "response": { - "status_code": 200 - } - }, - "event": { - "ingested": "2021-09-13T00:16:24.480432923Z", - "original": "\"2020-07-23 
23:48:56\",\"elasticuser\",\"someotheruser\",\"192.168.1.1\",\"1.1.1.1\",\"8.8.8.8\",\"\",\"ALLOWED\",\"https://elastic.co/blog/ext_id=Anyclip\",\"https://google.com/elastic\",\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.89 Safari/537.36\",\"200\",\"850\",\"\",\"\",\"\",\"Business Services\",\"AVDetectionName\",\"Malicious\",\"MalwareName\",\"\",\"\",\"Roaming Computers\",\"\"", - "category": "network", - "type": [ - "allowed" - ] - }, - "cisco": { - "umbrella": { - "amp_score": "", - "puas": "Malicious", - "identities": [ - "someotheruser" - ], - "content_type": "", - "identity_types": "Roaming Computers", - "blocked_categories": "", - "sha_sha256": "", - "amp_disposition": "MalwareName", - "categories": "Business Services", - "av_detections": "AVDetectionName", - "amp_malware_name": "" - } - }, - "user": { - "name": "elasticuser" - }, - "user_agent": { - "original": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.89 Safari/537.36" - } -} -``` - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. | date | -| cisco.umbrella.amp_disposition | The status of the files proxied and scanned by Cisco Advanced Malware Protection (AMP) as part of the Umbrella File Inspection feature; can be Clean, Malicious or Unknown. | keyword | -| cisco.umbrella.amp_malware_name | If Malicious, the name of the malware according to AMP. | keyword | -| cisco.umbrella.amp_score | The score of the malware from AMP. This field is not currently used and will be blank. 
| keyword | -| cisco.umbrella.audit.after | The policy or setting after the change was made. | keyword | -| cisco.umbrella.audit.before | The policy or setting before the change was made. | keyword | -| cisco.umbrella.audit.type | Where the change was made, such as settings or a policy. | keyword | -| cisco.umbrella.av_detections | The detection name according to the antivirus engine used in file inspection. | keyword | -| cisco.umbrella.blocked_categories | The categories that resulted in the destination being blocked. Available in version 4 and above. | keyword | -| cisco.umbrella.categories | The security or content categories that the destination matches. | keyword | -| cisco.umbrella.certificate_errors | | keyword | -| cisco.umbrella.content_type | The type of web content, typically text/html. | keyword | -| cisco.umbrella.datacenter | The name of the Umbrella Data Center that processed the user-generated traffic. | keyword | -| cisco.umbrella.destination_lists_id | | keyword | -| cisco.umbrella.dlp_status | | keyword | -| cisco.umbrella.file_name | | keyword | -| cisco.umbrella.identities | An array of the different identities related to the event. | keyword | -| cisco.umbrella.identity | The identity that made the request. An identity can be a high-level entity within your system (e.g a network) or very granular (e.g a single user) | keyword | -| cisco.umbrella.identity_types | The type of identity that made the request. For example, Roaming Computer or Network. | keyword | -| cisco.umbrella.origin_id | The unique identity of the network tunnel. | keyword | -| cisco.umbrella.policy_identity_type | The first identity type matched with this request. Available in version 3 and above. | keyword | -| cisco.umbrella.puas | A list of all potentially unwanted application (PUA) results for the proxied file as returned by the antivirus scanner. 
| keyword | -| cisco.umbrella.request_method | | keyword | -| cisco.umbrella.rule_id | | keyword | -| cisco.umbrella.ruleset_id | | keyword | -| cisco.umbrella.sha_sha256 | Hex digest of the response content. | keyword | -| client.domain | The domain name of the client system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | -| client.registered_domain | The highest registered client domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | -| client.subdomain | The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword | -| client.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. 
Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| destination.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| destination.as.organization.name | Organization name. | keyword | -| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. | match_only_text | -| destination.bytes | Bytes sent from the destination to the source. | long | -| destination.domain | The domain name of the destination system. 
This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | -| destination.geo.city_name | City name. | keyword | -| destination.geo.continent_name | Name of the continent. | keyword | -| destination.geo.country_iso_code | Country ISO code. | keyword | -| destination.geo.country_name | Country name. | keyword | -| destination.geo.location | Longitude and latitude. | geo_point | -| destination.geo.region_iso_code | Region ISO code. | keyword | -| destination.geo.region_name | Region name. | keyword | -| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | -| destination.mac | MAC address of the destination. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | -| destination.nat.ip | Translated ip of destination based NAT sessions (e.g. internet to private DMZ) Typically used with load balancers, firewalls, or routers. | ip | -| destination.nat.port | Port the source session is translated to by NAT Device. Typically used with load balancers, firewalls, or routers. | long | -| destination.port | Port of the destination. | long | -| dns.question.name | The name being queried. If the name field contains non-printable characters (below 32 or above 126), those characters should be represented as escaped base 10 integers (\DDD). Back slashes and quotes should be escaped. Tabs, carriage returns, and line feeds should be converted to \t, \r, and \n respectively. | keyword | -| dns.question.registered_domain | The highest registered domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). 
Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword |
-| dns.question.subdomain | The subdomain is all of the labels under the registered_domain. If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword |
-| dns.question.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword |
-| dns.question.type | The type of record being queried. | keyword |
-| dns.response_code | The DNS response code. | keyword |
-| dns.type | The type of DNS event captured, query or answer. If your source of DNS events only gives you DNS queries, you should only create dns events of type `dns.type:query`. If your source of DNS events gives you answers as well, you should create one event per query (optionally as soon as the query is seen). And a second event containing all query details as well as an array of answers. | keyword |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| error.message | Error message. | match_only_text |
-| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword |
-| event.code | Identification code for this event, if one exists. Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. | keyword |
-| event.dataset | Event dataset | constant_keyword |
-| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date |
-| event.module | Event module | constant_keyword |
-| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword |
-| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword |
-| event.timezone | This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). | keyword |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host MAC addresses. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| http.request.bytes | Total size in bytes of the request (body and headers). | long |
-| http.request.method | HTTP request method. The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field. | keyword |
-| http.request.referrer | Referrer for this HTTP request. | keyword |
-| http.response.bytes | Total size in bytes of the response (body and headers). | long |
-| http.response.status_code | HTTP response status code. | long |
-| input.type | Type of Filebeat input. | keyword |
-| log.file.path | Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. | keyword |
-| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text |
-| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword |
-| network.direction | Direction of the network traffic. When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword |
-| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword |
-| observer.product | The product name of the observer. | keyword |
-| observer.type | The type of the observer the data is coming from. There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. | keyword |
-| observer.vendor | Vendor name of the observer. | keyword |
-| related.hash | All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). | keyword |
-| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword |
-| related.ip | All of the IPs seen on your event. | ip |
-| related.user | All the user names or other user identifiers seen on the event. | keyword |
-| rule.id | A rule ID that is unique within the scope of an agent, observer, or other entity using the rule for detection of this event. | keyword |
-| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
-| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long |
-| source.as.organization.name | Organization name. | keyword |
-| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text |
-| source.bytes | Bytes sent from the source to the destination. | long |
-| source.domain | The domain name of the source system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword |
-| source.geo.city_name | City name. | keyword |
-| source.geo.continent_name | Name of the continent. | keyword |
-| source.geo.country_iso_code | Country ISO code. | keyword |
-| source.geo.country_name | Country name. | keyword |
-| source.geo.location | Longitude and latitude. | geo_point |
-| source.geo.region_iso_code | Region ISO code. | keyword |
-| source.geo.region_name | Region name. | keyword |
-| source.ip | IP address of the source (IPv4 or IPv6). | ip |
-| source.mac | MAC address of the source. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword |
-| source.nat.ip | Translated ip of source based NAT sessions (e.g. internal client to internet) Typically connections traversing load balancers, firewalls, or routers. | ip |
-| source.nat.port | Translated port of source based NAT sessions. (e.g. internal client to internet) Typically used with load balancers, firewalls, or routers. | long |
-| source.port | Port of the source. | long |
-| source.registered_domain | The highest registered source domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword |
-| source.subdomain | The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword |
-| source.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword |
-| tags | List of keywords used to tag each event. | keyword |
-| url.domain | Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. | keyword |
-| url.extension | The field contains the file extension from the original request url, excluding the leading dot. The file extension is only set if it exists, as not every url has a file extension. The leading period must not be included. For example, the value must be "png", not ".png". Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword |
-| url.full | If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. | wildcard |
-| url.full.text | Multi-field of `url.full`. | match_only_text |
-| url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | wildcard |
-| url.original.text | Multi-field of `url.original`. | match_only_text |
-| url.path | Path of the request, such as "/search". | wildcard |
-| url.query | The query field describes the query string of the request, such as "q=elasticsearch". The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. | keyword |
-| url.scheme | Scheme of the request, such as "https". Note: The `:` is not part of the scheme. | keyword |
-| user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword |
-| user.email | User email address. | keyword |
-| user.full_name | User's full name, if available. | keyword |
-| user.full_name.text | Multi-field of `user.full_name`. | match_only_text |
-| user.id | Unique identifier of the user. | keyword |
-| user.name | Short name or login of the user. | keyword |
-| user.name.text | Multi-field of `user.name`. | match_only_text |
-| user_agent.original | Unparsed user_agent string. | keyword |
-| user_agent.original.text | Multi-field of `user_agent.original`. | match_only_text |
diff --git a/packages/cisco_umbrella/1.3.3/img/cisco.svg b/packages/cisco_umbrella/1.3.3/img/cisco.svg
deleted file mode 100755
index 20ebebf197..0000000000
--- a/packages/cisco_umbrella/1.3.3/img/cisco.svg
+++ /dev/null
@@ -1 +0,0 @@
-
\ No newline at end of file
diff --git a/packages/cisco_umbrella/1.3.3/manifest.yml b/packages/cisco_umbrella/1.3.3/manifest.yml
deleted file mode 100755
index 3de9b22c3e..0000000000
--- a/packages/cisco_umbrella/1.3.3/manifest.yml
+++ /dev/null
@@ -1,28 +0,0 @@
-format_version: 1.0.0
-name: cisco_umbrella
-title: Cisco Umbrella
-version: "1.3.3"
-license: basic
-description: Collect logs from Cisco Umbrella with Elastic Agent.
-type: integration
-categories:
- - network
- - security
-release: ga
-conditions:
- kibana.version: "^8.0.0"
-icons:
- - src: /img/cisco.svg
- title: cisco
- size: 216x216
- type: image/svg+xml
-policy_templates:
- - name: cisco_umbrella
- title: Cisco Umbrella logs
- description: Collect logs from Cisco Umbrella instances
- inputs:
- - type: aws-s3
- title: Collect logs from Cisco Umbrella
- description: Collecting logs from Cisco Umbrella
-owner:
- github: elastic/security-external-integrations
diff --git a/packages/cisco_umbrella/1.4.0/LICENSE.txt b/packages/cisco_umbrella/1.4.0/LICENSE.txt
deleted file mode 100755
index 809108b857..0000000000
--- a/packages/cisco_umbrella/1.4.0/LICENSE.txt
+++ /dev/null
@@ -1,93 +0,0 @@
-Elastic License 2.0
-
-URL: https://www.elastic.co/licensing/elastic-license
-
-## Acceptance
-
-By using the software, you agree to all of the terms and conditions below.
-
-## Copyright License
-
-The licensor grants you a non-exclusive, royalty-free, worldwide,
-non-sublicensable, non-transferable license to use, copy, distribute, make
-available, and prepare derivative works of the software, in each case subject to
-the limitations and conditions below.
-
-## Limitations
-
-You may not provide the software to third parties as a hosted or managed
-service, where the service provides users with access to any substantial set of
-the features or functionality of the software.
-
-You may not move, change, disable, or circumvent the license key functionality
-in the software, and you may not remove or obscure any functionality in the
-software that is protected by the license key.
-
-You may not alter, remove, or obscure any licensing, copyright, or other notices
-of the licensor in the software. Any use of the licensor’s trademarks is subject
-to applicable law.
-
-## Patents
-
-The licensor grants you a license, under any patent claims the licensor can
-license, or becomes able to license, to make, have made, use, sell, offer for
-sale, import and have imported the software, in each case subject to the
-limitations and conditions in this license. This license does not cover any
-patent claims that you cause to be infringed by modifications or additions to
-the software. If you or your company make any written claim that the software
-infringes or contributes to infringement of any patent, your patent license for
-the software granted under these terms ends immediately. If your company makes
-such a claim, your patent license ends immediately for work on behalf of your
-company.
-
-## Notices
-
-You must ensure that anyone who gets a copy of any part of the software from you
-also gets a copy of these terms.
-
-If you modify the software, you must include in any modified copies of the
-software prominent notices stating that you have modified the software.
-
-## No Other Rights
-
-These terms do not imply any licenses other than those expressly granted in
-these terms.
-
-## Termination
-
-If you use the software in violation of these terms, such use is not licensed,
-and your licenses will automatically terminate. If the licensor provides you
-with a notice of your violation, and you cease all violation of this license no
-later than 30 days after you receive that notice, your licenses will be
-reinstated retroactively. However, if you violate these terms after such
-reinstatement, any additional violation of these terms will cause your licenses
-to terminate automatically and permanently.
-
-## No Liability
-
-*As far as the law allows, the software comes as is, without any warranty or
-condition, and the licensor will not be liable to you for any damages arising
-out of these terms or the use or nature of the software, under any kind of
-legal claim.*
-
-## Definitions
-
-The **licensor** is the entity offering these terms, and the **software** is the
-software the licensor makes available under these terms, including any portion
-of it.
-
-**you** refers to the individual or entity agreeing to these terms.
-
-**your company** is any legal entity, sole proprietorship, or other kind of
-organization that you work for, plus all organizations that have control over,
-are under the control of, or are under common control with that
-organization. **control** means ownership of substantially all the assets of an
-entity, or the power to direct its management and policies by vote, contract, or
-otherwise. Control can be direct or indirect.
-
-**your licenses** are all the licenses granted to you for the software under
-these terms.
-
-**use** means anything you do with the software requiring one of your licenses.
-
-**trademark** means trademarks, service marks, and similar rights.
diff --git a/packages/cisco_umbrella/1.4.0/changelog.yml b/packages/cisco_umbrella/1.4.0/changelog.yml
deleted file mode 100755
index 06d49120f9..0000000000
--- a/packages/cisco_umbrella/1.4.0/changelog.yml
+++ /dev/null
@@ -1,121 +0,0 @@
-# newer versions go on top
-- version: "1.4.0"
- changes:
- - description: Expose Default Region setting to UI
- type: enhancement
- link: https://github.com/elastic/integrations/pull/4158
-- version: "1.3.3"
- changes:
- - description: Use ECS geo.location definition.
- type: enhancement
- link: https://github.com/elastic/integrations/issues/4227
-- version: "1.3.2"
- changes:
- - description: Fix proxy log CSV fields
- type: bugfix
- link: https://github.com/elastic/integrations/pull/4085
-- version: "1.3.1"
- changes:
- - description: Set default endpoint to empty string
- type: bugfix
- link: https://github.com/elastic/integrations/pull/4103
-- version: "1.3.0"
- changes:
- - description: Update package to ECS 8.4.0
- type: enhancement
- link: https://github.com/elastic/integrations/pull/3843
-- version: "1.2.2"
- changes:
- - description: Fix proxy URL documentation rendering.
- type: bugfix
- link: https://github.com/elastic/integrations/pull/3881
-- version: "1.2.1"
- changes:
- - description: Add missing proxy config to S3 input
- type: enhancement
- link: https://github.com/elastic/integrations/pull/3813
-- version: "1.2.0"
- changes:
- - description: Enrich DNS fields
- type: enhancement
- link: https://github.com/elastic/integrations/pull/3712
-- version: "1.1.0"
- changes:
- - description: Update package to ECS 8.3.0.
- type: enhancement
- link: https://github.com/elastic/integrations/pull/3353
-- version: "1.0.1"
- changes:
- - description: Update to readme. added link to Cisco documentation
- type: enhancement
- link: https://github.com/elastic/integrations/pull/3219
-- version: "1.0.0"
- changes:
- - description: Make GA
- type: enhancement
- link: https://github.com/elastic/integrations/pull/3428
-- version: "0.7.0"
- changes:
- - description: Add Audit Logs
- type: enhancement
- link: https://github.com/elastic/integrations/pull/3332
-- version: "0.6.1"
- changes:
- - description: Fix use of destination.ip instead of source.nat.ip in DNS logs
- type: bugfix
- link: https://github.com/elastic/integrations/pull/3218
-- version: "0.6.0"
- changes:
- - description: Update to ECS 8.2
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2778
-- version: "0.5.1"
- changes:
- - description: Add documentation for multi-fields
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2916
-- version: "0.5.0"
- changes:
- - description: Update to ECS 8.0
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2396
-- version: "0.4.0"
- changes:
- - description: Update config to support Cisco Managed S3
- type: bugfix
- link: https://github.com/elastic/integrations/pull/2462
-- version: "0.3.2"
- changes:
- - description: Regenerate test files using the new GeoIP database
- type: bugfix
- link: https://github.com/elastic/integrations/pull/2339
-- version: "0.3.1"
- changes:
- - description: Change test public IPs to the supported subset
- type: bugfix
- link: https://github.com/elastic/integrations/pull/2327
-- version: "0.3.0"
- changes:
- - description: Add 8.0.0 version constraint
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2269
-- version: "0.2.2"
- changes:
- - description: Update Title and Description.
- type: enhancement
- link: https://github.com/elastic/integrations/pull/1959
-- version: "0.2.1"
- changes:
- - description: Fix logic that checks for the 'forwarded' tag
- type: bugfix
- link: https://github.com/elastic/integrations/pull/1810
-- version: "0.2.0"
- changes:
- - description: Update to ECS 1.12.0
- type: enhancement
- link: https://github.com/elastic/integrations/pull/1787
-- version: "0.1.0"
- changes:
- - description: Initial migration from Filebeat Module
- type: enhancement
- link: https://github.com/elastic/integrations/pull/1646
diff --git a/packages/cisco_umbrella/1.4.0/data_stream/log/agent/stream/aws-s3.yml.hbs b/packages/cisco_umbrella/1.4.0/data_stream/log/agent/stream/aws-s3.yml.hbs
deleted file mode 100755
index caea4c7d2e..0000000000
--- a/packages/cisco_umbrella/1.4.0/data_stream/log/agent/stream/aws-s3.yml.hbs
+++ /dev/null
@@ -1,76 +0,0 @@
-{{#if queue_url}}
-queue_url: {{queue_url}}
-{{/if}}
-{{#if bucket_arn}}
-bucket_arn: {{bucket_arn}}
-{{/if}}
-{{#if bucket_list_prefix}}
-bucket_list_prefix: {{bucket_list_prefix}}/
-{{/if}}
-{{#if bucket_list_prefix}}
-file_selectors:
- - regex: {{bucket_list_prefix}}/dnslogs/.+
- - regex: {{bucket_list_prefix}}/proxylogs/.+
- - regex: {{bucket_list_prefix}}/cloudfirewalllogs/.+
- - regex: {{bucket_list_prefix}}/iplogs/.+
- - regex: {{bucket_list_prefix}}/auditlogs/.+
-{{/if}}
-{{#if region}}
-default_region: {{region}}
-{{/if}}
-{{#if credential_profile_name}}
-credential_profile_name: {{credential_profile_name}}
-{{/if}}
-{{#if shared_credential_file}}
-shared_credential_file: {{shared_credential_file}}
-{{/if}}
-{{#if visibility_timeout}}
-visibility_timeout: {{visibility_timeout}}
-{{/if}}
-{{#if api_timeout}}
-api_timeout: {{api_timeout}}
-{{/if}}
-{{#if endpoint}}
-endpoint: {{endpoint}}
-{{/if}}
-{{#if default_region}}
-default_region: {{default_region}}
-{{/if}}
-{{#if access_key_id}}
-access_key_id: {{access_key_id}}
-{{/if}}
-{{#if secret_access_key}}
-secret_access_key: {{secret_access_key}}
-{{/if}}
-{{#if session_token}}
-session_token: {{session_token}}
-{{/if}}
-{{#if role_arn}}
-role_arn: {{role_arn}}
-{{/if}}
-{{#if fips_enabled}}
-fips_enabled: {{fips_enabled}}
-{{/if}}
-{{#if proxy_url }}
-proxy_url: {{proxy_url}}
-{{/if}}
-{{#if number_of_workers}}
-number_of_workers: {{number_of_workers}}
-{{/if}}
-{{#if bucket_list_interval}}
-bucket_list_interval: {{bucket_list_interval}}
-{{/if}}
-tags:
-{{#if preserve_original_event}}
- - preserve_original_event
-{{/if}}
-{{#each tags as |tag i|}}
- - {{tag}}
-{{/each}}
-{{#contains "forwarded" tags}}
-publisher_pipeline.disable_host: true
-{{/contains}}
-{{#if processors}}
-processors:
-{{processors}}
-{{/if}}
\ No newline at end of file
diff --git a/packages/cisco_umbrella/1.4.0/data_stream/log/elasticsearch/ingest_pipeline/default.yml b/packages/cisco_umbrella/1.4.0/data_stream/log/elasticsearch/ingest_pipeline/default.yml
deleted file mode 100755
index 4b4aeeb8e1..0000000000
--- a/packages/cisco_umbrella/1.4.0/data_stream/log/elasticsearch/ingest_pipeline/default.yml
+++ /dev/null
@@ -1,441 +0,0 @@ ---- -description: Pipeline for Cisco Umbrella - -processors: - - set: - field: ecs.version - value: '8.4.0' - - set: - field: observer.vendor - value: Cisco - - set: - field: observer.product - value: Umbrella - - rename: - field: message - target_field: event.original - ############ - # DNS Logs # - ############ - - csv: - field: event.original - target_fields: - - cisco.umbrella._tmp.time - - user.name - - cisco.umbrella.identities - - source.address - - source.nat.ip - - cisco.umbrella.action - - dns.question.type - - dns.response_code - - dns.question.name - - cisco.umbrella.categories - - cisco.umbrella.policy_identity_type - - cisco.umbrella.identity_types - - cisco.umbrella.blocked_categories - if: ctx.log?.file?.path.contains('dnslogs') - - gsub: - description: Strip tailing dot from DNS names. - field: dns.question.name - pattern: '\.$' - replacement: '' - ignore_missing: true - - set: - field: observer.type - value: dns - if: ctx.log?.file?.path.contains('dnslogs') - ########### - # IP Logs # - ########### - - csv: - field: event.original - target_fields: - - cisco.umbrella._tmp.time - - user.name - - source.address - - source.port - - destination.address - - destination.port - - cisco.umbrella.categories - if: ctx.log?.file?.path.contains('iplogs') - - - set: - field: observer.type - value: firewall - if: ctx.log?.file?.path.contains('iplogs') - - ############## - # Proxy Logs # - ############## - - csv: - field: event.original - target_fields: - - cisco.umbrella._tmp.time - - cisco.umbrella.identity - - source.address - - source.nat.ip - - destination.address - - cisco.umbrella.content_type - - cisco.umbrella.verdict - - url.full - - http.request.referrer - - user_agent.original - - http.response.status_code - - http.request.bytes - - http.response.bytes - - http.response.body.bytes - - cisco.umbrella.sha_sha256 - - cisco.umbrella.categories - - cisco.umbrella.av_detections - - cisco.umbrella.puas - - cisco.umbrella.amp_disposition - 
- cisco.umbrella.amp_malware_name - - cisco.umbrella.amp_score - - cisco.umbrella.identity_types - - cisco.umbrella.blocked_categories - - cisco.umbrella.identities - - cisco.umbrella.identity_types - - cisco.umbrella.request_method - - cisco.umbrella.dlp_status - - cisco.umbrella.certificate_errors - - cisco.umbrella.file_name - - cisco.umbrella.ruleset_id - - cisco.umbrella.rule_id - - cisco.umbrella.destination_lists_id - if: ctx.log?.file?.path.contains('proxylogs') - - - set: - field: observer.type - value: proxy - if: ctx.log?.file?.path.contains('proxylogs') - - ####################### - # Cloud Firewall Logs # - ####################### - - csv: - field: event.original - target_fields: - - cisco.umbrella._tmp.time - - cisco.umbrella.origin_id - - user.name - - cisco.umbrella.identity_types - - cisco.umbrella.direction - - network.transport - - source.bytes - - source.address - - source.port - - destination.address - - destination.port - - cisco.umbrella.datacenter - - cisco.umbrella.ruleid - - cisco.umbrella.verdict - if: ctx.log?.file?.path.contains('cloudfirewalllogs') - - - set: - field: observer.type - value: firewall - if: ctx.log?.file?.path.contains('cloudfirewalllogs') - - ####################### - # Audit Logs # - ####################### - - csv: - field: event.original - target_fields: - - event.id - - cisco.umbrella._tmp.time - - user.email - - user.name - - cisco.umbrella.audit.type - - event.action - - source.address - - cisco.umbrella.audit.before - - cisco.umbrella.audit.after - if: ctx.log?.file?.path.contains('auditlogs') - - - uri_parts: - field: url.full - ignore_failure: true - if: ctx.url?.full != null - - # Identifies is a field that includes any sort of username, device or other asset that is included in the request. 
- # Converting this to an array to make it easier to use in searches and visualizations - - split: - field: cisco.umbrella.identities - separator: ",\\s*" - preserve_trailing: false - if: "ctx.cisco?.umbrella?.identities != null && (ctx.log?.file?.path.contains('dnslogs') || ctx.log?.file?.path.contains('proxylogs'))" - - split: - field: cisco.umbrella.categories - separator: ",\\s*" - preserve_trailing: false - if: "ctx.log?.file?.path.contains('dnslogs') && ctx.cisco?.umbrella?.categories != null" - - split: - field: cisco.umbrella.blocked_categories - separator: ",\\s*" - preserve_trailing: false - if: "ctx.log?.file?.path.contains('dnslogs') && ctx.cisco?.umbrella?.blocked_categories != null" - - split: - field: cisco.umbrella.identity_types - separator: ",\\s*" - preserve_trailing: false - if: "ctx.cisco?.umbrella?.identity_types != null" - - ###################### - # General ECS Fields # - ###################### - # This field is always in UTC, so no timezone should need to be set - - date: - field: cisco.umbrella._tmp.time - target_field: "@timestamp" - formats: - - "yyyy-MM-dd HH:mm:ss" - - ISO8601 - if: ctx.cisco?.umbrella?._tmp?.time != null - ################## - # DNS ECS Fields # - ################## - - set: - field: dns.type - value: query - if: ctx.cisco?.umbrella?.action != null - - registered_domain: - field: dns.question.name - target_field: dns.question - ignore_missing: true - ignore_failure: true - - remove: - field: dns.question.domain - ignore_missing: true - ###################### - # Network ECS Fields # - ###################### - - lowercase: - field: cisco.umbrella.direction - target_field: network.direction - if: ctx.cisco?.umbrella?.direction != null - - convert: - field: source.bytes - type: long - if: ctx.source?.bytes != null - - convert: - field: source.port - type: long - if: ctx.source?.port != null - - convert: - field: destination.port - type: long - if: ctx.destination?.port != null - ################### - # HTTP ECS Fields # 
- ################### - - convert: - field: http.request.bytes - type: long - if: ctx.http?.request?.bytes != null - - convert: - field: http.response.bytes - type: long - if: ctx.http?.response?.bytes != null - - convert: - field: http.response.status_code - type: long - if: ctx.http?.response?.status_code != null - ################### - # Rule ECS Fields # - ################### - - rename: - field: cisco.umbrella.ruleid - target_field: rule.id - if: ctx.cisco?.umbrella?.ruleid != null - - #################### - # Event ECS Fields # - #################### - - set: - field: event.action - value: "dns-request-{{cisco.umbrella.action}}" - if: ctx.cisco?.umbrella?.action != null - - set: - field: event.category - value: network - if: "!ctx.log?.file?.path.contains('auditlogs')" - - append: - field: event.type - value: allowed - if: "ctx.cisco?.umbrella?.action == 'Allowed' || ['ALLOWED','ALLOW'].contains(ctx.cisco?.umbrella?.verdict)" - - append: - field: event.type - value: denied - if: "ctx.cisco?.umbrella?.action == 'Blocked' || ['BLOCKED','BLOCK'].contains(ctx.cisco?.umbrella?.verdict)" - - append: - field: event.type - value: connection - if: ctx.cisco?.umbrella?.action != null - - set: - field: event.category - value: configuration - if: "ctx.log?.file?.path.contains('auditlogs')" - - append: - field: event.type - value: creation - if: "ctx.log?.file?.path.contains('auditlogs') && ctx.event?.action.toLowerCase() == 'create'" - - append: - field: event.type - value: change - if: "ctx.log?.file?.path.contains('auditlogs') && ctx.event?.action.toLowerCase() == 'update'" - - append: - field: event.type - value: deletion - if: "ctx.log?.file?.path.contains('auditlogs') && ctx.event?.action.toLowerCase() == 'delete'" - # Converting address fields to either ip or domain - - convert: - field: source.address - target_field: source.ip - type: ip - ignore_missing: true - on_failure: - - set: - copy_from: source.address - field: source.domain - override: true - - - convert: 
- field: destination.address - target_field: destination.ip - type: ip - ignore_missing: true - on_failure: - - set: - field: destination.domain - copy_from: destination.address - override: true - - # For nat, there's no address or domain subfield. - # If the value is not a valid IP, it must be removed - # or ingestion will fail. Probably just an empty value. - - convert: - field: source.nat.ip - type: ip - ignore_missing: true - on_failure: - - remove: - field: source.nat.ip - - - community_id: - ignore_missing: true - - geoip: - field: source.ip - target_field: source.geo - ignore_missing: true - - geoip: - database_file: GeoLite2-ASN.mmdb - field: source.ip - target_field: source.as - properties: - - asn - - organization_name - ignore_missing: true - - rename: - field: source.as.asn - target_field: source.as.number - ignore_missing: true - - rename: - field: source.as.organization_name - target_field: source.as.organization.name - ignore_missing: true - - geoip: - field: destination.ip - target_field: destination.geo - ignore_missing: true - - geoip: - database_file: GeoLite2-ASN.mmdb - field: destination.ip - target_field: destination.as - properties: - - asn - - organization_name - ignore_missing: true - - rename: - field: destination.as.asn - target_field: destination.as.number - ignore_missing: true - - rename: - field: destination.as.organization_name - target_field: destination.as.organization.name - ignore_missing: true - ###################### - # Related ECS Fields # - ###################### - - append: - field: related.user - value: "{{user.name}}" - if: ctx.source?.user?.name != null - - append: - field: related.ip - value: "{{source.ip}}" - if: ctx.source?.ip != null - - append: - field: related.ip - value: "{{source.nat.ip}}" - if: ctx.source?.nat?.ip != null - - append: - field: related.ip - value: "{{destination.ip}}" - if: ctx.destination?.ip != null - - append: - field: related.hosts - value: "{{source.domain}}" - if: ctx.source?.domain != null 
- - append: - field: related.hosts - value: "{{dns.question.name}}" - if: ctx.dns?.question?.name != null - - append: - field: related.hash - value: "{{cisco.umbrella.sha_sha256}}" - if: ctx.cisco?.umbrella?.sha_sha256 != null - - script: - if: ctx.cisco?.umbrella?.identities != null && ctx.cisco.umbrella.identities instanceof List - lang: painless - description: "Extract user name values from ctx.cisco.umbrella.identities and append it to related.user" - source: |- - void addRelatedUser(def ctx, def x) { - if (ctx.related == null) { - Map map = new HashMap(); - ctx.put("related", map); - } - if (ctx.related?.user == null) { - ArrayList al = new ArrayList(); - ctx.related.put("user", al); - } - if (!ctx.related.user.contains(x)) { - ctx.related.user.add(x); - } - } - for (cisco_identity in ctx.cisco.umbrella.identities) { - if (cisco_identity.contains('@')) { - addRelatedUser(ctx, cisco_identity); - } - } - - ########### - # Cleanup # - ########### - - remove: - field: - - cisco.umbrella._tmp - - cisco.umbrella.direction - - cisco.umbrella.action - - cisco.umbrella.verdict - ignore_missing: true - - - remove: - field: event.original - if: "ctx.tags == null || !(ctx.tags.contains('preserve_original_event'))" - ignore_failure: true - ignore_missing: true -on_failure: - - set: - field: error.message - value: "{{ _ingest.on_failure_message }}" diff --git a/packages/cisco_umbrella/1.4.0/data_stream/log/fields/agent.yml b/packages/cisco_umbrella/1.4.0/data_stream/log/fields/agent.yml deleted file mode 100755 index da4e652c53..0000000000 --- a/packages/cisco_umbrella/1.4.0/data_stream/log/fields/agent.yml +++ /dev/null 
@@ -1,198 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/cisco_umbrella/1.4.0/data_stream/log/fields/base-fields.yml b/packages/cisco_umbrella/1.4.0/data_stream/log/fields/base-fields.yml
deleted file mode 100755
index 1fb9b67d57..0000000000
--- a/packages/cisco_umbrella/1.4.0/data_stream/log/fields/base-fields.yml
+++ /dev/null
@@ -1,24 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: event.module
- type: constant_keyword
- description: Event module
- value: cisco_umbrella
-- name: event.dataset
- type: constant_keyword
- description: Event dataset
- value: cisco_umbrella.log
-- name: container.id
- description: Unique container id.
- ignore_above: 1024
- type: keyword
-- name: input.type
- description: Type of Filebeat input.
- type: keyword
diff --git a/packages/cisco_umbrella/1.4.0/data_stream/log/fields/ecs.yml b/packages/cisco_umbrella/1.4.0/data_stream/log/fields/ecs.yml
deleted file mode 100755
index b8fef2a8cb..0000000000
--- a/packages/cisco_umbrella/1.4.0/data_stream/log/fields/ecs.yml
+++ /dev/null
@@ -1,428 +0,0 @@ -- description: |- - Date/time when the event originated. - This is the date/time extracted from the event, typically representing when the event was generated by the source. - If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. - Required field for all events. - name: '@timestamp' - type: date -- description: |- - The domain name of the client system. - This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. - name: client.domain - type: keyword -- description: |- - The highest registered client domain, stripped of the subdomain. - For example, the registered domain for "foo.example.com" is "example.com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". - name: client.registered_domain - type: keyword -- description: |- - The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. - For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. - name: client.subdomain - type: keyword -- description: |- - The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). 
Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". - name: client.top_level_domain - type: keyword -- description: |- - Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: destination.address - type: keyword -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: destination.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: destination.as.organization.name - type: keyword -- description: Bytes sent from the destination to the source. - name: destination.bytes - type: long -- description: |- - The domain name of the destination system. - This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. - name: destination.domain - type: keyword -- description: City name. - name: destination.geo.city_name - type: keyword -- description: Country name. - name: destination.geo.country_name - type: keyword -- description: Name of the continent. - name: destination.geo.continent_name - type: keyword -- description: Region ISO code. - name: destination.geo.region_iso_code - type: keyword -- description: Region name. - name: destination.geo.region_name - type: keyword -- description: Country ISO code. - name: destination.geo.country_iso_code - type: keyword -- description: Longitude and latitude. - name: destination.geo.location - type: geo_point -- description: IP address of the destination (IPv4 or IPv6). - name: destination.ip - type: ip -- description: |- - MAC address of the destination. 
- The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. - name: destination.mac - pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ - type: keyword -- description: |- - Translated ip of destination based NAT sessions (e.g. internet to private DMZ) - Typically used with load balancers, firewalls, or routers. - name: destination.nat.ip - type: ip -- description: |- - Port the source session is translated to by NAT Device. - Typically used with load balancers, firewalls, or routers. - name: destination.nat.port - type: long -- description: Port of the destination. - name: destination.port - type: long -- description: The DNS response code. - name: dns.response_code - type: keyword -- description: The type of record being queried. - name: dns.question.type - type: keyword -- description: |- - The type of DNS event captured, query or answer. - If your source of DNS events only gives you DNS queries, you should only create dns events of type `dns.type:query`. - If your source of DNS events gives you answers as well, you should create one event per query (optionally as soon as the query is seen). And a second event containing all query details as well as an array of answers. - name: dns.type - type: keyword -- description: |- - The name being queried. - If the name field contains non-printable characters (below 32 or above 126), those characters should be represented as escaped base 10 integers (\DDD). Back slashes and quotes should be escaped. Tabs, carriage returns, and line feeds should be converted to \t, \r, and \n respectively. - name: dns.question.name - type: keyword -- description: |- - The highest registered domain, stripped of the subdomain. - For example, the registered domain for "foo.example.com" is "example.com". 
- This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". - name: dns.question.registered_domain - type: keyword -- description: |- - The subdomain is all of the labels under the registered_domain. - If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. - name: dns.question.subdomain - type: keyword -- description: |- - The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". - name: dns.question.top_level_domain - type: keyword -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: Error message. - name: error.message - type: match_only_text -- description: |- - The action captured by the event. - This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. - name: event.action - type: keyword -- description: |- - Identification code for this event, if one exists. - Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. 
- name: event.code - type: keyword -- description: |- - Timestamp when an event arrived in the central data store. - This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. - In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. - name: event.ingested - type: date -- description: |- - Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. - This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. - doc_values: false - index: false - name: event.original - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. - `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. - Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. - Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. - Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. 
- name: event.outcome - type: keyword -- description: |- - This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. - Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). - name: event.timezone - type: keyword -- description: |- - Hostname of the host. - It normally contains what the `hostname` command returns on the host machine. - name: host.hostname - type: keyword -- description: Host ip addresses. - name: host.ip - normalize: - - array - type: ip -- description: |- - Host MAC addresses. - The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. - name: host.mac - normalize: - - array - pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ - type: keyword -- description: |- - Name of the host. - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. - name: host.name - type: keyword -- description: |- - HTTP request method. - The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field. - name: http.request.method - type: keyword -- description: Referrer for this HTTP request. - name: http.request.referrer - type: keyword -- description: Total size in bytes of the request (body and headers). - name: http.request.bytes - type: long -- description: HTTP response status code. - name: http.response.status_code - type: long -- description: Total size in bytes of the response (body and headers). 
- name: http.response.bytes - type: long -- description: |- - For log events the message field contains the log message, optimized for viewing in a log viewer. - For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. - If multiple messages exist, they can be combined into one message. - name: message - type: match_only_text -- description: |- - Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) - The field value must be normalized to lowercase for querying. - name: network.transport - type: keyword -- description: |- - Direction of the network traffic. - When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". - When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". - Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. - name: network.direction - type: keyword -- description: |- - A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. - Learn more at https://github.com/corelight/community-id-spec. - name: network.community_id - type: keyword -- description: The product name of the observer. - name: observer.product - type: keyword -- description: |- - The type of the observer the data is coming from. - There is no predefined list of observer types. 
Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. - name: observer.type - type: keyword -- description: Vendor name of the observer. - name: observer.vendor - type: keyword -- description: All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. - name: related.hosts - normalize: - - array - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - normalize: - - array - type: ip -- description: All the user names or other user identifiers seen on the event. - name: related.user - normalize: - - array - type: keyword -- description: All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). - name: related.hash - normalize: - - array - type: keyword -- description: |- - Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: source.address - type: keyword -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: source.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: source.as.organization.name - type: keyword -- description: Bytes sent from the source to the destination. - name: source.bytes - type: long -- description: |- - The domain name of the source system. - This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. 
- name: source.domain - type: keyword -- description: City name. - name: source.geo.city_name - type: keyword -- description: Country name. - name: source.geo.country_name - type: keyword -- description: Name of the continent. - name: source.geo.continent_name - type: keyword -- description: Country ISO code. - name: source.geo.country_iso_code - type: keyword -- description: Longitude and latitude. - name: source.geo.location - type: geo_point -- description: Region ISO code. - name: source.geo.region_iso_code - type: keyword -- description: Region name. - name: source.geo.region_name - type: keyword -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: |- - MAC address of the source. - The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. - name: source.mac - pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ - type: keyword -- description: |- - Translated ip of source based NAT sessions (e.g. internal client to internet) - Typically connections traversing load balancers, firewalls, or routers. - name: source.nat.ip - type: ip -- description: |- - Translated port of source based NAT sessions. (e.g. internal client to internet) - Typically used with load balancers, firewalls, or routers. - name: source.nat.port - type: long -- description: Port of the source. - name: source.port - type: long -- description: |- - The highest registered source domain, stripped of the subdomain. - For example, the registered domain for "foo.example.com" is "example.com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". 
- name: source.registered_domain - type: keyword -- description: |- - The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. - For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. - name: source.subdomain - type: keyword -- description: |- - The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". - name: source.top_level_domain - type: keyword -- description: List of keywords used to tag each event. - name: tags - normalize: - - array - type: keyword -- description: |- - Domain of the url, such as "www.elastic.co". - In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. - If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. - name: url.domain - type: keyword -- description: |- - Unmodified original url as seen in the event source. - Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. - This field is meant to represent the URL as it was observed, complete or not. 
- multi_fields: - - name: text - type: match_only_text - name: url.original - type: wildcard -- description: Path of the request, such as "/search". - name: url.path - type: wildcard -- description: |- - The query field describes the query string of the request, such as "q=elasticsearch". - The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. - name: url.query - type: keyword -- description: |- - The field contains the file extension from the original request url, excluding the leading dot. - The file extension is only set if it exists, as not every url has a file extension. - The leading period must not be included. For example, the value must be "png", not ".png". - Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). - name: url.extension - type: keyword -- description: |- - Scheme of the request, such as "https". - Note: The `:` is not part of the scheme. - name: url.scheme - type: keyword -- description: If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. - multi_fields: - - name: text - type: match_only_text - name: url.full - type: wildcard -- description: |- - Name of the directory the user is a member of. - For example, an LDAP or Active Directory domain name. - name: user.domain - type: keyword -- description: User's full name, if available. - multi_fields: - - name: text - type: match_only_text - name: user.full_name - type: keyword -- description: Unique identifier of the user. - name: user.id - type: keyword -- description: Short name or login of the user. - multi_fields: - - name: text - type: match_only_text - name: user.name - type: keyword -- description: User email address. 
- name: user.email - type: keyword -- description: Unparsed user_agent string. - multi_fields: - - name: text - type: match_only_text - name: user_agent.original - type: keyword -- description: A rule ID that is unique within the scope of an agent, observer, or other entity using the rule for detection of this event. - name: rule.id - type: keyword -- description: |- - Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. - If the event wasn't read from a log file, do not populate this field. - name: log.file.path - type: keyword diff --git a/packages/cisco_umbrella/1.4.0/data_stream/log/fields/fields.yml b/packages/cisco_umbrella/1.4.0/data_stream/log/fields/fields.yml deleted file mode 100755 index 286baf6dd1..0000000000 --- a/packages/cisco_umbrella/1.4.0/data_stream/log/fields/fields.yml +++ /dev/null 
@@ -1,104 +0,0 @@
-- name: cisco.umbrella
- type: group
- description: >
- Fields for Cisco Umbrella.
-
- fields:
- - name: identity
- type: keyword
- description: >
- The identity that made the request. An identity can be a high-level entity within your system (e.g a network) or very granular (e.g a single user)
-
- - name: identities
- type: keyword
- description: >
- An array of the different identities related to the event.
-
- - name: categories
- type: keyword
- description: >
- The security or content categories that the destination matches.
-
- - name: policy_identity_type
- type: keyword
- description: >
- The first identity type matched with this request. Available in version 3 and above.
-
- - name: identity_types
- type: keyword
- description: >
- The type of identity that made the request. For example, Roaming Computer or Network.
-
- - name: blocked_categories
- type: keyword
- description: >
- The categories that resulted in the destination being blocked. Available in version 4 and above.
-
- - name: content_type
- type: keyword
- description: >
- The type of web content, typically text/html.
-
- - name: sha_sha256
- type: keyword
- description: >
- Hex digest of the response content.
-
- - name: av_detections
- type: keyword
- description: >
- The detection name according to the antivirus engine used in file inspection.
-
- - name: puas
- type: keyword
- description: >
- A list of all potentially unwanted application (PUA) results for the proxied file as returned by the antivirus scanner.
-
- - name: amp_disposition
- type: keyword
- description: >
- The status of the files proxied and scanned by Cisco Advanced Malware Protection (AMP) as part of the Umbrella File Inspection feature; can be Clean, Malicious or Unknown.
-
- - name: amp_malware_name
- type: keyword
- description: >
- If Malicious, the name of the malware according to AMP.
-
- - name: amp_score
- type: keyword
- description: >
- The score of the malware from AMP. 
This field is not currently used and will be blank.
-
- - name: datacenter
- type: keyword
- description: >
- The name of the Umbrella Data Center that processed the user-generated traffic.
-
- - name: origin_id
- type: keyword
- description: >
- The unique identity of the network tunnel.
-
- - name: request_method
- type: keyword
- - name: dlp_status
- type: keyword
- - name: certificate_errors
- type: keyword
- - name: file_name
- type: keyword
- - name: ruleset_id
- type: keyword
- - name: rule_id
- type: keyword
- - name: destination_lists_id
- type: keyword
- - name: audit.type
- type: keyword
- description: Where the change was made, such as settings or a policy.
- - name: audit.before
- type: keyword
- description: The policy or setting before the change was made.
- - name: audit.after
- type: keyword
- description: The policy or setting after the change was made.
diff --git a/packages/cisco_umbrella/1.4.0/data_stream/log/manifest.yml b/packages/cisco_umbrella/1.4.0/data_stream/log/manifest.yml
deleted file mode 100755
index 12015b7e89..0000000000
--- a/packages/cisco_umbrella/1.4.0/data_stream/log/manifest.yml
+++ /dev/null
@@ -1,163 +0,0 @@ -title: Cisco Umbrella logs -release: experimental -type: logs -streams: - - input: aws-s3 - enabled: false - title: Cisco Umbrella logs - description: Collect Cisco Umbrella logs - template_path: aws-s3.yml.hbs - vars: - - name: queue_url - type: text - title: Queue URL - multi: false - required: false - show_user: true - description: URL of the AWS SQS queue that messages will be received from. For Cisco Managed S3 buckets or S3 without SQS, use Bucket ARN. - - name: bucket_arn - type: text - title: Bucket ARN - multi: false - required: false - show_user: true - description: >- - Required for Cisco Managed S3. If the S3 bucket does not use SQS, this is the address for the S3 bucket, one example is `arn:aws:s3:::cisco-managed-eu-central-1` For a list of Cisco Managed buckets, please see https://docs.umbrella.com/mssp-deployment/docs/enable-logging-to-a-cisco-managed-s3-bucket. - - name: region - type: text - title: Bucket Region - multi: false - required: false - show_user: true - description: >- - Required for Cisco Managed S3. The region the bucket is located in. - - name: bucket_list_prefix - type: text - title: Bucket List Prefix - multi: false - required: false - show_user: true - description: >- - Required for Cisco Managed S3. This sets the root folder of the S3 bucket that should be monitored, found in the S3 Web UI. Example value: `1235_654vcasd23431e5dd6f7fsad457sdf1fd5`. Forward slash at the end required for Cisco Managed S3. - - name: number_of_workers - type: text - title: Number of Workers - multi: false - required: false - show_user: true - default: 1 - description: Required for Cisco Managed S3. Number of workers that will process the S3 objects listed. Minimum is 1. - - name: bucket_list_interval - type: text - title: Bucket List Interval - multi: false - required: false - show_user: true - description: Time interval for polling listing of the S3 bucket. Defaults to 120s. 
- - name: shared_credential_file - type: text - title: Shared Credential File - multi: false - required: false - show_user: false - description: Directory of the shared credentials file. - - name: credential_profile_name - type: text - title: Credential Profile Name - multi: false - required: false - show_user: false - - name: access_key_id - type: text - title: Access Key ID - multi: false - required: false - show_user: true - - name: secret_access_key - type: text - title: Secret Access Key - multi: false - required: false - show_user: true - - name: session_token - type: text - title: Session Token - multi: false - required: false - show_user: true - - name: role_arn - type: text - title: Role ARN - multi: false - required: false - show_user: false - - name: endpoint - type: text - title: Endpoint - multi: false - required: false - show_user: false - default: "" - description: URL of the entry point for an AWS web service. - - name: default_region - type: text - title: Default AWS Region - multi: false - required: false - show_user: false - default: "" - description: Default region to use prior to connecting to region specific services/endpoints if no AWS region is set from environment variable, credentials or instance profile. If none of the above are set and no default region is set as well, `us-east-1` is used. A region, either from environment variable, credentials or instance profile or from this default region setting, needs to be set when using regions in non-regular AWS environments such as AWS China or US Government Isolated. - - name: visibility_timeout - type: text - title: Visibility Timeout - multi: false - required: false - show_user: false - description: The duration that the received messages are hidden from subsequent retrieve requests after being retrieved by a ReceiveMessage request. The maximum is 12 hours. 
- - name: api_timeout - type: text - title: API Timeout - multi: false - required: false - show_user: false - description: The maximum duration of AWS API can take. The maximum is half of the visibility timeout value. - - name: fips_enabled - type: bool - title: Enable S3 FIPS - default: false - multi: false - required: false - show_user: false - description: Enabling this option changes the service name from `s3` to `s3-fips` for connecting to the correct service endpoint. - - name: proxy_url - type: text - title: Proxy URL - multi: false - required: false - show_user: false - description: URL to proxy connections in the form of http\[s\]://:@: - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: false - default: - - cisco-umbrella - - forwarded - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original`. - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: >- - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. diff --git a/packages/cisco_umbrella/1.4.0/data_stream/log/sample_event.json b/packages/cisco_umbrella/1.4.0/data_stream/log/sample_event.json deleted file mode 100755 index 180f761add..0000000000 --- a/packages/cisco_umbrella/1.4.0/data_stream/log/sample_event.json +++ /dev/null 
@@ -1,97 +0,0 @@ -{ - "destination": { - "geo": { - "continent_name": "North America", - "country_name": "United States", - "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" - }, - "as": { - "number": 15169, - "organization": { - "name": "Google LLC" - } - }, - "address": "8.8.8.8", - "ip": "8.8.8.8" - }, - "source": { - "nat": { - "ip": "1.1.1.1" - }, - "address": "192.168.1.1", - "ip": "192.168.1.1" - }, - "url": { - "path": "/blog/ext_id=Anyclip", - "original": "https://elastic.co/blog/ext_id=Anyclip", - "scheme": "https", - "domain": "elastic.co", - "full": "https://elastic.co/blog/ext_id=Anyclip" - }, - "tags": [ - "preserve_original_event" - ], - "observer": { - "type": "proxy", - "product": "Umbrella", - "vendor": "Cisco" - }, - "@timestamp": "2020-07-23T23:48:56.000Z", - "ecs": { - "version": "8.3.0" - }, - "related": { - "hash": [ - "" - ], - "ip": [ - "192.168.1.1", - "1.1.1.1", - "8.8.8.8" - ] - }, - "http": { - "request": { - "referrer": "https://google.com/elastic", - "bytes": 850 - }, - "response": { - "status_code": 200 - } - }, - "event": { - "ingested": "2021-09-13T00:16:24.480432923Z", - "original": "\"2020-07-23 23:48:56\",\"elasticuser\",\"someotheruser\",\"192.168.1.1\",\"1.1.1.1\",\"8.8.8.8\",\"\",\"ALLOWED\",\"https://elastic.co/blog/ext_id=Anyclip\",\"https://google.com/elastic\",\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.89 Safari/537.36\",\"200\",\"850\",\"\",\"\",\"\",\"Business Services\",\"AVDetectionName\",\"Malicious\",\"MalwareName\",\"\",\"\",\"Roaming Computers\",\"\"", - "category": "network", - "type": [ - "allowed" - ] - }, - "cisco": { - "umbrella": { - "amp_score": "", - "puas": "Malicious", - "identities": [ - "someotheruser" - ], - "content_type": "", - "identity_types": "Roaming Computers", - "blocked_categories": "", - "sha_sha256": "", - "amp_disposition": "MalwareName", - "categories": "Business Services", - "av_detections": 
"AVDetectionName", - "amp_malware_name": "" - } - }, - "user": { - "name": "elasticuser" - }, - "user_agent": { - "original": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.89 Safari/537.36" - } -} \ No newline at end of file diff --git a/packages/cisco_umbrella/1.4.0/docs/README.md b/packages/cisco_umbrella/1.4.0/docs/README.md deleted file mode 100755 index f85909b1e3..0000000000 --- a/packages/cisco_umbrella/1.4.0/docs/README.md +++ /dev/null 
@@ -1,278 +0,0 @@ -# Cisco Umbrella Integration - -This integration is for [Cisco Umbrella](https://docs.umbrella.com/). It includes the following -datasets for receiving logs from an AWS S3 bucket using an SQS notification queue and Cisco Managed S3 bucket without SQS: - -- `log` dataset: supports Cisco Umbrella logs. - -## Logs - -### Umbrella - -When using Cisco Managed S3 buckets that does not use SQS there is no load balancing possibilities for multiple agents, a single agent should be configured to poll the S3 bucket for new and updated files, and the number of workers can be configured to scale vertically. - -The `log` dataset collects Cisco Umbrella logs. - -An example event for `log` looks as following: - -```json -{ - "destination": { - "geo": { - "continent_name": "North America", - "country_name": "United States", - "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" - }, - "as": { - "number": 15169, - "organization": { - "name": "Google LLC" - } - }, - "address": "8.8.8.8", - "ip": "8.8.8.8" - }, - "source": { - "nat": { - "ip": "1.1.1.1" - }, - "address": "192.168.1.1", - "ip": "192.168.1.1" - }, - "url": { - "path": "/blog/ext_id=Anyclip", - "original": "https://elastic.co/blog/ext_id=Anyclip", - "scheme": "https", - "domain": "elastic.co", - "full": "https://elastic.co/blog/ext_id=Anyclip" - }, - "tags": [ - "preserve_original_event" - ], - "observer": { - "type": "proxy", - "product": "Umbrella", - "vendor": "Cisco" - }, - "@timestamp": "2020-07-23T23:48:56.000Z", - "ecs": { - "version": "8.3.0" - }, - "related": { - "hash": [ - "" - ], - "ip": [ - "192.168.1.1", - "1.1.1.1", - "8.8.8.8" - ] - }, - "http": { - "request": { - "referrer": "https://google.com/elastic", - "bytes": 850 - }, - "response": { - "status_code": 200 - } - }, - "event": { - "ingested": "2021-09-13T00:16:24.480432923Z", - "original": "\"2020-07-23 
23:48:56\",\"elasticuser\",\"someotheruser\",\"192.168.1.1\",\"1.1.1.1\",\"8.8.8.8\",\"\",\"ALLOWED\",\"https://elastic.co/blog/ext_id=Anyclip\",\"https://google.com/elastic\",\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.89 Safari/537.36\",\"200\",\"850\",\"\",\"\",\"\",\"Business Services\",\"AVDetectionName\",\"Malicious\",\"MalwareName\",\"\",\"\",\"Roaming Computers\",\"\"", - "category": "network", - "type": [ - "allowed" - ] - }, - "cisco": { - "umbrella": { - "amp_score": "", - "puas": "Malicious", - "identities": [ - "someotheruser" - ], - "content_type": "", - "identity_types": "Roaming Computers", - "blocked_categories": "", - "sha_sha256": "", - "amp_disposition": "MalwareName", - "categories": "Business Services", - "av_detections": "AVDetectionName", - "amp_malware_name": "" - } - }, - "user": { - "name": "elasticuser" - }, - "user_agent": { - "original": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.89 Safari/537.36" - } -} -``` - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. | date | -| cisco.umbrella.amp_disposition | The status of the files proxied and scanned by Cisco Advanced Malware Protection (AMP) as part of the Umbrella File Inspection feature; can be Clean, Malicious or Unknown. | keyword | -| cisco.umbrella.amp_malware_name | If Malicious, the name of the malware according to AMP. | keyword | -| cisco.umbrella.amp_score | The score of the malware from AMP. This field is not currently used and will be blank. 
| keyword | -| cisco.umbrella.audit.after | The policy or setting after the change was made. | keyword | -| cisco.umbrella.audit.before | The policy or setting before the change was made. | keyword | -| cisco.umbrella.audit.type | Where the change was made, such as settings or a policy. | keyword | -| cisco.umbrella.av_detections | The detection name according to the antivirus engine used in file inspection. | keyword | -| cisco.umbrella.blocked_categories | The categories that resulted in the destination being blocked. Available in version 4 and above. | keyword | -| cisco.umbrella.categories | The security or content categories that the destination matches. | keyword | -| cisco.umbrella.certificate_errors | | keyword | -| cisco.umbrella.content_type | The type of web content, typically text/html. | keyword | -| cisco.umbrella.datacenter | The name of the Umbrella Data Center that processed the user-generated traffic. | keyword | -| cisco.umbrella.destination_lists_id | | keyword | -| cisco.umbrella.dlp_status | | keyword | -| cisco.umbrella.file_name | | keyword | -| cisco.umbrella.identities | An array of the different identities related to the event. | keyword | -| cisco.umbrella.identity | The identity that made the request. An identity can be a high-level entity within your system (e.g a network) or very granular (e.g a single user) | keyword | -| cisco.umbrella.identity_types | The type of identity that made the request. For example, Roaming Computer or Network. | keyword | -| cisco.umbrella.origin_id | The unique identity of the network tunnel. | keyword | -| cisco.umbrella.policy_identity_type | The first identity type matched with this request. Available in version 3 and above. | keyword | -| cisco.umbrella.puas | A list of all potentially unwanted application (PUA) results for the proxied file as returned by the antivirus scanner. 
| keyword | -| cisco.umbrella.request_method | | keyword | -| cisco.umbrella.rule_id | | keyword | -| cisco.umbrella.ruleset_id | | keyword | -| cisco.umbrella.sha_sha256 | Hex digest of the response content. | keyword | -| client.domain | The domain name of the client system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | -| client.registered_domain | The highest registered client domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | -| client.subdomain | The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword | -| client.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. 
Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| destination.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| destination.as.organization.name | Organization name. | keyword | -| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. | match_only_text | -| destination.bytes | Bytes sent from the destination to the source. | long | -| destination.domain | The domain name of the destination system. 
This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | -| destination.geo.city_name | City name. | keyword | -| destination.geo.continent_name | Name of the continent. | keyword | -| destination.geo.country_iso_code | Country ISO code. | keyword | -| destination.geo.country_name | Country name. | keyword | -| destination.geo.location | Longitude and latitude. | geo_point | -| destination.geo.region_iso_code | Region ISO code. | keyword | -| destination.geo.region_name | Region name. | keyword | -| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | -| destination.mac | MAC address of the destination. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | -| destination.nat.ip | Translated ip of destination based NAT sessions (e.g. internet to private DMZ) Typically used with load balancers, firewalls, or routers. | ip | -| destination.nat.port | Port the source session is translated to by NAT Device. Typically used with load balancers, firewalls, or routers. | long | -| destination.port | Port of the destination. | long | -| dns.question.name | The name being queried. If the name field contains non-printable characters (below 32 or above 126), those characters should be represented as escaped base 10 integers (\DDD). Back slashes and quotes should be escaped. Tabs, carriage returns, and line feeds should be converted to \t, \r, and \n respectively. | keyword | -| dns.question.registered_domain | The highest registered domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). 
Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | -| dns.question.subdomain | The subdomain is all of the labels under the registered_domain. If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword | -| dns.question.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | -| dns.question.type | The type of record being queried. | keyword | -| dns.response_code | The DNS response code. | keyword | -| dns.type | The type of DNS event captured, query or answer. If your source of DNS events only gives you DNS queries, you should only create dns events of type `dns.type:query`. If your source of DNS events gives you answers as well, you should create one event per query (optionally as soon as the query is seen). And a second event containing all query details as well as an array of answers. | keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| error.message | Error message. | match_only_text | -| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. 
| keyword | -| event.code | Identification code for this event, if one exists. Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. | keyword | -| event.dataset | Event dataset | constant_keyword | -| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | -| event.module | Event module | constant_keyword | -| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | -| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. 
For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | -| event.timezone | This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). | keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host MAC addresses. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. 
| keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| http.request.bytes | Total size in bytes of the request (body and headers). | long | -| http.request.method | HTTP request method. The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field. | keyword | -| http.request.referrer | Referrer for this HTTP request. | keyword | -| http.response.bytes | Total size in bytes of the response (body and headers). | long | -| http.response.status_code | HTTP response status code. | long | -| input.type | Type of Filebeat input. | keyword | -| log.file.path | Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. | keyword | -| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | -| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword | -| network.direction | Direction of the network traffic. 
When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword | -| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword | -| observer.product | The product name of the observer. | keyword | -| observer.type | The type of the observer the data is coming from. There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. | keyword | -| observer.vendor | Vendor name of the observer. | keyword | -| related.hash | All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). | keyword | -| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| related.user | All the user names or other user identifiers seen on the event. | keyword | -| rule.id | A rule ID that is unique within the scope of an agent, observer, or other entity using the rule for detection of this event. 
| keyword | -| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| source.as.organization.name | Organization name. | keyword | -| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text | -| source.bytes | Bytes sent from the source to the destination. | long | -| source.domain | The domain name of the source system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | -| source.geo.city_name | City name. | keyword | -| source.geo.continent_name | Name of the continent. | keyword | -| source.geo.country_iso_code | Country ISO code. | keyword | -| source.geo.country_name | Country name. | keyword | -| source.geo.location | Longitude and latitude. | geo_point | -| source.geo.region_iso_code | Region ISO code. | keyword | -| source.geo.region_name | Region name. | keyword | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| source.mac | MAC address of the source. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | -| source.nat.ip | Translated ip of source based NAT sessions (e.g. internal client to internet) Typically connections traversing load balancers, firewalls, or routers. | ip | -| source.nat.port | Translated port of source based NAT sessions. (e.g. 
internal client to internet) Typically used with load balancers, firewalls, or routers. | long | -| source.port | Port of the source. | long | -| source.registered_domain | The highest registered source domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | -| source.subdomain | The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword | -| source.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | -| tags | List of keywords used to tag each event. | keyword | -| url.domain | Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. 
| keyword | -| url.extension | The field contains the file extension from the original request url, excluding the leading dot. The file extension is only set if it exists, as not every url has a file extension. The leading period must not be included. For example, the value must be "png", not ".png". Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword | -| url.full | If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. | wildcard | -| url.full.text | Multi-field of `url.full`. | match_only_text | -| url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | wildcard | -| url.original.text | Multi-field of `url.original`. | match_only_text | -| url.path | Path of the request, such as "/search". | wildcard | -| url.query | The query field describes the query string of the request, such as "q=elasticsearch". The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. | keyword | -| url.scheme | Scheme of the request, such as "https". Note: The `:` is not part of the scheme. | keyword | -| user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword | -| user.email | User email address. | keyword | -| user.full_name | User's full name, if available. | keyword | -| user.full_name.text | Multi-field of `user.full_name`. | match_only_text | -| user.id | Unique identifier of the user. 
| keyword |
-| user.name | Short name or login of the user. | keyword |
-| user.name.text | Multi-field of `user.name`. | match_only_text |
-| user_agent.original | Unparsed user_agent string. | keyword |
-| user_agent.original.text | Multi-field of `user_agent.original`. | match_only_text |
diff --git a/packages/cisco_umbrella/1.4.0/img/cisco.svg b/packages/cisco_umbrella/1.4.0/img/cisco.svg
deleted file mode 100755
index 20ebebf197..0000000000
--- a/packages/cisco_umbrella/1.4.0/img/cisco.svg
+++ /dev/null
@@ -1 +0,0 @@
-
\ No newline at end of file
diff --git a/packages/cisco_umbrella/1.4.0/manifest.yml b/packages/cisco_umbrella/1.4.0/manifest.yml
deleted file mode 100755
index 0fae983452..0000000000
--- a/packages/cisco_umbrella/1.4.0/manifest.yml
+++ /dev/null
@@ -1,28 +0,0 @@
-format_version: 1.0.0
-name: cisco_umbrella
-title: Cisco Umbrella
-version: "1.4.0"
-license: basic
-description: Collect logs from Cisco Umbrella with Elastic Agent.
-type: integration
-categories:
- - network
- - security
-release: ga
-conditions:
- kibana.version: "^8.0.0"
-icons:
- - src: /img/cisco.svg
- title: cisco
- size: 216x216
- type: image/svg+xml
-policy_templates:
- - name: cisco_umbrella
- title: Cisco Umbrella logs
- description: Collect logs from Cisco Umbrella instances
- inputs:
- - type: aws-s3
- title: Collect logs from Cisco Umbrella
- description: Collecting logs from Cisco Umbrella
-owner:
- github: elastic/security-external-integrations
diff --git a/packages/cisco_umbrella/1.4.1/LICENSE.txt b/packages/cisco_umbrella/1.4.1/LICENSE.txt
deleted file mode 100755
index 809108b857..0000000000
--- a/packages/cisco_umbrella/1.4.1/LICENSE.txt
+++ /dev/null
@@ -1,93 +0,0 @@ -Elastic License 2.0 - -URL: https://www.elastic.co/licensing/elastic-license - -## Acceptance - -By using the software, you agree to all of the terms and conditions below. - -## Copyright License - -The licensor grants you a non-exclusive, royalty-free, worldwide, -non-sublicensable, non-transferable license to use, copy, distribute, make -available, and prepare derivative works of the software, in each case subject to -the limitations and conditions below. - -## Limitations - -You may not provide the software to third parties as a hosted or managed -service, where the service provides users with access to any substantial set of -the features or functionality of the software. - -You may not move, change, disable, or circumvent the license key functionality -in the software, and you may not remove or obscure any functionality in the -software that is protected by the license key. - -You may not alter, remove, or obscure any licensing, copyright, or other notices -of the licensor in the software. Any use of the licensor’s trademarks is subject -to applicable law. - -## Patents - -The licensor grants you a license, under any patent claims the licensor can -license, or becomes able to license, to make, have made, use, sell, offer for -sale, import and have imported the software, in each case subject to the -limitations and conditions in this license. This license does not cover any -patent claims that you cause to be infringed by modifications or additions to -the software. If you or your company make any written claim that the software -infringes or contributes to infringement of any patent, your patent license for -the software granted under these terms ends immediately. If your company makes -such a claim, your patent license ends immediately for work on behalf of your -company. - -## Notices - -You must ensure that anyone who gets a copy of any part of the software from you -also gets a copy of these terms. 
- -If you modify the software, you must include in any modified copies of the -software prominent notices stating that you have modified the software. - -## No Other Rights - -These terms do not imply any licenses other than those expressly granted in -these terms. - -## Termination - -If you use the software in violation of these terms, such use is not licensed, -and your licenses will automatically terminate. If the licensor provides you -with a notice of your violation, and you cease all violation of this license no -later than 30 days after you receive that notice, your licenses will be -reinstated retroactively. However, if you violate these terms after such -reinstatement, any additional violation of these terms will cause your licenses -to terminate automatically and permanently. - -## No Liability - -*As far as the law allows, the software comes as is, without any warranty or -condition, and the licensor will not be liable to you for any damages arising -out of these terms or the use or nature of the software, under any kind of -legal claim.* - -## Definitions - -The **licensor** is the entity offering these terms, and the **software** is the -software the licensor makes available under these terms, including any portion -of it. - -**you** refers to the individual or entity agreeing to these terms. - -**your company** is any legal entity, sole proprietorship, or other kind of -organization that you work for, plus all organizations that have control over, -are under the control of, or are under common control with that -organization. **control** means ownership of substantially all the assets of an -entity, or the power to direct its management and policies by vote, contract, or -otherwise. Control can be direct or indirect. - -**your licenses** are all the licenses granted to you for the software under -these terms. - -**use** means anything you do with the software requiring one of your licenses. 
- -**trademark** means trademarks, service marks, and similar rights. diff --git a/packages/cisco_umbrella/1.4.1/changelog.yml b/packages/cisco_umbrella/1.4.1/changelog.yml deleted file mode 100755 index f21d13fc67..0000000000 --- a/packages/cisco_umbrella/1.4.1/changelog.yml +++ /dev/null 
@@ -1,126 +0,0 @@
-# newer versions go on top
-- version: "1.4.1"
- changes:
- - description: Remove hint for cisco managed s3 Bucket List Prefix
- type: bugfix
- link: https://github.com/elastic/integrations/pull/4093
-- version: "1.4.0"
- changes:
- - description: Expose Default Region setting to UI
- type: enhancement
- link: https://github.com/elastic/integrations/pull/4158
-- version: "1.3.3"
- changes:
- - description: Use ECS geo.location definition.
- type: enhancement
- link: https://github.com/elastic/integrations/issues/4227
-- version: "1.3.2"
- changes:
- - description: Fix proxy log CSV fields
- type: bugfix
- link: https://github.com/elastic/integrations/pull/4085
-- version: "1.3.1"
- changes:
- - description: Set default endpoint to empty string
- type: bugfix
- link: https://github.com/elastic/integrations/pull/4103
-- version: "1.3.0"
- changes:
- - description: Update package to ECS 8.4.0
- type: enhancement
- link: https://github.com/elastic/integrations/pull/3843
-- version: "1.2.2"
- changes:
- - description: Fix proxy URL documentation rendering.
- type: bugfix
- link: https://github.com/elastic/integrations/pull/3881
-- version: "1.2.1"
- changes:
- - description: Add missing proxy config to S3 input
- type: enhancement
- link: https://github.com/elastic/integrations/pull/3813
-- version: "1.2.0"
- changes:
- - description: Enrich DNS fields
- type: enhancement
- link: https://github.com/elastic/integrations/pull/3712
-- version: "1.1.0"
- changes:
- - description: Update package to ECS 8.3.0.
- type: enhancement
- link: https://github.com/elastic/integrations/pull/3353
-- version: "1.0.1"
- changes:
- - description: Update to readme. added link to Cisco documentation
- type: enhancement
- link: https://github.com/elastic/integrations/pull/3219
-- version: "1.0.0"
- changes:
- - description: Make GA
- type: enhancement
- link: https://github.com/elastic/integrations/pull/3428
-- version: "0.7.0"
- changes:
- - description: Add Audit Logs
- type: enhancement
- link: https://github.com/elastic/integrations/pull/3332
-- version: "0.6.1"
- changes:
- - description: Fix use of destination.ip instead of source.nat.ip in DNS logs
- type: bugfix
- link: https://github.com/elastic/integrations/pull/3218
-- version: "0.6.0"
- changes:
- - description: Update to ECS 8.2
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2778
-- version: "0.5.1"
- changes:
- - description: Add documentation for multi-fields
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2916
-- version: "0.5.0"
- changes:
- - description: Update to ECS 8.0
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2396
-- version: "0.4.0"
- changes:
- - description: Update config to support Cisco Managed S3
- type: bugfix
- link: https://github.com/elastic/integrations/pull/2462
-- version: "0.3.2"
- changes:
- - description: Regenerate test files using the new GeoIP database
- type: bugfix
- link: https://github.com/elastic/integrations/pull/2339
-- version: "0.3.1"
- changes:
- - description: Change test public IPs to the supported subset
- type: bugfix
- link: https://github.com/elastic/integrations/pull/2327
-- version: "0.3.0"
- changes:
- - description: Add 8.0.0 version constraint
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2269
-- version: "0.2.2"
- changes:
- - description: Update Title and Description.
- type: enhancement
- link: https://github.com/elastic/integrations/pull/1959
-- version: "0.2.1"
- changes:
- - description: Fix logic that checks for the 'forwarded' tag
- type: bugfix
- link: https://github.com/elastic/integrations/pull/1810
-- version: "0.2.0"
- changes:
- - description: Update to ECS 1.12.0
- type: enhancement
- link: https://github.com/elastic/integrations/pull/1787
-- version: "0.1.0"
- changes:
- - description: Initial migration from Filebeat Module
- type: enhancement
- link: https://github.com/elastic/integrations/pull/1646
diff --git a/packages/cisco_umbrella/1.4.1/data_stream/log/agent/stream/aws-s3.yml.hbs b/packages/cisco_umbrella/1.4.1/data_stream/log/agent/stream/aws-s3.yml.hbs
deleted file mode 100755
index caea4c7d2e..0000000000
--- a/packages/cisco_umbrella/1.4.1/data_stream/log/agent/stream/aws-s3.yml.hbs
+++ /dev/null
@@ -1,76 +0,0 @@
-{{#if queue_url}}
-queue_url: {{queue_url}}
-{{/if}}
-{{#if bucket_arn}}
-bucket_arn: {{bucket_arn}}
-{{/if}}
-{{#if bucket_list_prefix}}
-bucket_list_prefix: {{bucket_list_prefix}}/
-{{/if}}
-{{#if bucket_list_prefix}}
-file_selectors:
- - regex: {{bucket_list_prefix}}/dnslogs/.+
- - regex: {{bucket_list_prefix}}/proxylogs/.+
- - regex: {{bucket_list_prefix}}/cloudfirewalllogs/.+
- - regex: {{bucket_list_prefix}}/iplogs/.+
- - regex: {{bucket_list_prefix}}/auditlogs/.+
-{{/if}}
-{{#if region}}
-default_region: {{region}}
-{{/if}}
-{{#if credential_profile_name}}
-credential_profile_name: {{credential_profile_name}}
-{{/if}}
-{{#if shared_credential_file}}
-shared_credential_file: {{shared_credential_file}}
-{{/if}}
-{{#if visibility_timeout}}
-visibility_timeout: {{visibility_timeout}}
-{{/if}}
-{{#if api_timeout}}
-api_timeout: {{api_timeout}}
-{{/if}}
-{{#if endpoint}}
-endpoint: {{endpoint}}
-{{/if}}
-{{#if default_region}}
-default_region: {{default_region}}
-{{/if}}
-{{#if access_key_id}}
-access_key_id: {{access_key_id}}
-{{/if}}
-{{#if secret_access_key}}
-secret_access_key: {{secret_access_key}}
-{{/if}}
-{{#if session_token}}
-session_token: {{session_token}}
-{{/if}}
-{{#if role_arn}}
-role_arn: {{role_arn}}
-{{/if}}
-{{#if fips_enabled}}
-fips_enabled: {{fips_enabled}}
-{{/if}}
-{{#if proxy_url }}
-proxy_url: {{proxy_url}}
-{{/if}}
-{{#if number_of_workers}}
-number_of_workers: {{number_of_workers}}
-{{/if}}
-{{#if bucket_list_interval}}
-bucket_list_interval: {{bucket_list_interval}}
-{{/if}}
-tags:
-{{#if preserve_original_event}}
- - preserve_original_event
-{{/if}}
-{{#each tags as |tag i|}}
- - {{tag}}
-{{/each}}
-{{#contains "forwarded" tags}}
-publisher_pipeline.disable_host: true
-{{/contains}}
-{{#if processors}}
-processors:
-{{processors}}
-{{/if}}
\ No newline at end of file
diff --git a/packages/cisco_umbrella/1.4.1/data_stream/log/elasticsearch/ingest_pipeline/default.yml b/packages/cisco_umbrella/1.4.1/data_stream/log/elasticsearch/ingest_pipeline/default.yml deleted file mode 100755 index 4b4aeeb8e1..0000000000 --- a/packages/cisco_umbrella/1.4.1/data_stream/log/elasticsearch/ingest_pipeline/default.yml +++ /dev/null 
@@ -1,441 +0,0 @@ ---- -description: Pipeline for Cisco Umbrella - -processors: - - set: - field: ecs.version - value: '8.4.0' - - set: - field: observer.vendor - value: Cisco - - set: - field: observer.product - value: Umbrella - - rename: - field: message - target_field: event.original - ############ - # DNS Logs # - ############ - - csv: - field: event.original - target_fields: - - cisco.umbrella._tmp.time - - user.name - - cisco.umbrella.identities - - source.address - - source.nat.ip - - cisco.umbrella.action - - dns.question.type - - dns.response_code - - dns.question.name - - cisco.umbrella.categories - - cisco.umbrella.policy_identity_type - - cisco.umbrella.identity_types - - cisco.umbrella.blocked_categories - if: ctx.log?.file?.path.contains('dnslogs') - - gsub: - description: Strip tailing dot from DNS names. - field: dns.question.name - pattern: '\.$' - replacement: '' - ignore_missing: true - - set: - field: observer.type - value: dns - if: ctx.log?.file?.path.contains('dnslogs') - ########### - # IP Logs # - ########### - - csv: - field: event.original - target_fields: - - cisco.umbrella._tmp.time - - user.name - - source.address - - source.port - - destination.address - - destination.port - - cisco.umbrella.categories - if: ctx.log?.file?.path.contains('iplogs') - - - set: - field: observer.type - value: firewall - if: ctx.log?.file?.path.contains('iplogs') - - ############## - # Proxy Logs # - ############## - - csv: - field: event.original - target_fields: - - cisco.umbrella._tmp.time - - cisco.umbrella.identity - - source.address - - source.nat.ip - - destination.address - - cisco.umbrella.content_type - - cisco.umbrella.verdict - - url.full - - http.request.referrer - - user_agent.original - - http.response.status_code - - http.request.bytes - - http.response.bytes - - http.response.body.bytes - - cisco.umbrella.sha_sha256 - - cisco.umbrella.categories - - cisco.umbrella.av_detections - - cisco.umbrella.puas - - cisco.umbrella.amp_disposition - 
- cisco.umbrella.amp_malware_name - - cisco.umbrella.amp_score - - cisco.umbrella.identity_types - - cisco.umbrella.blocked_categories - - cisco.umbrella.identities - - cisco.umbrella.identity_types - - cisco.umbrella.request_method - - cisco.umbrella.dlp_status - - cisco.umbrella.certificate_errors - - cisco.umbrella.file_name - - cisco.umbrella.ruleset_id - - cisco.umbrella.rule_id - - cisco.umbrella.destination_lists_id - if: ctx.log?.file?.path.contains('proxylogs') - - - set: - field: observer.type - value: proxy - if: ctx.log?.file?.path.contains('proxylogs') - - ####################### - # Cloud Firewall Logs # - ####################### - - csv: - field: event.original - target_fields: - - cisco.umbrella._tmp.time - - cisco.umbrella.origin_id - - user.name - - cisco.umbrella.identity_types - - cisco.umbrella.direction - - network.transport - - source.bytes - - source.address - - source.port - - destination.address - - destination.port - - cisco.umbrella.datacenter - - cisco.umbrella.ruleid - - cisco.umbrella.verdict - if: ctx.log?.file?.path.contains('cloudfirewalllogs') - - - set: - field: observer.type - value: firewall - if: ctx.log?.file?.path.contains('cloudfirewalllogs') - - ####################### - # Audit Logs # - ####################### - - csv: - field: event.original - target_fields: - - event.id - - cisco.umbrella._tmp.time - - user.email - - user.name - - cisco.umbrella.audit.type - - event.action - - source.address - - cisco.umbrella.audit.before - - cisco.umbrella.audit.after - if: ctx.log?.file?.path.contains('auditlogs') - - - uri_parts: - field: url.full - ignore_failure: true - if: ctx.url?.full != null - - # Identifies is a field that includes any sort of username, device or other asset that is included in the request. 
- # Converting this to an array to make it easier to use in searches and visualizations - - split: - field: cisco.umbrella.identities - separator: ",\\s*" - preserve_trailing: false - if: "ctx.cisco?.umbrella?.identities != null && (ctx.log?.file?.path.contains('dnslogs') || ctx.log?.file?.path.contains('proxylogs'))" - - split: - field: cisco.umbrella.categories - separator: ",\\s*" - preserve_trailing: false - if: "ctx.log?.file?.path.contains('dnslogs') && ctx.cisco?.umbrella?.categories != null" - - split: - field: cisco.umbrella.blocked_categories - separator: ",\\s*" - preserve_trailing: false - if: "ctx.log?.file?.path.contains('dnslogs') && ctx.cisco?.umbrella?.blocked_categories != null" - - split: - field: cisco.umbrella.identity_types - separator: ",\\s*" - preserve_trailing: false - if: "ctx.cisco?.umbrella?.identity_types != null" - - ###################### - # General ECS Fields # - ###################### - # This field is always in UTC, so no timezone should need to be set - - date: - field: cisco.umbrella._tmp.time - target_field: "@timestamp" - formats: - - "yyyy-MM-dd HH:mm:ss" - - ISO8601 - if: ctx.cisco?.umbrella?._tmp?.time != null - ################## - # DNS ECS Fields # - ################## - - set: - field: dns.type - value: query - if: ctx.cisco?.umbrella?.action != null - - registered_domain: - field: dns.question.name - target_field: dns.question - ignore_missing: true - ignore_failure: true - - remove: - field: dns.question.domain - ignore_missing: true - ###################### - # Network ECS Fields # - ###################### - - lowercase: - field: cisco.umbrella.direction - target_field: network.direction - if: ctx.cisco?.umbrella?.direction != null - - convert: - field: source.bytes - type: long - if: ctx.source?.bytes != null - - convert: - field: source.port - type: long - if: ctx.source?.port != null - - convert: - field: destination.port - type: long - if: ctx.destination?.port != null - ################### - # HTTP ECS Fields # 
- ################### - - convert: - field: http.request.bytes - type: long - if: ctx.http?.request?.bytes != null - - convert: - field: http.response.bytes - type: long - if: ctx.http?.response?.bytes != null - - convert: - field: http.response.status_code - type: long - if: ctx.http?.response?.status_code != null - ################### - # Rule ECS Fields # - ################### - - rename: - field: cisco.umbrella.ruleid - target_field: rule.id - if: ctx.cisco?.umbrella?.ruleid != null - - #################### - # Event ECS Fields # - #################### - - set: - field: event.action - value: "dns-request-{{cisco.umbrella.action}}" - if: ctx.cisco?.umbrella?.action != null - - set: - field: event.category - value: network - if: "!ctx.log?.file?.path.contains('auditlogs')" - - append: - field: event.type - value: allowed - if: "ctx.cisco?.umbrella?.action == 'Allowed' || ['ALLOWED','ALLOW'].contains(ctx.cisco?.umbrella?.verdict)" - - append: - field: event.type - value: denied - if: "ctx.cisco?.umbrella?.action == 'Blocked' || ['BLOCKED','BLOCK'].contains(ctx.cisco?.umbrella?.verdict)" - - append: - field: event.type - value: connection - if: ctx.cisco?.umbrella?.action != null - - set: - field: event.category - value: configuration - if: "ctx.log?.file?.path.contains('auditlogs')" - - append: - field: event.type - value: creation - if: "ctx.log?.file?.path.contains('auditlogs') && ctx.event?.action.toLowerCase() == 'create'" - - append: - field: event.type - value: change - if: "ctx.log?.file?.path.contains('auditlogs') && ctx.event?.action.toLowerCase() == 'update'" - - append: - field: event.type - value: deletion - if: "ctx.log?.file?.path.contains('auditlogs') && ctx.event?.action.toLowerCase() == 'delete'" - # Converting address fields to either ip or domain - - convert: - field: source.address - target_field: source.ip - type: ip - ignore_missing: true - on_failure: - - set: - copy_from: source.address - field: source.domain - override: true - - - convert: 
- field: destination.address - target_field: destination.ip - type: ip - ignore_missing: true - on_failure: - - set: - field: destination.domain - copy_from: destination.address - override: true - - # For nat, there's no address or domain subfield. - # If the value is not a valid IP, it must be removed - # or ingestion will fail. Probably just an empty value. - - convert: - field: source.nat.ip - type: ip - ignore_missing: true - on_failure: - - remove: - field: source.nat.ip - - - community_id: - ignore_missing: true - - geoip: - field: source.ip - target_field: source.geo - ignore_missing: true - - geoip: - database_file: GeoLite2-ASN.mmdb - field: source.ip - target_field: source.as - properties: - - asn - - organization_name - ignore_missing: true - - rename: - field: source.as.asn - target_field: source.as.number - ignore_missing: true - - rename: - field: source.as.organization_name - target_field: source.as.organization.name - ignore_missing: true - - geoip: - field: destination.ip - target_field: destination.geo - ignore_missing: true - - geoip: - database_file: GeoLite2-ASN.mmdb - field: destination.ip - target_field: destination.as - properties: - - asn - - organization_name - ignore_missing: true - - rename: - field: destination.as.asn - target_field: destination.as.number - ignore_missing: true - - rename: - field: destination.as.organization_name - target_field: destination.as.organization.name - ignore_missing: true - ###################### - # Related ECS Fields # - ###################### - - append: - field: related.user - value: "{{user.name}}" - if: ctx.source?.user?.name != null - - append: - field: related.ip - value: "{{source.ip}}" - if: ctx.source?.ip != null - - append: - field: related.ip - value: "{{source.nat.ip}}" - if: ctx.source?.nat?.ip != null - - append: - field: related.ip - value: "{{destination.ip}}" - if: ctx.destination?.ip != null - - append: - field: related.hosts - value: "{{source.domain}}" - if: ctx.source?.domain != null 
- - append: - field: related.hosts - value: "{{dns.question.name}}" - if: ctx.dns?.question?.name != null - - append: - field: related.hash - value: "{{cisco.umbrella.sha_sha256}}" - if: ctx.cisco?.umbrella?.sha_sha256 != null - - script: - if: ctx.cisco?.umbrella?.identities != null && ctx.cisco.umbrella.identities instanceof List - lang: painless - description: "Extract user name values from ctx.cisco.umbrella.identities and append it to related.user" - source: |- - void addRelatedUser(def ctx, def x) { - if (ctx.related == null) { - Map map = new HashMap(); - ctx.put("related", map); - } - if (ctx.related?.user == null) { - ArrayList al = new ArrayList(); - ctx.related.put("user", al); - } - if (!ctx.related.user.contains(x)) { - ctx.related.user.add(x); - } - } - for (cisco_identity in ctx.cisco.umbrella.identities) { - if (cisco_identity.contains('@')) { - addRelatedUser(ctx, cisco_identity); - } - } - - ########### - # Cleanup # - ########### - - remove: - field: - - cisco.umbrella._tmp - - cisco.umbrella.direction - - cisco.umbrella.action - - cisco.umbrella.verdict - ignore_missing: true - - - remove: - field: event.original - if: "ctx.tags == null || !(ctx.tags.contains('preserve_original_event'))" - ignore_failure: true - ignore_missing: true -on_failure: - - set: - field: error.message - value: "{{ _ingest.on_failure_message }}" diff --git a/packages/cisco_umbrella/1.4.1/data_stream/log/fields/agent.yml b/packages/cisco_umbrella/1.4.1/data_stream/log/fields/agent.yml deleted file mode 100755 index da4e652c53..0000000000 --- a/packages/cisco_umbrella/1.4.1/data_stream/log/fields/agent.yml +++ /dev/null 
@@ -1,198 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/cisco_umbrella/1.4.1/data_stream/log/fields/base-fields.yml b/packages/cisco_umbrella/1.4.1/data_stream/log/fields/base-fields.yml deleted file mode 100755 index 1fb9b67d57..0000000000 --- a/packages/cisco_umbrella/1.4.1/data_stream/log/fields/base-fields.yml +++ /dev/null @@ -1,24 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: event.module - type: constant_keyword - description: Event module - value: cisco_umbrella -- name: event.dataset - type: constant_keyword - description: Event dataset - value: cisco_umbrella.log -- name: container.id - description: Unique container id. - ignore_above: 1024 - type: keyword -- name: input.type - description: Type of Filebeat input. - type: keyword diff --git a/packages/cisco_umbrella/1.4.1/data_stream/log/fields/ecs.yml b/packages/cisco_umbrella/1.4.1/data_stream/log/fields/ecs.yml deleted file mode 100755 index b8fef2a8cb..0000000000 --- a/packages/cisco_umbrella/1.4.1/data_stream/log/fields/ecs.yml +++ /dev/null 
@@ -1,428 +0,0 @@ -- description: |- - Date/time when the event originated. - This is the date/time extracted from the event, typically representing when the event was generated by the source. - If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. - Required field for all events. - name: '@timestamp' - type: date -- description: |- - The domain name of the client system. - This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. - name: client.domain - type: keyword -- description: |- - The highest registered client domain, stripped of the subdomain. - For example, the registered domain for "foo.example.com" is "example.com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". - name: client.registered_domain - type: keyword -- description: |- - The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. - For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. - name: client.subdomain - type: keyword -- description: |- - The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). 
Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". - name: client.top_level_domain - type: keyword -- description: |- - Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: destination.address - type: keyword -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: destination.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: destination.as.organization.name - type: keyword -- description: Bytes sent from the destination to the source. - name: destination.bytes - type: long -- description: |- - The domain name of the destination system. - This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. - name: destination.domain - type: keyword -- description: City name. - name: destination.geo.city_name - type: keyword -- description: Country name. - name: destination.geo.country_name - type: keyword -- description: Name of the continent. - name: destination.geo.continent_name - type: keyword -- description: Region ISO code. - name: destination.geo.region_iso_code - type: keyword -- description: Region name. - name: destination.geo.region_name - type: keyword -- description: Country ISO code. - name: destination.geo.country_iso_code - type: keyword -- description: Longitude and latitude. - name: destination.geo.location - type: geo_point -- description: IP address of the destination (IPv4 or IPv6). - name: destination.ip - type: ip -- description: |- - MAC address of the destination. 
- The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. - name: destination.mac - pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ - type: keyword -- description: |- - Translated ip of destination based NAT sessions (e.g. internet to private DMZ) - Typically used with load balancers, firewalls, or routers. - name: destination.nat.ip - type: ip -- description: |- - Port the source session is translated to by NAT Device. - Typically used with load balancers, firewalls, or routers. - name: destination.nat.port - type: long -- description: Port of the destination. - name: destination.port - type: long -- description: The DNS response code. - name: dns.response_code - type: keyword -- description: The type of record being queried. - name: dns.question.type - type: keyword -- description: |- - The type of DNS event captured, query or answer. - If your source of DNS events only gives you DNS queries, you should only create dns events of type `dns.type:query`. - If your source of DNS events gives you answers as well, you should create one event per query (optionally as soon as the query is seen). And a second event containing all query details as well as an array of answers. - name: dns.type - type: keyword -- description: |- - The name being queried. - If the name field contains non-printable characters (below 32 or above 126), those characters should be represented as escaped base 10 integers (\DDD). Back slashes and quotes should be escaped. Tabs, carriage returns, and line feeds should be converted to \t, \r, and \n respectively. - name: dns.question.name - type: keyword -- description: |- - The highest registered domain, stripped of the subdomain. - For example, the registered domain for "foo.example.com" is "example.com". 
- This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". - name: dns.question.registered_domain - type: keyword -- description: |- - The subdomain is all of the labels under the registered_domain. - If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. - name: dns.question.subdomain - type: keyword -- description: |- - The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". - name: dns.question.top_level_domain - type: keyword -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: Error message. - name: error.message - type: match_only_text -- description: |- - The action captured by the event. - This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. - name: event.action - type: keyword -- description: |- - Identification code for this event, if one exists. - Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. 
- name: event.code - type: keyword -- description: |- - Timestamp when an event arrived in the central data store. - This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. - In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. - name: event.ingested - type: date -- description: |- - Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. - This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. - doc_values: false - index: false - name: event.original - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. - `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. - Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. - Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. - Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. 
- name: event.outcome - type: keyword -- description: |- - This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. - Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). - name: event.timezone - type: keyword -- description: |- - Hostname of the host. - It normally contains what the `hostname` command returns on the host machine. - name: host.hostname - type: keyword -- description: Host ip addresses. - name: host.ip - normalize: - - array - type: ip -- description: |- - Host MAC addresses. - The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. - name: host.mac - normalize: - - array - pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ - type: keyword -- description: |- - Name of the host. - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. - name: host.name - type: keyword -- description: |- - HTTP request method. - The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field. - name: http.request.method - type: keyword -- description: Referrer for this HTTP request. - name: http.request.referrer - type: keyword -- description: Total size in bytes of the request (body and headers). - name: http.request.bytes - type: long -- description: HTTP response status code. - name: http.response.status_code - type: long -- description: Total size in bytes of the response (body and headers). 
- name: http.response.bytes - type: long -- description: |- - For log events the message field contains the log message, optimized for viewing in a log viewer. - For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. - If multiple messages exist, they can be combined into one message. - name: message - type: match_only_text -- description: |- - Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) - The field value must be normalized to lowercase for querying. - name: network.transport - type: keyword -- description: |- - Direction of the network traffic. - When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". - When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". - Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. - name: network.direction - type: keyword -- description: |- - A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. - Learn more at https://github.com/corelight/community-id-spec. - name: network.community_id - type: keyword -- description: The product name of the observer. - name: observer.product - type: keyword -- description: |- - The type of the observer the data is coming from. - There is no predefined list of observer types. 
Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. - name: observer.type - type: keyword -- description: Vendor name of the observer. - name: observer.vendor - type: keyword -- description: All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. - name: related.hosts - normalize: - - array - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - normalize: - - array - type: ip -- description: All the user names or other user identifiers seen on the event. - name: related.user - normalize: - - array - type: keyword -- description: All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). - name: related.hash - normalize: - - array - type: keyword -- description: |- - Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: source.address - type: keyword -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: source.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: source.as.organization.name - type: keyword -- description: Bytes sent from the source to the destination. - name: source.bytes - type: long -- description: |- - The domain name of the source system. - This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. 
- name: source.domain - type: keyword -- description: City name. - name: source.geo.city_name - type: keyword -- description: Country name. - name: source.geo.country_name - type: keyword -- description: Name of the continent. - name: source.geo.continent_name - type: keyword -- description: Country ISO code. - name: source.geo.country_iso_code - type: keyword -- description: Longitude and latitude. - name: source.geo.location - type: geo_point -- description: Region ISO code. - name: source.geo.region_iso_code - type: keyword -- description: Region name. - name: source.geo.region_name - type: keyword -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: |- - MAC address of the source. - The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. - name: source.mac - pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ - type: keyword -- description: |- - Translated ip of source based NAT sessions (e.g. internal client to internet) - Typically connections traversing load balancers, firewalls, or routers. - name: source.nat.ip - type: ip -- description: |- - Translated port of source based NAT sessions. (e.g. internal client to internet) - Typically used with load balancers, firewalls, or routers. - name: source.nat.port - type: long -- description: Port of the source. - name: source.port - type: long -- description: |- - The highest registered source domain, stripped of the subdomain. - For example, the registered domain for "foo.example.com" is "example.com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". 
- name: source.registered_domain - type: keyword -- description: |- - The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. - For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. - name: source.subdomain - type: keyword -- description: |- - The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". - name: source.top_level_domain - type: keyword -- description: List of keywords used to tag each event. - name: tags - normalize: - - array - type: keyword -- description: |- - Domain of the url, such as "www.elastic.co". - In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. - If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. - name: url.domain - type: keyword -- description: |- - Unmodified original url as seen in the event source. - Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. - This field is meant to represent the URL as it was observed, complete or not. 
- multi_fields: - - name: text - type: match_only_text - name: url.original - type: wildcard -- description: Path of the request, such as "/search". - name: url.path - type: wildcard -- description: |- - The query field describes the query string of the request, such as "q=elasticsearch". - The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. - name: url.query - type: keyword -- description: |- - The field contains the file extension from the original request url, excluding the leading dot. - The file extension is only set if it exists, as not every url has a file extension. - The leading period must not be included. For example, the value must be "png", not ".png". - Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). - name: url.extension - type: keyword -- description: |- - Scheme of the request, such as "https". - Note: The `:` is not part of the scheme. - name: url.scheme - type: keyword -- description: If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. - multi_fields: - - name: text - type: match_only_text - name: url.full - type: wildcard -- description: |- - Name of the directory the user is a member of. - For example, an LDAP or Active Directory domain name. - name: user.domain - type: keyword -- description: User's full name, if available. - multi_fields: - - name: text - type: match_only_text - name: user.full_name - type: keyword -- description: Unique identifier of the user. - name: user.id - type: keyword -- description: Short name or login of the user. - multi_fields: - - name: text - type: match_only_text - name: user.name - type: keyword -- description: User email address. 
- name: user.email - type: keyword -- description: Unparsed user_agent string. - multi_fields: - - name: text - type: match_only_text - name: user_agent.original - type: keyword -- description: A rule ID that is unique within the scope of an agent, observer, or other entity using the rule for detection of this event. - name: rule.id - type: keyword -- description: |- - Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. - If the event wasn't read from a log file, do not populate this field. - name: log.file.path - type: keyword diff --git a/packages/cisco_umbrella/1.4.1/data_stream/log/fields/fields.yml b/packages/cisco_umbrella/1.4.1/data_stream/log/fields/fields.yml deleted file mode 100755 index 286baf6dd1..0000000000 --- a/packages/cisco_umbrella/1.4.1/data_stream/log/fields/fields.yml +++ /dev/null 
@@ -1,104 +0,0 @@ -- name: cisco.umbrella - type: group - description: > - Fields for Cisco Umbrella. - - fields: - - name: identity - type: keyword - description: > - The identity that made the request. An identity can be a high-level entity within your system (e.g a network) or very granular (e.g a single user) - - - name: identities - type: keyword - description: > - An array of the different identities related to the event. - - - name: categories - type: keyword - description: > - The security or content categories that the destination matches. - - - name: policy_identity_type - type: keyword - description: > - The first identity type matched with this request. Available in version 3 and above. - - - name: identity_types - type: keyword - description: > - The type of identity that made the request. For example, Roaming Computer or Network. - - - name: blocked_categories - type: keyword - description: > - The categories that resulted in the destination being blocked. Available in version 4 and above. - - - name: content_type - type: keyword - description: > - The type of web content, typically text/html. - - - name: sha_sha256 - type: keyword - description: > - Hex digest of the response content. - - - name: av_detections - type: keyword - description: > - The detection name according to the antivirus engine used in file inspection. - - - name: puas - type: keyword - description: > - A list of all potentially unwanted application (PUA) results for the proxied file as returned by the antivirus scanner. - - - name: amp_disposition - type: keyword - description: > - The status of the files proxied and scanned by Cisco Advanced Malware Protection (AMP) as part of the Umbrella File Inspection feature; can be Clean, Malicious or Unknown. - - - name: amp_malware_name - type: keyword - description: > - If Malicious, the name of the malware according to AMP. - - - name: amp_score - type: keyword - description: > - The score of the malware from AMP. 
This field is not currently used and will be blank. - - - name: datacenter - type: keyword - description: > - The name of the Umbrella Data Center that processed the user-generated traffic. - - - name: origin_id - type: keyword - description: > - The unique identity of the network tunnel. - - - name: request_method - type: keyword - - name: dlp_status - type: keyword - - name: certificate_errors - type: keyword - - name: file_name - type: keyword - - name: ruleset_id - type: keyword - - name: rule_id - type: keyword - - name: destination_lists_id - type: keyword - - name: audit.type - type: keyword - description: Where the change was made, such as settings or a policy. - - name: audit.before - type: keyword - description: The policy or setting before the change was made. - - name: audit.after - type: keyword - description: The policy or setting after the change was made. diff --git a/packages/cisco_umbrella/1.4.1/data_stream/log/manifest.yml b/packages/cisco_umbrella/1.4.1/data_stream/log/manifest.yml deleted file mode 100755 index 36ceaab941..0000000000 --- a/packages/cisco_umbrella/1.4.1/data_stream/log/manifest.yml +++ /dev/null 
@@ -1,162 +0,0 @@
-title: Cisco Umbrella logs
-release: experimental
-type: logs
-streams:
- - input: aws-s3
- enabled: false
- title: Cisco Umbrella logs
- description: Collect Cisco Umbrella logs
- template_path: aws-s3.yml.hbs
- vars:
- - name: queue_url
- type: text
- title: Queue URL
- multi: false
- required: false
- show_user: true
- description: URL of the AWS SQS queue that messages will be received from. For Cisco Managed S3 buckets or S3 without SQS, use Bucket ARN.
- - name: bucket_arn
- type: text
- title: Bucket ARN
- multi: false
- required: false
- show_user: true
- description: >-
- Required for Cisco Managed S3. If the S3 bucket does not use SQS, this is the address for the S3 bucket, one example is `arn:aws:s3:::cisco-managed-eu-central-1` For a list of Cisco Managed buckets, please see https://docs.umbrella.com/mssp-deployment/docs/enable-logging-to-a-cisco-managed-s3-bucket.
- - name: region
- type: text
- title: Bucket Region
- multi: false
- required: false
- show_user: true
- description: >-
- Required for Cisco Managed S3. The region the bucket is located in.
- - name: bucket_list_prefix
- type: text
- title: Bucket List Prefix
- multi: false
- required: false
- show_user: true
- description: "Required for Cisco Managed S3. This sets the root folder of the S3 bucket that should be monitored, found in the S3 Web UI. Example value: `1235_654vcasd23431e5dd6f7fsad457sdf1fd5`. "
- - name: number_of_workers
- type: text
- title: Number of Workers
- multi: false
- required: false
- show_user: true
- default: 1
- description: Required for Cisco Managed S3. Number of workers that will process the S3 objects listed. Minimum is 1.
- - name: bucket_list_interval
- type: text
- title: Bucket List Interval
- multi: false
- required: false
- show_user: true
- description: Time interval for polling listing of the S3 bucket. Defaults to 120s.
- - name: shared_credential_file
- type: text
- title: Shared Credential File
- multi: false
- required: false
- show_user: false
- description: Directory of the shared credentials file.
- - name: credential_profile_name
- type: text
- title: Credential Profile Name
- multi: false
- required: false
- show_user: false
- - name: access_key_id
- type: text
- title: Access Key ID
- multi: false
- required: false
- show_user: true
- - name: secret_access_key
- type: text
- title: Secret Access Key
- multi: false
- required: false
- show_user: true
- - name: session_token
- type: text
- title: Session Token
- multi: false
- required: false
- show_user: true
- - name: role_arn
- type: text
- title: Role ARN
- multi: false
- required: false
- show_user: false
- - name: endpoint
- type: text
- title: Endpoint
- multi: false
- required: false
- show_user: false
- default: ""
- description: URL of the entry point for an AWS web service.
- - name: default_region
- type: text
- title: Default AWS Region
- multi: false
- required: false
- show_user: false
- default: ""
- description: Default region to use prior to connecting to region specific services/endpoints if no AWS region is set from environment variable, credentials or instance profile. If none of the above are set and no default region is set as well, `us-east-1` is used. A region, either from environment variable, credentials or instance profile or from this default region setting, needs to be set when using regions in non-regular AWS environments such as AWS China or US Government Isolated.
- - name: visibility_timeout
- type: text
- title: Visibility Timeout
- multi: false
- required: false
- show_user: false
- description: The duration that the received messages are hidden from subsequent retrieve requests after being retrieved by a ReceiveMessage request. The maximum is 12 hours.
- - name: api_timeout
- type: text
- title: API Timeout
- multi: false
- required: false
- show_user: false
- description: The maximum duration of AWS API can take. The maximum is half of the visibility timeout value.
- - name: fips_enabled
- type: bool
- title: Enable S3 FIPS
- default: false
- multi: false
- required: false
- show_user: false
- description: Enabling this option changes the service name from `s3` to `s3-fips` for connecting to the correct service endpoint.
- - name: proxy_url
- type: text
- title: Proxy URL
- multi: false
- required: false
- show_user: false
- description: URL to proxy connections in the form of http\[s\]://:@:
- - name: tags
- type: text
- title: Tags
- multi: true
- required: true
- show_user: false
- default:
- - cisco-umbrella
- - forwarded
- - name: preserve_original_event
- required: true
- show_user: true
- title: Preserve original event
- description: Preserves a raw copy of the original event, added to the field `event.original`.
- type: bool
- multi: false
- default: false
- - name: processors
- type: yaml
- title: Processors
- multi: false
- required: false
- show_user: false
- description: >-
- Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
diff --git a/packages/cisco_umbrella/1.4.1/data_stream/log/sample_event.json b/packages/cisco_umbrella/1.4.1/data_stream/log/sample_event.json
deleted file mode 100755
index 180f761add..0000000000
--- a/packages/cisco_umbrella/1.4.1/data_stream/log/sample_event.json
+++ /dev/null
@@ -1,97 +0,0 @@ -{ - "destination": { - "geo": { - "continent_name": "North America", - "country_name": "United States", - "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" - }, - "as": { - "number": 15169, - "organization": { - "name": "Google LLC" - } - }, - "address": "8.8.8.8", - "ip": "8.8.8.8" - }, - "source": { - "nat": { - "ip": "1.1.1.1" - }, - "address": "192.168.1.1", - "ip": "192.168.1.1" - }, - "url": { - "path": "/blog/ext_id=Anyclip", - "original": "https://elastic.co/blog/ext_id=Anyclip", - "scheme": "https", - "domain": "elastic.co", - "full": "https://elastic.co/blog/ext_id=Anyclip" - }, - "tags": [ - "preserve_original_event" - ], - "observer": { - "type": "proxy", - "product": "Umbrella", - "vendor": "Cisco" - }, - "@timestamp": "2020-07-23T23:48:56.000Z", - "ecs": { - "version": "8.3.0" - }, - "related": { - "hash": [ - "" - ], - "ip": [ - "192.168.1.1", - "1.1.1.1", - "8.8.8.8" - ] - }, - "http": { - "request": { - "referrer": "https://google.com/elastic", - "bytes": 850 - }, - "response": { - "status_code": 200 - } - }, - "event": { - "ingested": "2021-09-13T00:16:24.480432923Z", - "original": "\"2020-07-23 23:48:56\",\"elasticuser\",\"someotheruser\",\"192.168.1.1\",\"1.1.1.1\",\"8.8.8.8\",\"\",\"ALLOWED\",\"https://elastic.co/blog/ext_id=Anyclip\",\"https://google.com/elastic\",\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.89 Safari/537.36\",\"200\",\"850\",\"\",\"\",\"\",\"Business Services\",\"AVDetectionName\",\"Malicious\",\"MalwareName\",\"\",\"\",\"Roaming Computers\",\"\"", - "category": "network", - "type": [ - "allowed" - ] - }, - "cisco": { - "umbrella": { - "amp_score": "", - "puas": "Malicious", - "identities": [ - "someotheruser" - ], - "content_type": "", - "identity_types": "Roaming Computers", - "blocked_categories": "", - "sha_sha256": "", - "amp_disposition": "MalwareName", - "categories": "Business Services", - "av_detections": 
"AVDetectionName", - "amp_malware_name": "" - } - }, - "user": { - "name": "elasticuser" - }, - "user_agent": { - "original": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.89 Safari/537.36" - } -} \ No newline at end of file diff --git a/packages/cisco_umbrella/1.4.1/docs/README.md b/packages/cisco_umbrella/1.4.1/docs/README.md deleted file mode 100755 index f85909b1e3..0000000000 --- a/packages/cisco_umbrella/1.4.1/docs/README.md +++ /dev/null 
@@ -1,278 +0,0 @@ -# Cisco Umbrella Integration - -This integration is for [Cisco Umbrella](https://docs.umbrella.com/). It includes the following -datasets for receiving logs from an AWS S3 bucket using an SQS notification queue and Cisco Managed S3 bucket without SQS: - -- `log` dataset: supports Cisco Umbrella logs. - -## Logs - -### Umbrella - -When using Cisco Managed S3 buckets that does not use SQS there is no load balancing possibilities for multiple agents, a single agent should be configured to poll the S3 bucket for new and updated files, and the number of workers can be configured to scale vertically. - -The `log` dataset collects Cisco Umbrella logs. - -An example event for `log` looks as following: - -```json -{ - "destination": { - "geo": { - "continent_name": "North America", - "country_name": "United States", - "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" - }, - "as": { - "number": 15169, - "organization": { - "name": "Google LLC" - } - }, - "address": "8.8.8.8", - "ip": "8.8.8.8" - }, - "source": { - "nat": { - "ip": "1.1.1.1" - }, - "address": "192.168.1.1", - "ip": "192.168.1.1" - }, - "url": { - "path": "/blog/ext_id=Anyclip", - "original": "https://elastic.co/blog/ext_id=Anyclip", - "scheme": "https", - "domain": "elastic.co", - "full": "https://elastic.co/blog/ext_id=Anyclip" - }, - "tags": [ - "preserve_original_event" - ], - "observer": { - "type": "proxy", - "product": "Umbrella", - "vendor": "Cisco" - }, - "@timestamp": "2020-07-23T23:48:56.000Z", - "ecs": { - "version": "8.3.0" - }, - "related": { - "hash": [ - "" - ], - "ip": [ - "192.168.1.1", - "1.1.1.1", - "8.8.8.8" - ] - }, - "http": { - "request": { - "referrer": "https://google.com/elastic", - "bytes": 850 - }, - "response": { - "status_code": 200 - } - }, - "event": { - "ingested": "2021-09-13T00:16:24.480432923Z", - "original": "\"2020-07-23 
23:48:56\",\"elasticuser\",\"someotheruser\",\"192.168.1.1\",\"1.1.1.1\",\"8.8.8.8\",\"\",\"ALLOWED\",\"https://elastic.co/blog/ext_id=Anyclip\",\"https://google.com/elastic\",\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.89 Safari/537.36\",\"200\",\"850\",\"\",\"\",\"\",\"Business Services\",\"AVDetectionName\",\"Malicious\",\"MalwareName\",\"\",\"\",\"Roaming Computers\",\"\"", - "category": "network", - "type": [ - "allowed" - ] - }, - "cisco": { - "umbrella": { - "amp_score": "", - "puas": "Malicious", - "identities": [ - "someotheruser" - ], - "content_type": "", - "identity_types": "Roaming Computers", - "blocked_categories": "", - "sha_sha256": "", - "amp_disposition": "MalwareName", - "categories": "Business Services", - "av_detections": "AVDetectionName", - "amp_malware_name": "" - } - }, - "user": { - "name": "elasticuser" - }, - "user_agent": { - "original": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.89 Safari/537.36" - } -} -``` - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. | date | -| cisco.umbrella.amp_disposition | The status of the files proxied and scanned by Cisco Advanced Malware Protection (AMP) as part of the Umbrella File Inspection feature; can be Clean, Malicious or Unknown. | keyword | -| cisco.umbrella.amp_malware_name | If Malicious, the name of the malware according to AMP. | keyword | -| cisco.umbrella.amp_score | The score of the malware from AMP. This field is not currently used and will be blank. 
| keyword | -| cisco.umbrella.audit.after | The policy or setting after the change was made. | keyword | -| cisco.umbrella.audit.before | The policy or setting before the change was made. | keyword | -| cisco.umbrella.audit.type | Where the change was made, such as settings or a policy. | keyword | -| cisco.umbrella.av_detections | The detection name according to the antivirus engine used in file inspection. | keyword | -| cisco.umbrella.blocked_categories | The categories that resulted in the destination being blocked. Available in version 4 and above. | keyword | -| cisco.umbrella.categories | The security or content categories that the destination matches. | keyword | -| cisco.umbrella.certificate_errors | | keyword | -| cisco.umbrella.content_type | The type of web content, typically text/html. | keyword | -| cisco.umbrella.datacenter | The name of the Umbrella Data Center that processed the user-generated traffic. | keyword | -| cisco.umbrella.destination_lists_id | | keyword | -| cisco.umbrella.dlp_status | | keyword | -| cisco.umbrella.file_name | | keyword | -| cisco.umbrella.identities | An array of the different identities related to the event. | keyword | -| cisco.umbrella.identity | The identity that made the request. An identity can be a high-level entity within your system (e.g a network) or very granular (e.g a single user) | keyword | -| cisco.umbrella.identity_types | The type of identity that made the request. For example, Roaming Computer or Network. | keyword | -| cisco.umbrella.origin_id | The unique identity of the network tunnel. | keyword | -| cisco.umbrella.policy_identity_type | The first identity type matched with this request. Available in version 3 and above. | keyword | -| cisco.umbrella.puas | A list of all potentially unwanted application (PUA) results for the proxied file as returned by the antivirus scanner. 
| keyword | -| cisco.umbrella.request_method | | keyword | -| cisco.umbrella.rule_id | | keyword | -| cisco.umbrella.ruleset_id | | keyword | -| cisco.umbrella.sha_sha256 | Hex digest of the response content. | keyword | -| client.domain | The domain name of the client system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | -| client.registered_domain | The highest registered client domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | -| client.subdomain | The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword | -| client.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. 
Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| destination.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| destination.as.organization.name | Organization name. | keyword | -| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. | match_only_text | -| destination.bytes | Bytes sent from the destination to the source. | long | -| destination.domain | The domain name of the destination system. 
This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | -| destination.geo.city_name | City name. | keyword | -| destination.geo.continent_name | Name of the continent. | keyword | -| destination.geo.country_iso_code | Country ISO code. | keyword | -| destination.geo.country_name | Country name. | keyword | -| destination.geo.location | Longitude and latitude. | geo_point | -| destination.geo.region_iso_code | Region ISO code. | keyword | -| destination.geo.region_name | Region name. | keyword | -| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | -| destination.mac | MAC address of the destination. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | -| destination.nat.ip | Translated ip of destination based NAT sessions (e.g. internet to private DMZ) Typically used with load balancers, firewalls, or routers. | ip | -| destination.nat.port | Port the source session is translated to by NAT Device. Typically used with load balancers, firewalls, or routers. | long | -| destination.port | Port of the destination. | long | -| dns.question.name | The name being queried. If the name field contains non-printable characters (below 32 or above 126), those characters should be represented as escaped base 10 integers (\DDD). Back slashes and quotes should be escaped. Tabs, carriage returns, and line feeds should be converted to \t, \r, and \n respectively. | keyword | -| dns.question.registered_domain | The highest registered domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). 
Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | -| dns.question.subdomain | The subdomain is all of the labels under the registered_domain. If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword | -| dns.question.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | -| dns.question.type | The type of record being queried. | keyword | -| dns.response_code | The DNS response code. | keyword | -| dns.type | The type of DNS event captured, query or answer. If your source of DNS events only gives you DNS queries, you should only create dns events of type `dns.type:query`. If your source of DNS events gives you answers as well, you should create one event per query (optionally as soon as the query is seen). And a second event containing all query details as well as an array of answers. | keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| error.message | Error message. | match_only_text | -| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. 
| keyword | -| event.code | Identification code for this event, if one exists. Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. | keyword | -| event.dataset | Event dataset | constant_keyword | -| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | -| event.module | Event module | constant_keyword | -| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | -| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. 
For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | -| event.timezone | This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). | keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host MAC addresses. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. 
| keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| http.request.bytes | Total size in bytes of the request (body and headers). | long | -| http.request.method | HTTP request method. The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field. | keyword | -| http.request.referrer | Referrer for this HTTP request. | keyword | -| http.response.bytes | Total size in bytes of the response (body and headers). | long | -| http.response.status_code | HTTP response status code. | long | -| input.type | Type of Filebeat input. | keyword | -| log.file.path | Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. | keyword | -| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | -| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword | -| network.direction | Direction of the network traffic. 
When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword | -| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword | -| observer.product | The product name of the observer. | keyword | -| observer.type | The type of the observer the data is coming from. There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. | keyword | -| observer.vendor | Vendor name of the observer. | keyword | -| related.hash | All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). | keyword | -| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| related.user | All the user names or other user identifiers seen on the event. | keyword | -| rule.id | A rule ID that is unique within the scope of an agent, observer, or other entity using the rule for detection of this event. 
| keyword | -| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| source.as.organization.name | Organization name. | keyword | -| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text | -| source.bytes | Bytes sent from the source to the destination. | long | -| source.domain | The domain name of the source system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | -| source.geo.city_name | City name. | keyword | -| source.geo.continent_name | Name of the continent. | keyword | -| source.geo.country_iso_code | Country ISO code. | keyword | -| source.geo.country_name | Country name. | keyword | -| source.geo.location | Longitude and latitude. | geo_point | -| source.geo.region_iso_code | Region ISO code. | keyword | -| source.geo.region_name | Region name. | keyword | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| source.mac | MAC address of the source. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | -| source.nat.ip | Translated ip of source based NAT sessions (e.g. internal client to internet) Typically connections traversing load balancers, firewalls, or routers. | ip | -| source.nat.port | Translated port of source based NAT sessions. (e.g. 
internal client to internet) Typically used with load balancers, firewalls, or routers. | long | -| source.port | Port of the source. | long | -| source.registered_domain | The highest registered source domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | -| source.subdomain | The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword | -| source.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | -| tags | List of keywords used to tag each event. | keyword | -| url.domain | Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. 
| keyword | -| url.extension | The field contains the file extension from the original request url, excluding the leading dot. The file extension is only set if it exists, as not every url has a file extension. The leading period must not be included. For example, the value must be "png", not ".png". Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword | -| url.full | If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. | wildcard | -| url.full.text | Multi-field of `url.full`. | match_only_text | -| url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | wildcard | -| url.original.text | Multi-field of `url.original`. | match_only_text | -| url.path | Path of the request, such as "/search". | wildcard | -| url.query | The query field describes the query string of the request, such as "q=elasticsearch". The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. | keyword | -| url.scheme | Scheme of the request, such as "https". Note: The `:` is not part of the scheme. | keyword | -| user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword | -| user.email | User email address. | keyword | -| user.full_name | User's full name, if available. | keyword | -| user.full_name.text | Multi-field of `user.full_name`. | match_only_text | -| user.id | Unique identifier of the user. 
| keyword |
-| user.name | Short name or login of the user. | keyword |
-| user.name.text | Multi-field of `user.name`. | match_only_text |
-| user_agent.original | Unparsed user_agent string. | keyword |
-| user_agent.original.text | Multi-field of `user_agent.original`. | match_only_text |
diff --git a/packages/cisco_umbrella/1.4.1/img/cisco.svg b/packages/cisco_umbrella/1.4.1/img/cisco.svg
deleted file mode 100755
index 20ebebf197..0000000000
--- a/packages/cisco_umbrella/1.4.1/img/cisco.svg
+++ /dev/null
@@ -1 +0,0 @@
-
\ No newline at end of file
diff --git a/packages/cisco_umbrella/1.4.1/manifest.yml b/packages/cisco_umbrella/1.4.1/manifest.yml
deleted file mode 100755
index be89ad5e78..0000000000
--- a/packages/cisco_umbrella/1.4.1/manifest.yml
+++ /dev/null
@@ -1,28 +0,0 @@
-format_version: 1.0.0
-name: cisco_umbrella
-title: Cisco Umbrella
-version: "1.4.1"
-license: basic
-description: Collect logs from Cisco Umbrella with Elastic Agent.
-type: integration
-categories:
- - network
- - security
-release: ga
-conditions:
- kibana.version: "^8.0.0"
-icons:
- - src: /img/cisco.svg
- title: cisco
- size: 216x216
- type: image/svg+xml
-policy_templates:
- - name: cisco_umbrella
- title: Cisco Umbrella logs
- description: Collect logs from Cisco Umbrella instances
- inputs:
- - type: aws-s3
- title: Collect logs from Cisco Umbrella
- description: Collecting logs from Cisco Umbrella
-owner:
- github: elastic/security-external-integrations
diff --git a/packages/cisco_umbrella/1.4.2/LICENSE.txt b/packages/cisco_umbrella/1.4.2/LICENSE.txt
deleted file mode 100755
index 809108b857..0000000000
--- a/packages/cisco_umbrella/1.4.2/LICENSE.txt
+++ /dev/null
@@ -1,93 +0,0 @@ -Elastic License 2.0 - -URL: https://www.elastic.co/licensing/elastic-license - -## Acceptance - -By using the software, you agree to all of the terms and conditions below. - -## Copyright License - -The licensor grants you a non-exclusive, royalty-free, worldwide, -non-sublicensable, non-transferable license to use, copy, distribute, make -available, and prepare derivative works of the software, in each case subject to -the limitations and conditions below. - -## Limitations - -You may not provide the software to third parties as a hosted or managed -service, where the service provides users with access to any substantial set of -the features or functionality of the software. - -You may not move, change, disable, or circumvent the license key functionality -in the software, and you may not remove or obscure any functionality in the -software that is protected by the license key. - -You may not alter, remove, or obscure any licensing, copyright, or other notices -of the licensor in the software. Any use of the licensor’s trademarks is subject -to applicable law. - -## Patents - -The licensor grants you a license, under any patent claims the licensor can -license, or becomes able to license, to make, have made, use, sell, offer for -sale, import and have imported the software, in each case subject to the -limitations and conditions in this license. This license does not cover any -patent claims that you cause to be infringed by modifications or additions to -the software. If you or your company make any written claim that the software -infringes or contributes to infringement of any patent, your patent license for -the software granted under these terms ends immediately. If your company makes -such a claim, your patent license ends immediately for work on behalf of your -company. - -## Notices - -You must ensure that anyone who gets a copy of any part of the software from you -also gets a copy of these terms. 
- -If you modify the software, you must include in any modified copies of the -software prominent notices stating that you have modified the software. - -## No Other Rights - -These terms do not imply any licenses other than those expressly granted in -these terms. - -## Termination - -If you use the software in violation of these terms, such use is not licensed, -and your licenses will automatically terminate. If the licensor provides you -with a notice of your violation, and you cease all violation of this license no -later than 30 days after you receive that notice, your licenses will be -reinstated retroactively. However, if you violate these terms after such -reinstatement, any additional violation of these terms will cause your licenses -to terminate automatically and permanently. - -## No Liability - -*As far as the law allows, the software comes as is, without any warranty or -condition, and the licensor will not be liable to you for any damages arising -out of these terms or the use or nature of the software, under any kind of -legal claim.* - -## Definitions - -The **licensor** is the entity offering these terms, and the **software** is the -software the licensor makes available under these terms, including any portion -of it. - -**you** refers to the individual or entity agreeing to these terms. - -**your company** is any legal entity, sole proprietorship, or other kind of -organization that you work for, plus all organizations that have control over, -are under the control of, or are under common control with that -organization. **control** means ownership of substantially all the assets of an -entity, or the power to direct its management and policies by vote, contract, or -otherwise. Control can be direct or indirect. - -**your licenses** are all the licenses granted to you for the software under -these terms. - -**use** means anything you do with the software requiring one of your licenses. 
- -**trademark** means trademarks, service marks, and similar rights. diff --git a/packages/cisco_umbrella/1.4.2/changelog.yml b/packages/cisco_umbrella/1.4.2/changelog.yml deleted file mode 100755 index 9e32bb8f4e..0000000000 --- a/packages/cisco_umbrella/1.4.2/changelog.yml +++ /dev/null 
@@ -1,131 +0,0 @@ -# newer versions go on top -- version: "1.4.2" - changes: - - description: Remove duplicate field. - type: enhancement - link: https://github.com/elastic/integrations/pull/4339 -- version: "1.4.1" - changes: - - description: Remove hint for cisco managed s3 Bucket List Prefix - type: bugfix - link: https://github.com/elastic/integrations/pull/4093 -- version: "1.4.0" - changes: - - description: Expose Default Region setting to UI - type: enhancement - link: https://github.com/elastic/integrations/pull/4158 -- version: "1.3.3" - changes: - - description: Use ECS geo.location definition. - type: enhancement - link: https://github.com/elastic/integrations/issues/4227 -- version: "1.3.2" - changes: - - description: Fix proxy log CSV fields - type: bugfix - link: https://github.com/elastic/integrations/pull/4085 -- version: "1.3.1" - changes: - - description: Set default endpoint to empty string - type: bugfix - link: https://github.com/elastic/integrations/pull/4103 -- version: "1.3.0" - changes: - - description: Update package to ECS 8.4.0 - type: enhancement - link: https://github.com/elastic/integrations/pull/3843 -- version: "1.2.2" - changes: - - description: Fix proxy URL documentation rendering. - type: bugfix - link: https://github.com/elastic/integrations/pull/3881 -- version: "1.2.1" - changes: - - description: Add missing proxy config to S3 input - type: enhancement - link: https://github.com/elastic/integrations/pull/3813 -- version: "1.2.0" - changes: - - description: Enrich DNS fields - type: enhancement - link: https://github.com/elastic/integrations/pull/3712 -- version: "1.1.0" - changes: - - description: Update package to ECS 8.3.0. - type: enhancement - link: https://github.com/elastic/integrations/pull/3353 -- version: "1.0.1" - changes: - - description: Update to readme. 
added link to Cisco documentation - type: enhancement - link: https://github.com/elastic/integrations/pull/3219 -- version: "1.0.0" - changes: - - description: Make GA - type: enhancement - link: https://github.com/elastic/integrations/pull/3428 -- version: "0.7.0" - changes: - - description: Add Audit Logs - type: enhancement - link: https://github.com/elastic/integrations/pull/3332 -- version: "0.6.1" - changes: - - description: Fix use of destination.ip instead of source.nat.ip in DNS logs - type: bugfix - link: https://github.com/elastic/integrations/pull/3218 -- version: "0.6.0" - changes: - - description: Update to ECS 8.2 - type: enhancement - link: https://github.com/elastic/integrations/pull/2778 -- version: "0.5.1" - changes: - - description: Add documentation for multi-fields - type: enhancement - link: https://github.com/elastic/integrations/pull/2916 -- version: "0.5.0" - changes: - - description: Update to ECS 8.0 - type: enhancement - link: https://github.com/elastic/integrations/pull/2396 -- version: "0.4.0" - changes: - - description: Update config to support Cisco Managed S3 - type: bugfix - link: https://github.com/elastic/integrations/pull/2462 -- version: "0.3.2" - changes: - - description: Regenerate test files using the new GeoIP database - type: bugfix - link: https://github.com/elastic/integrations/pull/2339 -- version: "0.3.1" - changes: - - description: Change test public IPs to the supported subset - type: bugfix - link: https://github.com/elastic/integrations/pull/2327 -- version: "0.3.0" - changes: - - description: Add 8.0.0 version constraint - type: enhancement - link: https://github.com/elastic/integrations/pull/2269 -- version: "0.2.2" - changes: - - description: Update Title and Description. 
- type: enhancement - link: https://github.com/elastic/integrations/pull/1959 -- version: "0.2.1" - changes: - - description: Fix logic that checks for the 'forwarded' tag - type: bugfix - link: https://github.com/elastic/integrations/pull/1810 -- version: "0.2.0" - changes: - - description: Update to ECS 1.12.0 - type: enhancement - link: https://github.com/elastic/integrations/pull/1787 -- version: "0.1.0" - changes: - - description: Initial migration from Filebeat Module - type: enhancement - link: https://github.com/elastic/integrations/pull/1646 diff --git a/packages/cisco_umbrella/1.4.2/data_stream/log/agent/stream/aws-s3.yml.hbs b/packages/cisco_umbrella/1.4.2/data_stream/log/agent/stream/aws-s3.yml.hbs deleted file mode 100755 index caea4c7d2e..0000000000 --- a/packages/cisco_umbrella/1.4.2/data_stream/log/agent/stream/aws-s3.yml.hbs +++ /dev/null 
@@ -1,76 +0,0 @@ -{{#if queue_url}} -queue_url: {{queue_url}} -{{/if}} -{{#if bucket_arn}} -bucket_arn: {{bucket_arn}} -{{/if}} -{{#if bucket_list_prefix}} -bucket_list_prefix: {{bucket_list_prefix}}/ -{{/if}} -{{#if bucket_list_prefix}} -file_selectors: - - regex: {{bucket_list_prefix}}/dnslogs/.+ - - regex: {{bucket_list_prefix}}/proxylogs/.+ - - regex: {{bucket_list_prefix}}/cloudfirewalllogs/.+ - - regex: {{bucket_list_prefix}}/iplogs/.+ - - regex: {{bucket_list_prefix}}/auditlogs/.+ -{{/if}} -{{#if region}} -default_region: {{region}} -{{/if}} -{{#if credential_profile_name}} -credential_profile_name: {{credential_profile_name}} -{{/if}} -{{#if shared_credential_file}} -shared_credential_file: {{shared_credential_file}} -{{/if}} -{{#if visibility_timeout}} -visibility_timeout: {{visibility_timeout}} -{{/if}} -{{#if api_timeout}} -api_timeout: {{api_timeout}} -{{/if}} -{{#if endpoint}} -endpoint: {{endpoint}} -{{/if}} -{{#if default_region}} -default_region: {{default_region}} -{{/if}} -{{#if access_key_id}} -access_key_id: {{access_key_id}} -{{/if}} -{{#if secret_access_key}} -secret_access_key: {{secret_access_key}} -{{/if}} -{{#if session_token}} -session_token: {{session_token}} -{{/if}} -{{#if role_arn}} -role_arn: {{role_arn}} -{{/if}} -{{#if fips_enabled}} -fips_enabled: {{fips_enabled}} -{{/if}} -{{#if proxy_url }} -proxy_url: {{proxy_url}} -{{/if}} -{{#if number_of_workers}} -number_of_workers: {{number_of_workers}} -{{/if}} -{{#if bucket_list_interval}} -bucket_list_interval: {{bucket_list_interval}} -{{/if}} -tags: -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#each tags as |tag i|}} - - {{tag}} -{{/each}} -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} -{{#if processors}} -processors: -{{processors}} -{{/if}} \ No newline at end of file 
diff --git a/packages/cisco_umbrella/1.4.2/data_stream/log/elasticsearch/ingest_pipeline/default.yml b/packages/cisco_umbrella/1.4.2/data_stream/log/elasticsearch/ingest_pipeline/default.yml deleted file mode 100755 index 4b4aeeb8e1..0000000000 --- a/packages/cisco_umbrella/1.4.2/data_stream/log/elasticsearch/ingest_pipeline/default.yml +++ /dev/null 
@@ -1,441 +0,0 @@ ---- -description: Pipeline for Cisco Umbrella - -processors: - - set: - field: ecs.version - value: '8.4.0' - - set: - field: observer.vendor - value: Cisco - - set: - field: observer.product - value: Umbrella - - rename: - field: message - target_field: event.original - ############ - # DNS Logs # - ############ - - csv: - field: event.original - target_fields: - - cisco.umbrella._tmp.time - - user.name - - cisco.umbrella.identities - - source.address - - source.nat.ip - - cisco.umbrella.action - - dns.question.type - - dns.response_code - - dns.question.name - - cisco.umbrella.categories - - cisco.umbrella.policy_identity_type - - cisco.umbrella.identity_types - - cisco.umbrella.blocked_categories - if: ctx.log?.file?.path.contains('dnslogs') - - gsub: - description: Strip tailing dot from DNS names. - field: dns.question.name - pattern: '\.$' - replacement: '' - ignore_missing: true - - set: - field: observer.type - value: dns - if: ctx.log?.file?.path.contains('dnslogs') - ########### - # IP Logs # - ########### - - csv: - field: event.original - target_fields: - - cisco.umbrella._tmp.time - - user.name - - source.address - - source.port - - destination.address - - destination.port - - cisco.umbrella.categories - if: ctx.log?.file?.path.contains('iplogs') - - - set: - field: observer.type - value: firewall - if: ctx.log?.file?.path.contains('iplogs') - - ############## - # Proxy Logs # - ############## - - csv: - field: event.original - target_fields: - - cisco.umbrella._tmp.time - - cisco.umbrella.identity - - source.address - - source.nat.ip - - destination.address - - cisco.umbrella.content_type - - cisco.umbrella.verdict - - url.full - - http.request.referrer - - user_agent.original - - http.response.status_code - - http.request.bytes - - http.response.bytes - - http.response.body.bytes - - cisco.umbrella.sha_sha256 - - cisco.umbrella.categories - - cisco.umbrella.av_detections - - cisco.umbrella.puas - - cisco.umbrella.amp_disposition - 
- cisco.umbrella.amp_malware_name - - cisco.umbrella.amp_score - - cisco.umbrella.identity_types - - cisco.umbrella.blocked_categories - - cisco.umbrella.identities - - cisco.umbrella.identity_types - - cisco.umbrella.request_method - - cisco.umbrella.dlp_status - - cisco.umbrella.certificate_errors - - cisco.umbrella.file_name - - cisco.umbrella.ruleset_id - - cisco.umbrella.rule_id - - cisco.umbrella.destination_lists_id - if: ctx.log?.file?.path.contains('proxylogs') - - - set: - field: observer.type - value: proxy - if: ctx.log?.file?.path.contains('proxylogs') - - ####################### - # Cloud Firewall Logs # - ####################### - - csv: - field: event.original - target_fields: - - cisco.umbrella._tmp.time - - cisco.umbrella.origin_id - - user.name - - cisco.umbrella.identity_types - - cisco.umbrella.direction - - network.transport - - source.bytes - - source.address - - source.port - - destination.address - - destination.port - - cisco.umbrella.datacenter - - cisco.umbrella.ruleid - - cisco.umbrella.verdict - if: ctx.log?.file?.path.contains('cloudfirewalllogs') - - - set: - field: observer.type - value: firewall - if: ctx.log?.file?.path.contains('cloudfirewalllogs') - - ####################### - # Audit Logs # - ####################### - - csv: - field: event.original - target_fields: - - event.id - - cisco.umbrella._tmp.time - - user.email - - user.name - - cisco.umbrella.audit.type - - event.action - - source.address - - cisco.umbrella.audit.before - - cisco.umbrella.audit.after - if: ctx.log?.file?.path.contains('auditlogs') - - - uri_parts: - field: url.full - ignore_failure: true - if: ctx.url?.full != null - - # Identifies is a field that includes any sort of username, device or other asset that is included in the request. 
- # Converting this to an array to make it easier to use in searches and visualizations - - split: - field: cisco.umbrella.identities - separator: ",\\s*" - preserve_trailing: false - if: "ctx.cisco?.umbrella?.identities != null && (ctx.log?.file?.path.contains('dnslogs') || ctx.log?.file?.path.contains('proxylogs'))" - - split: - field: cisco.umbrella.categories - separator: ",\\s*" - preserve_trailing: false - if: "ctx.log?.file?.path.contains('dnslogs') && ctx.cisco?.umbrella?.categories != null" - - split: - field: cisco.umbrella.blocked_categories - separator: ",\\s*" - preserve_trailing: false - if: "ctx.log?.file?.path.contains('dnslogs') && ctx.cisco?.umbrella?.blocked_categories != null" - - split: - field: cisco.umbrella.identity_types - separator: ",\\s*" - preserve_trailing: false - if: "ctx.cisco?.umbrella?.identity_types != null" - - ###################### - # General ECS Fields # - ###################### - # This field is always in UTC, so no timezone should need to be set - - date: - field: cisco.umbrella._tmp.time - target_field: "@timestamp" - formats: - - "yyyy-MM-dd HH:mm:ss" - - ISO8601 - if: ctx.cisco?.umbrella?._tmp?.time != null - ################## - # DNS ECS Fields # - ################## - - set: - field: dns.type - value: query - if: ctx.cisco?.umbrella?.action != null - - registered_domain: - field: dns.question.name - target_field: dns.question - ignore_missing: true - ignore_failure: true - - remove: - field: dns.question.domain - ignore_missing: true - ###################### - # Network ECS Fields # - ###################### - - lowercase: - field: cisco.umbrella.direction - target_field: network.direction - if: ctx.cisco?.umbrella?.direction != null - - convert: - field: source.bytes - type: long - if: ctx.source?.bytes != null - - convert: - field: source.port - type: long - if: ctx.source?.port != null - - convert: - field: destination.port - type: long - if: ctx.destination?.port != null - ################### - # HTTP ECS Fields # 
- ################### - - convert: - field: http.request.bytes - type: long - if: ctx.http?.request?.bytes != null - - convert: - field: http.response.bytes - type: long - if: ctx.http?.response?.bytes != null - - convert: - field: http.response.status_code - type: long - if: ctx.http?.response?.status_code != null - ################### - # Rule ECS Fields # - ################### - - rename: - field: cisco.umbrella.ruleid - target_field: rule.id - if: ctx.cisco?.umbrella?.ruleid != null - - #################### - # Event ECS Fields # - #################### - - set: - field: event.action - value: "dns-request-{{cisco.umbrella.action}}" - if: ctx.cisco?.umbrella?.action != null - - set: - field: event.category - value: network - if: "!ctx.log?.file?.path.contains('auditlogs')" - - append: - field: event.type - value: allowed - if: "ctx.cisco?.umbrella?.action == 'Allowed' || ['ALLOWED','ALLOW'].contains(ctx.cisco?.umbrella?.verdict)" - - append: - field: event.type - value: denied - if: "ctx.cisco?.umbrella?.action == 'Blocked' || ['BLOCKED','BLOCK'].contains(ctx.cisco?.umbrella?.verdict)" - - append: - field: event.type - value: connection - if: ctx.cisco?.umbrella?.action != null - - set: - field: event.category - value: configuration - if: "ctx.log?.file?.path.contains('auditlogs')" - - append: - field: event.type - value: creation - if: "ctx.log?.file?.path.contains('auditlogs') && ctx.event?.action.toLowerCase() == 'create'" - - append: - field: event.type - value: change - if: "ctx.log?.file?.path.contains('auditlogs') && ctx.event?.action.toLowerCase() == 'update'" - - append: - field: event.type - value: deletion - if: "ctx.log?.file?.path.contains('auditlogs') && ctx.event?.action.toLowerCase() == 'delete'" - # Converting address fields to either ip or domain - - convert: - field: source.address - target_field: source.ip - type: ip - ignore_missing: true - on_failure: - - set: - copy_from: source.address - field: source.domain - override: true - - - convert: 
- field: destination.address - target_field: destination.ip - type: ip - ignore_missing: true - on_failure: - - set: - field: destination.domain - copy_from: destination.address - override: true - - # For nat, there's no address or domain subfield. - # If the value is not a valid IP, it must be removed - # or ingestion will fail. Probably just an empty value. - - convert: - field: source.nat.ip - type: ip - ignore_missing: true - on_failure: - - remove: - field: source.nat.ip - - - community_id: - ignore_missing: true - - geoip: - field: source.ip - target_field: source.geo - ignore_missing: true - - geoip: - database_file: GeoLite2-ASN.mmdb - field: source.ip - target_field: source.as - properties: - - asn - - organization_name - ignore_missing: true - - rename: - field: source.as.asn - target_field: source.as.number - ignore_missing: true - - rename: - field: source.as.organization_name - target_field: source.as.organization.name - ignore_missing: true - - geoip: - field: destination.ip - target_field: destination.geo - ignore_missing: true - - geoip: - database_file: GeoLite2-ASN.mmdb - field: destination.ip - target_field: destination.as - properties: - - asn - - organization_name - ignore_missing: true - - rename: - field: destination.as.asn - target_field: destination.as.number - ignore_missing: true - - rename: - field: destination.as.organization_name - target_field: destination.as.organization.name - ignore_missing: true - ###################### - # Related ECS Fields # - ###################### - - append: - field: related.user - value: "{{user.name}}" - if: ctx.source?.user?.name != null - - append: - field: related.ip - value: "{{source.ip}}" - if: ctx.source?.ip != null - - append: - field: related.ip - value: "{{source.nat.ip}}" - if: ctx.source?.nat?.ip != null - - append: - field: related.ip - value: "{{destination.ip}}" - if: ctx.destination?.ip != null - - append: - field: related.hosts - value: "{{source.domain}}" - if: ctx.source?.domain != null 
- - append: - field: related.hosts - value: "{{dns.question.name}}" - if: ctx.dns?.question?.name != null - - append: - field: related.hash - value: "{{cisco.umbrella.sha_sha256}}" - if: ctx.cisco?.umbrella?.sha_sha256 != null - - script: - if: ctx.cisco?.umbrella?.identities != null && ctx.cisco.umbrella.identities instanceof List - lang: painless - description: "Extract user name values from ctx.cisco.umbrella.identities and append it to related.user" - source: |- - void addRelatedUser(def ctx, def x) { - if (ctx.related == null) { - Map map = new HashMap(); - ctx.put("related", map); - } - if (ctx.related?.user == null) { - ArrayList al = new ArrayList(); - ctx.related.put("user", al); - } - if (!ctx.related.user.contains(x)) { - ctx.related.user.add(x); - } - } - for (cisco_identity in ctx.cisco.umbrella.identities) { - if (cisco_identity.contains('@')) { - addRelatedUser(ctx, cisco_identity); - } - } - - ########### - # Cleanup # - ########### - - remove: - field: - - cisco.umbrella._tmp - - cisco.umbrella.direction - - cisco.umbrella.action - - cisco.umbrella.verdict - ignore_missing: true - - - remove: - field: event.original - if: "ctx.tags == null || !(ctx.tags.contains('preserve_original_event'))" - ignore_failure: true - ignore_missing: true -on_failure: - - set: - field: error.message - value: "{{ _ingest.on_failure_message }}" diff --git a/packages/cisco_umbrella/1.4.2/data_stream/log/fields/agent.yml b/packages/cisco_umbrella/1.4.2/data_stream/log/fields/agent.yml deleted file mode 100755 index e0f9e38998..0000000000 --- a/packages/cisco_umbrella/1.4.2/data_stream/log/fields/agent.yml +++ /dev/null 
@@ -1,170 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. 
- example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - diff --git a/packages/cisco_umbrella/1.4.2/data_stream/log/fields/base-fields.yml b/packages/cisco_umbrella/1.4.2/data_stream/log/fields/base-fields.yml deleted file mode 100755 index 1fb9b67d57..0000000000 --- a/packages/cisco_umbrella/1.4.2/data_stream/log/fields/base-fields.yml +++ /dev/null 
@@ -1,24 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: event.module - type: constant_keyword - description: Event module - value: cisco_umbrella -- name: event.dataset - type: constant_keyword - description: Event dataset - value: cisco_umbrella.log -- name: container.id - description: Unique container id. - ignore_above: 1024 - type: keyword -- name: input.type - description: Type of Filebeat input. - type: keyword diff --git a/packages/cisco_umbrella/1.4.2/data_stream/log/fields/ecs.yml b/packages/cisco_umbrella/1.4.2/data_stream/log/fields/ecs.yml deleted file mode 100755 index b8fef2a8cb..0000000000 --- a/packages/cisco_umbrella/1.4.2/data_stream/log/fields/ecs.yml +++ /dev/null 
@@ -1,428 +0,0 @@ -- description: |- - Date/time when the event originated. - This is the date/time extracted from the event, typically representing when the event was generated by the source. - If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. - Required field for all events. - name: '@timestamp' - type: date -- description: |- - The domain name of the client system. - This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. - name: client.domain - type: keyword -- description: |- - The highest registered client domain, stripped of the subdomain. - For example, the registered domain for "foo.example.com" is "example.com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". - name: client.registered_domain - type: keyword -- description: |- - The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. - For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. - name: client.subdomain - type: keyword -- description: |- - The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). 
Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". - name: client.top_level_domain - type: keyword -- description: |- - Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: destination.address - type: keyword -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: destination.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: destination.as.organization.name - type: keyword -- description: Bytes sent from the destination to the source. - name: destination.bytes - type: long -- description: |- - The domain name of the destination system. - This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. - name: destination.domain - type: keyword -- description: City name. - name: destination.geo.city_name - type: keyword -- description: Country name. - name: destination.geo.country_name - type: keyword -- description: Name of the continent. - name: destination.geo.continent_name - type: keyword -- description: Region ISO code. - name: destination.geo.region_iso_code - type: keyword -- description: Region name. - name: destination.geo.region_name - type: keyword -- description: Country ISO code. - name: destination.geo.country_iso_code - type: keyword -- description: Longitude and latitude. - name: destination.geo.location - type: geo_point -- description: IP address of the destination (IPv4 or IPv6). - name: destination.ip - type: ip -- description: |- - MAC address of the destination. 
- The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. - name: destination.mac - pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ - type: keyword -- description: |- - Translated ip of destination based NAT sessions (e.g. internet to private DMZ) - Typically used with load balancers, firewalls, or routers. - name: destination.nat.ip - type: ip -- description: |- - Port the source session is translated to by NAT Device. - Typically used with load balancers, firewalls, or routers. - name: destination.nat.port - type: long -- description: Port of the destination. - name: destination.port - type: long -- description: The DNS response code. - name: dns.response_code - type: keyword -- description: The type of record being queried. - name: dns.question.type - type: keyword -- description: |- - The type of DNS event captured, query or answer. - If your source of DNS events only gives you DNS queries, you should only create dns events of type `dns.type:query`. - If your source of DNS events gives you answers as well, you should create one event per query (optionally as soon as the query is seen). And a second event containing all query details as well as an array of answers. - name: dns.type - type: keyword -- description: |- - The name being queried. - If the name field contains non-printable characters (below 32 or above 126), those characters should be represented as escaped base 10 integers (\DDD). Back slashes and quotes should be escaped. Tabs, carriage returns, and line feeds should be converted to \t, \r, and \n respectively. - name: dns.question.name - type: keyword -- description: |- - The highest registered domain, stripped of the subdomain. - For example, the registered domain for "foo.example.com" is "example.com". 
- This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". - name: dns.question.registered_domain - type: keyword -- description: |- - The subdomain is all of the labels under the registered_domain. - If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. - name: dns.question.subdomain - type: keyword -- description: |- - The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". - name: dns.question.top_level_domain - type: keyword -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: Error message. - name: error.message - type: match_only_text -- description: |- - The action captured by the event. - This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. - name: event.action - type: keyword -- description: |- - Identification code for this event, if one exists. - Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. 
- name: event.code - type: keyword -- description: |- - Timestamp when an event arrived in the central data store. - This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. - In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. - name: event.ingested - type: date -- description: |- - Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. - This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. - doc_values: false - index: false - name: event.original - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. - `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. - Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. - Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. - Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. 
- name: event.outcome - type: keyword -- description: |- - This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. - Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). - name: event.timezone - type: keyword -- description: |- - Hostname of the host. - It normally contains what the `hostname` command returns on the host machine. - name: host.hostname - type: keyword -- description: Host ip addresses. - name: host.ip - normalize: - - array - type: ip -- description: |- - Host MAC addresses. - The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. - name: host.mac - normalize: - - array - pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ - type: keyword -- description: |- - Name of the host. - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. - name: host.name - type: keyword -- description: |- - HTTP request method. - The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field. - name: http.request.method - type: keyword -- description: Referrer for this HTTP request. - name: http.request.referrer - type: keyword -- description: Total size in bytes of the request (body and headers). - name: http.request.bytes - type: long -- description: HTTP response status code. - name: http.response.status_code - type: long -- description: Total size in bytes of the response (body and headers). 
- name: http.response.bytes - type: long -- description: |- - For log events the message field contains the log message, optimized for viewing in a log viewer. - For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. - If multiple messages exist, they can be combined into one message. - name: message - type: match_only_text -- description: |- - Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) - The field value must be normalized to lowercase for querying. - name: network.transport - type: keyword -- description: |- - Direction of the network traffic. - When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". - When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". - Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. - name: network.direction - type: keyword -- description: |- - A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. - Learn more at https://github.com/corelight/community-id-spec. - name: network.community_id - type: keyword -- description: The product name of the observer. - name: observer.product - type: keyword -- description: |- - The type of the observer the data is coming from. - There is no predefined list of observer types. 
Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. - name: observer.type - type: keyword -- description: Vendor name of the observer. - name: observer.vendor - type: keyword -- description: All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. - name: related.hosts - normalize: - - array - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - normalize: - - array - type: ip -- description: All the user names or other user identifiers seen on the event. - name: related.user - normalize: - - array - type: keyword -- description: All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). - name: related.hash - normalize: - - array - type: keyword -- description: |- - Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: source.address - type: keyword -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: source.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: source.as.organization.name - type: keyword -- description: Bytes sent from the source to the destination. - name: source.bytes - type: long -- description: |- - The domain name of the source system. - This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. 
- name: source.domain - type: keyword -- description: City name. - name: source.geo.city_name - type: keyword -- description: Country name. - name: source.geo.country_name - type: keyword -- description: Name of the continent. - name: source.geo.continent_name - type: keyword -- description: Country ISO code. - name: source.geo.country_iso_code - type: keyword -- description: Longitude and latitude. - name: source.geo.location - type: geo_point -- description: Region ISO code. - name: source.geo.region_iso_code - type: keyword -- description: Region name. - name: source.geo.region_name - type: keyword -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: |- - MAC address of the source. - The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. - name: source.mac - pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ - type: keyword -- description: |- - Translated ip of source based NAT sessions (e.g. internal client to internet) - Typically connections traversing load balancers, firewalls, or routers. - name: source.nat.ip - type: ip -- description: |- - Translated port of source based NAT sessions. (e.g. internal client to internet) - Typically used with load balancers, firewalls, or routers. - name: source.nat.port - type: long -- description: Port of the source. - name: source.port - type: long -- description: |- - The highest registered source domain, stripped of the subdomain. - For example, the registered domain for "foo.example.com" is "example.com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". 
- name: source.registered_domain - type: keyword -- description: |- - The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. - For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. - name: source.subdomain - type: keyword -- description: |- - The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". - name: source.top_level_domain - type: keyword -- description: List of keywords used to tag each event. - name: tags - normalize: - - array - type: keyword -- description: |- - Domain of the url, such as "www.elastic.co". - In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. - If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. - name: url.domain - type: keyword -- description: |- - Unmodified original url as seen in the event source. - Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. - This field is meant to represent the URL as it was observed, complete or not. 
- multi_fields: - - name: text - type: match_only_text - name: url.original - type: wildcard -- description: Path of the request, such as "/search". - name: url.path - type: wildcard -- description: |- - The query field describes the query string of the request, such as "q=elasticsearch". - The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. - name: url.query - type: keyword -- description: |- - The field contains the file extension from the original request url, excluding the leading dot. - The file extension is only set if it exists, as not every url has a file extension. - The leading period must not be included. For example, the value must be "png", not ".png". - Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). - name: url.extension - type: keyword -- description: |- - Scheme of the request, such as "https". - Note: The `:` is not part of the scheme. - name: url.scheme - type: keyword -- description: If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. - multi_fields: - - name: text - type: match_only_text - name: url.full - type: wildcard -- description: |- - Name of the directory the user is a member of. - For example, an LDAP or Active Directory domain name. - name: user.domain - type: keyword -- description: User's full name, if available. - multi_fields: - - name: text - type: match_only_text - name: user.full_name - type: keyword -- description: Unique identifier of the user. - name: user.id - type: keyword -- description: Short name or login of the user. - multi_fields: - - name: text - type: match_only_text - name: user.name - type: keyword -- description: User email address. 
- name: user.email - type: keyword -- description: Unparsed user_agent string. - multi_fields: - - name: text - type: match_only_text - name: user_agent.original - type: keyword -- description: A rule ID that is unique within the scope of an agent, observer, or other entity using the rule for detection of this event. - name: rule.id - type: keyword -- description: |- - Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. - If the event wasn't read from a log file, do not populate this field. - name: log.file.path - type: keyword diff --git a/packages/cisco_umbrella/1.4.2/data_stream/log/fields/fields.yml b/packages/cisco_umbrella/1.4.2/data_stream/log/fields/fields.yml deleted file mode 100755 index 286baf6dd1..0000000000 --- a/packages/cisco_umbrella/1.4.2/data_stream/log/fields/fields.yml +++ /dev/null 
@@ -1,104 +0,0 @@ -- name: cisco.umbrella - type: group - description: > - Fields for Cisco Umbrella. - - fields: - - name: identity - type: keyword - description: > - The identity that made the request. An identity can be a high-level entity within your system (e.g a network) or very granular (e.g a single user) - - - name: identities - type: keyword - description: > - An array of the different identities related to the event. - - - name: categories - type: keyword - description: > - The security or content categories that the destination matches. - - - name: policy_identity_type - type: keyword - description: > - The first identity type matched with this request. Available in version 3 and above. - - - name: identity_types - type: keyword - description: > - The type of identity that made the request. For example, Roaming Computer or Network. - - - name: blocked_categories - type: keyword - description: > - The categories that resulted in the destination being blocked. Available in version 4 and above. - - - name: content_type - type: keyword - description: > - The type of web content, typically text/html. - - - name: sha_sha256 - type: keyword - description: > - Hex digest of the response content. - - - name: av_detections - type: keyword - description: > - The detection name according to the antivirus engine used in file inspection. - - - name: puas - type: keyword - description: > - A list of all potentially unwanted application (PUA) results for the proxied file as returned by the antivirus scanner. - - - name: amp_disposition - type: keyword - description: > - The status of the files proxied and scanned by Cisco Advanced Malware Protection (AMP) as part of the Umbrella File Inspection feature; can be Clean, Malicious or Unknown. - - - name: amp_malware_name - type: keyword - description: > - If Malicious, the name of the malware according to AMP. - - - name: amp_score - type: keyword - description: > - The score of the malware from AMP. 
This field is not currently used and will be blank. - - - name: datacenter - type: keyword - description: > - The name of the Umbrella Data Center that processed the user-generated traffic. - - - name: origin_id - type: keyword - description: > - The unique identity of the network tunnel. - - - name: request_method - type: keyword - - name: dlp_status - type: keyword - - name: certificate_errors - type: keyword - - name: file_name - type: keyword - - name: ruleset_id - type: keyword - - name: rule_id - type: keyword - - name: destination_lists_id - type: keyword - - name: audit.type - type: keyword - description: Where the change was made, such as settings or a policy. - - name: audit.before - type: keyword - description: The policy or setting before the change was made. - - name: audit.after - type: keyword - description: The policy or setting after the change was made. diff --git a/packages/cisco_umbrella/1.4.2/data_stream/log/manifest.yml b/packages/cisco_umbrella/1.4.2/data_stream/log/manifest.yml deleted file mode 100755 index 36ceaab941..0000000000 --- a/packages/cisco_umbrella/1.4.2/data_stream/log/manifest.yml +++ /dev/null 
@@ -1,162 +0,0 @@ -title: Cisco Umbrella logs -release: experimental -type: logs -streams: - - input: aws-s3 - enabled: false - title: Cisco Umbrella logs - description: Collect Cisco Umbrella logs - template_path: aws-s3.yml.hbs - vars: - - name: queue_url - type: text - title: Queue URL - multi: false - required: false - show_user: true - description: URL of the AWS SQS queue that messages will be received from. For Cisco Managed S3 buckets or S3 without SQS, use Bucket ARN. - - name: bucket_arn - type: text - title: Bucket ARN - multi: false - required: false - show_user: true - description: >- - Required for Cisco Managed S3. If the S3 bucket does not use SQS, this is the address for the S3 bucket, one example is `arn:aws:s3:::cisco-managed-eu-central-1` For a list of Cisco Managed buckets, please see https://docs.umbrella.com/mssp-deployment/docs/enable-logging-to-a-cisco-managed-s3-bucket. - - name: region - type: text - title: Bucket Region - multi: false - required: false - show_user: true - description: >- - Required for Cisco Managed S3. The region the bucket is located in. - - name: bucket_list_prefix - type: text - title: Bucket List Prefix - multi: false - required: false - show_user: true - description: "Required for Cisco Managed S3. This sets the root folder of the S3 bucket that should be monitored, found in the S3 Web UI. Example value: `1235_654vcasd23431e5dd6f7fsad457sdf1fd5`. " - - name: number_of_workers - type: text - title: Number of Workers - multi: false - required: false - show_user: true - default: 1 - description: Required for Cisco Managed S3. Number of workers that will process the S3 objects listed. Minimum is 1. - - name: bucket_list_interval - type: text - title: Bucket List Interval - multi: false - required: false - show_user: true - description: Time interval for polling listing of the S3 bucket. Defaults to 120s. 
- - name: shared_credential_file - type: text - title: Shared Credential File - multi: false - required: false - show_user: false - description: Directory of the shared credentials file. - - name: credential_profile_name - type: text - title: Credential Profile Name - multi: false - required: false - show_user: false - - name: access_key_id - type: text - title: Access Key ID - multi: false - required: false - show_user: true - - name: secret_access_key - type: text - title: Secret Access Key - multi: false - required: false - show_user: true - - name: session_token - type: text - title: Session Token - multi: false - required: false - show_user: true - - name: role_arn - type: text - title: Role ARN - multi: false - required: false - show_user: false - - name: endpoint - type: text - title: Endpoint - multi: false - required: false - show_user: false - default: "" - description: URL of the entry point for an AWS web service. - - name: default_region - type: text - title: Default AWS Region - multi: false - required: false - show_user: false - default: "" - description: Default region to use prior to connecting to region specific services/endpoints if no AWS region is set from environment variable, credentials or instance profile. If none of the above are set and no default region is set as well, `us-east-1` is used. A region, either from environment variable, credentials or instance profile or from this default region setting, needs to be set when using regions in non-regular AWS environments such as AWS China or US Government Isolated. - - name: visibility_timeout - type: text - title: Visibility Timeout - multi: false - required: false - show_user: false - description: The duration that the received messages are hidden from subsequent retrieve requests after being retrieved by a ReceiveMessage request. The maximum is 12 hours. 
- - name: api_timeout - type: text - title: API Timeout - multi: false - required: false - show_user: false - description: The maximum duration of AWS API can take. The maximum is half of the visibility timeout value. - - name: fips_enabled - type: bool - title: Enable S3 FIPS - default: false - multi: false - required: false - show_user: false - description: Enabling this option changes the service name from `s3` to `s3-fips` for connecting to the correct service endpoint. - - name: proxy_url - type: text - title: Proxy URL - multi: false - required: false - show_user: false - description: URL to proxy connections in the form of http\[s\]://:@: - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: false - default: - - cisco-umbrella - - forwarded - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original`. - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: >- - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. diff --git a/packages/cisco_umbrella/1.4.2/data_stream/log/sample_event.json b/packages/cisco_umbrella/1.4.2/data_stream/log/sample_event.json deleted file mode 100755 index 180f761add..0000000000 --- a/packages/cisco_umbrella/1.4.2/data_stream/log/sample_event.json +++ /dev/null 
@@ -1,97 +0,0 @@
-{
- "destination": {
- "geo": {
- "continent_name": "North America",
- "country_name": "United States",
- "location": {
- "lon": -97.822,
- "lat": 37.751
- },
- "country_iso_code": "US"
- },
- "as": {
- "number": 15169,
- "organization": {
- "name": "Google LLC"
- }
- },
- "address": "8.8.8.8",
- "ip": "8.8.8.8"
- },
- "source": {
- "nat": {
- "ip": "1.1.1.1"
- },
- "address": "192.168.1.1",
- "ip": "192.168.1.1"
- },
- "url": {
- "path": "/blog/ext_id=Anyclip",
- "original": "https://elastic.co/blog/ext_id=Anyclip",
- "scheme": "https",
- "domain": "elastic.co",
- "full": "https://elastic.co/blog/ext_id=Anyclip"
- },
- "tags": [
- "preserve_original_event"
- ],
- "observer": {
- "type": "proxy",
- "product": "Umbrella",
- "vendor": "Cisco"
- },
- "@timestamp": "2020-07-23T23:48:56.000Z",
- "ecs": {
- "version": "8.3.0"
- },
- "related": {
- "hash": [
- ""
- ],
- "ip": [
- "192.168.1.1",
- "1.1.1.1",
- "8.8.8.8"
- ]
- },
- "http": {
- "request": {
- "referrer": "https://google.com/elastic",
- "bytes": 850
- },
- "response": {
- "status_code": 200
- }
- },
- "event": {
- "ingested": "2021-09-13T00:16:24.480432923Z",
- "original": "\"2020-07-23 23:48:56\",\"elasticuser\",\"someotheruser\",\"192.168.1.1\",\"1.1.1.1\",\"8.8.8.8\",\"\",\"ALLOWED\",\"https://elastic.co/blog/ext_id=Anyclip\",\"https://google.com/elastic\",\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.89 Safari/537.36\",\"200\",\"850\",\"\",\"\",\"\",\"Business Services\",\"AVDetectionName\",\"Malicious\",\"MalwareName\",\"\",\"\",\"Roaming Computers\",\"\"",
- "category": "network",
- "type": [
- "allowed"
- ]
- },
- "cisco": {
- "umbrella": {
- "amp_score": "",
- "puas": "Malicious",
- "identities": [
- "someotheruser"
- ],
- "content_type": "",
- "identity_types": "Roaming Computers",
- "blocked_categories": "",
- "sha_sha256": "",
- "amp_disposition": "MalwareName",
- "categories": "Business Services",
- "av_detections": "AVDetectionName",
- "amp_malware_name": ""
- }
- },
- "user": {
- "name": "elasticuser"
- },
- "user_agent": {
- "original": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.89 Safari/537.36"
- }
-}
\ No newline at end of file
diff --git a/packages/cisco_umbrella/1.4.2/docs/README.md b/packages/cisco_umbrella/1.4.2/docs/README.md
deleted file mode 100755
index f85909b1e3..0000000000
--- a/packages/cisco_umbrella/1.4.2/docs/README.md
+++ /dev/null
@@ -1,278 +0,0 @@
-# Cisco Umbrella Integration
-
-This integration is for [Cisco Umbrella](https://docs.umbrella.com/). It includes the following
-datasets for receiving logs from an AWS S3 bucket using an SQS notification queue and Cisco Managed S3 bucket without SQS:
-
-- `log` dataset: supports Cisco Umbrella logs.
-
-## Logs
-
-### Umbrella
-
-When using Cisco Managed S3 buckets that does not use SQS there is no load balancing possibilities for multiple agents, a single agent should be configured to poll the S3 bucket for new and updated files, and the number of workers can be configured to scale vertically.
-
-The `log` dataset collects Cisco Umbrella logs.
-
-An example event for `log` looks as following:
-
-```json
-{
- "destination": {
- "geo": {
- "continent_name": "North America",
- "country_name": "United States",
- "location": {
- "lon": -97.822,
- "lat": 37.751
- },
- "country_iso_code": "US"
- },
- "as": {
- "number": 15169,
- "organization": {
- "name": "Google LLC"
- }
- },
- "address": "8.8.8.8",
- "ip": "8.8.8.8"
- },
- "source": {
- "nat": {
- "ip": "1.1.1.1"
- },
- "address": "192.168.1.1",
- "ip": "192.168.1.1"
- },
- "url": {
- "path": "/blog/ext_id=Anyclip",
- "original": "https://elastic.co/blog/ext_id=Anyclip",
- "scheme": "https",
- "domain": "elastic.co",
- "full": "https://elastic.co/blog/ext_id=Anyclip"
- },
- "tags": [
- "preserve_original_event"
- ],
- "observer": {
- "type": "proxy",
- "product": "Umbrella",
- "vendor": "Cisco"
- },
- "@timestamp": "2020-07-23T23:48:56.000Z",
- "ecs": {
- "version": "8.3.0"
- },
- "related": {
- "hash": [
- ""
- ],
- "ip": [
- "192.168.1.1",
- "1.1.1.1",
- "8.8.8.8"
- ]
- },
- "http": {
- "request": {
- "referrer": "https://google.com/elastic",
- "bytes": 850
- },
- "response": {
- "status_code": 200
- }
- },
- "event": {
- "ingested": "2021-09-13T00:16:24.480432923Z",
- "original": "\"2020-07-23 23:48:56\",\"elasticuser\",\"someotheruser\",\"192.168.1.1\",\"1.1.1.1\",\"8.8.8.8\",\"\",\"ALLOWED\",\"https://elastic.co/blog/ext_id=Anyclip\",\"https://google.com/elastic\",\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.89 Safari/537.36\",\"200\",\"850\",\"\",\"\",\"\",\"Business Services\",\"AVDetectionName\",\"Malicious\",\"MalwareName\",\"\",\"\",\"Roaming Computers\",\"\"",
- "category": "network",
- "type": [
- "allowed"
- ]
- },
- "cisco": {
- "umbrella": {
- "amp_score": "",
- "puas": "Malicious",
- "identities": [
- "someotheruser"
- ],
- "content_type": "",
- "identity_types": "Roaming Computers",
- "blocked_categories": "",
- "sha_sha256": "",
- "amp_disposition": "MalwareName",
- "categories": "Business Services",
- "av_detections": "AVDetectionName",
- "amp_malware_name": ""
- }
- },
- "user": {
- "name": "elasticuser"
- },
- "user_agent": {
- "original": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.89 Safari/537.36"
- }
-}
-```
-
-**Exported fields**
-
-| Field | Description | Type |
-|---|---|---|
-| @timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. | date |
-| cisco.umbrella.amp_disposition | The status of the files proxied and scanned by Cisco Advanced Malware Protection (AMP) as part of the Umbrella File Inspection feature; can be Clean, Malicious or Unknown. | keyword |
-| cisco.umbrella.amp_malware_name | If Malicious, the name of the malware according to AMP. | keyword |
-| cisco.umbrella.amp_score | The score of the malware from AMP. This field is not currently used and will be blank. | keyword |
-| cisco.umbrella.audit.after | The policy or setting after the change was made. | keyword |
-| cisco.umbrella.audit.before | The policy or setting before the change was made. | keyword |
-| cisco.umbrella.audit.type | Where the change was made, such as settings or a policy. | keyword |
-| cisco.umbrella.av_detections | The detection name according to the antivirus engine used in file inspection. | keyword |
-| cisco.umbrella.blocked_categories | The categories that resulted in the destination being blocked. Available in version 4 and above. | keyword |
-| cisco.umbrella.categories | The security or content categories that the destination matches. | keyword |
-| cisco.umbrella.certificate_errors | | keyword |
-| cisco.umbrella.content_type | The type of web content, typically text/html. | keyword |
-| cisco.umbrella.datacenter | The name of the Umbrella Data Center that processed the user-generated traffic. | keyword |
-| cisco.umbrella.destination_lists_id | | keyword |
-| cisco.umbrella.dlp_status | | keyword |
-| cisco.umbrella.file_name | | keyword |
-| cisco.umbrella.identities | An array of the different identities related to the event. | keyword |
-| cisco.umbrella.identity | The identity that made the request. An identity can be a high-level entity within your system (e.g a network) or very granular (e.g a single user) | keyword |
-| cisco.umbrella.identity_types | The type of identity that made the request. For example, Roaming Computer or Network. | keyword |
-| cisco.umbrella.origin_id | The unique identity of the network tunnel. | keyword |
-| cisco.umbrella.policy_identity_type | The first identity type matched with this request. Available in version 3 and above. | keyword |
-| cisco.umbrella.puas | A list of all potentially unwanted application (PUA) results for the proxied file as returned by the antivirus scanner. | keyword |
-| cisco.umbrella.request_method | | keyword |
-| cisco.umbrella.rule_id | | keyword |
-| cisco.umbrella.ruleset_id | | keyword |
-| cisco.umbrella.sha_sha256 | Hex digest of the response content. | keyword |
-| client.domain | The domain name of the client system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword |
-| client.registered_domain | The highest registered client domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword |
-| client.subdomain | The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword |
-| client.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
-| data_stream.dataset | Data stream dataset. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
-| destination.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long |
-| destination.as.organization.name | Organization name. | keyword |
-| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. | match_only_text |
-| destination.bytes | Bytes sent from the destination to the source. | long |
-| destination.domain | The domain name of the destination system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword |
-| destination.geo.city_name | City name. | keyword |
-| destination.geo.continent_name | Name of the continent. | keyword |
-| destination.geo.country_iso_code | Country ISO code. | keyword |
-| destination.geo.country_name | Country name. | keyword |
-| destination.geo.location | Longitude and latitude. | geo_point |
-| destination.geo.region_iso_code | Region ISO code. | keyword |
-| destination.geo.region_name | Region name. | keyword |
-| destination.ip | IP address of the destination (IPv4 or IPv6). | ip |
-| destination.mac | MAC address of the destination. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword |
-| destination.nat.ip | Translated ip of destination based NAT sessions (e.g. internet to private DMZ) Typically used with load balancers, firewalls, or routers. | ip |
-| destination.nat.port | Port the source session is translated to by NAT Device. Typically used with load balancers, firewalls, or routers. | long |
-| destination.port | Port of the destination. | long |
-| dns.question.name | The name being queried. If the name field contains non-printable characters (below 32 or above 126), those characters should be represented as escaped base 10 integers (\DDD). Back slashes and quotes should be escaped. Tabs, carriage returns, and line feeds should be converted to \t, \r, and \n respectively. | keyword |
-| dns.question.registered_domain | The highest registered domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword |
-| dns.question.subdomain | The subdomain is all of the labels under the registered_domain. If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword |
-| dns.question.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword |
-| dns.question.type | The type of record being queried. | keyword |
-| dns.response_code | The DNS response code. | keyword |
-| dns.type | The type of DNS event captured, query or answer. If your source of DNS events only gives you DNS queries, you should only create dns events of type `dns.type:query`. If your source of DNS events gives you answers as well, you should create one event per query (optionally as soon as the query is seen). And a second event containing all query details as well as an array of answers. | keyword |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| error.message | Error message. | match_only_text |
-| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword |
-| event.code | Identification code for this event, if one exists. Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. | keyword |
-| event.dataset | Event dataset | constant_keyword |
-| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date |
-| event.module | Event module | constant_keyword |
-| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword |
-| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword |
-| event.timezone | This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). | keyword |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host MAC addresses. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| http.request.bytes | Total size in bytes of the request (body and headers). | long |
-| http.request.method | HTTP request method. The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field. | keyword |
-| http.request.referrer | Referrer for this HTTP request. | keyword |
-| http.response.bytes | Total size in bytes of the response (body and headers). | long |
-| http.response.status_code | HTTP response status code. | long |
-| input.type | Type of Filebeat input. | keyword |
-| log.file.path | Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. | keyword |
-| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text |
-| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword |
-| network.direction | Direction of the network traffic. When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword |
-| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword |
-| observer.product | The product name of the observer. | keyword |
-| observer.type | The type of the observer the data is coming from. There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. | keyword |
-| observer.vendor | Vendor name of the observer. | keyword |
-| related.hash | All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). | keyword |
-| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword |
-| related.ip | All of the IPs seen on your event. | ip |
-| related.user | All the user names or other user identifiers seen on the event. | keyword |
-| rule.id | A rule ID that is unique within the scope of an agent, observer, or other entity using the rule for detection of this event. | keyword |
-| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
-| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long |
-| source.as.organization.name | Organization name. | keyword |
-| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text |
-| source.bytes | Bytes sent from the source to the destination. | long |
-| source.domain | The domain name of the source system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword |
-| source.geo.city_name | City name. | keyword |
-| source.geo.continent_name | Name of the continent. | keyword |
-| source.geo.country_iso_code | Country ISO code. | keyword |
-| source.geo.country_name | Country name. | keyword |
-| source.geo.location | Longitude and latitude. | geo_point |
-| source.geo.region_iso_code | Region ISO code. | keyword |
-| source.geo.region_name | Region name. | keyword |
-| source.ip | IP address of the source (IPv4 or IPv6). | ip |
-| source.mac | MAC address of the source. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword |
-| source.nat.ip | Translated ip of source based NAT sessions (e.g. internal client to internet) Typically connections traversing load balancers, firewalls, or routers. | ip |
-| source.nat.port | Translated port of source based NAT sessions. (e.g. internal client to internet) Typically used with load balancers, firewalls, or routers. | long |
-| source.port | Port of the source. | long |
-| source.registered_domain | The highest registered source domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword |
-| source.subdomain | The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword |
-| source.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword |
-| tags | List of keywords used to tag each event. | keyword |
-| url.domain | Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. | keyword |
-| url.extension | The field contains the file extension from the original request url, excluding the leading dot. The file extension is only set if it exists, as not every url has a file extension. The leading period must not be included. For example, the value must be "png", not ".png". Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword |
-| url.full | If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. | wildcard |
-| url.full.text | Multi-field of `url.full`. | match_only_text |
-| url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | wildcard |
-| url.original.text | Multi-field of `url.original`. | match_only_text |
-| url.path | Path of the request, such as "/search". | wildcard |
-| url.query | The query field describes the query string of the request, such as "q=elasticsearch". The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. | keyword |
-| url.scheme | Scheme of the request, such as "https". Note: The `:` is not part of the scheme. | keyword |
-| user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword |
-| user.email | User email address. | keyword |
-| user.full_name | User's full name, if available. | keyword |
-| user.full_name.text | Multi-field of `user.full_name`. | match_only_text |
-| user.id | Unique identifier of the user. | keyword |
-| user.name | Short name or login of the user. | keyword |
-| user.name.text | Multi-field of `user.name`. | match_only_text |
-| user_agent.original | Unparsed user_agent string. | keyword |
-| user_agent.original.text | Multi-field of `user_agent.original`. | match_only_text |
diff --git a/packages/cisco_umbrella/1.4.2/img/cisco.svg b/packages/cisco_umbrella/1.4.2/img/cisco.svg
deleted file mode 100755
index 20ebebf197..0000000000
--- a/packages/cisco_umbrella/1.4.2/img/cisco.svg
+++ /dev/null
@@ -1 +0,0 @@
-
\ No newline at end of file
diff --git a/packages/cisco_umbrella/1.4.2/manifest.yml b/packages/cisco_umbrella/1.4.2/manifest.yml
deleted file mode 100755
index d980676225..0000000000
--- a/packages/cisco_umbrella/1.4.2/manifest.yml
+++ /dev/null
@@ -1,28 +0,0 @@
-format_version: 1.0.0
-name: cisco_umbrella
-title: Cisco Umbrella
-version: "1.4.2"
-license: basic
-description: Collect logs from Cisco Umbrella with Elastic Agent.
-type: integration
-categories:
- - network
- - security
-release: ga
-conditions:
- kibana.version: "^8.0.0"
-icons:
- - src: /img/cisco.svg
- title: cisco
- size: 216x216
- type: image/svg+xml
-policy_templates:
- - name: cisco_umbrella
- title: Cisco Umbrella logs
- description: Collect logs from Cisco Umbrella instances
- inputs:
- - type: aws-s3
- title: Collect logs from Cisco Umbrella
- description: Collecting logs from Cisco Umbrella
-owner:
- github: elastic/security-external-integrations
diff --git a/packages/cloudflare_logpush/0.2.0/LICENSE.txt b/packages/cloudflare_logpush/0.2.0/LICENSE.txt
deleted file mode 100755
index 809108b857..0000000000
--- a/packages/cloudflare_logpush/0.2.0/LICENSE.txt
+++ /dev/null
@@ -1,93 +0,0 @@
-Elastic License 2.0
-
-URL: https://www.elastic.co/licensing/elastic-license
-
-## Acceptance
-
-By using the software, you agree to all of the terms and conditions below.
-
-## Copyright License
-
-The licensor grants you a non-exclusive, royalty-free, worldwide,
-non-sublicensable, non-transferable license to use, copy, distribute, make
-available, and prepare derivative works of the software, in each case subject to
-the limitations and conditions below.
-
-## Limitations
-
-You may not provide the software to third parties as a hosted or managed
-service, where the service provides users with access to any substantial set of
-the features or functionality of the software.
-
-You may not move, change, disable, or circumvent the license key functionality
-in the software, and you may not remove or obscure any functionality in the
-software that is protected by the license key.
-
-You may not alter, remove, or obscure any licensing, copyright, or other notices
-of the licensor in the software. Any use of the licensor’s trademarks is subject
-to applicable law.
-
-## Patents
-
-The licensor grants you a license, under any patent claims the licensor can
-license, or becomes able to license, to make, have made, use, sell, offer for
-sale, import and have imported the software, in each case subject to the
-limitations and conditions in this license. This license does not cover any
-patent claims that you cause to be infringed by modifications or additions to
-the software. If you or your company make any written claim that the software
-infringes or contributes to infringement of any patent, your patent license for
-the software granted under these terms ends immediately. If your company makes
-such a claim, your patent license ends immediately for work on behalf of your
-company.
-
-## Notices
-
-You must ensure that anyone who gets a copy of any part of the software from you
-also gets a copy of these terms.
-
-If you modify the software, you must include in any modified copies of the
-software prominent notices stating that you have modified the software.
-
-## No Other Rights
-
-These terms do not imply any licenses other than those expressly granted in
-these terms.
-
-## Termination
-
-If you use the software in violation of these terms, such use is not licensed,
-and your licenses will automatically terminate. If the licensor provides you
-with a notice of your violation, and you cease all violation of this license no
-later than 30 days after you receive that notice, your licenses will be
-reinstated retroactively. However, if you violate these terms after such
-reinstatement, any additional violation of these terms will cause your licenses
-to terminate automatically and permanently.
-
-## No Liability
-
-*As far as the law allows, the software comes as is, without any warranty or
-condition, and the licensor will not be liable to you for any damages arising
-out of these terms or the use or nature of the software, under any kind of
-legal claim.*
-
-## Definitions
-
-The **licensor** is the entity offering these terms, and the **software** is the
-software the licensor makes available under these terms, including any portion
-of it.
-
-**you** refers to the individual or entity agreeing to these terms.
-
-**your company** is any legal entity, sole proprietorship, or other kind of
-organization that you work for, plus all organizations that have control over,
-are under the control of, or are under common control with that
-organization. **control** means ownership of substantially all the assets of an
-entity, or the power to direct its management and policies by vote, contract, or
-otherwise. Control can be direct or indirect.
-
-**your licenses** are all the licenses granted to you for the software under
-these terms.
-
-**use** means anything you do with the software requiring one of your licenses.
-
-**trademark** means trademarks, service marks, and similar rights.
diff --git a/packages/cloudflare_logpush/0.2.0/changelog.yml b/packages/cloudflare_logpush/0.2.0/changelog.yml
deleted file mode 100755
index 977130bb05..0000000000
--- a/packages/cloudflare_logpush/0.2.0/changelog.yml
+++ /dev/null
@@ -1,16 +0,0 @@
-# newer versions go on top
-- version: "0.2.0"
- changes:
- - description: Expose Default Region setting to UI
- type: enhancement
- link: https://github.com/elastic/integrations/pull/4158
-- version: "0.1.1"
- changes:
- - description: Fix line endings.
- type: bugfix
- link: https://github.com/elastic/integrations/pull/4181
-- version: "0.1.0"
- changes:
- - description: Initial Release.
- type: enhancement
- link: https://github.com/elastic/integrations/pull/3643
diff --git a/packages/cloudflare_logpush/0.2.0/data_stream/audit/agent/stream/aws-s3.yml.hbs b/packages/cloudflare_logpush/0.2.0/data_stream/audit/agent/stream/aws-s3.yml.hbs
deleted file mode 100755
index 6029a860d9..0000000000
--- a/packages/cloudflare_logpush/0.2.0/data_stream/audit/agent/stream/aws-s3.yml.hbs
+++ /dev/null
@@ -1,88 +0,0 @@
-{{#if collect_s3_logs}}
-
-{{#if bucket_arn}}
-bucket_arn: {{bucket_arn}}
-{{/if}}
-{{#if number_of_workers}}
-number_of_workers: {{number_of_workers}}
-{{/if}}
-{{#if interval}}
-bucket_list_interval: {{interval}}
-{{/if}}
-{{#if bucket_list_prefix}}
-bucket_list_prefix: {{bucket_list_prefix}}
-{{/if}}
-
-{{else}}
-
-{{#if queue_url}}
-queue_url: {{queue_url}}
-{{/if}}
-{{#if visibility_timeout}}
-visibility_timeout: {{visibility_timeout}}
-{{/if}}
-{{#if api_timeout}}
-api_timeout: {{api_timeout}}
-{{/if}}
-{{#if max_number_of_messages}}
-max_number_of_messages: {{max_number_of_messages}}
-{{/if}}
-{{#if file_selectors}}
-file_selectors:
-{{file_selectors}}
-{{/if}}
-
-{{/if}}
-
-{{#if access_key_id}}
-access_key_id: {{access_key_id}}
-{{/if}}
-{{#if secret_access_key}}
-secret_access_key: {{secret_access_key}}
-{{/if}}
-{{#if session_token}}
-session_token: {{session_token}}
-{{/if}}
-{{#if shared_credential_file}}
-shared_credential_file: {{shared_credential_file}}
-{{/if}}
-{{#if credential_profile_name}}
-credential_profile_name: {{credential_profile_name}}
-{{/if}}
-{{#if role_arn}}
-role_arn: {{role_arn}}
-{{/if}}
-{{#if endpoint}}
-endpoint: {{endpoint}}
-{{/if}}
-{{#if default_region}}
-default_region: {{default_region}}
-{{/if}}
-{{#if fips_enabled}}
-fips_enabled: {{fips_enabled}}
-{{/if}}
-{{#if proxy_url}}
-proxy_url: {{proxy_url}}
-{{/if}}
-tags:
-{{#if collect_s3_logs}}
- - collect_s3_logs
-{{else}}
- - collect_sqs_logs
-{{/if}}
-{{#if preserve_original_event}}
- - preserve_original_event
-{{/if}}
-{{#if preserve_duplicate_custom_fields}}
- - preserve_duplicate_custom_fields
-{{/if}}
-{{#each tags as |tag|}}
- - {{tag}}
-{{/each}}
-{{#contains "forwarded" tags}}
-publisher_pipeline.disable_host: true
-{{/contains}}
-{{#if processors}}
-processors:
-{{processors}}
-{{/if}}
diff --git a/packages/cloudflare_logpush/0.2.0/data_stream/audit/agent/stream/http_endpoint.yml.hbs b/packages/cloudflare_logpush/0.2.0/data_stream/audit/agent/stream/http_endpoint.yml.hbs
deleted file mode 100755
index 53229700cc..0000000000
--- a/packages/cloudflare_logpush/0.2.0/data_stream/audit/agent/stream/http_endpoint.yml.hbs
+++ /dev/null
@@ -1,36 +0,0 @@
-listen_address: {{listen_address}}
-listen_port: {{listen_port}}
-url: {{url}}
-content_type: ""
-{{#if secret_header}}
-secret.header: {{secret_header}}
-{{/if}}
-{{#if secret_value}}
-secret.value: {{secret_value}}
-{{/if}}
-{{#if preserve_original_event}}
-preserve_original_event: true
-{{/if}}
-{{#if preserve_duplicate_custom_fields}}
-preserve_duplicate_custom_fields: true
-{{/if}}
-tags:
-{{#if preserve_original_event}}
- - preserve_original_event
-{{/if}}
-{{#if preserve_duplicate_custom_fields}}
- - preserve_duplicate_custom_fields
-{{/if}}
-{{#each tags as |tag|}}
- - {{tag}}
-{{/each}}
-{{#contains "forwarded" tags}}
-publisher_pipeline.disable_host: true
-{{/contains}}
-{{#if ssl}}
-ssl: {{ssl}}
-{{/if}}
-{{#if processors}}
-processors:
-{{processors}}
-{{/if}}
diff --git a/packages/cloudflare_logpush/0.2.0/data_stream/audit/elasticsearch/ingest_pipeline/default.yml b/packages/cloudflare_logpush/0.2.0/data_stream/audit/elasticsearch/ingest_pipeline/default.yml
deleted file mode 100755
index faf942743e..0000000000
--- a/packages/cloudflare_logpush/0.2.0/data_stream/audit/elasticsearch/ingest_pipeline/default.yml
+++ /dev/null
@@ -1,196 +0,0 @@ ---- -description: Pipeline for parsing Cloudflare Audit logs. -processors: - - set: - field: ecs.version - value: '8.2.0' - - rename: - field: message - target_field: event.original - ignore_missing: true - - json: - field: event.original - target_field: json - ignore_failure: true - - set: - field: event.type - value: [info] - - set: - field: event.kind - value: event - - set: - field: event.category - value: [authentication] - - date: - field: json.When - if: ctx.json?.When != null && ctx.json.When != '' - formats: - - ISO8601 - - uuuu-MM-dd'T'HH:mm:ssX - - uuuu-MM-dd'T'HH:mm:ss.SSSX - - yyyy-MM-dd'T'HH:mm:ssZ - - yyyy-MM-dd'T'HH:mm:ss.SSSZ - - UNIX_MS - timezone: UTC - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - set: - field: cloudflare_logpush.audit.timestamp - copy_from: '@timestamp' - ignore_failure: true - - rename: - field: json.ActionType - target_field: cloudflare_logpush.audit.action.type - ignore_missing: true - - set: - field: event.action - copy_from: cloudflare_logpush.audit.action.type - ignore_failure: true - - lowercase: - field: event.action - ignore_missing: true - - set: - field: cloudflare_logpush.audit.action.result - value: success - if: ctx.json?.ActionResult - - set: - field: cloudflare_logpush.audit.action.result - value: failure - if: '!ctx.json?.ActionResult' - - set: - field: event.outcome - copy_from: cloudflare_logpush.audit.action.result - ignore_failure: true - - rename: - field: json.ActorEmail - target_field: cloudflare_logpush.audit.actor.email - ignore_missing: true - - set: - field: user.email - copy_from: cloudflare_logpush.audit.actor.email - ignore_failure: true - - rename: - field: json.ActorID - target_field: cloudflare_logpush.audit.actor.id - ignore_missing: true - - set: - field: user.id - copy_from: cloudflare_logpush.audit.actor.id - ignore_failure: true - - convert: - field: json.ActorIP - target_field: cloudflare_logpush.audit.actor.ip - if: 
ctx.json?.ActorIP != '' - type: ip - ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - set: - field: source.ip - copy_from: cloudflare_logpush.audit.actor.ip - ignore_failure: true - - rename: - field: json.ActorType - target_field: cloudflare_logpush.audit.actor.type - ignore_missing: true - - rename: - field: json.ID - target_field: cloudflare_logpush.audit.id - ignore_missing: true - - set: - field: event.id - copy_from: cloudflare_logpush.audit.id - ignore_failure: true - - rename: - field: json.Interface - target_field: cloudflare_logpush.audit.interface - ignore_missing: true - if: ctx.json?.interface != '' - - set: - field: event.provider - copy_from: cloudflare_logpush.audit.interface - ignore_failure: true - - rename: - field: json.Metadata - target_field: cloudflare_logpush.audit.metadata - ignore_missing: true - - rename: - field: json.NewValue - target_field: cloudflare_logpush.audit.new_value - if: ctx.json?.NewValue != null - ignore_missing: true - - rename: - field: json.OldValue - target_field: cloudflare_logpush.audit.old_value - if: ctx.json?.OldValue != null - ignore_missing: true - - rename: - field: json.OwnerID - target_field: cloudflare_logpush.audit.owner.id - ignore_missing: true - - rename: - field: json.ResourceID - target_field: cloudflare_logpush.audit.resource.id - ignore_missing: true - - rename: - field: json.ResourceType - target_field: cloudflare_logpush.audit.resource.type - ignore_missing: true - - append: - field: related.user - value: '{{{user.id}}}' - if: ctx.user?.id != null - allow_duplicates: false - ignore_failure: true - - append: - field: related.ip - value: '{{{source.ip}}}' - if: ctx.source?.ip != null - allow_duplicates: false - ignore_failure: true - - remove: - field: json - ignore_missing: true - - remove: - field: - - cloudflare_logpush.audit.timestamp - - cloudflare_logpush.audit.action.result - - cloudflare_logpush.audit.action.type - - 
cloudflare_logpush.audit.id - - cloudflare_logpush.audit.interface - - cloudflare_logpush.audit.actor.ip - - cloudflare_logpush.audit.actor.email - - cloudflare_logpush.audit.actor.id - if: ctx.tags == null || !(ctx.tags.contains('preserve_duplicate_custom_fields')) - ignore_failure: true - ignore_missing: true - - remove: - field: event.original - if: ctx.tags == null || !(ctx.tags.contains('preserve_original_event')) - ignore_failure: true - ignore_missing: true - - script: - description: Drops null/empty values recursively. - lang: painless - source: - boolean dropEmptyFields(Object object) { - if (object == null || object == "") { - return true; - } else if (object instanceof Map) { - ((Map) object).values().removeIf(value -> dropEmptyFields(value)); - return (((Map) object).size() == 0); - } else if (object instanceof List) { - ((List) object).removeIf(value -> dropEmptyFields(value)); - return (((List) object).length == 0); - } - return false; - } - dropEmptyFields(ctx); -on_failure: -- append: - field: error.message - value: '{{{ _ingest.on_failure_message }}}' diff --git a/packages/cloudflare_logpush/0.2.0/data_stream/audit/fields/agent.yml b/packages/cloudflare_logpush/0.2.0/data_stream/audit/fields/agent.yml deleted file mode 100755 index 73e076a93b..0000000000 --- a/packages/cloudflare_logpush/0.2.0/data_stream/audit/fields/agent.yml +++ /dev/null 
@@ -1,186 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization ID used to identify different entities in a multi-tenant environment. Examples: AWS account ID, Google Cloud ORG ID, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container ID. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host ID. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host IP addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - -- name: input.type - type: keyword - description: Input type -- name: log.offset - type: long - description: Log offset 
diff --git a/packages/cloudflare_logpush/0.2.0/data_stream/audit/fields/base-fields.yml b/packages/cloudflare_logpush/0.2.0/data_stream/audit/fields/base-fields.yml
deleted file mode 100755
index d59dd05887..0000000000
--- a/packages/cloudflare_logpush/0.2.0/data_stream/audit/fields/base-fields.yml
+++ /dev/null
@@ -1,20 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: '@timestamp'
- type: date
- description: Event timestamp.
-- name: event.dataset
- type: constant_keyword
- description: Event dataset.
- value: cloudflare_logpush.audit
-- name: event.module
- type: constant_keyword
- description: Event module.
- value: cloudflare_logpush
diff --git a/packages/cloudflare_logpush/0.2.0/data_stream/audit/fields/ecs.yml b/packages/cloudflare_logpush/0.2.0/data_stream/audit/fields/ecs.yml
deleted file mode 100755
index 8b345eedb8..0000000000
--- a/packages/cloudflare_logpush/0.2.0/data_stream/audit/fields/ecs.yml
+++ /dev/null
@@ -1,86 +0,0 @@ -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: |- - The action captured by the event. - This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. - name: event.action - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. This will allow proper categorization of some events that fall in multiple categories. - name: event.category - normalize: - - array - type: keyword -- description: |- - event.created contains the date/time when the event was first read by an agent, or by your pipeline. - This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. - In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. - In case the two timestamps are identical, @timestamp should be used. - name: event.created - type: date -- description: Unique ID to describe the event. 
- name: event.id - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: |- - Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. - This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. - doc_values: false - index: false - name: event.original - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. - `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. - Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. - Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. - Further note that not all events will have an associated outcome. 
For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. - name: event.outcome - type: keyword -- description: |- - Source of the event. - Event transports such as Syslog or the Windows Event Log typically mention the source of an event. It can be the name of the software that generated the event (e.g. Sysmon, httpd), or of a subsystem of the operating system (kernel, Microsoft-Windows-Security-Auditing). - name: event.provider - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. - `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. This will allow proper categorization of some events that fall in multiple event types. - name: event.type - normalize: - - array - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - normalize: - - array - type: ip -- description: All the user names or other user identifiers seen on the event. - name: related.user - normalize: - - array - type: keyword -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: List of keywords used to tag each event. - name: tags - normalize: - - array - type: keyword -- description: User email address. - name: user.email - type: keyword -- description: Unique identifier of the user. - name: user.id - type: keyword diff --git a/packages/cloudflare_logpush/0.2.0/data_stream/audit/fields/fields.yml b/packages/cloudflare_logpush/0.2.0/data_stream/audit/fields/fields.yml deleted file mode 100755 index a0cdb32d32..0000000000 --- a/packages/cloudflare_logpush/0.2.0/data_stream/audit/fields/fields.yml +++ /dev/null 
@@ -1,63 +0,0 @@
-- name: cloudflare_logpush.audit
- type: group
- fields:
- - name: action
- type: group
- fields:
- - name: result
- type: keyword
- description: Whether the action was successful.
- - name: type
- type: keyword
- description: Type of action taken.
- - name: actor
- type: group
- fields:
- - name: email
- type: keyword
- description: Email of the actor.
- - name: id
- type: keyword
- description: Unique identifier of the actor in Cloudflare system.
- - name: ip
- type: ip
- description: Physical network address of the actor.
- - name: type
- type: keyword
- description: Type of user that started the audit trail.
- - name: id
- type: keyword
- description: Unique identifier of an audit log.
- - name: interface
- type: text
- description: Entry point or interface of the audit log.
- - name: metadata
- type: flattened
- description: Additional audit log-specific information, Metadata is organized in key:value pairs, Key and Value formats can vary by ResourceType.
- - name: new_value
- type: flattened
- description: Contains the new value for the audited item.
- - name: old_value
- type: flattened
- description: Contains the old value for the audited item.
- - name: owner
- type: group
- fields:
- - name: id
- type: keyword
- description: The identifier of the user that was acting or was acted on behalf of.
- - name: resource
- type: group
- fields:
- - name: id
- type: keyword
- description: Unique identifier of the resource within Cloudflare system.
- - name: type
- type: keyword
- description: The type of resource that was changed.
- - name: timestamp
- type: date
- description: When the change happened.
-- name: log.source.address
- type: keyword
- description: Source address from which the log event was read / sent from.
diff --git a/packages/cloudflare_logpush/0.2.0/data_stream/audit/manifest.yml b/packages/cloudflare_logpush/0.2.0/data_stream/audit/manifest.yml
deleted file mode 100755
index de2640f915..0000000000
--- a/packages/cloudflare_logpush/0.2.0/data_stream/audit/manifest.yml +++ /dev/null 
@@ -1,151 +0,0 @@ -title: Collect Audit logs from Cloudflare -type: logs -streams: - - input: http_endpoint - template_path: http_endpoint.yml.hbs - title: Audit logs - description: Collect Audit logs from Cloudflare. - vars: - - name: listen_port - type: integer - title: Listen Port - description: The port number the listener binds to. - multi: false - required: true - show_user: true - default: 9560 - - name: url - type: text - title: URL - description: This option specifies which URL path to accept requests on. Defaults to /. - multi: false - required: false - show_user: false - default: / - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: false - default: - - forwarded - - cloudflare_logpush_audit - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original`. - type: bool - multi: false - default: false - - name: preserve_duplicate_custom_fields - required: true - show_user: true - title: Preserve duplicate custom fields - description: Preserve custom fields for all ECS mappings. - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: >- - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. - - input: aws-s3 - title: Audit logs via S3 or SQS - description: Collect Audit logs from Cloudflare. - template_path: aws-s3.yml.hbs - vars: - - name: bucket_list_prefix - type: text - title: '[S3] Bucket Prefix' - multi: false - required: false - show_user: true - default: audit_logs - description: Prefix to apply for the list request to the S3 bucket. 
- - name: interval - type: text - title: '[S3] Interval' - multi: false - required: false - show_user: true - default: 1m - description: Time interval for polling listing of the S3 bucket. NOTE:- Supported units for this parameter are h/m/s. - - name: number_of_workers - type: integer - title: '[S3] Number of Workers' - multi: false - required: false - show_user: true - default: 5 - description: Number of workers that will process the S3 objects listed. - - name: visibility_timeout - type: text - title: '[SQS] Visibility Timeout' - multi: false - required: false - show_user: true - default: 300s - description: The duration that the received messages are hidden from subsequent retrieve requests after being retrieved by a ReceiveMessage request. The maximum is 12 hours. - - name: api_timeout - type: text - title: '[SQS] API Timeout' - multi: false - required: false - show_user: true - default: 120s - description: The maximum duration of AWS API can take. The maximum is half of the visibility timeout value. - - name: max_number_of_messages - type: integer - title: '[SQS] Maximum Concurrent SQS Messages' - required: false - show_user: true - default: 5 - description: The maximum number of SQS messages that can be inflight at any time. - - name: file_selectors - type: yaml - title: '[SQS] File Selectors' - multi: false - required: false - show_user: false - default: | - - regex: 'audit_logs/' - description: If the SQS queue will have events that correspond to files that this integration shouldn’t process, file_selectors can be used to limit the files that are downloaded. This is a list of selectors which are made up of regex and expand_event_list_from_field options. The regex should match the S3 object key in the SQS message, and the optional expand_event_list_from_field is the same as the global setting. If file_selectors is given, then any global expand_event_list_from_field value is ignored in favor of the ones specified in the file_selectors. 
Regexes use [RE2 syntax](https://pkg.go.dev/regexp/syntax). Files that don’t match one of the regexes will not be processed. - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: false - default: - - forwarded - - cloudflare_logpush_audit - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original`. - type: bool - multi: false - default: false - - name: preserve_duplicate_custom_fields - required: true - show_user: true - title: Preserve duplicate custom fields - description: Preserve custom fields for all ECS mappings. - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: >- - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. diff --git a/packages/cloudflare_logpush/0.2.0/data_stream/audit/sample_event.json b/packages/cloudflare_logpush/0.2.0/data_stream/audit/sample_event.json deleted file mode 100755 index 7f7c746974..0000000000 --- a/packages/cloudflare_logpush/0.2.0/data_stream/audit/sample_event.json +++ /dev/null 
@@ -1,101 +0,0 @@
-{
- "@timestamp": "2021-11-30T20:19:48.000Z",
- "agent": {
- "ephemeral_id": "3605deda-1943-40cf-9ba2-a5d591fead25",
- "hostname": "docker-fleet-agent",
- "id": "8539930e-8f7a-48ac-af3e-7f098b7d6ea2",
- "name": "docker-fleet-agent",
- "type": "filebeat",
- "version": "7.17.0"
- },
- "cloudflare_logpush": {
- "audit": {
- "action": {
- "result": "success",
- "type": "token_create"
- },
- "actor": {
- "email": "user@example.com",
- "id": "enl3j9du8rnx2swwd9l32qots7l54t9s",
- "ip": "81.2.69.142",
- "type": "user"
- },
- "id": "73fd39ed-5aab-4a2a-b93c-c9a4abf0c425",
- "interface": "UI",
- "metadata": {
- "token_name": "test",
- "token_tag": "b7261c49a793a82678d12285f0bc1401"
- },
- "new_value": {
- "key1": "value1",
- "key2": "value2"
- },
- "old_value": {
- "key3": "value4",
- "key4": "value4"
- },
- "owner": {
- "id": "enl3j9du8rnx2swwd9l32qots7l54t9s"
- },
- "resource": {
- "id": "enl3j9du8rnx2swwd9l32qots7l54t9s",
- "type": "account"
- },
- "timestamp": "2021-11-30T20:19:48.000Z"
- }
- },
- "data_stream": {
- "dataset": "cloudflare_logpush.audit",
- "namespace": "ep",
- "type": "logs"
- },
- "ecs": {
- "version": "8.2.0"
- },
- "elastic_agent": {
- "id": "8539930e-8f7a-48ac-af3e-7f098b7d6ea2",
- "snapshot": false,
- "version": "7.17.0"
- },
- "event": {
- "action": "token_create",
- "agent_id_status": "verified",
- "category": [
- "authentication"
- ],
- "dataset": "cloudflare_logpush.audit",
- "id": "73fd39ed-5aab-4a2a-b93c-c9a4abf0c425",
- "ingested": "2022-09-01T10:05:51Z",
- "kind": "event",
- "original": "{\"ActionResult\":true,\"ActionType\":\"token_create\",\"ActorEmail\":\"user@example.com\",\"ActorID\":\"enl3j9du8rnx2swwd9l32qots7l54t9s\",\"ActorIP\":\"81.2.69.142\",\"ActorType\":\"user\",\"ID\":\"73fd39ed-5aab-4a2a-b93c-c9a4abf0c425\",\"Interface\":\"UI\",\"Metadata\":{\"token_name\":\"test\",\"token_tag\":\"b7261c49a793a82678d12285f0bc1401\"},\"NewValue\":{\"key1\":\"value1\",\"key2\":\"value2\"},\"OldValue\":{\"key3\":\"value4\",\"key4\":\"value4\"},\"OwnerID\":\"enl3j9du8rnx2swwd9l32qots7l54t9s\",\"ResourceID\":\"enl3j9du8rnx2swwd9l32qots7l54t9s\",\"ResourceType\":\"account\",\"When\":\"2021-11-30T20:19:48Z\"}",
- "outcome": "success",
- "provider": "UI",
- "type": [
- "info"
- ]
- },
- "input": {
- "type": "http_endpoint"
- },
- "related": {
- "ip": [
- "81.2.69.142"
- ],
- "user": [
- "enl3j9du8rnx2swwd9l32qots7l54t9s"
- ]
- },
- "source": {
- "ip": "81.2.69.142"
- },
- "tags": [
- "preserve_original_event",
- "preserve_duplicate_custom_fields",
- "forwarded",
- "cloudflare_logpush_audit"
- ],
- "user": {
- "email": "user@example.com",
- "id": "enl3j9du8rnx2swwd9l32qots7l54t9s"
- }
-}
\ No newline at end of file
diff --git a/packages/cloudflare_logpush/0.2.0/data_stream/dns/agent/stream/aws-s3.yml.hbs b/packages/cloudflare_logpush/0.2.0/data_stream/dns/agent/stream/aws-s3.yml.hbs
deleted file mode 100755
index 6029a860d9..0000000000
--- a/packages/cloudflare_logpush/0.2.0/data_stream/dns/agent/stream/aws-s3.yml.hbs
+++ /dev/null
@@ -1,88 +0,0 @@
-{{#if collect_s3_logs}}
-
-{{#if bucket_arn}}
-bucket_arn: {{bucket_arn}}
-{{/if}}
-{{#if number_of_workers}}
-number_of_workers: {{number_of_workers}}
-{{/if}}
-{{#if interval}}
-bucket_list_interval: {{interval}}
-{{/if}}
-{{#if bucket_list_prefix}}
-bucket_list_prefix: {{bucket_list_prefix}}
-{{/if}}
-
-{{else}}
-
-{{#if queue_url}}
-queue_url: {{queue_url}}
-{{/if}}
-{{#if visibility_timeout}}
-visibility_timeout: {{visibility_timeout}}
-{{/if}}
-{{#if api_timeout}}
-api_timeout: {{api_timeout}}
-{{/if}}
-{{#if max_number_of_messages}}
-max_number_of_messages: {{max_number_of_messages}}
-{{/if}}
-{{#if file_selectors}}
-file_selectors:
-{{file_selectors}}
-{{/if}}
-
-{{/if}}
-
-{{#if access_key_id}}
-access_key_id: {{access_key_id}}
-{{/if}}
-{{#if secret_access_key}}
-secret_access_key: {{secret_access_key}}
-{{/if}}
-{{#if session_token}}
-session_token: {{session_token}}
-{{/if}}
-{{#if shared_credential_file}}
-shared_credential_file: {{shared_credential_file}}
-{{/if}}
-{{#if credential_profile_name}}
-credential_profile_name: {{credential_profile_name}}
-{{/if}}
-{{#if role_arn}}
-role_arn: {{role_arn}}
-{{/if}}
-{{#if endpoint}}
-endpoint: {{endpoint}}
-{{/if}}
-{{#if default_region}}
-default_region: {{default_region}}
-{{/if}}
-{{#if fips_enabled}}
-fips_enabled: {{fips_enabled}}
-{{/if}}
-{{#if proxy_url}}
-proxy_url: {{proxy_url}}
-{{/if}}
-tags:
-{{#if collect_s3_logs}}
- - collect_s3_logs
-{{else}}
- - collect_sqs_logs
-{{/if}}
-{{#if preserve_original_event}}
- - preserve_original_event
-{{/if}}
-{{#if preserve_duplicate_custom_fields}}
- - preserve_duplicate_custom_fields
-{{/if}}
-{{#each tags as |tag|}}
- - {{tag}}
-{{/each}}
-{{#contains "forwarded" tags}}
-publisher_pipeline.disable_host: true
-{{/contains}}
-{{#if processors}}
-processors:
-{{processors}}
-{{/if}}
diff --git a/packages/cloudflare_logpush/0.2.0/data_stream/dns/agent/stream/http_endpoint.yml.hbs b/packages/cloudflare_logpush/0.2.0/data_stream/dns/agent/stream/http_endpoint.yml.hbs
deleted file mode 100755
index 53229700cc..0000000000
--- a/packages/cloudflare_logpush/0.2.0/data_stream/dns/agent/stream/http_endpoint.yml.hbs
+++ /dev/null
@@ -1,36 +0,0 @@
-listen_address: {{listen_address}}
-listen_port: {{listen_port}}
-url: {{url}}
-content_type: ""
-{{#if secret_header}}
-secret.header: {{secret_header}}
-{{/if}}
-{{#if secret_value}}
-secret.value: {{secret_value}}
-{{/if}}
-{{#if preserve_original_event}}
-preserve_original_event: true
-{{/if}}
-{{#if preserve_duplicate_custom_fields}}
-preserve_duplicate_custom_fields: true
-{{/if}}
-tags:
-{{#if preserve_original_event}}
- - preserve_original_event
-{{/if}}
-{{#if preserve_duplicate_custom_fields}}
- - preserve_duplicate_custom_fields
-{{/if}}
-{{#each tags as |tag|}}
- - {{tag}}
-{{/each}}
-{{#contains "forwarded" tags}}
-publisher_pipeline.disable_host: true
-{{/contains}}
-{{#if ssl}}
-ssl: {{ssl}}
-{{/if}}
-{{#if processors}}
-processors:
-{{processors}}
-{{/if}}
diff --git a/packages/cloudflare_logpush/0.2.0/data_stream/dns/elasticsearch/ingest_pipeline/default.yml b/packages/cloudflare_logpush/0.2.0/data_stream/dns/elasticsearch/ingest_pipeline/default.yml
deleted file mode 100755
index ad6d37c7b9..0000000000
--- a/packages/cloudflare_logpush/0.2.0/data_stream/dns/elasticsearch/ingest_pipeline/default.yml
+++ /dev/null
@@ -1,167 +0,0 @@ ---- -description: Pipeline for parsing Cloudflare DNS logs. -processors: - - set: - field: ecs.version - value: '8.2.0' - - rename: - field: message - target_field: event.original - ignore_missing: true - - json: - field: event.original - target_field: json - ignore_failure: true - - set: - field: event.category - value: [network] - - set: - field: event.kind - value: event - - set: - field: event.type - value: [info] - - date: - field: json.Timestamp - if: ctx.json?.Timestamp != null && ctx.json.Timestamp != '' - formats: - - ISO8601 - - uuuu-MM-dd'T'HH:mm:ssX - - uuuu-MM-dd'T'HH:mm:ss.SSSX - - yyyy-MM-dd'T'HH:mm:ssZ - - yyyy-MM-dd'T'HH:mm:ss.SSSZ - - UNIX_MS - timezone: UTC - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - set: - field: cloudflare_logpush.dns.timestamp - copy_from: '@timestamp' - ignore_failure: true - - convert: - field: json.SourceIP - target_field: cloudflare_logpush.dns.source.ip - if: ctx.json?.SourceIP != '' - type: ip - ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - set: - field: source.ip - copy_from: cloudflare_logpush.dns.source.ip - ignore_failure: true - - rename: - field: json.QueryName - target_field: cloudflare_logpush.dns.query.name - ignore_missing: true - - set: - field: dns.question.name - copy_from: cloudflare_logpush.dns.query.name - ignore_failure: true - - convert: - field: json.QueryType - target_field: cloudflare_logpush.dns.query.type - if: ctx.json?.QueryType != '' - type: long - ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - rename: - field: json.ColoCode - target_field: cloudflare_logpush.dns.colo.code - ignore_missing: true - - convert: - field: json.EDNSSubnet - target_field: cloudflare_logpush.dns.edns.subnet - if: ctx.json?.EDNSSubnet != '' - type: ip - ignore_missing: true - on_failure: - - append: - field: 
error.message - value: '{{{_ingest.on_failure_message}}}' - - convert: - field: json.EDNSSubnetLength - target_field: cloudflare_logpush.dns.edns.subnet_length - if: ctx.json?.EDNSSubnetLength != '' - type: long - ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - rename: - field: json.ResponseCached - target_field: cloudflare_logpush.dns.response.cached - ignore_missing: true - - convert: - field: json.ResponseCode - target_field: cloudflare_logpush.dns.response.code - if: ctx.json?.ResponseCode != '' - type: long - ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - append: - field: related.hosts - value: '{{{dns.query.name}}}' - if: ctx.dns?.query?.name != null - allow_duplicates: false - ignore_failure: true - - append: - field: related.ip - value: '{{{source.ip}}}' - if: ctx.source?.ip != null - allow_duplicates: false - ignore_failure: true - - append: - field: related.ip - value: '{{{cloudflare_logpush.dns.edns.subnet}}}' - if: ctx.cloudflare_logpush?.dns?.edns?.subnet != null - allow_duplicates: false - ignore_failure: true - - remove: - field: json - ignore_missing: true - - remove: - field: - - cloudflare_logpush.dns.timestamp - - cloudflare_logpush.dns.query.name - - cloudflare_logpush.dns.source.ip - if: ctx.tags == null || !(ctx.tags.contains('preserve_duplicate_custom_fields')) - ignore_failure: true - ignore_missing: true - - remove: - field: event.original - if: ctx.tags == null || !(ctx.tags.contains('preserve_original_event')) - ignore_failure: true - ignore_missing: true - - script: - description: Drops null/empty values recursively. 
- lang: painless - source: - boolean dropEmptyFields(Object object) { - if (object == null || object == "") { - return true; - } else if (object instanceof Map) { - ((Map) object).values().removeIf(value -> dropEmptyFields(value)); - return (((Map) object).size() == 0); - } else if (object instanceof List) { - ((List) object).removeIf(value -> dropEmptyFields(value)); - return (((List) object).length == 0); - } - return false; - } - dropEmptyFields(ctx); -on_failure: -- append: - field: error.message - value: '{{{ _ingest.on_failure_message }}}' diff --git a/packages/cloudflare_logpush/0.2.0/data_stream/dns/fields/agent.yml b/packages/cloudflare_logpush/0.2.0/data_stream/dns/fields/agent.yml deleted file mode 100755 index 73e076a93b..0000000000 --- a/packages/cloudflare_logpush/0.2.0/data_stream/dns/fields/agent.yml +++ /dev/null 
@@ -1,186 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization ID used to identify different entities in a multi-tenant environment. Examples: AWS account ID, Google Cloud ORG ID, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container ID. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host ID. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host IP addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - -- name: input.type - type: keyword - description: Input type -- name: log.offset - type: long - description: Log offset 
diff --git a/packages/cloudflare_logpush/0.2.0/data_stream/dns/fields/base-fields.yml b/packages/cloudflare_logpush/0.2.0/data_stream/dns/fields/base-fields.yml
deleted file mode 100755
index 7cd21a55f7..0000000000
--- a/packages/cloudflare_logpush/0.2.0/data_stream/dns/fields/base-fields.yml
+++ /dev/null
@@ -1,20 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: '@timestamp'
- type: date
- description: Event timestamp.
-- name: event.dataset
- type: constant_keyword
- description: Event dataset.
- value: cloudflare_logpush.dns
-- name: event.module
- type: constant_keyword
- description: Event module.
- value: cloudflare_logpush
diff --git a/packages/cloudflare_logpush/0.2.0/data_stream/dns/fields/ecs.yml b/packages/cloudflare_logpush/0.2.0/data_stream/dns/fields/ecs.yml
deleted file mode 100755
index b756dc928d..0000000000
--- a/packages/cloudflare_logpush/0.2.0/data_stream/dns/fields/ecs.yml
+++ /dev/null
@@ -1,64 +0,0 @@ -- description: |- - The name being queried. - If the name field contains non-printable characters (below 32 or above 126), those characters should be represented as escaped base 10 integers (\DDD). Back slashes and quotes should be escaped. Tabs, carriage returns, and line feeds should be converted to \t, \r, and \n respectively. - name: dns.question.name - type: keyword -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. This will allow proper categorization of some events that fall in multiple categories. - name: event.category - normalize: - - array - type: keyword -- description: |- - event.created contains the date/time when the event was first read by an agent, or by your pipeline. - This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. - In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. - In case the two timestamps are identical, @timestamp should be used. 
- name: event.created - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: |- - Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. - This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. - doc_values: false - index: false - name: event.original - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. - `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. This will allow proper categorization of some events that fall in multiple event types. - name: event.type - normalize: - - array - type: keyword -- description: All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. - name: related.hosts - normalize: - - array - type: keyword -- description: All of the IPs seen on your event. 
- name: related.ip - normalize: - - array - type: ip -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: List of keywords used to tag each event. - name: tags - normalize: - - array - type: keyword diff --git a/packages/cloudflare_logpush/0.2.0/data_stream/dns/fields/fields.yml b/packages/cloudflare_logpush/0.2.0/data_stream/dns/fields/fields.yml deleted file mode 100755 index b23d3eb4ce..0000000000 --- a/packages/cloudflare_logpush/0.2.0/data_stream/dns/fields/fields.yml +++ /dev/null @@ -1,48 +0,0 @@ -- name: cloudflare_logpush.dns - type: group - fields: - - name: colo - type: group - fields: - - name: code - type: keyword - description: IATA airport code of data center that received the request. - - name: edns - type: group - fields: - - name: subnet - type: ip - description: EDNS Client Subnet (IPv4 or IPv6). - - name: subnet_length - type: long - description: EDNS Client Subnet length. - - name: query - type: group - fields: - - name: name - type: keyword - description: Name of the query that was sent. - - name: type - type: long - description: Integer value of query type. - - name: response - type: group - fields: - - name: cached - type: boolean - description: Whether the response was cached or not. - - name: code - type: long - description: Integer value of response code. - - name: source - type: group - fields: - - name: ip - type: ip - description: IP address of the client (IPv4 or IPv6). - - name: timestamp - type: date - description: Timestamp at which the query occurred. -- name: log.source.address - type: keyword - description: Source address from which the log event was read / sent from. diff --git a/packages/cloudflare_logpush/0.2.0/data_stream/dns/manifest.yml b/packages/cloudflare_logpush/0.2.0/data_stream/dns/manifest.yml deleted file mode 100755 index 98c7468548..0000000000 --- a/packages/cloudflare_logpush/0.2.0/data_stream/dns/manifest.yml +++ /dev/null 
@@ -1,151 +0,0 @@ -title: Collect DNS logs from Cloudflare -type: logs -streams: - - input: http_endpoint - template_path: http_endpoint.yml.hbs - title: DNS logs - description: Collect DNS logs from Cloudflare. - vars: - - name: listen_port - type: integer - title: Listen Port - description: The port number the listener binds to. - multi: false - required: true - show_user: true - default: 9561 - - name: url - type: text - title: URL - description: This option specifies which URL path to accept requests on. Defaults to /. - multi: false - required: false - show_user: false - default: / - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: false - default: - - forwarded - - cloudflare_logpush_dns - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original`. - type: bool - multi: false - default: false - - name: preserve_duplicate_custom_fields - required: true - show_user: true - title: Preserve duplicate custom fields - description: Preserve custom fields for all ECS mappings. - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: >- - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. - - input: aws-s3 - title: DNS logs via S3 or SQS - description: Collect DNS logs from Cloudflare. - template_path: aws-s3.yml.hbs - vars: - - name: bucket_list_prefix - type: text - title: '[S3] Bucket Prefix' - multi: false - required: false - show_user: true - default: dns - description: Prefix to apply for the list request to the S3 bucket. 
- - name: interval - type: text - title: '[S3] Interval' - multi: false - required: false - show_user: true - default: 1m - description: Time interval for polling listing of the S3 bucket. NOTE:- Supported units for this parameter are h/m/s. - - name: number_of_workers - type: integer - title: '[S3] Number of Workers' - multi: false - required: false - show_user: true - default: 5 - description: Number of workers that will process the S3 objects listed. - - name: visibility_timeout - type: text - title: '[SQS] Visibility Timeout' - multi: false - required: false - show_user: true - default: 300s - description: The duration that the received messages are hidden from subsequent retrieve requests after being retrieved by a ReceiveMessage request. The maximum is 12 hours. - - name: api_timeout - type: text - title: '[SQS] API Timeout' - multi: false - required: false - show_user: true - default: 120s - description: The maximum duration of AWS API can take. The maximum is half of the visibility timeout value. - - name: max_number_of_messages - type: integer - title: '[SQS] Maximum Concurrent SQS Messages' - required: false - show_user: true - default: 5 - description: The maximum number of SQS messages that can be inflight at any time. - - name: file_selectors - type: yaml - title: '[SQS] File Selectors' - multi: false - required: false - show_user: false - default: | - - regex: 'dns/' - description: If the SQS queue will have events that correspond to files that this integration shouldn’t process, file_selectors can be used to limit the files that are downloaded. This is a list of selectors which are made up of regex and expand_event_list_from_field options. The regex should match the S3 object key in the SQS message, and the optional expand_event_list_from_field is the same as the global setting. If file_selectors is given, then any global expand_event_list_from_field value is ignored in favor of the ones specified in the file_selectors. 
Regexes use [RE2 syntax](https://pkg.go.dev/regexp/syntax). Files that don’t match one of the regexes will not be processed. - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: false - default: - - forwarded - - cloudflare_logpush_dns - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original`. - type: bool - multi: false - default: false - - name: preserve_duplicate_custom_fields - required: true - show_user: true - title: Preserve duplicate custom fields - description: Preserve custom fields for all ECS mappings. - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: >- - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. diff --git a/packages/cloudflare_logpush/0.2.0/data_stream/dns/sample_event.json b/packages/cloudflare_logpush/0.2.0/data_stream/dns/sample_event.json deleted file mode 100755 index 0b930fbc2e..0000000000 --- a/packages/cloudflare_logpush/0.2.0/data_stream/dns/sample_event.json +++ /dev/null 
@@ -1,83 +0,0 @@
-{
- "@timestamp": "2022-05-26T09:23:54.000Z",
- "agent": {
- "ephemeral_id": "5a08ea07-7e13-4f10-8bfa-5707606de846",
- "hostname": "docker-fleet-agent",
- "id": "8539930e-8f7a-48ac-af3e-7f098b7d6ea2",
- "name": "docker-fleet-agent",
- "type": "filebeat",
- "version": "7.17.0"
- },
- "cloudflare_logpush": {
- "dns": {
- "colo": {
- "code": "MRS"
- },
- "edns": {
- "subnet": "1.128.0.0",
- "subnet_length": 0
- },
- "query": {
- "name": "example.com",
- "type": 65535
- },
- "response": {
- "cached": false,
- "code": 0
- },
- "source": {
- "ip": "175.16.199.0"
- },
- "timestamp": "2022-05-26T09:23:54.000Z"
- }
- },
- "data_stream": {
- "dataset": "cloudflare_logpush.dns",
- "namespace": "ep",
- "type": "logs"
- },
- "dns": {
- "question": {
- "name": "example.com"
- }
- },
- "ecs": {
- "version": "8.2.0"
- },
- "elastic_agent": {
- "id": "8539930e-8f7a-48ac-af3e-7f098b7d6ea2",
- "snapshot": false,
- "version": "7.17.0"
- },
- "event": {
- "agent_id_status": "verified",
- "category": [
- "network"
- ],
- "dataset": "cloudflare_logpush.dns",
- "ingested": "2022-09-01T10:06:44Z",
- "kind": "event",
- "original": "{\"ColoCode\":\"MRS\",\"EDNSSubnet\":\"1.128.0.0\",\"EDNSSubnetLength\":0,\"QueryName\":\"example.com\",\"QueryType\":65535,\"ResponseCached\":false,\"ResponseCode\":0,\"SourceIP\":\"175.16.199.0\",\"Timestamp\":\"2022-05-26T09:23:54Z\"}",
- "type": [
- "info"
- ]
- },
- "input": {
- "type": "http_endpoint"
- },
- "related": {
- "ip": [
- "175.16.199.0",
- "1.128.0.0"
- ]
- },
- "source": {
- "ip": "175.16.199.0"
- },
- "tags": [
- "preserve_original_event",
- "preserve_duplicate_custom_fields",
- "forwarded",
- "cloudflare_logpush_dns"
- ]
-}
\ No newline at end of file
diff --git a/packages/cloudflare_logpush/0.2.0/data_stream/firewall_event/agent/stream/aws-s3.yml.hbs b/packages/cloudflare_logpush/0.2.0/data_stream/firewall_event/agent/stream/aws-s3.yml.hbs
deleted file mode 100755
index 6029a860d9..0000000000
--- a/packages/cloudflare_logpush/0.2.0/data_stream/firewall_event/agent/stream/aws-s3.yml.hbs
+++ /dev/null
@@ -1,88 +0,0 @@
-{{#if collect_s3_logs}}
-
-{{#if bucket_arn}}
-bucket_arn: {{bucket_arn}}
-{{/if}}
-{{#if number_of_workers}}
-number_of_workers: {{number_of_workers}}
-{{/if}}
-{{#if interval}}
-bucket_list_interval: {{interval}}
-{{/if}}
-{{#if bucket_list_prefix}}
-bucket_list_prefix: {{bucket_list_prefix}}
-{{/if}}
-
-{{else}}
-
-{{#if queue_url}}
-queue_url: {{queue_url}}
-{{/if}}
-{{#if visibility_timeout}}
-visibility_timeout: {{visibility_timeout}}
-{{/if}}
-{{#if api_timeout}}
-api_timeout: {{api_timeout}}
-{{/if}}
-{{#if max_number_of_messages}}
-max_number_of_messages: {{max_number_of_messages}}
-{{/if}}
-{{#if file_selectors}}
-file_selectors:
-{{file_selectors}}
-{{/if}}
-
-{{/if}}
-
-{{#if access_key_id}}
-access_key_id: {{access_key_id}}
-{{/if}}
-{{#if secret_access_key}}
-secret_access_key: {{secret_access_key}}
-{{/if}}
-{{#if session_token}}
-session_token: {{session_token}}
-{{/if}}
-{{#if shared_credential_file}}
-shared_credential_file: {{shared_credential_file}}
-{{/if}}
-{{#if credential_profile_name}}
-credential_profile_name: {{credential_profile_name}}
-{{/if}}
-{{#if role_arn}}
-role_arn: {{role_arn}}
-{{/if}}
-{{#if endpoint}}
-endpoint: {{endpoint}}
-{{/if}}
-{{#if default_region}}
-default_region: {{default_region}}
-{{/if}}
-{{#if fips_enabled}}
-fips_enabled: {{fips_enabled}}
-{{/if}}
-{{#if proxy_url}}
-proxy_url: {{proxy_url}}
-{{/if}}
-tags:
-{{#if collect_s3_logs}}
- - collect_s3_logs
-{{else}}
- - collect_sqs_logs
-{{/if}}
-{{#if preserve_original_event}}
- - preserve_original_event
-{{/if}}
-{{#if preserve_duplicate_custom_fields}}
- - preserve_duplicate_custom_fields
-{{/if}}
-{{#each tags as |tag|}}
- - {{tag}}
-{{/each}}
-{{#contains "forwarded" tags}}
-publisher_pipeline.disable_host: true
-{{/contains}}
-{{#if processors}}
-processors:
-{{processors}}
-{{/if}}
diff --git a/packages/cloudflare_logpush/0.2.0/data_stream/firewall_event/agent/stream/http_endpoint.yml.hbs b/packages/cloudflare_logpush/0.2.0/data_stream/firewall_event/agent/stream/http_endpoint.yml.hbs
deleted file mode 100755
index 53229700cc..0000000000
--- a/packages/cloudflare_logpush/0.2.0/data_stream/firewall_event/agent/stream/http_endpoint.yml.hbs
+++ /dev/null
@@ -1,36 +0,0 @@
-listen_address: {{listen_address}}
-listen_port: {{listen_port}}
-url: {{url}}
-content_type: ""
-{{#if secret_header}}
-secret.header: {{secret_header}}
-{{/if}}
-{{#if secret_value}}
-secret.value: {{secret_value}}
-{{/if}}
-{{#if preserve_original_event}}
-preserve_original_event: true
-{{/if}}
-{{#if preserve_duplicate_custom_fields}}
-preserve_duplicate_custom_fields: true
-{{/if}}
-tags:
-{{#if preserve_original_event}}
- - preserve_original_event
-{{/if}}
-{{#if preserve_duplicate_custom_fields}}
- - preserve_duplicate_custom_fields
-{{/if}}
-{{#each tags as |tag|}}
- - {{tag}}
-{{/each}}
-{{#contains "forwarded" tags}}
-publisher_pipeline.disable_host: true
-{{/contains}}
-{{#if ssl}}
-ssl: {{ssl}}
-{{/if}}
-{{#if processors}}
-processors:
-{{processors}}
-{{/if}}
diff --git a/packages/cloudflare_logpush/0.2.0/data_stream/firewall_event/elasticsearch/ingest_pipeline/default.yml b/packages/cloudflare_logpush/0.2.0/data_stream/firewall_event/elasticsearch/ingest_pipeline/default.yml
deleted file mode 100755
index 77ae2b3b93..0000000000
--- a/packages/cloudflare_logpush/0.2.0/data_stream/firewall_event/elasticsearch/ingest_pipeline/default.yml
+++ /dev/null
@@ -1,287 +0,0 @@ ---- -description: Pipeline for parsing Cloudflare Firewall Event logs. -processors: - - set: - field: ecs.version - value: '8.2.0' - - rename: - field: message - target_field: event.original - ignore_missing: true - - json: - field: event.original - target_field: json - ignore_failure: true - - set: - field: event.category - value: [network] - - set: - field: event.kind - value: event - - set: - field: event.type - value: [info] - - date: - field: json.Datetime - if: ctx.json?.Datetime != null && ctx.json.Datetime != '' - formats: - - ISO8601 - - uuuu-MM-dd'T'HH:mm:ssX - - uuuu-MM-dd'T'HH:mm:ss.SSSX - - yyyy-MM-dd'T'HH:mm:ssZ - - yyyy-MM-dd'T'HH:mm:ss.SSSZ - - UNIX_MS - timezone: UTC - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - set: - field: cloudflare_logpush.firewall_event.timestamp - copy_from: '@timestamp' - ignore_failure: true - - rename: - field: json.Action - target_field: cloudflare_logpush.firewall_event.action - ignore_missing: true - - set: - field: event.action - copy_from: cloudflare_logpush.firewall_event.action - ignore_failure: true - - lowercase: - field: event.action - ignore_missing: true - - rename: - field: json.ClientRequestMethod - target_field: cloudflare_logpush.firewall_event.client.request.method - ignore_missing: true - - set: - field: http.request.method - copy_from: cloudflare_logpush.firewall_event.client.request.method - ignore_failure: true - - convert: - field: json.EdgeResponseStatus - target_field: cloudflare_logpush.firewall_event.edge.response.status - if: ctx.json?.EdgeResponseStatus != '' - type: long - ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - set: - field: http.response.status_code - copy_from: cloudflare_logpush.firewall_event.edge.response.status - ignore_failure: true - - rename: - field: json.RuleID - target_field: cloudflare_logpush.firewall_event.rule.id - ignore_missing: 
true - - set: - field: rule.id - copy_from: cloudflare_logpush.firewall_event.rule.id - ignore_failure: true - - convert: - field: json.ClientASN - target_field: cloudflare_logpush.firewall_event.client.asn.value - if: ctx.json?.ClientASN != '' - type: long - ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - set: - field: source.as.number - copy_from: cloudflare_logpush.firewall_event.client.asn.value - ignore_failure: true - - rename: - field: json.ClientCountry - target_field: cloudflare_logpush.firewall_event.client.country - ignore_missing: true - - set: - field: source.geo.country_iso_code - copy_from: cloudflare_logpush.firewall_event.client.country - ignore_failure: true - - convert: - field: json.ClientIP - target_field: cloudflare_logpush.firewall_event.client.ip - if: ctx.json?.ClientIP != '' - type: ip - ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - set: - field: source.ip - copy_from: cloudflare_logpush.firewall_event.client.ip - ignore_failure: true - - rename: - field: json.ClientASNDescription - target_field: cloudflare_logpush.firewall_event.client.asn.description - ignore_missing: true - - rename: - field: json.ClientIPClass - target_field: cloudflare_logpush.firewall_event.client.ip_class - ignore_missing: true - - rename: - field: json.ClientRefererHost - target_field: cloudflare_logpush.firewall_event.client.referer.host - ignore_missing: true - - rename: - field: json.ClientRefererPath - target_field: cloudflare_logpush.firewall_event.client.referer.path - ignore_missing: true - - rename: - field: json.ClientRefererQuery - target_field: cloudflare_logpush.firewall_event.client.referer.query - ignore_missing: true - - rename: - field: json.ClientRefererScheme - target_field: cloudflare_logpush.firewall_event.client.referer.scheme - ignore_missing: true - - rename: - field: json.ClientRequestHost - 
target_field: cloudflare_logpush.firewall_event.client.request.host - ignore_missing: true - - rename: - field: json.ClientRequestPath - target_field: cloudflare_logpush.firewall_event.client.request.path - ignore_missing: true - - rename: - field: json.ClientRequestProtocol - target_field: cloudflare_logpush.firewall_event.client.request.protocol - ignore_missing: true - - grok: - field: cloudflare_logpush.firewall_event.client.request.protocol - patterns: - - "^%{DATA:network.protocol}/%{DATA:http.version}$" - ignore_failure: true - - lowercase: - field: network.protocol - ignore_missing: true - - rename: - field: json.ClientRequestQuery - target_field: cloudflare_logpush.firewall_event.client.request.query - ignore_missing: true - - rename: - field: json.ClientRequestScheme - target_field: cloudflare_logpush.firewall_event.client.request.scheme - ignore_missing: true - - set: - field: url.scheme - copy_from: cloudflare_logpush.firewall_event.client.request.scheme - ignore_failure: true - - user_agent: - field: json.ClientRequestUserAgent - if: ctx.json?.ClientRequestUserAgent != '' - ignore_failure: true - - rename: - field: json.ClientRequestUserAgent - target_field: cloudflare_logpush.firewall_event.client.request.user.agent - ignore_missing: true - - rename: - field: json.EdgeColoCode - target_field: cloudflare_logpush.firewall_event.edge.colo.code - ignore_missing: true - - rename: - field: json.Kind - target_field: cloudflare_logpush.firewall_event.kind - ignore_missing: true - - convert: - field: json.MatchIndex - target_field: cloudflare_logpush.firewall_event.match_index - if: ctx.json?.MatchIndex != '' - type: long - ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - rename: - field: json.Metadata - target_field: cloudflare_logpush.firewall_event.meta_data - ignore_missing: true - - convert: - field: json.OriginResponseStatus - target_field: 
cloudflare_logpush.firewall_event.origin.response.status - if: ctx.json?.OriginResponseStatus != '' - type: long - ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - rename: - field: json.OriginatorRayID - target_field: cloudflare_logpush.firewall_event.origin.ray.id - ignore_missing: true - - rename: - field: json.RayID - target_field: cloudflare_logpush.firewall_event.ray.id - ignore_missing: true - - rename: - field: json.Source - target_field: cloudflare_logpush.firewall_event.source - ignore_missing: true - - append: - field: related.ip - value: '{{{source.ip}}}' - if: ctx.source?.ip != null - allow_duplicates: false - ignore_failure: true - - append: - field: related.hosts - value: '{{{cloudflare_logpush.firewall_event.client.referer.host}}}' - if: ctx.cloudflare_logpush?.firewall_event?.client?.referer?.host != null - allow_duplicates: false - ignore_failure: true - - append: - field: related.hosts - value: '{{{cloudflare_logpush.firewall_event.client.request.host}}}' - if: ctx.cloudflare_logpush?.firewall_event?.client?.request?.host != null - allow_duplicates: false - ignore_failure: true - - remove: - field: json - ignore_missing: true - - remove: - field: - - cloudflare_logpush.firewall_event.timestamp - - cloudflare_logpush.firewall_event.action - - cloudflare_logpush.firewall_event.client.request.method - - cloudflare_logpush.firewall_event.edge.response.status - - cloudflare_logpush.firewall_event.rule.id - - cloudflare_logpush.firewall_event.client.asn.value - - cloudflare_logpush.firewall_event.client.country - - cloudflare_logpush.firewall_event.client.ip - if: ctx.tags == null || !(ctx.tags.contains('preserve_duplicate_custom_fields')) - ignore_failure: true - ignore_missing: true - - remove: - field: event.original - if: ctx.tags == null || !(ctx.tags.contains('preserve_original_event')) - ignore_failure: true - ignore_missing: true - - script: - description: Drops null/empty 
values recursively. - lang: painless - source: - boolean dropEmptyFields(Object object) { - if (object == null || object == "") { - return true; - } else if (object instanceof Map) { - ((Map) object).values().removeIf(value -> dropEmptyFields(value)); - return (((Map) object).size() == 0); - } else if (object instanceof List) { - ((List) object).removeIf(value -> dropEmptyFields(value)); - return (((List) object).length == 0); - } - return false; - } - dropEmptyFields(ctx); -on_failure: -- append: - field: error.message - value: '{{{ _ingest.on_failure_message }}}' diff --git a/packages/cloudflare_logpush/0.2.0/data_stream/firewall_event/fields/agent.yml b/packages/cloudflare_logpush/0.2.0/data_stream/firewall_event/fields/agent.yml deleted file mode 100755 index 73e076a93b..0000000000 --- a/packages/cloudflare_logpush/0.2.0/data_stream/firewall_event/fields/agent.yml +++ /dev/null 
@@ -1,186 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization ID used to identify different entities in a multi-tenant environment. Examples: AWS account ID, Google Cloud ORG ID, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container ID. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host ID. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host IP addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - -- name: input.type - type: keyword - description: Input type -- name: log.offset - type: long - description: Log offset 
diff --git a/packages/cloudflare_logpush/0.2.0/data_stream/firewall_event/fields/base-fields.yml b/packages/cloudflare_logpush/0.2.0/data_stream/firewall_event/fields/base-fields.yml deleted file mode 100755 index 958bad1989..0000000000 --- a/packages/cloudflare_logpush/0.2.0/data_stream/firewall_event/fields/base-fields.yml +++ /dev/null @@ -1,20 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: '@timestamp' - type: date - description: Event timestamp. -- name: event.dataset - type: constant_keyword - description: Event dataset. - value: cloudflare_logpush.firewall_event -- name: event.module - type: constant_keyword - description: Event module. - value: cloudflare_logpush diff --git a/packages/cloudflare_logpush/0.2.0/data_stream/firewall_event/fields/ecs.yml b/packages/cloudflare_logpush/0.2.0/data_stream/firewall_event/fields/ecs.yml deleted file mode 100755 index e8caffe883..0000000000 --- a/packages/cloudflare_logpush/0.2.0/data_stream/firewall_event/fields/ecs.yml +++ /dev/null 
@@ -1,124 +0,0 @@ -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: |- - The action captured by the event. - This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. - name: event.action - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. This will allow proper categorization of some events that fall in multiple categories. - name: event.category - normalize: - - array - type: keyword -- description: |- - event.created contains the date/time when the event was first read by an agent, or by your pipeline. - This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. - In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. - In case the two timestamps are identical, @timestamp should be used. - name: event.created - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. 
- `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: |- - Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. - This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. - doc_values: false - index: false - name: event.original - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. - `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. This will allow proper categorization of some events that fall in multiple event types. - name: event.type - normalize: - - array - type: keyword -- description: |- - HTTP request method. - The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field. - name: http.request.method - type: keyword -- description: HTTP response status code. - name: http.response.status_code - type: long -- description: HTTP version. - name: http.version - type: keyword -- description: |- - In the OSI Model this would be the Application Layer protocol. 
For example, `http`, `dns`, or `ssh`. - The field value must be normalized to lowercase for querying. - name: network.protocol - type: keyword -- description: All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. - name: related.hosts - normalize: - - array - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - normalize: - - array - type: ip -- description: A rule ID that is unique within the scope of an agent, observer, or other entity using the rule for detection of this event. - name: rule.id - type: keyword -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: source.as.number - type: long -- description: Country ISO code. - name: source.geo.country_iso_code - type: keyword -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: List of keywords used to tag each event. - name: tags - normalize: - - array - type: keyword -- description: |- - Scheme of the request, such as "https". - Note: The `:` is not part of the scheme. - name: url.scheme - type: keyword -- description: Name of the device. - name: user_agent.device.name - type: keyword -- description: Name of the user agent. - name: user_agent.name - type: keyword -- description: Unparsed user_agent string. - multi_fields: - - name: text - type: match_only_text - name: user_agent.original - type: keyword -- description: Operating system name, including the version or code name. - multi_fields: - - name: text - type: match_only_text - name: user_agent.os.full - type: keyword -- description: Operating system name, without the version. - multi_fields: - - name: text - type: match_only_text - name: user_agent.os.name - type: keyword -- description: Operating system version as a raw string. 
- name: user_agent.os.version - type: keyword -- description: Version of the user agent. - name: user_agent.version - type: keyword diff --git a/packages/cloudflare_logpush/0.2.0/data_stream/firewall_event/fields/fields.yml b/packages/cloudflare_logpush/0.2.0/data_stream/firewall_event/fields/fields.yml deleted file mode 100755 index eb9b2fccb0..0000000000 --- a/packages/cloudflare_logpush/0.2.0/data_stream/firewall_event/fields/fields.yml +++ /dev/null 
@@ -1,129 +0,0 @@ -- name: cloudflare_logpush.firewall_event - type: group - fields: - - name: action - type: keyword - description: The code of the first-class action the Cloudflare Firewall took on this request. - - name: client - type: group - fields: - - name: asn - type: group - fields: - - name: description - type: keyword - description: The ASN of the visitor as string. - - name: value - type: long - description: The ASN number of the visitor. - - name: country - type: keyword - description: Country from which request originated. - - name: ip - type: ip - description: The visitor IP address (IPv4 or IPv6). - - name: ip_class - type: keyword - description: The classification of the visitor IP address, possible values are:- 'unknown', 'badHost', 'searchEngine', 'allowlist', 'monitoringService', 'noRecord', 'scan' and 'tor'. - - name: referer - type: group - fields: - - name: host - type: keyword - description: The referer host. - - name: path - type: text - description: The referer path requested by visitor. - - name: query - type: keyword - description: The referer query-string was requested by the visitor. - - name: scheme - type: text - description: The referer URL scheme requested by the visitor. - - name: request - type: group - fields: - - name: host - type: keyword - description: The HTTP hostname requested by the visitor. - - name: method - type: keyword - description: The HTTP method used by the visitor. - - name: path - type: text - description: The path requested by visitor. - - name: protocol - type: keyword - description: The version of HTTP protocol requested by the visitor. - - name: query - type: keyword - description: The query-string was requested by the visitor. - - name: scheme - type: text - description: The URL scheme requested by the visitor. - - name: user - type: group - fields: - - name: agent - type: text - description: Visitor's user-agent string. 
- - name: edge - type: group - fields: - - name: colo - type: group - fields: - - name: code - type: keyword - description: The airport code of the Cloudflare datacenter that served this request. - - name: response - type: group - fields: - - name: status - type: long - description: HTTP response status code returned to browser. - - name: kind - type: keyword - description: The kind of event, currently only possible values are. - - name: match_index - type: long - description: Rules match index in the chain. - - name: meta_data - type: flattened - description: Additional product-specific information. - - name: origin - type: group - fields: - - name: ray - type: group - fields: - - name: id - type: keyword - description: HTTP origin response status code returned to browser. - - name: response - type: group - fields: - - name: status - type: long - description: The RayID of the request that issued the challenge/jschallenge. - - name: ray - type: group - fields: - - name: id - type: keyword - description: The RayID of the request. - - name: rule - type: group - fields: - - name: id - type: keyword - description: The Cloudflare security product-specific RuleID triggered by this request. - - name: source - type: keyword - description: The Cloudflare security product triggered by this request. - - name: timestamp - type: date - description: The date and time the event occurred at the edge. -- name: log.source.address - type: keyword - description: Source address from which the log event was read / sent from. diff --git a/packages/cloudflare_logpush/0.2.0/data_stream/firewall_event/manifest.yml b/packages/cloudflare_logpush/0.2.0/data_stream/firewall_event/manifest.yml deleted file mode 100755 index 9d0297f947..0000000000 --- a/packages/cloudflare_logpush/0.2.0/data_stream/firewall_event/manifest.yml +++ /dev/null 
@@ -1,151 +0,0 @@ -title: Collect Firewall Event logs from Cloudflare -type: logs -streams: - - input: http_endpoint - template_path: http_endpoint.yml.hbs - title: Firewall Event logs - description: Collect Firewall Event logs from Cloudflare. - vars: - - name: listen_port - type: integer - title: Listen Port - description: The port number the listener binds to. - multi: false - required: true - show_user: true - default: 9562 - - name: url - type: text - title: URL - description: This option specifies which URL path to accept requests on. Defaults to /. - multi: false - required: false - show_user: false - default: / - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: false - default: - - forwarded - - cloudflare_logpush_firewall_event - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original`. - type: bool - multi: false - default: false - - name: preserve_duplicate_custom_fields - required: true - show_user: true - title: Preserve duplicate custom fields - description: Preserve custom fields for all ECS mappings. - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: >- - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. - - input: aws-s3 - title: Firewall Event logs via S3 or SQS - description: Collect Firewall Event logs from Cloudflare. 
- template_path: aws-s3.yml.hbs - vars: - - name: bucket_list_prefix - type: text - title: '[S3] Bucket Prefix' - multi: false - required: false - show_user: true - default: firewall_event - description: Prefix to apply for the list request to the S3 bucket. - - name: interval - type: text - title: '[S3] Interval' - multi: false - required: false - show_user: true - default: 1m - description: Time interval for polling listing of the S3 bucket. NOTE:- Supported units for this parameter are h/m/s. - - name: number_of_workers - type: integer - title: '[S3] Number of Workers' - multi: false - required: false - show_user: true - default: 5 - description: Number of workers that will process the S3 objects listed. - - name: visibility_timeout - type: text - title: '[SQS] Visibility Timeout' - multi: false - required: false - show_user: true - default: 300s - description: The duration that the received messages are hidden from subsequent retrieve requests after being retrieved by a ReceiveMessage request. The maximum is 12 hours. - - name: api_timeout - type: text - title: '[SQS] API Timeout' - multi: false - required: false - show_user: true - default: 120s - description: The maximum duration of AWS API can take. The maximum is half of the visibility timeout value. - - name: max_number_of_messages - type: integer - title: '[SQS] Maximum Concurrent SQS Messages' - required: false - show_user: true - default: 5 - description: The maximum number of SQS messages that can be inflight at any time. - - name: file_selectors - type: yaml - title: '[SQS] File Selectors' - multi: false - required: false - show_user: false - default: | - - regex: 'firewall_event/' - description: If the SQS queue will have events that correspond to files that this integration shouldn’t process, file_selectors can be used to limit the files that are downloaded. This is a list of selectors which are made up of regex and expand_event_list_from_field options. 
The regex should match the S3 object key in the SQS message, and the optional expand_event_list_from_field is the same as the global setting. If file_selectors is given, then any global expand_event_list_from_field value is ignored in favor of the ones specified in the file_selectors. Regexes use [RE2 syntax](https://pkg.go.dev/regexp/syntax). Files that don’t match one of the regexes will not be processed. - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: false - default: - - forwarded - - cloudflare_logpush_firewall_event - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original`. - type: bool - multi: false - default: false - - name: preserve_duplicate_custom_fields - required: true - show_user: true - title: Preserve duplicate custom fields - description: Preserve custom fields for all ECS mappings. - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: >- - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. diff --git a/packages/cloudflare_logpush/0.2.0/data_stream/firewall_event/sample_event.json b/packages/cloudflare_logpush/0.2.0/data_stream/firewall_event/sample_event.json deleted file mode 100755 index e00847dbaa..0000000000 --- a/packages/cloudflare_logpush/0.2.0/data_stream/firewall_event/sample_event.json +++ /dev/null 
@@ -1,157 +0,0 @@ -{ - "@timestamp": "2022-05-31T05:23:43.000Z", - "agent": { - "ephemeral_id": "75919903-db61-44c5-8c6c-9829fcfbd280", - "hostname": "docker-fleet-agent", - "id": "8539930e-8f7a-48ac-af3e-7f098b7d6ea2", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "7.17.0" - }, - "cloudflare_logpush": { - "firewall_event": { - "action": "block", - "client": { - "asn": { - "description": "CLOUDFLARENET", - "value": 15169 - }, - "country": "us", - "ip": "175.16.199.0", - "ip_class": "searchEngine", - "referer": { - "host": "abc.example.com", - "path": "/abc/checkout", - "query": "?sourcerer=(default%3A(id%3A!n%2CselectedPatterns%3A!(eqldemo%2C%27logs-endpoint.*-eqldemo%27%2C%27logs-system.*-eqldemo%27%2C%27logs-windows.*-eqldemo%27%2Cmetricseqldemo)))\u0026timerange=(global%3A(linkTo%3A!()%2Ctimerange%3A(from%3A%272022-04-05T00%3A00%3A01.199Z%27%2CfromStr%3Anow-24h%2Ckind%3Arelative%2Cto%3A%272022-04-06T00%3A00%3A01.200Z%27%2CtoStr%3Anow))%2Ctimeline%3A(linkTo%3A!()%2Ctimerange%3A(from%3A%272022-04-05T00%3A00%3A01.201Z%27%2CfromStr%3Anow-24h%2Ckind%3Arelative%2Cto%3A%272022-04-06T00%3A00%3A01.202Z%27%2CtoStr%3Anow)))", - "scheme": "referer URL scheme" - }, - "request": { - "host": "xyz.example.com", - "method": "GET", - "path": "/abc/checkout", - "protocol": "HTTP/1.1", - "query": "?sourcerer=(default%3A(id%3A!n%2CselectedPatterns%3A!(eqldemo%2C%27logs-endpoint.*-eqldemo%27%2C%27logs-system.*-eqldemo%27%2C%27logs-windows.*-eqldemo%27%2Cmetricseqldemo)))\u0026timerange=(global%3A(linkTo%3A!()%2Ctimerange%3A(from%3A%272022-04-05T00%3A00%3A01.199Z%27%2CfromStr%3Anow-24h%2Ckind%3Arelative%2Cto%3A%272022-04-06T00%3A00%3A01.200Z%27%2CtoStr%3Anow))%2Ctimeline%3A(linkTo%3A!()%2Ctimerange%3A(from%3A%272022-04-05T00%3A00%3A01.201Z%27%2CfromStr%3Anow-24h%2Ckind%3Arelative%2Cto%3A%272022-04-06T00%3A00%3A01.202Z%27%2CtoStr%3Anow)))", - "scheme": "https", - "user": { - "agent": "Mozilla/5.0 (Linux; Android 6.0.1; Nexus 5X Build/MMB29P) AppleWebKit/537.36 
(KHTML, like Gecko) Chrome/101.0.4951.64 Mobile Safari/537.36 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)" - } - } - }, - "edge": { - "colo": { - "code": "IAD" - }, - "response": { - "status": 403 - } - }, - "kind": "firewall", - "match_index": 1, - "meta_data": { - "filter": "1ced07e066a34abf8b14f2a99593bc8d", - "type": "customer" - }, - "origin": { - "ray": { - "id": "00" - }, - "response": { - "status": 0 - } - }, - "ray": { - "id": "713d477539b55c29" - }, - "rule": { - "id": "7dc666e026974dab84884c73b3e2afe1" - }, - "source": "firewallrules", - "timestamp": "2022-05-31T05:23:43.000Z" - } - }, - "data_stream": { - "dataset": "cloudflare_logpush.firewall_event", - "namespace": "ep", - "type": "logs" - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "8539930e-8f7a-48ac-af3e-7f098b7d6ea2", - "snapshot": false, - "version": "7.17.0" - }, - "event": { - "action": "block", - "agent_id_status": "verified", - "category": [ - "network" - ], - "dataset": "cloudflare_logpush.firewall_event", - "ingested": "2022-09-01T10:07:34Z", - "kind": "event", - "original": "{\"Action\":\"block\",\"ClientASN\":15169,\"ClientASNDescription\":\"CLOUDFLARENET\",\"ClientCountry\":\"us\",\"ClientIP\":\"175.16.199.0\",\"ClientIPClass\":\"searchEngine\",\"ClientRefererHost\":\"abc.example.com\",\"ClientRefererPath\":\"/abc/checkout\",\"ClientRefererQuery\":\"?sourcerer=(default%3A(id%3A!n%2CselectedPatterns%3A!(eqldemo%2C%27logs-endpoint.*-eqldemo%27%2C%27logs-system.*-eqldemo%27%2C%27logs-windows.*-eqldemo%27%2Cmetricseqldemo)))\\u0026timerange=(global%3A(linkTo%3A!()%2Ctimerange%3A(from%3A%272022-04-05T00%3A00%3A01.199Z%27%2CfromStr%3Anow-24h%2Ckind%3Arelative%2Cto%3A%272022-04-06T00%3A00%3A01.200Z%27%2CtoStr%3Anow))%2Ctimeline%3A(linkTo%3A!()%2Ctimerange%3A(from%3A%272022-04-05T00%3A00%3A01.201Z%27%2CfromStr%3Anow-24h%2Ckind%3Arelative%2Cto%3A%272022-04-06T00%3A00%3A01.202Z%27%2CtoStr%3Anow)))\",\"ClientRefererScheme\":\"referer URL 
scheme\",\"ClientRequestHost\":\"xyz.example.com\",\"ClientRequestMethod\":\"GET\",\"ClientRequestPath\":\"/abc/checkout\",\"ClientRequestProtocol\":\"HTTP/1.1\",\"ClientRequestQuery\":\"?sourcerer=(default%3A(id%3A!n%2CselectedPatterns%3A!(eqldemo%2C%27logs-endpoint.*-eqldemo%27%2C%27logs-system.*-eqldemo%27%2C%27logs-windows.*-eqldemo%27%2Cmetricseqldemo)))\\u0026timerange=(global%3A(linkTo%3A!()%2Ctimerange%3A(from%3A%272022-04-05T00%3A00%3A01.199Z%27%2CfromStr%3Anow-24h%2Ckind%3Arelative%2Cto%3A%272022-04-06T00%3A00%3A01.200Z%27%2CtoStr%3Anow))%2Ctimeline%3A(linkTo%3A!()%2Ctimerange%3A(from%3A%272022-04-05T00%3A00%3A01.201Z%27%2CfromStr%3Anow-24h%2Ckind%3Arelative%2Cto%3A%272022-04-06T00%3A00%3A01.202Z%27%2CtoStr%3Anow)))\",\"ClientRequestScheme\":\"https\",\"ClientRequestUserAgent\":\"Mozilla/5.0 (Linux; Android 6.0.1; Nexus 5X Build/MMB29P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.64 Mobile Safari/537.36 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)\",\"Datetime\":\"2022-05-31T05:23:43Z\",\"EdgeColoCode\":\"IAD\",\"EdgeResponseStatus\":403,\"Kind\":\"firewall\",\"MatchIndex\":1,\"Metadata\":{\"filter\":\"1ced07e066a34abf8b14f2a99593bc8d\",\"type\":\"customer\"},\"OriginResponseStatus\":0,\"OriginatorRayID\":\"00\",\"RayID\":\"713d477539b55c29\",\"RuleID\":\"7dc666e026974dab84884c73b3e2afe1\",\"Source\":\"firewallrules\"}", - "type": [ - "info" - ] - }, - "http": { - "request": { - "method": "GET" - }, - "response": { - "status_code": 403 - }, - "version": "1.1" - }, - "input": { - "type": "http_endpoint" - }, - "network": { - "protocol": "http" - }, - "related": { - "hosts": [ - "abc.example.com", - "xyz.example.com" - ], - "ip": [ - "175.16.199.0" - ] - }, - "rule": { - "id": "7dc666e026974dab84884c73b3e2afe1" - }, - "source": { - "as": { - "number": 15169 - }, - "geo": { - "country_iso_code": "us" - }, - "ip": "175.16.199.0" - }, - "tags": [ - "preserve_original_event", - "preserve_duplicate_custom_fields", - "forwarded", - 
"cloudflare_logpush_firewall_event"
- ],
- "url": {
- "scheme": "https"
- },
- "user_agent": {
- "device": {
- "name": "Spider"
- },
- "name": "Googlebot",
- "original": "Mozilla/5.0 (Linux; Android 6.0.1; Nexus 5X Build/MMB29P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.64 Mobile Safari/537.36 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)",
- "os": {
- "full": "Android 6.0.1",
- "name": "Android",
- "version": "6.0.1"
- },
- "version": "2.1"
- }
-}
\ No newline at end of file
diff --git a/packages/cloudflare_logpush/0.2.0/data_stream/http_request/agent/stream/aws-s3.yml.hbs b/packages/cloudflare_logpush/0.2.0/data_stream/http_request/agent/stream/aws-s3.yml.hbs
deleted file mode 100755
index 6029a860d9..0000000000
--- a/packages/cloudflare_logpush/0.2.0/data_stream/http_request/agent/stream/aws-s3.yml.hbs
+++ /dev/null
@@ -1,88 +0,0 @@
-{{#if collect_s3_logs}}
-
-{{#if bucket_arn}}
-bucket_arn: {{bucket_arn}}
-{{/if}}
-{{#if number_of_workers}}
-number_of_workers: {{number_of_workers}}
-{{/if}}
-{{#if interval}}
-bucket_list_interval: {{interval}}
-{{/if}}
-{{#if bucket_list_prefix}}
-bucket_list_prefix: {{bucket_list_prefix}}
-{{/if}}
-
-{{else}}
-
-{{#if queue_url}}
-queue_url: {{queue_url}}
-{{/if}}
-{{#if visibility_timeout}}
-visibility_timeout: {{visibility_timeout}}
-{{/if}}
-{{#if api_timeout}}
-api_timeout: {{api_timeout}}
-{{/if}}
-{{#if max_number_of_messages}}
-max_number_of_messages: {{max_number_of_messages}}
-{{/if}}
-{{#if file_selectors}}
-file_selectors:
-{{file_selectors}}
-{{/if}}
-
-{{/if}}
-
-{{#if access_key_id}}
-access_key_id: {{access_key_id}}
-{{/if}}
-{{#if secret_access_key}}
-secret_access_key: {{secret_access_key}}
-{{/if}}
-{{#if session_token}}
-session_token: {{session_token}}
-{{/if}}
-{{#if shared_credential_file}}
-shared_credential_file: {{shared_credential_file}}
-{{/if}}
-{{#if credential_profile_name}}
-credential_profile_name: {{credential_profile_name}}
-{{/if}}
-{{#if role_arn}}
-role_arn: {{role_arn}}
-{{/if}}
-{{#if endpoint}}
-endpoint: {{endpoint}}
-{{/if}}
-{{#if default_region}}
-default_region: {{default_region}}
-{{/if}}
-{{#if fips_enabled}}
-fips_enabled: {{fips_enabled}}
-{{/if}}
-{{#if proxy_url}}
-proxy_url: {{proxy_url}}
-{{/if}}
-tags:
-{{#if collect_s3_logs}}
- - collect_s3_logs
-{{else}}
- - collect_sqs_logs
-{{/if}}
-{{#if preserve_original_event}}
- - preserve_original_event
-{{/if}}
-{{#if preserve_duplicate_custom_fields}}
- - preserve_duplicate_custom_fields
-{{/if}}
-{{#each tags as |tag|}}
- - {{tag}}
-{{/each}}
-{{#contains "forwarded" tags}}
-publisher_pipeline.disable_host: true
-{{/contains}}
-{{#if processors}}
-processors:
-{{processors}}
-{{/if}}
diff --git a/packages/cloudflare_logpush/0.2.0/data_stream/http_request/agent/stream/http_endpoint.yml.hbs b/packages/cloudflare_logpush/0.2.0/data_stream/http_request/agent/stream/http_endpoint.yml.hbs
deleted file mode 100755
index 53229700cc..0000000000
--- a/packages/cloudflare_logpush/0.2.0/data_stream/http_request/agent/stream/http_endpoint.yml.hbs
+++ /dev/null
@@ -1,36 +0,0 @@
-listen_address: {{listen_address}}
-listen_port: {{listen_port}}
-url: {{url}}
-content_type: ""
-{{#if secret_header}}
-secret.header: {{secret_header}}
-{{/if}}
-{{#if secret_value}}
-secret.value: {{secret_value}}
-{{/if}}
-{{#if preserve_original_event}}
-preserve_original_event: true
-{{/if}}
-{{#if preserve_duplicate_custom_fields}}
-preserve_duplicate_custom_fields: true
-{{/if}}
-tags:
-{{#if preserve_original_event}}
- - preserve_original_event
-{{/if}}
-{{#if preserve_duplicate_custom_fields}}
- - preserve_duplicate_custom_fields
-{{/if}}
-{{#each tags as |tag|}}
- - {{tag}}
-{{/each}}
-{{#contains "forwarded" tags}}
-publisher_pipeline.disable_host: true
-{{/contains}}
-{{#if ssl}}
-ssl: {{ssl}}
-{{/if}}
-{{#if processors}}
-processors:
-{{processors}}
-{{/if}}
diff --git a/packages/cloudflare_logpush/0.2.0/data_stream/http_request/elasticsearch/ingest_pipeline/default.yml b/packages/cloudflare_logpush/0.2.0/data_stream/http_request/elasticsearch/ingest_pipeline/default.yml
deleted file mode 100755
index b45e0edbc5..0000000000
--- a/packages/cloudflare_logpush/0.2.0/data_stream/http_request/elasticsearch/ingest_pipeline/default.yml
+++ /dev/null
@@ -1,716 +0,0 @@ ---- -description: Pipeline for parsing Cloudflare HTTP Request logs. -processors: - - set: - field: ecs.version - value: '8.2.0' - - rename: - field: message - target_field: event.original - ignore_missing: true - - json: - field: event.original - target_field: json - ignore_failure: true - - set: - field: event.category - value: [network] - - set: - field: event.kind - value: event - - set: - field: event.type - value: [info] - - date: - field: json.EdgeEndTimestamp - if: ctx.json?.EdgeEndTimestamp != null && ctx.json.EdgeEndTimestamp != '' - formats: - - ISO8601 - - uuuu-MM-dd'T'HH:mm:ssX - - uuuu-MM-dd'T'HH:mm:ss.SSSX - - yyyy-MM-dd'T'HH:mm:ssZ - - yyyy-MM-dd'T'HH:mm:ss.SSSZ - - UNIX_MS - timezone: UTC - target_field: cloudflare_logpush.http_request.edge.end_time - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - date: - field: json.EdgeStartTimestamp - if: ctx.json?.EdgeStartTimestamp != null && ctx.json.EdgeStartTimestamp != '' - formats: - - ISO8601 - - uuuu-MM-dd'T'HH:mm:ssX - - uuuu-MM-dd'T'HH:mm:ss.SSSX - - yyyy-MM-dd'T'HH:mm:ssZ - - yyyy-MM-dd'T'HH:mm:ss.SSSZ - - UNIX_MS - timezone: UTC - target_field: cloudflare_logpush.http_request.edge.start_time - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - date: - field: json.OriginResponseHTTPExpires - if: ctx.json?.OriginResponseHTTPExpires != null && ctx.json.OriginResponseHTTPExpires != '' - formats: - - ISO8601 - - EEE, dd MMM yyyy HH:mm:ss zzz - - uuuu-MM-dd'T'HH:mm:ssX - - uuuu-MM-dd'T'HH:mm:ss.SSSX - - yyyy-MM-dd'T'HH:mm:ssZ - - yyyy-MM-dd'T'HH:mm:ss.SSSZ - - UNIX_MS - timezone: UTC - target_field: cloudflare_logpush.http_request.origin.response.http.expires - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - date: - field: json.OriginResponseHTTPLastModified - if: ctx.json?.OriginResponseHTTPLastModified != null && 
ctx.json.OriginResponseHTTPLastModified != '' - timezone: UTC - formats: - - ISO8601 - - EEE, dd MMM yyyy HH:mm:ss zzz - - uuuu-MM-dd'T'HH:mm:ssX - - uuuu-MM-dd'T'HH:mm:ss.SSSX - - yyyy-MM-dd'T'HH:mm:ssZ - - yyyy-MM-dd'T'HH:mm:ss.SSSZ - - UNIX_MS - target_field: cloudflare_logpush.http_request.origin.response.http.last_modified - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - convert: - field: json.OriginIP - target_field: cloudflare_logpush.http_request.origin.ip - if: ctx.json?.OriginIP != '' - type: ip - ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - set: - field: destination.ip - copy_from: cloudflare_logpush.http_request.origin.ip - ignore_failure: true - - rename: - field: json.ClientRequestMethod - target_field: cloudflare_logpush.http_request.client.request.method - ignore_missing: true - - set: - field: http.request.method - copy_from: cloudflare_logpush.http_request.client.request.method - ignore_failure: true - - rename: - field: json.EdgeResponseContentType - target_field: cloudflare_logpush.http_request.edge.response.content_type - ignore_missing: true - - set: - field: http.response.mime_type - copy_from: cloudflare_logpush.http_request.edge.response.content_type - ignore_failure: true - - convert: - field: json.EdgeResponseStatus - target_field: cloudflare_logpush.http_request.edge.response.status - if: ctx.json?.EdgeResponseStatus != '' - type: long - ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - set: - field: http.response.status_code - copy_from: cloudflare_logpush.http_request.edge.response.status - ignore_failure: true - - convert: - field: json.ClientASN - target_field: cloudflare_logpush.http_request.client.asn - if: ctx.json?.ClientASN != '' - type: long - ignore_missing: true - on_failure: - - append: - field: error.message - value: 
'{{{_ingest.on_failure_message}}}' - - set: - field: source.as.number - copy_from: cloudflare_logpush.http_request.client.asn - ignore_failure: true - - rename: - field: json.ClientCountry - target_field: cloudflare_logpush.http_request.client.country - ignore_missing: true - - set: - field: source.geo.country_iso_code - copy_from: cloudflare_logpush.http_request.client.country - ignore_failure: true - - convert: - field: json.ClientIP - target_field: cloudflare_logpush.http_request.client.ip - if: ctx.json?.ClientIP != '' - type: ip - ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - set: - field: source.ip - copy_from: cloudflare_logpush.http_request.client.ip - ignore_failure: true - - convert: - field: json.BotScore - target_field: cloudflare_logpush.http_request.bot.score.value - if: ctx.json?.BotScore != '' - type: long - ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - rename: - field: json.BotScoreSrc - target_field: cloudflare_logpush.http_request.bot.score.src - ignore_missing: true - - rename: - field: json.BotTags - target_field: cloudflare_logpush.http_request.bot.tag - ignore_missing: true - - rename: - field: json.CacheCacheStatus - target_field: cloudflare_logpush.http_request.cache.status - ignore_missing: true - - convert: - field: json.CacheResponseBytes - target_field: cloudflare_logpush.http_request.cache.response.bytes - if: ctx.json?.CacheResponseBytes != '' - type: long - ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - convert: - field: json.CacheResponseStatus - target_field: cloudflare_logpush.http_request.cache.response.status - if: ctx.json?.CacheResponseStatus != '' - type: long - ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - rename: - field: json.CacheTieredFill 
- target_field: cloudflare_logpush.http_request.cache.tiered_fill - ignore_missing: true - - rename: - field: json.ClientDeviceType - target_field: cloudflare_logpush.http_request.client.device.type - ignore_missing: true - - rename: - field: json.ClientIPClass - target_field: cloudflare_logpush.http_request.client.ip_class - ignore_missing: true - - rename: - field: json.ClientMTLSAuthCertFingerprint - target_field: cloudflare_logpush.http_request.client.mtls.auth.fingerprint - ignore_missing: true - - rename: - field: json.ClientMTLSAuthStatus - target_field: cloudflare_logpush.http_request.client.mtls.auth.status - ignore_missing: true - - convert: - field: json.ClientRequestBytes - target_field: cloudflare_logpush.http_request.client.request.bytes - if: ctx.json?.ClientRequestBytes != '' - type: long - ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - rename: - field: json.ClientRequestHost - target_field: cloudflare_logpush.http_request.client.request.host - ignore_missing: true - - rename: - field: json.ClientRequestPath - target_field: cloudflare_logpush.http_request.client.request.path - ignore_missing: true - - rename: - field: json.ClientRequestProtocol - target_field: cloudflare_logpush.http_request.client.request.protocol - ignore_missing: true - - grok: - field: cloudflare_logpush.http_request.client.request.protocol - patterns: - - "^%{DATA:network.protocol}/%{DATA:http.version}$" - - lowercase: - field: network.protocol - ignore_missing: true - - uri_parts: - field: json.ClientRequestReferer - ignore_failure: true - - rename: - field: json.ClientRequestReferer - target_field: cloudflare_logpush.http_request.client.request.referer - ignore_missing: true - - rename: - field: json.ClientRequestScheme - target_field: cloudflare_logpush.http_request.client.request.scheme - ignore_missing: true - - rename: - field: json.ClientRequestSource - target_field: 
cloudflare_logpush.http_request.client.request.source - ignore_missing: true - - rename: - field: json.ClientRequestURI - target_field: cloudflare_logpush.http_request.client.request.uri - ignore_missing: true - - user_agent: - field: json.ClientRequestUserAgent - if: ctx.json?.ClientRequestUserAgent != '' - ignore_failure: true - - rename: - field: json.ClientRequestUserAgent - target_field: cloudflare_logpush.http_request.client.request.user.agent - ignore_missing: true - - rename: - field: json.ClientSSLCipher - target_field: cloudflare_logpush.http_request.client.ssl.cipher - ignore_missing: true - - rename: - field: json.ClientSSLProtocol - target_field: cloudflare_logpush.http_request.client.ssl.protocol - ignore_missing: true - - grok: - if: ctx.json?.cloudflare_logpush?.http_request?.client?.ssl?.protocol != 'none' - field: cloudflare_logpush.http_request.client.ssl.protocol - patterns: - - "^%{DATA:tls.version_protocol}v%{DATA:tls.version}$" - ignore_failure: true - - lowercase: - field: tls.version_protocol - ignore_missing: true - - convert: - field: json.ClientSrcPort - target_field: cloudflare_logpush.http_request.client.src.port - if: ctx.json?.ClientSrcPort != '' - type: long - ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - convert: - field: json.ClientTCPRTTMs - target_field: cloudflare_logpush.http_request.client.tcp_rtt.ms - if: ctx.json?.ClientTCPRTTMs != '' - type: long - ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - rename: - field: json.ClientXRequestedWith - target_field: cloudflare_logpush.http_request.client.xrequested_with - ignore_missing: true - - rename: - field: json.Cookies - target_field: cloudflare_logpush.http_request.cookies - ignore_missing: true - - rename: - field: json.EdgeCFConnectingO2O - target_field: cloudflare_logpush.http_request.edge.cf_connecting_o2o - ignore_missing: true - - 
rename: - field: json.EdgeColoCode - target_field: cloudflare_logpush.http_request.edge.colo.code - ignore_missing: true - - convert: - field: json.EdgeColoID - target_field: cloudflare_logpush.http_request.edge.colo.id - if: ctx.json?.EdgeColoID != '' - type: long - ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - rename: - field: json.EdgePathingOp - target_field: cloudflare_logpush.http_request.edge.pathing.op - ignore_missing: true - - rename: - field: json.EdgePathingSrc - target_field: cloudflare_logpush.http_request.edge.pathing.src - ignore_missing: true - - rename: - field: json.EdgePathingStatus - target_field: cloudflare_logpush.http_request.edge.pathing.status - ignore_missing: true - - rename: - field: json.EdgeRateLimitAction - target_field: cloudflare_logpush.http_request.edge.rate.limit.action - ignore_missing: true - - convert: - field: json.EdgeRateLimitID - target_field: cloudflare_logpush.http_request.edge.rate.limit.id - if: ctx.json?.EdgeRateLimitID != '' - type: long - ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - rename: - field: json.EdgeRequestHost - target_field: cloudflare_logpush.http_request.edge.request.host - ignore_missing: true - - convert: - field: json.EdgeResponseBodyBytes - target_field: cloudflare_logpush.http_request.edge.response.body_bytes - if: ctx.json?.EdgeResponseBodyBytes != '' - type: long - ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - convert: - field: json.EdgeResponseBytes - target_field: cloudflare_logpush.http_request.edge.response.bytes - if: ctx.json?.EdgeResponseBytes != '' - type: long - ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - convert: - field: json.EdgeResponseCompressionRatio - target_field: 
cloudflare_logpush.http_request.edge.response.compression_ratio - if: ctx.json?.EdgeResponseCompressionRatio != '' - type: double - ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - convert: - field: json.EdgeServerIP - target_field: cloudflare_logpush.http_request.edge.server.ip - if: ctx.json?.EdgeServerIP != '' - type: ip - ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - convert: - field: json.EdgeTimeToFirstByteMs - target_field: cloudflare_logpush.http_request.edge.time_to_first_byte.ms - if: ctx.json?.EdgeTimeToFirstByteMs != '' - type: long - ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - rename: - field: json.FirewallMatchesActions - target_field: cloudflare_logpush.http_request.firewall.match.action - ignore_missing: true - - rename: - field: json.FirewallMatchesRuleIDs - target_field: cloudflare_logpush.http_request.firewall.match.rule.id - ignore_missing: true - - rename: - field: json.FirewallMatchesSources - target_field: cloudflare_logpush.http_request.firewall.match.source - ignore_missing: true - - rename: - field: json.JA3Hash - target_field: cloudflare_logpush.http_request.ja3_hash - ignore_missing: true - - convert: - field: json.OriginDNSResponseTimeMs - target_field: cloudflare_logpush.http_request.origin.dns_response_time.ms - if: ctx.json?.OriginDNSResponseTimeMs != '' - type: long - ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - convert: - field: json.OriginRequestHeaderSendDurationMs - target_field: cloudflare_logpush.http_request.origin.request_header_send_duration.ms - if: ctx.json?.OriginRequestHeaderSendDurationMs != '' - type: long - ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - convert: - 
field: json.OriginResponseBytes - target_field: cloudflare_logpush.http_request.origin.response.bytes - if: ctx.json?.OriginResponseBytes != '' - type: long - ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - convert: - field: json.OriginResponseDurationMs - target_field: cloudflare_logpush.http_request.origin.response.duration.ms - if: ctx.json?.OriginResponseDurationMs != '' - type: long - ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - convert: - field: json.OriginResponseHeaderReceiveDurationMs - target_field: cloudflare_logpush.http_request.origin.response.header_receive_duration.ms - if: ctx.json?.OriginResponseHeaderReceiveDurationMs != '' - type: long - ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - convert: - field: json.OriginResponseStatus - target_field: cloudflare_logpush.http_request.origin.response.status - if: ctx.json?.OriginResponseStatus != '' - type: long - ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - convert: - field: json.OriginResponseTime - target_field: cloudflare_logpush.http_request.origin.response.time - if: ctx.json?.OriginResponseTime != '' - type: long - ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - rename: - field: json.OriginSSLProtocol - target_field: cloudflare_logpush.http_request.origin.ssl_protocol - ignore_missing: true - - convert: - field: json.OriginTCPHandshakeDurationMs - target_field: cloudflare_logpush.http_request.origin.tcp_handshake_duration.ms - if: ctx.json?.OriginTCPHandshakeDurationMs != '' - type: long - ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - convert: - field: 
json.OriginTLSHandshakeDurationMs - target_field: cloudflare_logpush.http_request.origin.tls_handshake_duration.ms - if: ctx.json?.OriginTLSHandshakeDurationMs != '' - type: long - ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - rename: - field: json.ParentRayID - target_field: cloudflare_logpush.http_request.parent_ray.id - ignore_missing: true - - rename: - field: json.RayID - target_field: cloudflare_logpush.http_request.ray.id - ignore_missing: true - - rename: - field: json.RequestHeaders - target_field: cloudflare_logpush.http_request.request.header - ignore_missing: true - - rename: - field: json.ResponseHeaders - target_field: cloudflare_logpush.http_request.response.header - ignore_missing: true - - rename: - field: json.SecurityLevel - target_field: cloudflare_logpush.http_request.security_level - ignore_missing: true - - convert: - field: json.SmartRouteColoID - target_field: cloudflare_logpush.http_request.smart_route.colo.id - if: ctx.json?.SmartRouteColoID != '' - type: long - ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - convert: - field: json.UpperTierColoID - target_field: cloudflare_logpush.http_request.upper_tier.colo.id - if: ctx.json?.UpperTierColoID != '' - type: long - ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - rename: - field: json.WAFAction - target_field: cloudflare_logpush.http_request.waf.action - ignore_missing: true - - rename: - field: json.WAFFlags - target_field: cloudflare_logpush.http_request.waf.flag - ignore_missing: true - - rename: - field: json.WAFMatchedVar - target_field: cloudflare_logpush.http_request.waf.matched_var - ignore_missing: true - - rename: - field: json.WAFProfile - target_field: cloudflare_logpush.http_request.waf.profile - ignore_missing: true - - rename: - field: json.WAFRuleID - target_field: 
cloudflare_logpush.http_request.waf.rule.id - ignore_missing: true - - rename: - field: json.WAFRuleMessage - target_field: cloudflare_logpush.http_request.waf.rule.message - ignore_missing: true - - convert: - field: json.WorkerCPUTime - target_field: cloudflare_logpush.http_request.worker.cpu_time - if: ctx.json?.WorkerCPUTime != '' - type: long - ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - rename: - field: json.WorkerStatus - target_field: cloudflare_logpush.http_request.worker.status - ignore_missing: true - - rename: - field: json.WorkerSubrequest - target_field: cloudflare_logpush.http_request.worker.subrequest.value - ignore_missing: true - - convert: - field: json.WorkerSubrequestCount - target_field: cloudflare_logpush.http_request.worker.subrequest.count - if: ctx.json?.WorkerSubrequestCount != '' - type: long - ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - convert: - field: json.WorkerWallTimeUs - target_field: cloudflare_logpush.http_request.worker.wall_time_us - if: ctx.json?.WorkerWallTimeUs != '' - type: long - ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - convert: - field: json.ZoneID - target_field: cloudflare_logpush.http_request.zone.id - if: ctx.json?.ZoneID != '' - type: long - ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - rename: - field: json.ZoneName - target_field: cloudflare_logpush.http_request.zone.name - ignore_missing: true - - append: - field: related.hash - value: '{{{cloudflare_logpush.http_request.ja3_hash}}}' - if: ctx.cloudflare_logpush?.http_request?.ja3_hash != null - allow_duplicates: false - ignore_failure: true - - append: - field: related.ip - value: '{{{source.ip}}}' - if: ctx.source?.ip != null - allow_duplicates: false - ignore_failure: 
true - - append: - field: related.ip - value: '{{{destination.ip}}}' - if: ctx.destination?.ip != null - allow_duplicates: false - ignore_failure: true - - remove: - field: json - ignore_missing: true - - remove: - field: - - cloudflare_logpush.http_request.origin.ip - - cloudflare_logpush.http_request.client.request.method - - cloudflare_logpush.http_request.edge.response.content_type - - cloudflare_logpush.http_request.edge.response.status - - cloudflare_logpush.http_request.client.asn - - cloudflare_logpush.http_request.client.country - - cloudflare_logpush.http_request.client.ip - - cloudflare_logpush.http_request.client.request.user.agent - if: ctx.tags == null || !(ctx.tags.contains('preserve_duplicate_custom_fields')) - ignore_failure: true - ignore_missing: true - - remove: - field: event.original - if: ctx.tags == null || !(ctx.tags.contains('preserve_original_event')) - ignore_failure: true - ignore_missing: true - - script: - description: Drops null/empty values recursively. - lang: painless - source: - boolean dropEmptyFields(Object object) { - if (object == null || object == "") { - return true; - } else if (object instanceof Map) { - ((Map) object).values().removeIf(value -> dropEmptyFields(value)); - return (((Map) object).size() == 0); - } else if (object instanceof List) { - ((List) object).removeIf(value -> dropEmptyFields(value)); - return (((List) object).length == 0); - } - return false; - } - dropEmptyFields(ctx); -on_failure: -- append: - field: error.message - value: '{{{ _ingest.on_failure_message }}}' diff --git a/packages/cloudflare_logpush/0.2.0/data_stream/http_request/fields/agent.yml b/packages/cloudflare_logpush/0.2.0/data_stream/http_request/fields/agent.yml deleted file mode 100755 index 73e076a93b..0000000000 --- a/packages/cloudflare_logpush/0.2.0/data_stream/http_request/fields/agent.yml +++ /dev/null 
@@ -1,186 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization ID used to identify different entities in a multi-tenant environment. Examples: AWS account ID, Google Cloud ORG ID, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container ID. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host ID. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host IP addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - -- name: input.type - type: keyword - description: Input type -- name: log.offset - type: long - description: Log offset 
diff --git a/packages/cloudflare_logpush/0.2.0/data_stream/http_request/fields/base-fields.yml b/packages/cloudflare_logpush/0.2.0/data_stream/http_request/fields/base-fields.yml deleted file mode 100755 index 6f4d0762ca..0000000000 --- a/packages/cloudflare_logpush/0.2.0/data_stream/http_request/fields/base-fields.yml +++ /dev/null @@ -1,20 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: '@timestamp' - type: date - description: Event timestamp. -- name: event.dataset - type: constant_keyword - description: Event dataset. - value: cloudflare_logpush.http_request -- name: event.module - type: constant_keyword - description: Event module. - value: cloudflare_logpush diff --git a/packages/cloudflare_logpush/0.2.0/data_stream/http_request/fields/ecs.yml b/packages/cloudflare_logpush/0.2.0/data_stream/http_request/fields/ecs.yml deleted file mode 100755 index c9709733af..0000000000 --- a/packages/cloudflare_logpush/0.2.0/data_stream/http_request/fields/ecs.yml +++ /dev/null 
@@ -1,153 +0,0 @@ -- description: IP address of the destination (IPv4 or IPv6). - name: destination.ip - type: ip -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. This will allow proper categorization of some events that fall in multiple categories. - name: event.category - normalize: - - array - type: keyword -- description: |- - event.created contains the date/time when the event was first read by an agent, or by your pipeline. - This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. - In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. - In case the two timestamps are identical, @timestamp should be used. - name: event.created - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. 
For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: |- - Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. - This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. - doc_values: false - index: false - name: event.original - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. - `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. This will allow proper categorization of some events that fall in multiple event types. - name: event.type - normalize: - - array - type: keyword -- description: |- - HTTP request method. - The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field. - name: http.request.method - type: keyword -- description: |- - Mime type of the body of the response. - This value must only be populated based on the content of the response body, not on the `Content-Type` header. Comparing the mime type of a response with the response's Content-Type header can be helpful in detecting misconfigured servers. - name: http.response.mime_type - type: keyword -- description: HTTP response status code. 
- name: http.response.status_code - type: long -- description: HTTP version. - name: http.version - type: keyword -- description: |- - In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. - The field value must be normalized to lowercase for querying. - name: network.protocol - type: keyword -- description: All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). - name: related.hash - normalize: - - array - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - normalize: - - array - type: ip -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: source.as.number - type: long -- description: Country ISO code. - name: source.geo.country_iso_code - type: keyword -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: List of keywords used to tag each event. - name: tags - normalize: - - array - type: keyword -- description: Numeric part of the version parsed from the original string. - name: tls.version - type: keyword -- description: Normalized lowercase protocol name parsed from original string. - name: tls.version_protocol - type: keyword -- description: |- - Domain of the url, such as "www.elastic.co". - In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. - If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. - name: url.domain - type: keyword -- description: |- - Unmodified original url as seen in the event source. 
- Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. - This field is meant to represent the URL as it was observed, complete or not. - multi_fields: - - name: text - type: match_only_text - name: url.original - type: wildcard -- description: Path of the request, such as "/search". - name: url.path - type: wildcard -- description: |- - The query field describes the query string of the request, such as "q=elasticsearch". - The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. - name: url.query - type: keyword -- description: |- - Scheme of the request, such as "https". - Note: The `:` is not part of the scheme. - name: url.scheme - type: keyword -- description: Name of the device. - name: user_agent.device.name - type: keyword -- description: Name of the user agent. - name: user_agent.name - type: keyword -- description: Unparsed user_agent string. - multi_fields: - - name: text - type: match_only_text - name: user_agent.original - type: keyword -- description: Operating system name, including the version or code name. - multi_fields: - - name: text - type: match_only_text - name: user_agent.os.full - type: keyword -- description: Operating system name, without the version. - multi_fields: - - name: text - type: match_only_text - name: user_agent.os.name - type: keyword -- description: Operating system version as a raw string. - name: user_agent.os.version - type: keyword -- description: Version of the user agent. - name: user_agent.version - type: keyword diff --git a/packages/cloudflare_logpush/0.2.0/data_stream/http_request/fields/fields.yml b/packages/cloudflare_logpush/0.2.0/data_stream/http_request/fields/fields.yml deleted file mode 100755 index 94dfbab9f9..0000000000 
--- a/packages/cloudflare_logpush/0.2.0/data_stream/http_request/fields/fields.yml +++ /dev/null 
@@ -1,399 +0,0 @@ -- name: cloudflare_logpush.http_request - type: group - fields: - - name: bot - type: group - fields: - - name: score - type: group - fields: - - name: src - type: text - description: Detection engine responsible for generating the Bot Score. - - name: value - type: long - description: Cloudflare Bot Score, Scores below 30 are commonly associated with automated traffic. - - name: tag - type: text - description: Type of bot traffic (if available). - - name: cache - type: group - fields: - - name: response - type: group - fields: - - name: bytes - type: long - description: Number of bytes returned by the cache. - - name: status - type: long - description: Cache status. - - name: status - type: keyword - description: HTTP status code returned by the cache to the edge. - - name: tiered_fill - type: boolean - description: Tiered Cache was used to serve this request. - - name: client - type: group - fields: - - name: asn - type: long - description: Client AS number. - - name: country - type: keyword - description: Country of the client IP address. - - name: device - type: group - fields: - - name: type - type: keyword - description: Client device type. - - name: ip - type: ip - description: IP address of the client. - - name: ip_class - type: keyword - description: Class IP. - - name: mtls - type: group - fields: - - name: auth - type: group - fields: - - name: fingerprint - type: keyword - description: The SHA256 fingerprint of the certificate presented by the client during mTLS authentication. - - name: status - type: keyword - description: The status of mTLS authentication, Only populated on the first request on an mTLS connection. - - name: request - type: group - fields: - - name: bytes - type: long - description: Number of bytes in the client request. - - name: host - type: keyword - description: Host requested by the client. - - name: method - type: text - description: HTTP method of client request. 
- - name: path - type: text - description: URI path requested by the client. - - name: protocol - type: keyword - description: HTTP protocol of client request. - - name: referer - type: text - description: HTTP request referrer. - - name: scheme - type: text - description: The URL scheme requested by the visitor. - - name: source - type: keyword - description: Identifies requests as coming from an external source or another service within Cloudflare. - - name: uri - type: text - description: URI requested by the client. - - name: user - type: group - fields: - - name: agent - type: text - description: User agent reported by the client. - - name: src - type: group - fields: - - name: port - type: long - description: Client source port. - - name: ssl - type: group - fields: - - name: cipher - type: text - description: Client SSL cipher. - - name: protocol - type: keyword - description: Client SSL (TLS) protocol. - - name: tcp_rtt - type: group - fields: - - name: ms - type: long - description: The smoothed average of TCP round-trip time (SRTT), For the initial request on a connection, this is measured only during connection setup, For a subsequent request on the same connection, it is measured over the entire connection lifetime up until the time that request is received. - - name: xrequested_with - type: text - description: X-Requested-With HTTP header. - - name: cookies - type: flattened - description: String key-value pairs for Cookies. - - name: edge - type: group - fields: - - name: cf_connecting_o2o - type: boolean - description: True if the request looped through multiple zones on the Cloudflare edge. - - name: colo - type: group - fields: - - name: code - type: keyword - description: IATA airport code of data center that received the request. - - name: id - type: long - description: Cloudflare edge colo id. - - name: end_time - type: date - description: Timestamp at which the edge finished sending response to the client. 
- - name: pathing - type: group - fields: - - name: op - type: text - description: Indicates what type of response was issued for this request. - - name: src - type: text - description: Details how the request was classified based on security checks. - - name: status - type: text - description: Indicates what data was used to determine the handling of this request. - - name: rate - type: group - fields: - - name: limit - type: group - fields: - - name: action - type: keyword - description: The action taken by the blocking rule; empty if no action taken. - - name: id - type: long - description: The internal rule ID of the rate-limiting rule that triggered a block (ban) or log action. - - name: request - type: group - fields: - - name: host - type: keyword - description: Host header on the request from the edge to the origin. - - name: response - type: group - fields: - - name: body_bytes - type: long - description: Size of the HTTP response body returned to clients. - - name: bytes - type: long - description: Number of bytes returned by the edge to the client. - - name: compression_ratio - type: double - description: Edge response compression ratio. - - name: content_type - type: text - description: Edge response Content-Type header value. - - name: status - type: long - description: HTTP status code returned by Cloudflare to the client. - - name: server - type: group - fields: - - name: ip - type: ip - description: IP of the edge server making a request to the origin. - - name: start_time - type: date - description: Timestamp at which the edge received request from the client. - - name: time_to_first_byte - type: group - fields: - - name: ms - type: long - description: Total view of Time To First Byte as measured at Cloudflare edge. - - name: firewall - type: group - fields: - - name: matches - type: group - fields: - - name: action - type: nested - description: Array of actions the Cloudflare firewall products performed on this request. 
- - name: rule_id - type: nested - description: Array of RuleIDs of the firewall product that has matched the request. - - name: sources - type: nested - description: The firewall products that matched the request. - - name: ja3_hash - type: keyword - description: The MD5 hash of the JA3 fingerprint used to profile SSL/TLS clients. - - name: origin - type: group - fields: - - name: dns_response_time - type: group - fields: - - name: ms - type: long - description: Time taken to receive a DNS response for an origin name. - - name: ip - type: ip - description: IP of the origin server. - - name: request_header_send_duration - type: group - fields: - - name: ms - type: long - description: Time taken to send request headers to origin after establishing a connection. - - name: response - type: group - fields: - - name: bytes - type: long - description: Number of bytes returned by the origin server. - - name: duration - type: group - fields: - - name: ms - type: long - description: Upstream response time, measured from the first datacenter that receives a request. - - name: header_receive_duration - type: group - fields: - - name: ms - type: long - description: Time taken for origin to return response headers after Cloudflare finishes sending request headers. - - name: http - type: group - fields: - - name: expires - type: date - description: Value of the origin expires header in RFC1123 format. - - name: last_modified - type: date - description: Value of the origin last-modified header in RFC1123 format. - - name: status - type: long - description: Status returned by the origin server. - - name: time - type: long - description: Number of nanoseconds it took the origin to return the response to edge. - - name: ssl_protocol - type: text - description: SSL (TLS) protocol used to connect to the origin. - - name: tcp_handshake_duration - type: group - fields: - - name: ms - type: long - description: Time taken to complete TCP handshake with origin. 
- - name: tls_handshake_duration - type: group - fields: - - name: ms - type: long - description: Time taken to complete TLS handshake with origin. - - name: parent_ray - type: group - fields: - - name: id - type: keyword - description: Ray ID of the parent request if this request was made using a Worker script. - - name: ray - type: group - fields: - - name: id - type: keyword - description: ID of the request. - - name: request - type: group - fields: - - name: headers - type: flattened - description: String key-value pairs for RequestHeaders. - - name: response - type: group - fields: - - name: headers - type: flattened - description: String key-value pairs for ResponseHeaders. - - name: security_level - type: text - description: The security level configured at the time of this request. This is used to determine the sensitivity of the IP Reputation system. - - name: smart_route - type: group - fields: - - name: colo - type: group - fields: - - name: id - type: long - description: The Cloudflare datacenter used to connect to the origin server if Argo Smart Routing is used. Available in Logpush v2 only. - - name: upper_tier - type: group - fields: - - name: colo - type: group - fields: - - name: id - type: long - description: The “upper tier” datacenter that was checked for a cached copy if Tiered Cache is used. Available in Logpush v2 only. - - name: waf - type: group - fields: - - name: action - type: text - description: Action taken by the WAF, if triggered. - - name: flag - type: text - description: Additional configuration flags. - - name: matched_var - type: text - description: The full name of the most-recently matched variable. - - name: profile - type: keyword - description: The Profile of WAF. possible values are:- 'low', 'med', 'high'. - - name: rule - type: group - fields: - - name: id - type: keyword - description: ID of the applied WAF rule. - - name: message - type: text - description: Rule message associated with the triggered rule. 
- - name: worker - type: group - fields: - - name: cpu_time - type: long - description: Amount of time in microseconds spent executing a worker, if any. - - name: status - type: text - description: Status returned from worker daemon. - - name: subrequest - type: group - fields: - - name: count - type: long - description: Number of subrequests issued by a worker when handling this request. - - name: value - type: boolean - description: Whether or not this request was a worker subrequest. - - name: wall_time_us - type: long - description: Real-time in microseconds elapsed between start and end of worker invocation. - - name: zone - type: group - fields: - - name: id - type: long - description: Internal zone ID. - - name: name - type: keyword - description: The human-readable name of the zone. -- name: log.source.address - type: keyword - description: Source address from which the log event was read / sent from. diff --git a/packages/cloudflare_logpush/0.2.0/data_stream/http_request/manifest.yml b/packages/cloudflare_logpush/0.2.0/data_stream/http_request/manifest.yml deleted file mode 100755 index c6f3c4dc98..0000000000 --- a/packages/cloudflare_logpush/0.2.0/data_stream/http_request/manifest.yml +++ /dev/null 
@@ -1,151 +0,0 @@ -title: Collect HTTP Request logs from Cloudflare -type: logs -streams: - - input: http_endpoint - template_path: http_endpoint.yml.hbs - title: HTTP Request logs - description: Collect HTTP Request logs from Cloudflare. - vars: - - name: listen_port - type: integer - title: Listen Port - description: The port number the listener binds to. - multi: false - required: true - show_user: true - default: 9563 - - name: url - type: text - title: URL - description: This option specifies which URL path to accept requests on. Defaults to /. - multi: false - required: false - show_user: false - default: / - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: false - default: - - forwarded - - cloudflare_logpush_http_request - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original`. - type: bool - multi: false - default: false - - name: preserve_duplicate_custom_fields - required: true - show_user: true - title: Preserve duplicate custom fields - description: Preserve custom fields for all ECS mappings. - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: >- - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. - - input: aws-s3 - title: HTTP Request logs via S3 or SQS - description: Collect HTTP Request logs from Cloudflare. 
- template_path: aws-s3.yml.hbs - vars: - - name: bucket_list_prefix - type: text - title: '[S3] Bucket Prefix' - multi: false - required: false - show_user: true - default: http_request - description: Prefix to apply for the list request to the S3 bucket. - - name: interval - type: text - title: '[S3] Interval' - multi: false - required: false - show_user: true - default: 1m - description: Time interval for polling listing of the S3 bucket. NOTE:- Supported units for this parameter are h/m/s. - - name: number_of_workers - type: integer - title: '[S3] Number of Workers' - multi: false - required: false - show_user: true - default: 5 - description: Number of workers that will process the S3 objects listed. - - name: visibility_timeout - type: text - title: '[SQS] Visibility Timeout' - multi: false - required: false - show_user: true - default: 300s - description: The duration that the received messages are hidden from subsequent retrieve requests after being retrieved by a ReceiveMessage request. The maximum is 12 hours. - - name: api_timeout - type: text - title: '[SQS] API Timeout' - multi: false - required: false - show_user: true - default: 120s - description: The maximum duration of AWS API can take. The maximum is half of the visibility timeout value. - - name: max_number_of_messages - type: integer - title: '[SQS] Maximum Concurrent SQS Messages' - required: false - show_user: true - default: 5 - description: The maximum number of SQS messages that can be inflight at any time. - - name: file_selectors - type: yaml - title: '[SQS] File Selectors' - multi: false - required: false - show_user: false - default: | - - regex: 'http_request/' - description: If the SQS queue will have events that correspond to files that this integration shouldn’t process, file_selectors can be used to limit the files that are downloaded. This is a list of selectors which are made up of regex and expand_event_list_from_field options. 
The regex should match the S3 object key in the SQS message, and the optional expand_event_list_from_field is the same as the global setting. If file_selectors is given, then any global expand_event_list_from_field value is ignored in favor of the ones specified in the file_selectors. Regexes use [RE2 syntax](https://pkg.go.dev/regexp/syntax). Files that don’t match one of the regexes will not be processed. - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: false - default: - - forwarded - - cloudflare_logpush_http_request - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original`. - type: bool - multi: false - default: false - - name: preserve_duplicate_custom_fields - required: true - show_user: true - title: Preserve duplicate custom fields - description: Preserve custom fields for all ECS mappings. - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: >- - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. diff --git a/packages/cloudflare_logpush/0.2.0/data_stream/http_request/sample_event.json b/packages/cloudflare_logpush/0.2.0/data_stream/http_request/sample_event.json deleted file mode 100755 index adc72ad77d..0000000000 --- a/packages/cloudflare_logpush/0.2.0/data_stream/http_request/sample_event.json +++ /dev/null 
@@ -1,269 +0,0 @@ -{ - "@timestamp": "2022-09-01T10:08:19.901Z", - "agent": { - "ephemeral_id": "799a05d5-4523-4df3-8588-0a26bce74843", - "hostname": "docker-fleet-agent", - "id": "8539930e-8f7a-48ac-af3e-7f098b7d6ea2", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "7.17.0" - }, - "cloudflare_logpush": { - "http_request": { - "bot": { - "score": { - "src": "Verified Bot", - "value": 20 - }, - "tag": "bing" - }, - "cache": { - "response": { - "bytes": 983828, - "status": 200 - }, - "status": "dynamic", - "tiered_fill": false - }, - "client": { - "asn": 43766, - "country": "sa", - "device": { - "type": "desktop" - }, - "ip": "175.16.199.0", - "ip_class": "noRecord", - "mtls": { - "auth": { - "fingerprint": "Fingerprint", - "status": "unknown" - } - }, - "request": { - "bytes": 5800, - "host": "xyz.example.com", - "method": "POST", - "path": "/xyz/checkout", - "protocol": "HTTP/1.1", - "referer": "https://example.com/s/example/default?sourcerer=(default:(id:!n,selectedPatterns:!(example,%27logs-endpoint.*-example%27,%27logs-system.*-example%27,%27logs-windows.*-example%27)))\u0026timerange=(global:(linkTo:!(),timerange:(from:%272022-05-16T06:26:36.340Z%27,fromStr:now-24h,kind:relative,to:%272022-05-17T06:26:36.340Z%27,toStr:now)),timeline:(linkTo:!(),timerange:(from:%272022-04-17T22:00:00.000Z%27,kind:absolute,to:%272022-04-18T21:59:59.999Z%27)))\u0026timeline=(activeTab:notes,graphEventId:%27%27,id:%279844bdd4-4dd6-5b22-ab40-3cd46fce8d6b%27,isOpen:!t)", - "scheme": "https", - "source": "edgeWorkerFetch", - "uri": "/s/example/api/telemetry/v2/clusters/_stats", - "user": { - "agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36" - } - }, - "src": { - "port": 0 - }, - "ssl": { - "cipher": "NONE", - "protocol": "TLSv1.2" - }, - "tcp_rtt": { - "ms": 0 - }, - "xrequested_with": "Request With" - }, - "cookies": { - "key": "value" - }, - "edge": { - "cf_connecting_o2o": false, 
- "colo": { - "code": "RUH", - "id": 339 - }, - "end_time": "2022-05-25T13:25:32.000Z", - "pathing": { - "op": "wl", - "src": "macro", - "status": "nr" - }, - "rate": { - "limit": { - "action": "unknown", - "id": 0 - } - }, - "request": { - "host": "abc.example.com" - }, - "response": { - "body_bytes": 980397, - "bytes": 981308, - "compression_ratio": 0, - "content_type": "application/json", - "status": 200 - }, - "server": { - "ip": "1.128.0.0" - }, - "start_time": "2022-05-25T13:25:26.000Z", - "time_to_first_byte": { - "ms": 5333 - } - }, - "origin": { - "dns_response_time": { - "ms": 3 - }, - "ip": "67.43.156.0", - "request_header_send_duration": { - "ms": 0 - }, - "response": { - "bytes": 0, - "duration": { - "ms": 5319 - }, - "header_receive_duration": { - "ms": 5155 - }, - "http": { - "expires": "2022-05-27T13:25:26.000Z", - "last_modified": "2022-05-26T13:25:26.000Z" - }, - "status": 200, - "time": 5232000000 - }, - "ssl_protocol": "TLSv1.2", - "tcp_handshake_duration": { - "ms": 24 - }, - "tls_handshake_duration": { - "ms": 53 - } - }, - "parent_ray": { - "id": "710e98d93d50357d" - }, - "ray": { - "id": "710e98d9367f357d" - }, - "security_level": "off", - "smart_route": { - "colo": { - "id": 20 - } - }, - "upper_tier": { - "colo": { - "id": 0 - } - }, - "waf": { - "action": "unknown", - "flag": "0", - "matched_var": "example", - "profile": "unknown", - "rule": { - "id": "98d93d5", - "message": "matchad variable message" - } - }, - "worker": { - "cpu_time": 0, - "status": "unknown", - "subrequest": { - "count": 0, - "value": true - } - }, - "zone": { - "id": 393347122, - "name": "example.com" - } - } - }, - "data_stream": { - "dataset": "cloudflare_logpush.http_request", - "namespace": "ep", - "type": "logs" - }, - "destination": { - "ip": "67.43.156.0" - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "8539930e-8f7a-48ac-af3e-7f098b7d6ea2", - "snapshot": false, - "version": "7.17.0" - }, - "event": { - "agent_id_status": "verified", - 
"category": [ - "network" - ], - "dataset": "cloudflare_logpush.http_request", - "ingested": "2022-09-01T10:08:20Z", - "kind": "event", - "original": "{\"BotScore\":\"20\",\"BotScoreSrc\":\"Verified Bot\",\"BotTags\":\"bing\",\"CacheCacheStatus\":\"dynamic\",\"CacheResponseBytes\":983828,\"CacheResponseStatus\":200,\"CacheTieredFill\":false,\"ClientASN\":43766,\"ClientCountry\":\"sa\",\"ClientDeviceType\":\"desktop\",\"ClientIP\":\"175.16.199.0\",\"ClientIPClass\":\"noRecord\",\"ClientMTLSAuthCertFingerprint\":\"Fingerprint\",\"ClientMTLSAuthStatus\":\"unknown\",\"ClientRequestBytes\":5800,\"ClientRequestHost\":\"xyz.example.com\",\"ClientRequestMethod\":\"POST\",\"ClientRequestPath\":\"/xyz/checkout\",\"ClientRequestProtocol\":\"HTTP/1.1\",\"ClientRequestReferer\":\"https://example.com/s/example/default?sourcerer=(default:(id:!n,selectedPatterns:!(example,%27logs-endpoint.*-example%27,%27logs-system.*-example%27,%27logs-windows.*-example%27)))\\u0026timerange=(global:(linkTo:!(),timerange:(from:%272022-05-16T06:26:36.340Z%27,fromStr:now-24h,kind:relative,to:%272022-05-17T06:26:36.340Z%27,toStr:now)),timeline:(linkTo:!(),timerange:(from:%272022-04-17T22:00:00.000Z%27,kind:absolute,to:%272022-04-18T21:59:59.999Z%27)))\\u0026timeline=(activeTab:notes,graphEventId:%27%27,id:%279844bdd4-4dd6-5b22-ab40-3cd46fce8d6b%27,isOpen:!t)\",\"ClientRequestScheme\":\"https\",\"ClientRequestSource\":\"edgeWorkerFetch\",\"ClientRequestURI\":\"/s/example/api/telemetry/v2/clusters/_stats\",\"ClientRequestUserAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36\",\"ClientSSLCipher\":\"NONE\",\"ClientSSLProtocol\":\"TLSv1.2\",\"ClientSrcPort\":0,\"ClientTCPRTTMs\":0,\"ClientXRequestedWith\":\"Request 
With\",\"Cookies\":{\"key\":\"value\"},\"EdgeCFConnectingO2O\":false,\"EdgeColoCode\":\"RUH\",\"EdgeColoID\":339,\"EdgeEndTimestamp\":\"2022-05-25T13:25:32Z\",\"EdgePathingOp\":\"wl\",\"EdgePathingSrc\":\"macro\",\"EdgePathingStatus\":\"nr\",\"EdgeRateLimitAction\":\"unknown\",\"EdgeRateLimitID\":0,\"EdgeRequestHost\":\"abc.example.com\",\"EdgeResponseBodyBytes\":980397,\"EdgeResponseBytes\":981308,\"EdgeResponseCompressionRatio\":0,\"EdgeResponseContentType\":\"application/json\",\"EdgeResponseStatus\":200,\"EdgeServerIP\":\"1.128.0.0\",\"EdgeStartTimestamp\":\"2022-05-25T13:25:26Z\",\"EdgeTimeToFirstByteMs\":5333,\"OriginDNSResponseTimeMs\":3,\"OriginIP\":\"67.43.156.0\",\"OriginRequestHeaderSendDurationMs\":0,\"OriginResponseBytes\":0,\"OriginResponseDurationMs\":5319,\"OriginResponseHTTPExpires\":\"2022-05-27T13:25:26Z\",\"OriginResponseHTTPLastModified\":\"2022-05-26T13:25:26Z\",\"OriginResponseHeaderReceiveDurationMs\":5155,\"OriginResponseStatus\":200,\"OriginResponseTime\":5232000000,\"OriginSSLProtocol\":\"TLSv1.2\",\"OriginTCPHandshakeDurationMs\":24,\"OriginTLSHandshakeDurationMs\":53,\"ParentRayID\":\"710e98d93d50357d\",\"RayID\":\"710e98d9367f357d\",\"SecurityLevel\":\"off\",\"SmartRouteColoID\":20,\"UpperTierColoID\":0,\"WAFAction\":\"unknown\",\"WAFFlags\":\"0\",\"WAFMatchedVar\":\"example\",\"WAFProfile\":\"unknown\",\"WAFRuleID\":\"98d93d5\",\"WAFRuleMessage\":\"matchad variable message\",\"WorkerCPUTime\":0,\"WorkerStatus\":\"unknown\",\"WorkerSubrequest\":true,\"WorkerSubrequestCount\":0,\"ZoneID\":393347122,\"ZoneName\":\"example.com\"}", - "type": [ - "info" - ] - }, - "http": { - "request": { - "method": "POST" - }, - "response": { - "mime_type": "application/json", - "status_code": 200 - }, - "version": "1.1" - }, - "input": { - "type": "http_endpoint" - }, - "network": { - "protocol": "http" - }, - "related": { - "ip": [ - "175.16.199.0", - "67.43.156.0" - ] - }, - "source": { - "as": { - "number": 43766 - }, - "geo": { - "country_iso_code": 
"sa" - }, - "ip": "175.16.199.0" - }, - "tags": [ - "preserve_original_event", - "preserve_duplicate_custom_fields", - "forwarded", - "cloudflare_logpush_http_request" - ], - "tls": { - "version": "1.2", - "version_protocol": "tls" - }, - "url": { - "domain": "example.com", - "original": "https://example.com/s/example/default?sourcerer=(default:(id:!n,selectedPatterns:!(example,%27logs-endpoint.*-example%27,%27logs-system.*-example%27,%27logs-windows.*-example%27)))\u0026timerange=(global:(linkTo:!(),timerange:(from:%272022-05-16T06:26:36.340Z%27,fromStr:now-24h,kind:relative,to:%272022-05-17T06:26:36.340Z%27,toStr:now)),timeline:(linkTo:!(),timerange:(from:%272022-04-17T22:00:00.000Z%27,kind:absolute,to:%272022-04-18T21:59:59.999Z%27)))\u0026timeline=(activeTab:notes,graphEventId:%27%27,id:%279844bdd4-4dd6-5b22-ab40-3cd46fce8d6b%27,isOpen:!t)", - "path": "/s/example/default", - "query": "sourcerer=(default:(id:!n,selectedPatterns:!(example,'logs-endpoint.*-example','logs-system.*-example','logs-windows.*-example')))\u0026timerange=(global:(linkTo:!(),timerange:(from:'2022-05-16T06:26:36.340Z',fromStr:now-24h,kind:relative,to:'2022-05-17T06:26:36.340Z',toStr:now)),timeline:(linkTo:!(),timerange:(from:'2022-04-17T22:00:00.000Z',kind:absolute,to:'2022-04-18T21:59:59.999Z')))\u0026timeline=(activeTab:notes,graphEventId:'',id:'9844bdd4-4dd6-5b22-ab40-3cd46fce8d6b',isOpen:!t)", - "scheme": "https" - }, - "user_agent": { - "device": { - "name": "Mac" - }, - "name": "Chrome", - "original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36", - "os": { - "full": "Mac OS X 10.10.5", - "name": "Mac OS X", - "version": "10.10.5" - }, - "version": "51.0.2704.103" - } -} \ No newline at end of file 
diff --git a/packages/cloudflare_logpush/0.2.0/data_stream/nel_report/agent/stream/aws-s3.yml.hbs b/packages/cloudflare_logpush/0.2.0/data_stream/nel_report/agent/stream/aws-s3.yml.hbs
deleted file mode 100755
index 6029a860d9..0000000000
--- a/packages/cloudflare_logpush/0.2.0/data_stream/nel_report/agent/stream/aws-s3.yml.hbs
+++ /dev/null
@@ -1,88 +0,0 @@
-{{#if collect_s3_logs}}
-
-{{#if bucket_arn}}
-bucket_arn: {{bucket_arn}}
-{{/if}}
-{{#if number_of_workers}}
-number_of_workers: {{number_of_workers}}
-{{/if}}
-{{#if interval}}
-bucket_list_interval: {{interval}}
-{{/if}}
-{{#if bucket_list_prefix}}
-bucket_list_prefix: {{bucket_list_prefix}}
-{{/if}}
-
-{{else}}
-
-{{#if queue_url}}
-queue_url: {{queue_url}}
-{{/if}}
-{{#if visibility_timeout}}
-visibility_timeout: {{visibility_timeout}}
-{{/if}}
-{{#if api_timeout}}
-api_timeout: {{api_timeout}}
-{{/if}}
-{{#if max_number_of_messages}}
-max_number_of_messages: {{max_number_of_messages}}
-{{/if}}
-{{#if file_selectors}}
-file_selectors:
-{{file_selectors}}
-{{/if}}
-
-{{/if}}
-
-{{#if access_key_id}}
-access_key_id: {{access_key_id}}
-{{/if}}
-{{#if secret_access_key}}
-secret_access_key: {{secret_access_key}}
-{{/if}}
-{{#if session_token}}
-session_token: {{session_token}}
-{{/if}}
-{{#if shared_credential_file}}
-shared_credential_file: {{shared_credential_file}}
-{{/if}}
-{{#if credential_profile_name}}
-credential_profile_name: {{credential_profile_name}}
-{{/if}}
-{{#if role_arn}}
-role_arn: {{role_arn}}
-{{/if}}
-{{#if endpoint}}
-endpoint: {{endpoint}}
-{{/if}}
-{{#if default_region}}
-default_region: {{default_region}}
-{{/if}}
-{{#if fips_enabled}}
-fips_enabled: {{fips_enabled}}
-{{/if}}
-{{#if proxy_url}}
-proxy_url: {{proxy_url}}
-{{/if}}
-tags:
-{{#if collect_s3_logs}}
- - collect_s3_logs
-{{else}}
- - collect_sqs_logs
-{{/if}}
-{{#if preserve_original_event}}
- - preserve_original_event
-{{/if}}
-{{#if preserve_duplicate_custom_fields}}
- - preserve_duplicate_custom_fields
-{{/if}}
-{{#each tags as |tag|}}
- - {{tag}}
-{{/each}}
-{{#contains "forwarded" tags}}
-publisher_pipeline.disable_host: true
-{{/contains}}
-{{#if processors}}
-processors:
-{{processors}}
-{{/if}}
diff --git a/packages/cloudflare_logpush/0.2.0/data_stream/nel_report/agent/stream/http_endpoint.yml.hbs b/packages/cloudflare_logpush/0.2.0/data_stream/nel_report/agent/stream/http_endpoint.yml.hbs
deleted file mode 100755
index 53229700cc..0000000000
--- a/packages/cloudflare_logpush/0.2.0/data_stream/nel_report/agent/stream/http_endpoint.yml.hbs
+++ /dev/null
@@ -1,36 +0,0 @@
-listen_address: {{listen_address}}
-listen_port: {{listen_port}}
-url: {{url}}
-content_type: ""
-{{#if secret_header}}
-secret.header: {{secret_header}}
-{{/if}}
-{{#if secret_value}}
-secret.value: {{secret_value}}
-{{/if}}
-{{#if preserve_original_event}}
-preserve_original_event: true
-{{/if}}
-{{#if preserve_duplicate_custom_fields}}
-preserve_duplicate_custom_fields: true
-{{/if}}
-tags:
-{{#if preserve_original_event}}
- - preserve_original_event
-{{/if}}
-{{#if preserve_duplicate_custom_fields}}
- - preserve_duplicate_custom_fields
-{{/if}}
-{{#each tags as |tag|}}
- - {{tag}}
-{{/each}}
-{{#contains "forwarded" tags}}
-publisher_pipeline.disable_host: true
-{{/contains}}
-{{#if ssl}}
-ssl: {{ssl}}
-{{/if}}
-{{#if processors}}
-processors:
-{{processors}}
-{{/if}}
diff --git a/packages/cloudflare_logpush/0.2.0/data_stream/nel_report/elasticsearch/ingest_pipeline/default.yml b/packages/cloudflare_logpush/0.2.0/data_stream/nel_report/elasticsearch/ingest_pipeline/default.yml
deleted file mode 100755
index 52441fec75..0000000000
--- a/packages/cloudflare_logpush/0.2.0/data_stream/nel_report/elasticsearch/ingest_pipeline/default.yml
+++ /dev/null
@@ -1,112 +0,0 @@ ---- -description: Pipeline for parsing Cloudflare NEL Report logs. -processors: - - set: - field: ecs.version - value: '8.2.0' - - rename: - field: message - target_field: event.original - ignore_missing: true - - json: - field: event.original - target_field: json - ignore_failure: true - - set: - field: event.category - value: [network] - - set: - field: event.kind - value: event - - set: - field: event.type - value: [info] - - date: - field: json.Timestamp - if: ctx.json?.Timestamp != null && ctx.json.Timestamp != '' - formats: - - ISO8601 - - uuuu-MM-dd'T'HH:mm:ssX - - uuuu-MM-dd'T'HH:mm:ss.SSSX - - yyyy-MM-dd'T'HH:mm:ssZ - - yyyy-MM-dd'T'HH:mm:ss.SSSZ - - UNIX_MS - timezone: UTC - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - set: - field: cloudflare_logpush.nel_report.timestamp - copy_from: '@timestamp' - ignore_failure: true - - rename: - field: json.Type - target_field: cloudflare_logpush.nel_report.error.type - ignore_missing: true - - set: - field: error.type - copy_from: cloudflare_logpush.nel_report.error.type - ignore_failure: true - - convert: - field: json.ClientIPASN - target_field: cloudflare_logpush.nel_report.client.ip.asn.value - if: ctx.json?.ClientIPASN != '' - type: long - ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - rename: - field: json.ClientIPASNDescription - target_field: cloudflare_logpush.nel_report.client.ip.asn.description - ignore_missing: true - - rename: - field: json.ClientIPCountry - target_field: cloudflare_logpush.nel_report.client.ip.country - ignore_missing: true - - rename: - field: json.LastKnownGoodColoCode - target_field: cloudflare_logpush.nel_report.last_known_good.colo.code - ignore_missing: true - - rename: - field: json.Phase - target_field: cloudflare_logpush.nel_report.phase - ignore_missing: true - - remove: - field: json - ignore_missing: true - - remove: - field: - - 
cloudflare_logpush.nel_report.timestamp - - cloudflare_logpush.nel_report.error.type - if: ctx.tags == null || !(ctx.tags.contains('preserve_duplicate_custom_fields')) - ignore_failure: true - ignore_missing: true - - remove: - field: event.original - if: ctx.tags == null || !(ctx.tags.contains('preserve_original_event')) - ignore_failure: true - ignore_missing: true - - script: - description: Drops null/empty values recursively. - lang: painless - source: - boolean dropEmptyFields(Object object) { - if (object == null || object == "") { - return true; - } else if (object instanceof Map) { - ((Map) object).values().removeIf(value -> dropEmptyFields(value)); - return (((Map) object).size() == 0); - } else if (object instanceof List) { - ((List) object).removeIf(value -> dropEmptyFields(value)); - return (((List) object).length == 0); - } - return false; - } - dropEmptyFields(ctx); -on_failure: -- append: - field: error.message - value: '{{{ _ingest.on_failure_message }}}' diff --git a/packages/cloudflare_logpush/0.2.0/data_stream/nel_report/fields/agent.yml b/packages/cloudflare_logpush/0.2.0/data_stream/nel_report/fields/agent.yml deleted file mode 100755 index 73e076a93b..0000000000 --- a/packages/cloudflare_logpush/0.2.0/data_stream/nel_report/fields/agent.yml +++ /dev/null 
@@ -1,186 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization ID used to identify different entities in a multi-tenant environment. Examples: AWS account ID, Google Cloud ORG ID, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container ID. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host ID. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host IP addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - -- name: input.type - type: keyword - description: Input type -- name: log.offset - type: long - description: Log offset 
diff --git a/packages/cloudflare_logpush/0.2.0/data_stream/nel_report/fields/base-fields.yml b/packages/cloudflare_logpush/0.2.0/data_stream/nel_report/fields/base-fields.yml
deleted file mode 100755
index 90a63ff65c..0000000000
--- a/packages/cloudflare_logpush/0.2.0/data_stream/nel_report/fields/base-fields.yml
+++ /dev/null
@@ -1,20 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: '@timestamp'
- type: date
- description: Event timestamp.
-- name: event.dataset
- type: constant_keyword
- description: Event dataset.
- value: cloudflare_logpush.nel_report
-- name: event.module
- type: constant_keyword
- description: Event module.
- value: cloudflare_logpush
diff --git a/packages/cloudflare_logpush/0.2.0/data_stream/nel_report/fields/ecs.yml b/packages/cloudflare_logpush/0.2.0/data_stream/nel_report/fields/ecs.yml
deleted file mode 100755
index 506250f569..0000000000
--- a/packages/cloudflare_logpush/0.2.0/data_stream/nel_report/fields/ecs.yml
+++ /dev/null
@@ -1,49 +0,0 @@ -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. This will allow proper categorization of some events that fall in multiple categories. - name: event.category - normalize: - - array - type: keyword -- description: |- - event.created contains the date/time when the event was first read by an agent, or by your pipeline. - This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. - In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. - In case the two timestamps are identical, @timestamp should be used. - name: event.created - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. 
- The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: |- - Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. - This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. - doc_values: false - index: false - name: event.original - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. - `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. This will allow proper categorization of some events that fall in multiple event types. - name: event.type - normalize: - - array - type: keyword -- description: The type of the error, for example the class name of the exception. - name: error.type - type: keyword -- description: List of keywords used to tag each event. - name: tags - normalize: - - array - type: keyword diff --git a/packages/cloudflare_logpush/0.2.0/data_stream/nel_report/fields/fields.yml b/packages/cloudflare_logpush/0.2.0/data_stream/nel_report/fields/fields.yml deleted file mode 100755 index 547d5cce86..0000000000 --- a/packages/cloudflare_logpush/0.2.0/data_stream/nel_report/fields/fields.yml +++ /dev/null 
@@ -1,45 +0,0 @@
-- name: cloudflare_logpush.nel_report
- type: group
- fields:
- - name: client
- type: group
- fields:
- - name: ip
- type: group
- fields:
- - name: asn
- type: group
- fields:
- - name: value
- type: long
- description: Client ASN.
- - name: description
- type: keyword
- description: Client ASN description.
- - name: country
- type: keyword
- description: Client country.
- - name: error
- type: group
- fields:
- - name: type
- type: keyword
- description: The type of error in the phase.
- - name: last_known_good
- type: group
- fields:
- - name: colo
- type: group
- fields:
- - name: code
- type: keyword
- description: IATA airport code of colo client connected to.
- - name: phase
- type: keyword
- description: The phase of connection the error occurred in.
- - name: timestamp
- type: date
- description: Timestamp for error report.
-- name: log.source.address
- type: keyword
- description: Source address from which the log event was read / sent from.
diff --git a/packages/cloudflare_logpush/0.2.0/data_stream/nel_report/manifest.yml b/packages/cloudflare_logpush/0.2.0/data_stream/nel_report/manifest.yml
deleted file mode 100755
index ad8bdbf47a..0000000000
--- a/packages/cloudflare_logpush/0.2.0/data_stream/nel_report/manifest.yml
+++ /dev/null
@@ -1,151 +0,0 @@ -title: Collect NEL Report logs from Cloudflare -type: logs -streams: - - input: http_endpoint - template_path: http_endpoint.yml.hbs - title: NEL Report logs - description: Collect NEL Report logs from Cloudflare. - vars: - - name: listen_port - type: integer - title: Listen Port - description: The port number the listener binds to. - multi: false - required: true - show_user: true - default: 9564 - - name: url - type: text - title: URL - description: This option specifies which URL path to accept requests on. Defaults to /. - multi: false - required: false - show_user: false - default: / - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: false - default: - - forwarded - - cloudflare_logpush_nel_report - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original`. - type: bool - multi: false - default: false - - name: preserve_duplicate_custom_fields - required: true - show_user: true - title: Preserve duplicate custom fields - description: Preserve custom fields for all ECS mappings. - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: >- - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. - - input: aws-s3 - title: NEL Report logs via S3 or SQS - description: Collect NEL Report logs from Cloudflare. 
- template_path: aws-s3.yml.hbs - vars: - - name: bucket_list_prefix - type: text - title: '[S3] Bucket Prefix' - multi: false - required: false - show_user: true - default: nel_report - description: Prefix to apply for the list request to the S3 bucket. - - name: interval - type: text - title: '[S3] Interval' - multi: false - required: false - show_user: true - default: 1m - description: Time interval for polling listing of the S3 bucket. NOTE:- Supported units for this parameter are h/m/s. - - name: number_of_workers - type: integer - title: '[S3] Number of Workers' - multi: false - required: false - show_user: true - default: 5 - description: Number of workers that will process the S3 objects listed. - - name: visibility_timeout - type: text - title: '[SQS] Visibility Timeout' - multi: false - required: false - show_user: true - default: 300s - description: The duration that the received messages are hidden from subsequent retrieve requests after being retrieved by a ReceiveMessage request. The maximum is 12 hours. - - name: api_timeout - type: text - title: '[SQS] API Timeout' - multi: false - required: false - show_user: true - default: 120s - description: The maximum duration of AWS API can take. The maximum is half of the visibility timeout value. - - name: max_number_of_messages - type: integer - title: '[SQS] Maximum Concurrent SQS Messages' - required: false - show_user: true - default: 5 - description: The maximum number of SQS messages that can be inflight at any time. - - name: file_selectors - type: yaml - title: '[SQS] File Selectors' - multi: false - required: false - show_user: false - default: | - - regex: 'nel_report/' - description: If the SQS queue will have events that correspond to files that this integration shouldn’t process, file_selectors can be used to limit the files that are downloaded. This is a list of selectors which are made up of regex and expand_event_list_from_field options. 
The regex should match the S3 object key in the SQS message, and the optional expand_event_list_from_field is the same as the global setting. If file_selectors is given, then any global expand_event_list_from_field value is ignored in favor of the ones specified in the file_selectors. Regexes use [RE2 syntax](https://pkg.go.dev/regexp/syntax). Files that don’t match one of the regexes will not be processed. - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: false - default: - - forwarded - - cloudflare_logpush_nel_report - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original`. - type: bool - multi: false - default: false - - name: preserve_duplicate_custom_fields - required: true - show_user: true - title: Preserve duplicate custom fields - description: Preserve custom fields for all ECS mappings. - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: >- - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. diff --git a/packages/cloudflare_logpush/0.2.0/data_stream/nel_report/sample_event.json b/packages/cloudflare_logpush/0.2.0/data_stream/nel_report/sample_event.json deleted file mode 100755 index a3c802be0e..0000000000 --- a/packages/cloudflare_logpush/0.2.0/data_stream/nel_report/sample_event.json +++ /dev/null 
@@ -1,72 +0,0 @@ -{ - "@timestamp": "2021-07-27T00:01:07.000Z", - "agent": { - "ephemeral_id": "c38ba64f-2007-40ee-8ba6-7eead6aad5ee", - "hostname": "docker-fleet-agent", - "id": "8539930e-8f7a-48ac-af3e-7f098b7d6ea2", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "7.17.0" - }, - "cloudflare_logpush": { - "nel_report": { - "client": { - "ip": { - "asn": { - "description": "CLOUDFLARENET", - "value": 13335 - }, - "country": "US" - } - }, - "error": { - "type": "network-error" - }, - "last_known_good": { - "colo": { - "code": "SJC" - } - }, - "phase": "connection", - "timestamp": "2021-07-27T00:01:07.000Z" - } - }, - "data_stream": { - "dataset": "cloudflare_logpush.nel_report", - "namespace": "ep", - "type": "logs" - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "8539930e-8f7a-48ac-af3e-7f098b7d6ea2", - "snapshot": false, - "version": "7.17.0" - }, - "error": { - "type": "network-error" - }, - "event": { - "agent_id_status": "verified", - "category": [ - "network" - ], - "dataset": "cloudflare_logpush.nel_report", - "ingested": "2022-09-01T10:09:13Z", - "kind": "event", - "original": "{\"ClientIPASN\":\"13335\",\"ClientIPASNDescription\":\"CLOUDFLARENET\",\"ClientIPCountry\":\"US\",\"LastKnownGoodColoCode\":\"SJC\",\"Phase\":\"connection\",\"Timestamp\":\"2021-07-27T00:01:07Z\",\"Type\":\"network-error\"}", - "type": [ - "info" - ] - }, - "input": { - "type": "http_endpoint" - }, - "tags": [ - "preserve_original_event", - "preserve_duplicate_custom_fields", - "forwarded", - "cloudflare_logpush_nel_report" - ] -} \ No newline at end of file diff --git a/packages/cloudflare_logpush/0.2.0/data_stream/network_analytics/agent/stream/aws-s3.yml.hbs b/packages/cloudflare_logpush/0.2.0/data_stream/network_analytics/agent/stream/aws-s3.yml.hbs deleted file mode 100755 index 6029a860d9..0000000000 --- a/packages/cloudflare_logpush/0.2.0/data_stream/network_analytics/agent/stream/aws-s3.yml.hbs +++ /dev/null 
@@ -1,88 +0,0 @@ -{{#if collect_s3_logs}} - -{{#if bucket_arn}} -bucket_arn: {{bucket_arn}} -{{/if}} -{{#if number_of_workers}} -number_of_workers: {{number_of_workers}} -{{/if}} -{{#if interval}} -bucket_list_interval: {{interval}} -{{/if}} -{{#if bucket_list_prefix}} -bucket_list_prefix: {{bucket_list_prefix}} -{{/if}} - -{{else}} - -{{#if queue_url}} -queue_url: {{queue_url}} -{{/if}} -{{#if visibility_timeout}} -visibility_timeout: {{visibility_timeout}} -{{/if}} -{{#if api_timeout}} -api_timeout: {{api_timeout}} -{{/if}} -{{#if max_number_of_messages}} -max_number_of_messages: {{max_number_of_messages}} -{{/if}} -{{#if file_selectors}} -file_selectors: -{{file_selectors}} -{{/if}} - -{{/if}} - -{{#if access_key_id}} -access_key_id: {{access_key_id}} -{{/if}} -{{#if secret_access_key}} -secret_access_key: {{secret_access_key}} -{{/if}} -{{#if session_token}} -session_token: {{session_token}} -{{/if}} -{{#if shared_credential_file}} -shared_credential_file: {{shared_credential_file}} -{{/if}} -{{#if credential_profile_name}} -credential_profile_name: {{credential_profile_name}} -{{/if}} -{{#if role_arn}} -role_arn: {{role_arn}} -{{/if}} -{{#if endpoint}} -endpoint: {{endpoint}} -{{/if}} -{{#if default_region}} -default_region: {{default_region}} -{{/if}} -{{#if fips_enabled}} -fips_enabled: {{fips_enabled}} -{{/if}} -{{#if proxy_url}} -proxy_url: {{proxy_url}} -{{/if}} -tags: -{{#if collect_s3_logs}} - - collect_s3_logs -{{else}} - - collect_sqs_logs -{{/if}} -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#if preserve_duplicate_custom_fields}} - - preserve_duplicate_custom_fields -{{/if}} -{{#each tags as |tag|}} - - {{tag}} -{{/each}} -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} -{{#if processors}} -processors: -{{processors}} -{{/if}} 
diff --git a/packages/cloudflare_logpush/0.2.0/data_stream/network_analytics/agent/stream/http_endpoint.yml.hbs b/packages/cloudflare_logpush/0.2.0/data_stream/network_analytics/agent/stream/http_endpoint.yml.hbs deleted file mode 100755 index 53229700cc..0000000000 --- a/packages/cloudflare_logpush/0.2.0/data_stream/network_analytics/agent/stream/http_endpoint.yml.hbs +++ /dev/null @@ -1,36 +0,0 @@ -listen_address: {{listen_address}} -listen_port: {{listen_port}} -url: {{url}} -content_type: "" -{{#if secret_header}} -secret.header: {{secret_header}} -{{/if}} -{{#if secret_value}} -secret.value: {{secret_value}} -{{/if}} -{{#if preserve_original_event}} -preserve_original_event: true -{{/if}} -{{#if preserve_duplicate_custom_fields}} -preserve_duplicate_custom_fields: true -{{/if}} -tags: -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#if preserve_duplicate_custom_fields}} - - preserve_duplicate_custom_fields -{{/if}} -{{#each tags as |tag|}} - - {{tag}} -{{/each}} -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} -{{#if ssl}} -ssl: {{ssl}} -{{/if}} -{{#if processors}} -processors: -{{processors}} -{{/if}} diff --git a/packages/cloudflare_logpush/0.2.0/data_stream/network_analytics/elasticsearch/ingest_pipeline/default.yml b/packages/cloudflare_logpush/0.2.0/data_stream/network_analytics/elasticsearch/ingest_pipeline/default.yml deleted file mode 100755 index 2025140c3c..0000000000 --- a/packages/cloudflare_logpush/0.2.0/data_stream/network_analytics/elasticsearch/ingest_pipeline/default.yml +++ /dev/null 
@@ -1,787 +0,0 @@ ---- -description: Pipeline for parsing Cloudflare Network Analytics logs. -processors: - - set: - field: ecs.version - value: '8.2.0' - - rename: - field: message - target_field: event.original - ignore_missing: true - - json: - field: event.original - target_field: json - ignore_failure: true - - set: - field: event.category - value: [network] - - set: - field: event.kind - value: event - - set: - field: event.type - value: [info] - - date: - field: json.Datetime - if: ctx.json?.Datetime != null && ctx.json.Datetime != '' - formats: - - ISO8601 - - uuuu-MM-dd'T'HH:mm:ssX - - uuuu-MM-dd'T'HH:mm:ss.SSSX - - yyyy-MM-dd'T'HH:mm:ssZ - - yyyy-MM-dd'T'HH:mm:ss.SSSZ - - UNIX_MS - timezone: UTC - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - set: - field: cloudflare_logpush.network_analytics.timestamp - copy_from: '@timestamp' - ignore_failure: true - - set: - field: cloudflare_logpush.network_analytics.outcome - value: success - if: ctx.json?.Outcome == 'pass' - - set: - field: cloudflare_logpush.network_analytics.outcome - value: failure - if: ctx.json?.Outcome == 'drop' - - set: - field: event.outcome - copy_from: cloudflare_logpush.network_analytics.outcome - ignore_failure: true - - convert: - field: json.DestinationASN - target_field: cloudflare_logpush.network_analytics.destination.asn - if: ctx.json?.DestinationASN != '' - type: long - ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - set: - field: destination.as.number - copy_from: cloudflare_logpush.network_analytics.destination.asn - ignore_failure: true - - convert: - field: json.IPDestinationAddress - target_field: cloudflare_logpush.network_analytics.destination.ip - if: ctx.json?.IPDestinationAddress != '' - type: ip - ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - set: - field: destination.ip - 
copy_from: cloudflare_logpush.network_analytics.destination.ip - ignore_failure: true - - convert: - field: json.DestinationPort - target_field: cloudflare_logpush.network_analytics.destination.port - if: ctx.json?.DestinationPort != '' - type: long - ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - set: - field: destination.port - copy_from: cloudflare_logpush.network_analytics.destination.port - ignore_failure: true - - rename: - field: json.Direction - target_field: cloudflare_logpush.network_analytics.direction - ignore_missing: true - - set: - field: network.direction - copy_from: cloudflare_logpush.network_analytics.direction - ignore_failure: true - - rename: - field: json.IPProtocolName - target_field: cloudflare_logpush.network_analytics.ip.protocol.name - ignore_missing: true - - set: - field: network.transport - copy_from: cloudflare_logpush.network_analytics.ip.protocol.name - ignore_failure: true - - lowercase: - field: network.transport - ignore_missing: true - - convert: - field: json.IPSourceAddress - target_field: cloudflare_logpush.network_analytics.source.ip - if: ctx.json?.IPSourceAddress != '' - type: ip - ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - set: - field: source.ip - copy_from: cloudflare_logpush.network_analytics.source.ip - ignore_failure: true - - convert: - field: json.SourceASN - target_field: cloudflare_logpush.network_analytics.source.asn - if: ctx.json?.SourceASN != '' - type: long - ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - set: - field: source.as.number - copy_from: cloudflare_logpush.network_analytics.source.asn - ignore_failure: true - - convert: - field: json.SourcePort - target_field: cloudflare_logpush.network_analytics.source.port - if: ctx.json?.SourcePort != '' - type: long - ignore_missing: true - 
on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - set: - field: source.port - copy_from: cloudflare_logpush.network_analytics.source.port - ignore_failure: true - - rename: - field: json.RuleID - target_field: cloudflare_logpush.network_analytics.rule.id - ignore_missing: true - - set: - field: rule.id - copy_from: cloudflare_logpush.network_analytics.rule.id - ignore_failure: true - - rename: - field: json.AttackCampaignID - target_field: cloudflare_logpush.network_analytics.attack.campaign.id - ignore_missing: true - - rename: - field: json.AttackID - target_field: cloudflare_logpush.network_analytics.attack.id - ignore_missing: true - - rename: - field: json.ColoCountry - target_field: cloudflare_logpush.network_analytics.colo.country - ignore_missing: true - - rename: - field: json.ColoGeoHash - target_field: cloudflare_logpush.network_analytics.colo.geo_hash - ignore_missing: true - - set: - field: cloudflare_logpush.network_analytics.colo.geo_location - copy_from: cloudflare_logpush.network_analytics.colo.geo_hash - ignore_failure: true - - convert: - field: json.ColoID - target_field: cloudflare_logpush.network_analytics.colo.id - if: ctx.json?.ColoID != '' - type: long - ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - rename: - field: json.ColoName - target_field: cloudflare_logpush.network_analytics.colo.name - ignore_missing: true - - rename: - field: json.DestinationASNDescription - target_field: cloudflare_logpush.network_analytics.destination.as.number.description - ignore_missing: true - - rename: - field: json.DestinationCountry - target_field: cloudflare_logpush.network_analytics.destination.country - ignore_missing: true - - rename: - field: json.DestinationGeoHash - target_field: cloudflare_logpush.network_analytics.destination.geo_hash - ignore_missing: true - - set: - field: 
cloudflare_logpush.network_analytics.destination.geo_location - copy_from: cloudflare_logpush.network_analytics.destination.geo_hash - ignore_failure: true - - convert: - field: json.GREChecksum - target_field: cloudflare_logpush.network_analytics.gre.checksum - if: ctx.json?.GREChecksum != '' - type: long - ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - convert: - field: json.GREEthertype - target_field: cloudflare_logpush.network_analytics.gre.ether.type - if: ctx.json?.GREEthertype != '' - type: long - ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - convert: - field: json.GREHeaderLength - target_field: cloudflare_logpush.network_analytics.gre.header.length - if: ctx.json?.GREHeaderLength != '' - type: long - ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - convert: - field: json.GREKey - target_field: cloudflare_logpush.network_analytics.gre.key - if: ctx.json?.GREKey != '' - type: long - ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - convert: - field: json.GRESequenceNumber - target_field: cloudflare_logpush.network_analytics.gre.sequence.number - if: ctx.json?.GRESequenceNumber != '' - type: long - ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - convert: - field: json.GREVersion - target_field: cloudflare_logpush.network_analytics.gre.version - if: ctx.json?.GREVersion != '' - type: long - ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - convert: - field: json.ICMPChecksum - target_field: cloudflare_logpush.network_analytics.icmp.checksum - if: ctx.json?.ICMPChecksum != '' - type: long - ignore_missing: true - on_failure: - - append: - field: 
error.message - value: '{{{_ingest.on_failure_message}}}' - - convert: - field: json.ICMPCode - target_field: cloudflare_logpush.network_analytics.icmp.code - if: ctx.json?.ICMPCode != '' - type: long - ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - convert: - field: json.ICMPType - target_field: cloudflare_logpush.network_analytics.icmp.type - if: ctx.json?.ICMPType != '' - type: long - ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - rename: - field: json.IPDestinationSubnet - target_field: cloudflare_logpush.network_analytics.ip.destination.subnet - ignore_missing: true - - convert: - field: json.IPFragmentOffset - target_field: cloudflare_logpush.network_analytics.ip.fragment.offset - if: ctx.json?.IPFragmentOffset != '' - type: long - ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - convert: - field: json.IPHeaderLength - target_field: cloudflare_logpush.network_analytics.ip.header.length - if: ctx.json?.IPHeaderLength != '' - type: long - ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - convert: - field: json.IPMoreFragments - target_field: cloudflare_logpush.network_analytics.ip.more.fragments - if: ctx.json?.IPMoreFragments != '' - type: long - ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - convert: - field: json.IPProtocol - target_field: cloudflare_logpush.network_analytics.ip.protocol.value - if: ctx.json?.IPProtocol != '' - type: long - ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - rename: - field: json.IPSourceSubnet - target_field: cloudflare_logpush.network_analytics.ip.source.subnet - ignore_missing: true - - convert: - field: 
json.IPTotalLength - target_field: cloudflare_logpush.network_analytics.ip.total.length.value - if: ctx.json?.IPTotalLength != '' - type: long - ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - convert: - field: json.IPTotalLengthBuckets - target_field: cloudflare_logpush.network_analytics.ip.total.length.buckets - if: ctx.json?.IPTotalLengthBuckets != '' - type: long - ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - convert: - field: json.IPTtl - target_field: cloudflare_logpush.network_analytics.ip.ttl.value - if: ctx.json?.IPTtl != '' - type: long - ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - convert: - field: json.IPTtlBuckets - target_field: cloudflare_logpush.network_analytics.ip.ttl.buckets - if: ctx.json?.IPTtlBuckets != '' - type: long - ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - convert: - field: json.IPv4Checksum - target_field: cloudflare_logpush.network_analytics.ipv4.checksum - if: ctx.json?.IPv4Checksum != '' - type: long - ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - convert: - field: json.IPv4DontFragment - target_field: cloudflare_logpush.network_analytics.ipv4.dont_fragment - if: ctx.json?.IPv4DontFragment != '' - type: long - ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - convert: - field: json.IPv4Dscp - target_field: cloudflare_logpush.network_analytics.ipv4.dscp - if: ctx.json?.IPv4Dscp != '' - type: long - ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - convert: - field: json.IPv4Ecn - target_field: cloudflare_logpush.network_analytics.ipv4.ecn - 
if: ctx.json?.IPv4Ecn != '' - type: long - ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - convert: - field: json.IPv4Identification - target_field: cloudflare_logpush.network_analytics.ipv4.identification - if: ctx.json?.IPv4Identification != '' - type: long - ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - convert: - field: json.IPv4Options - target_field: cloudflare_logpush.network_analytics.ipv4.options - if: ctx.json?.IPv4Options != '' - type: long - ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - convert: - field: json.IPv6Dscp - target_field: cloudflare_logpush.network_analytics.ipv6.dscp - if: ctx.json?.IPv6Dscp != '' - type: long - ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - convert: - field: json.IPv6Ecn - target_field: cloudflare_logpush.network_analytics.ipv6.ecn - if: ctx.json?.IPv6Ecn != '' - type: long - ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - rename: - field: json.IPv6ExtensionHeaders - target_field: cloudflare_logpush.network_analytics.ipv6.extension_headers - ignore_missing: true - - convert: - field: json.IPv6FlowLabel - target_field: cloudflare_logpush.network_analytics.ipv6.flow_label - if: ctx.json?.IPv6FlowLabel != '' - type: long - ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - convert: - field: json.IPv6Identification - target_field: cloudflare_logpush.network_analytics.ipv6.identification - if: ctx.json?.IPv6Identification != '' - type: long - ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - rename: - field: json.MitigationReason - target_field: 
cloudflare_logpush.network_analytics.mitigation.reason - ignore_missing: true - - rename: - field: json.MitigationScope - target_field: cloudflare_logpush.network_analytics.mitigation.scope - ignore_missing: true - - rename: - field: json.MitigationSystem - target_field: cloudflare_logpush.network_analytics.mitigation.system - ignore_missing: true - - rename: - field: json.ProtocolState - target_field: cloudflare_logpush.network_analytics.protocol_state - ignore_missing: true - - rename: - field: json.RulesetID - target_field: cloudflare_logpush.network_analytics.rule.set.id - ignore_missing: true - - rename: - field: json.RulesetOverrideID - target_field: cloudflare_logpush.network_analytics.rule.set.override.id - ignore_missing: true - - convert: - field: json.SampleInterval - target_field: cloudflare_logpush.network_analytics.sample_interval - if: ctx.json?.SampleInterval != '' - type: long - ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - rename: - field: json.SourceASNDescription - target_field: cloudflare_logpush.network_analytics.source.as.number.description - ignore_missing: true - - rename: - field: json.SourceCountry - target_field: cloudflare_logpush.network_analytics.source.country - ignore_missing: true - - rename: - field: json.SourceGeoHash - target_field: cloudflare_logpush.network_analytics.source.geo_hash - ignore_missing: true - - set: - field: cloudflare_logpush.network_analytics.source.geo_location - copy_from: cloudflare_logpush.network_analytics.source.geo_hash - ignore_failure: true - - convert: - field: json.TCPAcknowledgementNumber - target_field: cloudflare_logpush.network_analytics.tcp.acknowledgement_number - if: ctx.json?.TCPAcknowledgementNumber != '' - type: long - ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - convert: - field: json.TCPChecksum - target_field: 
cloudflare_logpush.network_analytics.tcp.checksum - if: ctx.json?.TCPChecksum != '' - type: long - ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - convert: - field: json.TCPDataOffset - target_field: cloudflare_logpush.network_analytics.tcp.dataoffset - if: ctx.json?.TCPDataOffset != '' - type: long - ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - convert: - field: json.TCPFlags - target_field: cloudflare_logpush.network_analytics.tcp.flags.value - if: ctx.json?.TCPFlags != '' - type: long - ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - rename: - field: json.TCPFlagsString - target_field: cloudflare_logpush.network_analytics.tcp.flags.string - ignore_missing: true - - convert: - field: json.TCPMss - target_field: cloudflare_logpush.network_analytics.tcp.mss - if: ctx.json?.TCPMss != '' - type: long - ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - rename: - field: json.TCPOptions - target_field: cloudflare_logpush.network_analytics.tcp.options - ignore_missing: true - - convert: - field: json.TCPSackBlocks - target_field: cloudflare_logpush.network_analytics.tcp.sack.blocks - if: ctx.json?.TCPSackBlocks != '' - type: long - ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - convert: - field: json.TCPSacksPermitted - target_field: cloudflare_logpush.network_analytics.tcp.sack.permitted - if: ctx.json?.TCPSacksPermitted != '' - type: long - ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - convert: - field: json.TCPSequenceNumber - target_field: cloudflare_logpush.network_analytics.tcp.sequence_number - if: ctx.json?.TCPSequenceNumber != '' - type: long - 
ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - convert: - field: json.TCPTimestampEcr - target_field: cloudflare_logpush.network_analytics.tcp.timestamp.ecr - if: ctx.json?.TCPTimestampEcr != '' - type: long - ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - convert: - field: json.TCPTimestampValue - target_field: cloudflare_logpush.network_analytics.tcp.timestamp.value - if: ctx.json?.TCPTimestampValue != '' - type: long - ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - convert: - field: json.TCPUrgentPointer - target_field: cloudflare_logpush.network_analytics.tcp.urgent_pointer - if: ctx.json?.TCPUrgentPointer != '' - type: long - ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - convert: - field: json.TCPWindowScale - target_field: cloudflare_logpush.network_analytics.tcp.window.scale - if: ctx.json?.TCPWindowScale != '' - type: long - ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - convert: - field: json.TCPWindowSize - target_field: cloudflare_logpush.network_analytics.tcp.window.size - if: ctx.json?.TCPWindowSize != '' - type: long - ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - convert: - field: json.UDPChecksum - target_field: cloudflare_logpush.network_analytics.udp.checksum - if: ctx.json?.UDPChecksum != '' - type: long - ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - convert: - field: json.UDPPayloadLength - target_field: cloudflare_logpush.network_analytics.udp.payload_length - if: ctx.json?.UDPPayloadLength != '' - type: long - ignore_missing: true - on_failure: - - 
append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - rename: - field: json.Verdict - target_field: cloudflare_logpush.network_analytics.verdict - ignore_missing: true - - append: - field: related.hash - value: '{{{cloudflare_logpush.network_analytics.source.geo_hash}}}' - if: ctx.cloudflare_logpush?.network_analytics?.source?.geo_hash != null - allow_duplicates: false - ignore_failure: true - - append: - field: related.hash - value: '{{{cloudflare_logpush.network_analytics.destination.geo_hash}}}' - if: ctx.cloudflare_logpush?.network_analytics?.destination?.geo_hash != null - allow_duplicates: false - ignore_failure: true - - append: - field: related.hash - value: '{{{cloudflare_logpush.network_analytics.colo.geo_hash}}}' - if: ctx.cloudflare_logpush?.network_analytics?.colo?.geo_hash != null - allow_duplicates: false - ignore_failure: true - - append: - field: related.ip - value: '{{{source.ip}}}' - if: ctx.source?.ip != null - allow_duplicates: false - ignore_failure: true - - append: - field: related.ip - value: '{{{destination.ip}}}' - if: ctx.destination?.ip != null - allow_duplicates: false - ignore_failure: true - - community_id: - target_field: network.community_id - ignore_failure: true - - remove: - field: json - ignore_missing: true - - remove: - field: - - cloudflare_logpush.network_analytics.timestamp - - cloudflare_logpush.network_analytics.outcome - - cloudflare_logpush.network_analytics.destination.asn - - cloudflare_logpush.network_analytics.destination.ip - - cloudflare_logpush.network_analytics.destination.port - - cloudflare_logpush.network_analytics.direction - - cloudflare_logpush.network_analytics.ip.protocol.name - - cloudflare_logpush.network_analytics.source.ip - - cloudflare_logpush.network_analytics.source.asn - - cloudflare_logpush.network_analytics.source.port - - cloudflare_logpush.network_analytics.rule.id - if: ctx.tags == null || !(ctx.tags.contains('preserve_duplicate_custom_fields')) - ignore_failure: 
true - ignore_missing: true - - remove: - field: event.original - if: ctx.tags == null || !(ctx.tags.contains('preserve_original_event')) - ignore_failure: true - ignore_missing: true - - script: - description: Drops null/empty values recursively. - lang: painless - source: - boolean dropEmptyFields(Object object) { - if (object == null || object == "") { - return true; - } else if (object instanceof Map) { - ((Map) object).values().removeIf(value -> dropEmptyFields(value)); - return (((Map) object).size() == 0); - } else if (object instanceof List) { - ((List) object).removeIf(value -> dropEmptyFields(value)); - return (((List) object).length == 0); - } - return false; - } - dropEmptyFields(ctx); -on_failure: -- append: - field: error.message - value: '{{{ _ingest.on_failure_message }}}' diff --git a/packages/cloudflare_logpush/0.2.0/data_stream/network_analytics/fields/agent.yml b/packages/cloudflare_logpush/0.2.0/data_stream/network_analytics/fields/agent.yml deleted file mode 100755 index 73e076a93b..0000000000 --- a/packages/cloudflare_logpush/0.2.0/data_stream/network_analytics/fields/agent.yml +++ /dev/null 
@@ -1,186 +0,0 @@
-- name: cloud
- title: Cloud
- group: 2
- description: Fields related to the cloud or infrastructure the events are coming from.
- footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.'
- type: group
- fields:
- - name: account.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'The cloud account or organization ID used to identify different entities in a multi-tenant environment. Examples: AWS account ID, Google Cloud ORG ID, or other unique identifier.'
- example: 666777888999
- - name: availability_zone
- level: extended
- type: keyword
- ignore_above: 1024
- description: Availability zone in which this host is running.
- example: us-east-1c
- - name: instance.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance ID of the host machine.
- example: i-1234567890abcdef0
- - name: instance.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance name of the host machine.
- - name: machine.type
- level: extended
- type: keyword
- ignore_above: 1024
- description: Machine type of the host machine.
- example: t2.medium
- - name: provider
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
- example: aws
- - name: region
- level: extended
- type: keyword
- ignore_above: 1024
- description: Region in which this host is running.
- example: us-east-1
- - name: project.id
- type: keyword
- description: Name of the project in Google Cloud.
- - name: image.id
- type: keyword
- description: Image ID for the cloud instance.
-- name: container
- title: Container
- group: 2
- description: 'Container fields are used for meta information about the specific container that is the source of information. These fields help correlate data based containers from any runtime.'
- type: group
- fields:
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: Unique container ID.
- - name: image.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the image the container was built on.
- - name: labels
- level: extended
- type: object
- object_type: keyword
- description: Image labels.
- - name: name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Container name.
-- name: host
- title: Host
- group: 2
- description: 'A host is defined as a general computing instance. ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.'
- type: group
- fields:
- - name: architecture
- level: core
- type: keyword
- ignore_above: 1024
- description: Operating system architecture.
- example: x86_64
- - name: domain
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'Name of the domain of which the host is a member. For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.'
- example: CONTOSO
- default_field: false
- - name: hostname
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Hostname of the host. It normally contains what the `hostname` command returns on the host machine.'
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Unique host ID. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`.'
- - name: ip
- level: core
- type: ip
- description: Host IP addresses.
- - name: mac
- level: core
- type: keyword
- ignore_above: 1024
- description: Host mac addresses.
- - name: name
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.'
- - name: os.family
- level: extended
- type: keyword
- ignore_above: 1024
- description: OS family (such as redhat, debian, freebsd, windows).
- example: debian
- - name: os.kernel
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system kernel version as a raw string.
- example: 4.4.0-112-generic
- - name: os.name
- level: extended
- type: keyword
- ignore_above: 1024
- multi_fields:
- - name: text
- type: text
- norms: false
- default_field: false
- description: Operating system name, without the version.
- example: Mac OS X
- - name: os.platform
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system platform (such centos, ubuntu, windows).
- example: darwin
- - name: os.version
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system version as a raw string.
- example: 10.14.1
- - name: type
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.'
- - name: containerized
- type: boolean
- description: >
- If the host is a container.
-
- - name: os.build
- type: keyword
- example: "18D109"
- description: >
- OS build information.
-
- - name: os.codename
- type: keyword
- example: "stretch"
- description: >
- OS codename, if any.
-
-- name: input.type
- type: keyword
- description: Input type
-- name: log.offset
- type: long
- description: Log offset
diff --git a/packages/cloudflare_logpush/0.2.0/data_stream/network_analytics/fields/base-fields.yml b/packages/cloudflare_logpush/0.2.0/data_stream/network_analytics/fields/base-fields.yml
deleted file mode 100755
index f25938756c..0000000000
--- a/packages/cloudflare_logpush/0.2.0/data_stream/network_analytics/fields/base-fields.yml
+++ /dev/null
@@ -1,20 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: '@timestamp'
- type: date
- description: Event timestamp.
-- name: event.dataset
- type: constant_keyword
- description: Event dataset.
- value: cloudflare_logpush.network_analytics
-- name: event.module
- type: constant_keyword
- description: Event module.
- value: cloudflare_logpush
diff --git a/packages/cloudflare_logpush/0.2.0/data_stream/network_analytics/fields/ecs.yml b/packages/cloudflare_logpush/0.2.0/data_stream/network_analytics/fields/ecs.yml
deleted file mode 100755
index d416ec8f9a..0000000000
--- a/packages/cloudflare_logpush/0.2.0/data_stream/network_analytics/fields/ecs.yml
+++ /dev/null
@@ -1,111 +0,0 @@
-- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet.
- name: destination.as.number
- type: long
-- description: IP address of the destination (IPv4 or IPv6).
- name: destination.ip
- type: ip
-- description: Port of the destination.
- name: destination.port
- type: long
-- description: |-
- ECS version this event conforms to. `ecs.version` is a required field and must exist in all events.
- When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events.
- name: ecs.version
- type: keyword
-- description: |-
- This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy.
- `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory.
- This field is an array. This will allow proper categorization of some events that fall in multiple categories.
- name: event.category
- normalize:
- - array
- type: keyword
-- description: |-
- event.created contains the date/time when the event was first read by an agent, or by your pipeline.
- This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event.
- In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source.
- In case the two timestamps are identical, @timestamp should be used.
- name: event.created
- type: date
-- description: |-
- This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy.
- `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events.
- The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not.
- name: event.kind
- type: keyword
-- description: |-
- Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex.
- This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`.
- doc_values: false
- index: false
- name: event.original
- type: keyword
-- description: |-
- This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy.
- `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event.
- Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective.
- Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer.
- Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense.
- name: event.outcome
- type: keyword
-- description: |-
- This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy.
- `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization.
- This field is an array. This will allow proper categorization of some events that fall in multiple event types.
- name: event.type
- normalize:
- - array
- type: keyword
-- description: |-
- A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows.
- Learn more at https://github.com/corelight/community-id-spec.
- name: network.community_id
- type: keyword
-- description: |-
- Direction of the network traffic.
- Recommended values are:
- * ingress
- * egress
- * inbound
- * outbound
- * internal
- * external
- * unknown
-
- When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress".
- When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external".
- Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers.
- name: network.direction
- type: keyword
-- description: |-
- Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.)
- The field value must be normalized to lowercase for querying.
- name: network.transport
- type: keyword
-- description: All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search).
- name: related.hash
- normalize:
- - array
- type: keyword
-- description: All of the IPs seen on your event.
- name: related.ip
- normalize:
- - array
- type: ip
-- description: A rule ID that is unique within the scope of an agent, observer, or other entity using the rule for detection of this event.
- name: rule.id
- type: keyword
-- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet.
- name: source.as.number
- type: long
-- description: IP address of the source (IPv4 or IPv6).
- name: source.ip
- type: ip
-- description: Port of the source.
- name: source.port
- type: long
-- description: List of keywords used to tag each event.
- name: tags
- normalize:
- - array
- type: keyword
diff --git a/packages/cloudflare_logpush/0.2.0/data_stream/network_analytics/fields/fields.yml b/packages/cloudflare_logpush/0.2.0/data_stream/network_analytics/fields/fields.yml
deleted file mode 100755
index 2eca19d03c..0000000000
--- a/packages/cloudflare_logpush/0.2.0/data_stream/network_analytics/fields/fields.yml
+++ /dev/null
@@ -1,357 +0,0 @@
-- name: cloudflare_logpush.network_analytics
- type: group
- fields:
- - name: attack
- type: group
- fields:
- - name: campaign
- type: group
- fields:
- - name: id
- type: keyword
- description: Unique identifier of the attack campaign that this packet was a part of, if any.
- - name: id
- type: keyword
- description: Unique identifier of the mitigation that matched the packet, if any.
- - name: colo
- type: group
- fields:
- - name: country
- type: keyword
- description: The country of colo that received the packet (ISO 3166-1 alpha-2).
- - name: geo_hash
- type: keyword
- description: The Geo Hash where the colo that received the packet is located.
- - name: geo_location
- type: geo_point
- description: The latitude and longitude where the colo that received the packet is located.
- - name: id
- type: long
- description: The ID of the colo that received the DNS query.
- - name: name
- type: keyword
- description: The name of the colo that received the DNS query.
- - name: destination
- type: group
- fields:
- - name: as
- type: group
- fields:
- - name: number
- type: group
- fields:
- - name: description
- type: text
- description: The ASN description associated with the destination IP of the packet.
- - name: asn
- type: long
- description: The ASN associated with the destination IP of the packet.
- - name: country
- type: keyword
- description: The country where the destination IP of the packet is located.
- - name: geo_hash
- type: keyword
- description: The Geo Hash where the destination IP of the packet is located.
- - name: geo_location
- type: geo_point
- description: The latitude and longitude where the destination IP of the packet is located.
- - name: ip
- type: ip
- description: Value of the Destination Address header field in the IPv4 or IPv6 packet.
- - name: port
- type: long
- description: Value of the Destination Port header field in the TCP or UDP packet.
- - name: direction
- type: keyword
- description: The direction in relation to customer network.
- - name: gre
- type: group
- fields:
- - name: checksum
- type: long
- description: Value of the Checksum header field in the GRE packet.
- - name: ether
- type: group
- fields:
- - name: type
- type: long
- description: Value of the Ethertype header field in the GRE packet.
- - name: header
- type: group
- fields:
- - name: length
- type: long
- description: Length of the GRE packet header, in bytes.
- - name: key
- type: long
- description: Value of the Key header field in the GRE packet.
- - name: sequence
- type: group
- fields:
- - name: number
- type: long
- description: Value of the Sequence Number header field in the GRE packet.
- - name: version
- type: long
- description: Value of the Version header field in the GRE packet.
- - name: icmp
- type: group
- fields:
- - name: checksum
- type: long
- description: Value of the Checksum header field in the ICMP packet
- - name: code
- type: long
- description: Value of the Code header field in the ICMP packet
- - name: type
- type: long
- description: Value of the Type header field in the ICMP packet
- - name: ip
- type: group
- fields:
- - name: destination
- type: group
- fields:
- - name: subnet
- type: keyword
- description: Computed subnet of the Destination Address header field in the IPv4 or IPv6 packet.
- - name: fragment
- type: group
- fields:
- - name: offset
- type: long
- description: Value of the Fragment Offset header field in the IPv4 or IPv6 packet.
- - name: header
- type: group
- fields:
- - name: length
- type: long
- description: Length of the IPv4 or IPv6 packet header, in bytes.
- - name: more
- type: group
- fields:
- - name: fragments
- type: long
- description: Value of the More Fragments header field in the IPv4 or IPv6 packet.
- - name: protocol
- type: group
- fields:
- - name: name
- type: text
- description: Name of the protocol specified by the Protocol header field in the IPv4 or IPv6 packet.
- - name: value
- type: long
- description: Value of the Protocol header field in the IPv4 or IPv6 packet.
- - name: source
- type: group
- fields:
- - name: subnet
- type: keyword
- description: Computed subnet of the Source Address header field in the IPv4 or IPv6 packet.
- - name: total
- type: group
- fields:
- - name: length
- type: group
- fields:
- - name: buckets
- type: long
- description: Total length of the IPv4 or IPv6 packet, in bytes, with the last two digits truncated.
- - name: value
- type: long
- description: Total length of the IPv4 or IPv6 packet, in bytes.
- - name: ttl
- type: group
- fields:
- - name: buckets
- type: long
- description: Value of the TTL header field in the IPv4 packet or the Hop Limit header field in the IPv6 packet, with the last digit truncated.
- - name: value
- type: long
- description: Value of the TTL header field in the IPv4 packet or the Hop Limit header field in the IPv6 packet.
- - name: ipv4
- type: group
- fields:
- - name: checksum
- type: long
- description: Value of the Checksum header field in the IPv4 packet.
- - name: dont_fragment
- type: long
- description: Value of the Don’t Fragment header field in the IPv4 packet.
- - name: dscp
- type: long
- description: Value of the Differentiated Services Code Point header field in the IPv4 packet.
- - name: ecn
- type: long
- description: Value of the Explicit Congestion Notification header field in the IPv4 packet.
- - name: identification
- type: long
- description: Value of the Identification header field in the IPv4 packet.
- - name: options
- type: long
- description: List of Options numbers included in the IPv4 packet header.
- - name: ipv6
- type: group
- fields:
- - name: dscp
- type: long
- description: Value of the Differentiated Services Code Point header field in the IPv6 packet.
- - name: ecn
- type: long
- description: Value of the Explicit Congestion Notification header field in the IPv6 packet.
- - name: extension_headers
- type: text
- description: List of Extension Header numbers included in the IPv6 packet header.
- - name: flow_label
- type: long
- description: Value of the Flow Label header field in the IPv6 packet.
- - name: identification
- type: long
- description: Value of the Identification extension header field in the IPv6 packet.
- - name: mitigation
- type: group
- fields:
- - name: reason
- type: keyword
- description: Reason for applying a mitigation to the packet, if any.
- - name: scope
- type: keyword
- description: Whether the packet matched a local or global mitigation, if any.
- - name: system
- type: keyword
- description: Which Cloudflare system dropped the packet, if any.
- - name: outcome
- type: keyword
- description: The action that Cloudflare systems took on the packet.
- - name: protocol_state
- type: keyword
- description: State of the packet in the context of the protocol, if any.
- - name: rule
- type: group
- fields:
- - name: id
- type: text
- description: Unique identifier of the rule contained with the Cloudflare L3/4 managed ruleset that this packet matched, if any.
- - name: set
- type: group
- fields:
- - name: id
- type: keyword
- description: Unique identifier of the Cloudflare L3/4 managed ruleset containing the rule that this packet matched, if any.
- - name: override
- type: group
- fields:
- - name: id
- type: text
- description: Unique identifier of the rule within the accounts root ddos_l4 phase ruleset which resulted in an override of the default sensitivity or action being applied/evaluated, if any.
- - name: sample_interval
- type: long
- description: The sample interval for this log.
- - name: source
- type: group
- fields:
- - name: as
- type: group
- fields:
- - name: number
- type: group
- fields:
- - name: description
- type: text
- description: The ASN description associated with the source IP of the packet.
- - name: asn
- type: long
- description: The ASN associated with the source IP of the packet.
- - name: country
- type: keyword
- description: The country where the source IP of the packet is located.
- - name: geo_hash
- type: keyword
- description: The Geo Hash where the source IP of the packet is located.
- - name: geo_location
- type: geo_point
- description: The latitude and longitude where the source IP of the packet is located.
- - name: ip
- type: ip
- description: Value of the Source Address header field in the IPv4 or IPv6 packet.
- - name: port
- type: long
- description: Value of the Source Port header field in the TCP or UDP packet.
- - name: tcp
- type: group
- fields:
- - name: acknowledgement_number
- type: long
- description: Value of the Acknowledgement Number header field in the TCP packet.
- - name: checksum
- type: long
- description: Value of the Checksum header field in the TCP packet.
- - name: dataoffset
- type: long
- description: Value of the Data Offset header field in the TCP packet.
- - name: flags
- type: group
- fields:
- - name: string
- type: text
- description: Human-readable string representation of the Flags header field in the TCP packet.
- - name: value
- type: long
- description: Value of the Flags header field in the TCP packet.
- - name: mss
- type: long
- description: Value of the MSS option header field in the TCP packet.
- - name: options
- type: text
- description: List of Options numbers included in the TCP packet header.
- - name: sack
- type: group
- fields:
- - name: blocks
- type: long
- description: Value of the SACK Blocks option header in the TCP packet.
- - name: permitted
- type: long
- description: Value of the SACK Permitted option header in the TCP packet.
- - name: sequence_number
- type: long
- description: Value of the Sequence Number header field in the TCP packet.
- - name: timestamp
- type: group
- fields:
- - name: ecr
- type: long
- description: Value of the Timestamp Echo Reply option header in the TCP packet.
- - name: value
- type: long
- description: Value of the Timestamp option header in the TCP packet.
- - name: urgent_pointer
- type: long
- description: Value of the Urgent Pointer header field in the TCP packet.
- - name: window
- type: group
- fields:
- - name: scale
- type: long
- description: Value of the Window Scale option header in the TCP packet.
- - name: size
- type: long
- description: Value of the Window Size header field in the TCP packet.
- - name: timestamp
- type: date
- description: The date and time the event occurred at the edge.
- - name: udp
- type: group
- fields:
- - name: checksum
- type: long
- description: Value of the Checksum header field in the UDP packet.
- - name: payload_length
- type: long
- description: Value of the Payload Length header field in the UDP packet.
- - name: verdict
- type: keyword
- description: The action that Cloudflare systems think should be taken on the packet (pass | drop).
-- name: log.source.address
- type: keyword
- description: Source address from which the log event was read / sent from.
diff --git a/packages/cloudflare_logpush/0.2.0/data_stream/network_analytics/manifest.yml b/packages/cloudflare_logpush/0.2.0/data_stream/network_analytics/manifest.yml
deleted file mode 100755
index f944ddec66..0000000000
--- a/packages/cloudflare_logpush/0.2.0/data_stream/network_analytics/manifest.yml
+++ /dev/null
@@ -1,151 +0,0 @@
-title: Collect Network Analytics logs from Cloudflare
-type: logs
-streams:
- - input: http_endpoint
- template_path: http_endpoint.yml.hbs
- title: Network Analytics logs
- description: Collect Network Analytics logs from Cloudflare.
- vars:
- - name: listen_port
- type: integer
- title: Listen Port
- description: The port number the listener binds to.
- multi: false
- required: true
- show_user: true
- default: 9565
- - name: url
- type: text
- title: URL
- description: This option specifies which URL path to accept requests on. Defaults to /.
- multi: false
- required: false
- show_user: false
- default: /
- - name: tags
- type: text
- title: Tags
- multi: true
- required: true
- show_user: false
- default:
- - forwarded
- - cloudflare_logpush_network_analytics
- - name: preserve_original_event
- required: true
- show_user: true
- title: Preserve original event
- description: Preserves a raw copy of the original event, added to the field `event.original`.
- type: bool
- multi: false
- default: false
- - name: preserve_duplicate_custom_fields
- required: true
- show_user: true
- title: Preserve duplicate custom fields
- description: Preserve custom fields for all ECS mappings.
- type: bool
- multi: false
- default: false
- - name: processors
- type: yaml
- title: Processors
- multi: false
- required: false
- show_user: false
- description: >-
- Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
- - input: aws-s3
- title: Network Analytics logs via S3 or SQS
- description: Collect Network Analytics logs from Cloudflare.
- template_path: aws-s3.yml.hbs
- vars:
- - name: bucket_list_prefix
- type: text
- title: '[S3] Bucket Prefix'
- multi: false
- required: false
- show_user: true
- default: network_analytics_logs
- description: Prefix to apply for the list request to the S3 bucket.
- - name: interval
- type: text
- title: '[S3] Interval'
- multi: false
- required: false
- show_user: true
- default: 1m
- description: Time interval for polling listing of the S3 bucket. NOTE:- Supported units for this parameter are h/m/s.
- - name: number_of_workers
- type: integer
- title: '[S3] Number of Workers'
- multi: false
- required: false
- show_user: true
- default: 5
- description: Number of workers that will process the S3 objects listed.
- - name: visibility_timeout
- type: text
- title: '[SQS] Visibility Timeout'
- multi: false
- required: false
- show_user: true
- default: 300s
- description: The duration that the received messages are hidden from subsequent retrieve requests after being retrieved by a ReceiveMessage request. The maximum is 12 hours.
- - name: api_timeout
- type: text
- title: '[SQS] API Timeout'
- multi: false
- required: false
- show_user: true
- default: 120s
- description: The maximum duration of AWS API can take. The maximum is half of the visibility timeout value.
- - name: max_number_of_messages
- type: integer
- title: '[SQS] Maximum Concurrent SQS Messages'
- required: false
- show_user: true
- default: 5
- description: The maximum number of SQS messages that can be inflight at any time.
- - name: file_selectors
- type: yaml
- title: '[SQS] File Selectors'
- multi: false
- required: false
- show_user: false
- default: |
- - regex: 'network_analytics_logs/'
- description: If the SQS queue will have events that correspond to files that this integration shouldn’t process, file_selectors can be used to limit the files that are downloaded. This is a list of selectors which are made up of regex and expand_event_list_from_field options. The regex should match the S3 object key in the SQS message, and the optional expand_event_list_from_field is the same as the global setting. If file_selectors is given, then any global expand_event_list_from_field value is ignored in favor of the ones specified in the file_selectors. Regexes use [RE2 syntax](https://pkg.go.dev/regexp/syntax). Files that don’t match one of the regexes will not be processed.
- - name: tags
- type: text
- title: Tags
- multi: true
- required: true
- show_user: false
- default:
- - forwarded
- - cloudflare_logpush_network_analytics
- - name: preserve_original_event
- required: true
- show_user: true
- title: Preserve original event
- description: Preserves a raw copy of the original event, added to the field `event.original`.
- type: bool
- multi: false
- default: false
- - name: preserve_duplicate_custom_fields
- required: true
- show_user: true
- title: Preserve duplicate custom fields
- description: Preserve custom fields for all ECS mappings.
- type: bool
- multi: false
- default: false
- - name: processors
- type: yaml
- title: Processors
- multi: false
- required: false
- show_user: false
- description: >-
- Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
diff --git a/packages/cloudflare_logpush/0.2.0/data_stream/network_analytics/sample_event.json b/packages/cloudflare_logpush/0.2.0/data_stream/network_analytics/sample_event.json
deleted file mode 100755
index 28058d565a..0000000000
--- a/packages/cloudflare_logpush/0.2.0/data_stream/network_analytics/sample_event.json
+++ /dev/null
@@ -1,234 +0,0 @@ -{ - "@timestamp": "2021-07-27T00:01:07.000Z", - "agent": { - "ephemeral_id": "a59f9c29-2b33-4505-be1c-b7bc89c786a7", - "hostname": "docker-fleet-agent", - "id": "8539930e-8f7a-48ac-af3e-7f098b7d6ea2", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "7.17.0" - }, - "cloudflare_logpush": { - "network_analytics": { - "attack": { - "campaign": { - "id": "xyz987" - }, - "id": "abc777" - }, - "colo": { - "country": "AD", - "geo_hash": "gbuun", - "geo_location": "gbuun", - "id": 46, - "name": "SJC" - }, - "destination": { - "as": { - "number": { - "description": "asn description" - } - }, - "asn": 1900, - "country": "AD", - "geo_hash": "gbuun", - "geo_location": "gbuun", - "ip": "175.16.199.0", - "port": 0 - }, - "direction": "ingress", - "gre": { - "checksum": 10, - "ether": { - "type": 10 - }, - "header": { - "length": 1024 - }, - "key": 10, - "sequence": { - "number": 10 - }, - "version": 10 - }, - "icmp": { - "checksum": 10, - "code": 10, - "type": 10 - }, - "ip": { - "destination": { - "subnet": "/24" - }, - "fragment": { - "offset": 1480 - }, - "header": { - "length": 20 - }, - "more": { - "fragments": 1480 - }, - "protocol": { - "name": "tcp", - "value": 6 - }, - "source": { - "subnet": "/24" - }, - "total": { - "length": { - "buckets": 10, - "value": 1024 - } - }, - "ttl": { - "buckets": 2, - "value": 240 - } - }, - "ipv4": { - "checksum": 0, - "dont_fragment": 0, - "dscp": 46, - "ecn": 1, - "identification": 1, - "options": 1 - }, - "ipv6": { - "dscp": 46, - "ecn": 1, - "extension_headers": "header", - "flow_label": 1, - "identification": 1 - }, - "mitigation": { - "reason": "BLOCKED", - "scope": "local", - "system": "flowtrackd" - }, - "outcome": "success", - "protocol_state": "OPEN", - "rule": { - "id": "rule1", - "set": { - "id": "3b64149bfa6e4220bbbc2bd6db589552", - "override": { - "id": "id1" - } - } - }, - "sample_interval": 1, - "source": { - "as": { - "number": { - "description": "Source ASN Description" - } - }, - 
"asn": 1500, - "country": "AD", - "geo_hash": "gbuun", - "geo_location": "gbuun", - "ip": "67.43.156.0", - "port": 0 - }, - "tcp": { - "acknowledgement_number": 1000, - "checksum": 10, - "dataoffset": 0, - "flags": { - "string": "Human-readable flags string", - "value": 1 - }, - "mss": 512, - "options": "mss", - "sack": { - "blocks": 1, - "permitted": 1 - }, - "sequence_number": 100, - "timestamp": { - "ecr": 100, - "value": 100 - }, - "urgent_pointer": 10, - "window": { - "scale": 10, - "size": 10 - } - }, - "timestamp": "2021-07-27T00:01:07.000Z", - "udp": { - "checksum": 10, - "payload_length": 10 - }, - "verdict": "pass" - } - }, - "data_stream": { - "dataset": "cloudflare_logpush.network_analytics", - "namespace": "ep", - "type": "logs" - }, - "destination": { - "as": { - "number": 1900 - }, - "ip": "175.16.199.0", - "port": 0 - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "8539930e-8f7a-48ac-af3e-7f098b7d6ea2", - "snapshot": false, - "version": "7.17.0" - }, - "event": { - "agent_id_status": "verified", - "category": [ - "network" - ], - "dataset": "cloudflare_logpush.network_analytics", - "ingested": "2022-09-01T10:10:02Z", - "kind": "event", - "original": "{\"AttackCampaignID\":\"xyz987\",\"AttackID\":\"abc777\",\"ColoCountry\":\"AD\",\"ColoGeoHash\":\"gbuun\",\"ColoID\":46,\"ColoName\":\"SJC\",\"Datetime\":\"2021-07-27T00:01:07Z\",\"DestinationASN\":1900,\"DestinationASNDescription\":\"asn 
description\",\"DestinationCountry\":\"AD\",\"DestinationGeoHash\":\"gbuun\",\"DestinationPort\":0,\"Direction\":\"ingress\",\"GREChecksum\":10,\"GREEthertype\":10,\"GREHeaderLength\":1024,\"GREKey\":10,\"GRESequenceNumber\":10,\"GREVersion\":10,\"ICMPChecksum\":10,\"ICMPCode\":10,\"ICMPType\":10,\"IPDestinationAddress\":\"175.16.199.0\",\"IPDestinationSubnet\":\"/24\",\"IPFragmentOffset\":1480,\"IPHeaderLength\":20,\"IPMoreFragments\":1480,\"IPProtocol\":6,\"IPProtocolName\":\"tcp\",\"IPSourceAddress\":\"67.43.156.0\",\"IPSourceSubnet\":\"/24\",\"IPTotalLength\":1024,\"IPTotalLengthBuckets\":10,\"IPTtl\":240,\"IPTtlBuckets\":2,\"IPv4Checksum\":0,\"IPv4DontFragment\":0,\"IPv4Dscp\":46,\"IPv4Ecn\":1,\"IPv4Identification\":1,\"IPv4Options\":1,\"IPv6Dscp\":46,\"IPv6Ecn\":1,\"IPv6ExtensionHeaders\":\"header\",\"IPv6FlowLabel\":1,\"IPv6Identification\":1,\"MitigationReason\":\"BLOCKED\",\"MitigationScope\":\"local\",\"MitigationSystem\":\"flowtrackd\",\"Outcome\":\"pass\",\"ProtocolState\":\"OPEN\",\"RuleID\":\"rule1\",\"RulesetID\":\"3b64149bfa6e4220bbbc2bd6db589552\",\"RulesetOverrideID\":\"id1\",\"SampleInterval\":1,\"SourceASN\":1500,\"SourceASNDescription\":\"Source ASN Description\",\"SourceCountry\":\"AD\",\"SourceGeoHash\":\"gbuun\",\"SourcePort\":0,\"TCPAcknowledgementNumber\":1000,\"TCPChecksum\":10,\"TCPDataOffset\":0,\"TCPFlags\":1,\"TCPFlagsString\":\"Human-readable flags string\",\"TCPMss\":512,\"TCPOptions\":\"mss\",\"TCPSackBlocks\":1,\"TCPSacksPermitted\":1,\"TCPSequenceNumber\":100,\"TCPTimestampEcr\":100,\"TCPTimestampValue\":100,\"TCPUrgentPointer\":10,\"TCPWindowScale\":10,\"TCPWindowSize\":10,\"UDPChecksum\":10,\"UDPPayloadLength\":10,\"Verdict\":\"pass\"}", - "outcome": "success", - "type": [ - "info" - ] - }, - "input": { - "type": "http_endpoint" - }, - "network": { - "direction": "ingress", - "transport": "tcp" - }, - "related": { - "hash": [ - "gbuun" - ], - "ip": [ - "67.43.156.0", - "175.16.199.0" - ] - }, - "rule": { - "id": "rule1" - }, - 
"source": { - "as": { - "number": 1500 - }, - "ip": "67.43.156.0", - "port": 0 - }, - "tags": [ - "preserve_original_event", - "preserve_duplicate_custom_fields", - "forwarded", - "cloudflare_logpush_network_analytics" - ] -} \ No newline at end of file diff --git a/packages/cloudflare_logpush/0.2.0/data_stream/spectrum_event/agent/stream/aws-s3.yml.hbs b/packages/cloudflare_logpush/0.2.0/data_stream/spectrum_event/agent/stream/aws-s3.yml.hbs deleted file mode 100755 index 6029a860d9..0000000000 --- a/packages/cloudflare_logpush/0.2.0/data_stream/spectrum_event/agent/stream/aws-s3.yml.hbs +++ /dev/null 
@@ -1,88 +0,0 @@
-{{#if collect_s3_logs}}
-
-{{#if bucket_arn}}
-bucket_arn: {{bucket_arn}}
-{{/if}}
-{{#if number_of_workers}}
-number_of_workers: {{number_of_workers}}
-{{/if}}
-{{#if interval}}
-bucket_list_interval: {{interval}}
-{{/if}}
-{{#if bucket_list_prefix}}
-bucket_list_prefix: {{bucket_list_prefix}}
-{{/if}}
-
-{{else}}
-
-{{#if queue_url}}
-queue_url: {{queue_url}}
-{{/if}}
-{{#if visibility_timeout}}
-visibility_timeout: {{visibility_timeout}}
-{{/if}}
-{{#if api_timeout}}
-api_timeout: {{api_timeout}}
-{{/if}}
-{{#if max_number_of_messages}}
-max_number_of_messages: {{max_number_of_messages}}
-{{/if}}
-{{#if file_selectors}}
-file_selectors:
-{{file_selectors}}
-{{/if}}
-
-{{/if}}
-
-{{#if access_key_id}}
-access_key_id: {{access_key_id}}
-{{/if}}
-{{#if secret_access_key}}
-secret_access_key: {{secret_access_key}}
-{{/if}}
-{{#if session_token}}
-session_token: {{session_token}}
-{{/if}}
-{{#if shared_credential_file}}
-shared_credential_file: {{shared_credential_file}}
-{{/if}}
-{{#if credential_profile_name}}
-credential_profile_name: {{credential_profile_name}}
-{{/if}}
-{{#if role_arn}}
-role_arn: {{role_arn}}
-{{/if}}
-{{#if endpoint}}
-endpoint: {{endpoint}}
-{{/if}}
-{{#if default_region}}
-default_region: {{default_region}}
-{{/if}}
-{{#if fips_enabled}}
-fips_enabled: {{fips_enabled}}
-{{/if}}
-{{#if proxy_url}}
-proxy_url: {{proxy_url}}
-{{/if}}
-tags:
-{{#if collect_s3_logs}}
- - collect_s3_logs
-{{else}}
- - collect_sqs_logs
-{{/if}}
-{{#if preserve_original_event}}
- - preserve_original_event
-{{/if}}
-{{#if preserve_duplicate_custom_fields}}
- - preserve_duplicate_custom_fields
-{{/if}}
-{{#each tags as |tag|}}
- - {{tag}}
-{{/each}}
-{{#contains "forwarded" tags}}
-publisher_pipeline.disable_host: true
-{{/contains}}
-{{#if processors}}
-processors:
-{{processors}}
-{{/if}}
diff --git a/packages/cloudflare_logpush/0.2.0/data_stream/spectrum_event/agent/stream/http_endpoint.yml.hbs b/packages/cloudflare_logpush/0.2.0/data_stream/spectrum_event/agent/stream/http_endpoint.yml.hbs
deleted file mode 100755
index 53229700cc..0000000000
--- a/packages/cloudflare_logpush/0.2.0/data_stream/spectrum_event/agent/stream/http_endpoint.yml.hbs
+++ /dev/null
@@ -1,36 +0,0 @@
-listen_address: {{listen_address}}
-listen_port: {{listen_port}}
-url: {{url}}
-content_type: ""
-{{#if secret_header}}
-secret.header: {{secret_header}}
-{{/if}}
-{{#if secret_value}}
-secret.value: {{secret_value}}
-{{/if}}
-{{#if preserve_original_event}}
-preserve_original_event: true
-{{/if}}
-{{#if preserve_duplicate_custom_fields}}
-preserve_duplicate_custom_fields: true
-{{/if}}
-tags:
-{{#if preserve_original_event}}
- - preserve_original_event
-{{/if}}
-{{#if preserve_duplicate_custom_fields}}
- - preserve_duplicate_custom_fields
-{{/if}}
-{{#each tags as |tag|}}
- - {{tag}}
-{{/each}}
-{{#contains "forwarded" tags}}
-publisher_pipeline.disable_host: true
-{{/contains}}
-{{#if ssl}}
-ssl: {{ssl}}
-{{/if}}
-{{#if processors}}
-processors:
-{{processors}}
-{{/if}}
diff --git a/packages/cloudflare_logpush/0.2.0/data_stream/spectrum_event/elasticsearch/ingest_pipeline/default.yml b/packages/cloudflare_logpush/0.2.0/data_stream/spectrum_event/elasticsearch/ingest_pipeline/default.yml
deleted file mode 100755
index 3ae34a0763..0000000000
--- a/packages/cloudflare_logpush/0.2.0/data_stream/spectrum_event/elasticsearch/ingest_pipeline/default.yml
+++ /dev/null
@@ -1,390 +0,0 @@ ---- -description: Pipeline for parsing Cloudflare Spectrum Event logs. -processors: - - set: - field: ecs.version - value: '8.2.0' - - rename: - field: message - target_field: event.original - ignore_missing: true - - json: - field: event.original - target_field: json - ignore_failure: true - - set: - field: event.category - value: [network] - - set: - field: event.kind - value: event - - set: - field: event.type - value: [info] - - date: - field: json.Timestamp - if: ctx.json?.Timestamp != null && ctx.json.Timestamp != '' - formats: - - ISO8601 - - uuuu-MM-dd'T'HH:mm:ssX - - uuuu-MM-dd'T'HH:mm:ss.SSSX - - yyyy-MM-dd'T'HH:mm:ssZ - - yyyy-MM-dd'T'HH:mm:ss.SSSZ - - UNIX_MS - timezone: UTC - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - set: - field: cloudflare_logpush.spectrum_event.timestamp - copy_from: '@timestamp' - ignore_failure: true - - date: - field: json.ConnectTimestamp - if: ctx.json?.ConnectTimestamp != null && ctx.json.ConnectTimestamp != '' - formats: - - ISO8601 - - uuuu-MM-dd'T'HH:mm:ssX - - uuuu-MM-dd'T'HH:mm:ss.SSSX - - yyyy-MM-dd'T'HH:mm:ssZ - - yyyy-MM-dd'T'HH:mm:ss.SSSZ - - UNIX_MS - timezone: UTC - target_field: cloudflare_logpush.spectrum_event.connect.time - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - set: - field: event.start - copy_from: cloudflare_logpush.spectrum_event.connect.time - ignore_failure: true - - date: - field: json.DisconnectTimestamp - if: ctx.json?.DisconnectTimestamp != null && ctx.json.DisconnectTimestamp != '' - formats: - - ISO8601 - - uuuu-MM-dd'T'HH:mm:ssX - - uuuu-MM-dd'T'HH:mm:ss.SSSX - - yyyy-MM-dd'T'HH:mm:ssZ - - yyyy-MM-dd'T'HH:mm:ss.SSSZ - - UNIX_MS - timezone: UTC - target_field: cloudflare_logpush.spectrum_event.disconnect.time - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - set: - field: event.end - copy_from: 
cloudflare_logpush.spectrum_event.disconnect.time - ignore_failure: true - - rename: - field: json.Event - target_field: cloudflare_logpush.spectrum_event.action - ignore_missing: true - - set: - field: event.action - copy_from: cloudflare_logpush.spectrum_event.action - ignore_failure: true - - lowercase: - field: event.action - ignore_missing: true - - convert: - field: json.OriginBytes - target_field: cloudflare_logpush.spectrum_event.origin.bytes - if: ctx.json?.OriginBytes != '' - type: long - ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - set: - field: destination.bytes - copy_from: cloudflare_logpush.spectrum_event.origin.bytes - ignore_failure: true - - convert: - field: json.OriginIP - target_field: cloudflare_logpush.spectrum_event.origin.ip - if: ctx.json?.OriginIP != '' - type: ip - ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - set: - field: destination.ip - copy_from: cloudflare_logpush.spectrum_event.origin.ip - ignore_failure: true - - convert: - field: json.OriginPort - target_field: cloudflare_logpush.spectrum_event.origin.port - if: ctx.json?.OriginPort != '' - type: long - ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - set: - field: destination.port - copy_from: cloudflare_logpush.spectrum_event.origin.port - ignore_failure: true - - rename: - field: json.Application - target_field: cloudflare_logpush.spectrum_event.application - ignore_missing: true - - set: - field: event.id - copy_from: cloudflare_logpush.spectrum_event.application - ignore_failure: true - - convert: - field: json.Status - target_field: cloudflare_logpush.spectrum_event.status - if: ctx.json?.Status != '' - type: long - ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - set: - field: 
http.response.status_code - copy_from: cloudflare_logpush.spectrum_event.status - ignore_failure: true - - convert: - field: json.ClientAsn - target_field: cloudflare_logpush.spectrum_event.client.asn - if: ctx.json?.ClientAsn != '' - type: long - ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - set: - field: source.as.number - copy_from: cloudflare_logpush.spectrum_event.client.asn - ignore_failure: true - - convert: - field: json.ClientBytes - target_field: cloudflare_logpush.spectrum_event.client.bytes - if: ctx.json?.ClientBytes != '' - type: long - ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - set: - field: source.bytes - copy_from: cloudflare_logpush.spectrum_event.client.bytes - ignore_failure: true - - rename: - field: json.ClientCountry - target_field: cloudflare_logpush.spectrum_event.client.country - ignore_missing: true - - set: - field: source.geo.country_iso_code - copy_from: cloudflare_logpush.spectrum_event.client.country - ignore_failure: true - - convert: - field: json.ClientIP - target_field: cloudflare_logpush.spectrum_event.client.ip - if: ctx.json?.ClientIP != '' - type: ip - ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - set: - field: source.ip - copy_from: cloudflare_logpush.spectrum_event.client.ip - ignore_failure: true - - convert: - field: json.ClientPort - target_field: cloudflare_logpush.spectrum_event.client.port - if: ctx.json?.ClientPort != '' - type: long - ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - set: - field: source.port - copy_from: cloudflare_logpush.spectrum_event.client.port - ignore_failure: true - - rename: - field: json.ClientMatchedIpFirewall - target_field: cloudflare_logpush.spectrum_event.client.matched_ip_firewall - ignore_missing: 
true - - rename: - field: json.ClientProto - target_field: cloudflare_logpush.spectrum_event.client.protocol - ignore_missing: true - - set: - field: network.transport - copy_from: cloudflare_logpush.spectrum_event.client.protocol - ignore_failure: true - - lowercase: - field: network.transport - ignore_missing: true - - convert: - field: json.ClientTcpRtt - target_field: cloudflare_logpush.spectrum_event.client.tcp_rtt - if: ctx.json?.ClientTcpRtt != '' - type: long - ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - rename: - field: json.ClientTlsCipher - target_field: cloudflare_logpush.spectrum_event.client.tls.cipher - ignore_missing: true - - rename: - field: json.ClientTlsClientHelloServerName - target_field: cloudflare_logpush.spectrum_event.client.tls.client_hello_server_name - ignore_missing: true - - rename: - field: json.ClientTlsProtocol - target_field: cloudflare_logpush.spectrum_event.client.tls.protocol - ignore_missing: true - - grok: - if: ctx.json?.cloudflare_logpush?.spectrum_event?.client?.tls?.protocol != 'none' || ctx.json?.cloudflare_logpush?.spectrum_event?.client?.tls?.protocol != 'unknown' - field: cloudflare_logpush.spectrum_event.client.tls.protocol - patterns: - - "^%{DATA:tls.version_protocol}v%{DATA:tls.version}$" - ignore_failure: true - - lowercase: - field: tls.version_protocol - ignore_missing: true - - rename: - field: json.ClientTlsStatus - target_field: cloudflare_logpush.spectrum_event.client.tls.status - ignore_missing: true - - rename: - field: json.ColoCode - target_field: cloudflare_logpush.spectrum_event.colo.code - ignore_missing: true - - rename: - field: json.IpFirewall - target_field: cloudflare_logpush.spectrum_event.ip_firewall - ignore_missing: true - - rename: - field: json.OriginProto - target_field: cloudflare_logpush.spectrum_event.origin.protocol - ignore_missing: true - - convert: - field: json.OriginTcpRtt - target_field: 
cloudflare_logpush.spectrum_event.origin.tcp_rtt - if: ctx.json?.OriginTcpRtt != '' - type: long - ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - rename: - field: json.OriginTlsCipher - target_field: cloudflare_logpush.spectrum_event.origin.tls.cipher - ignore_missing: true - - rename: - field: json.OriginTlsFingerprint - target_field: cloudflare_logpush.spectrum_event.origin.tls.fingerprint - ignore_missing: true - - rename: - field: json.OriginTlsMode - target_field: cloudflare_logpush.spectrum_event.origin.tls.mode - ignore_missing: true - - rename: - field: json.OriginTlsProtocol - target_field: cloudflare_logpush.spectrum_event.origin.tls.protocol - ignore_missing: true - - rename: - field: json.OriginTlsStatus - target_field: cloudflare_logpush.spectrum_event.origin.tls.status - ignore_failure: true - - rename: - field: json.ProxyProtocol - target_field: cloudflare_logpush.spectrum_event.proxy.protocol - ignore_missing: true - - append: - field: related.ip - value: '{{{source.ip}}}' - if: ctx.source?.ip != null - allow_duplicates: false - ignore_failure: true - - append: - field: related.ip - value: '{{{cloudflare_logpush.spectrum_event.client.ip}}}' - if: ctx.cloudflare_logpush?.spectrum_event?.client?.ip != null - allow_duplicates: false - ignore_failure: true - - append: - field: related.ip - value: '{{{destination.ip}}}' - if: ctx.destination?.ip != null - allow_duplicates: false - ignore_failure: true - - append: - field: related.ip - value: '{{{cloudflare_logpush.spectrum_event.origin.ip}}}' - if: ctx.cloudflare_logpush?.spectrum_event?.origin?.ip != null - allow_duplicates: false - ignore_failure: true - - community_id: - target_field: network.community_id - ignore_failure: true - - remove: - field: json - ignore_missing: true - - remove: - field: - - cloudflare_logpush.spectrum_event.timestamp - - cloudflare_logpush.spectrum_event.origin.bytes - - 
cloudflare_logpush.spectrum_event.origin.ip - - cloudflare_logpush.spectrum_event.origin.port - - cloudflare_logpush.spectrum_event.application - - cloudflare_logpush.spectrum_event.event_action - - cloudflare_logpush.spectrum_event.status - - cloudflare_logpush.spectrum_event.client.asn - - cloudflare_logpush.spectrum_event.client.bytes - - cloudflare_logpush.spectrum_event.client.country - - cloudflare_logpush.spectrum_event.client.ip - - cloudflare_logpush.spectrum_event.client.port - if: ctx.tags == null || !(ctx.tags.contains('preserve_duplicate_custom_fields')) - ignore_failure: true - ignore_missing: true - - remove: - field: event.original - if: ctx.tags == null || !(ctx.tags.contains('preserve_original_event')) - ignore_failure: true - ignore_missing: true - - script: - description: Drops null/empty values recursively. - lang: painless - source: - boolean dropEmptyFields(Object object) { - if (object == null || object == "") { - return true; - } else if (object instanceof Map) { - ((Map) object).values().removeIf(value -> dropEmptyFields(value)); - return (((Map) object).size() == 0); - } else if (object instanceof List) { - ((List) object).removeIf(value -> dropEmptyFields(value)); - return (((List) object).length == 0); - } - return false; - } - dropEmptyFields(ctx); -on_failure: -- append: - field: error.message - value: '{{{ _ingest.on_failure_message }}}' diff --git a/packages/cloudflare_logpush/0.2.0/data_stream/spectrum_event/fields/agent.yml b/packages/cloudflare_logpush/0.2.0/data_stream/spectrum_event/fields/agent.yml deleted file mode 100755 index 73e076a93b..0000000000 --- a/packages/cloudflare_logpush/0.2.0/data_stream/spectrum_event/fields/agent.yml +++ /dev/null 
@@ -1,186 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization ID used to identify different entities in a multi-tenant environment. Examples: AWS account ID, Google Cloud ORG ID, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container ID. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host ID. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host IP addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - -- name: input.type - type: keyword - description: Input type -- name: log.offset - type: long - description: Log offset 
diff --git a/packages/cloudflare_logpush/0.2.0/data_stream/spectrum_event/fields/base-fields.yml b/packages/cloudflare_logpush/0.2.0/data_stream/spectrum_event/fields/base-fields.yml deleted file mode 100755 index 135b81f388..0000000000 --- a/packages/cloudflare_logpush/0.2.0/data_stream/spectrum_event/fields/base-fields.yml +++ /dev/null @@ -1,20 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: '@timestamp' - type: date - description: Event timestamp. -- name: event.dataset - type: constant_keyword - description: Event dataset. - value: cloudflare_logpush.spectrum_event -- name: event.module - type: constant_keyword - description: Event module. - value: cloudflare_logpush diff --git a/packages/cloudflare_logpush/0.2.0/data_stream/spectrum_event/fields/ecs.yml b/packages/cloudflare_logpush/0.2.0/data_stream/spectrum_event/fields/ecs.yml deleted file mode 100755 index 70a2286be9..0000000000 --- a/packages/cloudflare_logpush/0.2.0/data_stream/spectrum_event/fields/ecs.yml +++ /dev/null 
@@ -1,108 +0,0 @@ -- description: Bytes sent from the destination to the source. - name: destination.bytes - type: long -- description: IP address of the destination (IPv4 or IPv6). - name: destination.ip - type: ip -- description: Port of the destination. - name: destination.port - type: long -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: |- - The action captured by the event. - This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. - name: event.action - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. This will allow proper categorization of some events that fall in multiple categories. - name: event.category - normalize: - - array - type: keyword -- description: |- - event.created contains the date/time when the event was first read by an agent, or by your pipeline. - This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. - In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. 
This can be used to monitor your agent's or pipeline's ability to keep up with your event source. - In case the two timestamps are identical, @timestamp should be used. - name: event.created - type: date -- description: event.end contains the date when the event ended or when the activity was last observed. - name: event.end - type: date -- description: Unique ID to describe the event. - name: event.id - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: |- - Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. - This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. - doc_values: false - index: false - name: event.original - type: keyword -- description: event.start contains the date when the event started or when the activity was first observed. - name: event.start - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. 
- `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. This will allow proper categorization of some events that fall in multiple event types. - name: event.type - normalize: - - array - type: keyword -- description: HTTP response status code. - name: http.response.status_code - type: long -- description: |- - A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. - Learn more at https://github.com/corelight/community-id-spec. - name: network.community_id - type: keyword -- description: |- - Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) - The field value must be normalized to lowercase for querying. - name: network.transport - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - normalize: - - array - type: ip -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: source.as.number - type: long -- description: Bytes sent from the source to the destination. - name: source.bytes - type: long -- description: Country ISO code. - name: source.geo.country_iso_code - type: keyword -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: Port of the source. - name: source.port - type: long -- description: List of keywords used to tag each event. - name: tags - normalize: - - array - type: keyword -- description: Numeric part of the version parsed from the original string. - name: tls.version - type: keyword -- description: Normalized lowercase protocol name parsed from original string. - name: tls.version_protocol - type: keyword 
diff --git a/packages/cloudflare_logpush/0.2.0/data_stream/spectrum_event/fields/fields.yml b/packages/cloudflare_logpush/0.2.0/data_stream/spectrum_event/fields/fields.yml deleted file mode 100755 index ffb46304b8..0000000000 --- a/packages/cloudflare_logpush/0.2.0/data_stream/spectrum_event/fields/fields.yml +++ /dev/null 
@@ -1,123 +0,0 @@ -- name: cloudflare_logpush.spectrum_event - type: group - fields: - - name: application - type: keyword - description: The unique public ID of the application on which the event occurred. - - name: client - type: group - fields: - - name: asn - type: long - description: Client AS number. - - name: bytes - type: long - description: The number of bytes read from the client by the Spectrum service. - - name: country - type: keyword - description: Country of the client IP address. - - name: ip - type: ip - description: Client IP address. - - name: matched_ip_firewall - type: keyword - description: Whether the connection matched any IP Firewall rules. - - name: port - type: long - description: Client port. - - name: protocol - type: keyword - description: Transport protocol used by client. - - name: tcp_rtt - type: long - description: The TCP round-trip time in nanoseconds between the client and Spectrum. - - name: tls - type: group - fields: - - name: cipher - type: keyword - description: The cipher negotiated between the client and Spectrum. - - name: client_hello_server_name - type: keyword - description: The server name in the Client Hello message from client to Spectrum. - - name: protocol - type: keyword - description: The TLS version negotiated between the client and Spectrum. - - name: status - type: keyword - description: Indicates state of TLS session from the client to Spectrum. - - name: colo - type: group - fields: - - name: code - type: keyword - description: IATA airport code of data center that received the request. - - name: connect - type: group - fields: - - name: time - type: date - description: Timestamp at which both legs of the connection (client/edge, edge/origin or nexthop) were established. - - name: disconnect - type: group - fields: - - name: time - type: date - description: Timestamp at which the connection was closed. - - name: action - type: keyword - description: Event Action. 
- - name: ip_firewall - type: boolean - description: Whether IP Firewall was enabled at time of connection. - - name: origin - type: group - fields: - - name: bytes - type: long - description: The number of bytes read from the origin by Spectrum. - - name: ip - type: ip - description: Origin IP address. - - name: port - type: long - description: Origin Port. - - name: protocol - type: keyword - description: Transport protocol used by origin. - - name: tcp_rtt - type: long - description: The TCP round-trip time in nanoseconds between Spectrum and the origin. - - name: tls - type: group - fields: - - name: cipher - type: keyword - description: The cipher negotiated between Spectrum and the origin. - - name: fingerprint - type: keyword - description: SHA256 hash of origin certificate. - - name: mode - type: keyword - description: If and how the upstream connection is encrypted. - - name: protocol - type: keyword - description: The TLS version negotiated between Spectrum and the origin. - - name: status - type: keyword - description: The state of the TLS session from Spectrum to the origin. - - name: proxy - type: group - fields: - - name: protocol - type: keyword - description: Which form of proxy protocol is applied to the given connection. - - name: status - type: long - description: A code indicating reason for connection closure. - - name: timestamp - type: date - description: Timestamp at which the event took place. -- name: log.source.address - type: keyword - description: Source address from which the log event was read / sent from.
diff --git a/packages/cloudflare_logpush/0.2.0/data_stream/spectrum_event/manifest.yml b/packages/cloudflare_logpush/0.2.0/data_stream/spectrum_event/manifest.yml
deleted file mode 100755
index cec95a6319..0000000000
--- a/packages/cloudflare_logpush/0.2.0/data_stream/spectrum_event/manifest.yml
+++ /dev/null
@@ -1,151 +0,0 @@ -title: Collect Spectrum Event logs from Cloudflare -type: logs -streams: - - input: http_endpoint - template_path: http_endpoint.yml.hbs - title: Spectrum Event Logs - description: Collect Spectrum Event logs from Cloudflare. - vars: - - name: listen_port - type: integer - title: Listen Port - description: The port number the listener binds to. - multi: false - required: true - show_user: true - default: 9566 - - name: url - type: text - title: URL - description: This option specifies which URL path to accept requests on. Defaults to /. - multi: false - required: false - show_user: false - default: / - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: false - default: - - forwarded - - cloudflare_logpush_spectrum_event - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original`. - type: bool - multi: false - default: false - - name: preserve_duplicate_custom_fields - required: true - show_user: true - title: Preserve duplicate custom fields - description: Preserve custom fields for all ECS mappings. - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: >- - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. - - input: aws-s3 - title: Spectrum Event Logs via S3 or SQS - description: Collect Spectrum Event logs from Cloudflare. 
- template_path: aws-s3.yml.hbs - vars: - - name: bucket_list_prefix - type: text - title: '[S3] Bucket Prefix' - multi: false - required: false - show_user: true - default: spectrum_event - description: Prefix to apply for the list request to the S3 bucket. - - name: interval - type: text - title: '[S3] Interval' - multi: false - required: false - show_user: true - default: 1m - description: Time interval for polling listing of the S3 bucket. NOTE:- Supported units for this parameter are h/m/s. - - name: number_of_workers - type: integer - title: '[S3] Number of Workers' - multi: false - required: false - show_user: true - default: 5 - description: Number of workers that will process the S3 objects listed. - - name: visibility_timeout - type: text - title: '[SQS] Visibility Timeout' - multi: false - required: false - show_user: true - default: 300s - description: The duration that the received messages are hidden from subsequent retrieve requests after being retrieved by a ReceiveMessage request. The maximum is 12 hours. - - name: api_timeout - type: text - title: '[SQS] API Timeout' - multi: false - required: false - show_user: true - default: 120s - description: The maximum duration of AWS API can take. The maximum is half of the visibility timeout value. - - name: max_number_of_messages - type: integer - title: '[SQS] Maximum Concurrent SQS Messages' - required: false - show_user: true - default: 5 - description: The maximum number of SQS messages that can be inflight at any time. - - name: file_selectors - type: yaml - title: '[SQS] File Selectors' - multi: false - required: false - show_user: false - default: | - - regex: 'spectrum_event/' - description: If the SQS queue will have events that correspond to files that this integration shouldn’t process, file_selectors can be used to limit the files that are downloaded. This is a list of selectors which are made up of regex and expand_event_list_from_field options. 
The regex should match the S3 object key in the SQS message, and the optional expand_event_list_from_field is the same as the global setting. If file_selectors is given, then any global expand_event_list_from_field value is ignored in favor of the ones specified in the file_selectors. Regexes use [RE2 syntax](https://pkg.go.dev/regexp/syntax). Files that don’t match one of the regexes will not be processed. - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: false - default: - - forwarded - - cloudflare_logpush_spectrum_event - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original`. - type: bool - multi: false - default: false - - name: preserve_duplicate_custom_fields - required: true - show_user: true - title: Preserve duplicate custom fields - description: Preserve custom fields for all ECS mappings. - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: >- - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
diff --git a/packages/cloudflare_logpush/0.2.0/data_stream/spectrum_event/sample_event.json b/packages/cloudflare_logpush/0.2.0/data_stream/spectrum_event/sample_event.json
deleted file mode 100755
index 4a5d3a43ef..0000000000
--- a/packages/cloudflare_logpush/0.2.0/data_stream/spectrum_event/sample_event.json
+++ /dev/null
@@ -1,132 +0,0 @@ -{ - "@timestamp": "2022-05-26T09:24:00.000Z", - "agent": { - "ephemeral_id": "34cad43e-ef45-4868-8da8-6e602991ef1a", - "hostname": "docker-fleet-agent", - "id": "8539930e-8f7a-48ac-af3e-7f098b7d6ea2", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "7.17.0" - }, - "cloudflare_logpush": { - "spectrum_event": { - "action": "connect", - "application": "7ef659a2f8ef4810a9bade96fdad7c75", - "client": { - "asn": 200391, - "bytes": 0, - "country": "bg", - "ip": "67.43.156.0", - "matched_ip_firewall": "UNKNOWN", - "port": 40456, - "protocol": "tcp", - "tcp_rtt": 0, - "tls": { - "cipher": "UNK", - "client_hello_server_name": "server name", - "protocol": "unknown", - "status": "UNKNOWN" - } - }, - "colo": { - "code": "SOF" - }, - "connect": { - "time": "2022-05-26T09:24:00.000Z" - }, - "disconnect": { - "time": "1970-01-01T00:00:00.000Z" - }, - "ip_firewall": false, - "origin": { - "bytes": 0, - "ip": "175.16.199.0", - "port": 3389, - "protocol": "tcp", - "tcp_rtt": 0, - "tls": { - "cipher": "UNK", - "fingerprint": "0000000000000000000000000000000000000000000000000000000000000000.", - "mode": "off", - "protocol": "unknown", - "status": "UNKNOWN" - } - }, - "proxy": { - "protocol": "off" - }, - "status": 0, - "timestamp": "2022-05-26T09:24:00.000Z" - } - }, - "data_stream": { - "dataset": "cloudflare_logpush.spectrum_event", - "namespace": "ep", - "type": "logs" - }, - "destination": { - "bytes": 0, - "ip": "175.16.199.0", - "port": 3389 - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "8539930e-8f7a-48ac-af3e-7f098b7d6ea2", - "snapshot": false, - "version": "7.17.0" - }, - "event": { - "action": "connect", - "agent_id_status": "verified", - "category": [ - "network" - ], - "dataset": "cloudflare_logpush.spectrum_event", - "end": "1970-01-01T00:00:00.000Z", - "id": "7ef659a2f8ef4810a9bade96fdad7c75", - "ingested": "2022-09-01T10:10:53Z", - "kind": "event", - "original": 
"{\"Application\":\"7ef659a2f8ef4810a9bade96fdad7c75\",\"ClientAsn\":200391,\"ClientBytes\":0,\"ClientCountry\":\"bg\",\"ClientIP\":\"67.43.156.0\",\"ClientMatchedIpFirewall\":\"UNKNOWN\",\"ClientPort\":40456,\"ClientProto\":\"tcp\",\"ClientTcpRtt\":0,\"ClientTlsCipher\":\"UNK\",\"ClientTlsClientHelloServerName\":\"server name\",\"ClientTlsProtocol\":\"unknown\",\"ClientTlsStatus\":\"UNKNOWN\",\"ColoCode\":\"SOF\",\"ConnectTimestamp\":\"2022-05-26T09:24:00Z\",\"DisconnectTimestamp\":\"1970-01-01T00:00:00Z\",\"Event\":\"connect\",\"IpFirewall\":false,\"OriginBytes\":0,\"OriginIP\":\"175.16.199.0\",\"OriginPort\":3389,\"OriginProto\":\"tcp\",\"OriginTcpRtt\":0,\"OriginTlsCipher\":\"UNK\",\"OriginTlsFingerprint\":\"0000000000000000000000000000000000000000000000000000000000000000.\",\"OriginTlsMode\":\"off\",\"OriginTlsProtocol\":\"unknown\",\"OriginTlsStatus\":\"UNKNOWN\",\"ProxyProtocol\":\"off\",\"Status\":0,\"Timestamp\":\"2022-05-26T09:24:00Z\"}", - "start": "2022-05-26T09:24:00.000Z", - "type": [ - "info" - ] - }, - "http": { - "response": { - "status_code": 0 - } - }, - "input": { - "type": "http_endpoint" - }, - "network": { - "community_id": "1:X7lywUVKlduqRq5SyCRaBj4hLP0=", - "transport": "tcp" - }, - "related": { - "ip": [ - "67.43.156.0", - "175.16.199.0" - ] - }, - "source": { - "as": { - "number": 200391 - }, - "bytes": 0, - "geo": { - "country_iso_code": "bg" - }, - "ip": "67.43.156.0", - "port": 40456 - }, - "tags": [ - "preserve_original_event", - "preserve_duplicate_custom_fields", - "forwarded", - "cloudflare_logpush_spectrum_event" - ] -} \ No newline at end of file diff --git a/packages/cloudflare_logpush/0.2.0/docs/README.md b/packages/cloudflare_logpush/0.2.0/docs/README.md deleted file mode 100755 index 6432c30c12..0000000000 --- a/packages/cloudflare_logpush/0.2.0/docs/README.md +++ /dev/null 
@@ -1,1942 +0,0 @@ -# Cloudflare Logpush - -## Overview - -The [Cloudflare Logpush](https://www.cloudflare.com/) integration allows you to monitor Audit, DNS, Firewall Event, HTTP Request, NEL Report, Network Analytics and Spectrum Event Logs. Cloudflare is a content delivery network and DDoS mitigation company. Cloudflare provides a network designed to make everything you connect to the Internet secure, private, fast, and reliable; secure your websites, APIs, and Internet applications; protect corporate networks, employees, and devices; and write and deploy code that runs on the network edge. - -The Cloudflare Logpush integration can be used in three different modes to collect data: -- HTTP Endpoint mode - Cloudflare pushes logs directly to an HTTP endpoint hosted by your Elastic Agent. -- AWS S3 polling mode - Cloudflare writes data to S3 and Elastic Agent polls the S3 bucket by listing its contents and reading new files. -- AWS S3 SQS mode - Cloudflare writes data to S3, S3 pushes a new object notification to SQS, Elastic Agent receives the notification from SQS, and then reads the S3 object. Multiple Agents can be used in this mode. - -For example, you could use the data from this integration to know which websites have the highest traffic, which areas have the highest network traffic, or observe mitigation statistics. - -## Data streams - -The Cloudflare Logpush integration collects logs for seven types of events: Audit, DNS, Firewall Event, HTTP Request, NEL Report, Network Analytics, and Spectrum Event. - -**Audit**: See Example Schema [here](https://developers.cloudflare.com/logs/reference/log-fields/account/audit_logs/). - -**DNS**: See Example Schema [here](https://developers.cloudflare.com/logs/reference/log-fields/zone/dns_logs/). - -**Firewall Event**: See Example Schema [here](https://developers.cloudflare.com/logs/reference/log-fields/zone/firewall_events/). 
- -**HTTP Request**: See Example Schema [here](https://developers.cloudflare.com/logs/reference/log-fields/zone/http_requests/). - -**NEL Report**: See Example Schema [here](https://developers.cloudflare.com/logs/reference/log-fields/zone/nel_reports/). - -**Network Analytics**: See Example Schema [here](https://developers.cloudflare.com/logs/reference/log-fields/account/network_analytics_logs/). - -**Spectrum Event**: See Example Schema [here](https://developers.cloudflare.com/logs/reference/log-fields/zone/spectrum_events/). - -## Requirements - -You need Elasticsearch for storing and searching your data and Kibana for visualizing and managing it. You can use our hosted Elasticsearch Service on Elastic Cloud, which is recommended, or self-manage the Elastic Stack on your own hardware. - -This module has been tested against **Cloudflare version v4**. - -**Note**: It is recommended to use AWS SQS for Cloudflare Logpush. - -## Setup - -### To collect data from AWS S3 Bucket, follow the below steps: -- Configure the [Data Forwarder](https://developers.cloudflare.com/logs/get-started/enable-destinations/aws-s3/) to ingest data into an AWS S3 bucket. -- The default value of the "Bucket List Prefix" is listed below. However, the user can set the parameter "Bucket List Prefix" according to the requirement. - - | Data Stream Name | Bucket List Prefix | - | ----------------- | ---------------------- | - | Audit Logs | audit_logs | - | DNS | dns | - | Firewall Event | firewall_event | - | HTTP Request | http_request | - | NEL Report | nel_report | - | Network Analytics | network_analytics_logs | - | Spectrum Event | spectrum_event | - -### To collect data from AWS SQS, follow the below steps: -1. If data forwarding to an AWS S3 Bucket hasn't been configured, then first setup an AWS S3 Bucket as mentioned in the above documentation. -2. 
To setup an SQS queue, follow "Step 1: Create an Amazon SQS queue" mentioned in the [Documentation](https://docs.aws.amazon.com/AmazonS3/latest/userguide/ways-to-add-notification-config-to-bucket.html). - - While creating an SQS Queue, please provide the same bucket ARN that has been generated after creating an AWS S3 Bucket. -3. Setup event notification for an S3 bucket. Follow this [Link](https://docs.aws.amazon.com/AmazonS3/latest/userguide/enable-event-notifications.html). - - The user has to perform Step 3 for all the data-streams individually, and each time prefix parameter should be set the same as the S3 Bucket List Prefix as created earlier. (for example, `audit_logs/` for audit data stream.) - - For all the event notifications that have been created, select the event type as s3:ObjectCreated:*, select the destination type SQS Queue, and select the queue that has been created in Step 2. - -**Note**: - - Credentials for the above AWS S3 and SQS input types should be configured using the [link](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-aws-s3.html#aws-credentials-config). - - Data collection via AWS S3 Bucket and AWS SQS are mutually exclusive in this case. - -### To collect data from the Cloudflare HTTP Endpoint, follow the below steps: -- Reference link to [Enable HTTP destination](https://developers.cloudflare.com/logs/get-started/enable-destinations/http/) for Cloudflare Logpush. -- Add same custom header along with its value on both the side for additional security. 
-- For example, while creating a job along with a header and value for a particular dataset: -``` -curl --location --request POST 'https://api.cloudflare.com/client/v4/zones//logpush/jobs' \ ---header 'X-Auth-Key: ' \ ---header 'X-Auth-Email: ' \ ---header 'Authorization: ' \ ---header 'Content-Type: application/json' \ ---data-raw '{ - "name":"", - "destination_conf": "https://:?header_=", - "dataset": "http_requests", - "logpull_options": "fields=RayID,EdgeStartTimestamp×tamps=rfc3339" -}' -``` - -### Enabling the integration in Elastic -1. In Kibana, go to Management > Integrations -2. In the integrations search bar type **Cloudflare Logpush**. -3. Click the **Cloudflare Logpush** integration from the search results. -4. Click the **Add Cloudflare Logpush** button to add Cloudflare Logpush integration. -5. Enable the Integration with the HTTP Endpoint or AWS S3 input. -6. Under the AWS S3 input, there are two types of inputs: using AWS S3 Bucket or using SQS. -7. Configure Cloudflare to send logs to the Elastic Agent. - -## Logs reference - -### audit - -This is the `audit` dataset. 
-Default port for HTTP Endpoint: _9560_ - -#### Example - -An example event for `audit` looks as following: - -```json -{ - "@timestamp": "2021-11-30T20:19:48.000Z", - "agent": { - "ephemeral_id": "3605deda-1943-40cf-9ba2-a5d591fead25", - "hostname": "docker-fleet-agent", - "id": "8539930e-8f7a-48ac-af3e-7f098b7d6ea2", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "7.17.0" - }, - "cloudflare_logpush": { - "audit": { - "action": { - "result": "success", - "type": "token_create" - }, - "actor": { - "email": "user@example.com", - "id": "enl3j9du8rnx2swwd9l32qots7l54t9s", - "ip": "81.2.69.142", - "type": "user" - }, - "id": "73fd39ed-5aab-4a2a-b93c-c9a4abf0c425", - "interface": "UI", - "metadata": { - "token_name": "test", - "token_tag": "b7261c49a793a82678d12285f0bc1401" - }, - "new_value": { - "key1": "value1", - "key2": "value2" - }, - "old_value": { - "key3": "value4", - "key4": "value4" - }, - "owner": { - "id": "enl3j9du8rnx2swwd9l32qots7l54t9s" - }, - "resource": { - "id": "enl3j9du8rnx2swwd9l32qots7l54t9s", - "type": "account" - }, - "timestamp": "2021-11-30T20:19:48.000Z" - } - }, - "data_stream": { - "dataset": "cloudflare_logpush.audit", - "namespace": "ep", - "type": "logs" - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "8539930e-8f7a-48ac-af3e-7f098b7d6ea2", - "snapshot": false, - "version": "7.17.0" - }, - "event": { - "action": "token_create", - "agent_id_status": "verified", - "category": [ - "authentication" - ], - "dataset": "cloudflare_logpush.audit", - "id": "73fd39ed-5aab-4a2a-b93c-c9a4abf0c425", - "ingested": "2022-09-01T10:05:51Z", - "kind": "event", - "original": 
"{\"ActionResult\":true,\"ActionType\":\"token_create\",\"ActorEmail\":\"user@example.com\",\"ActorID\":\"enl3j9du8rnx2swwd9l32qots7l54t9s\",\"ActorIP\":\"81.2.69.142\",\"ActorType\":\"user\",\"ID\":\"73fd39ed-5aab-4a2a-b93c-c9a4abf0c425\",\"Interface\":\"UI\",\"Metadata\":{\"token_name\":\"test\",\"token_tag\":\"b7261c49a793a82678d12285f0bc1401\"},\"NewValue\":{\"key1\":\"value1\",\"key2\":\"value2\"},\"OldValue\":{\"key3\":\"value4\",\"key4\":\"value4\"},\"OwnerID\":\"enl3j9du8rnx2swwd9l32qots7l54t9s\",\"ResourceID\":\"enl3j9du8rnx2swwd9l32qots7l54t9s\",\"ResourceType\":\"account\",\"When\":\"2021-11-30T20:19:48Z\"}", - "outcome": "success", - "provider": "UI", - "type": [ - "info" - ] - }, - "input": { - "type": "http_endpoint" - }, - "related": { - "ip": [ - "81.2.69.142" - ], - "user": [ - "enl3j9du8rnx2swwd9l32qots7l54t9s" - ] - }, - "source": { - "ip": "81.2.69.142" - }, - "tags": [ - "preserve_original_event", - "preserve_duplicate_custom_fields", - "forwarded", - "cloudflare_logpush_audit" - ], - "user": { - "email": "user@example.com", - "id": "enl3j9du8rnx2swwd9l32qots7l54t9s" - } -} -``` - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization ID used to identify different entities in a multi-tenant environment. Examples: AWS account ID, Google Cloud ORG ID, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. 
| keyword | -| cloud.region | Region in which this host is running. | keyword | -| cloudflare_logpush.audit.action.result | Whether the action was successful. | keyword | -| cloudflare_logpush.audit.action.type | Type of action taken. | keyword | -| cloudflare_logpush.audit.actor.email | Email of the actor. | keyword | -| cloudflare_logpush.audit.actor.id | Unique identifier of the actor in Cloudflare system. | keyword | -| cloudflare_logpush.audit.actor.ip | Physical network address of the actor. | ip | -| cloudflare_logpush.audit.actor.type | Type of user that started the audit trail. | keyword | -| cloudflare_logpush.audit.id | Unique identifier of an audit log. | keyword | -| cloudflare_logpush.audit.interface | Entry point or interface of the audit log. | text | -| cloudflare_logpush.audit.metadata | Additional audit log-specific information, Metadata is organized in key:value pairs, Key and Value formats can vary by ResourceType. | flattened | -| cloudflare_logpush.audit.new_value | Contains the new value for the audited item. | flattened | -| cloudflare_logpush.audit.old_value | Contains the old value for the audited item. | flattened | -| cloudflare_logpush.audit.owner.id | The identifier of the user that was acting or was acted on behalf of. | keyword | -| cloudflare_logpush.audit.resource.id | Unique identifier of the resource within Cloudflare system. | keyword | -| cloudflare_logpush.audit.resource.type | The type of resource that was changed. | keyword | -| cloudflare_logpush.audit.timestamp | When the change happened. | date | -| container.id | Unique container ID. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. 
| constant_keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | -| event.dataset | Event dataset. | constant_keyword | -| event.id | Unique ID to describe the event. | keyword | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. 
`event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | -| event.module | Event module. | constant_keyword | -| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | -| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | -| event.provider | Source of the event. 
Event transports such as Syslog or the Windows Event Log typically mention the source of an event. It can be the name of the software that generated the event (e.g. Sysmon, httpd), or of a subsystem of the operating system (kernel, Microsoft-Windows-Security-Auditing). | keyword | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host ID. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host IP addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. 
| keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| input.type | Input type | keyword | -| log.offset | Log offset | long | -| log.source.address | Source address from which the log event was read / sent from. | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| related.user | All the user names or other user identifiers seen on the event. | keyword | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| tags | List of keywords used to tag each event. | keyword | -| user.email | User email address. | keyword | -| user.id | Unique identifier of the user. | keyword | - - -### dns - -This is the `dns` dataset. 
-Default port for HTTP Endpoint: _9561_ - -#### Example - -An example event for `dns` looks as following: - -```json -{ - "@timestamp": "2022-05-26T09:23:54.000Z", - "agent": { - "ephemeral_id": "5a08ea07-7e13-4f10-8bfa-5707606de846", - "hostname": "docker-fleet-agent", - "id": "8539930e-8f7a-48ac-af3e-7f098b7d6ea2", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "7.17.0" - }, - "cloudflare_logpush": { - "dns": { - "colo": { - "code": "MRS" - }, - "edns": { - "subnet": "1.128.0.0", - "subnet_length": 0 - }, - "query": { - "name": "example.com", - "type": 65535 - }, - "response": { - "cached": false, - "code": 0 - }, - "source": { - "ip": "175.16.199.0" - }, - "timestamp": "2022-05-26T09:23:54.000Z" - } - }, - "data_stream": { - "dataset": "cloudflare_logpush.dns", - "namespace": "ep", - "type": "logs" - }, - "dns": { - "question": { - "name": "example.com" - } - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "8539930e-8f7a-48ac-af3e-7f098b7d6ea2", - "snapshot": false, - "version": "7.17.0" - }, - "event": { - "agent_id_status": "verified", - "category": [ - "network" - ], - "dataset": "cloudflare_logpush.dns", - "ingested": "2022-09-01T10:06:44Z", - "kind": "event", - "original": "{\"ColoCode\":\"MRS\",\"EDNSSubnet\":\"1.128.0.0\",\"EDNSSubnetLength\":0,\"QueryName\":\"example.com\",\"QueryType\":65535,\"ResponseCached\":false,\"ResponseCode\":0,\"SourceIP\":\"175.16.199.0\",\"Timestamp\":\"2022-05-26T09:23:54Z\"}", - "type": [ - "info" - ] - }, - "input": { - "type": "http_endpoint" - }, - "related": { - "ip": [ - "175.16.199.0", - "1.128.0.0" - ] - }, - "source": { - "ip": "175.16.199.0" - }, - "tags": [ - "preserve_original_event", - "preserve_duplicate_custom_fields", - "forwarded", - "cloudflare_logpush_dns" - ] -} -``` - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. 
| date |
-| cloud.account.id | The cloud account or organization ID used to identify different entities in a multi-tenant environment. Examples: AWS account ID, Google Cloud ORG ID, or other unique identifier. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
-| cloudflare_logpush.dns.colo.code | IATA airport code of data center that received the request. | keyword |
-| cloudflare_logpush.dns.edns.subnet | EDNS Client Subnet (IPv4 or IPv6). | ip |
-| cloudflare_logpush.dns.edns.subnet_length | EDNS Client Subnet length. | long |
-| cloudflare_logpush.dns.query.name | Name of the query that was sent. | keyword |
-| cloudflare_logpush.dns.query.type | Integer value of query type. | long |
-| cloudflare_logpush.dns.response.cached | Whether the response was cached or not. | boolean |
-| cloudflare_logpush.dns.response.code | Integer value of response code. | long |
-| cloudflare_logpush.dns.source.ip | IP address of the client (IPv4 or IPv6). | ip |
-| cloudflare_logpush.dns.timestamp | Timestamp at which the query occurred. | date |
-| container.id | Unique container ID. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
-| data_stream.dataset | Data stream dataset. | constant_keyword |
-| data_stream.namespace | Data stream namespace.
| constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| dns.question.name | The name being queried. If the name field contains non-printable characters (below 32 or above 126), those characters should be represented as escaped base 10 integers (\DDD). Back slashes and quotes should be escaped. Tabs, carriage returns, and line feeds should be converted to \t, \r, and \n respectively. | keyword |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword |
-| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date |
-| event.dataset | Event dataset.
| constant_keyword |
-| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword |
-| event.module | Event module. | constant_keyword |
-| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword |
-| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host.
It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host ID. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host IP addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| input.type | Input type | keyword |
-| log.offset | Log offset | long |
-| log.source.address | Source address from which the log event was read / sent from. | keyword |
-| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword |
-| related.ip | All of the IPs seen on your event. | ip |
-| source.ip | IP address of the source (IPv4 or IPv6). | ip |
-| tags | List of keywords used to tag each event. | keyword |
-
-
-### firewall_event
-
-This is the `firewall_event` dataset.
-Default port for HTTP Endpoint: _9562_ - -#### Example - -An example event for `firewall_event` looks as following: - -```json -{ - "@timestamp": "2022-05-31T05:23:43.000Z", - "agent": { - "ephemeral_id": "75919903-db61-44c5-8c6c-9829fcfbd280", - "hostname": "docker-fleet-agent", - "id": "8539930e-8f7a-48ac-af3e-7f098b7d6ea2", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "7.17.0" - }, - "cloudflare_logpush": { - "firewall_event": { - "action": "block", - "client": { - "asn": { - "description": "CLOUDFLARENET", - "value": 15169 - }, - "country": "us", - "ip": "175.16.199.0", - "ip_class": "searchEngine", - "referer": { - "host": "abc.example.com", - "path": "/abc/checkout", - "query": "?sourcerer=(default%3A(id%3A!n%2CselectedPatterns%3A!(eqldemo%2C%27logs-endpoint.*-eqldemo%27%2C%27logs-system.*-eqldemo%27%2C%27logs-windows.*-eqldemo%27%2Cmetricseqldemo)))\u0026timerange=(global%3A(linkTo%3A!()%2Ctimerange%3A(from%3A%272022-04-05T00%3A00%3A01.199Z%27%2CfromStr%3Anow-24h%2Ckind%3Arelative%2Cto%3A%272022-04-06T00%3A00%3A01.200Z%27%2CtoStr%3Anow))%2Ctimeline%3A(linkTo%3A!()%2Ctimerange%3A(from%3A%272022-04-05T00%3A00%3A01.201Z%27%2CfromStr%3Anow-24h%2Ckind%3Arelative%2Cto%3A%272022-04-06T00%3A00%3A01.202Z%27%2CtoStr%3Anow)))", - "scheme": "referer URL scheme" - }, - "request": { - "host": "xyz.example.com", - "method": "GET", - "path": "/abc/checkout", - "protocol": "HTTP/1.1", - "query": "?sourcerer=(default%3A(id%3A!n%2CselectedPatterns%3A!(eqldemo%2C%27logs-endpoint.*-eqldemo%27%2C%27logs-system.*-eqldemo%27%2C%27logs-windows.*-eqldemo%27%2Cmetricseqldemo)))\u0026timerange=(global%3A(linkTo%3A!()%2Ctimerange%3A(from%3A%272022-04-05T00%3A00%3A01.199Z%27%2CfromStr%3Anow-24h%2Ckind%3Arelative%2Cto%3A%272022-04-06T00%3A00%3A01.200Z%27%2CtoStr%3Anow))%2Ctimeline%3A(linkTo%3A!()%2Ctimerange%3A(from%3A%272022-04-05T00%3A00%3A01.201Z%27%2CfromStr%3Anow-24h%2Ckind%3Arelative%2Cto%3A%272022-04-06T00%3A00%3A01.202Z%27%2CtoStr%3Anow)))", - "scheme": 
"https", - "user": { - "agent": "Mozilla/5.0 (Linux; Android 6.0.1; Nexus 5X Build/MMB29P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.64 Mobile Safari/537.36 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)" - } - } - }, - "edge": { - "colo": { - "code": "IAD" - }, - "response": { - "status": 403 - } - }, - "kind": "firewall", - "match_index": 1, - "meta_data": { - "filter": "1ced07e066a34abf8b14f2a99593bc8d", - "type": "customer" - }, - "origin": { - "ray": { - "id": "00" - }, - "response": { - "status": 0 - } - }, - "ray": { - "id": "713d477539b55c29" - }, - "rule": { - "id": "7dc666e026974dab84884c73b3e2afe1" - }, - "source": "firewallrules", - "timestamp": "2022-05-31T05:23:43.000Z" - } - }, - "data_stream": { - "dataset": "cloudflare_logpush.firewall_event", - "namespace": "ep", - "type": "logs" - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "8539930e-8f7a-48ac-af3e-7f098b7d6ea2", - "snapshot": false, - "version": "7.17.0" - }, - "event": { - "action": "block", - "agent_id_status": "verified", - "category": [ - "network" - ], - "dataset": "cloudflare_logpush.firewall_event", - "ingested": "2022-09-01T10:07:34Z", - "kind": "event", - "original": 
"{\"Action\":\"block\",\"ClientASN\":15169,\"ClientASNDescription\":\"CLOUDFLARENET\",\"ClientCountry\":\"us\",\"ClientIP\":\"175.16.199.0\",\"ClientIPClass\":\"searchEngine\",\"ClientRefererHost\":\"abc.example.com\",\"ClientRefererPath\":\"/abc/checkout\",\"ClientRefererQuery\":\"?sourcerer=(default%3A(id%3A!n%2CselectedPatterns%3A!(eqldemo%2C%27logs-endpoint.*-eqldemo%27%2C%27logs-system.*-eqldemo%27%2C%27logs-windows.*-eqldemo%27%2Cmetricseqldemo)))\\u0026timerange=(global%3A(linkTo%3A!()%2Ctimerange%3A(from%3A%272022-04-05T00%3A00%3A01.199Z%27%2CfromStr%3Anow-24h%2Ckind%3Arelative%2Cto%3A%272022-04-06T00%3A00%3A01.200Z%27%2CtoStr%3Anow))%2Ctimeline%3A(linkTo%3A!()%2Ctimerange%3A(from%3A%272022-04-05T00%3A00%3A01.201Z%27%2CfromStr%3Anow-24h%2Ckind%3Arelative%2Cto%3A%272022-04-06T00%3A00%3A01.202Z%27%2CtoStr%3Anow)))\",\"ClientRefererScheme\":\"referer URL scheme\",\"ClientRequestHost\":\"xyz.example.com\",\"ClientRequestMethod\":\"GET\",\"ClientRequestPath\":\"/abc/checkout\",\"ClientRequestProtocol\":\"HTTP/1.1\",\"ClientRequestQuery\":\"?sourcerer=(default%3A(id%3A!n%2CselectedPatterns%3A!(eqldemo%2C%27logs-endpoint.*-eqldemo%27%2C%27logs-system.*-eqldemo%27%2C%27logs-windows.*-eqldemo%27%2Cmetricseqldemo)))\\u0026timerange=(global%3A(linkTo%3A!()%2Ctimerange%3A(from%3A%272022-04-05T00%3A00%3A01.199Z%27%2CfromStr%3Anow-24h%2Ckind%3Arelative%2Cto%3A%272022-04-06T00%3A00%3A01.200Z%27%2CtoStr%3Anow))%2Ctimeline%3A(linkTo%3A!()%2Ctimerange%3A(from%3A%272022-04-05T00%3A00%3A01.201Z%27%2CfromStr%3Anow-24h%2Ckind%3Arelative%2Cto%3A%272022-04-06T00%3A00%3A01.202Z%27%2CtoStr%3Anow)))\",\"ClientRequestScheme\":\"https\",\"ClientRequestUserAgent\":\"Mozilla/5.0 (Linux; Android 6.0.1; Nexus 5X Build/MMB29P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.64 Mobile Safari/537.36 (compatible; Googlebot/2.1; 
+http://www.google.com/bot.html)\",\"Datetime\":\"2022-05-31T05:23:43Z\",\"EdgeColoCode\":\"IAD\",\"EdgeResponseStatus\":403,\"Kind\":\"firewall\",\"MatchIndex\":1,\"Metadata\":{\"filter\":\"1ced07e066a34abf8b14f2a99593bc8d\",\"type\":\"customer\"},\"OriginResponseStatus\":0,\"OriginatorRayID\":\"00\",\"RayID\":\"713d477539b55c29\",\"RuleID\":\"7dc666e026974dab84884c73b3e2afe1\",\"Source\":\"firewallrules\"}", - "type": [ - "info" - ] - }, - "http": { - "request": { - "method": "GET" - }, - "response": { - "status_code": 403 - }, - "version": "1.1" - }, - "input": { - "type": "http_endpoint" - }, - "network": { - "protocol": "http" - }, - "related": { - "hosts": [ - "abc.example.com", - "xyz.example.com" - ], - "ip": [ - "175.16.199.0" - ] - }, - "rule": { - "id": "7dc666e026974dab84884c73b3e2afe1" - }, - "source": { - "as": { - "number": 15169 - }, - "geo": { - "country_iso_code": "us" - }, - "ip": "175.16.199.0" - }, - "tags": [ - "preserve_original_event", - "preserve_duplicate_custom_fields", - "forwarded", - "cloudflare_logpush_firewall_event" - ], - "url": { - "scheme": "https" - }, - "user_agent": { - "device": { - "name": "Spider" - }, - "name": "Googlebot", - "original": "Mozilla/5.0 (Linux; Android 6.0.1; Nexus 5X Build/MMB29P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.64 Mobile Safari/537.36 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)", - "os": { - "full": "Android 6.0.1", - "name": "Android", - "version": "6.0.1" - }, - "version": "2.1" - } -} -``` - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization ID used to identify different entities in a multi-tenant environment. Examples: AWS account ID, Google Cloud ORG ID, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. 
| keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
-| cloudflare_logpush.firewall_event.action | The code of the first-class action the Cloudflare Firewall took on this request. | keyword |
-| cloudflare_logpush.firewall_event.client.asn.description | The ASN of the visitor as string. | keyword |
-| cloudflare_logpush.firewall_event.client.asn.value | The ASN number of the visitor. | long |
-| cloudflare_logpush.firewall_event.client.country | Country from which request originated. | keyword |
-| cloudflare_logpush.firewall_event.client.ip | The visitor IP address (IPv4 or IPv6). | ip |
-| cloudflare_logpush.firewall_event.client.ip_class | The classification of the visitor IP address, possible values are:- 'unknown', 'badHost', 'searchEngine', 'allowlist', 'monitoringService', 'noRecord', 'scan' and 'tor'. | keyword |
-| cloudflare_logpush.firewall_event.client.referer.host | The referer host. | keyword |
-| cloudflare_logpush.firewall_event.client.referer.path | The referer path requested by visitor. | text |
-| cloudflare_logpush.firewall_event.client.referer.query | The referer query-string was requested by the visitor. | keyword |
-| cloudflare_logpush.firewall_event.client.referer.scheme | The referer URL scheme requested by the visitor. | text |
-| cloudflare_logpush.firewall_event.client.request.host | The HTTP hostname requested by the visitor. | keyword |
-| cloudflare_logpush.firewall_event.client.request.method | The HTTP method used by the visitor.
| keyword |
-| cloudflare_logpush.firewall_event.client.request.path | The path requested by visitor. | text |
-| cloudflare_logpush.firewall_event.client.request.protocol | The version of HTTP protocol requested by the visitor. | keyword |
-| cloudflare_logpush.firewall_event.client.request.query | The query-string was requested by the visitor. | keyword |
-| cloudflare_logpush.firewall_event.client.request.scheme | The URL scheme requested by the visitor. | text |
-| cloudflare_logpush.firewall_event.client.request.user.agent | Visitor's user-agent string. | text |
-| cloudflare_logpush.firewall_event.edge.colo.code | The airport code of the Cloudflare datacenter that served this request. | keyword |
-| cloudflare_logpush.firewall_event.edge.response.status | HTTP response status code returned to browser. | long |
-| cloudflare_logpush.firewall_event.kind | The kind of event, currently only possible values are. | keyword |
-| cloudflare_logpush.firewall_event.match_index | Rules match index in the chain. | long |
-| cloudflare_logpush.firewall_event.meta_data | Additional product-specific information. | flattened |
-| cloudflare_logpush.firewall_event.origin.ray.id | HTTP origin response status code returned to browser. | keyword |
-| cloudflare_logpush.firewall_event.origin.response.status | The RayID of the request that issued the challenge/jschallenge. | long |
-| cloudflare_logpush.firewall_event.ray.id | The RayID of the request. | keyword |
-| cloudflare_logpush.firewall_event.rule.id | The Cloudflare security product-specific RuleID triggered by this request. | keyword |
-| cloudflare_logpush.firewall_event.source | The Cloudflare security product triggered by this request. | keyword |
-| cloudflare_logpush.firewall_event.timestamp | The date and time the event occurred at the edge. | date |
-| container.id | Unique container ID. | keyword |
-| container.image.name | Name of the image the container was built on.
| keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
-| data_stream.dataset | Data stream dataset. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword |
-| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword |
-| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used.
| date |
-| event.dataset | Event dataset. | constant_keyword |
-| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword |
-| event.module | Event module. | constant_keyword |
-| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword |
-| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider.
| keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host ID. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host IP addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| http.request.method | HTTP request method. The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field. | keyword |
-| http.response.status_code | HTTP response status code. | long |
-| http.version | HTTP version. | keyword |
-| input.type | Input type | keyword |
-| log.offset | Log offset | long |
-| log.source.address | Source address from which the log event was read / sent from. | keyword |
-| network.protocol | In the OSI Model this would be the Application Layer protocol.
For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword |
-| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword |
-| related.ip | All of the IPs seen on your event. | ip |
-| rule.id | A rule ID that is unique within the scope of an agent, observer, or other entity using the rule for detection of this event. | keyword |
-| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long |
-| source.geo.country_iso_code | Country ISO code. | keyword |
-| source.ip | IP address of the source (IPv4 or IPv6). | ip |
-| tags | List of keywords used to tag each event. | keyword |
-| url.scheme | Scheme of the request, such as "https". Note: The `:` is not part of the scheme. | keyword |
-| user_agent.device.name | Name of the device. | keyword |
-| user_agent.name | Name of the user agent. | keyword |
-| user_agent.original | Unparsed user_agent string. | keyword |
-| user_agent.original.text | Multi-field of `user_agent.original`. | match_only_text |
-| user_agent.os.full | Operating system name, including the version or code name. | keyword |
-| user_agent.os.full.text | Multi-field of `user_agent.os.full`. | match_only_text |
-| user_agent.os.name | Operating system name, without the version. | keyword |
-| user_agent.os.name.text | Multi-field of `user_agent.os.name`. | match_only_text |
-| user_agent.os.version | Operating system version as a raw string. | keyword |
-| user_agent.version | Version of the user agent. | keyword |
-
-
-### http_request
-
-This is the `http_request` dataset.
-Default port for HTTP Endpoint: _9563_ - -#### Example - -An example event for `http_request` looks as following: - -```json -{ - "@timestamp": "2022-09-01T10:08:19.901Z", - "agent": { - "ephemeral_id": "799a05d5-4523-4df3-8588-0a26bce74843", - "hostname": "docker-fleet-agent", - "id": "8539930e-8f7a-48ac-af3e-7f098b7d6ea2", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "7.17.0" - }, - "cloudflare_logpush": { - "http_request": { - "bot": { - "score": { - "src": "Verified Bot", - "value": 20 - }, - "tag": "bing" - }, - "cache": { - "response": { - "bytes": 983828, - "status": 200 - }, - "status": "dynamic", - "tiered_fill": false - }, - "client": { - "asn": 43766, - "country": "sa", - "device": { - "type": "desktop" - }, - "ip": "175.16.199.0", - "ip_class": "noRecord", - "mtls": { - "auth": { - "fingerprint": "Fingerprint", - "status": "unknown" - } - }, - "request": { - "bytes": 5800, - "host": "xyz.example.com", - "method": "POST", - "path": "/xyz/checkout", - "protocol": "HTTP/1.1", - "referer": "https://example.com/s/example/default?sourcerer=(default:(id:!n,selectedPatterns:!(example,%27logs-endpoint.*-example%27,%27logs-system.*-example%27,%27logs-windows.*-example%27)))\u0026timerange=(global:(linkTo:!(),timerange:(from:%272022-05-16T06:26:36.340Z%27,fromStr:now-24h,kind:relative,to:%272022-05-17T06:26:36.340Z%27,toStr:now)),timeline:(linkTo:!(),timerange:(from:%272022-04-17T22:00:00.000Z%27,kind:absolute,to:%272022-04-18T21:59:59.999Z%27)))\u0026timeline=(activeTab:notes,graphEventId:%27%27,id:%279844bdd4-4dd6-5b22-ab40-3cd46fce8d6b%27,isOpen:!t)", - "scheme": "https", - "source": "edgeWorkerFetch", - "uri": "/s/example/api/telemetry/v2/clusters/_stats", - "user": { - "agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36" - } - }, - "src": { - "port": 0 - }, - "ssl": { - "cipher": "NONE", - "protocol": "TLSv1.2" - }, - "tcp_rtt": { - "ms": 0 - }, - 
"xrequested_with": "Request With" - }, - "cookies": { - "key": "value" - }, - "edge": { - "cf_connecting_o2o": false, - "colo": { - "code": "RUH", - "id": 339 - }, - "end_time": "2022-05-25T13:25:32.000Z", - "pathing": { - "op": "wl", - "src": "macro", - "status": "nr" - }, - "rate": { - "limit": { - "action": "unknown", - "id": 0 - } - }, - "request": { - "host": "abc.example.com" - }, - "response": { - "body_bytes": 980397, - "bytes": 981308, - "compression_ratio": 0, - "content_type": "application/json", - "status": 200 - }, - "server": { - "ip": "1.128.0.0" - }, - "start_time": "2022-05-25T13:25:26.000Z", - "time_to_first_byte": { - "ms": 5333 - } - }, - "origin": { - "dns_response_time": { - "ms": 3 - }, - "ip": "67.43.156.0", - "request_header_send_duration": { - "ms": 0 - }, - "response": { - "bytes": 0, - "duration": { - "ms": 5319 - }, - "header_receive_duration": { - "ms": 5155 - }, - "http": { - "expires": "2022-05-27T13:25:26.000Z", - "last_modified": "2022-05-26T13:25:26.000Z" - }, - "status": 200, - "time": 5232000000 - }, - "ssl_protocol": "TLSv1.2", - "tcp_handshake_duration": { - "ms": 24 - }, - "tls_handshake_duration": { - "ms": 53 - } - }, - "parent_ray": { - "id": "710e98d93d50357d" - }, - "ray": { - "id": "710e98d9367f357d" - }, - "security_level": "off", - "smart_route": { - "colo": { - "id": 20 - } - }, - "upper_tier": { - "colo": { - "id": 0 - } - }, - "waf": { - "action": "unknown", - "flag": "0", - "matched_var": "example", - "profile": "unknown", - "rule": { - "id": "98d93d5", - "message": "matchad variable message" - } - }, - "worker": { - "cpu_time": 0, - "status": "unknown", - "subrequest": { - "count": 0, - "value": true - } - }, - "zone": { - "id": 393347122, - "name": "example.com" - } - } - }, - "data_stream": { - "dataset": "cloudflare_logpush.http_request", - "namespace": "ep", - "type": "logs" - }, - "destination": { - "ip": "67.43.156.0" - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": 
"8539930e-8f7a-48ac-af3e-7f098b7d6ea2", - "snapshot": false, - "version": "7.17.0" - }, - "event": { - "agent_id_status": "verified", - "category": [ - "network" - ], - "dataset": "cloudflare_logpush.http_request", - "ingested": "2022-09-01T10:08:20Z", - "kind": "event", - "original": "{\"BotScore\":\"20\",\"BotScoreSrc\":\"Verified Bot\",\"BotTags\":\"bing\",\"CacheCacheStatus\":\"dynamic\",\"CacheResponseBytes\":983828,\"CacheResponseStatus\":200,\"CacheTieredFill\":false,\"ClientASN\":43766,\"ClientCountry\":\"sa\",\"ClientDeviceType\":\"desktop\",\"ClientIP\":\"175.16.199.0\",\"ClientIPClass\":\"noRecord\",\"ClientMTLSAuthCertFingerprint\":\"Fingerprint\",\"ClientMTLSAuthStatus\":\"unknown\",\"ClientRequestBytes\":5800,\"ClientRequestHost\":\"xyz.example.com\",\"ClientRequestMethod\":\"POST\",\"ClientRequestPath\":\"/xyz/checkout\",\"ClientRequestProtocol\":\"HTTP/1.1\",\"ClientRequestReferer\":\"https://example.com/s/example/default?sourcerer=(default:(id:!n,selectedPatterns:!(example,%27logs-endpoint.*-example%27,%27logs-system.*-example%27,%27logs-windows.*-example%27)))\\u0026timerange=(global:(linkTo:!(),timerange:(from:%272022-05-16T06:26:36.340Z%27,fromStr:now-24h,kind:relative,to:%272022-05-17T06:26:36.340Z%27,toStr:now)),timeline:(linkTo:!(),timerange:(from:%272022-04-17T22:00:00.000Z%27,kind:absolute,to:%272022-04-18T21:59:59.999Z%27)))\\u0026timeline=(activeTab:notes,graphEventId:%27%27,id:%279844bdd4-4dd6-5b22-ab40-3cd46fce8d6b%27,isOpen:!t)\",\"ClientRequestScheme\":\"https\",\"ClientRequestSource\":\"edgeWorkerFetch\",\"ClientRequestURI\":\"/s/example/api/telemetry/v2/clusters/_stats\",\"ClientRequestUserAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36\",\"ClientSSLCipher\":\"NONE\",\"ClientSSLProtocol\":\"TLSv1.2\",\"ClientSrcPort\":0,\"ClientTCPRTTMs\":0,\"ClientXRequestedWith\":\"Request 
With\",\"Cookies\":{\"key\":\"value\"},\"EdgeCFConnectingO2O\":false,\"EdgeColoCode\":\"RUH\",\"EdgeColoID\":339,\"EdgeEndTimestamp\":\"2022-05-25T13:25:32Z\",\"EdgePathingOp\":\"wl\",\"EdgePathingSrc\":\"macro\",\"EdgePathingStatus\":\"nr\",\"EdgeRateLimitAction\":\"unknown\",\"EdgeRateLimitID\":0,\"EdgeRequestHost\":\"abc.example.com\",\"EdgeResponseBodyBytes\":980397,\"EdgeResponseBytes\":981308,\"EdgeResponseCompressionRatio\":0,\"EdgeResponseContentType\":\"application/json\",\"EdgeResponseStatus\":200,\"EdgeServerIP\":\"1.128.0.0\",\"EdgeStartTimestamp\":\"2022-05-25T13:25:26Z\",\"EdgeTimeToFirstByteMs\":5333,\"OriginDNSResponseTimeMs\":3,\"OriginIP\":\"67.43.156.0\",\"OriginRequestHeaderSendDurationMs\":0,\"OriginResponseBytes\":0,\"OriginResponseDurationMs\":5319,\"OriginResponseHTTPExpires\":\"2022-05-27T13:25:26Z\",\"OriginResponseHTTPLastModified\":\"2022-05-26T13:25:26Z\",\"OriginResponseHeaderReceiveDurationMs\":5155,\"OriginResponseStatus\":200,\"OriginResponseTime\":5232000000,\"OriginSSLProtocol\":\"TLSv1.2\",\"OriginTCPHandshakeDurationMs\":24,\"OriginTLSHandshakeDurationMs\":53,\"ParentRayID\":\"710e98d93d50357d\",\"RayID\":\"710e98d9367f357d\",\"SecurityLevel\":\"off\",\"SmartRouteColoID\":20,\"UpperTierColoID\":0,\"WAFAction\":\"unknown\",\"WAFFlags\":\"0\",\"WAFMatchedVar\":\"example\",\"WAFProfile\":\"unknown\",\"WAFRuleID\":\"98d93d5\",\"WAFRuleMessage\":\"matchad variable message\",\"WorkerCPUTime\":0,\"WorkerStatus\":\"unknown\",\"WorkerSubrequest\":true,\"WorkerSubrequestCount\":0,\"ZoneID\":393347122,\"ZoneName\":\"example.com\"}", - "type": [ - "info" - ] - }, - "http": { - "request": { - "method": "POST" - }, - "response": { - "mime_type": "application/json", - "status_code": 200 - }, - "version": "1.1" - }, - "input": { - "type": "http_endpoint" - }, - "network": { - "protocol": "http" - }, - "related": { - "ip": [ - "175.16.199.0", - "67.43.156.0" - ] - }, - "source": { - "as": { - "number": 43766 - }, - "geo": { - "country_iso_code": 
"sa" - }, - "ip": "175.16.199.0" - }, - "tags": [ - "preserve_original_event", - "preserve_duplicate_custom_fields", - "forwarded", - "cloudflare_logpush_http_request" - ], - "tls": { - "version": "1.2", - "version_protocol": "tls" - }, - "url": { - "domain": "example.com", - "original": "https://example.com/s/example/default?sourcerer=(default:(id:!n,selectedPatterns:!(example,%27logs-endpoint.*-example%27,%27logs-system.*-example%27,%27logs-windows.*-example%27)))\u0026timerange=(global:(linkTo:!(),timerange:(from:%272022-05-16T06:26:36.340Z%27,fromStr:now-24h,kind:relative,to:%272022-05-17T06:26:36.340Z%27,toStr:now)),timeline:(linkTo:!(),timerange:(from:%272022-04-17T22:00:00.000Z%27,kind:absolute,to:%272022-04-18T21:59:59.999Z%27)))\u0026timeline=(activeTab:notes,graphEventId:%27%27,id:%279844bdd4-4dd6-5b22-ab40-3cd46fce8d6b%27,isOpen:!t)", - "path": "/s/example/default", - "query": "sourcerer=(default:(id:!n,selectedPatterns:!(example,'logs-endpoint.*-example','logs-system.*-example','logs-windows.*-example')))\u0026timerange=(global:(linkTo:!(),timerange:(from:'2022-05-16T06:26:36.340Z',fromStr:now-24h,kind:relative,to:'2022-05-17T06:26:36.340Z',toStr:now)),timeline:(linkTo:!(),timerange:(from:'2022-04-17T22:00:00.000Z',kind:absolute,to:'2022-04-18T21:59:59.999Z')))\u0026timeline=(activeTab:notes,graphEventId:'',id:'9844bdd4-4dd6-5b22-ab40-3cd46fce8d6b',isOpen:!t)", - "scheme": "https" - }, - "user_agent": { - "device": { - "name": "Mac" - }, - "name": "Chrome", - "original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36", - "os": { - "full": "Mac OS X 10.10.5", - "name": "Mac OS X", - "version": "10.10.5" - }, - "version": "51.0.2704.103" - } -} -``` - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. 
| date | -| cloud.account.id | The cloud account or organization ID used to identify different entities in a multi-tenant environment. Examples: AWS account ID, Google Cloud ORG ID, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| cloudflare_logpush.http_request.bot.score.src | Detection engine responsible for generating the Bot Score. | text | -| cloudflare_logpush.http_request.bot.score.value | Cloudflare Bot Score, Scores below 30 are commonly associated with automated traffic. | long | -| cloudflare_logpush.http_request.bot.tag | Type of bot traffic (if available). | text | -| cloudflare_logpush.http_request.cache.response.bytes | Number of bytes returned by the cache. | long | -| cloudflare_logpush.http_request.cache.response.status | Cache status. | long | -| cloudflare_logpush.http_request.cache.status | HTTP status code returned by the cache to the edge. | keyword | -| cloudflare_logpush.http_request.cache.tiered_fill | Tiered Cache was used to serve this request. | boolean | -| cloudflare_logpush.http_request.client.asn | Client AS number. | long | -| cloudflare_logpush.http_request.client.country | Country of the client IP address. | keyword | -| cloudflare_logpush.http_request.client.device.type | Client device type. | keyword | -| cloudflare_logpush.http_request.client.ip | IP address of the client. 
| ip | -| cloudflare_logpush.http_request.client.ip_class | Class IP. | keyword | -| cloudflare_logpush.http_request.client.mtls.auth.fingerprint | The SHA256 fingerprint of the certificate presented by the client during mTLS authentication. | keyword | -| cloudflare_logpush.http_request.client.mtls.auth.status | The status of mTLS authentication, Only populated on the first request on an mTLS connection. | keyword | -| cloudflare_logpush.http_request.client.request.bytes | Number of bytes in the client request. | long | -| cloudflare_logpush.http_request.client.request.host | Host requested by the client. | keyword | -| cloudflare_logpush.http_request.client.request.method | HTTP method of client request. | text | -| cloudflare_logpush.http_request.client.request.path | URI path requested by the client. | text | -| cloudflare_logpush.http_request.client.request.protocol | HTTP protocol of client request. | keyword | -| cloudflare_logpush.http_request.client.request.referer | HTTP request referrer. | text | -| cloudflare_logpush.http_request.client.request.scheme | The URL scheme requested by the visitor. | text | -| cloudflare_logpush.http_request.client.request.source | Identifies requests as coming from an external source or another service within Cloudflare. | keyword | -| cloudflare_logpush.http_request.client.request.uri | URI requested by the client. | text | -| cloudflare_logpush.http_request.client.request.user.agent | User agent reported by the client. | text | -| cloudflare_logpush.http_request.client.src.port | Client source port. | long | -| cloudflare_logpush.http_request.client.ssl.cipher | Client SSL cipher. | text | -| cloudflare_logpush.http_request.client.ssl.protocol | Client SSL (TLS) protocol. 
| keyword | -| cloudflare_logpush.http_request.client.tcp_rtt.ms | The smoothed average of TCP round-trip time (SRTT), For the initial request on a connection, this is measured only during connection setup, For a subsequent request on the same connection, it is measured over the entire connection lifetime up until the time that request is received. | long | -| cloudflare_logpush.http_request.client.xrequested_with | X-Requested-With HTTP header. | text | -| cloudflare_logpush.http_request.cookies | String key-value pairs for Cookies. | flattened | -| cloudflare_logpush.http_request.edge.cf_connecting_o2o | True if the request looped through multiple zones on the Cloudflare edge. | boolean | -| cloudflare_logpush.http_request.edge.colo.code | IATA airport code of data center that received the request. | keyword | -| cloudflare_logpush.http_request.edge.colo.id | Cloudflare edge colo id. | long | -| cloudflare_logpush.http_request.edge.end_time | Timestamp at which the edge finished sending response to the client. | date | -| cloudflare_logpush.http_request.edge.pathing.op | Indicates what type of response was issued for this request. | text | -| cloudflare_logpush.http_request.edge.pathing.src | Details how the request was classified based on security checks. | text | -| cloudflare_logpush.http_request.edge.pathing.status | Indicates what data was used to determine the handling of this request. | text | -| cloudflare_logpush.http_request.edge.rate.limit.action | The action taken by the blocking rule; empty if no action taken. | keyword | -| cloudflare_logpush.http_request.edge.rate.limit.id | The internal rule ID of the rate-limiting rule that triggered a block (ban) or log action. | long | -| cloudflare_logpush.http_request.edge.request.host | Host header on the request from the edge to the origin. | keyword | -| cloudflare_logpush.http_request.edge.response.body_bytes | Size of the HTTP response body returned to clients. 
| long | -| cloudflare_logpush.http_request.edge.response.bytes | Number of bytes returned by the edge to the client. | long | -| cloudflare_logpush.http_request.edge.response.compression_ratio | Edge response compression ratio. | double | -| cloudflare_logpush.http_request.edge.response.content_type | Edge response Content-Type header value. | text | -| cloudflare_logpush.http_request.edge.response.status | HTTP status code returned by Cloudflare to the client. | long | -| cloudflare_logpush.http_request.edge.server.ip | IP of the edge server making a request to the origin. | ip | -| cloudflare_logpush.http_request.edge.start_time | Timestamp at which the edge received request from the client. | date | -| cloudflare_logpush.http_request.edge.time_to_first_byte.ms | Total view of Time To First Byte as measured at Cloudflare edge. | long | -| cloudflare_logpush.http_request.firewall.matches.action | Array of actions the Cloudflare firewall products performed on this request. | nested | -| cloudflare_logpush.http_request.firewall.matches.rule_id | Array of RuleIDs of the firewall product that has matched the request. | nested | -| cloudflare_logpush.http_request.firewall.matches.sources | The firewall products that matched the request. | nested | -| cloudflare_logpush.http_request.ja3_hash | The MD5 hash of the JA3 fingerprint used to profile SSL/TLS clients. | keyword | -| cloudflare_logpush.http_request.origin.dns_response_time.ms | Time taken to receive a DNS response for an origin name. | long | -| cloudflare_logpush.http_request.origin.ip | IP of the origin server. | ip | -| cloudflare_logpush.http_request.origin.request_header_send_duration.ms | Time taken to send request headers to origin after establishing a connection. | long | -| cloudflare_logpush.http_request.origin.response.bytes | Number of bytes returned by the origin server. 
| long | -| cloudflare_logpush.http_request.origin.response.duration.ms | Upstream response time, measured from the first datacenter that receives a request. | long | -| cloudflare_logpush.http_request.origin.response.header_receive_duration.ms | Time taken for origin to return response headers after Cloudflare finishes sending request headers. | long | -| cloudflare_logpush.http_request.origin.response.http.expires | Value of the origin expires header in RFC1123 format. | date | -| cloudflare_logpush.http_request.origin.response.http.last_modified | Value of the origin last-modified header in RFC1123 format. | date | -| cloudflare_logpush.http_request.origin.response.status | Status returned by the origin server. | long | -| cloudflare_logpush.http_request.origin.response.time | Number of nanoseconds it took the origin to return the response to edge. | long | -| cloudflare_logpush.http_request.origin.ssl_protocol | SSL (TLS) protocol used to connect to the origin. | text | -| cloudflare_logpush.http_request.origin.tcp_handshake_duration.ms | Time taken to complete TCP handshake with origin. | long | -| cloudflare_logpush.http_request.origin.tls_handshake_duration.ms | Time taken to complete TLS handshake with origin. | long | -| cloudflare_logpush.http_request.parent_ray.id | Ray ID of the parent request if this request was made using a Worker script. | keyword | -| cloudflare_logpush.http_request.ray.id | ID of the request. | keyword | -| cloudflare_logpush.http_request.request.headers | String key-value pairs for RequestHeaders. | flattened | -| cloudflare_logpush.http_request.response.headers | String key-value pairs for ResponseHeaders. | flattened | -| cloudflare_logpush.http_request.security_level | The security level configured at the time of this request. This is used to determine the sensitivity of the IP Reputation system. 
| text | -| cloudflare_logpush.http_request.smart_route.colo.id | The Cloudflare datacenter used to connect to the origin server if Argo Smart Routing is used. Available in Logpush v2 only. | long | -| cloudflare_logpush.http_request.upper_tier.colo.id | The “upper tier” datacenter that was checked for a cached copy if Tiered Cache is used. Available in Logpush v2 only. | long | -| cloudflare_logpush.http_request.waf.action | Action taken by the WAF, if triggered. | text | -| cloudflare_logpush.http_request.waf.flag | Additional configuration flags. | text | -| cloudflare_logpush.http_request.waf.matched_var | The full name of the most-recently matched variable. | text | -| cloudflare_logpush.http_request.waf.profile | The Profile of WAF. possible values are:- 'low', 'med', 'high'. | keyword | -| cloudflare_logpush.http_request.waf.rule.id | ID of the applied WAF rule. | keyword | -| cloudflare_logpush.http_request.waf.rule.message | Rule message associated with the triggered rule. | text | -| cloudflare_logpush.http_request.worker.cpu_time | Amount of time in microseconds spent executing a worker, if any. | long | -| cloudflare_logpush.http_request.worker.status | Status returned from worker daemon. | text | -| cloudflare_logpush.http_request.worker.subrequest.count | Number of subrequests issued by a worker when handling this request. | long | -| cloudflare_logpush.http_request.worker.subrequest.value | Whether or not this request was a worker subrequest. | boolean | -| cloudflare_logpush.http_request.worker.wall_time_us | Real-time in microseconds elapsed between start and end of worker invocation. | long | -| cloudflare_logpush.http_request.zone.id | Internal zone ID. | long | -| cloudflare_logpush.http_request.zone.name | The human-readable name of the zone. | keyword | -| container.id | Unique container ID. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. 
| object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | -| event.dataset | Event dataset. | constant_keyword | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. 
`event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | -| event.module | Event module. | constant_keyword | -| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host ID. 
As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host IP addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| http.request.method | HTTP request method. The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field. | keyword | -| http.response.mime_type | Mime type of the body of the response. This value must only be populated based on the content of the response body, not on the `Content-Type` header. Comparing the mime type of a response with the response's Content-Type header can be helpful in detecting misconfigured servers. | keyword | -| http.response.status_code | HTTP response status code. | long | -| http.version | HTTP version. 
| keyword | -| input.type | Input type | keyword | -| log.offset | Log offset | long | -| log.source.address | Source address from which the log event was read / sent from. | keyword | -| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword | -| related.hash | All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| source.geo.country_iso_code | Country ISO code. | keyword | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| tags | List of keywords used to tag each event. | keyword | -| tls.version | Numeric part of the version parsed from the original string. | keyword | -| tls.version_protocol | Normalized lowercase protocol name parsed from original string. | keyword | -| url.domain | Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. | keyword | -| url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | wildcard | -| url.original.text | Multi-field of `url.original`. 
| match_only_text | -| url.path | Path of the request, such as "/search". | wildcard | -| url.query | The query field describes the query string of the request, such as "q=elasticsearch". The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. | keyword | -| url.scheme | Scheme of the request, such as "https". Note: The `:` is not part of the scheme. | keyword | -| user_agent.device.name | Name of the device. | keyword | -| user_agent.name | Name of the user agent. | keyword | -| user_agent.original | Unparsed user_agent string. | keyword | -| user_agent.original.text | Multi-field of `user_agent.original`. | match_only_text | -| user_agent.os.full | Operating system name, including the version or code name. | keyword | -| user_agent.os.full.text | Multi-field of `user_agent.os.full`. | match_only_text | -| user_agent.os.name | Operating system name, without the version. | keyword | -| user_agent.os.name.text | Multi-field of `user_agent.os.name`. | match_only_text | -| user_agent.os.version | Operating system version as a raw string. | keyword | -| user_agent.version | Version of the user agent. | keyword | - - -### nel_report - -This is the `nel_report` dataset. 
-Default port for HTTP Endpoint: _9564_ - -#### Example - -An example event for `nel_report` looks as following: - -```json -{ - "@timestamp": "2021-07-27T00:01:07.000Z", - "agent": { - "ephemeral_id": "c38ba64f-2007-40ee-8ba6-7eead6aad5ee", - "hostname": "docker-fleet-agent", - "id": "8539930e-8f7a-48ac-af3e-7f098b7d6ea2", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "7.17.0" - }, - "cloudflare_logpush": { - "nel_report": { - "client": { - "ip": { - "asn": { - "description": "CLOUDFLARENET", - "value": 13335 - }, - "country": "US" - } - }, - "error": { - "type": "network-error" - }, - "last_known_good": { - "colo": { - "code": "SJC" - } - }, - "phase": "connection", - "timestamp": "2021-07-27T00:01:07.000Z" - } - }, - "data_stream": { - "dataset": "cloudflare_logpush.nel_report", - "namespace": "ep", - "type": "logs" - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "8539930e-8f7a-48ac-af3e-7f098b7d6ea2", - "snapshot": false, - "version": "7.17.0" - }, - "error": { - "type": "network-error" - }, - "event": { - "agent_id_status": "verified", - "category": [ - "network" - ], - "dataset": "cloudflare_logpush.nel_report", - "ingested": "2022-09-01T10:09:13Z", - "kind": "event", - "original": "{\"ClientIPASN\":\"13335\",\"ClientIPASNDescription\":\"CLOUDFLARENET\",\"ClientIPCountry\":\"US\",\"LastKnownGoodColoCode\":\"SJC\",\"Phase\":\"connection\",\"Timestamp\":\"2021-07-27T00:01:07Z\",\"Type\":\"network-error\"}", - "type": [ - "info" - ] - }, - "input": { - "type": "http_endpoint" - }, - "tags": [ - "preserve_original_event", - "preserve_duplicate_custom_fields", - "forwarded", - "cloudflare_logpush_nel_report" - ] -} -``` - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization ID used to identify different entities in a multi-tenant environment. 
Examples: AWS account ID, Google Cloud ORG ID, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| cloudflare_logpush.nel_report.client.ip.asn.description | Client ASN description. | keyword | -| cloudflare_logpush.nel_report.client.ip.asn.value | Client ASN. | long | -| cloudflare_logpush.nel_report.client.ip.country | Client country. | keyword | -| cloudflare_logpush.nel_report.error.type | The type of error in the phase. | keyword | -| cloudflare_logpush.nel_report.last_known_good.colo.code | IATA airport code of colo client connected to. | keyword | -| cloudflare_logpush.nel_report.phase | The phase of connection the error occurred in. | keyword | -| cloudflare_logpush.nel_report.timestamp | Timestamp for error report. | date | -| container.id | Unique container ID. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. 
When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| error.type | The type of the error, for example the class name of the exception. | keyword | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | -| event.dataset | Event dataset. | constant_keyword | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. 
They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | -| event.module | Event module. | constant_keyword | -| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host ID. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host IP addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. 
It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| input.type | Input type | keyword | -| log.offset | Log offset | long | -| log.source.address | Source address from which the log event was read / sent from. | keyword | -| tags | List of keywords used to tag each event. | keyword | - - -### network_analytics - -This is the `network_analytics` dataset. 
-Default port for HTTP Endpoint: _9565_ - -#### Example - -An example event for `network_analytics` looks as following: - -```json -{ - "@timestamp": "2021-07-27T00:01:07.000Z", - "agent": { - "ephemeral_id": "a59f9c29-2b33-4505-be1c-b7bc89c786a7", - "hostname": "docker-fleet-agent", - "id": "8539930e-8f7a-48ac-af3e-7f098b7d6ea2", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "7.17.0" - }, - "cloudflare_logpush": { - "network_analytics": { - "attack": { - "campaign": { - "id": "xyz987" - }, - "id": "abc777" - }, - "colo": { - "country": "AD", - "geo_hash": "gbuun", - "geo_location": "gbuun", - "id": 46, - "name": "SJC" - }, - "destination": { - "as": { - "number": { - "description": "asn description" - } - }, - "asn": 1900, - "country": "AD", - "geo_hash": "gbuun", - "geo_location": "gbuun", - "ip": "175.16.199.0", - "port": 0 - }, - "direction": "ingress", - "gre": { - "checksum": 10, - "ether": { - "type": 10 - }, - "header": { - "length": 1024 - }, - "key": 10, - "sequence": { - "number": 10 - }, - "version": 10 - }, - "icmp": { - "checksum": 10, - "code": 10, - "type": 10 - }, - "ip": { - "destination": { - "subnet": "/24" - }, - "fragment": { - "offset": 1480 - }, - "header": { - "length": 20 - }, - "more": { - "fragments": 1480 - }, - "protocol": { - "name": "tcp", - "value": 6 - }, - "source": { - "subnet": "/24" - }, - "total": { - "length": { - "buckets": 10, - "value": 1024 - } - }, - "ttl": { - "buckets": 2, - "value": 240 - } - }, - "ipv4": { - "checksum": 0, - "dont_fragment": 0, - "dscp": 46, - "ecn": 1, - "identification": 1, - "options": 1 - }, - "ipv6": { - "dscp": 46, - "ecn": 1, - "extension_headers": "header", - "flow_label": 1, - "identification": 1 - }, - "mitigation": { - "reason": "BLOCKED", - "scope": "local", - "system": "flowtrackd" - }, - "outcome": "success", - "protocol_state": "OPEN", - "rule": { - "id": "rule1", - "set": { - "id": "3b64149bfa6e4220bbbc2bd6db589552", - "override": { - "id": "id1" - } - } - }, - 
"sample_interval": 1, - "source": { - "as": { - "number": { - "description": "Source ASN Description" - } - }, - "asn": 1500, - "country": "AD", - "geo_hash": "gbuun", - "geo_location": "gbuun", - "ip": "67.43.156.0", - "port": 0 - }, - "tcp": { - "acknowledgement_number": 1000, - "checksum": 10, - "dataoffset": 0, - "flags": { - "string": "Human-readable flags string", - "value": 1 - }, - "mss": 512, - "options": "mss", - "sack": { - "blocks": 1, - "permitted": 1 - }, - "sequence_number": 100, - "timestamp": { - "ecr": 100, - "value": 100 - }, - "urgent_pointer": 10, - "window": { - "scale": 10, - "size": 10 - } - }, - "timestamp": "2021-07-27T00:01:07.000Z", - "udp": { - "checksum": 10, - "payload_length": 10 - }, - "verdict": "pass" - } - }, - "data_stream": { - "dataset": "cloudflare_logpush.network_analytics", - "namespace": "ep", - "type": "logs" - }, - "destination": { - "as": { - "number": 1900 - }, - "ip": "175.16.199.0", - "port": 0 - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "8539930e-8f7a-48ac-af3e-7f098b7d6ea2", - "snapshot": false, - "version": "7.17.0" - }, - "event": { - "agent_id_status": "verified", - "category": [ - "network" - ], - "dataset": "cloudflare_logpush.network_analytics", - "ingested": "2022-09-01T10:10:02Z", - "kind": "event", - "original": "{\"AttackCampaignID\":\"xyz987\",\"AttackID\":\"abc777\",\"ColoCountry\":\"AD\",\"ColoGeoHash\":\"gbuun\",\"ColoID\":46,\"ColoName\":\"SJC\",\"Datetime\":\"2021-07-27T00:01:07Z\",\"DestinationASN\":1900,\"DestinationASNDescription\":\"asn 
description\",\"DestinationCountry\":\"AD\",\"DestinationGeoHash\":\"gbuun\",\"DestinationPort\":0,\"Direction\":\"ingress\",\"GREChecksum\":10,\"GREEthertype\":10,\"GREHeaderLength\":1024,\"GREKey\":10,\"GRESequenceNumber\":10,\"GREVersion\":10,\"ICMPChecksum\":10,\"ICMPCode\":10,\"ICMPType\":10,\"IPDestinationAddress\":\"175.16.199.0\",\"IPDestinationSubnet\":\"/24\",\"IPFragmentOffset\":1480,\"IPHeaderLength\":20,\"IPMoreFragments\":1480,\"IPProtocol\":6,\"IPProtocolName\":\"tcp\",\"IPSourceAddress\":\"67.43.156.0\",\"IPSourceSubnet\":\"/24\",\"IPTotalLength\":1024,\"IPTotalLengthBuckets\":10,\"IPTtl\":240,\"IPTtlBuckets\":2,\"IPv4Checksum\":0,\"IPv4DontFragment\":0,\"IPv4Dscp\":46,\"IPv4Ecn\":1,\"IPv4Identification\":1,\"IPv4Options\":1,\"IPv6Dscp\":46,\"IPv6Ecn\":1,\"IPv6ExtensionHeaders\":\"header\",\"IPv6FlowLabel\":1,\"IPv6Identification\":1,\"MitigationReason\":\"BLOCKED\",\"MitigationScope\":\"local\",\"MitigationSystem\":\"flowtrackd\",\"Outcome\":\"pass\",\"ProtocolState\":\"OPEN\",\"RuleID\":\"rule1\",\"RulesetID\":\"3b64149bfa6e4220bbbc2bd6db589552\",\"RulesetOverrideID\":\"id1\",\"SampleInterval\":1,\"SourceASN\":1500,\"SourceASNDescription\":\"Source ASN Description\",\"SourceCountry\":\"AD\",\"SourceGeoHash\":\"gbuun\",\"SourcePort\":0,\"TCPAcknowledgementNumber\":1000,\"TCPChecksum\":10,\"TCPDataOffset\":0,\"TCPFlags\":1,\"TCPFlagsString\":\"Human-readable flags string\",\"TCPMss\":512,\"TCPOptions\":\"mss\",\"TCPSackBlocks\":1,\"TCPSacksPermitted\":1,\"TCPSequenceNumber\":100,\"TCPTimestampEcr\":100,\"TCPTimestampValue\":100,\"TCPUrgentPointer\":10,\"TCPWindowScale\":10,\"TCPWindowSize\":10,\"UDPChecksum\":10,\"UDPPayloadLength\":10,\"Verdict\":\"pass\"}", - "outcome": "success", - "type": [ - "info" - ] - }, - "input": { - "type": "http_endpoint" - }, - "network": { - "direction": "ingress", - "transport": "tcp" - }, - "related": { - "hash": [ - "gbuun" - ], - "ip": [ - "67.43.156.0", - "175.16.199.0" - ] - }, - "rule": { - "id": "rule1" - }, - 
"source": { - "as": { - "number": 1500 - }, - "ip": "67.43.156.0", - "port": 0 - }, - "tags": [ - "preserve_original_event", - "preserve_duplicate_custom_fields", - "forwarded", - "cloudflare_logpush_network_analytics" - ] -} -``` - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization ID used to identify different entities in a multi-tenant environment. Examples: AWS account ID, Google Cloud ORG ID, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| cloudflare_logpush.network_analytics.attack.campaign.id | Unique identifier of the attack campaign that this packet was a part of, if any. | keyword | -| cloudflare_logpush.network_analytics.attack.id | Unique identifier of the mitigation that matched the packet, if any. | keyword | -| cloudflare_logpush.network_analytics.colo.country | The country of colo that received the packet (ISO 3166-1 alpha-2). | keyword | -| cloudflare_logpush.network_analytics.colo.geo_hash | The Geo Hash where the colo that received the packet is located. | keyword | -| cloudflare_logpush.network_analytics.colo.geo_location | The latitude and longitude where the colo that received the packet is located. | geo_point | -| cloudflare_logpush.network_analytics.colo.id | The ID of the colo that received the DNS query. 
| long | -| cloudflare_logpush.network_analytics.colo.name | The name of the colo that received the DNS query. | keyword | -| cloudflare_logpush.network_analytics.destination.as.number.description | The ASN description associated with the destination IP of the packet. | text | -| cloudflare_logpush.network_analytics.destination.asn | The ASN associated with the destination IP of the packet. | long | -| cloudflare_logpush.network_analytics.destination.country | The country where the destination IP of the packet is located. | keyword | -| cloudflare_logpush.network_analytics.destination.geo_hash | The Geo Hash where the destination IP of the packet is located. | keyword | -| cloudflare_logpush.network_analytics.destination.geo_location | The latitude and longitude where the destination IP of the packet is located. | geo_point | -| cloudflare_logpush.network_analytics.destination.ip | Value of the Destination Address header field in the IPv4 or IPv6 packet. | ip | -| cloudflare_logpush.network_analytics.destination.port | Value of the Destination Port header field in the TCP or UDP packet. | long | -| cloudflare_logpush.network_analytics.direction | The direction in relation to customer network. | keyword | -| cloudflare_logpush.network_analytics.gre.checksum | Value of the Checksum header field in the GRE packet. | long | -| cloudflare_logpush.network_analytics.gre.ether.type | Value of the Ethertype header field in the GRE packet. | long | -| cloudflare_logpush.network_analytics.gre.header.length | Length of the GRE packet header, in bytes. | long | -| cloudflare_logpush.network_analytics.gre.key | Value of the Key header field in the GRE packet. | long | -| cloudflare_logpush.network_analytics.gre.sequence.number | Value of the Sequence Number header field in the GRE packet. | long | -| cloudflare_logpush.network_analytics.gre.version | Value of the Version header field in the GRE packet. 
| long | -| cloudflare_logpush.network_analytics.icmp.checksum | Value of the Checksum header field in the ICMP packet | long | -| cloudflare_logpush.network_analytics.icmp.code | Value of the Code header field in the ICMP packet | long | -| cloudflare_logpush.network_analytics.icmp.type | Value of the Type header field in the ICMP packet | long | -| cloudflare_logpush.network_analytics.ip.destination.subnet | Computed subnet of the Destination Address header field in the IPv4 or IPv6 packet. | keyword | -| cloudflare_logpush.network_analytics.ip.fragment.offset | Value of the Fragment Offset header field in the IPv4 or IPv6 packet. | long | -| cloudflare_logpush.network_analytics.ip.header.length | Length of the IPv4 or IPv6 packet header, in bytes. | long | -| cloudflare_logpush.network_analytics.ip.more.fragments | Value of the More Fragments header field in the IPv4 or IPv6 packet. | long | -| cloudflare_logpush.network_analytics.ip.protocol.name | Name of the protocol specified by the Protocol header field in the IPv4 or IPv6 packet. | text | -| cloudflare_logpush.network_analytics.ip.protocol.value | Value of the Protocol header field in the IPv4 or IPv6 packet. | long | -| cloudflare_logpush.network_analytics.ip.source.subnet | Computed subnet of the Source Address header field in the IPv4 or IPv6 packet. | keyword | -| cloudflare_logpush.network_analytics.ip.total.length.buckets | Total length of the IPv4 or IPv6 packet, in bytes, with the last two digits truncated. | long | -| cloudflare_logpush.network_analytics.ip.total.length.value | Total length of the IPv4 or IPv6 packet, in bytes. | long | -| cloudflare_logpush.network_analytics.ip.ttl.buckets | Value of the TTL header field in the IPv4 packet or the Hop Limit header field in the IPv6 packet, with the last digit truncated. | long | -| cloudflare_logpush.network_analytics.ip.ttl.value | Value of the TTL header field in the IPv4 packet or the Hop Limit header field in the IPv6 packet. 
| long | -| cloudflare_logpush.network_analytics.ipv4.checksum | Value of the Checksum header field in the IPv4 packet. | long | -| cloudflare_logpush.network_analytics.ipv4.dont_fragment | Value of the Don’t Fragment header field in the IPv4 packet. | long | -| cloudflare_logpush.network_analytics.ipv4.dscp | Value of the Differentiated Services Code Point header field in the IPv4 packet. | long | -| cloudflare_logpush.network_analytics.ipv4.ecn | Value of the Explicit Congestion Notification header field in the IPv4 packet. | long | -| cloudflare_logpush.network_analytics.ipv4.identification | Value of the Identification header field in the IPv4 packet. | long | -| cloudflare_logpush.network_analytics.ipv4.options | List of Options numbers included in the IPv4 packet header. | long | -| cloudflare_logpush.network_analytics.ipv6.dscp | Value of the Differentiated Services Code Point header field in the IPv6 packet. | long | -| cloudflare_logpush.network_analytics.ipv6.ecn | Value of the Explicit Congestion Notification header field in the IPv6 packet. | long | -| cloudflare_logpush.network_analytics.ipv6.extension_headers | List of Extension Header numbers included in the IPv6 packet header. | text | -| cloudflare_logpush.network_analytics.ipv6.flow_label | Value of the Flow Label header field in the IPv6 packet. | long | -| cloudflare_logpush.network_analytics.ipv6.identification | Value of the Identification extension header field in the IPv6 packet. | long | -| cloudflare_logpush.network_analytics.mitigation.reason | Reason for applying a mitigation to the packet, if any. | keyword | -| cloudflare_logpush.network_analytics.mitigation.scope | Whether the packet matched a local or global mitigation, if any. | keyword | -| cloudflare_logpush.network_analytics.mitigation.system | Which Cloudflare system dropped the packet, if any. | keyword | -| cloudflare_logpush.network_analytics.outcome | The action that Cloudflare systems took on the packet. 
| keyword | -| cloudflare_logpush.network_analytics.protocol_state | State of the packet in the context of the protocol, if any. | keyword | -| cloudflare_logpush.network_analytics.rule.id | Unique identifier of the rule contained with the Cloudflare L3/4 managed ruleset that this packet matched, if any. | text | -| cloudflare_logpush.network_analytics.rule.set.id | Unique identifier of the Cloudflare L3/4 managed ruleset containing the rule that this packet matched, if any. | keyword | -| cloudflare_logpush.network_analytics.rule.set.override.id | Unique identifier of the rule within the accounts root ddos_l4 phase ruleset which resulted in an override of the default sensitivity or action being applied/evaluated, if any. | text | -| cloudflare_logpush.network_analytics.sample_interval | The sample interval for this log. | long | -| cloudflare_logpush.network_analytics.source.as.number.description | The ASN description associated with the source IP of the packet. | text | -| cloudflare_logpush.network_analytics.source.asn | The ASN associated with the source IP of the packet. | long | -| cloudflare_logpush.network_analytics.source.country | The country where the source IP of the packet is located. | keyword | -| cloudflare_logpush.network_analytics.source.geo_hash | The Geo Hash where the source IP of the packet is located. | keyword | -| cloudflare_logpush.network_analytics.source.geo_location | The latitude and longitude where the source IP of the packet is located. | geo_point | -| cloudflare_logpush.network_analytics.source.ip | Value of the Source Address header field in the IPv4 or IPv6 packet. | ip | -| cloudflare_logpush.network_analytics.source.port | Value of the Source Port header field in the TCP or UDP packet. | long | -| cloudflare_logpush.network_analytics.tcp.acknowledgement_number | Value of the Acknowledgement Number header field in the TCP packet. 
| long | -| cloudflare_logpush.network_analytics.tcp.checksum | Value of the Checksum header field in the TCP packet. | long | -| cloudflare_logpush.network_analytics.tcp.dataoffset | Value of the Data Offset header field in the TCP packet. | long | -| cloudflare_logpush.network_analytics.tcp.flags.string | Human-readable string representation of the Flags header field in the TCP packet. | text | -| cloudflare_logpush.network_analytics.tcp.flags.value | Value of the Flags header field in the TCP packet. | long | -| cloudflare_logpush.network_analytics.tcp.mss | Value of the MSS option header field in the TCP packet. | long | -| cloudflare_logpush.network_analytics.tcp.options | List of Options numbers included in the TCP packet header. | text | -| cloudflare_logpush.network_analytics.tcp.sack.blocks | Value of the SACK Blocks option header in the TCP packet. | long | -| cloudflare_logpush.network_analytics.tcp.sack.permitted | Value of the SACK Permitted option header in the TCP packet. | long | -| cloudflare_logpush.network_analytics.tcp.sequence_number | Value of the Sequence Number header field in the TCP packet. | long | -| cloudflare_logpush.network_analytics.tcp.timestamp.ecr | Value of the Timestamp Echo Reply option header in the TCP packet. | long | -| cloudflare_logpush.network_analytics.tcp.timestamp.value | Value of the Timestamp option header in the TCP packet. | long | -| cloudflare_logpush.network_analytics.tcp.urgent_pointer | Value of the Urgent Pointer header field in the TCP packet. | long | -| cloudflare_logpush.network_analytics.tcp.window.scale | Value of the Window Scale option header in the TCP packet. | long | -| cloudflare_logpush.network_analytics.tcp.window.size | Value of the Window Size header field in the TCP packet. | long | -| cloudflare_logpush.network_analytics.timestamp | The date and time the event occurred at the edge. 
| date | -| cloudflare_logpush.network_analytics.udp.checksum | Value of the Checksum header field in the UDP packet. | long | -| cloudflare_logpush.network_analytics.udp.payload_length | Value of the Payload Length header field in the UDP packet. | long | -| cloudflare_logpush.network_analytics.verdict | The action that Cloudflare systems think should be taken on the packet (pass | drop). | keyword | -| container.id | Unique container ID. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| destination.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | -| destination.port | Port of the destination. | long | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. 
| keyword | -| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | -| event.dataset | Event dataset. | constant_keyword | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | -| event.module | Event module. | constant_keyword | -| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | -| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. 
`event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host ID. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host IP addresses. | ip | -| host.mac | Host mac addresses. 
| keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| input.type | Input type | keyword | -| log.offset | Log offset | long | -| log.source.address | Source address from which the log event was read / sent from. | keyword | -| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword | -| network.direction | Direction of the network traffic. Recommended values are: \* ingress \* egress \* inbound \* outbound \* internal \* external \* unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". 
Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword | -| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword | -| related.hash | All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| rule.id | A rule ID that is unique within the scope of an agent, observer, or other entity using the rule for detection of this event. | keyword | -| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| source.port | Port of the source. | long | -| tags | List of keywords used to tag each event. | keyword | - - -### spectrum_event - -This is the `spectrum_event` dataset. 
-Default port for HTTP Endpoint: _9566_ - -#### Example - -An example event for `spectrum_event` looks as following: - -```json -{ - "@timestamp": "2022-05-26T09:24:00.000Z", - "agent": { - "ephemeral_id": "34cad43e-ef45-4868-8da8-6e602991ef1a", - "hostname": "docker-fleet-agent", - "id": "8539930e-8f7a-48ac-af3e-7f098b7d6ea2", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "7.17.0" - }, - "cloudflare_logpush": { - "spectrum_event": { - "action": "connect", - "application": "7ef659a2f8ef4810a9bade96fdad7c75", - "client": { - "asn": 200391, - "bytes": 0, - "country": "bg", - "ip": "67.43.156.0", - "matched_ip_firewall": "UNKNOWN", - "port": 40456, - "protocol": "tcp", - "tcp_rtt": 0, - "tls": { - "cipher": "UNK", - "client_hello_server_name": "server name", - "protocol": "unknown", - "status": "UNKNOWN" - } - }, - "colo": { - "code": "SOF" - }, - "connect": { - "time": "2022-05-26T09:24:00.000Z" - }, - "disconnect": { - "time": "1970-01-01T00:00:00.000Z" - }, - "ip_firewall": false, - "origin": { - "bytes": 0, - "ip": "175.16.199.0", - "port": 3389, - "protocol": "tcp", - "tcp_rtt": 0, - "tls": { - "cipher": "UNK", - "fingerprint": "0000000000000000000000000000000000000000000000000000000000000000.", - "mode": "off", - "protocol": "unknown", - "status": "UNKNOWN" - } - }, - "proxy": { - "protocol": "off" - }, - "status": 0, - "timestamp": "2022-05-26T09:24:00.000Z" - } - }, - "data_stream": { - "dataset": "cloudflare_logpush.spectrum_event", - "namespace": "ep", - "type": "logs" - }, - "destination": { - "bytes": 0, - "ip": "175.16.199.0", - "port": 3389 - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "8539930e-8f7a-48ac-af3e-7f098b7d6ea2", - "snapshot": false, - "version": "7.17.0" - }, - "event": { - "action": "connect", - "agent_id_status": "verified", - "category": [ - "network" - ], - "dataset": "cloudflare_logpush.spectrum_event", - "end": "1970-01-01T00:00:00.000Z", - "id": "7ef659a2f8ef4810a9bade96fdad7c75", - 
"ingested": "2022-09-01T10:10:53Z", - "kind": "event", - "original": "{\"Application\":\"7ef659a2f8ef4810a9bade96fdad7c75\",\"ClientAsn\":200391,\"ClientBytes\":0,\"ClientCountry\":\"bg\",\"ClientIP\":\"67.43.156.0\",\"ClientMatchedIpFirewall\":\"UNKNOWN\",\"ClientPort\":40456,\"ClientProto\":\"tcp\",\"ClientTcpRtt\":0,\"ClientTlsCipher\":\"UNK\",\"ClientTlsClientHelloServerName\":\"server name\",\"ClientTlsProtocol\":\"unknown\",\"ClientTlsStatus\":\"UNKNOWN\",\"ColoCode\":\"SOF\",\"ConnectTimestamp\":\"2022-05-26T09:24:00Z\",\"DisconnectTimestamp\":\"1970-01-01T00:00:00Z\",\"Event\":\"connect\",\"IpFirewall\":false,\"OriginBytes\":0,\"OriginIP\":\"175.16.199.0\",\"OriginPort\":3389,\"OriginProto\":\"tcp\",\"OriginTcpRtt\":0,\"OriginTlsCipher\":\"UNK\",\"OriginTlsFingerprint\":\"0000000000000000000000000000000000000000000000000000000000000000.\",\"OriginTlsMode\":\"off\",\"OriginTlsProtocol\":\"unknown\",\"OriginTlsStatus\":\"UNKNOWN\",\"ProxyProtocol\":\"off\",\"Status\":0,\"Timestamp\":\"2022-05-26T09:24:00Z\"}", - "start": "2022-05-26T09:24:00.000Z", - "type": [ - "info" - ] - }, - "http": { - "response": { - "status_code": 0 - } - }, - "input": { - "type": "http_endpoint" - }, - "network": { - "community_id": "1:X7lywUVKlduqRq5SyCRaBj4hLP0=", - "transport": "tcp" - }, - "related": { - "ip": [ - "67.43.156.0", - "175.16.199.0" - ] - }, - "source": { - "as": { - "number": 200391 - }, - "bytes": 0, - "geo": { - "country_iso_code": "bg" - }, - "ip": "67.43.156.0", - "port": 40456 - }, - "tags": [ - "preserve_original_event", - "preserve_duplicate_custom_fields", - "forwarded", - "cloudflare_logpush_spectrum_event" - ] -} -``` - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization ID used to identify different entities in a multi-tenant environment. Examples: AWS account ID, Google Cloud ORG ID, or other unique identifier. 
| keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| cloudflare_logpush.spectrum_event.action | Event Action. | keyword | -| cloudflare_logpush.spectrum_event.application | The unique public ID of the application on which the event occurred. | keyword | -| cloudflare_logpush.spectrum_event.client.asn | Client AS number. | long | -| cloudflare_logpush.spectrum_event.client.bytes | The number of bytes read from the client by the Spectrum service. | long | -| cloudflare_logpush.spectrum_event.client.country | Country of the client IP address. | keyword | -| cloudflare_logpush.spectrum_event.client.ip | Client IP address. | ip | -| cloudflare_logpush.spectrum_event.client.matched_ip_firewall | Whether the connection matched any IP Firewall rules. | keyword | -| cloudflare_logpush.spectrum_event.client.port | Client port. | long | -| cloudflare_logpush.spectrum_event.client.protocol | Transport protocol used by client. | keyword | -| cloudflare_logpush.spectrum_event.client.tcp_rtt | The TCP round-trip time in nanoseconds between the client and Spectrum. | long | -| cloudflare_logpush.spectrum_event.client.tls.cipher | The cipher negotiated between the client and Spectrum. | keyword | -| cloudflare_logpush.spectrum_event.client.tls.client_hello_server_name | The server name in the Client Hello message from client to Spectrum. 
| keyword |
-| cloudflare_logpush.spectrum_event.client.tls.protocol | The TLS version negotiated between the client and Spectrum. | keyword |
-| cloudflare_logpush.spectrum_event.client.tls.status | Indicates state of TLS session from the client to Spectrum. | keyword |
-| cloudflare_logpush.spectrum_event.colo.code | IATA airport code of data center that received the request. | keyword |
-| cloudflare_logpush.spectrum_event.connect.time | Timestamp at which both legs of the connection (client/edge, edge/origin or nexthop) were established. | date |
-| cloudflare_logpush.spectrum_event.disconnect.time | Timestamp at which the connection was closed. | date |
-| cloudflare_logpush.spectrum_event.ip_firewall | Whether IP Firewall was enabled at time of connection. | boolean |
-| cloudflare_logpush.spectrum_event.origin.bytes | The number of bytes read from the origin by Spectrum. | long |
-| cloudflare_logpush.spectrum_event.origin.ip | Origin IP address. | ip |
-| cloudflare_logpush.spectrum_event.origin.port | Origin Port. | long |
-| cloudflare_logpush.spectrum_event.origin.protocol | Transport protocol used by origin. | keyword |
-| cloudflare_logpush.spectrum_event.origin.tcp_rtt | The TCP round-trip time in nanoseconds between Spectrum and the origin. | long |
-| cloudflare_logpush.spectrum_event.origin.tls.cipher | The cipher negotiated between Spectrum and the origin. | keyword |
-| cloudflare_logpush.spectrum_event.origin.tls.fingerprint | SHA256 hash of origin certificate. | keyword |
-| cloudflare_logpush.spectrum_event.origin.tls.mode | If and how the upstream connection is encrypted. | keyword |
-| cloudflare_logpush.spectrum_event.origin.tls.protocol | The TLS version negotiated between Spectrum and the origin. | keyword |
-| cloudflare_logpush.spectrum_event.origin.tls.status | The state of the TLS session from Spectrum to the origin. 
| keyword |
-| cloudflare_logpush.spectrum_event.proxy.protocol | Which form of proxy protocol is applied to the given connection. | keyword |
-| cloudflare_logpush.spectrum_event.status | A code indicating reason for connection closure. | long |
-| cloudflare_logpush.spectrum_event.timestamp | Timestamp at which the event took place. | date |
-| container.id | Unique container ID. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
-| data_stream.dataset | Data stream dataset. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| destination.bytes | Bytes sent from the destination to the source. | long |
-| destination.ip | IP address of the destination (IPv4 or IPv6). | ip |
-| destination.port | Port of the destination. | long |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword |
-| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. 
This will allow proper categorization of some events that fall in multiple categories. | keyword |
-| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date |
-| event.dataset | Event dataset. | constant_keyword |
-| event.end | event.end contains the date when the event ended or when the activity was last observed. | date |
-| event.id | Unique ID to describe the event. | keyword |
-| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword |
-| event.module | Event module. | constant_keyword |
-| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. 
If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword |
-| event.start | event.start contains the date when the event started or when the activity was first observed. | date |
-| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host ID. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host IP addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. 
| keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| http.response.status_code | HTTP response status code. | long |
-| input.type | Input type | keyword |
-| log.offset | Log offset | long |
-| log.source.address | Source address from which the log event was read / sent from. | keyword |
-| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword |
-| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword |
-| related.ip | All of the IPs seen on your event. | ip |
-| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long |
-| source.bytes | Bytes sent from the source to the destination. | long |
-| source.geo.country_iso_code | Country ISO code. | keyword |
-| source.ip | IP address of the source (IPv4 or IPv6). | ip |
-| source.port | Port of the source. | long |
-| tags | List of keywords used to tag each event. | keyword |
-| tls.version | Numeric part of the version parsed from the original string. | keyword |
-| tls.version_protocol | Normalized lowercase protocol name parsed from original string. | keyword | 
diff --git a/packages/cloudflare_logpush/0.2.0/img/cloudflare-logo.svg b/packages/cloudflare_logpush/0.2.0/img/cloudflare-logo.svg deleted file mode 100755 index 35c7495a8a..0000000000 --- a/packages/cloudflare_logpush/0.2.0/img/cloudflare-logo.svg +++ /dev/null @@ -1,50 +0,0 @@ - - - - - - - - - - - - - - - - - - - - - - - diff --git a/packages/cloudflare_logpush/0.2.0/img/cloudflare-screenshot.png b/packages/cloudflare_logpush/0.2.0/img/cloudflare-screenshot.png deleted file mode 100755 index 815fe5ad52..0000000000 Binary files a/packages/cloudflare_logpush/0.2.0/img/cloudflare-screenshot.png and /dev/null differ diff --git a/packages/cloudflare_logpush/0.2.0/kibana/dashboard/cloudflare_logpush-3da7bd20-dc45-11ec-b76d-adcfe05cc1fe.json b/packages/cloudflare_logpush/0.2.0/kibana/dashboard/cloudflare_logpush-3da7bd20-dc45-11ec-b76d-adcfe05cc1fe.json deleted file mode 100755 index c40945d42e..0000000000 --- a/packages/cloudflare_logpush/0.2.0/kibana/dashboard/cloudflare_logpush-3da7bd20-dc45-11ec-b76d-adcfe05cc1fe.json +++ /dev/null 
@@ -1,112 +0,0 @@ -{ - "attributes": { - "description": "Overview of Cloudflare Logpush Network Analytics", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : cloudflare_logpush.network_analytics\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-6c5ec283-013e-440d-ba37-5c07a17e1029\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"6c5ec283-013e-440d-ba37-5c07a17e1029\":{\"columnOrder\":[\"71696bca-c718-4577-911c-6d9a801a48a7\",\"9d568821-2c1e-40c4-8d25-9f7d69a66b9e\"],\"columns\":{\"71696bca-c718-4577-911c-6d9a801a48a7\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Network Direction\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"9d568821-2c1e-40c4-8d25-9f7d69a66b9e\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"network.direction\"},\"9d568821-2c1e-40c4-8d25-9f7d69a66b9e\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Record\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : 
cloudflare_logpush.network_analytics\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"71696bca-c718-4577-911c-6d9a801a48a7\"],\"layerId\":\"6c5ec283-013e-440d-ba37-5c07a17e1029\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"9d568821-2c1e-40c4-8d25-9f7d69a66b9e\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"pie\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"76dd9910-33ca-4380-84f9-0714b5162925\",\"w\":24,\"x\":0,\"y\":0},\"panelIndex\":\"76dd9910-33ca-4380-84f9-0714b5162925\",\"title\":\"Distribution of Network Analytics Logs by Network Direction [Logs Cloudflare Logpush]\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-6c5ec283-013e-440d-ba37-5c07a17e1029\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"6c5ec283-013e-440d-ba37-5c07a17e1029\":{\"columnOrder\":[\"71696bca-c718-4577-911c-6d9a801a48a7\",\"9d568821-2c1e-40c4-8d25-9f7d69a66b9e\"],\"columns\":{\"71696bca-c718-4577-911c-6d9a801a48a7\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Mitigation 
Reason\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"9d568821-2c1e-40c4-8d25-9f7d69a66b9e\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"cloudflare_logpush.network_analytics.mitigation.reason\"},\"9d568821-2c1e-40c4-8d25-9f7d69a66b9e\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Record\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : cloudflare_logpush.network_analytics\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"71696bca-c718-4577-911c-6d9a801a48a7\"],\"layerId\":\"6c5ec283-013e-440d-ba37-5c07a17e1029\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"9d568821-2c1e-40c4-8d25-9f7d69a66b9e\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"pie\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"db9bd60f-97ff-4128-ac14-f50aad75c349\",\"w\":24,\"x\":24,\"y\":0},\"panelIndex\":\"db9bd60f-97ff-4128-ac14-f50aad75c349\",\"title\":\"Distribution of Network Analytics Logs by Mitigation Reason [Logs Cloudflare 
Logpush]\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-6c5ec283-013e-440d-ba37-5c07a17e1029\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"6c5ec283-013e-440d-ba37-5c07a17e1029\":{\"columnOrder\":[\"71696bca-c718-4577-911c-6d9a801a48a7\",\"9d568821-2c1e-40c4-8d25-9f7d69a66b9e\"],\"columns\":{\"71696bca-c718-4577-911c-6d9a801a48a7\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Mitigation Scope\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"9d568821-2c1e-40c4-8d25-9f7d69a66b9e\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"cloudflare_logpush.network_analytics.mitigation.scope\"},\"9d568821-2c1e-40c4-8d25-9f7d69a66b9e\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Record\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : 
cloudflare_logpush.network_analytics\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"71696bca-c718-4577-911c-6d9a801a48a7\"],\"layerId\":\"6c5ec283-013e-440d-ba37-5c07a17e1029\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"9d568821-2c1e-40c4-8d25-9f7d69a66b9e\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"pie\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"a3ed8dcc-80c7-4b0b-b5ae-d367ca5399f2\",\"w\":24,\"x\":0,\"y\":15},\"panelIndex\":\"a3ed8dcc-80c7-4b0b-b5ae-d367ca5399f2\",\"title\":\"Distribution of Network Analytics Logs by Mitigation Scope [Logs Cloudflare Logpush]\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-6c5ec283-013e-440d-ba37-5c07a17e1029\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"6c5ec283-013e-440d-ba37-5c07a17e1029\":{\"columnOrder\":[\"71696bca-c718-4577-911c-6d9a801a48a7\",\"9d568821-2c1e-40c4-8d25-9f7d69a66b9e\"],\"columns\":{\"71696bca-c718-4577-911c-6d9a801a48a7\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Mitigation 
System\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"9d568821-2c1e-40c4-8d25-9f7d69a66b9e\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"cloudflare_logpush.network_analytics.mitigation.system\"},\"9d568821-2c1e-40c4-8d25-9f7d69a66b9e\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Record\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : cloudflare_logpush.network_analytics\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"71696bca-c718-4577-911c-6d9a801a48a7\"],\"layerId\":\"6c5ec283-013e-440d-ba37-5c07a17e1029\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"9d568821-2c1e-40c4-8d25-9f7d69a66b9e\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"pie\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"f8d6e38e-14f7-41d2-be81-0831c73cb443\",\"w\":24,\"x\":24,\"y\":15},\"panelIndex\":\"f8d6e38e-14f7-41d2-be81-0831c73cb443\",\"title\":\"Distribution of Network Analytics Logs by Mitigation System [Logs Cloudflare 
Logpush]\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-6c5ec283-013e-440d-ba37-5c07a17e1029\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"6c5ec283-013e-440d-ba37-5c07a17e1029\":{\"columnOrder\":[\"71696bca-c718-4577-911c-6d9a801a48a7\",\"9d568821-2c1e-40c4-8d25-9f7d69a66b9e\"],\"columns\":{\"71696bca-c718-4577-911c-6d9a801a48a7\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Outcome\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"9d568821-2c1e-40c4-8d25-9f7d69a66b9e\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"event.outcome\"},\"9d568821-2c1e-40c4-8d25-9f7d69a66b9e\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Record\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : cloudflare_logpush.network_analytics\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"71696bca-c718-4577-911c-6d9a801a48a7\"],\"layerId\":\"6c5ec283-013e-440d-ba37-5c07a17e1029\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"9d568821-2c1e-40c4-8d25-9f7d69a66b9e\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"pie\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"185e465f-bd48-48e2-a8be-59854a7c3021\",\"w\":24,\"x\":0,\"y\":30},\"panelIndex\":\"185e465f-bd48-48e2-a8be-59854a7c3021\",\"title\":\"Distribution of Network Analytics Logs by Outcome 
[Logs Cloudflare Logpush]\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-6c5ec283-013e-440d-ba37-5c07a17e1029\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"6c5ec283-013e-440d-ba37-5c07a17e1029\":{\"columnOrder\":[\"71696bca-c718-4577-911c-6d9a801a48a7\",\"9d568821-2c1e-40c4-8d25-9f7d69a66b9e\"],\"columns\":{\"71696bca-c718-4577-911c-6d9a801a48a7\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Protocol State\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"9d568821-2c1e-40c4-8d25-9f7d69a66b9e\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"cloudflare_logpush.network_analytics.protocol_state\"},\"9d568821-2c1e-40c4-8d25-9f7d69a66b9e\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Record\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : 
cloudflare_logpush.network_analytics\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"71696bca-c718-4577-911c-6d9a801a48a7\"],\"layerId\":\"6c5ec283-013e-440d-ba37-5c07a17e1029\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"9d568821-2c1e-40c4-8d25-9f7d69a66b9e\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"pie\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"6a86f194-8e17-4b6c-8100-3fe42fbb85b0\",\"w\":24,\"x\":24,\"y\":30},\"panelIndex\":\"6a86f194-8e17-4b6c-8100-3fe42fbb85b0\",\"title\":\"Distribution of Network Analytics Logs by Protocol State [Logs Cloudflare Logpush]\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-11a19196-0f9a-4d8f-9347-348869de935c\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"11a19196-0f9a-4d8f-9347-348869de935c\":{\"columnOrder\":[\"339a62c8-a6a0-4c14-acc8-a438dc906a08\",\"620baa35-429f-469c-bc29-6e7bc91c4c4e\"],\"columns\":{\"339a62c8-a6a0-4c14-acc8-a438dc906a08\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Destination 
Country\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"620baa35-429f-469c-bc29-6e7bc91c4c4e\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"cloudflare_logpush.network_analytics.destination.country\"},\"620baa35-429f-469c-bc29-6e7bc91c4c4e\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Record\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : cloudflare_logpush.network_analytics\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"339a62c8-a6a0-4c14-acc8-a438dc906a08\"],\"layerId\":\"11a19196-0f9a-4d8f-9347-348869de935c\",\"layerType\":\"data\",\"legendDisplay\":\"show\",\"metric\":\"620baa35-429f-469c-bc29-6e7bc91c4c4e\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"treemap\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"fefc98e2-ac0a-4929-92a1-3a8dcc396a8c\",\"w\":24,\"x\":0,\"y\":45},\"panelIndex\":\"fefc98e2-ac0a-4929-92a1-3a8dcc396a8c\",\"title\":\"Distribution of Network Analytics by Destination Country [Logs Cloudflare 
Logpush]\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-11a19196-0f9a-4d8f-9347-348869de935c\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"11a19196-0f9a-4d8f-9347-348869de935c\":{\"columnOrder\":[\"339a62c8-a6a0-4c14-acc8-a438dc906a08\",\"620baa35-429f-469c-bc29-6e7bc91c4c4e\"],\"columns\":{\"339a62c8-a6a0-4c14-acc8-a438dc906a08\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Source Country\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"620baa35-429f-469c-bc29-6e7bc91c4c4e\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"cloudflare_logpush.network_analytics.source.country\"},\"620baa35-429f-469c-bc29-6e7bc91c4c4e\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Record\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : 
cloudflare_logpush.network_analytics\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"339a62c8-a6a0-4c14-acc8-a438dc906a08\"],\"layerId\":\"11a19196-0f9a-4d8f-9347-348869de935c\",\"layerType\":\"data\",\"legendDisplay\":\"show\",\"metric\":\"620baa35-429f-469c-bc29-6e7bc91c4c4e\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"treemap\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"1b347819-7723-4250-9dfc-647d474d1044\",\"w\":24,\"x\":24,\"y\":45},\"panelIndex\":\"1b347819-7723-4250-9dfc-647d474d1044\",\"title\":\"Distribution of Network Analytics by Source Country [Logs Cloudflare Logpush]\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-11a19196-0f9a-4d8f-9347-348869de935c\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"11a19196-0f9a-4d8f-9347-348869de935c\":{\"columnOrder\":[\"339a62c8-a6a0-4c14-acc8-a438dc906a08\",\"b29c086f-8c01-49ee-b4f4-b47bbe9f35dc\",\"620baa35-429f-469c-bc29-6e7bc91c4c4e\"],\"columns\":{\"339a62c8-a6a0-4c14-acc8-a438dc906a08\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Source 
IP\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"620baa35-429f-469c-bc29-6e7bc91c4c4e\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"source.ip\"},\"620baa35-429f-469c-bc29-6e7bc91c4c4e\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Record\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"b29c086f-8c01-49ee-b4f4-b47bbe9f35dc\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Destination IP\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"620baa35-429f-469c-bc29-6e7bc91c4c4e\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"destination.ip\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : cloudflare_logpush.network_analytics\"},\"visualization\":{\"columns\":[{\"columnId\":\"339a62c8-a6a0-4c14-acc8-a438dc906a08\",\"isTransposed\":false},{\"alignment\":\"left\",\"columnId\":\"620baa35-429f-469c-bc29-6e7bc91c4c4e\",\"isTransposed\":false},{\"columnId\":\"b29c086f-8c01-49ee-b4f4-b47bbe9f35dc\",\"isTransposed\":false}],\"layerId\":\"11a19196-0f9a-4d8f-9347-348869de935c\",\"layerType\":\"data\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsDatatable\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"108877cb-bc4f-4870-90d4-732d4755014f\",\"w\":24,\"x\":0,\"y\":60},\"panelIndex\":\"108877cb-bc4f-4870-90d4-732d4755014f\",\"title\":\"Top 10 Source IP and Destination IP [Logs Cloudflare Logpush]\",\"type\":\"lens\",\"version\":\"7.17.0\"}]", - "timeRestore": false, - "title": "[Logs Cloudflare Logpush] Network Analytics", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": 
"cloudflare_logpush-3da7bd20-dc45-11ec-b76d-adcfe05cc1fe", - "migrationVersion": { - "dashboard": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "76dd9910-33ca-4380-84f9-0714b5162925:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "76dd9910-33ca-4380-84f9-0714b5162925:indexpattern-datasource-layer-6c5ec283-013e-440d-ba37-5c07a17e1029", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "db9bd60f-97ff-4128-ac14-f50aad75c349:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "db9bd60f-97ff-4128-ac14-f50aad75c349:indexpattern-datasource-layer-6c5ec283-013e-440d-ba37-5c07a17e1029", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "a3ed8dcc-80c7-4b0b-b5ae-d367ca5399f2:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "a3ed8dcc-80c7-4b0b-b5ae-d367ca5399f2:indexpattern-datasource-layer-6c5ec283-013e-440d-ba37-5c07a17e1029", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "f8d6e38e-14f7-41d2-be81-0831c73cb443:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "f8d6e38e-14f7-41d2-be81-0831c73cb443:indexpattern-datasource-layer-6c5ec283-013e-440d-ba37-5c07a17e1029", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "185e465f-bd48-48e2-a8be-59854a7c3021:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "185e465f-bd48-48e2-a8be-59854a7c3021:indexpattern-datasource-layer-6c5ec283-013e-440d-ba37-5c07a17e1029", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "6a86f194-8e17-4b6c-8100-3fe42fbb85b0:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": 
"6a86f194-8e17-4b6c-8100-3fe42fbb85b0:indexpattern-datasource-layer-6c5ec283-013e-440d-ba37-5c07a17e1029", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "fefc98e2-ac0a-4929-92a1-3a8dcc396a8c:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "fefc98e2-ac0a-4929-92a1-3a8dcc396a8c:indexpattern-datasource-layer-11a19196-0f9a-4d8f-9347-348869de935c", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "1b347819-7723-4250-9dfc-647d474d1044:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "1b347819-7723-4250-9dfc-647d474d1044:indexpattern-datasource-layer-11a19196-0f9a-4d8f-9347-348869de935c", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "108877cb-bc4f-4870-90d4-732d4755014f:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "108877cb-bc4f-4870-90d4-732d4755014f:indexpattern-datasource-layer-11a19196-0f9a-4d8f-9347-348869de935c", - "type": "index-pattern" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/cloudflare_logpush/0.2.0/kibana/dashboard/cloudflare_logpush-87f6ad60-dc44-11ec-b76d-adcfe05cc1fe.json b/packages/cloudflare_logpush/0.2.0/kibana/dashboard/cloudflare_logpush-87f6ad60-dc44-11ec-b76d-adcfe05cc1fe.json deleted file mode 100755 index 8666a736ca..0000000000 --- a/packages/cloudflare_logpush/0.2.0/kibana/dashboard/cloudflare_logpush-87f6ad60-dc44-11ec-b76d-adcfe05cc1fe.json +++ /dev/null 
@@ -1,62 +0,0 @@ -{ - "attributes": { - "description": "Overview of Cloudflare Logpush DNS", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : cloudflare_logpush.dns\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-03e29e55-afcb-437c-bb00-1f567fd1318c\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"03e29e55-afcb-437c-bb00-1f567fd1318c\":{\"columnOrder\":[\"74abfc31-4cf6-459a-8dfb-156f029eb966\",\"53fe776d-6fe8-4603-942f-2ac32946d12b\"],\"columns\":{\"53fe776d-6fe8-4603-942f-2ac32946d12b\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Record\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"74abfc31-4cf6-459a-8dfb-156f029eb966\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Query Name\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"53fe776d-6fe8-4603-942f-2ac32946d12b\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"dns.question.name\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : 
cloudflare_logpush.dns\"},\"visualization\":{\"columns\":[{\"columnId\":\"74abfc31-4cf6-459a-8dfb-156f029eb966\",\"isTransposed\":false},{\"alignment\":\"left\",\"columnId\":\"53fe776d-6fe8-4603-942f-2ac32946d12b\",\"isTransposed\":false}],\"layerId\":\"03e29e55-afcb-437c-bb00-1f567fd1318c\",\"layerType\":\"data\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsDatatable\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"8b2c5062-d0d3-42b5-9e76-426e3ac2d3fa\",\"w\":24,\"x\":0,\"y\":0},\"panelIndex\":\"8b2c5062-d0d3-42b5-9e76-426e3ac2d3fa\",\"title\":\"Top 10 Query Name [Logs Cloudflare Logpush]\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-03e29e55-afcb-437c-bb00-1f567fd1318c\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"03e29e55-afcb-437c-bb00-1f567fd1318c\":{\"columnOrder\":[\"74abfc31-4cf6-459a-8dfb-156f029eb966\",\"53fe776d-6fe8-4603-942f-2ac32946d12b\"],\"columns\":{\"53fe776d-6fe8-4603-942f-2ac32946d12b\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Record\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"74abfc31-4cf6-459a-8dfb-156f029eb966\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Source IP\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"53fe776d-6fe8-4603-942f-2ac32946d12b\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"source.ip\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : 
cloudflare_logpush.dns\"},\"visualization\":{\"columns\":[{\"columnId\":\"74abfc31-4cf6-459a-8dfb-156f029eb966\",\"isTransposed\":false},{\"alignment\":\"left\",\"columnId\":\"53fe776d-6fe8-4603-942f-2ac32946d12b\",\"isTransposed\":false}],\"layerId\":\"03e29e55-afcb-437c-bb00-1f567fd1318c\",\"layerType\":\"data\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsDatatable\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"d6ed2af3-5357-4d8c-a56d-317a6e941516\",\"w\":24,\"x\":24,\"y\":0},\"panelIndex\":\"d6ed2af3-5357-4d8c-a56d-317a6e941516\",\"title\":\"Top 10 Source IP [Logs Cloudflare Logpush]\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-03e29e55-afcb-437c-bb00-1f567fd1318c\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"03e29e55-afcb-437c-bb00-1f567fd1318c\":{\"columnOrder\":[\"74abfc31-4cf6-459a-8dfb-156f029eb966\",\"53fe776d-6fe8-4603-942f-2ac32946d12b\"],\"columns\":{\"53fe776d-6fe8-4603-942f-2ac32946d12b\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Record\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"74abfc31-4cf6-459a-8dfb-156f029eb966\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"EDNS Subnet\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"53fe776d-6fe8-4603-942f-2ac32946d12b\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"cloudflare_logpush.dns.edns.subnet\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : 
cloudflare_logpush.dns\"},\"visualization\":{\"columns\":[{\"columnId\":\"74abfc31-4cf6-459a-8dfb-156f029eb966\",\"isTransposed\":false},{\"alignment\":\"left\",\"columnId\":\"53fe776d-6fe8-4603-942f-2ac32946d12b\",\"isTransposed\":false}],\"layerId\":\"03e29e55-afcb-437c-bb00-1f567fd1318c\",\"layerType\":\"data\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsDatatable\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"959ef816-ed24-47cc-8e0d-b0cef0e700f9\",\"w\":24,\"x\":0,\"y\":15},\"panelIndex\":\"959ef816-ed24-47cc-8e0d-b0cef0e700f9\",\"title\":\"Top 10 EDNS Subnet [Logs Cloudflare Logpush]\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-03e29e55-afcb-437c-bb00-1f567fd1318c\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"03e29e55-afcb-437c-bb00-1f567fd1318c\":{\"columnOrder\":[\"74abfc31-4cf6-459a-8dfb-156f029eb966\",\"1842a69c-e35f-4ebc-8deb-eb8572d6bb89\",\"09e7fa3c-0757-42c7-a96b-7d1d0c27c2a1\",\"53fe776d-6fe8-4603-942f-2ac32946d12b\"],\"columns\":{\"09e7fa3c-0757-42c7-a96b-7d1d0c27c2a1\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Response Code\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"53fe776d-6fe8-4603-942f-2ac32946d12b\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"cloudflare_logpush.dns.response.code\"},\"1842a69c-e35f-4ebc-8deb-eb8572d6bb89\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Query 
Type\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"53fe776d-6fe8-4603-942f-2ac32946d12b\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"cloudflare_logpush.dns.query.type\"},\"53fe776d-6fe8-4603-942f-2ac32946d12b\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Record\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"74abfc31-4cf6-459a-8dfb-156f029eb966\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Query Name\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"53fe776d-6fe8-4603-942f-2ac32946d12b\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"dns.question.name\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : cloudflare_logpush.dns\"},\"visualization\":{\"columns\":[{\"columnId\":\"74abfc31-4cf6-459a-8dfb-156f029eb966\",\"isTransposed\":false},{\"alignment\":\"left\",\"columnId\":\"53fe776d-6fe8-4603-942f-2ac32946d12b\",\"isTransposed\":false},{\"columnId\":\"1842a69c-e35f-4ebc-8deb-eb8572d6bb89\",\"isTransposed\":false},{\"columnId\":\"09e7fa3c-0757-42c7-a96b-7d1d0c27c2a1\",\"isTransposed\":false}],\"layerId\":\"03e29e55-afcb-437c-bb00-1f567fd1318c\",\"layerType\":\"data\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsDatatable\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"8ec3f64a-33a1-463d-95a1-7bc3058a17d7\",\"w\":24,\"x\":24,\"y\":15},\"panelIndex\":\"8ec3f64a-33a1-463d-95a1-7bc3058a17d7\",\"title\":\"Top 10 Query Name, Query Type and Response Code [Logs Cloudflare Logpush]\",\"type\":\"lens\",\"version\":\"7.17.0\"}]", - "timeRestore": false, - "title": "[Logs Cloudflare Logpush] DNS", - "version": 1 - }, - 
"coreMigrationVersion": "7.17.0", - "id": "cloudflare_logpush-87f6ad60-dc44-11ec-b76d-adcfe05cc1fe", - "migrationVersion": { - "dashboard": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "8b2c5062-d0d3-42b5-9e76-426e3ac2d3fa:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "8b2c5062-d0d3-42b5-9e76-426e3ac2d3fa:indexpattern-datasource-layer-03e29e55-afcb-437c-bb00-1f567fd1318c", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "d6ed2af3-5357-4d8c-a56d-317a6e941516:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "d6ed2af3-5357-4d8c-a56d-317a6e941516:indexpattern-datasource-layer-03e29e55-afcb-437c-bb00-1f567fd1318c", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "959ef816-ed24-47cc-8e0d-b0cef0e700f9:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "959ef816-ed24-47cc-8e0d-b0cef0e700f9:indexpattern-datasource-layer-03e29e55-afcb-437c-bb00-1f567fd1318c", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "8ec3f64a-33a1-463d-95a1-7bc3058a17d7:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "8ec3f64a-33a1-463d-95a1-7bc3058a17d7:indexpattern-datasource-layer-03e29e55-afcb-437c-bb00-1f567fd1318c", - "type": "index-pattern" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/cloudflare_logpush/0.2.0/kibana/dashboard/cloudflare_logpush-a32a0690-dc44-11ec-b76d-adcfe05cc1fe.json b/packages/cloudflare_logpush/0.2.0/kibana/dashboard/cloudflare_logpush-a32a0690-dc44-11ec-b76d-adcfe05cc1fe.json deleted file mode 100755 index 5a2a659014..0000000000 --- a/packages/cloudflare_logpush/0.2.0/kibana/dashboard/cloudflare_logpush-a32a0690-dc44-11ec-b76d-adcfe05cc1fe.json +++ /dev/null 
@@ -1,102 +0,0 @@ -{ - "attributes": { - "description": "Overview of Cloudflare Logpush Firewall Event", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : cloudflare_logpush.firewall_event\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-e1387f16-fd92-452b-8630-fecce75da357\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"e1387f16-fd92-452b-8630-fecce75da357\":{\"columnOrder\":[\"1488c1f4-4def-4898-aa81-ab08402286b5\",\"2d0e21b7-6b91-41ef-9dd2-a01c1e5fc2bc\"],\"columns\":{\"1488c1f4-4def-4898-aa81-ab08402286b5\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Action\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"2d0e21b7-6b91-41ef-9dd2-a01c1e5fc2bc\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"event.action\"},\"2d0e21b7-6b91-41ef-9dd2-a01c1e5fc2bc\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Record\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : 
cloudflare_logpush.firewall_event\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"1488c1f4-4def-4898-aa81-ab08402286b5\"],\"layerId\":\"e1387f16-fd92-452b-8630-fecce75da357\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"2d0e21b7-6b91-41ef-9dd2-a01c1e5fc2bc\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"pie\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"bde8d836-7f82-4729-a870-8ef3aa0cb150\",\"w\":24,\"x\":0,\"y\":0},\"panelIndex\":\"bde8d836-7f82-4729-a870-8ef3aa0cb150\",\"title\":\"Distribution of Firewall Event by Event Action [Logs Cloudflare Logpush]\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-e1387f16-fd92-452b-8630-fecce75da357\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"e1387f16-fd92-452b-8630-fecce75da357\":{\"columnOrder\":[\"1488c1f4-4def-4898-aa81-ab08402286b5\",\"2d0e21b7-6b91-41ef-9dd2-a01c1e5fc2bc\"],\"columns\":{\"1488c1f4-4def-4898-aa81-ab08402286b5\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Client IP 
Class\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"2d0e21b7-6b91-41ef-9dd2-a01c1e5fc2bc\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"cloudflare_logpush.firewall_event.client.ip_class\"},\"2d0e21b7-6b91-41ef-9dd2-a01c1e5fc2bc\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Record\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : cloudflare_logpush.firewall_event\"},\"visualization\":{\"layers\":[{\"accessors\":[\"2d0e21b7-6b91-41ef-9dd2-a01c1e5fc2bc\"],\"layerId\":\"e1387f16-fd92-452b-8630-fecce75da357\",\"layerType\":\"data\",\"position\":\"top\",\"seriesType\":\"bar_stacked\",\"showGridlines\":false,\"xAccessor\":\"1488c1f4-4def-4898-aa81-ab08402286b5\"}],\"legend\":{\"isVisible\":true,\"position\":\"right\",\"shouldTruncate\":false,\"showSingleSeries\":true},\"preferredSeriesType\":\"bar_stacked\",\"title\":\"Empty XY chart\",\"valueLabels\":\"hide\",\"yLeftExtent\":{\"mode\":\"full\"},\"yRightExtent\":{\"mode\":\"full\"}}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsXY\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"fa792bf5-0a98-4b40-8468-70c00d630e62\",\"w\":24,\"x\":24,\"y\":0},\"panelIndex\":\"fa792bf5-0a98-4b40-8468-70c00d630e62\",\"title\":\"Distribution of Firewall Event by Client IP Class [Logs Cloudflare 
Logpush]\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-e1387f16-fd92-452b-8630-fecce75da357\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"e1387f16-fd92-452b-8630-fecce75da357\":{\"columnOrder\":[\"1488c1f4-4def-4898-aa81-ab08402286b5\",\"2d0e21b7-6b91-41ef-9dd2-a01c1e5fc2bc\"],\"columns\":{\"1488c1f4-4def-4898-aa81-ab08402286b5\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Source Country\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"2d0e21b7-6b91-41ef-9dd2-a01c1e5fc2bc\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"source.geo.country_iso_code\"},\"2d0e21b7-6b91-41ef-9dd2-a01c1e5fc2bc\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Record\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : cloudflare_logpush.firewall_event\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"1488c1f4-4def-4898-aa81-ab08402286b5\"],\"layerId\":\"e1387f16-fd92-452b-8630-fecce75da357\",\"layerType\":\"data\",\"legendDisplay\":\"show\",\"metric\":\"2d0e21b7-6b91-41ef-9dd2-a01c1e5fc2bc\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"treemap\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"f75dad7c-b8cc-472f-94e4-6b130f0c72a7\",\"w\":24,\"x\":0,\"y\":15},\"panelIndex\":\"f75dad7c-b8cc-472f-94e4-6b130f0c72a7\",\"title\":\"Distribution of Firewall Event 
by Source Country [Logs Cloudflare Logpush]\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-dc2bac47-d6ac-4216-8e62-356cb0dc1399\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"dc2bac47-d6ac-4216-8e62-356cb0dc1399\":{\"columnOrder\":[\"1a75cf43-6319-402f-8c32-7d0433f5ba7f\",\"7ae5d06e-c830-47b1-a134-b3aff58f3a53\"],\"columns\":{\"1a75cf43-6319-402f-8c32-7d0433f5ba7f\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Client Request Protocol\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"7ae5d06e-c830-47b1-a134-b3aff58f3a53\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"cloudflare_logpush.firewall_event.client.request.protocol\"},\"7ae5d06e-c830-47b1-a134-b3aff58f3a53\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Record\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : 
cloudflare_logpush.firewall_event\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"1a75cf43-6319-402f-8c32-7d0433f5ba7f\"],\"layerId\":\"dc2bac47-d6ac-4216-8e62-356cb0dc1399\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"7ae5d06e-c830-47b1-a134-b3aff58f3a53\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"pie\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"30ebc076-8273-4106-b4a8-66c8bdec8934\",\"w\":24,\"x\":24,\"y\":15},\"panelIndex\":\"30ebc076-8273-4106-b4a8-66c8bdec8934\",\"title\":\"Distribution of Firewall Event Class by Client Request Protocol [Logs Cloudflare Logpush]\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-dc2bac47-d6ac-4216-8e62-356cb0dc1399\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"dc2bac47-d6ac-4216-8e62-356cb0dc1399\":{\"columnOrder\":[\"1a75cf43-6319-402f-8c32-7d0433f5ba7f\",\"7ae5d06e-c830-47b1-a134-b3aff58f3a53\"],\"columns\":{\"1a75cf43-6319-402f-8c32-7d0433f5ba7f\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Client Request 
Method\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"7ae5d06e-c830-47b1-a134-b3aff58f3a53\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"http.request.method\"},\"7ae5d06e-c830-47b1-a134-b3aff58f3a53\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Record\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : cloudflare_logpush.firewall_event\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"1a75cf43-6319-402f-8c32-7d0433f5ba7f\"],\"layerId\":\"dc2bac47-d6ac-4216-8e62-356cb0dc1399\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"7ae5d06e-c830-47b1-a134-b3aff58f3a53\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"pie\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"7d00d9d8-021f-4432-9e92-aa2ffc4eabd0\",\"w\":24,\"x\":0,\"y\":30},\"panelIndex\":\"7d00d9d8-021f-4432-9e92-aa2ffc4eabd0\",\"title\":\"Distribution of Firewall Event Class by Client Request Method [Logs Cloudflare 
Logpush]\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-0ac3ca38-403b-49d6-8c88-2301f1e09129\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"0ac3ca38-403b-49d6-8c88-2301f1e09129\":{\"columnOrder\":[\"c78c5d8b-bce8-4ee1-9a09-d015c1a9bebe\",\"82ca67a8-9f89-445e-9d36-9736717e55fd\"],\"columns\":{\"82ca67a8-9f89-445e-9d36-9736717e55fd\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Record\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"c78c5d8b-bce8-4ee1-9a09-d015c1a9bebe\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Source IP\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"82ca67a8-9f89-445e-9d36-9736717e55fd\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"source.ip\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : cloudflare_logpush.firewall_event\"},\"visualization\":{\"columns\":[{\"columnId\":\"c78c5d8b-bce8-4ee1-9a09-d015c1a9bebe\",\"isTransposed\":false},{\"alignment\":\"left\",\"columnId\":\"82ca67a8-9f89-445e-9d36-9736717e55fd\",\"isTransposed\":false}],\"layerId\":\"0ac3ca38-403b-49d6-8c88-2301f1e09129\",\"layerType\":\"data\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsDatatable\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"9385681c-22a8-46aa-8353-af82880e6a05\",\"w\":24,\"x\":24,\"y\":30},\"panelIndex\":\"9385681c-22a8-46aa-8353-af82880e6a05\",\"title\":\"Top 10 Source IP [Logs Cloudflare 
Logpush]\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-0ac3ca38-403b-49d6-8c88-2301f1e09129\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"0ac3ca38-403b-49d6-8c88-2301f1e09129\":{\"columnOrder\":[\"c78c5d8b-bce8-4ee1-9a09-d015c1a9bebe\",\"c1742315-9a64-496e-9d80-48848cd4393f\",\"82ca67a8-9f89-445e-9d36-9736717e55fd\"],\"columns\":{\"82ca67a8-9f89-445e-9d36-9736717e55fd\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Record\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"c1742315-9a64-496e-9d80-48848cd4393f\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"ASN Description\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"82ca67a8-9f89-445e-9d36-9736717e55fd\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":3},\"scale\":\"ordinal\",\"sourceField\":\"cloudflare_logpush.firewall_event.client.asn.description\"},\"c78c5d8b-bce8-4ee1-9a09-d015c1a9bebe\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"ASN \",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"82ca67a8-9f89-445e-9d36-9736717e55fd\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"source.as.number\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : 
cloudflare_logpush.firewall_event\"},\"visualization\":{\"columns\":[{\"columnId\":\"c78c5d8b-bce8-4ee1-9a09-d015c1a9bebe\",\"isTransposed\":false},{\"alignment\":\"left\",\"columnId\":\"82ca67a8-9f89-445e-9d36-9736717e55fd\",\"isTransposed\":false},{\"columnId\":\"c1742315-9a64-496e-9d80-48848cd4393f\",\"isTransposed\":false}],\"layerId\":\"0ac3ca38-403b-49d6-8c88-2301f1e09129\",\"layerType\":\"data\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsDatatable\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"ce0376c7-0c9c-4657-9569-bda33374e67b\",\"w\":24,\"x\":0,\"y\":45},\"panelIndex\":\"ce0376c7-0c9c-4657-9569-bda33374e67b\",\"title\":\"Top 10 Source ASN and ASN Description [Logs Cloudflare Logpush]\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-0ac3ca38-403b-49d6-8c88-2301f1e09129\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"0ac3ca38-403b-49d6-8c88-2301f1e09129\":{\"columnOrder\":[\"c78c5d8b-bce8-4ee1-9a09-d015c1a9bebe\",\"ce735bcf-ae0a-4c8d-b86a-4c2ca7400421\",\"82ca67a8-9f89-445e-9d36-9736717e55fd\"],\"columns\":{\"82ca67a8-9f89-445e-9d36-9736717e55fd\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Record\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"c78c5d8b-bce8-4ee1-9a09-d015c1a9bebe\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Client Referer 
Host\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"82ca67a8-9f89-445e-9d36-9736717e55fd\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"cloudflare_logpush.firewall_event.client.referer.host\"},\"ce735bcf-ae0a-4c8d-b86a-4c2ca7400421\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Client Request Host\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"82ca67a8-9f89-445e-9d36-9736717e55fd\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"cloudflare_logpush.firewall_event.client.request.host\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : cloudflare_logpush.firewall_event\"},\"visualization\":{\"columns\":[{\"columnId\":\"c78c5d8b-bce8-4ee1-9a09-d015c1a9bebe\",\"isTransposed\":false},{\"alignment\":\"left\",\"columnId\":\"82ca67a8-9f89-445e-9d36-9736717e55fd\",\"isTransposed\":false},{\"columnId\":\"ce735bcf-ae0a-4c8d-b86a-4c2ca7400421\",\"isTransposed\":false}],\"layerId\":\"0ac3ca38-403b-49d6-8c88-2301f1e09129\",\"layerType\":\"data\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsDatatable\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"93ac4ff5-13c5-40d3-a7e9-14faca9ea9db\",\"w\":24,\"x\":24,\"y\":45},\"panelIndex\":\"93ac4ff5-13c5-40d3-a7e9-14faca9ea9db\",\"title\":\"Top 10 Client Referer Host and Client Request Host [Logs Cloudflare Logpush]\",\"type\":\"lens\",\"version\":\"7.17.0\"}]", - "timeRestore": false, - "title": "[Logs Cloudflare Logpush] Firewall Event", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "cloudflare_logpush-a32a0690-dc44-11ec-b76d-adcfe05cc1fe", - "migrationVersion": { - "dashboard": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - 
"name": "bde8d836-7f82-4729-a870-8ef3aa0cb150:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "bde8d836-7f82-4729-a870-8ef3aa0cb150:indexpattern-datasource-layer-e1387f16-fd92-452b-8630-fecce75da357", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "fa792bf5-0a98-4b40-8468-70c00d630e62:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "fa792bf5-0a98-4b40-8468-70c00d630e62:indexpattern-datasource-layer-e1387f16-fd92-452b-8630-fecce75da357", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "f75dad7c-b8cc-472f-94e4-6b130f0c72a7:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "f75dad7c-b8cc-472f-94e4-6b130f0c72a7:indexpattern-datasource-layer-e1387f16-fd92-452b-8630-fecce75da357", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "30ebc076-8273-4106-b4a8-66c8bdec8934:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "30ebc076-8273-4106-b4a8-66c8bdec8934:indexpattern-datasource-layer-dc2bac47-d6ac-4216-8e62-356cb0dc1399", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "7d00d9d8-021f-4432-9e92-aa2ffc4eabd0:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "7d00d9d8-021f-4432-9e92-aa2ffc4eabd0:indexpattern-datasource-layer-dc2bac47-d6ac-4216-8e62-356cb0dc1399", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "9385681c-22a8-46aa-8353-af82880e6a05:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "9385681c-22a8-46aa-8353-af82880e6a05:indexpattern-datasource-layer-0ac3ca38-403b-49d6-8c88-2301f1e09129", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": 
"ce0376c7-0c9c-4657-9569-bda33374e67b:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "ce0376c7-0c9c-4657-9569-bda33374e67b:indexpattern-datasource-layer-0ac3ca38-403b-49d6-8c88-2301f1e09129", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "93ac4ff5-13c5-40d3-a7e9-14faca9ea9db:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "93ac4ff5-13c5-40d3-a7e9-14faca9ea9db:indexpattern-datasource-layer-0ac3ca38-403b-49d6-8c88-2301f1e09129", - "type": "index-pattern" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/cloudflare_logpush/0.2.0/kibana/dashboard/cloudflare_logpush-bb426420-dc44-11ec-b76d-adcfe05cc1fe.json b/packages/cloudflare_logpush/0.2.0/kibana/dashboard/cloudflare_logpush-bb426420-dc44-11ec-b76d-adcfe05cc1fe.json deleted file mode 100755 index 45f79b182a..0000000000 --- a/packages/cloudflare_logpush/0.2.0/kibana/dashboard/cloudflare_logpush-bb426420-dc44-11ec-b76d-adcfe05cc1fe.json +++ /dev/null 
@@ -1,97 +0,0 @@ -{ - "attributes": { - "description": "Overview of Cloudflare Logpush HTTP Request", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : cloudflare_logpush.http_request\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-00280489-72e4-4070-a226-57e14a57080f\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"00280489-72e4-4070-a226-57e14a57080f\":{\"columnOrder\":[\"30a50e8b-fb9f-48dc-82ca-bd6069537dcc\",\"ce5dbaea-6c81-4e2f-89dd-78097bf4bd36\"],\"columns\":{\"30a50e8b-fb9f-48dc-82ca-bd6069537dcc\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\" Edge Rate Limit Action\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"ce5dbaea-6c81-4e2f-89dd-78097bf4bd36\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"cloudflare_logpush.http_request.edge.rate.limit.action\"},\"ce5dbaea-6c81-4e2f-89dd-78097bf4bd36\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Record\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : 
cloudflare_logpush.http_request\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"30a50e8b-fb9f-48dc-82ca-bd6069537dcc\"],\"layerId\":\"00280489-72e4-4070-a226-57e14a57080f\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"ce5dbaea-6c81-4e2f-89dd-78097bf4bd36\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"pie\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"6046f18e-7779-4ea6-b387-213bc81b36f0\",\"w\":15,\"x\":0,\"y\":0},\"panelIndex\":\"6046f18e-7779-4ea6-b387-213bc81b36f0\",\"title\":\"Distribution of HTTP Request by Edge Rate Limit Action [Logs Cloudflare Logpush]\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-00280489-72e4-4070-a226-57e14a57080f\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"00280489-72e4-4070-a226-57e14a57080f\":{\"columnOrder\":[\"30a50e8b-fb9f-48dc-82ca-bd6069537dcc\",\"ce5dbaea-6c81-4e2f-89dd-78097bf4bd36\"],\"columns\":{\"30a50e8b-fb9f-48dc-82ca-bd6069537dcc\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Client Request 
Method\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"ce5dbaea-6c81-4e2f-89dd-78097bf4bd36\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"http.request.method\"},\"ce5dbaea-6c81-4e2f-89dd-78097bf4bd36\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Record\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : cloudflare_logpush.http_request\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"30a50e8b-fb9f-48dc-82ca-bd6069537dcc\"],\"layerId\":\"00280489-72e4-4070-a226-57e14a57080f\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"ce5dbaea-6c81-4e2f-89dd-78097bf4bd36\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"pie\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"ec4ead06-9bbf-4f27-9dca-03dd92a55089\",\"w\":16,\"x\":15,\"y\":0},\"panelIndex\":\"ec4ead06-9bbf-4f27-9dca-03dd92a55089\",\"title\":\"Distribution of HTTP Request by Client Request Method [Logs Cloudflare 
Logpush]\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-00280489-72e4-4070-a226-57e14a57080f\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"00280489-72e4-4070-a226-57e14a57080f\":{\"columnOrder\":[\"30a50e8b-fb9f-48dc-82ca-bd6069537dcc\",\"ce5dbaea-6c81-4e2f-89dd-78097bf4bd36\"],\"columns\":{\"30a50e8b-fb9f-48dc-82ca-bd6069537dcc\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Client Device Type\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"ce5dbaea-6c81-4e2f-89dd-78097bf4bd36\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"cloudflare_logpush.http_request.client.device.type\"},\"ce5dbaea-6c81-4e2f-89dd-78097bf4bd36\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Record\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : 
cloudflare_logpush.http_request\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"30a50e8b-fb9f-48dc-82ca-bd6069537dcc\"],\"layerId\":\"00280489-72e4-4070-a226-57e14a57080f\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"ce5dbaea-6c81-4e2f-89dd-78097bf4bd36\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"pie\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"9c4f4004-d4b0-471f-9535-09c11555e5a1\",\"w\":17,\"x\":31,\"y\":0},\"panelIndex\":\"9c4f4004-d4b0-471f-9535-09c11555e5a1\",\"title\":\"Distribution of HTTP Request by Client Device Type [Logs Cloudflare Logpush]\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-a3b36fd5-7e6e-4298-9c99-da41f685b6ac\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"a3b36fd5-7e6e-4298-9c99-da41f685b6ac\":{\"columnOrder\":[\"fe115b65-6c58-4088-ae8d-e8edbc1cf18c\",\"21ca64f8-cd25-4535-afa2-a70bbaaa3295\"],\"columns\":{\"21ca64f8-cd25-4535-afa2-a70bbaaa3295\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Record\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"fe115b65-6c58-4088-ae8d-e8edbc1cf18c\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Cllient IP 
Class\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"21ca64f8-cd25-4535-afa2-a70bbaaa3295\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"cloudflare_logpush.http_request.client.ip_class\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : cloudflare_logpush.http_request\"},\"visualization\":{\"layers\":[{\"accessors\":[\"21ca64f8-cd25-4535-afa2-a70bbaaa3295\"],\"layerId\":\"a3b36fd5-7e6e-4298-9c99-da41f685b6ac\",\"layerType\":\"data\",\"position\":\"top\",\"seriesType\":\"bar_stacked\",\"showGridlines\":false,\"xAccessor\":\"fe115b65-6c58-4088-ae8d-e8edbc1cf18c\"}],\"legend\":{\"isVisible\":true,\"position\":\"right\",\"shouldTruncate\":false,\"showSingleSeries\":true},\"preferredSeriesType\":\"bar_stacked\",\"title\":\"Empty XY chart\",\"valueLabels\":\"hide\",\"yLeftExtent\":{\"mode\":\"full\"},\"yRightExtent\":{\"mode\":\"full\"}}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsXY\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"36ba08a4-1ebd-46bd-a95d-6855c7992a68\",\"w\":24,\"x\":0,\"y\":15},\"panelIndex\":\"36ba08a4-1ebd-46bd-a95d-6855c7992a68\",\"title\":\"Distribution of HTTP Request by Client IP Class [Logs Cloudflare 
Logpush]\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-00280489-72e4-4070-a226-57e14a57080f\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"00280489-72e4-4070-a226-57e14a57080f\":{\"columnOrder\":[\"30a50e8b-fb9f-48dc-82ca-bd6069537dcc\",\"ce5dbaea-6c81-4e2f-89dd-78097bf4bd36\"],\"columns\":{\"30a50e8b-fb9f-48dc-82ca-bd6069537dcc\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"WAF Profile\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"ce5dbaea-6c81-4e2f-89dd-78097bf4bd36\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"cloudflare_logpush.http_request.waf.profile\"},\"ce5dbaea-6c81-4e2f-89dd-78097bf4bd36\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Record\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : cloudflare_logpush.http_request\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"30a50e8b-fb9f-48dc-82ca-bd6069537dcc\"],\"layerId\":\"00280489-72e4-4070-a226-57e14a57080f\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"ce5dbaea-6c81-4e2f-89dd-78097bf4bd36\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"pie\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"42860ae9-0100-4c5b-aad4-e9b9ebd8eb1d\",\"w\":24,\"x\":24,\"y\":15},\"panelIndex\":\"42860ae9-0100-4c5b-aad4-e9b9ebd8eb1d\",\"title\":\"Distribution of HTTP 
Request by WAF Profile [Logs Cloudflare Logpush]\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-a3b36fd5-7e6e-4298-9c99-da41f685b6ac\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"a3b36fd5-7e6e-4298-9c99-da41f685b6ac\":{\"columnOrder\":[\"fe115b65-6c58-4088-ae8d-e8edbc1cf18c\",\"21ca64f8-cd25-4535-afa2-a70bbaaa3295\"],\"columns\":{\"21ca64f8-cd25-4535-afa2-a70bbaaa3295\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Record\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"fe115b65-6c58-4088-ae8d-e8edbc1cf18c\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Client MTLS Auth Status\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"21ca64f8-cd25-4535-afa2-a70bbaaa3295\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"cloudflare_logpush.http_request.client.mtls.auth.status\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : cloudflare_logpush.http_request\"},\"visualization\":{\"layers\":[{\"accessors\":[\"21ca64f8-cd25-4535-afa2-a70bbaaa3295\"],\"layerId\":\"a3b36fd5-7e6e-4298-9c99-da41f685b6ac\",\"layerType\":\"data\",\"position\":\"top\",\"seriesType\":\"bar_stacked\",\"showGridlines\":false,\"xAccessor\":\"fe115b65-6c58-4088-ae8d-e8edbc1cf18c\"}],\"legend\":{\"isVisible\":true,\"position\":\"right\",\"shouldTruncate\":false,\"showSingleSeries\":true},\"preferredSeriesType\":\"bar_stacked\",\"title\":\"Empty XY 
chart\",\"valueLabels\":\"hide\",\"yLeftExtent\":{\"mode\":\"full\"},\"yRightExtent\":{\"mode\":\"full\"}}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsXY\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"94b34910-bec2-4d2d-8cab-03339cee8eee\",\"w\":24,\"x\":0,\"y\":30},\"panelIndex\":\"94b34910-bec2-4d2d-8cab-03339cee8eee\",\"title\":\"Distribution of HTTP Request by Client MTLS Auth Status [Logs Cloudflare Logpush]\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-a3b36fd5-7e6e-4298-9c99-da41f685b6ac\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"a3b36fd5-7e6e-4298-9c99-da41f685b6ac\":{\"columnOrder\":[\"fe115b65-6c58-4088-ae8d-e8edbc1cf18c\",\"21ca64f8-cd25-4535-afa2-a70bbaaa3295\"],\"columns\":{\"21ca64f8-cd25-4535-afa2-a70bbaaa3295\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Record\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"fe115b65-6c58-4088-ae8d-e8edbc1cf18c\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Source Country\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"21ca64f8-cd25-4535-afa2-a70bbaaa3295\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"source.geo.country_iso_code\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : 
cloudflare_logpush.http_request\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"fe115b65-6c58-4088-ae8d-e8edbc1cf18c\"],\"layerId\":\"a3b36fd5-7e6e-4298-9c99-da41f685b6ac\",\"layerType\":\"data\",\"legendDisplay\":\"show\",\"metric\":\"21ca64f8-cd25-4535-afa2-a70bbaaa3295\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"treemap\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"ff959b8e-d7b9-4c5e-8d3b-e0381f0d1e35\",\"w\":24,\"x\":24,\"y\":30},\"panelIndex\":\"ff959b8e-d7b9-4c5e-8d3b-e0381f0d1e35\",\"title\":\"Distribution of HTTP Request by Source Country [Logs Cloudflare Logpush]\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":16,\"i\":\"dbb10aab-b109-41f3-8e37-dfc4d3a2c4cd\",\"w\":48,\"x\":0,\"y\":45},\"panelIndex\":\"dbb10aab-b109-41f3-8e37-dfc4d3a2c4cd\",\"panelRefName\":\"panel_dbb10aab-b109-41f3-8e37-dfc4d3a2c4cd\",\"type\":\"search\",\"version\":\"7.17.0\"}]", - "timeRestore": false, - "title": "[Logs Cloudflare Logpush] HTTP Request", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "cloudflare_logpush-bb426420-dc44-11ec-b76d-adcfe05cc1fe", - "migrationVersion": { - "dashboard": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "6046f18e-7779-4ea6-b387-213bc81b36f0:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "6046f18e-7779-4ea6-b387-213bc81b36f0:indexpattern-datasource-layer-00280489-72e4-4070-a226-57e14a57080f", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "ec4ead06-9bbf-4f27-9dca-03dd92a55089:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "ec4ead06-9bbf-4f27-9dca-03dd92a55089:indexpattern-datasource-layer-00280489-72e4-4070-a226-57e14a57080f", - "type": "index-pattern" - }, 
- { - "id": "logs-*", - "name": "9c4f4004-d4b0-471f-9535-09c11555e5a1:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "9c4f4004-d4b0-471f-9535-09c11555e5a1:indexpattern-datasource-layer-00280489-72e4-4070-a226-57e14a57080f", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "36ba08a4-1ebd-46bd-a95d-6855c7992a68:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "36ba08a4-1ebd-46bd-a95d-6855c7992a68:indexpattern-datasource-layer-a3b36fd5-7e6e-4298-9c99-da41f685b6ac", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "42860ae9-0100-4c5b-aad4-e9b9ebd8eb1d:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "42860ae9-0100-4c5b-aad4-e9b9ebd8eb1d:indexpattern-datasource-layer-00280489-72e4-4070-a226-57e14a57080f", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "94b34910-bec2-4d2d-8cab-03339cee8eee:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "94b34910-bec2-4d2d-8cab-03339cee8eee:indexpattern-datasource-layer-a3b36fd5-7e6e-4298-9c99-da41f685b6ac", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "ff959b8e-d7b9-4c5e-8d3b-e0381f0d1e35:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "ff959b8e-d7b9-4c5e-8d3b-e0381f0d1e35:indexpattern-datasource-layer-a3b36fd5-7e6e-4298-9c99-da41f685b6ac", - "type": "index-pattern" - }, - { - "id": "cloudflare_logpush-a58b3a80-e257-11ec-b57d-b9b9d5221e36", - "name": "dbb10aab-b109-41f3-8e37-dfc4d3a2c4cd:panel_dbb10aab-b109-41f3-8e37-dfc4d3a2c4cd", - "type": "search" - } - ], - "type": "dashboard" -} \ No newline at end of file 
diff --git a/packages/cloudflare_logpush/0.2.0/kibana/dashboard/cloudflare_logpush-cc375d30-dc44-11ec-b76d-adcfe05cc1fe.json b/packages/cloudflare_logpush/0.2.0/kibana/dashboard/cloudflare_logpush-cc375d30-dc44-11ec-b76d-adcfe05cc1fe.json deleted file mode 100755 index 0bc14f6cd8..0000000000 --- a/packages/cloudflare_logpush/0.2.0/kibana/dashboard/cloudflare_logpush-cc375d30-dc44-11ec-b76d-adcfe05cc1fe.json +++ /dev/null 
@@ -1,42 +0,0 @@ -{ - "attributes": { - "description": "Overview of Cloudflare Logpush NEL Report", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : cloudflare_logpush.nel_report\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-369c4c11-370e-43b1-9ecf-0e3d9fb66f98\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"369c4c11-370e-43b1-9ecf-0e3d9fb66f98\":{\"columnOrder\":[\"c81d383b-dcf1-4924-8443-8f2ff88e7ae9\",\"7a4f98bf-868e-44d7-a3a8-7133e4ba4837\",\"634cf9dc-2979-4708-b702-d3884ae339d1\"],\"columns\":{\"634cf9dc-2979-4708-b702-d3884ae339d1\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Record\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"7a4f98bf-868e-44d7-a3a8-7133e4ba4837\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"ASN 
Description\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"634cf9dc-2979-4708-b702-d3884ae339d1\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"cloudflare_logpush.nel_report.client.ip.asn.description\"},\"c81d383b-dcf1-4924-8443-8f2ff88e7ae9\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"ASN\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"634cf9dc-2979-4708-b702-d3884ae339d1\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"cloudflare_logpush.nel_report.client.ip.asn.value\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : cloudflare_logpush.nel_report\"},\"visualization\":{\"columns\":[{\"alignment\":\"left\",\"columnId\":\"c81d383b-dcf1-4924-8443-8f2ff88e7ae9\",\"isTransposed\":false},{\"alignment\":\"left\",\"columnId\":\"634cf9dc-2979-4708-b702-d3884ae339d1\",\"isTransposed\":false},{\"columnId\":\"7a4f98bf-868e-44d7-a3a8-7133e4ba4837\",\"isTransposed\":false}],\"layerId\":\"369c4c11-370e-43b1-9ecf-0e3d9fb66f98\",\"layerType\":\"data\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsDatatable\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"d6d36d84-cb11-4993-a30a-d82118413eda\",\"w\":24,\"x\":0,\"y\":0},\"panelIndex\":\"d6d36d84-cb11-4993-a30a-d82118413eda\",\"title\":\"Top 10 Source ASN and ASN Description [Logs Cloudflare 
Logpush]\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-f9bf86eb-26ae-4ddb-9181-98538c308622\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"f9bf86eb-26ae-4ddb-9181-98538c308622\":{\"columnOrder\":[\"72e4b51b-b59b-42ba-bfd8-bc61fe3fa8e0\",\"9a90d872-9aed-4dbe-9004-a8b6e34449c1\"],\"columns\":{\"72e4b51b-b59b-42ba-bfd8-bc61fe3fa8e0\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Error Type\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"9a90d872-9aed-4dbe-9004-a8b6e34449c1\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"error.type\"},\"9a90d872-9aed-4dbe-9004-a8b6e34449c1\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Record\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : cloudflare_logpush.nel_report\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"72e4b51b-b59b-42ba-bfd8-bc61fe3fa8e0\"],\"layerId\":\"f9bf86eb-26ae-4ddb-9181-98538c308622\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"9a90d872-9aed-4dbe-9004-a8b6e34449c1\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"pie\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"e28f00db-dc65-4c0c-84ce-dbf64b568c70\",\"w\":24,\"x\":24,\"y\":0},\"panelIndex\":\"e28f00db-dc65-4c0c-84ce-dbf64b568c70\",\"title\":\"Distribution of NEL Report by Error Type [Logs Cloudflare 
Logpush]\",\"type\":\"lens\",\"version\":\"7.17.0\"}]", - "timeRestore": false, - "title": "[Logs Cloudflare Logpush] NEL Report", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "cloudflare_logpush-cc375d30-dc44-11ec-b76d-adcfe05cc1fe", - "migrationVersion": { - "dashboard": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "d6d36d84-cb11-4993-a30a-d82118413eda:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "d6d36d84-cb11-4993-a30a-d82118413eda:indexpattern-datasource-layer-369c4c11-370e-43b1-9ecf-0e3d9fb66f98", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "e28f00db-dc65-4c0c-84ce-dbf64b568c70:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "e28f00db-dc65-4c0c-84ce-dbf64b568c70:indexpattern-datasource-layer-f9bf86eb-26ae-4ddb-9181-98538c308622", - "type": "index-pattern" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/cloudflare_logpush/0.2.0/kibana/dashboard/cloudflare_logpush-da55ddb0-dc44-11ec-b76d-adcfe05cc1fe.json b/packages/cloudflare_logpush/0.2.0/kibana/dashboard/cloudflare_logpush-da55ddb0-dc44-11ec-b76d-adcfe05cc1fe.json deleted file mode 100755 index de57a36726..0000000000 --- a/packages/cloudflare_logpush/0.2.0/kibana/dashboard/cloudflare_logpush-da55ddb0-dc44-11ec-b76d-adcfe05cc1fe.json +++ /dev/null 
@@ -1,97 +0,0 @@ -{ - "attributes": { - "description": "Overview of Cloudflare Logpush Spectrum Event", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : cloudflare_logpush.spectrum_event\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-656e0f51-b51d-4744-8d90-99c65f67f3fe\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"656e0f51-b51d-4744-8d90-99c65f67f3fe\":{\"columnOrder\":[\"cb0fbef4-6069-46c6-a70a-04187fdfae13\",\"ca5a0691-0551-4ba4-982f-8693eab0715d\"],\"columns\":{\"ca5a0691-0551-4ba4-982f-8693eab0715d\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Record\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"cb0fbef4-6069-46c6-a70a-04187fdfae13\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Spectrum Event\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"ca5a0691-0551-4ba4-982f-8693eab0715d\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"event.action\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : 
cloudflare_logpush.spectrum_event\"},\"visualization\":{\"layers\":[{\"accessors\":[\"ca5a0691-0551-4ba4-982f-8693eab0715d\"],\"layerId\":\"656e0f51-b51d-4744-8d90-99c65f67f3fe\",\"layerType\":\"data\",\"position\":\"top\",\"seriesType\":\"bar_stacked\",\"showGridlines\":false,\"xAccessor\":\"cb0fbef4-6069-46c6-a70a-04187fdfae13\"}],\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"preferredSeriesType\":\"bar_stacked\",\"title\":\"Empty XY chart\",\"valueLabels\":\"hide\",\"yLeftExtent\":{\"mode\":\"full\"},\"yRightExtent\":{\"mode\":\"full\"}}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsXY\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"c537f5d4-d56c-4ebb-800d-258916a4f7e4\",\"w\":24,\"x\":0,\"y\":0},\"panelIndex\":\"c537f5d4-d56c-4ebb-800d-258916a4f7e4\",\"title\":\"Distribution of Spectrum Event by Event Action [Logs Cloudflare Logpush]\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-656e0f51-b51d-4744-8d90-99c65f67f3fe\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"656e0f51-b51d-4744-8d90-99c65f67f3fe\":{\"columnOrder\":[\"cb0fbef4-6069-46c6-a70a-04187fdfae13\",\"ca5a0691-0551-4ba4-982f-8693eab0715d\"],\"columns\":{\"ca5a0691-0551-4ba4-982f-8693eab0715d\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Record\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"cb0fbef4-6069-46c6-a70a-04187fdfae13\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Source 
Country\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"ca5a0691-0551-4ba4-982f-8693eab0715d\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"source.geo.country_iso_code\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : cloudflare_logpush.spectrum_event\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"cb0fbef4-6069-46c6-a70a-04187fdfae13\"],\"layerId\":\"656e0f51-b51d-4744-8d90-99c65f67f3fe\",\"layerType\":\"data\",\"legendDisplay\":\"show\",\"metric\":\"ca5a0691-0551-4ba4-982f-8693eab0715d\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"treemap\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"1082e6a0-ecee-43e0-bb9a-c6d108bdd2a9\",\"w\":24,\"x\":24,\"y\":0},\"panelIndex\":\"1082e6a0-ecee-43e0-bb9a-c6d108bdd2a9\",\"title\":\"Distribution of Spectrum Event by Source Country [Logs Cloudflare 
Logpush]\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-656e0f51-b51d-4744-8d90-99c65f67f3fe\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"656e0f51-b51d-4744-8d90-99c65f67f3fe\":{\"columnOrder\":[\"cb0fbef4-6069-46c6-a70a-04187fdfae13\",\"ca5a0691-0551-4ba4-982f-8693eab0715d\"],\"columns\":{\"ca5a0691-0551-4ba4-982f-8693eab0715d\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Record\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"cb0fbef4-6069-46c6-a70a-04187fdfae13\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Client Matched IP Firewall\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"ca5a0691-0551-4ba4-982f-8693eab0715d\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"cloudflare_logpush.spectrum_event.client.matched_ip_firewall\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : cloudflare_logpush.spectrum_event\"},\"visualization\":{\"layers\":[{\"accessors\":[\"ca5a0691-0551-4ba4-982f-8693eab0715d\"],\"layerId\":\"656e0f51-b51d-4744-8d90-99c65f67f3fe\",\"layerType\":\"data\",\"position\":\"top\",\"seriesType\":\"bar_stacked\",\"showGridlines\":false,\"xAccessor\":\"cb0fbef4-6069-46c6-a70a-04187fdfae13\"}],\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"preferredSeriesType\":\"bar_stacked\",\"title\":\"Empty XY 
chart\",\"valueLabels\":\"hide\",\"yLeftExtent\":{\"mode\":\"full\"},\"yRightExtent\":{\"mode\":\"full\"}}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsXY\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"81514310-7291-4f6a-bfc9-e7c64b042c83\",\"w\":24,\"x\":0,\"y\":15},\"panelIndex\":\"81514310-7291-4f6a-bfc9-e7c64b042c83\",\"title\":\"Distribution of Spectrum Event by Client Matched IP Firewall [Logs Cloudflare Logpush]\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-656e0f51-b51d-4744-8d90-99c65f67f3fe\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"656e0f51-b51d-4744-8d90-99c65f67f3fe\":{\"columnOrder\":[\"cb0fbef4-6069-46c6-a70a-04187fdfae13\",\"c8db770e-36ce-4d75-87e3-03bf47db4905\",\"ca5a0691-0551-4ba4-982f-8693eab0715d\"],\"columns\":{\"c8db770e-36ce-4d75-87e3-03bf47db4905\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Client TLS Protocol Version\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"ca5a0691-0551-4ba4-982f-8693eab0715d\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"tls.version\"},\"ca5a0691-0551-4ba4-982f-8693eab0715d\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"cb0fbef4-6069-46c6-a70a-04187fdfae13\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Client TLS 
Protocol\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"ca5a0691-0551-4ba4-982f-8693eab0715d\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"tls.version_protocol\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"cloudflare_logpush.spectrum_event\\\" \"},\"visualization\":{\"columns\":[{\"columnId\":\"cb0fbef4-6069-46c6-a70a-04187fdfae13\"},{\"columnId\":\"c8db770e-36ce-4d75-87e3-03bf47db4905\"},{\"alignment\":\"left\",\"columnId\":\"ca5a0691-0551-4ba4-982f-8693eab0715d\"}],\"layerId\":\"656e0f51-b51d-4744-8d90-99c65f67f3fe\",\"layerType\":\"data\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsDatatable\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"db83321b-3729-48c6-a417-f09cb192c6d2\",\"w\":24,\"x\":24,\"y\":15},\"panelIndex\":\"db83321b-3729-48c6-a417-f09cb192c6d2\",\"title\":\"Top 10 Client TLS Protocol and TLS Version [Logs Cloudflare Logpush]\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-656e0f51-b51d-4744-8d90-99c65f67f3fe\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"656e0f51-b51d-4744-8d90-99c65f67f3fe\":{\"columnOrder\":[\"cb0fbef4-6069-46c6-a70a-04187fdfae13\",\"ca5a0691-0551-4ba4-982f-8693eab0715d\"],\"columns\":{\"ca5a0691-0551-4ba4-982f-8693eab0715d\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Record\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"cb0fbef4-6069-46c6-a70a-04187fdfae13\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Origin TLS 
Protocol\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"ca5a0691-0551-4ba4-982f-8693eab0715d\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"cloudflare_logpush.spectrum_event.origin.tls.protocol\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : cloudflare_logpush.spectrum_event\"},\"visualization\":{\"layers\":[{\"accessors\":[\"ca5a0691-0551-4ba4-982f-8693eab0715d\"],\"layerId\":\"656e0f51-b51d-4744-8d90-99c65f67f3fe\",\"layerType\":\"data\",\"position\":\"top\",\"seriesType\":\"bar_stacked\",\"showGridlines\":false,\"xAccessor\":\"cb0fbef4-6069-46c6-a70a-04187fdfae13\"}],\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"preferredSeriesType\":\"bar_stacked\",\"title\":\"Empty XY chart\",\"valueLabels\":\"hide\",\"yLeftExtent\":{\"mode\":\"full\"},\"yRightExtent\":{\"mode\":\"full\"}}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsXY\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"73c0274d-7f24-4763-aac0-eef36b1a6904\",\"w\":24,\"x\":0,\"y\":30},\"panelIndex\":\"73c0274d-7f24-4763-aac0-eef36b1a6904\",\"title\":\"Distribution of Spectrum Event by Origin TLS Protocol [Logs Cloudflare 
Logpush]\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-656e0f51-b51d-4744-8d90-99c65f67f3fe\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"656e0f51-b51d-4744-8d90-99c65f67f3fe\":{\"columnOrder\":[\"cb0fbef4-6069-46c6-a70a-04187fdfae13\",\"ca5a0691-0551-4ba4-982f-8693eab0715d\"],\"columns\":{\"ca5a0691-0551-4ba4-982f-8693eab0715d\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Record\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"cb0fbef4-6069-46c6-a70a-04187fdfae13\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Client TLS Status\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"ca5a0691-0551-4ba4-982f-8693eab0715d\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"cloudflare_logpush.spectrum_event.client.tls.status\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : cloudflare_logpush.spectrum_event\"},\"visualization\":{\"layers\":[{\"accessors\":[\"ca5a0691-0551-4ba4-982f-8693eab0715d\"],\"layerId\":\"656e0f51-b51d-4744-8d90-99c65f67f3fe\",\"layerType\":\"data\",\"position\":\"top\",\"seriesType\":\"bar_stacked\",\"showGridlines\":false,\"xAccessor\":\"cb0fbef4-6069-46c6-a70a-04187fdfae13\"}],\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"preferredSeriesType\":\"bar_stacked\",\"title\":\"Empty XY 
chart\",\"valueLabels\":\"hide\",\"yLeftExtent\":{\"mode\":\"full\"},\"yRightExtent\":{\"mode\":\"full\"}}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsXY\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"0229b8d8-fe10-4ed5-938c-135fa3332836\",\"w\":24,\"x\":24,\"y\":30},\"panelIndex\":\"0229b8d8-fe10-4ed5-938c-135fa3332836\",\"title\":\"Distribution of Spectrum Event by Client TLS Status [Logs Cloudflare Logpush]\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-656e0f51-b51d-4744-8d90-99c65f67f3fe\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"656e0f51-b51d-4744-8d90-99c65f67f3fe\":{\"columnOrder\":[\"cb0fbef4-6069-46c6-a70a-04187fdfae13\",\"ca5a0691-0551-4ba4-982f-8693eab0715d\"],\"columns\":{\"ca5a0691-0551-4ba4-982f-8693eab0715d\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Record\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"cb0fbef4-6069-46c6-a70a-04187fdfae13\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Origin TLS Status\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"ca5a0691-0551-4ba4-982f-8693eab0715d\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"cloudflare_logpush.spectrum_event.origin.tls.status\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : 
cloudflare_logpush.spectrum_event\"},\"visualization\":{\"layers\":[{\"accessors\":[\"ca5a0691-0551-4ba4-982f-8693eab0715d\"],\"layerId\":\"656e0f51-b51d-4744-8d90-99c65f67f3fe\",\"layerType\":\"data\",\"position\":\"top\",\"seriesType\":\"bar_stacked\",\"showGridlines\":false,\"xAccessor\":\"cb0fbef4-6069-46c6-a70a-04187fdfae13\"}],\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"preferredSeriesType\":\"bar_stacked\",\"title\":\"Empty XY chart\",\"valueLabels\":\"hide\",\"yLeftExtent\":{\"mode\":\"full\"},\"yRightExtent\":{\"mode\":\"full\"}}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsXY\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"e769bb45-9bb6-4902-aadd-9622b8ef0197\",\"w\":24,\"x\":0,\"y\":45},\"panelIndex\":\"e769bb45-9bb6-4902-aadd-9622b8ef0197\",\"title\":\"Distribution of Spectrum Event by Origin TLS Status [Logs Cloudflare Logpush]\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"5a5b611e-8fa5-4b4d-ae6c-5b971bbcd71f\",\"w\":24,\"x\":24,\"y\":45},\"panelIndex\":\"5a5b611e-8fa5-4b4d-ae6c-5b971bbcd71f\",\"panelRefName\":\"panel_5a5b611e-8fa5-4b4d-ae6c-5b971bbcd71f\",\"type\":\"search\",\"version\":\"7.17.0\"}]", - "timeRestore": false, - "title": "[Logs Cloudflare Logpush] Spectrum Event", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "cloudflare_logpush-da55ddb0-dc44-11ec-b76d-adcfe05cc1fe", - "migrationVersion": { - "dashboard": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "c537f5d4-d56c-4ebb-800d-258916a4f7e4:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "c537f5d4-d56c-4ebb-800d-258916a4f7e4:indexpattern-datasource-layer-656e0f51-b51d-4744-8d90-99c65f67f3fe", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "1082e6a0-ecee-43e0-bb9a-c6d108bdd2a9:indexpattern-datasource-current-indexpattern", - "type": 
"index-pattern" - }, - { - "id": "logs-*", - "name": "1082e6a0-ecee-43e0-bb9a-c6d108bdd2a9:indexpattern-datasource-layer-656e0f51-b51d-4744-8d90-99c65f67f3fe", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "81514310-7291-4f6a-bfc9-e7c64b042c83:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "81514310-7291-4f6a-bfc9-e7c64b042c83:indexpattern-datasource-layer-656e0f51-b51d-4744-8d90-99c65f67f3fe", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "db83321b-3729-48c6-a417-f09cb192c6d2:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "db83321b-3729-48c6-a417-f09cb192c6d2:indexpattern-datasource-layer-656e0f51-b51d-4744-8d90-99c65f67f3fe", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "73c0274d-7f24-4763-aac0-eef36b1a6904:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "73c0274d-7f24-4763-aac0-eef36b1a6904:indexpattern-datasource-layer-656e0f51-b51d-4744-8d90-99c65f67f3fe", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "0229b8d8-fe10-4ed5-938c-135fa3332836:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "0229b8d8-fe10-4ed5-938c-135fa3332836:indexpattern-datasource-layer-656e0f51-b51d-4744-8d90-99c65f67f3fe", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "e769bb45-9bb6-4902-aadd-9622b8ef0197:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "e769bb45-9bb6-4902-aadd-9622b8ef0197:indexpattern-datasource-layer-656e0f51-b51d-4744-8d90-99c65f67f3fe", - "type": "index-pattern" - }, - { - "id": "cloudflare_logpush-dc01afe0-e24d-11ec-b57d-b9b9d5221e36", - "name": "5a5b611e-8fa5-4b4d-ae6c-5b971bbcd71f:panel_5a5b611e-8fa5-4b4d-ae6c-5b971bbcd71f", - "type": "search" - } - ], - "type": "dashboard" -} \ 
No newline at end of file diff --git a/packages/cloudflare_logpush/0.2.0/kibana/dashboard/cloudflare_logpush-e7a24120-dc44-11ec-b76d-adcfe05cc1fe.json b/packages/cloudflare_logpush/0.2.0/kibana/dashboard/cloudflare_logpush-e7a24120-dc44-11ec-b76d-adcfe05cc1fe.json deleted file mode 100755 index 33774d0e04..0000000000 --- a/packages/cloudflare_logpush/0.2.0/kibana/dashboard/cloudflare_logpush-e7a24120-dc44-11ec-b76d-adcfe05cc1fe.json +++ /dev/null 
@@ -1,52 +0,0 @@ -{ - "attributes": { - "description": "Overview of Cloudflare Logpush Audit", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : cloudflare_logpush.audit\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-281645e8-8598-44df-802e-c85f2da569f3\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"281645e8-8598-44df-802e-c85f2da569f3\":{\"columnOrder\":[\"0b8ca9d5-b895-4646-8c7a-00e333655530\",\"fa4abb57-b2ea-4ef4-a680-247411274de0\"],\"columns\":{\"0b8ca9d5-b895-4646-8c7a-00e333655530\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Actor Email\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"fa4abb57-b2ea-4ef4-a680-247411274de0\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"user.email\"},\"fa4abb57-b2ea-4ef4-a680-247411274de0\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Record\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : 
cloudflare_logpush.audit\"},\"visualization\":{\"columns\":[{\"columnId\":\"0b8ca9d5-b895-4646-8c7a-00e333655530\"},{\"alignment\":\"left\",\"columnId\":\"fa4abb57-b2ea-4ef4-a680-247411274de0\"}],\"layerId\":\"281645e8-8598-44df-802e-c85f2da569f3\",\"layerType\":\"data\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsDatatable\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"bd8b3896-5f51-403e-83c3-c054ef0ea60c\",\"w\":24,\"x\":0,\"y\":0},\"panelIndex\":\"bd8b3896-5f51-403e-83c3-c054ef0ea60c\",\"title\":\"Top 10 Actor Email [Logs Cloudflare Logpush]\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-2b1d1dcf-6ba1-4d88-8f09-81cea1f47e2d\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"2b1d1dcf-6ba1-4d88-8f09-81cea1f47e2d\":{\"columnOrder\":[\"3415516b-de49-4469-a162-05dd0d1d3af5\",\"c7854c23-c64e-4b66-944a-1620f451c034\"],\"columns\":{\"3415516b-de49-4469-a162-05dd0d1d3af5\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Resource Type\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"c7854c23-c64e-4b66-944a-1620f451c034\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"cloudflare_logpush.audit.resource.type\"},\"c7854c23-c64e-4b66-944a-1620f451c034\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Record\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : 
cloudflare_logpush.audit\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"3415516b-de49-4469-a162-05dd0d1d3af5\"],\"layerId\":\"2b1d1dcf-6ba1-4d88-8f09-81cea1f47e2d\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"c7854c23-c64e-4b66-944a-1620f451c034\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"pie\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"75187ff6-4c3a-409a-ba03-6738649bedb3\",\"w\":24,\"x\":24,\"y\":0},\"panelIndex\":\"75187ff6-4c3a-409a-ba03-6738649bedb3\",\"title\":\"Distribution of Audit by Resource Type [Logs Cloudflare Logpush]\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-2b1d1dcf-6ba1-4d88-8f09-81cea1f47e2d\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"2b1d1dcf-6ba1-4d88-8f09-81cea1f47e2d\":{\"columnOrder\":[\"3415516b-de49-4469-a162-05dd0d1d3af5\",\"c7854c23-c64e-4b66-944a-1620f451c034\"],\"columns\":{\"3415516b-de49-4469-a162-05dd0d1d3af5\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Action Type\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"c7854c23-c64e-4b66-944a-1620f451c034\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"event.action\"},\"c7854c23-c64e-4b66-944a-1620f451c034\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Record\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : 
cloudflare_logpush.audit\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"3415516b-de49-4469-a162-05dd0d1d3af5\"],\"layerId\":\"2b1d1dcf-6ba1-4d88-8f09-81cea1f47e2d\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"c7854c23-c64e-4b66-944a-1620f451c034\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"pie\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"f10a2a4e-1638-4b92-81ff-65786579e5b7\",\"w\":24,\"x\":0,\"y\":15},\"panelIndex\":\"f10a2a4e-1638-4b92-81ff-65786579e5b7\",\"title\":\"Distribution of Audit by Action Type [Logs Cloudflare Logpush]\",\"type\":\"lens\",\"version\":\"7.17.0\"}]", - "timeRestore": false, - "title": "[Logs Cloudflare Logpush] Audit", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "cloudflare_logpush-e7a24120-dc44-11ec-b76d-adcfe05cc1fe", - "migrationVersion": { - "dashboard": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "bd8b3896-5f51-403e-83c3-c054ef0ea60c:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "bd8b3896-5f51-403e-83c3-c054ef0ea60c:indexpattern-datasource-layer-281645e8-8598-44df-802e-c85f2da569f3", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "75187ff6-4c3a-409a-ba03-6738649bedb3:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "75187ff6-4c3a-409a-ba03-6738649bedb3:indexpattern-datasource-layer-2b1d1dcf-6ba1-4d88-8f09-81cea1f47e2d", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "f10a2a4e-1638-4b92-81ff-65786579e5b7:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "f10a2a4e-1638-4b92-81ff-65786579e5b7:indexpattern-datasource-layer-2b1d1dcf-6ba1-4d88-8f09-81cea1f47e2d", - "type": "index-pattern" - } - ], - "type": 
"dashboard" -} \ No newline at end of file diff --git a/packages/cloudflare_logpush/0.2.0/kibana/search/cloudflare_logpush-a58b3a80-e257-11ec-b57d-b9b9d5221e36.json b/packages/cloudflare_logpush/0.2.0/kibana/search/cloudflare_logpush-a58b3a80-e257-11ec-b57d-b9b9d5221e36.json deleted file mode 100755 index f85f44c0d5..0000000000 --- a/packages/cloudflare_logpush/0.2.0/kibana/search/cloudflare_logpush-a58b3a80-e257-11ec-b57d-b9b9d5221e36.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "attributes": { - "columns": [ - "cloudflare_logpush.http_request.client.request.host", - "source.ip", - "destination.ip", - "source.as.number" - ], - "description": "", - "grid": {}, - "hideChart": false, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : cloudflare_logpush.http_request\"}}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "HTTP Request [Logs Cloudflare Logpush]" - }, - "coreMigrationVersion": "7.17.0", - "id": "cloudflare_logpush-a58b3a80-e257-11ec-b57d-b9b9d5221e36", - "migrationVersion": { - "search": "7.9.3" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/cloudflare_logpush/0.2.0/kibana/search/cloudflare_logpush-dc01afe0-e24d-11ec-b57d-b9b9d5221e36.json b/packages/cloudflare_logpush/0.2.0/kibana/search/cloudflare_logpush-dc01afe0-e24d-11ec-b57d-b9b9d5221e36.json deleted file mode 100755 index febf9a1fcb..0000000000 --- a/packages/cloudflare_logpush/0.2.0/kibana/search/cloudflare_logpush-dc01afe0-e24d-11ec-b57d-b9b9d5221e36.json +++ /dev/null 
@@ -1,35 +0,0 @@ -{ - "attributes": { - "columns": [ - "source.ip", - "destination.ip", - "cloudflare_logpush.spectrum_event.client.protocol" - ], - "description": "", - "grid": {}, - "hideChart": false, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : cloudflare_logpush.spectrum_event\"}}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "Spectrum Event [Logs Cloudflare Logpush]" - }, - "coreMigrationVersion": "7.17.0", - "id": "cloudflare_logpush-dc01afe0-e24d-11ec-b57d-b9b9d5221e36", - "migrationVersion": { - "search": "7.9.3" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/cloudflare_logpush/0.2.0/manifest.yml b/packages/cloudflare_logpush/0.2.0/manifest.yml deleted file mode 100755 index da04da840b..0000000000 --- a/packages/cloudflare_logpush/0.2.0/manifest.yml +++ /dev/null 
@@ -1,180 +0,0 @@ -format_version: 1.0.0 -name: cloudflare_logpush -title: Cloudflare Logpush -version: 0.2.0 -license: basic -description: Collect and parse logs from Cloudflare API with Elastic Agent. -type: integration -categories: - - security -conditions: - kibana.version: ^8.0.0 -screenshots: - - src: /img/cloudflare-screenshot.png - title: Cloudflare Logpush DNS dashboard screenshot - size: 1847x950 - type: image/png -icons: - - src: /img/cloudflare-logo.svg - title: Cloudflare Logpush logo - size: 216x216 - type: image/svg+xml -policy_templates: - - name: cloudflare - title: Cloudflare Logpush logs - description: Collect logs from Cloudflare. - inputs: - - type: http_endpoint - title: Collect Cloudflare Logpush logs via HTTP Endpoint - description: Collecting Logpush logs from Cloudflare via HTTP Endpoint. - vars: - - name: listen_address - type: text - title: Listen Address - description: The bind address to listen for http endpoint connections. Set to `0.0.0.0` to bind to all available interfaces. - multi: false - required: true - show_user: true - default: localhost - - name: secret_header - type: text - title: Secret Header - description: The header to check for a specific value specified by `secret.value`. - required: false - show_user: false - - name: secret_value - type: password - title: Secret Value - description: The secret stored in the header name specified by `secret.header`. - required: false - show_user: false - - name: ssl - type: yaml - title: SSL Configuration - description: i.e. certificate_authorities, supported_protocols, verification_mode etc. 
- multi: false - required: false - show_user: false - default: | - #certificate_authorities: - # - | - # -----BEGIN CERTIFICATE----- - # MIIDCjCCAfKgAwIBAgITJ706Mu2wJlKckpIvkWxEHvEyijANBgkqhkiG9w0BAQsF - # ADAUMRIwEAYDVQQDDAlsb2NhbGhvc3QwIBcNMTkwNzIyMTkyOTA0WhgPMjExOTA2 - # MjgxOTI5MDRaMBQxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEB - # BQADggEPADCCAQoCggEBANce58Y/JykI58iyOXpxGfw0/gMvF0hUQAcUrSMxEO6n - # fZRA49b4OV4SwWmA3395uL2eB2NB8y8qdQ9muXUdPBWE4l9rMZ6gmfu90N5B5uEl - # 94NcfBfYOKi1fJQ9i7WKhTjlRkMCgBkWPkUokvBZFRt8RtF7zI77BSEorHGQCk9t - # /D7BS0GJyfVEhftbWcFEAG3VRcoMhF7kUzYwp+qESoriFRYLeDWv68ZOvG7eoWnP - # PsvZStEVEimjvK5NSESEQa9xWyJOmlOKXhkdymtcUd/nXnx6UTCFgnkgzSdTWV41 - # CI6B6aJ9svCTI2QuoIq2HxX/ix7OvW1huVmcyHVxyUECAwEAAaNTMFEwHQYDVR0O - # BBYEFPwN1OceFGm9v6ux8G+DZ3TUDYxqMB8GA1UdIwQYMBaAFPwN1OceFGm9v6ux - # 8G+DZ3TUDYxqMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAG5D - # 874A4YI7YUwOVsVAdbWtgp1d0zKcPRR+r2OdSbTAV5/gcS3jgBJ3i1BN34JuDVFw - # 3DeJSYT3nxy2Y56lLnxDeF8CUTUtVQx3CuGkRg1ouGAHpO/6OqOhwLLorEmxi7tA - # H2O8mtT0poX5AnOAhzVy7QW0D/k4WaoLyckM5hUa6RtvgvLxOwA0U+VGurCDoctu - # 8F4QOgTAWyh8EZIwaKCliFRSynDpv3JTUwtfZkxo6K6nce1RhCWFAsMvDZL8Dgc0 - # yvgJ38BRsFOtkRuAGSf6ZUwTO8JJRRIFnpUzXflAnGivK9M13D5GEQMmIl6U9Pvk - # sxSmbIUfc2SGJGCJD4I= - # -----END CERTIFICATE----- - - type: aws-s3 - title: Collect Cloudflare Logpush logs via AWS S3 or AWS SQS - description: Collecting Logpush logs from Cloudflare via AWS S3 or AWS SQS. - vars: - - name: collect_s3_logs - required: true - show_user: true - title: Collect logs via S3 Bucket - description: To Collect logs via S3 bucket enable the toggle switch. By default, it will collect logs via SQS Queue. - type: bool - multi: false - default: false - - name: bucket_arn - type: text - title: "[S3] Bucket ARN" - multi: false - required: false - show_user: true - description: It is a required parameter for collecting logs via the AWS S3 Bucket. 
- - name: queue_url - type: text - title: "[SQS] Queue URL" - multi: false - required: false - show_user: true - description: URL of the AWS SQS queue that messages will be received from. It is a required parameter for collecting logs via the AWS SQS. - - name: access_key_id - type: password - title: Access Key ID - multi: false - required: false - show_user: true - description: First part of access key. - - name: secret_access_key - type: password - title: Secret Access Key - multi: false - required: false - show_user: true - description: Second part of access key. - - name: session_token - type: text - title: Session Token - multi: false - required: false - show_user: true - description: Required when using temporary security credentials. - - name: shared_credential_file - type: text - title: Shared Credential File - multi: false - required: false - show_user: false - description: Directory of the shared credentials file. - - name: credential_profile_name - type: text - title: Credential Profile Name - multi: false - required: false - show_user: false - description: Profile name in shared credentials file. - - name: role_arn - type: text - title: Role ARN - multi: false - required: false - show_user: false - description: AWS IAM Role to assume. - - name: endpoint - type: text - title: Endpoint - multi: false - required: false - show_user: false - default: amazonaws.com - description: URL of the entry point for an AWS web service. - - name: default_region - type: text - title: Default AWS Region - multi: false - required: false - show_user: false - default: "" - description: Default region to use prior to connecting to region specific services/endpoints if no AWS region is set from environment variable, credentials or instance profile. If none of the above are set and no default region is set as well, `us-east-1` is used. 
A region, either from environment variable, credentials or instance profile or from this default region setting, needs to be set when using regions in non-regular AWS environments such as AWS China or US Government Isolated. - - name: fips_enabled - type: bool - title: Enable S3 FIPS - default: false - multi: false - required: false - show_user: false - description: Enabling this option changes the service name from `s3` to `s3-fips` for connecting to the correct service endpoint. - - name: proxy_url - type: text - title: Proxy URL - multi: false - required: false - show_user: false - description: URL to proxy connections in the form of http[s]://:@:. Please ensure your username and password are in URL encoded format. -owner: - github: elastic/security-external-integrations diff --git a/packages/cloudflare_logpush/0.2.1/LICENSE.txt b/packages/cloudflare_logpush/0.2.1/LICENSE.txt deleted file mode 100755 index 809108b857..0000000000 --- a/packages/cloudflare_logpush/0.2.1/LICENSE.txt +++ /dev/null 
@@ -1,93 +0,0 @@ -Elastic License 2.0 - -URL: https://www.elastic.co/licensing/elastic-license - -## Acceptance - -By using the software, you agree to all of the terms and conditions below. - -## Copyright License - -The licensor grants you a non-exclusive, royalty-free, worldwide, -non-sublicensable, non-transferable license to use, copy, distribute, make -available, and prepare derivative works of the software, in each case subject to -the limitations and conditions below. - -## Limitations - -You may not provide the software to third parties as a hosted or managed -service, where the service provides users with access to any substantial set of -the features or functionality of the software. - -You may not move, change, disable, or circumvent the license key functionality -in the software, and you may not remove or obscure any functionality in the -software that is protected by the license key. - -You may not alter, remove, or obscure any licensing, copyright, or other notices -of the licensor in the software. Any use of the licensor’s trademarks is subject -to applicable law. - -## Patents - -The licensor grants you a license, under any patent claims the licensor can -license, or becomes able to license, to make, have made, use, sell, offer for -sale, import and have imported the software, in each case subject to the -limitations and conditions in this license. This license does not cover any -patent claims that you cause to be infringed by modifications or additions to -the software. If you or your company make any written claim that the software -infringes or contributes to infringement of any patent, your patent license for -the software granted under these terms ends immediately. If your company makes -such a claim, your patent license ends immediately for work on behalf of your -company. - -## Notices - -You must ensure that anyone who gets a copy of any part of the software from you -also gets a copy of these terms. 
- -If you modify the software, you must include in any modified copies of the -software prominent notices stating that you have modified the software. - -## No Other Rights - -These terms do not imply any licenses other than those expressly granted in -these terms. - -## Termination - -If you use the software in violation of these terms, such use is not licensed, -and your licenses will automatically terminate. If the licensor provides you -with a notice of your violation, and you cease all violation of this license no -later than 30 days after you receive that notice, your licenses will be -reinstated retroactively. However, if you violate these terms after such -reinstatement, any additional violation of these terms will cause your licenses -to terminate automatically and permanently. - -## No Liability - -*As far as the law allows, the software comes as is, without any warranty or -condition, and the licensor will not be liable to you for any damages arising -out of these terms or the use or nature of the software, under any kind of -legal claim.* - -## Definitions - -The **licensor** is the entity offering these terms, and the **software** is the -software the licensor makes available under these terms, including any portion -of it. - -**you** refers to the individual or entity agreeing to these terms. - -**your company** is any legal entity, sole proprietorship, or other kind of -organization that you work for, plus all organizations that have control over, -are under the control of, or are under common control with that -organization. **control** means ownership of substantially all the assets of an -entity, or the power to direct its management and policies by vote, contract, or -otherwise. Control can be direct or indirect. - -**your licenses** are all the licenses granted to you for the software under -these terms. - -**use** means anything you do with the software requiring one of your licenses. 
- -**trademark** means trademarks, service marks, and similar rights. diff --git a/packages/cloudflare_logpush/0.2.1/changelog.yml b/packages/cloudflare_logpush/0.2.1/changelog.yml deleted file mode 100755 index b952316b70..0000000000 --- a/packages/cloudflare_logpush/0.2.1/changelog.yml +++ /dev/null @@ -1,21 +0,0 @@ -# newer versions go on top -- version: "0.2.1" - changes: - - description: Set default endpoint to empty string - type: bugfix - link: https://github.com/elastic/integrations/pull/4207 -- version: "0.2.0" - changes: - - description: Expose Default Region setting to UI - type: enhancement - link: https://github.com/elastic/integrations/pull/4158 -- version: "0.1.1" - changes: - - description: Fix line endings. - type: bugfix - link: https://github.com/elastic/integrations/pull/4181 -- version: "0.1.0" - changes: - - description: Initial Release. - type: enhancement - link: https://github.com/elastic/integrations/pull/3643 diff --git a/packages/cloudflare_logpush/0.2.1/data_stream/audit/agent/stream/aws-s3.yml.hbs b/packages/cloudflare_logpush/0.2.1/data_stream/audit/agent/stream/aws-s3.yml.hbs deleted file mode 100755 index 6029a860d9..0000000000 --- a/packages/cloudflare_logpush/0.2.1/data_stream/audit/agent/stream/aws-s3.yml.hbs +++ /dev/null 
@@ -1,88 +0,0 @@
-{{#if collect_s3_logs}}
-
-{{#if bucket_arn}}
-bucket_arn: {{bucket_arn}}
-{{/if}}
-{{#if number_of_workers}}
-number_of_workers: {{number_of_workers}}
-{{/if}}
-{{#if interval}}
-bucket_list_interval: {{interval}}
-{{/if}}
-{{#if bucket_list_prefix}}
-bucket_list_prefix: {{bucket_list_prefix}}
-{{/if}}
-
-{{else}}
-
-{{#if queue_url}}
-queue_url: {{queue_url}}
-{{/if}}
-{{#if visibility_timeout}}
-visibility_timeout: {{visibility_timeout}}
-{{/if}}
-{{#if api_timeout}}
-api_timeout: {{api_timeout}}
-{{/if}}
-{{#if max_number_of_messages}}
-max_number_of_messages: {{max_number_of_messages}}
-{{/if}}
-{{#if file_selectors}}
-file_selectors:
-{{file_selectors}}
-{{/if}}
-
-{{/if}}
-
-{{#if access_key_id}}
-access_key_id: {{access_key_id}}
-{{/if}}
-{{#if secret_access_key}}
-secret_access_key: {{secret_access_key}}
-{{/if}}
-{{#if session_token}}
-session_token: {{session_token}}
-{{/if}}
-{{#if shared_credential_file}}
-shared_credential_file: {{shared_credential_file}}
-{{/if}}
-{{#if credential_profile_name}}
-credential_profile_name: {{credential_profile_name}}
-{{/if}}
-{{#if role_arn}}
-role_arn: {{role_arn}}
-{{/if}}
-{{#if endpoint}}
-endpoint: {{endpoint}}
-{{/if}}
-{{#if default_region}}
-default_region: {{default_region}}
-{{/if}}
-{{#if fips_enabled}}
-fips_enabled: {{fips_enabled}}
-{{/if}}
-{{#if proxy_url}}
-proxy_url: {{proxy_url}}
-{{/if}}
-tags:
-{{#if collect_s3_logs}}
-  - collect_s3_logs
-{{else}}
-  - collect_sqs_logs
-{{/if}}
-{{#if preserve_original_event}}
-  - preserve_original_event
-{{/if}}
-{{#if preserve_duplicate_custom_fields}}
-  - preserve_duplicate_custom_fields
-{{/if}}
-{{#each tags as |tag|}}
-  - {{tag}}
-{{/each}}
-{{#contains "forwarded" tags}}
-publisher_pipeline.disable_host: true
-{{/contains}}
-{{#if processors}}
-processors:
-{{processors}}
-{{/if}}
diff --git a/packages/cloudflare_logpush/0.2.1/data_stream/audit/agent/stream/http_endpoint.yml.hbs b/packages/cloudflare_logpush/0.2.1/data_stream/audit/agent/stream/http_endpoint.yml.hbs
deleted file mode 100755
index 53229700cc..0000000000
--- a/packages/cloudflare_logpush/0.2.1/data_stream/audit/agent/stream/http_endpoint.yml.hbs
+++ /dev/null
@@ -1,36 +0,0 @@
-listen_address: {{listen_address}}
-listen_port: {{listen_port}}
-url: {{url}}
-content_type: ""
-{{#if secret_header}}
-secret.header: {{secret_header}}
-{{/if}}
-{{#if secret_value}}
-secret.value: {{secret_value}}
-{{/if}}
-{{#if preserve_original_event}}
-preserve_original_event: true
-{{/if}}
-{{#if preserve_duplicate_custom_fields}}
-preserve_duplicate_custom_fields: true
-{{/if}}
-tags:
-{{#if preserve_original_event}}
-  - preserve_original_event
-{{/if}}
-{{#if preserve_duplicate_custom_fields}}
-  - preserve_duplicate_custom_fields
-{{/if}}
-{{#each tags as |tag|}}
-  - {{tag}}
-{{/each}}
-{{#contains "forwarded" tags}}
-publisher_pipeline.disable_host: true
-{{/contains}}
-{{#if ssl}}
-ssl: {{ssl}}
-{{/if}}
-{{#if processors}}
-processors:
-{{processors}}
-{{/if}}
diff --git a/packages/cloudflare_logpush/0.2.1/data_stream/audit/elasticsearch/ingest_pipeline/default.yml b/packages/cloudflare_logpush/0.2.1/data_stream/audit/elasticsearch/ingest_pipeline/default.yml
deleted file mode 100755
index faf942743e..0000000000
--- a/packages/cloudflare_logpush/0.2.1/data_stream/audit/elasticsearch/ingest_pipeline/default.yml
+++ /dev/null
@@ -1,196 +0,0 @@
----
-description: Pipeline for parsing Cloudflare Audit logs.
-processors:
-  - set:
-      field: ecs.version
-      value: '8.2.0'
-  - rename:
-      field: message
-      target_field: event.original
-      ignore_missing: true
-  - json:
-      field: event.original
-      target_field: json
-      ignore_failure: true
-  - set:
-      field: event.type
-      value: [info]
-  - set:
-      field: event.kind
-      value: event
-  - set:
-      field: event.category
-      value: [authentication]
-  - date:
-      field: json.When
-      if: ctx.json?.When != null && ctx.json.When != ''
-      formats:
-        - ISO8601
-        - uuuu-MM-dd'T'HH:mm:ssX
-        - uuuu-MM-dd'T'HH:mm:ss.SSSX
-        - yyyy-MM-dd'T'HH:mm:ssZ
-        - yyyy-MM-dd'T'HH:mm:ss.SSSZ
-        - UNIX_MS
-      timezone: UTC
-      on_failure:
-        - append:
-            field: error.message
-            value: '{{{_ingest.on_failure_message}}}'
-  - set:
-      field: cloudflare_logpush.audit.timestamp
-      copy_from: '@timestamp'
-      ignore_failure: true
-  - rename:
-      field: json.ActionType
-      target_field: cloudflare_logpush.audit.action.type
-      ignore_missing: true
-  - set:
-      field: event.action
-      copy_from: cloudflare_logpush.audit.action.type
-      ignore_failure: true
-  - lowercase:
-      field: event.action
-      ignore_missing: true
-  - set:
-      field: cloudflare_logpush.audit.action.result
-      value: success
-      if: ctx.json?.ActionResult
-  - set:
-      field: cloudflare_logpush.audit.action.result
-      value: failure
-      if: '!ctx.json?.ActionResult'
-  - set:
-      field: event.outcome
-      copy_from: cloudflare_logpush.audit.action.result
-      ignore_failure: true
-  - rename:
-      field: json.ActorEmail
-      target_field: cloudflare_logpush.audit.actor.email
-      ignore_missing: true
-  - set:
-      field: user.email
-      copy_from: cloudflare_logpush.audit.actor.email
-      ignore_failure: true
-  - rename:
-      field: json.ActorID
-      target_field: cloudflare_logpush.audit.actor.id
-      ignore_missing: true
-  - set:
-      field: user.id
-      copy_from: cloudflare_logpush.audit.actor.id
-      ignore_failure: true
-  - convert:
-      field: json.ActorIP
-      target_field: cloudflare_logpush.audit.actor.ip
-      if: ctx.json?.ActorIP != ''
-      type: ip
-      ignore_missing: true
-      on_failure:
-        - append:
-            field: error.message
-            value: '{{{_ingest.on_failure_message}}}'
-  - set:
-      field: source.ip
-      copy_from: cloudflare_logpush.audit.actor.ip
-      ignore_failure: true
-  - rename:
-      field: json.ActorType
-      target_field: cloudflare_logpush.audit.actor.type
-      ignore_missing: true
-  - rename:
-      field: json.ID
-      target_field: cloudflare_logpush.audit.id
-      ignore_missing: true
-  - set:
-      field: event.id
-      copy_from: cloudflare_logpush.audit.id
-      ignore_failure: true
-  - rename:
-      field: json.Interface
-      target_field: cloudflare_logpush.audit.interface
-      ignore_missing: true
-      if: ctx.json?.interface != ''
-  - set:
-      field: event.provider
-      copy_from: cloudflare_logpush.audit.interface
-      ignore_failure: true
-  - rename:
-      field: json.Metadata
-      target_field: cloudflare_logpush.audit.metadata
-      ignore_missing: true
-  - rename:
-      field: json.NewValue
-      target_field: cloudflare_logpush.audit.new_value
-      if: ctx.json?.NewValue != null
-      ignore_missing: true
-  - rename:
-      field: json.OldValue
-      target_field: cloudflare_logpush.audit.old_value
-      if: ctx.json?.OldValue != null
-      ignore_missing: true
-  - rename:
-      field: json.OwnerID
-      target_field: cloudflare_logpush.audit.owner.id
-      ignore_missing: true
-  - rename:
-      field: json.ResourceID
-      target_field: cloudflare_logpush.audit.resource.id
-      ignore_missing: true
-  - rename:
-      field: json.ResourceType
-      target_field: cloudflare_logpush.audit.resource.type
-      ignore_missing: true
-  - append:
-      field: related.user
-      value: '{{{user.id}}}'
-      if: ctx.user?.id != null
-      allow_duplicates: false
-      ignore_failure: true
-  - append:
-      field: related.ip
-      value: '{{{source.ip}}}'
-      if: ctx.source?.ip != null
-      allow_duplicates: false
-      ignore_failure: true
-  - remove:
-      field: json
-      ignore_missing: true
-  - remove:
-      field:
-        - cloudflare_logpush.audit.timestamp
-        - cloudflare_logpush.audit.action.result
-        - cloudflare_logpush.audit.action.type
-        - cloudflare_logpush.audit.id
-        - cloudflare_logpush.audit.interface
-        - cloudflare_logpush.audit.actor.ip
-        - cloudflare_logpush.audit.actor.email
-        - cloudflare_logpush.audit.actor.id
-      if: ctx.tags == null || !(ctx.tags.contains('preserve_duplicate_custom_fields'))
-      ignore_failure: true
-      ignore_missing: true
-  - remove:
-      field: event.original
-      if: ctx.tags == null || !(ctx.tags.contains('preserve_original_event'))
-      ignore_failure: true
-      ignore_missing: true
-  - script:
-      description: Drops null/empty values recursively.
-      lang: painless
-      source:
-        boolean dropEmptyFields(Object object) {
-          if (object == null || object == "") {
-            return true;
-          } else if (object instanceof Map) {
-            ((Map) object).values().removeIf(value -> dropEmptyFields(value));
-            return (((Map) object).size() == 0);
-          } else if (object instanceof List) {
-            ((List) object).removeIf(value -> dropEmptyFields(value));
-            return (((List) object).length == 0);
-          }
-          return false;
-        }
-        dropEmptyFields(ctx);
-on_failure:
-- append:
-    field: error.message
-    value: '{{{ _ingest.on_failure_message }}}'
diff --git a/packages/cloudflare_logpush/0.2.1/data_stream/audit/fields/agent.yml b/packages/cloudflare_logpush/0.2.1/data_stream/audit/fields/agent.yml
deleted file mode 100755
index 73e076a93b..0000000000
--- a/packages/cloudflare_logpush/0.2.1/data_stream/audit/fields/agent.yml
+++ /dev/null
@@ -1,186 +0,0 @@
-- name: cloud
-  title: Cloud
-  group: 2
-  description: Fields related to the cloud or infrastructure the events are coming from.
-  footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.'
-  type: group
-  fields:
-    - name: account.id
-      level: extended
-      type: keyword
-      ignore_above: 1024
-      description: 'The cloud account or organization ID used to identify different entities in a multi-tenant environment. Examples: AWS account ID, Google Cloud ORG ID, or other unique identifier.'
-      example: 666777888999
-    - name: availability_zone
-      level: extended
-      type: keyword
-      ignore_above: 1024
-      description: Availability zone in which this host is running.
-      example: us-east-1c
-    - name: instance.id
-      level: extended
-      type: keyword
-      ignore_above: 1024
-      description: Instance ID of the host machine.
-      example: i-1234567890abcdef0
-    - name: instance.name
-      level: extended
-      type: keyword
-      ignore_above: 1024
-      description: Instance name of the host machine.
-    - name: machine.type
-      level: extended
-      type: keyword
-      ignore_above: 1024
-      description: Machine type of the host machine.
-      example: t2.medium
-    - name: provider
-      level: extended
-      type: keyword
-      ignore_above: 1024
-      description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
-      example: aws
-    - name: region
-      level: extended
-      type: keyword
-      ignore_above: 1024
-      description: Region in which this host is running.
-      example: us-east-1
-    - name: project.id
-      type: keyword
-      description: Name of the project in Google Cloud.
-    - name: image.id
-      type: keyword
-      description: Image ID for the cloud instance.
-- name: container
-  title: Container
-  group: 2
-  description: 'Container fields are used for meta information about the specific container that is the source of information. These fields help correlate data based containers from any runtime.'
-  type: group
-  fields:
-    - name: id
-      level: core
-      type: keyword
-      ignore_above: 1024
-      description: Unique container ID.
-    - name: image.name
-      level: extended
-      type: keyword
-      ignore_above: 1024
-      description: Name of the image the container was built on.
-    - name: labels
-      level: extended
-      type: object
-      object_type: keyword
-      description: Image labels.
-    - name: name
-      level: extended
-      type: keyword
-      ignore_above: 1024
-      description: Container name.
-- name: host
-  title: Host
-  group: 2
-  description: 'A host is defined as a general computing instance. ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.'
-  type: group
-  fields:
-    - name: architecture
-      level: core
-      type: keyword
-      ignore_above: 1024
-      description: Operating system architecture.
-      example: x86_64
-    - name: domain
-      level: extended
-      type: keyword
-      ignore_above: 1024
-      description: 'Name of the domain of which the host is a member. For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.'
-      example: CONTOSO
-      default_field: false
-    - name: hostname
-      level: core
-      type: keyword
-      ignore_above: 1024
-      description: 'Hostname of the host. It normally contains what the `hostname` command returns on the host machine.'
-    - name: id
-      level: core
-      type: keyword
-      ignore_above: 1024
-      description: 'Unique host ID. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`.'
-    - name: ip
-      level: core
-      type: ip
-      description: Host IP addresses.
-    - name: mac
-      level: core
-      type: keyword
-      ignore_above: 1024
-      description: Host mac addresses.
-    - name: name
-      level: core
-      type: keyword
-      ignore_above: 1024
-      description: 'Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.'
-    - name: os.family
-      level: extended
-      type: keyword
-      ignore_above: 1024
-      description: OS family (such as redhat, debian, freebsd, windows).
-      example: debian
-    - name: os.kernel
-      level: extended
-      type: keyword
-      ignore_above: 1024
-      description: Operating system kernel version as a raw string.
-      example: 4.4.0-112-generic
-    - name: os.name
-      level: extended
-      type: keyword
-      ignore_above: 1024
-      multi_fields:
-        - name: text
-          type: text
-          norms: false
-      default_field: false
-      description: Operating system name, without the version.
-      example: Mac OS X
-    - name: os.platform
-      level: extended
-      type: keyword
-      ignore_above: 1024
-      description: Operating system platform (such centos, ubuntu, windows).
-      example: darwin
-    - name: os.version
-      level: extended
-      type: keyword
-      ignore_above: 1024
-      description: Operating system version as a raw string.
-      example: 10.14.1
-    - name: type
-      level: core
-      type: keyword
-      ignore_above: 1024
-      description: 'Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.'
-    - name: containerized
-      type: boolean
-      description: >
-        If the host is a container.
-
-    - name: os.build
-      type: keyword
-      example: "18D109"
-      description: >
-        OS build information.
-
-    - name: os.codename
-      type: keyword
-      example: "stretch"
-      description: >
-        OS codename, if any.
-
-- name: input.type
-  type: keyword
-  description: Input type
-- name: log.offset
-  type: long
-  description: Log offset
diff --git a/packages/cloudflare_logpush/0.2.1/data_stream/audit/fields/base-fields.yml b/packages/cloudflare_logpush/0.2.1/data_stream/audit/fields/base-fields.yml
deleted file mode 100755
index d59dd05887..0000000000
--- a/packages/cloudflare_logpush/0.2.1/data_stream/audit/fields/base-fields.yml
+++ /dev/null
@@ -1,20 +0,0 @@
-- name: data_stream.type
-  type: constant_keyword
-  description: Data stream type.
-- name: data_stream.dataset
-  type: constant_keyword
-  description: Data stream dataset.
-- name: data_stream.namespace
-  type: constant_keyword
-  description: Data stream namespace.
-- name: '@timestamp'
-  type: date
-  description: Event timestamp.
-- name: event.dataset
-  type: constant_keyword
-  description: Event dataset.
-  value: cloudflare_logpush.audit
-- name: event.module
-  type: constant_keyword
-  description: Event module.
-  value: cloudflare_logpush
diff --git a/packages/cloudflare_logpush/0.2.1/data_stream/audit/fields/ecs.yml b/packages/cloudflare_logpush/0.2.1/data_stream/audit/fields/ecs.yml
deleted file mode 100755
index 8b345eedb8..0000000000
--- a/packages/cloudflare_logpush/0.2.1/data_stream/audit/fields/ecs.yml
+++ /dev/null
@@ -1,86 +0,0 @@
-- description: |-
-    ECS version this event conforms to. `ecs.version` is a required field and must exist in all events.
-    When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events.
-  name: ecs.version
-  type: keyword
-- description: |-
-    The action captured by the event.
-    This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer.
-  name: event.action
-  type: keyword
-- description: |-
-    This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy.
-    `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory.
-    This field is an array. This will allow proper categorization of some events that fall in multiple categories.
-  name: event.category
-  normalize:
-    - array
-  type: keyword
-- description: |-
-    event.created contains the date/time when the event was first read by an agent, or by your pipeline.
-    This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event.
-    In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source.
-    In case the two timestamps are identical, @timestamp should be used.
-  name: event.created
-  type: date
-- description: Unique ID to describe the event.
-  name: event.id
-  type: keyword
-- description: |-
-    This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy.
-    `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events.
-    The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not.
-  name: event.kind
-  type: keyword
-- description: |-
-    Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex.
-    This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`.
-  doc_values: false
-  index: false
-  name: event.original
-  type: keyword
-- description: |-
-    This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy.
-    `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event.
-    Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective.
-    Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer.
-    Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense.
-  name: event.outcome
-  type: keyword
-- description: |-
-    Source of the event.
-    Event transports such as Syslog or the Windows Event Log typically mention the source of an event. It can be the name of the software that generated the event (e.g. Sysmon, httpd), or of a subsystem of the operating system (kernel, Microsoft-Windows-Security-Auditing).
-  name: event.provider
-  type: keyword
-- description: |-
-    This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy.
-    `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization.
-    This field is an array. This will allow proper categorization of some events that fall in multiple event types.
-  name: event.type
-  normalize:
-    - array
-  type: keyword
-- description: All of the IPs seen on your event.
-  name: related.ip
-  normalize:
-    - array
-  type: ip
-- description: All the user names or other user identifiers seen on the event.
-  name: related.user
-  normalize:
-    - array
-  type: keyword
-- description: IP address of the source (IPv4 or IPv6).
-  name: source.ip
-  type: ip
-- description: List of keywords used to tag each event.
-  name: tags
-  normalize:
-    - array
-  type: keyword
-- description: User email address.
-  name: user.email
-  type: keyword
-- description: Unique identifier of the user.
-  name: user.id
-  type: keyword
diff --git a/packages/cloudflare_logpush/0.2.1/data_stream/audit/fields/fields.yml b/packages/cloudflare_logpush/0.2.1/data_stream/audit/fields/fields.yml
deleted file mode 100755
index a0cdb32d32..0000000000
--- a/packages/cloudflare_logpush/0.2.1/data_stream/audit/fields/fields.yml
+++ /dev/null
@@ -1,63 +0,0 @@
-- name: cloudflare_logpush.audit
-  type: group
-  fields:
-    - name: action
-      type: group
-      fields:
-        - name: result
-          type: keyword
-          description: Whether the action was successful.
-        - name: type
-          type: keyword
-          description: Type of action taken.
-    - name: actor
-      type: group
-      fields:
-        - name: email
-          type: keyword
-          description: Email of the actor.
-        - name: id
-          type: keyword
-          description: Unique identifier of the actor in Cloudflare system.
-        - name: ip
-          type: ip
-          description: Physical network address of the actor.
-        - name: type
-          type: keyword
-          description: Type of user that started the audit trail.
-    - name: id
-      type: keyword
-      description: Unique identifier of an audit log.
-    - name: interface
-      type: text
-      description: Entry point or interface of the audit log.
-    - name: metadata
-      type: flattened
-      description: Additional audit log-specific information, Metadata is organized in key:value pairs, Key and Value formats can vary by ResourceType.
-    - name: new_value
-      type: flattened
-      description: Contains the new value for the audited item.
-    - name: old_value
-      type: flattened
-      description: Contains the old value for the audited item.
-    - name: owner
-      type: group
-      fields:
-        - name: id
-          type: keyword
-          description: The identifier of the user that was acting or was acted on behalf of.
-    - name: resource
-      type: group
-      fields:
-        - name: id
-          type: keyword
-          description: Unique identifier of the resource within Cloudflare system.
-        - name: type
-          type: keyword
-          description: The type of resource that was changed.
-    - name: timestamp
-      type: date
-      description: When the change happened.
-- name: log.source.address
-  type: keyword
-  description: Source address from which the log event was read / sent from.
diff --git a/packages/cloudflare_logpush/0.2.1/data_stream/audit/manifest.yml b/packages/cloudflare_logpush/0.2.1/data_stream/audit/manifest.yml
deleted file mode 100755
index de2640f915..0000000000
--- a/packages/cloudflare_logpush/0.2.1/data_stream/audit/manifest.yml
+++ /dev/null
@@ -1,151 +0,0 @@
-title: Collect Audit logs from Cloudflare
-type: logs
-streams:
-  - input: http_endpoint
-    template_path: http_endpoint.yml.hbs
-    title: Audit logs
-    description: Collect Audit logs from Cloudflare.
-    vars:
-      - name: listen_port
-        type: integer
-        title: Listen Port
-        description: The port number the listener binds to.
-        multi: false
-        required: true
-        show_user: true
-        default: 9560
-      - name: url
-        type: text
-        title: URL
-        description: This option specifies which URL path to accept requests on. Defaults to /.
-        multi: false
-        required: false
-        show_user: false
-        default: /
-      - name: tags
-        type: text
-        title: Tags
-        multi: true
-        required: true
-        show_user: false
-        default:
-          - forwarded
-          - cloudflare_logpush_audit
-      - name: preserve_original_event
-        required: true
-        show_user: true
-        title: Preserve original event
-        description: Preserves a raw copy of the original event, added to the field `event.original`.
-        type: bool
-        multi: false
-        default: false
-      - name: preserve_duplicate_custom_fields
-        required: true
-        show_user: true
-        title: Preserve duplicate custom fields
-        description: Preserve custom fields for all ECS mappings.
-        type: bool
-        multi: false
-        default: false
-      - name: processors
-        type: yaml
-        title: Processors
-        multi: false
-        required: false
-        show_user: false
-        description: >-
-          Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
-  - input: aws-s3
-    title: Audit logs via S3 or SQS
-    description: Collect Audit logs from Cloudflare.
-    template_path: aws-s3.yml.hbs
-    vars:
-      - name: bucket_list_prefix
-        type: text
-        title: '[S3] Bucket Prefix'
-        multi: false
-        required: false
-        show_user: true
-        default: audit_logs
-        description: Prefix to apply for the list request to the S3 bucket.
-      - name: interval
-        type: text
-        title: '[S3] Interval'
-        multi: false
-        required: false
-        show_user: true
-        default: 1m
-        description: Time interval for polling listing of the S3 bucket. NOTE:- Supported units for this parameter are h/m/s.
-      - name: number_of_workers
-        type: integer
-        title: '[S3] Number of Workers'
-        multi: false
-        required: false
-        show_user: true
-        default: 5
-        description: Number of workers that will process the S3 objects listed.
-      - name: visibility_timeout
-        type: text
-        title: '[SQS] Visibility Timeout'
-        multi: false
-        required: false
-        show_user: true
-        default: 300s
-        description: The duration that the received messages are hidden from subsequent retrieve requests after being retrieved by a ReceiveMessage request. The maximum is 12 hours.
-      - name: api_timeout
-        type: text
-        title: '[SQS] API Timeout'
-        multi: false
-        required: false
-        show_user: true
-        default: 120s
-        description: The maximum duration of AWS API can take. The maximum is half of the visibility timeout value.
-      - name: max_number_of_messages
-        type: integer
-        title: '[SQS] Maximum Concurrent SQS Messages'
-        required: false
-        show_user: true
-        default: 5
-        description: The maximum number of SQS messages that can be inflight at any time.
-      - name: file_selectors
-        type: yaml
-        title: '[SQS] File Selectors'
-        multi: false
-        required: false
-        show_user: false
-        default: |
-          - regex: 'audit_logs/'
-        description: If the SQS queue will have events that correspond to files that this integration shouldn’t process, file_selectors can be used to limit the files that are downloaded. This is a list of selectors which are made up of regex and expand_event_list_from_field options. The regex should match the S3 object key in the SQS message, and the optional expand_event_list_from_field is the same as the global setting. If file_selectors is given, then any global expand_event_list_from_field value is ignored in favor of the ones specified in the file_selectors. Regexes use [RE2 syntax](https://pkg.go.dev/regexp/syntax). Files that don’t match one of the regexes will not be processed.
-      - name: tags
-        type: text
-        title: Tags
-        multi: true
-        required: true
-        show_user: false
-        default:
-          - forwarded
-          - cloudflare_logpush_audit
-      - name: preserve_original_event
-        required: true
-        show_user: true
-        title: Preserve original event
-        description: Preserves a raw copy of the original event, added to the field `event.original`.
-        type: bool
-        multi: false
-        default: false
-      - name: preserve_duplicate_custom_fields
-        required: true
-        show_user: true
-        title: Preserve duplicate custom fields
-        description: Preserve custom fields for all ECS mappings.
-        type: bool
-        multi: false
-        default: false
-      - name: processors
-        type: yaml
-        title: Processors
-        multi: false
-        required: false
-        show_user: false
-        description: >-
-          Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
diff --git a/packages/cloudflare_logpush/0.2.1/data_stream/audit/sample_event.json b/packages/cloudflare_logpush/0.2.1/data_stream/audit/sample_event.json
deleted file mode 100755
index 7f7c746974..0000000000
--- a/packages/cloudflare_logpush/0.2.1/data_stream/audit/sample_event.json
+++ /dev/null
@@ -1,101 +0,0 @@ -{ - "@timestamp": "2021-11-30T20:19:48.000Z", - "agent": { - "ephemeral_id": "3605deda-1943-40cf-9ba2-a5d591fead25", - "hostname": "docker-fleet-agent", - "id": "8539930e-8f7a-48ac-af3e-7f098b7d6ea2", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "7.17.0" - }, - "cloudflare_logpush": { - "audit": { - "action": { - "result": "success", - "type": "token_create" - }, - "actor": { - "email": "user@example.com", - "id": "enl3j9du8rnx2swwd9l32qots7l54t9s", - "ip": "81.2.69.142", - "type": "user" - }, - "id": "73fd39ed-5aab-4a2a-b93c-c9a4abf0c425", - "interface": "UI", - "metadata": { - "token_name": "test", - "token_tag": "b7261c49a793a82678d12285f0bc1401" - }, - "new_value": { - "key1": "value1", - "key2": "value2" - }, - "old_value": { - "key3": "value4", - "key4": "value4" - }, - "owner": { - "id": "enl3j9du8rnx2swwd9l32qots7l54t9s" - }, - "resource": { - "id": "enl3j9du8rnx2swwd9l32qots7l54t9s", - "type": "account" - }, - "timestamp": "2021-11-30T20:19:48.000Z" - } - }, - "data_stream": { - "dataset": "cloudflare_logpush.audit", - "namespace": "ep", - "type": "logs" - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "8539930e-8f7a-48ac-af3e-7f098b7d6ea2", - "snapshot": false, - "version": "7.17.0" - }, - "event": { - "action": "token_create", - "agent_id_status": "verified", - "category": [ - "authentication" - ], - "dataset": "cloudflare_logpush.audit", - "id": "73fd39ed-5aab-4a2a-b93c-c9a4abf0c425", - "ingested": "2022-09-01T10:05:51Z", - "kind": "event", - "original": 
"{\"ActionResult\":true,\"ActionType\":\"token_create\",\"ActorEmail\":\"user@example.com\",\"ActorID\":\"enl3j9du8rnx2swwd9l32qots7l54t9s\",\"ActorIP\":\"81.2.69.142\",\"ActorType\":\"user\",\"ID\":\"73fd39ed-5aab-4a2a-b93c-c9a4abf0c425\",\"Interface\":\"UI\",\"Metadata\":{\"token_name\":\"test\",\"token_tag\":\"b7261c49a793a82678d12285f0bc1401\"},\"NewValue\":{\"key1\":\"value1\",\"key2\":\"value2\"},\"OldValue\":{\"key3\":\"value4\",\"key4\":\"value4\"},\"OwnerID\":\"enl3j9du8rnx2swwd9l32qots7l54t9s\",\"ResourceID\":\"enl3j9du8rnx2swwd9l32qots7l54t9s\",\"ResourceType\":\"account\",\"When\":\"2021-11-30T20:19:48Z\"}", - "outcome": "success", - "provider": "UI", - "type": [ - "info" - ] - }, - "input": { - "type": "http_endpoint" - }, - "related": { - "ip": [ - "81.2.69.142" - ], - "user": [ - "enl3j9du8rnx2swwd9l32qots7l54t9s" - ] - }, - "source": { - "ip": "81.2.69.142" - }, - "tags": [ - "preserve_original_event", - "preserve_duplicate_custom_fields", - "forwarded", - "cloudflare_logpush_audit" - ], - "user": { - "email": "user@example.com", - "id": "enl3j9du8rnx2swwd9l32qots7l54t9s" - } -} \ No newline at end of file diff --git a/packages/cloudflare_logpush/0.2.1/data_stream/dns/agent/stream/aws-s3.yml.hbs b/packages/cloudflare_logpush/0.2.1/data_stream/dns/agent/stream/aws-s3.yml.hbs deleted file mode 100755 index 6029a860d9..0000000000 --- a/packages/cloudflare_logpush/0.2.1/data_stream/dns/agent/stream/aws-s3.yml.hbs +++ /dev/null 
@@ -1,88 +0,0 @@ -{{#if collect_s3_logs}} - -{{#if bucket_arn}} -bucket_arn: {{bucket_arn}} -{{/if}} -{{#if number_of_workers}} -number_of_workers: {{number_of_workers}} -{{/if}} -{{#if interval}} -bucket_list_interval: {{interval}} -{{/if}} -{{#if bucket_list_prefix}} -bucket_list_prefix: {{bucket_list_prefix}} -{{/if}} - -{{else}} - -{{#if queue_url}} -queue_url: {{queue_url}} -{{/if}} -{{#if visibility_timeout}} -visibility_timeout: {{visibility_timeout}} -{{/if}} -{{#if api_timeout}} -api_timeout: {{api_timeout}} -{{/if}} -{{#if max_number_of_messages}} -max_number_of_messages: {{max_number_of_messages}} -{{/if}} -{{#if file_selectors}} -file_selectors: -{{file_selectors}} -{{/if}} - -{{/if}} - -{{#if access_key_id}} -access_key_id: {{access_key_id}} -{{/if}} -{{#if secret_access_key}} -secret_access_key: {{secret_access_key}} -{{/if}} -{{#if session_token}} -session_token: {{session_token}} -{{/if}} -{{#if shared_credential_file}} -shared_credential_file: {{shared_credential_file}} -{{/if}} -{{#if credential_profile_name}} -credential_profile_name: {{credential_profile_name}} -{{/if}} -{{#if role_arn}} -role_arn: {{role_arn}} -{{/if}} -{{#if endpoint}} -endpoint: {{endpoint}} -{{/if}} -{{#if default_region}} -default_region: {{default_region}} -{{/if}} -{{#if fips_enabled}} -fips_enabled: {{fips_enabled}} -{{/if}} -{{#if proxy_url}} -proxy_url: {{proxy_url}} -{{/if}} -tags: -{{#if collect_s3_logs}} - - collect_s3_logs -{{else}} - - collect_sqs_logs -{{/if}} -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#if preserve_duplicate_custom_fields}} - - preserve_duplicate_custom_fields -{{/if}} -{{#each tags as |tag|}} - - {{tag}} -{{/each}} -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} -{{#if processors}} -processors: -{{processors}} -{{/if}} 
diff --git a/packages/cloudflare_logpush/0.2.1/data_stream/dns/agent/stream/http_endpoint.yml.hbs b/packages/cloudflare_logpush/0.2.1/data_stream/dns/agent/stream/http_endpoint.yml.hbs deleted file mode 100755 index 53229700cc..0000000000 --- a/packages/cloudflare_logpush/0.2.1/data_stream/dns/agent/stream/http_endpoint.yml.hbs +++ /dev/null @@ -1,36 +0,0 @@ -listen_address: {{listen_address}} -listen_port: {{listen_port}} -url: {{url}} -content_type: "" -{{#if secret_header}} -secret.header: {{secret_header}} -{{/if}} -{{#if secret_value}} -secret.value: {{secret_value}} -{{/if}} -{{#if preserve_original_event}} -preserve_original_event: true -{{/if}} -{{#if preserve_duplicate_custom_fields}} -preserve_duplicate_custom_fields: true -{{/if}} -tags: -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#if preserve_duplicate_custom_fields}} - - preserve_duplicate_custom_fields -{{/if}} -{{#each tags as |tag|}} - - {{tag}} -{{/each}} -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} -{{#if ssl}} -ssl: {{ssl}} -{{/if}} -{{#if processors}} -processors: -{{processors}} -{{/if}} diff --git a/packages/cloudflare_logpush/0.2.1/data_stream/dns/elasticsearch/ingest_pipeline/default.yml b/packages/cloudflare_logpush/0.2.1/data_stream/dns/elasticsearch/ingest_pipeline/default.yml deleted file mode 100755 index ad6d37c7b9..0000000000 --- a/packages/cloudflare_logpush/0.2.1/data_stream/dns/elasticsearch/ingest_pipeline/default.yml +++ /dev/null 
@@ -1,167 +0,0 @@ ---- -description: Pipeline for parsing Cloudflare DNS logs. -processors: - - set: - field: ecs.version - value: '8.2.0' - - rename: - field: message - target_field: event.original - ignore_missing: true - - json: - field: event.original - target_field: json - ignore_failure: true - - set: - field: event.category - value: [network] - - set: - field: event.kind - value: event - - set: - field: event.type - value: [info] - - date: - field: json.Timestamp - if: ctx.json?.Timestamp != null && ctx.json.Timestamp != '' - formats: - - ISO8601 - - uuuu-MM-dd'T'HH:mm:ssX - - uuuu-MM-dd'T'HH:mm:ss.SSSX - - yyyy-MM-dd'T'HH:mm:ssZ - - yyyy-MM-dd'T'HH:mm:ss.SSSZ - - UNIX_MS - timezone: UTC - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - set: - field: cloudflare_logpush.dns.timestamp - copy_from: '@timestamp' - ignore_failure: true - - convert: - field: json.SourceIP - target_field: cloudflare_logpush.dns.source.ip - if: ctx.json?.SourceIP != '' - type: ip - ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - set: - field: source.ip - copy_from: cloudflare_logpush.dns.source.ip - ignore_failure: true - - rename: - field: json.QueryName - target_field: cloudflare_logpush.dns.query.name - ignore_missing: true - - set: - field: dns.question.name - copy_from: cloudflare_logpush.dns.query.name - ignore_failure: true - - convert: - field: json.QueryType - target_field: cloudflare_logpush.dns.query.type - if: ctx.json?.QueryType != '' - type: long - ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - rename: - field: json.ColoCode - target_field: cloudflare_logpush.dns.colo.code - ignore_missing: true - - convert: - field: json.EDNSSubnet - target_field: cloudflare_logpush.dns.edns.subnet - if: ctx.json?.EDNSSubnet != '' - type: ip - ignore_missing: true - on_failure: - - append: - field: 
error.message - value: '{{{_ingest.on_failure_message}}}' - - convert: - field: json.EDNSSubnetLength - target_field: cloudflare_logpush.dns.edns.subnet_length - if: ctx.json?.EDNSSubnetLength != '' - type: long - ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - rename: - field: json.ResponseCached - target_field: cloudflare_logpush.dns.response.cached - ignore_missing: true - - convert: - field: json.ResponseCode - target_field: cloudflare_logpush.dns.response.code - if: ctx.json?.ResponseCode != '' - type: long - ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - append: - field: related.hosts - value: '{{{dns.query.name}}}' - if: ctx.dns?.query?.name != null - allow_duplicates: false - ignore_failure: true - - append: - field: related.ip - value: '{{{source.ip}}}' - if: ctx.source?.ip != null - allow_duplicates: false - ignore_failure: true - - append: - field: related.ip - value: '{{{cloudflare_logpush.dns.edns.subnet}}}' - if: ctx.cloudflare_logpush?.dns?.edns?.subnet != null - allow_duplicates: false - ignore_failure: true - - remove: - field: json - ignore_missing: true - - remove: - field: - - cloudflare_logpush.dns.timestamp - - cloudflare_logpush.dns.query.name - - cloudflare_logpush.dns.source.ip - if: ctx.tags == null || !(ctx.tags.contains('preserve_duplicate_custom_fields')) - ignore_failure: true - ignore_missing: true - - remove: - field: event.original - if: ctx.tags == null || !(ctx.tags.contains('preserve_original_event')) - ignore_failure: true - ignore_missing: true - - script: - description: Drops null/empty values recursively. 
- lang: painless - source: - boolean dropEmptyFields(Object object) { - if (object == null || object == "") { - return true; - } else if (object instanceof Map) { - ((Map) object).values().removeIf(value -> dropEmptyFields(value)); - return (((Map) object).size() == 0); - } else if (object instanceof List) { - ((List) object).removeIf(value -> dropEmptyFields(value)); - return (((List) object).length == 0); - } - return false; - } - dropEmptyFields(ctx); -on_failure: -- append: - field: error.message - value: '{{{ _ingest.on_failure_message }}}' diff --git a/packages/cloudflare_logpush/0.2.1/data_stream/dns/fields/agent.yml b/packages/cloudflare_logpush/0.2.1/data_stream/dns/fields/agent.yml deleted file mode 100755 index 73e076a93b..0000000000 --- a/packages/cloudflare_logpush/0.2.1/data_stream/dns/fields/agent.yml +++ /dev/null 
@@ -1,186 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization ID used to identify different entities in a multi-tenant environment. Examples: AWS account ID, Google Cloud ORG ID, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container ID. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host ID. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host IP addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - -- name: input.type - type: keyword - description: Input type -- name: log.offset - type: long - description: Log offset 
diff --git a/packages/cloudflare_logpush/0.2.1/data_stream/dns/fields/base-fields.yml b/packages/cloudflare_logpush/0.2.1/data_stream/dns/fields/base-fields.yml deleted file mode 100755 index 7cd21a55f7..0000000000 --- a/packages/cloudflare_logpush/0.2.1/data_stream/dns/fields/base-fields.yml +++ /dev/null @@ -1,20 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: '@timestamp' - type: date - description: Event timestamp. -- name: event.dataset - type: constant_keyword - description: Event dataset. - value: cloudflare_logpush.dns -- name: event.module - type: constant_keyword - description: Event module. - value: cloudflare_logpush diff --git a/packages/cloudflare_logpush/0.2.1/data_stream/dns/fields/ecs.yml b/packages/cloudflare_logpush/0.2.1/data_stream/dns/fields/ecs.yml deleted file mode 100755 index b756dc928d..0000000000 --- a/packages/cloudflare_logpush/0.2.1/data_stream/dns/fields/ecs.yml +++ /dev/null 
@@ -1,64 +0,0 @@ -- description: |- - The name being queried. - If the name field contains non-printable characters (below 32 or above 126), those characters should be represented as escaped base 10 integers (\DDD). Back slashes and quotes should be escaped. Tabs, carriage returns, and line feeds should be converted to \t, \r, and \n respectively. - name: dns.question.name - type: keyword -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. This will allow proper categorization of some events that fall in multiple categories. - name: event.category - normalize: - - array - type: keyword -- description: |- - event.created contains the date/time when the event was first read by an agent, or by your pipeline. - This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. - In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. - In case the two timestamps are identical, @timestamp should be used. 
- name: event.created - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: |- - Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. - This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. - doc_values: false - index: false - name: event.original - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. - `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. This will allow proper categorization of some events that fall in multiple event types. - name: event.type - normalize: - - array - type: keyword -- description: All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. - name: related.hosts - normalize: - - array - type: keyword -- description: All of the IPs seen on your event. 
- name: related.ip - normalize: - - array - type: ip -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: List of keywords used to tag each event. - name: tags - normalize: - - array - type: keyword diff --git a/packages/cloudflare_logpush/0.2.1/data_stream/dns/fields/fields.yml b/packages/cloudflare_logpush/0.2.1/data_stream/dns/fields/fields.yml deleted file mode 100755 index b23d3eb4ce..0000000000 --- a/packages/cloudflare_logpush/0.2.1/data_stream/dns/fields/fields.yml +++ /dev/null @@ -1,48 +0,0 @@ -- name: cloudflare_logpush.dns - type: group - fields: - - name: colo - type: group - fields: - - name: code - type: keyword - description: IATA airport code of data center that received the request. - - name: edns - type: group - fields: - - name: subnet - type: ip - description: EDNS Client Subnet (IPv4 or IPv6). - - name: subnet_length - type: long - description: EDNS Client Subnet length. - - name: query - type: group - fields: - - name: name - type: keyword - description: Name of the query that was sent. - - name: type - type: long - description: Integer value of query type. - - name: response - type: group - fields: - - name: cached - type: boolean - description: Whether the response was cached or not. - - name: code - type: long - description: Integer value of response code. - - name: source - type: group - fields: - - name: ip - type: ip - description: IP address of the client (IPv4 or IPv6). - - name: timestamp - type: date - description: Timestamp at which the query occurred. -- name: log.source.address - type: keyword - description: Source address from which the log event was read / sent from. diff --git a/packages/cloudflare_logpush/0.2.1/data_stream/dns/manifest.yml b/packages/cloudflare_logpush/0.2.1/data_stream/dns/manifest.yml deleted file mode 100755 index 98c7468548..0000000000 --- a/packages/cloudflare_logpush/0.2.1/data_stream/dns/manifest.yml +++ /dev/null 
@@ -1,151 +0,0 @@ -title: Collect DNS logs from Cloudflare -type: logs -streams: - - input: http_endpoint - template_path: http_endpoint.yml.hbs - title: DNS logs - description: Collect DNS logs from Cloudflare. - vars: - - name: listen_port - type: integer - title: Listen Port - description: The port number the listener binds to. - multi: false - required: true - show_user: true - default: 9561 - - name: url - type: text - title: URL - description: This option specifies which URL path to accept requests on. Defaults to /. - multi: false - required: false - show_user: false - default: / - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: false - default: - - forwarded - - cloudflare_logpush_dns - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original`. - type: bool - multi: false - default: false - - name: preserve_duplicate_custom_fields - required: true - show_user: true - title: Preserve duplicate custom fields - description: Preserve custom fields for all ECS mappings. - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: >- - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. - - input: aws-s3 - title: DNS logs via S3 or SQS - description: Collect DNS logs from Cloudflare. - template_path: aws-s3.yml.hbs - vars: - - name: bucket_list_prefix - type: text - title: '[S3] Bucket Prefix' - multi: false - required: false - show_user: true - default: dns - description: Prefix to apply for the list request to the S3 bucket. 
- - name: interval - type: text - title: '[S3] Interval' - multi: false - required: false - show_user: true - default: 1m - description: Time interval for polling listing of the S3 bucket. NOTE:- Supported units for this parameter are h/m/s. - - name: number_of_workers - type: integer - title: '[S3] Number of Workers' - multi: false - required: false - show_user: true - default: 5 - description: Number of workers that will process the S3 objects listed. - - name: visibility_timeout - type: text - title: '[SQS] Visibility Timeout' - multi: false - required: false - show_user: true - default: 300s - description: The duration that the received messages are hidden from subsequent retrieve requests after being retrieved by a ReceiveMessage request. The maximum is 12 hours. - - name: api_timeout - type: text - title: '[SQS] API Timeout' - multi: false - required: false - show_user: true - default: 120s - description: The maximum duration of AWS API can take. The maximum is half of the visibility timeout value. - - name: max_number_of_messages - type: integer - title: '[SQS] Maximum Concurrent SQS Messages' - required: false - show_user: true - default: 5 - description: The maximum number of SQS messages that can be inflight at any time. - - name: file_selectors - type: yaml - title: '[SQS] File Selectors' - multi: false - required: false - show_user: false - default: | - - regex: 'dns/' - description: If the SQS queue will have events that correspond to files that this integration shouldn’t process, file_selectors can be used to limit the files that are downloaded. This is a list of selectors which are made up of regex and expand_event_list_from_field options. The regex should match the S3 object key in the SQS message, and the optional expand_event_list_from_field is the same as the global setting. If file_selectors is given, then any global expand_event_list_from_field value is ignored in favor of the ones specified in the file_selectors. 
Regexes use [RE2 syntax](https://pkg.go.dev/regexp/syntax). Files that don’t match one of the regexes will not be processed. - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: false - default: - - forwarded - - cloudflare_logpush_dns - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original`. - type: bool - multi: false - default: false - - name: preserve_duplicate_custom_fields - required: true - show_user: true - title: Preserve duplicate custom fields - description: Preserve custom fields for all ECS mappings. - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: >- - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. diff --git a/packages/cloudflare_logpush/0.2.1/data_stream/dns/sample_event.json b/packages/cloudflare_logpush/0.2.1/data_stream/dns/sample_event.json deleted file mode 100755 index 0b930fbc2e..0000000000 --- a/packages/cloudflare_logpush/0.2.1/data_stream/dns/sample_event.json +++ /dev/null 
@@ -1,83 +0,0 @@ -{ - "@timestamp": "2022-05-26T09:23:54.000Z", - "agent": { - "ephemeral_id": "5a08ea07-7e13-4f10-8bfa-5707606de846", - "hostname": "docker-fleet-agent", - "id": "8539930e-8f7a-48ac-af3e-7f098b7d6ea2", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "7.17.0" - }, - "cloudflare_logpush": { - "dns": { - "colo": { - "code": "MRS" - }, - "edns": { - "subnet": "1.128.0.0", - "subnet_length": 0 - }, - "query": { - "name": "example.com", - "type": 65535 - }, - "response": { - "cached": false, - "code": 0 - }, - "source": { - "ip": "175.16.199.0" - }, - "timestamp": "2022-05-26T09:23:54.000Z" - } - }, - "data_stream": { - "dataset": "cloudflare_logpush.dns", - "namespace": "ep", - "type": "logs" - }, - "dns": { - "question": { - "name": "example.com" - } - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "8539930e-8f7a-48ac-af3e-7f098b7d6ea2", - "snapshot": false, - "version": "7.17.0" - }, - "event": { - "agent_id_status": "verified", - "category": [ - "network" - ], - "dataset": "cloudflare_logpush.dns", - "ingested": "2022-09-01T10:06:44Z", - "kind": "event", - "original": "{\"ColoCode\":\"MRS\",\"EDNSSubnet\":\"1.128.0.0\",\"EDNSSubnetLength\":0,\"QueryName\":\"example.com\",\"QueryType\":65535,\"ResponseCached\":false,\"ResponseCode\":0,\"SourceIP\":\"175.16.199.0\",\"Timestamp\":\"2022-05-26T09:23:54Z\"}", - "type": [ - "info" - ] - }, - "input": { - "type": "http_endpoint" - }, - "related": { - "ip": [ - "175.16.199.0", - "1.128.0.0" - ] - }, - "source": { - "ip": "175.16.199.0" - }, - "tags": [ - "preserve_original_event", - "preserve_duplicate_custom_fields", - "forwarded", - "cloudflare_logpush_dns" - ] -} \ No newline at end of file diff --git a/packages/cloudflare_logpush/0.2.1/data_stream/firewall_event/agent/stream/aws-s3.yml.hbs b/packages/cloudflare_logpush/0.2.1/data_stream/firewall_event/agent/stream/aws-s3.yml.hbs deleted file mode 100755 index 6029a860d9..0000000000 
--- a/packages/cloudflare_logpush/0.2.1/data_stream/firewall_event/agent/stream/aws-s3.yml.hbs +++ /dev/null @@ -1,88 +0,0 @@ -{{#if collect_s3_logs}} - -{{#if bucket_arn}} -bucket_arn: {{bucket_arn}} -{{/if}} -{{#if number_of_workers}} -number_of_workers: {{number_of_workers}} -{{/if}} -{{#if interval}} -bucket_list_interval: {{interval}} -{{/if}} -{{#if bucket_list_prefix}} -bucket_list_prefix: {{bucket_list_prefix}} -{{/if}} - -{{else}} - -{{#if queue_url}} -queue_url: {{queue_url}} -{{/if}} -{{#if visibility_timeout}} -visibility_timeout: {{visibility_timeout}} -{{/if}} -{{#if api_timeout}} -api_timeout: {{api_timeout}} -{{/if}} -{{#if max_number_of_messages}} -max_number_of_messages: {{max_number_of_messages}} -{{/if}} -{{#if file_selectors}} -file_selectors: -{{file_selectors}} -{{/if}} - -{{/if}} - -{{#if access_key_id}} -access_key_id: {{access_key_id}} -{{/if}} -{{#if secret_access_key}} -secret_access_key: {{secret_access_key}} -{{/if}} -{{#if session_token}} -session_token: {{session_token}} -{{/if}} -{{#if shared_credential_file}} -shared_credential_file: {{shared_credential_file}} -{{/if}} -{{#if credential_profile_name}} -credential_profile_name: {{credential_profile_name}} -{{/if}} -{{#if role_arn}} -role_arn: {{role_arn}} -{{/if}} -{{#if endpoint}} -endpoint: {{endpoint}} -{{/if}} -{{#if default_region}} -default_region: {{default_region}} -{{/if}} -{{#if fips_enabled}} -fips_enabled: {{fips_enabled}} -{{/if}} -{{#if proxy_url}} -proxy_url: {{proxy_url}} -{{/if}} -tags: -{{#if collect_s3_logs}} - - collect_s3_logs -{{else}} - - collect_sqs_logs -{{/if}} -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#if preserve_duplicate_custom_fields}} - - preserve_duplicate_custom_fields -{{/if}} -{{#each tags as |tag|}} - - {{tag}} -{{/each}} -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} -{{#if processors}} -processors: -{{processors}} -{{/if}} 
diff --git a/packages/cloudflare_logpush/0.2.1/data_stream/firewall_event/agent/stream/http_endpoint.yml.hbs b/packages/cloudflare_logpush/0.2.1/data_stream/firewall_event/agent/stream/http_endpoint.yml.hbs deleted file mode 100755 index 53229700cc..0000000000 --- a/packages/cloudflare_logpush/0.2.1/data_stream/firewall_event/agent/stream/http_endpoint.yml.hbs +++ /dev/null @@ -1,36 +0,0 @@ -listen_address: {{listen_address}} -listen_port: {{listen_port}} -url: {{url}} -content_type: "" -{{#if secret_header}} -secret.header: {{secret_header}} -{{/if}} -{{#if secret_value}} -secret.value: {{secret_value}} -{{/if}} -{{#if preserve_original_event}} -preserve_original_event: true -{{/if}} -{{#if preserve_duplicate_custom_fields}} -preserve_duplicate_custom_fields: true -{{/if}} -tags: -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#if preserve_duplicate_custom_fields}} - - preserve_duplicate_custom_fields -{{/if}} -{{#each tags as |tag|}} - - {{tag}} -{{/each}} -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} -{{#if ssl}} -ssl: {{ssl}} -{{/if}} -{{#if processors}} -processors: -{{processors}} -{{/if}} diff --git a/packages/cloudflare_logpush/0.2.1/data_stream/firewall_event/elasticsearch/ingest_pipeline/default.yml b/packages/cloudflare_logpush/0.2.1/data_stream/firewall_event/elasticsearch/ingest_pipeline/default.yml deleted file mode 100755 index 77ae2b3b93..0000000000 --- a/packages/cloudflare_logpush/0.2.1/data_stream/firewall_event/elasticsearch/ingest_pipeline/default.yml +++ /dev/null 
@@ -1,287 +0,0 @@
----
-description: Pipeline for parsing Cloudflare Firewall Event logs.
-processors:
- - set:
- field: ecs.version
- value: '8.2.0'
- - rename:
- field: message
- target_field: event.original
- ignore_missing: true
- - json:
- field: event.original
- target_field: json
- ignore_failure: true
- - set:
- field: event.category
- value: [network]
- - set:
- field: event.kind
- value: event
- - set:
- field: event.type
- value: [info]
- - date:
- field: json.Datetime
- if: ctx.json?.Datetime != null && ctx.json.Datetime != ''
- formats:
- - ISO8601
- - uuuu-MM-dd'T'HH:mm:ssX
- - uuuu-MM-dd'T'HH:mm:ss.SSSX
- - yyyy-MM-dd'T'HH:mm:ssZ
- - yyyy-MM-dd'T'HH:mm:ss.SSSZ
- - UNIX_MS
- timezone: UTC
- on_failure:
- - append:
- field: error.message
- value: '{{{_ingest.on_failure_message}}}'
- - set:
- field: cloudflare_logpush.firewall_event.timestamp
- copy_from: '@timestamp'
- ignore_failure: true
- - rename:
- field: json.Action
- target_field: cloudflare_logpush.firewall_event.action
- ignore_missing: true
- - set:
- field: event.action
- copy_from: cloudflare_logpush.firewall_event.action
- ignore_failure: true
- - lowercase:
- field: event.action
- ignore_missing: true
- - rename:
- field: json.ClientRequestMethod
- target_field: cloudflare_logpush.firewall_event.client.request.method
- ignore_missing: true
- - set:
- field: http.request.method
- copy_from: cloudflare_logpush.firewall_event.client.request.method
- ignore_failure: true
- - convert:
- field: json.EdgeResponseStatus
- target_field: cloudflare_logpush.firewall_event.edge.response.status
- if: ctx.json?.EdgeResponseStatus != ''
- type: long
- ignore_missing: true
- on_failure:
- - append:
- field: error.message
- value: '{{{_ingest.on_failure_message}}}'
- - set:
- field: http.response.status_code
- copy_from: cloudflare_logpush.firewall_event.edge.response.status
- ignore_failure: true
- - rename:
- field: json.RuleID
- target_field: cloudflare_logpush.firewall_event.rule.id
- ignore_missing: true
- - set:
- field: rule.id
- copy_from: cloudflare_logpush.firewall_event.rule.id
- ignore_failure: true
- - convert:
- field: json.ClientASN
- target_field: cloudflare_logpush.firewall_event.client.asn.value
- if: ctx.json?.ClientASN != ''
- type: long
- ignore_missing: true
- on_failure:
- - append:
- field: error.message
- value: '{{{_ingest.on_failure_message}}}'
- - set:
- field: source.as.number
- copy_from: cloudflare_logpush.firewall_event.client.asn.value
- ignore_failure: true
- - rename:
- field: json.ClientCountry
- target_field: cloudflare_logpush.firewall_event.client.country
- ignore_missing: true
- - set:
- field: source.geo.country_iso_code
- copy_from: cloudflare_logpush.firewall_event.client.country
- ignore_failure: true
- - convert:
- field: json.ClientIP
- target_field: cloudflare_logpush.firewall_event.client.ip
- if: ctx.json?.ClientIP != ''
- type: ip
- ignore_missing: true
- on_failure:
- - append:
- field: error.message
- value: '{{{_ingest.on_failure_message}}}'
- - set:
- field: source.ip
- copy_from: cloudflare_logpush.firewall_event.client.ip
- ignore_failure: true
- - rename:
- field: json.ClientASNDescription
- target_field: cloudflare_logpush.firewall_event.client.asn.description
- ignore_missing: true
- - rename:
- field: json.ClientIPClass
- target_field: cloudflare_logpush.firewall_event.client.ip_class
- ignore_missing: true
- - rename:
- field: json.ClientRefererHost
- target_field: cloudflare_logpush.firewall_event.client.referer.host
- ignore_missing: true
- - rename:
- field: json.ClientRefererPath
- target_field: cloudflare_logpush.firewall_event.client.referer.path
- ignore_missing: true
- - rename:
- field: json.ClientRefererQuery
- target_field: cloudflare_logpush.firewall_event.client.referer.query
- ignore_missing: true
- - rename:
- field: json.ClientRefererScheme
- target_field: cloudflare_logpush.firewall_event.client.referer.scheme
- ignore_missing: true
- - rename:
- field: json.ClientRequestHost
- target_field: cloudflare_logpush.firewall_event.client.request.host
- ignore_missing: true
- - rename:
- field: json.ClientRequestPath
- target_field: cloudflare_logpush.firewall_event.client.request.path
- ignore_missing: true
- - rename:
- field: json.ClientRequestProtocol
- target_field: cloudflare_logpush.firewall_event.client.request.protocol
- ignore_missing: true
- - grok:
- field: cloudflare_logpush.firewall_event.client.request.protocol
- patterns:
- - "^%{DATA:network.protocol}/%{DATA:http.version}$"
- ignore_failure: true
- - lowercase:
- field: network.protocol
- ignore_missing: true
- - rename:
- field: json.ClientRequestQuery
- target_field: cloudflare_logpush.firewall_event.client.request.query
- ignore_missing: true
- - rename:
- field: json.ClientRequestScheme
- target_field: cloudflare_logpush.firewall_event.client.request.scheme
- ignore_missing: true
- - set:
- field: url.scheme
- copy_from: cloudflare_logpush.firewall_event.client.request.scheme
- ignore_failure: true
- - user_agent:
- field: json.ClientRequestUserAgent
- if: ctx.json?.ClientRequestUserAgent != ''
- ignore_failure: true
- - rename:
- field: json.ClientRequestUserAgent
- target_field: cloudflare_logpush.firewall_event.client.request.user.agent
- ignore_missing: true
- - rename:
- field: json.EdgeColoCode
- target_field: cloudflare_logpush.firewall_event.edge.colo.code
- ignore_missing: true
- - rename:
- field: json.Kind
- target_field: cloudflare_logpush.firewall_event.kind
- ignore_missing: true
- - convert:
- field: json.MatchIndex
- target_field: cloudflare_logpush.firewall_event.match_index
- if: ctx.json?.MatchIndex != ''
- type: long
- ignore_missing: true
- on_failure:
- - append:
- field: error.message
- value: '{{{_ingest.on_failure_message}}}'
- - rename:
- field: json.Metadata
- target_field: cloudflare_logpush.firewall_event.meta_data
- ignore_missing: true
- - convert:
- field: json.OriginResponseStatus
- target_field: cloudflare_logpush.firewall_event.origin.response.status
- if: ctx.json?.OriginResponseStatus != ''
- type: long
- ignore_missing: true
- on_failure:
- - append:
- field: error.message
- value: '{{{_ingest.on_failure_message}}}'
- - rename:
- field: json.OriginatorRayID
- target_field: cloudflare_logpush.firewall_event.origin.ray.id
- ignore_missing: true
- - rename:
- field: json.RayID
- target_field: cloudflare_logpush.firewall_event.ray.id
- ignore_missing: true
- - rename:
- field: json.Source
- target_field: cloudflare_logpush.firewall_event.source
- ignore_missing: true
- - append:
- field: related.ip
- value: '{{{source.ip}}}'
- if: ctx.source?.ip != null
- allow_duplicates: false
- ignore_failure: true
- - append:
- field: related.hosts
- value: '{{{cloudflare_logpush.firewall_event.client.referer.host}}}'
- if: ctx.cloudflare_logpush?.firewall_event?.client?.referer?.host != null
- allow_duplicates: false
- ignore_failure: true
- - append:
- field: related.hosts
- value: '{{{cloudflare_logpush.firewall_event.client.request.host}}}'
- if: ctx.cloudflare_logpush?.firewall_event?.client?.request?.host != null
- allow_duplicates: false
- ignore_failure: true
- - remove:
- field: json
- ignore_missing: true
- - remove:
- field:
- - cloudflare_logpush.firewall_event.timestamp
- - cloudflare_logpush.firewall_event.action
- - cloudflare_logpush.firewall_event.client.request.method
- - cloudflare_logpush.firewall_event.edge.response.status
- - cloudflare_logpush.firewall_event.rule.id
- - cloudflare_logpush.firewall_event.client.asn.value
- - cloudflare_logpush.firewall_event.client.country
- - cloudflare_logpush.firewall_event.client.ip
- if: ctx.tags == null || !(ctx.tags.contains('preserve_duplicate_custom_fields'))
- ignore_failure: true
- ignore_missing: true
- - remove:
- field: event.original
- if: ctx.tags == null || !(ctx.tags.contains('preserve_original_event'))
- ignore_failure: true
- ignore_missing: true
- - script:
- description: Drops null/empty values recursively.
- lang: painless
- source:
- boolean dropEmptyFields(Object object) {
- if (object == null || object == "") {
- return true;
- } else if (object instanceof Map) {
- ((Map) object).values().removeIf(value -> dropEmptyFields(value));
- return (((Map) object).size() == 0);
- } else if (object instanceof List) {
- ((List) object).removeIf(value -> dropEmptyFields(value));
- return (((List) object).length == 0);
- }
- return false;
- }
- dropEmptyFields(ctx);
-on_failure:
-- append:
- field: error.message
- value: '{{{ _ingest.on_failure_message }}}'
diff --git a/packages/cloudflare_logpush/0.2.1/data_stream/firewall_event/fields/agent.yml b/packages/cloudflare_logpush/0.2.1/data_stream/firewall_event/fields/agent.yml
deleted file mode 100755
index 73e076a93b..0000000000
--- a/packages/cloudflare_logpush/0.2.1/data_stream/firewall_event/fields/agent.yml
+++ /dev/null
@@ -1,186 +0,0 @@
-- name: cloud
- title: Cloud
- group: 2
- description: Fields related to the cloud or infrastructure the events are coming from.
- footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.'
- type: group
- fields:
- - name: account.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'The cloud account or organization ID used to identify different entities in a multi-tenant environment. Examples: AWS account ID, Google Cloud ORG ID, or other unique identifier.'
- example: 666777888999
- - name: availability_zone
- level: extended
- type: keyword
- ignore_above: 1024
- description: Availability zone in which this host is running.
- example: us-east-1c
- - name: instance.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance ID of the host machine.
- example: i-1234567890abcdef0
- - name: instance.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance name of the host machine.
- - name: machine.type
- level: extended
- type: keyword
- ignore_above: 1024
- description: Machine type of the host machine.
- example: t2.medium
- - name: provider
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
- example: aws
- - name: region
- level: extended
- type: keyword
- ignore_above: 1024
- description: Region in which this host is running.
- example: us-east-1
- - name: project.id
- type: keyword
- description: Name of the project in Google Cloud.
- - name: image.id
- type: keyword
- description: Image ID for the cloud instance.
-- name: container
- title: Container
- group: 2
- description: 'Container fields are used for meta information about the specific container that is the source of information. These fields help correlate data based containers from any runtime.'
- type: group
- fields:
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: Unique container ID.
- - name: image.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the image the container was built on.
- - name: labels
- level: extended
- type: object
- object_type: keyword
- description: Image labels.
- - name: name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Container name.
-- name: host
- title: Host
- group: 2
- description: 'A host is defined as a general computing instance. ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.'
- type: group
- fields:
- - name: architecture
- level: core
- type: keyword
- ignore_above: 1024
- description: Operating system architecture.
- example: x86_64
- - name: domain
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'Name of the domain of which the host is a member. For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.'
- example: CONTOSO
- default_field: false
- - name: hostname
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Hostname of the host. It normally contains what the `hostname` command returns on the host machine.'
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Unique host ID. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`.'
- - name: ip
- level: core
- type: ip
- description: Host IP addresses.
- - name: mac
- level: core
- type: keyword
- ignore_above: 1024
- description: Host mac addresses.
- - name: name
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.'
- - name: os.family
- level: extended
- type: keyword
- ignore_above: 1024
- description: OS family (such as redhat, debian, freebsd, windows).
- example: debian
- - name: os.kernel
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system kernel version as a raw string.
- example: 4.4.0-112-generic
- - name: os.name
- level: extended
- type: keyword
- ignore_above: 1024
- multi_fields:
- - name: text
- type: text
- norms: false
- default_field: false
- description: Operating system name, without the version.
- example: Mac OS X
- - name: os.platform
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system platform (such centos, ubuntu, windows).
- example: darwin
- - name: os.version
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system version as a raw string.
- example: 10.14.1
- - name: type
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.'
- - name: containerized
- type: boolean
- description: >
- If the host is a container.
-
- - name: os.build
- type: keyword
- example: "18D109"
- description: >
- OS build information.
-
- - name: os.codename
- type: keyword
- example: "stretch"
- description: >
- OS codename, if any.
-
-- name: input.type
- type: keyword
- description: Input type
-- name: log.offset
- type: long
- description: Log offset
diff --git a/packages/cloudflare_logpush/0.2.1/data_stream/firewall_event/fields/base-fields.yml b/packages/cloudflare_logpush/0.2.1/data_stream/firewall_event/fields/base-fields.yml
deleted file mode 100755
index 958bad1989..0000000000
--- a/packages/cloudflare_logpush/0.2.1/data_stream/firewall_event/fields/base-fields.yml
+++ /dev/null
@@ -1,20 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: '@timestamp'
- type: date
- description: Event timestamp.
-- name: event.dataset
- type: constant_keyword
- description: Event dataset.
- value: cloudflare_logpush.firewall_event
-- name: event.module
- type: constant_keyword
- description: Event module.
- value: cloudflare_logpush
diff --git a/packages/cloudflare_logpush/0.2.1/data_stream/firewall_event/fields/ecs.yml b/packages/cloudflare_logpush/0.2.1/data_stream/firewall_event/fields/ecs.yml
deleted file mode 100755
index e8caffe883..0000000000
--- a/packages/cloudflare_logpush/0.2.1/data_stream/firewall_event/fields/ecs.yml
+++ /dev/null
@@ -1,124 +0,0 @@
-- description: |-
- ECS version this event conforms to. `ecs.version` is a required field and must exist in all events.
- When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events.
- name: ecs.version
- type: keyword
-- description: |-
- The action captured by the event.
- This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer.
- name: event.action
- type: keyword
-- description: |-
- This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy.
- `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory.
- This field is an array. This will allow proper categorization of some events that fall in multiple categories.
- name: event.category
- normalize:
- - array
- type: keyword
-- description: |-
- event.created contains the date/time when the event was first read by an agent, or by your pipeline.
- This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event.
- In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source.
- In case the two timestamps are identical, @timestamp should be used.
- name: event.created
- type: date
-- description: |-
- This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy.
- `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events.
- The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not.
- name: event.kind
- type: keyword
-- description: |-
- Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex.
- This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`.
- doc_values: false
- index: false
- name: event.original
- type: keyword
-- description: |-
- This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy.
- `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization.
- This field is an array. This will allow proper categorization of some events that fall in multiple event types.
- name: event.type
- normalize:
- - array
- type: keyword
-- description: |-
- HTTP request method.
- The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field.
- name: http.request.method
- type: keyword
-- description: HTTP response status code.
- name: http.response.status_code
- type: long
-- description: HTTP version.
- name: http.version
- type: keyword
-- description: |-
- In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`.
- The field value must be normalized to lowercase for querying.
- name: network.protocol
- type: keyword
-- description: All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases.
- name: related.hosts
- normalize:
- - array
- type: keyword
-- description: All of the IPs seen on your event.
- name: related.ip
- normalize:
- - array
- type: ip
-- description: A rule ID that is unique within the scope of an agent, observer, or other entity using the rule for detection of this event.
- name: rule.id
- type: keyword
-- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet.
- name: source.as.number
- type: long
-- description: Country ISO code.
- name: source.geo.country_iso_code
- type: keyword
-- description: IP address of the source (IPv4 or IPv6).
- name: source.ip
- type: ip
-- description: List of keywords used to tag each event.
- name: tags
- normalize:
- - array
- type: keyword
-- description: |-
- Scheme of the request, such as "https".
- Note: The `:` is not part of the scheme.
- name: url.scheme
- type: keyword
-- description: Name of the device.
- name: user_agent.device.name
- type: keyword
-- description: Name of the user agent.
- name: user_agent.name
- type: keyword
-- description: Unparsed user_agent string.
- multi_fields:
- - name: text
- type: match_only_text
- name: user_agent.original
- type: keyword
-- description: Operating system name, including the version or code name.
- multi_fields:
- - name: text
- type: match_only_text
- name: user_agent.os.full
- type: keyword
-- description: Operating system name, without the version.
- multi_fields:
- - name: text
- type: match_only_text
- name: user_agent.os.name
- type: keyword
-- description: Operating system version as a raw string.
- name: user_agent.os.version
- type: keyword
-- description: Version of the user agent.
- name: user_agent.version
- type: keyword
diff --git a/packages/cloudflare_logpush/0.2.1/data_stream/firewall_event/fields/fields.yml b/packages/cloudflare_logpush/0.2.1/data_stream/firewall_event/fields/fields.yml
deleted file mode 100755
index eb9b2fccb0..0000000000
--- a/packages/cloudflare_logpush/0.2.1/data_stream/firewall_event/fields/fields.yml
+++ /dev/null
@@ -1,129 +0,0 @@
-- name: cloudflare_logpush.firewall_event
- type: group
- fields:
- - name: action
- type: keyword
- description: The code of the first-class action the Cloudflare Firewall took on this request.
- - name: client
- type: group
- fields:
- - name: asn
- type: group
- fields:
- - name: description
- type: keyword
- description: The ASN of the visitor as string.
- - name: value
- type: long
- description: The ASN number of the visitor.
- - name: country
- type: keyword
- description: Country from which request originated.
- - name: ip
- type: ip
- description: The visitor IP address (IPv4 or IPv6).
- - name: ip_class
- type: keyword
- description: The classification of the visitor IP address, possible values are:- 'unknown', 'badHost', 'searchEngine', 'allowlist', 'monitoringService', 'noRecord', 'scan' and 'tor'.
- - name: referer
- type: group
- fields:
- - name: host
- type: keyword
- description: The referer host.
- - name: path
- type: text
- description: The referer path requested by visitor.
- - name: query
- type: keyword
- description: The referer query-string was requested by the visitor.
- - name: scheme
- type: text
- description: The referer URL scheme requested by the visitor.
- - name: request
- type: group
- fields:
- - name: host
- type: keyword
- description: The HTTP hostname requested by the visitor.
- - name: method
- type: keyword
- description: The HTTP method used by the visitor.
- - name: path
- type: text
- description: The path requested by visitor.
- - name: protocol
- type: keyword
- description: The version of HTTP protocol requested by the visitor.
- - name: query
- type: keyword
- description: The query-string was requested by the visitor.
- - name: scheme
- type: text
- description: The URL scheme requested by the visitor.
- - name: user
- type: group
- fields:
- - name: agent
- type: text
- description: Visitor's user-agent string.
- - name: edge
- type: group
- fields:
- - name: colo
- type: group
- fields:
- - name: code
- type: keyword
- description: The airport code of the Cloudflare datacenter that served this request.
- - name: response
- type: group
- fields:
- - name: status
- type: long
- description: HTTP response status code returned to browser.
- - name: kind
- type: keyword
- description: The kind of event, currently only possible values are.
- - name: match_index
- type: long
- description: Rules match index in the chain.
- - name: meta_data
- type: flattened
- description: Additional product-specific information.
- - name: origin
- type: group
- fields:
- - name: ray
- type: group
- fields:
- - name: id
- type: keyword
- description: HTTP origin response status code returned to browser.
- - name: response
- type: group
- fields:
- - name: status
- type: long
- description: The RayID of the request that issued the challenge/jschallenge.
- - name: ray
- type: group
- fields:
- - name: id
- type: keyword
- description: The RayID of the request.
- - name: rule
- type: group
- fields:
- - name: id
- type: keyword
- description: The Cloudflare security product-specific RuleID triggered by this request.
- - name: source
- type: keyword
- description: The Cloudflare security product triggered by this request.
- - name: timestamp
- type: date
- description: The date and time the event occurred at the edge.
-- name: log.source.address
- type: keyword
- description: Source address from which the log event was read / sent from.
diff --git a/packages/cloudflare_logpush/0.2.1/data_stream/firewall_event/manifest.yml b/packages/cloudflare_logpush/0.2.1/data_stream/firewall_event/manifest.yml
deleted file mode 100755
index 9d0297f947..0000000000
--- a/packages/cloudflare_logpush/0.2.1/data_stream/firewall_event/manifest.yml
+++ /dev/null
@@ -1,151 +0,0 @@
-title: Collect Firewall Event logs from Cloudflare
-type: logs
-streams:
- - input: http_endpoint
- template_path: http_endpoint.yml.hbs
- title: Firewall Event logs
- description: Collect Firewall Event logs from Cloudflare.
- vars:
- - name: listen_port
- type: integer
- title: Listen Port
- description: The port number the listener binds to.
- multi: false
- required: true
- show_user: true
- default: 9562
- - name: url
- type: text
- title: URL
- description: This option specifies which URL path to accept requests on. Defaults to /.
- multi: false
- required: false
- show_user: false
- default: /
- - name: tags
- type: text
- title: Tags
- multi: true
- required: true
- show_user: false
- default:
- - forwarded
- - cloudflare_logpush_firewall_event
- - name: preserve_original_event
- required: true
- show_user: true
- title: Preserve original event
- description: Preserves a raw copy of the original event, added to the field `event.original`.
- type: bool
- multi: false
- default: false
- - name: preserve_duplicate_custom_fields
- required: true
- show_user: true
- title: Preserve duplicate custom fields
- description: Preserve custom fields for all ECS mappings.
- type: bool
- multi: false
- default: false
- - name: processors
- type: yaml
- title: Processors
- multi: false
- required: false
- show_user: false
- description: >-
- Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
- - input: aws-s3
- title: Firewall Event logs via S3 or SQS
- description: Collect Firewall Event logs from Cloudflare.
- template_path: aws-s3.yml.hbs
- vars:
- - name: bucket_list_prefix
- type: text
- title: '[S3] Bucket Prefix'
- multi: false
- required: false
- show_user: true
- default: firewall_event
- description: Prefix to apply for the list request to the S3 bucket.
- - name: interval
- type: text
- title: '[S3] Interval'
- multi: false
- required: false
- show_user: true
- default: 1m
- description: Time interval for polling listing of the S3 bucket. NOTE:- Supported units for this parameter are h/m/s.
- - name: number_of_workers
- type: integer
- title: '[S3] Number of Workers'
- multi: false
- required: false
- show_user: true
- default: 5
- description: Number of workers that will process the S3 objects listed.
- - name: visibility_timeout
- type: text
- title: '[SQS] Visibility Timeout'
- multi: false
- required: false
- show_user: true
- default: 300s
- description: The duration that the received messages are hidden from subsequent retrieve requests after being retrieved by a ReceiveMessage request. The maximum is 12 hours.
- - name: api_timeout
- type: text
- title: '[SQS] API Timeout'
- multi: false
- required: false
- show_user: true
- default: 120s
- description: The maximum duration of AWS API can take. The maximum is half of the visibility timeout value.
- - name: max_number_of_messages
- type: integer
- title: '[SQS] Maximum Concurrent SQS Messages'
- required: false
- show_user: true
- default: 5
- description: The maximum number of SQS messages that can be inflight at any time.
- - name: file_selectors
- type: yaml
- title: '[SQS] File Selectors'
- multi: false
- required: false
- show_user: false
- default: |
- - regex: 'firewall_event/'
- description: If the SQS queue will have events that correspond to files that this integration shouldn’t process, file_selectors can be used to limit the files that are downloaded. This is a list of selectors which are made up of regex and expand_event_list_from_field options. The regex should match the S3 object key in the SQS message, and the optional expand_event_list_from_field is the same as the global setting. If file_selectors is given, then any global expand_event_list_from_field value is ignored in favor of the ones specified in the file_selectors. Regexes use [RE2 syntax](https://pkg.go.dev/regexp/syntax). Files that don’t match one of the regexes will not be processed.
- - name: tags
- type: text
- title: Tags
- multi: true
- required: true
- show_user: false
- default:
- - forwarded
- - cloudflare_logpush_firewall_event
- - name: preserve_original_event
- required: true
- show_user: true
- title: Preserve original event
- description: Preserves a raw copy of the original event, added to the field `event.original`.
- type: bool
- multi: false
- default: false
- - name: preserve_duplicate_custom_fields
- required: true
- show_user: true
- title: Preserve duplicate custom fields
- description: Preserve custom fields for all ECS mappings.
- type: bool
- multi: false
- default: false
- - name: processors
- type: yaml
- title: Processors
- multi: false
- required: false
- show_user: false
- description: >-
- Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
diff --git a/packages/cloudflare_logpush/0.2.1/data_stream/firewall_event/sample_event.json b/packages/cloudflare_logpush/0.2.1/data_stream/firewall_event/sample_event.json
deleted file mode 100755
index e00847dbaa..0000000000
--- a/packages/cloudflare_logpush/0.2.1/data_stream/firewall_event/sample_event.json
+++ /dev/null
@@ -1,157 +0,0 @@
-{
- "@timestamp": "2022-05-31T05:23:43.000Z",
- "agent": {
- "ephemeral_id": "75919903-db61-44c5-8c6c-9829fcfbd280",
- "hostname": "docker-fleet-agent",
- "id": "8539930e-8f7a-48ac-af3e-7f098b7d6ea2",
- "name": "docker-fleet-agent",
- "type": "filebeat",
- "version": "7.17.0"
- },
- "cloudflare_logpush": {
- "firewall_event": {
- "action": "block",
- "client": {
- "asn": {
- "description": "CLOUDFLARENET",
- "value": 15169
- },
- "country": "us",
- "ip": "175.16.199.0",
- "ip_class": "searchEngine",
- "referer": {
- "host": "abc.example.com",
- "path": "/abc/checkout",
- "query": "?sourcerer=(default%3A(id%3A!n%2CselectedPatterns%3A!(eqldemo%2C%27logs-endpoint.*-eqldemo%27%2C%27logs-system.*-eqldemo%27%2C%27logs-windows.*-eqldemo%27%2Cmetricseqldemo)))\u0026timerange=(global%3A(linkTo%3A!()%2Ctimerange%3A(from%3A%272022-04-05T00%3A00%3A01.199Z%27%2CfromStr%3Anow-24h%2Ckind%3Arelative%2Cto%3A%272022-04-06T00%3A00%3A01.200Z%27%2CtoStr%3Anow))%2Ctimeline%3A(linkTo%3A!()%2Ctimerange%3A(from%3A%272022-04-05T00%3A00%3A01.201Z%27%2CfromStr%3Anow-24h%2Ckind%3Arelative%2Cto%3A%272022-04-06T00%3A00%3A01.202Z%27%2CtoStr%3Anow)))",
- "scheme": "referer URL scheme"
- },
- "request": {
- "host": "xyz.example.com",
- "method": "GET",
- "path": "/abc/checkout",
- "protocol": "HTTP/1.1",
- "query": "?sourcerer=(default%3A(id%3A!n%2CselectedPatterns%3A!(eqldemo%2C%27logs-endpoint.*-eqldemo%27%2C%27logs-system.*-eqldemo%27%2C%27logs-windows.*-eqldemo%27%2Cmetricseqldemo)))\u0026timerange=(global%3A(linkTo%3A!()%2Ctimerange%3A(from%3A%272022-04-05T00%3A00%3A01.199Z%27%2CfromStr%3Anow-24h%2Ckind%3Arelative%2Cto%3A%272022-04-06T00%3A00%3A01.200Z%27%2CtoStr%3Anow))%2Ctimeline%3A(linkTo%3A!()%2Ctimerange%3A(from%3A%272022-04-05T00%3A00%3A01.201Z%27%2CfromStr%3Anow-24h%2Ckind%3Arelative%2Cto%3A%272022-04-06T00%3A00%3A01.202Z%27%2CtoStr%3Anow)))",
- "scheme": "https",
- "user": {
- "agent": "Mozilla/5.0 (Linux; Android 6.0.1; Nexus 5X Build/MMB29P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.64 Mobile Safari/537.36 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
- }
- }
- },
- "edge": {
- "colo": {
- "code": "IAD"
- },
- "response": {
- "status": 403
- }
- },
- "kind": "firewall",
- "match_index": 1,
- "meta_data": {
- "filter": "1ced07e066a34abf8b14f2a99593bc8d",
- "type": "customer"
- },
- "origin": {
- "ray": {
- "id": "00"
- },
- "response": {
- "status": 0
- }
- },
- "ray": {
- "id": "713d477539b55c29"
- },
- "rule": {
- "id": "7dc666e026974dab84884c73b3e2afe1"
- },
- "source": "firewallrules",
- "timestamp": "2022-05-31T05:23:43.000Z"
- }
- },
- "data_stream": {
- "dataset": "cloudflare_logpush.firewall_event",
- "namespace": "ep",
- "type": "logs"
- },
- "ecs": {
- "version": "8.2.0"
- },
- "elastic_agent": {
- "id": "8539930e-8f7a-48ac-af3e-7f098b7d6ea2",
- "snapshot": false,
- "version": "7.17.0"
- },
- "event": {
- "action": "block",
- "agent_id_status": "verified",
- "category": [
- "network"
- ],
- "dataset": "cloudflare_logpush.firewall_event",
- "ingested": "2022-09-01T10:07:34Z",
- "kind": "event",
- "original": "{\"Action\":\"block\",\"ClientASN\":15169,\"ClientASNDescription\":\"CLOUDFLARENET\",\"ClientCountry\":\"us\",\"ClientIP\":\"175.16.199.0\",\"ClientIPClass\":\"searchEngine\",\"ClientRefererHost\":\"abc.example.com\",\"ClientRefererPath\":\"/abc/checkout\",\"ClientRefererQuery\":\"?sourcerer=(default%3A(id%3A!n%2CselectedPatterns%3A!(eqldemo%2C%27logs-endpoint.*-eqldemo%27%2C%27logs-system.*-eqldemo%27%2C%27logs-windows.*-eqldemo%27%2Cmetricseqldemo)))\\u0026timerange=(global%3A(linkTo%3A!()%2Ctimerange%3A(from%3A%272022-04-05T00%3A00%3A01.199Z%27%2CfromStr%3Anow-24h%2Ckind%3Arelative%2Cto%3A%272022-04-06T00%3A00%3A01.200Z%27%2CtoStr%3Anow))%2Ctimeline%3A(linkTo%3A!()%2Ctimerange%3A(from%3A%272022-04-05T00%3A00%3A01.201Z%27%2CfromStr%3Anow-24h%2Ckind%3Arelative%2Cto%3A%272022-04-06T00%3A00%3A01.202Z%27%2CtoStr%3Anow)))\",\"ClientRefererScheme\":\"referer URL scheme\",\"ClientRequestHost\":\"xyz.example.com\",\"ClientRequestMethod\":\"GET\",\"ClientRequestPath\":\"/abc/checkout\",\"ClientRequestProtocol\":\"HTTP/1.1\",\"ClientRequestQuery\":\"?sourcerer=(default%3A(id%3A!n%2CselectedPatterns%3A!(eqldemo%2C%27logs-endpoint.*-eqldemo%27%2C%27logs-system.*-eqldemo%27%2C%27logs-windows.*-eqldemo%27%2Cmetricseqldemo)))\\u0026timerange=(global%3A(linkTo%3A!()%2Ctimerange%3A(from%3A%272022-04-05T00%3A00%3A01.199Z%27%2CfromStr%3Anow-24h%2Ckind%3Arelative%2Cto%3A%272022-04-06T00%3A00%3A01.200Z%27%2CtoStr%3Anow))%2Ctimeline%3A(linkTo%3A!()%2Ctimerange%3A(from%3A%272022-04-05T00%3A00%3A01.201Z%27%2CfromStr%3Anow-24h%2Ckind%3Arelative%2Cto%3A%272022-04-06T00%3A00%3A01.202Z%27%2CtoStr%3Anow)))\",\"ClientRequestScheme\":\"https\",\"ClientRequestUserAgent\":\"Mozilla/5.0 (Linux; Android 6.0.1; Nexus 5X Build/MMB29P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.64 Mobile Safari/537.36 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)\",\"Datetime\":\"2022-05-31T05:23:43Z\",\"EdgeColoCode\":\"IAD\",\"EdgeResponseStatus\":403,\"Kind\":\"firewall\",\"MatchIndex\":1,\"Metadata\":{\"filter\":\"1ced07e066a34abf8b14f2a99593bc8d\",\"type\":\"customer\"},\"OriginResponseStatus\":0,\"OriginatorRayID\":\"00\",\"RayID\":\"713d477539b55c29\",\"RuleID\":\"7dc666e026974dab84884c73b3e2afe1\",\"Source\":\"firewallrules\"}",
- "type": [
- "info"
- ]
- },
- "http": {
- "request": {
- "method": "GET"
- },
- "response": {
- "status_code": 403
- },
- "version": "1.1"
- },
- "input": {
- "type": "http_endpoint"
- },
- "network": {
- "protocol": "http"
- },
- "related": {
- "hosts": [
- "abc.example.com",
- "xyz.example.com"
- ],
- "ip": [
- "175.16.199.0"
- ]
- },
- "rule": {
- "id": "7dc666e026974dab84884c73b3e2afe1"
- },
- "source": {
- "as": {
- "number": 15169
- },
- "geo": {
- "country_iso_code": "us"
- },
- "ip": "175.16.199.0"
- },
- "tags": [
- "preserve_original_event",
- "preserve_duplicate_custom_fields",
- "forwarded",
- "cloudflare_logpush_firewall_event"
- ],
- "url": {
- "scheme": "https"
- },
- "user_agent": {
- "device": {
- "name": "Spider"
- },
- "name": "Googlebot",
- "original": "Mozilla/5.0 (Linux; Android 6.0.1; Nexus 5X Build/MMB29P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.64 Mobile Safari/537.36 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)",
- "os": {
- "full": "Android 6.0.1",
- "name": "Android",
- "version": "6.0.1"
- },
- "version": "2.1"
- }
-}
\ No newline at end of file
diff --git a/packages/cloudflare_logpush/0.2.1/data_stream/http_request/agent/stream/aws-s3.yml.hbs b/packages/cloudflare_logpush/0.2.1/data_stream/http_request/agent/stream/aws-s3.yml.hbs
deleted file mode 100755
index 6029a860d9..0000000000
--- a/packages/cloudflare_logpush/0.2.1/data_stream/http_request/agent/stream/aws-s3.yml.hbs
+++ /dev/null
@@ -1,88 +0,0 @@
-{{#if collect_s3_logs}}
-
-{{#if bucket_arn}}
-bucket_arn: {{bucket_arn}}
-{{/if}}
-{{#if number_of_workers}}
-number_of_workers: {{number_of_workers}}
-{{/if}}
-{{#if interval}}
-bucket_list_interval: {{interval}}
-{{/if}}
-{{#if bucket_list_prefix}}
-bucket_list_prefix: {{bucket_list_prefix}}
-{{/if}}
-
-{{else}}
-
-{{#if queue_url}}
-queue_url: {{queue_url}}
-{{/if}}
-{{#if visibility_timeout}}
-visibility_timeout: {{visibility_timeout}}
-{{/if}}
-{{#if api_timeout}}
-api_timeout: {{api_timeout}}
-{{/if}}
-{{#if max_number_of_messages}}
-max_number_of_messages: {{max_number_of_messages}}
-{{/if}}
-{{#if file_selectors}}
-file_selectors:
-{{file_selectors}}
-{{/if}}
-
-{{/if}}
-
-{{#if access_key_id}}
-access_key_id: {{access_key_id}}
-{{/if}}
-{{#if secret_access_key}}
-secret_access_key: {{secret_access_key}}
-{{/if}}
-{{#if session_token}}
-session_token: {{session_token}}
-{{/if}}
-{{#if shared_credential_file}}
-shared_credential_file: {{shared_credential_file}}
-{{/if}}
-{{#if credential_profile_name}}
-credential_profile_name: {{credential_profile_name}}
-{{/if}}
-{{#if role_arn}}
-role_arn: {{role_arn}}
-{{/if}}
-{{#if endpoint}}
-endpoint: {{endpoint}}
-{{/if}}
-{{#if default_region}}
-default_region: {{default_region}}
-{{/if}}
-{{#if fips_enabled}}
-fips_enabled: {{fips_enabled}}
-{{/if}}
-{{#if proxy_url}}
-proxy_url: {{proxy_url}}
-{{/if}}
-tags:
-{{#if collect_s3_logs}}
- - collect_s3_logs
-{{else}}
- - collect_sqs_logs
-{{/if}}
-{{#if preserve_original_event}}
- - preserve_original_event
-{{/if}}
-{{#if preserve_duplicate_custom_fields}}
- - preserve_duplicate_custom_fields
-{{/if}}
-{{#each tags as |tag|}}
- - {{tag}}
-{{/each}}
-{{#contains "forwarded" tags}}
-publisher_pipeline.disable_host: true
-{{/contains}}
-{{#if processors}}
-processors:
-{{processors}}
-{{/if}}
diff --git a/packages/cloudflare_logpush/0.2.1/data_stream/http_request/agent/stream/http_endpoint.yml.hbs b/packages/cloudflare_logpush/0.2.1/data_stream/http_request/agent/stream/http_endpoint.yml.hbs
deleted file mode 100755
index 53229700cc..0000000000
--- a/packages/cloudflare_logpush/0.2.1/data_stream/http_request/agent/stream/http_endpoint.yml.hbs
+++ /dev/null
@@ -1,36 +0,0 @@
-listen_address: {{listen_address}}
-listen_port: {{listen_port}}
-url: {{url}}
-content_type: ""
-{{#if secret_header}}
-secret.header: {{secret_header}}
-{{/if}}
-{{#if secret_value}}
-secret.value: {{secret_value}}
-{{/if}}
-{{#if preserve_original_event}}
-preserve_original_event: true
-{{/if}}
-{{#if preserve_duplicate_custom_fields}}
-preserve_duplicate_custom_fields: true
-{{/if}}
-tags:
-{{#if preserve_original_event}}
- - preserve_original_event
-{{/if}}
-{{#if preserve_duplicate_custom_fields}}
- - preserve_duplicate_custom_fields
-{{/if}}
-{{#each tags as |tag|}}
- - {{tag}}
-{{/each}}
-{{#contains "forwarded" tags}}
-publisher_pipeline.disable_host: true
-{{/contains}}
-{{#if ssl}}
-ssl: {{ssl}}
-{{/if}}
-{{#if processors}}
-processors:
-{{processors}}
-{{/if}}
diff --git a/packages/cloudflare_logpush/0.2.1/data_stream/http_request/elasticsearch/ingest_pipeline/default.yml b/packages/cloudflare_logpush/0.2.1/data_stream/http_request/elasticsearch/ingest_pipeline/default.yml
deleted file mode 100755
index b45e0edbc5..0000000000
--- a/packages/cloudflare_logpush/0.2.1/data_stream/http_request/elasticsearch/ingest_pipeline/default.yml
+++ /dev/null
@@ -1,716 +0,0 @@
----
-description: Pipeline for parsing Cloudflare HTTP Request logs.
-processors:
- - set:
- field: ecs.version
- value: '8.2.0'
- - rename:
- field: message
- target_field: event.original
- ignore_missing: true
- - json:
- field: event.original
- target_field: json
- ignore_failure: true
- - set:
- field: event.category
- value: [network]
- - set:
- field: event.kind
- value: event
- - set:
- field: event.type
- value: [info]
- - date:
- field: json.EdgeEndTimestamp
- if: ctx.json?.EdgeEndTimestamp != null && ctx.json.EdgeEndTimestamp != ''
- formats:
- - ISO8601
- - uuuu-MM-dd'T'HH:mm:ssX
- - uuuu-MM-dd'T'HH:mm:ss.SSSX
- - yyyy-MM-dd'T'HH:mm:ssZ
- - yyyy-MM-dd'T'HH:mm:ss.SSSZ
- - UNIX_MS
- timezone: UTC
- target_field: cloudflare_logpush.http_request.edge.end_time
- on_failure:
- - append:
- field: error.message
- value: '{{{_ingest.on_failure_message}}}'
- - date:
- field: json.EdgeStartTimestamp
- if: ctx.json?.EdgeStartTimestamp != null && ctx.json.EdgeStartTimestamp != ''
- formats:
- - ISO8601
- - uuuu-MM-dd'T'HH:mm:ssX
- - uuuu-MM-dd'T'HH:mm:ss.SSSX
- - yyyy-MM-dd'T'HH:mm:ssZ
- - yyyy-MM-dd'T'HH:mm:ss.SSSZ
- - UNIX_MS
- timezone: UTC
- target_field: cloudflare_logpush.http_request.edge.start_time
- on_failure:
- - append:
- field: error.message
- value: '{{{_ingest.on_failure_message}}}'
- - date:
- field: json.OriginResponseHTTPExpires
- if: ctx.json?.OriginResponseHTTPExpires != null && ctx.json.OriginResponseHTTPExpires != ''
- formats:
- - ISO8601
- - EEE, dd MMM yyyy HH:mm:ss zzz
- - uuuu-MM-dd'T'HH:mm:ssX
- - uuuu-MM-dd'T'HH:mm:ss.SSSX
- - yyyy-MM-dd'T'HH:mm:ssZ
- - yyyy-MM-dd'T'HH:mm:ss.SSSZ
- - UNIX_MS
- timezone: UTC
- target_field: cloudflare_logpush.http_request.origin.response.http.expires
- on_failure:
- - append:
- field: error.message
- value: '{{{_ingest.on_failure_message}}}'
- - date:
- field: json.OriginResponseHTTPLastModified
- if: ctx.json?.OriginResponseHTTPLastModified != null && ctx.json.OriginResponseHTTPLastModified != ''
- timezone: UTC
- formats:
- - ISO8601
- - EEE, dd MMM yyyy HH:mm:ss zzz
- - uuuu-MM-dd'T'HH:mm:ssX
- - uuuu-MM-dd'T'HH:mm:ss.SSSX
- - yyyy-MM-dd'T'HH:mm:ssZ
- - yyyy-MM-dd'T'HH:mm:ss.SSSZ
- - UNIX_MS
- target_field: cloudflare_logpush.http_request.origin.response.http.last_modified
- on_failure:
- - append:
- field: error.message
- value: '{{{_ingest.on_failure_message}}}'
- - convert:
- field: json.OriginIP
- target_field: cloudflare_logpush.http_request.origin.ip
- if: ctx.json?.OriginIP != ''
- type: ip
- ignore_missing: true
- on_failure:
- - append:
- field: error.message
- value: '{{{_ingest.on_failure_message}}}'
- - set:
- field: destination.ip
- copy_from: cloudflare_logpush.http_request.origin.ip
- ignore_failure: true
- - rename:
- field: json.ClientRequestMethod
- target_field: cloudflare_logpush.http_request.client.request.method
- ignore_missing: true
- - set:
- field: http.request.method
- copy_from: cloudflare_logpush.http_request.client.request.method
- ignore_failure: true
- - rename:
- field: json.EdgeResponseContentType
- target_field: cloudflare_logpush.http_request.edge.response.content_type
- ignore_missing: true
- - set:
- field: http.response.mime_type
- copy_from: cloudflare_logpush.http_request.edge.response.content_type
- ignore_failure: true
- - convert:
- field: json.EdgeResponseStatus
- target_field: cloudflare_logpush.http_request.edge.response.status
- if: ctx.json?.EdgeResponseStatus != ''
- type: long
- ignore_missing: true
- on_failure:
- - append:
- field: error.message
- value: '{{{_ingest.on_failure_message}}}'
- - set:
- field: http.response.status_code
- copy_from: cloudflare_logpush.http_request.edge.response.status
- ignore_failure: true
- - convert:
- field: json.ClientASN
- target_field: cloudflare_logpush.http_request.client.asn
- if: ctx.json?.ClientASN != ''
- type: long
- ignore_missing: true
- on_failure:
- - append:
- field: error.message
- value: '{{{_ingest.on_failure_message}}}'
- - set:
- field: source.as.number
- copy_from: cloudflare_logpush.http_request.client.asn
- ignore_failure: true
- - rename:
- field: json.ClientCountry
- target_field: cloudflare_logpush.http_request.client.country
- ignore_missing: true
- - set:
- field: source.geo.country_iso_code
- copy_from: cloudflare_logpush.http_request.client.country
- ignore_failure: true
- - convert:
- field: json.ClientIP
- target_field: cloudflare_logpush.http_request.client.ip
- if: ctx.json?.ClientIP != ''
- type: ip
- ignore_missing: true
- on_failure:
- - append:
- field: error.message
- value: '{{{_ingest.on_failure_message}}}'
- - set:
- field: source.ip
- copy_from: cloudflare_logpush.http_request.client.ip
- ignore_failure: true
- - convert:
- field: json.BotScore
- target_field: cloudflare_logpush.http_request.bot.score.value
- if: ctx.json?.BotScore != ''
- type: long
- ignore_missing: true
- on_failure:
- - append:
- field: error.message
- value: '{{{_ingest.on_failure_message}}}'
- - rename:
- field: json.BotScoreSrc
- target_field: cloudflare_logpush.http_request.bot.score.src
- ignore_missing: true
- - rename:
- field: json.BotTags
- target_field: cloudflare_logpush.http_request.bot.tag
- ignore_missing: true
- - rename:
- field: json.CacheCacheStatus
- target_field: cloudflare_logpush.http_request.cache.status
- ignore_missing: true
- - convert:
- field: json.CacheResponseBytes
- target_field: cloudflare_logpush.http_request.cache.response.bytes
- if: ctx.json?.CacheResponseBytes != ''
- type: long
- ignore_missing: true
- on_failure:
- - append:
- field: error.message
- value: '{{{_ingest.on_failure_message}}}'
- - convert:
- field: json.CacheResponseStatus
- target_field: cloudflare_logpush.http_request.cache.response.status
- if: ctx.json?.CacheResponseStatus != ''
- type: long
- ignore_missing: true
- on_failure:
- - append:
- field: error.message
- value: '{{{_ingest.on_failure_message}}}'
- - rename:
- field: json.CacheTieredFill
- target_field: cloudflare_logpush.http_request.cache.tiered_fill
- ignore_missing: true
- - rename:
- field: json.ClientDeviceType
- target_field: cloudflare_logpush.http_request.client.device.type
- ignore_missing: true
- - rename:
- field: json.ClientIPClass
- target_field: cloudflare_logpush.http_request.client.ip_class
- ignore_missing: true
- - rename:
- field: json.ClientMTLSAuthCertFingerprint
- target_field: cloudflare_logpush.http_request.client.mtls.auth.fingerprint
- ignore_missing: true
- - rename:
- field: json.ClientMTLSAuthStatus
- target_field: cloudflare_logpush.http_request.client.mtls.auth.status
- ignore_missing: true
- - convert:
- field: json.ClientRequestBytes
- target_field: cloudflare_logpush.http_request.client.request.bytes
- if: ctx.json?.ClientRequestBytes != ''
- type: long
- ignore_missing: true
- on_failure:
- - append:
- field: error.message
- value: '{{{_ingest.on_failure_message}}}'
- - rename:
- field: json.ClientRequestHost
- target_field: cloudflare_logpush.http_request.client.request.host
- ignore_missing: true
- - rename:
- field: json.ClientRequestPath
- target_field: cloudflare_logpush.http_request.client.request.path
- ignore_missing: true
- - rename:
- field: json.ClientRequestProtocol
- target_field: cloudflare_logpush.http_request.client.request.protocol
- ignore_missing: true
- - grok:
- field: cloudflare_logpush.http_request.client.request.protocol
- patterns:
- - "^%{DATA:network.protocol}/%{DATA:http.version}$"
- - lowercase:
- field: network.protocol
- ignore_missing: true
- - uri_parts:
- field: json.ClientRequestReferer
- ignore_failure: true
- - rename:
- field: json.ClientRequestReferer
- target_field: cloudflare_logpush.http_request.client.request.referer
- ignore_missing: true
- - rename:
- field: json.ClientRequestScheme
- target_field: cloudflare_logpush.http_request.client.request.scheme
- ignore_missing: true
- - rename:
- field: json.ClientRequestSource
- target_field: cloudflare_logpush.http_request.client.request.source
- ignore_missing: true
- - rename:
- field: json.ClientRequestURI
- target_field: cloudflare_logpush.http_request.client.request.uri
- ignore_missing: true
- - user_agent:
- field: json.ClientRequestUserAgent
- if: ctx.json?.ClientRequestUserAgent != ''
- ignore_failure: true
- - rename:
- field: json.ClientRequestUserAgent
- target_field: cloudflare_logpush.http_request.client.request.user.agent
- ignore_missing: true
- - rename:
- field: json.ClientSSLCipher
- target_field: cloudflare_logpush.http_request.client.ssl.cipher
- ignore_missing: true
- - rename:
- field: json.ClientSSLProtocol
- target_field: cloudflare_logpush.http_request.client.ssl.protocol
- ignore_missing: true
- - grok:
- if: ctx.json?.cloudflare_logpush?.http_request?.client?.ssl?.protocol != 'none'
- field: cloudflare_logpush.http_request.client.ssl.protocol
- patterns:
- - "^%{DATA:tls.version_protocol}v%{DATA:tls.version}$"
- ignore_failure: true
- - lowercase:
- field: tls.version_protocol
- ignore_missing: true
- - convert:
- field: json.ClientSrcPort
- target_field: cloudflare_logpush.http_request.client.src.port
- if: ctx.json?.ClientSrcPort != ''
- type: long
- ignore_missing: true
- on_failure:
- - append:
- field: error.message
- value: '{{{_ingest.on_failure_message}}}'
- - convert:
- field: json.ClientTCPRTTMs
- target_field: cloudflare_logpush.http_request.client.tcp_rtt.ms
- if: ctx.json?.ClientTCPRTTMs != ''
- type: long
- ignore_missing: true
- on_failure:
- - append:
- field: error.message
- value: '{{{_ingest.on_failure_message}}}'
- - rename:
- field: json.ClientXRequestedWith
- target_field: cloudflare_logpush.http_request.client.xrequested_with
- ignore_missing: true
- - rename:
- field: json.Cookies
- target_field: cloudflare_logpush.http_request.cookies
- ignore_missing: true
- - rename:
- field: json.EdgeCFConnectingO2O
- target_field: cloudflare_logpush.http_request.edge.cf_connecting_o2o
- ignore_missing: true
- - rename:
- field: json.EdgeColoCode
- target_field: cloudflare_logpush.http_request.edge.colo.code
- ignore_missing: true
- - convert:
- field: json.EdgeColoID
- target_field: cloudflare_logpush.http_request.edge.colo.id
- if: ctx.json?.EdgeColoID != ''
- type: long
- ignore_missing: true
- on_failure:
- - append:
- field: error.message
- value: '{{{_ingest.on_failure_message}}}'
- - rename:
- field: json.EdgePathingOp
- target_field: cloudflare_logpush.http_request.edge.pathing.op
- ignore_missing: true
- - rename:
- field: json.EdgePathingSrc
- target_field: cloudflare_logpush.http_request.edge.pathing.src
- ignore_missing: true
- - rename:
- field: json.EdgePathingStatus
- target_field: cloudflare_logpush.http_request.edge.pathing.status
- ignore_missing: true
- - rename:
- field: json.EdgeRateLimitAction
- target_field: cloudflare_logpush.http_request.edge.rate.limit.action
- ignore_missing: true
- - convert:
- field: json.EdgeRateLimitID
- target_field: cloudflare_logpush.http_request.edge.rate.limit.id
- if: ctx.json?.EdgeRateLimitID != ''
- type: long
- ignore_missing: true
- on_failure:
- - append:
- field: error.message
- value: '{{{_ingest.on_failure_message}}}'
- - rename:
- field: json.EdgeRequestHost
- target_field: cloudflare_logpush.http_request.edge.request.host
- ignore_missing: true
- - convert:
- field: json.EdgeResponseBodyBytes
- target_field: cloudflare_logpush.http_request.edge.response.body_bytes
- if: ctx.json?.EdgeResponseBodyBytes != ''
- type: long
- ignore_missing: true
- on_failure:
- - append:
- field: error.message
- value: '{{{_ingest.on_failure_message}}}'
- - convert:
- field: json.EdgeResponseBytes
- target_field: cloudflare_logpush.http_request.edge.response.bytes
- if: ctx.json?.EdgeResponseBytes != ''
- type: long
- ignore_missing: true
- on_failure:
- - append:
- field: error.message
- value: '{{{_ingest.on_failure_message}}}'
- - convert:
- field: json.EdgeResponseCompressionRatio
- target_field: cloudflare_logpush.http_request.edge.response.compression_ratio
- if: ctx.json?.EdgeResponseCompressionRatio != ''
- type: double
- ignore_missing: true
- on_failure:
- - append:
- field: error.message
- value: '{{{_ingest.on_failure_message}}}'
- - convert:
- field: json.EdgeServerIP
- target_field: cloudflare_logpush.http_request.edge.server.ip
- if: ctx.json?.EdgeServerIP != ''
- type: ip
- ignore_missing: true
- on_failure:
- - append:
- field: error.message
- value: '{{{_ingest.on_failure_message}}}'
- - convert:
- field: json.EdgeTimeToFirstByteMs
- target_field: cloudflare_logpush.http_request.edge.time_to_first_byte.ms
- if: ctx.json?.EdgeTimeToFirstByteMs != ''
- type: long
- ignore_missing: true
- on_failure:
- - append:
- field: error.message
- value: '{{{_ingest.on_failure_message}}}'
- - rename:
- field: json.FirewallMatchesActions
- target_field: cloudflare_logpush.http_request.firewall.match.action
- ignore_missing: true
- - rename:
- field: json.FirewallMatchesRuleIDs
- target_field: cloudflare_logpush.http_request.firewall.match.rule.id
- ignore_missing: true
- - rename:
- field: json.FirewallMatchesSources
- target_field: cloudflare_logpush.http_request.firewall.match.source
- ignore_missing: true
- - rename:
- field: json.JA3Hash
- target_field: cloudflare_logpush.http_request.ja3_hash
- ignore_missing: true
- - convert:
- field: json.OriginDNSResponseTimeMs
- target_field: cloudflare_logpush.http_request.origin.dns_response_time.ms
- if: ctx.json?.OriginDNSResponseTimeMs != ''
- type: long
- ignore_missing: true
- on_failure:
- - append:
- field: error.message
- value: '{{{_ingest.on_failure_message}}}'
- - convert:
- field: json.OriginRequestHeaderSendDurationMs
- target_field: cloudflare_logpush.http_request.origin.request_header_send_duration.ms
- if: ctx.json?.OriginRequestHeaderSendDurationMs != ''
- type: long
- ignore_missing: true
- on_failure:
- - append:
- field: error.message
- value: '{{{_ingest.on_failure_message}}}'
- - convert:
- field: json.OriginResponseBytes
- target_field: cloudflare_logpush.http_request.origin.response.bytes
- if: ctx.json?.OriginResponseBytes != ''
- type: long
- ignore_missing: true
- on_failure:
- - append:
- field: error.message
- value: '{{{_ingest.on_failure_message}}}'
- - convert:
- field: json.OriginResponseDurationMs
- target_field: cloudflare_logpush.http_request.origin.response.duration.ms
- if: ctx.json?.OriginResponseDurationMs != ''
- type: long
- ignore_missing: true
- on_failure:
- - append:
- field: error.message
- value: '{{{_ingest.on_failure_message}}}'
- - convert:
- field: json.OriginResponseHeaderReceiveDurationMs
- target_field: cloudflare_logpush.http_request.origin.response.header_receive_duration.ms
- if: ctx.json?.OriginResponseHeaderReceiveDurationMs != ''
- type: long
- ignore_missing: true
- on_failure:
- - append:
- field: error.message
- value: '{{{_ingest.on_failure_message}}}'
- - convert:
- field: json.OriginResponseStatus
- target_field: cloudflare_logpush.http_request.origin.response.status
- if: ctx.json?.OriginResponseStatus != ''
- type: long
- ignore_missing: true
- on_failure:
- - append:
- field: error.message
- value: '{{{_ingest.on_failure_message}}}'
- - convert:
- field: json.OriginResponseTime
- target_field: cloudflare_logpush.http_request.origin.response.time
- if: ctx.json?.OriginResponseTime != ''
- type: long
- ignore_missing: true
- on_failure:
- - append:
- field: error.message
- value: '{{{_ingest.on_failure_message}}}'
- - rename:
- field: json.OriginSSLProtocol
- target_field: cloudflare_logpush.http_request.origin.ssl_protocol
- ignore_missing: true
- - convert:
- field: json.OriginTCPHandshakeDurationMs
- target_field: cloudflare_logpush.http_request.origin.tcp_handshake_duration.ms
- if: ctx.json?.OriginTCPHandshakeDurationMs != ''
- type: long
- ignore_missing: true
- on_failure:
- - append:
- field: error.message
- value: '{{{_ingest.on_failure_message}}}'
- - convert:
- field: json.OriginTLSHandshakeDurationMs
- target_field: cloudflare_logpush.http_request.origin.tls_handshake_duration.ms
- if: ctx.json?.OriginTLSHandshakeDurationMs != ''
- type: long
- ignore_missing: true
- on_failure:
- - append:
- field: error.message
- value: '{{{_ingest.on_failure_message}}}'
- - rename:
- field: json.ParentRayID
- target_field: cloudflare_logpush.http_request.parent_ray.id
- ignore_missing: true
- - rename:
- field: json.RayID
- target_field: cloudflare_logpush.http_request.ray.id
- ignore_missing: true
- - rename:
- field: json.RequestHeaders
- target_field: cloudflare_logpush.http_request.request.header
- ignore_missing: true
- - rename:
- field: json.ResponseHeaders
- target_field: cloudflare_logpush.http_request.response.header
- ignore_missing: true
- - rename:
- field: json.SecurityLevel
- target_field: cloudflare_logpush.http_request.security_level
- ignore_missing: true
- - convert:
- field: json.SmartRouteColoID
- target_field: cloudflare_logpush.http_request.smart_route.colo.id
- if: ctx.json?.SmartRouteColoID != ''
- type: long
- ignore_missing: true
- on_failure:
- - append:
- field: error.message
- value: '{{{_ingest.on_failure_message}}}'
- - convert:
- field: json.UpperTierColoID
- target_field: cloudflare_logpush.http_request.upper_tier.colo.id
- if: ctx.json?.UpperTierColoID != ''
- type: long
- ignore_missing: true
- on_failure:
- - append:
- field: error.message
- value: '{{{_ingest.on_failure_message}}}'
- - rename:
- field: json.WAFAction
- target_field: cloudflare_logpush.http_request.waf.action
- ignore_missing: true
- - rename:
- field: json.WAFFlags
- target_field: cloudflare_logpush.http_request.waf.flag
- ignore_missing: true
- - rename:
- field: json.WAFMatchedVar
- target_field: cloudflare_logpush.http_request.waf.matched_var
- ignore_missing: true
- - rename:
- field: json.WAFProfile
- target_field: cloudflare_logpush.http_request.waf.profile
- ignore_missing: true
- - rename:
- field: json.WAFRuleID
- target_field: cloudflare_logpush.http_request.waf.rule.id
- ignore_missing: true
- - rename:
- field: json.WAFRuleMessage
- target_field: cloudflare_logpush.http_request.waf.rule.message
- ignore_missing: true
- - convert:
- field: json.WorkerCPUTime
- target_field: cloudflare_logpush.http_request.worker.cpu_time
- if: ctx.json?.WorkerCPUTime != ''
- type: long
- ignore_missing: true
- on_failure:
- - append:
- field: error.message
- value: '{{{_ingest.on_failure_message}}}'
- - rename:
- field: json.WorkerStatus
- target_field: cloudflare_logpush.http_request.worker.status
- ignore_missing: true
- - rename:
- field: json.WorkerSubrequest
- target_field: cloudflare_logpush.http_request.worker.subrequest.value
- ignore_missing: true
- - convert:
- field: json.WorkerSubrequestCount
- target_field: cloudflare_logpush.http_request.worker.subrequest.count
- if: ctx.json?.WorkerSubrequestCount != ''
- type: long
- ignore_missing: true
- on_failure:
- - append:
- field: error.message
- value: '{{{_ingest.on_failure_message}}}'
- - convert:
- field: json.WorkerWallTimeUs
- target_field: cloudflare_logpush.http_request.worker.wall_time_us
- if: ctx.json?.WorkerWallTimeUs != ''
- type: long
- ignore_missing: true
- on_failure:
- - append:
- field: error.message
- value: '{{{_ingest.on_failure_message}}}'
- - convert:
- field: json.ZoneID
- target_field: cloudflare_logpush.http_request.zone.id
- if: ctx.json?.ZoneID != ''
- type: long
- ignore_missing: true
- on_failure:
- - append:
- field: error.message
- value: '{{{_ingest.on_failure_message}}}'
- - rename:
- field: json.ZoneName
- target_field: cloudflare_logpush.http_request.zone.name
- ignore_missing: true
- - append:
- field: related.hash
- value: '{{{cloudflare_logpush.http_request.ja3_hash}}}'
- if: ctx.cloudflare_logpush?.http_request?.ja3_hash != null
- allow_duplicates: false
- ignore_failure: true
- - append:
- field: related.ip
- value: '{{{source.ip}}}'
- if: ctx.source?.ip != null
- allow_duplicates: false
- ignore_failure: true
- - append:
- field: related.ip
- value: '{{{destination.ip}}}'
- if: ctx.destination?.ip != null
- allow_duplicates: false
- ignore_failure: true
- - remove:
- field: json
- ignore_missing: true
- - remove:
- field:
- - cloudflare_logpush.http_request.origin.ip
- - cloudflare_logpush.http_request.client.request.method
- - cloudflare_logpush.http_request.edge.response.content_type
- - cloudflare_logpush.http_request.edge.response.status
- - cloudflare_logpush.http_request.client.asn
- - cloudflare_logpush.http_request.client.country
- - cloudflare_logpush.http_request.client.ip
- - cloudflare_logpush.http_request.client.request.user.agent
- if: ctx.tags == null || !(ctx.tags.contains('preserve_duplicate_custom_fields'))
- ignore_failure: true
- ignore_missing: true
- - remove:
- field: event.original
- if: ctx.tags == null || !(ctx.tags.contains('preserve_original_event'))
- ignore_failure: true
- ignore_missing: true
- - script:
- description: Drops null/empty values recursively.
- lang: painless
- source:
- boolean dropEmptyFields(Object object) {
- if (object == null || object == "") {
- return true;
- } else if (object instanceof Map) {
- ((Map) object).values().removeIf(value -> dropEmptyFields(value));
- return (((Map) object).size() == 0);
- } else if (object instanceof List) {
- ((List) object).removeIf(value -> dropEmptyFields(value));
- return (((List) object).length == 0);
- }
- return false;
- }
- dropEmptyFields(ctx);
-on_failure:
-- append:
- field: error.message
- value: '{{{ _ingest.on_failure_message }}}'
diff --git a/packages/cloudflare_logpush/0.2.1/data_stream/http_request/fields/agent.yml b/packages/cloudflare_logpush/0.2.1/data_stream/http_request/fields/agent.yml
deleted file mode 100755
index 73e076a93b..0000000000
--- a/packages/cloudflare_logpush/0.2.1/data_stream/http_request/fields/agent.yml
+++ /dev/null
@@ -1,186 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization ID used to identify different entities in a multi-tenant environment. Examples: AWS account ID, Google Cloud ORG ID, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container ID. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host ID. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host IP addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - -- name: input.type - type: keyword - description: Input type -- name: log.offset - type: long - description: Log offset 
diff --git a/packages/cloudflare_logpush/0.2.1/data_stream/http_request/fields/base-fields.yml b/packages/cloudflare_logpush/0.2.1/data_stream/http_request/fields/base-fields.yml
deleted file mode 100755
index 6f4d0762ca..0000000000
--- a/packages/cloudflare_logpush/0.2.1/data_stream/http_request/fields/base-fields.yml
+++ /dev/null
@@ -1,20 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: '@timestamp'
- type: date
- description: Event timestamp.
-- name: event.dataset
- type: constant_keyword
- description: Event dataset.
- value: cloudflare_logpush.http_request
-- name: event.module
- type: constant_keyword
- description: Event module.
- value: cloudflare_logpush
diff --git a/packages/cloudflare_logpush/0.2.1/data_stream/http_request/fields/ecs.yml b/packages/cloudflare_logpush/0.2.1/data_stream/http_request/fields/ecs.yml
deleted file mode 100755
index c9709733af..0000000000
--- a/packages/cloudflare_logpush/0.2.1/data_stream/http_request/fields/ecs.yml
+++ /dev/null
@@ -1,153 +0,0 @@ -- description: IP address of the destination (IPv4 or IPv6). - name: destination.ip - type: ip -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. This will allow proper categorization of some events that fall in multiple categories. - name: event.category - normalize: - - array - type: keyword -- description: |- - event.created contains the date/time when the event was first read by an agent, or by your pipeline. - This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. - In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. - In case the two timestamps are identical, @timestamp should be used. - name: event.created - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. 
For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: |- - Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. - This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. - doc_values: false - index: false - name: event.original - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. - `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. This will allow proper categorization of some events that fall in multiple event types. - name: event.type - normalize: - - array - type: keyword -- description: |- - HTTP request method. - The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field. - name: http.request.method - type: keyword -- description: |- - Mime type of the body of the response. - This value must only be populated based on the content of the response body, not on the `Content-Type` header. Comparing the mime type of a response with the response's Content-Type header can be helpful in detecting misconfigured servers. - name: http.response.mime_type - type: keyword -- description: HTTP response status code. 
- name: http.response.status_code - type: long -- description: HTTP version. - name: http.version - type: keyword -- description: |- - In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. - The field value must be normalized to lowercase for querying. - name: network.protocol - type: keyword -- description: All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). - name: related.hash - normalize: - - array - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - normalize: - - array - type: ip -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: source.as.number - type: long -- description: Country ISO code. - name: source.geo.country_iso_code - type: keyword -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: List of keywords used to tag each event. - name: tags - normalize: - - array - type: keyword -- description: Numeric part of the version parsed from the original string. - name: tls.version - type: keyword -- description: Normalized lowercase protocol name parsed from original string. - name: tls.version_protocol - type: keyword -- description: |- - Domain of the url, such as "www.elastic.co". - In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. - If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. - name: url.domain - type: keyword -- description: |- - Unmodified original url as seen in the event source. 
- Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path.
- This field is meant to represent the URL as it was observed, complete or not.
- multi_fields:
- - name: text
- type: match_only_text
- name: url.original
- type: wildcard
-- description: Path of the request, such as "/search".
- name: url.path
- type: wildcard
-- description: |-
- The query field describes the query string of the request, such as "q=elasticsearch".
- The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases.
- name: url.query
- type: keyword
-- description: |-
- Scheme of the request, such as "https".
- Note: The `:` is not part of the scheme.
- name: url.scheme
- type: keyword
-- description: Name of the device.
- name: user_agent.device.name
- type: keyword
-- description: Name of the user agent.
- name: user_agent.name
- type: keyword
-- description: Unparsed user_agent string.
- multi_fields:
- - name: text
- type: match_only_text
- name: user_agent.original
- type: keyword
-- description: Operating system name, including the version or code name.
- multi_fields:
- - name: text
- type: match_only_text
- name: user_agent.os.full
- type: keyword
-- description: Operating system name, without the version.
- multi_fields:
- - name: text
- type: match_only_text
- name: user_agent.os.name
- type: keyword
-- description: Operating system version as a raw string.
- name: user_agent.os.version
- type: keyword
-- description: Version of the user agent.
- name: user_agent.version
- type: keyword
diff --git a/packages/cloudflare_logpush/0.2.1/data_stream/http_request/fields/fields.yml b/packages/cloudflare_logpush/0.2.1/data_stream/http_request/fields/fields.yml
deleted file mode 100755
index 94dfbab9f9..0000000000
--- a/packages/cloudflare_logpush/0.2.1/data_stream/http_request/fields/fields.yml
+++ /dev/null
@@ -1,399 +0,0 @@ -- name: cloudflare_logpush.http_request - type: group - fields: - - name: bot - type: group - fields: - - name: score - type: group - fields: - - name: src - type: text - description: Detection engine responsible for generating the Bot Score. - - name: value - type: long - description: Cloudflare Bot Score, Scores below 30 are commonly associated with automated traffic. - - name: tag - type: text - description: Type of bot traffic (if available). - - name: cache - type: group - fields: - - name: response - type: group - fields: - - name: bytes - type: long - description: Number of bytes returned by the cache. - - name: status - type: long - description: Cache status. - - name: status - type: keyword - description: HTTP status code returned by the cache to the edge. - - name: tiered_fill - type: boolean - description: Tiered Cache was used to serve this request. - - name: client - type: group - fields: - - name: asn - type: long - description: Client AS number. - - name: country - type: keyword - description: Country of the client IP address. - - name: device - type: group - fields: - - name: type - type: keyword - description: Client device type. - - name: ip - type: ip - description: IP address of the client. - - name: ip_class - type: keyword - description: Class IP. - - name: mtls - type: group - fields: - - name: auth - type: group - fields: - - name: fingerprint - type: keyword - description: The SHA256 fingerprint of the certificate presented by the client during mTLS authentication. - - name: status - type: keyword - description: The status of mTLS authentication, Only populated on the first request on an mTLS connection. - - name: request - type: group - fields: - - name: bytes - type: long - description: Number of bytes in the client request. - - name: host - type: keyword - description: Host requested by the client. - - name: method - type: text - description: HTTP method of client request. 
- - name: path - type: text - description: URI path requested by the client. - - name: protocol - type: keyword - description: HTTP protocol of client request. - - name: referer - type: text - description: HTTP request referrer. - - name: scheme - type: text - description: The URL scheme requested by the visitor. - - name: source - type: keyword - description: Identifies requests as coming from an external source or another service within Cloudflare. - - name: uri - type: text - description: URI requested by the client. - - name: user - type: group - fields: - - name: agent - type: text - description: User agent reported by the client. - - name: src - type: group - fields: - - name: port - type: long - description: Client source port. - - name: ssl - type: group - fields: - - name: cipher - type: text - description: Client SSL cipher. - - name: protocol - type: keyword - description: Client SSL (TLS) protocol. - - name: tcp_rtt - type: group - fields: - - name: ms - type: long - description: The smoothed average of TCP round-trip time (SRTT), For the initial request on a connection, this is measured only during connection setup, For a subsequent request on the same connection, it is measured over the entire connection lifetime up until the time that request is received. - - name: xrequested_with - type: text - description: X-Requested-With HTTP header. - - name: cookies - type: flattened - description: String key-value pairs for Cookies. - - name: edge - type: group - fields: - - name: cf_connecting_o2o - type: boolean - description: True if the request looped through multiple zones on the Cloudflare edge. - - name: colo - type: group - fields: - - name: code - type: keyword - description: IATA airport code of data center that received the request. - - name: id - type: long - description: Cloudflare edge colo id. - - name: end_time - type: date - description: Timestamp at which the edge finished sending response to the client. 
- - name: pathing - type: group - fields: - - name: op - type: text - description: Indicates what type of response was issued for this request. - - name: src - type: text - description: Details how the request was classified based on security checks. - - name: status - type: text - description: Indicates what data was used to determine the handling of this request. - - name: rate - type: group - fields: - - name: limit - type: group - fields: - - name: action - type: keyword - description: The action taken by the blocking rule; empty if no action taken. - - name: id - type: long - description: The internal rule ID of the rate-limiting rule that triggered a block (ban) or log action. - - name: request - type: group - fields: - - name: host - type: keyword - description: Host header on the request from the edge to the origin. - - name: response - type: group - fields: - - name: body_bytes - type: long - description: Size of the HTTP response body returned to clients. - - name: bytes - type: long - description: Number of bytes returned by the edge to the client. - - name: compression_ratio - type: double - description: Edge response compression ratio. - - name: content_type - type: text - description: Edge response Content-Type header value. - - name: status - type: long - description: HTTP status code returned by Cloudflare to the client. - - name: server - type: group - fields: - - name: ip - type: ip - description: IP of the edge server making a request to the origin. - - name: start_time - type: date - description: Timestamp at which the edge received request from the client. - - name: time_to_first_byte - type: group - fields: - - name: ms - type: long - description: Total view of Time To First Byte as measured at Cloudflare edge. - - name: firewall - type: group - fields: - - name: matches - type: group - fields: - - name: action - type: nested - description: Array of actions the Cloudflare firewall products performed on this request. 
- - name: rule_id - type: nested - description: Array of RuleIDs of the firewall product that has matched the request. - - name: sources - type: nested - description: The firewall products that matched the request. - - name: ja3_hash - type: keyword - description: The MD5 hash of the JA3 fingerprint used to profile SSL/TLS clients. - - name: origin - type: group - fields: - - name: dns_response_time - type: group - fields: - - name: ms - type: long - description: Time taken to receive a DNS response for an origin name. - - name: ip - type: ip - description: IP of the origin server. - - name: request_header_send_duration - type: group - fields: - - name: ms - type: long - description: Time taken to send request headers to origin after establishing a connection. - - name: response - type: group - fields: - - name: bytes - type: long - description: Number of bytes returned by the origin server. - - name: duration - type: group - fields: - - name: ms - type: long - description: Upstream response time, measured from the first datacenter that receives a request. - - name: header_receive_duration - type: group - fields: - - name: ms - type: long - description: Time taken for origin to return response headers after Cloudflare finishes sending request headers. - - name: http - type: group - fields: - - name: expires - type: date - description: Value of the origin expires header in RFC1123 format. - - name: last_modified - type: date - description: Value of the origin last-modified header in RFC1123 format. - - name: status - type: long - description: Status returned by the origin server. - - name: time - type: long - description: Number of nanoseconds it took the origin to return the response to edge. - - name: ssl_protocol - type: text - description: SSL (TLS) protocol used to connect to the origin. - - name: tcp_handshake_duration - type: group - fields: - - name: ms - type: long - description: Time taken to complete TCP handshake with origin. 
- - name: tls_handshake_duration - type: group - fields: - - name: ms - type: long - description: Time taken to complete TLS handshake with origin. - - name: parent_ray - type: group - fields: - - name: id - type: keyword - description: Ray ID of the parent request if this request was made using a Worker script. - - name: ray - type: group - fields: - - name: id - type: keyword - description: ID of the request. - - name: request - type: group - fields: - - name: headers - type: flattened - description: String key-value pairs for RequestHeaders. - - name: response - type: group - fields: - - name: headers - type: flattened - description: String key-value pairs for ResponseHeaders. - - name: security_level - type: text - description: The security level configured at the time of this request. This is used to determine the sensitivity of the IP Reputation system. - - name: smart_route - type: group - fields: - - name: colo - type: group - fields: - - name: id - type: long - description: The Cloudflare datacenter used to connect to the origin server if Argo Smart Routing is used. Available in Logpush v2 only. - - name: upper_tier - type: group - fields: - - name: colo - type: group - fields: - - name: id - type: long - description: The “upper tier” datacenter that was checked for a cached copy if Tiered Cache is used. Available in Logpush v2 only. - - name: waf - type: group - fields: - - name: action - type: text - description: Action taken by the WAF, if triggered. - - name: flag - type: text - description: Additional configuration flags. - - name: matched_var - type: text - description: The full name of the most-recently matched variable. - - name: profile - type: keyword - description: The Profile of WAF. possible values are:- 'low', 'med', 'high'. - - name: rule - type: group - fields: - - name: id - type: keyword - description: ID of the applied WAF rule. - - name: message - type: text - description: Rule message associated with the triggered rule. 
- - name: worker
- type: group
- fields:
- - name: cpu_time
- type: long
- description: Amount of time in microseconds spent executing a worker, if any.
- - name: status
- type: text
- description: Status returned from worker daemon.
- - name: subrequest
- type: group
- fields:
- - name: count
- type: long
- description: Number of subrequests issued by a worker when handling this request.
- - name: value
- type: boolean
- description: Whether or not this request was a worker subrequest.
- - name: wall_time_us
- type: long
- description: Real-time in microseconds elapsed between start and end of worker invocation.
- - name: zone
- type: group
- fields:
- - name: id
- type: long
- description: Internal zone ID.
- - name: name
- type: keyword
- description: The human-readable name of the zone.
-- name: log.source.address
- type: keyword
- description: Source address from which the log event was read / sent from.
diff --git a/packages/cloudflare_logpush/0.2.1/data_stream/http_request/manifest.yml b/packages/cloudflare_logpush/0.2.1/data_stream/http_request/manifest.yml
deleted file mode 100755
index c6f3c4dc98..0000000000
--- a/packages/cloudflare_logpush/0.2.1/data_stream/http_request/manifest.yml
+++ /dev/null
@@ -1,151 +0,0 @@ -title: Collect HTTP Request logs from Cloudflare -type: logs -streams: - - input: http_endpoint - template_path: http_endpoint.yml.hbs - title: HTTP Request logs - description: Collect HTTP Request logs from Cloudflare. - vars: - - name: listen_port - type: integer - title: Listen Port - description: The port number the listener binds to. - multi: false - required: true - show_user: true - default: 9563 - - name: url - type: text - title: URL - description: This option specifies which URL path to accept requests on. Defaults to /. - multi: false - required: false - show_user: false - default: / - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: false - default: - - forwarded - - cloudflare_logpush_http_request - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original`. - type: bool - multi: false - default: false - - name: preserve_duplicate_custom_fields - required: true - show_user: true - title: Preserve duplicate custom fields - description: Preserve custom fields for all ECS mappings. - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: >- - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. - - input: aws-s3 - title: HTTP Request logs via S3 or SQS - description: Collect HTTP Request logs from Cloudflare. 
- template_path: aws-s3.yml.hbs - vars: - - name: bucket_list_prefix - type: text - title: '[S3] Bucket Prefix' - multi: false - required: false - show_user: true - default: http_request - description: Prefix to apply for the list request to the S3 bucket. - - name: interval - type: text - title: '[S3] Interval' - multi: false - required: false - show_user: true - default: 1m - description: Time interval for polling listing of the S3 bucket. NOTE:- Supported units for this parameter are h/m/s. - - name: number_of_workers - type: integer - title: '[S3] Number of Workers' - multi: false - required: false - show_user: true - default: 5 - description: Number of workers that will process the S3 objects listed. - - name: visibility_timeout - type: text - title: '[SQS] Visibility Timeout' - multi: false - required: false - show_user: true - default: 300s - description: The duration that the received messages are hidden from subsequent retrieve requests after being retrieved by a ReceiveMessage request. The maximum is 12 hours. - - name: api_timeout - type: text - title: '[SQS] API Timeout' - multi: false - required: false - show_user: true - default: 120s - description: The maximum duration of AWS API can take. The maximum is half of the visibility timeout value. - - name: max_number_of_messages - type: integer - title: '[SQS] Maximum Concurrent SQS Messages' - required: false - show_user: true - default: 5 - description: The maximum number of SQS messages that can be inflight at any time. - - name: file_selectors - type: yaml - title: '[SQS] File Selectors' - multi: false - required: false - show_user: false - default: | - - regex: 'http_request/' - description: If the SQS queue will have events that correspond to files that this integration shouldn’t process, file_selectors can be used to limit the files that are downloaded. This is a list of selectors which are made up of regex and expand_event_list_from_field options. 
The regex should match the S3 object key in the SQS message, and the optional expand_event_list_from_field is the same as the global setting. If file_selectors is given, then any global expand_event_list_from_field value is ignored in favor of the ones specified in the file_selectors. Regexes use [RE2 syntax](https://pkg.go.dev/regexp/syntax). Files that don’t match one of the regexes will not be processed.
- - name: tags
- type: text
- title: Tags
- multi: true
- required: true
- show_user: false
- default:
- - forwarded
- - cloudflare_logpush_http_request
- - name: preserve_original_event
- required: true
- show_user: true
- title: Preserve original event
- description: Preserves a raw copy of the original event, added to the field `event.original`.
- type: bool
- multi: false
- default: false
- - name: preserve_duplicate_custom_fields
- required: true
- show_user: true
- title: Preserve duplicate custom fields
- description: Preserve custom fields for all ECS mappings.
- type: bool
- multi: false
- default: false
- - name: processors
- type: yaml
- title: Processors
- multi: false
- required: false
- show_user: false
- description: >-
- Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
diff --git a/packages/cloudflare_logpush/0.2.1/data_stream/http_request/sample_event.json b/packages/cloudflare_logpush/0.2.1/data_stream/http_request/sample_event.json
deleted file mode 100755
index adc72ad77d..0000000000
--- a/packages/cloudflare_logpush/0.2.1/data_stream/http_request/sample_event.json
+++ /dev/null
@@ -1,269 +0,0 @@ -{ - "@timestamp": "2022-09-01T10:08:19.901Z", - "agent": { - "ephemeral_id": "799a05d5-4523-4df3-8588-0a26bce74843", - "hostname": "docker-fleet-agent", - "id": "8539930e-8f7a-48ac-af3e-7f098b7d6ea2", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "7.17.0" - }, - "cloudflare_logpush": { - "http_request": { - "bot": { - "score": { - "src": "Verified Bot", - "value": 20 - }, - "tag": "bing" - }, - "cache": { - "response": { - "bytes": 983828, - "status": 200 - }, - "status": "dynamic", - "tiered_fill": false - }, - "client": { - "asn": 43766, - "country": "sa", - "device": { - "type": "desktop" - }, - "ip": "175.16.199.0", - "ip_class": "noRecord", - "mtls": { - "auth": { - "fingerprint": "Fingerprint", - "status": "unknown" - } - }, - "request": { - "bytes": 5800, - "host": "xyz.example.com", - "method": "POST", - "path": "/xyz/checkout", - "protocol": "HTTP/1.1", - "referer": "https://example.com/s/example/default?sourcerer=(default:(id:!n,selectedPatterns:!(example,%27logs-endpoint.*-example%27,%27logs-system.*-example%27,%27logs-windows.*-example%27)))\u0026timerange=(global:(linkTo:!(),timerange:(from:%272022-05-16T06:26:36.340Z%27,fromStr:now-24h,kind:relative,to:%272022-05-17T06:26:36.340Z%27,toStr:now)),timeline:(linkTo:!(),timerange:(from:%272022-04-17T22:00:00.000Z%27,kind:absolute,to:%272022-04-18T21:59:59.999Z%27)))\u0026timeline=(activeTab:notes,graphEventId:%27%27,id:%279844bdd4-4dd6-5b22-ab40-3cd46fce8d6b%27,isOpen:!t)", - "scheme": "https", - "source": "edgeWorkerFetch", - "uri": "/s/example/api/telemetry/v2/clusters/_stats", - "user": { - "agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36" - } - }, - "src": { - "port": 0 - }, - "ssl": { - "cipher": "NONE", - "protocol": "TLSv1.2" - }, - "tcp_rtt": { - "ms": 0 - }, - "xrequested_with": "Request With" - }, - "cookies": { - "key": "value" - }, - "edge": { - "cf_connecting_o2o": false, 
- "colo": { - "code": "RUH", - "id": 339 - }, - "end_time": "2022-05-25T13:25:32.000Z", - "pathing": { - "op": "wl", - "src": "macro", - "status": "nr" - }, - "rate": { - "limit": { - "action": "unknown", - "id": 0 - } - }, - "request": { - "host": "abc.example.com" - }, - "response": { - "body_bytes": 980397, - "bytes": 981308, - "compression_ratio": 0, - "content_type": "application/json", - "status": 200 - }, - "server": { - "ip": "1.128.0.0" - }, - "start_time": "2022-05-25T13:25:26.000Z", - "time_to_first_byte": { - "ms": 5333 - } - }, - "origin": { - "dns_response_time": { - "ms": 3 - }, - "ip": "67.43.156.0", - "request_header_send_duration": { - "ms": 0 - }, - "response": { - "bytes": 0, - "duration": { - "ms": 5319 - }, - "header_receive_duration": { - "ms": 5155 - }, - "http": { - "expires": "2022-05-27T13:25:26.000Z", - "last_modified": "2022-05-26T13:25:26.000Z" - }, - "status": 200, - "time": 5232000000 - }, - "ssl_protocol": "TLSv1.2", - "tcp_handshake_duration": { - "ms": 24 - }, - "tls_handshake_duration": { - "ms": 53 - } - }, - "parent_ray": { - "id": "710e98d93d50357d" - }, - "ray": { - "id": "710e98d9367f357d" - }, - "security_level": "off", - "smart_route": { - "colo": { - "id": 20 - } - }, - "upper_tier": { - "colo": { - "id": 0 - } - }, - "waf": { - "action": "unknown", - "flag": "0", - "matched_var": "example", - "profile": "unknown", - "rule": { - "id": "98d93d5", - "message": "matchad variable message" - } - }, - "worker": { - "cpu_time": 0, - "status": "unknown", - "subrequest": { - "count": 0, - "value": true - } - }, - "zone": { - "id": 393347122, - "name": "example.com" - } - } - }, - "data_stream": { - "dataset": "cloudflare_logpush.http_request", - "namespace": "ep", - "type": "logs" - }, - "destination": { - "ip": "67.43.156.0" - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "8539930e-8f7a-48ac-af3e-7f098b7d6ea2", - "snapshot": false, - "version": "7.17.0" - }, - "event": { - "agent_id_status": "verified", - 
"category": [ - "network" - ], - "dataset": "cloudflare_logpush.http_request", - "ingested": "2022-09-01T10:08:20Z", - "kind": "event", - "original": "{\"BotScore\":\"20\",\"BotScoreSrc\":\"Verified Bot\",\"BotTags\":\"bing\",\"CacheCacheStatus\":\"dynamic\",\"CacheResponseBytes\":983828,\"CacheResponseStatus\":200,\"CacheTieredFill\":false,\"ClientASN\":43766,\"ClientCountry\":\"sa\",\"ClientDeviceType\":\"desktop\",\"ClientIP\":\"175.16.199.0\",\"ClientIPClass\":\"noRecord\",\"ClientMTLSAuthCertFingerprint\":\"Fingerprint\",\"ClientMTLSAuthStatus\":\"unknown\",\"ClientRequestBytes\":5800,\"ClientRequestHost\":\"xyz.example.com\",\"ClientRequestMethod\":\"POST\",\"ClientRequestPath\":\"/xyz/checkout\",\"ClientRequestProtocol\":\"HTTP/1.1\",\"ClientRequestReferer\":\"https://example.com/s/example/default?sourcerer=(default:(id:!n,selectedPatterns:!(example,%27logs-endpoint.*-example%27,%27logs-system.*-example%27,%27logs-windows.*-example%27)))\\u0026timerange=(global:(linkTo:!(),timerange:(from:%272022-05-16T06:26:36.340Z%27,fromStr:now-24h,kind:relative,to:%272022-05-17T06:26:36.340Z%27,toStr:now)),timeline:(linkTo:!(),timerange:(from:%272022-04-17T22:00:00.000Z%27,kind:absolute,to:%272022-04-18T21:59:59.999Z%27)))\\u0026timeline=(activeTab:notes,graphEventId:%27%27,id:%279844bdd4-4dd6-5b22-ab40-3cd46fce8d6b%27,isOpen:!t)\",\"ClientRequestScheme\":\"https\",\"ClientRequestSource\":\"edgeWorkerFetch\",\"ClientRequestURI\":\"/s/example/api/telemetry/v2/clusters/_stats\",\"ClientRequestUserAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36\",\"ClientSSLCipher\":\"NONE\",\"ClientSSLProtocol\":\"TLSv1.2\",\"ClientSrcPort\":0,\"ClientTCPRTTMs\":0,\"ClientXRequestedWith\":\"Request 
With\",\"Cookies\":{\"key\":\"value\"},\"EdgeCFConnectingO2O\":false,\"EdgeColoCode\":\"RUH\",\"EdgeColoID\":339,\"EdgeEndTimestamp\":\"2022-05-25T13:25:32Z\",\"EdgePathingOp\":\"wl\",\"EdgePathingSrc\":\"macro\",\"EdgePathingStatus\":\"nr\",\"EdgeRateLimitAction\":\"unknown\",\"EdgeRateLimitID\":0,\"EdgeRequestHost\":\"abc.example.com\",\"EdgeResponseBodyBytes\":980397,\"EdgeResponseBytes\":981308,\"EdgeResponseCompressionRatio\":0,\"EdgeResponseContentType\":\"application/json\",\"EdgeResponseStatus\":200,\"EdgeServerIP\":\"1.128.0.0\",\"EdgeStartTimestamp\":\"2022-05-25T13:25:26Z\",\"EdgeTimeToFirstByteMs\":5333,\"OriginDNSResponseTimeMs\":3,\"OriginIP\":\"67.43.156.0\",\"OriginRequestHeaderSendDurationMs\":0,\"OriginResponseBytes\":0,\"OriginResponseDurationMs\":5319,\"OriginResponseHTTPExpires\":\"2022-05-27T13:25:26Z\",\"OriginResponseHTTPLastModified\":\"2022-05-26T13:25:26Z\",\"OriginResponseHeaderReceiveDurationMs\":5155,\"OriginResponseStatus\":200,\"OriginResponseTime\":5232000000,\"OriginSSLProtocol\":\"TLSv1.2\",\"OriginTCPHandshakeDurationMs\":24,\"OriginTLSHandshakeDurationMs\":53,\"ParentRayID\":\"710e98d93d50357d\",\"RayID\":\"710e98d9367f357d\",\"SecurityLevel\":\"off\",\"SmartRouteColoID\":20,\"UpperTierColoID\":0,\"WAFAction\":\"unknown\",\"WAFFlags\":\"0\",\"WAFMatchedVar\":\"example\",\"WAFProfile\":\"unknown\",\"WAFRuleID\":\"98d93d5\",\"WAFRuleMessage\":\"matchad variable message\",\"WorkerCPUTime\":0,\"WorkerStatus\":\"unknown\",\"WorkerSubrequest\":true,\"WorkerSubrequestCount\":0,\"ZoneID\":393347122,\"ZoneName\":\"example.com\"}", - "type": [ - "info" - ] - }, - "http": { - "request": { - "method": "POST" - }, - "response": { - "mime_type": "application/json", - "status_code": 200 - }, - "version": "1.1" - }, - "input": { - "type": "http_endpoint" - }, - "network": { - "protocol": "http" - }, - "related": { - "ip": [ - "175.16.199.0", - "67.43.156.0" - ] - }, - "source": { - "as": { - "number": 43766 - }, - "geo": { - "country_iso_code": 
"sa" - }, - "ip": "175.16.199.0" - }, - "tags": [ - "preserve_original_event", - "preserve_duplicate_custom_fields", - "forwarded", - "cloudflare_logpush_http_request" - ], - "tls": { - "version": "1.2", - "version_protocol": "tls" - }, - "url": { - "domain": "example.com", - "original": "https://example.com/s/example/default?sourcerer=(default:(id:!n,selectedPatterns:!(example,%27logs-endpoint.*-example%27,%27logs-system.*-example%27,%27logs-windows.*-example%27)))\u0026timerange=(global:(linkTo:!(),timerange:(from:%272022-05-16T06:26:36.340Z%27,fromStr:now-24h,kind:relative,to:%272022-05-17T06:26:36.340Z%27,toStr:now)),timeline:(linkTo:!(),timerange:(from:%272022-04-17T22:00:00.000Z%27,kind:absolute,to:%272022-04-18T21:59:59.999Z%27)))\u0026timeline=(activeTab:notes,graphEventId:%27%27,id:%279844bdd4-4dd6-5b22-ab40-3cd46fce8d6b%27,isOpen:!t)", - "path": "/s/example/default", - "query": "sourcerer=(default:(id:!n,selectedPatterns:!(example,'logs-endpoint.*-example','logs-system.*-example','logs-windows.*-example')))\u0026timerange=(global:(linkTo:!(),timerange:(from:'2022-05-16T06:26:36.340Z',fromStr:now-24h,kind:relative,to:'2022-05-17T06:26:36.340Z',toStr:now)),timeline:(linkTo:!(),timerange:(from:'2022-04-17T22:00:00.000Z',kind:absolute,to:'2022-04-18T21:59:59.999Z')))\u0026timeline=(activeTab:notes,graphEventId:'',id:'9844bdd4-4dd6-5b22-ab40-3cd46fce8d6b',isOpen:!t)", - "scheme": "https" - }, - "user_agent": { - "device": { - "name": "Mac" - }, - "name": "Chrome", - "original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36", - "os": { - "full": "Mac OS X 10.10.5", - "name": "Mac OS X", - "version": "10.10.5" - }, - "version": "51.0.2704.103" - } -} \ No newline at end of file 
diff --git a/packages/cloudflare_logpush/0.2.1/data_stream/nel_report/agent/stream/aws-s3.yml.hbs b/packages/cloudflare_logpush/0.2.1/data_stream/nel_report/agent/stream/aws-s3.yml.hbs deleted file mode 100755 index 6029a860d9..0000000000 --- a/packages/cloudflare_logpush/0.2.1/data_stream/nel_report/agent/stream/aws-s3.yml.hbs +++ /dev/null 
@@ -1,88 +0,0 @@ -{{#if collect_s3_logs}} - -{{#if bucket_arn}} -bucket_arn: {{bucket_arn}} -{{/if}} -{{#if number_of_workers}} -number_of_workers: {{number_of_workers}} -{{/if}} -{{#if interval}} -bucket_list_interval: {{interval}} -{{/if}} -{{#if bucket_list_prefix}} -bucket_list_prefix: {{bucket_list_prefix}} -{{/if}} - -{{else}} - -{{#if queue_url}} -queue_url: {{queue_url}} -{{/if}} -{{#if visibility_timeout}} -visibility_timeout: {{visibility_timeout}} -{{/if}} -{{#if api_timeout}} -api_timeout: {{api_timeout}} -{{/if}} -{{#if max_number_of_messages}} -max_number_of_messages: {{max_number_of_messages}} -{{/if}} -{{#if file_selectors}} -file_selectors: -{{file_selectors}} -{{/if}} - -{{/if}} - -{{#if access_key_id}} -access_key_id: {{access_key_id}} -{{/if}} -{{#if secret_access_key}} -secret_access_key: {{secret_access_key}} -{{/if}} -{{#if session_token}} -session_token: {{session_token}} -{{/if}} -{{#if shared_credential_file}} -shared_credential_file: {{shared_credential_file}} -{{/if}} -{{#if credential_profile_name}} -credential_profile_name: {{credential_profile_name}} -{{/if}} -{{#if role_arn}} -role_arn: {{role_arn}} -{{/if}} -{{#if endpoint}} -endpoint: {{endpoint}} -{{/if}} -{{#if default_region}} -default_region: {{default_region}} -{{/if}} -{{#if fips_enabled}} -fips_enabled: {{fips_enabled}} -{{/if}} -{{#if proxy_url}} -proxy_url: {{proxy_url}} -{{/if}} -tags: -{{#if collect_s3_logs}} - - collect_s3_logs -{{else}} - - collect_sqs_logs -{{/if}} -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#if preserve_duplicate_custom_fields}} - - preserve_duplicate_custom_fields -{{/if}} -{{#each tags as |tag|}} - - {{tag}} -{{/each}} -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} -{{#if processors}} -processors: -{{processors}} -{{/if}} 
diff --git a/packages/cloudflare_logpush/0.2.1/data_stream/nel_report/agent/stream/http_endpoint.yml.hbs b/packages/cloudflare_logpush/0.2.1/data_stream/nel_report/agent/stream/http_endpoint.yml.hbs deleted file mode 100755 index 53229700cc..0000000000 --- a/packages/cloudflare_logpush/0.2.1/data_stream/nel_report/agent/stream/http_endpoint.yml.hbs +++ /dev/null @@ -1,36 +0,0 @@ -listen_address: {{listen_address}} -listen_port: {{listen_port}} -url: {{url}} -content_type: "" -{{#if secret_header}} -secret.header: {{secret_header}} -{{/if}} -{{#if secret_value}} -secret.value: {{secret_value}} -{{/if}} -{{#if preserve_original_event}} -preserve_original_event: true -{{/if}} -{{#if preserve_duplicate_custom_fields}} -preserve_duplicate_custom_fields: true -{{/if}} -tags: -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#if preserve_duplicate_custom_fields}} - - preserve_duplicate_custom_fields -{{/if}} -{{#each tags as |tag|}} - - {{tag}} -{{/each}} -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} -{{#if ssl}} -ssl: {{ssl}} -{{/if}} -{{#if processors}} -processors: -{{processors}} -{{/if}} diff --git a/packages/cloudflare_logpush/0.2.1/data_stream/nel_report/elasticsearch/ingest_pipeline/default.yml b/packages/cloudflare_logpush/0.2.1/data_stream/nel_report/elasticsearch/ingest_pipeline/default.yml deleted file mode 100755 index 52441fec75..0000000000 --- a/packages/cloudflare_logpush/0.2.1/data_stream/nel_report/elasticsearch/ingest_pipeline/default.yml +++ /dev/null 
@@ -1,112 +0,0 @@ ---- -description: Pipeline for parsing Cloudflare NEL Report logs. -processors: - - set: - field: ecs.version - value: '8.2.0' - - rename: - field: message - target_field: event.original - ignore_missing: true - - json: - field: event.original - target_field: json - ignore_failure: true - - set: - field: event.category - value: [network] - - set: - field: event.kind - value: event - - set: - field: event.type - value: [info] - - date: - field: json.Timestamp - if: ctx.json?.Timestamp != null && ctx.json.Timestamp != '' - formats: - - ISO8601 - - uuuu-MM-dd'T'HH:mm:ssX - - uuuu-MM-dd'T'HH:mm:ss.SSSX - - yyyy-MM-dd'T'HH:mm:ssZ - - yyyy-MM-dd'T'HH:mm:ss.SSSZ - - UNIX_MS - timezone: UTC - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - set: - field: cloudflare_logpush.nel_report.timestamp - copy_from: '@timestamp' - ignore_failure: true - - rename: - field: json.Type - target_field: cloudflare_logpush.nel_report.error.type - ignore_missing: true - - set: - field: error.type - copy_from: cloudflare_logpush.nel_report.error.type - ignore_failure: true - - convert: - field: json.ClientIPASN - target_field: cloudflare_logpush.nel_report.client.ip.asn.value - if: ctx.json?.ClientIPASN != '' - type: long - ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - rename: - field: json.ClientIPASNDescription - target_field: cloudflare_logpush.nel_report.client.ip.asn.description - ignore_missing: true - - rename: - field: json.ClientIPCountry - target_field: cloudflare_logpush.nel_report.client.ip.country - ignore_missing: true - - rename: - field: json.LastKnownGoodColoCode - target_field: cloudflare_logpush.nel_report.last_known_good.colo.code - ignore_missing: true - - rename: - field: json.Phase - target_field: cloudflare_logpush.nel_report.phase - ignore_missing: true - - remove: - field: json - ignore_missing: true - - remove: - field: - - 
cloudflare_logpush.nel_report.timestamp - - cloudflare_logpush.nel_report.error.type - if: ctx.tags == null || !(ctx.tags.contains('preserve_duplicate_custom_fields')) - ignore_failure: true - ignore_missing: true - - remove: - field: event.original - if: ctx.tags == null || !(ctx.tags.contains('preserve_original_event')) - ignore_failure: true - ignore_missing: true - - script: - description: Drops null/empty values recursively. - lang: painless - source: - boolean dropEmptyFields(Object object) { - if (object == null || object == "") { - return true; - } else if (object instanceof Map) { - ((Map) object).values().removeIf(value -> dropEmptyFields(value)); - return (((Map) object).size() == 0); - } else if (object instanceof List) { - ((List) object).removeIf(value -> dropEmptyFields(value)); - return (((List) object).length == 0); - } - return false; - } - dropEmptyFields(ctx); -on_failure: -- append: - field: error.message - value: '{{{ _ingest.on_failure_message }}}' diff --git a/packages/cloudflare_logpush/0.2.1/data_stream/nel_report/fields/agent.yml b/packages/cloudflare_logpush/0.2.1/data_stream/nel_report/fields/agent.yml deleted file mode 100755 index 73e076a93b..0000000000 --- a/packages/cloudflare_logpush/0.2.1/data_stream/nel_report/fields/agent.yml +++ /dev/null 
@@ -1,186 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization ID used to identify different entities in a multi-tenant environment. Examples: AWS account ID, Google Cloud ORG ID, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container ID. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host ID. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host IP addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - -- name: input.type - type: keyword - description: Input type -- name: log.offset - type: long - description: Log offset 
diff --git a/packages/cloudflare_logpush/0.2.1/data_stream/nel_report/fields/base-fields.yml b/packages/cloudflare_logpush/0.2.1/data_stream/nel_report/fields/base-fields.yml deleted file mode 100755 index 90a63ff65c..0000000000 --- a/packages/cloudflare_logpush/0.2.1/data_stream/nel_report/fields/base-fields.yml +++ /dev/null @@ -1,20 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: '@timestamp' - type: date - description: Event timestamp. -- name: event.dataset - type: constant_keyword - description: Event dataset. - value: cloudflare_logpush.nel_report -- name: event.module - type: constant_keyword - description: Event module. - value: cloudflare_logpush diff --git a/packages/cloudflare_logpush/0.2.1/data_stream/nel_report/fields/ecs.yml b/packages/cloudflare_logpush/0.2.1/data_stream/nel_report/fields/ecs.yml deleted file mode 100755 index 506250f569..0000000000 --- a/packages/cloudflare_logpush/0.2.1/data_stream/nel_report/fields/ecs.yml +++ /dev/null 
@@ -1,49 +0,0 @@ -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. This will allow proper categorization of some events that fall in multiple categories. - name: event.category - normalize: - - array - type: keyword -- description: |- - event.created contains the date/time when the event was first read by an agent, or by your pipeline. - This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. - In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. - In case the two timestamps are identical, @timestamp should be used. - name: event.created - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. 
- The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: |- - Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. - This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. - doc_values: false - index: false - name: event.original - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. - `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. This will allow proper categorization of some events that fall in multiple event types. - name: event.type - normalize: - - array - type: keyword -- description: The type of the error, for example the class name of the exception. - name: error.type - type: keyword -- description: List of keywords used to tag each event. - name: tags - normalize: - - array - type: keyword diff --git a/packages/cloudflare_logpush/0.2.1/data_stream/nel_report/fields/fields.yml b/packages/cloudflare_logpush/0.2.1/data_stream/nel_report/fields/fields.yml deleted file mode 100755 index 547d5cce86..0000000000 --- a/packages/cloudflare_logpush/0.2.1/data_stream/nel_report/fields/fields.yml +++ /dev/null 
@@ -1,45 +0,0 @@ -- name: cloudflare_logpush.nel_report - type: group - fields: - - name: client - type: group - fields: - - name: ip - type: group - fields: - - name: asn - type: group - fields: - - name: value - type: long - description: Client ASN. - - name: description - type: keyword - description: Client ASN description. - - name: country - type: keyword - description: Client country. - - name: error - type: group - fields: - - name: type - type: keyword - description: The type of error in the phase. - - name: last_known_good - type: group - fields: - - name: colo - type: group - fields: - - name: code - type: keyword - description: IATA airport code of colo client connected to. - - name: phase - type: keyword - description: The phase of connection the error occurred in. - - name: timestamp - type: date - description: Timestamp for error report. -- name: log.source.address - type: keyword - description: Source address from which the log event was read / sent from. diff --git a/packages/cloudflare_logpush/0.2.1/data_stream/nel_report/manifest.yml b/packages/cloudflare_logpush/0.2.1/data_stream/nel_report/manifest.yml deleted file mode 100755 index ad8bdbf47a..0000000000 --- a/packages/cloudflare_logpush/0.2.1/data_stream/nel_report/manifest.yml +++ /dev/null 
@@ -1,151 +0,0 @@ -title: Collect NEL Report logs from Cloudflare -type: logs -streams: - - input: http_endpoint - template_path: http_endpoint.yml.hbs - title: NEL Report logs - description: Collect NEL Report logs from Cloudflare. - vars: - - name: listen_port - type: integer - title: Listen Port - description: The port number the listener binds to. - multi: false - required: true - show_user: true - default: 9564 - - name: url - type: text - title: URL - description: This option specifies which URL path to accept requests on. Defaults to /. - multi: false - required: false - show_user: false - default: / - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: false - default: - - forwarded - - cloudflare_logpush_nel_report - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original`. - type: bool - multi: false - default: false - - name: preserve_duplicate_custom_fields - required: true - show_user: true - title: Preserve duplicate custom fields - description: Preserve custom fields for all ECS mappings. - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: >- - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. - - input: aws-s3 - title: NEL Report logs via S3 or SQS - description: Collect NEL Report logs from Cloudflare. 
- template_path: aws-s3.yml.hbs - vars: - - name: bucket_list_prefix - type: text - title: '[S3] Bucket Prefix' - multi: false - required: false - show_user: true - default: nel_report - description: Prefix to apply for the list request to the S3 bucket. - - name: interval - type: text - title: '[S3] Interval' - multi: false - required: false - show_user: true - default: 1m - description: Time interval for polling listing of the S3 bucket. NOTE:- Supported units for this parameter are h/m/s. - - name: number_of_workers - type: integer - title: '[S3] Number of Workers' - multi: false - required: false - show_user: true - default: 5 - description: Number of workers that will process the S3 objects listed. - - name: visibility_timeout - type: text - title: '[SQS] Visibility Timeout' - multi: false - required: false - show_user: true - default: 300s - description: The duration that the received messages are hidden from subsequent retrieve requests after being retrieved by a ReceiveMessage request. The maximum is 12 hours. - - name: api_timeout - type: text - title: '[SQS] API Timeout' - multi: false - required: false - show_user: true - default: 120s - description: The maximum duration of AWS API can take. The maximum is half of the visibility timeout value. - - name: max_number_of_messages - type: integer - title: '[SQS] Maximum Concurrent SQS Messages' - required: false - show_user: true - default: 5 - description: The maximum number of SQS messages that can be inflight at any time. - - name: file_selectors - type: yaml - title: '[SQS] File Selectors' - multi: false - required: false - show_user: false - default: | - - regex: 'nel_report/' - description: If the SQS queue will have events that correspond to files that this integration shouldn’t process, file_selectors can be used to limit the files that are downloaded. This is a list of selectors which are made up of regex and expand_event_list_from_field options. 
The regex should match the S3 object key in the SQS message, and the optional expand_event_list_from_field is the same as the global setting. If file_selectors is given, then any global expand_event_list_from_field value is ignored in favor of the ones specified in the file_selectors. Regexes use [RE2 syntax](https://pkg.go.dev/regexp/syntax). Files that don’t match one of the regexes will not be processed. - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: false - default: - - forwarded - - cloudflare_logpush_nel_report - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original`. - type: bool - multi: false - default: false - - name: preserve_duplicate_custom_fields - required: true - show_user: true - title: Preserve duplicate custom fields - description: Preserve custom fields for all ECS mappings. - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: >- - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. diff --git a/packages/cloudflare_logpush/0.2.1/data_stream/nel_report/sample_event.json b/packages/cloudflare_logpush/0.2.1/data_stream/nel_report/sample_event.json deleted file mode 100755 index a3c802be0e..0000000000 --- a/packages/cloudflare_logpush/0.2.1/data_stream/nel_report/sample_event.json +++ /dev/null 
@@ -1,72 +0,0 @@ -{ - "@timestamp": "2021-07-27T00:01:07.000Z", - "agent": { - "ephemeral_id": "c38ba64f-2007-40ee-8ba6-7eead6aad5ee", - "hostname": "docker-fleet-agent", - "id": "8539930e-8f7a-48ac-af3e-7f098b7d6ea2", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "7.17.0" - }, - "cloudflare_logpush": { - "nel_report": { - "client": { - "ip": { - "asn": { - "description": "CLOUDFLARENET", - "value": 13335 - }, - "country": "US" - } - }, - "error": { - "type": "network-error" - }, - "last_known_good": { - "colo": { - "code": "SJC" - } - }, - "phase": "connection", - "timestamp": "2021-07-27T00:01:07.000Z" - } - }, - "data_stream": { - "dataset": "cloudflare_logpush.nel_report", - "namespace": "ep", - "type": "logs" - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "8539930e-8f7a-48ac-af3e-7f098b7d6ea2", - "snapshot": false, - "version": "7.17.0" - }, - "error": { - "type": "network-error" - }, - "event": { - "agent_id_status": "verified", - "category": [ - "network" - ], - "dataset": "cloudflare_logpush.nel_report", - "ingested": "2022-09-01T10:09:13Z", - "kind": "event", - "original": "{\"ClientIPASN\":\"13335\",\"ClientIPASNDescription\":\"CLOUDFLARENET\",\"ClientIPCountry\":\"US\",\"LastKnownGoodColoCode\":\"SJC\",\"Phase\":\"connection\",\"Timestamp\":\"2021-07-27T00:01:07Z\",\"Type\":\"network-error\"}", - "type": [ - "info" - ] - }, - "input": { - "type": "http_endpoint" - }, - "tags": [ - "preserve_original_event", - "preserve_duplicate_custom_fields", - "forwarded", - "cloudflare_logpush_nel_report" - ] -} \ No newline at end of file diff --git a/packages/cloudflare_logpush/0.2.1/data_stream/network_analytics/agent/stream/aws-s3.yml.hbs b/packages/cloudflare_logpush/0.2.1/data_stream/network_analytics/agent/stream/aws-s3.yml.hbs deleted file mode 100755 index 6029a860d9..0000000000 --- a/packages/cloudflare_logpush/0.2.1/data_stream/network_analytics/agent/stream/aws-s3.yml.hbs +++ /dev/null 
@@ -1,88 +0,0 @@
-{{#if collect_s3_logs}}
-
-{{#if bucket_arn}}
-bucket_arn: {{bucket_arn}}
-{{/if}}
-{{#if number_of_workers}}
-number_of_workers: {{number_of_workers}}
-{{/if}}
-{{#if interval}}
-bucket_list_interval: {{interval}}
-{{/if}}
-{{#if bucket_list_prefix}}
-bucket_list_prefix: {{bucket_list_prefix}}
-{{/if}}
-
-{{else}}
-
-{{#if queue_url}}
-queue_url: {{queue_url}}
-{{/if}}
-{{#if visibility_timeout}}
-visibility_timeout: {{visibility_timeout}}
-{{/if}}
-{{#if api_timeout}}
-api_timeout: {{api_timeout}}
-{{/if}}
-{{#if max_number_of_messages}}
-max_number_of_messages: {{max_number_of_messages}}
-{{/if}}
-{{#if file_selectors}}
-file_selectors:
-{{file_selectors}}
-{{/if}}
-
-{{/if}}
-
-{{#if access_key_id}}
-access_key_id: {{access_key_id}}
-{{/if}}
-{{#if secret_access_key}}
-secret_access_key: {{secret_access_key}}
-{{/if}}
-{{#if session_token}}
-session_token: {{session_token}}
-{{/if}}
-{{#if shared_credential_file}}
-shared_credential_file: {{shared_credential_file}}
-{{/if}}
-{{#if credential_profile_name}}
-credential_profile_name: {{credential_profile_name}}
-{{/if}}
-{{#if role_arn}}
-role_arn: {{role_arn}}
-{{/if}}
-{{#if endpoint}}
-endpoint: {{endpoint}}
-{{/if}}
-{{#if default_region}}
-default_region: {{default_region}}
-{{/if}}
-{{#if fips_enabled}}
-fips_enabled: {{fips_enabled}}
-{{/if}}
-{{#if proxy_url}}
-proxy_url: {{proxy_url}}
-{{/if}}
-tags:
-{{#if collect_s3_logs}}
- - collect_s3_logs
-{{else}}
- - collect_sqs_logs
-{{/if}}
-{{#if preserve_original_event}}
- - preserve_original_event
-{{/if}}
-{{#if preserve_duplicate_custom_fields}}
- - preserve_duplicate_custom_fields
-{{/if}}
-{{#each tags as |tag|}}
- - {{tag}}
-{{/each}}
-{{#contains "forwarded" tags}}
-publisher_pipeline.disable_host: true
-{{/contains}}
-{{#if processors}}
-processors:
-{{processors}}
-{{/if}}
diff --git a/packages/cloudflare_logpush/0.2.1/data_stream/network_analytics/agent/stream/http_endpoint.yml.hbs b/packages/cloudflare_logpush/0.2.1/data_stream/network_analytics/agent/stream/http_endpoint.yml.hbs
deleted file mode 100755
index 53229700cc..0000000000
--- a/packages/cloudflare_logpush/0.2.1/data_stream/network_analytics/agent/stream/http_endpoint.yml.hbs
+++ /dev/null
@@ -1,36 +0,0 @@
-listen_address: {{listen_address}}
-listen_port: {{listen_port}}
-url: {{url}}
-content_type: ""
-{{#if secret_header}}
-secret.header: {{secret_header}}
-{{/if}}
-{{#if secret_value}}
-secret.value: {{secret_value}}
-{{/if}}
-{{#if preserve_original_event}}
-preserve_original_event: true
-{{/if}}
-{{#if preserve_duplicate_custom_fields}}
-preserve_duplicate_custom_fields: true
-{{/if}}
-tags:
-{{#if preserve_original_event}}
- - preserve_original_event
-{{/if}}
-{{#if preserve_duplicate_custom_fields}}
- - preserve_duplicate_custom_fields
-{{/if}}
-{{#each tags as |tag|}}
- - {{tag}}
-{{/each}}
-{{#contains "forwarded" tags}}
-publisher_pipeline.disable_host: true
-{{/contains}}
-{{#if ssl}}
-ssl: {{ssl}}
-{{/if}}
-{{#if processors}}
-processors:
-{{processors}}
-{{/if}}
diff --git a/packages/cloudflare_logpush/0.2.1/data_stream/network_analytics/elasticsearch/ingest_pipeline/default.yml b/packages/cloudflare_logpush/0.2.1/data_stream/network_analytics/elasticsearch/ingest_pipeline/default.yml
deleted file mode 100755
index 2025140c3c..0000000000
--- a/packages/cloudflare_logpush/0.2.1/data_stream/network_analytics/elasticsearch/ingest_pipeline/default.yml
+++ /dev/null
@@ -1,787 +0,0 @@ ---- -description: Pipeline for parsing Cloudflare Network Analytics logs. -processors: - - set: - field: ecs.version - value: '8.2.0' - - rename: - field: message - target_field: event.original - ignore_missing: true - - json: - field: event.original - target_field: json - ignore_failure: true - - set: - field: event.category - value: [network] - - set: - field: event.kind - value: event - - set: - field: event.type - value: [info] - - date: - field: json.Datetime - if: ctx.json?.Datetime != null && ctx.json.Datetime != '' - formats: - - ISO8601 - - uuuu-MM-dd'T'HH:mm:ssX - - uuuu-MM-dd'T'HH:mm:ss.SSSX - - yyyy-MM-dd'T'HH:mm:ssZ - - yyyy-MM-dd'T'HH:mm:ss.SSSZ - - UNIX_MS - timezone: UTC - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - set: - field: cloudflare_logpush.network_analytics.timestamp - copy_from: '@timestamp' - ignore_failure: true - - set: - field: cloudflare_logpush.network_analytics.outcome - value: success - if: ctx.json?.Outcome == 'pass' - - set: - field: cloudflare_logpush.network_analytics.outcome - value: failure - if: ctx.json?.Outcome == 'drop' - - set: - field: event.outcome - copy_from: cloudflare_logpush.network_analytics.outcome - ignore_failure: true - - convert: - field: json.DestinationASN - target_field: cloudflare_logpush.network_analytics.destination.asn - if: ctx.json?.DestinationASN != '' - type: long - ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - set: - field: destination.as.number - copy_from: cloudflare_logpush.network_analytics.destination.asn - ignore_failure: true - - convert: - field: json.IPDestinationAddress - target_field: cloudflare_logpush.network_analytics.destination.ip - if: ctx.json?.IPDestinationAddress != '' - type: ip - ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - set: - field: destination.ip - 
copy_from: cloudflare_logpush.network_analytics.destination.ip - ignore_failure: true - - convert: - field: json.DestinationPort - target_field: cloudflare_logpush.network_analytics.destination.port - if: ctx.json?.DestinationPort != '' - type: long - ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - set: - field: destination.port - copy_from: cloudflare_logpush.network_analytics.destination.port - ignore_failure: true - - rename: - field: json.Direction - target_field: cloudflare_logpush.network_analytics.direction - ignore_missing: true - - set: - field: network.direction - copy_from: cloudflare_logpush.network_analytics.direction - ignore_failure: true - - rename: - field: json.IPProtocolName - target_field: cloudflare_logpush.network_analytics.ip.protocol.name - ignore_missing: true - - set: - field: network.transport - copy_from: cloudflare_logpush.network_analytics.ip.protocol.name - ignore_failure: true - - lowercase: - field: network.transport - ignore_missing: true - - convert: - field: json.IPSourceAddress - target_field: cloudflare_logpush.network_analytics.source.ip - if: ctx.json?.IPSourceAddress != '' - type: ip - ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - set: - field: source.ip - copy_from: cloudflare_logpush.network_analytics.source.ip - ignore_failure: true - - convert: - field: json.SourceASN - target_field: cloudflare_logpush.network_analytics.source.asn - if: ctx.json?.SourceASN != '' - type: long - ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - set: - field: source.as.number - copy_from: cloudflare_logpush.network_analytics.source.asn - ignore_failure: true - - convert: - field: json.SourcePort - target_field: cloudflare_logpush.network_analytics.source.port - if: ctx.json?.SourcePort != '' - type: long - ignore_missing: true - 
on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - set: - field: source.port - copy_from: cloudflare_logpush.network_analytics.source.port - ignore_failure: true - - rename: - field: json.RuleID - target_field: cloudflare_logpush.network_analytics.rule.id - ignore_missing: true - - set: - field: rule.id - copy_from: cloudflare_logpush.network_analytics.rule.id - ignore_failure: true - - rename: - field: json.AttackCampaignID - target_field: cloudflare_logpush.network_analytics.attack.campaign.id - ignore_missing: true - - rename: - field: json.AttackID - target_field: cloudflare_logpush.network_analytics.attack.id - ignore_missing: true - - rename: - field: json.ColoCountry - target_field: cloudflare_logpush.network_analytics.colo.country - ignore_missing: true - - rename: - field: json.ColoGeoHash - target_field: cloudflare_logpush.network_analytics.colo.geo_hash - ignore_missing: true - - set: - field: cloudflare_logpush.network_analytics.colo.geo_location - copy_from: cloudflare_logpush.network_analytics.colo.geo_hash - ignore_failure: true - - convert: - field: json.ColoID - target_field: cloudflare_logpush.network_analytics.colo.id - if: ctx.json?.ColoID != '' - type: long - ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - rename: - field: json.ColoName - target_field: cloudflare_logpush.network_analytics.colo.name - ignore_missing: true - - rename: - field: json.DestinationASNDescription - target_field: cloudflare_logpush.network_analytics.destination.as.number.description - ignore_missing: true - - rename: - field: json.DestinationCountry - target_field: cloudflare_logpush.network_analytics.destination.country - ignore_missing: true - - rename: - field: json.DestinationGeoHash - target_field: cloudflare_logpush.network_analytics.destination.geo_hash - ignore_missing: true - - set: - field: 
cloudflare_logpush.network_analytics.destination.geo_location - copy_from: cloudflare_logpush.network_analytics.destination.geo_hash - ignore_failure: true - - convert: - field: json.GREChecksum - target_field: cloudflare_logpush.network_analytics.gre.checksum - if: ctx.json?.GREChecksum != '' - type: long - ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - convert: - field: json.GREEthertype - target_field: cloudflare_logpush.network_analytics.gre.ether.type - if: ctx.json?.GREEthertype != '' - type: long - ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - convert: - field: json.GREHeaderLength - target_field: cloudflare_logpush.network_analytics.gre.header.length - if: ctx.json?.GREHeaderLength != '' - type: long - ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - convert: - field: json.GREKey - target_field: cloudflare_logpush.network_analytics.gre.key - if: ctx.json?.GREKey != '' - type: long - ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - convert: - field: json.GRESequenceNumber - target_field: cloudflare_logpush.network_analytics.gre.sequence.number - if: ctx.json?.GRESequenceNumber != '' - type: long - ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - convert: - field: json.GREVersion - target_field: cloudflare_logpush.network_analytics.gre.version - if: ctx.json?.GREVersion != '' - type: long - ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - convert: - field: json.ICMPChecksum - target_field: cloudflare_logpush.network_analytics.icmp.checksum - if: ctx.json?.ICMPChecksum != '' - type: long - ignore_missing: true - on_failure: - - append: - field: 
error.message - value: '{{{_ingest.on_failure_message}}}' - - convert: - field: json.ICMPCode - target_field: cloudflare_logpush.network_analytics.icmp.code - if: ctx.json?.ICMPCode != '' - type: long - ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - convert: - field: json.ICMPType - target_field: cloudflare_logpush.network_analytics.icmp.type - if: ctx.json?.ICMPType != '' - type: long - ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - rename: - field: json.IPDestinationSubnet - target_field: cloudflare_logpush.network_analytics.ip.destination.subnet - ignore_missing: true - - convert: - field: json.IPFragmentOffset - target_field: cloudflare_logpush.network_analytics.ip.fragment.offset - if: ctx.json?.IPFragmentOffset != '' - type: long - ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - convert: - field: json.IPHeaderLength - target_field: cloudflare_logpush.network_analytics.ip.header.length - if: ctx.json?.IPHeaderLength != '' - type: long - ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - convert: - field: json.IPMoreFragments - target_field: cloudflare_logpush.network_analytics.ip.more.fragments - if: ctx.json?.IPMoreFragments != '' - type: long - ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - convert: - field: json.IPProtocol - target_field: cloudflare_logpush.network_analytics.ip.protocol.value - if: ctx.json?.IPProtocol != '' - type: long - ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - rename: - field: json.IPSourceSubnet - target_field: cloudflare_logpush.network_analytics.ip.source.subnet - ignore_missing: true - - convert: - field: 
json.IPTotalLength - target_field: cloudflare_logpush.network_analytics.ip.total.length.value - if: ctx.json?.IPTotalLength != '' - type: long - ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - convert: - field: json.IPTotalLengthBuckets - target_field: cloudflare_logpush.network_analytics.ip.total.length.buckets - if: ctx.json?.IPTotalLengthBuckets != '' - type: long - ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - convert: - field: json.IPTtl - target_field: cloudflare_logpush.network_analytics.ip.ttl.value - if: ctx.json?.IPTtl != '' - type: long - ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - convert: - field: json.IPTtlBuckets - target_field: cloudflare_logpush.network_analytics.ip.ttl.buckets - if: ctx.json?.IPTtlBuckets != '' - type: long - ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - convert: - field: json.IPv4Checksum - target_field: cloudflare_logpush.network_analytics.ipv4.checksum - if: ctx.json?.IPv4Checksum != '' - type: long - ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - convert: - field: json.IPv4DontFragment - target_field: cloudflare_logpush.network_analytics.ipv4.dont_fragment - if: ctx.json?.IPv4DontFragment != '' - type: long - ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - convert: - field: json.IPv4Dscp - target_field: cloudflare_logpush.network_analytics.ipv4.dscp - if: ctx.json?.IPv4Dscp != '' - type: long - ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - convert: - field: json.IPv4Ecn - target_field: cloudflare_logpush.network_analytics.ipv4.ecn - 
if: ctx.json?.IPv4Ecn != '' - type: long - ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - convert: - field: json.IPv4Identification - target_field: cloudflare_logpush.network_analytics.ipv4.identification - if: ctx.json?.IPv4Identification != '' - type: long - ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - convert: - field: json.IPv4Options - target_field: cloudflare_logpush.network_analytics.ipv4.options - if: ctx.json?.IPv4Options != '' - type: long - ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - convert: - field: json.IPv6Dscp - target_field: cloudflare_logpush.network_analytics.ipv6.dscp - if: ctx.json?.IPv6Dscp != '' - type: long - ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - convert: - field: json.IPv6Ecn - target_field: cloudflare_logpush.network_analytics.ipv6.ecn - if: ctx.json?.IPv6Ecn != '' - type: long - ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - rename: - field: json.IPv6ExtensionHeaders - target_field: cloudflare_logpush.network_analytics.ipv6.extension_headers - ignore_missing: true - - convert: - field: json.IPv6FlowLabel - target_field: cloudflare_logpush.network_analytics.ipv6.flow_label - if: ctx.json?.IPv6FlowLabel != '' - type: long - ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - convert: - field: json.IPv6Identification - target_field: cloudflare_logpush.network_analytics.ipv6.identification - if: ctx.json?.IPv6Identification != '' - type: long - ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - rename: - field: json.MitigationReason - target_field: 
cloudflare_logpush.network_analytics.mitigation.reason - ignore_missing: true - - rename: - field: json.MitigationScope - target_field: cloudflare_logpush.network_analytics.mitigation.scope - ignore_missing: true - - rename: - field: json.MitigationSystem - target_field: cloudflare_logpush.network_analytics.mitigation.system - ignore_missing: true - - rename: - field: json.ProtocolState - target_field: cloudflare_logpush.network_analytics.protocol_state - ignore_missing: true - - rename: - field: json.RulesetID - target_field: cloudflare_logpush.network_analytics.rule.set.id - ignore_missing: true - - rename: - field: json.RulesetOverrideID - target_field: cloudflare_logpush.network_analytics.rule.set.override.id - ignore_missing: true - - convert: - field: json.SampleInterval - target_field: cloudflare_logpush.network_analytics.sample_interval - if: ctx.json?.SampleInterval != '' - type: long - ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - rename: - field: json.SourceASNDescription - target_field: cloudflare_logpush.network_analytics.source.as.number.description - ignore_missing: true - - rename: - field: json.SourceCountry - target_field: cloudflare_logpush.network_analytics.source.country - ignore_missing: true - - rename: - field: json.SourceGeoHash - target_field: cloudflare_logpush.network_analytics.source.geo_hash - ignore_missing: true - - set: - field: cloudflare_logpush.network_analytics.source.geo_location - copy_from: cloudflare_logpush.network_analytics.source.geo_hash - ignore_failure: true - - convert: - field: json.TCPAcknowledgementNumber - target_field: cloudflare_logpush.network_analytics.tcp.acknowledgement_number - if: ctx.json?.TCPAcknowledgementNumber != '' - type: long - ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - convert: - field: json.TCPChecksum - target_field: 
cloudflare_logpush.network_analytics.tcp.checksum - if: ctx.json?.TCPChecksum != '' - type: long - ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - convert: - field: json.TCPDataOffset - target_field: cloudflare_logpush.network_analytics.tcp.dataoffset - if: ctx.json?.TCPDataOffset != '' - type: long - ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - convert: - field: json.TCPFlags - target_field: cloudflare_logpush.network_analytics.tcp.flags.value - if: ctx.json?.TCPFlags != '' - type: long - ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - rename: - field: json.TCPFlagsString - target_field: cloudflare_logpush.network_analytics.tcp.flags.string - ignore_missing: true - - convert: - field: json.TCPMss - target_field: cloudflare_logpush.network_analytics.tcp.mss - if: ctx.json?.TCPMss != '' - type: long - ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - rename: - field: json.TCPOptions - target_field: cloudflare_logpush.network_analytics.tcp.options - ignore_missing: true - - convert: - field: json.TCPSackBlocks - target_field: cloudflare_logpush.network_analytics.tcp.sack.blocks - if: ctx.json?.TCPSackBlocks != '' - type: long - ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - convert: - field: json.TCPSacksPermitted - target_field: cloudflare_logpush.network_analytics.tcp.sack.permitted - if: ctx.json?.TCPSacksPermitted != '' - type: long - ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - convert: - field: json.TCPSequenceNumber - target_field: cloudflare_logpush.network_analytics.tcp.sequence_number - if: ctx.json?.TCPSequenceNumber != '' - type: long - 
ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - convert: - field: json.TCPTimestampEcr - target_field: cloudflare_logpush.network_analytics.tcp.timestamp.ecr - if: ctx.json?.TCPTimestampEcr != '' - type: long - ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - convert: - field: json.TCPTimestampValue - target_field: cloudflare_logpush.network_analytics.tcp.timestamp.value - if: ctx.json?.TCPTimestampValue != '' - type: long - ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - convert: - field: json.TCPUrgentPointer - target_field: cloudflare_logpush.network_analytics.tcp.urgent_pointer - if: ctx.json?.TCPUrgentPointer != '' - type: long - ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - convert: - field: json.TCPWindowScale - target_field: cloudflare_logpush.network_analytics.tcp.window.scale - if: ctx.json?.TCPWindowScale != '' - type: long - ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - convert: - field: json.TCPWindowSize - target_field: cloudflare_logpush.network_analytics.tcp.window.size - if: ctx.json?.TCPWindowSize != '' - type: long - ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - convert: - field: json.UDPChecksum - target_field: cloudflare_logpush.network_analytics.udp.checksum - if: ctx.json?.UDPChecksum != '' - type: long - ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - convert: - field: json.UDPPayloadLength - target_field: cloudflare_logpush.network_analytics.udp.payload_length - if: ctx.json?.UDPPayloadLength != '' - type: long - ignore_missing: true - on_failure: - - 
append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - rename: - field: json.Verdict - target_field: cloudflare_logpush.network_analytics.verdict - ignore_missing: true - - append: - field: related.hash - value: '{{{cloudflare_logpush.network_analytics.source.geo_hash}}}' - if: ctx.cloudflare_logpush?.network_analytics?.source?.geo_hash != null - allow_duplicates: false - ignore_failure: true - - append: - field: related.hash - value: '{{{cloudflare_logpush.network_analytics.destination.geo_hash}}}' - if: ctx.cloudflare_logpush?.network_analytics?.destination?.geo_hash != null - allow_duplicates: false - ignore_failure: true - - append: - field: related.hash - value: '{{{cloudflare_logpush.network_analytics.colo.geo_hash}}}' - if: ctx.cloudflare_logpush?.network_analytics?.colo?.geo_hash != null - allow_duplicates: false - ignore_failure: true - - append: - field: related.ip - value: '{{{source.ip}}}' - if: ctx.source?.ip != null - allow_duplicates: false - ignore_failure: true - - append: - field: related.ip - value: '{{{destination.ip}}}' - if: ctx.destination?.ip != null - allow_duplicates: false - ignore_failure: true - - community_id: - target_field: network.community_id - ignore_failure: true - - remove: - field: json - ignore_missing: true - - remove: - field: - - cloudflare_logpush.network_analytics.timestamp - - cloudflare_logpush.network_analytics.outcome - - cloudflare_logpush.network_analytics.destination.asn - - cloudflare_logpush.network_analytics.destination.ip - - cloudflare_logpush.network_analytics.destination.port - - cloudflare_logpush.network_analytics.direction - - cloudflare_logpush.network_analytics.ip.protocol.name - - cloudflare_logpush.network_analytics.source.ip - - cloudflare_logpush.network_analytics.source.asn - - cloudflare_logpush.network_analytics.source.port - - cloudflare_logpush.network_analytics.rule.id - if: ctx.tags == null || !(ctx.tags.contains('preserve_duplicate_custom_fields')) - ignore_failure: 
true - ignore_missing: true - - remove: - field: event.original - if: ctx.tags == null || !(ctx.tags.contains('preserve_original_event')) - ignore_failure: true - ignore_missing: true - - script: - description: Drops null/empty values recursively. - lang: painless - source: - boolean dropEmptyFields(Object object) { - if (object == null || object == "") { - return true; - } else if (object instanceof Map) { - ((Map) object).values().removeIf(value -> dropEmptyFields(value)); - return (((Map) object).size() == 0); - } else if (object instanceof List) { - ((List) object).removeIf(value -> dropEmptyFields(value)); - return (((List) object).length == 0); - } - return false; - } - dropEmptyFields(ctx); -on_failure: -- append: - field: error.message - value: '{{{ _ingest.on_failure_message }}}' diff --git a/packages/cloudflare_logpush/0.2.1/data_stream/network_analytics/fields/agent.yml b/packages/cloudflare_logpush/0.2.1/data_stream/network_analytics/fields/agent.yml deleted file mode 100755 index 73e076a93b..0000000000 --- a/packages/cloudflare_logpush/0.2.1/data_stream/network_analytics/fields/agent.yml +++ /dev/null 
@@ -1,186 +0,0 @@
-- name: cloud
- title: Cloud
- group: 2
- description: Fields related to the cloud or infrastructure the events are coming from.
- footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.'
- type: group
- fields:
- - name: account.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'The cloud account or organization ID used to identify different entities in a multi-tenant environment. Examples: AWS account ID, Google Cloud ORG ID, or other unique identifier.'
- example: 666777888999
- - name: availability_zone
- level: extended
- type: keyword
- ignore_above: 1024
- description: Availability zone in which this host is running.
- example: us-east-1c
- - name: instance.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance ID of the host machine.
- example: i-1234567890abcdef0
- - name: instance.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance name of the host machine.
- - name: machine.type
- level: extended
- type: keyword
- ignore_above: 1024
- description: Machine type of the host machine.
- example: t2.medium
- - name: provider
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
- example: aws
- - name: region
- level: extended
- type: keyword
- ignore_above: 1024
- description: Region in which this host is running.
- example: us-east-1
- - name: project.id
- type: keyword
- description: Name of the project in Google Cloud.
- - name: image.id
- type: keyword
- description: Image ID for the cloud instance.
-- name: container
- title: Container
- group: 2
- description: 'Container fields are used for meta information about the specific container that is the source of information. These fields help correlate data based containers from any runtime.'
- type: group
- fields:
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: Unique container ID.
- - name: image.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the image the container was built on.
- - name: labels
- level: extended
- type: object
- object_type: keyword
- description: Image labels.
- - name: name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Container name.
-- name: host
- title: Host
- group: 2
- description: 'A host is defined as a general computing instance. ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.'
- type: group
- fields:
- - name: architecture
- level: core
- type: keyword
- ignore_above: 1024
- description: Operating system architecture.
- example: x86_64
- - name: domain
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'Name of the domain of which the host is a member. For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.'
- example: CONTOSO
- default_field: false
- - name: hostname
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Hostname of the host. It normally contains what the `hostname` command returns on the host machine.'
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Unique host ID. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`.'
- - name: ip
- level: core
- type: ip
- description: Host IP addresses.
- - name: mac
- level: core
- type: keyword
- ignore_above: 1024
- description: Host mac addresses.
- - name: name
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.'
- - name: os.family
- level: extended
- type: keyword
- ignore_above: 1024
- description: OS family (such as redhat, debian, freebsd, windows).
- example: debian
- - name: os.kernel
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system kernel version as a raw string.
- example: 4.4.0-112-generic
- - name: os.name
- level: extended
- type: keyword
- ignore_above: 1024
- multi_fields:
- - name: text
- type: text
- norms: false
- default_field: false
- description: Operating system name, without the version.
- example: Mac OS X
- - name: os.platform
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system platform (such centos, ubuntu, windows).
- example: darwin
- - name: os.version
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system version as a raw string.
- example: 10.14.1
- - name: type
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.'
- - name: containerized
- type: boolean
- description: >
- If the host is a container.
-
- - name: os.build
- type: keyword
- example: "18D109"
- description: >
- OS build information.
-
- - name: os.codename
- type: keyword
- example: "stretch"
- description: >
- OS codename, if any.
-
-- name: input.type
- type: keyword
- description: Input type
-- name: log.offset
- type: long
- description: Log offset
diff --git a/packages/cloudflare_logpush/0.2.1/data_stream/network_analytics/fields/base-fields.yml b/packages/cloudflare_logpush/0.2.1/data_stream/network_analytics/fields/base-fields.yml
deleted file mode 100755
index f25938756c..0000000000
--- a/packages/cloudflare_logpush/0.2.1/data_stream/network_analytics/fields/base-fields.yml
+++ /dev/null
@@ -1,20 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: '@timestamp'
- type: date
- description: Event timestamp.
-- name: event.dataset
- type: constant_keyword
- description: Event dataset.
- value: cloudflare_logpush.network_analytics
-- name: event.module
- type: constant_keyword
- description: Event module.
- value: cloudflare_logpush
diff --git a/packages/cloudflare_logpush/0.2.1/data_stream/network_analytics/fields/ecs.yml b/packages/cloudflare_logpush/0.2.1/data_stream/network_analytics/fields/ecs.yml
deleted file mode 100755
index d416ec8f9a..0000000000
--- a/packages/cloudflare_logpush/0.2.1/data_stream/network_analytics/fields/ecs.yml
+++ /dev/null
@@ -1,111 +0,0 @@
-- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet.
- name: destination.as.number
- type: long
-- description: IP address of the destination (IPv4 or IPv6).
- name: destination.ip
- type: ip
-- description: Port of the destination.
- name: destination.port
- type: long
-- description: |-
- ECS version this event conforms to. `ecs.version` is a required field and must exist in all events.
- When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events.
- name: ecs.version
- type: keyword
-- description: |-
- This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy.
- `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory.
- This field is an array. This will allow proper categorization of some events that fall in multiple categories.
- name: event.category
- normalize:
- - array
- type: keyword
-- description: |-
- event.created contains the date/time when the event was first read by an agent, or by your pipeline.
- This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event.
- In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source.
- In case the two timestamps are identical, @timestamp should be used.
- name: event.created
- type: date
-- description: |-
- This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy.
- `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events.
- The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not.
- name: event.kind
- type: keyword
-- description: |-
- Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex.
- This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`.
- doc_values: false
- index: false
- name: event.original
- type: keyword
-- description: |-
- This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy.
- `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event.
- Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective.
- Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer.
- Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense.
- name: event.outcome
- type: keyword
-- description: |-
- This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy.
- `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization.
- This field is an array. This will allow proper categorization of some events that fall in multiple event types.
- name: event.type
- normalize:
- - array
- type: keyword
-- description: |-
- A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows.
- Learn more at https://github.com/corelight/community-id-spec.
- name: network.community_id
- type: keyword
-- description: |-
- Direction of the network traffic.
- Recommended values are:
- * ingress
- * egress
- * inbound
- * outbound
- * internal
- * external
- * unknown
-
- When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress".
- When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external".
- Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers.
- name: network.direction
- type: keyword
-- description: |-
- Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.)
- The field value must be normalized to lowercase for querying.
- name: network.transport
- type: keyword
-- description: All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search).
- name: related.hash
- normalize:
- - array
- type: keyword
-- description: All of the IPs seen on your event.
- name: related.ip
- normalize:
- - array
- type: ip
-- description: A rule ID that is unique within the scope of an agent, observer, or other entity using the rule for detection of this event.
- name: rule.id
- type: keyword
-- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet.
- name: source.as.number
- type: long
-- description: IP address of the source (IPv4 or IPv6).
- name: source.ip
- type: ip
-- description: Port of the source.
- name: source.port
- type: long
-- description: List of keywords used to tag each event.
- name: tags
- normalize:
- - array
- type: keyword
diff --git a/packages/cloudflare_logpush/0.2.1/data_stream/network_analytics/fields/fields.yml b/packages/cloudflare_logpush/0.2.1/data_stream/network_analytics/fields/fields.yml
deleted file mode 100755
index 2eca19d03c..0000000000
--- a/packages/cloudflare_logpush/0.2.1/data_stream/network_analytics/fields/fields.yml
+++ /dev/null
@@ -1,357 +0,0 @@
-- name: cloudflare_logpush.network_analytics
- type: group
- fields:
- - name: attack
- type: group
- fields:
- - name: campaign
- type: group
- fields:
- - name: id
- type: keyword
- description: Unique identifier of the attack campaign that this packet was a part of, if any.
- - name: id
- type: keyword
- description: Unique identifier of the mitigation that matched the packet, if any.
- - name: colo
- type: group
- fields:
- - name: country
- type: keyword
- description: The country of colo that received the packet (ISO 3166-1 alpha-2).
- - name: geo_hash
- type: keyword
- description: The Geo Hash where the colo that received the packet is located.
- - name: geo_location
- type: geo_point
- description: The latitude and longitude where the colo that received the packet is located.
- - name: id
- type: long
- description: The ID of the colo that received the DNS query.
- - name: name
- type: keyword
- description: The name of the colo that received the DNS query.
- - name: destination
- type: group
- fields:
- - name: as
- type: group
- fields:
- - name: number
- type: group
- fields:
- - name: description
- type: text
- description: The ASN description associated with the destination IP of the packet.
- - name: asn
- type: long
- description: The ASN associated with the destination IP of the packet.
- - name: country
- type: keyword
- description: The country where the destination IP of the packet is located.
- - name: geo_hash
- type: keyword
- description: The Geo Hash where the destination IP of the packet is located.
- - name: geo_location
- type: geo_point
- description: The latitude and longitude where the destination IP of the packet is located.
- - name: ip
- type: ip
- description: Value of the Destination Address header field in the IPv4 or IPv6 packet.
- - name: port
- type: long
- description: Value of the Destination Port header field in the TCP or UDP packet.
- - name: direction
- type: keyword
- description: The direction in relation to customer network.
- - name: gre
- type: group
- fields:
- - name: checksum
- type: long
- description: Value of the Checksum header field in the GRE packet.
- - name: ether
- type: group
- fields:
- - name: type
- type: long
- description: Value of the Ethertype header field in the GRE packet.
- - name: header
- type: group
- fields:
- - name: length
- type: long
- description: Length of the GRE packet header, in bytes.
- - name: key
- type: long
- description: Value of the Key header field in the GRE packet.
- - name: sequence
- type: group
- fields:
- - name: number
- type: long
- description: Value of the Sequence Number header field in the GRE packet.
- - name: version
- type: long
- description: Value of the Version header field in the GRE packet.
- - name: icmp
- type: group
- fields:
- - name: checksum
- type: long
- description: Value of the Checksum header field in the ICMP packet
- - name: code
- type: long
- description: Value of the Code header field in the ICMP packet
- - name: type
- type: long
- description: Value of the Type header field in the ICMP packet
- - name: ip
- type: group
- fields:
- - name: destination
- type: group
- fields:
- - name: subnet
- type: keyword
- description: Computed subnet of the Destination Address header field in the IPv4 or IPv6 packet.
- - name: fragment
- type: group
- fields:
- - name: offset
- type: long
- description: Value of the Fragment Offset header field in the IPv4 or IPv6 packet.
- - name: header
- type: group
- fields:
- - name: length
- type: long
- description: Length of the IPv4 or IPv6 packet header, in bytes.
- - name: more
- type: group
- fields:
- - name: fragments
- type: long
- description: Value of the More Fragments header field in the IPv4 or IPv6 packet.
- - name: protocol
- type: group
- fields:
- - name: name
- type: text
- description: Name of the protocol specified by the Protocol header field in the IPv4 or IPv6 packet.
- - name: value
- type: long
- description: Value of the Protocol header field in the IPv4 or IPv6 packet.
- - name: source
- type: group
- fields:
- - name: subnet
- type: keyword
- description: Computed subnet of the Source Address header field in the IPv4 or IPv6 packet.
- - name: total
- type: group
- fields:
- - name: length
- type: group
- fields:
- - name: buckets
- type: long
- description: Total length of the IPv4 or IPv6 packet, in bytes, with the last two digits truncated.
- - name: value
- type: long
- description: Total length of the IPv4 or IPv6 packet, in bytes.
- - name: ttl
- type: group
- fields:
- - name: buckets
- type: long
- description: Value of the TTL header field in the IPv4 packet or the Hop Limit header field in the IPv6 packet, with the last digit truncated.
- - name: value
- type: long
- description: Value of the TTL header field in the IPv4 packet or the Hop Limit header field in the IPv6 packet.
- - name: ipv4
- type: group
- fields:
- - name: checksum
- type: long
- description: Value of the Checksum header field in the IPv4 packet.
- - name: dont_fragment
- type: long
- description: Value of the Don’t Fragment header field in the IPv4 packet.
- - name: dscp
- type: long
- description: Value of the Differentiated Services Code Point header field in the IPv4 packet.
- - name: ecn
- type: long
- description: Value of the Explicit Congestion Notification header field in the IPv4 packet.
- - name: identification
- type: long
- description: Value of the Identification header field in the IPv4 packet.
- - name: options
- type: long
- description: List of Options numbers included in the IPv4 packet header.
- - name: ipv6
- type: group
- fields:
- - name: dscp
- type: long
- description: Value of the Differentiated Services Code Point header field in the IPv6 packet.
- - name: ecn
- type: long
- description: Value of the Explicit Congestion Notification header field in the IPv6 packet.
- - name: extension_headers
- type: text
- description: List of Extension Header numbers included in the IPv6 packet header.
- - name: flow_label
- type: long
- description: Value of the Flow Label header field in the IPv6 packet.
- - name: identification
- type: long
- description: Value of the Identification extension header field in the IPv6 packet.
- - name: mitigation
- type: group
- fields:
- - name: reason
- type: keyword
- description: Reason for applying a mitigation to the packet, if any.
- - name: scope
- type: keyword
- description: Whether the packet matched a local or global mitigation, if any.
- - name: system
- type: keyword
- description: Which Cloudflare system dropped the packet, if any.
- - name: outcome
- type: keyword
- description: The action that Cloudflare systems took on the packet.
- - name: protocol_state
- type: keyword
- description: State of the packet in the context of the protocol, if any.
- - name: rule
- type: group
- fields:
- - name: id
- type: text
- description: Unique identifier of the rule contained with the Cloudflare L3/4 managed ruleset that this packet matched, if any.
- - name: set
- type: group
- fields:
- - name: id
- type: keyword
- description: Unique identifier of the Cloudflare L3/4 managed ruleset containing the rule that this packet matched, if any.
- - name: override
- type: group
- fields:
- - name: id
- type: text
- description: Unique identifier of the rule within the accounts root ddos_l4 phase ruleset which resulted in an override of the default sensitivity or action being applied/evaluated, if any.
- - name: sample_interval
- type: long
- description: The sample interval for this log.
- - name: source
- type: group
- fields:
- - name: as
- type: group
- fields:
- - name: number
- type: group
- fields:
- - name: description
- type: text
- description: The ASN description associated with the source IP of the packet.
- - name: asn
- type: long
- description: The ASN associated with the source IP of the packet.
- - name: country
- type: keyword
- description: The country where the source IP of the packet is located.
- - name: geo_hash
- type: keyword
- description: The Geo Hash where the source IP of the packet is located.
- - name: geo_location
- type: geo_point
- description: The latitude and longitude where the source IP of the packet is located.
- - name: ip
- type: ip
- description: Value of the Source Address header field in the IPv4 or IPv6 packet.
- - name: port
- type: long
- description: Value of the Source Port header field in the TCP or UDP packet.
- - name: tcp
- type: group
- fields:
- - name: acknowledgement_number
- type: long
- description: Value of the Acknowledgement Number header field in the TCP packet.
- - name: checksum
- type: long
- description: Value of the Checksum header field in the TCP packet.
- - name: dataoffset
- type: long
- description: Value of the Data Offset header field in the TCP packet.
- - name: flags
- type: group
- fields:
- - name: string
- type: text
- description: Human-readable string representation of the Flags header field in the TCP packet.
- - name: value
- type: long
- description: Value of the Flags header field in the TCP packet.
- - name: mss
- type: long
- description: Value of the MSS option header field in the TCP packet.
- - name: options
- type: text
- description: List of Options numbers included in the TCP packet header.
- - name: sack
- type: group
- fields:
- - name: blocks
- type: long
- description: Value of the SACK Blocks option header in the TCP packet.
- - name: permitted
- type: long
- description: Value of the SACK Permitted option header in the TCP packet.
- - name: sequence_number
- type: long
- description: Value of the Sequence Number header field in the TCP packet.
- - name: timestamp
- type: group
- fields:
- - name: ecr
- type: long
- description: Value of the Timestamp Echo Reply option header in the TCP packet.
- - name: value
- type: long
- description: Value of the Timestamp option header in the TCP packet.
- - name: urgent_pointer
- type: long
- description: Value of the Urgent Pointer header field in the TCP packet.
- - name: window
- type: group
- fields:
- - name: scale
- type: long
- description: Value of the Window Scale option header in the TCP packet.
- - name: size
- type: long
- description: Value of the Window Size header field in the TCP packet.
- - name: timestamp
- type: date
- description: The date and time the event occurred at the edge.
- - name: udp
- type: group
- fields:
- - name: checksum
- type: long
- description: Value of the Checksum header field in the UDP packet.
- - name: payload_length
- type: long
- description: Value of the Payload Length header field in the UDP packet.
- - name: verdict
- type: keyword
- description: The action that Cloudflare systems think should be taken on the packet (pass | drop).
-- name: log.source.address
- type: keyword
- description: Source address from which the log event was read / sent from.
diff --git a/packages/cloudflare_logpush/0.2.1/data_stream/network_analytics/manifest.yml b/packages/cloudflare_logpush/0.2.1/data_stream/network_analytics/manifest.yml
deleted file mode 100755
index f944ddec66..0000000000
--- a/packages/cloudflare_logpush/0.2.1/data_stream/network_analytics/manifest.yml
+++ /dev/null
@@ -1,151 +0,0 @@
-title: Collect Network Analytics logs from Cloudflare
-type: logs
-streams:
- - input: http_endpoint
- template_path: http_endpoint.yml.hbs
- title: Network Analytics logs
- description: Collect Network Analytics logs from Cloudflare.
- vars:
- - name: listen_port
- type: integer
- title: Listen Port
- description: The port number the listener binds to.
- multi: false
- required: true
- show_user: true
- default: 9565
- - name: url
- type: text
- title: URL
- description: This option specifies which URL path to accept requests on. Defaults to /.
- multi: false
- required: false
- show_user: false
- default: /
- - name: tags
- type: text
- title: Tags
- multi: true
- required: true
- show_user: false
- default:
- - forwarded
- - cloudflare_logpush_network_analytics
- - name: preserve_original_event
- required: true
- show_user: true
- title: Preserve original event
- description: Preserves a raw copy of the original event, added to the field `event.original`.
- type: bool
- multi: false
- default: false
- - name: preserve_duplicate_custom_fields
- required: true
- show_user: true
- title: Preserve duplicate custom fields
- description: Preserve custom fields for all ECS mappings.
- type: bool
- multi: false
- default: false
- - name: processors
- type: yaml
- title: Processors
- multi: false
- required: false
- show_user: false
- description: >-
- Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
- - input: aws-s3
- title: Network Analytics logs via S3 or SQS
- description: Collect Network Analytics logs from Cloudflare.
- template_path: aws-s3.yml.hbs
- vars:
- - name: bucket_list_prefix
- type: text
- title: '[S3] Bucket Prefix'
- multi: false
- required: false
- show_user: true
- default: network_analytics_logs
- description: Prefix to apply for the list request to the S3 bucket.
- - name: interval
- type: text
- title: '[S3] Interval'
- multi: false
- required: false
- show_user: true
- default: 1m
- description: Time interval for polling listing of the S3 bucket. NOTE:- Supported units for this parameter are h/m/s.
- - name: number_of_workers
- type: integer
- title: '[S3] Number of Workers'
- multi: false
- required: false
- show_user: true
- default: 5
- description: Number of workers that will process the S3 objects listed.
- - name: visibility_timeout
- type: text
- title: '[SQS] Visibility Timeout'
- multi: false
- required: false
- show_user: true
- default: 300s
- description: The duration that the received messages are hidden from subsequent retrieve requests after being retrieved by a ReceiveMessage request. The maximum is 12 hours.
- - name: api_timeout
- type: text
- title: '[SQS] API Timeout'
- multi: false
- required: false
- show_user: true
- default: 120s
- description: The maximum duration of AWS API can take. The maximum is half of the visibility timeout value.
- - name: max_number_of_messages
- type: integer
- title: '[SQS] Maximum Concurrent SQS Messages'
- required: false
- show_user: true
- default: 5
- description: The maximum number of SQS messages that can be inflight at any time.
- - name: file_selectors
- type: yaml
- title: '[SQS] File Selectors'
- multi: false
- required: false
- show_user: false
- default: |
- - regex: 'network_analytics_logs/'
- description: If the SQS queue will have events that correspond to files that this integration shouldn’t process, file_selectors can be used to limit the files that are downloaded. This is a list of selectors which are made up of regex and expand_event_list_from_field options. The regex should match the S3 object key in the SQS message, and the optional expand_event_list_from_field is the same as the global setting. If file_selectors is given, then any global expand_event_list_from_field value is ignored in favor of the ones specified in the file_selectors. Regexes use [RE2 syntax](https://pkg.go.dev/regexp/syntax). Files that don’t match one of the regexes will not be processed.
- - name: tags
- type: text
- title: Tags
- multi: true
- required: true
- show_user: false
- default:
- - forwarded
- - cloudflare_logpush_network_analytics
- - name: preserve_original_event
- required: true
- show_user: true
- title: Preserve original event
- description: Preserves a raw copy of the original event, added to the field `event.original`.
- type: bool
- multi: false
- default: false
- - name: preserve_duplicate_custom_fields
- required: true
- show_user: true
- title: Preserve duplicate custom fields
- description: Preserve custom fields for all ECS mappings.
- type: bool
- multi: false
- default: false
- - name: processors
- type: yaml
- title: Processors
- multi: false
- required: false
- show_user: false
- description: >-
- Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
diff --git a/packages/cloudflare_logpush/0.2.1/data_stream/network_analytics/sample_event.json b/packages/cloudflare_logpush/0.2.1/data_stream/network_analytics/sample_event.json
deleted file mode 100755
index 28058d565a..0000000000
--- a/packages/cloudflare_logpush/0.2.1/data_stream/network_analytics/sample_event.json
+++ /dev/null
@@ -1,234 +0,0 @@ -{ - "@timestamp": "2021-07-27T00:01:07.000Z", - "agent": { - "ephemeral_id": "a59f9c29-2b33-4505-be1c-b7bc89c786a7", - "hostname": "docker-fleet-agent", - "id": "8539930e-8f7a-48ac-af3e-7f098b7d6ea2", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "7.17.0" - }, - "cloudflare_logpush": { - "network_analytics": { - "attack": { - "campaign": { - "id": "xyz987" - }, - "id": "abc777" - }, - "colo": { - "country": "AD", - "geo_hash": "gbuun", - "geo_location": "gbuun", - "id": 46, - "name": "SJC" - }, - "destination": { - "as": { - "number": { - "description": "asn description" - } - }, - "asn": 1900, - "country": "AD", - "geo_hash": "gbuun", - "geo_location": "gbuun", - "ip": "175.16.199.0", - "port": 0 - }, - "direction": "ingress", - "gre": { - "checksum": 10, - "ether": { - "type": 10 - }, - "header": { - "length": 1024 - }, - "key": 10, - "sequence": { - "number": 10 - }, - "version": 10 - }, - "icmp": { - "checksum": 10, - "code": 10, - "type": 10 - }, - "ip": { - "destination": { - "subnet": "/24" - }, - "fragment": { - "offset": 1480 - }, - "header": { - "length": 20 - }, - "more": { - "fragments": 1480 - }, - "protocol": { - "name": "tcp", - "value": 6 - }, - "source": { - "subnet": "/24" - }, - "total": { - "length": { - "buckets": 10, - "value": 1024 - } - }, - "ttl": { - "buckets": 2, - "value": 240 - } - }, - "ipv4": { - "checksum": 0, - "dont_fragment": 0, - "dscp": 46, - "ecn": 1, - "identification": 1, - "options": 1 - }, - "ipv6": { - "dscp": 46, - "ecn": 1, - "extension_headers": "header", - "flow_label": 1, - "identification": 1 - }, - "mitigation": { - "reason": "BLOCKED", - "scope": "local", - "system": "flowtrackd" - }, - "outcome": "success", - "protocol_state": "OPEN", - "rule": { - "id": "rule1", - "set": { - "id": "3b64149bfa6e4220bbbc2bd6db589552", - "override": { - "id": "id1" - } - } - }, - "sample_interval": 1, - "source": { - "as": { - "number": { - "description": "Source ASN Description" - } - }, - 
"asn": 1500, - "country": "AD", - "geo_hash": "gbuun", - "geo_location": "gbuun", - "ip": "67.43.156.0", - "port": 0 - }, - "tcp": { - "acknowledgement_number": 1000, - "checksum": 10, - "dataoffset": 0, - "flags": { - "string": "Human-readable flags string", - "value": 1 - }, - "mss": 512, - "options": "mss", - "sack": { - "blocks": 1, - "permitted": 1 - }, - "sequence_number": 100, - "timestamp": { - "ecr": 100, - "value": 100 - }, - "urgent_pointer": 10, - "window": { - "scale": 10, - "size": 10 - } - }, - "timestamp": "2021-07-27T00:01:07.000Z", - "udp": { - "checksum": 10, - "payload_length": 10 - }, - "verdict": "pass" - } - }, - "data_stream": { - "dataset": "cloudflare_logpush.network_analytics", - "namespace": "ep", - "type": "logs" - }, - "destination": { - "as": { - "number": 1900 - }, - "ip": "175.16.199.0", - "port": 0 - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "8539930e-8f7a-48ac-af3e-7f098b7d6ea2", - "snapshot": false, - "version": "7.17.0" - }, - "event": { - "agent_id_status": "verified", - "category": [ - "network" - ], - "dataset": "cloudflare_logpush.network_analytics", - "ingested": "2022-09-01T10:10:02Z", - "kind": "event", - "original": "{\"AttackCampaignID\":\"xyz987\",\"AttackID\":\"abc777\",\"ColoCountry\":\"AD\",\"ColoGeoHash\":\"gbuun\",\"ColoID\":46,\"ColoName\":\"SJC\",\"Datetime\":\"2021-07-27T00:01:07Z\",\"DestinationASN\":1900,\"DestinationASNDescription\":\"asn 
description\",\"DestinationCountry\":\"AD\",\"DestinationGeoHash\":\"gbuun\",\"DestinationPort\":0,\"Direction\":\"ingress\",\"GREChecksum\":10,\"GREEthertype\":10,\"GREHeaderLength\":1024,\"GREKey\":10,\"GRESequenceNumber\":10,\"GREVersion\":10,\"ICMPChecksum\":10,\"ICMPCode\":10,\"ICMPType\":10,\"IPDestinationAddress\":\"175.16.199.0\",\"IPDestinationSubnet\":\"/24\",\"IPFragmentOffset\":1480,\"IPHeaderLength\":20,\"IPMoreFragments\":1480,\"IPProtocol\":6,\"IPProtocolName\":\"tcp\",\"IPSourceAddress\":\"67.43.156.0\",\"IPSourceSubnet\":\"/24\",\"IPTotalLength\":1024,\"IPTotalLengthBuckets\":10,\"IPTtl\":240,\"IPTtlBuckets\":2,\"IPv4Checksum\":0,\"IPv4DontFragment\":0,\"IPv4Dscp\":46,\"IPv4Ecn\":1,\"IPv4Identification\":1,\"IPv4Options\":1,\"IPv6Dscp\":46,\"IPv6Ecn\":1,\"IPv6ExtensionHeaders\":\"header\",\"IPv6FlowLabel\":1,\"IPv6Identification\":1,\"MitigationReason\":\"BLOCKED\",\"MitigationScope\":\"local\",\"MitigationSystem\":\"flowtrackd\",\"Outcome\":\"pass\",\"ProtocolState\":\"OPEN\",\"RuleID\":\"rule1\",\"RulesetID\":\"3b64149bfa6e4220bbbc2bd6db589552\",\"RulesetOverrideID\":\"id1\",\"SampleInterval\":1,\"SourceASN\":1500,\"SourceASNDescription\":\"Source ASN Description\",\"SourceCountry\":\"AD\",\"SourceGeoHash\":\"gbuun\",\"SourcePort\":0,\"TCPAcknowledgementNumber\":1000,\"TCPChecksum\":10,\"TCPDataOffset\":0,\"TCPFlags\":1,\"TCPFlagsString\":\"Human-readable flags string\",\"TCPMss\":512,\"TCPOptions\":\"mss\",\"TCPSackBlocks\":1,\"TCPSacksPermitted\":1,\"TCPSequenceNumber\":100,\"TCPTimestampEcr\":100,\"TCPTimestampValue\":100,\"TCPUrgentPointer\":10,\"TCPWindowScale\":10,\"TCPWindowSize\":10,\"UDPChecksum\":10,\"UDPPayloadLength\":10,\"Verdict\":\"pass\"}", - "outcome": "success", - "type": [ - "info" - ] - }, - "input": { - "type": "http_endpoint" - }, - "network": { - "direction": "ingress", - "transport": "tcp" - }, - "related": { - "hash": [ - "gbuun" - ], - "ip": [ - "67.43.156.0", - "175.16.199.0" - ] - }, - "rule": { - "id": "rule1" - }, - 
"source": { - "as": { - "number": 1500 - }, - "ip": "67.43.156.0", - "port": 0 - }, - "tags": [ - "preserve_original_event", - "preserve_duplicate_custom_fields", - "forwarded", - "cloudflare_logpush_network_analytics" - ] -} \ No newline at end of file diff --git a/packages/cloudflare_logpush/0.2.1/data_stream/spectrum_event/agent/stream/aws-s3.yml.hbs b/packages/cloudflare_logpush/0.2.1/data_stream/spectrum_event/agent/stream/aws-s3.yml.hbs deleted file mode 100755 index 6029a860d9..0000000000 --- a/packages/cloudflare_logpush/0.2.1/data_stream/spectrum_event/agent/stream/aws-s3.yml.hbs +++ /dev/null 
@@ -1,88 +0,0 @@ -{{#if collect_s3_logs}} - -{{#if bucket_arn}} -bucket_arn: {{bucket_arn}} -{{/if}} -{{#if number_of_workers}} -number_of_workers: {{number_of_workers}} -{{/if}} -{{#if interval}} -bucket_list_interval: {{interval}} -{{/if}} -{{#if bucket_list_prefix}} -bucket_list_prefix: {{bucket_list_prefix}} -{{/if}} - -{{else}} - -{{#if queue_url}} -queue_url: {{queue_url}} -{{/if}} -{{#if visibility_timeout}} -visibility_timeout: {{visibility_timeout}} -{{/if}} -{{#if api_timeout}} -api_timeout: {{api_timeout}} -{{/if}} -{{#if max_number_of_messages}} -max_number_of_messages: {{max_number_of_messages}} -{{/if}} -{{#if file_selectors}} -file_selectors: -{{file_selectors}} -{{/if}} - -{{/if}} - -{{#if access_key_id}} -access_key_id: {{access_key_id}} -{{/if}} -{{#if secret_access_key}} -secret_access_key: {{secret_access_key}} -{{/if}} -{{#if session_token}} -session_token: {{session_token}} -{{/if}} -{{#if shared_credential_file}} -shared_credential_file: {{shared_credential_file}} -{{/if}} -{{#if credential_profile_name}} -credential_profile_name: {{credential_profile_name}} -{{/if}} -{{#if role_arn}} -role_arn: {{role_arn}} -{{/if}} -{{#if endpoint}} -endpoint: {{endpoint}} -{{/if}} -{{#if default_region}} -default_region: {{default_region}} -{{/if}} -{{#if fips_enabled}} -fips_enabled: {{fips_enabled}} -{{/if}} -{{#if proxy_url}} -proxy_url: {{proxy_url}} -{{/if}} -tags: -{{#if collect_s3_logs}} - - collect_s3_logs -{{else}} - - collect_sqs_logs -{{/if}} -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#if preserve_duplicate_custom_fields}} - - preserve_duplicate_custom_fields -{{/if}} -{{#each tags as |tag|}} - - {{tag}} -{{/each}} -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} -{{#if processors}} -processors: -{{processors}} -{{/if}} 
diff --git a/packages/cloudflare_logpush/0.2.1/data_stream/spectrum_event/agent/stream/http_endpoint.yml.hbs b/packages/cloudflare_logpush/0.2.1/data_stream/spectrum_event/agent/stream/http_endpoint.yml.hbs deleted file mode 100755 index 53229700cc..0000000000 --- a/packages/cloudflare_logpush/0.2.1/data_stream/spectrum_event/agent/stream/http_endpoint.yml.hbs +++ /dev/null @@ -1,36 +0,0 @@ -listen_address: {{listen_address}} -listen_port: {{listen_port}} -url: {{url}} -content_type: "" -{{#if secret_header}} -secret.header: {{secret_header}} -{{/if}} -{{#if secret_value}} -secret.value: {{secret_value}} -{{/if}} -{{#if preserve_original_event}} -preserve_original_event: true -{{/if}} -{{#if preserve_duplicate_custom_fields}} -preserve_duplicate_custom_fields: true -{{/if}} -tags: -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#if preserve_duplicate_custom_fields}} - - preserve_duplicate_custom_fields -{{/if}} -{{#each tags as |tag|}} - - {{tag}} -{{/each}} -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} -{{#if ssl}} -ssl: {{ssl}} -{{/if}} -{{#if processors}} -processors: -{{processors}} -{{/if}} diff --git a/packages/cloudflare_logpush/0.2.1/data_stream/spectrum_event/elasticsearch/ingest_pipeline/default.yml b/packages/cloudflare_logpush/0.2.1/data_stream/spectrum_event/elasticsearch/ingest_pipeline/default.yml deleted file mode 100755 index 3ae34a0763..0000000000 --- a/packages/cloudflare_logpush/0.2.1/data_stream/spectrum_event/elasticsearch/ingest_pipeline/default.yml +++ /dev/null 
@@ -1,390 +0,0 @@ ---- -description: Pipeline for parsing Cloudflare Spectrum Event logs. -processors: - - set: - field: ecs.version - value: '8.2.0' - - rename: - field: message - target_field: event.original - ignore_missing: true - - json: - field: event.original - target_field: json - ignore_failure: true - - set: - field: event.category - value: [network] - - set: - field: event.kind - value: event - - set: - field: event.type - value: [info] - - date: - field: json.Timestamp - if: ctx.json?.Timestamp != null && ctx.json.Timestamp != '' - formats: - - ISO8601 - - uuuu-MM-dd'T'HH:mm:ssX - - uuuu-MM-dd'T'HH:mm:ss.SSSX - - yyyy-MM-dd'T'HH:mm:ssZ - - yyyy-MM-dd'T'HH:mm:ss.SSSZ - - UNIX_MS - timezone: UTC - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - set: - field: cloudflare_logpush.spectrum_event.timestamp - copy_from: '@timestamp' - ignore_failure: true - - date: - field: json.ConnectTimestamp - if: ctx.json?.ConnectTimestamp != null && ctx.json.ConnectTimestamp != '' - formats: - - ISO8601 - - uuuu-MM-dd'T'HH:mm:ssX - - uuuu-MM-dd'T'HH:mm:ss.SSSX - - yyyy-MM-dd'T'HH:mm:ssZ - - yyyy-MM-dd'T'HH:mm:ss.SSSZ - - UNIX_MS - timezone: UTC - target_field: cloudflare_logpush.spectrum_event.connect.time - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - set: - field: event.start - copy_from: cloudflare_logpush.spectrum_event.connect.time - ignore_failure: true - - date: - field: json.DisconnectTimestamp - if: ctx.json?.DisconnectTimestamp != null && ctx.json.DisconnectTimestamp != '' - formats: - - ISO8601 - - uuuu-MM-dd'T'HH:mm:ssX - - uuuu-MM-dd'T'HH:mm:ss.SSSX - - yyyy-MM-dd'T'HH:mm:ssZ - - yyyy-MM-dd'T'HH:mm:ss.SSSZ - - UNIX_MS - timezone: UTC - target_field: cloudflare_logpush.spectrum_event.disconnect.time - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - set: - field: event.end - copy_from: 
cloudflare_logpush.spectrum_event.disconnect.time - ignore_failure: true - - rename: - field: json.Event - target_field: cloudflare_logpush.spectrum_event.action - ignore_missing: true - - set: - field: event.action - copy_from: cloudflare_logpush.spectrum_event.action - ignore_failure: true - - lowercase: - field: event.action - ignore_missing: true - - convert: - field: json.OriginBytes - target_field: cloudflare_logpush.spectrum_event.origin.bytes - if: ctx.json?.OriginBytes != '' - type: long - ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - set: - field: destination.bytes - copy_from: cloudflare_logpush.spectrum_event.origin.bytes - ignore_failure: true - - convert: - field: json.OriginIP - target_field: cloudflare_logpush.spectrum_event.origin.ip - if: ctx.json?.OriginIP != '' - type: ip - ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - set: - field: destination.ip - copy_from: cloudflare_logpush.spectrum_event.origin.ip - ignore_failure: true - - convert: - field: json.OriginPort - target_field: cloudflare_logpush.spectrum_event.origin.port - if: ctx.json?.OriginPort != '' - type: long - ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - set: - field: destination.port - copy_from: cloudflare_logpush.spectrum_event.origin.port - ignore_failure: true - - rename: - field: json.Application - target_field: cloudflare_logpush.spectrum_event.application - ignore_missing: true - - set: - field: event.id - copy_from: cloudflare_logpush.spectrum_event.application - ignore_failure: true - - convert: - field: json.Status - target_field: cloudflare_logpush.spectrum_event.status - if: ctx.json?.Status != '' - type: long - ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - set: - field: 
http.response.status_code - copy_from: cloudflare_logpush.spectrum_event.status - ignore_failure: true - - convert: - field: json.ClientAsn - target_field: cloudflare_logpush.spectrum_event.client.asn - if: ctx.json?.ClientAsn != '' - type: long - ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - set: - field: source.as.number - copy_from: cloudflare_logpush.spectrum_event.client.asn - ignore_failure: true - - convert: - field: json.ClientBytes - target_field: cloudflare_logpush.spectrum_event.client.bytes - if: ctx.json?.ClientBytes != '' - type: long - ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - set: - field: source.bytes - copy_from: cloudflare_logpush.spectrum_event.client.bytes - ignore_failure: true - - rename: - field: json.ClientCountry - target_field: cloudflare_logpush.spectrum_event.client.country - ignore_missing: true - - set: - field: source.geo.country_iso_code - copy_from: cloudflare_logpush.spectrum_event.client.country - ignore_failure: true - - convert: - field: json.ClientIP - target_field: cloudflare_logpush.spectrum_event.client.ip - if: ctx.json?.ClientIP != '' - type: ip - ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - set: - field: source.ip - copy_from: cloudflare_logpush.spectrum_event.client.ip - ignore_failure: true - - convert: - field: json.ClientPort - target_field: cloudflare_logpush.spectrum_event.client.port - if: ctx.json?.ClientPort != '' - type: long - ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - set: - field: source.port - copy_from: cloudflare_logpush.spectrum_event.client.port - ignore_failure: true - - rename: - field: json.ClientMatchedIpFirewall - target_field: cloudflare_logpush.spectrum_event.client.matched_ip_firewall - ignore_missing: 
true - - rename: - field: json.ClientProto - target_field: cloudflare_logpush.spectrum_event.client.protocol - ignore_missing: true - - set: - field: network.transport - copy_from: cloudflare_logpush.spectrum_event.client.protocol - ignore_failure: true - - lowercase: - field: network.transport - ignore_missing: true - - convert: - field: json.ClientTcpRtt - target_field: cloudflare_logpush.spectrum_event.client.tcp_rtt - if: ctx.json?.ClientTcpRtt != '' - type: long - ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - rename: - field: json.ClientTlsCipher - target_field: cloudflare_logpush.spectrum_event.client.tls.cipher - ignore_missing: true - - rename: - field: json.ClientTlsClientHelloServerName - target_field: cloudflare_logpush.spectrum_event.client.tls.client_hello_server_name - ignore_missing: true - - rename: - field: json.ClientTlsProtocol - target_field: cloudflare_logpush.spectrum_event.client.tls.protocol - ignore_missing: true - - grok: - if: ctx.json?.cloudflare_logpush?.spectrum_event?.client?.tls?.protocol != 'none' || ctx.json?.cloudflare_logpush?.spectrum_event?.client?.tls?.protocol != 'unknown' - field: cloudflare_logpush.spectrum_event.client.tls.protocol - patterns: - - "^%{DATA:tls.version_protocol}v%{DATA:tls.version}$" - ignore_failure: true - - lowercase: - field: tls.version_protocol - ignore_missing: true - - rename: - field: json.ClientTlsStatus - target_field: cloudflare_logpush.spectrum_event.client.tls.status - ignore_missing: true - - rename: - field: json.ColoCode - target_field: cloudflare_logpush.spectrum_event.colo.code - ignore_missing: true - - rename: - field: json.IpFirewall - target_field: cloudflare_logpush.spectrum_event.ip_firewall - ignore_missing: true - - rename: - field: json.OriginProto - target_field: cloudflare_logpush.spectrum_event.origin.protocol - ignore_missing: true - - convert: - field: json.OriginTcpRtt - target_field: 
cloudflare_logpush.spectrum_event.origin.tcp_rtt - if: ctx.json?.OriginTcpRtt != '' - type: long - ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - rename: - field: json.OriginTlsCipher - target_field: cloudflare_logpush.spectrum_event.origin.tls.cipher - ignore_missing: true - - rename: - field: json.OriginTlsFingerprint - target_field: cloudflare_logpush.spectrum_event.origin.tls.fingerprint - ignore_missing: true - - rename: - field: json.OriginTlsMode - target_field: cloudflare_logpush.spectrum_event.origin.tls.mode - ignore_missing: true - - rename: - field: json.OriginTlsProtocol - target_field: cloudflare_logpush.spectrum_event.origin.tls.protocol - ignore_missing: true - - rename: - field: json.OriginTlsStatus - target_field: cloudflare_logpush.spectrum_event.origin.tls.status - ignore_failure: true - - rename: - field: json.ProxyProtocol - target_field: cloudflare_logpush.spectrum_event.proxy.protocol - ignore_missing: true - - append: - field: related.ip - value: '{{{source.ip}}}' - if: ctx.source?.ip != null - allow_duplicates: false - ignore_failure: true - - append: - field: related.ip - value: '{{{cloudflare_logpush.spectrum_event.client.ip}}}' - if: ctx.cloudflare_logpush?.spectrum_event?.client?.ip != null - allow_duplicates: false - ignore_failure: true - - append: - field: related.ip - value: '{{{destination.ip}}}' - if: ctx.destination?.ip != null - allow_duplicates: false - ignore_failure: true - - append: - field: related.ip - value: '{{{cloudflare_logpush.spectrum_event.origin.ip}}}' - if: ctx.cloudflare_logpush?.spectrum_event?.origin?.ip != null - allow_duplicates: false - ignore_failure: true - - community_id: - target_field: network.community_id - ignore_failure: true - - remove: - field: json - ignore_missing: true - - remove: - field: - - cloudflare_logpush.spectrum_event.timestamp - - cloudflare_logpush.spectrum_event.origin.bytes - - 
cloudflare_logpush.spectrum_event.origin.ip - - cloudflare_logpush.spectrum_event.origin.port - - cloudflare_logpush.spectrum_event.application - - cloudflare_logpush.spectrum_event.event_action - - cloudflare_logpush.spectrum_event.status - - cloudflare_logpush.spectrum_event.client.asn - - cloudflare_logpush.spectrum_event.client.bytes - - cloudflare_logpush.spectrum_event.client.country - - cloudflare_logpush.spectrum_event.client.ip - - cloudflare_logpush.spectrum_event.client.port - if: ctx.tags == null || !(ctx.tags.contains('preserve_duplicate_custom_fields')) - ignore_failure: true - ignore_missing: true - - remove: - field: event.original - if: ctx.tags == null || !(ctx.tags.contains('preserve_original_event')) - ignore_failure: true - ignore_missing: true - - script: - description: Drops null/empty values recursively. - lang: painless - source: - boolean dropEmptyFields(Object object) { - if (object == null || object == "") { - return true; - } else if (object instanceof Map) { - ((Map) object).values().removeIf(value -> dropEmptyFields(value)); - return (((Map) object).size() == 0); - } else if (object instanceof List) { - ((List) object).removeIf(value -> dropEmptyFields(value)); - return (((List) object).length == 0); - } - return false; - } - dropEmptyFields(ctx); -on_failure: -- append: - field: error.message - value: '{{{ _ingest.on_failure_message }}}' diff --git a/packages/cloudflare_logpush/0.2.1/data_stream/spectrum_event/fields/agent.yml b/packages/cloudflare_logpush/0.2.1/data_stream/spectrum_event/fields/agent.yml deleted file mode 100755 index 73e076a93b..0000000000 --- a/packages/cloudflare_logpush/0.2.1/data_stream/spectrum_event/fields/agent.yml +++ /dev/null 
@@ -1,186 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization ID used to identify different entities in a multi-tenant environment. Examples: AWS account ID, Google Cloud ORG ID, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container ID. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host ID. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host IP addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - -- name: input.type - type: keyword - description: Input type -- name: log.offset - type: long - description: Log offset 
diff --git a/packages/cloudflare_logpush/0.2.1/data_stream/spectrum_event/fields/base-fields.yml b/packages/cloudflare_logpush/0.2.1/data_stream/spectrum_event/fields/base-fields.yml deleted file mode 100755 index 135b81f388..0000000000 --- a/packages/cloudflare_logpush/0.2.1/data_stream/spectrum_event/fields/base-fields.yml +++ /dev/null @@ -1,20 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: '@timestamp' - type: date - description: Event timestamp. -- name: event.dataset - type: constant_keyword - description: Event dataset. - value: cloudflare_logpush.spectrum_event -- name: event.module - type: constant_keyword - description: Event module. - value: cloudflare_logpush diff --git a/packages/cloudflare_logpush/0.2.1/data_stream/spectrum_event/fields/ecs.yml b/packages/cloudflare_logpush/0.2.1/data_stream/spectrum_event/fields/ecs.yml deleted file mode 100755 index 70a2286be9..0000000000 --- a/packages/cloudflare_logpush/0.2.1/data_stream/spectrum_event/fields/ecs.yml +++ /dev/null 
@@ -1,108 +0,0 @@ -- description: Bytes sent from the destination to the source. - name: destination.bytes - type: long -- description: IP address of the destination (IPv4 or IPv6). - name: destination.ip - type: ip -- description: Port of the destination. - name: destination.port - type: long -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: |- - The action captured by the event. - This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. - name: event.action - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. This will allow proper categorization of some events that fall in multiple categories. - name: event.category - normalize: - - array - type: keyword -- description: |- - event.created contains the date/time when the event was first read by an agent, or by your pipeline. - This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. - In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. 
This can be used to monitor your agent's or pipeline's ability to keep up with your event source. - In case the two timestamps are identical, @timestamp should be used. - name: event.created - type: date -- description: event.end contains the date when the event ended or when the activity was last observed. - name: event.end - type: date -- description: Unique ID to describe the event. - name: event.id - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: |- - Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. - This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. - doc_values: false - index: false - name: event.original - type: keyword -- description: event.start contains the date when the event started or when the activity was first observed. - name: event.start - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. 
- `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. This will allow proper categorization of some events that fall in multiple event types. - name: event.type - normalize: - - array - type: keyword -- description: HTTP response status code. - name: http.response.status_code - type: long -- description: |- - A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. - Learn more at https://github.com/corelight/community-id-spec. - name: network.community_id - type: keyword -- description: |- - Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) - The field value must be normalized to lowercase for querying. - name: network.transport - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - normalize: - - array - type: ip -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: source.as.number - type: long -- description: Bytes sent from the source to the destination. - name: source.bytes - type: long -- description: Country ISO code. - name: source.geo.country_iso_code - type: keyword -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: Port of the source. - name: source.port - type: long -- description: List of keywords used to tag each event. - name: tags - normalize: - - array - type: keyword -- description: Numeric part of the version parsed from the original string. - name: tls.version - type: keyword -- description: Normalized lowercase protocol name parsed from original string. - name: tls.version_protocol - type: keyword 
diff --git a/packages/cloudflare_logpush/0.2.1/data_stream/spectrum_event/fields/fields.yml b/packages/cloudflare_logpush/0.2.1/data_stream/spectrum_event/fields/fields.yml deleted file mode 100755 index ffb46304b8..0000000000 --- a/packages/cloudflare_logpush/0.2.1/data_stream/spectrum_event/fields/fields.yml +++ /dev/null 
@@ -1,123 +0,0 @@ -- name: cloudflare_logpush.spectrum_event - type: group - fields: - - name: application - type: keyword - description: The unique public ID of the application on which the event occurred. - - name: client - type: group - fields: - - name: asn - type: long - description: Client AS number. - - name: bytes - type: long - description: The number of bytes read from the client by the Spectrum service. - - name: country - type: keyword - description: Country of the client IP address. - - name: ip - type: ip - description: Client IP address. - - name: matched_ip_firewall - type: keyword - description: Whether the connection matched any IP Firewall rules. - - name: port - type: long - description: Client port. - - name: protocol - type: keyword - description: Transport protocol used by client. - - name: tcp_rtt - type: long - description: The TCP round-trip time in nanoseconds between the client and Spectrum. - - name: tls - type: group - fields: - - name: cipher - type: keyword - description: The cipher negotiated between the client and Spectrum. - - name: client_hello_server_name - type: keyword - description: The server name in the Client Hello message from client to Spectrum. - - name: protocol - type: keyword - description: The TLS version negotiated between the client and Spectrum. - - name: status - type: keyword - description: Indicates state of TLS session from the client to Spectrum. - - name: colo - type: group - fields: - - name: code - type: keyword - description: IATA airport code of data center that received the request. - - name: connect - type: group - fields: - - name: time - type: date - description: Timestamp at which both legs of the connection (client/edge, edge/origin or nexthop) were established. - - name: disconnect - type: group - fields: - - name: time - type: date - description: Timestamp at which the connection was closed. - - name: action - type: keyword - description: Event Action. 
- - name: ip_firewall - type: boolean - description: Whether IP Firewall was enabled at time of connection. - - name: origin - type: group - fields: - - name: bytes - type: long - description: The number of bytes read from the origin by Spectrum. - - name: ip - type: ip - description: Origin IP address. - - name: port - type: long - description: Origin Port. - - name: protocol - type: keyword - description: Transport protocol used by origin. - - name: tcp_rtt - type: long - description: The TCP round-trip time in nanoseconds between Spectrum and the origin. - - name: tls - type: group - fields: - - name: cipher - type: keyword - description: The cipher negotiated between Spectrum and the origin. - - name: fingerprint - type: keyword - description: SHA256 hash of origin certificate. - - name: mode - type: keyword - description: If and how the upstream connection is encrypted. - - name: protocol - type: keyword - description: The TLS version negotiated between Spectrum and the origin. - - name: status - type: keyword - description: The state of the TLS session from Spectrum to the origin. - - name: proxy - type: group - fields: - - name: protocol - type: keyword - description: Which form of proxy protocol is applied to the given connection. - - name: status - type: long - description: A code indicating reason for connection closure. - - name: timestamp - type: date - description: Timestamp at which the event took place. -- name: log.source.address - type: keyword - description: Source address from which the log event was read / sent from. diff --git a/packages/cloudflare_logpush/0.2.1/data_stream/spectrum_event/manifest.yml b/packages/cloudflare_logpush/0.2.1/data_stream/spectrum_event/manifest.yml deleted file mode 100755 index cec95a6319..0000000000 --- a/packages/cloudflare_logpush/0.2.1/data_stream/spectrum_event/manifest.yml +++ /dev/null 
@@ -1,151 +0,0 @@ -title: Collect Spectrum Event logs from Cloudflare -type: logs -streams: - - input: http_endpoint - template_path: http_endpoint.yml.hbs - title: Spectrum Event Logs - description: Collect Spectrum Event logs from Cloudflare. - vars: - - name: listen_port - type: integer - title: Listen Port - description: The port number the listener binds to. - multi: false - required: true - show_user: true - default: 9566 - - name: url - type: text - title: URL - description: This option specifies which URL path to accept requests on. Defaults to /. - multi: false - required: false - show_user: false - default: / - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: false - default: - - forwarded - - cloudflare_logpush_spectrum_event - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original`. - type: bool - multi: false - default: false - - name: preserve_duplicate_custom_fields - required: true - show_user: true - title: Preserve duplicate custom fields - description: Preserve custom fields for all ECS mappings. - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: >- - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. - - input: aws-s3 - title: Spectrum Event Logs via S3 or SQS - description: Collect Spectrum Event logs from Cloudflare. 
- template_path: aws-s3.yml.hbs - vars: - - name: bucket_list_prefix - type: text - title: '[S3] Bucket Prefix' - multi: false - required: false - show_user: true - default: spectrum_event - description: Prefix to apply for the list request to the S3 bucket. - - name: interval - type: text - title: '[S3] Interval' - multi: false - required: false - show_user: true - default: 1m - description: Time interval for polling listing of the S3 bucket. NOTE:- Supported units for this parameter are h/m/s. - - name: number_of_workers - type: integer - title: '[S3] Number of Workers' - multi: false - required: false - show_user: true - default: 5 - description: Number of workers that will process the S3 objects listed. - - name: visibility_timeout - type: text - title: '[SQS] Visibility Timeout' - multi: false - required: false - show_user: true - default: 300s - description: The duration that the received messages are hidden from subsequent retrieve requests after being retrieved by a ReceiveMessage request. The maximum is 12 hours. - - name: api_timeout - type: text - title: '[SQS] API Timeout' - multi: false - required: false - show_user: true - default: 120s - description: The maximum duration of AWS API can take. The maximum is half of the visibility timeout value. - - name: max_number_of_messages - type: integer - title: '[SQS] Maximum Concurrent SQS Messages' - required: false - show_user: true - default: 5 - description: The maximum number of SQS messages that can be inflight at any time. - - name: file_selectors - type: yaml - title: '[SQS] File Selectors' - multi: false - required: false - show_user: false - default: | - - regex: 'spectrum_event/' - description: If the SQS queue will have events that correspond to files that this integration shouldn’t process, file_selectors can be used to limit the files that are downloaded. This is a list of selectors which are made up of regex and expand_event_list_from_field options. 
The regex should match the S3 object key in the SQS message, and the optional expand_event_list_from_field is the same as the global setting. If file_selectors is given, then any global expand_event_list_from_field value is ignored in favor of the ones specified in the file_selectors. Regexes use [RE2 syntax](https://pkg.go.dev/regexp/syntax). Files that don’t match one of the regexes will not be processed. - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: false - default: - - forwarded - - cloudflare_logpush_spectrum_event - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original`. - type: bool - multi: false - default: false - - name: preserve_duplicate_custom_fields - required: true - show_user: true - title: Preserve duplicate custom fields - description: Preserve custom fields for all ECS mappings. - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: >- - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. diff --git a/packages/cloudflare_logpush/0.2.1/data_stream/spectrum_event/sample_event.json b/packages/cloudflare_logpush/0.2.1/data_stream/spectrum_event/sample_event.json deleted file mode 100755 index 4a5d3a43ef..0000000000 --- a/packages/cloudflare_logpush/0.2.1/data_stream/spectrum_event/sample_event.json +++ /dev/null 
@@ -1,132 +0,0 @@ -{ - "@timestamp": "2022-05-26T09:24:00.000Z", - "agent": { - "ephemeral_id": "34cad43e-ef45-4868-8da8-6e602991ef1a", - "hostname": "docker-fleet-agent", - "id": "8539930e-8f7a-48ac-af3e-7f098b7d6ea2", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "7.17.0" - }, - "cloudflare_logpush": { - "spectrum_event": { - "action": "connect", - "application": "7ef659a2f8ef4810a9bade96fdad7c75", - "client": { - "asn": 200391, - "bytes": 0, - "country": "bg", - "ip": "67.43.156.0", - "matched_ip_firewall": "UNKNOWN", - "port": 40456, - "protocol": "tcp", - "tcp_rtt": 0, - "tls": { - "cipher": "UNK", - "client_hello_server_name": "server name", - "protocol": "unknown", - "status": "UNKNOWN" - } - }, - "colo": { - "code": "SOF" - }, - "connect": { - "time": "2022-05-26T09:24:00.000Z" - }, - "disconnect": { - "time": "1970-01-01T00:00:00.000Z" - }, - "ip_firewall": false, - "origin": { - "bytes": 0, - "ip": "175.16.199.0", - "port": 3389, - "protocol": "tcp", - "tcp_rtt": 0, - "tls": { - "cipher": "UNK", - "fingerprint": "0000000000000000000000000000000000000000000000000000000000000000.", - "mode": "off", - "protocol": "unknown", - "status": "UNKNOWN" - } - }, - "proxy": { - "protocol": "off" - }, - "status": 0, - "timestamp": "2022-05-26T09:24:00.000Z" - } - }, - "data_stream": { - "dataset": "cloudflare_logpush.spectrum_event", - "namespace": "ep", - "type": "logs" - }, - "destination": { - "bytes": 0, - "ip": "175.16.199.0", - "port": 3389 - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "8539930e-8f7a-48ac-af3e-7f098b7d6ea2", - "snapshot": false, - "version": "7.17.0" - }, - "event": { - "action": "connect", - "agent_id_status": "verified", - "category": [ - "network" - ], - "dataset": "cloudflare_logpush.spectrum_event", - "end": "1970-01-01T00:00:00.000Z", - "id": "7ef659a2f8ef4810a9bade96fdad7c75", - "ingested": "2022-09-01T10:10:53Z", - "kind": "event", - "original": 
"{\"Application\":\"7ef659a2f8ef4810a9bade96fdad7c75\",\"ClientAsn\":200391,\"ClientBytes\":0,\"ClientCountry\":\"bg\",\"ClientIP\":\"67.43.156.0\",\"ClientMatchedIpFirewall\":\"UNKNOWN\",\"ClientPort\":40456,\"ClientProto\":\"tcp\",\"ClientTcpRtt\":0,\"ClientTlsCipher\":\"UNK\",\"ClientTlsClientHelloServerName\":\"server name\",\"ClientTlsProtocol\":\"unknown\",\"ClientTlsStatus\":\"UNKNOWN\",\"ColoCode\":\"SOF\",\"ConnectTimestamp\":\"2022-05-26T09:24:00Z\",\"DisconnectTimestamp\":\"1970-01-01T00:00:00Z\",\"Event\":\"connect\",\"IpFirewall\":false,\"OriginBytes\":0,\"OriginIP\":\"175.16.199.0\",\"OriginPort\":3389,\"OriginProto\":\"tcp\",\"OriginTcpRtt\":0,\"OriginTlsCipher\":\"UNK\",\"OriginTlsFingerprint\":\"0000000000000000000000000000000000000000000000000000000000000000.\",\"OriginTlsMode\":\"off\",\"OriginTlsProtocol\":\"unknown\",\"OriginTlsStatus\":\"UNKNOWN\",\"ProxyProtocol\":\"off\",\"Status\":0,\"Timestamp\":\"2022-05-26T09:24:00Z\"}", - "start": "2022-05-26T09:24:00.000Z", - "type": [ - "info" - ] - }, - "http": { - "response": { - "status_code": 0 - } - }, - "input": { - "type": "http_endpoint" - }, - "network": { - "community_id": "1:X7lywUVKlduqRq5SyCRaBj4hLP0=", - "transport": "tcp" - }, - "related": { - "ip": [ - "67.43.156.0", - "175.16.199.0" - ] - }, - "source": { - "as": { - "number": 200391 - }, - "bytes": 0, - "geo": { - "country_iso_code": "bg" - }, - "ip": "67.43.156.0", - "port": 40456 - }, - "tags": [ - "preserve_original_event", - "preserve_duplicate_custom_fields", - "forwarded", - "cloudflare_logpush_spectrum_event" - ] -} \ No newline at end of file diff --git a/packages/cloudflare_logpush/0.2.1/docs/README.md b/packages/cloudflare_logpush/0.2.1/docs/README.md deleted file mode 100755 index 6432c30c12..0000000000 --- a/packages/cloudflare_logpush/0.2.1/docs/README.md +++ /dev/null 
@@ -1,1942 +0,0 @@ -# Cloudflare Logpush - -## Overview - -The [Cloudflare Logpush](https://www.cloudflare.com/) integration allows you to monitor Audit, DNS, Firewall Event, HTTP Request, NEL Report, Network Analytics and Spectrum Event Logs. Cloudflare is a content delivery network and DDoS mitigation company. Cloudflare provides a network designed to make everything you connect to the Internet secure, private, fast, and reliable; secure your websites, APIs, and Internet applications; protect corporate networks, employees, and devices; and write and deploy code that runs on the network edge. - -The Cloudflare Logpush integration can be used in three different modes to collect data: -- HTTP Endpoint mode - Cloudflare pushes logs directly to an HTTP endpoint hosted by your Elastic Agent. -- AWS S3 polling mode - Cloudflare writes data to S3 and Elastic Agent polls the S3 bucket by listing its contents and reading new files. -- AWS S3 SQS mode - Cloudflare writes data to S3, S3 pushes a new object notification to SQS, Elastic Agent receives the notification from SQS, and then reads the S3 object. Multiple Agents can be used in this mode. - -For example, you could use the data from this integration to know which websites have the highest traffic, which areas have the highest network traffic, or observe mitigation statistics. - -## Data streams - -The Cloudflare Logpush integration collects logs for seven types of events: Audit, DNS, Firewall Event, HTTP Request, NEL Report, Network Analytics, and Spectrum Event. - -**Audit**: See Example Schema [here](https://developers.cloudflare.com/logs/reference/log-fields/account/audit_logs/). - -**DNS**: See Example Schema [here](https://developers.cloudflare.com/logs/reference/log-fields/zone/dns_logs/). - -**Firewall Event**: See Example Schema [here](https://developers.cloudflare.com/logs/reference/log-fields/zone/firewall_events/). 
- -**HTTP Request**: See Example Schema [here](https://developers.cloudflare.com/logs/reference/log-fields/zone/http_requests/). - -**NEL Report**: See Example Schema [here](https://developers.cloudflare.com/logs/reference/log-fields/zone/nel_reports/). - -**Network Analytics**: See Example Schema [here](https://developers.cloudflare.com/logs/reference/log-fields/account/network_analytics_logs/). - -**Spectrum Event**: See Example Schema [here](https://developers.cloudflare.com/logs/reference/log-fields/zone/spectrum_events/). - -## Requirements - -You need Elasticsearch for storing and searching your data and Kibana for visualizing and managing it. You can use our hosted Elasticsearch Service on Elastic Cloud, which is recommended, or self-manage the Elastic Stack on your own hardware. - -This module has been tested against **Cloudflare version v4**. - -**Note**: It is recommended to use AWS SQS for Cloudflare Logpush. - -## Setup - -### To collect data from AWS S3 Bucket, follow the below steps: -- Configure the [Data Forwarder](https://developers.cloudflare.com/logs/get-started/enable-destinations/aws-s3/) to ingest data into an AWS S3 bucket. -- The default value of the "Bucket List Prefix" is listed below. However, the user can set the parameter "Bucket List Prefix" according to the requirement. - - | Data Stream Name | Bucket List Prefix | - | ----------------- | ---------------------- | - | Audit Logs | audit_logs | - | DNS | dns | - | Firewall Event | firewall_event | - | HTTP Request | http_request | - | NEL Report | nel_report | - | Network Analytics | network_analytics_logs | - | Spectrum Event | spectrum_event | - -### To collect data from AWS SQS, follow the below steps: -1. If data forwarding to an AWS S3 Bucket hasn't been configured, then first setup an AWS S3 Bucket as mentioned in the above documentation. -2. 
To setup an SQS queue, follow "Step 1: Create an Amazon SQS queue" mentioned in the [Documentation](https://docs.aws.amazon.com/AmazonS3/latest/userguide/ways-to-add-notification-config-to-bucket.html). - - While creating an SQS Queue, please provide the same bucket ARN that has been generated after creating an AWS S3 Bucket. -3. Setup event notification for an S3 bucket. Follow this [Link](https://docs.aws.amazon.com/AmazonS3/latest/userguide/enable-event-notifications.html). - - The user has to perform Step 3 for all the data-streams individually, and each time prefix parameter should be set the same as the S3 Bucket List Prefix as created earlier. (for example, `audit_logs/` for audit data stream.) - - For all the event notifications that have been created, select the event type as s3:ObjectCreated:*, select the destination type SQS Queue, and select the queue that has been created in Step 2. - -**Note**: - - Credentials for the above AWS S3 and SQS input types should be configured using the [link](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-aws-s3.html#aws-credentials-config). - - Data collection via AWS S3 Bucket and AWS SQS are mutually exclusive in this case. - -### To collect data from the Cloudflare HTTP Endpoint, follow the below steps: -- Reference link to [Enable HTTP destination](https://developers.cloudflare.com/logs/get-started/enable-destinations/http/) for Cloudflare Logpush. -- Add same custom header along with its value on both the side for additional security. 
-- For example, while creating a job along with a header and value for a particular dataset: -``` -curl --location --request POST 'https://api.cloudflare.com/client/v4/zones//logpush/jobs' \ ---header 'X-Auth-Key: ' \ ---header 'X-Auth-Email: ' \ ---header 'Authorization: ' \ ---header 'Content-Type: application/json' \ ---data-raw '{ - "name":"", - "destination_conf": "https://:?header_=", - "dataset": "http_requests", - "logpull_options": "fields=RayID,EdgeStartTimestamp×tamps=rfc3339" -}' -``` - -### Enabling the integration in Elastic -1. In Kibana, go to Management > Integrations -2. In the integrations search bar type **Cloudflare Logpush**. -3. Click the **Cloudflare Logpush** integration from the search results. -4. Click the **Add Cloudflare Logpush** button to add Cloudflare Logpush integration. -5. Enable the Integration with the HTTP Endpoint or AWS S3 input. -6. Under the AWS S3 input, there are two types of inputs: using AWS S3 Bucket or using SQS. -7. Configure Cloudflare to send logs to the Elastic Agent. - -## Logs reference - -### audit - -This is the `audit` dataset. 
-Default port for HTTP Endpoint: _9560_ - -#### Example - -An example event for `audit` looks as following: - -```json -{ - "@timestamp": "2021-11-30T20:19:48.000Z", - "agent": { - "ephemeral_id": "3605deda-1943-40cf-9ba2-a5d591fead25", - "hostname": "docker-fleet-agent", - "id": "8539930e-8f7a-48ac-af3e-7f098b7d6ea2", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "7.17.0" - }, - "cloudflare_logpush": { - "audit": { - "action": { - "result": "success", - "type": "token_create" - }, - "actor": { - "email": "user@example.com", - "id": "enl3j9du8rnx2swwd9l32qots7l54t9s", - "ip": "81.2.69.142", - "type": "user" - }, - "id": "73fd39ed-5aab-4a2a-b93c-c9a4abf0c425", - "interface": "UI", - "metadata": { - "token_name": "test", - "token_tag": "b7261c49a793a82678d12285f0bc1401" - }, - "new_value": { - "key1": "value1", - "key2": "value2" - }, - "old_value": { - "key3": "value4", - "key4": "value4" - }, - "owner": { - "id": "enl3j9du8rnx2swwd9l32qots7l54t9s" - }, - "resource": { - "id": "enl3j9du8rnx2swwd9l32qots7l54t9s", - "type": "account" - }, - "timestamp": "2021-11-30T20:19:48.000Z" - } - }, - "data_stream": { - "dataset": "cloudflare_logpush.audit", - "namespace": "ep", - "type": "logs" - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "8539930e-8f7a-48ac-af3e-7f098b7d6ea2", - "snapshot": false, - "version": "7.17.0" - }, - "event": { - "action": "token_create", - "agent_id_status": "verified", - "category": [ - "authentication" - ], - "dataset": "cloudflare_logpush.audit", - "id": "73fd39ed-5aab-4a2a-b93c-c9a4abf0c425", - "ingested": "2022-09-01T10:05:51Z", - "kind": "event", - "original": 
"{\"ActionResult\":true,\"ActionType\":\"token_create\",\"ActorEmail\":\"user@example.com\",\"ActorID\":\"enl3j9du8rnx2swwd9l32qots7l54t9s\",\"ActorIP\":\"81.2.69.142\",\"ActorType\":\"user\",\"ID\":\"73fd39ed-5aab-4a2a-b93c-c9a4abf0c425\",\"Interface\":\"UI\",\"Metadata\":{\"token_name\":\"test\",\"token_tag\":\"b7261c49a793a82678d12285f0bc1401\"},\"NewValue\":{\"key1\":\"value1\",\"key2\":\"value2\"},\"OldValue\":{\"key3\":\"value4\",\"key4\":\"value4\"},\"OwnerID\":\"enl3j9du8rnx2swwd9l32qots7l54t9s\",\"ResourceID\":\"enl3j9du8rnx2swwd9l32qots7l54t9s\",\"ResourceType\":\"account\",\"When\":\"2021-11-30T20:19:48Z\"}", - "outcome": "success", - "provider": "UI", - "type": [ - "info" - ] - }, - "input": { - "type": "http_endpoint" - }, - "related": { - "ip": [ - "81.2.69.142" - ], - "user": [ - "enl3j9du8rnx2swwd9l32qots7l54t9s" - ] - }, - "source": { - "ip": "81.2.69.142" - }, - "tags": [ - "preserve_original_event", - "preserve_duplicate_custom_fields", - "forwarded", - "cloudflare_logpush_audit" - ], - "user": { - "email": "user@example.com", - "id": "enl3j9du8rnx2swwd9l32qots7l54t9s" - } -} -``` - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization ID used to identify different entities in a multi-tenant environment. Examples: AWS account ID, Google Cloud ORG ID, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. 
| keyword | -| cloud.region | Region in which this host is running. | keyword | -| cloudflare_logpush.audit.action.result | Whether the action was successful. | keyword | -| cloudflare_logpush.audit.action.type | Type of action taken. | keyword | -| cloudflare_logpush.audit.actor.email | Email of the actor. | keyword | -| cloudflare_logpush.audit.actor.id | Unique identifier of the actor in Cloudflare system. | keyword | -| cloudflare_logpush.audit.actor.ip | Physical network address of the actor. | ip | -| cloudflare_logpush.audit.actor.type | Type of user that started the audit trail. | keyword | -| cloudflare_logpush.audit.id | Unique identifier of an audit log. | keyword | -| cloudflare_logpush.audit.interface | Entry point or interface of the audit log. | text | -| cloudflare_logpush.audit.metadata | Additional audit log-specific information, Metadata is organized in key:value pairs, Key and Value formats can vary by ResourceType. | flattened | -| cloudflare_logpush.audit.new_value | Contains the new value for the audited item. | flattened | -| cloudflare_logpush.audit.old_value | Contains the old value for the audited item. | flattened | -| cloudflare_logpush.audit.owner.id | The identifier of the user that was acting or was acted on behalf of. | keyword | -| cloudflare_logpush.audit.resource.id | Unique identifier of the resource within Cloudflare system. | keyword | -| cloudflare_logpush.audit.resource.type | The type of resource that was changed. | keyword | -| cloudflare_logpush.audit.timestamp | When the change happened. | date | -| container.id | Unique container ID. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. 
| constant_keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | -| event.dataset | Event dataset. | constant_keyword | -| event.id | Unique ID to describe the event. | keyword | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. 
`event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | -| event.module | Event module. | constant_keyword | -| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | -| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | -| event.provider | Source of the event. 
Event transports such as Syslog or the Windows Event Log typically mention the source of an event. It can be the name of the software that generated the event (e.g. Sysmon, httpd), or of a subsystem of the operating system (kernel, Microsoft-Windows-Security-Auditing). | keyword | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host ID. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host IP addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. 
| keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| input.type | Input type | keyword | -| log.offset | Log offset | long | -| log.source.address | Source address from which the log event was read / sent from. | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| related.user | All the user names or other user identifiers seen on the event. | keyword | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| tags | List of keywords used to tag each event. | keyword | -| user.email | User email address. | keyword | -| user.id | Unique identifier of the user. | keyword | - - -### dns - -This is the `dns` dataset. 
-Default port for HTTP Endpoint: _9561_ - -#### Example - -An example event for `dns` looks as following: - -```json -{ - "@timestamp": "2022-05-26T09:23:54.000Z", - "agent": { - "ephemeral_id": "5a08ea07-7e13-4f10-8bfa-5707606de846", - "hostname": "docker-fleet-agent", - "id": "8539930e-8f7a-48ac-af3e-7f098b7d6ea2", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "7.17.0" - }, - "cloudflare_logpush": { - "dns": { - "colo": { - "code": "MRS" - }, - "edns": { - "subnet": "1.128.0.0", - "subnet_length": 0 - }, - "query": { - "name": "example.com", - "type": 65535 - }, - "response": { - "cached": false, - "code": 0 - }, - "source": { - "ip": "175.16.199.0" - }, - "timestamp": "2022-05-26T09:23:54.000Z" - } - }, - "data_stream": { - "dataset": "cloudflare_logpush.dns", - "namespace": "ep", - "type": "logs" - }, - "dns": { - "question": { - "name": "example.com" - } - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "8539930e-8f7a-48ac-af3e-7f098b7d6ea2", - "snapshot": false, - "version": "7.17.0" - }, - "event": { - "agent_id_status": "verified", - "category": [ - "network" - ], - "dataset": "cloudflare_logpush.dns", - "ingested": "2022-09-01T10:06:44Z", - "kind": "event", - "original": "{\"ColoCode\":\"MRS\",\"EDNSSubnet\":\"1.128.0.0\",\"EDNSSubnetLength\":0,\"QueryName\":\"example.com\",\"QueryType\":65535,\"ResponseCached\":false,\"ResponseCode\":0,\"SourceIP\":\"175.16.199.0\",\"Timestamp\":\"2022-05-26T09:23:54Z\"}", - "type": [ - "info" - ] - }, - "input": { - "type": "http_endpoint" - }, - "related": { - "ip": [ - "175.16.199.0", - "1.128.0.0" - ] - }, - "source": { - "ip": "175.16.199.0" - }, - "tags": [ - "preserve_original_event", - "preserve_duplicate_custom_fields", - "forwarded", - "cloudflare_logpush_dns" - ] -} -``` - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. 
| date | -| cloud.account.id | The cloud account or organization ID used to identify different entities in a multi-tenant environment. Examples: AWS account ID, Google Cloud ORG ID, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| cloudflare_logpush.dns.colo.code | IATA airport code of data center that received the request. | keyword | -| cloudflare_logpush.dns.edns.subnet | EDNS Client Subnet (IPv4 or IPv6). | ip | -| cloudflare_logpush.dns.edns.subnet_length | EDNS Client Subnet length. | long | -| cloudflare_logpush.dns.query.name | Name of the query that was sent. | keyword | -| cloudflare_logpush.dns.query.type | Integer value of query type. | long | -| cloudflare_logpush.dns.response.cached | Whether the response was cached or not. | boolean | -| cloudflare_logpush.dns.response.code | Integer value of response code. | long | -| cloudflare_logpush.dns.source.ip | IP address of the client (IPv4 or IPv6). | ip | -| cloudflare_logpush.dns.timestamp | Timestamp at which the query occurred. | date | -| container.id | Unique container ID. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. 
| constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| dns.question.name | The name being queried. If the name field contains non-printable characters (below 32 or above 126), those characters should be represented as escaped base 10 integers (\DDD). Back slashes and quotes should be escaped. Tabs, carriage returns, and line feeds should be converted to \t, \r, and \n respectively. | keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | -| event.dataset | Event dataset. 
| constant_keyword | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | -| event.module | Event module. | constant_keyword | -| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. 
It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host ID. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host IP addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| input.type | Input type | keyword | -| log.offset | Log offset | long | -| log.source.address | Source address from which the log event was read / sent from. | keyword | -| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| tags | List of keywords used to tag each event. | keyword | - - -### firewall_event - -This is the `firewall_event` dataset. 
-Default port for HTTP Endpoint: _9562_ - -#### Example - -An example event for `firewall_event` looks as following: - -```json -{ - "@timestamp": "2022-05-31T05:23:43.000Z", - "agent": { - "ephemeral_id": "75919903-db61-44c5-8c6c-9829fcfbd280", - "hostname": "docker-fleet-agent", - "id": "8539930e-8f7a-48ac-af3e-7f098b7d6ea2", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "7.17.0" - }, - "cloudflare_logpush": { - "firewall_event": { - "action": "block", - "client": { - "asn": { - "description": "CLOUDFLARENET", - "value": 15169 - }, - "country": "us", - "ip": "175.16.199.0", - "ip_class": "searchEngine", - "referer": { - "host": "abc.example.com", - "path": "/abc/checkout", - "query": "?sourcerer=(default%3A(id%3A!n%2CselectedPatterns%3A!(eqldemo%2C%27logs-endpoint.*-eqldemo%27%2C%27logs-system.*-eqldemo%27%2C%27logs-windows.*-eqldemo%27%2Cmetricseqldemo)))\u0026timerange=(global%3A(linkTo%3A!()%2Ctimerange%3A(from%3A%272022-04-05T00%3A00%3A01.199Z%27%2CfromStr%3Anow-24h%2Ckind%3Arelative%2Cto%3A%272022-04-06T00%3A00%3A01.200Z%27%2CtoStr%3Anow))%2Ctimeline%3A(linkTo%3A!()%2Ctimerange%3A(from%3A%272022-04-05T00%3A00%3A01.201Z%27%2CfromStr%3Anow-24h%2Ckind%3Arelative%2Cto%3A%272022-04-06T00%3A00%3A01.202Z%27%2CtoStr%3Anow)))", - "scheme": "referer URL scheme" - }, - "request": { - "host": "xyz.example.com", - "method": "GET", - "path": "/abc/checkout", - "protocol": "HTTP/1.1", - "query": "?sourcerer=(default%3A(id%3A!n%2CselectedPatterns%3A!(eqldemo%2C%27logs-endpoint.*-eqldemo%27%2C%27logs-system.*-eqldemo%27%2C%27logs-windows.*-eqldemo%27%2Cmetricseqldemo)))\u0026timerange=(global%3A(linkTo%3A!()%2Ctimerange%3A(from%3A%272022-04-05T00%3A00%3A01.199Z%27%2CfromStr%3Anow-24h%2Ckind%3Arelative%2Cto%3A%272022-04-06T00%3A00%3A01.200Z%27%2CtoStr%3Anow))%2Ctimeline%3A(linkTo%3A!()%2Ctimerange%3A(from%3A%272022-04-05T00%3A00%3A01.201Z%27%2CfromStr%3Anow-24h%2Ckind%3Arelative%2Cto%3A%272022-04-06T00%3A00%3A01.202Z%27%2CtoStr%3Anow)))", - "scheme": 
"https", - "user": { - "agent": "Mozilla/5.0 (Linux; Android 6.0.1; Nexus 5X Build/MMB29P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.64 Mobile Safari/537.36 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)" - } - } - }, - "edge": { - "colo": { - "code": "IAD" - }, - "response": { - "status": 403 - } - }, - "kind": "firewall", - "match_index": 1, - "meta_data": { - "filter": "1ced07e066a34abf8b14f2a99593bc8d", - "type": "customer" - }, - "origin": { - "ray": { - "id": "00" - }, - "response": { - "status": 0 - } - }, - "ray": { - "id": "713d477539b55c29" - }, - "rule": { - "id": "7dc666e026974dab84884c73b3e2afe1" - }, - "source": "firewallrules", - "timestamp": "2022-05-31T05:23:43.000Z" - } - }, - "data_stream": { - "dataset": "cloudflare_logpush.firewall_event", - "namespace": "ep", - "type": "logs" - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "8539930e-8f7a-48ac-af3e-7f098b7d6ea2", - "snapshot": false, - "version": "7.17.0" - }, - "event": { - "action": "block", - "agent_id_status": "verified", - "category": [ - "network" - ], - "dataset": "cloudflare_logpush.firewall_event", - "ingested": "2022-09-01T10:07:34Z", - "kind": "event", - "original": 
"{\"Action\":\"block\",\"ClientASN\":15169,\"ClientASNDescription\":\"CLOUDFLARENET\",\"ClientCountry\":\"us\",\"ClientIP\":\"175.16.199.0\",\"ClientIPClass\":\"searchEngine\",\"ClientRefererHost\":\"abc.example.com\",\"ClientRefererPath\":\"/abc/checkout\",\"ClientRefererQuery\":\"?sourcerer=(default%3A(id%3A!n%2CselectedPatterns%3A!(eqldemo%2C%27logs-endpoint.*-eqldemo%27%2C%27logs-system.*-eqldemo%27%2C%27logs-windows.*-eqldemo%27%2Cmetricseqldemo)))\\u0026timerange=(global%3A(linkTo%3A!()%2Ctimerange%3A(from%3A%272022-04-05T00%3A00%3A01.199Z%27%2CfromStr%3Anow-24h%2Ckind%3Arelative%2Cto%3A%272022-04-06T00%3A00%3A01.200Z%27%2CtoStr%3Anow))%2Ctimeline%3A(linkTo%3A!()%2Ctimerange%3A(from%3A%272022-04-05T00%3A00%3A01.201Z%27%2CfromStr%3Anow-24h%2Ckind%3Arelative%2Cto%3A%272022-04-06T00%3A00%3A01.202Z%27%2CtoStr%3Anow)))\",\"ClientRefererScheme\":\"referer URL scheme\",\"ClientRequestHost\":\"xyz.example.com\",\"ClientRequestMethod\":\"GET\",\"ClientRequestPath\":\"/abc/checkout\",\"ClientRequestProtocol\":\"HTTP/1.1\",\"ClientRequestQuery\":\"?sourcerer=(default%3A(id%3A!n%2CselectedPatterns%3A!(eqldemo%2C%27logs-endpoint.*-eqldemo%27%2C%27logs-system.*-eqldemo%27%2C%27logs-windows.*-eqldemo%27%2Cmetricseqldemo)))\\u0026timerange=(global%3A(linkTo%3A!()%2Ctimerange%3A(from%3A%272022-04-05T00%3A00%3A01.199Z%27%2CfromStr%3Anow-24h%2Ckind%3Arelative%2Cto%3A%272022-04-06T00%3A00%3A01.200Z%27%2CtoStr%3Anow))%2Ctimeline%3A(linkTo%3A!()%2Ctimerange%3A(from%3A%272022-04-05T00%3A00%3A01.201Z%27%2CfromStr%3Anow-24h%2Ckind%3Arelative%2Cto%3A%272022-04-06T00%3A00%3A01.202Z%27%2CtoStr%3Anow)))\",\"ClientRequestScheme\":\"https\",\"ClientRequestUserAgent\":\"Mozilla/5.0 (Linux; Android 6.0.1; Nexus 5X Build/MMB29P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.64 Mobile Safari/537.36 (compatible; Googlebot/2.1; 
+http://www.google.com/bot.html)\",\"Datetime\":\"2022-05-31T05:23:43Z\",\"EdgeColoCode\":\"IAD\",\"EdgeResponseStatus\":403,\"Kind\":\"firewall\",\"MatchIndex\":1,\"Metadata\":{\"filter\":\"1ced07e066a34abf8b14f2a99593bc8d\",\"type\":\"customer\"},\"OriginResponseStatus\":0,\"OriginatorRayID\":\"00\",\"RayID\":\"713d477539b55c29\",\"RuleID\":\"7dc666e026974dab84884c73b3e2afe1\",\"Source\":\"firewallrules\"}", - "type": [ - "info" - ] - }, - "http": { - "request": { - "method": "GET" - }, - "response": { - "status_code": 403 - }, - "version": "1.1" - }, - "input": { - "type": "http_endpoint" - }, - "network": { - "protocol": "http" - }, - "related": { - "hosts": [ - "abc.example.com", - "xyz.example.com" - ], - "ip": [ - "175.16.199.0" - ] - }, - "rule": { - "id": "7dc666e026974dab84884c73b3e2afe1" - }, - "source": { - "as": { - "number": 15169 - }, - "geo": { - "country_iso_code": "us" - }, - "ip": "175.16.199.0" - }, - "tags": [ - "preserve_original_event", - "preserve_duplicate_custom_fields", - "forwarded", - "cloudflare_logpush_firewall_event" - ], - "url": { - "scheme": "https" - }, - "user_agent": { - "device": { - "name": "Spider" - }, - "name": "Googlebot", - "original": "Mozilla/5.0 (Linux; Android 6.0.1; Nexus 5X Build/MMB29P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.64 Mobile Safari/537.36 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)", - "os": { - "full": "Android 6.0.1", - "name": "Android", - "version": "6.0.1" - }, - "version": "2.1" - } -} -``` - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization ID used to identify different entities in a multi-tenant environment. Examples: AWS account ID, Google Cloud ORG ID, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. 
| keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| cloudflare_logpush.firewall_event.action | The code of the first-class action the Cloudflare Firewall took on this request. | keyword | -| cloudflare_logpush.firewall_event.client.asn.description | The ASN of the visitor as string. | keyword | -| cloudflare_logpush.firewall_event.client.asn.value | The ASN number of the visitor. | long | -| cloudflare_logpush.firewall_event.client.country | Country from which request originated. | keyword | -| cloudflare_logpush.firewall_event.client.ip | The visitor IP address (IPv4 or IPv6). | ip | -| cloudflare_logpush.firewall_event.client.ip_class | The classification of the visitor IP address, possible values are:- 'unknown', 'badHost', 'searchEngine', 'allowlist', 'monitoringService', 'noRecord', 'scan' and 'tor'. | keyword | -| cloudflare_logpush.firewall_event.client.referer.host | The referer host. | keyword | -| cloudflare_logpush.firewall_event.client.referer.path | The referer path requested by visitor. | text | -| cloudflare_logpush.firewall_event.client.referer.query | The referer query-string was requested by the visitor. | keyword | -| cloudflare_logpush.firewall_event.client.referer.scheme | The referer URL scheme requested by the visitor. | text | -| cloudflare_logpush.firewall_event.client.request.host | The HTTP hostname requested by the visitor. | keyword | -| cloudflare_logpush.firewall_event.client.request.method | The HTTP method used by the visitor. 
| keyword | -| cloudflare_logpush.firewall_event.client.request.path | The path requested by visitor. | text | -| cloudflare_logpush.firewall_event.client.request.protocol | The version of HTTP protocol requested by the visitor. | keyword | -| cloudflare_logpush.firewall_event.client.request.query | The query-string was requested by the visitor. | keyword | -| cloudflare_logpush.firewall_event.client.request.scheme | The URL scheme requested by the visitor. | text | -| cloudflare_logpush.firewall_event.client.request.user.agent | Visitor's user-agent string. | text | -| cloudflare_logpush.firewall_event.edge.colo.code | The airport code of the Cloudflare datacenter that served this request. | keyword | -| cloudflare_logpush.firewall_event.edge.response.status | HTTP response status code returned to browser. | long | -| cloudflare_logpush.firewall_event.kind | The kind of event, currently only possible values are. | keyword | -| cloudflare_logpush.firewall_event.match_index | Rules match index in the chain. | long | -| cloudflare_logpush.firewall_event.meta_data | Additional product-specific information. | flattened | -| cloudflare_logpush.firewall_event.origin.ray.id | HTTP origin response status code returned to browser. | keyword | -| cloudflare_logpush.firewall_event.origin.response.status | The RayID of the request that issued the challenge/jschallenge. | long | -| cloudflare_logpush.firewall_event.ray.id | The RayID of the request. | keyword | -| cloudflare_logpush.firewall_event.rule.id | The Cloudflare security product-specific RuleID triggered by this request. | keyword | -| cloudflare_logpush.firewall_event.source | The Cloudflare security product triggered by this request. | keyword | -| cloudflare_logpush.firewall_event.timestamp | The date and time the event occurred at the edge. | date | -| container.id | Unique container ID. | keyword | -| container.image.name | Name of the image the container was built on. 
| keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. 
| date | -| event.dataset | Event dataset. | constant_keyword | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | -| event.module | Event module. | constant_keyword | -| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. 
| keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host ID. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host IP addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| http.request.method | HTTP request method. The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field. | keyword | -| http.response.status_code | HTTP response status code. | long | -| http.version | HTTP version. | keyword | -| input.type | Input type | keyword | -| log.offset | Log offset | long | -| log.source.address | Source address from which the log event was read / sent from. | keyword | -| network.protocol | In the OSI Model this would be the Application Layer protocol. 
For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword | -| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| rule.id | A rule ID that is unique within the scope of an agent, observer, or other entity using the rule for detection of this event. | keyword | -| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| source.geo.country_iso_code | Country ISO code. | keyword | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| tags | List of keywords used to tag each event. | keyword | -| url.scheme | Scheme of the request, such as "https". Note: The `:` is not part of the scheme. | keyword | -| user_agent.device.name | Name of the device. | keyword | -| user_agent.name | Name of the user agent. | keyword | -| user_agent.original | Unparsed user_agent string. | keyword | -| user_agent.original.text | Multi-field of `user_agent.original`. | match_only_text | -| user_agent.os.full | Operating system name, including the version or code name. | keyword | -| user_agent.os.full.text | Multi-field of `user_agent.os.full`. | match_only_text | -| user_agent.os.name | Operating system name, without the version. | keyword | -| user_agent.os.name.text | Multi-field of `user_agent.os.name`. | match_only_text | -| user_agent.os.version | Operating system version as a raw string. | keyword | -| user_agent.version | Version of the user agent. | keyword | - - -### http_request - -This is the `http_request` dataset. 
-Default port for HTTP Endpoint: _9563_ - -#### Example - -An example event for `http_request` looks as following: - -```json -{ - "@timestamp": "2022-09-01T10:08:19.901Z", - "agent": { - "ephemeral_id": "799a05d5-4523-4df3-8588-0a26bce74843", - "hostname": "docker-fleet-agent", - "id": "8539930e-8f7a-48ac-af3e-7f098b7d6ea2", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "7.17.0" - }, - "cloudflare_logpush": { - "http_request": { - "bot": { - "score": { - "src": "Verified Bot", - "value": 20 - }, - "tag": "bing" - }, - "cache": { - "response": { - "bytes": 983828, - "status": 200 - }, - "status": "dynamic", - "tiered_fill": false - }, - "client": { - "asn": 43766, - "country": "sa", - "device": { - "type": "desktop" - }, - "ip": "175.16.199.0", - "ip_class": "noRecord", - "mtls": { - "auth": { - "fingerprint": "Fingerprint", - "status": "unknown" - } - }, - "request": { - "bytes": 5800, - "host": "xyz.example.com", - "method": "POST", - "path": "/xyz/checkout", - "protocol": "HTTP/1.1", - "referer": "https://example.com/s/example/default?sourcerer=(default:(id:!n,selectedPatterns:!(example,%27logs-endpoint.*-example%27,%27logs-system.*-example%27,%27logs-windows.*-example%27)))\u0026timerange=(global:(linkTo:!(),timerange:(from:%272022-05-16T06:26:36.340Z%27,fromStr:now-24h,kind:relative,to:%272022-05-17T06:26:36.340Z%27,toStr:now)),timeline:(linkTo:!(),timerange:(from:%272022-04-17T22:00:00.000Z%27,kind:absolute,to:%272022-04-18T21:59:59.999Z%27)))\u0026timeline=(activeTab:notes,graphEventId:%27%27,id:%279844bdd4-4dd6-5b22-ab40-3cd46fce8d6b%27,isOpen:!t)", - "scheme": "https", - "source": "edgeWorkerFetch", - "uri": "/s/example/api/telemetry/v2/clusters/_stats", - "user": { - "agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36" - } - }, - "src": { - "port": 0 - }, - "ssl": { - "cipher": "NONE", - "protocol": "TLSv1.2" - }, - "tcp_rtt": { - "ms": 0 - }, - 
"xrequested_with": "Request With" - }, - "cookies": { - "key": "value" - }, - "edge": { - "cf_connecting_o2o": false, - "colo": { - "code": "RUH", - "id": 339 - }, - "end_time": "2022-05-25T13:25:32.000Z", - "pathing": { - "op": "wl", - "src": "macro", - "status": "nr" - }, - "rate": { - "limit": { - "action": "unknown", - "id": 0 - } - }, - "request": { - "host": "abc.example.com" - }, - "response": { - "body_bytes": 980397, - "bytes": 981308, - "compression_ratio": 0, - "content_type": "application/json", - "status": 200 - }, - "server": { - "ip": "1.128.0.0" - }, - "start_time": "2022-05-25T13:25:26.000Z", - "time_to_first_byte": { - "ms": 5333 - } - }, - "origin": { - "dns_response_time": { - "ms": 3 - }, - "ip": "67.43.156.0", - "request_header_send_duration": { - "ms": 0 - }, - "response": { - "bytes": 0, - "duration": { - "ms": 5319 - }, - "header_receive_duration": { - "ms": 5155 - }, - "http": { - "expires": "2022-05-27T13:25:26.000Z", - "last_modified": "2022-05-26T13:25:26.000Z" - }, - "status": 200, - "time": 5232000000 - }, - "ssl_protocol": "TLSv1.2", - "tcp_handshake_duration": { - "ms": 24 - }, - "tls_handshake_duration": { - "ms": 53 - } - }, - "parent_ray": { - "id": "710e98d93d50357d" - }, - "ray": { - "id": "710e98d9367f357d" - }, - "security_level": "off", - "smart_route": { - "colo": { - "id": 20 - } - }, - "upper_tier": { - "colo": { - "id": 0 - } - }, - "waf": { - "action": "unknown", - "flag": "0", - "matched_var": "example", - "profile": "unknown", - "rule": { - "id": "98d93d5", - "message": "matchad variable message" - } - }, - "worker": { - "cpu_time": 0, - "status": "unknown", - "subrequest": { - "count": 0, - "value": true - } - }, - "zone": { - "id": 393347122, - "name": "example.com" - } - } - }, - "data_stream": { - "dataset": "cloudflare_logpush.http_request", - "namespace": "ep", - "type": "logs" - }, - "destination": { - "ip": "67.43.156.0" - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": 
"8539930e-8f7a-48ac-af3e-7f098b7d6ea2", - "snapshot": false, - "version": "7.17.0" - }, - "event": { - "agent_id_status": "verified", - "category": [ - "network" - ], - "dataset": "cloudflare_logpush.http_request", - "ingested": "2022-09-01T10:08:20Z", - "kind": "event", - "original": "{\"BotScore\":\"20\",\"BotScoreSrc\":\"Verified Bot\",\"BotTags\":\"bing\",\"CacheCacheStatus\":\"dynamic\",\"CacheResponseBytes\":983828,\"CacheResponseStatus\":200,\"CacheTieredFill\":false,\"ClientASN\":43766,\"ClientCountry\":\"sa\",\"ClientDeviceType\":\"desktop\",\"ClientIP\":\"175.16.199.0\",\"ClientIPClass\":\"noRecord\",\"ClientMTLSAuthCertFingerprint\":\"Fingerprint\",\"ClientMTLSAuthStatus\":\"unknown\",\"ClientRequestBytes\":5800,\"ClientRequestHost\":\"xyz.example.com\",\"ClientRequestMethod\":\"POST\",\"ClientRequestPath\":\"/xyz/checkout\",\"ClientRequestProtocol\":\"HTTP/1.1\",\"ClientRequestReferer\":\"https://example.com/s/example/default?sourcerer=(default:(id:!n,selectedPatterns:!(example,%27logs-endpoint.*-example%27,%27logs-system.*-example%27,%27logs-windows.*-example%27)))\\u0026timerange=(global:(linkTo:!(),timerange:(from:%272022-05-16T06:26:36.340Z%27,fromStr:now-24h,kind:relative,to:%272022-05-17T06:26:36.340Z%27,toStr:now)),timeline:(linkTo:!(),timerange:(from:%272022-04-17T22:00:00.000Z%27,kind:absolute,to:%272022-04-18T21:59:59.999Z%27)))\\u0026timeline=(activeTab:notes,graphEventId:%27%27,id:%279844bdd4-4dd6-5b22-ab40-3cd46fce8d6b%27,isOpen:!t)\",\"ClientRequestScheme\":\"https\",\"ClientRequestSource\":\"edgeWorkerFetch\",\"ClientRequestURI\":\"/s/example/api/telemetry/v2/clusters/_stats\",\"ClientRequestUserAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36\",\"ClientSSLCipher\":\"NONE\",\"ClientSSLProtocol\":\"TLSv1.2\",\"ClientSrcPort\":0,\"ClientTCPRTTMs\":0,\"ClientXRequestedWith\":\"Request 
With\",\"Cookies\":{\"key\":\"value\"},\"EdgeCFConnectingO2O\":false,\"EdgeColoCode\":\"RUH\",\"EdgeColoID\":339,\"EdgeEndTimestamp\":\"2022-05-25T13:25:32Z\",\"EdgePathingOp\":\"wl\",\"EdgePathingSrc\":\"macro\",\"EdgePathingStatus\":\"nr\",\"EdgeRateLimitAction\":\"unknown\",\"EdgeRateLimitID\":0,\"EdgeRequestHost\":\"abc.example.com\",\"EdgeResponseBodyBytes\":980397,\"EdgeResponseBytes\":981308,\"EdgeResponseCompressionRatio\":0,\"EdgeResponseContentType\":\"application/json\",\"EdgeResponseStatus\":200,\"EdgeServerIP\":\"1.128.0.0\",\"EdgeStartTimestamp\":\"2022-05-25T13:25:26Z\",\"EdgeTimeToFirstByteMs\":5333,\"OriginDNSResponseTimeMs\":3,\"OriginIP\":\"67.43.156.0\",\"OriginRequestHeaderSendDurationMs\":0,\"OriginResponseBytes\":0,\"OriginResponseDurationMs\":5319,\"OriginResponseHTTPExpires\":\"2022-05-27T13:25:26Z\",\"OriginResponseHTTPLastModified\":\"2022-05-26T13:25:26Z\",\"OriginResponseHeaderReceiveDurationMs\":5155,\"OriginResponseStatus\":200,\"OriginResponseTime\":5232000000,\"OriginSSLProtocol\":\"TLSv1.2\",\"OriginTCPHandshakeDurationMs\":24,\"OriginTLSHandshakeDurationMs\":53,\"ParentRayID\":\"710e98d93d50357d\",\"RayID\":\"710e98d9367f357d\",\"SecurityLevel\":\"off\",\"SmartRouteColoID\":20,\"UpperTierColoID\":0,\"WAFAction\":\"unknown\",\"WAFFlags\":\"0\",\"WAFMatchedVar\":\"example\",\"WAFProfile\":\"unknown\",\"WAFRuleID\":\"98d93d5\",\"WAFRuleMessage\":\"matchad variable message\",\"WorkerCPUTime\":0,\"WorkerStatus\":\"unknown\",\"WorkerSubrequest\":true,\"WorkerSubrequestCount\":0,\"ZoneID\":393347122,\"ZoneName\":\"example.com\"}", - "type": [ - "info" - ] - }, - "http": { - "request": { - "method": "POST" - }, - "response": { - "mime_type": "application/json", - "status_code": 200 - }, - "version": "1.1" - }, - "input": { - "type": "http_endpoint" - }, - "network": { - "protocol": "http" - }, - "related": { - "ip": [ - "175.16.199.0", - "67.43.156.0" - ] - }, - "source": { - "as": { - "number": 43766 - }, - "geo": { - "country_iso_code": 
"sa" - }, - "ip": "175.16.199.0" - }, - "tags": [ - "preserve_original_event", - "preserve_duplicate_custom_fields", - "forwarded", - "cloudflare_logpush_http_request" - ], - "tls": { - "version": "1.2", - "version_protocol": "tls" - }, - "url": { - "domain": "example.com", - "original": "https://example.com/s/example/default?sourcerer=(default:(id:!n,selectedPatterns:!(example,%27logs-endpoint.*-example%27,%27logs-system.*-example%27,%27logs-windows.*-example%27)))\u0026timerange=(global:(linkTo:!(),timerange:(from:%272022-05-16T06:26:36.340Z%27,fromStr:now-24h,kind:relative,to:%272022-05-17T06:26:36.340Z%27,toStr:now)),timeline:(linkTo:!(),timerange:(from:%272022-04-17T22:00:00.000Z%27,kind:absolute,to:%272022-04-18T21:59:59.999Z%27)))\u0026timeline=(activeTab:notes,graphEventId:%27%27,id:%279844bdd4-4dd6-5b22-ab40-3cd46fce8d6b%27,isOpen:!t)", - "path": "/s/example/default", - "query": "sourcerer=(default:(id:!n,selectedPatterns:!(example,'logs-endpoint.*-example','logs-system.*-example','logs-windows.*-example')))\u0026timerange=(global:(linkTo:!(),timerange:(from:'2022-05-16T06:26:36.340Z',fromStr:now-24h,kind:relative,to:'2022-05-17T06:26:36.340Z',toStr:now)),timeline:(linkTo:!(),timerange:(from:'2022-04-17T22:00:00.000Z',kind:absolute,to:'2022-04-18T21:59:59.999Z')))\u0026timeline=(activeTab:notes,graphEventId:'',id:'9844bdd4-4dd6-5b22-ab40-3cd46fce8d6b',isOpen:!t)", - "scheme": "https" - }, - "user_agent": { - "device": { - "name": "Mac" - }, - "name": "Chrome", - "original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36", - "os": { - "full": "Mac OS X 10.10.5", - "name": "Mac OS X", - "version": "10.10.5" - }, - "version": "51.0.2704.103" - } -} -``` - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. 
| date | -| cloud.account.id | The cloud account or organization ID used to identify different entities in a multi-tenant environment. Examples: AWS account ID, Google Cloud ORG ID, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| cloudflare_logpush.http_request.bot.score.src | Detection engine responsible for generating the Bot Score. | text | -| cloudflare_logpush.http_request.bot.score.value | Cloudflare Bot Score, Scores below 30 are commonly associated with automated traffic. | long | -| cloudflare_logpush.http_request.bot.tag | Type of bot traffic (if available). | text | -| cloudflare_logpush.http_request.cache.response.bytes | Number of bytes returned by the cache. | long | -| cloudflare_logpush.http_request.cache.response.status | Cache status. | long | -| cloudflare_logpush.http_request.cache.status | HTTP status code returned by the cache to the edge. | keyword | -| cloudflare_logpush.http_request.cache.tiered_fill | Tiered Cache was used to serve this request. | boolean | -| cloudflare_logpush.http_request.client.asn | Client AS number. | long | -| cloudflare_logpush.http_request.client.country | Country of the client IP address. | keyword | -| cloudflare_logpush.http_request.client.device.type | Client device type. | keyword | -| cloudflare_logpush.http_request.client.ip | IP address of the client. 
| ip | -| cloudflare_logpush.http_request.client.ip_class | Class IP. | keyword | -| cloudflare_logpush.http_request.client.mtls.auth.fingerprint | The SHA256 fingerprint of the certificate presented by the client during mTLS authentication. | keyword | -| cloudflare_logpush.http_request.client.mtls.auth.status | The status of mTLS authentication, Only populated on the first request on an mTLS connection. | keyword | -| cloudflare_logpush.http_request.client.request.bytes | Number of bytes in the client request. | long | -| cloudflare_logpush.http_request.client.request.host | Host requested by the client. | keyword | -| cloudflare_logpush.http_request.client.request.method | HTTP method of client request. | text | -| cloudflare_logpush.http_request.client.request.path | URI path requested by the client. | text | -| cloudflare_logpush.http_request.client.request.protocol | HTTP protocol of client request. | keyword | -| cloudflare_logpush.http_request.client.request.referer | HTTP request referrer. | text | -| cloudflare_logpush.http_request.client.request.scheme | The URL scheme requested by the visitor. | text | -| cloudflare_logpush.http_request.client.request.source | Identifies requests as coming from an external source or another service within Cloudflare. | keyword | -| cloudflare_logpush.http_request.client.request.uri | URI requested by the client. | text | -| cloudflare_logpush.http_request.client.request.user.agent | User agent reported by the client. | text | -| cloudflare_logpush.http_request.client.src.port | Client source port. | long | -| cloudflare_logpush.http_request.client.ssl.cipher | Client SSL cipher. | text | -| cloudflare_logpush.http_request.client.ssl.protocol | Client SSL (TLS) protocol. 
| keyword | -| cloudflare_logpush.http_request.client.tcp_rtt.ms | The smoothed average of TCP round-trip time (SRTT), For the initial request on a connection, this is measured only during connection setup, For a subsequent request on the same connection, it is measured over the entire connection lifetime up until the time that request is received. | long | -| cloudflare_logpush.http_request.client.xrequested_with | X-Requested-With HTTP header. | text | -| cloudflare_logpush.http_request.cookies | String key-value pairs for Cookies. | flattened | -| cloudflare_logpush.http_request.edge.cf_connecting_o2o | True if the request looped through multiple zones on the Cloudflare edge. | boolean | -| cloudflare_logpush.http_request.edge.colo.code | IATA airport code of data center that received the request. | keyword | -| cloudflare_logpush.http_request.edge.colo.id | Cloudflare edge colo id. | long | -| cloudflare_logpush.http_request.edge.end_time | Timestamp at which the edge finished sending response to the client. | date | -| cloudflare_logpush.http_request.edge.pathing.op | Indicates what type of response was issued for this request. | text | -| cloudflare_logpush.http_request.edge.pathing.src | Details how the request was classified based on security checks. | text | -| cloudflare_logpush.http_request.edge.pathing.status | Indicates what data was used to determine the handling of this request. | text | -| cloudflare_logpush.http_request.edge.rate.limit.action | The action taken by the blocking rule; empty if no action taken. | keyword | -| cloudflare_logpush.http_request.edge.rate.limit.id | The internal rule ID of the rate-limiting rule that triggered a block (ban) or log action. | long | -| cloudflare_logpush.http_request.edge.request.host | Host header on the request from the edge to the origin. | keyword | -| cloudflare_logpush.http_request.edge.response.body_bytes | Size of the HTTP response body returned to clients. 
| long | -| cloudflare_logpush.http_request.edge.response.bytes | Number of bytes returned by the edge to the client. | long | -| cloudflare_logpush.http_request.edge.response.compression_ratio | Edge response compression ratio. | double | -| cloudflare_logpush.http_request.edge.response.content_type | Edge response Content-Type header value. | text | -| cloudflare_logpush.http_request.edge.response.status | HTTP status code returned by Cloudflare to the client. | long | -| cloudflare_logpush.http_request.edge.server.ip | IP of the edge server making a request to the origin. | ip | -| cloudflare_logpush.http_request.edge.start_time | Timestamp at which the edge received request from the client. | date | -| cloudflare_logpush.http_request.edge.time_to_first_byte.ms | Total view of Time To First Byte as measured at Cloudflare edge. | long | -| cloudflare_logpush.http_request.firewall.matches.action | Array of actions the Cloudflare firewall products performed on this request. | nested | -| cloudflare_logpush.http_request.firewall.matches.rule_id | Array of RuleIDs of the firewall product that has matched the request. | nested | -| cloudflare_logpush.http_request.firewall.matches.sources | The firewall products that matched the request. | nested | -| cloudflare_logpush.http_request.ja3_hash | The MD5 hash of the JA3 fingerprint used to profile SSL/TLS clients. | keyword | -| cloudflare_logpush.http_request.origin.dns_response_time.ms | Time taken to receive a DNS response for an origin name. | long | -| cloudflare_logpush.http_request.origin.ip | IP of the origin server. | ip | -| cloudflare_logpush.http_request.origin.request_header_send_duration.ms | Time taken to send request headers to origin after establishing a connection. | long | -| cloudflare_logpush.http_request.origin.response.bytes | Number of bytes returned by the origin server. 
| long | -| cloudflare_logpush.http_request.origin.response.duration.ms | Upstream response time, measured from the first datacenter that receives a request. | long | -| cloudflare_logpush.http_request.origin.response.header_receive_duration.ms | Time taken for origin to return response headers after Cloudflare finishes sending request headers. | long | -| cloudflare_logpush.http_request.origin.response.http.expires | Value of the origin expires header in RFC1123 format. | date | -| cloudflare_logpush.http_request.origin.response.http.last_modified | Value of the origin last-modified header in RFC1123 format. | date | -| cloudflare_logpush.http_request.origin.response.status | Status returned by the origin server. | long | -| cloudflare_logpush.http_request.origin.response.time | Number of nanoseconds it took the origin to return the response to edge. | long | -| cloudflare_logpush.http_request.origin.ssl_protocol | SSL (TLS) protocol used to connect to the origin. | text | -| cloudflare_logpush.http_request.origin.tcp_handshake_duration.ms | Time taken to complete TCP handshake with origin. | long | -| cloudflare_logpush.http_request.origin.tls_handshake_duration.ms | Time taken to complete TLS handshake with origin. | long | -| cloudflare_logpush.http_request.parent_ray.id | Ray ID of the parent request if this request was made using a Worker script. | keyword | -| cloudflare_logpush.http_request.ray.id | ID of the request. | keyword | -| cloudflare_logpush.http_request.request.headers | String key-value pairs for RequestHeaders. | flattened | -| cloudflare_logpush.http_request.response.headers | String key-value pairs for ResponseHeaders. | flattened | -| cloudflare_logpush.http_request.security_level | The security level configured at the time of this request. This is used to determine the sensitivity of the IP Reputation system. 
| text | -| cloudflare_logpush.http_request.smart_route.colo.id | The Cloudflare datacenter used to connect to the origin server if Argo Smart Routing is used. Available in Logpush v2 only. | long | -| cloudflare_logpush.http_request.upper_tier.colo.id | The “upper tier” datacenter that was checked for a cached copy if Tiered Cache is used. Available in Logpush v2 only. | long | -| cloudflare_logpush.http_request.waf.action | Action taken by the WAF, if triggered. | text | -| cloudflare_logpush.http_request.waf.flag | Additional configuration flags. | text | -| cloudflare_logpush.http_request.waf.matched_var | The full name of the most-recently matched variable. | text | -| cloudflare_logpush.http_request.waf.profile | The Profile of WAF. possible values are:- 'low', 'med', 'high'. | keyword | -| cloudflare_logpush.http_request.waf.rule.id | ID of the applied WAF rule. | keyword | -| cloudflare_logpush.http_request.waf.rule.message | Rule message associated with the triggered rule. | text | -| cloudflare_logpush.http_request.worker.cpu_time | Amount of time in microseconds spent executing a worker, if any. | long | -| cloudflare_logpush.http_request.worker.status | Status returned from worker daemon. | text | -| cloudflare_logpush.http_request.worker.subrequest.count | Number of subrequests issued by a worker when handling this request. | long | -| cloudflare_logpush.http_request.worker.subrequest.value | Whether or not this request was a worker subrequest. | boolean | -| cloudflare_logpush.http_request.worker.wall_time_us | Real-time in microseconds elapsed between start and end of worker invocation. | long | -| cloudflare_logpush.http_request.zone.id | Internal zone ID. | long | -| cloudflare_logpush.http_request.zone.name | The human-readable name of the zone. | keyword | -| container.id | Unique container ID. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. 
| object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | -| event.dataset | Event dataset. | constant_keyword | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. 
`event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | -| event.module | Event module. | constant_keyword | -| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host ID. 
As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host IP addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| http.request.method | HTTP request method. The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field. | keyword | -| http.response.mime_type | Mime type of the body of the response. This value must only be populated based on the content of the response body, not on the `Content-Type` header. Comparing the mime type of a response with the response's Content-Type header can be helpful in detecting misconfigured servers. | keyword | -| http.response.status_code | HTTP response status code. | long | -| http.version | HTTP version. 
| keyword | -| input.type | Input type | keyword | -| log.offset | Log offset | long | -| log.source.address | Source address from which the log event was read / sent from. | keyword | -| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword | -| related.hash | All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| source.geo.country_iso_code | Country ISO code. | keyword | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| tags | List of keywords used to tag each event. | keyword | -| tls.version | Numeric part of the version parsed from the original string. | keyword | -| tls.version_protocol | Normalized lowercase protocol name parsed from original string. | keyword | -| url.domain | Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. | keyword | -| url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | wildcard | -| url.original.text | Multi-field of `url.original`. 
| match_only_text | -| url.path | Path of the request, such as "/search". | wildcard | -| url.query | The query field describes the query string of the request, such as "q=elasticsearch". The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. | keyword | -| url.scheme | Scheme of the request, such as "https". Note: The `:` is not part of the scheme. | keyword | -| user_agent.device.name | Name of the device. | keyword | -| user_agent.name | Name of the user agent. | keyword | -| user_agent.original | Unparsed user_agent string. | keyword | -| user_agent.original.text | Multi-field of `user_agent.original`. | match_only_text | -| user_agent.os.full | Operating system name, including the version or code name. | keyword | -| user_agent.os.full.text | Multi-field of `user_agent.os.full`. | match_only_text | -| user_agent.os.name | Operating system name, without the version. | keyword | -| user_agent.os.name.text | Multi-field of `user_agent.os.name`. | match_only_text | -| user_agent.os.version | Operating system version as a raw string. | keyword | -| user_agent.version | Version of the user agent. | keyword | - - -### nel_report - -This is the `nel_report` dataset. 
-Default port for HTTP Endpoint: _9564_ - -#### Example - -An example event for `nel_report` looks as following: - -```json -{ - "@timestamp": "2021-07-27T00:01:07.000Z", - "agent": { - "ephemeral_id": "c38ba64f-2007-40ee-8ba6-7eead6aad5ee", - "hostname": "docker-fleet-agent", - "id": "8539930e-8f7a-48ac-af3e-7f098b7d6ea2", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "7.17.0" - }, - "cloudflare_logpush": { - "nel_report": { - "client": { - "ip": { - "asn": { - "description": "CLOUDFLARENET", - "value": 13335 - }, - "country": "US" - } - }, - "error": { - "type": "network-error" - }, - "last_known_good": { - "colo": { - "code": "SJC" - } - }, - "phase": "connection", - "timestamp": "2021-07-27T00:01:07.000Z" - } - }, - "data_stream": { - "dataset": "cloudflare_logpush.nel_report", - "namespace": "ep", - "type": "logs" - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "8539930e-8f7a-48ac-af3e-7f098b7d6ea2", - "snapshot": false, - "version": "7.17.0" - }, - "error": { - "type": "network-error" - }, - "event": { - "agent_id_status": "verified", - "category": [ - "network" - ], - "dataset": "cloudflare_logpush.nel_report", - "ingested": "2022-09-01T10:09:13Z", - "kind": "event", - "original": "{\"ClientIPASN\":\"13335\",\"ClientIPASNDescription\":\"CLOUDFLARENET\",\"ClientIPCountry\":\"US\",\"LastKnownGoodColoCode\":\"SJC\",\"Phase\":\"connection\",\"Timestamp\":\"2021-07-27T00:01:07Z\",\"Type\":\"network-error\"}", - "type": [ - "info" - ] - }, - "input": { - "type": "http_endpoint" - }, - "tags": [ - "preserve_original_event", - "preserve_duplicate_custom_fields", - "forwarded", - "cloudflare_logpush_nel_report" - ] -} -``` - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization ID used to identify different entities in a multi-tenant environment. 
Examples: AWS account ID, Google Cloud ORG ID, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| cloudflare_logpush.nel_report.client.ip.asn.description | Client ASN description. | keyword | -| cloudflare_logpush.nel_report.client.ip.asn.value | Client ASN. | long | -| cloudflare_logpush.nel_report.client.ip.country | Client country. | keyword | -| cloudflare_logpush.nel_report.error.type | The type of error in the phase. | keyword | -| cloudflare_logpush.nel_report.last_known_good.colo.code | IATA airport code of colo client connected to. | keyword | -| cloudflare_logpush.nel_report.phase | The phase of connection the error occurred in. | keyword | -| cloudflare_logpush.nel_report.timestamp | Timestamp for error report. | date | -| container.id | Unique container ID. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. 
When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| error.type | The type of the error, for example the class name of the exception. | keyword | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | -| event.dataset | Event dataset. | constant_keyword | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. 
They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | -| event.module | Event module. | constant_keyword | -| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host ID. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host IP addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. 
It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| input.type | Input type | keyword | -| log.offset | Log offset | long | -| log.source.address | Source address from which the log event was read / sent from. | keyword | -| tags | List of keywords used to tag each event. | keyword | - - -### network_analytics - -This is the `network_analytics` dataset. 
-Default port for HTTP Endpoint: _9565_ - -#### Example - -An example event for `network_analytics` looks as following: - -```json -{ - "@timestamp": "2021-07-27T00:01:07.000Z", - "agent": { - "ephemeral_id": "a59f9c29-2b33-4505-be1c-b7bc89c786a7", - "hostname": "docker-fleet-agent", - "id": "8539930e-8f7a-48ac-af3e-7f098b7d6ea2", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "7.17.0" - }, - "cloudflare_logpush": { - "network_analytics": { - "attack": { - "campaign": { - "id": "xyz987" - }, - "id": "abc777" - }, - "colo": { - "country": "AD", - "geo_hash": "gbuun", - "geo_location": "gbuun", - "id": 46, - "name": "SJC" - }, - "destination": { - "as": { - "number": { - "description": "asn description" - } - }, - "asn": 1900, - "country": "AD", - "geo_hash": "gbuun", - "geo_location": "gbuun", - "ip": "175.16.199.0", - "port": 0 - }, - "direction": "ingress", - "gre": { - "checksum": 10, - "ether": { - "type": 10 - }, - "header": { - "length": 1024 - }, - "key": 10, - "sequence": { - "number": 10 - }, - "version": 10 - }, - "icmp": { - "checksum": 10, - "code": 10, - "type": 10 - }, - "ip": { - "destination": { - "subnet": "/24" - }, - "fragment": { - "offset": 1480 - }, - "header": { - "length": 20 - }, - "more": { - "fragments": 1480 - }, - "protocol": { - "name": "tcp", - "value": 6 - }, - "source": { - "subnet": "/24" - }, - "total": { - "length": { - "buckets": 10, - "value": 1024 - } - }, - "ttl": { - "buckets": 2, - "value": 240 - } - }, - "ipv4": { - "checksum": 0, - "dont_fragment": 0, - "dscp": 46, - "ecn": 1, - "identification": 1, - "options": 1 - }, - "ipv6": { - "dscp": 46, - "ecn": 1, - "extension_headers": "header", - "flow_label": 1, - "identification": 1 - }, - "mitigation": { - "reason": "BLOCKED", - "scope": "local", - "system": "flowtrackd" - }, - "outcome": "success", - "protocol_state": "OPEN", - "rule": { - "id": "rule1", - "set": { - "id": "3b64149bfa6e4220bbbc2bd6db589552", - "override": { - "id": "id1" - } - } - }, - 
"sample_interval": 1, - "source": { - "as": { - "number": { - "description": "Source ASN Description" - } - }, - "asn": 1500, - "country": "AD", - "geo_hash": "gbuun", - "geo_location": "gbuun", - "ip": "67.43.156.0", - "port": 0 - }, - "tcp": { - "acknowledgement_number": 1000, - "checksum": 10, - "dataoffset": 0, - "flags": { - "string": "Human-readable flags string", - "value": 1 - }, - "mss": 512, - "options": "mss", - "sack": { - "blocks": 1, - "permitted": 1 - }, - "sequence_number": 100, - "timestamp": { - "ecr": 100, - "value": 100 - }, - "urgent_pointer": 10, - "window": { - "scale": 10, - "size": 10 - } - }, - "timestamp": "2021-07-27T00:01:07.000Z", - "udp": { - "checksum": 10, - "payload_length": 10 - }, - "verdict": "pass" - } - }, - "data_stream": { - "dataset": "cloudflare_logpush.network_analytics", - "namespace": "ep", - "type": "logs" - }, - "destination": { - "as": { - "number": 1900 - }, - "ip": "175.16.199.0", - "port": 0 - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "8539930e-8f7a-48ac-af3e-7f098b7d6ea2", - "snapshot": false, - "version": "7.17.0" - }, - "event": { - "agent_id_status": "verified", - "category": [ - "network" - ], - "dataset": "cloudflare_logpush.network_analytics", - "ingested": "2022-09-01T10:10:02Z", - "kind": "event", - "original": "{\"AttackCampaignID\":\"xyz987\",\"AttackID\":\"abc777\",\"ColoCountry\":\"AD\",\"ColoGeoHash\":\"gbuun\",\"ColoID\":46,\"ColoName\":\"SJC\",\"Datetime\":\"2021-07-27T00:01:07Z\",\"DestinationASN\":1900,\"DestinationASNDescription\":\"asn 
description\",\"DestinationCountry\":\"AD\",\"DestinationGeoHash\":\"gbuun\",\"DestinationPort\":0,\"Direction\":\"ingress\",\"GREChecksum\":10,\"GREEthertype\":10,\"GREHeaderLength\":1024,\"GREKey\":10,\"GRESequenceNumber\":10,\"GREVersion\":10,\"ICMPChecksum\":10,\"ICMPCode\":10,\"ICMPType\":10,\"IPDestinationAddress\":\"175.16.199.0\",\"IPDestinationSubnet\":\"/24\",\"IPFragmentOffset\":1480,\"IPHeaderLength\":20,\"IPMoreFragments\":1480,\"IPProtocol\":6,\"IPProtocolName\":\"tcp\",\"IPSourceAddress\":\"67.43.156.0\",\"IPSourceSubnet\":\"/24\",\"IPTotalLength\":1024,\"IPTotalLengthBuckets\":10,\"IPTtl\":240,\"IPTtlBuckets\":2,\"IPv4Checksum\":0,\"IPv4DontFragment\":0,\"IPv4Dscp\":46,\"IPv4Ecn\":1,\"IPv4Identification\":1,\"IPv4Options\":1,\"IPv6Dscp\":46,\"IPv6Ecn\":1,\"IPv6ExtensionHeaders\":\"header\",\"IPv6FlowLabel\":1,\"IPv6Identification\":1,\"MitigationReason\":\"BLOCKED\",\"MitigationScope\":\"local\",\"MitigationSystem\":\"flowtrackd\",\"Outcome\":\"pass\",\"ProtocolState\":\"OPEN\",\"RuleID\":\"rule1\",\"RulesetID\":\"3b64149bfa6e4220bbbc2bd6db589552\",\"RulesetOverrideID\":\"id1\",\"SampleInterval\":1,\"SourceASN\":1500,\"SourceASNDescription\":\"Source ASN Description\",\"SourceCountry\":\"AD\",\"SourceGeoHash\":\"gbuun\",\"SourcePort\":0,\"TCPAcknowledgementNumber\":1000,\"TCPChecksum\":10,\"TCPDataOffset\":0,\"TCPFlags\":1,\"TCPFlagsString\":\"Human-readable flags string\",\"TCPMss\":512,\"TCPOptions\":\"mss\",\"TCPSackBlocks\":1,\"TCPSacksPermitted\":1,\"TCPSequenceNumber\":100,\"TCPTimestampEcr\":100,\"TCPTimestampValue\":100,\"TCPUrgentPointer\":10,\"TCPWindowScale\":10,\"TCPWindowSize\":10,\"UDPChecksum\":10,\"UDPPayloadLength\":10,\"Verdict\":\"pass\"}", - "outcome": "success", - "type": [ - "info" - ] - }, - "input": { - "type": "http_endpoint" - }, - "network": { - "direction": "ingress", - "transport": "tcp" - }, - "related": { - "hash": [ - "gbuun" - ], - "ip": [ - "67.43.156.0", - "175.16.199.0" - ] - }, - "rule": { - "id": "rule1" - }, - 
"source": { - "as": { - "number": 1500 - }, - "ip": "67.43.156.0", - "port": 0 - }, - "tags": [ - "preserve_original_event", - "preserve_duplicate_custom_fields", - "forwarded", - "cloudflare_logpush_network_analytics" - ] -} -``` - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization ID used to identify different entities in a multi-tenant environment. Examples: AWS account ID, Google Cloud ORG ID, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| cloudflare_logpush.network_analytics.attack.campaign.id | Unique identifier of the attack campaign that this packet was a part of, if any. | keyword | -| cloudflare_logpush.network_analytics.attack.id | Unique identifier of the mitigation that matched the packet, if any. | keyword | -| cloudflare_logpush.network_analytics.colo.country | The country of colo that received the packet (ISO 3166-1 alpha-2). | keyword | -| cloudflare_logpush.network_analytics.colo.geo_hash | The Geo Hash where the colo that received the packet is located. | keyword | -| cloudflare_logpush.network_analytics.colo.geo_location | The latitude and longitude where the colo that received the packet is located. | geo_point | -| cloudflare_logpush.network_analytics.colo.id | The ID of the colo that received the DNS query. 
| long | -| cloudflare_logpush.network_analytics.colo.name | The name of the colo that received the DNS query. | keyword | -| cloudflare_logpush.network_analytics.destination.as.number.description | The ASN description associated with the destination IP of the packet. | text | -| cloudflare_logpush.network_analytics.destination.asn | The ASN associated with the destination IP of the packet. | long | -| cloudflare_logpush.network_analytics.destination.country | The country where the destination IP of the packet is located. | keyword | -| cloudflare_logpush.network_analytics.destination.geo_hash | The Geo Hash where the destination IP of the packet is located. | keyword | -| cloudflare_logpush.network_analytics.destination.geo_location | The latitude and longitude where the destination IP of the packet is located. | geo_point | -| cloudflare_logpush.network_analytics.destination.ip | Value of the Destination Address header field in the IPv4 or IPv6 packet. | ip | -| cloudflare_logpush.network_analytics.destination.port | Value of the Destination Port header field in the TCP or UDP packet. | long | -| cloudflare_logpush.network_analytics.direction | The direction in relation to customer network. | keyword | -| cloudflare_logpush.network_analytics.gre.checksum | Value of the Checksum header field in the GRE packet. | long | -| cloudflare_logpush.network_analytics.gre.ether.type | Value of the Ethertype header field in the GRE packet. | long | -| cloudflare_logpush.network_analytics.gre.header.length | Length of the GRE packet header, in bytes. | long | -| cloudflare_logpush.network_analytics.gre.key | Value of the Key header field in the GRE packet. | long | -| cloudflare_logpush.network_analytics.gre.sequence.number | Value of the Sequence Number header field in the GRE packet. | long | -| cloudflare_logpush.network_analytics.gre.version | Value of the Version header field in the GRE packet. 
| long | -| cloudflare_logpush.network_analytics.icmp.checksum | Value of the Checksum header field in the ICMP packet | long | -| cloudflare_logpush.network_analytics.icmp.code | Value of the Code header field in the ICMP packet | long | -| cloudflare_logpush.network_analytics.icmp.type | Value of the Type header field in the ICMP packet | long | -| cloudflare_logpush.network_analytics.ip.destination.subnet | Computed subnet of the Destination Address header field in the IPv4 or IPv6 packet. | keyword | -| cloudflare_logpush.network_analytics.ip.fragment.offset | Value of the Fragment Offset header field in the IPv4 or IPv6 packet. | long | -| cloudflare_logpush.network_analytics.ip.header.length | Length of the IPv4 or IPv6 packet header, in bytes. | long | -| cloudflare_logpush.network_analytics.ip.more.fragments | Value of the More Fragments header field in the IPv4 or IPv6 packet. | long | -| cloudflare_logpush.network_analytics.ip.protocol.name | Name of the protocol specified by the Protocol header field in the IPv4 or IPv6 packet. | text | -| cloudflare_logpush.network_analytics.ip.protocol.value | Value of the Protocol header field in the IPv4 or IPv6 packet. | long | -| cloudflare_logpush.network_analytics.ip.source.subnet | Computed subnet of the Source Address header field in the IPv4 or IPv6 packet. | keyword | -| cloudflare_logpush.network_analytics.ip.total.length.buckets | Total length of the IPv4 or IPv6 packet, in bytes, with the last two digits truncated. | long | -| cloudflare_logpush.network_analytics.ip.total.length.value | Total length of the IPv4 or IPv6 packet, in bytes. | long | -| cloudflare_logpush.network_analytics.ip.ttl.buckets | Value of the TTL header field in the IPv4 packet or the Hop Limit header field in the IPv6 packet, with the last digit truncated. | long | -| cloudflare_logpush.network_analytics.ip.ttl.value | Value of the TTL header field in the IPv4 packet or the Hop Limit header field in the IPv6 packet. 
| long | -| cloudflare_logpush.network_analytics.ipv4.checksum | Value of the Checksum header field in the IPv4 packet. | long | -| cloudflare_logpush.network_analytics.ipv4.dont_fragment | Value of the Don’t Fragment header field in the IPv4 packet. | long | -| cloudflare_logpush.network_analytics.ipv4.dscp | Value of the Differentiated Services Code Point header field in the IPv4 packet. | long | -| cloudflare_logpush.network_analytics.ipv4.ecn | Value of the Explicit Congestion Notification header field in the IPv4 packet. | long | -| cloudflare_logpush.network_analytics.ipv4.identification | Value of the Identification header field in the IPv4 packet. | long | -| cloudflare_logpush.network_analytics.ipv4.options | List of Options numbers included in the IPv4 packet header. | long | -| cloudflare_logpush.network_analytics.ipv6.dscp | Value of the Differentiated Services Code Point header field in the IPv6 packet. | long | -| cloudflare_logpush.network_analytics.ipv6.ecn | Value of the Explicit Congestion Notification header field in the IPv6 packet. | long | -| cloudflare_logpush.network_analytics.ipv6.extension_headers | List of Extension Header numbers included in the IPv6 packet header. | text | -| cloudflare_logpush.network_analytics.ipv6.flow_label | Value of the Flow Label header field in the IPv6 packet. | long | -| cloudflare_logpush.network_analytics.ipv6.identification | Value of the Identification extension header field in the IPv6 packet. | long | -| cloudflare_logpush.network_analytics.mitigation.reason | Reason for applying a mitigation to the packet, if any. | keyword | -| cloudflare_logpush.network_analytics.mitigation.scope | Whether the packet matched a local or global mitigation, if any. | keyword | -| cloudflare_logpush.network_analytics.mitigation.system | Which Cloudflare system dropped the packet, if any. | keyword | -| cloudflare_logpush.network_analytics.outcome | The action that Cloudflare systems took on the packet. 
| keyword | -| cloudflare_logpush.network_analytics.protocol_state | State of the packet in the context of the protocol, if any. | keyword | -| cloudflare_logpush.network_analytics.rule.id | Unique identifier of the rule contained with the Cloudflare L3/4 managed ruleset that this packet matched, if any. | text | -| cloudflare_logpush.network_analytics.rule.set.id | Unique identifier of the Cloudflare L3/4 managed ruleset containing the rule that this packet matched, if any. | keyword | -| cloudflare_logpush.network_analytics.rule.set.override.id | Unique identifier of the rule within the accounts root ddos_l4 phase ruleset which resulted in an override of the default sensitivity or action being applied/evaluated, if any. | text | -| cloudflare_logpush.network_analytics.sample_interval | The sample interval for this log. | long | -| cloudflare_logpush.network_analytics.source.as.number.description | The ASN description associated with the source IP of the packet. | text | -| cloudflare_logpush.network_analytics.source.asn | The ASN associated with the source IP of the packet. | long | -| cloudflare_logpush.network_analytics.source.country | The country where the source IP of the packet is located. | keyword | -| cloudflare_logpush.network_analytics.source.geo_hash | The Geo Hash where the source IP of the packet is located. | keyword | -| cloudflare_logpush.network_analytics.source.geo_location | The latitude and longitude where the source IP of the packet is located. | geo_point | -| cloudflare_logpush.network_analytics.source.ip | Value of the Source Address header field in the IPv4 or IPv6 packet. | ip | -| cloudflare_logpush.network_analytics.source.port | Value of the Source Port header field in the TCP or UDP packet. | long | -| cloudflare_logpush.network_analytics.tcp.acknowledgement_number | Value of the Acknowledgement Number header field in the TCP packet. 
| long | -| cloudflare_logpush.network_analytics.tcp.checksum | Value of the Checksum header field in the TCP packet. | long | -| cloudflare_logpush.network_analytics.tcp.dataoffset | Value of the Data Offset header field in the TCP packet. | long | -| cloudflare_logpush.network_analytics.tcp.flags.string | Human-readable string representation of the Flags header field in the TCP packet. | text | -| cloudflare_logpush.network_analytics.tcp.flags.value | Value of the Flags header field in the TCP packet. | long | -| cloudflare_logpush.network_analytics.tcp.mss | Value of the MSS option header field in the TCP packet. | long | -| cloudflare_logpush.network_analytics.tcp.options | List of Options numbers included in the TCP packet header. | text | -| cloudflare_logpush.network_analytics.tcp.sack.blocks | Value of the SACK Blocks option header in the TCP packet. | long | -| cloudflare_logpush.network_analytics.tcp.sack.permitted | Value of the SACK Permitted option header in the TCP packet. | long | -| cloudflare_logpush.network_analytics.tcp.sequence_number | Value of the Sequence Number header field in the TCP packet. | long | -| cloudflare_logpush.network_analytics.tcp.timestamp.ecr | Value of the Timestamp Echo Reply option header in the TCP packet. | long | -| cloudflare_logpush.network_analytics.tcp.timestamp.value | Value of the Timestamp option header in the TCP packet. | long | -| cloudflare_logpush.network_analytics.tcp.urgent_pointer | Value of the Urgent Pointer header field in the TCP packet. | long | -| cloudflare_logpush.network_analytics.tcp.window.scale | Value of the Window Scale option header in the TCP packet. | long | -| cloudflare_logpush.network_analytics.tcp.window.size | Value of the Window Size header field in the TCP packet. | long | -| cloudflare_logpush.network_analytics.timestamp | The date and time the event occurred at the edge. 
| date | -| cloudflare_logpush.network_analytics.udp.checksum | Value of the Checksum header field in the UDP packet. | long | -| cloudflare_logpush.network_analytics.udp.payload_length | Value of the Payload Length header field in the UDP packet. | long | -| cloudflare_logpush.network_analytics.verdict | The action that Cloudflare systems think should be taken on the packet (pass | drop). | keyword | -| container.id | Unique container ID. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| destination.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | -| destination.port | Port of the destination. | long | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. 
| keyword | -| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | -| event.dataset | Event dataset. | constant_keyword | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | -| event.module | Event module. | constant_keyword | -| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | -| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. 
`event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host ID. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host IP addresses. | ip | -| host.mac | Host mac addresses. 
| keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| input.type | Input type | keyword | -| log.offset | Log offset | long | -| log.source.address | Source address from which the log event was read / sent from. | keyword | -| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword | -| network.direction | Direction of the network traffic. Recommended values are: \* ingress \* egress \* inbound \* outbound \* internal \* external \* unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". 
Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword | -| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword | -| related.hash | All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| rule.id | A rule ID that is unique within the scope of an agent, observer, or other entity using the rule for detection of this event. | keyword | -| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| source.port | Port of the source. | long | -| tags | List of keywords used to tag each event. | keyword | - - -### spectrum_event - -This is the `spectrum_event` dataset. 
-Default port for HTTP Endpoint: _9566_ - -#### Example - -An example event for `spectrum_event` looks as following: - -```json -{ - "@timestamp": "2022-05-26T09:24:00.000Z", - "agent": { - "ephemeral_id": "34cad43e-ef45-4868-8da8-6e602991ef1a", - "hostname": "docker-fleet-agent", - "id": "8539930e-8f7a-48ac-af3e-7f098b7d6ea2", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "7.17.0" - }, - "cloudflare_logpush": { - "spectrum_event": { - "action": "connect", - "application": "7ef659a2f8ef4810a9bade96fdad7c75", - "client": { - "asn": 200391, - "bytes": 0, - "country": "bg", - "ip": "67.43.156.0", - "matched_ip_firewall": "UNKNOWN", - "port": 40456, - "protocol": "tcp", - "tcp_rtt": 0, - "tls": { - "cipher": "UNK", - "client_hello_server_name": "server name", - "protocol": "unknown", - "status": "UNKNOWN" - } - }, - "colo": { - "code": "SOF" - }, - "connect": { - "time": "2022-05-26T09:24:00.000Z" - }, - "disconnect": { - "time": "1970-01-01T00:00:00.000Z" - }, - "ip_firewall": false, - "origin": { - "bytes": 0, - "ip": "175.16.199.0", - "port": 3389, - "protocol": "tcp", - "tcp_rtt": 0, - "tls": { - "cipher": "UNK", - "fingerprint": "0000000000000000000000000000000000000000000000000000000000000000.", - "mode": "off", - "protocol": "unknown", - "status": "UNKNOWN" - } - }, - "proxy": { - "protocol": "off" - }, - "status": 0, - "timestamp": "2022-05-26T09:24:00.000Z" - } - }, - "data_stream": { - "dataset": "cloudflare_logpush.spectrum_event", - "namespace": "ep", - "type": "logs" - }, - "destination": { - "bytes": 0, - "ip": "175.16.199.0", - "port": 3389 - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "8539930e-8f7a-48ac-af3e-7f098b7d6ea2", - "snapshot": false, - "version": "7.17.0" - }, - "event": { - "action": "connect", - "agent_id_status": "verified", - "category": [ - "network" - ], - "dataset": "cloudflare_logpush.spectrum_event", - "end": "1970-01-01T00:00:00.000Z", - "id": "7ef659a2f8ef4810a9bade96fdad7c75", - 
"ingested": "2022-09-01T10:10:53Z",
- "kind": "event",
- "original": "{\"Application\":\"7ef659a2f8ef4810a9bade96fdad7c75\",\"ClientAsn\":200391,\"ClientBytes\":0,\"ClientCountry\":\"bg\",\"ClientIP\":\"67.43.156.0\",\"ClientMatchedIpFirewall\":\"UNKNOWN\",\"ClientPort\":40456,\"ClientProto\":\"tcp\",\"ClientTcpRtt\":0,\"ClientTlsCipher\":\"UNK\",\"ClientTlsClientHelloServerName\":\"server name\",\"ClientTlsProtocol\":\"unknown\",\"ClientTlsStatus\":\"UNKNOWN\",\"ColoCode\":\"SOF\",\"ConnectTimestamp\":\"2022-05-26T09:24:00Z\",\"DisconnectTimestamp\":\"1970-01-01T00:00:00Z\",\"Event\":\"connect\",\"IpFirewall\":false,\"OriginBytes\":0,\"OriginIP\":\"175.16.199.0\",\"OriginPort\":3389,\"OriginProto\":\"tcp\",\"OriginTcpRtt\":0,\"OriginTlsCipher\":\"UNK\",\"OriginTlsFingerprint\":\"0000000000000000000000000000000000000000000000000000000000000000.\",\"OriginTlsMode\":\"off\",\"OriginTlsProtocol\":\"unknown\",\"OriginTlsStatus\":\"UNKNOWN\",\"ProxyProtocol\":\"off\",\"Status\":0,\"Timestamp\":\"2022-05-26T09:24:00Z\"}",
- "start": "2022-05-26T09:24:00.000Z",
- "type": [
- "info"
- ]
- },
- "http": {
- "response": {
- "status_code": 0
- }
- },
- "input": {
- "type": "http_endpoint"
- },
- "network": {
- "community_id": "1:X7lywUVKlduqRq5SyCRaBj4hLP0=",
- "transport": "tcp"
- },
- "related": {
- "ip": [
- "67.43.156.0",
- "175.16.199.0"
- ]
- },
- "source": {
- "as": {
- "number": 200391
- },
- "bytes": 0,
- "geo": {
- "country_iso_code": "bg"
- },
- "ip": "67.43.156.0",
- "port": 40456
- },
- "tags": [
- "preserve_original_event",
- "preserve_duplicate_custom_fields",
- "forwarded",
- "cloudflare_logpush_spectrum_event"
- ]
-}
-```
-
-**Exported fields**
-
-| Field | Description | Type |
-|---|---|---|
-| @timestamp | Event timestamp. | date |
-| cloud.account.id | The cloud account or organization ID used to identify different entities in a multi-tenant environment. Examples: AWS account ID, Google Cloud ORG ID, or other unique identifier. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
-| cloudflare_logpush.spectrum_event.action | Event Action. | keyword |
-| cloudflare_logpush.spectrum_event.application | The unique public ID of the application on which the event occurred. | keyword |
-| cloudflare_logpush.spectrum_event.client.asn | Client AS number. | long |
-| cloudflare_logpush.spectrum_event.client.bytes | The number of bytes read from the client by the Spectrum service. | long |
-| cloudflare_logpush.spectrum_event.client.country | Country of the client IP address. | keyword |
-| cloudflare_logpush.spectrum_event.client.ip | Client IP address. | ip |
-| cloudflare_logpush.spectrum_event.client.matched_ip_firewall | Whether the connection matched any IP Firewall rules. | keyword |
-| cloudflare_logpush.spectrum_event.client.port | Client port. | long |
-| cloudflare_logpush.spectrum_event.client.protocol | Transport protocol used by client. | keyword |
-| cloudflare_logpush.spectrum_event.client.tcp_rtt | The TCP round-trip time in nanoseconds between the client and Spectrum. | long |
-| cloudflare_logpush.spectrum_event.client.tls.cipher | The cipher negotiated between the client and Spectrum. | keyword |
-| cloudflare_logpush.spectrum_event.client.tls.client_hello_server_name | The server name in the Client Hello message from client to Spectrum. | keyword |
-| cloudflare_logpush.spectrum_event.client.tls.protocol | The TLS version negotiated between the client and Spectrum. | keyword |
-| cloudflare_logpush.spectrum_event.client.tls.status | Indicates state of TLS session from the client to Spectrum. | keyword |
-| cloudflare_logpush.spectrum_event.colo.code | IATA airport code of data center that received the request. | keyword |
-| cloudflare_logpush.spectrum_event.connect.time | Timestamp at which both legs of the connection (client/edge, edge/origin or nexthop) were established. | date |
-| cloudflare_logpush.spectrum_event.disconnect.time | Timestamp at which the connection was closed. | date |
-| cloudflare_logpush.spectrum_event.ip_firewall | Whether IP Firewall was enabled at time of connection. | boolean |
-| cloudflare_logpush.spectrum_event.origin.bytes | The number of bytes read from the origin by Spectrum. | long |
-| cloudflare_logpush.spectrum_event.origin.ip | Origin IP address. | ip |
-| cloudflare_logpush.spectrum_event.origin.port | Origin Port. | long |
-| cloudflare_logpush.spectrum_event.origin.protocol | Transport protocol used by origin. | keyword |
-| cloudflare_logpush.spectrum_event.origin.tcp_rtt | The TCP round-trip time in nanoseconds between Spectrum and the origin. | long |
-| cloudflare_logpush.spectrum_event.origin.tls.cipher | The cipher negotiated between Spectrum and the origin. | keyword |
-| cloudflare_logpush.spectrum_event.origin.tls.fingerprint | SHA256 hash of origin certificate. | keyword |
-| cloudflare_logpush.spectrum_event.origin.tls.mode | If and how the upstream connection is encrypted. | keyword |
-| cloudflare_logpush.spectrum_event.origin.tls.protocol | The TLS version negotiated between Spectrum and the origin. | keyword |
-| cloudflare_logpush.spectrum_event.origin.tls.status | The state of the TLS session from Spectrum to the origin. | keyword |
-| cloudflare_logpush.spectrum_event.proxy.protocol | Which form of proxy protocol is applied to the given connection. | keyword |
-| cloudflare_logpush.spectrum_event.status | A code indicating reason for connection closure. | long |
-| cloudflare_logpush.spectrum_event.timestamp | Timestamp at which the event took place. | date |
-| container.id | Unique container ID. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
-| data_stream.dataset | Data stream dataset. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| destination.bytes | Bytes sent from the destination to the source. | long |
-| destination.ip | IP address of the destination (IPv4 or IPv6). | ip |
-| destination.port | Port of the destination. | long |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword |
-| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword |
-| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date |
-| event.dataset | Event dataset. | constant_keyword |
-| event.end | event.end contains the date when the event ended or when the activity was last observed. | date |
-| event.id | Unique ID to describe the event. | keyword |
-| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword |
-| event.module | Event module. | constant_keyword |
-| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword |
-| event.start | event.start contains the date when the event started or when the activity was first observed. | date |
-| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host ID. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host IP addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| http.response.status_code | HTTP response status code. | long |
-| input.type | Input type | keyword |
-| log.offset | Log offset | long |
-| log.source.address | Source address from which the log event was read / sent from. | keyword |
-| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword |
-| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword |
-| related.ip | All of the IPs seen on your event. | ip |
-| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long |
-| source.bytes | Bytes sent from the source to the destination. | long |
-| source.geo.country_iso_code | Country ISO code. | keyword |
-| source.ip | IP address of the source (IPv4 or IPv6). | ip |
-| source.port | Port of the source. | long |
-| tags | List of keywords used to tag each event. | keyword |
-| tls.version | Numeric part of the version parsed from the original string. | keyword |
-| tls.version_protocol | Normalized lowercase protocol name parsed from original string. | keyword |
diff --git a/packages/cloudflare_logpush/0.2.1/img/cloudflare-logo.svg b/packages/cloudflare_logpush/0.2.1/img/cloudflare-logo.svg deleted file mode 100755 index 35c7495a8a..0000000000 --- a/packages/cloudflare_logpush/0.2.1/img/cloudflare-logo.svg +++ /dev/null @@ -1,50 +0,0 @@ - - - - - - - - - - - - - - - - - - - - - - - diff --git a/packages/cloudflare_logpush/0.2.1/img/cloudflare-screenshot.png b/packages/cloudflare_logpush/0.2.1/img/cloudflare-screenshot.png deleted file mode 100755 index 815fe5ad52..0000000000 Binary files a/packages/cloudflare_logpush/0.2.1/img/cloudflare-screenshot.png and /dev/null differ diff --git a/packages/cloudflare_logpush/0.2.1/kibana/dashboard/cloudflare_logpush-3da7bd20-dc45-11ec-b76d-adcfe05cc1fe.json b/packages/cloudflare_logpush/0.2.1/kibana/dashboard/cloudflare_logpush-3da7bd20-dc45-11ec-b76d-adcfe05cc1fe.json deleted file mode 100755 index c40945d42e..0000000000 --- a/packages/cloudflare_logpush/0.2.1/kibana/dashboard/cloudflare_logpush-3da7bd20-dc45-11ec-b76d-adcfe05cc1fe.json +++ /dev/null 
@@ -1,112 +0,0 @@ -{ - "attributes": { - "description": "Overview of Cloudflare Logpush Network Analytics", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : cloudflare_logpush.network_analytics\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-6c5ec283-013e-440d-ba37-5c07a17e1029\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"6c5ec283-013e-440d-ba37-5c07a17e1029\":{\"columnOrder\":[\"71696bca-c718-4577-911c-6d9a801a48a7\",\"9d568821-2c1e-40c4-8d25-9f7d69a66b9e\"],\"columns\":{\"71696bca-c718-4577-911c-6d9a801a48a7\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Network Direction\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"9d568821-2c1e-40c4-8d25-9f7d69a66b9e\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"network.direction\"},\"9d568821-2c1e-40c4-8d25-9f7d69a66b9e\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Record\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : 
cloudflare_logpush.network_analytics\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"71696bca-c718-4577-911c-6d9a801a48a7\"],\"layerId\":\"6c5ec283-013e-440d-ba37-5c07a17e1029\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"9d568821-2c1e-40c4-8d25-9f7d69a66b9e\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"pie\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"76dd9910-33ca-4380-84f9-0714b5162925\",\"w\":24,\"x\":0,\"y\":0},\"panelIndex\":\"76dd9910-33ca-4380-84f9-0714b5162925\",\"title\":\"Distribution of Network Analytics Logs by Network Direction [Logs Cloudflare Logpush]\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-6c5ec283-013e-440d-ba37-5c07a17e1029\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"6c5ec283-013e-440d-ba37-5c07a17e1029\":{\"columnOrder\":[\"71696bca-c718-4577-911c-6d9a801a48a7\",\"9d568821-2c1e-40c4-8d25-9f7d69a66b9e\"],\"columns\":{\"71696bca-c718-4577-911c-6d9a801a48a7\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Mitigation 
Reason\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"9d568821-2c1e-40c4-8d25-9f7d69a66b9e\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"cloudflare_logpush.network_analytics.mitigation.reason\"},\"9d568821-2c1e-40c4-8d25-9f7d69a66b9e\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Record\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : cloudflare_logpush.network_analytics\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"71696bca-c718-4577-911c-6d9a801a48a7\"],\"layerId\":\"6c5ec283-013e-440d-ba37-5c07a17e1029\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"9d568821-2c1e-40c4-8d25-9f7d69a66b9e\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"pie\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"db9bd60f-97ff-4128-ac14-f50aad75c349\",\"w\":24,\"x\":24,\"y\":0},\"panelIndex\":\"db9bd60f-97ff-4128-ac14-f50aad75c349\",\"title\":\"Distribution of Network Analytics Logs by Mitigation Reason [Logs Cloudflare 
Logpush]\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-6c5ec283-013e-440d-ba37-5c07a17e1029\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"6c5ec283-013e-440d-ba37-5c07a17e1029\":{\"columnOrder\":[\"71696bca-c718-4577-911c-6d9a801a48a7\",\"9d568821-2c1e-40c4-8d25-9f7d69a66b9e\"],\"columns\":{\"71696bca-c718-4577-911c-6d9a801a48a7\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Mitigation Scope\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"9d568821-2c1e-40c4-8d25-9f7d69a66b9e\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"cloudflare_logpush.network_analytics.mitigation.scope\"},\"9d568821-2c1e-40c4-8d25-9f7d69a66b9e\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Record\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : 
cloudflare_logpush.network_analytics\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"71696bca-c718-4577-911c-6d9a801a48a7\"],\"layerId\":\"6c5ec283-013e-440d-ba37-5c07a17e1029\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"9d568821-2c1e-40c4-8d25-9f7d69a66b9e\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"pie\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"a3ed8dcc-80c7-4b0b-b5ae-d367ca5399f2\",\"w\":24,\"x\":0,\"y\":15},\"panelIndex\":\"a3ed8dcc-80c7-4b0b-b5ae-d367ca5399f2\",\"title\":\"Distribution of Network Analytics Logs by Mitigation Scope [Logs Cloudflare Logpush]\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-6c5ec283-013e-440d-ba37-5c07a17e1029\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"6c5ec283-013e-440d-ba37-5c07a17e1029\":{\"columnOrder\":[\"71696bca-c718-4577-911c-6d9a801a48a7\",\"9d568821-2c1e-40c4-8d25-9f7d69a66b9e\"],\"columns\":{\"71696bca-c718-4577-911c-6d9a801a48a7\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Mitigation 
System\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"9d568821-2c1e-40c4-8d25-9f7d69a66b9e\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"cloudflare_logpush.network_analytics.mitigation.system\"},\"9d568821-2c1e-40c4-8d25-9f7d69a66b9e\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Record\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : cloudflare_logpush.network_analytics\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"71696bca-c718-4577-911c-6d9a801a48a7\"],\"layerId\":\"6c5ec283-013e-440d-ba37-5c07a17e1029\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"9d568821-2c1e-40c4-8d25-9f7d69a66b9e\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"pie\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"f8d6e38e-14f7-41d2-be81-0831c73cb443\",\"w\":24,\"x\":24,\"y\":15},\"panelIndex\":\"f8d6e38e-14f7-41d2-be81-0831c73cb443\",\"title\":\"Distribution of Network Analytics Logs by Mitigation System [Logs Cloudflare 
Logpush]\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-6c5ec283-013e-440d-ba37-5c07a17e1029\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"6c5ec283-013e-440d-ba37-5c07a17e1029\":{\"columnOrder\":[\"71696bca-c718-4577-911c-6d9a801a48a7\",\"9d568821-2c1e-40c4-8d25-9f7d69a66b9e\"],\"columns\":{\"71696bca-c718-4577-911c-6d9a801a48a7\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Outcome\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"9d568821-2c1e-40c4-8d25-9f7d69a66b9e\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"event.outcome\"},\"9d568821-2c1e-40c4-8d25-9f7d69a66b9e\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Record\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : cloudflare_logpush.network_analytics\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"71696bca-c718-4577-911c-6d9a801a48a7\"],\"layerId\":\"6c5ec283-013e-440d-ba37-5c07a17e1029\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"9d568821-2c1e-40c4-8d25-9f7d69a66b9e\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"pie\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"185e465f-bd48-48e2-a8be-59854a7c3021\",\"w\":24,\"x\":0,\"y\":30},\"panelIndex\":\"185e465f-bd48-48e2-a8be-59854a7c3021\",\"title\":\"Distribution of Network Analytics Logs by Outcome 
[Logs Cloudflare Logpush]\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-6c5ec283-013e-440d-ba37-5c07a17e1029\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"6c5ec283-013e-440d-ba37-5c07a17e1029\":{\"columnOrder\":[\"71696bca-c718-4577-911c-6d9a801a48a7\",\"9d568821-2c1e-40c4-8d25-9f7d69a66b9e\"],\"columns\":{\"71696bca-c718-4577-911c-6d9a801a48a7\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Protocol State\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"9d568821-2c1e-40c4-8d25-9f7d69a66b9e\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"cloudflare_logpush.network_analytics.protocol_state\"},\"9d568821-2c1e-40c4-8d25-9f7d69a66b9e\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Record\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : 
cloudflare_logpush.network_analytics\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"71696bca-c718-4577-911c-6d9a801a48a7\"],\"layerId\":\"6c5ec283-013e-440d-ba37-5c07a17e1029\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"9d568821-2c1e-40c4-8d25-9f7d69a66b9e\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"pie\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"6a86f194-8e17-4b6c-8100-3fe42fbb85b0\",\"w\":24,\"x\":24,\"y\":30},\"panelIndex\":\"6a86f194-8e17-4b6c-8100-3fe42fbb85b0\",\"title\":\"Distribution of Network Analytics Logs by Protocol State [Logs Cloudflare Logpush]\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-11a19196-0f9a-4d8f-9347-348869de935c\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"11a19196-0f9a-4d8f-9347-348869de935c\":{\"columnOrder\":[\"339a62c8-a6a0-4c14-acc8-a438dc906a08\",\"620baa35-429f-469c-bc29-6e7bc91c4c4e\"],\"columns\":{\"339a62c8-a6a0-4c14-acc8-a438dc906a08\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Destination 
Country\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"620baa35-429f-469c-bc29-6e7bc91c4c4e\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"cloudflare_logpush.network_analytics.destination.country\"},\"620baa35-429f-469c-bc29-6e7bc91c4c4e\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Record\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : cloudflare_logpush.network_analytics\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"339a62c8-a6a0-4c14-acc8-a438dc906a08\"],\"layerId\":\"11a19196-0f9a-4d8f-9347-348869de935c\",\"layerType\":\"data\",\"legendDisplay\":\"show\",\"metric\":\"620baa35-429f-469c-bc29-6e7bc91c4c4e\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"treemap\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"fefc98e2-ac0a-4929-92a1-3a8dcc396a8c\",\"w\":24,\"x\":0,\"y\":45},\"panelIndex\":\"fefc98e2-ac0a-4929-92a1-3a8dcc396a8c\",\"title\":\"Distribution of Network Analytics by Destination Country [Logs Cloudflare 
Logpush]\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-11a19196-0f9a-4d8f-9347-348869de935c\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"11a19196-0f9a-4d8f-9347-348869de935c\":{\"columnOrder\":[\"339a62c8-a6a0-4c14-acc8-a438dc906a08\",\"620baa35-429f-469c-bc29-6e7bc91c4c4e\"],\"columns\":{\"339a62c8-a6a0-4c14-acc8-a438dc906a08\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Source Country\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"620baa35-429f-469c-bc29-6e7bc91c4c4e\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"cloudflare_logpush.network_analytics.source.country\"},\"620baa35-429f-469c-bc29-6e7bc91c4c4e\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Record\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : 
cloudflare_logpush.network_analytics\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"339a62c8-a6a0-4c14-acc8-a438dc906a08\"],\"layerId\":\"11a19196-0f9a-4d8f-9347-348869de935c\",\"layerType\":\"data\",\"legendDisplay\":\"show\",\"metric\":\"620baa35-429f-469c-bc29-6e7bc91c4c4e\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"treemap\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"1b347819-7723-4250-9dfc-647d474d1044\",\"w\":24,\"x\":24,\"y\":45},\"panelIndex\":\"1b347819-7723-4250-9dfc-647d474d1044\",\"title\":\"Distribution of Network Analytics by Source Country [Logs Cloudflare Logpush]\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-11a19196-0f9a-4d8f-9347-348869de935c\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"11a19196-0f9a-4d8f-9347-348869de935c\":{\"columnOrder\":[\"339a62c8-a6a0-4c14-acc8-a438dc906a08\",\"b29c086f-8c01-49ee-b4f4-b47bbe9f35dc\",\"620baa35-429f-469c-bc29-6e7bc91c4c4e\"],\"columns\":{\"339a62c8-a6a0-4c14-acc8-a438dc906a08\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Source 
IP\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"620baa35-429f-469c-bc29-6e7bc91c4c4e\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"source.ip\"},\"620baa35-429f-469c-bc29-6e7bc91c4c4e\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Record\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"b29c086f-8c01-49ee-b4f4-b47bbe9f35dc\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Destination IP\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"620baa35-429f-469c-bc29-6e7bc91c4c4e\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"destination.ip\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : cloudflare_logpush.network_analytics\"},\"visualization\":{\"columns\":[{\"columnId\":\"339a62c8-a6a0-4c14-acc8-a438dc906a08\",\"isTransposed\":false},{\"alignment\":\"left\",\"columnId\":\"620baa35-429f-469c-bc29-6e7bc91c4c4e\",\"isTransposed\":false},{\"columnId\":\"b29c086f-8c01-49ee-b4f4-b47bbe9f35dc\",\"isTransposed\":false}],\"layerId\":\"11a19196-0f9a-4d8f-9347-348869de935c\",\"layerType\":\"data\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsDatatable\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"108877cb-bc4f-4870-90d4-732d4755014f\",\"w\":24,\"x\":0,\"y\":60},\"panelIndex\":\"108877cb-bc4f-4870-90d4-732d4755014f\",\"title\":\"Top 10 Source IP and Destination IP [Logs Cloudflare Logpush]\",\"type\":\"lens\",\"version\":\"7.17.0\"}]", - "timeRestore": false, - "title": "[Logs Cloudflare Logpush] Network Analytics", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": 
"cloudflare_logpush-3da7bd20-dc45-11ec-b76d-adcfe05cc1fe", - "migrationVersion": { - "dashboard": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "76dd9910-33ca-4380-84f9-0714b5162925:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "76dd9910-33ca-4380-84f9-0714b5162925:indexpattern-datasource-layer-6c5ec283-013e-440d-ba37-5c07a17e1029", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "db9bd60f-97ff-4128-ac14-f50aad75c349:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "db9bd60f-97ff-4128-ac14-f50aad75c349:indexpattern-datasource-layer-6c5ec283-013e-440d-ba37-5c07a17e1029", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "a3ed8dcc-80c7-4b0b-b5ae-d367ca5399f2:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "a3ed8dcc-80c7-4b0b-b5ae-d367ca5399f2:indexpattern-datasource-layer-6c5ec283-013e-440d-ba37-5c07a17e1029", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "f8d6e38e-14f7-41d2-be81-0831c73cb443:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "f8d6e38e-14f7-41d2-be81-0831c73cb443:indexpattern-datasource-layer-6c5ec283-013e-440d-ba37-5c07a17e1029", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "185e465f-bd48-48e2-a8be-59854a7c3021:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "185e465f-bd48-48e2-a8be-59854a7c3021:indexpattern-datasource-layer-6c5ec283-013e-440d-ba37-5c07a17e1029", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "6a86f194-8e17-4b6c-8100-3fe42fbb85b0:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": 
"6a86f194-8e17-4b6c-8100-3fe42fbb85b0:indexpattern-datasource-layer-6c5ec283-013e-440d-ba37-5c07a17e1029", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "fefc98e2-ac0a-4929-92a1-3a8dcc396a8c:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "fefc98e2-ac0a-4929-92a1-3a8dcc396a8c:indexpattern-datasource-layer-11a19196-0f9a-4d8f-9347-348869de935c", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "1b347819-7723-4250-9dfc-647d474d1044:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "1b347819-7723-4250-9dfc-647d474d1044:indexpattern-datasource-layer-11a19196-0f9a-4d8f-9347-348869de935c", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "108877cb-bc4f-4870-90d4-732d4755014f:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "108877cb-bc4f-4870-90d4-732d4755014f:indexpattern-datasource-layer-11a19196-0f9a-4d8f-9347-348869de935c", - "type": "index-pattern" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/cloudflare_logpush/0.2.1/kibana/dashboard/cloudflare_logpush-87f6ad60-dc44-11ec-b76d-adcfe05cc1fe.json b/packages/cloudflare_logpush/0.2.1/kibana/dashboard/cloudflare_logpush-87f6ad60-dc44-11ec-b76d-adcfe05cc1fe.json deleted file mode 100755 index 8666a736ca..0000000000 --- a/packages/cloudflare_logpush/0.2.1/kibana/dashboard/cloudflare_logpush-87f6ad60-dc44-11ec-b76d-adcfe05cc1fe.json +++ /dev/null 
@@ -1,62 +0,0 @@ -{ - "attributes": { - "description": "Overview of Cloudflare Logpush DNS", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : cloudflare_logpush.dns\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-03e29e55-afcb-437c-bb00-1f567fd1318c\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"03e29e55-afcb-437c-bb00-1f567fd1318c\":{\"columnOrder\":[\"74abfc31-4cf6-459a-8dfb-156f029eb966\",\"53fe776d-6fe8-4603-942f-2ac32946d12b\"],\"columns\":{\"53fe776d-6fe8-4603-942f-2ac32946d12b\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Record\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"74abfc31-4cf6-459a-8dfb-156f029eb966\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Query Name\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"53fe776d-6fe8-4603-942f-2ac32946d12b\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"dns.question.name\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : 
cloudflare_logpush.dns\"},\"visualization\":{\"columns\":[{\"columnId\":\"74abfc31-4cf6-459a-8dfb-156f029eb966\",\"isTransposed\":false},{\"alignment\":\"left\",\"columnId\":\"53fe776d-6fe8-4603-942f-2ac32946d12b\",\"isTransposed\":false}],\"layerId\":\"03e29e55-afcb-437c-bb00-1f567fd1318c\",\"layerType\":\"data\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsDatatable\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"8b2c5062-d0d3-42b5-9e76-426e3ac2d3fa\",\"w\":24,\"x\":0,\"y\":0},\"panelIndex\":\"8b2c5062-d0d3-42b5-9e76-426e3ac2d3fa\",\"title\":\"Top 10 Query Name [Logs Cloudflare Logpush]\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-03e29e55-afcb-437c-bb00-1f567fd1318c\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"03e29e55-afcb-437c-bb00-1f567fd1318c\":{\"columnOrder\":[\"74abfc31-4cf6-459a-8dfb-156f029eb966\",\"53fe776d-6fe8-4603-942f-2ac32946d12b\"],\"columns\":{\"53fe776d-6fe8-4603-942f-2ac32946d12b\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Record\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"74abfc31-4cf6-459a-8dfb-156f029eb966\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Source IP\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"53fe776d-6fe8-4603-942f-2ac32946d12b\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"source.ip\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : 
cloudflare_logpush.dns\"},\"visualization\":{\"columns\":[{\"columnId\":\"74abfc31-4cf6-459a-8dfb-156f029eb966\",\"isTransposed\":false},{\"alignment\":\"left\",\"columnId\":\"53fe776d-6fe8-4603-942f-2ac32946d12b\",\"isTransposed\":false}],\"layerId\":\"03e29e55-afcb-437c-bb00-1f567fd1318c\",\"layerType\":\"data\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsDatatable\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"d6ed2af3-5357-4d8c-a56d-317a6e941516\",\"w\":24,\"x\":24,\"y\":0},\"panelIndex\":\"d6ed2af3-5357-4d8c-a56d-317a6e941516\",\"title\":\"Top 10 Source IP [Logs Cloudflare Logpush]\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-03e29e55-afcb-437c-bb00-1f567fd1318c\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"03e29e55-afcb-437c-bb00-1f567fd1318c\":{\"columnOrder\":[\"74abfc31-4cf6-459a-8dfb-156f029eb966\",\"53fe776d-6fe8-4603-942f-2ac32946d12b\"],\"columns\":{\"53fe776d-6fe8-4603-942f-2ac32946d12b\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Record\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"74abfc31-4cf6-459a-8dfb-156f029eb966\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"EDNS Subnet\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"53fe776d-6fe8-4603-942f-2ac32946d12b\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"cloudflare_logpush.dns.edns.subnet\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : 
cloudflare_logpush.dns\"},\"visualization\":{\"columns\":[{\"columnId\":\"74abfc31-4cf6-459a-8dfb-156f029eb966\",\"isTransposed\":false},{\"alignment\":\"left\",\"columnId\":\"53fe776d-6fe8-4603-942f-2ac32946d12b\",\"isTransposed\":false}],\"layerId\":\"03e29e55-afcb-437c-bb00-1f567fd1318c\",\"layerType\":\"data\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsDatatable\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"959ef816-ed24-47cc-8e0d-b0cef0e700f9\",\"w\":24,\"x\":0,\"y\":15},\"panelIndex\":\"959ef816-ed24-47cc-8e0d-b0cef0e700f9\",\"title\":\"Top 10 EDNS Subnet [Logs Cloudflare Logpush]\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-03e29e55-afcb-437c-bb00-1f567fd1318c\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"03e29e55-afcb-437c-bb00-1f567fd1318c\":{\"columnOrder\":[\"74abfc31-4cf6-459a-8dfb-156f029eb966\",\"1842a69c-e35f-4ebc-8deb-eb8572d6bb89\",\"09e7fa3c-0757-42c7-a96b-7d1d0c27c2a1\",\"53fe776d-6fe8-4603-942f-2ac32946d12b\"],\"columns\":{\"09e7fa3c-0757-42c7-a96b-7d1d0c27c2a1\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Response Code\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"53fe776d-6fe8-4603-942f-2ac32946d12b\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"cloudflare_logpush.dns.response.code\"},\"1842a69c-e35f-4ebc-8deb-eb8572d6bb89\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Query 
Type\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"53fe776d-6fe8-4603-942f-2ac32946d12b\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"cloudflare_logpush.dns.query.type\"},\"53fe776d-6fe8-4603-942f-2ac32946d12b\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Record\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"74abfc31-4cf6-459a-8dfb-156f029eb966\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Query Name\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"53fe776d-6fe8-4603-942f-2ac32946d12b\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"dns.question.name\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : cloudflare_logpush.dns\"},\"visualization\":{\"columns\":[{\"columnId\":\"74abfc31-4cf6-459a-8dfb-156f029eb966\",\"isTransposed\":false},{\"alignment\":\"left\",\"columnId\":\"53fe776d-6fe8-4603-942f-2ac32946d12b\",\"isTransposed\":false},{\"columnId\":\"1842a69c-e35f-4ebc-8deb-eb8572d6bb89\",\"isTransposed\":false},{\"columnId\":\"09e7fa3c-0757-42c7-a96b-7d1d0c27c2a1\",\"isTransposed\":false}],\"layerId\":\"03e29e55-afcb-437c-bb00-1f567fd1318c\",\"layerType\":\"data\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsDatatable\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"8ec3f64a-33a1-463d-95a1-7bc3058a17d7\",\"w\":24,\"x\":24,\"y\":15},\"panelIndex\":\"8ec3f64a-33a1-463d-95a1-7bc3058a17d7\",\"title\":\"Top 10 Query Name, Query Type and Response Code [Logs Cloudflare Logpush]\",\"type\":\"lens\",\"version\":\"7.17.0\"}]", - "timeRestore": false, - "title": "[Logs Cloudflare Logpush] DNS", - "version": 1 - }, - 
"coreMigrationVersion": "7.17.0", - "id": "cloudflare_logpush-87f6ad60-dc44-11ec-b76d-adcfe05cc1fe", - "migrationVersion": { - "dashboard": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "8b2c5062-d0d3-42b5-9e76-426e3ac2d3fa:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "8b2c5062-d0d3-42b5-9e76-426e3ac2d3fa:indexpattern-datasource-layer-03e29e55-afcb-437c-bb00-1f567fd1318c", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "d6ed2af3-5357-4d8c-a56d-317a6e941516:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "d6ed2af3-5357-4d8c-a56d-317a6e941516:indexpattern-datasource-layer-03e29e55-afcb-437c-bb00-1f567fd1318c", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "959ef816-ed24-47cc-8e0d-b0cef0e700f9:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "959ef816-ed24-47cc-8e0d-b0cef0e700f9:indexpattern-datasource-layer-03e29e55-afcb-437c-bb00-1f567fd1318c", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "8ec3f64a-33a1-463d-95a1-7bc3058a17d7:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "8ec3f64a-33a1-463d-95a1-7bc3058a17d7:indexpattern-datasource-layer-03e29e55-afcb-437c-bb00-1f567fd1318c", - "type": "index-pattern" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/cloudflare_logpush/0.2.1/kibana/dashboard/cloudflare_logpush-a32a0690-dc44-11ec-b76d-adcfe05cc1fe.json b/packages/cloudflare_logpush/0.2.1/kibana/dashboard/cloudflare_logpush-a32a0690-dc44-11ec-b76d-adcfe05cc1fe.json deleted file mode 100755 index 5a2a659014..0000000000 --- a/packages/cloudflare_logpush/0.2.1/kibana/dashboard/cloudflare_logpush-a32a0690-dc44-11ec-b76d-adcfe05cc1fe.json +++ /dev/null 
@@ -1,102 +0,0 @@ -{ - "attributes": { - "description": "Overview of Cloudflare Logpush Firewall Event", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : cloudflare_logpush.firewall_event\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-e1387f16-fd92-452b-8630-fecce75da357\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"e1387f16-fd92-452b-8630-fecce75da357\":{\"columnOrder\":[\"1488c1f4-4def-4898-aa81-ab08402286b5\",\"2d0e21b7-6b91-41ef-9dd2-a01c1e5fc2bc\"],\"columns\":{\"1488c1f4-4def-4898-aa81-ab08402286b5\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Action\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"2d0e21b7-6b91-41ef-9dd2-a01c1e5fc2bc\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"event.action\"},\"2d0e21b7-6b91-41ef-9dd2-a01c1e5fc2bc\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Record\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : 
cloudflare_logpush.firewall_event\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"1488c1f4-4def-4898-aa81-ab08402286b5\"],\"layerId\":\"e1387f16-fd92-452b-8630-fecce75da357\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"2d0e21b7-6b91-41ef-9dd2-a01c1e5fc2bc\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"pie\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"bde8d836-7f82-4729-a870-8ef3aa0cb150\",\"w\":24,\"x\":0,\"y\":0},\"panelIndex\":\"bde8d836-7f82-4729-a870-8ef3aa0cb150\",\"title\":\"Distribution of Firewall Event by Event Action [Logs Cloudflare Logpush]\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-e1387f16-fd92-452b-8630-fecce75da357\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"e1387f16-fd92-452b-8630-fecce75da357\":{\"columnOrder\":[\"1488c1f4-4def-4898-aa81-ab08402286b5\",\"2d0e21b7-6b91-41ef-9dd2-a01c1e5fc2bc\"],\"columns\":{\"1488c1f4-4def-4898-aa81-ab08402286b5\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Client IP 
Class\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"2d0e21b7-6b91-41ef-9dd2-a01c1e5fc2bc\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"cloudflare_logpush.firewall_event.client.ip_class\"},\"2d0e21b7-6b91-41ef-9dd2-a01c1e5fc2bc\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Record\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : cloudflare_logpush.firewall_event\"},\"visualization\":{\"layers\":[{\"accessors\":[\"2d0e21b7-6b91-41ef-9dd2-a01c1e5fc2bc\"],\"layerId\":\"e1387f16-fd92-452b-8630-fecce75da357\",\"layerType\":\"data\",\"position\":\"top\",\"seriesType\":\"bar_stacked\",\"showGridlines\":false,\"xAccessor\":\"1488c1f4-4def-4898-aa81-ab08402286b5\"}],\"legend\":{\"isVisible\":true,\"position\":\"right\",\"shouldTruncate\":false,\"showSingleSeries\":true},\"preferredSeriesType\":\"bar_stacked\",\"title\":\"Empty XY chart\",\"valueLabels\":\"hide\",\"yLeftExtent\":{\"mode\":\"full\"},\"yRightExtent\":{\"mode\":\"full\"}}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsXY\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"fa792bf5-0a98-4b40-8468-70c00d630e62\",\"w\":24,\"x\":24,\"y\":0},\"panelIndex\":\"fa792bf5-0a98-4b40-8468-70c00d630e62\",\"title\":\"Distribution of Firewall Event by Client IP Class [Logs Cloudflare 
Logpush]\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-e1387f16-fd92-452b-8630-fecce75da357\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"e1387f16-fd92-452b-8630-fecce75da357\":{\"columnOrder\":[\"1488c1f4-4def-4898-aa81-ab08402286b5\",\"2d0e21b7-6b91-41ef-9dd2-a01c1e5fc2bc\"],\"columns\":{\"1488c1f4-4def-4898-aa81-ab08402286b5\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Source Country\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"2d0e21b7-6b91-41ef-9dd2-a01c1e5fc2bc\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"source.geo.country_iso_code\"},\"2d0e21b7-6b91-41ef-9dd2-a01c1e5fc2bc\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Record\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : cloudflare_logpush.firewall_event\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"1488c1f4-4def-4898-aa81-ab08402286b5\"],\"layerId\":\"e1387f16-fd92-452b-8630-fecce75da357\",\"layerType\":\"data\",\"legendDisplay\":\"show\",\"metric\":\"2d0e21b7-6b91-41ef-9dd2-a01c1e5fc2bc\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"treemap\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"f75dad7c-b8cc-472f-94e4-6b130f0c72a7\",\"w\":24,\"x\":0,\"y\":15},\"panelIndex\":\"f75dad7c-b8cc-472f-94e4-6b130f0c72a7\",\"title\":\"Distribution of Firewall Event 
by Source Country [Logs Cloudflare Logpush]\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-dc2bac47-d6ac-4216-8e62-356cb0dc1399\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"dc2bac47-d6ac-4216-8e62-356cb0dc1399\":{\"columnOrder\":[\"1a75cf43-6319-402f-8c32-7d0433f5ba7f\",\"7ae5d06e-c830-47b1-a134-b3aff58f3a53\"],\"columns\":{\"1a75cf43-6319-402f-8c32-7d0433f5ba7f\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Client Request Protocol\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"7ae5d06e-c830-47b1-a134-b3aff58f3a53\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"cloudflare_logpush.firewall_event.client.request.protocol\"},\"7ae5d06e-c830-47b1-a134-b3aff58f3a53\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Record\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : 
cloudflare_logpush.firewall_event\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"1a75cf43-6319-402f-8c32-7d0433f5ba7f\"],\"layerId\":\"dc2bac47-d6ac-4216-8e62-356cb0dc1399\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"7ae5d06e-c830-47b1-a134-b3aff58f3a53\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"pie\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"30ebc076-8273-4106-b4a8-66c8bdec8934\",\"w\":24,\"x\":24,\"y\":15},\"panelIndex\":\"30ebc076-8273-4106-b4a8-66c8bdec8934\",\"title\":\"Distribution of Firewall Event Class by Client Request Protocol [Logs Cloudflare Logpush]\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-dc2bac47-d6ac-4216-8e62-356cb0dc1399\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"dc2bac47-d6ac-4216-8e62-356cb0dc1399\":{\"columnOrder\":[\"1a75cf43-6319-402f-8c32-7d0433f5ba7f\",\"7ae5d06e-c830-47b1-a134-b3aff58f3a53\"],\"columns\":{\"1a75cf43-6319-402f-8c32-7d0433f5ba7f\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Client Request 
Method\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"7ae5d06e-c830-47b1-a134-b3aff58f3a53\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"http.request.method\"},\"7ae5d06e-c830-47b1-a134-b3aff58f3a53\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Record\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : cloudflare_logpush.firewall_event\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"1a75cf43-6319-402f-8c32-7d0433f5ba7f\"],\"layerId\":\"dc2bac47-d6ac-4216-8e62-356cb0dc1399\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"7ae5d06e-c830-47b1-a134-b3aff58f3a53\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"pie\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"7d00d9d8-021f-4432-9e92-aa2ffc4eabd0\",\"w\":24,\"x\":0,\"y\":30},\"panelIndex\":\"7d00d9d8-021f-4432-9e92-aa2ffc4eabd0\",\"title\":\"Distribution of Firewall Event Class by Client Request Method [Logs Cloudflare 
Logpush]\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-0ac3ca38-403b-49d6-8c88-2301f1e09129\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"0ac3ca38-403b-49d6-8c88-2301f1e09129\":{\"columnOrder\":[\"c78c5d8b-bce8-4ee1-9a09-d015c1a9bebe\",\"82ca67a8-9f89-445e-9d36-9736717e55fd\"],\"columns\":{\"82ca67a8-9f89-445e-9d36-9736717e55fd\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Record\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"c78c5d8b-bce8-4ee1-9a09-d015c1a9bebe\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Source IP\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"82ca67a8-9f89-445e-9d36-9736717e55fd\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"source.ip\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : cloudflare_logpush.firewall_event\"},\"visualization\":{\"columns\":[{\"columnId\":\"c78c5d8b-bce8-4ee1-9a09-d015c1a9bebe\",\"isTransposed\":false},{\"alignment\":\"left\",\"columnId\":\"82ca67a8-9f89-445e-9d36-9736717e55fd\",\"isTransposed\":false}],\"layerId\":\"0ac3ca38-403b-49d6-8c88-2301f1e09129\",\"layerType\":\"data\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsDatatable\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"9385681c-22a8-46aa-8353-af82880e6a05\",\"w\":24,\"x\":24,\"y\":30},\"panelIndex\":\"9385681c-22a8-46aa-8353-af82880e6a05\",\"title\":\"Top 10 Source IP [Logs Cloudflare 
Logpush]\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-0ac3ca38-403b-49d6-8c88-2301f1e09129\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"0ac3ca38-403b-49d6-8c88-2301f1e09129\":{\"columnOrder\":[\"c78c5d8b-bce8-4ee1-9a09-d015c1a9bebe\",\"c1742315-9a64-496e-9d80-48848cd4393f\",\"82ca67a8-9f89-445e-9d36-9736717e55fd\"],\"columns\":{\"82ca67a8-9f89-445e-9d36-9736717e55fd\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Record\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"c1742315-9a64-496e-9d80-48848cd4393f\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"ASN Description\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"82ca67a8-9f89-445e-9d36-9736717e55fd\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":3},\"scale\":\"ordinal\",\"sourceField\":\"cloudflare_logpush.firewall_event.client.asn.description\"},\"c78c5d8b-bce8-4ee1-9a09-d015c1a9bebe\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"ASN \",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"82ca67a8-9f89-445e-9d36-9736717e55fd\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"source.as.number\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : 
cloudflare_logpush.firewall_event\"},\"visualization\":{\"columns\":[{\"columnId\":\"c78c5d8b-bce8-4ee1-9a09-d015c1a9bebe\",\"isTransposed\":false},{\"alignment\":\"left\",\"columnId\":\"82ca67a8-9f89-445e-9d36-9736717e55fd\",\"isTransposed\":false},{\"columnId\":\"c1742315-9a64-496e-9d80-48848cd4393f\",\"isTransposed\":false}],\"layerId\":\"0ac3ca38-403b-49d6-8c88-2301f1e09129\",\"layerType\":\"data\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsDatatable\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"ce0376c7-0c9c-4657-9569-bda33374e67b\",\"w\":24,\"x\":0,\"y\":45},\"panelIndex\":\"ce0376c7-0c9c-4657-9569-bda33374e67b\",\"title\":\"Top 10 Source ASN and ASN Description [Logs Cloudflare Logpush]\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-0ac3ca38-403b-49d6-8c88-2301f1e09129\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"0ac3ca38-403b-49d6-8c88-2301f1e09129\":{\"columnOrder\":[\"c78c5d8b-bce8-4ee1-9a09-d015c1a9bebe\",\"ce735bcf-ae0a-4c8d-b86a-4c2ca7400421\",\"82ca67a8-9f89-445e-9d36-9736717e55fd\"],\"columns\":{\"82ca67a8-9f89-445e-9d36-9736717e55fd\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Record\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"c78c5d8b-bce8-4ee1-9a09-d015c1a9bebe\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Client Referer 
Host\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"82ca67a8-9f89-445e-9d36-9736717e55fd\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"cloudflare_logpush.firewall_event.client.referer.host\"},\"ce735bcf-ae0a-4c8d-b86a-4c2ca7400421\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Client Request Host\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"82ca67a8-9f89-445e-9d36-9736717e55fd\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"cloudflare_logpush.firewall_event.client.request.host\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : cloudflare_logpush.firewall_event\"},\"visualization\":{\"columns\":[{\"columnId\":\"c78c5d8b-bce8-4ee1-9a09-d015c1a9bebe\",\"isTransposed\":false},{\"alignment\":\"left\",\"columnId\":\"82ca67a8-9f89-445e-9d36-9736717e55fd\",\"isTransposed\":false},{\"columnId\":\"ce735bcf-ae0a-4c8d-b86a-4c2ca7400421\",\"isTransposed\":false}],\"layerId\":\"0ac3ca38-403b-49d6-8c88-2301f1e09129\",\"layerType\":\"data\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsDatatable\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"93ac4ff5-13c5-40d3-a7e9-14faca9ea9db\",\"w\":24,\"x\":24,\"y\":45},\"panelIndex\":\"93ac4ff5-13c5-40d3-a7e9-14faca9ea9db\",\"title\":\"Top 10 Client Referer Host and Client Request Host [Logs Cloudflare Logpush]\",\"type\":\"lens\",\"version\":\"7.17.0\"}]", - "timeRestore": false, - "title": "[Logs Cloudflare Logpush] Firewall Event", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "cloudflare_logpush-a32a0690-dc44-11ec-b76d-adcfe05cc1fe", - "migrationVersion": { - "dashboard": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - 
"name": "bde8d836-7f82-4729-a870-8ef3aa0cb150:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "bde8d836-7f82-4729-a870-8ef3aa0cb150:indexpattern-datasource-layer-e1387f16-fd92-452b-8630-fecce75da357", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "fa792bf5-0a98-4b40-8468-70c00d630e62:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "fa792bf5-0a98-4b40-8468-70c00d630e62:indexpattern-datasource-layer-e1387f16-fd92-452b-8630-fecce75da357", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "f75dad7c-b8cc-472f-94e4-6b130f0c72a7:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "f75dad7c-b8cc-472f-94e4-6b130f0c72a7:indexpattern-datasource-layer-e1387f16-fd92-452b-8630-fecce75da357", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "30ebc076-8273-4106-b4a8-66c8bdec8934:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "30ebc076-8273-4106-b4a8-66c8bdec8934:indexpattern-datasource-layer-dc2bac47-d6ac-4216-8e62-356cb0dc1399", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "7d00d9d8-021f-4432-9e92-aa2ffc4eabd0:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "7d00d9d8-021f-4432-9e92-aa2ffc4eabd0:indexpattern-datasource-layer-dc2bac47-d6ac-4216-8e62-356cb0dc1399", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "9385681c-22a8-46aa-8353-af82880e6a05:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "9385681c-22a8-46aa-8353-af82880e6a05:indexpattern-datasource-layer-0ac3ca38-403b-49d6-8c88-2301f1e09129", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": 
"ce0376c7-0c9c-4657-9569-bda33374e67b:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "ce0376c7-0c9c-4657-9569-bda33374e67b:indexpattern-datasource-layer-0ac3ca38-403b-49d6-8c88-2301f1e09129", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "93ac4ff5-13c5-40d3-a7e9-14faca9ea9db:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "93ac4ff5-13c5-40d3-a7e9-14faca9ea9db:indexpattern-datasource-layer-0ac3ca38-403b-49d6-8c88-2301f1e09129", - "type": "index-pattern" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/cloudflare_logpush/0.2.1/kibana/dashboard/cloudflare_logpush-bb426420-dc44-11ec-b76d-adcfe05cc1fe.json b/packages/cloudflare_logpush/0.2.1/kibana/dashboard/cloudflare_logpush-bb426420-dc44-11ec-b76d-adcfe05cc1fe.json deleted file mode 100755 index 45f79b182a..0000000000 --- a/packages/cloudflare_logpush/0.2.1/kibana/dashboard/cloudflare_logpush-bb426420-dc44-11ec-b76d-adcfe05cc1fe.json +++ /dev/null 
@@ -1,97 +0,0 @@ -{ - "attributes": { - "description": "Overview of Cloudflare Logpush HTTP Request", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : cloudflare_logpush.http_request\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-00280489-72e4-4070-a226-57e14a57080f\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"00280489-72e4-4070-a226-57e14a57080f\":{\"columnOrder\":[\"30a50e8b-fb9f-48dc-82ca-bd6069537dcc\",\"ce5dbaea-6c81-4e2f-89dd-78097bf4bd36\"],\"columns\":{\"30a50e8b-fb9f-48dc-82ca-bd6069537dcc\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\" Edge Rate Limit Action\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"ce5dbaea-6c81-4e2f-89dd-78097bf4bd36\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"cloudflare_logpush.http_request.edge.rate.limit.action\"},\"ce5dbaea-6c81-4e2f-89dd-78097bf4bd36\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Record\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : 
cloudflare_logpush.http_request\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"30a50e8b-fb9f-48dc-82ca-bd6069537dcc\"],\"layerId\":\"00280489-72e4-4070-a226-57e14a57080f\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"ce5dbaea-6c81-4e2f-89dd-78097bf4bd36\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"pie\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"6046f18e-7779-4ea6-b387-213bc81b36f0\",\"w\":15,\"x\":0,\"y\":0},\"panelIndex\":\"6046f18e-7779-4ea6-b387-213bc81b36f0\",\"title\":\"Distribution of HTTP Request by Edge Rate Limit Action [Logs Cloudflare Logpush]\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-00280489-72e4-4070-a226-57e14a57080f\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"00280489-72e4-4070-a226-57e14a57080f\":{\"columnOrder\":[\"30a50e8b-fb9f-48dc-82ca-bd6069537dcc\",\"ce5dbaea-6c81-4e2f-89dd-78097bf4bd36\"],\"columns\":{\"30a50e8b-fb9f-48dc-82ca-bd6069537dcc\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Client Request 
Method\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"ce5dbaea-6c81-4e2f-89dd-78097bf4bd36\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"http.request.method\"},\"ce5dbaea-6c81-4e2f-89dd-78097bf4bd36\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Record\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : cloudflare_logpush.http_request\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"30a50e8b-fb9f-48dc-82ca-bd6069537dcc\"],\"layerId\":\"00280489-72e4-4070-a226-57e14a57080f\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"ce5dbaea-6c81-4e2f-89dd-78097bf4bd36\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"pie\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"ec4ead06-9bbf-4f27-9dca-03dd92a55089\",\"w\":16,\"x\":15,\"y\":0},\"panelIndex\":\"ec4ead06-9bbf-4f27-9dca-03dd92a55089\",\"title\":\"Distribution of HTTP Request by Client Request Method [Logs Cloudflare 
Logpush]\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-00280489-72e4-4070-a226-57e14a57080f\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"00280489-72e4-4070-a226-57e14a57080f\":{\"columnOrder\":[\"30a50e8b-fb9f-48dc-82ca-bd6069537dcc\",\"ce5dbaea-6c81-4e2f-89dd-78097bf4bd36\"],\"columns\":{\"30a50e8b-fb9f-48dc-82ca-bd6069537dcc\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Client Device Type\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"ce5dbaea-6c81-4e2f-89dd-78097bf4bd36\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"cloudflare_logpush.http_request.client.device.type\"},\"ce5dbaea-6c81-4e2f-89dd-78097bf4bd36\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Record\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : 
cloudflare_logpush.http_request\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"30a50e8b-fb9f-48dc-82ca-bd6069537dcc\"],\"layerId\":\"00280489-72e4-4070-a226-57e14a57080f\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"ce5dbaea-6c81-4e2f-89dd-78097bf4bd36\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"pie\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"9c4f4004-d4b0-471f-9535-09c11555e5a1\",\"w\":17,\"x\":31,\"y\":0},\"panelIndex\":\"9c4f4004-d4b0-471f-9535-09c11555e5a1\",\"title\":\"Distribution of HTTP Request by Client Device Type [Logs Cloudflare Logpush]\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-a3b36fd5-7e6e-4298-9c99-da41f685b6ac\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"a3b36fd5-7e6e-4298-9c99-da41f685b6ac\":{\"columnOrder\":[\"fe115b65-6c58-4088-ae8d-e8edbc1cf18c\",\"21ca64f8-cd25-4535-afa2-a70bbaaa3295\"],\"columns\":{\"21ca64f8-cd25-4535-afa2-a70bbaaa3295\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Record\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"fe115b65-6c58-4088-ae8d-e8edbc1cf18c\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Cllient IP 
Class\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"21ca64f8-cd25-4535-afa2-a70bbaaa3295\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"cloudflare_logpush.http_request.client.ip_class\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : cloudflare_logpush.http_request\"},\"visualization\":{\"layers\":[{\"accessors\":[\"21ca64f8-cd25-4535-afa2-a70bbaaa3295\"],\"layerId\":\"a3b36fd5-7e6e-4298-9c99-da41f685b6ac\",\"layerType\":\"data\",\"position\":\"top\",\"seriesType\":\"bar_stacked\",\"showGridlines\":false,\"xAccessor\":\"fe115b65-6c58-4088-ae8d-e8edbc1cf18c\"}],\"legend\":{\"isVisible\":true,\"position\":\"right\",\"shouldTruncate\":false,\"showSingleSeries\":true},\"preferredSeriesType\":\"bar_stacked\",\"title\":\"Empty XY chart\",\"valueLabels\":\"hide\",\"yLeftExtent\":{\"mode\":\"full\"},\"yRightExtent\":{\"mode\":\"full\"}}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsXY\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"36ba08a4-1ebd-46bd-a95d-6855c7992a68\",\"w\":24,\"x\":0,\"y\":15},\"panelIndex\":\"36ba08a4-1ebd-46bd-a95d-6855c7992a68\",\"title\":\"Distribution of HTTP Request by Client IP Class [Logs Cloudflare 
Logpush]\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-00280489-72e4-4070-a226-57e14a57080f\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"00280489-72e4-4070-a226-57e14a57080f\":{\"columnOrder\":[\"30a50e8b-fb9f-48dc-82ca-bd6069537dcc\",\"ce5dbaea-6c81-4e2f-89dd-78097bf4bd36\"],\"columns\":{\"30a50e8b-fb9f-48dc-82ca-bd6069537dcc\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"WAF Profile\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"ce5dbaea-6c81-4e2f-89dd-78097bf4bd36\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"cloudflare_logpush.http_request.waf.profile\"},\"ce5dbaea-6c81-4e2f-89dd-78097bf4bd36\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Record\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : cloudflare_logpush.http_request\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"30a50e8b-fb9f-48dc-82ca-bd6069537dcc\"],\"layerId\":\"00280489-72e4-4070-a226-57e14a57080f\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"ce5dbaea-6c81-4e2f-89dd-78097bf4bd36\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"pie\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"42860ae9-0100-4c5b-aad4-e9b9ebd8eb1d\",\"w\":24,\"x\":24,\"y\":15},\"panelIndex\":\"42860ae9-0100-4c5b-aad4-e9b9ebd8eb1d\",\"title\":\"Distribution of HTTP 
Request by WAF Profile [Logs Cloudflare Logpush]\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-a3b36fd5-7e6e-4298-9c99-da41f685b6ac\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"a3b36fd5-7e6e-4298-9c99-da41f685b6ac\":{\"columnOrder\":[\"fe115b65-6c58-4088-ae8d-e8edbc1cf18c\",\"21ca64f8-cd25-4535-afa2-a70bbaaa3295\"],\"columns\":{\"21ca64f8-cd25-4535-afa2-a70bbaaa3295\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Record\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"fe115b65-6c58-4088-ae8d-e8edbc1cf18c\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Client MTLS Auth Status\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"21ca64f8-cd25-4535-afa2-a70bbaaa3295\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"cloudflare_logpush.http_request.client.mtls.auth.status\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : cloudflare_logpush.http_request\"},\"visualization\":{\"layers\":[{\"accessors\":[\"21ca64f8-cd25-4535-afa2-a70bbaaa3295\"],\"layerId\":\"a3b36fd5-7e6e-4298-9c99-da41f685b6ac\",\"layerType\":\"data\",\"position\":\"top\",\"seriesType\":\"bar_stacked\",\"showGridlines\":false,\"xAccessor\":\"fe115b65-6c58-4088-ae8d-e8edbc1cf18c\"}],\"legend\":{\"isVisible\":true,\"position\":\"right\",\"shouldTruncate\":false,\"showSingleSeries\":true},\"preferredSeriesType\":\"bar_stacked\",\"title\":\"Empty XY 
chart\",\"valueLabels\":\"hide\",\"yLeftExtent\":{\"mode\":\"full\"},\"yRightExtent\":{\"mode\":\"full\"}}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsXY\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"94b34910-bec2-4d2d-8cab-03339cee8eee\",\"w\":24,\"x\":0,\"y\":30},\"panelIndex\":\"94b34910-bec2-4d2d-8cab-03339cee8eee\",\"title\":\"Distribution of HTTP Request by Client MTLS Auth Status [Logs Cloudflare Logpush]\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-a3b36fd5-7e6e-4298-9c99-da41f685b6ac\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"a3b36fd5-7e6e-4298-9c99-da41f685b6ac\":{\"columnOrder\":[\"fe115b65-6c58-4088-ae8d-e8edbc1cf18c\",\"21ca64f8-cd25-4535-afa2-a70bbaaa3295\"],\"columns\":{\"21ca64f8-cd25-4535-afa2-a70bbaaa3295\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Record\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"fe115b65-6c58-4088-ae8d-e8edbc1cf18c\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Source Country\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"21ca64f8-cd25-4535-afa2-a70bbaaa3295\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"source.geo.country_iso_code\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : 
cloudflare_logpush.http_request\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"fe115b65-6c58-4088-ae8d-e8edbc1cf18c\"],\"layerId\":\"a3b36fd5-7e6e-4298-9c99-da41f685b6ac\",\"layerType\":\"data\",\"legendDisplay\":\"show\",\"metric\":\"21ca64f8-cd25-4535-afa2-a70bbaaa3295\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"treemap\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"ff959b8e-d7b9-4c5e-8d3b-e0381f0d1e35\",\"w\":24,\"x\":24,\"y\":30},\"panelIndex\":\"ff959b8e-d7b9-4c5e-8d3b-e0381f0d1e35\",\"title\":\"Distribution of HTTP Request by Source Country [Logs Cloudflare Logpush]\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":16,\"i\":\"dbb10aab-b109-41f3-8e37-dfc4d3a2c4cd\",\"w\":48,\"x\":0,\"y\":45},\"panelIndex\":\"dbb10aab-b109-41f3-8e37-dfc4d3a2c4cd\",\"panelRefName\":\"panel_dbb10aab-b109-41f3-8e37-dfc4d3a2c4cd\",\"type\":\"search\",\"version\":\"7.17.0\"}]", - "timeRestore": false, - "title": "[Logs Cloudflare Logpush] HTTP Request", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "cloudflare_logpush-bb426420-dc44-11ec-b76d-adcfe05cc1fe", - "migrationVersion": { - "dashboard": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "6046f18e-7779-4ea6-b387-213bc81b36f0:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "6046f18e-7779-4ea6-b387-213bc81b36f0:indexpattern-datasource-layer-00280489-72e4-4070-a226-57e14a57080f", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "ec4ead06-9bbf-4f27-9dca-03dd92a55089:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "ec4ead06-9bbf-4f27-9dca-03dd92a55089:indexpattern-datasource-layer-00280489-72e4-4070-a226-57e14a57080f", - "type": "index-pattern" - }, 
- { - "id": "logs-*", - "name": "9c4f4004-d4b0-471f-9535-09c11555e5a1:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "9c4f4004-d4b0-471f-9535-09c11555e5a1:indexpattern-datasource-layer-00280489-72e4-4070-a226-57e14a57080f", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "36ba08a4-1ebd-46bd-a95d-6855c7992a68:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "36ba08a4-1ebd-46bd-a95d-6855c7992a68:indexpattern-datasource-layer-a3b36fd5-7e6e-4298-9c99-da41f685b6ac", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "42860ae9-0100-4c5b-aad4-e9b9ebd8eb1d:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "42860ae9-0100-4c5b-aad4-e9b9ebd8eb1d:indexpattern-datasource-layer-00280489-72e4-4070-a226-57e14a57080f", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "94b34910-bec2-4d2d-8cab-03339cee8eee:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "94b34910-bec2-4d2d-8cab-03339cee8eee:indexpattern-datasource-layer-a3b36fd5-7e6e-4298-9c99-da41f685b6ac", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "ff959b8e-d7b9-4c5e-8d3b-e0381f0d1e35:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "ff959b8e-d7b9-4c5e-8d3b-e0381f0d1e35:indexpattern-datasource-layer-a3b36fd5-7e6e-4298-9c99-da41f685b6ac", - "type": "index-pattern" - }, - { - "id": "cloudflare_logpush-a58b3a80-e257-11ec-b57d-b9b9d5221e36", - "name": "dbb10aab-b109-41f3-8e37-dfc4d3a2c4cd:panel_dbb10aab-b109-41f3-8e37-dfc4d3a2c4cd", - "type": "search" - } - ], - "type": "dashboard" -} \ No newline at end of file 
diff --git a/packages/cloudflare_logpush/0.2.1/kibana/dashboard/cloudflare_logpush-cc375d30-dc44-11ec-b76d-adcfe05cc1fe.json b/packages/cloudflare_logpush/0.2.1/kibana/dashboard/cloudflare_logpush-cc375d30-dc44-11ec-b76d-adcfe05cc1fe.json deleted file mode 100755 index 0bc14f6cd8..0000000000 --- a/packages/cloudflare_logpush/0.2.1/kibana/dashboard/cloudflare_logpush-cc375d30-dc44-11ec-b76d-adcfe05cc1fe.json +++ /dev/null 
@@ -1,42 +0,0 @@ -{ - "attributes": { - "description": "Overview of Cloudflare Logpush NEL Report", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : cloudflare_logpush.nel_report\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-369c4c11-370e-43b1-9ecf-0e3d9fb66f98\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"369c4c11-370e-43b1-9ecf-0e3d9fb66f98\":{\"columnOrder\":[\"c81d383b-dcf1-4924-8443-8f2ff88e7ae9\",\"7a4f98bf-868e-44d7-a3a8-7133e4ba4837\",\"634cf9dc-2979-4708-b702-d3884ae339d1\"],\"columns\":{\"634cf9dc-2979-4708-b702-d3884ae339d1\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Record\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"7a4f98bf-868e-44d7-a3a8-7133e4ba4837\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"ASN 
Description\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"634cf9dc-2979-4708-b702-d3884ae339d1\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"cloudflare_logpush.nel_report.client.ip.asn.description\"},\"c81d383b-dcf1-4924-8443-8f2ff88e7ae9\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"ASN\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"634cf9dc-2979-4708-b702-d3884ae339d1\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"cloudflare_logpush.nel_report.client.ip.asn.value\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : cloudflare_logpush.nel_report\"},\"visualization\":{\"columns\":[{\"alignment\":\"left\",\"columnId\":\"c81d383b-dcf1-4924-8443-8f2ff88e7ae9\",\"isTransposed\":false},{\"alignment\":\"left\",\"columnId\":\"634cf9dc-2979-4708-b702-d3884ae339d1\",\"isTransposed\":false},{\"columnId\":\"7a4f98bf-868e-44d7-a3a8-7133e4ba4837\",\"isTransposed\":false}],\"layerId\":\"369c4c11-370e-43b1-9ecf-0e3d9fb66f98\",\"layerType\":\"data\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsDatatable\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"d6d36d84-cb11-4993-a30a-d82118413eda\",\"w\":24,\"x\":0,\"y\":0},\"panelIndex\":\"d6d36d84-cb11-4993-a30a-d82118413eda\",\"title\":\"Top 10 Source ASN and ASN Description [Logs Cloudflare 
Logpush]\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-f9bf86eb-26ae-4ddb-9181-98538c308622\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"f9bf86eb-26ae-4ddb-9181-98538c308622\":{\"columnOrder\":[\"72e4b51b-b59b-42ba-bfd8-bc61fe3fa8e0\",\"9a90d872-9aed-4dbe-9004-a8b6e34449c1\"],\"columns\":{\"72e4b51b-b59b-42ba-bfd8-bc61fe3fa8e0\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Error Type\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"9a90d872-9aed-4dbe-9004-a8b6e34449c1\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"error.type\"},\"9a90d872-9aed-4dbe-9004-a8b6e34449c1\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Record\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : cloudflare_logpush.nel_report\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"72e4b51b-b59b-42ba-bfd8-bc61fe3fa8e0\"],\"layerId\":\"f9bf86eb-26ae-4ddb-9181-98538c308622\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"9a90d872-9aed-4dbe-9004-a8b6e34449c1\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"pie\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"e28f00db-dc65-4c0c-84ce-dbf64b568c70\",\"w\":24,\"x\":24,\"y\":0},\"panelIndex\":\"e28f00db-dc65-4c0c-84ce-dbf64b568c70\",\"title\":\"Distribution of NEL Report by Error Type [Logs Cloudflare 
Logpush]\",\"type\":\"lens\",\"version\":\"7.17.0\"}]", - "timeRestore": false, - "title": "[Logs Cloudflare Logpush] NEL Report", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "cloudflare_logpush-cc375d30-dc44-11ec-b76d-adcfe05cc1fe", - "migrationVersion": { - "dashboard": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "d6d36d84-cb11-4993-a30a-d82118413eda:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "d6d36d84-cb11-4993-a30a-d82118413eda:indexpattern-datasource-layer-369c4c11-370e-43b1-9ecf-0e3d9fb66f98", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "e28f00db-dc65-4c0c-84ce-dbf64b568c70:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "e28f00db-dc65-4c0c-84ce-dbf64b568c70:indexpattern-datasource-layer-f9bf86eb-26ae-4ddb-9181-98538c308622", - "type": "index-pattern" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/cloudflare_logpush/0.2.1/kibana/dashboard/cloudflare_logpush-da55ddb0-dc44-11ec-b76d-adcfe05cc1fe.json b/packages/cloudflare_logpush/0.2.1/kibana/dashboard/cloudflare_logpush-da55ddb0-dc44-11ec-b76d-adcfe05cc1fe.json deleted file mode 100755 index de57a36726..0000000000 --- a/packages/cloudflare_logpush/0.2.1/kibana/dashboard/cloudflare_logpush-da55ddb0-dc44-11ec-b76d-adcfe05cc1fe.json +++ /dev/null 
@@ -1,97 +0,0 @@ -{ - "attributes": { - "description": "Overview of Cloudflare Logpush Spectrum Event", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : cloudflare_logpush.spectrum_event\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-656e0f51-b51d-4744-8d90-99c65f67f3fe\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"656e0f51-b51d-4744-8d90-99c65f67f3fe\":{\"columnOrder\":[\"cb0fbef4-6069-46c6-a70a-04187fdfae13\",\"ca5a0691-0551-4ba4-982f-8693eab0715d\"],\"columns\":{\"ca5a0691-0551-4ba4-982f-8693eab0715d\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Record\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"cb0fbef4-6069-46c6-a70a-04187fdfae13\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Spectrum Event\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"ca5a0691-0551-4ba4-982f-8693eab0715d\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"event.action\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : 
cloudflare_logpush.spectrum_event\"},\"visualization\":{\"layers\":[{\"accessors\":[\"ca5a0691-0551-4ba4-982f-8693eab0715d\"],\"layerId\":\"656e0f51-b51d-4744-8d90-99c65f67f3fe\",\"layerType\":\"data\",\"position\":\"top\",\"seriesType\":\"bar_stacked\",\"showGridlines\":false,\"xAccessor\":\"cb0fbef4-6069-46c6-a70a-04187fdfae13\"}],\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"preferredSeriesType\":\"bar_stacked\",\"title\":\"Empty XY chart\",\"valueLabels\":\"hide\",\"yLeftExtent\":{\"mode\":\"full\"},\"yRightExtent\":{\"mode\":\"full\"}}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsXY\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"c537f5d4-d56c-4ebb-800d-258916a4f7e4\",\"w\":24,\"x\":0,\"y\":0},\"panelIndex\":\"c537f5d4-d56c-4ebb-800d-258916a4f7e4\",\"title\":\"Distribution of Spectrum Event by Event Action [Logs Cloudflare Logpush]\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-656e0f51-b51d-4744-8d90-99c65f67f3fe\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"656e0f51-b51d-4744-8d90-99c65f67f3fe\":{\"columnOrder\":[\"cb0fbef4-6069-46c6-a70a-04187fdfae13\",\"ca5a0691-0551-4ba4-982f-8693eab0715d\"],\"columns\":{\"ca5a0691-0551-4ba4-982f-8693eab0715d\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Record\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"cb0fbef4-6069-46c6-a70a-04187fdfae13\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Source 
Country\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"ca5a0691-0551-4ba4-982f-8693eab0715d\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"source.geo.country_iso_code\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : cloudflare_logpush.spectrum_event\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"cb0fbef4-6069-46c6-a70a-04187fdfae13\"],\"layerId\":\"656e0f51-b51d-4744-8d90-99c65f67f3fe\",\"layerType\":\"data\",\"legendDisplay\":\"show\",\"metric\":\"ca5a0691-0551-4ba4-982f-8693eab0715d\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"treemap\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"1082e6a0-ecee-43e0-bb9a-c6d108bdd2a9\",\"w\":24,\"x\":24,\"y\":0},\"panelIndex\":\"1082e6a0-ecee-43e0-bb9a-c6d108bdd2a9\",\"title\":\"Distribution of Spectrum Event by Source Country [Logs Cloudflare 
Logpush]\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-656e0f51-b51d-4744-8d90-99c65f67f3fe\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"656e0f51-b51d-4744-8d90-99c65f67f3fe\":{\"columnOrder\":[\"cb0fbef4-6069-46c6-a70a-04187fdfae13\",\"ca5a0691-0551-4ba4-982f-8693eab0715d\"],\"columns\":{\"ca5a0691-0551-4ba4-982f-8693eab0715d\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Record\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"cb0fbef4-6069-46c6-a70a-04187fdfae13\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Client Matched IP Firewall\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"ca5a0691-0551-4ba4-982f-8693eab0715d\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"cloudflare_logpush.spectrum_event.client.matched_ip_firewall\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : cloudflare_logpush.spectrum_event\"},\"visualization\":{\"layers\":[{\"accessors\":[\"ca5a0691-0551-4ba4-982f-8693eab0715d\"],\"layerId\":\"656e0f51-b51d-4744-8d90-99c65f67f3fe\",\"layerType\":\"data\",\"position\":\"top\",\"seriesType\":\"bar_stacked\",\"showGridlines\":false,\"xAccessor\":\"cb0fbef4-6069-46c6-a70a-04187fdfae13\"}],\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"preferredSeriesType\":\"bar_stacked\",\"title\":\"Empty XY 
chart\",\"valueLabels\":\"hide\",\"yLeftExtent\":{\"mode\":\"full\"},\"yRightExtent\":{\"mode\":\"full\"}}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsXY\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"81514310-7291-4f6a-bfc9-e7c64b042c83\",\"w\":24,\"x\":0,\"y\":15},\"panelIndex\":\"81514310-7291-4f6a-bfc9-e7c64b042c83\",\"title\":\"Distribution of Spectrum Event by Client Matched IP Firewall [Logs Cloudflare Logpush]\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-656e0f51-b51d-4744-8d90-99c65f67f3fe\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"656e0f51-b51d-4744-8d90-99c65f67f3fe\":{\"columnOrder\":[\"cb0fbef4-6069-46c6-a70a-04187fdfae13\",\"c8db770e-36ce-4d75-87e3-03bf47db4905\",\"ca5a0691-0551-4ba4-982f-8693eab0715d\"],\"columns\":{\"c8db770e-36ce-4d75-87e3-03bf47db4905\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Client TLS Protocol Version\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"ca5a0691-0551-4ba4-982f-8693eab0715d\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"tls.version\"},\"ca5a0691-0551-4ba4-982f-8693eab0715d\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"cb0fbef4-6069-46c6-a70a-04187fdfae13\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Client TLS 
Protocol\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"ca5a0691-0551-4ba4-982f-8693eab0715d\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"tls.version_protocol\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"cloudflare_logpush.spectrum_event\\\" \"},\"visualization\":{\"columns\":[{\"columnId\":\"cb0fbef4-6069-46c6-a70a-04187fdfae13\"},{\"columnId\":\"c8db770e-36ce-4d75-87e3-03bf47db4905\"},{\"alignment\":\"left\",\"columnId\":\"ca5a0691-0551-4ba4-982f-8693eab0715d\"}],\"layerId\":\"656e0f51-b51d-4744-8d90-99c65f67f3fe\",\"layerType\":\"data\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsDatatable\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"db83321b-3729-48c6-a417-f09cb192c6d2\",\"w\":24,\"x\":24,\"y\":15},\"panelIndex\":\"db83321b-3729-48c6-a417-f09cb192c6d2\",\"title\":\"Top 10 Client TLS Protocol and TLS Version [Logs Cloudflare Logpush]\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-656e0f51-b51d-4744-8d90-99c65f67f3fe\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"656e0f51-b51d-4744-8d90-99c65f67f3fe\":{\"columnOrder\":[\"cb0fbef4-6069-46c6-a70a-04187fdfae13\",\"ca5a0691-0551-4ba4-982f-8693eab0715d\"],\"columns\":{\"ca5a0691-0551-4ba4-982f-8693eab0715d\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Record\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"cb0fbef4-6069-46c6-a70a-04187fdfae13\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Origin TLS 
Protocol\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"ca5a0691-0551-4ba4-982f-8693eab0715d\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"cloudflare_logpush.spectrum_event.origin.tls.protocol\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : cloudflare_logpush.spectrum_event\"},\"visualization\":{\"layers\":[{\"accessors\":[\"ca5a0691-0551-4ba4-982f-8693eab0715d\"],\"layerId\":\"656e0f51-b51d-4744-8d90-99c65f67f3fe\",\"layerType\":\"data\",\"position\":\"top\",\"seriesType\":\"bar_stacked\",\"showGridlines\":false,\"xAccessor\":\"cb0fbef4-6069-46c6-a70a-04187fdfae13\"}],\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"preferredSeriesType\":\"bar_stacked\",\"title\":\"Empty XY chart\",\"valueLabels\":\"hide\",\"yLeftExtent\":{\"mode\":\"full\"},\"yRightExtent\":{\"mode\":\"full\"}}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsXY\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"73c0274d-7f24-4763-aac0-eef36b1a6904\",\"w\":24,\"x\":0,\"y\":30},\"panelIndex\":\"73c0274d-7f24-4763-aac0-eef36b1a6904\",\"title\":\"Distribution of Spectrum Event by Origin TLS Protocol [Logs Cloudflare 
Logpush]\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-656e0f51-b51d-4744-8d90-99c65f67f3fe\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"656e0f51-b51d-4744-8d90-99c65f67f3fe\":{\"columnOrder\":[\"cb0fbef4-6069-46c6-a70a-04187fdfae13\",\"ca5a0691-0551-4ba4-982f-8693eab0715d\"],\"columns\":{\"ca5a0691-0551-4ba4-982f-8693eab0715d\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Record\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"cb0fbef4-6069-46c6-a70a-04187fdfae13\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Client TLS Status\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"ca5a0691-0551-4ba4-982f-8693eab0715d\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"cloudflare_logpush.spectrum_event.client.tls.status\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : cloudflare_logpush.spectrum_event\"},\"visualization\":{\"layers\":[{\"accessors\":[\"ca5a0691-0551-4ba4-982f-8693eab0715d\"],\"layerId\":\"656e0f51-b51d-4744-8d90-99c65f67f3fe\",\"layerType\":\"data\",\"position\":\"top\",\"seriesType\":\"bar_stacked\",\"showGridlines\":false,\"xAccessor\":\"cb0fbef4-6069-46c6-a70a-04187fdfae13\"}],\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"preferredSeriesType\":\"bar_stacked\",\"title\":\"Empty XY 
chart\",\"valueLabels\":\"hide\",\"yLeftExtent\":{\"mode\":\"full\"},\"yRightExtent\":{\"mode\":\"full\"}}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsXY\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"0229b8d8-fe10-4ed5-938c-135fa3332836\",\"w\":24,\"x\":24,\"y\":30},\"panelIndex\":\"0229b8d8-fe10-4ed5-938c-135fa3332836\",\"title\":\"Distribution of Spectrum Event by Client TLS Status [Logs Cloudflare Logpush]\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-656e0f51-b51d-4744-8d90-99c65f67f3fe\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"656e0f51-b51d-4744-8d90-99c65f67f3fe\":{\"columnOrder\":[\"cb0fbef4-6069-46c6-a70a-04187fdfae13\",\"ca5a0691-0551-4ba4-982f-8693eab0715d\"],\"columns\":{\"ca5a0691-0551-4ba4-982f-8693eab0715d\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Record\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"cb0fbef4-6069-46c6-a70a-04187fdfae13\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Origin TLS Status\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"ca5a0691-0551-4ba4-982f-8693eab0715d\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"cloudflare_logpush.spectrum_event.origin.tls.status\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : 
cloudflare_logpush.spectrum_event\"},\"visualization\":{\"layers\":[{\"accessors\":[\"ca5a0691-0551-4ba4-982f-8693eab0715d\"],\"layerId\":\"656e0f51-b51d-4744-8d90-99c65f67f3fe\",\"layerType\":\"data\",\"position\":\"top\",\"seriesType\":\"bar_stacked\",\"showGridlines\":false,\"xAccessor\":\"cb0fbef4-6069-46c6-a70a-04187fdfae13\"}],\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"preferredSeriesType\":\"bar_stacked\",\"title\":\"Empty XY chart\",\"valueLabels\":\"hide\",\"yLeftExtent\":{\"mode\":\"full\"},\"yRightExtent\":{\"mode\":\"full\"}}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsXY\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"e769bb45-9bb6-4902-aadd-9622b8ef0197\",\"w\":24,\"x\":0,\"y\":45},\"panelIndex\":\"e769bb45-9bb6-4902-aadd-9622b8ef0197\",\"title\":\"Distribution of Spectrum Event by Origin TLS Status [Logs Cloudflare Logpush]\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"5a5b611e-8fa5-4b4d-ae6c-5b971bbcd71f\",\"w\":24,\"x\":24,\"y\":45},\"panelIndex\":\"5a5b611e-8fa5-4b4d-ae6c-5b971bbcd71f\",\"panelRefName\":\"panel_5a5b611e-8fa5-4b4d-ae6c-5b971bbcd71f\",\"type\":\"search\",\"version\":\"7.17.0\"}]", - "timeRestore": false, - "title": "[Logs Cloudflare Logpush] Spectrum Event", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "cloudflare_logpush-da55ddb0-dc44-11ec-b76d-adcfe05cc1fe", - "migrationVersion": { - "dashboard": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "c537f5d4-d56c-4ebb-800d-258916a4f7e4:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "c537f5d4-d56c-4ebb-800d-258916a4f7e4:indexpattern-datasource-layer-656e0f51-b51d-4744-8d90-99c65f67f3fe", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "1082e6a0-ecee-43e0-bb9a-c6d108bdd2a9:indexpattern-datasource-current-indexpattern", - "type": 
"index-pattern" - }, - { - "id": "logs-*", - "name": "1082e6a0-ecee-43e0-bb9a-c6d108bdd2a9:indexpattern-datasource-layer-656e0f51-b51d-4744-8d90-99c65f67f3fe", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "81514310-7291-4f6a-bfc9-e7c64b042c83:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "81514310-7291-4f6a-bfc9-e7c64b042c83:indexpattern-datasource-layer-656e0f51-b51d-4744-8d90-99c65f67f3fe", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "db83321b-3729-48c6-a417-f09cb192c6d2:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "db83321b-3729-48c6-a417-f09cb192c6d2:indexpattern-datasource-layer-656e0f51-b51d-4744-8d90-99c65f67f3fe", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "73c0274d-7f24-4763-aac0-eef36b1a6904:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "73c0274d-7f24-4763-aac0-eef36b1a6904:indexpattern-datasource-layer-656e0f51-b51d-4744-8d90-99c65f67f3fe", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "0229b8d8-fe10-4ed5-938c-135fa3332836:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "0229b8d8-fe10-4ed5-938c-135fa3332836:indexpattern-datasource-layer-656e0f51-b51d-4744-8d90-99c65f67f3fe", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "e769bb45-9bb6-4902-aadd-9622b8ef0197:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "e769bb45-9bb6-4902-aadd-9622b8ef0197:indexpattern-datasource-layer-656e0f51-b51d-4744-8d90-99c65f67f3fe", - "type": "index-pattern" - }, - { - "id": "cloudflare_logpush-dc01afe0-e24d-11ec-b57d-b9b9d5221e36", - "name": "5a5b611e-8fa5-4b4d-ae6c-5b971bbcd71f:panel_5a5b611e-8fa5-4b4d-ae6c-5b971bbcd71f", - "type": "search" - } - ], - "type": "dashboard" -} \ 
No newline at end of file
diff --git a/packages/cloudflare_logpush/0.2.1/kibana/dashboard/cloudflare_logpush-e7a24120-dc44-11ec-b76d-adcfe05cc1fe.json b/packages/cloudflare_logpush/0.2.1/kibana/dashboard/cloudflare_logpush-e7a24120-dc44-11ec-b76d-adcfe05cc1fe.json
deleted file mode 100755
index 33774d0e04..0000000000
--- a/packages/cloudflare_logpush/0.2.1/kibana/dashboard/cloudflare_logpush-e7a24120-dc44-11ec-b76d-adcfe05cc1fe.json
+++ /dev/null
@@ -1,52 +0,0 @@ -{ - "attributes": { - "description": "Overview of Cloudflare Logpush Audit", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : cloudflare_logpush.audit\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-281645e8-8598-44df-802e-c85f2da569f3\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"281645e8-8598-44df-802e-c85f2da569f3\":{\"columnOrder\":[\"0b8ca9d5-b895-4646-8c7a-00e333655530\",\"fa4abb57-b2ea-4ef4-a680-247411274de0\"],\"columns\":{\"0b8ca9d5-b895-4646-8c7a-00e333655530\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Actor Email\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"fa4abb57-b2ea-4ef4-a680-247411274de0\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"user.email\"},\"fa4abb57-b2ea-4ef4-a680-247411274de0\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Record\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : 
cloudflare_logpush.audit\"},\"visualization\":{\"columns\":[{\"columnId\":\"0b8ca9d5-b895-4646-8c7a-00e333655530\"},{\"alignment\":\"left\",\"columnId\":\"fa4abb57-b2ea-4ef4-a680-247411274de0\"}],\"layerId\":\"281645e8-8598-44df-802e-c85f2da569f3\",\"layerType\":\"data\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsDatatable\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"bd8b3896-5f51-403e-83c3-c054ef0ea60c\",\"w\":24,\"x\":0,\"y\":0},\"panelIndex\":\"bd8b3896-5f51-403e-83c3-c054ef0ea60c\",\"title\":\"Top 10 Actor Email [Logs Cloudflare Logpush]\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-2b1d1dcf-6ba1-4d88-8f09-81cea1f47e2d\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"2b1d1dcf-6ba1-4d88-8f09-81cea1f47e2d\":{\"columnOrder\":[\"3415516b-de49-4469-a162-05dd0d1d3af5\",\"c7854c23-c64e-4b66-944a-1620f451c034\"],\"columns\":{\"3415516b-de49-4469-a162-05dd0d1d3af5\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Resource Type\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"c7854c23-c64e-4b66-944a-1620f451c034\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"cloudflare_logpush.audit.resource.type\"},\"c7854c23-c64e-4b66-944a-1620f451c034\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Record\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : 
cloudflare_logpush.audit\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"3415516b-de49-4469-a162-05dd0d1d3af5\"],\"layerId\":\"2b1d1dcf-6ba1-4d88-8f09-81cea1f47e2d\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"c7854c23-c64e-4b66-944a-1620f451c034\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"pie\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"75187ff6-4c3a-409a-ba03-6738649bedb3\",\"w\":24,\"x\":24,\"y\":0},\"panelIndex\":\"75187ff6-4c3a-409a-ba03-6738649bedb3\",\"title\":\"Distribution of Audit by Resource Type [Logs Cloudflare Logpush]\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-2b1d1dcf-6ba1-4d88-8f09-81cea1f47e2d\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"2b1d1dcf-6ba1-4d88-8f09-81cea1f47e2d\":{\"columnOrder\":[\"3415516b-de49-4469-a162-05dd0d1d3af5\",\"c7854c23-c64e-4b66-944a-1620f451c034\"],\"columns\":{\"3415516b-de49-4469-a162-05dd0d1d3af5\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Action Type\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"c7854c23-c64e-4b66-944a-1620f451c034\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"event.action\"},\"c7854c23-c64e-4b66-944a-1620f451c034\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Record\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : 
cloudflare_logpush.audit\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"3415516b-de49-4469-a162-05dd0d1d3af5\"],\"layerId\":\"2b1d1dcf-6ba1-4d88-8f09-81cea1f47e2d\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"c7854c23-c64e-4b66-944a-1620f451c034\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"pie\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"f10a2a4e-1638-4b92-81ff-65786579e5b7\",\"w\":24,\"x\":0,\"y\":15},\"panelIndex\":\"f10a2a4e-1638-4b92-81ff-65786579e5b7\",\"title\":\"Distribution of Audit by Action Type [Logs Cloudflare Logpush]\",\"type\":\"lens\",\"version\":\"7.17.0\"}]", - "timeRestore": false, - "title": "[Logs Cloudflare Logpush] Audit", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "cloudflare_logpush-e7a24120-dc44-11ec-b76d-adcfe05cc1fe", - "migrationVersion": { - "dashboard": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "bd8b3896-5f51-403e-83c3-c054ef0ea60c:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "bd8b3896-5f51-403e-83c3-c054ef0ea60c:indexpattern-datasource-layer-281645e8-8598-44df-802e-c85f2da569f3", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "75187ff6-4c3a-409a-ba03-6738649bedb3:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "75187ff6-4c3a-409a-ba03-6738649bedb3:indexpattern-datasource-layer-2b1d1dcf-6ba1-4d88-8f09-81cea1f47e2d", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "f10a2a4e-1638-4b92-81ff-65786579e5b7:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "f10a2a4e-1638-4b92-81ff-65786579e5b7:indexpattern-datasource-layer-2b1d1dcf-6ba1-4d88-8f09-81cea1f47e2d", - "type": "index-pattern" - } - ], - "type": 
"dashboard"
-}
\ No newline at end of file
diff --git a/packages/cloudflare_logpush/0.2.1/kibana/search/cloudflare_logpush-a58b3a80-e257-11ec-b57d-b9b9d5221e36.json b/packages/cloudflare_logpush/0.2.1/kibana/search/cloudflare_logpush-a58b3a80-e257-11ec-b57d-b9b9d5221e36.json
deleted file mode 100755
index f85f44c0d5..0000000000
--- a/packages/cloudflare_logpush/0.2.1/kibana/search/cloudflare_logpush-a58b3a80-e257-11ec-b57d-b9b9d5221e36.json
+++ /dev/null
@@ -1,36 +0,0 @@
-{
- "attributes": {
- "columns": [
- "cloudflare_logpush.http_request.client.request.host",
- "source.ip",
- "destination.ip",
- "source.as.number"
- ],
- "description": "",
- "grid": {},
- "hideChart": false,
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : cloudflare_logpush.http_request\"}}"
- },
- "sort": [
- [
- "@timestamp",
- "desc"
- ]
- ],
- "title": "HTTP Request [Logs Cloudflare Logpush]"
- },
- "coreMigrationVersion": "7.17.0",
- "id": "cloudflare_logpush-a58b3a80-e257-11ec-b57d-b9b9d5221e36",
- "migrationVersion": {
- "search": "7.9.3"
- },
- "references": [
- {
- "id": "logs-*",
- "name": "kibanaSavedObjectMeta.searchSourceJSON.index",
- "type": "index-pattern"
- }
- ],
- "type": "search"
-}
\ No newline at end of file
diff --git a/packages/cloudflare_logpush/0.2.1/kibana/search/cloudflare_logpush-dc01afe0-e24d-11ec-b57d-b9b9d5221e36.json b/packages/cloudflare_logpush/0.2.1/kibana/search/cloudflare_logpush-dc01afe0-e24d-11ec-b57d-b9b9d5221e36.json
deleted file mode 100755
index febf9a1fcb..0000000000
--- a/packages/cloudflare_logpush/0.2.1/kibana/search/cloudflare_logpush-dc01afe0-e24d-11ec-b57d-b9b9d5221e36.json
+++ /dev/null
@@ -1,35 +0,0 @@
-{
- "attributes": {
- "columns": [
- "source.ip",
- "destination.ip",
- "cloudflare_logpush.spectrum_event.client.protocol"
- ],
- "description": "",
- "grid": {},
- "hideChart": false,
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : cloudflare_logpush.spectrum_event\"}}"
- },
- "sort": [
- [
- "@timestamp",
- "desc"
- ]
- ],
- "title": "Spectrum Event [Logs Cloudflare Logpush]"
- },
- "coreMigrationVersion": "7.17.0",
- "id": "cloudflare_logpush-dc01afe0-e24d-11ec-b57d-b9b9d5221e36",
- "migrationVersion": {
- "search": "7.9.3"
- },
- "references": [
- {
- "id": "logs-*",
- "name": "kibanaSavedObjectMeta.searchSourceJSON.index",
- "type": "index-pattern"
- }
- ],
- "type": "search"
-}
\ No newline at end of file
diff --git a/packages/cloudflare_logpush/0.2.1/manifest.yml b/packages/cloudflare_logpush/0.2.1/manifest.yml
deleted file mode 100755
index 117cb95303..0000000000
--- a/packages/cloudflare_logpush/0.2.1/manifest.yml
+++ /dev/null
@@ -1,180 +0,0 @@
-format_version: 1.0.0
-name: cloudflare_logpush
-title: Cloudflare Logpush
-version: 0.2.1
-license: basic
-description: Collect and parse logs from Cloudflare API with Elastic Agent.
-type: integration
-categories:
- - security
-conditions:
- kibana.version: ^8.0.0
-screenshots:
- - src: /img/cloudflare-screenshot.png
- title: Cloudflare Logpush DNS dashboard screenshot
- size: 1847x950
- type: image/png
-icons:
- - src: /img/cloudflare-logo.svg
- title: Cloudflare Logpush logo
- size: 216x216
- type: image/svg+xml
-policy_templates:
- - name: cloudflare
- title: Cloudflare Logpush logs
- description: Collect logs from Cloudflare.
- inputs:
- - type: http_endpoint
- title: Collect Cloudflare Logpush logs via HTTP Endpoint
- description: Collecting Logpush logs from Cloudflare via HTTP Endpoint.
- vars:
- - name: listen_address
- type: text
- title: Listen Address
- description: The bind address to listen for http endpoint connections. Set to `0.0.0.0` to bind to all available interfaces.
- multi: false
- required: true
- show_user: true
- default: localhost
- - name: secret_header
- type: text
- title: Secret Header
- description: The header to check for a specific value specified by `secret.value`.
- required: false
- show_user: false
- - name: secret_value
- type: password
- title: Secret Value
- description: The secret stored in the header name specified by `secret.header`.
- required: false
- show_user: false
- - name: ssl
- type: yaml
- title: SSL Configuration
- description: i.e. certificate_authorities, supported_protocols, verification_mode etc.
- multi: false - required: false - show_user: false - default: | - #certificate_authorities: - # - | - # -----BEGIN CERTIFICATE----- - # MIIDCjCCAfKgAwIBAgITJ706Mu2wJlKckpIvkWxEHvEyijANBgkqhkiG9w0BAQsF - # ADAUMRIwEAYDVQQDDAlsb2NhbGhvc3QwIBcNMTkwNzIyMTkyOTA0WhgPMjExOTA2 - # MjgxOTI5MDRaMBQxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEB - # BQADggEPADCCAQoCggEBANce58Y/JykI58iyOXpxGfw0/gMvF0hUQAcUrSMxEO6n - # fZRA49b4OV4SwWmA3395uL2eB2NB8y8qdQ9muXUdPBWE4l9rMZ6gmfu90N5B5uEl - # 94NcfBfYOKi1fJQ9i7WKhTjlRkMCgBkWPkUokvBZFRt8RtF7zI77BSEorHGQCk9t - # /D7BS0GJyfVEhftbWcFEAG3VRcoMhF7kUzYwp+qESoriFRYLeDWv68ZOvG7eoWnP - # PsvZStEVEimjvK5NSESEQa9xWyJOmlOKXhkdymtcUd/nXnx6UTCFgnkgzSdTWV41 - # CI6B6aJ9svCTI2QuoIq2HxX/ix7OvW1huVmcyHVxyUECAwEAAaNTMFEwHQYDVR0O - # BBYEFPwN1OceFGm9v6ux8G+DZ3TUDYxqMB8GA1UdIwQYMBaAFPwN1OceFGm9v6ux - # 8G+DZ3TUDYxqMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAG5D - # 874A4YI7YUwOVsVAdbWtgp1d0zKcPRR+r2OdSbTAV5/gcS3jgBJ3i1BN34JuDVFw - # 3DeJSYT3nxy2Y56lLnxDeF8CUTUtVQx3CuGkRg1ouGAHpO/6OqOhwLLorEmxi7tA - # H2O8mtT0poX5AnOAhzVy7QW0D/k4WaoLyckM5hUa6RtvgvLxOwA0U+VGurCDoctu - # 8F4QOgTAWyh8EZIwaKCliFRSynDpv3JTUwtfZkxo6K6nce1RhCWFAsMvDZL8Dgc0 - # yvgJ38BRsFOtkRuAGSf6ZUwTO8JJRRIFnpUzXflAnGivK9M13D5GEQMmIl6U9Pvk - # sxSmbIUfc2SGJGCJD4I= - # -----END CERTIFICATE----- - - type: aws-s3 - title: Collect Cloudflare Logpush logs via AWS S3 or AWS SQS - description: Collecting Logpush logs from Cloudflare via AWS S3 or AWS SQS. - vars: - - name: collect_s3_logs - required: true - show_user: true - title: Collect logs via S3 Bucket - description: To Collect logs via S3 bucket enable the toggle switch. By default, it will collect logs via SQS Queue. - type: bool - multi: false - default: false - - name: bucket_arn - type: text - title: "[S3] Bucket ARN" - multi: false - required: false - show_user: true - description: It is a required parameter for collecting logs via the AWS S3 Bucket. 
- - name: queue_url
- type: text
- title: "[SQS] Queue URL"
- multi: false
- required: false
- show_user: true
- description: URL of the AWS SQS queue that messages will be received from. It is a required parameter for collecting logs via the AWS SQS.
- - name: access_key_id
- type: password
- title: Access Key ID
- multi: false
- required: false
- show_user: true
- description: First part of access key.
- - name: secret_access_key
- type: password
- title: Secret Access Key
- multi: false
- required: false
- show_user: true
- description: Second part of access key.
- - name: session_token
- type: text
- title: Session Token
- multi: false
- required: false
- show_user: true
- description: Required when using temporary security credentials.
- - name: shared_credential_file
- type: text
- title: Shared Credential File
- multi: false
- required: false
- show_user: false
- description: Directory of the shared credentials file.
- - name: credential_profile_name
- type: text
- title: Credential Profile Name
- multi: false
- required: false
- show_user: false
- description: Profile name in shared credentials file.
- - name: role_arn
- type: text
- title: Role ARN
- multi: false
- required: false
- show_user: false
- description: AWS IAM Role to assume.
- - name: endpoint
- type: text
- title: Endpoint
- multi: false
- required: false
- show_user: false
- default: ""
- description: URL of the entry point for an AWS web service.
- - name: default_region
- type: text
- title: Default AWS Region
- multi: false
- required: false
- show_user: false
- default: ""
- description: Default region to use prior to connecting to region specific services/endpoints if no AWS region is set from environment variable, credentials or instance profile. If none of the above are set and no default region is set as well, `us-east-1` is used.
A region, either from environment variable, credentials or instance profile or from this default region setting, needs to be set when using regions in non-regular AWS environments such as AWS China or US Government Isolated.
- - name: fips_enabled
- type: bool
- title: Enable S3 FIPS
- default: false
- multi: false
- required: false
- show_user: false
- description: Enabling this option changes the service name from `s3` to `s3-fips` for connecting to the correct service endpoint.
- - name: proxy_url
- type: text
- title: Proxy URL
- multi: false
- required: false
- show_user: false
- description: URL to proxy connections in the form of http[s]://:@:. Please ensure your username and password are in URL encoded format.
-owner:
- github: elastic/security-external-integrations
diff --git a/packages/crowdstrike/1.7.0/LICENSE.txt b/packages/crowdstrike/1.7.0/LICENSE.txt
deleted file mode 100755
index 809108b857..0000000000
--- a/packages/crowdstrike/1.7.0/LICENSE.txt
+++ /dev/null
@@ -1,93 +0,0 @@
-Elastic License 2.0
-
-URL: https://www.elastic.co/licensing/elastic-license
-
-## Acceptance
-
-By using the software, you agree to all of the terms and conditions below.
-
-## Copyright License
-
-The licensor grants you a non-exclusive, royalty-free, worldwide,
-non-sublicensable, non-transferable license to use, copy, distribute, make
-available, and prepare derivative works of the software, in each case subject to
-the limitations and conditions below.
-
-## Limitations
-
-You may not provide the software to third parties as a hosted or managed
-service, where the service provides users with access to any substantial set of
-the features or functionality of the software.
-
-You may not move, change, disable, or circumvent the license key functionality
-in the software, and you may not remove or obscure any functionality in the
-software that is protected by the license key.
-
-You may not alter, remove, or obscure any licensing, copyright, or other notices
-of the licensor in the software. Any use of the licensor’s trademarks is subject
-to applicable law.
-
-## Patents
-
-The licensor grants you a license, under any patent claims the licensor can
-license, or becomes able to license, to make, have made, use, sell, offer for
-sale, import and have imported the software, in each case subject to the
-limitations and conditions in this license. This license does not cover any
-patent claims that you cause to be infringed by modifications or additions to
-the software. If you or your company make any written claim that the software
-infringes or contributes to infringement of any patent, your patent license for
-the software granted under these terms ends immediately. If your company makes
-such a claim, your patent license ends immediately for work on behalf of your
-company.
-
-## Notices
-
-You must ensure that anyone who gets a copy of any part of the software from you
-also gets a copy of these terms.
-
-If you modify the software, you must include in any modified copies of the
-software prominent notices stating that you have modified the software.
-
-## No Other Rights
-
-These terms do not imply any licenses other than those expressly granted in
-these terms.
-
-## Termination
-
-If you use the software in violation of these terms, such use is not licensed,
-and your licenses will automatically terminate. If the licensor provides you
-with a notice of your violation, and you cease all violation of this license no
-later than 30 days after you receive that notice, your licenses will be
-reinstated retroactively. However, if you violate these terms after such
-reinstatement, any additional violation of these terms will cause your licenses
-to terminate automatically and permanently.
-
-## No Liability
-
-*As far as the law allows, the software comes as is, without any warranty or
-condition, and the licensor will not be liable to you for any damages arising
-out of these terms or the use or nature of the software, under any kind of
-legal claim.*
-
-## Definitions
-
-The **licensor** is the entity offering these terms, and the **software** is the
-software the licensor makes available under these terms, including any portion
-of it.
-
-**you** refers to the individual or entity agreeing to these terms.
-
-**your company** is any legal entity, sole proprietorship, or other kind of
-organization that you work for, plus all organizations that have control over,
-are under the control of, or are under common control with that
-organization. **control** means ownership of substantially all the assets of an
-entity, or the power to direct its management and policies by vote, contract, or
-otherwise. Control can be direct or indirect.
-
-**your licenses** are all the licenses granted to you for the software under
-these terms.
-
-**use** means anything you do with the software requiring one of your licenses.
-
-**trademark** means trademarks, service marks, and similar rights.
diff --git a/packages/crowdstrike/1.7.0/changelog.yml b/packages/crowdstrike/1.7.0/changelog.yml
deleted file mode 100755
index fde5200ff2..0000000000
--- a/packages/crowdstrike/1.7.0/changelog.yml
+++ /dev/null
@@ -1,210 +0,0 @@ -# newer versions go on top -- version: "1.7.0" - changes: - - description: Expose Default Region setting to UI - type: enhancement - link: https://github.com/elastic/integrations/pull/4158 -- version: "1.6.1" - changes: - - description: Use ECS geo.location definition. - type: enhancement - link: https://github.com/elastic/integrations/issues/4227 -- version: "1.6.0" - changes: - - description: Parse executable for `process.name` in FDR data stream - type: enhancement - link: https://github.com/elastic/integrations/pull/4133 -- version: "1.5.1" - changes: - - description: Set default endpoint to empty string - type: bugfix - link: https://github.com/elastic/integrations/pull/4103 -- version: "1.5.0" - changes: - - description: Update package to ECS 8.4.0 - type: enhancement - link: https://github.com/elastic/integrations/pull/3843 -- version: "1.4.2" - changes: - - description: Fix proxy URL documentation rendering. - type: bugfix - link: https://github.com/elastic/integrations/pull/3881 -- version: "1.4.1" - changes: - - description: Update package name and description to align with standard wording - type: enhancement - link: https://github.com/elastic/integrations/pull/3478 -- version: "1.4.0" - changes: - - description: Update package to ECS 8.3.0. - type: enhancement - link: https://github.com/elastic/integrations/pull/3353 -- version: "1.3.4" - changes: - - description: Prevent missing `@timestamp` field. - type: bugfix - link: https://github.com/elastic/integrations/pull/3484 -- version: "1.3.3" - changes: - - description: Optimize FDR pipeline script processor. - type: bugfix - link: https://github.com/elastic/integrations/pull/3302 -- version: "1.3.2" - changes: - - description: Format source.mac as per ECS. - type: bugfix - link: https://github.com/elastic/integrations/pull/3302 -- version: "1.3.1" - changes: - - description: Update readme file. 
Added link to CrowdStrike docs - type: enhancement - link: https://github.com/elastic/integrations/pull/3057 -- version: "1.3.0" - changes: - - description: Update to ECS 8.2 - type: enhancement - link: https://github.com/elastic/integrations/pull/2779 -- version: "1.2.7" - changes: - - description: Move invalid field value - type: enhancement - link: https://github.com/elastic/integrations/pull/3098 -- version: "1.2.6" - changes: - - description: Add documentation for multi-fields - type: enhancement - link: https://github.com/elastic/integrations/pull/2916 -- version: "1.2.5" - changes: - - description: Add date parsing for BiosReleaseDate field. - type: bugfix - link: https://github.com/elastic/integrations/pull/2867 -- version: "1.2.4" - changes: - - description: Add missing field mapping for several event and host fields. - type: bugfix - link: https://github.com/elastic/integrations/pull/2869 -- version: "1.2.3" - changes: - - description: Change type of 'fdr_parsing_script' variable to 'yaml' so that the multi-line string creates a valid YAML config document. - type: bugfix - link: https://github.com/elastic/integrations/pull/2701 -- version: "1.2.2" - changes: - - description: Add Ingest Pipeline script to map IANA Protocol Numbers - type: bugfix - link: https://github.com/elastic/integrations/pull/2470 -- version: "1.2.1" - changes: - - description: Fix issue with "Is FDR Queue" selector having no effect. 
- type: bugfix - link: https://github.com/elastic/integrations/pull/2653 -- version: "1.2.0" - changes: - - description: Update to ECS 8.0 - type: enhancement - link: https://github.com/elastic/integrations/pull/2398 -- version: "1.1.2" - changes: - - description: Regenerate test files using the new GeoIP database - type: bugfix - link: https://github.com/elastic/integrations/pull/2339 -- version: "1.1.1" - changes: - - description: Change test public IPs to the supported subset - type: bugfix - link: https://github.com/elastic/integrations/pull/2327 -- version: "1.1.0" - changes: - - description: Add 8.0.0 version constraint - type: enhancement - link: https://github.com/elastic/integrations/pull/2229 -- version: "1.0.4" - changes: - - description: Add ability to read from both FDR provided and user owned SQS queues for FDR. - type: bugfix - link: https://github.com/elastic/integrations/pull/2198 - - description: Pipeline fixes for FDR - type: bugfix - link: https://github.com/elastic/integrations/pull/2198 -- version: "1.0.3" - changes: - - description: Uniform with guidelines - type: enhancement - link: https://github.com/elastic/integrations/pull/2022 -- version: "1.0.2" - changes: - - description: Update Title and Description. - type: enhancement - link: https://github.com/elastic/integrations/pull/1961 -- version: "1.0.1" - changes: - - description: Fix logic that checks for the 'forwarded' tag - type: bugfix - link: https://github.com/elastic/integrations/pull/1812 -- version: '1.0.0' - changes: - - description: make GA - type: enhancement - link: https://github.com/elastic/integrations/pull/1630 -- version: "0.9.0" - changes: - - description: Update to ECS 1.12.0 - type: enhancement - link: https://github.com/elastic/integrations/pull/1655 -- version: "0.8.1" - changes: - - description: Add proxy config - type: enhancement - link: https://github.com/elastic/integrations/pull/1648 -- version: "0.8.0" - changes: - - description: Add FDR data stream. 
- type: enhancement - link: https://github.com/elastic/integrations/pull/1522 - - description: Change Falcon ECS fields definition to use references - type: enhancement - link: https://github.com/elastic/integrations/pull/1522 - - description: Add cleanup processor to Falcon - type: enhancement - link: https://github.com/elastic/integrations/pull/1522 -- version: '0.7.1' - changes: - - description: update to ECS 1.11.0 - type: enhancement - link: https://github.com/elastic/integrations/pull/1378 -- version: "0.7.0" - changes: - - description: Update integration description - type: enhancement - link: https://github.com/elastic/integrations/pull/1364 -- version: "0.6.0" - changes: - - description: Set "event.module" and "event.dataset" - type: enhancement - link: https://github.com/elastic/integrations/pull/1258 -- version: "0.5.0" - changes: - - description: update to ECS 1.10.0 and add event.original options - type: enhancement - link: https://github.com/elastic/integrations/pull/1036 -- version: "0.4.1" - changes: - - description: update to ECS 1.9.0 - type: enhancement - link: https://github.com/elastic/integrations/pull/841 -- version: "0.4.0" - changes: - - description: Moves edge processing to ingest pipeline - type: enhancement - link: https://github.com/elastic/integrations/pull/774 -- version: "0.3.1" - changes: - - description: Change kibana.version constraint to be more conservative. - type: bugfix - link: https://github.com/elastic/integrations/pull/749 -- version: "0.1.0" - changes: - - description: initial release - type: enhancement # can be one of: enhancement, bugfix, breaking-change - link: https://github.com/elastic/integrations/pull/182 diff --git a/packages/crowdstrike/1.7.0/data_stream/falcon/agent/stream/log.yml.hbs b/packages/crowdstrike/1.7.0/data_stream/falcon/agent/stream/log.yml.hbs deleted file mode 100755 index 79e1726037..0000000000 --- a/packages/crowdstrike/1.7.0/data_stream/falcon/agent/stream/log.yml.hbs +++ /dev/null 
@@ -1,25 +0,0 @@ -paths: -{{#each paths as |path i|}} - - {{path}} -{{/each}} -exclude_files: [".gz$"] -# Crowdstrike Falcon SIEM connector logs are multiline JSON by default -multiline.pattern: '^{' -multiline.negate: true -multiline.match: after -multiline.max_lines: 5000 -multiline.timeout: 10 -tags: -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#each tags as |tag i|}} - - {{tag}} -{{/each}} -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} -{{#if processors}} -processors: -{{processors}} -{{/if}} diff --git a/packages/crowdstrike/1.7.0/data_stream/falcon/elasticsearch/ingest_pipeline/auth_activity_audit.yml b/packages/crowdstrike/1.7.0/data_stream/falcon/elasticsearch/ingest_pipeline/auth_activity_audit.yml deleted file mode 100755 index 1469046543..0000000000 --- a/packages/crowdstrike/1.7.0/data_stream/falcon/elasticsearch/ingest_pipeline/auth_activity_audit.yml +++ /dev/null @@ -1,32 +0,0 @@ ---- -processors: - - set: - field: event.kind - value: event - - append: - field: event.category - value: [authentication] - - append: - field: event.type - value: [change] - - convert: - field: crowdstrike.event.ServiceName - type: string - target_field: message - ignore_failure: true - ignore_missing: true - - convert: - field: crowdstrike.event.UserIp - target_field: source.ip - type: string - ignore_missing: true - ignore_failure: true - if: ctx?.crowdstrike?.event?.UserIp != null && ctx?.crowdstrike?.event?.UserIp != "" - - script: - lang: painless - source: | - def regex = /([a-z0-9])([A-Z])/; - def replacement = "$1_$2"; - def action = ctx?.crowdstrike?.event?.OperationName; - if (action == null || action == "") return; - ctx["event.action"] = regex.matcher(action).replaceAll(replacement).toLowerCase(); 
diff --git a/packages/crowdstrike/1.7.0/data_stream/falcon/elasticsearch/ingest_pipeline/default.yml b/packages/crowdstrike/1.7.0/data_stream/falcon/elasticsearch/ingest_pipeline/default.yml deleted file mode 100755 index a944e4da7d..0000000000 --- a/packages/crowdstrike/1.7.0/data_stream/falcon/elasticsearch/ingest_pipeline/default.yml +++ /dev/null 
@@ -1,423 +0,0 @@ ---- -description: Ingest pipeline for normalizing CrowdStrike Falcon logs -processors: - - set: - field: ecs.version - value: '8.4.0' - - rename: - field: message - target_field: event.original - ignore_missing: true - - json: - field: event.original - target_field: crowdstrike - - remove: - field: - - host.name - ignore_missing: true - - remove: - field: crowdstrike.event.ProcessStartTime - ignore_missing: true - if: ctx?.crowdstrike?.event?.ProcessStartTime == 0 - - date: - field: crowdstrike.event.ProcessStartTime - target_field: crowdstrike.event.ProcessStartTime - timezone: UTC - formats: - - UNIX_MS - ignore_failure: true - if: | - ctx?.crowdstrike?.event?.ProcessStartTime != null && - !(ctx.crowdstrike.event.ProcessStartTime instanceof String) && - (int)(Math.log10(ctx.crowdstrike.event.ProcessStartTime) + 1) >= 12 - - remove: - field: crowdstrike.event.ProcessEndTime - ignore_missing: true - if: ctx?.crowdstrike?.event?.ProcessEndTime == 0 - - date: - field: crowdstrike.event.ProcessEndTime - target_field: crowdstrike.event.ProcessEndTime - timezone: UTC - formats: - - UNIX_MS - ignore_failure: true - if: | - ctx?.crowdstrike?.event?.ProcessEndTime != null && - !(ctx.crowdstrike.event.ProcessEndTime instanceof String) && - (int)(Math.log10(ctx.crowdstrike.event.ProcessEndTime) + 1) >= 12 - - remove: - field: crowdstrike.event.IncidentStartTime - ignore_missing: true - if: ctx?.crowdstrike?.event?.IncidentStartTime == 0 - - date: - field: crowdstrike.event.IncidentStartTime - target_field: crowdstrike.event.IncidentStartTime - timezone: UTC - formats: - - UNIX_MS - ignore_failure: true - if: | - ctx?.crowdstrike?.event?.IncidentStartTime != null && - !(ctx.crowdstrike.event.IncidentStartTime instanceof String) && - (int)(Math.log10(ctx.crowdstrike.event.IncidentStartTime) + 1) >= 12 - - remove: - field: crowdstrike.event.IncidentEndTime - ignore_missing: true - if: ctx?.crowdstrike?.event?.IncidentEndTime == 0 - - date: - field: 
crowdstrike.event.IncidentEndTime - target_field: crowdstrike.event.IncidentEndTime - timezone: UTC - formats: - - UNIX_MS - ignore_failure: true - if: | - ctx?.crowdstrike?.event?.IncidentEndTime != null && - !(ctx.crowdstrike.event.IncidentEndTime instanceof String) && - (int)(Math.log10(ctx.crowdstrike.event.IncidentEndTime) + 1) >= 12 - - remove: - field: crowdstrike.event.StartTimestamp - ignore_missing: true - if: ctx?.crowdstrike?.event?.StartTimestamp == 0 - - date: - field: crowdstrike.event.StartTimestamp - target_field: crowdstrike.event.StartTimestamp - timezone: UTC - formats: - - UNIX_MS - ignore_failure: true - if: | - ctx?.crowdstrike?.event?.StartTimestamp != null && - !(ctx.crowdstrike.event.StartTimestamp instanceof String) && - (int)(Math.log10(ctx.crowdstrike.event.StartTimestamp) + 1) >= 12 - - remove: - field: crowdstrike.event.EndTimestamp - ignore_missing: true - if: ctx?.crowdstrike?.event?.EndTimestamp == 0 - - date: - field: crowdstrike.event.EndTimestamp - target_field: crowdstrike.event.EndTimestamp - timezone: UTC - formats: - - UNIX_MS - ignore_failure: true - if: | - ctx?.crowdstrike?.event?.EndTimestamp != null && - !(ctx.crowdstrike.event.EndTimestamp instanceof String) && - (int)(Math.log10(ctx.crowdstrike.event.EndTimestamp) + 1) >= 12 - - remove: - field: crowdstrike.event.UTCTimestamp - ignore_missing: true - if: ctx?.crowdstrike?.event?.UTCTimestamp == 0 - - date: - field: crowdstrike.event.UTCTimestamp - target_field: crowdstrike.event.UTCTimestamp - timezone: UTC - formats: - - UNIX_MS - ignore_failure: true - if: | - ctx?.crowdstrike?.event?.UTCTimestamp != null && - !(ctx.crowdstrike.event.UTCTimestamp instanceof String) && - (int)(Math.log10(ctx.crowdstrike.event.UTCTimestamp) + 1) >= 12 - - remove: - field: crowdstrike.metadata.eventCreationTime - ignore_missing: true - if: ctx?.crowdstrike?.metadata?.eventCreationTime == 0 - - date: - field: crowdstrike.metadata.eventCreationTime - target_field: 
crowdstrike.metadata.eventCreationTime - timezone: UTC - formats: - - UNIX_MS - ignore_failure: true - if: | - ctx?.crowdstrike?.metadata?.eventCreationTime != null && - !(ctx.crowdstrike.metadata.eventCreationTime instanceof String) && - (int)(Math.log10(ctx.crowdstrike.metadata.eventCreationTime) + 1) >= 12 - - date: - field: crowdstrike.event.ProcessStartTime - target_field: crowdstrike.event.ProcessStartTime - timezone: UTC - formats: - - UNIX - ignore_failure: true - if: | - ctx?.crowdstrike?.event?.ProcessStartTime != null && - !(ctx.crowdstrike.event.ProcessStartTime instanceof String) && - (int)(Math.log10(ctx.crowdstrike.event.ProcessStartTime) + 1) < 12 - - date: - field: crowdstrike.event.ProcessEndTime - target_field: crowdstrike.event.ProcessEndTime - timezone: UTC - formats: - - UNIX - ignore_failure: true - if: | - ctx?.crowdstrike?.event?.ProcessEndTime != null && - !(ctx.crowdstrike.event.ProcessEndTime instanceof String) && - (int)(Math.log10(ctx.crowdstrike.event.ProcessEndTime) + 1) < 12 - - date: - field: crowdstrike.event.IncidentStartTime - target_field: crowdstrike.event.IncidentStartTime - timezone: UTC - formats: - - UNIX - ignore_failure: true - if: | - ctx?.crowdstrike?.event?.IncidentStartTime != null && - !(ctx.crowdstrike.event.IncidentStartTime instanceof String) && - (int)(Math.log10(ctx.crowdstrike.event.IncidentStartTime) + 1) < 12 - - date: - field: crowdstrike.event.IncidentEndTime - target_field: crowdstrike.event.IncidentEndTime - timezone: UTC - formats: - - UNIX - ignore_failure: true - if: | - ctx?.crowdstrike?.event?.IncidentEndTime != null && - !(ctx.crowdstrike.event.IncidentEndTime instanceof String) && - (int)(Math.log10(ctx.crowdstrike.event.IncidentEndTime) + 1) < 12 - - date: - field: crowdstrike.event.StartTimestamp - target_field: crowdstrike.event.StartTimestamp - timezone: UTC - formats: - - UNIX - ignore_failure: true - if: | - ctx?.crowdstrike?.event?.StartTimestamp != null && - 
!(ctx.crowdstrike.event.StartTimestamp instanceof String) && - (int)(Math.log10(ctx.crowdstrike.event.StartTimestamp) + 1) < 12 - - date: - field: crowdstrike.event.EndTimestamp - target_field: crowdstrike.event.EndTimestamp - timezone: UTC - formats: - - UNIX - ignore_failure: true - if: | - ctx?.crowdstrike?.event?.EndTimestamp != null && - !(ctx.crowdstrike.event.EndTimestamp instanceof String) && - (int)(Math.log10(ctx.crowdstrike.event.EndTimestamp) + 1) < 12 - - date: - field: crowdstrike.event.UTCTimestamp - target_field: crowdstrike.event.UTCTimestamp - timezone: UTC - formats: - - UNIX - ignore_failure: true - if: | - ctx?.crowdstrike?.event?.UTCTimestamp != null && - !(ctx.crowdstrike.event.UTCTimestamp instanceof String) && - (int)(Math.log10(ctx.crowdstrike.event.UTCTimestamp) + 1) < 12 - - date: - field: crowdstrike.metadata.eventCreationTime - target_field: crowdstrike.metadata.eventCreationTime - timezone: UTC - formats: - - UNIX - ignore_failure: true - if: | - ctx?.crowdstrike?.metadata?.eventCreationTime != null && - !(ctx.crowdstrike.metadata.eventCreationTime instanceof String) && - (int)(Math.log10(ctx.crowdstrike.metadata.eventCreationTime) + 1) < 12 - - set: - field: event.outcome - value: success - if: ctx?.crowdstrike?.event?.Success == true - - set: - field: event.outcome - value: failure - if: ctx?.crowdstrike?.event?.Success == false - - set: - field: event.outcome - value: unknown - if: ctx?.event?.outcome == null - - convert: - field: crowdstrike.metadata.eventCreationTime - target_field: "@timestamp" - type: string - ignore_missing: true - ignore_failure: true - - convert: - field: crowdstrike.event.LateralMovement - type: long - ignore_missing: true - ignore_failure: true - - convert: - field: crowdstrike.event.LocalPort - type: long - ignore_missing: true - ignore_failure: true - - convert: - field: crowdstrike.event.MatchCount - type: long - ignore_missing: true - ignore_failure: true - - convert: - field: 
crowdstrike.event.MatchCountSinceLastReport - type: long - ignore_missing: true - ignore_failure: true - - convert: - field: crowdstrike.event.PID - type: long - ignore_missing: true - ignore_failure: true - - convert: - field: crowdstrike.event.RemotePort - type: long - ignore_missing: true - ignore_failure: true - - convert: - field: source.port - type: long - ignore_missing: true - ignore_failure: true - - convert: - field: destination.port - type: long - ignore_missing: true - ignore_failure: true - - convert: - field: crowdstrike.event.UserName - target_field: user.name - type: string - ignore_missing: true - ignore_failure: true - - convert: - field: crowdstrike.event.UserId - target_field: user.name - type: string - ignore_missing: true - ignore_failure: true - if: ctx?.user?.name == null || ctx?.user?.name == "" - - set: - field: user.email - value: "{{user.name}}" - ignore_empty_value: true - ignore_failure: true - if: ctx?.user?.name != null && /@/.split(ctx.user.name).length == 2 - - script: - lang: painless - source: | - def commandLine = ctx?.crowdstrike?.event?.CommandLine; - if (commandLine != null) { - - commandLine = commandLine.trim(); - - if (commandLine != "") { - def args = Arrays.asList(/ /.split(commandLine)); - args.removeIf(arg -> arg == ""); - - ctx["process.command_line"] = commandLine; - ctx["process.args"] = args; - ctx["process.executable"] = args.get(0); - } - } - - pipeline: - name: '{{ IngestPipeline "detection_summary" }}' - if: ctx?.crowdstrike?.metadata?.eventType == "DetectionSummaryEvent" - - pipeline: - name: '{{ IngestPipeline "incident_summary" }}' - if: ctx?.crowdstrike?.metadata?.eventType == "IncidentSummaryEvent" - - pipeline: - name: '{{ IngestPipeline "user_activity_audit" }}' - if: ctx?.crowdstrike?.metadata?.eventType == "UserActivityAuditEvent" - - pipeline: - name: '{{ IngestPipeline "auth_activity_audit" }}' - if: ctx?.crowdstrike?.metadata?.eventType == "AuthActivityAuditEvent" - - pipeline: - name: '{{ 
IngestPipeline "firewall_match" }}' - if: ctx?.crowdstrike?.metadata?.eventType == "FirewallMatchEvent" - - pipeline: - name: '{{ IngestPipeline "remote_response_session_start" }}' - if: ctx?.crowdstrike?.metadata?.eventType == "RemoteResponseSessionStartEvent" - - pipeline: - name: '{{ IngestPipeline "remote_response_session_end" }}' - if: ctx?.crowdstrike?.metadata?.eventType == "RemoteResponseSessionEndEvent" - - script: - lang: painless - if: ctx?.crowdstrike?.event != null - params: - values: - - null - - '' - - '-' - - 'N/A' - - 'NA' - - 0 - source: | - ctx.crowdstrike.event.entrySet().removeIf(entry -> params.values.contains(entry.getValue())); - - script: - lang: painless - if: ctx?.crowdstrike?.metadata != null - params: - values: - - null - - '' - - '-' - - 'N/A' - - 'NA' - source: | - ctx.crowdstrike.metadata.entrySet().removeIf(entry -> params.values.contains(entry.getValue())); - - append: - field: related.user - value: "{{user.name}}" - allow_duplicates: false - ignore_failure: true - if: ctx?.user?.name != null && ctx?.user?.name != "" - - append: - field: related.ip - value: "{{source.ip}}" - ignore_failure: true - allow_duplicates: false - if: ctx?.source?.ip != null && ctx?.source?.ip != "" - - append: - field: related.ip - value: "{{destination.ip}}" - ignore_failure: true - allow_duplicates: false - if: ctx?.destination?.ip != null && ctx?.destination?.ip != "" - - append: - field: related.hosts - value: "{{host.name}}" - ignore_failure: true - allow_duplicates: false - if: ctx?.host?.name != null && ctx?.host?.name != "" - - remove: - field: event.original - if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" - ignore_failure: true - ignore_missing: true - - script: - lang: painless - description: This script processor iterates over the whole document to remove fields with null values. 
- source: | - void handleMap(Map map) { - for (def x : map.values()) { - if (x instanceof Map) { - handleMap(x); - } else if (x instanceof List) { - handleList(x); - } - } - map.values().removeIf(v -> v == null || v == '' || (v instanceof Map && v.size() == 0) || (v instanceof List && v.size() == 0)); - } - void handleList(List list) { - for (def x : list) { - if (x instanceof Map) { - handleMap(x); - } else if (x instanceof List) { - handleList(x); - } - } - list.removeIf(v -> v == null || v == '' || (v instanceof Map && v.size() == 0) || (v instanceof List && v.size() == 0)); - } - handleMap(ctx); -on_failure: - - set: - field: error.message - value: '{{ _ingest.on_failure_message }}' diff --git a/packages/crowdstrike/1.7.0/data_stream/falcon/elasticsearch/ingest_pipeline/detection_summary.yml b/packages/crowdstrike/1.7.0/data_stream/falcon/elasticsearch/ingest_pipeline/detection_summary.yml deleted file mode 100755 index 22bebe784e..0000000000 --- a/packages/crowdstrike/1.7.0/data_stream/falcon/elasticsearch/ingest_pipeline/detection_summary.yml +++ /dev/null 
@@ -1,161 +0,0 @@ ---- -processors: - - set: - field: event.kind - value: alert - - append: - field: event.category - value: [malware] - - append: - field: event.type - value: [info] - - set: - field: agent.type - value: falcon - - convert: - field: crowdstrike.event.LocalIP - target_field: source.ip - type: string - ignore_failure: true - ignore_missing: true - if: ctx?.crowdstrike?.event?.LocalIP != null && ctx?.crowdstrike?.event?.LocalIP != "" - - convert: - field: crowdstrike.event.ProcessId - target_field: process.pid - ignore_failure: true - type: long - ignore_missing: true - - convert: - field: crowdstrike.event.ParentImageFileName - target_field: process.parent.executable - type: string - ignore_failure: true - ignore_missing: true - - convert: - field: crowdstrike.event.ParentCommandLine - target_field: process.parent.command_line - type: string - ignore_failure: true - ignore_missing: true - - convert: - field: crowdstrike.event.PatternDispositionDescription - target_field: event.action - type: string - ignore_failure: true - ignore_missing: true - - convert: - field: crowdstrike.event.FalconHostLink - target_field: event.url - type: string - ignore_failure: true - ignore_missing: true - - convert: - field: crowdstrike.event.Severity - target_field: event.severity - type: long - ignore_failure: true - ignore_missing: true - - convert: - field: crowdstrike.event.DetectDescription - target_field: message - type: string - ignore_failure: true - ignore_missing: true - - convert: - field: crowdstrike.event.FileName - target_field: process.name - type: string - ignore_failure: true - ignore_missing: true - - convert: - field: crowdstrike.event.UserName - target_field: user.name - type: string - ignore_failure: true - ignore_missing: true - - convert: - field: crowdstrike.event.MachineDomain - target_field: user.domain - type: string - ignore_failure: true - ignore_missing: true - - convert: - field: crowdstrike.event.SensorId - target_field: agent.id - type: 
string - ignore_failure: true - ignore_missing: true - - convert: - field: crowdstrike.event.ComputerName - target_field: host.name - type: string - ignore_failure: true - ignore_missing: true - - convert: - field: crowdstrike.event.SHA256String - target_field: file.hash.sha256 - type: string - ignore_failure: true - ignore_missing: true - - append: - field: related.hash - value: "{{file.hash.sha256}}" - allow_duplicates: false - ignore_failure: true - if: ctx?.file?.hash?.sha256 != null && ctx?.file?.hash?.sha256 != "" && !(/^0+$/.matcher(ctx.file.hash.sha256).matches()) - - convert: - field: crowdstrike.event.MD5String - target_field: file.hash.md5 - type: string - ignore_failure: true - ignore_missing: true - - append: - field: related.hash - value: "{{file.hash.md5}}" - allow_duplicates: false - ignore_failure: true - if: ctx?.file?.hash?.md5 != null && ctx?.file?.hash?.md5 != "" && !(/^0+$/.matcher(ctx.file.hash.md5).matches()) - - convert: - field: crowdstrike.event.SHA1String - target_field: file.hash.sha1 - type: string - ignore_failure: true - ignore_missing: true - - append: - field: related.hash - value: "{{file.hash.sha1}}" - allow_duplicates: false - ignore_failure: true - if: ctx?.file?.hash?.sha1 != null && ctx?.file?.hash?.sha1 != "" && !(/^0+$/.matcher(ctx.file.hash.sha1).matches()) - - convert: - field: crowdstrike.event.DetectName - target_field: rule.name - type: string - ignore_failure: true - ignore_missing: true - - convert: - field: crowdstrike.event.DetectDescription - target_field: rule.description - type: string - ignore_failure: true - ignore_missing: true - - convert: - field: crowdstrike.event.Technique - target_field: threat.technique.name - type: string - ignore_failure: true - ignore_missing: true - - lowercase: - field: threat.technique.name - ignore_missing: true - ignore_failure: true - - convert: - field: crowdstrike.event.Tactic - target_field: threat.tactic.name - type: string - ignore_failure: true - ignore_missing: true - - 
lowercase: - field: threat.tactic.name - ignore_missing: true - ignore_failure: true diff --git a/packages/crowdstrike/1.7.0/data_stream/falcon/elasticsearch/ingest_pipeline/firewall_match.yml b/packages/crowdstrike/1.7.0/data_stream/falcon/elasticsearch/ingest_pipeline/firewall_match.yml deleted file mode 100755 index 28dac8ccd0..0000000000 --- a/packages/crowdstrike/1.7.0/data_stream/falcon/elasticsearch/ingest_pipeline/firewall_match.yml +++ /dev/null 
@@ -1,135 +0,0 @@ ---- -processors: - - set: - field: event.kind - value: event - - append: - field: event.category - value: [network] - - append: - field: event.action - value: [firewall_match_event] - - append: - field: event.type - value: [start, connection] - - set: - field: message - value: "Firewall Rule '{{crowdstrike.event.RuleName}}' triggered" - if: ctx?.crowdstrike?.event?.RuleName != null - ignore_failure: true - - convert: - field: "crowdstrike.event.Ipv" - target_field: "network.type" - type: string - ignore_missing: true - ignore_failure: true - - convert: - field: "crowdstrike.event.PID" - target_field: "process.pid" - ignore_failure: true - ignore_missing: true - type: "long" - - convert: - field: "crowdstrike.event.RuleId" - target_field: "rule.id" - type: string - ignore_missing: true - ignore_failure: true - - convert: - field: "crowdstrike.event.RuleName" - target_field: "rule.name" - type: string - ignore_missing: true - ignore_failure: true - - convert: - field: "crowdstrike.event.RuleGroupName" - target_field: "rule.ruleset" - type: string - ignore_missing: true - ignore_failure: true - - convert: - field: "crowdstrike.event.RuleDescription" - target_field: "rule.description" - type: string - ignore_missing: true - ignore_failure: true - - convert: - field: "crowdstrike.event.RuleFamilyID" - target_field: "rule.category" - type: string - ignore_missing: true - ignore_failure: true - - convert: - field: "crowdstrike.event.HostName" - target_field: "host.name" - type: string - ignore_missing: true - ignore_failure: true - - convert: - field: "crowdstrike.event.Ipv" - target_field: "network.type" - type: string - ignore_missing: true - ignore_failure: true - - convert: - field: "crowdstrike.event.EventType" - target_field: "event.code" - type: string - ignore_missing: true - ignore_failure: true - - set: - field: network.direction - value: ingress - if: ctx?.crowdstrike?.event?.ConnectionDirection == "1" - - set: - field: source.ip - value: 
"{{crowdstrike.event.RemoteAddress}}" - ignore_empty_value: true - if: ctx?.crowdstrike?.event?.ConnectionDirection == "1" - - convert: - field: crowdstrike.event.RemotePort - target_field: source.port - type: long - ignore_missing: true - ignore_failure: true - if: ctx?.crowdstrike?.event?.ConnectionDirection == "1" - - set: - field: destination.ip - value: "{{crowdstrike.event.LocalAddress}}" - ignore_empty_value: true - if: ctx?.crowdstrike?.event?.ConnectionDirection == "1" - - convert: - field: crowdstrike.event.LocalPort - target_field: destination.port - type: long - ignore_missing: true - ignore_failure: true - if: ctx?.crowdstrike?.event?.ConnectionDirection == "1" - - set: - field: network.direction - value: ingress - if: ctx?.crowdstrike?.event?.ConnectionDirection != "1" - - set: - field: destination.ip - value: "{{crowdstrike.event.RemoteAddress}}" - ignore_empty_value: true - if: ctx?.crowdstrike?.event?.ConnectionDirection != "1" - - convert: - field: crowdstrike.event.RemotePort - target_field: destination.port - type: long - ignore_missing: true - ignore_failure: true - if: ctx?.crowdstrike?.event?.ConnectionDirection != "1" - - set: - field: source.ip - value: "{{crowdstrike.event.LocalAddress}}" - ignore_empty_value: true - if: ctx?.crowdstrike?.event?.ConnectionDirection != "1" - - convert: - field: crowdstrike.event.LocalPort - target_field: source.port - type: long - ignore_missing: true - ignore_failure: true - if: ctx?.crowdstrike?.event?.ConnectionDirection != "1" diff --git a/packages/crowdstrike/1.7.0/data_stream/falcon/elasticsearch/ingest_pipeline/incident_summary.yml b/packages/crowdstrike/1.7.0/data_stream/falcon/elasticsearch/ingest_pipeline/incident_summary.yml deleted file mode 100755 index 667222dc79..0000000000 --- a/packages/crowdstrike/1.7.0/data_stream/falcon/elasticsearch/ingest_pipeline/incident_summary.yml +++ /dev/null 
@@ -1,27 +0,0 @@ ---- -processors: - - set: - field: event.kind - value: alert - - append: - field: event.category - value: [malware] - - append: - field: event.type - value: [info] - - set: - field: event.action - value: incident - - set: - field: agent.type - value: falcon - - convert: - field: crowdstrike.event.FalconHostLink - target_field: event.url - type: string - ignore_failure: true - ignore_missing: true - - set: - field: message - value: "Incident score {{crowdstrike.event.FineScore}}" - if: ctx?.crowdstrike?.event?.FineScore != null diff --git a/packages/crowdstrike/1.7.0/data_stream/falcon/elasticsearch/ingest_pipeline/remote_response_session_end.yml b/packages/crowdstrike/1.7.0/data_stream/falcon/elasticsearch/ingest_pipeline/remote_response_session_end.yml deleted file mode 100755 index 7415f62e1d..0000000000 --- a/packages/crowdstrike/1.7.0/data_stream/falcon/elasticsearch/ingest_pipeline/remote_response_session_end.yml +++ /dev/null @@ -1,23 +0,0 @@ ---- -processors: - - set: - field: event.kind - value: event - - append: - field: event.category - value: [network, session] - - append: - field: event.action - value: [remote_response_session_end_event] - - append: - field: event.type - value: [end] - - set: - field: message - value: Remote response session ended. - - convert: - field: crowdstrike.event.HostnameField - target_field: host.name - type: string - ignore_failure: true - ignore_missing: true diff --git a/packages/crowdstrike/1.7.0/data_stream/falcon/elasticsearch/ingest_pipeline/remote_response_session_start.yml b/packages/crowdstrike/1.7.0/data_stream/falcon/elasticsearch/ingest_pipeline/remote_response_session_start.yml deleted file mode 100755 index d965bd8ac7..0000000000 --- a/packages/crowdstrike/1.7.0/data_stream/falcon/elasticsearch/ingest_pipeline/remote_response_session_start.yml +++ /dev/null 
@@ -1,23 +0,0 @@
----
-processors:
- - set:
- field: event.kind
- value: event
- - append:
- field: event.category
- value: [network, session]
- - append:
- field: event.action
- value: [remote_response_session_start_event]
- - append:
- field: event.type
- value: [start]
- - set:
- field: message
- value: Remote response session started.
- - convert:
- field: crowdstrike.event.HostnameField
- target_field: host.name
- type: string
- ignore_failure: true
- ignore_missing: true
diff --git a/packages/crowdstrike/1.7.0/data_stream/falcon/elasticsearch/ingest_pipeline/user_activity_audit.yml b/packages/crowdstrike/1.7.0/data_stream/falcon/elasticsearch/ingest_pipeline/user_activity_audit.yml
deleted file mode 100755
index 7d03e0115b..0000000000
--- a/packages/crowdstrike/1.7.0/data_stream/falcon/elasticsearch/ingest_pipeline/user_activity_audit.yml
+++ /dev/null
@@ -1,27 +0,0 @@
----
-processors:
- - set:
- field: event.kind
- value: event
- - append:
- field: event.category
- value: [iam]
- - append:
- field: event.type
- value: [change]
- - set:
- field: event.action
- value: user_activity_audit_event
- - convert:
- field: crowdstrike.event.OperationName
- target_field: message
- type: string
- ignore_failure: true
- ignore_missing: true
- - convert:
- field: crowdstrike.event.UserIp
- target_field: source.ip
- type: string
- ignore_failure: true
- ignore_missing: true
- if: ctx?.crowdstrike?.event?.UserIp != null && ctx?.crowdstrike?.event?.UserIp != ""
diff --git a/packages/crowdstrike/1.7.0/data_stream/falcon/fields/agent.yml b/packages/crowdstrike/1.7.0/data_stream/falcon/fields/agent.yml
deleted file mode 100755
index 5c9e2055ad..0000000000
--- a/packages/crowdstrike/1.7.0/data_stream/falcon/fields/agent.yml
+++ /dev/null
@@ -1,190 +0,0 @@ -- description: Fields related to the cloud or infrastructure the events are coming from. - fields: - - description: |- - The cloud account or organization id used to identify different entities in a multi-tenant environment. - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. - example: 666777888999 - ignore_above: 1024 - level: extended - name: account.id - type: keyword - - description: Availability zone in which this host is running. - example: us-east-1c - ignore_above: 1024 - level: extended - name: availability_zone - type: keyword - - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - ignore_above: 1024 - level: extended - name: instance.id - type: keyword - - description: Instance name of the host machine. - ignore_above: 1024 - level: extended - name: instance.name - type: keyword - - description: Machine type of the host machine. - example: t2.medium - ignore_above: 1024 - level: extended - name: machine.type - type: keyword - - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - ignore_above: 1024 - level: extended - name: provider - type: keyword - - description: Region in which this host is running. - example: us-east-1 - ignore_above: 1024 - level: extended - name: region - type: keyword - - description: Name of the project in Google Cloud. - name: project.id - type: keyword - - description: Image ID for the cloud instance. - name: image.id - type: keyword - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' 
- group: 2 - name: cloud - title: Cloud - type: group -- description: |- - Container fields are used for meta information about the specific container that is the source of information. - These fields help correlate data based containers from any runtime. - fields: - - description: Unique container id. - name: id - type: keyword - - description: Name of the image the container was built on. - ignore_above: 1024 - level: extended - name: image.name - type: keyword - - description: Image labels. - level: extended - name: labels - object_type: keyword - type: object - - description: Container name. - ignore_above: 1024 - level: extended - name: name - type: keyword - group: 2 - name: container - title: Container - type: group -- description: |- - A host is defined as a general computing instance. - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes. - fields: - - description: Operating system architecture. - example: x86_64 - ignore_above: 1024 - level: core - name: architecture - type: keyword - - default_field: false - description: |- - Name of the domain of which the host is a member. - For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. - example: CONTOSO - ignore_above: 1024 - level: extended - name: domain - type: keyword - - description: |- - Hostname of the host. - It normally contains what the `hostname` command returns on the host machine. - ignore_above: 1024 - level: core - name: hostname - type: keyword - - description: |- - Unique host id. - As hostname is not always unique, use values that are meaningful in your environment. - Example: The current usage of `beat.name`. - ignore_above: 1024 - level: core - name: id - type: keyword - - description: Host ip addresses. 
- level: core - name: ip - type: ip - - description: Host mac addresses. - ignore_above: 1024 - level: core - name: mac - type: keyword - - description: |- - Name of the host. - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. - name: name - type: keyword - - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - ignore_above: 1024 - level: extended - name: os.family - type: keyword - - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - ignore_above: 1024 - level: extended - name: os.kernel - type: keyword - - description: Operating system name, without the version. - example: Mac OS X - ignore_above: 1024 - level: extended - multi_fields: - - default_field: false - name: text - norms: false - type: text - name: os.name - type: keyword - - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - ignore_above: 1024 - level: extended - name: os.platform - type: keyword - - description: Operating system version as a raw string. - example: 10.14.1 - ignore_above: 1024 - level: extended - name: os.version - type: keyword - - description: |- - Type of host. - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. - ignore_above: 1024 - level: core - name: type - type: keyword - - description: | - If the host is a container. - name: containerized - type: boolean - - description: | - OS build information. - example: 18D109 - name: os.build - type: keyword - - description: | - OS codename, if any. - example: stretch - name: os.codename - type: keyword - group: 2 - name: host - title: Host - type: group 
diff --git a/packages/crowdstrike/1.7.0/data_stream/falcon/fields/base-fields.yml b/packages/crowdstrike/1.7.0/data_stream/falcon/fields/base-fields.yml
deleted file mode 100755
index 8248c071b3..0000000000
--- a/packages/crowdstrike/1.7.0/data_stream/falcon/fields/base-fields.yml
+++ /dev/null
@@ -1,20 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset name.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: event.module
- type: constant_keyword
- description: Event module
- value: crowdstrike
-- name: event.dataset
- type: constant_keyword
- description: Event dataset
- value: crowdstrike.falcon
-- name: "@timestamp"
- type: date
- description: Event timestamp.
diff --git a/packages/crowdstrike/1.7.0/data_stream/falcon/fields/beats.yml b/packages/crowdstrike/1.7.0/data_stream/falcon/fields/beats.yml
deleted file mode 100755
index 986a819b29..0000000000
--- a/packages/crowdstrike/1.7.0/data_stream/falcon/fields/beats.yml
+++ /dev/null
@@ -1,14 +0,0 @@
-- description: Type of Filebeat input.
- name: input.type
- type: keyword
-- description: Flags for the log file.
- name: log.flags
- type: keyword
-- description: Offset of the entry in the log file.
- name: log.offset
- type: long
-- description: |-
- Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate.
- If the event wasn't read from a log file, do not populate this field.
- name: log.file.path
- type: keyword
diff --git a/packages/crowdstrike/1.7.0/data_stream/falcon/fields/ecs.yml b/packages/crowdstrike/1.7.0/data_stream/falcon/fields/ecs.yml
deleted file mode 100755
index 61f919ae38..0000000000
--- a/packages/crowdstrike/1.7.0/data_stream/falcon/fields/ecs.yml
+++ /dev/null
@@ -1,239 +0,0 @@ -- description: |- - For log events the message field contains the log message, optimized for viewing in a log viewer. - For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. - If multiple messages exist, they can be combined into one message. - name: message - type: match_only_text -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: |- - Identification code for this event, if one exists. - Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. - name: event.code - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. 
This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. This will allow proper categorization of some events that fall in multiple categories. - name: event.category - normalize: - - array - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. - `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. This will allow proper categorization of some events that fall in multiple event types. - name: event.type - normalize: - - array - type: keyword -- description: |- - The action captured by the event. - This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. - name: event.action - type: keyword -- description: |- - Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. - This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. - doc_values: false - index: false - name: event.original - type: keyword -- description: |- - Timestamp when an event arrived in the central data store. - This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. - In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. 
- name: event.ingested - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. - `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. - Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. - Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. - Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. - name: event.outcome - type: keyword -- description: |- - URL linking to an external system to continue investigation of this event. - This URL links to another system where in-depth investigation of the specific occurrence of this event can take place. Alert events, indicated by `event.kind:alert`, are a common use case for this field. - name: event.url - type: keyword -- description: |- - The numeric severity of the event according to your event source. - What the different severity values mean can be different between sources and use cases. It's up to the implementer to make sure severities are consistent across events from the same source. - The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`. - name: event.severity - type: long -- description: Short name or login of the user. 
- multi_fields: - - name: text - type: match_only_text - name: user.name - type: keyword -- description: |- - Name of the directory the user is a member of. - For example, an LDAP or Active Directory domain name. - name: user.domain - type: keyword -- description: User email address. - name: user.email - type: keyword -- description: The name of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1059/) - multi_fields: - - name: text - type: match_only_text - name: threat.technique.name - normalize: - - array - type: keyword -- description: Name of the type of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/) - name: threat.tactic.name - normalize: - - array - type: keyword -- description: Process id. - name: process.pid - type: long -- description: |- - Process name. - Sometimes called program name or similar. - multi_fields: - - name: text - type: match_only_text - name: process.name - type: keyword -- description: |- - Full command line that started the process, including the absolute path to the executable, and all arguments. - Some arguments may be filtered to protect sensitive information. - multi_fields: - - name: text - type: match_only_text - name: process.command_line - type: wildcard -- description: |- - Array of process arguments, starting with the absolute path to the executable. - May be filtered to protect sensitive information. - name: process.args - normalize: - - array - type: keyword -- description: Absolute path to the process executable. - multi_fields: - - name: text - type: match_only_text - name: process.executable - type: keyword -- description: Absolute path to the process executable. 
- multi_fields: - - name: text - type: match_only_text - name: process.parent.executable - type: keyword -- description: |- - Full command line that started the process, including the absolute path to the executable, and all arguments. - Some arguments may be filtered to protect sensitive information. - multi_fields: - - name: text - type: match_only_text - name: process.parent.command_line - type: wildcard -- description: |- - Custom name of the agent. - This is a name that can be given to an agent. This can be helpful if for example two Filebeat instances are running on the same host but a human readable separation is needed on which Filebeat instance data is coming from. - name: agent.name - type: keyword -- description: |- - Unique identifier of this agent (if one exists). - Example: For Beats this would be beat.id. - name: agent.id - type: keyword -- description: |- - Type of the agent. - The agent type always stays the same and should be given by the agent used. In case of Filebeat the agent would always be Filebeat also if two Filebeat instances are run on the same machine. - name: agent.type - type: keyword -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: Port of the source. - name: source.port - type: long -- description: IP address of the destination (IPv4 or IPv6). - name: destination.ip - type: ip -- description: Port of the destination. - name: destination.port - type: long -- description: SHA1 hash. - name: file.hash.sha1 - type: keyword -- description: SHA256 hash. - name: file.hash.sha256 - type: keyword -- description: MD5 hash. - name: file.hash.md5 - type: keyword -- description: A rule ID that is unique within the scope of an agent, observer, or other entity using the rule for detection of this event. - name: rule.id - type: keyword -- description: The name of the rule or signature generating the event. 
- name: rule.name - type: keyword -- description: The description of the rule generating the event. - name: rule.description - type: keyword -- description: Error message. - name: error.message - type: match_only_text -- description: Name of the ruleset, policy, group, or parent category in which the rule used to generate this event is a member. - name: rule.ruleset - type: keyword -- description: A categorization value keyword used by the entity using the rule for detection of this event. - name: rule.category - type: keyword -- description: |- - Direction of the network traffic. - When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". - When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". - Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. - name: network.direction - type: keyword -- description: |- - In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc - The field value must be normalized to lowercase for querying. - name: network.type - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - normalize: - - array - type: ip -- description: All the user names or other user identifiers seen on the event. - name: related.user - normalize: - - array - type: keyword -- description: All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. 
- name: related.hosts - normalize: - - array - type: keyword -- description: All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). - name: related.hash - normalize: - - array - type: keyword -- description: List of keywords used to tag each event. - name: tags - normalize: - - array - type: keyword diff --git a/packages/crowdstrike/1.7.0/data_stream/falcon/fields/fields.yml b/packages/crowdstrike/1.7.0/data_stream/falcon/fields/fields.yml deleted file mode 100755 index f8b93a2aaf..0000000000 --- a/packages/crowdstrike/1.7.0/data_stream/falcon/fields/fields.yml +++ /dev/null 
@@ -1,399 +0,0 @@ -- name: crowdstrike.metadata - title: Metadata fields - type: group - fields: - - name: eventType - type: keyword - description: | - DetectionSummaryEvent, FirewallMatchEvent, IncidentSummaryEvent, RemoteResponseSessionStartEvent, RemoteResponseSessionEndEvent, AuthActivityAuditEvent, or UserActivityAuditEvent - - name: eventCreationTime - type: date - description: | - The time this event occurred on the endpoint in UTC UNIX_MS format. - - name: offset - type: integer - description: | - Offset number that tracks the location of the event in stream. This is used to identify unique detection events. - - name: customerIDString - type: keyword - description: | - Customer identifier - - name: version - type: keyword - description: | - Schema version -- name: crowdstrike.event - title: Event fields - type: group - fields: - - name: ProcessStartTime - type: date - description: | - The process start time in UTC UNIX_MS format. - - name: ProcessEndTime - type: date - description: | - The process termination time in UTC UNIX_MS format. - - name: ProcessId - type: integer - description: | - Process ID related to the detection. - - name: ParentProcessId - type: integer - description: | - Parent process ID related to the detection. - - name: ComputerName - type: keyword - description: | - Name of the computer where the detection occurred. - - name: UserName - type: keyword - description: | - User name associated with the detection. - - name: DetectName - type: keyword - description: | - Name of the detection. - - name: DetectDescription - type: keyword - description: | - Description of the detection. - - name: Severity - type: integer - description: | - Severity score of the detection. - - name: SeverityName - type: keyword - description: | - Severity score text. - - name: FileName - type: keyword - description: | - File name of the associated process for the detection. 
- - name: FilePath - type: keyword - description: | - Path of the executable associated with the detection. - - name: CommandLine - type: keyword - description: | - Executable path with command line arguments. - - name: SHA1String - type: keyword - description: | - SHA1 sum of the executable associated with the detection. - - name: SHA256String - type: keyword - description: | - SHA256 sum of the executable associated with the detection. - - name: MD5String - type: keyword - description: | - MD5 sum of the executable associated with the detection. - - name: MachineDomain - type: keyword - description: | - Domain for the machine associated with the detection. - - name: FalconHostLink - type: keyword - description: | - URL to view the detection in Falcon. - - name: SensorId - type: keyword - description: | - Unique ID associated with the Falcon sensor. - - name: DetectId - type: keyword - description: | - Unique ID associated with the detection. - - name: LocalIP - type: keyword - description: | - IP address of the host associated with the detection. - - name: MACAddress - type: keyword - description: | - MAC address of the host associated with the detection. - - name: Tactic - type: keyword - description: | - MITRE tactic category of the detection. - - name: Technique - type: keyword - description: | - MITRE technique category of the detection. - - name: Objective - type: keyword - description: | - Method of detection. - - name: PatternDispositionDescription - type: keyword - description: | - Action taken by Falcon. - - name: PatternDispositionValue - type: integer - description: | - Unique ID associated with action taken. - - name: PatternDispositionFlags - type: group - description: | - Flags indicating actions taken. 
- fields: - - name: Detect - type: boolean - - name: InddetMask - type: boolean - - name: Indicator - type: boolean - - name: KillParent - type: boolean - - name: KillProcess - type: boolean - - name: KillSubProcess - type: boolean - - name: OperationBlocked - type: boolean - - name: PolicyDisabled - type: boolean - - name: ProcessBlocked - type: boolean - - name: QuarantineFile - type: boolean - - name: QuarantineMachine - type: boolean - - name: Rooting - type: boolean - - name: SensorOnly - type: boolean - - name: BootupSafeguardEnabled - type: boolean - - name: CriticalProcessDisabled - type: boolean - - name: FsOperationBlocked - type: boolean - - name: RegistryOperationBlocked - type: boolean - - name: State - type: keyword - description: | - Whether the incident summary is open and ongoing or closed. - - name: IncidentStartTime - type: date - description: | - Start time for the incident in UTC UNIX format. - - name: IncidentEndTime - type: date - description: | - End time for the incident in UTC UNIX format. - - name: FineScore - type: float - description: | - Score for incident. - - name: UserId - type: keyword - description: | - Email address or user ID associated with the event. - - name: UserIp - type: keyword - description: | - IP address associated with the user. - - name: OperationName - type: keyword - description: | - Event subtype. - - name: ServiceName - type: keyword - description: | - Service associated with this event. - - name: Success - type: boolean - description: | - Indicator of whether or not this event was successful. - - name: UTCTimestamp - type: date - description: | - Timestamp associated with this event in UTC UNIX format. - - name: AuditKeyValues - type: nested - description: | - Fields that were changed in this event. - - name: ExecutablesWritten - type: nested - description: | - Detected executables written to disk by a process. - - name: SessionId - type: keyword - description: | - Session ID of the remote response session. 
- - name: HostnameField - type: keyword - description: | - Host name of the machine for the remote session. - - name: StartTimestamp - type: date - description: | - Start time for the remote session in UTC UNIX format. - - name: EndTimestamp - type: date - description: | - End time for the remote session in UTC UNIX format. - - name: LateralMovement - type: long - description: | - Lateral movement field for incident. - - name: ParentImageFileName - type: keyword - description: | - Path to the parent process. - - name: ParentCommandLine - type: keyword - description: | - Parent process command line arguments. - - name: GrandparentImageFileName - type: keyword - description: | - Path to the grandparent process. - - name: GrandparentCommandLine - type: keyword - description: | - Grandparent process command line arguments. - - name: IOCType - type: keyword - description: | - CrowdStrike type for indicator of compromise. - - name: IOCValue - type: keyword - description: | - CrowdStrike value for indicator of compromise. - - name: CustomerId - type: keyword - description: | - Customer identifier. - - name: DeviceId - type: keyword - description: | - Device on which the event occurred. - - name: Ipv - type: keyword - description: | - Protocol for network request. - - name: ConnectionDirection - type: keyword - description: | - Direction for network connection. - - name: EventType - type: keyword - description: | - CrowdStrike provided event type. - - name: HostName - type: keyword - description: | - Host name of the local machine. - - name: ICMPCode - type: keyword - description: | - RFC2780 ICMP Code field. - - name: ICMPType - type: keyword - description: | - RFC2780 ICMP Type field. - - name: ImageFileName - type: keyword - description: | - File name of the associated process for the detection. - - name: PID - type: long - description: | - Associated process id for the detection. - - name: LocalAddress - type: ip - description: | - IP address of local machine. 
- - name: LocalPort - type: long - description: | - Port of local machine. - - name: RemoteAddress - type: ip - description: | - IP address of remote machine. - - name: RemotePort - type: long - description: | - Port of remote machine. - - name: RuleAction - type: keyword - description: | - Firewall rule action. - - name: RuleDescription - type: keyword - description: | - Firewall rule description. - - name: RuleFamilyID - type: keyword - description: | - Firewall rule family id. - - name: RuleGroupName - type: keyword - description: | - Firewall rule group name. - - name: RuleName - type: keyword - description: | - Firewall rule name. - - name: RuleId - type: keyword - description: | - Firewall rule id. - - name: MatchCount - type: long - description: | - Number of firewall rule matches. - - name: MatchCountSinceLastReport - type: long - description: | - Number of firewall rule matches since the last report. - - name: Timestamp - type: date - description: | - Firewall rule triggered timestamp. - - name: Flags.Audit - type: boolean - description: | - CrowdStrike audit flag. - - name: Flags.Log - type: boolean - description: | - CrowdStrike log flag. - - name: Flags.Monitor - type: boolean - description: | - CrowdStrike monitor flag. - - name: Protocol - type: keyword - description: | - CrowdStrike provided protocol. - - name: NetworkProfile - type: keyword - description: | - CrowdStrike network profile. - - name: PolicyName - type: keyword - description: | - CrowdStrike policy name. - - name: PolicyID - type: keyword - description: | - CrowdStrike policy id. - - name: Status - type: keyword - description: | - CrowdStrike status. - - name: TreeID - type: keyword - description: | - CrowdStrike tree id. - - name: Commands - type: keyword - description: | - Commands run in a remote session. 
diff --git a/packages/crowdstrike/1.7.0/data_stream/falcon/manifest.yml b/packages/crowdstrike/1.7.0/data_stream/falcon/manifest.yml deleted file mode 100755 index 29fc804f02..0000000000 --- a/packages/crowdstrike/1.7.0/data_stream/falcon/manifest.yml +++ /dev/null @@ -1,42 +0,0 @@ -type: logs -title: Crowdstrike falcon logs -streams: - - input: logfile - vars: - - name: paths - type: text - title: Paths - multi: true - required: true - show_user: true - default: - - /var/log/crowdstrike/falconhoseclient/output - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: false - default: - - forwarded - - crowdstrike-falcon - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original` - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: > - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. - - template_path: log.yml.hbs - title: Crowdstrike falcon logs (log) - description: Collect Crowdstrike falcon logs using log input diff --git a/packages/crowdstrike/1.7.0/data_stream/falcon/sample_event.json b/packages/crowdstrike/1.7.0/data_stream/falcon/sample_event.json deleted file mode 100755 index e12d36b60c..0000000000 --- a/packages/crowdstrike/1.7.0/data_stream/falcon/sample_event.json +++ /dev/null 
@@ -1,109 +0,0 @@ -{ - "@timestamp": "2020-02-12T21:29:10.710Z", - "agent": { - "ephemeral_id": "cc9fb403-5b26-4fe7-aefc-41666b9f4575", - "id": "ca0beb8d-9522-4450-8af7-3cb7f3d8c478", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "8.2.0" - }, - "crowdstrike": { - "event": { - "AuditKeyValues": [ - { - "Key": "APIClientID", - "ValueString": "1234567890abcdefghijklmnopqr" - }, - { - "Key": "partition", - "ValueString": "0" - }, - { - "Key": "offset", - "ValueString": "-1" - }, - { - "Key": "appId", - "ValueString": "siem-connector-v2.0.0" - }, - { - "Key": "eventType", - "ValueString": "[UserActivityAuditEvent HashSpreadingEvent RemoteResponseSessionStartEvent RemoteResponseSessionEndEvent DetectionSummaryEvent AuthActivityAuditEvent]" - } - ], - "OperationName": "streamStarted", - "ServiceName": "Crowdstrike Streaming API", - "Success": true, - "UTCTimestamp": "2020-02-12T21:29:10.000Z", - "UserId": "api-client-id:1234567890abcdefghijklmnopqrstuvwxyz", - "UserIp": "10.10.0.8" - }, - "metadata": { - "customerIDString": "8f69fe9e-b995-4204-95ad-44f9bcf75b6b", - "eventCreationTime": "2020-02-12T21:29:10.710Z", - "eventType": "AuthActivityAuditEvent", - "offset": 0, - "version": "1.0" - } - }, - "data_stream": { - "dataset": "crowdstrike.falcon", - "namespace": "ep", - "type": "logs" - }, - "ecs": { - "version": "8.3.0" - }, - "elastic_agent": { - "id": "ca0beb8d-9522-4450-8af7-3cb7f3d8c478", - "snapshot": false, - "version": "8.2.0" - }, - "event": { - "agent_id_status": "verified", - "category": [ - "authentication" - ], - "dataset": "crowdstrike.falcon", - "ingested": "2022-05-09T16:35:19Z", - "kind": "event", - "original": "{\n \"metadata\": {\n \"customerIDString\": \"8f69fe9e-b995-4204-95ad-44f9bcf75b6b\",\n \"offset\": 0,\n \"eventType\": \"AuthActivityAuditEvent\",\n \"eventCreationTime\": 1581542950710,\n \"version\": \"1.0\"\n },\n \"event\": {\n \"UserId\": \"api-client-id:1234567890abcdefghijklmnopqrstuvwxyz\",\n \"UserIp\": 
\"10.10.0.8\",\n \"OperationName\": \"streamStarted\",\n \"ServiceName\": \"Crowdstrike Streaming API\",\n \"Success\": true,\n \"UTCTimestamp\": 1581542950,\n \"AuditKeyValues\": [\n {\n \"Key\": \"APIClientID\",\n \"ValueString\": \"1234567890abcdefghijklmnopqr\"\n },\n {\n \"Key\": \"partition\",\n \"ValueString\": \"0\"\n },\n {\n \"Key\": \"offset\",\n \"ValueString\": \"-1\"\n },\n {\n \"Key\": \"appId\",\n \"ValueString\": \"siem-connector-v2.0.0\"\n },\n {\n \"Key\": \"eventType\",\n \"ValueString\": \"[UserActivityAuditEvent HashSpreadingEvent RemoteResponseSessionStartEvent RemoteResponseSessionEndEvent DetectionSummaryEvent AuthActivityAuditEvent]\"\n }\n ]\n }\n}", - "outcome": "success", - "type": [ - "change" - ] - }, - "event.action": "stream_started", - "input": { - "type": "log" - }, - "log": { - "file": { - "path": "/tmp/service_logs/falcon-audit-events.log" - }, - "flags": [ - "multiline" - ], - "offset": 910 - }, - "message": "Crowdstrike Streaming API", - "related": { - "ip": [ - "10.10.0.8" - ], - "user": [ - "api-client-id:1234567890abcdefghijklmnopqrstuvwxyz" - ] - }, - "source": { - "ip": "10.10.0.8" - }, - "tags": [ - "preserve_original_event", - "forwarded", - "crowdstrike-falcon" - ], - "user": { - "name": "api-client-id:1234567890abcdefghijklmnopqrstuvwxyz" - } -} \ No newline at end of file diff --git a/packages/crowdstrike/1.7.0/data_stream/fdr/agent/stream/aws-s3.yml.hbs b/packages/crowdstrike/1.7.0/data_stream/fdr/agent/stream/aws-s3.yml.hbs deleted file mode 100755 index d984f1b079..0000000000 --- a/packages/crowdstrike/1.7.0/data_stream/fdr/agent/stream/aws-s3.yml.hbs +++ /dev/null 
@@ -1,60 +0,0 @@ -queue_url: {{queue_url}} -{{#if credential_profile_name}} -credential_profile_name: {{credential_profile_name}} -{{/if}} -{{#if shared_credential_file}} -shared_credential_file: {{shared_credential_file}} -{{/if}} -{{#if visibility_timeout}} -visibility_timeout: {{visibility_timeout}} -{{/if}} -{{#if api_timeout}} -api_timeout: {{api_timeout}} -{{/if}} -{{#if endpoint}} -endpoint: {{endpoint}} -{{/if}} -{{#if default_region}} -default_region: {{default_region}} -{{/if}} -{{#if access_key_id}} -access_key_id: {{access_key_id}} -{{/if}} -{{#if secret_access_key}} -secret_access_key: {{secret_access_key}} -{{/if}} -{{#if session_token}} -session_token: {{session_token}} -{{/if}} -{{#if role_arn}} -role_arn: {{role_arn}} -{{/if}} -{{#if fips_enabled}} -fips_enabled: {{fips_enabled}} -{{/if}} -{{#if proxy_url }} -proxy_url: {{proxy_url}} -{{/if}} -{{#if is_fdr_queue}} -sqs.notification_parsing_script.source: {{fdr_parsing_script}} -{{/if}} -{{#if tags.length}} -tags: -{{else}} -{{#if preserve_original_event}} -tags: -{{/if}} -{{/if}} -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#each tags as |tag i|}} - - {{tag}} -{{/each}} -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} -{{#if processors}} -processors: -{{processors}} -{{/if}} \ No newline at end of file diff --git a/packages/crowdstrike/1.7.0/data_stream/fdr/agent/stream/stream.yml.hbs b/packages/crowdstrike/1.7.0/data_stream/fdr/agent/stream/stream.yml.hbs deleted file mode 100755 index 51174aef53..0000000000 --- a/packages/crowdstrike/1.7.0/data_stream/fdr/agent/stream/stream.yml.hbs +++ /dev/null 
@@ -1,26 +0,0 @@ -paths: -{{#each paths as |path i|}} - - {{path}} -{{/each}} -exclude_files: [".gz$"] -{{#if tags.length}} -tags: -{{else}} -{{#if preserve_original_event}} -tags: -{{/if}} -{{/if}} -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#each tags as |tag i|}} - - {{tag}} -{{/each}} -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} -processors: - - add_locale: ~ -{{#if processors}} -{{processors}} -{{/if}} \ No newline at end of file diff --git a/packages/crowdstrike/1.7.0/data_stream/fdr/elasticsearch/ingest_pipeline/default.yml b/packages/crowdstrike/1.7.0/data_stream/fdr/elasticsearch/ingest_pipeline/default.yml deleted file mode 100755 index bbc76762b1..0000000000 --- a/packages/crowdstrike/1.7.0/data_stream/fdr/elasticsearch/ingest_pipeline/default.yml +++ /dev/null 
@@ -1,2303 +0,0 @@ ---- -description: Pipeline for processing sample logs -processors: - ## Message decoding. - - rename: - tag: message-to-original - field: message - target_field: event.original - - json: - tag: json-decoding - description: Decodes original JSON into `crowdstrike` field. - field: event.original - target_field: crowdstrike - - date: - tag: date-timestamp-utc - description: Parse timestamp from event. - field: crowdstrike.UTCTimestamp - target_field: event.created - formats: - - UNIX_MS - - ISO8601 - ignore_failure: true - if: ctx.event?.created == null - - date: - tag: date-timestamp - description: Parse timestamp from event. - field: crowdstrike.timestamp - target_field: event.created - formats: - - UNIX_MS - - ISO8601 - ignore_failure: true - if: ctx.event?.created == null - - date: - tag: date-event-created - description: Parse timestamp from event. - field: crowdstrike.CreationTimeStamp - target_field: event.created - formats: - - UNIX - - ISO8601 - ignore_failure: true - if: ctx.event?.created == null - - date: - tag: date-agent-local-time - description: Parse timestamp from event. - field: crowdstrike.AgentLocalTime - target_field: event.created - formats: - - ISO8601 - - UNIX - ignore_failure: true - if: ctx.event?.created == null - - set: - tag: set-timestamp - field: "@timestamp" - copy_from: event.created - if: ctx.event?.created != null && (ctx.crowdstrike?.ContextTimeStamp == null || ctx.crowdstrike?.ContextTimeStamp == "") - - set: - tag: set-timestamp-ingest - field: "@timestamp" - copy_from: _ingest.timestamp - if: ctx["@timestamp"] == null - - date: - tag: date-context-timestamp - if: ctx.crowdstrike?.ContextTimeStamp != null - field: crowdstrike.ContextTimeStamp - formats: - - UNIX - ignore_failure: true - - rename: - tag: rename-message - field: crowdstrike.message - target_field: message - ignore_missing: true - - ## ECS fields. - - set: - field: ecs.version - value: '8.4.0' - - ## Categorization. 
- - script: - tag: script-categorize-events - description: Categorize events. - lang: painless - params: - AcUninstallConfirmation: - category: [ package ] - type: [ deletion ] - kind: state - outcome: success - AcUnloadConfirmation: - category: [ package ] - type: [ deletion ] - kind: state - outcome: success - AgentConnect: - category: [ network, session ] - type: [ connection, info ] - kind: event - outcome: success - AgentOnline: - category: [ configuration, package, host ] - type: [ change, installation, start ] - kind: state - outcome: success - AmsiRegistrationStatus: - category: [ host ] - type: [ info ] - kind: state - outcome: success - AsepFileChange: - category: [ file ] - type: [ creation, change ] - kind: event - outcome: success - AsepKeyUpdate: - category: [ registry ] - type: [ change ] - kind: event - outcome: success - AsepValueUpdate: - category: [ registry ] - type: [ change ] - kind: event - outcome: success - AssociateIndicator: - category: [ malware ] - type: [ info ] - kind: alert - outcome: unknown - AssociateTreeIdWithRoot: - category: [ malware ] - type: [ info ] - kind: alert - outcome: success - BITSJobCreated: - category: [ network, file ] - type: [ connection, creation ] - kind: event - outcome: success - BZip2FileWritten: - category: [ file ] - type: [ creation ] - kind: event - outcome: success - BehaviorWhitelisted: - category: [ configuration ] - type: [ change ] - kind: event - outcome: success - BrowserInjectedThread: - category: [ process ] - type: [ access, change ] - kind: event - outcome: success - CloudAssociateTreeIdWithRoot: - category: [ malware ] - type: [ deletion ] - kind: alert - outcome: success - CommandHistory: - category: [ process ] - type: [ end, info ] - kind: event - outcome: success - ConfigStateUpdate: - category: [ configuration ] - type: [ change ] - kind: event - outcome: success - CrashNotification: - category: [ host ] - type: [ info ] - kind: event - outcome: failure - CreateProcessArgs: - category: 
[ process ] - type: [ start ] - kind: state - outcome: success - CreateService: - category: [ host ] - type: [ change ] - kind: event - outcome: success - CreateThreadNoStartImage: - category: [ process ] - type: [ start ] - kind: event - outcome: success - CreateThreadReflectiveDll: - category: [ process ] - type: [ change ] - kind: event - outcome: success - CriticalEnvironmentVariableChanged: - category: [ configuration, host ] - type: [ change ] - kind: event - outcome: success - CriticalFileAccessed: - category: [ file ] - type: [ access ] - kind: alert - outcome: success - CriticalFileModified: - category: [ file ] - type: [ change ] - kind: alert - outcome: success - CurrentSystemTags: - category: [ host ] - type: [ info ] - kind: state - outcome: success - CustomIOABasicProcessDetectionInfoEvent: - category: [ malware ] - type: [ info ] - kind: alert - outcome: unknown - DCSyncAttempted: - category: [ configuration, iam ] - type: [ access ] - kind: event - outcome: unknown - DcOffline: - category: [ iam ] - type: [ info ] - kind: event - outcome: success - DcOnline: - category: [ iam ] - type: [ info ] - kind: event - outcome: success - DcStatus: - category: [ iam ] - type: [ info ] - kind: state - outcome: success - DetectAnalysis: - category: [ malware ] - type: [ info ] - kind: alert - outcome: success - DetectionExcluded: - category: [ configuration, malware ] - type: [ change, info ] - kind: alert - outcome: success - DirectoryCreate: - category: [ file ] - type: [ creation ] - kind: event - outcome: success - DllInjection: - category: [ process ] - type: [ change ] - kind: event - outcome: success - DmpFileWritten: - category: [ file ] - type: [ creation ] - kind: event - outcome: success - DnsRequest: - category: [ network ] - type: [ protocol ] - kind: event - outcome: success - DocumentProgramInjectedThread: - category: [ process ] - type: [ access, change ] - kind: event - outcome: success - DriverLoad: - category: [ driver ] - type: [ start ] - 
kind: event - outcome: success - DwgFileWritten: - category: [ file ] - type: [ creation ] - kind: event - outcome: success - EarlyExploitPivotDetect: - category: [ malware ] - type: [ info ] - kind: event - outcome: unknown - EndOfProcess: - category: [ process ] - type: [ end ] - kind: event - outcome: success - ErrorEvent: - category: [ package ] - type: [ info ] - kind: alert - outcome: failure - EtwErrorEvent: - category: [ package, host ] - type: [ info ] - kind: event - outcome: failure - ExecutableDeleted: - category: [ file ] - type: [ deletion ] - kind: event - outcome: success - FalconHostRegTamperingInfo: - category: [ registry ] - type: [ change ] - kind: alert - outcome: unknown - FalconServiceStatus: - category: [ package ] - type: [ info ] - kind: state - outcome: unknown - FileCreateInfo: - category: [ file ] - type: [ creation ] - kind: event - outcome: success - FileDeleteInfo: - category: [ file ] - type: [ deletion ] - kind: event - outcome: success - FileDetectInfo: - category: [ file ] - type: [ info ] - kind: alert - outcome: unknown - FileInfo: - category: [ file ] - type: [ info ] - kind: event - outcome: unknown - FileOpenInfo: - category: [ file ] - type: [ access ] - kind: event - outcome: success - FileRenameInfo: - category: [ file ] - type: [ change ] - kind: event - outcome: success - FileSystemOperationBlocked: - category: [ file ] - type: [ change, deletion ] - kind: event - outcome: failure - FileSystemOperationDetectInfo: - category: [ file ] - type: [ change, deletion ] - kind: alert - outcome: unknown - FileTimestampsModified: - category: [ file ] - type: [ change ] - kind: event - outcome: success - FirewallChangeOption: - category: [ configuration, host ] - type: [ change ] - kind: event - outcome: success - FirewallDeleteRule: - category: [ configuration ] - type: [ change ] - kind: event - outcome: success - FirewallDeleteRuleIP4: - category: [ configuration ] - type: [ change ] - kind: event - outcome: success - 
FirewallDeleteRuleIP6: - category: [ configuration ] - type: [ change ] - kind: event - outcome: success - FirewallDisabled: - category: [ configuration, host ] - type: [ change ] - kind: event - outcome: success - FirewallEnabled: - category: [ configuration, host ] - type: [ change ] - kind: event - outcome: success - FirewallSetRule: - category: [ configuration ] - type: [ change ] - kind: event - outcome: success - FirewallSetRuleIP4: - category: [ configuration ] - type: [ change ] - kind: event - outcome: success - FirewallSetRuleIP6: - category: [ configuration ] - type: [ change ] - kind: event - outcome: success - FirmwareAnalysisErrorEvent: - category: [ host ] - type: [ info ] - kind: state - outcome: failure - FirmwareAnalysisHardwareData: - category: [ host ] - type: [ info ] - kind: state - outcome: success - FirmwareAnalysisStatus: - category: [ host ] - type: [ info ] - kind: state - outcome: success - FlashThreadCreateProcess: - category: [ process ] - type: [ start ] - kind: event - outcome: success - FsPostOpenSnapshotFile: - category: [ file ] - type: [ access ] - kind: event - outcome: success - FsVolumeMounted: - category: [ host ] - type: [ change ] - kind: event - outcome: success - FsVolumeUnmounted: - category: [ host ] - type: [ change ] - kind: event - outcome: success - HostInfo: - category: [ host ] - type: [ info ] - kind: event - outcome: success - HostedServiceStarted: - category: [ package ] - type: [ start ] - kind: event - outcome: success - HostedServiceStopped: - category: [ package ] - type: [ end ] - kind: event - outcome: success - HostnameChanged: - category: [ host ] - type: [ change ] - kind: event - outcome: success - HttpRequestDetect: - category: [ network, session ] - type: [ connection, start ] - kind: event - outcome: success - HttpVisibilityStatus: - category: [ session ] - type: [ info ] - kind: state - outcome: unknown - IOServiceRegister: - category: [ package ] - type: [ change ] - kind: event - outcome: 
success - ImageHash: - category: [ process ] - type: [ change ] - kind: event - outcome: success - InjectedThread: - category: [ process ] - type: [ change ] - kind: event - outcome: success - InjectedThreadFromUnsignedModule: - category: [ process ] - type: [ change ] - kind: alert - outcome: success - InstallBundleDownloadComplete: - category: [ file ] - type: [ creation ] - kind: event - outcome: success - InstallServiceDownloadComplete: - category: [ file ] - type: [ creation ] - kind: event - outcome: success - InstalledApplication: - category: [ package ] - type: [ installation ] - kind: event - outcome: success - InstalledUpdates: - category: [ host, package ] - type: [ change, installation ] - kind: event - outcome: success - InstanceMetadata: - category: [ host ] - type: [ info ] - kind: state - outcome: unknown - IoSessionConnected: - category: [ session ] - type: [ start ] - kind: event - outcome: success - IoSessionLoggedOn: - category: [ session ] - type: [ end ] - kind: event - outcome: success - JarFileWritten: - category: [ file ] - type: [ creation ] - kind: event - outcome: success - JavaClassFileWritten: - category: [ file ] - type: [ creation ] - kind: event - outcome: success - JavaInjectedThread: - category: [ process ] - type: [ change ] - kind: event - outcome: success - KernelModeLoadImage: - category: [ driver ] - type: [ start ] - kind: event - outcome: success - KextLoad: - category: [ driver ] - type: [ start ] - kind: event - outcome: success - KextUnload: - category: [ driver ] - type: [ end ] - kind: event - outcome: success - LFODownloadConfirmation: - category: [ file ] - type: [ creation ] - kind: event - outcome: success - LfoUploadDataComplete: - category: [ file ] - type: [ change ] - kind: event - outcome: success - LfoUploadDataFailed: - category: [ file ] - type: [ change ] - kind: event - outcome: failure - LfoUploadDataUnneeded: - category: [ file ] - type: [ change ] - kind: event - outcome: failure - LocalIpAddressIP4: - 
category: [ configuration, host ] - type: [ change ] - kind: state - outcome: success - LocalIpAddressIP6: - category: [ configuration, host ] - type: [ change ] - kind: state - outcome: success - LocalIpAddressRemovedIP4: - category: [ configuration, host ] - type: [ change ] - kind: state - outcome: success - LocalIpAddressRemovedIP6: - category: [ configuration, host ] - type: [ change ] - kind: state - outcome: success - LsassHandleFromUnsignedModule: - category: [ process ] - type: [ change ] - kind: alert - outcome: unknown - MachOFileWritten: - category: [ file ] - type: [ change ] - kind: event - outcome: success - ManifestDownloadComplete: - category: [ configuration, file ] - type: [ change, creation ] - kind: event - outcome: success - ModifyServiceBinary: - category: [ file ] - type: [ change ] - kind: alert - outcome: unknown - ModuleBlockedEvent: - category: [ process, malware ] - type: [ info, denied ] - kind: alert - outcome: success - ModuleBlockedEventWithPatternId: - category: [ process, malware ] - type: [ info ] - kind: event - outcome: unknown - ModuleDetectInfo: - category: [ process, malware ] - type: [ info ] - kind: event - outcome: unknown - NeighborListIP4: - category: [ host, network ] - type: [ info ] - kind: state - outcome: unknown - NeighborListIP6: - category: [ host, network ] - type: [ info ] - kind: state - outcome: unknown - NetShareAdd: - category: [ host ] - type: [ change ] - kind: event - outcome: success - NetShareDelete: - category: [ host ] - type: [ change ] - kind: event - outcome: success - NetShareSecurityModify: - category: [ configuration ] - type: [ change ] - kind: event - outcome: success - NetworkCloseIP4: - category: [ network ] - type: [ end, connection ] - kind: event - outcome: unknown - NetworkCloseIP6: - category: [ network ] - type: [ end, connection ] - kind: event - outcome: unknown - NetworkConnectIP4: - category: [ network ] - type: [ start, connection ] - kind: event - outcome: unknown - 
NetworkConnectIP6: - category: [ network ] - type: [ start, connection ] - kind: event - outcome: unknown - NetworkListenIP4: - category: [ network ] - type: [ start ] - kind: event - outcome: success - NetworkListenIP6: - category: [ network ] - type: [ start ] - kind: event - outcome: success - NetworkReceiveAcceptIP4: - category: [ network ] - type: [ allowed, access, connection ] - kind: event - outcome: unknown - NetworkReceiveAcceptIP6: - category: [ network ] - type: [ allowed, access, connection ] - kind: event - outcome: unknown - NewExecutableRenamed: - category: [ file ] - type: [ change ] - kind: event - outcome: success - NewExecutableWritten: - category: [ file ] - type: [ creation ] - kind: event - outcome: success - NewScriptWritten: - category: [ file ] - type: [ creation ] - kind: event - outcome: success - OciContainerTelemetry: - category: [ host ] - type: [ info ] - kind: state - outcome: unknown - OleFileWritten: - category: [ file ] - type: [ creation ] - kind: event - outcome: success - OoxmlFileWritten: - category: [ file ] - type: [ creation ] - kind: event - outcome: success - OsVersionInfo: - category: [ host ] - type: [ info ] - kind: event - outcome: success - PackedExecutableWritten: - category: [ file ] - type: [ creation ] - kind: event - outcome: success - PdfFileWritten: - category: [ file ] - type: [ creation ] - kind: event - outcome: success - PeFileWritten: - category: [ file ] - type: [ creation ] - kind: event - outcome: success - PeVersionInfo: - category: [ file ] - type: [ info ] - kind: event - outcome: success - PrivilegedProcessHandleFromUnsignedModule: - category: [ process ] - type: [ access ] - kind: alert - outcome: success - ProcessBlocked: - category: [ process ] - type: [ access ] - kind: alert - outcome: failure - ProcessExecOnPackedExecutable: - category: [ process, file ] - type: [ access ] - kind: alert - outcome: success - ProcessExecOnSMBFile: - category: [ process, file, network ] - type: [ access ] - 
kind: alert - outcome: success - ProcessHandleOpDetectInfo: - category: [ process, malware ] - type: [ info ] - kind: alert - outcome: success - ProcessInjection: - category: [ process ] - type: [ change ] - kind: event - outcome: success - ProcessRollup2: - category: [ process ] - type: [ start ] - kind: event - outcome: success - ProcessRollup2Stats: - category: [ process ] - type: [ info ] - kind: state - outcome: unknown - ProcessSelfDeleted: - category: [ process ] - type: [ end ] - kind: event - outcome: success - PromiscuousBindIP4: - category: [ host ] - type: [ change ] - kind: state - outcome: success - PtyCreated: - category: [ file ] - type: [ creation ] - kind: event - outcome: success - QuarantineActionResult: - category: [ file ] - type: [ info ] - kind: alert - outcome: unknown - QuarantinedFile: - category: [ file ] - type: [ change ] - kind: alert - outcome: unknown - QuarantinedFileState: - category: [ file ] - type: [ info ] - kind: alert - outcome: unknown - QueueApcEtw: - category: [ file ] - type: [ creation ] - kind: alert - outcome: success - RansomwareCreateFile: - category: [ file ] - type: [ creation ] - kind: alert - outcome: success - RansomwareFileAccessPattern: - category: [ file ] - type: [ access ] - kind: alert - outcome: success - RansomwareOpenFile: - category: [ file ] - type: [ access ] - kind: alert - outcome: success - RarFileWritten: - category: [ file ] - type: [ creation ] - kind: event - outcome: success - RawBindIP4: - category: [ network ] - type: [ start, connection ] - kind: event - outcome: success - RawBindIP6: - category: [ network ] - type: [ start, connection ] - kind: event - outcome: success - ReflectiveDllOpenProcess: - category: [ process ] - type: [ access ] - kind: alert - outcome: success - RegGenericValueUpdate: - category: [ registry ] - type: [ change ] - kind: event - outcome: success - RegSystemConfigValueUpdate: - category: [ registry, host, configuration ] - type: [ change ] - kind: event - 
outcome: success - RegisterRawInputDevicesEtw: - category: [ host, configuration ] - type: [ change ] - kind: event - outcome: success - RegistryOperationDetectInfo: - category: [ malware, registry ] - type: [ info ] - kind: alert - outcome: success - RemoteBruteForceDetectInfo: - category: [ malware, authentication ] - type: [ info ] - kind: alert - outcome: success - RemovableDiskModuleLoadAttempt: - category: [ configuration, host ] - type: [ change ] - kind: event - outcome: success - RemovableMediaVolumeMounted: - category: [ configuration, host ] - type: [ change ] - kind: event - outcome: success - RtfFileWritten: - category: [ file ] - type: [ creation ] - kind: event - outcome: success - SAMHashDumpFromUnsignedModule: - category: [ registry, file ] - type: [ access, creation ] - kind: alert - outcome: success - ScheduledTaskDeleted: - category: [ configuration ] - type: [ deletion ] - kind: event - outcome: success - ScheduledTaskModified: - category: [ configuration ] - type: [ change ] - kind: event - outcome: success - ScheduledTaskRegistered: - category: [ configuration ] - type: [ creation ] - kind: event - outcome: success - ScreenshotTakenEtw: - category: [ process ] - type: [ access ] - kind: event - outcome: success - ScriptControlBlocked: - category: [ malware, file ] - type: [ info ] - kind: alert - outcome: success - ScriptControlDetectInfo: - category: [ malware, file ] - type: [ info ] - kind: alert - outcome: success - ScriptControlErrorEvent: - category: [ malware, file ] - type: [ info ] - kind: alert - outcome: failure - ScriptControlScanInfo: - category: [ malware, file ] - type: [ info ] - kind: state - outcome: success - ScriptControlScanTelemetry: - category: [ malware, file ] - type: [ info ] - kind: state - outcome: success - SensitiveWmiQuery: - category: [ malware, process ] - type: [ info ] - kind: alert - outcome: success - SensorHeartbeat: - category: [ package ] - type: [ info ] - kind: event - outcome: success - 
ServiceStarted: - category: [ process ] - type: [ start ] - kind: event - outcome: success - SetWinEventHookEtw: - category: [ host, configuration ] - type: [ change ] - kind: event - outcome: success - SevenZipFileWritten: - category: [ file ] - type: [ creation ] - kind: event - outcome: success - SignInfoError: - category: [ file ] - type: [ info ] - kind: state - outcome: failure - SignInfoWithCertAndContext: - category: [ file ] - type: [ info ] - kind: state - outcome: unknown - SignInfoWithContext: - category: [ file ] - type: [ info ] - kind: state - outcome: unknown - SmbClientNamedPipeConnectEtw: - category: [ network ] - type: [ connection ] - kind: event - outcome: success - SmbClientShareClosedEtw: - category: [ network ] - type: [ connection, end ] - kind: event - outcome: success - SmbClientShareOpenedEtw: - category: [ network ] - type: [ connection, start ] - kind: event - outcome: success - SmbServerShareOpenedEtw: - category: [ network ] - type: [ connection, start ] - kind: event - outcome: success - SmbServerV1AuditEtw: - category: [ network ] - type: [ connection ] - kind: state - outcome: unknown - SnapshotVolumeMounted: - category: [ host, configuration ] - type: [ change ] - kind: event - outcome: success - SuspiciousCreateSymbolicLink: - category: [ malware, file ] - type: [ creation, info ] - kind: alert - outcome: success - SuspiciousDnsRequest: - category: [ network ] - type: [ start, protocol ] - kind: alert - outcome: success - SuspiciousEseFileWritten: - category: [ malware, file ] - type: [ creation, info ] - kind: alert - outcome: success - SuspiciousRegAsepUpdate: - category: [ malware, registry, configuration ] - type: [ change, info ] - kind: alert - outcome: success - SuspiciousUserRemoteAPCAttempt: - category: [ malware, process ] - type: [ info ] - kind: alert - outcome: success - SyntheticProcessRollup2: - category: [ process ] - type: [ start ] - kind: event - outcome: success - SystemCapacity: - category: [ host ] - type: 
[ info ] - kind: state - outcome: success - TarFileWritten: - category: [ file ] - type: [ creation ] - kind: event - outcome: success - TelemetryCounters2: - category: [ host ] - type: [ info ] - kind: state - outcome: success - TelemetryNetworkConnections: - category: [ network ] - type: [ connection ] - kind: state - outcome: success - TelemetryStats: - category: [ host ] - type: [ info ] - kind: state - outcome: success - TerminateProcess: - category: [ process ] - type: [ end ] - kind: event - outcome: success - TokenImpersonated: - category: [ process, authentication ] - type: [ info, change ] - kind: event - outcome: success - UACCOMElevation: - category: [ process, authentication ] - type: [ info, change ] - kind: event - outcome: success - UACExeElevation: - category: [ process, authentication ] - type: [ info, change ] - kind: event - outcome: success - UACMSIElevation: - category: [ process, authentication ] - type: [ info, change ] - kind: event - outcome: success - UmppaErrorEvent: - category: [ package ] - type: [ info ] - kind: event - outcome: failure - UnsignedModuleLoad: - category: [ process ] - type: [ change ] - kind: alert - outcome: success - UpdateManifestDownloadComplete: - category: [ file ] - type: [ creation ] - kind: event - outcome: success - UserAccountAddedToGroup: - category: [ configuration, iam ] - type: [ change, group ] - kind: event - outcome: success - UserAccountCreated: - category: [ configuration, iam ] - type: [ creation ] - kind: event - outcome: success - UserAccountDeleted: - category: [ configuration, iam ] - type: [ deletion ] - kind: event - outcome: success - UserExceptionDEP: - category: [ process, malware ] - type: [ info ] - kind: alert - outcome: success - UserFontLoad: - category: [ configuration ] - type: [ change ] - kind: event - outcome: success - UserIdentity: - category: [ authentication, iam ] - type: [ info, user ] - kind: event - outcome: success - UserLogoff: - category: [ authentication ] - type: [ 
end ] - kind: event - outcome: success - UserLogon: - category: [ authentication ] - type: [ start ] - kind: event - outcome: success - UserLogonFailed: - category: [ authentication ] - type: [ start ] - kind: event - outcome: failure - UserLogonFailed2: - category: [ authentication ] - type: [ start ] - kind: event - outcome: failure - VolumeSnapshotCreated: - category: [ file ] - type: [ creation ] - kind: event - outcome: success - VolumeSnapshotDeleted: - category: [ file ] - type: [ deletion ] - kind: event - outcome: success - WfpFilterTamperingFilterAdded: - category: [ configuration ] - type: [ change ] - kind: event - outcome: success - WfpFilterTamperingFilterDeleted: - category: [ configuration ] - type: [ change ] - kind: event - outcome: success - WmiCreateProcess: - category: [ process ] - type: [ start ] - kind: event - outcome: success - WmiFilterConsumerBindingEtw: - category: [ configuration ] - type: [ change ] - kind: event - outcome: success - WmiProviderRegistrationEtw: - category: [ configuration ] - type: [ change ] - kind: event - outcome: success - WroteExeAndGeneratedServiceEvent: - category: [ process ] - type: [ access ] - kind: alert - outcome: success - XarFileWritten: - category: [ file ] - type: [ creation ] - kind: event - outcome: success - ZipFileWritten: - category: [ file ] - type: [ creation ] - kind: event - outcome: success - source: |- - def m = params.get(ctx.crowdstrike?.event_simpleName); - if (m != null) { - m.forEach((k, v) -> { - if (v instanceof List) { - ctx.event[k] = new ArrayList(v); - } else { - ctx.event[k] = v; - } - }); - } - - ## Event fields. - - rename: - field: crowdstrike.id - target_field: event.id - ignore_missing: true - - rename: - field: crowdstrike.event_simpleName - target_field: event.action - ignore_missing: true - -## Prepare data. - - script: - tag: convert-count-fields-to-long - description: Convert all count fields to number. 
- lang: painless - source: |- - for (entry in ctx.crowdstrike.entrySet()) { - def key = entry.getKey().toString(); - if (key.contains("Count") || key.contains("Port")) { - try { - ctx.crowdstrike[key] = Long.parseLong(entry.getValue().toString()); - } catch (Exception e) { - } - } - } - - script: - tag: remove-empty-hashes - description: Remove all 0's hashes. - lang: painless - params: - MD5HashData: md5 - SHA1HashData: sha1 - SHA256HashData: sha256 - source: |- - def hashIsEmpty(String hash) { - if (hash == null || hash == "") { - return true; - } - - Pattern emptyHashRegex = /^0*$/; - def matcher = emptyHashRegex.matcher(hash); - - return matcher.matches(); - } - - def hashes = new HashMap(); - def related = [ - "hash": new ArrayList() - ]; - for (entry in params.entrySet()) { - def key = entry.getKey().toString(); - def value = ctx.crowdstrike[key]; - ctx.crowdstrike.remove(key); - if (hashIsEmpty(value)) { - continue; - } - - hashes[entry.getValue().toString()] = value; - related.hash.add(value); - } - - ctx._temp = new HashMap(); - ctx._temp.hashes = hashes; - if (related.hash.length > 0) { - ctx.related = related; - } - - ## Observer fields. 
- - rename: - field: crowdstrike.aid - target_field: observer.serial_number - ignore_missing: true - ignore_failure: true - - convert: - field: crowdstrike.aip - type: ip - ignore_missing: true - - rename: - field: crowdstrike.aip - target_field: observer.ip - ignore_missing: true - ignore_failure: true - - set: - field: observer.address - copy_from: observer.ip - ignore_empty_value: true - - rename: - field: crowdstrike.AgentVersion - target_field: observer.version - ignore_missing: true - ignore_failure: true - - rename: - field: crowdstrike.ConfigBuild - target_field: observer.version - ignore_missing: true - ignore_failure: true - - set: - field: observer.vendor - value: crowdstrike - - set: - field: observer.type - value: agent - - append: - field: related.ip - value: "{{{observer.ip}}}" - allow_duplicates: false - if: ctx.observer?.ip != null && ctx.observer.ip != "" - - append: - field: related.hosts - value: "{{{observer.ip}}}" - allow_duplicates: false - if: ctx.observer?.ip != null && ctx.observer.ip != "" - - ## Host fields. 
- - rename: - field: crowdstrike.ComputerName - target_field: host.hostname - ignore_missing: true - ignore_failure: true - - set: - field: host.name - copy_from: host.hostname - ignore_empty_value: true - ignore_failure: true - - append: - field: related.hosts - value: "{{{host.name}}}" - allow_duplicates: false - if: ctx.host?.name != null - - rename: - field: crowdstrike.City - target_field: host.geo.city_name - ignore_missing: true - ignore_failure: true - - rename: - field: crowdstrike.Continent - target_field: host.geo.continent_name - ignore_missing: true - ignore_failure: true - - rename: - field: crowdstrike.Country - target_field: host.geo.country_name - ignore_missing: true - ignore_failure: true - - rename: - field: crowdstrike.Timezone - target_field: host.geo.timezone - ignore_missing: true - ignore_failure: true - - rename: - field: crowdstrike.MachineDomain - target_field: host.domain - ignore_missing: true - ignore_failure: true - - ## IP Geolocation Lookup - - geoip: - field: source.ip - target_field: source.geo - ignore_missing: true - - geoip: - field: destination.ip - target_field: destination.geo - ignore_missing: true - - ## IP Autonomous System (AS) Lookup - - geoip: - database_file: GeoLite2-ASN.mmdb - field: source.ip - target_field: source.as - properties: - - asn - - organization_name - ignore_missing: true - - geoip: - database_file: GeoLite2-ASN.mmdb - field: destination.ip - target_field: destination.as - properties: - - asn - - organization_name - ignore_missing: true - - rename: - field: source.as.asn - target_field: source.as.number - ignore_missing: true - - rename: - field: source.as.organization_name - target_field: source.as.organization.name - ignore_missing: true - - rename: - field: destination.as.asn - target_field: destination.as.number - ignore_missing: true - - rename: - field: destination.as.organization_name - target_field: destination.as.organization.name - ignore_missing: true - - ## OS fields. 
- - set: - field: os.type - value: linux - if: ctx.crowdstrike?.event_platform != null && ctx.crowdstrike?.event_platform == "Lin" - - set: - field: os.type - value: macos - if: ctx.crowdstrike?.event_platform != null && ctx.crowdstrike?.event_platform == "Mac" - - set: - field: os.type - value: windows - if: ctx.crowdstrike?.event_platform != null && ctx.crowdstrike?.event_platform == "Win" - - rename: - field: crowdstrike.OSVersionString - target_field: os.version - ignore_missing: true - ignore_failure: true - - rename: - field: crowdstrike.Version - target_field: os.version - ignore_missing: true - ignore_failure: true - - ## Process fields. - - rename: - field: crowdstrike.CommandLine - target_field: process.command_line - ignore_missing: true - - script: - tag: split-command-line - description: Implements Windows-like SplitCommandLine - lang: painless - if: ctx.process?.command_line != null && ctx.process.command_line != "" && ctx.os?.type != null - source: |- - // appendBSBytes appends n '\\' bytes to b and returns the resulting slice. - def appendBSBytes(StringBuilder b, int n) { - for (; n > 0; n--) { - b.append('\\'); - } - return b; - } - - // readNextArg splits command line string cmd into next - // argument and command line remainder. 
- def readNextArg(String cmd) { - def b = new StringBuilder(); - boolean inquote; - int nslash; - for (; cmd.length() > 0; cmd = cmd.substring(1)) { - def c = cmd.charAt(0); - if (c == (char)' ' || c == (char)0x09) { - if (!inquote) { - return [ - "arg": appendBSBytes(b, nslash).toString(), - "rest": cmd.substring(1) - ]; - } - } else if (c == (char)'"') { - b = appendBSBytes(b, nslash/2); - if (nslash%2 == 0) { - // use "Prior to 2008" rule from - // http://daviddeley.com/autohotkey/parameters/parameters.htm - // section 5.2 to deal with double double quotes - if (inquote && cmd.length() > 1 && cmd.charAt(1) == (char)'"') { - b.append(c); - cmd = cmd.substring(1); - } - inquote = !inquote; - } else { - b.append(c); - } - nslash = 0; - continue; - } else if (c == (char)'\\') { - nslash++; - continue; - } - b = appendBSBytes(b, nslash); - nslash = 0; - b.append(c); - } - return [ - "arg": appendBSBytes(b, nslash).toString(), - "rest": '' - ]; - } - - // commandLineToArgv splits a command line into individual argument - // strings, following the Windows conventions documented - // at http://daviddeley.com/autohotkey/parameters/parameters.htm#WINARGV - // Original implementation found at: https://github.com/golang/go/commit/39c8d2b7faed06b0e91a1ad7906231f53aab45d1 - def commandLineToArgv(String cmd) { - def args = new ArrayList(); - while (cmd.length() > 0) { - if (cmd.charAt(0) == (char)' ' || cmd.charAt(0) == (char)0x09) { - cmd = cmd.substring(1); - continue; - } - def next = readNextArg(cmd); - cmd = next.rest; - args.add(next.arg); - } - return args; - } - - ctx.process.args = commandLineToArgv(ctx.process.command_line); - ctx.process.args_count = ctx.process.args.length; - - - rename: - field: crowdstrike.ImageFileName - target_field: process.executable - ignore_missing: true - - script: - tag: process-name - lang: painless - description: Calculate process.name - source: |- - def executable = ctx.process.executable; - def exe_arr = []; - def name = executable; - 
if(executable.substring(0,1) == "\\") { - name = executable.splitOnToken("\\")[-1]; - } else if(executable.substring(0,1) == "/") { - name = executable.splitOnToken("/")[-1]; - } - ctx.process.put("name", name); - - if: ctx.process?.executable != null && ctx.process.executable != "" - - convert: - field: crowdstrike.ExitCode - type: long - ignore_missing: true - - rename: - field: crowdstrike.ExitCode - target_field: process.exit_code - ignore_missing: true - - script: - tag: process-uptime - lang: painless - description: Calculate process.uptime - source: |- - def d1 = Float.parseFloat(ctx.crowdstrike?.ProcessStartTime); - def d2 = Float.parseFloat(ctx.crowdstrike?.ProcessEndTime); - if (ctx.process == null) { - ctx.process = []; - } - ctx.process.uptime = (long) ((d2-d1)/1000); - if: ctx.crowdstrike?.ProcessStartTime != null && ctx.crowdstrike?.ProcessStartTime != "" && ctx.crowdstrike?.ProcessEndTime != null && ctx.crowdstrike?.ProcessEndTime != "" - - date: - field: crowdstrike.ProcessStartTime - target_field: crowdstrike.ProcessStartTime - formats: - - UNIX - if: ctx.crowdstrike?.ProcessStartTime != null && ctx.crowdstrike?.ProcessStartTime != "" - - rename: - field: crowdstrike.ProcessStartTime - target_field: process.start - ignore_missing: true - if: ctx.crowdstrike?.ProcessStartTime != "" - - date: - field: crowdstrike.ProcessEndTime - target_field: crowdstrike.ProcessEndTime - formats: - - UNIX - if: ctx.crowdstrike?.ProcessEndTime != null && ctx.crowdstrike?.ProcessEndTime != "" - - rename: - field: crowdstrike.ProcessEndTime - target_field: process.end - ignore_missing: true - if: ctx.crowdstrike?.ProcessEndTime != "" - - convert: - field: crowdstrike.RawProcessId - type: long - ignore_missing: true - - rename: - field: crowdstrike.RawProcessId - target_field: process.pid - ignore_missing: true - - rename: - field: crowdstrike.TargetProcessId - target_field: process.entity_id - ignore_missing: true - - rename: - field: crowdstrike.ParentProcessId - 
target_field: process.parent.entity_id - ignore_missing: true - - rename: - field: crowdstrike.ParentBaseFileName - target_field: process.parent.name - ignore_missing: true - - convert: - field: crowdstrike.ProcessGroupId - type: long - ignore_missing: true - - rename: - field: crowdstrike.ProcessGroupId - target_field: process.pgid - ignore_missing: true - - rename: - field: crowdstrike.ContextProcessId - target_field: process.entity_id - ignore_missing: true - ignore_failure: true - if: ctx.process?.entity_id == null - - convert: - field: crowdstrike.ContextThreadId - type: long - ignore_missing: true - if: ctx.process?.thread?.id == null - - rename: - field: crowdstrike.ContextThreadId - target_field: process.thread.id - ignore_missing: true - ignore_failure: true - if: ctx.process?.thread?.id == null - - convert: - field: crowdstrike.EtwRawProcessId - type: long - ignore_missing: true - - rename: - field: crowdstrike.EtwRawProcessId - target_field: process.pid - ignore_missing: true - if: ctx.process?.pid == null - - convert: - field: crowdstrike.EtwRawThreadId - type: long - ignore_missing: true - - rename: - field: crowdstrike.EtwRawThreadId - target_field: process.thread.id - ignore_missing: true - if: ctx.process?.thread?.id == null - - rename: - field: crowdstrike.ServiceDisplayName - target_field: process.title - ignore_missing: true - - rename: - field: _temp.hashes - target_field: process.hash - if: ctx.event?.action != null && (ctx.event.action.contains("Process") || ctx.event.action.contains("Service")) && ctx._temp?.hashes != null && ctx._temp?.hashes.size() > 0 - - ## User fields. 
- - rename: - field: crowdstrike.UID - target_field: user.id - ignore_missing: true - - rename: - field: crowdstrike.GID - target_field: user.group.id - ignore_missing: true - - rename: - field: crowdstrike.UserSid - target_field: user.id - ignore_missing: true - if: ctx.user?.id == null || ctx.user.id == "" - - append: - field: user.roles - value: admin - if: ctx.crowdstrike?.UserIsAdmin == "1" - - rename: - field: crowdstrike.UserName - target_field: user.name - ignore_missing: true - - split: - field: crowdstrike.UserPrincipal - target_field: "_temp.user_parts" - separator: '@' - if: ctx.crowdstrike?.UserPrincipal != null - - rename: - field: crowdstrike.UserPrincipal - target_field: user.email - ignore_missing: true - - set: - field: user.domain - value: "{{{_temp.user_parts.1}}}" - ignore_failure: true - ignore_empty_value: true - if: ctx._temp?.user_parts != null && ctx._temp.user_parts.size() == 2 - - set: - field: user.full_name - value: "{{{_temp.user_parts.0}}}" - ignore_failure: true - ignore_empty_value: true - if: ctx._temp?.user_parts != null && ctx._temp.user_parts.size() == 2 - - append: - field: related.user - value: "{{{user.name}}}" - ignore_failure: true - allow_duplicates: false - if: ctx.user?.name != null - - append: - field: related.user - value: "{{{user.full_name}}}" - ignore_failure: true - allow_duplicates: false - if: ctx.user?.full_name != null - - ## Networking fields. 
- - convert: - field: crowdstrike.LocalAddressIP4 - type: ip - ignore_missing: true - - rename: - field: crowdstrike.LocalAddressIP4 - target_field: source.ip - ignore_missing: true - - set: - field: source.address - copy_from: source.ip - ignore_empty_value: true - - convert: - field: crowdstrike.LocalAddressIP6 - type: ip - ignore_missing: true - - rename: - field: crowdstrike.LocalAddressIP6 - target_field: source.ip - ignore_missing: true - - set: - field: source.address - copy_from: source.ip - ignore_empty_value: true - - rename: - field: crowdstrike.LocalPort - target_field: source.port - ignore_missing: true - - convert: - field: crowdstrike.RemoteAddressIP4 - type: ip - ignore_missing: true - - rename: - field: crowdstrike.RemoteAddressIP4 - target_field: destination.ip - ignore_missing: true - - set: - field: destination.address - copy_from: destination.ip - ignore_empty_value: true - - convert: - field: crowdstrike.RemoteAddressIP6 - type: ip - ignore_missing: true - - rename: - field: crowdstrike.RemoteAddressIP6 - target_field: destination.ip - ignore_missing: true - - set: - field: destination.address - copy_from: destination.ip - ignore_empty_value: true - - rename: - field: crowdstrike.RemotePort - target_field: destination.port - ignore_missing: true - - rename: - field: crowdstrike.Protocol - target_field: network.iana_number - ignore_missing: true - - script: - tag: network-transport-lookup - lang: painless - ignore_failure: true - if: ctx.network?.iana_number != null - source: | - def iana_number = ctx.network.iana_number; - if (iana_number == '0') { - ctx.network.transport = 'hopopt'; - } else if (iana_number == '1') { - ctx.network.transport = 'icmp'; - } else if (iana_number == '2') { - ctx.network.transport = 'igmp'; - } else if (iana_number == '6') { - ctx.network.transport = 'tcp'; - } else if (iana_number == '8') { - ctx.network.transport = 'egp'; - } else if (iana_number == '17') { - ctx.network.transport = 'udp'; - } else if 
(iana_number == '47') { - ctx.network.transport = 'gre'; - } else if (iana_number == '50') { - ctx.network.transport = 'esp'; - } else if (iana_number == '58') { - ctx.network.transport = 'ipv6-icmp'; - } else if (iana_number == '112') { - ctx.network.transport = 'vrrp'; - } else if (iana_number == '132') { - ctx.network.transport = 'sctp'; - } - - set: - field: network.direction - value: outbound - if: ctx.crowdstrike?.ConnectionDirection == "0" - - set: - field: network.direction - value: inbound - if: ctx.crowdstrike?.ConnectionDirection == "1" - - set: - field: network.direction - value: unknown - if: ctx.network?.direction == null && ctx.crowdstrike?.ConnectionDirection != null && ctx.crowdstrike.ConnectionDirection != "" - - community_id: - ignore_missing: true - ignore_failure: true - - append: - field: related.ip - value: "{{{source.ip}}}" - allow_duplicates: false - if: ctx.source?.ip != null && ctx.source.ip != "" - - append: - field: related.ip - value: "{{{destination.ip}}}" - allow_duplicates: false - if: ctx.destination?.ip != null && ctx.destination.ip != "" - - append: - field: related.hosts - value: "{{{source.ip}}}" - allow_duplicates: false - if: ctx.source?.ip != null && ctx.source.ip != "" - - append: - field: related.hosts - value: "{{{destination.ip}}}" - allow_duplicates: false - if: ctx.destination?.ip != null && ctx.destination.ip != "" - - rename: - field: crowdstrike.PhysicalAddress - target_field: source.mac - ignore_missing: true - - uppercase: - field: source.mac - ignore_missing: true - - rename: - field: crowdstrike.DownloadServer - target_field: server.address - ignore_missing: true - - rename: - field: crowdstrike.DownloadPath - target_field: url.path - ignore_missing: true - - ## URL fields. 
- - set: - field: url.path - value: "/{{url.path}}" - if: ctx.url?.path != null && !ctx.url.path.startsWith("/") - - registered_domain: - field: server.address - target_field: server - ignore_missing: true - - set: - field: url.scheme - value: https - if: ctx.crowdstrike?.DownloadPort == 443 - - set: - field: url.scheme - value: http - if: ctx.crowdstrike?.DownloadPort != 443 - - set: - field: url.full - value: "{{{url.scheme}}}://{{{server.address}}}{{{url.path}}}" - if: ctx.url?.scheme != null && ctx.server?.address != null && ctx.url?.path != null - - uri_parts: - field: url.full - ignore_failure: true - if: ctx.url?.full != null - - registered_domain: - field: url.domain - target_field: url - ignore_missing: true - ignore_failure: true - - ## IP Geolocation Lookup - - geoip: - field: observer.ip - target_field: observer.geo - ignore_missing: true - - geoip: - field: source.ip - target_field: source.geo - ignore_missing: true - - geoip: - field: destination.ip - target_field: destination.geo - ignore_missing: true - - ## IP Autonomous System (AS) Lookup - - geoip: - database_file: GeoLite2-ASN.mmdb - field: source.ip - target_field: source.as - properties: - - asn - - organization_name - ignore_missing: true - - geoip: - database_file: GeoLite2-ASN.mmdb - field: destination.ip - target_field: destination.as - properties: - - asn - - organization_name - ignore_missing: true - - rename: - field: source.as.asn - target_field: source.as.number - ignore_missing: true - - rename: - field: source.as.organization_name - target_field: source.as.organization.name - ignore_missing: true - - rename: - field: destination.as.asn - target_field: destination.as.number - ignore_missing: true - - rename: - field: destination.as.organization_name - target_field: destination.as.organization.name - ignore_missing: true - - ## DNS fields. 
- - set: - field: dns.type - value: query - if: ctx.event?.action == "DnsRequest" - - registered_domain: - field: crowdstrike.DomainName - target_field: dns.question - ignore_missing: true - if: ctx.event?.action == "DnsRequest" - - rename: - field: dns.question.domain - target_field: dns.question.name - ignore_missing: true - if: ctx.event?.action == "DnsRequest" - - script: - tag: dns-request-type-to-name - description: Map decimal DNS request type to its name. - lang: painless - params: - "1": A - "2": NS - "5": CNAME - "6": SOA - "12": PTR - "13": HINFO - "15": MX - "16": TXT - "17": RP - "18": AFSDB - "24": SIG - "25": KEY - "28": AAAA - "29": LOC - "33": SRV - "35": NAPTR - "36": KX - "37": CERT - "39": DNAME - "42": APL - "43": DS - "44": SSHFP - "45": IPSECKEY - "46": RRSIG - "47": NSEC - "48": DNSKEY - "49": DHCID - "50": NSEC3 - "51": NSEC3PARAM - "52": TLSA - "53": SMIMEA - "55": HIP - "59": CDS - "60": CDNSKEY - "61": OPENPGPKEY - "62": CSYNC - "63": ZONEMD - "64": SVCB - "65": HTTPS - "108": EUI48 - "109": EUI64 - "249": TKEY - "250": TSIG - "256": URI - "257": CAA - "32768": TA - "32769": DLV - if: ctx.event?.action == "DnsRequest" && ctx.crowdstrike?.RequestType != null && !ctx.crowdstrike.RequestType.isEmpty() - source: |- - def t = params[ctx.crowdstrike.RequestType]; - if (t != null) { - if (ctx.dns?.question == null) { - ctx.dns.question = new HashMap(); - } - ctx.dns.question.type = t; - ctx.crowdstrike.remove("RequestType"); - } - - ## File fields. 
- - convert: - field: crowdstrike.Size - type: long - ignore_missing: true - ignore_failure: true - - rename: - field: crowdstrike.Size - target_field: file.size - ignore_missing: true - - rename: - field: crowdstrike.FileIdentifier - target_field: file.inode - ignore_missing: true - - rename: - field: crowdstrike.SourceFileName - target_field: file.path - ignore_missing: true - - rename: - field: crowdstrike.TargetFileName - target_field: file.path - ignore_missing: true - ignore_failure: true - - rename: - field: crowdstrike.DiskParentDeviceInstanceId - target_field: file.device - ignore_missing: true - - set: - field: file.type - value: file - if: ctx.file?.path != null && !ctx.event.action.contains("Directory") - - set: - field: file.type - value: dir - if: ctx.file?.path != null && (ctx.event.action.contains("Directory") || ctx.file.path.endsWith("\\") || ctx.file.path.endsWith("/")) - - script: - tag: parse-file-path - description: Adds file information. - lang: painless - if: ctx.file?.path != null && ctx.file.path.length() > 1 - source: |- - def removeSuffix(String s, String suffix) { - if (s != null && suffix != null && s.endsWith(suffix)) { - return s.substring(0, s.length() - suffix.length()); - } - return s; - } - - def path = removeSuffix(ctx.file.path, "/"); - path = removeSuffix(path, "\\"); - def idx = path.lastIndexOf("\\"); - if (idx == -1) { - idx = path.lastIndexOf("/"); - } - if (idx > -1) { - if (ctx.file == null) { - ctx.file = new HashMap(); - } - ctx.file.name = path.substring(idx+1); - ctx.file.directory = path.substring(0, idx); - - def extIdx = ctx.file.name.lastIndexOf("."); - if (extIdx > -1 && ctx.file.type == "file") { - ctx.file.extension = ctx.file.name.substring(extIdx+1); - } - } - if (path.charAt(1) == ":") { - ctx.file.drive_letter = path.charAt(0).toUpperCase(); - } - - rename: - field: _temp.hashes - target_field: file.hash - if: ctx.event?.action != null && (ctx.event.action.contains("File") || 
ctx.event.action.contains("Directory") || ctx.event.action.contains("Executable")) && ctx._temp?.hashes != null && ctx._temp?.hashes.size() > 0 - - ## Crowdstrike fields. - - split: - field: crowdstrike.FalconGroupingTags - separator: ",\\s?" - ignore_missing: true - ignore_failure: true - - split: - field: crowdstrike.SensorGroupingTags - separator: ",\\s?" - ignore_missing: true - ignore_failure: true - - split: - field: crowdstrike.Tags - separator: ",\\s?" - ignore_missing: true - ignore_failure: true - - split: - field: crowdstrike.CallStackModuleNames - separator: "\\|" - ignore_missing: true - ignore_failure: true - - convert: - field: crowdstrike.UserTime - type: long - ignore_missing: true - - convert: - field: crowdstrike.KernelTime - type: long - ignore_missing: true - - convert: - field: crowdstrike.CycleTime - type: long - ignore_missing: true - - append: - field: related.hash - value: "{{{crowdstrike.ConfigStateHash}}}" - ignore_failure: true - allow_duplicates: false - if: ctx.crowdstrike?.ConfigStateHash != null && ctx.crowdstrike.ConfigStateHash != "" - - trim: - field: crowdstrike.BootArgs - ignore_missing: true - - split: - field: crowdstrike.BootArgs - separator: '\s+' - ignore_missing: true - - date: - field: crowdstrike.LogonTime - target_field: crowdstrike.LogonTime - formats: - - UNIX - if: ctx.crowdstrike?.LogonTime != null && ctx.crowdstrike?.LogonTime != "" - - date: - field: crowdstrike.LogoffTime - target_field: crowdstrike.LogoffTime - formats: - - UNIX - if: ctx.crowdstrike?.LogoffTime != null && ctx.crowdstrike?.LogoffTime != "" - - date: - field: crowdstrike.ConnectTime - target_field: crowdstrike.ConnectTime - formats: - - UNIX - if: ctx.crowdstrike?.ConnectTime != null && ctx.crowdstrike?.ConnectTime != "" - - date: - field: crowdstrike.PreviousConnectTime - target_field: crowdstrike.PreviousConnectTime - formats: - - UNIX - if: ctx.crowdstrike?.PreviousConnectTime != null && ctx.crowdstrike?.PreviousConnectTime != "" - - date: - 
field: crowdstrike.AgentLocalTime - target_field: crowdstrike.AgentLocalTime - formats: - - UNIX - if: ctx.crowdstrike?.AgentLocalTime != null && ctx.crowdstrike?.AgentLocalTime != "" - - date: - field: crowdstrike.FirstSeen - target_field: crowdstrike.FirstSeen - formats: - - UNIX - if: ctx.crowdstrike?.FirstSeen != null && ctx.crowdstrike?.FirstSeen != "" - - date: - field: crowdstrike.Time - target_field: crowdstrike.Time - formats: - - UNIX - if: ctx.crowdstrike?.Time != null && ctx.crowdstrike?.Time != "" - - date: - field: crowdstrike.BiosReleaseDate - target_field: crowdstrike.BiosReleaseDate - formats: - - MM/dd/yyyy - - strict_date_optional_time - if: ctx.crowdstrike?.BiosReleaseDate != null && ctx.crowdstrike?.BiosReleaseDate != "" - - convert: - field: crowdstrike.AgentTimeOffset - target_field: crowdstrike.AgentTimeOffset - type: float - ignore_missing: true - - convert: - field: crowdstrike.Timeout - type: long - ignore_missing: true - - convert: - field: crowdstrike.PhysicalAddressLength - type: long - ignore_missing: true - - convert: - field: crowdstrike.InterfaceIndex - type: long - ignore_missing: true - - convert: - field: crowdstrike.NetLuidIndex - type: long - ignore_missing: true - - convert: - field: crowdstrike.AttemptNumber - type: long - ignore_missing: true - - convert: - field: crowdstrike.SystemTableIndex - type: long - ignore_missing: true - - split: - field: crowdstrike.NeighborList - separator: '\|' - ignore_missing: true - - split: - field: crowdstrike.ConfigStateData - separator: '\|' - ignore_missing: true - - append: - field: related.hosts - value: "{{{crowdstrike.LogonServer}}}" - allow_duplicates: false - if: ctx.crowdstrike?.LogonServer != null - - append: - field: related.hosts - value: "{{{crowdstrike.ClientComputerName}}}" - allow_duplicates: false - if: ctx.crowdstrike?.ClientComputerName != null - - ## Cleanup. 
- - remove: - field: crowdstrike.event_platform - ignore_missing: true - ignore_failure: true - if: ctx.os?.type != null - - remove: - field: - - _temp - - crowdstrike.timestamp - - crowdstrike._time - - crowdstrike.ContextTimeStamp - - crowdstrike.CreationTimeStamp - - crowdstrike.DomainName - - crowdstrike.ConnectionDirection - - crowdstrike.UserIsAdmin - - crowdstrike.UTCTimestamp - - crowdstrike.TargetDirectoryName - ignore_missing: true - ignore_failure: true - - remove: - field: event.original - if: "ctx.tags == null || !(ctx.tags.contains('preserve_original_event'))" - ignore_failure: true - ignore_missing: true - - script: - tag: remove-nulls - lang: painless - description: This script processor iterates over the whole document to remove fields with null values. - source: | - void handleMap(Map map) { - for (def x : map.values()) { - if (x instanceof Map) { - handleMap(x); - } else if (x instanceof List) { - handleList(x); - } - } - map.values().removeIf(v -> v == null || v == '' || v == '-' || v == 'none' || (v instanceof Map && v.size() == 0) || (v instanceof List && v.size() == 0)); - } - void handleList(List list) { - for (def x : list) { - if (x instanceof Map) { - handleMap(x); - } else if (x instanceof List) { - handleList(x); - } - } - list.removeIf(v -> v == null || v == '' || v == '-' || v == 'none' || (v instanceof Map && v.size() == 0) || (v instanceof List && v.size() == 0)); - } - handleMap(ctx); -on_failure: - - set: - field: error.message - value: "Processor '{{ _ingest.on_failure_processor_type }}' with tag '{{ _ingest.on_failure_processor_tag }}' failed with message {{ _ingest.on_failure_message }}" diff --git a/packages/crowdstrike/1.7.0/data_stream/fdr/fields/base-fields.yml b/packages/crowdstrike/1.7.0/data_stream/fdr/fields/base-fields.yml deleted file mode 100755 index b701d8325a..0000000000 --- a/packages/crowdstrike/1.7.0/data_stream/fdr/fields/base-fields.yml +++ /dev/null 
@@ -1,24 +0,0 @@ -- name: input.type - type: keyword -- name: log.offset - type: long -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: event.module - type: constant_keyword - description: Event module - value: crowdstrike -- name: event.dataset - type: constant_keyword - description: Event dataset - value: crowdstrike.fdr -- name: '@timestamp' - type: date - description: Event timestamp. diff --git a/packages/crowdstrike/1.7.0/data_stream/fdr/fields/ecs.yml b/packages/crowdstrike/1.7.0/data_stream/fdr/fields/ecs.yml deleted file mode 100755 index a0704eabcc..0000000000 --- a/packages/crowdstrike/1.7.0/data_stream/fdr/fields/ecs.yml +++ /dev/null 
@@ -1,525 +0,0 @@ -- description: |- - Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: destination.address - type: keyword -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: destination.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: destination.as.organization.name - type: keyword -- description: City name. - name: destination.geo.city_name - type: keyword -- description: Name of the continent. - name: destination.geo.continent_name - type: keyword -- description: Country ISO code. - name: destination.geo.country_iso_code - type: keyword -- description: Country name. - name: destination.geo.country_name - type: keyword -- description: Longitude and latitude. - name: destination.geo.location - type: geo_point -- description: Region ISO code. - name: destination.geo.region_iso_code - type: keyword -- description: Region name. - name: destination.geo.region_name - type: keyword -- description: IP address of the destination (IPv4 or IPv6). - name: destination.ip - type: ip -- description: Port of the destination. - name: destination.port - type: long -- description: |- - The name being queried. - If the name field contains non-printable characters (below 32 or above 126), those characters should be represented as escaped base 10 integers (\DDD). Back slashes and quotes should be escaped. Tabs, carriage returns, and line feeds should be converted to \t, \r, and \n respectively. - name: dns.question.name - type: keyword -- description: |- - The highest registered domain, stripped of the subdomain. 
- For example, the registered domain for "foo.example.com" is "example.com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". - name: dns.question.registered_domain - type: keyword -- description: |- - The subdomain is all of the labels under the registered_domain. - If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. - name: dns.question.subdomain - type: keyword -- description: |- - The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". - name: dns.question.top_level_domain - type: keyword -- description: The type of record being queried. - name: dns.question.type - type: keyword -- description: |- - The type of DNS event captured, query or answer. - If your source of DNS events only gives you DNS queries, you should only create dns events of type `dns.type:query`. - If your source of DNS events gives you answers as well, you should create one event per query (optionally as soon as the query is seen). And a second event containing all query details as well as an array of answers. - name: dns.type - type: keyword -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. 
- name: ecs.version - type: keyword -- description: |- - The action captured by the event. - This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. - name: event.action - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. This will allow proper categorization of some events that fall in multiple categories. - name: event.category - normalize: - - array - type: keyword -- description: |- - event.created contains the date/time when the event was first read by an agent, or by your pipeline. - This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. - In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. - In case the two timestamps are identical, @timestamp should be used. - name: event.created - type: date -- description: Unique ID to describe the event. - name: event.id - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. 
- The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: |- - Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. - This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. - doc_values: false - index: false - name: event.original - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. - `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. - Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. - Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. - Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. - name: event.outcome - type: keyword -- description: |- - This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. - Acceptable timezone formats are: a canonical ID (e.g. 
"Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). - name: event.timezone - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. - `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. This will allow proper categorization of some events that fall in multiple event types. - name: event.type - normalize: - - array - type: keyword -- description: Device that is the source of the file. - name: file.device - type: keyword -- description: Directory where the file is located. It should include the drive letter, when appropriate. - name: file.directory - type: keyword -- description: |- - File extension, excluding the leading dot. - Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). - name: file.extension - type: keyword -- description: SHA256 hash. - name: file.hash.sha256 - type: keyword -- description: Inode representing the file in the filesystem. - name: file.inode - type: keyword -- description: Name of the file including the extension, without the directory. - name: file.name - type: keyword -- description: Full path to the file, including the file name. It should include the drive letter, when appropriate. - multi_fields: - - name: text - type: match_only_text - name: file.path - type: keyword -- description: |- - File size in bytes. - Only relevant when `file.type` is "file". - name: file.size - type: long -- description: File type (file, dir, or symlink). - name: file.type - type: keyword -- description: City name. - name: host.geo.city_name - type: keyword -- description: Name of the continent. - name: host.geo.continent_name - type: keyword -- description: Country name. 
- name: host.geo.country_name - type: keyword -- description: The time zone of the location, such as IANA time zone name. - name: host.geo.timezone - type: keyword -- description: |- - Hostname of the host. - It normally contains what the `hostname` command returns on the host machine. - name: host.hostname - type: keyword -- description: |- - Name of the host. - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. - name: host.name - type: keyword -- description: |- - Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. - If the event wasn't read from a log file, do not populate this field. - name: log.file.path - type: keyword -- description: |- - A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. - Learn more at https://github.com/corelight/community-id-spec. - name: network.community_id - type: keyword -- description: |- - Direction of the network traffic. - When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". - When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". - Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. - name: network.direction - type: keyword -- description: IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). 
Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. - name: network.iana_number - type: keyword -- description: |- - Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) - The field value must be normalized to lowercase for querying. - name: network.transport - type: keyword -- description: City name. - name: observer.geo.city_name - type: keyword -- description: Name of the continent. - name: observer.geo.continent_name - type: keyword -- description: Country ISO code. - name: observer.geo.country_iso_code - type: keyword -- description: Country name. - name: observer.geo.country_name - type: keyword -- description: Longitude and latitude. - name: observer.geo.location - type: geo_point -- description: Region ISO code. - name: observer.geo.region_iso_code - type: keyword -- description: Region name. - name: observer.geo.region_name - type: keyword -- description: IP addresses of the observer. - name: observer.ip - normalize: - - array - type: ip -- description: Observer serial number. - name: observer.serial_number - type: keyword -- description: |- - The type of the observer the data is coming from. - There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. - name: observer.type - type: keyword -- description: Vendor name of the observer. - name: observer.vendor - type: keyword -- description: Observer version. - name: observer.version - type: keyword -- description: |- - Use the `os.type` field to categorize the operating system into one of the broad commercial families. - If the OS you're dealing with is not listed as an expected value, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. - name: os.type - type: keyword -- description: Operating system version as a raw string. 
- name: os.version - type: keyword -- description: |- - Array of process arguments, starting with the absolute path to the executable. - May be filtered to protect sensitive information. - name: process.args - normalize: - - array - type: keyword -- description: |- - Length of the process.args array. - This field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. More arguments may be an indication of suspicious activity. - name: process.args_count - type: long -- description: |- - Full command line that started the process, including the absolute path to the executable, and all arguments. - Some arguments may be filtered to protect sensitive information. - multi_fields: - - name: text - type: match_only_text - name: process.command_line - type: wildcard -- description: The time the process ended. - name: process.end - type: date -- description: |- - Unique identifier for the process. - The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. - Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. - name: process.entity_id - type: keyword -- description: Absolute path to the process executable. - multi_fields: - - name: text - type: match_only_text - name: process.executable - type: keyword -- description: |- - Process name. - Sometimes called program name or similar. - multi_fields: - - name: text - type: match_only_text - name: process.name - type: keyword -- description: |- - The exit code of the process, if this is a termination event. - The field should be absent if there is no exit code for the event (e.g. process start). - name: process.exit_code - type: long -- description: MD5 hash. 
- name: process.hash.md5 - type: keyword -- description: SHA256 hash. - name: process.hash.sha256 - type: keyword -- description: |- - Unique identifier for the process. - The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. - Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. - name: process.parent.entity_id - type: keyword -- description: |- - Process name. - Sometimes called program name or similar. - multi_fields: - - name: text - type: match_only_text - name: process.parent.name - type: keyword -- description: |- - Deprecated for removal in next major version release. This field is superseded by `process.group_leader.pid`. - Identifier of the group of processes the process belongs to. - name: process.pgid - type: long -- description: Process id. - name: process.pid - type: long -- description: The time the process started. - name: process.start - type: date -- description: Thread ID. - name: process.thread.id - type: long -- description: |- - Process title. - The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. - multi_fields: - - name: text - type: match_only_text - name: process.title - type: keyword -- description: Seconds the process has been up. - name: process.uptime - type: long -- description: All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). - name: related.hash - normalize: - - array - type: keyword -- description: All hostnames or other host identifiers seen on your event. 
Example identifiers include FQDNs, domain names, workstation names, or aliases. - name: related.hosts - normalize: - - array - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - normalize: - - array - type: ip -- description: All the user names or other user identifiers seen on the event. - name: related.user - normalize: - - array - type: keyword -- description: |- - Some event server addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: server.address - type: keyword -- description: |- - The domain name of the server system. - This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. - name: server.domain - type: keyword -- description: |- - The highest registered server domain, stripped of the subdomain. - For example, the registered domain for "foo.example.com" is "example.com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". - name: server.registered_domain - type: keyword -- description: |- - The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. - For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. 
- name: server.subdomain - type: keyword -- description: |- - The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". - name: server.top_level_domain - type: keyword -- description: |- - Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: source.address - type: keyword -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: source.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: source.as.organization.name - type: keyword -- description: City name. - name: source.geo.city_name - type: keyword -- description: Name of the continent. - name: source.geo.continent_name - type: keyword -- description: Country ISO code. - name: source.geo.country_iso_code - type: keyword -- description: Country name. - name: source.geo.country_name - type: keyword -- description: Longitude and latitude. - name: source.geo.location - type: geo_point -- description: Region ISO code. - name: source.geo.region_iso_code - type: keyword -- description: Region name. - name: source.geo.region_name - type: keyword -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: |- - MAC address of the source. 
- The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. - name: source.mac - pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ - type: keyword -- description: Port of the source. - name: source.port - type: long -- description: List of keywords used to tag each event. - name: tags - normalize: - - array - type: keyword -- description: |- - Domain of the url, such as "www.elastic.co". - In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. - If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. - name: url.domain - type: keyword -- description: |- - The field contains the file extension from the original request url, excluding the leading dot. - The file extension is only set if it exists, as not every url has a file extension. - The leading period must not be included. For example, the value must be "png", not ".png". - Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). - name: url.extension - type: keyword -- description: |- - Unmodified original url as seen in the event source. - Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. - This field is meant to represent the URL as it was observed, complete or not. - multi_fields: - - name: text - type: match_only_text - name: url.original - type: wildcard -- description: Path of the request, such as "/search". - name: url.path - type: wildcard -- description: |- - The highest registered url domain, stripped of the subdomain. 
- For example, the registered domain for "foo.example.com" is "example.com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". - name: url.registered_domain - type: keyword -- description: |- - Scheme of the request, such as "https". - Note: The `:` is not part of the scheme. - name: url.scheme - type: keyword -- description: |- - The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. - For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. - name: url.subdomain - type: keyword -- description: |- - The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". - name: url.top_level_domain - type: keyword -- description: |- - Name of the directory the user is a member of. - For example, an LDAP or Active Directory domain name. - name: user.domain - type: keyword -- description: User email address. - name: user.email - type: keyword -- description: User's full name, if available. - multi_fields: - - name: text - type: match_only_text - name: user.full_name - type: keyword -- description: Unique identifier for the group on the system/platform. 
- name: user.group.id - type: keyword -- description: Unique identifier of the user. - name: user.id - type: keyword -- description: Short name or login of the user. - multi_fields: - - name: text - type: match_only_text - name: user.name - type: keyword diff --git a/packages/crowdstrike/1.7.0/data_stream/fdr/fields/fields.yml b/packages/crowdstrike/1.7.0/data_stream/fdr/fields/fields.yml deleted file mode 100755 index 430dfe74b2..0000000000 --- a/packages/crowdstrike/1.7.0/data_stream/fdr/fields/fields.yml +++ /dev/null 
@@ -1,595 +0,0 @@ -- name: observer.address - type: keyword -- name: crowdstrike - type: group - fields: - - name: AgentTimeOffset - type: float - - name: AllocateVirtualMemoryCount - type: long - - name: ApiReturnValue - type: keyword - - name: ArchiveFileWrittenCount - type: long - - name: AsepWrittenCount - type: long - - name: AuthenticationId - type: keyword - - name: AuthenticationPackage - type: keyword - - name: BinaryExecutableWrittenCount - type: long - - name: BootArgs - type: keyword - - name: BundleID - type: keyword - - name: CLICreationCount - type: long - - name: CallStackModuleNames - type: keyword - - name: CallStackModuleNamesVersion - type: version - - name: ClientComputerName - type: keyword - - name: CompletionEventId - type: keyword - - name: ConfigBuild - type: keyword - - name: ConHostId - type: keyword - - name: ConHostProcessId - type: keyword - - name: ConfigStateHash - type: keyword - - name: ConnectionFlags - type: keyword - - name: ContextProcessId - type: keyword - - name: CreateProcessCount - type: long - - name: CreateProcessType - type: keyword - - name: CycleTime - type: long - - name: DesiredAccess - type: keyword - - name: DirectoryCreatedCount - type: long - - name: DirectoryEnumeratedCount - type: long - - name: DnsRequestCount - type: long - - name: DocumentFileWrittenCount - type: long - - name: DownloadPath - type: keyword - - name: DownloadPort - type: long - - name: DownloadServer - type: keyword - - name: DualRequest - type: keyword - - name: EffectiveTransmissionClass - type: keyword - - name: EnabledPrivilegesBitmask - type: keyword - - name: Entitlements - type: keyword - - name: ExeAndServiceCount - type: long - - name: ExecutableDeletedCount - type: long - - name: FalconGroupingTags - type: keyword - - name: FileAttributes - type: keyword - - name: FileDeletedCount - type: long - - name: FileEcpBitmask - type: keyword - - name: FileObject - type: keyword - - name: FirstSeen - type: date - - name: Flags - type: 
keyword - - name: GenericFileWrittenCount - type: long - - name: GrandParentBaseFileName - type: keyword - - name: HostHiddenStatus - type: keyword - - name: ImageSubsystem - type: keyword - - name: InContext - type: keyword - - name: Information - type: keyword - - name: InjectedDllCount - type: long - - name: InjectedThreadCount - type: long - - name: IntegrityLevel - type: keyword - - name: InterfaceGuid - type: keyword - - name: InterfaceIndex - type: long - - name: InterfaceVersion - type: keyword - - name: IrpFlags - type: keyword - - name: IsOnNetwork - type: keyword - - name: IsOnRemovableDisk - type: keyword - - name: IsTransactedFile - type: keyword - - name: KernelTime - type: long - - name: LogoffTime - type: date - - name: LogonDomain - type: keyword - - name: LogonId - type: keyword - - name: LogonServer - type: keyword - - name: LogonTime - type: date - - name: LogonType - type: keyword - - name: MachOSubType - type: keyword - - name: MajorFunction - type: keyword - - name: MaxThreadCount - type: long - - name: MinorFunction - type: keyword - - name: ModuleLoadCount - type: long - - name: NDRoot - type: keyword - - name: NetworkBindCount - type: long - - name: NetworkCapableAsepWriteCount - type: long - - name: NetworkCloseCount - type: long - - name: NetworkConnectCount - type: long - - name: NetworkConnectCountUdp - type: long - - name: NetworkListenCount - type: long - - name: NetworkModuleLoadCount - type: long - - name: NetworkRecvAcceptCount - type: long - - name: NewExecutableWrittenCount - type: long - - name: NewFileIdentifier - type: keyword - - name: OperationFlags - type: keyword - - name: Options - type: keyword - - name: OU - type: keyword - - name: ParentAuthenticationId - type: keyword - - name: PasswordLastSet - type: keyword - - name: PhysicalAddressLength - type: long - - name: PointerSize - type: keyword - - name: PrivilegedProcessHandleCount - type: long - - name: PrivilegesBitmask - type: keyword - - name: ProcessCreateFlags - 
type: keyword
- - name: ProcessParameterFlags
- type: keyword
- - name: ProcessSxsFlags
- type: keyword
- - name: ProductType
- type: keyword
- - name: ProtectVirtualMemoryCount
- type: long
- - name: QueueApcCount
- type: long
- - name: RGID
- type: keyword
- - name: RUID
- type: keyword
- - name: RegKeySecurityDecreasedCount
- type: long
- - name: RemoteAccount
- type: keyword
- - name: RemovableDiskFileWrittenCount
- type: long
- - name: RequestType
- type: keyword
- - name: RpcClientProcessId
- type: keyword
- - name: RpcClientThreadId
- type: keyword
- - name: RpcNestingLevel
- type: keyword
- - name: RpcOpNum
- type: keyword
- - name: RunDllInvocationCount
- type: long
- - name: SVGID
- type: keyword
- - name: SVUID
- type: keyword
- - name: ScreenshotsTakenCount
- type: long
- - name: ScriptEngineInvocationCount
- type: long
- - name: SensorGroupingTags
- type: keyword
- - name: ServiceDisplayName
- type: keyword
- - name: ServiceEventCount
- type: long
- - name: ServicePackMajor
- type: keyword
- - name: SessionId
- type: keyword
- - name: SessionProcessId
- type: keyword
- - name: SetThreadContextCount
- type: long
- - name: ShareAccess
- type: keyword
- - name: Size
- type: long
- - name: SiteName
- type: keyword
- - name: SnapshotFileOpenCount
- type: long
- - name: SourceFileName
- type: keyword
- - name: SourceProcessId
- type: keyword
- - name: SourceThreadId
- type: keyword
- - name: Status
- type: keyword
- - name: SubStatus
- type: keyword
- - name: SuspectStackCount
- type: long
- - name: SuspiciousCredentialModuleLoadCount
- type: long
- - name: SuspiciousDnsRequestCount
- type: long
- - name: SuspiciousFontLoadCount
- type: long
- - name: SuspiciousRawDiskReadCount
- type: long
- - name: Tags
- type: keyword
- - name: TargetThreadId
- type: keyword
- - name: Time
- type: date
- - name: Timeout
- type: long
- - name: TokenType
- type: keyword
- - name: UnixMode
- type: keyword
- - name: UnsignedModuleLoadCount
- type: long
- - name: UserFlags
- 
type: keyword
- - name: UserGroupsBitmask
- type: keyword
- - name: UserLogoffType
- type: keyword
- - name: UserLogonFlags
- type: keyword
- - name: UserMemoryAllocateExecutableCount
- type: long
- - name: UserMemoryAllocateExecutableRemoteCount
- type: long
- - name: UserMemoryProtectExecutableCount
- type: long
- - name: UserMemoryProtectExecutableRemoteCount
- type: long
- - name: UserTime
- type: long
- - name: VnodeModificationType
- type: keyword
- - name: VnodeType
- type: keyword
- - name: VolumeDeviceCharacteristics
- type: keyword
- - name: VolumeDeviceObjectFlags
- type: keyword
- - name: VolumeDeviceType
- type: keyword
- - name: VolumeDriveLetter
- type: keyword
- - name: VolumeFileSystemDevice
- type: keyword
- - name: VolumeFileSystemDriver
- type: keyword
- - name: VolumeFileSystemType
- type: keyword
- - name: VolumeIsEncrypted
- type: keyword
- - name: VolumeIsNetwork
- type: keyword
- - name: VolumeMountPoint
- type: keyword
- - name: VolumeName
- type: keyword
- - name: VolumeRealDeviceName
- type: keyword
- - name: VolumeSectorSize
- type: keyword
- - name: cid
- type: keyword
- - name: name
- type: keyword
- - name: AgentLoadFlags
- type: keyword
- - name: AgentLocalTime
- type: date
- - name: AgentVersion
- type: keyword
- - name: AttemptNumber
- type: long
- - name: AuthenticationUuid
- type: keyword
- - name: AuthenticationUuidAsString
- type: keyword
- - name: BiosManufacturer
- type: keyword
- - name: BiosReleaseDate
- type: date
- - name: BiosVersion
- type: keyword
- - name: BootTimeFunctionalityLevel
- type: keyword
- - name: BoundedCount
- type: long
- - name: ChannelDiffStatus
- type: keyword
- - name: ChannelId
- type: keyword
- - name: ChannelVersion
- type: keyword
- - name: ChannelVersionRequired
- type: keyword
- - name: ChasisManufacturer
- type: keyword
- - name: ChassisType
- type: keyword
- - name: ConfigIDBase
- type: keyword
- - name: ConfigIDBuild
- type: keyword
- - name: ConfigIDPlatform
- type: keyword
- - name: 
ConfigStateData
- type: keyword
- - name: ConfigurationVersion
- type: keyword
- - name: ConnectTime
- type: date
- - name: ConnectType
- type: keyword
- - name: CpuClockSpeed
- type: keyword
- - name: CpuFeaturesMask
- type: keyword
- - name: CpuProcessorName
- type: keyword
- - name: CpuSignature
- type: keyword
- - name: CpuVendor
- type: keyword
- - name: CurrentFunctionalityLevel
- type: keyword
- - name: DeviceId
- type: keyword
- - name: ELFSubType
- type: keyword
- - name: ErrorCode
- type: keyword
- - name: ErrorStatus
- type: keyword
- - name: EtwRawThreadId
- type: long
- - name: FXFileSize
- type: keyword
- - name: Facility
- type: keyword
- - name: FailedConnectCount
- type: long
- - name: FeatureExtractionVersion
- type: keyword
- - name: FeatureVector
- type: keyword
- - name: File
- type: keyword
- - name: FirmwareAnalysisEclConsumerInterfaceVersion
- type: keyword
- - name: FirmwareAnalysisEclControlInterfaceVersion
- type: keyword
- - name: IOServiceClass
- type: keyword
- - name: IOServiceName
- type: keyword
- - name: IOServicePath
- type: keyword
- - name: InDiscards
- type: keyword
- - name: InErrors
- type: keyword
- - name: InMulticastPkts
- type: keyword
- - name: InOctets
- type: keyword
- - name: InUcastPkts
- type: keyword
- - name: InUnknownProtos
- type: keyword
- - name: InterfaceAlias
- type: keyword
- - name: InterfaceType
- type: keyword
- - name: LfoUploadFlags
- type: keyword
- - name: LightningLatencyState
- type: keyword
- - name: Line
- type: keyword
- - name: LogicalCoreCount
- type: long
- - name: LoginSessionId
- type: keyword
- - name: MLModelVersion
- type: keyword
- - name: MajorVersion
- type: keyword
- - name: Malicious
- type: keyword
- - name: MemoryTotal
- type: keyword
- - name: MicrocodeSignature
- type: keyword
- - name: MinorVersion
- type: keyword
- - name: MoboManufacturer
- type: keyword
- - name: MoboProductName
- type: keyword
- - name: ModelPrediction
- type: keyword
- - name: NeighborList
- type: keyword
- - name: NetLuidIndex
- type: long
- - name: NetworkContainmentState
- type: keyword
- - name: OSVersionFileData
- type: keyword
- - name: OSVersionFileName
- type: keyword
- - name: OutErrors
- type: keyword
- - name: OutMulticastPkts
- type: keyword
- - name: OutOctets
- type: keyword
- - name: OutUcastPkts
- type: keyword
- - name: Parameter1
- type: keyword
- - name: Parameter2
- type: keyword
- - name: Parameter3
- type: keyword
- - name: PciAttachmentState
- type: keyword
- - name: PhysicalCoreCount
- type: long
- - name: PreviousConnectTime
- type: date
- - name: ProcessCount
- type: long
- - name: ProcessorPackageCount
- type: long
- - name: ProvisionState
- type: keyword
- - name: PupAdwareConfidence
- type: keyword
- - name: PupAdwareDecisionValue
- type: keyword
- - name: RFMState
- type: keyword
- - name: ReasonOfFunctionalityLevel
- type: keyword
- - name: SensorStateBitMap
- type: keyword
- - name: SuppressType
- type: keyword
- - name: SyntheticPR2Flags
- type: keyword
- - name: SystemManufacturer
- type: keyword
- - name: SystemProductName
- type: keyword
- - name: SystemSerialNumber
- type: keyword
- - name: SystemSku
- type: keyword
- - name: SystemTableIndex
- type: long
- - name: TargetFileName
- type: keyword
- - name: USN
- type: keyword
- - name: UploadId
- type: keyword
- - name: UserSid
- type: keyword
- - name: VerifiedCertificate
- type: keyword
- - name: VolumeAppearanceTime
- type: keyword
- - name: VolumeBusName
- type: keyword
- - name: VolumeBusPath
- type: keyword
- - name: VolumeDeviceInternal
- type: keyword
- - name: VolumeDeviceModel
- type: keyword
- - name: VolumeDevicePath
- type: keyword
- - name: VolumeDeviceProtocol
- type: keyword
- - name: VolumeDeviceRevision
- type: keyword
- - name: VolumeMediaBSDMajor
- type: keyword
- - name: VolumeMediaBSDMinor
- type: keyword
- - name: VolumeMediaBSDName
- type: keyword
- - name: VolumeMediaBSDUnit
- type: keyword
- - name: VolumeMediaContent
- type: keyword
- - name: 
VolumeMediaEjectable
- type: keyword
- - name: VolumeMediaName
- type: keyword
- - name: VolumeMediaPath
- type: keyword
- - name: VolumeMediaRemovable
- type: keyword
- - name: VolumeMediaSize
- type: keyword
- - name: VolumeMediaUUID
- type: keyword
- - name: VolumeMediaWhole
- type: keyword
- - name: VolumeMediaWritable
- type: keyword
- - name: VolumeType
- type: keyword
- - name: VolumeUUID
- type: keyword
- - name: WindowFlags
- type: keyword
diff --git a/packages/crowdstrike/1.7.0/data_stream/fdr/manifest.yml b/packages/crowdstrike/1.7.0/data_stream/fdr/manifest.yml
deleted file mode 100755
index 17c00c1d0c..0000000000
--- a/packages/crowdstrike/1.7.0/data_stream/fdr/manifest.yml
+++ /dev/null
@@ -1,191 +0,0 @@
-title: "Falcon Data Replicator"
-type: logs
-streams:
- - input: aws-s3
- template_path: aws-s3.yml.hbs
- title: Falcon Data Replicator logs
- description: Collect Falcon Data Replicator logs using s3 input
- vars:
- - name: access_key_id
- type: text
- title: Access Key ID
- multi: false
- required: false
- show_user: true
- - name: secret_access_key
- type: text
- title: Secret Access Key
- multi: false
- required: false
- show_user: true
- - name: session_token
- type: text
- title: Session Token
- multi: false
- required: false
- show_user: true
- - name: queue_url
- type: text
- title: Queue URL
- multi: false
- required: true
- show_user: true
- description: URL of the AWS SQS queue that messages will be received from.
- - name: is_fdr_queue
- type: bool
- title: Is FDR queue
- multi: false
- required: true
- show_user: true
- description: |
- By default the FDR queue is expected. This option must be set to `false` if you are using your own queue.
- default: true
- - name: preserve_original_event
- required: true
- show_user: true
- title: Preserve original event
- description: Preserves a raw copy of the original event, added to the field `event.original`
- type: bool
- multi: false
- default: false
- - name: shared_credential_file
- type: text
- title: Shared Credential File
- multi: false
- required: false
- show_user: false
- description: Directory of the shared credentials file
- - name: credential_profile_name
- type: text
- title: Credential Profile Name
- multi: false
- required: false
- show_user: false
- - name: role_arn
- type: text
- title: Role ARN
- multi: false
- required: false
- show_user: false
- - name: endpoint
- type: text
- title: Endpoint
- multi: false
- required: false
- show_user: false
- default: ""
- description: URL of the entry point for an AWS web service
- - name: default_region
- type: text
- title: Default AWS Region
- multi: false
- required: false
- show_user: false
- default: ""
- description: Default 
region to use prior to connecting to region specific services/endpoints if no AWS region is set from environment variable, credentials or instance profile. If none of the above are set and no default region is set as well, `us-east-1` is used. A region, either from environment variable, credentials or instance profile or from this default region setting, needs to be set when using regions in non-regular AWS environments such as AWS China or US Government Isolated.
- - name: visibility_timeout
- type: text
- title: Visibility Timeout
- multi: false
- required: false
- show_user: false
- description: The duration that the received messages are hidden from subsequent retrieve requests after being retrieved by a ReceiveMessage request. The maximum is 12 hours.
- - name: api_timeout
- type: text
- title: API Timeout
- multi: false
- required: false
- show_user: false
- description: The maximum duration of AWS API can take. The maximum is half of the visibility timeout value.
- - name: fips_enabled
- type: bool
- title: Enable S3 FIPS
- default: false
- multi: false
- required: false
- show_user: false
- description: Enabling this option changes the service name from `s3` to `s3-fips` for connecting to the correct service endpoint.
- - name: proxy_url
- type: text
- title: Proxy URL
- multi: false
- required: false
- show_user: false
- description: URL to proxy connections in the form of http\[s\]://:@:
- - name: fdr_parsing_script
- type: yaml
- title: FDR Notification Parsing Script
- multi: false
- required: true
- show_user: false
- description: The JS script used to parse the custom format of SQS FDR notifications.
- default: |
- function parse(n) {
- var m = JSON.parse(n);
- var evts = [];
- var files = m.files;
- var bucket = m.bucket;
- if (!Array.isArray(files) || (files.length == 0) || bucket == null || bucket == "") {
- return evts;
- }
- files.forEach(function(f){
- var evt = new S3EventV2();
- evt.SetS3BucketName(bucket);
- evt.SetS3ObjectKey(f.path);
- evts.push(evt);
- });
- return evts;
- }
- - name: tags
- type: text
- title: Tags
- multi: true
- show_user: false
- default:
- - forwarded
- - crowdstrike-fdr
- - name: processors
- type: yaml
- title: Processors
- multi: false
- required: false
- show_user: false
- description: >
- Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
- - input: logfile
- title: Falcon Data Replicator logs
- description: Collect Falcon Data Replicator logs using a log file
- vars:
- - name: paths
- type: text
- title: Paths
- multi: true
- default:
- - /var/log/falcon_data_replicator.log
- show_user: true
- - name: preserve_original_event
- required: true
- show_user: true
- title: Preserve original event
- description: Preserves a raw copy of the original event, added to the field `event.original`
- type: bool
- multi: false
- default: false
- - name: tags
- type: text
- title: Tags
- multi: true
- show_user: false
- default:
- - forwarded
- - crowdstrike-fdr
- - name: processors
- type: yaml
- title: Processors
- multi: false
- required: false
- show_user: false
- description: >
- Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
- 
diff --git a/packages/crowdstrike/1.7.0/data_stream/fdr/sample_event.json b/packages/crowdstrike/1.7.0/data_stream/fdr/sample_event.json
deleted file mode 100755
index 3b961e0361..0000000000
--- a/packages/crowdstrike/1.7.0/data_stream/fdr/sample_event.json
+++ /dev/null
@@ -1,121 +0,0 @@
-{
- "@timestamp": "2020-11-08T09:58:32.519Z",
- "agent": {
- "ephemeral_id": "8cb3a21e-5542-440a-a909-8a2f161001ba",
- "id": "ca0beb8d-9522-4450-8af7-3cb7f3d8c478",
- "name": "docker-fleet-agent",
- "type": "filebeat",
- "version": "8.2.0"
- },
- "crowdstrike": {
- "ConfigStateHash": "1763245019",
- "DesiredAccess": "1179785",
- "EffectiveTransmissionClass": "3",
- "Entitlements": "15",
- "FileAttributes": "0",
- "FileObject": "18446670458156489088",
- "Information": "1",
- "IrpFlags": "2180",
- "MajorFunction": "0",
- "MinorFunction": "0",
- "OperationFlags": "0",
- "Options": "16777312",
- "ShareAccess": "5",
- "Status": "0",
- "cid": "ffffffff30a3407dae27d0503611022d",
- "name": "RansomwareOpenFileV4"
- },
- "data_stream": {
- "dataset": "crowdstrike.fdr",
- "namespace": "ep",
- "type": "logs"
- },
- "ecs": {
- "version": "8.3.0"
- },
- "elastic_agent": {
- "id": "ca0beb8d-9522-4450-8af7-3cb7f3d8c478",
- "snapshot": false,
- "version": "8.2.0"
- },
- "event": {
- "action": "RansomwareOpenFile",
- "agent_id_status": "verified",
- "category": [
- "file"
- ],
- "created": "2020-11-08T17:07:22.091Z",
- "dataset": "crowdstrike.fdr",
- "id": "ffffffff-1111-11eb-9756-06fe7f8f682f",
- "ingested": "2022-05-09T16:39:37Z",
- "kind": "alert",
- "original": 
"{\"ConfigBuild\":\"1007.3.0011603.1\",\"ConfigStateHash\":\"1763245019\",\"ContextProcessId\":\"1016182570608\",\"ContextThreadId\":\"37343520154472\",\"ContextTimeStamp\":\"1604829512.519\",\"DesiredAccess\":\"1179785\",\"EffectiveTransmissionClass\":\"3\",\"Entitlements\":\"15\",\"FileAttributes\":\"0\",\"FileIdentifier\":\"7a9c1c1610045d45a54bd6643ac12ea767a5020000000c00\",\"FileObject\":\"18446670458156489088\",\"Information\":\"1\",\"IrpFlags\":\"2180\",\"MajorFunction\":\"0\",\"MinorFunction\":\"0\",\"OperationFlags\":\"0\",\"Options\":\"16777312\",\"ShareAccess\":\"5\",\"Status\":\"0\",\"TargetFileName\":\"\\\\Device\\\\HarddiskVolume3\\\\Users\\\\user11\\\\Downloads\\\\file.pptx\",\"aid\":\"ffffffffac4148947ed68497e89f3308\",\"aip\":\"67.43.156.14\",\"cid\":\"ffffffff30a3407dae27d0503611022d\",\"event_platform\":\"Win\",\"event_simpleName\":\"RansomwareOpenFile\",\"id\":\"ffffffff-1111-11eb-9756-06fe7f8f682f\",\"name\":\"RansomwareOpenFileV4\",\"timestamp\":\"1604855242091\"}",
- "outcome": "success",
- "timezone": "+00:00",
- "type": [
- "access"
- ]
- },
- "file": {
- "directory": "\\Device\\HarddiskVolume3\\Users\\user11\\Downloads",
- "extension": "pptx",
- "inode": "7a9c1c1610045d45a54bd6643ac12ea767a5020000000c00",
- "name": "file.pptx",
- "path": "\\Device\\HarddiskVolume3\\Users\\user11\\Downloads\\file.pptx",
- "type": "file"
- },
- "input": {
- "type": "log"
- },
- "log": {
- "file": {
- "path": "/tmp/service_logs/fdr-sample.log"
- },
- "offset": 95203
- },
- "observer": {
- "address": "67.43.156.14",
- "geo": {
- "continent_name": "Asia",
- "country_iso_code": "BT",
- "country_name": "Bhutan",
- "location": {
- "lat": 27.5,
- "lon": 90.5
- }
- },
- "ip": "67.43.156.14",
- "serial_number": "ffffffffac4148947ed68497e89f3308",
- "type": "agent",
- "vendor": "crowdstrike",
- "version": "1007.3.0011603.1"
- },
- "os": {
- "type": "windows"
- },
- "process": {
- "entity_id": "1016182570608",
- "thread": {
- "id": 37343520154472
- }
- },
- "related": { 
- "hash": [
- "1763245019"
- ],
- "hosts": [
- "67.43.156.14"
- ],
- "ip": [
- "67.43.156.14"
- ]
- },
- "tags": [
- "preserve_original_event",
- "forwarded",
- "crowdstrike-fdr"
- ],
- "url": {
- "scheme": "http"
- }
-}
\ No newline at end of file
diff --git a/packages/crowdstrike/1.7.0/docs/README.md b/packages/crowdstrike/1.7.0/docs/README.md
deleted file mode 100755
index 27f0b4e121..0000000000
--- a/packages/crowdstrike/1.7.0/docs/README.md
+++ /dev/null
@@ -1,1026 +0,0 @@
-# CrowdStrike Integration
-
-This integration is for [CrowdStrike](https://www.crowdstrike.com/resources/?cs_query=type=5) products. It includes the
-following datasets for receiving logs:
-
-- `falcon` dataset: consists of endpoint data and Falcon platform audit data forwarded from [Falcon SIEM Connector](https://www.crowdstrike.com/blog/tech-center/integrate-with-your-siem/).
-- `fdr` dataset: consists of logs forwarded using the [Falcon Data Replicator](https://github.com/CrowdStrike/FDR).
-
-## Compatibility
-
-This integration supports CrowdStrike Falcon SIEM-Connector-v2.0.
-
-## Logs
-
-### Falcon
-
-Contains endpoint data and CrowdStrike Falcon platform audit data forwarded from Falcon SIEM Connector.
-
-**Exported fields**
-
-| Field | Description | Type |
-|---|---|---|
-| @timestamp | Event timestamp. | date |
-| agent.id | Unique identifier of this agent (if one exists). Example: For Beats this would be beat.id. | keyword |
-| agent.name | Custom name of the agent. This is a name that can be given to an agent. This can be helpful if for example two Filebeat instances are running on the same host but a human readable separation is needed on which Filebeat instance data is coming from. | keyword |
-| agent.type | Type of the agent. The agent type always stays the same and should be given by the agent used. In case of Filebeat the agent would always be Filebeat also if two Filebeat instances are run on the same machine. | keyword |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. 
| keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
-| crowdstrike.event.AuditKeyValues | Fields that were changed in this event. | nested |
-| crowdstrike.event.CommandLine | Executable path with command line arguments. | keyword |
-| crowdstrike.event.Commands | Commands run in a remote session. | keyword |
-| crowdstrike.event.ComputerName | Name of the computer where the detection occurred. | keyword |
-| crowdstrike.event.ConnectionDirection | Direction for network connection. | keyword |
-| crowdstrike.event.CustomerId | Customer identifier. | keyword |
-| crowdstrike.event.DetectDescription | Description of the detection. | keyword |
-| crowdstrike.event.DetectId | Unique ID associated with the detection. | keyword |
-| crowdstrike.event.DetectName | Name of the detection. | keyword |
-| crowdstrike.event.DeviceId | Device on which the event occurred. | keyword |
-| crowdstrike.event.EndTimestamp | End time for the remote session in UTC UNIX format. | date |
-| crowdstrike.event.EventType | CrowdStrike provided event type. | keyword |
-| crowdstrike.event.ExecutablesWritten | Detected executables written to disk by a process. | nested |
-| crowdstrike.event.FalconHostLink | URL to view the detection in Falcon. | keyword |
-| crowdstrike.event.FileName | File name of the associated process for the detection. | keyword |
-| crowdstrike.event.FilePath | Path of the executable associated with the detection. 
| keyword |
-| crowdstrike.event.FineScore | Score for incident. | float |
-| crowdstrike.event.Flags.Audit | CrowdStrike audit flag. | boolean |
-| crowdstrike.event.Flags.Log | CrowdStrike log flag. | boolean |
-| crowdstrike.event.Flags.Monitor | CrowdStrike monitor flag. | boolean |
-| crowdstrike.event.GrandparentCommandLine | Grandparent process command line arguments. | keyword |
-| crowdstrike.event.GrandparentImageFileName | Path to the grandparent process. | keyword |
-| crowdstrike.event.HostName | Host name of the local machine. | keyword |
-| crowdstrike.event.HostnameField | Host name of the machine for the remote session. | keyword |
-| crowdstrike.event.ICMPCode | RFC2780 ICMP Code field. | keyword |
-| crowdstrike.event.ICMPType | RFC2780 ICMP Type field. | keyword |
-| crowdstrike.event.IOCType | CrowdStrike type for indicator of compromise. | keyword |
-| crowdstrike.event.IOCValue | CrowdStrike value for indicator of compromise. | keyword |
-| crowdstrike.event.ImageFileName | File name of the associated process for the detection. | keyword |
-| crowdstrike.event.IncidentEndTime | End time for the incident in UTC UNIX format. | date |
-| crowdstrike.event.IncidentStartTime | Start time for the incident in UTC UNIX format. | date |
-| crowdstrike.event.Ipv | Protocol for network request. | keyword |
-| crowdstrike.event.LateralMovement | Lateral movement field for incident. | long |
-| crowdstrike.event.LocalAddress | IP address of local machine. | ip |
-| crowdstrike.event.LocalIP | IP address of the host associated with the detection. | keyword |
-| crowdstrike.event.LocalPort | Port of local machine. | long |
-| crowdstrike.event.MACAddress | MAC address of the host associated with the detection. | keyword |
-| crowdstrike.event.MD5String | MD5 sum of the executable associated with the detection. | keyword |
-| crowdstrike.event.MachineDomain | Domain for the machine associated with the detection. 
| keyword |
-| crowdstrike.event.MatchCount | Number of firewall rule matches. | long |
-| crowdstrike.event.MatchCountSinceLastReport | Number of firewall rule matches since the last report. | long |
-| crowdstrike.event.NetworkProfile | CrowdStrike network profile. | keyword |
-| crowdstrike.event.Objective | Method of detection. | keyword |
-| crowdstrike.event.OperationName | Event subtype. | keyword |
-| crowdstrike.event.PID | Associated process id for the detection. | long |
-| crowdstrike.event.ParentCommandLine | Parent process command line arguments. | keyword |
-| crowdstrike.event.ParentImageFileName | Path to the parent process. | keyword |
-| crowdstrike.event.ParentProcessId | Parent process ID related to the detection. | integer |
-| crowdstrike.event.PatternDispositionDescription | Action taken by Falcon. | keyword |
-| crowdstrike.event.PatternDispositionFlags.BootupSafeguardEnabled | | boolean |
-| crowdstrike.event.PatternDispositionFlags.CriticalProcessDisabled | | boolean |
-| crowdstrike.event.PatternDispositionFlags.Detect | | boolean |
-| crowdstrike.event.PatternDispositionFlags.FsOperationBlocked | | boolean |
-| crowdstrike.event.PatternDispositionFlags.InddetMask | | boolean |
-| crowdstrike.event.PatternDispositionFlags.Indicator | | boolean |
-| crowdstrike.event.PatternDispositionFlags.KillParent | | boolean |
-| crowdstrike.event.PatternDispositionFlags.KillProcess | | boolean |
-| crowdstrike.event.PatternDispositionFlags.KillSubProcess | | boolean |
-| crowdstrike.event.PatternDispositionFlags.OperationBlocked | | boolean |
-| crowdstrike.event.PatternDispositionFlags.PolicyDisabled | | boolean |
-| crowdstrike.event.PatternDispositionFlags.ProcessBlocked | | boolean |
-| crowdstrike.event.PatternDispositionFlags.QuarantineFile | | boolean |
-| crowdstrike.event.PatternDispositionFlags.QuarantineMachine | | boolean |
-| crowdstrike.event.PatternDispositionFlags.RegistryOperationBlocked | | boolean |
-| 
crowdstrike.event.PatternDispositionFlags.Rooting | | boolean |
-| crowdstrike.event.PatternDispositionFlags.SensorOnly | | boolean |
-| crowdstrike.event.PatternDispositionValue | Unique ID associated with action taken. | integer |
-| crowdstrike.event.PolicyID | CrowdStrike policy id. | keyword |
-| crowdstrike.event.PolicyName | CrowdStrike policy name. | keyword |
-| crowdstrike.event.ProcessEndTime | The process termination time in UTC UNIX_MS format. | date |
-| crowdstrike.event.ProcessId | Process ID related to the detection. | integer |
-| crowdstrike.event.ProcessStartTime | The process start time in UTC UNIX_MS format. | date |
-| crowdstrike.event.Protocol | CrowdStrike provided protocol. | keyword |
-| crowdstrike.event.RemoteAddress | IP address of remote machine. | ip |
-| crowdstrike.event.RemotePort | Port of remote machine. | long |
-| crowdstrike.event.RuleAction | Firewall rule action. | keyword |
-| crowdstrike.event.RuleDescription | Firewall rule description. | keyword |
-| crowdstrike.event.RuleFamilyID | Firewall rule family id. | keyword |
-| crowdstrike.event.RuleGroupName | Firewall rule group name. | keyword |
-| crowdstrike.event.RuleId | Firewall rule id. | keyword |
-| crowdstrike.event.RuleName | Firewall rule name. | keyword |
-| crowdstrike.event.SHA1String | SHA1 sum of the executable associated with the detection. | keyword |
-| crowdstrike.event.SHA256String | SHA256 sum of the executable associated with the detection. | keyword |
-| crowdstrike.event.SensorId | Unique ID associated with the Falcon sensor. | keyword |
-| crowdstrike.event.ServiceName | Service associated with this event. | keyword |
-| crowdstrike.event.SessionId | Session ID of the remote response session. | keyword |
-| crowdstrike.event.Severity | Severity score of the detection. | integer |
-| crowdstrike.event.SeverityName | Severity score text. | keyword |
-| crowdstrike.event.StartTimestamp | Start time for the remote session in UTC UNIX format. 
| date |
-| crowdstrike.event.State | Whether the incident summary is open and ongoing or closed. | keyword |
-| crowdstrike.event.Status | CrowdStrike status. | keyword |
-| crowdstrike.event.Success | Indicator of whether or not this event was successful. | boolean |
-| crowdstrike.event.Tactic | MITRE tactic category of the detection. | keyword |
-| crowdstrike.event.Technique | MITRE technique category of the detection. | keyword |
-| crowdstrike.event.Timestamp | Firewall rule triggered timestamp. | date |
-| crowdstrike.event.TreeID | CrowdStrike tree id. | keyword |
-| crowdstrike.event.UTCTimestamp | Timestamp associated with this event in UTC UNIX format. | date |
-| crowdstrike.event.UserId | Email address or user ID associated with the event. | keyword |
-| crowdstrike.event.UserIp | IP address associated with the user. | keyword |
-| crowdstrike.event.UserName | User name associated with the detection. | keyword |
-| crowdstrike.metadata.customerIDString | Customer identifier | keyword |
-| crowdstrike.metadata.eventCreationTime | The time this event occurred on the endpoint in UTC UNIX_MS format. | date |
-| crowdstrike.metadata.eventType | DetectionSummaryEvent, FirewallMatchEvent, IncidentSummaryEvent, RemoteResponseSessionStartEvent, RemoteResponseSessionEndEvent, AuthActivityAuditEvent, or UserActivityAuditEvent | keyword |
-| crowdstrike.metadata.offset | Offset number that tracks the location of the event in stream. This is used to identify unique detection events. | integer |
-| crowdstrike.metadata.version | Schema version | keyword |
-| data_stream.dataset | Data stream dataset name. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| destination.ip | IP address of the destination (IPv4 or IPv6). | ip |
-| destination.port | Port of the destination. | long |
-| ecs.version | ECS version this event conforms to. 
`ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| error.message | Error message. | match_only_text |
-| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword |
-| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword |
-| event.code | Identification code for this event, if one exists. Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. | keyword |
-| event.dataset | Event dataset | constant_keyword |
-| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date |
-| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. 
`event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword |
-| event.module | Event module | constant_keyword |
-| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword |
-| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword |
-| event.severity | The numeric severity of the event according to your event source. 
What the different severity values mean can be different between sources and use cases. It's up to the implementer to make sure severities are consistent across events from the same source. The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`. | long |
-| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword |
-| event.url | URL linking to an external system to continue investigation of this event. This URL links to another system where in-depth investigation of the specific occurrence of this event can take place. Alert events, indicated by `event.kind:alert`, are a common use case for this field. | keyword |
-| file.hash.md5 | MD5 hash. | keyword |
-| file.hash.sha1 | SHA1 hash. | keyword |
-| file.hash.sha256 | SHA256 hash. | keyword |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. 
Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| input.type | Type of Filebeat input. | keyword |
-| log.file.path | Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. | keyword |
-| log.flags | Flags for the log file. | keyword |
-| log.offset | Offset of the entry in the log file. | long |
-| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text |
-| network.direction | Direction of the network traffic. 
When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword |
-| network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword |
-| process.args | Array of process arguments, starting with the absolute path to the executable. May be filtered to protect sensitive information. | keyword |
-| process.command_line | Full command line that started the process, including the absolute path to the executable, and all arguments. Some arguments may be filtered to protect sensitive information. | wildcard |
-| process.command_line.text | Multi-field of `process.command_line`. | match_only_text |
-| process.executable | Absolute path to the process executable. | keyword |
-| process.executable.text | Multi-field of `process.executable`. | match_only_text |
-| process.name | Process name. Sometimes called program name or similar. | keyword |
-| process.name.text | Multi-field of `process.name`. | match_only_text |
-| process.parent.command_line | Full command line that started the process, including the absolute path to the executable, and all arguments. Some arguments may be filtered to protect sensitive information. | wildcard |
-| process.parent.command_line.text | Multi-field of `process.parent.command_line`. 
| match_only_text | -| process.parent.executable | Absolute path to the process executable. | keyword | -| process.parent.executable.text | Multi-field of `process.parent.executable`. | match_only_text | -| process.pid | Process id. | long | -| related.hash | All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). | keyword | -| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| related.user | All the user names or other user identifiers seen on the event. | keyword | -| rule.category | A categorization value keyword used by the entity using the rule for detection of this event. | keyword | -| rule.description | The description of the rule generating the event. | keyword | -| rule.id | A rule ID that is unique within the scope of an agent, observer, or other entity using the rule for detection of this event. | keyword | -| rule.name | The name of the rule or signature generating the event. | keyword | -| rule.ruleset | Name of the ruleset, policy, group, or parent category in which the rule used to generate this event is a member. | keyword | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| source.port | Port of the source. | long | -| tags | List of keywords used to tag each event. | keyword | -| threat.tactic.name | Name of the type of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/) | keyword | -| threat.technique.name | The name of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1059/) | keyword | -| threat.technique.name.text | Multi-field of `threat.technique.name`. 
| match_only_text | -| user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword | -| user.email | User email address. | keyword | -| user.name | Short name or login of the user. | keyword | -| user.name.text | Multi-field of `user.name`. | match_only_text | - - -An example event for `falcon` looks as following: - -```json -{ - "@timestamp": "2020-02-12T21:29:10.710Z", - "agent": { - "ephemeral_id": "cc9fb403-5b26-4fe7-aefc-41666b9f4575", - "id": "ca0beb8d-9522-4450-8af7-3cb7f3d8c478", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "8.2.0" - }, - "crowdstrike": { - "event": { - "AuditKeyValues": [ - { - "Key": "APIClientID", - "ValueString": "1234567890abcdefghijklmnopqr" - }, - { - "Key": "partition", - "ValueString": "0" - }, - { - "Key": "offset", - "ValueString": "-1" - }, - { - "Key": "appId", - "ValueString": "siem-connector-v2.0.0" - }, - { - "Key": "eventType", - "ValueString": "[UserActivityAuditEvent HashSpreadingEvent RemoteResponseSessionStartEvent RemoteResponseSessionEndEvent DetectionSummaryEvent AuthActivityAuditEvent]" - } - ], - "OperationName": "streamStarted", - "ServiceName": "Crowdstrike Streaming API", - "Success": true, - "UTCTimestamp": "2020-02-12T21:29:10.000Z", - "UserId": "api-client-id:1234567890abcdefghijklmnopqrstuvwxyz", - "UserIp": "10.10.0.8" - }, - "metadata": { - "customerIDString": "8f69fe9e-b995-4204-95ad-44f9bcf75b6b", - "eventCreationTime": "2020-02-12T21:29:10.710Z", - "eventType": "AuthActivityAuditEvent", - "offset": 0, - "version": "1.0" - } - }, - "data_stream": { - "dataset": "crowdstrike.falcon", - "namespace": "ep", - "type": "logs" - }, - "ecs": { - "version": "8.3.0" - }, - "elastic_agent": { - "id": "ca0beb8d-9522-4450-8af7-3cb7f3d8c478", - "snapshot": false, - "version": "8.2.0" - }, - "event": { - "agent_id_status": "verified", - "category": [ - "authentication" - ], - "dataset": "crowdstrike.falcon", - "ingested": 
"2022-05-09T16:35:19Z", - "kind": "event", - "original": "{\n \"metadata\": {\n \"customerIDString\": \"8f69fe9e-b995-4204-95ad-44f9bcf75b6b\",\n \"offset\": 0,\n \"eventType\": \"AuthActivityAuditEvent\",\n \"eventCreationTime\": 1581542950710,\n \"version\": \"1.0\"\n },\n \"event\": {\n \"UserId\": \"api-client-id:1234567890abcdefghijklmnopqrstuvwxyz\",\n \"UserIp\": \"10.10.0.8\",\n \"OperationName\": \"streamStarted\",\n \"ServiceName\": \"Crowdstrike Streaming API\",\n \"Success\": true,\n \"UTCTimestamp\": 1581542950,\n \"AuditKeyValues\": [\n {\n \"Key\": \"APIClientID\",\n \"ValueString\": \"1234567890abcdefghijklmnopqr\"\n },\n {\n \"Key\": \"partition\",\n \"ValueString\": \"0\"\n },\n {\n \"Key\": \"offset\",\n \"ValueString\": \"-1\"\n },\n {\n \"Key\": \"appId\",\n \"ValueString\": \"siem-connector-v2.0.0\"\n },\n {\n \"Key\": \"eventType\",\n \"ValueString\": \"[UserActivityAuditEvent HashSpreadingEvent RemoteResponseSessionStartEvent RemoteResponseSessionEndEvent DetectionSummaryEvent AuthActivityAuditEvent]\"\n }\n ]\n }\n}", - "outcome": "success", - "type": [ - "change" - ] - }, - "event.action": "stream_started", - "input": { - "type": "log" - }, - "log": { - "file": { - "path": "/tmp/service_logs/falcon-audit-events.log" - }, - "flags": [ - "multiline" - ], - "offset": 910 - }, - "message": "Crowdstrike Streaming API", - "related": { - "ip": [ - "10.10.0.8" - ], - "user": [ - "api-client-id:1234567890abcdefghijklmnopqrstuvwxyz" - ] - }, - "source": { - "ip": "10.10.0.8" - }, - "tags": [ - "preserve_original_event", - "forwarded", - "crowdstrike-falcon" - ], - "user": { - "name": "api-client-id:1234567890abcdefghijklmnopqrstuvwxyz" - } -} -``` - -### FDR - -The CrowdStrike Falcon Data Replicator (FDR) allows CrowdStrike users to replicate FDR data from CrowdStrike -managed S3 buckets. CrowdStrike writes notification events to a CrowdStrike managed SQS queue when new data is -available in S3. - -This integration can be used in two ways. 
It can consume SQS notifications directly from the CrowdStrike managed -SQS queue or it can be used in conjunction with the FDR tool that replicates the data to a self-managed S3 bucket -and the integration can read from there. - -In both cases SQS messages are deleted after they are processed. This allows you to operate more than one Elastic -Agent with this integration if needed and not have duplicate events, but it means you cannot ingest the data a second time. - -#### Use with CrowdStrike managed S3/SQS - -This is the simplest way to setup the integration, and also the default. - -You need to set the integration up with the SQS queue URL provided by Crowdstrike FDR. -Ensure the `Is FDR queue` option is enabled. - -#### Use with FDR tool and data replicated to a self-managed S3 bucket - -This option can be used if you want to archive the raw CrowdStrike data. - -You need to follow the steps below: - -- Create a S3 bucket to receive the logs. -- Create a SQS queue. -- Configure your S3 bucket to send object created notifications to your SQS queue. -- Follow the [FDR tool](https://github.com/CrowdStrike/FDR) instructions to replicate data to your own S3 bucket. -- Configure the integration to read from your self-managed SQS topic. -- Disable the `Is FDR queue` option in the integration. - -> NOTE: While the FDR tool can replicate the files from S3 to your local file system, this integration cannot read those files because they are gzip compressed, and the log file input does not support reading compressed files. - -#### Configuration for the S3 input - -AWS credentials are required for running this integration if you want to use the S3 input. - -##### Configuration parameters -* `access_key_id`: first part of access key. -* `secret_access_key`: second part of access key. -* `session_token`: required when using temporary security credentials. -* `credential_profile_name`: profile name in shared credentials file. 
-* `shared_credential_file`: directory of the shared credentials file. -* `endpoint`: URL of the entry point for an AWS web service. -* `role_arn`: AWS IAM Role to assume. - -##### Credential Types -There are three types of AWS credentials can be used: - -- access keys, -- temporary security credentials, and -- IAM role ARN. - -##### Access keys - -`AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY` are the two parts of access keys. -They are long-term credentials for an IAM user, or the AWS account root user. -Please see [AWS Access Keys and Secret Access Keys](https://docs.aws.amazon.com/general/latest/gr/aws-sec-cred-types.html#access-keys-and-secret-access-keys) -for more details. - -##### Temporary security credentials - -Temporary security credentials has a limited lifetime and consists of an -access key ID, a secret access key, and a security token which typically returned -from `GetSessionToken`. - -MFA-enabled IAM users would need to submit an MFA code -while calling `GetSessionToken`. `default_region` identifies the AWS Region -whose servers you want to send your first API request to by default. - -This is typically the Region closest to you, but it can be any Region. Please see -[Temporary Security Credentials](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp.html) -for more details. - -`sts get-session-token` AWS CLI can be used to generate temporary credentials. -For example. with MFA-enabled: -```js -aws> sts get-session-token --serial-number arn:aws:iam::1234:mfa/your-email@example.com --duration-seconds 129600 --token-code 123456 -``` - -Because temporary security credentials are short term, after they expire, the -user needs to generate new ones and manually update the package configuration in -order to continue collecting `aws` metrics. - -This will cause data loss if the configuration is not updated with new credentials before the old ones expire. 
- -##### IAM role ARN - -An IAM role is an IAM identity that you can create in your account that has -specific permissions that determine what the identity can and cannot do in AWS. - -A role does not have standard long-term credentials such as a password or access -keys associated with it. Instead, when you assume a role, it provides you with -temporary security credentials for your role session. -IAM role Amazon Resource Name (ARN) can be used to specify which AWS IAM role to assume to generate -temporary credentials. - -Please see [AssumeRole API documentation](https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html) for more details. - -##### Supported Formats -1. Use access keys: Access keys include `access_key_id`, `secret_access_key` -and/or `session_token`. -2. Use `role_arn`: `role_arn` is used to specify which AWS IAM role to assume - for generating temporary credentials. - If `role_arn` is given, the package will check if access keys are given. - If not, the package will check for credential profile name. - If neither is given, default credential profile will be used. - - Please make sure credentials are given under either a credential profile or - access keys. -3. Use `credential_profile_name` and/or `shared_credential_file`: - If `access_key_id`, `secret_access_key` and `role_arn` are all not given, then - the package will check for `credential_profile_name`. - If you use different credentials for different tools or applications, you can use profiles to - configure multiple access keys in the same configuration file. - If there is no `credential_profile_name` given, the default profile will be used. - `shared_credential_file` is optional to specify the directory of your shared - credentials file. - If it's empty, the default directory will be used. - In Windows, shared credentials file is at `C:\Users\\.aws\credentials`. - For Linux, macOS or Unix, the file locates at `~/.aws/credentials`. 
- Please see[Create Shared Credentials File](https://docs.aws.amazon.com/ses/latest/DeveloperGuide/create-shared-credentials-file.html) - for more details. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| crowdstrike.AgentLoadFlags | | keyword | -| crowdstrike.AgentLocalTime | | date | -| crowdstrike.AgentTimeOffset | | float | -| crowdstrike.AgentVersion | | keyword | -| crowdstrike.AllocateVirtualMemoryCount | | long | -| crowdstrike.ApiReturnValue | | keyword | -| crowdstrike.ArchiveFileWrittenCount | | long | -| crowdstrike.AsepWrittenCount | | long | -| crowdstrike.AttemptNumber | | long | -| crowdstrike.AuthenticationId | | keyword | -| crowdstrike.AuthenticationPackage | | keyword | -| crowdstrike.AuthenticationUuid | | keyword | -| crowdstrike.AuthenticationUuidAsString | | keyword | -| crowdstrike.BinaryExecutableWrittenCount | | long | -| crowdstrike.BiosManufacturer | | keyword | -| crowdstrike.BiosReleaseDate | | date | -| crowdstrike.BiosVersion | | keyword | -| crowdstrike.BootArgs | | keyword | -| crowdstrike.BootTimeFunctionalityLevel | | keyword | -| crowdstrike.BoundedCount | | long | -| crowdstrike.BundleID | | keyword | -| crowdstrike.CLICreationCount | | long | -| crowdstrike.CallStackModuleNames | | keyword | -| crowdstrike.CallStackModuleNamesVersion | | version | -| crowdstrike.ChannelDiffStatus | | keyword | -| crowdstrike.ChannelId | | keyword | -| crowdstrike.ChannelVersion | | keyword | -| crowdstrike.ChannelVersionRequired | | keyword | -| crowdstrike.ChasisManufacturer | | keyword | -| crowdstrike.ChassisType | | keyword | -| crowdstrike.ClientComputerName | | keyword | -| crowdstrike.CompletionEventId | | keyword | -| crowdstrike.ConHostId | | keyword | -| crowdstrike.ConHostProcessId | | keyword | -| crowdstrike.ConfigBuild | | keyword | -| crowdstrike.ConfigIDBase | | keyword | -| crowdstrike.ConfigIDBuild | | keyword | -| crowdstrike.ConfigIDPlatform | | keyword | 
-| crowdstrike.ConfigStateData | | keyword | -| crowdstrike.ConfigStateHash | | keyword | -| crowdstrike.ConfigurationVersion | | keyword | -| crowdstrike.ConnectTime | | date | -| crowdstrike.ConnectType | | keyword | -| crowdstrike.ConnectionFlags | | keyword | -| crowdstrike.ContextProcessId | | keyword | -| crowdstrike.CpuClockSpeed | | keyword | -| crowdstrike.CpuFeaturesMask | | keyword | -| crowdstrike.CpuProcessorName | | keyword | -| crowdstrike.CpuSignature | | keyword | -| crowdstrike.CpuVendor | | keyword | -| crowdstrike.CreateProcessCount | | long | -| crowdstrike.CreateProcessType | | keyword | -| crowdstrike.CurrentFunctionalityLevel | | keyword | -| crowdstrike.CycleTime | | long | -| crowdstrike.DesiredAccess | | keyword | -| crowdstrike.DeviceId | | keyword | -| crowdstrike.DirectoryCreatedCount | | long | -| crowdstrike.DirectoryEnumeratedCount | | long | -| crowdstrike.DnsRequestCount | | long | -| crowdstrike.DocumentFileWrittenCount | | long | -| crowdstrike.DownloadPath | | keyword | -| crowdstrike.DownloadPort | | long | -| crowdstrike.DownloadServer | | keyword | -| crowdstrike.DualRequest | | keyword | -| crowdstrike.ELFSubType | | keyword | -| crowdstrike.EffectiveTransmissionClass | | keyword | -| crowdstrike.EnabledPrivilegesBitmask | | keyword | -| crowdstrike.Entitlements | | keyword | -| crowdstrike.ErrorCode | | keyword | -| crowdstrike.ErrorStatus | | keyword | -| crowdstrike.EtwRawThreadId | | long | -| crowdstrike.ExeAndServiceCount | | long | -| crowdstrike.ExecutableDeletedCount | | long | -| crowdstrike.FXFileSize | | keyword | -| crowdstrike.Facility | | keyword | -| crowdstrike.FailedConnectCount | | long | -| crowdstrike.FalconGroupingTags | | keyword | -| crowdstrike.FeatureExtractionVersion | | keyword | -| crowdstrike.FeatureVector | | keyword | -| crowdstrike.File | | keyword | -| crowdstrike.FileAttributes | | keyword | -| crowdstrike.FileDeletedCount | | long | -| crowdstrike.FileEcpBitmask | | keyword | -| 
crowdstrike.FileObject | | keyword | -| crowdstrike.FirmwareAnalysisEclConsumerInterfaceVersion | | keyword | -| crowdstrike.FirmwareAnalysisEclControlInterfaceVersion | | keyword | -| crowdstrike.FirstSeen | | date | -| crowdstrike.Flags | | keyword | -| crowdstrike.GenericFileWrittenCount | | long | -| crowdstrike.GrandParentBaseFileName | | keyword | -| crowdstrike.HostHiddenStatus | | keyword | -| crowdstrike.IOServiceClass | | keyword | -| crowdstrike.IOServiceName | | keyword | -| crowdstrike.IOServicePath | | keyword | -| crowdstrike.ImageSubsystem | | keyword | -| crowdstrike.InContext | | keyword | -| crowdstrike.InDiscards | | keyword | -| crowdstrike.InErrors | | keyword | -| crowdstrike.InMulticastPkts | | keyword | -| crowdstrike.InOctets | | keyword | -| crowdstrike.InUcastPkts | | keyword | -| crowdstrike.InUnknownProtos | | keyword | -| crowdstrike.Information | | keyword | -| crowdstrike.InjectedDllCount | | long | -| crowdstrike.InjectedThreadCount | | long | -| crowdstrike.IntegrityLevel | | keyword | -| crowdstrike.InterfaceAlias | | keyword | -| crowdstrike.InterfaceGuid | | keyword | -| crowdstrike.InterfaceIndex | | long | -| crowdstrike.InterfaceType | | keyword | -| crowdstrike.InterfaceVersion | | keyword | -| crowdstrike.IrpFlags | | keyword | -| crowdstrike.IsOnNetwork | | keyword | -| crowdstrike.IsOnRemovableDisk | | keyword | -| crowdstrike.IsTransactedFile | | keyword | -| crowdstrike.KernelTime | | long | -| crowdstrike.LfoUploadFlags | | keyword | -| crowdstrike.LightningLatencyState | | keyword | -| crowdstrike.Line | | keyword | -| crowdstrike.LogicalCoreCount | | long | -| crowdstrike.LoginSessionId | | keyword | -| crowdstrike.LogoffTime | | date | -| crowdstrike.LogonDomain | | keyword | -| crowdstrike.LogonId | | keyword | -| crowdstrike.LogonServer | | keyword | -| crowdstrike.LogonTime | | date | -| crowdstrike.LogonType | | keyword | -| crowdstrike.MLModelVersion | | keyword | -| crowdstrike.MachOSubType | | keyword | -| 
crowdstrike.MajorFunction | | keyword | -| crowdstrike.MajorVersion | | keyword | -| crowdstrike.Malicious | | keyword | -| crowdstrike.MaxThreadCount | | long | -| crowdstrike.MemoryTotal | | keyword | -| crowdstrike.MicrocodeSignature | | keyword | -| crowdstrike.MinorFunction | | keyword | -| crowdstrike.MinorVersion | | keyword | -| crowdstrike.MoboManufacturer | | keyword | -| crowdstrike.MoboProductName | | keyword | -| crowdstrike.ModelPrediction | | keyword | -| crowdstrike.ModuleLoadCount | | long | -| crowdstrike.NDRoot | | keyword | -| crowdstrike.NeighborList | | keyword | -| crowdstrike.NetLuidIndex | | long | -| crowdstrike.NetworkBindCount | | long | -| crowdstrike.NetworkCapableAsepWriteCount | | long | -| crowdstrike.NetworkCloseCount | | long | -| crowdstrike.NetworkConnectCount | | long | -| crowdstrike.NetworkConnectCountUdp | | long | -| crowdstrike.NetworkContainmentState | | keyword | -| crowdstrike.NetworkListenCount | | long | -| crowdstrike.NetworkModuleLoadCount | | long | -| crowdstrike.NetworkRecvAcceptCount | | long | -| crowdstrike.NewExecutableWrittenCount | | long | -| crowdstrike.NewFileIdentifier | | keyword | -| crowdstrike.OSVersionFileData | | keyword | -| crowdstrike.OSVersionFileName | | keyword | -| crowdstrike.OU | | keyword | -| crowdstrike.OperationFlags | | keyword | -| crowdstrike.Options | | keyword | -| crowdstrike.OutErrors | | keyword | -| crowdstrike.OutMulticastPkts | | keyword | -| crowdstrike.OutOctets | | keyword | -| crowdstrike.OutUcastPkts | | keyword | -| crowdstrike.Parameter1 | | keyword | -| crowdstrike.Parameter2 | | keyword | -| crowdstrike.Parameter3 | | keyword | -| crowdstrike.ParentAuthenticationId | | keyword | -| crowdstrike.PasswordLastSet | | keyword | -| crowdstrike.PciAttachmentState | | keyword | -| crowdstrike.PhysicalAddressLength | | long | -| crowdstrike.PhysicalCoreCount | | long | -| crowdstrike.PointerSize | | keyword | -| crowdstrike.PreviousConnectTime | | date | -| 
crowdstrike.PrivilegedProcessHandleCount | | long | -| crowdstrike.PrivilegesBitmask | | keyword | -| crowdstrike.ProcessCount | | long | -| crowdstrike.ProcessCreateFlags | | keyword | -| crowdstrike.ProcessParameterFlags | | keyword | -| crowdstrike.ProcessSxsFlags | | keyword | -| crowdstrike.ProcessorPackageCount | | long | -| crowdstrike.ProductType | | keyword | -| crowdstrike.ProtectVirtualMemoryCount | | long | -| crowdstrike.ProvisionState | | keyword | -| crowdstrike.PupAdwareConfidence | | keyword | -| crowdstrike.PupAdwareDecisionValue | | keyword | -| crowdstrike.QueueApcCount | | long | -| crowdstrike.RFMState | | keyword | -| crowdstrike.RGID | | keyword | -| crowdstrike.RUID | | keyword | -| crowdstrike.ReasonOfFunctionalityLevel | | keyword | -| crowdstrike.RegKeySecurityDecreasedCount | | long | -| crowdstrike.RemoteAccount | | keyword | -| crowdstrike.RemovableDiskFileWrittenCount | | long | -| crowdstrike.RequestType | | keyword | -| crowdstrike.RpcClientProcessId | | keyword | -| crowdstrike.RpcClientThreadId | | keyword | -| crowdstrike.RpcNestingLevel | | keyword | -| crowdstrike.RpcOpNum | | keyword | -| crowdstrike.RunDllInvocationCount | | long | -| crowdstrike.SVGID | | keyword | -| crowdstrike.SVUID | | keyword | -| crowdstrike.ScreenshotsTakenCount | | long | -| crowdstrike.ScriptEngineInvocationCount | | long | -| crowdstrike.SensorGroupingTags | | keyword | -| crowdstrike.SensorStateBitMap | | keyword | -| crowdstrike.ServiceDisplayName | | keyword | -| crowdstrike.ServiceEventCount | | long | -| crowdstrike.ServicePackMajor | | keyword | -| crowdstrike.SessionId | | keyword | -| crowdstrike.SessionProcessId | | keyword | -| crowdstrike.SetThreadContextCount | | long | -| crowdstrike.ShareAccess | | keyword | -| crowdstrike.SiteName | | keyword | -| crowdstrike.Size | | long | -| crowdstrike.SnapshotFileOpenCount | | long | -| crowdstrike.SourceFileName | | keyword | -| crowdstrike.SourceProcessId | | keyword | -| 
crowdstrike.SourceThreadId | | keyword | -| crowdstrike.Status | | keyword | -| crowdstrike.SubStatus | | keyword | -| crowdstrike.SuppressType | | keyword | -| crowdstrike.SuspectStackCount | | long | -| crowdstrike.SuspiciousCredentialModuleLoadCount | | long | -| crowdstrike.SuspiciousDnsRequestCount | | long | -| crowdstrike.SuspiciousFontLoadCount | | long | -| crowdstrike.SuspiciousRawDiskReadCount | | long | -| crowdstrike.SyntheticPR2Flags | | keyword | -| crowdstrike.SystemManufacturer | | keyword | -| crowdstrike.SystemProductName | | keyword | -| crowdstrike.SystemSerialNumber | | keyword | -| crowdstrike.SystemSku | | keyword | -| crowdstrike.SystemTableIndex | | long | -| crowdstrike.Tags | | keyword | -| crowdstrike.TargetFileName | | keyword | -| crowdstrike.TargetThreadId | | keyword | -| crowdstrike.Time | | date | -| crowdstrike.Timeout | | long | -| crowdstrike.TokenType | | keyword | -| crowdstrike.USN | | keyword | -| crowdstrike.UnixMode | | keyword | -| crowdstrike.UnsignedModuleLoadCount | | long | -| crowdstrike.UploadId | | keyword | -| crowdstrike.UserFlags | | keyword | -| crowdstrike.UserGroupsBitmask | | keyword | -| crowdstrike.UserLogoffType | | keyword | -| crowdstrike.UserLogonFlags | | keyword | -| crowdstrike.UserMemoryAllocateExecutableCount | | long | -| crowdstrike.UserMemoryAllocateExecutableRemoteCount | | long | -| crowdstrike.UserMemoryProtectExecutableCount | | long | -| crowdstrike.UserMemoryProtectExecutableRemoteCount | | long | -| crowdstrike.UserSid | | keyword | -| crowdstrike.UserTime | | long | -| crowdstrike.VerifiedCertificate | | keyword | -| crowdstrike.VnodeModificationType | | keyword | -| crowdstrike.VnodeType | | keyword | -| crowdstrike.VolumeAppearanceTime | | keyword | -| crowdstrike.VolumeBusName | | keyword | -| crowdstrike.VolumeBusPath | | keyword | -| crowdstrike.VolumeDeviceCharacteristics | | keyword | -| crowdstrike.VolumeDeviceInternal | | keyword | -| crowdstrike.VolumeDeviceModel | | keyword 
| -| crowdstrike.VolumeDeviceObjectFlags | | keyword | -| crowdstrike.VolumeDevicePath | | keyword | -| crowdstrike.VolumeDeviceProtocol | | keyword | -| crowdstrike.VolumeDeviceRevision | | keyword | -| crowdstrike.VolumeDeviceType | | keyword | -| crowdstrike.VolumeDriveLetter | | keyword | -| crowdstrike.VolumeFileSystemDevice | | keyword | -| crowdstrike.VolumeFileSystemDriver | | keyword | -| crowdstrike.VolumeFileSystemType | | keyword | -| crowdstrike.VolumeIsEncrypted | | keyword | -| crowdstrike.VolumeIsNetwork | | keyword | -| crowdstrike.VolumeMediaBSDMajor | | keyword | -| crowdstrike.VolumeMediaBSDMinor | | keyword | -| crowdstrike.VolumeMediaBSDName | | keyword | -| crowdstrike.VolumeMediaBSDUnit | | keyword | -| crowdstrike.VolumeMediaContent | | keyword | -| crowdstrike.VolumeMediaEjectable | | keyword | -| crowdstrike.VolumeMediaName | | keyword | -| crowdstrike.VolumeMediaPath | | keyword | -| crowdstrike.VolumeMediaRemovable | | keyword | -| crowdstrike.VolumeMediaSize | | keyword | -| crowdstrike.VolumeMediaUUID | | keyword | -| crowdstrike.VolumeMediaWhole | | keyword | -| crowdstrike.VolumeMediaWritable | | keyword | -| crowdstrike.VolumeMountPoint | | keyword | -| crowdstrike.VolumeName | | keyword | -| crowdstrike.VolumeRealDeviceName | | keyword | -| crowdstrike.VolumeSectorSize | | keyword | -| crowdstrike.VolumeType | | keyword | -| crowdstrike.VolumeUUID | | keyword | -| crowdstrike.WindowFlags | | keyword | -| crowdstrike.cid | | keyword | -| crowdstrike.name | | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. 
Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| destination.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| destination.as.organization.name | Organization name. | keyword | -| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. | match_only_text | -| destination.geo.city_name | City name. | keyword | -| destination.geo.continent_name | Name of the continent. | keyword | -| destination.geo.country_iso_code | Country ISO code. | keyword | -| destination.geo.country_name | Country name. | keyword | -| destination.geo.location | Longitude and latitude. | geo_point | -| destination.geo.region_iso_code | Region ISO code. | keyword | -| destination.geo.region_name | Region name. | keyword | -| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | -| destination.port | Port of the destination. | long | -| dns.question.name | The name being queried. If the name field contains non-printable characters (below 32 or above 126), those characters should be represented as escaped base 10 integers (\DDD). Back slashes and quotes should be escaped. Tabs, carriage returns, and line feeds should be converted to \t, \r, and \n respectively. | keyword | -| dns.question.registered_domain | The highest registered domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | -| dns.question.subdomain | The subdomain is all of the labels under the registered_domain. 
If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword | -| dns.question.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | -| dns.question.type | The type of record being queried. | keyword | -| dns.type | The type of DNS event captured, query or answer. If your source of DNS events only gives you DNS queries, you should only create dns events of type `dns.type:query`. If your source of DNS events gives you answers as well, you should create one event per query (optionally as soon as the query is seen). And a second event containing all query details as well as an array of answers. | keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. 
This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | -| event.dataset | Event dataset | constant_keyword | -| event.id | Unique ID to describe the event. | keyword | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | -| event.module | Event module | constant_keyword | -| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. 
If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | -| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | -| event.timezone | This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). | keyword | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | -| file.device | Device that is the source of the file. | keyword | -| file.directory | Directory where the file is located. 
It should include the drive letter, when appropriate. | keyword | -| file.extension | File extension, excluding the leading dot. Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword | -| file.hash.sha256 | SHA256 hash. | keyword | -| file.inode | Inode representing the file in the filesystem. | keyword | -| file.name | Name of the file including the extension, without the directory. | keyword | -| file.path | Full path to the file, including the file name. It should include the drive letter, when appropriate. | keyword | -| file.path.text | Multi-field of `file.path`. | match_only_text | -| file.size | File size in bytes. Only relevant when `file.type` is "file". | long | -| file.type | File type (file, dir, or symlink). | keyword | -| host.geo.city_name | City name. | keyword | -| host.geo.continent_name | Name of the continent. | keyword | -| host.geo.country_name | Country name. | keyword | -| host.geo.timezone | The time zone of the location, such as IANA time zone name. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| input.type | | keyword | -| log.file.path | Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. | keyword | -| log.offset | | long | -| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. 
| keyword | -| network.direction | Direction of the network traffic. When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword | -| network.iana_number | IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. | keyword | -| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword | -| observer.address | | keyword | -| observer.geo.city_name | City name. | keyword | -| observer.geo.continent_name | Name of the continent. | keyword | -| observer.geo.country_iso_code | Country ISO code. | keyword | -| observer.geo.country_name | Country name. | keyword | -| observer.geo.location | Longitude and latitude. | geo_point | -| observer.geo.region_iso_code | Region ISO code. | keyword | -| observer.geo.region_name | Region name. | keyword | -| observer.ip | IP addresses of the observer. | ip | -| observer.serial_number | Observer serial number. | keyword | -| observer.type | The type of the observer the data is coming from. There is no predefined list of observer types. 
Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. | keyword | -| observer.vendor | Vendor name of the observer. | keyword | -| observer.version | Observer version. | keyword | -| os.type | Use the `os.type` field to categorize the operating system into one of the broad commercial families. If the OS you're dealing with is not listed as an expected value, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. | keyword | -| os.version | Operating system version as a raw string. | keyword | -| process.args | Array of process arguments, starting with the absolute path to the executable. May be filtered to protect sensitive information. | keyword | -| process.args_count | Length of the process.args array. This field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. More arguments may be an indication of suspicious activity. | long | -| process.command_line | Full command line that started the process, including the absolute path to the executable, and all arguments. Some arguments may be filtered to protect sensitive information. | wildcard | -| process.command_line.text | Multi-field of `process.command_line`. | match_only_text | -| process.end | The time the process ended. | date | -| process.entity_id | Unique identifier for the process. The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. | keyword | -| process.executable | Absolute path to the process executable. | keyword | -| process.executable.text | Multi-field of `process.executable`. 
| match_only_text | -| process.exit_code | The exit code of the process, if this is a termination event. The field should be absent if there is no exit code for the event (e.g. process start). | long | -| process.hash.md5 | MD5 hash. | keyword | -| process.hash.sha256 | SHA256 hash. | keyword | -| process.name | Process name. Sometimes called program name or similar. | keyword | -| process.name.text | Multi-field of `process.name`. | match_only_text | -| process.parent.entity_id | Unique identifier for the process. The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. | keyword | -| process.parent.name | Process name. Sometimes called program name or similar. | keyword | -| process.parent.name.text | Multi-field of `process.parent.name`. | match_only_text | -| process.pgid | Deprecated for removal in next major version release. This field is superseded by `process.group_leader.pid`. Identifier of the group of processes the process belongs to. | long | -| process.pid | Process id. | long | -| process.start | The time the process started. | date | -| process.thread.id | Thread ID. | long | -| process.title | Process title. The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. | keyword | -| process.title.text | Multi-field of `process.title`. | match_only_text | -| process.uptime | Seconds the process has been up. | long | -| related.hash | All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). 
| keyword | -| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| related.user | All the user names or other user identifiers seen on the event. | keyword | -| server.address | Some event server addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| server.domain | The domain name of the server system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | -| server.registered_domain | The highest registered server domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | -| server.subdomain | The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword | -| server.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. 
For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | -| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| source.as.organization.name | Organization name. | keyword | -| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text | -| source.geo.city_name | City name. | keyword | -| source.geo.continent_name | Name of the continent. | keyword | -| source.geo.country_iso_code | Country ISO code. | keyword | -| source.geo.country_name | Country name. | keyword | -| source.geo.location | Longitude and latitude. | geo_point | -| source.geo.region_iso_code | Region ISO code. | keyword | -| source.geo.region_name | Region name. | keyword | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| source.mac | MAC address of the source. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | -| source.port | Port of the source. | long | -| tags | List of keywords used to tag each event. | keyword | -| url.domain | Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. 
If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. | keyword | -| url.extension | The field contains the file extension from the original request url, excluding the leading dot. The file extension is only set if it exists, as not every url has a file extension. The leading period must not be included. For example, the value must be "png", not ".png". Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword | -| url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | wildcard | -| url.original.text | Multi-field of `url.original`. | match_only_text | -| url.path | Path of the request, such as "/search". | wildcard | -| url.registered_domain | The highest registered url domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | -| url.scheme | Scheme of the request, such as "https". Note: The `:` is not part of the scheme. | keyword | -| url.subdomain | The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". 
If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword | -| url.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | -| user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword | -| user.email | User email address. | keyword | -| user.full_name | User's full name, if available. | keyword | -| user.full_name.text | Multi-field of `user.full_name`. | match_only_text | -| user.group.id | Unique identifier for the group on the system/platform. | keyword | -| user.id | Unique identifier of the user. | keyword | -| user.name | Short name or login of the user. | keyword | -| user.name.text | Multi-field of `user.name`. 
| match_only_text | - - -An example event for `fdr` looks as following: - -```json -{ - "@timestamp": "2020-11-08T09:58:32.519Z", - "agent": { - "ephemeral_id": "8cb3a21e-5542-440a-a909-8a2f161001ba", - "id": "ca0beb8d-9522-4450-8af7-3cb7f3d8c478", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "8.2.0" - }, - "crowdstrike": { - "ConfigStateHash": "1763245019", - "DesiredAccess": "1179785", - "EffectiveTransmissionClass": "3", - "Entitlements": "15", - "FileAttributes": "0", - "FileObject": "18446670458156489088", - "Information": "1", - "IrpFlags": "2180", - "MajorFunction": "0", - "MinorFunction": "0", - "OperationFlags": "0", - "Options": "16777312", - "ShareAccess": "5", - "Status": "0", - "cid": "ffffffff30a3407dae27d0503611022d", - "name": "RansomwareOpenFileV4" - }, - "data_stream": { - "dataset": "crowdstrike.fdr", - "namespace": "ep", - "type": "logs" - }, - "ecs": { - "version": "8.3.0" - }, - "elastic_agent": { - "id": "ca0beb8d-9522-4450-8af7-3cb7f3d8c478", - "snapshot": false, - "version": "8.2.0" - }, - "event": { - "action": "RansomwareOpenFile", - "agent_id_status": "verified", - "category": [ - "file" - ], - "created": "2020-11-08T17:07:22.091Z", - "dataset": "crowdstrike.fdr", - "id": "ffffffff-1111-11eb-9756-06fe7f8f682f", - "ingested": "2022-05-09T16:39:37Z", - "kind": "alert", - "original": 
"{\"ConfigBuild\":\"1007.3.0011603.1\",\"ConfigStateHash\":\"1763245019\",\"ContextProcessId\":\"1016182570608\",\"ContextThreadId\":\"37343520154472\",\"ContextTimeStamp\":\"1604829512.519\",\"DesiredAccess\":\"1179785\",\"EffectiveTransmissionClass\":\"3\",\"Entitlements\":\"15\",\"FileAttributes\":\"0\",\"FileIdentifier\":\"7a9c1c1610045d45a54bd6643ac12ea767a5020000000c00\",\"FileObject\":\"18446670458156489088\",\"Information\":\"1\",\"IrpFlags\":\"2180\",\"MajorFunction\":\"0\",\"MinorFunction\":\"0\",\"OperationFlags\":\"0\",\"Options\":\"16777312\",\"ShareAccess\":\"5\",\"Status\":\"0\",\"TargetFileName\":\"\\\\Device\\\\HarddiskVolume3\\\\Users\\\\user11\\\\Downloads\\\\file.pptx\",\"aid\":\"ffffffffac4148947ed68497e89f3308\",\"aip\":\"67.43.156.14\",\"cid\":\"ffffffff30a3407dae27d0503611022d\",\"event_platform\":\"Win\",\"event_simpleName\":\"RansomwareOpenFile\",\"id\":\"ffffffff-1111-11eb-9756-06fe7f8f682f\",\"name\":\"RansomwareOpenFileV4\",\"timestamp\":\"1604855242091\"}", - "outcome": "success", - "timezone": "+00:00", - "type": [ - "access" - ] - }, - "file": { - "directory": "\\Device\\HarddiskVolume3\\Users\\user11\\Downloads", - "extension": "pptx", - "inode": "7a9c1c1610045d45a54bd6643ac12ea767a5020000000c00", - "name": "file.pptx", - "path": "\\Device\\HarddiskVolume3\\Users\\user11\\Downloads\\file.pptx", - "type": "file" - }, - "input": { - "type": "log" - }, - "log": { - "file": { - "path": "/tmp/service_logs/fdr-sample.log" - }, - "offset": 95203 - }, - "observer": { - "address": "67.43.156.14", - "geo": { - "continent_name": "Asia", - "country_iso_code": "BT", - "country_name": "Bhutan", - "location": { - "lat": 27.5, - "lon": 90.5 - } - }, - "ip": "67.43.156.14", - "serial_number": "ffffffffac4148947ed68497e89f3308", - "type": "agent", - "vendor": "crowdstrike", - "version": "1007.3.0011603.1" - }, - "os": { - "type": "windows" - }, - "process": { - "entity_id": "1016182570608", - "thread": { - "id": 37343520154472 - } - }, - "related": { 
- "hash": [ - "1763245019" - ], - "hosts": [ - "67.43.156.14" - ], - "ip": [ - "67.43.156.14" - ] - }, - "tags": [ - "preserve_original_event", - "forwarded", - "crowdstrike-fdr" - ], - "url": { - "scheme": "http" - } -} -``` diff --git a/packages/crowdstrike/1.7.0/img/fdr-overview.png b/packages/crowdstrike/1.7.0/img/fdr-overview.png deleted file mode 100755 index a960bc3781..0000000000 Binary files a/packages/crowdstrike/1.7.0/img/fdr-overview.png and /dev/null differ diff --git a/packages/crowdstrike/1.7.0/img/logo-integrations-crowdstrike.svg b/packages/crowdstrike/1.7.0/img/logo-integrations-crowdstrike.svg deleted file mode 100755 index 1b2195a224..0000000000 --- a/packages/crowdstrike/1.7.0/img/logo-integrations-crowdstrike.svg +++ /dev/null @@ -1 +0,0 @@ - \ No newline at end of file diff --git a/packages/crowdstrike/1.7.0/img/siem-alerts-cs.jpg b/packages/crowdstrike/1.7.0/img/siem-alerts-cs.jpg deleted file mode 100755 index b74edfe229..0000000000 Binary files a/packages/crowdstrike/1.7.0/img/siem-alerts-cs.jpg and /dev/null differ diff --git a/packages/crowdstrike/1.7.0/img/siem-events-cs.jpg b/packages/crowdstrike/1.7.0/img/siem-events-cs.jpg deleted file mode 100755 index 9839f73821..0000000000 Binary files a/packages/crowdstrike/1.7.0/img/siem-events-cs.jpg and /dev/null differ diff --git a/packages/crowdstrike/1.7.0/kibana/dashboard/crowdstrike-a4972bc0-fb53-11eb-abed-07307b3f2b0f.json b/packages/crowdstrike/1.7.0/kibana/dashboard/crowdstrike-a4972bc0-fb53-11eb-abed-07307b3f2b0f.json deleted file mode 100755 index a8960ff152..0000000000 --- a/packages/crowdstrike/1.7.0/kibana/dashboard/crowdstrike-a4972bc0-fb53-11eb-abed-07307b3f2b0f.json +++ /dev/null 
@@ -1,117 +0,0 @@ -{ - "attributes": { - "description": "Summarised overview for Crowdstrike FDR events.", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"crowdstrike.fdr\\\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"attributes\":{\"description\":\"\",\"layerListJSON\":\"[{\\\"sourceDescriptor\\\":{\\\"type\\\":\\\"EMS_TMS\\\",\\\"isAutoSelect\\\":true},\\\"id\\\":\\\"0307e118-9fac-4923-ad6e-b588a8bd939f\\\",\\\"label\\\":null,\\\"minZoom\\\":0,\\\"maxZoom\\\":24,\\\"alpha\\\":1,\\\"visible\\\":true,\\\"style\\\":{\\\"type\\\":\\\"TILE\\\"},\\\"includeInFitToBounds\\\":true,\\\"type\\\":\\\"VECTOR_TILE\\\"},{\\\"sourceDescriptor\\\":{\\\"indexPatternId\\\":\\\"logs-*\\\",\\\"geoField\\\":\\\"observer.geo.location\\\",\\\"filterByMapBounds\\\":true,\\\"scalingType\\\":\\\"CLUSTERS\\\",\\\"id\\\":\\\"4c8af7e5-4ec6-43de-84ea-8df092cea5f8\\\",\\\"type\\\":\\\"ES_SEARCH\\\",\\\"applyGlobalQuery\\\":true,\\\"applyGlobalTime\\\":true,\\\"tooltipProperties\\\":[],\\\"sortField\\\":\\\"\\\",\\\"sortOrder\\\":\\\"desc\\\",\\\"topHitsSplitField\\\":\\\"\\\",\\\"topHitsSize\\\":1},\\\"id\\\":\\\"6b7c69d1-9248-4af3-b437-0abcef344b67\\\",\\\"label\\\":\\\"Agent 
locations\\\",\\\"minZoom\\\":0,\\\"maxZoom\\\":24,\\\"alpha\\\":0.75,\\\"visible\\\":true,\\\"style\\\":{\\\"type\\\":\\\"VECTOR\\\",\\\"properties\\\":{\\\"icon\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"value\\\":\\\"marker\\\"}},\\\"fillColor\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"color\\\":\\\"#54B399\\\"}},\\\"lineColor\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"color\\\":\\\"#41937c\\\"}},\\\"lineWidth\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"size\\\":1}},\\\"iconSize\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"size\\\":6}},\\\"iconOrientation\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"orientation\\\":0}},\\\"labelText\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"value\\\":\\\"\\\"}},\\\"labelColor\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"color\\\":\\\"#000000\\\"}},\\\"labelSize\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"size\\\":14}},\\\"labelBorderColor\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"color\\\":\\\"#FFFFFF\\\"}},\\\"symbolizeAs\\\":{\\\"options\\\":{\\\"value\\\":\\\"circle\\\"}},\\\"labelBorderSize\\\":{\\\"options\\\":{\\\"size\\\":\\\"SMALL\\\"}}},\\\"isTimeAware\\\":true},\\\"includeInFitToBounds\\\":true,\\\"type\\\":\\\"BLENDED_VECTOR\\\",\\\"joins\\\":[]},{\\\"sourceDescriptor\\\":{\\\"indexPatternId\\\":\\\"logs-*\\\",\\\"sourceGeoField\\\":\\\"source.geo.location\\\",\\\"destGeoField\\\":\\\"destination.geo.location\\\",\\\"id\\\":\\\"0314931e-5e8d-4609-be8a-b478a6afed11\\\",\\\"type\\\":\\\"ES_PEW_PEW\\\",\\\"applyGlobalQuery\\\":true,\\\"applyGlobalTime\\\":true,\\\"metrics\\\":[{\\\"type\\\":\\\"count\\\"}]},\\\"style\\\":{\\\"type\\\":\\\"VECTOR\\\",\\\"properties\\\":{\\\"icon\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"value\\\":\\\"marker\\\"}},\\\"fillColor\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"color\\\":\\\"#54B399\\\"}},\\\"lineColor\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"c
olor\\\":\\\"#494193\\\"}},\\\"lineWidth\\\":{\\\"type\\\":\\\"DYNAMIC\\\",\\\"options\\\":{\\\"minSize\\\":1,\\\"maxSize\\\":10,\\\"field\\\":{\\\"name\\\":\\\"doc_count\\\",\\\"origin\\\":\\\"source\\\"},\\\"fieldMetaOptions\\\":{\\\"isEnabled\\\":true,\\\"sigma\\\":3}}},\\\"iconSize\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"size\\\":6}},\\\"iconOrientation\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"orientation\\\":0}},\\\"labelText\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"value\\\":\\\"\\\"}},\\\"labelColor\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"color\\\":\\\"#000000\\\"}},\\\"labelSize\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"size\\\":14}},\\\"labelBorderColor\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"color\\\":\\\"#FFFFFF\\\"}},\\\"symbolizeAs\\\":{\\\"options\\\":{\\\"value\\\":\\\"circle\\\"}},\\\"labelBorderSize\\\":{\\\"options\\\":{\\\"size\\\":\\\"SMALL\\\"}}},\\\"isTimeAware\\\":true},\\\"id\\\":\\\"1b3c966b-6756-41dc-8875-a936e36dd0c2\\\",\\\"label\\\":\\\"Connections\\\",\\\"minZoom\\\":0,\\\"maxZoom\\\":24,\\\"alpha\\\":0.75,\\\"visible\\\":true,\\\"includeInFitToBounds\\\":true,\\\"type\\\":\\\"VECTOR\\\",\\\"joins\\\":[]}]\",\"mapStateJSON\":\"{\\\"zoom\\\":1.78,\\\"center\\\":{\\\"lon\\\":0,\\\"lat\\\":19.94277},\\\"timeFilters\\\":{\\\"from\\\":\\\"now-15M\\\",\\\"to\\\":\\\"now\\\"},\\\"refreshConfig\\\":{\\\"isPaused\\\":true,\\\"interval\\\":0},\\\"query\\\":{\\\"query\\\":\\\"\\\",\\\"language\\\":\\\"kuery\\\"},\\\"filters\\\":[],\\\"settings\\\":{\\\"autoFitToDataBounds\\\":false,\\\"backgroundColor\\\":\\\"#ffffff\\\",\\\"disableInteractive\\\":false,\\\"disableTooltipControl\\\":false,\\\"hideToolbarOverlay\\\":false,\\\"hideLayerControl\\\":false,\\\"hideViewControl\\\":false,\\\"initialLocation\\\":\\\"LAST_SAVED_LOCATION\\\",\\\"fixedLocation\\\":{\\\"lat\\\":0,\\\"lon\\\":0,\\\"zoom\\\":2},\\\"browserLocation\\\":{\\\"zoom\\\":2},\\\"maxZoom\\\":24,\\\"minZoom\
\\":0,\\\"showScaleControl\\\":false,\\\"showSpatialFilters\\\":true,\\\"showTimesliderToggleButton\\\":true,\\\"spatialFiltersAlpa\\\":0.3,\\\"spatialFiltersFillColor\\\":\\\"#DA8B45\\\",\\\"spatialFiltersLineColor\\\":\\\"#DA8B45\\\"}}\",\"title\":\"\",\"uiStateJSON\":\"{\\\"isLayerTOCOpen\\\":true,\\\"openTOCDetails\\\":[]}\"},\"enhancements\":{},\"hiddenLayers\":[],\"hidePanelTitles\":false,\"isLayerTOCOpen\":true,\"mapBuffer\":{\"maxLat\":85.05113,\"maxLon\":360,\"minLat\":-85.05113,\"minLon\":-360},\"mapCenter\":{\"lat\":25.7461,\"lon\":0,\"zoom\":0.73},\"openTOCDetails\":[]},\"gridData\":{\"h\":17,\"i\":\"26961648-cc31-4ed6-a378-698523307b21\",\"w\":16,\"x\":0,\"y\":0},\"panelIndex\":\"26961648-cc31-4ed6-a378-698523307b21\",\"title\":\"Agents and connections\",\"type\":\"map\",\"version\":\"7.15.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-1928976e-020d-48bd-9887-d9fd1925f69e\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"filter-index-pattern-0\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"1928976e-020d-48bd-9887-d9fd1925f69e\":{\"columnOrder\":[\"7aaadac8-55b7-4979-9bf1-b02a9673b502\",\"5ec733a8-d11d-472d-9328-3c48b41a17ac\"],\"columns\":{\"5ec733a8-d11d-472d-9328-3c48b41a17ac\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"params\":{},\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"7aaadac8-55b7-4979-9bf1-b02a9673b502\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top 
events\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"5ec733a8-d11d-472d-9328-3c48b41a17ac\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"event.action\"}},\"incompleteColumns\":{}}}}},\"filters\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"filter-index-pattern-0\",\"key\":\"event.kind\",\"negate\":true,\"params\":{\"query\":\"alert\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"event.kind\":\"alert\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"columns\":[{\"columnId\":\"7aaadac8-55b7-4979-9bf1-b02a9673b502\",\"isTransposed\":false},{\"alignment\":\"center\",\"columnId\":\"5ec733a8-d11d-472d-9328-3c48b41a17ac\",\"isTransposed\":false,\"summaryRow\":\"none\"}],\"layerId\":\"1928976e-020d-48bd-9887-d9fd1925f69e\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsDatatable\"},\"enhancements\":{}},\"gridData\":{\"h\":17,\"i\":\"7564f2a4-7167-4d71-8ce2-ece32f217487\",\"w\":10,\"x\":16,\"y\":0},\"panelIndex\":\"7564f2a4-7167-4d71-8ce2-ece32f217487\",\"type\":\"lens\",\"version\":\"7.15.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-085f4952-432b-4bd3-9740-e99f42a7877b\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"filter-index-pattern-0\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"085f4952-432b-4bd3-9740-e99f42a7877b\":{\"columnOrder\":[\"20a2e92b-1ebe-4ed0-b3ab-b446bd60edfd\",\"0a3ada5d-923b-461b-8885-e7fdcd948034\"],\"columns\":{\"0a3ada5d-923b-461b-8885-e7fdcd948034\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of 
records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"20a2e92b-1ebe-4ed0-b3ab-b446bd60edfd\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Name\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"0a3ada5d-923b-461b-8885-e7fdcd948034\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"dns.question.name\"}},\"incompleteColumns\":{}}}}},\"filters\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"filter-index-pattern-0\",\"key\":\"event.action\",\"negate\":false,\"params\":{\"query\":\"DnsRequest\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"event.action\":\"DnsRequest\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"columns\":[{\"columnId\":\"20a2e92b-1ebe-4ed0-b3ab-b446bd60edfd\",\"isTransposed\":false},{\"alignment\":\"center\",\"columnId\":\"0a3ada5d-923b-461b-8885-e7fdcd948034\",\"isTransposed\":false}],\"layerId\":\"085f4952-432b-4bd3-9740-e99f42a7877b\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsDatatable\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":11,\"i\":\"396c3ab7-572c-41dc-af21-e8d3d6ad3fe0\",\"w\":9,\"x\":26,\"y\":9},\"panelIndex\":\"396c3ab7-572c-41dc-af21-e8d3d6ad3fe0\",\"title\":\"Top DNS 
queries\",\"type\":\"lens\",\"version\":\"7.15.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-880420b9-97fb-4f5a-8dd2-36f95cb02182\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"880420b9-97fb-4f5a-8dd2-36f95cb02182\":{\"columnOrder\":[\"45f3413c-e658-43ec-bf3a-ad25977fb32c\",\"c90d7c88-034f-42f4-94d2-605ae294940e\"],\"columns\":{\"45f3413c-e658-43ec-bf3a-ad25977fb32c\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"user.name\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"c90d7c88-034f-42f4-94d2-605ae294940e\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"user.name\"},\"c90d7c88-034f-42f4-94d2-605ae294940e\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"columns\":[{\"columnId\":\"45f3413c-e658-43ec-bf3a-ad25977fb32c\",\"isTransposed\":false},{\"columnId\":\"c90d7c88-034f-42f4-94d2-605ae294940e\",\"hidden\":false,\"isTransposed\":false}],\"layerId\":\"880420b9-97fb-4f5a-8dd2-36f95cb02182\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsDatatable\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":12,\"i\":\"e48dfc31-ef5f-4696-904c-c5320e8dcac9\",\"w\":13,\"x\":35,\"y\":0},\"panelIndex\":\"e48dfc31-ef5f-4696-904c-c5320e8dcac9\",\"title\":\"Top 
users\",\"type\":\"lens\",\"version\":\"7.15.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-a3aa7199-d806-4c69-afd1-ae1cbfa7865e\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"a3aa7199-d806-4c69-afd1-ae1cbfa7865e\":{\"columnOrder\":[\"3f895fa6-e7e2-4ad8-83bc-e476954007b0\",\"ce4ef8ef-9113-46dc-9026-40fe66f609aa\"],\"columns\":{\"3f895fa6-e7e2-4ad8-83bc-e476954007b0\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of dns.question.type\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"ce4ef8ef-9113-46dc-9026-40fe66f609aa\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"dns.question.type\"},\"ce4ef8ef-9113-46dc-9026-40fe66f609aa\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"params\":{},\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"3f895fa6-e7e2-4ad8-83bc-e476954007b0\"],\"layerId\":\"a3aa7199-d806-4c69-afd1-ae1cbfa7865e\",\"legendDisplay\":\"default\",\"metric\":\"ce4ef8ef-9113-46dc-9026-40fe66f609aa\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"pie\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":6,\"i\":\"757dd906-982e-437f-aac0-b090310b9288\",\"w\":9,\"x\":26,\"y\":20},\"panelIndex\":\"757dd906-982e-437f-aac0-b090310b9288\",\"title\":\"DNS query 
types\",\"type\":\"lens\",\"version\":\"7.15.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-c8088761-74a6-433a-a405-f26c709cebe3\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"c8088761-74a6-433a-a405-f26c709cebe3\":{\"columnOrder\":[\"97e2d50d-d871-4922-b0f8-2d50b2ace84a\",\"bbbbf917-0caa-41ee-89dc-18ea0f8bcfe3\"],\"columns\":{\"97e2d50d-d871-4922-b0f8-2d50b2ace84a\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"file.name\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"bbbbf917-0caa-41ee-89dc-18ea0f8bcfe3\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"file.name\"},\"bbbbf917-0caa-41ee-89dc-18ea0f8bcfe3\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of 
records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"columns\":[{\"columnId\":\"97e2d50d-d871-4922-b0f8-2d50b2ace84a\",\"isTransposed\":false},{\"columnId\":\"bbbbf917-0caa-41ee-89dc-18ea0f8bcfe3\",\"isTransposed\":false}],\"layerId\":\"c8088761-74a6-433a-a405-f26c709cebe3\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsDatatable\"},\"enhancements\":{}},\"gridData\":{\"h\":14,\"i\":\"355965cd-eb00-4357-bdd8-1640627d1191\",\"w\":13,\"x\":35,\"y\":12},\"panelIndex\":\"355965cd-eb00-4357-bdd8-1640627d1191\",\"type\":\"lens\",\"version\":\"7.15.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-911bafb0-aeb7-4830-8a40-6166c96fb123\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"911bafb0-aeb7-4830-8a40-6166c96fb123\":{\"columnOrder\":[\"3c0eeb61-8b82-44b3-aba7-66c5b08fe8a9\",\"2c75b3a9-1b14-42d5-a8d0-44e461d4afab\"],\"columns\":{\"2c75b3a9-1b14-42d5-a8d0-44e461d4afab\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of 
records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"3c0eeb61-8b82-44b3-aba7-66c5b08fe8a9\":{\"dataType\":\"date\",\"isBucketed\":true,\"label\":\"@timestamp\",\"operationType\":\"date_histogram\",\"params\":{\"interval\":\"auto\"},\"scale\":\"interval\",\"sourceField\":\"@timestamp\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"accessors\":[\"2c75b3a9-1b14-42d5-a8d0-44e461d4afab\"],\"layerId\":\"911bafb0-aeb7-4830-8a40-6166c96fb123\",\"position\":\"top\",\"seriesType\":\"line\",\"showGridlines\":false,\"xAccessor\":\"3c0eeb61-8b82-44b3-aba7-66c5b08fe8a9\"}],\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"preferredSeriesType\":\"line\",\"title\":\"Empty XY chart\",\"valueLabels\":\"hide\",\"yLeftExtent\":{\"mode\":\"full\"},\"yRightExtent\":{\"mode\":\"full\"}}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsXY\"},\"enhancements\":{}},\"gridData\":{\"h\":9,\"i\":\"0325f703-a3cc-4a43-b621-974baae08c00\",\"w\":26,\"x\":0,\"y\":17},\"panelIndex\":\"0325f703-a3cc-4a43-b621-974baae08c00\",\"type\":\"lens\",\"version\":\"7.15.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-35e353f8-fd89-43a0-ad8c-c5d202f098d2\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"filter-index-pattern-0\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"35e353f8-fd89-43a0-ad8c-c5d202f098d2\":{\"columnOrder\":[\"b00df131-3742-4fa3-8645-032847f0266b\",\"b89debc2-4203-43c7-ba15-6612030f67bd\"],\"columns\":{\"b00df131-3742-4fa3-8645-032847f0266b\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top 
alerts\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"b89debc2-4203-43c7-ba15-6612030f67bd\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"event.action\"},\"b89debc2-4203-43c7-ba15-6612030f67bd\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"filter-index-pattern-0\",\"key\":\"event.kind\",\"negate\":false,\"params\":{\"query\":\"alert\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"event.kind\":\"alert\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"crowdstrike.fdr\\\"\"},\"visualization\":{\"columns\":[{\"columnId\":\"b00df131-3742-4fa3-8645-032847f0266b\",\"isTransposed\":false},{\"columnId\":\"b89debc2-4203-43c7-ba15-6612030f67bd\",\"isTransposed\":false}],\"layerId\":\"35e353f8-fd89-43a0-ad8c-c5d202f098d2\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsDatatable\"},\"enhancements\":{}},\"gridData\":{\"h\":9,\"i\":\"32c13eb0-f12d-44d8-8ec4-ea778840fabf\",\"w\":9,\"x\":26,\"y\":0},\"panelIndex\":\"32c13eb0-f12d-44d8-8ec4-ea778840fabf\",\"type\":\"lens\",\"version\":\"7.15.0-SNAPSHOT\"}]", - "timeRestore": false, - "title": "[Crowdstrike] FDR Overview", - "version": 1 - }, - "coreMigrationVersion": "7.15.0", - "id": "crowdstrike-a4972bc0-fb53-11eb-abed-07307b3f2b0f", - "migrationVersion": { - "dashboard": "7.14.0" - }, - "references": [ - { - "id": "logs-*", - "name": "26961648-cc31-4ed6-a378-698523307b21:layer_1_source_index_pattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "26961648-cc31-4ed6-a378-698523307b21:layer_2_source_index_pattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": 
"7564f2a4-7167-4d71-8ce2-ece32f217487:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "7564f2a4-7167-4d71-8ce2-ece32f217487:indexpattern-datasource-layer-1928976e-020d-48bd-9887-d9fd1925f69e", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "7564f2a4-7167-4d71-8ce2-ece32f217487:filter-index-pattern-0", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "396c3ab7-572c-41dc-af21-e8d3d6ad3fe0:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "396c3ab7-572c-41dc-af21-e8d3d6ad3fe0:indexpattern-datasource-layer-085f4952-432b-4bd3-9740-e99f42a7877b", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "396c3ab7-572c-41dc-af21-e8d3d6ad3fe0:filter-index-pattern-0", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "e48dfc31-ef5f-4696-904c-c5320e8dcac9:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "e48dfc31-ef5f-4696-904c-c5320e8dcac9:indexpattern-datasource-layer-880420b9-97fb-4f5a-8dd2-36f95cb02182", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "757dd906-982e-437f-aac0-b090310b9288:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "757dd906-982e-437f-aac0-b090310b9288:indexpattern-datasource-layer-a3aa7199-d806-4c69-afd1-ae1cbfa7865e", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "355965cd-eb00-4357-bdd8-1640627d1191:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "355965cd-eb00-4357-bdd8-1640627d1191:indexpattern-datasource-layer-c8088761-74a6-433a-a405-f26c709cebe3", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "0325f703-a3cc-4a43-b621-974baae08c00:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": 
"0325f703-a3cc-4a43-b621-974baae08c00:indexpattern-datasource-layer-911bafb0-aeb7-4830-8a40-6166c96fb123", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "32c13eb0-f12d-44d8-8ec4-ea778840fabf:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "32c13eb0-f12d-44d8-8ec4-ea778840fabf:indexpattern-datasource-layer-35e353f8-fd89-43a0-ad8c-c5d202f098d2", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "32c13eb0-f12d-44d8-8ec4-ea778840fabf:filter-index-pattern-0", - "type": "index-pattern" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/crowdstrike/1.7.0/manifest.yml b/packages/crowdstrike/1.7.0/manifest.yml deleted file mode 100755 index e7c8b89340..0000000000 --- a/packages/crowdstrike/1.7.0/manifest.yml +++ /dev/null 
@@ -1,42 +0,0 @@
-name: crowdstrike
-title: CrowdStrike
-version: "1.7.0"
-description: Collect logs from Crowdstrike with Elastic Agent.
-type: integration
-format_version: 1.0.0
-license: basic
-categories: [security]
-release: ga
-conditions:
- kibana.version: "^8.0.0"
-icons:
- - src: /img/logo-integrations-crowdstrike.svg
- title: CrowdStrike
- size: 216x216
- type: image/svg+xml
-screenshots:
- - src: /img/siem-alerts-cs.jpg
- title: CrowdStrike SIEM Alerts
- size: 3360x1776
- type: image/jpg
- - src: /img/siem-events-cs.jpg
- title: CrowdStrike SIEM Events
- size: 3360x1776
- type: image/jpg
- - src: /img/fdr-overview.png
- title: CrowdStrike FDR Overview
- size: 1535x626
- type: image/png
-policy_templates:
- - name: crowdstrike
- title: CrowdStrike
- description: Collect logs from CrowdStrike Falcon and FDR
- inputs:
- - type: logfile
- title: "Collect CrowdStrike Falcon and FDR logs (input: logfile)"
- description: "Collecting logs from CrowdStrike Falcon and FDR (input: logfile)"
- - type: aws-s3
- title: "Collect CrowdStrike Falcon Data Replicator logs (input: aws-s3)"
- description: "Collecting logs from CrowdStrike Falcon Data Replicator (input: aws-s3)"
-owner:
- github: elastic/security-external-integrations
diff --git a/packages/cyberark_pta/0.1.1/LICENSE.txt b/packages/cyberark_pta/0.1.1/LICENSE.txt
deleted file mode 100755
index 809108b857..0000000000
--- a/packages/cyberark_pta/0.1.1/LICENSE.txt
+++ /dev/null
@@ -1,93 +0,0 @@
-Elastic License 2.0
-
-URL: https://www.elastic.co/licensing/elastic-license
-
-## Acceptance
-
-By using the software, you agree to all of the terms and conditions below.
-
-## Copyright License
-
-The licensor grants you a non-exclusive, royalty-free, worldwide,
-non-sublicensable, non-transferable license to use, copy, distribute, make
-available, and prepare derivative works of the software, in each case subject to
-the limitations and conditions below.
-
-## Limitations
-
-You may not provide the software to third parties as a hosted or managed
-service, where the service provides users with access to any substantial set of
-the features or functionality of the software.
-
-You may not move, change, disable, or circumvent the license key functionality
-in the software, and you may not remove or obscure any functionality in the
-software that is protected by the license key.
-
-You may not alter, remove, or obscure any licensing, copyright, or other notices
-of the licensor in the software. Any use of the licensor’s trademarks is subject
-to applicable law.
-
-## Patents
-
-The licensor grants you a license, under any patent claims the licensor can
-license, or becomes able to license, to make, have made, use, sell, offer for
-sale, import and have imported the software, in each case subject to the
-limitations and conditions in this license. This license does not cover any
-patent claims that you cause to be infringed by modifications or additions to
-the software. If you or your company make any written claim that the software
-infringes or contributes to infringement of any patent, your patent license for
-the software granted under these terms ends immediately. If your company makes
-such a claim, your patent license ends immediately for work on behalf of your
-company.
-
-## Notices
-
-You must ensure that anyone who gets a copy of any part of the software from you
-also gets a copy of these terms.
-
-If you modify the software, you must include in any modified copies of the
-software prominent notices stating that you have modified the software.
-
-## No Other Rights
-
-These terms do not imply any licenses other than those expressly granted in
-these terms.
-
-## Termination
-
-If you use the software in violation of these terms, such use is not licensed,
-and your licenses will automatically terminate. If the licensor provides you
-with a notice of your violation, and you cease all violation of this license no
-later than 30 days after you receive that notice, your licenses will be
-reinstated retroactively. However, if you violate these terms after such
-reinstatement, any additional violation of these terms will cause your licenses
-to terminate automatically and permanently.
-
-## No Liability
-
-*As far as the law allows, the software comes as is, without any warranty or
-condition, and the licensor will not be liable to you for any damages arising
-out of these terms or the use or nature of the software, under any kind of
-legal claim.*
-
-## Definitions
-
-The **licensor** is the entity offering these terms, and the **software** is the
-software the licensor makes available under these terms, including any portion
-of it.
-
-**you** refers to the individual or entity agreeing to these terms.
-
-**your company** is any legal entity, sole proprietorship, or other kind of
-organization that you work for, plus all organizations that have control over,
-are under the control of, or are under common control with that
-organization. **control** means ownership of substantially all the assets of an
-entity, or the power to direct its management and policies by vote, contract, or
-otherwise. Control can be direct or indirect.
-
-**your licenses** are all the licenses granted to you for the software under
-these terms.
-
-**use** means anything you do with the software requiring one of your licenses.
-
-**trademark** means trademarks, service marks, and similar rights.
diff --git a/packages/cyberark_pta/0.1.1/changelog.yml b/packages/cyberark_pta/0.1.1/changelog.yml
deleted file mode 100755
index 0d1732cddc..0000000000
--- a/packages/cyberark_pta/0.1.1/changelog.yml
+++ /dev/null
@@ -1,11 +0,0 @@
-# newer versions go on top
-- version: "0.1.1"
- changes:
- - description: Remove duplicate field.
- type: bugfix
- link: https://github.com/elastic/integrations/issues/4327
-- version: "0.1.0"
- changes:
- - description: initial beta release
- type: enhancement
- link: https://github.com/elastic/integrations/pull/3908
diff --git a/packages/cyberark_pta/0.1.1/data_stream/events/agent/stream/tcp.yml.hbs b/packages/cyberark_pta/0.1.1/data_stream/events/agent/stream/tcp.yml.hbs
deleted file mode 100755
index 6a3725e901..0000000000
--- a/packages/cyberark_pta/0.1.1/data_stream/events/agent/stream/tcp.yml.hbs
+++ /dev/null
@@ -1,28 +0,0 @@
-tcp:
-host: "{{syslog_host}}:{{syslog_port}}"
-tags:
-{{#if preserve_original_event}}
- - preserve_original_event
-{{/if}}
-{{#each tags as |tag i|}}
- - {{tag}}
-{{/each}}
-{{#contains "forwarded" tags}}
-publisher_pipeline.disable_host: true
-{{/contains}}
-{{#if ssl}}
-ssl: {{ssl}}
-{{/if}}
-processors:
-- add_locale: ~
-- rename:
- fields:
- - {from: "message", to: "event.original"}
-- decode_cef:
- field: event.original
-{{#if processors}}
-{{processors}}
-{{/if}}
-{{#if tcp_options}}
-{{tcp_options}}
-{{/if}}
\ No newline at end of file
diff --git a/packages/cyberark_pta/0.1.1/data_stream/events/agent/stream/udp.yml.hbs b/packages/cyberark_pta/0.1.1/data_stream/events/agent/stream/udp.yml.hbs
deleted file mode 100755
index c31bfc1329..0000000000
--- a/packages/cyberark_pta/0.1.1/data_stream/events/agent/stream/udp.yml.hbs
+++ /dev/null
@@ -1,22 +0,0 @@
-udp:
-host: "{{syslog_host}}:{{syslog_port}}"
-tags:
-{{#if preserve_original_event}}
- - preserve_original_event
-{{/if}}
-{{#each tags as |tag i|}}
- - {{tag}}
-{{/each}}
-{{#contains "forwarded" tags}}
-publisher_pipeline.disable_host: true
-{{/contains}}
-processors:
-- add_locale: ~
-- rename:
- fields:
- - {from: "message", to: "event.original"}
-- decode_cef:
- field: event.original
-{{#if processors}}
-{{processors}}
-{{/if}}
diff --git a/packages/cyberark_pta/0.1.1/data_stream/events/elasticsearch/ingest_pipeline/default.yml b/packages/cyberark_pta/0.1.1/data_stream/events/elasticsearch/ingest_pipeline/default.yml
deleted file mode 100755
index 8dc9774227..0000000000
--- a/packages/cyberark_pta/0.1.1/data_stream/events/elasticsearch/ingest_pipeline/default.yml
+++ /dev/null
@@ -1,50 +0,0 @@
----
-description: Pipeline for CyberArk PTA
-
-processors:
- - set:
- field: ecs.version
- value: '8.3.0'
- - set:
- field: event.action
- value: "{{cef.extensions.deviceCustomString5}}"
- if: "ctx?.cef?.extensions?.deviceCustomString5 != null && ctx?.cef?.extensions?.deviceCustomString5 != ''"
- - set:
- field: '@timestamp'
- value: "{{cef.extensions.deviceCustomDate1}}"
- ignore_empty_value: true
- override: true
- - set:
- field: event.id
- value: "{{cef.extensions.deviceCustomString2}}"
- if: "ctx?.cef?.extensions?.deviceCustomString2 != null && ctx?.cef?.extensions?.deviceCustomString2 != ''"
- - set:
- field: event.reference
- value: "{{cef.extensions.deviceCustomString3}}"
- if: "ctx?.cef?.extensions?.deviceCustomString3 != null && ctx?.cef?.extensions?.deviceCustomString3 != ''"
- - set:
- field: event.url
- value: "{{cef.extensions.deviceCustomString4}}"
- if: "ctx?.cef?.extensions?.deviceCustomString4 != null && ctx?.cef?.extensions?.deviceCustomString4 != ''"
- - set:
- field: cyberark_pta.log.event_type
- value: "{{cef.device.event_class_id}}"
- if: "ctx?.cef?.device?.event_class_id != null && ctx?.cef?.device?.event_class_id != ''"
- - rename:
- field: message
- target_field: event.reason
- if: 'ctx.event?.reason == null'
-
- # cleanup 'None' for source or destination ip
- - remove:
- field:
- - error
- if: "ctx?.cef?.extensions?.sourceAddress == null || ctx?.cef?.extensions?.destinationAddress == null"
-
-on_failure:
- - append:
- field: error.message
- value: "{{ _ingest.on_failure_message }}"
- - set:
- field: event.kind
- value: pipeline_error
diff --git a/packages/cyberark_pta/0.1.1/data_stream/events/fields/agent.yml b/packages/cyberark_pta/0.1.1/data_stream/events/fields/agent.yml
deleted file mode 100755
index 0179324b40..0000000000
--- a/packages/cyberark_pta/0.1.1/data_stream/events/fields/agent.yml
+++ /dev/null
@@ -1,6 +0,0 @@
-- name: log.source.address
- type: keyword
- description: Source address from which the log event was read / sent from.
-- name: input.type
- type: keyword
- description: Input type
diff --git a/packages/cyberark_pta/0.1.1/data_stream/events/fields/base-fields.yml b/packages/cyberark_pta/0.1.1/data_stream/events/fields/base-fields.yml
deleted file mode 100755
index fa009b21a9..0000000000
--- a/packages/cyberark_pta/0.1.1/data_stream/events/fields/base-fields.yml
+++ /dev/null
@@ -1,20 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: event.module
- type: constant_keyword
- description: Event module
- value: cyberark_pta
-- name: event.dataset
- type: constant_keyword
- description: Event dataset
- value: cyberark_pta.events
-- name: '@timestamp'
- type: date
- description: Event timestamp.
diff --git a/packages/cyberark_pta/0.1.1/data_stream/events/fields/cef.yml b/packages/cyberark_pta/0.1.1/data_stream/events/fields/cef.yml
deleted file mode 100755
index db1dc69d84..0000000000
--- a/packages/cyberark_pta/0.1.1/data_stream/events/fields/cef.yml
+++ /dev/null
@@ -1,478 +0,0 @@ -- name: cef.name - type: keyword -- name: cef.severity - type: keyword -- name: cef.version - type: keyword -- name: destination.service.name - type: keyword -- name: source.service.name - type: keyword -- name: cef.device - type: group - fields: - - name: event_class_id - type: keyword - description: Unique identifier of the event type. - - name: product - type: keyword - description: Product of the device that produced the message. - - name: vendor - type: keyword - description: Vendor of the device that produced the message. - - name: version - type: keyword - description: Version of the product that produced the message. -- name: cef.extensions - type: group - fields: - - name: agentAddress - type: ip - description: The IP address of the ArcSight connector that processed the event. - - name: agentHostName - type: keyword - description: The hostname of the ArcSight connector that processed the event. - - name: agentId - type: keyword - description: The agent ID of the ArcSight connector that processed the event. - - name: agentReceiptTime - type: date - description: The time at which information about the event was received by the ArcSight connector. - - name: agentTimeZone - type: keyword - description: The agent time zone of the ArcSight connector that processed the event. - - name: agentType - type: keyword - description: The agent type of the ArcSight connector that processed the event. - - name: destinationHostName - type: keyword - description: Identifies the destination that an event refers to in an IP network. The format should be a fully qualified domain name (FQDN) associated with the destination node, when a node is available. - - name: deviceTimeZone - type: keyword - description: The time zone for the device generating the event. - - name: requestUrlFileName - type: keyword - - name: startTime - type: date - description: The time when the activity the event referred to started. 
The format is MMM dd yyyy HH:mm:ss or milliseconds since epoch (Jan 1st 1970). - - name: type - type: long - description: 0 means base event, 1 means aggregated, 2 means correlation, and 3 means action. This field can be omitted for base events (type 0). - - name: agentVersion - type: keyword - description: The version of the ArcSight connector that processed the event. - - name: agentZoneURI - type: keyword - - name: deviceSeverity - type: keyword - - name: deviceZoneURI - type: keyword - description: Thee URI for the Zone that the device asset has been assigned to in ArcSight. - - name: fileType - type: keyword - description: Type of file (pipe, socket, etc.) - - name: filename - type: keyword - description: Name of the file only (without its path). - - name: managerReceiptTime - type: date - description: When the Arcsight ESM received the event. - - name: agentMacAddress - type: keyword - description: The MAC address of the ArcSight connector that processed the event. - - name: deviceProcessName - type: keyword - description: Process name associated with the event. An example might be the process generating the syslog entry in UNIX. - - name: baseEventCount - type: long - description: A count associated with this event. How many times was this same event observed? Count can be omitted if it is 1. - - name: dvc - type: ip - description: This field is used by Trend Micro if the hostname is an IPv4 address. - - name: dvchost - type: keyword - description: This field is used by Trend Micro for hostnames and IPv6 addresses. 
- - name: cp_app_risk - type: keyword - - name: cp_severity - type: keyword - - name: ifname - type: keyword - - name: inzone - type: keyword - - name: layer_uuid - type: keyword - - name: layer_name - type: keyword - - name: logid - type: keyword - - name: loguid - type: keyword - - name: match_id - type: keyword - - name: nat_addtnl_rulenum - type: keyword - - name: nat_rulenum - type: keyword - - name: origin - type: keyword - - name: originsicname - type: keyword - - name: outzone - type: keyword - - name: parent_rule - type: keyword - - name: product - type: keyword - - name: rule_action - type: keyword - - name: rule_uid - type: keyword - - name: sequencenum - type: keyword - - name: service_id - type: keyword - - name: version - type: keyword - - name: applicationProtocol - type: keyword - description: Application level protocol, example values are HTTP, HTTPS, SSHv2, Telnet, POP, IMPA, IMAPS, and so on. - - name: categoryDeviceGroup - type: keyword - description: General device group like Firewall (ArcSight). - - name: categoryTechnique - type: keyword - description: Technique being used (e.g. /DoS) (ArcSight). - - name: deviceEventCategory - type: keyword - description: Represents the category assigned by the originating device. Devices often use their own categorization schema to classify event. Example "/Monitor/Disk/Read". - - name: sourceNtDomain - type: keyword - description: The Windows domain name for the source address. - - name: destinationNtDomain - type: keyword - description: Outcome of the event (e.g. sucess, failure, or attempt) (ArcSight). - - name: categoryOutcome - type: keyword - description: Outcome of the event (e.g. sucess, failure, or attempt) (ArcSight). - - name: categorySignificance - type: keyword - description: Characterization of the importance of the event (ArcSight). - - name: categoryObject - type: keyword - description: Object that the event is about. For example it can be an operating sytem, database, file, etc (ArcSight). 
- - name: categoryBehavior - type: keyword - description: Action or a behavior associated with an event. It's what is being done to the object (ArcSight). - - name: categoryDeviceType - type: keyword - description: Device type. Examples - Proxy, IDS, Web Server (ArcSight). - - name: bytesIn - type: long - description: Number of bytes transferred inbound, relative to the source to destination relationship, meaning that data was flowing from source to destination. - - name: bytesOut - type: long - description: Number of bytes transferred outbound relative to the source to destination relationship. For example, the byte number of data flowing from the destination to the source. - - name: destinationAddress - type: ip - description: Identifies the destination address that the event refers to in an IP network. The format is an IPv4 address. - - name: destinationPort - type: long - description: The valid port numbers are between 0 and 65535. - - name: destinationServiceName - type: keyword - description: The service targeted by this event. - - name: destinationTranslatedAddress - type: ip - description: Identifies the translated destination that the event refers to in an IP network. - - name: destinationTranslatedPort - type: long - description: Port after it was translated; for example, a firewall. Valid port numbers are 0 to 65535. - - name: destinationUserName - type: keyword - description: Identifies the destination user by name. This is the user associated with the event's destination. Email addresses are often mapped into the UserName fields. The recipient is a candidate to put into this field. - - name: destinationUserPrivileges - type: keyword - description: The typical values are "Administrator", "User", and "Guest". This identifies the destination user's privileges. In UNIX, for example, activity executed on the root user would be identified with destinationUser Privileges of "Administrator". 
- - name: deviceAction - type: keyword - description: Action taken by the device. - - name: deviceAddress - type: ip - description: Identifies the device address that an event refers to in an IP network. - - name: deviceCustomDate1 - type: keyword - description: One of two timestamp fields available to map fields that do not apply to any other in this dictionary. - - name: deviceCustomDate1Label - type: keyword - description: All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. - - name: deviceCustomDate2 - type: keyword - description: One of two timestamp fields available to map fields that do not apply to any other in this dictionary. - - name: deviceCustomDate2Label - type: keyword - description: All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. - - name: deviceCustomIPv6Address2 - type: ip - description: One of four IPv6 address fields available to map fields that do not apply to any other in this dictionary. - - name: deviceCustomIPv6Address2Label - type: keyword - description: All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. - - name: deviceCustomIPv6Address3 - type: ip - description: One of four IPv6 address fields available to map fields that do not apply to any other in this dictionary. - - name: deviceCustomIPv6Address3Label - type: keyword - description: All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. - - name: deviceCustomNumber1 - type: long - description: One of three number fields available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible. 
- - name: deviceCustomNumber1Label - type: keyword - description: All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. - - name: deviceCustomNumber2 - type: long - description: One of three number fields available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible. - - name: deviceCustomNumber2Label - type: keyword - description: All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. - - name: deviceCustomNumber3 - type: long - description: One of three number fields available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible. - - name: deviceCustomNumber3Label - type: keyword - description: All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. - - name: deviceCustomString1 - type: keyword - description: One of six strings available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible. - - name: deviceCustomString1Label - type: keyword - description: All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. - - name: deviceCustomString2 - type: keyword - description: One of six strings available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible. - - name: deviceCustomString2Label - type: keyword - description: All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. 
- - name: deviceCustomString3 - type: keyword - description: One of six strings available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible. - - name: deviceCustomString3Label - type: keyword - description: All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. - - name: deviceCustomString4 - type: keyword - description: One of six strings available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible. - - name: deviceCustomString4Label - type: keyword - description: All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. - - name: deviceCustomString5 - type: keyword - description: One of six strings available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible. - - name: deviceCustomString5Label - type: keyword - description: All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. - - name: deviceCustomString6 - type: keyword - description: One of six strings available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible. - - name: deviceCustomString6Label - type: keyword - description: All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. - - name: deviceDirection - type: long - description: Any information about what direction the observed communication has taken. The following values are supported - "0" for inbound or "1" for outbound. 
- - name: deviceExternalId - type: keyword - description: A name that uniquely identifies the device generating this event. - - name: deviceFacility - type: keyword - description: The facility generating this event. For example, Syslog has an explicit facility associated with every event. - - name: deviceHostName - type: keyword - description: The format should be a fully qualified domain name (FQDN) associated with the device node, when a node is available. - - name: deviceOutboundInterface - type: keyword - description: Interface on which the packet or data left the device. - - name: deviceReceiptTime - type: keyword - description: The time at which the event related to the activity was received. The format is MMM dd yyyy HH:mm:ss or milliseconds since epoch (Jan 1st 1970) - - name: eventId - type: long - description: This is a unique ID that ArcSight assigns to each event. - - name: fileHash - type: keyword - description: Hash of a file. - - name: message - type: keyword - description: An arbitrary message giving more details about the event. Multi-line entries can be produced by using \n as the new line separator. - - name: oldFileHash - type: keyword - description: Hash of the old file. - - name: requestContext - type: keyword - description: Description of the content from which the request originated (for example, HTTP Referrer). - - name: requestMethod - type: keyword - description: The HTTP method used to access a URL. - - name: requestUrl - type: keyword - description: In the case of an HTTP request, this field contains the URL accessed. The URL should contain the protocol as well. - - name: method - type: keyword - description: HTTP request method. The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field. - - name: sourceAddress - type: ip - description: Identifies the source that an event refers to in an IP network. 
- - name: sourceGeoLatitude - type: long - - name: sourceGeoLongitude - type: long - - name: sourcePort - type: long - description: The valid port numbers are 0 to 65535. - - name: sourceServiceName - type: keyword - description: The service that is responsible for generating this event. - - name: sourceTranslatedAddress - type: ip - description: Identifies the translated source that the event refers to in an IP network. - - name: sourceTranslatedPort - type: long - description: A port number after being translated by, for example, a firewall. Valid port numbers are 0 to 65535. - - name: sourceUserName - type: keyword - description: Identifies the source user by name. Email addresses are also mapped into the UserName fields. The sender is a candidate to put into this field. - - name: sourceUserPrivileges - type: keyword - description: The typical values are "Administrator", "User", and "Guest". It identifies the source user's privileges. In UNIX, for example, activity executed by the root user would be identified with "Administrator". - - name: transportProtocol - type: keyword - description: Identifies the Layer-4 protocol used. The possible values are protocols such as TCP or UDP. 
- - name: ad - type: flattened - - name: TrendMicroDsDetectionConfidence - type: keyword - - name: TrendMicroDsFileMD5 - type: keyword - - name: TrendMicroDsFileSHA1 - type: keyword - - name: TrendMicroDsFileSHA256 - type: keyword - - name: TrendMicroDsFrameType - type: keyword - - name: TrendMicroDsMalwareTarget - type: keyword - - name: TrendMicroDsMalwareTargetType - type: keyword - - name: TrendMicroDsPacketData - type: keyword - - name: TrendMicroDsRelevantDetectionNames - type: keyword - - name: TrendMicroDsTenant - type: keyword - - name: TrendMicroDsTenantId - type: keyword - - name: assetCriticality - type: keyword - - name: deviceAssetId - type: keyword - - name: deviceCustomIPv6Address1 - type: ip - description: One of four IPv6 address fields available to map fields that do not apply to any other in this dictionary. - - name: deviceCustomIPv6Address1Label - type: keyword - description: All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. - - name: deviceCustomIPv6Address2 - type: ip - description: One of four IPv6 address fields available to map fields that do not apply to any other in this dictionary. - - name: deviceCustomIPv6Address2Label - type: keyword - description: All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. - - name: deviceCustomIPv6Address3 - type: ip - description: One of four IPv6 address fields available to map fields that do not apply to any other in this dictionary. - - name: deviceCustomIPv6Address3Label - type: keyword - description: All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. - - name: deviceCustomIPv6Address4 - type: ip - description: One of four IPv6 address fields available to map fields that do not apply to any other in this dictionary. 
- - name: deviceCustomIPv6Address4Label - type: keyword - description: All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. - - name: deviceInboundInterface - type: keyword - description: Interface on which the packet or data entered the device. - - name: deviceZoneID - type: keyword - - name: eventAnnotationAuditTrail - type: keyword - - name: eventAnnotationEndTime - type: date - - name: eventAnnotationFlags - type: keyword - - name: eventAnnotationManagerReceiptTime - type: date - - name: eventAnnotationModificationTime - type: date - - name: eventAnnotationStageUpdateTime - type: date - - name: eventAnnotationVersion - type: keyword - - name: locality - type: keyword - - name: modelConfidence - type: keyword - - name: originalAgentAddress - type: keyword - - name: originalAgentHostName - type: keyword - - name: originalAgentId - type: keyword - - name: originalAgentType - type: keyword - - name: originalAgentVersion - type: keyword - - name: originalAgentZoneURI - type: keyword - - name: priority - type: keyword - - name: relevance - type: keyword - - name: severity - type: keyword - - name: sourceTranslatedZoneID - type: keyword - - name: sourceTranslatedZoneURI - type: keyword - description: The URI for the Translated Zone that the destination asset has been assigned to in ArcSight. - - name: sourceZoneID - type: keyword - description: Identifies the source user by ID. This is the user associated with the source of the event. For example, in UNIX, the root user is generally associated with user ID 0. - - name: sourceZoneURI - type: keyword - description: The URI for the Zone that the source asset has been assigned to in ArcSight. - - name: aggregationType - type: keyword - - name: destinationMacAddress - type: keyword - description: Six colon-separated hexadecimal numbers. - - name: filePath - type: keyword - description: Full path to the file, including file name itself. 
- - name: fileSize - type: long - description: Size of the file. - - name: repeatCount - type: keyword - - name: sourceHostName - type: keyword - description: Identifies the source that an event refers to in an IP network. The format should be a fully qualified domain name (FQDN) associated with the source node, when a mode is available. - - name: sourceMacAddress - type: keyword - description: Six colon-separated hexadecimal numbers. - - name: sourceUserId - type: keyword - description: Identifies the source user by ID. This is the user associated with the source of the event. For example, in UNIX, the root user is generally associated with user ID 0. - - name: target - type: keyword diff --git a/packages/cyberark_pta/0.1.1/data_stream/events/fields/ecs.yml b/packages/cyberark_pta/0.1.1/data_stream/events/fields/ecs.yml deleted file mode 100755 index 7db289b877..0000000000 --- a/packages/cyberark_pta/0.1.1/data_stream/events/fields/ecs.yml +++ /dev/null 
@@ -1,89 +0,0 @@ -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: Vendor name of the observer. - name: observer.vendor - type: keyword -- description: The product name of the observer. - name: observer.product - type: keyword -- description: Observer version. - name: observer.version - type: keyword -- description: |- - Reason why this event happened, according to the source. - This describes the why of a particular action or outcome captured in the event. Where `event.action` captures the action from the event, `event.reason` describes why that action was taken. For example, a web proxy with an `event.action` which denied the request may also populate `event.reason` with the reason why (e.g. `blocked site`). - name: event.reason - type: keyword -- description: |- - The numeric severity of the event according to your event source. - What the different severity values mean can be different between sources and use cases. It's up to the implementer to make sure severities are consistent across events from the same source. - The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`. - name: event.severity - type: long -- description: Short name or login of the user. - multi_fields: - - name: text - type: match_only_text - name: source.user.name - type: keyword -- description: |- - The domain name of the source system. - This value may be a host name, a fully qualified domain name, or another host naming format. 
The value may derive from the original event or be added from enrichment. - name: source.domain - type: keyword -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: Short name or login of the user. - multi_fields: - - name: text - type: match_only_text - name: destination.user.name - type: keyword -- description: |- - The domain name of the destination system. - This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. - name: destination.domain - type: keyword -- description: IP address of the destination (IPv4 or IPv6). - name: destination.ip - type: ip -- description: Unique ID to describe the event. - name: event.id - type: keyword -- description: |- - event.created contains the date/time when the event was first read by an agent, or by your pipeline. - This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. - In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. - In case the two timestamps are identical, @timestamp should be used. - name: event.created - type: date -- description: |- - Reference URL linking to additional information about this event. - This URL links to a static definition of this event. Alert events, indicated by `event.kind:alert`, are a common use case for this field. - name: event.reference - type: keyword -- description: |- - URL linking to an external system to continue investigation of this event. - This URL links to another system where in-depth investigation of the specific occurrence of this event can take place. 
Alert events, indicated by `event.kind:alert`, are a common use case for this field. - name: event.url - type: keyword -- description: |- - The action captured by the event. - This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. - name: event.action - type: keyword -- description: |- - For log events the message field contains the log message, optimized for viewing in a log viewer. - For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. - If multiple messages exist, they can be combined into one message. - name: message - type: match_only_text -- description: List of keywords used to tag each event. - name: tags - normalize: - - array - type: keyword diff --git a/packages/cyberark_pta/0.1.1/data_stream/events/fields/fields.yml b/packages/cyberark_pta/0.1.1/data_stream/events/fields/fields.yml deleted file mode 100755 index d6a6534db7..0000000000 --- a/packages/cyberark_pta/0.1.1/data_stream/events/fields/fields.yml +++ /dev/null @@ -1,6 +0,0 @@ -- name: cyberark_pta.log - type: group - fields: - - name: event_type - type: keyword - description: A unique ID that identifies the event that is reported. diff --git a/packages/cyberark_pta/0.1.1/data_stream/events/manifest.yml b/packages/cyberark_pta/0.1.1/data_stream/events/manifest.yml deleted file mode 100755 index 5d835d12a6..0000000000 --- a/packages/cyberark_pta/0.1.1/data_stream/events/manifest.yml +++ /dev/null 
@@ -1,113 +0,0 @@ -title: CyberArk PTA logs -type: logs -streams: - - input: udp - title: CyberArk PTA logs (UDP) - description: Collect CyberArk PTA logs using UDP input - template_path: udp.yml.hbs - vars: - - name: syslog_host - type: text - title: Syslog Host - multi: false - required: true - show_user: true - default: localhost - - name: syslog_port - type: integer - title: Syslog Port - multi: false - required: true - show_user: true - default: 9301 - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: false - default: - - cyberark_pta - - forwarded - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original` - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: >- - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. - - input: tcp - title: CyberArk PTA logs (TCP) - description: Collect CyberArk PTA logs using TCP input - template_path: tcp.yml.hbs - vars: - - name: syslog_host - type: text - title: Syslog Host - multi: false - required: true - show_user: true - default: localhost - - name: syslog_port - type: integer - title: Syslog Port - multi: false - required: true - show_user: true - default: 9301 - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: false - default: - - cyberark_pta - - forwarded - - name: ssl - type: yaml - title: TLS configuration - multi: false - required: false - show_user: true - description: Options for enabling TLS mode. 
See the [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/configuration-ssl.html) for a list of all options. - default: | - #certificate: "/etc/server/cert.pem" - #key: "/etc/server/key.pem" - - name: tcp_options - type: yaml - title: Custom TCP Options - multi: false - required: false - show_user: false - default: | - max_message_size: 50KiB - #max_connections: 1 - #framing: delimiter - #line_delimiter: "\n" - description: Specify custom configuration options for the TCP input. See [TCP](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-tcp.html) for details. - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original` - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: >- - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. diff --git a/packages/cyberark_pta/0.1.1/data_stream/events/sample_event.json b/packages/cyberark_pta/0.1.1/data_stream/events/sample_event.json deleted file mode 100755 index 5ad7e32872..0000000000 --- a/packages/cyberark_pta/0.1.1/data_stream/events/sample_event.json +++ /dev/null 
@@ -1,102 +0,0 @@ -{ - "@timestamp": "2014-01-01T12:05:00.000Z", - "agent": { - "ephemeral_id": "29757b50-508c-457f-b12f-4231a5e8dbb7", - "hostname": "docker-fleet-agent", - "id": "61c2aa93-e34e-4412-bd9b-ce85257847de", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "7.17.0" - }, - "cef": { - "device": { - "event_class_id": "1", - "product": "PTA", - "vendor": "CyberArk", - "version": "12.6" - }, - "extensions": { - "destinationAddress": "2.2.2.2", - "destinationHostName": "dev1.domain.com", - "destinationUserName": "andy@dev1.domain.com", - "deviceCustomDate1": "2014-01-01T12:05:00.000Z", - "deviceCustomDate1Label": "detectionDate", - "deviceCustomString1": "None", - "deviceCustomString1Label": "ExtraData", - "deviceCustomString2": "52b06812ec3500ed864c461e", - "deviceCustomString2Label": "EventID", - "deviceCustomString3": "https://1.1.1.1/incidents/52b06812ec3500ed864c461e", - "deviceCustomString3Label": "PTAlink", - "deviceCustomString4": "None", - "deviceCustomString4Label": "ExternalLink", - "sourceAddress": "1.1.1.1", - "sourceHostName": "prod1.domain.com", - "sourceUserName": "mike2@prod1.domain.com" - }, - "name": "Suspected credentials theft", - "severity": "8", - "version": "0" - }, - "cyberark_pta": { - "log": { - "event_type": "1" - } - }, - "data_stream": { - "dataset": "cyberark_pta.events", - "namespace": "ep", - "type": "logs" - }, - "destination": { - "domain": "dev1.domain.com", - "ip": "2.2.2.2", - "user": { - "name": "andy@dev1.domain.com" - } - }, - "ecs": { - "version": "8.3.0" - }, - "elastic_agent": { - "id": "61c2aa93-e34e-4412-bd9b-ce85257847de", - "snapshot": false, - "version": "7.17.0" - }, - "event": { - "agent_id_status": "verified", - "code": "1", - "dataset": "cyberark_pta.events", - "id": "52b06812ec3500ed864c461e", - "ingested": "2022-08-11T17:13:32Z", - "original": "CEF:0|CyberArk|PTA|12.6|1|Suspected credentials theft|8|suser=mike2@prod1.domain.com shost=prod1.domain.com src=1.1.1.1 
duser=andy@dev1.domain.com dhost=dev1.domain.com dst=2.2.2.2 cs1Label=ExtraData cs1=None cs2Label=EventID cs2=52b06812ec3500ed864c461e deviceCustomDate1Label=detectionDate deviceCustomDate1=1388577900000 cs3Label=PTAlink cs3=https://1.1.1.1/incidents/52b06812ec3500ed864c461e cs4Label=ExternalLink cs4=None", - "reason": "Suspected credentials theft", - "reference": "https://1.1.1.1/incidents/52b06812ec3500ed864c461e", - "severity": 8, - "url": "None" - }, - "input": { - "type": "udp" - }, - "log": { - "source": { - "address": "192.168.16.4:45956" - } - }, - "observer": { - "product": "PTA", - "vendor": "CyberArk", - "version": "12.6" - }, - "source": { - "domain": "prod1.domain.com", - "ip": "1.1.1.1", - "user": { - "name": "mike2@prod1.domain.com" - } - }, - "tags": [ - "preserve_original_event", - "cyberark_pta", - "forwarded" - ] -} \ No newline at end of file diff --git a/packages/cyberark_pta/0.1.1/docs/README.md b/packages/cyberark_pta/0.1.1/docs/README.md deleted file mode 100755 index 0f06b54238..0000000000 --- a/packages/cyberark_pta/0.1.1/docs/README.md +++ /dev/null 
@@ -1,309 +0,0 @@ -# Cyberark Privileged Threat Analytics - -CyberArk's Privileged Threat Analytics (PTA) continuously monitors the use of privileged accounts that are managed in the CyberArk Privileged Access Security (PAS) platform. This integration collects analytics from PTA's syslog via CEF-formatted logs. - -### Configuration - -Follow the steps described under [Send PTA syslog records to SIEM](https://docs.cyberark.com/Product-Doc/OnlineHelp/PAS/Latest/en/Content/PTA/Outbound-Sending-%20PTA-syslog-Records-to-SIEM.htm) documentation to setup the integration: - -- Sample syslog configuration for `systemparm.properties`: - -```ini -[SYSLOG] -syslog_outbound=[{"siem": "Elastic", "format": "CEF", "host": "SIEM_MACHINE_ADDRESS", "port": 9301, "protocol": "TCP"}] -``` - -### Example event -An example event for pta looks as following: - -```json -{ - "cef": { - "device": { - "event_class_id": "1", - "product": "PTA", - "vendor": "CyberArk", - "version": "12.6" - }, - "extensions": { - "destinationAddress": "175.16.199.0", - "destinationHostName": "dev1.domain.com", - "destinationUserName": "andy@dev1.domain.com", - "deviceCustomDate1": "2014-01-01T12:05:00.000Z", - "deviceCustomDate1Label": "detectionDate", - "deviceCustomString1": "None", - "deviceCustomString1Label": "ExtraData", - "deviceCustomString2": "52b06812ec3500ed864c461e", - "deviceCustomString2Label": "EventID", - "deviceCustomString3": "https://1.128.0.0/incidents/52b06812ec3500ed864c461e", - "deviceCustomString3Label": "PTAlink", - "deviceCustomString4": "https://myexternallink.com", - "deviceCustomString4Label": "ExternalLink", - "sourceAddress": "1.128.0.0", - "sourceHostName": "prod1.domain.com", - "sourceUserName": "mike2@prod1.domain.com" - }, - "name": "Suspected credentials theft", - "severity": "8", - "version": "0" - }, - "destination": { - "domain": "dev1.domain.com", - "ip": "175.16.199.0", - "user": { - "name": "andy@dev1.domain.com" - } - }, - "ecs": { - "version": "8.3.0" - }, - "event": 
{ - "code": "1", - "created": [ - "2014-01-01T12:05:00.000Z" - ], - "id": [ - "52b06812ec3500ed864c461e" - ], - "ingested": "2022-07-28T14:05:49Z", - "original": "CEF:0|CyberArk|PTA|12.6|1|Suspected credentials theft|8|suser=mike2@prod1.domain.com shost=prod1.domain.com src=1.128.0.0 duser=andy@dev1.domain.com dhost=dev1.domain.com dst=175.16.199.0 cs1Label=ExtraData cs1=None cs2Label=EventID cs2=52b06812ec3500ed864c461e deviceCustomDate1Label=detectionDate deviceCustomDate1=1388577900000 cs3Label=PTAlink cs3=https://1.128.0.0/incidents/52b06812ec3500ed864c461e cs4Label=ExternalLink cs4=https://myexternallink.com", - "reference": [ - "https://1.128.0.0/incidents/52b06812ec3500ed864c461e" - ], - "severity": 8, - "url": [ - "https://myexternallink.com" - ] - }, - "message": "Suspected credentials theft", - "observer": { - "product": "PTA", - "vendor": "CyberArk", - "version": "12.6" - }, - "source": { - "domain": "prod1.domain.com", - "ip": "1.128.0.0", - "user": { - "name": "mike2@prod1.domain.com" - } - }, - "tags": [ - "cyberark_pta", - "forwarded" - ] -} -``` - -**Exported fields** - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cef.device.event_class_id | Unique identifier of the event type. | keyword | -| cef.device.product | Product of the device that produced the message. | keyword | -| cef.device.vendor | Vendor of the device that produced the message. | keyword | -| cef.device.version | Version of the product that produced the message. 
| keyword |
-| cef.extensions.TrendMicroDsDetectionConfidence | | keyword |
-| cef.extensions.TrendMicroDsFileMD5 | | keyword |
-| cef.extensions.TrendMicroDsFileSHA1 | | keyword |
-| cef.extensions.TrendMicroDsFileSHA256 | | keyword |
-| cef.extensions.TrendMicroDsFrameType | | keyword |
-| cef.extensions.TrendMicroDsMalwareTarget | | keyword |
-| cef.extensions.TrendMicroDsMalwareTargetType | | keyword |
-| cef.extensions.TrendMicroDsPacketData | | keyword |
-| cef.extensions.TrendMicroDsRelevantDetectionNames | | keyword |
-| cef.extensions.TrendMicroDsTenant | | keyword |
-| cef.extensions.TrendMicroDsTenantId | | keyword |
-| cef.extensions.ad | | flattened |
-| cef.extensions.agentAddress | The IP address of the ArcSight connector that processed the event. | ip |
-| cef.extensions.agentHostName | The hostname of the ArcSight connector that processed the event. | keyword |
-| cef.extensions.agentId | The agent ID of the ArcSight connector that processed the event. | keyword |
-| cef.extensions.agentMacAddress | The MAC address of the ArcSight connector that processed the event. | keyword |
-| cef.extensions.agentReceiptTime | The time at which information about the event was received by the ArcSight connector. | date |
-| cef.extensions.agentTimeZone | The agent time zone of the ArcSight connector that processed the event. | keyword |
-| cef.extensions.agentType | The agent type of the ArcSight connector that processed the event. | keyword |
-| cef.extensions.agentVersion | The version of the ArcSight connector that processed the event. | keyword |
-| cef.extensions.agentZoneURI | | keyword |
-| cef.extensions.aggregationType | | keyword |
-| cef.extensions.applicationProtocol | Application level protocol, example values are HTTP, HTTPS, SSHv2, Telnet, POP, IMPA, IMAPS, and so on. | keyword |
-| cef.extensions.assetCriticality | | keyword |
-| cef.extensions.baseEventCount | A count associated with this event. How many times was this same event observed?
Count can be omitted if it is 1. | long |
-| cef.extensions.bytesIn | Number of bytes transferred inbound, relative to the source to destination relationship, meaning that data was flowing from source to destination. | long |
-| cef.extensions.bytesOut | Number of bytes transferred outbound relative to the source to destination relationship. For example, the byte number of data flowing from the destination to the source. | long |
-| cef.extensions.categoryBehavior | Action or a behavior associated with an event. It's what is being done to the object (ArcSight). | keyword |
-| cef.extensions.categoryDeviceGroup | General device group like Firewall (ArcSight). | keyword |
-| cef.extensions.categoryDeviceType | Device type. Examples - Proxy, IDS, Web Server (ArcSight). | keyword |
-| cef.extensions.categoryObject | Object that the event is about. For example it can be an operating sytem, database, file, etc (ArcSight). | keyword |
-| cef.extensions.categoryOutcome | Outcome of the event (e.g. sucess, failure, or attempt) (ArcSight). | keyword |
-| cef.extensions.categorySignificance | Characterization of the importance of the event (ArcSight). | keyword |
-| cef.extensions.categoryTechnique | Technique being used (e.g. /DoS) (ArcSight). | keyword |
-| cef.extensions.cp_app_risk | | keyword |
-| cef.extensions.cp_severity | | keyword |
-| cef.extensions.destinationAddress | Identifies the destination address that the event refers to in an IP network. The format is an IPv4 address. | ip |
-| cef.extensions.destinationHostName | Identifies the destination that an event refers to in an IP network. The format should be a fully qualified domain name (FQDN) associated with the destination node, when a node is available. | keyword |
-| cef.extensions.destinationMacAddress | Six colon-separated hexadecimal numbers. | keyword |
-| cef.extensions.destinationNtDomain | Outcome of the event (e.g. sucess, failure, or attempt) (ArcSight).
| keyword |
-| cef.extensions.destinationPort | The valid port numbers are between 0 and 65535. | long |
-| cef.extensions.destinationServiceName | The service targeted by this event. | keyword |
-| cef.extensions.destinationTranslatedAddress | Identifies the translated destination that the event refers to in an IP network. | ip |
-| cef.extensions.destinationTranslatedPort | Port after it was translated; for example, a firewall. Valid port numbers are 0 to 65535. | long |
-| cef.extensions.destinationUserName | Identifies the destination user by name. This is the user associated with the event's destination. Email addresses are often mapped into the UserName fields. The recipient is a candidate to put into this field. | keyword |
-| cef.extensions.destinationUserPrivileges | The typical values are "Administrator", "User", and "Guest". This identifies the destination user's privileges. In UNIX, for example, activity executed on the root user would be identified with destinationUser Privileges of "Administrator". | keyword |
-| cef.extensions.deviceAction | Action taken by the device. | keyword |
-| cef.extensions.deviceAddress | Identifies the device address that an event refers to in an IP network. | ip |
-| cef.extensions.deviceAssetId | | keyword |
-| cef.extensions.deviceCustomDate1 | One of two timestamp fields available to map fields that do not apply to any other in this dictionary. | keyword |
-| cef.extensions.deviceCustomDate1Label | All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. | keyword |
-| cef.extensions.deviceCustomDate2 | One of two timestamp fields available to map fields that do not apply to any other in this dictionary. | keyword |
-| cef.extensions.deviceCustomDate2Label | All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field.
| keyword |
-| cef.extensions.deviceCustomIPv6Address1 | One of four IPv6 address fields available to map fields that do not apply to any other in this dictionary. | ip |
-| cef.extensions.deviceCustomIPv6Address1Label | All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. | keyword |
-| cef.extensions.deviceCustomIPv6Address2 | One of four IPv6 address fields available to map fields that do not apply to any other in this dictionary. | ip |
-| cef.extensions.deviceCustomIPv6Address2Label | All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. | keyword |
-| cef.extensions.deviceCustomIPv6Address3 | One of four IPv6 address fields available to map fields that do not apply to any other in this dictionary. | ip |
-| cef.extensions.deviceCustomIPv6Address3Label | All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. | keyword |
-| cef.extensions.deviceCustomIPv6Address4 | One of four IPv6 address fields available to map fields that do not apply to any other in this dictionary. | ip |
-| cef.extensions.deviceCustomIPv6Address4Label | All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. | keyword |
-| cef.extensions.deviceCustomNumber1 | One of three number fields available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible. | long |
-| cef.extensions.deviceCustomNumber1Label | All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. | keyword |
-| cef.extensions.deviceCustomNumber2 | One of three number fields available to map fields that do not apply to any other in this dictionary.
Use sparingly and seek a more specific, dictionary supplied field when possible. | long |
-| cef.extensions.deviceCustomNumber2Label | All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. | keyword |
-| cef.extensions.deviceCustomNumber3 | One of three number fields available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible. | long |
-| cef.extensions.deviceCustomNumber3Label | All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. | keyword |
-| cef.extensions.deviceCustomString1 | One of six strings available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible. | keyword |
-| cef.extensions.deviceCustomString1Label | All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. | keyword |
-| cef.extensions.deviceCustomString2 | One of six strings available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible. | keyword |
-| cef.extensions.deviceCustomString2Label | All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. | keyword |
-| cef.extensions.deviceCustomString3 | One of six strings available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible. | keyword |
-| cef.extensions.deviceCustomString3Label | All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field.
| keyword |
-| cef.extensions.deviceCustomString4 | One of six strings available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible. | keyword |
-| cef.extensions.deviceCustomString4Label | All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. | keyword |
-| cef.extensions.deviceCustomString5 | One of six strings available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible. | keyword |
-| cef.extensions.deviceCustomString5Label | All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. | keyword |
-| cef.extensions.deviceCustomString6 | One of six strings available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible. | keyword |
-| cef.extensions.deviceCustomString6Label | All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. | keyword |
-| cef.extensions.deviceDirection | Any information about what direction the observed communication has taken. The following values are supported - "0" for inbound or "1" for outbound. | long |
-| cef.extensions.deviceEventCategory | Represents the category assigned by the originating device. Devices often use their own categorization schema to classify event. Example "/Monitor/Disk/Read". | keyword |
-| cef.extensions.deviceExternalId | A name that uniquely identifies the device generating this event. | keyword |
-| cef.extensions.deviceFacility | The facility generating this event. For example, Syslog has an explicit facility associated with every event.
| keyword |
-| cef.extensions.deviceHostName | The format should be a fully qualified domain name (FQDN) associated with the device node, when a node is available. | keyword |
-| cef.extensions.deviceInboundInterface | Interface on which the packet or data entered the device. | keyword |
-| cef.extensions.deviceOutboundInterface | Interface on which the packet or data left the device. | keyword |
-| cef.extensions.deviceProcessName | Process name associated with the event. An example might be the process generating the syslog entry in UNIX. | keyword |
-| cef.extensions.deviceReceiptTime | The time at which the event related to the activity was received. The format is MMM dd yyyy HH:mm:ss or milliseconds since epoch (Jan 1st 1970) | keyword |
-| cef.extensions.deviceSeverity | | keyword |
-| cef.extensions.deviceTimeZone | The time zone for the device generating the event. | keyword |
-| cef.extensions.deviceZoneID | | keyword |
-| cef.extensions.deviceZoneURI | Thee URI for the Zone that the device asset has been assigned to in ArcSight. | keyword |
-| cef.extensions.dvc | This field is used by Trend Micro if the hostname is an IPv4 address. | ip |
-| cef.extensions.dvchost | This field is used by Trend Micro for hostnames and IPv6 addresses. | keyword |
-| cef.extensions.eventAnnotationAuditTrail | | keyword |
-| cef.extensions.eventAnnotationEndTime | | date |
-| cef.extensions.eventAnnotationFlags | | keyword |
-| cef.extensions.eventAnnotationManagerReceiptTime | | date |
-| cef.extensions.eventAnnotationModificationTime | | date |
-| cef.extensions.eventAnnotationStageUpdateTime | | date |
-| cef.extensions.eventAnnotationVersion | | keyword |
-| cef.extensions.eventId | This is a unique ID that ArcSight assigns to each event. | long |
-| cef.extensions.fileHash | Hash of a file. | keyword |
-| cef.extensions.filePath | Full path to the file, including file name itself. | keyword |
-| cef.extensions.fileSize | Size of the file.
| long |
-| cef.extensions.fileType | Type of file (pipe, socket, etc.) | keyword |
-| cef.extensions.filename | Name of the file only (without its path). | keyword |
-| cef.extensions.ifname | | keyword |
-| cef.extensions.inzone | | keyword |
-| cef.extensions.layer_name | | keyword |
-| cef.extensions.layer_uuid | | keyword |
-| cef.extensions.locality | | keyword |
-| cef.extensions.logid | | keyword |
-| cef.extensions.loguid | | keyword |
-| cef.extensions.managerReceiptTime | When the Arcsight ESM received the event. | date |
-| cef.extensions.match_id | | keyword |
-| cef.extensions.message | An arbitrary message giving more details about the event. Multi-line entries can be produced by using \n as the new line separator. | keyword |
-| cef.extensions.method | HTTP request method. The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field. | keyword |
-| cef.extensions.modelConfidence | | keyword |
-| cef.extensions.nat_addtnl_rulenum | | keyword |
-| cef.extensions.nat_rulenum | | keyword |
-| cef.extensions.oldFileHash | Hash of the old file. | keyword |
-| cef.extensions.origin | | keyword |
-| cef.extensions.originalAgentAddress | | keyword |
-| cef.extensions.originalAgentHostName | | keyword |
-| cef.extensions.originalAgentId | | keyword |
-| cef.extensions.originalAgentType | | keyword |
-| cef.extensions.originalAgentVersion | | keyword |
-| cef.extensions.originalAgentZoneURI | | keyword |
-| cef.extensions.originsicname | | keyword |
-| cef.extensions.outzone | | keyword |
-| cef.extensions.parent_rule | | keyword |
-| cef.extensions.priority | | keyword |
-| cef.extensions.product | | keyword |
-| cef.extensions.relevance | | keyword |
-| cef.extensions.repeatCount | | keyword |
-| cef.extensions.requestContext | Description of the content from which the request originated (for example, HTTP Referrer).
| keyword |
-| cef.extensions.requestMethod | The HTTP method used to access a URL. | keyword |
-| cef.extensions.requestUrl | In the case of an HTTP request, this field contains the URL accessed. The URL should contain the protocol as well. | keyword |
-| cef.extensions.requestUrlFileName | | keyword |
-| cef.extensions.rule_action | | keyword |
-| cef.extensions.rule_uid | | keyword |
-| cef.extensions.sequencenum | | keyword |
-| cef.extensions.service_id | | keyword |
-| cef.extensions.severity | | keyword |
-| cef.extensions.sourceAddress | Identifies the source that an event refers to in an IP network. | ip |
-| cef.extensions.sourceGeoLatitude | | long |
-| cef.extensions.sourceGeoLongitude | | long |
-| cef.extensions.sourceHostName | Identifies the source that an event refers to in an IP network. The format should be a fully qualified domain name (FQDN) associated with the source node, when a mode is available. | keyword |
-| cef.extensions.sourceMacAddress | Six colon-separated hexadecimal numbers. | keyword |
-| cef.extensions.sourceNtDomain | The Windows domain name for the source address. | keyword |
-| cef.extensions.sourcePort | The valid port numbers are 0 to 65535. | long |
-| cef.extensions.sourceServiceName | The service that is responsible for generating this event. | keyword |
-| cef.extensions.sourceTranslatedAddress | Identifies the translated source that the event refers to in an IP network. | ip |
-| cef.extensions.sourceTranslatedPort | A port number after being translated by, for example, a firewall. Valid port numbers are 0 to 65535. | long |
-| cef.extensions.sourceTranslatedZoneID | | keyword |
-| cef.extensions.sourceTranslatedZoneURI | The URI for the Translated Zone that the destination asset has been assigned to in ArcSight. | keyword |
-| cef.extensions.sourceUserId | Identifies the source user by ID. This is the user associated with the source of the event.
For example, in UNIX, the root user is generally associated with user ID 0. | keyword |
-| cef.extensions.sourceUserName | Identifies the source user by name. Email addresses are also mapped into the UserName fields. The sender is a candidate to put into this field. | keyword |
-| cef.extensions.sourceUserPrivileges | The typical values are "Administrator", "User", and "Guest". It identifies the source user's privileges. In UNIX, for example, activity executed by the root user would be identified with "Administrator". | keyword |
-| cef.extensions.sourceZoneID | Identifies the source user by ID. This is the user associated with the source of the event. For example, in UNIX, the root user is generally associated with user ID 0. | keyword |
-| cef.extensions.sourceZoneURI | The URI for the Zone that the source asset has been assigned to in ArcSight. | keyword |
-| cef.extensions.startTime | The time when the activity the event referred to started. The format is MMM dd yyyy HH:mm:ss or milliseconds since epoch (Jan 1st 1970). | date |
-| cef.extensions.target | | keyword |
-| cef.extensions.transportProtocol | Identifies the Layer-4 protocol used. The possible values are protocols such as TCP or UDP. | keyword |
-| cef.extensions.type | 0 means base event, 1 means aggregated, 2 means correlation, and 3 means action. This field can be omitted for base events (type 0). | long |
-| cef.extensions.version | | keyword |
-| cef.name | | keyword |
-| cef.severity | | keyword |
-| cef.version | | keyword |
-| cyberark_pta.log.event_type | A unique ID that identifies the event that is reported. | keyword |
-| data_stream.dataset | Data stream dataset. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| destination.domain | The domain name of the destination system. This value may be a host name, a fully qualified domain name, or another host naming format.
The value may derive from the original event or be added from enrichment. | keyword |
-| destination.ip | IP address of the destination (IPv4 or IPv6). | ip |
-| destination.service.name | | keyword |
-| destination.user.name | Short name or login of the user. | keyword |
-| destination.user.name.text | Multi-field of `destination.user.name`. | match_only_text |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword |
-| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date |
-| event.dataset | Event dataset | constant_keyword |
-| event.id | Unique ID to describe the event. | keyword |
-| event.module | Event module | constant_keyword |
-| event.reason | Reason why this event happened, according to the source. This describes the why of a particular action or outcome captured in the event. Where `event.action` captures the action from the event, `event.reason` describes why that action was taken.
For example, a web proxy with an `event.action` which denied the request may also populate `event.reason` with the reason why (e.g. `blocked site`). | keyword |
-| event.reference | Reference URL linking to additional information about this event. This URL links to a static definition of this event. Alert events, indicated by `event.kind:alert`, are a common use case for this field. | keyword |
-| event.severity | The numeric severity of the event according to your event source. What the different severity values mean can be different between sources and use cases. It's up to the implementer to make sure severities are consistent across events from the same source. The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`. | long |
-| event.url | URL linking to an external system to continue investigation of this event. This URL links to another system where in-depth investigation of the specific occurrence of this event can take place. Alert events, indicated by `event.kind:alert`, are a common use case for this field. | keyword |
-| input.type | Input type | keyword |
-| log.source.address | Source address from which the log event was read / sent from. | keyword |
-| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text |
-| observer.product | The product name of the observer. | keyword |
-| observer.vendor | Vendor name of the observer. | keyword |
-| observer.version | Observer version. | keyword |
-| source.domain | The domain name of the source system.
This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword |
-| source.ip | IP address of the source (IPv4 or IPv6). | ip |
-| source.service.name | | keyword |
-| source.user.name | Short name or login of the user. | keyword |
-| source.user.name.text | Multi-field of `source.user.name`. | match_only_text |
-| tags | List of keywords used to tag each event. | keyword |
diff --git a/packages/cyberark_pta/0.1.1/img/cyberarkpta-overview.png b/packages/cyberark_pta/0.1.1/img/cyberarkpta-overview.png
deleted file mode 100755
index 0992ada152..0000000000
Binary files a/packages/cyberark_pta/0.1.1/img/cyberarkpta-overview.png and /dev/null differ
diff --git a/packages/cyberark_pta/0.1.1/img/logo.svg b/packages/cyberark_pta/0.1.1/img/logo.svg
deleted file mode 100755
index 04930adfd8..0000000000
--- a/packages/cyberark_pta/0.1.1/img/logo.svg
+++ /dev/null
@@ -1 +0,0 @@
-Asset 25
diff --git a/packages/cyberark_pta/0.1.1/kibana/dashboard/cyberark_pta-eea41650-18bd-11ed-9abd-41a4c44d6e7d.json b/packages/cyberark_pta/0.1.1/kibana/dashboard/cyberark_pta-eea41650-18bd-11ed-9abd-41a4c44d6e7d.json
deleted file mode 100755
index d94d095b40..0000000000
--- a/packages/cyberark_pta/0.1.1/kibana/dashboard/cyberark_pta-eea41650-18bd-11ed-9abd-41a4c44d6e7d.json
+++ /dev/null
@@ -1,77 +0,0 @@ -{ - "attributes": { - "description": "Dashboard for CyberArk Privileged Threat Analytics events.", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"query\":{\"match_phrase\":{\"event.dataset\":\"cyberark_pta.events\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-3e6332a5-6ad3-41e6-9bb5-6ec2abd887f7\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"3e6332a5-6ad3-41e6-9bb5-6ec2abd887f7\":{\"columnOrder\":[\"74fa8240-d450-412a-8343-149d05d4d536\"],\"columns\":{\"74fa8240-d450-412a-8343-149d05d4d536\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\" \",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"74fa8240-d450-412a-8343-149d05d4d536\",\"layerId\":\"3e6332a5-6ad3-41e6-9bb5-6ec2abd887f7\",\"layerType\":\"data\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":7,\"i\":\"562dd571-d7e2-4794-91e9-b78eff36e41c\",\"w\":8,\"x\":0,\"y\":0},\"panelIndex\":\"562dd571-d7e2-4794-91e9-b78eff36e41c\",\"title\":\"[CyberArk PTA] Count of 
events\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-87eed888-756f-45b0-993b-44ad2b1e23a5\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"filter-index-pattern-0\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"87eed888-756f-45b0-993b-44ad2b1e23a5\":{\"columnOrder\":[\"852d53bc-8cf4-47fc-8b40-98ed13472e85\",\"62d6a234-31da-42e3-8fe9-38d2744955b3\",\"2af7beda-39a4-4d42-b785-a609549ba02f\",\"9e57e808-1389-458e-8811-5018ea30823e\",\"e72df46d-8fd3-4442-a0ea-e39b53ba949a\"],\"columns\":{\"2af7beda-39a4-4d42-b785-a609549ba02f\":{\"customLabel\":true,\"dataType\":\"ip\",\"isBucketed\":true,\"label\":\"Destintation IPs\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"e72df46d-8fd3-4442-a0ea-e39b53ba949a\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":3},\"scale\":\"ordinal\",\"sourceField\":\"destination.ip\"},\"62d6a234-31da-42e3-8fe9-38d2744955b3\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Source users\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"e72df46d-8fd3-4442-a0ea-e39b53ba949a\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":3},\"scale\":\"ordinal\",\"sourceField\":\"source.user.name\"},\"852d53bc-8cf4-47fc-8b40-98ed13472e85\":{\"customLabel\":true,\"dataType\":\"ip\",\"isBucketed\":true,\"label\":\"Source 
IPs\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"e72df46d-8fd3-4442-a0ea-e39b53ba949a\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"source.ip\"},\"9e57e808-1389-458e-8811-5018ea30823e\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Destination users\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"e72df46d-8fd3-4442-a0ea-e39b53ba949a\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":3},\"scale\":\"ordinal\",\"sourceField\":\"destination.user.name\"},\"e72df46d-8fd3-4442-a0ea-e39b53ba949a\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"columns\":[{\"columnId\":\"852d53bc-8cf4-47fc-8b40-98ed13472e85\",\"isTransposed\":false},{\"columnId\":\"62d6a234-31da-42e3-8fe9-38d2744955b3\",\"isTransposed\":false},{\"columnId\":\"2af7beda-39a4-4d42-b785-a609549ba02f\",\"isTransposed\":false},{\"columnId\":\"9e57e808-1389-458e-8811-5018ea30823e\",\"isTransposed\":false},{\"columnId\":\"e72df46d-8fd3-4442-a0ea-e39b53ba949a\",\"isTransposed\":false}],\"layerId\":\"87eed888-756f-45b0-993b-44ad2b1e23a5\",\"layerType\":\"data\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsDatatable\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":18,\"i\":\"38bad184-b84b-4b7b-9f09-10b1ee987963\",\"w\":19,\"x\":8,\"y\":0},\"panelIndex\":\"38bad184-b84b-4b7b-9f09-10b1ee987963\",\"title\":\"[CyberArk PTA] Top 5 source and 
destination\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-5df39b58-343e-4c36-bc61-c70ebbb8ebb6\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"5df39b58-343e-4c36-bc61-c70ebbb8ebb6\":{\"columnOrder\":[\"2aa9a568-b27e-4dbc-8a00-3f450389045b\",\"83a02722-c998-441f-88bb-84fb6a325083\",\"09539914-b19b-483b-a6cd-f60f284ad80e\"],\"columns\":{\"09539914-b19b-483b-a6cd-f60f284ad80e\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\" \",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"2aa9a568-b27e-4dbc-8a00-3f450389045b\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of cyberark_pta.log.event_type\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"09539914-b19b-483b-a6cd-f60f284ad80e\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":3},\"scale\":\"ordinal\",\"sourceField\":\"cyberark_pta.log.event_type\"},\"83a02722-c998-441f-88bb-84fb6a325083\":{\"dataType\":\"date\",\"isBucketed\":true,\"label\":\"@timestamp\",\"operationType\":\"date_histogram\",\"params\":{\"interval\":\"auto\"},\"scale\":\"interval\",\"sourceField\":\"@timestamp\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"accessors\":[\"09539914-b19b-483b-a6cd-f60f284ad80e\"],\"layerId\":\"5df39b58-343e-4c36-bc61-c70ebbb8ebb6\",\"layerType\":\"data\",\"position\":\"top\",\"seriesType\":\"bar_stacked\",\"showGridlines\":false,\"splitAccessor\":\"2aa9a568-b27e-4dbc-8a00-3f450389045b\",\"xAccessor\":\"83a02722-c998-441f-88bb-84fb6a325083\"}],\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"preferredSeriesType\":\"b
ar_stacked\",\"title\":\"Empty XY chart\",\"valueLabels\":\"hide\",\"yLeftExtent\":{\"mode\":\"full\"},\"yRightExtent\":{\"mode\":\"full\"}}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsXY\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":18,\"i\":\"ab604797-4f60-4588-9fcd-76b81d288a51\",\"w\":21,\"x\":27,\"y\":0},\"panelIndex\":\"ab604797-4f60-4588-9fcd-76b81d288a51\",\"title\":\"[CyberArk PTA] Event types over time\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-98a4e469-bec7-4f11-b02c-11ed260361bb\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"filter-index-pattern-0\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"98a4e469-bec7-4f11-b02c-11ed260361bb\":{\"columnOrder\":[\"8062269c-4098-4119-bad3-91a03e69f75d\",\"6f7d9103-48dd-4fc0-8240-fd9f6584ff57\"],\"columns\":{\"6f7d9103-48dd-4fc0-8240-fd9f6584ff57\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of 
records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"8062269c-4098-4119-bad3-91a03e69f75d\":{\"dataType\":\"number\",\"isBucketed\":true,\"label\":\"event.severity\",\"operationType\":\"range\",\"params\":{\"maxBars\":\"auto\",\"ranges\":[{\"from\":0,\"label\":\"\",\"to\":1000}],\"type\":\"histogram\"},\"scale\":\"interval\",\"sourceField\":\"event.severity\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"8062269c-4098-4119-bad3-91a03e69f75d\"],\"layerId\":\"98a4e469-bec7-4f11-b02c-11ed260361bb\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"6f7d9103-48dd-4fc0-8240-fd9f6584ff57\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"pie\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":11,\"i\":\"7f633d2a-b148-4b8c-bfe3-1a80bfe1d13b\",\"w\":8,\"x\":0,\"y\":7},\"panelIndex\":\"7f633d2a-b148-4b8c-bfe3-1a80bfe1d13b\",\"title\":\"[CyberArk PTA] Distribution of events by severity\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":13,\"i\":\"3e7ba89f-9ab3-47ea-93bc-2a4e47d0c08d\",\"w\":48,\"x\":0,\"y\":18},\"panelIndex\":\"3e7ba89f-9ab3-47ea-93bc-2a4e47d0c08d\",\"panelRefName\":\"panel_3e7ba89f-9ab3-47ea-93bc-2a4e47d0c08d\",\"type\":\"search\",\"version\":\"7.17.0\"}]", - "timeRestore": false, - "title": "[CyberArk PTA] Event overview", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "cyberark_pta-eea41650-18bd-11ed-9abd-41a4c44d6e7d", - "migrationVersion": { - "dashboard": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "562dd571-d7e2-4794-91e9-b78eff36e41c:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": 
"562dd571-d7e2-4794-91e9-b78eff36e41c:indexpattern-datasource-layer-3e6332a5-6ad3-41e6-9bb5-6ec2abd887f7", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "38bad184-b84b-4b7b-9f09-10b1ee987963:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "38bad184-b84b-4b7b-9f09-10b1ee987963:indexpattern-datasource-layer-87eed888-756f-45b0-993b-44ad2b1e23a5", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "38bad184-b84b-4b7b-9f09-10b1ee987963:filter-index-pattern-0", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "ab604797-4f60-4588-9fcd-76b81d288a51:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "ab604797-4f60-4588-9fcd-76b81d288a51:indexpattern-datasource-layer-5df39b58-343e-4c36-bc61-c70ebbb8ebb6", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "7f633d2a-b148-4b8c-bfe3-1a80bfe1d13b:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "7f633d2a-b148-4b8c-bfe3-1a80bfe1d13b:indexpattern-datasource-layer-98a4e469-bec7-4f11-b02c-11ed260361bb", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "7f633d2a-b148-4b8c-bfe3-1a80bfe1d13b:filter-index-pattern-0", - "type": "index-pattern" - }, - { - "id": "cyberark_pta-b36467d0-18c1-11ed-9abd-41a4c44d6e7d", - "name": "3e7ba89f-9ab3-47ea-93bc-2a4e47d0c08d:panel_3e7ba89f-9ab3-47ea-93bc-2a4e47d0c08d", - "type": "search" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/cyberark_pta/0.1.1/kibana/search/cyberark_pta-b36467d0-18c1-11ed-9abd-41a4c44d6e7d.json b/packages/cyberark_pta/0.1.1/kibana/search/cyberark_pta-b36467d0-18c1-11ed-9abd-41a4c44d6e7d.json deleted file mode 100755 index 2a4b107910..0000000000 --- a/packages/cyberark_pta/0.1.1/kibana/search/cyberark_pta-b36467d0-18c1-11ed-9abd-41a4c44d6e7d.json +++ /dev/null 
@@ -1,41 +0,0 @@
-{
- "attributes": {
- "columns": [
- "event.reason",
- "event.id",
- "event.severity",
- "event.reference"
- ],
- "description": "",
- "grid": {},
- "hideChart": false,
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"globalState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.dataset\",\"negate\":false,\"params\":{\"query\":\"cyberark_pta.events\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"event.dataset\":\"cyberark_pta.events\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}"
- },
- "sort": [
- [
- "@timestamp",
- "desc"
- ]
- ],
- "title": "[CyberArk PTA] Overview"
- },
- "coreMigrationVersion": "7.17.0",
- "id": "cyberark_pta-b36467d0-18c1-11ed-9abd-41a4c44d6e7d",
- "migrationVersion": {
- "search": "7.9.3"
- },
- "references": [
- {
- "id": "logs-*",
- "name": "kibanaSavedObjectMeta.searchSourceJSON.index",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
- "type": "index-pattern"
- }
- ],
- "type": "search"
-}
\ No newline at end of file
diff --git a/packages/cyberark_pta/0.1.1/manifest.yml b/packages/cyberark_pta/0.1.1/manifest.yml
deleted file mode 100755
index c312a39bad..0000000000
--- a/packages/cyberark_pta/0.1.1/manifest.yml
+++ /dev/null
@@ -1,34 +0,0 @@
-name: cyberark_pta
-title: Cyberark Privileged Threat Analytics
-version: 0.1.1
-release: beta
-license: basic
-description: Collect security logs from Cyberark PTA integration.
-type: integration
-format_version: 1.0.0
-categories: ["security"]
-conditions:
- kibana.version: ^7.17.0 || ^8.0.0
-screenshots:
- - src: /img/cyberarkpta-overview.png
- title: cyberark pta overview
- size: 600x600
- type: image/png
-policy_templates:
- - name: cyberark_pta
- title: CyberArk Privileged Threat Analytics logs
- description: Collect logs from syslog
- inputs:
- - type: tcp
- title: CyberArk PTA via TCP
- description: 'Collecting from CyberArk PTA via TCP'
- - type: udp
- title: CyberArk PTA via UDP
- description: 'Collecting logs from CyberArk PTA via UDP'
-icons:
- - src: /img/logo.svg
- title: CyberArk logo
- size: 32x32
- type: image/svg+xml
-owner:
- github: elastic/security-external-integrations
diff --git a/packages/cyberarkpas/2.6.2/LICENSE.txt b/packages/cyberarkpas/2.6.2/LICENSE.txt
deleted file mode 100755
index 809108b857..0000000000
--- a/packages/cyberarkpas/2.6.2/LICENSE.txt
+++ /dev/null
@@ -1,93 +0,0 @@ -Elastic License 2.0 - -URL: https://www.elastic.co/licensing/elastic-license - -## Acceptance - -By using the software, you agree to all of the terms and conditions below. - -## Copyright License - -The licensor grants you a non-exclusive, royalty-free, worldwide, -non-sublicensable, non-transferable license to use, copy, distribute, make -available, and prepare derivative works of the software, in each case subject to -the limitations and conditions below. - -## Limitations - -You may not provide the software to third parties as a hosted or managed -service, where the service provides users with access to any substantial set of -the features or functionality of the software. - -You may not move, change, disable, or circumvent the license key functionality -in the software, and you may not remove or obscure any functionality in the -software that is protected by the license key. - -You may not alter, remove, or obscure any licensing, copyright, or other notices -of the licensor in the software. Any use of the licensor’s trademarks is subject -to applicable law. - -## Patents - -The licensor grants you a license, under any patent claims the licensor can -license, or becomes able to license, to make, have made, use, sell, offer for -sale, import and have imported the software, in each case subject to the -limitations and conditions in this license. This license does not cover any -patent claims that you cause to be infringed by modifications or additions to -the software. If you or your company make any written claim that the software -infringes or contributes to infringement of any patent, your patent license for -the software granted under these terms ends immediately. If your company makes -such a claim, your patent license ends immediately for work on behalf of your -company. - -## Notices - -You must ensure that anyone who gets a copy of any part of the software from you -also gets a copy of these terms. 
- -If you modify the software, you must include in any modified copies of the -software prominent notices stating that you have modified the software. - -## No Other Rights - -These terms do not imply any licenses other than those expressly granted in -these terms. - -## Termination - -If you use the software in violation of these terms, such use is not licensed, -and your licenses will automatically terminate. If the licensor provides you -with a notice of your violation, and you cease all violation of this license no -later than 30 days after you receive that notice, your licenses will be -reinstated retroactively. However, if you violate these terms after such -reinstatement, any additional violation of these terms will cause your licenses -to terminate automatically and permanently. - -## No Liability - -*As far as the law allows, the software comes as is, without any warranty or -condition, and the licensor will not be liable to you for any damages arising -out of these terms or the use or nature of the software, under any kind of -legal claim.* - -## Definitions - -The **licensor** is the entity offering these terms, and the **software** is the -software the licensor makes available under these terms, including any portion -of it. - -**you** refers to the individual or entity agreeing to these terms. - -**your company** is any legal entity, sole proprietorship, or other kind of -organization that you work for, plus all organizations that have control over, -are under the control of, or are under common control with that -organization. **control** means ownership of substantially all the assets of an -entity, or the power to direct its management and policies by vote, contract, or -otherwise. Control can be direct or indirect. - -**your licenses** are all the licenses granted to you for the software under -these terms. - -**use** means anything you do with the software requiring one of your licenses. 
-
-**trademark** means trademarks, service marks, and similar rights.
diff --git a/packages/cyberarkpas/2.6.2/changelog.yml b/packages/cyberarkpas/2.6.2/changelog.yml
deleted file mode 100755
index 7377142daa..0000000000
--- a/packages/cyberarkpas/2.6.2/changelog.yml
+++ /dev/null
@@ -1,139 +0,0 @@
-# newer versions go on top
-- version: "2.6.2"
- changes:
- - description: Remove duplicate field.
- type: bugfix
- link: https://github.com/elastic/integrations/issues/4327
-- version: "2.6.1"
- changes:
- - description: Use ECS geo.location definition.
- type: enhancement
- link: https://github.com/elastic/integrations/issues/4227
-- version: "2.6.0"
- changes:
- - description: Update package to ECS 8.4.0
- type: enhancement
- link: https://github.com/elastic/integrations/pull/3843
-- version: "2.5.1"
- changes:
- - description: Update package name and description to align with standard wording
- type: enhancement
- link: https://github.com/elastic/integrations/pull/3478
-- version: "2.5.0"
- changes:
- - description: Update package to ECS 8.3.0.
- type: enhancement
- link: https://github.com/elastic/integrations/pull/3353
-- version: "2.4.2"
- changes:
- - description: Fix broken file paths configuration variable
- type: bugfix
- link: https://github.com/elastic/integrations/pull/3497
-- version: "2.4.1"
- changes:
- - description: Update to readme. added link to vendor documentation
- type: enhancement
- link: https://github.com/elastic/integrations/pull/3222
-- version: "2.4.0"
- changes:
- - description: Update to ECS 8.2
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2779
-- version: "2.3.2"
- changes:
- - description: Fix error ingesting events with a single entry in the CAProperties field
- type: bugfix
- link: https://github.com/elastic/integrations/pull/2965
-- version: "2.3.1"
- changes:
- - description: Add documentation for multi-fields
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2916
- - description: Remove duplicated definition of `event.dataset` field.
- type: bugfix
- link: https://github.com/elastic/integrations/pull/2916
-- version: "2.3.0"
- changes:
- - description: Update to ECS 8.0
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2400
-- version: "2.2.2"
- changes:
- - description: Regenerate test files using the new GeoIP database
- type: bugfix
- link: https://github.com/elastic/integrations/pull/2339
-- version: "2.2.1"
- changes:
- - description: Change test public IPs to the supported subset
- type: bugfix
- link: https://github.com/elastic/integrations/pull/2327
-- version: "2.2.0"
- changes:
- - description: Add 8.0.0 version constraint
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2223
-- version: "2.1.4"
- changes:
- - description: Uniform with guidelines
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2024
-- version: "2.1.3"
- changes:
- - description: Remove dash from title for consistency with brand.
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2004
-- version: "2.1.2"
- changes:
- - description: Update Title and Description.
- type: enhancement
- link: https://github.com/elastic/integrations/pull/1962
-- version: "2.1.1"
- changes:
- - description: Fix logic that checks for the 'forwarded' tag
- type: bugfix
- link: https://github.com/elastic/integrations/pull/1814
-- version: "2.1.0"
- changes:
- - description: Update to ECS 1.12.0
- type: enhancement
- link: https://github.com/elastic/integrations/pull/1657
-- version: "2.0.0"
- changes:
- - description: make GA
- type: enhancement
- link: https://github.com/elastic/integrations/pull/1631
-- version: "1.2.3"
- changes:
- - description: Convert to generated ECS fields
- type: enhancement
- link: https://github.com/elastic/integrations/pull/1474
-- version: '1.2.2'
- changes:
- - description: update to ECS 1.11.0
- type: enhancement
- link: https://github.com/elastic/integrations/pull/1380
-- version: "1.2.1"
- changes:
- - description: Escape special characters in docs
- type: enhancement
- link: https://github.com/elastic/integrations/pull/1405
-- version: "1.2.0"
- changes:
- - description: Update integration description
- type: enhancement
- link: https://github.com/elastic/integrations/pull/1364
-- version: "1.1.0"
- changes:
- - description: Set "event.module" and "event.dataset"
- type: enhancement
- link: https://github.com/elastic/integrations/pull/1260
-- version: "1.0.1"
- changes:
- - description: updating ECS version and adding event.original options
- type: enhancement
- link: https://github.com/elastic/integrations/pull/1039
-- version: "1.0.0"
- changes:
- - description: initial release
- type: enhancement
- link: https://github.com/elastic/integrations/pull/928
diff --git a/packages/cyberarkpas/2.6.2/data_stream/audit/agent/stream/log.yml.hbs b/packages/cyberarkpas/2.6.2/data_stream/audit/agent/stream/log.yml.hbs
deleted file mode 100755
index 4a720c1d38..0000000000
--- a/packages/cyberarkpas/2.6.2/data_stream/audit/agent/stream/log.yml.hbs
+++ /dev/null
@@ -1,20 +0,0 @@
-paths:
-{{#each paths as |path i|}}
-- {{path}}
-{{/each}}
-exclude_files: [".gz$"]
-tags:
-{{#if preserve_original_event}}
- - preserve_original_event
-{{/if}}
-{{#each tags as |tag i|}}
- - {{tag}}
-{{/each}}
-{{#contains "forwarded" tags}}
-publisher_pipeline.disable_host: true
-{{/contains}}
-processors:
-- add_locale: ~
-{{#if processors}}
-{{processors}}
-{{/if}}
\ No newline at end of file
diff --git a/packages/cyberarkpas/2.6.2/data_stream/audit/agent/stream/tcp.yml.hbs b/packages/cyberarkpas/2.6.2/data_stream/audit/agent/stream/tcp.yml.hbs
deleted file mode 100755
index 63b1142efc..0000000000
--- a/packages/cyberarkpas/2.6.2/data_stream/audit/agent/stream/tcp.yml.hbs
+++ /dev/null
@@ -1,20 +0,0 @@
-tcp:
-host: "{{syslog_host}}:{{syslog_port}}"
-tags:
-{{#if preserve_original_event}}
- - preserve_original_event
-{{/if}}
-{{#each tags as |tag i|}}
- - {{tag}}
-{{/each}}
-{{#contains "forwarded" tags}}
-publisher_pipeline.disable_host: true
-{{/contains}}
-{{#if ssl}}
-ssl: {{ssl}}
-{{/if}}
-processors:
-- add_locale: ~
-{{#if processors}}
-{{processors}}
-{{/if}}
diff --git a/packages/cyberarkpas/2.6.2/data_stream/audit/agent/stream/udp.yml.hbs b/packages/cyberarkpas/2.6.2/data_stream/audit/agent/stream/udp.yml.hbs
deleted file mode 100755
index 3b9f36d9ca..0000000000
--- a/packages/cyberarkpas/2.6.2/data_stream/audit/agent/stream/udp.yml.hbs
+++ /dev/null
@@ -1,17 +0,0 @@
-udp:
-host: "{{syslog_host}}:{{syslog_port}}"
-tags:
-{{#if preserve_original_event}}
- - preserve_original_event
-{{/if}}
-{{#each tags as |tag i|}}
- - {{tag}}
-{{/each}}
-{{#contains "forwarded" tags}}
-publisher_pipeline.disable_host: true
-{{/contains}}
-processors:
-- add_locale: ~
-{{#if processors}}
-{{processors}}
-{{/if}}
diff --git a/packages/cyberarkpas/2.6.2/data_stream/audit/elasticsearch/ingest_pipeline/default.yml b/packages/cyberarkpas/2.6.2/data_stream/audit/elasticsearch/ingest_pipeline/default.yml
deleted file mode 100755
index 6ef36b3b73..0000000000
--- a/packages/cyberarkpas/2.6.2/data_stream/audit/elasticsearch/ingest_pipeline/default.yml
+++ /dev/null
@@ -1,1193 +0,0 @@ ---- -description: Pipeline for CyberArk PAS - -processors: - # - # Set ECS version. - # - - set: - field: ecs.version - value: '8.4.0' - - # - # Set event.original from message, unless reindexing. - # - - rename: - field: message - target_field: event.original - if: 'ctx.event?.original == null' - - # - # Parse syslog headers (if any) and extract JSON payload. - # - - grok: - field: event.original - patterns: - # RFC5424 from CyberArk. - # UseLegacySyslogFormat=No - # <5>1 2021-03-04T17:28:23Z VAULT {"format":"elastic","version":"1.0",...} - - "^<%{NONNEGINT:log.syslog.priority:long}>%{NONNEGINT} %{TIMESTAMP_ISO8601:_tmp.syslog_ts} %{SYSLOGHOST:_tmp.hostname} %{JSON_PAYLOAD:_tmp.payload}" - - # Legacy format. - # UseLegacySyslogFormat=Yes - # Mar 08 02:57:42 VAULT {"format":"elastic","version":"1.0",...} - - "^%{SYSLOGTIMESTAMP:_tmp.syslog_ts} %{SYSLOGHOST:_tmp.hostname} %{JSON_PAYLOAD:_tmp.payload}" - - # Catch-all mode, just JSON payload. - - "%{JSON_PAYLOAD:_tmp.payload}" - pattern_definitions: - JSON_PAYLOAD: '{"format":"elastic","version":"1.0",.*}' - on_failure: - - fail: - message: "unexpected event format: {{{_ingest.on_failure_message}}}" - - - json: - field: _tmp.payload - target_field: _tmp.json - on_failure: - - fail: - message: "malformed JSON event: {{{_ingest.on_failure_message}}}" - - - rename: - field: _tmp.json.syslog.audit_record - target_field: cyberarkpas.audit - on_failure: - - fail: - message: "unexpected event structure: {{{_ingest.on_failure_message}}}" - - - # - # Remove all empty fields - # - - script: - lang: painless - description: 'Removes empty audit fields' - source: >- - ctx.cyberarkpas.audit.entrySet().removeIf(entry -> entry.getValue() == ""); - - - rename: - field: _tmp.json.raw - target_field: cyberarkpas.audit.raw - ignore_missing: true - - # The following processors populate @timestamp from the different sources that can exist in an event. 
- # In the following order of precedence: - # - IsoTimestamp field (expected ISO8601). Present when new syslog format is used (rfc5424: yes). - # - Timestamp (expected MMM dd HH:mm:ss). Also present only when new syslog format is used. - # - Syslog header timestamp. Either ISO8601 or legacy MMM dd HH:mm:ss, depending on the syslog format in use. - # - Original @timestamp from Filebeat. - - date: - if: 'ctx.cyberarkpas.audit.IsoTimestamp != null' - field: cyberarkpas.audit.IsoTimestamp - target_field: _tmp.timestamp - formats: - - ISO8601 - on_failure: - - append: - field: error.message - value: "failed to parse ISO timestamp field: {{{cyberarkpas.audit.IsoTimestamp}}}: {{{_ingest.on_failure_message}}}" - - - date: - if: 'ctx._tmp.timestamp == null && ctx.cyberarkpas.audit.Timestamp != null' - field: cyberarkpas.audit.Timestamp - target_field: _tmp.timestamp - formats: - # This is the default format. - - 'MMM dd HH:mm:ss' - # Drop a few other formats in case the above fails. - - ISO8601 - - 'MMM d HH:mm:ss' - - "EEE MMM dd HH:mm:ss" - - "EEE MMM d HH:mm:ss" - - "MMM d HH:mm:ss z" - - "MMM dd HH:mm:ss z" - - "EEE MMM d HH:mm:ss z" - - "EEE MMM dd HH:mm:ss z" - - "MMM d yyyy HH:mm:ss" - - "MMM dd yyyy HH:mm:ss" - - "EEE MMM d yyyy HH:mm:ss" - - "EEE MMM dd yyyy HH:mm:ss" - - "MMM d yyyy HH:mm:ss z" - - "MMM dd yyyy HH:mm:ss z" - - "EEE MMM d yyyy HH:mm:ss z" - - "EEE MMM dd yyyy HH:mm:ss z" - on_failure: - - append: - field: error.message - value: "failed to parse timestamp field: {{{cyberarkpas.audit.Timestamp}}}: {{{_ingest.on_failure_message}}}" - - - date: - if: 'ctx._tmp.timestamp == null && ctx._tmp.syslog_ts != null && ctx.event?.timezone == null' - field: _tmp.syslog_ts - target_field: _tmp.timestamp - formats: - # This is the default format. - - 'MMM dd HH:mm:ss' - # Drop a few other formats in case the above fails. 
- - ISO8601 - - 'MMM d HH:mm:ss' - - "EEE MMM dd HH:mm:ss" - - "EEE MMM d HH:mm:ss" - - "MMM d HH:mm:ss z" - - "MMM dd HH:mm:ss z" - - "EEE MMM d HH:mm:ss z" - - "EEE MMM dd HH:mm:ss z" - - "MMM d yyyy HH:mm:ss" - - "MMM dd yyyy HH:mm:ss" - - "EEE MMM d yyyy HH:mm:ss" - - "EEE MMM dd yyyy HH:mm:ss" - - "MMM d yyyy HH:mm:ss z" - - "MMM dd yyyy HH:mm:ss z" - - "EEE MMM d yyyy HH:mm:ss z" - - "EEE MMM dd yyyy HH:mm:ss z" - on_failure: - - append: - field: error.message - value: "failed to parse legacy syslog timestamp: {{{_tmp.syslog_ts}}}: {{{_ingest.on_failure_message}}}" - - - date: - if: 'ctx._tmp.timestamp == null && ctx._tmp.syslog_ts != null && ctx.event?.timezone != null' - field: _tmp.syslog_ts - target_field: _tmp.timestamp - timezone: '{{{event.timezone}}}' - formats: - # This is the default format. - - 'MMM dd HH:mm:ss' - # Drop a few other formats in case the above fails. - - ISO8601 - - 'MMM d HH:mm:ss' - - "EEE MMM dd HH:mm:ss" - - "EEE MMM d HH:mm:ss" - - "MMM d HH:mm:ss z" - - "MMM dd HH:mm:ss z" - - "EEE MMM d HH:mm:ss z" - - "EEE MMM dd HH:mm:ss z" - - "MMM d yyyy HH:mm:ss" - - "MMM dd yyyy HH:mm:ss" - - "EEE MMM d yyyy HH:mm:ss" - - "EEE MMM dd yyyy HH:mm:ss" - - "MMM d yyyy HH:mm:ss z" - - "MMM dd yyyy HH:mm:ss z" - - "EEE MMM d yyyy HH:mm:ss z" - - "EEE MMM dd yyyy HH:mm:ss z" - on_failure: - - append: - field: error.message - value: "failed to parse legacy syslog timestamp: {{{_tmp.syslog_ts}}}: {{{_ingest.on_failure_message}}}" - - - set: - field: '@timestamp' - value: '{{{_tmp.timestamp}}}' - ignore_empty_value: true - override: true - - # This script ensures that CAProperties.CAProperty is an array. - # When there's a single property, it is serialised as an object instead - # of a single element array. 
- - script: - lang: painless - description: "Converts CAProperties into an array if necessary" - source: > - def props = ctx.cyberarkpas?.audit?.CAProperties?.CAProperty; - if (props != null && props instanceof Map) { - ctx.cyberarkpas.audit.CAProperties.CAProperty = [ props ]; - } - - # This script converts the nested object under cyberarkpas.audit.CAProperties.CAProperty - # into an object under cyberarkpas.audit.CAProperties: - # - # input: - # "cyberarkpas.audit.CAProperties.CAProperty": [ - # { - # "Name": "PolicyID", - # "Value": "LINUX-SSH" - # }, - # { - # "Name": "UserName", - # "Value": "test12" - # } - # output: - # "cyberarkpas.audit.CAProperties": - # { - # "PolicyID": "LINUX-SSH", - # "UserName": "test12" - # } - - foreach: - field: cyberarkpas.audit.CAProperties.CAProperty - ignore_missing: true - processor: - set: - field: 'cyberarkpas.audit.CAProperties.{{{_ingest._value.Name}}}' - value: '{{{_ingest._value.Value}}}' - on_failure: - - append: - field: error.message - value: "failed to process CAProperties array: {{{_ingest.on_failure_message}}}" - - remove: - field: cyberarkpas.audit.CAProperties.CAProperty - ignore_missing: true - - # Parse key-value pairs at ExtraDetails: - # input: - # "cyberarkpas.audit.ExtraDetails": "Command=ls \"/var/tmp\";ConnectionComponentId=PSMP-SSH;DstHost=[...]", - # - # output: - # "cyberarkpas.audit.ExtraDetails": - # { - # "Command": "ls \"/var/tmp\"", - # "ConnectionComponentId": "PSMP-SSH", - # "DstHost": [...] - # - # The original string can contain escaped separators, \= and \; - - kv: - field: cyberarkpas.audit.ExtraDetails - field_split: '(? 
- String to_snake_case(String s) { - /* faster code path for strings that won't need an underscore */ - if (s.chars().skip(1).noneMatch(Character::isUpperCase)) { - return s.toLowerCase(); - } - int run = 0; - boolean first = true; - StringBuilder result = new StringBuilder(); - for (char c : s.toCharArray()) { - char o = Character.toLowerCase(c); - if (c != o) { - if (run == 0 && !first) { - result.append('_'); - } - run ++; - } else { - if (run > 1) { - char prev = result.charAt(result.length()-1); - result.setCharAt(result.length()-1, (char)'_'); - result.append(prev); - } - run = 0; - first = false; - } - result.append(o); - } - return result.toString(); - } - def keys_to_snake_case_recursive(Map object) { - return object.entrySet().stream().collect( - Collectors.toMap( - e -> to_snake_case(e.getKey()), - e -> e.getValue() instanceof Map? keys_to_snake_case_recursive(e.getValue()) : e.getValue() - ) - ); - } - ctx.cyberarkpas.audit = keys_to_snake_case_recursive(ctx.cyberarkpas.audit); - - # - # Convert rfc5424 field to boolean. - # - - script: - description: 'Converts the rfc5424 audit field to a boolean' - lang: painless - source: > - def value = ctx.cyberarkpas.audit.rfc5424; - ctx.cyberarkpas.audit["rfc5424"] = value == 'yes'; - - ######################################################## - # ECS enrichment - # - # All processors from this point use the snake_case form - # to access CyberArk fields. 
- ######################################################## - - - set: - field: event.kind - value: event - - - lowercase: - field: cyberarkpas.audit.action - target_field: event.action - ignore_missing: true - - # Severity to number - # - # Possible values: - # Info -> 0 - # Error -> 7 - # Critical -> 10 - - set: - field: event.severity - value: 2 - if: 'ctx.cyberarkpas.audit.severity == "Info"' - - set: - field: event.severity - value: 7 - if: 'ctx.cyberarkpas.audit.severity == "Error"' - - set: - field: event.severity - value: 10 - if: 'ctx.cyberarkpas.audit.severity == "Critical"' - - set: - field: event.type - value: error - if: 'ctx.event?.severity > 6' - - - rename: - field: cyberarkpas.audit.message_id - target_field: event.code - ignore_missing: true - - - set: - field: source.address - value: '{{{cyberarkpas.audit.station}}}' - ignore_empty_value: true - - - set: - field: destination.address - value: '{{{cyberarkpas.audit.gateway_station}}}' - ignore_empty_value: true - - - set: - field: file.path - value: '{{{cyberarkpas.audit.file}}}' - if: 'ctx.cyberarkpas.audit?.file != null' - - # - # Observer fields - # - - rename: - field: cyberarkpas.audit.vendor - target_field: observer.vendor - ignore_missing: true - - rename: - field: cyberarkpas.audit.product - target_field: observer.product - ignore_missing: true - - rename: - field: cyberarkpas.audit.version - target_field: observer.version - ignore_missing: true - - rename: - field: cyberarkpas.audit.hostname - target_field: observer.hostname - ignore_missing: true - # Use hostname from syslog if audit record's Hostname field is missing. 
- - rename: - field: _tmp.hostname - target_field: observer.hostname - ignore_missing: true - if: 'ctx.observer?.hostname == null' - # - # Enrichment based on message_id - # - # This script is overly complicated (read_field) because at this time - # there is no processor that allows to set one field from a source - # field using indirection (it is possible with rename, but that - # removes the original field). - # - # Once something like this is possible: - # set: - # target_field: '{{{_ingest.value.to}}}' - # copy_from: '{{{_ingest.value.from}}}' - # - # ... this script can be updated to just create two output lists, one - # for value-to pairs, another for value-from pairs. - # - - script: - lang: painless - description: 'ECS enrichment based on message_id' - params: - # 4 - User Authentication - # - # Always a failure. - "4": - - set: user.name - from: cyberarkpas.audit.issuer - - set: event.category - value: ["authentication"] - - set: event.type - value: ["error"] - - set: event.action - value: "authentication_failure" - - set: event.outcome - value: "failure" - - # 7 - Logon - # - # User logged on to the PVWA. - "7": - - set: user.name - from: cyberarkpas.audit.issuer - - set: event.category - value: [ "authentication", "session"] - - set: event.type - value: [ "start"] - - set: event.action - value: "authentication_success" - - set: event.outcome - value: "success" - - # 8 - Logoff - # - # User logged of from the PVWA. - "8": # Logoff - - set: user.name - from: cyberarkpas.audit.issuer - - set: event.category - value: [ "authentication", "session"] - - set: event.type - value: ["end"] - - set: event.outcome - value: "success" - - # 19 - Full gateway connection. 
- "19": - - set: source.user.name - from: cyberarkpas.audit.source_user - - set: user.name - from: cyberarkpas.audit.source_user - - set: destination.user.name - from: cyberarkpas.audit.issuer - - set: event.category - value: ["network"] - - set: event.type - value: ["start"] - - set: event.outcome - value: "success" - - # 22 - CPM Verify Password - # - # Password on a target host is verified. - "22": - # Address of device that hosts the account. - - set: destination.address - from: cyberarkpas.audit.ca_properties.address - - set: event.outcome - from: cyberarkpas.audit.ca_properties.cpm_status - - set: destination.user.name - from: cyberarkpas.audit.ca_properties.user_name - - set: source.user.name - from: cyberarkpas.audit.issuer - - set: user.name - from: cyberarkpas.audit.issuer - - set: event.category - value: ["iam"] - - set: event.type - value: ["admin", "info"] - - # 23 - Action on closed safe - # - # Nothing remarkable. - # - # "23": - - # 24 - CPM Change Password - "24": - - set: destination.address # This could be host.* or user.target.* (doesn't exists). - from: cyberarkpas.audit.ca_properties.address - - set: event.outcome - from: cyberarkpas.audit.ca_properties.cpm_status - - set: user.target.name - from: cyberarkpas.audit.ca_properties.user_name - - set: user.name - from: cyberarkpas.audit.issuer - - set: event.category - value: ["iam"] - - set: event.type - value: ["user", "change"] - - # 31 - CPM Reconcile Password - # - "31": - - set: destination.address # This could be host.* or user.target.* (doesn't exists). - from: cyberarkpas.audit.ca_properties.address - - set: event.outcome - from: cyberarkpas.audit.ca_properties.cpm_status - - set: user.target.name - from: cyberarkpas.audit.ca_properties.user_name - - set: user.name - from: cyberarkpas.audit.issuer - - set: event.category - value: ["iam"] - - set: event.type - value: ["user", "change"] - - # 32 - Add Owner - # - # Change owner of a Safe. 
- # source_user performs the action, docs suggest otherwise. - "32": - - set: user.name - from: cyberarkpas.audit.issuer - - set: user.target.name - from: cyberarkpas.audit.source_user - - set: event.category - value: ["iam"] # How to best model Vault/Safes? An IAM system? A Database? - - set: event.type - value: ["admin", "change"] - - set: event.outcome - value: "success" - - # 33 - Update Owner - # - # Same as above - "33": - - set: user.name - from: cyberarkpas.audit.issuer - - set: user.target.name - from: cyberarkpas.audit.source_user - - set: event.category - value: ["iam"] # How to best model Vault/Safes? An IAM system? A Database? - - set: event.type - value: ["admin", "change"] - - set: event.outcome - value: "success" - - # 38 - CPM Verify Password Failed - # - # Like 22 but failed. - "38": - # Address of device that hosts the account. - - set: destination.address - from: cyberarkpas.audit.ca_properties.address - - set: event.outcome - value: "failure" - - set: event.reason - from: cyberarkpas.audit.ca_properties.cpm_error_details - - set: destination.user.name - from: cyberarkpas.audit.ca_properties.user_name - - set: source.user.name - from: cyberarkpas.audit.issuer - - set: user.name - from: cyberarkpas.audit.issuer - - set: event.category - value: ["iam"] - - set: event.type - value: ["error"] - - # 50 - Store File - # - # I don't think it makes much sense to enrich Vault file events as "file" category. - # This will involve probably constructing a file.path prefixed by the safe name. - # Then these file events may be treated as file events in SIEM, which can have - # unwanted consequences. - # "50": - - # 57 - CPM Change Password Failed - "57": - - set: destination.address # This could be host.* or user.target.* (doesn't exists). 
- from: cyberarkpas.audit.ca_properties.address - - set: event.outcome - value: "failure" - - set: user.target.name - from: cyberarkpas.audit.ca_properties.user_name - - set: user.name - from: cyberarkpas.audit.issuer - - set: event.category - value: ["iam"] - - set: event.type - value: ["user", "change", "error"] - - set: event.reason - from: cyberarkpas.audit.ca_properties.cpm_error_details - - # 60 - CPM Reconcile Password Failed - "60": - - set: destination.address # This could be host.* or user.target.* (doesn't exists). - from: cyberarkpas.audit.ca_properties.address - - set: event.outcome - value: "failure" - - set: user.target.name - from: cyberarkpas.audit.ca_properties.user_name - - set: user.name - from: cyberarkpas.audit.issuer - - set: event.category - value: ["iam"] - - set: event.type - value: ["user", "change", "error"] - - set: event.reason - from: cyberarkpas.audit.ca_properties.cpm_error_details - - # 130 - CPM Disable Password - "130": - - set: event.outcome - value: "failure" - - set: user.target.name - from: cyberarkpas.audit.ca_properties.user_name - - set: user.name - from: cyberarkpas.audit.issuer - - set: event.category - value: ["iam"] - - set: event.type - value: ["user", "change"] - - set: event.reason - from: cyberarkpas.audit.ca_properties.cpm_error_details - - set: event.outcome - from: cyberarkpas.audit.ca_properties.cpm_status - - # 174 - Change User (untested) - "174": - - set: user.target.name - from: cyberarkpas.audit.source_user - - set: event.type - value: ["user", "change"] - - set: event.category - value: ["iam"] - - set: event.outcome - value: "success" - - # 175 - Change Your User (untested) - "175": - - set: user.target.name - from: cyberarkpas.audit.source_user - - set: event.type - value: ["user", "change"] - - set: event.category - value: ["iam"] - - set: event.outcome - value: "success" - - # 176 - Delete User (untested) - "176": - - set: user.target.name - from: cyberarkpas.audit.source_user - - set: event.type - 
value: ["user", "deletion"] - - set: event.category - value: ["iam"] - - set: event.outcome - value: "success" - - # 177 - Delete Your User (untested) - "177": - - set: user.target.name - from: cyberarkpas.audit.source_user - - set: event.type - value: ["user", "deletion"] - - set: event.category - value: ["iam"] - - set: event.outcome - value: "success" - - # 173 - Add User (alternative to 180, untested) - "173": - - set: user.target.name - from: cyberarkpas.audit.source_user - - set: event.type - value: ["user", "creation"] - - set: event.category - value: ["iam"] - - set: event.outcome - value: "success" - - # 180 - Add User - "180": - - set: user.target.name - from: cyberarkpas.audit.source_user - - set: event.type - value: ["user", "creation"] - - set: event.category - value: ["iam"] - - set: event.outcome - value: "success" - - # 295 - Retrieve Password succeeded - "295": - - set: destination.address - from: cyberarkpas.audit.ca_properties.address - - set: destination.user.name - from: cyberarkpas.audit.ca_properties.user_name - - set: source.user.name - from: cyberarkpas.audit.issuer - - set: user.name - from: cyberarkpas.audit.issuer - - set: event.category - value: ["iam"] - - set: event.type - value: ["admin", "access"] - - set: event.outcome - value: "success" - - set: event.reason - from: cyberarkpas.audit.reason - - # 300 - PSM Connect - "300": - - set: destination.address - from: cyberarkpas.audit.extra_details.dst_host - - set: destination.user.name - from: cyberarkpas.audit.extra_details.user - - set: source.address - from: cyberarkpas.audit.extra_details.src_host - - set: source.user.name - from: cyberarkpas.audit.issuer - - set: user.name - from: cyberarkpas.audit.issuer - - set: network.application - from: cyberarkpas.audit.extra_details.protocol - - set: event.category - value: ["session"] - - set: event.type - value: ["start"] - - set: event.outcome - value: "success" - - # 302 - PSM Disconnect - "302": - - set: destination.address - from: 
cyberarkpas.audit.extra_details.dst_host - - set: destination.user.name - from: cyberarkpas.audit.extra_details.user - - set: source.address - from: cyberarkpas.audit.extra_details.src_host - - set: source.user.name - from: cyberarkpas.audit.issuer - - set: user.name - from: cyberarkpas.audit.issuer - - set: network.application - from: cyberarkpas.audit.extra_details.protocol - - set: _tmp.duration_hms - from: cyberarkpas.audit.extra_details.session_duration - - set: event.category - value: ["session"] - - set: event.type - value: ["end"] - - set: event.outcome - value: "success" - - # 308 - Use Password - "308": - - set: destination.address - from: cyberarkpas.audit.ca_properties.address - - set: destination.user.name - from: cyberarkpas.audit.ca_properties.user_name - - set: source.user.name - from: cyberarkpas.audit.issuer - - set: user.name - from: cyberarkpas.audit.issuer - - set: event.category - value: ["iam"] - - set: event.type - value: ["admin", "access"] - - set: event.outcome - from: cyberarkpas.audit.ca_properties.cpm_status - - set: event.reason - from: cyberarkpas.audit.reason - - # 309 - Undefined user logon - # - "309": - - set: user.name - from: cyberarkpas.audit.issuer - - set: event.category - value: ["authentication"] - - set: event.type - value: ["error"] - - set: event.action - value: "authentication_failure" - - set: event.outcome - value: "failure" - - # 361 - Keystroke logging - "361": - - set: destination.address - from: cyberarkpas.audit.extra_details.dst_host - - set: destination.user.name - from: cyberarkpas.audit.extra_details.user - - set: source.address - from: cyberarkpas.audit.extra_details.src_host - - set: source.user.name - from: cyberarkpas.audit.issuer - - set: user.name - from: cyberarkpas.audit.issuer - - set: network.application - from: cyberarkpas.audit.extra_details.protocol - - set: event.category - value: ["session"] - - set: event.type - value: ["info"] - - # 412 - Keystroke logging (same as 361?) 
- "412": - - set: destination.address - from: cyberarkpas.audit.extra_details.dst_host - - set: destination.user.name - from: cyberarkpas.audit.extra_details.user - - set: source.address - from: cyberarkpas.audit.extra_details.src_host - - set: source.user.name - from: cyberarkpas.audit.issuer - - set: user.name - from: cyberarkpas.audit.issuer - - set: network.application - from: cyberarkpas.audit.extra_details.protocol - - set: event.category - value: ["session"] - - set: event.type - value: ["info"] - - # 359 - SQL Command - "359": - - set: destination.address - from: cyberarkpas.audit.extra_details.dst_host - - set: destination.user.name - from: cyberarkpas.audit.extra_details.user - - set: source.address - from: cyberarkpas.audit.extra_details.src_host - - set: source.user.name - from: cyberarkpas.audit.issuer - - set: user.name - from: cyberarkpas.audit.issuer - - set: network.application - from: cyberarkpas.audit.extra_details.protocol - - set: event.category - value: ["database"] - - set: event.type - value: ["access"] - - set: event.outcome - from: cyberarkpas.audit.ca_properties.cpm_status - - # 411 - Window Title - "411": - - set: destination.address - from: cyberarkpas.audit.extra_details.dst_host - - set: destination.user.name - from: cyberarkpas.audit.extra_details.user - - set: source.address - from: cyberarkpas.audit.extra_details.src_host - - set: source.user.name - from: cyberarkpas.audit.issuer - - set: user.name - from: cyberarkpas.audit.issuer - - set: network.application - from: cyberarkpas.audit.extra_details.protocol - - set: process.pid - from: cyberarkpas.audit.extra_details.process_id - - set: process.name - from: cyberarkpas.audit.extra_details.process_name - - set: event.category - value: ["process"] - - set: event.type - value: ["access", "info"] - - # 414 - CPM Verify SSH Key - # - # SSH-key on a target host is verified. - "414": - # Address of device that hosts the account. 
- - set: destination.address - from: cyberarkpas.audit.ca_properties.address - - set: event.outcome - from: cyberarkpas.audit.ca_properties.cpm_status - - set: destination.user.name - from: cyberarkpas.audit.ca_properties.user_name - - set: source.user.name - from: cyberarkpas.audit.issuer - - set: user.name - from: cyberarkpas.audit.issuer - - set: event.category - value: ["iam"] - - set: event.type - value: ["admin", "info"] - - # 428 - Retrieve SSH Key - "428": - - set: destination.address - from: cyberarkpas.audit.ca_properties.address - - set: destination.user.name - from: cyberarkpas.audit.ca_properties.user_name - - set: source.user.name - from: cyberarkpas.audit.issuer - - set: user.name - from: cyberarkpas.audit.issuer - - set: event.category - value: ["iam"] - - set: event.type - value: ["admin", "access"] - - set: event.outcome - value: "success" - - set: event.reason - from: cyberarkpas.audit.reason - - source: > - def clone(def val) { - return val instanceof List? new ArrayList(val) : val; - } - def read_field(def map, String name) { - if (map == null || !(map instanceof Map)) return null; - int pos = name.indexOf("."); - return pos == -1? map[name] - : read_field(map[name.substring(0, pos)], name.substring(pos+1)); - } - String msgID = ctx.event?.code; - def actions = params.get(msgID); - if (actions == null) return; - List values = new ArrayList(); - for (def item : actions) { - def val = item.value; - if (val == null && (val = read_field(ctx, item.from)) == null || val == "") continue; - values.add([ - "to": item.set, - "value": clone(val) - ]); - } - if (!values.isEmpty()) ctx._tmp["values"] = values; - - - foreach: - field: _tmp.values - ignore_missing: true - processor: - set: - field: '{{{_ingest._value.to}}}' - copy_from: '_ingest._value.value' - ignore_empty_value: true - override: true - - # - # Force event.outcome: unknown in case it gets a value other than one of the allowed. 
- # - - set: - field: event.outcome - value: 'unknown' - if: 'ctx.event?.outcome != null && !["success", "failure"].contains(ctx.event.outcome)' - - - # - # Set event.duration from the session duration ("hh:mm:ss") present in some messages. - # - - script: - lang: painless - description: 'Set event.duration from the session duration ("hh:mm:ss")' - if: "ctx._tmp?.duration_hms != null" - source: > - long parse_hms(String s) { - long cur = 0, total = 0; - for (char c: s.toCharArray()) { - if (c >= (char)'0' && c <= (char)'9') { - cur = (cur*10) + (long)c - (char)'0'; - } else if (c == (char)':') { - total = (total + cur) * 60; - cur = 0; - } else { - return 0; - } - } - return total + cur; - } - long nanos = parse_hms(ctx._tmp.duration_hms) * 1000000000L; - ctx.event['duration'] = nanos; - - # - # Populate ip/domain fields from address. - # - - convert: - field: source.address - target_field: source.ip - type: ip - ignore_missing: true - on_failure: - - set: - field: source.domain - copy_from: source.address - - convert: - field: destination.address - target_field: destination.ip - type: ip - ignore_missing: true - on_failure: - - set: - field: destination.domain - copy_from: destination.address - - # - # Populate related.ip - # - - append: - field: related.ip - value: '{{{source.ip}}}' - if: 'ctx.source?.ip != null' - allow_duplicates: false - - append: - field: related.ip - value: '{{{destination.ip}}}' - if: 'ctx.destination?.ip != null' - allow_duplicates: false - - append: - field: related.ip - value: '{{{cyberarkpas.audit.station}}}' - if: 'ctx.cyberarkpas.audit.station != null' - allow_duplicates: false - - append: - field: related.ip - value: '{{{cyberarkpas.audit.gateway_station}}}' - if: 'ctx.cyberarkpas.audit.gateway_station != null' - allow_duplicates: false - - # - # Populate related.user - # - - append: - field: related.user - value: '{{{user.name}}}' - if: 'ctx.user?.name != null' - allow_duplicates: false - - append: - field: related.user - value: 
'{{{source.user.name}}}' - if: 'ctx.source?.user?.name != null' - allow_duplicates: false - - append: - field: related.user - value: '{{{destination.user.name}}}' - if: 'ctx.destination?.user?.name != null' - allow_duplicates: false - - append: - field: related.user - value: '{{{user.target.name}}}' - if: 'ctx.user?.target?.name != null' - allow_duplicates: false - - # - # sometimes application is capitalized. - # - - lowercase: - field: network.application - ignore_missing: true - - - geoip: - field: source.ip - target_field: source.geo - ignore_missing: true - - - geoip: - field: destination.ip - target_field: destination.geo - ignore_missing: true - - # - # Set host.name - # This sets host.name from observer.hostname when the original event from Filebeat didn't - # have a host.name. This is the case of forwarded events (the tag "forwarded" is present). - # - - set: - field: host.name - value: '{{{observer.hostname}}}' - ignore_empty_value: true - if: 'ctx.host?.name == null' - - - network_direction: - ignore_missing: true - internal_networks: - - loopback - - private - - unspecified - - - convert: - field: process.pid - type: long - ignore_missing: true - - # - # Save only interesting fields under extra_fields and ca_properties - # to prevent mapping explosion. Keep the rest under .other (type flattened). - # - - script: - lang: painless - description: Map interesting fields from ca_properties and extra_details. 
- params: - ca_properties: - - address - - cpm_disabled - - cpm_error_details - - cpm_status - - creation_method - - customer - - database - - device_type - - dual_account_status - - group_name - - in_process - - index - - last_fail_date - - last_success_change - - last_success_reconciliation - - last_success_verification - - last_task - - logon_domain - - policy_id - - port - - privcloud - - reset_immediately - - retries_count - - sequence_id - - tags - - user_dn - - user_name - - virtual_username - extra_details: - - ad_process_id - - ad_process_name - - application_type - - command - - connection_component_id - - dst_host - - logon_account - - managed_account - - process_id - - process_name - - protocol - - psmid - - session_duration - - session_id - - src_host - - username - source: > - Map audit = ctx.cyberarkpas.audit; - params.entrySet().stream().filter(e -> audit.containsKey(e.getKey())).forEach(lst -> { - Map base = audit[lst.getKey()], - selected = new HashMap(); - lst.getValue().stream().filter(fld -> base.containsKey(fld)).forEach(fld -> { - selected[fld] = base.remove(fld); - }); - selected['other'] = base; - audit[lst.getKey()] = selected; - }); - # - # Cleanup - # - - remove: - field: _tmp - ignore_missing: true - - remove: - field: event.original - if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" - ignore_failure: true - ignore_missing: true -on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - remove: - field: _tmp - ignore_missing: true - - set: - field: event.kind - value: pipeline_error diff --git a/packages/cyberarkpas/2.6.2/data_stream/audit/fields/base-fields.yml b/packages/cyberarkpas/2.6.2/data_stream/audit/fields/base-fields.yml deleted file mode 100755 index 4764f9b77e..0000000000 --- a/packages/cyberarkpas/2.6.2/data_stream/audit/fields/base-fields.yml +++ /dev/null 
@@ -1,20 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: event.module
- type: constant_keyword
- description: Name of the module this data is coming from.
- value: cyberarkpas
-- name: event.dataset
- type: constant_keyword
- description: Event dataset
- value: cyberarkpas.audit
-- name: '@timestamp'
- type: date
- description: Event timestamp.
diff --git a/packages/cyberarkpas/2.6.2/data_stream/audit/fields/beats.yml b/packages/cyberarkpas/2.6.2/data_stream/audit/fields/beats.yml
deleted file mode 100755
index 9275638f93..0000000000
--- a/packages/cyberarkpas/2.6.2/data_stream/audit/fields/beats.yml
+++ /dev/null
@@ -1,15 +0,0 @@
-- name: input.type
- type: keyword
- description: Type of Filebeat input.
-- name: log.flags
- type: keyword
- description: Flags for the log file.
-- name: log.offset
- type: long
- description: Offset of the entry in the log file.
-- name: log.file.path
- type: keyword
- description: Path to the log file.
-- name: log.source.address
- type: keyword
- description: Source address from which the log event was read / sent from.
diff --git a/packages/cyberarkpas/2.6.2/data_stream/audit/fields/ecs.yml b/packages/cyberarkpas/2.6.2/data_stream/audit/fields/ecs.yml
deleted file mode 100755
index 0bb795c5d3..0000000000
--- a/packages/cyberarkpas/2.6.2/data_stream/audit/fields/ecs.yml
+++ /dev/null
@@ -1,265 +0,0 @@
-- description: |-
- Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field.
- Then it should be duplicated to `.ip` or `.domain`, depending on which one it is.
- name: destination.address
- type: keyword
-- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet.
- name: destination.as.number
- type: long
-- description: Organization name.
- multi_fields:
- - name: text
- type: match_only_text
- name: destination.as.organization.name
- type: keyword
-- description: |-
- The domain name of the destination system.
- This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment.
- name: destination.domain
- type: keyword
-- description: City name.
- name: destination.geo.city_name
- type: keyword
-- description: Name of the continent.
- name: destination.geo.continent_name
- type: keyword
-- description: Country ISO code.
- name: destination.geo.country_iso_code
- type: keyword
-- description: Country name.
- name: destination.geo.country_name
- type: keyword
-- description: Longitude and latitude.
- name: destination.geo.location
- type: geo_point
-- description: Region ISO code.
- name: destination.geo.region_iso_code
- type: keyword
-- description: Region name.
- name: destination.geo.region_name
- type: keyword
-- description: IP address of the destination (IPv4 or IPv6).
- name: destination.ip
- type: ip
-- description: Short name or login of the user.
- multi_fields:
- - name: text
- type: match_only_text
- name: destination.user.name
- type: keyword
-- description: |-
- ECS version this event conforms to. `ecs.version` is a required field and must exist in all events.
- When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: Error message. - name: error.message - type: match_only_text -- description: |- - The action captured by the event. - This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. - name: event.action - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. This will allow proper categorization of some events that fall in multiple categories. - name: event.category - normalize: - - array - type: keyword -- description: |- - Identification code for this event, if one exists. - Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. - name: event.code - type: keyword -- description: |- - Duration of the event in nanoseconds. - If event.start and event.end are known this value should be the difference between the end and start time. - name: event.duration - type: long -- description: |- - Timestamp when an event arrived in the central data store. - This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. 
- In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`.
- name: event.ingested
- type: date
-- description: |-
- This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy.
- `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events.
- The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not.
- name: event.kind
- type: keyword
-- description: |-
- Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex.
- This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`.
- doc_values: false
- index: false
- name: event.original
- type: keyword
-- description: |-
- This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy.
- `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event.
- Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective.
- Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer.
- Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense.
- name: event.outcome
- type: keyword
-- description: |-
- Reason why this event happened, according to the source.
- This describes the why of a particular action or outcome captured in the event. Where `event.action` captures the action from the event, `event.reason` describes why that action was taken. For example, a web proxy with an `event.action` which denied the request may also populate `event.reason` with the reason why (e.g. `blocked site`).
- name: event.reason
- type: keyword
-- description: |-
- The numeric severity of the event according to your event source.
- What the different severity values mean can be different between sources and use cases. It's up to the implementer to make sure severities are consistent across events from the same source.
- The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`.
- name: event.severity
- type: long
-- description: |-
- This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise.
- Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00").
- name: event.timezone
- type: keyword
-- description: |-
- This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy.
- `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization.
- This field is an array. This will allow proper categorization of some events that fall in multiple event types.
- name: event.type
- normalize:
- - array
- type: keyword
-- description: Full path to the file, including the file name. It should include the drive letter, when appropriate.
- multi_fields:
- - name: text
- type: match_only_text
- name: file.path
- type: keyword
-- description: |-
- Name of the host.
- It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.
- name: host.name
- type: keyword
-- description: |-
- Syslog numeric priority of the event, if available.
- According to RFCs 5424 and 3164, the priority is 8 * facility + severity. This number is therefore expected to contain a value between 0 and 191.
- name: log.syslog.priority
- type: long
-- description: |-
- When a specific application or service is identified from network connection details (source/dest IPs, ports, certificates, or wire format), this field captures the application's or service's name.
- For example, the original event identifies the network connection being from a specific web service in a `https` network connection, like `facebook` or `twitter`.
- The field value must be normalized to lowercase for querying.
- name: network.application
- type: keyword
-- description: |-
- Direction of the network traffic.
- When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress".
- When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external".
- Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers.
- name: network.direction
- type: keyword
-- description: Hostname of the observer.
- name: observer.hostname
- type: keyword
-- description: The product name of the observer.
- name: observer.product
- type: keyword
-- description: |-
- The type of the observer the data is coming from.
- There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`.
- name: observer.type
- type: keyword
-- description: Vendor name of the observer.
- name: observer.vendor
- type: keyword
-- description: Observer version.
- name: observer.version
- type: keyword
-- description: |-
- Process name.
- Sometimes called program name or similar.
- multi_fields:
- - name: text
- type: match_only_text
- name: process.name
- type: keyword
-- description: Process id.
- name: process.pid
- type: long
-- description: All of the IPs seen on your event.
- name: related.ip
- normalize:
- - array
- type: ip
-- description: All the user names or other user identifiers seen on the event.
- name: related.user
- normalize:
- - array
- type: keyword
-- description: |-
- The type of the service data is collected from.
- The type can be used to group and correlate logs and metrics from one service type.
- Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`.
- name: service.type
- type: keyword
-- description: |-
- Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field.
- Then it should be duplicated to `.ip` or `.domain`, depending on which one it is.
- name: source.address
- type: keyword
-- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet.
- name: source.as.number
- type: long
-- description: Organization name.
- multi_fields:
- - name: text
- type: match_only_text
- name: source.as.organization.name
- type: keyword
-- description: City name.
- name: source.geo.city_name
- type: keyword
-- description: Name of the continent.
- name: source.geo.continent_name
- type: keyword
-- description: Country ISO code.
- name: source.geo.country_iso_code
- type: keyword
-- description: Country name.
- name: source.geo.country_name
- type: keyword
-- description: Longitude and latitude.
- name: source.geo.location
- type: geo_point
-- description: Region ISO code.
- name: source.geo.region_iso_code
- type: keyword
-- description: Region name.
- name: source.geo.region_name
- type: keyword
-- description: IP address of the source (IPv4 or IPv6).
- name: source.ip
- type: ip
-- description: Short name or login of the user.
- multi_fields:
- - name: text
- type: match_only_text
- name: source.user.name
- type: keyword
-- description: List of keywords used to tag each event.
- name: tags
- normalize:
- - array
- type: keyword
-- description: Short name or login of the user.
- multi_fields:
- - name: text
- type: match_only_text
- name: user.name
- type: keyword
-- description: Short name or login of the user.
- multi_fields:
- - name: text
- type: match_only_text
- name: user.target.name
- type: keyword
diff --git a/packages/cyberarkpas/2.6.2/data_stream/audit/fields/fields.yml b/packages/cyberarkpas/2.6.2/data_stream/audit/fields/fields.yml
deleted file mode 100755
index df1d01fe1c..0000000000
--- a/packages/cyberarkpas/2.6.2/data_stream/audit/fields/fields.yml
+++ /dev/null
@@ -1,178 +0,0 @@
-- name: cyberarkpas.audit
- type: group
- fields:
- - name: action
- type: keyword
- description: A description of the audit record.
- - name: ca_properties
- type: group
- description: Account metadata.
- fields:
- - name: address
- type: keyword
- - name: cpm_disabled
- type: keyword
- - name: cpm_error_details
- type: keyword
- - name: cpm_status
- type: keyword
- - name: creation_method
- type: keyword
- - name: customer
- type: keyword
- - name: database
- type: keyword
- - name: device_type
- type: keyword
- - name: dual_account_status
- type: keyword
- - name: group_name
- type: keyword
- - name: in_process
- type: keyword
- - name: index
- type: keyword
- - name: last_fail_date
- type: keyword
- - name: last_success_change
- type: keyword
- - name: last_success_reconciliation
- type: keyword
- - name: last_success_verification
- type: keyword
- - name: last_task
- type: keyword
- - name: logon_domain
- type: keyword
- - name: policy_id
- type: keyword
- - name: port
- type: keyword
- - name: privcloud
- type: keyword
- - name: reset_immediately
- type: keyword
- - name: retries_count
- type: keyword
- - name: sequence_id
- type: keyword
- - name: tags
- type: keyword
- - name: user_dn
- type: keyword
- - name: user_name
- type: keyword
- - name: virtual_username
- type: keyword
- - name: other
- type: flattened
- - name: category
- type: keyword
- description: The category name (for category-related operations).
- - name: desc
- type: keyword
- description: A static value that displays a description of the audit codes.
- - name: extra_details
- type: group
- description: Specific extra details of the audit records.
- fields:
- - name: ad_process_id
- type: keyword
- - name: ad_process_name
- type: keyword
- - name: application_type
- type: keyword
- - name: command
- type: keyword
- - name: connection_component_id
- type: keyword
- - name: dst_host
- type: keyword
- - name: logon_account
- type: keyword
- - name: managed_account
- type: keyword
- - name: process_id
- type: keyword
- - name: process_name
- type: keyword
- - name: protocol
- type: keyword
- - name: psmid
- type: keyword
- - name: session_duration
- type: keyword
- - name: session_id
- type: keyword
- - name: src_host
- type: keyword
- - name: username
- type: keyword
- - name: other
- type: flattened
- - name: file
- type: keyword
- description: The name of the target file.
- - name: gateway_station
- type: ip
- description: The IP of the web application machine (PVWA).
- - name: hostname
- type: keyword
- description: The hostname, in upper case.
- - name: iso_timestamp
- type: date
- description: The timestamp, in ISO Timestamp format (RFC 3339).
- - name: issuer
- type: keyword
- description: The Vault user who wrote the audit. This is usually the user who performed the operation.
- - name: location
- type: keyword
- description: The target Location (for Location operations).
- ignore_above: 4096
- - name: message
- type: keyword
- description: A description of the audit records (same information as in the Desc field).
- - name: message_id
- type: keyword
- description: The code ID of the audit records.
- - name: product
- type: keyword
- description: A static value that represents the product.
- - name: pvwa_details
- type: flattened
- description: Specific details of the PVWA audit records.
- - name: raw
- type: keyword
- description: |
- Raw XML for the original audit record. Only present when XSLT file has debugging enabled.
- ignore_above: 4096
- - name: reason
- type: text
- description: The reason entered by the user.
- - name: rfc5424
- type: boolean
- description: Whether the syslog format complies with RFC5424.
- - name: safe
- type: keyword
- description: The name of the target Safe.
- - name: severity
- type: keyword
- description: The severity of the audit records.
- - name: source_user
- type: keyword
- description: The name of the Vault user who performed the operation.
- - name: station
- type: ip
- description: The IP from where the operation was performed. For PVWA sessions, this will be the real client machine IP.
- - name: target_user
- type: keyword
- description: The name of the Vault user on which the operation was performed.
- - name: timestamp
- type: keyword
- description: The timestamp, in MMM DD HH:MM:SS format.
- - name: vendor
- type: keyword
- description: A static value that represents the vendor.
- - name: version
- type: keyword
- description: A static value that represents the version of the Vault.
diff --git a/packages/cyberarkpas/2.6.2/data_stream/audit/manifest.yml b/packages/cyberarkpas/2.6.2/data_stream/audit/manifest.yml
deleted file mode 100755
index 7d7ee68cea..0000000000
--- a/packages/cyberarkpas/2.6.2/data_stream/audit/manifest.yml
+++ /dev/null
@@ -1,139 +0,0 @@
-type: logs
-title: CyberArk PAS audit logs
-streams:
- - input: logfile
- enabled: false
- template_path: log.yml.hbs
- title: CyberArk PAS audit logs
- description: Collect CyberArk PAS audit logs from files.
- vars:
- - name: paths
- type: text
- title: Paths
- multi: true
- required: false
- show_user: true
- - name: tags
- type: text
- title: Tags
- multi: true
- required: true
- show_user: false
- default:
- - forwarded
- - cyberarkpas-audit
- - name: preserve_original_event
- required: true
- show_user: true
- title: Preserve original event
- description: Preserves a raw copy of the original event, added to the field `event.original`
- type: bool
- multi: false
- default: false
- - name: processors
- type: yaml
- title: Processors
- multi: false
- required: false
- show_user: false
- description: >
- Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
-
- - input: tcp
- enabled: true
- template_path: tcp.yml.hbs
- title: CyberArk PAS audit logs (TCP)
- description: Collect CyberArk PAS audit logs using TCP input
- vars:
- - name: syslog_host
- type: text
- title: Syslog Host
- multi: false
- required: true
- show_user: true
- default: localhost
- - name: syslog_port
- type: integer
- title: Syslog Port
- multi: false
- required: true
- show_user: true
- default: 9301
- - name: tags
- type: text
- title: Tags
- multi: true
- required: true
- show_user: false
- default:
- - cyberarkpas-audit
- - forwarded
- - name: ssl
- type: yaml
- title: TLS configuration
- multi: false
- required: false
- show_user: true
- description: Options for enabling TLS mode. See the [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/configuration-ssl.html) for a list of all options.
- - name: preserve_original_event
- required: true
- show_user: true
- title: Preserve original event
- description: Preserves a raw copy of the original event, added to the field `event.original`
- type: bool
- multi: false
- default: false
- - name: processors
- type: yaml
- title: Processors
- multi: false
- required: false
- show_user: false
- description: >
- Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
-
- - input: udp
- enabled: true
- template_path: udp.yml.hbs
- title: CyberArk PAS audit logs (UDP)
- description: Collect CyberArk PAS audit logs using UDP input
- vars:
- - name: syslog_host
- type: text
- title: Syslog Host
- multi: false
- required: true
- show_user: true
- default: localhost
- - name: syslog_port
- type: integer
- title: Syslog Port
- multi: false
- required: true
- show_user: true
- default: 9301
- - name: tags
- type: text
- title: Tags
- multi: true
- required: true
- show_user: false
- default:
- - cyberarkpas-audit
- - forwarded
- - name: preserve_original_event
- required: true
- show_user: true
- title: Preserve original event
- description: Preserves a raw copy of the original event, added to the field `event.original`
- type: bool
- multi: false
- default: false
- - name: processors
- type: yaml
- title: Processors
- multi: false
- required: false
- show_user: false
- description: >-
- Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
diff --git a/packages/cyberarkpas/2.6.2/data_stream/audit/sample_event.json b/packages/cyberarkpas/2.6.2/data_stream/audit/sample_event.json
deleted file mode 100755
index 2d0ff03f01..0000000000
--- a/packages/cyberarkpas/2.6.2/data_stream/audit/sample_event.json
+++ /dev/null
@@ -1,109 +0,0 @@
-{
- "@timestamp": "2021-03-08T18:07:51.000Z",
- "agent": {
- "ephemeral_id": "0c6c824f-931a-418f-9535-22af6210c402",
- "id": "584f3aea-648c-4e58-aba4-32b8f88d4396",
- "name": "docker-fleet-agent",
- "type": "filebeat",
- "version": "8.0.0-beta1"
- },
- "cyberarkpas": {
- "audit": {
- "action": "Full Gateway Connection",
- "desc": "Full Gateway Connection",
- "gateway_station": "10.0.1.20",
- "iso_timestamp": "2021-03-08T18:07:51Z",
- "issuer": "Administrator",
- "message": "Full Gateway Connection",
- "rfc5424": true,
- "severity": "Info",
- "source_user": "PVWAGWUser",
- "station": "127.0.0.1",
- "timestamp": "Mar 08 10:07:51"
- }
- },
- "data_stream": {
- "dataset": "cyberarkpas.audit",
- "namespace": "ep",
- "type": "logs"
- },
- "destination": {
- "address": "10.0.1.20",
- "ip": "10.0.1.20",
- "user": {
- "name": "Administrator"
- }
- },
- "ecs": {
- "version": "8.3.0"
- },
- "elastic_agent": {
- "id": "584f3aea-648c-4e58-aba4-32b8f88d4396",
- "snapshot": false,
- "version": "8.0.0-beta1"
- },
- "event": {
- "action": "full gateway connection",
- "agent_id_status": "verified",
- "category": [
- "network"
- ],
- "code": "19",
- "dataset": "cyberarkpas.audit",
- "ingested": "2022-02-03T12:51:00Z",
- "kind": "event",
- "outcome": "success",
- "severity": 2,
- "timezone": "+00:00",
- "type": [
- "start"
- ]
- },
- "host": {
- "name": "VAULT"
- },
- "input": {
- "type": "udp"
- },
- "log": {
- "source": {
- "address": "172.19.0.7:35950"
- },
- "syslog": {
- "priority": 5
- }
- },
- "network": {
- "direction": "internal"
- },
- "observer": {
- "hostname": "VAULT",
- "product": "Vault",
- "vendor": "Cyber-Ark",
- "version": "11.7.0000"
- },
- "related": {
- "ip": [
- "127.0.0.1",
- "10.0.1.20"
- ],
- "user": [
- "PVWAGWUser",
- "Administrator"
- ]
- },
- "source": {
- "address": "127.0.0.1",
- "ip": "127.0.0.1",
- "user": {
- "name": "PVWAGWUser"
- }
- },
- "tags": [
- "cyberarkpas-audit",
- "forwarded"
- ],
- "user": {
- "name": "PVWAGWUser"
- }
-}
\ No newline at end of file
diff --git a/packages/cyberarkpas/2.6.2/docs/README.md b/packages/cyberarkpas/2.6.2/docs/README.md
deleted file mode 100755
index da946f83a3..0000000000
--- a/packages/cyberarkpas/2.6.2/docs/README.md
+++ /dev/null
@@ -1,297 +0,0 @@
-# CyberArk Privileged Access Security
-
-The CyberArk Privileged Access Security integration collects audit logs from [CyberArk's Vault](https://docs.cyberark.com/Product-Doc/OnlineHelp/Portal/Content/Resources/_TopNav/cc_Portal.htm) server.
-## Audit
-
-The `audit` dataset receives Vault Audit logs for User and Safe activities over the syslog protocol.
-
-### Vault Configuration
-
-Follow the steps under [Security Information and Event Management (SIEM) Applications](https://docs.cyberark.com/Product-Doc/OnlineHelp/PAS/Latest/en/Content/PASIMP/DV-Integrating-with-SIEM-Applications.htm) documentation to setup the integration:
-
-- Copy the [elastic-json-v1.0.xsl](https://raw.githubusercontent.com/elastic/beats/master/x-pack/filebeat/module/cyberarkpas/_meta/assets/elastic-json-v1.0.xsl) XSL Translator file to
-the `Server\Syslog` folder.
-
-- Sample syslog configuration for `DBPARM.ini`:
-
-```ini
-[SYSLOG]
-UseLegacySyslogFormat=No
-SyslogTranslatorFile=Syslog\elastic-json-v1.0.xsl
-SyslogServerIP=
-SyslogServerPort=
-SyslogServerProtocol=TCP
-```
-
-For proper timestamping of events, it's recommended to use the newer RFC5424 Syslog format
-(`UseLegacySyslogFormat=No`). To avoid event loss, use `TCP` or `TLS` protocols instead of `UDP`.
-
-### Example event
-
-An example event for `audit` looks as following:
-
-```json
-{
- "@timestamp": "2021-03-08T18:07:51.000Z",
- "agent": {
- "ephemeral_id": "0c6c824f-931a-418f-9535-22af6210c402",
- "id": "584f3aea-648c-4e58-aba4-32b8f88d4396",
- "name": "docker-fleet-agent",
- "type": "filebeat",
- "version": "8.0.0-beta1"
- },
- "cyberarkpas": {
- "audit": {
- "action": "Full Gateway Connection",
- "desc": "Full Gateway Connection",
- "gateway_station": "10.0.1.20",
- "iso_timestamp": "2021-03-08T18:07:51Z",
- "issuer": "Administrator",
- "message": "Full Gateway Connection",
- "rfc5424": true,
- "severity": "Info",
- "source_user": "PVWAGWUser",
- "station": "127.0.0.1",
- "timestamp": "Mar 08 10:07:51"
- }
- },
- "data_stream": {
- "dataset": "cyberarkpas.audit",
- "namespace": "ep",
- "type": "logs"
- },
- "destination": {
- "address": "10.0.1.20",
- "ip": "10.0.1.20",
- "user": {
- "name": "Administrator"
- }
- },
- "ecs": {
- "version": "8.3.0"
- },
- "elastic_agent": {
- "id": "584f3aea-648c-4e58-aba4-32b8f88d4396",
- "snapshot": false,
- "version": "8.0.0-beta1"
- },
- "event": {
- "action": "full gateway connection",
- "agent_id_status": "verified",
- "category": [
- "network"
- ],
- "code": "19",
- "dataset": "cyberarkpas.audit",
- "ingested": "2022-02-03T12:51:00Z",
- "kind": "event",
- "outcome": "success",
- "severity": 2,
- "timezone": "+00:00",
- "type": [
- "start"
- ]
- },
- "host": {
- "name": "VAULT"
- },
- "input": {
- "type": "udp"
- },
- "log": {
- "source": {
- "address": "172.19.0.7:35950"
- },
- "syslog": {
- "priority": 5
- }
- },
- "network": {
- "direction": "internal"
- },
- "observer": {
- "hostname": "VAULT",
- "product": "Vault",
- "vendor": "Cyber-Ark",
- "version": "11.7.0000"
- },
- "related": {
- "ip": [
- "127.0.0.1",
- "10.0.1.20"
- ],
- "user": [
- "PVWAGWUser",
- "Administrator"
- ]
- },
- "source": {
- "address": "127.0.0.1",
- "ip": "127.0.0.1",
- "user": {
- "name": "PVWAGWUser"
- }
- },
- "tags": [
- "cyberarkpas-audit",
- "forwarded"
- ],
- "user": {
- "name": "PVWAGWUser"
- }
-}
-```
-
-**Exported fields**
-
-**Exported fields**
-
-| Field | Description | Type |
-|---|---|---|
-| @timestamp | Event timestamp. | date |
-| cyberarkpas.audit.action | A description of the audit record. | keyword |
-| cyberarkpas.audit.ca_properties.address | | keyword |
-| cyberarkpas.audit.ca_properties.cpm_disabled | | keyword |
-| cyberarkpas.audit.ca_properties.cpm_error_details | | keyword |
-| cyberarkpas.audit.ca_properties.cpm_status | | keyword |
-| cyberarkpas.audit.ca_properties.creation_method | | keyword |
-| cyberarkpas.audit.ca_properties.customer | | keyword |
-| cyberarkpas.audit.ca_properties.database | | keyword |
-| cyberarkpas.audit.ca_properties.device_type | | keyword |
-| cyberarkpas.audit.ca_properties.dual_account_status | | keyword |
-| cyberarkpas.audit.ca_properties.group_name | | keyword |
-| cyberarkpas.audit.ca_properties.in_process | | keyword |
-| cyberarkpas.audit.ca_properties.index | | keyword |
-| cyberarkpas.audit.ca_properties.last_fail_date | | keyword |
-| cyberarkpas.audit.ca_properties.last_success_change | | keyword |
-| cyberarkpas.audit.ca_properties.last_success_reconciliation | | keyword |
-| cyberarkpas.audit.ca_properties.last_success_verification | | keyword |
-| cyberarkpas.audit.ca_properties.last_task | | keyword |
-| cyberarkpas.audit.ca_properties.logon_domain | | keyword |
-| cyberarkpas.audit.ca_properties.other | | flattened |
-| cyberarkpas.audit.ca_properties.policy_id | | keyword |
-| cyberarkpas.audit.ca_properties.port | | keyword |
-| cyberarkpas.audit.ca_properties.privcloud | | keyword |
-| cyberarkpas.audit.ca_properties.reset_immediately | | keyword |
-| cyberarkpas.audit.ca_properties.retries_count | | keyword |
-| cyberarkpas.audit.ca_properties.sequence_id | | keyword |
-| cyberarkpas.audit.ca_properties.tags | | keyword |
-| cyberarkpas.audit.ca_properties.user_dn | | keyword |
-| cyberarkpas.audit.ca_properties.user_name | | keyword |
-| cyberarkpas.audit.ca_properties.virtual_username | | keyword |
-| cyberarkpas.audit.category | The category name (for category-related operations). | keyword |
-| cyberarkpas.audit.desc | A static value that displays a description of the audit codes. | keyword |
-| cyberarkpas.audit.extra_details.ad_process_id | | keyword |
-| cyberarkpas.audit.extra_details.ad_process_name | | keyword |
-| cyberarkpas.audit.extra_details.application_type | | keyword |
-| cyberarkpas.audit.extra_details.command | | keyword |
-| cyberarkpas.audit.extra_details.connection_component_id | | keyword |
-| cyberarkpas.audit.extra_details.dst_host | | keyword |
-| cyberarkpas.audit.extra_details.logon_account | | keyword |
-| cyberarkpas.audit.extra_details.managed_account | | keyword |
-| cyberarkpas.audit.extra_details.other | | flattened |
-| cyberarkpas.audit.extra_details.process_id | | keyword |
-| cyberarkpas.audit.extra_details.process_name | | keyword |
-| cyberarkpas.audit.extra_details.protocol | | keyword |
-| cyberarkpas.audit.extra_details.psmid | | keyword |
-| cyberarkpas.audit.extra_details.session_duration | | keyword |
-| cyberarkpas.audit.extra_details.session_id | | keyword |
-| cyberarkpas.audit.extra_details.src_host | | keyword |
-| cyberarkpas.audit.extra_details.username | | keyword |
-| cyberarkpas.audit.file | The name of the target file. | keyword |
-| cyberarkpas.audit.gateway_station | The IP of the web application machine (PVWA). | ip |
-| cyberarkpas.audit.hostname | The hostname, in upper case. | keyword |
-| cyberarkpas.audit.iso_timestamp | The timestamp, in ISO Timestamp format (RFC 3339). | date |
-| cyberarkpas.audit.issuer | The Vault user who wrote the audit. This is usually the user who performed the operation. | keyword |
-| cyberarkpas.audit.location | The target Location (for Location operations). | keyword |
-| cyberarkpas.audit.message | A description of the audit records (same information as in the Desc field). | keyword |
-| cyberarkpas.audit.message_id | The code ID of the audit records. | keyword |
-| cyberarkpas.audit.product | A static value that represents the product. | keyword |
-| cyberarkpas.audit.pvwa_details | Specific details of the PVWA audit records. | flattened |
-| cyberarkpas.audit.raw | Raw XML for the original audit record. Only present when XSLT file has debugging enabled. | keyword |
-| cyberarkpas.audit.reason | The reason entered by the user. | text |
-| cyberarkpas.audit.rfc5424 | Whether the syslog format complies with RFC5424. | boolean |
-| cyberarkpas.audit.safe | The name of the target Safe. | keyword |
-| cyberarkpas.audit.severity | The severity of the audit records. | keyword |
-| cyberarkpas.audit.source_user | The name of the Vault user who performed the operation. | keyword |
-| cyberarkpas.audit.station | The IP from where the operation was performed. For PVWA sessions, this will be the real client machine IP. | ip |
-| cyberarkpas.audit.target_user | The name of the Vault user on which the operation was performed. | keyword |
-| cyberarkpas.audit.timestamp | The timestamp, in MMM DD HH:MM:SS format. | keyword |
-| cyberarkpas.audit.vendor | A static value that represents the vendor. | keyword |
-| cyberarkpas.audit.version | A static value that represents the version of the Vault. | keyword |
-| data_stream.dataset | Data stream dataset. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
-| destination.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long |
-| destination.as.organization.name | Organization name. | keyword |
-| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. | match_only_text |
-| destination.domain | The domain name of the destination system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword |
-| destination.geo.city_name | City name. | keyword |
-| destination.geo.continent_name | Name of the continent. | keyword |
-| destination.geo.country_iso_code | Country ISO code. | keyword |
-| destination.geo.country_name | Country name. | keyword |
-| destination.geo.location | Longitude and latitude. | geo_point |
-| destination.geo.region_iso_code | Region ISO code. | keyword |
-| destination.geo.region_name | Region name. | keyword |
-| destination.ip | IP address of the destination (IPv4 or IPv6). | ip |
-| destination.user.name | Short name or login of the user. | keyword |
-| destination.user.name.text | Multi-field of `destination.user.name`. | match_only_text |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| error.message | Error message. | match_only_text |
-| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword |
-| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword |
-| event.code | Identification code for this event, if one exists. Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. | keyword |
-| event.dataset | Event dataset | constant_keyword |
-| event.duration | Duration of the event in nanoseconds. If event.start and event.end are known this value should be the difference between the end and start time. | long |
-| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date |
-| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword |
-| event.module | Name of the module this data is coming from. | constant_keyword |
-| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword |
-| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword |
-| event.reason | Reason why this event happened, according to the source. This describes the why of a particular action or outcome captured in the event. Where `event.action` captures the action from the event, `event.reason` describes why that action was taken. For example, a web proxy with an `event.action` which denied the request may also populate `event.reason` with the reason why (e.g. `blocked site`). | keyword |
-| event.severity | The numeric severity of the event according to your event source. What the different severity values mean can be different between sources and use cases. It's up to the implementer to make sure severities are consistent across events from the same source. The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`. | long |
-| event.timezone | This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). | keyword |
-| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword |
-| file.path | Full path to the file, including the file name. It should include the drive letter, when appropriate. | keyword |
-| file.path.text | Multi-field of `file.path`. | match_only_text |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| input.type | Type of Filebeat input. | keyword |
-| log.file.path | Path to the log file. | keyword |
-| log.flags | Flags for the log file. | keyword |
-| log.offset | Offset of the entry in the log file. | long |
-| log.source.address | Source address from which the log event was read / sent from. | keyword |
-| log.syslog.priority | Syslog numeric priority of the event, if available. According to RFCs 5424 and 3164, the priority is 8 \* facility + severity. This number is therefore expected to contain a value between 0 and 191. | long |
-| network.application | When a specific application or service is identified from network connection details (source/dest IPs, ports, certificates, or wire format), this field captures the application's or service's name. For example, the original event identifies the network connection being from a specific web service in a `https` network connection, like `facebook` or `twitter`. The field value must be normalized to lowercase for querying. | keyword |
-| network.direction | Direction of the network traffic. When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword |
-| observer.hostname | Hostname of the observer. | keyword |
-| observer.product | The product name of the observer. | keyword |
-| observer.type | The type of the observer the data is coming from. There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. | keyword |
-| observer.vendor | Vendor name of the observer. | keyword |
-| observer.version | Observer version. | keyword |
-| process.name | Process name. Sometimes called program name or similar. | keyword |
-| process.name.text | Multi-field of `process.name`. | match_only_text |
-| process.pid | Process id. | long |
-| related.ip | All of the IPs seen on your event. | ip |
-| related.user | All the user names or other user identifiers seen on the event. | keyword |
-| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword |
-| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
-| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long |
-| source.as.organization.name | Organization name. | keyword |
-| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text |
-| source.geo.city_name | City name. | keyword |
-| source.geo.continent_name | Name of the continent. | keyword |
-| source.geo.country_iso_code | Country ISO code. | keyword |
-| source.geo.country_name | Country name. | keyword |
-| source.geo.location | Longitude and latitude. | geo_point |
-| source.geo.region_iso_code | Region ISO code. | keyword |
-| source.geo.region_name | Region name. | keyword |
-| source.ip | IP address of the source (IPv4 or IPv6). | ip |
-| source.user.name | Short name or login of the user. | keyword |
-| source.user.name.text | Multi-field of `source.user.name`. | match_only_text |
-| tags | List of keywords used to tag each event. | keyword |
-| user.name | Short name or login of the user. | keyword |
-| user.name.text | Multi-field of `user.name`. | match_only_text |
-| user.target.name | Short name or login of the user. | keyword |
-| user.target.name.text | Multi-field of `user.target.name`. | match_only_text |
-
diff --git a/packages/cyberarkpas/2.6.2/img/filebeat-cyberarkpas-overview.png b/packages/cyberarkpas/2.6.2/img/filebeat-cyberarkpas-overview.png
deleted file mode 100755
index 768de75855..0000000000
Binary files a/packages/cyberarkpas/2.6.2/img/filebeat-cyberarkpas-overview.png and /dev/null differ
diff --git a/packages/cyberarkpas/2.6.2/img/logo.svg b/packages/cyberarkpas/2.6.2/img/logo.svg
deleted file mode 100755
index 04930adfd8..0000000000
--- a/packages/cyberarkpas/2.6.2/img/logo.svg
+++ /dev/null
@@ -1 +0,0 @@
-Asset 25
diff --git a/packages/cyberarkpas/2.6.2/kibana/dashboard/cyberarkpas-eb12ef60-96f6-11eb-bbf8-d77aef8ad7a6.json b/packages/cyberarkpas/2.6.2/kibana/dashboard/cyberarkpas-eb12ef60-96f6-11eb-bbf8-d77aef8ad7a6.json
deleted file mode 100755
index 878b317f1f..0000000000
--- a/packages/cyberarkpas/2.6.2/kibana/dashboard/cyberarkpas-eb12ef60-96f6-11eb-bbf8-d77aef8ad7a6.json
+++ /dev/null
@@ -1,160 +0,0 @@ -{ - "attributes": { - "description": "Dashboard for CyberArk Privileged Access Security events.", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"cyberarkpas.audit\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"cyberarkpas.audit\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"controls\":[{\"fieldName\":\"observer.hostname\",\"id\":\"1617726994032\",\"indexPattern\":\"logs-*\",\"indexPatternRefName\":\"control_0_index_pattern\",\"label\":\" By Vault host\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"},{\"fieldName\":\"event.code\",\"id\":\"1617811797137\",\"indexPattern\":\"logs-*\",\"indexPatternRefName\":\"control_1_index_pattern\",\"label\":\"By event 
code\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"}],\"pinFilters\":false,\"updateFiltersOnChange\":true,\"useTimeFilter\":false},\"title\":\"\",\"type\":\"input_control_vis\",\"uiState\":{}}},\"gridData\":{\"h\":9,\"i\":\"1007fa0d-a6a1-4682-a346-a90acc179da5\",\"w\":10,\"x\":0,\"y\":0},\"panelIndex\":\"1007fa0d-a6a1-4682-a346-a90acc179da5\",\"title\":\"Filters\",\"type\":\"visualization\",\"version\":\"7.12.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"default_index_pattern\":\"logs-*\",\"default_timefield\":\"@timestamp\",\"filter\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:\\\"cyberarkpas.audit\\\" \"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"\",\"interval\":\"\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"bar\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"hide_in_legend\":0,\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":1,\"metrics\":[{\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"count\"}],\"override_index_pattern\":0,\"palette\":{\"name\":\"rainbow\",\"params\":{\"colors\":[\"#68BC00\",\"#009CE0\",\"#B0BC00\",\"#16A5A5\",\"#D33115\",\"#E27300\",\"#FCC400\",\"#7B64FF\",\"#FA28FF\",\"#333333\",\"#808080\",\"#194D33\",\"#0062B1\",\"#808900\",\"#0C797D\",\"#9F0500\",\"#C45100\",\"#FB9E00\",\"#653294\",\"#AB149E\",\"#0F1419\",\"#666666\"],\"gradient\":false},\"type\":\"palette\"},\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":null,\"split_mode\":\"terms\",\"stacked\":\"stacked\",\"terms_field\":\"cyberarkpas.audit.desc\",\"type\":\"timeseries\"}],\"show_grid\
":1,\"show_legend\":1,\"time_field\":\"\",\"time_range_mode\":\"entire_time_range\",\"tooltip_mode\":\"show_all\",\"type\":\"timeseries\",\"use_kibana_indexes\":true},\"title\":\"\",\"type\":\"metrics\",\"uiState\":{}}},\"gridData\":{\"h\":13,\"i\":\"f2dc3750-9b7c-4b0e-a45d-3d3b08f74f3e\",\"w\":38,\"x\":10,\"y\":0},\"panelIndex\":\"f2dc3750-9b7c-4b0e-a45d-3d3b08f74f3e\",\"title\":\"event types by time\",\"type\":\"visualization\",\"version\":\"7.12.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-33bc0096-e418-4f81-9c7c-7fdd16cc5203\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"33bc0096-e418-4f81-9c7c-7fdd16cc5203\":{\"columnOrder\":[\"eedd5aa8-a7c4-466a-b10b-3a8cba3bac12\"],\"columns\":{\"eedd5aa8-a7c4-466a-b10b-3a8cba3bac12\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\" \",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"eedd5aa8-a7c4-466a-b10b-3a8cba3bac12\",\"layerId\":\"33bc0096-e418-4f81-9c7c-7fdd16cc5203\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":4,\"i\":\"af9e9f0b-a40c-411e-b441-2a779983ed24\",\"w\":10,\"x\":0,\"y\":9},\"panelIndex\":\"af9e9f0b-a40c-411e-b441-2a779983ed24\",\"title\":\"Count of 
events\",\"type\":\"lens\",\"version\":\"7.12.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-de047c06-a965-47aa-8a15-8b0266d5abc3\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"de047c06-a965-47aa-8a15-8b0266d5abc3\":{\"columnOrder\":[\"b916e5f5-a64a-49f1-b37a-ee1825fc61a4\",\"3effd03e-0ed9-4e2d-ba8e-d77ae505092e\"],\"columns\":{\"3effd03e-0ed9-4e2d-ba8e-d77ae505092e\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"b916e5f5-a64a-49f1-b37a-ee1825fc61a4\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of event.outcome\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"3effd03e-0ed9-4e2d-ba8e-d77ae505092e\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"event.outcome\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"b916e5f5-a64a-49f1-b37a-ee1825fc61a4\"],\"layerId\":\"de047c06-a965-47aa-8a15-8b0266d5abc3\",\"legendDisplay\":\"default\",\"metric\":\"3effd03e-0ed9-4e2d-ba8e-d77ae505092e\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"donut\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":13,\"i\":\"7031905a-92ab-4e0e-aa58-72f1c07ff409\",\"w\":10,\"x\":0,\"y\":13},\"panelIndex\":\"7031905a-92ab-4e0e-aa58-72f1c07ff409\",\"title\":\"Breakdown by 
outcome\",\"type\":\"lens\",\"version\":\"7.12.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-19858811-84d1-4f50-901c-dc1451972324\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"filter-index-pattern-0\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"filter-index-pattern-1\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"19858811-84d1-4f50-901c-dc1451972324\":{\"columnOrder\":[\"81dcff19-b14a-4e4b-999e-dbbcbdfdf816\",\"e3526253-18e0-4122-b112-ee5b4b9e23d7\"],\"columns\":{\"81dcff19-b14a-4e4b-999e-dbbcbdfdf816\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of destination.user.name\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"type\":\"alphabetical\"},\"orderDirection\":\"asc\",\"otherBucket\":true,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"destination.user.name\"},\"e3526253-18e0-4122-b112-ee5b4b9e23d7\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of 
records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"filter-index-pattern-0\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"cyberarkpas.audit\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"cyberarkpas.audit\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"filter-index-pattern-1\",\"key\":\"event.code\",\"negate\":false,\"params\":[\"308\",\"22\",\"319\",\"295\"],\"type\":\"phrases\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.code\":\"308\"}},{\"match_phrase\":{\"event.code\":\"22\"}},{\"match_phrase\":{\"event.code\":\"319\"}},{\"match_phrase\":{\"event.code\":\"295\"}}]}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"81dcff19-b14a-4e4b-999e-dbbcbdfdf816\",\"81dcff19-b14a-4e4b-999e-dbbcbdfdf816\",\"81dcff19-b14a-4e4b-999e-dbbcbdfdf816\",\"81dcff19-b14a-4e4b-999e-dbbcbdfdf816\",\"81dcff19-b14a-4e4b-999e-dbbcbdfdf816\",\"81dcff19-b14a-4e4b-999e-dbbcbdfdf816\"],\"layerId\":\"19858811-84d1-4f50-901c-dc1451972324\",\"legendDisplay\":\"default\",\"metric\":\"e3526253-18e0-4122-b112-ee5b4b9e23d7\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"donut\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":13,\"i\":\"a24b9c0c-da95-4016-9fe5-2c0d34005832\",\"w\":11,\"x\":10,\"y\":13},\"panelIndex\":\"a24b9c0c-da95-4016-9fe5-2c0d34005832\",\"title\":\"Top 10 user credentials 
accessed\",\"type\":\"lens\",\"version\":\"7.12.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-50325938-6a9e-4a26-946e-4468e68c6591\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"filter-index-pattern-0\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"filter-index-pattern-1\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"50325938-6a9e-4a26-946e-4468e68c6591\":{\"columnOrder\":[\"8a965540-daa1-4848-80bb-96ddf53a328f\",\"c05a39ad-2983-4f4a-900d-a939ecbda504\",\"a808a872-71b5-4a76-a939-354f68991881\"],\"columns\":{\"8a965540-daa1-4848-80bb-96ddf53a328f\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of event.outcome\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"a808a872-71b5-4a76-a939-354f68991881\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":2},\"scale\":\"ordinal\",\"sourceField\":\"event.outcome\"},\"a808a872-71b5-4a76-a939-354f68991881\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Credentials 
accessed\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"c05a39ad-2983-4f4a-900d-a939ecbda504\":{\"dataType\":\"date\",\"isBucketed\":true,\"label\":\"@timestamp\",\"operationType\":\"date_histogram\",\"params\":{\"interval\":\"auto\"},\"scale\":\"interval\",\"sourceField\":\"@timestamp\"}},\"incompleteColumns\":{}}}}},\"filters\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"filter-index-pattern-0\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"cyberarkpas.audit\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"cyberarkpas.audit\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"filter-index-pattern-1\",\"key\":\"event.code\",\"negate\":false,\"params\":[\"308\",\"22\",\"319\",\"295\",\"38\"],\"type\":\"phrases\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.code\":\"308\"}},{\"match_phrase\":{\"event.code\":\"22\"}},{\"match_phrase\":{\"event.code\":\"319\"}},{\"match_phrase\":{\"event.code\":\"295\"}},{\"match_phrase\":{\"event.code\":\"38\"}}]}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"axisTitlesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"fittingFunction\":\"None\",\"gridlinesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"layers\":[{\"accessors\":[\"a808a872-71b5-4a76-a939-354f68991881\"],\"layerId\":\"50325938-6a9e-4a26-946e-4468e68c6591\",\"position\":\"top\",\"seriesType\":\"area_stacked\",\"showGridlines\":false,\"splitAccessor\":\"8a965540-daa1-4848-80bb-96ddf53a328f\",\"xAccessor\":\"c05a39ad-2983-4f4a-900d-a939ecbda504\"}],\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"preferredSeriesType\":\"area_stacked\",\"tickLabelsVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"valueLabels\":\"hide\"}},\"title\":\"\",\"type\":\"l
ens\",\"visualizationType\":\"lnsXY\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":13,\"i\":\"1dc68cc6-e1b3-43ea-9b0e-f423d194b99a\",\"w\":27,\"x\":21,\"y\":13},\"panelIndex\":\"1dc68cc6-e1b3-43ea-9b0e-f423d194b99a\",\"title\":\"Credential access by time\",\"type\":\"lens\",\"version\":\"7.12.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-105faf70-8330-46b3-a82a-573a383068fa\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"filter-index-pattern-0\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"105faf70-8330-46b3-a82a-573a383068fa\":{\"columnOrder\":[\"c51d6847-2fcc-4d13-a44f-49786cb979ed\",\"d73b823b-ae68-4e73-bbe2-90a35bc825e7\",\"c0147524-accc-4dee-a4fc-44199e3459f1\"],\"columns\":{\"c0147524-accc-4dee-a4fc-44199e3459f1\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Authentications\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"c51d6847-2fcc-4d13-a44f-49786cb979ed\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Users\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"c0147524-accc-4dee-a4fc-44199e3459f1\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":8},\"scale\":\"ordinal\",\"sourceField\":\"user.name\"},\"d73b823b-ae68-4e73-bbe2-90a35bc825e7\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of 
event.outcome\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"type\":\"alphabetical\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":2},\"scale\":\"ordinal\",\"sourceField\":\"event.outcome\"}},\"incompleteColumns\":{}}}}},\"filters\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"filter-index-pattern-0\",\"key\":\"event.category\",\"negate\":false,\"params\":[\"authentication\"],\"type\":\"phrases\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.category\":\"authentication\"}}]}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"axisTitlesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"fittingFunction\":\"None\",\"gridlinesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"layers\":[{\"accessors\":[\"c0147524-accc-4dee-a4fc-44199e3459f1\"],\"layerId\":\"105faf70-8330-46b3-a82a-573a383068fa\",\"palette\":{\"name\":\"status\",\"type\":\"palette\"},\"position\":\"top\",\"seriesType\":\"bar_horizontal_stacked\",\"showGridlines\":false,\"splitAccessor\":\"d73b823b-ae68-4e73-bbe2-90a35bc825e7\",\"xAccessor\":\"c51d6847-2fcc-4d13-a44f-49786cb979ed\"}],\"legend\":{\"isVisible\":true,\"position\":\"right\",\"showSingleSeries\":false},\"preferredSeriesType\":\"bar_horizontal_stacked\",\"tickLabelsVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"valueLabels\":\"hide\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsXY\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":23,\"i\":\"c56b3e4d-bfb6-4b06-a62b-282753b85f7a\",\"w\":15,\"x\":0,\"y\":26},\"panelIndex\":\"c56b3e4d-bfb6-4b06-a62b-282753b85f7a\",\"title\":\"Vault Authentication 
attempts\",\"type\":\"lens\",\"version\":\"7.12.0\"},{\"embeddableConfig\":{\"attributes\":{\"description\":\"\",\"layerListJSON\":\"[{\\\"sourceDescriptor\\\":{\\\"type\\\":\\\"EMS_TMS\\\",\\\"id\\\":null,\\\"isAutoSelect\\\":true},\\\"id\\\":\\\"a3734143-d6e1-4551-b0b1-8282a37e151b\\\",\\\"label\\\":null,\\\"minZoom\\\":0,\\\"maxZoom\\\":24,\\\"alpha\\\":1,\\\"visible\\\":true,\\\"style\\\":{\\\"type\\\":\\\"TILE\\\"},\\\"type\\\":\\\"VECTOR_TILE\\\"},{\\\"label\\\":\\\"logs-* | Source Point\\\",\\\"sourceDescriptor\\\":{\\\"indexPatternId\\\":\\\"logs-*\\\",\\\"geoField\\\":\\\"source.geo.location\\\",\\\"scalingType\\\":\\\"TOP_HITS\\\",\\\"topHitsSplitField\\\":\\\"source.ip\\\",\\\"tooltipProperties\\\":[\\\"host.name\\\",\\\"source.ip\\\",\\\"source.domain\\\",\\\"source.geo.country_iso_code\\\",\\\"source.as.organization.name\\\"],\\\"id\\\":\\\"5f2b25a1-01ea-45ca-a4a2-f1a670c3b149\\\",\\\"type\\\":\\\"ES_SEARCH\\\",\\\"applyGlobalQuery\\\":true,\\\"applyGlobalTime\\\":true,\\\"filterByMapBounds\\\":true,\\\"sortField\\\":\\\"\\\",\\\"sortOrder\\\":\\\"desc\\\",\\\"topHitsSize\\\":22},\\\"style\\\":{\\\"type\\\":\\\"VECTOR\\\",\\\"properties\\\":{\\\"icon\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"value\\\":\\\"home\\\"}},\\\"fillColor\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"color\\\":\\\"#6092C0\\\"}},\\\"lineColor\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"color\\\":\\\"#FFFFFF\\\"}},\\\"lineWidth\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"size\\\":2}},\\\"iconSize\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"size\\\":8}},\\\"iconOrientation\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"orientation\\\":0}},\\\"labelText\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"value\\\":\\\"\\\"}},\\\"labelColor\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"color\\\":\\\"#000000\\\"}},\\\"labelSize\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"size\\\":14}},\\\"labelBorderColor\\\"
:{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"color\\\":\\\"#FFFFFF\\\"}},\\\"symbolizeAs\\\":{\\\"options\\\":{\\\"value\\\":\\\"icon\\\"}},\\\"labelBorderSize\\\":{\\\"options\\\":{\\\"size\\\":\\\"SMALL\\\"}}},\\\"isTimeAware\\\":true},\\\"id\\\":\\\"2ad8e318-4ef4-4e89-94f2-f37e395c488c\\\",\\\"minZoom\\\":0,\\\"maxZoom\\\":24,\\\"alpha\\\":0.75,\\\"visible\\\":true,\\\"type\\\":\\\"VECTOR\\\",\\\"joins\\\":[]},{\\\"label\\\":\\\"logs-* | Destination point\\\",\\\"sourceDescriptor\\\":{\\\"indexPatternId\\\":\\\"logs-*\\\",\\\"geoField\\\":\\\"destination.geo.location\\\",\\\"scalingType\\\":\\\"TOP_HITS\\\",\\\"topHitsSplitField\\\":\\\"destination.ip\\\",\\\"tooltipProperties\\\":[\\\"host.name\\\",\\\"destination.ip\\\",\\\"destination.domain\\\",\\\"destination.geo.country_iso_code\\\",\\\"destination.as.organization.name\\\"],\\\"id\\\":\\\"bc95f479-964f-4498-be1e-376d34a01b0a\\\",\\\"type\\\":\\\"ES_SEARCH\\\",\\\"applyGlobalQuery\\\":true,\\\"applyGlobalTime\\\":true,\\\"filterByMapBounds\\\":true,\\\"sortField\\\":\\\"\\\",\\\"sortOrder\\\":\\\"desc\\\",\\\"topHitsSize\\\":35},\\\"style\\\":{\\\"type\\\":\\\"VECTOR\\\",\\\"properties\\\":{\\\"icon\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"value\\\":\\\"marker\\\"}},\\\"fillColor\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"color\\\":\\\"#D36086\\\"}},\\\"lineColor\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"color\\\":\\\"#FFFFFF\\\"}},\\\"lineWidth\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"size\\\":2}},\\\"iconSize\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"size\\\":8}},\\\"iconOrientation\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"orientation\\\":0}},\\\"labelText\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"value\\\":\\\"\\\"}},\\\"labelColor\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"color\\\":\\\"#000000\\\"}},\\\"labelSize\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"size\\\":14}},\\\"labelBorderColor\\
\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"color\\\":\\\"#FFFFFF\\\"}},\\\"symbolizeAs\\\":{\\\"options\\\":{\\\"value\\\":\\\"icon\\\"}},\\\"labelBorderSize\\\":{\\\"options\\\":{\\\"size\\\":\\\"SMALL\\\"}}},\\\"isTimeAware\\\":true},\\\"id\\\":\\\"dbb878c8-4039-49f1-b2ff-ab7fb942ba55\\\",\\\"minZoom\\\":0,\\\"maxZoom\\\":24,\\\"alpha\\\":0.75,\\\"visible\\\":true,\\\"type\\\":\\\"VECTOR\\\",\\\"joins\\\":[]},{\\\"label\\\":\\\"logs-* | Line\\\",\\\"sourceDescriptor\\\":{\\\"indexPatternId\\\":\\\"logs-*\\\",\\\"sourceGeoField\\\":\\\"source.geo.location\\\",\\\"destGeoField\\\":\\\"destination.geo.location\\\",\\\"metrics\\\":[{\\\"type\\\":\\\"count\\\"},{\\\"type\\\":\\\"sum\\\",\\\"field\\\":\\\"destination.bytes\\\"}],\\\"id\\\":\\\"faf6884d-b7cb-41dd-ab86-95970d7c59d2\\\",\\\"type\\\":\\\"ES_PEW_PEW\\\",\\\"applyGlobalQuery\\\":true,\\\"applyGlobalTime\\\":true},\\\"style\\\":{\\\"type\\\":\\\"VECTOR\\\",\\\"properties\\\":{\\\"icon\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"value\\\":\\\"marker\\\"}},\\\"fillColor\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"color\\\":\\\"#54B399\\\"}},\\\"lineColor\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"color\\\":\\\"#6092C0\\\"}},\\\"lineWidth\\\":{\\\"type\\\":\\\"DYNAMIC\\\",\\\"options\\\":{\\\"minSize\\\":1,\\\"maxSize\\\":8,\\\"field\\\":{\\\"name\\\":\\\"doc_count\\\",\\\"origin\\\":\\\"source\\\"},\\\"fieldMetaOptions\\\":{\\\"isEnabled\\\":true,\\\"sigma\\\":3}}},\\\"iconSize\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"size\\\":6}},\\\"iconOrientation\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"orientation\\\":0}},\\\"labelText\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"value\\\":\\\"\\\"}},\\\"labelColor\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"color\\\":\\\"#000000\\\"}},\\\"labelSize\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"size\\\":14}},\\\"labelBorderColor\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\
"color\\\":\\\"#FFFFFF\\\"}},\\\"symbolizeAs\\\":{\\\"options\\\":{\\\"value\\\":\\\"circle\\\"}},\\\"labelBorderSize\\\":{\\\"options\\\":{\\\"size\\\":\\\"SMALL\\\"}}},\\\"isTimeAware\\\":true},\\\"id\\\":\\\"9c450fbf-b009-4b53-9810-2f47ca8dcfa8\\\",\\\"minZoom\\\":0,\\\"maxZoom\\\":24,\\\"alpha\\\":0.75,\\\"visible\\\":true,\\\"type\\\":\\\"VECTOR\\\",\\\"joins\\\":[]}]\",\"mapStateJSON\":\"{\\\"zoom\\\":1.24,\\\"center\\\":{\\\"lon\\\":-49.38072,\\\"lat\\\":7.87497},\\\"timeFilters\\\":{\\\"from\\\":\\\"now-15w\\\",\\\"to\\\":\\\"now\\\"},\\\"refreshConfig\\\":{\\\"isPaused\\\":true,\\\"interval\\\":0},\\\"query\\\":{\\\"query\\\":\\\"\\\",\\\"language\\\":\\\"kuery\\\"},\\\"filters\\\":[],\\\"settings\\\":{\\\"autoFitToDataBounds\\\":false,\\\"backgroundColor\\\":\\\"#ffffff\\\",\\\"disableInteractive\\\":false,\\\"disableTooltipControl\\\":false,\\\"hideToolbarOverlay\\\":false,\\\"hideLayerControl\\\":false,\\\"hideViewControl\\\":false,\\\"initialLocation\\\":\\\"LAST_SAVED_LOCATION\\\",\\\"fixedLocation\\\":{\\\"lat\\\":0,\\\"lon\\\":0,\\\"zoom\\\":2},\\\"browserLocation\\\":{\\\"zoom\\\":2},\\\"maxZoom\\\":24,\\\"minZoom\\\":0,\\\"showScaleControl\\\":false,\\\"showSpatialFilters\\\":true,\\\"spatialFiltersAlpa\\\":0.3,\\\"spatialFiltersFillColor\\\":\\\"#DA8B45\\\",\\\"spatialFiltersLineColor\\\":\\\"#DA8B45\\\"}}\",\"title\":\"\",\"uiStateJSON\":\"{\\\"isLayerTOCOpen\\\":true,\\\"openTOCDetails\\\":[]}\"},\"enhancements\":{},\"hiddenLayers\":[],\"hidePanelTitles\":false,\"isLayerTOCOpen\":false,\"mapBuffer\":{\"maxLat\":148.88690000000003,\"maxLon\":438.09868,\"minLat\":-116.68142,\"minLon\":-417.60444},\"mapCenter\":{\"lat\":43.83453,\"lon\":10.24712,\"zoom\":1},\"openTOCDetails\":[]},\"gridData\":{\"h\":23,\"i\":\"cd1e20e7-706f-4d02-949c-d9f5908bad67\",\"w\":33,\"x\":15,\"y\":26},\"panelIndex\":\"cd1e20e7-706f-4d02-949c-d9f5908bad67\",\"title\":\"Network sources and 
destinations\",\"type\":\"map\",\"version\":\"7.12.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-028c5c1e-79f9-4999-8438-4889ac2b714c\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"filter-index-pattern-0\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"filter-index-pattern-1\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"028c5c1e-79f9-4999-8438-4889ac2b714c\":{\"columnOrder\":[\"e55346c7-87bc-49f4-9215-8a36931d05f4\",\"f2cd86e2-fb91-48b2-b8dd-e98395d28e00\"],\"columns\":{\"e55346c7-87bc-49f4-9215-8a36931d05f4\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Users\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"f2cd86e2-fb91-48b2-b8dd-e98395d28e00\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"user.name\"},\"f2cd86e2-fb91-48b2-b8dd-e98395d28e00\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Failed 
authentications\",\"operationType\":\"count\",\"params\":{},\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"filter-index-pattern-0\",\"key\":\"event.category\",\"negate\":false,\"params\":{\"query\":\"authentication\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"event.category\":\"authentication\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"filter-index-pattern-1\",\"key\":\"event.outcome\",\"negate\":false,\"params\":{\"query\":\"failure\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"event.outcome\":\"failure\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"axisTitlesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"fittingFunction\":\"None\",\"gridlinesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"layers\":[{\"accessors\":[\"f2cd86e2-fb91-48b2-b8dd-e98395d28e00\"],\"layerId\":\"028c5c1e-79f9-4999-8438-4889ac2b714c\",\"position\":\"top\",\"seriesType\":\"bar_horizontal\",\"showGridlines\":false,\"xAccessor\":\"e55346c7-87bc-49f4-9215-8a36931d05f4\",\"yConfig\":[{\"color\":\"#d36086\",\"forAccessor\":\"f2cd86e2-fb91-48b2-b8dd-e98395d28e00\"}]}],\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"preferredSeriesType\":\"bar_horizontal\",\"tickLabelsVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"valueLabels\":\"hide\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsXY\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"c6305b30-a7e2-4cc3-b49b-db99031f150e\",\"w\":15,\"x\":0,\"y\":49},\"panelIndex\":\"c6305b30-a7e2-4cc3-b49b-db99031f150e\",\"title\":\"Top users by failed authentications to 
Vault\",\"type\":\"lens\",\"version\":\"7.12.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"96a2c711-40a3-4dfc-87f5-4b193078e05a\",\"w\":33,\"x\":15,\"y\":49},\"panelIndex\":\"96a2c711-40a3-4dfc-87f5-4b193078e05a\",\"panelRefName\":\"panel_9\",\"title\":\"Credential Access\",\"version\":\"7.12.0\"},{\"embeddableConfig\":{\"columns\":[\"observer.hostname\",\"cyberarkpas.audit.action\",\"cyberarkpas.audit.issuer\",\"cyberarkpas.audit.safe\",\"file.path\"],\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":18,\"i\":\"6cd62115-65e7-416f-8da7-96b0d7a9d932\",\"w\":48,\"x\":0,\"y\":64},\"panelIndex\":\"6cd62115-65e7-416f-8da7-96b0d7a9d932\",\"panelRefName\":\"panel_10\",\"title\":\"All logs\",\"version\":\"7.12.0\"}]", - "timeRestore": false, - "title": "[Logs CyberArk PAS] Overview", - "version": 1 - }, - "coreMigrationVersion": "7.12.0", - "id": "cyberarkpas-eb12ef60-96f6-11eb-bbf8-d77aef8ad7a6", - "migrationVersion": { - "dashboard": "7.11.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "control_0_index_pattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "control_1_index_pattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "indexpattern-datasource-layer-33bc0096-e418-4f81-9c7c-7fdd16cc5203", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "indexpattern-datasource-layer-de047c06-a965-47aa-8a15-8b0266d5abc3", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - 
"id": "logs-*", - "name": "indexpattern-datasource-layer-19858811-84d1-4f50-901c-dc1451972324", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "filter-index-pattern-0", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "filter-index-pattern-1", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "indexpattern-datasource-layer-50325938-6a9e-4a26-946e-4468e68c6591", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "filter-index-pattern-0", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "filter-index-pattern-1", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "indexpattern-datasource-layer-105faf70-8330-46b3-a82a-573a383068fa", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "filter-index-pattern-0", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "layer_1_source_index_pattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "layer_2_source_index_pattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "layer_3_source_index_pattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "indexpattern-datasource-layer-028c5c1e-79f9-4999-8438-4889ac2b714c", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "filter-index-pattern-0", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "filter-index-pattern-1", - "type": "index-pattern" - }, - { - "id": "cyberarkpas-a9b82df0-97a5-11eb-bbf8-d77aef8ad7a6", - "name": "panel_9", - "type": "search" - }, - { - "id": "cyberarkpas-fec0d170-96f7-11eb-bbf8-d77aef8ad7a6", - "name": "panel_10", - "type": "search" - } - ], - "type": 
"dashboard" -} \ No newline at end of file diff --git a/packages/cyberarkpas/2.6.2/kibana/search/cyberarkpas-a9b82df0-97a5-11eb-bbf8-d77aef8ad7a6.json b/packages/cyberarkpas/2.6.2/kibana/search/cyberarkpas-a9b82df0-97a5-11eb-bbf8-d77aef8ad7a6.json deleted file mode 100755 index 7c7f726138..0000000000 --- a/packages/cyberarkpas/2.6.2/kibana/search/cyberarkpas-a9b82df0-97a5-11eb-bbf8-d77aef8ad7a6.json +++ /dev/null 
@@ -1,52 +0,0 @@ -{ - "attributes": { - "columns": [ - "event.action", - "event.outcome", - "source.address", - "source.user.name", - "destination.address", - "destination.user.name", - "event.reason" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"cyberarkpas.audit\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"cyberarkpas.audit\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":[\"308\",\"319\",\"295\",\"22\",\"38\",\"300\",\"302\"],\"type\":\"phrases\",\"value\":\"308, 319, 295, 22, 38, 300, 302\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.code\":\"308\"}},{\"match_phrase\":{\"event.code\":\"319\"}},{\"match_phrase\":{\"event.code\":\"295\"}},{\"match_phrase\":{\"event.code\":\"22\"}},{\"match_phrase\":{\"event.code\":\"38\"}},{\"match_phrase\":{\"event.code\":\"300\"}},{\"match_phrase\":{\"event.code\":\"302\"}}]}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "Credential Access logs [Logs CyberArk PAS]", - "version": 1 - }, - "coreMigrationVersion": "7.12.0", - "id": "cyberarkpas-a9b82df0-97a5-11eb-bbf8-d77aef8ad7a6", - "migrationVersion": { - "search": "7.9.3" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": 
"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/cyberarkpas/2.6.2/kibana/search/cyberarkpas-fec0d170-96f7-11eb-bbf8-d77aef8ad7a6.json b/packages/cyberarkpas/2.6.2/kibana/search/cyberarkpas-fec0d170-96f7-11eb-bbf8-d77aef8ad7a6.json deleted file mode 100755 index dc7d982de3..0000000000 --- a/packages/cyberarkpas/2.6.2/kibana/search/cyberarkpas-fec0d170-96f7-11eb-bbf8-d77aef8ad7a6.json +++ /dev/null @@ -1,34 +0,0 @@ -{ - "attributes": { - "columns": [], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:\\\"cyberarkpas.audit\\\" \"}}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "All logs [Logs CyberArk PAS]", - "version": 1 - }, - "coreMigrationVersion": "7.12.0", - "id": "cyberarkpas-fec0d170-96f7-11eb-bbf8-d77aef8ad7a6", - "migrationVersion": { - "search": "7.9.3" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/cyberarkpas/2.6.2/manifest.yml b/packages/cyberarkpas/2.6.2/manifest.yml deleted file mode 100755 index c6fea8c732..0000000000 --- a/packages/cyberarkpas/2.6.2/manifest.yml +++ /dev/null 
@@ -1,37 +0,0 @@
-name: cyberarkpas
-title: CyberArk Privileged Access Security
-version: 2.6.2
-release: ga
-description: Collect logs from CyberArk Privileged Access Security with Elastic Agent.
-type: integration
-format_version: 1.0.0
-license: basic
-categories: ["security"]
-conditions:
- kibana.version: ^7.16.0 || ^8.0.0
-screenshots:
- - src: /img/filebeat-cyberarkpas-overview.png
- title: filebeat cyberarkpas overview
- size: 1792x2496
- type: image/png
-policy_templates:
- - name: cyberarkpas
- title: CyberArk Privileged Access Security audit logs
- description: Collect logs from Vault instances
- inputs:
- - type: tcp
- title: 'Collect Vault audit logs via TCP'
- description: 'Collecting Vault audit logs from CyberArk PAS via TCP'
- type: udp
- title: 'Collect Vault audit logs via UDP'
- description: 'Collecting Vault audit logs from CyberArk PAS via UDP'
- type: logfile
- title: 'Collect Vault audit logs via file'
- description: 'Collecting Vault audit logs from CyberArk PAS via file'
-icons:
- - src: /img/logo.svg
- title: CyberArk logo
- size: 32x32
- type: image/svg+xml
-owner:
- github: elastic/security-external-integrations
diff --git a/packages/fireeye/1.6.1/LICENSE.txt b/packages/fireeye/1.6.1/LICENSE.txt
deleted file mode 100755
index 809108b857..0000000000
--- a/packages/fireeye/1.6.1/LICENSE.txt
+++ /dev/null
@@ -1,93 +0,0 @@ -Elastic License 2.0 - -URL: https://www.elastic.co/licensing/elastic-license - -## Acceptance - -By using the software, you agree to all of the terms and conditions below. - -## Copyright License - -The licensor grants you a non-exclusive, royalty-free, worldwide, -non-sublicensable, non-transferable license to use, copy, distribute, make -available, and prepare derivative works of the software, in each case subject to -the limitations and conditions below. - -## Limitations - -You may not provide the software to third parties as a hosted or managed -service, where the service provides users with access to any substantial set of -the features or functionality of the software. - -You may not move, change, disable, or circumvent the license key functionality -in the software, and you may not remove or obscure any functionality in the -software that is protected by the license key. - -You may not alter, remove, or obscure any licensing, copyright, or other notices -of the licensor in the software. Any use of the licensor’s trademarks is subject -to applicable law. - -## Patents - -The licensor grants you a license, under any patent claims the licensor can -license, or becomes able to license, to make, have made, use, sell, offer for -sale, import and have imported the software, in each case subject to the -limitations and conditions in this license. This license does not cover any -patent claims that you cause to be infringed by modifications or additions to -the software. If you or your company make any written claim that the software -infringes or contributes to infringement of any patent, your patent license for -the software granted under these terms ends immediately. If your company makes -such a claim, your patent license ends immediately for work on behalf of your -company. - -## Notices - -You must ensure that anyone who gets a copy of any part of the software from you -also gets a copy of these terms. 
- -If you modify the software, you must include in any modified copies of the -software prominent notices stating that you have modified the software. - -## No Other Rights - -These terms do not imply any licenses other than those expressly granted in -these terms. - -## Termination - -If you use the software in violation of these terms, such use is not licensed, -and your licenses will automatically terminate. If the licensor provides you -with a notice of your violation, and you cease all violation of this license no -later than 30 days after you receive that notice, your licenses will be -reinstated retroactively. However, if you violate these terms after such -reinstatement, any additional violation of these terms will cause your licenses -to terminate automatically and permanently. - -## No Liability - -*As far as the law allows, the software comes as is, without any warranty or -condition, and the licensor will not be liable to you for any damages arising -out of these terms or the use or nature of the software, under any kind of -legal claim.* - -## Definitions - -The **licensor** is the entity offering these terms, and the **software** is the -software the licensor makes available under these terms, including any portion -of it. - -**you** refers to the individual or entity agreeing to these terms. - -**your company** is any legal entity, sole proprietorship, or other kind of -organization that you work for, plus all organizations that have control over, -are under the control of, or are under common control with that -organization. **control** means ownership of substantially all the assets of an -entity, or the power to direct its management and policies by vote, contract, or -otherwise. Control can be direct or indirect. - -**your licenses** are all the licenses granted to you for the software under -these terms. - -**use** means anything you do with the software requiring one of your licenses. 
- -**trademark** means trademarks, service marks, and similar rights. diff --git a/packages/fireeye/1.6.1/changelog.yml b/packages/fireeye/1.6.1/changelog.yml deleted file mode 100755 index fae686d1a6..0000000000 --- a/packages/fireeye/1.6.1/changelog.yml +++ /dev/null 
@@ -1,80 +0,0 @@
-- version: "1.6.1"
- changes:
- - description: Use ECS geo.location definition.
- type: enhancement
- link: https://github.com/elastic/integrations/issues/4227
-- version: "1.6.0"
- changes:
- - description: Update package to ECS 8.4.0
- type: enhancement
- link: https://github.com/elastic/integrations/pull/3865
-- version: "1.5.1"
- changes:
- - description: Update package name and description to align with standard wording
- type: enhancement
- link: https://github.com/elastic/integrations/pull/3478
-- version: "1.5.0"
- changes:
- - description: Update package to ECS 8.3.0.
- type: enhancement
- link: https://github.com/elastic/integrations/pull/3353
-- version: "1.4.0"
- changes:
- - description: Add JA3/JA3S to `related.hash`
- type: enhancement
- link: https://github.com/elastic/integrations/pull/3440
-- version: "1.3.1"
- changes:
- - description: Move invalid field value in sample event file
- type: bugfix
- link: https://github.com/elastic/integrations/pull/3331
-- version: "1.3.0"
- changes:
- - description: Update to ECS 8.2
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2779
-- version: "1.2.4"
- changes:
- - description: Move invalid field values
- type: bugfix
- link: https://github.com/elastic/integrations/pull/3099
-- version: "1.2.3"
- changes:
- - description: Fix typo in config template for ignoring host enrichment
- type: bugfix
- link: https://github.com/elastic/integrations/pull/3092
-- version: "1.2.2"
- changes:
- - description: Add documentation for multi-fields
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2916
-- version: "1.2.1"
- changes:
- - description: Fix field mappings for `dns.id` and `network.iana_number`
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2892
-- version: "1.2.0"
- changes:
- - description: Update to ECS 8.0
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2404
-- version: "1.1.2"
- changes:
- - description: Regenerate test files using the new GeoIP database
- type: bugfix
- link: https://github.com/elastic/integrations/pull/2339
-- version: "1.1.1"
- changes:
- - description: Change test public IPs to the supported subset
- type: bugfix
- link: https://github.com/elastic/integrations/pull/2327
-- version: "1.1.0"
- changes:
- - description: Add 8.0.0 version constraint
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2225
-- version: "1.0.0"
- changes:
- - description: Initial draft of the package
- type: enhancement
- link: https://github.com/elastic/integrations/pull/1887
diff --git a/packages/fireeye/1.6.1/data_stream/nx/agent/stream/stream.yml.hbs b/packages/fireeye/1.6.1/data_stream/nx/agent/stream/stream.yml.hbs
deleted file mode 100755
index 2926520e1b..0000000000
--- a/packages/fireeye/1.6.1/data_stream/nx/agent/stream/stream.yml.hbs
+++ /dev/null
@@ -1,17 +0,0 @@
-paths:
-{{#each paths as |path i|}}
-- {{path}}
-{{/each}}
-exclude_files: [".gz$"]
-tags:
-{{#if preserve_original_event}}
-- preserve_original_event
-{{/if}}
-{{#each tags as |tag i|}}
-- {{tag}}
-{{/each}}
-processors:
-- add_locale: ~
-{{#if processors}}
-{{processors}}
-{{/if}}
\ No newline at end of file
diff --git a/packages/fireeye/1.6.1/data_stream/nx/agent/stream/tcp.yml.hbs b/packages/fireeye/1.6.1/data_stream/nx/agent/stream/tcp.yml.hbs
deleted file mode 100755
index 4cd8124d92..0000000000
--- a/packages/fireeye/1.6.1/data_stream/nx/agent/stream/tcp.yml.hbs
+++ /dev/null
@@ -1,19 +0,0 @@
-tcp:
-host: "{{tcp_host}}:{{tcp_port}}"
-tags:
-{{#if preserve_original_event}}
-- preserve_original_event
-{{/if}}
-{{#each tags as |tag i|}}
-- {{tag}}
-{{/each}}
-fields_under_root: true
-{{#contains "forwarded" tags}}
-publisher_pipeline.disable_host: true
-{{/contains}}
-
-processors:
-- add_locale: ~
-{{#if processors}}
-{{processors}}
-{{/if}}
\ No newline at end of file
diff --git a/packages/fireeye/1.6.1/data_stream/nx/agent/stream/udp.yml.hbs b/packages/fireeye/1.6.1/data_stream/nx/agent/stream/udp.yml.hbs
deleted file mode 100755
index 405544b01a..0000000000
--- a/packages/fireeye/1.6.1/data_stream/nx/agent/stream/udp.yml.hbs
+++ /dev/null
@@ -1,19 +0,0 @@
-udp:
-host: "{{udp_host}}:{{udp_port}}"
-tags:
-{{#if preserve_original_event}}
-- preserve_original_event
-{{/if}}
-{{#each tags as |tag i|}}
-- {{tag}}
-{{/each}}
-fields_under_root: true
-{{#contains "forwarded" tags}}
-publisher_pipeline.disable_host: true
-{{/contains}}
-
-processors:
-- add_locale: ~
-{{#if processors}}
-{{processors}}
-{{/if}}
\ No newline at end of file
diff --git a/packages/fireeye/1.6.1/data_stream/nx/elasticsearch/ingest_pipeline/default.yml b/packages/fireeye/1.6.1/data_stream/nx/elasticsearch/ingest_pipeline/default.yml
deleted file mode 100755
index 2614c17c2f..0000000000
--- a/packages/fireeye/1.6.1/data_stream/nx/elasticsearch/ingest_pipeline/default.yml
+++ /dev/null
@@ -1,185 +0,0 @@
----
-description: Pipeline for processing FireEye NX logs
-processors:
- - set:
- field: ecs.version
- value: '8.4.0'
- - set:
- field: observer.vendor
- value: "Fireeye"
- - set:
- field: observer.product
- value: "NX"
- - rename:
- field: message
- target_field: event.original
- ignore_missing: true
- - json:
- field: event.original
- target_field: json
- ignore_failure: true
- - json:
- field: json.rawmsg
- target_field: rawmsg
- ignore_failure: true
- # rename raw fields
- - pipeline:
- name: '{{ IngestPipeline "renaming-raws" }}'
- - date:
- field: temp_ts
- formats:
- - strict_date_optional_time_nanos
- - remove:
- field: temp_ts
- - geoip:
- field: destination.address
- target_field: destination.geo
- ignore_missing: true
- - geoip:
- field: source.address
- target_field: source.geo
- ignore_missing: true
- - geoip:
- database_file: GeoLite2-ASN.mmdb
- field: source.address
- target_field: source.as
- properties:
- - asn
- - organization_name
- ignore_missing: true
- - geoip:
- database_file: GeoLite2-ASN.mmdb
- field: destination.address
- target_field: destination.as
- properties:
- - asn
- - organization_name
- ignore_missing: true
- - rename:
- field: source.as.asn
- target_field: source.as.number
- ignore_missing: true
- - rename:
- field: source.as.organization_name
- target_field: source.as.organization.name
- ignore_missing: true
- - rename:
- field: destination.as.asn
- target_field: destination.as.number
- ignore_missing: true
- - rename:
- field: destination.as.organization_name
- target_field: destination.as.organization.name
- ignore_missing: true
- - user_agent:
- field: user_agent.original
- ignore_missing: true
-
- - append:
- field: event.category
- value: network
- if: "['dns', 'flow', 'tls'].contains(ctx?.event?.type)"
- - append:
- field: event.category
- value: [web, network]
- if: ctx?.event?.type == 'http'
- - append:
- field: event.category
- value: [file, network]
- if: ctx?.event?.type == 'fileinfo'
- - set:
- field: event.type
- value: [info]
-
- #
- # Normalize protocol names
- #
- - lowercase:
- field: "network.transport"
- ignore_missing: true
- - lowercase:
- field: "network.protocol"
- ignore_missing: true
- - lowercase:
- field: "network.direction"
- ignore_missing: true
- - lowercase:
- field: "network.type"
- ignore_missing: true
- #
- # Populate network.iana_number from network.transport. Also does reverse
- # mapping in case network.transport contains the iana_number.
- #
- - script:
- if: "ctx?.network?.transport != null"
- lang: painless
- params:
- icmp: '1'
- igmp: '2'
- ipv4: '4'
- tcp: '6'
- egp: '8'
- igp: '9'
- pup: '12'
- udp: '17'
- rdp: '27'
- irtp: '28'
- dccp: '33'
- idpr: '35'
- ipv6: '41'
- ipv6-route: '43'
- ipv6-frag: '44'
- rsvp: '46'
- gre: '47'
- esp: '50'
- ipv6-icmp: '58'
- ipv6-nonxt: '59'
- ipv6-opts: '60'
- source: >
- def net = ctx.network;
- def iana = params[net.transport];
- if (iana != null) {
- net['iana_number'] = iana;
- return;
- }
- def reverse = new HashMap();
- def[] arr = new def[] { null };
- for (entry in params.entrySet()) {
- arr[0] = entry.getValue();
- reverse.put(String.format("%d", arr), entry.getKey());
- }
- def trans = reverse[net.transport];
- if (trans != null) {
- net['iana_number'] = net.transport;
- net['transport'] = trans;
- }
- - community_id:
- target_field: network.community_id
- - append:
- field: related.ip
- value: "{{source.ip}}"
- allow_duplicates: false
- if: ctx.source?.ip != null
- - append:
- field: related.ip
- value: "{{destination.ip}}"
- allow_duplicates: false
- if: ctx.destination?.ip != null
- - append:
- field: related.hash
- value: "{{tls.server.ja3s}}"
- if: "ctx?.tls?.server?.ja3s != null"
- - append:
- field: related.hash
- value: "{{tls.client.ja3}}"
- if: "ctx?.tls?.client?.ja3 != null"
- allow_duplicates: false
- - remove:
- field:
- - rawmsg
- - json
- ignore_missing: true
-on_failure:
- - set:
- field: error.message
- value: "{{ _ingest.on_failure_message }}"
diff --git a/packages/fireeye/1.6.1/data_stream/nx/elasticsearch/ingest_pipeline/renaming-raws.yml b/packages/fireeye/1.6.1/data_stream/nx/elasticsearch/ingest_pipeline/renaming-raws.yml
deleted file mode 100755
index 6009b81d76..0000000000
--- a/packages/fireeye/1.6.1/data_stream/nx/elasticsearch/ingest_pipeline/renaming-raws.yml
+++ /dev/null
@@ -1,464 +0,0 @@
----
-description: Pipeline for renaming raw fields from incoming event original.
-processors:
- - rename:
- field: rawmsg.timestamp
- target_field: temp_ts
- ignore_missing: true
- - rename:
- field: rawmsg.proto
- target_field: network.transport
- ignore_missing: true
- - rename:
- field: rawmsg.app_proto
- target_field: network.protocol
- ignore_missing: true
- - rename:
- field: rawmsg.flow_id
- target_field: fireeye.nx.flow_id
- ignore_missing: true
- - rename:
- field: rawmsg.event_type
- target_field: event.type
- ignore_missing: true
- - rename:
- field: rawmsg.src_ip
- target_field: source.address
- ignore_missing: true
- - set:
- field: source.ip
- copy_from: source.address
- ignore_empty_value: true
- - rename:
- field: rawmsg.src_port
- target_field: source.port
- ignore_missing: true
- - rename:
- field: rawmsg.dest_ip
- target_field: destination.address
- ignore_missing: true
- - set:
- field: destination.ip
- copy_from: destination.address
- ignore_empty_value: true
- - rename:
- field: rawmsg.dest_port
- target_field: destination.port
- ignore_missing: true
- - rename:
- field: meta_sip4
- target_field: fireeye.nx.device_ip
- ignore_missing: true
- - rename:
- field: meta_oml
- target_field: fireeye.nx.device_oml
- ignore_missing: true
- - rename:
- field: deviceid
- target_field: fireeye.nx.deviceid
- ignore_missing: true
- - rename:
- field: meta_cbname
- target_field: fireeye.nx.hostname
- ignore_missing: true
- # flow event type fields
- - rename:
- field: rawmsg.proto_number
- target_field: network.iana_number
- if: ctx?.event?.type == 'flow'
- ignore_missing: true
- - rename:
- field: rawmsg.flow.pkts_toserver
- target_field: source.packets
- if: ctx?.event?.type == 'flow'
- ignore_missing: true
- - rename:
- field: rawmsg.flow.pkts_toclient
- target_field: destination.packets
- if: ctx?.event?.type == 'flow'
- ignore_missing: true
- - rename:
- field: rawmsg.flow.bytes_toserver
- target_field: source.bytes
- if: ctx?.event?.type == 'flow'
- ignore_missing: true
- - rename:
- field: rawmsg.flow.bytes_toclient
- target_field: destination.bytes
- if: ctx?.event?.type == 'flow'
- ignore_missing: true
- - rename:
- field: rawmsg.flow.start
- target_field: fireeye.nx.flow.starttime
- if: ctx?.event?.type == 'flow'
- ignore_missing: true
- - rename:
- field: rawmsg.flow.end
- target_field: fireeye.nx.flow.endtime
- if: ctx?.event?.type == 'flow'
- ignore_missing: true
- - rename:
- field: rawmsg.flow.age
- target_field: fireeye.nx.flow.age
- if: ctx?.event?.type == 'flow'
- ignore_missing: true
- - rename:
- field: rawmsg.flow.state
- target_field: fireeye.nx.flow.state
- if: ctx?.event?.type == 'flow'
- ignore_missing: true
- - rename:
- field: rawmsg.flow.reason
- target_field: fireeye.nx.flow.reason
- if: ctx?.event?.type == 'flow'
- ignore_missing: true
- - rename:
- field: rawmsg.flow.alerted
- target_field: fireeye.nx.flow.alerted
- if: ctx?.event?.type == 'flow'
- ignore_missing: true
- - rename:
- field: rawmsg.tcp
- target_field: fireeye.nx.tcp
- if: ctx?.event?.type == 'flow'
- ignore_missing: true
- - rename:
- field: rawmsg.icmp_code
- target_field: fireeye.nx.flow.icmp_code
- if: ctx?.event?.type == 'flow'
- ignore_missing: true
- - rename:
- field: rawmsg.icmp_type
- target_field: fireeye.nx.flow.icmp_type
- if: ctx?.event?.type == 'flow'
- ignore_missing: true
- - rename:
- field: rawmsg.response_icmp_code
- target_field: fireeye.nx.flow.response_icmp_code
- if: ctx?.event?.type == 'flow'
- ignore_missing: true
- - rename:
- field: rawmsg.response_icmp_type
- target_field: fireeye.nx.flow.response_icmp_type
- if: ctx?.event?.type == 'flow'
- ignore_missing: true
- # fileinfo event type fields
- - rename:
- field: rawmsg.fileinfo.filename
- target_field: fireeye.nx.fileinfo.filename
- if: ctx?.event?.type == 'fileinfo'
- ignore_missing: true
- - rename:
- field: rawmsg.fileinfo.magic
- target_field: fireeye.nx.fileinfo.magic
- if: ctx?.event?.type == 'fileinfo'
- ignore_missing: true
- - rename:
- field: rawmsg.fileinfo.md5
- target_field: fireeye.nx.fileinfo.md5
- if: ctx?.event?.type == 'fileinfo'
- ignore_missing: true
- - rename:
- field: rawmsg.fileinfo.size
- target_field: fireeye.nx.fileinfo.size
- if: ctx?.event?.type == 'fileinfo'
- ignore_missing: true
- - rename:
- field: rawmsg.fileinfo.state
- target_field: fireeye.nx.fileinfo.state
- if: ctx?.event?.type == 'fileinfo'
- ignore_missing: true
- - rename:
- field: rawmsg.fileinfo.stored
- target_field: fireeye.nx.fileinfo.stored
- if: ctx?.event?.type == 'fileinfo'
- ignore_missing: true
- - rename:
- field: rawmsg.http.hostname
- target_field: url.domain
- if: ctx?.event?.type == 'fileinfo'
- ignore_missing: true
- - rename:
- field: rawmsg.http.http_content_type
- target_field: http.request.mime_type
- if: ctx?.event?.type == 'fileinfo'
- ignore_missing: true
- - rename:
- field: rawmsg.http.http_method
- target_field: http.request.method
- if: ctx?.event?.type == 'fileinfo'
- ignore_missing: true
- - rename:
- field: rawmsg.http.http_refer
- target_field: http.request.referrer
- if: ctx?.event?.type == 'fileinfo'
- ignore_missing: true
- - rename:
- field: rawmsg.http.http_user_agent
- target_field: user_agent.original
- if: ctx?.event?.type == 'fileinfo'
- ignore_missing: true
- - rename:
- field: rawmsg.http.length
- target_field: http.response.bytes
- if: ctx?.event?.type == 'fileinfo'
- ignore_missing: true
- - rename:
- field: rawmsg.http.protocol
- target_field: http.version
- if: ctx?.event?.type == 'fileinfo'
- ignore_missing: true
- - rename:
- field: rawmsg.http.status
- target_field: http.response.status_code
- if: ctx?.event?.type == 'fileinfo'
- ignore_missing: true
- - rename:
- field: rawmsg.http.url
- target_field: url.path
- if: ctx?.event?.type == 'fileinfo'
- ignore_missing: true
- - rename:
- field: rawmsg.iface
- target_field: interface.name
- if: ctx?.event?.type == 'fileinfo'
- ignore_missing: true
- # http event type fields
- - rename:
- field: rawmsg.http.hostname
- target_field: url.domain
- if: ctx?.event?.type == 'http'
- ignore_missing: true
- - rename:
- field: rawmsg.http.http_content_type
- target_field: http.request.mime_type
- if: ctx?.event?.type == 'http'
- ignore_missing: true
- - rename:
- field: rawmsg.http.http_method
- target_field: http.request.method
- if: ctx?.event?.type == 'http'
- ignore_missing: true
- - rename:
- field: rawmsg.http.http_refer
- target_field: http.request.referrer
- if: ctx?.event?.type == 'http'
- ignore_missing: true
- - rename:
- field: rawmsg.http.http_user_agent
- target_field: user_agent.original
- if: ctx?.event?.type == 'http'
- ignore_missing: true
- - rename:
- field: rawmsg.http.length
- target_field: http.response.bytes
- if: ctx?.event?.type == 'http'
- ignore_missing: true
- - rename:
- field: rawmsg.http.protocol
- target_field: http.version
- if: ctx?.event?.type == 'http'
- ignore_missing: true
- - rename:
- field: rawmsg.http.status
- target_field: http.response.status_code
- if: ctx?.event?.type == 'http'
- ignore_missing: true
- - rename:
- field: rawmsg.http.url
- target_field: url.path
- if: ctx?.event?.type == 'http'
- ignore_missing: true
- - rename:
- field: rawmsg.iface
- target_field: interface.name
- if: ctx?.event?.type == 'http'
- ignore_missing: true
- # http event type fields
- - rename:
- field: rawmsg.http.hostname
- target_field: url.domain
- if: ctx?.event?.type == 'http'
- ignore_missing: true
- - rename:
- field: rawmsg.http.http_content_type
- target_field: http.request.mime_type
- if: ctx?.event?.type == 'http'
- ignore_missing: true
- - rename:
- field: rawmsg.http.http_method
- target_field: http.request.method
- if: ctx?.event?.type == 'http'
- ignore_missing: true
- - rename:
- field: rawmsg.http.http_refer
- target_field: http.request.referrer
- if: ctx?.event?.type == 'http'
- ignore_missing: true
- - rename:
- field: rawmsg.http.http_user_agent
- target_field: user_agent.original
- if: ctx?.event?.type == 'http'
- ignore_missing: true
- - rename:
- field: rawmsg.http.length
- target_field: http.response.bytes
- if: ctx?.event?.type == 'http'
- ignore_missing: true
- - rename:
- field: rawmsg.http.protocol
- target_field: http.version
- if: ctx?.event?.type == 'http'
- ignore_missing: true
- - rename:
- field: rawmsg.http.status
- target_field: http.response.status_code
- if: ctx?.event?.type == 'http'
- ignore_missing: true
- - rename:
- field: rawmsg.http.url
- target_field: url.path
- if: ctx?.event?.type == 'http'
- ignore_missing: true
- - rename:
- field: rawmsg.iface
- target_field: interface.name
- if: ctx?.event?.type == 'http'
- ignore_missing: true
- # dns event type fields
- - convert:
- field: rawmsg.dns.id
- target_field: dns.id
- type: string
- if: ctx?.event?.type == 'dns'
- ignore_missing: true
- - rename:
- field: rawmsg.dns.rcode
- target_field: dns.response_code
- if: ctx?.event?.type == 'dns'
- ignore_missing: true
- - rename:
- field: rawmsg.dns.rdata
- target_field: dns.resolved_data
- if: ctx?.event?.type == 'dns'
- ignore_missing: true
- - rename:
- field: rawmsg.dns.rrname
- target_field: dns.question.name
- if: ctx?.event?.type == 'dns'
- ignore_missing: true
- - rename:
- field: rawmsg.dns.rrtype
- target_field: dns.question.type
- if: ctx?.event?.type == 'dns'
- ignore_missing: true
- - rename:
- field: rawmsg.dns.ttl
- target_field: dns.answers.ttl
- if: ctx?.event?.type == 'dns'
- ignore_missing: true
- - rename:
- field: rawmsg.dns.type
- target_field: dns.type
- if: ctx?.event?.type == 'dns'
- ignore_missing: true
- - rename:
- field: rawmsg.iface
- target_field: interface.name
- if: ctx?.event?.type == 'dns'
- ignore_missing: true
- # tls event type fields
- - rename:
- field: rawmsg.tls.client_ciphersuites
- target_field: tls.client.ciphersuites
- if: ctx?.event?.type == 'tls'
- ignore_missing: true
- - rename:
- field: rawmsg.tls.client_tls_exts
- target_field: tls.client.tls_exts
- if: ctx?.event?.type == 'tls'
- ignore_missing: true
- - rename:
- field: rawmsg.tls.fingerprint
- target_field: tls.client.fingerprint
- if: ctx?.event?.type == 'tls'
- ignore_missing: true
- - rename:
- field: rawmsg.tls.issuerdn
- target_field: tls.client.issuer
- if: ctx?.event?.type == 'tls'
- ignore_missing: true
- - rename:
- field: rawmsg.tls.ja3.hash
- target_field: tls.client.ja3
- if: ctx?.event?.type == 'tls'
- ignore_missing: true
- - rename:
- field: rawmsg.tls.ja3.string
- target_field: tls.client.ja3_string
- if: ctx?.event?.type == 'tls'
- ignore_missing: true
- - rename:
- field: rawmsg.tls.ja3s.hash
- target_field: tls.server.ja3s
- if: ctx?.event?.type == 'tls'
- ignore_missing: true
- - rename:
- field: rawmsg.tls.ja3s.string
- target_field: tls.server.ja3s_string
- if: ctx?.event?.type == 'tls'
- ignore_missing: true
- - rename:
- field: rawmsg.tls.notbefore
- target_field: tls.client.not_before
- if: ctx?.event?.type == 'tls'
- ignore_missing: true
- - rename:
- field: rawmsg.tls.notafter
- target_field: tls.client.not_after
- if: ctx?.event?.type == 'tls'
- ignore_missing: true
- - rename:
- field: rawmsg.tls.pubkeylength
- target_field: tls.public_keylength
- if: ctx?.event?.type == 'tls'
- ignore_missing: true
- - rename:
- field: rawmsg.tls.server_ciphersuite
- target_field: tls.server.ciphersuite
- if: ctx?.event?.type == 'tls'
- ignore_missing: true
- - rename:
- field: rawmsg.tls.server_tls_exts
- target_field: tls.server.tls_exts
- if: ctx?.event?.type == 'tls'
- ignore_missing: true
- - rename:
- field: rawmsg.tls.sni
- target_field: tls.client.server_name
- if: ctx?.event?.type == 'tls'
- ignore_missing: true
- - rename:
- field: rawmsg.tls.subject
- target_field: tls.client.subject
- if: ctx?.event?.type == 'tls'
- ignore_missing: true
- - rename:
- field: rawmsg.tls.version
- target_field: tls.version
- if: ctx?.event?.type == 'tls'
- ignore_missing: true
- - rename:
- field: rawmsg.tls.fatal_alert
- target_field: fireeye.nx.tls.fetal_alert
- if: ctx?.event?.type == 'tls'
- ignore_missing: true
- - rename:
- field: rawmsg.iface
- target_field: interface.name
- if: ctx?.event?.type == 'tls'
- ignore_missing: true
-on_failure:
- - set:
- field: error.message
- value: "{{ _ingest.on_failure_message }}"
diff --git a/packages/fireeye/1.6.1/data_stream/nx/fields/agent.yml b/packages/fireeye/1.6.1/data_stream/nx/fields/agent.yml
deleted file mode 100755
index a371c03d96..0000000000
--- a/packages/fireeye/1.6.1/data_stream/nx/fields/agent.yml
+++ /dev/null
@@ -1,186 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: "Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on." - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: "The cloud account or organization id used to identify different entities in a multi-tenant environment.\nExamples: AWS account id, Google Cloud ORG Id, or other unique identifier." - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: "Container fields are used for meta information about the specific container that is the source of information.\nThese fields help correlate data based containers from any runtime." - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: "A host is defined as a general computing instance.\nECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes." - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: "Name of the domain of which the host is a member.\nFor example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider." - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: "Hostname of the host.\nIt normally contains what the `hostname` command returns on the host machine." - - name: id - level: core - type: keyword - ignore_above: 1024 - description: "Unique host id.\nAs hostname is not always unique, use values that are meaningful in your environment.\nExample: The current usage of `beat.name`." 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: "Name of the host.\nIt can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use." - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: "Type of host.\nFor Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment." - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - -- name: input.type - type: keyword - description: Input type -- name: log.offset - type: long - description: Log offset 
diff --git a/packages/fireeye/1.6.1/data_stream/nx/fields/base-fields.yml b/packages/fireeye/1.6.1/data_stream/nx/fields/base-fields.yml deleted file mode 100755 index cdff14cc88..0000000000 --- a/packages/fireeye/1.6.1/data_stream/nx/fields/base-fields.yml +++ /dev/null @@ -1,20 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: '@timestamp' - type: date - description: Event timestamp. -- name: event.module - type: constant_keyword - description: Event module - value: fireeye -- name: event.dataset - type: constant_keyword - description: Event dataset - value: fireeye.nx diff --git a/packages/fireeye/1.6.1/data_stream/nx/fields/ecs.yml b/packages/fireeye/1.6.1/data_stream/nx/fields/ecs.yml deleted file mode 100755 index 94926cab53..0000000000 --- a/packages/fireeye/1.6.1/data_stream/nx/fields/ecs.yml +++ /dev/null 
@@ -1,310 +0,0 @@ -- description: |- - The domain name of the destination system. - This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. - name: destination.domain - type: keyword -- description: IP address of the destination (IPv4 or IPv6). - name: destination.ip - type: ip -- description: Port of the destination. - name: destination.port - type: long -- description: Bytes sent from the destination to the source. - name: destination.bytes - type: long -- description: Packets sent from the destination to the source. - name: destination.packets - type: long -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: Host ip addresses. - name: host.ip - normalize: - - array - type: ip -- description: |- - HTTP request method. - The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field. - name: http.request.method - type: keyword -- description: Referrer for this HTTP request. - name: http.request.referrer - type: keyword -- description: Size in bytes of the response body. - name: http.response.body.bytes - type: long -- description: HTTP response status code. - name: http.response.status_code - type: long -- description: HTTP version. - name: http.version - type: keyword -- description: |- - Mime type of the body of the request. - This value must only be populated based on the content of the request body, not on the `Content-Type` header. Comparing the mime type of a request with the request's Content-Type header can be helpful in detecting threats or misconfigured clients. 
- name: http.request.mime_type - type: keyword -- description: Total size in bytes of the response (body and headers). - name: http.response.bytes - type: long -- description: |- - Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. - If the event wasn't read from a log file, do not populate this field. - name: log.file.path - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - normalize: - - array - type: ip -- description: All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). - name: related.hash - normalize: - - array - type: keyword -- description: Bytes sent from the source to the destination. - name: source.bytes - type: long -- description: Packets sent from the source to the destination. - name: source.packets - type: long -- description: |- - Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: source.address - type: keyword -- description: Port of the source. - name: source.port - type: long -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: source.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: source.as.organization.name - type: keyword -- description: City name. - name: source.geo.city_name - type: keyword -- description: Name of the continent. - name: source.geo.continent_name - type: keyword -- description: Country ISO code. 
- name: source.geo.country_iso_code - type: keyword -- description: Country name. - name: source.geo.country_name - type: keyword -- description: Longitude and latitude. - name: source.geo.location - type: geo_point -- description: Region ISO code. - name: source.geo.region_iso_code - type: keyword -- description: Region name. - name: source.geo.region_name - type: keyword -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: |- - Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: destination.address - type: keyword -- description: Port of the destination. - name: destination.port - type: long -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: destination.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: destination.as.organization.name - type: keyword -- description: City name. - name: destination.geo.city_name - type: keyword -- description: Name of the continent. - name: destination.geo.continent_name - type: keyword -- description: Country ISO code. - name: destination.geo.country_iso_code - type: keyword -- description: Country name. - name: destination.geo.country_name - type: keyword -- description: Longitude and latitude. - name: destination.geo.location - type: geo_point -- description: Region ISO code. - name: destination.geo.region_iso_code - type: keyword -- description: Region name. - name: destination.geo.region_name - type: keyword -- description: List of keywords used to tag each event. - name: tags - normalize: - - array - type: keyword -- description: |- - Domain of the url, such as "www.elastic.co". 
- In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. - If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. - name: url.domain - type: keyword -- description: |- - The field contains the file extension from the original request url, excluding the leading dot. - The file extension is only set if it exists, as not every url has a file extension. - The leading period must not be included. For example, the value must be "png", not ".png". - Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). - name: url.extension - type: keyword -- description: |- - Portion of the url after the `#`, such as "top". - The `#` is not part of the fragment. - name: url.fragment - type: keyword -- description: |- - Unmodified original url as seen in the event source. - Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. - This field is meant to represent the URL as it was observed, complete or not. - multi_fields: - - name: text - type: match_only_text - name: url.original - type: wildcard -- description: Path of the request, such as "/search". - name: url.path - type: wildcard -- description: |- - Scheme of the request, such as "https". - Note: The `:` is not part of the scheme. - name: url.scheme - type: keyword -- description: Short name or login of the user. - multi_fields: - - name: text - type: match_only_text - name: user.name - type: keyword -- description: Name of the device. - name: user_agent.device.name - type: keyword -- description: Name of the user agent. - name: user_agent.name - type: keyword -- description: Unparsed user_agent string. 
- multi_fields: - - name: text - type: match_only_text - name: user_agent.original - type: keyword -- description: Operating system name, including the version or code name. - multi_fields: - - name: text - type: match_only_text - name: user_agent.os.full - type: keyword -- description: Operating system name, without the version. - multi_fields: - - name: text - type: match_only_text - name: user_agent.os.name - type: keyword -- description: Operating system version as a raw string. - name: user_agent.os.version - type: keyword -- description: Version of the user agent. - name: user_agent.version - type: keyword -- description: |- - Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) - The field value must be normalized to lowercase for querying. - name: network.transport - type: keyword -- description: |- - In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. - The field value must be normalized to lowercase for querying. - name: network.protocol - type: keyword -- description: |- - A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. - Learn more at https://github.com/corelight/community-id-spec. - name: network.community_id - type: keyword -- description: IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. - name: network.iana_number - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. - `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. 
This will allow proper categorization of some events that fall in multiple event types. - name: event.type - normalize: - - array - type: keyword -- description: Interface name as reported by the system. - name: interface.name - type: keyword -- description: The DNS response code. - name: dns.response_code - type: keyword -- description: |- - The name being queried. - If the name field contains non-printable characters (below 32 or above 126), those characters should be represented as escaped base 10 integers (\DDD). Back slashes and quotes should be escaped. Tabs, carriage returns, and line feeds should be converted to \t, \r, and \n respectively. - name: dns.question.name - type: keyword -- description: The type of record being queried. - name: dns.question.type - type: keyword -- description: The time interval in seconds that this resource record may be cached before it should be discarded. Zero values mean that the data should not be cached. - name: dns.answers.ttl - type: long -- description: |- - The type of DNS event captured, query or answer. - If your source of DNS events only gives you DNS queries, you should only create dns events of type `dns.type:query`. - If your source of DNS events gives you answers as well, you should create one event per query (optionally as soon as the query is seen). And a second event containing all query details as well as an array of answers. - name: dns.type - type: keyword -- description: The DNS packet identifier assigned by the program that generated the query. The identifier is copied to the response. - name: dns.id - type: keyword -- description: Distinguished name of subject of the issuer of the x.509 certificate presented by the client. - name: tls.client.issuer - type: keyword -- description: A hash that identifies clients based on how they perform an SSL/TLS handshake. - name: tls.client.ja3 - type: keyword -- description: Date/Time indicating when client certificate is first considered valid. 
- name: tls.client.not_before - type: date -- description: Date/Time indicating when client certificate is no longer considered valid. - name: tls.client.not_after - type: date -- description: Also called an SNI, this tells the server which hostname to which the client is attempting to connect to. When this value is available, it should get copied to `destination.domain`. - name: tls.client.server_name - type: keyword -- description: Distinguished name of subject of the x.509 certificate presented by the client. - name: tls.client.subject - type: keyword -- description: A hash that identifies servers based on how they perform an SSL/TLS handshake. - name: tls.server.ja3s - type: keyword -- description: Numeric part of the version parsed from the original string. - name: tls.version - type: keyword -- description: The product name of the observer. - name: observer.product - type: keyword -- description: Vendor name of the observer. - name: observer.vendor - type: keyword diff --git a/packages/fireeye/1.6.1/data_stream/nx/fields/fields.yml b/packages/fireeye/1.6.1/data_stream/nx/fields/fields.yml deleted file mode 100755 index 8a25bb461f..0000000000 --- a/packages/fireeye/1.6.1/data_stream/nx/fields/fields.yml +++ /dev/null 
@@ -1,108 +0,0 @@ -- name: fireeye.nx - type: group - fields: - - name: flow_id - type: long - description: Flow ID of the event. - - name: flow - type: group - fields: - - name: age - type: long - description: Flow age. - - name: alerted - type: boolean - description: Flow alerted or not. - - name: endtime - type: date - description: Flow endtime. - - name: reason - type: keyword - description: Flow reason. - - name: starttime - type: date - description: Flow start time. - - name: state - type: keyword - description: Flow state. - - name: tcp - type: group - fields: - - name: ack - type: boolean - description: TCP acknowledgement. - - name: psh - type: boolean - description: TCP PSH. - - name: state - type: keyword - description: TCP connectin state. - - name: syn - type: boolean - description: TCP SYN. - - name: tcp_flags - type: keyword - description: TCP flags. - - name: tcp_flags_tc - type: keyword - description: TCP flags. - - name: tcp_flags_ts - type: keyword - description: TCP flags. - - name: fileinfo - type: group - fields: - - name: filename - type: keyword - description: File name. - - name: magic - type: keyword - description: Fileinfo magic. - - name: md5 - type: keyword - description: File hash. - - name: size - type: long - description: File size. - - name: state - type: keyword - description: File state. - - name: stored - type: boolean - description: File stored or not. -- name: tls - type: group - fields: - - name: client - type: group - fields: - - name: ciphersuites - type: array - description: TLS cipher suites by client. - - name: fingerprint - type: keyword - description: TLS fingerprint. - - name: ja3_string - type: keyword - description: A hash that identifies clients based on how they perform an SSL/TLS handshake. - - name: tls_exts - type: array - description: TLS extensions set by client. - - name: server - type: group - fields: - - name: ciphersuite - type: array - description: TLS cipher suites by server. 
- - name: ja3s_string - type: keyword - description: A hash that identifies servers based on how they perform an SSL/TLS handshake. - - name: tls_exts - type: array - description: TLS extensions set by server. - - name: public_keylength - type: long - description: TLS public key length. -- name: log.source.address - type: keyword - description: Logs Source Raw address. diff --git a/packages/fireeye/1.6.1/data_stream/nx/manifest.yml b/packages/fireeye/1.6.1/data_stream/nx/manifest.yml deleted file mode 100755 index c52d2799be..0000000000 --- a/packages/fireeye/1.6.1/data_stream/nx/manifest.yml +++ /dev/null 
@@ -1,149 +0,0 @@ -title: Fireeye NX -type: logs -streams: - - input: logfile - template_path: stream.yml.hbs - title: Fireeye NX logs - description: Collect fireye nx logs - vars: - - name: paths - type: text - title: Paths - multi: true - required: true - show_user: true - default: - - /var/log/fireeye-nx* - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: false - default: - - fireeye-nx - - name: tz_offset - type: text - title: Timezone offset (+HH:mm format) - multi: false - required: false - show_user: true - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original` - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: > - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. 
- - - input: udp - title: Fireeye NX logs - description: Collect Fireeye NX logs using udp input - template_path: udp.yml.hbs - vars: - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: false - default: - - fireeye-nx - - forwarded - - name: udp_host - type: text - title: UDP host to listen on - multi: false - required: true - show_user: true - default: localhost - - name: udp_port - type: integer - title: UDP port to listen on - multi: false - required: true - show_user: true - default: 9523 - - name: tz_offset - type: text - title: Timezone offset (+HH:mm format) - multi: false - required: false - show_user: true - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original` - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: > - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. 
- - - input: tcp - title: Fireeye NX logs - description: Collect Fireeye NX logs - template_path: tcp.yml.hbs - vars: - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: false - default: - - fireeye-nx - - forwarded - - name: tcp_host - type: text - title: TCP host to listen on - multi: false - required: true - show_user: true - default: localhost - - name: tcp_port - type: integer - title: TCP port to listen on - multi: false - required: true - show_user: true - default: 9523 - - name: tz_offset - type: text - title: Timezone offset (+HH:mm format) - multi: false - required: false - show_user: true - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original` - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: > - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. - diff --git a/packages/fireeye/1.6.1/data_stream/nx/sample_event.json b/packages/fireeye/1.6.1/data_stream/nx/sample_event.json deleted file mode 100755 index 82e546ae4e..0000000000 --- a/packages/fireeye/1.6.1/data_stream/nx/sample_event.json +++ /dev/null 
@@ -1,112 +0,0 @@ -{ - "@timestamp": "2020-09-22T08:34:44.991Z", - "agent": { - "ephemeral_id": "9c10aabf-b5f2-46d4-af8d-eccd5dfe3597", - "id": "2411eb51-1c57-41d1-962f-cd06ac57198b", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "8.2.0" - }, - "data_stream": { - "dataset": "fireeye.nx", - "namespace": "ep", - "type": "logs" - }, - "destination": { - "address": "ff02:0000:0000:0000:0000:0000:0000:0001", - "bytes": 0, - "ip": "ff02:0000:0000:0000:0000:0000:0000:0001", - "packets": 0, - "port": 10001 - }, - "ecs": { - "version": "8.3.0" - }, - "elastic_agent": { - "id": "2411eb51-1c57-41d1-962f-cd06ac57198b", - "snapshot": false, - "version": "8.2.0" - }, - "event": { - "agent_id_status": "verified", - "category": [ - "network" - ], - "dataset": "fireeye.nx", - "ingested": "2022-05-12T06:20:01Z", - "original": "{\"rawmsg\":\"{\\\"timestamp\\\":\\\"2020-09-22T08:34:44.991339+0000\\\",\\\"flow_id\\\":721570461162990,\\\"event_type\\\":\\\"flow\\\",\\\"src_ip\\\":\\\"fe80:0000:0000:0000:feec:daff:fe31:b706\\\",\\\"src_port\\\":45944,\\\"dest_ip\\\":\\\"ff02:0000:0000:0000:0000:0000:0000:0001\\\",\\\"dest_port\\\":10001,\\\"proto\\\":\\\"UDP\\\",\\\"proto_number\\\":17,\\\"ip_tc\\\":0,\\\"app_proto\\\":\\\"failed\\\",\\\"flow\\\":{\\\"pkts_toserver\\\":8,\\\"pkts_toclient\\\":0,\\\"bytes_toserver\\\":1680,\\\"bytes_toclient\\\":0,\\\"start\\\":\\\"2020-09-22T08:34:12.761326+0000\\\",\\\"end\\\":\\\"2020-09-22T08:34:12.761348+0000\\\",\\\"age\\\":0,\\\"state\\\":\\\"new\\\",\\\"reason\\\":\\\"timeout\\\",\\\"alerted\\\":false}}\\n\",\"meta_sip4\":\"192.168.1.99\",\"meta_oml\":520,\"deviceid\":\"860665216674\",\"meta_cbname\":\"fireeye-7e0de1\"}", - "timezone": "+00:00", - "type": [ - "info" - ] - }, - "fireeye": { - "nx": { - "flow": { - "age": 0, - "alerted": false, - "endtime": "2020-09-22T08:34:12.761348+0000", - "reason": "timeout", - "starttime": "2020-09-22T08:34:12.761326+0000", - "state": "new" - }, - "flow_id": 721570461162990 - } - }, - 
"host": { - "architecture": "x86_64", - "containerized": false, - "hostname": "docker-fleet-agent", - "ip": [ - "192.168.16.7" - ], - "mac": [ - "02:42:c0:a8:10:07" - ], - "name": "docker-fleet-agent", - "os": { - "codename": "focal", - "family": "debian", - "kernel": "5.10.104-linuxkit", - "name": "Ubuntu", - "platform": "ubuntu", - "type": "linux", - "version": "20.04.4 LTS (Focal Fossa)" - } - }, - "input": { - "type": "log" - }, - "log": { - "file": { - "path": "/tmp/service_logs/fireeye-nx.log" - }, - "offset": 0 - }, - "network": { - "community_id": "1:McNAQcsUcKZYOHHZYm0sD8JiBLc=", - "iana_number": "17", - "protocol": "failed", - "transport": "udp" - }, - "observer": { - "product": "NX", - "vendor": "Fireeye" - }, - "related": { - "ip": [ - "fe80:0000:0000:0000:feec:daff:fe31:b706", - "ff02:0000:0000:0000:0000:0000:0000:0001" - ] - }, - "source": { - "address": "fe80:0000:0000:0000:feec:daff:fe31:b706", - "bytes": 1680, - "ip": "fe80:0000:0000:0000:feec:daff:fe31:b706", - "packets": 8, - "port": 45944 - }, - "tags": [ - "fireeye-nx" - ] -} \ No newline at end of file diff --git a/packages/fireeye/1.6.1/docs/README.md b/packages/fireeye/1.6.1/docs/README.md deleted file mode 100755 index 1ff07b8299..0000000000 --- a/packages/fireeye/1.6.1/docs/README.md +++ /dev/null 
@@ -1,287 +0,0 @@ -# FireEye Integration - -This integration periodically fetches logs from [FireEye Network Security](https://www.fireeye.com/products/network-security.html) devices. - -## Compatibility - -The FireEye `nx` integration has been developed against FireEye Network Security 9.0.0.916432 but is expected to work with other versions. - -## Logs - -### NX - -The `nx` integration ingests network security logs from FireEye NX through TCP/UDP and file. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. 
You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| destination.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| destination.as.organization.name | Organization name. | keyword | -| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. | match_only_text | -| destination.bytes | Bytes sent from the destination to the source. | long | -| destination.domain | The domain name of the destination system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | -| destination.geo.city_name | City name. | keyword | -| destination.geo.continent_name | Name of the continent. | keyword | -| destination.geo.country_iso_code | Country ISO code. | keyword | -| destination.geo.country_name | Country name. | keyword | -| destination.geo.location | Longitude and latitude. | geo_point | -| destination.geo.region_iso_code | Region ISO code. | keyword | -| destination.geo.region_name | Region name. | keyword | -| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | -| destination.packets | Packets sent from the destination to the source. | long | -| destination.port | Port of the destination. | long | -| dns.answers.ttl | The time interval in seconds that this resource record may be cached before it should be discarded. Zero values mean that the data should not be cached. | long | -| dns.id | The DNS packet identifier assigned by the program that generated the query. The identifier is copied to the response. | keyword | -| dns.question.name | The name being queried. 
If the name field contains non-printable characters (below 32 or above 126), those characters should be represented as escaped base 10 integers (\DDD). Back slashes and quotes should be escaped. Tabs, carriage returns, and line feeds should be converted to \t, \r, and \n respectively. | keyword | -| dns.question.type | The type of record being queried. | keyword | -| dns.response_code | The DNS response code. | keyword | -| dns.type | The type of DNS event captured, query or answer. If your source of DNS events only gives you DNS queries, you should only create dns events of type `dns.type:query`. If your source of DNS events gives you answers as well, you should create one event per query (optionally as soon as the query is seen). And a second event containing all query details as well as an array of answers. | keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| event.dataset | Event dataset | constant_keyword | -| event.module | Event module | constant_keyword | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | -| fireeye.nx.fileinfo.filename | File name. | keyword | -| fireeye.nx.fileinfo.magic | Fileinfo magic. | keyword | -| fireeye.nx.fileinfo.md5 | File hash. | keyword | -| fireeye.nx.fileinfo.size | File size. | long | -| fireeye.nx.fileinfo.state | File state. 
| keyword | -| fireeye.nx.fileinfo.stored | File stored or not. | boolean | -| fireeye.nx.flow.age | Flow age. | long | -| fireeye.nx.flow.alerted | Flow alerted or not. | boolean | -| fireeye.nx.flow.endtime | Flow endtime. | date | -| fireeye.nx.flow.reason | Flow reason. | keyword | -| fireeye.nx.flow.starttime | Flow start time. | date | -| fireeye.nx.flow.state | Flow state. | keyword | -| fireeye.nx.flow_id | Flow ID of the event. | long | -| fireeye.nx.tcp.ack | TCP acknowledgement. | boolean | -| fireeye.nx.tcp.psh | TCP PSH. | boolean | -| fireeye.nx.tcp.state | TCP connectin state. | keyword | -| fireeye.nx.tcp.syn | TCP SYN. | boolean | -| fireeye.nx.tcp.tcp_flags | TCP flags. | keyword | -| fireeye.nx.tcp.tcp_flags_tc | TCP flags. | keyword | -| fireeye.nx.tcp.tcp_flags_ts | TCP flags. | keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). 
| keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| http.request.method | HTTP request method. The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field. | keyword | -| http.request.mime_type | Mime type of the body of the request. This value must only be populated based on the content of the request body, not on the `Content-Type` header. Comparing the mime type of a request with the request's Content-Type header can be helpful in detecting threats or misconfigured clients. | keyword | -| http.request.referrer | Referrer for this HTTP request. | keyword | -| http.response.body.bytes | Size in bytes of the response body. | long | -| http.response.bytes | Total size in bytes of the response (body and headers). | long | -| http.response.status_code | HTTP response status code. | long | -| http.version | HTTP version. | keyword | -| input.type | Input type | keyword | -| interface.name | Interface name as reported by the system. | keyword | -| log.file.path | Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. | keyword | -| log.offset | Log offset | long | -| log.source.address | Logs Source Raw address. 
| keyword | -| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword | -| network.iana_number | IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. | keyword | -| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword | -| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword | -| observer.product | The product name of the observer. | keyword | -| observer.vendor | Vendor name of the observer. | keyword | -| related.hash | All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| source.as.organization.name | Organization name. | keyword | -| source.as.organization.name.text | Multi-field of `source.as.organization.name`. 
| match_only_text | -| source.bytes | Bytes sent from the source to the destination. | long | -| source.geo.city_name | City name. | keyword | -| source.geo.continent_name | Name of the continent. | keyword | -| source.geo.country_iso_code | Country ISO code. | keyword | -| source.geo.country_name | Country name. | keyword | -| source.geo.location | Longitude and latitude. | geo_point | -| source.geo.region_iso_code | Region ISO code. | keyword | -| source.geo.region_name | Region name. | keyword | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| source.packets | Packets sent from the source to the destination. | long | -| source.port | Port of the source. | long | -| tags | List of keywords used to tag each event. | keyword | -| tls.client.ciphersuites | TLS cipher suites by client. | array | -| tls.client.fingerprint | TLS fingerprint. | keyword | -| tls.client.issuer | Distinguished name of subject of the issuer of the x.509 certificate presented by the client. | keyword | -| tls.client.ja3 | A hash that identifies clients based on how they perform an SSL/TLS handshake. | keyword | -| tls.client.ja3_string | A hash that identifies clients based on how they perform an SSL/TLS handshake. | keyword | -| tls.client.not_after | Date/Time indicating when client certificate is no longer considered valid. | date | -| tls.client.not_before | Date/Time indicating when client certificate is first considered valid. | date | -| tls.client.server_name | Also called an SNI, this tells the server which hostname to which the client is attempting to connect to. When this value is available, it should get copied to `destination.domain`. | keyword | -| tls.client.subject | Distinguished name of subject of the x.509 certificate presented by the client. | keyword | -| tls.client.tls_exts | TLS extensions set by client. | array | -| tls.public_keylength | TLS public key length. | long | -| tls.server.ciphersuite | TLS cipher suites by server. 
| array | -| tls.server.ja3s | A hash that identifies servers based on how they perform an SSL/TLS handshake. | keyword | -| tls.server.ja3s_string | A hash that identifies servers based on how they perform an SSL/TLS handshake. | keyword | -| tls.server.tls_exts | TLS extensions set by server. | array | -| tls.version | Numeric part of the version parsed from the original string. | keyword | -| url.domain | Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. | keyword | -| url.extension | The field contains the file extension from the original request url, excluding the leading dot. The file extension is only set if it exists, as not every url has a file extension. The leading period must not be included. For example, the value must be "png", not ".png". Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword | -| url.fragment | Portion of the url after the `#`, such as "top". The `#` is not part of the fragment. | keyword | -| url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | wildcard | -| url.original.text | Multi-field of `url.original`. | match_only_text | -| url.path | Path of the request, such as "/search". | wildcard | -| url.scheme | Scheme of the request, such as "https". Note: The `:` is not part of the scheme. | keyword | -| user.name | Short name or login of the user. | keyword | -| user.name.text | Multi-field of `user.name`. 
| match_only_text | -| user_agent.device.name | Name of the device. | keyword | -| user_agent.name | Name of the user agent. | keyword | -| user_agent.original | Unparsed user_agent string. | keyword | -| user_agent.original.text | Multi-field of `user_agent.original`. | match_only_text | -| user_agent.os.full | Operating system name, including the version or code name. | keyword | -| user_agent.os.full.text | Multi-field of `user_agent.os.full`. | match_only_text | -| user_agent.os.name | Operating system name, without the version. | keyword | -| user_agent.os.name.text | Multi-field of `user_agent.os.name`. | match_only_text | -| user_agent.os.version | Operating system version as a raw string. | keyword | -| user_agent.version | Version of the user agent. | keyword | - - -An example event for `nx` looks as following: - -```json -{ - "@timestamp": "2020-09-22T08:34:44.991Z", - "agent": { - "ephemeral_id": "9c10aabf-b5f2-46d4-af8d-eccd5dfe3597", - "id": "2411eb51-1c57-41d1-962f-cd06ac57198b", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "8.2.0" - }, - "data_stream": { - "dataset": "fireeye.nx", - "namespace": "ep", - "type": "logs" - }, - "destination": { - "address": "ff02:0000:0000:0000:0000:0000:0000:0001", - "bytes": 0, - "ip": "ff02:0000:0000:0000:0000:0000:0000:0001", - "packets": 0, - "port": 10001 - }, - "ecs": { - "version": "8.3.0" - }, - "elastic_agent": { - "id": "2411eb51-1c57-41d1-962f-cd06ac57198b", - "snapshot": false, - "version": "8.2.0" - }, - "event": { - "agent_id_status": "verified", - "category": [ - "network" - ], - "dataset": "fireeye.nx", - "ingested": "2022-05-12T06:20:01Z", - "original": 
"{\"rawmsg\":\"{\\\"timestamp\\\":\\\"2020-09-22T08:34:44.991339+0000\\\",\\\"flow_id\\\":721570461162990,\\\"event_type\\\":\\\"flow\\\",\\\"src_ip\\\":\\\"fe80:0000:0000:0000:feec:daff:fe31:b706\\\",\\\"src_port\\\":45944,\\\"dest_ip\\\":\\\"ff02:0000:0000:0000:0000:0000:0000:0001\\\",\\\"dest_port\\\":10001,\\\"proto\\\":\\\"UDP\\\",\\\"proto_number\\\":17,\\\"ip_tc\\\":0,\\\"app_proto\\\":\\\"failed\\\",\\\"flow\\\":{\\\"pkts_toserver\\\":8,\\\"pkts_toclient\\\":0,\\\"bytes_toserver\\\":1680,\\\"bytes_toclient\\\":0,\\\"start\\\":\\\"2020-09-22T08:34:12.761326+0000\\\",\\\"end\\\":\\\"2020-09-22T08:34:12.761348+0000\\\",\\\"age\\\":0,\\\"state\\\":\\\"new\\\",\\\"reason\\\":\\\"timeout\\\",\\\"alerted\\\":false}}\\n\",\"meta_sip4\":\"192.168.1.99\",\"meta_oml\":520,\"deviceid\":\"860665216674\",\"meta_cbname\":\"fireeye-7e0de1\"}", - "timezone": "+00:00", - "type": [ - "info" - ] - }, - "fireeye": { - "nx": { - "flow": { - "age": 0, - "alerted": false, - "endtime": "2020-09-22T08:34:12.761348+0000", - "reason": "timeout", - "starttime": "2020-09-22T08:34:12.761326+0000", - "state": "new" - }, - "flow_id": 721570461162990 - } - }, - "host": { - "architecture": "x86_64", - "containerized": false, - "hostname": "docker-fleet-agent", - "ip": [ - "192.168.16.7" - ], - "mac": [ - "02:42:c0:a8:10:07" - ], - "name": "docker-fleet-agent", - "os": { - "codename": "focal", - "family": "debian", - "kernel": "5.10.104-linuxkit", - "name": "Ubuntu", - "platform": "ubuntu", - "type": "linux", - "version": "20.04.4 LTS (Focal Fossa)" - } - }, - "input": { - "type": "log" - }, - "log": { - "file": { - "path": "/tmp/service_logs/fireeye-nx.log" - }, - "offset": 0 - }, - "network": { - "community_id": "1:McNAQcsUcKZYOHHZYm0sD8JiBLc=", - "iana_number": "17", - "protocol": "failed", - "transport": "udp" - }, - "observer": { - "product": "NX", - "vendor": "Fireeye" - }, - "related": { - "ip": [ - "fe80:0000:0000:0000:feec:daff:fe31:b706", - "ff02:0000:0000:0000:0000:0000:0000:0001" 
- ]
- },
- "source": {
- "address": "fe80:0000:0000:0000:feec:daff:fe31:b706",
- "bytes": 1680,
- "ip": "fe80:0000:0000:0000:feec:daff:fe31:b706",
- "packets": 8,
- "port": 45944
- },
- "tags": [
- "fireeye-nx"
- ]
-}
-```
\ No newline at end of file
diff --git a/packages/fireeye/1.6.1/img/FireEye-logo.svg b/packages/fireeye/1.6.1/img/FireEye-logo.svg
deleted file mode 100755
index 50906981f0..0000000000
--- a/packages/fireeye/1.6.1/img/FireEye-logo.svg
+++ /dev/null
@@ -1,21 +0,0 @@
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
diff --git a/packages/fireeye/1.6.1/manifest.yml b/packages/fireeye/1.6.1/manifest.yml
deleted file mode 100755
index 969382eefd..0000000000
--- a/packages/fireeye/1.6.1/manifest.yml
+++ /dev/null
@@ -1,35 +0,0 @@
-format_version: 1.0.0
-name: fireeye
-title: "FireEye Network Security"
-version: 1.6.1
-license: basic
-description: Collect logs from FireEye NX with Elastic Agent.
-type: integration
-categories:
- - monitoring
- - network
- - security
-release: ga
-conditions:
- kibana.version: "^7.16.0 || ^8.0.0"
-icons:
- - src: /img/FireEye-logo.svg
- title: Fireeye logo
- size: 32x32
- type: image/svg+xml
-policy_templates:
- - name: fireeye
- title: Fireeye NX logs
- description: Collect Fireeye NX logs
- inputs:
- - type: logfile
- title: Collect Fireeye NX logs from instances
- description: Collecting Fireeye NX logs
- - type: udp
- title: Collect logs from Fireeye NXtwork Security via UDP
- description: Collecting Fireeye NX logs via UDP
- - type: tcp
- title: Collect logs from Fireeye NXtwork Security via TCP
- description: Collecting Fireeye NX logs via TCP
-owner:
- github: elastic/security-external-integrations
diff --git a/packages/fortinet_forticlient/1.1.2/LICENSE.txt b/packages/fortinet_forticlient/1.1.2/LICENSE.txt
deleted file mode 100755
index 809108b857..0000000000
--- a/packages/fortinet_forticlient/1.1.2/LICENSE.txt
+++ /dev/null
@@ -1,93 +0,0 @@
-Elastic License 2.0
-
-URL: https://www.elastic.co/licensing/elastic-license
-
-## Acceptance
-
-By using the software, you agree to all of the terms and conditions below.
-
-## Copyright License
-
-The licensor grants you a non-exclusive, royalty-free, worldwide,
-non-sublicensable, non-transferable license to use, copy, distribute, make
-available, and prepare derivative works of the software, in each case subject to
-the limitations and conditions below.
-
-## Limitations
-
-You may not provide the software to third parties as a hosted or managed
-service, where the service provides users with access to any substantial set of
-the features or functionality of the software.
-
-You may not move, change, disable, or circumvent the license key functionality
-in the software, and you may not remove or obscure any functionality in the
-software that is protected by the license key.
-
-You may not alter, remove, or obscure any licensing, copyright, or other notices
-of the licensor in the software. Any use of the licensor’s trademarks is subject
-to applicable law.
-
-## Patents
-
-The licensor grants you a license, under any patent claims the licensor can
-license, or becomes able to license, to make, have made, use, sell, offer for
-sale, import and have imported the software, in each case subject to the
-limitations and conditions in this license. This license does not cover any
-patent claims that you cause to be infringed by modifications or additions to
-the software. If you or your company make any written claim that the software
-infringes or contributes to infringement of any patent, your patent license for
-the software granted under these terms ends immediately. If your company makes
-such a claim, your patent license ends immediately for work on behalf of your
-company.
-
-## Notices
-
-You must ensure that anyone who gets a copy of any part of the software from you
-also gets a copy of these terms.
-
-If you modify the software, you must include in any modified copies of the
-software prominent notices stating that you have modified the software.
-
-## No Other Rights
-
-These terms do not imply any licenses other than those expressly granted in
-these terms.
-
-## Termination
-
-If you use the software in violation of these terms, such use is not licensed,
-and your licenses will automatically terminate. If the licensor provides you
-with a notice of your violation, and you cease all violation of this license no
-later than 30 days after you receive that notice, your licenses will be
-reinstated retroactively. However, if you violate these terms after such
-reinstatement, any additional violation of these terms will cause your licenses
-to terminate automatically and permanently.
-
-## No Liability
-
-*As far as the law allows, the software comes as is, without any warranty or
-condition, and the licensor will not be liable to you for any damages arising
-out of these terms or the use or nature of the software, under any kind of
-legal claim.*
-
-## Definitions
-
-The **licensor** is the entity offering these terms, and the **software** is the
-software the licensor makes available under these terms, including any portion
-of it.
-
-**you** refers to the individual or entity agreeing to these terms.
-
-**your company** is any legal entity, sole proprietorship, or other kind of
-organization that you work for, plus all organizations that have control over,
-are under the control of, or are under common control with that
-organization. **control** means ownership of substantially all the assets of an
-entity, or the power to direct its management and policies by vote, contract, or
-otherwise. Control can be direct or indirect.
-
-**your licenses** are all the licenses granted to you for the software under
-these terms.
-
-**use** means anything you do with the software requiring one of your licenses.
-
-**trademark** means trademarks, service marks, and similar rights.
diff --git a/packages/fortinet_forticlient/1.1.2/changelog.yml b/packages/fortinet_forticlient/1.1.2/changelog.yml
deleted file mode 100755
index 30eb3c1047..0000000000
--- a/packages/fortinet_forticlient/1.1.2/changelog.yml
+++ /dev/null
@@ -1,21 +0,0 @@
-# newer versions go on top
-- version: "1.1.2"
- changes:
- - description: Remove duplicate field.
- type: bugfix
- link: https://github.com/elastic/integrations/issues/4327
-- version: "1.1.1"
- changes:
- - description: Use ECS geo.location definition.
- type: enhancement
- link: https://github.com/elastic/integrations/issues/4227
-- version: "1.1.0"
- changes:
- - description: Update Ingest Pipeline with observer Fields
- type: enhancement
- link: https://github.com/elastic/integrations/pull/3819
-- version: "1.0.0"
- changes:
- - description: Initial version of Fortinet FortiClient as separate package
- type: enhancement
- link: https://github.com/elastic/integrations/pull/3268
diff --git a/packages/fortinet_forticlient/1.1.2/data_stream/log/agent/stream/log.yml.hbs b/packages/fortinet_forticlient/1.1.2/data_stream/log/agent/stream/log.yml.hbs
deleted file mode 100755
index 47e8e2489c..0000000000
--- a/packages/fortinet_forticlient/1.1.2/data_stream/log/agent/stream/log.yml.hbs
+++ /dev/null
@@ -1,2768 +0,0 @@ -paths: -{{#each paths as |path i|}} - - {{path}} -{{/each}} -exclude_files: [".gz$"] -tags: -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#each tags as |tag i|}} - - {{tag}} -{{/each}} -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} -processors: -{{#if processors}} -{{processors}} -{{/if}} -- script: - lang: javascript - params: - ecs: true - rsa: {{rsa_fields}} - tz_offset: {{tz_offset}} - keep_raw: {{keep_raw_fields}} - debug: {{debug}} - source: | - // Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - // or more contributor license agreements. Licensed under the Elastic License; - // you may not use this file except in compliance with the Elastic License. - - /* jshint -W014,-W016,-W097,-W116 */ - - var processor = require("processor"); - var console = require("console"); - - var FLAG_FIELD = "log.flags"; - var FIELDS_OBJECT = "nwparser"; - var FIELDS_PREFIX = FIELDS_OBJECT + "."; - - var defaults = { - debug: false, - ecs: true, - rsa: false, - keep_raw: false, - tz_offset: "local", - strip_priority: true - }; - - var saved_flags = null; - var debug; - var map_ecs; - var map_rsa; - var keep_raw; - var device; - var tz_offset; - var strip_priority; - - // Register params from configuration. - function register(params) { - debug = params.debug !== undefined ? params.debug : defaults.debug; - map_ecs = params.ecs !== undefined ? params.ecs : defaults.ecs; - map_rsa = params.rsa !== undefined ? params.rsa : defaults.rsa; - keep_raw = params.keep_raw !== undefined ? params.keep_raw : defaults.keep_raw; - tz_offset = parse_tz_offset(params.tz_offset !== undefined? params.tz_offset : defaults.tz_offset); - strip_priority = params.strip_priority !== undefined? 
params.strip_priority : defaults.strip_priority; - device = new DeviceProcessor(); - } - - function parse_tz_offset(offset) { - var date; - var m; - switch(offset) { - // local uses the tz offset from the JS VM. - case "local": - date = new Date(); - // Reversing the sign as we the offset from UTC, not to UTC. - return parse_local_tz_offset(-date.getTimezoneOffset()); - // event uses the tz offset from event.timezone (add_locale processor). - case "event": - return offset; - // Otherwise a tz offset in the form "[+-][0-9]{4}" is required. - default: - m = offset.match(/^([+\-])([0-9]{2}):?([0-9]{2})?$/); - if (m === null || m.length !== 4) { - throw("bad timezone offset: '" + offset + "'. Must have the form +HH:MM"); - } - return m[1] + m[2] + ":" + (m[3]!==undefined? m[3] : "00"); - } - } - - function parse_local_tz_offset(minutes) { - var neg = minutes < 0; - minutes = Math.abs(minutes); - var min = minutes % 60; - var hours = Math.floor(minutes / 60); - var pad2digit = function(n) { - if (n < 10) { return "0" + n;} - return "" + n; - }; - return (neg? "-" : "+") + pad2digit(hours) + ":" + pad2digit(min); - } - - function process(evt) { - // Function register is only called by the processor when `params` are set - // in the processor config. - if (device === undefined) { - register(defaults); - } - return device.process(evt); - } - - function processor_chain(subprocessors) { - var builder = new processor.Chain(); - subprocessors.forEach(builder.Add); - return builder.Build().Run; - } - - function linear_select(subprocessors) { - return function (evt) { - var flags = evt.Get(FLAG_FIELD); - var i; - for (i = 0; i < subprocessors.length; i++) { - evt.Delete(FLAG_FIELD); - if (debug) console.warn("linear_select trying entry " + i); - subprocessors[i](evt); - // Dissect processor succeeded? 
- if (evt.Get(FLAG_FIELD) == null) break; - if (debug) console.warn("linear_select failed entry " + i); - } - if (flags !== null) { - evt.Put(FLAG_FIELD, flags); - } - if (debug) { - if (i < subprocessors.length) { - console.warn("linear_select matched entry " + i); - } else { - console.warn("linear_select didn't match"); - } - } - }; - } - - function conditional(opt) { - return function(evt) { - if (opt.if(evt)) { - opt.then(evt); - } else if (opt.else) { - opt.else(evt); - } - }; - } - - var strip_syslog_priority = (function() { - var isEnabled = function() { return strip_priority === true; }; - var fetchPRI = field("_pri"); - var fetchPayload = field("payload"); - var removePayload = remove(["payload"]); - var cleanup = remove(["_pri", "payload"]); - var onMatch = function(evt) { - var pri, priStr = fetchPRI(evt); - if (priStr != null - && 0 < priStr.length && priStr.length < 4 - && !isNaN((pri = Number(priStr))) - && 0 <= pri && pri < 192) { - var severity = pri & 7, - facility = pri >> 3; - setc("_severity", "" + severity)(evt); - setc("_facility", "" + facility)(evt); - // Replace message with priority stripped. - evt.Put("message", fetchPayload(evt)); - removePayload(evt); - } else { - // not a valid syslog PRI, cleanup. 
- cleanup(evt); - } - }; - return conditional({ - if: isEnabled, - then: cleanup_flags(match( - "STRIP_PRI", - "message", - "<%{_pri}>%{payload}", - onMatch - )) - }); - })(); - - function match(id, src, pattern, on_success) { - var dissect = new processor.Dissect({ - field: src, - tokenizer: pattern, - target_prefix: FIELDS_OBJECT, - ignore_failure: true, - overwrite_keys: true, - trim_values: "right" - }); - return function (evt) { - var msg = evt.Get(src); - dissect.Run(evt); - var failed = evt.Get(FLAG_FIELD) != null; - if (debug) { - if (failed) { - console.debug("dissect fail: " + id + " field:" + src); - } else { - console.debug("dissect OK: " + id + " field:" + src); - } - console.debug(" expr: <<" + pattern + ">>"); - console.debug(" input: <<" + msg + ">>"); - } - if (on_success != null && !failed) { - on_success(evt); - } - }; - } - - function match_copy(id, src, dst, on_success) { - dst = FIELDS_PREFIX + dst; - if (dst === FIELDS_PREFIX || dst === src) { - return function (evt) { - if (debug) { - console.debug("noop OK: " + id + " field:" + src); - console.debug(" input: <<" + evt.Get(src) + ">>"); - } - if (on_success != null) on_success(evt); - } - } - return function (evt) { - var msg = evt.Get(src); - evt.Put(dst, msg); - if (debug) { - console.debug("copy OK: " + id + " field:" + src); - console.debug(" target: '" + dst + "'"); - console.debug(" input: <<" + msg + ">>"); - } - if (on_success != null) on_success(evt); - } - } - - function cleanup_flags(processor) { - return function(evt) { - processor(evt); - evt.Delete(FLAG_FIELD); - }; - } - - function all_match(opts) { - return function (evt) { - var i; - for (i = 0; i < opts.processors.length; i++) { - evt.Delete(FLAG_FIELD); - opts.processors[i](evt); - // Dissect processor succeeded? 
- if (evt.Get(FLAG_FIELD) != null) { - if (debug) console.warn("all_match failure at " + i); - if (opts.on_failure != null) opts.on_failure(evt); - return; - } - if (debug) console.warn("all_match success at " + i); - } - if (opts.on_success != null) opts.on_success(evt); - }; - } - - function msgid_select(mapping) { - return function (evt) { - var msgid = evt.Get(FIELDS_PREFIX + "messageid"); - if (msgid == null) { - if (debug) console.warn("msgid_select: no messageid captured!"); - return; - } - var next = mapping[msgid]; - if (next === undefined) { - if (debug) console.warn("msgid_select: no mapping for messageid:" + msgid); - return; - } - if (debug) console.info("msgid_select: matched key=" + msgid); - return next(evt); - }; - } - - function msg(msg_id, match) { - return function (evt) { - match(evt); - if (evt.Get(FLAG_FIELD) == null) { - evt.Put(FIELDS_PREFIX + "msg_id1", msg_id); - } - }; - } - - var start; - - function save_flags(evt) { - saved_flags = evt.Get(FLAG_FIELD); - evt.Put("event.original", evt.Get("message")); - } - - function restore_flags(evt) { - if (saved_flags !== null) { - evt.Put(FLAG_FIELD, saved_flags); - } - evt.Delete("message"); - } - - function constant(value) { - return function (evt) { - return value; - }; - } - - function field(name) { - var fullname = FIELDS_PREFIX + name; - return function (evt) { - return evt.Get(fullname); - }; - } - - function STRCAT(args) { - var s = ""; - var i; - for (i = 0; i < args.length; i++) { - s += args[i]; - } - return s; - } - - // TODO: Implement - function DIRCHK(args) { - unimplemented("DIRCHK"); - } - - function strictToInt(str) { - return str * 1; - } - - function CALC(args) { - if (args.length !== 3) { - console.warn("skipped call to CALC with " + args.length + " arguments."); - return; - } - var a = strictToInt(args[0]); - var b = strictToInt(args[2]); - if (isNaN(a) || isNaN(b)) { - console.warn("failed evaluating CALC arguments a='" + args[0] + "' b='" + args[2] + "'."); - return; - } - 
var result; - switch (args[1]) { - case "+": - result = a + b; - break; - case "-": - result = a - b; - break; - case "*": - result = a * b; - break; - default: - // Only * and + seen in the parsers. - console.warn("unknown CALC operation '" + args[1] + "'."); - return; - } - // Always return a string - return result !== undefined ? "" + result : result; - } - - var quoteChars = "\"'`"; - function RMQ(args) { - if(args.length !== 1) { - console.warn("RMQ: only one argument expected"); - return; - } - var value = args[0].trim(); - var n = value.length; - var char; - return n > 1 - && (char=value.charAt(0)) === value.charAt(n-1) - && quoteChars.indexOf(char) !== -1? - value.substr(1, n-2) - : value; - } - - function call(opts) { - var args = new Array(opts.args.length); - return function (evt) { - for (var i = 0; i < opts.args.length; i++) - if ((args[i] = opts.args[i](evt)) == null) return; - var result = opts.fn(args); - if (result != null) { - evt.Put(opts.dest, result); - } - }; - } - - function nop(evt) { - } - - function appendErrorMsg(evt, msg) { - var value = evt.Get("error.message"); - if (value == null) { - value = [msg]; - } else if (msg instanceof Array) { - value.push(msg); - } else { - value = [value, msg]; - } - evt.Put("error.message", value); - } - - function unimplemented(name) { - appendErrorMsg("unimplemented feature: " + name); - } - - function lookup(opts) { - return function (evt) { - var key = opts.key(evt); - if (key == null) return; - var value = opts.map.keyvaluepairs[key]; - if (value === undefined) { - value = opts.map.default; - } - if (value !== undefined) { - evt.Put(opts.dest, value(evt)); - } - }; - } - - function set(fields) { - return new processor.AddFields({ - target: FIELDS_OBJECT, - fields: fields, - }); - } - - function setf(dst, src) { - return function (evt) { - var val = evt.Get(FIELDS_PREFIX + src); - if (val != null) evt.Put(FIELDS_PREFIX + dst, val); - }; - } - - function setc(dst, value) { - return function (evt) { - 
evt.Put(FIELDS_PREFIX + dst, value); - }; - } - - function set_field(opts) { - return function (evt) { - var val = opts.value(evt); - if (val != null) evt.Put(opts.dest, val); - }; - } - - function dump(label) { - return function (evt) { - console.log("Dump of event at " + label + ": " + JSON.stringify(evt, null, "\t")); - }; - } - - function date_time_join_args(evt, arglist) { - var str = ""; - for (var i = 0; i < arglist.length; i++) { - var fname = FIELDS_PREFIX + arglist[i]; - var val = evt.Get(fname); - if (val != null) { - if (str !== "") str += " "; - str += val; - } else { - if (debug) console.warn("in date_time: input arg " + fname + " is not set"); - } - } - return str; - } - - function to2Digit(num) { - return num? (num < 10? "0" + num : num) : "00"; - } - - // Make two-digit dates 00-69 interpreted as 2000-2069 - // and dates 70-99 translated to 1970-1999. - var twoDigitYearEpoch = 70; - var twoDigitYearCentury = 2000; - - // This is to accept dates up to 2 days in the future, only used when - // no year is specified in a date. 2 days should be enough to account for - // time differences between systems and different tz offsets. - var maxFutureDelta = 2*24*60*60*1000; - - // DateContainer stores date fields and then converts those fields into - // a Date. Necessary because building a Date using its set() methods gives - // different results depending on the order of components. - function DateContainer(tzOffset) { - this.offset = tzOffset === undefined? "Z" : tzOffset; - } - - DateContainer.prototype = { - setYear: function(v) {this.year = v;}, - setMonth: function(v) {this.month = v;}, - setDay: function(v) {this.day = v;}, - setHours: function(v) {this.hours = v;}, - setMinutes: function(v) {this.minutes = v;}, - setSeconds: function(v) {this.seconds = v;}, - - setUNIX: function(v) {this.unix = v;}, - - set2DigitYear: function(v) { - this.year = v < twoDigitYearEpoch? 
twoDigitYearCentury + v : twoDigitYearCentury + v - 100; - }, - - toDate: function() { - if (this.unix !== undefined) { - return new Date(this.unix * 1000); - } - if (this.day === undefined || this.month === undefined) { - // Can't make a date from this. - return undefined; - } - if (this.year === undefined) { - // A date without a year. Set current year, or previous year - // if date would be in the future. - var now = new Date(); - this.year = now.getFullYear(); - var date = this.toDate(); - if (date.getTime() - now.getTime() > maxFutureDelta) { - date.setFullYear(now.getFullYear() - 1); - } - return date; - } - var MM = to2Digit(this.month); - var DD = to2Digit(this.day); - var hh = to2Digit(this.hours); - var mm = to2Digit(this.minutes); - var ss = to2Digit(this.seconds); - return new Date(this.year + "-" + MM + "-" + DD + "T" + hh + ":" + mm + ":" + ss + this.offset); - } - } - - function date_time_try_pattern(fmt, str, tzOffset) { - var date = new DateContainer(tzOffset); - var pos = date_time_try_pattern_at_pos(fmt, str, 0, date); - return pos !== undefined? 
date.toDate() : undefined; - } - - function date_time_try_pattern_at_pos(fmt, str, pos, date) { - var len = str.length; - for (var proc = 0; pos !== undefined && pos < len && proc < fmt.length; proc++) { - pos = fmt[proc](str, pos, date); - } - return pos; - } - - function date_time(opts) { - return function (evt) { - var tzOffset = opts.tz || tz_offset; - if (tzOffset === "event") { - tzOffset = evt.Get("event.timezone"); - } - var str = date_time_join_args(evt, opts.args); - for (var i = 0; i < opts.fmts.length; i++) { - var date = date_time_try_pattern(opts.fmts[i], str, tzOffset); - if (date !== undefined) { - evt.Put(FIELDS_PREFIX + opts.dest, date); - return; - } - } - if (debug) console.warn("in date_time: id=" + opts.id + " FAILED: " + str); - }; - } - - var uA = 60 * 60 * 24; - var uD = 60 * 60 * 24; - var uF = 60 * 60; - var uG = 60 * 60 * 24 * 30; - var uH = 60 * 60; - var uI = 60 * 60; - var uJ = 60 * 60 * 24; - var uM = 60 * 60 * 24 * 30; - var uN = 60 * 60; - var uO = 1; - var uS = 1; - var uT = 60; - var uU = 60; - var uc = dc; - - function duration(opts) { - return function(evt) { - var str = date_time_join_args(evt, opts.args); - for (var i = 0; i < opts.fmts.length; i++) { - var seconds = duration_try_pattern(opts.fmts[i], str); - if (seconds !== undefined) { - evt.Put(FIELDS_PREFIX + opts.dest, seconds); - return; - } - } - if (debug) console.warn("in duration: id=" + opts.id + " (s) FAILED: " + str); - }; - } - - function duration_try_pattern(fmt, str) { - var secs = 0; - var pos = 0; - for (var i=0; i [ month_id , how many chars to skip if month in long form ] - "Jan": [0, 4], - "Feb": [1, 5], - "Mar": [2, 2], - "Apr": [3, 2], - "May": [4, 0], - "Jun": [5, 1], - "Jul": [6, 1], - "Aug": [7, 3], - "Sep": [8, 6], - "Oct": [9, 4], - "Nov": [10, 5], - "Dec": [11, 4], - "jan": [0, 4], - "feb": [1, 5], - "mar": [2, 2], - "apr": [3, 2], - "may": [4, 0], - "jun": [5, 1], - "jul": [6, 1], - "aug": [7, 3], - "sep": [8, 6], - "oct": [9, 4], - "nov": [10, 
5], - "dec": [11, 4], - }; - - // var dC = undefined; - var dR = dateMonthName(true); - var dB = dateMonthName(false); - var dM = dateFixedWidthNumber("M", 2, 1, 12, DateContainer.prototype.setMonth); - var dG = dateVariableWidthNumber("G", 1, 12, DateContainer.prototype.setMonth); - var dD = dateFixedWidthNumber("D", 2, 1, 31, DateContainer.prototype.setDay); - var dF = dateVariableWidthNumber("F", 1, 31, DateContainer.prototype.setDay); - var dH = dateFixedWidthNumber("H", 2, 0, 24, DateContainer.prototype.setHours); - var dI = dateVariableWidthNumber("I", 0, 24, DateContainer.prototype.setHours); // Accept hours >12 - var dN = dateVariableWidthNumber("N", 0, 24, DateContainer.prototype.setHours); - var dT = dateFixedWidthNumber("T", 2, 0, 59, DateContainer.prototype.setMinutes); - var dU = dateVariableWidthNumber("U", 0, 59, DateContainer.prototype.setMinutes); - var dP = parseAMPM; // AM|PM - var dQ = parseAMPM; // A.M.|P.M - var dS = dateFixedWidthNumber("S", 2, 0, 60, DateContainer.prototype.setSeconds); - var dO = dateVariableWidthNumber("O", 0, 60, DateContainer.prototype.setSeconds); - var dY = dateFixedWidthNumber("Y", 2, 0, 99, DateContainer.prototype.set2DigitYear); - var dW = dateFixedWidthNumber("W", 4, 1000, 9999, DateContainer.prototype.setYear); - var dZ = parseHMS; - var dX = dateVariableWidthNumber("X", 0, 0x10000000000, DateContainer.prototype.setUNIX); - - // parseAMPM parses "A.M", "AM", "P.M", "PM" from logs. - // Only works if this modifier appears after the hour has been read from logs - // which is always the case in the 300 devices. 
- function parseAMPM(str, pos, date) { - var n = str.length; - var start = skipws(str, pos); - if (start + 2 > n) return; - var head = str.substr(start, 2).toUpperCase(); - var isPM = false; - var skip = false; - switch (head) { - case "A.": - skip = true; - /* falls through */ - case "AM": - break; - case "P.": - skip = true; - /* falls through */ - case "PM": - isPM = true; - break; - default: - if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(head:" + head + ")"); - return; - } - pos = start + 2; - if (skip) { - if (pos+2 > n || str.substr(pos, 2).toUpperCase() !== "M.") { - if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(tail)"); - return; - } - pos += 2; - } - var hh = date.hours; - if (isPM) { - // Accept existing hour in 24h format. - if (hh < 12) hh += 12; - } else { - if (hh === 12) hh = 0; - } - date.setHours(hh); - return pos; - } - - function parseHMS(str, pos, date) { - return date_time_try_pattern_at_pos([dN, dc(":"), dU, dc(":"), dO], str, pos, date); - } - - function skipws(str, pos) { - for ( var n = str.length; - pos < n && str.charAt(pos) === " "; - pos++) - ; - return pos; - } - - function skipdigits(str, pos) { - var c; - for (var n = str.length; - pos < n && (c = str.charAt(pos)) >= "0" && c <= "9"; - pos++) - ; - return pos; - } - - function dSkip(str, pos, date) { - var chr; - for (;pos < str.length && (chr=str[pos])<'0' || chr>'9'; pos++) {} - return pos < str.length? 
pos : undefined; - } - - function dateVariableWidthNumber(fmtChar, min, max, setter) { - return function (str, pos, date) { - var start = skipws(str, pos); - pos = skipdigits(str, start); - var s = str.substr(start, pos - start); - var value = parseInt(s, 10); - if (value >= min && value <= max) { - setter.call(date, value); - return pos; - } - return; - }; - } - - function dateFixedWidthNumber(fmtChar, width, min, max, setter) { - return function (str, pos, date) { - pos = skipws(str, pos); - var n = str.length; - if (pos + width > n) return; - var s = str.substr(pos, width); - var value = parseInt(s, 10); - if (value >= min && value <= max) { - setter.call(date, value); - return pos + width; - } - return; - }; - } - - // Short month name (Jan..Dec). - function dateMonthName(long) { - return function (str, pos, date) { - pos = skipws(str, pos); - var n = str.length; - if (pos + 3 > n) return; - var mon = str.substr(pos, 3); - var idx = shortMonths[mon]; - if (idx === undefined) { - idx = shortMonths[mon.toLowerCase()]; - } - if (idx === undefined) { - //console.warn("parsing date_time: '" + mon + "' is not a valid short month (%B)"); - return; - } - date.setMonth(idx[0]+1); - return pos + 3 + (long ? 
idx[1] : 0); - }; - } - - function url_wrapper(dst, src, fn) { - return function(evt) { - var value = evt.Get(FIELDS_PREFIX + src), result; - if (value != null && (result = fn(value))!== undefined) { - evt.Put(FIELDS_PREFIX + dst, result); - } else { - console.debug(fn.name + " failed for '" + value + "'"); - } - }; - } - - // The following regular expression for parsing URLs from: - // https://github.com/wizard04wsu/URI_Parsing - // - // The MIT License (MIT) - // - // Copyright (c) 2014 Andrew Harrison - // - // Permission is hereby granted, free of charge, to any person obtaining a copy of - // this software and associated documentation files (the "Software"), to deal in - // the Software without restriction, including without limitation the rights to - // use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of - // the Software, and to permit persons to whom the Software is furnished to do so, - // subject to the following conditions: - // - // The above copyright notice and this permission notice shall be included in all - // copies or substantial portions of the Software. - // - // THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR - // IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS - // FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR - // COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER - // IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN - // CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 
- var uriRegExp = /^([a-z][a-z0-9+.\-]*):(?:\/\/((?:(?=((?:[a-z0-9\-._~!$&'()*+,;=:]|%[0-9A-F]{2})*))(\3)@)?(?=(\[[0-9A-F:.]{2,}\]|(?:[a-z0-9\-._~!$&'()*+,;=]|%[0-9A-F]{2})*))\5(?::(?=(\d*))\6)?)(\/(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\8)?|(\/?(?!\/)(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\10)?)(?:\?(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\11)?(?:#(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\12)?$/i; - - var uriScheme = 1; - var uriDomain = 5; - var uriPort = 6; - var uriPath = 7; - var uriPathAlt = 9; - var uriQuery = 11; - - function domain(dst, src) { - return url_wrapper(dst, src, extract_domain); - } - - function split_url(value) { - var m = value.match(uriRegExp); - if (m && m[uriDomain]) return m; - // Support input in the form "www.example.net/path", but not "/path". - m = ("null://" + value).match(uriRegExp); - if (m) return m; - } - - function extract_domain(value) { - var m = split_url(value); - if (m && m[uriDomain]) return m[uriDomain]; - } - - var extFromPage = /\.[^.]+$/; - function extract_ext(value) { - var page = extract_page(value); - if (page) { - var m = page.match(extFromPage); - if (m) return m[0]; - } - } - - function ext(dst, src) { - return url_wrapper(dst, src, extract_ext); - } - - function fqdn(dst, src) { - // TODO: fqdn and domain(eTLD+1) are currently the same. - return domain(dst, src); - } - - var pageFromPathRegExp = /\/([^\/]+)$/; - var pageName = 1; - - function extract_page(value) { - value = extract_path(value); - if (!value) return undefined; - var m = value.match(pageFromPathRegExp); - if (m) return m[pageName]; - } - - function page(dst, src) { - return url_wrapper(dst, src, extract_page); - } - - function extract_path(value) { - var m = split_url(value); - return m? m[uriPath] || m[uriPathAlt] : undefined; - } - - function path(dst, src) { - return url_wrapper(dst, src, extract_path); - } - - // Map common schemes to their default port. 
- // port has to be a string (will be converted at a later stage). - var schemePort = { - "ftp": "21", - "ssh": "22", - "http": "80", - "https": "443", - }; - - function extract_port(value) { - var m = split_url(value); - if (!m) return undefined; - if (m[uriPort]) return m[uriPort]; - if (m[uriScheme]) { - return schemePort[m[uriScheme]]; - } - } - - function port(dst, src) { - return url_wrapper(dst, src, extract_port); - } - - function extract_query(value) { - var m = split_url(value); - if (m && m[uriQuery]) return m[uriQuery]; - } - - function query(dst, src) { - return url_wrapper(dst, src, extract_query); - } - - function extract_root(value) { - var m = split_url(value); - if (m && m[uriDomain] && m[uriDomain]) { - var scheme = m[uriScheme] && m[uriScheme] !== "null"? - m[uriScheme] + "://" : ""; - var port = m[uriPort]? ":" + m[uriPort] : ""; - return scheme + m[uriDomain] + port; - } - } - - function root(dst, src) { - return url_wrapper(dst, src, extract_root); - } - - function tagval(id, src, cfg, keys, on_success) { - var fail = function(evt) { - evt.Put(FLAG_FIELD, "tagval_parsing_error"); - } - if (cfg.kv_separator.length !== 1) { - throw("Invalid TAGVALMAP ValueDelimiter (must have 1 character)"); - } - var quotes_len = cfg.open_quote.length > 0 && cfg.close_quote.length > 0? 
- cfg.open_quote.length + cfg.close_quote.length : 0; - var kv_regex = new RegExp('^([^' + cfg.kv_separator + ']*)*' + cfg.kv_separator + ' *(.*)*$'); - return function(evt) { - var msg = evt.Get(src); - if (msg === undefined) { - console.warn("tagval: input field is missing"); - return fail(evt); - } - var pairs = msg.split(cfg.pair_separator); - var i; - var success = false; - var prev = ""; - for (i=0; i 0 && - value.length >= cfg.open_quote.length + cfg.close_quote.length && - value.substr(0, cfg.open_quote.length) === cfg.open_quote && - value.substr(value.length - cfg.close_quote.length) === cfg.close_quote) { - value = value.substr(cfg.open_quote.length, value.length - quotes_len); - } - evt.Put(FIELDS_PREFIX + field, value); - success = true; - } - if (!success) { - return fail(evt); - } - if (on_success != null) { - on_success(evt); - } - } - } - - var ecs_mappings = { - "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]}, - "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]}, - "_severity": {convert: to_long, to:[{field: "log.syslog.severity.code", setter: fld_set}]}, - "action": {to:[{field: "event.action", setter: fld_prio, prio: 0}]}, - "administrator": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 4}]}, - "alias.ip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 3},{field: "related.ip", setter: fld_append}]}, - "alias.ipv6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 4},{field: "related.ip", setter: fld_append}]}, - "alias.mac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 1}]}, - "application": {to:[{field: "network.application", setter: fld_set}]}, - "bytes": {convert: to_long, to:[{field: "network.bytes", setter: fld_set}]}, - "c_domain": {to:[{field: "source.domain", setter: fld_prio, prio: 1}]}, - "c_logon_id": {to:[{field: "user.id", setter: fld_prio, prio: 2}]}, - 
"c_user_name": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 8}]}, - "c_username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 2}]}, - "cctld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 1}]}, - "child_pid": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 1}]}, - "child_pid_val": {to:[{field: "process.title", setter: fld_set}]}, - "child_process": {to:[{field: "process.name", setter: fld_prio, prio: 1}]}, - "city.dst": {to:[{field: "destination.geo.city_name", setter: fld_set}]}, - "city.src": {to:[{field: "source.geo.city_name", setter: fld_set}]}, - "daddr": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, - "daddr_v6": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, - "ddomain": {to:[{field: "destination.domain", setter: fld_prio, prio: 0}]}, - "devicehostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, - "devicehostmac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 0}]}, - "dhost": {to:[{field: "destination.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]}, - "dinterface": {to:[{field: "observer.egress.interface.name", setter: fld_set}]}, - "direction": {to:[{field: "network.direction", setter: fld_set}]}, - "directory": {to:[{field: "file.directory", setter: fld_set}]}, - "dmacaddr": {convert: to_mac, to:[{field: "destination.mac", setter: fld_set}]}, - "dns.responsetype": {to:[{field: "dns.answers.type", setter: fld_set}]}, - "dns.resptext": {to:[{field: "dns.answers.name", setter: fld_set}]}, - "dns_querytype": {to:[{field: "dns.question.type", setter: fld_set}]}, - "domain": {to:[{field: "server.domain", setter: fld_prio, prio: 0},{field: "related.hosts", setter: fld_append}]}, - 
"domain.dst": {to:[{field: "destination.domain", setter: fld_prio, prio: 1}]}, - "domain.src": {to:[{field: "source.domain", setter: fld_prio, prio: 2}]}, - "domain_id": {to:[{field: "user.domain", setter: fld_set}]}, - "domainname": {to:[{field: "server.domain", setter: fld_prio, prio: 1}]}, - "dport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 0}]}, - "dtransaddr": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, - "dtransport": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 0}]}, - "ec_outcome": {to:[{field: "event.outcome", setter: fld_ecs_outcome}]}, - "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]}, - "event_source": {to:[{field: "related.hosts", setter: fld_append}]}, - "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]}, - "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]}, - "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]}, - "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]}, - "filename": {to:[{field: "file.name", setter: fld_prio, prio: 0}]}, - "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]}, - "filepath": {to:[{field: "file.path", setter: fld_set}]}, - "filetype": {to:[{field: "file.type", setter: fld_set}]}, - "fqdn": {to:[{field: "related.hosts", setter: fld_append}]}, - "group": {to:[{field: "group.name", setter: fld_set}]}, - "groupid": {to:[{field: "group.id", setter: fld_set}]}, - "host": {to:[{field: "host.name", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]}, - "hostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, - "hostip_v6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, - "hostname": {to:[{field: 
"host.name", setter: fld_prio, prio: 0}]}, - "id": {to:[{field: "event.code", setter: fld_prio, prio: 0}]}, - "interface": {to:[{field: "network.interface.name", setter: fld_set}]}, - "ip.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, - "ip.trans.dst": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, - "ip.trans.src": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, - "ipv6.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, - "latdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lat", setter: fld_set}]}, - "latdec_src": {convert: to_double, to:[{field: "source.geo.location.lat", setter: fld_set}]}, - "location_city": {to:[{field: "geo.city_name", setter: fld_set}]}, - "location_country": {to:[{field: "geo.country_name", setter: fld_set}]}, - "location_desc": {to:[{field: "geo.name", setter: fld_set}]}, - "location_dst": {to:[{field: "destination.geo.country_name", setter: fld_set}]}, - "location_src": {to:[{field: "source.geo.country_name", setter: fld_set}]}, - "location_state": {to:[{field: "geo.region_name", setter: fld_set}]}, - "logon_id": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 5}]}, - "longdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lon", setter: fld_set}]}, - "longdec_src": {convert: to_double, to:[{field: "source.geo.location.lon", setter: fld_set}]}, - "macaddr": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 2}]}, - "messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]}, - "method": {to:[{field: "http.request.method", setter: fld_set}]}, - "msg": {to:[{field: "message", setter: fld_set}]}, - "orig_ip": {convert: to_ip, 
to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, - "owner": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 6}]}, - "packets": {convert: to_long, to:[{field: "network.packets", setter: fld_set}]}, - "parent_pid": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 0}]}, - "parent_pid_val": {to:[{field: "process.parent.title", setter: fld_set}]}, - "parent_process": {to:[{field: "process.parent.name", setter: fld_prio, prio: 0}]}, - "patient_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 1}]}, - "port.dst": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 1}]}, - "port.src": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 1}]}, - "port.trans.dst": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 1}]}, - "port.trans.src": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 1}]}, - "process": {to:[{field: "process.name", setter: fld_prio, prio: 0}]}, - "process_id": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 0}]}, - "process_id_src": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 1}]}, - "process_src": {to:[{field: "process.parent.name", setter: fld_prio, prio: 1}]}, - "product": {to:[{field: "observer.product", setter: fld_set}]}, - "protocol": {to:[{field: "network.protocol", setter: fld_set}]}, - "query": {to:[{field: "url.query", setter: fld_prio, prio: 2}]}, - "rbytes": {convert: to_long, to:[{field: "destination.bytes", setter: fld_set}]}, - "referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 1}]}, - "rulename": {to:[{field: "rule.name", setter: fld_set}]}, - "saddr": {convert: to_ip, to:[{field: "source.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, - "saddr_v6": {convert: to_ip, to:[{field: "source.ip", setter: 
fld_set},{field: "related.ip", setter: fld_append}]}, - "sbytes": {convert: to_long, to:[{field: "source.bytes", setter: fld_set}]}, - "sdomain": {to:[{field: "source.domain", setter: fld_prio, prio: 0}]}, - "service": {to:[{field: "service.name", setter: fld_prio, prio: 1}]}, - "service.name": {to:[{field: "service.name", setter: fld_prio, prio: 0}]}, - "service_account": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 7}]}, - "severity": {to:[{field: "log.level", setter: fld_set}]}, - "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]}, - "sinterface": {to:[{field: "observer.ingress.interface.name", setter: fld_set}]}, - "sld": {to:[{field: "url.registered_domain", setter: fld_set}]}, - "smacaddr": {convert: to_mac, to:[{field: "source.mac", setter: fld_set}]}, - "sport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 0}]}, - "stransaddr": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, - "stransport": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 0}]}, - "tcp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 2}]}, - "tcp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 2}]}, - "timezone": {to:[{field: "event.timezone", setter: fld_set}]}, - "tld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 0}]}, - "udp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 3}]}, - "udp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 3}]}, - "uid": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 3}]}, - "url": {to:[{field: "url.original", setter: fld_prio, prio: 1}]}, - "url_raw": {to:[{field: "url.original", setter: fld_prio, prio: 
0}]}, - "urldomain": {to:[{field: "url.domain", setter: fld_prio, prio: 0}]}, - "urlquery": {to:[{field: "url.query", setter: fld_prio, prio: 0}]}, - "user": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 0}]}, - "user.id": {to:[{field: "user.id", setter: fld_prio, prio: 1}]}, - "user_agent": {to:[{field: "user_agent.original", setter: fld_set}]}, - "user_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 0}]}, - "user_id": {to:[{field: "user.id", setter: fld_prio, prio: 0}]}, - "username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 1}]}, - "version": {to:[{field: "observer.version", setter: fld_set}]}, - "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]}, - "web_extension": {to:[{field: "file.extension", setter: fld_prio, prio: 0}]}, - "web_query": {to:[{field: "url.query", setter: fld_prio, prio: 1}]}, - "web_ref_domain": {to:[{field: "related.hosts", setter: fld_append}]}, - "web_referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 0}]}, - "web_root": {to:[{field: "url.path", setter: fld_set}]}, - "webpage": {to:[{field: "file.name", setter: fld_prio, prio: 1}]}, - }; - - var rsa_mappings = { - "access_point": {to:[{field: "rsa.wireless.access_point", setter: fld_set}]}, - "accesses": {to:[{field: "rsa.identity.accesses", setter: fld_set}]}, - "acl_id": {to:[{field: "rsa.misc.acl_id", setter: fld_set}]}, - "acl_op": {to:[{field: "rsa.misc.acl_op", setter: fld_set}]}, - "acl_pos": {to:[{field: "rsa.misc.acl_pos", setter: fld_set}]}, - "acl_table": {to:[{field: "rsa.misc.acl_table", setter: fld_set}]}, - "action": {to:[{field: "rsa.misc.action", setter: fld_append}]}, - "ad_computer_dst": {to:[{field: "rsa.network.ad_computer_dst", setter: fld_set}]}, - "addr": {to:[{field: "rsa.network.addr", setter: fld_set}]}, - "admin": {to:[{field: "rsa.misc.admin", setter: 
fld_set}]}, - "agent": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 0}]}, - "agent.id": {to:[{field: "rsa.misc.agent_id", setter: fld_set}]}, - "alarm_id": {to:[{field: "rsa.misc.alarm_id", setter: fld_set}]}, - "alarmname": {to:[{field: "rsa.misc.alarmname", setter: fld_set}]}, - "alert": {to:[{field: "rsa.threat.alert", setter: fld_set}]}, - "alert_id": {to:[{field: "rsa.misc.alert_id", setter: fld_set}]}, - "alias.host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "analysis.file": {to:[{field: "rsa.investigations.analysis_file", setter: fld_set}]}, - "analysis.service": {to:[{field: "rsa.investigations.analysis_service", setter: fld_set}]}, - "analysis.session": {to:[{field: "rsa.investigations.analysis_session", setter: fld_set}]}, - "app_id": {to:[{field: "rsa.misc.app_id", setter: fld_set}]}, - "attachment": {to:[{field: "rsa.file.attachment", setter: fld_set}]}, - "audit": {to:[{field: "rsa.misc.audit", setter: fld_set}]}, - "audit_class": {to:[{field: "rsa.internal.audit_class", setter: fld_set}]}, - "audit_object": {to:[{field: "rsa.misc.audit_object", setter: fld_set}]}, - "auditdata": {to:[{field: "rsa.misc.auditdata", setter: fld_set}]}, - "authmethod": {to:[{field: "rsa.identity.auth_method", setter: fld_set}]}, - "autorun_type": {to:[{field: "rsa.misc.autorun_type", setter: fld_set}]}, - "bcc": {to:[{field: "rsa.email.email", setter: fld_append}]}, - "benchmark": {to:[{field: "rsa.misc.benchmark", setter: fld_set}]}, - "binary": {to:[{field: "rsa.file.binary", setter: fld_set}]}, - "boc": {to:[{field: "rsa.investigations.boc", setter: fld_set}]}, - "bssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 1}]}, - "bypass": {to:[{field: "rsa.misc.bypass", setter: fld_set}]}, - "c_sid": {to:[{field: "rsa.identity.user_sid_src", setter: fld_set}]}, - "cache": {to:[{field: "rsa.misc.cache", setter: fld_set}]}, - "cache_hit": {to:[{field: "rsa.misc.cache_hit", setter: fld_set}]}, - "calling_from": {to:[{field: 
"rsa.misc.phone", setter: fld_prio, prio: 1}]}, - "calling_to": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 0}]}, - "category": {to:[{field: "rsa.misc.category", setter: fld_set}]}, - "cc": {to:[{field: "rsa.email.email", setter: fld_append}]}, - "cc.number": {convert: to_long, to:[{field: "rsa.misc.cc_number", setter: fld_set}]}, - "cefversion": {to:[{field: "rsa.misc.cefversion", setter: fld_set}]}, - "cert.serial": {to:[{field: "rsa.crypto.cert_serial", setter: fld_set}]}, - "cert_ca": {to:[{field: "rsa.crypto.cert_ca", setter: fld_set}]}, - "cert_checksum": {to:[{field: "rsa.crypto.cert_checksum", setter: fld_set}]}, - "cert_common": {to:[{field: "rsa.crypto.cert_common", setter: fld_set}]}, - "cert_error": {to:[{field: "rsa.crypto.cert_error", setter: fld_set}]}, - "cert_hostname": {to:[{field: "rsa.crypto.cert_host_name", setter: fld_set}]}, - "cert_hostname_cat": {to:[{field: "rsa.crypto.cert_host_cat", setter: fld_set}]}, - "cert_issuer": {to:[{field: "rsa.crypto.cert_issuer", setter: fld_set}]}, - "cert_keysize": {to:[{field: "rsa.crypto.cert_keysize", setter: fld_set}]}, - "cert_status": {to:[{field: "rsa.crypto.cert_status", setter: fld_set}]}, - "cert_subject": {to:[{field: "rsa.crypto.cert_subject", setter: fld_set}]}, - "cert_username": {to:[{field: "rsa.crypto.cert_username", setter: fld_set}]}, - "cfg.attr": {to:[{field: "rsa.misc.cfg_attr", setter: fld_set}]}, - "cfg.obj": {to:[{field: "rsa.misc.cfg_obj", setter: fld_set}]}, - "cfg.path": {to:[{field: "rsa.misc.cfg_path", setter: fld_set}]}, - "change_attribute": {to:[{field: "rsa.misc.change_attrib", setter: fld_set}]}, - "change_new": {to:[{field: "rsa.misc.change_new", setter: fld_set}]}, - "change_old": {to:[{field: "rsa.misc.change_old", setter: fld_set}]}, - "changes": {to:[{field: "rsa.misc.changes", setter: fld_set}]}, - "checksum": {to:[{field: "rsa.misc.checksum", setter: fld_set}]}, - "checksum.dst": {to:[{field: "rsa.misc.checksum_dst", setter: fld_set}]}, - "checksum.src": 
{to:[{field: "rsa.misc.checksum_src", setter: fld_set}]}, - "cid": {to:[{field: "rsa.internal.cid", setter: fld_set}]}, - "client": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 1}]}, - "client_ip": {to:[{field: "rsa.misc.client_ip", setter: fld_set}]}, - "clustermembers": {to:[{field: "rsa.misc.clustermembers", setter: fld_set}]}, - "cmd": {to:[{field: "rsa.misc.cmd", setter: fld_set}]}, - "cn_acttimeout": {to:[{field: "rsa.misc.cn_acttimeout", setter: fld_set}]}, - "cn_asn_dst": {to:[{field: "rsa.web.cn_asn_dst", setter: fld_set}]}, - "cn_asn_src": {to:[{field: "rsa.misc.cn_asn_src", setter: fld_set}]}, - "cn_bgpv4nxthop": {to:[{field: "rsa.misc.cn_bgpv4nxthop", setter: fld_set}]}, - "cn_ctr_dst_code": {to:[{field: "rsa.misc.cn_ctr_dst_code", setter: fld_set}]}, - "cn_dst_tos": {to:[{field: "rsa.misc.cn_dst_tos", setter: fld_set}]}, - "cn_dst_vlan": {to:[{field: "rsa.misc.cn_dst_vlan", setter: fld_set}]}, - "cn_engine_id": {to:[{field: "rsa.misc.cn_engine_id", setter: fld_set}]}, - "cn_engine_type": {to:[{field: "rsa.misc.cn_engine_type", setter: fld_set}]}, - "cn_f_switch": {to:[{field: "rsa.misc.cn_f_switch", setter: fld_set}]}, - "cn_flowsampid": {to:[{field: "rsa.misc.cn_flowsampid", setter: fld_set}]}, - "cn_flowsampintv": {to:[{field: "rsa.misc.cn_flowsampintv", setter: fld_set}]}, - "cn_flowsampmode": {to:[{field: "rsa.misc.cn_flowsampmode", setter: fld_set}]}, - "cn_inacttimeout": {to:[{field: "rsa.misc.cn_inacttimeout", setter: fld_set}]}, - "cn_inpermbyts": {to:[{field: "rsa.misc.cn_inpermbyts", setter: fld_set}]}, - "cn_inpermpckts": {to:[{field: "rsa.misc.cn_inpermpckts", setter: fld_set}]}, - "cn_invalid": {to:[{field: "rsa.misc.cn_invalid", setter: fld_set}]}, - "cn_ip_proto_ver": {to:[{field: "rsa.misc.cn_ip_proto_ver", setter: fld_set}]}, - "cn_ipv4_ident": {to:[{field: "rsa.misc.cn_ipv4_ident", setter: fld_set}]}, - "cn_l_switch": {to:[{field: "rsa.misc.cn_l_switch", setter: fld_set}]}, - "cn_log_did": {to:[{field: 
"rsa.misc.cn_log_did", setter: fld_set}]}, - "cn_log_rid": {to:[{field: "rsa.misc.cn_log_rid", setter: fld_set}]}, - "cn_max_ttl": {to:[{field: "rsa.misc.cn_max_ttl", setter: fld_set}]}, - "cn_maxpcktlen": {to:[{field: "rsa.misc.cn_maxpcktlen", setter: fld_set}]}, - "cn_min_ttl": {to:[{field: "rsa.misc.cn_min_ttl", setter: fld_set}]}, - "cn_minpcktlen": {to:[{field: "rsa.misc.cn_minpcktlen", setter: fld_set}]}, - "cn_mpls_lbl_1": {to:[{field: "rsa.misc.cn_mpls_lbl_1", setter: fld_set}]}, - "cn_mpls_lbl_10": {to:[{field: "rsa.misc.cn_mpls_lbl_10", setter: fld_set}]}, - "cn_mpls_lbl_2": {to:[{field: "rsa.misc.cn_mpls_lbl_2", setter: fld_set}]}, - "cn_mpls_lbl_3": {to:[{field: "rsa.misc.cn_mpls_lbl_3", setter: fld_set}]}, - "cn_mpls_lbl_4": {to:[{field: "rsa.misc.cn_mpls_lbl_4", setter: fld_set}]}, - "cn_mpls_lbl_5": {to:[{field: "rsa.misc.cn_mpls_lbl_5", setter: fld_set}]}, - "cn_mpls_lbl_6": {to:[{field: "rsa.misc.cn_mpls_lbl_6", setter: fld_set}]}, - "cn_mpls_lbl_7": {to:[{field: "rsa.misc.cn_mpls_lbl_7", setter: fld_set}]}, - "cn_mpls_lbl_8": {to:[{field: "rsa.misc.cn_mpls_lbl_8", setter: fld_set}]}, - "cn_mpls_lbl_9": {to:[{field: "rsa.misc.cn_mpls_lbl_9", setter: fld_set}]}, - "cn_mplstoplabel": {to:[{field: "rsa.misc.cn_mplstoplabel", setter: fld_set}]}, - "cn_mplstoplabip": {to:[{field: "rsa.misc.cn_mplstoplabip", setter: fld_set}]}, - "cn_mul_dst_byt": {to:[{field: "rsa.misc.cn_mul_dst_byt", setter: fld_set}]}, - "cn_mul_dst_pks": {to:[{field: "rsa.misc.cn_mul_dst_pks", setter: fld_set}]}, - "cn_muligmptype": {to:[{field: "rsa.misc.cn_muligmptype", setter: fld_set}]}, - "cn_rpackets": {to:[{field: "rsa.web.cn_rpackets", setter: fld_set}]}, - "cn_sampalgo": {to:[{field: "rsa.misc.cn_sampalgo", setter: fld_set}]}, - "cn_sampint": {to:[{field: "rsa.misc.cn_sampint", setter: fld_set}]}, - "cn_seqctr": {to:[{field: "rsa.misc.cn_seqctr", setter: fld_set}]}, - "cn_spackets": {to:[{field: "rsa.misc.cn_spackets", setter: fld_set}]}, - "cn_src_tos": {to:[{field: 
"rsa.misc.cn_src_tos", setter: fld_set}]}, - "cn_src_vlan": {to:[{field: "rsa.misc.cn_src_vlan", setter: fld_set}]}, - "cn_sysuptime": {to:[{field: "rsa.misc.cn_sysuptime", setter: fld_set}]}, - "cn_template_id": {to:[{field: "rsa.misc.cn_template_id", setter: fld_set}]}, - "cn_totbytsexp": {to:[{field: "rsa.misc.cn_totbytsexp", setter: fld_set}]}, - "cn_totflowexp": {to:[{field: "rsa.misc.cn_totflowexp", setter: fld_set}]}, - "cn_totpcktsexp": {to:[{field: "rsa.misc.cn_totpcktsexp", setter: fld_set}]}, - "cn_unixnanosecs": {to:[{field: "rsa.misc.cn_unixnanosecs", setter: fld_set}]}, - "cn_v6flowlabel": {to:[{field: "rsa.misc.cn_v6flowlabel", setter: fld_set}]}, - "cn_v6optheaders": {to:[{field: "rsa.misc.cn_v6optheaders", setter: fld_set}]}, - "code": {to:[{field: "rsa.misc.code", setter: fld_set}]}, - "command": {to:[{field: "rsa.misc.command", setter: fld_set}]}, - "comments": {to:[{field: "rsa.misc.comments", setter: fld_set}]}, - "comp_class": {to:[{field: "rsa.misc.comp_class", setter: fld_set}]}, - "comp_name": {to:[{field: "rsa.misc.comp_name", setter: fld_set}]}, - "comp_rbytes": {to:[{field: "rsa.misc.comp_rbytes", setter: fld_set}]}, - "comp_sbytes": {to:[{field: "rsa.misc.comp_sbytes", setter: fld_set}]}, - "component_version": {to:[{field: "rsa.misc.comp_version", setter: fld_set}]}, - "connection_id": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 1}]}, - "connectionid": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 0}]}, - "content": {to:[{field: "rsa.misc.content", setter: fld_set}]}, - "content_type": {to:[{field: "rsa.misc.content_type", setter: fld_set}]}, - "content_version": {to:[{field: "rsa.misc.content_version", setter: fld_set}]}, - "context": {to:[{field: "rsa.misc.context", setter: fld_set}]}, - "count": {to:[{field: "rsa.misc.count", setter: fld_set}]}, - "cpu": {convert: to_long, to:[{field: "rsa.misc.cpu", setter: fld_set}]}, - "cpu_data": {to:[{field: "rsa.misc.cpu_data", setter: fld_set}]}, - 
"criticality": {to:[{field: "rsa.misc.criticality", setter: fld_set}]}, - "cs_agency_dst": {to:[{field: "rsa.misc.cs_agency_dst", setter: fld_set}]}, - "cs_analyzedby": {to:[{field: "rsa.misc.cs_analyzedby", setter: fld_set}]}, - "cs_av_other": {to:[{field: "rsa.misc.cs_av_other", setter: fld_set}]}, - "cs_av_primary": {to:[{field: "rsa.misc.cs_av_primary", setter: fld_set}]}, - "cs_av_secondary": {to:[{field: "rsa.misc.cs_av_secondary", setter: fld_set}]}, - "cs_bgpv6nxthop": {to:[{field: "rsa.misc.cs_bgpv6nxthop", setter: fld_set}]}, - "cs_bit9status": {to:[{field: "rsa.misc.cs_bit9status", setter: fld_set}]}, - "cs_context": {to:[{field: "rsa.misc.cs_context", setter: fld_set}]}, - "cs_control": {to:[{field: "rsa.misc.cs_control", setter: fld_set}]}, - "cs_data": {to:[{field: "rsa.misc.cs_data", setter: fld_set}]}, - "cs_datecret": {to:[{field: "rsa.misc.cs_datecret", setter: fld_set}]}, - "cs_dst_tld": {to:[{field: "rsa.misc.cs_dst_tld", setter: fld_set}]}, - "cs_eth_dst_ven": {to:[{field: "rsa.misc.cs_eth_dst_ven", setter: fld_set}]}, - "cs_eth_src_ven": {to:[{field: "rsa.misc.cs_eth_src_ven", setter: fld_set}]}, - "cs_event_uuid": {to:[{field: "rsa.misc.cs_event_uuid", setter: fld_set}]}, - "cs_filetype": {to:[{field: "rsa.misc.cs_filetype", setter: fld_set}]}, - "cs_fld": {to:[{field: "rsa.misc.cs_fld", setter: fld_set}]}, - "cs_if_desc": {to:[{field: "rsa.misc.cs_if_desc", setter: fld_set}]}, - "cs_if_name": {to:[{field: "rsa.misc.cs_if_name", setter: fld_set}]}, - "cs_ip_next_hop": {to:[{field: "rsa.misc.cs_ip_next_hop", setter: fld_set}]}, - "cs_ipv4dstpre": {to:[{field: "rsa.misc.cs_ipv4dstpre", setter: fld_set}]}, - "cs_ipv4srcpre": {to:[{field: "rsa.misc.cs_ipv4srcpre", setter: fld_set}]}, - "cs_lifetime": {to:[{field: "rsa.misc.cs_lifetime", setter: fld_set}]}, - "cs_log_medium": {to:[{field: "rsa.misc.cs_log_medium", setter: fld_set}]}, - "cs_loginname": {to:[{field: "rsa.misc.cs_loginname", setter: fld_set}]}, - "cs_modulescore": {to:[{field: 
"rsa.misc.cs_modulescore", setter: fld_set}]}, - "cs_modulesign": {to:[{field: "rsa.misc.cs_modulesign", setter: fld_set}]}, - "cs_opswatresult": {to:[{field: "rsa.misc.cs_opswatresult", setter: fld_set}]}, - "cs_payload": {to:[{field: "rsa.misc.cs_payload", setter: fld_set}]}, - "cs_registrant": {to:[{field: "rsa.misc.cs_registrant", setter: fld_set}]}, - "cs_registrar": {to:[{field: "rsa.misc.cs_registrar", setter: fld_set}]}, - "cs_represult": {to:[{field: "rsa.misc.cs_represult", setter: fld_set}]}, - "cs_rpayload": {to:[{field: "rsa.misc.cs_rpayload", setter: fld_set}]}, - "cs_sampler_name": {to:[{field: "rsa.misc.cs_sampler_name", setter: fld_set}]}, - "cs_sourcemodule": {to:[{field: "rsa.misc.cs_sourcemodule", setter: fld_set}]}, - "cs_streams": {to:[{field: "rsa.misc.cs_streams", setter: fld_set}]}, - "cs_targetmodule": {to:[{field: "rsa.misc.cs_targetmodule", setter: fld_set}]}, - "cs_v6nxthop": {to:[{field: "rsa.misc.cs_v6nxthop", setter: fld_set}]}, - "cs_whois_server": {to:[{field: "rsa.misc.cs_whois_server", setter: fld_set}]}, - "cs_yararesult": {to:[{field: "rsa.misc.cs_yararesult", setter: fld_set}]}, - "cve": {to:[{field: "rsa.misc.cve", setter: fld_set}]}, - "d_certauth": {to:[{field: "rsa.crypto.d_certauth", setter: fld_set}]}, - "d_cipher": {to:[{field: "rsa.crypto.cipher_dst", setter: fld_set}]}, - "d_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_dst", setter: fld_set}]}, - "d_sslver": {to:[{field: "rsa.crypto.ssl_ver_dst", setter: fld_set}]}, - "data": {to:[{field: "rsa.internal.data", setter: fld_set}]}, - "data_type": {to:[{field: "rsa.misc.data_type", setter: fld_set}]}, - "date": {to:[{field: "rsa.time.date", setter: fld_set}]}, - "datetime": {to:[{field: "rsa.time.datetime", setter: fld_set}]}, - "day": {to:[{field: "rsa.time.day", setter: fld_set}]}, - "db_id": {to:[{field: "rsa.db.db_id", setter: fld_set}]}, - "db_name": {to:[{field: "rsa.db.database", setter: fld_set}]}, - "db_pid": {convert: to_long, to:[{field: 
"rsa.db.db_pid", setter: fld_set}]}, - "dclass_counter1": {convert: to_long, to:[{field: "rsa.counters.dclass_c1", setter: fld_set}]}, - "dclass_counter1_string": {to:[{field: "rsa.counters.dclass_c1_str", setter: fld_set}]}, - "dclass_counter2": {convert: to_long, to:[{field: "rsa.counters.dclass_c2", setter: fld_set}]}, - "dclass_counter2_string": {to:[{field: "rsa.counters.dclass_c2_str", setter: fld_set}]}, - "dclass_counter3": {convert: to_long, to:[{field: "rsa.counters.dclass_c3", setter: fld_set}]}, - "dclass_counter3_string": {to:[{field: "rsa.counters.dclass_c3_str", setter: fld_set}]}, - "dclass_ratio1": {to:[{field: "rsa.counters.dclass_r1", setter: fld_set}]}, - "dclass_ratio1_string": {to:[{field: "rsa.counters.dclass_r1_str", setter: fld_set}]}, - "dclass_ratio2": {to:[{field: "rsa.counters.dclass_r2", setter: fld_set}]}, - "dclass_ratio2_string": {to:[{field: "rsa.counters.dclass_r2_str", setter: fld_set}]}, - "dclass_ratio3": {to:[{field: "rsa.counters.dclass_r3", setter: fld_set}]}, - "dclass_ratio3_string": {to:[{field: "rsa.counters.dclass_r3_str", setter: fld_set}]}, - "dead": {convert: to_long, to:[{field: "rsa.internal.dead", setter: fld_set}]}, - "description": {to:[{field: "rsa.misc.description", setter: fld_set}]}, - "detail": {to:[{field: "rsa.misc.event_desc", setter: fld_set}]}, - "device": {to:[{field: "rsa.misc.device_name", setter: fld_set}]}, - "device.class": {to:[{field: "rsa.internal.device_class", setter: fld_set}]}, - "device.group": {to:[{field: "rsa.internal.device_group", setter: fld_set}]}, - "device.host": {to:[{field: "rsa.internal.device_host", setter: fld_set}]}, - "device.ip": {convert: to_ip, to:[{field: "rsa.internal.device_ip", setter: fld_set}]}, - "device.ipv6": {convert: to_ip, to:[{field: "rsa.internal.device_ipv6", setter: fld_set}]}, - "device.type": {to:[{field: "rsa.internal.device_type", setter: fld_set}]}, - "device.type.id": {convert: to_long, to:[{field: "rsa.internal.device_type_id", setter: fld_set}]}, 
- "devicehostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "devvendor": {to:[{field: "rsa.misc.devvendor", setter: fld_set}]}, - "dhost": {to:[{field: "rsa.network.host_dst", setter: fld_set}]}, - "did": {to:[{field: "rsa.internal.did", setter: fld_set}]}, - "dinterface": {to:[{field: "rsa.network.dinterface", setter: fld_set}]}, - "directory.dst": {to:[{field: "rsa.file.directory_dst", setter: fld_set}]}, - "directory.src": {to:[{field: "rsa.file.directory_src", setter: fld_set}]}, - "disk_volume": {to:[{field: "rsa.storage.disk_volume", setter: fld_set}]}, - "disposition": {to:[{field: "rsa.misc.disposition", setter: fld_set}]}, - "distance": {to:[{field: "rsa.misc.distance", setter: fld_set}]}, - "dmask": {to:[{field: "rsa.network.dmask", setter: fld_set}]}, - "dn": {to:[{field: "rsa.identity.dn", setter: fld_set}]}, - "dns_a_record": {to:[{field: "rsa.network.dns_a_record", setter: fld_set}]}, - "dns_cname_record": {to:[{field: "rsa.network.dns_cname_record", setter: fld_set}]}, - "dns_id": {to:[{field: "rsa.network.dns_id", setter: fld_set}]}, - "dns_opcode": {to:[{field: "rsa.network.dns_opcode", setter: fld_set}]}, - "dns_ptr_record": {to:[{field: "rsa.network.dns_ptr_record", setter: fld_set}]}, - "dns_resp": {to:[{field: "rsa.network.dns_resp", setter: fld_set}]}, - "dns_type": {to:[{field: "rsa.network.dns_type", setter: fld_set}]}, - "doc_number": {convert: to_long, to:[{field: "rsa.misc.doc_number", setter: fld_set}]}, - "domain": {to:[{field: "rsa.network.domain", setter: fld_set}]}, - "domain1": {to:[{field: "rsa.network.domain1", setter: fld_set}]}, - "dst_dn": {to:[{field: "rsa.identity.dn_dst", setter: fld_set}]}, - "dst_payload": {to:[{field: "rsa.misc.payload_dst", setter: fld_set}]}, - "dst_spi": {to:[{field: "rsa.misc.spi_dst", setter: fld_set}]}, - "dst_zone": {to:[{field: "rsa.network.zone_dst", setter: fld_set}]}, - "dstburb": {to:[{field: "rsa.misc.dstburb", setter: fld_set}]}, - "duration": {convert: to_double, 
to:[{field: "rsa.time.duration_time", setter: fld_set}]}, - "duration_string": {to:[{field: "rsa.time.duration_str", setter: fld_set}]}, - "ec_activity": {to:[{field: "rsa.investigations.ec_activity", setter: fld_set}]}, - "ec_outcome": {to:[{field: "rsa.investigations.ec_outcome", setter: fld_set}]}, - "ec_subject": {to:[{field: "rsa.investigations.ec_subject", setter: fld_set}]}, - "ec_theme": {to:[{field: "rsa.investigations.ec_theme", setter: fld_set}]}, - "edomain": {to:[{field: "rsa.misc.edomain", setter: fld_set}]}, - "edomaub": {to:[{field: "rsa.misc.edomaub", setter: fld_set}]}, - "effective_time": {convert: to_date, to:[{field: "rsa.time.effective_time", setter: fld_set}]}, - "ein.number": {convert: to_long, to:[{field: "rsa.misc.ein_number", setter: fld_set}]}, - "email": {to:[{field: "rsa.email.email", setter: fld_append}]}, - "encryption_type": {to:[{field: "rsa.crypto.crypto", setter: fld_set}]}, - "endtime": {convert: to_date, to:[{field: "rsa.time.endtime", setter: fld_set}]}, - "entropy.req": {convert: to_long, to:[{field: "rsa.internal.entropy_req", setter: fld_set}]}, - "entropy.res": {convert: to_long, to:[{field: "rsa.internal.entropy_res", setter: fld_set}]}, - "entry": {to:[{field: "rsa.internal.entry", setter: fld_set}]}, - "eoc": {to:[{field: "rsa.investigations.eoc", setter: fld_set}]}, - "error": {to:[{field: "rsa.misc.error", setter: fld_set}]}, - "eth_type": {convert: to_long, to:[{field: "rsa.network.eth_type", setter: fld_set}]}, - "euid": {to:[{field: "rsa.misc.euid", setter: fld_set}]}, - "event.cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 1}]}, - "event.cat.name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 1}]}, - "event_cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 0}]}, - "event_cat_name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 0}]}, - "event_category": {to:[{field: 
"rsa.misc.event_category", setter: fld_set}]}, - "event_computer": {to:[{field: "rsa.misc.event_computer", setter: fld_set}]}, - "event_counter": {convert: to_long, to:[{field: "rsa.counters.event_counter", setter: fld_set}]}, - "event_description": {to:[{field: "rsa.internal.event_desc", setter: fld_set}]}, - "event_id": {to:[{field: "rsa.misc.event_id", setter: fld_set}]}, - "event_log": {to:[{field: "rsa.misc.event_log", setter: fld_set}]}, - "event_name": {to:[{field: "rsa.internal.event_name", setter: fld_set}]}, - "event_queue_time": {convert: to_date, to:[{field: "rsa.time.event_queue_time", setter: fld_set}]}, - "event_source": {to:[{field: "rsa.misc.event_source", setter: fld_set}]}, - "event_state": {to:[{field: "rsa.misc.event_state", setter: fld_set}]}, - "event_time": {convert: to_date, to:[{field: "rsa.time.event_time", setter: fld_set}]}, - "event_time_str": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 1}]}, - "event_time_string": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 0}]}, - "event_type": {to:[{field: "rsa.misc.event_type", setter: fld_set}]}, - "event_user": {to:[{field: "rsa.misc.event_user", setter: fld_set}]}, - "eventtime": {to:[{field: "rsa.time.eventtime", setter: fld_set}]}, - "expected_val": {to:[{field: "rsa.misc.expected_val", setter: fld_set}]}, - "expiration_time": {convert: to_date, to:[{field: "rsa.time.expire_time", setter: fld_set}]}, - "expiration_time_string": {to:[{field: "rsa.time.expire_time_str", setter: fld_set}]}, - "facility": {to:[{field: "rsa.misc.facility", setter: fld_set}]}, - "facilityname": {to:[{field: "rsa.misc.facilityname", setter: fld_set}]}, - "faddr": {to:[{field: "rsa.network.faddr", setter: fld_set}]}, - "fcatnum": {to:[{field: "rsa.misc.fcatnum", setter: fld_set}]}, - "federated_idp": {to:[{field: "rsa.identity.federated_idp", setter: fld_set}]}, - "federated_sp": {to:[{field: "rsa.identity.federated_sp", setter: fld_set}]}, - "feed.category": {to:[{field: 
"rsa.internal.feed_category", setter: fld_set}]}, - "feed_desc": {to:[{field: "rsa.internal.feed_desc", setter: fld_set}]}, - "feed_name": {to:[{field: "rsa.internal.feed_name", setter: fld_set}]}, - "fhost": {to:[{field: "rsa.network.fhost", setter: fld_set}]}, - "file_entropy": {convert: to_double, to:[{field: "rsa.file.file_entropy", setter: fld_set}]}, - "file_vendor": {to:[{field: "rsa.file.file_vendor", setter: fld_set}]}, - "filename_dst": {to:[{field: "rsa.file.filename_dst", setter: fld_set}]}, - "filename_src": {to:[{field: "rsa.file.filename_src", setter: fld_set}]}, - "filename_tmp": {to:[{field: "rsa.file.filename_tmp", setter: fld_set}]}, - "filesystem": {to:[{field: "rsa.file.filesystem", setter: fld_set}]}, - "filter": {to:[{field: "rsa.misc.filter", setter: fld_set}]}, - "finterface": {to:[{field: "rsa.misc.finterface", setter: fld_set}]}, - "flags": {to:[{field: "rsa.misc.flags", setter: fld_set}]}, - "forensic_info": {to:[{field: "rsa.misc.forensic_info", setter: fld_set}]}, - "forward.ip": {convert: to_ip, to:[{field: "rsa.internal.forward_ip", setter: fld_set}]}, - "forward.ipv6": {convert: to_ip, to:[{field: "rsa.internal.forward_ipv6", setter: fld_set}]}, - "found": {to:[{field: "rsa.misc.found", setter: fld_set}]}, - "fport": {to:[{field: "rsa.network.fport", setter: fld_set}]}, - "fqdn": {to:[{field: "rsa.web.fqdn", setter: fld_set}]}, - "fresult": {convert: to_long, to:[{field: "rsa.misc.fresult", setter: fld_set}]}, - "from": {to:[{field: "rsa.email.email_src", setter: fld_set}]}, - "gaddr": {to:[{field: "rsa.misc.gaddr", setter: fld_set}]}, - "gateway": {to:[{field: "rsa.network.gateway", setter: fld_set}]}, - "gmtdate": {to:[{field: "rsa.time.gmtdate", setter: fld_set}]}, - "gmttime": {to:[{field: "rsa.time.gmttime", setter: fld_set}]}, - "group": {to:[{field: "rsa.misc.group", setter: fld_set}]}, - "group_object": {to:[{field: "rsa.misc.group_object", setter: fld_set}]}, - "groupid": {to:[{field: "rsa.misc.group_id", setter: 
fld_set}]}, - "h_code": {to:[{field: "rsa.internal.hcode", setter: fld_set}]}, - "hardware_id": {to:[{field: "rsa.misc.hardware_id", setter: fld_set}]}, - "header.id": {to:[{field: "rsa.internal.header_id", setter: fld_set}]}, - "host.orig": {to:[{field: "rsa.network.host_orig", setter: fld_set}]}, - "host.state": {to:[{field: "rsa.endpoint.host_state", setter: fld_set}]}, - "host.type": {to:[{field: "rsa.network.host_type", setter: fld_set}]}, - "host_role": {to:[{field: "rsa.identity.host_role", setter: fld_set}]}, - "hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "hostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "hour": {to:[{field: "rsa.time.hour", setter: fld_set}]}, - "https.insact": {to:[{field: "rsa.crypto.https_insact", setter: fld_set}]}, - "https.valid": {to:[{field: "rsa.crypto.https_valid", setter: fld_set}]}, - "icmpcode": {convert: to_long, to:[{field: "rsa.network.icmp_code", setter: fld_set}]}, - "icmptype": {convert: to_long, to:[{field: "rsa.network.icmp_type", setter: fld_set}]}, - "id": {to:[{field: "rsa.misc.reference_id", setter: fld_set}]}, - "id1": {to:[{field: "rsa.misc.reference_id1", setter: fld_set}]}, - "id2": {to:[{field: "rsa.misc.reference_id2", setter: fld_set}]}, - "id3": {to:[{field: "rsa.misc.id3", setter: fld_set}]}, - "ike": {to:[{field: "rsa.crypto.ike", setter: fld_set}]}, - "ike_cookie1": {to:[{field: "rsa.crypto.ike_cookie1", setter: fld_set}]}, - "ike_cookie2": {to:[{field: "rsa.crypto.ike_cookie2", setter: fld_set}]}, - "im_buddyid": {to:[{field: "rsa.misc.im_buddyid", setter: fld_set}]}, - "im_buddyname": {to:[{field: "rsa.misc.im_buddyname", setter: fld_set}]}, - "im_client": {to:[{field: "rsa.misc.im_client", setter: fld_set}]}, - "im_croomid": {to:[{field: "rsa.misc.im_croomid", setter: fld_set}]}, - "im_croomtype": {to:[{field: "rsa.misc.im_croomtype", setter: fld_set}]}, - "im_members": {to:[{field: "rsa.misc.im_members", setter: fld_set}]}, - "im_userid": 
{to:[{field: "rsa.misc.im_userid", setter: fld_set}]}, - "im_username": {to:[{field: "rsa.misc.im_username", setter: fld_set}]}, - "index": {to:[{field: "rsa.misc.index", setter: fld_set}]}, - "info": {to:[{field: "rsa.db.index", setter: fld_set}]}, - "inode": {convert: to_long, to:[{field: "rsa.internal.inode", setter: fld_set}]}, - "inout": {to:[{field: "rsa.misc.inout", setter: fld_set}]}, - "instance": {to:[{field: "rsa.db.instance", setter: fld_set}]}, - "interface": {to:[{field: "rsa.network.interface", setter: fld_set}]}, - "inv.category": {to:[{field: "rsa.investigations.inv_category", setter: fld_set}]}, - "inv.context": {to:[{field: "rsa.investigations.inv_context", setter: fld_set}]}, - "ioc": {to:[{field: "rsa.investigations.ioc", setter: fld_set}]}, - "ip_proto": {convert: to_long, to:[{field: "rsa.network.ip_proto", setter: fld_set}]}, - "ipkt": {to:[{field: "rsa.misc.ipkt", setter: fld_set}]}, - "ipscat": {to:[{field: "rsa.misc.ipscat", setter: fld_set}]}, - "ipspri": {to:[{field: "rsa.misc.ipspri", setter: fld_set}]}, - "jobname": {to:[{field: "rsa.misc.jobname", setter: fld_set}]}, - "jobnum": {to:[{field: "rsa.misc.job_num", setter: fld_set}]}, - "laddr": {to:[{field: "rsa.network.laddr", setter: fld_set}]}, - "language": {to:[{field: "rsa.misc.language", setter: fld_set}]}, - "latitude": {to:[{field: "rsa.misc.latitude", setter: fld_set}]}, - "lc.cid": {to:[{field: "rsa.internal.lc_cid", setter: fld_set}]}, - "lc.ctime": {convert: to_date, to:[{field: "rsa.internal.lc_ctime", setter: fld_set}]}, - "ldap": {to:[{field: "rsa.identity.ldap", setter: fld_set}]}, - "ldap.query": {to:[{field: "rsa.identity.ldap_query", setter: fld_set}]}, - "ldap.response": {to:[{field: "rsa.identity.ldap_response", setter: fld_set}]}, - "level": {convert: to_long, to:[{field: "rsa.internal.level", setter: fld_set}]}, - "lhost": {to:[{field: "rsa.network.lhost", setter: fld_set}]}, - "library": {to:[{field: "rsa.misc.library", setter: fld_set}]}, - "lifetime": 
{convert: to_long, to:[{field: "rsa.misc.lifetime", setter: fld_set}]}, - "linenum": {to:[{field: "rsa.misc.linenum", setter: fld_set}]}, - "link": {to:[{field: "rsa.misc.link", setter: fld_set}]}, - "linterface": {to:[{field: "rsa.network.linterface", setter: fld_set}]}, - "list_name": {to:[{field: "rsa.misc.list_name", setter: fld_set}]}, - "listnum": {to:[{field: "rsa.misc.listnum", setter: fld_set}]}, - "load_data": {to:[{field: "rsa.misc.load_data", setter: fld_set}]}, - "location_floor": {to:[{field: "rsa.misc.location_floor", setter: fld_set}]}, - "location_mark": {to:[{field: "rsa.misc.location_mark", setter: fld_set}]}, - "log_id": {to:[{field: "rsa.misc.log_id", setter: fld_set}]}, - "log_type": {to:[{field: "rsa.misc.log_type", setter: fld_set}]}, - "logid": {to:[{field: "rsa.misc.logid", setter: fld_set}]}, - "logip": {to:[{field: "rsa.misc.logip", setter: fld_set}]}, - "logname": {to:[{field: "rsa.misc.logname", setter: fld_set}]}, - "logon_type": {to:[{field: "rsa.identity.logon_type", setter: fld_set}]}, - "logon_type_desc": {to:[{field: "rsa.identity.logon_type_desc", setter: fld_set}]}, - "longitude": {to:[{field: "rsa.misc.longitude", setter: fld_set}]}, - "lport": {to:[{field: "rsa.misc.lport", setter: fld_set}]}, - "lread": {convert: to_long, to:[{field: "rsa.db.lread", setter: fld_set}]}, - "lun": {to:[{field: "rsa.storage.lun", setter: fld_set}]}, - "lwrite": {convert: to_long, to:[{field: "rsa.db.lwrite", setter: fld_set}]}, - "macaddr": {convert: to_mac, to:[{field: "rsa.network.eth_host", setter: fld_set}]}, - "mail_id": {to:[{field: "rsa.misc.mail_id", setter: fld_set}]}, - "mask": {to:[{field: "rsa.network.mask", setter: fld_set}]}, - "match": {to:[{field: "rsa.misc.match", setter: fld_set}]}, - "mbug_data": {to:[{field: "rsa.misc.mbug_data", setter: fld_set}]}, - "mcb.req": {convert: to_long, to:[{field: "rsa.internal.mcb_req", setter: fld_set}]}, - "mcb.res": {convert: to_long, to:[{field: "rsa.internal.mcb_res", setter: fld_set}]}, - 
"mcbc.req": {convert: to_long, to:[{field: "rsa.internal.mcbc_req", setter: fld_set}]}, - "mcbc.res": {convert: to_long, to:[{field: "rsa.internal.mcbc_res", setter: fld_set}]}, - "medium": {convert: to_long, to:[{field: "rsa.internal.medium", setter: fld_set}]}, - "message": {to:[{field: "rsa.internal.message", setter: fld_set}]}, - "message_body": {to:[{field: "rsa.misc.message_body", setter: fld_set}]}, - "messageid": {to:[{field: "rsa.internal.messageid", setter: fld_set}]}, - "min": {to:[{field: "rsa.time.min", setter: fld_set}]}, - "misc": {to:[{field: "rsa.misc.misc", setter: fld_set}]}, - "misc_name": {to:[{field: "rsa.misc.misc_name", setter: fld_set}]}, - "mode": {to:[{field: "rsa.misc.mode", setter: fld_set}]}, - "month": {to:[{field: "rsa.time.month", setter: fld_set}]}, - "msg": {to:[{field: "rsa.internal.msg", setter: fld_set}]}, - "msgIdPart1": {to:[{field: "rsa.misc.msgIdPart1", setter: fld_set}]}, - "msgIdPart2": {to:[{field: "rsa.misc.msgIdPart2", setter: fld_set}]}, - "msgIdPart3": {to:[{field: "rsa.misc.msgIdPart3", setter: fld_set}]}, - "msgIdPart4": {to:[{field: "rsa.misc.msgIdPart4", setter: fld_set}]}, - "msg_id": {to:[{field: "rsa.internal.msg_id", setter: fld_set}]}, - "msg_type": {to:[{field: "rsa.misc.msg_type", setter: fld_set}]}, - "msgid": {to:[{field: "rsa.misc.msgid", setter: fld_set}]}, - "name": {to:[{field: "rsa.misc.name", setter: fld_set}]}, - "netname": {to:[{field: "rsa.network.netname", setter: fld_set}]}, - "netsessid": {to:[{field: "rsa.misc.netsessid", setter: fld_set}]}, - "network_port": {convert: to_long, to:[{field: "rsa.network.network_port", setter: fld_set}]}, - "network_service": {to:[{field: "rsa.network.network_service", setter: fld_set}]}, - "node": {to:[{field: "rsa.misc.node", setter: fld_set}]}, - "nodename": {to:[{field: "rsa.internal.node_name", setter: fld_set}]}, - "ntype": {to:[{field: "rsa.misc.ntype", setter: fld_set}]}, - "num": {to:[{field: "rsa.misc.num", setter: fld_set}]}, - "number": 
{to:[{field: "rsa.misc.number", setter: fld_set}]}, - "number1": {to:[{field: "rsa.misc.number1", setter: fld_set}]}, - "number2": {to:[{field: "rsa.misc.number2", setter: fld_set}]}, - "nwe.callback_id": {to:[{field: "rsa.internal.nwe_callback_id", setter: fld_set}]}, - "nwwn": {to:[{field: "rsa.misc.nwwn", setter: fld_set}]}, - "obj_id": {to:[{field: "rsa.internal.obj_id", setter: fld_set}]}, - "obj_name": {to:[{field: "rsa.misc.obj_name", setter: fld_set}]}, - "obj_server": {to:[{field: "rsa.internal.obj_server", setter: fld_set}]}, - "obj_type": {to:[{field: "rsa.misc.obj_type", setter: fld_set}]}, - "obj_value": {to:[{field: "rsa.internal.obj_val", setter: fld_set}]}, - "object": {to:[{field: "rsa.misc.object", setter: fld_set}]}, - "observed_val": {to:[{field: "rsa.misc.observed_val", setter: fld_set}]}, - "operation": {to:[{field: "rsa.misc.operation", setter: fld_set}]}, - "operation_id": {to:[{field: "rsa.misc.operation_id", setter: fld_set}]}, - "opkt": {to:[{field: "rsa.misc.opkt", setter: fld_set}]}, - "org.dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 1}]}, - "org.src": {to:[{field: "rsa.physical.org_src", setter: fld_set}]}, - "org_dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 0}]}, - "orig_from": {to:[{field: "rsa.misc.orig_from", setter: fld_set}]}, - "origin": {to:[{field: "rsa.network.origin", setter: fld_set}]}, - "original_owner": {to:[{field: "rsa.identity.owner", setter: fld_set}]}, - "os": {to:[{field: "rsa.misc.OS", setter: fld_set}]}, - "owner_id": {to:[{field: "rsa.misc.owner_id", setter: fld_set}]}, - "p_action": {to:[{field: "rsa.misc.p_action", setter: fld_set}]}, - "p_date": {to:[{field: "rsa.time.p_date", setter: fld_set}]}, - "p_filter": {to:[{field: "rsa.misc.p_filter", setter: fld_set}]}, - "p_group_object": {to:[{field: "rsa.misc.p_group_object", setter: fld_set}]}, - "p_id": {to:[{field: "rsa.misc.p_id", setter: fld_set}]}, - "p_month": {to:[{field: "rsa.time.p_month", setter: fld_set}]}, 
- "p_msgid": {to:[{field: "rsa.misc.p_msgid", setter: fld_set}]}, - "p_msgid1": {to:[{field: "rsa.misc.p_msgid1", setter: fld_set}]}, - "p_msgid2": {to:[{field: "rsa.misc.p_msgid2", setter: fld_set}]}, - "p_result1": {to:[{field: "rsa.misc.p_result1", setter: fld_set}]}, - "p_time": {to:[{field: "rsa.time.p_time", setter: fld_set}]}, - "p_time1": {to:[{field: "rsa.time.p_time1", setter: fld_set}]}, - "p_time2": {to:[{field: "rsa.time.p_time2", setter: fld_set}]}, - "p_url": {to:[{field: "rsa.web.p_url", setter: fld_set}]}, - "p_user_agent": {to:[{field: "rsa.web.p_user_agent", setter: fld_set}]}, - "p_web_cookie": {to:[{field: "rsa.web.p_web_cookie", setter: fld_set}]}, - "p_web_method": {to:[{field: "rsa.web.p_web_method", setter: fld_set}]}, - "p_web_referer": {to:[{field: "rsa.web.p_web_referer", setter: fld_set}]}, - "p_year": {to:[{field: "rsa.time.p_year", setter: fld_set}]}, - "packet_length": {to:[{field: "rsa.network.packet_length", setter: fld_set}]}, - "paddr": {convert: to_ip, to:[{field: "rsa.network.paddr", setter: fld_set}]}, - "param": {to:[{field: "rsa.misc.param", setter: fld_set}]}, - "param.dst": {to:[{field: "rsa.misc.param_dst", setter: fld_set}]}, - "param.src": {to:[{field: "rsa.misc.param_src", setter: fld_set}]}, - "parent_node": {to:[{field: "rsa.misc.parent_node", setter: fld_set}]}, - "parse.error": {to:[{field: "rsa.internal.parse_error", setter: fld_set}]}, - "password": {to:[{field: "rsa.identity.password", setter: fld_set}]}, - "password_chg": {to:[{field: "rsa.misc.password_chg", setter: fld_set}]}, - "password_expire": {to:[{field: "rsa.misc.password_expire", setter: fld_set}]}, - "patient_fname": {to:[{field: "rsa.healthcare.patient_fname", setter: fld_set}]}, - "patient_id": {to:[{field: "rsa.healthcare.patient_id", setter: fld_set}]}, - "patient_lname": {to:[{field: "rsa.healthcare.patient_lname", setter: fld_set}]}, - "patient_mname": {to:[{field: "rsa.healthcare.patient_mname", setter: fld_set}]}, - "payload.req": {convert: 
to_long, to:[{field: "rsa.internal.payload_req", setter: fld_set}]}, - "payload.res": {convert: to_long, to:[{field: "rsa.internal.payload_res", setter: fld_set}]}, - "peer": {to:[{field: "rsa.crypto.peer", setter: fld_set}]}, - "peer_id": {to:[{field: "rsa.crypto.peer_id", setter: fld_set}]}, - "permgranted": {to:[{field: "rsa.misc.permgranted", setter: fld_set}]}, - "permissions": {to:[{field: "rsa.db.permissions", setter: fld_set}]}, - "permwanted": {to:[{field: "rsa.misc.permwanted", setter: fld_set}]}, - "pgid": {to:[{field: "rsa.misc.pgid", setter: fld_set}]}, - "phone_number": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 2}]}, - "phost": {to:[{field: "rsa.network.phost", setter: fld_set}]}, - "pid": {to:[{field: "rsa.misc.pid", setter: fld_set}]}, - "policy": {to:[{field: "rsa.misc.policy", setter: fld_set}]}, - "policyUUID": {to:[{field: "rsa.misc.policyUUID", setter: fld_set}]}, - "policy_id": {to:[{field: "rsa.misc.policy_id", setter: fld_set}]}, - "policy_value": {to:[{field: "rsa.misc.policy_value", setter: fld_set}]}, - "policy_waiver": {to:[{field: "rsa.misc.policy_waiver", setter: fld_set}]}, - "policyname": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 0}]}, - "pool_id": {to:[{field: "rsa.misc.pool_id", setter: fld_set}]}, - "pool_name": {to:[{field: "rsa.misc.pool_name", setter: fld_set}]}, - "port": {convert: to_long, to:[{field: "rsa.network.port", setter: fld_set}]}, - "portname": {to:[{field: "rsa.misc.port_name", setter: fld_set}]}, - "pread": {convert: to_long, to:[{field: "rsa.db.pread", setter: fld_set}]}, - "priority": {to:[{field: "rsa.misc.priority", setter: fld_set}]}, - "privilege": {to:[{field: "rsa.file.privilege", setter: fld_set}]}, - "process.vid.dst": {to:[{field: "rsa.internal.process_vid_dst", setter: fld_set}]}, - "process.vid.src": {to:[{field: "rsa.internal.process_vid_src", setter: fld_set}]}, - "process_id_val": {to:[{field: "rsa.misc.process_id_val", setter: fld_set}]}, - "processing_time": 
{to:[{field: "rsa.time.process_time", setter: fld_set}]}, - "profile": {to:[{field: "rsa.identity.profile", setter: fld_set}]}, - "prog_asp_num": {to:[{field: "rsa.misc.prog_asp_num", setter: fld_set}]}, - "program": {to:[{field: "rsa.misc.program", setter: fld_set}]}, - "protocol_detail": {to:[{field: "rsa.network.protocol_detail", setter: fld_set}]}, - "pwwn": {to:[{field: "rsa.storage.pwwn", setter: fld_set}]}, - "r_hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "real_data": {to:[{field: "rsa.misc.real_data", setter: fld_set}]}, - "realm": {to:[{field: "rsa.identity.realm", setter: fld_set}]}, - "reason": {to:[{field: "rsa.misc.reason", setter: fld_set}]}, - "rec_asp_device": {to:[{field: "rsa.misc.rec_asp_device", setter: fld_set}]}, - "rec_asp_num": {to:[{field: "rsa.misc.rec_asp_num", setter: fld_set}]}, - "rec_library": {to:[{field: "rsa.misc.rec_library", setter: fld_set}]}, - "recorded_time": {convert: to_date, to:[{field: "rsa.time.recorded_time", setter: fld_set}]}, - "recordnum": {to:[{field: "rsa.misc.recordnum", setter: fld_set}]}, - "registry.key": {to:[{field: "rsa.endpoint.registry_key", setter: fld_set}]}, - "registry.value": {to:[{field: "rsa.endpoint.registry_value", setter: fld_set}]}, - "remote_domain": {to:[{field: "rsa.web.remote_domain", setter: fld_set}]}, - "remote_domain_id": {to:[{field: "rsa.network.remote_domain_id", setter: fld_set}]}, - "reputation_num": {convert: to_double, to:[{field: "rsa.web.reputation_num", setter: fld_set}]}, - "resource": {to:[{field: "rsa.internal.resource", setter: fld_set}]}, - "resource_class": {to:[{field: "rsa.internal.resource_class", setter: fld_set}]}, - "result": {to:[{field: "rsa.misc.result", setter: fld_set}]}, - "result_code": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 1}]}, - "resultcode": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 0}]}, - "rid": {convert: to_long, to:[{field: "rsa.internal.rid", setter: fld_set}]}, - "risk": 
{to:[{field: "rsa.misc.risk", setter: fld_set}]}, - "risk_info": {to:[{field: "rsa.misc.risk_info", setter: fld_set}]}, - "risk_num": {convert: to_double, to:[{field: "rsa.misc.risk_num", setter: fld_set}]}, - "risk_num_comm": {convert: to_double, to:[{field: "rsa.misc.risk_num_comm", setter: fld_set}]}, - "risk_num_next": {convert: to_double, to:[{field: "rsa.misc.risk_num_next", setter: fld_set}]}, - "risk_num_sand": {convert: to_double, to:[{field: "rsa.misc.risk_num_sand", setter: fld_set}]}, - "risk_num_static": {convert: to_double, to:[{field: "rsa.misc.risk_num_static", setter: fld_set}]}, - "risk_suspicious": {to:[{field: "rsa.misc.risk_suspicious", setter: fld_set}]}, - "risk_warning": {to:[{field: "rsa.misc.risk_warning", setter: fld_set}]}, - "rpayload": {to:[{field: "rsa.network.rpayload", setter: fld_set}]}, - "ruid": {to:[{field: "rsa.misc.ruid", setter: fld_set}]}, - "rule": {to:[{field: "rsa.misc.rule", setter: fld_set}]}, - "rule_group": {to:[{field: "rsa.misc.rule_group", setter: fld_set}]}, - "rule_template": {to:[{field: "rsa.misc.rule_template", setter: fld_set}]}, - "rule_uid": {to:[{field: "rsa.misc.rule_uid", setter: fld_set}]}, - "rulename": {to:[{field: "rsa.misc.rule_name", setter: fld_set}]}, - "s_certauth": {to:[{field: "rsa.crypto.s_certauth", setter: fld_set}]}, - "s_cipher": {to:[{field: "rsa.crypto.cipher_src", setter: fld_set}]}, - "s_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_src", setter: fld_set}]}, - "s_context": {to:[{field: "rsa.misc.context_subject", setter: fld_set}]}, - "s_sslver": {to:[{field: "rsa.crypto.ssl_ver_src", setter: fld_set}]}, - "sburb": {to:[{field: "rsa.misc.sburb", setter: fld_set}]}, - "scheme": {to:[{field: "rsa.crypto.scheme", setter: fld_set}]}, - "sdomain_fld": {to:[{field: "rsa.misc.sdomain_fld", setter: fld_set}]}, - "search.text": {to:[{field: "rsa.misc.search_text", setter: fld_set}]}, - "sec": {to:[{field: "rsa.misc.sec", setter: fld_set}]}, - "second": {to:[{field: 
"rsa.misc.second", setter: fld_set}]}, - "sensor": {to:[{field: "rsa.misc.sensor", setter: fld_set}]}, - "sensorname": {to:[{field: "rsa.misc.sensorname", setter: fld_set}]}, - "seqnum": {to:[{field: "rsa.misc.seqnum", setter: fld_set}]}, - "serial_number": {to:[{field: "rsa.misc.serial_number", setter: fld_set}]}, - "service.account": {to:[{field: "rsa.identity.service_account", setter: fld_set}]}, - "session": {to:[{field: "rsa.misc.session", setter: fld_set}]}, - "session.split": {to:[{field: "rsa.internal.session_split", setter: fld_set}]}, - "sessionid": {to:[{field: "rsa.misc.log_session_id", setter: fld_set}]}, - "sessionid1": {to:[{field: "rsa.misc.log_session_id1", setter: fld_set}]}, - "sessiontype": {to:[{field: "rsa.misc.sessiontype", setter: fld_set}]}, - "severity": {to:[{field: "rsa.misc.severity", setter: fld_set}]}, - "sid": {to:[{field: "rsa.identity.user_sid_dst", setter: fld_set}]}, - "sig.name": {to:[{field: "rsa.misc.sig_name", setter: fld_set}]}, - "sigUUID": {to:[{field: "rsa.misc.sigUUID", setter: fld_set}]}, - "sigcat": {to:[{field: "rsa.misc.sigcat", setter: fld_set}]}, - "sigid": {convert: to_long, to:[{field: "rsa.misc.sig_id", setter: fld_set}]}, - "sigid1": {convert: to_long, to:[{field: "rsa.misc.sig_id1", setter: fld_set}]}, - "sigid_string": {to:[{field: "rsa.misc.sig_id_str", setter: fld_set}]}, - "signame": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 1}]}, - "sigtype": {to:[{field: "rsa.crypto.sig_type", setter: fld_set}]}, - "sinterface": {to:[{field: "rsa.network.sinterface", setter: fld_set}]}, - "site": {to:[{field: "rsa.internal.site", setter: fld_set}]}, - "size": {convert: to_long, to:[{field: "rsa.internal.size", setter: fld_set}]}, - "smask": {to:[{field: "rsa.network.smask", setter: fld_set}]}, - "snmp.oid": {to:[{field: "rsa.misc.snmp_oid", setter: fld_set}]}, - "snmp.value": {to:[{field: "rsa.misc.snmp_value", setter: fld_set}]}, - "sourcefile": {to:[{field: "rsa.internal.sourcefile", setter: 
fld_set}]}, - "space": {to:[{field: "rsa.misc.space", setter: fld_set}]}, - "space1": {to:[{field: "rsa.misc.space1", setter: fld_set}]}, - "spi": {to:[{field: "rsa.misc.spi", setter: fld_set}]}, - "sql": {to:[{field: "rsa.misc.sql", setter: fld_set}]}, - "src_dn": {to:[{field: "rsa.identity.dn_src", setter: fld_set}]}, - "src_payload": {to:[{field: "rsa.misc.payload_src", setter: fld_set}]}, - "src_spi": {to:[{field: "rsa.misc.spi_src", setter: fld_set}]}, - "src_zone": {to:[{field: "rsa.network.zone_src", setter: fld_set}]}, - "srcburb": {to:[{field: "rsa.misc.srcburb", setter: fld_set}]}, - "srcdom": {to:[{field: "rsa.misc.srcdom", setter: fld_set}]}, - "srcservice": {to:[{field: "rsa.misc.srcservice", setter: fld_set}]}, - "ssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 0}]}, - "stamp": {convert: to_date, to:[{field: "rsa.time.stamp", setter: fld_set}]}, - "starttime": {convert: to_date, to:[{field: "rsa.time.starttime", setter: fld_set}]}, - "state": {to:[{field: "rsa.misc.state", setter: fld_set}]}, - "statement": {to:[{field: "rsa.internal.statement", setter: fld_set}]}, - "status": {to:[{field: "rsa.misc.status", setter: fld_set}]}, - "status1": {to:[{field: "rsa.misc.status1", setter: fld_set}]}, - "streams": {convert: to_long, to:[{field: "rsa.misc.streams", setter: fld_set}]}, - "subcategory": {to:[{field: "rsa.misc.subcategory", setter: fld_set}]}, - "subject": {to:[{field: "rsa.email.subject", setter: fld_set}]}, - "svcno": {to:[{field: "rsa.misc.svcno", setter: fld_set}]}, - "system": {to:[{field: "rsa.misc.system", setter: fld_set}]}, - "t_context": {to:[{field: "rsa.misc.context_target", setter: fld_set}]}, - "task_name": {to:[{field: "rsa.file.task_name", setter: fld_set}]}, - "tbdstr1": {to:[{field: "rsa.misc.tbdstr1", setter: fld_set}]}, - "tbdstr2": {to:[{field: "rsa.misc.tbdstr2", setter: fld_set}]}, - "tbl_name": {to:[{field: "rsa.db.table_name", setter: fld_set}]}, - "tcp_flags": {convert: to_long, to:[{field: 
"rsa.misc.tcp_flags", setter: fld_set}]}, - "terminal": {to:[{field: "rsa.misc.terminal", setter: fld_set}]}, - "tgtdom": {to:[{field: "rsa.misc.tgtdom", setter: fld_set}]}, - "tgtdomain": {to:[{field: "rsa.misc.tgtdomain", setter: fld_set}]}, - "threat_name": {to:[{field: "rsa.threat.threat_category", setter: fld_set}]}, - "threat_source": {to:[{field: "rsa.threat.threat_source", setter: fld_set}]}, - "threat_val": {to:[{field: "rsa.threat.threat_desc", setter: fld_set}]}, - "threshold": {to:[{field: "rsa.misc.threshold", setter: fld_set}]}, - "time": {convert: to_date, to:[{field: "rsa.internal.time", setter: fld_set}]}, - "timestamp": {to:[{field: "rsa.time.timestamp", setter: fld_set}]}, - "timezone": {to:[{field: "rsa.time.timezone", setter: fld_set}]}, - "to": {to:[{field: "rsa.email.email_dst", setter: fld_set}]}, - "tos": {convert: to_long, to:[{field: "rsa.misc.tos", setter: fld_set}]}, - "trans_from": {to:[{field: "rsa.email.trans_from", setter: fld_set}]}, - "trans_id": {to:[{field: "rsa.db.transact_id", setter: fld_set}]}, - "trans_to": {to:[{field: "rsa.email.trans_to", setter: fld_set}]}, - "trigger_desc": {to:[{field: "rsa.misc.trigger_desc", setter: fld_set}]}, - "trigger_val": {to:[{field: "rsa.misc.trigger_val", setter: fld_set}]}, - "type": {to:[{field: "rsa.misc.type", setter: fld_set}]}, - "type1": {to:[{field: "rsa.misc.type1", setter: fld_set}]}, - "tzone": {to:[{field: "rsa.time.tzone", setter: fld_set}]}, - "ubc.req": {convert: to_long, to:[{field: "rsa.internal.ubc_req", setter: fld_set}]}, - "ubc.res": {convert: to_long, to:[{field: "rsa.internal.ubc_res", setter: fld_set}]}, - "udb_class": {to:[{field: "rsa.misc.udb_class", setter: fld_set}]}, - "url_fld": {to:[{field: "rsa.misc.url_fld", setter: fld_set}]}, - "urlpage": {to:[{field: "rsa.web.urlpage", setter: fld_set}]}, - "urlroot": {to:[{field: "rsa.web.urlroot", setter: fld_set}]}, - "user_address": {to:[{field: "rsa.email.email", setter: fld_append}]}, - "user_dept": {to:[{field: 
"rsa.identity.user_dept", setter: fld_set}]}, - "user_div": {to:[{field: "rsa.misc.user_div", setter: fld_set}]}, - "user_fname": {to:[{field: "rsa.identity.firstname", setter: fld_set}]}, - "user_lname": {to:[{field: "rsa.identity.lastname", setter: fld_set}]}, - "user_mname": {to:[{field: "rsa.identity.middlename", setter: fld_set}]}, - "user_org": {to:[{field: "rsa.identity.org", setter: fld_set}]}, - "user_role": {to:[{field: "rsa.identity.user_role", setter: fld_set}]}, - "userid": {to:[{field: "rsa.misc.userid", setter: fld_set}]}, - "username_fld": {to:[{field: "rsa.misc.username_fld", setter: fld_set}]}, - "utcstamp": {to:[{field: "rsa.misc.utcstamp", setter: fld_set}]}, - "v_instafname": {to:[{field: "rsa.misc.v_instafname", setter: fld_set}]}, - "vendor_event_cat": {to:[{field: "rsa.investigations.event_vcat", setter: fld_set}]}, - "version": {to:[{field: "rsa.misc.version", setter: fld_set}]}, - "vid": {to:[{field: "rsa.internal.msg_vid", setter: fld_set}]}, - "virt_data": {to:[{field: "rsa.misc.virt_data", setter: fld_set}]}, - "virusname": {to:[{field: "rsa.misc.virusname", setter: fld_set}]}, - "vlan": {convert: to_long, to:[{field: "rsa.network.vlan", setter: fld_set}]}, - "vlan.name": {to:[{field: "rsa.network.vlan_name", setter: fld_set}]}, - "vm_target": {to:[{field: "rsa.misc.vm_target", setter: fld_set}]}, - "vpnid": {to:[{field: "rsa.misc.vpnid", setter: fld_set}]}, - "vsys": {to:[{field: "rsa.misc.vsys", setter: fld_set}]}, - "vuln_ref": {to:[{field: "rsa.misc.vuln_ref", setter: fld_set}]}, - "web_cookie": {to:[{field: "rsa.web.web_cookie", setter: fld_set}]}, - "web_extension_tmp": {to:[{field: "rsa.web.web_extension_tmp", setter: fld_set}]}, - "web_host": {to:[{field: "rsa.web.alias_host", setter: fld_set}]}, - "web_method": {to:[{field: "rsa.misc.action", setter: fld_append}]}, - "web_page": {to:[{field: "rsa.web.web_page", setter: fld_set}]}, - "web_ref_domain": {to:[{field: "rsa.web.web_ref_domain", setter: fld_set}]}, - "web_ref_host": 
{to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "web_ref_page": {to:[{field: "rsa.web.web_ref_page", setter: fld_set}]}, - "web_ref_query": {to:[{field: "rsa.web.web_ref_query", setter: fld_set}]}, - "web_ref_root": {to:[{field: "rsa.web.web_ref_root", setter: fld_set}]}, - "wifi_channel": {convert: to_long, to:[{field: "rsa.wireless.wlan_channel", setter: fld_set}]}, - "wlan": {to:[{field: "rsa.wireless.wlan_name", setter: fld_set}]}, - "word": {to:[{field: "rsa.internal.word", setter: fld_set}]}, - "workspace_desc": {to:[{field: "rsa.misc.workspace", setter: fld_set}]}, - "workstation": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "year": {to:[{field: "rsa.time.year", setter: fld_set}]}, - "zone": {to:[{field: "rsa.network.zone", setter: fld_set}]}, - }; - - function to_date(value) { - switch (typeof (value)) { - case "object": - // This is a Date. But as it was obtained from evt.Get(), the VM - // doesn't see it as a JS Date anymore, thus value instanceof Date === false. - // Have to trust that any object here is a valid Date for Go. - return value; - case "string": - var asDate = new Date(value); - if (!isNaN(asDate)) return asDate; - } - } - - // ECMAScript 5.1 doesn't have Object.MAX_SAFE_INTEGER / Object.MIN_SAFE_INTEGER. - var maxSafeInt = Math.pow(2, 53) - 1; - var minSafeInt = -maxSafeInt; - - function to_long(value) { - var num = parseInt(value); - // Better not to index a number if it's not safe (above 53 bits). - return !isNaN(num) && minSafeInt <= num && num <= maxSafeInt ? 
num : undefined; - } - - function to_ip(value) { - if (value.indexOf(":") === -1) - return to_ipv4(value); - return to_ipv6(value); - } - - var ipv4_regex = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/; - var ipv6_hex_regex = /^[0-9A-Fa-f]{1,4}$/; - - function to_ipv4(value) { - var result = ipv4_regex.exec(value); - if (result == null || result.length !== 5) return; - for (var i = 1; i < 5; i++) { - var num = strictToInt(result[i]); - if (isNaN(num) || num < 0 || num > 255) return; - } - return value; - } - - function to_ipv6(value) { - var sqEnd = value.indexOf("]"); - if (sqEnd > -1) { - if (value.charAt(0) !== "[") return; - value = value.substr(1, sqEnd - 1); - } - var zoneOffset = value.indexOf("%"); - if (zoneOffset > -1) { - value = value.substr(0, zoneOffset); - } - var parts = value.split(":"); - if (parts == null || parts.length < 3 || parts.length > 8) return; - var numEmpty = 0; - var innerEmpty = 0; - for (var i = 0; i < parts.length; i++) { - if (parts[i].length === 0) { - numEmpty++; - if (i > 0 && i + 1 < parts.length) innerEmpty++; - } else if (!parts[i].match(ipv6_hex_regex) && - // Accept an IPv6 with a valid IPv4 at the end. - ((i + 1 < parts.length) || !to_ipv4(parts[i]))) { - return; - } - } - return innerEmpty === 0 && parts.length === 8 || innerEmpty === 1 ? value : undefined; - } - - function to_double(value) { - return parseFloat(value); - } - - function to_mac(value) { - // ES doesn't have a mac datatype so it's safe to ingest whatever was captured. - return value; - } - - function to_lowercase(value) { - // to_lowercase is used against keyword fields, which can accept - // any other type (numbers, dates). - return typeof(value) === "string"? 
value.toLowerCase() : value; - } - - function fld_set(dst, value) { - dst[this.field] = { v: value }; - } - - function fld_append(dst, value) { - if (dst[this.field] === undefined) { - dst[this.field] = { v: [value] }; - } else { - var base = dst[this.field]; - if (base.v.indexOf(value)===-1) base.v.push(value); - } - } - - function fld_prio(dst, value) { - if (dst[this.field] === undefined) { - dst[this.field] = { v: value, prio: this.prio}; - } else if(this.prio < dst[this.field].prio) { - dst[this.field].v = value; - dst[this.field].prio = this.prio; - } - } - - var valid_ecs_outcome = { - 'failure': true, - 'success': true, - 'unknown': true - }; - - function fld_ecs_outcome(dst, value) { - value = value.toLowerCase(); - if (valid_ecs_outcome[value] === undefined) { - value = 'unknown'; - } - if (dst[this.field] === undefined) { - dst[this.field] = { v: value }; - } else if (dst[this.field].v === 'unknown') { - dst[this.field] = { v: value }; - } - } - - function map_all(evt, targets, value) { - for (var i = 0; i < targets.length; i++) { - evt.Put(targets[i], value); - } - } - - function populate_fields(evt) { - var base = evt.Get(FIELDS_OBJECT); - if (base === null) return; - alternate_datetime(evt); - if (map_ecs) { - do_populate(evt, base, ecs_mappings); - } - if (map_rsa) { - do_populate(evt, base, rsa_mappings); - } - if (keep_raw) { - evt.Put("rsa.raw", base); - } - evt.Delete(FIELDS_OBJECT); - } - - var datetime_alt_components = [ - {field: "day", fmts: [[dF]]}, - {field: "year", fmts: [[dW]]}, - {field: "month", fmts: [[dB],[dG]]}, - {field: "date", fmts: [[dW,dSkip,dG,dSkip,dF],[dW,dSkip,dB,dSkip,dF],[dW,dSkip,dR,dSkip,dF]]}, - {field: "hour", fmts: [[dN]]}, - {field: "min", fmts: [[dU]]}, - {field: "secs", fmts: [[dO]]}, - {field: "time", fmts: [[dN, dSkip, dU, dSkip, dO]]}, - ]; - - function alternate_datetime(evt) { - if (evt.Get(FIELDS_PREFIX + "event_time") != null) { - return; - } - var tzOffset = tz_offset; - if (tzOffset === "event") { - 
tzOffset = evt.Get("event.timezone"); - } - var container = new DateContainer(tzOffset); - for (var i=0; i} %{fld2->} %{fld3->} %{hostname->} proto=%{protocol->} service=%{network_service->} status=deny src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport->} server_app=%{fld12->} pid=%{process_id->} app_name=%{fld14->} traff_direct=%{direction->} block_count=%{dclass_counter1->} logon_user=%{username}@%{domain->} msg=%{result}", processor_chain([ - dup3, - dup4, - dup5, - dup6, - dup7, - dup2, - dup8, - ])); - - var hdr1 = match("HEADER#0:0001", "message", "%{hmonth->} %{hday->} %{htime->} %{hhostname->} proto=%{hprotocol->} service=%{messageid->} status=%{haction->} src=%{hsaddr->} dst=%{hdaddr->} src_port=%{hsport->} dst_port=%{hdport->} %{p0}", processor_chain([ - setc("header_id","0001"), - call({ - dest: "nwparser.payload", - fn: STRCAT, - args: [ - field("hmonth"), - constant(" "), - field("hday"), - constant(" "), - field("htime"), - constant(" "), - field("hhostname"), - constant(" proto="), - field("hprotocol"), - constant(" service="), - field("messageid"), - constant(" status="), - field("haction"), - constant(" src="), - field("hsaddr"), - constant(" dst="), - field("hdaddr"), - constant(" src_port="), - field("hsport"), - constant(" dst_port="), - field("hdport"), - constant(" "), - field("p0"), - ], - }), - ])); - - var hdr2 = match("HEADER#1:0003", "message", "%{hmonth->} %{hday->} %{htime->} %{hhostname->} (%{messageid->} %{hfld5->} times in last %{hfld6}) %{hfld7->} %{hfld8}::%{p0}", processor_chain([ - setc("header_id","0003"), - call({ - dest: "nwparser.payload", - fn: STRCAT, - args: [ - field("hmonth"), - constant(" "), - field("hday"), - constant(" "), - field("htime"), - constant(" "), - field("hhostname"), - constant(" ("), - field("messageid"), - constant(" "), - field("hfld5"), - constant(" times in last "), - field("hfld6"), - constant(") "), - field("hfld7"), - constant(" "), - field("hfld8"), - constant("::"), - 
field("p0"), - ], - }), - ])); - - var hdr3 = match("HEADER#2:0002", "message", "%{hmonth->} %{hday->} %{htime->} %{hhostname->} %{messageid->} %{hfld5}::%{p0}", processor_chain([ - setc("header_id","0002"), - call({ - dest: "nwparser.payload", - fn: STRCAT, - args: [ - field("hmonth"), - constant(" "), - field("hday"), - constant(" "), - field("htime"), - constant(" "), - field("hhostname"), - constant(" "), - field("messageid"), - constant(" "), - field("hfld5"), - constant("::"), - field("p0"), - ], - }), - ])); - - var select1 = linear_select([ - hdr1, - hdr2, - hdr3, - ]); - - var part1 = match("MESSAGE#0:enter", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{hostname->} enter %{info}", processor_chain([ - dup1, - dup2, - ])); - - var msg1 = msg("enter", part1); - - var part2 = match("MESSAGE#1:repeated", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{hostname->} (repeated %{fld5->} times in last %{fld6}) enter %{info}", processor_chain([ - dup1, - dup2, - ])); - - var msg2 = msg("repeated", part2); - - var msg3 = msg("ms-wbt-server", dup9); - - var msg4 = msg("http", dup9); - - var msg5 = msg("https", dup9); - - var msg6 = msg("smtp", dup9); - - var msg7 = msg("pop3", dup9); - - var chain1 = processor_chain([ - select1, - msgid_select({ - "enter": msg1, - "http": msg4, - "https": msg5, - "ms-wbt-server": msg3, - "pop3": msg7, - "repeated": msg2, - "smtp": msg6, - }), - ]); - - var part3 = match("MESSAGE#2:ms-wbt-server", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{hostname->} proto=%{protocol->} service=%{network_service->} status=deny src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport->} server_app=%{fld12->} pid=%{process_id->} app_name=%{fld14->} traff_direct=%{direction->} block_count=%{dclass_counter1->} logon_user=%{username}@%{domain->} msg=%{result}", processor_chain([ - dup3, - dup4, - dup5, - dup6, - dup7, - dup2, - dup8, - ])); - -- community_id: -- registered_domain: - ignore_missing: true - ignore_failure: 
true - field: dns.question.name - target_field: dns.question.registered_domain - target_subdomain_field: dns.question.subdomain - target_etld_field: dns.question.top_level_domain -- registered_domain: - ignore_missing: true - ignore_failure: true - field: client.domain - target_field: client.registered_domain - target_subdomain_field: client.subdomain - target_etld_field: client.top_level_domain -- registered_domain: - ignore_missing: true - ignore_failure: true - field: server.domain - target_field: server.registered_domain - target_subdomain_field: server.subdomain - target_etld_field: server.top_level_domain -- registered_domain: - ignore_missing: true - ignore_failure: true - field: destination.domain - target_field: destination.registered_domain - target_subdomain_field: destination.subdomain - target_etld_field: destination.top_level_domain -- registered_domain: - ignore_missing: true - ignore_failure: true - field: source.domain - target_field: source.registered_domain - target_subdomain_field: source.subdomain - target_etld_field: source.top_level_domain -- registered_domain: - ignore_missing: true - ignore_failure: true - field: url.domain - target_field: url.registered_domain - target_subdomain_field: url.subdomain - target_etld_field: url.top_level_domain -- add_locale: ~ diff --git a/packages/fortinet_forticlient/1.1.2/data_stream/log/agent/stream/tcp.yml.hbs b/packages/fortinet_forticlient/1.1.2/data_stream/log/agent/stream/tcp.yml.hbs deleted file mode 100755 index 8b125a6554..0000000000 --- a/packages/fortinet_forticlient/1.1.2/data_stream/log/agent/stream/tcp.yml.hbs +++ /dev/null 
@@ -1,2765 +0,0 @@ -tcp: -host: "{{tcp_host}}:{{tcp_port}}" -tags: -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#each tags as |tag i|}} - - {{tag}} -{{/each}} -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} -processors: -{{#if processors}} -{{processors}} -{{/if}} -- script: - lang: javascript - params: - ecs: true - rsa: {{rsa_fields}} - tz_offset: {{tz_offset}} - keep_raw: {{keep_raw_fields}} - debug: {{debug}} - source: | - // Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - // or more contributor license agreements. Licensed under the Elastic License; - // you may not use this file except in compliance with the Elastic License. - - /* jshint -W014,-W016,-W097,-W116 */ - - var processor = require("processor"); - var console = require("console"); - - var FLAG_FIELD = "log.flags"; - var FIELDS_OBJECT = "nwparser"; - var FIELDS_PREFIX = FIELDS_OBJECT + "."; - - var defaults = { - debug: false, - ecs: true, - rsa: false, - keep_raw: false, - tz_offset: "local", - strip_priority: true - }; - - var saved_flags = null; - var debug; - var map_ecs; - var map_rsa; - var keep_raw; - var device; - var tz_offset; - var strip_priority; - - // Register params from configuration. - function register(params) { - debug = params.debug !== undefined ? params.debug : defaults.debug; - map_ecs = params.ecs !== undefined ? params.ecs : defaults.ecs; - map_rsa = params.rsa !== undefined ? params.rsa : defaults.rsa; - keep_raw = params.keep_raw !== undefined ? params.keep_raw : defaults.keep_raw; - tz_offset = parse_tz_offset(params.tz_offset !== undefined? params.tz_offset : defaults.tz_offset); - strip_priority = params.strip_priority !== undefined? params.strip_priority : defaults.strip_priority; - device = new DeviceProcessor(); - } - - function parse_tz_offset(offset) { - var date; - var m; - switch(offset) { - // local uses the tz offset from the JS VM. 
- case "local": - date = new Date(); - // Reversing the sign as we the offset from UTC, not to UTC. - return parse_local_tz_offset(-date.getTimezoneOffset()); - // event uses the tz offset from event.timezone (add_locale processor). - case "event": - return offset; - // Otherwise a tz offset in the form "[+-][0-9]{4}" is required. - default: - m = offset.match(/^([+\-])([0-9]{2}):?([0-9]{2})?$/); - if (m === null || m.length !== 4) { - throw("bad timezone offset: '" + offset + "'. Must have the form +HH:MM"); - } - return m[1] + m[2] + ":" + (m[3]!==undefined? m[3] : "00"); - } - } - - function parse_local_tz_offset(minutes) { - var neg = minutes < 0; - minutes = Math.abs(minutes); - var min = minutes % 60; - var hours = Math.floor(minutes / 60); - var pad2digit = function(n) { - if (n < 10) { return "0" + n;} - return "" + n; - }; - return (neg? "-" : "+") + pad2digit(hours) + ":" + pad2digit(min); - } - - function process(evt) { - // Function register is only called by the processor when `params` are set - // in the processor config. - if (device === undefined) { - register(defaults); - } - return device.process(evt); - } - - function processor_chain(subprocessors) { - var builder = new processor.Chain(); - subprocessors.forEach(builder.Add); - return builder.Build().Run; - } - - function linear_select(subprocessors) { - return function (evt) { - var flags = evt.Get(FLAG_FIELD); - var i; - for (i = 0; i < subprocessors.length; i++) { - evt.Delete(FLAG_FIELD); - if (debug) console.warn("linear_select trying entry " + i); - subprocessors[i](evt); - // Dissect processor succeeded? 
- if (evt.Get(FLAG_FIELD) == null) break; - if (debug) console.warn("linear_select failed entry " + i); - } - if (flags !== null) { - evt.Put(FLAG_FIELD, flags); - } - if (debug) { - if (i < subprocessors.length) { - console.warn("linear_select matched entry " + i); - } else { - console.warn("linear_select didn't match"); - } - } - }; - } - - function conditional(opt) { - return function(evt) { - if (opt.if(evt)) { - opt.then(evt); - } else if (opt.else) { - opt.else(evt); - } - }; - } - - var strip_syslog_priority = (function() { - var isEnabled = function() { return strip_priority === true; }; - var fetchPRI = field("_pri"); - var fetchPayload = field("payload"); - var removePayload = remove(["payload"]); - var cleanup = remove(["_pri", "payload"]); - var onMatch = function(evt) { - var pri, priStr = fetchPRI(evt); - if (priStr != null - && 0 < priStr.length && priStr.length < 4 - && !isNaN((pri = Number(priStr))) - && 0 <= pri && pri < 192) { - var severity = pri & 7, - facility = pri >> 3; - setc("_severity", "" + severity)(evt); - setc("_facility", "" + facility)(evt); - // Replace message with priority stripped. - evt.Put("message", fetchPayload(evt)); - removePayload(evt); - } else { - // not a valid syslog PRI, cleanup. 
- cleanup(evt); - } - }; - return conditional({ - if: isEnabled, - then: cleanup_flags(match( - "STRIP_PRI", - "message", - "<%{_pri}>%{payload}", - onMatch - )) - }); - })(); - - function match(id, src, pattern, on_success) { - var dissect = new processor.Dissect({ - field: src, - tokenizer: pattern, - target_prefix: FIELDS_OBJECT, - ignore_failure: true, - overwrite_keys: true, - trim_values: "right" - }); - return function (evt) { - var msg = evt.Get(src); - dissect.Run(evt); - var failed = evt.Get(FLAG_FIELD) != null; - if (debug) { - if (failed) { - console.debug("dissect fail: " + id + " field:" + src); - } else { - console.debug("dissect OK: " + id + " field:" + src); - } - console.debug(" expr: <<" + pattern + ">>"); - console.debug(" input: <<" + msg + ">>"); - } - if (on_success != null && !failed) { - on_success(evt); - } - }; - } - - function match_copy(id, src, dst, on_success) { - dst = FIELDS_PREFIX + dst; - if (dst === FIELDS_PREFIX || dst === src) { - return function (evt) { - if (debug) { - console.debug("noop OK: " + id + " field:" + src); - console.debug(" input: <<" + evt.Get(src) + ">>"); - } - if (on_success != null) on_success(evt); - } - } - return function (evt) { - var msg = evt.Get(src); - evt.Put(dst, msg); - if (debug) { - console.debug("copy OK: " + id + " field:" + src); - console.debug(" target: '" + dst + "'"); - console.debug(" input: <<" + msg + ">>"); - } - if (on_success != null) on_success(evt); - } - } - - function cleanup_flags(processor) { - return function(evt) { - processor(evt); - evt.Delete(FLAG_FIELD); - }; - } - - function all_match(opts) { - return function (evt) { - var i; - for (i = 0; i < opts.processors.length; i++) { - evt.Delete(FLAG_FIELD); - opts.processors[i](evt); - // Dissect processor succeeded? 
- if (evt.Get(FLAG_FIELD) != null) { - if (debug) console.warn("all_match failure at " + i); - if (opts.on_failure != null) opts.on_failure(evt); - return; - } - if (debug) console.warn("all_match success at " + i); - } - if (opts.on_success != null) opts.on_success(evt); - }; - } - - function msgid_select(mapping) { - return function (evt) { - var msgid = evt.Get(FIELDS_PREFIX + "messageid"); - if (msgid == null) { - if (debug) console.warn("msgid_select: no messageid captured!"); - return; - } - var next = mapping[msgid]; - if (next === undefined) { - if (debug) console.warn("msgid_select: no mapping for messageid:" + msgid); - return; - } - if (debug) console.info("msgid_select: matched key=" + msgid); - return next(evt); - }; - } - - function msg(msg_id, match) { - return function (evt) { - match(evt); - if (evt.Get(FLAG_FIELD) == null) { - evt.Put(FIELDS_PREFIX + "msg_id1", msg_id); - } - }; - } - - var start; - - function save_flags(evt) { - saved_flags = evt.Get(FLAG_FIELD); - evt.Put("event.original", evt.Get("message")); - } - - function restore_flags(evt) { - if (saved_flags !== null) { - evt.Put(FLAG_FIELD, saved_flags); - } - evt.Delete("message"); - } - - function constant(value) { - return function (evt) { - return value; - }; - } - - function field(name) { - var fullname = FIELDS_PREFIX + name; - return function (evt) { - return evt.Get(fullname); - }; - } - - function STRCAT(args) { - var s = ""; - var i; - for (i = 0; i < args.length; i++) { - s += args[i]; - } - return s; - } - - // TODO: Implement - function DIRCHK(args) { - unimplemented("DIRCHK"); - } - - function strictToInt(str) { - return str * 1; - } - - function CALC(args) { - if (args.length !== 3) { - console.warn("skipped call to CALC with " + args.length + " arguments."); - return; - } - var a = strictToInt(args[0]); - var b = strictToInt(args[2]); - if (isNaN(a) || isNaN(b)) { - console.warn("failed evaluating CALC arguments a='" + args[0] + "' b='" + args[2] + "'."); - return; - } - 
var result; - switch (args[1]) { - case "+": - result = a + b; - break; - case "-": - result = a - b; - break; - case "*": - result = a * b; - break; - default: - // Only * and + seen in the parsers. - console.warn("unknown CALC operation '" + args[1] + "'."); - return; - } - // Always return a string - return result !== undefined ? "" + result : result; - } - - var quoteChars = "\"'`"; - function RMQ(args) { - if(args.length !== 1) { - console.warn("RMQ: only one argument expected"); - return; - } - var value = args[0].trim(); - var n = value.length; - var char; - return n > 1 - && (char=value.charAt(0)) === value.charAt(n-1) - && quoteChars.indexOf(char) !== -1? - value.substr(1, n-2) - : value; - } - - function call(opts) { - var args = new Array(opts.args.length); - return function (evt) { - for (var i = 0; i < opts.args.length; i++) - if ((args[i] = opts.args[i](evt)) == null) return; - var result = opts.fn(args); - if (result != null) { - evt.Put(opts.dest, result); - } - }; - } - - function nop(evt) { - } - - function appendErrorMsg(evt, msg) { - var value = evt.Get("error.message"); - if (value == null) { - value = [msg]; - } else if (msg instanceof Array) { - value.push(msg); - } else { - value = [value, msg]; - } - evt.Put("error.message", value); - } - - function unimplemented(name) { - appendErrorMsg("unimplemented feature: " + name); - } - - function lookup(opts) { - return function (evt) { - var key = opts.key(evt); - if (key == null) return; - var value = opts.map.keyvaluepairs[key]; - if (value === undefined) { - value = opts.map.default; - } - if (value !== undefined) { - evt.Put(opts.dest, value(evt)); - } - }; - } - - function set(fields) { - return new processor.AddFields({ - target: FIELDS_OBJECT, - fields: fields, - }); - } - - function setf(dst, src) { - return function (evt) { - var val = evt.Get(FIELDS_PREFIX + src); - if (val != null) evt.Put(FIELDS_PREFIX + dst, val); - }; - } - - function setc(dst, value) { - return function (evt) { - 
evt.Put(FIELDS_PREFIX + dst, value); - }; - } - - function set_field(opts) { - return function (evt) { - var val = opts.value(evt); - if (val != null) evt.Put(opts.dest, val); - }; - } - - function dump(label) { - return function (evt) { - console.log("Dump of event at " + label + ": " + JSON.stringify(evt, null, "\t")); - }; - } - - function date_time_join_args(evt, arglist) { - var str = ""; - for (var i = 0; i < arglist.length; i++) { - var fname = FIELDS_PREFIX + arglist[i]; - var val = evt.Get(fname); - if (val != null) { - if (str !== "") str += " "; - str += val; - } else { - if (debug) console.warn("in date_time: input arg " + fname + " is not set"); - } - } - return str; - } - - function to2Digit(num) { - return num? (num < 10? "0" + num : num) : "00"; - } - - // Make two-digit dates 00-69 interpreted as 2000-2069 - // and dates 70-99 translated to 1970-1999. - var twoDigitYearEpoch = 70; - var twoDigitYearCentury = 2000; - - // This is to accept dates up to 2 days in the future, only used when - // no year is specified in a date. 2 days should be enough to account for - // time differences between systems and different tz offsets. - var maxFutureDelta = 2*24*60*60*1000; - - // DateContainer stores date fields and then converts those fields into - // a Date. Necessary because building a Date using its set() methods gives - // different results depending on the order of components. - function DateContainer(tzOffset) { - this.offset = tzOffset === undefined? "Z" : tzOffset; - } - - DateContainer.prototype = { - setYear: function(v) {this.year = v;}, - setMonth: function(v) {this.month = v;}, - setDay: function(v) {this.day = v;}, - setHours: function(v) {this.hours = v;}, - setMinutes: function(v) {this.minutes = v;}, - setSeconds: function(v) {this.seconds = v;}, - - setUNIX: function(v) {this.unix = v;}, - - set2DigitYear: function(v) { - this.year = v < twoDigitYearEpoch? 
twoDigitYearCentury + v : twoDigitYearCentury + v - 100; - }, - - toDate: function() { - if (this.unix !== undefined) { - return new Date(this.unix * 1000); - } - if (this.day === undefined || this.month === undefined) { - // Can't make a date from this. - return undefined; - } - if (this.year === undefined) { - // A date without a year. Set current year, or previous year - // if date would be in the future. - var now = new Date(); - this.year = now.getFullYear(); - var date = this.toDate(); - if (date.getTime() - now.getTime() > maxFutureDelta) { - date.setFullYear(now.getFullYear() - 1); - } - return date; - } - var MM = to2Digit(this.month); - var DD = to2Digit(this.day); - var hh = to2Digit(this.hours); - var mm = to2Digit(this.minutes); - var ss = to2Digit(this.seconds); - return new Date(this.year + "-" + MM + "-" + DD + "T" + hh + ":" + mm + ":" + ss + this.offset); - } - } - - function date_time_try_pattern(fmt, str, tzOffset) { - var date = new DateContainer(tzOffset); - var pos = date_time_try_pattern_at_pos(fmt, str, 0, date); - return pos !== undefined? 
date.toDate() : undefined; - } - - function date_time_try_pattern_at_pos(fmt, str, pos, date) { - var len = str.length; - for (var proc = 0; pos !== undefined && pos < len && proc < fmt.length; proc++) { - pos = fmt[proc](str, pos, date); - } - return pos; - } - - function date_time(opts) { - return function (evt) { - var tzOffset = opts.tz || tz_offset; - if (tzOffset === "event") { - tzOffset = evt.Get("event.timezone"); - } - var str = date_time_join_args(evt, opts.args); - for (var i = 0; i < opts.fmts.length; i++) { - var date = date_time_try_pattern(opts.fmts[i], str, tzOffset); - if (date !== undefined) { - evt.Put(FIELDS_PREFIX + opts.dest, date); - return; - } - } - if (debug) console.warn("in date_time: id=" + opts.id + " FAILED: " + str); - }; - } - - var uA = 60 * 60 * 24; - var uD = 60 * 60 * 24; - var uF = 60 * 60; - var uG = 60 * 60 * 24 * 30; - var uH = 60 * 60; - var uI = 60 * 60; - var uJ = 60 * 60 * 24; - var uM = 60 * 60 * 24 * 30; - var uN = 60 * 60; - var uO = 1; - var uS = 1; - var uT = 60; - var uU = 60; - var uc = dc; - - function duration(opts) { - return function(evt) { - var str = date_time_join_args(evt, opts.args); - for (var i = 0; i < opts.fmts.length; i++) { - var seconds = duration_try_pattern(opts.fmts[i], str); - if (seconds !== undefined) { - evt.Put(FIELDS_PREFIX + opts.dest, seconds); - return; - } - } - if (debug) console.warn("in duration: id=" + opts.id + " (s) FAILED: " + str); - }; - } - - function duration_try_pattern(fmt, str) { - var secs = 0; - var pos = 0; - for (var i=0; i [ month_id , how many chars to skip if month in long form ] - "Jan": [0, 4], - "Feb": [1, 5], - "Mar": [2, 2], - "Apr": [3, 2], - "May": [4, 0], - "Jun": [5, 1], - "Jul": [6, 1], - "Aug": [7, 3], - "Sep": [8, 6], - "Oct": [9, 4], - "Nov": [10, 5], - "Dec": [11, 4], - "jan": [0, 4], - "feb": [1, 5], - "mar": [2, 2], - "apr": [3, 2], - "may": [4, 0], - "jun": [5, 1], - "jul": [6, 1], - "aug": [7, 3], - "sep": [8, 6], - "oct": [9, 4], - "nov": [10, 
5], - "dec": [11, 4], - }; - - // var dC = undefined; - var dR = dateMonthName(true); - var dB = dateMonthName(false); - var dM = dateFixedWidthNumber("M", 2, 1, 12, DateContainer.prototype.setMonth); - var dG = dateVariableWidthNumber("G", 1, 12, DateContainer.prototype.setMonth); - var dD = dateFixedWidthNumber("D", 2, 1, 31, DateContainer.prototype.setDay); - var dF = dateVariableWidthNumber("F", 1, 31, DateContainer.prototype.setDay); - var dH = dateFixedWidthNumber("H", 2, 0, 24, DateContainer.prototype.setHours); - var dI = dateVariableWidthNumber("I", 0, 24, DateContainer.prototype.setHours); // Accept hours >12 - var dN = dateVariableWidthNumber("N", 0, 24, DateContainer.prototype.setHours); - var dT = dateFixedWidthNumber("T", 2, 0, 59, DateContainer.prototype.setMinutes); - var dU = dateVariableWidthNumber("U", 0, 59, DateContainer.prototype.setMinutes); - var dP = parseAMPM; // AM|PM - var dQ = parseAMPM; // A.M.|P.M - var dS = dateFixedWidthNumber("S", 2, 0, 60, DateContainer.prototype.setSeconds); - var dO = dateVariableWidthNumber("O", 0, 60, DateContainer.prototype.setSeconds); - var dY = dateFixedWidthNumber("Y", 2, 0, 99, DateContainer.prototype.set2DigitYear); - var dW = dateFixedWidthNumber("W", 4, 1000, 9999, DateContainer.prototype.setYear); - var dZ = parseHMS; - var dX = dateVariableWidthNumber("X", 0, 0x10000000000, DateContainer.prototype.setUNIX); - - // parseAMPM parses "A.M", "AM", "P.M", "PM" from logs. - // Only works if this modifier appears after the hour has been read from logs - // which is always the case in the 300 devices. 
- function parseAMPM(str, pos, date) { - var n = str.length; - var start = skipws(str, pos); - if (start + 2 > n) return; - var head = str.substr(start, 2).toUpperCase(); - var isPM = false; - var skip = false; - switch (head) { - case "A.": - skip = true; - /* falls through */ - case "AM": - break; - case "P.": - skip = true; - /* falls through */ - case "PM": - isPM = true; - break; - default: - if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(head:" + head + ")"); - return; - } - pos = start + 2; - if (skip) { - if (pos+2 > n || str.substr(pos, 2).toUpperCase() !== "M.") { - if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(tail)"); - return; - } - pos += 2; - } - var hh = date.hours; - if (isPM) { - // Accept existing hour in 24h format. - if (hh < 12) hh += 12; - } else { - if (hh === 12) hh = 0; - } - date.setHours(hh); - return pos; - } - - function parseHMS(str, pos, date) { - return date_time_try_pattern_at_pos([dN, dc(":"), dU, dc(":"), dO], str, pos, date); - } - - function skipws(str, pos) { - for ( var n = str.length; - pos < n && str.charAt(pos) === " "; - pos++) - ; - return pos; - } - - function skipdigits(str, pos) { - var c; - for (var n = str.length; - pos < n && (c = str.charAt(pos)) >= "0" && c <= "9"; - pos++) - ; - return pos; - } - - function dSkip(str, pos, date) { - var chr; - for (;pos < str.length && (chr=str[pos])<'0' || chr>'9'; pos++) {} - return pos < str.length? 
pos : undefined; - } - - function dateVariableWidthNumber(fmtChar, min, max, setter) { - return function (str, pos, date) { - var start = skipws(str, pos); - pos = skipdigits(str, start); - var s = str.substr(start, pos - start); - var value = parseInt(s, 10); - if (value >= min && value <= max) { - setter.call(date, value); - return pos; - } - return; - }; - } - - function dateFixedWidthNumber(fmtChar, width, min, max, setter) { - return function (str, pos, date) { - pos = skipws(str, pos); - var n = str.length; - if (pos + width > n) return; - var s = str.substr(pos, width); - var value = parseInt(s, 10); - if (value >= min && value <= max) { - setter.call(date, value); - return pos + width; - } - return; - }; - } - - // Short month name (Jan..Dec). - function dateMonthName(long) { - return function (str, pos, date) { - pos = skipws(str, pos); - var n = str.length; - if (pos + 3 > n) return; - var mon = str.substr(pos, 3); - var idx = shortMonths[mon]; - if (idx === undefined) { - idx = shortMonths[mon.toLowerCase()]; - } - if (idx === undefined) { - //console.warn("parsing date_time: '" + mon + "' is not a valid short month (%B)"); - return; - } - date.setMonth(idx[0]+1); - return pos + 3 + (long ? 
idx[1] : 0); - }; - } - - function url_wrapper(dst, src, fn) { - return function(evt) { - var value = evt.Get(FIELDS_PREFIX + src), result; - if (value != null && (result = fn(value))!== undefined) { - evt.Put(FIELDS_PREFIX + dst, result); - } else { - console.debug(fn.name + " failed for '" + value + "'"); - } - }; - } - - // The following regular expression for parsing URLs from: - // https://github.com/wizard04wsu/URI_Parsing - // - // The MIT License (MIT) - // - // Copyright (c) 2014 Andrew Harrison - // - // Permission is hereby granted, free of charge, to any person obtaining a copy of - // this software and associated documentation files (the "Software"), to deal in - // the Software without restriction, including without limitation the rights to - // use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of - // the Software, and to permit persons to whom the Software is furnished to do so, - // subject to the following conditions: - // - // The above copyright notice and this permission notice shall be included in all - // copies or substantial portions of the Software. - // - // THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR - // IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS - // FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR - // COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER - // IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN - // CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 
- var uriRegExp = /^([a-z][a-z0-9+.\-]*):(?:\/\/((?:(?=((?:[a-z0-9\-._~!$&'()*+,;=:]|%[0-9A-F]{2})*))(\3)@)?(?=(\[[0-9A-F:.]{2,}\]|(?:[a-z0-9\-._~!$&'()*+,;=]|%[0-9A-F]{2})*))\5(?::(?=(\d*))\6)?)(\/(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\8)?|(\/?(?!\/)(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\10)?)(?:\?(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\11)?(?:#(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\12)?$/i; - - var uriScheme = 1; - var uriDomain = 5; - var uriPort = 6; - var uriPath = 7; - var uriPathAlt = 9; - var uriQuery = 11; - - function domain(dst, src) { - return url_wrapper(dst, src, extract_domain); - } - - function split_url(value) { - var m = value.match(uriRegExp); - if (m && m[uriDomain]) return m; - // Support input in the form "www.example.net/path", but not "/path". - m = ("null://" + value).match(uriRegExp); - if (m) return m; - } - - function extract_domain(value) { - var m = split_url(value); - if (m && m[uriDomain]) return m[uriDomain]; - } - - var extFromPage = /\.[^.]+$/; - function extract_ext(value) { - var page = extract_page(value); - if (page) { - var m = page.match(extFromPage); - if (m) return m[0]; - } - } - - function ext(dst, src) { - return url_wrapper(dst, src, extract_ext); - } - - function fqdn(dst, src) { - // TODO: fqdn and domain(eTLD+1) are currently the same. - return domain(dst, src); - } - - var pageFromPathRegExp = /\/([^\/]+)$/; - var pageName = 1; - - function extract_page(value) { - value = extract_path(value); - if (!value) return undefined; - var m = value.match(pageFromPathRegExp); - if (m) return m[pageName]; - } - - function page(dst, src) { - return url_wrapper(dst, src, extract_page); - } - - function extract_path(value) { - var m = split_url(value); - return m? m[uriPath] || m[uriPathAlt] : undefined; - } - - function path(dst, src) { - return url_wrapper(dst, src, extract_path); - } - - // Map common schemes to their default port. 
- // port has to be a string (will be converted at a later stage). - var schemePort = { - "ftp": "21", - "ssh": "22", - "http": "80", - "https": "443", - }; - - function extract_port(value) { - var m = split_url(value); - if (!m) return undefined; - if (m[uriPort]) return m[uriPort]; - if (m[uriScheme]) { - return schemePort[m[uriScheme]]; - } - } - - function port(dst, src) { - return url_wrapper(dst, src, extract_port); - } - - function extract_query(value) { - var m = split_url(value); - if (m && m[uriQuery]) return m[uriQuery]; - } - - function query(dst, src) { - return url_wrapper(dst, src, extract_query); - } - - function extract_root(value) { - var m = split_url(value); - if (m && m[uriDomain] && m[uriDomain]) { - var scheme = m[uriScheme] && m[uriScheme] !== "null"? - m[uriScheme] + "://" : ""; - var port = m[uriPort]? ":" + m[uriPort] : ""; - return scheme + m[uriDomain] + port; - } - } - - function root(dst, src) { - return url_wrapper(dst, src, extract_root); - } - - function tagval(id, src, cfg, keys, on_success) { - var fail = function(evt) { - evt.Put(FLAG_FIELD, "tagval_parsing_error"); - } - if (cfg.kv_separator.length !== 1) { - throw("Invalid TAGVALMAP ValueDelimiter (must have 1 character)"); - } - var quotes_len = cfg.open_quote.length > 0 && cfg.close_quote.length > 0? 
- cfg.open_quote.length + cfg.close_quote.length : 0; - var kv_regex = new RegExp('^([^' + cfg.kv_separator + ']*)*' + cfg.kv_separator + ' *(.*)*$'); - return function(evt) { - var msg = evt.Get(src); - if (msg === undefined) { - console.warn("tagval: input field is missing"); - return fail(evt); - } - var pairs = msg.split(cfg.pair_separator); - var i; - var success = false; - var prev = ""; - for (i=0; i 0 && - value.length >= cfg.open_quote.length + cfg.close_quote.length && - value.substr(0, cfg.open_quote.length) === cfg.open_quote && - value.substr(value.length - cfg.close_quote.length) === cfg.close_quote) { - value = value.substr(cfg.open_quote.length, value.length - quotes_len); - } - evt.Put(FIELDS_PREFIX + field, value); - success = true; - } - if (!success) { - return fail(evt); - } - if (on_success != null) { - on_success(evt); - } - } - } - - var ecs_mappings = { - "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]}, - "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]}, - "_severity": {convert: to_long, to:[{field: "log.syslog.severity.code", setter: fld_set}]}, - "action": {to:[{field: "event.action", setter: fld_prio, prio: 0}]}, - "administrator": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 4}]}, - "alias.ip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 3},{field: "related.ip", setter: fld_append}]}, - "alias.ipv6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 4},{field: "related.ip", setter: fld_append}]}, - "alias.mac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 1}]}, - "application": {to:[{field: "network.application", setter: fld_set}]}, - "bytes": {convert: to_long, to:[{field: "network.bytes", setter: fld_set}]}, - "c_domain": {to:[{field: "source.domain", setter: fld_prio, prio: 1}]}, - "c_logon_id": {to:[{field: "user.id", setter: fld_prio, prio: 2}]}, - 
"c_user_name": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 8}]}, - "c_username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 2}]}, - "cctld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 1}]}, - "child_pid": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 1}]}, - "child_pid_val": {to:[{field: "process.title", setter: fld_set}]}, - "child_process": {to:[{field: "process.name", setter: fld_prio, prio: 1}]}, - "city.dst": {to:[{field: "destination.geo.city_name", setter: fld_set}]}, - "city.src": {to:[{field: "source.geo.city_name", setter: fld_set}]}, - "daddr": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, - "daddr_v6": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, - "ddomain": {to:[{field: "destination.domain", setter: fld_prio, prio: 0}]}, - "devicehostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, - "devicehostmac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 0}]}, - "dhost": {to:[{field: "destination.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]}, - "dinterface": {to:[{field: "observer.egress.interface.name", setter: fld_set}]}, - "direction": {to:[{field: "network.direction", setter: fld_set}]}, - "directory": {to:[{field: "file.directory", setter: fld_set}]}, - "dmacaddr": {convert: to_mac, to:[{field: "destination.mac", setter: fld_set}]}, - "dns.responsetype": {to:[{field: "dns.answers.type", setter: fld_set}]}, - "dns.resptext": {to:[{field: "dns.answers.name", setter: fld_set}]}, - "dns_querytype": {to:[{field: "dns.question.type", setter: fld_set}]}, - "domain": {to:[{field: "server.domain", setter: fld_prio, prio: 0},{field: "related.hosts", setter: fld_append}]}, - 
"domain.dst": {to:[{field: "destination.domain", setter: fld_prio, prio: 1}]}, - "domain.src": {to:[{field: "source.domain", setter: fld_prio, prio: 2}]}, - "domain_id": {to:[{field: "user.domain", setter: fld_set}]}, - "domainname": {to:[{field: "server.domain", setter: fld_prio, prio: 1}]}, - "dport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 0}]}, - "dtransaddr": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, - "dtransport": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 0}]}, - "ec_outcome": {to:[{field: "event.outcome", setter: fld_ecs_outcome}]}, - "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]}, - "event_source": {to:[{field: "related.hosts", setter: fld_append}]}, - "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]}, - "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]}, - "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]}, - "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]}, - "filename": {to:[{field: "file.name", setter: fld_prio, prio: 0}]}, - "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]}, - "filepath": {to:[{field: "file.path", setter: fld_set}]}, - "filetype": {to:[{field: "file.type", setter: fld_set}]}, - "fqdn": {to:[{field: "related.hosts", setter: fld_append}]}, - "group": {to:[{field: "group.name", setter: fld_set}]}, - "groupid": {to:[{field: "group.id", setter: fld_set}]}, - "host": {to:[{field: "host.name", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]}, - "hostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, - "hostip_v6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, - "hostname": {to:[{field: 
"host.name", setter: fld_prio, prio: 0}]}, - "id": {to:[{field: "event.code", setter: fld_prio, prio: 0}]}, - "interface": {to:[{field: "network.interface.name", setter: fld_set}]}, - "ip.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, - "ip.trans.dst": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, - "ip.trans.src": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, - "ipv6.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, - "latdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lat", setter: fld_set}]}, - "latdec_src": {convert: to_double, to:[{field: "source.geo.location.lat", setter: fld_set}]}, - "location_city": {to:[{field: "geo.city_name", setter: fld_set}]}, - "location_country": {to:[{field: "geo.country_name", setter: fld_set}]}, - "location_desc": {to:[{field: "geo.name", setter: fld_set}]}, - "location_dst": {to:[{field: "destination.geo.country_name", setter: fld_set}]}, - "location_src": {to:[{field: "source.geo.country_name", setter: fld_set}]}, - "location_state": {to:[{field: "geo.region_name", setter: fld_set}]}, - "logon_id": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 5}]}, - "longdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lon", setter: fld_set}]}, - "longdec_src": {convert: to_double, to:[{field: "source.geo.location.lon", setter: fld_set}]}, - "macaddr": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 2}]}, - "messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]}, - "method": {to:[{field: "http.request.method", setter: fld_set}]}, - "msg": {to:[{field: "message", setter: fld_set}]}, - "orig_ip": {convert: to_ip, 
to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, - "owner": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 6}]}, - "packets": {convert: to_long, to:[{field: "network.packets", setter: fld_set}]}, - "parent_pid": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 0}]}, - "parent_pid_val": {to:[{field: "process.parent.title", setter: fld_set}]}, - "parent_process": {to:[{field: "process.parent.name", setter: fld_prio, prio: 0}]}, - "patient_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 1}]}, - "port.dst": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 1}]}, - "port.src": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 1}]}, - "port.trans.dst": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 1}]}, - "port.trans.src": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 1}]}, - "process": {to:[{field: "process.name", setter: fld_prio, prio: 0}]}, - "process_id": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 0}]}, - "process_id_src": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 1}]}, - "process_src": {to:[{field: "process.parent.name", setter: fld_prio, prio: 1}]}, - "product": {to:[{field: "observer.product", setter: fld_set}]}, - "protocol": {to:[{field: "network.protocol", setter: fld_set}]}, - "query": {to:[{field: "url.query", setter: fld_prio, prio: 2}]}, - "rbytes": {convert: to_long, to:[{field: "destination.bytes", setter: fld_set}]}, - "referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 1}]}, - "rulename": {to:[{field: "rule.name", setter: fld_set}]}, - "saddr": {convert: to_ip, to:[{field: "source.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, - "saddr_v6": {convert: to_ip, to:[{field: "source.ip", setter: 
fld_set},{field: "related.ip", setter: fld_append}]}, - "sbytes": {convert: to_long, to:[{field: "source.bytes", setter: fld_set}]}, - "sdomain": {to:[{field: "source.domain", setter: fld_prio, prio: 0}]}, - "service": {to:[{field: "service.name", setter: fld_prio, prio: 1}]}, - "service.name": {to:[{field: "service.name", setter: fld_prio, prio: 0}]}, - "service_account": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 7}]}, - "severity": {to:[{field: "log.level", setter: fld_set}]}, - "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]}, - "sinterface": {to:[{field: "observer.ingress.interface.name", setter: fld_set}]}, - "sld": {to:[{field: "url.registered_domain", setter: fld_set}]}, - "smacaddr": {convert: to_mac, to:[{field: "source.mac", setter: fld_set}]}, - "sport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 0}]}, - "stransaddr": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, - "stransport": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 0}]}, - "tcp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 2}]}, - "tcp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 2}]}, - "timezone": {to:[{field: "event.timezone", setter: fld_set}]}, - "tld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 0}]}, - "udp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 3}]}, - "udp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 3}]}, - "uid": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 3}]}, - "url": {to:[{field: "url.original", setter: fld_prio, prio: 1}]}, - "url_raw": {to:[{field: "url.original", setter: fld_prio, prio: 
0}]}, - "urldomain": {to:[{field: "url.domain", setter: fld_prio, prio: 0}]}, - "urlquery": {to:[{field: "url.query", setter: fld_prio, prio: 0}]}, - "user": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 0}]}, - "user.id": {to:[{field: "user.id", setter: fld_prio, prio: 1}]}, - "user_agent": {to:[{field: "user_agent.original", setter: fld_set}]}, - "user_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 0}]}, - "user_id": {to:[{field: "user.id", setter: fld_prio, prio: 0}]}, - "username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 1}]}, - "version": {to:[{field: "observer.version", setter: fld_set}]}, - "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]}, - "web_extension": {to:[{field: "file.extension", setter: fld_prio, prio: 0}]}, - "web_query": {to:[{field: "url.query", setter: fld_prio, prio: 1}]}, - "web_ref_domain": {to:[{field: "related.hosts", setter: fld_append}]}, - "web_referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 0}]}, - "web_root": {to:[{field: "url.path", setter: fld_set}]}, - "webpage": {to:[{field: "file.name", setter: fld_prio, prio: 1}]}, - }; - - var rsa_mappings = { - "access_point": {to:[{field: "rsa.wireless.access_point", setter: fld_set}]}, - "accesses": {to:[{field: "rsa.identity.accesses", setter: fld_set}]}, - "acl_id": {to:[{field: "rsa.misc.acl_id", setter: fld_set}]}, - "acl_op": {to:[{field: "rsa.misc.acl_op", setter: fld_set}]}, - "acl_pos": {to:[{field: "rsa.misc.acl_pos", setter: fld_set}]}, - "acl_table": {to:[{field: "rsa.misc.acl_table", setter: fld_set}]}, - "action": {to:[{field: "rsa.misc.action", setter: fld_append}]}, - "ad_computer_dst": {to:[{field: "rsa.network.ad_computer_dst", setter: fld_set}]}, - "addr": {to:[{field: "rsa.network.addr", setter: fld_set}]}, - "admin": {to:[{field: "rsa.misc.admin", setter: 
fld_set}]}, - "agent": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 0}]}, - "agent.id": {to:[{field: "rsa.misc.agent_id", setter: fld_set}]}, - "alarm_id": {to:[{field: "rsa.misc.alarm_id", setter: fld_set}]}, - "alarmname": {to:[{field: "rsa.misc.alarmname", setter: fld_set}]}, - "alert": {to:[{field: "rsa.threat.alert", setter: fld_set}]}, - "alert_id": {to:[{field: "rsa.misc.alert_id", setter: fld_set}]}, - "alias.host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "analysis.file": {to:[{field: "rsa.investigations.analysis_file", setter: fld_set}]}, - "analysis.service": {to:[{field: "rsa.investigations.analysis_service", setter: fld_set}]}, - "analysis.session": {to:[{field: "rsa.investigations.analysis_session", setter: fld_set}]}, - "app_id": {to:[{field: "rsa.misc.app_id", setter: fld_set}]}, - "attachment": {to:[{field: "rsa.file.attachment", setter: fld_set}]}, - "audit": {to:[{field: "rsa.misc.audit", setter: fld_set}]}, - "audit_class": {to:[{field: "rsa.internal.audit_class", setter: fld_set}]}, - "audit_object": {to:[{field: "rsa.misc.audit_object", setter: fld_set}]}, - "auditdata": {to:[{field: "rsa.misc.auditdata", setter: fld_set}]}, - "authmethod": {to:[{field: "rsa.identity.auth_method", setter: fld_set}]}, - "autorun_type": {to:[{field: "rsa.misc.autorun_type", setter: fld_set}]}, - "bcc": {to:[{field: "rsa.email.email", setter: fld_append}]}, - "benchmark": {to:[{field: "rsa.misc.benchmark", setter: fld_set}]}, - "binary": {to:[{field: "rsa.file.binary", setter: fld_set}]}, - "boc": {to:[{field: "rsa.investigations.boc", setter: fld_set}]}, - "bssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 1}]}, - "bypass": {to:[{field: "rsa.misc.bypass", setter: fld_set}]}, - "c_sid": {to:[{field: "rsa.identity.user_sid_src", setter: fld_set}]}, - "cache": {to:[{field: "rsa.misc.cache", setter: fld_set}]}, - "cache_hit": {to:[{field: "rsa.misc.cache_hit", setter: fld_set}]}, - "calling_from": {to:[{field: 
"rsa.misc.phone", setter: fld_prio, prio: 1}]},
- "calling_to": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 0}]},
- "category": {to:[{field: "rsa.misc.category", setter: fld_set}]},
- "cc": {to:[{field: "rsa.email.email", setter: fld_append}]},
- "cc.number": {convert: to_long, to:[{field: "rsa.misc.cc_number", setter: fld_set}]},
- "cefversion": {to:[{field: "rsa.misc.cefversion", setter: fld_set}]},
- "cert.serial": {to:[{field: "rsa.crypto.cert_serial", setter: fld_set}]},
- "cert_ca": {to:[{field: "rsa.crypto.cert_ca", setter: fld_set}]},
- "cert_checksum": {to:[{field: "rsa.crypto.cert_checksum", setter: fld_set}]},
- "cert_common": {to:[{field: "rsa.crypto.cert_common", setter: fld_set}]},
- "cert_error": {to:[{field: "rsa.crypto.cert_error", setter: fld_set}]},
- "cert_hostname": {to:[{field: "rsa.crypto.cert_host_name", setter: fld_set}]},
- "cert_hostname_cat": {to:[{field: "rsa.crypto.cert_host_cat", setter: fld_set}]},
- "cert_issuer": {to:[{field: "rsa.crypto.cert_issuer", setter: fld_set}]},
- "cert_keysize": {to:[{field: "rsa.crypto.cert_keysize", setter: fld_set}]},
- "cert_status": {to:[{field: "rsa.crypto.cert_status", setter: fld_set}]},
- "cert_subject": {to:[{field: "rsa.crypto.cert_subject", setter: fld_set}]},
- "cert_username": {to:[{field: "rsa.crypto.cert_username", setter: fld_set}]},
- "cfg.attr": {to:[{field: "rsa.misc.cfg_attr", setter: fld_set}]},
- "cfg.obj": {to:[{field: "rsa.misc.cfg_obj", setter: fld_set}]},
- "cfg.path": {to:[{field: "rsa.misc.cfg_path", setter: fld_set}]},
- "change_attribute": {to:[{field: "rsa.misc.change_attrib", setter: fld_set}]},
- "change_new": {to:[{field: "rsa.misc.change_new", setter: fld_set}]},
- "change_old": {to:[{field: "rsa.misc.change_old", setter: fld_set}]},
- "changes": {to:[{field: "rsa.misc.changes", setter: fld_set}]},
- "checksum": {to:[{field: "rsa.misc.checksum", setter: fld_set}]},
- "checksum.dst": {to:[{field: "rsa.misc.checksum_dst", setter: fld_set}]},
- "checksum.src":
{to:[{field: "rsa.misc.checksum_src", setter: fld_set}]},
- "cid": {to:[{field: "rsa.internal.cid", setter: fld_set}]},
- "client": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 1}]},
- "client_ip": {to:[{field: "rsa.misc.client_ip", setter: fld_set}]},
- "clustermembers": {to:[{field: "rsa.misc.clustermembers", setter: fld_set}]},
- "cmd": {to:[{field: "rsa.misc.cmd", setter: fld_set}]},
- "cn_acttimeout": {to:[{field: "rsa.misc.cn_acttimeout", setter: fld_set}]},
- "cn_asn_dst": {to:[{field: "rsa.web.cn_asn_dst", setter: fld_set}]},
- "cn_asn_src": {to:[{field: "rsa.misc.cn_asn_src", setter: fld_set}]},
- "cn_bgpv4nxthop": {to:[{field: "rsa.misc.cn_bgpv4nxthop", setter: fld_set}]},
- "cn_ctr_dst_code": {to:[{field: "rsa.misc.cn_ctr_dst_code", setter: fld_set}]},
- "cn_dst_tos": {to:[{field: "rsa.misc.cn_dst_tos", setter: fld_set}]},
- "cn_dst_vlan": {to:[{field: "rsa.misc.cn_dst_vlan", setter: fld_set}]},
- "cn_engine_id": {to:[{field: "rsa.misc.cn_engine_id", setter: fld_set}]},
- "cn_engine_type": {to:[{field: "rsa.misc.cn_engine_type", setter: fld_set}]},
- "cn_f_switch": {to:[{field: "rsa.misc.cn_f_switch", setter: fld_set}]},
- "cn_flowsampid": {to:[{field: "rsa.misc.cn_flowsampid", setter: fld_set}]},
- "cn_flowsampintv": {to:[{field: "rsa.misc.cn_flowsampintv", setter: fld_set}]},
- "cn_flowsampmode": {to:[{field: "rsa.misc.cn_flowsampmode", setter: fld_set}]},
- "cn_inacttimeout": {to:[{field: "rsa.misc.cn_inacttimeout", setter: fld_set}]},
- "cn_inpermbyts": {to:[{field: "rsa.misc.cn_inpermbyts", setter: fld_set}]},
- "cn_inpermpckts": {to:[{field: "rsa.misc.cn_inpermpckts", setter: fld_set}]},
- "cn_invalid": {to:[{field: "rsa.misc.cn_invalid", setter: fld_set}]},
- "cn_ip_proto_ver": {to:[{field: "rsa.misc.cn_ip_proto_ver", setter: fld_set}]},
- "cn_ipv4_ident": {to:[{field: "rsa.misc.cn_ipv4_ident", setter: fld_set}]},
- "cn_l_switch": {to:[{field: "rsa.misc.cn_l_switch", setter: fld_set}]},
- "cn_log_did": {to:[{field:
"rsa.misc.cn_log_did", setter: fld_set}]},
- "cn_log_rid": {to:[{field: "rsa.misc.cn_log_rid", setter: fld_set}]},
- "cn_max_ttl": {to:[{field: "rsa.misc.cn_max_ttl", setter: fld_set}]},
- "cn_maxpcktlen": {to:[{field: "rsa.misc.cn_maxpcktlen", setter: fld_set}]},
- "cn_min_ttl": {to:[{field: "rsa.misc.cn_min_ttl", setter: fld_set}]},
- "cn_minpcktlen": {to:[{field: "rsa.misc.cn_minpcktlen", setter: fld_set}]},
- "cn_mpls_lbl_1": {to:[{field: "rsa.misc.cn_mpls_lbl_1", setter: fld_set}]},
- "cn_mpls_lbl_10": {to:[{field: "rsa.misc.cn_mpls_lbl_10", setter: fld_set}]},
- "cn_mpls_lbl_2": {to:[{field: "rsa.misc.cn_mpls_lbl_2", setter: fld_set}]},
- "cn_mpls_lbl_3": {to:[{field: "rsa.misc.cn_mpls_lbl_3", setter: fld_set}]},
- "cn_mpls_lbl_4": {to:[{field: "rsa.misc.cn_mpls_lbl_4", setter: fld_set}]},
- "cn_mpls_lbl_5": {to:[{field: "rsa.misc.cn_mpls_lbl_5", setter: fld_set}]},
- "cn_mpls_lbl_6": {to:[{field: "rsa.misc.cn_mpls_lbl_6", setter: fld_set}]},
- "cn_mpls_lbl_7": {to:[{field: "rsa.misc.cn_mpls_lbl_7", setter: fld_set}]},
- "cn_mpls_lbl_8": {to:[{field: "rsa.misc.cn_mpls_lbl_8", setter: fld_set}]},
- "cn_mpls_lbl_9": {to:[{field: "rsa.misc.cn_mpls_lbl_9", setter: fld_set}]},
- "cn_mplstoplabel": {to:[{field: "rsa.misc.cn_mplstoplabel", setter: fld_set}]},
- "cn_mplstoplabip": {to:[{field: "rsa.misc.cn_mplstoplabip", setter: fld_set}]},
- "cn_mul_dst_byt": {to:[{field: "rsa.misc.cn_mul_dst_byt", setter: fld_set}]},
- "cn_mul_dst_pks": {to:[{field: "rsa.misc.cn_mul_dst_pks", setter: fld_set}]},
- "cn_muligmptype": {to:[{field: "rsa.misc.cn_muligmptype", setter: fld_set}]},
- "cn_rpackets": {to:[{field: "rsa.web.cn_rpackets", setter: fld_set}]},
- "cn_sampalgo": {to:[{field: "rsa.misc.cn_sampalgo", setter: fld_set}]},
- "cn_sampint": {to:[{field: "rsa.misc.cn_sampint", setter: fld_set}]},
- "cn_seqctr": {to:[{field: "rsa.misc.cn_seqctr", setter: fld_set}]},
- "cn_spackets": {to:[{field: "rsa.misc.cn_spackets", setter: fld_set}]},
- "cn_src_tos": {to:[{field:
"rsa.misc.cn_src_tos", setter: fld_set}]},
- "cn_src_vlan": {to:[{field: "rsa.misc.cn_src_vlan", setter: fld_set}]},
- "cn_sysuptime": {to:[{field: "rsa.misc.cn_sysuptime", setter: fld_set}]},
- "cn_template_id": {to:[{field: "rsa.misc.cn_template_id", setter: fld_set}]},
- "cn_totbytsexp": {to:[{field: "rsa.misc.cn_totbytsexp", setter: fld_set}]},
- "cn_totflowexp": {to:[{field: "rsa.misc.cn_totflowexp", setter: fld_set}]},
- "cn_totpcktsexp": {to:[{field: "rsa.misc.cn_totpcktsexp", setter: fld_set}]},
- "cn_unixnanosecs": {to:[{field: "rsa.misc.cn_unixnanosecs", setter: fld_set}]},
- "cn_v6flowlabel": {to:[{field: "rsa.misc.cn_v6flowlabel", setter: fld_set}]},
- "cn_v6optheaders": {to:[{field: "rsa.misc.cn_v6optheaders", setter: fld_set}]},
- "code": {to:[{field: "rsa.misc.code", setter: fld_set}]},
- "command": {to:[{field: "rsa.misc.command", setter: fld_set}]},
- "comments": {to:[{field: "rsa.misc.comments", setter: fld_set}]},
- "comp_class": {to:[{field: "rsa.misc.comp_class", setter: fld_set}]},
- "comp_name": {to:[{field: "rsa.misc.comp_name", setter: fld_set}]},
- "comp_rbytes": {to:[{field: "rsa.misc.comp_rbytes", setter: fld_set}]},
- "comp_sbytes": {to:[{field: "rsa.misc.comp_sbytes", setter: fld_set}]},
- "component_version": {to:[{field: "rsa.misc.comp_version", setter: fld_set}]},
- "connection_id": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 1}]},
- "connectionid": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 0}]},
- "content": {to:[{field: "rsa.misc.content", setter: fld_set}]},
- "content_type": {to:[{field: "rsa.misc.content_type", setter: fld_set}]},
- "content_version": {to:[{field: "rsa.misc.content_version", setter: fld_set}]},
- "context": {to:[{field: "rsa.misc.context", setter: fld_set}]},
- "count": {to:[{field: "rsa.misc.count", setter: fld_set}]},
- "cpu": {convert: to_long, to:[{field: "rsa.misc.cpu", setter: fld_set}]},
- "cpu_data": {to:[{field: "rsa.misc.cpu_data", setter: fld_set}]},
-
"criticality": {to:[{field: "rsa.misc.criticality", setter: fld_set}]},
- "cs_agency_dst": {to:[{field: "rsa.misc.cs_agency_dst", setter: fld_set}]},
- "cs_analyzedby": {to:[{field: "rsa.misc.cs_analyzedby", setter: fld_set}]},
- "cs_av_other": {to:[{field: "rsa.misc.cs_av_other", setter: fld_set}]},
- "cs_av_primary": {to:[{field: "rsa.misc.cs_av_primary", setter: fld_set}]},
- "cs_av_secondary": {to:[{field: "rsa.misc.cs_av_secondary", setter: fld_set}]},
- "cs_bgpv6nxthop": {to:[{field: "rsa.misc.cs_bgpv6nxthop", setter: fld_set}]},
- "cs_bit9status": {to:[{field: "rsa.misc.cs_bit9status", setter: fld_set}]},
- "cs_context": {to:[{field: "rsa.misc.cs_context", setter: fld_set}]},
- "cs_control": {to:[{field: "rsa.misc.cs_control", setter: fld_set}]},
- "cs_data": {to:[{field: "rsa.misc.cs_data", setter: fld_set}]},
- "cs_datecret": {to:[{field: "rsa.misc.cs_datecret", setter: fld_set}]},
- "cs_dst_tld": {to:[{field: "rsa.misc.cs_dst_tld", setter: fld_set}]},
- "cs_eth_dst_ven": {to:[{field: "rsa.misc.cs_eth_dst_ven", setter: fld_set}]},
- "cs_eth_src_ven": {to:[{field: "rsa.misc.cs_eth_src_ven", setter: fld_set}]},
- "cs_event_uuid": {to:[{field: "rsa.misc.cs_event_uuid", setter: fld_set}]},
- "cs_filetype": {to:[{field: "rsa.misc.cs_filetype", setter: fld_set}]},
- "cs_fld": {to:[{field: "rsa.misc.cs_fld", setter: fld_set}]},
- "cs_if_desc": {to:[{field: "rsa.misc.cs_if_desc", setter: fld_set}]},
- "cs_if_name": {to:[{field: "rsa.misc.cs_if_name", setter: fld_set}]},
- "cs_ip_next_hop": {to:[{field: "rsa.misc.cs_ip_next_hop", setter: fld_set}]},
- "cs_ipv4dstpre": {to:[{field: "rsa.misc.cs_ipv4dstpre", setter: fld_set}]},
- "cs_ipv4srcpre": {to:[{field: "rsa.misc.cs_ipv4srcpre", setter: fld_set}]},
- "cs_lifetime": {to:[{field: "rsa.misc.cs_lifetime", setter: fld_set}]},
- "cs_log_medium": {to:[{field: "rsa.misc.cs_log_medium", setter: fld_set}]},
- "cs_loginname": {to:[{field: "rsa.misc.cs_loginname", setter: fld_set}]},
- "cs_modulescore": {to:[{field:
"rsa.misc.cs_modulescore", setter: fld_set}]},
- "cs_modulesign": {to:[{field: "rsa.misc.cs_modulesign", setter: fld_set}]},
- "cs_opswatresult": {to:[{field: "rsa.misc.cs_opswatresult", setter: fld_set}]},
- "cs_payload": {to:[{field: "rsa.misc.cs_payload", setter: fld_set}]},
- "cs_registrant": {to:[{field: "rsa.misc.cs_registrant", setter: fld_set}]},
- "cs_registrar": {to:[{field: "rsa.misc.cs_registrar", setter: fld_set}]},
- "cs_represult": {to:[{field: "rsa.misc.cs_represult", setter: fld_set}]},
- "cs_rpayload": {to:[{field: "rsa.misc.cs_rpayload", setter: fld_set}]},
- "cs_sampler_name": {to:[{field: "rsa.misc.cs_sampler_name", setter: fld_set}]},
- "cs_sourcemodule": {to:[{field: "rsa.misc.cs_sourcemodule", setter: fld_set}]},
- "cs_streams": {to:[{field: "rsa.misc.cs_streams", setter: fld_set}]},
- "cs_targetmodule": {to:[{field: "rsa.misc.cs_targetmodule", setter: fld_set}]},
- "cs_v6nxthop": {to:[{field: "rsa.misc.cs_v6nxthop", setter: fld_set}]},
- "cs_whois_server": {to:[{field: "rsa.misc.cs_whois_server", setter: fld_set}]},
- "cs_yararesult": {to:[{field: "rsa.misc.cs_yararesult", setter: fld_set}]},
- "cve": {to:[{field: "rsa.misc.cve", setter: fld_set}]},
- "d_certauth": {to:[{field: "rsa.crypto.d_certauth", setter: fld_set}]},
- "d_cipher": {to:[{field: "rsa.crypto.cipher_dst", setter: fld_set}]},
- "d_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_dst", setter: fld_set}]},
- "d_sslver": {to:[{field: "rsa.crypto.ssl_ver_dst", setter: fld_set}]},
- "data": {to:[{field: "rsa.internal.data", setter: fld_set}]},
- "data_type": {to:[{field: "rsa.misc.data_type", setter: fld_set}]},
- "date": {to:[{field: "rsa.time.date", setter: fld_set}]},
- "datetime": {to:[{field: "rsa.time.datetime", setter: fld_set}]},
- "day": {to:[{field: "rsa.time.day", setter: fld_set}]},
- "db_id": {to:[{field: "rsa.db.db_id", setter: fld_set}]},
- "db_name": {to:[{field: "rsa.db.database", setter: fld_set}]},
- "db_pid": {convert: to_long, to:[{field:
"rsa.db.db_pid", setter: fld_set}]},
- "dclass_counter1": {convert: to_long, to:[{field: "rsa.counters.dclass_c1", setter: fld_set}]},
- "dclass_counter1_string": {to:[{field: "rsa.counters.dclass_c1_str", setter: fld_set}]},
- "dclass_counter2": {convert: to_long, to:[{field: "rsa.counters.dclass_c2", setter: fld_set}]},
- "dclass_counter2_string": {to:[{field: "rsa.counters.dclass_c2_str", setter: fld_set}]},
- "dclass_counter3": {convert: to_long, to:[{field: "rsa.counters.dclass_c3", setter: fld_set}]},
- "dclass_counter3_string": {to:[{field: "rsa.counters.dclass_c3_str", setter: fld_set}]},
- "dclass_ratio1": {to:[{field: "rsa.counters.dclass_r1", setter: fld_set}]},
- "dclass_ratio1_string": {to:[{field: "rsa.counters.dclass_r1_str", setter: fld_set}]},
- "dclass_ratio2": {to:[{field: "rsa.counters.dclass_r2", setter: fld_set}]},
- "dclass_ratio2_string": {to:[{field: "rsa.counters.dclass_r2_str", setter: fld_set}]},
- "dclass_ratio3": {to:[{field: "rsa.counters.dclass_r3", setter: fld_set}]},
- "dclass_ratio3_string": {to:[{field: "rsa.counters.dclass_r3_str", setter: fld_set}]},
- "dead": {convert: to_long, to:[{field: "rsa.internal.dead", setter: fld_set}]},
- "description": {to:[{field: "rsa.misc.description", setter: fld_set}]},
- "detail": {to:[{field: "rsa.misc.event_desc", setter: fld_set}]},
- "device": {to:[{field: "rsa.misc.device_name", setter: fld_set}]},
- "device.class": {to:[{field: "rsa.internal.device_class", setter: fld_set}]},
- "device.group": {to:[{field: "rsa.internal.device_group", setter: fld_set}]},
- "device.host": {to:[{field: "rsa.internal.device_host", setter: fld_set}]},
- "device.ip": {convert: to_ip, to:[{field: "rsa.internal.device_ip", setter: fld_set}]},
- "device.ipv6": {convert: to_ip, to:[{field: "rsa.internal.device_ipv6", setter: fld_set}]},
- "device.type": {to:[{field: "rsa.internal.device_type", setter: fld_set}]},
- "device.type.id": {convert: to_long, to:[{field: "rsa.internal.device_type_id", setter: fld_set}]},
- "devicehostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
- "devvendor": {to:[{field: "rsa.misc.devvendor", setter: fld_set}]},
- "dhost": {to:[{field: "rsa.network.host_dst", setter: fld_set}]},
- "did": {to:[{field: "rsa.internal.did", setter: fld_set}]},
- "dinterface": {to:[{field: "rsa.network.dinterface", setter: fld_set}]},
- "directory.dst": {to:[{field: "rsa.file.directory_dst", setter: fld_set}]},
- "directory.src": {to:[{field: "rsa.file.directory_src", setter: fld_set}]},
- "disk_volume": {to:[{field: "rsa.storage.disk_volume", setter: fld_set}]},
- "disposition": {to:[{field: "rsa.misc.disposition", setter: fld_set}]},
- "distance": {to:[{field: "rsa.misc.distance", setter: fld_set}]},
- "dmask": {to:[{field: "rsa.network.dmask", setter: fld_set}]},
- "dn": {to:[{field: "rsa.identity.dn", setter: fld_set}]},
- "dns_a_record": {to:[{field: "rsa.network.dns_a_record", setter: fld_set}]},
- "dns_cname_record": {to:[{field: "rsa.network.dns_cname_record", setter: fld_set}]},
- "dns_id": {to:[{field: "rsa.network.dns_id", setter: fld_set}]},
- "dns_opcode": {to:[{field: "rsa.network.dns_opcode", setter: fld_set}]},
- "dns_ptr_record": {to:[{field: "rsa.network.dns_ptr_record", setter: fld_set}]},
- "dns_resp": {to:[{field: "rsa.network.dns_resp", setter: fld_set}]},
- "dns_type": {to:[{field: "rsa.network.dns_type", setter: fld_set}]},
- "doc_number": {convert: to_long, to:[{field: "rsa.misc.doc_number", setter: fld_set}]},
- "domain": {to:[{field: "rsa.network.domain", setter: fld_set}]},
- "domain1": {to:[{field: "rsa.network.domain1", setter: fld_set}]},
- "dst_dn": {to:[{field: "rsa.identity.dn_dst", setter: fld_set}]},
- "dst_payload": {to:[{field: "rsa.misc.payload_dst", setter: fld_set}]},
- "dst_spi": {to:[{field: "rsa.misc.spi_dst", setter: fld_set}]},
- "dst_zone": {to:[{field: "rsa.network.zone_dst", setter: fld_set}]},
- "dstburb": {to:[{field: "rsa.misc.dstburb", setter: fld_set}]},
- "duration": {convert: to_double,
to:[{field: "rsa.time.duration_time", setter: fld_set}]},
- "duration_string": {to:[{field: "rsa.time.duration_str", setter: fld_set}]},
- "ec_activity": {to:[{field: "rsa.investigations.ec_activity", setter: fld_set}]},
- "ec_outcome": {to:[{field: "rsa.investigations.ec_outcome", setter: fld_set}]},
- "ec_subject": {to:[{field: "rsa.investigations.ec_subject", setter: fld_set}]},
- "ec_theme": {to:[{field: "rsa.investigations.ec_theme", setter: fld_set}]},
- "edomain": {to:[{field: "rsa.misc.edomain", setter: fld_set}]},
- "edomaub": {to:[{field: "rsa.misc.edomaub", setter: fld_set}]},
- "effective_time": {convert: to_date, to:[{field: "rsa.time.effective_time", setter: fld_set}]},
- "ein.number": {convert: to_long, to:[{field: "rsa.misc.ein_number", setter: fld_set}]},
- "email": {to:[{field: "rsa.email.email", setter: fld_append}]},
- "encryption_type": {to:[{field: "rsa.crypto.crypto", setter: fld_set}]},
- "endtime": {convert: to_date, to:[{field: "rsa.time.endtime", setter: fld_set}]},
- "entropy.req": {convert: to_long, to:[{field: "rsa.internal.entropy_req", setter: fld_set}]},
- "entropy.res": {convert: to_long, to:[{field: "rsa.internal.entropy_res", setter: fld_set}]},
- "entry": {to:[{field: "rsa.internal.entry", setter: fld_set}]},
- "eoc": {to:[{field: "rsa.investigations.eoc", setter: fld_set}]},
- "error": {to:[{field: "rsa.misc.error", setter: fld_set}]},
- "eth_type": {convert: to_long, to:[{field: "rsa.network.eth_type", setter: fld_set}]},
- "euid": {to:[{field: "rsa.misc.euid", setter: fld_set}]},
- "event.cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 1}]},
- "event.cat.name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 1}]},
- "event_cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 0}]},
- "event_cat_name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 0}]},
- "event_category": {to:[{field:
"rsa.misc.event_category", setter: fld_set}]},
- "event_computer": {to:[{field: "rsa.misc.event_computer", setter: fld_set}]},
- "event_counter": {convert: to_long, to:[{field: "rsa.counters.event_counter", setter: fld_set}]},
- "event_description": {to:[{field: "rsa.internal.event_desc", setter: fld_set}]},
- "event_id": {to:[{field: "rsa.misc.event_id", setter: fld_set}]},
- "event_log": {to:[{field: "rsa.misc.event_log", setter: fld_set}]},
- "event_name": {to:[{field: "rsa.internal.event_name", setter: fld_set}]},
- "event_queue_time": {convert: to_date, to:[{field: "rsa.time.event_queue_time", setter: fld_set}]},
- "event_source": {to:[{field: "rsa.misc.event_source", setter: fld_set}]},
- "event_state": {to:[{field: "rsa.misc.event_state", setter: fld_set}]},
- "event_time": {convert: to_date, to:[{field: "rsa.time.event_time", setter: fld_set}]},
- "event_time_str": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 1}]},
- "event_time_string": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 0}]},
- "event_type": {to:[{field: "rsa.misc.event_type", setter: fld_set}]},
- "event_user": {to:[{field: "rsa.misc.event_user", setter: fld_set}]},
- "eventtime": {to:[{field: "rsa.time.eventtime", setter: fld_set}]},
- "expected_val": {to:[{field: "rsa.misc.expected_val", setter: fld_set}]},
- "expiration_time": {convert: to_date, to:[{field: "rsa.time.expire_time", setter: fld_set}]},
- "expiration_time_string": {to:[{field: "rsa.time.expire_time_str", setter: fld_set}]},
- "facility": {to:[{field: "rsa.misc.facility", setter: fld_set}]},
- "facilityname": {to:[{field: "rsa.misc.facilityname", setter: fld_set}]},
- "faddr": {to:[{field: "rsa.network.faddr", setter: fld_set}]},
- "fcatnum": {to:[{field: "rsa.misc.fcatnum", setter: fld_set}]},
- "federated_idp": {to:[{field: "rsa.identity.federated_idp", setter: fld_set}]},
- "federated_sp": {to:[{field: "rsa.identity.federated_sp", setter: fld_set}]},
- "feed.category": {to:[{field:
"rsa.internal.feed_category", setter: fld_set}]},
- "feed_desc": {to:[{field: "rsa.internal.feed_desc", setter: fld_set}]},
- "feed_name": {to:[{field: "rsa.internal.feed_name", setter: fld_set}]},
- "fhost": {to:[{field: "rsa.network.fhost", setter: fld_set}]},
- "file_entropy": {convert: to_double, to:[{field: "rsa.file.file_entropy", setter: fld_set}]},
- "file_vendor": {to:[{field: "rsa.file.file_vendor", setter: fld_set}]},
- "filename_dst": {to:[{field: "rsa.file.filename_dst", setter: fld_set}]},
- "filename_src": {to:[{field: "rsa.file.filename_src", setter: fld_set}]},
- "filename_tmp": {to:[{field: "rsa.file.filename_tmp", setter: fld_set}]},
- "filesystem": {to:[{field: "rsa.file.filesystem", setter: fld_set}]},
- "filter": {to:[{field: "rsa.misc.filter", setter: fld_set}]},
- "finterface": {to:[{field: "rsa.misc.finterface", setter: fld_set}]},
- "flags": {to:[{field: "rsa.misc.flags", setter: fld_set}]},
- "forensic_info": {to:[{field: "rsa.misc.forensic_info", setter: fld_set}]},
- "forward.ip": {convert: to_ip, to:[{field: "rsa.internal.forward_ip", setter: fld_set}]},
- "forward.ipv6": {convert: to_ip, to:[{field: "rsa.internal.forward_ipv6", setter: fld_set}]},
- "found": {to:[{field: "rsa.misc.found", setter: fld_set}]},
- "fport": {to:[{field: "rsa.network.fport", setter: fld_set}]},
- "fqdn": {to:[{field: "rsa.web.fqdn", setter: fld_set}]},
- "fresult": {convert: to_long, to:[{field: "rsa.misc.fresult", setter: fld_set}]},
- "from": {to:[{field: "rsa.email.email_src", setter: fld_set}]},
- "gaddr": {to:[{field: "rsa.misc.gaddr", setter: fld_set}]},
- "gateway": {to:[{field: "rsa.network.gateway", setter: fld_set}]},
- "gmtdate": {to:[{field: "rsa.time.gmtdate", setter: fld_set}]},
- "gmttime": {to:[{field: "rsa.time.gmttime", setter: fld_set}]},
- "group": {to:[{field: "rsa.misc.group", setter: fld_set}]},
- "group_object": {to:[{field: "rsa.misc.group_object", setter: fld_set}]},
- "groupid": {to:[{field: "rsa.misc.group_id", setter:
fld_set}]},
- "h_code": {to:[{field: "rsa.internal.hcode", setter: fld_set}]},
- "hardware_id": {to:[{field: "rsa.misc.hardware_id", setter: fld_set}]},
- "header.id": {to:[{field: "rsa.internal.header_id", setter: fld_set}]},
- "host.orig": {to:[{field: "rsa.network.host_orig", setter: fld_set}]},
- "host.state": {to:[{field: "rsa.endpoint.host_state", setter: fld_set}]},
- "host.type": {to:[{field: "rsa.network.host_type", setter: fld_set}]},
- "host_role": {to:[{field: "rsa.identity.host_role", setter: fld_set}]},
- "hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
- "hostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
- "hour": {to:[{field: "rsa.time.hour", setter: fld_set}]},
- "https.insact": {to:[{field: "rsa.crypto.https_insact", setter: fld_set}]},
- "https.valid": {to:[{field: "rsa.crypto.https_valid", setter: fld_set}]},
- "icmpcode": {convert: to_long, to:[{field: "rsa.network.icmp_code", setter: fld_set}]},
- "icmptype": {convert: to_long, to:[{field: "rsa.network.icmp_type", setter: fld_set}]},
- "id": {to:[{field: "rsa.misc.reference_id", setter: fld_set}]},
- "id1": {to:[{field: "rsa.misc.reference_id1", setter: fld_set}]},
- "id2": {to:[{field: "rsa.misc.reference_id2", setter: fld_set}]},
- "id3": {to:[{field: "rsa.misc.id3", setter: fld_set}]},
- "ike": {to:[{field: "rsa.crypto.ike", setter: fld_set}]},
- "ike_cookie1": {to:[{field: "rsa.crypto.ike_cookie1", setter: fld_set}]},
- "ike_cookie2": {to:[{field: "rsa.crypto.ike_cookie2", setter: fld_set}]},
- "im_buddyid": {to:[{field: "rsa.misc.im_buddyid", setter: fld_set}]},
- "im_buddyname": {to:[{field: "rsa.misc.im_buddyname", setter: fld_set}]},
- "im_client": {to:[{field: "rsa.misc.im_client", setter: fld_set}]},
- "im_croomid": {to:[{field: "rsa.misc.im_croomid", setter: fld_set}]},
- "im_croomtype": {to:[{field: "rsa.misc.im_croomtype", setter: fld_set}]},
- "im_members": {to:[{field: "rsa.misc.im_members", setter: fld_set}]},
- "im_userid":
{to:[{field: "rsa.misc.im_userid", setter: fld_set}]},
- "im_username": {to:[{field: "rsa.misc.im_username", setter: fld_set}]},
- "index": {to:[{field: "rsa.misc.index", setter: fld_set}]},
- "info": {to:[{field: "rsa.db.index", setter: fld_set}]},
- "inode": {convert: to_long, to:[{field: "rsa.internal.inode", setter: fld_set}]},
- "inout": {to:[{field: "rsa.misc.inout", setter: fld_set}]},
- "instance": {to:[{field: "rsa.db.instance", setter: fld_set}]},
- "interface": {to:[{field: "rsa.network.interface", setter: fld_set}]},
- "inv.category": {to:[{field: "rsa.investigations.inv_category", setter: fld_set}]},
- "inv.context": {to:[{field: "rsa.investigations.inv_context", setter: fld_set}]},
- "ioc": {to:[{field: "rsa.investigations.ioc", setter: fld_set}]},
- "ip_proto": {convert: to_long, to:[{field: "rsa.network.ip_proto", setter: fld_set}]},
- "ipkt": {to:[{field: "rsa.misc.ipkt", setter: fld_set}]},
- "ipscat": {to:[{field: "rsa.misc.ipscat", setter: fld_set}]},
- "ipspri": {to:[{field: "rsa.misc.ipspri", setter: fld_set}]},
- "jobname": {to:[{field: "rsa.misc.jobname", setter: fld_set}]},
- "jobnum": {to:[{field: "rsa.misc.job_num", setter: fld_set}]},
- "laddr": {to:[{field: "rsa.network.laddr", setter: fld_set}]},
- "language": {to:[{field: "rsa.misc.language", setter: fld_set}]},
- "latitude": {to:[{field: "rsa.misc.latitude", setter: fld_set}]},
- "lc.cid": {to:[{field: "rsa.internal.lc_cid", setter: fld_set}]},
- "lc.ctime": {convert: to_date, to:[{field: "rsa.internal.lc_ctime", setter: fld_set}]},
- "ldap": {to:[{field: "rsa.identity.ldap", setter: fld_set}]},
- "ldap.query": {to:[{field: "rsa.identity.ldap_query", setter: fld_set}]},
- "ldap.response": {to:[{field: "rsa.identity.ldap_response", setter: fld_set}]},
- "level": {convert: to_long, to:[{field: "rsa.internal.level", setter: fld_set}]},
- "lhost": {to:[{field: "rsa.network.lhost", setter: fld_set}]},
- "library": {to:[{field: "rsa.misc.library", setter: fld_set}]},
- "lifetime":
{convert: to_long, to:[{field: "rsa.misc.lifetime", setter: fld_set}]},
- "linenum": {to:[{field: "rsa.misc.linenum", setter: fld_set}]},
- "link": {to:[{field: "rsa.misc.link", setter: fld_set}]},
- "linterface": {to:[{field: "rsa.network.linterface", setter: fld_set}]},
- "list_name": {to:[{field: "rsa.misc.list_name", setter: fld_set}]},
- "listnum": {to:[{field: "rsa.misc.listnum", setter: fld_set}]},
- "load_data": {to:[{field: "rsa.misc.load_data", setter: fld_set}]},
- "location_floor": {to:[{field: "rsa.misc.location_floor", setter: fld_set}]},
- "location_mark": {to:[{field: "rsa.misc.location_mark", setter: fld_set}]},
- "log_id": {to:[{field: "rsa.misc.log_id", setter: fld_set}]},
- "log_type": {to:[{field: "rsa.misc.log_type", setter: fld_set}]},
- "logid": {to:[{field: "rsa.misc.logid", setter: fld_set}]},
- "logip": {to:[{field: "rsa.misc.logip", setter: fld_set}]},
- "logname": {to:[{field: "rsa.misc.logname", setter: fld_set}]},
- "logon_type": {to:[{field: "rsa.identity.logon_type", setter: fld_set}]},
- "logon_type_desc": {to:[{field: "rsa.identity.logon_type_desc", setter: fld_set}]},
- "longitude": {to:[{field: "rsa.misc.longitude", setter: fld_set}]},
- "lport": {to:[{field: "rsa.misc.lport", setter: fld_set}]},
- "lread": {convert: to_long, to:[{field: "rsa.db.lread", setter: fld_set}]},
- "lun": {to:[{field: "rsa.storage.lun", setter: fld_set}]},
- "lwrite": {convert: to_long, to:[{field: "rsa.db.lwrite", setter: fld_set}]},
- "macaddr": {convert: to_mac, to:[{field: "rsa.network.eth_host", setter: fld_set}]},
- "mail_id": {to:[{field: "rsa.misc.mail_id", setter: fld_set}]},
- "mask": {to:[{field: "rsa.network.mask", setter: fld_set}]},
- "match": {to:[{field: "rsa.misc.match", setter: fld_set}]},
- "mbug_data": {to:[{field: "rsa.misc.mbug_data", setter: fld_set}]},
- "mcb.req": {convert: to_long, to:[{field: "rsa.internal.mcb_req", setter: fld_set}]},
- "mcb.res": {convert: to_long, to:[{field: "rsa.internal.mcb_res", setter: fld_set}]},
-
"mcbc.req": {convert: to_long, to:[{field: "rsa.internal.mcbc_req", setter: fld_set}]},
- "mcbc.res": {convert: to_long, to:[{field: "rsa.internal.mcbc_res", setter: fld_set}]},
- "medium": {convert: to_long, to:[{field: "rsa.internal.medium", setter: fld_set}]},
- "message": {to:[{field: "rsa.internal.message", setter: fld_set}]},
- "message_body": {to:[{field: "rsa.misc.message_body", setter: fld_set}]},
- "messageid": {to:[{field: "rsa.internal.messageid", setter: fld_set}]},
- "min": {to:[{field: "rsa.time.min", setter: fld_set}]},
- "misc": {to:[{field: "rsa.misc.misc", setter: fld_set}]},
- "misc_name": {to:[{field: "rsa.misc.misc_name", setter: fld_set}]},
- "mode": {to:[{field: "rsa.misc.mode", setter: fld_set}]},
- "month": {to:[{field: "rsa.time.month", setter: fld_set}]},
- "msg": {to:[{field: "rsa.internal.msg", setter: fld_set}]},
- "msgIdPart1": {to:[{field: "rsa.misc.msgIdPart1", setter: fld_set}]},
- "msgIdPart2": {to:[{field: "rsa.misc.msgIdPart2", setter: fld_set}]},
- "msgIdPart3": {to:[{field: "rsa.misc.msgIdPart3", setter: fld_set}]},
- "msgIdPart4": {to:[{field: "rsa.misc.msgIdPart4", setter: fld_set}]},
- "msg_id": {to:[{field: "rsa.internal.msg_id", setter: fld_set}]},
- "msg_type": {to:[{field: "rsa.misc.msg_type", setter: fld_set}]},
- "msgid": {to:[{field: "rsa.misc.msgid", setter: fld_set}]},
- "name": {to:[{field: "rsa.misc.name", setter: fld_set}]},
- "netname": {to:[{field: "rsa.network.netname", setter: fld_set}]},
- "netsessid": {to:[{field: "rsa.misc.netsessid", setter: fld_set}]},
- "network_port": {convert: to_long, to:[{field: "rsa.network.network_port", setter: fld_set}]},
- "network_service": {to:[{field: "rsa.network.network_service", setter: fld_set}]},
- "node": {to:[{field: "rsa.misc.node", setter: fld_set}]},
- "nodename": {to:[{field: "rsa.internal.node_name", setter: fld_set}]},
- "ntype": {to:[{field: "rsa.misc.ntype", setter: fld_set}]},
- "num": {to:[{field: "rsa.misc.num", setter: fld_set}]},
- "number":
{to:[{field: "rsa.misc.number", setter: fld_set}]},
- "number1": {to:[{field: "rsa.misc.number1", setter: fld_set}]},
- "number2": {to:[{field: "rsa.misc.number2", setter: fld_set}]},
- "nwe.callback_id": {to:[{field: "rsa.internal.nwe_callback_id", setter: fld_set}]},
- "nwwn": {to:[{field: "rsa.misc.nwwn", setter: fld_set}]},
- "obj_id": {to:[{field: "rsa.internal.obj_id", setter: fld_set}]},
- "obj_name": {to:[{field: "rsa.misc.obj_name", setter: fld_set}]},
- "obj_server": {to:[{field: "rsa.internal.obj_server", setter: fld_set}]},
- "obj_type": {to:[{field: "rsa.misc.obj_type", setter: fld_set}]},
- "obj_value": {to:[{field: "rsa.internal.obj_val", setter: fld_set}]},
- "object": {to:[{field: "rsa.misc.object", setter: fld_set}]},
- "observed_val": {to:[{field: "rsa.misc.observed_val", setter: fld_set}]},
- "operation": {to:[{field: "rsa.misc.operation", setter: fld_set}]},
- "operation_id": {to:[{field: "rsa.misc.operation_id", setter: fld_set}]},
- "opkt": {to:[{field: "rsa.misc.opkt", setter: fld_set}]},
- "org.dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 1}]},
- "org.src": {to:[{field: "rsa.physical.org_src", setter: fld_set}]},
- "org_dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 0}]},
- "orig_from": {to:[{field: "rsa.misc.orig_from", setter: fld_set}]},
- "origin": {to:[{field: "rsa.network.origin", setter: fld_set}]},
- "original_owner": {to:[{field: "rsa.identity.owner", setter: fld_set}]},
- "os": {to:[{field: "rsa.misc.OS", setter: fld_set}]},
- "owner_id": {to:[{field: "rsa.misc.owner_id", setter: fld_set}]},
- "p_action": {to:[{field: "rsa.misc.p_action", setter: fld_set}]},
- "p_date": {to:[{field: "rsa.time.p_date", setter: fld_set}]},
- "p_filter": {to:[{field: "rsa.misc.p_filter", setter: fld_set}]},
- "p_group_object": {to:[{field: "rsa.misc.p_group_object", setter: fld_set}]},
- "p_id": {to:[{field: "rsa.misc.p_id", setter: fld_set}]},
- "p_month": {to:[{field: "rsa.time.p_month", setter: fld_set}]},
- "p_msgid": {to:[{field: "rsa.misc.p_msgid", setter: fld_set}]},
- "p_msgid1": {to:[{field: "rsa.misc.p_msgid1", setter: fld_set}]},
- "p_msgid2": {to:[{field: "rsa.misc.p_msgid2", setter: fld_set}]},
- "p_result1": {to:[{field: "rsa.misc.p_result1", setter: fld_set}]},
- "p_time": {to:[{field: "rsa.time.p_time", setter: fld_set}]},
- "p_time1": {to:[{field: "rsa.time.p_time1", setter: fld_set}]},
- "p_time2": {to:[{field: "rsa.time.p_time2", setter: fld_set}]},
- "p_url": {to:[{field: "rsa.web.p_url", setter: fld_set}]},
- "p_user_agent": {to:[{field: "rsa.web.p_user_agent", setter: fld_set}]},
- "p_web_cookie": {to:[{field: "rsa.web.p_web_cookie", setter: fld_set}]},
- "p_web_method": {to:[{field: "rsa.web.p_web_method", setter: fld_set}]},
- "p_web_referer": {to:[{field: "rsa.web.p_web_referer", setter: fld_set}]},
- "p_year": {to:[{field: "rsa.time.p_year", setter: fld_set}]},
- "packet_length": {to:[{field: "rsa.network.packet_length", setter: fld_set}]},
- "paddr": {convert: to_ip, to:[{field: "rsa.network.paddr", setter: fld_set}]},
- "param": {to:[{field: "rsa.misc.param", setter: fld_set}]},
- "param.dst": {to:[{field: "rsa.misc.param_dst", setter: fld_set}]},
- "param.src": {to:[{field: "rsa.misc.param_src", setter: fld_set}]},
- "parent_node": {to:[{field: "rsa.misc.parent_node", setter: fld_set}]},
- "parse.error": {to:[{field: "rsa.internal.parse_error", setter: fld_set}]},
- "password": {to:[{field: "rsa.identity.password", setter: fld_set}]},
- "password_chg": {to:[{field: "rsa.misc.password_chg", setter: fld_set}]},
- "password_expire": {to:[{field: "rsa.misc.password_expire", setter: fld_set}]},
- "patient_fname": {to:[{field: "rsa.healthcare.patient_fname", setter: fld_set}]},
- "patient_id": {to:[{field: "rsa.healthcare.patient_id", setter: fld_set}]},
- "patient_lname": {to:[{field: "rsa.healthcare.patient_lname", setter: fld_set}]},
- "patient_mname": {to:[{field: "rsa.healthcare.patient_mname", setter: fld_set}]},
- "payload.req": {convert:
to_long, to:[{field: "rsa.internal.payload_req", setter: fld_set}]}, - "payload.res": {convert: to_long, to:[{field: "rsa.internal.payload_res", setter: fld_set}]}, - "peer": {to:[{field: "rsa.crypto.peer", setter: fld_set}]}, - "peer_id": {to:[{field: "rsa.crypto.peer_id", setter: fld_set}]}, - "permgranted": {to:[{field: "rsa.misc.permgranted", setter: fld_set}]}, - "permissions": {to:[{field: "rsa.db.permissions", setter: fld_set}]}, - "permwanted": {to:[{field: "rsa.misc.permwanted", setter: fld_set}]}, - "pgid": {to:[{field: "rsa.misc.pgid", setter: fld_set}]}, - "phone_number": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 2}]}, - "phost": {to:[{field: "rsa.network.phost", setter: fld_set}]}, - "pid": {to:[{field: "rsa.misc.pid", setter: fld_set}]}, - "policy": {to:[{field: "rsa.misc.policy", setter: fld_set}]}, - "policyUUID": {to:[{field: "rsa.misc.policyUUID", setter: fld_set}]}, - "policy_id": {to:[{field: "rsa.misc.policy_id", setter: fld_set}]}, - "policy_value": {to:[{field: "rsa.misc.policy_value", setter: fld_set}]}, - "policy_waiver": {to:[{field: "rsa.misc.policy_waiver", setter: fld_set}]}, - "policyname": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 0}]}, - "pool_id": {to:[{field: "rsa.misc.pool_id", setter: fld_set}]}, - "pool_name": {to:[{field: "rsa.misc.pool_name", setter: fld_set}]}, - "port": {convert: to_long, to:[{field: "rsa.network.port", setter: fld_set}]}, - "portname": {to:[{field: "rsa.misc.port_name", setter: fld_set}]}, - "pread": {convert: to_long, to:[{field: "rsa.db.pread", setter: fld_set}]}, - "priority": {to:[{field: "rsa.misc.priority", setter: fld_set}]}, - "privilege": {to:[{field: "rsa.file.privilege", setter: fld_set}]}, - "process.vid.dst": {to:[{field: "rsa.internal.process_vid_dst", setter: fld_set}]}, - "process.vid.src": {to:[{field: "rsa.internal.process_vid_src", setter: fld_set}]}, - "process_id_val": {to:[{field: "rsa.misc.process_id_val", setter: fld_set}]}, - "processing_time": 
{to:[{field: "rsa.time.process_time", setter: fld_set}]}, - "profile": {to:[{field: "rsa.identity.profile", setter: fld_set}]}, - "prog_asp_num": {to:[{field: "rsa.misc.prog_asp_num", setter: fld_set}]}, - "program": {to:[{field: "rsa.misc.program", setter: fld_set}]}, - "protocol_detail": {to:[{field: "rsa.network.protocol_detail", setter: fld_set}]}, - "pwwn": {to:[{field: "rsa.storage.pwwn", setter: fld_set}]}, - "r_hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "real_data": {to:[{field: "rsa.misc.real_data", setter: fld_set}]}, - "realm": {to:[{field: "rsa.identity.realm", setter: fld_set}]}, - "reason": {to:[{field: "rsa.misc.reason", setter: fld_set}]}, - "rec_asp_device": {to:[{field: "rsa.misc.rec_asp_device", setter: fld_set}]}, - "rec_asp_num": {to:[{field: "rsa.misc.rec_asp_num", setter: fld_set}]}, - "rec_library": {to:[{field: "rsa.misc.rec_library", setter: fld_set}]}, - "recorded_time": {convert: to_date, to:[{field: "rsa.time.recorded_time", setter: fld_set}]}, - "recordnum": {to:[{field: "rsa.misc.recordnum", setter: fld_set}]}, - "registry.key": {to:[{field: "rsa.endpoint.registry_key", setter: fld_set}]}, - "registry.value": {to:[{field: "rsa.endpoint.registry_value", setter: fld_set}]}, - "remote_domain": {to:[{field: "rsa.web.remote_domain", setter: fld_set}]}, - "remote_domain_id": {to:[{field: "rsa.network.remote_domain_id", setter: fld_set}]}, - "reputation_num": {convert: to_double, to:[{field: "rsa.web.reputation_num", setter: fld_set}]}, - "resource": {to:[{field: "rsa.internal.resource", setter: fld_set}]}, - "resource_class": {to:[{field: "rsa.internal.resource_class", setter: fld_set}]}, - "result": {to:[{field: "rsa.misc.result", setter: fld_set}]}, - "result_code": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 1}]}, - "resultcode": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 0}]}, - "rid": {convert: to_long, to:[{field: "rsa.internal.rid", setter: fld_set}]}, - "risk": 
{to:[{field: "rsa.misc.risk", setter: fld_set}]}, - "risk_info": {to:[{field: "rsa.misc.risk_info", setter: fld_set}]}, - "risk_num": {convert: to_double, to:[{field: "rsa.misc.risk_num", setter: fld_set}]}, - "risk_num_comm": {convert: to_double, to:[{field: "rsa.misc.risk_num_comm", setter: fld_set}]}, - "risk_num_next": {convert: to_double, to:[{field: "rsa.misc.risk_num_next", setter: fld_set}]}, - "risk_num_sand": {convert: to_double, to:[{field: "rsa.misc.risk_num_sand", setter: fld_set}]}, - "risk_num_static": {convert: to_double, to:[{field: "rsa.misc.risk_num_static", setter: fld_set}]}, - "risk_suspicious": {to:[{field: "rsa.misc.risk_suspicious", setter: fld_set}]}, - "risk_warning": {to:[{field: "rsa.misc.risk_warning", setter: fld_set}]}, - "rpayload": {to:[{field: "rsa.network.rpayload", setter: fld_set}]}, - "ruid": {to:[{field: "rsa.misc.ruid", setter: fld_set}]}, - "rule": {to:[{field: "rsa.misc.rule", setter: fld_set}]}, - "rule_group": {to:[{field: "rsa.misc.rule_group", setter: fld_set}]}, - "rule_template": {to:[{field: "rsa.misc.rule_template", setter: fld_set}]}, - "rule_uid": {to:[{field: "rsa.misc.rule_uid", setter: fld_set}]}, - "rulename": {to:[{field: "rsa.misc.rule_name", setter: fld_set}]}, - "s_certauth": {to:[{field: "rsa.crypto.s_certauth", setter: fld_set}]}, - "s_cipher": {to:[{field: "rsa.crypto.cipher_src", setter: fld_set}]}, - "s_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_src", setter: fld_set}]}, - "s_context": {to:[{field: "rsa.misc.context_subject", setter: fld_set}]}, - "s_sslver": {to:[{field: "rsa.crypto.ssl_ver_src", setter: fld_set}]}, - "sburb": {to:[{field: "rsa.misc.sburb", setter: fld_set}]}, - "scheme": {to:[{field: "rsa.crypto.scheme", setter: fld_set}]}, - "sdomain_fld": {to:[{field: "rsa.misc.sdomain_fld", setter: fld_set}]}, - "search.text": {to:[{field: "rsa.misc.search_text", setter: fld_set}]}, - "sec": {to:[{field: "rsa.misc.sec", setter: fld_set}]}, - "second": {to:[{field: 
"rsa.misc.second", setter: fld_set}]}, - "sensor": {to:[{field: "rsa.misc.sensor", setter: fld_set}]}, - "sensorname": {to:[{field: "rsa.misc.sensorname", setter: fld_set}]}, - "seqnum": {to:[{field: "rsa.misc.seqnum", setter: fld_set}]}, - "serial_number": {to:[{field: "rsa.misc.serial_number", setter: fld_set}]}, - "service.account": {to:[{field: "rsa.identity.service_account", setter: fld_set}]}, - "session": {to:[{field: "rsa.misc.session", setter: fld_set}]}, - "session.split": {to:[{field: "rsa.internal.session_split", setter: fld_set}]}, - "sessionid": {to:[{field: "rsa.misc.log_session_id", setter: fld_set}]}, - "sessionid1": {to:[{field: "rsa.misc.log_session_id1", setter: fld_set}]}, - "sessiontype": {to:[{field: "rsa.misc.sessiontype", setter: fld_set}]}, - "severity": {to:[{field: "rsa.misc.severity", setter: fld_set}]}, - "sid": {to:[{field: "rsa.identity.user_sid_dst", setter: fld_set}]}, - "sig.name": {to:[{field: "rsa.misc.sig_name", setter: fld_set}]}, - "sigUUID": {to:[{field: "rsa.misc.sigUUID", setter: fld_set}]}, - "sigcat": {to:[{field: "rsa.misc.sigcat", setter: fld_set}]}, - "sigid": {convert: to_long, to:[{field: "rsa.misc.sig_id", setter: fld_set}]}, - "sigid1": {convert: to_long, to:[{field: "rsa.misc.sig_id1", setter: fld_set}]}, - "sigid_string": {to:[{field: "rsa.misc.sig_id_str", setter: fld_set}]}, - "signame": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 1}]}, - "sigtype": {to:[{field: "rsa.crypto.sig_type", setter: fld_set}]}, - "sinterface": {to:[{field: "rsa.network.sinterface", setter: fld_set}]}, - "site": {to:[{field: "rsa.internal.site", setter: fld_set}]}, - "size": {convert: to_long, to:[{field: "rsa.internal.size", setter: fld_set}]}, - "smask": {to:[{field: "rsa.network.smask", setter: fld_set}]}, - "snmp.oid": {to:[{field: "rsa.misc.snmp_oid", setter: fld_set}]}, - "snmp.value": {to:[{field: "rsa.misc.snmp_value", setter: fld_set}]}, - "sourcefile": {to:[{field: "rsa.internal.sourcefile", setter: 
fld_set}]}, - "space": {to:[{field: "rsa.misc.space", setter: fld_set}]}, - "space1": {to:[{field: "rsa.misc.space1", setter: fld_set}]}, - "spi": {to:[{field: "rsa.misc.spi", setter: fld_set}]}, - "sql": {to:[{field: "rsa.misc.sql", setter: fld_set}]}, - "src_dn": {to:[{field: "rsa.identity.dn_src", setter: fld_set}]}, - "src_payload": {to:[{field: "rsa.misc.payload_src", setter: fld_set}]}, - "src_spi": {to:[{field: "rsa.misc.spi_src", setter: fld_set}]}, - "src_zone": {to:[{field: "rsa.network.zone_src", setter: fld_set}]}, - "srcburb": {to:[{field: "rsa.misc.srcburb", setter: fld_set}]}, - "srcdom": {to:[{field: "rsa.misc.srcdom", setter: fld_set}]}, - "srcservice": {to:[{field: "rsa.misc.srcservice", setter: fld_set}]}, - "ssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 0}]}, - "stamp": {convert: to_date, to:[{field: "rsa.time.stamp", setter: fld_set}]}, - "starttime": {convert: to_date, to:[{field: "rsa.time.starttime", setter: fld_set}]}, - "state": {to:[{field: "rsa.misc.state", setter: fld_set}]}, - "statement": {to:[{field: "rsa.internal.statement", setter: fld_set}]}, - "status": {to:[{field: "rsa.misc.status", setter: fld_set}]}, - "status1": {to:[{field: "rsa.misc.status1", setter: fld_set}]}, - "streams": {convert: to_long, to:[{field: "rsa.misc.streams", setter: fld_set}]}, - "subcategory": {to:[{field: "rsa.misc.subcategory", setter: fld_set}]}, - "subject": {to:[{field: "rsa.email.subject", setter: fld_set}]}, - "svcno": {to:[{field: "rsa.misc.svcno", setter: fld_set}]}, - "system": {to:[{field: "rsa.misc.system", setter: fld_set}]}, - "t_context": {to:[{field: "rsa.misc.context_target", setter: fld_set}]}, - "task_name": {to:[{field: "rsa.file.task_name", setter: fld_set}]}, - "tbdstr1": {to:[{field: "rsa.misc.tbdstr1", setter: fld_set}]}, - "tbdstr2": {to:[{field: "rsa.misc.tbdstr2", setter: fld_set}]}, - "tbl_name": {to:[{field: "rsa.db.table_name", setter: fld_set}]}, - "tcp_flags": {convert: to_long, to:[{field: 
"rsa.misc.tcp_flags", setter: fld_set}]}, - "terminal": {to:[{field: "rsa.misc.terminal", setter: fld_set}]}, - "tgtdom": {to:[{field: "rsa.misc.tgtdom", setter: fld_set}]}, - "tgtdomain": {to:[{field: "rsa.misc.tgtdomain", setter: fld_set}]}, - "threat_name": {to:[{field: "rsa.threat.threat_category", setter: fld_set}]}, - "threat_source": {to:[{field: "rsa.threat.threat_source", setter: fld_set}]}, - "threat_val": {to:[{field: "rsa.threat.threat_desc", setter: fld_set}]}, - "threshold": {to:[{field: "rsa.misc.threshold", setter: fld_set}]}, - "time": {convert: to_date, to:[{field: "rsa.internal.time", setter: fld_set}]}, - "timestamp": {to:[{field: "rsa.time.timestamp", setter: fld_set}]}, - "timezone": {to:[{field: "rsa.time.timezone", setter: fld_set}]}, - "to": {to:[{field: "rsa.email.email_dst", setter: fld_set}]}, - "tos": {convert: to_long, to:[{field: "rsa.misc.tos", setter: fld_set}]}, - "trans_from": {to:[{field: "rsa.email.trans_from", setter: fld_set}]}, - "trans_id": {to:[{field: "rsa.db.transact_id", setter: fld_set}]}, - "trans_to": {to:[{field: "rsa.email.trans_to", setter: fld_set}]}, - "trigger_desc": {to:[{field: "rsa.misc.trigger_desc", setter: fld_set}]}, - "trigger_val": {to:[{field: "rsa.misc.trigger_val", setter: fld_set}]}, - "type": {to:[{field: "rsa.misc.type", setter: fld_set}]}, - "type1": {to:[{field: "rsa.misc.type1", setter: fld_set}]}, - "tzone": {to:[{field: "rsa.time.tzone", setter: fld_set}]}, - "ubc.req": {convert: to_long, to:[{field: "rsa.internal.ubc_req", setter: fld_set}]}, - "ubc.res": {convert: to_long, to:[{field: "rsa.internal.ubc_res", setter: fld_set}]}, - "udb_class": {to:[{field: "rsa.misc.udb_class", setter: fld_set}]}, - "url_fld": {to:[{field: "rsa.misc.url_fld", setter: fld_set}]}, - "urlpage": {to:[{field: "rsa.web.urlpage", setter: fld_set}]}, - "urlroot": {to:[{field: "rsa.web.urlroot", setter: fld_set}]}, - "user_address": {to:[{field: "rsa.email.email", setter: fld_append}]}, - "user_dept": {to:[{field: 
"rsa.identity.user_dept", setter: fld_set}]}, - "user_div": {to:[{field: "rsa.misc.user_div", setter: fld_set}]}, - "user_fname": {to:[{field: "rsa.identity.firstname", setter: fld_set}]}, - "user_lname": {to:[{field: "rsa.identity.lastname", setter: fld_set}]}, - "user_mname": {to:[{field: "rsa.identity.middlename", setter: fld_set}]}, - "user_org": {to:[{field: "rsa.identity.org", setter: fld_set}]}, - "user_role": {to:[{field: "rsa.identity.user_role", setter: fld_set}]}, - "userid": {to:[{field: "rsa.misc.userid", setter: fld_set}]}, - "username_fld": {to:[{field: "rsa.misc.username_fld", setter: fld_set}]}, - "utcstamp": {to:[{field: "rsa.misc.utcstamp", setter: fld_set}]}, - "v_instafname": {to:[{field: "rsa.misc.v_instafname", setter: fld_set}]}, - "vendor_event_cat": {to:[{field: "rsa.investigations.event_vcat", setter: fld_set}]}, - "version": {to:[{field: "rsa.misc.version", setter: fld_set}]}, - "vid": {to:[{field: "rsa.internal.msg_vid", setter: fld_set}]}, - "virt_data": {to:[{field: "rsa.misc.virt_data", setter: fld_set}]}, - "virusname": {to:[{field: "rsa.misc.virusname", setter: fld_set}]}, - "vlan": {convert: to_long, to:[{field: "rsa.network.vlan", setter: fld_set}]}, - "vlan.name": {to:[{field: "rsa.network.vlan_name", setter: fld_set}]}, - "vm_target": {to:[{field: "rsa.misc.vm_target", setter: fld_set}]}, - "vpnid": {to:[{field: "rsa.misc.vpnid", setter: fld_set}]}, - "vsys": {to:[{field: "rsa.misc.vsys", setter: fld_set}]}, - "vuln_ref": {to:[{field: "rsa.misc.vuln_ref", setter: fld_set}]}, - "web_cookie": {to:[{field: "rsa.web.web_cookie", setter: fld_set}]}, - "web_extension_tmp": {to:[{field: "rsa.web.web_extension_tmp", setter: fld_set}]}, - "web_host": {to:[{field: "rsa.web.alias_host", setter: fld_set}]}, - "web_method": {to:[{field: "rsa.misc.action", setter: fld_append}]}, - "web_page": {to:[{field: "rsa.web.web_page", setter: fld_set}]}, - "web_ref_domain": {to:[{field: "rsa.web.web_ref_domain", setter: fld_set}]}, - "web_ref_host": 
{to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "web_ref_page": {to:[{field: "rsa.web.web_ref_page", setter: fld_set}]}, - "web_ref_query": {to:[{field: "rsa.web.web_ref_query", setter: fld_set}]}, - "web_ref_root": {to:[{field: "rsa.web.web_ref_root", setter: fld_set}]}, - "wifi_channel": {convert: to_long, to:[{field: "rsa.wireless.wlan_channel", setter: fld_set}]}, - "wlan": {to:[{field: "rsa.wireless.wlan_name", setter: fld_set}]}, - "word": {to:[{field: "rsa.internal.word", setter: fld_set}]}, - "workspace_desc": {to:[{field: "rsa.misc.workspace", setter: fld_set}]}, - "workstation": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "year": {to:[{field: "rsa.time.year", setter: fld_set}]}, - "zone": {to:[{field: "rsa.network.zone", setter: fld_set}]}, - }; - - function to_date(value) { - switch (typeof (value)) { - case "object": - // This is a Date. But as it was obtained from evt.Get(), the VM - // doesn't see it as a JS Date anymore, thus value instanceof Date === false. - // Have to trust that any object here is a valid Date for Go. - return value; - case "string": - var asDate = new Date(value); - if (!isNaN(asDate)) return asDate; - } - } - - // ECMAScript 5.1 doesn't have Object.MAX_SAFE_INTEGER / Object.MIN_SAFE_INTEGER. - var maxSafeInt = Math.pow(2, 53) - 1; - var minSafeInt = -maxSafeInt; - - function to_long(value) { - var num = parseInt(value); - // Better not to index a number if it's not safe (above 53 bits). - return !isNaN(num) && minSafeInt <= num && num <= maxSafeInt ? 
num : undefined; - } - - function to_ip(value) { - if (value.indexOf(":") === -1) - return to_ipv4(value); - return to_ipv6(value); - } - - var ipv4_regex = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/; - var ipv6_hex_regex = /^[0-9A-Fa-f]{1,4}$/; - - function to_ipv4(value) { - var result = ipv4_regex.exec(value); - if (result == null || result.length !== 5) return; - for (var i = 1; i < 5; i++) { - var num = strictToInt(result[i]); - if (isNaN(num) || num < 0 || num > 255) return; - } - return value; - } - - function to_ipv6(value) { - var sqEnd = value.indexOf("]"); - if (sqEnd > -1) { - if (value.charAt(0) !== "[") return; - value = value.substr(1, sqEnd - 1); - } - var zoneOffset = value.indexOf("%"); - if (zoneOffset > -1) { - value = value.substr(0, zoneOffset); - } - var parts = value.split(":"); - if (parts == null || parts.length < 3 || parts.length > 8) return; - var numEmpty = 0; - var innerEmpty = 0; - for (var i = 0; i < parts.length; i++) { - if (parts[i].length === 0) { - numEmpty++; - if (i > 0 && i + 1 < parts.length) innerEmpty++; - } else if (!parts[i].match(ipv6_hex_regex) && - // Accept an IPv6 with a valid IPv4 at the end. - ((i + 1 < parts.length) || !to_ipv4(parts[i]))) { - return; - } - } - return innerEmpty === 0 && parts.length === 8 || innerEmpty === 1 ? value : undefined; - } - - function to_double(value) { - return parseFloat(value); - } - - function to_mac(value) { - // ES doesn't have a mac datatype so it's safe to ingest whatever was captured. - return value; - } - - function to_lowercase(value) { - // to_lowercase is used against keyword fields, which can accept - // any other type (numbers, dates). - return typeof(value) === "string"? 
value.toLowerCase() : value; - } - - function fld_set(dst, value) { - dst[this.field] = { v: value }; - } - - function fld_append(dst, value) { - if (dst[this.field] === undefined) { - dst[this.field] = { v: [value] }; - } else { - var base = dst[this.field]; - if (base.v.indexOf(value)===-1) base.v.push(value); - } - } - - function fld_prio(dst, value) { - if (dst[this.field] === undefined) { - dst[this.field] = { v: value, prio: this.prio}; - } else if(this.prio < dst[this.field].prio) { - dst[this.field].v = value; - dst[this.field].prio = this.prio; - } - } - - var valid_ecs_outcome = { - 'failure': true, - 'success': true, - 'unknown': true - }; - - function fld_ecs_outcome(dst, value) { - value = value.toLowerCase(); - if (valid_ecs_outcome[value] === undefined) { - value = 'unknown'; - } - if (dst[this.field] === undefined) { - dst[this.field] = { v: value }; - } else if (dst[this.field].v === 'unknown') { - dst[this.field] = { v: value }; - } - } - - function map_all(evt, targets, value) { - for (var i = 0; i < targets.length; i++) { - evt.Put(targets[i], value); - } - } - - function populate_fields(evt) { - var base = evt.Get(FIELDS_OBJECT); - if (base === null) return; - alternate_datetime(evt); - if (map_ecs) { - do_populate(evt, base, ecs_mappings); - } - if (map_rsa) { - do_populate(evt, base, rsa_mappings); - } - if (keep_raw) { - evt.Put("rsa.raw", base); - } - evt.Delete(FIELDS_OBJECT); - } - - var datetime_alt_components = [ - {field: "day", fmts: [[dF]]}, - {field: "year", fmts: [[dW]]}, - {field: "month", fmts: [[dB],[dG]]}, - {field: "date", fmts: [[dW,dSkip,dG,dSkip,dF],[dW,dSkip,dB,dSkip,dF],[dW,dSkip,dR,dSkip,dF]]}, - {field: "hour", fmts: [[dN]]}, - {field: "min", fmts: [[dU]]}, - {field: "secs", fmts: [[dO]]}, - {field: "time", fmts: [[dN, dSkip, dU, dSkip, dO]]}, - ]; - - function alternate_datetime(evt) { - if (evt.Get(FIELDS_PREFIX + "event_time") != null) { - return; - } - var tzOffset = tz_offset; - if (tzOffset === "event") { - 
tzOffset = evt.Get("event.timezone"); - } - var container = new DateContainer(tzOffset); - for (var i=0; i} %{fld2->} %{fld3->} %{hostname->} proto=%{protocol->} service=%{network_service->} status=deny src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport->} server_app=%{fld12->} pid=%{process_id->} app_name=%{fld14->} traff_direct=%{direction->} block_count=%{dclass_counter1->} logon_user=%{username}@%{domain->} msg=%{result}", processor_chain([ - dup3, - dup4, - dup5, - dup6, - dup7, - dup2, - dup8, - ])); - - var hdr1 = match("HEADER#0:0001", "message", "%{hmonth->} %{hday->} %{htime->} %{hhostname->} proto=%{hprotocol->} service=%{messageid->} status=%{haction->} src=%{hsaddr->} dst=%{hdaddr->} src_port=%{hsport->} dst_port=%{hdport->} %{p0}", processor_chain([ - setc("header_id","0001"), - call({ - dest: "nwparser.payload", - fn: STRCAT, - args: [ - field("hmonth"), - constant(" "), - field("hday"), - constant(" "), - field("htime"), - constant(" "), - field("hhostname"), - constant(" proto="), - field("hprotocol"), - constant(" service="), - field("messageid"), - constant(" status="), - field("haction"), - constant(" src="), - field("hsaddr"), - constant(" dst="), - field("hdaddr"), - constant(" src_port="), - field("hsport"), - constant(" dst_port="), - field("hdport"), - constant(" "), - field("p0"), - ], - }), - ])); - - var hdr2 = match("HEADER#1:0003", "message", "%{hmonth->} %{hday->} %{htime->} %{hhostname->} (%{messageid->} %{hfld5->} times in last %{hfld6}) %{hfld7->} %{hfld8}::%{p0}", processor_chain([ - setc("header_id","0003"), - call({ - dest: "nwparser.payload", - fn: STRCAT, - args: [ - field("hmonth"), - constant(" "), - field("hday"), - constant(" "), - field("htime"), - constant(" "), - field("hhostname"), - constant(" ("), - field("messageid"), - constant(" "), - field("hfld5"), - constant(" times in last "), - field("hfld6"), - constant(") "), - field("hfld7"), - constant(" "), - field("hfld8"), - constant("::"), - 
field("p0"), - ], - }), - ])); - - var hdr3 = match("HEADER#2:0002", "message", "%{hmonth->} %{hday->} %{htime->} %{hhostname->} %{messageid->} %{hfld5}::%{p0}", processor_chain([ - setc("header_id","0002"), - call({ - dest: "nwparser.payload", - fn: STRCAT, - args: [ - field("hmonth"), - constant(" "), - field("hday"), - constant(" "), - field("htime"), - constant(" "), - field("hhostname"), - constant(" "), - field("messageid"), - constant(" "), - field("hfld5"), - constant("::"), - field("p0"), - ], - }), - ])); - - var select1 = linear_select([ - hdr1, - hdr2, - hdr3, - ]); - - var part1 = match("MESSAGE#0:enter", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{hostname->} enter %{info}", processor_chain([ - dup1, - dup2, - ])); - - var msg1 = msg("enter", part1); - - var part2 = match("MESSAGE#1:repeated", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{hostname->} (repeated %{fld5->} times in last %{fld6}) enter %{info}", processor_chain([ - dup1, - dup2, - ])); - - var msg2 = msg("repeated", part2); - - var msg3 = msg("ms-wbt-server", dup9); - - var msg4 = msg("http", dup9); - - var msg5 = msg("https", dup9); - - var msg6 = msg("smtp", dup9); - - var msg7 = msg("pop3", dup9); - - var chain1 = processor_chain([ - select1, - msgid_select({ - "enter": msg1, - "http": msg4, - "https": msg5, - "ms-wbt-server": msg3, - "pop3": msg7, - "repeated": msg2, - "smtp": msg6, - }), - ]); - - var part3 = match("MESSAGE#2:ms-wbt-server", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{hostname->} proto=%{protocol->} service=%{network_service->} status=deny src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport->} server_app=%{fld12->} pid=%{process_id->} app_name=%{fld14->} traff_direct=%{direction->} block_count=%{dclass_counter1->} logon_user=%{username}@%{domain->} msg=%{result}", processor_chain([ - dup3, - dup4, - dup5, - dup6, - dup7, - dup2, - dup8, - ])); - -- community_id: -- registered_domain: - ignore_missing: true - ignore_failure: 
true
- field: dns.question.name
- target_field: dns.question.registered_domain
- target_subdomain_field: dns.question.subdomain
- target_etld_field: dns.question.top_level_domain
-- registered_domain:
- ignore_missing: true
- ignore_failure: true
- field: client.domain
- target_field: client.registered_domain
- target_subdomain_field: client.subdomain
- target_etld_field: client.top_level_domain
-- registered_domain:
- ignore_missing: true
- ignore_failure: true
- field: server.domain
- target_field: server.registered_domain
- target_subdomain_field: server.subdomain
- target_etld_field: server.top_level_domain
-- registered_domain:
- ignore_missing: true
- ignore_failure: true
- field: destination.domain
- target_field: destination.registered_domain
- target_subdomain_field: destination.subdomain
- target_etld_field: destination.top_level_domain
-- registered_domain:
- ignore_missing: true
- ignore_failure: true
- field: source.domain
- target_field: source.registered_domain
- target_subdomain_field: source.subdomain
- target_etld_field: source.top_level_domain
-- registered_domain:
- ignore_missing: true
- ignore_failure: true
- field: url.domain
- target_field: url.registered_domain
- target_subdomain_field: url.subdomain
- target_etld_field: url.top_level_domain
-- add_locale: ~
diff --git a/packages/fortinet_forticlient/1.1.2/data_stream/log/agent/stream/udp.yml.hbs b/packages/fortinet_forticlient/1.1.2/data_stream/log/agent/stream/udp.yml.hbs
deleted file mode 100755
index f0f156a3a8..0000000000
--- a/packages/fortinet_forticlient/1.1.2/data_stream/log/agent/stream/udp.yml.hbs
+++ /dev/null
@@ -1,2765 +0,0 @@ -udp: -host: "{{udp_host}}:{{udp_port}}" -tags: -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#each tags as |tag i|}} - - {{tag}} -{{/each}} -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} -processors: -{{#if processors}} -{{processors}} -{{/if}} -- script: - lang: javascript - params: - ecs: true - rsa: {{rsa_fields}} - tz_offset: {{tz_offset}} - keep_raw: {{keep_raw_fields}} - debug: {{debug}} - source: | - // Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - // or more contributor license agreements. Licensed under the Elastic License; - // you may not use this file except in compliance with the Elastic License. - - /* jshint -W014,-W016,-W097,-W116 */ - - var processor = require("processor"); - var console = require("console"); - - var FLAG_FIELD = "log.flags"; - var FIELDS_OBJECT = "nwparser"; - var FIELDS_PREFIX = FIELDS_OBJECT + "."; - - var defaults = { - debug: false, - ecs: true, - rsa: false, - keep_raw: false, - tz_offset: "local", - strip_priority: true - }; - - var saved_flags = null; - var debug; - var map_ecs; - var map_rsa; - var keep_raw; - var device; - var tz_offset; - var strip_priority; - - // Register params from configuration. - function register(params) { - debug = params.debug !== undefined ? params.debug : defaults.debug; - map_ecs = params.ecs !== undefined ? params.ecs : defaults.ecs; - map_rsa = params.rsa !== undefined ? params.rsa : defaults.rsa; - keep_raw = params.keep_raw !== undefined ? params.keep_raw : defaults.keep_raw; - tz_offset = parse_tz_offset(params.tz_offset !== undefined? params.tz_offset : defaults.tz_offset); - strip_priority = params.strip_priority !== undefined? params.strip_priority : defaults.strip_priority; - device = new DeviceProcessor(); - } - - function parse_tz_offset(offset) { - var date; - var m; - switch(offset) { - // local uses the tz offset from the JS VM. 
- case "local": - date = new Date(); - // Reversing the sign as we the offset from UTC, not to UTC. - return parse_local_tz_offset(-date.getTimezoneOffset()); - // event uses the tz offset from event.timezone (add_locale processor). - case "event": - return offset; - // Otherwise a tz offset in the form "[+-][0-9]{4}" is required. - default: - m = offset.match(/^([+\-])([0-9]{2}):?([0-9]{2})?$/); - if (m === null || m.length !== 4) { - throw("bad timezone offset: '" + offset + "'. Must have the form +HH:MM"); - } - return m[1] + m[2] + ":" + (m[3]!==undefined? m[3] : "00"); - } - } - - function parse_local_tz_offset(minutes) { - var neg = minutes < 0; - minutes = Math.abs(minutes); - var min = minutes % 60; - var hours = Math.floor(minutes / 60); - var pad2digit = function(n) { - if (n < 10) { return "0" + n;} - return "" + n; - }; - return (neg? "-" : "+") + pad2digit(hours) + ":" + pad2digit(min); - } - - function process(evt) { - // Function register is only called by the processor when `params` are set - // in the processor config. - if (device === undefined) { - register(defaults); - } - return device.process(evt); - } - - function processor_chain(subprocessors) { - var builder = new processor.Chain(); - subprocessors.forEach(builder.Add); - return builder.Build().Run; - } - - function linear_select(subprocessors) { - return function (evt) { - var flags = evt.Get(FLAG_FIELD); - var i; - for (i = 0; i < subprocessors.length; i++) { - evt.Delete(FLAG_FIELD); - if (debug) console.warn("linear_select trying entry " + i); - subprocessors[i](evt); - // Dissect processor succeeded? 
- if (evt.Get(FLAG_FIELD) == null) break; - if (debug) console.warn("linear_select failed entry " + i); - } - if (flags !== null) { - evt.Put(FLAG_FIELD, flags); - } - if (debug) { - if (i < subprocessors.length) { - console.warn("linear_select matched entry " + i); - } else { - console.warn("linear_select didn't match"); - } - } - }; - } - - function conditional(opt) { - return function(evt) { - if (opt.if(evt)) { - opt.then(evt); - } else if (opt.else) { - opt.else(evt); - } - }; - } - - var strip_syslog_priority = (function() { - var isEnabled = function() { return strip_priority === true; }; - var fetchPRI = field("_pri"); - var fetchPayload = field("payload"); - var removePayload = remove(["payload"]); - var cleanup = remove(["_pri", "payload"]); - var onMatch = function(evt) { - var pri, priStr = fetchPRI(evt); - if (priStr != null - && 0 < priStr.length && priStr.length < 4 - && !isNaN((pri = Number(priStr))) - && 0 <= pri && pri < 192) { - var severity = pri & 7, - facility = pri >> 3; - setc("_severity", "" + severity)(evt); - setc("_facility", "" + facility)(evt); - // Replace message with priority stripped. - evt.Put("message", fetchPayload(evt)); - removePayload(evt); - } else { - // not a valid syslog PRI, cleanup. 
- cleanup(evt); - } - }; - return conditional({ - if: isEnabled, - then: cleanup_flags(match( - "STRIP_PRI", - "message", - "<%{_pri}>%{payload}", - onMatch - )) - }); - })(); - - function match(id, src, pattern, on_success) { - var dissect = new processor.Dissect({ - field: src, - tokenizer: pattern, - target_prefix: FIELDS_OBJECT, - ignore_failure: true, - overwrite_keys: true, - trim_values: "right" - }); - return function (evt) { - var msg = evt.Get(src); - dissect.Run(evt); - var failed = evt.Get(FLAG_FIELD) != null; - if (debug) { - if (failed) { - console.debug("dissect fail: " + id + " field:" + src); - } else { - console.debug("dissect OK: " + id + " field:" + src); - } - console.debug(" expr: <<" + pattern + ">>"); - console.debug(" input: <<" + msg + ">>"); - } - if (on_success != null && !failed) { - on_success(evt); - } - }; - } - - function match_copy(id, src, dst, on_success) { - dst = FIELDS_PREFIX + dst; - if (dst === FIELDS_PREFIX || dst === src) { - return function (evt) { - if (debug) { - console.debug("noop OK: " + id + " field:" + src); - console.debug(" input: <<" + evt.Get(src) + ">>"); - } - if (on_success != null) on_success(evt); - } - } - return function (evt) { - var msg = evt.Get(src); - evt.Put(dst, msg); - if (debug) { - console.debug("copy OK: " + id + " field:" + src); - console.debug(" target: '" + dst + "'"); - console.debug(" input: <<" + msg + ">>"); - } - if (on_success != null) on_success(evt); - } - } - - function cleanup_flags(processor) { - return function(evt) { - processor(evt); - evt.Delete(FLAG_FIELD); - }; - } - - function all_match(opts) { - return function (evt) { - var i; - for (i = 0; i < opts.processors.length; i++) { - evt.Delete(FLAG_FIELD); - opts.processors[i](evt); - // Dissect processor succeeded? 
- if (evt.Get(FLAG_FIELD) != null) {
- if (debug) console.warn("all_match failure at " + i);
- if (opts.on_failure != null) opts.on_failure(evt);
- return;
- }
- if (debug) console.warn("all_match success at " + i);
- }
- if (opts.on_success != null) opts.on_success(evt);
- };
- }
-
- function msgid_select(mapping) {
- return function (evt) {
- var msgid = evt.Get(FIELDS_PREFIX + "messageid");
- if (msgid == null) {
- if (debug) console.warn("msgid_select: no messageid captured!");
- return;
- }
- var next = mapping[msgid];
- if (next === undefined) {
- if (debug) console.warn("msgid_select: no mapping for messageid:" + msgid);
- return;
- }
- if (debug) console.info("msgid_select: matched key=" + msgid);
- return next(evt);
- };
- }
-
- function msg(msg_id, match) {
- return function (evt) {
- match(evt);
- if (evt.Get(FLAG_FIELD) == null) {
- evt.Put(FIELDS_PREFIX + "msg_id1", msg_id);
- }
- };
- }
-
- var start;
-
- function save_flags(evt) {
- saved_flags = evt.Get(FLAG_FIELD);
- evt.Put("event.original", evt.Get("message"));
- }
-
- function restore_flags(evt) {
- if (saved_flags !== null) {
- evt.Put(FLAG_FIELD, saved_flags);
- }
- evt.Delete("message");
- }
-
- function constant(value) {
- return function (evt) {
- return value;
- };
- }
-
- function field(name) {
- var fullname = FIELDS_PREFIX + name;
- return function (evt) {
- return evt.Get(fullname);
- };
- }
-
- function STRCAT(args) {
- var s = "";
- var i;
- for (i = 0; i < args.length; i++) {
- s += args[i];
- }
- return s;
- }
-
- // TODO: Implement
- function DIRCHK(args) {
- unimplemented("DIRCHK");
- }
-
- function strictToInt(str) {
- return str * 1;
- }
-
- function CALC(args) {
- if (args.length !== 3) {
- console.warn("skipped call to CALC with " + args.length + " arguments.");
- return;
- }
- var a = strictToInt(args[0]);
- var b = strictToInt(args[2]);
- if (isNaN(a) || isNaN(b)) {
- console.warn("failed evaluating CALC arguments a='" + args[0] + "' b='" + args[2] + "'.");
- return;
- }
- var result;
- switch (args[1]) {
- case "+":
- result = a + b;
- break;
- case "-":
- result = a - b;
- break;
- case "*":
- result = a * b;
- break;
- default:
- // Only * and + seen in the parsers.
- console.warn("unknown CALC operation '" + args[1] + "'.");
- return;
- }
- // Always return a string
- return result !== undefined ? "" + result : result;
- }
-
- var quoteChars = "\"'`";
- function RMQ(args) {
- if(args.length !== 1) {
- console.warn("RMQ: only one argument expected");
- return;
- }
- var value = args[0].trim();
- var n = value.length;
- var char;
- return n > 1
- && (char=value.charAt(0)) === value.charAt(n-1)
- && quoteChars.indexOf(char) !== -1?
- value.substr(1, n-2)
- : value;
- }
-
- function call(opts) {
- var args = new Array(opts.args.length);
- return function (evt) {
- for (var i = 0; i < opts.args.length; i++)
- if ((args[i] = opts.args[i](evt)) == null) return;
- var result = opts.fn(args);
- if (result != null) {
- evt.Put(opts.dest, result);
- }
- };
- }
-
- function nop(evt) {
- }
-
- function appendErrorMsg(evt, msg) {
- var value = evt.Get("error.message");
- if (value == null) {
- value = [msg];
- } else if (msg instanceof Array) {
- value.push(msg);
- } else {
- value = [value, msg];
- }
- evt.Put("error.message", value);
- }
-
- function unimplemented(name) {
- appendErrorMsg("unimplemented feature: " + name);
- }
-
- function lookup(opts) {
- return function (evt) {
- var key = opts.key(evt);
- if (key == null) return;
- var value = opts.map.keyvaluepairs[key];
- if (value === undefined) {
- value = opts.map.default;
- }
- if (value !== undefined) {
- evt.Put(opts.dest, value(evt));
- }
- };
- }
-
- function set(fields) {
- return new processor.AddFields({
- target: FIELDS_OBJECT,
- fields: fields,
- });
- }
-
- function setf(dst, src) {
- return function (evt) {
- var val = evt.Get(FIELDS_PREFIX + src);
- if (val != null) evt.Put(FIELDS_PREFIX + dst, val);
- };
- }
-
- function setc(dst, value) {
- return function (evt) {
- evt.Put(FIELDS_PREFIX + dst, value);
- };
- }
-
- function set_field(opts) {
- return function (evt) {
- var val = opts.value(evt);
- if (val != null) evt.Put(opts.dest, val);
- };
- }
-
- function dump(label) {
- return function (evt) {
- console.log("Dump of event at " + label + ": " + JSON.stringify(evt, null, "\t"));
- };
- }
-
- function date_time_join_args(evt, arglist) {
- var str = "";
- for (var i = 0; i < arglist.length; i++) {
- var fname = FIELDS_PREFIX + arglist[i];
- var val = evt.Get(fname);
- if (val != null) {
- if (str !== "") str += " ";
- str += val;
- } else {
- if (debug) console.warn("in date_time: input arg " + fname + " is not set");
- }
- }
- return str;
- }
-
- function to2Digit(num) {
- return num? (num < 10? "0" + num : num) : "00";
- }
-
- // Make two-digit dates 00-69 interpreted as 2000-2069
- // and dates 70-99 translated to 1970-1999.
- var twoDigitYearEpoch = 70;
- var twoDigitYearCentury = 2000;
-
- // This is to accept dates up to 2 days in the future, only used when
- // no year is specified in a date. 2 days should be enough to account for
- // time differences between systems and different tz offsets.
- var maxFutureDelta = 2*24*60*60*1000;
-
- // DateContainer stores date fields and then converts those fields into
- // a Date. Necessary because building a Date using its set() methods gives
- // different results depending on the order of components.
- function DateContainer(tzOffset) {
- this.offset = tzOffset === undefined? "Z" : tzOffset;
- }
-
- DateContainer.prototype = {
- setYear: function(v) {this.year = v;},
- setMonth: function(v) {this.month = v;},
- setDay: function(v) {this.day = v;},
- setHours: function(v) {this.hours = v;},
- setMinutes: function(v) {this.minutes = v;},
- setSeconds: function(v) {this.seconds = v;},
-
- setUNIX: function(v) {this.unix = v;},
-
- set2DigitYear: function(v) {
- this.year = v < twoDigitYearEpoch?
twoDigitYearCentury + v : twoDigitYearCentury + v - 100; - }, - - toDate: function() { - if (this.unix !== undefined) { - return new Date(this.unix * 1000); - } - if (this.day === undefined || this.month === undefined) { - // Can't make a date from this. - return undefined; - } - if (this.year === undefined) { - // A date without a year. Set current year, or previous year - // if date would be in the future. - var now = new Date(); - this.year = now.getFullYear(); - var date = this.toDate(); - if (date.getTime() - now.getTime() > maxFutureDelta) { - date.setFullYear(now.getFullYear() - 1); - } - return date; - } - var MM = to2Digit(this.month); - var DD = to2Digit(this.day); - var hh = to2Digit(this.hours); - var mm = to2Digit(this.minutes); - var ss = to2Digit(this.seconds); - return new Date(this.year + "-" + MM + "-" + DD + "T" + hh + ":" + mm + ":" + ss + this.offset); - } - } - - function date_time_try_pattern(fmt, str, tzOffset) { - var date = new DateContainer(tzOffset); - var pos = date_time_try_pattern_at_pos(fmt, str, 0, date); - return pos !== undefined? 
date.toDate() : undefined; - } - - function date_time_try_pattern_at_pos(fmt, str, pos, date) { - var len = str.length; - for (var proc = 0; pos !== undefined && pos < len && proc < fmt.length; proc++) { - pos = fmt[proc](str, pos, date); - } - return pos; - } - - function date_time(opts) { - return function (evt) { - var tzOffset = opts.tz || tz_offset; - if (tzOffset === "event") { - tzOffset = evt.Get("event.timezone"); - } - var str = date_time_join_args(evt, opts.args); - for (var i = 0; i < opts.fmts.length; i++) { - var date = date_time_try_pattern(opts.fmts[i], str, tzOffset); - if (date !== undefined) { - evt.Put(FIELDS_PREFIX + opts.dest, date); - return; - } - } - if (debug) console.warn("in date_time: id=" + opts.id + " FAILED: " + str); - }; - } - - var uA = 60 * 60 * 24; - var uD = 60 * 60 * 24; - var uF = 60 * 60; - var uG = 60 * 60 * 24 * 30; - var uH = 60 * 60; - var uI = 60 * 60; - var uJ = 60 * 60 * 24; - var uM = 60 * 60 * 24 * 30; - var uN = 60 * 60; - var uO = 1; - var uS = 1; - var uT = 60; - var uU = 60; - var uc = dc; - - function duration(opts) { - return function(evt) { - var str = date_time_join_args(evt, opts.args); - for (var i = 0; i < opts.fmts.length; i++) { - var seconds = duration_try_pattern(opts.fmts[i], str); - if (seconds !== undefined) { - evt.Put(FIELDS_PREFIX + opts.dest, seconds); - return; - } - } - if (debug) console.warn("in duration: id=" + opts.id + " (s) FAILED: " + str); - }; - } - - function duration_try_pattern(fmt, str) { - var secs = 0; - var pos = 0; - for (var i=0; i [ month_id , how many chars to skip if month in long form ] - "Jan": [0, 4], - "Feb": [1, 5], - "Mar": [2, 2], - "Apr": [3, 2], - "May": [4, 0], - "Jun": [5, 1], - "Jul": [6, 1], - "Aug": [7, 3], - "Sep": [8, 6], - "Oct": [9, 4], - "Nov": [10, 5], - "Dec": [11, 4], - "jan": [0, 4], - "feb": [1, 5], - "mar": [2, 2], - "apr": [3, 2], - "may": [4, 0], - "jun": [5, 1], - "jul": [6, 1], - "aug": [7, 3], - "sep": [8, 6], - "oct": [9, 4], - "nov": [10, 
5], - "dec": [11, 4], - }; - - // var dC = undefined; - var dR = dateMonthName(true); - var dB = dateMonthName(false); - var dM = dateFixedWidthNumber("M", 2, 1, 12, DateContainer.prototype.setMonth); - var dG = dateVariableWidthNumber("G", 1, 12, DateContainer.prototype.setMonth); - var dD = dateFixedWidthNumber("D", 2, 1, 31, DateContainer.prototype.setDay); - var dF = dateVariableWidthNumber("F", 1, 31, DateContainer.prototype.setDay); - var dH = dateFixedWidthNumber("H", 2, 0, 24, DateContainer.prototype.setHours); - var dI = dateVariableWidthNumber("I", 0, 24, DateContainer.prototype.setHours); // Accept hours >12 - var dN = dateVariableWidthNumber("N", 0, 24, DateContainer.prototype.setHours); - var dT = dateFixedWidthNumber("T", 2, 0, 59, DateContainer.prototype.setMinutes); - var dU = dateVariableWidthNumber("U", 0, 59, DateContainer.prototype.setMinutes); - var dP = parseAMPM; // AM|PM - var dQ = parseAMPM; // A.M.|P.M - var dS = dateFixedWidthNumber("S", 2, 0, 60, DateContainer.prototype.setSeconds); - var dO = dateVariableWidthNumber("O", 0, 60, DateContainer.prototype.setSeconds); - var dY = dateFixedWidthNumber("Y", 2, 0, 99, DateContainer.prototype.set2DigitYear); - var dW = dateFixedWidthNumber("W", 4, 1000, 9999, DateContainer.prototype.setYear); - var dZ = parseHMS; - var dX = dateVariableWidthNumber("X", 0, 0x10000000000, DateContainer.prototype.setUNIX); - - // parseAMPM parses "A.M", "AM", "P.M", "PM" from logs. - // Only works if this modifier appears after the hour has been read from logs - // which is always the case in the 300 devices. 
- function parseAMPM(str, pos, date) { - var n = str.length; - var start = skipws(str, pos); - if (start + 2 > n) return; - var head = str.substr(start, 2).toUpperCase(); - var isPM = false; - var skip = false; - switch (head) { - case "A.": - skip = true; - /* falls through */ - case "AM": - break; - case "P.": - skip = true; - /* falls through */ - case "PM": - isPM = true; - break; - default: - if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(head:" + head + ")"); - return; - } - pos = start + 2; - if (skip) { - if (pos+2 > n || str.substr(pos, 2).toUpperCase() !== "M.") { - if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(tail)"); - return; - } - pos += 2; - } - var hh = date.hours; - if (isPM) { - // Accept existing hour in 24h format. - if (hh < 12) hh += 12; - } else { - if (hh === 12) hh = 0; - } - date.setHours(hh); - return pos; - } - - function parseHMS(str, pos, date) { - return date_time_try_pattern_at_pos([dN, dc(":"), dU, dc(":"), dO], str, pos, date); - } - - function skipws(str, pos) { - for ( var n = str.length; - pos < n && str.charAt(pos) === " "; - pos++) - ; - return pos; - } - - function skipdigits(str, pos) { - var c; - for (var n = str.length; - pos < n && (c = str.charAt(pos)) >= "0" && c <= "9"; - pos++) - ; - return pos; - } - - function dSkip(str, pos, date) { - var chr; - for (;pos < str.length && (chr=str[pos])<'0' || chr>'9'; pos++) {} - return pos < str.length? 
pos : undefined; - } - - function dateVariableWidthNumber(fmtChar, min, max, setter) { - return function (str, pos, date) { - var start = skipws(str, pos); - pos = skipdigits(str, start); - var s = str.substr(start, pos - start); - var value = parseInt(s, 10); - if (value >= min && value <= max) { - setter.call(date, value); - return pos; - } - return; - }; - } - - function dateFixedWidthNumber(fmtChar, width, min, max, setter) { - return function (str, pos, date) { - pos = skipws(str, pos); - var n = str.length; - if (pos + width > n) return; - var s = str.substr(pos, width); - var value = parseInt(s, 10); - if (value >= min && value <= max) { - setter.call(date, value); - return pos + width; - } - return; - }; - } - - // Short month name (Jan..Dec). - function dateMonthName(long) { - return function (str, pos, date) { - pos = skipws(str, pos); - var n = str.length; - if (pos + 3 > n) return; - var mon = str.substr(pos, 3); - var idx = shortMonths[mon]; - if (idx === undefined) { - idx = shortMonths[mon.toLowerCase()]; - } - if (idx === undefined) { - //console.warn("parsing date_time: '" + mon + "' is not a valid short month (%B)"); - return; - } - date.setMonth(idx[0]+1); - return pos + 3 + (long ? 
idx[1] : 0); - }; - } - - function url_wrapper(dst, src, fn) { - return function(evt) { - var value = evt.Get(FIELDS_PREFIX + src), result; - if (value != null && (result = fn(value))!== undefined) { - evt.Put(FIELDS_PREFIX + dst, result); - } else { - console.debug(fn.name + " failed for '" + value + "'"); - } - }; - } - - // The following regular expression for parsing URLs from: - // https://github.com/wizard04wsu/URI_Parsing - // - // The MIT License (MIT) - // - // Copyright (c) 2014 Andrew Harrison - // - // Permission is hereby granted, free of charge, to any person obtaining a copy of - // this software and associated documentation files (the "Software"), to deal in - // the Software without restriction, including without limitation the rights to - // use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of - // the Software, and to permit persons to whom the Software is furnished to do so, - // subject to the following conditions: - // - // The above copyright notice and this permission notice shall be included in all - // copies or substantial portions of the Software. - // - // THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR - // IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS - // FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR - // COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER - // IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN - // CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 
- var uriRegExp = /^([a-z][a-z0-9+.\-]*):(?:\/\/((?:(?=((?:[a-z0-9\-._~!$&'()*+,;=:]|%[0-9A-F]{2})*))(\3)@)?(?=(\[[0-9A-F:.]{2,}\]|(?:[a-z0-9\-._~!$&'()*+,;=]|%[0-9A-F]{2})*))\5(?::(?=(\d*))\6)?)(\/(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\8)?|(\/?(?!\/)(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\10)?)(?:\?(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\11)?(?:#(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\12)?$/i; - - var uriScheme = 1; - var uriDomain = 5; - var uriPort = 6; - var uriPath = 7; - var uriPathAlt = 9; - var uriQuery = 11; - - function domain(dst, src) { - return url_wrapper(dst, src, extract_domain); - } - - function split_url(value) { - var m = value.match(uriRegExp); - if (m && m[uriDomain]) return m; - // Support input in the form "www.example.net/path", but not "/path". - m = ("null://" + value).match(uriRegExp); - if (m) return m; - } - - function extract_domain(value) { - var m = split_url(value); - if (m && m[uriDomain]) return m[uriDomain]; - } - - var extFromPage = /\.[^.]+$/; - function extract_ext(value) { - var page = extract_page(value); - if (page) { - var m = page.match(extFromPage); - if (m) return m[0]; - } - } - - function ext(dst, src) { - return url_wrapper(dst, src, extract_ext); - } - - function fqdn(dst, src) { - // TODO: fqdn and domain(eTLD+1) are currently the same. - return domain(dst, src); - } - - var pageFromPathRegExp = /\/([^\/]+)$/; - var pageName = 1; - - function extract_page(value) { - value = extract_path(value); - if (!value) return undefined; - var m = value.match(pageFromPathRegExp); - if (m) return m[pageName]; - } - - function page(dst, src) { - return url_wrapper(dst, src, extract_page); - } - - function extract_path(value) { - var m = split_url(value); - return m? m[uriPath] || m[uriPathAlt] : undefined; - } - - function path(dst, src) { - return url_wrapper(dst, src, extract_path); - } - - // Map common schemes to their default port. 
- // port has to be a string (will be converted at a later stage). - var schemePort = { - "ftp": "21", - "ssh": "22", - "http": "80", - "https": "443", - }; - - function extract_port(value) { - var m = split_url(value); - if (!m) return undefined; - if (m[uriPort]) return m[uriPort]; - if (m[uriScheme]) { - return schemePort[m[uriScheme]]; - } - } - - function port(dst, src) { - return url_wrapper(dst, src, extract_port); - } - - function extract_query(value) { - var m = split_url(value); - if (m && m[uriQuery]) return m[uriQuery]; - } - - function query(dst, src) { - return url_wrapper(dst, src, extract_query); - } - - function extract_root(value) { - var m = split_url(value); - if (m && m[uriDomain] && m[uriDomain]) { - var scheme = m[uriScheme] && m[uriScheme] !== "null"? - m[uriScheme] + "://" : ""; - var port = m[uriPort]? ":" + m[uriPort] : ""; - return scheme + m[uriDomain] + port; - } - } - - function root(dst, src) { - return url_wrapper(dst, src, extract_root); - } - - function tagval(id, src, cfg, keys, on_success) { - var fail = function(evt) { - evt.Put(FLAG_FIELD, "tagval_parsing_error"); - } - if (cfg.kv_separator.length !== 1) { - throw("Invalid TAGVALMAP ValueDelimiter (must have 1 character)"); - } - var quotes_len = cfg.open_quote.length > 0 && cfg.close_quote.length > 0? 
- cfg.open_quote.length + cfg.close_quote.length : 0; - var kv_regex = new RegExp('^([^' + cfg.kv_separator + ']*)*' + cfg.kv_separator + ' *(.*)*$'); - return function(evt) { - var msg = evt.Get(src); - if (msg === undefined) { - console.warn("tagval: input field is missing"); - return fail(evt); - } - var pairs = msg.split(cfg.pair_separator); - var i; - var success = false; - var prev = ""; - for (i=0; i 0 && - value.length >= cfg.open_quote.length + cfg.close_quote.length && - value.substr(0, cfg.open_quote.length) === cfg.open_quote && - value.substr(value.length - cfg.close_quote.length) === cfg.close_quote) { - value = value.substr(cfg.open_quote.length, value.length - quotes_len); - } - evt.Put(FIELDS_PREFIX + field, value); - success = true; - } - if (!success) { - return fail(evt); - } - if (on_success != null) { - on_success(evt); - } - } - } - - var ecs_mappings = { - "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]}, - "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]}, - "_severity": {convert: to_long, to:[{field: "log.syslog.severity.code", setter: fld_set}]}, - "action": {to:[{field: "event.action", setter: fld_prio, prio: 0}]}, - "administrator": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 4}]}, - "alias.ip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 3},{field: "related.ip", setter: fld_append}]}, - "alias.ipv6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 4},{field: "related.ip", setter: fld_append}]}, - "alias.mac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 1}]}, - "application": {to:[{field: "network.application", setter: fld_set}]}, - "bytes": {convert: to_long, to:[{field: "network.bytes", setter: fld_set}]}, - "c_domain": {to:[{field: "source.domain", setter: fld_prio, prio: 1}]}, - "c_logon_id": {to:[{field: "user.id", setter: fld_prio, prio: 2}]}, - 
"c_user_name": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 8}]}, - "c_username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 2}]}, - "cctld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 1}]}, - "child_pid": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 1}]}, - "child_pid_val": {to:[{field: "process.title", setter: fld_set}]}, - "child_process": {to:[{field: "process.name", setter: fld_prio, prio: 1}]}, - "city.dst": {to:[{field: "destination.geo.city_name", setter: fld_set}]}, - "city.src": {to:[{field: "source.geo.city_name", setter: fld_set}]}, - "daddr": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, - "daddr_v6": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, - "ddomain": {to:[{field: "destination.domain", setter: fld_prio, prio: 0}]}, - "devicehostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, - "devicehostmac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 0}]}, - "dhost": {to:[{field: "destination.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]}, - "dinterface": {to:[{field: "observer.egress.interface.name", setter: fld_set}]}, - "direction": {to:[{field: "network.direction", setter: fld_set}]}, - "directory": {to:[{field: "file.directory", setter: fld_set}]}, - "dmacaddr": {convert: to_mac, to:[{field: "destination.mac", setter: fld_set}]}, - "dns.responsetype": {to:[{field: "dns.answers.type", setter: fld_set}]}, - "dns.resptext": {to:[{field: "dns.answers.name", setter: fld_set}]}, - "dns_querytype": {to:[{field: "dns.question.type", setter: fld_set}]}, - "domain": {to:[{field: "server.domain", setter: fld_prio, prio: 0},{field: "related.hosts", setter: fld_append}]}, - 
"domain.dst": {to:[{field: "destination.domain", setter: fld_prio, prio: 1}]}, - "domain.src": {to:[{field: "source.domain", setter: fld_prio, prio: 2}]}, - "domain_id": {to:[{field: "user.domain", setter: fld_set}]}, - "domainname": {to:[{field: "server.domain", setter: fld_prio, prio: 1}]}, - "dport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 0}]}, - "dtransaddr": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, - "dtransport": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 0}]}, - "ec_outcome": {to:[{field: "event.outcome", setter: fld_ecs_outcome}]}, - "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]}, - "event_source": {to:[{field: "related.hosts", setter: fld_append}]}, - "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]}, - "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]}, - "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]}, - "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]}, - "filename": {to:[{field: "file.name", setter: fld_prio, prio: 0}]}, - "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]}, - "filepath": {to:[{field: "file.path", setter: fld_set}]}, - "filetype": {to:[{field: "file.type", setter: fld_set}]}, - "fqdn": {to:[{field: "related.hosts", setter: fld_append}]}, - "group": {to:[{field: "group.name", setter: fld_set}]}, - "groupid": {to:[{field: "group.id", setter: fld_set}]}, - "host": {to:[{field: "host.name", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]}, - "hostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, - "hostip_v6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, - "hostname": {to:[{field: 
"host.name", setter: fld_prio, prio: 0}]}, - "id": {to:[{field: "event.code", setter: fld_prio, prio: 0}]}, - "interface": {to:[{field: "network.interface.name", setter: fld_set}]}, - "ip.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, - "ip.trans.dst": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, - "ip.trans.src": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, - "ipv6.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, - "latdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lat", setter: fld_set}]}, - "latdec_src": {convert: to_double, to:[{field: "source.geo.location.lat", setter: fld_set}]}, - "location_city": {to:[{field: "geo.city_name", setter: fld_set}]}, - "location_country": {to:[{field: "geo.country_name", setter: fld_set}]}, - "location_desc": {to:[{field: "geo.name", setter: fld_set}]}, - "location_dst": {to:[{field: "destination.geo.country_name", setter: fld_set}]}, - "location_src": {to:[{field: "source.geo.country_name", setter: fld_set}]}, - "location_state": {to:[{field: "geo.region_name", setter: fld_set}]}, - "logon_id": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 5}]}, - "longdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lon", setter: fld_set}]}, - "longdec_src": {convert: to_double, to:[{field: "source.geo.location.lon", setter: fld_set}]}, - "macaddr": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 2}]}, - "messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]}, - "method": {to:[{field: "http.request.method", setter: fld_set}]}, - "msg": {to:[{field: "message", setter: fld_set}]}, - "orig_ip": {convert: to_ip, 
to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, - "owner": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 6}]}, - "packets": {convert: to_long, to:[{field: "network.packets", setter: fld_set}]}, - "parent_pid": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 0}]}, - "parent_pid_val": {to:[{field: "process.parent.title", setter: fld_set}]}, - "parent_process": {to:[{field: "process.parent.name", setter: fld_prio, prio: 0}]}, - "patient_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 1}]}, - "port.dst": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 1}]}, - "port.src": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 1}]}, - "port.trans.dst": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 1}]}, - "port.trans.src": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 1}]}, - "process": {to:[{field: "process.name", setter: fld_prio, prio: 0}]}, - "process_id": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 0}]}, - "process_id_src": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 1}]}, - "process_src": {to:[{field: "process.parent.name", setter: fld_prio, prio: 1}]}, - "product": {to:[{field: "observer.product", setter: fld_set}]}, - "protocol": {to:[{field: "network.protocol", setter: fld_set}]}, - "query": {to:[{field: "url.query", setter: fld_prio, prio: 2}]}, - "rbytes": {convert: to_long, to:[{field: "destination.bytes", setter: fld_set}]}, - "referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 1}]}, - "rulename": {to:[{field: "rule.name", setter: fld_set}]}, - "saddr": {convert: to_ip, to:[{field: "source.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, - "saddr_v6": {convert: to_ip, to:[{field: "source.ip", setter: 
fld_set},{field: "related.ip", setter: fld_append}]}, - "sbytes": {convert: to_long, to:[{field: "source.bytes", setter: fld_set}]}, - "sdomain": {to:[{field: "source.domain", setter: fld_prio, prio: 0}]}, - "service": {to:[{field: "service.name", setter: fld_prio, prio: 1}]}, - "service.name": {to:[{field: "service.name", setter: fld_prio, prio: 0}]}, - "service_account": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 7}]}, - "severity": {to:[{field: "log.level", setter: fld_set}]}, - "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]}, - "sinterface": {to:[{field: "observer.ingress.interface.name", setter: fld_set}]}, - "sld": {to:[{field: "url.registered_domain", setter: fld_set}]}, - "smacaddr": {convert: to_mac, to:[{field: "source.mac", setter: fld_set}]}, - "sport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 0}]}, - "stransaddr": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, - "stransport": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 0}]}, - "tcp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 2}]}, - "tcp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 2}]}, - "timezone": {to:[{field: "event.timezone", setter: fld_set}]}, - "tld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 0}]}, - "udp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 3}]}, - "udp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 3}]}, - "uid": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 3}]}, - "url": {to:[{field: "url.original", setter: fld_prio, prio: 1}]}, - "url_raw": {to:[{field: "url.original", setter: fld_prio, prio: 
0}]}, - "urldomain": {to:[{field: "url.domain", setter: fld_prio, prio: 0}]}, - "urlquery": {to:[{field: "url.query", setter: fld_prio, prio: 0}]}, - "user": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 0}]}, - "user.id": {to:[{field: "user.id", setter: fld_prio, prio: 1}]}, - "user_agent": {to:[{field: "user_agent.original", setter: fld_set}]}, - "user_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 0}]}, - "user_id": {to:[{field: "user.id", setter: fld_prio, prio: 0}]}, - "username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 1}]}, - "version": {to:[{field: "observer.version", setter: fld_set}]}, - "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]}, - "web_extension": {to:[{field: "file.extension", setter: fld_prio, prio: 0}]}, - "web_query": {to:[{field: "url.query", setter: fld_prio, prio: 1}]}, - "web_ref_domain": {to:[{field: "related.hosts", setter: fld_append}]}, - "web_referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 0}]}, - "web_root": {to:[{field: "url.path", setter: fld_set}]}, - "webpage": {to:[{field: "file.name", setter: fld_prio, prio: 1}]}, - }; - - var rsa_mappings = { - "access_point": {to:[{field: "rsa.wireless.access_point", setter: fld_set}]}, - "accesses": {to:[{field: "rsa.identity.accesses", setter: fld_set}]}, - "acl_id": {to:[{field: "rsa.misc.acl_id", setter: fld_set}]}, - "acl_op": {to:[{field: "rsa.misc.acl_op", setter: fld_set}]}, - "acl_pos": {to:[{field: "rsa.misc.acl_pos", setter: fld_set}]}, - "acl_table": {to:[{field: "rsa.misc.acl_table", setter: fld_set}]}, - "action": {to:[{field: "rsa.misc.action", setter: fld_append}]}, - "ad_computer_dst": {to:[{field: "rsa.network.ad_computer_dst", setter: fld_set}]}, - "addr": {to:[{field: "rsa.network.addr", setter: fld_set}]}, - "admin": {to:[{field: "rsa.misc.admin", setter: 
fld_set}]}, - "agent": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 0}]}, - "agent.id": {to:[{field: "rsa.misc.agent_id", setter: fld_set}]}, - "alarm_id": {to:[{field: "rsa.misc.alarm_id", setter: fld_set}]}, - "alarmname": {to:[{field: "rsa.misc.alarmname", setter: fld_set}]}, - "alert": {to:[{field: "rsa.threat.alert", setter: fld_set}]}, - "alert_id": {to:[{field: "rsa.misc.alert_id", setter: fld_set}]}, - "alias.host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "analysis.file": {to:[{field: "rsa.investigations.analysis_file", setter: fld_set}]}, - "analysis.service": {to:[{field: "rsa.investigations.analysis_service", setter: fld_set}]}, - "analysis.session": {to:[{field: "rsa.investigations.analysis_session", setter: fld_set}]}, - "app_id": {to:[{field: "rsa.misc.app_id", setter: fld_set}]}, - "attachment": {to:[{field: "rsa.file.attachment", setter: fld_set}]}, - "audit": {to:[{field: "rsa.misc.audit", setter: fld_set}]}, - "audit_class": {to:[{field: "rsa.internal.audit_class", setter: fld_set}]}, - "audit_object": {to:[{field: "rsa.misc.audit_object", setter: fld_set}]}, - "auditdata": {to:[{field: "rsa.misc.auditdata", setter: fld_set}]}, - "authmethod": {to:[{field: "rsa.identity.auth_method", setter: fld_set}]}, - "autorun_type": {to:[{field: "rsa.misc.autorun_type", setter: fld_set}]}, - "bcc": {to:[{field: "rsa.email.email", setter: fld_append}]}, - "benchmark": {to:[{field: "rsa.misc.benchmark", setter: fld_set}]}, - "binary": {to:[{field: "rsa.file.binary", setter: fld_set}]}, - "boc": {to:[{field: "rsa.investigations.boc", setter: fld_set}]}, - "bssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 1}]}, - "bypass": {to:[{field: "rsa.misc.bypass", setter: fld_set}]}, - "c_sid": {to:[{field: "rsa.identity.user_sid_src", setter: fld_set}]}, - "cache": {to:[{field: "rsa.misc.cache", setter: fld_set}]}, - "cache_hit": {to:[{field: "rsa.misc.cache_hit", setter: fld_set}]}, - "calling_from": {to:[{field: 
"rsa.misc.phone", setter: fld_prio, prio: 1}]}, - "calling_to": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 0}]}, - "category": {to:[{field: "rsa.misc.category", setter: fld_set}]}, - "cc": {to:[{field: "rsa.email.email", setter: fld_append}]}, - "cc.number": {convert: to_long, to:[{field: "rsa.misc.cc_number", setter: fld_set}]}, - "cefversion": {to:[{field: "rsa.misc.cefversion", setter: fld_set}]}, - "cert.serial": {to:[{field: "rsa.crypto.cert_serial", setter: fld_set}]}, - "cert_ca": {to:[{field: "rsa.crypto.cert_ca", setter: fld_set}]}, - "cert_checksum": {to:[{field: "rsa.crypto.cert_checksum", setter: fld_set}]}, - "cert_common": {to:[{field: "rsa.crypto.cert_common", setter: fld_set}]}, - "cert_error": {to:[{field: "rsa.crypto.cert_error", setter: fld_set}]}, - "cert_hostname": {to:[{field: "rsa.crypto.cert_host_name", setter: fld_set}]}, - "cert_hostname_cat": {to:[{field: "rsa.crypto.cert_host_cat", setter: fld_set}]}, - "cert_issuer": {to:[{field: "rsa.crypto.cert_issuer", setter: fld_set}]}, - "cert_keysize": {to:[{field: "rsa.crypto.cert_keysize", setter: fld_set}]}, - "cert_status": {to:[{field: "rsa.crypto.cert_status", setter: fld_set}]}, - "cert_subject": {to:[{field: "rsa.crypto.cert_subject", setter: fld_set}]}, - "cert_username": {to:[{field: "rsa.crypto.cert_username", setter: fld_set}]}, - "cfg.attr": {to:[{field: "rsa.misc.cfg_attr", setter: fld_set}]}, - "cfg.obj": {to:[{field: "rsa.misc.cfg_obj", setter: fld_set}]}, - "cfg.path": {to:[{field: "rsa.misc.cfg_path", setter: fld_set}]}, - "change_attribute": {to:[{field: "rsa.misc.change_attrib", setter: fld_set}]}, - "change_new": {to:[{field: "rsa.misc.change_new", setter: fld_set}]}, - "change_old": {to:[{field: "rsa.misc.change_old", setter: fld_set}]}, - "changes": {to:[{field: "rsa.misc.changes", setter: fld_set}]}, - "checksum": {to:[{field: "rsa.misc.checksum", setter: fld_set}]}, - "checksum.dst": {to:[{field: "rsa.misc.checksum_dst", setter: fld_set}]}, - "checksum.src": 
{to:[{field: "rsa.misc.checksum_src", setter: fld_set}]}, - "cid": {to:[{field: "rsa.internal.cid", setter: fld_set}]}, - "client": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 1}]}, - "client_ip": {to:[{field: "rsa.misc.client_ip", setter: fld_set}]}, - "clustermembers": {to:[{field: "rsa.misc.clustermembers", setter: fld_set}]}, - "cmd": {to:[{field: "rsa.misc.cmd", setter: fld_set}]}, - "cn_acttimeout": {to:[{field: "rsa.misc.cn_acttimeout", setter: fld_set}]}, - "cn_asn_dst": {to:[{field: "rsa.web.cn_asn_dst", setter: fld_set}]}, - "cn_asn_src": {to:[{field: "rsa.misc.cn_asn_src", setter: fld_set}]}, - "cn_bgpv4nxthop": {to:[{field: "rsa.misc.cn_bgpv4nxthop", setter: fld_set}]}, - "cn_ctr_dst_code": {to:[{field: "rsa.misc.cn_ctr_dst_code", setter: fld_set}]}, - "cn_dst_tos": {to:[{field: "rsa.misc.cn_dst_tos", setter: fld_set}]}, - "cn_dst_vlan": {to:[{field: "rsa.misc.cn_dst_vlan", setter: fld_set}]}, - "cn_engine_id": {to:[{field: "rsa.misc.cn_engine_id", setter: fld_set}]}, - "cn_engine_type": {to:[{field: "rsa.misc.cn_engine_type", setter: fld_set}]}, - "cn_f_switch": {to:[{field: "rsa.misc.cn_f_switch", setter: fld_set}]}, - "cn_flowsampid": {to:[{field: "rsa.misc.cn_flowsampid", setter: fld_set}]}, - "cn_flowsampintv": {to:[{field: "rsa.misc.cn_flowsampintv", setter: fld_set}]}, - "cn_flowsampmode": {to:[{field: "rsa.misc.cn_flowsampmode", setter: fld_set}]}, - "cn_inacttimeout": {to:[{field: "rsa.misc.cn_inacttimeout", setter: fld_set}]}, - "cn_inpermbyts": {to:[{field: "rsa.misc.cn_inpermbyts", setter: fld_set}]}, - "cn_inpermpckts": {to:[{field: "rsa.misc.cn_inpermpckts", setter: fld_set}]}, - "cn_invalid": {to:[{field: "rsa.misc.cn_invalid", setter: fld_set}]}, - "cn_ip_proto_ver": {to:[{field: "rsa.misc.cn_ip_proto_ver", setter: fld_set}]}, - "cn_ipv4_ident": {to:[{field: "rsa.misc.cn_ipv4_ident", setter: fld_set}]}, - "cn_l_switch": {to:[{field: "rsa.misc.cn_l_switch", setter: fld_set}]}, - "cn_log_did": {to:[{field: 
"rsa.misc.cn_log_did", setter: fld_set}]}, - "cn_log_rid": {to:[{field: "rsa.misc.cn_log_rid", setter: fld_set}]}, - "cn_max_ttl": {to:[{field: "rsa.misc.cn_max_ttl", setter: fld_set}]}, - "cn_maxpcktlen": {to:[{field: "rsa.misc.cn_maxpcktlen", setter: fld_set}]}, - "cn_min_ttl": {to:[{field: "rsa.misc.cn_min_ttl", setter: fld_set}]}, - "cn_minpcktlen": {to:[{field: "rsa.misc.cn_minpcktlen", setter: fld_set}]}, - "cn_mpls_lbl_1": {to:[{field: "rsa.misc.cn_mpls_lbl_1", setter: fld_set}]}, - "cn_mpls_lbl_10": {to:[{field: "rsa.misc.cn_mpls_lbl_10", setter: fld_set}]}, - "cn_mpls_lbl_2": {to:[{field: "rsa.misc.cn_mpls_lbl_2", setter: fld_set}]}, - "cn_mpls_lbl_3": {to:[{field: "rsa.misc.cn_mpls_lbl_3", setter: fld_set}]}, - "cn_mpls_lbl_4": {to:[{field: "rsa.misc.cn_mpls_lbl_4", setter: fld_set}]}, - "cn_mpls_lbl_5": {to:[{field: "rsa.misc.cn_mpls_lbl_5", setter: fld_set}]}, - "cn_mpls_lbl_6": {to:[{field: "rsa.misc.cn_mpls_lbl_6", setter: fld_set}]}, - "cn_mpls_lbl_7": {to:[{field: "rsa.misc.cn_mpls_lbl_7", setter: fld_set}]}, - "cn_mpls_lbl_8": {to:[{field: "rsa.misc.cn_mpls_lbl_8", setter: fld_set}]}, - "cn_mpls_lbl_9": {to:[{field: "rsa.misc.cn_mpls_lbl_9", setter: fld_set}]}, - "cn_mplstoplabel": {to:[{field: "rsa.misc.cn_mplstoplabel", setter: fld_set}]}, - "cn_mplstoplabip": {to:[{field: "rsa.misc.cn_mplstoplabip", setter: fld_set}]}, - "cn_mul_dst_byt": {to:[{field: "rsa.misc.cn_mul_dst_byt", setter: fld_set}]}, - "cn_mul_dst_pks": {to:[{field: "rsa.misc.cn_mul_dst_pks", setter: fld_set}]}, - "cn_muligmptype": {to:[{field: "rsa.misc.cn_muligmptype", setter: fld_set}]}, - "cn_rpackets": {to:[{field: "rsa.web.cn_rpackets", setter: fld_set}]}, - "cn_sampalgo": {to:[{field: "rsa.misc.cn_sampalgo", setter: fld_set}]}, - "cn_sampint": {to:[{field: "rsa.misc.cn_sampint", setter: fld_set}]}, - "cn_seqctr": {to:[{field: "rsa.misc.cn_seqctr", setter: fld_set}]}, - "cn_spackets": {to:[{field: "rsa.misc.cn_spackets", setter: fld_set}]}, - "cn_src_tos": {to:[{field: 
"rsa.misc.cn_src_tos", setter: fld_set}]}, - "cn_src_vlan": {to:[{field: "rsa.misc.cn_src_vlan", setter: fld_set}]}, - "cn_sysuptime": {to:[{field: "rsa.misc.cn_sysuptime", setter: fld_set}]}, - "cn_template_id": {to:[{field: "rsa.misc.cn_template_id", setter: fld_set}]}, - "cn_totbytsexp": {to:[{field: "rsa.misc.cn_totbytsexp", setter: fld_set}]}, - "cn_totflowexp": {to:[{field: "rsa.misc.cn_totflowexp", setter: fld_set}]}, - "cn_totpcktsexp": {to:[{field: "rsa.misc.cn_totpcktsexp", setter: fld_set}]}, - "cn_unixnanosecs": {to:[{field: "rsa.misc.cn_unixnanosecs", setter: fld_set}]}, - "cn_v6flowlabel": {to:[{field: "rsa.misc.cn_v6flowlabel", setter: fld_set}]}, - "cn_v6optheaders": {to:[{field: "rsa.misc.cn_v6optheaders", setter: fld_set}]}, - "code": {to:[{field: "rsa.misc.code", setter: fld_set}]}, - "command": {to:[{field: "rsa.misc.command", setter: fld_set}]}, - "comments": {to:[{field: "rsa.misc.comments", setter: fld_set}]}, - "comp_class": {to:[{field: "rsa.misc.comp_class", setter: fld_set}]}, - "comp_name": {to:[{field: "rsa.misc.comp_name", setter: fld_set}]}, - "comp_rbytes": {to:[{field: "rsa.misc.comp_rbytes", setter: fld_set}]}, - "comp_sbytes": {to:[{field: "rsa.misc.comp_sbytes", setter: fld_set}]}, - "component_version": {to:[{field: "rsa.misc.comp_version", setter: fld_set}]}, - "connection_id": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 1}]}, - "connectionid": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 0}]}, - "content": {to:[{field: "rsa.misc.content", setter: fld_set}]}, - "content_type": {to:[{field: "rsa.misc.content_type", setter: fld_set}]}, - "content_version": {to:[{field: "rsa.misc.content_version", setter: fld_set}]}, - "context": {to:[{field: "rsa.misc.context", setter: fld_set}]}, - "count": {to:[{field: "rsa.misc.count", setter: fld_set}]}, - "cpu": {convert: to_long, to:[{field: "rsa.misc.cpu", setter: fld_set}]}, - "cpu_data": {to:[{field: "rsa.misc.cpu_data", setter: fld_set}]}, - 
"criticality": {to:[{field: "rsa.misc.criticality", setter: fld_set}]}, - "cs_agency_dst": {to:[{field: "rsa.misc.cs_agency_dst", setter: fld_set}]}, - "cs_analyzedby": {to:[{field: "rsa.misc.cs_analyzedby", setter: fld_set}]}, - "cs_av_other": {to:[{field: "rsa.misc.cs_av_other", setter: fld_set}]}, - "cs_av_primary": {to:[{field: "rsa.misc.cs_av_primary", setter: fld_set}]}, - "cs_av_secondary": {to:[{field: "rsa.misc.cs_av_secondary", setter: fld_set}]}, - "cs_bgpv6nxthop": {to:[{field: "rsa.misc.cs_bgpv6nxthop", setter: fld_set}]}, - "cs_bit9status": {to:[{field: "rsa.misc.cs_bit9status", setter: fld_set}]}, - "cs_context": {to:[{field: "rsa.misc.cs_context", setter: fld_set}]}, - "cs_control": {to:[{field: "rsa.misc.cs_control", setter: fld_set}]}, - "cs_data": {to:[{field: "rsa.misc.cs_data", setter: fld_set}]}, - "cs_datecret": {to:[{field: "rsa.misc.cs_datecret", setter: fld_set}]}, - "cs_dst_tld": {to:[{field: "rsa.misc.cs_dst_tld", setter: fld_set}]}, - "cs_eth_dst_ven": {to:[{field: "rsa.misc.cs_eth_dst_ven", setter: fld_set}]}, - "cs_eth_src_ven": {to:[{field: "rsa.misc.cs_eth_src_ven", setter: fld_set}]}, - "cs_event_uuid": {to:[{field: "rsa.misc.cs_event_uuid", setter: fld_set}]}, - "cs_filetype": {to:[{field: "rsa.misc.cs_filetype", setter: fld_set}]}, - "cs_fld": {to:[{field: "rsa.misc.cs_fld", setter: fld_set}]}, - "cs_if_desc": {to:[{field: "rsa.misc.cs_if_desc", setter: fld_set}]}, - "cs_if_name": {to:[{field: "rsa.misc.cs_if_name", setter: fld_set}]}, - "cs_ip_next_hop": {to:[{field: "rsa.misc.cs_ip_next_hop", setter: fld_set}]}, - "cs_ipv4dstpre": {to:[{field: "rsa.misc.cs_ipv4dstpre", setter: fld_set}]}, - "cs_ipv4srcpre": {to:[{field: "rsa.misc.cs_ipv4srcpre", setter: fld_set}]}, - "cs_lifetime": {to:[{field: "rsa.misc.cs_lifetime", setter: fld_set}]}, - "cs_log_medium": {to:[{field: "rsa.misc.cs_log_medium", setter: fld_set}]}, - "cs_loginname": {to:[{field: "rsa.misc.cs_loginname", setter: fld_set}]}, - "cs_modulescore": {to:[{field: 
"rsa.misc.cs_modulescore", setter: fld_set}]}, - "cs_modulesign": {to:[{field: "rsa.misc.cs_modulesign", setter: fld_set}]}, - "cs_opswatresult": {to:[{field: "rsa.misc.cs_opswatresult", setter: fld_set}]}, - "cs_payload": {to:[{field: "rsa.misc.cs_payload", setter: fld_set}]}, - "cs_registrant": {to:[{field: "rsa.misc.cs_registrant", setter: fld_set}]}, - "cs_registrar": {to:[{field: "rsa.misc.cs_registrar", setter: fld_set}]}, - "cs_represult": {to:[{field: "rsa.misc.cs_represult", setter: fld_set}]}, - "cs_rpayload": {to:[{field: "rsa.misc.cs_rpayload", setter: fld_set}]}, - "cs_sampler_name": {to:[{field: "rsa.misc.cs_sampler_name", setter: fld_set}]}, - "cs_sourcemodule": {to:[{field: "rsa.misc.cs_sourcemodule", setter: fld_set}]}, - "cs_streams": {to:[{field: "rsa.misc.cs_streams", setter: fld_set}]}, - "cs_targetmodule": {to:[{field: "rsa.misc.cs_targetmodule", setter: fld_set}]}, - "cs_v6nxthop": {to:[{field: "rsa.misc.cs_v6nxthop", setter: fld_set}]}, - "cs_whois_server": {to:[{field: "rsa.misc.cs_whois_server", setter: fld_set}]}, - "cs_yararesult": {to:[{field: "rsa.misc.cs_yararesult", setter: fld_set}]}, - "cve": {to:[{field: "rsa.misc.cve", setter: fld_set}]}, - "d_certauth": {to:[{field: "rsa.crypto.d_certauth", setter: fld_set}]}, - "d_cipher": {to:[{field: "rsa.crypto.cipher_dst", setter: fld_set}]}, - "d_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_dst", setter: fld_set}]}, - "d_sslver": {to:[{field: "rsa.crypto.ssl_ver_dst", setter: fld_set}]}, - "data": {to:[{field: "rsa.internal.data", setter: fld_set}]}, - "data_type": {to:[{field: "rsa.misc.data_type", setter: fld_set}]}, - "date": {to:[{field: "rsa.time.date", setter: fld_set}]}, - "datetime": {to:[{field: "rsa.time.datetime", setter: fld_set}]}, - "day": {to:[{field: "rsa.time.day", setter: fld_set}]}, - "db_id": {to:[{field: "rsa.db.db_id", setter: fld_set}]}, - "db_name": {to:[{field: "rsa.db.database", setter: fld_set}]}, - "db_pid": {convert: to_long, to:[{field: 
"rsa.db.db_pid", setter: fld_set}]}, - "dclass_counter1": {convert: to_long, to:[{field: "rsa.counters.dclass_c1", setter: fld_set}]}, - "dclass_counter1_string": {to:[{field: "rsa.counters.dclass_c1_str", setter: fld_set}]}, - "dclass_counter2": {convert: to_long, to:[{field: "rsa.counters.dclass_c2", setter: fld_set}]}, - "dclass_counter2_string": {to:[{field: "rsa.counters.dclass_c2_str", setter: fld_set}]}, - "dclass_counter3": {convert: to_long, to:[{field: "rsa.counters.dclass_c3", setter: fld_set}]}, - "dclass_counter3_string": {to:[{field: "rsa.counters.dclass_c3_str", setter: fld_set}]}, - "dclass_ratio1": {to:[{field: "rsa.counters.dclass_r1", setter: fld_set}]}, - "dclass_ratio1_string": {to:[{field: "rsa.counters.dclass_r1_str", setter: fld_set}]}, - "dclass_ratio2": {to:[{field: "rsa.counters.dclass_r2", setter: fld_set}]}, - "dclass_ratio2_string": {to:[{field: "rsa.counters.dclass_r2_str", setter: fld_set}]}, - "dclass_ratio3": {to:[{field: "rsa.counters.dclass_r3", setter: fld_set}]}, - "dclass_ratio3_string": {to:[{field: "rsa.counters.dclass_r3_str", setter: fld_set}]}, - "dead": {convert: to_long, to:[{field: "rsa.internal.dead", setter: fld_set}]}, - "description": {to:[{field: "rsa.misc.description", setter: fld_set}]}, - "detail": {to:[{field: "rsa.misc.event_desc", setter: fld_set}]}, - "device": {to:[{field: "rsa.misc.device_name", setter: fld_set}]}, - "device.class": {to:[{field: "rsa.internal.device_class", setter: fld_set}]}, - "device.group": {to:[{field: "rsa.internal.device_group", setter: fld_set}]}, - "device.host": {to:[{field: "rsa.internal.device_host", setter: fld_set}]}, - "device.ip": {convert: to_ip, to:[{field: "rsa.internal.device_ip", setter: fld_set}]}, - "device.ipv6": {convert: to_ip, to:[{field: "rsa.internal.device_ipv6", setter: fld_set}]}, - "device.type": {to:[{field: "rsa.internal.device_type", setter: fld_set}]}, - "device.type.id": {convert: to_long, to:[{field: "rsa.internal.device_type_id", setter: fld_set}]}, 
- "devicehostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "devvendor": {to:[{field: "rsa.misc.devvendor", setter: fld_set}]}, - "dhost": {to:[{field: "rsa.network.host_dst", setter: fld_set}]}, - "did": {to:[{field: "rsa.internal.did", setter: fld_set}]}, - "dinterface": {to:[{field: "rsa.network.dinterface", setter: fld_set}]}, - "directory.dst": {to:[{field: "rsa.file.directory_dst", setter: fld_set}]}, - "directory.src": {to:[{field: "rsa.file.directory_src", setter: fld_set}]}, - "disk_volume": {to:[{field: "rsa.storage.disk_volume", setter: fld_set}]}, - "disposition": {to:[{field: "rsa.misc.disposition", setter: fld_set}]}, - "distance": {to:[{field: "rsa.misc.distance", setter: fld_set}]}, - "dmask": {to:[{field: "rsa.network.dmask", setter: fld_set}]}, - "dn": {to:[{field: "rsa.identity.dn", setter: fld_set}]}, - "dns_a_record": {to:[{field: "rsa.network.dns_a_record", setter: fld_set}]}, - "dns_cname_record": {to:[{field: "rsa.network.dns_cname_record", setter: fld_set}]}, - "dns_id": {to:[{field: "rsa.network.dns_id", setter: fld_set}]}, - "dns_opcode": {to:[{field: "rsa.network.dns_opcode", setter: fld_set}]}, - "dns_ptr_record": {to:[{field: "rsa.network.dns_ptr_record", setter: fld_set}]}, - "dns_resp": {to:[{field: "rsa.network.dns_resp", setter: fld_set}]}, - "dns_type": {to:[{field: "rsa.network.dns_type", setter: fld_set}]}, - "doc_number": {convert: to_long, to:[{field: "rsa.misc.doc_number", setter: fld_set}]}, - "domain": {to:[{field: "rsa.network.domain", setter: fld_set}]}, - "domain1": {to:[{field: "rsa.network.domain1", setter: fld_set}]}, - "dst_dn": {to:[{field: "rsa.identity.dn_dst", setter: fld_set}]}, - "dst_payload": {to:[{field: "rsa.misc.payload_dst", setter: fld_set}]}, - "dst_spi": {to:[{field: "rsa.misc.spi_dst", setter: fld_set}]}, - "dst_zone": {to:[{field: "rsa.network.zone_dst", setter: fld_set}]}, - "dstburb": {to:[{field: "rsa.misc.dstburb", setter: fld_set}]}, - "duration": {convert: to_double, 
to:[{field: "rsa.time.duration_time", setter: fld_set}]}, - "duration_string": {to:[{field: "rsa.time.duration_str", setter: fld_set}]}, - "ec_activity": {to:[{field: "rsa.investigations.ec_activity", setter: fld_set}]}, - "ec_outcome": {to:[{field: "rsa.investigations.ec_outcome", setter: fld_set}]}, - "ec_subject": {to:[{field: "rsa.investigations.ec_subject", setter: fld_set}]}, - "ec_theme": {to:[{field: "rsa.investigations.ec_theme", setter: fld_set}]}, - "edomain": {to:[{field: "rsa.misc.edomain", setter: fld_set}]}, - "edomaub": {to:[{field: "rsa.misc.edomaub", setter: fld_set}]}, - "effective_time": {convert: to_date, to:[{field: "rsa.time.effective_time", setter: fld_set}]}, - "ein.number": {convert: to_long, to:[{field: "rsa.misc.ein_number", setter: fld_set}]}, - "email": {to:[{field: "rsa.email.email", setter: fld_append}]}, - "encryption_type": {to:[{field: "rsa.crypto.crypto", setter: fld_set}]}, - "endtime": {convert: to_date, to:[{field: "rsa.time.endtime", setter: fld_set}]}, - "entropy.req": {convert: to_long, to:[{field: "rsa.internal.entropy_req", setter: fld_set}]}, - "entropy.res": {convert: to_long, to:[{field: "rsa.internal.entropy_res", setter: fld_set}]}, - "entry": {to:[{field: "rsa.internal.entry", setter: fld_set}]}, - "eoc": {to:[{field: "rsa.investigations.eoc", setter: fld_set}]}, - "error": {to:[{field: "rsa.misc.error", setter: fld_set}]}, - "eth_type": {convert: to_long, to:[{field: "rsa.network.eth_type", setter: fld_set}]}, - "euid": {to:[{field: "rsa.misc.euid", setter: fld_set}]}, - "event.cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 1}]}, - "event.cat.name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 1}]}, - "event_cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 0}]}, - "event_cat_name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 0}]}, - "event_category": {to:[{field: 
"rsa.misc.event_category", setter: fld_set}]}, - "event_computer": {to:[{field: "rsa.misc.event_computer", setter: fld_set}]}, - "event_counter": {convert: to_long, to:[{field: "rsa.counters.event_counter", setter: fld_set}]}, - "event_description": {to:[{field: "rsa.internal.event_desc", setter: fld_set}]}, - "event_id": {to:[{field: "rsa.misc.event_id", setter: fld_set}]}, - "event_log": {to:[{field: "rsa.misc.event_log", setter: fld_set}]}, - "event_name": {to:[{field: "rsa.internal.event_name", setter: fld_set}]}, - "event_queue_time": {convert: to_date, to:[{field: "rsa.time.event_queue_time", setter: fld_set}]}, - "event_source": {to:[{field: "rsa.misc.event_source", setter: fld_set}]}, - "event_state": {to:[{field: "rsa.misc.event_state", setter: fld_set}]}, - "event_time": {convert: to_date, to:[{field: "rsa.time.event_time", setter: fld_set}]}, - "event_time_str": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 1}]}, - "event_time_string": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 0}]}, - "event_type": {to:[{field: "rsa.misc.event_type", setter: fld_set}]}, - "event_user": {to:[{field: "rsa.misc.event_user", setter: fld_set}]}, - "eventtime": {to:[{field: "rsa.time.eventtime", setter: fld_set}]}, - "expected_val": {to:[{field: "rsa.misc.expected_val", setter: fld_set}]}, - "expiration_time": {convert: to_date, to:[{field: "rsa.time.expire_time", setter: fld_set}]}, - "expiration_time_string": {to:[{field: "rsa.time.expire_time_str", setter: fld_set}]}, - "facility": {to:[{field: "rsa.misc.facility", setter: fld_set}]}, - "facilityname": {to:[{field: "rsa.misc.facilityname", setter: fld_set}]}, - "faddr": {to:[{field: "rsa.network.faddr", setter: fld_set}]}, - "fcatnum": {to:[{field: "rsa.misc.fcatnum", setter: fld_set}]}, - "federated_idp": {to:[{field: "rsa.identity.federated_idp", setter: fld_set}]}, - "federated_sp": {to:[{field: "rsa.identity.federated_sp", setter: fld_set}]}, - "feed.category": {to:[{field: 
"rsa.internal.feed_category", setter: fld_set}]}, - "feed_desc": {to:[{field: "rsa.internal.feed_desc", setter: fld_set}]}, - "feed_name": {to:[{field: "rsa.internal.feed_name", setter: fld_set}]}, - "fhost": {to:[{field: "rsa.network.fhost", setter: fld_set}]}, - "file_entropy": {convert: to_double, to:[{field: "rsa.file.file_entropy", setter: fld_set}]}, - "file_vendor": {to:[{field: "rsa.file.file_vendor", setter: fld_set}]}, - "filename_dst": {to:[{field: "rsa.file.filename_dst", setter: fld_set}]}, - "filename_src": {to:[{field: "rsa.file.filename_src", setter: fld_set}]}, - "filename_tmp": {to:[{field: "rsa.file.filename_tmp", setter: fld_set}]}, - "filesystem": {to:[{field: "rsa.file.filesystem", setter: fld_set}]}, - "filter": {to:[{field: "rsa.misc.filter", setter: fld_set}]}, - "finterface": {to:[{field: "rsa.misc.finterface", setter: fld_set}]}, - "flags": {to:[{field: "rsa.misc.flags", setter: fld_set}]}, - "forensic_info": {to:[{field: "rsa.misc.forensic_info", setter: fld_set}]}, - "forward.ip": {convert: to_ip, to:[{field: "rsa.internal.forward_ip", setter: fld_set}]}, - "forward.ipv6": {convert: to_ip, to:[{field: "rsa.internal.forward_ipv6", setter: fld_set}]}, - "found": {to:[{field: "rsa.misc.found", setter: fld_set}]}, - "fport": {to:[{field: "rsa.network.fport", setter: fld_set}]}, - "fqdn": {to:[{field: "rsa.web.fqdn", setter: fld_set}]}, - "fresult": {convert: to_long, to:[{field: "rsa.misc.fresult", setter: fld_set}]}, - "from": {to:[{field: "rsa.email.email_src", setter: fld_set}]}, - "gaddr": {to:[{field: "rsa.misc.gaddr", setter: fld_set}]}, - "gateway": {to:[{field: "rsa.network.gateway", setter: fld_set}]}, - "gmtdate": {to:[{field: "rsa.time.gmtdate", setter: fld_set}]}, - "gmttime": {to:[{field: "rsa.time.gmttime", setter: fld_set}]}, - "group": {to:[{field: "rsa.misc.group", setter: fld_set}]}, - "group_object": {to:[{field: "rsa.misc.group_object", setter: fld_set}]}, - "groupid": {to:[{field: "rsa.misc.group_id", setter: 
fld_set}]}, - "h_code": {to:[{field: "rsa.internal.hcode", setter: fld_set}]}, - "hardware_id": {to:[{field: "rsa.misc.hardware_id", setter: fld_set}]}, - "header.id": {to:[{field: "rsa.internal.header_id", setter: fld_set}]}, - "host.orig": {to:[{field: "rsa.network.host_orig", setter: fld_set}]}, - "host.state": {to:[{field: "rsa.endpoint.host_state", setter: fld_set}]}, - "host.type": {to:[{field: "rsa.network.host_type", setter: fld_set}]}, - "host_role": {to:[{field: "rsa.identity.host_role", setter: fld_set}]}, - "hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "hostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "hour": {to:[{field: "rsa.time.hour", setter: fld_set}]}, - "https.insact": {to:[{field: "rsa.crypto.https_insact", setter: fld_set}]}, - "https.valid": {to:[{field: "rsa.crypto.https_valid", setter: fld_set}]}, - "icmpcode": {convert: to_long, to:[{field: "rsa.network.icmp_code", setter: fld_set}]}, - "icmptype": {convert: to_long, to:[{field: "rsa.network.icmp_type", setter: fld_set}]}, - "id": {to:[{field: "rsa.misc.reference_id", setter: fld_set}]}, - "id1": {to:[{field: "rsa.misc.reference_id1", setter: fld_set}]}, - "id2": {to:[{field: "rsa.misc.reference_id2", setter: fld_set}]}, - "id3": {to:[{field: "rsa.misc.id3", setter: fld_set}]}, - "ike": {to:[{field: "rsa.crypto.ike", setter: fld_set}]}, - "ike_cookie1": {to:[{field: "rsa.crypto.ike_cookie1", setter: fld_set}]}, - "ike_cookie2": {to:[{field: "rsa.crypto.ike_cookie2", setter: fld_set}]}, - "im_buddyid": {to:[{field: "rsa.misc.im_buddyid", setter: fld_set}]}, - "im_buddyname": {to:[{field: "rsa.misc.im_buddyname", setter: fld_set}]}, - "im_client": {to:[{field: "rsa.misc.im_client", setter: fld_set}]}, - "im_croomid": {to:[{field: "rsa.misc.im_croomid", setter: fld_set}]}, - "im_croomtype": {to:[{field: "rsa.misc.im_croomtype", setter: fld_set}]}, - "im_members": {to:[{field: "rsa.misc.im_members", setter: fld_set}]}, - "im_userid": 
{to:[{field: "rsa.misc.im_userid", setter: fld_set}]}, - "im_username": {to:[{field: "rsa.misc.im_username", setter: fld_set}]}, - "index": {to:[{field: "rsa.misc.index", setter: fld_set}]}, - "info": {to:[{field: "rsa.db.index", setter: fld_set}]}, - "inode": {convert: to_long, to:[{field: "rsa.internal.inode", setter: fld_set}]}, - "inout": {to:[{field: "rsa.misc.inout", setter: fld_set}]}, - "instance": {to:[{field: "rsa.db.instance", setter: fld_set}]}, - "interface": {to:[{field: "rsa.network.interface", setter: fld_set}]}, - "inv.category": {to:[{field: "rsa.investigations.inv_category", setter: fld_set}]}, - "inv.context": {to:[{field: "rsa.investigations.inv_context", setter: fld_set}]}, - "ioc": {to:[{field: "rsa.investigations.ioc", setter: fld_set}]}, - "ip_proto": {convert: to_long, to:[{field: "rsa.network.ip_proto", setter: fld_set}]}, - "ipkt": {to:[{field: "rsa.misc.ipkt", setter: fld_set}]}, - "ipscat": {to:[{field: "rsa.misc.ipscat", setter: fld_set}]}, - "ipspri": {to:[{field: "rsa.misc.ipspri", setter: fld_set}]}, - "jobname": {to:[{field: "rsa.misc.jobname", setter: fld_set}]}, - "jobnum": {to:[{field: "rsa.misc.job_num", setter: fld_set}]}, - "laddr": {to:[{field: "rsa.network.laddr", setter: fld_set}]}, - "language": {to:[{field: "rsa.misc.language", setter: fld_set}]}, - "latitude": {to:[{field: "rsa.misc.latitude", setter: fld_set}]}, - "lc.cid": {to:[{field: "rsa.internal.lc_cid", setter: fld_set}]}, - "lc.ctime": {convert: to_date, to:[{field: "rsa.internal.lc_ctime", setter: fld_set}]}, - "ldap": {to:[{field: "rsa.identity.ldap", setter: fld_set}]}, - "ldap.query": {to:[{field: "rsa.identity.ldap_query", setter: fld_set}]}, - "ldap.response": {to:[{field: "rsa.identity.ldap_response", setter: fld_set}]}, - "level": {convert: to_long, to:[{field: "rsa.internal.level", setter: fld_set}]}, - "lhost": {to:[{field: "rsa.network.lhost", setter: fld_set}]}, - "library": {to:[{field: "rsa.misc.library", setter: fld_set}]}, - "lifetime": 
{convert: to_long, to:[{field: "rsa.misc.lifetime", setter: fld_set}]}, - "linenum": {to:[{field: "rsa.misc.linenum", setter: fld_set}]}, - "link": {to:[{field: "rsa.misc.link", setter: fld_set}]}, - "linterface": {to:[{field: "rsa.network.linterface", setter: fld_set}]}, - "list_name": {to:[{field: "rsa.misc.list_name", setter: fld_set}]}, - "listnum": {to:[{field: "rsa.misc.listnum", setter: fld_set}]}, - "load_data": {to:[{field: "rsa.misc.load_data", setter: fld_set}]}, - "location_floor": {to:[{field: "rsa.misc.location_floor", setter: fld_set}]}, - "location_mark": {to:[{field: "rsa.misc.location_mark", setter: fld_set}]}, - "log_id": {to:[{field: "rsa.misc.log_id", setter: fld_set}]}, - "log_type": {to:[{field: "rsa.misc.log_type", setter: fld_set}]}, - "logid": {to:[{field: "rsa.misc.logid", setter: fld_set}]}, - "logip": {to:[{field: "rsa.misc.logip", setter: fld_set}]}, - "logname": {to:[{field: "rsa.misc.logname", setter: fld_set}]}, - "logon_type": {to:[{field: "rsa.identity.logon_type", setter: fld_set}]}, - "logon_type_desc": {to:[{field: "rsa.identity.logon_type_desc", setter: fld_set}]}, - "longitude": {to:[{field: "rsa.misc.longitude", setter: fld_set}]}, - "lport": {to:[{field: "rsa.misc.lport", setter: fld_set}]}, - "lread": {convert: to_long, to:[{field: "rsa.db.lread", setter: fld_set}]}, - "lun": {to:[{field: "rsa.storage.lun", setter: fld_set}]}, - "lwrite": {convert: to_long, to:[{field: "rsa.db.lwrite", setter: fld_set}]}, - "macaddr": {convert: to_mac, to:[{field: "rsa.network.eth_host", setter: fld_set}]}, - "mail_id": {to:[{field: "rsa.misc.mail_id", setter: fld_set}]}, - "mask": {to:[{field: "rsa.network.mask", setter: fld_set}]}, - "match": {to:[{field: "rsa.misc.match", setter: fld_set}]}, - "mbug_data": {to:[{field: "rsa.misc.mbug_data", setter: fld_set}]}, - "mcb.req": {convert: to_long, to:[{field: "rsa.internal.mcb_req", setter: fld_set}]}, - "mcb.res": {convert: to_long, to:[{field: "rsa.internal.mcb_res", setter: fld_set}]}, - 
"mcbc.req": {convert: to_long, to:[{field: "rsa.internal.mcbc_req", setter: fld_set}]}, - "mcbc.res": {convert: to_long, to:[{field: "rsa.internal.mcbc_res", setter: fld_set}]}, - "medium": {convert: to_long, to:[{field: "rsa.internal.medium", setter: fld_set}]}, - "message": {to:[{field: "rsa.internal.message", setter: fld_set}]}, - "message_body": {to:[{field: "rsa.misc.message_body", setter: fld_set}]}, - "messageid": {to:[{field: "rsa.internal.messageid", setter: fld_set}]}, - "min": {to:[{field: "rsa.time.min", setter: fld_set}]}, - "misc": {to:[{field: "rsa.misc.misc", setter: fld_set}]}, - "misc_name": {to:[{field: "rsa.misc.misc_name", setter: fld_set}]}, - "mode": {to:[{field: "rsa.misc.mode", setter: fld_set}]}, - "month": {to:[{field: "rsa.time.month", setter: fld_set}]}, - "msg": {to:[{field: "rsa.internal.msg", setter: fld_set}]}, - "msgIdPart1": {to:[{field: "rsa.misc.msgIdPart1", setter: fld_set}]}, - "msgIdPart2": {to:[{field: "rsa.misc.msgIdPart2", setter: fld_set}]}, - "msgIdPart3": {to:[{field: "rsa.misc.msgIdPart3", setter: fld_set}]}, - "msgIdPart4": {to:[{field: "rsa.misc.msgIdPart4", setter: fld_set}]}, - "msg_id": {to:[{field: "rsa.internal.msg_id", setter: fld_set}]}, - "msg_type": {to:[{field: "rsa.misc.msg_type", setter: fld_set}]}, - "msgid": {to:[{field: "rsa.misc.msgid", setter: fld_set}]}, - "name": {to:[{field: "rsa.misc.name", setter: fld_set}]}, - "netname": {to:[{field: "rsa.network.netname", setter: fld_set}]}, - "netsessid": {to:[{field: "rsa.misc.netsessid", setter: fld_set}]}, - "network_port": {convert: to_long, to:[{field: "rsa.network.network_port", setter: fld_set}]}, - "network_service": {to:[{field: "rsa.network.network_service", setter: fld_set}]}, - "node": {to:[{field: "rsa.misc.node", setter: fld_set}]}, - "nodename": {to:[{field: "rsa.internal.node_name", setter: fld_set}]}, - "ntype": {to:[{field: "rsa.misc.ntype", setter: fld_set}]}, - "num": {to:[{field: "rsa.misc.num", setter: fld_set}]}, - "number": 
{to:[{field: "rsa.misc.number", setter: fld_set}]}, - "number1": {to:[{field: "rsa.misc.number1", setter: fld_set}]}, - "number2": {to:[{field: "rsa.misc.number2", setter: fld_set}]}, - "nwe.callback_id": {to:[{field: "rsa.internal.nwe_callback_id", setter: fld_set}]}, - "nwwn": {to:[{field: "rsa.misc.nwwn", setter: fld_set}]}, - "obj_id": {to:[{field: "rsa.internal.obj_id", setter: fld_set}]}, - "obj_name": {to:[{field: "rsa.misc.obj_name", setter: fld_set}]}, - "obj_server": {to:[{field: "rsa.internal.obj_server", setter: fld_set}]}, - "obj_type": {to:[{field: "rsa.misc.obj_type", setter: fld_set}]}, - "obj_value": {to:[{field: "rsa.internal.obj_val", setter: fld_set}]}, - "object": {to:[{field: "rsa.misc.object", setter: fld_set}]}, - "observed_val": {to:[{field: "rsa.misc.observed_val", setter: fld_set}]}, - "operation": {to:[{field: "rsa.misc.operation", setter: fld_set}]}, - "operation_id": {to:[{field: "rsa.misc.operation_id", setter: fld_set}]}, - "opkt": {to:[{field: "rsa.misc.opkt", setter: fld_set}]}, - "org.dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 1}]}, - "org.src": {to:[{field: "rsa.physical.org_src", setter: fld_set}]}, - "org_dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 0}]}, - "orig_from": {to:[{field: "rsa.misc.orig_from", setter: fld_set}]}, - "origin": {to:[{field: "rsa.network.origin", setter: fld_set}]}, - "original_owner": {to:[{field: "rsa.identity.owner", setter: fld_set}]}, - "os": {to:[{field: "rsa.misc.OS", setter: fld_set}]}, - "owner_id": {to:[{field: "rsa.misc.owner_id", setter: fld_set}]}, - "p_action": {to:[{field: "rsa.misc.p_action", setter: fld_set}]}, - "p_date": {to:[{field: "rsa.time.p_date", setter: fld_set}]}, - "p_filter": {to:[{field: "rsa.misc.p_filter", setter: fld_set}]}, - "p_group_object": {to:[{field: "rsa.misc.p_group_object", setter: fld_set}]}, - "p_id": {to:[{field: "rsa.misc.p_id", setter: fld_set}]}, - "p_month": {to:[{field: "rsa.time.p_month", setter: fld_set}]}, 
- "p_msgid": {to:[{field: "rsa.misc.p_msgid", setter: fld_set}]}, - "p_msgid1": {to:[{field: "rsa.misc.p_msgid1", setter: fld_set}]}, - "p_msgid2": {to:[{field: "rsa.misc.p_msgid2", setter: fld_set}]}, - "p_result1": {to:[{field: "rsa.misc.p_result1", setter: fld_set}]}, - "p_time": {to:[{field: "rsa.time.p_time", setter: fld_set}]}, - "p_time1": {to:[{field: "rsa.time.p_time1", setter: fld_set}]}, - "p_time2": {to:[{field: "rsa.time.p_time2", setter: fld_set}]}, - "p_url": {to:[{field: "rsa.web.p_url", setter: fld_set}]}, - "p_user_agent": {to:[{field: "rsa.web.p_user_agent", setter: fld_set}]}, - "p_web_cookie": {to:[{field: "rsa.web.p_web_cookie", setter: fld_set}]}, - "p_web_method": {to:[{field: "rsa.web.p_web_method", setter: fld_set}]}, - "p_web_referer": {to:[{field: "rsa.web.p_web_referer", setter: fld_set}]}, - "p_year": {to:[{field: "rsa.time.p_year", setter: fld_set}]}, - "packet_length": {to:[{field: "rsa.network.packet_length", setter: fld_set}]}, - "paddr": {convert: to_ip, to:[{field: "rsa.network.paddr", setter: fld_set}]}, - "param": {to:[{field: "rsa.misc.param", setter: fld_set}]}, - "param.dst": {to:[{field: "rsa.misc.param_dst", setter: fld_set}]}, - "param.src": {to:[{field: "rsa.misc.param_src", setter: fld_set}]}, - "parent_node": {to:[{field: "rsa.misc.parent_node", setter: fld_set}]}, - "parse.error": {to:[{field: "rsa.internal.parse_error", setter: fld_set}]}, - "password": {to:[{field: "rsa.identity.password", setter: fld_set}]}, - "password_chg": {to:[{field: "rsa.misc.password_chg", setter: fld_set}]}, - "password_expire": {to:[{field: "rsa.misc.password_expire", setter: fld_set}]}, - "patient_fname": {to:[{field: "rsa.healthcare.patient_fname", setter: fld_set}]}, - "patient_id": {to:[{field: "rsa.healthcare.patient_id", setter: fld_set}]}, - "patient_lname": {to:[{field: "rsa.healthcare.patient_lname", setter: fld_set}]}, - "patient_mname": {to:[{field: "rsa.healthcare.patient_mname", setter: fld_set}]}, - "payload.req": {convert: 
to_long, to:[{field: "rsa.internal.payload_req", setter: fld_set}]}, - "payload.res": {convert: to_long, to:[{field: "rsa.internal.payload_res", setter: fld_set}]}, - "peer": {to:[{field: "rsa.crypto.peer", setter: fld_set}]}, - "peer_id": {to:[{field: "rsa.crypto.peer_id", setter: fld_set}]}, - "permgranted": {to:[{field: "rsa.misc.permgranted", setter: fld_set}]}, - "permissions": {to:[{field: "rsa.db.permissions", setter: fld_set}]}, - "permwanted": {to:[{field: "rsa.misc.permwanted", setter: fld_set}]}, - "pgid": {to:[{field: "rsa.misc.pgid", setter: fld_set}]}, - "phone_number": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 2}]}, - "phost": {to:[{field: "rsa.network.phost", setter: fld_set}]}, - "pid": {to:[{field: "rsa.misc.pid", setter: fld_set}]}, - "policy": {to:[{field: "rsa.misc.policy", setter: fld_set}]}, - "policyUUID": {to:[{field: "rsa.misc.policyUUID", setter: fld_set}]}, - "policy_id": {to:[{field: "rsa.misc.policy_id", setter: fld_set}]}, - "policy_value": {to:[{field: "rsa.misc.policy_value", setter: fld_set}]}, - "policy_waiver": {to:[{field: "rsa.misc.policy_waiver", setter: fld_set}]}, - "policyname": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 0}]}, - "pool_id": {to:[{field: "rsa.misc.pool_id", setter: fld_set}]}, - "pool_name": {to:[{field: "rsa.misc.pool_name", setter: fld_set}]}, - "port": {convert: to_long, to:[{field: "rsa.network.port", setter: fld_set}]}, - "portname": {to:[{field: "rsa.misc.port_name", setter: fld_set}]}, - "pread": {convert: to_long, to:[{field: "rsa.db.pread", setter: fld_set}]}, - "priority": {to:[{field: "rsa.misc.priority", setter: fld_set}]}, - "privilege": {to:[{field: "rsa.file.privilege", setter: fld_set}]}, - "process.vid.dst": {to:[{field: "rsa.internal.process_vid_dst", setter: fld_set}]}, - "process.vid.src": {to:[{field: "rsa.internal.process_vid_src", setter: fld_set}]}, - "process_id_val": {to:[{field: "rsa.misc.process_id_val", setter: fld_set}]}, - "processing_time": 
{to:[{field: "rsa.time.process_time", setter: fld_set}]}, - "profile": {to:[{field: "rsa.identity.profile", setter: fld_set}]}, - "prog_asp_num": {to:[{field: "rsa.misc.prog_asp_num", setter: fld_set}]}, - "program": {to:[{field: "rsa.misc.program", setter: fld_set}]}, - "protocol_detail": {to:[{field: "rsa.network.protocol_detail", setter: fld_set}]}, - "pwwn": {to:[{field: "rsa.storage.pwwn", setter: fld_set}]}, - "r_hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "real_data": {to:[{field: "rsa.misc.real_data", setter: fld_set}]}, - "realm": {to:[{field: "rsa.identity.realm", setter: fld_set}]}, - "reason": {to:[{field: "rsa.misc.reason", setter: fld_set}]}, - "rec_asp_device": {to:[{field: "rsa.misc.rec_asp_device", setter: fld_set}]}, - "rec_asp_num": {to:[{field: "rsa.misc.rec_asp_num", setter: fld_set}]}, - "rec_library": {to:[{field: "rsa.misc.rec_library", setter: fld_set}]}, - "recorded_time": {convert: to_date, to:[{field: "rsa.time.recorded_time", setter: fld_set}]}, - "recordnum": {to:[{field: "rsa.misc.recordnum", setter: fld_set}]}, - "registry.key": {to:[{field: "rsa.endpoint.registry_key", setter: fld_set}]}, - "registry.value": {to:[{field: "rsa.endpoint.registry_value", setter: fld_set}]}, - "remote_domain": {to:[{field: "rsa.web.remote_domain", setter: fld_set}]}, - "remote_domain_id": {to:[{field: "rsa.network.remote_domain_id", setter: fld_set}]}, - "reputation_num": {convert: to_double, to:[{field: "rsa.web.reputation_num", setter: fld_set}]}, - "resource": {to:[{field: "rsa.internal.resource", setter: fld_set}]}, - "resource_class": {to:[{field: "rsa.internal.resource_class", setter: fld_set}]}, - "result": {to:[{field: "rsa.misc.result", setter: fld_set}]}, - "result_code": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 1}]}, - "resultcode": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 0}]}, - "rid": {convert: to_long, to:[{field: "rsa.internal.rid", setter: fld_set}]}, - "risk": 
{to:[{field: "rsa.misc.risk", setter: fld_set}]}, - "risk_info": {to:[{field: "rsa.misc.risk_info", setter: fld_set}]}, - "risk_num": {convert: to_double, to:[{field: "rsa.misc.risk_num", setter: fld_set}]}, - "risk_num_comm": {convert: to_double, to:[{field: "rsa.misc.risk_num_comm", setter: fld_set}]}, - "risk_num_next": {convert: to_double, to:[{field: "rsa.misc.risk_num_next", setter: fld_set}]}, - "risk_num_sand": {convert: to_double, to:[{field: "rsa.misc.risk_num_sand", setter: fld_set}]}, - "risk_num_static": {convert: to_double, to:[{field: "rsa.misc.risk_num_static", setter: fld_set}]}, - "risk_suspicious": {to:[{field: "rsa.misc.risk_suspicious", setter: fld_set}]}, - "risk_warning": {to:[{field: "rsa.misc.risk_warning", setter: fld_set}]}, - "rpayload": {to:[{field: "rsa.network.rpayload", setter: fld_set}]}, - "ruid": {to:[{field: "rsa.misc.ruid", setter: fld_set}]}, - "rule": {to:[{field: "rsa.misc.rule", setter: fld_set}]}, - "rule_group": {to:[{field: "rsa.misc.rule_group", setter: fld_set}]}, - "rule_template": {to:[{field: "rsa.misc.rule_template", setter: fld_set}]}, - "rule_uid": {to:[{field: "rsa.misc.rule_uid", setter: fld_set}]}, - "rulename": {to:[{field: "rsa.misc.rule_name", setter: fld_set}]}, - "s_certauth": {to:[{field: "rsa.crypto.s_certauth", setter: fld_set}]}, - "s_cipher": {to:[{field: "rsa.crypto.cipher_src", setter: fld_set}]}, - "s_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_src", setter: fld_set}]}, - "s_context": {to:[{field: "rsa.misc.context_subject", setter: fld_set}]}, - "s_sslver": {to:[{field: "rsa.crypto.ssl_ver_src", setter: fld_set}]}, - "sburb": {to:[{field: "rsa.misc.sburb", setter: fld_set}]}, - "scheme": {to:[{field: "rsa.crypto.scheme", setter: fld_set}]}, - "sdomain_fld": {to:[{field: "rsa.misc.sdomain_fld", setter: fld_set}]}, - "search.text": {to:[{field: "rsa.misc.search_text", setter: fld_set}]}, - "sec": {to:[{field: "rsa.misc.sec", setter: fld_set}]}, - "second": {to:[{field: 
"rsa.misc.second", setter: fld_set}]}, - "sensor": {to:[{field: "rsa.misc.sensor", setter: fld_set}]}, - "sensorname": {to:[{field: "rsa.misc.sensorname", setter: fld_set}]}, - "seqnum": {to:[{field: "rsa.misc.seqnum", setter: fld_set}]}, - "serial_number": {to:[{field: "rsa.misc.serial_number", setter: fld_set}]}, - "service.account": {to:[{field: "rsa.identity.service_account", setter: fld_set}]}, - "session": {to:[{field: "rsa.misc.session", setter: fld_set}]}, - "session.split": {to:[{field: "rsa.internal.session_split", setter: fld_set}]}, - "sessionid": {to:[{field: "rsa.misc.log_session_id", setter: fld_set}]}, - "sessionid1": {to:[{field: "rsa.misc.log_session_id1", setter: fld_set}]}, - "sessiontype": {to:[{field: "rsa.misc.sessiontype", setter: fld_set}]}, - "severity": {to:[{field: "rsa.misc.severity", setter: fld_set}]}, - "sid": {to:[{field: "rsa.identity.user_sid_dst", setter: fld_set}]}, - "sig.name": {to:[{field: "rsa.misc.sig_name", setter: fld_set}]}, - "sigUUID": {to:[{field: "rsa.misc.sigUUID", setter: fld_set}]}, - "sigcat": {to:[{field: "rsa.misc.sigcat", setter: fld_set}]}, - "sigid": {convert: to_long, to:[{field: "rsa.misc.sig_id", setter: fld_set}]}, - "sigid1": {convert: to_long, to:[{field: "rsa.misc.sig_id1", setter: fld_set}]}, - "sigid_string": {to:[{field: "rsa.misc.sig_id_str", setter: fld_set}]}, - "signame": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 1}]}, - "sigtype": {to:[{field: "rsa.crypto.sig_type", setter: fld_set}]}, - "sinterface": {to:[{field: "rsa.network.sinterface", setter: fld_set}]}, - "site": {to:[{field: "rsa.internal.site", setter: fld_set}]}, - "size": {convert: to_long, to:[{field: "rsa.internal.size", setter: fld_set}]}, - "smask": {to:[{field: "rsa.network.smask", setter: fld_set}]}, - "snmp.oid": {to:[{field: "rsa.misc.snmp_oid", setter: fld_set}]}, - "snmp.value": {to:[{field: "rsa.misc.snmp_value", setter: fld_set}]}, - "sourcefile": {to:[{field: "rsa.internal.sourcefile", setter: 
fld_set}]}, - "space": {to:[{field: "rsa.misc.space", setter: fld_set}]}, - "space1": {to:[{field: "rsa.misc.space1", setter: fld_set}]}, - "spi": {to:[{field: "rsa.misc.spi", setter: fld_set}]}, - "sql": {to:[{field: "rsa.misc.sql", setter: fld_set}]}, - "src_dn": {to:[{field: "rsa.identity.dn_src", setter: fld_set}]}, - "src_payload": {to:[{field: "rsa.misc.payload_src", setter: fld_set}]}, - "src_spi": {to:[{field: "rsa.misc.spi_src", setter: fld_set}]}, - "src_zone": {to:[{field: "rsa.network.zone_src", setter: fld_set}]}, - "srcburb": {to:[{field: "rsa.misc.srcburb", setter: fld_set}]}, - "srcdom": {to:[{field: "rsa.misc.srcdom", setter: fld_set}]}, - "srcservice": {to:[{field: "rsa.misc.srcservice", setter: fld_set}]}, - "ssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 0}]}, - "stamp": {convert: to_date, to:[{field: "rsa.time.stamp", setter: fld_set}]}, - "starttime": {convert: to_date, to:[{field: "rsa.time.starttime", setter: fld_set}]}, - "state": {to:[{field: "rsa.misc.state", setter: fld_set}]}, - "statement": {to:[{field: "rsa.internal.statement", setter: fld_set}]}, - "status": {to:[{field: "rsa.misc.status", setter: fld_set}]}, - "status1": {to:[{field: "rsa.misc.status1", setter: fld_set}]}, - "streams": {convert: to_long, to:[{field: "rsa.misc.streams", setter: fld_set}]}, - "subcategory": {to:[{field: "rsa.misc.subcategory", setter: fld_set}]}, - "subject": {to:[{field: "rsa.email.subject", setter: fld_set}]}, - "svcno": {to:[{field: "rsa.misc.svcno", setter: fld_set}]}, - "system": {to:[{field: "rsa.misc.system", setter: fld_set}]}, - "t_context": {to:[{field: "rsa.misc.context_target", setter: fld_set}]}, - "task_name": {to:[{field: "rsa.file.task_name", setter: fld_set}]}, - "tbdstr1": {to:[{field: "rsa.misc.tbdstr1", setter: fld_set}]}, - "tbdstr2": {to:[{field: "rsa.misc.tbdstr2", setter: fld_set}]}, - "tbl_name": {to:[{field: "rsa.db.table_name", setter: fld_set}]}, - "tcp_flags": {convert: to_long, to:[{field: 
"rsa.misc.tcp_flags", setter: fld_set}]}, - "terminal": {to:[{field: "rsa.misc.terminal", setter: fld_set}]}, - "tgtdom": {to:[{field: "rsa.misc.tgtdom", setter: fld_set}]}, - "tgtdomain": {to:[{field: "rsa.misc.tgtdomain", setter: fld_set}]}, - "threat_name": {to:[{field: "rsa.threat.threat_category", setter: fld_set}]}, - "threat_source": {to:[{field: "rsa.threat.threat_source", setter: fld_set}]}, - "threat_val": {to:[{field: "rsa.threat.threat_desc", setter: fld_set}]}, - "threshold": {to:[{field: "rsa.misc.threshold", setter: fld_set}]}, - "time": {convert: to_date, to:[{field: "rsa.internal.time", setter: fld_set}]}, - "timestamp": {to:[{field: "rsa.time.timestamp", setter: fld_set}]}, - "timezone": {to:[{field: "rsa.time.timezone", setter: fld_set}]}, - "to": {to:[{field: "rsa.email.email_dst", setter: fld_set}]}, - "tos": {convert: to_long, to:[{field: "rsa.misc.tos", setter: fld_set}]}, - "trans_from": {to:[{field: "rsa.email.trans_from", setter: fld_set}]}, - "trans_id": {to:[{field: "rsa.db.transact_id", setter: fld_set}]}, - "trans_to": {to:[{field: "rsa.email.trans_to", setter: fld_set}]}, - "trigger_desc": {to:[{field: "rsa.misc.trigger_desc", setter: fld_set}]}, - "trigger_val": {to:[{field: "rsa.misc.trigger_val", setter: fld_set}]}, - "type": {to:[{field: "rsa.misc.type", setter: fld_set}]}, - "type1": {to:[{field: "rsa.misc.type1", setter: fld_set}]}, - "tzone": {to:[{field: "rsa.time.tzone", setter: fld_set}]}, - "ubc.req": {convert: to_long, to:[{field: "rsa.internal.ubc_req", setter: fld_set}]}, - "ubc.res": {convert: to_long, to:[{field: "rsa.internal.ubc_res", setter: fld_set}]}, - "udb_class": {to:[{field: "rsa.misc.udb_class", setter: fld_set}]}, - "url_fld": {to:[{field: "rsa.misc.url_fld", setter: fld_set}]}, - "urlpage": {to:[{field: "rsa.web.urlpage", setter: fld_set}]}, - "urlroot": {to:[{field: "rsa.web.urlroot", setter: fld_set}]}, - "user_address": {to:[{field: "rsa.email.email", setter: fld_append}]}, - "user_dept": {to:[{field: 
"rsa.identity.user_dept", setter: fld_set}]}, - "user_div": {to:[{field: "rsa.misc.user_div", setter: fld_set}]}, - "user_fname": {to:[{field: "rsa.identity.firstname", setter: fld_set}]}, - "user_lname": {to:[{field: "rsa.identity.lastname", setter: fld_set}]}, - "user_mname": {to:[{field: "rsa.identity.middlename", setter: fld_set}]}, - "user_org": {to:[{field: "rsa.identity.org", setter: fld_set}]}, - "user_role": {to:[{field: "rsa.identity.user_role", setter: fld_set}]}, - "userid": {to:[{field: "rsa.misc.userid", setter: fld_set}]}, - "username_fld": {to:[{field: "rsa.misc.username_fld", setter: fld_set}]}, - "utcstamp": {to:[{field: "rsa.misc.utcstamp", setter: fld_set}]}, - "v_instafname": {to:[{field: "rsa.misc.v_instafname", setter: fld_set}]}, - "vendor_event_cat": {to:[{field: "rsa.investigations.event_vcat", setter: fld_set}]}, - "version": {to:[{field: "rsa.misc.version", setter: fld_set}]}, - "vid": {to:[{field: "rsa.internal.msg_vid", setter: fld_set}]}, - "virt_data": {to:[{field: "rsa.misc.virt_data", setter: fld_set}]}, - "virusname": {to:[{field: "rsa.misc.virusname", setter: fld_set}]}, - "vlan": {convert: to_long, to:[{field: "rsa.network.vlan", setter: fld_set}]}, - "vlan.name": {to:[{field: "rsa.network.vlan_name", setter: fld_set}]}, - "vm_target": {to:[{field: "rsa.misc.vm_target", setter: fld_set}]}, - "vpnid": {to:[{field: "rsa.misc.vpnid", setter: fld_set}]}, - "vsys": {to:[{field: "rsa.misc.vsys", setter: fld_set}]}, - "vuln_ref": {to:[{field: "rsa.misc.vuln_ref", setter: fld_set}]}, - "web_cookie": {to:[{field: "rsa.web.web_cookie", setter: fld_set}]}, - "web_extension_tmp": {to:[{field: "rsa.web.web_extension_tmp", setter: fld_set}]}, - "web_host": {to:[{field: "rsa.web.alias_host", setter: fld_set}]}, - "web_method": {to:[{field: "rsa.misc.action", setter: fld_append}]}, - "web_page": {to:[{field: "rsa.web.web_page", setter: fld_set}]}, - "web_ref_domain": {to:[{field: "rsa.web.web_ref_domain", setter: fld_set}]}, - "web_ref_host": 
{to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "web_ref_page": {to:[{field: "rsa.web.web_ref_page", setter: fld_set}]}, - "web_ref_query": {to:[{field: "rsa.web.web_ref_query", setter: fld_set}]}, - "web_ref_root": {to:[{field: "rsa.web.web_ref_root", setter: fld_set}]}, - "wifi_channel": {convert: to_long, to:[{field: "rsa.wireless.wlan_channel", setter: fld_set}]}, - "wlan": {to:[{field: "rsa.wireless.wlan_name", setter: fld_set}]}, - "word": {to:[{field: "rsa.internal.word", setter: fld_set}]}, - "workspace_desc": {to:[{field: "rsa.misc.workspace", setter: fld_set}]}, - "workstation": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "year": {to:[{field: "rsa.time.year", setter: fld_set}]}, - "zone": {to:[{field: "rsa.network.zone", setter: fld_set}]}, - }; - - function to_date(value) { - switch (typeof (value)) { - case "object": - // This is a Date. But as it was obtained from evt.Get(), the VM - // doesn't see it as a JS Date anymore, thus value instanceof Date === false. - // Have to trust that any object here is a valid Date for Go. - return value; - case "string": - var asDate = new Date(value); - if (!isNaN(asDate)) return asDate; - } - } - - // ECMAScript 5.1 doesn't have Object.MAX_SAFE_INTEGER / Object.MIN_SAFE_INTEGER. - var maxSafeInt = Math.pow(2, 53) - 1; - var minSafeInt = -maxSafeInt; - - function to_long(value) { - var num = parseInt(value); - // Better not to index a number if it's not safe (above 53 bits). - return !isNaN(num) && minSafeInt <= num && num <= maxSafeInt ? 
num : undefined; - } - - function to_ip(value) { - if (value.indexOf(":") === -1) - return to_ipv4(value); - return to_ipv6(value); - } - - var ipv4_regex = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/; - var ipv6_hex_regex = /^[0-9A-Fa-f]{1,4}$/; - - function to_ipv4(value) { - var result = ipv4_regex.exec(value); - if (result == null || result.length !== 5) return; - for (var i = 1; i < 5; i++) { - var num = strictToInt(result[i]); - if (isNaN(num) || num < 0 || num > 255) return; - } - return value; - } - - function to_ipv6(value) { - var sqEnd = value.indexOf("]"); - if (sqEnd > -1) { - if (value.charAt(0) !== "[") return; - value = value.substr(1, sqEnd - 1); - } - var zoneOffset = value.indexOf("%"); - if (zoneOffset > -1) { - value = value.substr(0, zoneOffset); - } - var parts = value.split(":"); - if (parts == null || parts.length < 3 || parts.length > 8) return; - var numEmpty = 0; - var innerEmpty = 0; - for (var i = 0; i < parts.length; i++) { - if (parts[i].length === 0) { - numEmpty++; - if (i > 0 && i + 1 < parts.length) innerEmpty++; - } else if (!parts[i].match(ipv6_hex_regex) && - // Accept an IPv6 with a valid IPv4 at the end. - ((i + 1 < parts.length) || !to_ipv4(parts[i]))) { - return; - } - } - return innerEmpty === 0 && parts.length === 8 || innerEmpty === 1 ? value : undefined; - } - - function to_double(value) { - return parseFloat(value); - } - - function to_mac(value) { - // ES doesn't have a mac datatype so it's safe to ingest whatever was captured. - return value; - } - - function to_lowercase(value) { - // to_lowercase is used against keyword fields, which can accept - // any other type (numbers, dates). - return typeof(value) === "string"? 
value.toLowerCase() : value; - } - - function fld_set(dst, value) { - dst[this.field] = { v: value }; - } - - function fld_append(dst, value) { - if (dst[this.field] === undefined) { - dst[this.field] = { v: [value] }; - } else { - var base = dst[this.field]; - if (base.v.indexOf(value)===-1) base.v.push(value); - } - } - - function fld_prio(dst, value) { - if (dst[this.field] === undefined) { - dst[this.field] = { v: value, prio: this.prio}; - } else if(this.prio < dst[this.field].prio) { - dst[this.field].v = value; - dst[this.field].prio = this.prio; - } - } - - var valid_ecs_outcome = { - 'failure': true, - 'success': true, - 'unknown': true - }; - - function fld_ecs_outcome(dst, value) { - value = value.toLowerCase(); - if (valid_ecs_outcome[value] === undefined) { - value = 'unknown'; - } - if (dst[this.field] === undefined) { - dst[this.field] = { v: value }; - } else if (dst[this.field].v === 'unknown') { - dst[this.field] = { v: value }; - } - } - - function map_all(evt, targets, value) { - for (var i = 0; i < targets.length; i++) { - evt.Put(targets[i], value); - } - } - - function populate_fields(evt) { - var base = evt.Get(FIELDS_OBJECT); - if (base === null) return; - alternate_datetime(evt); - if (map_ecs) { - do_populate(evt, base, ecs_mappings); - } - if (map_rsa) { - do_populate(evt, base, rsa_mappings); - } - if (keep_raw) { - evt.Put("rsa.raw", base); - } - evt.Delete(FIELDS_OBJECT); - } - - var datetime_alt_components = [ - {field: "day", fmts: [[dF]]}, - {field: "year", fmts: [[dW]]}, - {field: "month", fmts: [[dB],[dG]]}, - {field: "date", fmts: [[dW,dSkip,dG,dSkip,dF],[dW,dSkip,dB,dSkip,dF],[dW,dSkip,dR,dSkip,dF]]}, - {field: "hour", fmts: [[dN]]}, - {field: "min", fmts: [[dU]]}, - {field: "secs", fmts: [[dO]]}, - {field: "time", fmts: [[dN, dSkip, dU, dSkip, dO]]}, - ]; - - function alternate_datetime(evt) { - if (evt.Get(FIELDS_PREFIX + "event_time") != null) { - return; - } - var tzOffset = tz_offset; - if (tzOffset === "event") { - 
tzOffset = evt.Get("event.timezone"); - } - var container = new DateContainer(tzOffset); - for (var i=0; i} %{fld2->} %{fld3->} %{hostname->} proto=%{protocol->} service=%{network_service->} status=deny src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport->} server_app=%{fld12->} pid=%{process_id->} app_name=%{fld14->} traff_direct=%{direction->} block_count=%{dclass_counter1->} logon_user=%{username}@%{domain->} msg=%{result}", processor_chain([ - dup3, - dup4, - dup5, - dup6, - dup7, - dup2, - dup8, - ])); - - var hdr1 = match("HEADER#0:0001", "message", "%{hmonth->} %{hday->} %{htime->} %{hhostname->} proto=%{hprotocol->} service=%{messageid->} status=%{haction->} src=%{hsaddr->} dst=%{hdaddr->} src_port=%{hsport->} dst_port=%{hdport->} %{p0}", processor_chain([ - setc("header_id","0001"), - call({ - dest: "nwparser.payload", - fn: STRCAT, - args: [ - field("hmonth"), - constant(" "), - field("hday"), - constant(" "), - field("htime"), - constant(" "), - field("hhostname"), - constant(" proto="), - field("hprotocol"), - constant(" service="), - field("messageid"), - constant(" status="), - field("haction"), - constant(" src="), - field("hsaddr"), - constant(" dst="), - field("hdaddr"), - constant(" src_port="), - field("hsport"), - constant(" dst_port="), - field("hdport"), - constant(" "), - field("p0"), - ], - }), - ])); - - var hdr2 = match("HEADER#1:0003", "message", "%{hmonth->} %{hday->} %{htime->} %{hhostname->} (%{messageid->} %{hfld5->} times in last %{hfld6}) %{hfld7->} %{hfld8}::%{p0}", processor_chain([ - setc("header_id","0003"), - call({ - dest: "nwparser.payload", - fn: STRCAT, - args: [ - field("hmonth"), - constant(" "), - field("hday"), - constant(" "), - field("htime"), - constant(" "), - field("hhostname"), - constant(" ("), - field("messageid"), - constant(" "), - field("hfld5"), - constant(" times in last "), - field("hfld6"), - constant(") "), - field("hfld7"), - constant(" "), - field("hfld8"), - constant("::"), - 
field("p0"), - ], - }), - ])); - - var hdr3 = match("HEADER#2:0002", "message", "%{hmonth->} %{hday->} %{htime->} %{hhostname->} %{messageid->} %{hfld5}::%{p0}", processor_chain([ - setc("header_id","0002"), - call({ - dest: "nwparser.payload", - fn: STRCAT, - args: [ - field("hmonth"), - constant(" "), - field("hday"), - constant(" "), - field("htime"), - constant(" "), - field("hhostname"), - constant(" "), - field("messageid"), - constant(" "), - field("hfld5"), - constant("::"), - field("p0"), - ], - }), - ])); - - var select1 = linear_select([ - hdr1, - hdr2, - hdr3, - ]); - - var part1 = match("MESSAGE#0:enter", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{hostname->} enter %{info}", processor_chain([ - dup1, - dup2, - ])); - - var msg1 = msg("enter", part1); - - var part2 = match("MESSAGE#1:repeated", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{hostname->} (repeated %{fld5->} times in last %{fld6}) enter %{info}", processor_chain([ - dup1, - dup2, - ])); - - var msg2 = msg("repeated", part2); - - var msg3 = msg("ms-wbt-server", dup9); - - var msg4 = msg("http", dup9); - - var msg5 = msg("https", dup9); - - var msg6 = msg("smtp", dup9); - - var msg7 = msg("pop3", dup9); - - var chain1 = processor_chain([ - select1, - msgid_select({ - "enter": msg1, - "http": msg4, - "https": msg5, - "ms-wbt-server": msg3, - "pop3": msg7, - "repeated": msg2, - "smtp": msg6, - }), - ]); - - var part3 = match("MESSAGE#2:ms-wbt-server", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{hostname->} proto=%{protocol->} service=%{network_service->} status=deny src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport->} server_app=%{fld12->} pid=%{process_id->} app_name=%{fld14->} traff_direct=%{direction->} block_count=%{dclass_counter1->} logon_user=%{username}@%{domain->} msg=%{result}", processor_chain([ - dup3, - dup4, - dup5, - dup6, - dup7, - dup2, - dup8, - ])); - -- community_id: -- registered_domain: - ignore_missing: true - ignore_failure: 
true - field: dns.question.name - target_field: dns.question.registered_domain - target_subdomain_field: dns.question.subdomain - target_etld_field: dns.question.top_level_domain -- registered_domain: - ignore_missing: true - ignore_failure: true - field: client.domain - target_field: client.registered_domain - target_subdomain_field: client.subdomain - target_etld_field: client.top_level_domain -- registered_domain: - ignore_missing: true - ignore_failure: true - field: server.domain - target_field: server.registered_domain - target_subdomain_field: server.subdomain - target_etld_field: server.top_level_domain -- registered_domain: - ignore_missing: true - ignore_failure: true - field: destination.domain - target_field: destination.registered_domain - target_subdomain_field: destination.subdomain - target_etld_field: destination.top_level_domain -- registered_domain: - ignore_missing: true - ignore_failure: true - field: source.domain - target_field: source.registered_domain - target_subdomain_field: source.subdomain - target_etld_field: source.top_level_domain -- registered_domain: - ignore_missing: true - ignore_failure: true - field: url.domain - target_field: url.registered_domain - target_subdomain_field: url.subdomain - target_etld_field: url.top_level_domain -- add_locale: ~ diff --git a/packages/fortinet_forticlient/1.1.2/data_stream/log/elasticsearch/ingest_pipeline/default.yml b/packages/fortinet_forticlient/1.1.2/data_stream/log/elasticsearch/ingest_pipeline/default.yml deleted file mode 100755 index ea298cf0e2..0000000000 --- a/packages/fortinet_forticlient/1.1.2/data_stream/log/elasticsearch/ingest_pipeline/default.yml +++ /dev/null 
@@ -1,76 +0,0 @@
----
-description: Pipeline for Fortinet FortiClient Endpoint Security
-processors:
- - set:
- field: ecs.version
- value: '8.3.0'
- - set:
- field: observer.vendor
- value: Fortinet
- - set:
- field: observer.product
- value: FortiClient
- - set:
- field: observer.type
- value: anti-virus
- # User agent
- - user_agent:
- field: user_agent.original
- ignore_missing: true
- # IP Geolocation Lookup
- - geoip:
- field: source.ip
- target_field: source.geo
- ignore_missing: true
- - geoip:
- field: destination.ip
- target_field: destination.geo
- ignore_missing: true
-
- # IP Autonomous System (AS) Lookup
- - geoip:
- database_file: GeoLite2-ASN.mmdb
- field: source.ip
- target_field: source.as
- properties:
- - asn
- - organization_name
- ignore_missing: true
- - geoip:
- database_file: GeoLite2-ASN.mmdb
- field: destination.ip
- target_field: destination.as
- properties:
- - asn
- - organization_name
- ignore_missing: true
- - rename:
- field: source.as.asn
- target_field: source.as.number
- ignore_missing: true
- - rename:
- field: source.as.organization_name
- target_field: source.as.organization.name
- ignore_missing: true
- - rename:
- field: destination.as.asn
- target_field: destination.as.number
- ignore_missing: true
- - rename:
- field: destination.as.organization_name
- target_field: destination.as.organization.name
- ignore_missing: true
- - append:
- field: related.hosts
- value: '{{host.name}}'
- allow_duplicates: false
- if: ctx.host?.name != null && ctx.host?.name != ''
- - remove:
- field: event.original
- if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))"
- ignore_failure: true
- ignore_missing: true
-on_failure:
- - append:
- field: error.message
- value: "{{ _ingest.on_failure_message }}"
diff --git a/packages/fortinet_forticlient/1.1.2/data_stream/log/fields/agent.yml b/packages/fortinet_forticlient/1.1.2/data_stream/log/fields/agent.yml
deleted file mode 100755
index 38bb8dcec5..0000000000
--- a/packages/fortinet_forticlient/1.1.2/data_stream/log/fields/agent.yml
+++ /dev/null
@@ -1,175 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). 
- example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - diff --git a/packages/fortinet_forticlient/1.1.2/data_stream/log/fields/base-fields.yml b/packages/fortinet_forticlient/1.1.2/data_stream/log/fields/base-fields.yml deleted file mode 100755 index 4c654c09dc..0000000000 --- a/packages/fortinet_forticlient/1.1.2/data_stream/log/fields/base-fields.yml +++ /dev/null 
@@ -1,43 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: event.module - type: constant_keyword - description: Event module - value: fortinet -- name: event.dataset - type: constant_keyword - description: Event dataset - value: fortinet_forticlient.log -- name: container.id - description: Unique container id. - ignore_above: 1024 - type: keyword -- name: input.type - description: Type of Filebeat input. - type: keyword -- name: log.file.path - description: Full path to the log file this event came from. - example: /var/log/fun-times.log - ignore_above: 1024 - type: keyword -- name: log.source.address - description: Source address from which the log event was read / sent from. - type: keyword -- name: log.flags - description: Flags for the log file. - type: keyword -- name: log.offset - description: Offset of the entry in the log file. - type: long -- name: tags - description: List of keywords used to tag each event. - example: '["production", "env2"]' - ignore_above: 1024 - type: keyword diff --git a/packages/fortinet_forticlient/1.1.2/data_stream/log/fields/ecs.yml b/packages/fortinet_forticlient/1.1.2/data_stream/log/fields/ecs.yml deleted file mode 100755 index 86a7d52a55..0000000000 --- a/packages/fortinet_forticlient/1.1.2/data_stream/log/fields/ecs.yml +++ /dev/null 
@@ -1,556 +0,0 @@ -- description: |- - Date/time when the event originated. - This is the date/time extracted from the event, typically representing when the event was generated by the source. - If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. - Required field for all events. - name: '@timestamp' - type: date -- description: |- - The domain name of the client system. - This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. - name: client.domain - type: keyword -- description: |- - The highest registered client domain, stripped of the subdomain. - For example, the registered domain for "foo.example.com" is "example.com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". - name: client.registered_domain - type: keyword -- description: |- - The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. - For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. - name: client.subdomain - type: keyword -- description: |- - The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). 
Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". - name: client.top_level_domain - type: keyword -- description: |- - Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: destination.address - type: keyword -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: destination.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: destination.as.organization.name - type: keyword -- description: Bytes sent from the destination to the source. - name: destination.bytes - type: long -- description: |- - The domain name of the destination system. - This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. - name: destination.domain - type: keyword -- description: City name. - name: destination.geo.city_name - type: keyword -- description: Country name. - name: destination.geo.country_name - type: keyword -- description: Longitude and latitude. - name: destination.geo.location - type: geo_point -- description: IP address of the destination (IPv4 or IPv6). - name: destination.ip - type: ip -- description: |- - MAC address of the destination. - The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. 
- name: destination.mac - pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ - type: keyword -- description: |- - Translated ip of destination based NAT sessions (e.g. internet to private DMZ) - Typically used with load balancers, firewalls, or routers. - name: destination.nat.ip - type: ip -- description: |- - Port the source session is translated to by NAT Device. - Typically used with load balancers, firewalls, or routers. - name: destination.nat.port - type: long -- description: Port of the destination. - name: destination.port - type: long -- description: |- - The highest registered destination domain, stripped of the subdomain. - For example, the registered domain for "foo.example.com" is "example.com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". - name: destination.registered_domain - type: keyword -- description: |- - The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. - For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. - name: destination.subdomain - type: keyword -- description: |- - The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". 
- name: destination.top_level_domain - type: keyword -- description: |- - The domain name to which this resource record pertains. - If a chain of CNAME is being resolved, each answer's `name` should be the one that corresponds with the answer's `data`. It should not simply be the original `question.name` repeated. - name: dns.answers.name - type: keyword -- description: The type of data contained in this resource record. - name: dns.answers.type - type: keyword -- description: |- - The highest registered domain, stripped of the subdomain. - For example, the registered domain for "foo.example.com" is "example.com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". - name: dns.question.registered_domain - type: keyword -- description: |- - The subdomain is all of the labels under the registered_domain. - If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. - name: dns.question.subdomain - type: keyword -- description: |- - The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". - name: dns.question.top_level_domain - type: keyword -- description: The type of record being queried. - name: dns.question.type - type: keyword -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. 
- When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: Error message. - name: error.message - type: match_only_text -- description: |- - The action captured by the event. - This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. - name: event.action - type: keyword -- description: |- - Identification code for this event, if one exists. - Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. - name: event.code - type: keyword -- description: |- - Timestamp when an event arrived in the central data store. - This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. - In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. - name: event.ingested - type: date -- description: |- - Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. - This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. - doc_values: false - index: false - name: event.original - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. 
- `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. - Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. - Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. - Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. - name: event.outcome - type: keyword -- description: |- - This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. - Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). - name: event.timezone - type: keyword -- description: |- - Array of file attributes. - Attributes names will vary by platform. Here's a non-exhaustive list of values that are expected in this field: archive, compressed, directory, encrypted, execute, hidden, read, readonly, system, write. - name: file.attributes - normalize: - - array - type: keyword -- description: Directory where the file is located. It should include the drive letter, when appropriate. - name: file.directory - type: keyword -- description: |- - File extension, excluding the leading dot. - Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). - name: file.extension - type: keyword -- description: Name of the file including the extension, without the directory. 
- name: file.name - type: keyword -- description: Full path to the file, including the file name. It should include the drive letter, when appropriate. - multi_fields: - - name: text - type: match_only_text - name: file.path - type: keyword -- description: |- - File size in bytes. - Only relevant when `file.type` is "file". - name: file.size - type: long -- description: File type (file, dir, or symlink). - name: file.type - type: keyword -- description: City name. - name: geo.city_name - type: keyword -- description: Country name. - name: geo.country_name - type: keyword -- description: |- - User-defined description of a location, at the level of granularity they care about. - Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. - Not typically used in automated geolocation. - name: geo.name - type: keyword -- description: Region name. - name: geo.region_name - type: keyword -- description: Unique identifier for the group on the system/platform. - name: group.id - type: keyword -- description: Name of the group. - name: group.name - type: keyword -- description: |- - Hostname of the host. - It normally contains what the `hostname` command returns on the host machine. - name: host.hostname - type: keyword -- description: Host ip addresses. - name: host.ip - normalize: - - array - type: ip -- description: |- - Host MAC addresses. - The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. - name: host.mac - normalize: - - array - pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ - type: keyword -- description: |- - Name of the host. - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. 
- name: host.name - type: keyword -- description: |- - HTTP request method. - The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field. - name: http.request.method - type: keyword -- description: Referrer for this HTTP request. - name: http.request.referrer - type: keyword -- description: |- - Original log level of the log event. - If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). - Some examples are `warn`, `err`, `i`, `informational`. - name: log.level - type: keyword -- description: |- - The Syslog numeric facility of the log event, if available. - According to RFCs 5424 and 3164, this value should be an integer between 0 and 23. - name: log.syslog.facility.code - type: long -- description: |- - Syslog numeric priority of the event, if available. - According to RFCs 5424 and 3164, the priority is 8 * facility + severity. This number is therefore expected to contain a value between 0 and 191. - name: log.syslog.priority - type: long -- description: |- - The Syslog numeric severity of the log event, if available. - If the event source publishing via Syslog provides a different numeric severity value (e.g. firewall, IDS), your source's numeric severity should go to `event.severity`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `event.severity`. - name: log.syslog.severity.code - type: long -- description: |- - For log events the message field contains the log message, optimized for viewing in a log viewer. - For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. - If multiple messages exist, they can be combined into one message. 
- name: message - type: match_only_text -- description: |- - When a specific application or service is identified from network connection details (source/dest IPs, ports, certificates, or wire format), this field captures the application's or service's name. - For example, the original event identifies the network connection being from a specific web service in a `https` network connection, like `facebook` or `twitter`. - The field value must be normalized to lowercase for querying. - name: network.application - type: keyword -- description: |- - Total bytes transferred in both directions. - If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. - name: network.bytes - type: long -- description: |- - Direction of the network traffic. - Recommended values are: - * ingress - * egress - * inbound - * outbound - * internal - * external - * unknown - - When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". - When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". - Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. - name: network.direction - type: keyword -- description: Host IP address when the source IP address is the proxy. - name: network.forwarded_ip - type: ip -- description: |- - Total packets transferred in both directions. - If `source.packets` and `destination.packets` are known, `network.packets` is their sum. - name: network.packets - type: long -- description: |- - In the OSI Model this would be the Application Layer protocol. 
For example, `http`, `dns`, or `ssh`. - The field value must be normalized to lowercase for querying. - name: network.protocol - type: keyword -- description: Interface name as reported by the system. - name: observer.egress.interface.name - type: keyword -- description: Interface name as reported by the system. - name: observer.ingress.interface.name - type: keyword -- description: The product name of the observer. - name: observer.product - type: keyword -- description: |- - The type of the observer the data is coming from. - There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. - name: observer.type - type: keyword -- description: Vendor name of the observer. - name: observer.vendor - type: keyword -- description: Observer version. - name: observer.version - type: keyword -- description: |- - Process name. - Sometimes called program name or similar. - multi_fields: - - name: text - type: match_only_text - name: process.name - type: keyword -- description: |- - Process name. - Sometimes called program name or similar. - multi_fields: - - name: text - type: match_only_text - name: process.parent.name - type: keyword -- description: |- - Process title. - The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. - multi_fields: - - name: text - type: match_only_text - name: process.parent.title - type: keyword -- description: Process id. - name: process.pid - type: long -- description: Process id. - name: process.parent.pid - type: long -- description: |- - Process title. - The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. - multi_fields: - - name: text - type: match_only_text - name: process.title - type: keyword -- description: All hostnames or other host identifiers seen on your event. 
Example identifiers include FQDNs, domain names, workstation names, or aliases. - name: related.hosts - normalize: - - array - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - normalize: - - array - type: ip -- description: All the user names or other user identifiers seen on the event. - name: related.user - normalize: - - array - type: keyword -- description: The name of the rule or signature generating the event. - name: rule.name - type: keyword -- description: |- - The domain name of the server system. - This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. - name: server.domain - type: keyword -- description: |- - The highest registered server domain, stripped of the subdomain. - For example, the registered domain for "foo.example.com" is "example.com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". - name: server.registered_domain - type: keyword -- description: |- - The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. - For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. - name: server.subdomain - type: keyword -- description: |- - The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". 
- This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". - name: server.top_level_domain - type: keyword -- description: |- - Name of the service data is collected from. - The name of the service is normally user given. This allows for distributed services that run on multiple hosts to correlate the related instances based on the name. - In the case of Elasticsearch the `service.name` could contain the cluster name. For Beats the `service.name` is by default a copy of the `service.type` field if no name is specified. - name: service.name - type: keyword -- description: |- - Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: source.address - type: keyword -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: source.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: source.as.organization.name - type: keyword -- description: Bytes sent from the source to the destination. - name: source.bytes - type: long -- description: |- - The domain name of the source system. - This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. - name: source.domain - type: keyword -- description: City name. - name: source.geo.city_name - type: keyword -- description: Country name. - name: source.geo.country_name - type: keyword -- description: Longitude and latitude. 
- name: source.geo.location - type: geo_point -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: |- - MAC address of the source. - The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. - name: source.mac - pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ - type: keyword -- description: |- - Translated ip of source based NAT sessions (e.g. internal client to internet) - Typically connections traversing load balancers, firewalls, or routers. - name: source.nat.ip - type: ip -- description: |- - Translated port of source based NAT sessions. (e.g. internal client to internet) - Typically used with load balancers, firewalls, or routers. - name: source.nat.port - type: long -- description: Port of the source. - name: source.port - type: long -- description: |- - The highest registered source domain, stripped of the subdomain. - For example, the registered domain for "foo.example.com" is "example.com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". - name: source.registered_domain - type: keyword -- description: |- - The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. - For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. 
- name: source.subdomain - type: keyword -- description: |- - The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". - name: source.top_level_domain - type: keyword -- description: List of keywords used to tag each event. - name: tags - normalize: - - array - type: keyword -- description: |- - Domain of the url, such as "www.elastic.co". - In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. - If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. - name: url.domain - type: keyword -- description: |- - Unmodified original url as seen in the event source. - Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. - This field is meant to represent the URL as it was observed, complete or not. - multi_fields: - - name: text - type: match_only_text - name: url.original - type: wildcard -- description: Path of the request, such as "/search". - name: url.path - type: wildcard -- description: |- - The query field describes the query string of the request, such as "q=elasticsearch". - The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. - name: url.query - type: keyword -- description: |- - The highest registered url domain, stripped of the subdomain. 
- For example, the registered domain for "foo.example.com" is "example.com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". - name: url.registered_domain - type: keyword -- description: |- - The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". - name: url.top_level_domain - type: keyword -- description: |- - Name of the directory the user is a member of. - For example, an LDAP or Active Directory domain name. - name: user.domain - type: keyword -- description: User's full name, if available. - multi_fields: - - name: text - type: match_only_text - name: user.full_name - type: keyword -- description: Unique identifier of the user. - name: user.id - type: keyword -- description: Short name or login of the user. - multi_fields: - - name: text - type: match_only_text - name: user.name - type: keyword -- description: Unparsed user_agent string. - multi_fields: - - name: text - type: match_only_text - name: user_agent.original - type: keyword diff --git a/packages/fortinet_forticlient/1.1.2/data_stream/log/fields/fields.yml b/packages/fortinet_forticlient/1.1.2/data_stream/log/fields/fields.yml deleted file mode 100755 index ea69cd79e3..0000000000 --- a/packages/fortinet_forticlient/1.1.2/data_stream/log/fields/fields.yml +++ /dev/null 
@@ -1,1754 +0,0 @@
-- name: rsa
- type: group
- fields:
- - name: internal
- type: group
- fields:
- - name: msg
- type: keyword
- description: This key is used to capture the raw message that comes into the Log Decoder
- - name: messageid
- type: keyword
- - name: event_desc
- type: keyword
- - name: message
- type: keyword
- description: This key captures the contents of instant messages
- - name: time
- type: date
- description: This is the time at which a session hits a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness.
- - name: level
- type: long
- description: Deprecated key defined only in table map.
- - name: msg_id
- type: keyword
- description: This is the Message ID1 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
- - name: msg_vid
- type: keyword
- description: This is the Message ID2 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
- - name: data
- type: keyword
- description: Deprecated key defined only in table map.
- - name: obj_server
- type: keyword
- description: Deprecated key defined only in table map.
- - name: obj_val
- type: keyword
- description: Deprecated key defined only in table map.
- - name: resource
- type: keyword
- description: Deprecated key defined only in table map.
- - name: obj_id
- type: keyword
- description: Deprecated key defined only in table map.
- - name: statement
- type: keyword
- description: Deprecated key defined only in table map.
- - name: audit_class
- type: keyword
- description: Deprecated key defined only in table map.
- - name: entry - type: keyword - description: Deprecated key defined only in table map. - - name: hcode - type: keyword - description: Deprecated key defined only in table map. - - name: inode - type: long - description: Deprecated key defined only in table map. - - name: resource_class - type: keyword - description: Deprecated key defined only in table map. - - name: dead - type: long - description: Deprecated key defined only in table map. - - name: feed_desc - type: keyword - description: This is used to capture the description of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: feed_name - type: keyword - description: This is used to capture the name of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: cid - type: keyword - description: This is the unique identifier used to identify a NetWitness Concentrator. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: device_class - type: keyword - description: This is the Classification of the Log Event Source under a predefined fixed set of Event Source Classifications. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: device_group - type: keyword - description: This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: device_host - type: keyword - description: This is the Hostname of the log Event Source sending the logs to NetWitness. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: device_ip - type: ip - description: This is the IPv4 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: device_ipv6 - type: ip - description: This is the IPv6 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: device_type - type: keyword - description: This is the name of the log parser which parsed a given session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: device_type_id - type: long - description: Deprecated key defined only in table map. - - name: did - type: keyword - description: This is the unique identifier used to identify a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: entropy_req - type: long - description: This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration - - name: entropy_res - type: long - description: This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration - - name: event_name - type: keyword - description: Deprecated key defined only in table map. - - name: feed_category - type: keyword - description: This is used to capture the category of the feed. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: forward_ip - type: ip - description: This key should be used to capture the IPV4 address of a relay system which forwarded the events from the original system to NetWitness. - - name: forward_ipv6 - type: ip - description: This key is used to capture the IPV6 address of a relay system which forwarded the events from the original system to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: header_id - type: keyword - description: This is the Header ID value that identifies the exact log parser header definition that parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: lc_cid - type: keyword - description: This is a unique Identifier of a Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: lc_ctime - type: date - description: This is the time at which a log is collected in a NetWitness Log Collector. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: mcb_req - type: long - description: This key is only used by the Entropy Parser, the most common byte request is simply which byte for each side (0 thru 255) was seen the most - - name: mcb_res - type: long - description: This key is only used by the Entropy Parser, the most common byte response is simply which byte for each side (0 thru 255) was seen the most - - name: mcbc_req - type: long - description: This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams - - name: mcbc_res - type: long - description: This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams - - name: medium - type: long - description: "This key is used to identify if it’s a log/packet session or Layer 2 Encapsulation Type. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. 32 = log, 33 = correlation session, < 32 is packet session" - - name: node_name - type: keyword - description: Deprecated key defined only in table map. - - name: nwe_callback_id - type: keyword - description: This key denotes that event is endpoint related - - name: parse_error - type: keyword - description: This is a special key that stores any Meta key validation error found while parsing a log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: payload_req - type: long - description: This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. 
However, in order to keep - - name: payload_res - type: long - description: This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep - - name: process_vid_dst - type: keyword - description: Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the target process. - - name: process_vid_src - type: keyword - description: Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the source process. - - name: rid - type: long - description: This is a special ID of the Remote Session created by NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: session_split - type: keyword - description: This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: site - type: keyword - description: Deprecated key defined only in table map. - - name: size - type: long - description: This is the size of the session as seen by the NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: sourcefile - type: keyword - description: This is the name of the log file or PCAPs that can be imported into NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: ubc_req - type: long - description: This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 
256 would mean all byte values of 0 thru 255 were seen at least once - - name: ubc_res - type: long - description: This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once - - name: word - type: keyword - description: This is used by the Word Parsing technology to capture the first 5 character of every word in an unparsed log - - name: time - type: group - fields: - - name: event_time - type: date - description: This key is used to capture the time mentioned in a raw session that represents the actual time an event occured in a standard normalized form - - name: duration_time - type: double - description: This key is used to capture the normalized duration/lifetime in seconds. - - name: event_time_str - type: keyword - description: This key is used to capture the incomplete time mentioned in a session as a string - - name: starttime - type: date - description: This key is used to capture the Start time mentioned in a session in a standard form - - name: month - type: keyword - - name: day - type: keyword - - name: endtime - type: date - description: This key is used to capture the End time mentioned in a session in a standard form - - name: timezone - type: keyword - description: This key is used to capture the timezone of the Event Time - - name: duration_str - type: keyword - description: A text string version of the duration - - name: date - type: keyword - - name: year - type: keyword - - name: recorded_time - type: date - description: The event time as recorded by the system the event is collected from. The usage scenario is a multi-tier application where the management layer of the system records it's own timestamp at the time of collection from its child nodes. Must be in timestamp format. 
- - name: datetime - type: keyword - - name: effective_time - type: date - description: This key is the effective time referenced by an individual event in a Standard Timestamp format - - name: expire_time - type: date - description: This key is the timestamp that explicitly refers to an expiration. - - name: process_time - type: keyword - description: Deprecated, use duration.time - - name: hour - type: keyword - - name: min - type: keyword - - name: timestamp - type: keyword - - name: event_queue_time - type: date - description: This key is the Time that the event was queued. - - name: p_time1 - type: keyword - - name: tzone - type: keyword - - name: eventtime - type: keyword - - name: gmtdate - type: keyword - - name: gmttime - type: keyword - - name: p_date - type: keyword - - name: p_month - type: keyword - - name: p_time - type: keyword - - name: p_time2 - type: keyword - - name: p_year - type: keyword - - name: expire_time_str - type: keyword - description: This key is used to capture incomplete timestamp that explicitly refers to an expiration. - - name: stamp - type: date - description: Deprecated key defined only in table map. - - name: misc - type: group - fields: - - name: action - type: keyword - - name: result - type: keyword - description: This key is used to capture the outcome/result string value of an action in a session. - - name: severity - type: keyword - description: This key is used to capture the severity given the session - - name: event_type - type: keyword - description: This key captures the event category type as specified by the event source. - - name: reference_id - type: keyword - description: This key is used to capture an event id from the session directly - - name: version - type: keyword - description: This key captures Version of the application or OS which is generating the event. - - name: disposition - type: keyword - description: This key captures the The end state of an action. 
- - name: result_code - type: keyword - description: This key is used to capture the outcome/result numeric value of an action in a session - - name: category - type: keyword - description: This key is used to capture the category of an event given by the vendor in the session - - name: obj_name - type: keyword - description: This is used to capture name of object - - name: obj_type - type: keyword - description: This is used to capture type of object - - name: event_source - type: keyword - description: "This key captures Source of the event that’s not a hostname" - - name: log_session_id - type: keyword - description: This key is used to capture a sessionid from the session directly - - name: group - type: keyword - description: This key captures the Group Name value - - name: policy_name - type: keyword - description: This key is used to capture the Policy Name only. - - name: rule_name - type: keyword - description: This key captures the Rule Name - - name: context - type: keyword - description: This key captures Information which adds additional context to the event. - - name: change_new - type: keyword - description: "This key is used to capture the new values of the attribute that’s changing in a session" - - name: space - type: keyword - - name: client - type: keyword - description: This key is used to capture only the name of the client application requesting resources of the server. See the user.agent meta key for capture of the specific user agent identifier or browser identification string. - - name: msgIdPart1 - type: keyword - - name: msgIdPart2 - type: keyword - - name: change_old - type: keyword - description: "This key is used to capture the old value of the attribute that’s changing in a session" - - name: operation_id - type: keyword - description: An alert number or operation number. The values should be unique and non-repeating. 
- - name: event_state - type: keyword - description: This key captures the current state of the object/item referenced within the event. Describing an on-going event. - - name: group_object - type: keyword - description: This key captures a collection/grouping of entities. Specific usage - - name: node - type: keyword - description: Common use case is the node name within a cluster. The cluster name is reflected by the host name. - - name: rule - type: keyword - description: This key captures the Rule number - - name: device_name - type: keyword - description: 'This is used to capture name of the Device associated with the node Like: a physical disk, printer, etc' - - name: param - type: keyword - description: This key is the parameters passed as part of a command or application, etc. - - name: change_attrib - type: keyword - description: "This key is used to capture the name of the attribute that’s changing in a session" - - name: event_computer - type: keyword - description: This key is a windows only concept, where this key is used to capture fully qualified domain name in a windows log. - - name: reference_id1 - type: keyword - description: This key is for Linked ID to be used as an addition to "reference.id" - - name: event_log - type: keyword - description: This key captures the Name of the event log - - name: OS - type: keyword - description: This key captures the Name of the Operating System - - name: terminal - type: keyword - description: This key captures the Terminal Names only - - name: msgIdPart3 - type: keyword - - name: filter - type: keyword - description: This key captures Filter used to reduce result set - - name: serial_number - type: keyword - description: This key is the Serial number associated with a physical asset. - - name: checksum - type: keyword - description: This key is used to capture the checksum or hash of the entity such as a file or process. 
Checksum should be used over checksum.src or checksum.dst when it is unclear whether the entity is a source or target of an action. - - name: event_user - type: keyword - description: This key is a windows only concept, where this key is used to capture combination of domain name and username in a windows log. - - name: virusname - type: keyword - description: This key captures the name of the virus - - name: content_type - type: keyword - description: This key is used to capture Content Type only. - - name: group_id - type: keyword - description: This key captures Group ID Number (related to the group name) - - name: policy_id - type: keyword - description: This key is used to capture the Policy ID only, this should be a numeric value, use policy.name otherwise - - name: vsys - type: keyword - description: This key captures Virtual System Name - - name: connection_id - type: keyword - description: This key captures the Connection ID - - name: reference_id2 - type: keyword - description: This key is for the 2nd Linked ID. Can be either linked to "reference.id" or "reference.id1" value but should not be used unless the other two variables are in play. - - name: sensor - type: keyword - description: This key captures Name of the sensor. Typically used in IDS/IPS based devices - - name: sig_id - type: long - description: This key captures IDS/IPS Int Signature ID - - name: port_name - type: keyword - description: 'This key is used for Physical or logical port connection but does NOT include a network port. (Example: Printer port name).' - - name: rule_group - type: keyword - description: This key captures the Rule group name - - name: risk_num - type: double - description: This key captures a Numeric Risk value - - name: trigger_val - type: keyword - description: This key captures the Value of the trigger or threshold condition. 
- - name: log_session_id1 - type: keyword - description: This key is used to capture a Linked (Related) Session ID from the session directly - - name: comp_version - type: keyword - description: This key captures the Version level of a sub-component of a product. - - name: content_version - type: keyword - description: This key captures Version level of a signature or database content. - - name: hardware_id - type: keyword - description: This key is used to capture unique identifier for a device or system (NOT a Mac address) - - name: risk - type: keyword - description: This key captures the non-numeric risk value - - name: event_id - type: keyword - - name: reason - type: keyword - - name: status - type: keyword - - name: mail_id - type: keyword - description: This key is used to capture the mailbox id/name - - name: rule_uid - type: keyword - description: This key is the Unique Identifier for a rule. - - name: trigger_desc - type: keyword - description: This key captures the Description of the trigger or threshold condition. - - name: inout - type: keyword - - name: p_msgid - type: keyword - - name: data_type - type: keyword - - name: msgIdPart4 - type: keyword - - name: error - type: keyword - description: This key captures All non successful Error codes or responses - - name: index - type: keyword - - name: listnum - type: keyword - description: This key is used to capture listname or listnumber, primarily for collecting access-list - - name: ntype - type: keyword - - name: observed_val - type: keyword - description: This key captures the Value observed (from the perspective of the device generating the log). - - name: policy_value - type: keyword - description: This key captures the contents of the policy. 
This contains details about the policy - - name: pool_name - type: keyword - description: This key captures the name of a resource pool - - name: rule_template - type: keyword - description: A default set of parameters which are overlayed onto a rule (or rulename) which efffectively constitutes a template - - name: count - type: keyword - - name: number - type: keyword - - name: sigcat - type: keyword - - name: type - type: keyword - - name: comments - type: keyword - description: Comment information provided in the log message - - name: doc_number - type: long - description: This key captures File Identification number - - name: expected_val - type: keyword - description: This key captures the Value expected (from the perspective of the device generating the log). - - name: job_num - type: keyword - description: This key captures the Job Number - - name: spi_dst - type: keyword - description: Destination SPI Index - - name: spi_src - type: keyword - description: Source SPI Index - - name: code - type: keyword - - name: agent_id - type: keyword - description: This key is used to capture agent id - - name: message_body - type: keyword - description: This key captures the The contents of the message body. - - name: phone - type: keyword - - name: sig_id_str - type: keyword - description: This key captures a string object of the sigid variable. - - name: cmd - type: keyword - - name: misc - type: keyword - - name: name - type: keyword - - name: cpu - type: long - description: This key is the CPU time used in the execution of the event being recorded. - - name: event_desc - type: keyword - description: This key is used to capture a description of an event available directly or inferred - - name: sig_id1 - type: long - description: This key captures IDS/IPS Int Signature ID. 
This must be linked to the sig.id - - name: im_buddyid - type: keyword - - name: im_client - type: keyword - - name: im_userid - type: keyword - - name: pid - type: keyword - - name: priority - type: keyword - - name: context_subject - type: keyword - description: This key is to be used in an audit context where the subject is the object being identified - - name: context_target - type: keyword - - name: cve - type: keyword - description: This key captures CVE (Common Vulnerabilities and Exposures) - an identifier for known information security vulnerabilities. - - name: fcatnum - type: keyword - description: This key captures Filter Category Number. Legacy Usage - - name: library - type: keyword - description: This key is used to capture library information in mainframe devices - - name: parent_node - type: keyword - description: This key captures the Parent Node Name. Must be related to node variable. - - name: risk_info - type: keyword - description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - - name: tcp_flags - type: long - description: This key is captures the TCP flags set in any packet of session - - name: tos - type: long - description: This key describes the type of service - - name: vm_target - type: keyword - description: VMWare Target **VMWARE** only varaible. 
- - name: workspace - type: keyword - description: This key captures Workspace Description - - name: command - type: keyword - - name: event_category - type: keyword - - name: facilityname - type: keyword - - name: forensic_info - type: keyword - - name: jobname - type: keyword - - name: mode - type: keyword - - name: policy - type: keyword - - name: policy_waiver - type: keyword - - name: second - type: keyword - - name: space1 - type: keyword - - name: subcategory - type: keyword - - name: tbdstr2 - type: keyword - - name: alert_id - type: keyword - description: Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - - name: checksum_dst - type: keyword - description: This key is used to capture the checksum or hash of the the target entity such as a process or file. - - name: checksum_src - type: keyword - description: This key is used to capture the checksum or hash of the source entity such as a file or process. - - name: fresult - type: long - description: This key captures the Filter Result - - name: payload_dst - type: keyword - description: This key is used to capture destination payload - - name: payload_src - type: keyword - description: This key is used to capture source payload - - name: pool_id - type: keyword - description: This key captures the identifier (typically numeric field) of a resource pool - - name: process_id_val - type: keyword - description: This key is a failure key for Process ID when it is not an integer value - - name: risk_num_comm - type: double - description: This key captures Risk Number Community - - name: risk_num_next - type: double - description: This key captures Risk Number NextGen - - name: risk_num_sand - type: double - description: This key captures Risk Number SandBox - - name: risk_num_static - type: double - description: This key captures Risk Number Static - - name: risk_suspicious - type: keyword - description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - - name: risk_warning - 
type: keyword - description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - - name: snmp_oid - type: keyword - description: SNMP Object Identifier - - name: sql - type: keyword - description: This key captures the SQL query - - name: vuln_ref - type: keyword - description: This key captures the Vulnerability Reference details - - name: acl_id - type: keyword - - name: acl_op - type: keyword - - name: acl_pos - type: keyword - - name: acl_table - type: keyword - - name: admin - type: keyword - - name: alarm_id - type: keyword - - name: alarmname - type: keyword - - name: app_id - type: keyword - - name: audit - type: keyword - - name: audit_object - type: keyword - - name: auditdata - type: keyword - - name: benchmark - type: keyword - - name: bypass - type: keyword - - name: cache - type: keyword - - name: cache_hit - type: keyword - - name: cefversion - type: keyword - - name: cfg_attr - type: keyword - - name: cfg_obj - type: keyword - - name: cfg_path - type: keyword - - name: changes - type: keyword - - name: client_ip - type: keyword - - name: clustermembers - type: keyword - - name: cn_acttimeout - type: keyword - - name: cn_asn_src - type: keyword - - name: cn_bgpv4nxthop - type: keyword - - name: cn_ctr_dst_code - type: keyword - - name: cn_dst_tos - type: keyword - - name: cn_dst_vlan - type: keyword - - name: cn_engine_id - type: keyword - - name: cn_engine_type - type: keyword - - name: cn_f_switch - type: keyword - - name: cn_flowsampid - type: keyword - - name: cn_flowsampintv - type: keyword - - name: cn_flowsampmode - type: keyword - - name: cn_inacttimeout - type: keyword - - name: cn_inpermbyts - type: keyword - - name: cn_inpermpckts - type: keyword - - name: cn_invalid - type: keyword - - name: cn_ip_proto_ver - type: keyword - - name: cn_ipv4_ident - type: keyword - - name: cn_l_switch - type: keyword - - name: cn_log_did - type: keyword - - name: cn_log_rid - type: keyword - - name: cn_max_ttl - type: keyword - - name: 
cn_maxpcktlen - type: keyword - - name: cn_min_ttl - type: keyword - - name: cn_minpcktlen - type: keyword - - name: cn_mpls_lbl_1 - type: keyword - - name: cn_mpls_lbl_10 - type: keyword - - name: cn_mpls_lbl_2 - type: keyword - - name: cn_mpls_lbl_3 - type: keyword - - name: cn_mpls_lbl_4 - type: keyword - - name: cn_mpls_lbl_5 - type: keyword - - name: cn_mpls_lbl_6 - type: keyword - - name: cn_mpls_lbl_7 - type: keyword - - name: cn_mpls_lbl_8 - type: keyword - - name: cn_mpls_lbl_9 - type: keyword - - name: cn_mplstoplabel - type: keyword - - name: cn_mplstoplabip - type: keyword - - name: cn_mul_dst_byt - type: keyword - - name: cn_mul_dst_pks - type: keyword - - name: cn_muligmptype - type: keyword - - name: cn_sampalgo - type: keyword - - name: cn_sampint - type: keyword - - name: cn_seqctr - type: keyword - - name: cn_spackets - type: keyword - - name: cn_src_tos - type: keyword - - name: cn_src_vlan - type: keyword - - name: cn_sysuptime - type: keyword - - name: cn_template_id - type: keyword - - name: cn_totbytsexp - type: keyword - - name: cn_totflowexp - type: keyword - - name: cn_totpcktsexp - type: keyword - - name: cn_unixnanosecs - type: keyword - - name: cn_v6flowlabel - type: keyword - - name: cn_v6optheaders - type: keyword - - name: comp_class - type: keyword - - name: comp_name - type: keyword - - name: comp_rbytes - type: keyword - - name: comp_sbytes - type: keyword - - name: cpu_data - type: keyword - - name: criticality - type: keyword - - name: cs_agency_dst - type: keyword - - name: cs_analyzedby - type: keyword - - name: cs_av_other - type: keyword - - name: cs_av_primary - type: keyword - - name: cs_av_secondary - type: keyword - - name: cs_bgpv6nxthop - type: keyword - - name: cs_bit9status - type: keyword - - name: cs_context - type: keyword - - name: cs_control - type: keyword - - name: cs_data - type: keyword - - name: cs_datecret - type: keyword - - name: cs_dst_tld - type: keyword - - name: cs_eth_dst_ven - type: keyword - - 
name: cs_eth_src_ven - type: keyword - - name: cs_event_uuid - type: keyword - - name: cs_filetype - type: keyword - - name: cs_fld - type: keyword - - name: cs_if_desc - type: keyword - - name: cs_if_name - type: keyword - - name: cs_ip_next_hop - type: keyword - - name: cs_ipv4dstpre - type: keyword - - name: cs_ipv4srcpre - type: keyword - - name: cs_lifetime - type: keyword - - name: cs_log_medium - type: keyword - - name: cs_loginname - type: keyword - - name: cs_modulescore - type: keyword - - name: cs_modulesign - type: keyword - - name: cs_opswatresult - type: keyword - - name: cs_payload - type: keyword - - name: cs_registrant - type: keyword - - name: cs_registrar - type: keyword - - name: cs_represult - type: keyword - - name: cs_rpayload - type: keyword - - name: cs_sampler_name - type: keyword - - name: cs_sourcemodule - type: keyword - - name: cs_streams - type: keyword - - name: cs_targetmodule - type: keyword - - name: cs_v6nxthop - type: keyword - - name: cs_whois_server - type: keyword - - name: cs_yararesult - type: keyword - - name: description - type: keyword - - name: devvendor - type: keyword - - name: distance - type: keyword - - name: dstburb - type: keyword - - name: edomain - type: keyword - - name: edomaub - type: keyword - - name: euid - type: keyword - - name: facility - type: keyword - - name: finterface - type: keyword - - name: flags - type: keyword - - name: gaddr - type: keyword - - name: id3 - type: keyword - - name: im_buddyname - type: keyword - - name: im_croomid - type: keyword - - name: im_croomtype - type: keyword - - name: im_members - type: keyword - - name: im_username - type: keyword - - name: ipkt - type: keyword - - name: ipscat - type: keyword - - name: ipspri - type: keyword - - name: latitude - type: keyword - - name: linenum - type: keyword - - name: list_name - type: keyword - - name: load_data - type: keyword - - name: location_floor - type: keyword - - name: location_mark - type: keyword - - name: log_id - 
type: keyword
- - name: log_type
- type: keyword
- - name: logid
- type: keyword
- - name: logip
- type: keyword
- - name: logname
- type: keyword
- - name: longitude
- type: keyword
- - name: lport
- type: keyword
- - name: mbug_data
- type: keyword
- - name: misc_name
- type: keyword
- - name: msg_type
- type: keyword
- - name: msgid
- type: keyword
- - name: netsessid
- type: keyword
- - name: num
- type: keyword
- - name: number1
- type: keyword
- - name: number2
- type: keyword
- - name: nwwn
- type: keyword
- - name: object
- type: keyword
- - name: operation
- type: keyword
- - name: opkt
- type: keyword
- - name: orig_from
- type: keyword
- - name: owner_id
- type: keyword
- - name: p_action
- type: keyword
- - name: p_filter
- type: keyword
- - name: p_group_object
- type: keyword
- - name: p_id
- type: keyword
- - name: p_msgid1
- type: keyword
- - name: p_msgid2
- type: keyword
- - name: p_result1
- type: keyword
- - name: password_chg
- type: keyword
- - name: password_expire
- type: keyword
- - name: permgranted
- type: keyword
- - name: permwanted
- type: keyword
- - name: pgid
- type: keyword
- - name: policyUUID
- type: keyword
- - name: prog_asp_num
- type: keyword
- - name: program
- type: keyword
- - name: real_data
- type: keyword
- - name: rec_asp_device
- type: keyword
- - name: rec_asp_num
- type: keyword
- - name: rec_library
- type: keyword
- - name: recordnum
- type: keyword
- - name: ruid
- type: keyword
- - name: sburb
- type: keyword
- - name: sdomain_fld
- type: keyword
- - name: sec
- type: keyword
- - name: sensorname
- type: keyword
- - name: seqnum
- type: keyword
- - name: session
- type: keyword
- - name: sessiontype
- type: keyword
- - name: sigUUID
- type: keyword
- - name: spi
- type: keyword
- - name: srcburb
- type: keyword
- - name: srcdom
- type: keyword
- - name: srcservice
- type: keyword
- - name: state
- type: keyword
- - name: status1
- type: keyword
- - name: svcno
- type: keyword
- - name: system
- type: keyword
- -
name: tbdstr1
- type: keyword
- - name: tgtdom
- type: keyword
- - name: tgtdomain
- type: keyword
- - name: threshold
- type: keyword
- - name: type1
- type: keyword
- - name: udb_class
- type: keyword
- - name: url_fld
- type: keyword
- - name: user_div
- type: keyword
- - name: userid
- type: keyword
- - name: username_fld
- type: keyword
- - name: utcstamp
- type: keyword
- - name: v_instafname
- type: keyword
- - name: virt_data
- type: keyword
- - name: vpnid
- type: keyword
- - name: autorun_type
- type: keyword
- description: This is used to capture Auto Run type
- - name: cc_number
- type: long
- description: Valid Credit Card Numbers only
- - name: content
- type: keyword
- description: This key captures the content type from protocol headers
- - name: ein_number
- type: long
- description: Employee Identification Numbers only
- - name: found
- type: keyword
- description: This is used to capture the results of regex match
- - name: language
- type: keyword
- description: This is used to capture list of languages the client support and what it prefers
- - name: lifetime
- type: long
- description: This key is used to capture the session lifetime in seconds.
- - name: link
- type: keyword
- description: This key is used to link the sessions together. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
- - name: match
- type: keyword
- description: This key is for regex match name from search.ini
- - name: param_dst
- type: keyword
- description: This key captures the command line/launch argument of the target process or file
- - name: param_src
- type: keyword
- description: This key captures source parameter
- - name: search_text
- type: keyword
- description: This key captures the Search Text used
- - name: sig_name
- type: keyword
- description: This key is used to capture the Signature Name only.
- - name: snmp_value
- type: keyword
- description: SNMP set request value
- - name: streams
- type: long
- description: This key captures number of streams in session
- - name: db
- type: group
- fields:
- - name: index
- type: keyword
- description: This key captures IndexID of the index.
- - name: instance
- type: keyword
- description: This key is used to capture the database server instance name
- - name: database
- type: keyword
- description: This key is used to capture the name of a database or an instance as seen in a session
- - name: transact_id
- type: keyword
- description: This key captures the SQL transantion ID of the current session
- - name: permissions
- type: keyword
- description: This key captures permission or privilege level assigned to a resource.
- - name: table_name
- type: keyword
- description: This key is used to capture the table name
- - name: db_id
- type: keyword
- description: This key is used to capture the unique identifier for a database
- - name: db_pid
- type: long
- description: This key captures the process id of a connection with database server
- - name: lread
- type: long
- description: This key is used for the number of logical reads
- - name: lwrite
- type: long
- description: This key is used for the number of logical writes
- - name: pread
- type: long
- description: This key is used for the number of physical writes
- - name: network
- type: group
- fields:
- - name: alias_host
- type: keyword
- description: This key should be used when the source or destination context of a hostname is not clear.Also it captures the Device Hostname. Any Hostname that isnt ad.computer.
- - name: domain
- type: keyword
- - name: host_dst
- type: keyword
- description: "This key should only be used when it’s a Destination Hostname"
- - name: network_service
- type: keyword
- description: This is used to capture layer 7 protocols/service names
- - name: interface
- type: keyword
- description: This key should be used when the source or destination context of an interface is not clear
- - name: network_port
- type: long
- description: 'Deprecated, use port. NOTE: There is a type discrepancy as currently used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!)'
- - name: eth_host
- type: keyword
- description: Deprecated, use alias.mac
- - name: sinterface
- type: keyword
- description: "This key should only be used when it’s a Source Interface"
- - name: dinterface
- type: keyword
- description: "This key should only be used when it’s a Destination Interface"
- - name: vlan
- type: long
- description: This key should only be used to capture the ID of the Virtual LAN
- - name: zone_src
- type: keyword
- description: "This key should only be used when it’s a Source Zone."
- - name: zone
- type: keyword
- description: This key should be used when the source or destination context of a Zone is not clear
- - name: zone_dst
- type: keyword
- description: "This key should only be used when it’s a Destination Zone."
- - name: gateway
- type: keyword
- description: This key is used to capture the IP Address of the gateway
- - name: icmp_type
- type: long
- description: This key is used to capture the ICMP type only
- - name: mask
- type: keyword
- description: This key is used to capture the device network IPmask.
- - name: icmp_code
- type: long
- description: This key is used to capture the ICMP code only
- - name: protocol_detail
- type: keyword
- description: This key should be used to capture additional protocol information
- - name: dmask
- type: keyword
- description: This key is used for Destionation Device network mask
- - name: port
- type: long
- description: This key should only be used to capture a Network Port when the directionality is not clear
- - name: smask
- type: keyword
- description: This key is used for capturing source Network Mask
- - name: netname
- type: keyword
- description: This key is used to capture the network name associated with an IP range. This is configured by the end user.
- - name: paddr
- type: ip
- description: Deprecated
- - name: faddr
- type: keyword
- - name: lhost
- type: keyword
- - name: origin
- type: keyword
- - name: remote_domain_id
- type: keyword
- - name: addr
- type: keyword
- - name: dns_a_record
- type: keyword
- - name: dns_ptr_record
- type: keyword
- - name: fhost
- type: keyword
- - name: fport
- type: keyword
- - name: laddr
- type: keyword
- - name: linterface
- type: keyword
- - name: phost
- type: keyword
- - name: ad_computer_dst
- type: keyword
- description: Deprecated, use host.dst
- - name: eth_type
- type: long
- description: This key is used to capture Ethernet Type, Used for Layer 3 Protocols Only
- - name: ip_proto
- type: long
- description: This key should be used to capture the Protocol number, all the protocol nubers are converted into string in UI
- - name: dns_cname_record
- type: keyword
- - name: dns_id
- type: keyword
- - name: dns_opcode
- type: keyword
- - name: dns_resp
- type: keyword
- - name: dns_type
- type: keyword
- - name: domain1
- type: keyword
- - name: host_type
- type: keyword
- - name: packet_length
- type: keyword
- - name: host_orig
- type: keyword
- description: This is used to capture the original hostname in case of a Forwarding Agent or a Proxy in between.
- - name: rpayload
- type: keyword
- description: This key is used to capture the total number of payload bytes seen in the retransmitted packets.
- - name: vlan_name
- type: keyword
- description: This key should only be used to capture the name of the Virtual LAN
- - name: investigations
- type: group
- fields:
- - name: ec_activity
- type: keyword
- description: This key captures the particular event activity(Ex:Logoff)
- - name: ec_theme
- type: keyword
- description: This key captures the Theme of a particular Event(Ex:Authentication)
- - name: ec_subject
- type: keyword
- description: This key captures the Subject of a particular Event(Ex:User)
- - name: ec_outcome
- type: keyword
- description: This key captures the outcome of a particular Event(Ex:Success)
- - name: event_cat
- type: long
- description: This key captures the Event category number
- - name: event_cat_name
- type: keyword
- description: This key captures the event category name corresponding to the event cat code
- - name: event_vcat
- type: keyword
- description: This is a vendor supplied category. This should be used in situations where the vendor has adopted their own event_category taxonomy.
- - name: analysis_file
- type: keyword
- description: This is used to capture all indicators used in a File Analysis. This key should be used to capture an analysis of a file
- - name: analysis_service
- type: keyword
- description: This is used to capture all indicators used in a Service Analysis. This key should be used to capture an analysis of a service
- - name: analysis_session
- type: keyword
- description: This is used to capture all indicators used for a Session Analysis.
This key should be used to capture an analysis of a session
- - name: boc
- type: keyword
- description: This is used to capture behaviour of compromise
- - name: eoc
- type: keyword
- description: This is used to capture Enablers of Compromise
- - name: inv_category
- type: keyword
- description: This used to capture investigation category
- - name: inv_context
- type: keyword
- description: This used to capture investigation context
- - name: ioc
- type: keyword
- description: This is key capture indicator of compromise
- - name: counters
- type: group
- fields:
- - name: dclass_c1
- type: long
- description: This is a generic counter key that should be used with the label dclass.c1.str only
- - name: dclass_c2
- type: long
- description: This is a generic counter key that should be used with the label dclass.c2.str only
- - name: event_counter
- type: long
- description: This is used to capture the number of times an event repeated
- - name: dclass_r1
- type: keyword
- description: This is a generic ratio key that should be used with the label dclass.r1.str only
- - name: dclass_c3
- type: long
- description: This is a generic counter key that should be used with the label dclass.c3.str only
- - name: dclass_c1_str
- type: keyword
- description: This is a generic counter string key that should be used with the label dclass.c1 only
- - name: dclass_c2_str
- type: keyword
- description: This is a generic counter string key that should be used with the label dclass.c2 only
- - name: dclass_r1_str
- type: keyword
- description: This is a generic ratio string key that should be used with the label dclass.r1 only
- - name: dclass_r2
- type: keyword
- description: This is a generic ratio key that should be used with the label dclass.r2.str only
- - name: dclass_c3_str
- type: keyword
- description: This is a generic counter string key that should be used with the label dclass.c3 only
- - name: dclass_r3
- type: keyword
- description: This is a generic ratio key that
should be used with the label dclass.r3.str only
- - name: dclass_r2_str
- type: keyword
- description: This is a generic ratio string key that should be used with the label dclass.r2 only
- - name: dclass_r3_str
- type: keyword
- description: This is a generic ratio string key that should be used with the label dclass.r3 only
- - name: identity
- type: group
- fields:
- - name: auth_method
- type: keyword
- description: This key is used to capture authentication methods used only
- - name: user_role
- type: keyword
- description: This key is used to capture the Role of a user only
- - name: dn
- type: keyword
- description: X.500 (LDAP) Distinguished Name
- - name: logon_type
- type: keyword
- description: This key is used to capture the type of logon method used.
- - name: profile
- type: keyword
- description: This key is used to capture the user profile
- - name: accesses
- type: keyword
- description: This key is used to capture actual privileges used in accessing an object
- - name: realm
- type: keyword
- description: Radius realm or similar grouping of accounts
- - name: user_sid_dst
- type: keyword
- description: This key captures Destination User Session ID
- - name: dn_src
- type: keyword
- description: An X.500 (LDAP) Distinguished name that is used in a context that indicates a Source dn
- - name: org
- type: keyword
- description: This key captures the User organization
- - name: dn_dst
- type: keyword
- description: An X.500 (LDAP) Distinguished name that used in a context that indicates a Destination dn
- - name: firstname
- type: keyword
- description: This key is for First Names only, this is used for Healthcare predominantly to capture Patients information
- - name: lastname
- type: keyword
- description: This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information
- - name: user_dept
- type: keyword
- description: User's Department Names only
- - name: user_sid_src
- type: keyword
- description: This
key captures Source User Session ID
- - name: federated_sp
- type: keyword
- description: This key is the Federated Service Provider. This is the application requesting authentication.
- - name: federated_idp
- type: keyword
- description: This key is the federated Identity Provider. This is the server providing the authentication.
- - name: logon_type_desc
- type: keyword
- description: This key is used to capture the textual description of an integer logon type as stored in the meta key 'logon.type'.
- - name: middlename
- type: keyword
- description: This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information
- - name: password
- type: keyword
- description: This key is for Passwords seen in any session, plain text or encrypted
- - name: host_role
- type: keyword
- description: This key should only be used to capture the role of a Host Machine
- - name: ldap
- type: keyword
- description: "This key is for Uninterpreted LDAP values. Ldap Values that don’t have a clear query or response context"
- - name: ldap_query
- type: keyword
- description: This key is the Search criteria from an LDAP search
- - name: ldap_response
- type: keyword
- description: This key is to capture Results from an LDAP search
- - name: owner
- type: keyword
- description: This is used to capture username the process or service is running as, the author of the task
- - name: service_account
- type: keyword
- description: This key is a windows specific key, used for capturing name of the account a service (referenced in the event) is running under.
Legacy Usage
- - name: email
- type: group
- fields:
- - name: email_dst
- type: keyword
- description: This key is used to capture the Destination email address only, when the destination context is not clear use email
- - name: email_src
- type: keyword
- description: This key is used to capture the source email address only, when the source context is not clear use email
- - name: subject
- type: keyword
- description: This key is used to capture the subject string from an Email only.
- - name: email
- type: keyword
- description: This key is used to capture a generic email address where the source or destination context is not clear
- - name: trans_from
- type: keyword
- description: Deprecated key defined only in table map.
- - name: trans_to
- type: keyword
- description: Deprecated key defined only in table map.
- - name: file
- type: group
- fields:
- - name: privilege
- type: keyword
- description: Deprecated, use permissions
- - name: attachment
- type: keyword
- description: This key captures the attachment file name
- - name: filesystem
- type: keyword
- - name: binary
- type: keyword
- description: Deprecated key defined only in table map.
- - name: filename_dst
- type: keyword
- description: This is used to capture name of the file targeted by the action
- - name: filename_src
- type: keyword
- description: This is used to capture name of the parent filename, the file which performed the action
- - name: filename_tmp
- type: keyword
- - name: directory_dst
- type: keyword
- description: This key is used to capture the directory of the target process or file
- - name: directory_src
- type: keyword
- description: This key is used to capture the directory of the source process or file
- - name: file_entropy
- type: double
- description: This is used to capture entropy vale of a file
- - name: file_vendor
- type: keyword
- description: This is used to capture Company name of file located in version_info
- - name: task_name
- type: keyword
- description: This is used to capture name of the task
- - name: web
- type: group
- fields:
- - name: fqdn
- type: keyword
- description: Fully Qualified Domain Names
- - name: web_cookie
- type: keyword
- description: This key is used to capture the Web cookies specifically.
- - name: alias_host
- type: keyword
- - name: reputation_num
- type: double
- description: Reputation Number of an entity.
Typically used for Web Domains
- - name: web_ref_domain
- type: keyword
- description: Web referer's domain
- - name: web_ref_query
- type: keyword
- description: This key captures Web referer's query portion of the URL
- - name: remote_domain
- type: keyword
- - name: web_ref_page
- type: keyword
- description: This key captures Web referer's page information
- - name: web_ref_root
- type: keyword
- description: Web referer's root URL path
- - name: cn_asn_dst
- type: keyword
- - name: cn_rpackets
- type: keyword
- - name: urlpage
- type: keyword
- - name: urlroot
- type: keyword
- - name: p_url
- type: keyword
- - name: p_user_agent
- type: keyword
- - name: p_web_cookie
- type: keyword
- - name: p_web_method
- type: keyword
- - name: p_web_referer
- type: keyword
- - name: web_extension_tmp
- type: keyword
- - name: web_page
- type: keyword
- - name: threat
- type: group
- fields:
- - name: threat_category
- type: keyword
- description: This key captures Threat Name/Threat Category/Categorization of alert
- - name: threat_desc
- type: keyword
- description: This key is used to capture the threat description from the session directly or inferred
- - name: alert
- type: keyword
- description: This key is used to capture name of the alert
- - name: threat_source
- type: keyword
- description: This key is used to capture source of the threat
- - name: crypto
- type: group
- fields:
- - name: crypto
- type: keyword
- description: This key is used to capture the Encryption Type or Encryption Key only
- - name: cipher_src
- type: keyword
- description: This key is for Source (Client) Cipher
- - name: cert_subject
- type: keyword
- description: This key is used to capture the Certificate organization only
- - name: peer
- type: keyword
- description: This key is for Encryption peer's IP Address
- - name: cipher_size_src
- type: long
- description: This key captures Source (Client) Cipher Size
- - name: ike
- type: keyword
- description: IKE negotiation phase.
- - name: scheme
- type: keyword
- description: This key captures the Encryption scheme used
- - name: peer_id
- type: keyword
- description: "This key is for Encryption peer’s identity"
- - name: sig_type
- type: keyword
- description: This key captures the Signature Type
- - name: cert_issuer
- type: keyword
- - name: cert_host_name
- type: keyword
- description: Deprecated key defined only in table map.
- - name: cert_error
- type: keyword
- description: This key captures the Certificate Error String
- - name: cipher_dst
- type: keyword
- description: This key is for Destination (Server) Cipher
- - name: cipher_size_dst
- type: long
- description: This key captures Destination (Server) Cipher Size
- - name: ssl_ver_src
- type: keyword
- description: Deprecated, use version
- - name: d_certauth
- type: keyword
- - name: s_certauth
- type: keyword
- - name: ike_cookie1
- type: keyword
- description: "ID of the negotiation — sent for ISAKMP Phase One"
- - name: ike_cookie2
- type: keyword
- description: "ID of the negotiation — sent for ISAKMP Phase Two"
- - name: cert_checksum
- type: keyword
- - name: cert_host_cat
- type: keyword
- description: This key is used for the hostname category value of a certificate
- - name: cert_serial
- type: keyword
- description: This key is used to capture the Certificate serial number only
- - name: cert_status
- type: keyword
- description: This key captures Certificate validation status
- - name: ssl_ver_dst
- type: keyword
- description: Deprecated, use version
- - name: cert_keysize
- type: keyword
- - name: cert_username
- type: keyword
- - name: https_insact
- type: keyword
- - name: https_valid
- type: keyword
- - name: cert_ca
- type: keyword
- description: This key is used to capture the Certificate signing authority only
- - name: cert_common
- type: keyword
- description: This key is used to capture the Certificate common name only
- - name: wireless
- type: group
- fields:
- - name: wlan_ssid
- type: keyword
-
description: This key is used to capture the ssid of a Wireless Session
- - name: access_point
- type: keyword
- description: This key is used to capture the access point name.
- - name: wlan_channel
- type: long
- description: This is used to capture the channel names
- - name: wlan_name
- type: keyword
- description: This key captures either WLAN number/name
- - name: storage
- type: group
- fields:
- - name: disk_volume
- type: keyword
- description: A unique name assigned to logical units (volumes) within a physical disk
- - name: lun
- type: keyword
- description: Logical Unit Number.This key is a very useful concept in Storage.
- - name: pwwn
- type: keyword
- description: This uniquely identifies a port on a HBA.
- - name: physical
- type: group
- fields:
- - name: org_dst
- type: keyword
- description: This is used to capture the destination organization based on the GEOPIP Maxmind database.
- - name: org_src
- type: keyword
- description: This is used to capture the source organization based on the GEOPIP Maxmind database.
- - name: healthcare
- type: group
- fields:
- - name: patient_fname
- type: keyword
- description: This key is for First Names only, this is used for Healthcare predominantly to capture Patients information
- - name: patient_id
- type: keyword
- description: This key captures the unique ID for a patient
- - name: patient_lname
- type: keyword
- description: This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information
- - name: patient_mname
- type: keyword
- description: This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information
- - name: endpoint
- type: group
- fields:
- - name: host_state
- type: keyword
- description: This key is used to capture the current state of the machine, such as blacklisted, infected, firewall disabled and so on
- - name: registry_key
- type: keyword
- description: This key captures the path to the registry key
- - name: registry_value
- type: keyword
- description: This key captures values or decorators used within a registry entry
-- name: dns.question.domain
- type: keyword
- ignore_above: 1024
- description: Server domain.
-- name: network.interface.name
- type: keyword
diff --git a/packages/fortinet_forticlient/1.1.2/data_stream/log/manifest.yml b/packages/fortinet_forticlient/1.1.2/data_stream/log/manifest.yml
deleted file mode 100755
index 8bd443ba30..0000000000
--- a/packages/fortinet_forticlient/1.1.2/data_stream/log/manifest.yml
+++ /dev/null
@@ -1,215 +0,0 @@
-title: Fortinet FortiClient Endpoint Security logs
-release: experimental
-type: logs
-streams:
- - input: udp
- enabled: true
- title: Fortinet FortiClient Endpoint Security logs
- description: Collect Fortinet FortiClient Endpoint Security logs
- template_path: udp.yml.hbs
- vars:
- - name: tags
- type: text
- title: Tags
- multi: true
- required: true
- show_user: false
- default:
- - fortinet-clientendpoint
- - fortinet-forticlient
- - forwarded
- - name: udp_host
- type: text
- title: Listen Address
- description: The bind address to listen for UDP connections. Set to `0.0.0.0` to bind to all available interfaces.
- multi: false
- required: true
- show_user: true
- default: localhost
- - name: udp_port
- type: integer
- title: Listen Port
- description: The UDP port number to listen on.
- multi: false
- required: true
- show_user: true
- default: 9509
- - name: tz_offset
- type: text
- title: Timezone offset (+HH:mm format)
- required: false
- show_user: true
- default: "local"
- - name: rsa_fields
- type: bool
- title: Add non-ECS fields
- required: false
- show_user: true
- default: true
- - name: keep_raw_fields
- type: bool
- title: Keep raw parser fields
- required: false
- show_user: false
- default: false
- - name: debug
- type: bool
- title: Enable debug logging
- required: false
- show_user: false
- default: false
- - name: preserve_original_event
- required: true
- show_user: true
- title: Preserve original event
- description: Preserves a raw copy of the original event, added to the field `event.original`
- type: bool
- multi: false
- default: false
- - name: processors
- type: yaml
- title: Processors
- multi: false
- required: false
- show_user: false
- description: >
- Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed.
See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
-
- - input: tcp
- enabled: false
- title: Fortinet FortiClient Endpoint Security logs
- description: Collect Fortinet FortiClient Endpoint Security logs
- template_path: tcp.yml.hbs
- vars:
- - name: tags
- type: text
- title: Tags
- multi: true
- required: true
- show_user: false
- default:
- - fortinet-clientendpoint
- - fortinet-forticlient
- - forwarded
- - name: tcp_host
- type: text
- title: Listen Address
- description: The bind address to listen for TCP connections. Set to `0.0.0.0` to bind to all available interfaces.
- multi: false
- required: true
- show_user: true
- default: localhost
- - name: tcp_port
- type: integer
- title: Listen Port
- description: The TCP port number to listen on.
- multi: false
- required: true
- show_user: true
- default: 9509
- - name: tz_offset
- type: text
- title: Timezone offset (+HH:mm format)
- required: false
- show_user: true
- default: "local"
- - name: rsa_fields
- type: bool
- title: Add non-ECS fields
- required: false
- show_user: true
- default: true
- - name: keep_raw_fields
- type: bool
- title: Keep raw parser fields
- required: false
- show_user: false
- default: false
- - name: debug
- type: bool
- title: Enable debug logging
- required: false
- show_user: false
- default: false
- - name: preserve_original_event
- required: true
- show_user: true
- title: Preserve original event
- description: Preserves a raw copy of the original event, added to the field `event.original`
- type: bool
- multi: false
- default: false
- - name: processors
- type: yaml
- title: Processors
- multi: false
- required: false
- show_user: false
- description: >
- Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed.
See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
-
- - input: logfile
- enabled: false
- title: Fortinet FortiClient Endpoint Security logs
- template_path: log.yml.hbs
- description: Collect Fortinet FortiClient Endpoint Security logs from file
- vars:
- - name: paths
- type: text
- title: Paths
- multi: true
- required: true
- show_user: false
- default:
- - /var/log/fortinet-clientendpoint.log
- - name: tags
- type: text
- title: Tags
- multi: true
- required: true
- show_user: false
- default:
- - fortinet-clientendpoint
- - fortinet-forticlient
- - forwarded
- - name: tz_offset
- type: text
- title: Timezone offset (+HH:mm format)
- required: false
- show_user: true
- default: "local"
- - name: rsa_fields
- type: bool
- title: Add non-ECS fields
- required: false
- show_user: true
- default: true
- - name: keep_raw_fields
- type: bool
- title: Keep raw parser fields
- required: false
- show_user: false
- default: false
- - name: debug
- type: bool
- title: Enable debug logging
- required: false
- show_user: false
- default: false
- - name: preserve_original_event
- required: true
- show_user: true
- title: Preserve original event
- description: Preserves a raw copy of the original event, added to the field `event.original`
- type: bool
- multi: false
- default: false
- - name: processors
- type: yaml
- title: Processors
- multi: false
- required: false
- show_user: false
- description: >
- Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
-
diff --git a/packages/fortinet_forticlient/1.1.2/data_stream/log/sample_event.json b/packages/fortinet_forticlient/1.1.2/data_stream/log/sample_event.json
deleted file mode 100755
index be6f45153a..0000000000
--- a/packages/fortinet_forticlient/1.1.2/data_stream/log/sample_event.json
+++ /dev/null
@@ -1,125 +0,0 @@ -{ - "@timestamp": "2021-01-29T06:09:59.000Z", - "agent": { - "ephemeral_id": "e212d683-d4b4-42ac-ba98-c8414ff62188", - "id": "4e3f135a-d5f9-40b6-ae01-2c834ecbead0", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "8.0.0" - }, - "data_stream": { - "dataset": "fortinet_forticlient.log", - "namespace": "ep", - "type": "logs" - }, - "destination": { - "ip": [ - "10.102.123.34" - ], - "port": 3994 - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "4e3f135a-d5f9-40b6-ae01-2c834ecbead0", - "snapshot": true, - "version": "8.0.0" - }, - "event": { - "action": "deny", - "agent_id_status": "verified", - "code": "http", - "dataset": "fortinet_forticlient.log", - "ingested": "2022-01-25T12:25:45Z", - "original": "January 29 06:09:59 boNemoe4402.www.invalid proto=udp service=http status=deny src=10.150.92.220 dst=10.102.123.34 src_port=7178 dst_port=3994 server_app=reeufugi pid=7880 app_name=enderitq traff_direct=external block_count=5286 logon_user=sumdo@litesse6379.api.domain msg=failure\n", - "outcome": "failure", - "timezone": "+00:00" - }, - "host": { - "name": "boNemoe4402.www.invalid" - }, - "input": { - "type": "udp" - }, - "log": { - "source": { - "address": "172.30.0.4:54478" - } - }, - "network": { - "direction": "external", - "protocol": "udp" - }, - "observer": { - "product": "FortiClient", - "type": "Anti-Virus", - "vendor": "Fortinet" - }, - "process": { - "pid": 7880 - }, - "related": { - "hosts": [ - "litesse6379.api.domain", - "boNemoe4402.www.invalid" - ], - "ip": [ - "10.150.92.220", - "10.102.123.34" - ], - "user": [ - "sumdo" - ] - }, - "rsa": { - "counters": { - "dclass_c1": 5286, - "dclass_c1_str": "block_count" - }, - "internal": { - "messageid": "http" - }, - "investigations": { - "ec_outcome": "Failure", - "ec_subject": "NetworkComm", - "ec_theme": "ALM" - }, - "misc": { - "action": [ - "deny" - ], - "result": "failure\n" - }, - "network": { - "alias_host": [ - "boNemoe4402.www.invalid" - ], - 
"domain": "litesse6379.api.domain", - "network_service": "http" - }, - "time": { - "event_time": "2021-01-29T06:09:59.000Z" - } - }, - "server": { - "domain": "litesse6379.api.domain", - "registered_domain": "api.domain", - "subdomain": "litesse6379", - "top_level_domain": "domain" - }, - "source": { - "ip": [ - "10.150.92.220" - ], - "port": 7178 - }, - "tags": [ - "preserve_original_event", - "fortinet-clientendpoint", - "forwarded" - ], - "user": { - "name": "sumdo" - } -} \ No newline at end of file diff --git a/packages/fortinet_forticlient/1.1.2/docs/README.md b/packages/fortinet_forticlient/1.1.2/docs/README.md deleted file mode 100755 index 459afe7812..0000000000 --- a/packages/fortinet_forticlient/1.1.2/docs/README.md +++ /dev/null 
@@ -1,981 +0,0 @@ -# Fortinet FortiClient Integration - -This integration is for Fortinet FortiClient logs sent in the syslog format. - -## Compatibility - -This integration has been tested against FortiOS version 6.0.x and 6.2.x. Versions above this are expected to work but have not been tested. - -### Log - -The `log` dataset collects JFortinet FortiClient logs. - -An example event for `log` looks as following: - -```json -{ - "@timestamp": "2021-01-29T06:09:59.000Z", - "agent": { - "ephemeral_id": "e212d683-d4b4-42ac-ba98-c8414ff62188", - "id": "4e3f135a-d5f9-40b6-ae01-2c834ecbead0", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "8.0.0" - }, - "data_stream": { - "dataset": "fortinet_forticlient.log", - "namespace": "ep", - "type": "logs" - }, - "destination": { - "ip": [ - "10.102.123.34" - ], - "port": 3994 - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "4e3f135a-d5f9-40b6-ae01-2c834ecbead0", - "snapshot": true, - "version": "8.0.0" - }, - "event": { - "action": "deny", - "agent_id_status": "verified", - "code": "http", - "dataset": "fortinet_forticlient.log", - "ingested": "2022-01-25T12:25:45Z", - "original": "January 29 06:09:59 boNemoe4402.www.invalid proto=udp service=http status=deny src=10.150.92.220 dst=10.102.123.34 src_port=7178 dst_port=3994 server_app=reeufugi pid=7880 app_name=enderitq traff_direct=external block_count=5286 logon_user=sumdo@litesse6379.api.domain msg=failure\n", - "outcome": "failure", - "timezone": "+00:00" - }, - "host": { - "name": "boNemoe4402.www.invalid" - }, - "input": { - "type": "udp" - }, - "log": { - "source": { - "address": "172.30.0.4:54478" - } - }, - "network": { - "direction": "external", - "protocol": "udp" - }, - "observer": { - "product": "FortiClient", - "type": "Anti-Virus", - "vendor": "Fortinet" - }, - "process": { - "pid": 7880 - }, - "related": { - "hosts": [ - "litesse6379.api.domain", - "boNemoe4402.www.invalid" - ], - "ip": [ - "10.150.92.220", - 
"10.102.123.34" - ], - "user": [ - "sumdo" - ] - }, - "rsa": { - "counters": { - "dclass_c1": 5286, - "dclass_c1_str": "block_count" - }, - "internal": { - "messageid": "http" - }, - "investigations": { - "ec_outcome": "Failure", - "ec_subject": "NetworkComm", - "ec_theme": "ALM" - }, - "misc": { - "action": [ - "deny" - ], - "result": "failure\n" - }, - "network": { - "alias_host": [ - "boNemoe4402.www.invalid" - ], - "domain": "litesse6379.api.domain", - "network_service": "http" - }, - "time": { - "event_time": "2021-01-29T06:09:59.000Z" - } - }, - "server": { - "domain": "litesse6379.api.domain", - "registered_domain": "api.domain", - "subdomain": "litesse6379", - "top_level_domain": "domain" - }, - "source": { - "ip": [ - "10.150.92.220" - ], - "port": 7178 - }, - "tags": [ - "preserve_original_event", - "fortinet-clientendpoint", - "forwarded" - ], - "user": { - "name": "sumdo" - } -} -``` - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. | date | -| client.domain | The domain name of the client system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | -| client.registered_domain | The highest registered client domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". 
| keyword | -| client.subdomain | The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword | -| client.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. 
| keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| destination.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| destination.as.organization.name | Organization name. | keyword | -| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. | match_only_text | -| destination.bytes | Bytes sent from the destination to the source. | long | -| destination.domain | The domain name of the destination system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | -| destination.geo.city_name | City name. | keyword | -| destination.geo.country_name | Country name. | keyword | -| destination.geo.location | Longitude and latitude. | geo_point | -| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | -| destination.mac | MAC address of the destination. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | -| destination.nat.ip | Translated ip of destination based NAT sessions (e.g. 
internet to private DMZ) Typically used with load balancers, firewalls, or routers. | ip | -| destination.nat.port | Port the source session is translated to by NAT Device. Typically used with load balancers, firewalls, or routers. | long | -| destination.port | Port of the destination. | long | -| destination.registered_domain | The highest registered destination domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | -| destination.subdomain | The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword | -| destination.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | -| dns.answers.name | The domain name to which this resource record pertains. If a chain of CNAME is being resolved, each answer's `name` should be the one that corresponds with the answer's `data`. It should not simply be the original `question.name` repeated. 
| keyword | -| dns.answers.type | The type of data contained in this resource record. | keyword | -| dns.question.domain | Server domain. | keyword | -| dns.question.registered_domain | The highest registered domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | -| dns.question.subdomain | The subdomain is all of the labels under the registered_domain. If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword | -| dns.question.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | -| dns.question.type | The type of record being queried. | keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| error.message | Error message. | match_only_text | -| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword | -| event.code | Identification code for this event, if one exists. 
Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. | keyword | -| event.dataset | Event dataset | constant_keyword | -| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | -| event.module | Event module | constant_keyword | -| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | -| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. 
For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | -| event.timezone | This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). | keyword | -| file.attributes | Array of file attributes. Attributes names will vary by platform. Here's a non-exhaustive list of values that are expected in this field: archive, compressed, directory, encrypted, execute, hidden, read, readonly, system, write. | keyword | -| file.directory | Directory where the file is located. It should include the drive letter, when appropriate. | keyword | -| file.extension | File extension, excluding the leading dot. Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword | -| file.name | Name of the file including the extension, without the directory. | keyword | -| file.path | Full path to the file, including the file name. It should include the drive letter, when appropriate. | keyword | -| file.path.text | Multi-field of `file.path`. | match_only_text | -| file.size | File size in bytes. Only relevant when `file.type` is "file". | long | -| file.type | File type (file, dir, or symlink). | keyword | -| geo.city_name | City name. | keyword | -| geo.country_name | Country name. | keyword | -| geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | -| geo.region_name | Region name. 
| keyword | -| group.id | Unique identifier for the group on the system/platform. | keyword | -| group.name | Name of the group. | keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host MAC addresses. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. 
For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| http.request.method | HTTP request method. The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field. | keyword | -| http.request.referrer | Referrer for this HTTP request. | keyword | -| input.type | Type of Filebeat input. | keyword | -| log.file.path | Full path to the log file this event came from. | keyword | -| log.flags | Flags for the log file. | keyword | -| log.level | Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). Some examples are `warn`, `err`, `i`, `informational`. | keyword | -| log.offset | Offset of the entry in the log file. | long | -| log.source.address | Source address from which the log event was read / sent from. | keyword | -| log.syslog.facility.code | The Syslog numeric facility of the log event, if available. According to RFCs 5424 and 3164, this value should be an integer between 0 and 23. | long | -| log.syslog.priority | Syslog numeric priority of the event, if available. According to RFCs 5424 and 3164, the priority is 8 \* facility + severity. This number is therefore expected to contain a value between 0 and 191. | long | -| log.syslog.severity.code | The Syslog numeric severity of the log event, if available. If the event source publishing via Syslog provides a different numeric severity value (e.g. firewall, IDS), your source's numeric severity should go to `event.severity`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `event.severity`. 
| long | -| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | -| network.application | When a specific application or service is identified from network connection details (source/dest IPs, ports, certificates, or wire format), this field captures the application's or service's name. For example, the original event identifies the network connection being from a specific web service in a `https` network connection, like `facebook` or `twitter`. The field value must be normalized to lowercase for querying. | keyword | -| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long | -| network.direction | Direction of the network traffic. Recommended values are: \* ingress \* egress \* inbound \* outbound \* internal \* external \* unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword | -| network.forwarded_ip | Host IP address when the source IP address is the proxy. | ip | -| network.interface.name | | keyword | -| network.packets | Total packets transferred in both directions. 
If `source.packets` and `destination.packets` are known, `network.packets` is their sum. | long | -| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword | -| observer.egress.interface.name | Interface name as reported by the system. | keyword | -| observer.ingress.interface.name | Interface name as reported by the system. | keyword | -| observer.product | The product name of the observer. | keyword | -| observer.type | The type of the observer the data is coming from. There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. | keyword | -| observer.vendor | Vendor name of the observer. | keyword | -| observer.version | Observer version. | keyword | -| process.name | Process name. Sometimes called program name or similar. | keyword | -| process.name.text | Multi-field of `process.name`. | match_only_text | -| process.parent.name | Process name. Sometimes called program name or similar. | keyword | -| process.parent.name.text | Multi-field of `process.parent.name`. | match_only_text | -| process.parent.pid | Process id. | long | -| process.parent.title | Process title. The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. | keyword | -| process.parent.title.text | Multi-field of `process.parent.title`. | match_only_text | -| process.pid | Process id. | long | -| process.title | Process title. The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. | keyword | -| process.title.text | Multi-field of `process.title`. | match_only_text | -| related.hosts | All hostnames or other host identifiers seen on your event. 
Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| related.user | All the user names or other user identifiers seen on the event. | keyword | -| rsa.counters.dclass_c1 | This is a generic counter key that should be used with the label dclass.c1.str only | long | -| rsa.counters.dclass_c1_str | This is a generic counter string key that should be used with the label dclass.c1 only | keyword | -| rsa.counters.dclass_c2 | This is a generic counter key that should be used with the label dclass.c2.str only | long | -| rsa.counters.dclass_c2_str | This is a generic counter string key that should be used with the label dclass.c2 only | keyword | -| rsa.counters.dclass_c3 | This is a generic counter key that should be used with the label dclass.c3.str only | long | -| rsa.counters.dclass_c3_str | This is a generic counter string key that should be used with the label dclass.c3 only | keyword | -| rsa.counters.dclass_r1 | This is a generic ratio key that should be used with the label dclass.r1.str only | keyword | -| rsa.counters.dclass_r1_str | This is a generic ratio string key that should be used with the label dclass.r1 only | keyword | -| rsa.counters.dclass_r2 | This is a generic ratio key that should be used with the label dclass.r2.str only | keyword | -| rsa.counters.dclass_r2_str | This is a generic ratio string key that should be used with the label dclass.r2 only | keyword | -| rsa.counters.dclass_r3 | This is a generic ratio key that should be used with the label dclass.r3.str only | keyword | -| rsa.counters.dclass_r3_str | This is a generic ratio string key that should be used with the label dclass.r3 only | keyword | -| rsa.counters.event_counter | This is used to capture the number of times an event repeated | long | -| rsa.crypto.cert_ca | This key is used to capture the Certificate signing authority only | keyword | -| rsa.crypto.cert_checksum | | keyword 
| -| rsa.crypto.cert_common | This key is used to capture the Certificate common name only | keyword | -| rsa.crypto.cert_error | This key captures the Certificate Error String | keyword | -| rsa.crypto.cert_host_cat | This key is used for the hostname category value of a certificate | keyword | -| rsa.crypto.cert_host_name | Deprecated key defined only in table map. | keyword | -| rsa.crypto.cert_issuer | | keyword | -| rsa.crypto.cert_keysize | | keyword | -| rsa.crypto.cert_serial | This key is used to capture the Certificate serial number only | keyword | -| rsa.crypto.cert_status | This key captures Certificate validation status | keyword | -| rsa.crypto.cert_subject | This key is used to capture the Certificate organization only | keyword | -| rsa.crypto.cert_username | | keyword | -| rsa.crypto.cipher_dst | This key is for Destination (Server) Cipher | keyword | -| rsa.crypto.cipher_size_dst | This key captures Destination (Server) Cipher Size | long | -| rsa.crypto.cipher_size_src | This key captures Source (Client) Cipher Size | long | -| rsa.crypto.cipher_src | This key is for Source (Client) Cipher | keyword | -| rsa.crypto.crypto | This key is used to capture the Encryption Type or Encryption Key only | keyword | -| rsa.crypto.d_certauth | | keyword | -| rsa.crypto.https_insact | | keyword | -| rsa.crypto.https_valid | | keyword | -| rsa.crypto.ike | IKE negotiation phase. 
| keyword | -| rsa.crypto.ike_cookie1 | ID of the negotiation — sent for ISAKMP Phase One | keyword | -| rsa.crypto.ike_cookie2 | ID of the negotiation — sent for ISAKMP Phase Two | keyword | -| rsa.crypto.peer | This key is for Encryption peer's IP Address | keyword | -| rsa.crypto.peer_id | This key is for Encryption peer’s identity | keyword | -| rsa.crypto.s_certauth | | keyword | -| rsa.crypto.scheme | This key captures the Encryption scheme used | keyword | -| rsa.crypto.sig_type | This key captures the Signature Type | keyword | -| rsa.crypto.ssl_ver_dst | Deprecated, use version | keyword | -| rsa.crypto.ssl_ver_src | Deprecated, use version | keyword | -| rsa.db.database | This key is used to capture the name of a database or an instance as seen in a session | keyword | -| rsa.db.db_id | This key is used to capture the unique identifier for a database | keyword | -| rsa.db.db_pid | This key captures the process id of a connection with database server | long | -| rsa.db.index | This key captures IndexID of the index. | keyword | -| rsa.db.instance | This key is used to capture the database server instance name | keyword | -| rsa.db.lread | This key is used for the number of logical reads | long | -| rsa.db.lwrite | This key is used for the number of logical writes | long | -| rsa.db.permissions | This key captures permission or privilege level assigned to a resource. 
| keyword | -| rsa.db.pread | This key is used for the number of physical writes | long | -| rsa.db.table_name | This key is used to capture the table name | keyword | -| rsa.db.transact_id | This key captures the SQL transantion ID of the current session | keyword | -| rsa.email.email | This key is used to capture a generic email address where the source or destination context is not clear | keyword | -| rsa.email.email_dst | This key is used to capture the Destination email address only, when the destination context is not clear use email | keyword | -| rsa.email.email_src | This key is used to capture the source email address only, when the source context is not clear use email | keyword | -| rsa.email.subject | This key is used to capture the subject string from an Email only. | keyword | -| rsa.email.trans_from | Deprecated key defined only in table map. | keyword | -| rsa.email.trans_to | Deprecated key defined only in table map. | keyword | -| rsa.endpoint.host_state | This key is used to capture the current state of the machine, such as \blacklisted\, \infected\, \firewall disabled\ and so on | keyword | -| rsa.endpoint.registry_key | This key captures the path to the registry key | keyword | -| rsa.endpoint.registry_value | This key captures values or decorators used within a registry entry | keyword | -| rsa.file.attachment | This key captures the attachment file name | keyword | -| rsa.file.binary | Deprecated key defined only in table map. 
| keyword | -| rsa.file.directory_dst | \This key is used to capture the directory of the target process or file\ | keyword | -| rsa.file.directory_src | This key is used to capture the directory of the source process or file | keyword | -| rsa.file.file_entropy | This is used to capture entropy vale of a file | double | -| rsa.file.file_vendor | This is used to capture Company name of file located in version_info | keyword | -| rsa.file.filename_dst | This is used to capture name of the file targeted by the action | keyword | -| rsa.file.filename_src | This is used to capture name of the parent filename, the file which performed the action | keyword | -| rsa.file.filename_tmp | | keyword | -| rsa.file.filesystem | | keyword | -| rsa.file.privilege | Deprecated, use permissions | keyword | -| rsa.file.task_name | This is used to capture name of the task | keyword | -| rsa.healthcare.patient_fname | This key is for First Names only, this is used for Healthcare predominantly to capture Patients information | keyword | -| rsa.healthcare.patient_id | This key captures the unique ID for a patient | keyword | -| rsa.healthcare.patient_lname | This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information | keyword | -| rsa.healthcare.patient_mname | This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information | keyword | -| rsa.identity.accesses | This key is used to capture actual privileges used in accessing an object | keyword | -| rsa.identity.auth_method | This key is used to capture authentication methods used only | keyword | -| rsa.identity.dn | X.500 (LDAP) Distinguished Name | keyword | -| rsa.identity.dn_dst | An X.500 (LDAP) Distinguished name that used in a context that indicates a Destination dn | keyword | -| rsa.identity.dn_src | An X.500 (LDAP) Distinguished name that is used in a context that indicates a Source dn | keyword | -| rsa.identity.federated_idp | This 
key is the federated Identity Provider. This is the server providing the authentication. | keyword | -| rsa.identity.federated_sp | This key is the Federated Service Provider. This is the application requesting authentication. | keyword | -| rsa.identity.firstname | This key is for First Names only, this is used for Healthcare predominantly to capture Patients information | keyword | -| rsa.identity.host_role | This key should only be used to capture the role of a Host Machine | keyword | -| rsa.identity.lastname | This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information | keyword | -| rsa.identity.ldap | This key is for Uninterpreted LDAP values. Ldap Values that don’t have a clear query or response context | keyword | -| rsa.identity.ldap_query | This key is the Search criteria from an LDAP search | keyword | -| rsa.identity.ldap_response | This key is to capture Results from an LDAP search | keyword | -| rsa.identity.logon_type | This key is used to capture the type of logon method used. | keyword | -| rsa.identity.logon_type_desc | This key is used to capture the textual description of an integer logon type as stored in the meta key 'logon.type'. 
| keyword | -| rsa.identity.middlename | This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information | keyword | -| rsa.identity.org | This key captures the User organization | keyword | -| rsa.identity.owner | This is used to capture username the process or service is running as, the author of the task | keyword | -| rsa.identity.password | This key is for Passwords seen in any session, plain text or encrypted | keyword | -| rsa.identity.profile | This key is used to capture the user profile | keyword | -| rsa.identity.realm | Radius realm or similar grouping of accounts | keyword | -| rsa.identity.service_account | This key is a windows specific key, used for capturing name of the account a service (referenced in the event) is running under. Legacy Usage | keyword | -| rsa.identity.user_dept | User's Department Names only | keyword | -| rsa.identity.user_role | This key is used to capture the Role of a user only | keyword | -| rsa.identity.user_sid_dst | This key captures Destination User Session ID | keyword | -| rsa.identity.user_sid_src | This key captures Source User Session ID | keyword | -| rsa.internal.audit_class | Deprecated key defined only in table map. | keyword | -| rsa.internal.cid | This is the unique identifier used to identify a NetWitness Concentrator. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | -| rsa.internal.data | Deprecated key defined only in table map. | keyword | -| rsa.internal.dead | Deprecated key defined only in table map. | long | -| rsa.internal.device_class | This is the Classification of the Log Event Source under a predefined fixed set of Event Source Classifications. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | -| rsa.internal.device_group | This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | -| rsa.internal.device_host | This is the Hostname of the log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | -| rsa.internal.device_ip | This is the IPv4 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | ip | -| rsa.internal.device_ipv6 | This is the IPv6 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | ip | -| rsa.internal.device_type | This is the name of the log parser which parsed a given session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | -| rsa.internal.device_type_id | Deprecated key defined only in table map. | long | -| rsa.internal.did | This is the unique identifier used to identify a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | -| rsa.internal.entropy_req | This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration | long | -| rsa.internal.entropy_res | This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration | long | -| rsa.internal.entry | Deprecated key defined only in table map. 
| keyword | -| rsa.internal.event_desc | | keyword | -| rsa.internal.event_name | Deprecated key defined only in table map. | keyword | -| rsa.internal.feed_category | This is used to capture the category of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | -| rsa.internal.feed_desc | This is used to capture the description of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | -| rsa.internal.feed_name | This is used to capture the name of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | -| rsa.internal.forward_ip | This key should be used to capture the IPV4 address of a relay system which forwarded the events from the original system to NetWitness. | ip | -| rsa.internal.forward_ipv6 | This key is used to capture the IPV6 address of a relay system which forwarded the events from the original system to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | ip | -| rsa.internal.hcode | Deprecated key defined only in table map. | keyword | -| rsa.internal.header_id | This is the Header ID value that identifies the exact log parser header definition that parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | -| rsa.internal.inode | Deprecated key defined only in table map. | long | -| rsa.internal.lc_cid | This is a unique Identifier of a Log Collector. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | -| rsa.internal.lc_ctime | This is the time at which a log is collected in a NetWitness Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | date | -| rsa.internal.level | Deprecated key defined only in table map. | long | -| rsa.internal.mcb_req | This key is only used by the Entropy Parser, the most common byte request is simply which byte for each side (0 thru 255) was seen the most | long | -| rsa.internal.mcb_res | This key is only used by the Entropy Parser, the most common byte response is simply which byte for each side (0 thru 255) was seen the most | long | -| rsa.internal.mcbc_req | This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams | long | -| rsa.internal.mcbc_res | This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams | long | -| rsa.internal.medium | This key is used to identify if it’s a log/packet session or Layer 2 Encapsulation Type. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. 32 = log, 33 = correlation session, < 32 is packet session | long | -| rsa.internal.message | This key captures the contents of instant messages | keyword | -| rsa.internal.messageid | | keyword | -| rsa.internal.msg | This key is used to capture the raw message that comes into the Log Decoder | keyword | -| rsa.internal.msg_id | This is the Message ID1 value that identifies the exact log parser definition which parses a particular log session. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | -| rsa.internal.msg_vid | This is the Message ID2 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | -| rsa.internal.node_name | Deprecated key defined only in table map. | keyword | -| rsa.internal.nwe_callback_id | This key denotes that event is endpoint related | keyword | -| rsa.internal.obj_id | Deprecated key defined only in table map. | keyword | -| rsa.internal.obj_server | Deprecated key defined only in table map. | keyword | -| rsa.internal.obj_val | Deprecated key defined only in table map. | keyword | -| rsa.internal.parse_error | This is a special key that stores any Meta key validation error found while parsing a log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | -| rsa.internal.payload_req | This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep | long | -| rsa.internal.payload_res | This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep | long | -| rsa.internal.process_vid_dst | Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the target process. | keyword | -| rsa.internal.process_vid_src | Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the source process. | keyword | -| rsa.internal.resource | Deprecated key defined only in table map. 
| keyword | -| rsa.internal.resource_class | Deprecated key defined only in table map. | keyword | -| rsa.internal.rid | This is a special ID of the Remote Session created by NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | long | -| rsa.internal.session_split | This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | -| rsa.internal.site | Deprecated key defined only in table map. | keyword | -| rsa.internal.size | This is the size of the session as seen by the NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | long | -| rsa.internal.sourcefile | This is the name of the log file or PCAPs that can be imported into NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | -| rsa.internal.statement | Deprecated key defined only in table map. | keyword | -| rsa.internal.time | This is the time at which a session hits a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. | date | -| rsa.internal.ubc_req | This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once | long | -| rsa.internal.ubc_res | This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 
256 would mean all byte values of 0 thru 255 were seen at least once | long | -| rsa.internal.word | This is used by the Word Parsing technology to capture the first 5 character of every word in an unparsed log | keyword | -| rsa.investigations.analysis_file | This is used to capture all indicators used in a File Analysis. This key should be used to capture an analysis of a file | keyword | -| rsa.investigations.analysis_service | This is used to capture all indicators used in a Service Analysis. This key should be used to capture an analysis of a service | keyword | -| rsa.investigations.analysis_session | This is used to capture all indicators used for a Session Analysis. This key should be used to capture an analysis of a session | keyword | -| rsa.investigations.boc | This is used to capture behaviour of compromise | keyword | -| rsa.investigations.ec_activity | This key captures the particular event activity(Ex:Logoff) | keyword | -| rsa.investigations.ec_outcome | This key captures the outcome of a particular Event(Ex:Success) | keyword | -| rsa.investigations.ec_subject | This key captures the Subject of a particular Event(Ex:User) | keyword | -| rsa.investigations.ec_theme | This key captures the Theme of a particular Event(Ex:Authentication) | keyword | -| rsa.investigations.eoc | This is used to capture Enablers of Compromise | keyword | -| rsa.investigations.event_cat | This key captures the Event category number | long | -| rsa.investigations.event_cat_name | This key captures the event category name corresponding to the event cat code | keyword | -| rsa.investigations.event_vcat | This is a vendor supplied category. This should be used in situations where the vendor has adopted their own event_category taxonomy. 
| keyword | -| rsa.investigations.inv_category | This used to capture investigation category | keyword | -| rsa.investigations.inv_context | This used to capture investigation context | keyword | -| rsa.investigations.ioc | This is key capture indicator of compromise | keyword | -| rsa.misc.OS | This key captures the Name of the Operating System | keyword | -| rsa.misc.acl_id | | keyword | -| rsa.misc.acl_op | | keyword | -| rsa.misc.acl_pos | | keyword | -| rsa.misc.acl_table | | keyword | -| rsa.misc.action | | keyword | -| rsa.misc.admin | | keyword | -| rsa.misc.agent_id | This key is used to capture agent id | keyword | -| rsa.misc.alarm_id | | keyword | -| rsa.misc.alarmname | | keyword | -| rsa.misc.alert_id | Deprecated, New Hunting Model (inv.\*, ioc, boc, eoc, analysis.\*) | keyword | -| rsa.misc.app_id | | keyword | -| rsa.misc.audit | | keyword | -| rsa.misc.audit_object | | keyword | -| rsa.misc.auditdata | | keyword | -| rsa.misc.autorun_type | This is used to capture Auto Run type | keyword | -| rsa.misc.benchmark | | keyword | -| rsa.misc.bypass | | keyword | -| rsa.misc.cache | | keyword | -| rsa.misc.cache_hit | | keyword | -| rsa.misc.category | This key is used to capture the category of an event given by the vendor in the session | keyword | -| rsa.misc.cc_number | Valid Credit Card Numbers only | long | -| rsa.misc.cefversion | | keyword | -| rsa.misc.cfg_attr | | keyword | -| rsa.misc.cfg_obj | | keyword | -| rsa.misc.cfg_path | | keyword | -| rsa.misc.change_attrib | This key is used to capture the name of the attribute that’s changing in a session | keyword | -| rsa.misc.change_new | This key is used to capture the new values of the attribute that’s changing in a session | keyword | -| rsa.misc.change_old | This key is used to capture the old value of the attribute that’s changing in a session | keyword | -| rsa.misc.changes | | keyword | -| rsa.misc.checksum | This key is used to capture the checksum or hash of the entity such as a file or 
process. Checksum should be used over checksum.src or checksum.dst when it is unclear whether the entity is a source or target of an action. | keyword | -| rsa.misc.checksum_dst | This key is used to capture the checksum or hash of the the target entity such as a process or file. | keyword | -| rsa.misc.checksum_src | This key is used to capture the checksum or hash of the source entity such as a file or process. | keyword | -| rsa.misc.client | This key is used to capture only the name of the client application requesting resources of the server. See the user.agent meta key for capture of the specific user agent identifier or browser identification string. | keyword | -| rsa.misc.client_ip | | keyword | -| rsa.misc.clustermembers | | keyword | -| rsa.misc.cmd | | keyword | -| rsa.misc.cn_acttimeout | | keyword | -| rsa.misc.cn_asn_src | | keyword | -| rsa.misc.cn_bgpv4nxthop | | keyword | -| rsa.misc.cn_ctr_dst_code | | keyword | -| rsa.misc.cn_dst_tos | | keyword | -| rsa.misc.cn_dst_vlan | | keyword | -| rsa.misc.cn_engine_id | | keyword | -| rsa.misc.cn_engine_type | | keyword | -| rsa.misc.cn_f_switch | | keyword | -| rsa.misc.cn_flowsampid | | keyword | -| rsa.misc.cn_flowsampintv | | keyword | -| rsa.misc.cn_flowsampmode | | keyword | -| rsa.misc.cn_inacttimeout | | keyword | -| rsa.misc.cn_inpermbyts | | keyword | -| rsa.misc.cn_inpermpckts | | keyword | -| rsa.misc.cn_invalid | | keyword | -| rsa.misc.cn_ip_proto_ver | | keyword | -| rsa.misc.cn_ipv4_ident | | keyword | -| rsa.misc.cn_l_switch | | keyword | -| rsa.misc.cn_log_did | | keyword | -| rsa.misc.cn_log_rid | | keyword | -| rsa.misc.cn_max_ttl | | keyword | -| rsa.misc.cn_maxpcktlen | | keyword | -| rsa.misc.cn_min_ttl | | keyword | -| rsa.misc.cn_minpcktlen | | keyword | -| rsa.misc.cn_mpls_lbl_1 | | keyword | -| rsa.misc.cn_mpls_lbl_10 | | keyword | -| rsa.misc.cn_mpls_lbl_2 | | keyword | -| rsa.misc.cn_mpls_lbl_3 | | keyword | -| rsa.misc.cn_mpls_lbl_4 | | keyword | -| rsa.misc.cn_mpls_lbl_5 | 
| keyword | -| rsa.misc.cn_mpls_lbl_6 | | keyword | -| rsa.misc.cn_mpls_lbl_7 | | keyword | -| rsa.misc.cn_mpls_lbl_8 | | keyword | -| rsa.misc.cn_mpls_lbl_9 | | keyword | -| rsa.misc.cn_mplstoplabel | | keyword | -| rsa.misc.cn_mplstoplabip | | keyword | -| rsa.misc.cn_mul_dst_byt | | keyword | -| rsa.misc.cn_mul_dst_pks | | keyword | -| rsa.misc.cn_muligmptype | | keyword | -| rsa.misc.cn_sampalgo | | keyword | -| rsa.misc.cn_sampint | | keyword | -| rsa.misc.cn_seqctr | | keyword | -| rsa.misc.cn_spackets | | keyword | -| rsa.misc.cn_src_tos | | keyword | -| rsa.misc.cn_src_vlan | | keyword | -| rsa.misc.cn_sysuptime | | keyword | -| rsa.misc.cn_template_id | | keyword | -| rsa.misc.cn_totbytsexp | | keyword | -| rsa.misc.cn_totflowexp | | keyword | -| rsa.misc.cn_totpcktsexp | | keyword | -| rsa.misc.cn_unixnanosecs | | keyword | -| rsa.misc.cn_v6flowlabel | | keyword | -| rsa.misc.cn_v6optheaders | | keyword | -| rsa.misc.code | | keyword | -| rsa.misc.command | | keyword | -| rsa.misc.comments | Comment information provided in the log message | keyword | -| rsa.misc.comp_class | | keyword | -| rsa.misc.comp_name | | keyword | -| rsa.misc.comp_rbytes | | keyword | -| rsa.misc.comp_sbytes | | keyword | -| rsa.misc.comp_version | This key captures the Version level of a sub-component of a product. | keyword | -| rsa.misc.connection_id | This key captures the Connection ID | keyword | -| rsa.misc.content | This key captures the content type from protocol headers | keyword | -| rsa.misc.content_type | This key is used to capture Content Type only. | keyword | -| rsa.misc.content_version | This key captures Version level of a signature or database content. | keyword | -| rsa.misc.context | This key captures Information which adds additional context to the event. 
| keyword | -| rsa.misc.context_subject | This key is to be used in an audit context where the subject is the object being identified | keyword | -| rsa.misc.context_target | | keyword | -| rsa.misc.count | | keyword | -| rsa.misc.cpu | This key is the CPU time used in the execution of the event being recorded. | long | -| rsa.misc.cpu_data | | keyword | -| rsa.misc.criticality | | keyword | -| rsa.misc.cs_agency_dst | | keyword | -| rsa.misc.cs_analyzedby | | keyword | -| rsa.misc.cs_av_other | | keyword | -| rsa.misc.cs_av_primary | | keyword | -| rsa.misc.cs_av_secondary | | keyword | -| rsa.misc.cs_bgpv6nxthop | | keyword | -| rsa.misc.cs_bit9status | | keyword | -| rsa.misc.cs_context | | keyword | -| rsa.misc.cs_control | | keyword | -| rsa.misc.cs_data | | keyword | -| rsa.misc.cs_datecret | | keyword | -| rsa.misc.cs_dst_tld | | keyword | -| rsa.misc.cs_eth_dst_ven | | keyword | -| rsa.misc.cs_eth_src_ven | | keyword | -| rsa.misc.cs_event_uuid | | keyword | -| rsa.misc.cs_filetype | | keyword | -| rsa.misc.cs_fld | | keyword | -| rsa.misc.cs_if_desc | | keyword | -| rsa.misc.cs_if_name | | keyword | -| rsa.misc.cs_ip_next_hop | | keyword | -| rsa.misc.cs_ipv4dstpre | | keyword | -| rsa.misc.cs_ipv4srcpre | | keyword | -| rsa.misc.cs_lifetime | | keyword | -| rsa.misc.cs_log_medium | | keyword | -| rsa.misc.cs_loginname | | keyword | -| rsa.misc.cs_modulescore | | keyword | -| rsa.misc.cs_modulesign | | keyword | -| rsa.misc.cs_opswatresult | | keyword | -| rsa.misc.cs_payload | | keyword | -| rsa.misc.cs_registrant | | keyword | -| rsa.misc.cs_registrar | | keyword | -| rsa.misc.cs_represult | | keyword | -| rsa.misc.cs_rpayload | | keyword | -| rsa.misc.cs_sampler_name | | keyword | -| rsa.misc.cs_sourcemodule | | keyword | -| rsa.misc.cs_streams | | keyword | -| rsa.misc.cs_targetmodule | | keyword | -| rsa.misc.cs_v6nxthop | | keyword | -| rsa.misc.cs_whois_server | | keyword | -| rsa.misc.cs_yararesult | | keyword | -| rsa.misc.cve | This key captures 
CVE (Common Vulnerabilities and Exposures) - an identifier for known information security vulnerabilities. | keyword | -| rsa.misc.data_type | | keyword | -| rsa.misc.description | | keyword | -| rsa.misc.device_name | This is used to capture name of the Device associated with the node Like: a physical disk, printer, etc | keyword | -| rsa.misc.devvendor | | keyword | -| rsa.misc.disposition | This key captures the The end state of an action. | keyword | -| rsa.misc.distance | | keyword | -| rsa.misc.doc_number | This key captures File Identification number | long | -| rsa.misc.dstburb | | keyword | -| rsa.misc.edomain | | keyword | -| rsa.misc.edomaub | | keyword | -| rsa.misc.ein_number | Employee Identification Numbers only | long | -| rsa.misc.error | This key captures All non successful Error codes or responses | keyword | -| rsa.misc.euid | | keyword | -| rsa.misc.event_category | | keyword | -| rsa.misc.event_computer | This key is a windows only concept, where this key is used to capture fully qualified domain name in a windows log. | keyword | -| rsa.misc.event_desc | This key is used to capture a description of an event available directly or inferred | keyword | -| rsa.misc.event_id | | keyword | -| rsa.misc.event_log | This key captures the Name of the event log | keyword | -| rsa.misc.event_source | This key captures Source of the event that’s not a hostname | keyword | -| rsa.misc.event_state | This key captures the current state of the object/item referenced within the event. Describing an on-going event. | keyword | -| rsa.misc.event_type | This key captures the event category type as specified by the event source. | keyword | -| rsa.misc.event_user | This key is a windows only concept, where this key is used to capture combination of domain name and username in a windows log. | keyword | -| rsa.misc.expected_val | This key captures the Value expected (from the perspective of the device generating the log). 
| keyword | -| rsa.misc.facility | | keyword | -| rsa.misc.facilityname | | keyword | -| rsa.misc.fcatnum | This key captures Filter Category Number. Legacy Usage | keyword | -| rsa.misc.filter | This key captures Filter used to reduce result set | keyword | -| rsa.misc.finterface | | keyword | -| rsa.misc.flags | | keyword | -| rsa.misc.forensic_info | | keyword | -| rsa.misc.found | This is used to capture the results of regex match | keyword | -| rsa.misc.fresult | This key captures the Filter Result | long | -| rsa.misc.gaddr | | keyword | -| rsa.misc.group | This key captures the Group Name value | keyword | -| rsa.misc.group_id | This key captures Group ID Number (related to the group name) | keyword | -| rsa.misc.group_object | This key captures a collection/grouping of entities. Specific usage | keyword | -| rsa.misc.hardware_id | This key is used to capture unique identifier for a device or system (NOT a Mac address) | keyword | -| rsa.misc.id3 | | keyword | -| rsa.misc.im_buddyid | | keyword | -| rsa.misc.im_buddyname | | keyword | -| rsa.misc.im_client | | keyword | -| rsa.misc.im_croomid | | keyword | -| rsa.misc.im_croomtype | | keyword | -| rsa.misc.im_members | | keyword | -| rsa.misc.im_userid | | keyword | -| rsa.misc.im_username | | keyword | -| rsa.misc.index | | keyword | -| rsa.misc.inout | | keyword | -| rsa.misc.ipkt | | keyword | -| rsa.misc.ipscat | | keyword | -| rsa.misc.ipspri | | keyword | -| rsa.misc.job_num | This key captures the Job Number | keyword | -| rsa.misc.jobname | | keyword | -| rsa.misc.language | This is used to capture list of languages the client support and what it prefers | keyword | -| rsa.misc.latitude | | keyword | -| rsa.misc.library | This key is used to capture library information in mainframe devices | keyword | -| rsa.misc.lifetime | This key is used to capture the session lifetime in seconds. | long | -| rsa.misc.linenum | | keyword | -| rsa.misc.link | This key is used to link the sessions together. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | -| rsa.misc.list_name | | keyword | -| rsa.misc.listnum | This key is used to capture listname or listnumber, primarily for collecting access-list | keyword | -| rsa.misc.load_data | | keyword | -| rsa.misc.location_floor | | keyword | -| rsa.misc.location_mark | | keyword | -| rsa.misc.log_id | | keyword | -| rsa.misc.log_session_id | This key is used to capture a sessionid from the session directly | keyword | -| rsa.misc.log_session_id1 | This key is used to capture a Linked (Related) Session ID from the session directly | keyword | -| rsa.misc.log_type | | keyword | -| rsa.misc.logid | | keyword | -| rsa.misc.logip | | keyword | -| rsa.misc.logname | | keyword | -| rsa.misc.longitude | | keyword | -| rsa.misc.lport | | keyword | -| rsa.misc.mail_id | This key is used to capture the mailbox id/name | keyword | -| rsa.misc.match | This key is for regex match name from search.ini | keyword | -| rsa.misc.mbug_data | | keyword | -| rsa.misc.message_body | This key captures the The contents of the message body. | keyword | -| rsa.misc.misc | | keyword | -| rsa.misc.misc_name | | keyword | -| rsa.misc.mode | | keyword | -| rsa.misc.msgIdPart1 | | keyword | -| rsa.misc.msgIdPart2 | | keyword | -| rsa.misc.msgIdPart3 | | keyword | -| rsa.misc.msgIdPart4 | | keyword | -| rsa.misc.msg_type | | keyword | -| rsa.misc.msgid | | keyword | -| rsa.misc.name | | keyword | -| rsa.misc.netsessid | | keyword | -| rsa.misc.node | Common use case is the node name within a cluster. The cluster name is reflected by the host name. 
| keyword | -| rsa.misc.ntype | | keyword | -| rsa.misc.num | | keyword | -| rsa.misc.number | | keyword | -| rsa.misc.number1 | | keyword | -| rsa.misc.number2 | | keyword | -| rsa.misc.nwwn | | keyword | -| rsa.misc.obj_name | This is used to capture name of object | keyword | -| rsa.misc.obj_type | This is used to capture type of object | keyword | -| rsa.misc.object | | keyword | -| rsa.misc.observed_val | This key captures the Value observed (from the perspective of the device generating the log). | keyword | -| rsa.misc.operation | | keyword | -| rsa.misc.operation_id | An alert number or operation number. The values should be unique and non-repeating. | keyword | -| rsa.misc.opkt | | keyword | -| rsa.misc.orig_from | | keyword | -| rsa.misc.owner_id | | keyword | -| rsa.misc.p_action | | keyword | -| rsa.misc.p_filter | | keyword | -| rsa.misc.p_group_object | | keyword | -| rsa.misc.p_id | | keyword | -| rsa.misc.p_msgid | | keyword | -| rsa.misc.p_msgid1 | | keyword | -| rsa.misc.p_msgid2 | | keyword | -| rsa.misc.p_result1 | | keyword | -| rsa.misc.param | This key is the parameters passed as part of a command or application, etc. | keyword | -| rsa.misc.param_dst | This key captures the command line/launch argument of the target process or file | keyword | -| rsa.misc.param_src | This key captures source parameter | keyword | -| rsa.misc.parent_node | This key captures the Parent Node Name. Must be related to node variable. 
| keyword | -| rsa.misc.password_chg | | keyword | -| rsa.misc.password_expire | | keyword | -| rsa.misc.payload_dst | This key is used to capture destination payload | keyword | -| rsa.misc.payload_src | This key is used to capture source payload | keyword | -| rsa.misc.permgranted | | keyword | -| rsa.misc.permwanted | | keyword | -| rsa.misc.pgid | | keyword | -| rsa.misc.phone | | keyword | -| rsa.misc.pid | | keyword | -| rsa.misc.policy | | keyword | -| rsa.misc.policyUUID | | keyword | -| rsa.misc.policy_id | This key is used to capture the Policy ID only, this should be a numeric value, use policy.name otherwise | keyword | -| rsa.misc.policy_name | This key is used to capture the Policy Name only. | keyword | -| rsa.misc.policy_value | This key captures the contents of the policy. This contains details about the policy | keyword | -| rsa.misc.policy_waiver | | keyword | -| rsa.misc.pool_id | This key captures the identifier (typically numeric field) of a resource pool | keyword | -| rsa.misc.pool_name | This key captures the name of a resource pool | keyword | -| rsa.misc.port_name | This key is used for Physical or logical port connection but does NOT include a network port. (Example: Printer port name). | keyword | -| rsa.misc.priority | | keyword | -| rsa.misc.process_id_val | This key is a failure key for Process ID when it is not an integer value | keyword | -| rsa.misc.prog_asp_num | | keyword | -| rsa.misc.program | | keyword | -| rsa.misc.real_data | | keyword | -| rsa.misc.reason | | keyword | -| rsa.misc.rec_asp_device | | keyword | -| rsa.misc.rec_asp_num | | keyword | -| rsa.misc.rec_library | | keyword | -| rsa.misc.recordnum | | keyword | -| rsa.misc.reference_id | This key is used to capture an event id from the session directly | keyword | -| rsa.misc.reference_id1 | This key is for Linked ID to be used as an addition to "reference.id" | keyword | -| rsa.misc.reference_id2 | This key is for the 2nd Linked ID. 
Can be either linked to "reference.id" or "reference.id1" value but should not be used unless the other two variables are in play. | keyword | -| rsa.misc.result | This key is used to capture the outcome/result string value of an action in a session. | keyword | -| rsa.misc.result_code | This key is used to capture the outcome/result numeric value of an action in a session | keyword | -| rsa.misc.risk | This key captures the non-numeric risk value | keyword | -| rsa.misc.risk_info | Deprecated, use New Hunting Model (inv.\*, ioc, boc, eoc, analysis.\*) | keyword | -| rsa.misc.risk_num | This key captures a Numeric Risk value | double | -| rsa.misc.risk_num_comm | This key captures Risk Number Community | double | -| rsa.misc.risk_num_next | This key captures Risk Number NextGen | double | -| rsa.misc.risk_num_sand | This key captures Risk Number SandBox | double | -| rsa.misc.risk_num_static | This key captures Risk Number Static | double | -| rsa.misc.risk_suspicious | Deprecated, use New Hunting Model (inv.\*, ioc, boc, eoc, analysis.\*) | keyword | -| rsa.misc.risk_warning | Deprecated, use New Hunting Model (inv.\*, ioc, boc, eoc, analysis.\*) | keyword | -| rsa.misc.ruid | | keyword | -| rsa.misc.rule | This key captures the Rule number | keyword | -| rsa.misc.rule_group | This key captures the Rule group name | keyword | -| rsa.misc.rule_name | This key captures the Rule Name | keyword | -| rsa.misc.rule_template | A default set of parameters which are overlayed onto a rule (or rulename) which efffectively constitutes a template | keyword | -| rsa.misc.rule_uid | This key is the Unique Identifier for a rule. | keyword | -| rsa.misc.sburb | | keyword | -| rsa.misc.sdomain_fld | | keyword | -| rsa.misc.search_text | This key captures the Search Text used | keyword | -| rsa.misc.sec | | keyword | -| rsa.misc.second | | keyword | -| rsa.misc.sensor | This key captures Name of the sensor. 
Typically used in IDS/IPS based devices | keyword | -| rsa.misc.sensorname | | keyword | -| rsa.misc.seqnum | | keyword | -| rsa.misc.serial_number | This key is the Serial number associated with a physical asset. | keyword | -| rsa.misc.session | | keyword | -| rsa.misc.sessiontype | | keyword | -| rsa.misc.severity | This key is used to capture the severity given the session | keyword | -| rsa.misc.sigUUID | | keyword | -| rsa.misc.sig_id | This key captures IDS/IPS Int Signature ID | long | -| rsa.misc.sig_id1 | This key captures IDS/IPS Int Signature ID. This must be linked to the sig.id | long | -| rsa.misc.sig_id_str | This key captures a string object of the sigid variable. | keyword | -| rsa.misc.sig_name | This key is used to capture the Signature Name only. | keyword | -| rsa.misc.sigcat | | keyword | -| rsa.misc.snmp_oid | SNMP Object Identifier | keyword | -| rsa.misc.snmp_value | SNMP set request value | keyword | -| rsa.misc.space | | keyword | -| rsa.misc.space1 | | keyword | -| rsa.misc.spi | | keyword | -| rsa.misc.spi_dst | Destination SPI Index | keyword | -| rsa.misc.spi_src | Source SPI Index | keyword | -| rsa.misc.sql | This key captures the SQL query | keyword | -| rsa.misc.srcburb | | keyword | -| rsa.misc.srcdom | | keyword | -| rsa.misc.srcservice | | keyword | -| rsa.misc.state | | keyword | -| rsa.misc.status | | keyword | -| rsa.misc.status1 | | keyword | -| rsa.misc.streams | This key captures number of streams in session | long | -| rsa.misc.subcategory | | keyword | -| rsa.misc.svcno | | keyword | -| rsa.misc.system | | keyword | -| rsa.misc.tbdstr1 | | keyword | -| rsa.misc.tbdstr2 | | keyword | -| rsa.misc.tcp_flags | This key is captures the TCP flags set in any packet of session | long | -| rsa.misc.terminal | This key captures the Terminal Names only | keyword | -| rsa.misc.tgtdom | | keyword | -| rsa.misc.tgtdomain | | keyword | -| rsa.misc.threshold | | keyword | -| rsa.misc.tos | This key describes the type of service | long 
| -| rsa.misc.trigger_desc | This key captures the Description of the trigger or threshold condition. | keyword | -| rsa.misc.trigger_val | This key captures the Value of the trigger or threshold condition. | keyword | -| rsa.misc.type | | keyword | -| rsa.misc.type1 | | keyword | -| rsa.misc.udb_class | | keyword | -| rsa.misc.url_fld | | keyword | -| rsa.misc.user_div | | keyword | -| rsa.misc.userid | | keyword | -| rsa.misc.username_fld | | keyword | -| rsa.misc.utcstamp | | keyword | -| rsa.misc.v_instafname | | keyword | -| rsa.misc.version | This key captures Version of the application or OS which is generating the event. | keyword | -| rsa.misc.virt_data | | keyword | -| rsa.misc.virusname | This key captures the name of the virus | keyword | -| rsa.misc.vm_target | VMWare Target \*\*VMWARE\*\* only varaible. | keyword | -| rsa.misc.vpnid | | keyword | -| rsa.misc.vsys | This key captures Virtual System Name | keyword | -| rsa.misc.vuln_ref | This key captures the Vulnerability Reference details | keyword | -| rsa.misc.workspace | This key captures Workspace Description | keyword | -| rsa.network.ad_computer_dst | Deprecated, use host.dst | keyword | -| rsa.network.addr | | keyword | -| rsa.network.alias_host | This key should be used when the source or destination context of a hostname is not clear.Also it captures the Device Hostname. Any Hostname that isnt ad.computer. 
| keyword | -| rsa.network.dinterface | This key should only be used when it’s a Destination Interface | keyword | -| rsa.network.dmask | This key is used for Destionation Device network mask | keyword | -| rsa.network.dns_a_record | | keyword | -| rsa.network.dns_cname_record | | keyword | -| rsa.network.dns_id | | keyword | -| rsa.network.dns_opcode | | keyword | -| rsa.network.dns_ptr_record | | keyword | -| rsa.network.dns_resp | | keyword | -| rsa.network.dns_type | | keyword | -| rsa.network.domain | | keyword | -| rsa.network.domain1 | | keyword | -| rsa.network.eth_host | Deprecated, use alias.mac | keyword | -| rsa.network.eth_type | This key is used to capture Ethernet Type, Used for Layer 3 Protocols Only | long | -| rsa.network.faddr | | keyword | -| rsa.network.fhost | | keyword | -| rsa.network.fport | | keyword | -| rsa.network.gateway | This key is used to capture the IP Address of the gateway | keyword | -| rsa.network.host_dst | This key should only be used when it’s a Destination Hostname | keyword | -| rsa.network.host_orig | This is used to capture the original hostname in case of a Forwarding Agent or a Proxy in between. | keyword | -| rsa.network.host_type | | keyword | -| rsa.network.icmp_code | This key is used to capture the ICMP code only | long | -| rsa.network.icmp_type | This key is used to capture the ICMP type only | long | -| rsa.network.interface | This key should be used when the source or destination context of an interface is not clear | keyword | -| rsa.network.ip_proto | This key should be used to capture the Protocol number, all the protocol nubers are converted into string in UI | long | -| rsa.network.laddr | | keyword | -| rsa.network.lhost | | keyword | -| rsa.network.linterface | | keyword | -| rsa.network.mask | This key is used to capture the device network IPmask. | keyword | -| rsa.network.netname | This key is used to capture the network name associated with an IP range. This is configured by the end user. 
| keyword | -| rsa.network.network_port | Deprecated, use port. NOTE: There is a type discrepancy as currently used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!) | long | -| rsa.network.network_service | This is used to capture layer 7 protocols/service names | keyword | -| rsa.network.origin | | keyword | -| rsa.network.packet_length | | keyword | -| rsa.network.paddr | Deprecated | ip | -| rsa.network.phost | | keyword | -| rsa.network.port | This key should only be used to capture a Network Port when the directionality is not clear | long | -| rsa.network.protocol_detail | This key should be used to capture additional protocol information | keyword | -| rsa.network.remote_domain_id | | keyword | -| rsa.network.rpayload | This key is used to capture the total number of payload bytes seen in the retransmitted packets. | keyword | -| rsa.network.sinterface | This key should only be used when it’s a Source Interface | keyword | -| rsa.network.smask | This key is used for capturing source Network Mask | keyword | -| rsa.network.vlan | This key should only be used to capture the ID of the Virtual LAN | long | -| rsa.network.vlan_name | This key should only be used to capture the name of the Virtual LAN | keyword | -| rsa.network.zone | This key should be used when the source or destination context of a Zone is not clear | keyword | -| rsa.network.zone_dst | This key should only be used when it’s a Destination Zone. | keyword | -| rsa.network.zone_src | This key should only be used when it’s a Source Zone. | keyword | -| rsa.physical.org_dst | This is used to capture the destination organization based on the GEOPIP Maxmind database. | keyword | -| rsa.physical.org_src | This is used to capture the source organization based on the GEOPIP Maxmind database. 
| keyword | -| rsa.storage.disk_volume | A unique name assigned to logical units (volumes) within a physical disk | keyword | -| rsa.storage.lun | Logical Unit Number.This key is a very useful concept in Storage. | keyword | -| rsa.storage.pwwn | This uniquely identifies a port on a HBA. | keyword | -| rsa.threat.alert | This key is used to capture name of the alert | keyword | -| rsa.threat.threat_category | This key captures Threat Name/Threat Category/Categorization of alert | keyword | -| rsa.threat.threat_desc | This key is used to capture the threat description from the session directly or inferred | keyword | -| rsa.threat.threat_source | This key is used to capture source of the threat | keyword | -| rsa.time.date | | keyword | -| rsa.time.datetime | | keyword | -| rsa.time.day | | keyword | -| rsa.time.duration_str | A text string version of the duration | keyword | -| rsa.time.duration_time | This key is used to capture the normalized duration/lifetime in seconds. | double | -| rsa.time.effective_time | This key is the effective time referenced by an individual event in a Standard Timestamp format | date | -| rsa.time.endtime | This key is used to capture the End time mentioned in a session in a standard form | date | -| rsa.time.event_queue_time | This key is the Time that the event was queued. | date | -| rsa.time.event_time | This key is used to capture the time mentioned in a raw session that represents the actual time an event occured in a standard normalized form | date | -| rsa.time.event_time_str | This key is used to capture the incomplete time mentioned in a session as a string | keyword | -| rsa.time.eventtime | | keyword | -| rsa.time.expire_time | This key is the timestamp that explicitly refers to an expiration. | date | -| rsa.time.expire_time_str | This key is used to capture incomplete timestamp that explicitly refers to an expiration. 
| keyword | -| rsa.time.gmtdate | | keyword | -| rsa.time.gmttime | | keyword | -| rsa.time.hour | | keyword | -| rsa.time.min | | keyword | -| rsa.time.month | | keyword | -| rsa.time.p_date | | keyword | -| rsa.time.p_month | | keyword | -| rsa.time.p_time | | keyword | -| rsa.time.p_time1 | | keyword | -| rsa.time.p_time2 | | keyword | -| rsa.time.p_year | | keyword | -| rsa.time.process_time | Deprecated, use duration.time | keyword | -| rsa.time.recorded_time | The event time as recorded by the system the event is collected from. The usage scenario is a multi-tier application where the management layer of the system records it's own timestamp at the time of collection from its child nodes. Must be in timestamp format. | date | -| rsa.time.stamp | Deprecated key defined only in table map. | date | -| rsa.time.starttime | This key is used to capture the Start time mentioned in a session in a standard form | date | -| rsa.time.timestamp | | keyword | -| rsa.time.timezone | This key is used to capture the timezone of the Event Time | keyword | -| rsa.time.tzone | | keyword | -| rsa.time.year | | keyword | -| rsa.web.alias_host | | keyword | -| rsa.web.cn_asn_dst | | keyword | -| rsa.web.cn_rpackets | | keyword | -| rsa.web.fqdn | Fully Qualified Domain Names | keyword | -| rsa.web.p_url | | keyword | -| rsa.web.p_user_agent | | keyword | -| rsa.web.p_web_cookie | | keyword | -| rsa.web.p_web_method | | keyword | -| rsa.web.p_web_referer | | keyword | -| rsa.web.remote_domain | | keyword | -| rsa.web.reputation_num | Reputation Number of an entity. Typically used for Web Domains | double | -| rsa.web.urlpage | | keyword | -| rsa.web.urlroot | | keyword | -| rsa.web.web_cookie | This key is used to capture the Web cookies specifically. 
| keyword | -| rsa.web.web_extension_tmp | | keyword | -| rsa.web.web_page | | keyword | -| rsa.web.web_ref_domain | Web referer's domain | keyword | -| rsa.web.web_ref_page | This key captures Web referer's page information | keyword | -| rsa.web.web_ref_query | This key captures Web referer's query portion of the URL | keyword | -| rsa.web.web_ref_root | Web referer's root URL path | keyword | -| rsa.wireless.access_point | This key is used to capture the access point name. | keyword | -| rsa.wireless.wlan_channel | This is used to capture the channel names | long | -| rsa.wireless.wlan_name | This key captures either WLAN number/name | keyword | -| rsa.wireless.wlan_ssid | This key is used to capture the ssid of a Wireless Session | keyword | -| rule.name | The name of the rule or signature generating the event. | keyword | -| server.domain | The domain name of the server system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | -| server.registered_domain | The highest registered server domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | -| server.subdomain | The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". 
If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword | -| server.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | -| service.name | Name of the service data is collected from. The name of the service is normally user given. This allows for distributed services that run on multiple hosts to correlate the related instances based on the name. In the case of Elasticsearch the `service.name` could contain the cluster name. For Beats the `service.name` is by default a copy of the `service.type` field if no name is specified. | keyword | -| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| source.as.organization.name | Organization name. | keyword | -| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text | -| source.bytes | Bytes sent from the source to the destination. | long | -| source.domain | The domain name of the source system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | -| source.geo.city_name | City name. 
| keyword | -| source.geo.country_name | Country name. | keyword | -| source.geo.location | Longitude and latitude. | geo_point | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| source.mac | MAC address of the source. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | -| source.nat.ip | Translated ip of source based NAT sessions (e.g. internal client to internet) Typically connections traversing load balancers, firewalls, or routers. | ip | -| source.nat.port | Translated port of source based NAT sessions. (e.g. internal client to internet) Typically used with load balancers, firewalls, or routers. | long | -| source.port | Port of the source. | long | -| source.registered_domain | The highest registered source domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | -| source.subdomain | The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword | -| source.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. 
For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | -| tags | List of keywords used to tag each event. | keyword | -| url.domain | Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. | keyword | -| url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | wildcard | -| url.original.text | Multi-field of `url.original`. | match_only_text | -| url.path | Path of the request, such as "/search". | wildcard | -| url.query | The query field describes the query string of the request, such as "q=elasticsearch". The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. | keyword | -| url.registered_domain | The highest registered url domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". 
| keyword | -| url.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | -| user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword | -| user.full_name | User's full name, if available. | keyword | -| user.full_name.text | Multi-field of `user.full_name`. | match_only_text | -| user.id | Unique identifier of the user. | keyword | -| user.name | Short name or login of the user. | keyword | -| user.name.text | Multi-field of `user.name`. | match_only_text | -| user_agent.original | Unparsed user_agent string. | keyword | -| user_agent.original.text | Multi-field of `user_agent.original`. | match_only_text | diff --git a/packages/fortinet_forticlient/1.1.2/img/fortinet-logo.svg b/packages/fortinet_forticlient/1.1.2/img/fortinet-logo.svg deleted file mode 100755 index d6a8448f32..0000000000 --- a/packages/fortinet_forticlient/1.1.2/img/fortinet-logo.svg +++ /dev/null @@ -1,9 +0,0 @@ - - - - - - - - - diff --git a/packages/fortinet_forticlient/1.1.2/manifest.yml b/packages/fortinet_forticlient/1.1.2/manifest.yml deleted file mode 100755 index 3a3cd8e556..0000000000 --- a/packages/fortinet_forticlient/1.1.2/manifest.yml +++ /dev/null 
@@ -1,32 +0,0 @@ -name: fortinet_forticlient -title: Fortinet FortiClient Logs -version: 1.1.2 -release: ga -description: Collect logs from Fortinet FortiClient instances with Elastic Agent. -type: integration -format_version: 1.0.0 -license: basic -categories: ["security"] -conditions: - kibana.version: "^7.14.1 || ^8.0.0" -icons: - - src: /img/fortinet-logo.svg - title: Fortinet - size: 216x216 - type: image/svg+xml -policy_templates: - - name: fortinet - title: Fortinet FortiClient logs - description: Collect logs from Fortinet FortiClient instances - inputs: - - type: logfile - title: "Collect Fortinet FortiClient logs (input: logfile)" - description: "Collecting logs from Fortinet FortiClient instances (input: logfile)" - - type: tcp - title: "Collect Fortinet FortiClient logs (input: tcp)" - description: "Collecting logs from Fortinet FortiClient instances (input: tcp)" - - type: udp - title: "Collect Fortinet FortiClient logs (input: udp)" - description: "Collecting logs from Fortinet FortiClient instances (input: udp)" -owner: - github: elastic/security-external-integrations diff --git a/packages/fortinet_fortigate/1.2.1/LICENSE.txt b/packages/fortinet_fortigate/1.2.1/LICENSE.txt deleted file mode 100755 index 809108b857..0000000000 --- a/packages/fortinet_fortigate/1.2.1/LICENSE.txt +++ /dev/null 
@@ -1,93 +0,0 @@ -Elastic License 2.0 - -URL: https://www.elastic.co/licensing/elastic-license - -## Acceptance - -By using the software, you agree to all of the terms and conditions below. - -## Copyright License - -The licensor grants you a non-exclusive, royalty-free, worldwide, -non-sublicensable, non-transferable license to use, copy, distribute, make -available, and prepare derivative works of the software, in each case subject to -the limitations and conditions below. - -## Limitations - -You may not provide the software to third parties as a hosted or managed -service, where the service provides users with access to any substantial set of -the features or functionality of the software. - -You may not move, change, disable, or circumvent the license key functionality -in the software, and you may not remove or obscure any functionality in the -software that is protected by the license key. - -You may not alter, remove, or obscure any licensing, copyright, or other notices -of the licensor in the software. Any use of the licensor’s trademarks is subject -to applicable law. - -## Patents - -The licensor grants you a license, under any patent claims the licensor can -license, or becomes able to license, to make, have made, use, sell, offer for -sale, import and have imported the software, in each case subject to the -limitations and conditions in this license. This license does not cover any -patent claims that you cause to be infringed by modifications or additions to -the software. If you or your company make any written claim that the software -infringes or contributes to infringement of any patent, your patent license for -the software granted under these terms ends immediately. If your company makes -such a claim, your patent license ends immediately for work on behalf of your -company. - -## Notices - -You must ensure that anyone who gets a copy of any part of the software from you -also gets a copy of these terms. 
- -If you modify the software, you must include in any modified copies of the -software prominent notices stating that you have modified the software. - -## No Other Rights - -These terms do not imply any licenses other than those expressly granted in -these terms. - -## Termination - -If you use the software in violation of these terms, such use is not licensed, -and your licenses will automatically terminate. If the licensor provides you -with a notice of your violation, and you cease all violation of this license no -later than 30 days after you receive that notice, your licenses will be -reinstated retroactively. However, if you violate these terms after such -reinstatement, any additional violation of these terms will cause your licenses -to terminate automatically and permanently. - -## No Liability - -*As far as the law allows, the software comes as is, without any warranty or -condition, and the licensor will not be liable to you for any damages arising -out of these terms or the use or nature of the software, under any kind of -legal claim.* - -## Definitions - -The **licensor** is the entity offering these terms, and the **software** is the -software the licensor makes available under these terms, including any portion -of it. - -**you** refers to the individual or entity agreeing to these terms. - -**your company** is any legal entity, sole proprietorship, or other kind of -organization that you work for, plus all organizations that have control over, -are under the control of, or are under common control with that -organization. **control** means ownership of substantially all the assets of an -entity, or the power to direct its management and policies by vote, contract, or -otherwise. Control can be direct or indirect. - -**your licenses** are all the licenses granted to you for the software under -these terms. - -**use** means anything you do with the software requiring one of your licenses. 
- -**trademark** means trademarks, service marks, and similar rights. diff --git a/packages/fortinet_fortigate/1.2.1/changelog.yml b/packages/fortinet_fortigate/1.2.1/changelog.yml deleted file mode 100755 index ed40d25fd8..0000000000 --- a/packages/fortinet_fortigate/1.2.1/changelog.yml +++ /dev/null @@ -1,29 +0,0 @@ -# newer versions go on top -- version: "1.2.1" - changes: - - description: Use ECS geo.location definition. - type: enhancement - link: https://github.com/elastic/integrations/issues/4227 -- version: "1.2.0" - changes: - - description: Update Ingest Pipeline with observer Fields - type: enhancement - link: https://github.com/elastic/integrations/pull/3819 -- version: "1.1.0" - changes: - - description: Add dashboard. - type: enhancement - link: https://github.com/elastic/integrations/pull/3832 - - description: Process syslog priority and facility. - type: enhancement - link: https://github.com/elastic/integrations/pull/3832 -- version: "1.0.1" - changes: - - description: Fix handling of sip events. - type: bugfix - link: https://github.com/elastic/integrations/pull/3901 -- version: "1.0.0" - changes: - - description: Initial version of Fortinet FortiGate as separate package - type: enhancement - link: https://github.com/elastic/integrations/pull/3265 diff --git a/packages/fortinet_fortigate/1.2.1/data_stream/log/agent/stream/log.yml.hbs b/packages/fortinet_fortigate/1.2.1/data_stream/log/agent/stream/log.yml.hbs deleted file mode 100755 index 225500de9f..0000000000 --- a/packages/fortinet_fortigate/1.2.1/data_stream/log/agent/stream/log.yml.hbs +++ /dev/null 
@@ -1,47 +0,0 @@ -paths: -{{#each paths as |path i|}} - - {{path}} -{{/each}} -exclude_files: [".gz$"] -tags: -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#each tags as |tag i|}} - - {{tag}} -{{/each}} -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} -{{#if internal_interfaces.length}} -processors: -{{else}} -{{#if external_interfaces.length}} -processors: -{{else}} -{{#if processors}} -processors: -{{/if}} -{{/if}} -{{/if}} -{{#if processors}} -{{processors}} -{{/if}} -{{#if internal_interfaces.length}} - - add_fields: - target: _temp - fields: - internal_interfaces: - {{#each internal_interfaces as |interface i|}} - - {{interface}} - {{/each}} -{{/if}} -{{#if external_interfaces.length}} - - add_fields: - target: _temp - fields: - external_interfaces: - {{#each external_interfaces as |interface i|}} - - {{interface}} - {{/each}} -{{/if}} diff --git a/packages/fortinet_fortigate/1.2.1/data_stream/log/agent/stream/tcp.yml.hbs b/packages/fortinet_fortigate/1.2.1/data_stream/log/agent/stream/tcp.yml.hbs deleted file mode 100755 index 6ca58d4fa8..0000000000 --- a/packages/fortinet_fortigate/1.2.1/data_stream/log/agent/stream/tcp.yml.hbs +++ /dev/null 
@@ -1,49 +0,0 @@ -host: "{{syslog_host}}:{{syslog_port}}" -tags: -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#each tags as |tag i|}} - - {{tag}} -{{/each}} -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} -{{#if ssl}} -ssl: {{ssl}} -{{/if}} -{{#if internal_interfaces.length}} -processors: -{{else}} -{{#if external_interfaces.length}} -processors: -{{else}} -{{#if processors}} -processors: -{{/if}} -{{/if}} -{{/if}} -{{#if processors}} -{{processors}} -{{/if}} -{{#if internal_interfaces.length}} - - add_fields: - target: _temp - fields: - internal_interfaces: - {{#each internal_interfaces as |interface i|}} - - {{interface}} - {{/each}} -{{/if}} -{{#if external_interfaces.length}} - - add_fields: - target: _temp - fields: - external_interfaces: - {{#each external_interfaces as |interface i|}} - - {{interface}} - {{/each}} -{{/if}} -{{#if tcp_options}} -{{tcp_options}} -{{/if}} diff --git a/packages/fortinet_fortigate/1.2.1/data_stream/log/agent/stream/udp.yml.hbs b/packages/fortinet_fortigate/1.2.1/data_stream/log/agent/stream/udp.yml.hbs deleted file mode 100755 index 852d6d18f0..0000000000 --- a/packages/fortinet_fortigate/1.2.1/data_stream/log/agent/stream/udp.yml.hbs +++ /dev/null 
@@ -1,43 +0,0 @@ -host: "{{syslog_host}}:{{syslog_port}}" -tags: -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#each tags as |tag i|}} - - {{tag}} -{{/each}} -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} -{{#if internal_interfaces.length}} -processors: -{{else}} -{{#if external_interfaces.length}} -processors: -{{else}} -{{#if processors}} -processors: -{{/if}} -{{/if}} -{{/if}} -{{#if processors}} -{{processors}} -{{/if}} -{{#if internal_interfaces.length}} - - add_fields: - target: _temp - fields: - internal_interfaces: - {{#each internal_interfaces as |interface i|}} - - {{interface}} - {{/each}} -{{/if}} -{{#if external_interfaces.length}} - - add_fields: - target: _temp - fields: - external_interfaces: - {{#each external_interfaces as |interface i|}} - - {{interface}} - {{/each}} -{{/if}} diff --git a/packages/fortinet_fortigate/1.2.1/data_stream/log/elasticsearch/ingest_pipeline/default.yml b/packages/fortinet_fortigate/1.2.1/data_stream/log/elasticsearch/ingest_pipeline/default.yml deleted file mode 100755 index 839fd37ff8..0000000000 --- a/packages/fortinet_fortigate/1.2.1/data_stream/log/elasticsearch/ingest_pipeline/default.yml +++ /dev/null 
@@ -1,442 +0,0 @@ ---- -description: Pipeline for parsing fortinet firewall logs -processors: - - set: - field: ecs.version - value: '8.3.0' - - rename: - field: message - target_field: event.original - - grok: - field: event.original - ecs_compatibility: v1 - patterns: - - "%{SYSLOG5424PRI}%{GREEDYDATA:syslog5424_sd}$" - - script: - lang: painless - source: | - if (ctx.log?.syslog?.priority != null) { - def severity = new HashMap(); - severity['code'] = ctx.log.syslog.priority&0x7; - ctx.log.syslog['severity'] = severity; - def facility = new HashMap(); - facility['code'] = ctx.log.syslog.priority>>3; - ctx.log.syslog['facility'] = facility; - } - - kv: - field: syslog5424_sd - field_split: " (?=[a-z\\_\\-]+=)" - value_split: "=" - prefix: "fortinet.firewall." - ignore_missing: true - ignore_failure: false - trim_value: '"' - - script: - lang: painless - source: | - def fw = ctx?.fortinet?.firewall; - if (fw != null) { - fw.entrySet().removeIf(entry -> entry.getValue() == "N/A"); - } - - set: - field: observer.vendor - value: Fortinet - - set: - field: observer.product - value: Fortigate - - set: - field: observer.type - value: firewall - - set: - field: event.timezone - value: "{{fortinet.firewall.tz}}" - ignore_empty_value: true - - set: - field: _temp.time - value: "{{fortinet.firewall.date}} {{fortinet.firewall.time}} {{fortinet.firewall.tz}}" - if: "ctx.fortinet?.firewall?.tz != null" - - set: - field: _temp.time - value: "{{fortinet.firewall.date}} {{fortinet.firewall.time}}" - if: "ctx.fortinet?.firewall?.tz == null" - - date: - field: _temp.time - target_field: "@timestamp" - formats: - - yyyy-MM-dd HH:mm:ss - - yyyy-MM-dd HH:mm:ss Z - - yyyy-MM-dd HH:mm:ss z - - ISO8601 - timezone: "{{fortinet.firewall.tz}}" - if: "ctx.fortinet?.firewall?.tz != null" - - date: - field: _temp.time - target_field: "@timestamp" - formats: - - yyyy-MM-dd HH:mm:ss - - yyyy-MM-dd HH:mm:ss Z - - yyyy-MM-dd HH:mm:ss z - - ISO8601 - if: "ctx.fortinet?.firewall?.tz == null" - - 
gsub: - field: fortinet.firewall.eventtime - pattern: "\\d{6}$" - replacement: "" - if: "ctx.fortinet?.firewall?.eventtime != null && (ctx.fortinet?.firewall?.eventtime).length() > 18" - - date: - field: fortinet.firewall.eventtime - target_field: event.start - formats: - - UNIX_MS - timezone: "{{fortinet.firewall.tz}}" - if: "ctx?.fortinet?.firewall?.eventtime != null && ctx.fortinet?.firewall?.tz != null && (ctx.fortinet?.firewall?.eventtime).length() > 11" - - date: - field: fortinet.firewall.eventtime - target_field: event.start - formats: - - UNIX - timezone: "{{fortinet.firewall.tz}}" - if: "ctx?.fortinet?.firewall?.eventtime != null && ctx.fortinet?.firewall?.tz != null && (ctx.fortinet?.firewall?.eventtime).length() <= 11" - - date: - field: fortinet.firewall.eventtime - target_field: event.start - formats: - - UNIX_MS - if: "ctx?.fortinet?.firewall?.eventtime != null && ctx.fortinet?.firewall?.tz == null && (ctx.fortinet?.firewall?.eventtime).length() > 11" - - date: - field: fortinet.firewall.eventtime - target_field: event.start - formats: - - UNIX - if: "ctx?.fortinet?.firewall?.eventtime != null && ctx.fortinet?.firewall?.tz == null && (ctx.fortinet?.firewall?.eventtime).length() <= 11" - - rename: - field: fortinet.firewall.devname - target_field: observer.name - ignore_missing: true - - script: - lang: painless - source: "ctx.event.duration = Long.parseLong(ctx.fortinet.firewall.duration) * 1000000000" - if: "ctx.fortinet?.firewall?.duration != null" - - rename: - field: fortinet.firewall.devid - target_field: observer.serial_number - ignore_missing: true - - rename: - field: fortinet.firewall.dstintf - target_field: observer.egress.interface.name - ignore_missing: true - if: "ctx.observer?.egress?.interface?.name == null" - - rename: - field: fortinet.firewall.srcintf - target_field: observer.ingress.interface.name - ignore_missing: true - if: "ctx.observer?.ingress?.interface?.name == null" - - rename: - field: fortinet.firewall.dst_int - 
target_field: observer.egress.interface.name - ignore_missing: true - - rename: - field: fortinet.firewall.src_int - target_field: observer.ingress.interface.name - ignore_missing: true - - rename: - field: fortinet.firewall.level - target_field: log.level - ignore_missing: true - - append: - field: email.cc.address - value: "{{{fortinet.firewall.cc}}}" - if: "ctx?.fortinet?.cc?.address != null" - - set: - field: email.subject - copy_from: fortinet.firewall.subject - if: "ctx?.fortinet?.firewall?.subject != null" - - # Handle interface-based network directionality - - set: - field: network.direction - value: inbound - if: > - ctx?._temp?.external_interfaces != null && - ctx?._temp?.internal_interfaces != null && - ctx?.observer?.ingress?.interface?.name != null && - ctx?.observer?.egress?.interface?.name != null && - ctx._temp.external_interfaces.contains(ctx.observer.ingress.interface.name) && - ctx._temp.internal_interfaces.contains(ctx.observer.egress.interface.name) - - set: - field: network.direction - value: outbound - if: > - ctx?._temp?.external_interfaces != null && - ctx?._temp?.internal_interfaces != null && - ctx?.observer?.ingress?.interface?.name != null && - ctx?.observer?.egress?.interface?.name != null && - ctx._temp.external_interfaces.contains(ctx.observer.egress.interface.name) && - ctx._temp.internal_interfaces.contains(ctx.observer.ingress.interface.name) - - set: - field: network.direction - value: internal - if: > - ctx?._temp?.external_interfaces != null && - ctx?._temp?.internal_interfaces != null && - ctx?.observer?.ingress?.interface?.name != null && - ctx?.observer?.egress?.interface?.name != null && - ctx._temp.internal_interfaces.contains(ctx.observer.egress.interface.name) && - ctx._temp.internal_interfaces.contains(ctx.observer.ingress.interface.name) - - set: - field: network.direction - value: external - if: > - ctx?._temp?.external_interfaces != null && - ctx?._temp?.internal_interfaces != null && - 
ctx?.observer?.ingress?.interface?.name != null && - ctx?.observer?.egress?.interface?.name != null && - ctx._temp.external_interfaces.contains(ctx.observer.egress.interface.name) && - ctx._temp.external_interfaces.contains(ctx.observer.ingress.interface.name) - - set: - field: network.direction - value: unknown - if: > - ctx?._temp?.external_interfaces != null && - ctx?._temp?.internal_interfaces != null && - ctx?.observer?.egress?.interface?.name != null && - ctx?.observer?.ingress?.interface?.name != null && - ( - ( - !ctx._temp.external_interfaces.contains(ctx.observer.egress.interface.name) && - !ctx._temp.internal_interfaces.contains(ctx.observer.egress.interface.name) - ) || - ( - !ctx._temp.external_interfaces.contains(ctx.observer.ingress.interface.name) && - !ctx._temp.internal_interfaces.contains(ctx.observer.ingress.interface.name) - ) - ) - - remove: - field: - - _temp.time - - _temp - - syslog5424_sd - - fortinet.firewall.tz - - fortinet.firewall.date - - fortinet.firewall.devid - - fortinet.firewall.eventtime - - fortinet.firewall.time - - fortinet.firewall.duration - - host - ignore_missing: true - - pipeline: - name: '{{ IngestPipeline "event" }}' - if: "ctx.fortinet?.firewall?.type == 'event'" - - pipeline: - name: '{{ IngestPipeline "traffic" }}' - if: "ctx.fortinet?.firewall?.type == 'traffic'" - - pipeline: - name: '{{ IngestPipeline "utm" }}' - if: "ctx.fortinet?.firewall?.type == 'utm' || ctx.fortinet?.firewall?.type == 'dns'" - - convert: - field: fortinet.firewall.quotamax - type: long - ignore_missing: true - - convert: - field: fortinet.firewall.quotaused - type: long - ignore_missing: true - - convert: - field: fortinet.firewall.size - type: long - ignore_missing: true - - convert: - field: fortinet.firewall.disklograte - type: long - ignore_missing: true - - convert: - field: fortinet.firewall.fazlograte - type: long - ignore_missing: true - - convert: - field: fortinet.firewall.lanin - type: long - ignore_missing: true - - convert: - 
field: fortinet.firewall.lanout - type: long - ignore_missing: true - - convert: - field: fortinet.firewall.setuprate - type: long - ignore_missing: true - - convert: - field: fortinet.firewall.wanin - type: long - ignore_missing: true - - convert: - field: fortinet.firewall.wanout - type: long - ignore_missing: true - - geoip: - field: source.ip - target_field: source.geo - ignore_missing: true - if: "ctx.source?.geo == null" - - geoip: - field: destination.ip - target_field: destination.geo - ignore_missing: true - if: "ctx.destination?.geo == null" - - geoip: - database_file: GeoLite2-ASN.mmdb - field: source.ip - target_field: source.as - properties: - - asn - - organization_name - ignore_missing: true - - geoip: - database_file: GeoLite2-ASN.mmdb - field: destination.ip - target_field: destination.as - properties: - - asn - - organization_name - ignore_missing: true - - geoip: - field: source.nat.ip - target_field: source.geo - ignore_missing: true - if: "ctx.source?.geo == null" - - geoip: - field: destination.nat.ip - target_field: destination.geo - ignore_missing: true - if: "ctx.destination?.geo == null" - - geoip: - database_file: GeoLite2-ASN.mmdb - field: source.nat.ip - target_field: source.as - properties: - - asn - - organization_name - ignore_missing: true - if: "ctx.source?.as == null" - - geoip: - database_file: GeoLite2-ASN.mmdb - field: destination.nat.ip - target_field: destination.as - properties: - - asn - - organization_name - ignore_missing: true - if: "ctx.destination?.as == null" - - rename: - field: source.as.asn - target_field: source.as.number - ignore_missing: true - - rename: - field: source.as.organization_name - target_field: source.as.organization.name - ignore_missing: true - - rename: - field: destination.as.asn - target_field: destination.as.number - ignore_missing: true - - rename: - field: destination.as.organization_name - target_field: destination.as.organization.name - ignore_missing: true - - script: - lang: painless - 
source: "ctx.network.bytes = ctx.source.bytes + ctx.destination.bytes" - if: "ctx?.source?.bytes != null && ctx?.destination?.bytes != null" - ignore_failure: true - - script: - lang: painless - source: "ctx.network.packets = ctx.source.packets + ctx.destination.packets" - if: "ctx?.source?.packets != null && ctx?.destination?.packets != null" - ignore_failure: true - - script: - lang: painless - ignore_failure: true - if: ctx?.network?.iana_number != null - source: | - def iana_number = ctx.network.iana_number; - if (iana_number == '0') { - ctx.network.transport = 'hopopt'; - } else if (iana_number == '1') { - ctx.network.transport = 'icmp'; - } else if (iana_number == '2') { - ctx.network.transport = 'igmp'; - } else if (iana_number == '6') { - ctx.network.transport = 'tcp'; - } else if (iana_number == '8') { - ctx.network.transport = 'egp'; - } else if (iana_number == '17') { - ctx.network.transport = 'udp'; - } else if (iana_number == '47') { - ctx.network.transport = 'gre'; - } else if (iana_number == '50') { - ctx.network.transport = 'esp'; - } else if (iana_number == '58') { - ctx.network.transport = 'ipv6-icmp'; - } else if (iana_number == '112') { - ctx.network.transport = 'vrrp'; - } else if (iana_number == '132') { - ctx.network.transport = 'sctp'; - } - - append: - field: related.ip - value: "{{source.ip}}" - if: "ctx.source?.ip != null" - allow_duplicates: false - - append: - field: related.ip - value: "{{destination.ip}}" - if: "ctx.destination?.ip != null" - allow_duplicates: false - - append: - field: related.user - value: "{{source.user.name}}" - if: "ctx.source?.user?.name != null" - allow_duplicates: false - - append: - field: related.user - value: "{{destination.user.name}}" - if: "ctx.destination?.user?.name != null" - allow_duplicates: false - - append: - field: related.hosts - value: "{{destination.address}}" - if: "ctx.destination?.address != null" - allow_duplicates: false - - append: - field: related.hosts - value: "{{source.address}}" - 
if: "ctx.source?.address != null" - allow_duplicates: false - - append: - field: related.hosts - value: "{{dns.question.name}}" - if: "ctx.dns?.question?.name != null" - allow_duplicates: false - - script: - lang: painless - source: | - def dnsIPs = ctx?.dns?.resolved_ip; - if (dnsIPs != null && dnsIPs instanceof List) { - if (ctx?.related?.ip == null) { - ctx.related.ip = []; - } - for (ip in dnsIPs) { - if (!ctx.related.ip.contains(ip)) { - ctx.related.ip.add(ip); - } - } - } - - remove: - field: event.original - if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" - ignore_failure: true - ignore_missing: true -on_failure: - - set: - field: error.message - value: "{{ _ingest.on_failure_message }}" diff --git a/packages/fortinet_fortigate/1.2.1/data_stream/log/elasticsearch/ingest_pipeline/event.yml b/packages/fortinet_fortigate/1.2.1/data_stream/log/elasticsearch/ingest_pipeline/event.yml deleted file mode 100755 index 19f29c3b99..0000000000 --- a/packages/fortinet_fortigate/1.2.1/data_stream/log/elasticsearch/ingest_pipeline/event.yml +++ /dev/null 
@@ -1,267 +0,0 @@ ---- -description: Pipeline for parsing fortinet firewall logs (event pipeline) -processors: - - set: - field: event.kind - value: event - - set: - field: event.outcome - value: failure - if: "ctx.fortinet?.firewall?.result == 'ERROR' || ctx.fortinet?.firewall?.status == 'negotiate_error'" - - set: - field: event.outcome - value: success - if: "ctx.fortinet?.firewall?.result == 'OK' || ['FSSO-logon', 'auth-logon', 'FSSO-logoff', 'auth-logout'].contains(ctx.fortinet?.firewall?.action)" - - append: - field: event.type - value: - - user - - start - if: "['FSSO-logon', 'auth-logon'].contains(ctx.fortinet?.firewall?.action)" - - append: - field: event.type - value: - - user - - end - if: "['FSSO-logoff', 'auth-logout'].contains(ctx.fortinet?.firewall?.action)" - - append: - field: event.type - value: connection - if: "ctx.fortinet?.firewall?.subtype == 'vpn'" - - append: - field: event.category - value: network - if: "ctx.fortinet?.firewall?.subtype == 'vpn'" - - append: - field: event.type - value: info - if: "ctx.fortinet?.firewall?.action == 'perf-stats'" - - append: - field: event.category - value: host - if: "ctx.fortinet?.firewall?.action == 'perf-stats'" - - append: - field: event.type - value: info - if: "ctx.fortinet?.firewall?.subtype == 'update'" - - append: - field: event.category - value: - - host - - malware - if: "ctx.fortinet?.firewall?.subtype == 'update'" - - append: - field: event.category - value: authentication - if: "ctx.fortinet?.firewall?.subtype == 'user'" - - rename: - field: fortinet.firewall.dstip - target_field: destination.ip - ignore_missing: true - - rename: - field: fortinet.firewall.remip - target_field: destination.ip - ignore_missing: true - if: "ctx.destination?.ip == null" - - convert: - field: fortinet.firewall.dstport - target_field: destination.port - type: long - ignore_failure: true - ignore_missing: true - - convert: - field: fortinet.firewall.remport - target_field: destination.port - type: long - 
ignore_failure: true - ignore_missing: true - if: "ctx.destination?.port == null" - - convert: - field: fortinet.firewall.rcvdbyte - target_field: destination.bytes - type: long - ignore_failure: true - ignore_missing: true - - rename: - field: fortinet.firewall.daddr - target_field: destination.address - ignore_missing: true - - rename: - field: fortinet.firewall.dst_host - target_field: destination.address - ignore_missing: true - if: "ctx.destination?.address == null" - - rename: - field: fortinet.firewall.dst_host - target_field: destination.domain - ignore_missing: true - if: "ctx.destination?.address == null" - - rename: - field: fortinet.firewall.group - target_field: source.user.group.name - ignore_missing: true - - convert: - field: fortinet.firewall.sentbyte - target_field: source.bytes - type: long - ignore_failure: true - ignore_missing: true - - rename: - field: fortinet.firewall.srcip - target_field: source.ip - ignore_missing: true - - rename: - field: fortinet.firewall.locip - target_field: source.ip - ignore_missing: true - if: "ctx.source?.ip == null" - - rename: - field: fortinet.firewall.srcmac - target_field: source.mac - ignore_missing: true - - rename: - field: fortinet.firewall.source_mac - target_field: source.mac - ignore_missing: true - if: "ctx.source?.mac == null" - - convert: - field: fortinet.firewall.srcport - target_field: source.port - type: long - ignore_failure: true - ignore_missing: true - - convert: - field: fortinet.firewall.locport - target_field: source.port - type: long - ignore_failure: true - ignore_missing: true - if: "ctx.source?.port == null" - - rename: - field: fortinet.firewall.user - target_field: source.user.name - ignore_missing: true - - rename: - field: fortinet.firewall.saddr - target_field: source.address - ignore_missing: true - - rename: - field: fortinet.firewall.agent - target_field: user_agent.original - ignore_missing: true - - rename: - field: fortinet.firewall.file - target_field: file.name - 
ignore_missing: true - - convert: - field: fortinet.firewall.filesize - target_field: file.size - type: long - ignore_failure: true - ignore_missing: true - - rename: - field: fortinet.firewall.level - target_field: log.level - ignore_missing: true - - rename: - field: fortinet.firewall.logid - target_field: event.code - ignore_missing: true - if: "ctx.event?.code == null" - - rename: - field: fortinet.firewall.msg - target_field: message - ignore_missing: true - - rename: - field: fortinet.firewall.policyid - target_field: rule.id - ignore_missing: true - - rename: - field: fortinet.firewall.proto - target_field: network.iana_number - ignore_missing: true - - rename: - field: fortinet.firewall.dir - target_field: network.direction - ignore_missing: true - if: "ctx.network?.direction == null" - - rename: - field: fortinet.firewall.direction - target_field: network.direction - ignore_missing: true - if: "ctx.network?.direction == null" - # Normalize the network direction - - script: - lang: painless - ignore_failure: true - params: - outgoing: outbound - incoming: inbound - source: >- - if (ctx.network?.direction == null) { - return; - } - def k = ctx.network?.direction.toLowerCase(); - def normalized = params.get(k); - if (normalized != null) { - ctx.network.direction = normalized; - return - } - ctx.network.direction = k; - - rename: - field: fortinet.firewall.service - target_field: network.protocol - ignore_missing: true - - lowercase: - field: network.protocol - ignore_missing: true - - rename: - field: fortinet.firewall.error_num - target_field: error.code - ignore_missing: true - - rename: - field: fortinet.firewall.hostname - target_field: url.domain - ignore_missing: true - - rename: - field: fortinet.firewall.logdesc - target_field: rule.description - ignore_missing: true - - rename: - field: fortinet.firewall.addr - target_field: fortinet.firewall.addrgrp - if: ctx.rule?.description == 'Dynamic address updated' - ignore_missing: true - - rename: - field: 
fortinet.firewall.url - target_field: url.path - ignore_missing: true - - convert: - field: fortinet.firewall.sess_duration - type: long - target_field: event.duration - ignore_failure: true - ignore_missing: true - if: "ctx.event?.duration == null" - - convert: - field: fortinet.firewall.mem - type: integer - ignore_failure: true - ignore_missing: true - - remove: - field: - - fortinet.firewall.dstport - - fortinet.firewall.remport - - fortinet.firewall.rcvdbyte - - fortinet.firewall.sentbyte - - fortinet.firewall.srcport - - fortinet.firewall.locport - - fortinet.firewall.filesize - - fortinet.firewall.sess_duration - - fortinet.firewall.dir - - fortinet.firewall.direction - ignore_missing: true -on_failure: - - set: - field: error.message - value: "{{ _ingest.on_failure_message }}" diff --git a/packages/fortinet_fortigate/1.2.1/data_stream/log/elasticsearch/ingest_pipeline/traffic.yml b/packages/fortinet_fortigate/1.2.1/data_stream/log/elasticsearch/ingest_pipeline/traffic.yml deleted file mode 100755 index 90f65f53a0..0000000000 --- a/packages/fortinet_fortigate/1.2.1/data_stream/log/elasticsearch/ingest_pipeline/traffic.yml +++ /dev/null 
@@ -1,218 +0,0 @@ ---- -description: Pipeline for parsing fortinet firewall logs (traffic pipeline) -processors: -- set: - field: event.kind - value: event -- set: - field: event.action - value: "{{fortinet.firewall.action}}" - ignore_empty_value: true -- set: - field: event.outcome - value: success - if: "ctx.fortinet?.firewall?.action != null" -- append: - field: event.category - value: network -- append: - field: event.type - value: connection -- append: - field: event.type - value: start - if: "ctx.fortinet?.firewall?.action == 'start'" -- append: - field: event.type - value: end - if: "ctx.fortinet?.firewall?.action != null && ctx.fortinet?.firewall?.action !='start'" -- append: - field: event.type - value: protocol - if: "ctx.fortinet?.firewall?.app != null && ctx.fortinet?.firewall?.action != 'deny'" -- append: - field: event.type - value: allowed - if: "ctx.fortinet?.firewall?.utmaction == null && ctx.fortinet?.firewall?.action != 'deny'" -- append: - field: event.type - value: denied - if: "ctx.fortinet?.firewall?.utmaction == 'block'" -- rename: - field: fortinet.firewall.dstip - target_field: destination.ip - ignore_missing: true -- rename: - field: fortinet.firewall.tranip - target_field: destination.nat.ip - ignore_missing: true -- convert: - field: fortinet.firewall.dstport - target_field: destination.port - type: long - ignore_failure: true - ignore_missing: true -- convert: - field: fortinet.firewall.tranport - target_field: destination.nat.port - type: long - ignore_failure: true - ignore_missing: true -- convert: - field: fortinet.firewall.rcvdbyte - target_field: destination.bytes - type: long - ignore_failure: true - ignore_missing: true -- convert: - field: fortinet.firewall.rcvdpkt - target_field: destination.packets - type: long - ignore_failure: true - ignore_missing: true -- append: - field: email.to.address - value: "{{fortinet.firewall.dstcollectedemail}}" - if: "ctx?.fortinet?.firewall?.dstcollectedemail != null" -- rename: - field: 
fortinet.firewall.dstname - target_field: destination.address - ignore_missing: true -- rename: - field: fortinet.firewall.dstunauthuser - target_field: destination.user.name - ignore_missing: true -- rename: - field: fortinet.firewall.group - target_field: source.user.group.name - ignore_missing: true -- convert: - field: fortinet.firewall.sentbyte - target_field: source.bytes - type: long - ignore_failure: true - ignore_missing: true -- rename: - field: fortinet.firewall.srcdomain - target_field: source.domain - ignore_missing: true -- rename: - field: fortinet.firewall.srcip - target_field: source.ip - ignore_missing: true -- rename: - field: fortinet.firewall.srcmac - target_field: source.mac - ignore_missing: true -- convert: - field: fortinet.firewall.srcport - target_field: source.port - type: long - ignore_failure: true - ignore_missing: true -- rename: - field: fortinet.firewall.unauthuser - target_field: source.user.name - ignore_missing: true -- rename: - field: fortinet.firewall.user - target_field: source.user.name - ignore_missing: true - if: "ctx.source?.user?.name == null" -- append: - field: email.from.address - value: "{{fortinet.firewall.collectedemail}}" - if: "ctx?.fortinet?.firewall?.collectedemail != null" -- convert: - field: fortinet.firewall.sentpkt - target_field: source.packets - type: long - ignore_failure: true - ignore_missing: true -- rename: - field: fortinet.firewall.transip - target_field: source.nat.ip - ignore_missing: true -- convert: - field: fortinet.firewall.transport - target_field: source.nat.port - type: long - ignore_failure: true - ignore_missing: true -- rename: - field: fortinet.firewall.app - target_field: network.application - ignore_missing: true -- rename: - field: fortinet.firewall.filename - target_field: file.name - ignore_missing: true -- rename: - field: fortinet.firewall.logid - target_field: event.code - ignore_missing: true - if: "ctx.event?.code == null" -- rename: - field: fortinet.firewall.msg - 
target_field: message - ignore_missing: true -- rename: - field: fortinet.firewall.comment - target_field: rule.description - ignore_missing: true -- rename: - field: fortinet.firewall.policyid - target_field: rule.id - ignore_missing: true - if: "ctx.rule?.id == null" -- rename: - field: fortinet.firewall.poluuid - target_field: rule.uuid - ignore_missing: true -- rename: - field: fortinet.firewall.policytype - target_field: rule.ruleset - ignore_missing: true -- rename: - field: fortinet.firewall.policyname - target_field: rule.name - ignore_missing: true -- rename: - field: fortinet.firewall.appcat - target_field: rule.category - ignore_missing: true -- gsub: - field: rule.category - pattern: "\\." - replacement: "-" - ignore_missing: true -- rename: - field: fortinet.firewall.proto - target_field: network.iana_number - ignore_missing: true -- rename: - field: fortinet.firewall.service - target_field: network.protocol - ignore_missing: true -- lowercase: - field: network.protocol - ignore_missing: true -- rename: - field: fortinet.firewall.url - target_field: url.path - ignore_missing: true -- remove: - field: - - fortinet.firewall.dstport - - fortinet.firewall.tranport - - fortinet.firewall.rcvdbyte - - fortinet.firewall.rcvdpkt - - fortinet.firewall.sentbyte - - fortinet.firewall.srcport - - fortinet.firewall.sentpkt - - fortinet.firewall.transport - ignore_missing: true -on_failure: -- set: - field: error.message - value: '{{ _ingest.on_failure_message }}' diff --git a/packages/fortinet_fortigate/1.2.1/data_stream/log/elasticsearch/ingest_pipeline/utm.yml b/packages/fortinet_fortigate/1.2.1/data_stream/log/elasticsearch/ingest_pipeline/utm.yml deleted file mode 100755 index d286bdfdfe..0000000000 --- a/packages/fortinet_fortigate/1.2.1/data_stream/log/elasticsearch/ingest_pipeline/utm.yml +++ /dev/null 
@@ -1,376 +0,0 @@ ---- -description: Pipeline for parsing fortinet firewall logs (utm pipeline) -processors: - - set: - field: event.kind - value: event - - append: - field: event.type - value: denied - if: "['block', 'blocked'].contains(ctx.fortinet?.firewall?.action)" - - append: - field: event.type - value: info - if: "ctx.fortinet?.firewall?.subtype == 'dns'" - - append: - field: event.type - value: allowed - if: "['pass', 'passthrough'].contains(ctx.fortinet?.firewall?.action)" - - set: - field: event.outcome - value: success - if: "ctx.fortinet?.firewall?.action != null" - - append: - field: event.category - value: network - - rename: - field: fortinet.firewall.dstip - target_field: destination.ip - ignore_missing: true - - rename: - field: fortinet.firewall.remip - target_field: destination.ip - ignore_missing: true - if: "ctx.destination?.ip == null" - - convert: - field: fortinet.firewall.dst_port - target_field: destination.port - type: long - ignore_failure: true - ignore_missing: true - - convert: - field: fortinet.firewall.remport - target_field: destination.port - type: long - ignore_failure: true - ignore_missing: true - if: "ctx.destination?.port == null" - - convert: - field: fortinet.firewall.dstport - target_field: destination.port - type: long - ignore_failure: true - ignore_missing: true - if: "ctx.destination?.port == null" - - convert: - field: fortinet.firewall.rcvdbyte - target_field: destination.bytes - type: long - ignore_failure: true - ignore_missing: true - - rename: - field: fortinet.firewall.recipient - target_field: email.to.address - ignore_missing: true - - append: - field: email.to.address - value: "{{fortinet.firewall.recipient}}" - if: "ctx?.fortinet?.firewall?.recipient != null" - - rename: - field: fortinet.firewall.group - target_field: source.user.group.name - ignore_missing: true - - rename: - field: fortinet.firewall.locip - target_field: source.ip - ignore_missing: true - - convert: - field: fortinet.firewall.locport - 
target_field: source.port - type: long - ignore_failure: true - ignore_missing: true - - convert: - field: fortinet.firewall.src_port - target_field: source.port - type: long - ignore_failure: true - ignore_missing: true - if: "ctx.source?.port == null" - - convert: - field: fortinet.firewall.srcport - target_field: source.port - type: long - ignore_failure: true - ignore_missing: true - if: "ctx.source?.port == null" - - convert: - field: fortinet.firewall.sentbyte - target_field: source.bytes - type: long - ignore_failure: true - ignore_missing: true - - rename: - field: fortinet.firewall.srcdomain - target_field: source.domain - ignore_missing: true - - rename: - field: fortinet.firewall.srcip - target_field: source.ip - ignore_missing: true - if: "ctx.source?.ip == null" - - rename: - field: fortinet.firewall.srcmac - target_field: source.mac - ignore_missing: true - - rename: - field: fortinet.firewall.unauthuser - target_field: source.user.name - ignore_missing: true - - rename: - field: fortinet.firewall.user - target_field: source.user.name - ignore_missing: true - if: "ctx.source?.user?.name == null" - - append: - field: email.sender.address - value: "{{fortinet.firewall.sender}}" - if: "ctx?.fortinet?.firewall?.sender != null" - - append: - field: email.from.address - value: "{{fortinet.firewall.from}}" - if: "ctx?.fortinet?.firewall?.from != null" - - rename: - field: fortinet.firewall.agent - target_field: user_agent.original - ignore_missing: true - - rename: - field: fortinet.firewall.app - target_field: network.application - ignore_missing: true - - rename: - field: fortinet.firewall.appcat - target_field: rule.category - ignore_missing: true - - rename: - field: fortinet.firewall.applist - target_field: rule.ruleset - ignore_missing: true - - rename: - field: fortinet.firewall.catdesc - target_field: rule.category - ignore_missing: true - if: "ctx.rule?.category == null" - - gsub: - field: rule.category - pattern: "\\." 
- replacement: "-" - ignore_missing: true - if: "ctx.rule?.category != null" - - rename: - field: fortinet.firewall.dir - target_field: network.direction - ignore_missing: true - if: "ctx.network?.direction == null" - - rename: - field: fortinet.firewall.direction - target_field: network.direction - ignore_missing: true - if: "ctx.network?.direction == null" - # Normalize the network direction - - script: - lang: painless - ignore_failure: true - params: - outgoing: outbound - incoming: inbound - source: >- - if (ctx.network?.direction == null) { - return; - } - def k = ctx.network?.direction.toLowerCase(); - def normalized = params.get(k); - if (normalized != null) { - ctx.network.direction = normalized; - return - } - ctx.network.direction = k; - - rename: - field: fortinet.firewall.error - target_field: event.message - ignore_missing: true - - rename: - field: fortinet.firewall.errorcode - target_field: event.code - ignore_missing: true - - rename: - field: fortinet.firewall.event_id - target_field: event.id - ignore_missing: true - - rename: - field: fortinet.firewall.eventid - target_field: event.id - ignore_missing: true - if: "ctx.event?.id == null" - - rename: - field: fortinet.firewall.eventtype - target_field: event.action - ignore_missing: true - - rename: - field: fortinet.firewall.filename - target_field: file.name - ignore_missing: true - - convert: - field: fortinet.firewall.filesize - target_field: file.size - type: long - ignore_failure: true - ignore_missing: true - - rename: - field: fortinet.firewall.filetype - target_field: file.extension - ignore_missing: true - - rename: - field: fortinet.firewall.infectedfilename - target_field: file.name - ignore_missing: true - if: "ctx.file?.name == null" - - rename: - field: fortinet.firewall.infectedfilesize - target_field: file.size - ignore_missing: true - if: "ctx.file?.size == null" - - rename: - field: fortinet.firewall.infectedfiletype - target_field: file.extension - ignore_missing: true - if: 
"ctx.file?.extension == null" - - rename: - field: fortinet.firewall.matchedfilename - target_field: file.name - ignore_missing: true - if: "ctx.file?.name == null" - - rename: - field: fortinet.firewall.matchedfiletype - target_field: file.extension - ignore_missing: true - if: "ctx.file?.extension == null" - - rename: - field: fortinet.firewall.hostname - target_field: url.domain - ignore_missing: true - - rename: - field: fortinet.firewall.ipaddr - target_field: dns.resolved_ip - ignore_missing: true - - split: - field: dns.resolved_ip - separator: ", " - ignore_missing: true - - rename: - field: fortinet.firewall.level - target_field: log.level - ignore_missing: true - - rename: - field: fortinet.firewall.logid - target_field: event.code - ignore_missing: true - if: "ctx.event?.code == null" - - rename: - field: fortinet.firewall.msg - target_field: message - ignore_missing: true - - rename: - field: fortinet.firewall.policy_id - target_field: rule.id - ignore_missing: true - if: "ctx.rule?.id == null" - - rename: - field: fortinet.firewall.policyid - target_field: rule.id - ignore_missing: true - if: "ctx.rule?.id == null" - - rename: - field: fortinet.firewall.profile - target_field: rule.ruleset - ignore_missing: true - if: "ctx.rule?.ruleset == null" - - rename: - field: fortinet.firewall.proto - target_field: network.iana_number - ignore_missing: true - - rename: - field: fortinet.firewall.qclass - target_field: dns.question.class - ignore_missing: true - - rename: - field: fortinet.firewall.qname - target_field: dns.question.name - ignore_missing: true - - rename: - field: fortinet.firewall.qtype - target_field: dns.question.type - ignore_missing: true - - rename: - field: fortinet.firewall.service - target_field: network.protocol - ignore_missing: true - - lowercase: - field: network.protocol - ignore_missing: true - - rename: - field: fortinet.firewall.url - target_field: url.path - ignore_missing: true - - rename: - field: fortinet.firewall.xid - 
target_field: dns.id - ignore_missing: true - - rename: - field: fortinet.firewall.scertcname - target_field: tls.server.x509.subject.common_name - ignore_missing: true - - rename: - field: fortinet.firewall.scertissuer - target_field: tls.server.issuer - ignore_missing: true - - set: - field: tls.server.x509.issuer.common_name - value: "{{tls.server.issuer}}" - ignore_empty_value: true - - rename: - field: fortinet.firewall.ccertissuer - target_field: tls.client.issuer - ignore_missing: true - - set: - field: tls.client.x509.issuer.common_name - value: "{{tls.client.issuer}}" - ignore_empty_value: true - - rename: - field: fortinet.firewall.sender - target_field: tls.server.issuer - ignore_missing: true - - rename: - field: fortinet.firewall.dtype - target_field: vulnerability.category - ignore_missing: true - - rename: - field: fortinet.firewall.ref - target_field: event.reference - ignore_missing: true - - rename: - field: fortinet.firewall.filehash - target_field: fortinet.file.hash.crc32 - ignore_missing: true - - append: - field: related.hash - value: "{{fortinet.file.hash.crc32}}" - if: "ctx.fortinet?.file?.hash?.crc32 != null" - - remove: - field: - - fortinet.firewall.dst_port - - fortinet.firewall.remport - - fortinet.firewall.dstport - - fortinet.firewall.rcvdbyte - - fortinet.firewall.locport - - fortinet.firewall.src_port - - fortinet.firewall.srcport - - fortinet.firewall.sentbyte - - fortinet.firewall.filesize - - fortinet.firewall.dir - - fortinet.firewall.direction - ignore_missing: true -on_failure: - - set: - field: error.message - value: "{{ _ingest.on_failure_message }}" diff --git a/packages/fortinet_fortigate/1.2.1/data_stream/log/fields/agent.yml b/packages/fortinet_fortigate/1.2.1/data_stream/log/fields/agent.yml deleted file mode 100755 index f6127c3e22..0000000000 --- a/packages/fortinet_fortigate/1.2.1/data_stream/log/fields/agent.yml +++ /dev/null 
@@ -1,183 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: "Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on." - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: "The cloud account or organization id used to identify different entities in a multi-tenant environment.\nExamples: AWS account id, Google Cloud ORG Id, or other unique identifier." - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: "Container fields are used for meta information about the specific container that is the source of information.\nThese fields help correlate data based containers from any runtime." - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: "A host is defined as a general computing instance.\nECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes." - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: "Name of the domain of which the host is a member.\nFor example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider." - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: "Hostname of the host.\nIt normally contains what the `hostname` command returns on the host machine." - - name: id - level: core - type: keyword - ignore_above: 1024 - description: "Unique host id.\nAs hostname is not always unique, use values that are meaningful in your environment.\nExample: The current usage of `beat.name`." 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: "Name of the host.\nIt can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use." - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: "Type of host.\nFor Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment." - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - -- name: log.source.address - type: keyword - description: Source address from which the log event was read / sent from. 
diff --git a/packages/fortinet_fortigate/1.2.1/data_stream/log/fields/base-fields.yml b/packages/fortinet_fortigate/1.2.1/data_stream/log/fields/base-fields.yml
deleted file mode 100755
index c5f407f099..0000000000
--- a/packages/fortinet_fortigate/1.2.1/data_stream/log/fields/base-fields.yml
+++ /dev/null
@@ -1,20 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: event.module
- type: constant_keyword
- description: Event module
- value: fortinet
-- name: event.dataset
- type: constant_keyword
- description: Event dataset
- value: fortinet_fortigate.log
-- name: '@timestamp'
- type: date
- description: Event timestamp.
diff --git a/packages/fortinet_fortigate/1.2.1/data_stream/log/fields/beats.yml b/packages/fortinet_fortigate/1.2.1/data_stream/log/fields/beats.yml
deleted file mode 100755
index 05a6db4740..0000000000
--- a/packages/fortinet_fortigate/1.2.1/data_stream/log/fields/beats.yml
+++ /dev/null
@@ -1,15 +0,0 @@
-- description: Type of Filebeat input.
- name: input.type
- type: keyword
-- description: Flags for the log file.
- name: log.flags
- type: keyword
-- description: Offset of the entry in the log file.
- name: log.offset
- type: long
-- description: Path to the log file.
- name: log.file.path
- type: keyword
-- description: Log message optimized for viewing in a log viewer.
- name: event.message
- type: text
diff --git a/packages/fortinet_fortigate/1.2.1/data_stream/log/fields/ecs.yml b/packages/fortinet_fortigate/1.2.1/data_stream/log/fields/ecs.yml
deleted file mode 100755
index f36917b4ae..0000000000
--- a/packages/fortinet_fortigate/1.2.1/data_stream/log/fields/ecs.yml
+++ /dev/null
@@ -1,487 +0,0 @@ -- description: Unique container id. - name: container.id - type: keyword -- description: |- - Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: destination.address - type: keyword -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: destination.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: destination.as.organization.name - type: keyword -- description: Bytes sent from the destination to the source. - name: destination.bytes - type: long -- description: |- - The domain name of the destination system. - This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. - name: destination.domain - type: keyword -- description: City name. - name: destination.geo.city_name - type: keyword -- description: Name of the continent. - name: destination.geo.continent_name - type: keyword -- description: Country ISO code. - name: destination.geo.country_iso_code - type: keyword -- description: Country name. - name: destination.geo.country_name - type: keyword -- description: Longitude and latitude. - name: destination.geo.location - type: geo_point -- description: |- - User-defined description of a location, at the level of granularity they care about. - Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. - Not typically used in automated geolocation. - name: destination.geo.name - type: keyword -- description: Region ISO code. 
- name: destination.geo.region_iso_code - type: keyword -- description: Region name. - name: destination.geo.region_name - type: keyword -- description: IP address of the destination (IPv4 or IPv6). - name: destination.ip - type: ip -- description: |- - Translated ip of destination based NAT sessions (e.g. internet to private DMZ) - Typically used with load balancers, firewalls, or routers. - name: destination.nat.ip - type: ip -- description: |- - Port the source session is translated to by NAT Device. - Typically used with load balancers, firewalls, or routers. - name: destination.nat.port - type: long -- description: Packets sent from the destination to the source. - name: destination.packets - type: long -- description: Port of the destination. - name: destination.port - type: long -- description: User email address. - name: destination.user.email - type: keyword -- description: Short name or login of the user. - multi_fields: - - name: text - type: match_only_text - name: destination.user.name - type: keyword -- description: The DNS packet identifier assigned by the program that generated the query. The identifier is copied to the response. - name: dns.id - type: keyword -- description: The class of records being queried. - name: dns.question.class - type: keyword -- description: |- - The name being queried. - If the name field contains non-printable characters (below 32 or above 126), those characters should be represented as escaped base 10 integers (\DDD). Back slashes and quotes should be escaped. Tabs, carriage returns, and line feeds should be converted to \t, \r, and \n respectively. - name: dns.question.name - type: keyword -- description: The type of record being queried. - name: dns.question.type - type: keyword -- description: |- - Array containing all IPs seen in `answers.data`. - The `answers` array can be difficult to use, because of the variety of data formats it can contain. 
Extracting all IP addresses seen in there to `dns.resolved_ip` makes it possible to index them as IP addresses, and makes them easier to visualize and query for. - name: dns.resolved_ip - normalize: - - array - type: ip -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: The email address of CC recipient - name: email.cc.address - normalize: - - array - type: keyword -- description: The email address of the sender, typically from the RFC 5322 `From:` header field. - name: email.from.address - normalize: - - array - type: keyword -- description: Per RFC 5322, specifies the address responsible for the actual transmission of the message. - name: email.sender.address - type: keyword -- description: The email address of recipient - name: email.to.address - normalize: - - array - type: keyword -- description: A brief summary of the topic of the message. - multi_fields: - - name: text - type: match_only_text - name: email.subject - type: keyword -- description: Error code describing the error. - name: error.code - type: keyword -- description: Error message. - name: error.message - type: match_only_text -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. This will allow proper categorization of some events that fall in multiple categories. 
- name: event.category - normalize: - - array - type: keyword -- description: |- - Identification code for this event, if one exists. - Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. - name: event.code - type: keyword -- description: |- - Name of the dataset. - If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. - It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. - name: event.dataset - type: keyword -- description: |- - Duration of the event in nanoseconds. - If event.start and event.end are known this value should be the difference between the end and start time. - name: event.duration - type: long -- description: |- - Timestamp when an event arrived in the central data store. - This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. - In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. - name: event.ingested - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. 
- name: event.kind - type: keyword -- description: |- - Name of the module this data is coming from. - If your monitoring agent supports the concept of modules or plugins to process events of a given source (e.g. Apache logs), `event.module` should contain the name of this module. - name: event.module - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. - `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. - Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. - Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. - Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. - name: event.outcome - type: keyword -- description: |- - Reference URL linking to additional information about this event. - This URL links to a static definition of this event. Alert events, indicated by `event.kind:alert`, are a common use case for this field. - name: event.reference - type: keyword -- description: event.start contains the date when the event started or when the activity was first observed. - name: event.start - type: date -- description: |- - This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. - Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. 
"EST") or an HH:mm differential (e.g. "-05:00"). - name: event.timezone - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. - `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. This will allow proper categorization of some events that fall in multiple event types. - name: event.type - normalize: - - array - type: keyword -- description: |- - File extension, excluding the leading dot. - Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). - name: file.extension - type: keyword -- description: Name of the file including the extension, without the directory. - name: file.name - type: keyword -- description: |- - File size in bytes. - Only relevant when `file.type` is "file". - name: file.size - type: long -- description: |- - Original log level of the log event. - If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). - Some examples are `warn`, `err`, `i`, `informational`. - name: log.level - type: keyword -- description: |- - The Syslog numeric facility of the log event, if available. - According to RFCs 5424 and 3164, this value should be an integer between 0 and 23. - name: log.syslog.facility.code - type: long -- description: |- - Syslog numeric priority of the event, if available. - According to RFCs 5424 and 3164, the priority is 8 * facility + severity. This number is therefore expected to contain a value between 0 and 191. - name: log.syslog.priority - type: long -- description: |- - The Syslog numeric severity of the log event, if available. 
- If the event source publishing via Syslog provides a different numeric severity value (e.g. firewall, IDS), your source's numeric severity should go to `event.severity`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `event.severity`. - name: log.syslog.severity.code - type: long -- description: |- - For log events the message field contains the log message, optimized for viewing in a log viewer. - For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. - If multiple messages exist, they can be combined into one message. - name: message - type: match_only_text -- description: |- - When a specific application or service is identified from network connection details (source/dest IPs, ports, certificates, or wire format), this field captures the application's or service's name. - For example, the original event identifies the network connection being from a specific web service in a `https` network connection, like `facebook` or `twitter`. - The field value must be normalized to lowercase for querying. - name: network.application - type: keyword -- description: |- - Total bytes transferred in both directions. - If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. - name: network.bytes - type: long -- description: |- - Direction of the network traffic. - Recommended values are: - * ingress - * egress - * inbound - * outbound - * internal - * external - * unknown - - When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". - When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". 
- Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. - name: network.direction - type: keyword -- description: IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. - name: network.iana_number - type: keyword -- description: |- - Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) - The field value must be normalized to lowercase for querying. - name: network.transport - type: keyword -- description: |- - Total packets transferred in both directions. - If `source.packets` and `destination.packets` are known, `network.packets` is their sum. - name: network.packets - type: long -- description: |- - In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. - The field value must be normalized to lowercase for querying. - name: network.protocol - type: keyword -- description: Interface name as reported by the system. - name: observer.egress.interface.name - type: keyword -- description: Interface name as reported by the system. - name: observer.ingress.interface.name - type: keyword -- description: |- - Custom name of the observer. - This is a name that can be given to an observer. This can be helpful for example if multiple firewalls of the same model are used in an organization. - If no custom name is needed, the field can be left empty. - name: observer.name - type: keyword -- description: The product name of the observer. - name: observer.product - type: keyword -- description: Observer serial number. 
- name: observer.serial_number - type: keyword -- description: |- - The type of the observer the data is coming from. - There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. - name: observer.type - type: keyword -- description: Vendor name of the observer. - name: observer.vendor - type: keyword -- description: All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). - name: related.hash - normalize: - - array - type: keyword -- description: All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. - name: related.hosts - normalize: - - array - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - normalize: - - array - type: ip -- description: All the user names or other user identifiers seen on the event. - name: related.user - normalize: - - array - type: keyword -- description: A categorization value keyword used by the entity using the rule for detection of this event. - name: rule.category - type: keyword -- description: The description of the rule generating the event. - name: rule.description - type: keyword -- description: A rule ID that is unique within the scope of an agent, observer, or other entity using the rule for detection of this event. - name: rule.id - type: keyword -- description: The name of the rule or signature generating the event. - name: rule.name - type: keyword -- description: Name of the ruleset, policy, group, or parent category in which the rule used to generate this event is a member. - name: rule.ruleset - type: keyword -- description: A rule ID that is unique within the scope of a set or group of agents, observers, or other entities using the rule for detection of this event. 
- name: rule.uuid - type: keyword -- description: |- - Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: source.address - type: keyword -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: source.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: source.as.organization.name - type: keyword -- description: Bytes sent from the source to the destination. - name: source.bytes - type: long -- description: City name. - name: source.geo.city_name - type: keyword -- description: Name of the continent. - name: source.geo.continent_name - type: keyword -- description: Country ISO code. - name: source.geo.country_iso_code - type: keyword -- description: Country name. - name: source.geo.country_name - type: keyword -- description: Longitude and latitude. - name: source.geo.location - type: geo_point -- description: |- - User-defined description of a location, at the level of granularity they care about. - Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. - Not typically used in automated geolocation. - name: source.geo.name - type: keyword -- description: Region ISO code. - name: source.geo.region_iso_code - type: keyword -- description: Region name. - name: source.geo.region_name - type: keyword -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: |- - MAC address of the source. - The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. 
Successive octets are separated by a hyphen. - name: source.mac - pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ - type: keyword -- description: |- - Translated ip of source based NAT sessions (e.g. internal client to internet) - Typically connections traversing load balancers, firewalls, or routers. - name: source.nat.ip - type: ip -- description: |- - Translated port of source based NAT sessions. (e.g. internal client to internet) - Typically used with load balancers, firewalls, or routers. - name: source.nat.port - type: long -- description: Packets sent from the source to the destination. - name: source.packets - type: long -- description: Port of the source. - name: source.port - type: long -- description: User email address. - name: source.user.email - type: keyword -- description: Name of the group. - name: source.user.group.name - type: keyword -- description: Short name or login of the user. - multi_fields: - - name: text - type: match_only_text - name: source.user.name - type: keyword -- description: List of keywords used to tag each event. - name: tags - normalize: - - array - type: keyword -- description: Distinguished name of subject of the issuer of the x.509 certificate presented by the client. - name: tls.client.issuer - type: keyword -- description: Also called an SNI, this tells the server which hostname to which the client is attempting to connect to. When this value is available, it should get copied to `destination.domain`. - name: tls.client.server_name - type: keyword -- description: List of common name (CN) of issuing certificate authority. - name: tls.client.x509.issuer.common_name - normalize: - - array - type: keyword -- description: Subject of the issuer of the x.509 certificate presented by the server. - name: tls.server.issuer - type: keyword -- description: List of common name (CN) of issuing certificate authority. 
- name: tls.server.x509.issuer.common_name - normalize: - - array - type: keyword -- description: List of common names (CN) of subject. - name: tls.server.x509.subject.common_name - normalize: - - array - type: keyword -- description: |- - Domain of the url, such as "www.elastic.co". - In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. - If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. - name: url.domain - type: keyword -- description: Path of the request, such as "/search". - name: url.path - type: wildcard -- description: Unparsed user_agent string. - multi_fields: - - name: text - type: match_only_text - name: user_agent.original - type: keyword -- description: |- - The type of system or architecture that the vulnerability affects. These may be platform-specific (for example, Debian or SUSE) or general (for example, Database or Firewall). For example (https://qualysguard.qualys.com/qwebhelp/fo_portal/knowledgebase/vulnerability_categories.htm[Qualys vulnerability categories]) - This field must be an array. - name: vulnerability.category - normalize: - - array - type: keyword diff --git a/packages/fortinet_fortigate/1.2.1/data_stream/log/fields/fields.yml b/packages/fortinet_fortigate/1.2.1/data_stream/log/fields/fields.yml deleted file mode 100755 index d7fa9c281c..0000000000 --- a/packages/fortinet_fortigate/1.2.1/data_stream/log/fields/fields.yml +++ /dev/null 
@@ -1,1727 +0,0 @@ -- name: fortinet - type: group - fields: - - name: file.hash.crc32 - type: keyword - description: | - CRC32 Hash of file - - name: firewall - type: group - release: beta - fields: - - name: acct_stat - type: keyword - description: | - Accounting state (RADIUS) - - name: acktime - type: keyword - description: | - Alarm Acknowledge Time - - name: act - type: keyword - description: | - Action - - name: action - type: keyword - description: | - Status of the session - - name: activity - type: keyword - description: | - HA activity message - - name: addr - type: ip - description: | - IP Address - - name: addr_type - type: keyword - description: | - Address Type - - name: addrgrp - type: keyword - description: | - Address Group - - name: adgroup - type: keyword - description: | - AD Group Name - - name: admin - type: keyword - description: | - Admin User - - name: age - type: integer - description: | - Time in seconds - time passed since last seen - - name: agent - type: keyword - description: | - User agent - eg. 
agent="Mozilla/5.0" - - name: alarmid - type: integer - description: | - Alarm ID - - name: alert - type: keyword - description: | - Alert - - name: analyticscksum - type: keyword - description: | - The checksum of the file submitted for analytics - - name: analyticssubmit - type: keyword - description: | - The flag for analytics submission - - name: ap - type: keyword - description: | - Access Point - - name: app-type - type: keyword - description: | - Address Type - - name: appact - type: keyword - description: | - The security action from app control - - name: appid - type: integer - description: | - Application ID - - name: applist - type: keyword - description: | - Application Control profile - - name: apprisk - type: keyword - description: | - Application Risk Level - - name: apscan - type: keyword - description: | - The name of the AP, which scanned and detected the rogue AP - - name: apsn - type: keyword - description: | - Access Point - - name: apstatus - type: keyword - description: | - Access Point status - - name: aptype - type: keyword - description: | - Access Point type - - name: assigned - type: ip - description: | - Assigned IP Address - - name: assignip - type: ip - description: | - Assigned IP Address - - name: attachment - type: keyword - description: | - The flag for email attachement - - name: attack - type: keyword - description: | - Attack Name - - name: attackcontext - type: keyword - description: | - The trigger patterns and the packetdata with base64 encoding - - name: attackcontextid - type: keyword - description: | - Attack context id / total - - name: attackid - type: integer - description: | - Attack ID - - name: auditid - type: long - description: | - Audit ID - - name: auditscore - type: keyword - description: | - The Audit Score - - name: audittime - type: long - description: | - The time of the audit - - name: authgrp - type: keyword - description: | - Authorization Group - - name: authid - type: keyword - description: | - 
Authentication ID - - name: authproto - type: keyword - description: | - The protocol that initiated the authentication - - name: authserver - type: keyword - description: | - Authentication server - - name: bandwidth - type: keyword - description: | - Bandwidth - - name: banned_rule - type: keyword - description: | - NAC quarantine Banned Rule Name - - name: banned_src - type: keyword - description: | - NAC quarantine Banned Source IP - - name: banword - type: keyword - description: | - Banned word - - name: botnetdomain - type: keyword - description: | - Botnet Domain Name - - name: botnetip - type: ip - description: | - Botnet IP Address - - name: bssid - type: keyword - description: | - Service Set ID - - name: call_id - type: keyword - description: | - Caller ID - - name: carrier_ep - type: keyword - description: | - The FortiOS Carrier end-point identification - - name: cat - type: integer - description: | - DNS category ID - - name: category - type: keyword - description: | - Authentication category - - name: cc - type: keyword - description: | - CC Email Address - - name: cdrcontent - type: keyword - description: | - Cdrcontent - - name: centralnatid - type: integer - description: | - Central NAT ID - - name: cert - type: keyword - description: | - Certificate - - name: cert-type - type: keyword - description: | - Certificate type - - name: certhash - type: keyword - description: | - Certificate hash - - name: cfgattr - type: keyword - description: | - Configuration attribute - - name: cfgobj - type: keyword - description: | - Configuration object - - name: cfgpath - type: keyword - description: | - Configuration path - - name: cfgtid - type: keyword - description: | - Configuration transaction ID - - name: cfgtxpower - type: integer - description: | - Configuration TX power - - name: channel - type: integer - description: | - Wireless Channel - - name: channeltype - type: keyword - description: | - SSH channel type - - name: chassisid - type: integer - 
description: | - Chassis ID - - name: checksum - type: keyword - description: | - The checksum of the scanned file - - name: chgheaders - type: keyword - description: | - HTTP Headers - - name: cldobjid - type: keyword - description: | - Connector object ID - - name: client_addr - type: keyword - description: | - Wifi client address - - name: cloudaction - type: keyword - description: | - Cloud Action - - name: clouduser - type: keyword - description: | - Cloud User - - name: column - type: integer - description: | - VOIP Column - - name: command - type: keyword - description: | - CLI Command - - name: community - type: keyword - description: | - SNMP Community - - name: configcountry - type: keyword - description: | - Configuration country - - name: connection_type - type: keyword - description: | - FortiClient Connection Type - - name: conserve - type: keyword - description: | - Flag for conserve mode - - name: constraint - type: keyword - description: | - WAF http protocol restrictions - - name: contentdisarmed - type: keyword - description: | - Email scanned content - - name: contenttype - type: keyword - description: | - Content Type from HTTP header - - name: cookies - type: keyword - description: | - VPN Cookie - - name: count - type: integer - description: | - Counts of action type - - name: countapp - type: integer - description: | - Number of App Ctrl logs associated with the session - - name: countav - type: integer - description: | - Number of AV logs associated with the session - - name: countcifs - type: integer - description: | - Number of CIFS logs associated with the session - - name: countdlp - type: integer - description: | - Number of DLP logs associated with the session - - name: countdns - type: integer - description: | - Number of DNS logs associated with the session - - name: countemail - type: integer - description: | - Number of email logs associated with the session - - name: countff - type: integer - description: | - Number of ff logs 
associated with the session - - name: countips - type: integer - description: | - Number of IPS logs associated with the session - - name: countssh - type: integer - description: | - Number of SSH logs associated with the session - - name: countssl - type: integer - description: | - Number of SSL logs associated with the session - - name: countwaf - type: integer - description: | - Number of WAF logs associated with the session - - name: countweb - type: integer - description: | - Number of Web filter logs associated with the session - - name: cpu - type: integer - description: | - CPU Usage - - name: craction - type: integer - description: | - Client Reputation Action - - name: criticalcount - type: integer - description: | - Number of critical ratings - - name: crl - type: keyword - description: | - Client Reputation Level - - name: crlevel - type: keyword - description: | - Client Reputation Level - - name: crscore - type: integer - description: | - Some description - - name: cveid - type: keyword - description: | - CVE ID - - name: daemon - type: keyword - description: | - Daemon name - - name: datarange - type: keyword - description: | - Data range for reports - - name: date - type: keyword - description: | - Date - - name: ddnsserver - type: ip - description: | - DDNS server - - name: desc - type: keyword - description: | - Description - - name: detectionmethod - type: keyword - description: | - Detection method - - name: devcategory - type: keyword - description: | - Device category - - name: devintfname - type: keyword - description: | - HA device Interface Name - - name: devtype - type: keyword - description: | - Device type - - name: dhcp_msg - type: keyword - description: | - DHCP Message - - name: dintf - type: keyword - description: | - Destination interface - - name: disk - type: keyword - description: | - Assosciated disk - - name: disklograte - type: long - description: | - Disk logging rate - - name: dlpextra - type: keyword - description: | - DLP 
extra information - - name: docsource - type: keyword - description: | - DLP fingerprint document source - - name: domainctrlauthstate - type: integer - description: | - CIFS domain auth state - - name: domainctrlauthtype - type: integer - description: | - CIFS domain auth type - - name: domainctrldomain - type: keyword - description: | - CIFS domain auth domain - - name: domainctrlip - type: ip - description: | - CIFS Domain IP - - name: domainctrlname - type: keyword - description: | - CIFS Domain name - - name: domainctrlprotocoltype - type: integer - description: | - CIFS Domain connection protocol - - name: domainctrlusername - type: keyword - description: | - CIFS Domain username - - name: domainfilteridx - type: integer - description: | - Domain filter ID - - name: domainfilterlist - type: keyword - description: | - Domain filter name - - name: ds - type: keyword - description: | - Direction with distribution system - - name: dst_int - type: keyword - description: | - Destination interface - - name: dstintfrole - type: keyword - description: | - Destination interface role - - name: dstcountry - type: keyword - description: | - Destination country - - name: dstdevcategory - type: keyword - description: | - Destination device category - - name: dstdevtype - type: keyword - description: | - Destination device type - - name: dstfamily - type: keyword - description: | - Destination OS family - - name: dsthwvendor - type: keyword - description: | - Destination HW vendor - - name: dsthwversion - type: keyword - description: | - Destination HW version - - name: dstinetsvc - type: keyword - description: | - Destination interface service - - name: dstosname - type: keyword - description: | - Destination OS name - - name: dstosversion - type: keyword - description: | - Destination OS version - - name: dstserver - type: integer - description: | - Destination server - - name: dstssid - type: keyword - description: | - Destination SSID - - name: dstswversion - type: 
keyword - description: | - Destination software version - - name: dstunauthusersource - type: keyword - description: | - Destination unauthenticated source - - name: dstuuid - type: keyword - description: | - UUID of the Destination IP address - - name: duid - type: keyword - description: | - DHCP UID - - name: eapolcnt - type: integer - description: | - EAPOL packet count - - name: eapoltype - type: keyword - description: | - EAPOL packet type - - name: encrypt - type: integer - description: | - Whether the packet is encrypted or not - - name: encryption - type: keyword - description: | - Encryption method - - name: epoch - type: integer - description: | - Epoch used for locating file - - name: espauth - type: keyword - description: | - ESP Authentication - - name: esptransform - type: keyword - description: | - ESP Transform - - name: exch - type: keyword - description: | - Mail Exchanges from DNS response answer section - - name: exchange - type: keyword - description: | - Mail Exchanges from DNS response answer section - - name: expectedsignature - type: keyword - description: | - Expected SSL signature - - name: expiry - type: keyword - description: | - FortiGuard override expiry timestamp - - name: fams_pause - type: integer - description: | - Fortinet Analysis and Management Service Pause - - name: fazlograte - type: long - description: | - FortiAnalyzer Logging Rate - - name: fctemssn - type: keyword - description: | - FortiClient Endpoint SSN - - name: fctuid - type: keyword - description: | - FortiClient UID - - name: field - type: keyword - description: | - NTP status field - - name: filefilter - type: keyword - description: | - The filter used to identify the affected file - - name: filehashsrc - type: keyword - description: | - Filehash source - - name: filtercat - type: keyword - description: | - DLP filter category - - name: filteridx - type: integer - description: | - DLP filter ID - - name: filtername - type: keyword - description: | - DLP rule 
name - - name: filtertype - type: keyword - description: | - DLP filter type - - name: fortiguardresp - type: keyword - description: | - Antispam ESP value - - name: forwardedfor - type: keyword - description: | - Email address forwarded - - name: fqdn - type: keyword - description: | - FQDN - - name: frametype - type: keyword - description: | - Wireless frametype - - name: freediskstorage - type: integer - description: | - Free disk integer - - name: from - type: keyword - description: | - From email address - - name: from_vcluster - type: integer - description: | - Source virtual cluster number - - name: fsaverdict - type: keyword - description: | - FSA verdict - - name: fwserver_name - type: keyword - description: | - Web proxy server name - - name: gateway - type: ip - description: | - Gateway ip address for PPPoE status report - - name: green - type: keyword - description: | - Memory status - - name: groupid - type: integer - description: | - User Group ID - - name: ha-prio - type: integer - description: | - HA Priority - - name: ha_group - type: keyword - description: | - HA Group - - name: ha_role - type: keyword - description: | - HA Role - - name: handshake - type: keyword - description: | - SSL Handshake - - name: hash - type: keyword - description: | - Hash value of downloaded file - - name: hbdn_reason - type: keyword - description: | - Heartbeat down reason - - name: highcount - type: integer - description: | - Highcount fabric summary - - name: host - type: keyword - description: | - Hostname - - name: iaid - type: keyword - description: | - DHCPv6 id - - name: icmpcode - type: keyword - description: | - Destination Port of the ICMP message - - name: icmpid - type: keyword - description: | - Source port of the ICMP message - - name: icmptype - type: keyword - description: | - The type of ICMP message - - name: identifier - type: integer - description: | - Network traffic identifier - - name: in_spi - type: keyword - description: | - IPSEC inbound SPI 
- - name: incidentserialno - type: integer - description: | - Incident serial number - - name: infected - type: integer - description: | - Infected MMS - - name: infectedfilelevel - type: integer - description: | - DLP infected file level - - name: informationsource - type: keyword - description: | - Information source - - name: init - type: keyword - description: | - IPSEC init stage - - name: initiator - type: keyword - description: | - Original login user name for Fortiguard override - - name: interface - type: keyword - description: | - Related interface - - name: intf - type: keyword - description: | - Related interface - - name: invalidmac - type: keyword - description: | - The MAC address with invalid OUI - - name: ip - type: ip - description: | - Related IP - - name: iptype - type: keyword - description: | - Related IP type - - name: keyword - type: keyword - description: | - Keyword used for search - - name: kind - type: keyword - description: | - VOIP kind - - name: lanin - type: long - description: | - LAN incoming traffic in bytes - - name: lanout - type: long - description: | - LAN outbound traffic in bytes - - name: lease - type: integer - description: | - DHCP lease - - name: license_limit - type: keyword - description: | - Maximum Number of FortiClients for the License - - name: limit - type: integer - description: | - Virtual Domain Resource Limit - - name: line - type: keyword - description: | - VOIP line - - name: live - type: integer - description: | - Time in seconds - - name: local - type: ip - description: | - Local IP for a PPPD Connection - - name: log - type: keyword - description: | - Log message - - name: login - type: keyword - description: | - SSH login - - name: lowcount - type: integer - description: | - Fabric lowcount - - name: mac - type: keyword - description: | - DHCP mac address - - name: malform_data - type: integer - description: | - VOIP malformed data - - name: malform_desc - type: keyword - description: | - VOIP malformed 
data description - - name: manuf - type: keyword - description: | - Manufacturer name - - name: masterdstmac - type: keyword - description: | - Master mac address for a host with multiple network interfaces - - name: mastersrcmac - type: keyword - description: | - The master MAC address for a host that has multiple network interfaces - - name: mediumcount - type: integer - description: | - Fabric medium count - - name: mem - type: integer - description: | - Memory usage system statistics - - name: meshmode - type: keyword - description: | - Wireless mesh mode - - name: message_type - type: keyword - description: | - VOIP message type - - name: method - type: keyword - description: | - HTTP method - - name: mgmtcnt - type: integer - description: | - The number of unauthorized client flooding managemet frames - - name: mode - type: keyword - description: | - IPSEC mode - - name: module - type: keyword - description: | - PCI-DSS module - - name: monitor-name - type: keyword - description: | - Health Monitor Name - - name: monitor-type - type: keyword - description: | - Health Monitor Type - - name: mpsk - type: keyword - description: | - Wireless MPSK - - name: msgproto - type: keyword - description: | - Message Protocol Number - - name: mtu - type: integer - description: | - Max Transmission Unit Value - - name: name - type: keyword - description: | - Name - - name: nat - type: keyword - description: | - NAT IP Address - - name: netid - type: keyword - description: | - Connector NetID - - name: new_status - type: keyword - description: | - New status on user change - - name: new_value - type: keyword - description: | - New Virtual Domain Name - - name: newchannel - type: integer - description: | - New Channel Number - - name: newchassisid - type: integer - description: | - New Chassis ID - - name: newslot - type: integer - description: | - New Slot Number - - name: nextstat - type: integer - description: | - Time interval in seconds for the next statistics. 
- - name: nf_type - type: keyword - description: | - Notification Type - - name: noise - type: integer - description: | - Wifi Noise - - name: old_status - type: keyword - description: | - Original Status - - name: old_value - type: keyword - description: | - Original Virtual Domain name - - name: oldchannel - type: integer - description: | - Original channel - - name: oldchassisid - type: integer - description: | - Original Chassis Number - - name: oldslot - type: integer - description: | - Original Slot Number - - name: oldsn - type: keyword - description: | - Old Serial number - - name: oldwprof - type: keyword - description: | - Old Web Filter Profile - - name: onwire - type: keyword - description: | - A flag to indicate if the AP is onwire or not - - name: opercountry - type: keyword - description: | - Operating Country - - name: opertxpower - type: integer - description: | - Operating TX power - - name: osname - type: keyword - description: | - Operating System name - - name: osversion - type: keyword - description: | - Operating System version - - name: out_spi - type: keyword - description: | - Out SPI - - name: outintf - type: keyword - description: | - Out interface - - name: passedcount - type: integer - description: | - Fabric passed count - - name: passwd - type: keyword - description: | - Changed user password information - - name: path - type: keyword - description: | - Path of looped configuration for security fabric - - name: peer - type: keyword - description: | - WAN optimization peer - - name: peer_notif - type: keyword - description: | - VPN peer notification - - name: phase2_name - type: keyword - description: | - VPN phase2 name - - name: phone - type: keyword - description: | - VOIP Phone - - name: pid - type: integer - description: | - Process ID - - name: policytype - type: keyword - description: | - Policy Type - - name: poolname - type: keyword - description: | - IP Pool name - - name: port - type: integer - description: | - Log upload 
error port - - name: portbegin - type: integer - description: | - IP Pool port number to begin - - name: portend - type: integer - description: | - IP Pool port number to end - - name: probeproto - type: keyword - description: | - Link Monitor Probe Protocol - - name: process - type: keyword - description: | - URL Filter process - - name: processtime - type: integer - description: | - Process time for reports - - name: profile - type: keyword - description: | - Profile Name - - name: profile_vd - type: keyword - description: | - Virtual Domain Name - - name: profilegroup - type: keyword - description: | - Profile Group Name - - name: profiletype - type: keyword - description: | - Profile Type - - name: qtypeval - type: integer - description: | - DNS question type value - - name: quarskip - type: keyword - description: | - Quarantine skip explanation - - name: quotaexceeded - type: keyword - description: | - If quota has been exceeded - - name: quotamax - type: long - description: | - Maximum quota allowed - in seconds if time-based - in bytes if traffic-based - - name: quotatype - type: keyword - description: | - Quota type - - name: quotaused - type: long - description: | - Quota used - in seconds if time-based - in bytes if trafficbased) - - name: radioband - type: keyword - description: | - Radio band - - name: radioid - type: integer - description: | - Radio ID - - name: radioidclosest - type: integer - description: | - Radio ID on the AP closest the rogue AP - - name: radioiddetected - type: integer - description: | - Radio ID on the AP which detected the rogue AP - - name: rate - type: keyword - description: | - Wireless rogue rate value - - name: rawdata - type: keyword - description: | - Raw data value - - name: rawdataid - type: keyword - description: | - Raw data ID - - name: rcvddelta - type: keyword - description: | - Received bytes delta - - name: reason - type: keyword - description: | - Alert reason - - name: received - type: integer - description: | 
- Server key exchange received - - name: receivedsignature - type: keyword - description: | - Server key exchange received signature - - name: red - type: keyword - description: | - Memory information in red - - name: referralurl - type: keyword - description: | - Web filter referralurl - - name: remote - type: ip - description: | - Remote PPP IP address - - name: remotewtptime - type: keyword - description: | - Remote Wifi Radius authentication time - - name: reporttype - type: keyword - description: | - Report type - - name: reqtype - type: keyword - description: | - Request type - - name: request_name - type: keyword - description: | - VOIP request name - - name: result - type: keyword - description: | - VPN phase result - - name: role - type: keyword - description: | - VPN Phase 2 role - - name: rssi - type: integer - description: | - Received signal strength indicator - - name: rsso_key - type: keyword - description: | - RADIUS SSO attribute value - - name: ruledata - type: keyword - description: | - Rule data - - name: ruletype - type: keyword - description: | - Rule type - - name: scanned - type: integer - description: | - Number of Scanned MMSs - - name: scantime - type: long - description: | - Scanned time - - name: scope - type: keyword - description: | - FortiGuard Override Scope - - name: security - type: keyword - description: | - Wireless rogue security - - name: sensitivity - type: keyword - description: | - Sensitivity for document fingerprint - - name: sensor - type: keyword - description: | - NAC Sensor Name - - name: sentdelta - type: keyword - description: | - Sent bytes delta - - name: seq - type: keyword - description: | - Sequence number - - name: serial - type: keyword - description: | - WAN optimisation serial - - name: serialno - type: keyword - description: | - Serial number - - name: server - type: keyword - description: | - AD server FQDN or IP - - name: session_id - type: keyword - description: | - Session ID - - name: sessionid - 
type: integer - description: | - WAD Session ID - - name: setuprate - type: long - description: | - Session Setup Rate - - name: severity - type: keyword - description: | - Severity - - name: shaperdroprcvdbyte - type: integer - description: | - Received bytes dropped by shaper - - name: shaperdropsentbyte - type: integer - description: | - Sent bytes dropped by shaper - - name: shaperperipdropbyte - type: integer - description: | - Dropped bytes per IP by shaper - - name: shaperperipname - type: keyword - description: | - Traffic shaper name (per IP) - - name: shaperrcvdname - type: keyword - description: | - Traffic shaper name for received traffic - - name: shapersentname - type: keyword - description: | - Traffic shaper name for sent traffic - - name: shapingpolicyid - type: integer - description: | - Traffic shaper policy ID - - name: signal - type: integer - description: | - Wireless rogue API signal - - name: size - type: long - description: | - Email size in bytes - - name: slot - type: integer - description: | - Slot number - - name: sn - type: keyword - description: | - Security fabric serial number - - name: snclosest - type: keyword - description: | - SN of the AP closest to the rogue AP - - name: sndetected - type: keyword - description: | - SN of the AP which detected the rogue AP - - name: snmeshparent - type: keyword - description: | - SN of the mesh parent - - name: spi - type: keyword - description: | - IPSEC SPI - - name: src_int - type: keyword - description: | - Source interface - - name: srcintfrole - type: keyword - description: | - Source interface role - - name: srccountry - type: keyword - description: | - Source country - - name: srcfamily - type: keyword - description: | - Source family - - name: srchwvendor - type: keyword - description: | - Source hardware vendor - - name: srchwversion - type: keyword - description: | - Source hardware version - - name: srcinetsvc - type: keyword - description: | - Source interface service - - name: 
srcname - type: keyword - description: | - Source name - - name: srcserver - type: integer - description: | - Source server - - name: srcssid - type: keyword - description: | - Source SSID - - name: srcswversion - type: keyword - description: | - Source software version - - name: srcuuid - type: keyword - description: | - Source UUID - - name: sscname - type: keyword - description: | - SSC name - - name: ssid - type: keyword - description: | - Base Service Set ID - - name: sslaction - type: keyword - description: | - SSL Action - - name: ssllocal - type: keyword - description: | - WAD SSL local - - name: sslremote - type: keyword - description: | - WAD SSL remote - - name: stacount - type: integer - description: | - Number of stations/clients - - name: stage - type: keyword - description: | - IPSEC stage - - name: stamac - type: keyword - description: | - 802.1x station mac - - name: state - type: keyword - description: | - Admin login state - - name: status - type: keyword - description: | - Status - - name: stitch - type: keyword - description: | - Automation stitch triggered - - name: subject - type: keyword - description: | - Email subject - - name: submodule - type: keyword - description: | - Configuration Sub-Module Name - - name: subservice - type: keyword - description: | - AV subservice - - name: subtype - type: keyword - description: | - Log subtype - - name: suspicious - type: integer - description: | - Number of Suspicious MMSs - - name: switchproto - type: keyword - description: | - Protocol change information - - name: sync_status - type: keyword - description: | - The sync status with the master - - name: sync_type - type: keyword - description: | - The sync type with the master - - name: sysuptime - type: keyword - description: | - System uptime - - name: tamac - type: keyword - description: | - the MAC address of Transmitter, if none, then Receiver - - name: threattype - type: keyword - description: | - WIDS threat type - - name: time - type: 
keyword - description: | - Time of the event - - name: to - type: keyword - description: | - Email to field - - name: to_vcluster - type: integer - description: | - destination virtual cluster number - - name: total - type: integer - description: | - Total memory - - name: totalsession - type: integer - description: | - Total Number of Sessions - - name: trace_id - type: keyword - description: | - Session clash trace ID - - name: trandisp - type: keyword - description: | - NAT translation type - - name: transid - type: integer - description: | - HTTP transaction ID - - name: translationid - type: keyword - description: | - DNS filter transaltion ID - - name: trigger - type: keyword - description: | - Automation stitch trigger - - name: trueclntip - type: ip - description: | - File filter true client IP - - name: tunnelid - type: integer - description: | - IPSEC tunnel ID - - name: tunnelip - type: ip - description: | - IPSEC tunnel IP - - name: tunneltype - type: keyword - description: | - IPSEC tunnel type - - name: type - type: keyword - description: | - Module type - - name: ui - type: keyword - description: | - Admin authentication UI type - - name: unauthusersource - type: keyword - description: | - Unauthenticated user source - - name: unit - type: integer - description: | - Power supply unit - - name: urlfilteridx - type: integer - description: | - URL filter ID - - name: urlfilterlist - type: keyword - description: | - URL filter list - - name: urlsource - type: keyword - description: | - URL filter source - - name: urltype - type: keyword - description: | - URL filter type - - name: used - type: integer - description: | - Number of Used IPs - - name: used_for_type - type: integer - description: | - Connection for the type - - name: utmaction - type: keyword - description: | - Security action performed by UTM - - name: vap - type: keyword - description: | - Virtual AP - - name: vapmode - type: keyword - description: | - Virtual AP mode - - name: vcluster - 
type: integer - description: | - virtual cluster id - - name: vcluster_member - type: integer - description: | - Virtual cluster member - - name: vcluster_state - type: keyword - description: | - Virtual cluster state - - name: vd - type: keyword - description: | - Virtual Domain Name - - name: vdname - type: keyword - description: | - Virtual Domain Name - - name: vendorurl - type: keyword - description: | - Vulnerability scan vendor name - - name: version - type: keyword - description: | - Version - - name: vip - type: keyword - description: | - Virtual IP - - name: virus - type: keyword - description: | - Virus name - - name: virusid - type: integer - description: | - Virus ID (unique virus identifier) - - name: voip_proto - type: keyword - description: | - VOIP protocol - - name: vpn - type: keyword - description: | - VPN description - - name: vpntunnel - type: keyword - description: | - IPsec Vpn Tunnel Name - - name: vpntype - type: keyword - description: | - The type of the VPN tunnel - - name: vrf - type: integer - description: | - VRF number - - name: vulncat - type: keyword - description: | - Vulnerability Category - - name: vulnid - type: integer - description: | - Vulnerability ID - - name: vulnname - type: keyword - description: | - Vulnerability name - - name: vwlid - type: integer - description: | - VWL ID - - name: vwlquality - type: keyword - description: | - VWL quality - - name: vwlservice - type: keyword - description: | - VWL service - - name: vwpvlanid - type: integer - description: | - VWP VLAN ID - - name: wanin - type: long - description: | - WAN incoming traffic in bytes - - name: wanoptapptype - type: keyword - description: | - WAN Optimization Application type - - name: wanout - type: long - description: | - WAN outgoing traffic in bytes - - name: weakwepiv - type: keyword - description: | - Weak Wep Initiation Vector - - name: xauthgroup - type: keyword - description: | - XAuth Group Name - - name: xauthuser - type: keyword - 
description: | - XAuth User Name - - name: xid - type: integer - description: | - Wireless X ID diff --git a/packages/fortinet_fortigate/1.2.1/data_stream/log/manifest.yml b/packages/fortinet_fortigate/1.2.1/data_stream/log/manifest.yml deleted file mode 100755 index 64911c6e36..0000000000 --- a/packages/fortinet_fortigate/1.2.1/data_stream/log/manifest.yml +++ /dev/null 
@@ -1,192 +0,0 @@
-type: logs
-title: Fortinet FortiGate logs
-streams:
- - input: tcp
- vars:
- - name: syslog_host
- type: text
- title: Listen Address
- description: The bind address to listen for TCP connections. Set to `0.0.0.0` to bind to all available interfaces.
- multi: false
- required: true
- show_user: true
- default: localhost
- - name: syslog_port
- type: integer
- title: Listen Port
- description: The TCP port number to listen on.
- multi: false
- required: true
- show_user: true
- default: 9004
- - name: tags
- type: text
- title: Tags
- multi: true
- required: true
- show_user: false
- default:
- - fortinet-fortigate
- - fortinet-firewall
- - forwarded
- - name: preserve_original_event
- required: true
- show_user: true
- title: Preserve original event
- description: Preserves a raw copy of the original event, added to the field `event.original`
- type: bool
- multi: false
- default: false
- - name: processors
- type: yaml
- title: Processors
- multi: false
- required: false
- show_user: false
- description: >
- Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
- - name: ssl
- type: yaml
- title: SSL Configuration
- description: i.e. certificate_authorities, supported_protocols, verification_mode etc.
- multi: false
- required: false
- show_user: false
- default: |
- #certificate_authorities:
- # - |
- # -----BEGIN CERTIFICATE-----
- # MIIDCjCCAfKgAwIBAgITJ706Mu2wJlKckpIvkWxEHvEyijANBgkqhkiG9w0BAQsF
- # ADAUMRIwEAYDVQQDDAlsb2NhbGhvc3QwIBcNMTkwNzIyMTkyOTA0WhgPMjExOTA2
- # MjgxOTI5MDRaMBQxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEB
- # BQADggEPADCCAQoCggEBANce58Y/JykI58iyOXpxGfw0/gMvF0hUQAcUrSMxEO6n
- # fZRA49b4OV4SwWmA3395uL2eB2NB8y8qdQ9muXUdPBWE4l9rMZ6gmfu90N5B5uEl
- # 94NcfBfYOKi1fJQ9i7WKhTjlRkMCgBkWPkUokvBZFRt8RtF7zI77BSEorHGQCk9t
- # /D7BS0GJyfVEhftbWcFEAG3VRcoMhF7kUzYwp+qESoriFRYLeDWv68ZOvG7eoWnP
- # PsvZStEVEimjvK5NSESEQa9xWyJOmlOKXhkdymtcUd/nXnx6UTCFgnkgzSdTWV41
- # CI6B6aJ9svCTI2QuoIq2HxX/ix7OvW1huVmcyHVxyUECAwEAAaNTMFEwHQYDVR0O
- # BBYEFPwN1OceFGm9v6ux8G+DZ3TUDYxqMB8GA1UdIwQYMBaAFPwN1OceFGm9v6ux
- # 8G+DZ3TUDYxqMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAG5D
- # 874A4YI7YUwOVsVAdbWtgp1d0zKcPRR+r2OdSbTAV5/gcS3jgBJ3i1BN34JuDVFw
- # 3DeJSYT3nxy2Y56lLnxDeF8CUTUtVQx3CuGkRg1ouGAHpO/6OqOhwLLorEmxi7tA
- # H2O8mtT0poX5AnOAhzVy7QW0D/k4WaoLyckM5hUa6RtvgvLxOwA0U+VGurCDoctu
- # 8F4QOgTAWyh8EZIwaKCliFRSynDpv3JTUwtfZkxo6K6nce1RhCWFAsMvDZL8Dgc0
- # yvgJ38BRsFOtkRuAGSf6ZUwTO8JJRRIFnpUzXflAnGivK9M13D5GEQMmIl6U9Pvk
- # sxSmbIUfc2SGJGCJD4I=
- # -----END CERTIFICATE-----
- - name: tcp_options
- type: yaml
- title: Custom TCP Options
- multi: false
- required: false
- show_user: false
- default: |
- #max_connections: 1
- #framing: delimitier
- #line_delimiter: "\n"
- description: Specify custom configuration options for the TCP input.
- template_path: tcp.yml.hbs
- title: Fortinet firewall logs (tcp)
- description: Collect Fortinet firewall logs using tcp input
- - input: udp
- vars:
- - name: syslog_host
- type: text
- title: Listen Address
- description: The bind address to listen for UDP connections. Set to `0.0.0.0` to bind to all available interfaces.
- multi: false
- required: true
- show_user: true
- default: localhost
- - name: syslog_port
- type: integer
- title: Listen Port
- description: The UDP port number to listen on.
- multi: false
- required: true
- show_user: true
- default: 9004
- - name: tags
- type: text
- title: Tags
- multi: true
- required: true
- show_user: false
- default:
- - fortinet-fortigate
- - fortinet-firewall
- - forwarded
- - name: preserve_original_event
- required: true
- show_user: true
- title: Preserve original event
- description: Preserves a raw copy of the original event, added to the field `event.original`
- type: bool
- multi: false
- default: false
- - name: processors
- type: yaml
- title: Processors
- multi: false
- required: false
- show_user: false
- description: >
- Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
-
- template_path: udp.yml.hbs
- title: Fortinet firewall logs (udp)
- description: Collect Fortinet firewall logs using udp input
- - input: logfile
- enabled: false
- vars:
- - name: paths
- type: text
- title: Paths
- multi: true
- required: false
- show_user: true
- default:
- - /var/log/fortinet-firewall.log
- - name: tags
- type: text
- title: Tags
- multi: true
- required: true
- show_user: false
- default:
- - fortinet-fortigate
- - fortinet-firewall
- - forwarded
- - name: internal_interfaces
- type: text
- title: Internal Interfaces
- multi: true
- required: false
- show_user: false
- - name: external_interfaces
- type: text
- title: External Interfaces
- multi: true
- required: false
- show_user: false
- - name: preserve_original_event
- required: true
- show_user: true
- title: Preserve original event
- description: Preserves a raw copy of the original event, added to the field `event.original`
- type: bool
- multi: false
- default: false
- - name: processors
- type: yaml
- title: Processors
- multi: false
- required: false
- show_user: false
- description: >
- Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
-
- template_path: log.yml.hbs
- title: Fortinet FortiGate logs (log)
- description: Collect Fortinet FortiGate logs using log input
diff --git a/packages/fortinet_fortigate/1.2.1/data_stream/log/sample_event.json b/packages/fortinet_fortigate/1.2.1/data_stream/log/sample_event.json
deleted file mode 100755
index 8552aba271..0000000000
--- a/packages/fortinet_fortigate/1.2.1/data_stream/log/sample_event.json
+++ /dev/null
@@ -1,143 +0,0 @@
-{
- "@timestamp": "2019-05-15T18:03:36.000Z",
- "agent": {
- "ephemeral_id": "74b27709-c288-4314-b386-659dbc5a62ea",
- "hostname": "docker-fleet-agent",
- "id": "2164018d-05cd-45b4-979d-4032bdd775f6",
- "name": "docker-fleet-agent",
- "type": "filebeat",
- "version": "7.14.0"
- },
- "data_stream": {
- "dataset": "fortinet_fortigate.log",
- "namespace": "ep",
- "type": "logs"
- },
- "destination": {
- "as": {
- "number": 41690,
- "organization": {
- "name": "Dailymotion S.A."
- }
- },
- "geo": {
- "continent_name": "Europe",
- "country_iso_code": "FR",
- "country_name": "France",
- "location": {
- "lat": 48.8582,
- "lon": 2.3387
- }
- },
- "ip": "195.8.215.136",
- "port": 443
- },
- "ecs": {
- "version": "8.2.0"
- },
- "elastic_agent": {
- "id": "7cc48d16-ebf0-44b1-9094-fe2082d8f5a4",
- "snapshot": true,
- "version": "7.14.0"
- },
- "event": {
- "action": "app-ctrl-all",
- "category": [
- "network"
- ],
- "code": "1059028704",
- "dataset": "fortinet_fortigate.log",
- "ingested": "2021-06-03T12:38:44.458586716Z",
- "kind": "event",
- "module": "fortinet",
- "original": "\u003c190\u003edate=2019-05-15 time=18:03:36 logid=\"1059028704\" type=\"utm\" subtype=\"app-ctrl\" eventtype=\"app-ctrl-all\" level=\"information\" vd=\"root\" eventtime=1557968615 appid=40568 srcip=10.1.100.22 dstip=195.8.215.136 srcport=50798 dstport=443 srcintf=\"port10\" srcintfrole=\"lan\" dstintf=\"port9\" dstintfrole=\"wan\" proto=6 service=\"HTTPS\" direction=\"outgoing\" policyid=1 sessionid=4414 applist=\"block-social.media\" appcat=\"Web.Client\" app=\"HTTPS.BROWSER\" action=\"pass\" hostname=\"www.dailymotion.com\" incidentserialno=1962906680 url=\"/\" msg=\"Web.Client: HTTPS.BROWSER,\" apprisk=\"medium\" scertcname=\"*.dailymotion.com\" scertissuer=\"DigiCert SHA2 High Assurance Server CA\"\n",
- "outcome": "success",
- "start": "2019-05-16T01:03:35.000Z",
- "type": [
- "allowed"
- ]
- },
- "fortinet": {
- "firewall": {
- "action": "pass",
- "appid": "40568",
- "apprisk": "medium",
- "dstintfrole": "wan",
- "incidentserialno": "1962906680",
- "sessionid": "4414",
- "srcintfrole": "lan",
- "subtype": "app-ctrl",
- "type": "utm",
- "vd": "root"
- }
- },
- "input": {
- "type": "udp"
- },
- "log": {
- "level": "information",
- "source": {
- "address": "192.168.240.4:54617"
- }
- },
- "message": "Web.Client: HTTPS.BROWSER,",
- "network": {
- "application": "HTTPS.BROWSER",
- "direction": "outbound",
- "iana_number": "6",
- "transport": "tcp",
- "protocol": "https"
- },
- "observer": {
- "egress": {
- "interface": {
- "name": "port9"
- }
- },
- "ingress": {
- "interface": {
- "name": "port10"
- }
- },
- "product": "Fortigate",
- "type": "firewall",
- "vendor": "Fortinet"
- },
- "related": {
- "ip": [
- "10.1.100.22",
- "195.8.215.136"
- ]
- },
- "rule": {
- "category": "Web-Client",
- "id": "1",
- "ruleset": "block-social.media"
- },
- "source": {
- "ip": "10.1.100.22",
- "port": 50798
- },
- "tags": [
- "fortinet-firewall",
- "forwarded",
- "preserve_original_event"
- ],
- "tls": {
- "server": {
- "issuer": "DigiCert SHA2 High Assurance Server CA",
- "x509": {
- "issuer": {
- "common_name": "DigiCert SHA2 High Assurance Server CA"
- },
- "subject": {
- "common_name": "*.dailymotion.com"
- }
- }
- }
- },
- "url": {
- "domain": "www.dailymotion.com",
- "path": "/"
- }
-}
\ No newline at end of file
diff --git a/packages/fortinet_fortigate/1.2.1/docs/README.md b/packages/fortinet_fortigate/1.2.1/docs/README.md
deleted file mode 100755
index d3c7a3ebc5..0000000000
--- a/packages/fortinet_fortigate/1.2.1/docs/README.md
+++ /dev/null
@@ -1,749 +0,0 @@ -# Fortinet FortiGate Integration - -This integration is for Fortinet FortiGate logs sent in the syslog format. - -## Compatibility - -This integration has been tested against FortiOS version 6.0.x and 6.2.x. Versions above this are expected to work but have not been tested. - -### Log - -The `log` dataset collects JFortinet FortiGate logs. - -An example event for `log` looks as following: - -```json -{ - "@timestamp": "2019-05-15T18:03:36.000Z", - "agent": { - "ephemeral_id": "74b27709-c288-4314-b386-659dbc5a62ea", - "hostname": "docker-fleet-agent", - "id": "2164018d-05cd-45b4-979d-4032bdd775f6", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "7.14.0" - }, - "data_stream": { - "dataset": "fortinet_fortigate.log", - "namespace": "ep", - "type": "logs" - }, - "destination": { - "as": { - "number": 41690, - "organization": { - "name": "Dailymotion S.A." - } - }, - "geo": { - "continent_name": "Europe", - "country_iso_code": "FR", - "country_name": "France", - "location": { - "lat": 48.8582, - "lon": 2.3387 - } - }, - "ip": "195.8.215.136", - "port": 443 - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "7cc48d16-ebf0-44b1-9094-fe2082d8f5a4", - "snapshot": true, - "version": "7.14.0" - }, - "event": { - "action": "app-ctrl-all", - "category": [ - "network" - ], - "code": "1059028704", - "dataset": "fortinet_fortigate.log", - "ingested": "2021-06-03T12:38:44.458586716Z", - "kind": "event", - "module": "fortinet", - "original": "\u003c190\u003edate=2019-05-15 time=18:03:36 logid=\"1059028704\" type=\"utm\" subtype=\"app-ctrl\" eventtype=\"app-ctrl-all\" level=\"information\" vd=\"root\" eventtime=1557968615 appid=40568 srcip=10.1.100.22 dstip=195.8.215.136 srcport=50798 dstport=443 srcintf=\"port10\" srcintfrole=\"lan\" dstintf=\"port9\" dstintfrole=\"wan\" proto=6 service=\"HTTPS\" direction=\"outgoing\" policyid=1 sessionid=4414 applist=\"block-social.media\" appcat=\"Web.Client\" app=\"HTTPS.BROWSER\" 
action=\"pass\" hostname=\"www.dailymotion.com\" incidentserialno=1962906680 url=\"/\" msg=\"Web.Client: HTTPS.BROWSER,\" apprisk=\"medium\" scertcname=\"*.dailymotion.com\" scertissuer=\"DigiCert SHA2 High Assurance Server CA\"\n", - "outcome": "success", - "start": "2019-05-16T01:03:35.000Z", - "type": [ - "allowed" - ] - }, - "fortinet": { - "firewall": { - "action": "pass", - "appid": "40568", - "apprisk": "medium", - "dstintfrole": "wan", - "incidentserialno": "1962906680", - "sessionid": "4414", - "srcintfrole": "lan", - "subtype": "app-ctrl", - "type": "utm", - "vd": "root" - } - }, - "input": { - "type": "udp" - }, - "log": { - "level": "information", - "source": { - "address": "192.168.240.4:54617" - } - }, - "message": "Web.Client: HTTPS.BROWSER,", - "network": { - "application": "HTTPS.BROWSER", - "direction": "outbound", - "iana_number": "6", - "transport": "tcp", - "protocol": "https" - }, - "observer": { - "egress": { - "interface": { - "name": "port9" - } - }, - "ingress": { - "interface": { - "name": "port10" - } - }, - "product": "Fortigate", - "type": "firewall", - "vendor": "Fortinet" - }, - "related": { - "ip": [ - "10.1.100.22", - "195.8.215.136" - ] - }, - "rule": { - "category": "Web-Client", - "id": "1", - "ruleset": "block-social.media" - }, - "source": { - "ip": "10.1.100.22", - "port": 50798 - }, - "tags": [ - "fortinet-firewall", - "forwarded", - "preserve_original_event" - ], - "tls": { - "server": { - "issuer": "DigiCert SHA2 High Assurance Server CA", - "x509": { - "issuer": { - "common_name": "DigiCert SHA2 High Assurance Server CA" - }, - "subject": { - "common_name": "*.dailymotion.com" - } - } - } - }, - "url": { - "domain": "www.dailymotion.com", - "path": "/" - } -} -``` - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. 
Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| destination.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| destination.as.organization.name | Organization name. | keyword | -| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. | match_only_text | -| destination.bytes | Bytes sent from the destination to the source. | long | -| destination.domain | The domain name of the destination system. 
This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | -| destination.geo.city_name | City name. | keyword | -| destination.geo.continent_name | Name of the continent. | keyword | -| destination.geo.country_iso_code | Country ISO code. | keyword | -| destination.geo.country_name | Country name. | keyword | -| destination.geo.location | Longitude and latitude. | geo_point | -| destination.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | -| destination.geo.region_iso_code | Region ISO code. | keyword | -| destination.geo.region_name | Region name. | keyword | -| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | -| destination.nat.ip | Translated ip of destination based NAT sessions (e.g. internet to private DMZ) Typically used with load balancers, firewalls, or routers. | ip | -| destination.nat.port | Port the source session is translated to by NAT Device. Typically used with load balancers, firewalls, or routers. | long | -| destination.packets | Packets sent from the destination to the source. | long | -| destination.port | Port of the destination. | long | -| destination.user.email | User email address. | keyword | -| destination.user.name | Short name or login of the user. | keyword | -| destination.user.name.text | Multi-field of `destination.user.name`. | match_only_text | -| dns.id | The DNS packet identifier assigned by the program that generated the query. The identifier is copied to the response. | keyword | -| dns.question.class | The class of records being queried. | keyword | -| dns.question.name | The name being queried. 
If the name field contains non-printable characters (below 32 or above 126), those characters should be represented as escaped base 10 integers (\DDD). Back slashes and quotes should be escaped. Tabs, carriage returns, and line feeds should be converted to \t, \r, and \n respectively. | keyword | -| dns.question.type | The type of record being queried. | keyword | -| dns.resolved_ip | Array containing all IPs seen in `answers.data`. The `answers` array can be difficult to use, because of the variety of data formats it can contain. Extracting all IP addresses seen in there to `dns.resolved_ip` makes it possible to index them as IP addresses, and makes them easier to visualize and query for. | ip | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| email.cc.address | The email address of CC recipient | keyword | -| email.from.address | The email address of the sender, typically from the RFC 5322 `From:` header field. | keyword | -| email.sender.address | Per RFC 5322, specifies the address responsible for the actual transmission of the message. | keyword | -| email.subject | A brief summary of the topic of the message. | keyword | -| email.subject.text | Multi-field of `email.subject`. | match_only_text | -| email.to.address | The email address of recipient | keyword | -| error.code | Error code describing the error. | keyword | -| error.message | Error message. | match_only_text | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. 
This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.code | Identification code for this event, if one exists. Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. | keyword | -| event.dataset | Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. | keyword | -| event.duration | Duration of the event in nanoseconds. If event.start and event.end are known this value should be the difference between the end and start time. | long | -| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. 
| keyword | -| event.message | Log message optimized for viewing in a log viewer. | text | -| event.module | Name of the module this data is coming from. If your monitoring agent supports the concept of modules or plugins to process events of a given source (e.g. Apache logs), `event.module` should contain the name of this module. | keyword | -| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | -| event.reference | Reference URL linking to additional information about this event. This URL links to a static definition of this event. Alert events, indicated by `event.kind:alert`, are a common use case for this field. | keyword | -| event.start | event.start contains the date when the event started or when the activity was first observed. | date | -| event.timezone | This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). 
| keyword | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | -| file.extension | File extension, excluding the leading dot. Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword | -| file.name | Name of the file including the extension, without the directory. | keyword | -| file.size | File size in bytes. Only relevant when `file.type` is "file". | long | -| fortinet.file.hash.crc32 | CRC32 Hash of file | keyword | -| fortinet.firewall.acct_stat | Accounting state (RADIUS) | keyword | -| fortinet.firewall.acktime | Alarm Acknowledge Time | keyword | -| fortinet.firewall.act | Action | keyword | -| fortinet.firewall.action | Status of the session | keyword | -| fortinet.firewall.activity | HA activity message | keyword | -| fortinet.firewall.addr | IP Address | ip | -| fortinet.firewall.addr_type | Address Type | keyword | -| fortinet.firewall.addrgrp | Address Group | keyword | -| fortinet.firewall.adgroup | AD Group Name | keyword | -| fortinet.firewall.admin | Admin User | keyword | -| fortinet.firewall.age | Time in seconds - time passed since last seen | integer | -| fortinet.firewall.agent | User agent - eg. 
agent="Mozilla/5.0" | keyword | -| fortinet.firewall.alarmid | Alarm ID | integer | -| fortinet.firewall.alert | Alert | keyword | -| fortinet.firewall.analyticscksum | The checksum of the file submitted for analytics | keyword | -| fortinet.firewall.analyticssubmit | The flag for analytics submission | keyword | -| fortinet.firewall.ap | Access Point | keyword | -| fortinet.firewall.app-type | Address Type | keyword | -| fortinet.firewall.appact | The security action from app control | keyword | -| fortinet.firewall.appid | Application ID | integer | -| fortinet.firewall.applist | Application Control profile | keyword | -| fortinet.firewall.apprisk | Application Risk Level | keyword | -| fortinet.firewall.apscan | The name of the AP, which scanned and detected the rogue AP | keyword | -| fortinet.firewall.apsn | Access Point | keyword | -| fortinet.firewall.apstatus | Access Point status | keyword | -| fortinet.firewall.aptype | Access Point type | keyword | -| fortinet.firewall.assigned | Assigned IP Address | ip | -| fortinet.firewall.assignip | Assigned IP Address | ip | -| fortinet.firewall.attachment | The flag for email attachement | keyword | -| fortinet.firewall.attack | Attack Name | keyword | -| fortinet.firewall.attackcontext | The trigger patterns and the packetdata with base64 encoding | keyword | -| fortinet.firewall.attackcontextid | Attack context id / total | keyword | -| fortinet.firewall.attackid | Attack ID | integer | -| fortinet.firewall.auditid | Audit ID | long | -| fortinet.firewall.auditscore | The Audit Score | keyword | -| fortinet.firewall.audittime | The time of the audit | long | -| fortinet.firewall.authgrp | Authorization Group | keyword | -| fortinet.firewall.authid | Authentication ID | keyword | -| fortinet.firewall.authproto | The protocol that initiated the authentication | keyword | -| fortinet.firewall.authserver | Authentication server | keyword | -| fortinet.firewall.bandwidth | Bandwidth | keyword | -| 
fortinet.firewall.banned_rule | NAC quarantine Banned Rule Name | keyword | -| fortinet.firewall.banned_src | NAC quarantine Banned Source IP | keyword | -| fortinet.firewall.banword | Banned word | keyword | -| fortinet.firewall.botnetdomain | Botnet Domain Name | keyword | -| fortinet.firewall.botnetip | Botnet IP Address | ip | -| fortinet.firewall.bssid | Service Set ID | keyword | -| fortinet.firewall.call_id | Caller ID | keyword | -| fortinet.firewall.carrier_ep | The FortiOS Carrier end-point identification | keyword | -| fortinet.firewall.cat | DNS category ID | integer | -| fortinet.firewall.category | Authentication category | keyword | -| fortinet.firewall.cc | CC Email Address | keyword | -| fortinet.firewall.cdrcontent | Cdrcontent | keyword | -| fortinet.firewall.centralnatid | Central NAT ID | integer | -| fortinet.firewall.cert | Certificate | keyword | -| fortinet.firewall.cert-type | Certificate type | keyword | -| fortinet.firewall.certhash | Certificate hash | keyword | -| fortinet.firewall.cfgattr | Configuration attribute | keyword | -| fortinet.firewall.cfgobj | Configuration object | keyword | -| fortinet.firewall.cfgpath | Configuration path | keyword | -| fortinet.firewall.cfgtid | Configuration transaction ID | keyword | -| fortinet.firewall.cfgtxpower | Configuration TX power | integer | -| fortinet.firewall.channel | Wireless Channel | integer | -| fortinet.firewall.channeltype | SSH channel type | keyword | -| fortinet.firewall.chassisid | Chassis ID | integer | -| fortinet.firewall.checksum | The checksum of the scanned file | keyword | -| fortinet.firewall.chgheaders | HTTP Headers | keyword | -| fortinet.firewall.cldobjid | Connector object ID | keyword | -| fortinet.firewall.client_addr | Wifi client address | keyword | -| fortinet.firewall.cloudaction | Cloud Action | keyword | -| fortinet.firewall.clouduser | Cloud User | keyword | -| fortinet.firewall.column | VOIP Column | integer | -| fortinet.firewall.command | CLI Command | 
keyword | -| fortinet.firewall.community | SNMP Community | keyword | -| fortinet.firewall.configcountry | Configuration country | keyword | -| fortinet.firewall.connection_type | FortiClient Connection Type | keyword | -| fortinet.firewall.conserve | Flag for conserve mode | keyword | -| fortinet.firewall.constraint | WAF http protocol restrictions | keyword | -| fortinet.firewall.contentdisarmed | Email scanned content | keyword | -| fortinet.firewall.contenttype | Content Type from HTTP header | keyword | -| fortinet.firewall.cookies | VPN Cookie | keyword | -| fortinet.firewall.count | Counts of action type | integer | -| fortinet.firewall.countapp | Number of App Ctrl logs associated with the session | integer | -| fortinet.firewall.countav | Number of AV logs associated with the session | integer | -| fortinet.firewall.countcifs | Number of CIFS logs associated with the session | integer | -| fortinet.firewall.countdlp | Number of DLP logs associated with the session | integer | -| fortinet.firewall.countdns | Number of DNS logs associated with the session | integer | -| fortinet.firewall.countemail | Number of email logs associated with the session | integer | -| fortinet.firewall.countff | Number of ff logs associated with the session | integer | -| fortinet.firewall.countips | Number of IPS logs associated with the session | integer | -| fortinet.firewall.countssh | Number of SSH logs associated with the session | integer | -| fortinet.firewall.countssl | Number of SSL logs associated with the session | integer | -| fortinet.firewall.countwaf | Number of WAF logs associated with the session | integer | -| fortinet.firewall.countweb | Number of Web filter logs associated with the session | integer | -| fortinet.firewall.cpu | CPU Usage | integer | -| fortinet.firewall.craction | Client Reputation Action | integer | -| fortinet.firewall.criticalcount | Number of critical ratings | integer | -| fortinet.firewall.crl | Client Reputation Level | keyword | -| 
fortinet.firewall.crlevel | Client Reputation Level | keyword | -| fortinet.firewall.crscore | Some description | integer | -| fortinet.firewall.cveid | CVE ID | keyword | -| fortinet.firewall.daemon | Daemon name | keyword | -| fortinet.firewall.datarange | Data range for reports | keyword | -| fortinet.firewall.date | Date | keyword | -| fortinet.firewall.ddnsserver | DDNS server | ip | -| fortinet.firewall.desc | Description | keyword | -| fortinet.firewall.detectionmethod | Detection method | keyword | -| fortinet.firewall.devcategory | Device category | keyword | -| fortinet.firewall.devintfname | HA device Interface Name | keyword | -| fortinet.firewall.devtype | Device type | keyword | -| fortinet.firewall.dhcp_msg | DHCP Message | keyword | -| fortinet.firewall.dintf | Destination interface | keyword | -| fortinet.firewall.disk | Assosciated disk | keyword | -| fortinet.firewall.disklograte | Disk logging rate | long | -| fortinet.firewall.dlpextra | DLP extra information | keyword | -| fortinet.firewall.docsource | DLP fingerprint document source | keyword | -| fortinet.firewall.domainctrlauthstate | CIFS domain auth state | integer | -| fortinet.firewall.domainctrlauthtype | CIFS domain auth type | integer | -| fortinet.firewall.domainctrldomain | CIFS domain auth domain | keyword | -| fortinet.firewall.domainctrlip | CIFS Domain IP | ip | -| fortinet.firewall.domainctrlname | CIFS Domain name | keyword | -| fortinet.firewall.domainctrlprotocoltype | CIFS Domain connection protocol | integer | -| fortinet.firewall.domainctrlusername | CIFS Domain username | keyword | -| fortinet.firewall.domainfilteridx | Domain filter ID | integer | -| fortinet.firewall.domainfilterlist | Domain filter name | keyword | -| fortinet.firewall.ds | Direction with distribution system | keyword | -| fortinet.firewall.dst_int | Destination interface | keyword | -| fortinet.firewall.dstcountry | Destination country | keyword | -| fortinet.firewall.dstdevcategory | Destination 
device category | keyword |
-| fortinet.firewall.dstdevtype | Destination device type | keyword |
-| fortinet.firewall.dstfamily | Destination OS family | keyword |
-| fortinet.firewall.dsthwvendor | Destination HW vendor | keyword |
-| fortinet.firewall.dsthwversion | Destination HW version | keyword |
-| fortinet.firewall.dstinetsvc | Destination interface service | keyword |
-| fortinet.firewall.dstintfrole | Destination interface role | keyword |
-| fortinet.firewall.dstosname | Destination OS name | keyword |
-| fortinet.firewall.dstosversion | Destination OS version | keyword |
-| fortinet.firewall.dstserver | Destination server | integer |
-| fortinet.firewall.dstssid | Destination SSID | keyword |
-| fortinet.firewall.dstswversion | Destination software version | keyword |
-| fortinet.firewall.dstunauthusersource | Destination unauthenticated source | keyword |
-| fortinet.firewall.dstuuid | UUID of the Destination IP address | keyword |
-| fortinet.firewall.duid | DHCP UID | keyword |
-| fortinet.firewall.eapolcnt | EAPOL packet count | integer |
-| fortinet.firewall.eapoltype | EAPOL packet type | keyword |
-| fortinet.firewall.encrypt | Whether the packet is encrypted or not | integer |
-| fortinet.firewall.encryption | Encryption method | keyword |
-| fortinet.firewall.epoch | Epoch used for locating file | integer |
-| fortinet.firewall.espauth | ESP Authentication | keyword |
-| fortinet.firewall.esptransform | ESP Transform | keyword |
-| fortinet.firewall.exch | Mail Exchanges from DNS response answer section | keyword |
-| fortinet.firewall.exchange | Mail Exchanges from DNS response answer section | keyword |
-| fortinet.firewall.expectedsignature | Expected SSL signature | keyword |
-| fortinet.firewall.expiry | FortiGuard override expiry timestamp | keyword |
-| fortinet.firewall.fams_pause | Fortinet Analysis and Management Service Pause | integer |
-| fortinet.firewall.fazlograte | FortiAnalyzer Logging Rate | long |
-| 
fortinet.firewall.fctemssn | FortiClient Endpoint SSN | keyword |
-| fortinet.firewall.fctuid | FortiClient UID | keyword |
-| fortinet.firewall.field | NTP status field | keyword |
-| fortinet.firewall.filefilter | The filter used to identify the affected file | keyword |
-| fortinet.firewall.filehashsrc | Filehash source | keyword |
-| fortinet.firewall.filtercat | DLP filter category | keyword |
-| fortinet.firewall.filteridx | DLP filter ID | integer |
-| fortinet.firewall.filtername | DLP rule name | keyword |
-| fortinet.firewall.filtertype | DLP filter type | keyword |
-| fortinet.firewall.fortiguardresp | Antispam ESP value | keyword |
-| fortinet.firewall.forwardedfor | Email address forwarded | keyword |
-| fortinet.firewall.fqdn | FQDN | keyword |
-| fortinet.firewall.frametype | Wireless frametype | keyword |
-| fortinet.firewall.freediskstorage | Free disk integer | integer |
-| fortinet.firewall.from | From email address | keyword |
-| fortinet.firewall.from_vcluster | Source virtual cluster number | integer |
-| fortinet.firewall.fsaverdict | FSA verdict | keyword |
-| fortinet.firewall.fwserver_name | Web proxy server name | keyword |
-| fortinet.firewall.gateway | Gateway ip address for PPPoE status report | ip |
-| fortinet.firewall.green | Memory status | keyword |
-| fortinet.firewall.groupid | User Group ID | integer |
-| fortinet.firewall.ha-prio | HA Priority | integer |
-| fortinet.firewall.ha_group | HA Group | keyword |
-| fortinet.firewall.ha_role | HA Role | keyword |
-| fortinet.firewall.handshake | SSL Handshake | keyword |
-| fortinet.firewall.hash | Hash value of downloaded file | keyword |
-| fortinet.firewall.hbdn_reason | Heartbeat down reason | keyword |
-| fortinet.firewall.highcount | Highcount fabric summary | integer |
-| fortinet.firewall.host | Hostname | keyword |
-| fortinet.firewall.iaid | DHCPv6 id | keyword |
-| fortinet.firewall.icmpcode | Destination Port of the ICMP message | keyword |
-| fortinet.firewall.icmpid | 
Source port of the ICMP message | keyword |
-| fortinet.firewall.icmptype | The type of ICMP message | keyword |
-| fortinet.firewall.identifier | Network traffic identifier | integer |
-| fortinet.firewall.in_spi | IPSEC inbound SPI | keyword |
-| fortinet.firewall.incidentserialno | Incident serial number | integer |
-| fortinet.firewall.infected | Infected MMS | integer |
-| fortinet.firewall.infectedfilelevel | DLP infected file level | integer |
-| fortinet.firewall.informationsource | Information source | keyword |
-| fortinet.firewall.init | IPSEC init stage | keyword |
-| fortinet.firewall.initiator | Original login user name for Fortiguard override | keyword |
-| fortinet.firewall.interface | Related interface | keyword |
-| fortinet.firewall.intf | Related interface | keyword |
-| fortinet.firewall.invalidmac | The MAC address with invalid OUI | keyword |
-| fortinet.firewall.ip | Related IP | ip |
-| fortinet.firewall.iptype | Related IP type | keyword |
-| fortinet.firewall.keyword | Keyword used for search | keyword |
-| fortinet.firewall.kind | VOIP kind | keyword |
-| fortinet.firewall.lanin | LAN incoming traffic in bytes | long |
-| fortinet.firewall.lanout | LAN outbound traffic in bytes | long |
-| fortinet.firewall.lease | DHCP lease | integer |
-| fortinet.firewall.license_limit | Maximum Number of FortiClients for the License | keyword |
-| fortinet.firewall.limit | Virtual Domain Resource Limit | integer |
-| fortinet.firewall.line | VOIP line | keyword |
-| fortinet.firewall.live | Time in seconds | integer |
-| fortinet.firewall.local | Local IP for a PPPD Connection | ip |
-| fortinet.firewall.log | Log message | keyword |
-| fortinet.firewall.login | SSH login | keyword |
-| fortinet.firewall.lowcount | Fabric lowcount | integer |
-| fortinet.firewall.mac | DHCP mac address | keyword |
-| fortinet.firewall.malform_data | VOIP malformed data | integer |
-| fortinet.firewall.malform_desc | VOIP malformed data description | keyword |
-| 
fortinet.firewall.manuf | Manufacturer name | keyword |
-| fortinet.firewall.masterdstmac | Master mac address for a host with multiple network interfaces | keyword |
-| fortinet.firewall.mastersrcmac | The master MAC address for a host that has multiple network interfaces | keyword |
-| fortinet.firewall.mediumcount | Fabric medium count | integer |
-| fortinet.firewall.mem | Memory usage system statistics | integer |
-| fortinet.firewall.meshmode | Wireless mesh mode | keyword |
-| fortinet.firewall.message_type | VOIP message type | keyword |
-| fortinet.firewall.method | HTTP method | keyword |
-| fortinet.firewall.mgmtcnt | The number of unauthorized client flooding managemet frames | integer |
-| fortinet.firewall.mode | IPSEC mode | keyword |
-| fortinet.firewall.module | PCI-DSS module | keyword |
-| fortinet.firewall.monitor-name | Health Monitor Name | keyword |
-| fortinet.firewall.monitor-type | Health Monitor Type | keyword |
-| fortinet.firewall.mpsk | Wireless MPSK | keyword |
-| fortinet.firewall.msgproto | Message Protocol Number | keyword |
-| fortinet.firewall.mtu | Max Transmission Unit Value | integer |
-| fortinet.firewall.name | Name | keyword |
-| fortinet.firewall.nat | NAT IP Address | keyword |
-| fortinet.firewall.netid | Connector NetID | keyword |
-| fortinet.firewall.new_status | New status on user change | keyword |
-| fortinet.firewall.new_value | New Virtual Domain Name | keyword |
-| fortinet.firewall.newchannel | New Channel Number | integer |
-| fortinet.firewall.newchassisid | New Chassis ID | integer |
-| fortinet.firewall.newslot | New Slot Number | integer |
-| fortinet.firewall.nextstat | Time interval in seconds for the next statistics. 
| integer |
-| fortinet.firewall.nf_type | Notification Type | keyword |
-| fortinet.firewall.noise | Wifi Noise | integer |
-| fortinet.firewall.old_status | Original Status | keyword |
-| fortinet.firewall.old_value | Original Virtual Domain name | keyword |
-| fortinet.firewall.oldchannel | Original channel | integer |
-| fortinet.firewall.oldchassisid | Original Chassis Number | integer |
-| fortinet.firewall.oldslot | Original Slot Number | integer |
-| fortinet.firewall.oldsn | Old Serial number | keyword |
-| fortinet.firewall.oldwprof | Old Web Filter Profile | keyword |
-| fortinet.firewall.onwire | A flag to indicate if the AP is onwire or not | keyword |
-| fortinet.firewall.opercountry | Operating Country | keyword |
-| fortinet.firewall.opertxpower | Operating TX power | integer |
-| fortinet.firewall.osname | Operating System name | keyword |
-| fortinet.firewall.osversion | Operating System version | keyword |
-| fortinet.firewall.out_spi | Out SPI | keyword |
-| fortinet.firewall.outintf | Out interface | keyword |
-| fortinet.firewall.passedcount | Fabric passed count | integer |
-| fortinet.firewall.passwd | Changed user password information | keyword |
-| fortinet.firewall.path | Path of looped configuration for security fabric | keyword |
-| fortinet.firewall.peer | WAN optimization peer | keyword |
-| fortinet.firewall.peer_notif | VPN peer notification | keyword |
-| fortinet.firewall.phase2_name | VPN phase2 name | keyword |
-| fortinet.firewall.phone | VOIP Phone | keyword |
-| fortinet.firewall.pid | Process ID | integer |
-| fortinet.firewall.policytype | Policy Type | keyword |
-| fortinet.firewall.poolname | IP Pool name | keyword |
-| fortinet.firewall.port | Log upload error port | integer |
-| fortinet.firewall.portbegin | IP Pool port number to begin | integer |
-| fortinet.firewall.portend | IP Pool port number to end | integer |
-| fortinet.firewall.probeproto | Link Monitor Probe Protocol | keyword |
-| fortinet.firewall.process | 
URL Filter process | keyword |
-| fortinet.firewall.processtime | Process time for reports | integer |
-| fortinet.firewall.profile | Profile Name | keyword |
-| fortinet.firewall.profile_vd | Virtual Domain Name | keyword |
-| fortinet.firewall.profilegroup | Profile Group Name | keyword |
-| fortinet.firewall.profiletype | Profile Type | keyword |
-| fortinet.firewall.qtypeval | DNS question type value | integer |
-| fortinet.firewall.quarskip | Quarantine skip explanation | keyword |
-| fortinet.firewall.quotaexceeded | If quota has been exceeded | keyword |
-| fortinet.firewall.quotamax | Maximum quota allowed - in seconds if time-based - in bytes if traffic-based | long |
-| fortinet.firewall.quotatype | Quota type | keyword |
-| fortinet.firewall.quotaused | Quota used - in seconds if time-based - in bytes if trafficbased) | long |
-| fortinet.firewall.radioband | Radio band | keyword |
-| fortinet.firewall.radioid | Radio ID | integer |
-| fortinet.firewall.radioidclosest | Radio ID on the AP closest the rogue AP | integer |
-| fortinet.firewall.radioiddetected | Radio ID on the AP which detected the rogue AP | integer |
-| fortinet.firewall.rate | Wireless rogue rate value | keyword |
-| fortinet.firewall.rawdata | Raw data value | keyword |
-| fortinet.firewall.rawdataid | Raw data ID | keyword |
-| fortinet.firewall.rcvddelta | Received bytes delta | keyword |
-| fortinet.firewall.reason | Alert reason | keyword |
-| fortinet.firewall.received | Server key exchange received | integer |
-| fortinet.firewall.receivedsignature | Server key exchange received signature | keyword |
-| fortinet.firewall.red | Memory information in red | keyword |
-| fortinet.firewall.referralurl | Web filter referralurl | keyword |
-| fortinet.firewall.remote | Remote PPP IP address | ip |
-| fortinet.firewall.remotewtptime | Remote Wifi Radius authentication time | keyword |
-| fortinet.firewall.reporttype | Report type | keyword |
-| fortinet.firewall.reqtype | Request type | 
keyword |
-| fortinet.firewall.request_name | VOIP request name | keyword |
-| fortinet.firewall.result | VPN phase result | keyword |
-| fortinet.firewall.role | VPN Phase 2 role | keyword |
-| fortinet.firewall.rssi | Received signal strength indicator | integer |
-| fortinet.firewall.rsso_key | RADIUS SSO attribute value | keyword |
-| fortinet.firewall.ruledata | Rule data | keyword |
-| fortinet.firewall.ruletype | Rule type | keyword |
-| fortinet.firewall.scanned | Number of Scanned MMSs | integer |
-| fortinet.firewall.scantime | Scanned time | long |
-| fortinet.firewall.scope | FortiGuard Override Scope | keyword |
-| fortinet.firewall.security | Wireless rogue security | keyword |
-| fortinet.firewall.sensitivity | Sensitivity for document fingerprint | keyword |
-| fortinet.firewall.sensor | NAC Sensor Name | keyword |
-| fortinet.firewall.sentdelta | Sent bytes delta | keyword |
-| fortinet.firewall.seq | Sequence number | keyword |
-| fortinet.firewall.serial | WAN optimisation serial | keyword |
-| fortinet.firewall.serialno | Serial number | keyword |
-| fortinet.firewall.server | AD server FQDN or IP | keyword |
-| fortinet.firewall.session_id | Session ID | keyword |
-| fortinet.firewall.sessionid | WAD Session ID | integer |
-| fortinet.firewall.setuprate | Session Setup Rate | long |
-| fortinet.firewall.severity | Severity | keyword |
-| fortinet.firewall.shaperdroprcvdbyte | Received bytes dropped by shaper | integer |
-| fortinet.firewall.shaperdropsentbyte | Sent bytes dropped by shaper | integer |
-| fortinet.firewall.shaperperipdropbyte | Dropped bytes per IP by shaper | integer |
-| fortinet.firewall.shaperperipname | Traffic shaper name (per IP) | keyword |
-| fortinet.firewall.shaperrcvdname | Traffic shaper name for received traffic | keyword |
-| fortinet.firewall.shapersentname | Traffic shaper name for sent traffic | keyword |
-| fortinet.firewall.shapingpolicyid | Traffic shaper policy ID | integer |
-| fortinet.firewall.signal | 
Wireless rogue API signal | integer |
-| fortinet.firewall.size | Email size in bytes | long |
-| fortinet.firewall.slot | Slot number | integer |
-| fortinet.firewall.sn | Security fabric serial number | keyword |
-| fortinet.firewall.snclosest | SN of the AP closest to the rogue AP | keyword |
-| fortinet.firewall.sndetected | SN of the AP which detected the rogue AP | keyword |
-| fortinet.firewall.snmeshparent | SN of the mesh parent | keyword |
-| fortinet.firewall.spi | IPSEC SPI | keyword |
-| fortinet.firewall.src_int | Source interface | keyword |
-| fortinet.firewall.srccountry | Source country | keyword |
-| fortinet.firewall.srcfamily | Source family | keyword |
-| fortinet.firewall.srchwvendor | Source hardware vendor | keyword |
-| fortinet.firewall.srchwversion | Source hardware version | keyword |
-| fortinet.firewall.srcinetsvc | Source interface service | keyword |
-| fortinet.firewall.srcintfrole | Source interface role | keyword |
-| fortinet.firewall.srcname | Source name | keyword |
-| fortinet.firewall.srcserver | Source server | integer |
-| fortinet.firewall.srcssid | Source SSID | keyword |
-| fortinet.firewall.srcswversion | Source software version | keyword |
-| fortinet.firewall.srcuuid | Source UUID | keyword |
-| fortinet.firewall.sscname | SSC name | keyword |
-| fortinet.firewall.ssid | Base Service Set ID | keyword |
-| fortinet.firewall.sslaction | SSL Action | keyword |
-| fortinet.firewall.ssllocal | WAD SSL local | keyword |
-| fortinet.firewall.sslremote | WAD SSL remote | keyword |
-| fortinet.firewall.stacount | Number of stations/clients | integer |
-| fortinet.firewall.stage | IPSEC stage | keyword |
-| fortinet.firewall.stamac | 802.1x station mac | keyword |
-| fortinet.firewall.state | Admin login state | keyword |
-| fortinet.firewall.status | Status | keyword |
-| fortinet.firewall.stitch | Automation stitch triggered | keyword |
-| fortinet.firewall.subject | Email subject | keyword |
-| fortinet.firewall.submodule | 
Configuration Sub-Module Name | keyword |
-| fortinet.firewall.subservice | AV subservice | keyword |
-| fortinet.firewall.subtype | Log subtype | keyword |
-| fortinet.firewall.suspicious | Number of Suspicious MMSs | integer |
-| fortinet.firewall.switchproto | Protocol change information | keyword |
-| fortinet.firewall.sync_status | The sync status with the master | keyword |
-| fortinet.firewall.sync_type | The sync type with the master | keyword |
-| fortinet.firewall.sysuptime | System uptime | keyword |
-| fortinet.firewall.tamac | the MAC address of Transmitter, if none, then Receiver | keyword |
-| fortinet.firewall.threattype | WIDS threat type | keyword |
-| fortinet.firewall.time | Time of the event | keyword |
-| fortinet.firewall.to | Email to field | keyword |
-| fortinet.firewall.to_vcluster | destination virtual cluster number | integer |
-| fortinet.firewall.total | Total memory | integer |
-| fortinet.firewall.totalsession | Total Number of Sessions | integer |
-| fortinet.firewall.trace_id | Session clash trace ID | keyword |
-| fortinet.firewall.trandisp | NAT translation type | keyword |
-| fortinet.firewall.transid | HTTP transaction ID | integer |
-| fortinet.firewall.translationid | DNS filter transaltion ID | keyword |
-| fortinet.firewall.trigger | Automation stitch trigger | keyword |
-| fortinet.firewall.trueclntip | File filter true client IP | ip |
-| fortinet.firewall.tunnelid | IPSEC tunnel ID | integer |
-| fortinet.firewall.tunnelip | IPSEC tunnel IP | ip |
-| fortinet.firewall.tunneltype | IPSEC tunnel type | keyword |
-| fortinet.firewall.type | Module type | keyword |
-| fortinet.firewall.ui | Admin authentication UI type | keyword |
-| fortinet.firewall.unauthusersource | Unauthenticated user source | keyword |
-| fortinet.firewall.unit | Power supply unit | integer |
-| fortinet.firewall.urlfilteridx | URL filter ID | integer |
-| fortinet.firewall.urlfilterlist | URL filter list | keyword |
-| fortinet.firewall.urlsource | 
URL filter source | keyword |
-| fortinet.firewall.urltype | URL filter type | keyword |
-| fortinet.firewall.used | Number of Used IPs | integer |
-| fortinet.firewall.used_for_type | Connection for the type | integer |
-| fortinet.firewall.utmaction | Security action performed by UTM | keyword |
-| fortinet.firewall.vap | Virtual AP | keyword |
-| fortinet.firewall.vapmode | Virtual AP mode | keyword |
-| fortinet.firewall.vcluster | virtual cluster id | integer |
-| fortinet.firewall.vcluster_member | Virtual cluster member | integer |
-| fortinet.firewall.vcluster_state | Virtual cluster state | keyword |
-| fortinet.firewall.vd | Virtual Domain Name | keyword |
-| fortinet.firewall.vdname | Virtual Domain Name | keyword |
-| fortinet.firewall.vendorurl | Vulnerability scan vendor name | keyword |
-| fortinet.firewall.version | Version | keyword |
-| fortinet.firewall.vip | Virtual IP | keyword |
-| fortinet.firewall.virus | Virus name | keyword |
-| fortinet.firewall.virusid | Virus ID (unique virus identifier) | integer |
-| fortinet.firewall.voip_proto | VOIP protocol | keyword |
-| fortinet.firewall.vpn | VPN description | keyword |
-| fortinet.firewall.vpntunnel | IPsec Vpn Tunnel Name | keyword |
-| fortinet.firewall.vpntype | The type of the VPN tunnel | keyword |
-| fortinet.firewall.vrf | VRF number | integer |
-| fortinet.firewall.vulncat | Vulnerability Category | keyword |
-| fortinet.firewall.vulnid | Vulnerability ID | integer |
-| fortinet.firewall.vulnname | Vulnerability name | keyword |
-| fortinet.firewall.vwlid | VWL ID | integer |
-| fortinet.firewall.vwlquality | VWL quality | keyword |
-| fortinet.firewall.vwlservice | VWL service | keyword |
-| fortinet.firewall.vwpvlanid | VWP VLAN ID | integer |
-| fortinet.firewall.wanin | WAN incoming traffic in bytes | long |
-| fortinet.firewall.wanoptapptype | WAN Optimization Application type | keyword |
-| fortinet.firewall.wanout | WAN outgoing traffic in bytes | long |
-| 
fortinet.firewall.weakwepiv | Weak Wep Initiation Vector | keyword |
-| fortinet.firewall.xauthgroup | XAuth Group Name | keyword |
-| fortinet.firewall.xauthuser | XAuth User Name | keyword |
-| fortinet.firewall.xid | Wireless X ID | integer |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. 
| keyword |
-| input.type | Type of Filebeat input. | keyword |
-| log.file.path | Path to the log file. | keyword |
-| log.flags | Flags for the log file. | keyword |
-| log.level | Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). Some examples are `warn`, `err`, `i`, `informational`. | keyword |
-| log.offset | Offset of the entry in the log file. | long |
-| log.source.address | Source address from which the log event was read / sent from. | keyword |
-| log.syslog.facility.code | The Syslog numeric facility of the log event, if available. According to RFCs 5424 and 3164, this value should be an integer between 0 and 23. | long |
-| log.syslog.priority | Syslog numeric priority of the event, if available. According to RFCs 5424 and 3164, the priority is 8 \* facility + severity. This number is therefore expected to contain a value between 0 and 191. | long |
-| log.syslog.severity.code | The Syslog numeric severity of the log event, if available. If the event source publishing via Syslog provides a different numeric severity value (e.g. firewall, IDS), your source's numeric severity should go to `event.severity`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `event.severity`. | long |
-| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. 
| match_only_text |
-| network.application | When a specific application or service is identified from network connection details (source/dest IPs, ports, certificates, or wire format), this field captures the application's or service's name. For example, the original event identifies the network connection being from a specific web service in a `https` network connection, like `facebook` or `twitter`. The field value must be normalized to lowercase for querying. | keyword |
-| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long |
-| network.direction | Direction of the network traffic. Recommended values are: \* ingress \* egress \* inbound \* outbound \* internal \* external \* unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword |
-| network.iana_number | IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. | keyword |
-| network.packets | Total packets transferred in both directions. If `source.packets` and `destination.packets` are known, `network.packets` is their sum. | long |
-| network.protocol | In the OSI Model this would be the Application Layer protocol. 
For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword |
-| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword |
-| observer.egress.interface.name | Interface name as reported by the system. | keyword |
-| observer.ingress.interface.name | Interface name as reported by the system. | keyword |
-| observer.name | Custom name of the observer. This is a name that can be given to an observer. This can be helpful for example if multiple firewalls of the same model are used in an organization. If no custom name is needed, the field can be left empty. | keyword |
-| observer.product | The product name of the observer. | keyword |
-| observer.serial_number | Observer serial number. | keyword |
-| observer.type | The type of the observer the data is coming from. There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. | keyword |
-| observer.vendor | Vendor name of the observer. | keyword |
-| related.hash | All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). | keyword |
-| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword |
-| related.ip | All of the IPs seen on your event. | ip |
-| related.user | All the user names or other user identifiers seen on the event. | keyword |
-| rule.category | A categorization value keyword used by the entity using the rule for detection of this event. | keyword |
-| rule.description | The description of the rule generating the event. 
| keyword |
-| rule.id | A rule ID that is unique within the scope of an agent, observer, or other entity using the rule for detection of this event. | keyword |
-| rule.name | The name of the rule or signature generating the event. | keyword |
-| rule.ruleset | Name of the ruleset, policy, group, or parent category in which the rule used to generate this event is a member. | keyword |
-| rule.uuid | A rule ID that is unique within the scope of a set or group of agents, observers, or other entities using the rule for detection of this event. | keyword |
-| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
-| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long |
-| source.as.organization.name | Organization name. | keyword |
-| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text |
-| source.bytes | Bytes sent from the source to the destination. | long |
-| source.geo.city_name | City name. | keyword |
-| source.geo.continent_name | Name of the continent. | keyword |
-| source.geo.country_iso_code | Country ISO code. | keyword |
-| source.geo.country_name | Country name. | keyword |
-| source.geo.location | Longitude and latitude. | geo_point |
-| source.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword |
-| source.geo.region_iso_code | Region ISO code. | keyword |
-| source.geo.region_name | Region name. 
| keyword |
-| source.ip | IP address of the source (IPv4 or IPv6). | ip |
-| source.mac | MAC address of the source. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword |
-| source.nat.ip | Translated ip of source based NAT sessions (e.g. internal client to internet) Typically connections traversing load balancers, firewalls, or routers. | ip |
-| source.nat.port | Translated port of source based NAT sessions. (e.g. internal client to internet) Typically used with load balancers, firewalls, or routers. | long |
-| source.packets | Packets sent from the source to the destination. | long |
-| source.port | Port of the source. | long |
-| source.user.email | User email address. | keyword |
-| source.user.group.name | Name of the group. | keyword |
-| source.user.name | Short name or login of the user. | keyword |
-| source.user.name.text | Multi-field of `source.user.name`. | match_only_text |
-| tags | List of keywords used to tag each event. | keyword |
-| tls.client.issuer | Distinguished name of subject of the issuer of the x.509 certificate presented by the client. | keyword |
-| tls.client.server_name | Also called an SNI, this tells the server which hostname to which the client is attempting to connect to. When this value is available, it should get copied to `destination.domain`. | keyword |
-| tls.client.x509.issuer.common_name | List of common name (CN) of issuing certificate authority. | keyword |
-| tls.server.issuer | Subject of the issuer of the x.509 certificate presented by the server. | keyword |
-| tls.server.x509.issuer.common_name | List of common name (CN) of issuing certificate authority. | keyword |
-| tls.server.x509.subject.common_name | List of common names (CN) of subject. | keyword |
-| url.domain | Domain of the url, such as "www.elastic.co". 
In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. | keyword |
-| url.path | Path of the request, such as "/search". | wildcard |
-| user_agent.original | Unparsed user_agent string. | keyword |
-| user_agent.original.text | Multi-field of `user_agent.original`. | match_only_text |
-| vulnerability.category | The type of system or architecture that the vulnerability affects. These may be platform-specific (for example, Debian or SUSE) or general (for example, Database or Firewall). For example (https://qualysguard.qualys.com/qwebhelp/fo_portal/knowledgebase/vulnerability_categories.htm[Qualys vulnerability categories]) This field must be an array. | keyword |
diff --git a/packages/fortinet_fortigate/1.2.1/img/dashboard.png b/packages/fortinet_fortigate/1.2.1/img/dashboard.png
deleted file mode 100755
index 268a29bd0e..0000000000
Binary files a/packages/fortinet_fortigate/1.2.1/img/dashboard.png and /dev/null differ
diff --git a/packages/fortinet_fortigate/1.2.1/img/fortinet-logo.svg b/packages/fortinet_fortigate/1.2.1/img/fortinet-logo.svg
deleted file mode 100755
index d6a8448f32..0000000000
--- a/packages/fortinet_fortigate/1.2.1/img/fortinet-logo.svg
+++ /dev/null
@@ -1,9 +0,0 @@
- - - - - - - - - 
diff --git a/packages/fortinet_fortigate/1.2.1/kibana/dashboard/fortinet_fortigate-d0cd8230-0c8b-11ed-bb95-158df2ca77e4.json b/packages/fortinet_fortigate/1.2.1/kibana/dashboard/fortinet_fortigate-d0cd8230-0c8b-11ed-bb95-158df2ca77e4.json
deleted file mode 100755
index 7ea26c928a..0000000000
--- a/packages/fortinet_fortigate/1.2.1/kibana/dashboard/fortinet_fortigate-d0cd8230-0c8b-11ed-bb95-158df2ca77e4.json
+++ /dev/null 
@@ -1,143 +0,0 @@ -{ - "attributes": { - "controlGroupInput": { - "chainingSystem": "NONE", - "controlStyle": "oneLine", - "ignoreParentSettingsJSON": "{\"ignoreFilters\":false,\"ignoreQuery\":false,\"ignoreTimerange\":false,\"ignoreValidations\":false}", - "panelsJSON": "{\"eb2ef977-0de8-4bd4-a936-8bd25a74543c\":{\"order\":1,\"width\":\"medium\",\"grow\":true,\"type\":\"optionsListControl\",\"explicitInput\":{\"fieldName\":\"event.category\",\"title\":\"Event Category\",\"id\":\"eb2ef977-0de8-4bd4-a936-8bd25a74543c\",\"enhancements\":{}}},\"cfa74479-5cd8-48b4-b302-86302d5cc8a6\":{\"order\":2,\"width\":\"medium\",\"grow\":true,\"type\":\"optionsListControl\",\"explicitInput\":{\"fieldName\":\"event.outcome\",\"title\":\"Event Outcome\",\"id\":\"cfa74479-5cd8-48b4-b302-86302d5cc8a6\",\"enhancements\":{}}},\"ee56c2d4-3f4e-4914-bc04-74a600f57188\":{\"order\":4,\"width\":\"medium\",\"grow\":true,\"type\":\"optionsListControl\",\"explicitInput\":{\"fieldName\":\"log.level\",\"title\":\"Fortinet Log Level\",\"id\":\"ee56c2d4-3f4e-4914-bc04-74a600f57188\",\"enhancements\":{},\"selectedOptions\":[]}},\"ad683801-15c1-4243-a870-c533cf32c7e3\":{\"order\":3,\"width\":\"medium\",\"grow\":true,\"type\":\"optionsListControl\",\"explicitInput\":{\"title\":\"Event Action\",\"fieldName\":\"event.action\",\"selectedOptions\":[],\"id\":\"ad683801-15c1-4243-a870-c533cf32c7e3\",\"enhancements\":{}}},\"c66d9124-057b-40aa-bc0a-fab5624ed285\":{\"order\":0,\"width\":\"medium\",\"grow\":true,\"type\":\"optionsListControl\",\"explicitInput\":{\"fieldName\":\"fortinet.firewall.type\",\"title\":\"Firewall Operation Type\",\"id\":\"c66d9124-057b-40aa-bc0a-fab5624ed285\",\"selectedOptions\":[],\"enhancements\":{}}}}" - }, - "description": "Overview of Fortinet FortiGate firewall events", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": 
"{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"fortinet_fortigate.log\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"fortinet_fortigate.log\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"syncTooltips\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-3315c7ab-9184-4bc2-8d29-bfa4f03c0357\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"3315c7ab-9184-4bc2-8d29-bfa4f03c0357\":{\"columnOrder\":[\"e5f0842d-128d-4718-9d9d-3fd543f0d8e3\",\"098c8c66-e7b7-4877-8ede-e69c2ab79d08\"],\"columns\":{\"098c8c66-e7b7-4877-8ede-e69c2ab79d08\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"params\":{\"emptyAsNull\":true},\"scale\":\"ratio\",\"sourceField\":\"___records___\"},\"e5f0842d-128d-4718-9d9d-3fd543f0d8e3\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top 5 values of 
event.category\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"098c8c66-e7b7-4877-8ede-e69c2ab79d08\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"event.category\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"e5f0842d-128d-4718-9d9d-3fd543f0d8e3\"],\"layerId\":\"3315c7ab-9184-4bc2-8d29-bfa4f03c0357\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"098c8c66-e7b7-4877-8ede-e69c2ab79d08\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"treemap\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":7,\"i\":\"aef92dcc-7959-4c94-90ef-373478d28419\",\"w\":12,\"x\":0,\"y\":0},\"panelIndex\":\"aef92dcc-7959-4c94-90ef-373478d28419\",\"title\":\"Event Category\",\"type\":\"lens\",\"version\":\"8.3.2\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-3315c7ab-9184-4bc2-8d29-bfa4f03c0357\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"3315c7ab-9184-4bc2-8d29-bfa4f03c0357\":{\"columnOrder\":[\"e5f0842d-128d-4718-9d9d-3fd543f0d8e3\",\"098c8c66-e7b7-4877-8ede-e69c2ab79d08\"],\"columns\":{\"098c8c66-e7b7-4877-8ede-e69c2ab79d08\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"params\":{\"emptyAsNull\":true},\"scale\":\"ratio\",\"sourceField\":\"___records___\"},\"e5f0842d-128d-4718-9d9d-3fd543f0d8e3\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top 5 values of 
event.outcome\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"098c8c66-e7b7-4877-8ede-e69c2ab79d08\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"secondaryFields\":[],\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"event.outcome\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"e5f0842d-128d-4718-9d9d-3fd543f0d8e3\"],\"layerId\":\"3315c7ab-9184-4bc2-8d29-bfa4f03c0357\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"098c8c66-e7b7-4877-8ede-e69c2ab79d08\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"treemap\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":7,\"i\":\"53ff2f86-bf06-4677-92d2-067155f609f3\",\"w\":12,\"x\":12,\"y\":0},\"panelIndex\":\"53ff2f86-bf06-4677-92d2-067155f609f3\",\"title\":\"Event Outcome\",\"type\":\"lens\",\"version\":\"8.3.2\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-3315c7ab-9184-4bc2-8d29-bfa4f03c0357\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"3315c7ab-9184-4bc2-8d29-bfa4f03c0357\":{\"columnOrder\":[\"e5f0842d-128d-4718-9d9d-3fd543f0d8e3\",\"098c8c66-e7b7-4877-8ede-e69c2ab79d08\"],\"columns\":{\"098c8c66-e7b7-4877-8ede-e69c2ab79d08\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"params\":{\"emptyAsNull\":true},\"scale\":\"ratio\",\"sourceField\":\"___records___\"},\"e5f0842d-128d-4718-9d9d-3fd543f0d8e3\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top 10 values of 
event.action\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"098c8c66-e7b7-4877-8ede-e69c2ab79d08\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"secondaryFields\":[],\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"event.action\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"e5f0842d-128d-4718-9d9d-3fd543f0d8e3\"],\"layerId\":\"3315c7ab-9184-4bc2-8d29-bfa4f03c0357\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"098c8c66-e7b7-4877-8ede-e69c2ab79d08\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"treemap\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":7,\"i\":\"b3871313-73e1-4197-af66-2ff82506fafd\",\"w\":12,\"x\":24,\"y\":0},\"panelIndex\":\"b3871313-73e1-4197-af66-2ff82506fafd\",\"title\":\"Fortinet Log Level\",\"type\":\"lens\",\"version\":\"8.3.2\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-3315c7ab-9184-4bc2-8d29-bfa4f03c0357\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"3315c7ab-9184-4bc2-8d29-bfa4f03c0357\":{\"columnOrder\":[\"e5f0842d-128d-4718-9d9d-3fd543f0d8e3\",\"098c8c66-e7b7-4877-8ede-e69c2ab79d08\"],\"columns\":{\"098c8c66-e7b7-4877-8ede-e69c2ab79d08\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"params\":{\"emptyAsNull\":true},\"scale\":\"ratio\",\"sourceField\":\"___records___\"},\"e5f0842d-128d-4718-9d9d-3fd543f0d8e3\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top 10 values of 
log.level\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"098c8c66-e7b7-4877-8ede-e69c2ab79d08\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"secondaryFields\":[],\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"log.level\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"e5f0842d-128d-4718-9d9d-3fd543f0d8e3\"],\"layerId\":\"3315c7ab-9184-4bc2-8d29-bfa4f03c0357\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"098c8c66-e7b7-4877-8ede-e69c2ab79d08\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"treemap\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":7,\"i\":\"941798ef-1ae4-4ebe-8867-a17eb8b1a4b9\",\"w\":12,\"x\":36,\"y\":0},\"panelIndex\":\"941798ef-1ae4-4ebe-8867-a17eb8b1a4b9\",\"title\":\"Fortinet Log Level\",\"type\":\"lens\",\"version\":\"8.3.2\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-3315c7ab-9184-4bc2-8d29-bfa4f03c0357\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"3315c7ab-9184-4bc2-8d29-bfa4f03c0357\":{\"columnOrder\":[\"e5f0842d-128d-4718-9d9d-3fd543f0d8e3\",\"098c8c66-e7b7-4877-8ede-e69c2ab79d08\"],\"columns\":{\"098c8c66-e7b7-4877-8ede-e69c2ab79d08\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"params\":{\"emptyAsNull\":true},\"scale\":\"ratio\",\"sourceField\":\"___records___\"},\"e5f0842d-128d-4718-9d9d-3fd543f0d8e3\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top 5 values of 
network.direction\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"098c8c66-e7b7-4877-8ede-e69c2ab79d08\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"secondaryFields\":[],\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"network.direction\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"e5f0842d-128d-4718-9d9d-3fd543f0d8e3\"],\"layerId\":\"3315c7ab-9184-4bc2-8d29-bfa4f03c0357\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"098c8c66-e7b7-4877-8ede-e69c2ab79d08\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"treemap\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":7,\"i\":\"f20139de-a0eb-463f-a9c8-183dce76b3fa\",\"w\":12,\"x\":0,\"y\":7},\"panelIndex\":\"f20139de-a0eb-463f-a9c8-183dce76b3fa\",\"title\":\"Network Direction\",\"type\":\"lens\",\"version\":\"8.3.2\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-3315c7ab-9184-4bc2-8d29-bfa4f03c0357\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"3315c7ab-9184-4bc2-8d29-bfa4f03c0357\":{\"columnOrder\":[\"e5f0842d-128d-4718-9d9d-3fd543f0d8e3\",\"098c8c66-e7b7-4877-8ede-e69c2ab79d08\"],\"columns\":{\"098c8c66-e7b7-4877-8ede-e69c2ab79d08\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"params\":{\"emptyAsNull\":true},\"scale\":\"ratio\",\"sourceField\":\"___records___\"},\"e5f0842d-128d-4718-9d9d-3fd543f0d8e3\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top 5 values of 
network.transport\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"098c8c66-e7b7-4877-8ede-e69c2ab79d08\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"secondaryFields\":[],\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"network.transport\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"e5f0842d-128d-4718-9d9d-3fd543f0d8e3\"],\"layerId\":\"3315c7ab-9184-4bc2-8d29-bfa4f03c0357\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"098c8c66-e7b7-4877-8ede-e69c2ab79d08\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"treemap\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":7,\"i\":\"14f2d7bc-a79b-4917-a0a3-9656891cc0d8\",\"w\":12,\"x\":12,\"y\":7},\"panelIndex\":\"14f2d7bc-a79b-4917-a0a3-9656891cc0d8\",\"title\":\"Network Transport\",\"type\":\"lens\",\"version\":\"8.3.2\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-3315c7ab-9184-4bc2-8d29-bfa4f03c0357\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"3315c7ab-9184-4bc2-8d29-bfa4f03c0357\":{\"columnOrder\":[\"e5f0842d-128d-4718-9d9d-3fd543f0d8e3\",\"098c8c66-e7b7-4877-8ede-e69c2ab79d08\"],\"columns\":{\"098c8c66-e7b7-4877-8ede-e69c2ab79d08\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"params\":{\"emptyAsNull\":true},\"scale\":\"ratio\",\"sourceField\":\"___records___\"},\"e5f0842d-128d-4718-9d9d-3fd543f0d8e3\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":true,\"label\":\"Syslog 
Severity\",\"operationType\":\"range\",\"params\":{\"includeEmptyRows\":true,\"maxBars\":\"auto\",\"ranges\":[{\"from\":0,\"label\":\"\",\"to\":1000}],\"type\":\"histogram\"},\"scale\":\"interval\",\"sourceField\":\"log.syslog.severity.code\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"axisTitlesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"fittingFunction\":\"None\",\"gridlinesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"layers\":[{\"accessors\":[\"098c8c66-e7b7-4877-8ede-e69c2ab79d08\"],\"layerId\":\"3315c7ab-9184-4bc2-8d29-bfa4f03c0357\",\"layerType\":\"data\",\"seriesType\":\"bar_stacked\",\"xAccessor\":\"e5f0842d-128d-4718-9d9d-3fd543f0d8e3\"}],\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"preferredSeriesType\":\"bar_stacked\",\"tickLabelsVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"valueLabels\":\"hide\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsXY\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":7,\"i\":\"85b98bdc-73a7-4032-aef1-91921b5235ce\",\"w\":12,\"x\":36,\"y\":7},\"panelIndex\":\"85b98bdc-73a7-4032-aef1-91921b5235ce\",\"title\":\"Syslog Severities\",\"type\":\"lens\",\"version\":\"8.3.2\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-3315c7ab-9184-4bc2-8d29-bfa4f03c0357\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"3315c7ab-9184-4bc2-8d29-bfa4f03c0357\":{\"columnOrder\":[\"e5f0842d-128d-4718-9d9d-3fd543f0d8e3\",\"098c8c66-e7b7-4877-8ede-e69c2ab79d08\"],\"columns\":{\"098c8c66-e7b7-4877-8ede-e69c2ab79d08\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of 
records\",\"operationType\":\"count\",\"params\":{\"emptyAsNull\":true},\"scale\":\"ratio\",\"sourceField\":\"___records___\"},\"e5f0842d-128d-4718-9d9d-3fd543f0d8e3\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":true,\"label\":\"Event Duration\",\"operationType\":\"range\",\"params\":{\"includeEmptyRows\":true,\"maxBars\":\"auto\",\"ranges\":[{\"from\":0,\"label\":\"\",\"to\":1000}],\"type\":\"histogram\"},\"scale\":\"interval\",\"sourceField\":\"event.duration\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"axisTitlesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"fittingFunction\":\"None\",\"gridlinesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"layers\":[{\"accessors\":[\"098c8c66-e7b7-4877-8ede-e69c2ab79d08\"],\"layerId\":\"3315c7ab-9184-4bc2-8d29-bfa4f03c0357\",\"layerType\":\"data\",\"seriesType\":\"bar_stacked\",\"xAccessor\":\"e5f0842d-128d-4718-9d9d-3fd543f0d8e3\"}],\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"preferredSeriesType\":\"bar_stacked\",\"tickLabelsVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"valueLabels\":\"hide\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsXY\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":7,\"i\":\"3652abe3-b251-4cc0-a014-a81bbe764d33\",\"w\":12,\"x\":24,\"y\":7},\"panelIndex\":\"3652abe3-b251-4cc0-a014-a81bbe764d33\",\"title\":\"Event 
Duration\",\"type\":\"lens\",\"version\":\"8.3.2\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-2573c22c-9787-4385-a01b-779b948ee617\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"2573c22c-9787-4385-a01b-779b948ee617\":{\"columnOrder\":[\"2ae7b9f4-59a0-4614-970e-b9e0aa0f8979\",\"d18fd8ee-eba8-421c-ae32-a71f7e414f3f\"],\"columns\":{\"2ae7b9f4-59a0-4614-970e-b9e0aa0f8979\":{\"dataType\":\"date\",\"isBucketed\":true,\"label\":\"@timestamp\",\"operationType\":\"date_histogram\",\"params\":{\"dropPartials\":false,\"includeEmptyRows\":true,\"interval\":\"auto\"},\"scale\":\"interval\",\"sourceField\":\"@timestamp\"},\"d18fd8ee-eba8-421c-ae32-a71f7e414f3f\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"params\":{\"emptyAsNull\":true},\"scale\":\"ratio\",\"sourceField\":\"___records___\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"axisTitlesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"fittingFunction\":\"None\",\"gridlinesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"layers\":[{\"accessors\":[\"d18fd8ee-eba8-421c-ae32-a71f7e414f3f\"],\"layerId\":\"2573c22c-9787-4385-a01b-779b948ee617\",\"layerType\":\"data\",\"position\":\"top\",\"seriesType\":\"line\",\"showGridlines\":false,\"xAccessor\":\"2ae7b9f4-59a0-4614-970e-b9e0aa0f8979\"}],\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"preferredSeriesType\":\"line\",\"tickLabelsVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"valueLabels\":\"hide\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsXY\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":12,\"i\":\"c284fd4a-cd25-4fe3-8124-f2458aed0257\",\"w\":48,\"x\":0,\"y\":14},
\"panelIndex\":\"c284fd4a-cd25-4fe3-8124-f2458aed0257\",\"title\":\"Requests Over Time\",\"type\":\"lens\",\"version\":\"8.3.2\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-64b9d1d0-7503-4967-849c-be0201d51ac1\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"64b9d1d0-7503-4967-849c-be0201d51ac1\":{\"columnOrder\":[\"e4b7b011-b2e7-41bf-895d-11b402493f26\",\"ed019e2d-fc96-4301-bf59-c2330c54b2f7\"],\"columns\":{\"e4b7b011-b2e7-41bf-895d-11b402493f26\":{\"dataType\":\"date\",\"isBucketed\":true,\"label\":\"@timestamp\",\"operationType\":\"date_histogram\",\"params\":{\"dropPartials\":false,\"includeEmptyRows\":true,\"interval\":\"auto\"},\"scale\":\"interval\",\"sourceField\":\"@timestamp\"},\"ed019e2d-fc96-4301-bf59-c2330c54b2f7\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Median of network.bytes\",\"operationType\":\"median\",\"params\":{\"emptyAsNull\":true},\"scale\":\"ratio\",\"sourceField\":\"network.bytes\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"axisTitlesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"fittingFunction\":\"None\",\"gridlinesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"layers\":[{\"accessors\":[\"ed019e2d-fc96-4301-bf59-c2330c54b2f7\"],\"layerId\":\"64b9d1d0-7503-4967-849c-be0201d51ac1\",\"layerType\":\"data\",\"position\":\"top\",\"seriesType\":\"line\",\"showGridlines\":false,\"xAccessor\":\"e4b7b011-b2e7-41bf-895d-11b402493f26\"}],\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"preferredSeriesType\":\"line\",\"tickLabelsVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"valueLabels\":\"hide\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsXY\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\
":{\"h\":12,\"i\":\"58884a18-ec0a-46f1-bf37-de86aba407ad\",\"w\":48,\"x\":0,\"y\":26},\"panelIndex\":\"58884a18-ec0a-46f1-bf37-de86aba407ad\",\"title\":\"Network Bytes Over Time\",\"type\":\"lens\",\"version\":\"8.3.2\"},{\"embeddableConfig\":{\"attributes\":{\"description\":\"\",\"layerListJSON\":\"[{\\\"locale\\\":\\\"autoselect\\\",\\\"sourceDescriptor\\\":{\\\"type\\\":\\\"EMS_TMS\\\",\\\"isAutoSelect\\\":true,\\\"lightModeDefault\\\":\\\"road_map_desaturated\\\"},\\\"id\\\":\\\"639d6137-90ec-4d57-8478-e509f53ce69d\\\",\\\"label\\\":null,\\\"minZoom\\\":0,\\\"maxZoom\\\":24,\\\"alpha\\\":1,\\\"visible\\\":true,\\\"style\\\":{\\\"type\\\":\\\"TILE\\\"},\\\"includeInFitToBounds\\\":true,\\\"type\\\":\\\"EMS_VECTOR_TILE\\\"},{\\\"sourceDescriptor\\\":{\\\"sourceGeoField\\\":\\\"source.geo.location\\\",\\\"destGeoField\\\":\\\"destination.geo.location\\\",\\\"id\\\":\\\"1eb41e3c-4868-4a02-a274-7e2d0c99395d\\\",\\\"type\\\":\\\"ES_PEW_PEW\\\",\\\"applyGlobalQuery\\\":true,\\\"applyGlobalTime\\\":true,\\\"applyForceRefresh\\\":true,\\\"metrics\\\":[{\\\"type\\\":\\\"count\\\"}],\\\"indexPatternRefName\\\":\\\"layer_1_source_index_pattern\\\"},\\\"style\\\":{\\\"type\\\":\\\"VECTOR\\\",\\\"properties\\\":{\\\"icon\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"value\\\":\\\"marker\\\"}},\\\"fillColor\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"color\\\":\\\"#54B399\\\"}},\\\"lineColor\\\":{\\\"type\\\":\\\"DYNAMIC\\\",\\\"options\\\":{\\\"color\\\":\\\"Blues\\\",\\\"colorCategory\\\":\\\"palette_0\\\",\\\"field\\\":{\\\"name\\\":\\\"doc_count\\\",\\\"origin\\\":\\\"source\\\"},\\\"fieldMetaOptions\\\":{\\\"isEnabled\\\":true,\\\"sigma\\\":3}}},\\\"lineWidth\\\":{\\\"type\\\":\\\"DYNAMIC\\\",\\\"options\\\":{\\\"minSize\\\":1,\\\"maxSize\\\":10,\\\"field\\\":{\\\"name\\\":\\\"doc_count\\\",\\\"origin\\\":\\\"source\\\"},\\\"fieldMetaOptions\\\":{\\\"isEnabled\\\":true,\\\"sigma\\\":3}}},\\\"iconSize\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"
size\\\":6}},\\\"iconOrientation\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"orientation\\\":0}},\\\"labelText\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"value\\\":\\\"\\\"}},\\\"labelColor\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"color\\\":\\\"#000000\\\"}},\\\"labelSize\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"size\\\":14}},\\\"labelBorderColor\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"color\\\":\\\"#FFFFFF\\\"}},\\\"symbolizeAs\\\":{\\\"options\\\":{\\\"value\\\":\\\"circle\\\"}},\\\"labelBorderSize\\\":{\\\"options\\\":{\\\"size\\\":\\\"SMALL\\\"}}},\\\"isTimeAware\\\":true},\\\"id\\\":\\\"849d4635-b0b9-48e8-a55e-2af1ad03cdc6\\\",\\\"label\\\":null,\\\"minZoom\\\":0,\\\"maxZoom\\\":24,\\\"alpha\\\":0.75,\\\"visible\\\":true,\\\"includeInFitToBounds\\\":true,\\\"type\\\":\\\"GEOJSON_VECTOR\\\",\\\"joins\\\":[]},{\\\"sourceDescriptor\\\":{\\\"geoField\\\":\\\"destination.geo.location\\\",\\\"requestType\\\":\\\"heatmap\\\",\\\"resolution\\\":\\\"MOST_FINE\\\",\\\"id\\\":\\\"2324e246-cacb-44b6-9b5d-adfe78680a50\\\",\\\"type\\\":\\\"ES_GEO_GRID\\\",\\\"applyGlobalQuery\\\":true,\\\"applyGlobalTime\\\":true,\\\"applyForceRefresh\\\":true,\\\"metrics\\\":[{\\\"type\\\":\\\"count\\\",\\\"label\\\":\\\"\\\"}],\\\"indexPatternRefName\\\":\\\"layer_2_source_index_pattern\\\"},\\\"id\\\":\\\"8bcd1ead-bbd9-4e7f-8764-0042c69a815a\\\",\\\"label\\\":\\\"Destination 
Location\\\",\\\"minZoom\\\":0,\\\"maxZoom\\\":24,\\\"alpha\\\":0.75,\\\"visible\\\":true,\\\"style\\\":{\\\"type\\\":\\\"HEATMAP\\\",\\\"colorRampName\\\":\\\"Blues\\\"},\\\"includeInFitToBounds\\\":true,\\\"type\\\":\\\"HEATMAP\\\"},{\\\"sourceDescriptor\\\":{\\\"geoField\\\":\\\"source.geo.location\\\",\\\"requestType\\\":\\\"heatmap\\\",\\\"resolution\\\":\\\"MOST_FINE\\\",\\\"id\\\":\\\"89afbedd-118f-4a04-9015-57165b9b84dd\\\",\\\"type\\\":\\\"ES_GEO_GRID\\\",\\\"applyGlobalQuery\\\":true,\\\"applyGlobalTime\\\":true,\\\"applyForceRefresh\\\":true,\\\"metrics\\\":[{\\\"type\\\":\\\"count\\\"}],\\\"indexPatternRefName\\\":\\\"layer_3_source_index_pattern\\\"},\\\"id\\\":\\\"1c35d621-57d9-48b9-afa9-9755aae6c1ac\\\",\\\"label\\\":\\\"Source Location\\\",\\\"minZoom\\\":0,\\\"maxZoom\\\":24,\\\"alpha\\\":0.75,\\\"visible\\\":true,\\\"style\\\":{\\\"type\\\":\\\"HEATMAP\\\",\\\"colorRampName\\\":\\\"Yellow to Red\\\"},\\\"includeInFitToBounds\\\":true,\\\"type\\\":\\\"HEATMAP\\\"}]\",\"mapStateJSON\":\"{\\\"zoom\\\":1.64,\\\"center\\\":{\\\"lon\\\":90.00001,\\\"lat\\\":0},\\\"timeFilters\\\":{\\\"from\\\":\\\"now-7d\\\",\\\"to\\\":\\\"now\\\"},\\\"refreshConfig\\\":{\\\"isPaused\\\":true,\\\"interval\\\":0},\\\"query\\\":{\\\"query\\\":\\\"\\\",\\\"language\\\":\\\"kuery\\\"},\\\"filters\\\":[],\\\"settings\\\":{\\\"autoFitToDataBounds\\\":false,\\\"backgroundColor\\\":\\\"#ffffff\\\",\\\"customIcons\\\":[],\\\"disableInteractive\\\":false,\\\"disableTooltipControl\\\":false,\\\"hideToolbarOverlay\\\":false,\\\"hideLayerControl\\\":false,\\\"hideViewControl\\\":false,\\\"initialLocation\\\":\\\"LAST_SAVED_LOCATION\\\",\\\"fixedLocation\\\":{\\\"lat\\\":0,\\\"lon\\\":0,\\\"zoom\\\":2},\\\"browserLocation\\\":{\\\"zoom\\\":2},\\\"maxZoom\\\":24,\\\"minZoom\\\":0,\\\"showScaleControl\\\":false,\\\"showSpatialFilters\\\":true,\\\"showTimesliderToggleButton\\\":true,\\\"spatialFiltersAlpa\\\":0.3,\\\"spatialFiltersFillColor\\\":\\\"#DA8B45\\\",\\\"spatialFiltersLineColor
\\\":\\\"#DA8B45\\\"}}\",\"title\":\"\",\"uiStateJSON\":\"{\\\"isLayerTOCOpen\\\":true,\\\"openTOCDetails\\\":[]}\"},\"enhancements\":{},\"hiddenLayers\":[],\"hidePanelTitles\":false,\"isLayerTOCOpen\":false,\"mapBuffer\":{\"maxLat\":89.78601,\"maxLon\":360,\"minLat\":-89.78601,\"minLon\":-180},\"mapCenter\":{\"lat\":0,\"lon\":90.00001,\"zoom\":0.38},\"openTOCDetails\":[]},\"gridData\":{\"h\":25,\"i\":\"3559260b-1b7d-4053-b958-d6eb5f4e839e\",\"w\":24,\"x\":0,\"y\":38},\"panelIndex\":\"3559260b-1b7d-4053-b958-d6eb5f4e839e\",\"title\":\"Connections\",\"type\":\"map\",\"version\":\"8.3.2\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-3b509c65-21ea-4bc9-98ac-38f059b301f9\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"3b509c65-21ea-4bc9-98ac-38f059b301f9\":{\"columnOrder\":[\"d5104737-a960-4de0-950e-d33e797f9346\",\"f14b52f5-b58b-4cac-8878-20f877e4724e\"],\"columns\":{\"d5104737-a960-4de0-950e-d33e797f9346\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top 10 values of source.geo.country_name\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"f14b52f5-b58b-4cac-8878-20f877e4724e\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"secondaryFields\":[],\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"source.geo.country_name\"},\"f14b52f5-b58b-4cac-8878-20f877e4724e\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of 
records\",\"operationType\":\"count\",\"params\":{\"emptyAsNull\":true},\"scale\":\"ratio\",\"sourceField\":\"___records___\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"d5104737-a960-4de0-950e-d33e797f9346\"],\"layerId\":\"3b509c65-21ea-4bc9-98ac-38f059b301f9\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"f14b52f5-b58b-4cac-8878-20f877e4724e\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"treemap\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":13,\"i\":\"9eb208d4-f6d7-468a-b558-a98ecc64e262\",\"w\":12,\"x\":24,\"y\":38},\"panelIndex\":\"9eb208d4-f6d7-468a-b558-a98ecc64e262\",\"title\":\"Source Country\",\"type\":\"lens\",\"version\":\"8.3.2\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-3b509c65-21ea-4bc9-98ac-38f059b301f9\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"3b509c65-21ea-4bc9-98ac-38f059b301f9\":{\"columnOrder\":[\"d5104737-a960-4de0-950e-d33e797f9346\",\"f14b52f5-b58b-4cac-8878-20f877e4724e\"],\"columns\":{\"d5104737-a960-4de0-950e-d33e797f9346\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top 10 values of source.as.organization.name\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"f14b52f5-b58b-4cac-8878-20f877e4724e\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"secondaryFields\":[],\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"source.as.organization.name\"},\"f14b52f5-b58b-4cac-8878-20f877e4724e\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of 
records\",\"operationType\":\"count\",\"params\":{\"emptyAsNull\":true},\"scale\":\"ratio\",\"sourceField\":\"___records___\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"d5104737-a960-4de0-950e-d33e797f9346\"],\"layerId\":\"3b509c65-21ea-4bc9-98ac-38f059b301f9\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"f14b52f5-b58b-4cac-8878-20f877e4724e\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"treemap\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":13,\"i\":\"bbd15cda-94cf-4624-acfe-f255efbb5855\",\"w\":12,\"x\":36,\"y\":38},\"panelIndex\":\"bbd15cda-94cf-4624-acfe-f255efbb5855\",\"title\":\"Source Organization\",\"type\":\"lens\",\"version\":\"8.3.2\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-3b509c65-21ea-4bc9-98ac-38f059b301f9\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"3b509c65-21ea-4bc9-98ac-38f059b301f9\":{\"columnOrder\":[\"d5104737-a960-4de0-950e-d33e797f9346\",\"f14b52f5-b58b-4cac-8878-20f877e4724e\"],\"columns\":{\"d5104737-a960-4de0-950e-d33e797f9346\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top 10 values of destination.geo.country_name\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"f14b52f5-b58b-4cac-8878-20f877e4724e\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"secondaryFields\":[],\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"destination.geo.country_name\"},\"f14b52f5-b58b-4cac-8878-20f877e4724e\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of 
records\",\"operationType\":\"count\",\"params\":{\"emptyAsNull\":true},\"scale\":\"ratio\",\"sourceField\":\"___records___\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"d5104737-a960-4de0-950e-d33e797f9346\"],\"layerId\":\"3b509c65-21ea-4bc9-98ac-38f059b301f9\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"f14b52f5-b58b-4cac-8878-20f877e4724e\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"treemap\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":12,\"i\":\"83c59f55-5df1-4715-8fb1-d088f0e10019\",\"w\":12,\"x\":24,\"y\":51},\"panelIndex\":\"83c59f55-5df1-4715-8fb1-d088f0e10019\",\"title\":\"Destination Country\",\"type\":\"lens\",\"version\":\"8.3.2\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-3b509c65-21ea-4bc9-98ac-38f059b301f9\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"3b509c65-21ea-4bc9-98ac-38f059b301f9\":{\"columnOrder\":[\"d5104737-a960-4de0-950e-d33e797f9346\",\"f14b52f5-b58b-4cac-8878-20f877e4724e\"],\"columns\":{\"d5104737-a960-4de0-950e-d33e797f9346\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top 10 values of destination.as.organization.name\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"f14b52f5-b58b-4cac-8878-20f877e4724e\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"secondaryFields\":[],\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"destination.as.organization.name\"},\"f14b52f5-b58b-4cac-8878-20f877e4724e\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of 
records\",\"operationType\":\"count\",\"params\":{\"emptyAsNull\":true},\"scale\":\"ratio\",\"sourceField\":\"___records___\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"d5104737-a960-4de0-950e-d33e797f9346\"],\"layerId\":\"3b509c65-21ea-4bc9-98ac-38f059b301f9\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"f14b52f5-b58b-4cac-8878-20f877e4724e\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"treemap\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":12,\"i\":\"1e4ffbda-33d2-40eb-9746-4469775466f7\",\"w\":12,\"x\":36,\"y\":51},\"panelIndex\":\"1e4ffbda-33d2-40eb-9746-4469775466f7\",\"title\":\"Destination Organization\",\"type\":\"lens\",\"version\":\"8.3.2\"}]", - "timeRestore": false, - "title": "[Fortinet Fortigate] Firewall Overview", - "version": 1 - }, - "coreMigrationVersion": "8.3.2", - "id": "fortinet_fortigate-d0cd8230-0c8b-11ed-bb95-158df2ca77e4", - "migrationVersion": { - "dashboard": "8.3.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "aef92dcc-7959-4c94-90ef-373478d28419:indexpattern-datasource-layer-3315c7ab-9184-4bc2-8d29-bfa4f03c0357", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "53ff2f86-bf06-4677-92d2-067155f609f3:indexpattern-datasource-layer-3315c7ab-9184-4bc2-8d29-bfa4f03c0357", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "b3871313-73e1-4197-af66-2ff82506fafd:indexpattern-datasource-layer-3315c7ab-9184-4bc2-8d29-bfa4f03c0357", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "941798ef-1ae4-4ebe-8867-a17eb8b1a4b9:indexpattern-datasource-layer-3315c7ab-9184-4bc2-8d29-bfa4f03c0357", - "type": "index-pattern" - 
}, - { - "id": "logs-*", - "name": "f20139de-a0eb-463f-a9c8-183dce76b3fa:indexpattern-datasource-layer-3315c7ab-9184-4bc2-8d29-bfa4f03c0357", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "14f2d7bc-a79b-4917-a0a3-9656891cc0d8:indexpattern-datasource-layer-3315c7ab-9184-4bc2-8d29-bfa4f03c0357", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "85b98bdc-73a7-4032-aef1-91921b5235ce:indexpattern-datasource-layer-3315c7ab-9184-4bc2-8d29-bfa4f03c0357", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "3652abe3-b251-4cc0-a014-a81bbe764d33:indexpattern-datasource-layer-3315c7ab-9184-4bc2-8d29-bfa4f03c0357", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "c284fd4a-cd25-4fe3-8124-f2458aed0257:indexpattern-datasource-layer-2573c22c-9787-4385-a01b-779b948ee617", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "58884a18-ec0a-46f1-bf37-de86aba407ad:indexpattern-datasource-layer-64b9d1d0-7503-4967-849c-be0201d51ac1", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "3559260b-1b7d-4053-b958-d6eb5f4e839e:layer_1_source_index_pattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "3559260b-1b7d-4053-b958-d6eb5f4e839e:layer_2_source_index_pattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "3559260b-1b7d-4053-b958-d6eb5f4e839e:layer_3_source_index_pattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "9eb208d4-f6d7-468a-b558-a98ecc64e262:indexpattern-datasource-layer-3b509c65-21ea-4bc9-98ac-38f059b301f9", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "bbd15cda-94cf-4624-acfe-f255efbb5855:indexpattern-datasource-layer-3b509c65-21ea-4bc9-98ac-38f059b301f9", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "83c59f55-5df1-4715-8fb1-d088f0e10019:indexpattern-datasource-layer-3b509c65-21ea-4bc9-98ac-38f059b301f9", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": 
"1e4ffbda-33d2-40eb-9746-4469775466f7:indexpattern-datasource-layer-3b509c65-21ea-4bc9-98ac-38f059b301f9", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "controlGroup_eb2ef977-0de8-4bd4-a936-8bd25a74543c:optionsListDataView", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "controlGroup_cfa74479-5cd8-48b4-b302-86302d5cc8a6:optionsListDataView", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "controlGroup_ee56c2d4-3f4e-4914-bc04-74a600f57188:optionsListDataView", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "controlGroup_ad683801-15c1-4243-a870-c533cf32c7e3:optionsListDataView", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "controlGroup_c66d9124-057b-40aa-bc0a-fab5624ed285:optionsListDataView", - "type": "index-pattern" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/fortinet_fortigate/1.2.1/manifest.yml b/packages/fortinet_fortigate/1.2.1/manifest.yml deleted file mode 100755 index 753235e83b..0000000000 --- a/packages/fortinet_fortigate/1.2.1/manifest.yml +++ /dev/null 
@@ -1,37 +0,0 @@
-name: fortinet_fortigate
-title: Fortinet FortiGate Firewall Logs
-version: 1.2.1
-release: ga
-description: Collect logs from Fortinet FortiGate firewalls with Elastic Agent.
-type: integration
-format_version: 1.0.0
-license: basic
-categories: ["security"]
-conditions:
- kibana.version: "^8.3.0"
-icons:
- - src: /img/fortinet-logo.svg
- title: Fortinet
- size: 216x216
- type: image/svg+xml
-screenshots:
- - src: /img/dashboard.png
- title: Fortinet FortiGate Overview
- size: 3336x3120
- type: image/png
-policy_templates:
- - name: fortinet_fortigate
- title: Fortinet FortiGate logs
- description: Collect logs from Fortinet FortiGate instances
- inputs:
- - type: logfile
- title: "Collect Fortinet FortiGate logs (input: logfile)"
- description: "Collecting logs from Fortinet FortiGate instances (input: logfile)"
- - type: tcp
- title: "Collect Fortinet FortiGate logs (input: tcp)"
- description: "Collecting logs from Fortinet FortiGate instances (input: tcp)"
- - type: udp
- title: "Collect Fortinet FortiGate logs (input: udp)"
- description: "Collecting logs from Fortinet FortiGate instances (input: udp)"
-owner:
- github: elastic/security-external-integrations
diff --git a/packages/fortinet_fortigate/1.2.2/LICENSE.txt b/packages/fortinet_fortigate/1.2.2/LICENSE.txt
deleted file mode 100755
index 809108b857..0000000000
--- a/packages/fortinet_fortigate/1.2.2/LICENSE.txt
+++ /dev/null
@@ -1,93 +0,0 @@
-Elastic License 2.0
-
-URL: https://www.elastic.co/licensing/elastic-license
-
-## Acceptance
-
-By using the software, you agree to all of the terms and conditions below.
-
-## Copyright License
-
-The licensor grants you a non-exclusive, royalty-free, worldwide,
-non-sublicensable, non-transferable license to use, copy, distribute, make
-available, and prepare derivative works of the software, in each case subject to
-the limitations and conditions below.
-
-## Limitations
-
-You may not provide the software to third parties as a hosted or managed
-service, where the service provides users with access to any substantial set of
-the features or functionality of the software.
-
-You may not move, change, disable, or circumvent the license key functionality
-in the software, and you may not remove or obscure any functionality in the
-software that is protected by the license key.
-
-You may not alter, remove, or obscure any licensing, copyright, or other notices
-of the licensor in the software. Any use of the licensor’s trademarks is subject
-to applicable law.
-
-## Patents
-
-The licensor grants you a license, under any patent claims the licensor can
-license, or becomes able to license, to make, have made, use, sell, offer for
-sale, import and have imported the software, in each case subject to the
-limitations and conditions in this license. This license does not cover any
-patent claims that you cause to be infringed by modifications or additions to
-the software. If you or your company make any written claim that the software
-infringes or contributes to infringement of any patent, your patent license for
-the software granted under these terms ends immediately. If your company makes
-such a claim, your patent license ends immediately for work on behalf of your
-company.
-
-## Notices
-
-You must ensure that anyone who gets a copy of any part of the software from you
-also gets a copy of these terms.
-
-If you modify the software, you must include in any modified copies of the
-software prominent notices stating that you have modified the software.
-
-## No Other Rights
-
-These terms do not imply any licenses other than those expressly granted in
-these terms.
-
-## Termination
-
-If you use the software in violation of these terms, such use is not licensed,
-and your licenses will automatically terminate. If the licensor provides you
-with a notice of your violation, and you cease all violation of this license no
-later than 30 days after you receive that notice, your licenses will be
-reinstated retroactively. However, if you violate these terms after such
-reinstatement, any additional violation of these terms will cause your licenses
-to terminate automatically and permanently.
-
-## No Liability
-
-*As far as the law allows, the software comes as is, without any warranty or
-condition, and the licensor will not be liable to you for any damages arising
-out of these terms or the use or nature of the software, under any kind of
-legal claim.*
-
-## Definitions
-
-The **licensor** is the entity offering these terms, and the **software** is the
-software the licensor makes available under these terms, including any portion
-of it.
-
-**you** refers to the individual or entity agreeing to these terms.
-
-**your company** is any legal entity, sole proprietorship, or other kind of
-organization that you work for, plus all organizations that have control over,
-are under the control of, or are under common control with that
-organization. **control** means ownership of substantially all the assets of an
-entity, or the power to direct its management and policies by vote, contract, or
-otherwise. Control can be direct or indirect.
-
-**your licenses** are all the licenses granted to you for the software under
-these terms.
-
-**use** means anything you do with the software requiring one of your licenses.
-
-**trademark** means trademarks, service marks, and similar rights.
diff --git a/packages/fortinet_fortigate/1.2.2/changelog.yml b/packages/fortinet_fortigate/1.2.2/changelog.yml
deleted file mode 100755
index 7d8a1b6902..0000000000
--- a/packages/fortinet_fortigate/1.2.2/changelog.yml
+++ /dev/null
@@ -1,34 +0,0 @@
-# newer versions go on top
-- version: "1.2.2"
- changes:
- - description: Ensure network.direction values conform to ECS.
- type: bugfix
- link: https://github.com/elastic/integrations/issues/4283
-- version: "1.2.1"
- changes:
- - description: Use ECS geo.location definition.
- type: enhancement
- link: https://github.com/elastic/integrations/issues/4227
-- version: "1.2.0"
- changes:
- - description: Update Ingest Pipeline with observer Fields
- type: enhancement
- link: https://github.com/elastic/integrations/pull/3819
-- version: "1.1.0"
- changes:
- - description: Add dashboard.
- type: enhancement
- link: https://github.com/elastic/integrations/pull/3832
- - description: Process syslog priority and facility.
- type: enhancement
- link: https://github.com/elastic/integrations/pull/3832
-- version: "1.0.1"
- changes:
- - description: Fix handling of sip events.
- type: bugfix
- link: https://github.com/elastic/integrations/pull/3901
-- version: "1.0.0"
- changes:
- - description: Initial version of Fortinet FortiGate as separate package
- type: enhancement
- link: https://github.com/elastic/integrations/pull/3265
diff --git a/packages/fortinet_fortigate/1.2.2/data_stream/log/agent/stream/log.yml.hbs b/packages/fortinet_fortigate/1.2.2/data_stream/log/agent/stream/log.yml.hbs
deleted file mode 100755
index 225500de9f..0000000000
--- a/packages/fortinet_fortigate/1.2.2/data_stream/log/agent/stream/log.yml.hbs
+++ /dev/null
@@ -1,47 +0,0 @@
-paths:
-{{#each paths as |path i|}}
- - {{path}}
-{{/each}}
-exclude_files: [".gz$"]
-tags:
-{{#if preserve_original_event}}
- - preserve_original_event
-{{/if}}
-{{#each tags as |tag i|}}
- - {{tag}}
-{{/each}}
-{{#contains "forwarded" tags}}
-publisher_pipeline.disable_host: true
-{{/contains}}
-{{#if internal_interfaces.length}}
-processors:
-{{else}}
-{{#if external_interfaces.length}}
-processors:
-{{else}}
-{{#if processors}}
-processors:
-{{/if}}
-{{/if}}
-{{/if}}
-{{#if processors}}
-{{processors}}
-{{/if}}
-{{#if internal_interfaces.length}}
- - add_fields:
- target: _temp
- fields:
- internal_interfaces:
- {{#each internal_interfaces as |interface i|}}
- - {{interface}}
- {{/each}}
-{{/if}}
-{{#if external_interfaces.length}}
- - add_fields:
- target: _temp
- fields:
- external_interfaces:
- {{#each external_interfaces as |interface i|}}
- - {{interface}}
- {{/each}}
-{{/if}}
diff --git a/packages/fortinet_fortigate/1.2.2/data_stream/log/agent/stream/tcp.yml.hbs b/packages/fortinet_fortigate/1.2.2/data_stream/log/agent/stream/tcp.yml.hbs
deleted file mode 100755
index 6ca58d4fa8..0000000000
--- a/packages/fortinet_fortigate/1.2.2/data_stream/log/agent/stream/tcp.yml.hbs
+++ /dev/null
@@ -1,49 +0,0 @@
-host: "{{syslog_host}}:{{syslog_port}}"
-tags:
-{{#if preserve_original_event}}
- - preserve_original_event
-{{/if}}
-{{#each tags as |tag i|}}
- - {{tag}}
-{{/each}}
-{{#contains "forwarded" tags}}
-publisher_pipeline.disable_host: true
-{{/contains}}
-{{#if ssl}}
-ssl: {{ssl}}
-{{/if}}
-{{#if internal_interfaces.length}}
-processors:
-{{else}}
-{{#if external_interfaces.length}}
-processors:
-{{else}}
-{{#if processors}}
-processors:
-{{/if}}
-{{/if}}
-{{/if}}
-{{#if processors}}
-{{processors}}
-{{/if}}
-{{#if internal_interfaces.length}}
- - add_fields:
- target: _temp
- fields:
- internal_interfaces:
- {{#each internal_interfaces as |interface i|}}
- - {{interface}}
- {{/each}}
-{{/if}}
-{{#if external_interfaces.length}}
- - add_fields:
- target: _temp
- fields:
- external_interfaces:
- {{#each external_interfaces as |interface i|}}
- - {{interface}}
- {{/each}}
-{{/if}}
-{{#if tcp_options}}
-{{tcp_options}}
-{{/if}}
diff --git a/packages/fortinet_fortigate/1.2.2/data_stream/log/agent/stream/udp.yml.hbs b/packages/fortinet_fortigate/1.2.2/data_stream/log/agent/stream/udp.yml.hbs
deleted file mode 100755
index 852d6d18f0..0000000000
--- a/packages/fortinet_fortigate/1.2.2/data_stream/log/agent/stream/udp.yml.hbs
+++ /dev/null
@@ -1,43 +0,0 @@
-host: "{{syslog_host}}:{{syslog_port}}"
-tags:
-{{#if preserve_original_event}}
- - preserve_original_event
-{{/if}}
-{{#each tags as |tag i|}}
- - {{tag}}
-{{/each}}
-{{#contains "forwarded" tags}}
-publisher_pipeline.disable_host: true
-{{/contains}}
-{{#if internal_interfaces.length}}
-processors:
-{{else}}
-{{#if external_interfaces.length}}
-processors:
-{{else}}
-{{#if processors}}
-processors:
-{{/if}}
-{{/if}}
-{{/if}}
-{{#if processors}}
-{{processors}}
-{{/if}}
-{{#if internal_interfaces.length}}
- - add_fields:
- target: _temp
- fields:
- internal_interfaces:
- {{#each internal_interfaces as |interface i|}}
- - {{interface}}
- {{/each}}
-{{/if}}
-{{#if external_interfaces.length}}
- - add_fields:
- target: _temp
- fields:
- external_interfaces:
- {{#each external_interfaces as |interface i|}}
- - {{interface}}
- {{/each}}
-{{/if}}
diff --git a/packages/fortinet_fortigate/1.2.2/data_stream/log/elasticsearch/ingest_pipeline/default.yml b/packages/fortinet_fortigate/1.2.2/data_stream/log/elasticsearch/ingest_pipeline/default.yml
deleted file mode 100755
index de33da79fa..0000000000
--- a/packages/fortinet_fortigate/1.2.2/data_stream/log/elasticsearch/ingest_pipeline/default.yml
+++ /dev/null
@@ -1,449 +0,0 @@ ---- -description: Pipeline for parsing fortinet firewall logs -processors: - - set: - field: ecs.version - value: '8.3.0' - - rename: - field: message - target_field: event.original - - grok: - field: event.original - ecs_compatibility: v1 - patterns: - - "%{SYSLOG5424PRI}%{GREEDYDATA:syslog5424_sd}$" - - script: - lang: painless - source: | - if (ctx.log?.syslog?.priority != null) { - def severity = new HashMap(); - severity['code'] = ctx.log.syslog.priority&0x7; - ctx.log.syslog['severity'] = severity; - def facility = new HashMap(); - facility['code'] = ctx.log.syslog.priority>>3; - ctx.log.syslog['facility'] = facility; - } - - kv: - field: syslog5424_sd - field_split: " (?=[a-z\\_\\-]+=)" - value_split: "=" - prefix: "fortinet.firewall." - ignore_missing: true - ignore_failure: false - trim_value: '"' - - script: - lang: painless - source: | - def fw = ctx?.fortinet?.firewall; - if (fw != null) { - fw.entrySet().removeIf(entry -> entry.getValue() == "N/A"); - } - - set: - field: observer.vendor - value: Fortinet - - set: - field: observer.product - value: Fortigate - - set: - field: observer.type - value: firewall - - set: - field: event.timezone - value: "{{fortinet.firewall.tz}}" - ignore_empty_value: true - - set: - field: _temp.time - value: "{{fortinet.firewall.date}} {{fortinet.firewall.time}} {{fortinet.firewall.tz}}" - if: "ctx.fortinet?.firewall?.tz != null" - - set: - field: _temp.time - value: "{{fortinet.firewall.date}} {{fortinet.firewall.time}}" - if: "ctx.fortinet?.firewall?.tz == null" - - date: - field: _temp.time - target_field: "@timestamp" - formats: - - yyyy-MM-dd HH:mm:ss - - yyyy-MM-dd HH:mm:ss Z - - yyyy-MM-dd HH:mm:ss z - - ISO8601 - timezone: "{{fortinet.firewall.tz}}" - if: "ctx.fortinet?.firewall?.tz != null" - - date: - field: _temp.time - target_field: "@timestamp" - formats: - - yyyy-MM-dd HH:mm:ss - - yyyy-MM-dd HH:mm:ss Z - - yyyy-MM-dd HH:mm:ss z - - ISO8601 - if: "ctx.fortinet?.firewall?.tz == null" - - 
gsub: - field: fortinet.firewall.eventtime - pattern: "\\d{6}$" - replacement: "" - if: "ctx.fortinet?.firewall?.eventtime != null && (ctx.fortinet?.firewall?.eventtime).length() > 18" - - date: - field: fortinet.firewall.eventtime - target_field: event.start - formats: - - UNIX_MS - timezone: "{{fortinet.firewall.tz}}" - if: "ctx?.fortinet?.firewall?.eventtime != null && ctx.fortinet?.firewall?.tz != null && (ctx.fortinet?.firewall?.eventtime).length() > 11" - - date: - field: fortinet.firewall.eventtime - target_field: event.start - formats: - - UNIX - timezone: "{{fortinet.firewall.tz}}" - if: "ctx?.fortinet?.firewall?.eventtime != null && ctx.fortinet?.firewall?.tz != null && (ctx.fortinet?.firewall?.eventtime).length() <= 11" - - date: - field: fortinet.firewall.eventtime - target_field: event.start - formats: - - UNIX_MS - if: "ctx?.fortinet?.firewall?.eventtime != null && ctx.fortinet?.firewall?.tz == null && (ctx.fortinet?.firewall?.eventtime).length() > 11" - - date: - field: fortinet.firewall.eventtime - target_field: event.start - formats: - - UNIX - if: "ctx?.fortinet?.firewall?.eventtime != null && ctx.fortinet?.firewall?.tz == null && (ctx.fortinet?.firewall?.eventtime).length() <= 11" - - rename: - field: fortinet.firewall.devname - target_field: observer.name - ignore_missing: true - - script: - lang: painless - source: "ctx.event.duration = Long.parseLong(ctx.fortinet.firewall.duration) * 1000000000" - if: "ctx.fortinet?.firewall?.duration != null" - - rename: - field: fortinet.firewall.devid - target_field: observer.serial_number - ignore_missing: true - - rename: - field: fortinet.firewall.dstintf - target_field: observer.egress.interface.name - ignore_missing: true - if: "ctx.observer?.egress?.interface?.name == null" - - rename: - field: fortinet.firewall.srcintf - target_field: observer.ingress.interface.name - ignore_missing: true - if: "ctx.observer?.ingress?.interface?.name == null" - - rename: - field: fortinet.firewall.dst_int - 
target_field: observer.egress.interface.name - ignore_missing: true - - rename: - field: fortinet.firewall.src_int - target_field: observer.ingress.interface.name - ignore_missing: true - - rename: - field: fortinet.firewall.level - target_field: log.level - ignore_missing: true - - append: - field: email.cc.address - value: "{{{fortinet.firewall.cc}}}" - if: "ctx?.fortinet?.cc?.address != null" - - set: - field: email.subject - copy_from: fortinet.firewall.subject - if: "ctx?.fortinet?.firewall?.subject != null" - - # Handle interface-based network directionality - - set: - field: network.direction - value: inbound - if: > - ctx?._temp?.external_interfaces != null && - ctx?._temp?.internal_interfaces != null && - ctx?.observer?.ingress?.interface?.name != null && - ctx?.observer?.egress?.interface?.name != null && - ctx._temp.external_interfaces.contains(ctx.observer.ingress.interface.name) && - ctx._temp.internal_interfaces.contains(ctx.observer.egress.interface.name) - - set: - field: network.direction - value: outbound - if: > - ctx?._temp?.external_interfaces != null && - ctx?._temp?.internal_interfaces != null && - ctx?.observer?.ingress?.interface?.name != null && - ctx?.observer?.egress?.interface?.name != null && - ctx._temp.external_interfaces.contains(ctx.observer.egress.interface.name) && - ctx._temp.internal_interfaces.contains(ctx.observer.ingress.interface.name) - - set: - field: network.direction - value: internal - if: > - ctx?._temp?.external_interfaces != null && - ctx?._temp?.internal_interfaces != null && - ctx?.observer?.ingress?.interface?.name != null && - ctx?.observer?.egress?.interface?.name != null && - ctx._temp.internal_interfaces.contains(ctx.observer.egress.interface.name) && - ctx._temp.internal_interfaces.contains(ctx.observer.ingress.interface.name) - - set: - field: network.direction - value: external - if: > - ctx?._temp?.external_interfaces != null && - ctx?._temp?.internal_interfaces != null && - 
ctx?.observer?.ingress?.interface?.name != null && - ctx?.observer?.egress?.interface?.name != null && - ctx._temp.external_interfaces.contains(ctx.observer.egress.interface.name) && - ctx._temp.external_interfaces.contains(ctx.observer.ingress.interface.name) - - set: - field: network.direction - value: unknown - if: > - ctx?._temp?.external_interfaces != null && - ctx?._temp?.internal_interfaces != null && - ctx?.observer?.egress?.interface?.name != null && - ctx?.observer?.ingress?.interface?.name != null && - ( - ( - !ctx._temp.external_interfaces.contains(ctx.observer.egress.interface.name) && - !ctx._temp.internal_interfaces.contains(ctx.observer.egress.interface.name) - ) || - ( - !ctx._temp.external_interfaces.contains(ctx.observer.ingress.interface.name) && - !ctx._temp.internal_interfaces.contains(ctx.observer.ingress.interface.name) - ) - ) - - remove: - field: - - _temp.time - - _temp - - syslog5424_sd - - fortinet.firewall.tz - - fortinet.firewall.date - - fortinet.firewall.devid - - fortinet.firewall.eventtime - - fortinet.firewall.time - - fortinet.firewall.duration - - host - ignore_missing: true - - pipeline: - name: '{{ IngestPipeline "event" }}' - if: "ctx.fortinet?.firewall?.type == 'event'" - - pipeline: - name: '{{ IngestPipeline "traffic" }}' - if: "ctx.fortinet?.firewall?.type == 'traffic'" - - pipeline: - name: '{{ IngestPipeline "utm" }}' - if: "ctx.fortinet?.firewall?.type == 'utm' || ctx.fortinet?.firewall?.type == 'dns'" - - convert: - field: fortinet.firewall.quotamax - type: long - ignore_missing: true - - convert: - field: fortinet.firewall.quotaused - type: long - ignore_missing: true - - convert: - field: fortinet.firewall.size - type: long - ignore_missing: true - - convert: - field: fortinet.firewall.disklograte - type: long - ignore_missing: true - - convert: - field: fortinet.firewall.fazlograte - type: long - ignore_missing: true - - convert: - field: fortinet.firewall.lanin - type: long - ignore_missing: true - - convert: - 
field: fortinet.firewall.lanout - type: long - ignore_missing: true - - convert: - field: fortinet.firewall.setuprate - type: long - ignore_missing: true - - convert: - field: fortinet.firewall.wanin - type: long - ignore_missing: true - - convert: - field: fortinet.firewall.wanout - type: long - ignore_missing: true - - geoip: - field: source.ip - target_field: source.geo - ignore_missing: true - if: "ctx.source?.geo == null" - - geoip: - field: destination.ip - target_field: destination.geo - ignore_missing: true - if: "ctx.destination?.geo == null" - - geoip: - database_file: GeoLite2-ASN.mmdb - field: source.ip - target_field: source.as - properties: - - asn - - organization_name - ignore_missing: true - - geoip: - database_file: GeoLite2-ASN.mmdb - field: destination.ip - target_field: destination.as - properties: - - asn - - organization_name - ignore_missing: true - - geoip: - field: source.nat.ip - target_field: source.geo - ignore_missing: true - if: "ctx.source?.geo == null" - - geoip: - field: destination.nat.ip - target_field: destination.geo - ignore_missing: true - if: "ctx.destination?.geo == null" - - geoip: - database_file: GeoLite2-ASN.mmdb - field: source.nat.ip - target_field: source.as - properties: - - asn - - organization_name - ignore_missing: true - if: "ctx.source?.as == null" - - geoip: - database_file: GeoLite2-ASN.mmdb - field: destination.nat.ip - target_field: destination.as - properties: - - asn - - organization_name - ignore_missing: true - if: "ctx.destination?.as == null" - - rename: - field: source.as.asn - target_field: source.as.number - ignore_missing: true - - rename: - field: source.as.organization_name - target_field: source.as.organization.name - ignore_missing: true - - rename: - field: destination.as.asn - target_field: destination.as.number - ignore_missing: true - - rename: - field: destination.as.organization_name - target_field: destination.as.organization.name - ignore_missing: true - - script: - lang: painless - 
source: "ctx.network.bytes = ctx.source.bytes + ctx.destination.bytes" - if: "ctx?.source?.bytes != null && ctx?.destination?.bytes != null" - ignore_failure: true - - script: - lang: painless - source: "ctx.network.packets = ctx.source.packets + ctx.destination.packets" - if: "ctx?.source?.packets != null && ctx?.destination?.packets != null" - ignore_failure: true - - script: - lang: painless - ignore_failure: true - if: ctx?.network?.iana_number != null - source: | - def iana_number = ctx.network.iana_number; - if (iana_number == '0') { - ctx.network.transport = 'hopopt'; - } else if (iana_number == '1') { - ctx.network.transport = 'icmp'; - } else if (iana_number == '2') { - ctx.network.transport = 'igmp'; - } else if (iana_number == '6') { - ctx.network.transport = 'tcp'; - } else if (iana_number == '8') { - ctx.network.transport = 'egp'; - } else if (iana_number == '17') { - ctx.network.transport = 'udp'; - } else if (iana_number == '47') { - ctx.network.transport = 'gre'; - } else if (iana_number == '50') { - ctx.network.transport = 'esp'; - } else if (iana_number == '58') { - ctx.network.transport = 'ipv6-icmp'; - } else if (iana_number == '112') { - ctx.network.transport = 'vrrp'; - } else if (iana_number == '132') { - ctx.network.transport = 'sctp'; - } - - append: - field: related.ip - value: "{{source.ip}}" - if: "ctx.source?.ip != null" - allow_duplicates: false - - append: - field: related.ip - value: "{{destination.ip}}" - if: "ctx.destination?.ip != null" - allow_duplicates: false - - append: - field: related.user - value: "{{source.user.name}}" - if: "ctx.source?.user?.name != null" - allow_duplicates: false - - append: - field: related.user - value: "{{destination.user.name}}" - if: "ctx.destination?.user?.name != null" - allow_duplicates: false - - append: - field: related.hosts - value: "{{destination.address}}" - if: "ctx.destination?.address != null" - allow_duplicates: false - - append: - field: related.hosts - value: "{{source.address}}" - 
if: "ctx.source?.address != null" - allow_duplicates: false - - append: - field: related.hosts - value: "{{dns.question.name}}" - if: "ctx.dns?.question?.name != null" - allow_duplicates: false - - # Fix up network direction field to match ECS-allowable values. - - set: - field: network.direction - value: unknown - if: "ctx.network?.direction != null && !(['ingress', 'egress', 'inbound', 'outbound', 'internal', 'external'].contains(ctx.network.direction))" - - - script: - lang: painless - source: | - def dnsIPs = ctx?.dns?.resolved_ip; - if (dnsIPs != null && dnsIPs instanceof List) { - if (ctx?.related?.ip == null) { - ctx.related.ip = []; - } - for (ip in dnsIPs) { - if (!ctx.related.ip.contains(ip)) { - ctx.related.ip.add(ip); - } - } - } - - remove: - field: event.original - if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" - ignore_failure: true - ignore_missing: true -on_failure: - - set: - field: error.message - value: "{{ _ingest.on_failure_message }}" diff --git a/packages/fortinet_fortigate/1.2.2/data_stream/log/elasticsearch/ingest_pipeline/event.yml b/packages/fortinet_fortigate/1.2.2/data_stream/log/elasticsearch/ingest_pipeline/event.yml deleted file mode 100755 index 19f29c3b99..0000000000 --- a/packages/fortinet_fortigate/1.2.2/data_stream/log/elasticsearch/ingest_pipeline/event.yml +++ /dev/null 
@@ -1,267 +0,0 @@ ---- -description: Pipeline for parsing fortinet firewall logs (event pipeline) -processors: - - set: - field: event.kind - value: event - - set: - field: event.outcome - value: failure - if: "ctx.fortinet?.firewall?.result == 'ERROR' || ctx.fortinet?.firewall?.status == 'negotiate_error'" - - set: - field: event.outcome - value: success - if: "ctx.fortinet?.firewall?.result == 'OK' || ['FSSO-logon', 'auth-logon', 'FSSO-logoff', 'auth-logout'].contains(ctx.fortinet?.firewall?.action)" - - append: - field: event.type - value: - - user - - start - if: "['FSSO-logon', 'auth-logon'].contains(ctx.fortinet?.firewall?.action)" - - append: - field: event.type - value: - - user - - end - if: "['FSSO-logoff', 'auth-logout'].contains(ctx.fortinet?.firewall?.action)" - - append: - field: event.type - value: connection - if: "ctx.fortinet?.firewall?.subtype == 'vpn'" - - append: - field: event.category - value: network - if: "ctx.fortinet?.firewall?.subtype == 'vpn'" - - append: - field: event.type - value: info - if: "ctx.fortinet?.firewall?.action == 'perf-stats'" - - append: - field: event.category - value: host - if: "ctx.fortinet?.firewall?.action == 'perf-stats'" - - append: - field: event.type - value: info - if: "ctx.fortinet?.firewall?.subtype == 'update'" - - append: - field: event.category - value: - - host - - malware - if: "ctx.fortinet?.firewall?.subtype == 'update'" - - append: - field: event.category - value: authentication - if: "ctx.fortinet?.firewall?.subtype == 'user'" - - rename: - field: fortinet.firewall.dstip - target_field: destination.ip - ignore_missing: true - - rename: - field: fortinet.firewall.remip - target_field: destination.ip - ignore_missing: true - if: "ctx.destination?.ip == null" - - convert: - field: fortinet.firewall.dstport - target_field: destination.port - type: long - ignore_failure: true - ignore_missing: true - - convert: - field: fortinet.firewall.remport - target_field: destination.port - type: long - 
ignore_failure: true - ignore_missing: true - if: "ctx.destination?.port == null" - - convert: - field: fortinet.firewall.rcvdbyte - target_field: destination.bytes - type: long - ignore_failure: true - ignore_missing: true - - rename: - field: fortinet.firewall.daddr - target_field: destination.address - ignore_missing: true - - rename: - field: fortinet.firewall.dst_host - target_field: destination.address - ignore_missing: true - if: "ctx.destination?.address == null" - - rename: - field: fortinet.firewall.dst_host - target_field: destination.domain - ignore_missing: true - if: "ctx.destination?.address == null" - - rename: - field: fortinet.firewall.group - target_field: source.user.group.name - ignore_missing: true - - convert: - field: fortinet.firewall.sentbyte - target_field: source.bytes - type: long - ignore_failure: true - ignore_missing: true - - rename: - field: fortinet.firewall.srcip - target_field: source.ip - ignore_missing: true - - rename: - field: fortinet.firewall.locip - target_field: source.ip - ignore_missing: true - if: "ctx.source?.ip == null" - - rename: - field: fortinet.firewall.srcmac - target_field: source.mac - ignore_missing: true - - rename: - field: fortinet.firewall.source_mac - target_field: source.mac - ignore_missing: true - if: "ctx.source?.mac == null" - - convert: - field: fortinet.firewall.srcport - target_field: source.port - type: long - ignore_failure: true - ignore_missing: true - - convert: - field: fortinet.firewall.locport - target_field: source.port - type: long - ignore_failure: true - ignore_missing: true - if: "ctx.source?.port == null" - - rename: - field: fortinet.firewall.user - target_field: source.user.name - ignore_missing: true - - rename: - field: fortinet.firewall.saddr - target_field: source.address - ignore_missing: true - - rename: - field: fortinet.firewall.agent - target_field: user_agent.original - ignore_missing: true - - rename: - field: fortinet.firewall.file - target_field: file.name - 
ignore_missing: true - - convert: - field: fortinet.firewall.filesize - target_field: file.size - type: long - ignore_failure: true - ignore_missing: true - - rename: - field: fortinet.firewall.level - target_field: log.level - ignore_missing: true - - rename: - field: fortinet.firewall.logid - target_field: event.code - ignore_missing: true - if: "ctx.event?.code == null" - - rename: - field: fortinet.firewall.msg - target_field: message - ignore_missing: true - - rename: - field: fortinet.firewall.policyid - target_field: rule.id - ignore_missing: true - - rename: - field: fortinet.firewall.proto - target_field: network.iana_number - ignore_missing: true - - rename: - field: fortinet.firewall.dir - target_field: network.direction - ignore_missing: true - if: "ctx.network?.direction == null" - - rename: - field: fortinet.firewall.direction - target_field: network.direction - ignore_missing: true - if: "ctx.network?.direction == null" - # Normalize the network direction - - script: - lang: painless - ignore_failure: true - params: - outgoing: outbound - incoming: inbound - source: >- - if (ctx.network?.direction == null) { - return; - } - def k = ctx.network?.direction.toLowerCase(); - def normalized = params.get(k); - if (normalized != null) { - ctx.network.direction = normalized; - return - } - ctx.network.direction = k; - - rename: - field: fortinet.firewall.service - target_field: network.protocol - ignore_missing: true - - lowercase: - field: network.protocol - ignore_missing: true - - rename: - field: fortinet.firewall.error_num - target_field: error.code - ignore_missing: true - - rename: - field: fortinet.firewall.hostname - target_field: url.domain - ignore_missing: true - - rename: - field: fortinet.firewall.logdesc - target_field: rule.description - ignore_missing: true - - rename: - field: fortinet.firewall.addr - target_field: fortinet.firewall.addrgrp - if: ctx.rule?.description == 'Dynamic address updated' - ignore_missing: true - - rename: - field: 
fortinet.firewall.url - target_field: url.path - ignore_missing: true - - convert: - field: fortinet.firewall.sess_duration - type: long - target_field: event.duration - ignore_failure: true - ignore_missing: true - if: "ctx.event?.duration == null" - - convert: - field: fortinet.firewall.mem - type: integer - ignore_failure: true - ignore_missing: true - - remove: - field: - - fortinet.firewall.dstport - - fortinet.firewall.remport - - fortinet.firewall.rcvdbyte - - fortinet.firewall.sentbyte - - fortinet.firewall.srcport - - fortinet.firewall.locport - - fortinet.firewall.filesize - - fortinet.firewall.sess_duration - - fortinet.firewall.dir - - fortinet.firewall.direction - ignore_missing: true -on_failure: - - set: - field: error.message - value: "{{ _ingest.on_failure_message }}" diff --git a/packages/fortinet_fortigate/1.2.2/data_stream/log/elasticsearch/ingest_pipeline/traffic.yml b/packages/fortinet_fortigate/1.2.2/data_stream/log/elasticsearch/ingest_pipeline/traffic.yml deleted file mode 100755 index 90f65f53a0..0000000000 --- a/packages/fortinet_fortigate/1.2.2/data_stream/log/elasticsearch/ingest_pipeline/traffic.yml +++ /dev/null 
@@ -1,218 +0,0 @@ ---- -description: Pipeline for parsing fortinet firewall logs (traffic pipeline) -processors: -- set: - field: event.kind - value: event -- set: - field: event.action - value: "{{fortinet.firewall.action}}" - ignore_empty_value: true -- set: - field: event.outcome - value: success - if: "ctx.fortinet?.firewall?.action != null" -- append: - field: event.category - value: network -- append: - field: event.type - value: connection -- append: - field: event.type - value: start - if: "ctx.fortinet?.firewall?.action == 'start'" -- append: - field: event.type - value: end - if: "ctx.fortinet?.firewall?.action != null && ctx.fortinet?.firewall?.action !='start'" -- append: - field: event.type - value: protocol - if: "ctx.fortinet?.firewall?.app != null && ctx.fortinet?.firewall?.action != 'deny'" -- append: - field: event.type - value: allowed - if: "ctx.fortinet?.firewall?.utmaction == null && ctx.fortinet?.firewall?.action != 'deny'" -- append: - field: event.type - value: denied - if: "ctx.fortinet?.firewall?.utmaction == 'block'" -- rename: - field: fortinet.firewall.dstip - target_field: destination.ip - ignore_missing: true -- rename: - field: fortinet.firewall.tranip - target_field: destination.nat.ip - ignore_missing: true -- convert: - field: fortinet.firewall.dstport - target_field: destination.port - type: long - ignore_failure: true - ignore_missing: true -- convert: - field: fortinet.firewall.tranport - target_field: destination.nat.port - type: long - ignore_failure: true - ignore_missing: true -- convert: - field: fortinet.firewall.rcvdbyte - target_field: destination.bytes - type: long - ignore_failure: true - ignore_missing: true -- convert: - field: fortinet.firewall.rcvdpkt - target_field: destination.packets - type: long - ignore_failure: true - ignore_missing: true -- append: - field: email.to.address - value: "{{fortinet.firewall.dstcollectedemail}}" - if: "ctx?.fortinet?.firewall?.dstcollectedemail != null" -- rename: - field: 
fortinet.firewall.dstname - target_field: destination.address - ignore_missing: true -- rename: - field: fortinet.firewall.dstunauthuser - target_field: destination.user.name - ignore_missing: true -- rename: - field: fortinet.firewall.group - target_field: source.user.group.name - ignore_missing: true -- convert: - field: fortinet.firewall.sentbyte - target_field: source.bytes - type: long - ignore_failure: true - ignore_missing: true -- rename: - field: fortinet.firewall.srcdomain - target_field: source.domain - ignore_missing: true -- rename: - field: fortinet.firewall.srcip - target_field: source.ip - ignore_missing: true -- rename: - field: fortinet.firewall.srcmac - target_field: source.mac - ignore_missing: true -- convert: - field: fortinet.firewall.srcport - target_field: source.port - type: long - ignore_failure: true - ignore_missing: true -- rename: - field: fortinet.firewall.unauthuser - target_field: source.user.name - ignore_missing: true -- rename: - field: fortinet.firewall.user - target_field: source.user.name - ignore_missing: true - if: "ctx.source?.user?.name == null" -- append: - field: email.from.address - value: "{{fortinet.firewall.collectedemail}}" - if: "ctx?.fortinet?.firewall?.collectedemail != null" -- convert: - field: fortinet.firewall.sentpkt - target_field: source.packets - type: long - ignore_failure: true - ignore_missing: true -- rename: - field: fortinet.firewall.transip - target_field: source.nat.ip - ignore_missing: true -- convert: - field: fortinet.firewall.transport - target_field: source.nat.port - type: long - ignore_failure: true - ignore_missing: true -- rename: - field: fortinet.firewall.app - target_field: network.application - ignore_missing: true -- rename: - field: fortinet.firewall.filename - target_field: file.name - ignore_missing: true -- rename: - field: fortinet.firewall.logid - target_field: event.code - ignore_missing: true - if: "ctx.event?.code == null" -- rename: - field: fortinet.firewall.msg - 
target_field: message - ignore_missing: true -- rename: - field: fortinet.firewall.comment - target_field: rule.description - ignore_missing: true -- rename: - field: fortinet.firewall.policyid - target_field: rule.id - ignore_missing: true - if: "ctx.rule?.id == null" -- rename: - field: fortinet.firewall.poluuid - target_field: rule.uuid - ignore_missing: true -- rename: - field: fortinet.firewall.policytype - target_field: rule.ruleset - ignore_missing: true -- rename: - field: fortinet.firewall.policyname - target_field: rule.name - ignore_missing: true -- rename: - field: fortinet.firewall.appcat - target_field: rule.category - ignore_missing: true -- gsub: - field: rule.category - pattern: "\\." - replacement: "-" - ignore_missing: true -- rename: - field: fortinet.firewall.proto - target_field: network.iana_number - ignore_missing: true -- rename: - field: fortinet.firewall.service - target_field: network.protocol - ignore_missing: true -- lowercase: - field: network.protocol - ignore_missing: true -- rename: - field: fortinet.firewall.url - target_field: url.path - ignore_missing: true -- remove: - field: - - fortinet.firewall.dstport - - fortinet.firewall.tranport - - fortinet.firewall.rcvdbyte - - fortinet.firewall.rcvdpkt - - fortinet.firewall.sentbyte - - fortinet.firewall.srcport - - fortinet.firewall.sentpkt - - fortinet.firewall.transport - ignore_missing: true -on_failure: -- set: - field: error.message - value: '{{ _ingest.on_failure_message }}' diff --git a/packages/fortinet_fortigate/1.2.2/data_stream/log/elasticsearch/ingest_pipeline/utm.yml b/packages/fortinet_fortigate/1.2.2/data_stream/log/elasticsearch/ingest_pipeline/utm.yml deleted file mode 100755 index d286bdfdfe..0000000000 --- a/packages/fortinet_fortigate/1.2.2/data_stream/log/elasticsearch/ingest_pipeline/utm.yml +++ /dev/null 
@@ -1,376 +0,0 @@ ---- -description: Pipeline for parsing fortinet firewall logs (utm pipeline) -processors: - - set: - field: event.kind - value: event - - append: - field: event.type - value: denied - if: "['block', 'blocked'].contains(ctx.fortinet?.firewall?.action)" - - append: - field: event.type - value: info - if: "ctx.fortinet?.firewall?.subtype == 'dns'" - - append: - field: event.type - value: allowed - if: "['pass', 'passthrough'].contains(ctx.fortinet?.firewall?.action)" - - set: - field: event.outcome - value: success - if: "ctx.fortinet?.firewall?.action != null" - - append: - field: event.category - value: network - - rename: - field: fortinet.firewall.dstip - target_field: destination.ip - ignore_missing: true - - rename: - field: fortinet.firewall.remip - target_field: destination.ip - ignore_missing: true - if: "ctx.destination?.ip == null" - - convert: - field: fortinet.firewall.dst_port - target_field: destination.port - type: long - ignore_failure: true - ignore_missing: true - - convert: - field: fortinet.firewall.remport - target_field: destination.port - type: long - ignore_failure: true - ignore_missing: true - if: "ctx.destination?.port == null" - - convert: - field: fortinet.firewall.dstport - target_field: destination.port - type: long - ignore_failure: true - ignore_missing: true - if: "ctx.destination?.port == null" - - convert: - field: fortinet.firewall.rcvdbyte - target_field: destination.bytes - type: long - ignore_failure: true - ignore_missing: true - - rename: - field: fortinet.firewall.recipient - target_field: email.to.address - ignore_missing: true - - append: - field: email.to.address - value: "{{fortinet.firewall.recipient}}" - if: "ctx?.fortinet?.firewall?.recipient != null" - - rename: - field: fortinet.firewall.group - target_field: source.user.group.name - ignore_missing: true - - rename: - field: fortinet.firewall.locip - target_field: source.ip - ignore_missing: true - - convert: - field: fortinet.firewall.locport - 
target_field: source.port - type: long - ignore_failure: true - ignore_missing: true - - convert: - field: fortinet.firewall.src_port - target_field: source.port - type: long - ignore_failure: true - ignore_missing: true - if: "ctx.source?.port == null" - - convert: - field: fortinet.firewall.srcport - target_field: source.port - type: long - ignore_failure: true - ignore_missing: true - if: "ctx.source?.port == null" - - convert: - field: fortinet.firewall.sentbyte - target_field: source.bytes - type: long - ignore_failure: true - ignore_missing: true - - rename: - field: fortinet.firewall.srcdomain - target_field: source.domain - ignore_missing: true - - rename: - field: fortinet.firewall.srcip - target_field: source.ip - ignore_missing: true - if: "ctx.source?.ip == null" - - rename: - field: fortinet.firewall.srcmac - target_field: source.mac - ignore_missing: true - - rename: - field: fortinet.firewall.unauthuser - target_field: source.user.name - ignore_missing: true - - rename: - field: fortinet.firewall.user - target_field: source.user.name - ignore_missing: true - if: "ctx.source?.user?.name == null" - - append: - field: email.sender.address - value: "{{fortinet.firewall.sender}}" - if: "ctx?.fortinet?.firewall?.sender != null" - - append: - field: email.from.address - value: "{{fortinet.firewall.from}}" - if: "ctx?.fortinet?.firewall?.from != null" - - rename: - field: fortinet.firewall.agent - target_field: user_agent.original - ignore_missing: true - - rename: - field: fortinet.firewall.app - target_field: network.application - ignore_missing: true - - rename: - field: fortinet.firewall.appcat - target_field: rule.category - ignore_missing: true - - rename: - field: fortinet.firewall.applist - target_field: rule.ruleset - ignore_missing: true - - rename: - field: fortinet.firewall.catdesc - target_field: rule.category - ignore_missing: true - if: "ctx.rule?.category == null" - - gsub: - field: rule.category - pattern: "\\." 
- replacement: "-" - ignore_missing: true - if: "ctx.rule?.category != null" - - rename: - field: fortinet.firewall.dir - target_field: network.direction - ignore_missing: true - if: "ctx.network?.direction == null" - - rename: - field: fortinet.firewall.direction - target_field: network.direction - ignore_missing: true - if: "ctx.network?.direction == null" - # Normalize the network direction - - script: - lang: painless - ignore_failure: true - params: - outgoing: outbound - incoming: inbound - source: >- - if (ctx.network?.direction == null) { - return; - } - def k = ctx.network?.direction.toLowerCase(); - def normalized = params.get(k); - if (normalized != null) { - ctx.network.direction = normalized; - return - } - ctx.network.direction = k; - - rename: - field: fortinet.firewall.error - target_field: event.message - ignore_missing: true - - rename: - field: fortinet.firewall.errorcode - target_field: event.code - ignore_missing: true - - rename: - field: fortinet.firewall.event_id - target_field: event.id - ignore_missing: true - - rename: - field: fortinet.firewall.eventid - target_field: event.id - ignore_missing: true - if: "ctx.event?.id == null" - - rename: - field: fortinet.firewall.eventtype - target_field: event.action - ignore_missing: true - - rename: - field: fortinet.firewall.filename - target_field: file.name - ignore_missing: true - - convert: - field: fortinet.firewall.filesize - target_field: file.size - type: long - ignore_failure: true - ignore_missing: true - - rename: - field: fortinet.firewall.filetype - target_field: file.extension - ignore_missing: true - - rename: - field: fortinet.firewall.infectedfilename - target_field: file.name - ignore_missing: true - if: "ctx.file?.name == null" - - rename: - field: fortinet.firewall.infectedfilesize - target_field: file.size - ignore_missing: true - if: "ctx.file?.size == null" - - rename: - field: fortinet.firewall.infectedfiletype - target_field: file.extension - ignore_missing: true - if: 
"ctx.file?.extension == null" - - rename: - field: fortinet.firewall.matchedfilename - target_field: file.name - ignore_missing: true - if: "ctx.file?.name == null" - - rename: - field: fortinet.firewall.matchedfiletype - target_field: file.extension - ignore_missing: true - if: "ctx.file?.extension == null" - - rename: - field: fortinet.firewall.hostname - target_field: url.domain - ignore_missing: true - - rename: - field: fortinet.firewall.ipaddr - target_field: dns.resolved_ip - ignore_missing: true - - split: - field: dns.resolved_ip - separator: ", " - ignore_missing: true - - rename: - field: fortinet.firewall.level - target_field: log.level - ignore_missing: true - - rename: - field: fortinet.firewall.logid - target_field: event.code - ignore_missing: true - if: "ctx.event?.code == null" - - rename: - field: fortinet.firewall.msg - target_field: message - ignore_missing: true - - rename: - field: fortinet.firewall.policy_id - target_field: rule.id - ignore_missing: true - if: "ctx.rule?.id == null" - - rename: - field: fortinet.firewall.policyid - target_field: rule.id - ignore_missing: true - if: "ctx.rule?.id == null" - - rename: - field: fortinet.firewall.profile - target_field: rule.ruleset - ignore_missing: true - if: "ctx.rule?.ruleset == null" - - rename: - field: fortinet.firewall.proto - target_field: network.iana_number - ignore_missing: true - - rename: - field: fortinet.firewall.qclass - target_field: dns.question.class - ignore_missing: true - - rename: - field: fortinet.firewall.qname - target_field: dns.question.name - ignore_missing: true - - rename: - field: fortinet.firewall.qtype - target_field: dns.question.type - ignore_missing: true - - rename: - field: fortinet.firewall.service - target_field: network.protocol - ignore_missing: true - - lowercase: - field: network.protocol - ignore_missing: true - - rename: - field: fortinet.firewall.url - target_field: url.path - ignore_missing: true - - rename: - field: fortinet.firewall.xid - 
target_field: dns.id - ignore_missing: true - - rename: - field: fortinet.firewall.scertcname - target_field: tls.server.x509.subject.common_name - ignore_missing: true - - rename: - field: fortinet.firewall.scertissuer - target_field: tls.server.issuer - ignore_missing: true - - set: - field: tls.server.x509.issuer.common_name - value: "{{tls.server.issuer}}" - ignore_empty_value: true - - rename: - field: fortinet.firewall.ccertissuer - target_field: tls.client.issuer - ignore_missing: true - - set: - field: tls.client.x509.issuer.common_name - value: "{{tls.client.issuer}}" - ignore_empty_value: true - - rename: - field: fortinet.firewall.sender - target_field: tls.server.issuer - ignore_missing: true - - rename: - field: fortinet.firewall.dtype - target_field: vulnerability.category - ignore_missing: true - - rename: - field: fortinet.firewall.ref - target_field: event.reference - ignore_missing: true - - rename: - field: fortinet.firewall.filehash - target_field: fortinet.file.hash.crc32 - ignore_missing: true - - append: - field: related.hash - value: "{{fortinet.file.hash.crc32}}" - if: "ctx.fortinet?.file?.hash?.crc32 != null" - - remove: - field: - - fortinet.firewall.dst_port - - fortinet.firewall.remport - - fortinet.firewall.dstport - - fortinet.firewall.rcvdbyte - - fortinet.firewall.locport - - fortinet.firewall.src_port - - fortinet.firewall.srcport - - fortinet.firewall.sentbyte - - fortinet.firewall.filesize - - fortinet.firewall.dir - - fortinet.firewall.direction - ignore_missing: true -on_failure: - - set: - field: error.message - value: "{{ _ingest.on_failure_message }}" diff --git a/packages/fortinet_fortigate/1.2.2/data_stream/log/fields/agent.yml b/packages/fortinet_fortigate/1.2.2/data_stream/log/fields/agent.yml deleted file mode 100755 index f6127c3e22..0000000000 --- a/packages/fortinet_fortigate/1.2.2/data_stream/log/fields/agent.yml +++ /dev/null 
@@ -1,183 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: "Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on." - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: "The cloud account or organization id used to identify different entities in a multi-tenant environment.\nExamples: AWS account id, Google Cloud ORG Id, or other unique identifier." - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: "Container fields are used for meta information about the specific container that is the source of information.\nThese fields help correlate data based containers from any runtime." - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: "A host is defined as a general computing instance.\nECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes." - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: "Name of the domain of which the host is a member.\nFor example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider." - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: "Hostname of the host.\nIt normally contains what the `hostname` command returns on the host machine." - - name: id - level: core - type: keyword - ignore_above: 1024 - description: "Unique host id.\nAs hostname is not always unique, use values that are meaningful in your environment.\nExample: The current usage of `beat.name`." 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: "Name of the host.\nIt can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use." - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: "Type of host.\nFor Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment." - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - -- name: log.source.address - type: keyword - description: Source address from which the log event was read / sent from. 
diff --git a/packages/fortinet_fortigate/1.2.2/data_stream/log/fields/base-fields.yml b/packages/fortinet_fortigate/1.2.2/data_stream/log/fields/base-fields.yml deleted file mode 100755 index c5f407f099..0000000000 --- a/packages/fortinet_fortigate/1.2.2/data_stream/log/fields/base-fields.yml +++ /dev/null @@ -1,20 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: event.module - type: constant_keyword - description: Event module - value: fortinet -- name: event.dataset - type: constant_keyword - description: Event dataset - value: fortinet_fortigate.log -- name: '@timestamp' - type: date - description: Event timestamp. diff --git a/packages/fortinet_fortigate/1.2.2/data_stream/log/fields/beats.yml b/packages/fortinet_fortigate/1.2.2/data_stream/log/fields/beats.yml deleted file mode 100755 index 05a6db4740..0000000000 --- a/packages/fortinet_fortigate/1.2.2/data_stream/log/fields/beats.yml +++ /dev/null @@ -1,15 +0,0 @@ -- description: Type of Filebeat input. - name: input.type - type: keyword -- description: Flags for the log file. - name: log.flags - type: keyword -- description: Offset of the entry in the log file. - name: log.offset - type: long -- description: Path to the log file. - name: log.file.path - type: keyword -- description: Log message optimized for viewing in a log viewer. - name: event.message - type: text diff --git a/packages/fortinet_fortigate/1.2.2/data_stream/log/fields/ecs.yml b/packages/fortinet_fortigate/1.2.2/data_stream/log/fields/ecs.yml deleted file mode 100755 index f36917b4ae..0000000000 --- a/packages/fortinet_fortigate/1.2.2/data_stream/log/fields/ecs.yml +++ /dev/null 
@@ -1,487 +0,0 @@ -- description: Unique container id. - name: container.id - type: keyword -- description: |- - Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: destination.address - type: keyword -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: destination.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: destination.as.organization.name - type: keyword -- description: Bytes sent from the destination to the source. - name: destination.bytes - type: long -- description: |- - The domain name of the destination system. - This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. - name: destination.domain - type: keyword -- description: City name. - name: destination.geo.city_name - type: keyword -- description: Name of the continent. - name: destination.geo.continent_name - type: keyword -- description: Country ISO code. - name: destination.geo.country_iso_code - type: keyword -- description: Country name. - name: destination.geo.country_name - type: keyword -- description: Longitude and latitude. - name: destination.geo.location - type: geo_point -- description: |- - User-defined description of a location, at the level of granularity they care about. - Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. - Not typically used in automated geolocation. - name: destination.geo.name - type: keyword -- description: Region ISO code. 
- name: destination.geo.region_iso_code - type: keyword -- description: Region name. - name: destination.geo.region_name - type: keyword -- description: IP address of the destination (IPv4 or IPv6). - name: destination.ip - type: ip -- description: |- - Translated ip of destination based NAT sessions (e.g. internet to private DMZ) - Typically used with load balancers, firewalls, or routers. - name: destination.nat.ip - type: ip -- description: |- - Port the source session is translated to by NAT Device. - Typically used with load balancers, firewalls, or routers. - name: destination.nat.port - type: long -- description: Packets sent from the destination to the source. - name: destination.packets - type: long -- description: Port of the destination. - name: destination.port - type: long -- description: User email address. - name: destination.user.email - type: keyword -- description: Short name or login of the user. - multi_fields: - - name: text - type: match_only_text - name: destination.user.name - type: keyword -- description: The DNS packet identifier assigned by the program that generated the query. The identifier is copied to the response. - name: dns.id - type: keyword -- description: The class of records being queried. - name: dns.question.class - type: keyword -- description: |- - The name being queried. - If the name field contains non-printable characters (below 32 or above 126), those characters should be represented as escaped base 10 integers (\DDD). Back slashes and quotes should be escaped. Tabs, carriage returns, and line feeds should be converted to \t, \r, and \n respectively. - name: dns.question.name - type: keyword -- description: The type of record being queried. - name: dns.question.type - type: keyword -- description: |- - Array containing all IPs seen in `answers.data`. - The `answers` array can be difficult to use, because of the variety of data formats it can contain. 
Extracting all IP addresses seen in there to `dns.resolved_ip` makes it possible to index them as IP addresses, and makes them easier to visualize and query for. - name: dns.resolved_ip - normalize: - - array - type: ip -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: The email address of CC recipient - name: email.cc.address - normalize: - - array - type: keyword -- description: The email address of the sender, typically from the RFC 5322 `From:` header field. - name: email.from.address - normalize: - - array - type: keyword -- description: Per RFC 5322, specifies the address responsible for the actual transmission of the message. - name: email.sender.address - type: keyword -- description: The email address of recipient - name: email.to.address - normalize: - - array - type: keyword -- description: A brief summary of the topic of the message. - multi_fields: - - name: text - type: match_only_text - name: email.subject - type: keyword -- description: Error code describing the error. - name: error.code - type: keyword -- description: Error message. - name: error.message - type: match_only_text -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. This will allow proper categorization of some events that fall in multiple categories. 
- name: event.category - normalize: - - array - type: keyword -- description: |- - Identification code for this event, if one exists. - Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. - name: event.code - type: keyword -- description: |- - Name of the dataset. - If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. - It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. - name: event.dataset - type: keyword -- description: |- - Duration of the event in nanoseconds. - If event.start and event.end are known this value should be the difference between the end and start time. - name: event.duration - type: long -- description: |- - Timestamp when an event arrived in the central data store. - This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. - In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. - name: event.ingested - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. 
- name: event.kind - type: keyword -- description: |- - Name of the module this data is coming from. - If your monitoring agent supports the concept of modules or plugins to process events of a given source (e.g. Apache logs), `event.module` should contain the name of this module. - name: event.module - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. - `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. - Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. - Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. - Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. - name: event.outcome - type: keyword -- description: |- - Reference URL linking to additional information about this event. - This URL links to a static definition of this event. Alert events, indicated by `event.kind:alert`, are a common use case for this field. - name: event.reference - type: keyword -- description: event.start contains the date when the event started or when the activity was first observed. - name: event.start - type: date -- description: |- - This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. - Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. 
"EST") or an HH:mm differential (e.g. "-05:00"). - name: event.timezone - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. - `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. This will allow proper categorization of some events that fall in multiple event types. - name: event.type - normalize: - - array - type: keyword -- description: |- - File extension, excluding the leading dot. - Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). - name: file.extension - type: keyword -- description: Name of the file including the extension, without the directory. - name: file.name - type: keyword -- description: |- - File size in bytes. - Only relevant when `file.type` is "file". - name: file.size - type: long -- description: |- - Original log level of the log event. - If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). - Some examples are `warn`, `err`, `i`, `informational`. - name: log.level - type: keyword -- description: |- - The Syslog numeric facility of the log event, if available. - According to RFCs 5424 and 3164, this value should be an integer between 0 and 23. - name: log.syslog.facility.code - type: long -- description: |- - Syslog numeric priority of the event, if available. - According to RFCs 5424 and 3164, the priority is 8 * facility + severity. This number is therefore expected to contain a value between 0 and 191. - name: log.syslog.priority - type: long -- description: |- - The Syslog numeric severity of the log event, if available. 
- If the event source publishing via Syslog provides a different numeric severity value (e.g. firewall, IDS), your source's numeric severity should go to `event.severity`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `event.severity`. - name: log.syslog.severity.code - type: long -- description: |- - For log events the message field contains the log message, optimized for viewing in a log viewer. - For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. - If multiple messages exist, they can be combined into one message. - name: message - type: match_only_text -- description: |- - When a specific application or service is identified from network connection details (source/dest IPs, ports, certificates, or wire format), this field captures the application's or service's name. - For example, the original event identifies the network connection being from a specific web service in a `https` network connection, like `facebook` or `twitter`. - The field value must be normalized to lowercase for querying. - name: network.application - type: keyword -- description: |- - Total bytes transferred in both directions. - If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. - name: network.bytes - type: long -- description: |- - Direction of the network traffic. - Recommended values are: - * ingress - * egress - * inbound - * outbound - * internal - * external - * unknown - - When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". - When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". 
- Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. - name: network.direction - type: keyword -- description: IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. - name: network.iana_number - type: keyword -- description: |- - Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) - The field value must be normalized to lowercase for querying. - name: network.transport - type: keyword -- description: |- - Total packets transferred in both directions. - If `source.packets` and `destination.packets` are known, `network.packets` is their sum. - name: network.packets - type: long -- description: |- - In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. - The field value must be normalized to lowercase for querying. - name: network.protocol - type: keyword -- description: Interface name as reported by the system. - name: observer.egress.interface.name - type: keyword -- description: Interface name as reported by the system. - name: observer.ingress.interface.name - type: keyword -- description: |- - Custom name of the observer. - This is a name that can be given to an observer. This can be helpful for example if multiple firewalls of the same model are used in an organization. - If no custom name is needed, the field can be left empty. - name: observer.name - type: keyword -- description: The product name of the observer. - name: observer.product - type: keyword -- description: Observer serial number. 
- name: observer.serial_number - type: keyword -- description: |- - The type of the observer the data is coming from. - There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. - name: observer.type - type: keyword -- description: Vendor name of the observer. - name: observer.vendor - type: keyword -- description: All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). - name: related.hash - normalize: - - array - type: keyword -- description: All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. - name: related.hosts - normalize: - - array - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - normalize: - - array - type: ip -- description: All the user names or other user identifiers seen on the event. - name: related.user - normalize: - - array - type: keyword -- description: A categorization value keyword used by the entity using the rule for detection of this event. - name: rule.category - type: keyword -- description: The description of the rule generating the event. - name: rule.description - type: keyword -- description: A rule ID that is unique within the scope of an agent, observer, or other entity using the rule for detection of this event. - name: rule.id - type: keyword -- description: The name of the rule or signature generating the event. - name: rule.name - type: keyword -- description: Name of the ruleset, policy, group, or parent category in which the rule used to generate this event is a member. - name: rule.ruleset - type: keyword -- description: A rule ID that is unique within the scope of a set or group of agents, observers, or other entities using the rule for detection of this event. 
- name: rule.uuid - type: keyword -- description: |- - Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: source.address - type: keyword -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: source.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: source.as.organization.name - type: keyword -- description: Bytes sent from the source to the destination. - name: source.bytes - type: long -- description: City name. - name: source.geo.city_name - type: keyword -- description: Name of the continent. - name: source.geo.continent_name - type: keyword -- description: Country ISO code. - name: source.geo.country_iso_code - type: keyword -- description: Country name. - name: source.geo.country_name - type: keyword -- description: Longitude and latitude. - name: source.geo.location - type: geo_point -- description: |- - User-defined description of a location, at the level of granularity they care about. - Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. - Not typically used in automated geolocation. - name: source.geo.name - type: keyword -- description: Region ISO code. - name: source.geo.region_iso_code - type: keyword -- description: Region name. - name: source.geo.region_name - type: keyword -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: |- - MAC address of the source. - The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. 
Successive octets are separated by a hyphen. - name: source.mac - pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ - type: keyword -- description: |- - Translated ip of source based NAT sessions (e.g. internal client to internet) - Typically connections traversing load balancers, firewalls, or routers. - name: source.nat.ip - type: ip -- description: |- - Translated port of source based NAT sessions. (e.g. internal client to internet) - Typically used with load balancers, firewalls, or routers. - name: source.nat.port - type: long -- description: Packets sent from the source to the destination. - name: source.packets - type: long -- description: Port of the source. - name: source.port - type: long -- description: User email address. - name: source.user.email - type: keyword -- description: Name of the group. - name: source.user.group.name - type: keyword -- description: Short name or login of the user. - multi_fields: - - name: text - type: match_only_text - name: source.user.name - type: keyword -- description: List of keywords used to tag each event. - name: tags - normalize: - - array - type: keyword -- description: Distinguished name of subject of the issuer of the x.509 certificate presented by the client. - name: tls.client.issuer - type: keyword -- description: Also called an SNI, this tells the server which hostname to which the client is attempting to connect to. When this value is available, it should get copied to `destination.domain`. - name: tls.client.server_name - type: keyword -- description: List of common name (CN) of issuing certificate authority. - name: tls.client.x509.issuer.common_name - normalize: - - array - type: keyword -- description: Subject of the issuer of the x.509 certificate presented by the server. - name: tls.server.issuer - type: keyword -- description: List of common name (CN) of issuing certificate authority. 
- name: tls.server.x509.issuer.common_name - normalize: - - array - type: keyword -- description: List of common names (CN) of subject. - name: tls.server.x509.subject.common_name - normalize: - - array - type: keyword -- description: |- - Domain of the url, such as "www.elastic.co". - In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. - If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. - name: url.domain - type: keyword -- description: Path of the request, such as "/search". - name: url.path - type: wildcard -- description: Unparsed user_agent string. - multi_fields: - - name: text - type: match_only_text - name: user_agent.original - type: keyword -- description: |- - The type of system or architecture that the vulnerability affects. These may be platform-specific (for example, Debian or SUSE) or general (for example, Database or Firewall). For example (https://qualysguard.qualys.com/qwebhelp/fo_portal/knowledgebase/vulnerability_categories.htm[Qualys vulnerability categories]) - This field must be an array. - name: vulnerability.category - normalize: - - array - type: keyword diff --git a/packages/fortinet_fortigate/1.2.2/data_stream/log/fields/fields.yml b/packages/fortinet_fortigate/1.2.2/data_stream/log/fields/fields.yml deleted file mode 100755 index d7fa9c281c..0000000000 --- a/packages/fortinet_fortigate/1.2.2/data_stream/log/fields/fields.yml +++ /dev/null 
@@ -1,1727 +0,0 @@ -- name: fortinet - type: group - fields: - - name: file.hash.crc32 - type: keyword - description: | - CRC32 Hash of file - - name: firewall - type: group - release: beta - fields: - - name: acct_stat - type: keyword - description: | - Accounting state (RADIUS) - - name: acktime - type: keyword - description: | - Alarm Acknowledge Time - - name: act - type: keyword - description: | - Action - - name: action - type: keyword - description: | - Status of the session - - name: activity - type: keyword - description: | - HA activity message - - name: addr - type: ip - description: | - IP Address - - name: addr_type - type: keyword - description: | - Address Type - - name: addrgrp - type: keyword - description: | - Address Group - - name: adgroup - type: keyword - description: | - AD Group Name - - name: admin - type: keyword - description: | - Admin User - - name: age - type: integer - description: | - Time in seconds - time passed since last seen - - name: agent - type: keyword - description: | - User agent - eg. 
agent="Mozilla/5.0" - - name: alarmid - type: integer - description: | - Alarm ID - - name: alert - type: keyword - description: | - Alert - - name: analyticscksum - type: keyword - description: | - The checksum of the file submitted for analytics - - name: analyticssubmit - type: keyword - description: | - The flag for analytics submission - - name: ap - type: keyword - description: | - Access Point - - name: app-type - type: keyword - description: | - Address Type - - name: appact - type: keyword - description: | - The security action from app control - - name: appid - type: integer - description: | - Application ID - - name: applist - type: keyword - description: | - Application Control profile - - name: apprisk - type: keyword - description: | - Application Risk Level - - name: apscan - type: keyword - description: | - The name of the AP, which scanned and detected the rogue AP - - name: apsn - type: keyword - description: | - Access Point - - name: apstatus - type: keyword - description: | - Access Point status - - name: aptype - type: keyword - description: | - Access Point type - - name: assigned - type: ip - description: | - Assigned IP Address - - name: assignip - type: ip - description: | - Assigned IP Address - - name: attachment - type: keyword - description: | - The flag for email attachement - - name: attack - type: keyword - description: | - Attack Name - - name: attackcontext - type: keyword - description: | - The trigger patterns and the packetdata with base64 encoding - - name: attackcontextid - type: keyword - description: | - Attack context id / total - - name: attackid - type: integer - description: | - Attack ID - - name: auditid - type: long - description: | - Audit ID - - name: auditscore - type: keyword - description: | - The Audit Score - - name: audittime - type: long - description: | - The time of the audit - - name: authgrp - type: keyword - description: | - Authorization Group - - name: authid - type: keyword - description: | - 
Authentication ID - - name: authproto - type: keyword - description: | - The protocol that initiated the authentication - - name: authserver - type: keyword - description: | - Authentication server - - name: bandwidth - type: keyword - description: | - Bandwidth - - name: banned_rule - type: keyword - description: | - NAC quarantine Banned Rule Name - - name: banned_src - type: keyword - description: | - NAC quarantine Banned Source IP - - name: banword - type: keyword - description: | - Banned word - - name: botnetdomain - type: keyword - description: | - Botnet Domain Name - - name: botnetip - type: ip - description: | - Botnet IP Address - - name: bssid - type: keyword - description: | - Service Set ID - - name: call_id - type: keyword - description: | - Caller ID - - name: carrier_ep - type: keyword - description: | - The FortiOS Carrier end-point identification - - name: cat - type: integer - description: | - DNS category ID - - name: category - type: keyword - description: | - Authentication category - - name: cc - type: keyword - description: | - CC Email Address - - name: cdrcontent - type: keyword - description: | - Cdrcontent - - name: centralnatid - type: integer - description: | - Central NAT ID - - name: cert - type: keyword - description: | - Certificate - - name: cert-type - type: keyword - description: | - Certificate type - - name: certhash - type: keyword - description: | - Certificate hash - - name: cfgattr - type: keyword - description: | - Configuration attribute - - name: cfgobj - type: keyword - description: | - Configuration object - - name: cfgpath - type: keyword - description: | - Configuration path - - name: cfgtid - type: keyword - description: | - Configuration transaction ID - - name: cfgtxpower - type: integer - description: | - Configuration TX power - - name: channel - type: integer - description: | - Wireless Channel - - name: channeltype - type: keyword - description: | - SSH channel type - - name: chassisid - type: integer - 
description: | - Chassis ID - - name: checksum - type: keyword - description: | - The checksum of the scanned file - - name: chgheaders - type: keyword - description: | - HTTP Headers - - name: cldobjid - type: keyword - description: | - Connector object ID - - name: client_addr - type: keyword - description: | - Wifi client address - - name: cloudaction - type: keyword - description: | - Cloud Action - - name: clouduser - type: keyword - description: | - Cloud User - - name: column - type: integer - description: | - VOIP Column - - name: command - type: keyword - description: | - CLI Command - - name: community - type: keyword - description: | - SNMP Community - - name: configcountry - type: keyword - description: | - Configuration country - - name: connection_type - type: keyword - description: | - FortiClient Connection Type - - name: conserve - type: keyword - description: | - Flag for conserve mode - - name: constraint - type: keyword - description: | - WAF http protocol restrictions - - name: contentdisarmed - type: keyword - description: | - Email scanned content - - name: contenttype - type: keyword - description: | - Content Type from HTTP header - - name: cookies - type: keyword - description: | - VPN Cookie - - name: count - type: integer - description: | - Counts of action type - - name: countapp - type: integer - description: | - Number of App Ctrl logs associated with the session - - name: countav - type: integer - description: | - Number of AV logs associated with the session - - name: countcifs - type: integer - description: | - Number of CIFS logs associated with the session - - name: countdlp - type: integer - description: | - Number of DLP logs associated with the session - - name: countdns - type: integer - description: | - Number of DNS logs associated with the session - - name: countemail - type: integer - description: | - Number of email logs associated with the session - - name: countff - type: integer - description: | - Number of ff logs 
associated with the session - - name: countips - type: integer - description: | - Number of IPS logs associated with the session - - name: countssh - type: integer - description: | - Number of SSH logs associated with the session - - name: countssl - type: integer - description: | - Number of SSL logs associated with the session - - name: countwaf - type: integer - description: | - Number of WAF logs associated with the session - - name: countweb - type: integer - description: | - Number of Web filter logs associated with the session - - name: cpu - type: integer - description: | - CPU Usage - - name: craction - type: integer - description: | - Client Reputation Action - - name: criticalcount - type: integer - description: | - Number of critical ratings - - name: crl - type: keyword - description: | - Client Reputation Level - - name: crlevel - type: keyword - description: | - Client Reputation Level - - name: crscore - type: integer - description: | - Some description - - name: cveid - type: keyword - description: | - CVE ID - - name: daemon - type: keyword - description: | - Daemon name - - name: datarange - type: keyword - description: | - Data range for reports - - name: date - type: keyword - description: | - Date - - name: ddnsserver - type: ip - description: | - DDNS server - - name: desc - type: keyword - description: | - Description - - name: detectionmethod - type: keyword - description: | - Detection method - - name: devcategory - type: keyword - description: | - Device category - - name: devintfname - type: keyword - description: | - HA device Interface Name - - name: devtype - type: keyword - description: | - Device type - - name: dhcp_msg - type: keyword - description: | - DHCP Message - - name: dintf - type: keyword - description: | - Destination interface - - name: disk - type: keyword - description: | - Assosciated disk - - name: disklograte - type: long - description: | - Disk logging rate - - name: dlpextra - type: keyword - description: | - DLP 
extra information - - name: docsource - type: keyword - description: | - DLP fingerprint document source - - name: domainctrlauthstate - type: integer - description: | - CIFS domain auth state - - name: domainctrlauthtype - type: integer - description: | - CIFS domain auth type - - name: domainctrldomain - type: keyword - description: | - CIFS domain auth domain - - name: domainctrlip - type: ip - description: | - CIFS Domain IP - - name: domainctrlname - type: keyword - description: | - CIFS Domain name - - name: domainctrlprotocoltype - type: integer - description: | - CIFS Domain connection protocol - - name: domainctrlusername - type: keyword - description: | - CIFS Domain username - - name: domainfilteridx - type: integer - description: | - Domain filter ID - - name: domainfilterlist - type: keyword - description: | - Domain filter name - - name: ds - type: keyword - description: | - Direction with distribution system - - name: dst_int - type: keyword - description: | - Destination interface - - name: dstintfrole - type: keyword - description: | - Destination interface role - - name: dstcountry - type: keyword - description: | - Destination country - - name: dstdevcategory - type: keyword - description: | - Destination device category - - name: dstdevtype - type: keyword - description: | - Destination device type - - name: dstfamily - type: keyword - description: | - Destination OS family - - name: dsthwvendor - type: keyword - description: | - Destination HW vendor - - name: dsthwversion - type: keyword - description: | - Destination HW version - - name: dstinetsvc - type: keyword - description: | - Destination interface service - - name: dstosname - type: keyword - description: | - Destination OS name - - name: dstosversion - type: keyword - description: | - Destination OS version - - name: dstserver - type: integer - description: | - Destination server - - name: dstssid - type: keyword - description: | - Destination SSID - - name: dstswversion - type: 
keyword - description: | - Destination software version - - name: dstunauthusersource - type: keyword - description: | - Destination unauthenticated source - - name: dstuuid - type: keyword - description: | - UUID of the Destination IP address - - name: duid - type: keyword - description: | - DHCP UID - - name: eapolcnt - type: integer - description: | - EAPOL packet count - - name: eapoltype - type: keyword - description: | - EAPOL packet type - - name: encrypt - type: integer - description: | - Whether the packet is encrypted or not - - name: encryption - type: keyword - description: | - Encryption method - - name: epoch - type: integer - description: | - Epoch used for locating file - - name: espauth - type: keyword - description: | - ESP Authentication - - name: esptransform - type: keyword - description: | - ESP Transform - - name: exch - type: keyword - description: | - Mail Exchanges from DNS response answer section - - name: exchange - type: keyword - description: | - Mail Exchanges from DNS response answer section - - name: expectedsignature - type: keyword - description: | - Expected SSL signature - - name: expiry - type: keyword - description: | - FortiGuard override expiry timestamp - - name: fams_pause - type: integer - description: | - Fortinet Analysis and Management Service Pause - - name: fazlograte - type: long - description: | - FortiAnalyzer Logging Rate - - name: fctemssn - type: keyword - description: | - FortiClient Endpoint SSN - - name: fctuid - type: keyword - description: | - FortiClient UID - - name: field - type: keyword - description: | - NTP status field - - name: filefilter - type: keyword - description: | - The filter used to identify the affected file - - name: filehashsrc - type: keyword - description: | - Filehash source - - name: filtercat - type: keyword - description: | - DLP filter category - - name: filteridx - type: integer - description: | - DLP filter ID - - name: filtername - type: keyword - description: | - DLP rule 
name - - name: filtertype - type: keyword - description: | - DLP filter type - - name: fortiguardresp - type: keyword - description: | - Antispam ESP value - - name: forwardedfor - type: keyword - description: | - Email address forwarded - - name: fqdn - type: keyword - description: | - FQDN - - name: frametype - type: keyword - description: | - Wireless frametype - - name: freediskstorage - type: integer - description: | - Free disk integer - - name: from - type: keyword - description: | - From email address - - name: from_vcluster - type: integer - description: | - Source virtual cluster number - - name: fsaverdict - type: keyword - description: | - FSA verdict - - name: fwserver_name - type: keyword - description: | - Web proxy server name - - name: gateway - type: ip - description: | - Gateway ip address for PPPoE status report - - name: green - type: keyword - description: | - Memory status - - name: groupid - type: integer - description: | - User Group ID - - name: ha-prio - type: integer - description: | - HA Priority - - name: ha_group - type: keyword - description: | - HA Group - - name: ha_role - type: keyword - description: | - HA Role - - name: handshake - type: keyword - description: | - SSL Handshake - - name: hash - type: keyword - description: | - Hash value of downloaded file - - name: hbdn_reason - type: keyword - description: | - Heartbeat down reason - - name: highcount - type: integer - description: | - Highcount fabric summary - - name: host - type: keyword - description: | - Hostname - - name: iaid - type: keyword - description: | - DHCPv6 id - - name: icmpcode - type: keyword - description: | - Destination Port of the ICMP message - - name: icmpid - type: keyword - description: | - Source port of the ICMP message - - name: icmptype - type: keyword - description: | - The type of ICMP message - - name: identifier - type: integer - description: | - Network traffic identifier - - name: in_spi - type: keyword - description: | - IPSEC inbound SPI 
- - name: incidentserialno - type: integer - description: | - Incident serial number - - name: infected - type: integer - description: | - Infected MMS - - name: infectedfilelevel - type: integer - description: | - DLP infected file level - - name: informationsource - type: keyword - description: | - Information source - - name: init - type: keyword - description: | - IPSEC init stage - - name: initiator - type: keyword - description: | - Original login user name for Fortiguard override - - name: interface - type: keyword - description: | - Related interface - - name: intf - type: keyword - description: | - Related interface - - name: invalidmac - type: keyword - description: | - The MAC address with invalid OUI - - name: ip - type: ip - description: | - Related IP - - name: iptype - type: keyword - description: | - Related IP type - - name: keyword - type: keyword - description: | - Keyword used for search - - name: kind - type: keyword - description: | - VOIP kind - - name: lanin - type: long - description: | - LAN incoming traffic in bytes - - name: lanout - type: long - description: | - LAN outbound traffic in bytes - - name: lease - type: integer - description: | - DHCP lease - - name: license_limit - type: keyword - description: | - Maximum Number of FortiClients for the License - - name: limit - type: integer - description: | - Virtual Domain Resource Limit - - name: line - type: keyword - description: | - VOIP line - - name: live - type: integer - description: | - Time in seconds - - name: local - type: ip - description: | - Local IP for a PPPD Connection - - name: log - type: keyword - description: | - Log message - - name: login - type: keyword - description: | - SSH login - - name: lowcount - type: integer - description: | - Fabric lowcount - - name: mac - type: keyword - description: | - DHCP mac address - - name: malform_data - type: integer - description: | - VOIP malformed data - - name: malform_desc - type: keyword - description: | - VOIP malformed 
data description - - name: manuf - type: keyword - description: | - Manufacturer name - - name: masterdstmac - type: keyword - description: | - Master mac address for a host with multiple network interfaces - - name: mastersrcmac - type: keyword - description: | - The master MAC address for a host that has multiple network interfaces - - name: mediumcount - type: integer - description: | - Fabric medium count - - name: mem - type: integer - description: | - Memory usage system statistics - - name: meshmode - type: keyword - description: | - Wireless mesh mode - - name: message_type - type: keyword - description: | - VOIP message type - - name: method - type: keyword - description: | - HTTP method - - name: mgmtcnt - type: integer - description: | - The number of unauthorized client flooding managemet frames - - name: mode - type: keyword - description: | - IPSEC mode - - name: module - type: keyword - description: | - PCI-DSS module - - name: monitor-name - type: keyword - description: | - Health Monitor Name - - name: monitor-type - type: keyword - description: | - Health Monitor Type - - name: mpsk - type: keyword - description: | - Wireless MPSK - - name: msgproto - type: keyword - description: | - Message Protocol Number - - name: mtu - type: integer - description: | - Max Transmission Unit Value - - name: name - type: keyword - description: | - Name - - name: nat - type: keyword - description: | - NAT IP Address - - name: netid - type: keyword - description: | - Connector NetID - - name: new_status - type: keyword - description: | - New status on user change - - name: new_value - type: keyword - description: | - New Virtual Domain Name - - name: newchannel - type: integer - description: | - New Channel Number - - name: newchassisid - type: integer - description: | - New Chassis ID - - name: newslot - type: integer - description: | - New Slot Number - - name: nextstat - type: integer - description: | - Time interval in seconds for the next statistics. 
- - name: nf_type - type: keyword - description: | - Notification Type - - name: noise - type: integer - description: | - Wifi Noise - - name: old_status - type: keyword - description: | - Original Status - - name: old_value - type: keyword - description: | - Original Virtual Domain name - - name: oldchannel - type: integer - description: | - Original channel - - name: oldchassisid - type: integer - description: | - Original Chassis Number - - name: oldslot - type: integer - description: | - Original Slot Number - - name: oldsn - type: keyword - description: | - Old Serial number - - name: oldwprof - type: keyword - description: | - Old Web Filter Profile - - name: onwire - type: keyword - description: | - A flag to indicate if the AP is onwire or not - - name: opercountry - type: keyword - description: | - Operating Country - - name: opertxpower - type: integer - description: | - Operating TX power - - name: osname - type: keyword - description: | - Operating System name - - name: osversion - type: keyword - description: | - Operating System version - - name: out_spi - type: keyword - description: | - Out SPI - - name: outintf - type: keyword - description: | - Out interface - - name: passedcount - type: integer - description: | - Fabric passed count - - name: passwd - type: keyword - description: | - Changed user password information - - name: path - type: keyword - description: | - Path of looped configuration for security fabric - - name: peer - type: keyword - description: | - WAN optimization peer - - name: peer_notif - type: keyword - description: | - VPN peer notification - - name: phase2_name - type: keyword - description: | - VPN phase2 name - - name: phone - type: keyword - description: | - VOIP Phone - - name: pid - type: integer - description: | - Process ID - - name: policytype - type: keyword - description: | - Policy Type - - name: poolname - type: keyword - description: | - IP Pool name - - name: port - type: integer - description: | - Log upload 
error port - - name: portbegin - type: integer - description: | - IP Pool port number to begin - - name: portend - type: integer - description: | - IP Pool port number to end - - name: probeproto - type: keyword - description: | - Link Monitor Probe Protocol - - name: process - type: keyword - description: | - URL Filter process - - name: processtime - type: integer - description: | - Process time for reports - - name: profile - type: keyword - description: | - Profile Name - - name: profile_vd - type: keyword - description: | - Virtual Domain Name - - name: profilegroup - type: keyword - description: | - Profile Group Name - - name: profiletype - type: keyword - description: | - Profile Type - - name: qtypeval - type: integer - description: | - DNS question type value - - name: quarskip - type: keyword - description: | - Quarantine skip explanation - - name: quotaexceeded - type: keyword - description: | - If quota has been exceeded - - name: quotamax - type: long - description: | - Maximum quota allowed - in seconds if time-based - in bytes if traffic-based - - name: quotatype - type: keyword - description: | - Quota type - - name: quotaused - type: long - description: | - Quota used - in seconds if time-based - in bytes if trafficbased) - - name: radioband - type: keyword - description: | - Radio band - - name: radioid - type: integer - description: | - Radio ID - - name: radioidclosest - type: integer - description: | - Radio ID on the AP closest the rogue AP - - name: radioiddetected - type: integer - description: | - Radio ID on the AP which detected the rogue AP - - name: rate - type: keyword - description: | - Wireless rogue rate value - - name: rawdata - type: keyword - description: | - Raw data value - - name: rawdataid - type: keyword - description: | - Raw data ID - - name: rcvddelta - type: keyword - description: | - Received bytes delta - - name: reason - type: keyword - description: | - Alert reason - - name: received - type: integer - description: | 
- Server key exchange received - - name: receivedsignature - type: keyword - description: | - Server key exchange received signature - - name: red - type: keyword - description: | - Memory information in red - - name: referralurl - type: keyword - description: | - Web filter referralurl - - name: remote - type: ip - description: | - Remote PPP IP address - - name: remotewtptime - type: keyword - description: | - Remote Wifi Radius authentication time - - name: reporttype - type: keyword - description: | - Report type - - name: reqtype - type: keyword - description: | - Request type - - name: request_name - type: keyword - description: | - VOIP request name - - name: result - type: keyword - description: | - VPN phase result - - name: role - type: keyword - description: | - VPN Phase 2 role - - name: rssi - type: integer - description: | - Received signal strength indicator - - name: rsso_key - type: keyword - description: | - RADIUS SSO attribute value - - name: ruledata - type: keyword - description: | - Rule data - - name: ruletype - type: keyword - description: | - Rule type - - name: scanned - type: integer - description: | - Number of Scanned MMSs - - name: scantime - type: long - description: | - Scanned time - - name: scope - type: keyword - description: | - FortiGuard Override Scope - - name: security - type: keyword - description: | - Wireless rogue security - - name: sensitivity - type: keyword - description: | - Sensitivity for document fingerprint - - name: sensor - type: keyword - description: | - NAC Sensor Name - - name: sentdelta - type: keyword - description: | - Sent bytes delta - - name: seq - type: keyword - description: | - Sequence number - - name: serial - type: keyword - description: | - WAN optimisation serial - - name: serialno - type: keyword - description: | - Serial number - - name: server - type: keyword - description: | - AD server FQDN or IP - - name: session_id - type: keyword - description: | - Session ID - - name: sessionid - 
type: integer - description: | - WAD Session ID - - name: setuprate - type: long - description: | - Session Setup Rate - - name: severity - type: keyword - description: | - Severity - - name: shaperdroprcvdbyte - type: integer - description: | - Received bytes dropped by shaper - - name: shaperdropsentbyte - type: integer - description: | - Sent bytes dropped by shaper - - name: shaperperipdropbyte - type: integer - description: | - Dropped bytes per IP by shaper - - name: shaperperipname - type: keyword - description: | - Traffic shaper name (per IP) - - name: shaperrcvdname - type: keyword - description: | - Traffic shaper name for received traffic - - name: shapersentname - type: keyword - description: | - Traffic shaper name for sent traffic - - name: shapingpolicyid - type: integer - description: | - Traffic shaper policy ID - - name: signal - type: integer - description: | - Wireless rogue API signal - - name: size - type: long - description: | - Email size in bytes - - name: slot - type: integer - description: | - Slot number - - name: sn - type: keyword - description: | - Security fabric serial number - - name: snclosest - type: keyword - description: | - SN of the AP closest to the rogue AP - - name: sndetected - type: keyword - description: | - SN of the AP which detected the rogue AP - - name: snmeshparent - type: keyword - description: | - SN of the mesh parent - - name: spi - type: keyword - description: | - IPSEC SPI - - name: src_int - type: keyword - description: | - Source interface - - name: srcintfrole - type: keyword - description: | - Source interface role - - name: srccountry - type: keyword - description: | - Source country - - name: srcfamily - type: keyword - description: | - Source family - - name: srchwvendor - type: keyword - description: | - Source hardware vendor - - name: srchwversion - type: keyword - description: | - Source hardware version - - name: srcinetsvc - type: keyword - description: | - Source interface service - - name: 
srcname - type: keyword - description: | - Source name - - name: srcserver - type: integer - description: | - Source server - - name: srcssid - type: keyword - description: | - Source SSID - - name: srcswversion - type: keyword - description: | - Source software version - - name: srcuuid - type: keyword - description: | - Source UUID - - name: sscname - type: keyword - description: | - SSC name - - name: ssid - type: keyword - description: | - Base Service Set ID - - name: sslaction - type: keyword - description: | - SSL Action - - name: ssllocal - type: keyword - description: | - WAD SSL local - - name: sslremote - type: keyword - description: | - WAD SSL remote - - name: stacount - type: integer - description: | - Number of stations/clients - - name: stage - type: keyword - description: | - IPSEC stage - - name: stamac - type: keyword - description: | - 802.1x station mac - - name: state - type: keyword - description: | - Admin login state - - name: status - type: keyword - description: | - Status - - name: stitch - type: keyword - description: | - Automation stitch triggered - - name: subject - type: keyword - description: | - Email subject - - name: submodule - type: keyword - description: | - Configuration Sub-Module Name - - name: subservice - type: keyword - description: | - AV subservice - - name: subtype - type: keyword - description: | - Log subtype - - name: suspicious - type: integer - description: | - Number of Suspicious MMSs - - name: switchproto - type: keyword - description: | - Protocol change information - - name: sync_status - type: keyword - description: | - The sync status with the master - - name: sync_type - type: keyword - description: | - The sync type with the master - - name: sysuptime - type: keyword - description: | - System uptime - - name: tamac - type: keyword - description: | - the MAC address of Transmitter, if none, then Receiver - - name: threattype - type: keyword - description: | - WIDS threat type - - name: time - type: 
keyword - description: | - Time of the event - - name: to - type: keyword - description: | - Email to field - - name: to_vcluster - type: integer - description: | - destination virtual cluster number - - name: total - type: integer - description: | - Total memory - - name: totalsession - type: integer - description: | - Total Number of Sessions - - name: trace_id - type: keyword - description: | - Session clash trace ID - - name: trandisp - type: keyword - description: | - NAT translation type - - name: transid - type: integer - description: | - HTTP transaction ID - - name: translationid - type: keyword - description: | - DNS filter transaltion ID - - name: trigger - type: keyword - description: | - Automation stitch trigger - - name: trueclntip - type: ip - description: | - File filter true client IP - - name: tunnelid - type: integer - description: | - IPSEC tunnel ID - - name: tunnelip - type: ip - description: | - IPSEC tunnel IP - - name: tunneltype - type: keyword - description: | - IPSEC tunnel type - - name: type - type: keyword - description: | - Module type - - name: ui - type: keyword - description: | - Admin authentication UI type - - name: unauthusersource - type: keyword - description: | - Unauthenticated user source - - name: unit - type: integer - description: | - Power supply unit - - name: urlfilteridx - type: integer - description: | - URL filter ID - - name: urlfilterlist - type: keyword - description: | - URL filter list - - name: urlsource - type: keyword - description: | - URL filter source - - name: urltype - type: keyword - description: | - URL filter type - - name: used - type: integer - description: | - Number of Used IPs - - name: used_for_type - type: integer - description: | - Connection for the type - - name: utmaction - type: keyword - description: | - Security action performed by UTM - - name: vap - type: keyword - description: | - Virtual AP - - name: vapmode - type: keyword - description: | - Virtual AP mode - - name: vcluster - 
type: integer - description: | - virtual cluster id - - name: vcluster_member - type: integer - description: | - Virtual cluster member - - name: vcluster_state - type: keyword - description: | - Virtual cluster state - - name: vd - type: keyword - description: | - Virtual Domain Name - - name: vdname - type: keyword - description: | - Virtual Domain Name - - name: vendorurl - type: keyword - description: | - Vulnerability scan vendor name - - name: version - type: keyword - description: | - Version - - name: vip - type: keyword - description: | - Virtual IP - - name: virus - type: keyword - description: | - Virus name - - name: virusid - type: integer - description: | - Virus ID (unique virus identifier) - - name: voip_proto - type: keyword - description: | - VOIP protocol - - name: vpn - type: keyword - description: | - VPN description - - name: vpntunnel - type: keyword - description: | - IPsec Vpn Tunnel Name - - name: vpntype - type: keyword - description: | - The type of the VPN tunnel - - name: vrf - type: integer - description: | - VRF number - - name: vulncat - type: keyword - description: | - Vulnerability Category - - name: vulnid - type: integer - description: | - Vulnerability ID - - name: vulnname - type: keyword - description: | - Vulnerability name - - name: vwlid - type: integer - description: | - VWL ID - - name: vwlquality - type: keyword - description: | - VWL quality - - name: vwlservice - type: keyword - description: | - VWL service - - name: vwpvlanid - type: integer - description: | - VWP VLAN ID - - name: wanin - type: long - description: | - WAN incoming traffic in bytes - - name: wanoptapptype - type: keyword - description: | - WAN Optimization Application type - - name: wanout - type: long - description: | - WAN outgoing traffic in bytes - - name: weakwepiv - type: keyword - description: | - Weak Wep Initiation Vector - - name: xauthgroup - type: keyword - description: | - XAuth Group Name - - name: xauthuser - type: keyword - 
description: | - XAuth User Name - - name: xid - type: integer - description: | - Wireless X ID diff --git a/packages/fortinet_fortigate/1.2.2/data_stream/log/manifest.yml b/packages/fortinet_fortigate/1.2.2/data_stream/log/manifest.yml deleted file mode 100755 index 64911c6e36..0000000000 --- a/packages/fortinet_fortigate/1.2.2/data_stream/log/manifest.yml +++ /dev/null 
@@ -1,192 +0,0 @@
-type: logs
-title: Fortinet FortiGate logs
-streams:
- - input: tcp
- vars:
- - name: syslog_host
- type: text
- title: Listen Address
- description: The bind address to listen for TCP connections. Set to `0.0.0.0` to bind to all available interfaces.
- multi: false
- required: true
- show_user: true
- default: localhost
- - name: syslog_port
- type: integer
- title: Listen Port
- description: The TCP port number to listen on.
- multi: false
- required: true
- show_user: true
- default: 9004
- - name: tags
- type: text
- title: Tags
- multi: true
- required: true
- show_user: false
- default:
- - fortinet-fortigate
- - fortinet-firewall
- - forwarded
- - name: preserve_original_event
- required: true
- show_user: true
- title: Preserve original event
- description: Preserves a raw copy of the original event, added to the field `event.original`
- type: bool
- multi: false
- default: false
- - name: processors
- type: yaml
- title: Processors
- multi: false
- required: false
- show_user: false
- description: >
- Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
- - name: ssl
- type: yaml
- title: SSL Configuration
- description: i.e. certificate_authorities, supported_protocols, verification_mode etc.
- multi: false
- required: false
- show_user: false
- default: |
- #certificate_authorities:
- # - |
- # -----BEGIN CERTIFICATE-----
- # MIIDCjCCAfKgAwIBAgITJ706Mu2wJlKckpIvkWxEHvEyijANBgkqhkiG9w0BAQsF
- # ADAUMRIwEAYDVQQDDAlsb2NhbGhvc3QwIBcNMTkwNzIyMTkyOTA0WhgPMjExOTA2
- # MjgxOTI5MDRaMBQxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEB
- # BQADggEPADCCAQoCggEBANce58Y/JykI58iyOXpxGfw0/gMvF0hUQAcUrSMxEO6n
- # fZRA49b4OV4SwWmA3395uL2eB2NB8y8qdQ9muXUdPBWE4l9rMZ6gmfu90N5B5uEl
- # 94NcfBfYOKi1fJQ9i7WKhTjlRkMCgBkWPkUokvBZFRt8RtF7zI77BSEorHGQCk9t
- # /D7BS0GJyfVEhftbWcFEAG3VRcoMhF7kUzYwp+qESoriFRYLeDWv68ZOvG7eoWnP
- # PsvZStEVEimjvK5NSESEQa9xWyJOmlOKXhkdymtcUd/nXnx6UTCFgnkgzSdTWV41
- # CI6B6aJ9svCTI2QuoIq2HxX/ix7OvW1huVmcyHVxyUECAwEAAaNTMFEwHQYDVR0O
- # BBYEFPwN1OceFGm9v6ux8G+DZ3TUDYxqMB8GA1UdIwQYMBaAFPwN1OceFGm9v6ux
- # 8G+DZ3TUDYxqMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAG5D
- # 874A4YI7YUwOVsVAdbWtgp1d0zKcPRR+r2OdSbTAV5/gcS3jgBJ3i1BN34JuDVFw
- # 3DeJSYT3nxy2Y56lLnxDeF8CUTUtVQx3CuGkRg1ouGAHpO/6OqOhwLLorEmxi7tA
- # H2O8mtT0poX5AnOAhzVy7QW0D/k4WaoLyckM5hUa6RtvgvLxOwA0U+VGurCDoctu
- # 8F4QOgTAWyh8EZIwaKCliFRSynDpv3JTUwtfZkxo6K6nce1RhCWFAsMvDZL8Dgc0
- # yvgJ38BRsFOtkRuAGSf6ZUwTO8JJRRIFnpUzXflAnGivK9M13D5GEQMmIl6U9Pvk
- # sxSmbIUfc2SGJGCJD4I=
- # -----END CERTIFICATE-----
- - name: tcp_options
- type: yaml
- title: Custom TCP Options
- multi: false
- required: false
- show_user: false
- default: |
- #max_connections: 1
- #framing: delimitier
- #line_delimiter: "\n"
- description: Specify custom configuration options for the TCP input.
- template_path: tcp.yml.hbs
- title: Fortinet firewall logs (tcp)
- description: Collect Fortinet firewall logs using tcp input
- - input: udp
- vars:
- - name: syslog_host
- type: text
- title: Listen Address
- description: The bind address to listen for UDP connections. Set to `0.0.0.0` to bind to all available interfaces.
- multi: false
- required: true
- show_user: true
- default: localhost
- - name: syslog_port
- type: integer
- title: Listen Port
- description: The UDP port number to listen on.
- multi: false
- required: true
- show_user: true
- default: 9004
- - name: tags
- type: text
- title: Tags
- multi: true
- required: true
- show_user: false
- default:
- - fortinet-fortigate
- - fortinet-firewall
- - forwarded
- - name: preserve_original_event
- required: true
- show_user: true
- title: Preserve original event
- description: Preserves a raw copy of the original event, added to the field `event.original`
- type: bool
- multi: false
- default: false
- - name: processors
- type: yaml
- title: Processors
- multi: false
- required: false
- show_user: false
- description: >
- Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
-
- template_path: udp.yml.hbs
- title: Fortinet firewall logs (udp)
- description: Collect Fortinet firewall logs using udp input
- - input: logfile
- enabled: false
- vars:
- - name: paths
- type: text
- title: Paths
- multi: true
- required: false
- show_user: true
- default:
- - /var/log/fortinet-firewall.log
- - name: tags
- type: text
- title: Tags
- multi: true
- required: true
- show_user: false
- default:
- - fortinet-fortigate
- - fortinet-firewall
- - forwarded
- - name: internal_interfaces
- type: text
- title: Internal Interfaces
- multi: true
- required: false
- show_user: false
- - name: external_interfaces
- type: text
- title: External Interfaces
- multi: true
- required: false
- show_user: false
- - name: preserve_original_event
- required: true
- show_user: true
- title: Preserve original event
- description: Preserves a raw copy of the original event, added to the field `event.original`
- type: bool
- multi: false
- default: false
- - name: processors
- type: yaml
- title: Processors
- multi: false
- required: false
- show_user: false
- description: >
- Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
- template_path: log.yml.hbs
- title: Fortinet FortiGate logs (log)
- description: Collect Fortinet FortiGate logs using log input
diff --git a/packages/fortinet_fortigate/1.2.2/data_stream/log/sample_event.json b/packages/fortinet_fortigate/1.2.2/data_stream/log/sample_event.json
deleted file mode 100755
index 8552aba271..0000000000
--- a/packages/fortinet_fortigate/1.2.2/data_stream/log/sample_event.json
+++ /dev/null
@@ -1,143 +0,0 @@
-{
- "@timestamp": "2019-05-15T18:03:36.000Z",
- "agent": {
- "ephemeral_id": "74b27709-c288-4314-b386-659dbc5a62ea",
- "hostname": "docker-fleet-agent",
- "id": "2164018d-05cd-45b4-979d-4032bdd775f6",
- "name": "docker-fleet-agent",
- "type": "filebeat",
- "version": "7.14.0"
- },
- "data_stream": {
- "dataset": "fortinet_fortigate.log",
- "namespace": "ep",
- "type": "logs"
- },
- "destination": {
- "as": {
- "number": 41690,
- "organization": {
- "name": "Dailymotion S.A."
- }
- },
- "geo": {
- "continent_name": "Europe",
- "country_iso_code": "FR",
- "country_name": "France",
- "location": {
- "lat": 48.8582,
- "lon": 2.3387
- }
- },
- "ip": "195.8.215.136",
- "port": 443
- },
- "ecs": {
- "version": "8.2.0"
- },
- "elastic_agent": {
- "id": "7cc48d16-ebf0-44b1-9094-fe2082d8f5a4",
- "snapshot": true,
- "version": "7.14.0"
- },
- "event": {
- "action": "app-ctrl-all",
- "category": [
- "network"
- ],
- "code": "1059028704",
- "dataset": "fortinet_fortigate.log",
- "ingested": "2021-06-03T12:38:44.458586716Z",
- "kind": "event",
- "module": "fortinet",
- "original": "\u003c190\u003edate=2019-05-15 time=18:03:36 logid=\"1059028704\" type=\"utm\" subtype=\"app-ctrl\" eventtype=\"app-ctrl-all\" level=\"information\" vd=\"root\" eventtime=1557968615 appid=40568 srcip=10.1.100.22 dstip=195.8.215.136 srcport=50798 dstport=443 srcintf=\"port10\" srcintfrole=\"lan\" dstintf=\"port9\" dstintfrole=\"wan\" proto=6 service=\"HTTPS\" direction=\"outgoing\" policyid=1 sessionid=4414 applist=\"block-social.media\" appcat=\"Web.Client\" app=\"HTTPS.BROWSER\" action=\"pass\" hostname=\"www.dailymotion.com\" incidentserialno=1962906680 url=\"/\" msg=\"Web.Client: HTTPS.BROWSER,\" apprisk=\"medium\" scertcname=\"*.dailymotion.com\" scertissuer=\"DigiCert SHA2 High Assurance Server CA\"\n",
- "outcome": "success",
- "start": "2019-05-16T01:03:35.000Z",
- "type": [
- "allowed"
- ]
- },
- "fortinet": {
- "firewall": {
- "action": "pass",
- "appid": "40568",
- "apprisk": "medium",
- "dstintfrole": "wan",
- "incidentserialno": "1962906680",
- "sessionid": "4414",
- "srcintfrole": "lan",
- "subtype": "app-ctrl",
- "type": "utm",
- "vd": "root"
- }
- },
- "input": {
- "type": "udp"
- },
- "log": {
- "level": "information",
- "source": {
- "address": "192.168.240.4:54617"
- }
- },
- "message": "Web.Client: HTTPS.BROWSER,",
- "network": {
- "application": "HTTPS.BROWSER",
- "direction": "outbound",
- "iana_number": "6",
- "transport": "tcp",
- "protocol": "https"
- },
- "observer": {
- "egress": {
- "interface": {
- "name": "port9"
- }
- },
- "ingress": {
- "interface": {
- "name": "port10"
- }
- },
- "product": "Fortigate",
- "type": "firewall",
- "vendor": "Fortinet"
- },
- "related": {
- "ip": [
- "10.1.100.22",
- "195.8.215.136"
- ]
- },
- "rule": {
- "category": "Web-Client",
- "id": "1",
- "ruleset": "block-social.media"
- },
- "source": {
- "ip": "10.1.100.22",
- "port": 50798
- },
- "tags": [
- "fortinet-firewall",
- "forwarded",
- "preserve_original_event"
- ],
- "tls": {
- "server": {
- "issuer": "DigiCert SHA2 High Assurance Server CA",
- "x509": {
- "issuer": {
- "common_name": "DigiCert SHA2 High Assurance Server CA"
- },
- "subject": {
- "common_name": "*.dailymotion.com"
- }
- }
- }
- },
- "url": {
- "domain": "www.dailymotion.com",
- "path": "/"
- }
-}
\ No newline at end of file
diff --git a/packages/fortinet_fortigate/1.2.2/docs/README.md b/packages/fortinet_fortigate/1.2.2/docs/README.md
deleted file mode 100755
index d3c7a3ebc5..0000000000
--- a/packages/fortinet_fortigate/1.2.2/docs/README.md
+++ /dev/null
@@ -1,749 +0,0 @@
-# Fortinet FortiGate Integration
-
-This integration is for Fortinet FortiGate logs sent in the syslog format.
-
-## Compatibility
-
-This integration has been tested against FortiOS version 6.0.x and 6.2.x. Versions above this are expected to work but have not been tested.
-
-### Log
-
-The `log` dataset collects JFortinet FortiGate logs.
-
-An example event for `log` looks as following:
-
-```json
-{
- "@timestamp": "2019-05-15T18:03:36.000Z",
- "agent": {
- "ephemeral_id": "74b27709-c288-4314-b386-659dbc5a62ea",
- "hostname": "docker-fleet-agent",
- "id": "2164018d-05cd-45b4-979d-4032bdd775f6",
- "name": "docker-fleet-agent",
- "type": "filebeat",
- "version": "7.14.0"
- },
- "data_stream": {
- "dataset": "fortinet_fortigate.log",
- "namespace": "ep",
- "type": "logs"
- },
- "destination": {
- "as": {
- "number": 41690,
- "organization": {
- "name": "Dailymotion S.A."
- }
- },
- "geo": {
- "continent_name": "Europe",
- "country_iso_code": "FR",
- "country_name": "France",
- "location": {
- "lat": 48.8582,
- "lon": 2.3387
- }
- },
- "ip": "195.8.215.136",
- "port": 443
- },
- "ecs": {
- "version": "8.2.0"
- },
- "elastic_agent": {
- "id": "7cc48d16-ebf0-44b1-9094-fe2082d8f5a4",
- "snapshot": true,
- "version": "7.14.0"
- },
- "event": {
- "action": "app-ctrl-all",
- "category": [
- "network"
- ],
- "code": "1059028704",
- "dataset": "fortinet_fortigate.log",
- "ingested": "2021-06-03T12:38:44.458586716Z",
- "kind": "event",
- "module": "fortinet",
- "original": "\u003c190\u003edate=2019-05-15 time=18:03:36 logid=\"1059028704\" type=\"utm\" subtype=\"app-ctrl\" eventtype=\"app-ctrl-all\" level=\"information\" vd=\"root\" eventtime=1557968615 appid=40568 srcip=10.1.100.22 dstip=195.8.215.136 srcport=50798 dstport=443 srcintf=\"port10\" srcintfrole=\"lan\" dstintf=\"port9\" dstintfrole=\"wan\" proto=6 service=\"HTTPS\" direction=\"outgoing\" policyid=1 sessionid=4414 applist=\"block-social.media\" appcat=\"Web.Client\" app=\"HTTPS.BROWSER\" action=\"pass\" hostname=\"www.dailymotion.com\" incidentserialno=1962906680 url=\"/\" msg=\"Web.Client: HTTPS.BROWSER,\" apprisk=\"medium\" scertcname=\"*.dailymotion.com\" scertissuer=\"DigiCert SHA2 High Assurance Server CA\"\n",
- "outcome": "success",
- "start": "2019-05-16T01:03:35.000Z",
- "type": [
- "allowed"
- ]
- },
- "fortinet": {
- "firewall": {
- "action": "pass",
- "appid": "40568",
- "apprisk": "medium",
- "dstintfrole": "wan",
- "incidentserialno": "1962906680",
- "sessionid": "4414",
- "srcintfrole": "lan",
- "subtype": "app-ctrl",
- "type": "utm",
- "vd": "root"
- }
- },
- "input": {
- "type": "udp"
- },
- "log": {
- "level": "information",
- "source": {
- "address": "192.168.240.4:54617"
- }
- },
- "message": "Web.Client: HTTPS.BROWSER,",
- "network": {
- "application": "HTTPS.BROWSER",
- "direction": "outbound",
- "iana_number": "6",
- "transport": "tcp",
- "protocol": "https"
- },
- "observer": {
- "egress": {
- "interface": {
- "name": "port9"
- }
- },
- "ingress": {
- "interface": {
- "name": "port10"
- }
- },
- "product": "Fortigate",
- "type": "firewall",
- "vendor": "Fortinet"
- },
- "related": {
- "ip": [
- "10.1.100.22",
- "195.8.215.136"
- ]
- },
- "rule": {
- "category": "Web-Client",
- "id": "1",
- "ruleset": "block-social.media"
- },
- "source": {
- "ip": "10.1.100.22",
- "port": 50798
- },
- "tags": [
- "fortinet-firewall",
- "forwarded",
- "preserve_original_event"
- ],
- "tls": {
- "server": {
- "issuer": "DigiCert SHA2 High Assurance Server CA",
- "x509": {
- "issuer": {
- "common_name": "DigiCert SHA2 High Assurance Server CA"
- },
- "subject": {
- "common_name": "*.dailymotion.com"
- }
- }
- }
- },
- "url": {
- "domain": "www.dailymotion.com",
- "path": "/"
- }
-}
-```
-
-**Exported fields**
-
-| Field | Description | Type |
-|---|---|---|
-| @timestamp | Event timestamp. | date |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
-| data_stream.dataset | Data stream dataset. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
-| destination.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long |
-| destination.as.organization.name | Organization name. | keyword |
-| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. | match_only_text |
-| destination.bytes | Bytes sent from the destination to the source. | long |
-| destination.domain | The domain name of the destination system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword |
-| destination.geo.city_name | City name. | keyword |
-| destination.geo.continent_name | Name of the continent. | keyword |
-| destination.geo.country_iso_code | Country ISO code. | keyword |
-| destination.geo.country_name | Country name. | keyword |
-| destination.geo.location | Longitude and latitude. | geo_point |
-| destination.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword |
-| destination.geo.region_iso_code | Region ISO code. | keyword |
-| destination.geo.region_name | Region name. | keyword |
-| destination.ip | IP address of the destination (IPv4 or IPv6). | ip |
-| destination.nat.ip | Translated ip of destination based NAT sessions (e.g. internet to private DMZ) Typically used with load balancers, firewalls, or routers. | ip |
-| destination.nat.port | Port the source session is translated to by NAT Device. Typically used with load balancers, firewalls, or routers. | long |
-| destination.packets | Packets sent from the destination to the source. | long |
-| destination.port | Port of the destination. | long |
-| destination.user.email | User email address. | keyword |
-| destination.user.name | Short name or login of the user. | keyword |
-| destination.user.name.text | Multi-field of `destination.user.name`. | match_only_text |
-| dns.id | The DNS packet identifier assigned by the program that generated the query. The identifier is copied to the response. | keyword |
-| dns.question.class | The class of records being queried. | keyword |
-| dns.question.name | The name being queried. If the name field contains non-printable characters (below 32 or above 126), those characters should be represented as escaped base 10 integers (\DDD). Back slashes and quotes should be escaped. Tabs, carriage returns, and line feeds should be converted to \t, \r, and \n respectively. | keyword |
-| dns.question.type | The type of record being queried. | keyword |
-| dns.resolved_ip | Array containing all IPs seen in `answers.data`. The `answers` array can be difficult to use, because of the variety of data formats it can contain. Extracting all IP addresses seen in there to `dns.resolved_ip` makes it possible to index them as IP addresses, and makes them easier to visualize and query for. | ip |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| email.cc.address | The email address of CC recipient | keyword |
-| email.from.address | The email address of the sender, typically from the RFC 5322 `From:` header field. | keyword |
-| email.sender.address | Per RFC 5322, specifies the address responsible for the actual transmission of the message. | keyword |
-| email.subject | A brief summary of the topic of the message. | keyword |
-| email.subject.text | Multi-field of `email.subject`. | match_only_text |
-| email.to.address | The email address of recipient | keyword |
-| error.code | Error code describing the error. | keyword |
-| error.message | Error message. | match_only_text |
-| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword |
-| event.code | Identification code for this event, if one exists. Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. | keyword |
-| event.dataset | Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. | keyword |
-| event.duration | Duration of the event in nanoseconds. If event.start and event.end are known this value should be the difference between the end and start time. | long |
-| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date |
-| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword |
-| event.message | Log message optimized for viewing in a log viewer. | text |
-| event.module | Name of the module this data is coming from. If your monitoring agent supports the concept of modules or plugins to process events of a given source (e.g. Apache logs), `event.module` should contain the name of this module. | keyword |
-| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword |
-| event.reference | Reference URL linking to additional information about this event. This URL links to a static definition of this event. Alert events, indicated by `event.kind:alert`, are a common use case for this field. | keyword |
-| event.start | event.start contains the date when the event started or when the activity was first observed. | date |
-| event.timezone | This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). | keyword |
-| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword |
-| file.extension | File extension, excluding the leading dot. Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword |
-| file.name | Name of the file including the extension, without the directory. | keyword |
-| file.size | File size in bytes. Only relevant when `file.type` is "file". | long |
-| fortinet.file.hash.crc32 | CRC32 Hash of file | keyword |
-| fortinet.firewall.acct_stat | Accounting state (RADIUS) | keyword |
-| fortinet.firewall.acktime | Alarm Acknowledge Time | keyword |
-| fortinet.firewall.act | Action | keyword |
-| fortinet.firewall.action | Status of the session | keyword |
-| fortinet.firewall.activity | HA activity message | keyword |
-| fortinet.firewall.addr | IP Address | ip |
-| fortinet.firewall.addr_type | Address Type | keyword |
-| fortinet.firewall.addrgrp | Address Group | keyword |
-| fortinet.firewall.adgroup | AD Group Name | keyword |
-| fortinet.firewall.admin | Admin User | keyword |
-| fortinet.firewall.age | Time in seconds - time passed since last seen | integer |
-| fortinet.firewall.agent | User agent - eg. agent="Mozilla/5.0" | keyword |
-| fortinet.firewall.alarmid | Alarm ID | integer |
-| fortinet.firewall.alert | Alert | keyword |
-| fortinet.firewall.analyticscksum | The checksum of the file submitted for analytics | keyword |
-| fortinet.firewall.analyticssubmit | The flag for analytics submission | keyword |
-| fortinet.firewall.ap | Access Point | keyword |
-| fortinet.firewall.app-type | Address Type | keyword |
-| fortinet.firewall.appact | The security action from app control | keyword |
-| fortinet.firewall.appid | Application ID | integer |
-| fortinet.firewall.applist | Application Control profile | keyword |
-| fortinet.firewall.apprisk | Application Risk Level | keyword |
-| fortinet.firewall.apscan | The name of the AP, which scanned and detected the rogue AP | keyword |
-| fortinet.firewall.apsn | Access Point | keyword |
-| fortinet.firewall.apstatus | Access Point status | keyword |
-| fortinet.firewall.aptype | Access Point type | keyword |
-| fortinet.firewall.assigned | Assigned IP Address | ip |
-| fortinet.firewall.assignip | Assigned IP Address | ip |
-| fortinet.firewall.attachment | The flag for email attachement | keyword |
-| fortinet.firewall.attack | Attack Name | keyword |
-| fortinet.firewall.attackcontext | The trigger patterns and the packetdata with base64 encoding | keyword |
-| fortinet.firewall.attackcontextid | Attack context id / total | keyword |
-| fortinet.firewall.attackid | Attack ID | integer |
-| fortinet.firewall.auditid | Audit ID | long |
-| fortinet.firewall.auditscore | The Audit Score | keyword |
-| fortinet.firewall.audittime | The time of the audit | long |
-| fortinet.firewall.authgrp | Authorization Group | keyword |
-| fortinet.firewall.authid | Authentication ID | keyword |
-| fortinet.firewall.authproto | The protocol that initiated the authentication | keyword |
-| fortinet.firewall.authserver | Authentication server | keyword |
-| fortinet.firewall.bandwidth | Bandwidth | keyword |
-| fortinet.firewall.banned_rule | NAC quarantine Banned Rule Name | keyword |
-| fortinet.firewall.banned_src | NAC quarantine Banned Source IP | keyword |
-| fortinet.firewall.banword | Banned word | keyword |
-| fortinet.firewall.botnetdomain | Botnet Domain Name | keyword |
-| fortinet.firewall.botnetip | Botnet IP Address | ip |
-| fortinet.firewall.bssid | Service Set ID | keyword |
-| fortinet.firewall.call_id | Caller ID | keyword |
-| fortinet.firewall.carrier_ep | The FortiOS Carrier end-point identification | keyword |
-| fortinet.firewall.cat | DNS category ID | integer |
-| fortinet.firewall.category | Authentication category | keyword |
-| fortinet.firewall.cc | CC Email Address | keyword |
-| fortinet.firewall.cdrcontent | Cdrcontent | keyword |
-| fortinet.firewall.centralnatid | Central NAT ID | integer |
-| fortinet.firewall.cert | Certificate | keyword |
-| fortinet.firewall.cert-type | Certificate type | keyword |
-| fortinet.firewall.certhash | Certificate hash | keyword |
-| fortinet.firewall.cfgattr | Configuration attribute | keyword |
-| fortinet.firewall.cfgobj | Configuration object | keyword |
-| fortinet.firewall.cfgpath | Configuration path | keyword |
-| fortinet.firewall.cfgtid | Configuration transaction ID | keyword |
-| fortinet.firewall.cfgtxpower | Configuration TX power | integer |
-| fortinet.firewall.channel | Wireless Channel | integer |
-| fortinet.firewall.channeltype | SSH channel type | keyword |
-| fortinet.firewall.chassisid | Chassis ID | integer |
-| fortinet.firewall.checksum | The checksum of the scanned file | keyword |
-| fortinet.firewall.chgheaders | HTTP Headers | keyword |
-| fortinet.firewall.cldobjid | Connector object ID | keyword |
-| fortinet.firewall.client_addr | Wifi client address | keyword |
-| fortinet.firewall.cloudaction | Cloud Action | keyword |
-| fortinet.firewall.clouduser | Cloud User | keyword |
-| fortinet.firewall.column | VOIP Column | integer |
-| fortinet.firewall.command | CLI Command | keyword |
-| fortinet.firewall.community | SNMP Community | keyword |
-| fortinet.firewall.configcountry | Configuration country | keyword |
-| fortinet.firewall.connection_type | FortiClient Connection Type | keyword |
-| fortinet.firewall.conserve | Flag for conserve mode | keyword |
-| fortinet.firewall.constraint | WAF http protocol restrictions | keyword |
-| fortinet.firewall.contentdisarmed | Email scanned content | keyword |
-| fortinet.firewall.contenttype | Content Type from HTTP header | keyword |
-| fortinet.firewall.cookies | VPN Cookie | keyword |
-| fortinet.firewall.count | Counts of action type | integer |
-| fortinet.firewall.countapp | Number of App Ctrl logs associated with the session | integer |
-| fortinet.firewall.countav | Number of AV logs associated with the session | integer |
-| fortinet.firewall.countcifs | Number of CIFS logs associated with the session | integer |
-| fortinet.firewall.countdlp | Number of DLP logs associated with the session | integer |
-| fortinet.firewall.countdns | Number of DNS logs associated with the session | integer |
-| fortinet.firewall.countemail | Number of email logs associated with the session | integer |
-| fortinet.firewall.countff | Number of ff logs associated with the session | integer |
-| fortinet.firewall.countips | Number of IPS logs associated with the session | integer |
-| fortinet.firewall.countssh | Number of SSH logs associated with the session | integer |
-| fortinet.firewall.countssl | Number of SSL logs associated with the session | integer |
-| fortinet.firewall.countwaf | Number of WAF logs associated with the session | integer |
-| fortinet.firewall.countweb | Number of Web filter logs associated with the session | integer |
-| fortinet.firewall.cpu | CPU Usage | integer |
-| fortinet.firewall.craction | Client Reputation Action | integer |
-| fortinet.firewall.criticalcount | Number of critical ratings | integer |
-| fortinet.firewall.crl | Client Reputation Level | keyword |
-| fortinet.firewall.crlevel | Client Reputation Level | keyword |
-| fortinet.firewall.crscore | Some description | integer |
-| fortinet.firewall.cveid | CVE ID | keyword |
-| fortinet.firewall.daemon | Daemon name | keyword |
-| fortinet.firewall.datarange | Data range for reports | keyword |
-| fortinet.firewall.date | Date | keyword |
-| fortinet.firewall.ddnsserver | DDNS server | ip |
-| fortinet.firewall.desc | Description | keyword |
-| fortinet.firewall.detectionmethod | Detection method | keyword |
-| fortinet.firewall.devcategory | Device category | keyword |
-| fortinet.firewall.devintfname | HA device Interface Name | keyword |
-| fortinet.firewall.devtype | Device type | keyword |
-| fortinet.firewall.dhcp_msg | DHCP Message | keyword |
-| fortinet.firewall.dintf | Destination interface | keyword |
-| fortinet.firewall.disk | Assosciated disk | keyword |
-| fortinet.firewall.disklograte | Disk logging rate | long |
-| fortinet.firewall.dlpextra | DLP extra information | keyword |
-| fortinet.firewall.docsource | DLP fingerprint document source | keyword |
-| fortinet.firewall.domainctrlauthstate | CIFS domain auth state | integer |
-| fortinet.firewall.domainctrlauthtype | CIFS domain auth type | integer |
-| fortinet.firewall.domainctrldomain | CIFS domain auth domain | keyword |
-| fortinet.firewall.domainctrlip | CIFS Domain IP | ip |
-| fortinet.firewall.domainctrlname | CIFS Domain name | keyword |
-| fortinet.firewall.domainctrlprotocoltype | CIFS Domain connection protocol | integer |
-| fortinet.firewall.domainctrlusername | CIFS Domain username | keyword |
-| fortinet.firewall.domainfilteridx | Domain filter ID | integer |
-| fortinet.firewall.domainfilterlist | Domain filter name | keyword |
-| fortinet.firewall.ds | Direction with distribution system | keyword |
-| fortinet.firewall.dst_int | Destination interface | keyword |
-| fortinet.firewall.dstcountry | Destination country | keyword |
-| fortinet.firewall.dstdevcategory | Destination device category | keyword |
-| fortinet.firewall.dstdevtype | Destination device type | keyword |
-| fortinet.firewall.dstfamily | Destination OS family | keyword |
-| fortinet.firewall.dsthwvendor | Destination HW vendor | keyword |
-| fortinet.firewall.dsthwversion | Destination HW version | keyword |
-| fortinet.firewall.dstinetsvc | Destination interface service | keyword |
-| fortinet.firewall.dstintfrole | Destination interface role | keyword |
-| fortinet.firewall.dstosname | Destination OS name | keyword |
-| fortinet.firewall.dstosversion | Destination OS version | keyword |
-| fortinet.firewall.dstserver | Destination server | integer |
-| fortinet.firewall.dstssid | Destination SSID | keyword |
-| fortinet.firewall.dstswversion | Destination software version | keyword |
-| fortinet.firewall.dstunauthusersource | Destination unauthenticated source | keyword |
-| fortinet.firewall.dstuuid | UUID of the Destination IP address | keyword |
-| fortinet.firewall.duid | DHCP UID | keyword |
-| fortinet.firewall.eapolcnt | EAPOL packet count | integer |
-| fortinet.firewall.eapoltype | EAPOL packet type | keyword |
-| fortinet.firewall.encrypt | Whether the packet is encrypted or not | integer |
-| fortinet.firewall.encryption | Encryption method | keyword |
-| fortinet.firewall.epoch | Epoch used for locating file | integer |
-| fortinet.firewall.espauth | ESP Authentication | keyword |
-| fortinet.firewall.esptransform | ESP Transform | keyword |
-| fortinet.firewall.exch | Mail Exchanges from DNS response answer section | keyword |
-| fortinet.firewall.exchange | Mail Exchanges from DNS response answer section | keyword |
-| fortinet.firewall.expectedsignature | Expected SSL signature | keyword |
-| fortinet.firewall.expiry | FortiGuard override expiry timestamp | keyword |
-| fortinet.firewall.fams_pause | Fortinet Analysis and Management Service Pause | integer |
-| fortinet.firewall.fazlograte | FortiAnalyzer Logging Rate | long |
-| fortinet.firewall.fctemssn | FortiClient Endpoint SSN | keyword |
-| fortinet.firewall.fctuid | FortiClient UID | keyword |
-| fortinet.firewall.field | NTP status field | keyword |
-| fortinet.firewall.filefilter | The filter used to identify the affected file | keyword |
-| fortinet.firewall.filehashsrc | Filehash source | keyword |
-| fortinet.firewall.filtercat | DLP filter category | keyword |
-| fortinet.firewall.filteridx | DLP filter ID | integer |
-| fortinet.firewall.filtername | DLP rule name | keyword |
-| fortinet.firewall.filtertype | DLP filter type | keyword |
-| fortinet.firewall.fortiguardresp | Antispam ESP value | keyword |
-| fortinet.firewall.forwardedfor | Email address forwarded | keyword |
-| fortinet.firewall.fqdn | FQDN | keyword |
-| fortinet.firewall.frametype | Wireless frametype | keyword |
-| fortinet.firewall.freediskstorage | Free disk integer | integer |
-| fortinet.firewall.from | From email address | keyword |
-| fortinet.firewall.from_vcluster | Source virtual cluster number | integer |
-| fortinet.firewall.fsaverdict | FSA verdict | keyword |
-| fortinet.firewall.fwserver_name | Web proxy server name | keyword |
-| fortinet.firewall.gateway | Gateway ip address for PPPoE status report | ip |
-| fortinet.firewall.green | Memory status | keyword |
-| fortinet.firewall.groupid | User Group ID | integer |
-| fortinet.firewall.ha-prio | HA Priority | integer |
-| fortinet.firewall.ha_group | HA Group | keyword |
-| fortinet.firewall.ha_role | HA Role | keyword |
-| fortinet.firewall.handshake | SSL Handshake | keyword |
-| fortinet.firewall.hash | Hash value of downloaded file | keyword |
-| fortinet.firewall.hbdn_reason | Heartbeat down reason | keyword |
-| fortinet.firewall.highcount | Highcount fabric summary | integer |
-| fortinet.firewall.host | Hostname | keyword |
-| fortinet.firewall.iaid | DHCPv6 id | keyword |
-| fortinet.firewall.icmpcode | Destination Port of the ICMP message | keyword |
-| fortinet.firewall.icmpid | Source port of the ICMP message | keyword |
-| fortinet.firewall.icmptype | The type of ICMP message | keyword |
-| fortinet.firewall.identifier | Network traffic identifier | integer |
-| fortinet.firewall.in_spi | IPSEC inbound SPI | keyword |
-| fortinet.firewall.incidentserialno | Incident serial number | integer |
-| fortinet.firewall.infected | Infected MMS | integer |
-| fortinet.firewall.infectedfilelevel | DLP infected file level | integer |
-| fortinet.firewall.informationsource | Information source | keyword |
-| fortinet.firewall.init | IPSEC init stage | keyword |
-| fortinet.firewall.initiator | Original login user name for Fortiguard override | keyword |
-| fortinet.firewall.interface | Related interface | keyword |
-| fortinet.firewall.intf | Related interface | keyword |
-| fortinet.firewall.invalidmac | The MAC address with invalid OUI | keyword |
-| fortinet.firewall.ip | Related IP | ip |
-| fortinet.firewall.iptype | Related IP type | keyword |
-| fortinet.firewall.keyword | Keyword used for search | keyword |
-| fortinet.firewall.kind | VOIP kind | keyword |
-| fortinet.firewall.lanin | LAN incoming traffic in bytes | long |
-| fortinet.firewall.lanout | LAN outbound traffic in bytes | long |
-| fortinet.firewall.lease | DHCP lease | integer |
-| fortinet.firewall.license_limit | Maximum Number of FortiClients for the License | keyword |
-| fortinet.firewall.limit | Virtual Domain Resource Limit | integer |
-| fortinet.firewall.line | VOIP line | keyword |
-| fortinet.firewall.live | Time in seconds | integer |
-| fortinet.firewall.local | Local IP for a PPPD Connection | ip |
-| fortinet.firewall.log | Log message | keyword |
-| fortinet.firewall.login | SSH login | keyword |
-| fortinet.firewall.lowcount | Fabric lowcount | integer |
-| fortinet.firewall.mac | DHCP mac address | keyword |
-| fortinet.firewall.malform_data | VOIP malformed data | integer |
-| fortinet.firewall.malform_desc | VOIP malformed data description | keyword |
-| fortinet.firewall.manuf | Manufacturer name | keyword |
-| fortinet.firewall.masterdstmac | Master mac address for a host with multiple network interfaces | keyword |
-| fortinet.firewall.mastersrcmac | The master MAC address for a host that has multiple network interfaces | keyword |
-| fortinet.firewall.mediumcount | Fabric medium count | integer |
-| fortinet.firewall.mem | Memory usage system statistics | integer |
-| fortinet.firewall.meshmode | Wireless mesh mode | keyword |
-| fortinet.firewall.message_type | VOIP message type | keyword |
-| fortinet.firewall.method | HTTP method | keyword |
-| fortinet.firewall.mgmtcnt | The number of unauthorized client flooding managemet frames | integer |
-| fortinet.firewall.mode | IPSEC mode | keyword |
-| fortinet.firewall.module | PCI-DSS module | keyword |
-| fortinet.firewall.monitor-name | Health Monitor Name | keyword |
-| fortinet.firewall.monitor-type | Health Monitor Type | keyword |
-| fortinet.firewall.mpsk | Wireless MPSK | keyword |
-| fortinet.firewall.msgproto | Message Protocol Number | keyword |
-| fortinet.firewall.mtu | Max Transmission Unit Value | integer |
-| fortinet.firewall.name | Name | keyword |
-| fortinet.firewall.nat | NAT IP Address | keyword |
-| fortinet.firewall.netid | Connector NetID | keyword |
-| fortinet.firewall.new_status | New status on user change | keyword |
-| fortinet.firewall.new_value | New Virtual Domain Name | keyword |
-| fortinet.firewall.newchannel | New Channel Number | integer |
-| fortinet.firewall.newchassisid | New Chassis ID | integer |
-| fortinet.firewall.newslot | New Slot Number | integer |
-| fortinet.firewall.nextstat | Time interval in seconds for the next statistics. | integer |
-| fortinet.firewall.nf_type | Notification Type | keyword |
-| fortinet.firewall.noise | Wifi Noise | integer |
-| fortinet.firewall.old_status | Original Status | keyword |
-| fortinet.firewall.old_value | Original Virtual Domain name | keyword |
-| fortinet.firewall.oldchannel | Original channel | integer |
-| fortinet.firewall.oldchassisid | Original Chassis Number | integer |
-| fortinet.firewall.oldslot | Original Slot Number | integer |
-| fortinet.firewall.oldsn | Old Serial number | keyword |
-| fortinet.firewall.oldwprof | Old Web Filter Profile | keyword |
-| fortinet.firewall.onwire | A flag to indicate if the AP is onwire or not | keyword |
-| fortinet.firewall.opercountry | Operating Country | keyword |
-| fortinet.firewall.opertxpower | Operating TX power | integer |
-| fortinet.firewall.osname | Operating System name | keyword |
-| fortinet.firewall.osversion | Operating System version | keyword |
-| fortinet.firewall.out_spi | Out SPI | keyword |
-| fortinet.firewall.outintf | Out interface | keyword |
-| fortinet.firewall.passedcount | Fabric passed count | integer |
-| fortinet.firewall.passwd | Changed user password information | keyword |
-| fortinet.firewall.path | Path of looped configuration for security fabric | keyword |
-| fortinet.firewall.peer | WAN optimization peer | keyword |
-| fortinet.firewall.peer_notif | VPN peer notification | keyword |
-| fortinet.firewall.phase2_name | VPN phase2 name | keyword |
-| fortinet.firewall.phone | VOIP Phone | keyword |
-| fortinet.firewall.pid | Process ID | integer |
-| fortinet.firewall.policytype | Policy Type | keyword |
-| fortinet.firewall.poolname | IP Pool name | keyword |
-| fortinet.firewall.port | Log upload error port | integer |
-| fortinet.firewall.portbegin | IP Pool port number to begin | integer |
-| fortinet.firewall.portend | IP Pool port number to end | integer |
-| fortinet.firewall.probeproto | Link Monitor Probe Protocol | keyword |
-| fortinet.firewall.process | 
URL Filter process | keyword | -| fortinet.firewall.processtime | Process time for reports | integer | -| fortinet.firewall.profile | Profile Name | keyword | -| fortinet.firewall.profile_vd | Virtual Domain Name | keyword | -| fortinet.firewall.profilegroup | Profile Group Name | keyword | -| fortinet.firewall.profiletype | Profile Type | keyword | -| fortinet.firewall.qtypeval | DNS question type value | integer | -| fortinet.firewall.quarskip | Quarantine skip explanation | keyword | -| fortinet.firewall.quotaexceeded | If quota has been exceeded | keyword | -| fortinet.firewall.quotamax | Maximum quota allowed - in seconds if time-based - in bytes if traffic-based | long | -| fortinet.firewall.quotatype | Quota type | keyword | -| fortinet.firewall.quotaused | Quota used - in seconds if time-based - in bytes if trafficbased) | long | -| fortinet.firewall.radioband | Radio band | keyword | -| fortinet.firewall.radioid | Radio ID | integer | -| fortinet.firewall.radioidclosest | Radio ID on the AP closest the rogue AP | integer | -| fortinet.firewall.radioiddetected | Radio ID on the AP which detected the rogue AP | integer | -| fortinet.firewall.rate | Wireless rogue rate value | keyword | -| fortinet.firewall.rawdata | Raw data value | keyword | -| fortinet.firewall.rawdataid | Raw data ID | keyword | -| fortinet.firewall.rcvddelta | Received bytes delta | keyword | -| fortinet.firewall.reason | Alert reason | keyword | -| fortinet.firewall.received | Server key exchange received | integer | -| fortinet.firewall.receivedsignature | Server key exchange received signature | keyword | -| fortinet.firewall.red | Memory information in red | keyword | -| fortinet.firewall.referralurl | Web filter referralurl | keyword | -| fortinet.firewall.remote | Remote PPP IP address | ip | -| fortinet.firewall.remotewtptime | Remote Wifi Radius authentication time | keyword | -| fortinet.firewall.reporttype | Report type | keyword | -| fortinet.firewall.reqtype | Request type | 
keyword | -| fortinet.firewall.request_name | VOIP request name | keyword | -| fortinet.firewall.result | VPN phase result | keyword | -| fortinet.firewall.role | VPN Phase 2 role | keyword | -| fortinet.firewall.rssi | Received signal strength indicator | integer | -| fortinet.firewall.rsso_key | RADIUS SSO attribute value | keyword | -| fortinet.firewall.ruledata | Rule data | keyword | -| fortinet.firewall.ruletype | Rule type | keyword | -| fortinet.firewall.scanned | Number of Scanned MMSs | integer | -| fortinet.firewall.scantime | Scanned time | long | -| fortinet.firewall.scope | FortiGuard Override Scope | keyword | -| fortinet.firewall.security | Wireless rogue security | keyword | -| fortinet.firewall.sensitivity | Sensitivity for document fingerprint | keyword | -| fortinet.firewall.sensor | NAC Sensor Name | keyword | -| fortinet.firewall.sentdelta | Sent bytes delta | keyword | -| fortinet.firewall.seq | Sequence number | keyword | -| fortinet.firewall.serial | WAN optimisation serial | keyword | -| fortinet.firewall.serialno | Serial number | keyword | -| fortinet.firewall.server | AD server FQDN or IP | keyword | -| fortinet.firewall.session_id | Session ID | keyword | -| fortinet.firewall.sessionid | WAD Session ID | integer | -| fortinet.firewall.setuprate | Session Setup Rate | long | -| fortinet.firewall.severity | Severity | keyword | -| fortinet.firewall.shaperdroprcvdbyte | Received bytes dropped by shaper | integer | -| fortinet.firewall.shaperdropsentbyte | Sent bytes dropped by shaper | integer | -| fortinet.firewall.shaperperipdropbyte | Dropped bytes per IP by shaper | integer | -| fortinet.firewall.shaperperipname | Traffic shaper name (per IP) | keyword | -| fortinet.firewall.shaperrcvdname | Traffic shaper name for received traffic | keyword | -| fortinet.firewall.shapersentname | Traffic shaper name for sent traffic | keyword | -| fortinet.firewall.shapingpolicyid | Traffic shaper policy ID | integer | -| fortinet.firewall.signal | 
Wireless rogue API signal | integer | -| fortinet.firewall.size | Email size in bytes | long | -| fortinet.firewall.slot | Slot number | integer | -| fortinet.firewall.sn | Security fabric serial number | keyword | -| fortinet.firewall.snclosest | SN of the AP closest to the rogue AP | keyword | -| fortinet.firewall.sndetected | SN of the AP which detected the rogue AP | keyword | -| fortinet.firewall.snmeshparent | SN of the mesh parent | keyword | -| fortinet.firewall.spi | IPSEC SPI | keyword | -| fortinet.firewall.src_int | Source interface | keyword | -| fortinet.firewall.srccountry | Source country | keyword | -| fortinet.firewall.srcfamily | Source family | keyword | -| fortinet.firewall.srchwvendor | Source hardware vendor | keyword | -| fortinet.firewall.srchwversion | Source hardware version | keyword | -| fortinet.firewall.srcinetsvc | Source interface service | keyword | -| fortinet.firewall.srcintfrole | Source interface role | keyword | -| fortinet.firewall.srcname | Source name | keyword | -| fortinet.firewall.srcserver | Source server | integer | -| fortinet.firewall.srcssid | Source SSID | keyword | -| fortinet.firewall.srcswversion | Source software version | keyword | -| fortinet.firewall.srcuuid | Source UUID | keyword | -| fortinet.firewall.sscname | SSC name | keyword | -| fortinet.firewall.ssid | Base Service Set ID | keyword | -| fortinet.firewall.sslaction | SSL Action | keyword | -| fortinet.firewall.ssllocal | WAD SSL local | keyword | -| fortinet.firewall.sslremote | WAD SSL remote | keyword | -| fortinet.firewall.stacount | Number of stations/clients | integer | -| fortinet.firewall.stage | IPSEC stage | keyword | -| fortinet.firewall.stamac | 802.1x station mac | keyword | -| fortinet.firewall.state | Admin login state | keyword | -| fortinet.firewall.status | Status | keyword | -| fortinet.firewall.stitch | Automation stitch triggered | keyword | -| fortinet.firewall.subject | Email subject | keyword | -| fortinet.firewall.submodule | 
Configuration Sub-Module Name | keyword | -| fortinet.firewall.subservice | AV subservice | keyword | -| fortinet.firewall.subtype | Log subtype | keyword | -| fortinet.firewall.suspicious | Number of Suspicious MMSs | integer | -| fortinet.firewall.switchproto | Protocol change information | keyword | -| fortinet.firewall.sync_status | The sync status with the master | keyword | -| fortinet.firewall.sync_type | The sync type with the master | keyword | -| fortinet.firewall.sysuptime | System uptime | keyword | -| fortinet.firewall.tamac | the MAC address of Transmitter, if none, then Receiver | keyword | -| fortinet.firewall.threattype | WIDS threat type | keyword | -| fortinet.firewall.time | Time of the event | keyword | -| fortinet.firewall.to | Email to field | keyword | -| fortinet.firewall.to_vcluster | destination virtual cluster number | integer | -| fortinet.firewall.total | Total memory | integer | -| fortinet.firewall.totalsession | Total Number of Sessions | integer | -| fortinet.firewall.trace_id | Session clash trace ID | keyword | -| fortinet.firewall.trandisp | NAT translation type | keyword | -| fortinet.firewall.transid | HTTP transaction ID | integer | -| fortinet.firewall.translationid | DNS filter transaltion ID | keyword | -| fortinet.firewall.trigger | Automation stitch trigger | keyword | -| fortinet.firewall.trueclntip | File filter true client IP | ip | -| fortinet.firewall.tunnelid | IPSEC tunnel ID | integer | -| fortinet.firewall.tunnelip | IPSEC tunnel IP | ip | -| fortinet.firewall.tunneltype | IPSEC tunnel type | keyword | -| fortinet.firewall.type | Module type | keyword | -| fortinet.firewall.ui | Admin authentication UI type | keyword | -| fortinet.firewall.unauthusersource | Unauthenticated user source | keyword | -| fortinet.firewall.unit | Power supply unit | integer | -| fortinet.firewall.urlfilteridx | URL filter ID | integer | -| fortinet.firewall.urlfilterlist | URL filter list | keyword | -| fortinet.firewall.urlsource | 
URL filter source | keyword | -| fortinet.firewall.urltype | URL filter type | keyword | -| fortinet.firewall.used | Number of Used IPs | integer | -| fortinet.firewall.used_for_type | Connection for the type | integer | -| fortinet.firewall.utmaction | Security action performed by UTM | keyword | -| fortinet.firewall.vap | Virtual AP | keyword | -| fortinet.firewall.vapmode | Virtual AP mode | keyword | -| fortinet.firewall.vcluster | virtual cluster id | integer | -| fortinet.firewall.vcluster_member | Virtual cluster member | integer | -| fortinet.firewall.vcluster_state | Virtual cluster state | keyword | -| fortinet.firewall.vd | Virtual Domain Name | keyword | -| fortinet.firewall.vdname | Virtual Domain Name | keyword | -| fortinet.firewall.vendorurl | Vulnerability scan vendor name | keyword | -| fortinet.firewall.version | Version | keyword | -| fortinet.firewall.vip | Virtual IP | keyword | -| fortinet.firewall.virus | Virus name | keyword | -| fortinet.firewall.virusid | Virus ID (unique virus identifier) | integer | -| fortinet.firewall.voip_proto | VOIP protocol | keyword | -| fortinet.firewall.vpn | VPN description | keyword | -| fortinet.firewall.vpntunnel | IPsec Vpn Tunnel Name | keyword | -| fortinet.firewall.vpntype | The type of the VPN tunnel | keyword | -| fortinet.firewall.vrf | VRF number | integer | -| fortinet.firewall.vulncat | Vulnerability Category | keyword | -| fortinet.firewall.vulnid | Vulnerability ID | integer | -| fortinet.firewall.vulnname | Vulnerability name | keyword | -| fortinet.firewall.vwlid | VWL ID | integer | -| fortinet.firewall.vwlquality | VWL quality | keyword | -| fortinet.firewall.vwlservice | VWL service | keyword | -| fortinet.firewall.vwpvlanid | VWP VLAN ID | integer | -| fortinet.firewall.wanin | WAN incoming traffic in bytes | long | -| fortinet.firewall.wanoptapptype | WAN Optimization Application type | keyword | -| fortinet.firewall.wanout | WAN outgoing traffic in bytes | long | -| 
fortinet.firewall.weakwepiv | Weak Wep Initiation Vector | keyword | -| fortinet.firewall.xauthgroup | XAuth Group Name | keyword | -| fortinet.firewall.xauthuser | XAuth User Name | keyword | -| fortinet.firewall.xid | Wireless X ID | integer | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. 
| keyword | -| input.type | Type of Filebeat input. | keyword | -| log.file.path | Path to the log file. | keyword | -| log.flags | Flags for the log file. | keyword | -| log.level | Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). Some examples are `warn`, `err`, `i`, `informational`. | keyword | -| log.offset | Offset of the entry in the log file. | long | -| log.source.address | Source address from which the log event was read / sent from. | keyword | -| log.syslog.facility.code | The Syslog numeric facility of the log event, if available. According to RFCs 5424 and 3164, this value should be an integer between 0 and 23. | long | -| log.syslog.priority | Syslog numeric priority of the event, if available. According to RFCs 5424 and 3164, the priority is 8 \* facility + severity. This number is therefore expected to contain a value between 0 and 191. | long | -| log.syslog.severity.code | The Syslog numeric severity of the log event, if available. If the event source publishing via Syslog provides a different numeric severity value (e.g. firewall, IDS), your source's numeric severity should go to `event.severity`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `event.severity`. | long | -| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. 
| match_only_text | -| network.application | When a specific application or service is identified from network connection details (source/dest IPs, ports, certificates, or wire format), this field captures the application's or service's name. For example, the original event identifies the network connection being from a specific web service in a `https` network connection, like `facebook` or `twitter`. The field value must be normalized to lowercase for querying. | keyword | -| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long | -| network.direction | Direction of the network traffic. Recommended values are: \* ingress \* egress \* inbound \* outbound \* internal \* external \* unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword | -| network.iana_number | IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. | keyword | -| network.packets | Total packets transferred in both directions. If `source.packets` and `destination.packets` are known, `network.packets` is their sum. | long | -| network.protocol | In the OSI Model this would be the Application Layer protocol. 
For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword | -| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword | -| observer.egress.interface.name | Interface name as reported by the system. | keyword | -| observer.ingress.interface.name | Interface name as reported by the system. | keyword | -| observer.name | Custom name of the observer. This is a name that can be given to an observer. This can be helpful for example if multiple firewalls of the same model are used in an organization. If no custom name is needed, the field can be left empty. | keyword | -| observer.product | The product name of the observer. | keyword | -| observer.serial_number | Observer serial number. | keyword | -| observer.type | The type of the observer the data is coming from. There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. | keyword | -| observer.vendor | Vendor name of the observer. | keyword | -| related.hash | All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). | keyword | -| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| related.user | All the user names or other user identifiers seen on the event. | keyword | -| rule.category | A categorization value keyword used by the entity using the rule for detection of this event. | keyword | -| rule.description | The description of the rule generating the event. 
| keyword | -| rule.id | A rule ID that is unique within the scope of an agent, observer, or other entity using the rule for detection of this event. | keyword | -| rule.name | The name of the rule or signature generating the event. | keyword | -| rule.ruleset | Name of the ruleset, policy, group, or parent category in which the rule used to generate this event is a member. | keyword | -| rule.uuid | A rule ID that is unique within the scope of a set or group of agents, observers, or other entities using the rule for detection of this event. | keyword | -| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| source.as.organization.name | Organization name. | keyword | -| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text | -| source.bytes | Bytes sent from the source to the destination. | long | -| source.geo.city_name | City name. | keyword | -| source.geo.continent_name | Name of the continent. | keyword | -| source.geo.country_iso_code | Country ISO code. | keyword | -| source.geo.country_name | Country name. | keyword | -| source.geo.location | Longitude and latitude. | geo_point | -| source.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | -| source.geo.region_iso_code | Region ISO code. | keyword | -| source.geo.region_name | Region name. 
| keyword | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| source.mac | MAC address of the source. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | -| source.nat.ip | Translated ip of source based NAT sessions (e.g. internal client to internet) Typically connections traversing load balancers, firewalls, or routers. | ip | -| source.nat.port | Translated port of source based NAT sessions. (e.g. internal client to internet) Typically used with load balancers, firewalls, or routers. | long | -| source.packets | Packets sent from the source to the destination. | long | -| source.port | Port of the source. | long | -| source.user.email | User email address. | keyword | -| source.user.group.name | Name of the group. | keyword | -| source.user.name | Short name or login of the user. | keyword | -| source.user.name.text | Multi-field of `source.user.name`. | match_only_text | -| tags | List of keywords used to tag each event. | keyword | -| tls.client.issuer | Distinguished name of subject of the issuer of the x.509 certificate presented by the client. | keyword | -| tls.client.server_name | Also called an SNI, this tells the server which hostname to which the client is attempting to connect to. When this value is available, it should get copied to `destination.domain`. | keyword | -| tls.client.x509.issuer.common_name | List of common name (CN) of issuing certificate authority. | keyword | -| tls.server.issuer | Subject of the issuer of the x.509 certificate presented by the server. | keyword | -| tls.server.x509.issuer.common_name | List of common name (CN) of issuing certificate authority. | keyword | -| tls.server.x509.subject.common_name | List of common names (CN) of subject. | keyword | -| url.domain | Domain of the url, such as "www.elastic.co". 
In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. | keyword |
-| url.path | Path of the request, such as "/search". | wildcard |
-| user_agent.original | Unparsed user_agent string. | keyword |
-| user_agent.original.text | Multi-field of `user_agent.original`. | match_only_text |
-| vulnerability.category | The type of system or architecture that the vulnerability affects. These may be platform-specific (for example, Debian or SUSE) or general (for example, Database or Firewall). For example (https://qualysguard.qualys.com/qwebhelp/fo_portal/knowledgebase/vulnerability_categories.htm[Qualys vulnerability categories]) This field must be an array. | keyword |
diff --git a/packages/fortinet_fortigate/1.2.2/img/dashboard.png b/packages/fortinet_fortigate/1.2.2/img/dashboard.png
deleted file mode 100755
index 268a29bd0e..0000000000
Binary files a/packages/fortinet_fortigate/1.2.2/img/dashboard.png and /dev/null differ
diff --git a/packages/fortinet_fortigate/1.2.2/img/fortinet-logo.svg b/packages/fortinet_fortigate/1.2.2/img/fortinet-logo.svg
deleted file mode 100755
index d6a8448f32..0000000000
--- a/packages/fortinet_fortigate/1.2.2/img/fortinet-logo.svg
+++ /dev/null
@@ -1,9 +0,0 @@
-
-
-
-
-
-
-
-
-
diff --git a/packages/fortinet_fortigate/1.2.2/kibana/dashboard/fortinet_fortigate-d0cd8230-0c8b-11ed-bb95-158df2ca77e4.json b/packages/fortinet_fortigate/1.2.2/kibana/dashboard/fortinet_fortigate-d0cd8230-0c8b-11ed-bb95-158df2ca77e4.json
deleted file mode 100755
index 7ea26c928a..0000000000
--- a/packages/fortinet_fortigate/1.2.2/kibana/dashboard/fortinet_fortigate-d0cd8230-0c8b-11ed-bb95-158df2ca77e4.json
+++ /dev/null
@@ -1,143 +0,0 @@ -{ - "attributes": { - "controlGroupInput": { - "chainingSystem": "NONE", - "controlStyle": "oneLine", - "ignoreParentSettingsJSON": "{\"ignoreFilters\":false,\"ignoreQuery\":false,\"ignoreTimerange\":false,\"ignoreValidations\":false}", - "panelsJSON": "{\"eb2ef977-0de8-4bd4-a936-8bd25a74543c\":{\"order\":1,\"width\":\"medium\",\"grow\":true,\"type\":\"optionsListControl\",\"explicitInput\":{\"fieldName\":\"event.category\",\"title\":\"Event Category\",\"id\":\"eb2ef977-0de8-4bd4-a936-8bd25a74543c\",\"enhancements\":{}}},\"cfa74479-5cd8-48b4-b302-86302d5cc8a6\":{\"order\":2,\"width\":\"medium\",\"grow\":true,\"type\":\"optionsListControl\",\"explicitInput\":{\"fieldName\":\"event.outcome\",\"title\":\"Event Outcome\",\"id\":\"cfa74479-5cd8-48b4-b302-86302d5cc8a6\",\"enhancements\":{}}},\"ee56c2d4-3f4e-4914-bc04-74a600f57188\":{\"order\":4,\"width\":\"medium\",\"grow\":true,\"type\":\"optionsListControl\",\"explicitInput\":{\"fieldName\":\"log.level\",\"title\":\"Fortinet Log Level\",\"id\":\"ee56c2d4-3f4e-4914-bc04-74a600f57188\",\"enhancements\":{},\"selectedOptions\":[]}},\"ad683801-15c1-4243-a870-c533cf32c7e3\":{\"order\":3,\"width\":\"medium\",\"grow\":true,\"type\":\"optionsListControl\",\"explicitInput\":{\"title\":\"Event Action\",\"fieldName\":\"event.action\",\"selectedOptions\":[],\"id\":\"ad683801-15c1-4243-a870-c533cf32c7e3\",\"enhancements\":{}}},\"c66d9124-057b-40aa-bc0a-fab5624ed285\":{\"order\":0,\"width\":\"medium\",\"grow\":true,\"type\":\"optionsListControl\",\"explicitInput\":{\"fieldName\":\"fortinet.firewall.type\",\"title\":\"Firewall Operation Type\",\"id\":\"c66d9124-057b-40aa-bc0a-fab5624ed285\",\"selectedOptions\":[],\"enhancements\":{}}}}" - }, - "description": "Overview of Fortinet FortiGate firewall events", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": 
"{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"fortinet_fortigate.log\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"fortinet_fortigate.log\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"syncTooltips\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-3315c7ab-9184-4bc2-8d29-bfa4f03c0357\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"3315c7ab-9184-4bc2-8d29-bfa4f03c0357\":{\"columnOrder\":[\"e5f0842d-128d-4718-9d9d-3fd543f0d8e3\",\"098c8c66-e7b7-4877-8ede-e69c2ab79d08\"],\"columns\":{\"098c8c66-e7b7-4877-8ede-e69c2ab79d08\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"params\":{\"emptyAsNull\":true},\"scale\":\"ratio\",\"sourceField\":\"___records___\"},\"e5f0842d-128d-4718-9d9d-3fd543f0d8e3\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top 5 values of 
event.category\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"098c8c66-e7b7-4877-8ede-e69c2ab79d08\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"event.category\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"e5f0842d-128d-4718-9d9d-3fd543f0d8e3\"],\"layerId\":\"3315c7ab-9184-4bc2-8d29-bfa4f03c0357\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"098c8c66-e7b7-4877-8ede-e69c2ab79d08\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"treemap\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":7,\"i\":\"aef92dcc-7959-4c94-90ef-373478d28419\",\"w\":12,\"x\":0,\"y\":0},\"panelIndex\":\"aef92dcc-7959-4c94-90ef-373478d28419\",\"title\":\"Event Category\",\"type\":\"lens\",\"version\":\"8.3.2\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-3315c7ab-9184-4bc2-8d29-bfa4f03c0357\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"3315c7ab-9184-4bc2-8d29-bfa4f03c0357\":{\"columnOrder\":[\"e5f0842d-128d-4718-9d9d-3fd543f0d8e3\",\"098c8c66-e7b7-4877-8ede-e69c2ab79d08\"],\"columns\":{\"098c8c66-e7b7-4877-8ede-e69c2ab79d08\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"params\":{\"emptyAsNull\":true},\"scale\":\"ratio\",\"sourceField\":\"___records___\"},\"e5f0842d-128d-4718-9d9d-3fd543f0d8e3\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top 5 values of 
event.outcome\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"098c8c66-e7b7-4877-8ede-e69c2ab79d08\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"secondaryFields\":[],\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"event.outcome\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"e5f0842d-128d-4718-9d9d-3fd543f0d8e3\"],\"layerId\":\"3315c7ab-9184-4bc2-8d29-bfa4f03c0357\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"098c8c66-e7b7-4877-8ede-e69c2ab79d08\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"treemap\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":7,\"i\":\"53ff2f86-bf06-4677-92d2-067155f609f3\",\"w\":12,\"x\":12,\"y\":0},\"panelIndex\":\"53ff2f86-bf06-4677-92d2-067155f609f3\",\"title\":\"Event Outcome\",\"type\":\"lens\",\"version\":\"8.3.2\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-3315c7ab-9184-4bc2-8d29-bfa4f03c0357\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"3315c7ab-9184-4bc2-8d29-bfa4f03c0357\":{\"columnOrder\":[\"e5f0842d-128d-4718-9d9d-3fd543f0d8e3\",\"098c8c66-e7b7-4877-8ede-e69c2ab79d08\"],\"columns\":{\"098c8c66-e7b7-4877-8ede-e69c2ab79d08\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"params\":{\"emptyAsNull\":true},\"scale\":\"ratio\",\"sourceField\":\"___records___\"},\"e5f0842d-128d-4718-9d9d-3fd543f0d8e3\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top 10 values of 
event.action\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"098c8c66-e7b7-4877-8ede-e69c2ab79d08\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"secondaryFields\":[],\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"event.action\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"e5f0842d-128d-4718-9d9d-3fd543f0d8e3\"],\"layerId\":\"3315c7ab-9184-4bc2-8d29-bfa4f03c0357\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"098c8c66-e7b7-4877-8ede-e69c2ab79d08\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"treemap\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":7,\"i\":\"b3871313-73e1-4197-af66-2ff82506fafd\",\"w\":12,\"x\":24,\"y\":0},\"panelIndex\":\"b3871313-73e1-4197-af66-2ff82506fafd\",\"title\":\"Fortinet Log Level\",\"type\":\"lens\",\"version\":\"8.3.2\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-3315c7ab-9184-4bc2-8d29-bfa4f03c0357\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"3315c7ab-9184-4bc2-8d29-bfa4f03c0357\":{\"columnOrder\":[\"e5f0842d-128d-4718-9d9d-3fd543f0d8e3\",\"098c8c66-e7b7-4877-8ede-e69c2ab79d08\"],\"columns\":{\"098c8c66-e7b7-4877-8ede-e69c2ab79d08\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"params\":{\"emptyAsNull\":true},\"scale\":\"ratio\",\"sourceField\":\"___records___\"},\"e5f0842d-128d-4718-9d9d-3fd543f0d8e3\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top 10 values of 
log.level\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"098c8c66-e7b7-4877-8ede-e69c2ab79d08\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"secondaryFields\":[],\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"log.level\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"e5f0842d-128d-4718-9d9d-3fd543f0d8e3\"],\"layerId\":\"3315c7ab-9184-4bc2-8d29-bfa4f03c0357\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"098c8c66-e7b7-4877-8ede-e69c2ab79d08\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"treemap\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":7,\"i\":\"941798ef-1ae4-4ebe-8867-a17eb8b1a4b9\",\"w\":12,\"x\":36,\"y\":0},\"panelIndex\":\"941798ef-1ae4-4ebe-8867-a17eb8b1a4b9\",\"title\":\"Fortinet Log Level\",\"type\":\"lens\",\"version\":\"8.3.2\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-3315c7ab-9184-4bc2-8d29-bfa4f03c0357\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"3315c7ab-9184-4bc2-8d29-bfa4f03c0357\":{\"columnOrder\":[\"e5f0842d-128d-4718-9d9d-3fd543f0d8e3\",\"098c8c66-e7b7-4877-8ede-e69c2ab79d08\"],\"columns\":{\"098c8c66-e7b7-4877-8ede-e69c2ab79d08\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"params\":{\"emptyAsNull\":true},\"scale\":\"ratio\",\"sourceField\":\"___records___\"},\"e5f0842d-128d-4718-9d9d-3fd543f0d8e3\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top 5 values of 
network.direction\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"098c8c66-e7b7-4877-8ede-e69c2ab79d08\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"secondaryFields\":[],\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"network.direction\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"e5f0842d-128d-4718-9d9d-3fd543f0d8e3\"],\"layerId\":\"3315c7ab-9184-4bc2-8d29-bfa4f03c0357\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"098c8c66-e7b7-4877-8ede-e69c2ab79d08\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"treemap\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":7,\"i\":\"f20139de-a0eb-463f-a9c8-183dce76b3fa\",\"w\":12,\"x\":0,\"y\":7},\"panelIndex\":\"f20139de-a0eb-463f-a9c8-183dce76b3fa\",\"title\":\"Network Direction\",\"type\":\"lens\",\"version\":\"8.3.2\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-3315c7ab-9184-4bc2-8d29-bfa4f03c0357\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"3315c7ab-9184-4bc2-8d29-bfa4f03c0357\":{\"columnOrder\":[\"e5f0842d-128d-4718-9d9d-3fd543f0d8e3\",\"098c8c66-e7b7-4877-8ede-e69c2ab79d08\"],\"columns\":{\"098c8c66-e7b7-4877-8ede-e69c2ab79d08\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"params\":{\"emptyAsNull\":true},\"scale\":\"ratio\",\"sourceField\":\"___records___\"},\"e5f0842d-128d-4718-9d9d-3fd543f0d8e3\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top 5 values of 
network.transport\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"098c8c66-e7b7-4877-8ede-e69c2ab79d08\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"secondaryFields\":[],\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"network.transport\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"e5f0842d-128d-4718-9d9d-3fd543f0d8e3\"],\"layerId\":\"3315c7ab-9184-4bc2-8d29-bfa4f03c0357\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"098c8c66-e7b7-4877-8ede-e69c2ab79d08\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"treemap\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":7,\"i\":\"14f2d7bc-a79b-4917-a0a3-9656891cc0d8\",\"w\":12,\"x\":12,\"y\":7},\"panelIndex\":\"14f2d7bc-a79b-4917-a0a3-9656891cc0d8\",\"title\":\"Network Transport\",\"type\":\"lens\",\"version\":\"8.3.2\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-3315c7ab-9184-4bc2-8d29-bfa4f03c0357\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"3315c7ab-9184-4bc2-8d29-bfa4f03c0357\":{\"columnOrder\":[\"e5f0842d-128d-4718-9d9d-3fd543f0d8e3\",\"098c8c66-e7b7-4877-8ede-e69c2ab79d08\"],\"columns\":{\"098c8c66-e7b7-4877-8ede-e69c2ab79d08\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"params\":{\"emptyAsNull\":true},\"scale\":\"ratio\",\"sourceField\":\"___records___\"},\"e5f0842d-128d-4718-9d9d-3fd543f0d8e3\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":true,\"label\":\"Syslog 
Severity\",\"operationType\":\"range\",\"params\":{\"includeEmptyRows\":true,\"maxBars\":\"auto\",\"ranges\":[{\"from\":0,\"label\":\"\",\"to\":1000}],\"type\":\"histogram\"},\"scale\":\"interval\",\"sourceField\":\"log.syslog.severity.code\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"axisTitlesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"fittingFunction\":\"None\",\"gridlinesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"layers\":[{\"accessors\":[\"098c8c66-e7b7-4877-8ede-e69c2ab79d08\"],\"layerId\":\"3315c7ab-9184-4bc2-8d29-bfa4f03c0357\",\"layerType\":\"data\",\"seriesType\":\"bar_stacked\",\"xAccessor\":\"e5f0842d-128d-4718-9d9d-3fd543f0d8e3\"}],\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"preferredSeriesType\":\"bar_stacked\",\"tickLabelsVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"valueLabels\":\"hide\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsXY\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":7,\"i\":\"85b98bdc-73a7-4032-aef1-91921b5235ce\",\"w\":12,\"x\":36,\"y\":7},\"panelIndex\":\"85b98bdc-73a7-4032-aef1-91921b5235ce\",\"title\":\"Syslog Severities\",\"type\":\"lens\",\"version\":\"8.3.2\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-3315c7ab-9184-4bc2-8d29-bfa4f03c0357\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"3315c7ab-9184-4bc2-8d29-bfa4f03c0357\":{\"columnOrder\":[\"e5f0842d-128d-4718-9d9d-3fd543f0d8e3\",\"098c8c66-e7b7-4877-8ede-e69c2ab79d08\"],\"columns\":{\"098c8c66-e7b7-4877-8ede-e69c2ab79d08\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of 
records\",\"operationType\":\"count\",\"params\":{\"emptyAsNull\":true},\"scale\":\"ratio\",\"sourceField\":\"___records___\"},\"e5f0842d-128d-4718-9d9d-3fd543f0d8e3\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":true,\"label\":\"Event Duration\",\"operationType\":\"range\",\"params\":{\"includeEmptyRows\":true,\"maxBars\":\"auto\",\"ranges\":[{\"from\":0,\"label\":\"\",\"to\":1000}],\"type\":\"histogram\"},\"scale\":\"interval\",\"sourceField\":\"event.duration\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"axisTitlesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"fittingFunction\":\"None\",\"gridlinesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"layers\":[{\"accessors\":[\"098c8c66-e7b7-4877-8ede-e69c2ab79d08\"],\"layerId\":\"3315c7ab-9184-4bc2-8d29-bfa4f03c0357\",\"layerType\":\"data\",\"seriesType\":\"bar_stacked\",\"xAccessor\":\"e5f0842d-128d-4718-9d9d-3fd543f0d8e3\"}],\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"preferredSeriesType\":\"bar_stacked\",\"tickLabelsVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"valueLabels\":\"hide\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsXY\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":7,\"i\":\"3652abe3-b251-4cc0-a014-a81bbe764d33\",\"w\":12,\"x\":24,\"y\":7},\"panelIndex\":\"3652abe3-b251-4cc0-a014-a81bbe764d33\",\"title\":\"Event 
Duration\",\"type\":\"lens\",\"version\":\"8.3.2\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-2573c22c-9787-4385-a01b-779b948ee617\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"2573c22c-9787-4385-a01b-779b948ee617\":{\"columnOrder\":[\"2ae7b9f4-59a0-4614-970e-b9e0aa0f8979\",\"d18fd8ee-eba8-421c-ae32-a71f7e414f3f\"],\"columns\":{\"2ae7b9f4-59a0-4614-970e-b9e0aa0f8979\":{\"dataType\":\"date\",\"isBucketed\":true,\"label\":\"@timestamp\",\"operationType\":\"date_histogram\",\"params\":{\"dropPartials\":false,\"includeEmptyRows\":true,\"interval\":\"auto\"},\"scale\":\"interval\",\"sourceField\":\"@timestamp\"},\"d18fd8ee-eba8-421c-ae32-a71f7e414f3f\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"params\":{\"emptyAsNull\":true},\"scale\":\"ratio\",\"sourceField\":\"___records___\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"axisTitlesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"fittingFunction\":\"None\",\"gridlinesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"layers\":[{\"accessors\":[\"d18fd8ee-eba8-421c-ae32-a71f7e414f3f\"],\"layerId\":\"2573c22c-9787-4385-a01b-779b948ee617\",\"layerType\":\"data\",\"position\":\"top\",\"seriesType\":\"line\",\"showGridlines\":false,\"xAccessor\":\"2ae7b9f4-59a0-4614-970e-b9e0aa0f8979\"}],\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"preferredSeriesType\":\"line\",\"tickLabelsVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"valueLabels\":\"hide\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsXY\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":12,\"i\":\"c284fd4a-cd25-4fe3-8124-f2458aed0257\",\"w\":48,\"x\":0,\"y\":14},
\"panelIndex\":\"c284fd4a-cd25-4fe3-8124-f2458aed0257\",\"title\":\"Requests Over Time\",\"type\":\"lens\",\"version\":\"8.3.2\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-64b9d1d0-7503-4967-849c-be0201d51ac1\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"64b9d1d0-7503-4967-849c-be0201d51ac1\":{\"columnOrder\":[\"e4b7b011-b2e7-41bf-895d-11b402493f26\",\"ed019e2d-fc96-4301-bf59-c2330c54b2f7\"],\"columns\":{\"e4b7b011-b2e7-41bf-895d-11b402493f26\":{\"dataType\":\"date\",\"isBucketed\":true,\"label\":\"@timestamp\",\"operationType\":\"date_histogram\",\"params\":{\"dropPartials\":false,\"includeEmptyRows\":true,\"interval\":\"auto\"},\"scale\":\"interval\",\"sourceField\":\"@timestamp\"},\"ed019e2d-fc96-4301-bf59-c2330c54b2f7\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Median of network.bytes\",\"operationType\":\"median\",\"params\":{\"emptyAsNull\":true},\"scale\":\"ratio\",\"sourceField\":\"network.bytes\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"axisTitlesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"fittingFunction\":\"None\",\"gridlinesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"layers\":[{\"accessors\":[\"ed019e2d-fc96-4301-bf59-c2330c54b2f7\"],\"layerId\":\"64b9d1d0-7503-4967-849c-be0201d51ac1\",\"layerType\":\"data\",\"position\":\"top\",\"seriesType\":\"line\",\"showGridlines\":false,\"xAccessor\":\"e4b7b011-b2e7-41bf-895d-11b402493f26\"}],\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"preferredSeriesType\":\"line\",\"tickLabelsVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"valueLabels\":\"hide\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsXY\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\
":{\"h\":12,\"i\":\"58884a18-ec0a-46f1-bf37-de86aba407ad\",\"w\":48,\"x\":0,\"y\":26},\"panelIndex\":\"58884a18-ec0a-46f1-bf37-de86aba407ad\",\"title\":\"Network Bytes Over Time\",\"type\":\"lens\",\"version\":\"8.3.2\"},{\"embeddableConfig\":{\"attributes\":{\"description\":\"\",\"layerListJSON\":\"[{\\\"locale\\\":\\\"autoselect\\\",\\\"sourceDescriptor\\\":{\\\"type\\\":\\\"EMS_TMS\\\",\\\"isAutoSelect\\\":true,\\\"lightModeDefault\\\":\\\"road_map_desaturated\\\"},\\\"id\\\":\\\"639d6137-90ec-4d57-8478-e509f53ce69d\\\",\\\"label\\\":null,\\\"minZoom\\\":0,\\\"maxZoom\\\":24,\\\"alpha\\\":1,\\\"visible\\\":true,\\\"style\\\":{\\\"type\\\":\\\"TILE\\\"},\\\"includeInFitToBounds\\\":true,\\\"type\\\":\\\"EMS_VECTOR_TILE\\\"},{\\\"sourceDescriptor\\\":{\\\"sourceGeoField\\\":\\\"source.geo.location\\\",\\\"destGeoField\\\":\\\"destination.geo.location\\\",\\\"id\\\":\\\"1eb41e3c-4868-4a02-a274-7e2d0c99395d\\\",\\\"type\\\":\\\"ES_PEW_PEW\\\",\\\"applyGlobalQuery\\\":true,\\\"applyGlobalTime\\\":true,\\\"applyForceRefresh\\\":true,\\\"metrics\\\":[{\\\"type\\\":\\\"count\\\"}],\\\"indexPatternRefName\\\":\\\"layer_1_source_index_pattern\\\"},\\\"style\\\":{\\\"type\\\":\\\"VECTOR\\\",\\\"properties\\\":{\\\"icon\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"value\\\":\\\"marker\\\"}},\\\"fillColor\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"color\\\":\\\"#54B399\\\"}},\\\"lineColor\\\":{\\\"type\\\":\\\"DYNAMIC\\\",\\\"options\\\":{\\\"color\\\":\\\"Blues\\\",\\\"colorCategory\\\":\\\"palette_0\\\",\\\"field\\\":{\\\"name\\\":\\\"doc_count\\\",\\\"origin\\\":\\\"source\\\"},\\\"fieldMetaOptions\\\":{\\\"isEnabled\\\":true,\\\"sigma\\\":3}}},\\\"lineWidth\\\":{\\\"type\\\":\\\"DYNAMIC\\\",\\\"options\\\":{\\\"minSize\\\":1,\\\"maxSize\\\":10,\\\"field\\\":{\\\"name\\\":\\\"doc_count\\\",\\\"origin\\\":\\\"source\\\"},\\\"fieldMetaOptions\\\":{\\\"isEnabled\\\":true,\\\"sigma\\\":3}}},\\\"iconSize\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"
size\\\":6}},\\\"iconOrientation\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"orientation\\\":0}},\\\"labelText\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"value\\\":\\\"\\\"}},\\\"labelColor\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"color\\\":\\\"#000000\\\"}},\\\"labelSize\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"size\\\":14}},\\\"labelBorderColor\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"color\\\":\\\"#FFFFFF\\\"}},\\\"symbolizeAs\\\":{\\\"options\\\":{\\\"value\\\":\\\"circle\\\"}},\\\"labelBorderSize\\\":{\\\"options\\\":{\\\"size\\\":\\\"SMALL\\\"}}},\\\"isTimeAware\\\":true},\\\"id\\\":\\\"849d4635-b0b9-48e8-a55e-2af1ad03cdc6\\\",\\\"label\\\":null,\\\"minZoom\\\":0,\\\"maxZoom\\\":24,\\\"alpha\\\":0.75,\\\"visible\\\":true,\\\"includeInFitToBounds\\\":true,\\\"type\\\":\\\"GEOJSON_VECTOR\\\",\\\"joins\\\":[]},{\\\"sourceDescriptor\\\":{\\\"geoField\\\":\\\"destination.geo.location\\\",\\\"requestType\\\":\\\"heatmap\\\",\\\"resolution\\\":\\\"MOST_FINE\\\",\\\"id\\\":\\\"2324e246-cacb-44b6-9b5d-adfe78680a50\\\",\\\"type\\\":\\\"ES_GEO_GRID\\\",\\\"applyGlobalQuery\\\":true,\\\"applyGlobalTime\\\":true,\\\"applyForceRefresh\\\":true,\\\"metrics\\\":[{\\\"type\\\":\\\"count\\\",\\\"label\\\":\\\"\\\"}],\\\"indexPatternRefName\\\":\\\"layer_2_source_index_pattern\\\"},\\\"id\\\":\\\"8bcd1ead-bbd9-4e7f-8764-0042c69a815a\\\",\\\"label\\\":\\\"Destination 
Location\\\",\\\"minZoom\\\":0,\\\"maxZoom\\\":24,\\\"alpha\\\":0.75,\\\"visible\\\":true,\\\"style\\\":{\\\"type\\\":\\\"HEATMAP\\\",\\\"colorRampName\\\":\\\"Blues\\\"},\\\"includeInFitToBounds\\\":true,\\\"type\\\":\\\"HEATMAP\\\"},{\\\"sourceDescriptor\\\":{\\\"geoField\\\":\\\"source.geo.location\\\",\\\"requestType\\\":\\\"heatmap\\\",\\\"resolution\\\":\\\"MOST_FINE\\\",\\\"id\\\":\\\"89afbedd-118f-4a04-9015-57165b9b84dd\\\",\\\"type\\\":\\\"ES_GEO_GRID\\\",\\\"applyGlobalQuery\\\":true,\\\"applyGlobalTime\\\":true,\\\"applyForceRefresh\\\":true,\\\"metrics\\\":[{\\\"type\\\":\\\"count\\\"}],\\\"indexPatternRefName\\\":\\\"layer_3_source_index_pattern\\\"},\\\"id\\\":\\\"1c35d621-57d9-48b9-afa9-9755aae6c1ac\\\",\\\"label\\\":\\\"Source Location\\\",\\\"minZoom\\\":0,\\\"maxZoom\\\":24,\\\"alpha\\\":0.75,\\\"visible\\\":true,\\\"style\\\":{\\\"type\\\":\\\"HEATMAP\\\",\\\"colorRampName\\\":\\\"Yellow to Red\\\"},\\\"includeInFitToBounds\\\":true,\\\"type\\\":\\\"HEATMAP\\\"}]\",\"mapStateJSON\":\"{\\\"zoom\\\":1.64,\\\"center\\\":{\\\"lon\\\":90.00001,\\\"lat\\\":0},\\\"timeFilters\\\":{\\\"from\\\":\\\"now-7d\\\",\\\"to\\\":\\\"now\\\"},\\\"refreshConfig\\\":{\\\"isPaused\\\":true,\\\"interval\\\":0},\\\"query\\\":{\\\"query\\\":\\\"\\\",\\\"language\\\":\\\"kuery\\\"},\\\"filters\\\":[],\\\"settings\\\":{\\\"autoFitToDataBounds\\\":false,\\\"backgroundColor\\\":\\\"#ffffff\\\",\\\"customIcons\\\":[],\\\"disableInteractive\\\":false,\\\"disableTooltipControl\\\":false,\\\"hideToolbarOverlay\\\":false,\\\"hideLayerControl\\\":false,\\\"hideViewControl\\\":false,\\\"initialLocation\\\":\\\"LAST_SAVED_LOCATION\\\",\\\"fixedLocation\\\":{\\\"lat\\\":0,\\\"lon\\\":0,\\\"zoom\\\":2},\\\"browserLocation\\\":{\\\"zoom\\\":2},\\\"maxZoom\\\":24,\\\"minZoom\\\":0,\\\"showScaleControl\\\":false,\\\"showSpatialFilters\\\":true,\\\"showTimesliderToggleButton\\\":true,\\\"spatialFiltersAlpa\\\":0.3,\\\"spatialFiltersFillColor\\\":\\\"#DA8B45\\\",\\\"spatialFiltersLineColor
\\\":\\\"#DA8B45\\\"}}\",\"title\":\"\",\"uiStateJSON\":\"{\\\"isLayerTOCOpen\\\":true,\\\"openTOCDetails\\\":[]}\"},\"enhancements\":{},\"hiddenLayers\":[],\"hidePanelTitles\":false,\"isLayerTOCOpen\":false,\"mapBuffer\":{\"maxLat\":89.78601,\"maxLon\":360,\"minLat\":-89.78601,\"minLon\":-180},\"mapCenter\":{\"lat\":0,\"lon\":90.00001,\"zoom\":0.38},\"openTOCDetails\":[]},\"gridData\":{\"h\":25,\"i\":\"3559260b-1b7d-4053-b958-d6eb5f4e839e\",\"w\":24,\"x\":0,\"y\":38},\"panelIndex\":\"3559260b-1b7d-4053-b958-d6eb5f4e839e\",\"title\":\"Connections\",\"type\":\"map\",\"version\":\"8.3.2\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-3b509c65-21ea-4bc9-98ac-38f059b301f9\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"3b509c65-21ea-4bc9-98ac-38f059b301f9\":{\"columnOrder\":[\"d5104737-a960-4de0-950e-d33e797f9346\",\"f14b52f5-b58b-4cac-8878-20f877e4724e\"],\"columns\":{\"d5104737-a960-4de0-950e-d33e797f9346\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top 10 values of source.geo.country_name\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"f14b52f5-b58b-4cac-8878-20f877e4724e\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"secondaryFields\":[],\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"source.geo.country_name\"},\"f14b52f5-b58b-4cac-8878-20f877e4724e\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of 
records\",\"operationType\":\"count\",\"params\":{\"emptyAsNull\":true},\"scale\":\"ratio\",\"sourceField\":\"___records___\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"d5104737-a960-4de0-950e-d33e797f9346\"],\"layerId\":\"3b509c65-21ea-4bc9-98ac-38f059b301f9\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"f14b52f5-b58b-4cac-8878-20f877e4724e\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"treemap\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":13,\"i\":\"9eb208d4-f6d7-468a-b558-a98ecc64e262\",\"w\":12,\"x\":24,\"y\":38},\"panelIndex\":\"9eb208d4-f6d7-468a-b558-a98ecc64e262\",\"title\":\"Source Country\",\"type\":\"lens\",\"version\":\"8.3.2\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-3b509c65-21ea-4bc9-98ac-38f059b301f9\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"3b509c65-21ea-4bc9-98ac-38f059b301f9\":{\"columnOrder\":[\"d5104737-a960-4de0-950e-d33e797f9346\",\"f14b52f5-b58b-4cac-8878-20f877e4724e\"],\"columns\":{\"d5104737-a960-4de0-950e-d33e797f9346\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top 10 values of source.as.organization.name\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"f14b52f5-b58b-4cac-8878-20f877e4724e\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"secondaryFields\":[],\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"source.as.organization.name\"},\"f14b52f5-b58b-4cac-8878-20f877e4724e\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of 
records\",\"operationType\":\"count\",\"params\":{\"emptyAsNull\":true},\"scale\":\"ratio\",\"sourceField\":\"___records___\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"d5104737-a960-4de0-950e-d33e797f9346\"],\"layerId\":\"3b509c65-21ea-4bc9-98ac-38f059b301f9\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"f14b52f5-b58b-4cac-8878-20f877e4724e\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"treemap\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":13,\"i\":\"bbd15cda-94cf-4624-acfe-f255efbb5855\",\"w\":12,\"x\":36,\"y\":38},\"panelIndex\":\"bbd15cda-94cf-4624-acfe-f255efbb5855\",\"title\":\"Source Organization\",\"type\":\"lens\",\"version\":\"8.3.2\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-3b509c65-21ea-4bc9-98ac-38f059b301f9\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"3b509c65-21ea-4bc9-98ac-38f059b301f9\":{\"columnOrder\":[\"d5104737-a960-4de0-950e-d33e797f9346\",\"f14b52f5-b58b-4cac-8878-20f877e4724e\"],\"columns\":{\"d5104737-a960-4de0-950e-d33e797f9346\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top 10 values of destination.geo.country_name\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"f14b52f5-b58b-4cac-8878-20f877e4724e\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"secondaryFields\":[],\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"destination.geo.country_name\"},\"f14b52f5-b58b-4cac-8878-20f877e4724e\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of 
records\",\"operationType\":\"count\",\"params\":{\"emptyAsNull\":true},\"scale\":\"ratio\",\"sourceField\":\"___records___\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"d5104737-a960-4de0-950e-d33e797f9346\"],\"layerId\":\"3b509c65-21ea-4bc9-98ac-38f059b301f9\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"f14b52f5-b58b-4cac-8878-20f877e4724e\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"treemap\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":12,\"i\":\"83c59f55-5df1-4715-8fb1-d088f0e10019\",\"w\":12,\"x\":24,\"y\":51},\"panelIndex\":\"83c59f55-5df1-4715-8fb1-d088f0e10019\",\"title\":\"Destination Country\",\"type\":\"lens\",\"version\":\"8.3.2\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-3b509c65-21ea-4bc9-98ac-38f059b301f9\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"3b509c65-21ea-4bc9-98ac-38f059b301f9\":{\"columnOrder\":[\"d5104737-a960-4de0-950e-d33e797f9346\",\"f14b52f5-b58b-4cac-8878-20f877e4724e\"],\"columns\":{\"d5104737-a960-4de0-950e-d33e797f9346\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top 10 values of destination.as.organization.name\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"f14b52f5-b58b-4cac-8878-20f877e4724e\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"secondaryFields\":[],\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"destination.as.organization.name\"},\"f14b52f5-b58b-4cac-8878-20f877e4724e\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of 
records\",\"operationType\":\"count\",\"params\":{\"emptyAsNull\":true},\"scale\":\"ratio\",\"sourceField\":\"___records___\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"d5104737-a960-4de0-950e-d33e797f9346\"],\"layerId\":\"3b509c65-21ea-4bc9-98ac-38f059b301f9\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"f14b52f5-b58b-4cac-8878-20f877e4724e\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"treemap\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":12,\"i\":\"1e4ffbda-33d2-40eb-9746-4469775466f7\",\"w\":12,\"x\":36,\"y\":51},\"panelIndex\":\"1e4ffbda-33d2-40eb-9746-4469775466f7\",\"title\":\"Destination Organization\",\"type\":\"lens\",\"version\":\"8.3.2\"}]", - "timeRestore": false, - "title": "[Fortinet Fortigate] Firewall Overview", - "version": 1 - }, - "coreMigrationVersion": "8.3.2", - "id": "fortinet_fortigate-d0cd8230-0c8b-11ed-bb95-158df2ca77e4", - "migrationVersion": { - "dashboard": "8.3.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "aef92dcc-7959-4c94-90ef-373478d28419:indexpattern-datasource-layer-3315c7ab-9184-4bc2-8d29-bfa4f03c0357", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "53ff2f86-bf06-4677-92d2-067155f609f3:indexpattern-datasource-layer-3315c7ab-9184-4bc2-8d29-bfa4f03c0357", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "b3871313-73e1-4197-af66-2ff82506fafd:indexpattern-datasource-layer-3315c7ab-9184-4bc2-8d29-bfa4f03c0357", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "941798ef-1ae4-4ebe-8867-a17eb8b1a4b9:indexpattern-datasource-layer-3315c7ab-9184-4bc2-8d29-bfa4f03c0357", - "type": "index-pattern" - 
}, - { - "id": "logs-*", - "name": "f20139de-a0eb-463f-a9c8-183dce76b3fa:indexpattern-datasource-layer-3315c7ab-9184-4bc2-8d29-bfa4f03c0357", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "14f2d7bc-a79b-4917-a0a3-9656891cc0d8:indexpattern-datasource-layer-3315c7ab-9184-4bc2-8d29-bfa4f03c0357", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "85b98bdc-73a7-4032-aef1-91921b5235ce:indexpattern-datasource-layer-3315c7ab-9184-4bc2-8d29-bfa4f03c0357", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "3652abe3-b251-4cc0-a014-a81bbe764d33:indexpattern-datasource-layer-3315c7ab-9184-4bc2-8d29-bfa4f03c0357", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "c284fd4a-cd25-4fe3-8124-f2458aed0257:indexpattern-datasource-layer-2573c22c-9787-4385-a01b-779b948ee617", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "58884a18-ec0a-46f1-bf37-de86aba407ad:indexpattern-datasource-layer-64b9d1d0-7503-4967-849c-be0201d51ac1", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "3559260b-1b7d-4053-b958-d6eb5f4e839e:layer_1_source_index_pattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "3559260b-1b7d-4053-b958-d6eb5f4e839e:layer_2_source_index_pattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "3559260b-1b7d-4053-b958-d6eb5f4e839e:layer_3_source_index_pattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "9eb208d4-f6d7-468a-b558-a98ecc64e262:indexpattern-datasource-layer-3b509c65-21ea-4bc9-98ac-38f059b301f9", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "bbd15cda-94cf-4624-acfe-f255efbb5855:indexpattern-datasource-layer-3b509c65-21ea-4bc9-98ac-38f059b301f9", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "83c59f55-5df1-4715-8fb1-d088f0e10019:indexpattern-datasource-layer-3b509c65-21ea-4bc9-98ac-38f059b301f9", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": 
"1e4ffbda-33d2-40eb-9746-4469775466f7:indexpattern-datasource-layer-3b509c65-21ea-4bc9-98ac-38f059b301f9", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "controlGroup_eb2ef977-0de8-4bd4-a936-8bd25a74543c:optionsListDataView", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "controlGroup_cfa74479-5cd8-48b4-b302-86302d5cc8a6:optionsListDataView", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "controlGroup_ee56c2d4-3f4e-4914-bc04-74a600f57188:optionsListDataView", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "controlGroup_ad683801-15c1-4243-a870-c533cf32c7e3:optionsListDataView", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "controlGroup_c66d9124-057b-40aa-bc0a-fab5624ed285:optionsListDataView", - "type": "index-pattern" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/fortinet_fortigate/1.2.2/manifest.yml b/packages/fortinet_fortigate/1.2.2/manifest.yml deleted file mode 100755 index e0a2f6f121..0000000000 --- a/packages/fortinet_fortigate/1.2.2/manifest.yml +++ /dev/null 
@@ -1,37 +0,0 @@
-name: fortinet_fortigate
-title: Fortinet FortiGate Firewall Logs
-version: 1.2.2
-release: ga
-description: Collect logs from Fortinet FortiGate firewalls with Elastic Agent.
-type: integration
-format_version: 1.0.0
-license: basic
-categories: ["security"]
-conditions:
- kibana.version: "^8.3.0"
-icons:
- - src: /img/fortinet-logo.svg
- title: Fortinet
- size: 216x216
- type: image/svg+xml
-screenshots:
- - src: /img/dashboard.png
- title: Fortinet FortiGate Overview
- size: 3336x3120
- type: image/png
-policy_templates:
- - name: fortinet_fortigate
- title: Fortinet FortiGate logs
- description: Collect logs from Fortinet FortiGate instances
- inputs:
- - type: logfile
- title: "Collect Fortinet FortiGate logs (input: logfile)"
- description: "Collecting logs from Fortinet FortiGate instances (input: logfile)"
- - type: tcp
- title: "Collect Fortinet FortiGate logs (input: tcp)"
- description: "Collecting logs from Fortinet FortiGate instances (input: tcp)"
- - type: udp
- title: "Collect Fortinet FortiGate logs (input: udp)"
- description: "Collecting logs from Fortinet FortiGate instances (input: udp)"
-owner:
- github: elastic/security-external-integrations
diff --git a/packages/fortinet_fortigate/1.2.3/LICENSE.txt b/packages/fortinet_fortigate/1.2.3/LICENSE.txt
deleted file mode 100755
index 809108b857..0000000000
--- a/packages/fortinet_fortigate/1.2.3/LICENSE.txt
+++ /dev/null
@@ -1,93 +0,0 @@
-Elastic License 2.0
-
-URL: https://www.elastic.co/licensing/elastic-license
-
-## Acceptance
-
-By using the software, you agree to all of the terms and conditions below.
-
-## Copyright License
-
-The licensor grants you a non-exclusive, royalty-free, worldwide,
-non-sublicensable, non-transferable license to use, copy, distribute, make
-available, and prepare derivative works of the software, in each case subject to
-the limitations and conditions below.
-
-## Limitations
-
-You may not provide the software to third parties as a hosted or managed
-service, where the service provides users with access to any substantial set of
-the features or functionality of the software.
-
-You may not move, change, disable, or circumvent the license key functionality
-in the software, and you may not remove or obscure any functionality in the
-software that is protected by the license key.
-
-You may not alter, remove, or obscure any licensing, copyright, or other notices
-of the licensor in the software. Any use of the licensor’s trademarks is subject
-to applicable law.
-
-## Patents
-
-The licensor grants you a license, under any patent claims the licensor can
-license, or becomes able to license, to make, have made, use, sell, offer for
-sale, import and have imported the software, in each case subject to the
-limitations and conditions in this license. This license does not cover any
-patent claims that you cause to be infringed by modifications or additions to
-the software. If you or your company make any written claim that the software
-infringes or contributes to infringement of any patent, your patent license for
-the software granted under these terms ends immediately. If your company makes
-such a claim, your patent license ends immediately for work on behalf of your
-company.
-
-## Notices
-
-You must ensure that anyone who gets a copy of any part of the software from you
-also gets a copy of these terms.
-
-If you modify the software, you must include in any modified copies of the
-software prominent notices stating that you have modified the software.
-
-## No Other Rights
-
-These terms do not imply any licenses other than those expressly granted in
-these terms.
-
-## Termination
-
-If you use the software in violation of these terms, such use is not licensed,
-and your licenses will automatically terminate. If the licensor provides you
-with a notice of your violation, and you cease all violation of this license no
-later than 30 days after you receive that notice, your licenses will be
-reinstated retroactively. However, if you violate these terms after such
-reinstatement, any additional violation of these terms will cause your licenses
-to terminate automatically and permanently.
-
-## No Liability
-
-*As far as the law allows, the software comes as is, without any warranty or
-condition, and the licensor will not be liable to you for any damages arising
-out of these terms or the use or nature of the software, under any kind of
-legal claim.*
-
-## Definitions
-
-The **licensor** is the entity offering these terms, and the **software** is the
-software the licensor makes available under these terms, including any portion
-of it.
-
-**you** refers to the individual or entity agreeing to these terms.
-
-**your company** is any legal entity, sole proprietorship, or other kind of
-organization that you work for, plus all organizations that have control over,
-are under the control of, or are under common control with that
-organization. **control** means ownership of substantially all the assets of an
-entity, or the power to direct its management and policies by vote, contract, or
-otherwise. Control can be direct or indirect.
-
-**your licenses** are all the licenses granted to you for the software under
-these terms.
-
-**use** means anything you do with the software requiring one of your licenses.
-
-**trademark** means trademarks, service marks, and similar rights.
diff --git a/packages/fortinet_fortigate/1.2.3/changelog.yml b/packages/fortinet_fortigate/1.2.3/changelog.yml
deleted file mode 100755
index e82be4bb65..0000000000
--- a/packages/fortinet_fortigate/1.2.3/changelog.yml
+++ /dev/null
@@ -1,39 +0,0 @@
-# newer versions go on top
-- version: "1.2.3"
- changes:
- - description: Remove duplicate field.
- type: bugfix
- link: https://github.com/elastic/integrations/issues/4327
-- version: "1.2.2"
- changes:
- - description: Ensure network.direction values conform to ECS.
- type: bugfix
- link: https://github.com/elastic/integrations/issues/4283
-- version: "1.2.1"
- changes:
- - description: Use ECS geo.location definition.
- type: enhancement
- link: https://github.com/elastic/integrations/issues/4227
-- version: "1.2.0"
- changes:
- - description: Update Ingest Pipeline with observer Fields
- type: enhancement
- link: https://github.com/elastic/integrations/pull/3819
-- version: "1.1.0"
- changes:
- - description: Add dashboard.
- type: enhancement
- link: https://github.com/elastic/integrations/pull/3832
- - description: Process syslog priority and facility.
- type: enhancement
- link: https://github.com/elastic/integrations/pull/3832
-- version: "1.0.1"
- changes:
- - description: Fix handling of sip events.
- type: bugfix
- link: https://github.com/elastic/integrations/pull/3901
-- version: "1.0.0"
- changes:
- - description: Initial version of Fortinet FortiGate as separate package
- type: enhancement
- link: https://github.com/elastic/integrations/pull/3265
diff --git a/packages/fortinet_fortigate/1.2.3/data_stream/log/agent/stream/log.yml.hbs b/packages/fortinet_fortigate/1.2.3/data_stream/log/agent/stream/log.yml.hbs
deleted file mode 100755
index 225500de9f..0000000000
--- a/packages/fortinet_fortigate/1.2.3/data_stream/log/agent/stream/log.yml.hbs
+++ /dev/null
@@ -1,47 +0,0 @@
-paths:
-{{#each paths as |path i|}}
- - {{path}}
-{{/each}}
-exclude_files: [".gz$"]
-tags:
-{{#if preserve_original_event}}
- - preserve_original_event
-{{/if}}
-{{#each tags as |tag i|}}
- - {{tag}}
-{{/each}}
-{{#contains "forwarded" tags}}
-publisher_pipeline.disable_host: true
-{{/contains}}
-{{#if internal_interfaces.length}}
-processors:
-{{else}}
-{{#if external_interfaces.length}}
-processors:
-{{else}}
-{{#if processors}}
-processors:
-{{/if}}
-{{/if}}
-{{/if}}
-{{#if processors}}
-{{processors}}
-{{/if}}
-{{#if internal_interfaces.length}}
- - add_fields:
- target: _temp
- fields:
- internal_interfaces:
- {{#each internal_interfaces as |interface i|}}
- - {{interface}}
- {{/each}}
-{{/if}}
-{{#if external_interfaces.length}}
- - add_fields:
- target: _temp
- fields:
- external_interfaces:
- {{#each external_interfaces as |interface i|}}
- - {{interface}}
- {{/each}}
-{{/if}}
diff --git a/packages/fortinet_fortigate/1.2.3/data_stream/log/agent/stream/tcp.yml.hbs b/packages/fortinet_fortigate/1.2.3/data_stream/log/agent/stream/tcp.yml.hbs
deleted file mode 100755
index 6ca58d4fa8..0000000000
--- a/packages/fortinet_fortigate/1.2.3/data_stream/log/agent/stream/tcp.yml.hbs
+++ /dev/null
@@ -1,49 +0,0 @@
-host: "{{syslog_host}}:{{syslog_port}}"
-tags:
-{{#if preserve_original_event}}
- - preserve_original_event
-{{/if}}
-{{#each tags as |tag i|}}
- - {{tag}}
-{{/each}}
-{{#contains "forwarded" tags}}
-publisher_pipeline.disable_host: true
-{{/contains}}
-{{#if ssl}}
-ssl: {{ssl}}
-{{/if}}
-{{#if internal_interfaces.length}}
-processors:
-{{else}}
-{{#if external_interfaces.length}}
-processors:
-{{else}}
-{{#if processors}}
-processors:
-{{/if}}
-{{/if}}
-{{/if}}
-{{#if processors}}
-{{processors}}
-{{/if}}
-{{#if internal_interfaces.length}}
- - add_fields:
- target: _temp
- fields:
- internal_interfaces:
- {{#each internal_interfaces as |interface i|}}
- - {{interface}}
- {{/each}}
-{{/if}}
-{{#if external_interfaces.length}}
- - add_fields:
- target: _temp
- fields:
- external_interfaces:
- {{#each external_interfaces as |interface i|}}
- - {{interface}}
- {{/each}}
-{{/if}}
-{{#if tcp_options}}
-{{tcp_options}}
-{{/if}}
diff --git a/packages/fortinet_fortigate/1.2.3/data_stream/log/agent/stream/udp.yml.hbs b/packages/fortinet_fortigate/1.2.3/data_stream/log/agent/stream/udp.yml.hbs
deleted file mode 100755
index 852d6d18f0..0000000000
--- a/packages/fortinet_fortigate/1.2.3/data_stream/log/agent/stream/udp.yml.hbs
+++ /dev/null
@@ -1,43 +0,0 @@
-host: "{{syslog_host}}:{{syslog_port}}"
-tags:
-{{#if preserve_original_event}}
- - preserve_original_event
-{{/if}}
-{{#each tags as |tag i|}}
- - {{tag}}
-{{/each}}
-{{#contains "forwarded" tags}}
-publisher_pipeline.disable_host: true
-{{/contains}}
-{{#if internal_interfaces.length}}
-processors:
-{{else}}
-{{#if external_interfaces.length}}
-processors:
-{{else}}
-{{#if processors}}
-processors:
-{{/if}}
-{{/if}}
-{{/if}}
-{{#if processors}}
-{{processors}}
-{{/if}}
-{{#if internal_interfaces.length}}
- - add_fields:
- target: _temp
- fields:
- internal_interfaces:
- {{#each internal_interfaces as |interface i|}}
- - {{interface}}
- {{/each}}
-{{/if}}
-{{#if external_interfaces.length}}
- - add_fields:
- target: _temp
- fields:
- external_interfaces:
- {{#each external_interfaces as |interface i|}}
- - {{interface}}
- {{/each}}
-{{/if}}
diff --git a/packages/fortinet_fortigate/1.2.3/data_stream/log/elasticsearch/ingest_pipeline/default.yml b/packages/fortinet_fortigate/1.2.3/data_stream/log/elasticsearch/ingest_pipeline/default.yml
deleted file mode 100755
index de33da79fa..0000000000
--- a/packages/fortinet_fortigate/1.2.3/data_stream/log/elasticsearch/ingest_pipeline/default.yml
+++ /dev/null
@@ -1,449 +0,0 @@
----
-description: Pipeline for parsing fortinet firewall logs
-processors:
- - set:
- field: ecs.version
- value: '8.3.0'
- - rename:
- field: message
- target_field: event.original
- - grok:
- field: event.original
- ecs_compatibility: v1
- patterns:
- - "%{SYSLOG5424PRI}%{GREEDYDATA:syslog5424_sd}$"
- - script:
- lang: painless
- source: |
- if (ctx.log?.syslog?.priority != null) {
- def severity = new HashMap();
- severity['code'] = ctx.log.syslog.priority&0x7;
- ctx.log.syslog['severity'] = severity;
- def facility = new HashMap();
- facility['code'] = ctx.log.syslog.priority>>3;
- ctx.log.syslog['facility'] = facility;
- }
- - kv:
- field: syslog5424_sd
- field_split: " (?=[a-z\\_\\-]+=)"
- value_split: "="
- prefix: "fortinet.firewall."
- ignore_missing: true
- ignore_failure: false
- trim_value: '"'
- - script:
- lang: painless
- source: |
- def fw = ctx?.fortinet?.firewall;
- if (fw != null) {
- fw.entrySet().removeIf(entry -> entry.getValue() == "N/A");
- }
- - set:
- field: observer.vendor
- value: Fortinet
- - set:
- field: observer.product
- value: Fortigate
- - set:
- field: observer.type
- value: firewall
- - set:
- field: event.timezone
- value: "{{fortinet.firewall.tz}}"
- ignore_empty_value: true
- - set:
- field: _temp.time
- value: "{{fortinet.firewall.date}} {{fortinet.firewall.time}} {{fortinet.firewall.tz}}"
- if: "ctx.fortinet?.firewall?.tz != null"
- - set:
- field: _temp.time
- value: "{{fortinet.firewall.date}} {{fortinet.firewall.time}}"
- if: "ctx.fortinet?.firewall?.tz == null"
- - date:
- field: _temp.time
- target_field: "@timestamp"
- formats:
- - yyyy-MM-dd HH:mm:ss
- - yyyy-MM-dd HH:mm:ss Z
- - yyyy-MM-dd HH:mm:ss z
- - ISO8601
- timezone: "{{fortinet.firewall.tz}}"
- if: "ctx.fortinet?.firewall?.tz != null"
- - date:
- field: _temp.time
- target_field: "@timestamp"
- formats:
- - yyyy-MM-dd HH:mm:ss
- - yyyy-MM-dd HH:mm:ss Z
- - yyyy-MM-dd HH:mm:ss z
- - ISO8601
- if: "ctx.fortinet?.firewall?.tz == null"
- gsub:
- field: fortinet.firewall.eventtime
- pattern: "\\d{6}$"
- replacement: ""
- if: "ctx.fortinet?.firewall?.eventtime != null && (ctx.fortinet?.firewall?.eventtime).length() > 18"
- - date:
- field: fortinet.firewall.eventtime
- target_field: event.start
- formats:
- - UNIX_MS
- timezone: "{{fortinet.firewall.tz}}"
- if: "ctx?.fortinet?.firewall?.eventtime != null && ctx.fortinet?.firewall?.tz != null && (ctx.fortinet?.firewall?.eventtime).length() > 11"
- - date:
- field: fortinet.firewall.eventtime
- target_field: event.start
- formats:
- - UNIX
- timezone: "{{fortinet.firewall.tz}}"
- if: "ctx?.fortinet?.firewall?.eventtime != null && ctx.fortinet?.firewall?.tz != null && (ctx.fortinet?.firewall?.eventtime).length() <= 11"
- - date:
- field: fortinet.firewall.eventtime
- target_field: event.start
- formats:
- - UNIX_MS
- if: "ctx?.fortinet?.firewall?.eventtime != null && ctx.fortinet?.firewall?.tz == null && (ctx.fortinet?.firewall?.eventtime).length() > 11"
- - date:
- field: fortinet.firewall.eventtime
- target_field: event.start
- formats:
- - UNIX
- if: "ctx?.fortinet?.firewall?.eventtime != null && ctx.fortinet?.firewall?.tz == null && (ctx.fortinet?.firewall?.eventtime).length() <= 11"
- - rename:
- field: fortinet.firewall.devname
- target_field: observer.name
- ignore_missing: true
- - script:
- lang: painless
- source: "ctx.event.duration = Long.parseLong(ctx.fortinet.firewall.duration) * 1000000000"
- if: "ctx.fortinet?.firewall?.duration != null"
- - rename:
- field: fortinet.firewall.devid
- target_field: observer.serial_number
- ignore_missing: true
- - rename:
- field: fortinet.firewall.dstintf
- target_field: observer.egress.interface.name
- ignore_missing: true
- if: "ctx.observer?.egress?.interface?.name == null"
- - rename:
- field: fortinet.firewall.srcintf
- target_field: observer.ingress.interface.name
- ignore_missing: true
- if: "ctx.observer?.ingress?.interface?.name == null"
- - rename:
- field: fortinet.firewall.dst_int
- target_field: observer.egress.interface.name
- ignore_missing: true
- - rename:
- field: fortinet.firewall.src_int
- target_field: observer.ingress.interface.name
- ignore_missing: true
- - rename:
- field: fortinet.firewall.level
- target_field: log.level
- ignore_missing: true
- - append:
- field: email.cc.address
- value: "{{{fortinet.firewall.cc}}}"
- if: "ctx?.fortinet?.cc?.address != null"
- - set:
- field: email.subject
- copy_from: fortinet.firewall.subject
- if: "ctx?.fortinet?.firewall?.subject != null"
-
- # Handle interface-based network directionality
- - set:
- field: network.direction
- value: inbound
- if: >
- ctx?._temp?.external_interfaces != null &&
- ctx?._temp?.internal_interfaces != null &&
- ctx?.observer?.ingress?.interface?.name != null &&
- ctx?.observer?.egress?.interface?.name != null &&
- ctx._temp.external_interfaces.contains(ctx.observer.ingress.interface.name) &&
- ctx._temp.internal_interfaces.contains(ctx.observer.egress.interface.name)
- - set:
- field: network.direction
- value: outbound
- if: >
- ctx?._temp?.external_interfaces != null &&
- ctx?._temp?.internal_interfaces != null &&
- ctx?.observer?.ingress?.interface?.name != null &&
- ctx?.observer?.egress?.interface?.name != null &&
- ctx._temp.external_interfaces.contains(ctx.observer.egress.interface.name) &&
- ctx._temp.internal_interfaces.contains(ctx.observer.ingress.interface.name)
- - set:
- field: network.direction
- value: internal
- if: >
- ctx?._temp?.external_interfaces != null &&
- ctx?._temp?.internal_interfaces != null &&
- ctx?.observer?.ingress?.interface?.name != null &&
- ctx?.observer?.egress?.interface?.name != null &&
- ctx._temp.internal_interfaces.contains(ctx.observer.egress.interface.name) &&
- ctx._temp.internal_interfaces.contains(ctx.observer.ingress.interface.name)
- - set:
- field: network.direction
- value: external
- if: >
- ctx?._temp?.external_interfaces != null &&
- ctx?._temp?.internal_interfaces != null &&
- ctx?.observer?.ingress?.interface?.name != null &&
- ctx?.observer?.egress?.interface?.name != null &&
- ctx._temp.external_interfaces.contains(ctx.observer.egress.interface.name) &&
- ctx._temp.external_interfaces.contains(ctx.observer.ingress.interface.name)
- - set:
- field: network.direction
- value: unknown
- if: >
- ctx?._temp?.external_interfaces != null &&
- ctx?._temp?.internal_interfaces != null &&
- ctx?.observer?.egress?.interface?.name != null &&
- ctx?.observer?.ingress?.interface?.name != null &&
- (
- (
- !ctx._temp.external_interfaces.contains(ctx.observer.egress.interface.name) &&
- !ctx._temp.internal_interfaces.contains(ctx.observer.egress.interface.name)
- ) ||
- (
- !ctx._temp.external_interfaces.contains(ctx.observer.ingress.interface.name) &&
- !ctx._temp.internal_interfaces.contains(ctx.observer.ingress.interface.name)
- )
- )
- - remove:
- field:
- - _temp.time
- - _temp
- - syslog5424_sd
- - fortinet.firewall.tz
- - fortinet.firewall.date
- - fortinet.firewall.devid
- - fortinet.firewall.eventtime
- - fortinet.firewall.time
- - fortinet.firewall.duration
- - host
- ignore_missing: true
- - pipeline:
- name: '{{ IngestPipeline "event" }}'
- if: "ctx.fortinet?.firewall?.type == 'event'"
- - pipeline:
- name: '{{ IngestPipeline "traffic" }}'
- if: "ctx.fortinet?.firewall?.type == 'traffic'"
- - pipeline:
- name: '{{ IngestPipeline "utm" }}'
- if: "ctx.fortinet?.firewall?.type == 'utm' || ctx.fortinet?.firewall?.type == 'dns'"
- - convert:
- field: fortinet.firewall.quotamax
- type: long
- ignore_missing: true
- - convert:
- field: fortinet.firewall.quotaused
- type: long
- ignore_missing: true
- - convert:
- field: fortinet.firewall.size
- type: long
- ignore_missing: true
- - convert:
- field: fortinet.firewall.disklograte
- type: long
- ignore_missing: true
- - convert:
- field: fortinet.firewall.fazlograte
- type: long
- ignore_missing: true
- - convert:
- field: fortinet.firewall.lanin
- type: long
- ignore_missing: true
- - convert:
- field: fortinet.firewall.lanout
- type: long
- ignore_missing: true
- - convert:
- field: fortinet.firewall.setuprate
- type: long
- ignore_missing: true
- - convert:
- field: fortinet.firewall.wanin
- type: long
- ignore_missing: true
- - convert:
- field: fortinet.firewall.wanout
- type: long
- ignore_missing: true
- - geoip:
- field: source.ip
- target_field: source.geo
- ignore_missing: true
- if: "ctx.source?.geo == null"
- - geoip:
- field: destination.ip
- target_field: destination.geo
- ignore_missing: true
- if: "ctx.destination?.geo == null"
- - geoip:
- database_file: GeoLite2-ASN.mmdb
- field: source.ip
- target_field: source.as
- properties:
- - asn
- - organization_name
- ignore_missing: true
- - geoip:
- database_file: GeoLite2-ASN.mmdb
- field: destination.ip
- target_field: destination.as
- properties:
- - asn
- - organization_name
- ignore_missing: true
- - geoip:
- field: source.nat.ip
- target_field: source.geo
- ignore_missing: true
- if: "ctx.source?.geo == null"
- - geoip:
- field: destination.nat.ip
- target_field: destination.geo
- ignore_missing: true
- if: "ctx.destination?.geo == null"
- - geoip:
- database_file: GeoLite2-ASN.mmdb
- field: source.nat.ip
- target_field: source.as
- properties:
- - asn
- - organization_name
- ignore_missing: true
- if: "ctx.source?.as == null"
- - geoip:
- database_file: GeoLite2-ASN.mmdb
- field: destination.nat.ip
- target_field: destination.as
- properties:
- - asn
- - organization_name
- ignore_missing: true
- if: "ctx.destination?.as == null"
- - rename:
- field: source.as.asn
- target_field: source.as.number
- ignore_missing: true
- - rename:
- field: source.as.organization_name
- target_field: source.as.organization.name
- ignore_missing: true
- - rename:
- field: destination.as.asn
- target_field: destination.as.number
- ignore_missing: true
- - rename:
- field: destination.as.organization_name
- target_field: destination.as.organization.name
- ignore_missing: true
- - script:
- lang: painless
- source: "ctx.network.bytes = ctx.source.bytes + ctx.destination.bytes"
- if: "ctx?.source?.bytes != null && ctx?.destination?.bytes != null"
- ignore_failure: true
- - script:
- lang: painless
- source: "ctx.network.packets = ctx.source.packets + ctx.destination.packets"
- if: "ctx?.source?.packets != null && ctx?.destination?.packets != null"
- ignore_failure: true
- - script:
- lang: painless
- ignore_failure: true
- if: ctx?.network?.iana_number != null
- source: |
- def iana_number = ctx.network.iana_number;
- if (iana_number == '0') {
- ctx.network.transport = 'hopopt';
- } else if (iana_number == '1') {
- ctx.network.transport = 'icmp';
- } else if (iana_number == '2') {
- ctx.network.transport = 'igmp';
- } else if (iana_number == '6') {
- ctx.network.transport = 'tcp';
- } else if (iana_number == '8') {
- ctx.network.transport = 'egp';
- } else if (iana_number == '17') {
- ctx.network.transport = 'udp';
- } else if (iana_number == '47') {
- ctx.network.transport = 'gre';
- } else if (iana_number == '50') {
- ctx.network.transport = 'esp';
- } else if (iana_number == '58') {
- ctx.network.transport = 'ipv6-icmp';
- } else if (iana_number == '112') {
- ctx.network.transport = 'vrrp';
- } else if (iana_number == '132') {
- ctx.network.transport = 'sctp';
- }
- - append:
- field: related.ip
- value: "{{source.ip}}"
- if: "ctx.source?.ip != null"
- allow_duplicates: false
- - append:
- field: related.ip
- value: "{{destination.ip}}"
- if: "ctx.destination?.ip != null"
- allow_duplicates: false
- - append:
- field: related.user
- value: "{{source.user.name}}"
- if: "ctx.source?.user?.name != null"
- allow_duplicates: false
- - append:
- field: related.user
- value: "{{destination.user.name}}"
- if: "ctx.destination?.user?.name != null"
- allow_duplicates: false
- - append:
- field: related.hosts
- value: "{{destination.address}}"
- if: "ctx.destination?.address != null"
- allow_duplicates: false
- - append:
- field: related.hosts
- value: "{{source.address}}"
- if: "ctx.source?.address != null"
- allow_duplicates: false
- - append:
- field: related.hosts
- value: "{{dns.question.name}}"
- if: "ctx.dns?.question?.name != null"
- allow_duplicates: false
-
- # Fix up network direction field to match ECS-allowable values.
- - set:
- field: network.direction
- value: unknown
- if: "ctx.network?.direction != null && !(['ingress', 'egress', 'inbound', 'outbound', 'internal', 'external'].contains(ctx.network.direction))"
-
- - script:
- lang: painless
- source: |
- def dnsIPs = ctx?.dns?.resolved_ip;
- if (dnsIPs != null && dnsIPs instanceof List) {
- if (ctx?.related?.ip == null) {
- ctx.related.ip = [];
- }
- for (ip in dnsIPs) {
- if (!ctx.related.ip.contains(ip)) {
- ctx.related.ip.add(ip);
- }
- }
- }
- - remove:
- field: event.original
- if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))"
- ignore_failure: true
- ignore_missing: true
-on_failure:
- - set:
- field: error.message
- value: "{{ _ingest.on_failure_message }}"
diff --git a/packages/fortinet_fortigate/1.2.3/data_stream/log/elasticsearch/ingest_pipeline/event.yml b/packages/fortinet_fortigate/1.2.3/data_stream/log/elasticsearch/ingest_pipeline/event.yml
deleted file mode 100755
index 19f29c3b99..0000000000
--- a/packages/fortinet_fortigate/1.2.3/data_stream/log/elasticsearch/ingest_pipeline/event.yml
+++ /dev/null
@@ -1,267 +0,0 @@ ---- -description: Pipeline for parsing fortinet firewall logs (event pipeline) -processors: - - set: - field: event.kind - value: event - - set: - field: event.outcome - value: failure - if: "ctx.fortinet?.firewall?.result == 'ERROR' || ctx.fortinet?.firewall?.status == 'negotiate_error'" - - set: - field: event.outcome - value: success - if: "ctx.fortinet?.firewall?.result == 'OK' || ['FSSO-logon', 'auth-logon', 'FSSO-logoff', 'auth-logout'].contains(ctx.fortinet?.firewall?.action)" - - append: - field: event.type - value: - - user - - start - if: "['FSSO-logon', 'auth-logon'].contains(ctx.fortinet?.firewall?.action)" - - append: - field: event.type - value: - - user - - end - if: "['FSSO-logoff', 'auth-logout'].contains(ctx.fortinet?.firewall?.action)" - - append: - field: event.type - value: connection - if: "ctx.fortinet?.firewall?.subtype == 'vpn'" - - append: - field: event.category - value: network - if: "ctx.fortinet?.firewall?.subtype == 'vpn'" - - append: - field: event.type - value: info - if: "ctx.fortinet?.firewall?.action == 'perf-stats'" - - append: - field: event.category - value: host - if: "ctx.fortinet?.firewall?.action == 'perf-stats'" - - append: - field: event.type - value: info - if: "ctx.fortinet?.firewall?.subtype == 'update'" - - append: - field: event.category - value: - - host - - malware - if: "ctx.fortinet?.firewall?.subtype == 'update'" - - append: - field: event.category - value: authentication - if: "ctx.fortinet?.firewall?.subtype == 'user'" - - rename: - field: fortinet.firewall.dstip - target_field: destination.ip - ignore_missing: true - - rename: - field: fortinet.firewall.remip - target_field: destination.ip - ignore_missing: true - if: "ctx.destination?.ip == null" - - convert: - field: fortinet.firewall.dstport - target_field: destination.port - type: long - ignore_failure: true - ignore_missing: true - - convert: - field: fortinet.firewall.remport - target_field: destination.port - type: long - 
ignore_failure: true - ignore_missing: true - if: "ctx.destination?.port == null" - - convert: - field: fortinet.firewall.rcvdbyte - target_field: destination.bytes - type: long - ignore_failure: true - ignore_missing: true - - rename: - field: fortinet.firewall.daddr - target_field: destination.address - ignore_missing: true - - rename: - field: fortinet.firewall.dst_host - target_field: destination.address - ignore_missing: true - if: "ctx.destination?.address == null" - - rename: - field: fortinet.firewall.dst_host - target_field: destination.domain - ignore_missing: true - if: "ctx.destination?.address == null" - - rename: - field: fortinet.firewall.group - target_field: source.user.group.name - ignore_missing: true - - convert: - field: fortinet.firewall.sentbyte - target_field: source.bytes - type: long - ignore_failure: true - ignore_missing: true - - rename: - field: fortinet.firewall.srcip - target_field: source.ip - ignore_missing: true - - rename: - field: fortinet.firewall.locip - target_field: source.ip - ignore_missing: true - if: "ctx.source?.ip == null" - - rename: - field: fortinet.firewall.srcmac - target_field: source.mac - ignore_missing: true - - rename: - field: fortinet.firewall.source_mac - target_field: source.mac - ignore_missing: true - if: "ctx.source?.mac == null" - - convert: - field: fortinet.firewall.srcport - target_field: source.port - type: long - ignore_failure: true - ignore_missing: true - - convert: - field: fortinet.firewall.locport - target_field: source.port - type: long - ignore_failure: true - ignore_missing: true - if: "ctx.source?.port == null" - - rename: - field: fortinet.firewall.user - target_field: source.user.name - ignore_missing: true - - rename: - field: fortinet.firewall.saddr - target_field: source.address - ignore_missing: true - - rename: - field: fortinet.firewall.agent - target_field: user_agent.original - ignore_missing: true - - rename: - field: fortinet.firewall.file - target_field: file.name - 
ignore_missing: true - - convert: - field: fortinet.firewall.filesize - target_field: file.size - type: long - ignore_failure: true - ignore_missing: true - - rename: - field: fortinet.firewall.level - target_field: log.level - ignore_missing: true - - rename: - field: fortinet.firewall.logid - target_field: event.code - ignore_missing: true - if: "ctx.event?.code == null" - - rename: - field: fortinet.firewall.msg - target_field: message - ignore_missing: true - - rename: - field: fortinet.firewall.policyid - target_field: rule.id - ignore_missing: true - - rename: - field: fortinet.firewall.proto - target_field: network.iana_number - ignore_missing: true - - rename: - field: fortinet.firewall.dir - target_field: network.direction - ignore_missing: true - if: "ctx.network?.direction == null" - - rename: - field: fortinet.firewall.direction - target_field: network.direction - ignore_missing: true - if: "ctx.network?.direction == null" - # Normalize the network direction - - script: - lang: painless - ignore_failure: true - params: - outgoing: outbound - incoming: inbound - source: >- - if (ctx.network?.direction == null) { - return; - } - def k = ctx.network?.direction.toLowerCase(); - def normalized = params.get(k); - if (normalized != null) { - ctx.network.direction = normalized; - return - } - ctx.network.direction = k; - - rename: - field: fortinet.firewall.service - target_field: network.protocol - ignore_missing: true - - lowercase: - field: network.protocol - ignore_missing: true - - rename: - field: fortinet.firewall.error_num - target_field: error.code - ignore_missing: true - - rename: - field: fortinet.firewall.hostname - target_field: url.domain - ignore_missing: true - - rename: - field: fortinet.firewall.logdesc - target_field: rule.description - ignore_missing: true - - rename: - field: fortinet.firewall.addr - target_field: fortinet.firewall.addrgrp - if: ctx.rule?.description == 'Dynamic address updated' - ignore_missing: true - - rename: - field: 
fortinet.firewall.url - target_field: url.path - ignore_missing: true - - convert: - field: fortinet.firewall.sess_duration - type: long - target_field: event.duration - ignore_failure: true - ignore_missing: true - if: "ctx.event?.duration == null" - - convert: - field: fortinet.firewall.mem - type: integer - ignore_failure: true - ignore_missing: true - - remove: - field: - - fortinet.firewall.dstport - - fortinet.firewall.remport - - fortinet.firewall.rcvdbyte - - fortinet.firewall.sentbyte - - fortinet.firewall.srcport - - fortinet.firewall.locport - - fortinet.firewall.filesize - - fortinet.firewall.sess_duration - - fortinet.firewall.dir - - fortinet.firewall.direction - ignore_missing: true -on_failure: - - set: - field: error.message - value: "{{ _ingest.on_failure_message }}" diff --git a/packages/fortinet_fortigate/1.2.3/data_stream/log/elasticsearch/ingest_pipeline/traffic.yml b/packages/fortinet_fortigate/1.2.3/data_stream/log/elasticsearch/ingest_pipeline/traffic.yml deleted file mode 100755 index 90f65f53a0..0000000000 --- a/packages/fortinet_fortigate/1.2.3/data_stream/log/elasticsearch/ingest_pipeline/traffic.yml +++ /dev/null 
@@ -1,218 +0,0 @@ ---- -description: Pipeline for parsing fortinet firewall logs (traffic pipeline) -processors: -- set: - field: event.kind - value: event -- set: - field: event.action - value: "{{fortinet.firewall.action}}" - ignore_empty_value: true -- set: - field: event.outcome - value: success - if: "ctx.fortinet?.firewall?.action != null" -- append: - field: event.category - value: network -- append: - field: event.type - value: connection -- append: - field: event.type - value: start - if: "ctx.fortinet?.firewall?.action == 'start'" -- append: - field: event.type - value: end - if: "ctx.fortinet?.firewall?.action != null && ctx.fortinet?.firewall?.action !='start'" -- append: - field: event.type - value: protocol - if: "ctx.fortinet?.firewall?.app != null && ctx.fortinet?.firewall?.action != 'deny'" -- append: - field: event.type - value: allowed - if: "ctx.fortinet?.firewall?.utmaction == null && ctx.fortinet?.firewall?.action != 'deny'" -- append: - field: event.type - value: denied - if: "ctx.fortinet?.firewall?.utmaction == 'block'" -- rename: - field: fortinet.firewall.dstip - target_field: destination.ip - ignore_missing: true -- rename: - field: fortinet.firewall.tranip - target_field: destination.nat.ip - ignore_missing: true -- convert: - field: fortinet.firewall.dstport - target_field: destination.port - type: long - ignore_failure: true - ignore_missing: true -- convert: - field: fortinet.firewall.tranport - target_field: destination.nat.port - type: long - ignore_failure: true - ignore_missing: true -- convert: - field: fortinet.firewall.rcvdbyte - target_field: destination.bytes - type: long - ignore_failure: true - ignore_missing: true -- convert: - field: fortinet.firewall.rcvdpkt - target_field: destination.packets - type: long - ignore_failure: true - ignore_missing: true -- append: - field: email.to.address - value: "{{fortinet.firewall.dstcollectedemail}}" - if: "ctx?.fortinet?.firewall?.dstcollectedemail != null" -- rename: - field: 
fortinet.firewall.dstname
- target_field: destination.address
- ignore_missing: true
-- rename:
- field: fortinet.firewall.dstunauthuser
- target_field: destination.user.name
- ignore_missing: true
-- rename:
- field: fortinet.firewall.group
- target_field: source.user.group.name
- ignore_missing: true
-- convert:
- field: fortinet.firewall.sentbyte
- target_field: source.bytes
- type: long
- ignore_failure: true
- ignore_missing: true
-- rename:
- field: fortinet.firewall.srcdomain
- target_field: source.domain
- ignore_missing: true
-- rename:
- field: fortinet.firewall.srcip
- target_field: source.ip
- ignore_missing: true
-- rename:
- field: fortinet.firewall.srcmac
- target_field: source.mac
- ignore_missing: true
-- convert:
- field: fortinet.firewall.srcport
- target_field: source.port
- type: long
- ignore_failure: true
- ignore_missing: true
-- rename:
- field: fortinet.firewall.unauthuser
- target_field: source.user.name
- ignore_missing: true
-- rename:
- field: fortinet.firewall.user
- target_field: source.user.name
- ignore_missing: true
- if: "ctx.source?.user?.name == null"
-- append:
- field: email.from.address
- value: "{{fortinet.firewall.collectedemail}}"
- if: "ctx?.fortinet?.firewall?.collectedemail != null"
-- convert:
- field: fortinet.firewall.sentpkt
- target_field: source.packets
- type: long
- ignore_failure: true
- ignore_missing: true
-- rename:
- field: fortinet.firewall.transip
- target_field: source.nat.ip
- ignore_missing: true
-- convert:
- field: fortinet.firewall.transport
- target_field: source.nat.port
- type: long
- ignore_failure: true
- ignore_missing: true
-- rename:
- field: fortinet.firewall.app
- target_field: network.application
- ignore_missing: true
-- rename:
- field: fortinet.firewall.filename
- target_field: file.name
- ignore_missing: true
-- rename:
- field: fortinet.firewall.logid
- target_field: event.code
- ignore_missing: true
- if: "ctx.event?.code == null"
-- rename:
- field: fortinet.firewall.msg
- 
target_field: message
- ignore_missing: true
-- rename:
- field: fortinet.firewall.comment
- target_field: rule.description
- ignore_missing: true
-- rename:
- field: fortinet.firewall.policyid
- target_field: rule.id
- ignore_missing: true
- if: "ctx.rule?.id == null"
-- rename:
- field: fortinet.firewall.poluuid
- target_field: rule.uuid
- ignore_missing: true
-- rename:
- field: fortinet.firewall.policytype
- target_field: rule.ruleset
- ignore_missing: true
-- rename:
- field: fortinet.firewall.policyname
- target_field: rule.name
- ignore_missing: true
-- rename:
- field: fortinet.firewall.appcat
- target_field: rule.category
- ignore_missing: true
-- gsub:
- field: rule.category
- pattern: "\\."
- replacement: "-"
- ignore_missing: true
-- rename:
- field: fortinet.firewall.proto
- target_field: network.iana_number
- ignore_missing: true
-- rename:
- field: fortinet.firewall.service
- target_field: network.protocol
- ignore_missing: true
-- lowercase:
- field: network.protocol
- ignore_missing: true
-- rename:
- field: fortinet.firewall.url
- target_field: url.path
- ignore_missing: true
-- remove:
- field:
- - fortinet.firewall.dstport
- - fortinet.firewall.tranport
- - fortinet.firewall.rcvdbyte
- - fortinet.firewall.rcvdpkt
- - fortinet.firewall.sentbyte
- - fortinet.firewall.srcport
- - fortinet.firewall.sentpkt
- - fortinet.firewall.transport
- ignore_missing: true
-on_failure:
-- set:
- field: error.message
- value: '{{ _ingest.on_failure_message }}'
diff --git a/packages/fortinet_fortigate/1.2.3/data_stream/log/elasticsearch/ingest_pipeline/utm.yml b/packages/fortinet_fortigate/1.2.3/data_stream/log/elasticsearch/ingest_pipeline/utm.yml
deleted file mode 100755
index d286bdfdfe..0000000000
--- a/packages/fortinet_fortigate/1.2.3/data_stream/log/elasticsearch/ingest_pipeline/utm.yml
+++ /dev/null
@@ -1,376 +0,0 @@ ---- -description: Pipeline for parsing fortinet firewall logs (utm pipeline) -processors: - - set: - field: event.kind - value: event - - append: - field: event.type - value: denied - if: "['block', 'blocked'].contains(ctx.fortinet?.firewall?.action)" - - append: - field: event.type - value: info - if: "ctx.fortinet?.firewall?.subtype == 'dns'" - - append: - field: event.type - value: allowed - if: "['pass', 'passthrough'].contains(ctx.fortinet?.firewall?.action)" - - set: - field: event.outcome - value: success - if: "ctx.fortinet?.firewall?.action != null" - - append: - field: event.category - value: network - - rename: - field: fortinet.firewall.dstip - target_field: destination.ip - ignore_missing: true - - rename: - field: fortinet.firewall.remip - target_field: destination.ip - ignore_missing: true - if: "ctx.destination?.ip == null" - - convert: - field: fortinet.firewall.dst_port - target_field: destination.port - type: long - ignore_failure: true - ignore_missing: true - - convert: - field: fortinet.firewall.remport - target_field: destination.port - type: long - ignore_failure: true - ignore_missing: true - if: "ctx.destination?.port == null" - - convert: - field: fortinet.firewall.dstport - target_field: destination.port - type: long - ignore_failure: true - ignore_missing: true - if: "ctx.destination?.port == null" - - convert: - field: fortinet.firewall.rcvdbyte - target_field: destination.bytes - type: long - ignore_failure: true - ignore_missing: true - - rename: - field: fortinet.firewall.recipient - target_field: email.to.address - ignore_missing: true - - append: - field: email.to.address - value: "{{fortinet.firewall.recipient}}" - if: "ctx?.fortinet?.firewall?.recipient != null" - - rename: - field: fortinet.firewall.group - target_field: source.user.group.name - ignore_missing: true - - rename: - field: fortinet.firewall.locip - target_field: source.ip - ignore_missing: true - - convert: - field: fortinet.firewall.locport - 
target_field: source.port - type: long - ignore_failure: true - ignore_missing: true - - convert: - field: fortinet.firewall.src_port - target_field: source.port - type: long - ignore_failure: true - ignore_missing: true - if: "ctx.source?.port == null" - - convert: - field: fortinet.firewall.srcport - target_field: source.port - type: long - ignore_failure: true - ignore_missing: true - if: "ctx.source?.port == null" - - convert: - field: fortinet.firewall.sentbyte - target_field: source.bytes - type: long - ignore_failure: true - ignore_missing: true - - rename: - field: fortinet.firewall.srcdomain - target_field: source.domain - ignore_missing: true - - rename: - field: fortinet.firewall.srcip - target_field: source.ip - ignore_missing: true - if: "ctx.source?.ip == null" - - rename: - field: fortinet.firewall.srcmac - target_field: source.mac - ignore_missing: true - - rename: - field: fortinet.firewall.unauthuser - target_field: source.user.name - ignore_missing: true - - rename: - field: fortinet.firewall.user - target_field: source.user.name - ignore_missing: true - if: "ctx.source?.user?.name == null" - - append: - field: email.sender.address - value: "{{fortinet.firewall.sender}}" - if: "ctx?.fortinet?.firewall?.sender != null" - - append: - field: email.from.address - value: "{{fortinet.firewall.from}}" - if: "ctx?.fortinet?.firewall?.from != null" - - rename: - field: fortinet.firewall.agent - target_field: user_agent.original - ignore_missing: true - - rename: - field: fortinet.firewall.app - target_field: network.application - ignore_missing: true - - rename: - field: fortinet.firewall.appcat - target_field: rule.category - ignore_missing: true - - rename: - field: fortinet.firewall.applist - target_field: rule.ruleset - ignore_missing: true - - rename: - field: fortinet.firewall.catdesc - target_field: rule.category - ignore_missing: true - if: "ctx.rule?.category == null" - - gsub: - field: rule.category - pattern: "\\." 
- replacement: "-" - ignore_missing: true - if: "ctx.rule?.category != null" - - rename: - field: fortinet.firewall.dir - target_field: network.direction - ignore_missing: true - if: "ctx.network?.direction == null" - - rename: - field: fortinet.firewall.direction - target_field: network.direction - ignore_missing: true - if: "ctx.network?.direction == null" - # Normalize the network direction - - script: - lang: painless - ignore_failure: true - params: - outgoing: outbound - incoming: inbound - source: >- - if (ctx.network?.direction == null) { - return; - } - def k = ctx.network?.direction.toLowerCase(); - def normalized = params.get(k); - if (normalized != null) { - ctx.network.direction = normalized; - return - } - ctx.network.direction = k; - - rename: - field: fortinet.firewall.error - target_field: event.message - ignore_missing: true - - rename: - field: fortinet.firewall.errorcode - target_field: event.code - ignore_missing: true - - rename: - field: fortinet.firewall.event_id - target_field: event.id - ignore_missing: true - - rename: - field: fortinet.firewall.eventid - target_field: event.id - ignore_missing: true - if: "ctx.event?.id == null" - - rename: - field: fortinet.firewall.eventtype - target_field: event.action - ignore_missing: true - - rename: - field: fortinet.firewall.filename - target_field: file.name - ignore_missing: true - - convert: - field: fortinet.firewall.filesize - target_field: file.size - type: long - ignore_failure: true - ignore_missing: true - - rename: - field: fortinet.firewall.filetype - target_field: file.extension - ignore_missing: true - - rename: - field: fortinet.firewall.infectedfilename - target_field: file.name - ignore_missing: true - if: "ctx.file?.name == null" - - rename: - field: fortinet.firewall.infectedfilesize - target_field: file.size - ignore_missing: true - if: "ctx.file?.size == null" - - rename: - field: fortinet.firewall.infectedfiletype - target_field: file.extension - ignore_missing: true - if: 
"ctx.file?.extension == null" - - rename: - field: fortinet.firewall.matchedfilename - target_field: file.name - ignore_missing: true - if: "ctx.file?.name == null" - - rename: - field: fortinet.firewall.matchedfiletype - target_field: file.extension - ignore_missing: true - if: "ctx.file?.extension == null" - - rename: - field: fortinet.firewall.hostname - target_field: url.domain - ignore_missing: true - - rename: - field: fortinet.firewall.ipaddr - target_field: dns.resolved_ip - ignore_missing: true - - split: - field: dns.resolved_ip - separator: ", " - ignore_missing: true - - rename: - field: fortinet.firewall.level - target_field: log.level - ignore_missing: true - - rename: - field: fortinet.firewall.logid - target_field: event.code - ignore_missing: true - if: "ctx.event?.code == null" - - rename: - field: fortinet.firewall.msg - target_field: message - ignore_missing: true - - rename: - field: fortinet.firewall.policy_id - target_field: rule.id - ignore_missing: true - if: "ctx.rule?.id == null" - - rename: - field: fortinet.firewall.policyid - target_field: rule.id - ignore_missing: true - if: "ctx.rule?.id == null" - - rename: - field: fortinet.firewall.profile - target_field: rule.ruleset - ignore_missing: true - if: "ctx.rule?.ruleset == null" - - rename: - field: fortinet.firewall.proto - target_field: network.iana_number - ignore_missing: true - - rename: - field: fortinet.firewall.qclass - target_field: dns.question.class - ignore_missing: true - - rename: - field: fortinet.firewall.qname - target_field: dns.question.name - ignore_missing: true - - rename: - field: fortinet.firewall.qtype - target_field: dns.question.type - ignore_missing: true - - rename: - field: fortinet.firewall.service - target_field: network.protocol - ignore_missing: true - - lowercase: - field: network.protocol - ignore_missing: true - - rename: - field: fortinet.firewall.url - target_field: url.path - ignore_missing: true - - rename: - field: fortinet.firewall.xid - 
target_field: dns.id - ignore_missing: true - - rename: - field: fortinet.firewall.scertcname - target_field: tls.server.x509.subject.common_name - ignore_missing: true - - rename: - field: fortinet.firewall.scertissuer - target_field: tls.server.issuer - ignore_missing: true - - set: - field: tls.server.x509.issuer.common_name - value: "{{tls.server.issuer}}" - ignore_empty_value: true - - rename: - field: fortinet.firewall.ccertissuer - target_field: tls.client.issuer - ignore_missing: true - - set: - field: tls.client.x509.issuer.common_name - value: "{{tls.client.issuer}}" - ignore_empty_value: true - - rename: - field: fortinet.firewall.sender - target_field: tls.server.issuer - ignore_missing: true - - rename: - field: fortinet.firewall.dtype - target_field: vulnerability.category - ignore_missing: true - - rename: - field: fortinet.firewall.ref - target_field: event.reference - ignore_missing: true - - rename: - field: fortinet.firewall.filehash - target_field: fortinet.file.hash.crc32 - ignore_missing: true - - append: - field: related.hash - value: "{{fortinet.file.hash.crc32}}" - if: "ctx.fortinet?.file?.hash?.crc32 != null" - - remove: - field: - - fortinet.firewall.dst_port - - fortinet.firewall.remport - - fortinet.firewall.dstport - - fortinet.firewall.rcvdbyte - - fortinet.firewall.locport - - fortinet.firewall.src_port - - fortinet.firewall.srcport - - fortinet.firewall.sentbyte - - fortinet.firewall.filesize - - fortinet.firewall.dir - - fortinet.firewall.direction - ignore_missing: true -on_failure: - - set: - field: error.message - value: "{{ _ingest.on_failure_message }}" diff --git a/packages/fortinet_fortigate/1.2.3/data_stream/log/fields/agent.yml b/packages/fortinet_fortigate/1.2.3/data_stream/log/fields/agent.yml deleted file mode 100755 index f6127c3e22..0000000000 --- a/packages/fortinet_fortigate/1.2.3/data_stream/log/fields/agent.yml +++ /dev/null 
@@ -1,183 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: "Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on." - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: "The cloud account or organization id used to identify different entities in a multi-tenant environment.\nExamples: AWS account id, Google Cloud ORG Id, or other unique identifier." - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: "Container fields are used for meta information about the specific container that is the source of information.\nThese fields help correlate data based containers from any runtime." - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: "A host is defined as a general computing instance.\nECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes." - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: "Name of the domain of which the host is a member.\nFor example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider." - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: "Hostname of the host.\nIt normally contains what the `hostname` command returns on the host machine." - - name: id - level: core - type: keyword - ignore_above: 1024 - description: "Unique host id.\nAs hostname is not always unique, use values that are meaningful in your environment.\nExample: The current usage of `beat.name`." 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: "Name of the host.\nIt can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use." - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: "Type of host.\nFor Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment." - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - -- name: log.source.address - type: keyword - description: Source address from which the log event was read / sent from. 
diff --git a/packages/fortinet_fortigate/1.2.3/data_stream/log/fields/base-fields.yml b/packages/fortinet_fortigate/1.2.3/data_stream/log/fields/base-fields.yml
deleted file mode 100755
index e29671260e..0000000000
--- a/packages/fortinet_fortigate/1.2.3/data_stream/log/fields/base-fields.yml
+++ /dev/null
@@ -1,20 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: event.module
- type: constant_keyword
- description: Name of the module this data is coming from.
- value: fortinet
-- name: event.dataset
- type: constant_keyword
- description: Name of the dataset.
- value: fortinet_fortigate.log
-- name: '@timestamp'
- type: date
- description: Event timestamp.
diff --git a/packages/fortinet_fortigate/1.2.3/data_stream/log/fields/beats.yml b/packages/fortinet_fortigate/1.2.3/data_stream/log/fields/beats.yml
deleted file mode 100755
index 05a6db4740..0000000000
--- a/packages/fortinet_fortigate/1.2.3/data_stream/log/fields/beats.yml
+++ /dev/null
@@ -1,15 +0,0 @@
-- description: Type of Filebeat input.
- name: input.type
- type: keyword
-- description: Flags for the log file.
- name: log.flags
- type: keyword
-- description: Offset of the entry in the log file.
- name: log.offset
- type: long
-- description: Path to the log file.
- name: log.file.path
- type: keyword
-- description: Log message optimized for viewing in a log viewer.
- name: event.message
- type: text
diff --git a/packages/fortinet_fortigate/1.2.3/data_stream/log/fields/ecs.yml b/packages/fortinet_fortigate/1.2.3/data_stream/log/fields/ecs.yml
deleted file mode 100755
index 4d5b358960..0000000000
--- a/packages/fortinet_fortigate/1.2.3/data_stream/log/fields/ecs.yml
+++ /dev/null
@@ -1,476 +0,0 @@ -- description: Unique container id. - name: container.id - type: keyword -- description: |- - Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: destination.address - type: keyword -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: destination.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: destination.as.organization.name - type: keyword -- description: Bytes sent from the destination to the source. - name: destination.bytes - type: long -- description: |- - The domain name of the destination system. - This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. - name: destination.domain - type: keyword -- description: City name. - name: destination.geo.city_name - type: keyword -- description: Name of the continent. - name: destination.geo.continent_name - type: keyword -- description: Country ISO code. - name: destination.geo.country_iso_code - type: keyword -- description: Country name. - name: destination.geo.country_name - type: keyword -- description: Longitude and latitude. - name: destination.geo.location - type: geo_point -- description: |- - User-defined description of a location, at the level of granularity they care about. - Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. - Not typically used in automated geolocation. - name: destination.geo.name - type: keyword -- description: Region ISO code. 
- name: destination.geo.region_iso_code - type: keyword -- description: Region name. - name: destination.geo.region_name - type: keyword -- description: IP address of the destination (IPv4 or IPv6). - name: destination.ip - type: ip -- description: |- - Translated ip of destination based NAT sessions (e.g. internet to private DMZ) - Typically used with load balancers, firewalls, or routers. - name: destination.nat.ip - type: ip -- description: |- - Port the source session is translated to by NAT Device. - Typically used with load balancers, firewalls, or routers. - name: destination.nat.port - type: long -- description: Packets sent from the destination to the source. - name: destination.packets - type: long -- description: Port of the destination. - name: destination.port - type: long -- description: User email address. - name: destination.user.email - type: keyword -- description: Short name or login of the user. - multi_fields: - - name: text - type: match_only_text - name: destination.user.name - type: keyword -- description: The DNS packet identifier assigned by the program that generated the query. The identifier is copied to the response. - name: dns.id - type: keyword -- description: The class of records being queried. - name: dns.question.class - type: keyword -- description: |- - The name being queried. - If the name field contains non-printable characters (below 32 or above 126), those characters should be represented as escaped base 10 integers (\DDD). Back slashes and quotes should be escaped. Tabs, carriage returns, and line feeds should be converted to \t, \r, and \n respectively. - name: dns.question.name - type: keyword -- description: The type of record being queried. - name: dns.question.type - type: keyword -- description: |- - Array containing all IPs seen in `answers.data`. - The `answers` array can be difficult to use, because of the variety of data formats it can contain. 
Extracting all IP addresses seen in there to `dns.resolved_ip` makes it possible to index them as IP addresses, and makes them easier to visualize and query for. - name: dns.resolved_ip - normalize: - - array - type: ip -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: The email address of CC recipient - name: email.cc.address - normalize: - - array - type: keyword -- description: The email address of the sender, typically from the RFC 5322 `From:` header field. - name: email.from.address - normalize: - - array - type: keyword -- description: Per RFC 5322, specifies the address responsible for the actual transmission of the message. - name: email.sender.address - type: keyword -- description: The email address of recipient - name: email.to.address - normalize: - - array - type: keyword -- description: A brief summary of the topic of the message. - multi_fields: - - name: text - type: match_only_text - name: email.subject - type: keyword -- description: Error code describing the error. - name: error.code - type: keyword -- description: Error message. - name: error.message - type: match_only_text -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. This will allow proper categorization of some events that fall in multiple categories. 
- name: event.category - normalize: - - array - type: keyword -- description: |- - Identification code for this event, if one exists. - Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. - name: event.code - type: keyword -- description: |- - Duration of the event in nanoseconds. - If event.start and event.end are known this value should be the difference between the end and start time. - name: event.duration - type: long -- description: |- - Timestamp when an event arrived in the central data store. - This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. - In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. - name: event.ingested - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. - `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. 
- Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. - Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. - Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. - name: event.outcome - type: keyword -- description: |- - Reference URL linking to additional information about this event. - This URL links to a static definition of this event. Alert events, indicated by `event.kind:alert`, are a common use case for this field. - name: event.reference - type: keyword -- description: event.start contains the date when the event started or when the activity was first observed. - name: event.start - type: date -- description: |- - This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. - Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). - name: event.timezone - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. - `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. This will allow proper categorization of some events that fall in multiple event types. 
- name: event.type - normalize: - - array - type: keyword -- description: |- - File extension, excluding the leading dot. - Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). - name: file.extension - type: keyword -- description: Name of the file including the extension, without the directory. - name: file.name - type: keyword -- description: |- - File size in bytes. - Only relevant when `file.type` is "file". - name: file.size - type: long -- description: |- - Original log level of the log event. - If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). - Some examples are `warn`, `err`, `i`, `informational`. - name: log.level - type: keyword -- description: |- - The Syslog numeric facility of the log event, if available. - According to RFCs 5424 and 3164, this value should be an integer between 0 and 23. - name: log.syslog.facility.code - type: long -- description: |- - Syslog numeric priority of the event, if available. - According to RFCs 5424 and 3164, the priority is 8 * facility + severity. This number is therefore expected to contain a value between 0 and 191. - name: log.syslog.priority - type: long -- description: |- - The Syslog numeric severity of the log event, if available. - If the event source publishing via Syslog provides a different numeric severity value (e.g. firewall, IDS), your source's numeric severity should go to `event.severity`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `event.severity`. - name: log.syslog.severity.code - type: long -- description: |- - For log events the message field contains the log message, optimized for viewing in a log viewer. 
- For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. - If multiple messages exist, they can be combined into one message. - name: message - type: match_only_text -- description: |- - When a specific application or service is identified from network connection details (source/dest IPs, ports, certificates, or wire format), this field captures the application's or service's name. - For example, the original event identifies the network connection being from a specific web service in a `https` network connection, like `facebook` or `twitter`. - The field value must be normalized to lowercase for querying. - name: network.application - type: keyword -- description: |- - Total bytes transferred in both directions. - If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. - name: network.bytes - type: long -- description: |- - Direction of the network traffic. - Recommended values are: - * ingress - * egress - * inbound - * outbound - * internal - * external - * unknown - - When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". - When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". - Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. - name: network.direction - type: keyword -- description: IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. 
This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. - name: network.iana_number - type: keyword -- description: |- - Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) - The field value must be normalized to lowercase for querying. - name: network.transport - type: keyword -- description: |- - Total packets transferred in both directions. - If `source.packets` and `destination.packets` are known, `network.packets` is their sum. - name: network.packets - type: long -- description: |- - In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. - The field value must be normalized to lowercase for querying. - name: network.protocol - type: keyword -- description: Interface name as reported by the system. - name: observer.egress.interface.name - type: keyword -- description: Interface name as reported by the system. - name: observer.ingress.interface.name - type: keyword -- description: |- - Custom name of the observer. - This is a name that can be given to an observer. This can be helpful for example if multiple firewalls of the same model are used in an organization. - If no custom name is needed, the field can be left empty. - name: observer.name - type: keyword -- description: The product name of the observer. - name: observer.product - type: keyword -- description: Observer serial number. - name: observer.serial_number - type: keyword -- description: |- - The type of the observer the data is coming from. - There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. - name: observer.type - type: keyword -- description: Vendor name of the observer. - name: observer.vendor - type: keyword -- description: All the hashes seen on your event. 
Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). - name: related.hash - normalize: - - array - type: keyword -- description: All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. - name: related.hosts - normalize: - - array - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - normalize: - - array - type: ip -- description: All the user names or other user identifiers seen on the event. - name: related.user - normalize: - - array - type: keyword -- description: A categorization value keyword used by the entity using the rule for detection of this event. - name: rule.category - type: keyword -- description: The description of the rule generating the event. - name: rule.description - type: keyword -- description: A rule ID that is unique within the scope of an agent, observer, or other entity using the rule for detection of this event. - name: rule.id - type: keyword -- description: The name of the rule or signature generating the event. - name: rule.name - type: keyword -- description: Name of the ruleset, policy, group, or parent category in which the rule used to generate this event is a member. - name: rule.ruleset - type: keyword -- description: A rule ID that is unique within the scope of a set or group of agents, observers, or other entities using the rule for detection of this event. - name: rule.uuid - type: keyword -- description: |- - Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: source.address - type: keyword -- description: Unique number allocated to the autonomous system. 
The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: source.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: source.as.organization.name - type: keyword -- description: Bytes sent from the source to the destination. - name: source.bytes - type: long -- description: City name. - name: source.geo.city_name - type: keyword -- description: Name of the continent. - name: source.geo.continent_name - type: keyword -- description: Country ISO code. - name: source.geo.country_iso_code - type: keyword -- description: Country name. - name: source.geo.country_name - type: keyword -- description: Longitude and latitude. - name: source.geo.location - type: geo_point -- description: |- - User-defined description of a location, at the level of granularity they care about. - Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. - Not typically used in automated geolocation. - name: source.geo.name - type: keyword -- description: Region ISO code. - name: source.geo.region_iso_code - type: keyword -- description: Region name. - name: source.geo.region_name - type: keyword -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: |- - MAC address of the source. - The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. - name: source.mac - pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ - type: keyword -- description: |- - Translated ip of source based NAT sessions (e.g. internal client to internet) - Typically connections traversing load balancers, firewalls, or routers. - name: source.nat.ip - type: ip -- description: |- - Translated port of source based NAT sessions. (e.g. 
internal client to internet) - Typically used with load balancers, firewalls, or routers. - name: source.nat.port - type: long -- description: Packets sent from the source to the destination. - name: source.packets - type: long -- description: Port of the source. - name: source.port - type: long -- description: User email address. - name: source.user.email - type: keyword -- description: Name of the group. - name: source.user.group.name - type: keyword -- description: Short name or login of the user. - multi_fields: - - name: text - type: match_only_text - name: source.user.name - type: keyword -- description: List of keywords used to tag each event. - name: tags - normalize: - - array - type: keyword -- description: Distinguished name of subject of the issuer of the x.509 certificate presented by the client. - name: tls.client.issuer - type: keyword -- description: Also called an SNI, this tells the server which hostname to which the client is attempting to connect to. When this value is available, it should get copied to `destination.domain`. - name: tls.client.server_name - type: keyword -- description: List of common name (CN) of issuing certificate authority. - name: tls.client.x509.issuer.common_name - normalize: - - array - type: keyword -- description: Subject of the issuer of the x.509 certificate presented by the server. - name: tls.server.issuer - type: keyword -- description: List of common name (CN) of issuing certificate authority. - name: tls.server.x509.issuer.common_name - normalize: - - array - type: keyword -- description: List of common names (CN) of subject. - name: tls.server.x509.subject.common_name - normalize: - - array - type: keyword -- description: |- - Domain of the url, such as "www.elastic.co". - In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. 
- If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. - name: url.domain - type: keyword -- description: Path of the request, such as "/search". - name: url.path - type: wildcard -- description: Unparsed user_agent string. - multi_fields: - - name: text - type: match_only_text - name: user_agent.original - type: keyword -- description: |- - The type of system or architecture that the vulnerability affects. These may be platform-specific (for example, Debian or SUSE) or general (for example, Database or Firewall). For example (https://qualysguard.qualys.com/qwebhelp/fo_portal/knowledgebase/vulnerability_categories.htm[Qualys vulnerability categories]) - This field must be an array. - name: vulnerability.category - normalize: - - array - type: keyword diff --git a/packages/fortinet_fortigate/1.2.3/data_stream/log/fields/fields.yml b/packages/fortinet_fortigate/1.2.3/data_stream/log/fields/fields.yml deleted file mode 100755 index d7fa9c281c..0000000000 --- a/packages/fortinet_fortigate/1.2.3/data_stream/log/fields/fields.yml +++ /dev/null 
@@ -1,1727 +0,0 @@ -- name: fortinet - type: group - fields: - - name: file.hash.crc32 - type: keyword - description: | - CRC32 Hash of file - - name: firewall - type: group - release: beta - fields: - - name: acct_stat - type: keyword - description: | - Accounting state (RADIUS) - - name: acktime - type: keyword - description: | - Alarm Acknowledge Time - - name: act - type: keyword - description: | - Action - - name: action - type: keyword - description: | - Status of the session - - name: activity - type: keyword - description: | - HA activity message - - name: addr - type: ip - description: | - IP Address - - name: addr_type - type: keyword - description: | - Address Type - - name: addrgrp - type: keyword - description: | - Address Group - - name: adgroup - type: keyword - description: | - AD Group Name - - name: admin - type: keyword - description: | - Admin User - - name: age - type: integer - description: | - Time in seconds - time passed since last seen - - name: agent - type: keyword - description: | - User agent - eg. 
agent="Mozilla/5.0" - - name: alarmid - type: integer - description: | - Alarm ID - - name: alert - type: keyword - description: | - Alert - - name: analyticscksum - type: keyword - description: | - The checksum of the file submitted for analytics - - name: analyticssubmit - type: keyword - description: | - The flag for analytics submission - - name: ap - type: keyword - description: | - Access Point - - name: app-type - type: keyword - description: | - Address Type - - name: appact - type: keyword - description: | - The security action from app control - - name: appid - type: integer - description: | - Application ID - - name: applist - type: keyword - description: | - Application Control profile - - name: apprisk - type: keyword - description: | - Application Risk Level - - name: apscan - type: keyword - description: | - The name of the AP, which scanned and detected the rogue AP - - name: apsn - type: keyword - description: | - Access Point - - name: apstatus - type: keyword - description: | - Access Point status - - name: aptype - type: keyword - description: | - Access Point type - - name: assigned - type: ip - description: | - Assigned IP Address - - name: assignip - type: ip - description: | - Assigned IP Address - - name: attachment - type: keyword - description: | - The flag for email attachement - - name: attack - type: keyword - description: | - Attack Name - - name: attackcontext - type: keyword - description: | - The trigger patterns and the packetdata with base64 encoding - - name: attackcontextid - type: keyword - description: | - Attack context id / total - - name: attackid - type: integer - description: | - Attack ID - - name: auditid - type: long - description: | - Audit ID - - name: auditscore - type: keyword - description: | - The Audit Score - - name: audittime - type: long - description: | - The time of the audit - - name: authgrp - type: keyword - description: | - Authorization Group - - name: authid - type: keyword - description: | - 
Authentication ID - - name: authproto - type: keyword - description: | - The protocol that initiated the authentication - - name: authserver - type: keyword - description: | - Authentication server - - name: bandwidth - type: keyword - description: | - Bandwidth - - name: banned_rule - type: keyword - description: | - NAC quarantine Banned Rule Name - - name: banned_src - type: keyword - description: | - NAC quarantine Banned Source IP - - name: banword - type: keyword - description: | - Banned word - - name: botnetdomain - type: keyword - description: | - Botnet Domain Name - - name: botnetip - type: ip - description: | - Botnet IP Address - - name: bssid - type: keyword - description: | - Service Set ID - - name: call_id - type: keyword - description: | - Caller ID - - name: carrier_ep - type: keyword - description: | - The FortiOS Carrier end-point identification - - name: cat - type: integer - description: | - DNS category ID - - name: category - type: keyword - description: | - Authentication category - - name: cc - type: keyword - description: | - CC Email Address - - name: cdrcontent - type: keyword - description: | - Cdrcontent - - name: centralnatid - type: integer - description: | - Central NAT ID - - name: cert - type: keyword - description: | - Certificate - - name: cert-type - type: keyword - description: | - Certificate type - - name: certhash - type: keyword - description: | - Certificate hash - - name: cfgattr - type: keyword - description: | - Configuration attribute - - name: cfgobj - type: keyword - description: | - Configuration object - - name: cfgpath - type: keyword - description: | - Configuration path - - name: cfgtid - type: keyword - description: | - Configuration transaction ID - - name: cfgtxpower - type: integer - description: | - Configuration TX power - - name: channel - type: integer - description: | - Wireless Channel - - name: channeltype - type: keyword - description: | - SSH channel type - - name: chassisid - type: integer - 
description: | - Chassis ID - - name: checksum - type: keyword - description: | - The checksum of the scanned file - - name: chgheaders - type: keyword - description: | - HTTP Headers - - name: cldobjid - type: keyword - description: | - Connector object ID - - name: client_addr - type: keyword - description: | - Wifi client address - - name: cloudaction - type: keyword - description: | - Cloud Action - - name: clouduser - type: keyword - description: | - Cloud User - - name: column - type: integer - description: | - VOIP Column - - name: command - type: keyword - description: | - CLI Command - - name: community - type: keyword - description: | - SNMP Community - - name: configcountry - type: keyword - description: | - Configuration country - - name: connection_type - type: keyword - description: | - FortiClient Connection Type - - name: conserve - type: keyword - description: | - Flag for conserve mode - - name: constraint - type: keyword - description: | - WAF http protocol restrictions - - name: contentdisarmed - type: keyword - description: | - Email scanned content - - name: contenttype - type: keyword - description: | - Content Type from HTTP header - - name: cookies - type: keyword - description: | - VPN Cookie - - name: count - type: integer - description: | - Counts of action type - - name: countapp - type: integer - description: | - Number of App Ctrl logs associated with the session - - name: countav - type: integer - description: | - Number of AV logs associated with the session - - name: countcifs - type: integer - description: | - Number of CIFS logs associated with the session - - name: countdlp - type: integer - description: | - Number of DLP logs associated with the session - - name: countdns - type: integer - description: | - Number of DNS logs associated with the session - - name: countemail - type: integer - description: | - Number of email logs associated with the session - - name: countff - type: integer - description: | - Number of ff logs 
associated with the session
- - name: countips
- type: integer
- description: |
- Number of IPS logs associated with the session
- - name: countssh
- type: integer
- description: |
- Number of SSH logs associated with the session
- - name: countssl
- type: integer
- description: |
- Number of SSL logs associated with the session
- - name: countwaf
- type: integer
- description: |
- Number of WAF logs associated with the session
- - name: countweb
- type: integer
- description: |
- Number of Web filter logs associated with the session
- - name: cpu
- type: integer
- description: |
- CPU Usage
- - name: craction
- type: integer
- description: |
- Client Reputation Action
- - name: criticalcount
- type: integer
- description: |
- Number of critical ratings
- - name: crl
- type: keyword
- description: |
- Client Reputation Level
- - name: crlevel
- type: keyword
- description: |
- Client Reputation Level
- - name: crscore
- type: integer
- description: |
- Some description
- - name: cveid
- type: keyword
- description: |
- CVE ID
- - name: daemon
- type: keyword
- description: |
- Daemon name
- - name: datarange
- type: keyword
- description: |
- Data range for reports
- - name: date
- type: keyword
- description: |
- Date
- - name: ddnsserver
- type: ip
- description: |
- DDNS server
- - name: desc
- type: keyword
- description: |
- Description
- - name: detectionmethod
- type: keyword
- description: |
- Detection method
- - name: devcategory
- type: keyword
- description: |
- Device category
- - name: devintfname
- type: keyword
- description: |
- HA device Interface Name
- - name: devtype
- type: keyword
- description: |
- Device type
- - name: dhcp_msg
- type: keyword
- description: |
- DHCP Message
- - name: dintf
- type: keyword
- description: |
- Destination interface
- - name: disk
- type: keyword
- description: |
- Assosciated disk
- - name: disklograte
- type: long
- description: |
- Disk logging rate
- - name: dlpextra
- type: keyword
- description: |
- DLP extra information
- - name: docsource
- type: keyword
- description: |
- DLP fingerprint document source
- - name: domainctrlauthstate
- type: integer
- description: |
- CIFS domain auth state
- - name: domainctrlauthtype
- type: integer
- description: |
- CIFS domain auth type
- - name: domainctrldomain
- type: keyword
- description: |
- CIFS domain auth domain
- - name: domainctrlip
- type: ip
- description: |
- CIFS Domain IP
- - name: domainctrlname
- type: keyword
- description: |
- CIFS Domain name
- - name: domainctrlprotocoltype
- type: integer
- description: |
- CIFS Domain connection protocol
- - name: domainctrlusername
- type: keyword
- description: |
- CIFS Domain username
- - name: domainfilteridx
- type: integer
- description: |
- Domain filter ID
- - name: domainfilterlist
- type: keyword
- description: |
- Domain filter name
- - name: ds
- type: keyword
- description: |
- Direction with distribution system
- - name: dst_int
- type: keyword
- description: |
- Destination interface
- - name: dstintfrole
- type: keyword
- description: |
- Destination interface role
- - name: dstcountry
- type: keyword
- description: |
- Destination country
- - name: dstdevcategory
- type: keyword
- description: |
- Destination device category
- - name: dstdevtype
- type: keyword
- description: |
- Destination device type
- - name: dstfamily
- type: keyword
- description: |
- Destination OS family
- - name: dsthwvendor
- type: keyword
- description: |
- Destination HW vendor
- - name: dsthwversion
- type: keyword
- description: |
- Destination HW version
- - name: dstinetsvc
- type: keyword
- description: |
- Destination interface service
- - name: dstosname
- type: keyword
- description: |
- Destination OS name
- - name: dstosversion
- type: keyword
- description: |
- Destination OS version
- - name: dstserver
- type: integer
- description: |
- Destination server
- - name: dstssid
- type: keyword
- description: |
- Destination SSID
- - name: dstswversion
- type: keyword
- description: |
- Destination software version
- - name: dstunauthusersource
- type: keyword
- description: |
- Destination unauthenticated source
- - name: dstuuid
- type: keyword
- description: |
- UUID of the Destination IP address
- - name: duid
- type: keyword
- description: |
- DHCP UID
- - name: eapolcnt
- type: integer
- description: |
- EAPOL packet count
- - name: eapoltype
- type: keyword
- description: |
- EAPOL packet type
- - name: encrypt
- type: integer
- description: |
- Whether the packet is encrypted or not
- - name: encryption
- type: keyword
- description: |
- Encryption method
- - name: epoch
- type: integer
- description: |
- Epoch used for locating file
- - name: espauth
- type: keyword
- description: |
- ESP Authentication
- - name: esptransform
- type: keyword
- description: |
- ESP Transform
- - name: exch
- type: keyword
- description: |
- Mail Exchanges from DNS response answer section
- - name: exchange
- type: keyword
- description: |
- Mail Exchanges from DNS response answer section
- - name: expectedsignature
- type: keyword
- description: |
- Expected SSL signature
- - name: expiry
- type: keyword
- description: |
- FortiGuard override expiry timestamp
- - name: fams_pause
- type: integer
- description: |
- Fortinet Analysis and Management Service Pause
- - name: fazlograte
- type: long
- description: |
- FortiAnalyzer Logging Rate
- - name: fctemssn
- type: keyword
- description: |
- FortiClient Endpoint SSN
- - name: fctuid
- type: keyword
- description: |
- FortiClient UID
- - name: field
- type: keyword
- description: |
- NTP status field
- - name: filefilter
- type: keyword
- description: |
- The filter used to identify the affected file
- - name: filehashsrc
- type: keyword
- description: |
- Filehash source
- - name: filtercat
- type: keyword
- description: |
- DLP filter category
- - name: filteridx
- type: integer
- description: |
- DLP filter ID
- - name: filtername
- type: keyword
- description: |
- DLP rule name
- - name: filtertype
- type: keyword
- description: |
- DLP filter type
- - name: fortiguardresp
- type: keyword
- description: |
- Antispam ESP value
- - name: forwardedfor
- type: keyword
- description: |
- Email address forwarded
- - name: fqdn
- type: keyword
- description: |
- FQDN
- - name: frametype
- type: keyword
- description: |
- Wireless frametype
- - name: freediskstorage
- type: integer
- description: |
- Free disk integer
- - name: from
- type: keyword
- description: |
- From email address
- - name: from_vcluster
- type: integer
- description: |
- Source virtual cluster number
- - name: fsaverdict
- type: keyword
- description: |
- FSA verdict
- - name: fwserver_name
- type: keyword
- description: |
- Web proxy server name
- - name: gateway
- type: ip
- description: |
- Gateway ip address for PPPoE status report
- - name: green
- type: keyword
- description: |
- Memory status
- - name: groupid
- type: integer
- description: |
- User Group ID
- - name: ha-prio
- type: integer
- description: |
- HA Priority
- - name: ha_group
- type: keyword
- description: |
- HA Group
- - name: ha_role
- type: keyword
- description: |
- HA Role
- - name: handshake
- type: keyword
- description: |
- SSL Handshake
- - name: hash
- type: keyword
- description: |
- Hash value of downloaded file
- - name: hbdn_reason
- type: keyword
- description: |
- Heartbeat down reason
- - name: highcount
- type: integer
- description: |
- Highcount fabric summary
- - name: host
- type: keyword
- description: |
- Hostname
- - name: iaid
- type: keyword
- description: |
- DHCPv6 id
- - name: icmpcode
- type: keyword
- description: |
- Destination Port of the ICMP message
- - name: icmpid
- type: keyword
- description: |
- Source port of the ICMP message
- - name: icmptype
- type: keyword
- description: |
- The type of ICMP message
- - name: identifier
- type: integer
- description: |
- Network traffic identifier
- - name: in_spi
- type: keyword
- description: |
- IPSEC inbound SPI
- - name: incidentserialno
- type: integer
- description: |
- Incident serial number
- - name: infected
- type: integer
- description: |
- Infected MMS
- - name: infectedfilelevel
- type: integer
- description: |
- DLP infected file level
- - name: informationsource
- type: keyword
- description: |
- Information source
- - name: init
- type: keyword
- description: |
- IPSEC init stage
- - name: initiator
- type: keyword
- description: |
- Original login user name for Fortiguard override
- - name: interface
- type: keyword
- description: |
- Related interface
- - name: intf
- type: keyword
- description: |
- Related interface
- - name: invalidmac
- type: keyword
- description: |
- The MAC address with invalid OUI
- - name: ip
- type: ip
- description: |
- Related IP
- - name: iptype
- type: keyword
- description: |
- Related IP type
- - name: keyword
- type: keyword
- description: |
- Keyword used for search
- - name: kind
- type: keyword
- description: |
- VOIP kind
- - name: lanin
- type: long
- description: |
- LAN incoming traffic in bytes
- - name: lanout
- type: long
- description: |
- LAN outbound traffic in bytes
- - name: lease
- type: integer
- description: |
- DHCP lease
- - name: license_limit
- type: keyword
- description: |
- Maximum Number of FortiClients for the License
- - name: limit
- type: integer
- description: |
- Virtual Domain Resource Limit
- - name: line
- type: keyword
- description: |
- VOIP line
- - name: live
- type: integer
- description: |
- Time in seconds
- - name: local
- type: ip
- description: |
- Local IP for a PPPD Connection
- - name: log
- type: keyword
- description: |
- Log message
- - name: login
- type: keyword
- description: |
- SSH login
- - name: lowcount
- type: integer
- description: |
- Fabric lowcount
- - name: mac
- type: keyword
- description: |
- DHCP mac address
- - name: malform_data
- type: integer
- description: |
- VOIP malformed data
- - name: malform_desc
- type: keyword
- description: |
- VOIP malformed data description
- - name: manuf
- type: keyword
- description: |
- Manufacturer name
- - name: masterdstmac
- type: keyword
- description: |
- Master mac address for a host with multiple network interfaces
- - name: mastersrcmac
- type: keyword
- description: |
- The master MAC address for a host that has multiple network interfaces
- - name: mediumcount
- type: integer
- description: |
- Fabric medium count
- - name: mem
- type: integer
- description: |
- Memory usage system statistics
- - name: meshmode
- type: keyword
- description: |
- Wireless mesh mode
- - name: message_type
- type: keyword
- description: |
- VOIP message type
- - name: method
- type: keyword
- description: |
- HTTP method
- - name: mgmtcnt
- type: integer
- description: |
- The number of unauthorized client flooding managemet frames
- - name: mode
- type: keyword
- description: |
- IPSEC mode
- - name: module
- type: keyword
- description: |
- PCI-DSS module
- - name: monitor-name
- type: keyword
- description: |
- Health Monitor Name
- - name: monitor-type
- type: keyword
- description: |
- Health Monitor Type
- - name: mpsk
- type: keyword
- description: |
- Wireless MPSK
- - name: msgproto
- type: keyword
- description: |
- Message Protocol Number
- - name: mtu
- type: integer
- description: |
- Max Transmission Unit Value
- - name: name
- type: keyword
- description: |
- Name
- - name: nat
- type: keyword
- description: |
- NAT IP Address
- - name: netid
- type: keyword
- description: |
- Connector NetID
- - name: new_status
- type: keyword
- description: |
- New status on user change
- - name: new_value
- type: keyword
- description: |
- New Virtual Domain Name
- - name: newchannel
- type: integer
- description: |
- New Channel Number
- - name: newchassisid
- type: integer
- description: |
- New Chassis ID
- - name: newslot
- type: integer
- description: |
- New Slot Number
- - name: nextstat
- type: integer
- description: |
- Time interval in seconds for the next statistics.
- - name: nf_type
- type: keyword
- description: |
- Notification Type
- - name: noise
- type: integer
- description: |
- Wifi Noise
- - name: old_status
- type: keyword
- description: |
- Original Status
- - name: old_value
- type: keyword
- description: |
- Original Virtual Domain name
- - name: oldchannel
- type: integer
- description: |
- Original channel
- - name: oldchassisid
- type: integer
- description: |
- Original Chassis Number
- - name: oldslot
- type: integer
- description: |
- Original Slot Number
- - name: oldsn
- type: keyword
- description: |
- Old Serial number
- - name: oldwprof
- type: keyword
- description: |
- Old Web Filter Profile
- - name: onwire
- type: keyword
- description: |
- A flag to indicate if the AP is onwire or not
- - name: opercountry
- type: keyword
- description: |
- Operating Country
- - name: opertxpower
- type: integer
- description: |
- Operating TX power
- - name: osname
- type: keyword
- description: |
- Operating System name
- - name: osversion
- type: keyword
- description: |
- Operating System version
- - name: out_spi
- type: keyword
- description: |
- Out SPI
- - name: outintf
- type: keyword
- description: |
- Out interface
- - name: passedcount
- type: integer
- description: |
- Fabric passed count
- - name: passwd
- type: keyword
- description: |
- Changed user password information
- - name: path
- type: keyword
- description: |
- Path of looped configuration for security fabric
- - name: peer
- type: keyword
- description: |
- WAN optimization peer
- - name: peer_notif
- type: keyword
- description: |
- VPN peer notification
- - name: phase2_name
- type: keyword
- description: |
- VPN phase2 name
- - name: phone
- type: keyword
- description: |
- VOIP Phone
- - name: pid
- type: integer
- description: |
- Process ID
- - name: policytype
- type: keyword
- description: |
- Policy Type
- - name: poolname
- type: keyword
- description: |
- IP Pool name
- - name: port
- type: integer
- description: |
- Log upload 
error port - - name: portbegin - type: integer - description: | - IP Pool port number to begin - - name: portend - type: integer - description: | - IP Pool port number to end - - name: probeproto - type: keyword - description: | - Link Monitor Probe Protocol - - name: process - type: keyword - description: | - URL Filter process - - name: processtime - type: integer - description: | - Process time for reports - - name: profile - type: keyword - description: | - Profile Name - - name: profile_vd - type: keyword - description: | - Virtual Domain Name - - name: profilegroup - type: keyword - description: | - Profile Group Name - - name: profiletype - type: keyword - description: | - Profile Type - - name: qtypeval - type: integer - description: | - DNS question type value - - name: quarskip - type: keyword - description: | - Quarantine skip explanation - - name: quotaexceeded - type: keyword - description: | - If quota has been exceeded - - name: quotamax - type: long - description: | - Maximum quota allowed - in seconds if time-based - in bytes if traffic-based - - name: quotatype - type: keyword - description: | - Quota type - - name: quotaused - type: long - description: | - Quota used - in seconds if time-based - in bytes if trafficbased) - - name: radioband - type: keyword - description: | - Radio band - - name: radioid - type: integer - description: | - Radio ID - - name: radioidclosest - type: integer - description: | - Radio ID on the AP closest the rogue AP - - name: radioiddetected - type: integer - description: | - Radio ID on the AP which detected the rogue AP - - name: rate - type: keyword - description: | - Wireless rogue rate value - - name: rawdata - type: keyword - description: | - Raw data value - - name: rawdataid - type: keyword - description: | - Raw data ID - - name: rcvddelta - type: keyword - description: | - Received bytes delta - - name: reason - type: keyword - description: | - Alert reason - - name: received - type: integer - description: | 
- Server key exchange received
- - name: receivedsignature
- type: keyword
- description: |
- Server key exchange received signature
- - name: red
- type: keyword
- description: |
- Memory information in red
- - name: referralurl
- type: keyword
- description: |
- Web filter referralurl
- - name: remote
- type: ip
- description: |
- Remote PPP IP address
- - name: remotewtptime
- type: keyword
- description: |
- Remote Wifi Radius authentication time
- - name: reporttype
- type: keyword
- description: |
- Report type
- - name: reqtype
- type: keyword
- description: |
- Request type
- - name: request_name
- type: keyword
- description: |
- VOIP request name
- - name: result
- type: keyword
- description: |
- VPN phase result
- - name: role
- type: keyword
- description: |
- VPN Phase 2 role
- - name: rssi
- type: integer
- description: |
- Received signal strength indicator
- - name: rsso_key
- type: keyword
- description: |
- RADIUS SSO attribute value
- - name: ruledata
- type: keyword
- description: |
- Rule data
- - name: ruletype
- type: keyword
- description: |
- Rule type
- - name: scanned
- type: integer
- description: |
- Number of Scanned MMSs
- - name: scantime
- type: long
- description: |
- Scanned time
- - name: scope
- type: keyword
- description: |
- FortiGuard Override Scope
- - name: security
- type: keyword
- description: |
- Wireless rogue security
- - name: sensitivity
- type: keyword
- description: |
- Sensitivity for document fingerprint
- - name: sensor
- type: keyword
- description: |
- NAC Sensor Name
- - name: sentdelta
- type: keyword
- description: |
- Sent bytes delta
- - name: seq
- type: keyword
- description: |
- Sequence number
- - name: serial
- type: keyword
- description: |
- WAN optimisation serial
- - name: serialno
- type: keyword
- description: |
- Serial number
- - name: server
- type: keyword
- description: |
- AD server FQDN or IP
- - name: session_id
- type: keyword
- description: |
- Session ID
- - name: sessionid
- type: integer
- description: |
- WAD Session ID
- - name: setuprate
- type: long
- description: |
- Session Setup Rate
- - name: severity
- type: keyword
- description: |
- Severity
- - name: shaperdroprcvdbyte
- type: integer
- description: |
- Received bytes dropped by shaper
- - name: shaperdropsentbyte
- type: integer
- description: |
- Sent bytes dropped by shaper
- - name: shaperperipdropbyte
- type: integer
- description: |
- Dropped bytes per IP by shaper
- - name: shaperperipname
- type: keyword
- description: |
- Traffic shaper name (per IP)
- - name: shaperrcvdname
- type: keyword
- description: |
- Traffic shaper name for received traffic
- - name: shapersentname
- type: keyword
- description: |
- Traffic shaper name for sent traffic
- - name: shapingpolicyid
- type: integer
- description: |
- Traffic shaper policy ID
- - name: signal
- type: integer
- description: |
- Wireless rogue API signal
- - name: size
- type: long
- description: |
- Email size in bytes
- - name: slot
- type: integer
- description: |
- Slot number
- - name: sn
- type: keyword
- description: |
- Security fabric serial number
- - name: snclosest
- type: keyword
- description: |
- SN of the AP closest to the rogue AP
- - name: sndetected
- type: keyword
- description: |
- SN of the AP which detected the rogue AP
- - name: snmeshparent
- type: keyword
- description: |
- SN of the mesh parent
- - name: spi
- type: keyword
- description: |
- IPSEC SPI
- - name: src_int
- type: keyword
- description: |
- Source interface
- - name: srcintfrole
- type: keyword
- description: |
- Source interface role
- - name: srccountry
- type: keyword
- description: |
- Source country
- - name: srcfamily
- type: keyword
- description: |
- Source family
- - name: srchwvendor
- type: keyword
- description: |
- Source hardware vendor
- - name: srchwversion
- type: keyword
- description: |
- Source hardware version
- - name: srcinetsvc
- type: keyword
- description: |
- Source interface service
- - name: srcname
- type: keyword
- description: |
- Source name
- - name: srcserver
- type: integer
- description: |
- Source server
- - name: srcssid
- type: keyword
- description: |
- Source SSID
- - name: srcswversion
- type: keyword
- description: |
- Source software version
- - name: srcuuid
- type: keyword
- description: |
- Source UUID
- - name: sscname
- type: keyword
- description: |
- SSC name
- - name: ssid
- type: keyword
- description: |
- Base Service Set ID
- - name: sslaction
- type: keyword
- description: |
- SSL Action
- - name: ssllocal
- type: keyword
- description: |
- WAD SSL local
- - name: sslremote
- type: keyword
- description: |
- WAD SSL remote
- - name: stacount
- type: integer
- description: |
- Number of stations/clients
- - name: stage
- type: keyword
- description: |
- IPSEC stage
- - name: stamac
- type: keyword
- description: |
- 802.1x station mac
- - name: state
- type: keyword
- description: |
- Admin login state
- - name: status
- type: keyword
- description: |
- Status
- - name: stitch
- type: keyword
- description: |
- Automation stitch triggered
- - name: subject
- type: keyword
- description: |
- Email subject
- - name: submodule
- type: keyword
- description: |
- Configuration Sub-Module Name
- - name: subservice
- type: keyword
- description: |
- AV subservice
- - name: subtype
- type: keyword
- description: |
- Log subtype
- - name: suspicious
- type: integer
- description: |
- Number of Suspicious MMSs
- - name: switchproto
- type: keyword
- description: |
- Protocol change information
- - name: sync_status
- type: keyword
- description: |
- The sync status with the master
- - name: sync_type
- type: keyword
- description: |
- The sync type with the master
- - name: sysuptime
- type: keyword
- description: |
- System uptime
- - name: tamac
- type: keyword
- description: |
- the MAC address of Transmitter, if none, then Receiver
- - name: threattype
- type: keyword
- description: |
- WIDS threat type
- - name: time
- type: keyword
- description: |
- Time of the event
- - name: to
- type: keyword
- description: |
- Email to field
- - name: to_vcluster
- type: integer
- description: |
- destination virtual cluster number
- - name: total
- type: integer
- description: |
- Total memory
- - name: totalsession
- type: integer
- description: |
- Total Number of Sessions
- - name: trace_id
- type: keyword
- description: |
- Session clash trace ID
- - name: trandisp
- type: keyword
- description: |
- NAT translation type
- - name: transid
- type: integer
- description: |
- HTTP transaction ID
- - name: translationid
- type: keyword
- description: |
- DNS filter transaltion ID
- - name: trigger
- type: keyword
- description: |
- Automation stitch trigger
- - name: trueclntip
- type: ip
- description: |
- File filter true client IP
- - name: tunnelid
- type: integer
- description: |
- IPSEC tunnel ID
- - name: tunnelip
- type: ip
- description: |
- IPSEC tunnel IP
- - name: tunneltype
- type: keyword
- description: |
- IPSEC tunnel type
- - name: type
- type: keyword
- description: |
- Module type
- - name: ui
- type: keyword
- description: |
- Admin authentication UI type
- - name: unauthusersource
- type: keyword
- description: |
- Unauthenticated user source
- - name: unit
- type: integer
- description: |
- Power supply unit
- - name: urlfilteridx
- type: integer
- description: |
- URL filter ID
- - name: urlfilterlist
- type: keyword
- description: |
- URL filter list
- - name: urlsource
- type: keyword
- description: |
- URL filter source
- - name: urltype
- type: keyword
- description: |
- URL filter type
- - name: used
- type: integer
- description: |
- Number of Used IPs
- - name: used_for_type
- type: integer
- description: |
- Connection for the type
- - name: utmaction
- type: keyword
- description: |
- Security action performed by UTM
- - name: vap
- type: keyword
- description: |
- Virtual AP
- - name: vapmode
- type: keyword
- description: |
- Virtual AP mode
- - name: vcluster
- type: integer
- description: |
- virtual cluster id
- - name: vcluster_member
- type: integer
- description: |
- Virtual cluster member
- - name: vcluster_state
- type: keyword
- description: |
- Virtual cluster state
- - name: vd
- type: keyword
- description: |
- Virtual Domain Name
- - name: vdname
- type: keyword
- description: |
- Virtual Domain Name
- - name: vendorurl
- type: keyword
- description: |
- Vulnerability scan vendor name
- - name: version
- type: keyword
- description: |
- Version
- - name: vip
- type: keyword
- description: |
- Virtual IP
- - name: virus
- type: keyword
- description: |
- Virus name
- - name: virusid
- type: integer
- description: |
- Virus ID (unique virus identifier)
- - name: voip_proto
- type: keyword
- description: |
- VOIP protocol
- - name: vpn
- type: keyword
- description: |
- VPN description
- - name: vpntunnel
- type: keyword
- description: |
- IPsec Vpn Tunnel Name
- - name: vpntype
- type: keyword
- description: |
- The type of the VPN tunnel
- - name: vrf
- type: integer
- description: |
- VRF number
- - name: vulncat
- type: keyword
- description: |
- Vulnerability Category
- - name: vulnid
- type: integer
- description: |
- Vulnerability ID
- - name: vulnname
- type: keyword
- description: |
- Vulnerability name
- - name: vwlid
- type: integer
- description: |
- VWL ID
- - name: vwlquality
- type: keyword
- description: |
- VWL quality
- - name: vwlservice
- type: keyword
- description: |
- VWL service
- - name: vwpvlanid
- type: integer
- description: |
- VWP VLAN ID
- - name: wanin
- type: long
- description: |
- WAN incoming traffic in bytes
- - name: wanoptapptype
- type: keyword
- description: |
- WAN Optimization Application type
- - name: wanout
- type: long
- description: |
- WAN outgoing traffic in bytes
- - name: weakwepiv
- type: keyword
- description: |
- Weak Wep Initiation Vector
- - name: xauthgroup
- type: keyword
- description: |
- XAuth Group Name
- - name: xauthuser
- type: keyword
- description: |
- XAuth User Name
- - name: xid
- type: integer
- description: |
- Wireless X ID
diff --git a/packages/fortinet_fortigate/1.2.3/data_stream/log/manifest.yml b/packages/fortinet_fortigate/1.2.3/data_stream/log/manifest.yml
deleted file mode 100755
index 64911c6e36..0000000000
--- a/packages/fortinet_fortigate/1.2.3/data_stream/log/manifest.yml
+++ /dev/null
@@ -1,192 +0,0 @@ -type: logs -title: Fortinet FortiGate logs -streams: - - input: tcp - vars: - - name: syslog_host - type: text - title: Listen Address - description: The bind address to listen for TCP connections. Set to `0.0.0.0` to bind to all available interfaces. - multi: false - required: true - show_user: true - default: localhost - - name: syslog_port - type: integer - title: Listen Port - description: The TCP port number to listen on. - multi: false - required: true - show_user: true - default: 9004 - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: false - default: - - fortinet-fortigate - - fortinet-firewall - - forwarded - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original` - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: > - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. - - - name: ssl - type: yaml - title: SSL Configuration - description: i.e. certificate_authorities, supported_protocols, verification_mode etc. 
- multi: false - required: false - show_user: false - default: | - #certificate_authorities: - # - | - # -----BEGIN CERTIFICATE----- - # MIIDCjCCAfKgAwIBAgITJ706Mu2wJlKckpIvkWxEHvEyijANBgkqhkiG9w0BAQsF - # ADAUMRIwEAYDVQQDDAlsb2NhbGhvc3QwIBcNMTkwNzIyMTkyOTA0WhgPMjExOTA2 - # MjgxOTI5MDRaMBQxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEB - # BQADggEPADCCAQoCggEBANce58Y/JykI58iyOXpxGfw0/gMvF0hUQAcUrSMxEO6n - # fZRA49b4OV4SwWmA3395uL2eB2NB8y8qdQ9muXUdPBWE4l9rMZ6gmfu90N5B5uEl - # 94NcfBfYOKi1fJQ9i7WKhTjlRkMCgBkWPkUokvBZFRt8RtF7zI77BSEorHGQCk9t - # /D7BS0GJyfVEhftbWcFEAG3VRcoMhF7kUzYwp+qESoriFRYLeDWv68ZOvG7eoWnP - # PsvZStEVEimjvK5NSESEQa9xWyJOmlOKXhkdymtcUd/nXnx6UTCFgnkgzSdTWV41 - # CI6B6aJ9svCTI2QuoIq2HxX/ix7OvW1huVmcyHVxyUECAwEAAaNTMFEwHQYDVR0O - # BBYEFPwN1OceFGm9v6ux8G+DZ3TUDYxqMB8GA1UdIwQYMBaAFPwN1OceFGm9v6ux - # 8G+DZ3TUDYxqMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAG5D - # 874A4YI7YUwOVsVAdbWtgp1d0zKcPRR+r2OdSbTAV5/gcS3jgBJ3i1BN34JuDVFw - # 3DeJSYT3nxy2Y56lLnxDeF8CUTUtVQx3CuGkRg1ouGAHpO/6OqOhwLLorEmxi7tA - # H2O8mtT0poX5AnOAhzVy7QW0D/k4WaoLyckM5hUa6RtvgvLxOwA0U+VGurCDoctu - # 8F4QOgTAWyh8EZIwaKCliFRSynDpv3JTUwtfZkxo6K6nce1RhCWFAsMvDZL8Dgc0 - # yvgJ38BRsFOtkRuAGSf6ZUwTO8JJRRIFnpUzXflAnGivK9M13D5GEQMmIl6U9Pvk - # sxSmbIUfc2SGJGCJD4I= - # -----END CERTIFICATE----- - - name: tcp_options - type: yaml - title: Custom TCP Options - multi: false - required: false - show_user: false - default: | - #max_connections: 1 - #framing: delimitier - #line_delimiter: "\n" - description: Specify custom configuration options for the TCP input. - template_path: tcp.yml.hbs - title: Fortinet firewall logs (tcp) - description: Collect Fortinet firewall logs using tcp input - - input: udp - vars: - - name: syslog_host - type: text - title: Listen Address - description: The bind address to listen for UDP connections. Set to `0.0.0.0` to bind to all available interfaces. 
- multi: false - required: true - show_user: true - default: localhost - - name: syslog_port - type: integer - title: Listen Port - description: The UDP port number to listen on. - multi: false - required: true - show_user: true - default: 9004 - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: false - default: - - fortinet-fortigate - - fortinet-firewall - - forwarded - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original` - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: > - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. 
- - template_path: udp.yml.hbs - title: Fortinet firewall logs (udp) - description: Collect Fortinet firewall logs using udp input - - input: logfile - enabled: false - vars: - - name: paths - type: text - title: Paths - multi: true - required: false - show_user: true - default: - - /var/log/fortinet-firewall.log - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: false - default: - - fortinet-fortigate - - fortinet-firewall - - forwarded - - name: internal_interfaces - type: text - title: Internal Interfaces - multi: true - required: false - show_user: false - - name: external_interfaces - type: text - title: External Interfaces - multi: true - required: false - show_user: false - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original` - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: > - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. - - template_path: log.yml.hbs - title: Fortinet FortiGate logs (log) - description: Collect Fortinet FortiGate logs using log input diff --git a/packages/fortinet_fortigate/1.2.3/data_stream/log/sample_event.json b/packages/fortinet_fortigate/1.2.3/data_stream/log/sample_event.json deleted file mode 100755 index 8552aba271..0000000000 --- a/packages/fortinet_fortigate/1.2.3/data_stream/log/sample_event.json +++ /dev/null 
@@ -1,143 +0,0 @@
-{
- "@timestamp": "2019-05-15T18:03:36.000Z",
- "agent": {
- "ephemeral_id": "74b27709-c288-4314-b386-659dbc5a62ea",
- "hostname": "docker-fleet-agent",
- "id": "2164018d-05cd-45b4-979d-4032bdd775f6",
- "name": "docker-fleet-agent",
- "type": "filebeat",
- "version": "7.14.0"
- },
- "data_stream": {
- "dataset": "fortinet_fortigate.log",
- "namespace": "ep",
- "type": "logs"
- },
- "destination": {
- "as": {
- "number": 41690,
- "organization": {
- "name": "Dailymotion S.A."
- }
- },
- "geo": {
- "continent_name": "Europe",
- "country_iso_code": "FR",
- "country_name": "France",
- "location": {
- "lat": 48.8582,
- "lon": 2.3387
- }
- },
- "ip": "195.8.215.136",
- "port": 443
- },
- "ecs": {
- "version": "8.2.0"
- },
- "elastic_agent": {
- "id": "7cc48d16-ebf0-44b1-9094-fe2082d8f5a4",
- "snapshot": true,
- "version": "7.14.0"
- },
- "event": {
- "action": "app-ctrl-all",
- "category": [
- "network"
- ],
- "code": "1059028704",
- "dataset": "fortinet_fortigate.log",
- "ingested": "2021-06-03T12:38:44.458586716Z",
- "kind": "event",
- "module": "fortinet",
- "original": "\u003c190\u003edate=2019-05-15 time=18:03:36 logid=\"1059028704\" type=\"utm\" subtype=\"app-ctrl\" eventtype=\"app-ctrl-all\" level=\"information\" vd=\"root\" eventtime=1557968615 appid=40568 srcip=10.1.100.22 dstip=195.8.215.136 srcport=50798 dstport=443 srcintf=\"port10\" srcintfrole=\"lan\" dstintf=\"port9\" dstintfrole=\"wan\" proto=6 service=\"HTTPS\" direction=\"outgoing\" policyid=1 sessionid=4414 applist=\"block-social.media\" appcat=\"Web.Client\" app=\"HTTPS.BROWSER\" action=\"pass\" hostname=\"www.dailymotion.com\" incidentserialno=1962906680 url=\"/\" msg=\"Web.Client: HTTPS.BROWSER,\" apprisk=\"medium\" scertcname=\"*.dailymotion.com\" scertissuer=\"DigiCert SHA2 High Assurance Server CA\"\n",
- "outcome": "success",
- "start": "2019-05-16T01:03:35.000Z",
- "type": [
- "allowed"
- ]
- },
- "fortinet": {
- "firewall": {
- "action": "pass",
- "appid": "40568",
- "apprisk": "medium",
- "dstintfrole": "wan",
- "incidentserialno": "1962906680",
- "sessionid": "4414",
- "srcintfrole": "lan",
- "subtype": "app-ctrl",
- "type": "utm",
- "vd": "root"
- }
- },
- "input": {
- "type": "udp"
- },
- "log": {
- "level": "information",
- "source": {
- "address": "192.168.240.4:54617"
- }
- },
- "message": "Web.Client: HTTPS.BROWSER,",
- "network": {
- "application": "HTTPS.BROWSER",
- "direction": "outbound",
- "iana_number": "6",
- "transport": "tcp",
- "protocol": "https"
- },
- "observer": {
- "egress": {
- "interface": {
- "name": "port9"
- }
- },
- "ingress": {
- "interface": {
- "name": "port10"
- }
- },
- "product": "Fortigate",
- "type": "firewall",
- "vendor": "Fortinet"
- },
- "related": {
- "ip": [
- "10.1.100.22",
- "195.8.215.136"
- ]
- },
- "rule": {
- "category": "Web-Client",
- "id": "1",
- "ruleset": "block-social.media"
- },
- "source": {
- "ip": "10.1.100.22",
- "port": 50798
- },
- "tags": [
- "fortinet-firewall",
- "forwarded",
- "preserve_original_event"
- ],
- "tls": {
- "server": {
- "issuer": "DigiCert SHA2 High Assurance Server CA",
- "x509": {
- "issuer": {
- "common_name": "DigiCert SHA2 High Assurance Server CA"
- },
- "subject": {
- "common_name": "*.dailymotion.com"
- }
- }
- }
- },
- "url": {
- "domain": "www.dailymotion.com",
- "path": "/"
- }
-}
\ No newline at end of file
diff --git a/packages/fortinet_fortigate/1.2.3/docs/README.md b/packages/fortinet_fortigate/1.2.3/docs/README.md
deleted file mode 100755
index db4a079004..0000000000
--- a/packages/fortinet_fortigate/1.2.3/docs/README.md
+++ /dev/null
@@ -1,749 +0,0 @@
-# Fortinet FortiGate Integration
-
-This integration is for Fortinet FortiGate logs sent in the syslog format.
-
-## Compatibility
-
-This integration has been tested against FortiOS version 6.0.x and 6.2.x. Versions above this are expected to work but have not been tested.
-
-### Log
-
-The `log` dataset collects JFortinet FortiGate logs.
-
-An example event for `log` looks as following:
-
-```json
-{
- "@timestamp": "2019-05-15T18:03:36.000Z",
- "agent": {
- "ephemeral_id": "74b27709-c288-4314-b386-659dbc5a62ea",
- "hostname": "docker-fleet-agent",
- "id": "2164018d-05cd-45b4-979d-4032bdd775f6",
- "name": "docker-fleet-agent",
- "type": "filebeat",
- "version": "7.14.0"
- },
- "data_stream": {
- "dataset": "fortinet_fortigate.log",
- "namespace": "ep",
- "type": "logs"
- },
- "destination": {
- "as": {
- "number": 41690,
- "organization": {
- "name": "Dailymotion S.A."
- }
- },
- "geo": {
- "continent_name": "Europe",
- "country_iso_code": "FR",
- "country_name": "France",
- "location": {
- "lat": 48.8582,
- "lon": 2.3387
- }
- },
- "ip": "195.8.215.136",
- "port": 443
- },
- "ecs": {
- "version": "8.2.0"
- },
- "elastic_agent": {
- "id": "7cc48d16-ebf0-44b1-9094-fe2082d8f5a4",
- "snapshot": true,
- "version": "7.14.0"
- },
- "event": {
- "action": "app-ctrl-all",
- "category": [
- "network"
- ],
- "code": "1059028704",
- "dataset": "fortinet_fortigate.log",
- "ingested": "2021-06-03T12:38:44.458586716Z",
- "kind": "event",
- "module": "fortinet",
- "original": "\u003c190\u003edate=2019-05-15 time=18:03:36 logid=\"1059028704\" type=\"utm\" subtype=\"app-ctrl\" eventtype=\"app-ctrl-all\" level=\"information\" vd=\"root\" eventtime=1557968615 appid=40568 srcip=10.1.100.22 dstip=195.8.215.136 srcport=50798 dstport=443 srcintf=\"port10\" srcintfrole=\"lan\" dstintf=\"port9\" dstintfrole=\"wan\" proto=6 service=\"HTTPS\" direction=\"outgoing\" policyid=1 sessionid=4414 applist=\"block-social.media\" appcat=\"Web.Client\" app=\"HTTPS.BROWSER\" action=\"pass\" hostname=\"www.dailymotion.com\" incidentserialno=1962906680 url=\"/\" msg=\"Web.Client: HTTPS.BROWSER,\" apprisk=\"medium\" scertcname=\"*.dailymotion.com\" scertissuer=\"DigiCert SHA2 High Assurance Server CA\"\n",
- "outcome": "success",
- "start": "2019-05-16T01:03:35.000Z",
- "type": [
- "allowed"
- ]
- },
- "fortinet": {
- "firewall": {
- "action": "pass",
- "appid": "40568",
- "apprisk": "medium",
- "dstintfrole": "wan",
- "incidentserialno": "1962906680",
- "sessionid": "4414",
- "srcintfrole": "lan",
- "subtype": "app-ctrl",
- "type": "utm",
- "vd": "root"
- }
- },
- "input": {
- "type": "udp"
- },
- "log": {
- "level": "information",
- "source": {
- "address": "192.168.240.4:54617"
- }
- },
- "message": "Web.Client: HTTPS.BROWSER,",
- "network": {
- "application": "HTTPS.BROWSER",
- "direction": "outbound",
- "iana_number": "6",
- "transport": "tcp",
- "protocol": "https"
- },
- "observer": {
- "egress": {
- "interface": {
- "name": "port9"
- }
- },
- "ingress": {
- "interface": {
- "name": "port10"
- }
- },
- "product": "Fortigate",
- "type": "firewall",
- "vendor": "Fortinet"
- },
- "related": {
- "ip": [
- "10.1.100.22",
- "195.8.215.136"
- ]
- },
- "rule": {
- "category": "Web-Client",
- "id": "1",
- "ruleset": "block-social.media"
- },
- "source": {
- "ip": "10.1.100.22",
- "port": 50798
- },
- "tags": [
- "fortinet-firewall",
- "forwarded",
- "preserve_original_event"
- ],
- "tls": {
- "server": {
- "issuer": "DigiCert SHA2 High Assurance Server CA",
- "x509": {
- "issuer": {
- "common_name": "DigiCert SHA2 High Assurance Server CA"
- },
- "subject": {
- "common_name": "*.dailymotion.com"
- }
- }
- }
- },
- "url": {
- "domain": "www.dailymotion.com",
- "path": "/"
- }
-}
-```
-
-**Exported fields**
-
-| Field | Description | Type |
-|---|---|---|
-| @timestamp | Event timestamp. | date |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. 
Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| destination.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| destination.as.organization.name | Organization name. | keyword | -| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. | match_only_text | -| destination.bytes | Bytes sent from the destination to the source. | long | -| destination.domain | The domain name of the destination system. 
This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | -| destination.geo.city_name | City name. | keyword | -| destination.geo.continent_name | Name of the continent. | keyword | -| destination.geo.country_iso_code | Country ISO code. | keyword | -| destination.geo.country_name | Country name. | keyword | -| destination.geo.location | Longitude and latitude. | geo_point | -| destination.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | -| destination.geo.region_iso_code | Region ISO code. | keyword | -| destination.geo.region_name | Region name. | keyword | -| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | -| destination.nat.ip | Translated ip of destination based NAT sessions (e.g. internet to private DMZ) Typically used with load balancers, firewalls, or routers. | ip | -| destination.nat.port | Port the source session is translated to by NAT Device. Typically used with load balancers, firewalls, or routers. | long | -| destination.packets | Packets sent from the destination to the source. | long | -| destination.port | Port of the destination. | long | -| destination.user.email | User email address. | keyword | -| destination.user.name | Short name or login of the user. | keyword | -| destination.user.name.text | Multi-field of `destination.user.name`. | match_only_text | -| dns.id | The DNS packet identifier assigned by the program that generated the query. The identifier is copied to the response. | keyword | -| dns.question.class | The class of records being queried. | keyword | -| dns.question.name | The name being queried. 
If the name field contains non-printable characters (below 32 or above 126), those characters should be represented as escaped base 10 integers (\DDD). Back slashes and quotes should be escaped. Tabs, carriage returns, and line feeds should be converted to \t, \r, and \n respectively. | keyword | -| dns.question.type | The type of record being queried. | keyword | -| dns.resolved_ip | Array containing all IPs seen in `answers.data`. The `answers` array can be difficult to use, because of the variety of data formats it can contain. Extracting all IP addresses seen in there to `dns.resolved_ip` makes it possible to index them as IP addresses, and makes them easier to visualize and query for. | ip | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| email.cc.address | The email address of CC recipient | keyword | -| email.from.address | The email address of the sender, typically from the RFC 5322 `From:` header field. | keyword | -| email.sender.address | Per RFC 5322, specifies the address responsible for the actual transmission of the message. | keyword | -| email.subject | A brief summary of the topic of the message. | keyword | -| email.subject.text | Multi-field of `email.subject`. | match_only_text | -| email.to.address | The email address of recipient | keyword | -| error.code | Error code describing the error. | keyword | -| error.message | Error message. | match_only_text | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. 
This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.code | Identification code for this event, if one exists. Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. | keyword | -| event.dataset | Name of the dataset. | constant_keyword | -| event.duration | Duration of the event in nanoseconds. If event.start and event.end are known this value should be the difference between the end and start time. | long | -| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | -| event.message | Log message optimized for viewing in a log viewer. | text | -| event.module | Name of the module this data is coming from. 
| constant_keyword | -| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | -| event.reference | Reference URL linking to additional information about this event. This URL links to a static definition of this event. Alert events, indicated by `event.kind:alert`, are a common use case for this field. | keyword | -| event.start | event.start contains the date when the event started or when the activity was first observed. | date | -| event.timezone | This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). | keyword | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. 
This will allow proper categorization of some events that fall in multiple event types. | keyword | -| file.extension | File extension, excluding the leading dot. Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword | -| file.name | Name of the file including the extension, without the directory. | keyword | -| file.size | File size in bytes. Only relevant when `file.type` is "file". | long | -| fortinet.file.hash.crc32 | CRC32 Hash of file | keyword | -| fortinet.firewall.acct_stat | Accounting state (RADIUS) | keyword | -| fortinet.firewall.acktime | Alarm Acknowledge Time | keyword | -| fortinet.firewall.act | Action | keyword | -| fortinet.firewall.action | Status of the session | keyword | -| fortinet.firewall.activity | HA activity message | keyword | -| fortinet.firewall.addr | IP Address | ip | -| fortinet.firewall.addr_type | Address Type | keyword | -| fortinet.firewall.addrgrp | Address Group | keyword | -| fortinet.firewall.adgroup | AD Group Name | keyword | -| fortinet.firewall.admin | Admin User | keyword | -| fortinet.firewall.age | Time in seconds - time passed since last seen | integer | -| fortinet.firewall.agent | User agent - eg. 
agent="Mozilla/5.0" | keyword | -| fortinet.firewall.alarmid | Alarm ID | integer | -| fortinet.firewall.alert | Alert | keyword | -| fortinet.firewall.analyticscksum | The checksum of the file submitted for analytics | keyword | -| fortinet.firewall.analyticssubmit | The flag for analytics submission | keyword | -| fortinet.firewall.ap | Access Point | keyword | -| fortinet.firewall.app-type | Address Type | keyword | -| fortinet.firewall.appact | The security action from app control | keyword | -| fortinet.firewall.appid | Application ID | integer | -| fortinet.firewall.applist | Application Control profile | keyword | -| fortinet.firewall.apprisk | Application Risk Level | keyword | -| fortinet.firewall.apscan | The name of the AP, which scanned and detected the rogue AP | keyword | -| fortinet.firewall.apsn | Access Point | keyword | -| fortinet.firewall.apstatus | Access Point status | keyword | -| fortinet.firewall.aptype | Access Point type | keyword | -| fortinet.firewall.assigned | Assigned IP Address | ip | -| fortinet.firewall.assignip | Assigned IP Address | ip | -| fortinet.firewall.attachment | The flag for email attachement | keyword | -| fortinet.firewall.attack | Attack Name | keyword | -| fortinet.firewall.attackcontext | The trigger patterns and the packetdata with base64 encoding | keyword | -| fortinet.firewall.attackcontextid | Attack context id / total | keyword | -| fortinet.firewall.attackid | Attack ID | integer | -| fortinet.firewall.auditid | Audit ID | long | -| fortinet.firewall.auditscore | The Audit Score | keyword | -| fortinet.firewall.audittime | The time of the audit | long | -| fortinet.firewall.authgrp | Authorization Group | keyword | -| fortinet.firewall.authid | Authentication ID | keyword | -| fortinet.firewall.authproto | The protocol that initiated the authentication | keyword | -| fortinet.firewall.authserver | Authentication server | keyword | -| fortinet.firewall.bandwidth | Bandwidth | keyword | -| 
fortinet.firewall.banned_rule | NAC quarantine Banned Rule Name | keyword | -| fortinet.firewall.banned_src | NAC quarantine Banned Source IP | keyword | -| fortinet.firewall.banword | Banned word | keyword | -| fortinet.firewall.botnetdomain | Botnet Domain Name | keyword | -| fortinet.firewall.botnetip | Botnet IP Address | ip | -| fortinet.firewall.bssid | Service Set ID | keyword | -| fortinet.firewall.call_id | Caller ID | keyword | -| fortinet.firewall.carrier_ep | The FortiOS Carrier end-point identification | keyword | -| fortinet.firewall.cat | DNS category ID | integer | -| fortinet.firewall.category | Authentication category | keyword | -| fortinet.firewall.cc | CC Email Address | keyword | -| fortinet.firewall.cdrcontent | Cdrcontent | keyword | -| fortinet.firewall.centralnatid | Central NAT ID | integer | -| fortinet.firewall.cert | Certificate | keyword | -| fortinet.firewall.cert-type | Certificate type | keyword | -| fortinet.firewall.certhash | Certificate hash | keyword | -| fortinet.firewall.cfgattr | Configuration attribute | keyword | -| fortinet.firewall.cfgobj | Configuration object | keyword | -| fortinet.firewall.cfgpath | Configuration path | keyword | -| fortinet.firewall.cfgtid | Configuration transaction ID | keyword | -| fortinet.firewall.cfgtxpower | Configuration TX power | integer | -| fortinet.firewall.channel | Wireless Channel | integer | -| fortinet.firewall.channeltype | SSH channel type | keyword | -| fortinet.firewall.chassisid | Chassis ID | integer | -| fortinet.firewall.checksum | The checksum of the scanned file | keyword | -| fortinet.firewall.chgheaders | HTTP Headers | keyword | -| fortinet.firewall.cldobjid | Connector object ID | keyword | -| fortinet.firewall.client_addr | Wifi client address | keyword | -| fortinet.firewall.cloudaction | Cloud Action | keyword | -| fortinet.firewall.clouduser | Cloud User | keyword | -| fortinet.firewall.column | VOIP Column | integer | -| fortinet.firewall.command | CLI Command | 
keyword | -| fortinet.firewall.community | SNMP Community | keyword | -| fortinet.firewall.configcountry | Configuration country | keyword | -| fortinet.firewall.connection_type | FortiClient Connection Type | keyword | -| fortinet.firewall.conserve | Flag for conserve mode | keyword | -| fortinet.firewall.constraint | WAF http protocol restrictions | keyword | -| fortinet.firewall.contentdisarmed | Email scanned content | keyword | -| fortinet.firewall.contenttype | Content Type from HTTP header | keyword | -| fortinet.firewall.cookies | VPN Cookie | keyword | -| fortinet.firewall.count | Counts of action type | integer | -| fortinet.firewall.countapp | Number of App Ctrl logs associated with the session | integer | -| fortinet.firewall.countav | Number of AV logs associated with the session | integer | -| fortinet.firewall.countcifs | Number of CIFS logs associated with the session | integer | -| fortinet.firewall.countdlp | Number of DLP logs associated with the session | integer | -| fortinet.firewall.countdns | Number of DNS logs associated with the session | integer | -| fortinet.firewall.countemail | Number of email logs associated with the session | integer | -| fortinet.firewall.countff | Number of ff logs associated with the session | integer | -| fortinet.firewall.countips | Number of IPS logs associated with the session | integer | -| fortinet.firewall.countssh | Number of SSH logs associated with the session | integer | -| fortinet.firewall.countssl | Number of SSL logs associated with the session | integer | -| fortinet.firewall.countwaf | Number of WAF logs associated with the session | integer | -| fortinet.firewall.countweb | Number of Web filter logs associated with the session | integer | -| fortinet.firewall.cpu | CPU Usage | integer | -| fortinet.firewall.craction | Client Reputation Action | integer | -| fortinet.firewall.criticalcount | Number of critical ratings | integer | -| fortinet.firewall.crl | Client Reputation Level | keyword | -| 
fortinet.firewall.crlevel | Client Reputation Level | keyword | -| fortinet.firewall.crscore | Some description | integer | -| fortinet.firewall.cveid | CVE ID | keyword | -| fortinet.firewall.daemon | Daemon name | keyword | -| fortinet.firewall.datarange | Data range for reports | keyword | -| fortinet.firewall.date | Date | keyword | -| fortinet.firewall.ddnsserver | DDNS server | ip | -| fortinet.firewall.desc | Description | keyword | -| fortinet.firewall.detectionmethod | Detection method | keyword | -| fortinet.firewall.devcategory | Device category | keyword | -| fortinet.firewall.devintfname | HA device Interface Name | keyword | -| fortinet.firewall.devtype | Device type | keyword | -| fortinet.firewall.dhcp_msg | DHCP Message | keyword | -| fortinet.firewall.dintf | Destination interface | keyword | -| fortinet.firewall.disk | Assosciated disk | keyword | -| fortinet.firewall.disklograte | Disk logging rate | long | -| fortinet.firewall.dlpextra | DLP extra information | keyword | -| fortinet.firewall.docsource | DLP fingerprint document source | keyword | -| fortinet.firewall.domainctrlauthstate | CIFS domain auth state | integer | -| fortinet.firewall.domainctrlauthtype | CIFS domain auth type | integer | -| fortinet.firewall.domainctrldomain | CIFS domain auth domain | keyword | -| fortinet.firewall.domainctrlip | CIFS Domain IP | ip | -| fortinet.firewall.domainctrlname | CIFS Domain name | keyword | -| fortinet.firewall.domainctrlprotocoltype | CIFS Domain connection protocol | integer | -| fortinet.firewall.domainctrlusername | CIFS Domain username | keyword | -| fortinet.firewall.domainfilteridx | Domain filter ID | integer | -| fortinet.firewall.domainfilterlist | Domain filter name | keyword | -| fortinet.firewall.ds | Direction with distribution system | keyword | -| fortinet.firewall.dst_int | Destination interface | keyword | -| fortinet.firewall.dstcountry | Destination country | keyword | -| fortinet.firewall.dstdevcategory | Destination 
device category | keyword | -| fortinet.firewall.dstdevtype | Destination device type | keyword | -| fortinet.firewall.dstfamily | Destination OS family | keyword | -| fortinet.firewall.dsthwvendor | Destination HW vendor | keyword | -| fortinet.firewall.dsthwversion | Destination HW version | keyword | -| fortinet.firewall.dstinetsvc | Destination interface service | keyword | -| fortinet.firewall.dstintfrole | Destination interface role | keyword | -| fortinet.firewall.dstosname | Destination OS name | keyword | -| fortinet.firewall.dstosversion | Destination OS version | keyword | -| fortinet.firewall.dstserver | Destination server | integer | -| fortinet.firewall.dstssid | Destination SSID | keyword | -| fortinet.firewall.dstswversion | Destination software version | keyword | -| fortinet.firewall.dstunauthusersource | Destination unauthenticated source | keyword | -| fortinet.firewall.dstuuid | UUID of the Destination IP address | keyword | -| fortinet.firewall.duid | DHCP UID | keyword | -| fortinet.firewall.eapolcnt | EAPOL packet count | integer | -| fortinet.firewall.eapoltype | EAPOL packet type | keyword | -| fortinet.firewall.encrypt | Whether the packet is encrypted or not | integer | -| fortinet.firewall.encryption | Encryption method | keyword | -| fortinet.firewall.epoch | Epoch used for locating file | integer | -| fortinet.firewall.espauth | ESP Authentication | keyword | -| fortinet.firewall.esptransform | ESP Transform | keyword | -| fortinet.firewall.exch | Mail Exchanges from DNS response answer section | keyword | -| fortinet.firewall.exchange | Mail Exchanges from DNS response answer section | keyword | -| fortinet.firewall.expectedsignature | Expected SSL signature | keyword | -| fortinet.firewall.expiry | FortiGuard override expiry timestamp | keyword | -| fortinet.firewall.fams_pause | Fortinet Analysis and Management Service Pause | integer | -| fortinet.firewall.fazlograte | FortiAnalyzer Logging Rate | long | -| 
fortinet.firewall.fctemssn | FortiClient Endpoint SSN | keyword | -| fortinet.firewall.fctuid | FortiClient UID | keyword | -| fortinet.firewall.field | NTP status field | keyword | -| fortinet.firewall.filefilter | The filter used to identify the affected file | keyword | -| fortinet.firewall.filehashsrc | Filehash source | keyword | -| fortinet.firewall.filtercat | DLP filter category | keyword | -| fortinet.firewall.filteridx | DLP filter ID | integer | -| fortinet.firewall.filtername | DLP rule name | keyword | -| fortinet.firewall.filtertype | DLP filter type | keyword | -| fortinet.firewall.fortiguardresp | Antispam ESP value | keyword | -| fortinet.firewall.forwardedfor | Email address forwarded | keyword | -| fortinet.firewall.fqdn | FQDN | keyword | -| fortinet.firewall.frametype | Wireless frametype | keyword | -| fortinet.firewall.freediskstorage | Free disk integer | integer | -| fortinet.firewall.from | From email address | keyword | -| fortinet.firewall.from_vcluster | Source virtual cluster number | integer | -| fortinet.firewall.fsaverdict | FSA verdict | keyword | -| fortinet.firewall.fwserver_name | Web proxy server name | keyword | -| fortinet.firewall.gateway | Gateway ip address for PPPoE status report | ip | -| fortinet.firewall.green | Memory status | keyword | -| fortinet.firewall.groupid | User Group ID | integer | -| fortinet.firewall.ha-prio | HA Priority | integer | -| fortinet.firewall.ha_group | HA Group | keyword | -| fortinet.firewall.ha_role | HA Role | keyword | -| fortinet.firewall.handshake | SSL Handshake | keyword | -| fortinet.firewall.hash | Hash value of downloaded file | keyword | -| fortinet.firewall.hbdn_reason | Heartbeat down reason | keyword | -| fortinet.firewall.highcount | Highcount fabric summary | integer | -| fortinet.firewall.host | Hostname | keyword | -| fortinet.firewall.iaid | DHCPv6 id | keyword | -| fortinet.firewall.icmpcode | Destination Port of the ICMP message | keyword | -| fortinet.firewall.icmpid | 
Source port of the ICMP message | keyword | -| fortinet.firewall.icmptype | The type of ICMP message | keyword | -| fortinet.firewall.identifier | Network traffic identifier | integer | -| fortinet.firewall.in_spi | IPSEC inbound SPI | keyword | -| fortinet.firewall.incidentserialno | Incident serial number | integer | -| fortinet.firewall.infected | Infected MMS | integer | -| fortinet.firewall.infectedfilelevel | DLP infected file level | integer | -| fortinet.firewall.informationsource | Information source | keyword | -| fortinet.firewall.init | IPSEC init stage | keyword | -| fortinet.firewall.initiator | Original login user name for Fortiguard override | keyword | -| fortinet.firewall.interface | Related interface | keyword | -| fortinet.firewall.intf | Related interface | keyword | -| fortinet.firewall.invalidmac | The MAC address with invalid OUI | keyword | -| fortinet.firewall.ip | Related IP | ip | -| fortinet.firewall.iptype | Related IP type | keyword | -| fortinet.firewall.keyword | Keyword used for search | keyword | -| fortinet.firewall.kind | VOIP kind | keyword | -| fortinet.firewall.lanin | LAN incoming traffic in bytes | long | -| fortinet.firewall.lanout | LAN outbound traffic in bytes | long | -| fortinet.firewall.lease | DHCP lease | integer | -| fortinet.firewall.license_limit | Maximum Number of FortiClients for the License | keyword | -| fortinet.firewall.limit | Virtual Domain Resource Limit | integer | -| fortinet.firewall.line | VOIP line | keyword | -| fortinet.firewall.live | Time in seconds | integer | -| fortinet.firewall.local | Local IP for a PPPD Connection | ip | -| fortinet.firewall.log | Log message | keyword | -| fortinet.firewall.login | SSH login | keyword | -| fortinet.firewall.lowcount | Fabric lowcount | integer | -| fortinet.firewall.mac | DHCP mac address | keyword | -| fortinet.firewall.malform_data | VOIP malformed data | integer | -| fortinet.firewall.malform_desc | VOIP malformed data description | keyword | -| 
fortinet.firewall.manuf | Manufacturer name | keyword | -| fortinet.firewall.masterdstmac | Master mac address for a host with multiple network interfaces | keyword | -| fortinet.firewall.mastersrcmac | The master MAC address for a host that has multiple network interfaces | keyword | -| fortinet.firewall.mediumcount | Fabric medium count | integer | -| fortinet.firewall.mem | Memory usage system statistics | integer | -| fortinet.firewall.meshmode | Wireless mesh mode | keyword | -| fortinet.firewall.message_type | VOIP message type | keyword | -| fortinet.firewall.method | HTTP method | keyword | -| fortinet.firewall.mgmtcnt | The number of unauthorized client flooding managemet frames | integer | -| fortinet.firewall.mode | IPSEC mode | keyword | -| fortinet.firewall.module | PCI-DSS module | keyword | -| fortinet.firewall.monitor-name | Health Monitor Name | keyword | -| fortinet.firewall.monitor-type | Health Monitor Type | keyword | -| fortinet.firewall.mpsk | Wireless MPSK | keyword | -| fortinet.firewall.msgproto | Message Protocol Number | keyword | -| fortinet.firewall.mtu | Max Transmission Unit Value | integer | -| fortinet.firewall.name | Name | keyword | -| fortinet.firewall.nat | NAT IP Address | keyword | -| fortinet.firewall.netid | Connector NetID | keyword | -| fortinet.firewall.new_status | New status on user change | keyword | -| fortinet.firewall.new_value | New Virtual Domain Name | keyword | -| fortinet.firewall.newchannel | New Channel Number | integer | -| fortinet.firewall.newchassisid | New Chassis ID | integer | -| fortinet.firewall.newslot | New Slot Number | integer | -| fortinet.firewall.nextstat | Time interval in seconds for the next statistics. 
| integer | -| fortinet.firewall.nf_type | Notification Type | keyword | -| fortinet.firewall.noise | Wifi Noise | integer | -| fortinet.firewall.old_status | Original Status | keyword | -| fortinet.firewall.old_value | Original Virtual Domain name | keyword | -| fortinet.firewall.oldchannel | Original channel | integer | -| fortinet.firewall.oldchassisid | Original Chassis Number | integer | -| fortinet.firewall.oldslot | Original Slot Number | integer | -| fortinet.firewall.oldsn | Old Serial number | keyword | -| fortinet.firewall.oldwprof | Old Web Filter Profile | keyword | -| fortinet.firewall.onwire | A flag to indicate if the AP is onwire or not | keyword | -| fortinet.firewall.opercountry | Operating Country | keyword | -| fortinet.firewall.opertxpower | Operating TX power | integer | -| fortinet.firewall.osname | Operating System name | keyword | -| fortinet.firewall.osversion | Operating System version | keyword | -| fortinet.firewall.out_spi | Out SPI | keyword | -| fortinet.firewall.outintf | Out interface | keyword | -| fortinet.firewall.passedcount | Fabric passed count | integer | -| fortinet.firewall.passwd | Changed user password information | keyword | -| fortinet.firewall.path | Path of looped configuration for security fabric | keyword | -| fortinet.firewall.peer | WAN optimization peer | keyword | -| fortinet.firewall.peer_notif | VPN peer notification | keyword | -| fortinet.firewall.phase2_name | VPN phase2 name | keyword | -| fortinet.firewall.phone | VOIP Phone | keyword | -| fortinet.firewall.pid | Process ID | integer | -| fortinet.firewall.policytype | Policy Type | keyword | -| fortinet.firewall.poolname | IP Pool name | keyword | -| fortinet.firewall.port | Log upload error port | integer | -| fortinet.firewall.portbegin | IP Pool port number to begin | integer | -| fortinet.firewall.portend | IP Pool port number to end | integer | -| fortinet.firewall.probeproto | Link Monitor Probe Protocol | keyword | -| fortinet.firewall.process | 
URL Filter process | keyword | -| fortinet.firewall.processtime | Process time for reports | integer | -| fortinet.firewall.profile | Profile Name | keyword | -| fortinet.firewall.profile_vd | Virtual Domain Name | keyword | -| fortinet.firewall.profilegroup | Profile Group Name | keyword | -| fortinet.firewall.profiletype | Profile Type | keyword | -| fortinet.firewall.qtypeval | DNS question type value | integer | -| fortinet.firewall.quarskip | Quarantine skip explanation | keyword | -| fortinet.firewall.quotaexceeded | If quota has been exceeded | keyword | -| fortinet.firewall.quotamax | Maximum quota allowed - in seconds if time-based - in bytes if traffic-based | long | -| fortinet.firewall.quotatype | Quota type | keyword | -| fortinet.firewall.quotaused | Quota used - in seconds if time-based - in bytes if trafficbased) | long | -| fortinet.firewall.radioband | Radio band | keyword | -| fortinet.firewall.radioid | Radio ID | integer | -| fortinet.firewall.radioidclosest | Radio ID on the AP closest the rogue AP | integer | -| fortinet.firewall.radioiddetected | Radio ID on the AP which detected the rogue AP | integer | -| fortinet.firewall.rate | Wireless rogue rate value | keyword | -| fortinet.firewall.rawdata | Raw data value | keyword | -| fortinet.firewall.rawdataid | Raw data ID | keyword | -| fortinet.firewall.rcvddelta | Received bytes delta | keyword | -| fortinet.firewall.reason | Alert reason | keyword | -| fortinet.firewall.received | Server key exchange received | integer | -| fortinet.firewall.receivedsignature | Server key exchange received signature | keyword | -| fortinet.firewall.red | Memory information in red | keyword | -| fortinet.firewall.referralurl | Web filter referralurl | keyword | -| fortinet.firewall.remote | Remote PPP IP address | ip | -| fortinet.firewall.remotewtptime | Remote Wifi Radius authentication time | keyword | -| fortinet.firewall.reporttype | Report type | keyword | -| fortinet.firewall.reqtype | Request type | 
keyword | -| fortinet.firewall.request_name | VOIP request name | keyword | -| fortinet.firewall.result | VPN phase result | keyword | -| fortinet.firewall.role | VPN Phase 2 role | keyword | -| fortinet.firewall.rssi | Received signal strength indicator | integer | -| fortinet.firewall.rsso_key | RADIUS SSO attribute value | keyword | -| fortinet.firewall.ruledata | Rule data | keyword | -| fortinet.firewall.ruletype | Rule type | keyword | -| fortinet.firewall.scanned | Number of Scanned MMSs | integer | -| fortinet.firewall.scantime | Scanned time | long | -| fortinet.firewall.scope | FortiGuard Override Scope | keyword | -| fortinet.firewall.security | Wireless rogue security | keyword | -| fortinet.firewall.sensitivity | Sensitivity for document fingerprint | keyword | -| fortinet.firewall.sensor | NAC Sensor Name | keyword | -| fortinet.firewall.sentdelta | Sent bytes delta | keyword | -| fortinet.firewall.seq | Sequence number | keyword | -| fortinet.firewall.serial | WAN optimisation serial | keyword | -| fortinet.firewall.serialno | Serial number | keyword | -| fortinet.firewall.server | AD server FQDN or IP | keyword | -| fortinet.firewall.session_id | Session ID | keyword | -| fortinet.firewall.sessionid | WAD Session ID | integer | -| fortinet.firewall.setuprate | Session Setup Rate | long | -| fortinet.firewall.severity | Severity | keyword | -| fortinet.firewall.shaperdroprcvdbyte | Received bytes dropped by shaper | integer | -| fortinet.firewall.shaperdropsentbyte | Sent bytes dropped by shaper | integer | -| fortinet.firewall.shaperperipdropbyte | Dropped bytes per IP by shaper | integer | -| fortinet.firewall.shaperperipname | Traffic shaper name (per IP) | keyword | -| fortinet.firewall.shaperrcvdname | Traffic shaper name for received traffic | keyword | -| fortinet.firewall.shapersentname | Traffic shaper name for sent traffic | keyword | -| fortinet.firewall.shapingpolicyid | Traffic shaper policy ID | integer | -| fortinet.firewall.signal | 
Wireless rogue API signal | integer | -| fortinet.firewall.size | Email size in bytes | long | -| fortinet.firewall.slot | Slot number | integer | -| fortinet.firewall.sn | Security fabric serial number | keyword | -| fortinet.firewall.snclosest | SN of the AP closest to the rogue AP | keyword | -| fortinet.firewall.sndetected | SN of the AP which detected the rogue AP | keyword | -| fortinet.firewall.snmeshparent | SN of the mesh parent | keyword | -| fortinet.firewall.spi | IPSEC SPI | keyword | -| fortinet.firewall.src_int | Source interface | keyword | -| fortinet.firewall.srccountry | Source country | keyword | -| fortinet.firewall.srcfamily | Source family | keyword | -| fortinet.firewall.srchwvendor | Source hardware vendor | keyword | -| fortinet.firewall.srchwversion | Source hardware version | keyword | -| fortinet.firewall.srcinetsvc | Source interface service | keyword | -| fortinet.firewall.srcintfrole | Source interface role | keyword | -| fortinet.firewall.srcname | Source name | keyword | -| fortinet.firewall.srcserver | Source server | integer | -| fortinet.firewall.srcssid | Source SSID | keyword | -| fortinet.firewall.srcswversion | Source software version | keyword | -| fortinet.firewall.srcuuid | Source UUID | keyword | -| fortinet.firewall.sscname | SSC name | keyword | -| fortinet.firewall.ssid | Base Service Set ID | keyword | -| fortinet.firewall.sslaction | SSL Action | keyword | -| fortinet.firewall.ssllocal | WAD SSL local | keyword | -| fortinet.firewall.sslremote | WAD SSL remote | keyword | -| fortinet.firewall.stacount | Number of stations/clients | integer | -| fortinet.firewall.stage | IPSEC stage | keyword | -| fortinet.firewall.stamac | 802.1x station mac | keyword | -| fortinet.firewall.state | Admin login state | keyword | -| fortinet.firewall.status | Status | keyword | -| fortinet.firewall.stitch | Automation stitch triggered | keyword | -| fortinet.firewall.subject | Email subject | keyword | -| fortinet.firewall.submodule | 
Configuration Sub-Module Name | keyword | -| fortinet.firewall.subservice | AV subservice | keyword | -| fortinet.firewall.subtype | Log subtype | keyword | -| fortinet.firewall.suspicious | Number of Suspicious MMSs | integer | -| fortinet.firewall.switchproto | Protocol change information | keyword | -| fortinet.firewall.sync_status | The sync status with the master | keyword | -| fortinet.firewall.sync_type | The sync type with the master | keyword | -| fortinet.firewall.sysuptime | System uptime | keyword | -| fortinet.firewall.tamac | the MAC address of Transmitter, if none, then Receiver | keyword | -| fortinet.firewall.threattype | WIDS threat type | keyword | -| fortinet.firewall.time | Time of the event | keyword | -| fortinet.firewall.to | Email to field | keyword | -| fortinet.firewall.to_vcluster | destination virtual cluster number | integer | -| fortinet.firewall.total | Total memory | integer | -| fortinet.firewall.totalsession | Total Number of Sessions | integer | -| fortinet.firewall.trace_id | Session clash trace ID | keyword | -| fortinet.firewall.trandisp | NAT translation type | keyword | -| fortinet.firewall.transid | HTTP transaction ID | integer | -| fortinet.firewall.translationid | DNS filter transaltion ID | keyword | -| fortinet.firewall.trigger | Automation stitch trigger | keyword | -| fortinet.firewall.trueclntip | File filter true client IP | ip | -| fortinet.firewall.tunnelid | IPSEC tunnel ID | integer | -| fortinet.firewall.tunnelip | IPSEC tunnel IP | ip | -| fortinet.firewall.tunneltype | IPSEC tunnel type | keyword | -| fortinet.firewall.type | Module type | keyword | -| fortinet.firewall.ui | Admin authentication UI type | keyword | -| fortinet.firewall.unauthusersource | Unauthenticated user source | keyword | -| fortinet.firewall.unit | Power supply unit | integer | -| fortinet.firewall.urlfilteridx | URL filter ID | integer | -| fortinet.firewall.urlfilterlist | URL filter list | keyword | -| fortinet.firewall.urlsource | 
URL filter source | keyword | -| fortinet.firewall.urltype | URL filter type | keyword | -| fortinet.firewall.used | Number of Used IPs | integer | -| fortinet.firewall.used_for_type | Connection for the type | integer | -| fortinet.firewall.utmaction | Security action performed by UTM | keyword | -| fortinet.firewall.vap | Virtual AP | keyword | -| fortinet.firewall.vapmode | Virtual AP mode | keyword | -| fortinet.firewall.vcluster | virtual cluster id | integer | -| fortinet.firewall.vcluster_member | Virtual cluster member | integer | -| fortinet.firewall.vcluster_state | Virtual cluster state | keyword | -| fortinet.firewall.vd | Virtual Domain Name | keyword | -| fortinet.firewall.vdname | Virtual Domain Name | keyword | -| fortinet.firewall.vendorurl | Vulnerability scan vendor name | keyword | -| fortinet.firewall.version | Version | keyword | -| fortinet.firewall.vip | Virtual IP | keyword | -| fortinet.firewall.virus | Virus name | keyword | -| fortinet.firewall.virusid | Virus ID (unique virus identifier) | integer | -| fortinet.firewall.voip_proto | VOIP protocol | keyword | -| fortinet.firewall.vpn | VPN description | keyword | -| fortinet.firewall.vpntunnel | IPsec Vpn Tunnel Name | keyword | -| fortinet.firewall.vpntype | The type of the VPN tunnel | keyword | -| fortinet.firewall.vrf | VRF number | integer | -| fortinet.firewall.vulncat | Vulnerability Category | keyword | -| fortinet.firewall.vulnid | Vulnerability ID | integer | -| fortinet.firewall.vulnname | Vulnerability name | keyword | -| fortinet.firewall.vwlid | VWL ID | integer | -| fortinet.firewall.vwlquality | VWL quality | keyword | -| fortinet.firewall.vwlservice | VWL service | keyword | -| fortinet.firewall.vwpvlanid | VWP VLAN ID | integer | -| fortinet.firewall.wanin | WAN incoming traffic in bytes | long | -| fortinet.firewall.wanoptapptype | WAN Optimization Application type | keyword | -| fortinet.firewall.wanout | WAN outgoing traffic in bytes | long | -| 
fortinet.firewall.weakwepiv | Weak Wep Initiation Vector | keyword | -| fortinet.firewall.xauthgroup | XAuth Group Name | keyword | -| fortinet.firewall.xauthuser | XAuth User Name | keyword | -| fortinet.firewall.xid | Wireless X ID | integer | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. 
| keyword | -| input.type | Type of Filebeat input. | keyword | -| log.file.path | Path to the log file. | keyword | -| log.flags | Flags for the log file. | keyword | -| log.level | Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). Some examples are `warn`, `err`, `i`, `informational`. | keyword | -| log.offset | Offset of the entry in the log file. | long | -| log.source.address | Source address from which the log event was read / sent from. | keyword | -| log.syslog.facility.code | The Syslog numeric facility of the log event, if available. According to RFCs 5424 and 3164, this value should be an integer between 0 and 23. | long | -| log.syslog.priority | Syslog numeric priority of the event, if available. According to RFCs 5424 and 3164, the priority is 8 \* facility + severity. This number is therefore expected to contain a value between 0 and 191. | long | -| log.syslog.severity.code | The Syslog numeric severity of the log event, if available. If the event source publishing via Syslog provides a different numeric severity value (e.g. firewall, IDS), your source's numeric severity should go to `event.severity`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `event.severity`. | long | -| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. 
| match_only_text | -| network.application | When a specific application or service is identified from network connection details (source/dest IPs, ports, certificates, or wire format), this field captures the application's or service's name. For example, the original event identifies the network connection being from a specific web service in a `https` network connection, like `facebook` or `twitter`. The field value must be normalized to lowercase for querying. | keyword | -| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long | -| network.direction | Direction of the network traffic. Recommended values are: \* ingress \* egress \* inbound \* outbound \* internal \* external \* unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword | -| network.iana_number | IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. | keyword | -| network.packets | Total packets transferred in both directions. If `source.packets` and `destination.packets` are known, `network.packets` is their sum. | long | -| network.protocol | In the OSI Model this would be the Application Layer protocol. 
For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword | -| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword | -| observer.egress.interface.name | Interface name as reported by the system. | keyword | -| observer.ingress.interface.name | Interface name as reported by the system. | keyword | -| observer.name | Custom name of the observer. This is a name that can be given to an observer. This can be helpful for example if multiple firewalls of the same model are used in an organization. If no custom name is needed, the field can be left empty. | keyword | -| observer.product | The product name of the observer. | keyword | -| observer.serial_number | Observer serial number. | keyword | -| observer.type | The type of the observer the data is coming from. There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. | keyword | -| observer.vendor | Vendor name of the observer. | keyword | -| related.hash | All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). | keyword | -| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| related.user | All the user names or other user identifiers seen on the event. | keyword | -| rule.category | A categorization value keyword used by the entity using the rule for detection of this event. | keyword | -| rule.description | The description of the rule generating the event. 
| keyword | -| rule.id | A rule ID that is unique within the scope of an agent, observer, or other entity using the rule for detection of this event. | keyword | -| rule.name | The name of the rule or signature generating the event. | keyword | -| rule.ruleset | Name of the ruleset, policy, group, or parent category in which the rule used to generate this event is a member. | keyword | -| rule.uuid | A rule ID that is unique within the scope of a set or group of agents, observers, or other entities using the rule for detection of this event. | keyword | -| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| source.as.organization.name | Organization name. | keyword | -| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text | -| source.bytes | Bytes sent from the source to the destination. | long | -| source.geo.city_name | City name. | keyword | -| source.geo.continent_name | Name of the continent. | keyword | -| source.geo.country_iso_code | Country ISO code. | keyword | -| source.geo.country_name | Country name. | keyword | -| source.geo.location | Longitude and latitude. | geo_point | -| source.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | -| source.geo.region_iso_code | Region ISO code. | keyword | -| source.geo.region_name | Region name. 
| keyword | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| source.mac | MAC address of the source. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | -| source.nat.ip | Translated ip of source based NAT sessions (e.g. internal client to internet) Typically connections traversing load balancers, firewalls, or routers. | ip | -| source.nat.port | Translated port of source based NAT sessions. (e.g. internal client to internet) Typically used with load balancers, firewalls, or routers. | long | -| source.packets | Packets sent from the source to the destination. | long | -| source.port | Port of the source. | long | -| source.user.email | User email address. | keyword | -| source.user.group.name | Name of the group. | keyword | -| source.user.name | Short name or login of the user. | keyword | -| source.user.name.text | Multi-field of `source.user.name`. | match_only_text | -| tags | List of keywords used to tag each event. | keyword | -| tls.client.issuer | Distinguished name of subject of the issuer of the x.509 certificate presented by the client. | keyword | -| tls.client.server_name | Also called an SNI, this tells the server which hostname to which the client is attempting to connect to. When this value is available, it should get copied to `destination.domain`. | keyword | -| tls.client.x509.issuer.common_name | List of common name (CN) of issuing certificate authority. | keyword | -| tls.server.issuer | Subject of the issuer of the x.509 certificate presented by the server. | keyword | -| tls.server.x509.issuer.common_name | List of common name (CN) of issuing certificate authority. | keyword | -| tls.server.x509.subject.common_name | List of common names (CN) of subject. | keyword | -| url.domain | Domain of the url, such as "www.elastic.co". 
In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. | keyword | -| url.path | Path of the request, such as "/search". | wildcard | -| user_agent.original | Unparsed user_agent string. | keyword | -| user_agent.original.text | Multi-field of `user_agent.original`. | match_only_text | -| vulnerability.category | The type of system or architecture that the vulnerability affects. These may be platform-specific (for example, Debian or SUSE) or general (for example, Database or Firewall). For example (https://qualysguard.qualys.com/qwebhelp/fo_portal/knowledgebase/vulnerability_categories.htm[Qualys vulnerability categories]) This field must be an array. | keyword | diff --git a/packages/fortinet_fortigate/1.2.3/img/dashboard.png b/packages/fortinet_fortigate/1.2.3/img/dashboard.png deleted file mode 100755 index 268a29bd0e..0000000000 Binary files a/packages/fortinet_fortigate/1.2.3/img/dashboard.png and /dev/null differ diff --git a/packages/fortinet_fortigate/1.2.3/img/fortinet-logo.svg b/packages/fortinet_fortigate/1.2.3/img/fortinet-logo.svg deleted file mode 100755 index d6a8448f32..0000000000 --- a/packages/fortinet_fortigate/1.2.3/img/fortinet-logo.svg +++ /dev/null @@ -1,9 +0,0 @@ - - - - - - - - - diff --git a/packages/fortinet_fortigate/1.2.3/kibana/dashboard/fortinet_fortigate-d0cd8230-0c8b-11ed-bb95-158df2ca77e4.json b/packages/fortinet_fortigate/1.2.3/kibana/dashboard/fortinet_fortigate-d0cd8230-0c8b-11ed-bb95-158df2ca77e4.json deleted file mode 100755 index 7ea26c928a..0000000000 --- a/packages/fortinet_fortigate/1.2.3/kibana/dashboard/fortinet_fortigate-d0cd8230-0c8b-11ed-bb95-158df2ca77e4.json +++ /dev/null 
@@ -1,143 +0,0 @@ -{ - "attributes": { - "controlGroupInput": { - "chainingSystem": "NONE", - "controlStyle": "oneLine", - "ignoreParentSettingsJSON": "{\"ignoreFilters\":false,\"ignoreQuery\":false,\"ignoreTimerange\":false,\"ignoreValidations\":false}", - "panelsJSON": "{\"eb2ef977-0de8-4bd4-a936-8bd25a74543c\":{\"order\":1,\"width\":\"medium\",\"grow\":true,\"type\":\"optionsListControl\",\"explicitInput\":{\"fieldName\":\"event.category\",\"title\":\"Event Category\",\"id\":\"eb2ef977-0de8-4bd4-a936-8bd25a74543c\",\"enhancements\":{}}},\"cfa74479-5cd8-48b4-b302-86302d5cc8a6\":{\"order\":2,\"width\":\"medium\",\"grow\":true,\"type\":\"optionsListControl\",\"explicitInput\":{\"fieldName\":\"event.outcome\",\"title\":\"Event Outcome\",\"id\":\"cfa74479-5cd8-48b4-b302-86302d5cc8a6\",\"enhancements\":{}}},\"ee56c2d4-3f4e-4914-bc04-74a600f57188\":{\"order\":4,\"width\":\"medium\",\"grow\":true,\"type\":\"optionsListControl\",\"explicitInput\":{\"fieldName\":\"log.level\",\"title\":\"Fortinet Log Level\",\"id\":\"ee56c2d4-3f4e-4914-bc04-74a600f57188\",\"enhancements\":{},\"selectedOptions\":[]}},\"ad683801-15c1-4243-a870-c533cf32c7e3\":{\"order\":3,\"width\":\"medium\",\"grow\":true,\"type\":\"optionsListControl\",\"explicitInput\":{\"title\":\"Event Action\",\"fieldName\":\"event.action\",\"selectedOptions\":[],\"id\":\"ad683801-15c1-4243-a870-c533cf32c7e3\",\"enhancements\":{}}},\"c66d9124-057b-40aa-bc0a-fab5624ed285\":{\"order\":0,\"width\":\"medium\",\"grow\":true,\"type\":\"optionsListControl\",\"explicitInput\":{\"fieldName\":\"fortinet.firewall.type\",\"title\":\"Firewall Operation Type\",\"id\":\"c66d9124-057b-40aa-bc0a-fab5624ed285\",\"selectedOptions\":[],\"enhancements\":{}}}}" - }, - "description": "Overview of Fortinet FortiGate firewall events", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": 
"{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"fortinet_fortigate.log\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"fortinet_fortigate.log\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"syncTooltips\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-3315c7ab-9184-4bc2-8d29-bfa4f03c0357\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"3315c7ab-9184-4bc2-8d29-bfa4f03c0357\":{\"columnOrder\":[\"e5f0842d-128d-4718-9d9d-3fd543f0d8e3\",\"098c8c66-e7b7-4877-8ede-e69c2ab79d08\"],\"columns\":{\"098c8c66-e7b7-4877-8ede-e69c2ab79d08\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"params\":{\"emptyAsNull\":true},\"scale\":\"ratio\",\"sourceField\":\"___records___\"},\"e5f0842d-128d-4718-9d9d-3fd543f0d8e3\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top 5 values of 
event.category\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"098c8c66-e7b7-4877-8ede-e69c2ab79d08\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"event.category\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"e5f0842d-128d-4718-9d9d-3fd543f0d8e3\"],\"layerId\":\"3315c7ab-9184-4bc2-8d29-bfa4f03c0357\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"098c8c66-e7b7-4877-8ede-e69c2ab79d08\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"treemap\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":7,\"i\":\"aef92dcc-7959-4c94-90ef-373478d28419\",\"w\":12,\"x\":0,\"y\":0},\"panelIndex\":\"aef92dcc-7959-4c94-90ef-373478d28419\",\"title\":\"Event Category\",\"type\":\"lens\",\"version\":\"8.3.2\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-3315c7ab-9184-4bc2-8d29-bfa4f03c0357\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"3315c7ab-9184-4bc2-8d29-bfa4f03c0357\":{\"columnOrder\":[\"e5f0842d-128d-4718-9d9d-3fd543f0d8e3\",\"098c8c66-e7b7-4877-8ede-e69c2ab79d08\"],\"columns\":{\"098c8c66-e7b7-4877-8ede-e69c2ab79d08\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"params\":{\"emptyAsNull\":true},\"scale\":\"ratio\",\"sourceField\":\"___records___\"},\"e5f0842d-128d-4718-9d9d-3fd543f0d8e3\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top 5 values of 
event.outcome\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"098c8c66-e7b7-4877-8ede-e69c2ab79d08\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"secondaryFields\":[],\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"event.outcome\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"e5f0842d-128d-4718-9d9d-3fd543f0d8e3\"],\"layerId\":\"3315c7ab-9184-4bc2-8d29-bfa4f03c0357\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"098c8c66-e7b7-4877-8ede-e69c2ab79d08\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"treemap\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":7,\"i\":\"53ff2f86-bf06-4677-92d2-067155f609f3\",\"w\":12,\"x\":12,\"y\":0},\"panelIndex\":\"53ff2f86-bf06-4677-92d2-067155f609f3\",\"title\":\"Event Outcome\",\"type\":\"lens\",\"version\":\"8.3.2\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-3315c7ab-9184-4bc2-8d29-bfa4f03c0357\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"3315c7ab-9184-4bc2-8d29-bfa4f03c0357\":{\"columnOrder\":[\"e5f0842d-128d-4718-9d9d-3fd543f0d8e3\",\"098c8c66-e7b7-4877-8ede-e69c2ab79d08\"],\"columns\":{\"098c8c66-e7b7-4877-8ede-e69c2ab79d08\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"params\":{\"emptyAsNull\":true},\"scale\":\"ratio\",\"sourceField\":\"___records___\"},\"e5f0842d-128d-4718-9d9d-3fd543f0d8e3\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top 10 values of 
event.action\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"098c8c66-e7b7-4877-8ede-e69c2ab79d08\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"secondaryFields\":[],\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"event.action\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"e5f0842d-128d-4718-9d9d-3fd543f0d8e3\"],\"layerId\":\"3315c7ab-9184-4bc2-8d29-bfa4f03c0357\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"098c8c66-e7b7-4877-8ede-e69c2ab79d08\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"treemap\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":7,\"i\":\"b3871313-73e1-4197-af66-2ff82506fafd\",\"w\":12,\"x\":24,\"y\":0},\"panelIndex\":\"b3871313-73e1-4197-af66-2ff82506fafd\",\"title\":\"Fortinet Log Level\",\"type\":\"lens\",\"version\":\"8.3.2\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-3315c7ab-9184-4bc2-8d29-bfa4f03c0357\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"3315c7ab-9184-4bc2-8d29-bfa4f03c0357\":{\"columnOrder\":[\"e5f0842d-128d-4718-9d9d-3fd543f0d8e3\",\"098c8c66-e7b7-4877-8ede-e69c2ab79d08\"],\"columns\":{\"098c8c66-e7b7-4877-8ede-e69c2ab79d08\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"params\":{\"emptyAsNull\":true},\"scale\":\"ratio\",\"sourceField\":\"___records___\"},\"e5f0842d-128d-4718-9d9d-3fd543f0d8e3\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top 10 values of 
log.level\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"098c8c66-e7b7-4877-8ede-e69c2ab79d08\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"secondaryFields\":[],\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"log.level\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"e5f0842d-128d-4718-9d9d-3fd543f0d8e3\"],\"layerId\":\"3315c7ab-9184-4bc2-8d29-bfa4f03c0357\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"098c8c66-e7b7-4877-8ede-e69c2ab79d08\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"treemap\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":7,\"i\":\"941798ef-1ae4-4ebe-8867-a17eb8b1a4b9\",\"w\":12,\"x\":36,\"y\":0},\"panelIndex\":\"941798ef-1ae4-4ebe-8867-a17eb8b1a4b9\",\"title\":\"Fortinet Log Level\",\"type\":\"lens\",\"version\":\"8.3.2\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-3315c7ab-9184-4bc2-8d29-bfa4f03c0357\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"3315c7ab-9184-4bc2-8d29-bfa4f03c0357\":{\"columnOrder\":[\"e5f0842d-128d-4718-9d9d-3fd543f0d8e3\",\"098c8c66-e7b7-4877-8ede-e69c2ab79d08\"],\"columns\":{\"098c8c66-e7b7-4877-8ede-e69c2ab79d08\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"params\":{\"emptyAsNull\":true},\"scale\":\"ratio\",\"sourceField\":\"___records___\"},\"e5f0842d-128d-4718-9d9d-3fd543f0d8e3\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top 5 values of 
network.direction\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"098c8c66-e7b7-4877-8ede-e69c2ab79d08\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"secondaryFields\":[],\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"network.direction\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"e5f0842d-128d-4718-9d9d-3fd543f0d8e3\"],\"layerId\":\"3315c7ab-9184-4bc2-8d29-bfa4f03c0357\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"098c8c66-e7b7-4877-8ede-e69c2ab79d08\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"treemap\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":7,\"i\":\"f20139de-a0eb-463f-a9c8-183dce76b3fa\",\"w\":12,\"x\":0,\"y\":7},\"panelIndex\":\"f20139de-a0eb-463f-a9c8-183dce76b3fa\",\"title\":\"Network Direction\",\"type\":\"lens\",\"version\":\"8.3.2\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-3315c7ab-9184-4bc2-8d29-bfa4f03c0357\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"3315c7ab-9184-4bc2-8d29-bfa4f03c0357\":{\"columnOrder\":[\"e5f0842d-128d-4718-9d9d-3fd543f0d8e3\",\"098c8c66-e7b7-4877-8ede-e69c2ab79d08\"],\"columns\":{\"098c8c66-e7b7-4877-8ede-e69c2ab79d08\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"params\":{\"emptyAsNull\":true},\"scale\":\"ratio\",\"sourceField\":\"___records___\"},\"e5f0842d-128d-4718-9d9d-3fd543f0d8e3\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top 5 values of 
network.transport\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"098c8c66-e7b7-4877-8ede-e69c2ab79d08\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"secondaryFields\":[],\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"network.transport\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"e5f0842d-128d-4718-9d9d-3fd543f0d8e3\"],\"layerId\":\"3315c7ab-9184-4bc2-8d29-bfa4f03c0357\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"098c8c66-e7b7-4877-8ede-e69c2ab79d08\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"treemap\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":7,\"i\":\"14f2d7bc-a79b-4917-a0a3-9656891cc0d8\",\"w\":12,\"x\":12,\"y\":7},\"panelIndex\":\"14f2d7bc-a79b-4917-a0a3-9656891cc0d8\",\"title\":\"Network Transport\",\"type\":\"lens\",\"version\":\"8.3.2\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-3315c7ab-9184-4bc2-8d29-bfa4f03c0357\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"3315c7ab-9184-4bc2-8d29-bfa4f03c0357\":{\"columnOrder\":[\"e5f0842d-128d-4718-9d9d-3fd543f0d8e3\",\"098c8c66-e7b7-4877-8ede-e69c2ab79d08\"],\"columns\":{\"098c8c66-e7b7-4877-8ede-e69c2ab79d08\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"params\":{\"emptyAsNull\":true},\"scale\":\"ratio\",\"sourceField\":\"___records___\"},\"e5f0842d-128d-4718-9d9d-3fd543f0d8e3\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":true,\"label\":\"Syslog 
Severity\",\"operationType\":\"range\",\"params\":{\"includeEmptyRows\":true,\"maxBars\":\"auto\",\"ranges\":[{\"from\":0,\"label\":\"\",\"to\":1000}],\"type\":\"histogram\"},\"scale\":\"interval\",\"sourceField\":\"log.syslog.severity.code\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"axisTitlesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"fittingFunction\":\"None\",\"gridlinesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"layers\":[{\"accessors\":[\"098c8c66-e7b7-4877-8ede-e69c2ab79d08\"],\"layerId\":\"3315c7ab-9184-4bc2-8d29-bfa4f03c0357\",\"layerType\":\"data\",\"seriesType\":\"bar_stacked\",\"xAccessor\":\"e5f0842d-128d-4718-9d9d-3fd543f0d8e3\"}],\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"preferredSeriesType\":\"bar_stacked\",\"tickLabelsVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"valueLabels\":\"hide\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsXY\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":7,\"i\":\"85b98bdc-73a7-4032-aef1-91921b5235ce\",\"w\":12,\"x\":36,\"y\":7},\"panelIndex\":\"85b98bdc-73a7-4032-aef1-91921b5235ce\",\"title\":\"Syslog Severities\",\"type\":\"lens\",\"version\":\"8.3.2\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-3315c7ab-9184-4bc2-8d29-bfa4f03c0357\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"3315c7ab-9184-4bc2-8d29-bfa4f03c0357\":{\"columnOrder\":[\"e5f0842d-128d-4718-9d9d-3fd543f0d8e3\",\"098c8c66-e7b7-4877-8ede-e69c2ab79d08\"],\"columns\":{\"098c8c66-e7b7-4877-8ede-e69c2ab79d08\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of 
records\",\"operationType\":\"count\",\"params\":{\"emptyAsNull\":true},\"scale\":\"ratio\",\"sourceField\":\"___records___\"},\"e5f0842d-128d-4718-9d9d-3fd543f0d8e3\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":true,\"label\":\"Event Duration\",\"operationType\":\"range\",\"params\":{\"includeEmptyRows\":true,\"maxBars\":\"auto\",\"ranges\":[{\"from\":0,\"label\":\"\",\"to\":1000}],\"type\":\"histogram\"},\"scale\":\"interval\",\"sourceField\":\"event.duration\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"axisTitlesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"fittingFunction\":\"None\",\"gridlinesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"layers\":[{\"accessors\":[\"098c8c66-e7b7-4877-8ede-e69c2ab79d08\"],\"layerId\":\"3315c7ab-9184-4bc2-8d29-bfa4f03c0357\",\"layerType\":\"data\",\"seriesType\":\"bar_stacked\",\"xAccessor\":\"e5f0842d-128d-4718-9d9d-3fd543f0d8e3\"}],\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"preferredSeriesType\":\"bar_stacked\",\"tickLabelsVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"valueLabels\":\"hide\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsXY\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":7,\"i\":\"3652abe3-b251-4cc0-a014-a81bbe764d33\",\"w\":12,\"x\":24,\"y\":7},\"panelIndex\":\"3652abe3-b251-4cc0-a014-a81bbe764d33\",\"title\":\"Event 
Duration\",\"type\":\"lens\",\"version\":\"8.3.2\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-2573c22c-9787-4385-a01b-779b948ee617\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"2573c22c-9787-4385-a01b-779b948ee617\":{\"columnOrder\":[\"2ae7b9f4-59a0-4614-970e-b9e0aa0f8979\",\"d18fd8ee-eba8-421c-ae32-a71f7e414f3f\"],\"columns\":{\"2ae7b9f4-59a0-4614-970e-b9e0aa0f8979\":{\"dataType\":\"date\",\"isBucketed\":true,\"label\":\"@timestamp\",\"operationType\":\"date_histogram\",\"params\":{\"dropPartials\":false,\"includeEmptyRows\":true,\"interval\":\"auto\"},\"scale\":\"interval\",\"sourceField\":\"@timestamp\"},\"d18fd8ee-eba8-421c-ae32-a71f7e414f3f\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"params\":{\"emptyAsNull\":true},\"scale\":\"ratio\",\"sourceField\":\"___records___\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"axisTitlesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"fittingFunction\":\"None\",\"gridlinesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"layers\":[{\"accessors\":[\"d18fd8ee-eba8-421c-ae32-a71f7e414f3f\"],\"layerId\":\"2573c22c-9787-4385-a01b-779b948ee617\",\"layerType\":\"data\",\"position\":\"top\",\"seriesType\":\"line\",\"showGridlines\":false,\"xAccessor\":\"2ae7b9f4-59a0-4614-970e-b9e0aa0f8979\"}],\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"preferredSeriesType\":\"line\",\"tickLabelsVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"valueLabels\":\"hide\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsXY\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":12,\"i\":\"c284fd4a-cd25-4fe3-8124-f2458aed0257\",\"w\":48,\"x\":0,\"y\":14},
\"panelIndex\":\"c284fd4a-cd25-4fe3-8124-f2458aed0257\",\"title\":\"Requests Over Time\",\"type\":\"lens\",\"version\":\"8.3.2\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-64b9d1d0-7503-4967-849c-be0201d51ac1\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"64b9d1d0-7503-4967-849c-be0201d51ac1\":{\"columnOrder\":[\"e4b7b011-b2e7-41bf-895d-11b402493f26\",\"ed019e2d-fc96-4301-bf59-c2330c54b2f7\"],\"columns\":{\"e4b7b011-b2e7-41bf-895d-11b402493f26\":{\"dataType\":\"date\",\"isBucketed\":true,\"label\":\"@timestamp\",\"operationType\":\"date_histogram\",\"params\":{\"dropPartials\":false,\"includeEmptyRows\":true,\"interval\":\"auto\"},\"scale\":\"interval\",\"sourceField\":\"@timestamp\"},\"ed019e2d-fc96-4301-bf59-c2330c54b2f7\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Median of network.bytes\",\"operationType\":\"median\",\"params\":{\"emptyAsNull\":true},\"scale\":\"ratio\",\"sourceField\":\"network.bytes\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"axisTitlesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"fittingFunction\":\"None\",\"gridlinesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"layers\":[{\"accessors\":[\"ed019e2d-fc96-4301-bf59-c2330c54b2f7\"],\"layerId\":\"64b9d1d0-7503-4967-849c-be0201d51ac1\",\"layerType\":\"data\",\"position\":\"top\",\"seriesType\":\"line\",\"showGridlines\":false,\"xAccessor\":\"e4b7b011-b2e7-41bf-895d-11b402493f26\"}],\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"preferredSeriesType\":\"line\",\"tickLabelsVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"valueLabels\":\"hide\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsXY\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\
":{\"h\":12,\"i\":\"58884a18-ec0a-46f1-bf37-de86aba407ad\",\"w\":48,\"x\":0,\"y\":26},\"panelIndex\":\"58884a18-ec0a-46f1-bf37-de86aba407ad\",\"title\":\"Network Bytes Over Time\",\"type\":\"lens\",\"version\":\"8.3.2\"},{\"embeddableConfig\":{\"attributes\":{\"description\":\"\",\"layerListJSON\":\"[{\\\"locale\\\":\\\"autoselect\\\",\\\"sourceDescriptor\\\":{\\\"type\\\":\\\"EMS_TMS\\\",\\\"isAutoSelect\\\":true,\\\"lightModeDefault\\\":\\\"road_map_desaturated\\\"},\\\"id\\\":\\\"639d6137-90ec-4d57-8478-e509f53ce69d\\\",\\\"label\\\":null,\\\"minZoom\\\":0,\\\"maxZoom\\\":24,\\\"alpha\\\":1,\\\"visible\\\":true,\\\"style\\\":{\\\"type\\\":\\\"TILE\\\"},\\\"includeInFitToBounds\\\":true,\\\"type\\\":\\\"EMS_VECTOR_TILE\\\"},{\\\"sourceDescriptor\\\":{\\\"sourceGeoField\\\":\\\"source.geo.location\\\",\\\"destGeoField\\\":\\\"destination.geo.location\\\",\\\"id\\\":\\\"1eb41e3c-4868-4a02-a274-7e2d0c99395d\\\",\\\"type\\\":\\\"ES_PEW_PEW\\\",\\\"applyGlobalQuery\\\":true,\\\"applyGlobalTime\\\":true,\\\"applyForceRefresh\\\":true,\\\"metrics\\\":[{\\\"type\\\":\\\"count\\\"}],\\\"indexPatternRefName\\\":\\\"layer_1_source_index_pattern\\\"},\\\"style\\\":{\\\"type\\\":\\\"VECTOR\\\",\\\"properties\\\":{\\\"icon\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"value\\\":\\\"marker\\\"}},\\\"fillColor\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"color\\\":\\\"#54B399\\\"}},\\\"lineColor\\\":{\\\"type\\\":\\\"DYNAMIC\\\",\\\"options\\\":{\\\"color\\\":\\\"Blues\\\",\\\"colorCategory\\\":\\\"palette_0\\\",\\\"field\\\":{\\\"name\\\":\\\"doc_count\\\",\\\"origin\\\":\\\"source\\\"},\\\"fieldMetaOptions\\\":{\\\"isEnabled\\\":true,\\\"sigma\\\":3}}},\\\"lineWidth\\\":{\\\"type\\\":\\\"DYNAMIC\\\",\\\"options\\\":{\\\"minSize\\\":1,\\\"maxSize\\\":10,\\\"field\\\":{\\\"name\\\":\\\"doc_count\\\",\\\"origin\\\":\\\"source\\\"},\\\"fieldMetaOptions\\\":{\\\"isEnabled\\\":true,\\\"sigma\\\":3}}},\\\"iconSize\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"
size\\\":6}},\\\"iconOrientation\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"orientation\\\":0}},\\\"labelText\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"value\\\":\\\"\\\"}},\\\"labelColor\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"color\\\":\\\"#000000\\\"}},\\\"labelSize\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"size\\\":14}},\\\"labelBorderColor\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"color\\\":\\\"#FFFFFF\\\"}},\\\"symbolizeAs\\\":{\\\"options\\\":{\\\"value\\\":\\\"circle\\\"}},\\\"labelBorderSize\\\":{\\\"options\\\":{\\\"size\\\":\\\"SMALL\\\"}}},\\\"isTimeAware\\\":true},\\\"id\\\":\\\"849d4635-b0b9-48e8-a55e-2af1ad03cdc6\\\",\\\"label\\\":null,\\\"minZoom\\\":0,\\\"maxZoom\\\":24,\\\"alpha\\\":0.75,\\\"visible\\\":true,\\\"includeInFitToBounds\\\":true,\\\"type\\\":\\\"GEOJSON_VECTOR\\\",\\\"joins\\\":[]},{\\\"sourceDescriptor\\\":{\\\"geoField\\\":\\\"destination.geo.location\\\",\\\"requestType\\\":\\\"heatmap\\\",\\\"resolution\\\":\\\"MOST_FINE\\\",\\\"id\\\":\\\"2324e246-cacb-44b6-9b5d-adfe78680a50\\\",\\\"type\\\":\\\"ES_GEO_GRID\\\",\\\"applyGlobalQuery\\\":true,\\\"applyGlobalTime\\\":true,\\\"applyForceRefresh\\\":true,\\\"metrics\\\":[{\\\"type\\\":\\\"count\\\",\\\"label\\\":\\\"\\\"}],\\\"indexPatternRefName\\\":\\\"layer_2_source_index_pattern\\\"},\\\"id\\\":\\\"8bcd1ead-bbd9-4e7f-8764-0042c69a815a\\\",\\\"label\\\":\\\"Destination 
Location\\\",\\\"minZoom\\\":0,\\\"maxZoom\\\":24,\\\"alpha\\\":0.75,\\\"visible\\\":true,\\\"style\\\":{\\\"type\\\":\\\"HEATMAP\\\",\\\"colorRampName\\\":\\\"Blues\\\"},\\\"includeInFitToBounds\\\":true,\\\"type\\\":\\\"HEATMAP\\\"},{\\\"sourceDescriptor\\\":{\\\"geoField\\\":\\\"source.geo.location\\\",\\\"requestType\\\":\\\"heatmap\\\",\\\"resolution\\\":\\\"MOST_FINE\\\",\\\"id\\\":\\\"89afbedd-118f-4a04-9015-57165b9b84dd\\\",\\\"type\\\":\\\"ES_GEO_GRID\\\",\\\"applyGlobalQuery\\\":true,\\\"applyGlobalTime\\\":true,\\\"applyForceRefresh\\\":true,\\\"metrics\\\":[{\\\"type\\\":\\\"count\\\"}],\\\"indexPatternRefName\\\":\\\"layer_3_source_index_pattern\\\"},\\\"id\\\":\\\"1c35d621-57d9-48b9-afa9-9755aae6c1ac\\\",\\\"label\\\":\\\"Source Location\\\",\\\"minZoom\\\":0,\\\"maxZoom\\\":24,\\\"alpha\\\":0.75,\\\"visible\\\":true,\\\"style\\\":{\\\"type\\\":\\\"HEATMAP\\\",\\\"colorRampName\\\":\\\"Yellow to Red\\\"},\\\"includeInFitToBounds\\\":true,\\\"type\\\":\\\"HEATMAP\\\"}]\",\"mapStateJSON\":\"{\\\"zoom\\\":1.64,\\\"center\\\":{\\\"lon\\\":90.00001,\\\"lat\\\":0},\\\"timeFilters\\\":{\\\"from\\\":\\\"now-7d\\\",\\\"to\\\":\\\"now\\\"},\\\"refreshConfig\\\":{\\\"isPaused\\\":true,\\\"interval\\\":0},\\\"query\\\":{\\\"query\\\":\\\"\\\",\\\"language\\\":\\\"kuery\\\"},\\\"filters\\\":[],\\\"settings\\\":{\\\"autoFitToDataBounds\\\":false,\\\"backgroundColor\\\":\\\"#ffffff\\\",\\\"customIcons\\\":[],\\\"disableInteractive\\\":false,\\\"disableTooltipControl\\\":false,\\\"hideToolbarOverlay\\\":false,\\\"hideLayerControl\\\":false,\\\"hideViewControl\\\":false,\\\"initialLocation\\\":\\\"LAST_SAVED_LOCATION\\\",\\\"fixedLocation\\\":{\\\"lat\\\":0,\\\"lon\\\":0,\\\"zoom\\\":2},\\\"browserLocation\\\":{\\\"zoom\\\":2},\\\"maxZoom\\\":24,\\\"minZoom\\\":0,\\\"showScaleControl\\\":false,\\\"showSpatialFilters\\\":true,\\\"showTimesliderToggleButton\\\":true,\\\"spatialFiltersAlpa\\\":0.3,\\\"spatialFiltersFillColor\\\":\\\"#DA8B45\\\",\\\"spatialFiltersLineColor
\\\":\\\"#DA8B45\\\"}}\",\"title\":\"\",\"uiStateJSON\":\"{\\\"isLayerTOCOpen\\\":true,\\\"openTOCDetails\\\":[]}\"},\"enhancements\":{},\"hiddenLayers\":[],\"hidePanelTitles\":false,\"isLayerTOCOpen\":false,\"mapBuffer\":{\"maxLat\":89.78601,\"maxLon\":360,\"minLat\":-89.78601,\"minLon\":-180},\"mapCenter\":{\"lat\":0,\"lon\":90.00001,\"zoom\":0.38},\"openTOCDetails\":[]},\"gridData\":{\"h\":25,\"i\":\"3559260b-1b7d-4053-b958-d6eb5f4e839e\",\"w\":24,\"x\":0,\"y\":38},\"panelIndex\":\"3559260b-1b7d-4053-b958-d6eb5f4e839e\",\"title\":\"Connections\",\"type\":\"map\",\"version\":\"8.3.2\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-3b509c65-21ea-4bc9-98ac-38f059b301f9\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"3b509c65-21ea-4bc9-98ac-38f059b301f9\":{\"columnOrder\":[\"d5104737-a960-4de0-950e-d33e797f9346\",\"f14b52f5-b58b-4cac-8878-20f877e4724e\"],\"columns\":{\"d5104737-a960-4de0-950e-d33e797f9346\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top 10 values of source.geo.country_name\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"f14b52f5-b58b-4cac-8878-20f877e4724e\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"secondaryFields\":[],\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"source.geo.country_name\"},\"f14b52f5-b58b-4cac-8878-20f877e4724e\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of 
records\",\"operationType\":\"count\",\"params\":{\"emptyAsNull\":true},\"scale\":\"ratio\",\"sourceField\":\"___records___\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"d5104737-a960-4de0-950e-d33e797f9346\"],\"layerId\":\"3b509c65-21ea-4bc9-98ac-38f059b301f9\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"f14b52f5-b58b-4cac-8878-20f877e4724e\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"treemap\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":13,\"i\":\"9eb208d4-f6d7-468a-b558-a98ecc64e262\",\"w\":12,\"x\":24,\"y\":38},\"panelIndex\":\"9eb208d4-f6d7-468a-b558-a98ecc64e262\",\"title\":\"Source Country\",\"type\":\"lens\",\"version\":\"8.3.2\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-3b509c65-21ea-4bc9-98ac-38f059b301f9\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"3b509c65-21ea-4bc9-98ac-38f059b301f9\":{\"columnOrder\":[\"d5104737-a960-4de0-950e-d33e797f9346\",\"f14b52f5-b58b-4cac-8878-20f877e4724e\"],\"columns\":{\"d5104737-a960-4de0-950e-d33e797f9346\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top 10 values of source.as.organization.name\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"f14b52f5-b58b-4cac-8878-20f877e4724e\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"secondaryFields\":[],\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"source.as.organization.name\"},\"f14b52f5-b58b-4cac-8878-20f877e4724e\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of 
records\",\"operationType\":\"count\",\"params\":{\"emptyAsNull\":true},\"scale\":\"ratio\",\"sourceField\":\"___records___\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"d5104737-a960-4de0-950e-d33e797f9346\"],\"layerId\":\"3b509c65-21ea-4bc9-98ac-38f059b301f9\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"f14b52f5-b58b-4cac-8878-20f877e4724e\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"treemap\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":13,\"i\":\"bbd15cda-94cf-4624-acfe-f255efbb5855\",\"w\":12,\"x\":36,\"y\":38},\"panelIndex\":\"bbd15cda-94cf-4624-acfe-f255efbb5855\",\"title\":\"Source Organization\",\"type\":\"lens\",\"version\":\"8.3.2\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-3b509c65-21ea-4bc9-98ac-38f059b301f9\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"3b509c65-21ea-4bc9-98ac-38f059b301f9\":{\"columnOrder\":[\"d5104737-a960-4de0-950e-d33e797f9346\",\"f14b52f5-b58b-4cac-8878-20f877e4724e\"],\"columns\":{\"d5104737-a960-4de0-950e-d33e797f9346\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top 10 values of destination.geo.country_name\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"f14b52f5-b58b-4cac-8878-20f877e4724e\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"secondaryFields\":[],\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"destination.geo.country_name\"},\"f14b52f5-b58b-4cac-8878-20f877e4724e\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of 
records\",\"operationType\":\"count\",\"params\":{\"emptyAsNull\":true},\"scale\":\"ratio\",\"sourceField\":\"___records___\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"d5104737-a960-4de0-950e-d33e797f9346\"],\"layerId\":\"3b509c65-21ea-4bc9-98ac-38f059b301f9\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"f14b52f5-b58b-4cac-8878-20f877e4724e\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"treemap\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":12,\"i\":\"83c59f55-5df1-4715-8fb1-d088f0e10019\",\"w\":12,\"x\":24,\"y\":51},\"panelIndex\":\"83c59f55-5df1-4715-8fb1-d088f0e10019\",\"title\":\"Destination Country\",\"type\":\"lens\",\"version\":\"8.3.2\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-3b509c65-21ea-4bc9-98ac-38f059b301f9\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"3b509c65-21ea-4bc9-98ac-38f059b301f9\":{\"columnOrder\":[\"d5104737-a960-4de0-950e-d33e797f9346\",\"f14b52f5-b58b-4cac-8878-20f877e4724e\"],\"columns\":{\"d5104737-a960-4de0-950e-d33e797f9346\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top 10 values of destination.as.organization.name\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"f14b52f5-b58b-4cac-8878-20f877e4724e\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"secondaryFields\":[],\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"destination.as.organization.name\"},\"f14b52f5-b58b-4cac-8878-20f877e4724e\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of 
records\",\"operationType\":\"count\",\"params\":{\"emptyAsNull\":true},\"scale\":\"ratio\",\"sourceField\":\"___records___\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"d5104737-a960-4de0-950e-d33e797f9346\"],\"layerId\":\"3b509c65-21ea-4bc9-98ac-38f059b301f9\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"f14b52f5-b58b-4cac-8878-20f877e4724e\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"treemap\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":12,\"i\":\"1e4ffbda-33d2-40eb-9746-4469775466f7\",\"w\":12,\"x\":36,\"y\":51},\"panelIndex\":\"1e4ffbda-33d2-40eb-9746-4469775466f7\",\"title\":\"Destination Organization\",\"type\":\"lens\",\"version\":\"8.3.2\"}]", - "timeRestore": false, - "title": "[Fortinet Fortigate] Firewall Overview", - "version": 1 - }, - "coreMigrationVersion": "8.3.2", - "id": "fortinet_fortigate-d0cd8230-0c8b-11ed-bb95-158df2ca77e4", - "migrationVersion": { - "dashboard": "8.3.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "aef92dcc-7959-4c94-90ef-373478d28419:indexpattern-datasource-layer-3315c7ab-9184-4bc2-8d29-bfa4f03c0357", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "53ff2f86-bf06-4677-92d2-067155f609f3:indexpattern-datasource-layer-3315c7ab-9184-4bc2-8d29-bfa4f03c0357", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "b3871313-73e1-4197-af66-2ff82506fafd:indexpattern-datasource-layer-3315c7ab-9184-4bc2-8d29-bfa4f03c0357", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "941798ef-1ae4-4ebe-8867-a17eb8b1a4b9:indexpattern-datasource-layer-3315c7ab-9184-4bc2-8d29-bfa4f03c0357", - "type": "index-pattern" - 
}, - { - "id": "logs-*", - "name": "f20139de-a0eb-463f-a9c8-183dce76b3fa:indexpattern-datasource-layer-3315c7ab-9184-4bc2-8d29-bfa4f03c0357", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "14f2d7bc-a79b-4917-a0a3-9656891cc0d8:indexpattern-datasource-layer-3315c7ab-9184-4bc2-8d29-bfa4f03c0357", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "85b98bdc-73a7-4032-aef1-91921b5235ce:indexpattern-datasource-layer-3315c7ab-9184-4bc2-8d29-bfa4f03c0357", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "3652abe3-b251-4cc0-a014-a81bbe764d33:indexpattern-datasource-layer-3315c7ab-9184-4bc2-8d29-bfa4f03c0357", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "c284fd4a-cd25-4fe3-8124-f2458aed0257:indexpattern-datasource-layer-2573c22c-9787-4385-a01b-779b948ee617", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "58884a18-ec0a-46f1-bf37-de86aba407ad:indexpattern-datasource-layer-64b9d1d0-7503-4967-849c-be0201d51ac1", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "3559260b-1b7d-4053-b958-d6eb5f4e839e:layer_1_source_index_pattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "3559260b-1b7d-4053-b958-d6eb5f4e839e:layer_2_source_index_pattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "3559260b-1b7d-4053-b958-d6eb5f4e839e:layer_3_source_index_pattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "9eb208d4-f6d7-468a-b558-a98ecc64e262:indexpattern-datasource-layer-3b509c65-21ea-4bc9-98ac-38f059b301f9", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "bbd15cda-94cf-4624-acfe-f255efbb5855:indexpattern-datasource-layer-3b509c65-21ea-4bc9-98ac-38f059b301f9", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "83c59f55-5df1-4715-8fb1-d088f0e10019:indexpattern-datasource-layer-3b509c65-21ea-4bc9-98ac-38f059b301f9", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": 
"1e4ffbda-33d2-40eb-9746-4469775466f7:indexpattern-datasource-layer-3b509c65-21ea-4bc9-98ac-38f059b301f9", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "controlGroup_eb2ef977-0de8-4bd4-a936-8bd25a74543c:optionsListDataView", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "controlGroup_cfa74479-5cd8-48b4-b302-86302d5cc8a6:optionsListDataView", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "controlGroup_ee56c2d4-3f4e-4914-bc04-74a600f57188:optionsListDataView", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "controlGroup_ad683801-15c1-4243-a870-c533cf32c7e3:optionsListDataView", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "controlGroup_c66d9124-057b-40aa-bc0a-fab5624ed285:optionsListDataView", - "type": "index-pattern" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/fortinet_fortigate/1.2.3/manifest.yml b/packages/fortinet_fortigate/1.2.3/manifest.yml deleted file mode 100755 index c22c877322..0000000000 --- a/packages/fortinet_fortigate/1.2.3/manifest.yml +++ /dev/null 
@@ -1,37 +0,0 @@
-name: fortinet_fortigate
-title: Fortinet FortiGate Firewall Logs
-version: 1.2.3
-release: ga
-description: Collect logs from Fortinet FortiGate firewalls with Elastic Agent.
-type: integration
-format_version: 1.0.0
-license: basic
-categories: ["security"]
-conditions:
- kibana.version: "^8.3.0"
-icons:
- - src: /img/fortinet-logo.svg
- title: Fortinet
- size: 216x216
- type: image/svg+xml
-screenshots:
- - src: /img/dashboard.png
- title: Fortinet FortiGate Overview
- size: 3336x3120
- type: image/png
-policy_templates:
- - name: fortinet_fortigate
- title: Fortinet FortiGate logs
- description: Collect logs from Fortinet FortiGate instances
- inputs:
- - type: logfile
- title: "Collect Fortinet FortiGate logs (input: logfile)"
- description: "Collecting logs from Fortinet FortiGate instances (input: logfile)"
- - type: tcp
- title: "Collect Fortinet FortiGate logs (input: tcp)"
- description: "Collecting logs from Fortinet FortiGate instances (input: tcp)"
- - type: udp
- title: "Collect Fortinet FortiGate logs (input: udp)"
- description: "Collecting logs from Fortinet FortiGate instances (input: udp)"
-owner:
- github: elastic/security-external-integrations
diff --git a/packages/fortinet_fortimail/1.1.1/LICENSE.txt b/packages/fortinet_fortimail/1.1.1/LICENSE.txt
deleted file mode 100755
index 809108b857..0000000000
--- a/packages/fortinet_fortimail/1.1.1/LICENSE.txt
+++ /dev/null
@@ -1,93 +0,0 @@ -Elastic License 2.0 - -URL: https://www.elastic.co/licensing/elastic-license - -## Acceptance - -By using the software, you agree to all of the terms and conditions below. - -## Copyright License - -The licensor grants you a non-exclusive, royalty-free, worldwide, -non-sublicensable, non-transferable license to use, copy, distribute, make -available, and prepare derivative works of the software, in each case subject to -the limitations and conditions below. - -## Limitations - -You may not provide the software to third parties as a hosted or managed -service, where the service provides users with access to any substantial set of -the features or functionality of the software. - -You may not move, change, disable, or circumvent the license key functionality -in the software, and you may not remove or obscure any functionality in the -software that is protected by the license key. - -You may not alter, remove, or obscure any licensing, copyright, or other notices -of the licensor in the software. Any use of the licensor’s trademarks is subject -to applicable law. - -## Patents - -The licensor grants you a license, under any patent claims the licensor can -license, or becomes able to license, to make, have made, use, sell, offer for -sale, import and have imported the software, in each case subject to the -limitations and conditions in this license. This license does not cover any -patent claims that you cause to be infringed by modifications or additions to -the software. If you or your company make any written claim that the software -infringes or contributes to infringement of any patent, your patent license for -the software granted under these terms ends immediately. If your company makes -such a claim, your patent license ends immediately for work on behalf of your -company. - -## Notices - -You must ensure that anyone who gets a copy of any part of the software from you -also gets a copy of these terms. 
- -If you modify the software, you must include in any modified copies of the -software prominent notices stating that you have modified the software. - -## No Other Rights - -These terms do not imply any licenses other than those expressly granted in -these terms. - -## Termination - -If you use the software in violation of these terms, such use is not licensed, -and your licenses will automatically terminate. If the licensor provides you -with a notice of your violation, and you cease all violation of this license no -later than 30 days after you receive that notice, your licenses will be -reinstated retroactively. However, if you violate these terms after such -reinstatement, any additional violation of these terms will cause your licenses -to terminate automatically and permanently. - -## No Liability - -*As far as the law allows, the software comes as is, without any warranty or -condition, and the licensor will not be liable to you for any damages arising -out of these terms or the use or nature of the software, under any kind of -legal claim.* - -## Definitions - -The **licensor** is the entity offering these terms, and the **software** is the -software the licensor makes available under these terms, including any portion -of it. - -**you** refers to the individual or entity agreeing to these terms. - -**your company** is any legal entity, sole proprietorship, or other kind of -organization that you work for, plus all organizations that have control over, -are under the control of, or are under common control with that -organization. **control** means ownership of substantially all the assets of an -entity, or the power to direct its management and policies by vote, contract, or -otherwise. Control can be direct or indirect. - -**your licenses** are all the licenses granted to you for the software under -these terms. - -**use** means anything you do with the software requiring one of your licenses. 
- -**trademark** means trademarks, service marks, and similar rights. diff --git a/packages/fortinet_fortimail/1.1.1/changelog.yml b/packages/fortinet_fortimail/1.1.1/changelog.yml deleted file mode 100755 index 9adc7433ba..0000000000 --- a/packages/fortinet_fortimail/1.1.1/changelog.yml +++ /dev/null @@ -1,16 +0,0 @@ -# newer versions go on top -- version: "1.1.1" - changes: - - description: Use ECS geo.location definition. - type: enhancement - link: https://github.com/elastic/integrations/issues/4227 -- version: "1.1.0" - changes: - - description: Update Ingest Pipeline with observer Fields - type: enhancement - link: https://github.com/elastic/integrations/pull/3819 -- version: "1.0.0" - changes: - - description: Initial version of Fortinet FortiMail as separate package - type: enhancement - link: https://github.com/elastic/integrations/pull/3266 diff --git a/packages/fortinet_fortimail/1.1.1/data_stream/log/agent/stream/log.yml.hbs b/packages/fortinet_fortimail/1.1.1/data_stream/log/agent/stream/log.yml.hbs deleted file mode 100755 index aae90729e5..0000000000 --- a/packages/fortinet_fortimail/1.1.1/data_stream/log/agent/stream/log.yml.hbs +++ /dev/null 
@@ -1,4294 +0,0 @@ -paths: -{{#each paths as |path i|}} - - {{path}} -{{/each}} -exclude_files: [".gz$"] -tags: -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#each tags as |tag i|}} - - {{tag}} -{{/each}} -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} -processors: -{{#if processors}} -{{processors}} -{{/if}} -- script: - lang: javascript - params: - ecs: true - rsa: {{rsa_fields}} - tz_offset: {{tz_offset}} - keep_raw: {{keep_raw_fields}} - debug: {{debug}} - source: | - // Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - // or more contributor license agreements. Licensed under the Elastic License; - // you may not use this file except in compliance with the Elastic License. - - /* jshint -W014,-W016,-W097,-W116 */ - - var processor = require("processor"); - var console = require("console"); - - var FLAG_FIELD = "log.flags"; - var FIELDS_OBJECT = "nwparser"; - var FIELDS_PREFIX = FIELDS_OBJECT + "."; - - var defaults = { - debug: false, - ecs: true, - rsa: false, - keep_raw: false, - tz_offset: "local", - strip_priority: true - }; - - var saved_flags = null; - var debug; - var map_ecs; - var map_rsa; - var keep_raw; - var device; - var tz_offset; - var strip_priority; - - // Register params from configuration. - function register(params) { - debug = params.debug !== undefined ? params.debug : defaults.debug; - map_ecs = params.ecs !== undefined ? params.ecs : defaults.ecs; - map_rsa = params.rsa !== undefined ? params.rsa : defaults.rsa; - keep_raw = params.keep_raw !== undefined ? params.keep_raw : defaults.keep_raw; - tz_offset = parse_tz_offset(params.tz_offset !== undefined? params.tz_offset : defaults.tz_offset); - strip_priority = params.strip_priority !== undefined? 
params.strip_priority : defaults.strip_priority; - device = new DeviceProcessor(); - } - - function parse_tz_offset(offset) { - var date; - var m; - switch(offset) { - // local uses the tz offset from the JS VM. - case "local": - date = new Date(); - // Reversing the sign as we the offset from UTC, not to UTC. - return parse_local_tz_offset(-date.getTimezoneOffset()); - // event uses the tz offset from event.timezone (add_locale processor). - case "event": - return offset; - // Otherwise a tz offset in the form "[+-][0-9]{4}" is required. - default: - m = offset.match(/^([+\-])([0-9]{2}):?([0-9]{2})?$/); - if (m === null || m.length !== 4) { - throw("bad timezone offset: '" + offset + "'. Must have the form +HH:MM"); - } - return m[1] + m[2] + ":" + (m[3]!==undefined? m[3] : "00"); - } - } - - function parse_local_tz_offset(minutes) { - var neg = minutes < 0; - minutes = Math.abs(minutes); - var min = minutes % 60; - var hours = Math.floor(minutes / 60); - var pad2digit = function(n) { - if (n < 10) { return "0" + n;} - return "" + n; - }; - return (neg? "-" : "+") + pad2digit(hours) + ":" + pad2digit(min); - } - - function process(evt) { - // Function register is only called by the processor when `params` are set - // in the processor config. - if (device === undefined) { - register(defaults); - } - return device.process(evt); - } - - function processor_chain(subprocessors) { - var builder = new processor.Chain(); - subprocessors.forEach(builder.Add); - return builder.Build().Run; - } - - function linear_select(subprocessors) { - return function (evt) { - var flags = evt.Get(FLAG_FIELD); - var i; - for (i = 0; i < subprocessors.length; i++) { - evt.Delete(FLAG_FIELD); - if (debug) console.warn("linear_select trying entry " + i); - subprocessors[i](evt); - // Dissect processor succeeded? 
- if (evt.Get(FLAG_FIELD) == null) break; - if (debug) console.warn("linear_select failed entry " + i); - } - if (flags !== null) { - evt.Put(FLAG_FIELD, flags); - } - if (debug) { - if (i < subprocessors.length) { - console.warn("linear_select matched entry " + i); - } else { - console.warn("linear_select didn't match"); - } - } - }; - } - - function conditional(opt) { - return function(evt) { - if (opt.if(evt)) { - opt.then(evt); - } else if (opt.else) { - opt.else(evt); - } - }; - } - - var strip_syslog_priority = (function() { - var isEnabled = function() { return strip_priority === true; }; - var fetchPRI = field("_pri"); - var fetchPayload = field("payload"); - var removePayload = remove(["payload"]); - var cleanup = remove(["_pri", "payload"]); - var onMatch = function(evt) { - var pri, priStr = fetchPRI(evt); - if (priStr != null - && 0 < priStr.length && priStr.length < 4 - && !isNaN((pri = Number(priStr))) - && 0 <= pri && pri < 192) { - var severity = pri & 7, - facility = pri >> 3; - setc("_severity", "" + severity)(evt); - setc("_facility", "" + facility)(evt); - // Replace message with priority stripped. - evt.Put("message", fetchPayload(evt)); - removePayload(evt); - } else { - // not a valid syslog PRI, cleanup. 
- cleanup(evt); - } - }; - return conditional({ - if: isEnabled, - then: cleanup_flags(match( - "STRIP_PRI", - "message", - "<%{_pri}>%{payload}", - onMatch - )) - }); - })(); - - function match(id, src, pattern, on_success) { - var dissect = new processor.Dissect({ - field: src, - tokenizer: pattern, - target_prefix: FIELDS_OBJECT, - ignore_failure: true, - overwrite_keys: true, - trim_values: "right" - }); - return function (evt) { - var msg = evt.Get(src); - dissect.Run(evt); - var failed = evt.Get(FLAG_FIELD) != null; - if (debug) { - if (failed) { - console.debug("dissect fail: " + id + " field:" + src); - } else { - console.debug("dissect OK: " + id + " field:" + src); - } - console.debug(" expr: <<" + pattern + ">>"); - console.debug(" input: <<" + msg + ">>"); - } - if (on_success != null && !failed) { - on_success(evt); - } - }; - } - - function match_copy(id, src, dst, on_success) { - dst = FIELDS_PREFIX + dst; - if (dst === FIELDS_PREFIX || dst === src) { - return function (evt) { - if (debug) { - console.debug("noop OK: " + id + " field:" + src); - console.debug(" input: <<" + evt.Get(src) + ">>"); - } - if (on_success != null) on_success(evt); - } - } - return function (evt) { - var msg = evt.Get(src); - evt.Put(dst, msg); - if (debug) { - console.debug("copy OK: " + id + " field:" + src); - console.debug(" target: '" + dst + "'"); - console.debug(" input: <<" + msg + ">>"); - } - if (on_success != null) on_success(evt); - } - } - - function cleanup_flags(processor) { - return function(evt) { - processor(evt); - evt.Delete(FLAG_FIELD); - }; - } - - function all_match(opts) { - return function (evt) { - var i; - for (i = 0; i < opts.processors.length; i++) { - evt.Delete(FLAG_FIELD); - opts.processors[i](evt); - // Dissect processor succeeded? 
- if (evt.Get(FLAG_FIELD) != null) { - if (debug) console.warn("all_match failure at " + i); - if (opts.on_failure != null) opts.on_failure(evt); - return; - } - if (debug) console.warn("all_match success at " + i); - } - if (opts.on_success != null) opts.on_success(evt); - }; - } - - function msgid_select(mapping) { - return function (evt) { - var msgid = evt.Get(FIELDS_PREFIX + "messageid"); - if (msgid == null) { - if (debug) console.warn("msgid_select: no messageid captured!"); - return; - } - var next = mapping[msgid]; - if (next === undefined) { - if (debug) console.warn("msgid_select: no mapping for messageid:" + msgid); - return; - } - if (debug) console.info("msgid_select: matched key=" + msgid); - return next(evt); - }; - } - - function msg(msg_id, match) { - return function (evt) { - match(evt); - if (evt.Get(FLAG_FIELD) == null) { - evt.Put(FIELDS_PREFIX + "msg_id1", msg_id); - } - }; - } - - var start; - - function save_flags(evt) { - saved_flags = evt.Get(FLAG_FIELD); - evt.Put("event.original", evt.Get("message")); - } - - function restore_flags(evt) { - if (saved_flags !== null) { - evt.Put(FLAG_FIELD, saved_flags); - } - evt.Delete("message"); - } - - function constant(value) { - return function (evt) { - return value; - }; - } - - function field(name) { - var fullname = FIELDS_PREFIX + name; - return function (evt) { - return evt.Get(fullname); - }; - } - - function STRCAT(args) { - var s = ""; - var i; - for (i = 0; i < args.length; i++) { - s += args[i]; - } - return s; - } - - // TODO: Implement - function DIRCHK(args) { - unimplemented("DIRCHK"); - } - - function strictToInt(str) { - return str * 1; - } - - function CALC(args) { - if (args.length !== 3) { - console.warn("skipped call to CALC with " + args.length + " arguments."); - return; - } - var a = strictToInt(args[0]); - var b = strictToInt(args[2]); - if (isNaN(a) || isNaN(b)) { - console.warn("failed evaluating CALC arguments a='" + args[0] + "' b='" + args[2] + "'."); - return; - } - 
var result; - switch (args[1]) { - case "+": - result = a + b; - break; - case "-": - result = a - b; - break; - case "*": - result = a * b; - break; - default: - // Only * and + seen in the parsers. - console.warn("unknown CALC operation '" + args[1] + "'."); - return; - } - // Always return a string - return result !== undefined ? "" + result : result; - } - - var quoteChars = "\"'`"; - function RMQ(args) { - if(args.length !== 1) { - console.warn("RMQ: only one argument expected"); - return; - } - var value = args[0].trim(); - var n = value.length; - var char; - return n > 1 - && (char=value.charAt(0)) === value.charAt(n-1) - && quoteChars.indexOf(char) !== -1? - value.substr(1, n-2) - : value; - } - - function call(opts) { - var args = new Array(opts.args.length); - return function (evt) { - for (var i = 0; i < opts.args.length; i++) - if ((args[i] = opts.args[i](evt)) == null) return; - var result = opts.fn(args); - if (result != null) { - evt.Put(opts.dest, result); - } - }; - } - - function nop(evt) { - } - - function appendErrorMsg(evt, msg) { - var value = evt.Get("error.message"); - if (value == null) { - value = [msg]; - } else if (msg instanceof Array) { - value.push(msg); - } else { - value = [value, msg]; - } - evt.Put("error.message", value); - } - - function unimplemented(name) { - appendErrorMsg("unimplemented feature: " + name); - } - - function lookup(opts) { - return function (evt) { - var key = opts.key(evt); - if (key == null) return; - var value = opts.map.keyvaluepairs[key]; - if (value === undefined) { - value = opts.map.default; - } - if (value !== undefined) { - evt.Put(opts.dest, value(evt)); - } - }; - } - - function set(fields) { - return new processor.AddFields({ - target: FIELDS_OBJECT, - fields: fields, - }); - } - - function setf(dst, src) { - return function (evt) { - var val = evt.Get(FIELDS_PREFIX + src); - if (val != null) evt.Put(FIELDS_PREFIX + dst, val); - }; - } - - function setc(dst, value) { - return function (evt) { - 
evt.Put(FIELDS_PREFIX + dst, value); - }; - } - - function set_field(opts) { - return function (evt) { - var val = opts.value(evt); - if (val != null) evt.Put(opts.dest, val); - }; - } - - function dump(label) { - return function (evt) { - console.log("Dump of event at " + label + ": " + JSON.stringify(evt, null, "\t")); - }; - } - - function date_time_join_args(evt, arglist) { - var str = ""; - for (var i = 0; i < arglist.length; i++) { - var fname = FIELDS_PREFIX + arglist[i]; - var val = evt.Get(fname); - if (val != null) { - if (str !== "") str += " "; - str += val; - } else { - if (debug) console.warn("in date_time: input arg " + fname + " is not set"); - } - } - return str; - } - - function to2Digit(num) { - return num? (num < 10? "0" + num : num) : "00"; - } - - // Make two-digit dates 00-69 interpreted as 2000-2069 - // and dates 70-99 translated to 1970-1999. - var twoDigitYearEpoch = 70; - var twoDigitYearCentury = 2000; - - // This is to accept dates up to 2 days in the future, only used when - // no year is specified in a date. 2 days should be enough to account for - // time differences between systems and different tz offsets. - var maxFutureDelta = 2*24*60*60*1000; - - // DateContainer stores date fields and then converts those fields into - // a Date. Necessary because building a Date using its set() methods gives - // different results depending on the order of components. - function DateContainer(tzOffset) { - this.offset = tzOffset === undefined? "Z" : tzOffset; - } - - DateContainer.prototype = { - setYear: function(v) {this.year = v;}, - setMonth: function(v) {this.month = v;}, - setDay: function(v) {this.day = v;}, - setHours: function(v) {this.hours = v;}, - setMinutes: function(v) {this.minutes = v;}, - setSeconds: function(v) {this.seconds = v;}, - - setUNIX: function(v) {this.unix = v;}, - - set2DigitYear: function(v) { - this.year = v < twoDigitYearEpoch? 
twoDigitYearCentury + v : twoDigitYearCentury + v - 100; - }, - - toDate: function() { - if (this.unix !== undefined) { - return new Date(this.unix * 1000); - } - if (this.day === undefined || this.month === undefined) { - // Can't make a date from this. - return undefined; - } - if (this.year === undefined) { - // A date without a year. Set current year, or previous year - // if date would be in the future. - var now = new Date(); - this.year = now.getFullYear(); - var date = this.toDate(); - if (date.getTime() - now.getTime() > maxFutureDelta) { - date.setFullYear(now.getFullYear() - 1); - } - return date; - } - var MM = to2Digit(this.month); - var DD = to2Digit(this.day); - var hh = to2Digit(this.hours); - var mm = to2Digit(this.minutes); - var ss = to2Digit(this.seconds); - return new Date(this.year + "-" + MM + "-" + DD + "T" + hh + ":" + mm + ":" + ss + this.offset); - } - } - - function date_time_try_pattern(fmt, str, tzOffset) { - var date = new DateContainer(tzOffset); - var pos = date_time_try_pattern_at_pos(fmt, str, 0, date); - return pos !== undefined? 
date.toDate() : undefined; - } - - function date_time_try_pattern_at_pos(fmt, str, pos, date) { - var len = str.length; - for (var proc = 0; pos !== undefined && pos < len && proc < fmt.length; proc++) { - pos = fmt[proc](str, pos, date); - } - return pos; - } - - function date_time(opts) { - return function (evt) { - var tzOffset = opts.tz || tz_offset; - if (tzOffset === "event") { - tzOffset = evt.Get("event.timezone"); - } - var str = date_time_join_args(evt, opts.args); - for (var i = 0; i < opts.fmts.length; i++) { - var date = date_time_try_pattern(opts.fmts[i], str, tzOffset); - if (date !== undefined) { - evt.Put(FIELDS_PREFIX + opts.dest, date); - return; - } - } - if (debug) console.warn("in date_time: id=" + opts.id + " FAILED: " + str); - }; - } - - var uA = 60 * 60 * 24; - var uD = 60 * 60 * 24; - var uF = 60 * 60; - var uG = 60 * 60 * 24 * 30; - var uH = 60 * 60; - var uI = 60 * 60; - var uJ = 60 * 60 * 24; - var uM = 60 * 60 * 24 * 30; - var uN = 60 * 60; - var uO = 1; - var uS = 1; - var uT = 60; - var uU = 60; - var uc = dc; - - function duration(opts) { - return function(evt) { - var str = date_time_join_args(evt, opts.args); - for (var i = 0; i < opts.fmts.length; i++) { - var seconds = duration_try_pattern(opts.fmts[i], str); - if (seconds !== undefined) { - evt.Put(FIELDS_PREFIX + opts.dest, seconds); - return; - } - } - if (debug) console.warn("in duration: id=" + opts.id + " (s) FAILED: " + str); - }; - } - - function duration_try_pattern(fmt, str) { - var secs = 0; - var pos = 0; - for (var i=0; i [ month_id , how many chars to skip if month in long form ] - "Jan": [0, 4], - "Feb": [1, 5], - "Mar": [2, 2], - "Apr": [3, 2], - "May": [4, 0], - "Jun": [5, 1], - "Jul": [6, 1], - "Aug": [7, 3], - "Sep": [8, 6], - "Oct": [9, 4], - "Nov": [10, 5], - "Dec": [11, 4], - "jan": [0, 4], - "feb": [1, 5], - "mar": [2, 2], - "apr": [3, 2], - "may": [4, 0], - "jun": [5, 1], - "jul": [6, 1], - "aug": [7, 3], - "sep": [8, 6], - "oct": [9, 4], - "nov": [10, 
5], - "dec": [11, 4], - }; - - // var dC = undefined; - var dR = dateMonthName(true); - var dB = dateMonthName(false); - var dM = dateFixedWidthNumber("M", 2, 1, 12, DateContainer.prototype.setMonth); - var dG = dateVariableWidthNumber("G", 1, 12, DateContainer.prototype.setMonth); - var dD = dateFixedWidthNumber("D", 2, 1, 31, DateContainer.prototype.setDay); - var dF = dateVariableWidthNumber("F", 1, 31, DateContainer.prototype.setDay); - var dH = dateFixedWidthNumber("H", 2, 0, 24, DateContainer.prototype.setHours); - var dI = dateVariableWidthNumber("I", 0, 24, DateContainer.prototype.setHours); // Accept hours >12 - var dN = dateVariableWidthNumber("N", 0, 24, DateContainer.prototype.setHours); - var dT = dateFixedWidthNumber("T", 2, 0, 59, DateContainer.prototype.setMinutes); - var dU = dateVariableWidthNumber("U", 0, 59, DateContainer.prototype.setMinutes); - var dP = parseAMPM; // AM|PM - var dQ = parseAMPM; // A.M.|P.M - var dS = dateFixedWidthNumber("S", 2, 0, 60, DateContainer.prototype.setSeconds); - var dO = dateVariableWidthNumber("O", 0, 60, DateContainer.prototype.setSeconds); - var dY = dateFixedWidthNumber("Y", 2, 0, 99, DateContainer.prototype.set2DigitYear); - var dW = dateFixedWidthNumber("W", 4, 1000, 9999, DateContainer.prototype.setYear); - var dZ = parseHMS; - var dX = dateVariableWidthNumber("X", 0, 0x10000000000, DateContainer.prototype.setUNIX); - - // parseAMPM parses "A.M", "AM", "P.M", "PM" from logs. - // Only works if this modifier appears after the hour has been read from logs - // which is always the case in the 300 devices. 
- function parseAMPM(str, pos, date) { - var n = str.length; - var start = skipws(str, pos); - if (start + 2 > n) return; - var head = str.substr(start, 2).toUpperCase(); - var isPM = false; - var skip = false; - switch (head) { - case "A.": - skip = true; - /* falls through */ - case "AM": - break; - case "P.": - skip = true; - /* falls through */ - case "PM": - isPM = true; - break; - default: - if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(head:" + head + ")"); - return; - } - pos = start + 2; - if (skip) { - if (pos+2 > n || str.substr(pos, 2).toUpperCase() !== "M.") { - if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(tail)"); - return; - } - pos += 2; - } - var hh = date.hours; - if (isPM) { - // Accept existing hour in 24h format. - if (hh < 12) hh += 12; - } else { - if (hh === 12) hh = 0; - } - date.setHours(hh); - return pos; - } - - function parseHMS(str, pos, date) { - return date_time_try_pattern_at_pos([dN, dc(":"), dU, dc(":"), dO], str, pos, date); - } - - function skipws(str, pos) { - for ( var n = str.length; - pos < n && str.charAt(pos) === " "; - pos++) - ; - return pos; - } - - function skipdigits(str, pos) { - var c; - for (var n = str.length; - pos < n && (c = str.charAt(pos)) >= "0" && c <= "9"; - pos++) - ; - return pos; - } - - function dSkip(str, pos, date) { - var chr; - for (;pos < str.length && (chr=str[pos])<'0' || chr>'9'; pos++) {} - return pos < str.length? 
pos : undefined; - } - - function dateVariableWidthNumber(fmtChar, min, max, setter) { - return function (str, pos, date) { - var start = skipws(str, pos); - pos = skipdigits(str, start); - var s = str.substr(start, pos - start); - var value = parseInt(s, 10); - if (value >= min && value <= max) { - setter.call(date, value); - return pos; - } - return; - }; - } - - function dateFixedWidthNumber(fmtChar, width, min, max, setter) { - return function (str, pos, date) { - pos = skipws(str, pos); - var n = str.length; - if (pos + width > n) return; - var s = str.substr(pos, width); - var value = parseInt(s, 10); - if (value >= min && value <= max) { - setter.call(date, value); - return pos + width; - } - return; - }; - } - - // Short month name (Jan..Dec). - function dateMonthName(long) { - return function (str, pos, date) { - pos = skipws(str, pos); - var n = str.length; - if (pos + 3 > n) return; - var mon = str.substr(pos, 3); - var idx = shortMonths[mon]; - if (idx === undefined) { - idx = shortMonths[mon.toLowerCase()]; - } - if (idx === undefined) { - //console.warn("parsing date_time: '" + mon + "' is not a valid short month (%B)"); - return; - } - date.setMonth(idx[0]+1); - return pos + 3 + (long ? 
idx[1] : 0); - }; - } - - function url_wrapper(dst, src, fn) { - return function(evt) { - var value = evt.Get(FIELDS_PREFIX + src), result; - if (value != null && (result = fn(value))!== undefined) { - evt.Put(FIELDS_PREFIX + dst, result); - } else { - console.debug(fn.name + " failed for '" + value + "'"); - } - }; - } - - // The following regular expression for parsing URLs from: - // https://github.com/wizard04wsu/URI_Parsing - // - // The MIT License (MIT) - // - // Copyright (c) 2014 Andrew Harrison - // - // Permission is hereby granted, free of charge, to any person obtaining a copy of - // this software and associated documentation files (the "Software"), to deal in - // the Software without restriction, including without limitation the rights to - // use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of - // the Software, and to permit persons to whom the Software is furnished to do so, - // subject to the following conditions: - // - // The above copyright notice and this permission notice shall be included in all - // copies or substantial portions of the Software. - // - // THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR - // IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS - // FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR - // COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER - // IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN - // CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 
- var uriRegExp = /^([a-z][a-z0-9+.\-]*):(?:\/\/((?:(?=((?:[a-z0-9\-._~!$&'()*+,;=:]|%[0-9A-F]{2})*))(\3)@)?(?=(\[[0-9A-F:.]{2,}\]|(?:[a-z0-9\-._~!$&'()*+,;=]|%[0-9A-F]{2})*))\5(?::(?=(\d*))\6)?)(\/(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\8)?|(\/?(?!\/)(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\10)?)(?:\?(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\11)?(?:#(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\12)?$/i; - - var uriScheme = 1; - var uriDomain = 5; - var uriPort = 6; - var uriPath = 7; - var uriPathAlt = 9; - var uriQuery = 11; - - function domain(dst, src) { - return url_wrapper(dst, src, extract_domain); - } - - function split_url(value) { - var m = value.match(uriRegExp); - if (m && m[uriDomain]) return m; - // Support input in the form "www.example.net/path", but not "/path". - m = ("null://" + value).match(uriRegExp); - if (m) return m; - } - - function extract_domain(value) { - var m = split_url(value); - if (m && m[uriDomain]) return m[uriDomain]; - } - - var extFromPage = /\.[^.]+$/; - function extract_ext(value) { - var page = extract_page(value); - if (page) { - var m = page.match(extFromPage); - if (m) return m[0]; - } - } - - function ext(dst, src) { - return url_wrapper(dst, src, extract_ext); - } - - function fqdn(dst, src) { - // TODO: fqdn and domain(eTLD+1) are currently the same. - return domain(dst, src); - } - - var pageFromPathRegExp = /\/([^\/]+)$/; - var pageName = 1; - - function extract_page(value) { - value = extract_path(value); - if (!value) return undefined; - var m = value.match(pageFromPathRegExp); - if (m) return m[pageName]; - } - - function page(dst, src) { - return url_wrapper(dst, src, extract_page); - } - - function extract_path(value) { - var m = split_url(value); - return m? m[uriPath] || m[uriPathAlt] : undefined; - } - - function path(dst, src) { - return url_wrapper(dst, src, extract_path); - } - - // Map common schemes to their default port. 
- // port has to be a string (will be converted at a later stage). - var schemePort = { - "ftp": "21", - "ssh": "22", - "http": "80", - "https": "443", - }; - - function extract_port(value) { - var m = split_url(value); - if (!m) return undefined; - if (m[uriPort]) return m[uriPort]; - if (m[uriScheme]) { - return schemePort[m[uriScheme]]; - } - } - - function port(dst, src) { - return url_wrapper(dst, src, extract_port); - } - - function extract_query(value) { - var m = split_url(value); - if (m && m[uriQuery]) return m[uriQuery]; - } - - function query(dst, src) { - return url_wrapper(dst, src, extract_query); - } - - function extract_root(value) { - var m = split_url(value); - if (m && m[uriDomain] && m[uriDomain]) { - var scheme = m[uriScheme] && m[uriScheme] !== "null"? - m[uriScheme] + "://" : ""; - var port = m[uriPort]? ":" + m[uriPort] : ""; - return scheme + m[uriDomain] + port; - } - } - - function root(dst, src) { - return url_wrapper(dst, src, extract_root); - } - - function tagval(id, src, cfg, keys, on_success) { - var fail = function(evt) { - evt.Put(FLAG_FIELD, "tagval_parsing_error"); - } - if (cfg.kv_separator.length !== 1) { - throw("Invalid TAGVALMAP ValueDelimiter (must have 1 character)"); - } - var quotes_len = cfg.open_quote.length > 0 && cfg.close_quote.length > 0? 
- cfg.open_quote.length + cfg.close_quote.length : 0; - var kv_regex = new RegExp('^([^' + cfg.kv_separator + ']*)*' + cfg.kv_separator + ' *(.*)*$'); - return function(evt) { - var msg = evt.Get(src); - if (msg === undefined) { - console.warn("tagval: input field is missing"); - return fail(evt); - } - var pairs = msg.split(cfg.pair_separator); - var i; - var success = false; - var prev = ""; - for (i=0; i 0 && - value.length >= cfg.open_quote.length + cfg.close_quote.length && - value.substr(0, cfg.open_quote.length) === cfg.open_quote && - value.substr(value.length - cfg.close_quote.length) === cfg.close_quote) { - value = value.substr(cfg.open_quote.length, value.length - quotes_len); - } - evt.Put(FIELDS_PREFIX + field, value); - success = true; - } - if (!success) { - return fail(evt); - } - if (on_success != null) { - on_success(evt); - } - } - } - - var ecs_mappings = { - "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]}, - "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]}, - "_severity": {convert: to_long, to:[{field: "log.syslog.severity.code", setter: fld_set}]}, - "action": {to:[{field: "event.action", setter: fld_prio, prio: 0}]}, - "administrator": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 4}]}, - "alias.ip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 3},{field: "related.ip", setter: fld_append}]}, - "alias.ipv6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 4},{field: "related.ip", setter: fld_append}]}, - "alias.mac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 1}]}, - "application": {to:[{field: "network.application", setter: fld_set}]}, - "bytes": {convert: to_long, to:[{field: "network.bytes", setter: fld_set}]}, - "c_domain": {to:[{field: "source.domain", setter: fld_prio, prio: 1}]}, - "c_logon_id": {to:[{field: "user.id", setter: fld_prio, prio: 2}]}, - 
"c_user_name": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 8}]}, - "c_username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 2}]}, - "cctld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 1}]}, - "child_pid": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 1}]}, - "child_pid_val": {to:[{field: "process.title", setter: fld_set}]}, - "child_process": {to:[{field: "process.name", setter: fld_prio, prio: 1}]}, - "city.dst": {to:[{field: "destination.geo.city_name", setter: fld_set}]}, - "city.src": {to:[{field: "source.geo.city_name", setter: fld_set}]}, - "daddr": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, - "daddr_v6": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, - "ddomain": {to:[{field: "destination.domain", setter: fld_prio, prio: 0}]}, - "devicehostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, - "devicehostmac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 0}]}, - "dhost": {to:[{field: "destination.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]}, - "dinterface": {to:[{field: "observer.egress.interface.name", setter: fld_set}]}, - "direction": {to:[{field: "network.direction", setter: fld_set}]}, - "directory": {to:[{field: "file.directory", setter: fld_set}]}, - "dmacaddr": {convert: to_mac, to:[{field: "destination.mac", setter: fld_set}]}, - "dns.responsetype": {to:[{field: "dns.answers.type", setter: fld_set}]}, - "dns.resptext": {to:[{field: "dns.answers.name", setter: fld_set}]}, - "dns_querytype": {to:[{field: "dns.question.type", setter: fld_set}]}, - "domain": {to:[{field: "server.domain", setter: fld_prio, prio: 0},{field: "related.hosts", setter: fld_append}]}, - 
"domain.dst": {to:[{field: "destination.domain", setter: fld_prio, prio: 1}]}, - "domain.src": {to:[{field: "source.domain", setter: fld_prio, prio: 2}]}, - "domain_id": {to:[{field: "user.domain", setter: fld_set}]}, - "domainname": {to:[{field: "server.domain", setter: fld_prio, prio: 1}]}, - "dport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 0}]}, - "dtransaddr": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, - "dtransport": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 0}]}, - "ec_outcome": {to:[{field: "event.outcome", setter: fld_ecs_outcome}]}, - "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]}, - "event_source": {to:[{field: "related.hosts", setter: fld_append}]}, - "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]}, - "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]}, - "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]}, - "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]}, - "filename": {to:[{field: "file.name", setter: fld_prio, prio: 0}]}, - "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]}, - "filepath": {to:[{field: "file.path", setter: fld_set}]}, - "filetype": {to:[{field: "file.type", setter: fld_set}]}, - "fqdn": {to:[{field: "related.hosts", setter: fld_append}]}, - "group": {to:[{field: "group.name", setter: fld_set}]}, - "groupid": {to:[{field: "group.id", setter: fld_set}]}, - "host": {to:[{field: "host.name", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]}, - "hostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, - "hostip_v6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, - "hostname": {to:[{field: 
"host.name", setter: fld_prio, prio: 0}]}, - "id": {to:[{field: "event.code", setter: fld_prio, prio: 0}]}, - "interface": {to:[{field: "network.interface.name", setter: fld_set}]}, - "ip.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, - "ip.trans.dst": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, - "ip.trans.src": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, - "ipv6.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, - "latdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lat", setter: fld_set}]}, - "latdec_src": {convert: to_double, to:[{field: "source.geo.location.lat", setter: fld_set}]}, - "location_city": {to:[{field: "geo.city_name", setter: fld_set}]}, - "location_country": {to:[{field: "geo.country_name", setter: fld_set}]}, - "location_desc": {to:[{field: "geo.name", setter: fld_set}]}, - "location_dst": {to:[{field: "destination.geo.country_name", setter: fld_set}]}, - "location_src": {to:[{field: "source.geo.country_name", setter: fld_set}]}, - "location_state": {to:[{field: "geo.region_name", setter: fld_set}]}, - "logon_id": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 5}]}, - "longdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lon", setter: fld_set}]}, - "longdec_src": {convert: to_double, to:[{field: "source.geo.location.lon", setter: fld_set}]}, - "macaddr": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 2}]}, - "messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]}, - "method": {to:[{field: "http.request.method", setter: fld_set}]}, - "msg": {to:[{field: "message", setter: fld_set}]}, - "orig_ip": {convert: to_ip, 
to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, - "owner": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 6}]}, - "packets": {convert: to_long, to:[{field: "network.packets", setter: fld_set}]}, - "parent_pid": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 0}]}, - "parent_pid_val": {to:[{field: "process.parent.title", setter: fld_set}]}, - "parent_process": {to:[{field: "process.parent.name", setter: fld_prio, prio: 0}]}, - "patient_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 1}]}, - "port.dst": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 1}]}, - "port.src": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 1}]}, - "port.trans.dst": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 1}]}, - "port.trans.src": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 1}]}, - "process": {to:[{field: "process.name", setter: fld_prio, prio: 0}]}, - "process_id": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 0}]}, - "process_id_src": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 1}]}, - "process_src": {to:[{field: "process.parent.name", setter: fld_prio, prio: 1}]}, - "product": {to:[{field: "observer.product", setter: fld_set}]}, - "protocol": {to:[{field: "network.protocol", setter: fld_set}]}, - "query": {to:[{field: "url.query", setter: fld_prio, prio: 2}]}, - "rbytes": {convert: to_long, to:[{field: "destination.bytes", setter: fld_set}]}, - "referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 1}]}, - "rulename": {to:[{field: "rule.name", setter: fld_set}]}, - "saddr": {convert: to_ip, to:[{field: "source.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, - "saddr_v6": {convert: to_ip, to:[{field: "source.ip", setter: 
fld_set},{field: "related.ip", setter: fld_append}]}, - "sbytes": {convert: to_long, to:[{field: "source.bytes", setter: fld_set}]}, - "sdomain": {to:[{field: "source.domain", setter: fld_prio, prio: 0}]}, - "service": {to:[{field: "service.name", setter: fld_prio, prio: 1}]}, - "service.name": {to:[{field: "service.name", setter: fld_prio, prio: 0}]}, - "service_account": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 7}]}, - "severity": {to:[{field: "log.level", setter: fld_set}]}, - "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]}, - "sinterface": {to:[{field: "observer.ingress.interface.name", setter: fld_set}]}, - "sld": {to:[{field: "url.registered_domain", setter: fld_set}]}, - "smacaddr": {convert: to_mac, to:[{field: "source.mac", setter: fld_set}]}, - "sport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 0}]}, - "stransaddr": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, - "stransport": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 0}]}, - "tcp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 2}]}, - "tcp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 2}]}, - "timezone": {to:[{field: "event.timezone", setter: fld_set}]}, - "tld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 0}]}, - "udp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 3}]}, - "udp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 3}]}, - "uid": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 3}]}, - "url": {to:[{field: "url.original", setter: fld_prio, prio: 1}]}, - "url_raw": {to:[{field: "url.original", setter: fld_prio, prio: 
0}]}, - "urldomain": {to:[{field: "url.domain", setter: fld_prio, prio: 0}]}, - "urlquery": {to:[{field: "url.query", setter: fld_prio, prio: 0}]}, - "user": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 0}]}, - "user.id": {to:[{field: "user.id", setter: fld_prio, prio: 1}]}, - "user_agent": {to:[{field: "user_agent.original", setter: fld_set}]}, - "user_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 0}]}, - "user_id": {to:[{field: "user.id", setter: fld_prio, prio: 0}]}, - "username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 1}]}, - "version": {to:[{field: "observer.version", setter: fld_set}]}, - "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]}, - "web_extension": {to:[{field: "file.extension", setter: fld_prio, prio: 0}]}, - "web_query": {to:[{field: "url.query", setter: fld_prio, prio: 1}]}, - "web_ref_domain": {to:[{field: "related.hosts", setter: fld_append}]}, - "web_referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 0}]}, - "web_root": {to:[{field: "url.path", setter: fld_set}]}, - "webpage": {to:[{field: "file.name", setter: fld_prio, prio: 1}]}, - }; - - var rsa_mappings = { - "access_point": {to:[{field: "rsa.wireless.access_point", setter: fld_set}]}, - "accesses": {to:[{field: "rsa.identity.accesses", setter: fld_set}]}, - "acl_id": {to:[{field: "rsa.misc.acl_id", setter: fld_set}]}, - "acl_op": {to:[{field: "rsa.misc.acl_op", setter: fld_set}]}, - "acl_pos": {to:[{field: "rsa.misc.acl_pos", setter: fld_set}]}, - "acl_table": {to:[{field: "rsa.misc.acl_table", setter: fld_set}]}, - "action": {to:[{field: "rsa.misc.action", setter: fld_append}]}, - "ad_computer_dst": {to:[{field: "rsa.network.ad_computer_dst", setter: fld_set}]}, - "addr": {to:[{field: "rsa.network.addr", setter: fld_set}]}, - "admin": {to:[{field: "rsa.misc.admin", setter: 
fld_set}]}, - "agent": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 0}]}, - "agent.id": {to:[{field: "rsa.misc.agent_id", setter: fld_set}]}, - "alarm_id": {to:[{field: "rsa.misc.alarm_id", setter: fld_set}]}, - "alarmname": {to:[{field: "rsa.misc.alarmname", setter: fld_set}]}, - "alert": {to:[{field: "rsa.threat.alert", setter: fld_set}]}, - "alert_id": {to:[{field: "rsa.misc.alert_id", setter: fld_set}]}, - "alias.host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "analysis.file": {to:[{field: "rsa.investigations.analysis_file", setter: fld_set}]}, - "analysis.service": {to:[{field: "rsa.investigations.analysis_service", setter: fld_set}]}, - "analysis.session": {to:[{field: "rsa.investigations.analysis_session", setter: fld_set}]}, - "app_id": {to:[{field: "rsa.misc.app_id", setter: fld_set}]}, - "attachment": {to:[{field: "rsa.file.attachment", setter: fld_set}]}, - "audit": {to:[{field: "rsa.misc.audit", setter: fld_set}]}, - "audit_class": {to:[{field: "rsa.internal.audit_class", setter: fld_set}]}, - "audit_object": {to:[{field: "rsa.misc.audit_object", setter: fld_set}]}, - "auditdata": {to:[{field: "rsa.misc.auditdata", setter: fld_set}]}, - "authmethod": {to:[{field: "rsa.identity.auth_method", setter: fld_set}]}, - "autorun_type": {to:[{field: "rsa.misc.autorun_type", setter: fld_set}]}, - "bcc": {to:[{field: "rsa.email.email", setter: fld_append}]}, - "benchmark": {to:[{field: "rsa.misc.benchmark", setter: fld_set}]}, - "binary": {to:[{field: "rsa.file.binary", setter: fld_set}]}, - "boc": {to:[{field: "rsa.investigations.boc", setter: fld_set}]}, - "bssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 1}]}, - "bypass": {to:[{field: "rsa.misc.bypass", setter: fld_set}]}, - "c_sid": {to:[{field: "rsa.identity.user_sid_src", setter: fld_set}]}, - "cache": {to:[{field: "rsa.misc.cache", setter: fld_set}]}, - "cache_hit": {to:[{field: "rsa.misc.cache_hit", setter: fld_set}]}, - "calling_from": {to:[{field: 
"rsa.misc.phone", setter: fld_prio, prio: 1}]}, - "calling_to": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 0}]}, - "category": {to:[{field: "rsa.misc.category", setter: fld_set}]}, - "cc": {to:[{field: "rsa.email.email", setter: fld_append}]}, - "cc.number": {convert: to_long, to:[{field: "rsa.misc.cc_number", setter: fld_set}]}, - "cefversion": {to:[{field: "rsa.misc.cefversion", setter: fld_set}]}, - "cert.serial": {to:[{field: "rsa.crypto.cert_serial", setter: fld_set}]}, - "cert_ca": {to:[{field: "rsa.crypto.cert_ca", setter: fld_set}]}, - "cert_checksum": {to:[{field: "rsa.crypto.cert_checksum", setter: fld_set}]}, - "cert_common": {to:[{field: "rsa.crypto.cert_common", setter: fld_set}]}, - "cert_error": {to:[{field: "rsa.crypto.cert_error", setter: fld_set}]}, - "cert_hostname": {to:[{field: "rsa.crypto.cert_host_name", setter: fld_set}]}, - "cert_hostname_cat": {to:[{field: "rsa.crypto.cert_host_cat", setter: fld_set}]}, - "cert_issuer": {to:[{field: "rsa.crypto.cert_issuer", setter: fld_set}]}, - "cert_keysize": {to:[{field: "rsa.crypto.cert_keysize", setter: fld_set}]}, - "cert_status": {to:[{field: "rsa.crypto.cert_status", setter: fld_set}]}, - "cert_subject": {to:[{field: "rsa.crypto.cert_subject", setter: fld_set}]}, - "cert_username": {to:[{field: "rsa.crypto.cert_username", setter: fld_set}]}, - "cfg.attr": {to:[{field: "rsa.misc.cfg_attr", setter: fld_set}]}, - "cfg.obj": {to:[{field: "rsa.misc.cfg_obj", setter: fld_set}]}, - "cfg.path": {to:[{field: "rsa.misc.cfg_path", setter: fld_set}]}, - "change_attribute": {to:[{field: "rsa.misc.change_attrib", setter: fld_set}]}, - "change_new": {to:[{field: "rsa.misc.change_new", setter: fld_set}]}, - "change_old": {to:[{field: "rsa.misc.change_old", setter: fld_set}]}, - "changes": {to:[{field: "rsa.misc.changes", setter: fld_set}]}, - "checksum": {to:[{field: "rsa.misc.checksum", setter: fld_set}]}, - "checksum.dst": {to:[{field: "rsa.misc.checksum_dst", setter: fld_set}]}, - "checksum.src": 
{to:[{field: "rsa.misc.checksum_src", setter: fld_set}]}, - "cid": {to:[{field: "rsa.internal.cid", setter: fld_set}]}, - "client": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 1}]}, - "client_ip": {to:[{field: "rsa.misc.client_ip", setter: fld_set}]}, - "clustermembers": {to:[{field: "rsa.misc.clustermembers", setter: fld_set}]}, - "cmd": {to:[{field: "rsa.misc.cmd", setter: fld_set}]}, - "cn_acttimeout": {to:[{field: "rsa.misc.cn_acttimeout", setter: fld_set}]}, - "cn_asn_dst": {to:[{field: "rsa.web.cn_asn_dst", setter: fld_set}]}, - "cn_asn_src": {to:[{field: "rsa.misc.cn_asn_src", setter: fld_set}]}, - "cn_bgpv4nxthop": {to:[{field: "rsa.misc.cn_bgpv4nxthop", setter: fld_set}]}, - "cn_ctr_dst_code": {to:[{field: "rsa.misc.cn_ctr_dst_code", setter: fld_set}]}, - "cn_dst_tos": {to:[{field: "rsa.misc.cn_dst_tos", setter: fld_set}]}, - "cn_dst_vlan": {to:[{field: "rsa.misc.cn_dst_vlan", setter: fld_set}]}, - "cn_engine_id": {to:[{field: "rsa.misc.cn_engine_id", setter: fld_set}]}, - "cn_engine_type": {to:[{field: "rsa.misc.cn_engine_type", setter: fld_set}]}, - "cn_f_switch": {to:[{field: "rsa.misc.cn_f_switch", setter: fld_set}]}, - "cn_flowsampid": {to:[{field: "rsa.misc.cn_flowsampid", setter: fld_set}]}, - "cn_flowsampintv": {to:[{field: "rsa.misc.cn_flowsampintv", setter: fld_set}]}, - "cn_flowsampmode": {to:[{field: "rsa.misc.cn_flowsampmode", setter: fld_set}]}, - "cn_inacttimeout": {to:[{field: "rsa.misc.cn_inacttimeout", setter: fld_set}]}, - "cn_inpermbyts": {to:[{field: "rsa.misc.cn_inpermbyts", setter: fld_set}]}, - "cn_inpermpckts": {to:[{field: "rsa.misc.cn_inpermpckts", setter: fld_set}]}, - "cn_invalid": {to:[{field: "rsa.misc.cn_invalid", setter: fld_set}]}, - "cn_ip_proto_ver": {to:[{field: "rsa.misc.cn_ip_proto_ver", setter: fld_set}]}, - "cn_ipv4_ident": {to:[{field: "rsa.misc.cn_ipv4_ident", setter: fld_set}]}, - "cn_l_switch": {to:[{field: "rsa.misc.cn_l_switch", setter: fld_set}]}, - "cn_log_did": {to:[{field: 
"rsa.misc.cn_log_did", setter: fld_set}]}, - "cn_log_rid": {to:[{field: "rsa.misc.cn_log_rid", setter: fld_set}]}, - "cn_max_ttl": {to:[{field: "rsa.misc.cn_max_ttl", setter: fld_set}]}, - "cn_maxpcktlen": {to:[{field: "rsa.misc.cn_maxpcktlen", setter: fld_set}]}, - "cn_min_ttl": {to:[{field: "rsa.misc.cn_min_ttl", setter: fld_set}]}, - "cn_minpcktlen": {to:[{field: "rsa.misc.cn_minpcktlen", setter: fld_set}]}, - "cn_mpls_lbl_1": {to:[{field: "rsa.misc.cn_mpls_lbl_1", setter: fld_set}]}, - "cn_mpls_lbl_10": {to:[{field: "rsa.misc.cn_mpls_lbl_10", setter: fld_set}]}, - "cn_mpls_lbl_2": {to:[{field: "rsa.misc.cn_mpls_lbl_2", setter: fld_set}]}, - "cn_mpls_lbl_3": {to:[{field: "rsa.misc.cn_mpls_lbl_3", setter: fld_set}]}, - "cn_mpls_lbl_4": {to:[{field: "rsa.misc.cn_mpls_lbl_4", setter: fld_set}]}, - "cn_mpls_lbl_5": {to:[{field: "rsa.misc.cn_mpls_lbl_5", setter: fld_set}]}, - "cn_mpls_lbl_6": {to:[{field: "rsa.misc.cn_mpls_lbl_6", setter: fld_set}]}, - "cn_mpls_lbl_7": {to:[{field: "rsa.misc.cn_mpls_lbl_7", setter: fld_set}]}, - "cn_mpls_lbl_8": {to:[{field: "rsa.misc.cn_mpls_lbl_8", setter: fld_set}]}, - "cn_mpls_lbl_9": {to:[{field: "rsa.misc.cn_mpls_lbl_9", setter: fld_set}]}, - "cn_mplstoplabel": {to:[{field: "rsa.misc.cn_mplstoplabel", setter: fld_set}]}, - "cn_mplstoplabip": {to:[{field: "rsa.misc.cn_mplstoplabip", setter: fld_set}]}, - "cn_mul_dst_byt": {to:[{field: "rsa.misc.cn_mul_dst_byt", setter: fld_set}]}, - "cn_mul_dst_pks": {to:[{field: "rsa.misc.cn_mul_dst_pks", setter: fld_set}]}, - "cn_muligmptype": {to:[{field: "rsa.misc.cn_muligmptype", setter: fld_set}]}, - "cn_rpackets": {to:[{field: "rsa.web.cn_rpackets", setter: fld_set}]}, - "cn_sampalgo": {to:[{field: "rsa.misc.cn_sampalgo", setter: fld_set}]}, - "cn_sampint": {to:[{field: "rsa.misc.cn_sampint", setter: fld_set}]}, - "cn_seqctr": {to:[{field: "rsa.misc.cn_seqctr", setter: fld_set}]}, - "cn_spackets": {to:[{field: "rsa.misc.cn_spackets", setter: fld_set}]}, - "cn_src_tos": {to:[{field: 
"rsa.misc.cn_src_tos", setter: fld_set}]}, - "cn_src_vlan": {to:[{field: "rsa.misc.cn_src_vlan", setter: fld_set}]}, - "cn_sysuptime": {to:[{field: "rsa.misc.cn_sysuptime", setter: fld_set}]}, - "cn_template_id": {to:[{field: "rsa.misc.cn_template_id", setter: fld_set}]}, - "cn_totbytsexp": {to:[{field: "rsa.misc.cn_totbytsexp", setter: fld_set}]}, - "cn_totflowexp": {to:[{field: "rsa.misc.cn_totflowexp", setter: fld_set}]}, - "cn_totpcktsexp": {to:[{field: "rsa.misc.cn_totpcktsexp", setter: fld_set}]}, - "cn_unixnanosecs": {to:[{field: "rsa.misc.cn_unixnanosecs", setter: fld_set}]}, - "cn_v6flowlabel": {to:[{field: "rsa.misc.cn_v6flowlabel", setter: fld_set}]}, - "cn_v6optheaders": {to:[{field: "rsa.misc.cn_v6optheaders", setter: fld_set}]}, - "code": {to:[{field: "rsa.misc.code", setter: fld_set}]}, - "command": {to:[{field: "rsa.misc.command", setter: fld_set}]}, - "comments": {to:[{field: "rsa.misc.comments", setter: fld_set}]}, - "comp_class": {to:[{field: "rsa.misc.comp_class", setter: fld_set}]}, - "comp_name": {to:[{field: "rsa.misc.comp_name", setter: fld_set}]}, - "comp_rbytes": {to:[{field: "rsa.misc.comp_rbytes", setter: fld_set}]}, - "comp_sbytes": {to:[{field: "rsa.misc.comp_sbytes", setter: fld_set}]}, - "component_version": {to:[{field: "rsa.misc.comp_version", setter: fld_set}]}, - "connection_id": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 1}]}, - "connectionid": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 0}]}, - "content": {to:[{field: "rsa.misc.content", setter: fld_set}]}, - "content_type": {to:[{field: "rsa.misc.content_type", setter: fld_set}]}, - "content_version": {to:[{field: "rsa.misc.content_version", setter: fld_set}]}, - "context": {to:[{field: "rsa.misc.context", setter: fld_set}]}, - "count": {to:[{field: "rsa.misc.count", setter: fld_set}]}, - "cpu": {convert: to_long, to:[{field: "rsa.misc.cpu", setter: fld_set}]}, - "cpu_data": {to:[{field: "rsa.misc.cpu_data", setter: fld_set}]}, - 
"criticality": {to:[{field: "rsa.misc.criticality", setter: fld_set}]}, - "cs_agency_dst": {to:[{field: "rsa.misc.cs_agency_dst", setter: fld_set}]}, - "cs_analyzedby": {to:[{field: "rsa.misc.cs_analyzedby", setter: fld_set}]}, - "cs_av_other": {to:[{field: "rsa.misc.cs_av_other", setter: fld_set}]}, - "cs_av_primary": {to:[{field: "rsa.misc.cs_av_primary", setter: fld_set}]}, - "cs_av_secondary": {to:[{field: "rsa.misc.cs_av_secondary", setter: fld_set}]}, - "cs_bgpv6nxthop": {to:[{field: "rsa.misc.cs_bgpv6nxthop", setter: fld_set}]}, - "cs_bit9status": {to:[{field: "rsa.misc.cs_bit9status", setter: fld_set}]}, - "cs_context": {to:[{field: "rsa.misc.cs_context", setter: fld_set}]}, - "cs_control": {to:[{field: "rsa.misc.cs_control", setter: fld_set}]}, - "cs_data": {to:[{field: "rsa.misc.cs_data", setter: fld_set}]}, - "cs_datecret": {to:[{field: "rsa.misc.cs_datecret", setter: fld_set}]}, - "cs_dst_tld": {to:[{field: "rsa.misc.cs_dst_tld", setter: fld_set}]}, - "cs_eth_dst_ven": {to:[{field: "rsa.misc.cs_eth_dst_ven", setter: fld_set}]}, - "cs_eth_src_ven": {to:[{field: "rsa.misc.cs_eth_src_ven", setter: fld_set}]}, - "cs_event_uuid": {to:[{field: "rsa.misc.cs_event_uuid", setter: fld_set}]}, - "cs_filetype": {to:[{field: "rsa.misc.cs_filetype", setter: fld_set}]}, - "cs_fld": {to:[{field: "rsa.misc.cs_fld", setter: fld_set}]}, - "cs_if_desc": {to:[{field: "rsa.misc.cs_if_desc", setter: fld_set}]}, - "cs_if_name": {to:[{field: "rsa.misc.cs_if_name", setter: fld_set}]}, - "cs_ip_next_hop": {to:[{field: "rsa.misc.cs_ip_next_hop", setter: fld_set}]}, - "cs_ipv4dstpre": {to:[{field: "rsa.misc.cs_ipv4dstpre", setter: fld_set}]}, - "cs_ipv4srcpre": {to:[{field: "rsa.misc.cs_ipv4srcpre", setter: fld_set}]}, - "cs_lifetime": {to:[{field: "rsa.misc.cs_lifetime", setter: fld_set}]}, - "cs_log_medium": {to:[{field: "rsa.misc.cs_log_medium", setter: fld_set}]}, - "cs_loginname": {to:[{field: "rsa.misc.cs_loginname", setter: fld_set}]}, - "cs_modulescore": {to:[{field: 
"rsa.misc.cs_modulescore", setter: fld_set}]}, - "cs_modulesign": {to:[{field: "rsa.misc.cs_modulesign", setter: fld_set}]}, - "cs_opswatresult": {to:[{field: "rsa.misc.cs_opswatresult", setter: fld_set}]}, - "cs_payload": {to:[{field: "rsa.misc.cs_payload", setter: fld_set}]}, - "cs_registrant": {to:[{field: "rsa.misc.cs_registrant", setter: fld_set}]}, - "cs_registrar": {to:[{field: "rsa.misc.cs_registrar", setter: fld_set}]}, - "cs_represult": {to:[{field: "rsa.misc.cs_represult", setter: fld_set}]}, - "cs_rpayload": {to:[{field: "rsa.misc.cs_rpayload", setter: fld_set}]}, - "cs_sampler_name": {to:[{field: "rsa.misc.cs_sampler_name", setter: fld_set}]}, - "cs_sourcemodule": {to:[{field: "rsa.misc.cs_sourcemodule", setter: fld_set}]}, - "cs_streams": {to:[{field: "rsa.misc.cs_streams", setter: fld_set}]}, - "cs_targetmodule": {to:[{field: "rsa.misc.cs_targetmodule", setter: fld_set}]}, - "cs_v6nxthop": {to:[{field: "rsa.misc.cs_v6nxthop", setter: fld_set}]}, - "cs_whois_server": {to:[{field: "rsa.misc.cs_whois_server", setter: fld_set}]}, - "cs_yararesult": {to:[{field: "rsa.misc.cs_yararesult", setter: fld_set}]}, - "cve": {to:[{field: "rsa.misc.cve", setter: fld_set}]}, - "d_certauth": {to:[{field: "rsa.crypto.d_certauth", setter: fld_set}]}, - "d_cipher": {to:[{field: "rsa.crypto.cipher_dst", setter: fld_set}]}, - "d_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_dst", setter: fld_set}]}, - "d_sslver": {to:[{field: "rsa.crypto.ssl_ver_dst", setter: fld_set}]}, - "data": {to:[{field: "rsa.internal.data", setter: fld_set}]}, - "data_type": {to:[{field: "rsa.misc.data_type", setter: fld_set}]}, - "date": {to:[{field: "rsa.time.date", setter: fld_set}]}, - "datetime": {to:[{field: "rsa.time.datetime", setter: fld_set}]}, - "day": {to:[{field: "rsa.time.day", setter: fld_set}]}, - "db_id": {to:[{field: "rsa.db.db_id", setter: fld_set}]}, - "db_name": {to:[{field: "rsa.db.database", setter: fld_set}]}, - "db_pid": {convert: to_long, to:[{field: 
"rsa.db.db_pid", setter: fld_set}]}, - "dclass_counter1": {convert: to_long, to:[{field: "rsa.counters.dclass_c1", setter: fld_set}]}, - "dclass_counter1_string": {to:[{field: "rsa.counters.dclass_c1_str", setter: fld_set}]}, - "dclass_counter2": {convert: to_long, to:[{field: "rsa.counters.dclass_c2", setter: fld_set}]}, - "dclass_counter2_string": {to:[{field: "rsa.counters.dclass_c2_str", setter: fld_set}]}, - "dclass_counter3": {convert: to_long, to:[{field: "rsa.counters.dclass_c3", setter: fld_set}]}, - "dclass_counter3_string": {to:[{field: "rsa.counters.dclass_c3_str", setter: fld_set}]}, - "dclass_ratio1": {to:[{field: "rsa.counters.dclass_r1", setter: fld_set}]}, - "dclass_ratio1_string": {to:[{field: "rsa.counters.dclass_r1_str", setter: fld_set}]}, - "dclass_ratio2": {to:[{field: "rsa.counters.dclass_r2", setter: fld_set}]}, - "dclass_ratio2_string": {to:[{field: "rsa.counters.dclass_r2_str", setter: fld_set}]}, - "dclass_ratio3": {to:[{field: "rsa.counters.dclass_r3", setter: fld_set}]}, - "dclass_ratio3_string": {to:[{field: "rsa.counters.dclass_r3_str", setter: fld_set}]}, - "dead": {convert: to_long, to:[{field: "rsa.internal.dead", setter: fld_set}]}, - "description": {to:[{field: "rsa.misc.description", setter: fld_set}]}, - "detail": {to:[{field: "rsa.misc.event_desc", setter: fld_set}]}, - "device": {to:[{field: "rsa.misc.device_name", setter: fld_set}]}, - "device.class": {to:[{field: "rsa.internal.device_class", setter: fld_set}]}, - "device.group": {to:[{field: "rsa.internal.device_group", setter: fld_set}]}, - "device.host": {to:[{field: "rsa.internal.device_host", setter: fld_set}]}, - "device.ip": {convert: to_ip, to:[{field: "rsa.internal.device_ip", setter: fld_set}]}, - "device.ipv6": {convert: to_ip, to:[{field: "rsa.internal.device_ipv6", setter: fld_set}]}, - "device.type": {to:[{field: "rsa.internal.device_type", setter: fld_set}]}, - "device.type.id": {convert: to_long, to:[{field: "rsa.internal.device_type_id", setter: fld_set}]}, 
- "devicehostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "devvendor": {to:[{field: "rsa.misc.devvendor", setter: fld_set}]}, - "dhost": {to:[{field: "rsa.network.host_dst", setter: fld_set}]}, - "did": {to:[{field: "rsa.internal.did", setter: fld_set}]}, - "dinterface": {to:[{field: "rsa.network.dinterface", setter: fld_set}]}, - "directory.dst": {to:[{field: "rsa.file.directory_dst", setter: fld_set}]}, - "directory.src": {to:[{field: "rsa.file.directory_src", setter: fld_set}]}, - "disk_volume": {to:[{field: "rsa.storage.disk_volume", setter: fld_set}]}, - "disposition": {to:[{field: "rsa.misc.disposition", setter: fld_set}]}, - "distance": {to:[{field: "rsa.misc.distance", setter: fld_set}]}, - "dmask": {to:[{field: "rsa.network.dmask", setter: fld_set}]}, - "dn": {to:[{field: "rsa.identity.dn", setter: fld_set}]}, - "dns_a_record": {to:[{field: "rsa.network.dns_a_record", setter: fld_set}]}, - "dns_cname_record": {to:[{field: "rsa.network.dns_cname_record", setter: fld_set}]}, - "dns_id": {to:[{field: "rsa.network.dns_id", setter: fld_set}]}, - "dns_opcode": {to:[{field: "rsa.network.dns_opcode", setter: fld_set}]}, - "dns_ptr_record": {to:[{field: "rsa.network.dns_ptr_record", setter: fld_set}]}, - "dns_resp": {to:[{field: "rsa.network.dns_resp", setter: fld_set}]}, - "dns_type": {to:[{field: "rsa.network.dns_type", setter: fld_set}]}, - "doc_number": {convert: to_long, to:[{field: "rsa.misc.doc_number", setter: fld_set}]}, - "domain": {to:[{field: "rsa.network.domain", setter: fld_set}]}, - "domain1": {to:[{field: "rsa.network.domain1", setter: fld_set}]}, - "dst_dn": {to:[{field: "rsa.identity.dn_dst", setter: fld_set}]}, - "dst_payload": {to:[{field: "rsa.misc.payload_dst", setter: fld_set}]}, - "dst_spi": {to:[{field: "rsa.misc.spi_dst", setter: fld_set}]}, - "dst_zone": {to:[{field: "rsa.network.zone_dst", setter: fld_set}]}, - "dstburb": {to:[{field: "rsa.misc.dstburb", setter: fld_set}]}, - "duration": {convert: to_double, 
to:[{field: "rsa.time.duration_time", setter: fld_set}]}, - "duration_string": {to:[{field: "rsa.time.duration_str", setter: fld_set}]}, - "ec_activity": {to:[{field: "rsa.investigations.ec_activity", setter: fld_set}]}, - "ec_outcome": {to:[{field: "rsa.investigations.ec_outcome", setter: fld_set}]}, - "ec_subject": {to:[{field: "rsa.investigations.ec_subject", setter: fld_set}]}, - "ec_theme": {to:[{field: "rsa.investigations.ec_theme", setter: fld_set}]}, - "edomain": {to:[{field: "rsa.misc.edomain", setter: fld_set}]}, - "edomaub": {to:[{field: "rsa.misc.edomaub", setter: fld_set}]}, - "effective_time": {convert: to_date, to:[{field: "rsa.time.effective_time", setter: fld_set}]}, - "ein.number": {convert: to_long, to:[{field: "rsa.misc.ein_number", setter: fld_set}]}, - "email": {to:[{field: "rsa.email.email", setter: fld_append}]}, - "encryption_type": {to:[{field: "rsa.crypto.crypto", setter: fld_set}]}, - "endtime": {convert: to_date, to:[{field: "rsa.time.endtime", setter: fld_set}]}, - "entropy.req": {convert: to_long, to:[{field: "rsa.internal.entropy_req", setter: fld_set}]}, - "entropy.res": {convert: to_long, to:[{field: "rsa.internal.entropy_res", setter: fld_set}]}, - "entry": {to:[{field: "rsa.internal.entry", setter: fld_set}]}, - "eoc": {to:[{field: "rsa.investigations.eoc", setter: fld_set}]}, - "error": {to:[{field: "rsa.misc.error", setter: fld_set}]}, - "eth_type": {convert: to_long, to:[{field: "rsa.network.eth_type", setter: fld_set}]}, - "euid": {to:[{field: "rsa.misc.euid", setter: fld_set}]}, - "event.cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 1}]}, - "event.cat.name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 1}]}, - "event_cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 0}]}, - "event_cat_name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 0}]}, - "event_category": {to:[{field: 
"rsa.misc.event_category", setter: fld_set}]}, - "event_computer": {to:[{field: "rsa.misc.event_computer", setter: fld_set}]}, - "event_counter": {convert: to_long, to:[{field: "rsa.counters.event_counter", setter: fld_set}]}, - "event_description": {to:[{field: "rsa.internal.event_desc", setter: fld_set}]}, - "event_id": {to:[{field: "rsa.misc.event_id", setter: fld_set}]}, - "event_log": {to:[{field: "rsa.misc.event_log", setter: fld_set}]}, - "event_name": {to:[{field: "rsa.internal.event_name", setter: fld_set}]}, - "event_queue_time": {convert: to_date, to:[{field: "rsa.time.event_queue_time", setter: fld_set}]}, - "event_source": {to:[{field: "rsa.misc.event_source", setter: fld_set}]}, - "event_state": {to:[{field: "rsa.misc.event_state", setter: fld_set}]}, - "event_time": {convert: to_date, to:[{field: "rsa.time.event_time", setter: fld_set}]}, - "event_time_str": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 1}]}, - "event_time_string": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 0}]}, - "event_type": {to:[{field: "rsa.misc.event_type", setter: fld_set}]}, - "event_user": {to:[{field: "rsa.misc.event_user", setter: fld_set}]}, - "eventtime": {to:[{field: "rsa.time.eventtime", setter: fld_set}]}, - "expected_val": {to:[{field: "rsa.misc.expected_val", setter: fld_set}]}, - "expiration_time": {convert: to_date, to:[{field: "rsa.time.expire_time", setter: fld_set}]}, - "expiration_time_string": {to:[{field: "rsa.time.expire_time_str", setter: fld_set}]}, - "facility": {to:[{field: "rsa.misc.facility", setter: fld_set}]}, - "facilityname": {to:[{field: "rsa.misc.facilityname", setter: fld_set}]}, - "faddr": {to:[{field: "rsa.network.faddr", setter: fld_set}]}, - "fcatnum": {to:[{field: "rsa.misc.fcatnum", setter: fld_set}]}, - "federated_idp": {to:[{field: "rsa.identity.federated_idp", setter: fld_set}]}, - "federated_sp": {to:[{field: "rsa.identity.federated_sp", setter: fld_set}]}, - "feed.category": {to:[{field: 
"rsa.internal.feed_category", setter: fld_set}]}, - "feed_desc": {to:[{field: "rsa.internal.feed_desc", setter: fld_set}]}, - "feed_name": {to:[{field: "rsa.internal.feed_name", setter: fld_set}]}, - "fhost": {to:[{field: "rsa.network.fhost", setter: fld_set}]}, - "file_entropy": {convert: to_double, to:[{field: "rsa.file.file_entropy", setter: fld_set}]}, - "file_vendor": {to:[{field: "rsa.file.file_vendor", setter: fld_set}]}, - "filename_dst": {to:[{field: "rsa.file.filename_dst", setter: fld_set}]}, - "filename_src": {to:[{field: "rsa.file.filename_src", setter: fld_set}]}, - "filename_tmp": {to:[{field: "rsa.file.filename_tmp", setter: fld_set}]}, - "filesystem": {to:[{field: "rsa.file.filesystem", setter: fld_set}]}, - "filter": {to:[{field: "rsa.misc.filter", setter: fld_set}]}, - "finterface": {to:[{field: "rsa.misc.finterface", setter: fld_set}]}, - "flags": {to:[{field: "rsa.misc.flags", setter: fld_set}]}, - "forensic_info": {to:[{field: "rsa.misc.forensic_info", setter: fld_set}]}, - "forward.ip": {convert: to_ip, to:[{field: "rsa.internal.forward_ip", setter: fld_set}]}, - "forward.ipv6": {convert: to_ip, to:[{field: "rsa.internal.forward_ipv6", setter: fld_set}]}, - "found": {to:[{field: "rsa.misc.found", setter: fld_set}]}, - "fport": {to:[{field: "rsa.network.fport", setter: fld_set}]}, - "fqdn": {to:[{field: "rsa.web.fqdn", setter: fld_set}]}, - "fresult": {convert: to_long, to:[{field: "rsa.misc.fresult", setter: fld_set}]}, - "from": {to:[{field: "rsa.email.email_src", setter: fld_set}]}, - "gaddr": {to:[{field: "rsa.misc.gaddr", setter: fld_set}]}, - "gateway": {to:[{field: "rsa.network.gateway", setter: fld_set}]}, - "gmtdate": {to:[{field: "rsa.time.gmtdate", setter: fld_set}]}, - "gmttime": {to:[{field: "rsa.time.gmttime", setter: fld_set}]}, - "group": {to:[{field: "rsa.misc.group", setter: fld_set}]}, - "group_object": {to:[{field: "rsa.misc.group_object", setter: fld_set}]}, - "groupid": {to:[{field: "rsa.misc.group_id", setter: 
fld_set}]}, - "h_code": {to:[{field: "rsa.internal.hcode", setter: fld_set}]}, - "hardware_id": {to:[{field: "rsa.misc.hardware_id", setter: fld_set}]}, - "header.id": {to:[{field: "rsa.internal.header_id", setter: fld_set}]}, - "host.orig": {to:[{field: "rsa.network.host_orig", setter: fld_set}]}, - "host.state": {to:[{field: "rsa.endpoint.host_state", setter: fld_set}]}, - "host.type": {to:[{field: "rsa.network.host_type", setter: fld_set}]}, - "host_role": {to:[{field: "rsa.identity.host_role", setter: fld_set}]}, - "hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "hostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "hour": {to:[{field: "rsa.time.hour", setter: fld_set}]}, - "https.insact": {to:[{field: "rsa.crypto.https_insact", setter: fld_set}]}, - "https.valid": {to:[{field: "rsa.crypto.https_valid", setter: fld_set}]}, - "icmpcode": {convert: to_long, to:[{field: "rsa.network.icmp_code", setter: fld_set}]}, - "icmptype": {convert: to_long, to:[{field: "rsa.network.icmp_type", setter: fld_set}]}, - "id": {to:[{field: "rsa.misc.reference_id", setter: fld_set}]}, - "id1": {to:[{field: "rsa.misc.reference_id1", setter: fld_set}]}, - "id2": {to:[{field: "rsa.misc.reference_id2", setter: fld_set}]}, - "id3": {to:[{field: "rsa.misc.id3", setter: fld_set}]}, - "ike": {to:[{field: "rsa.crypto.ike", setter: fld_set}]}, - "ike_cookie1": {to:[{field: "rsa.crypto.ike_cookie1", setter: fld_set}]}, - "ike_cookie2": {to:[{field: "rsa.crypto.ike_cookie2", setter: fld_set}]}, - "im_buddyid": {to:[{field: "rsa.misc.im_buddyid", setter: fld_set}]}, - "im_buddyname": {to:[{field: "rsa.misc.im_buddyname", setter: fld_set}]}, - "im_client": {to:[{field: "rsa.misc.im_client", setter: fld_set}]}, - "im_croomid": {to:[{field: "rsa.misc.im_croomid", setter: fld_set}]}, - "im_croomtype": {to:[{field: "rsa.misc.im_croomtype", setter: fld_set}]}, - "im_members": {to:[{field: "rsa.misc.im_members", setter: fld_set}]}, - "im_userid": 
{to:[{field: "rsa.misc.im_userid", setter: fld_set}]}, - "im_username": {to:[{field: "rsa.misc.im_username", setter: fld_set}]}, - "index": {to:[{field: "rsa.misc.index", setter: fld_set}]}, - "info": {to:[{field: "rsa.db.index", setter: fld_set}]}, - "inode": {convert: to_long, to:[{field: "rsa.internal.inode", setter: fld_set}]}, - "inout": {to:[{field: "rsa.misc.inout", setter: fld_set}]}, - "instance": {to:[{field: "rsa.db.instance", setter: fld_set}]}, - "interface": {to:[{field: "rsa.network.interface", setter: fld_set}]}, - "inv.category": {to:[{field: "rsa.investigations.inv_category", setter: fld_set}]}, - "inv.context": {to:[{field: "rsa.investigations.inv_context", setter: fld_set}]}, - "ioc": {to:[{field: "rsa.investigations.ioc", setter: fld_set}]}, - "ip_proto": {convert: to_long, to:[{field: "rsa.network.ip_proto", setter: fld_set}]}, - "ipkt": {to:[{field: "rsa.misc.ipkt", setter: fld_set}]}, - "ipscat": {to:[{field: "rsa.misc.ipscat", setter: fld_set}]}, - "ipspri": {to:[{field: "rsa.misc.ipspri", setter: fld_set}]}, - "jobname": {to:[{field: "rsa.misc.jobname", setter: fld_set}]}, - "jobnum": {to:[{field: "rsa.misc.job_num", setter: fld_set}]}, - "laddr": {to:[{field: "rsa.network.laddr", setter: fld_set}]}, - "language": {to:[{field: "rsa.misc.language", setter: fld_set}]}, - "latitude": {to:[{field: "rsa.misc.latitude", setter: fld_set}]}, - "lc.cid": {to:[{field: "rsa.internal.lc_cid", setter: fld_set}]}, - "lc.ctime": {convert: to_date, to:[{field: "rsa.internal.lc_ctime", setter: fld_set}]}, - "ldap": {to:[{field: "rsa.identity.ldap", setter: fld_set}]}, - "ldap.query": {to:[{field: "rsa.identity.ldap_query", setter: fld_set}]}, - "ldap.response": {to:[{field: "rsa.identity.ldap_response", setter: fld_set}]}, - "level": {convert: to_long, to:[{field: "rsa.internal.level", setter: fld_set}]}, - "lhost": {to:[{field: "rsa.network.lhost", setter: fld_set}]}, - "library": {to:[{field: "rsa.misc.library", setter: fld_set}]}, - "lifetime": 
{convert: to_long, to:[{field: "rsa.misc.lifetime", setter: fld_set}]}, - "linenum": {to:[{field: "rsa.misc.linenum", setter: fld_set}]}, - "link": {to:[{field: "rsa.misc.link", setter: fld_set}]}, - "linterface": {to:[{field: "rsa.network.linterface", setter: fld_set}]}, - "list_name": {to:[{field: "rsa.misc.list_name", setter: fld_set}]}, - "listnum": {to:[{field: "rsa.misc.listnum", setter: fld_set}]}, - "load_data": {to:[{field: "rsa.misc.load_data", setter: fld_set}]}, - "location_floor": {to:[{field: "rsa.misc.location_floor", setter: fld_set}]}, - "location_mark": {to:[{field: "rsa.misc.location_mark", setter: fld_set}]}, - "log_id": {to:[{field: "rsa.misc.log_id", setter: fld_set}]}, - "log_type": {to:[{field: "rsa.misc.log_type", setter: fld_set}]}, - "logid": {to:[{field: "rsa.misc.logid", setter: fld_set}]}, - "logip": {to:[{field: "rsa.misc.logip", setter: fld_set}]}, - "logname": {to:[{field: "rsa.misc.logname", setter: fld_set}]}, - "logon_type": {to:[{field: "rsa.identity.logon_type", setter: fld_set}]}, - "logon_type_desc": {to:[{field: "rsa.identity.logon_type_desc", setter: fld_set}]}, - "longitude": {to:[{field: "rsa.misc.longitude", setter: fld_set}]}, - "lport": {to:[{field: "rsa.misc.lport", setter: fld_set}]}, - "lread": {convert: to_long, to:[{field: "rsa.db.lread", setter: fld_set}]}, - "lun": {to:[{field: "rsa.storage.lun", setter: fld_set}]}, - "lwrite": {convert: to_long, to:[{field: "rsa.db.lwrite", setter: fld_set}]}, - "macaddr": {convert: to_mac, to:[{field: "rsa.network.eth_host", setter: fld_set}]}, - "mail_id": {to:[{field: "rsa.misc.mail_id", setter: fld_set}]}, - "mask": {to:[{field: "rsa.network.mask", setter: fld_set}]}, - "match": {to:[{field: "rsa.misc.match", setter: fld_set}]}, - "mbug_data": {to:[{field: "rsa.misc.mbug_data", setter: fld_set}]}, - "mcb.req": {convert: to_long, to:[{field: "rsa.internal.mcb_req", setter: fld_set}]}, - "mcb.res": {convert: to_long, to:[{field: "rsa.internal.mcb_res", setter: fld_set}]}, - 
"mcbc.req": {convert: to_long, to:[{field: "rsa.internal.mcbc_req", setter: fld_set}]}, - "mcbc.res": {convert: to_long, to:[{field: "rsa.internal.mcbc_res", setter: fld_set}]}, - "medium": {convert: to_long, to:[{field: "rsa.internal.medium", setter: fld_set}]}, - "message": {to:[{field: "rsa.internal.message", setter: fld_set}]}, - "message_body": {to:[{field: "rsa.misc.message_body", setter: fld_set}]}, - "messageid": {to:[{field: "rsa.internal.messageid", setter: fld_set}]}, - "min": {to:[{field: "rsa.time.min", setter: fld_set}]}, - "misc": {to:[{field: "rsa.misc.misc", setter: fld_set}]}, - "misc_name": {to:[{field: "rsa.misc.misc_name", setter: fld_set}]}, - "mode": {to:[{field: "rsa.misc.mode", setter: fld_set}]}, - "month": {to:[{field: "rsa.time.month", setter: fld_set}]}, - "msg": {to:[{field: "rsa.internal.msg", setter: fld_set}]}, - "msgIdPart1": {to:[{field: "rsa.misc.msgIdPart1", setter: fld_set}]}, - "msgIdPart2": {to:[{field: "rsa.misc.msgIdPart2", setter: fld_set}]}, - "msgIdPart3": {to:[{field: "rsa.misc.msgIdPart3", setter: fld_set}]}, - "msgIdPart4": {to:[{field: "rsa.misc.msgIdPart4", setter: fld_set}]}, - "msg_id": {to:[{field: "rsa.internal.msg_id", setter: fld_set}]}, - "msg_type": {to:[{field: "rsa.misc.msg_type", setter: fld_set}]}, - "msgid": {to:[{field: "rsa.misc.msgid", setter: fld_set}]}, - "name": {to:[{field: "rsa.misc.name", setter: fld_set}]}, - "netname": {to:[{field: "rsa.network.netname", setter: fld_set}]}, - "netsessid": {to:[{field: "rsa.misc.netsessid", setter: fld_set}]}, - "network_port": {convert: to_long, to:[{field: "rsa.network.network_port", setter: fld_set}]}, - "network_service": {to:[{field: "rsa.network.network_service", setter: fld_set}]}, - "node": {to:[{field: "rsa.misc.node", setter: fld_set}]}, - "nodename": {to:[{field: "rsa.internal.node_name", setter: fld_set}]}, - "ntype": {to:[{field: "rsa.misc.ntype", setter: fld_set}]}, - "num": {to:[{field: "rsa.misc.num", setter: fld_set}]}, - "number": 
{to:[{field: "rsa.misc.number", setter: fld_set}]}, - "number1": {to:[{field: "rsa.misc.number1", setter: fld_set}]}, - "number2": {to:[{field: "rsa.misc.number2", setter: fld_set}]}, - "nwe.callback_id": {to:[{field: "rsa.internal.nwe_callback_id", setter: fld_set}]}, - "nwwn": {to:[{field: "rsa.misc.nwwn", setter: fld_set}]}, - "obj_id": {to:[{field: "rsa.internal.obj_id", setter: fld_set}]}, - "obj_name": {to:[{field: "rsa.misc.obj_name", setter: fld_set}]}, - "obj_server": {to:[{field: "rsa.internal.obj_server", setter: fld_set}]}, - "obj_type": {to:[{field: "rsa.misc.obj_type", setter: fld_set}]}, - "obj_value": {to:[{field: "rsa.internal.obj_val", setter: fld_set}]}, - "object": {to:[{field: "rsa.misc.object", setter: fld_set}]}, - "observed_val": {to:[{field: "rsa.misc.observed_val", setter: fld_set}]}, - "operation": {to:[{field: "rsa.misc.operation", setter: fld_set}]}, - "operation_id": {to:[{field: "rsa.misc.operation_id", setter: fld_set}]}, - "opkt": {to:[{field: "rsa.misc.opkt", setter: fld_set}]}, - "org.dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 1}]}, - "org.src": {to:[{field: "rsa.physical.org_src", setter: fld_set}]}, - "org_dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 0}]}, - "orig_from": {to:[{field: "rsa.misc.orig_from", setter: fld_set}]}, - "origin": {to:[{field: "rsa.network.origin", setter: fld_set}]}, - "original_owner": {to:[{field: "rsa.identity.owner", setter: fld_set}]}, - "os": {to:[{field: "rsa.misc.OS", setter: fld_set}]}, - "owner_id": {to:[{field: "rsa.misc.owner_id", setter: fld_set}]}, - "p_action": {to:[{field: "rsa.misc.p_action", setter: fld_set}]}, - "p_date": {to:[{field: "rsa.time.p_date", setter: fld_set}]}, - "p_filter": {to:[{field: "rsa.misc.p_filter", setter: fld_set}]}, - "p_group_object": {to:[{field: "rsa.misc.p_group_object", setter: fld_set}]}, - "p_id": {to:[{field: "rsa.misc.p_id", setter: fld_set}]}, - "p_month": {to:[{field: "rsa.time.p_month", setter: fld_set}]}, 
- "p_msgid": {to:[{field: "rsa.misc.p_msgid", setter: fld_set}]}, - "p_msgid1": {to:[{field: "rsa.misc.p_msgid1", setter: fld_set}]}, - "p_msgid2": {to:[{field: "rsa.misc.p_msgid2", setter: fld_set}]}, - "p_result1": {to:[{field: "rsa.misc.p_result1", setter: fld_set}]}, - "p_time": {to:[{field: "rsa.time.p_time", setter: fld_set}]}, - "p_time1": {to:[{field: "rsa.time.p_time1", setter: fld_set}]}, - "p_time2": {to:[{field: "rsa.time.p_time2", setter: fld_set}]}, - "p_url": {to:[{field: "rsa.web.p_url", setter: fld_set}]}, - "p_user_agent": {to:[{field: "rsa.web.p_user_agent", setter: fld_set}]}, - "p_web_cookie": {to:[{field: "rsa.web.p_web_cookie", setter: fld_set}]}, - "p_web_method": {to:[{field: "rsa.web.p_web_method", setter: fld_set}]}, - "p_web_referer": {to:[{field: "rsa.web.p_web_referer", setter: fld_set}]}, - "p_year": {to:[{field: "rsa.time.p_year", setter: fld_set}]}, - "packet_length": {to:[{field: "rsa.network.packet_length", setter: fld_set}]}, - "paddr": {convert: to_ip, to:[{field: "rsa.network.paddr", setter: fld_set}]}, - "param": {to:[{field: "rsa.misc.param", setter: fld_set}]}, - "param.dst": {to:[{field: "rsa.misc.param_dst", setter: fld_set}]}, - "param.src": {to:[{field: "rsa.misc.param_src", setter: fld_set}]}, - "parent_node": {to:[{field: "rsa.misc.parent_node", setter: fld_set}]}, - "parse.error": {to:[{field: "rsa.internal.parse_error", setter: fld_set}]}, - "password": {to:[{field: "rsa.identity.password", setter: fld_set}]}, - "password_chg": {to:[{field: "rsa.misc.password_chg", setter: fld_set}]}, - "password_expire": {to:[{field: "rsa.misc.password_expire", setter: fld_set}]}, - "patient_fname": {to:[{field: "rsa.healthcare.patient_fname", setter: fld_set}]}, - "patient_id": {to:[{field: "rsa.healthcare.patient_id", setter: fld_set}]}, - "patient_lname": {to:[{field: "rsa.healthcare.patient_lname", setter: fld_set}]}, - "patient_mname": {to:[{field: "rsa.healthcare.patient_mname", setter: fld_set}]}, - "payload.req": {convert: 
to_long, to:[{field: "rsa.internal.payload_req", setter: fld_set}]}, - "payload.res": {convert: to_long, to:[{field: "rsa.internal.payload_res", setter: fld_set}]}, - "peer": {to:[{field: "rsa.crypto.peer", setter: fld_set}]}, - "peer_id": {to:[{field: "rsa.crypto.peer_id", setter: fld_set}]}, - "permgranted": {to:[{field: "rsa.misc.permgranted", setter: fld_set}]}, - "permissions": {to:[{field: "rsa.db.permissions", setter: fld_set}]}, - "permwanted": {to:[{field: "rsa.misc.permwanted", setter: fld_set}]}, - "pgid": {to:[{field: "rsa.misc.pgid", setter: fld_set}]}, - "phone_number": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 2}]}, - "phost": {to:[{field: "rsa.network.phost", setter: fld_set}]}, - "pid": {to:[{field: "rsa.misc.pid", setter: fld_set}]}, - "policy": {to:[{field: "rsa.misc.policy", setter: fld_set}]}, - "policyUUID": {to:[{field: "rsa.misc.policyUUID", setter: fld_set}]}, - "policy_id": {to:[{field: "rsa.misc.policy_id", setter: fld_set}]}, - "policy_value": {to:[{field: "rsa.misc.policy_value", setter: fld_set}]}, - "policy_waiver": {to:[{field: "rsa.misc.policy_waiver", setter: fld_set}]}, - "policyname": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 0}]}, - "pool_id": {to:[{field: "rsa.misc.pool_id", setter: fld_set}]}, - "pool_name": {to:[{field: "rsa.misc.pool_name", setter: fld_set}]}, - "port": {convert: to_long, to:[{field: "rsa.network.port", setter: fld_set}]}, - "portname": {to:[{field: "rsa.misc.port_name", setter: fld_set}]}, - "pread": {convert: to_long, to:[{field: "rsa.db.pread", setter: fld_set}]}, - "priority": {to:[{field: "rsa.misc.priority", setter: fld_set}]}, - "privilege": {to:[{field: "rsa.file.privilege", setter: fld_set}]}, - "process.vid.dst": {to:[{field: "rsa.internal.process_vid_dst", setter: fld_set}]}, - "process.vid.src": {to:[{field: "rsa.internal.process_vid_src", setter: fld_set}]}, - "process_id_val": {to:[{field: "rsa.misc.process_id_val", setter: fld_set}]}, - "processing_time": 
{to:[{field: "rsa.time.process_time", setter: fld_set}]}, - "profile": {to:[{field: "rsa.identity.profile", setter: fld_set}]}, - "prog_asp_num": {to:[{field: "rsa.misc.prog_asp_num", setter: fld_set}]}, - "program": {to:[{field: "rsa.misc.program", setter: fld_set}]}, - "protocol_detail": {to:[{field: "rsa.network.protocol_detail", setter: fld_set}]}, - "pwwn": {to:[{field: "rsa.storage.pwwn", setter: fld_set}]}, - "r_hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "real_data": {to:[{field: "rsa.misc.real_data", setter: fld_set}]}, - "realm": {to:[{field: "rsa.identity.realm", setter: fld_set}]}, - "reason": {to:[{field: "rsa.misc.reason", setter: fld_set}]}, - "rec_asp_device": {to:[{field: "rsa.misc.rec_asp_device", setter: fld_set}]}, - "rec_asp_num": {to:[{field: "rsa.misc.rec_asp_num", setter: fld_set}]}, - "rec_library": {to:[{field: "rsa.misc.rec_library", setter: fld_set}]}, - "recorded_time": {convert: to_date, to:[{field: "rsa.time.recorded_time", setter: fld_set}]}, - "recordnum": {to:[{field: "rsa.misc.recordnum", setter: fld_set}]}, - "registry.key": {to:[{field: "rsa.endpoint.registry_key", setter: fld_set}]}, - "registry.value": {to:[{field: "rsa.endpoint.registry_value", setter: fld_set}]}, - "remote_domain": {to:[{field: "rsa.web.remote_domain", setter: fld_set}]}, - "remote_domain_id": {to:[{field: "rsa.network.remote_domain_id", setter: fld_set}]}, - "reputation_num": {convert: to_double, to:[{field: "rsa.web.reputation_num", setter: fld_set}]}, - "resource": {to:[{field: "rsa.internal.resource", setter: fld_set}]}, - "resource_class": {to:[{field: "rsa.internal.resource_class", setter: fld_set}]}, - "result": {to:[{field: "rsa.misc.result", setter: fld_set}]}, - "result_code": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 1}]}, - "resultcode": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 0}]}, - "rid": {convert: to_long, to:[{field: "rsa.internal.rid", setter: fld_set}]}, - "risk": 
{to:[{field: "rsa.misc.risk", setter: fld_set}]}, - "risk_info": {to:[{field: "rsa.misc.risk_info", setter: fld_set}]}, - "risk_num": {convert: to_double, to:[{field: "rsa.misc.risk_num", setter: fld_set}]}, - "risk_num_comm": {convert: to_double, to:[{field: "rsa.misc.risk_num_comm", setter: fld_set}]}, - "risk_num_next": {convert: to_double, to:[{field: "rsa.misc.risk_num_next", setter: fld_set}]}, - "risk_num_sand": {convert: to_double, to:[{field: "rsa.misc.risk_num_sand", setter: fld_set}]}, - "risk_num_static": {convert: to_double, to:[{field: "rsa.misc.risk_num_static", setter: fld_set}]}, - "risk_suspicious": {to:[{field: "rsa.misc.risk_suspicious", setter: fld_set}]}, - "risk_warning": {to:[{field: "rsa.misc.risk_warning", setter: fld_set}]}, - "rpayload": {to:[{field: "rsa.network.rpayload", setter: fld_set}]}, - "ruid": {to:[{field: "rsa.misc.ruid", setter: fld_set}]}, - "rule": {to:[{field: "rsa.misc.rule", setter: fld_set}]}, - "rule_group": {to:[{field: "rsa.misc.rule_group", setter: fld_set}]}, - "rule_template": {to:[{field: "rsa.misc.rule_template", setter: fld_set}]}, - "rule_uid": {to:[{field: "rsa.misc.rule_uid", setter: fld_set}]}, - "rulename": {to:[{field: "rsa.misc.rule_name", setter: fld_set}]}, - "s_certauth": {to:[{field: "rsa.crypto.s_certauth", setter: fld_set}]}, - "s_cipher": {to:[{field: "rsa.crypto.cipher_src", setter: fld_set}]}, - "s_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_src", setter: fld_set}]}, - "s_context": {to:[{field: "rsa.misc.context_subject", setter: fld_set}]}, - "s_sslver": {to:[{field: "rsa.crypto.ssl_ver_src", setter: fld_set}]}, - "sburb": {to:[{field: "rsa.misc.sburb", setter: fld_set}]}, - "scheme": {to:[{field: "rsa.crypto.scheme", setter: fld_set}]}, - "sdomain_fld": {to:[{field: "rsa.misc.sdomain_fld", setter: fld_set}]}, - "search.text": {to:[{field: "rsa.misc.search_text", setter: fld_set}]}, - "sec": {to:[{field: "rsa.misc.sec", setter: fld_set}]}, - "second": {to:[{field: 
"rsa.misc.second", setter: fld_set}]}, - "sensor": {to:[{field: "rsa.misc.sensor", setter: fld_set}]}, - "sensorname": {to:[{field: "rsa.misc.sensorname", setter: fld_set}]}, - "seqnum": {to:[{field: "rsa.misc.seqnum", setter: fld_set}]}, - "serial_number": {to:[{field: "rsa.misc.serial_number", setter: fld_set}]}, - "service.account": {to:[{field: "rsa.identity.service_account", setter: fld_set}]}, - "session": {to:[{field: "rsa.misc.session", setter: fld_set}]}, - "session.split": {to:[{field: "rsa.internal.session_split", setter: fld_set}]}, - "sessionid": {to:[{field: "rsa.misc.log_session_id", setter: fld_set}]}, - "sessionid1": {to:[{field: "rsa.misc.log_session_id1", setter: fld_set}]}, - "sessiontype": {to:[{field: "rsa.misc.sessiontype", setter: fld_set}]}, - "severity": {to:[{field: "rsa.misc.severity", setter: fld_set}]}, - "sid": {to:[{field: "rsa.identity.user_sid_dst", setter: fld_set}]}, - "sig.name": {to:[{field: "rsa.misc.sig_name", setter: fld_set}]}, - "sigUUID": {to:[{field: "rsa.misc.sigUUID", setter: fld_set}]}, - "sigcat": {to:[{field: "rsa.misc.sigcat", setter: fld_set}]}, - "sigid": {convert: to_long, to:[{field: "rsa.misc.sig_id", setter: fld_set}]}, - "sigid1": {convert: to_long, to:[{field: "rsa.misc.sig_id1", setter: fld_set}]}, - "sigid_string": {to:[{field: "rsa.misc.sig_id_str", setter: fld_set}]}, - "signame": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 1}]}, - "sigtype": {to:[{field: "rsa.crypto.sig_type", setter: fld_set}]}, - "sinterface": {to:[{field: "rsa.network.sinterface", setter: fld_set}]}, - "site": {to:[{field: "rsa.internal.site", setter: fld_set}]}, - "size": {convert: to_long, to:[{field: "rsa.internal.size", setter: fld_set}]}, - "smask": {to:[{field: "rsa.network.smask", setter: fld_set}]}, - "snmp.oid": {to:[{field: "rsa.misc.snmp_oid", setter: fld_set}]}, - "snmp.value": {to:[{field: "rsa.misc.snmp_value", setter: fld_set}]}, - "sourcefile": {to:[{field: "rsa.internal.sourcefile", setter: 
fld_set}]}, - "space": {to:[{field: "rsa.misc.space", setter: fld_set}]}, - "space1": {to:[{field: "rsa.misc.space1", setter: fld_set}]}, - "spi": {to:[{field: "rsa.misc.spi", setter: fld_set}]}, - "sql": {to:[{field: "rsa.misc.sql", setter: fld_set}]}, - "src_dn": {to:[{field: "rsa.identity.dn_src", setter: fld_set}]}, - "src_payload": {to:[{field: "rsa.misc.payload_src", setter: fld_set}]}, - "src_spi": {to:[{field: "rsa.misc.spi_src", setter: fld_set}]}, - "src_zone": {to:[{field: "rsa.network.zone_src", setter: fld_set}]}, - "srcburb": {to:[{field: "rsa.misc.srcburb", setter: fld_set}]}, - "srcdom": {to:[{field: "rsa.misc.srcdom", setter: fld_set}]}, - "srcservice": {to:[{field: "rsa.misc.srcservice", setter: fld_set}]}, - "ssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 0}]}, - "stamp": {convert: to_date, to:[{field: "rsa.time.stamp", setter: fld_set}]}, - "starttime": {convert: to_date, to:[{field: "rsa.time.starttime", setter: fld_set}]}, - "state": {to:[{field: "rsa.misc.state", setter: fld_set}]}, - "statement": {to:[{field: "rsa.internal.statement", setter: fld_set}]}, - "status": {to:[{field: "rsa.misc.status", setter: fld_set}]}, - "status1": {to:[{field: "rsa.misc.status1", setter: fld_set}]}, - "streams": {convert: to_long, to:[{field: "rsa.misc.streams", setter: fld_set}]}, - "subcategory": {to:[{field: "rsa.misc.subcategory", setter: fld_set}]}, - "subject": {to:[{field: "rsa.email.subject", setter: fld_set}]}, - "svcno": {to:[{field: "rsa.misc.svcno", setter: fld_set}]}, - "system": {to:[{field: "rsa.misc.system", setter: fld_set}]}, - "t_context": {to:[{field: "rsa.misc.context_target", setter: fld_set}]}, - "task_name": {to:[{field: "rsa.file.task_name", setter: fld_set}]}, - "tbdstr1": {to:[{field: "rsa.misc.tbdstr1", setter: fld_set}]}, - "tbdstr2": {to:[{field: "rsa.misc.tbdstr2", setter: fld_set}]}, - "tbl_name": {to:[{field: "rsa.db.table_name", setter: fld_set}]}, - "tcp_flags": {convert: to_long, to:[{field: 
"rsa.misc.tcp_flags", setter: fld_set}]}, - "terminal": {to:[{field: "rsa.misc.terminal", setter: fld_set}]}, - "tgtdom": {to:[{field: "rsa.misc.tgtdom", setter: fld_set}]}, - "tgtdomain": {to:[{field: "rsa.misc.tgtdomain", setter: fld_set}]}, - "threat_name": {to:[{field: "rsa.threat.threat_category", setter: fld_set}]}, - "threat_source": {to:[{field: "rsa.threat.threat_source", setter: fld_set}]}, - "threat_val": {to:[{field: "rsa.threat.threat_desc", setter: fld_set}]}, - "threshold": {to:[{field: "rsa.misc.threshold", setter: fld_set}]}, - "time": {convert: to_date, to:[{field: "rsa.internal.time", setter: fld_set}]}, - "timestamp": {to:[{field: "rsa.time.timestamp", setter: fld_set}]}, - "timezone": {to:[{field: "rsa.time.timezone", setter: fld_set}]}, - "to": {to:[{field: "rsa.email.email_dst", setter: fld_set}]}, - "tos": {convert: to_long, to:[{field: "rsa.misc.tos", setter: fld_set}]}, - "trans_from": {to:[{field: "rsa.email.trans_from", setter: fld_set}]}, - "trans_id": {to:[{field: "rsa.db.transact_id", setter: fld_set}]}, - "trans_to": {to:[{field: "rsa.email.trans_to", setter: fld_set}]}, - "trigger_desc": {to:[{field: "rsa.misc.trigger_desc", setter: fld_set}]}, - "trigger_val": {to:[{field: "rsa.misc.trigger_val", setter: fld_set}]}, - "type": {to:[{field: "rsa.misc.type", setter: fld_set}]}, - "type1": {to:[{field: "rsa.misc.type1", setter: fld_set}]}, - "tzone": {to:[{field: "rsa.time.tzone", setter: fld_set}]}, - "ubc.req": {convert: to_long, to:[{field: "rsa.internal.ubc_req", setter: fld_set}]}, - "ubc.res": {convert: to_long, to:[{field: "rsa.internal.ubc_res", setter: fld_set}]}, - "udb_class": {to:[{field: "rsa.misc.udb_class", setter: fld_set}]}, - "url_fld": {to:[{field: "rsa.misc.url_fld", setter: fld_set}]}, - "urlpage": {to:[{field: "rsa.web.urlpage", setter: fld_set}]}, - "urlroot": {to:[{field: "rsa.web.urlroot", setter: fld_set}]}, - "user_address": {to:[{field: "rsa.email.email", setter: fld_append}]}, - "user_dept": {to:[{field: 
"rsa.identity.user_dept", setter: fld_set}]}, - "user_div": {to:[{field: "rsa.misc.user_div", setter: fld_set}]}, - "user_fname": {to:[{field: "rsa.identity.firstname", setter: fld_set}]}, - "user_lname": {to:[{field: "rsa.identity.lastname", setter: fld_set}]}, - "user_mname": {to:[{field: "rsa.identity.middlename", setter: fld_set}]}, - "user_org": {to:[{field: "rsa.identity.org", setter: fld_set}]}, - "user_role": {to:[{field: "rsa.identity.user_role", setter: fld_set}]}, - "userid": {to:[{field: "rsa.misc.userid", setter: fld_set}]}, - "username_fld": {to:[{field: "rsa.misc.username_fld", setter: fld_set}]}, - "utcstamp": {to:[{field: "rsa.misc.utcstamp", setter: fld_set}]}, - "v_instafname": {to:[{field: "rsa.misc.v_instafname", setter: fld_set}]}, - "vendor_event_cat": {to:[{field: "rsa.investigations.event_vcat", setter: fld_set}]}, - "version": {to:[{field: "rsa.misc.version", setter: fld_set}]}, - "vid": {to:[{field: "rsa.internal.msg_vid", setter: fld_set}]}, - "virt_data": {to:[{field: "rsa.misc.virt_data", setter: fld_set}]}, - "virusname": {to:[{field: "rsa.misc.virusname", setter: fld_set}]}, - "vlan": {convert: to_long, to:[{field: "rsa.network.vlan", setter: fld_set}]}, - "vlan.name": {to:[{field: "rsa.network.vlan_name", setter: fld_set}]}, - "vm_target": {to:[{field: "rsa.misc.vm_target", setter: fld_set}]}, - "vpnid": {to:[{field: "rsa.misc.vpnid", setter: fld_set}]}, - "vsys": {to:[{field: "rsa.misc.vsys", setter: fld_set}]}, - "vuln_ref": {to:[{field: "rsa.misc.vuln_ref", setter: fld_set}]}, - "web_cookie": {to:[{field: "rsa.web.web_cookie", setter: fld_set}]}, - "web_extension_tmp": {to:[{field: "rsa.web.web_extension_tmp", setter: fld_set}]}, - "web_host": {to:[{field: "rsa.web.alias_host", setter: fld_set}]}, - "web_method": {to:[{field: "rsa.misc.action", setter: fld_append}]}, - "web_page": {to:[{field: "rsa.web.web_page", setter: fld_set}]}, - "web_ref_domain": {to:[{field: "rsa.web.web_ref_domain", setter: fld_set}]}, - "web_ref_host": 
{to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "web_ref_page": {to:[{field: "rsa.web.web_ref_page", setter: fld_set}]}, - "web_ref_query": {to:[{field: "rsa.web.web_ref_query", setter: fld_set}]}, - "web_ref_root": {to:[{field: "rsa.web.web_ref_root", setter: fld_set}]}, - "wifi_channel": {convert: to_long, to:[{field: "rsa.wireless.wlan_channel", setter: fld_set}]}, - "wlan": {to:[{field: "rsa.wireless.wlan_name", setter: fld_set}]}, - "word": {to:[{field: "rsa.internal.word", setter: fld_set}]}, - "workspace_desc": {to:[{field: "rsa.misc.workspace", setter: fld_set}]}, - "workstation": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "year": {to:[{field: "rsa.time.year", setter: fld_set}]}, - "zone": {to:[{field: "rsa.network.zone", setter: fld_set}]}, - }; - - function to_date(value) { - switch (typeof (value)) { - case "object": - // This is a Date. But as it was obtained from evt.Get(), the VM - // doesn't see it as a JS Date anymore, thus value instanceof Date === false. - // Have to trust that any object here is a valid Date for Go. - return value; - case "string": - var asDate = new Date(value); - if (!isNaN(asDate)) return asDate; - } - } - - // ECMAScript 5.1 doesn't have Object.MAX_SAFE_INTEGER / Object.MIN_SAFE_INTEGER. - var maxSafeInt = Math.pow(2, 53) - 1; - var minSafeInt = -maxSafeInt; - - function to_long(value) { - var num = parseInt(value); - // Better not to index a number if it's not safe (above 53 bits). - return !isNaN(num) && minSafeInt <= num && num <= maxSafeInt ? 
num : undefined; - } - - function to_ip(value) { - if (value.indexOf(":") === -1) - return to_ipv4(value); - return to_ipv6(value); - } - - var ipv4_regex = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/; - var ipv6_hex_regex = /^[0-9A-Fa-f]{1,4}$/; - - function to_ipv4(value) { - var result = ipv4_regex.exec(value); - if (result == null || result.length !== 5) return; - for (var i = 1; i < 5; i++) { - var num = strictToInt(result[i]); - if (isNaN(num) || num < 0 || num > 255) return; - } - return value; - } - - function to_ipv6(value) { - var sqEnd = value.indexOf("]"); - if (sqEnd > -1) { - if (value.charAt(0) !== "[") return; - value = value.substr(1, sqEnd - 1); - } - var zoneOffset = value.indexOf("%"); - if (zoneOffset > -1) { - value = value.substr(0, zoneOffset); - } - var parts = value.split(":"); - if (parts == null || parts.length < 3 || parts.length > 8) return; - var numEmpty = 0; - var innerEmpty = 0; - for (var i = 0; i < parts.length; i++) { - if (parts[i].length === 0) { - numEmpty++; - if (i > 0 && i + 1 < parts.length) innerEmpty++; - } else if (!parts[i].match(ipv6_hex_regex) && - // Accept an IPv6 with a valid IPv4 at the end. - ((i + 1 < parts.length) || !to_ipv4(parts[i]))) { - return; - } - } - return innerEmpty === 0 && parts.length === 8 || innerEmpty === 1 ? value : undefined; - } - - function to_double(value) { - return parseFloat(value); - } - - function to_mac(value) { - // ES doesn't have a mac datatype so it's safe to ingest whatever was captured. - return value; - } - - function to_lowercase(value) { - // to_lowercase is used against keyword fields, which can accept - // any other type (numbers, dates). - return typeof(value) === "string"? 
value.toLowerCase() : value; - } - - function fld_set(dst, value) { - dst[this.field] = { v: value }; - } - - function fld_append(dst, value) { - if (dst[this.field] === undefined) { - dst[this.field] = { v: [value] }; - } else { - var base = dst[this.field]; - if (base.v.indexOf(value)===-1) base.v.push(value); - } - } - - function fld_prio(dst, value) { - if (dst[this.field] === undefined) { - dst[this.field] = { v: value, prio: this.prio}; - } else if(this.prio < dst[this.field].prio) { - dst[this.field].v = value; - dst[this.field].prio = this.prio; - } - } - - var valid_ecs_outcome = { - 'failure': true, - 'success': true, - 'unknown': true - }; - - function fld_ecs_outcome(dst, value) { - value = value.toLowerCase(); - if (valid_ecs_outcome[value] === undefined) { - value = 'unknown'; - } - if (dst[this.field] === undefined) { - dst[this.field] = { v: value }; - } else if (dst[this.field].v === 'unknown') { - dst[this.field] = { v: value }; - } - } - - function map_all(evt, targets, value) { - for (var i = 0; i < targets.length; i++) { - evt.Put(targets[i], value); - } - } - - function populate_fields(evt) { - var base = evt.Get(FIELDS_OBJECT); - if (base === null) return; - alternate_datetime(evt); - if (map_ecs) { - do_populate(evt, base, ecs_mappings); - } - if (map_rsa) { - do_populate(evt, base, rsa_mappings); - } - if (keep_raw) { - evt.Put("rsa.raw", base); - } - evt.Delete(FIELDS_OBJECT); - } - - var datetime_alt_components = [ - {field: "day", fmts: [[dF]]}, - {field: "year", fmts: [[dW]]}, - {field: "month", fmts: [[dB],[dG]]}, - {field: "date", fmts: [[dW,dSkip,dG,dSkip,dF],[dW,dSkip,dB,dSkip,dF],[dW,dSkip,dR,dSkip,dF]]}, - {field: "hour", fmts: [[dN]]}, - {field: "min", fmts: [[dU]]}, - {field: "secs", fmts: [[dO]]}, - {field: "time", fmts: [[dN, dSkip, dU, dSkip, dO]]}, - ]; - - function alternate_datetime(evt) { - if (evt.Get(FIELDS_PREFIX + "event_time") != null) { - return; - } - var tzOffset = tz_offset; - if (tzOffset === "event") { - 
tzOffset = evt.Get("event.timezone"); - } - var container = new DateContainer(tzOffset); - for (var i=0; i} ui=%{p0}"); - - var dup3 = match("MESSAGE#0:event_admin/1_0", "nwparser.p0", "%{network_service}(%{saddr}) action=%{p0}"); - - var dup4 = match("MESSAGE#0:event_admin/1_1", "nwparser.p0", "%{network_service->} action=%{p0}"); - - var dup5 = match("MESSAGE#0:event_admin/3_0", "nwparser.p0", "\"%{event_description}\""); - - var dup6 = match_copy("MESSAGE#0:event_admin/3_1", "nwparser.p0", "event_description"); - - var dup7 = setc("eventcategory","1401000000"); - - var dup8 = setf("msg","$MSG"); - - var dup9 = date_time({ - dest: "event_time", - args: ["hdate","htime"], - fmts: [ - [dW,dc("-"),dG,dc("-"),dF,dH,dc(":"),dU,dc(":"),dO], - ], - }); - - var dup10 = setf("hardware_id","hfld1"); - - var dup11 = setf("id","hfld2"); - - var dup12 = setf("id1","hfld3"); - - var dup13 = setf("event_type","msgIdPart1"); - - var dup14 = setf("category","msgIdPart2"); - - var dup15 = setf("severity","hseverity"); - - var dup16 = match("MESSAGE#1:event_pop3/2", "nwparser.p0", "%{action->} status=%{event_state->} msg=%{p0}"); - - var dup17 = setc("eventcategory","1602000000"); - - var dup18 = match("MESSAGE#5:event_smtp:01/0", "nwparser.payload", "user=%{username}ui=%{p0}"); - - var dup19 = match("MESSAGE#5:event_smtp:01/1_0", "nwparser.p0", "%{network_service}(%{hostip}) action=%{p0}"); - - var dup20 = match("MESSAGE#5:event_smtp:01/1_1", "nwparser.p0", "%{network_service}action=%{p0}"); - - var dup21 = match("MESSAGE#5:event_smtp:01/2", "nwparser.p0", "%{action}status=%{event_state}session_id=%{p0}"); - - var dup22 = match("MESSAGE#5:event_smtp:01/3_0", "nwparser.p0", "\"%{sessionid}\"msg=\"STARTTLS=%{p0}"); - - var dup23 = match("MESSAGE#5:event_smtp:01/3_1", "nwparser.p0", "%{sessionid}msg=\"STARTTLS=%{p0}"); - - var dup24 = match("MESSAGE#16:event_smtp/3_0", "nwparser.p0", "\"%{sessionid}\" msg=%{p0}"); - - var dup25 = match("MESSAGE#16:event_smtp/3_1", "nwparser.p0", 
"%{sessionid->} msg=%{p0}"); - - var dup26 = match("MESSAGE#20:virus/0", "nwparser.payload", "from=%{p0}"); - - var dup27 = match("MESSAGE#20:virus/1_0", "nwparser.p0", "\"%{from}\" to=%{p0}"); - - var dup28 = match("MESSAGE#20:virus/1_1", "nwparser.p0", "%{from->} to=%{p0}"); - - var dup29 = match("MESSAGE#20:virus/2_0", "nwparser.p0", "\"%{to}\" src=%{p0}"); - - var dup30 = match("MESSAGE#20:virus/2_1", "nwparser.p0", "%{to->} src=%{p0}"); - - var dup31 = match("MESSAGE#20:virus/3_0", "nwparser.p0", "\"%{saddr}\" session_id=%{p0}"); - - var dup32 = match("MESSAGE#20:virus/3_1", "nwparser.p0", "%{saddr->} session_id=%{p0}"); - - var dup33 = setc("eventcategory","1003010000"); - - var dup34 = setf("event_type","messageid"); - - var dup35 = match("MESSAGE#23:statistics/0", "nwparser.payload", "session_id=%{p0}"); - - var dup36 = match("MESSAGE#23:statistics/1_0", "nwparser.p0", "\"%{sessionid}\" from=%{p0}"); - - var dup37 = match("MESSAGE#23:statistics/1_1", "nwparser.p0", "%{sessionid->} from=%{p0}"); - - var dup38 = match("MESSAGE#23:statistics/2_0", "nwparser.p0", "\"%{from}\" mailer=%{p0}"); - - var dup39 = match("MESSAGE#23:statistics/2_1", "nwparser.p0", "%{from->} mailer=%{p0}"); - - var dup40 = match("MESSAGE#23:statistics/3_0", "nwparser.p0", "\"%{agent}\" client_name=\"%{p0}"); - - var dup41 = match("MESSAGE#23:statistics/3_1", "nwparser.p0", "%{agent->} client_name=\"%{p0}"); - - var dup42 = match("MESSAGE#23:statistics/4_0", "nwparser.p0", "%{fqdn->} [%{saddr}] (%{info})\"%{p0}"); - - var dup43 = match("MESSAGE#23:statistics/4_1", "nwparser.p0", "%{fqdn->} [%{saddr}]\"%{p0}"); - - var dup44 = match("MESSAGE#23:statistics/4_2", "nwparser.p0", "%{saddr}\"%{p0}"); - - var dup45 = match("MESSAGE#23:statistics/6_0", "nwparser.p0", "\"%{context}\" to=%{p0}"); - - var dup46 = match("MESSAGE#23:statistics/6_1", "nwparser.p0", "%{context->} to=%{p0}"); - - var dup47 = match("MESSAGE#23:statistics/7_0", "nwparser.p0", "\"%{to}\" direction=%{p0}"); - - var dup48 = 
match("MESSAGE#23:statistics/7_1", "nwparser.p0", "%{to->} direction=%{p0}"); - - var dup49 = match("MESSAGE#23:statistics/8_0", "nwparser.p0", "\"%{direction}\" message_length=%{p0}"); - - var dup50 = match("MESSAGE#23:statistics/8_1", "nwparser.p0", "%{direction->} message_length=%{p0}"); - - var dup51 = match("MESSAGE#23:statistics/9", "nwparser.p0", "%{fld4->} virus=%{p0}"); - - var dup52 = match("MESSAGE#23:statistics/10_0", "nwparser.p0", "\"%{virusname}\" disposition=%{p0}"); - - var dup53 = match("MESSAGE#23:statistics/10_1", "nwparser.p0", "%{virusname->} disposition=%{p0}"); - - var dup54 = match("MESSAGE#23:statistics/11_0", "nwparser.p0", "\"%{disposition}\" classifier=%{p0}"); - - var dup55 = match("MESSAGE#23:statistics/11_1", "nwparser.p0", "%{disposition->} classifier=%{p0}"); - - var dup56 = match("MESSAGE#23:statistics/12_0", "nwparser.p0", "\"%{filter}\" subject=%{p0}"); - - var dup57 = match("MESSAGE#23:statistics/12_1", "nwparser.p0", "%{filter->} subject=%{p0}"); - - var dup58 = match("MESSAGE#23:statistics/13_0", "nwparser.p0", "\"%{subject}\""); - - var dup59 = match_copy("MESSAGE#23:statistics/13_1", "nwparser.p0", "subject"); - - var dup60 = setc("eventcategory","1207000000"); - - var dup61 = match("MESSAGE#24:statistics:01/5", "nwparser.p0", "%{}resolved=%{p0}"); - - var dup62 = setc("eventcategory","1207040000"); - - var dup63 = linear_select([ - dup3, - dup4, - ]); - - var dup64 = linear_select([ - dup5, - dup6, - ]); - - var dup65 = linear_select([ - dup19, - dup20, - ]); - - var dup66 = linear_select([ - dup22, - dup23, - ]); - - var dup67 = linear_select([ - dup3, - dup20, - ]); - - var dup68 = linear_select([ - dup24, - dup25, - ]); - - var dup69 = linear_select([ - dup27, - dup28, - ]); - - var dup70 = linear_select([ - dup29, - dup30, - ]); - - var dup71 = linear_select([ - dup36, - dup37, - ]); - - var dup72 = linear_select([ - dup38, - dup39, - ]); - - var dup73 = linear_select([ - dup40, - dup41, - ]); - - var dup74 = 
linear_select([ - dup42, - dup43, - dup44, - ]); - - var dup75 = linear_select([ - dup45, - dup46, - ]); - - var dup76 = linear_select([ - dup47, - dup48, - ]); - - var dup77 = linear_select([ - dup49, - dup50, - ]); - - var dup78 = linear_select([ - dup52, - dup53, - ]); - - var dup79 = linear_select([ - dup54, - dup55, - ]); - - var dup80 = linear_select([ - dup56, - dup57, - ]); - - var dup81 = linear_select([ - dup58, - dup59, - ]); - - var dup82 = all_match({ - processors: [ - dup2, - dup63, - dup16, - dup64, - ], - on_success: processor_chain([ - dup17, - dup8, - dup9, - dup10, - dup11, - dup12, - dup13, - dup14, - dup15, - ]), - }); - - var hdr1 = match("HEADER#0:0001", "message", "date=%{hdate->} time=%{htime->} device_id=%{hfld1->} log_id=%{hfld2->} log_part=%{hfld3->} type=%{msgIdPart1->} subtype=%{msgIdPart2->} pri=%{hseverity->} %{payload}", processor_chain([ - setc("header_id","0001"), - dup1, - ])); - - var hdr2 = match("HEADER#1:0002", "message", "date=%{hdate->} time=%{htime->} device_id=%{hfld1->} log_id=%{hfld2->} log_part=%{hfld3->} type=%{messageid->} pri=%{hseverity->} %{payload}", processor_chain([ - setc("header_id","0002"), - ])); - - var hdr3 = match("HEADER#2:0003", "message", "date=%{hdate->} time=%{htime->} device_id=%{hfld1->} log_id=%{hfld2->} type=%{msgIdPart1->} subtype=%{msgIdPart2->} pri=%{hseverity->} %{payload}", processor_chain([ - setc("header_id","0003"), - dup1, - ])); - - var hdr4 = match("HEADER#3:0004", "message", "date=%{hdate->} time=%{htime->} device_id=%{hfld1->} log_id=%{hfld2->} type=%{messageid->} pri=%{hseverity->} %{payload}", processor_chain([ - setc("header_id","0004"), - ])); - - var select1 = linear_select([ - hdr1, - hdr2, - hdr3, - hdr4, - ]); - - var part1 = match("MESSAGE#0:event_admin/2", "nwparser.p0", "%{action->} status=%{event_state->} reason=%{result->} msg=%{p0}"); - - var all1 = all_match({ - processors: [ - dup2, - dup63, - part1, - dup64, - ], - on_success: processor_chain([ - dup7, - dup8, - 
dup9, - dup10, - dup11, - dup12, - dup13, - dup14, - dup15, - ]), - }); - - var msg1 = msg("event_admin", all1); - - var msg2 = msg("event_pop3", dup82); - - var all2 = all_match({ - processors: [ - dup2, - dup63, - dup16, - dup64, - ], - on_success: processor_chain([ - dup7, - dup8, - dup9, - dup10, - dup11, - dup12, - dup13, - dup14, - dup15, - ]), - }); - - var msg3 = msg("event_webmail", all2); - - var msg4 = msg("event_system", dup82); - - var msg5 = msg("event_imap", dup82); - - var part2 = match("MESSAGE#5:event_smtp:01/4", "nwparser.p0", "%{fld1}, relay=%{p0}"); - - var part3 = match("MESSAGE#5:event_smtp:01/5_0", "nwparser.p0", "%{shost}[%{saddr}], version=%{p0}"); - - var part4 = match("MESSAGE#5:event_smtp:01/5_1", "nwparser.p0", "%{shost}, version=%{p0}"); - - var select2 = linear_select([ - part3, - part4, - ]); - - var part5 = match("MESSAGE#5:event_smtp:01/6", "nwparser.p0", "%{version}, verify=%{fld2}, cipher=%{s_cipher}, bits=%{fld3}\""); - - var all3 = all_match({ - processors: [ - dup18, - dup65, - dup21, - dup66, - part2, - select2, - part5, - ], - on_success: processor_chain([ - dup17, - dup8, - dup9, - dup10, - dup11, - dup12, - dup13, - dup14, - dup15, - ]), - }); - - var msg6 = msg("event_smtp:01", all3); - - var part6 = match("MESSAGE#6:event_smtp:02/4", "nwparser.p0", "%{fld1}, cert-subject=%{cert_subject}, cert-issuer=%{fld2}, verifymsg=%{fld3}\""); - - var all4 = all_match({ - processors: [ - dup18, - dup65, - dup21, - dup66, - part6, - ], - on_success: processor_chain([ - dup17, - dup8, - dup9, - dup10, - dup11, - dup12, - dup13, - dup14, - dup15, - ]), - }); - - var msg7 = msg("event_smtp:02", all4); - - var part7 = match("MESSAGE#7:event_smtp:03/2", "nwparser.p0", "%{action}status=%{event_state}session_id=\"%{sessionid}\" msg=\"to=\u003c\u003c%{to}>, delay=%{fld1}, xdelay=%{fld2}, mailer=%{protocol}, pri=%{fld3}, relay=%{shost}[%{saddr}], dsn=%{fld4}, stat=%{fld5}\""); - - var all5 = all_match({ - processors: [ - dup18, - dup65, - 
part7, - ], - on_success: processor_chain([ - dup17, - dup8, - dup9, - dup10, - dup11, - dup12, - dup13, - dup14, - dup15, - ]), - }); - - var msg8 = msg("event_smtp:03", all5); - - var part8 = match("MESSAGE#8:event_smtp:04/0", "nwparser.payload", "user=%{username}ui=%{network_service}action=%{action}status=%{event_state}session_id=\"%{sessionid}\" msg=\"from=\u003c\u003c%{from}>, size=%{bytes}, class=%{fld2}, nrcpts=%{p0}"); - - var part9 = match("MESSAGE#8:event_smtp:04/1_0", "nwparser.p0", "%{fld3}, msgid=\u003c\u003c%{fld4}>, proto=%{p0}"); - - var part10 = match("MESSAGE#8:event_smtp:04/1_1", "nwparser.p0", "%{fld3}, proto=%{p0}"); - - var select3 = linear_select([ - part9, - part10, - ]); - - var part11 = match("MESSAGE#8:event_smtp:04/2", "nwparser.p0", "%{protocol}, daemon=%{process}, relay=%{p0}"); - - var part12 = match("MESSAGE#8:event_smtp:04/3_0", "nwparser.p0", "%{shost}[%{saddr}] (may be forged)\""); - - var part13 = match("MESSAGE#8:event_smtp:04/3_1", "nwparser.p0", "%{shost}[%{saddr}]\""); - - var part14 = match("MESSAGE#8:event_smtp:04/3_2", "nwparser.p0", "%{shost}\""); - - var select4 = linear_select([ - part12, - part13, - part14, - ]); - - var all6 = all_match({ - processors: [ - part8, - select3, - part11, - select4, - ], - on_success: processor_chain([ - dup17, - dup8, - dup9, - dup10, - dup11, - dup12, - dup13, - dup14, - dup15, - ]), - }); - - var msg9 = msg("event_smtp:04", all6); - - var part15 = match("MESSAGE#9:event_smtp:05/2", "nwparser.p0", "%{action}status=%{event_state}session_id=\"%{sessionid}\" msg=\"Milter: to=\u003c\u003c%{to}>, reject=%{fld1}\""); - - var all7 = all_match({ - processors: [ - dup18, - dup67, - part15, - ], - on_success: processor_chain([ - dup17, - dup8, - dup9, - dup10, - dup11, - dup12, - dup13, - dup14, - dup15, - ]), - }); - - var msg10 = msg("event_smtp:05", all7); - - var part16 = match("MESSAGE#10:event_smtp:06/2", "nwparser.p0", "%{action}status=%{event_state}session_id=\"%{sessionid}\" msg=\"timeout 
waiting for input from%{p0}"); - - var part17 = match("MESSAGE#10:event_smtp:06/3_0", "nwparser.p0", "[%{saddr}]during server cmd%{p0}"); - - var part18 = match("MESSAGE#10:event_smtp:06/3_1", "nwparser.p0", "%{saddr}during server cmd%{p0}"); - - var select5 = linear_select([ - part17, - part18, - ]); - - var part19 = match("MESSAGE#10:event_smtp:06/4", "nwparser.p0", "%{fld5}\""); - - var all8 = all_match({ - processors: [ - dup18, - dup65, - part16, - select5, - part19, - ], - on_success: processor_chain([ - dup17, - dup8, - dup9, - dup10, - dup11, - dup12, - dup13, - dup14, - dup15, - ]), - }); - - var msg11 = msg("event_smtp:06", all8); - - var part20 = match("MESSAGE#11:event_smtp:07/2", "nwparser.p0", "%{action}status=%{event_state}session_id=\"%{sessionid}\" msg=\"collect:%{fld1}timeout on connection from%{shost}, from=\u003c\u003c%{from}>\""); - - var all9 = all_match({ - processors: [ - dup18, - dup67, - part20, - ], - on_success: processor_chain([ - dup17, - dup8, - dup9, - dup10, - dup11, - dup12, - dup13, - dup14, - dup15, - ]), - }); - - var msg12 = msg("event_smtp:07", all9); - - var part21 = match("MESSAGE#12:event_smtp:08/2", "nwparser.p0", "%{action}status=%{event_state}session_id=\"%{sessionid}\" msg=\"DSN: to \u003c\u003c%{to}>; reason:%{result}; sessionid:%{fld5}\""); - - var all10 = all_match({ - processors: [ - dup18, - dup67, - part21, - ], - on_success: processor_chain([ - dup17, - dup8, - dup9, - dup10, - dup11, - dup12, - dup13, - dup14, - dup15, - ]), - }); - - var msg13 = msg("event_smtp:08", all10); - - var part22 = match("MESSAGE#13:event_smtp:09/2", "nwparser.p0", "%{action}status=%{event_state}session_id=\"%{sessionid}\" msg=\"lost input channel from%{shost}[%{saddr}] (may be forged) to SMTP_MTA after rcpt\""); - - var all11 = all_match({ - processors: [ - dup18, - dup65, - part22, - ], - on_success: processor_chain([ - dup17, - dup8, - dup9, - dup10, - dup11, - dup12, - dup13, - dup14, - dup15, - ]), - }); - - var msg14 = 
msg("event_smtp:09", all11); - - var part23 = match("MESSAGE#14:event_smtp:10/2", "nwparser.p0", "%{action}status=%{event_state}session_id=\"%{sessionid}\" msg=\"%{shost}[%{saddr}]: possible SMTP attack: command=%{fld1}, count=%{dclass_counter1}\""); - - var all12 = all_match({ - processors: [ - dup18, - dup65, - part23, - ], - on_success: processor_chain([ - dup17, - dup8, - dup9, - dup10, - dup11, - dup12, - dup13, - dup14, - dup15, - setc("dclass_counter1_string","count"), - ]), - }); - - var msg15 = msg("event_smtp:10", all12); - - var part24 = match("MESSAGE#15:event_smtp:11/2", "nwparser.p0", "%{action}status=%{event_state}session_id=\"%{sessionid}\" log_part=%{id1->} msg=\"to=\u003c\u003c%{to}, delay=%{p0}"); - - var part25 = match("MESSAGE#15:event_smtp:11/3_0", "nwparser.p0", "%{fld1}, xdelay=%{fld2}, mailer=%{protocol}, pri=%{fld3}, relay=%{shost}\""); - - var part26 = match("MESSAGE#15:event_smtp:11/3_1", "nwparser.p0", "%{fld1}, xdelay=%{fld2}, mailer=%{protocol}, pri=%{fld3}\""); - - var part27 = match("MESSAGE#15:event_smtp:11/3_2", "nwparser.p0", "%{fld1}, xdelay=%{fld2}, mailer=%{protocol}\""); - - var part28 = match("MESSAGE#15:event_smtp:11/3_3", "nwparser.p0", "%{fld1}\""); - - var select6 = linear_select([ - part25, - part26, - part27, - part28, - ]); - - var all13 = all_match({ - processors: [ - dup18, - dup65, - part24, - select6, - ], - on_success: processor_chain([ - dup17, - dup8, - dup9, - dup10, - dup11, - dup12, - dup13, - dup14, - dup15, - ]), - }); - - var msg16 = msg("event_smtp:11", all13); - - var part29 = match("MESSAGE#16:event_smtp/2", "nwparser.p0", "%{action->} status=%{event_state->} session_id=%{p0}"); - - var all14 = all_match({ - processors: [ - dup2, - dup63, - part29, - dup68, - dup64, - ], - on_success: processor_chain([ - dup17, - dup8, - dup9, - dup10, - dup11, - dup12, - dup13, - dup14, - dup15, - ]), - }); - - var msg17 = msg("event_smtp", all14); - - var part30 = tagval("MESSAGE#17:event_smtp:12", 
"nwparser.payload", tvm, { - "action": "action", - "log_part": "id1", - "msg": "info", - "session_id": "sessionid", - "status": "event_state", - "ui": "network_service", - "user": "username", - }, processor_chain([ - dup17, - dup8, - dup9, - dup10, - dup11, - dup12, - dup13, - dup14, - dup15, - ])); - - var msg18 = msg("event_smtp:12", part30); - - var select7 = linear_select([ - msg6, - msg7, - msg8, - msg9, - msg10, - msg11, - msg12, - msg13, - msg14, - msg15, - msg16, - msg17, - msg18, - ]); - - var part31 = match("MESSAGE#18:event_update/0", "nwparser.payload", "msg=%{p0}"); - - var all15 = all_match({ - processors: [ - part31, - dup64, - ], - on_success: processor_chain([ - dup17, - dup8, - dup9, - dup10, - dup11, - dup12, - dup13, - dup14, - dup15, - ]), - }); - - var msg19 = msg("event_update", all15); - - var part32 = match("MESSAGE#19:event_config/1_0", "nwparser.p0", "%{network_service}(%{saddr}) module=%{p0}"); - - var part33 = match("MESSAGE#19:event_config/1_1", "nwparser.p0", "%{network_service->} module=%{p0}"); - - var select8 = linear_select([ - part32, - part33, - ]); - - var part34 = match("MESSAGE#19:event_config/2", "nwparser.p0", "%{fld1->} submodule=%{fld2->} msg=%{p0}"); - - var all16 = all_match({ - processors: [ - dup2, - select8, - part34, - dup64, - ], - on_success: processor_chain([ - setc("eventcategory","1701000000"), - dup8, - dup9, - dup10, - dup11, - dup12, - dup13, - dup14, - dup15, - ]), - }); - - var msg20 = msg("event_config", all16); - - var select9 = linear_select([ - dup31, - dup32, - ]); - - var all17 = all_match({ - processors: [ - dup26, - dup69, - dup70, - select9, - dup68, - dup64, - ], - on_success: processor_chain([ - dup33, - dup8, - dup9, - dup10, - dup11, - dup12, - dup34, - dup15, - ]), - }); - - var msg21 = msg("virus", all17); - - var part35 = match("MESSAGE#21:virus_infected/2_0", "nwparser.p0", "\"%{to}\" client_name=\"%{p0}"); - - var part36 = match("MESSAGE#21:virus_infected/2_1", "nwparser.p0", "%{to->} 
client_name=\"%{p0}"); - - var select10 = linear_select([ - part35, - part36, - ]); - - var part37 = match("MESSAGE#21:virus_infected/3", "nwparser.p0", "%{fqdn}\" client_ip=\"%{saddr}\" session_id=%{p0}"); - - var all18 = all_match({ - processors: [ - dup26, - dup69, - select10, - part37, - dup68, - dup64, - ], - on_success: processor_chain([ - dup33, - dup8, - dup9, - dup10, - dup11, - dup12, - dup13, - dup15, - ]), - }); - - var msg22 = msg("virus_infected", all18); - - var part38 = match("MESSAGE#22:virus_file-signature/0_0", "nwparser.payload", "from=\"%{from}\" to=%{p0}"); - - var part39 = match("MESSAGE#22:virus_file-signature/0_1", "nwparser.payload", "%{from->} to=%{p0}"); - - var select11 = linear_select([ - part38, - part39, - ]); - - var part40 = match("MESSAGE#22:virus_file-signature/2_0", "nwparser.p0", "\"%{sdomain->} [%{saddr}]\" session_id=%{p0}"); - - var part41 = match("MESSAGE#22:virus_file-signature/2_1", "nwparser.p0", "%{sdomain->} [%{saddr}] session_id=%{p0}"); - - var part42 = match("MESSAGE#22:virus_file-signature/2_2", "nwparser.p0", "\"[%{saddr}]\" session_id=%{p0}"); - - var part43 = match("MESSAGE#22:virus_file-signature/2_3", "nwparser.p0", "[%{saddr}] session_id=%{p0}"); - - var select12 = linear_select([ - part40, - part41, - part42, - part43, - dup31, - dup32, - ]); - - var part44 = match("MESSAGE#22:virus_file-signature/4_0", "nwparser.p0", "\"Attachment file (%(unknown)) has sha1 hash value: %{checksum}\""); - - var select13 = linear_select([ - part44, - dup5, - dup6, - ]); - - var all19 = all_match({ - processors: [ - select11, - dup70, - select12, - dup68, - select13, - ], - on_success: processor_chain([ - dup33, - dup8, - dup9, - dup10, - dup11, - dup12, - dup34, - dup15, - ]), - }); - - var msg23 = msg("virus_file-signature", all19); - - var part45 = match("MESSAGE#23:statistics/5", "nwparser.p0", "%{}MSISDN=%{fld3->} resolved=%{p0}"); - - var all20 = all_match({ - processors: [ - dup35, - dup71, - dup72, - dup73, - dup74, - 
part45, - dup75, - dup76, - dup77, - dup51, - dup78, - dup79, - dup80, - dup81, - ], - on_success: processor_chain([ - dup60, - dup8, - dup9, - dup10, - dup11, - dup12, - dup34, - dup15, - ]), - }); - - var msg24 = msg("statistics", all20); - - var all21 = all_match({ - processors: [ - dup35, - dup71, - dup72, - dup73, - dup74, - dup61, - dup75, - dup76, - dup77, - dup51, - dup78, - dup79, - dup80, - dup81, - ], - on_success: processor_chain([ - dup60, - dup8, - dup9, - dup10, - dup11, - dup12, - dup34, - dup15, - ]), - }); - - var msg25 = msg("statistics:01", all21); - - var part46 = match("MESSAGE#25:statistics:02/4_0", "nwparser.p0", "\"%{direction}\" subject=%{p0}"); - - var part47 = match("MESSAGE#25:statistics:02/4_1", "nwparser.p0", "%{direction->} subject=%{p0}"); - - var select14 = linear_select([ - part46, - part47, - ]); - - var part48 = match("MESSAGE#25:statistics:02/5_0", "nwparser.p0", "\"%{subject}\" classifier=%{p0}"); - - var part49 = match("MESSAGE#25:statistics:02/5_1", "nwparser.p0", "%{subject->} classifier=%{p0}"); - - var select15 = linear_select([ - part48, - part49, - ]); - - var part50 = match("MESSAGE#25:statistics:02/6_0", "nwparser.p0", "\"%{filter}\" disposition=%{p0}"); - - var part51 = match("MESSAGE#25:statistics:02/6_1", "nwparser.p0", "%{filter->} disposition=%{p0}"); - - var select16 = linear_select([ - part50, - part51, - ]); - - var part52 = match("MESSAGE#25:statistics:02/7_0", "nwparser.p0", "\"%{disposition}\" client_name=\"%{p0}"); - - var part53 = match("MESSAGE#25:statistics:02/7_1", "nwparser.p0", "%{disposition->} client_name=\"%{p0}"); - - var select17 = linear_select([ - part52, - part53, - ]); - - var part54 = match("MESSAGE#25:statistics:02/10_0", "nwparser.p0", "\"%{context}\" virus=%{p0}"); - - var part55 = match("MESSAGE#25:statistics:02/10_1", "nwparser.p0", "%{context->} virus=%{p0}"); - - var select18 = linear_select([ - part54, - part55, - ]); - - var part56 = match("MESSAGE#25:statistics:02/11_0", 
"nwparser.p0", "\"%{virusname}\" message_length=%{p0}"); - - var part57 = match("MESSAGE#25:statistics:02/11_1", "nwparser.p0", "%{virusname->} message_length=%{p0}"); - - var select19 = linear_select([ - part56, - part57, - ]); - - var part58 = match_copy("MESSAGE#25:statistics:02/12", "nwparser.p0", "fld4"); - - var all22 = all_match({ - processors: [ - dup35, - dup71, - dup69, - dup76, - select14, - select15, - select16, - select17, - dup74, - dup61, - select18, - select19, - part58, - ], - on_success: processor_chain([ - dup60, - dup8, - dup9, - dup10, - dup11, - dup12, - dup34, - dup15, - ]), - }); - - var msg26 = msg("statistics:02", all22); - - var part59 = match("MESSAGE#26:statistics:03/0", "nwparser.payload", "session_id=\"%{sessionid}\" client_name=\"%{p0}"); - - var part60 = match("MESSAGE#26:statistics:03/1_0", "nwparser.p0", "%{fqdn}[%{saddr}] (may be forged)\"%{p0}"); - - var part61 = match("MESSAGE#26:statistics:03/1_1", "nwparser.p0", "%{fqdn}[%{saddr}]\"%{p0}"); - - var part62 = match("MESSAGE#26:statistics:03/1_2", "nwparser.p0", "[%{saddr}]\"%{p0}"); - - var select20 = linear_select([ - part60, - part61, - part62, - ]); - - var part63 = match("MESSAGE#26:statistics:03/2", "nwparser.p0", "dst_ip=\"%{daddr}\" from=\"%{from}\" to=\"%{to}\"%{p0}"); - - var part64 = match("MESSAGE#26:statistics:03/3_0", "nwparser.p0", " polid=\"%{fld5}\" domain=\"%{domain}\" subject=\"%{subject}\" mailer=\"%{agent}\" resolved=\"%{context}\"%{p0}"); - - var part65 = match_copy("MESSAGE#26:statistics:03/3_1", "nwparser.p0", "p0"); - - var select21 = linear_select([ - part64, - part65, - ]); - - var part66 = match("MESSAGE#26:statistics:03/4", "nwparser.p0", "%{}direction=\"%{direction}\" virus=\"%{virusname}\" disposition=\"%{disposition}\" classifier=\"%{filter}\" message_length=%{fld4}"); - - var all23 = all_match({ - processors: [ - part59, - select20, - part63, - select21, - part66, - ], - on_success: processor_chain([ - dup60, - dup8, - dup9, - dup10, - dup11, - 
dup12, - dup34, - dup15, - ]), - }); - - var msg27 = msg("statistics:03", all23); - - var part67 = match("MESSAGE#27:statistics:04/1_0", "nwparser.p0", "\"%{sessionid}\" client_name=%{p0}"); - - var part68 = match("MESSAGE#27:statistics:04/1_1", "nwparser.p0", "%{sessionid->} client_name=%{p0}"); - - var select22 = linear_select([ - part67, - part68, - ]); - - var part69 = match("MESSAGE#27:statistics:04/2_0", "nwparser.p0", "\"%{fqdn}[%{saddr}]\"dst_ip=%{p0}"); - - var part70 = match("MESSAGE#27:statistics:04/2_1", "nwparser.p0", "%{fqdn}[%{saddr}]dst_ip=%{p0}"); - - var part71 = match("MESSAGE#27:statistics:04/2_2", "nwparser.p0", "\"[%{saddr}]\"dst_ip=%{p0}"); - - var part72 = match("MESSAGE#27:statistics:04/2_3", "nwparser.p0", "[%{saddr}]dst_ip=%{p0}"); - - var part73 = match("MESSAGE#27:statistics:04/2_4", "nwparser.p0", "\"%{saddr}\"dst_ip=%{p0}"); - - var part74 = match("MESSAGE#27:statistics:04/2_5", "nwparser.p0", "%{saddr}dst_ip=%{p0}"); - - var select23 = linear_select([ - part69, - part70, - part71, - part72, - part73, - part74, - ]); - - var part75 = match("MESSAGE#27:statistics:04/3_0", "nwparser.p0", "\"%{daddr}\" from=%{p0}"); - - var part76 = match("MESSAGE#27:statistics:04/3_1", "nwparser.p0", "%{daddr->} from=%{p0}"); - - var select24 = linear_select([ - part75, - part76, - ]); - - var part77 = match("MESSAGE#27:statistics:04/4_0", "nwparser.p0", "\"%{from}\" hfrom=%{p0}"); - - var part78 = match("MESSAGE#27:statistics:04/4_1", "nwparser.p0", "%{from->} hfrom=%{p0}"); - - var select25 = linear_select([ - part77, - part78, - ]); - - var part79 = match("MESSAGE#27:statistics:04/5_0", "nwparser.p0", "\"%{fld3}\" to=%{p0}"); - - var part80 = match("MESSAGE#27:statistics:04/5_1", "nwparser.p0", "%{fld3->} to=%{p0}"); - - var select26 = linear_select([ - part79, - part80, - ]); - - var part81 = match("MESSAGE#27:statistics:04/6_0", "nwparser.p0", "\"%{to}\" polid=%{p0}"); - - var part82 = match("MESSAGE#27:statistics:04/6_1", "nwparser.p0", "%{to->} 
polid=%{p0}"); - - var select27 = linear_select([ - part81, - part82, - ]); - - var part83 = match("MESSAGE#27:statistics:04/7_0", "nwparser.p0", "\"%{fld5}\" domain=%{p0}"); - - var part84 = match("MESSAGE#27:statistics:04/7_1", "nwparser.p0", "%{fld5->} domain=%{p0}"); - - var select28 = linear_select([ - part83, - part84, - ]); - - var part85 = match("MESSAGE#27:statistics:04/8_0", "nwparser.p0", "\"%{domain}\" subject=%{p0}"); - - var part86 = match("MESSAGE#27:statistics:04/8_1", "nwparser.p0", "%{domain->} subject=%{p0}"); - - var select29 = linear_select([ - part85, - part86, - ]); - - var part87 = match("MESSAGE#27:statistics:04/9_0", "nwparser.p0", "\"%{subject}\" mailer=%{p0}"); - - var part88 = match("MESSAGE#27:statistics:04/9_1", "nwparser.p0", "%{subject->} mailer=%{p0}"); - - var select30 = linear_select([ - part87, - part88, - ]); - - var part89 = match("MESSAGE#27:statistics:04/10_0", "nwparser.p0", "\"%{agent}\" resolved=%{p0}"); - - var part90 = match("MESSAGE#27:statistics:04/10_1", "nwparser.p0", "%{agent->} resolved=%{p0}"); - - var select31 = linear_select([ - part89, - part90, - ]); - - var part91 = match("MESSAGE#27:statistics:04/11_0", "nwparser.p0", "\"%{context}\" direction=%{p0}"); - - var part92 = match("MESSAGE#27:statistics:04/11_1", "nwparser.p0", "%{context->} direction=%{p0}"); - - var select32 = linear_select([ - part91, - part92, - ]); - - var part93 = match("MESSAGE#27:statistics:04/12_0", "nwparser.p0", "\"%{direction}\" virus=%{p0}"); - - var part94 = match("MESSAGE#27:statistics:04/12_1", "nwparser.p0", "%{direction->} virus=%{p0}"); - - var select33 = linear_select([ - part93, - part94, - ]); - - var part95 = match("MESSAGE#27:statistics:04/15_0", "nwparser.p0", "\"%{filter}\" message_length=%{p0}"); - - var part96 = match("MESSAGE#27:statistics:04/15_1", "nwparser.p0", "%{filter->} message_length=%{p0}"); - - var select34 = linear_select([ - part95, - part96, - ]); - - var part97 = match("MESSAGE#27:statistics:04/16_0", 
"nwparser.p0", "\"%{fld6}\""); - - var part98 = match_copy("MESSAGE#27:statistics:04/16_1", "nwparser.p0", "fld6"); - - var select35 = linear_select([ - part97, - part98, - ]); - - var all24 = all_match({ - processors: [ - dup35, - select22, - select23, - select24, - select25, - select26, - select27, - select28, - select29, - select30, - select31, - select32, - select33, - dup78, - dup79, - select34, - select35, - ], - on_success: processor_chain([ - dup60, - dup8, - dup9, - dup10, - dup11, - dup12, - dup34, - dup15, - ]), - }); - - var msg28 = msg("statistics:04", all24); - - var part99 = tagval("MESSAGE#28:statistics:05", "nwparser.payload", tvm, { - "classifier": "filter", - "client_ip": "saddr", - "client_name": "fqdn", - "direction": "direction", - "disposition": "disposition", - "domain": "domain", - "dst_ip": "daddr", - "from": "from", - "hfrom": "fld3", - "mailer": "agent", - "message_length": "fld6", - "polid": "fld5", - "resolved": "context", - "session_id": "sessionid", - "src_type": "fld7", - "subject": "subject", - "to": "to", - "virus": "virusname", - }, processor_chain([ - dup60, - dup8, - dup9, - dup10, - dup11, - dup12, - dup34, - dup15, - ])); - - var msg29 = msg("statistics:05", part99); - - var select36 = linear_select([ - msg24, - msg25, - msg26, - msg27, - msg28, - msg29, - ]); - - var part100 = match("MESSAGE#29:spam/1_0", "nwparser.p0", "\"%{sessionid}\" client_name=\"%{p0}"); - - var part101 = match("MESSAGE#29:spam/1_1", "nwparser.p0", "%{sessionid->} client_name=\"%{p0}"); - - var select37 = linear_select([ - part100, - part101, - ]); - - var part102 = match("MESSAGE#29:spam/3", "nwparser.p0", "%{}from=%{p0}"); - - var part103 = match("MESSAGE#29:spam/5_0", "nwparser.p0", "\"%{to}\" subject=%{p0}"); - - var part104 = match("MESSAGE#29:spam/5_1", "nwparser.p0", "%{to->} subject=%{p0}"); - - var select38 = linear_select([ - part103, - part104, - ]); - - var part105 = match("MESSAGE#29:spam/6_0", "nwparser.p0", "\"%{subject}\" msg=%{p0}"); - 
- var part106 = match("MESSAGE#29:spam/6_1", "nwparser.p0", "%{subject->} msg=%{p0}"); - - var select39 = linear_select([ - part105, - part106, - ]); - - var all25 = all_match({ - processors: [ - dup35, - select37, - dup74, - part102, - dup69, - select38, - select39, - dup64, - ], - on_success: processor_chain([ - dup62, - dup8, - dup9, - dup10, - dup11, - dup12, - dup34, - dup15, - ]), - }); - - var msg30 = msg("spam", all25); - - var part107 = match("MESSAGE#30:spam:04", "nwparser.payload", "session_id=\"%{sessionid}\" client_name=\"%{fqdn->} [%{saddr}] (%{fld2})\" dst_ip=\"%{daddr}\" from=\"%{from}\" to=\"%{to}\" subject=\"%{subject}\" msg=\"%{event_description}\"", processor_chain([ - dup62, - dup8, - dup9, - dup10, - dup11, - dup12, - dup34, - dup15, - ])); - - var msg31 = msg("spam:04", part107); - - var part108 = match("MESSAGE#31:spam:03/0", "nwparser.payload", "session_id=\"%{sessionid}\" client_name=%{p0}"); - - var part109 = match("MESSAGE#31:spam:03/1_0", "nwparser.p0", "\"%{fqdn->} [%{saddr}]\" %{p0}"); - - var part110 = match("MESSAGE#31:spam:03/1_1", "nwparser.p0", " \"%{fqdn}\" client_ip=\"%{saddr}\"%{p0}"); - - var select40 = linear_select([ - part109, - part110, - ]); - - var part111 = match("MESSAGE#31:spam:03/2", "nwparser.p0", "%{}dst_ip=\"%{daddr}\" from=\"%{from}\" to=\"%{to}\" subject=\"%{subject}\" msg=\"%{event_description}\""); - - var all26 = all_match({ - processors: [ - part108, - select40, - part111, - ], - on_success: processor_chain([ - dup62, - dup8, - dup9, - dup10, - dup11, - dup12, - dup34, - dup15, - ]), - }); - - var msg32 = msg("spam:03", all26); - - var part112 = match("MESSAGE#32:spam:02", "nwparser.payload", "session_id=\"%{sessionid}\" from=\"%{from}\" to=\"%{to}\" subject=\"%{subject}\" msg=\"%{event_description}\"", processor_chain([ - dup62, - dup8, - dup9, - dup10, - dup11, - dup12, - dup34, - dup15, - ])); - - var msg33 = msg("spam:02", part112); - - var part113 = match("MESSAGE#33:spam:01/3_0", "nwparser.p0", 
"\"%{to}\" msg=%{p0}"); - - var part114 = match("MESSAGE#33:spam:01/3_1", "nwparser.p0", "%{to->} msg=%{p0}"); - - var select41 = linear_select([ - part113, - part114, - ]); - - var all27 = all_match({ - processors: [ - dup35, - dup71, - dup69, - select41, - dup64, - ], - on_success: processor_chain([ - dup62, - dup8, - dup9, - dup10, - dup11, - dup12, - dup34, - dup15, - ]), - }); - - var msg34 = msg("spam:01", all27); - - var select42 = linear_select([ - msg30, - msg31, - msg32, - msg33, - msg34, - ]); - - var chain1 = processor_chain([ - select1, - msgid_select({ - "event_admin": msg1, - "event_config": msg20, - "event_imap": msg5, - "event_pop3": msg2, - "event_smtp": select7, - "event_system": msg4, - "event_update": msg19, - "event_webmail": msg3, - "spam": select42, - "statistics": select36, - "virus": msg21, - "virus_file-signature": msg23, - "virus_infected": msg22, - }), - ]); - - var part115 = match("MESSAGE#0:event_admin/0", "nwparser.payload", "user=%{username->} ui=%{p0}"); - - var part116 = match("MESSAGE#0:event_admin/1_0", "nwparser.p0", "%{network_service}(%{saddr}) action=%{p0}"); - - var part117 = match("MESSAGE#0:event_admin/1_1", "nwparser.p0", "%{network_service->} action=%{p0}"); - - var part118 = match("MESSAGE#0:event_admin/3_0", "nwparser.p0", "\"%{event_description}\""); - - var part119 = match_copy("MESSAGE#0:event_admin/3_1", "nwparser.p0", "event_description"); - - var part120 = match("MESSAGE#1:event_pop3/2", "nwparser.p0", "%{action->} status=%{event_state->} msg=%{p0}"); - - var part121 = match("MESSAGE#5:event_smtp:01/0", "nwparser.payload", "user=%{username}ui=%{p0}"); - - var part122 = match("MESSAGE#5:event_smtp:01/1_0", "nwparser.p0", "%{network_service}(%{hostip}) action=%{p0}"); - - var part123 = match("MESSAGE#5:event_smtp:01/1_1", "nwparser.p0", "%{network_service}action=%{p0}"); - - var part124 = match("MESSAGE#5:event_smtp:01/2", "nwparser.p0", "%{action}status=%{event_state}session_id=%{p0}"); - - var part125 = 
match("MESSAGE#5:event_smtp:01/3_0", "nwparser.p0", "\"%{sessionid}\"msg=\"STARTTLS=%{p0}"); - - var part126 = match("MESSAGE#5:event_smtp:01/3_1", "nwparser.p0", "%{sessionid}msg=\"STARTTLS=%{p0}"); - - var part127 = match("MESSAGE#16:event_smtp/3_0", "nwparser.p0", "\"%{sessionid}\" msg=%{p0}"); - - var part128 = match("MESSAGE#16:event_smtp/3_1", "nwparser.p0", "%{sessionid->} msg=%{p0}"); - - var part129 = match("MESSAGE#20:virus/0", "nwparser.payload", "from=%{p0}"); - - var part130 = match("MESSAGE#20:virus/1_0", "nwparser.p0", "\"%{from}\" to=%{p0}"); - - var part131 = match("MESSAGE#20:virus/1_1", "nwparser.p0", "%{from->} to=%{p0}"); - - var part132 = match("MESSAGE#20:virus/2_0", "nwparser.p0", "\"%{to}\" src=%{p0}"); - - var part133 = match("MESSAGE#20:virus/2_1", "nwparser.p0", "%{to->} src=%{p0}"); - - var part134 = match("MESSAGE#20:virus/3_0", "nwparser.p0", "\"%{saddr}\" session_id=%{p0}"); - - var part135 = match("MESSAGE#20:virus/3_1", "nwparser.p0", "%{saddr->} session_id=%{p0}"); - - var part136 = match("MESSAGE#23:statistics/0", "nwparser.payload", "session_id=%{p0}"); - - var part137 = match("MESSAGE#23:statistics/1_0", "nwparser.p0", "\"%{sessionid}\" from=%{p0}"); - - var part138 = match("MESSAGE#23:statistics/1_1", "nwparser.p0", "%{sessionid->} from=%{p0}"); - - var part139 = match("MESSAGE#23:statistics/2_0", "nwparser.p0", "\"%{from}\" mailer=%{p0}"); - - var part140 = match("MESSAGE#23:statistics/2_1", "nwparser.p0", "%{from->} mailer=%{p0}"); - - var part141 = match("MESSAGE#23:statistics/3_0", "nwparser.p0", "\"%{agent}\" client_name=\"%{p0}"); - - var part142 = match("MESSAGE#23:statistics/3_1", "nwparser.p0", "%{agent->} client_name=\"%{p0}"); - - var part143 = match("MESSAGE#23:statistics/4_0", "nwparser.p0", "%{fqdn->} [%{saddr}] (%{info})\"%{p0}"); - - var part144 = match("MESSAGE#23:statistics/4_1", "nwparser.p0", "%{fqdn->} [%{saddr}]\"%{p0}"); - - var part145 = match("MESSAGE#23:statistics/4_2", "nwparser.p0", 
"%{saddr}\"%{p0}"); - - var part146 = match("MESSAGE#23:statistics/6_0", "nwparser.p0", "\"%{context}\" to=%{p0}"); - - var part147 = match("MESSAGE#23:statistics/6_1", "nwparser.p0", "%{context->} to=%{p0}"); - - var part148 = match("MESSAGE#23:statistics/7_0", "nwparser.p0", "\"%{to}\" direction=%{p0}"); - - var part149 = match("MESSAGE#23:statistics/7_1", "nwparser.p0", "%{to->} direction=%{p0}"); - - var part150 = match("MESSAGE#23:statistics/8_0", "nwparser.p0", "\"%{direction}\" message_length=%{p0}"); - - var part151 = match("MESSAGE#23:statistics/8_1", "nwparser.p0", "%{direction->} message_length=%{p0}"); - - var part152 = match("MESSAGE#23:statistics/9", "nwparser.p0", "%{fld4->} virus=%{p0}"); - - var part153 = match("MESSAGE#23:statistics/10_0", "nwparser.p0", "\"%{virusname}\" disposition=%{p0}"); - - var part154 = match("MESSAGE#23:statistics/10_1", "nwparser.p0", "%{virusname->} disposition=%{p0}"); - - var part155 = match("MESSAGE#23:statistics/11_0", "nwparser.p0", "\"%{disposition}\" classifier=%{p0}"); - - var part156 = match("MESSAGE#23:statistics/11_1", "nwparser.p0", "%{disposition->} classifier=%{p0}"); - - var part157 = match("MESSAGE#23:statistics/12_0", "nwparser.p0", "\"%{filter}\" subject=%{p0}"); - - var part158 = match("MESSAGE#23:statistics/12_1", "nwparser.p0", "%{filter->} subject=%{p0}"); - - var part159 = match("MESSAGE#23:statistics/13_0", "nwparser.p0", "\"%{subject}\""); - - var part160 = match_copy("MESSAGE#23:statistics/13_1", "nwparser.p0", "subject"); - - var part161 = match("MESSAGE#24:statistics:01/5", "nwparser.p0", "%{}resolved=%{p0}"); - - var select43 = linear_select([ - dup3, - dup4, - ]); - - var select44 = linear_select([ - dup5, - dup6, - ]); - - var select45 = linear_select([ - dup19, - dup20, - ]); - - var select46 = linear_select([ - dup22, - dup23, - ]); - - var select47 = linear_select([ - dup3, - dup20, - ]); - - var select48 = linear_select([ - dup24, - dup25, - ]); - - var select49 = linear_select([ - 
dup27, - dup28, - ]); - - var select50 = linear_select([ - dup29, - dup30, - ]); - - var select51 = linear_select([ - dup36, - dup37, - ]); - - var select52 = linear_select([ - dup38, - dup39, - ]); - - var select53 = linear_select([ - dup40, - dup41, - ]); - - var select54 = linear_select([ - dup42, - dup43, - dup44, - ]); - - var select55 = linear_select([ - dup45, - dup46, - ]); - - var select56 = linear_select([ - dup47, - dup48, - ]); - - var select57 = linear_select([ - dup49, - dup50, - ]); - - var select58 = linear_select([ - dup52, - dup53, - ]); - - var select59 = linear_select([ - dup54, - dup55, - ]); - - var select60 = linear_select([ - dup56, - dup57, - ]); - - var select61 = linear_select([ - dup58, - dup59, - ]); - - var all28 = all_match({ - processors: [ - dup2, - dup63, - dup16, - dup64, - ], - on_success: processor_chain([ - dup17, - dup8, - dup9, - dup10, - dup11, - dup12, - dup13, - dup14, - dup15, - ]), - }); - -- community_id: -- registered_domain: - ignore_missing: true - ignore_failure: true - field: dns.question.name - target_field: dns.question.registered_domain - target_subdomain_field: dns.question.subdomain - target_etld_field: dns.question.top_level_domain -- registered_domain: - ignore_missing: true - ignore_failure: true - field: client.domain - target_field: client.registered_domain - target_subdomain_field: client.subdomain - target_etld_field: client.top_level_domain -- registered_domain: - ignore_missing: true - ignore_failure: true - field: server.domain - target_field: server.registered_domain - target_subdomain_field: server.subdomain - target_etld_field: server.top_level_domain -- registered_domain: - ignore_missing: true - ignore_failure: true - field: destination.domain - target_field: destination.registered_domain - target_subdomain_field: destination.subdomain - target_etld_field: destination.top_level_domain -- registered_domain: - ignore_missing: true - ignore_failure: true - field: source.domain - target_field: 
source.registered_domain
- target_subdomain_field: source.subdomain
- target_etld_field: source.top_level_domain
-- registered_domain:
- ignore_missing: true
- ignore_failure: true
- field: url.domain
- target_field: url.registered_domain
- target_subdomain_field: url.subdomain
- target_etld_field: url.top_level_domain
-- add_locale: ~
diff --git a/packages/fortinet_fortimail/1.1.1/data_stream/log/agent/stream/tcp.yml.hbs b/packages/fortinet_fortimail/1.1.1/data_stream/log/agent/stream/tcp.yml.hbs
deleted file mode 100755
index cc108a4d8e..0000000000
--- a/packages/fortinet_fortimail/1.1.1/data_stream/log/agent/stream/tcp.yml.hbs
+++ /dev/null
@@ -1,4291 +0,0 @@
-tcp:
-host: "{{tcp_host}}:{{tcp_port}}"
-tags:
-{{#if preserve_original_event}}
- - preserve_original_event
-{{/if}}
-{{#each tags as |tag i|}}
- - {{tag}}
-{{/each}}
-{{#contains "forwarded" tags}}
-publisher_pipeline.disable_host: true
-{{/contains}}
-processors:
-{{#if processors}}
-{{processors}}
-{{/if}}
-- script:
- lang: javascript
- params:
- ecs: true
- rsa: {{rsa_fields}}
- tz_offset: {{tz_offset}}
- keep_raw: {{keep_raw_fields}}
- debug: {{debug}}
- source: |
- // Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
- // or more contributor license agreements. Licensed under the Elastic License;
- // you may not use this file except in compliance with the Elastic License.
-
- /* jshint -W014,-W016,-W097,-W116 */
-
- var processor = require("processor");
- var console = require("console");
-
- var FLAG_FIELD = "log.flags";
- var FIELDS_OBJECT = "nwparser";
- var FIELDS_PREFIX = FIELDS_OBJECT + ".";
-
- var defaults = {
- debug: false,
- ecs: true,
- rsa: false,
- keep_raw: false,
- tz_offset: "local",
- strip_priority: true
- };
-
- var saved_flags = null;
- var debug;
- var map_ecs;
- var map_rsa;
- var keep_raw;
- var device;
- var tz_offset;
- var strip_priority;
-
- // Register params from configuration.
- function register(params) {
- debug = params.debug !== undefined ? params.debug : defaults.debug;
- map_ecs = params.ecs !== undefined ? params.ecs : defaults.ecs;
- map_rsa = params.rsa !== undefined ? params.rsa : defaults.rsa;
- keep_raw = params.keep_raw !== undefined ? params.keep_raw : defaults.keep_raw;
- tz_offset = parse_tz_offset(params.tz_offset !== undefined? params.tz_offset : defaults.tz_offset);
- strip_priority = params.strip_priority !== undefined? params.strip_priority : defaults.strip_priority;
- device = new DeviceProcessor();
- }
-
- function parse_tz_offset(offset) {
- var date;
- var m;
- switch(offset) {
- // local uses the tz offset from the JS VM.
- case "local": - date = new Date(); - // Reversing the sign as we the offset from UTC, not to UTC. - return parse_local_tz_offset(-date.getTimezoneOffset()); - // event uses the tz offset from event.timezone (add_locale processor). - case "event": - return offset; - // Otherwise a tz offset in the form "[+-][0-9]{4}" is required. - default: - m = offset.match(/^([+\-])([0-9]{2}):?([0-9]{2})?$/); - if (m === null || m.length !== 4) { - throw("bad timezone offset: '" + offset + "'. Must have the form +HH:MM"); - } - return m[1] + m[2] + ":" + (m[3]!==undefined? m[3] : "00"); - } - } - - function parse_local_tz_offset(minutes) { - var neg = minutes < 0; - minutes = Math.abs(minutes); - var min = minutes % 60; - var hours = Math.floor(minutes / 60); - var pad2digit = function(n) { - if (n < 10) { return "0" + n;} - return "" + n; - }; - return (neg? "-" : "+") + pad2digit(hours) + ":" + pad2digit(min); - } - - function process(evt) { - // Function register is only called by the processor when `params` are set - // in the processor config. - if (device === undefined) { - register(defaults); - } - return device.process(evt); - } - - function processor_chain(subprocessors) { - var builder = new processor.Chain(); - subprocessors.forEach(builder.Add); - return builder.Build().Run; - } - - function linear_select(subprocessors) { - return function (evt) { - var flags = evt.Get(FLAG_FIELD); - var i; - for (i = 0; i < subprocessors.length; i++) { - evt.Delete(FLAG_FIELD); - if (debug) console.warn("linear_select trying entry " + i); - subprocessors[i](evt); - // Dissect processor succeeded? 
- if (evt.Get(FLAG_FIELD) == null) break; - if (debug) console.warn("linear_select failed entry " + i); - } - if (flags !== null) { - evt.Put(FLAG_FIELD, flags); - } - if (debug) { - if (i < subprocessors.length) { - console.warn("linear_select matched entry " + i); - } else { - console.warn("linear_select didn't match"); - } - } - }; - } - - function conditional(opt) { - return function(evt) { - if (opt.if(evt)) { - opt.then(evt); - } else if (opt.else) { - opt.else(evt); - } - }; - } - - var strip_syslog_priority = (function() { - var isEnabled = function() { return strip_priority === true; }; - var fetchPRI = field("_pri"); - var fetchPayload = field("payload"); - var removePayload = remove(["payload"]); - var cleanup = remove(["_pri", "payload"]); - var onMatch = function(evt) { - var pri, priStr = fetchPRI(evt); - if (priStr != null - && 0 < priStr.length && priStr.length < 4 - && !isNaN((pri = Number(priStr))) - && 0 <= pri && pri < 192) { - var severity = pri & 7, - facility = pri >> 3; - setc("_severity", "" + severity)(evt); - setc("_facility", "" + facility)(evt); - // Replace message with priority stripped. - evt.Put("message", fetchPayload(evt)); - removePayload(evt); - } else { - // not a valid syslog PRI, cleanup. 
- cleanup(evt); - } - }; - return conditional({ - if: isEnabled, - then: cleanup_flags(match( - "STRIP_PRI", - "message", - "<%{_pri}>%{payload}", - onMatch - )) - }); - })(); - - function match(id, src, pattern, on_success) { - var dissect = new processor.Dissect({ - field: src, - tokenizer: pattern, - target_prefix: FIELDS_OBJECT, - ignore_failure: true, - overwrite_keys: true, - trim_values: "right" - }); - return function (evt) { - var msg = evt.Get(src); - dissect.Run(evt); - var failed = evt.Get(FLAG_FIELD) != null; - if (debug) { - if (failed) { - console.debug("dissect fail: " + id + " field:" + src); - } else { - console.debug("dissect OK: " + id + " field:" + src); - } - console.debug(" expr: <<" + pattern + ">>"); - console.debug(" input: <<" + msg + ">>"); - } - if (on_success != null && !failed) { - on_success(evt); - } - }; - } - - function match_copy(id, src, dst, on_success) { - dst = FIELDS_PREFIX + dst; - if (dst === FIELDS_PREFIX || dst === src) { - return function (evt) { - if (debug) { - console.debug("noop OK: " + id + " field:" + src); - console.debug(" input: <<" + evt.Get(src) + ">>"); - } - if (on_success != null) on_success(evt); - } - } - return function (evt) { - var msg = evt.Get(src); - evt.Put(dst, msg); - if (debug) { - console.debug("copy OK: " + id + " field:" + src); - console.debug(" target: '" + dst + "'"); - console.debug(" input: <<" + msg + ">>"); - } - if (on_success != null) on_success(evt); - } - } - - function cleanup_flags(processor) { - return function(evt) { - processor(evt); - evt.Delete(FLAG_FIELD); - }; - } - - function all_match(opts) { - return function (evt) { - var i; - for (i = 0; i < opts.processors.length; i++) { - evt.Delete(FLAG_FIELD); - opts.processors[i](evt); - // Dissect processor succeeded? 
- if (evt.Get(FLAG_FIELD) != null) { - if (debug) console.warn("all_match failure at " + i); - if (opts.on_failure != null) opts.on_failure(evt); - return; - } - if (debug) console.warn("all_match success at " + i); - } - if (opts.on_success != null) opts.on_success(evt); - }; - } - - function msgid_select(mapping) { - return function (evt) { - var msgid = evt.Get(FIELDS_PREFIX + "messageid"); - if (msgid == null) { - if (debug) console.warn("msgid_select: no messageid captured!"); - return; - } - var next = mapping[msgid]; - if (next === undefined) { - if (debug) console.warn("msgid_select: no mapping for messageid:" + msgid); - return; - } - if (debug) console.info("msgid_select: matched key=" + msgid); - return next(evt); - }; - } - - function msg(msg_id, match) { - return function (evt) { - match(evt); - if (evt.Get(FLAG_FIELD) == null) { - evt.Put(FIELDS_PREFIX + "msg_id1", msg_id); - } - }; - } - - var start; - - function save_flags(evt) { - saved_flags = evt.Get(FLAG_FIELD); - evt.Put("event.original", evt.Get("message")); - } - - function restore_flags(evt) { - if (saved_flags !== null) { - evt.Put(FLAG_FIELD, saved_flags); - } - evt.Delete("message"); - } - - function constant(value) { - return function (evt) { - return value; - }; - } - - function field(name) { - var fullname = FIELDS_PREFIX + name; - return function (evt) { - return evt.Get(fullname); - }; - } - - function STRCAT(args) { - var s = ""; - var i; - for (i = 0; i < args.length; i++) { - s += args[i]; - } - return s; - } - - // TODO: Implement - function DIRCHK(args) { - unimplemented("DIRCHK"); - } - - function strictToInt(str) { - return str * 1; - } - - function CALC(args) { - if (args.length !== 3) { - console.warn("skipped call to CALC with " + args.length + " arguments."); - return; - } - var a = strictToInt(args[0]); - var b = strictToInt(args[2]); - if (isNaN(a) || isNaN(b)) { - console.warn("failed evaluating CALC arguments a='" + args[0] + "' b='" + args[2] + "'."); - return; - } - 
var result; - switch (args[1]) { - case "+": - result = a + b; - break; - case "-": - result = a - b; - break; - case "*": - result = a * b; - break; - default: - // Only * and + seen in the parsers. - console.warn("unknown CALC operation '" + args[1] + "'."); - return; - } - // Always return a string - return result !== undefined ? "" + result : result; - } - - var quoteChars = "\"'`"; - function RMQ(args) { - if(args.length !== 1) { - console.warn("RMQ: only one argument expected"); - return; - } - var value = args[0].trim(); - var n = value.length; - var char; - return n > 1 - && (char=value.charAt(0)) === value.charAt(n-1) - && quoteChars.indexOf(char) !== -1? - value.substr(1, n-2) - : value; - } - - function call(opts) { - var args = new Array(opts.args.length); - return function (evt) { - for (var i = 0; i < opts.args.length; i++) - if ((args[i] = opts.args[i](evt)) == null) return; - var result = opts.fn(args); - if (result != null) { - evt.Put(opts.dest, result); - } - }; - } - - function nop(evt) { - } - - function appendErrorMsg(evt, msg) { - var value = evt.Get("error.message"); - if (value == null) { - value = [msg]; - } else if (msg instanceof Array) { - value.push(msg); - } else { - value = [value, msg]; - } - evt.Put("error.message", value); - } - - function unimplemented(name) { - appendErrorMsg("unimplemented feature: " + name); - } - - function lookup(opts) { - return function (evt) { - var key = opts.key(evt); - if (key == null) return; - var value = opts.map.keyvaluepairs[key]; - if (value === undefined) { - value = opts.map.default; - } - if (value !== undefined) { - evt.Put(opts.dest, value(evt)); - } - }; - } - - function set(fields) { - return new processor.AddFields({ - target: FIELDS_OBJECT, - fields: fields, - }); - } - - function setf(dst, src) { - return function (evt) { - var val = evt.Get(FIELDS_PREFIX + src); - if (val != null) evt.Put(FIELDS_PREFIX + dst, val); - }; - } - - function setc(dst, value) { - return function (evt) { - 
evt.Put(FIELDS_PREFIX + dst, value); - }; - } - - function set_field(opts) { - return function (evt) { - var val = opts.value(evt); - if (val != null) evt.Put(opts.dest, val); - }; - } - - function dump(label) { - return function (evt) { - console.log("Dump of event at " + label + ": " + JSON.stringify(evt, null, "\t")); - }; - } - - function date_time_join_args(evt, arglist) { - var str = ""; - for (var i = 0; i < arglist.length; i++) { - var fname = FIELDS_PREFIX + arglist[i]; - var val = evt.Get(fname); - if (val != null) { - if (str !== "") str += " "; - str += val; - } else { - if (debug) console.warn("in date_time: input arg " + fname + " is not set"); - } - } - return str; - } - - function to2Digit(num) { - return num? (num < 10? "0" + num : num) : "00"; - } - - // Make two-digit dates 00-69 interpreted as 2000-2069 - // and dates 70-99 translated to 1970-1999. - var twoDigitYearEpoch = 70; - var twoDigitYearCentury = 2000; - - // This is to accept dates up to 2 days in the future, only used when - // no year is specified in a date. 2 days should be enough to account for - // time differences between systems and different tz offsets. - var maxFutureDelta = 2*24*60*60*1000; - - // DateContainer stores date fields and then converts those fields into - // a Date. Necessary because building a Date using its set() methods gives - // different results depending on the order of components. - function DateContainer(tzOffset) { - this.offset = tzOffset === undefined? "Z" : tzOffset; - } - - DateContainer.prototype = { - setYear: function(v) {this.year = v;}, - setMonth: function(v) {this.month = v;}, - setDay: function(v) {this.day = v;}, - setHours: function(v) {this.hours = v;}, - setMinutes: function(v) {this.minutes = v;}, - setSeconds: function(v) {this.seconds = v;}, - - setUNIX: function(v) {this.unix = v;}, - - set2DigitYear: function(v) { - this.year = v < twoDigitYearEpoch? 
twoDigitYearCentury + v : twoDigitYearCentury + v - 100; - }, - - toDate: function() { - if (this.unix !== undefined) { - return new Date(this.unix * 1000); - } - if (this.day === undefined || this.month === undefined) { - // Can't make a date from this. - return undefined; - } - if (this.year === undefined) { - // A date without a year. Set current year, or previous year - // if date would be in the future. - var now = new Date(); - this.year = now.getFullYear(); - var date = this.toDate(); - if (date.getTime() - now.getTime() > maxFutureDelta) { - date.setFullYear(now.getFullYear() - 1); - } - return date; - } - var MM = to2Digit(this.month); - var DD = to2Digit(this.day); - var hh = to2Digit(this.hours); - var mm = to2Digit(this.minutes); - var ss = to2Digit(this.seconds); - return new Date(this.year + "-" + MM + "-" + DD + "T" + hh + ":" + mm + ":" + ss + this.offset); - } - } - - function date_time_try_pattern(fmt, str, tzOffset) { - var date = new DateContainer(tzOffset); - var pos = date_time_try_pattern_at_pos(fmt, str, 0, date); - return pos !== undefined? 
date.toDate() : undefined; - } - - function date_time_try_pattern_at_pos(fmt, str, pos, date) { - var len = str.length; - for (var proc = 0; pos !== undefined && pos < len && proc < fmt.length; proc++) { - pos = fmt[proc](str, pos, date); - } - return pos; - } - - function date_time(opts) { - return function (evt) { - var tzOffset = opts.tz || tz_offset; - if (tzOffset === "event") { - tzOffset = evt.Get("event.timezone"); - } - var str = date_time_join_args(evt, opts.args); - for (var i = 0; i < opts.fmts.length; i++) { - var date = date_time_try_pattern(opts.fmts[i], str, tzOffset); - if (date !== undefined) { - evt.Put(FIELDS_PREFIX + opts.dest, date); - return; - } - } - if (debug) console.warn("in date_time: id=" + opts.id + " FAILED: " + str); - }; - } - - var uA = 60 * 60 * 24; - var uD = 60 * 60 * 24; - var uF = 60 * 60; - var uG = 60 * 60 * 24 * 30; - var uH = 60 * 60; - var uI = 60 * 60; - var uJ = 60 * 60 * 24; - var uM = 60 * 60 * 24 * 30; - var uN = 60 * 60; - var uO = 1; - var uS = 1; - var uT = 60; - var uU = 60; - var uc = dc; - - function duration(opts) { - return function(evt) { - var str = date_time_join_args(evt, opts.args); - for (var i = 0; i < opts.fmts.length; i++) { - var seconds = duration_try_pattern(opts.fmts[i], str); - if (seconds !== undefined) { - evt.Put(FIELDS_PREFIX + opts.dest, seconds); - return; - } - } - if (debug) console.warn("in duration: id=" + opts.id + " (s) FAILED: " + str); - }; - } - - function duration_try_pattern(fmt, str) { - var secs = 0; - var pos = 0; - for (var i=0; i [ month_id , how many chars to skip if month in long form ] - "Jan": [0, 4], - "Feb": [1, 5], - "Mar": [2, 2], - "Apr": [3, 2], - "May": [4, 0], - "Jun": [5, 1], - "Jul": [6, 1], - "Aug": [7, 3], - "Sep": [8, 6], - "Oct": [9, 4], - "Nov": [10, 5], - "Dec": [11, 4], - "jan": [0, 4], - "feb": [1, 5], - "mar": [2, 2], - "apr": [3, 2], - "may": [4, 0], - "jun": [5, 1], - "jul": [6, 1], - "aug": [7, 3], - "sep": [8, 6], - "oct": [9, 4], - "nov": [10, 
5], - "dec": [11, 4], - }; - - // var dC = undefined; - var dR = dateMonthName(true); - var dB = dateMonthName(false); - var dM = dateFixedWidthNumber("M", 2, 1, 12, DateContainer.prototype.setMonth); - var dG = dateVariableWidthNumber("G", 1, 12, DateContainer.prototype.setMonth); - var dD = dateFixedWidthNumber("D", 2, 1, 31, DateContainer.prototype.setDay); - var dF = dateVariableWidthNumber("F", 1, 31, DateContainer.prototype.setDay); - var dH = dateFixedWidthNumber("H", 2, 0, 24, DateContainer.prototype.setHours); - var dI = dateVariableWidthNumber("I", 0, 24, DateContainer.prototype.setHours); // Accept hours >12 - var dN = dateVariableWidthNumber("N", 0, 24, DateContainer.prototype.setHours); - var dT = dateFixedWidthNumber("T", 2, 0, 59, DateContainer.prototype.setMinutes); - var dU = dateVariableWidthNumber("U", 0, 59, DateContainer.prototype.setMinutes); - var dP = parseAMPM; // AM|PM - var dQ = parseAMPM; // A.M.|P.M - var dS = dateFixedWidthNumber("S", 2, 0, 60, DateContainer.prototype.setSeconds); - var dO = dateVariableWidthNumber("O", 0, 60, DateContainer.prototype.setSeconds); - var dY = dateFixedWidthNumber("Y", 2, 0, 99, DateContainer.prototype.set2DigitYear); - var dW = dateFixedWidthNumber("W", 4, 1000, 9999, DateContainer.prototype.setYear); - var dZ = parseHMS; - var dX = dateVariableWidthNumber("X", 0, 0x10000000000, DateContainer.prototype.setUNIX); - - // parseAMPM parses "A.M", "AM", "P.M", "PM" from logs. - // Only works if this modifier appears after the hour has been read from logs - // which is always the case in the 300 devices. 
- function parseAMPM(str, pos, date) { - var n = str.length; - var start = skipws(str, pos); - if (start + 2 > n) return; - var head = str.substr(start, 2).toUpperCase(); - var isPM = false; - var skip = false; - switch (head) { - case "A.": - skip = true; - /* falls through */ - case "AM": - break; - case "P.": - skip = true; - /* falls through */ - case "PM": - isPM = true; - break; - default: - if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(head:" + head + ")"); - return; - } - pos = start + 2; - if (skip) { - if (pos+2 > n || str.substr(pos, 2).toUpperCase() !== "M.") { - if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(tail)"); - return; - } - pos += 2; - } - var hh = date.hours; - if (isPM) { - // Accept existing hour in 24h format. - if (hh < 12) hh += 12; - } else { - if (hh === 12) hh = 0; - } - date.setHours(hh); - return pos; - } - - function parseHMS(str, pos, date) { - return date_time_try_pattern_at_pos([dN, dc(":"), dU, dc(":"), dO], str, pos, date); - } - - function skipws(str, pos) { - for ( var n = str.length; - pos < n && str.charAt(pos) === " "; - pos++) - ; - return pos; - } - - function skipdigits(str, pos) { - var c; - for (var n = str.length; - pos < n && (c = str.charAt(pos)) >= "0" && c <= "9"; - pos++) - ; - return pos; - } - - function dSkip(str, pos, date) { - var chr; - for (;pos < str.length && (chr=str[pos])<'0' || chr>'9'; pos++) {} - return pos < str.length? 
pos : undefined; - } - - function dateVariableWidthNumber(fmtChar, min, max, setter) { - return function (str, pos, date) { - var start = skipws(str, pos); - pos = skipdigits(str, start); - var s = str.substr(start, pos - start); - var value = parseInt(s, 10); - if (value >= min && value <= max) { - setter.call(date, value); - return pos; - } - return; - }; - } - - function dateFixedWidthNumber(fmtChar, width, min, max, setter) { - return function (str, pos, date) { - pos = skipws(str, pos); - var n = str.length; - if (pos + width > n) return; - var s = str.substr(pos, width); - var value = parseInt(s, 10); - if (value >= min && value <= max) { - setter.call(date, value); - return pos + width; - } - return; - }; - } - - // Short month name (Jan..Dec). - function dateMonthName(long) { - return function (str, pos, date) { - pos = skipws(str, pos); - var n = str.length; - if (pos + 3 > n) return; - var mon = str.substr(pos, 3); - var idx = shortMonths[mon]; - if (idx === undefined) { - idx = shortMonths[mon.toLowerCase()]; - } - if (idx === undefined) { - //console.warn("parsing date_time: '" + mon + "' is not a valid short month (%B)"); - return; - } - date.setMonth(idx[0]+1); - return pos + 3 + (long ? 
idx[1] : 0); - }; - } - - function url_wrapper(dst, src, fn) { - return function(evt) { - var value = evt.Get(FIELDS_PREFIX + src), result; - if (value != null && (result = fn(value))!== undefined) { - evt.Put(FIELDS_PREFIX + dst, result); - } else { - console.debug(fn.name + " failed for '" + value + "'"); - } - }; - } - - // The following regular expression for parsing URLs from: - // https://github.com/wizard04wsu/URI_Parsing - // - // The MIT License (MIT) - // - // Copyright (c) 2014 Andrew Harrison - // - // Permission is hereby granted, free of charge, to any person obtaining a copy of - // this software and associated documentation files (the "Software"), to deal in - // the Software without restriction, including without limitation the rights to - // use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of - // the Software, and to permit persons to whom the Software is furnished to do so, - // subject to the following conditions: - // - // The above copyright notice and this permission notice shall be included in all - // copies or substantial portions of the Software. - // - // THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR - // IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS - // FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR - // COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER - // IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN - // CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 
- var uriRegExp = /^([a-z][a-z0-9+.\-]*):(?:\/\/((?:(?=((?:[a-z0-9\-._~!$&'()*+,;=:]|%[0-9A-F]{2})*))(\3)@)?(?=(\[[0-9A-F:.]{2,}\]|(?:[a-z0-9\-._~!$&'()*+,;=]|%[0-9A-F]{2})*))\5(?::(?=(\d*))\6)?)(\/(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\8)?|(\/?(?!\/)(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\10)?)(?:\?(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\11)?(?:#(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\12)?$/i; - - var uriScheme = 1; - var uriDomain = 5; - var uriPort = 6; - var uriPath = 7; - var uriPathAlt = 9; - var uriQuery = 11; - - function domain(dst, src) { - return url_wrapper(dst, src, extract_domain); - } - - function split_url(value) { - var m = value.match(uriRegExp); - if (m && m[uriDomain]) return m; - // Support input in the form "www.example.net/path", but not "/path". - m = ("null://" + value).match(uriRegExp); - if (m) return m; - } - - function extract_domain(value) { - var m = split_url(value); - if (m && m[uriDomain]) return m[uriDomain]; - } - - var extFromPage = /\.[^.]+$/; - function extract_ext(value) { - var page = extract_page(value); - if (page) { - var m = page.match(extFromPage); - if (m) return m[0]; - } - } - - function ext(dst, src) { - return url_wrapper(dst, src, extract_ext); - } - - function fqdn(dst, src) { - // TODO: fqdn and domain(eTLD+1) are currently the same. - return domain(dst, src); - } - - var pageFromPathRegExp = /\/([^\/]+)$/; - var pageName = 1; - - function extract_page(value) { - value = extract_path(value); - if (!value) return undefined; - var m = value.match(pageFromPathRegExp); - if (m) return m[pageName]; - } - - function page(dst, src) { - return url_wrapper(dst, src, extract_page); - } - - function extract_path(value) { - var m = split_url(value); - return m? m[uriPath] || m[uriPathAlt] : undefined; - } - - function path(dst, src) { - return url_wrapper(dst, src, extract_path); - } - - // Map common schemes to their default port. 
- // port has to be a string (will be converted at a later stage). - var schemePort = { - "ftp": "21", - "ssh": "22", - "http": "80", - "https": "443", - }; - - function extract_port(value) { - var m = split_url(value); - if (!m) return undefined; - if (m[uriPort]) return m[uriPort]; - if (m[uriScheme]) { - return schemePort[m[uriScheme]]; - } - } - - function port(dst, src) { - return url_wrapper(dst, src, extract_port); - } - - function extract_query(value) { - var m = split_url(value); - if (m && m[uriQuery]) return m[uriQuery]; - } - - function query(dst, src) { - return url_wrapper(dst, src, extract_query); - } - - function extract_root(value) { - var m = split_url(value); - if (m && m[uriDomain] && m[uriDomain]) { - var scheme = m[uriScheme] && m[uriScheme] !== "null"? - m[uriScheme] + "://" : ""; - var port = m[uriPort]? ":" + m[uriPort] : ""; - return scheme + m[uriDomain] + port; - } - } - - function root(dst, src) { - return url_wrapper(dst, src, extract_root); - } - - function tagval(id, src, cfg, keys, on_success) { - var fail = function(evt) { - evt.Put(FLAG_FIELD, "tagval_parsing_error"); - } - if (cfg.kv_separator.length !== 1) { - throw("Invalid TAGVALMAP ValueDelimiter (must have 1 character)"); - } - var quotes_len = cfg.open_quote.length > 0 && cfg.close_quote.length > 0? 
- cfg.open_quote.length + cfg.close_quote.length : 0; - var kv_regex = new RegExp('^([^' + cfg.kv_separator + ']*)*' + cfg.kv_separator + ' *(.*)*$'); - return function(evt) { - var msg = evt.Get(src); - if (msg === undefined) { - console.warn("tagval: input field is missing"); - return fail(evt); - } - var pairs = msg.split(cfg.pair_separator); - var i; - var success = false; - var prev = ""; - for (i=0; i 0 && - value.length >= cfg.open_quote.length + cfg.close_quote.length && - value.substr(0, cfg.open_quote.length) === cfg.open_quote && - value.substr(value.length - cfg.close_quote.length) === cfg.close_quote) { - value = value.substr(cfg.open_quote.length, value.length - quotes_len); - } - evt.Put(FIELDS_PREFIX + field, value); - success = true; - } - if (!success) { - return fail(evt); - } - if (on_success != null) { - on_success(evt); - } - } - } - - var ecs_mappings = { - "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]}, - "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]}, - "_severity": {convert: to_long, to:[{field: "log.syslog.severity.code", setter: fld_set}]}, - "action": {to:[{field: "event.action", setter: fld_prio, prio: 0}]}, - "administrator": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 4}]}, - "alias.ip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 3},{field: "related.ip", setter: fld_append}]}, - "alias.ipv6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 4},{field: "related.ip", setter: fld_append}]}, - "alias.mac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 1}]}, - "application": {to:[{field: "network.application", setter: fld_set}]}, - "bytes": {convert: to_long, to:[{field: "network.bytes", setter: fld_set}]}, - "c_domain": {to:[{field: "source.domain", setter: fld_prio, prio: 1}]}, - "c_logon_id": {to:[{field: "user.id", setter: fld_prio, prio: 2}]}, - 
"c_user_name": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 8}]}, - "c_username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 2}]}, - "cctld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 1}]}, - "child_pid": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 1}]}, - "child_pid_val": {to:[{field: "process.title", setter: fld_set}]}, - "child_process": {to:[{field: "process.name", setter: fld_prio, prio: 1}]}, - "city.dst": {to:[{field: "destination.geo.city_name", setter: fld_set}]}, - "city.src": {to:[{field: "source.geo.city_name", setter: fld_set}]}, - "daddr": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, - "daddr_v6": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, - "ddomain": {to:[{field: "destination.domain", setter: fld_prio, prio: 0}]}, - "devicehostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, - "devicehostmac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 0}]}, - "dhost": {to:[{field: "destination.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]}, - "dinterface": {to:[{field: "observer.egress.interface.name", setter: fld_set}]}, - "direction": {to:[{field: "network.direction", setter: fld_set}]}, - "directory": {to:[{field: "file.directory", setter: fld_set}]}, - "dmacaddr": {convert: to_mac, to:[{field: "destination.mac", setter: fld_set}]}, - "dns.responsetype": {to:[{field: "dns.answers.type", setter: fld_set}]}, - "dns.resptext": {to:[{field: "dns.answers.name", setter: fld_set}]}, - "dns_querytype": {to:[{field: "dns.question.type", setter: fld_set}]}, - "domain": {to:[{field: "server.domain", setter: fld_prio, prio: 0},{field: "related.hosts", setter: fld_append}]}, - 
"domain.dst": {to:[{field: "destination.domain", setter: fld_prio, prio: 1}]},
- "domain.src": {to:[{field: "source.domain", setter: fld_prio, prio: 2}]},
- "domain_id": {to:[{field: "user.domain", setter: fld_set}]},
- "domainname": {to:[{field: "server.domain", setter: fld_prio, prio: 1}]},
- "dport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 0}]},
- "dtransaddr": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]},
- "dtransport": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 0}]},
- "ec_outcome": {to:[{field: "event.outcome", setter: fld_ecs_outcome}]},
- "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]},
- "event_source": {to:[{field: "related.hosts", setter: fld_append}]},
- "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]},
- "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]},
- "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]},
- "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]},
- "filename": {to:[{field: "file.name", setter: fld_prio, prio: 0}]},
- "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]},
- "filepath": {to:[{field: "file.path", setter: fld_set}]},
- "filetype": {to:[{field: "file.type", setter: fld_set}]},
- "fqdn": {to:[{field: "related.hosts", setter: fld_append}]},
- "group": {to:[{field: "group.name", setter: fld_set}]},
- "groupid": {to:[{field: "group.id", setter: fld_set}]},
- "host": {to:[{field: "host.name", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]},
- "hostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]},
- "hostip_v6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]},
- "hostname": {to:[{field: 
"host.name", setter: fld_prio, prio: 0}]},
- "id": {to:[{field: "event.code", setter: fld_prio, prio: 0}]},
- "interface": {to:[{field: "network.interface.name", setter: fld_set}]},
- "ip.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]},
- "ip.trans.dst": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]},
- "ip.trans.src": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]},
- "ipv6.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]},
- "latdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lat", setter: fld_set}]},
- "latdec_src": {convert: to_double, to:[{field: "source.geo.location.lat", setter: fld_set}]},
- "location_city": {to:[{field: "geo.city_name", setter: fld_set}]},
- "location_country": {to:[{field: "geo.country_name", setter: fld_set}]},
- "location_desc": {to:[{field: "geo.name", setter: fld_set}]},
- "location_dst": {to:[{field: "destination.geo.country_name", setter: fld_set}]},
- "location_src": {to:[{field: "source.geo.country_name", setter: fld_set}]},
- "location_state": {to:[{field: "geo.region_name", setter: fld_set}]},
- "logon_id": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 5}]},
- "longdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lon", setter: fld_set}]},
- "longdec_src": {convert: to_double, to:[{field: "source.geo.location.lon", setter: fld_set}]},
- "macaddr": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 2}]},
- "messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]},
- "method": {to:[{field: "http.request.method", setter: fld_set}]},
- "msg": {to:[{field: "message", setter: fld_set}]},
- "orig_ip": {convert: to_ip, 
to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]},
- "owner": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 6}]},
- "packets": {convert: to_long, to:[{field: "network.packets", setter: fld_set}]},
- "parent_pid": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 0}]},
- "parent_pid_val": {to:[{field: "process.parent.title", setter: fld_set}]},
- "parent_process": {to:[{field: "process.parent.name", setter: fld_prio, prio: 0}]},
- "patient_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 1}]},
- "port.dst": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 1}]},
- "port.src": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 1}]},
- "port.trans.dst": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 1}]},
- "port.trans.src": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 1}]},
- "process": {to:[{field: "process.name", setter: fld_prio, prio: 0}]},
- "process_id": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 0}]},
- "process_id_src": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 1}]},
- "process_src": {to:[{field: "process.parent.name", setter: fld_prio, prio: 1}]},
- "product": {to:[{field: "observer.product", setter: fld_set}]},
- "protocol": {to:[{field: "network.protocol", setter: fld_set}]},
- "query": {to:[{field: "url.query", setter: fld_prio, prio: 2}]},
- "rbytes": {convert: to_long, to:[{field: "destination.bytes", setter: fld_set}]},
- "referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 1}]},
- "rulename": {to:[{field: "rule.name", setter: fld_set}]},
- "saddr": {convert: to_ip, to:[{field: "source.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]},
- "saddr_v6": {convert: to_ip, to:[{field: "source.ip", setter: 
fld_set},{field: "related.ip", setter: fld_append}]},
- "sbytes": {convert: to_long, to:[{field: "source.bytes", setter: fld_set}]},
- "sdomain": {to:[{field: "source.domain", setter: fld_prio, prio: 0}]},
- "service": {to:[{field: "service.name", setter: fld_prio, prio: 1}]},
- "service.name": {to:[{field: "service.name", setter: fld_prio, prio: 0}]},
- "service_account": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 7}]},
- "severity": {to:[{field: "log.level", setter: fld_set}]},
- "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]},
- "sinterface": {to:[{field: "observer.ingress.interface.name", setter: fld_set}]},
- "sld": {to:[{field: "url.registered_domain", setter: fld_set}]},
- "smacaddr": {convert: to_mac, to:[{field: "source.mac", setter: fld_set}]},
- "sport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 0}]},
- "stransaddr": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]},
- "stransport": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 0}]},
- "tcp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 2}]},
- "tcp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 2}]},
- "timezone": {to:[{field: "event.timezone", setter: fld_set}]},
- "tld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 0}]},
- "udp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 3}]},
- "udp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 3}]},
- "uid": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 3}]},
- "url": {to:[{field: "url.original", setter: fld_prio, prio: 1}]},
- "url_raw": {to:[{field: "url.original", setter: fld_prio, prio: 
0}]},
- "urldomain": {to:[{field: "url.domain", setter: fld_prio, prio: 0}]},
- "urlquery": {to:[{field: "url.query", setter: fld_prio, prio: 0}]},
- "user": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 0}]},
- "user.id": {to:[{field: "user.id", setter: fld_prio, prio: 1}]},
- "user_agent": {to:[{field: "user_agent.original", setter: fld_set}]},
- "user_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 0}]},
- "user_id": {to:[{field: "user.id", setter: fld_prio, prio: 0}]},
- "username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 1}]},
- "version": {to:[{field: "observer.version", setter: fld_set}]},
- "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]},
- "web_extension": {to:[{field: "file.extension", setter: fld_prio, prio: 0}]},
- "web_query": {to:[{field: "url.query", setter: fld_prio, prio: 1}]},
- "web_ref_domain": {to:[{field: "related.hosts", setter: fld_append}]},
- "web_referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 0}]},
- "web_root": {to:[{field: "url.path", setter: fld_set}]},
- "webpage": {to:[{field: "file.name", setter: fld_prio, prio: 1}]},
- };
-
- var rsa_mappings = {
- "access_point": {to:[{field: "rsa.wireless.access_point", setter: fld_set}]},
- "accesses": {to:[{field: "rsa.identity.accesses", setter: fld_set}]},
- "acl_id": {to:[{field: "rsa.misc.acl_id", setter: fld_set}]},
- "acl_op": {to:[{field: "rsa.misc.acl_op", setter: fld_set}]},
- "acl_pos": {to:[{field: "rsa.misc.acl_pos", setter: fld_set}]},
- "acl_table": {to:[{field: "rsa.misc.acl_table", setter: fld_set}]},
- "action": {to:[{field: "rsa.misc.action", setter: fld_append}]},
- "ad_computer_dst": {to:[{field: "rsa.network.ad_computer_dst", setter: fld_set}]},
- "addr": {to:[{field: "rsa.network.addr", setter: fld_set}]},
- "admin": {to:[{field: "rsa.misc.admin", setter: 
fld_set}]},
- "agent": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 0}]},
- "agent.id": {to:[{field: "rsa.misc.agent_id", setter: fld_set}]},
- "alarm_id": {to:[{field: "rsa.misc.alarm_id", setter: fld_set}]},
- "alarmname": {to:[{field: "rsa.misc.alarmname", setter: fld_set}]},
- "alert": {to:[{field: "rsa.threat.alert", setter: fld_set}]},
- "alert_id": {to:[{field: "rsa.misc.alert_id", setter: fld_set}]},
- "alias.host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
- "analysis.file": {to:[{field: "rsa.investigations.analysis_file", setter: fld_set}]},
- "analysis.service": {to:[{field: "rsa.investigations.analysis_service", setter: fld_set}]},
- "analysis.session": {to:[{field: "rsa.investigations.analysis_session", setter: fld_set}]},
- "app_id": {to:[{field: "rsa.misc.app_id", setter: fld_set}]},
- "attachment": {to:[{field: "rsa.file.attachment", setter: fld_set}]},
- "audit": {to:[{field: "rsa.misc.audit", setter: fld_set}]},
- "audit_class": {to:[{field: "rsa.internal.audit_class", setter: fld_set}]},
- "audit_object": {to:[{field: "rsa.misc.audit_object", setter: fld_set}]},
- "auditdata": {to:[{field: "rsa.misc.auditdata", setter: fld_set}]},
- "authmethod": {to:[{field: "rsa.identity.auth_method", setter: fld_set}]},
- "autorun_type": {to:[{field: "rsa.misc.autorun_type", setter: fld_set}]},
- "bcc": {to:[{field: "rsa.email.email", setter: fld_append}]},
- "benchmark": {to:[{field: "rsa.misc.benchmark", setter: fld_set}]},
- "binary": {to:[{field: "rsa.file.binary", setter: fld_set}]},
- "boc": {to:[{field: "rsa.investigations.boc", setter: fld_set}]},
- "bssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 1}]},
- "bypass": {to:[{field: "rsa.misc.bypass", setter: fld_set}]},
- "c_sid": {to:[{field: "rsa.identity.user_sid_src", setter: fld_set}]},
- "cache": {to:[{field: "rsa.misc.cache", setter: fld_set}]},
- "cache_hit": {to:[{field: "rsa.misc.cache_hit", setter: fld_set}]},
- "calling_from": {to:[{field: 
"rsa.misc.phone", setter: fld_prio, prio: 1}]},
- "calling_to": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 0}]},
- "category": {to:[{field: "rsa.misc.category", setter: fld_set}]},
- "cc": {to:[{field: "rsa.email.email", setter: fld_append}]},
- "cc.number": {convert: to_long, to:[{field: "rsa.misc.cc_number", setter: fld_set}]},
- "cefversion": {to:[{field: "rsa.misc.cefversion", setter: fld_set}]},
- "cert.serial": {to:[{field: "rsa.crypto.cert_serial", setter: fld_set}]},
- "cert_ca": {to:[{field: "rsa.crypto.cert_ca", setter: fld_set}]},
- "cert_checksum": {to:[{field: "rsa.crypto.cert_checksum", setter: fld_set}]},
- "cert_common": {to:[{field: "rsa.crypto.cert_common", setter: fld_set}]},
- "cert_error": {to:[{field: "rsa.crypto.cert_error", setter: fld_set}]},
- "cert_hostname": {to:[{field: "rsa.crypto.cert_host_name", setter: fld_set}]},
- "cert_hostname_cat": {to:[{field: "rsa.crypto.cert_host_cat", setter: fld_set}]},
- "cert_issuer": {to:[{field: "rsa.crypto.cert_issuer", setter: fld_set}]},
- "cert_keysize": {to:[{field: "rsa.crypto.cert_keysize", setter: fld_set}]},
- "cert_status": {to:[{field: "rsa.crypto.cert_status", setter: fld_set}]},
- "cert_subject": {to:[{field: "rsa.crypto.cert_subject", setter: fld_set}]},
- "cert_username": {to:[{field: "rsa.crypto.cert_username", setter: fld_set}]},
- "cfg.attr": {to:[{field: "rsa.misc.cfg_attr", setter: fld_set}]},
- "cfg.obj": {to:[{field: "rsa.misc.cfg_obj", setter: fld_set}]},
- "cfg.path": {to:[{field: "rsa.misc.cfg_path", setter: fld_set}]},
- "change_attribute": {to:[{field: "rsa.misc.change_attrib", setter: fld_set}]},
- "change_new": {to:[{field: "rsa.misc.change_new", setter: fld_set}]},
- "change_old": {to:[{field: "rsa.misc.change_old", setter: fld_set}]},
- "changes": {to:[{field: "rsa.misc.changes", setter: fld_set}]},
- "checksum": {to:[{field: "rsa.misc.checksum", setter: fld_set}]},
- "checksum.dst": {to:[{field: "rsa.misc.checksum_dst", setter: fld_set}]},
- "checksum.src": 
{to:[{field: "rsa.misc.checksum_src", setter: fld_set}]},
- "cid": {to:[{field: "rsa.internal.cid", setter: fld_set}]},
- "client": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 1}]},
- "client_ip": {to:[{field: "rsa.misc.client_ip", setter: fld_set}]},
- "clustermembers": {to:[{field: "rsa.misc.clustermembers", setter: fld_set}]},
- "cmd": {to:[{field: "rsa.misc.cmd", setter: fld_set}]},
- "cn_acttimeout": {to:[{field: "rsa.misc.cn_acttimeout", setter: fld_set}]},
- "cn_asn_dst": {to:[{field: "rsa.web.cn_asn_dst", setter: fld_set}]},
- "cn_asn_src": {to:[{field: "rsa.misc.cn_asn_src", setter: fld_set}]},
- "cn_bgpv4nxthop": {to:[{field: "rsa.misc.cn_bgpv4nxthop", setter: fld_set}]},
- "cn_ctr_dst_code": {to:[{field: "rsa.misc.cn_ctr_dst_code", setter: fld_set}]},
- "cn_dst_tos": {to:[{field: "rsa.misc.cn_dst_tos", setter: fld_set}]},
- "cn_dst_vlan": {to:[{field: "rsa.misc.cn_dst_vlan", setter: fld_set}]},
- "cn_engine_id": {to:[{field: "rsa.misc.cn_engine_id", setter: fld_set}]},
- "cn_engine_type": {to:[{field: "rsa.misc.cn_engine_type", setter: fld_set}]},
- "cn_f_switch": {to:[{field: "rsa.misc.cn_f_switch", setter: fld_set}]},
- "cn_flowsampid": {to:[{field: "rsa.misc.cn_flowsampid", setter: fld_set}]},
- "cn_flowsampintv": {to:[{field: "rsa.misc.cn_flowsampintv", setter: fld_set}]},
- "cn_flowsampmode": {to:[{field: "rsa.misc.cn_flowsampmode", setter: fld_set}]},
- "cn_inacttimeout": {to:[{field: "rsa.misc.cn_inacttimeout", setter: fld_set}]},
- "cn_inpermbyts": {to:[{field: "rsa.misc.cn_inpermbyts", setter: fld_set}]},
- "cn_inpermpckts": {to:[{field: "rsa.misc.cn_inpermpckts", setter: fld_set}]},
- "cn_invalid": {to:[{field: "rsa.misc.cn_invalid", setter: fld_set}]},
- "cn_ip_proto_ver": {to:[{field: "rsa.misc.cn_ip_proto_ver", setter: fld_set}]},
- "cn_ipv4_ident": {to:[{field: "rsa.misc.cn_ipv4_ident", setter: fld_set}]},
- "cn_l_switch": {to:[{field: "rsa.misc.cn_l_switch", setter: fld_set}]},
- "cn_log_did": {to:[{field: 
"rsa.misc.cn_log_did", setter: fld_set}]},
- "cn_log_rid": {to:[{field: "rsa.misc.cn_log_rid", setter: fld_set}]},
- "cn_max_ttl": {to:[{field: "rsa.misc.cn_max_ttl", setter: fld_set}]},
- "cn_maxpcktlen": {to:[{field: "rsa.misc.cn_maxpcktlen", setter: fld_set}]},
- "cn_min_ttl": {to:[{field: "rsa.misc.cn_min_ttl", setter: fld_set}]},
- "cn_minpcktlen": {to:[{field: "rsa.misc.cn_minpcktlen", setter: fld_set}]},
- "cn_mpls_lbl_1": {to:[{field: "rsa.misc.cn_mpls_lbl_1", setter: fld_set}]},
- "cn_mpls_lbl_10": {to:[{field: "rsa.misc.cn_mpls_lbl_10", setter: fld_set}]},
- "cn_mpls_lbl_2": {to:[{field: "rsa.misc.cn_mpls_lbl_2", setter: fld_set}]},
- "cn_mpls_lbl_3": {to:[{field: "rsa.misc.cn_mpls_lbl_3", setter: fld_set}]},
- "cn_mpls_lbl_4": {to:[{field: "rsa.misc.cn_mpls_lbl_4", setter: fld_set}]},
- "cn_mpls_lbl_5": {to:[{field: "rsa.misc.cn_mpls_lbl_5", setter: fld_set}]},
- "cn_mpls_lbl_6": {to:[{field: "rsa.misc.cn_mpls_lbl_6", setter: fld_set}]},
- "cn_mpls_lbl_7": {to:[{field: "rsa.misc.cn_mpls_lbl_7", setter: fld_set}]},
- "cn_mpls_lbl_8": {to:[{field: "rsa.misc.cn_mpls_lbl_8", setter: fld_set}]},
- "cn_mpls_lbl_9": {to:[{field: "rsa.misc.cn_mpls_lbl_9", setter: fld_set}]},
- "cn_mplstoplabel": {to:[{field: "rsa.misc.cn_mplstoplabel", setter: fld_set}]},
- "cn_mplstoplabip": {to:[{field: "rsa.misc.cn_mplstoplabip", setter: fld_set}]},
- "cn_mul_dst_byt": {to:[{field: "rsa.misc.cn_mul_dst_byt", setter: fld_set}]},
- "cn_mul_dst_pks": {to:[{field: "rsa.misc.cn_mul_dst_pks", setter: fld_set}]},
- "cn_muligmptype": {to:[{field: "rsa.misc.cn_muligmptype", setter: fld_set}]},
- "cn_rpackets": {to:[{field: "rsa.web.cn_rpackets", setter: fld_set}]},
- "cn_sampalgo": {to:[{field: "rsa.misc.cn_sampalgo", setter: fld_set}]},
- "cn_sampint": {to:[{field: "rsa.misc.cn_sampint", setter: fld_set}]},
- "cn_seqctr": {to:[{field: "rsa.misc.cn_seqctr", setter: fld_set}]},
- "cn_spackets": {to:[{field: "rsa.misc.cn_spackets", setter: fld_set}]},
- "cn_src_tos": {to:[{field: 
"rsa.misc.cn_src_tos", setter: fld_set}]},
- "cn_src_vlan": {to:[{field: "rsa.misc.cn_src_vlan", setter: fld_set}]},
- "cn_sysuptime": {to:[{field: "rsa.misc.cn_sysuptime", setter: fld_set}]},
- "cn_template_id": {to:[{field: "rsa.misc.cn_template_id", setter: fld_set}]},
- "cn_totbytsexp": {to:[{field: "rsa.misc.cn_totbytsexp", setter: fld_set}]},
- "cn_totflowexp": {to:[{field: "rsa.misc.cn_totflowexp", setter: fld_set}]},
- "cn_totpcktsexp": {to:[{field: "rsa.misc.cn_totpcktsexp", setter: fld_set}]},
- "cn_unixnanosecs": {to:[{field: "rsa.misc.cn_unixnanosecs", setter: fld_set}]},
- "cn_v6flowlabel": {to:[{field: "rsa.misc.cn_v6flowlabel", setter: fld_set}]},
- "cn_v6optheaders": {to:[{field: "rsa.misc.cn_v6optheaders", setter: fld_set}]},
- "code": {to:[{field: "rsa.misc.code", setter: fld_set}]},
- "command": {to:[{field: "rsa.misc.command", setter: fld_set}]},
- "comments": {to:[{field: "rsa.misc.comments", setter: fld_set}]},
- "comp_class": {to:[{field: "rsa.misc.comp_class", setter: fld_set}]},
- "comp_name": {to:[{field: "rsa.misc.comp_name", setter: fld_set}]},
- "comp_rbytes": {to:[{field: "rsa.misc.comp_rbytes", setter: fld_set}]},
- "comp_sbytes": {to:[{field: "rsa.misc.comp_sbytes", setter: fld_set}]},
- "component_version": {to:[{field: "rsa.misc.comp_version", setter: fld_set}]},
- "connection_id": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 1}]},
- "connectionid": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 0}]},
- "content": {to:[{field: "rsa.misc.content", setter: fld_set}]},
- "content_type": {to:[{field: "rsa.misc.content_type", setter: fld_set}]},
- "content_version": {to:[{field: "rsa.misc.content_version", setter: fld_set}]},
- "context": {to:[{field: "rsa.misc.context", setter: fld_set}]},
- "count": {to:[{field: "rsa.misc.count", setter: fld_set}]},
- "cpu": {convert: to_long, to:[{field: "rsa.misc.cpu", setter: fld_set}]},
- "cpu_data": {to:[{field: "rsa.misc.cpu_data", setter: fld_set}]},
- 
"criticality": {to:[{field: "rsa.misc.criticality", setter: fld_set}]},
- "cs_agency_dst": {to:[{field: "rsa.misc.cs_agency_dst", setter: fld_set}]},
- "cs_analyzedby": {to:[{field: "rsa.misc.cs_analyzedby", setter: fld_set}]},
- "cs_av_other": {to:[{field: "rsa.misc.cs_av_other", setter: fld_set}]},
- "cs_av_primary": {to:[{field: "rsa.misc.cs_av_primary", setter: fld_set}]},
- "cs_av_secondary": {to:[{field: "rsa.misc.cs_av_secondary", setter: fld_set}]},
- "cs_bgpv6nxthop": {to:[{field: "rsa.misc.cs_bgpv6nxthop", setter: fld_set}]},
- "cs_bit9status": {to:[{field: "rsa.misc.cs_bit9status", setter: fld_set}]},
- "cs_context": {to:[{field: "rsa.misc.cs_context", setter: fld_set}]},
- "cs_control": {to:[{field: "rsa.misc.cs_control", setter: fld_set}]},
- "cs_data": {to:[{field: "rsa.misc.cs_data", setter: fld_set}]},
- "cs_datecret": {to:[{field: "rsa.misc.cs_datecret", setter: fld_set}]},
- "cs_dst_tld": {to:[{field: "rsa.misc.cs_dst_tld", setter: fld_set}]},
- "cs_eth_dst_ven": {to:[{field: "rsa.misc.cs_eth_dst_ven", setter: fld_set}]},
- "cs_eth_src_ven": {to:[{field: "rsa.misc.cs_eth_src_ven", setter: fld_set}]},
- "cs_event_uuid": {to:[{field: "rsa.misc.cs_event_uuid", setter: fld_set}]},
- "cs_filetype": {to:[{field: "rsa.misc.cs_filetype", setter: fld_set}]},
- "cs_fld": {to:[{field: "rsa.misc.cs_fld", setter: fld_set}]},
- "cs_if_desc": {to:[{field: "rsa.misc.cs_if_desc", setter: fld_set}]},
- "cs_if_name": {to:[{field: "rsa.misc.cs_if_name", setter: fld_set}]},
- "cs_ip_next_hop": {to:[{field: "rsa.misc.cs_ip_next_hop", setter: fld_set}]},
- "cs_ipv4dstpre": {to:[{field: "rsa.misc.cs_ipv4dstpre", setter: fld_set}]},
- "cs_ipv4srcpre": {to:[{field: "rsa.misc.cs_ipv4srcpre", setter: fld_set}]},
- "cs_lifetime": {to:[{field: "rsa.misc.cs_lifetime", setter: fld_set}]},
- "cs_log_medium": {to:[{field: "rsa.misc.cs_log_medium", setter: fld_set}]},
- "cs_loginname": {to:[{field: "rsa.misc.cs_loginname", setter: fld_set}]},
- "cs_modulescore": {to:[{field: 
"rsa.misc.cs_modulescore", setter: fld_set}]},
- "cs_modulesign": {to:[{field: "rsa.misc.cs_modulesign", setter: fld_set}]},
- "cs_opswatresult": {to:[{field: "rsa.misc.cs_opswatresult", setter: fld_set}]},
- "cs_payload": {to:[{field: "rsa.misc.cs_payload", setter: fld_set}]},
- "cs_registrant": {to:[{field: "rsa.misc.cs_registrant", setter: fld_set}]},
- "cs_registrar": {to:[{field: "rsa.misc.cs_registrar", setter: fld_set}]},
- "cs_represult": {to:[{field: "rsa.misc.cs_represult", setter: fld_set}]},
- "cs_rpayload": {to:[{field: "rsa.misc.cs_rpayload", setter: fld_set}]},
- "cs_sampler_name": {to:[{field: "rsa.misc.cs_sampler_name", setter: fld_set}]},
- "cs_sourcemodule": {to:[{field: "rsa.misc.cs_sourcemodule", setter: fld_set}]},
- "cs_streams": {to:[{field: "rsa.misc.cs_streams", setter: fld_set}]},
- "cs_targetmodule": {to:[{field: "rsa.misc.cs_targetmodule", setter: fld_set}]},
- "cs_v6nxthop": {to:[{field: "rsa.misc.cs_v6nxthop", setter: fld_set}]},
- "cs_whois_server": {to:[{field: "rsa.misc.cs_whois_server", setter: fld_set}]},
- "cs_yararesult": {to:[{field: "rsa.misc.cs_yararesult", setter: fld_set}]},
- "cve": {to:[{field: "rsa.misc.cve", setter: fld_set}]},
- "d_certauth": {to:[{field: "rsa.crypto.d_certauth", setter: fld_set}]},
- "d_cipher": {to:[{field: "rsa.crypto.cipher_dst", setter: fld_set}]},
- "d_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_dst", setter: fld_set}]},
- "d_sslver": {to:[{field: "rsa.crypto.ssl_ver_dst", setter: fld_set}]},
- "data": {to:[{field: "rsa.internal.data", setter: fld_set}]},
- "data_type": {to:[{field: "rsa.misc.data_type", setter: fld_set}]},
- "date": {to:[{field: "rsa.time.date", setter: fld_set}]},
- "datetime": {to:[{field: "rsa.time.datetime", setter: fld_set}]},
- "day": {to:[{field: "rsa.time.day", setter: fld_set}]},
- "db_id": {to:[{field: "rsa.db.db_id", setter: fld_set}]},
- "db_name": {to:[{field: "rsa.db.database", setter: fld_set}]},
- "db_pid": {convert: to_long, to:[{field: 
"rsa.db.db_pid", setter: fld_set}]},
- "dclass_counter1": {convert: to_long, to:[{field: "rsa.counters.dclass_c1", setter: fld_set}]},
- "dclass_counter1_string": {to:[{field: "rsa.counters.dclass_c1_str", setter: fld_set}]},
- "dclass_counter2": {convert: to_long, to:[{field: "rsa.counters.dclass_c2", setter: fld_set}]},
- "dclass_counter2_string": {to:[{field: "rsa.counters.dclass_c2_str", setter: fld_set}]},
- "dclass_counter3": {convert: to_long, to:[{field: "rsa.counters.dclass_c3", setter: fld_set}]},
- "dclass_counter3_string": {to:[{field: "rsa.counters.dclass_c3_str", setter: fld_set}]},
- "dclass_ratio1": {to:[{field: "rsa.counters.dclass_r1", setter: fld_set}]},
- "dclass_ratio1_string": {to:[{field: "rsa.counters.dclass_r1_str", setter: fld_set}]},
- "dclass_ratio2": {to:[{field: "rsa.counters.dclass_r2", setter: fld_set}]},
- "dclass_ratio2_string": {to:[{field: "rsa.counters.dclass_r2_str", setter: fld_set}]},
- "dclass_ratio3": {to:[{field: "rsa.counters.dclass_r3", setter: fld_set}]},
- "dclass_ratio3_string": {to:[{field: "rsa.counters.dclass_r3_str", setter: fld_set}]},
- "dead": {convert: to_long, to:[{field: "rsa.internal.dead", setter: fld_set}]},
- "description": {to:[{field: "rsa.misc.description", setter: fld_set}]},
- "detail": {to:[{field: "rsa.misc.event_desc", setter: fld_set}]},
- "device": {to:[{field: "rsa.misc.device_name", setter: fld_set}]},
- "device.class": {to:[{field: "rsa.internal.device_class", setter: fld_set}]},
- "device.group": {to:[{field: "rsa.internal.device_group", setter: fld_set}]},
- "device.host": {to:[{field: "rsa.internal.device_host", setter: fld_set}]},
- "device.ip": {convert: to_ip, to:[{field: "rsa.internal.device_ip", setter: fld_set}]},
- "device.ipv6": {convert: to_ip, to:[{field: "rsa.internal.device_ipv6", setter: fld_set}]},
- "device.type": {to:[{field: "rsa.internal.device_type", setter: fld_set}]},
- "device.type.id": {convert: to_long, to:[{field: "rsa.internal.device_type_id", setter: fld_set}]},
- "devicehostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
- "devvendor": {to:[{field: "rsa.misc.devvendor", setter: fld_set}]},
- "dhost": {to:[{field: "rsa.network.host_dst", setter: fld_set}]},
- "did": {to:[{field: "rsa.internal.did", setter: fld_set}]},
- "dinterface": {to:[{field: "rsa.network.dinterface", setter: fld_set}]},
- "directory.dst": {to:[{field: "rsa.file.directory_dst", setter: fld_set}]},
- "directory.src": {to:[{field: "rsa.file.directory_src", setter: fld_set}]},
- "disk_volume": {to:[{field: "rsa.storage.disk_volume", setter: fld_set}]},
- "disposition": {to:[{field: "rsa.misc.disposition", setter: fld_set}]},
- "distance": {to:[{field: "rsa.misc.distance", setter: fld_set}]},
- "dmask": {to:[{field: "rsa.network.dmask", setter: fld_set}]},
- "dn": {to:[{field: "rsa.identity.dn", setter: fld_set}]},
- "dns_a_record": {to:[{field: "rsa.network.dns_a_record", setter: fld_set}]},
- "dns_cname_record": {to:[{field: "rsa.network.dns_cname_record", setter: fld_set}]},
- "dns_id": {to:[{field: "rsa.network.dns_id", setter: fld_set}]},
- "dns_opcode": {to:[{field: "rsa.network.dns_opcode", setter: fld_set}]},
- "dns_ptr_record": {to:[{field: "rsa.network.dns_ptr_record", setter: fld_set}]},
- "dns_resp": {to:[{field: "rsa.network.dns_resp", setter: fld_set}]},
- "dns_type": {to:[{field: "rsa.network.dns_type", setter: fld_set}]},
- "doc_number": {convert: to_long, to:[{field: "rsa.misc.doc_number", setter: fld_set}]},
- "domain": {to:[{field: "rsa.network.domain", setter: fld_set}]},
- "domain1": {to:[{field: "rsa.network.domain1", setter: fld_set}]},
- "dst_dn": {to:[{field: "rsa.identity.dn_dst", setter: fld_set}]},
- "dst_payload": {to:[{field: "rsa.misc.payload_dst", setter: fld_set}]},
- "dst_spi": {to:[{field: "rsa.misc.spi_dst", setter: fld_set}]},
- "dst_zone": {to:[{field: "rsa.network.zone_dst", setter: fld_set}]},
- "dstburb": {to:[{field: "rsa.misc.dstburb", setter: fld_set}]},
- "duration": {convert: to_double, 
to:[{field: "rsa.time.duration_time", setter: fld_set}]},
- "duration_string": {to:[{field: "rsa.time.duration_str", setter: fld_set}]},
- "ec_activity": {to:[{field: "rsa.investigations.ec_activity", setter: fld_set}]},
- "ec_outcome": {to:[{field: "rsa.investigations.ec_outcome", setter: fld_set}]},
- "ec_subject": {to:[{field: "rsa.investigations.ec_subject", setter: fld_set}]},
- "ec_theme": {to:[{field: "rsa.investigations.ec_theme", setter: fld_set}]},
- "edomain": {to:[{field: "rsa.misc.edomain", setter: fld_set}]},
- "edomaub": {to:[{field: "rsa.misc.edomaub", setter: fld_set}]},
- "effective_time": {convert: to_date, to:[{field: "rsa.time.effective_time", setter: fld_set}]},
- "ein.number": {convert: to_long, to:[{field: "rsa.misc.ein_number", setter: fld_set}]},
- "email": {to:[{field: "rsa.email.email", setter: fld_append}]},
- "encryption_type": {to:[{field: "rsa.crypto.crypto", setter: fld_set}]},
- "endtime": {convert: to_date, to:[{field: "rsa.time.endtime", setter: fld_set}]},
- "entropy.req": {convert: to_long, to:[{field: "rsa.internal.entropy_req", setter: fld_set}]},
- "entropy.res": {convert: to_long, to:[{field: "rsa.internal.entropy_res", setter: fld_set}]},
- "entry": {to:[{field: "rsa.internal.entry", setter: fld_set}]},
- "eoc": {to:[{field: "rsa.investigations.eoc", setter: fld_set}]},
- "error": {to:[{field: "rsa.misc.error", setter: fld_set}]},
- "eth_type": {convert: to_long, to:[{field: "rsa.network.eth_type", setter: fld_set}]},
- "euid": {to:[{field: "rsa.misc.euid", setter: fld_set}]},
- "event.cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 1}]},
- "event.cat.name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 1}]},
- "event_cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 0}]},
- "event_cat_name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 0}]},
- "event_category": {to:[{field: 
"rsa.misc.event_category", setter: fld_set}]},
- "event_computer": {to:[{field: "rsa.misc.event_computer", setter: fld_set}]},
- "event_counter": {convert: to_long, to:[{field: "rsa.counters.event_counter", setter: fld_set}]},
- "event_description": {to:[{field: "rsa.internal.event_desc", setter: fld_set}]},
- "event_id": {to:[{field: "rsa.misc.event_id", setter: fld_set}]},
- "event_log": {to:[{field: "rsa.misc.event_log", setter: fld_set}]},
- "event_name": {to:[{field: "rsa.internal.event_name", setter: fld_set}]},
- "event_queue_time": {convert: to_date, to:[{field: "rsa.time.event_queue_time", setter: fld_set}]},
- "event_source": {to:[{field: "rsa.misc.event_source", setter: fld_set}]},
- "event_state": {to:[{field: "rsa.misc.event_state", setter: fld_set}]},
- "event_time": {convert: to_date, to:[{field: "rsa.time.event_time", setter: fld_set}]},
- "event_time_str": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 1}]},
- "event_time_string": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 0}]},
- "event_type": {to:[{field: "rsa.misc.event_type", setter: fld_set}]},
- "event_user": {to:[{field: "rsa.misc.event_user", setter: fld_set}]},
- "eventtime": {to:[{field: "rsa.time.eventtime", setter: fld_set}]},
- "expected_val": {to:[{field: "rsa.misc.expected_val", setter: fld_set}]},
- "expiration_time": {convert: to_date, to:[{field: "rsa.time.expire_time", setter: fld_set}]},
- "expiration_time_string": {to:[{field: "rsa.time.expire_time_str", setter: fld_set}]},
- "facility": {to:[{field: "rsa.misc.facility", setter: fld_set}]},
- "facilityname": {to:[{field: "rsa.misc.facilityname", setter: fld_set}]},
- "faddr": {to:[{field: "rsa.network.faddr", setter: fld_set}]},
- "fcatnum": {to:[{field: "rsa.misc.fcatnum", setter: fld_set}]},
- "federated_idp": {to:[{field: "rsa.identity.federated_idp", setter: fld_set}]},
- "federated_sp": {to:[{field: "rsa.identity.federated_sp", setter: fld_set}]},
- "feed.category": {to:[{field: 
"rsa.internal.feed_category", setter: fld_set}]},
- "feed_desc": {to:[{field: "rsa.internal.feed_desc", setter: fld_set}]},
- "feed_name": {to:[{field: "rsa.internal.feed_name", setter: fld_set}]},
- "fhost": {to:[{field: "rsa.network.fhost", setter: fld_set}]},
- "file_entropy": {convert: to_double, to:[{field: "rsa.file.file_entropy", setter: fld_set}]},
- "file_vendor": {to:[{field: "rsa.file.file_vendor", setter: fld_set}]},
- "filename_dst": {to:[{field: "rsa.file.filename_dst", setter: fld_set}]},
- "filename_src": {to:[{field: "rsa.file.filename_src", setter: fld_set}]},
- "filename_tmp": {to:[{field: "rsa.file.filename_tmp", setter: fld_set}]},
- "filesystem": {to:[{field: "rsa.file.filesystem", setter: fld_set}]},
- "filter": {to:[{field: "rsa.misc.filter", setter: fld_set}]},
- "finterface": {to:[{field: "rsa.misc.finterface", setter: fld_set}]},
- "flags": {to:[{field: "rsa.misc.flags", setter: fld_set}]},
- "forensic_info": {to:[{field: "rsa.misc.forensic_info", setter: fld_set}]},
- "forward.ip": {convert: to_ip, to:[{field: "rsa.internal.forward_ip", setter: fld_set}]},
- "forward.ipv6": {convert: to_ip, to:[{field: "rsa.internal.forward_ipv6", setter: fld_set}]},
- "found": {to:[{field: "rsa.misc.found", setter: fld_set}]},
- "fport": {to:[{field: "rsa.network.fport", setter: fld_set}]},
- "fqdn": {to:[{field: "rsa.web.fqdn", setter: fld_set}]},
- "fresult": {convert: to_long, to:[{field: "rsa.misc.fresult", setter: fld_set}]},
- "from": {to:[{field: "rsa.email.email_src", setter: fld_set}]},
- "gaddr": {to:[{field: "rsa.misc.gaddr", setter: fld_set}]},
- "gateway": {to:[{field: "rsa.network.gateway", setter: fld_set}]},
- "gmtdate": {to:[{field: "rsa.time.gmtdate", setter: fld_set}]},
- "gmttime": {to:[{field: "rsa.time.gmttime", setter: fld_set}]},
- "group": {to:[{field: "rsa.misc.group", setter: fld_set}]},
- "group_object": {to:[{field: "rsa.misc.group_object", setter: fld_set}]},
- "groupid": {to:[{field: "rsa.misc.group_id", setter: 
fld_set}]}, - "h_code": {to:[{field: "rsa.internal.hcode", setter: fld_set}]}, - "hardware_id": {to:[{field: "rsa.misc.hardware_id", setter: fld_set}]}, - "header.id": {to:[{field: "rsa.internal.header_id", setter: fld_set}]}, - "host.orig": {to:[{field: "rsa.network.host_orig", setter: fld_set}]}, - "host.state": {to:[{field: "rsa.endpoint.host_state", setter: fld_set}]}, - "host.type": {to:[{field: "rsa.network.host_type", setter: fld_set}]}, - "host_role": {to:[{field: "rsa.identity.host_role", setter: fld_set}]}, - "hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "hostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "hour": {to:[{field: "rsa.time.hour", setter: fld_set}]}, - "https.insact": {to:[{field: "rsa.crypto.https_insact", setter: fld_set}]}, - "https.valid": {to:[{field: "rsa.crypto.https_valid", setter: fld_set}]}, - "icmpcode": {convert: to_long, to:[{field: "rsa.network.icmp_code", setter: fld_set}]}, - "icmptype": {convert: to_long, to:[{field: "rsa.network.icmp_type", setter: fld_set}]}, - "id": {to:[{field: "rsa.misc.reference_id", setter: fld_set}]}, - "id1": {to:[{field: "rsa.misc.reference_id1", setter: fld_set}]}, - "id2": {to:[{field: "rsa.misc.reference_id2", setter: fld_set}]}, - "id3": {to:[{field: "rsa.misc.id3", setter: fld_set}]}, - "ike": {to:[{field: "rsa.crypto.ike", setter: fld_set}]}, - "ike_cookie1": {to:[{field: "rsa.crypto.ike_cookie1", setter: fld_set}]}, - "ike_cookie2": {to:[{field: "rsa.crypto.ike_cookie2", setter: fld_set}]}, - "im_buddyid": {to:[{field: "rsa.misc.im_buddyid", setter: fld_set}]}, - "im_buddyname": {to:[{field: "rsa.misc.im_buddyname", setter: fld_set}]}, - "im_client": {to:[{field: "rsa.misc.im_client", setter: fld_set}]}, - "im_croomid": {to:[{field: "rsa.misc.im_croomid", setter: fld_set}]}, - "im_croomtype": {to:[{field: "rsa.misc.im_croomtype", setter: fld_set}]}, - "im_members": {to:[{field: "rsa.misc.im_members", setter: fld_set}]}, - "im_userid": 
{to:[{field: "rsa.misc.im_userid", setter: fld_set}]}, - "im_username": {to:[{field: "rsa.misc.im_username", setter: fld_set}]}, - "index": {to:[{field: "rsa.misc.index", setter: fld_set}]}, - "info": {to:[{field: "rsa.db.index", setter: fld_set}]}, - "inode": {convert: to_long, to:[{field: "rsa.internal.inode", setter: fld_set}]}, - "inout": {to:[{field: "rsa.misc.inout", setter: fld_set}]}, - "instance": {to:[{field: "rsa.db.instance", setter: fld_set}]}, - "interface": {to:[{field: "rsa.network.interface", setter: fld_set}]}, - "inv.category": {to:[{field: "rsa.investigations.inv_category", setter: fld_set}]}, - "inv.context": {to:[{field: "rsa.investigations.inv_context", setter: fld_set}]}, - "ioc": {to:[{field: "rsa.investigations.ioc", setter: fld_set}]}, - "ip_proto": {convert: to_long, to:[{field: "rsa.network.ip_proto", setter: fld_set}]}, - "ipkt": {to:[{field: "rsa.misc.ipkt", setter: fld_set}]}, - "ipscat": {to:[{field: "rsa.misc.ipscat", setter: fld_set}]}, - "ipspri": {to:[{field: "rsa.misc.ipspri", setter: fld_set}]}, - "jobname": {to:[{field: "rsa.misc.jobname", setter: fld_set}]}, - "jobnum": {to:[{field: "rsa.misc.job_num", setter: fld_set}]}, - "laddr": {to:[{field: "rsa.network.laddr", setter: fld_set}]}, - "language": {to:[{field: "rsa.misc.language", setter: fld_set}]}, - "latitude": {to:[{field: "rsa.misc.latitude", setter: fld_set}]}, - "lc.cid": {to:[{field: "rsa.internal.lc_cid", setter: fld_set}]}, - "lc.ctime": {convert: to_date, to:[{field: "rsa.internal.lc_ctime", setter: fld_set}]}, - "ldap": {to:[{field: "rsa.identity.ldap", setter: fld_set}]}, - "ldap.query": {to:[{field: "rsa.identity.ldap_query", setter: fld_set}]}, - "ldap.response": {to:[{field: "rsa.identity.ldap_response", setter: fld_set}]}, - "level": {convert: to_long, to:[{field: "rsa.internal.level", setter: fld_set}]}, - "lhost": {to:[{field: "rsa.network.lhost", setter: fld_set}]}, - "library": {to:[{field: "rsa.misc.library", setter: fld_set}]}, - "lifetime": 
{convert: to_long, to:[{field: "rsa.misc.lifetime", setter: fld_set}]}, - "linenum": {to:[{field: "rsa.misc.linenum", setter: fld_set}]}, - "link": {to:[{field: "rsa.misc.link", setter: fld_set}]}, - "linterface": {to:[{field: "rsa.network.linterface", setter: fld_set}]}, - "list_name": {to:[{field: "rsa.misc.list_name", setter: fld_set}]}, - "listnum": {to:[{field: "rsa.misc.listnum", setter: fld_set}]}, - "load_data": {to:[{field: "rsa.misc.load_data", setter: fld_set}]}, - "location_floor": {to:[{field: "rsa.misc.location_floor", setter: fld_set}]}, - "location_mark": {to:[{field: "rsa.misc.location_mark", setter: fld_set}]}, - "log_id": {to:[{field: "rsa.misc.log_id", setter: fld_set}]}, - "log_type": {to:[{field: "rsa.misc.log_type", setter: fld_set}]}, - "logid": {to:[{field: "rsa.misc.logid", setter: fld_set}]}, - "logip": {to:[{field: "rsa.misc.logip", setter: fld_set}]}, - "logname": {to:[{field: "rsa.misc.logname", setter: fld_set}]}, - "logon_type": {to:[{field: "rsa.identity.logon_type", setter: fld_set}]}, - "logon_type_desc": {to:[{field: "rsa.identity.logon_type_desc", setter: fld_set}]}, - "longitude": {to:[{field: "rsa.misc.longitude", setter: fld_set}]}, - "lport": {to:[{field: "rsa.misc.lport", setter: fld_set}]}, - "lread": {convert: to_long, to:[{field: "rsa.db.lread", setter: fld_set}]}, - "lun": {to:[{field: "rsa.storage.lun", setter: fld_set}]}, - "lwrite": {convert: to_long, to:[{field: "rsa.db.lwrite", setter: fld_set}]}, - "macaddr": {convert: to_mac, to:[{field: "rsa.network.eth_host", setter: fld_set}]}, - "mail_id": {to:[{field: "rsa.misc.mail_id", setter: fld_set}]}, - "mask": {to:[{field: "rsa.network.mask", setter: fld_set}]}, - "match": {to:[{field: "rsa.misc.match", setter: fld_set}]}, - "mbug_data": {to:[{field: "rsa.misc.mbug_data", setter: fld_set}]}, - "mcb.req": {convert: to_long, to:[{field: "rsa.internal.mcb_req", setter: fld_set}]}, - "mcb.res": {convert: to_long, to:[{field: "rsa.internal.mcb_res", setter: fld_set}]}, - 
"mcbc.req": {convert: to_long, to:[{field: "rsa.internal.mcbc_req", setter: fld_set}]}, - "mcbc.res": {convert: to_long, to:[{field: "rsa.internal.mcbc_res", setter: fld_set}]}, - "medium": {convert: to_long, to:[{field: "rsa.internal.medium", setter: fld_set}]}, - "message": {to:[{field: "rsa.internal.message", setter: fld_set}]}, - "message_body": {to:[{field: "rsa.misc.message_body", setter: fld_set}]}, - "messageid": {to:[{field: "rsa.internal.messageid", setter: fld_set}]}, - "min": {to:[{field: "rsa.time.min", setter: fld_set}]}, - "misc": {to:[{field: "rsa.misc.misc", setter: fld_set}]}, - "misc_name": {to:[{field: "rsa.misc.misc_name", setter: fld_set}]}, - "mode": {to:[{field: "rsa.misc.mode", setter: fld_set}]}, - "month": {to:[{field: "rsa.time.month", setter: fld_set}]}, - "msg": {to:[{field: "rsa.internal.msg", setter: fld_set}]}, - "msgIdPart1": {to:[{field: "rsa.misc.msgIdPart1", setter: fld_set}]}, - "msgIdPart2": {to:[{field: "rsa.misc.msgIdPart2", setter: fld_set}]}, - "msgIdPart3": {to:[{field: "rsa.misc.msgIdPart3", setter: fld_set}]}, - "msgIdPart4": {to:[{field: "rsa.misc.msgIdPart4", setter: fld_set}]}, - "msg_id": {to:[{field: "rsa.internal.msg_id", setter: fld_set}]}, - "msg_type": {to:[{field: "rsa.misc.msg_type", setter: fld_set}]}, - "msgid": {to:[{field: "rsa.misc.msgid", setter: fld_set}]}, - "name": {to:[{field: "rsa.misc.name", setter: fld_set}]}, - "netname": {to:[{field: "rsa.network.netname", setter: fld_set}]}, - "netsessid": {to:[{field: "rsa.misc.netsessid", setter: fld_set}]}, - "network_port": {convert: to_long, to:[{field: "rsa.network.network_port", setter: fld_set}]}, - "network_service": {to:[{field: "rsa.network.network_service", setter: fld_set}]}, - "node": {to:[{field: "rsa.misc.node", setter: fld_set}]}, - "nodename": {to:[{field: "rsa.internal.node_name", setter: fld_set}]}, - "ntype": {to:[{field: "rsa.misc.ntype", setter: fld_set}]}, - "num": {to:[{field: "rsa.misc.num", setter: fld_set}]}, - "number": 
{to:[{field: "rsa.misc.number", setter: fld_set}]}, - "number1": {to:[{field: "rsa.misc.number1", setter: fld_set}]}, - "number2": {to:[{field: "rsa.misc.number2", setter: fld_set}]}, - "nwe.callback_id": {to:[{field: "rsa.internal.nwe_callback_id", setter: fld_set}]}, - "nwwn": {to:[{field: "rsa.misc.nwwn", setter: fld_set}]}, - "obj_id": {to:[{field: "rsa.internal.obj_id", setter: fld_set}]}, - "obj_name": {to:[{field: "rsa.misc.obj_name", setter: fld_set}]}, - "obj_server": {to:[{field: "rsa.internal.obj_server", setter: fld_set}]}, - "obj_type": {to:[{field: "rsa.misc.obj_type", setter: fld_set}]}, - "obj_value": {to:[{field: "rsa.internal.obj_val", setter: fld_set}]}, - "object": {to:[{field: "rsa.misc.object", setter: fld_set}]}, - "observed_val": {to:[{field: "rsa.misc.observed_val", setter: fld_set}]}, - "operation": {to:[{field: "rsa.misc.operation", setter: fld_set}]}, - "operation_id": {to:[{field: "rsa.misc.operation_id", setter: fld_set}]}, - "opkt": {to:[{field: "rsa.misc.opkt", setter: fld_set}]}, - "org.dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 1}]}, - "org.src": {to:[{field: "rsa.physical.org_src", setter: fld_set}]}, - "org_dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 0}]}, - "orig_from": {to:[{field: "rsa.misc.orig_from", setter: fld_set}]}, - "origin": {to:[{field: "rsa.network.origin", setter: fld_set}]}, - "original_owner": {to:[{field: "rsa.identity.owner", setter: fld_set}]}, - "os": {to:[{field: "rsa.misc.OS", setter: fld_set}]}, - "owner_id": {to:[{field: "rsa.misc.owner_id", setter: fld_set}]}, - "p_action": {to:[{field: "rsa.misc.p_action", setter: fld_set}]}, - "p_date": {to:[{field: "rsa.time.p_date", setter: fld_set}]}, - "p_filter": {to:[{field: "rsa.misc.p_filter", setter: fld_set}]}, - "p_group_object": {to:[{field: "rsa.misc.p_group_object", setter: fld_set}]}, - "p_id": {to:[{field: "rsa.misc.p_id", setter: fld_set}]}, - "p_month": {to:[{field: "rsa.time.p_month", setter: fld_set}]}, 
- "p_msgid": {to:[{field: "rsa.misc.p_msgid", setter: fld_set}]}, - "p_msgid1": {to:[{field: "rsa.misc.p_msgid1", setter: fld_set}]}, - "p_msgid2": {to:[{field: "rsa.misc.p_msgid2", setter: fld_set}]}, - "p_result1": {to:[{field: "rsa.misc.p_result1", setter: fld_set}]}, - "p_time": {to:[{field: "rsa.time.p_time", setter: fld_set}]}, - "p_time1": {to:[{field: "rsa.time.p_time1", setter: fld_set}]}, - "p_time2": {to:[{field: "rsa.time.p_time2", setter: fld_set}]}, - "p_url": {to:[{field: "rsa.web.p_url", setter: fld_set}]}, - "p_user_agent": {to:[{field: "rsa.web.p_user_agent", setter: fld_set}]}, - "p_web_cookie": {to:[{field: "rsa.web.p_web_cookie", setter: fld_set}]}, - "p_web_method": {to:[{field: "rsa.web.p_web_method", setter: fld_set}]}, - "p_web_referer": {to:[{field: "rsa.web.p_web_referer", setter: fld_set}]}, - "p_year": {to:[{field: "rsa.time.p_year", setter: fld_set}]}, - "packet_length": {to:[{field: "rsa.network.packet_length", setter: fld_set}]}, - "paddr": {convert: to_ip, to:[{field: "rsa.network.paddr", setter: fld_set}]}, - "param": {to:[{field: "rsa.misc.param", setter: fld_set}]}, - "param.dst": {to:[{field: "rsa.misc.param_dst", setter: fld_set}]}, - "param.src": {to:[{field: "rsa.misc.param_src", setter: fld_set}]}, - "parent_node": {to:[{field: "rsa.misc.parent_node", setter: fld_set}]}, - "parse.error": {to:[{field: "rsa.internal.parse_error", setter: fld_set}]}, - "password": {to:[{field: "rsa.identity.password", setter: fld_set}]}, - "password_chg": {to:[{field: "rsa.misc.password_chg", setter: fld_set}]}, - "password_expire": {to:[{field: "rsa.misc.password_expire", setter: fld_set}]}, - "patient_fname": {to:[{field: "rsa.healthcare.patient_fname", setter: fld_set}]}, - "patient_id": {to:[{field: "rsa.healthcare.patient_id", setter: fld_set}]}, - "patient_lname": {to:[{field: "rsa.healthcare.patient_lname", setter: fld_set}]}, - "patient_mname": {to:[{field: "rsa.healthcare.patient_mname", setter: fld_set}]}, - "payload.req": {convert: 
to_long, to:[{field: "rsa.internal.payload_req", setter: fld_set}]}, - "payload.res": {convert: to_long, to:[{field: "rsa.internal.payload_res", setter: fld_set}]}, - "peer": {to:[{field: "rsa.crypto.peer", setter: fld_set}]}, - "peer_id": {to:[{field: "rsa.crypto.peer_id", setter: fld_set}]}, - "permgranted": {to:[{field: "rsa.misc.permgranted", setter: fld_set}]}, - "permissions": {to:[{field: "rsa.db.permissions", setter: fld_set}]}, - "permwanted": {to:[{field: "rsa.misc.permwanted", setter: fld_set}]}, - "pgid": {to:[{field: "rsa.misc.pgid", setter: fld_set}]}, - "phone_number": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 2}]}, - "phost": {to:[{field: "rsa.network.phost", setter: fld_set}]}, - "pid": {to:[{field: "rsa.misc.pid", setter: fld_set}]}, - "policy": {to:[{field: "rsa.misc.policy", setter: fld_set}]}, - "policyUUID": {to:[{field: "rsa.misc.policyUUID", setter: fld_set}]}, - "policy_id": {to:[{field: "rsa.misc.policy_id", setter: fld_set}]}, - "policy_value": {to:[{field: "rsa.misc.policy_value", setter: fld_set}]}, - "policy_waiver": {to:[{field: "rsa.misc.policy_waiver", setter: fld_set}]}, - "policyname": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 0}]}, - "pool_id": {to:[{field: "rsa.misc.pool_id", setter: fld_set}]}, - "pool_name": {to:[{field: "rsa.misc.pool_name", setter: fld_set}]}, - "port": {convert: to_long, to:[{field: "rsa.network.port", setter: fld_set}]}, - "portname": {to:[{field: "rsa.misc.port_name", setter: fld_set}]}, - "pread": {convert: to_long, to:[{field: "rsa.db.pread", setter: fld_set}]}, - "priority": {to:[{field: "rsa.misc.priority", setter: fld_set}]}, - "privilege": {to:[{field: "rsa.file.privilege", setter: fld_set}]}, - "process.vid.dst": {to:[{field: "rsa.internal.process_vid_dst", setter: fld_set}]}, - "process.vid.src": {to:[{field: "rsa.internal.process_vid_src", setter: fld_set}]}, - "process_id_val": {to:[{field: "rsa.misc.process_id_val", setter: fld_set}]}, - "processing_time": 
{to:[{field: "rsa.time.process_time", setter: fld_set}]}, - "profile": {to:[{field: "rsa.identity.profile", setter: fld_set}]}, - "prog_asp_num": {to:[{field: "rsa.misc.prog_asp_num", setter: fld_set}]}, - "program": {to:[{field: "rsa.misc.program", setter: fld_set}]}, - "protocol_detail": {to:[{field: "rsa.network.protocol_detail", setter: fld_set}]}, - "pwwn": {to:[{field: "rsa.storage.pwwn", setter: fld_set}]}, - "r_hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "real_data": {to:[{field: "rsa.misc.real_data", setter: fld_set}]}, - "realm": {to:[{field: "rsa.identity.realm", setter: fld_set}]}, - "reason": {to:[{field: "rsa.misc.reason", setter: fld_set}]}, - "rec_asp_device": {to:[{field: "rsa.misc.rec_asp_device", setter: fld_set}]}, - "rec_asp_num": {to:[{field: "rsa.misc.rec_asp_num", setter: fld_set}]}, - "rec_library": {to:[{field: "rsa.misc.rec_library", setter: fld_set}]}, - "recorded_time": {convert: to_date, to:[{field: "rsa.time.recorded_time", setter: fld_set}]}, - "recordnum": {to:[{field: "rsa.misc.recordnum", setter: fld_set}]}, - "registry.key": {to:[{field: "rsa.endpoint.registry_key", setter: fld_set}]}, - "registry.value": {to:[{field: "rsa.endpoint.registry_value", setter: fld_set}]}, - "remote_domain": {to:[{field: "rsa.web.remote_domain", setter: fld_set}]}, - "remote_domain_id": {to:[{field: "rsa.network.remote_domain_id", setter: fld_set}]}, - "reputation_num": {convert: to_double, to:[{field: "rsa.web.reputation_num", setter: fld_set}]}, - "resource": {to:[{field: "rsa.internal.resource", setter: fld_set}]}, - "resource_class": {to:[{field: "rsa.internal.resource_class", setter: fld_set}]}, - "result": {to:[{field: "rsa.misc.result", setter: fld_set}]}, - "result_code": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 1}]}, - "resultcode": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 0}]}, - "rid": {convert: to_long, to:[{field: "rsa.internal.rid", setter: fld_set}]}, - "risk": 
{to:[{field: "rsa.misc.risk", setter: fld_set}]}, - "risk_info": {to:[{field: "rsa.misc.risk_info", setter: fld_set}]}, - "risk_num": {convert: to_double, to:[{field: "rsa.misc.risk_num", setter: fld_set}]}, - "risk_num_comm": {convert: to_double, to:[{field: "rsa.misc.risk_num_comm", setter: fld_set}]}, - "risk_num_next": {convert: to_double, to:[{field: "rsa.misc.risk_num_next", setter: fld_set}]}, - "risk_num_sand": {convert: to_double, to:[{field: "rsa.misc.risk_num_sand", setter: fld_set}]}, - "risk_num_static": {convert: to_double, to:[{field: "rsa.misc.risk_num_static", setter: fld_set}]}, - "risk_suspicious": {to:[{field: "rsa.misc.risk_suspicious", setter: fld_set}]}, - "risk_warning": {to:[{field: "rsa.misc.risk_warning", setter: fld_set}]}, - "rpayload": {to:[{field: "rsa.network.rpayload", setter: fld_set}]}, - "ruid": {to:[{field: "rsa.misc.ruid", setter: fld_set}]}, - "rule": {to:[{field: "rsa.misc.rule", setter: fld_set}]}, - "rule_group": {to:[{field: "rsa.misc.rule_group", setter: fld_set}]}, - "rule_template": {to:[{field: "rsa.misc.rule_template", setter: fld_set}]}, - "rule_uid": {to:[{field: "rsa.misc.rule_uid", setter: fld_set}]}, - "rulename": {to:[{field: "rsa.misc.rule_name", setter: fld_set}]}, - "s_certauth": {to:[{field: "rsa.crypto.s_certauth", setter: fld_set}]}, - "s_cipher": {to:[{field: "rsa.crypto.cipher_src", setter: fld_set}]}, - "s_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_src", setter: fld_set}]}, - "s_context": {to:[{field: "rsa.misc.context_subject", setter: fld_set}]}, - "s_sslver": {to:[{field: "rsa.crypto.ssl_ver_src", setter: fld_set}]}, - "sburb": {to:[{field: "rsa.misc.sburb", setter: fld_set}]}, - "scheme": {to:[{field: "rsa.crypto.scheme", setter: fld_set}]}, - "sdomain_fld": {to:[{field: "rsa.misc.sdomain_fld", setter: fld_set}]}, - "search.text": {to:[{field: "rsa.misc.search_text", setter: fld_set}]}, - "sec": {to:[{field: "rsa.misc.sec", setter: fld_set}]}, - "second": {to:[{field: 
"rsa.misc.second", setter: fld_set}]}, - "sensor": {to:[{field: "rsa.misc.sensor", setter: fld_set}]}, - "sensorname": {to:[{field: "rsa.misc.sensorname", setter: fld_set}]}, - "seqnum": {to:[{field: "rsa.misc.seqnum", setter: fld_set}]}, - "serial_number": {to:[{field: "rsa.misc.serial_number", setter: fld_set}]}, - "service.account": {to:[{field: "rsa.identity.service_account", setter: fld_set}]}, - "session": {to:[{field: "rsa.misc.session", setter: fld_set}]}, - "session.split": {to:[{field: "rsa.internal.session_split", setter: fld_set}]}, - "sessionid": {to:[{field: "rsa.misc.log_session_id", setter: fld_set}]}, - "sessionid1": {to:[{field: "rsa.misc.log_session_id1", setter: fld_set}]}, - "sessiontype": {to:[{field: "rsa.misc.sessiontype", setter: fld_set}]}, - "severity": {to:[{field: "rsa.misc.severity", setter: fld_set}]}, - "sid": {to:[{field: "rsa.identity.user_sid_dst", setter: fld_set}]}, - "sig.name": {to:[{field: "rsa.misc.sig_name", setter: fld_set}]}, - "sigUUID": {to:[{field: "rsa.misc.sigUUID", setter: fld_set}]}, - "sigcat": {to:[{field: "rsa.misc.sigcat", setter: fld_set}]}, - "sigid": {convert: to_long, to:[{field: "rsa.misc.sig_id", setter: fld_set}]}, - "sigid1": {convert: to_long, to:[{field: "rsa.misc.sig_id1", setter: fld_set}]}, - "sigid_string": {to:[{field: "rsa.misc.sig_id_str", setter: fld_set}]}, - "signame": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 1}]}, - "sigtype": {to:[{field: "rsa.crypto.sig_type", setter: fld_set}]}, - "sinterface": {to:[{field: "rsa.network.sinterface", setter: fld_set}]}, - "site": {to:[{field: "rsa.internal.site", setter: fld_set}]}, - "size": {convert: to_long, to:[{field: "rsa.internal.size", setter: fld_set}]}, - "smask": {to:[{field: "rsa.network.smask", setter: fld_set}]}, - "snmp.oid": {to:[{field: "rsa.misc.snmp_oid", setter: fld_set}]}, - "snmp.value": {to:[{field: "rsa.misc.snmp_value", setter: fld_set}]}, - "sourcefile": {to:[{field: "rsa.internal.sourcefile", setter: 
fld_set}]}, - "space": {to:[{field: "rsa.misc.space", setter: fld_set}]}, - "space1": {to:[{field: "rsa.misc.space1", setter: fld_set}]}, - "spi": {to:[{field: "rsa.misc.spi", setter: fld_set}]}, - "sql": {to:[{field: "rsa.misc.sql", setter: fld_set}]}, - "src_dn": {to:[{field: "rsa.identity.dn_src", setter: fld_set}]}, - "src_payload": {to:[{field: "rsa.misc.payload_src", setter: fld_set}]}, - "src_spi": {to:[{field: "rsa.misc.spi_src", setter: fld_set}]}, - "src_zone": {to:[{field: "rsa.network.zone_src", setter: fld_set}]}, - "srcburb": {to:[{field: "rsa.misc.srcburb", setter: fld_set}]}, - "srcdom": {to:[{field: "rsa.misc.srcdom", setter: fld_set}]}, - "srcservice": {to:[{field: "rsa.misc.srcservice", setter: fld_set}]}, - "ssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 0}]}, - "stamp": {convert: to_date, to:[{field: "rsa.time.stamp", setter: fld_set}]}, - "starttime": {convert: to_date, to:[{field: "rsa.time.starttime", setter: fld_set}]}, - "state": {to:[{field: "rsa.misc.state", setter: fld_set}]}, - "statement": {to:[{field: "rsa.internal.statement", setter: fld_set}]}, - "status": {to:[{field: "rsa.misc.status", setter: fld_set}]}, - "status1": {to:[{field: "rsa.misc.status1", setter: fld_set}]}, - "streams": {convert: to_long, to:[{field: "rsa.misc.streams", setter: fld_set}]}, - "subcategory": {to:[{field: "rsa.misc.subcategory", setter: fld_set}]}, - "subject": {to:[{field: "rsa.email.subject", setter: fld_set}]}, - "svcno": {to:[{field: "rsa.misc.svcno", setter: fld_set}]}, - "system": {to:[{field: "rsa.misc.system", setter: fld_set}]}, - "t_context": {to:[{field: "rsa.misc.context_target", setter: fld_set}]}, - "task_name": {to:[{field: "rsa.file.task_name", setter: fld_set}]}, - "tbdstr1": {to:[{field: "rsa.misc.tbdstr1", setter: fld_set}]}, - "tbdstr2": {to:[{field: "rsa.misc.tbdstr2", setter: fld_set}]}, - "tbl_name": {to:[{field: "rsa.db.table_name", setter: fld_set}]}, - "tcp_flags": {convert: to_long, to:[{field: 
"rsa.misc.tcp_flags", setter: fld_set}]}, - "terminal": {to:[{field: "rsa.misc.terminal", setter: fld_set}]}, - "tgtdom": {to:[{field: "rsa.misc.tgtdom", setter: fld_set}]}, - "tgtdomain": {to:[{field: "rsa.misc.tgtdomain", setter: fld_set}]}, - "threat_name": {to:[{field: "rsa.threat.threat_category", setter: fld_set}]}, - "threat_source": {to:[{field: "rsa.threat.threat_source", setter: fld_set}]}, - "threat_val": {to:[{field: "rsa.threat.threat_desc", setter: fld_set}]}, - "threshold": {to:[{field: "rsa.misc.threshold", setter: fld_set}]}, - "time": {convert: to_date, to:[{field: "rsa.internal.time", setter: fld_set}]}, - "timestamp": {to:[{field: "rsa.time.timestamp", setter: fld_set}]}, - "timezone": {to:[{field: "rsa.time.timezone", setter: fld_set}]}, - "to": {to:[{field: "rsa.email.email_dst", setter: fld_set}]}, - "tos": {convert: to_long, to:[{field: "rsa.misc.tos", setter: fld_set}]}, - "trans_from": {to:[{field: "rsa.email.trans_from", setter: fld_set}]}, - "trans_id": {to:[{field: "rsa.db.transact_id", setter: fld_set}]}, - "trans_to": {to:[{field: "rsa.email.trans_to", setter: fld_set}]}, - "trigger_desc": {to:[{field: "rsa.misc.trigger_desc", setter: fld_set}]}, - "trigger_val": {to:[{field: "rsa.misc.trigger_val", setter: fld_set}]}, - "type": {to:[{field: "rsa.misc.type", setter: fld_set}]}, - "type1": {to:[{field: "rsa.misc.type1", setter: fld_set}]}, - "tzone": {to:[{field: "rsa.time.tzone", setter: fld_set}]}, - "ubc.req": {convert: to_long, to:[{field: "rsa.internal.ubc_req", setter: fld_set}]}, - "ubc.res": {convert: to_long, to:[{field: "rsa.internal.ubc_res", setter: fld_set}]}, - "udb_class": {to:[{field: "rsa.misc.udb_class", setter: fld_set}]}, - "url_fld": {to:[{field: "rsa.misc.url_fld", setter: fld_set}]}, - "urlpage": {to:[{field: "rsa.web.urlpage", setter: fld_set}]}, - "urlroot": {to:[{field: "rsa.web.urlroot", setter: fld_set}]}, - "user_address": {to:[{field: "rsa.email.email", setter: fld_append}]}, - "user_dept": {to:[{field: 
"rsa.identity.user_dept", setter: fld_set}]}, - "user_div": {to:[{field: "rsa.misc.user_div", setter: fld_set}]}, - "user_fname": {to:[{field: "rsa.identity.firstname", setter: fld_set}]}, - "user_lname": {to:[{field: "rsa.identity.lastname", setter: fld_set}]}, - "user_mname": {to:[{field: "rsa.identity.middlename", setter: fld_set}]}, - "user_org": {to:[{field: "rsa.identity.org", setter: fld_set}]}, - "user_role": {to:[{field: "rsa.identity.user_role", setter: fld_set}]}, - "userid": {to:[{field: "rsa.misc.userid", setter: fld_set}]}, - "username_fld": {to:[{field: "rsa.misc.username_fld", setter: fld_set}]}, - "utcstamp": {to:[{field: "rsa.misc.utcstamp", setter: fld_set}]}, - "v_instafname": {to:[{field: "rsa.misc.v_instafname", setter: fld_set}]}, - "vendor_event_cat": {to:[{field: "rsa.investigations.event_vcat", setter: fld_set}]}, - "version": {to:[{field: "rsa.misc.version", setter: fld_set}]}, - "vid": {to:[{field: "rsa.internal.msg_vid", setter: fld_set}]}, - "virt_data": {to:[{field: "rsa.misc.virt_data", setter: fld_set}]}, - "virusname": {to:[{field: "rsa.misc.virusname", setter: fld_set}]}, - "vlan": {convert: to_long, to:[{field: "rsa.network.vlan", setter: fld_set}]}, - "vlan.name": {to:[{field: "rsa.network.vlan_name", setter: fld_set}]}, - "vm_target": {to:[{field: "rsa.misc.vm_target", setter: fld_set}]}, - "vpnid": {to:[{field: "rsa.misc.vpnid", setter: fld_set}]}, - "vsys": {to:[{field: "rsa.misc.vsys", setter: fld_set}]}, - "vuln_ref": {to:[{field: "rsa.misc.vuln_ref", setter: fld_set}]}, - "web_cookie": {to:[{field: "rsa.web.web_cookie", setter: fld_set}]}, - "web_extension_tmp": {to:[{field: "rsa.web.web_extension_tmp", setter: fld_set}]}, - "web_host": {to:[{field: "rsa.web.alias_host", setter: fld_set}]}, - "web_method": {to:[{field: "rsa.misc.action", setter: fld_append}]}, - "web_page": {to:[{field: "rsa.web.web_page", setter: fld_set}]}, - "web_ref_domain": {to:[{field: "rsa.web.web_ref_domain", setter: fld_set}]}, - "web_ref_host": 
{to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "web_ref_page": {to:[{field: "rsa.web.web_ref_page", setter: fld_set}]}, - "web_ref_query": {to:[{field: "rsa.web.web_ref_query", setter: fld_set}]}, - "web_ref_root": {to:[{field: "rsa.web.web_ref_root", setter: fld_set}]}, - "wifi_channel": {convert: to_long, to:[{field: "rsa.wireless.wlan_channel", setter: fld_set}]}, - "wlan": {to:[{field: "rsa.wireless.wlan_name", setter: fld_set}]}, - "word": {to:[{field: "rsa.internal.word", setter: fld_set}]}, - "workspace_desc": {to:[{field: "rsa.misc.workspace", setter: fld_set}]}, - "workstation": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "year": {to:[{field: "rsa.time.year", setter: fld_set}]}, - "zone": {to:[{field: "rsa.network.zone", setter: fld_set}]}, - }; - - function to_date(value) { - switch (typeof (value)) { - case "object": - // This is a Date. But as it was obtained from evt.Get(), the VM - // doesn't see it as a JS Date anymore, thus value instanceof Date === false. - // Have to trust that any object here is a valid Date for Go. - return value; - case "string": - var asDate = new Date(value); - if (!isNaN(asDate)) return asDate; - } - } - - // ECMAScript 5.1 doesn't have Object.MAX_SAFE_INTEGER / Object.MIN_SAFE_INTEGER. - var maxSafeInt = Math.pow(2, 53) - 1; - var minSafeInt = -maxSafeInt; - - function to_long(value) { - var num = parseInt(value); - // Better not to index a number if it's not safe (above 53 bits). - return !isNaN(num) && minSafeInt <= num && num <= maxSafeInt ? 
num : undefined; - } - - function to_ip(value) { - if (value.indexOf(":") === -1) - return to_ipv4(value); - return to_ipv6(value); - } - - var ipv4_regex = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/; - var ipv6_hex_regex = /^[0-9A-Fa-f]{1,4}$/; - - function to_ipv4(value) { - var result = ipv4_regex.exec(value); - if (result == null || result.length !== 5) return; - for (var i = 1; i < 5; i++) { - var num = strictToInt(result[i]); - if (isNaN(num) || num < 0 || num > 255) return; - } - return value; - } - - function to_ipv6(value) { - var sqEnd = value.indexOf("]"); - if (sqEnd > -1) { - if (value.charAt(0) !== "[") return; - value = value.substr(1, sqEnd - 1); - } - var zoneOffset = value.indexOf("%"); - if (zoneOffset > -1) { - value = value.substr(0, zoneOffset); - } - var parts = value.split(":"); - if (parts == null || parts.length < 3 || parts.length > 8) return; - var numEmpty = 0; - var innerEmpty = 0; - for (var i = 0; i < parts.length; i++) { - if (parts[i].length === 0) { - numEmpty++; - if (i > 0 && i + 1 < parts.length) innerEmpty++; - } else if (!parts[i].match(ipv6_hex_regex) && - // Accept an IPv6 with a valid IPv4 at the end. - ((i + 1 < parts.length) || !to_ipv4(parts[i]))) { - return; - } - } - return innerEmpty === 0 && parts.length === 8 || innerEmpty === 1 ? value : undefined; - } - - function to_double(value) { - return parseFloat(value); - } - - function to_mac(value) { - // ES doesn't have a mac datatype so it's safe to ingest whatever was captured. - return value; - } - - function to_lowercase(value) { - // to_lowercase is used against keyword fields, which can accept - // any other type (numbers, dates). - return typeof(value) === "string"? 
value.toLowerCase() : value; - } - - function fld_set(dst, value) { - dst[this.field] = { v: value }; - } - - function fld_append(dst, value) { - if (dst[this.field] === undefined) { - dst[this.field] = { v: [value] }; - } else { - var base = dst[this.field]; - if (base.v.indexOf(value)===-1) base.v.push(value); - } - } - - function fld_prio(dst, value) { - if (dst[this.field] === undefined) { - dst[this.field] = { v: value, prio: this.prio}; - } else if(this.prio < dst[this.field].prio) { - dst[this.field].v = value; - dst[this.field].prio = this.prio; - } - } - - var valid_ecs_outcome = { - 'failure': true, - 'success': true, - 'unknown': true - }; - - function fld_ecs_outcome(dst, value) { - value = value.toLowerCase(); - if (valid_ecs_outcome[value] === undefined) { - value = 'unknown'; - } - if (dst[this.field] === undefined) { - dst[this.field] = { v: value }; - } else if (dst[this.field].v === 'unknown') { - dst[this.field] = { v: value }; - } - } - - function map_all(evt, targets, value) { - for (var i = 0; i < targets.length; i++) { - evt.Put(targets[i], value); - } - } - - function populate_fields(evt) { - var base = evt.Get(FIELDS_OBJECT); - if (base === null) return; - alternate_datetime(evt); - if (map_ecs) { - do_populate(evt, base, ecs_mappings); - } - if (map_rsa) { - do_populate(evt, base, rsa_mappings); - } - if (keep_raw) { - evt.Put("rsa.raw", base); - } - evt.Delete(FIELDS_OBJECT); - } - - var datetime_alt_components = [ - {field: "day", fmts: [[dF]]}, - {field: "year", fmts: [[dW]]}, - {field: "month", fmts: [[dB],[dG]]}, - {field: "date", fmts: [[dW,dSkip,dG,dSkip,dF],[dW,dSkip,dB,dSkip,dF],[dW,dSkip,dR,dSkip,dF]]}, - {field: "hour", fmts: [[dN]]}, - {field: "min", fmts: [[dU]]}, - {field: "secs", fmts: [[dO]]}, - {field: "time", fmts: [[dN, dSkip, dU, dSkip, dO]]}, - ]; - - function alternate_datetime(evt) { - if (evt.Get(FIELDS_PREFIX + "event_time") != null) { - return; - } - var tzOffset = tz_offset; - if (tzOffset === "event") { - 
tzOffset = evt.Get("event.timezone"); - } - var container = new DateContainer(tzOffset); - for (var i=0; i} ui=%{p0}"); - - var dup3 = match("MESSAGE#0:event_admin/1_0", "nwparser.p0", "%{network_service}(%{saddr}) action=%{p0}"); - - var dup4 = match("MESSAGE#0:event_admin/1_1", "nwparser.p0", "%{network_service->} action=%{p0}"); - - var dup5 = match("MESSAGE#0:event_admin/3_0", "nwparser.p0", "\"%{event_description}\""); - - var dup6 = match_copy("MESSAGE#0:event_admin/3_1", "nwparser.p0", "event_description"); - - var dup7 = setc("eventcategory","1401000000"); - - var dup8 = setf("msg","$MSG"); - - var dup9 = date_time({ - dest: "event_time", - args: ["hdate","htime"], - fmts: [ - [dW,dc("-"),dG,dc("-"),dF,dH,dc(":"),dU,dc(":"),dO], - ], - }); - - var dup10 = setf("hardware_id","hfld1"); - - var dup11 = setf("id","hfld2"); - - var dup12 = setf("id1","hfld3"); - - var dup13 = setf("event_type","msgIdPart1"); - - var dup14 = setf("category","msgIdPart2"); - - var dup15 = setf("severity","hseverity"); - - var dup16 = match("MESSAGE#1:event_pop3/2", "nwparser.p0", "%{action->} status=%{event_state->} msg=%{p0}"); - - var dup17 = setc("eventcategory","1602000000"); - - var dup18 = match("MESSAGE#5:event_smtp:01/0", "nwparser.payload", "user=%{username}ui=%{p0}"); - - var dup19 = match("MESSAGE#5:event_smtp:01/1_0", "nwparser.p0", "%{network_service}(%{hostip}) action=%{p0}"); - - var dup20 = match("MESSAGE#5:event_smtp:01/1_1", "nwparser.p0", "%{network_service}action=%{p0}"); - - var dup21 = match("MESSAGE#5:event_smtp:01/2", "nwparser.p0", "%{action}status=%{event_state}session_id=%{p0}"); - - var dup22 = match("MESSAGE#5:event_smtp:01/3_0", "nwparser.p0", "\"%{sessionid}\"msg=\"STARTTLS=%{p0}"); - - var dup23 = match("MESSAGE#5:event_smtp:01/3_1", "nwparser.p0", "%{sessionid}msg=\"STARTTLS=%{p0}"); - - var dup24 = match("MESSAGE#16:event_smtp/3_0", "nwparser.p0", "\"%{sessionid}\" msg=%{p0}"); - - var dup25 = match("MESSAGE#16:event_smtp/3_1", "nwparser.p0", 
"%{sessionid->} msg=%{p0}"); - - var dup26 = match("MESSAGE#20:virus/0", "nwparser.payload", "from=%{p0}"); - - var dup27 = match("MESSAGE#20:virus/1_0", "nwparser.p0", "\"%{from}\" to=%{p0}"); - - var dup28 = match("MESSAGE#20:virus/1_1", "nwparser.p0", "%{from->} to=%{p0}"); - - var dup29 = match("MESSAGE#20:virus/2_0", "nwparser.p0", "\"%{to}\" src=%{p0}"); - - var dup30 = match("MESSAGE#20:virus/2_1", "nwparser.p0", "%{to->} src=%{p0}"); - - var dup31 = match("MESSAGE#20:virus/3_0", "nwparser.p0", "\"%{saddr}\" session_id=%{p0}"); - - var dup32 = match("MESSAGE#20:virus/3_1", "nwparser.p0", "%{saddr->} session_id=%{p0}"); - - var dup33 = setc("eventcategory","1003010000"); - - var dup34 = setf("event_type","messageid"); - - var dup35 = match("MESSAGE#23:statistics/0", "nwparser.payload", "session_id=%{p0}"); - - var dup36 = match("MESSAGE#23:statistics/1_0", "nwparser.p0", "\"%{sessionid}\" from=%{p0}"); - - var dup37 = match("MESSAGE#23:statistics/1_1", "nwparser.p0", "%{sessionid->} from=%{p0}"); - - var dup38 = match("MESSAGE#23:statistics/2_0", "nwparser.p0", "\"%{from}\" mailer=%{p0}"); - - var dup39 = match("MESSAGE#23:statistics/2_1", "nwparser.p0", "%{from->} mailer=%{p0}"); - - var dup40 = match("MESSAGE#23:statistics/3_0", "nwparser.p0", "\"%{agent}\" client_name=\"%{p0}"); - - var dup41 = match("MESSAGE#23:statistics/3_1", "nwparser.p0", "%{agent->} client_name=\"%{p0}"); - - var dup42 = match("MESSAGE#23:statistics/4_0", "nwparser.p0", "%{fqdn->} [%{saddr}] (%{info})\"%{p0}"); - - var dup43 = match("MESSAGE#23:statistics/4_1", "nwparser.p0", "%{fqdn->} [%{saddr}]\"%{p0}"); - - var dup44 = match("MESSAGE#23:statistics/4_2", "nwparser.p0", "%{saddr}\"%{p0}"); - - var dup45 = match("MESSAGE#23:statistics/6_0", "nwparser.p0", "\"%{context}\" to=%{p0}"); - - var dup46 = match("MESSAGE#23:statistics/6_1", "nwparser.p0", "%{context->} to=%{p0}"); - - var dup47 = match("MESSAGE#23:statistics/7_0", "nwparser.p0", "\"%{to}\" direction=%{p0}"); - - var dup48 = 
match("MESSAGE#23:statistics/7_1", "nwparser.p0", "%{to->} direction=%{p0}"); - - var dup49 = match("MESSAGE#23:statistics/8_0", "nwparser.p0", "\"%{direction}\" message_length=%{p0}"); - - var dup50 = match("MESSAGE#23:statistics/8_1", "nwparser.p0", "%{direction->} message_length=%{p0}"); - - var dup51 = match("MESSAGE#23:statistics/9", "nwparser.p0", "%{fld4->} virus=%{p0}"); - - var dup52 = match("MESSAGE#23:statistics/10_0", "nwparser.p0", "\"%{virusname}\" disposition=%{p0}"); - - var dup53 = match("MESSAGE#23:statistics/10_1", "nwparser.p0", "%{virusname->} disposition=%{p0}"); - - var dup54 = match("MESSAGE#23:statistics/11_0", "nwparser.p0", "\"%{disposition}\" classifier=%{p0}"); - - var dup55 = match("MESSAGE#23:statistics/11_1", "nwparser.p0", "%{disposition->} classifier=%{p0}"); - - var dup56 = match("MESSAGE#23:statistics/12_0", "nwparser.p0", "\"%{filter}\" subject=%{p0}"); - - var dup57 = match("MESSAGE#23:statistics/12_1", "nwparser.p0", "%{filter->} subject=%{p0}"); - - var dup58 = match("MESSAGE#23:statistics/13_0", "nwparser.p0", "\"%{subject}\""); - - var dup59 = match_copy("MESSAGE#23:statistics/13_1", "nwparser.p0", "subject"); - - var dup60 = setc("eventcategory","1207000000"); - - var dup61 = match("MESSAGE#24:statistics:01/5", "nwparser.p0", "%{}resolved=%{p0}"); - - var dup62 = setc("eventcategory","1207040000"); - - var dup63 = linear_select([ - dup3, - dup4, - ]); - - var dup64 = linear_select([ - dup5, - dup6, - ]); - - var dup65 = linear_select([ - dup19, - dup20, - ]); - - var dup66 = linear_select([ - dup22, - dup23, - ]); - - var dup67 = linear_select([ - dup3, - dup20, - ]); - - var dup68 = linear_select([ - dup24, - dup25, - ]); - - var dup69 = linear_select([ - dup27, - dup28, - ]); - - var dup70 = linear_select([ - dup29, - dup30, - ]); - - var dup71 = linear_select([ - dup36, - dup37, - ]); - - var dup72 = linear_select([ - dup38, - dup39, - ]); - - var dup73 = linear_select([ - dup40, - dup41, - ]); - - var dup74 = 
linear_select([ - dup42, - dup43, - dup44, - ]); - - var dup75 = linear_select([ - dup45, - dup46, - ]); - - var dup76 = linear_select([ - dup47, - dup48, - ]); - - var dup77 = linear_select([ - dup49, - dup50, - ]); - - var dup78 = linear_select([ - dup52, - dup53, - ]); - - var dup79 = linear_select([ - dup54, - dup55, - ]); - - var dup80 = linear_select([ - dup56, - dup57, - ]); - - var dup81 = linear_select([ - dup58, - dup59, - ]); - - var dup82 = all_match({ - processors: [ - dup2, - dup63, - dup16, - dup64, - ], - on_success: processor_chain([ - dup17, - dup8, - dup9, - dup10, - dup11, - dup12, - dup13, - dup14, - dup15, - ]), - }); - - var hdr1 = match("HEADER#0:0001", "message", "date=%{hdate->} time=%{htime->} device_id=%{hfld1->} log_id=%{hfld2->} log_part=%{hfld3->} type=%{msgIdPart1->} subtype=%{msgIdPart2->} pri=%{hseverity->} %{payload}", processor_chain([ - setc("header_id","0001"), - dup1, - ])); - - var hdr2 = match("HEADER#1:0002", "message", "date=%{hdate->} time=%{htime->} device_id=%{hfld1->} log_id=%{hfld2->} log_part=%{hfld3->} type=%{messageid->} pri=%{hseverity->} %{payload}", processor_chain([ - setc("header_id","0002"), - ])); - - var hdr3 = match("HEADER#2:0003", "message", "date=%{hdate->} time=%{htime->} device_id=%{hfld1->} log_id=%{hfld2->} type=%{msgIdPart1->} subtype=%{msgIdPart2->} pri=%{hseverity->} %{payload}", processor_chain([ - setc("header_id","0003"), - dup1, - ])); - - var hdr4 = match("HEADER#3:0004", "message", "date=%{hdate->} time=%{htime->} device_id=%{hfld1->} log_id=%{hfld2->} type=%{messageid->} pri=%{hseverity->} %{payload}", processor_chain([ - setc("header_id","0004"), - ])); - - var select1 = linear_select([ - hdr1, - hdr2, - hdr3, - hdr4, - ]); - - var part1 = match("MESSAGE#0:event_admin/2", "nwparser.p0", "%{action->} status=%{event_state->} reason=%{result->} msg=%{p0}"); - - var all1 = all_match({ - processors: [ - dup2, - dup63, - part1, - dup64, - ], - on_success: processor_chain([ - dup7, - dup8, - 
dup9, - dup10, - dup11, - dup12, - dup13, - dup14, - dup15, - ]), - }); - - var msg1 = msg("event_admin", all1); - - var msg2 = msg("event_pop3", dup82); - - var all2 = all_match({ - processors: [ - dup2, - dup63, - dup16, - dup64, - ], - on_success: processor_chain([ - dup7, - dup8, - dup9, - dup10, - dup11, - dup12, - dup13, - dup14, - dup15, - ]), - }); - - var msg3 = msg("event_webmail", all2); - - var msg4 = msg("event_system", dup82); - - var msg5 = msg("event_imap", dup82); - - var part2 = match("MESSAGE#5:event_smtp:01/4", "nwparser.p0", "%{fld1}, relay=%{p0}"); - - var part3 = match("MESSAGE#5:event_smtp:01/5_0", "nwparser.p0", "%{shost}[%{saddr}], version=%{p0}"); - - var part4 = match("MESSAGE#5:event_smtp:01/5_1", "nwparser.p0", "%{shost}, version=%{p0}"); - - var select2 = linear_select([ - part3, - part4, - ]); - - var part5 = match("MESSAGE#5:event_smtp:01/6", "nwparser.p0", "%{version}, verify=%{fld2}, cipher=%{s_cipher}, bits=%{fld3}\""); - - var all3 = all_match({ - processors: [ - dup18, - dup65, - dup21, - dup66, - part2, - select2, - part5, - ], - on_success: processor_chain([ - dup17, - dup8, - dup9, - dup10, - dup11, - dup12, - dup13, - dup14, - dup15, - ]), - }); - - var msg6 = msg("event_smtp:01", all3); - - var part6 = match("MESSAGE#6:event_smtp:02/4", "nwparser.p0", "%{fld1}, cert-subject=%{cert_subject}, cert-issuer=%{fld2}, verifymsg=%{fld3}\""); - - var all4 = all_match({ - processors: [ - dup18, - dup65, - dup21, - dup66, - part6, - ], - on_success: processor_chain([ - dup17, - dup8, - dup9, - dup10, - dup11, - dup12, - dup13, - dup14, - dup15, - ]), - }); - - var msg7 = msg("event_smtp:02", all4); - - var part7 = match("MESSAGE#7:event_smtp:03/2", "nwparser.p0", "%{action}status=%{event_state}session_id=\"%{sessionid}\" msg=\"to=\u003c\u003c%{to}>, delay=%{fld1}, xdelay=%{fld2}, mailer=%{protocol}, pri=%{fld3}, relay=%{shost}[%{saddr}], dsn=%{fld4}, stat=%{fld5}\""); - - var all5 = all_match({ - processors: [ - dup18, - dup65, - 
part7, - ], - on_success: processor_chain([ - dup17, - dup8, - dup9, - dup10, - dup11, - dup12, - dup13, - dup14, - dup15, - ]), - }); - - var msg8 = msg("event_smtp:03", all5); - - var part8 = match("MESSAGE#8:event_smtp:04/0", "nwparser.payload", "user=%{username}ui=%{network_service}action=%{action}status=%{event_state}session_id=\"%{sessionid}\" msg=\"from=\u003c\u003c%{from}>, size=%{bytes}, class=%{fld2}, nrcpts=%{p0}"); - - var part9 = match("MESSAGE#8:event_smtp:04/1_0", "nwparser.p0", "%{fld3}, msgid=\u003c\u003c%{fld4}>, proto=%{p0}"); - - var part10 = match("MESSAGE#8:event_smtp:04/1_1", "nwparser.p0", "%{fld3}, proto=%{p0}"); - - var select3 = linear_select([ - part9, - part10, - ]); - - var part11 = match("MESSAGE#8:event_smtp:04/2", "nwparser.p0", "%{protocol}, daemon=%{process}, relay=%{p0}"); - - var part12 = match("MESSAGE#8:event_smtp:04/3_0", "nwparser.p0", "%{shost}[%{saddr}] (may be forged)\""); - - var part13 = match("MESSAGE#8:event_smtp:04/3_1", "nwparser.p0", "%{shost}[%{saddr}]\""); - - var part14 = match("MESSAGE#8:event_smtp:04/3_2", "nwparser.p0", "%{shost}\""); - - var select4 = linear_select([ - part12, - part13, - part14, - ]); - - var all6 = all_match({ - processors: [ - part8, - select3, - part11, - select4, - ], - on_success: processor_chain([ - dup17, - dup8, - dup9, - dup10, - dup11, - dup12, - dup13, - dup14, - dup15, - ]), - }); - - var msg9 = msg("event_smtp:04", all6); - - var part15 = match("MESSAGE#9:event_smtp:05/2", "nwparser.p0", "%{action}status=%{event_state}session_id=\"%{sessionid}\" msg=\"Milter: to=\u003c\u003c%{to}>, reject=%{fld1}\""); - - var all7 = all_match({ - processors: [ - dup18, - dup67, - part15, - ], - on_success: processor_chain([ - dup17, - dup8, - dup9, - dup10, - dup11, - dup12, - dup13, - dup14, - dup15, - ]), - }); - - var msg10 = msg("event_smtp:05", all7); - - var part16 = match("MESSAGE#10:event_smtp:06/2", "nwparser.p0", "%{action}status=%{event_state}session_id=\"%{sessionid}\" msg=\"timeout 
waiting for input from%{p0}"); - - var part17 = match("MESSAGE#10:event_smtp:06/3_0", "nwparser.p0", "[%{saddr}]during server cmd%{p0}"); - - var part18 = match("MESSAGE#10:event_smtp:06/3_1", "nwparser.p0", "%{saddr}during server cmd%{p0}"); - - var select5 = linear_select([ - part17, - part18, - ]); - - var part19 = match("MESSAGE#10:event_smtp:06/4", "nwparser.p0", "%{fld5}\""); - - var all8 = all_match({ - processors: [ - dup18, - dup65, - part16, - select5, - part19, - ], - on_success: processor_chain([ - dup17, - dup8, - dup9, - dup10, - dup11, - dup12, - dup13, - dup14, - dup15, - ]), - }); - - var msg11 = msg("event_smtp:06", all8); - - var part20 = match("MESSAGE#11:event_smtp:07/2", "nwparser.p0", "%{action}status=%{event_state}session_id=\"%{sessionid}\" msg=\"collect:%{fld1}timeout on connection from%{shost}, from=\u003c\u003c%{from}>\""); - - var all9 = all_match({ - processors: [ - dup18, - dup67, - part20, - ], - on_success: processor_chain([ - dup17, - dup8, - dup9, - dup10, - dup11, - dup12, - dup13, - dup14, - dup15, - ]), - }); - - var msg12 = msg("event_smtp:07", all9); - - var part21 = match("MESSAGE#12:event_smtp:08/2", "nwparser.p0", "%{action}status=%{event_state}session_id=\"%{sessionid}\" msg=\"DSN: to \u003c\u003c%{to}>; reason:%{result}; sessionid:%{fld5}\""); - - var all10 = all_match({ - processors: [ - dup18, - dup67, - part21, - ], - on_success: processor_chain([ - dup17, - dup8, - dup9, - dup10, - dup11, - dup12, - dup13, - dup14, - dup15, - ]), - }); - - var msg13 = msg("event_smtp:08", all10); - - var part22 = match("MESSAGE#13:event_smtp:09/2", "nwparser.p0", "%{action}status=%{event_state}session_id=\"%{sessionid}\" msg=\"lost input channel from%{shost}[%{saddr}] (may be forged) to SMTP_MTA after rcpt\""); - - var all11 = all_match({ - processors: [ - dup18, - dup65, - part22, - ], - on_success: processor_chain([ - dup17, - dup8, - dup9, - dup10, - dup11, - dup12, - dup13, - dup14, - dup15, - ]), - }); - - var msg14 = 
msg("event_smtp:09", all11); - - var part23 = match("MESSAGE#14:event_smtp:10/2", "nwparser.p0", "%{action}status=%{event_state}session_id=\"%{sessionid}\" msg=\"%{shost}[%{saddr}]: possible SMTP attack: command=%{fld1}, count=%{dclass_counter1}\""); - - var all12 = all_match({ - processors: [ - dup18, - dup65, - part23, - ], - on_success: processor_chain([ - dup17, - dup8, - dup9, - dup10, - dup11, - dup12, - dup13, - dup14, - dup15, - setc("dclass_counter1_string","count"), - ]), - }); - - var msg15 = msg("event_smtp:10", all12); - - var part24 = match("MESSAGE#15:event_smtp:11/2", "nwparser.p0", "%{action}status=%{event_state}session_id=\"%{sessionid}\" log_part=%{id1->} msg=\"to=\u003c\u003c%{to}, delay=%{p0}"); - - var part25 = match("MESSAGE#15:event_smtp:11/3_0", "nwparser.p0", "%{fld1}, xdelay=%{fld2}, mailer=%{protocol}, pri=%{fld3}, relay=%{shost}\""); - - var part26 = match("MESSAGE#15:event_smtp:11/3_1", "nwparser.p0", "%{fld1}, xdelay=%{fld2}, mailer=%{protocol}, pri=%{fld3}\""); - - var part27 = match("MESSAGE#15:event_smtp:11/3_2", "nwparser.p0", "%{fld1}, xdelay=%{fld2}, mailer=%{protocol}\""); - - var part28 = match("MESSAGE#15:event_smtp:11/3_3", "nwparser.p0", "%{fld1}\""); - - var select6 = linear_select([ - part25, - part26, - part27, - part28, - ]); - - var all13 = all_match({ - processors: [ - dup18, - dup65, - part24, - select6, - ], - on_success: processor_chain([ - dup17, - dup8, - dup9, - dup10, - dup11, - dup12, - dup13, - dup14, - dup15, - ]), - }); - - var msg16 = msg("event_smtp:11", all13); - - var part29 = match("MESSAGE#16:event_smtp/2", "nwparser.p0", "%{action->} status=%{event_state->} session_id=%{p0}"); - - var all14 = all_match({ - processors: [ - dup2, - dup63, - part29, - dup68, - dup64, - ], - on_success: processor_chain([ - dup17, - dup8, - dup9, - dup10, - dup11, - dup12, - dup13, - dup14, - dup15, - ]), - }); - - var msg17 = msg("event_smtp", all14); - - var part30 = tagval("MESSAGE#17:event_smtp:12", 
"nwparser.payload", tvm, { - "action": "action", - "log_part": "id1", - "msg": "info", - "session_id": "sessionid", - "status": "event_state", - "ui": "network_service", - "user": "username", - }, processor_chain([ - dup17, - dup8, - dup9, - dup10, - dup11, - dup12, - dup13, - dup14, - dup15, - ])); - - var msg18 = msg("event_smtp:12", part30); - - var select7 = linear_select([ - msg6, - msg7, - msg8, - msg9, - msg10, - msg11, - msg12, - msg13, - msg14, - msg15, - msg16, - msg17, - msg18, - ]); - - var part31 = match("MESSAGE#18:event_update/0", "nwparser.payload", "msg=%{p0}"); - - var all15 = all_match({ - processors: [ - part31, - dup64, - ], - on_success: processor_chain([ - dup17, - dup8, - dup9, - dup10, - dup11, - dup12, - dup13, - dup14, - dup15, - ]), - }); - - var msg19 = msg("event_update", all15); - - var part32 = match("MESSAGE#19:event_config/1_0", "nwparser.p0", "%{network_service}(%{saddr}) module=%{p0}"); - - var part33 = match("MESSAGE#19:event_config/1_1", "nwparser.p0", "%{network_service->} module=%{p0}"); - - var select8 = linear_select([ - part32, - part33, - ]); - - var part34 = match("MESSAGE#19:event_config/2", "nwparser.p0", "%{fld1->} submodule=%{fld2->} msg=%{p0}"); - - var all16 = all_match({ - processors: [ - dup2, - select8, - part34, - dup64, - ], - on_success: processor_chain([ - setc("eventcategory","1701000000"), - dup8, - dup9, - dup10, - dup11, - dup12, - dup13, - dup14, - dup15, - ]), - }); - - var msg20 = msg("event_config", all16); - - var select9 = linear_select([ - dup31, - dup32, - ]); - - var all17 = all_match({ - processors: [ - dup26, - dup69, - dup70, - select9, - dup68, - dup64, - ], - on_success: processor_chain([ - dup33, - dup8, - dup9, - dup10, - dup11, - dup12, - dup34, - dup15, - ]), - }); - - var msg21 = msg("virus", all17); - - var part35 = match("MESSAGE#21:virus_infected/2_0", "nwparser.p0", "\"%{to}\" client_name=\"%{p0}"); - - var part36 = match("MESSAGE#21:virus_infected/2_1", "nwparser.p0", "%{to->} 
client_name=\"%{p0}"); - - var select10 = linear_select([ - part35, - part36, - ]); - - var part37 = match("MESSAGE#21:virus_infected/3", "nwparser.p0", "%{fqdn}\" client_ip=\"%{saddr}\" session_id=%{p0}"); - - var all18 = all_match({ - processors: [ - dup26, - dup69, - select10, - part37, - dup68, - dup64, - ], - on_success: processor_chain([ - dup33, - dup8, - dup9, - dup10, - dup11, - dup12, - dup13, - dup15, - ]), - }); - - var msg22 = msg("virus_infected", all18); - - var part38 = match("MESSAGE#22:virus_file-signature/0_0", "nwparser.payload", "from=\"%{from}\" to=%{p0}"); - - var part39 = match("MESSAGE#22:virus_file-signature/0_1", "nwparser.payload", "%{from->} to=%{p0}"); - - var select11 = linear_select([ - part38, - part39, - ]); - - var part40 = match("MESSAGE#22:virus_file-signature/2_0", "nwparser.p0", "\"%{sdomain->} [%{saddr}]\" session_id=%{p0}"); - - var part41 = match("MESSAGE#22:virus_file-signature/2_1", "nwparser.p0", "%{sdomain->} [%{saddr}] session_id=%{p0}"); - - var part42 = match("MESSAGE#22:virus_file-signature/2_2", "nwparser.p0", "\"[%{saddr}]\" session_id=%{p0}"); - - var part43 = match("MESSAGE#22:virus_file-signature/2_3", "nwparser.p0", "[%{saddr}] session_id=%{p0}"); - - var select12 = linear_select([ - part40, - part41, - part42, - part43, - dup31, - dup32, - ]); - - var part44 = match("MESSAGE#22:virus_file-signature/4_0", "nwparser.p0", "\"Attachment file (%(unknown)) has sha1 hash value: %{checksum}\""); - - var select13 = linear_select([ - part44, - dup5, - dup6, - ]); - - var all19 = all_match({ - processors: [ - select11, - dup70, - select12, - dup68, - select13, - ], - on_success: processor_chain([ - dup33, - dup8, - dup9, - dup10, - dup11, - dup12, - dup34, - dup15, - ]), - }); - - var msg23 = msg("virus_file-signature", all19); - - var part45 = match("MESSAGE#23:statistics/5", "nwparser.p0", "%{}MSISDN=%{fld3->} resolved=%{p0}"); - - var all20 = all_match({ - processors: [ - dup35, - dup71, - dup72, - dup73, - dup74, - 
part45, - dup75, - dup76, - dup77, - dup51, - dup78, - dup79, - dup80, - dup81, - ], - on_success: processor_chain([ - dup60, - dup8, - dup9, - dup10, - dup11, - dup12, - dup34, - dup15, - ]), - }); - - var msg24 = msg("statistics", all20); - - var all21 = all_match({ - processors: [ - dup35, - dup71, - dup72, - dup73, - dup74, - dup61, - dup75, - dup76, - dup77, - dup51, - dup78, - dup79, - dup80, - dup81, - ], - on_success: processor_chain([ - dup60, - dup8, - dup9, - dup10, - dup11, - dup12, - dup34, - dup15, - ]), - }); - - var msg25 = msg("statistics:01", all21); - - var part46 = match("MESSAGE#25:statistics:02/4_0", "nwparser.p0", "\"%{direction}\" subject=%{p0}"); - - var part47 = match("MESSAGE#25:statistics:02/4_1", "nwparser.p0", "%{direction->} subject=%{p0}"); - - var select14 = linear_select([ - part46, - part47, - ]); - - var part48 = match("MESSAGE#25:statistics:02/5_0", "nwparser.p0", "\"%{subject}\" classifier=%{p0}"); - - var part49 = match("MESSAGE#25:statistics:02/5_1", "nwparser.p0", "%{subject->} classifier=%{p0}"); - - var select15 = linear_select([ - part48, - part49, - ]); - - var part50 = match("MESSAGE#25:statistics:02/6_0", "nwparser.p0", "\"%{filter}\" disposition=%{p0}"); - - var part51 = match("MESSAGE#25:statistics:02/6_1", "nwparser.p0", "%{filter->} disposition=%{p0}"); - - var select16 = linear_select([ - part50, - part51, - ]); - - var part52 = match("MESSAGE#25:statistics:02/7_0", "nwparser.p0", "\"%{disposition}\" client_name=\"%{p0}"); - - var part53 = match("MESSAGE#25:statistics:02/7_1", "nwparser.p0", "%{disposition->} client_name=\"%{p0}"); - - var select17 = linear_select([ - part52, - part53, - ]); - - var part54 = match("MESSAGE#25:statistics:02/10_0", "nwparser.p0", "\"%{context}\" virus=%{p0}"); - - var part55 = match("MESSAGE#25:statistics:02/10_1", "nwparser.p0", "%{context->} virus=%{p0}"); - - var select18 = linear_select([ - part54, - part55, - ]); - - var part56 = match("MESSAGE#25:statistics:02/11_0", 
"nwparser.p0", "\"%{virusname}\" message_length=%{p0}"); - - var part57 = match("MESSAGE#25:statistics:02/11_1", "nwparser.p0", "%{virusname->} message_length=%{p0}"); - - var select19 = linear_select([ - part56, - part57, - ]); - - var part58 = match_copy("MESSAGE#25:statistics:02/12", "nwparser.p0", "fld4"); - - var all22 = all_match({ - processors: [ - dup35, - dup71, - dup69, - dup76, - select14, - select15, - select16, - select17, - dup74, - dup61, - select18, - select19, - part58, - ], - on_success: processor_chain([ - dup60, - dup8, - dup9, - dup10, - dup11, - dup12, - dup34, - dup15, - ]), - }); - - var msg26 = msg("statistics:02", all22); - - var part59 = match("MESSAGE#26:statistics:03/0", "nwparser.payload", "session_id=\"%{sessionid}\" client_name=\"%{p0}"); - - var part60 = match("MESSAGE#26:statistics:03/1_0", "nwparser.p0", "%{fqdn}[%{saddr}] (may be forged)\"%{p0}"); - - var part61 = match("MESSAGE#26:statistics:03/1_1", "nwparser.p0", "%{fqdn}[%{saddr}]\"%{p0}"); - - var part62 = match("MESSAGE#26:statistics:03/1_2", "nwparser.p0", "[%{saddr}]\"%{p0}"); - - var select20 = linear_select([ - part60, - part61, - part62, - ]); - - var part63 = match("MESSAGE#26:statistics:03/2", "nwparser.p0", "dst_ip=\"%{daddr}\" from=\"%{from}\" to=\"%{to}\"%{p0}"); - - var part64 = match("MESSAGE#26:statistics:03/3_0", "nwparser.p0", " polid=\"%{fld5}\" domain=\"%{domain}\" subject=\"%{subject}\" mailer=\"%{agent}\" resolved=\"%{context}\"%{p0}"); - - var part65 = match_copy("MESSAGE#26:statistics:03/3_1", "nwparser.p0", "p0"); - - var select21 = linear_select([ - part64, - part65, - ]); - - var part66 = match("MESSAGE#26:statistics:03/4", "nwparser.p0", "%{}direction=\"%{direction}\" virus=\"%{virusname}\" disposition=\"%{disposition}\" classifier=\"%{filter}\" message_length=%{fld4}"); - - var all23 = all_match({ - processors: [ - part59, - select20, - part63, - select21, - part66, - ], - on_success: processor_chain([ - dup60, - dup8, - dup9, - dup10, - dup11, - 
dup12, - dup34, - dup15, - ]), - }); - - var msg27 = msg("statistics:03", all23); - - var part67 = match("MESSAGE#27:statistics:04/1_0", "nwparser.p0", "\"%{sessionid}\" client_name=%{p0}"); - - var part68 = match("MESSAGE#27:statistics:04/1_1", "nwparser.p0", "%{sessionid->} client_name=%{p0}"); - - var select22 = linear_select([ - part67, - part68, - ]); - - var part69 = match("MESSAGE#27:statistics:04/2_0", "nwparser.p0", "\"%{fqdn}[%{saddr}]\"dst_ip=%{p0}"); - - var part70 = match("MESSAGE#27:statistics:04/2_1", "nwparser.p0", "%{fqdn}[%{saddr}]dst_ip=%{p0}"); - - var part71 = match("MESSAGE#27:statistics:04/2_2", "nwparser.p0", "\"[%{saddr}]\"dst_ip=%{p0}"); - - var part72 = match("MESSAGE#27:statistics:04/2_3", "nwparser.p0", "[%{saddr}]dst_ip=%{p0}"); - - var part73 = match("MESSAGE#27:statistics:04/2_4", "nwparser.p0", "\"%{saddr}\"dst_ip=%{p0}"); - - var part74 = match("MESSAGE#27:statistics:04/2_5", "nwparser.p0", "%{saddr}dst_ip=%{p0}"); - - var select23 = linear_select([ - part69, - part70, - part71, - part72, - part73, - part74, - ]); - - var part75 = match("MESSAGE#27:statistics:04/3_0", "nwparser.p0", "\"%{daddr}\" from=%{p0}"); - - var part76 = match("MESSAGE#27:statistics:04/3_1", "nwparser.p0", "%{daddr->} from=%{p0}"); - - var select24 = linear_select([ - part75, - part76, - ]); - - var part77 = match("MESSAGE#27:statistics:04/4_0", "nwparser.p0", "\"%{from}\" hfrom=%{p0}"); - - var part78 = match("MESSAGE#27:statistics:04/4_1", "nwparser.p0", "%{from->} hfrom=%{p0}"); - - var select25 = linear_select([ - part77, - part78, - ]); - - var part79 = match("MESSAGE#27:statistics:04/5_0", "nwparser.p0", "\"%{fld3}\" to=%{p0}"); - - var part80 = match("MESSAGE#27:statistics:04/5_1", "nwparser.p0", "%{fld3->} to=%{p0}"); - - var select26 = linear_select([ - part79, - part80, - ]); - - var part81 = match("MESSAGE#27:statistics:04/6_0", "nwparser.p0", "\"%{to}\" polid=%{p0}"); - - var part82 = match("MESSAGE#27:statistics:04/6_1", "nwparser.p0", "%{to->} 
polid=%{p0}"); - - var select27 = linear_select([ - part81, - part82, - ]); - - var part83 = match("MESSAGE#27:statistics:04/7_0", "nwparser.p0", "\"%{fld5}\" domain=%{p0}"); - - var part84 = match("MESSAGE#27:statistics:04/7_1", "nwparser.p0", "%{fld5->} domain=%{p0}"); - - var select28 = linear_select([ - part83, - part84, - ]); - - var part85 = match("MESSAGE#27:statistics:04/8_0", "nwparser.p0", "\"%{domain}\" subject=%{p0}"); - - var part86 = match("MESSAGE#27:statistics:04/8_1", "nwparser.p0", "%{domain->} subject=%{p0}"); - - var select29 = linear_select([ - part85, - part86, - ]); - - var part87 = match("MESSAGE#27:statistics:04/9_0", "nwparser.p0", "\"%{subject}\" mailer=%{p0}"); - - var part88 = match("MESSAGE#27:statistics:04/9_1", "nwparser.p0", "%{subject->} mailer=%{p0}"); - - var select30 = linear_select([ - part87, - part88, - ]); - - var part89 = match("MESSAGE#27:statistics:04/10_0", "nwparser.p0", "\"%{agent}\" resolved=%{p0}"); - - var part90 = match("MESSAGE#27:statistics:04/10_1", "nwparser.p0", "%{agent->} resolved=%{p0}"); - - var select31 = linear_select([ - part89, - part90, - ]); - - var part91 = match("MESSAGE#27:statistics:04/11_0", "nwparser.p0", "\"%{context}\" direction=%{p0}"); - - var part92 = match("MESSAGE#27:statistics:04/11_1", "nwparser.p0", "%{context->} direction=%{p0}"); - - var select32 = linear_select([ - part91, - part92, - ]); - - var part93 = match("MESSAGE#27:statistics:04/12_0", "nwparser.p0", "\"%{direction}\" virus=%{p0}"); - - var part94 = match("MESSAGE#27:statistics:04/12_1", "nwparser.p0", "%{direction->} virus=%{p0}"); - - var select33 = linear_select([ - part93, - part94, - ]); - - var part95 = match("MESSAGE#27:statistics:04/15_0", "nwparser.p0", "\"%{filter}\" message_length=%{p0}"); - - var part96 = match("MESSAGE#27:statistics:04/15_1", "nwparser.p0", "%{filter->} message_length=%{p0}"); - - var select34 = linear_select([ - part95, - part96, - ]); - - var part97 = match("MESSAGE#27:statistics:04/16_0", 
"nwparser.p0", "\"%{fld6}\""); - - var part98 = match_copy("MESSAGE#27:statistics:04/16_1", "nwparser.p0", "fld6"); - - var select35 = linear_select([ - part97, - part98, - ]); - - var all24 = all_match({ - processors: [ - dup35, - select22, - select23, - select24, - select25, - select26, - select27, - select28, - select29, - select30, - select31, - select32, - select33, - dup78, - dup79, - select34, - select35, - ], - on_success: processor_chain([ - dup60, - dup8, - dup9, - dup10, - dup11, - dup12, - dup34, - dup15, - ]), - }); - - var msg28 = msg("statistics:04", all24); - - var part99 = tagval("MESSAGE#28:statistics:05", "nwparser.payload", tvm, { - "classifier": "filter", - "client_ip": "saddr", - "client_name": "fqdn", - "direction": "direction", - "disposition": "disposition", - "domain": "domain", - "dst_ip": "daddr", - "from": "from", - "hfrom": "fld3", - "mailer": "agent", - "message_length": "fld6", - "polid": "fld5", - "resolved": "context", - "session_id": "sessionid", - "src_type": "fld7", - "subject": "subject", - "to": "to", - "virus": "virusname", - }, processor_chain([ - dup60, - dup8, - dup9, - dup10, - dup11, - dup12, - dup34, - dup15, - ])); - - var msg29 = msg("statistics:05", part99); - - var select36 = linear_select([ - msg24, - msg25, - msg26, - msg27, - msg28, - msg29, - ]); - - var part100 = match("MESSAGE#29:spam/1_0", "nwparser.p0", "\"%{sessionid}\" client_name=\"%{p0}"); - - var part101 = match("MESSAGE#29:spam/1_1", "nwparser.p0", "%{sessionid->} client_name=\"%{p0}"); - - var select37 = linear_select([ - part100, - part101, - ]); - - var part102 = match("MESSAGE#29:spam/3", "nwparser.p0", "%{}from=%{p0}"); - - var part103 = match("MESSAGE#29:spam/5_0", "nwparser.p0", "\"%{to}\" subject=%{p0}"); - - var part104 = match("MESSAGE#29:spam/5_1", "nwparser.p0", "%{to->} subject=%{p0}"); - - var select38 = linear_select([ - part103, - part104, - ]); - - var part105 = match("MESSAGE#29:spam/6_0", "nwparser.p0", "\"%{subject}\" msg=%{p0}"); - 
- var part106 = match("MESSAGE#29:spam/6_1", "nwparser.p0", "%{subject->} msg=%{p0}"); - - var select39 = linear_select([ - part105, - part106, - ]); - - var all25 = all_match({ - processors: [ - dup35, - select37, - dup74, - part102, - dup69, - select38, - select39, - dup64, - ], - on_success: processor_chain([ - dup62, - dup8, - dup9, - dup10, - dup11, - dup12, - dup34, - dup15, - ]), - }); - - var msg30 = msg("spam", all25); - - var part107 = match("MESSAGE#30:spam:04", "nwparser.payload", "session_id=\"%{sessionid}\" client_name=\"%{fqdn->} [%{saddr}] (%{fld2})\" dst_ip=\"%{daddr}\" from=\"%{from}\" to=\"%{to}\" subject=\"%{subject}\" msg=\"%{event_description}\"", processor_chain([ - dup62, - dup8, - dup9, - dup10, - dup11, - dup12, - dup34, - dup15, - ])); - - var msg31 = msg("spam:04", part107); - - var part108 = match("MESSAGE#31:spam:03/0", "nwparser.payload", "session_id=\"%{sessionid}\" client_name=%{p0}"); - - var part109 = match("MESSAGE#31:spam:03/1_0", "nwparser.p0", "\"%{fqdn->} [%{saddr}]\" %{p0}"); - - var part110 = match("MESSAGE#31:spam:03/1_1", "nwparser.p0", " \"%{fqdn}\" client_ip=\"%{saddr}\"%{p0}"); - - var select40 = linear_select([ - part109, - part110, - ]); - - var part111 = match("MESSAGE#31:spam:03/2", "nwparser.p0", "%{}dst_ip=\"%{daddr}\" from=\"%{from}\" to=\"%{to}\" subject=\"%{subject}\" msg=\"%{event_description}\""); - - var all26 = all_match({ - processors: [ - part108, - select40, - part111, - ], - on_success: processor_chain([ - dup62, - dup8, - dup9, - dup10, - dup11, - dup12, - dup34, - dup15, - ]), - }); - - var msg32 = msg("spam:03", all26); - - var part112 = match("MESSAGE#32:spam:02", "nwparser.payload", "session_id=\"%{sessionid}\" from=\"%{from}\" to=\"%{to}\" subject=\"%{subject}\" msg=\"%{event_description}\"", processor_chain([ - dup62, - dup8, - dup9, - dup10, - dup11, - dup12, - dup34, - dup15, - ])); - - var msg33 = msg("spam:02", part112); - - var part113 = match("MESSAGE#33:spam:01/3_0", "nwparser.p0", 
"\"%{to}\" msg=%{p0}"); - - var part114 = match("MESSAGE#33:spam:01/3_1", "nwparser.p0", "%{to->} msg=%{p0}"); - - var select41 = linear_select([ - part113, - part114, - ]); - - var all27 = all_match({ - processors: [ - dup35, - dup71, - dup69, - select41, - dup64, - ], - on_success: processor_chain([ - dup62, - dup8, - dup9, - dup10, - dup11, - dup12, - dup34, - dup15, - ]), - }); - - var msg34 = msg("spam:01", all27); - - var select42 = linear_select([ - msg30, - msg31, - msg32, - msg33, - msg34, - ]); - - var chain1 = processor_chain([ - select1, - msgid_select({ - "event_admin": msg1, - "event_config": msg20, - "event_imap": msg5, - "event_pop3": msg2, - "event_smtp": select7, - "event_system": msg4, - "event_update": msg19, - "event_webmail": msg3, - "spam": select42, - "statistics": select36, - "virus": msg21, - "virus_file-signature": msg23, - "virus_infected": msg22, - }), - ]); - - var part115 = match("MESSAGE#0:event_admin/0", "nwparser.payload", "user=%{username->} ui=%{p0}"); - - var part116 = match("MESSAGE#0:event_admin/1_0", "nwparser.p0", "%{network_service}(%{saddr}) action=%{p0}"); - - var part117 = match("MESSAGE#0:event_admin/1_1", "nwparser.p0", "%{network_service->} action=%{p0}"); - - var part118 = match("MESSAGE#0:event_admin/3_0", "nwparser.p0", "\"%{event_description}\""); - - var part119 = match_copy("MESSAGE#0:event_admin/3_1", "nwparser.p0", "event_description"); - - var part120 = match("MESSAGE#1:event_pop3/2", "nwparser.p0", "%{action->} status=%{event_state->} msg=%{p0}"); - - var part121 = match("MESSAGE#5:event_smtp:01/0", "nwparser.payload", "user=%{username}ui=%{p0}"); - - var part122 = match("MESSAGE#5:event_smtp:01/1_0", "nwparser.p0", "%{network_service}(%{hostip}) action=%{p0}"); - - var part123 = match("MESSAGE#5:event_smtp:01/1_1", "nwparser.p0", "%{network_service}action=%{p0}"); - - var part124 = match("MESSAGE#5:event_smtp:01/2", "nwparser.p0", "%{action}status=%{event_state}session_id=%{p0}"); - - var part125 = 
match("MESSAGE#5:event_smtp:01/3_0", "nwparser.p0", "\"%{sessionid}\"msg=\"STARTTLS=%{p0}"); - - var part126 = match("MESSAGE#5:event_smtp:01/3_1", "nwparser.p0", "%{sessionid}msg=\"STARTTLS=%{p0}"); - - var part127 = match("MESSAGE#16:event_smtp/3_0", "nwparser.p0", "\"%{sessionid}\" msg=%{p0}"); - - var part128 = match("MESSAGE#16:event_smtp/3_1", "nwparser.p0", "%{sessionid->} msg=%{p0}"); - - var part129 = match("MESSAGE#20:virus/0", "nwparser.payload", "from=%{p0}"); - - var part130 = match("MESSAGE#20:virus/1_0", "nwparser.p0", "\"%{from}\" to=%{p0}"); - - var part131 = match("MESSAGE#20:virus/1_1", "nwparser.p0", "%{from->} to=%{p0}"); - - var part132 = match("MESSAGE#20:virus/2_0", "nwparser.p0", "\"%{to}\" src=%{p0}"); - - var part133 = match("MESSAGE#20:virus/2_1", "nwparser.p0", "%{to->} src=%{p0}"); - - var part134 = match("MESSAGE#20:virus/3_0", "nwparser.p0", "\"%{saddr}\" session_id=%{p0}"); - - var part135 = match("MESSAGE#20:virus/3_1", "nwparser.p0", "%{saddr->} session_id=%{p0}"); - - var part136 = match("MESSAGE#23:statistics/0", "nwparser.payload", "session_id=%{p0}"); - - var part137 = match("MESSAGE#23:statistics/1_0", "nwparser.p0", "\"%{sessionid}\" from=%{p0}"); - - var part138 = match("MESSAGE#23:statistics/1_1", "nwparser.p0", "%{sessionid->} from=%{p0}"); - - var part139 = match("MESSAGE#23:statistics/2_0", "nwparser.p0", "\"%{from}\" mailer=%{p0}"); - - var part140 = match("MESSAGE#23:statistics/2_1", "nwparser.p0", "%{from->} mailer=%{p0}"); - - var part141 = match("MESSAGE#23:statistics/3_0", "nwparser.p0", "\"%{agent}\" client_name=\"%{p0}"); - - var part142 = match("MESSAGE#23:statistics/3_1", "nwparser.p0", "%{agent->} client_name=\"%{p0}"); - - var part143 = match("MESSAGE#23:statistics/4_0", "nwparser.p0", "%{fqdn->} [%{saddr}] (%{info})\"%{p0}"); - - var part144 = match("MESSAGE#23:statistics/4_1", "nwparser.p0", "%{fqdn->} [%{saddr}]\"%{p0}"); - - var part145 = match("MESSAGE#23:statistics/4_2", "nwparser.p0", 
"%{saddr}\"%{p0}"); - - var part146 = match("MESSAGE#23:statistics/6_0", "nwparser.p0", "\"%{context}\" to=%{p0}"); - - var part147 = match("MESSAGE#23:statistics/6_1", "nwparser.p0", "%{context->} to=%{p0}"); - - var part148 = match("MESSAGE#23:statistics/7_0", "nwparser.p0", "\"%{to}\" direction=%{p0}"); - - var part149 = match("MESSAGE#23:statistics/7_1", "nwparser.p0", "%{to->} direction=%{p0}"); - - var part150 = match("MESSAGE#23:statistics/8_0", "nwparser.p0", "\"%{direction}\" message_length=%{p0}"); - - var part151 = match("MESSAGE#23:statistics/8_1", "nwparser.p0", "%{direction->} message_length=%{p0}"); - - var part152 = match("MESSAGE#23:statistics/9", "nwparser.p0", "%{fld4->} virus=%{p0}"); - - var part153 = match("MESSAGE#23:statistics/10_0", "nwparser.p0", "\"%{virusname}\" disposition=%{p0}"); - - var part154 = match("MESSAGE#23:statistics/10_1", "nwparser.p0", "%{virusname->} disposition=%{p0}"); - - var part155 = match("MESSAGE#23:statistics/11_0", "nwparser.p0", "\"%{disposition}\" classifier=%{p0}"); - - var part156 = match("MESSAGE#23:statistics/11_1", "nwparser.p0", "%{disposition->} classifier=%{p0}"); - - var part157 = match("MESSAGE#23:statistics/12_0", "nwparser.p0", "\"%{filter}\" subject=%{p0}"); - - var part158 = match("MESSAGE#23:statistics/12_1", "nwparser.p0", "%{filter->} subject=%{p0}"); - - var part159 = match("MESSAGE#23:statistics/13_0", "nwparser.p0", "\"%{subject}\""); - - var part160 = match_copy("MESSAGE#23:statistics/13_1", "nwparser.p0", "subject"); - - var part161 = match("MESSAGE#24:statistics:01/5", "nwparser.p0", "%{}resolved=%{p0}"); - - var select43 = linear_select([ - dup3, - dup4, - ]); - - var select44 = linear_select([ - dup5, - dup6, - ]); - - var select45 = linear_select([ - dup19, - dup20, - ]); - - var select46 = linear_select([ - dup22, - dup23, - ]); - - var select47 = linear_select([ - dup3, - dup20, - ]); - - var select48 = linear_select([ - dup24, - dup25, - ]); - - var select49 = linear_select([ - 
dup27,
- dup28,
- ]);
-
- var select50 = linear_select([
- dup29,
- dup30,
- ]);
-
- var select51 = linear_select([
- dup36,
- dup37,
- ]);
-
- var select52 = linear_select([
- dup38,
- dup39,
- ]);
-
- var select53 = linear_select([
- dup40,
- dup41,
- ]);
-
- var select54 = linear_select([
- dup42,
- dup43,
- dup44,
- ]);
-
- var select55 = linear_select([
- dup45,
- dup46,
- ]);
-
- var select56 = linear_select([
- dup47,
- dup48,
- ]);
-
- var select57 = linear_select([
- dup49,
- dup50,
- ]);
-
- var select58 = linear_select([
- dup52,
- dup53,
- ]);
-
- var select59 = linear_select([
- dup54,
- dup55,
- ]);
-
- var select60 = linear_select([
- dup56,
- dup57,
- ]);
-
- var select61 = linear_select([
- dup58,
- dup59,
- ]);
-
- var all28 = all_match({
- processors: [
- dup2,
- dup63,
- dup16,
- dup64,
- ],
- on_success: processor_chain([
- dup17,
- dup8,
- dup9,
- dup10,
- dup11,
- dup12,
- dup13,
- dup14,
- dup15,
- ]),
- });
-
-- community_id:
-- registered_domain:
- ignore_missing: true
- ignore_failure: true
- field: dns.question.name
- target_field: dns.question.registered_domain
- target_subdomain_field: dns.question.subdomain
- target_etld_field: dns.question.top_level_domain
-- registered_domain:
- ignore_missing: true
- ignore_failure: true
- field: client.domain
- target_field: client.registered_domain
- target_subdomain_field: client.subdomain
- target_etld_field: client.top_level_domain
-- registered_domain:
- ignore_missing: true
- ignore_failure: true
- field: server.domain
- target_field: server.registered_domain
- target_subdomain_field: server.subdomain
- target_etld_field: server.top_level_domain
-- registered_domain:
- ignore_missing: true
- ignore_failure: true
- field: destination.domain
- target_field: destination.registered_domain
- target_subdomain_field: destination.subdomain
- target_etld_field: destination.top_level_domain
-- registered_domain:
- ignore_missing: true
- ignore_failure: true
- field: source.domain
- target_field: source.registered_domain
- target_subdomain_field: source.subdomain
- target_etld_field: source.top_level_domain
-- registered_domain:
- ignore_missing: true
- ignore_failure: true
- field: url.domain
- target_field: url.registered_domain
- target_subdomain_field: url.subdomain
- target_etld_field: url.top_level_domain
-- add_locale: ~
diff --git a/packages/fortinet_fortimail/1.1.1/data_stream/log/agent/stream/udp.yml.hbs b/packages/fortinet_fortimail/1.1.1/data_stream/log/agent/stream/udp.yml.hbs
deleted file mode 100755
index 62ba2d5ec0..0000000000
--- a/packages/fortinet_fortimail/1.1.1/data_stream/log/agent/stream/udp.yml.hbs
+++ /dev/null
@@ -1,4291 +0,0 @@
-udp:
-host: "{{udp_host}}:{{udp_port}}"
-tags:
-{{#if preserve_original_event}}
- - preserve_original_event
-{{/if}}
-{{#each tags as |tag i|}}
- - {{tag}}
-{{/each}}
-{{#contains "forwarded" tags}}
-publisher_pipeline.disable_host: true
-{{/contains}}
-processors:
-{{#if processors}}
-{{processors}}
-{{/if}}
-- script:
- lang: javascript
- params:
- ecs: true
- rsa: {{rsa_fields}}
- tz_offset: {{tz_offset}}
- keep_raw: {{keep_raw_fields}}
- debug: {{debug}}
- source: |
- // Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
- // or more contributor license agreements. Licensed under the Elastic License;
- // you may not use this file except in compliance with the Elastic License.
-
- /* jshint -W014,-W016,-W097,-W116 */
-
- var processor = require("processor");
- var console = require("console");
-
- var FLAG_FIELD = "log.flags";
- var FIELDS_OBJECT = "nwparser";
- var FIELDS_PREFIX = FIELDS_OBJECT + ".";
-
- var defaults = {
- debug: false,
- ecs: true,
- rsa: false,
- keep_raw: false,
- tz_offset: "local",
- strip_priority: true
- };
-
- var saved_flags = null;
- var debug;
- var map_ecs;
- var map_rsa;
- var keep_raw;
- var device;
- var tz_offset;
- var strip_priority;
-
- // Register params from configuration.
- function register(params) {
- debug = params.debug !== undefined ? params.debug : defaults.debug;
- map_ecs = params.ecs !== undefined ? params.ecs : defaults.ecs;
- map_rsa = params.rsa !== undefined ? params.rsa : defaults.rsa;
- keep_raw = params.keep_raw !== undefined ? params.keep_raw : defaults.keep_raw;
- tz_offset = parse_tz_offset(params.tz_offset !== undefined? params.tz_offset : defaults.tz_offset);
- strip_priority = params.strip_priority !== undefined? params.strip_priority : defaults.strip_priority;
- device = new DeviceProcessor();
- }
-
- function parse_tz_offset(offset) {
- var date;
- var m;
- switch(offset) {
- // local uses the tz offset from the JS VM.
- case "local": - date = new Date(); - // Reversing the sign as we the offset from UTC, not to UTC. - return parse_local_tz_offset(-date.getTimezoneOffset()); - // event uses the tz offset from event.timezone (add_locale processor). - case "event": - return offset; - // Otherwise a tz offset in the form "[+-][0-9]{4}" is required. - default: - m = offset.match(/^([+\-])([0-9]{2}):?([0-9]{2})?$/); - if (m === null || m.length !== 4) { - throw("bad timezone offset: '" + offset + "'. Must have the form +HH:MM"); - } - return m[1] + m[2] + ":" + (m[3]!==undefined? m[3] : "00"); - } - } - - function parse_local_tz_offset(minutes) { - var neg = minutes < 0; - minutes = Math.abs(minutes); - var min = minutes % 60; - var hours = Math.floor(minutes / 60); - var pad2digit = function(n) { - if (n < 10) { return "0" + n;} - return "" + n; - }; - return (neg? "-" : "+") + pad2digit(hours) + ":" + pad2digit(min); - } - - function process(evt) { - // Function register is only called by the processor when `params` are set - // in the processor config. - if (device === undefined) { - register(defaults); - } - return device.process(evt); - } - - function processor_chain(subprocessors) { - var builder = new processor.Chain(); - subprocessors.forEach(builder.Add); - return builder.Build().Run; - } - - function linear_select(subprocessors) { - return function (evt) { - var flags = evt.Get(FLAG_FIELD); - var i; - for (i = 0; i < subprocessors.length; i++) { - evt.Delete(FLAG_FIELD); - if (debug) console.warn("linear_select trying entry " + i); - subprocessors[i](evt); - // Dissect processor succeeded? 
- if (evt.Get(FLAG_FIELD) == null) break; - if (debug) console.warn("linear_select failed entry " + i); - } - if (flags !== null) { - evt.Put(FLAG_FIELD, flags); - } - if (debug) { - if (i < subprocessors.length) { - console.warn("linear_select matched entry " + i); - } else { - console.warn("linear_select didn't match"); - } - } - }; - } - - function conditional(opt) { - return function(evt) { - if (opt.if(evt)) { - opt.then(evt); - } else if (opt.else) { - opt.else(evt); - } - }; - } - - var strip_syslog_priority = (function() { - var isEnabled = function() { return strip_priority === true; }; - var fetchPRI = field("_pri"); - var fetchPayload = field("payload"); - var removePayload = remove(["payload"]); - var cleanup = remove(["_pri", "payload"]); - var onMatch = function(evt) { - var pri, priStr = fetchPRI(evt); - if (priStr != null - && 0 < priStr.length && priStr.length < 4 - && !isNaN((pri = Number(priStr))) - && 0 <= pri && pri < 192) { - var severity = pri & 7, - facility = pri >> 3; - setc("_severity", "" + severity)(evt); - setc("_facility", "" + facility)(evt); - // Replace message with priority stripped. - evt.Put("message", fetchPayload(evt)); - removePayload(evt); - } else { - // not a valid syslog PRI, cleanup. 
- cleanup(evt); - } - }; - return conditional({ - if: isEnabled, - then: cleanup_flags(match( - "STRIP_PRI", - "message", - "<%{_pri}>%{payload}", - onMatch - )) - }); - })(); - - function match(id, src, pattern, on_success) { - var dissect = new processor.Dissect({ - field: src, - tokenizer: pattern, - target_prefix: FIELDS_OBJECT, - ignore_failure: true, - overwrite_keys: true, - trim_values: "right" - }); - return function (evt) { - var msg = evt.Get(src); - dissect.Run(evt); - var failed = evt.Get(FLAG_FIELD) != null; - if (debug) { - if (failed) { - console.debug("dissect fail: " + id + " field:" + src); - } else { - console.debug("dissect OK: " + id + " field:" + src); - } - console.debug(" expr: <<" + pattern + ">>"); - console.debug(" input: <<" + msg + ">>"); - } - if (on_success != null && !failed) { - on_success(evt); - } - }; - } - - function match_copy(id, src, dst, on_success) { - dst = FIELDS_PREFIX + dst; - if (dst === FIELDS_PREFIX || dst === src) { - return function (evt) { - if (debug) { - console.debug("noop OK: " + id + " field:" + src); - console.debug(" input: <<" + evt.Get(src) + ">>"); - } - if (on_success != null) on_success(evt); - } - } - return function (evt) { - var msg = evt.Get(src); - evt.Put(dst, msg); - if (debug) { - console.debug("copy OK: " + id + " field:" + src); - console.debug(" target: '" + dst + "'"); - console.debug(" input: <<" + msg + ">>"); - } - if (on_success != null) on_success(evt); - } - } - - function cleanup_flags(processor) { - return function(evt) { - processor(evt); - evt.Delete(FLAG_FIELD); - }; - } - - function all_match(opts) { - return function (evt) { - var i; - for (i = 0; i < opts.processors.length; i++) { - evt.Delete(FLAG_FIELD); - opts.processors[i](evt); - // Dissect processor succeeded? 
- if (evt.Get(FLAG_FIELD) != null) { - if (debug) console.warn("all_match failure at " + i); - if (opts.on_failure != null) opts.on_failure(evt); - return; - } - if (debug) console.warn("all_match success at " + i); - } - if (opts.on_success != null) opts.on_success(evt); - }; - } - - function msgid_select(mapping) { - return function (evt) { - var msgid = evt.Get(FIELDS_PREFIX + "messageid"); - if (msgid == null) { - if (debug) console.warn("msgid_select: no messageid captured!"); - return; - } - var next = mapping[msgid]; - if (next === undefined) { - if (debug) console.warn("msgid_select: no mapping for messageid:" + msgid); - return; - } - if (debug) console.info("msgid_select: matched key=" + msgid); - return next(evt); - }; - } - - function msg(msg_id, match) { - return function (evt) { - match(evt); - if (evt.Get(FLAG_FIELD) == null) { - evt.Put(FIELDS_PREFIX + "msg_id1", msg_id); - } - }; - } - - var start; - - function save_flags(evt) { - saved_flags = evt.Get(FLAG_FIELD); - evt.Put("event.original", evt.Get("message")); - } - - function restore_flags(evt) { - if (saved_flags !== null) { - evt.Put(FLAG_FIELD, saved_flags); - } - evt.Delete("message"); - } - - function constant(value) { - return function (evt) { - return value; - }; - } - - function field(name) { - var fullname = FIELDS_PREFIX + name; - return function (evt) { - return evt.Get(fullname); - }; - } - - function STRCAT(args) { - var s = ""; - var i; - for (i = 0; i < args.length; i++) { - s += args[i]; - } - return s; - } - - // TODO: Implement - function DIRCHK(args) { - unimplemented("DIRCHK"); - } - - function strictToInt(str) { - return str * 1; - } - - function CALC(args) { - if (args.length !== 3) { - console.warn("skipped call to CALC with " + args.length + " arguments."); - return; - } - var a = strictToInt(args[0]); - var b = strictToInt(args[2]); - if (isNaN(a) || isNaN(b)) { - console.warn("failed evaluating CALC arguments a='" + args[0] + "' b='" + args[2] + "'."); - return; - } - 
var result; - switch (args[1]) { - case "+": - result = a + b; - break; - case "-": - result = a - b; - break; - case "*": - result = a * b; - break; - default: - // Only * and + seen in the parsers. - console.warn("unknown CALC operation '" + args[1] + "'."); - return; - } - // Always return a string - return result !== undefined ? "" + result : result; - } - - var quoteChars = "\"'`"; - function RMQ(args) { - if(args.length !== 1) { - console.warn("RMQ: only one argument expected"); - return; - } - var value = args[0].trim(); - var n = value.length; - var char; - return n > 1 - && (char=value.charAt(0)) === value.charAt(n-1) - && quoteChars.indexOf(char) !== -1? - value.substr(1, n-2) - : value; - } - - function call(opts) { - var args = new Array(opts.args.length); - return function (evt) { - for (var i = 0; i < opts.args.length; i++) - if ((args[i] = opts.args[i](evt)) == null) return; - var result = opts.fn(args); - if (result != null) { - evt.Put(opts.dest, result); - } - }; - } - - function nop(evt) { - } - - function appendErrorMsg(evt, msg) { - var value = evt.Get("error.message"); - if (value == null) { - value = [msg]; - } else if (msg instanceof Array) { - value.push(msg); - } else { - value = [value, msg]; - } - evt.Put("error.message", value); - } - - function unimplemented(name) { - appendErrorMsg("unimplemented feature: " + name); - } - - function lookup(opts) { - return function (evt) { - var key = opts.key(evt); - if (key == null) return; - var value = opts.map.keyvaluepairs[key]; - if (value === undefined) { - value = opts.map.default; - } - if (value !== undefined) { - evt.Put(opts.dest, value(evt)); - } - }; - } - - function set(fields) { - return new processor.AddFields({ - target: FIELDS_OBJECT, - fields: fields, - }); - } - - function setf(dst, src) { - return function (evt) { - var val = evt.Get(FIELDS_PREFIX + src); - if (val != null) evt.Put(FIELDS_PREFIX + dst, val); - }; - } - - function setc(dst, value) { - return function (evt) { - 
evt.Put(FIELDS_PREFIX + dst, value); - }; - } - - function set_field(opts) { - return function (evt) { - var val = opts.value(evt); - if (val != null) evt.Put(opts.dest, val); - }; - } - - function dump(label) { - return function (evt) { - console.log("Dump of event at " + label + ": " + JSON.stringify(evt, null, "\t")); - }; - } - - function date_time_join_args(evt, arglist) { - var str = ""; - for (var i = 0; i < arglist.length; i++) { - var fname = FIELDS_PREFIX + arglist[i]; - var val = evt.Get(fname); - if (val != null) { - if (str !== "") str += " "; - str += val; - } else { - if (debug) console.warn("in date_time: input arg " + fname + " is not set"); - } - } - return str; - } - - function to2Digit(num) { - return num? (num < 10? "0" + num : num) : "00"; - } - - // Make two-digit dates 00-69 interpreted as 2000-2069 - // and dates 70-99 translated to 1970-1999. - var twoDigitYearEpoch = 70; - var twoDigitYearCentury = 2000; - - // This is to accept dates up to 2 days in the future, only used when - // no year is specified in a date. 2 days should be enough to account for - // time differences between systems and different tz offsets. - var maxFutureDelta = 2*24*60*60*1000; - - // DateContainer stores date fields and then converts those fields into - // a Date. Necessary because building a Date using its set() methods gives - // different results depending on the order of components. - function DateContainer(tzOffset) { - this.offset = tzOffset === undefined? "Z" : tzOffset; - } - - DateContainer.prototype = { - setYear: function(v) {this.year = v;}, - setMonth: function(v) {this.month = v;}, - setDay: function(v) {this.day = v;}, - setHours: function(v) {this.hours = v;}, - setMinutes: function(v) {this.minutes = v;}, - setSeconds: function(v) {this.seconds = v;}, - - setUNIX: function(v) {this.unix = v;}, - - set2DigitYear: function(v) { - this.year = v < twoDigitYearEpoch? 
twoDigitYearCentury + v : twoDigitYearCentury + v - 100; - }, - - toDate: function() { - if (this.unix !== undefined) { - return new Date(this.unix * 1000); - } - if (this.day === undefined || this.month === undefined) { - // Can't make a date from this. - return undefined; - } - if (this.year === undefined) { - // A date without a year. Set current year, or previous year - // if date would be in the future. - var now = new Date(); - this.year = now.getFullYear(); - var date = this.toDate(); - if (date.getTime() - now.getTime() > maxFutureDelta) { - date.setFullYear(now.getFullYear() - 1); - } - return date; - } - var MM = to2Digit(this.month); - var DD = to2Digit(this.day); - var hh = to2Digit(this.hours); - var mm = to2Digit(this.minutes); - var ss = to2Digit(this.seconds); - return new Date(this.year + "-" + MM + "-" + DD + "T" + hh + ":" + mm + ":" + ss + this.offset); - } - } - - function date_time_try_pattern(fmt, str, tzOffset) { - var date = new DateContainer(tzOffset); - var pos = date_time_try_pattern_at_pos(fmt, str, 0, date); - return pos !== undefined? 
date.toDate() : undefined; - } - - function date_time_try_pattern_at_pos(fmt, str, pos, date) { - var len = str.length; - for (var proc = 0; pos !== undefined && pos < len && proc < fmt.length; proc++) { - pos = fmt[proc](str, pos, date); - } - return pos; - } - - function date_time(opts) { - return function (evt) { - var tzOffset = opts.tz || tz_offset; - if (tzOffset === "event") { - tzOffset = evt.Get("event.timezone"); - } - var str = date_time_join_args(evt, opts.args); - for (var i = 0; i < opts.fmts.length; i++) { - var date = date_time_try_pattern(opts.fmts[i], str, tzOffset); - if (date !== undefined) { - evt.Put(FIELDS_PREFIX + opts.dest, date); - return; - } - } - if (debug) console.warn("in date_time: id=" + opts.id + " FAILED: " + str); - }; - } - - var uA = 60 * 60 * 24; - var uD = 60 * 60 * 24; - var uF = 60 * 60; - var uG = 60 * 60 * 24 * 30; - var uH = 60 * 60; - var uI = 60 * 60; - var uJ = 60 * 60 * 24; - var uM = 60 * 60 * 24 * 30; - var uN = 60 * 60; - var uO = 1; - var uS = 1; - var uT = 60; - var uU = 60; - var uc = dc; - - function duration(opts) { - return function(evt) { - var str = date_time_join_args(evt, opts.args); - for (var i = 0; i < opts.fmts.length; i++) { - var seconds = duration_try_pattern(opts.fmts[i], str); - if (seconds !== undefined) { - evt.Put(FIELDS_PREFIX + opts.dest, seconds); - return; - } - } - if (debug) console.warn("in duration: id=" + opts.id + " (s) FAILED: " + str); - }; - } - - function duration_try_pattern(fmt, str) { - var secs = 0; - var pos = 0; - for (var i=0; i [ month_id , how many chars to skip if month in long form ] - "Jan": [0, 4], - "Feb": [1, 5], - "Mar": [2, 2], - "Apr": [3, 2], - "May": [4, 0], - "Jun": [5, 1], - "Jul": [6, 1], - "Aug": [7, 3], - "Sep": [8, 6], - "Oct": [9, 4], - "Nov": [10, 5], - "Dec": [11, 4], - "jan": [0, 4], - "feb": [1, 5], - "mar": [2, 2], - "apr": [3, 2], - "may": [4, 0], - "jun": [5, 1], - "jul": [6, 1], - "aug": [7, 3], - "sep": [8, 6], - "oct": [9, 4], - "nov": [10, 
5], - "dec": [11, 4], - }; - - // var dC = undefined; - var dR = dateMonthName(true); - var dB = dateMonthName(false); - var dM = dateFixedWidthNumber("M", 2, 1, 12, DateContainer.prototype.setMonth); - var dG = dateVariableWidthNumber("G", 1, 12, DateContainer.prototype.setMonth); - var dD = dateFixedWidthNumber("D", 2, 1, 31, DateContainer.prototype.setDay); - var dF = dateVariableWidthNumber("F", 1, 31, DateContainer.prototype.setDay); - var dH = dateFixedWidthNumber("H", 2, 0, 24, DateContainer.prototype.setHours); - var dI = dateVariableWidthNumber("I", 0, 24, DateContainer.prototype.setHours); // Accept hours >12 - var dN = dateVariableWidthNumber("N", 0, 24, DateContainer.prototype.setHours); - var dT = dateFixedWidthNumber("T", 2, 0, 59, DateContainer.prototype.setMinutes); - var dU = dateVariableWidthNumber("U", 0, 59, DateContainer.prototype.setMinutes); - var dP = parseAMPM; // AM|PM - var dQ = parseAMPM; // A.M.|P.M - var dS = dateFixedWidthNumber("S", 2, 0, 60, DateContainer.prototype.setSeconds); - var dO = dateVariableWidthNumber("O", 0, 60, DateContainer.prototype.setSeconds); - var dY = dateFixedWidthNumber("Y", 2, 0, 99, DateContainer.prototype.set2DigitYear); - var dW = dateFixedWidthNumber("W", 4, 1000, 9999, DateContainer.prototype.setYear); - var dZ = parseHMS; - var dX = dateVariableWidthNumber("X", 0, 0x10000000000, DateContainer.prototype.setUNIX); - - // parseAMPM parses "A.M", "AM", "P.M", "PM" from logs. - // Only works if this modifier appears after the hour has been read from logs - // which is always the case in the 300 devices. 
- function parseAMPM(str, pos, date) { - var n = str.length; - var start = skipws(str, pos); - if (start + 2 > n) return; - var head = str.substr(start, 2).toUpperCase(); - var isPM = false; - var skip = false; - switch (head) { - case "A.": - skip = true; - /* falls through */ - case "AM": - break; - case "P.": - skip = true; - /* falls through */ - case "PM": - isPM = true; - break; - default: - if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(head:" + head + ")"); - return; - } - pos = start + 2; - if (skip) { - if (pos+2 > n || str.substr(pos, 2).toUpperCase() !== "M.") { - if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(tail)"); - return; - } - pos += 2; - } - var hh = date.hours; - if (isPM) { - // Accept existing hour in 24h format. - if (hh < 12) hh += 12; - } else { - if (hh === 12) hh = 0; - } - date.setHours(hh); - return pos; - } - - function parseHMS(str, pos, date) { - return date_time_try_pattern_at_pos([dN, dc(":"), dU, dc(":"), dO], str, pos, date); - } - - function skipws(str, pos) { - for ( var n = str.length; - pos < n && str.charAt(pos) === " "; - pos++) - ; - return pos; - } - - function skipdigits(str, pos) { - var c; - for (var n = str.length; - pos < n && (c = str.charAt(pos)) >= "0" && c <= "9"; - pos++) - ; - return pos; - } - - function dSkip(str, pos, date) { - var chr; - for (;pos < str.length && (chr=str[pos])<'0' || chr>'9'; pos++) {} - return pos < str.length? 
pos : undefined; - } - - function dateVariableWidthNumber(fmtChar, min, max, setter) { - return function (str, pos, date) { - var start = skipws(str, pos); - pos = skipdigits(str, start); - var s = str.substr(start, pos - start); - var value = parseInt(s, 10); - if (value >= min && value <= max) { - setter.call(date, value); - return pos; - } - return; - }; - } - - function dateFixedWidthNumber(fmtChar, width, min, max, setter) { - return function (str, pos, date) { - pos = skipws(str, pos); - var n = str.length; - if (pos + width > n) return; - var s = str.substr(pos, width); - var value = parseInt(s, 10); - if (value >= min && value <= max) { - setter.call(date, value); - return pos + width; - } - return; - }; - } - - // Short month name (Jan..Dec). - function dateMonthName(long) { - return function (str, pos, date) { - pos = skipws(str, pos); - var n = str.length; - if (pos + 3 > n) return; - var mon = str.substr(pos, 3); - var idx = shortMonths[mon]; - if (idx === undefined) { - idx = shortMonths[mon.toLowerCase()]; - } - if (idx === undefined) { - //console.warn("parsing date_time: '" + mon + "' is not a valid short month (%B)"); - return; - } - date.setMonth(idx[0]+1); - return pos + 3 + (long ? 
idx[1] : 0); - }; - } - - function url_wrapper(dst, src, fn) { - return function(evt) { - var value = evt.Get(FIELDS_PREFIX + src), result; - if (value != null && (result = fn(value))!== undefined) { - evt.Put(FIELDS_PREFIX + dst, result); - } else { - console.debug(fn.name + " failed for '" + value + "'"); - } - }; - } - - // The following regular expression for parsing URLs from: - // https://github.com/wizard04wsu/URI_Parsing - // - // The MIT License (MIT) - // - // Copyright (c) 2014 Andrew Harrison - // - // Permission is hereby granted, free of charge, to any person obtaining a copy of - // this software and associated documentation files (the "Software"), to deal in - // the Software without restriction, including without limitation the rights to - // use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of - // the Software, and to permit persons to whom the Software is furnished to do so, - // subject to the following conditions: - // - // The above copyright notice and this permission notice shall be included in all - // copies or substantial portions of the Software. - // - // THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR - // IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS - // FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR - // COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER - // IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN - // CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 
- var uriRegExp = /^([a-z][a-z0-9+.\-]*):(?:\/\/((?:(?=((?:[a-z0-9\-._~!$&'()*+,;=:]|%[0-9A-F]{2})*))(\3)@)?(?=(\[[0-9A-F:.]{2,}\]|(?:[a-z0-9\-._~!$&'()*+,;=]|%[0-9A-F]{2})*))\5(?::(?=(\d*))\6)?)(\/(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\8)?|(\/?(?!\/)(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\10)?)(?:\?(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\11)?(?:#(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\12)?$/i; - - var uriScheme = 1; - var uriDomain = 5; - var uriPort = 6; - var uriPath = 7; - var uriPathAlt = 9; - var uriQuery = 11; - - function domain(dst, src) { - return url_wrapper(dst, src, extract_domain); - } - - function split_url(value) { - var m = value.match(uriRegExp); - if (m && m[uriDomain]) return m; - // Support input in the form "www.example.net/path", but not "/path". - m = ("null://" + value).match(uriRegExp); - if (m) return m; - } - - function extract_domain(value) { - var m = split_url(value); - if (m && m[uriDomain]) return m[uriDomain]; - } - - var extFromPage = /\.[^.]+$/; - function extract_ext(value) { - var page = extract_page(value); - if (page) { - var m = page.match(extFromPage); - if (m) return m[0]; - } - } - - function ext(dst, src) { - return url_wrapper(dst, src, extract_ext); - } - - function fqdn(dst, src) { - // TODO: fqdn and domain(eTLD+1) are currently the same. - return domain(dst, src); - } - - var pageFromPathRegExp = /\/([^\/]+)$/; - var pageName = 1; - - function extract_page(value) { - value = extract_path(value); - if (!value) return undefined; - var m = value.match(pageFromPathRegExp); - if (m) return m[pageName]; - } - - function page(dst, src) { - return url_wrapper(dst, src, extract_page); - } - - function extract_path(value) { - var m = split_url(value); - return m? m[uriPath] || m[uriPathAlt] : undefined; - } - - function path(dst, src) { - return url_wrapper(dst, src, extract_path); - } - - // Map common schemes to their default port. 
- // port has to be a string (will be converted at a later stage). - var schemePort = { - "ftp": "21", - "ssh": "22", - "http": "80", - "https": "443", - }; - - function extract_port(value) { - var m = split_url(value); - if (!m) return undefined; - if (m[uriPort]) return m[uriPort]; - if (m[uriScheme]) { - return schemePort[m[uriScheme]]; - } - } - - function port(dst, src) { - return url_wrapper(dst, src, extract_port); - } - - function extract_query(value) { - var m = split_url(value); - if (m && m[uriQuery]) return m[uriQuery]; - } - - function query(dst, src) { - return url_wrapper(dst, src, extract_query); - } - - function extract_root(value) { - var m = split_url(value); - if (m && m[uriDomain] && m[uriDomain]) { - var scheme = m[uriScheme] && m[uriScheme] !== "null"? - m[uriScheme] + "://" : ""; - var port = m[uriPort]? ":" + m[uriPort] : ""; - return scheme + m[uriDomain] + port; - } - } - - function root(dst, src) { - return url_wrapper(dst, src, extract_root); - } - - function tagval(id, src, cfg, keys, on_success) { - var fail = function(evt) { - evt.Put(FLAG_FIELD, "tagval_parsing_error"); - } - if (cfg.kv_separator.length !== 1) { - throw("Invalid TAGVALMAP ValueDelimiter (must have 1 character)"); - } - var quotes_len = cfg.open_quote.length > 0 && cfg.close_quote.length > 0? 
- cfg.open_quote.length + cfg.close_quote.length : 0; - var kv_regex = new RegExp('^([^' + cfg.kv_separator + ']*)*' + cfg.kv_separator + ' *(.*)*$'); - return function(evt) { - var msg = evt.Get(src); - if (msg === undefined) { - console.warn("tagval: input field is missing"); - return fail(evt); - } - var pairs = msg.split(cfg.pair_separator); - var i; - var success = false; - var prev = ""; - for (i=0; i 0 && - value.length >= cfg.open_quote.length + cfg.close_quote.length && - value.substr(0, cfg.open_quote.length) === cfg.open_quote && - value.substr(value.length - cfg.close_quote.length) === cfg.close_quote) { - value = value.substr(cfg.open_quote.length, value.length - quotes_len); - } - evt.Put(FIELDS_PREFIX + field, value); - success = true; - } - if (!success) { - return fail(evt); - } - if (on_success != null) { - on_success(evt); - } - } - } - - var ecs_mappings = { - "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]}, - "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]}, - "_severity": {convert: to_long, to:[{field: "log.syslog.severity.code", setter: fld_set}]}, - "action": {to:[{field: "event.action", setter: fld_prio, prio: 0}]}, - "administrator": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 4}]}, - "alias.ip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 3},{field: "related.ip", setter: fld_append}]}, - "alias.ipv6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 4},{field: "related.ip", setter: fld_append}]}, - "alias.mac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 1}]}, - "application": {to:[{field: "network.application", setter: fld_set}]}, - "bytes": {convert: to_long, to:[{field: "network.bytes", setter: fld_set}]}, - "c_domain": {to:[{field: "source.domain", setter: fld_prio, prio: 1}]}, - "c_logon_id": {to:[{field: "user.id", setter: fld_prio, prio: 2}]}, - 
"c_user_name": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 8}]}, - "c_username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 2}]}, - "cctld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 1}]}, - "child_pid": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 1}]}, - "child_pid_val": {to:[{field: "process.title", setter: fld_set}]}, - "child_process": {to:[{field: "process.name", setter: fld_prio, prio: 1}]}, - "city.dst": {to:[{field: "destination.geo.city_name", setter: fld_set}]}, - "city.src": {to:[{field: "source.geo.city_name", setter: fld_set}]}, - "daddr": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, - "daddr_v6": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, - "ddomain": {to:[{field: "destination.domain", setter: fld_prio, prio: 0}]}, - "devicehostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, - "devicehostmac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 0}]}, - "dhost": {to:[{field: "destination.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]}, - "dinterface": {to:[{field: "observer.egress.interface.name", setter: fld_set}]}, - "direction": {to:[{field: "network.direction", setter: fld_set}]}, - "directory": {to:[{field: "file.directory", setter: fld_set}]}, - "dmacaddr": {convert: to_mac, to:[{field: "destination.mac", setter: fld_set}]}, - "dns.responsetype": {to:[{field: "dns.answers.type", setter: fld_set}]}, - "dns.resptext": {to:[{field: "dns.answers.name", setter: fld_set}]}, - "dns_querytype": {to:[{field: "dns.question.type", setter: fld_set}]}, - "domain": {to:[{field: "server.domain", setter: fld_prio, prio: 0},{field: "related.hosts", setter: fld_append}]}, - 
"domain.dst": {to:[{field: "destination.domain", setter: fld_prio, prio: 1}]},
- "domain.src": {to:[{field: "source.domain", setter: fld_prio, prio: 2}]},
- "domain_id": {to:[{field: "user.domain", setter: fld_set}]},
- "domainname": {to:[{field: "server.domain", setter: fld_prio, prio: 1}]},
- "dport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 0}]},
- "dtransaddr": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]},
- "dtransport": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 0}]},
- "ec_outcome": {to:[{field: "event.outcome", setter: fld_ecs_outcome}]},
- "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]},
- "event_source": {to:[{field: "related.hosts", setter: fld_append}]},
- "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]},
- "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]},
- "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]},
- "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]},
- "filename": {to:[{field: "file.name", setter: fld_prio, prio: 0}]},
- "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]},
- "filepath": {to:[{field: "file.path", setter: fld_set}]},
- "filetype": {to:[{field: "file.type", setter: fld_set}]},
- "fqdn": {to:[{field: "related.hosts", setter: fld_append}]},
- "group": {to:[{field: "group.name", setter: fld_set}]},
- "groupid": {to:[{field: "group.id", setter: fld_set}]},
- "host": {to:[{field: "host.name", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]},
- "hostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]},
- "hostip_v6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]},
- "hostname": {to:[{field: 
"host.name", setter: fld_prio, prio: 0}]},
- "id": {to:[{field: "event.code", setter: fld_prio, prio: 0}]},
- "interface": {to:[{field: "network.interface.name", setter: fld_set}]},
- "ip.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]},
- "ip.trans.dst": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]},
- "ip.trans.src": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]},
- "ipv6.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]},
- "latdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lat", setter: fld_set}]},
- "latdec_src": {convert: to_double, to:[{field: "source.geo.location.lat", setter: fld_set}]},
- "location_city": {to:[{field: "geo.city_name", setter: fld_set}]},
- "location_country": {to:[{field: "geo.country_name", setter: fld_set}]},
- "location_desc": {to:[{field: "geo.name", setter: fld_set}]},
- "location_dst": {to:[{field: "destination.geo.country_name", setter: fld_set}]},
- "location_src": {to:[{field: "source.geo.country_name", setter: fld_set}]},
- "location_state": {to:[{field: "geo.region_name", setter: fld_set}]},
- "logon_id": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 5}]},
- "longdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lon", setter: fld_set}]},
- "longdec_src": {convert: to_double, to:[{field: "source.geo.location.lon", setter: fld_set}]},
- "macaddr": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 2}]},
- "messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]},
- "method": {to:[{field: "http.request.method", setter: fld_set}]},
- "msg": {to:[{field: "message", setter: fld_set}]},
- "orig_ip": {convert: to_ip, 
to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]},
- "owner": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 6}]},
- "packets": {convert: to_long, to:[{field: "network.packets", setter: fld_set}]},
- "parent_pid": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 0}]},
- "parent_pid_val": {to:[{field: "process.parent.title", setter: fld_set}]},
- "parent_process": {to:[{field: "process.parent.name", setter: fld_prio, prio: 0}]},
- "patient_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 1}]},
- "port.dst": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 1}]},
- "port.src": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 1}]},
- "port.trans.dst": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 1}]},
- "port.trans.src": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 1}]},
- "process": {to:[{field: "process.name", setter: fld_prio, prio: 0}]},
- "process_id": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 0}]},
- "process_id_src": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 1}]},
- "process_src": {to:[{field: "process.parent.name", setter: fld_prio, prio: 1}]},
- "product": {to:[{field: "observer.product", setter: fld_set}]},
- "protocol": {to:[{field: "network.protocol", setter: fld_set}]},
- "query": {to:[{field: "url.query", setter: fld_prio, prio: 2}]},
- "rbytes": {convert: to_long, to:[{field: "destination.bytes", setter: fld_set}]},
- "referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 1}]},
- "rulename": {to:[{field: "rule.name", setter: fld_set}]},
- "saddr": {convert: to_ip, to:[{field: "source.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]},
- "saddr_v6": {convert: to_ip, to:[{field: "source.ip", setter: 
fld_set},{field: "related.ip", setter: fld_append}]},
- "sbytes": {convert: to_long, to:[{field: "source.bytes", setter: fld_set}]},
- "sdomain": {to:[{field: "source.domain", setter: fld_prio, prio: 0}]},
- "service": {to:[{field: "service.name", setter: fld_prio, prio: 1}]},
- "service.name": {to:[{field: "service.name", setter: fld_prio, prio: 0}]},
- "service_account": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 7}]},
- "severity": {to:[{field: "log.level", setter: fld_set}]},
- "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]},
- "sinterface": {to:[{field: "observer.ingress.interface.name", setter: fld_set}]},
- "sld": {to:[{field: "url.registered_domain", setter: fld_set}]},
- "smacaddr": {convert: to_mac, to:[{field: "source.mac", setter: fld_set}]},
- "sport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 0}]},
- "stransaddr": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]},
- "stransport": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 0}]},
- "tcp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 2}]},
- "tcp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 2}]},
- "timezone": {to:[{field: "event.timezone", setter: fld_set}]},
- "tld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 0}]},
- "udp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 3}]},
- "udp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 3}]},
- "uid": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 3}]},
- "url": {to:[{field: "url.original", setter: fld_prio, prio: 1}]},
- "url_raw": {to:[{field: "url.original", setter: fld_prio, prio: 
0}]},
- "urldomain": {to:[{field: "url.domain", setter: fld_prio, prio: 0}]},
- "urlquery": {to:[{field: "url.query", setter: fld_prio, prio: 0}]},
- "user": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 0}]},
- "user.id": {to:[{field: "user.id", setter: fld_prio, prio: 1}]},
- "user_agent": {to:[{field: "user_agent.original", setter: fld_set}]},
- "user_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 0}]},
- "user_id": {to:[{field: "user.id", setter: fld_prio, prio: 0}]},
- "username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 1}]},
- "version": {to:[{field: "observer.version", setter: fld_set}]},
- "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]},
- "web_extension": {to:[{field: "file.extension", setter: fld_prio, prio: 0}]},
- "web_query": {to:[{field: "url.query", setter: fld_prio, prio: 1}]},
- "web_ref_domain": {to:[{field: "related.hosts", setter: fld_append}]},
- "web_referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 0}]},
- "web_root": {to:[{field: "url.path", setter: fld_set}]},
- "webpage": {to:[{field: "file.name", setter: fld_prio, prio: 1}]},
- };
- 
- var rsa_mappings = {
- "access_point": {to:[{field: "rsa.wireless.access_point", setter: fld_set}]},
- "accesses": {to:[{field: "rsa.identity.accesses", setter: fld_set}]},
- "acl_id": {to:[{field: "rsa.misc.acl_id", setter: fld_set}]},
- "acl_op": {to:[{field: "rsa.misc.acl_op", setter: fld_set}]},
- "acl_pos": {to:[{field: "rsa.misc.acl_pos", setter: fld_set}]},
- "acl_table": {to:[{field: "rsa.misc.acl_table", setter: fld_set}]},
- "action": {to:[{field: "rsa.misc.action", setter: fld_append}]},
- "ad_computer_dst": {to:[{field: "rsa.network.ad_computer_dst", setter: fld_set}]},
- "addr": {to:[{field: "rsa.network.addr", setter: fld_set}]},
- "admin": {to:[{field: "rsa.misc.admin", setter: 
fld_set}]},
- "agent": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 0}]},
- "agent.id": {to:[{field: "rsa.misc.agent_id", setter: fld_set}]},
- "alarm_id": {to:[{field: "rsa.misc.alarm_id", setter: fld_set}]},
- "alarmname": {to:[{field: "rsa.misc.alarmname", setter: fld_set}]},
- "alert": {to:[{field: "rsa.threat.alert", setter: fld_set}]},
- "alert_id": {to:[{field: "rsa.misc.alert_id", setter: fld_set}]},
- "alias.host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
- "analysis.file": {to:[{field: "rsa.investigations.analysis_file", setter: fld_set}]},
- "analysis.service": {to:[{field: "rsa.investigations.analysis_service", setter: fld_set}]},
- "analysis.session": {to:[{field: "rsa.investigations.analysis_session", setter: fld_set}]},
- "app_id": {to:[{field: "rsa.misc.app_id", setter: fld_set}]},
- "attachment": {to:[{field: "rsa.file.attachment", setter: fld_set}]},
- "audit": {to:[{field: "rsa.misc.audit", setter: fld_set}]},
- "audit_class": {to:[{field: "rsa.internal.audit_class", setter: fld_set}]},
- "audit_object": {to:[{field: "rsa.misc.audit_object", setter: fld_set}]},
- "auditdata": {to:[{field: "rsa.misc.auditdata", setter: fld_set}]},
- "authmethod": {to:[{field: "rsa.identity.auth_method", setter: fld_set}]},
- "autorun_type": {to:[{field: "rsa.misc.autorun_type", setter: fld_set}]},
- "bcc": {to:[{field: "rsa.email.email", setter: fld_append}]},
- "benchmark": {to:[{field: "rsa.misc.benchmark", setter: fld_set}]},
- "binary": {to:[{field: "rsa.file.binary", setter: fld_set}]},
- "boc": {to:[{field: "rsa.investigations.boc", setter: fld_set}]},
- "bssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 1}]},
- "bypass": {to:[{field: "rsa.misc.bypass", setter: fld_set}]},
- "c_sid": {to:[{field: "rsa.identity.user_sid_src", setter: fld_set}]},
- "cache": {to:[{field: "rsa.misc.cache", setter: fld_set}]},
- "cache_hit": {to:[{field: "rsa.misc.cache_hit", setter: fld_set}]},
- "calling_from": {to:[{field: 
"rsa.misc.phone", setter: fld_prio, prio: 1}]},
- "calling_to": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 0}]},
- "category": {to:[{field: "rsa.misc.category", setter: fld_set}]},
- "cc": {to:[{field: "rsa.email.email", setter: fld_append}]},
- "cc.number": {convert: to_long, to:[{field: "rsa.misc.cc_number", setter: fld_set}]},
- "cefversion": {to:[{field: "rsa.misc.cefversion", setter: fld_set}]},
- "cert.serial": {to:[{field: "rsa.crypto.cert_serial", setter: fld_set}]},
- "cert_ca": {to:[{field: "rsa.crypto.cert_ca", setter: fld_set}]},
- "cert_checksum": {to:[{field: "rsa.crypto.cert_checksum", setter: fld_set}]},
- "cert_common": {to:[{field: "rsa.crypto.cert_common", setter: fld_set}]},
- "cert_error": {to:[{field: "rsa.crypto.cert_error", setter: fld_set}]},
- "cert_hostname": {to:[{field: "rsa.crypto.cert_host_name", setter: fld_set}]},
- "cert_hostname_cat": {to:[{field: "rsa.crypto.cert_host_cat", setter: fld_set}]},
- "cert_issuer": {to:[{field: "rsa.crypto.cert_issuer", setter: fld_set}]},
- "cert_keysize": {to:[{field: "rsa.crypto.cert_keysize", setter: fld_set}]},
- "cert_status": {to:[{field: "rsa.crypto.cert_status", setter: fld_set}]},
- "cert_subject": {to:[{field: "rsa.crypto.cert_subject", setter: fld_set}]},
- "cert_username": {to:[{field: "rsa.crypto.cert_username", setter: fld_set}]},
- "cfg.attr": {to:[{field: "rsa.misc.cfg_attr", setter: fld_set}]},
- "cfg.obj": {to:[{field: "rsa.misc.cfg_obj", setter: fld_set}]},
- "cfg.path": {to:[{field: "rsa.misc.cfg_path", setter: fld_set}]},
- "change_attribute": {to:[{field: "rsa.misc.change_attrib", setter: fld_set}]},
- "change_new": {to:[{field: "rsa.misc.change_new", setter: fld_set}]},
- "change_old": {to:[{field: "rsa.misc.change_old", setter: fld_set}]},
- "changes": {to:[{field: "rsa.misc.changes", setter: fld_set}]},
- "checksum": {to:[{field: "rsa.misc.checksum", setter: fld_set}]},
- "checksum.dst": {to:[{field: "rsa.misc.checksum_dst", setter: fld_set}]},
- "checksum.src": 
{to:[{field: "rsa.misc.checksum_src", setter: fld_set}]},
- "cid": {to:[{field: "rsa.internal.cid", setter: fld_set}]},
- "client": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 1}]},
- "client_ip": {to:[{field: "rsa.misc.client_ip", setter: fld_set}]},
- "clustermembers": {to:[{field: "rsa.misc.clustermembers", setter: fld_set}]},
- "cmd": {to:[{field: "rsa.misc.cmd", setter: fld_set}]},
- "cn_acttimeout": {to:[{field: "rsa.misc.cn_acttimeout", setter: fld_set}]},
- "cn_asn_dst": {to:[{field: "rsa.web.cn_asn_dst", setter: fld_set}]},
- "cn_asn_src": {to:[{field: "rsa.misc.cn_asn_src", setter: fld_set}]},
- "cn_bgpv4nxthop": {to:[{field: "rsa.misc.cn_bgpv4nxthop", setter: fld_set}]},
- "cn_ctr_dst_code": {to:[{field: "rsa.misc.cn_ctr_dst_code", setter: fld_set}]},
- "cn_dst_tos": {to:[{field: "rsa.misc.cn_dst_tos", setter: fld_set}]},
- "cn_dst_vlan": {to:[{field: "rsa.misc.cn_dst_vlan", setter: fld_set}]},
- "cn_engine_id": {to:[{field: "rsa.misc.cn_engine_id", setter: fld_set}]},
- "cn_engine_type": {to:[{field: "rsa.misc.cn_engine_type", setter: fld_set}]},
- "cn_f_switch": {to:[{field: "rsa.misc.cn_f_switch", setter: fld_set}]},
- "cn_flowsampid": {to:[{field: "rsa.misc.cn_flowsampid", setter: fld_set}]},
- "cn_flowsampintv": {to:[{field: "rsa.misc.cn_flowsampintv", setter: fld_set}]},
- "cn_flowsampmode": {to:[{field: "rsa.misc.cn_flowsampmode", setter: fld_set}]},
- "cn_inacttimeout": {to:[{field: "rsa.misc.cn_inacttimeout", setter: fld_set}]},
- "cn_inpermbyts": {to:[{field: "rsa.misc.cn_inpermbyts", setter: fld_set}]},
- "cn_inpermpckts": {to:[{field: "rsa.misc.cn_inpermpckts", setter: fld_set}]},
- "cn_invalid": {to:[{field: "rsa.misc.cn_invalid", setter: fld_set}]},
- "cn_ip_proto_ver": {to:[{field: "rsa.misc.cn_ip_proto_ver", setter: fld_set}]},
- "cn_ipv4_ident": {to:[{field: "rsa.misc.cn_ipv4_ident", setter: fld_set}]},
- "cn_l_switch": {to:[{field: "rsa.misc.cn_l_switch", setter: fld_set}]},
- "cn_log_did": {to:[{field: 
"rsa.misc.cn_log_did", setter: fld_set}]},
- "cn_log_rid": {to:[{field: "rsa.misc.cn_log_rid", setter: fld_set}]},
- "cn_max_ttl": {to:[{field: "rsa.misc.cn_max_ttl", setter: fld_set}]},
- "cn_maxpcktlen": {to:[{field: "rsa.misc.cn_maxpcktlen", setter: fld_set}]},
- "cn_min_ttl": {to:[{field: "rsa.misc.cn_min_ttl", setter: fld_set}]},
- "cn_minpcktlen": {to:[{field: "rsa.misc.cn_minpcktlen", setter: fld_set}]},
- "cn_mpls_lbl_1": {to:[{field: "rsa.misc.cn_mpls_lbl_1", setter: fld_set}]},
- "cn_mpls_lbl_10": {to:[{field: "rsa.misc.cn_mpls_lbl_10", setter: fld_set}]},
- "cn_mpls_lbl_2": {to:[{field: "rsa.misc.cn_mpls_lbl_2", setter: fld_set}]},
- "cn_mpls_lbl_3": {to:[{field: "rsa.misc.cn_mpls_lbl_3", setter: fld_set}]},
- "cn_mpls_lbl_4": {to:[{field: "rsa.misc.cn_mpls_lbl_4", setter: fld_set}]},
- "cn_mpls_lbl_5": {to:[{field: "rsa.misc.cn_mpls_lbl_5", setter: fld_set}]},
- "cn_mpls_lbl_6": {to:[{field: "rsa.misc.cn_mpls_lbl_6", setter: fld_set}]},
- "cn_mpls_lbl_7": {to:[{field: "rsa.misc.cn_mpls_lbl_7", setter: fld_set}]},
- "cn_mpls_lbl_8": {to:[{field: "rsa.misc.cn_mpls_lbl_8", setter: fld_set}]},
- "cn_mpls_lbl_9": {to:[{field: "rsa.misc.cn_mpls_lbl_9", setter: fld_set}]},
- "cn_mplstoplabel": {to:[{field: "rsa.misc.cn_mplstoplabel", setter: fld_set}]},
- "cn_mplstoplabip": {to:[{field: "rsa.misc.cn_mplstoplabip", setter: fld_set}]},
- "cn_mul_dst_byt": {to:[{field: "rsa.misc.cn_mul_dst_byt", setter: fld_set}]},
- "cn_mul_dst_pks": {to:[{field: "rsa.misc.cn_mul_dst_pks", setter: fld_set}]},
- "cn_muligmptype": {to:[{field: "rsa.misc.cn_muligmptype", setter: fld_set}]},
- "cn_rpackets": {to:[{field: "rsa.web.cn_rpackets", setter: fld_set}]},
- "cn_sampalgo": {to:[{field: "rsa.misc.cn_sampalgo", setter: fld_set}]},
- "cn_sampint": {to:[{field: "rsa.misc.cn_sampint", setter: fld_set}]},
- "cn_seqctr": {to:[{field: "rsa.misc.cn_seqctr", setter: fld_set}]},
- "cn_spackets": {to:[{field: "rsa.misc.cn_spackets", setter: fld_set}]},
- "cn_src_tos": {to:[{field: 
"rsa.misc.cn_src_tos", setter: fld_set}]},
- "cn_src_vlan": {to:[{field: "rsa.misc.cn_src_vlan", setter: fld_set}]},
- "cn_sysuptime": {to:[{field: "rsa.misc.cn_sysuptime", setter: fld_set}]},
- "cn_template_id": {to:[{field: "rsa.misc.cn_template_id", setter: fld_set}]},
- "cn_totbytsexp": {to:[{field: "rsa.misc.cn_totbytsexp", setter: fld_set}]},
- "cn_totflowexp": {to:[{field: "rsa.misc.cn_totflowexp", setter: fld_set}]},
- "cn_totpcktsexp": {to:[{field: "rsa.misc.cn_totpcktsexp", setter: fld_set}]},
- "cn_unixnanosecs": {to:[{field: "rsa.misc.cn_unixnanosecs", setter: fld_set}]},
- "cn_v6flowlabel": {to:[{field: "rsa.misc.cn_v6flowlabel", setter: fld_set}]},
- "cn_v6optheaders": {to:[{field: "rsa.misc.cn_v6optheaders", setter: fld_set}]},
- "code": {to:[{field: "rsa.misc.code", setter: fld_set}]},
- "command": {to:[{field: "rsa.misc.command", setter: fld_set}]},
- "comments": {to:[{field: "rsa.misc.comments", setter: fld_set}]},
- "comp_class": {to:[{field: "rsa.misc.comp_class", setter: fld_set}]},
- "comp_name": {to:[{field: "rsa.misc.comp_name", setter: fld_set}]},
- "comp_rbytes": {to:[{field: "rsa.misc.comp_rbytes", setter: fld_set}]},
- "comp_sbytes": {to:[{field: "rsa.misc.comp_sbytes", setter: fld_set}]},
- "component_version": {to:[{field: "rsa.misc.comp_version", setter: fld_set}]},
- "connection_id": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 1}]},
- "connectionid": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 0}]},
- "content": {to:[{field: "rsa.misc.content", setter: fld_set}]},
- "content_type": {to:[{field: "rsa.misc.content_type", setter: fld_set}]},
- "content_version": {to:[{field: "rsa.misc.content_version", setter: fld_set}]},
- "context": {to:[{field: "rsa.misc.context", setter: fld_set}]},
- "count": {to:[{field: "rsa.misc.count", setter: fld_set}]},
- "cpu": {convert: to_long, to:[{field: "rsa.misc.cpu", setter: fld_set}]},
- "cpu_data": {to:[{field: "rsa.misc.cpu_data", setter: fld_set}]},
- 
"criticality": {to:[{field: "rsa.misc.criticality", setter: fld_set}]},
- "cs_agency_dst": {to:[{field: "rsa.misc.cs_agency_dst", setter: fld_set}]},
- "cs_analyzedby": {to:[{field: "rsa.misc.cs_analyzedby", setter: fld_set}]},
- "cs_av_other": {to:[{field: "rsa.misc.cs_av_other", setter: fld_set}]},
- "cs_av_primary": {to:[{field: "rsa.misc.cs_av_primary", setter: fld_set}]},
- "cs_av_secondary": {to:[{field: "rsa.misc.cs_av_secondary", setter: fld_set}]},
- "cs_bgpv6nxthop": {to:[{field: "rsa.misc.cs_bgpv6nxthop", setter: fld_set}]},
- "cs_bit9status": {to:[{field: "rsa.misc.cs_bit9status", setter: fld_set}]},
- "cs_context": {to:[{field: "rsa.misc.cs_context", setter: fld_set}]},
- "cs_control": {to:[{field: "rsa.misc.cs_control", setter: fld_set}]},
- "cs_data": {to:[{field: "rsa.misc.cs_data", setter: fld_set}]},
- "cs_datecret": {to:[{field: "rsa.misc.cs_datecret", setter: fld_set}]},
- "cs_dst_tld": {to:[{field: "rsa.misc.cs_dst_tld", setter: fld_set}]},
- "cs_eth_dst_ven": {to:[{field: "rsa.misc.cs_eth_dst_ven", setter: fld_set}]},
- "cs_eth_src_ven": {to:[{field: "rsa.misc.cs_eth_src_ven", setter: fld_set}]},
- "cs_event_uuid": {to:[{field: "rsa.misc.cs_event_uuid", setter: fld_set}]},
- "cs_filetype": {to:[{field: "rsa.misc.cs_filetype", setter: fld_set}]},
- "cs_fld": {to:[{field: "rsa.misc.cs_fld", setter: fld_set}]},
- "cs_if_desc": {to:[{field: "rsa.misc.cs_if_desc", setter: fld_set}]},
- "cs_if_name": {to:[{field: "rsa.misc.cs_if_name", setter: fld_set}]},
- "cs_ip_next_hop": {to:[{field: "rsa.misc.cs_ip_next_hop", setter: fld_set}]},
- "cs_ipv4dstpre": {to:[{field: "rsa.misc.cs_ipv4dstpre", setter: fld_set}]},
- "cs_ipv4srcpre": {to:[{field: "rsa.misc.cs_ipv4srcpre", setter: fld_set}]},
- "cs_lifetime": {to:[{field: "rsa.misc.cs_lifetime", setter: fld_set}]},
- "cs_log_medium": {to:[{field: "rsa.misc.cs_log_medium", setter: fld_set}]},
- "cs_loginname": {to:[{field: "rsa.misc.cs_loginname", setter: fld_set}]},
- "cs_modulescore": {to:[{field: 
"rsa.misc.cs_modulescore", setter: fld_set}]},
- "cs_modulesign": {to:[{field: "rsa.misc.cs_modulesign", setter: fld_set}]},
- "cs_opswatresult": {to:[{field: "rsa.misc.cs_opswatresult", setter: fld_set}]},
- "cs_payload": {to:[{field: "rsa.misc.cs_payload", setter: fld_set}]},
- "cs_registrant": {to:[{field: "rsa.misc.cs_registrant", setter: fld_set}]},
- "cs_registrar": {to:[{field: "rsa.misc.cs_registrar", setter: fld_set}]},
- "cs_represult": {to:[{field: "rsa.misc.cs_represult", setter: fld_set}]},
- "cs_rpayload": {to:[{field: "rsa.misc.cs_rpayload", setter: fld_set}]},
- "cs_sampler_name": {to:[{field: "rsa.misc.cs_sampler_name", setter: fld_set}]},
- "cs_sourcemodule": {to:[{field: "rsa.misc.cs_sourcemodule", setter: fld_set}]},
- "cs_streams": {to:[{field: "rsa.misc.cs_streams", setter: fld_set}]},
- "cs_targetmodule": {to:[{field: "rsa.misc.cs_targetmodule", setter: fld_set}]},
- "cs_v6nxthop": {to:[{field: "rsa.misc.cs_v6nxthop", setter: fld_set}]},
- "cs_whois_server": {to:[{field: "rsa.misc.cs_whois_server", setter: fld_set}]},
- "cs_yararesult": {to:[{field: "rsa.misc.cs_yararesult", setter: fld_set}]},
- "cve": {to:[{field: "rsa.misc.cve", setter: fld_set}]},
- "d_certauth": {to:[{field: "rsa.crypto.d_certauth", setter: fld_set}]},
- "d_cipher": {to:[{field: "rsa.crypto.cipher_dst", setter: fld_set}]},
- "d_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_dst", setter: fld_set}]},
- "d_sslver": {to:[{field: "rsa.crypto.ssl_ver_dst", setter: fld_set}]},
- "data": {to:[{field: "rsa.internal.data", setter: fld_set}]},
- "data_type": {to:[{field: "rsa.misc.data_type", setter: fld_set}]},
- "date": {to:[{field: "rsa.time.date", setter: fld_set}]},
- "datetime": {to:[{field: "rsa.time.datetime", setter: fld_set}]},
- "day": {to:[{field: "rsa.time.day", setter: fld_set}]},
- "db_id": {to:[{field: "rsa.db.db_id", setter: fld_set}]},
- "db_name": {to:[{field: "rsa.db.database", setter: fld_set}]},
- "db_pid": {convert: to_long, to:[{field: 
"rsa.db.db_pid", setter: fld_set}]},
- "dclass_counter1": {convert: to_long, to:[{field: "rsa.counters.dclass_c1", setter: fld_set}]},
- "dclass_counter1_string": {to:[{field: "rsa.counters.dclass_c1_str", setter: fld_set}]},
- "dclass_counter2": {convert: to_long, to:[{field: "rsa.counters.dclass_c2", setter: fld_set}]},
- "dclass_counter2_string": {to:[{field: "rsa.counters.dclass_c2_str", setter: fld_set}]},
- "dclass_counter3": {convert: to_long, to:[{field: "rsa.counters.dclass_c3", setter: fld_set}]},
- "dclass_counter3_string": {to:[{field: "rsa.counters.dclass_c3_str", setter: fld_set}]},
- "dclass_ratio1": {to:[{field: "rsa.counters.dclass_r1", setter: fld_set}]},
- "dclass_ratio1_string": {to:[{field: "rsa.counters.dclass_r1_str", setter: fld_set}]},
- "dclass_ratio2": {to:[{field: "rsa.counters.dclass_r2", setter: fld_set}]},
- "dclass_ratio2_string": {to:[{field: "rsa.counters.dclass_r2_str", setter: fld_set}]},
- "dclass_ratio3": {to:[{field: "rsa.counters.dclass_r3", setter: fld_set}]},
- "dclass_ratio3_string": {to:[{field: "rsa.counters.dclass_r3_str", setter: fld_set}]},
- "dead": {convert: to_long, to:[{field: "rsa.internal.dead", setter: fld_set}]},
- "description": {to:[{field: "rsa.misc.description", setter: fld_set}]},
- "detail": {to:[{field: "rsa.misc.event_desc", setter: fld_set}]},
- "device": {to:[{field: "rsa.misc.device_name", setter: fld_set}]},
- "device.class": {to:[{field: "rsa.internal.device_class", setter: fld_set}]},
- "device.group": {to:[{field: "rsa.internal.device_group", setter: fld_set}]},
- "device.host": {to:[{field: "rsa.internal.device_host", setter: fld_set}]},
- "device.ip": {convert: to_ip, to:[{field: "rsa.internal.device_ip", setter: fld_set}]},
- "device.ipv6": {convert: to_ip, to:[{field: "rsa.internal.device_ipv6", setter: fld_set}]},
- "device.type": {to:[{field: "rsa.internal.device_type", setter: fld_set}]},
- "device.type.id": {convert: to_long, to:[{field: "rsa.internal.device_type_id", setter: fld_set}]},
- "devicehostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
- "devvendor": {to:[{field: "rsa.misc.devvendor", setter: fld_set}]},
- "dhost": {to:[{field: "rsa.network.host_dst", setter: fld_set}]},
- "did": {to:[{field: "rsa.internal.did", setter: fld_set}]},
- "dinterface": {to:[{field: "rsa.network.dinterface", setter: fld_set}]},
- "directory.dst": {to:[{field: "rsa.file.directory_dst", setter: fld_set}]},
- "directory.src": {to:[{field: "rsa.file.directory_src", setter: fld_set}]},
- "disk_volume": {to:[{field: "rsa.storage.disk_volume", setter: fld_set}]},
- "disposition": {to:[{field: "rsa.misc.disposition", setter: fld_set}]},
- "distance": {to:[{field: "rsa.misc.distance", setter: fld_set}]},
- "dmask": {to:[{field: "rsa.network.dmask", setter: fld_set}]},
- "dn": {to:[{field: "rsa.identity.dn", setter: fld_set}]},
- "dns_a_record": {to:[{field: "rsa.network.dns_a_record", setter: fld_set}]},
- "dns_cname_record": {to:[{field: "rsa.network.dns_cname_record", setter: fld_set}]},
- "dns_id": {to:[{field: "rsa.network.dns_id", setter: fld_set}]},
- "dns_opcode": {to:[{field: "rsa.network.dns_opcode", setter: fld_set}]},
- "dns_ptr_record": {to:[{field: "rsa.network.dns_ptr_record", setter: fld_set}]},
- "dns_resp": {to:[{field: "rsa.network.dns_resp", setter: fld_set}]},
- "dns_type": {to:[{field: "rsa.network.dns_type", setter: fld_set}]},
- "doc_number": {convert: to_long, to:[{field: "rsa.misc.doc_number", setter: fld_set}]},
- "domain": {to:[{field: "rsa.network.domain", setter: fld_set}]},
- "domain1": {to:[{field: "rsa.network.domain1", setter: fld_set}]},
- "dst_dn": {to:[{field: "rsa.identity.dn_dst", setter: fld_set}]},
- "dst_payload": {to:[{field: "rsa.misc.payload_dst", setter: fld_set}]},
- "dst_spi": {to:[{field: "rsa.misc.spi_dst", setter: fld_set}]},
- "dst_zone": {to:[{field: "rsa.network.zone_dst", setter: fld_set}]},
- "dstburb": {to:[{field: "rsa.misc.dstburb", setter: fld_set}]},
- "duration": {convert: to_double, 
to:[{field: "rsa.time.duration_time", setter: fld_set}]},
- "duration_string": {to:[{field: "rsa.time.duration_str", setter: fld_set}]},
- "ec_activity": {to:[{field: "rsa.investigations.ec_activity", setter: fld_set}]},
- "ec_outcome": {to:[{field: "rsa.investigations.ec_outcome", setter: fld_set}]},
- "ec_subject": {to:[{field: "rsa.investigations.ec_subject", setter: fld_set}]},
- "ec_theme": {to:[{field: "rsa.investigations.ec_theme", setter: fld_set}]},
- "edomain": {to:[{field: "rsa.misc.edomain", setter: fld_set}]},
- "edomaub": {to:[{field: "rsa.misc.edomaub", setter: fld_set}]},
- "effective_time": {convert: to_date, to:[{field: "rsa.time.effective_time", setter: fld_set}]},
- "ein.number": {convert: to_long, to:[{field: "rsa.misc.ein_number", setter: fld_set}]},
- "email": {to:[{field: "rsa.email.email", setter: fld_append}]},
- "encryption_type": {to:[{field: "rsa.crypto.crypto", setter: fld_set}]},
- "endtime": {convert: to_date, to:[{field: "rsa.time.endtime", setter: fld_set}]},
- "entropy.req": {convert: to_long, to:[{field: "rsa.internal.entropy_req", setter: fld_set}]},
- "entropy.res": {convert: to_long, to:[{field: "rsa.internal.entropy_res", setter: fld_set}]},
- "entry": {to:[{field: "rsa.internal.entry", setter: fld_set}]},
- "eoc": {to:[{field: "rsa.investigations.eoc", setter: fld_set}]},
- "error": {to:[{field: "rsa.misc.error", setter: fld_set}]},
- "eth_type": {convert: to_long, to:[{field: "rsa.network.eth_type", setter: fld_set}]},
- "euid": {to:[{field: "rsa.misc.euid", setter: fld_set}]},
- "event.cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 1}]},
- "event.cat.name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 1}]},
- "event_cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 0}]},
- "event_cat_name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 0}]},
- "event_category": {to:[{field: 
"rsa.misc.event_category", setter: fld_set}]},
- "event_computer": {to:[{field: "rsa.misc.event_computer", setter: fld_set}]},
- "event_counter": {convert: to_long, to:[{field: "rsa.counters.event_counter", setter: fld_set}]},
- "event_description": {to:[{field: "rsa.internal.event_desc", setter: fld_set}]},
- "event_id": {to:[{field: "rsa.misc.event_id", setter: fld_set}]},
- "event_log": {to:[{field: "rsa.misc.event_log", setter: fld_set}]},
- "event_name": {to:[{field: "rsa.internal.event_name", setter: fld_set}]},
- "event_queue_time": {convert: to_date, to:[{field: "rsa.time.event_queue_time", setter: fld_set}]},
- "event_source": {to:[{field: "rsa.misc.event_source", setter: fld_set}]},
- "event_state": {to:[{field: "rsa.misc.event_state", setter: fld_set}]},
- "event_time": {convert: to_date, to:[{field: "rsa.time.event_time", setter: fld_set}]},
- "event_time_str": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 1}]},
- "event_time_string": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 0}]},
- "event_type": {to:[{field: "rsa.misc.event_type", setter: fld_set}]},
- "event_user": {to:[{field: "rsa.misc.event_user", setter: fld_set}]},
- "eventtime": {to:[{field: "rsa.time.eventtime", setter: fld_set}]},
- "expected_val": {to:[{field: "rsa.misc.expected_val", setter: fld_set}]},
- "expiration_time": {convert: to_date, to:[{field: "rsa.time.expire_time", setter: fld_set}]},
- "expiration_time_string": {to:[{field: "rsa.time.expire_time_str", setter: fld_set}]},
- "facility": {to:[{field: "rsa.misc.facility", setter: fld_set}]},
- "facilityname": {to:[{field: "rsa.misc.facilityname", setter: fld_set}]},
- "faddr": {to:[{field: "rsa.network.faddr", setter: fld_set}]},
- "fcatnum": {to:[{field: "rsa.misc.fcatnum", setter: fld_set}]},
- "federated_idp": {to:[{field: "rsa.identity.federated_idp", setter: fld_set}]},
- "federated_sp": {to:[{field: "rsa.identity.federated_sp", setter: fld_set}]},
- "feed.category": {to:[{field: 
"rsa.internal.feed_category", setter: fld_set}]},
- "feed_desc": {to:[{field: "rsa.internal.feed_desc", setter: fld_set}]},
- "feed_name": {to:[{field: "rsa.internal.feed_name", setter: fld_set}]},
- "fhost": {to:[{field: "rsa.network.fhost", setter: fld_set}]},
- "file_entropy": {convert: to_double, to:[{field: "rsa.file.file_entropy", setter: fld_set}]},
- "file_vendor": {to:[{field: "rsa.file.file_vendor", setter: fld_set}]},
- "filename_dst": {to:[{field: "rsa.file.filename_dst", setter: fld_set}]},
- "filename_src": {to:[{field: "rsa.file.filename_src", setter: fld_set}]},
- "filename_tmp": {to:[{field: "rsa.file.filename_tmp", setter: fld_set}]},
- "filesystem": {to:[{field: "rsa.file.filesystem", setter: fld_set}]},
- "filter": {to:[{field: "rsa.misc.filter", setter: fld_set}]},
- "finterface": {to:[{field: "rsa.misc.finterface", setter: fld_set}]},
- "flags": {to:[{field: "rsa.misc.flags", setter: fld_set}]},
- "forensic_info": {to:[{field: "rsa.misc.forensic_info", setter: fld_set}]},
- "forward.ip": {convert: to_ip, to:[{field: "rsa.internal.forward_ip", setter: fld_set}]},
- "forward.ipv6": {convert: to_ip, to:[{field: "rsa.internal.forward_ipv6", setter: fld_set}]},
- "found": {to:[{field: "rsa.misc.found", setter: fld_set}]},
- "fport": {to:[{field: "rsa.network.fport", setter: fld_set}]},
- "fqdn": {to:[{field: "rsa.web.fqdn", setter: fld_set}]},
- "fresult": {convert: to_long, to:[{field: "rsa.misc.fresult", setter: fld_set}]},
- "from": {to:[{field: "rsa.email.email_src", setter: fld_set}]},
- "gaddr": {to:[{field: "rsa.misc.gaddr", setter: fld_set}]},
- "gateway": {to:[{field: "rsa.network.gateway", setter: fld_set}]},
- "gmtdate": {to:[{field: "rsa.time.gmtdate", setter: fld_set}]},
- "gmttime": {to:[{field: "rsa.time.gmttime", setter: fld_set}]},
- "group": {to:[{field: "rsa.misc.group", setter: fld_set}]},
- "group_object": {to:[{field: "rsa.misc.group_object", setter: fld_set}]},
- "groupid": {to:[{field: "rsa.misc.group_id", setter: 
fld_set}]}, - "h_code": {to:[{field: "rsa.internal.hcode", setter: fld_set}]}, - "hardware_id": {to:[{field: "rsa.misc.hardware_id", setter: fld_set}]}, - "header.id": {to:[{field: "rsa.internal.header_id", setter: fld_set}]}, - "host.orig": {to:[{field: "rsa.network.host_orig", setter: fld_set}]}, - "host.state": {to:[{field: "rsa.endpoint.host_state", setter: fld_set}]}, - "host.type": {to:[{field: "rsa.network.host_type", setter: fld_set}]}, - "host_role": {to:[{field: "rsa.identity.host_role", setter: fld_set}]}, - "hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "hostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "hour": {to:[{field: "rsa.time.hour", setter: fld_set}]}, - "https.insact": {to:[{field: "rsa.crypto.https_insact", setter: fld_set}]}, - "https.valid": {to:[{field: "rsa.crypto.https_valid", setter: fld_set}]}, - "icmpcode": {convert: to_long, to:[{field: "rsa.network.icmp_code", setter: fld_set}]}, - "icmptype": {convert: to_long, to:[{field: "rsa.network.icmp_type", setter: fld_set}]}, - "id": {to:[{field: "rsa.misc.reference_id", setter: fld_set}]}, - "id1": {to:[{field: "rsa.misc.reference_id1", setter: fld_set}]}, - "id2": {to:[{field: "rsa.misc.reference_id2", setter: fld_set}]}, - "id3": {to:[{field: "rsa.misc.id3", setter: fld_set}]}, - "ike": {to:[{field: "rsa.crypto.ike", setter: fld_set}]}, - "ike_cookie1": {to:[{field: "rsa.crypto.ike_cookie1", setter: fld_set}]}, - "ike_cookie2": {to:[{field: "rsa.crypto.ike_cookie2", setter: fld_set}]}, - "im_buddyid": {to:[{field: "rsa.misc.im_buddyid", setter: fld_set}]}, - "im_buddyname": {to:[{field: "rsa.misc.im_buddyname", setter: fld_set}]}, - "im_client": {to:[{field: "rsa.misc.im_client", setter: fld_set}]}, - "im_croomid": {to:[{field: "rsa.misc.im_croomid", setter: fld_set}]}, - "im_croomtype": {to:[{field: "rsa.misc.im_croomtype", setter: fld_set}]}, - "im_members": {to:[{field: "rsa.misc.im_members", setter: fld_set}]}, - "im_userid": 
{to:[{field: "rsa.misc.im_userid", setter: fld_set}]}, - "im_username": {to:[{field: "rsa.misc.im_username", setter: fld_set}]}, - "index": {to:[{field: "rsa.misc.index", setter: fld_set}]}, - "info": {to:[{field: "rsa.db.index", setter: fld_set}]}, - "inode": {convert: to_long, to:[{field: "rsa.internal.inode", setter: fld_set}]}, - "inout": {to:[{field: "rsa.misc.inout", setter: fld_set}]}, - "instance": {to:[{field: "rsa.db.instance", setter: fld_set}]}, - "interface": {to:[{field: "rsa.network.interface", setter: fld_set}]}, - "inv.category": {to:[{field: "rsa.investigations.inv_category", setter: fld_set}]}, - "inv.context": {to:[{field: "rsa.investigations.inv_context", setter: fld_set}]}, - "ioc": {to:[{field: "rsa.investigations.ioc", setter: fld_set}]}, - "ip_proto": {convert: to_long, to:[{field: "rsa.network.ip_proto", setter: fld_set}]}, - "ipkt": {to:[{field: "rsa.misc.ipkt", setter: fld_set}]}, - "ipscat": {to:[{field: "rsa.misc.ipscat", setter: fld_set}]}, - "ipspri": {to:[{field: "rsa.misc.ipspri", setter: fld_set}]}, - "jobname": {to:[{field: "rsa.misc.jobname", setter: fld_set}]}, - "jobnum": {to:[{field: "rsa.misc.job_num", setter: fld_set}]}, - "laddr": {to:[{field: "rsa.network.laddr", setter: fld_set}]}, - "language": {to:[{field: "rsa.misc.language", setter: fld_set}]}, - "latitude": {to:[{field: "rsa.misc.latitude", setter: fld_set}]}, - "lc.cid": {to:[{field: "rsa.internal.lc_cid", setter: fld_set}]}, - "lc.ctime": {convert: to_date, to:[{field: "rsa.internal.lc_ctime", setter: fld_set}]}, - "ldap": {to:[{field: "rsa.identity.ldap", setter: fld_set}]}, - "ldap.query": {to:[{field: "rsa.identity.ldap_query", setter: fld_set}]}, - "ldap.response": {to:[{field: "rsa.identity.ldap_response", setter: fld_set}]}, - "level": {convert: to_long, to:[{field: "rsa.internal.level", setter: fld_set}]}, - "lhost": {to:[{field: "rsa.network.lhost", setter: fld_set}]}, - "library": {to:[{field: "rsa.misc.library", setter: fld_set}]}, - "lifetime": 
{convert: to_long, to:[{field: "rsa.misc.lifetime", setter: fld_set}]}, - "linenum": {to:[{field: "rsa.misc.linenum", setter: fld_set}]}, - "link": {to:[{field: "rsa.misc.link", setter: fld_set}]}, - "linterface": {to:[{field: "rsa.network.linterface", setter: fld_set}]}, - "list_name": {to:[{field: "rsa.misc.list_name", setter: fld_set}]}, - "listnum": {to:[{field: "rsa.misc.listnum", setter: fld_set}]}, - "load_data": {to:[{field: "rsa.misc.load_data", setter: fld_set}]}, - "location_floor": {to:[{field: "rsa.misc.location_floor", setter: fld_set}]}, - "location_mark": {to:[{field: "rsa.misc.location_mark", setter: fld_set}]}, - "log_id": {to:[{field: "rsa.misc.log_id", setter: fld_set}]}, - "log_type": {to:[{field: "rsa.misc.log_type", setter: fld_set}]}, - "logid": {to:[{field: "rsa.misc.logid", setter: fld_set}]}, - "logip": {to:[{field: "rsa.misc.logip", setter: fld_set}]}, - "logname": {to:[{field: "rsa.misc.logname", setter: fld_set}]}, - "logon_type": {to:[{field: "rsa.identity.logon_type", setter: fld_set}]}, - "logon_type_desc": {to:[{field: "rsa.identity.logon_type_desc", setter: fld_set}]}, - "longitude": {to:[{field: "rsa.misc.longitude", setter: fld_set}]}, - "lport": {to:[{field: "rsa.misc.lport", setter: fld_set}]}, - "lread": {convert: to_long, to:[{field: "rsa.db.lread", setter: fld_set}]}, - "lun": {to:[{field: "rsa.storage.lun", setter: fld_set}]}, - "lwrite": {convert: to_long, to:[{field: "rsa.db.lwrite", setter: fld_set}]}, - "macaddr": {convert: to_mac, to:[{field: "rsa.network.eth_host", setter: fld_set}]}, - "mail_id": {to:[{field: "rsa.misc.mail_id", setter: fld_set}]}, - "mask": {to:[{field: "rsa.network.mask", setter: fld_set}]}, - "match": {to:[{field: "rsa.misc.match", setter: fld_set}]}, - "mbug_data": {to:[{field: "rsa.misc.mbug_data", setter: fld_set}]}, - "mcb.req": {convert: to_long, to:[{field: "rsa.internal.mcb_req", setter: fld_set}]}, - "mcb.res": {convert: to_long, to:[{field: "rsa.internal.mcb_res", setter: fld_set}]}, - 
"mcbc.req": {convert: to_long, to:[{field: "rsa.internal.mcbc_req", setter: fld_set}]}, - "mcbc.res": {convert: to_long, to:[{field: "rsa.internal.mcbc_res", setter: fld_set}]}, - "medium": {convert: to_long, to:[{field: "rsa.internal.medium", setter: fld_set}]}, - "message": {to:[{field: "rsa.internal.message", setter: fld_set}]}, - "message_body": {to:[{field: "rsa.misc.message_body", setter: fld_set}]}, - "messageid": {to:[{field: "rsa.internal.messageid", setter: fld_set}]}, - "min": {to:[{field: "rsa.time.min", setter: fld_set}]}, - "misc": {to:[{field: "rsa.misc.misc", setter: fld_set}]}, - "misc_name": {to:[{field: "rsa.misc.misc_name", setter: fld_set}]}, - "mode": {to:[{field: "rsa.misc.mode", setter: fld_set}]}, - "month": {to:[{field: "rsa.time.month", setter: fld_set}]}, - "msg": {to:[{field: "rsa.internal.msg", setter: fld_set}]}, - "msgIdPart1": {to:[{field: "rsa.misc.msgIdPart1", setter: fld_set}]}, - "msgIdPart2": {to:[{field: "rsa.misc.msgIdPart2", setter: fld_set}]}, - "msgIdPart3": {to:[{field: "rsa.misc.msgIdPart3", setter: fld_set}]}, - "msgIdPart4": {to:[{field: "rsa.misc.msgIdPart4", setter: fld_set}]}, - "msg_id": {to:[{field: "rsa.internal.msg_id", setter: fld_set}]}, - "msg_type": {to:[{field: "rsa.misc.msg_type", setter: fld_set}]}, - "msgid": {to:[{field: "rsa.misc.msgid", setter: fld_set}]}, - "name": {to:[{field: "rsa.misc.name", setter: fld_set}]}, - "netname": {to:[{field: "rsa.network.netname", setter: fld_set}]}, - "netsessid": {to:[{field: "rsa.misc.netsessid", setter: fld_set}]}, - "network_port": {convert: to_long, to:[{field: "rsa.network.network_port", setter: fld_set}]}, - "network_service": {to:[{field: "rsa.network.network_service", setter: fld_set}]}, - "node": {to:[{field: "rsa.misc.node", setter: fld_set}]}, - "nodename": {to:[{field: "rsa.internal.node_name", setter: fld_set}]}, - "ntype": {to:[{field: "rsa.misc.ntype", setter: fld_set}]}, - "num": {to:[{field: "rsa.misc.num", setter: fld_set}]}, - "number": 
{to:[{field: "rsa.misc.number", setter: fld_set}]}, - "number1": {to:[{field: "rsa.misc.number1", setter: fld_set}]}, - "number2": {to:[{field: "rsa.misc.number2", setter: fld_set}]}, - "nwe.callback_id": {to:[{field: "rsa.internal.nwe_callback_id", setter: fld_set}]}, - "nwwn": {to:[{field: "rsa.misc.nwwn", setter: fld_set}]}, - "obj_id": {to:[{field: "rsa.internal.obj_id", setter: fld_set}]}, - "obj_name": {to:[{field: "rsa.misc.obj_name", setter: fld_set}]}, - "obj_server": {to:[{field: "rsa.internal.obj_server", setter: fld_set}]}, - "obj_type": {to:[{field: "rsa.misc.obj_type", setter: fld_set}]}, - "obj_value": {to:[{field: "rsa.internal.obj_val", setter: fld_set}]}, - "object": {to:[{field: "rsa.misc.object", setter: fld_set}]}, - "observed_val": {to:[{field: "rsa.misc.observed_val", setter: fld_set}]}, - "operation": {to:[{field: "rsa.misc.operation", setter: fld_set}]}, - "operation_id": {to:[{field: "rsa.misc.operation_id", setter: fld_set}]}, - "opkt": {to:[{field: "rsa.misc.opkt", setter: fld_set}]}, - "org.dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 1}]}, - "org.src": {to:[{field: "rsa.physical.org_src", setter: fld_set}]}, - "org_dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 0}]}, - "orig_from": {to:[{field: "rsa.misc.orig_from", setter: fld_set}]}, - "origin": {to:[{field: "rsa.network.origin", setter: fld_set}]}, - "original_owner": {to:[{field: "rsa.identity.owner", setter: fld_set}]}, - "os": {to:[{field: "rsa.misc.OS", setter: fld_set}]}, - "owner_id": {to:[{field: "rsa.misc.owner_id", setter: fld_set}]}, - "p_action": {to:[{field: "rsa.misc.p_action", setter: fld_set}]}, - "p_date": {to:[{field: "rsa.time.p_date", setter: fld_set}]}, - "p_filter": {to:[{field: "rsa.misc.p_filter", setter: fld_set}]}, - "p_group_object": {to:[{field: "rsa.misc.p_group_object", setter: fld_set}]}, - "p_id": {to:[{field: "rsa.misc.p_id", setter: fld_set}]}, - "p_month": {to:[{field: "rsa.time.p_month", setter: fld_set}]}, 
- "p_msgid": {to:[{field: "rsa.misc.p_msgid", setter: fld_set}]}, - "p_msgid1": {to:[{field: "rsa.misc.p_msgid1", setter: fld_set}]}, - "p_msgid2": {to:[{field: "rsa.misc.p_msgid2", setter: fld_set}]}, - "p_result1": {to:[{field: "rsa.misc.p_result1", setter: fld_set}]}, - "p_time": {to:[{field: "rsa.time.p_time", setter: fld_set}]}, - "p_time1": {to:[{field: "rsa.time.p_time1", setter: fld_set}]}, - "p_time2": {to:[{field: "rsa.time.p_time2", setter: fld_set}]}, - "p_url": {to:[{field: "rsa.web.p_url", setter: fld_set}]}, - "p_user_agent": {to:[{field: "rsa.web.p_user_agent", setter: fld_set}]}, - "p_web_cookie": {to:[{field: "rsa.web.p_web_cookie", setter: fld_set}]}, - "p_web_method": {to:[{field: "rsa.web.p_web_method", setter: fld_set}]}, - "p_web_referer": {to:[{field: "rsa.web.p_web_referer", setter: fld_set}]}, - "p_year": {to:[{field: "rsa.time.p_year", setter: fld_set}]}, - "packet_length": {to:[{field: "rsa.network.packet_length", setter: fld_set}]}, - "paddr": {convert: to_ip, to:[{field: "rsa.network.paddr", setter: fld_set}]}, - "param": {to:[{field: "rsa.misc.param", setter: fld_set}]}, - "param.dst": {to:[{field: "rsa.misc.param_dst", setter: fld_set}]}, - "param.src": {to:[{field: "rsa.misc.param_src", setter: fld_set}]}, - "parent_node": {to:[{field: "rsa.misc.parent_node", setter: fld_set}]}, - "parse.error": {to:[{field: "rsa.internal.parse_error", setter: fld_set}]}, - "password": {to:[{field: "rsa.identity.password", setter: fld_set}]}, - "password_chg": {to:[{field: "rsa.misc.password_chg", setter: fld_set}]}, - "password_expire": {to:[{field: "rsa.misc.password_expire", setter: fld_set}]}, - "patient_fname": {to:[{field: "rsa.healthcare.patient_fname", setter: fld_set}]}, - "patient_id": {to:[{field: "rsa.healthcare.patient_id", setter: fld_set}]}, - "patient_lname": {to:[{field: "rsa.healthcare.patient_lname", setter: fld_set}]}, - "patient_mname": {to:[{field: "rsa.healthcare.patient_mname", setter: fld_set}]}, - "payload.req": {convert: 
to_long, to:[{field: "rsa.internal.payload_req", setter: fld_set}]}, - "payload.res": {convert: to_long, to:[{field: "rsa.internal.payload_res", setter: fld_set}]}, - "peer": {to:[{field: "rsa.crypto.peer", setter: fld_set}]}, - "peer_id": {to:[{field: "rsa.crypto.peer_id", setter: fld_set}]}, - "permgranted": {to:[{field: "rsa.misc.permgranted", setter: fld_set}]}, - "permissions": {to:[{field: "rsa.db.permissions", setter: fld_set}]}, - "permwanted": {to:[{field: "rsa.misc.permwanted", setter: fld_set}]}, - "pgid": {to:[{field: "rsa.misc.pgid", setter: fld_set}]}, - "phone_number": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 2}]}, - "phost": {to:[{field: "rsa.network.phost", setter: fld_set}]}, - "pid": {to:[{field: "rsa.misc.pid", setter: fld_set}]}, - "policy": {to:[{field: "rsa.misc.policy", setter: fld_set}]}, - "policyUUID": {to:[{field: "rsa.misc.policyUUID", setter: fld_set}]}, - "policy_id": {to:[{field: "rsa.misc.policy_id", setter: fld_set}]}, - "policy_value": {to:[{field: "rsa.misc.policy_value", setter: fld_set}]}, - "policy_waiver": {to:[{field: "rsa.misc.policy_waiver", setter: fld_set}]}, - "policyname": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 0}]}, - "pool_id": {to:[{field: "rsa.misc.pool_id", setter: fld_set}]}, - "pool_name": {to:[{field: "rsa.misc.pool_name", setter: fld_set}]}, - "port": {convert: to_long, to:[{field: "rsa.network.port", setter: fld_set}]}, - "portname": {to:[{field: "rsa.misc.port_name", setter: fld_set}]}, - "pread": {convert: to_long, to:[{field: "rsa.db.pread", setter: fld_set}]}, - "priority": {to:[{field: "rsa.misc.priority", setter: fld_set}]}, - "privilege": {to:[{field: "rsa.file.privilege", setter: fld_set}]}, - "process.vid.dst": {to:[{field: "rsa.internal.process_vid_dst", setter: fld_set}]}, - "process.vid.src": {to:[{field: "rsa.internal.process_vid_src", setter: fld_set}]}, - "process_id_val": {to:[{field: "rsa.misc.process_id_val", setter: fld_set}]}, - "processing_time": 
{to:[{field: "rsa.time.process_time", setter: fld_set}]}, - "profile": {to:[{field: "rsa.identity.profile", setter: fld_set}]}, - "prog_asp_num": {to:[{field: "rsa.misc.prog_asp_num", setter: fld_set}]}, - "program": {to:[{field: "rsa.misc.program", setter: fld_set}]}, - "protocol_detail": {to:[{field: "rsa.network.protocol_detail", setter: fld_set}]}, - "pwwn": {to:[{field: "rsa.storage.pwwn", setter: fld_set}]}, - "r_hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "real_data": {to:[{field: "rsa.misc.real_data", setter: fld_set}]}, - "realm": {to:[{field: "rsa.identity.realm", setter: fld_set}]}, - "reason": {to:[{field: "rsa.misc.reason", setter: fld_set}]}, - "rec_asp_device": {to:[{field: "rsa.misc.rec_asp_device", setter: fld_set}]}, - "rec_asp_num": {to:[{field: "rsa.misc.rec_asp_num", setter: fld_set}]}, - "rec_library": {to:[{field: "rsa.misc.rec_library", setter: fld_set}]}, - "recorded_time": {convert: to_date, to:[{field: "rsa.time.recorded_time", setter: fld_set}]}, - "recordnum": {to:[{field: "rsa.misc.recordnum", setter: fld_set}]}, - "registry.key": {to:[{field: "rsa.endpoint.registry_key", setter: fld_set}]}, - "registry.value": {to:[{field: "rsa.endpoint.registry_value", setter: fld_set}]}, - "remote_domain": {to:[{field: "rsa.web.remote_domain", setter: fld_set}]}, - "remote_domain_id": {to:[{field: "rsa.network.remote_domain_id", setter: fld_set}]}, - "reputation_num": {convert: to_double, to:[{field: "rsa.web.reputation_num", setter: fld_set}]}, - "resource": {to:[{field: "rsa.internal.resource", setter: fld_set}]}, - "resource_class": {to:[{field: "rsa.internal.resource_class", setter: fld_set}]}, - "result": {to:[{field: "rsa.misc.result", setter: fld_set}]}, - "result_code": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 1}]}, - "resultcode": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 0}]}, - "rid": {convert: to_long, to:[{field: "rsa.internal.rid", setter: fld_set}]}, - "risk": 
{to:[{field: "rsa.misc.risk", setter: fld_set}]}, - "risk_info": {to:[{field: "rsa.misc.risk_info", setter: fld_set}]}, - "risk_num": {convert: to_double, to:[{field: "rsa.misc.risk_num", setter: fld_set}]}, - "risk_num_comm": {convert: to_double, to:[{field: "rsa.misc.risk_num_comm", setter: fld_set}]}, - "risk_num_next": {convert: to_double, to:[{field: "rsa.misc.risk_num_next", setter: fld_set}]}, - "risk_num_sand": {convert: to_double, to:[{field: "rsa.misc.risk_num_sand", setter: fld_set}]}, - "risk_num_static": {convert: to_double, to:[{field: "rsa.misc.risk_num_static", setter: fld_set}]}, - "risk_suspicious": {to:[{field: "rsa.misc.risk_suspicious", setter: fld_set}]}, - "risk_warning": {to:[{field: "rsa.misc.risk_warning", setter: fld_set}]}, - "rpayload": {to:[{field: "rsa.network.rpayload", setter: fld_set}]}, - "ruid": {to:[{field: "rsa.misc.ruid", setter: fld_set}]}, - "rule": {to:[{field: "rsa.misc.rule", setter: fld_set}]}, - "rule_group": {to:[{field: "rsa.misc.rule_group", setter: fld_set}]}, - "rule_template": {to:[{field: "rsa.misc.rule_template", setter: fld_set}]}, - "rule_uid": {to:[{field: "rsa.misc.rule_uid", setter: fld_set}]}, - "rulename": {to:[{field: "rsa.misc.rule_name", setter: fld_set}]}, - "s_certauth": {to:[{field: "rsa.crypto.s_certauth", setter: fld_set}]}, - "s_cipher": {to:[{field: "rsa.crypto.cipher_src", setter: fld_set}]}, - "s_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_src", setter: fld_set}]}, - "s_context": {to:[{field: "rsa.misc.context_subject", setter: fld_set}]}, - "s_sslver": {to:[{field: "rsa.crypto.ssl_ver_src", setter: fld_set}]}, - "sburb": {to:[{field: "rsa.misc.sburb", setter: fld_set}]}, - "scheme": {to:[{field: "rsa.crypto.scheme", setter: fld_set}]}, - "sdomain_fld": {to:[{field: "rsa.misc.sdomain_fld", setter: fld_set}]}, - "search.text": {to:[{field: "rsa.misc.search_text", setter: fld_set}]}, - "sec": {to:[{field: "rsa.misc.sec", setter: fld_set}]}, - "second": {to:[{field: 
"rsa.misc.second", setter: fld_set}]}, - "sensor": {to:[{field: "rsa.misc.sensor", setter: fld_set}]}, - "sensorname": {to:[{field: "rsa.misc.sensorname", setter: fld_set}]}, - "seqnum": {to:[{field: "rsa.misc.seqnum", setter: fld_set}]}, - "serial_number": {to:[{field: "rsa.misc.serial_number", setter: fld_set}]}, - "service.account": {to:[{field: "rsa.identity.service_account", setter: fld_set}]}, - "session": {to:[{field: "rsa.misc.session", setter: fld_set}]}, - "session.split": {to:[{field: "rsa.internal.session_split", setter: fld_set}]}, - "sessionid": {to:[{field: "rsa.misc.log_session_id", setter: fld_set}]}, - "sessionid1": {to:[{field: "rsa.misc.log_session_id1", setter: fld_set}]}, - "sessiontype": {to:[{field: "rsa.misc.sessiontype", setter: fld_set}]}, - "severity": {to:[{field: "rsa.misc.severity", setter: fld_set}]}, - "sid": {to:[{field: "rsa.identity.user_sid_dst", setter: fld_set}]}, - "sig.name": {to:[{field: "rsa.misc.sig_name", setter: fld_set}]}, - "sigUUID": {to:[{field: "rsa.misc.sigUUID", setter: fld_set}]}, - "sigcat": {to:[{field: "rsa.misc.sigcat", setter: fld_set}]}, - "sigid": {convert: to_long, to:[{field: "rsa.misc.sig_id", setter: fld_set}]}, - "sigid1": {convert: to_long, to:[{field: "rsa.misc.sig_id1", setter: fld_set}]}, - "sigid_string": {to:[{field: "rsa.misc.sig_id_str", setter: fld_set}]}, - "signame": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 1}]}, - "sigtype": {to:[{field: "rsa.crypto.sig_type", setter: fld_set}]}, - "sinterface": {to:[{field: "rsa.network.sinterface", setter: fld_set}]}, - "site": {to:[{field: "rsa.internal.site", setter: fld_set}]}, - "size": {convert: to_long, to:[{field: "rsa.internal.size", setter: fld_set}]}, - "smask": {to:[{field: "rsa.network.smask", setter: fld_set}]}, - "snmp.oid": {to:[{field: "rsa.misc.snmp_oid", setter: fld_set}]}, - "snmp.value": {to:[{field: "rsa.misc.snmp_value", setter: fld_set}]}, - "sourcefile": {to:[{field: "rsa.internal.sourcefile", setter: 
fld_set}]}, - "space": {to:[{field: "rsa.misc.space", setter: fld_set}]}, - "space1": {to:[{field: "rsa.misc.space1", setter: fld_set}]}, - "spi": {to:[{field: "rsa.misc.spi", setter: fld_set}]}, - "sql": {to:[{field: "rsa.misc.sql", setter: fld_set}]}, - "src_dn": {to:[{field: "rsa.identity.dn_src", setter: fld_set}]}, - "src_payload": {to:[{field: "rsa.misc.payload_src", setter: fld_set}]}, - "src_spi": {to:[{field: "rsa.misc.spi_src", setter: fld_set}]}, - "src_zone": {to:[{field: "rsa.network.zone_src", setter: fld_set}]}, - "srcburb": {to:[{field: "rsa.misc.srcburb", setter: fld_set}]}, - "srcdom": {to:[{field: "rsa.misc.srcdom", setter: fld_set}]}, - "srcservice": {to:[{field: "rsa.misc.srcservice", setter: fld_set}]}, - "ssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 0}]}, - "stamp": {convert: to_date, to:[{field: "rsa.time.stamp", setter: fld_set}]}, - "starttime": {convert: to_date, to:[{field: "rsa.time.starttime", setter: fld_set}]}, - "state": {to:[{field: "rsa.misc.state", setter: fld_set}]}, - "statement": {to:[{field: "rsa.internal.statement", setter: fld_set}]}, - "status": {to:[{field: "rsa.misc.status", setter: fld_set}]}, - "status1": {to:[{field: "rsa.misc.status1", setter: fld_set}]}, - "streams": {convert: to_long, to:[{field: "rsa.misc.streams", setter: fld_set}]}, - "subcategory": {to:[{field: "rsa.misc.subcategory", setter: fld_set}]}, - "subject": {to:[{field: "rsa.email.subject", setter: fld_set}]}, - "svcno": {to:[{field: "rsa.misc.svcno", setter: fld_set}]}, - "system": {to:[{field: "rsa.misc.system", setter: fld_set}]}, - "t_context": {to:[{field: "rsa.misc.context_target", setter: fld_set}]}, - "task_name": {to:[{field: "rsa.file.task_name", setter: fld_set}]}, - "tbdstr1": {to:[{field: "rsa.misc.tbdstr1", setter: fld_set}]}, - "tbdstr2": {to:[{field: "rsa.misc.tbdstr2", setter: fld_set}]}, - "tbl_name": {to:[{field: "rsa.db.table_name", setter: fld_set}]}, - "tcp_flags": {convert: to_long, to:[{field: 
"rsa.misc.tcp_flags", setter: fld_set}]}, - "terminal": {to:[{field: "rsa.misc.terminal", setter: fld_set}]}, - "tgtdom": {to:[{field: "rsa.misc.tgtdom", setter: fld_set}]}, - "tgtdomain": {to:[{field: "rsa.misc.tgtdomain", setter: fld_set}]}, - "threat_name": {to:[{field: "rsa.threat.threat_category", setter: fld_set}]}, - "threat_source": {to:[{field: "rsa.threat.threat_source", setter: fld_set}]}, - "threat_val": {to:[{field: "rsa.threat.threat_desc", setter: fld_set}]}, - "threshold": {to:[{field: "rsa.misc.threshold", setter: fld_set}]}, - "time": {convert: to_date, to:[{field: "rsa.internal.time", setter: fld_set}]}, - "timestamp": {to:[{field: "rsa.time.timestamp", setter: fld_set}]}, - "timezone": {to:[{field: "rsa.time.timezone", setter: fld_set}]}, - "to": {to:[{field: "rsa.email.email_dst", setter: fld_set}]}, - "tos": {convert: to_long, to:[{field: "rsa.misc.tos", setter: fld_set}]}, - "trans_from": {to:[{field: "rsa.email.trans_from", setter: fld_set}]}, - "trans_id": {to:[{field: "rsa.db.transact_id", setter: fld_set}]}, - "trans_to": {to:[{field: "rsa.email.trans_to", setter: fld_set}]}, - "trigger_desc": {to:[{field: "rsa.misc.trigger_desc", setter: fld_set}]}, - "trigger_val": {to:[{field: "rsa.misc.trigger_val", setter: fld_set}]}, - "type": {to:[{field: "rsa.misc.type", setter: fld_set}]}, - "type1": {to:[{field: "rsa.misc.type1", setter: fld_set}]}, - "tzone": {to:[{field: "rsa.time.tzone", setter: fld_set}]}, - "ubc.req": {convert: to_long, to:[{field: "rsa.internal.ubc_req", setter: fld_set}]}, - "ubc.res": {convert: to_long, to:[{field: "rsa.internal.ubc_res", setter: fld_set}]}, - "udb_class": {to:[{field: "rsa.misc.udb_class", setter: fld_set}]}, - "url_fld": {to:[{field: "rsa.misc.url_fld", setter: fld_set}]}, - "urlpage": {to:[{field: "rsa.web.urlpage", setter: fld_set}]}, - "urlroot": {to:[{field: "rsa.web.urlroot", setter: fld_set}]}, - "user_address": {to:[{field: "rsa.email.email", setter: fld_append}]}, - "user_dept": {to:[{field: 
"rsa.identity.user_dept", setter: fld_set}]}, - "user_div": {to:[{field: "rsa.misc.user_div", setter: fld_set}]}, - "user_fname": {to:[{field: "rsa.identity.firstname", setter: fld_set}]}, - "user_lname": {to:[{field: "rsa.identity.lastname", setter: fld_set}]}, - "user_mname": {to:[{field: "rsa.identity.middlename", setter: fld_set}]}, - "user_org": {to:[{field: "rsa.identity.org", setter: fld_set}]}, - "user_role": {to:[{field: "rsa.identity.user_role", setter: fld_set}]}, - "userid": {to:[{field: "rsa.misc.userid", setter: fld_set}]}, - "username_fld": {to:[{field: "rsa.misc.username_fld", setter: fld_set}]}, - "utcstamp": {to:[{field: "rsa.misc.utcstamp", setter: fld_set}]}, - "v_instafname": {to:[{field: "rsa.misc.v_instafname", setter: fld_set}]}, - "vendor_event_cat": {to:[{field: "rsa.investigations.event_vcat", setter: fld_set}]}, - "version": {to:[{field: "rsa.misc.version", setter: fld_set}]}, - "vid": {to:[{field: "rsa.internal.msg_vid", setter: fld_set}]}, - "virt_data": {to:[{field: "rsa.misc.virt_data", setter: fld_set}]}, - "virusname": {to:[{field: "rsa.misc.virusname", setter: fld_set}]}, - "vlan": {convert: to_long, to:[{field: "rsa.network.vlan", setter: fld_set}]}, - "vlan.name": {to:[{field: "rsa.network.vlan_name", setter: fld_set}]}, - "vm_target": {to:[{field: "rsa.misc.vm_target", setter: fld_set}]}, - "vpnid": {to:[{field: "rsa.misc.vpnid", setter: fld_set}]}, - "vsys": {to:[{field: "rsa.misc.vsys", setter: fld_set}]}, - "vuln_ref": {to:[{field: "rsa.misc.vuln_ref", setter: fld_set}]}, - "web_cookie": {to:[{field: "rsa.web.web_cookie", setter: fld_set}]}, - "web_extension_tmp": {to:[{field: "rsa.web.web_extension_tmp", setter: fld_set}]}, - "web_host": {to:[{field: "rsa.web.alias_host", setter: fld_set}]}, - "web_method": {to:[{field: "rsa.misc.action", setter: fld_append}]}, - "web_page": {to:[{field: "rsa.web.web_page", setter: fld_set}]}, - "web_ref_domain": {to:[{field: "rsa.web.web_ref_domain", setter: fld_set}]}, - "web_ref_host": 
{to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "web_ref_page": {to:[{field: "rsa.web.web_ref_page", setter: fld_set}]}, - "web_ref_query": {to:[{field: "rsa.web.web_ref_query", setter: fld_set}]}, - "web_ref_root": {to:[{field: "rsa.web.web_ref_root", setter: fld_set}]}, - "wifi_channel": {convert: to_long, to:[{field: "rsa.wireless.wlan_channel", setter: fld_set}]}, - "wlan": {to:[{field: "rsa.wireless.wlan_name", setter: fld_set}]}, - "word": {to:[{field: "rsa.internal.word", setter: fld_set}]}, - "workspace_desc": {to:[{field: "rsa.misc.workspace", setter: fld_set}]}, - "workstation": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "year": {to:[{field: "rsa.time.year", setter: fld_set}]}, - "zone": {to:[{field: "rsa.network.zone", setter: fld_set}]}, - }; - - function to_date(value) { - switch (typeof (value)) { - case "object": - // This is a Date. But as it was obtained from evt.Get(), the VM - // doesn't see it as a JS Date anymore, thus value instanceof Date === false. - // Have to trust that any object here is a valid Date for Go. - return value; - case "string": - var asDate = new Date(value); - if (!isNaN(asDate)) return asDate; - } - } - - // ECMAScript 5.1 doesn't have Object.MAX_SAFE_INTEGER / Object.MIN_SAFE_INTEGER. - var maxSafeInt = Math.pow(2, 53) - 1; - var minSafeInt = -maxSafeInt; - - function to_long(value) { - var num = parseInt(value); - // Better not to index a number if it's not safe (above 53 bits). - return !isNaN(num) && minSafeInt <= num && num <= maxSafeInt ? 
num : undefined; - } - - function to_ip(value) { - if (value.indexOf(":") === -1) - return to_ipv4(value); - return to_ipv6(value); - } - - var ipv4_regex = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/; - var ipv6_hex_regex = /^[0-9A-Fa-f]{1,4}$/; - - function to_ipv4(value) { - var result = ipv4_regex.exec(value); - if (result == null || result.length !== 5) return; - for (var i = 1; i < 5; i++) { - var num = strictToInt(result[i]); - if (isNaN(num) || num < 0 || num > 255) return; - } - return value; - } - - function to_ipv6(value) { - var sqEnd = value.indexOf("]"); - if (sqEnd > -1) { - if (value.charAt(0) !== "[") return; - value = value.substr(1, sqEnd - 1); - } - var zoneOffset = value.indexOf("%"); - if (zoneOffset > -1) { - value = value.substr(0, zoneOffset); - } - var parts = value.split(":"); - if (parts == null || parts.length < 3 || parts.length > 8) return; - var numEmpty = 0; - var innerEmpty = 0; - for (var i = 0; i < parts.length; i++) { - if (parts[i].length === 0) { - numEmpty++; - if (i > 0 && i + 1 < parts.length) innerEmpty++; - } else if (!parts[i].match(ipv6_hex_regex) && - // Accept an IPv6 with a valid IPv4 at the end. - ((i + 1 < parts.length) || !to_ipv4(parts[i]))) { - return; - } - } - return innerEmpty === 0 && parts.length === 8 || innerEmpty === 1 ? value : undefined; - } - - function to_double(value) { - return parseFloat(value); - } - - function to_mac(value) { - // ES doesn't have a mac datatype so it's safe to ingest whatever was captured. - return value; - } - - function to_lowercase(value) { - // to_lowercase is used against keyword fields, which can accept - // any other type (numbers, dates). - return typeof(value) === "string"? 
value.toLowerCase() : value; - } - - function fld_set(dst, value) { - dst[this.field] = { v: value }; - } - - function fld_append(dst, value) { - if (dst[this.field] === undefined) { - dst[this.field] = { v: [value] }; - } else { - var base = dst[this.field]; - if (base.v.indexOf(value)===-1) base.v.push(value); - } - } - - function fld_prio(dst, value) { - if (dst[this.field] === undefined) { - dst[this.field] = { v: value, prio: this.prio}; - } else if(this.prio < dst[this.field].prio) { - dst[this.field].v = value; - dst[this.field].prio = this.prio; - } - } - - var valid_ecs_outcome = { - 'failure': true, - 'success': true, - 'unknown': true - }; - - function fld_ecs_outcome(dst, value) { - value = value.toLowerCase(); - if (valid_ecs_outcome[value] === undefined) { - value = 'unknown'; - } - if (dst[this.field] === undefined) { - dst[this.field] = { v: value }; - } else if (dst[this.field].v === 'unknown') { - dst[this.field] = { v: value }; - } - } - - function map_all(evt, targets, value) { - for (var i = 0; i < targets.length; i++) { - evt.Put(targets[i], value); - } - } - - function populate_fields(evt) { - var base = evt.Get(FIELDS_OBJECT); - if (base === null) return; - alternate_datetime(evt); - if (map_ecs) { - do_populate(evt, base, ecs_mappings); - } - if (map_rsa) { - do_populate(evt, base, rsa_mappings); - } - if (keep_raw) { - evt.Put("rsa.raw", base); - } - evt.Delete(FIELDS_OBJECT); - } - - var datetime_alt_components = [ - {field: "day", fmts: [[dF]]}, - {field: "year", fmts: [[dW]]}, - {field: "month", fmts: [[dB],[dG]]}, - {field: "date", fmts: [[dW,dSkip,dG,dSkip,dF],[dW,dSkip,dB,dSkip,dF],[dW,dSkip,dR,dSkip,dF]]}, - {field: "hour", fmts: [[dN]]}, - {field: "min", fmts: [[dU]]}, - {field: "secs", fmts: [[dO]]}, - {field: "time", fmts: [[dN, dSkip, dU, dSkip, dO]]}, - ]; - - function alternate_datetime(evt) { - if (evt.Get(FIELDS_PREFIX + "event_time") != null) { - return; - } - var tzOffset = tz_offset; - if (tzOffset === "event") { - 
tzOffset = evt.Get("event.timezone"); - } - var container = new DateContainer(tzOffset); - for (var i=0; i} ui=%{p0}"); - - var dup3 = match("MESSAGE#0:event_admin/1_0", "nwparser.p0", "%{network_service}(%{saddr}) action=%{p0}"); - - var dup4 = match("MESSAGE#0:event_admin/1_1", "nwparser.p0", "%{network_service->} action=%{p0}"); - - var dup5 = match("MESSAGE#0:event_admin/3_0", "nwparser.p0", "\"%{event_description}\""); - - var dup6 = match_copy("MESSAGE#0:event_admin/3_1", "nwparser.p0", "event_description"); - - var dup7 = setc("eventcategory","1401000000"); - - var dup8 = setf("msg","$MSG"); - - var dup9 = date_time({ - dest: "event_time", - args: ["hdate","htime"], - fmts: [ - [dW,dc("-"),dG,dc("-"),dF,dH,dc(":"),dU,dc(":"),dO], - ], - }); - - var dup10 = setf("hardware_id","hfld1"); - - var dup11 = setf("id","hfld2"); - - var dup12 = setf("id1","hfld3"); - - var dup13 = setf("event_type","msgIdPart1"); - - var dup14 = setf("category","msgIdPart2"); - - var dup15 = setf("severity","hseverity"); - - var dup16 = match("MESSAGE#1:event_pop3/2", "nwparser.p0", "%{action->} status=%{event_state->} msg=%{p0}"); - - var dup17 = setc("eventcategory","1602000000"); - - var dup18 = match("MESSAGE#5:event_smtp:01/0", "nwparser.payload", "user=%{username}ui=%{p0}"); - - var dup19 = match("MESSAGE#5:event_smtp:01/1_0", "nwparser.p0", "%{network_service}(%{hostip}) action=%{p0}"); - - var dup20 = match("MESSAGE#5:event_smtp:01/1_1", "nwparser.p0", "%{network_service}action=%{p0}"); - - var dup21 = match("MESSAGE#5:event_smtp:01/2", "nwparser.p0", "%{action}status=%{event_state}session_id=%{p0}"); - - var dup22 = match("MESSAGE#5:event_smtp:01/3_0", "nwparser.p0", "\"%{sessionid}\"msg=\"STARTTLS=%{p0}"); - - var dup23 = match("MESSAGE#5:event_smtp:01/3_1", "nwparser.p0", "%{sessionid}msg=\"STARTTLS=%{p0}"); - - var dup24 = match("MESSAGE#16:event_smtp/3_0", "nwparser.p0", "\"%{sessionid}\" msg=%{p0}"); - - var dup25 = match("MESSAGE#16:event_smtp/3_1", "nwparser.p0", 
"%{sessionid->} msg=%{p0}"); - - var dup26 = match("MESSAGE#20:virus/0", "nwparser.payload", "from=%{p0}"); - - var dup27 = match("MESSAGE#20:virus/1_0", "nwparser.p0", "\"%{from}\" to=%{p0}"); - - var dup28 = match("MESSAGE#20:virus/1_1", "nwparser.p0", "%{from->} to=%{p0}"); - - var dup29 = match("MESSAGE#20:virus/2_0", "nwparser.p0", "\"%{to}\" src=%{p0}"); - - var dup30 = match("MESSAGE#20:virus/2_1", "nwparser.p0", "%{to->} src=%{p0}"); - - var dup31 = match("MESSAGE#20:virus/3_0", "nwparser.p0", "\"%{saddr}\" session_id=%{p0}"); - - var dup32 = match("MESSAGE#20:virus/3_1", "nwparser.p0", "%{saddr->} session_id=%{p0}"); - - var dup33 = setc("eventcategory","1003010000"); - - var dup34 = setf("event_type","messageid"); - - var dup35 = match("MESSAGE#23:statistics/0", "nwparser.payload", "session_id=%{p0}"); - - var dup36 = match("MESSAGE#23:statistics/1_0", "nwparser.p0", "\"%{sessionid}\" from=%{p0}"); - - var dup37 = match("MESSAGE#23:statistics/1_1", "nwparser.p0", "%{sessionid->} from=%{p0}"); - - var dup38 = match("MESSAGE#23:statistics/2_0", "nwparser.p0", "\"%{from}\" mailer=%{p0}"); - - var dup39 = match("MESSAGE#23:statistics/2_1", "nwparser.p0", "%{from->} mailer=%{p0}"); - - var dup40 = match("MESSAGE#23:statistics/3_0", "nwparser.p0", "\"%{agent}\" client_name=\"%{p0}"); - - var dup41 = match("MESSAGE#23:statistics/3_1", "nwparser.p0", "%{agent->} client_name=\"%{p0}"); - - var dup42 = match("MESSAGE#23:statistics/4_0", "nwparser.p0", "%{fqdn->} [%{saddr}] (%{info})\"%{p0}"); - - var dup43 = match("MESSAGE#23:statistics/4_1", "nwparser.p0", "%{fqdn->} [%{saddr}]\"%{p0}"); - - var dup44 = match("MESSAGE#23:statistics/4_2", "nwparser.p0", "%{saddr}\"%{p0}"); - - var dup45 = match("MESSAGE#23:statistics/6_0", "nwparser.p0", "\"%{context}\" to=%{p0}"); - - var dup46 = match("MESSAGE#23:statistics/6_1", "nwparser.p0", "%{context->} to=%{p0}"); - - var dup47 = match("MESSAGE#23:statistics/7_0", "nwparser.p0", "\"%{to}\" direction=%{p0}"); - - var dup48 = 
match("MESSAGE#23:statistics/7_1", "nwparser.p0", "%{to->} direction=%{p0}"); - - var dup49 = match("MESSAGE#23:statistics/8_0", "nwparser.p0", "\"%{direction}\" message_length=%{p0}"); - - var dup50 = match("MESSAGE#23:statistics/8_1", "nwparser.p0", "%{direction->} message_length=%{p0}"); - - var dup51 = match("MESSAGE#23:statistics/9", "nwparser.p0", "%{fld4->} virus=%{p0}"); - - var dup52 = match("MESSAGE#23:statistics/10_0", "nwparser.p0", "\"%{virusname}\" disposition=%{p0}"); - - var dup53 = match("MESSAGE#23:statistics/10_1", "nwparser.p0", "%{virusname->} disposition=%{p0}"); - - var dup54 = match("MESSAGE#23:statistics/11_0", "nwparser.p0", "\"%{disposition}\" classifier=%{p0}"); - - var dup55 = match("MESSAGE#23:statistics/11_1", "nwparser.p0", "%{disposition->} classifier=%{p0}"); - - var dup56 = match("MESSAGE#23:statistics/12_0", "nwparser.p0", "\"%{filter}\" subject=%{p0}"); - - var dup57 = match("MESSAGE#23:statistics/12_1", "nwparser.p0", "%{filter->} subject=%{p0}"); - - var dup58 = match("MESSAGE#23:statistics/13_0", "nwparser.p0", "\"%{subject}\""); - - var dup59 = match_copy("MESSAGE#23:statistics/13_1", "nwparser.p0", "subject"); - - var dup60 = setc("eventcategory","1207000000"); - - var dup61 = match("MESSAGE#24:statistics:01/5", "nwparser.p0", "%{}resolved=%{p0}"); - - var dup62 = setc("eventcategory","1207040000"); - - var dup63 = linear_select([ - dup3, - dup4, - ]); - - var dup64 = linear_select([ - dup5, - dup6, - ]); - - var dup65 = linear_select([ - dup19, - dup20, - ]); - - var dup66 = linear_select([ - dup22, - dup23, - ]); - - var dup67 = linear_select([ - dup3, - dup20, - ]); - - var dup68 = linear_select([ - dup24, - dup25, - ]); - - var dup69 = linear_select([ - dup27, - dup28, - ]); - - var dup70 = linear_select([ - dup29, - dup30, - ]); - - var dup71 = linear_select([ - dup36, - dup37, - ]); - - var dup72 = linear_select([ - dup38, - dup39, - ]); - - var dup73 = linear_select([ - dup40, - dup41, - ]); - - var dup74 = 
linear_select([ - dup42, - dup43, - dup44, - ]); - - var dup75 = linear_select([ - dup45, - dup46, - ]); - - var dup76 = linear_select([ - dup47, - dup48, - ]); - - var dup77 = linear_select([ - dup49, - dup50, - ]); - - var dup78 = linear_select([ - dup52, - dup53, - ]); - - var dup79 = linear_select([ - dup54, - dup55, - ]); - - var dup80 = linear_select([ - dup56, - dup57, - ]); - - var dup81 = linear_select([ - dup58, - dup59, - ]); - - var dup82 = all_match({ - processors: [ - dup2, - dup63, - dup16, - dup64, - ], - on_success: processor_chain([ - dup17, - dup8, - dup9, - dup10, - dup11, - dup12, - dup13, - dup14, - dup15, - ]), - }); - - var hdr1 = match("HEADER#0:0001", "message", "date=%{hdate->} time=%{htime->} device_id=%{hfld1->} log_id=%{hfld2->} log_part=%{hfld3->} type=%{msgIdPart1->} subtype=%{msgIdPart2->} pri=%{hseverity->} %{payload}", processor_chain([ - setc("header_id","0001"), - dup1, - ])); - - var hdr2 = match("HEADER#1:0002", "message", "date=%{hdate->} time=%{htime->} device_id=%{hfld1->} log_id=%{hfld2->} log_part=%{hfld3->} type=%{messageid->} pri=%{hseverity->} %{payload}", processor_chain([ - setc("header_id","0002"), - ])); - - var hdr3 = match("HEADER#2:0003", "message", "date=%{hdate->} time=%{htime->} device_id=%{hfld1->} log_id=%{hfld2->} type=%{msgIdPart1->} subtype=%{msgIdPart2->} pri=%{hseverity->} %{payload}", processor_chain([ - setc("header_id","0003"), - dup1, - ])); - - var hdr4 = match("HEADER#3:0004", "message", "date=%{hdate->} time=%{htime->} device_id=%{hfld1->} log_id=%{hfld2->} type=%{messageid->} pri=%{hseverity->} %{payload}", processor_chain([ - setc("header_id","0004"), - ])); - - var select1 = linear_select([ - hdr1, - hdr2, - hdr3, - hdr4, - ]); - - var part1 = match("MESSAGE#0:event_admin/2", "nwparser.p0", "%{action->} status=%{event_state->} reason=%{result->} msg=%{p0}"); - - var all1 = all_match({ - processors: [ - dup2, - dup63, - part1, - dup64, - ], - on_success: processor_chain([ - dup7, - dup8, - 
dup9, - dup10, - dup11, - dup12, - dup13, - dup14, - dup15, - ]), - }); - - var msg1 = msg("event_admin", all1); - - var msg2 = msg("event_pop3", dup82); - - var all2 = all_match({ - processors: [ - dup2, - dup63, - dup16, - dup64, - ], - on_success: processor_chain([ - dup7, - dup8, - dup9, - dup10, - dup11, - dup12, - dup13, - dup14, - dup15, - ]), - }); - - var msg3 = msg("event_webmail", all2); - - var msg4 = msg("event_system", dup82); - - var msg5 = msg("event_imap", dup82); - - var part2 = match("MESSAGE#5:event_smtp:01/4", "nwparser.p0", "%{fld1}, relay=%{p0}"); - - var part3 = match("MESSAGE#5:event_smtp:01/5_0", "nwparser.p0", "%{shost}[%{saddr}], version=%{p0}"); - - var part4 = match("MESSAGE#5:event_smtp:01/5_1", "nwparser.p0", "%{shost}, version=%{p0}"); - - var select2 = linear_select([ - part3, - part4, - ]); - - var part5 = match("MESSAGE#5:event_smtp:01/6", "nwparser.p0", "%{version}, verify=%{fld2}, cipher=%{s_cipher}, bits=%{fld3}\""); - - var all3 = all_match({ - processors: [ - dup18, - dup65, - dup21, - dup66, - part2, - select2, - part5, - ], - on_success: processor_chain([ - dup17, - dup8, - dup9, - dup10, - dup11, - dup12, - dup13, - dup14, - dup15, - ]), - }); - - var msg6 = msg("event_smtp:01", all3); - - var part6 = match("MESSAGE#6:event_smtp:02/4", "nwparser.p0", "%{fld1}, cert-subject=%{cert_subject}, cert-issuer=%{fld2}, verifymsg=%{fld3}\""); - - var all4 = all_match({ - processors: [ - dup18, - dup65, - dup21, - dup66, - part6, - ], - on_success: processor_chain([ - dup17, - dup8, - dup9, - dup10, - dup11, - dup12, - dup13, - dup14, - dup15, - ]), - }); - - var msg7 = msg("event_smtp:02", all4); - - var part7 = match("MESSAGE#7:event_smtp:03/2", "nwparser.p0", "%{action}status=%{event_state}session_id=\"%{sessionid}\" msg=\"to=\u003c\u003c%{to}>, delay=%{fld1}, xdelay=%{fld2}, mailer=%{protocol}, pri=%{fld3}, relay=%{shost}[%{saddr}], dsn=%{fld4}, stat=%{fld5}\""); - - var all5 = all_match({ - processors: [ - dup18, - dup65, - 
part7, - ], - on_success: processor_chain([ - dup17, - dup8, - dup9, - dup10, - dup11, - dup12, - dup13, - dup14, - dup15, - ]), - }); - - var msg8 = msg("event_smtp:03", all5); - - var part8 = match("MESSAGE#8:event_smtp:04/0", "nwparser.payload", "user=%{username}ui=%{network_service}action=%{action}status=%{event_state}session_id=\"%{sessionid}\" msg=\"from=\u003c\u003c%{from}>, size=%{bytes}, class=%{fld2}, nrcpts=%{p0}"); - - var part9 = match("MESSAGE#8:event_smtp:04/1_0", "nwparser.p0", "%{fld3}, msgid=\u003c\u003c%{fld4}>, proto=%{p0}"); - - var part10 = match("MESSAGE#8:event_smtp:04/1_1", "nwparser.p0", "%{fld3}, proto=%{p0}"); - - var select3 = linear_select([ - part9, - part10, - ]); - - var part11 = match("MESSAGE#8:event_smtp:04/2", "nwparser.p0", "%{protocol}, daemon=%{process}, relay=%{p0}"); - - var part12 = match("MESSAGE#8:event_smtp:04/3_0", "nwparser.p0", "%{shost}[%{saddr}] (may be forged)\""); - - var part13 = match("MESSAGE#8:event_smtp:04/3_1", "nwparser.p0", "%{shost}[%{saddr}]\""); - - var part14 = match("MESSAGE#8:event_smtp:04/3_2", "nwparser.p0", "%{shost}\""); - - var select4 = linear_select([ - part12, - part13, - part14, - ]); - - var all6 = all_match({ - processors: [ - part8, - select3, - part11, - select4, - ], - on_success: processor_chain([ - dup17, - dup8, - dup9, - dup10, - dup11, - dup12, - dup13, - dup14, - dup15, - ]), - }); - - var msg9 = msg("event_smtp:04", all6); - - var part15 = match("MESSAGE#9:event_smtp:05/2", "nwparser.p0", "%{action}status=%{event_state}session_id=\"%{sessionid}\" msg=\"Milter: to=\u003c\u003c%{to}>, reject=%{fld1}\""); - - var all7 = all_match({ - processors: [ - dup18, - dup67, - part15, - ], - on_success: processor_chain([ - dup17, - dup8, - dup9, - dup10, - dup11, - dup12, - dup13, - dup14, - dup15, - ]), - }); - - var msg10 = msg("event_smtp:05", all7); - - var part16 = match("MESSAGE#10:event_smtp:06/2", "nwparser.p0", "%{action}status=%{event_state}session_id=\"%{sessionid}\" msg=\"timeout 
waiting for input from%{p0}"); - - var part17 = match("MESSAGE#10:event_smtp:06/3_0", "nwparser.p0", "[%{saddr}]during server cmd%{p0}"); - - var part18 = match("MESSAGE#10:event_smtp:06/3_1", "nwparser.p0", "%{saddr}during server cmd%{p0}"); - - var select5 = linear_select([ - part17, - part18, - ]); - - var part19 = match("MESSAGE#10:event_smtp:06/4", "nwparser.p0", "%{fld5}\""); - - var all8 = all_match({ - processors: [ - dup18, - dup65, - part16, - select5, - part19, - ], - on_success: processor_chain([ - dup17, - dup8, - dup9, - dup10, - dup11, - dup12, - dup13, - dup14, - dup15, - ]), - }); - - var msg11 = msg("event_smtp:06", all8); - - var part20 = match("MESSAGE#11:event_smtp:07/2", "nwparser.p0", "%{action}status=%{event_state}session_id=\"%{sessionid}\" msg=\"collect:%{fld1}timeout on connection from%{shost}, from=\u003c\u003c%{from}>\""); - - var all9 = all_match({ - processors: [ - dup18, - dup67, - part20, - ], - on_success: processor_chain([ - dup17, - dup8, - dup9, - dup10, - dup11, - dup12, - dup13, - dup14, - dup15, - ]), - }); - - var msg12 = msg("event_smtp:07", all9); - - var part21 = match("MESSAGE#12:event_smtp:08/2", "nwparser.p0", "%{action}status=%{event_state}session_id=\"%{sessionid}\" msg=\"DSN: to \u003c\u003c%{to}>; reason:%{result}; sessionid:%{fld5}\""); - - var all10 = all_match({ - processors: [ - dup18, - dup67, - part21, - ], - on_success: processor_chain([ - dup17, - dup8, - dup9, - dup10, - dup11, - dup12, - dup13, - dup14, - dup15, - ]), - }); - - var msg13 = msg("event_smtp:08", all10); - - var part22 = match("MESSAGE#13:event_smtp:09/2", "nwparser.p0", "%{action}status=%{event_state}session_id=\"%{sessionid}\" msg=\"lost input channel from%{shost}[%{saddr}] (may be forged) to SMTP_MTA after rcpt\""); - - var all11 = all_match({ - processors: [ - dup18, - dup65, - part22, - ], - on_success: processor_chain([ - dup17, - dup8, - dup9, - dup10, - dup11, - dup12, - dup13, - dup14, - dup15, - ]), - }); - - var msg14 = 
msg("event_smtp:09", all11); - - var part23 = match("MESSAGE#14:event_smtp:10/2", "nwparser.p0", "%{action}status=%{event_state}session_id=\"%{sessionid}\" msg=\"%{shost}[%{saddr}]: possible SMTP attack: command=%{fld1}, count=%{dclass_counter1}\""); - - var all12 = all_match({ - processors: [ - dup18, - dup65, - part23, - ], - on_success: processor_chain([ - dup17, - dup8, - dup9, - dup10, - dup11, - dup12, - dup13, - dup14, - dup15, - setc("dclass_counter1_string","count"), - ]), - }); - - var msg15 = msg("event_smtp:10", all12); - - var part24 = match("MESSAGE#15:event_smtp:11/2", "nwparser.p0", "%{action}status=%{event_state}session_id=\"%{sessionid}\" log_part=%{id1->} msg=\"to=\u003c\u003c%{to}, delay=%{p0}"); - - var part25 = match("MESSAGE#15:event_smtp:11/3_0", "nwparser.p0", "%{fld1}, xdelay=%{fld2}, mailer=%{protocol}, pri=%{fld3}, relay=%{shost}\""); - - var part26 = match("MESSAGE#15:event_smtp:11/3_1", "nwparser.p0", "%{fld1}, xdelay=%{fld2}, mailer=%{protocol}, pri=%{fld3}\""); - - var part27 = match("MESSAGE#15:event_smtp:11/3_2", "nwparser.p0", "%{fld1}, xdelay=%{fld2}, mailer=%{protocol}\""); - - var part28 = match("MESSAGE#15:event_smtp:11/3_3", "nwparser.p0", "%{fld1}\""); - - var select6 = linear_select([ - part25, - part26, - part27, - part28, - ]); - - var all13 = all_match({ - processors: [ - dup18, - dup65, - part24, - select6, - ], - on_success: processor_chain([ - dup17, - dup8, - dup9, - dup10, - dup11, - dup12, - dup13, - dup14, - dup15, - ]), - }); - - var msg16 = msg("event_smtp:11", all13); - - var part29 = match("MESSAGE#16:event_smtp/2", "nwparser.p0", "%{action->} status=%{event_state->} session_id=%{p0}"); - - var all14 = all_match({ - processors: [ - dup2, - dup63, - part29, - dup68, - dup64, - ], - on_success: processor_chain([ - dup17, - dup8, - dup9, - dup10, - dup11, - dup12, - dup13, - dup14, - dup15, - ]), - }); - - var msg17 = msg("event_smtp", all14); - - var part30 = tagval("MESSAGE#17:event_smtp:12", 
"nwparser.payload", tvm, { - "action": "action", - "log_part": "id1", - "msg": "info", - "session_id": "sessionid", - "status": "event_state", - "ui": "network_service", - "user": "username", - }, processor_chain([ - dup17, - dup8, - dup9, - dup10, - dup11, - dup12, - dup13, - dup14, - dup15, - ])); - - var msg18 = msg("event_smtp:12", part30); - - var select7 = linear_select([ - msg6, - msg7, - msg8, - msg9, - msg10, - msg11, - msg12, - msg13, - msg14, - msg15, - msg16, - msg17, - msg18, - ]); - - var part31 = match("MESSAGE#18:event_update/0", "nwparser.payload", "msg=%{p0}"); - - var all15 = all_match({ - processors: [ - part31, - dup64, - ], - on_success: processor_chain([ - dup17, - dup8, - dup9, - dup10, - dup11, - dup12, - dup13, - dup14, - dup15, - ]), - }); - - var msg19 = msg("event_update", all15); - - var part32 = match("MESSAGE#19:event_config/1_0", "nwparser.p0", "%{network_service}(%{saddr}) module=%{p0}"); - - var part33 = match("MESSAGE#19:event_config/1_1", "nwparser.p0", "%{network_service->} module=%{p0}"); - - var select8 = linear_select([ - part32, - part33, - ]); - - var part34 = match("MESSAGE#19:event_config/2", "nwparser.p0", "%{fld1->} submodule=%{fld2->} msg=%{p0}"); - - var all16 = all_match({ - processors: [ - dup2, - select8, - part34, - dup64, - ], - on_success: processor_chain([ - setc("eventcategory","1701000000"), - dup8, - dup9, - dup10, - dup11, - dup12, - dup13, - dup14, - dup15, - ]), - }); - - var msg20 = msg("event_config", all16); - - var select9 = linear_select([ - dup31, - dup32, - ]); - - var all17 = all_match({ - processors: [ - dup26, - dup69, - dup70, - select9, - dup68, - dup64, - ], - on_success: processor_chain([ - dup33, - dup8, - dup9, - dup10, - dup11, - dup12, - dup34, - dup15, - ]), - }); - - var msg21 = msg("virus", all17); - - var part35 = match("MESSAGE#21:virus_infected/2_0", "nwparser.p0", "\"%{to}\" client_name=\"%{p0}"); - - var part36 = match("MESSAGE#21:virus_infected/2_1", "nwparser.p0", "%{to->} 
client_name=\"%{p0}"); - - var select10 = linear_select([ - part35, - part36, - ]); - - var part37 = match("MESSAGE#21:virus_infected/3", "nwparser.p0", "%{fqdn}\" client_ip=\"%{saddr}\" session_id=%{p0}"); - - var all18 = all_match({ - processors: [ - dup26, - dup69, - select10, - part37, - dup68, - dup64, - ], - on_success: processor_chain([ - dup33, - dup8, - dup9, - dup10, - dup11, - dup12, - dup13, - dup15, - ]), - }); - - var msg22 = msg("virus_infected", all18); - - var part38 = match("MESSAGE#22:virus_file-signature/0_0", "nwparser.payload", "from=\"%{from}\" to=%{p0}"); - - var part39 = match("MESSAGE#22:virus_file-signature/0_1", "nwparser.payload", "%{from->} to=%{p0}"); - - var select11 = linear_select([ - part38, - part39, - ]); - - var part40 = match("MESSAGE#22:virus_file-signature/2_0", "nwparser.p0", "\"%{sdomain->} [%{saddr}]\" session_id=%{p0}"); - - var part41 = match("MESSAGE#22:virus_file-signature/2_1", "nwparser.p0", "%{sdomain->} [%{saddr}] session_id=%{p0}"); - - var part42 = match("MESSAGE#22:virus_file-signature/2_2", "nwparser.p0", "\"[%{saddr}]\" session_id=%{p0}"); - - var part43 = match("MESSAGE#22:virus_file-signature/2_3", "nwparser.p0", "[%{saddr}] session_id=%{p0}"); - - var select12 = linear_select([ - part40, - part41, - part42, - part43, - dup31, - dup32, - ]); - - var part44 = match("MESSAGE#22:virus_file-signature/4_0", "nwparser.p0", "\"Attachment file (%(unknown)) has sha1 hash value: %{checksum}\""); - - var select13 = linear_select([ - part44, - dup5, - dup6, - ]); - - var all19 = all_match({ - processors: [ - select11, - dup70, - select12, - dup68, - select13, - ], - on_success: processor_chain([ - dup33, - dup8, - dup9, - dup10, - dup11, - dup12, - dup34, - dup15, - ]), - }); - - var msg23 = msg("virus_file-signature", all19); - - var part45 = match("MESSAGE#23:statistics/5", "nwparser.p0", "%{}MSISDN=%{fld3->} resolved=%{p0}"); - - var all20 = all_match({ - processors: [ - dup35, - dup71, - dup72, - dup73, - dup74, - 
part45, - dup75, - dup76, - dup77, - dup51, - dup78, - dup79, - dup80, - dup81, - ], - on_success: processor_chain([ - dup60, - dup8, - dup9, - dup10, - dup11, - dup12, - dup34, - dup15, - ]), - }); - - var msg24 = msg("statistics", all20); - - var all21 = all_match({ - processors: [ - dup35, - dup71, - dup72, - dup73, - dup74, - dup61, - dup75, - dup76, - dup77, - dup51, - dup78, - dup79, - dup80, - dup81, - ], - on_success: processor_chain([ - dup60, - dup8, - dup9, - dup10, - dup11, - dup12, - dup34, - dup15, - ]), - }); - - var msg25 = msg("statistics:01", all21); - - var part46 = match("MESSAGE#25:statistics:02/4_0", "nwparser.p0", "\"%{direction}\" subject=%{p0}"); - - var part47 = match("MESSAGE#25:statistics:02/4_1", "nwparser.p0", "%{direction->} subject=%{p0}"); - - var select14 = linear_select([ - part46, - part47, - ]); - - var part48 = match("MESSAGE#25:statistics:02/5_0", "nwparser.p0", "\"%{subject}\" classifier=%{p0}"); - - var part49 = match("MESSAGE#25:statistics:02/5_1", "nwparser.p0", "%{subject->} classifier=%{p0}"); - - var select15 = linear_select([ - part48, - part49, - ]); - - var part50 = match("MESSAGE#25:statistics:02/6_0", "nwparser.p0", "\"%{filter}\" disposition=%{p0}"); - - var part51 = match("MESSAGE#25:statistics:02/6_1", "nwparser.p0", "%{filter->} disposition=%{p0}"); - - var select16 = linear_select([ - part50, - part51, - ]); - - var part52 = match("MESSAGE#25:statistics:02/7_0", "nwparser.p0", "\"%{disposition}\" client_name=\"%{p0}"); - - var part53 = match("MESSAGE#25:statistics:02/7_1", "nwparser.p0", "%{disposition->} client_name=\"%{p0}"); - - var select17 = linear_select([ - part52, - part53, - ]); - - var part54 = match("MESSAGE#25:statistics:02/10_0", "nwparser.p0", "\"%{context}\" virus=%{p0}"); - - var part55 = match("MESSAGE#25:statistics:02/10_1", "nwparser.p0", "%{context->} virus=%{p0}"); - - var select18 = linear_select([ - part54, - part55, - ]); - - var part56 = match("MESSAGE#25:statistics:02/11_0", 
"nwparser.p0", "\"%{virusname}\" message_length=%{p0}"); - - var part57 = match("MESSAGE#25:statistics:02/11_1", "nwparser.p0", "%{virusname->} message_length=%{p0}"); - - var select19 = linear_select([ - part56, - part57, - ]); - - var part58 = match_copy("MESSAGE#25:statistics:02/12", "nwparser.p0", "fld4"); - - var all22 = all_match({ - processors: [ - dup35, - dup71, - dup69, - dup76, - select14, - select15, - select16, - select17, - dup74, - dup61, - select18, - select19, - part58, - ], - on_success: processor_chain([ - dup60, - dup8, - dup9, - dup10, - dup11, - dup12, - dup34, - dup15, - ]), - }); - - var msg26 = msg("statistics:02", all22); - - var part59 = match("MESSAGE#26:statistics:03/0", "nwparser.payload", "session_id=\"%{sessionid}\" client_name=\"%{p0}"); - - var part60 = match("MESSAGE#26:statistics:03/1_0", "nwparser.p0", "%{fqdn}[%{saddr}] (may be forged)\"%{p0}"); - - var part61 = match("MESSAGE#26:statistics:03/1_1", "nwparser.p0", "%{fqdn}[%{saddr}]\"%{p0}"); - - var part62 = match("MESSAGE#26:statistics:03/1_2", "nwparser.p0", "[%{saddr}]\"%{p0}"); - - var select20 = linear_select([ - part60, - part61, - part62, - ]); - - var part63 = match("MESSAGE#26:statistics:03/2", "nwparser.p0", "dst_ip=\"%{daddr}\" from=\"%{from}\" to=\"%{to}\"%{p0}"); - - var part64 = match("MESSAGE#26:statistics:03/3_0", "nwparser.p0", " polid=\"%{fld5}\" domain=\"%{domain}\" subject=\"%{subject}\" mailer=\"%{agent}\" resolved=\"%{context}\"%{p0}"); - - var part65 = match_copy("MESSAGE#26:statistics:03/3_1", "nwparser.p0", "p0"); - - var select21 = linear_select([ - part64, - part65, - ]); - - var part66 = match("MESSAGE#26:statistics:03/4", "nwparser.p0", "%{}direction=\"%{direction}\" virus=\"%{virusname}\" disposition=\"%{disposition}\" classifier=\"%{filter}\" message_length=%{fld4}"); - - var all23 = all_match({ - processors: [ - part59, - select20, - part63, - select21, - part66, - ], - on_success: processor_chain([ - dup60, - dup8, - dup9, - dup10, - dup11, - 
dup12, - dup34, - dup15, - ]), - }); - - var msg27 = msg("statistics:03", all23); - - var part67 = match("MESSAGE#27:statistics:04/1_0", "nwparser.p0", "\"%{sessionid}\" client_name=%{p0}"); - - var part68 = match("MESSAGE#27:statistics:04/1_1", "nwparser.p0", "%{sessionid->} client_name=%{p0}"); - - var select22 = linear_select([ - part67, - part68, - ]); - - var part69 = match("MESSAGE#27:statistics:04/2_0", "nwparser.p0", "\"%{fqdn}[%{saddr}]\"dst_ip=%{p0}"); - - var part70 = match("MESSAGE#27:statistics:04/2_1", "nwparser.p0", "%{fqdn}[%{saddr}]dst_ip=%{p0}"); - - var part71 = match("MESSAGE#27:statistics:04/2_2", "nwparser.p0", "\"[%{saddr}]\"dst_ip=%{p0}"); - - var part72 = match("MESSAGE#27:statistics:04/2_3", "nwparser.p0", "[%{saddr}]dst_ip=%{p0}"); - - var part73 = match("MESSAGE#27:statistics:04/2_4", "nwparser.p0", "\"%{saddr}\"dst_ip=%{p0}"); - - var part74 = match("MESSAGE#27:statistics:04/2_5", "nwparser.p0", "%{saddr}dst_ip=%{p0}"); - - var select23 = linear_select([ - part69, - part70, - part71, - part72, - part73, - part74, - ]); - - var part75 = match("MESSAGE#27:statistics:04/3_0", "nwparser.p0", "\"%{daddr}\" from=%{p0}"); - - var part76 = match("MESSAGE#27:statistics:04/3_1", "nwparser.p0", "%{daddr->} from=%{p0}"); - - var select24 = linear_select([ - part75, - part76, - ]); - - var part77 = match("MESSAGE#27:statistics:04/4_0", "nwparser.p0", "\"%{from}\" hfrom=%{p0}"); - - var part78 = match("MESSAGE#27:statistics:04/4_1", "nwparser.p0", "%{from->} hfrom=%{p0}"); - - var select25 = linear_select([ - part77, - part78, - ]); - - var part79 = match("MESSAGE#27:statistics:04/5_0", "nwparser.p0", "\"%{fld3}\" to=%{p0}"); - - var part80 = match("MESSAGE#27:statistics:04/5_1", "nwparser.p0", "%{fld3->} to=%{p0}"); - - var select26 = linear_select([ - part79, - part80, - ]); - - var part81 = match("MESSAGE#27:statistics:04/6_0", "nwparser.p0", "\"%{to}\" polid=%{p0}"); - - var part82 = match("MESSAGE#27:statistics:04/6_1", "nwparser.p0", "%{to->} 
polid=%{p0}"); - - var select27 = linear_select([ - part81, - part82, - ]); - - var part83 = match("MESSAGE#27:statistics:04/7_0", "nwparser.p0", "\"%{fld5}\" domain=%{p0}"); - - var part84 = match("MESSAGE#27:statistics:04/7_1", "nwparser.p0", "%{fld5->} domain=%{p0}"); - - var select28 = linear_select([ - part83, - part84, - ]); - - var part85 = match("MESSAGE#27:statistics:04/8_0", "nwparser.p0", "\"%{domain}\" subject=%{p0}"); - - var part86 = match("MESSAGE#27:statistics:04/8_1", "nwparser.p0", "%{domain->} subject=%{p0}"); - - var select29 = linear_select([ - part85, - part86, - ]); - - var part87 = match("MESSAGE#27:statistics:04/9_0", "nwparser.p0", "\"%{subject}\" mailer=%{p0}"); - - var part88 = match("MESSAGE#27:statistics:04/9_1", "nwparser.p0", "%{subject->} mailer=%{p0}"); - - var select30 = linear_select([ - part87, - part88, - ]); - - var part89 = match("MESSAGE#27:statistics:04/10_0", "nwparser.p0", "\"%{agent}\" resolved=%{p0}"); - - var part90 = match("MESSAGE#27:statistics:04/10_1", "nwparser.p0", "%{agent->} resolved=%{p0}"); - - var select31 = linear_select([ - part89, - part90, - ]); - - var part91 = match("MESSAGE#27:statistics:04/11_0", "nwparser.p0", "\"%{context}\" direction=%{p0}"); - - var part92 = match("MESSAGE#27:statistics:04/11_1", "nwparser.p0", "%{context->} direction=%{p0}"); - - var select32 = linear_select([ - part91, - part92, - ]); - - var part93 = match("MESSAGE#27:statistics:04/12_0", "nwparser.p0", "\"%{direction}\" virus=%{p0}"); - - var part94 = match("MESSAGE#27:statistics:04/12_1", "nwparser.p0", "%{direction->} virus=%{p0}"); - - var select33 = linear_select([ - part93, - part94, - ]); - - var part95 = match("MESSAGE#27:statistics:04/15_0", "nwparser.p0", "\"%{filter}\" message_length=%{p0}"); - - var part96 = match("MESSAGE#27:statistics:04/15_1", "nwparser.p0", "%{filter->} message_length=%{p0}"); - - var select34 = linear_select([ - part95, - part96, - ]); - - var part97 = match("MESSAGE#27:statistics:04/16_0", 
"nwparser.p0", "\"%{fld6}\""); - - var part98 = match_copy("MESSAGE#27:statistics:04/16_1", "nwparser.p0", "fld6"); - - var select35 = linear_select([ - part97, - part98, - ]); - - var all24 = all_match({ - processors: [ - dup35, - select22, - select23, - select24, - select25, - select26, - select27, - select28, - select29, - select30, - select31, - select32, - select33, - dup78, - dup79, - select34, - select35, - ], - on_success: processor_chain([ - dup60, - dup8, - dup9, - dup10, - dup11, - dup12, - dup34, - dup15, - ]), - }); - - var msg28 = msg("statistics:04", all24); - - var part99 = tagval("MESSAGE#28:statistics:05", "nwparser.payload", tvm, { - "classifier": "filter", - "client_ip": "saddr", - "client_name": "fqdn", - "direction": "direction", - "disposition": "disposition", - "domain": "domain", - "dst_ip": "daddr", - "from": "from", - "hfrom": "fld3", - "mailer": "agent", - "message_length": "fld6", - "polid": "fld5", - "resolved": "context", - "session_id": "sessionid", - "src_type": "fld7", - "subject": "subject", - "to": "to", - "virus": "virusname", - }, processor_chain([ - dup60, - dup8, - dup9, - dup10, - dup11, - dup12, - dup34, - dup15, - ])); - - var msg29 = msg("statistics:05", part99); - - var select36 = linear_select([ - msg24, - msg25, - msg26, - msg27, - msg28, - msg29, - ]); - - var part100 = match("MESSAGE#29:spam/1_0", "nwparser.p0", "\"%{sessionid}\" client_name=\"%{p0}"); - - var part101 = match("MESSAGE#29:spam/1_1", "nwparser.p0", "%{sessionid->} client_name=\"%{p0}"); - - var select37 = linear_select([ - part100, - part101, - ]); - - var part102 = match("MESSAGE#29:spam/3", "nwparser.p0", "%{}from=%{p0}"); - - var part103 = match("MESSAGE#29:spam/5_0", "nwparser.p0", "\"%{to}\" subject=%{p0}"); - - var part104 = match("MESSAGE#29:spam/5_1", "nwparser.p0", "%{to->} subject=%{p0}"); - - var select38 = linear_select([ - part103, - part104, - ]); - - var part105 = match("MESSAGE#29:spam/6_0", "nwparser.p0", "\"%{subject}\" msg=%{p0}"); - 
- var part106 = match("MESSAGE#29:spam/6_1", "nwparser.p0", "%{subject->} msg=%{p0}"); - - var select39 = linear_select([ - part105, - part106, - ]); - - var all25 = all_match({ - processors: [ - dup35, - select37, - dup74, - part102, - dup69, - select38, - select39, - dup64, - ], - on_success: processor_chain([ - dup62, - dup8, - dup9, - dup10, - dup11, - dup12, - dup34, - dup15, - ]), - }); - - var msg30 = msg("spam", all25); - - var part107 = match("MESSAGE#30:spam:04", "nwparser.payload", "session_id=\"%{sessionid}\" client_name=\"%{fqdn->} [%{saddr}] (%{fld2})\" dst_ip=\"%{daddr}\" from=\"%{from}\" to=\"%{to}\" subject=\"%{subject}\" msg=\"%{event_description}\"", processor_chain([ - dup62, - dup8, - dup9, - dup10, - dup11, - dup12, - dup34, - dup15, - ])); - - var msg31 = msg("spam:04", part107); - - var part108 = match("MESSAGE#31:spam:03/0", "nwparser.payload", "session_id=\"%{sessionid}\" client_name=%{p0}"); - - var part109 = match("MESSAGE#31:spam:03/1_0", "nwparser.p0", "\"%{fqdn->} [%{saddr}]\" %{p0}"); - - var part110 = match("MESSAGE#31:spam:03/1_1", "nwparser.p0", " \"%{fqdn}\" client_ip=\"%{saddr}\"%{p0}"); - - var select40 = linear_select([ - part109, - part110, - ]); - - var part111 = match("MESSAGE#31:spam:03/2", "nwparser.p0", "%{}dst_ip=\"%{daddr}\" from=\"%{from}\" to=\"%{to}\" subject=\"%{subject}\" msg=\"%{event_description}\""); - - var all26 = all_match({ - processors: [ - part108, - select40, - part111, - ], - on_success: processor_chain([ - dup62, - dup8, - dup9, - dup10, - dup11, - dup12, - dup34, - dup15, - ]), - }); - - var msg32 = msg("spam:03", all26); - - var part112 = match("MESSAGE#32:spam:02", "nwparser.payload", "session_id=\"%{sessionid}\" from=\"%{from}\" to=\"%{to}\" subject=\"%{subject}\" msg=\"%{event_description}\"", processor_chain([ - dup62, - dup8, - dup9, - dup10, - dup11, - dup12, - dup34, - dup15, - ])); - - var msg33 = msg("spam:02", part112); - - var part113 = match("MESSAGE#33:spam:01/3_0", "nwparser.p0", 
"\"%{to}\" msg=%{p0}"); - - var part114 = match("MESSAGE#33:spam:01/3_1", "nwparser.p0", "%{to->} msg=%{p0}"); - - var select41 = linear_select([ - part113, - part114, - ]); - - var all27 = all_match({ - processors: [ - dup35, - dup71, - dup69, - select41, - dup64, - ], - on_success: processor_chain([ - dup62, - dup8, - dup9, - dup10, - dup11, - dup12, - dup34, - dup15, - ]), - }); - - var msg34 = msg("spam:01", all27); - - var select42 = linear_select([ - msg30, - msg31, - msg32, - msg33, - msg34, - ]); - - var chain1 = processor_chain([ - select1, - msgid_select({ - "event_admin": msg1, - "event_config": msg20, - "event_imap": msg5, - "event_pop3": msg2, - "event_smtp": select7, - "event_system": msg4, - "event_update": msg19, - "event_webmail": msg3, - "spam": select42, - "statistics": select36, - "virus": msg21, - "virus_file-signature": msg23, - "virus_infected": msg22, - }), - ]); - - var part115 = match("MESSAGE#0:event_admin/0", "nwparser.payload", "user=%{username->} ui=%{p0}"); - - var part116 = match("MESSAGE#0:event_admin/1_0", "nwparser.p0", "%{network_service}(%{saddr}) action=%{p0}"); - - var part117 = match("MESSAGE#0:event_admin/1_1", "nwparser.p0", "%{network_service->} action=%{p0}"); - - var part118 = match("MESSAGE#0:event_admin/3_0", "nwparser.p0", "\"%{event_description}\""); - - var part119 = match_copy("MESSAGE#0:event_admin/3_1", "nwparser.p0", "event_description"); - - var part120 = match("MESSAGE#1:event_pop3/2", "nwparser.p0", "%{action->} status=%{event_state->} msg=%{p0}"); - - var part121 = match("MESSAGE#5:event_smtp:01/0", "nwparser.payload", "user=%{username}ui=%{p0}"); - - var part122 = match("MESSAGE#5:event_smtp:01/1_0", "nwparser.p0", "%{network_service}(%{hostip}) action=%{p0}"); - - var part123 = match("MESSAGE#5:event_smtp:01/1_1", "nwparser.p0", "%{network_service}action=%{p0}"); - - var part124 = match("MESSAGE#5:event_smtp:01/2", "nwparser.p0", "%{action}status=%{event_state}session_id=%{p0}"); - - var part125 = 
match("MESSAGE#5:event_smtp:01/3_0", "nwparser.p0", "\"%{sessionid}\"msg=\"STARTTLS=%{p0}"); - - var part126 = match("MESSAGE#5:event_smtp:01/3_1", "nwparser.p0", "%{sessionid}msg=\"STARTTLS=%{p0}"); - - var part127 = match("MESSAGE#16:event_smtp/3_0", "nwparser.p0", "\"%{sessionid}\" msg=%{p0}"); - - var part128 = match("MESSAGE#16:event_smtp/3_1", "nwparser.p0", "%{sessionid->} msg=%{p0}"); - - var part129 = match("MESSAGE#20:virus/0", "nwparser.payload", "from=%{p0}"); - - var part130 = match("MESSAGE#20:virus/1_0", "nwparser.p0", "\"%{from}\" to=%{p0}"); - - var part131 = match("MESSAGE#20:virus/1_1", "nwparser.p0", "%{from->} to=%{p0}"); - - var part132 = match("MESSAGE#20:virus/2_0", "nwparser.p0", "\"%{to}\" src=%{p0}"); - - var part133 = match("MESSAGE#20:virus/2_1", "nwparser.p0", "%{to->} src=%{p0}"); - - var part134 = match("MESSAGE#20:virus/3_0", "nwparser.p0", "\"%{saddr}\" session_id=%{p0}"); - - var part135 = match("MESSAGE#20:virus/3_1", "nwparser.p0", "%{saddr->} session_id=%{p0}"); - - var part136 = match("MESSAGE#23:statistics/0", "nwparser.payload", "session_id=%{p0}"); - - var part137 = match("MESSAGE#23:statistics/1_0", "nwparser.p0", "\"%{sessionid}\" from=%{p0}"); - - var part138 = match("MESSAGE#23:statistics/1_1", "nwparser.p0", "%{sessionid->} from=%{p0}"); - - var part139 = match("MESSAGE#23:statistics/2_0", "nwparser.p0", "\"%{from}\" mailer=%{p0}"); - - var part140 = match("MESSAGE#23:statistics/2_1", "nwparser.p0", "%{from->} mailer=%{p0}"); - - var part141 = match("MESSAGE#23:statistics/3_0", "nwparser.p0", "\"%{agent}\" client_name=\"%{p0}"); - - var part142 = match("MESSAGE#23:statistics/3_1", "nwparser.p0", "%{agent->} client_name=\"%{p0}"); - - var part143 = match("MESSAGE#23:statistics/4_0", "nwparser.p0", "%{fqdn->} [%{saddr}] (%{info})\"%{p0}"); - - var part144 = match("MESSAGE#23:statistics/4_1", "nwparser.p0", "%{fqdn->} [%{saddr}]\"%{p0}"); - - var part145 = match("MESSAGE#23:statistics/4_2", "nwparser.p0", 
"%{saddr}\"%{p0}"); - - var part146 = match("MESSAGE#23:statistics/6_0", "nwparser.p0", "\"%{context}\" to=%{p0}"); - - var part147 = match("MESSAGE#23:statistics/6_1", "nwparser.p0", "%{context->} to=%{p0}"); - - var part148 = match("MESSAGE#23:statistics/7_0", "nwparser.p0", "\"%{to}\" direction=%{p0}"); - - var part149 = match("MESSAGE#23:statistics/7_1", "nwparser.p0", "%{to->} direction=%{p0}"); - - var part150 = match("MESSAGE#23:statistics/8_0", "nwparser.p0", "\"%{direction}\" message_length=%{p0}"); - - var part151 = match("MESSAGE#23:statistics/8_1", "nwparser.p0", "%{direction->} message_length=%{p0}"); - - var part152 = match("MESSAGE#23:statistics/9", "nwparser.p0", "%{fld4->} virus=%{p0}"); - - var part153 = match("MESSAGE#23:statistics/10_0", "nwparser.p0", "\"%{virusname}\" disposition=%{p0}"); - - var part154 = match("MESSAGE#23:statistics/10_1", "nwparser.p0", "%{virusname->} disposition=%{p0}"); - - var part155 = match("MESSAGE#23:statistics/11_0", "nwparser.p0", "\"%{disposition}\" classifier=%{p0}"); - - var part156 = match("MESSAGE#23:statistics/11_1", "nwparser.p0", "%{disposition->} classifier=%{p0}"); - - var part157 = match("MESSAGE#23:statistics/12_0", "nwparser.p0", "\"%{filter}\" subject=%{p0}"); - - var part158 = match("MESSAGE#23:statistics/12_1", "nwparser.p0", "%{filter->} subject=%{p0}"); - - var part159 = match("MESSAGE#23:statistics/13_0", "nwparser.p0", "\"%{subject}\""); - - var part160 = match_copy("MESSAGE#23:statistics/13_1", "nwparser.p0", "subject"); - - var part161 = match("MESSAGE#24:statistics:01/5", "nwparser.p0", "%{}resolved=%{p0}"); - - var select43 = linear_select([ - dup3, - dup4, - ]); - - var select44 = linear_select([ - dup5, - dup6, - ]); - - var select45 = linear_select([ - dup19, - dup20, - ]); - - var select46 = linear_select([ - dup22, - dup23, - ]); - - var select47 = linear_select([ - dup3, - dup20, - ]); - - var select48 = linear_select([ - dup24, - dup25, - ]); - - var select49 = linear_select([ - 
dup27, - dup28, - ]); - - var select50 = linear_select([ - dup29, - dup30, - ]); - - var select51 = linear_select([ - dup36, - dup37, - ]); - - var select52 = linear_select([ - dup38, - dup39, - ]); - - var select53 = linear_select([ - dup40, - dup41, - ]); - - var select54 = linear_select([ - dup42, - dup43, - dup44, - ]); - - var select55 = linear_select([ - dup45, - dup46, - ]); - - var select56 = linear_select([ - dup47, - dup48, - ]); - - var select57 = linear_select([ - dup49, - dup50, - ]); - - var select58 = linear_select([ - dup52, - dup53, - ]); - - var select59 = linear_select([ - dup54, - dup55, - ]); - - var select60 = linear_select([ - dup56, - dup57, - ]); - - var select61 = linear_select([ - dup58, - dup59, - ]); - - var all28 = all_match({ - processors: [ - dup2, - dup63, - dup16, - dup64, - ], - on_success: processor_chain([ - dup17, - dup8, - dup9, - dup10, - dup11, - dup12, - dup13, - dup14, - dup15, - ]), - }); - -- community_id: -- registered_domain: - ignore_missing: true - ignore_failure: true - field: dns.question.name - target_field: dns.question.registered_domain - target_subdomain_field: dns.question.subdomain - target_etld_field: dns.question.top_level_domain -- registered_domain: - ignore_missing: true - ignore_failure: true - field: client.domain - target_field: client.registered_domain - target_subdomain_field: client.subdomain - target_etld_field: client.top_level_domain -- registered_domain: - ignore_missing: true - ignore_failure: true - field: server.domain - target_field: server.registered_domain - target_subdomain_field: server.subdomain - target_etld_field: server.top_level_domain -- registered_domain: - ignore_missing: true - ignore_failure: true - field: destination.domain - target_field: destination.registered_domain - target_subdomain_field: destination.subdomain - target_etld_field: destination.top_level_domain -- registered_domain: - ignore_missing: true - ignore_failure: true - field: source.domain - target_field: 
source.registered_domain - target_subdomain_field: source.subdomain - target_etld_field: source.top_level_domain -- registered_domain: - ignore_missing: true - ignore_failure: true - field: url.domain - target_field: url.registered_domain - target_subdomain_field: url.subdomain - target_etld_field: url.top_level_domain -- add_locale: ~ diff --git a/packages/fortinet_fortimail/1.1.1/data_stream/log/elasticsearch/ingest_pipeline/default.yml b/packages/fortinet_fortimail/1.1.1/data_stream/log/elasticsearch/ingest_pipeline/default.yml deleted file mode 100755 index ccb35fd2e4..0000000000 --- a/packages/fortinet_fortimail/1.1.1/data_stream/log/elasticsearch/ingest_pipeline/default.yml +++ /dev/null 
@@ -1,76 +0,0 @@ ---- -description: Pipeline for Fortinet FortiMail -processors: - - set: - field: ecs.version - value: '8.3.0' - - set: - field: observer.vendor - value: Fortinet - - set: - field: observer.product - value: FortiMail - - set: - field: observer.type - value: firewall - # User agent - - user_agent: - field: user_agent.original - ignore_missing: true - # IP Geolocation Lookup - - geoip: - field: source.ip - target_field: source.geo - ignore_missing: true - - geoip: - field: destination.ip - target_field: destination.geo - ignore_missing: true - - # IP Autonomous System (AS) Lookup - - geoip: - database_file: GeoLite2-ASN.mmdb - field: source.ip - target_field: source.as - properties: - - asn - - organization_name - ignore_missing: true - - geoip: - database_file: GeoLite2-ASN.mmdb - field: destination.ip - target_field: destination.as - properties: - - asn - - organization_name - ignore_missing: true - - rename: - field: source.as.asn - target_field: source.as.number - ignore_missing: true - - rename: - field: source.as.organization_name - target_field: source.as.organization.name - ignore_missing: true - - rename: - field: destination.as.asn - target_field: destination.as.number - ignore_missing: true - - rename: - field: destination.as.organization_name - target_field: destination.as.organization.name - ignore_missing: true - - append: - field: related.hosts - value: '{{host.name}}' - allow_duplicates: false - if: ctx.host?.name != null && ctx.host?.name != '' - - remove: - field: event.original - if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" - ignore_failure: true - ignore_missing: true -on_failure: - - append: - field: error.message - value: "{{ _ingest.on_failure_message }}" diff --git a/packages/fortinet_fortimail/1.1.1/data_stream/log/fields/agent.yml b/packages/fortinet_fortimail/1.1.1/data_stream/log/fields/agent.yml deleted file mode 100755 index da4e652c53..0000000000 
--- a/packages/fortinet_fortimail/1.1.1/data_stream/log/fields/agent.yml +++ /dev/null 
@@ -1,198 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/fortinet_fortimail/1.1.1/data_stream/log/fields/base-fields.yml b/packages/fortinet_fortimail/1.1.1/data_stream/log/fields/base-fields.yml deleted file mode 100755 index 2f99925390..0000000000 --- a/packages/fortinet_fortimail/1.1.1/data_stream/log/fields/base-fields.yml +++ /dev/null @@ -1,46 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: event.module - type: constant_keyword - description: Event module - value: fortinet -- name: event.dataset - type: constant_keyword - description: Event dataset - value: fortinet_fortimail.log -- name: '@timestamp' - type: date - description: Event timestamp. -- name: container.id - description: Unique container id. - ignore_above: 1024 - type: keyword -- name: input.type - description: Type of Filebeat input. - type: keyword -- name: log.file.path - description: Full path to the log file this event came from. - example: /var/log/fun-times.log - ignore_above: 1024 - type: keyword -- name: log.source.address - description: Source address from which the log event was read / sent from. - type: keyword -- name: log.flags - description: Flags for the log file. - type: keyword -- name: log.offset - description: Offset of the entry in the log file. - type: long -- name: tags - description: List of keywords used to tag each event. - example: '["production", "env2"]' - ignore_above: 1024 - type: keyword diff --git a/packages/fortinet_fortimail/1.1.1/data_stream/log/fields/ecs.yml b/packages/fortinet_fortimail/1.1.1/data_stream/log/fields/ecs.yml deleted file mode 100755 index 86a7d52a55..0000000000 --- a/packages/fortinet_fortimail/1.1.1/data_stream/log/fields/ecs.yml +++ /dev/null 
@@ -1,556 +0,0 @@ -- description: |- - Date/time when the event originated. - This is the date/time extracted from the event, typically representing when the event was generated by the source. - If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. - Required field for all events. - name: '@timestamp' - type: date -- description: |- - The domain name of the client system. - This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. - name: client.domain - type: keyword -- description: |- - The highest registered client domain, stripped of the subdomain. - For example, the registered domain for "foo.example.com" is "example.com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". - name: client.registered_domain - type: keyword -- description: |- - The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. - For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. - name: client.subdomain - type: keyword -- description: |- - The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). 
Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". - name: client.top_level_domain - type: keyword -- description: |- - Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: destination.address - type: keyword -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: destination.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: destination.as.organization.name - type: keyword -- description: Bytes sent from the destination to the source. - name: destination.bytes - type: long -- description: |- - The domain name of the destination system. - This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. - name: destination.domain - type: keyword -- description: City name. - name: destination.geo.city_name - type: keyword -- description: Country name. - name: destination.geo.country_name - type: keyword -- description: Longitude and latitude. - name: destination.geo.location - type: geo_point -- description: IP address of the destination (IPv4 or IPv6). - name: destination.ip - type: ip -- description: |- - MAC address of the destination. - The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. 
- name: destination.mac - pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ - type: keyword -- description: |- - Translated ip of destination based NAT sessions (e.g. internet to private DMZ) - Typically used with load balancers, firewalls, or routers. - name: destination.nat.ip - type: ip -- description: |- - Port the source session is translated to by NAT Device. - Typically used with load balancers, firewalls, or routers. - name: destination.nat.port - type: long -- description: Port of the destination. - name: destination.port - type: long -- description: |- - The highest registered destination domain, stripped of the subdomain. - For example, the registered domain for "foo.example.com" is "example.com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". - name: destination.registered_domain - type: keyword -- description: |- - The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. - For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. - name: destination.subdomain - type: keyword -- description: |- - The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". 
- name: destination.top_level_domain - type: keyword -- description: |- - The domain name to which this resource record pertains. - If a chain of CNAME is being resolved, each answer's `name` should be the one that corresponds with the answer's `data`. It should not simply be the original `question.name` repeated. - name: dns.answers.name - type: keyword -- description: The type of data contained in this resource record. - name: dns.answers.type - type: keyword -- description: |- - The highest registered domain, stripped of the subdomain. - For example, the registered domain for "foo.example.com" is "example.com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". - name: dns.question.registered_domain - type: keyword -- description: |- - The subdomain is all of the labels under the registered_domain. - If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. - name: dns.question.subdomain - type: keyword -- description: |- - The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". - name: dns.question.top_level_domain - type: keyword -- description: The type of record being queried. - name: dns.question.type - type: keyword -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. 
- When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: Error message. - name: error.message - type: match_only_text -- description: |- - The action captured by the event. - This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. - name: event.action - type: keyword -- description: |- - Identification code for this event, if one exists. - Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. - name: event.code - type: keyword -- description: |- - Timestamp when an event arrived in the central data store. - This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. - In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. - name: event.ingested - type: date -- description: |- - Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. - This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. - doc_values: false - index: false - name: event.original - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. 
- `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. - Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. - Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. - Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. - name: event.outcome - type: keyword -- description: |- - This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. - Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). - name: event.timezone - type: keyword -- description: |- - Array of file attributes. - Attributes names will vary by platform. Here's a non-exhaustive list of values that are expected in this field: archive, compressed, directory, encrypted, execute, hidden, read, readonly, system, write. - name: file.attributes - normalize: - - array - type: keyword -- description: Directory where the file is located. It should include the drive letter, when appropriate. - name: file.directory - type: keyword -- description: |- - File extension, excluding the leading dot. - Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). - name: file.extension - type: keyword -- description: Name of the file including the extension, without the directory. 
- name: file.name - type: keyword -- description: Full path to the file, including the file name. It should include the drive letter, when appropriate. - multi_fields: - - name: text - type: match_only_text - name: file.path - type: keyword -- description: |- - File size in bytes. - Only relevant when `file.type` is "file". - name: file.size - type: long -- description: File type (file, dir, or symlink). - name: file.type - type: keyword -- description: City name. - name: geo.city_name - type: keyword -- description: Country name. - name: geo.country_name - type: keyword -- description: |- - User-defined description of a location, at the level of granularity they care about. - Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. - Not typically used in automated geolocation. - name: geo.name - type: keyword -- description: Region name. - name: geo.region_name - type: keyword -- description: Unique identifier for the group on the system/platform. - name: group.id - type: keyword -- description: Name of the group. - name: group.name - type: keyword -- description: |- - Hostname of the host. - It normally contains what the `hostname` command returns on the host machine. - name: host.hostname - type: keyword -- description: Host ip addresses. - name: host.ip - normalize: - - array - type: ip -- description: |- - Host MAC addresses. - The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. - name: host.mac - normalize: - - array - pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ - type: keyword -- description: |- - Name of the host. - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. 
- name: host.name - type: keyword -- description: |- - HTTP request method. - The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field. - name: http.request.method - type: keyword -- description: Referrer for this HTTP request. - name: http.request.referrer - type: keyword -- description: |- - Original log level of the log event. - If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). - Some examples are `warn`, `err`, `i`, `informational`. - name: log.level - type: keyword -- description: |- - The Syslog numeric facility of the log event, if available. - According to RFCs 5424 and 3164, this value should be an integer between 0 and 23. - name: log.syslog.facility.code - type: long -- description: |- - Syslog numeric priority of the event, if available. - According to RFCs 5424 and 3164, the priority is 8 * facility + severity. This number is therefore expected to contain a value between 0 and 191. - name: log.syslog.priority - type: long -- description: |- - The Syslog numeric severity of the log event, if available. - If the event source publishing via Syslog provides a different numeric severity value (e.g. firewall, IDS), your source's numeric severity should go to `event.severity`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `event.severity`. - name: log.syslog.severity.code - type: long -- description: |- - For log events the message field contains the log message, optimized for viewing in a log viewer. - For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. - If multiple messages exist, they can be combined into one message. 
- name: message - type: match_only_text -- description: |- - When a specific application or service is identified from network connection details (source/dest IPs, ports, certificates, or wire format), this field captures the application's or service's name. - For example, the original event identifies the network connection being from a specific web service in a `https` network connection, like `facebook` or `twitter`. - The field value must be normalized to lowercase for querying. - name: network.application - type: keyword -- description: |- - Total bytes transferred in both directions. - If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. - name: network.bytes - type: long -- description: |- - Direction of the network traffic. - Recommended values are: - * ingress - * egress - * inbound - * outbound - * internal - * external - * unknown - - When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". - When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". - Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. - name: network.direction - type: keyword -- description: Host IP address when the source IP address is the proxy. - name: network.forwarded_ip - type: ip -- description: |- - Total packets transferred in both directions. - If `source.packets` and `destination.packets` are known, `network.packets` is their sum. - name: network.packets - type: long -- description: |- - In the OSI Model this would be the Application Layer protocol. 
For example, `http`, `dns`, or `ssh`. - The field value must be normalized to lowercase for querying. - name: network.protocol - type: keyword -- description: Interface name as reported by the system. - name: observer.egress.interface.name - type: keyword -- description: Interface name as reported by the system. - name: observer.ingress.interface.name - type: keyword -- description: The product name of the observer. - name: observer.product - type: keyword -- description: |- - The type of the observer the data is coming from. - There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. - name: observer.type - type: keyword -- description: Vendor name of the observer. - name: observer.vendor - type: keyword -- description: Observer version. - name: observer.version - type: keyword -- description: |- - Process name. - Sometimes called program name or similar. - multi_fields: - - name: text - type: match_only_text - name: process.name - type: keyword -- description: |- - Process name. - Sometimes called program name or similar. - multi_fields: - - name: text - type: match_only_text - name: process.parent.name - type: keyword -- description: |- - Process title. - The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. - multi_fields: - - name: text - type: match_only_text - name: process.parent.title - type: keyword -- description: Process id. - name: process.pid - type: long -- description: Process id. - name: process.parent.pid - type: long -- description: |- - Process title. - The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. - multi_fields: - - name: text - type: match_only_text - name: process.title - type: keyword -- description: All hostnames or other host identifiers seen on your event. 
Example identifiers include FQDNs, domain names, workstation names, or aliases. - name: related.hosts - normalize: - - array - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - normalize: - - array - type: ip -- description: All the user names or other user identifiers seen on the event. - name: related.user - normalize: - - array - type: keyword -- description: The name of the rule or signature generating the event. - name: rule.name - type: keyword -- description: |- - The domain name of the server system. - This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. - name: server.domain - type: keyword -- description: |- - The highest registered server domain, stripped of the subdomain. - For example, the registered domain for "foo.example.com" is "example.com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". - name: server.registered_domain - type: keyword -- description: |- - The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. - For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. - name: server.subdomain - type: keyword -- description: |- - The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". 
- This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". - name: server.top_level_domain - type: keyword -- description: |- - Name of the service data is collected from. - The name of the service is normally user given. This allows for distributed services that run on multiple hosts to correlate the related instances based on the name. - In the case of Elasticsearch the `service.name` could contain the cluster name. For Beats the `service.name` is by default a copy of the `service.type` field if no name is specified. - name: service.name - type: keyword -- description: |- - Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: source.address - type: keyword -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: source.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: source.as.organization.name - type: keyword -- description: Bytes sent from the source to the destination. - name: source.bytes - type: long -- description: |- - The domain name of the source system. - This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. - name: source.domain - type: keyword -- description: City name. - name: source.geo.city_name - type: keyword -- description: Country name. - name: source.geo.country_name - type: keyword -- description: Longitude and latitude. 
- name: source.geo.location - type: geo_point -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: |- - MAC address of the source. - The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. - name: source.mac - pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ - type: keyword -- description: |- - Translated ip of source based NAT sessions (e.g. internal client to internet) - Typically connections traversing load balancers, firewalls, or routers. - name: source.nat.ip - type: ip -- description: |- - Translated port of source based NAT sessions. (e.g. internal client to internet) - Typically used with load balancers, firewalls, or routers. - name: source.nat.port - type: long -- description: Port of the source. - name: source.port - type: long -- description: |- - The highest registered source domain, stripped of the subdomain. - For example, the registered domain for "foo.example.com" is "example.com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". - name: source.registered_domain - type: keyword -- description: |- - The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. - For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. 
- name: source.subdomain - type: keyword -- description: |- - The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". - name: source.top_level_domain - type: keyword -- description: List of keywords used to tag each event. - name: tags - normalize: - - array - type: keyword -- description: |- - Domain of the url, such as "www.elastic.co". - In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. - If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. - name: url.domain - type: keyword -- description: |- - Unmodified original url as seen in the event source. - Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. - This field is meant to represent the URL as it was observed, complete or not. - multi_fields: - - name: text - type: match_only_text - name: url.original - type: wildcard -- description: Path of the request, such as "/search". - name: url.path - type: wildcard -- description: |- - The query field describes the query string of the request, such as "q=elasticsearch". - The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. - name: url.query - type: keyword -- description: |- - The highest registered url domain, stripped of the subdomain. 
- For example, the registered domain for "foo.example.com" is "example.com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". - name: url.registered_domain - type: keyword -- description: |- - The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". - name: url.top_level_domain - type: keyword -- description: |- - Name of the directory the user is a member of. - For example, an LDAP or Active Directory domain name. - name: user.domain - type: keyword -- description: User's full name, if available. - multi_fields: - - name: text - type: match_only_text - name: user.full_name - type: keyword -- description: Unique identifier of the user. - name: user.id - type: keyword -- description: Short name or login of the user. - multi_fields: - - name: text - type: match_only_text - name: user.name - type: keyword -- description: Unparsed user_agent string. - multi_fields: - - name: text - type: match_only_text - name: user_agent.original - type: keyword diff --git a/packages/fortinet_fortimail/1.1.1/data_stream/log/fields/fields.yml b/packages/fortinet_fortimail/1.1.1/data_stream/log/fields/fields.yml deleted file mode 100755 index ea69cd79e3..0000000000 --- a/packages/fortinet_fortimail/1.1.1/data_stream/log/fields/fields.yml +++ /dev/null 
@@ -1,1754 +0,0 @@ -- name: rsa - type: group - fields: - - name: internal - type: group - fields: - - name: msg - type: keyword - description: This key is used to capture the raw message that comes into the Log Decoder - - name: messageid - type: keyword - - name: event_desc - type: keyword - - name: message - type: keyword - description: This key captures the contents of instant messages - - name: time - type: date - description: This is the time at which a session hits a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. - - name: level - type: long - description: Deprecated key defined only in table map. - - name: msg_id - type: keyword - description: This is the Message ID1 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: msg_vid - type: keyword - description: This is the Message ID2 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: data - type: keyword - description: Deprecated key defined only in table map. - - name: obj_server - type: keyword - description: Deprecated key defined only in table map. - - name: obj_val - type: keyword - description: Deprecated key defined only in table map. - - name: resource - type: keyword - description: Deprecated key defined only in table map. - - name: obj_id - type: keyword - description: Deprecated key defined only in table map. - - name: statement - type: keyword - description: Deprecated key defined only in table map. - - name: audit_class - type: keyword - description: Deprecated key defined only in table map. 
- - name: entry - type: keyword - description: Deprecated key defined only in table map. - - name: hcode - type: keyword - description: Deprecated key defined only in table map. - - name: inode - type: long - description: Deprecated key defined only in table map. - - name: resource_class - type: keyword - description: Deprecated key defined only in table map. - - name: dead - type: long - description: Deprecated key defined only in table map. - - name: feed_desc - type: keyword - description: This is used to capture the description of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: feed_name - type: keyword - description: This is used to capture the name of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: cid - type: keyword - description: This is the unique identifier used to identify a NetWitness Concentrator. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: device_class - type: keyword - description: This is the Classification of the Log Event Source under a predefined fixed set of Event Source Classifications. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: device_group - type: keyword - description: This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: device_host - type: keyword - description: This is the Hostname of the log Event Source sending the logs to NetWitness. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: device_ip - type: ip - description: This is the IPv4 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: device_ipv6 - type: ip - description: This is the IPv6 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: device_type - type: keyword - description: This is the name of the log parser which parsed a given session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: device_type_id - type: long - description: Deprecated key defined only in table map. - - name: did - type: keyword - description: This is the unique identifier used to identify a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: entropy_req - type: long - description: This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration - - name: entropy_res - type: long - description: This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration - - name: event_name - type: keyword - description: Deprecated key defined only in table map. - - name: feed_category - type: keyword - description: This is used to capture the category of the feed. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: forward_ip - type: ip - description: This key should be used to capture the IPV4 address of a relay system which forwarded the events from the original system to NetWitness. - - name: forward_ipv6 - type: ip - description: This key is used to capture the IPV6 address of a relay system which forwarded the events from the original system to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: header_id - type: keyword - description: This is the Header ID value that identifies the exact log parser header definition that parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: lc_cid - type: keyword - description: This is a unique Identifier of a Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: lc_ctime - type: date - description: This is the time at which a log is collected in a NetWitness Log Collector. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: mcb_req - type: long - description: This key is only used by the Entropy Parser, the most common byte request is simply which byte for each side (0 thru 255) was seen the most - - name: mcb_res - type: long - description: This key is only used by the Entropy Parser, the most common byte response is simply which byte for each side (0 thru 255) was seen the most - - name: mcbc_req - type: long - description: This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams - - name: mcbc_res - type: long - description: This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams - - name: medium - type: long - description: "This key is used to identify if it’s a log/packet session or Layer 2 Encapsulation Type. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. 32 = log, 33 = correlation session, < 32 is packet session" - - name: node_name - type: keyword - description: Deprecated key defined only in table map. - - name: nwe_callback_id - type: keyword - description: This key denotes that event is endpoint related - - name: parse_error - type: keyword - description: This is a special key that stores any Meta key validation error found while parsing a log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: payload_req - type: long - description: This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. 
However, in order to keep - - name: payload_res - type: long - description: This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep - - name: process_vid_dst - type: keyword - description: Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the target process. - - name: process_vid_src - type: keyword - description: Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the source process. - - name: rid - type: long - description: This is a special ID of the Remote Session created by NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: session_split - type: keyword - description: This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: site - type: keyword - description: Deprecated key defined only in table map. - - name: size - type: long - description: This is the size of the session as seen by the NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: sourcefile - type: keyword - description: This is the name of the log file or PCAPs that can be imported into NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: ubc_req - type: long - description: This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 
256 would mean all byte values of 0 thru 255 were seen at least once - - name: ubc_res - type: long - description: This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once - - name: word - type: keyword - description: This is used by the Word Parsing technology to capture the first 5 character of every word in an unparsed log - - name: time - type: group - fields: - - name: event_time - type: date - description: This key is used to capture the time mentioned in a raw session that represents the actual time an event occured in a standard normalized form - - name: duration_time - type: double - description: This key is used to capture the normalized duration/lifetime in seconds. - - name: event_time_str - type: keyword - description: This key is used to capture the incomplete time mentioned in a session as a string - - name: starttime - type: date - description: This key is used to capture the Start time mentioned in a session in a standard form - - name: month - type: keyword - - name: day - type: keyword - - name: endtime - type: date - description: This key is used to capture the End time mentioned in a session in a standard form - - name: timezone - type: keyword - description: This key is used to capture the timezone of the Event Time - - name: duration_str - type: keyword - description: A text string version of the duration - - name: date - type: keyword - - name: year - type: keyword - - name: recorded_time - type: date - description: The event time as recorded by the system the event is collected from. The usage scenario is a multi-tier application where the management layer of the system records it's own timestamp at the time of collection from its child nodes. Must be in timestamp format. 
- - name: datetime - type: keyword - - name: effective_time - type: date - description: This key is the effective time referenced by an individual event in a Standard Timestamp format - - name: expire_time - type: date - description: This key is the timestamp that explicitly refers to an expiration. - - name: process_time - type: keyword - description: Deprecated, use duration.time - - name: hour - type: keyword - - name: min - type: keyword - - name: timestamp - type: keyword - - name: event_queue_time - type: date - description: This key is the Time that the event was queued. - - name: p_time1 - type: keyword - - name: tzone - type: keyword - - name: eventtime - type: keyword - - name: gmtdate - type: keyword - - name: gmttime - type: keyword - - name: p_date - type: keyword - - name: p_month - type: keyword - - name: p_time - type: keyword - - name: p_time2 - type: keyword - - name: p_year - type: keyword - - name: expire_time_str - type: keyword - description: This key is used to capture incomplete timestamp that explicitly refers to an expiration. - - name: stamp - type: date - description: Deprecated key defined only in table map. - - name: misc - type: group - fields: - - name: action - type: keyword - - name: result - type: keyword - description: This key is used to capture the outcome/result string value of an action in a session. - - name: severity - type: keyword - description: This key is used to capture the severity given the session - - name: event_type - type: keyword - description: This key captures the event category type as specified by the event source. - - name: reference_id - type: keyword - description: This key is used to capture an event id from the session directly - - name: version - type: keyword - description: This key captures Version of the application or OS which is generating the event. - - name: disposition - type: keyword - description: This key captures the The end state of an action. 
- - name: result_code - type: keyword - description: This key is used to capture the outcome/result numeric value of an action in a session - - name: category - type: keyword - description: This key is used to capture the category of an event given by the vendor in the session - - name: obj_name - type: keyword - description: This is used to capture name of object - - name: obj_type - type: keyword - description: This is used to capture type of object - - name: event_source - type: keyword - description: "This key captures Source of the event that’s not a hostname" - - name: log_session_id - type: keyword - description: This key is used to capture a sessionid from the session directly - - name: group - type: keyword - description: This key captures the Group Name value - - name: policy_name - type: keyword - description: This key is used to capture the Policy Name only. - - name: rule_name - type: keyword - description: This key captures the Rule Name - - name: context - type: keyword - description: This key captures Information which adds additional context to the event. - - name: change_new - type: keyword - description: "This key is used to capture the new values of the attribute that’s changing in a session" - - name: space - type: keyword - - name: client - type: keyword - description: This key is used to capture only the name of the client application requesting resources of the server. See the user.agent meta key for capture of the specific user agent identifier or browser identification string. - - name: msgIdPart1 - type: keyword - - name: msgIdPart2 - type: keyword - - name: change_old - type: keyword - description: "This key is used to capture the old value of the attribute that’s changing in a session" - - name: operation_id - type: keyword - description: An alert number or operation number. The values should be unique and non-repeating. 
- - name: event_state - type: keyword - description: This key captures the current state of the object/item referenced within the event. Describing an on-going event. - - name: group_object - type: keyword - description: This key captures a collection/grouping of entities. Specific usage - - name: node - type: keyword - description: Common use case is the node name within a cluster. The cluster name is reflected by the host name. - - name: rule - type: keyword - description: This key captures the Rule number - - name: device_name - type: keyword - description: 'This is used to capture name of the Device associated with the node Like: a physical disk, printer, etc' - - name: param - type: keyword - description: This key is the parameters passed as part of a command or application, etc. - - name: change_attrib - type: keyword - description: "This key is used to capture the name of the attribute that’s changing in a session" - - name: event_computer - type: keyword - description: This key is a windows only concept, where this key is used to capture fully qualified domain name in a windows log. - - name: reference_id1 - type: keyword - description: This key is for Linked ID to be used as an addition to "reference.id" - - name: event_log - type: keyword - description: This key captures the Name of the event log - - name: OS - type: keyword - description: This key captures the Name of the Operating System - - name: terminal - type: keyword - description: This key captures the Terminal Names only - - name: msgIdPart3 - type: keyword - - name: filter - type: keyword - description: This key captures Filter used to reduce result set - - name: serial_number - type: keyword - description: This key is the Serial number associated with a physical asset. - - name: checksum - type: keyword - description: This key is used to capture the checksum or hash of the entity such as a file or process. 
Checksum should be used over checksum.src or checksum.dst when it is unclear whether the entity is a source or target of an action. - - name: event_user - type: keyword - description: This key is a windows only concept, where this key is used to capture combination of domain name and username in a windows log. - - name: virusname - type: keyword - description: This key captures the name of the virus - - name: content_type - type: keyword - description: This key is used to capture Content Type only. - - name: group_id - type: keyword - description: This key captures Group ID Number (related to the group name) - - name: policy_id - type: keyword - description: This key is used to capture the Policy ID only, this should be a numeric value, use policy.name otherwise - - name: vsys - type: keyword - description: This key captures Virtual System Name - - name: connection_id - type: keyword - description: This key captures the Connection ID - - name: reference_id2 - type: keyword - description: This key is for the 2nd Linked ID. Can be either linked to "reference.id" or "reference.id1" value but should not be used unless the other two variables are in play. - - name: sensor - type: keyword - description: This key captures Name of the sensor. Typically used in IDS/IPS based devices - - name: sig_id - type: long - description: This key captures IDS/IPS Int Signature ID - - name: port_name - type: keyword - description: 'This key is used for Physical or logical port connection but does NOT include a network port. (Example: Printer port name).' - - name: rule_group - type: keyword - description: This key captures the Rule group name - - name: risk_num - type: double - description: This key captures a Numeric Risk value - - name: trigger_val - type: keyword - description: This key captures the Value of the trigger or threshold condition. 
- - name: log_session_id1 - type: keyword - description: This key is used to capture a Linked (Related) Session ID from the session directly - - name: comp_version - type: keyword - description: This key captures the Version level of a sub-component of a product. - - name: content_version - type: keyword - description: This key captures Version level of a signature or database content. - - name: hardware_id - type: keyword - description: This key is used to capture unique identifier for a device or system (NOT a Mac address) - - name: risk - type: keyword - description: This key captures the non-numeric risk value - - name: event_id - type: keyword - - name: reason - type: keyword - - name: status - type: keyword - - name: mail_id - type: keyword - description: This key is used to capture the mailbox id/name - - name: rule_uid - type: keyword - description: This key is the Unique Identifier for a rule. - - name: trigger_desc - type: keyword - description: This key captures the Description of the trigger or threshold condition. - - name: inout - type: keyword - - name: p_msgid - type: keyword - - name: data_type - type: keyword - - name: msgIdPart4 - type: keyword - - name: error - type: keyword - description: This key captures All non successful Error codes or responses - - name: index - type: keyword - - name: listnum - type: keyword - description: This key is used to capture listname or listnumber, primarily for collecting access-list - - name: ntype - type: keyword - - name: observed_val - type: keyword - description: This key captures the Value observed (from the perspective of the device generating the log). - - name: policy_value - type: keyword - description: This key captures the contents of the policy. 
This contains details about the policy - - name: pool_name - type: keyword - description: This key captures the name of a resource pool - - name: rule_template - type: keyword - description: A default set of parameters which are overlayed onto a rule (or rulename) which efffectively constitutes a template - - name: count - type: keyword - - name: number - type: keyword - - name: sigcat - type: keyword - - name: type - type: keyword - - name: comments - type: keyword - description: Comment information provided in the log message - - name: doc_number - type: long - description: This key captures File Identification number - - name: expected_val - type: keyword - description: This key captures the Value expected (from the perspective of the device generating the log). - - name: job_num - type: keyword - description: This key captures the Job Number - - name: spi_dst - type: keyword - description: Destination SPI Index - - name: spi_src - type: keyword - description: Source SPI Index - - name: code - type: keyword - - name: agent_id - type: keyword - description: This key is used to capture agent id - - name: message_body - type: keyword - description: This key captures the The contents of the message body. - - name: phone - type: keyword - - name: sig_id_str - type: keyword - description: This key captures a string object of the sigid variable. - - name: cmd - type: keyword - - name: misc - type: keyword - - name: name - type: keyword - - name: cpu - type: long - description: This key is the CPU time used in the execution of the event being recorded. - - name: event_desc - type: keyword - description: This key is used to capture a description of an event available directly or inferred - - name: sig_id1 - type: long - description: This key captures IDS/IPS Int Signature ID. 
This must be linked to the sig.id - - name: im_buddyid - type: keyword - - name: im_client - type: keyword - - name: im_userid - type: keyword - - name: pid - type: keyword - - name: priority - type: keyword - - name: context_subject - type: keyword - description: This key is to be used in an audit context where the subject is the object being identified - - name: context_target - type: keyword - - name: cve - type: keyword - description: This key captures CVE (Common Vulnerabilities and Exposures) - an identifier for known information security vulnerabilities. - - name: fcatnum - type: keyword - description: This key captures Filter Category Number. Legacy Usage - - name: library - type: keyword - description: This key is used to capture library information in mainframe devices - - name: parent_node - type: keyword - description: This key captures the Parent Node Name. Must be related to node variable. - - name: risk_info - type: keyword - description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - - name: tcp_flags - type: long - description: This key is captures the TCP flags set in any packet of session - - name: tos - type: long - description: This key describes the type of service - - name: vm_target - type: keyword - description: VMWare Target **VMWARE** only varaible. 
- - name: workspace - type: keyword - description: This key captures Workspace Description - - name: command - type: keyword - - name: event_category - type: keyword - - name: facilityname - type: keyword - - name: forensic_info - type: keyword - - name: jobname - type: keyword - - name: mode - type: keyword - - name: policy - type: keyword - - name: policy_waiver - type: keyword - - name: second - type: keyword - - name: space1 - type: keyword - - name: subcategory - type: keyword - - name: tbdstr2 - type: keyword - - name: alert_id - type: keyword - description: Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - - name: checksum_dst - type: keyword - description: This key is used to capture the checksum or hash of the the target entity such as a process or file. - - name: checksum_src - type: keyword - description: This key is used to capture the checksum or hash of the source entity such as a file or process. - - name: fresult - type: long - description: This key captures the Filter Result - - name: payload_dst - type: keyword - description: This key is used to capture destination payload - - name: payload_src - type: keyword - description: This key is used to capture source payload - - name: pool_id - type: keyword - description: This key captures the identifier (typically numeric field) of a resource pool - - name: process_id_val - type: keyword - description: This key is a failure key for Process ID when it is not an integer value - - name: risk_num_comm - type: double - description: This key captures Risk Number Community - - name: risk_num_next - type: double - description: This key captures Risk Number NextGen - - name: risk_num_sand - type: double - description: This key captures Risk Number SandBox - - name: risk_num_static - type: double - description: This key captures Risk Number Static - - name: risk_suspicious - type: keyword - description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - - name: risk_warning - 
type: keyword - description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - - name: snmp_oid - type: keyword - description: SNMP Object Identifier - - name: sql - type: keyword - description: This key captures the SQL query - - name: vuln_ref - type: keyword - description: This key captures the Vulnerability Reference details - - name: acl_id - type: keyword - - name: acl_op - type: keyword - - name: acl_pos - type: keyword - - name: acl_table - type: keyword - - name: admin - type: keyword - - name: alarm_id - type: keyword - - name: alarmname - type: keyword - - name: app_id - type: keyword - - name: audit - type: keyword - - name: audit_object - type: keyword - - name: auditdata - type: keyword - - name: benchmark - type: keyword - - name: bypass - type: keyword - - name: cache - type: keyword - - name: cache_hit - type: keyword - - name: cefversion - type: keyword - - name: cfg_attr - type: keyword - - name: cfg_obj - type: keyword - - name: cfg_path - type: keyword - - name: changes - type: keyword - - name: client_ip - type: keyword - - name: clustermembers - type: keyword - - name: cn_acttimeout - type: keyword - - name: cn_asn_src - type: keyword - - name: cn_bgpv4nxthop - type: keyword - - name: cn_ctr_dst_code - type: keyword - - name: cn_dst_tos - type: keyword - - name: cn_dst_vlan - type: keyword - - name: cn_engine_id - type: keyword - - name: cn_engine_type - type: keyword - - name: cn_f_switch - type: keyword - - name: cn_flowsampid - type: keyword - - name: cn_flowsampintv - type: keyword - - name: cn_flowsampmode - type: keyword - - name: cn_inacttimeout - type: keyword - - name: cn_inpermbyts - type: keyword - - name: cn_inpermpckts - type: keyword - - name: cn_invalid - type: keyword - - name: cn_ip_proto_ver - type: keyword - - name: cn_ipv4_ident - type: keyword - - name: cn_l_switch - type: keyword - - name: cn_log_did - type: keyword - - name: cn_log_rid - type: keyword - - name: cn_max_ttl - type: keyword - - name: 
cn_maxpcktlen - type: keyword - - name: cn_min_ttl - type: keyword - - name: cn_minpcktlen - type: keyword - - name: cn_mpls_lbl_1 - type: keyword - - name: cn_mpls_lbl_10 - type: keyword - - name: cn_mpls_lbl_2 - type: keyword - - name: cn_mpls_lbl_3 - type: keyword - - name: cn_mpls_lbl_4 - type: keyword - - name: cn_mpls_lbl_5 - type: keyword - - name: cn_mpls_lbl_6 - type: keyword - - name: cn_mpls_lbl_7 - type: keyword - - name: cn_mpls_lbl_8 - type: keyword - - name: cn_mpls_lbl_9 - type: keyword - - name: cn_mplstoplabel - type: keyword - - name: cn_mplstoplabip - type: keyword - - name: cn_mul_dst_byt - type: keyword - - name: cn_mul_dst_pks - type: keyword - - name: cn_muligmptype - type: keyword - - name: cn_sampalgo - type: keyword - - name: cn_sampint - type: keyword - - name: cn_seqctr - type: keyword - - name: cn_spackets - type: keyword - - name: cn_src_tos - type: keyword - - name: cn_src_vlan - type: keyword - - name: cn_sysuptime - type: keyword - - name: cn_template_id - type: keyword - - name: cn_totbytsexp - type: keyword - - name: cn_totflowexp - type: keyword - - name: cn_totpcktsexp - type: keyword - - name: cn_unixnanosecs - type: keyword - - name: cn_v6flowlabel - type: keyword - - name: cn_v6optheaders - type: keyword - - name: comp_class - type: keyword - - name: comp_name - type: keyword - - name: comp_rbytes - type: keyword - - name: comp_sbytes - type: keyword - - name: cpu_data - type: keyword - - name: criticality - type: keyword - - name: cs_agency_dst - type: keyword - - name: cs_analyzedby - type: keyword - - name: cs_av_other - type: keyword - - name: cs_av_primary - type: keyword - - name: cs_av_secondary - type: keyword - - name: cs_bgpv6nxthop - type: keyword - - name: cs_bit9status - type: keyword - - name: cs_context - type: keyword - - name: cs_control - type: keyword - - name: cs_data - type: keyword - - name: cs_datecret - type: keyword - - name: cs_dst_tld - type: keyword - - name: cs_eth_dst_ven - type: keyword - - 
name: cs_eth_src_ven - type: keyword - - name: cs_event_uuid - type: keyword - - name: cs_filetype - type: keyword - - name: cs_fld - type: keyword - - name: cs_if_desc - type: keyword - - name: cs_if_name - type: keyword - - name: cs_ip_next_hop - type: keyword - - name: cs_ipv4dstpre - type: keyword - - name: cs_ipv4srcpre - type: keyword - - name: cs_lifetime - type: keyword - - name: cs_log_medium - type: keyword - - name: cs_loginname - type: keyword - - name: cs_modulescore - type: keyword - - name: cs_modulesign - type: keyword - - name: cs_opswatresult - type: keyword - - name: cs_payload - type: keyword - - name: cs_registrant - type: keyword - - name: cs_registrar - type: keyword - - name: cs_represult - type: keyword - - name: cs_rpayload - type: keyword - - name: cs_sampler_name - type: keyword - - name: cs_sourcemodule - type: keyword - - name: cs_streams - type: keyword - - name: cs_targetmodule - type: keyword - - name: cs_v6nxthop - type: keyword - - name: cs_whois_server - type: keyword - - name: cs_yararesult - type: keyword - - name: description - type: keyword - - name: devvendor - type: keyword - - name: distance - type: keyword - - name: dstburb - type: keyword - - name: edomain - type: keyword - - name: edomaub - type: keyword - - name: euid - type: keyword - - name: facility - type: keyword - - name: finterface - type: keyword - - name: flags - type: keyword - - name: gaddr - type: keyword - - name: id3 - type: keyword - - name: im_buddyname - type: keyword - - name: im_croomid - type: keyword - - name: im_croomtype - type: keyword - - name: im_members - type: keyword - - name: im_username - type: keyword - - name: ipkt - type: keyword - - name: ipscat - type: keyword - - name: ipspri - type: keyword - - name: latitude - type: keyword - - name: linenum - type: keyword - - name: list_name - type: keyword - - name: load_data - type: keyword - - name: location_floor - type: keyword - - name: location_mark - type: keyword - - name: log_id - 
type: keyword - - name: log_type - type: keyword - - name: logid - type: keyword - - name: logip - type: keyword - - name: logname - type: keyword - - name: longitude - type: keyword - - name: lport - type: keyword - - name: mbug_data - type: keyword - - name: misc_name - type: keyword - - name: msg_type - type: keyword - - name: msgid - type: keyword - - name: netsessid - type: keyword - - name: num - type: keyword - - name: number1 - type: keyword - - name: number2 - type: keyword - - name: nwwn - type: keyword - - name: object - type: keyword - - name: operation - type: keyword - - name: opkt - type: keyword - - name: orig_from - type: keyword - - name: owner_id - type: keyword - - name: p_action - type: keyword - - name: p_filter - type: keyword - - name: p_group_object - type: keyword - - name: p_id - type: keyword - - name: p_msgid1 - type: keyword - - name: p_msgid2 - type: keyword - - name: p_result1 - type: keyword - - name: password_chg - type: keyword - - name: password_expire - type: keyword - - name: permgranted - type: keyword - - name: permwanted - type: keyword - - name: pgid - type: keyword - - name: policyUUID - type: keyword - - name: prog_asp_num - type: keyword - - name: program - type: keyword - - name: real_data - type: keyword - - name: rec_asp_device - type: keyword - - name: rec_asp_num - type: keyword - - name: rec_library - type: keyword - - name: recordnum - type: keyword - - name: ruid - type: keyword - - name: sburb - type: keyword - - name: sdomain_fld - type: keyword - - name: sec - type: keyword - - name: sensorname - type: keyword - - name: seqnum - type: keyword - - name: session - type: keyword - - name: sessiontype - type: keyword - - name: sigUUID - type: keyword - - name: spi - type: keyword - - name: srcburb - type: keyword - - name: srcdom - type: keyword - - name: srcservice - type: keyword - - name: state - type: keyword - - name: status1 - type: keyword - - name: svcno - type: keyword - - name: system - type: keyword - - 
name: tbdstr1 - type: keyword - - name: tgtdom - type: keyword - - name: tgtdomain - type: keyword - - name: threshold - type: keyword - - name: type1 - type: keyword - - name: udb_class - type: keyword - - name: url_fld - type: keyword - - name: user_div - type: keyword - - name: userid - type: keyword - - name: username_fld - type: keyword - - name: utcstamp - type: keyword - - name: v_instafname - type: keyword - - name: virt_data - type: keyword - - name: vpnid - type: keyword - - name: autorun_type - type: keyword - description: This is used to capture Auto Run type - - name: cc_number - type: long - description: Valid Credit Card Numbers only - - name: content - type: keyword - description: This key captures the content type from protocol headers - - name: ein_number - type: long - description: Employee Identification Numbers only - - name: found - type: keyword - description: This is used to capture the results of regex match - - name: language - type: keyword - description: This is used to capture list of languages the client support and what it prefers - - name: lifetime - type: long - description: This key is used to capture the session lifetime in seconds. - - name: link - type: keyword - description: This key is used to link the sessions together. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: match - type: keyword - description: This key is for regex match name from search.ini - - name: param_dst - type: keyword - description: This key captures the command line/launch argument of the target process or file - - name: param_src - type: keyword - description: This key captures source parameter - - name: search_text - type: keyword - description: This key captures the Search Text used - - name: sig_name - type: keyword - description: This key is used to capture the Signature Name only. 
- - name: snmp_value - type: keyword - description: SNMP set request value - - name: streams - type: long - description: This key captures number of streams in session - - name: db - type: group - fields: - - name: index - type: keyword - description: This key captures IndexID of the index. - - name: instance - type: keyword - description: This key is used to capture the database server instance name - - name: database - type: keyword - description: This key is used to capture the name of a database or an instance as seen in a session - - name: transact_id - type: keyword - description: This key captures the SQL transantion ID of the current session - - name: permissions - type: keyword - description: This key captures permission or privilege level assigned to a resource. - - name: table_name - type: keyword - description: This key is used to capture the table name - - name: db_id - type: keyword - description: This key is used to capture the unique identifier for a database - - name: db_pid - type: long - description: This key captures the process id of a connection with database server - - name: lread - type: long - description: This key is used for the number of logical reads - - name: lwrite - type: long - description: This key is used for the number of logical writes - - name: pread - type: long - description: This key is used for the number of physical writes - - name: network - type: group - fields: - - name: alias_host - type: keyword - description: This key should be used when the source or destination context of a hostname is not clear.Also it captures the Device Hostname. Any Hostname that isnt ad.computer. 
- - name: domain - type: keyword - - name: host_dst - type: keyword - description: "This key should only be used when it’s a Destination Hostname" - - name: network_service - type: keyword - description: This is used to capture layer 7 protocols/service names - - name: interface - type: keyword - description: This key should be used when the source or destination context of an interface is not clear - - name: network_port - type: long - description: 'Deprecated, use port. NOTE: There is a type discrepancy as currently used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!)' - - name: eth_host - type: keyword - description: Deprecated, use alias.mac - - name: sinterface - type: keyword - description: "This key should only be used when it’s a Source Interface" - - name: dinterface - type: keyword - description: "This key should only be used when it’s a Destination Interface" - - name: vlan - type: long - description: This key should only be used to capture the ID of the Virtual LAN - - name: zone_src - type: keyword - description: "This key should only be used when it’s a Source Zone." - - name: zone - type: keyword - description: This key should be used when the source or destination context of a Zone is not clear - - name: zone_dst - type: keyword - description: "This key should only be used when it’s a Destination Zone." - - name: gateway - type: keyword - description: This key is used to capture the IP Address of the gateway - - name: icmp_type - type: long - description: This key is used to capture the ICMP type only - - name: mask - type: keyword - description: This key is used to capture the device network IPmask. 
- - name: icmp_code - type: long - description: This key is used to capture the ICMP code only - - name: protocol_detail - type: keyword - description: This key should be used to capture additional protocol information - - name: dmask - type: keyword - description: This key is used for Destionation Device network mask - - name: port - type: long - description: This key should only be used to capture a Network Port when the directionality is not clear - - name: smask - type: keyword - description: This key is used for capturing source Network Mask - - name: netname - type: keyword - description: This key is used to capture the network name associated with an IP range. This is configured by the end user. - - name: paddr - type: ip - description: Deprecated - - name: faddr - type: keyword - - name: lhost - type: keyword - - name: origin - type: keyword - - name: remote_domain_id - type: keyword - - name: addr - type: keyword - - name: dns_a_record - type: keyword - - name: dns_ptr_record - type: keyword - - name: fhost - type: keyword - - name: fport - type: keyword - - name: laddr - type: keyword - - name: linterface - type: keyword - - name: phost - type: keyword - - name: ad_computer_dst - type: keyword - description: Deprecated, use host.dst - - name: eth_type - type: long - description: This key is used to capture Ethernet Type, Used for Layer 3 Protocols Only - - name: ip_proto - type: long - description: This key should be used to capture the Protocol number, all the protocol nubers are converted into string in UI - - name: dns_cname_record - type: keyword - - name: dns_id - type: keyword - - name: dns_opcode - type: keyword - - name: dns_resp - type: keyword - - name: dns_type - type: keyword - - name: domain1 - type: keyword - - name: host_type - type: keyword - - name: packet_length - type: keyword - - name: host_orig - type: keyword - description: This is used to capture the original hostname in case of a Forwarding Agent or a Proxy in between. 
- - name: rpayload - type: keyword - description: This key is used to capture the total number of payload bytes seen in the retransmitted packets. - - name: vlan_name - type: keyword - description: This key should only be used to capture the name of the Virtual LAN - - name: investigations - type: group - fields: - - name: ec_activity - type: keyword - description: This key captures the particular event activity(Ex:Logoff) - - name: ec_theme - type: keyword - description: This key captures the Theme of a particular Event(Ex:Authentication) - - name: ec_subject - type: keyword - description: This key captures the Subject of a particular Event(Ex:User) - - name: ec_outcome - type: keyword - description: This key captures the outcome of a particular Event(Ex:Success) - - name: event_cat - type: long - description: This key captures the Event category number - - name: event_cat_name - type: keyword - description: This key captures the event category name corresponding to the event cat code - - name: event_vcat - type: keyword - description: This is a vendor supplied category. This should be used in situations where the vendor has adopted their own event_category taxonomy. - - name: analysis_file - type: keyword - description: This is used to capture all indicators used in a File Analysis. This key should be used to capture an analysis of a file - - name: analysis_service - type: keyword - description: This is used to capture all indicators used in a Service Analysis. This key should be used to capture an analysis of a service - - name: analysis_session - type: keyword - description: This is used to capture all indicators used for a Session Analysis. 
This key should be used to capture an analysis of a session - - name: boc - type: keyword - description: This is used to capture behaviour of compromise - - name: eoc - type: keyword - description: This is used to capture Enablers of Compromise - - name: inv_category - type: keyword - description: This used to capture investigation category - - name: inv_context - type: keyword - description: This used to capture investigation context - - name: ioc - type: keyword - description: This is key capture indicator of compromise - - name: counters - type: group - fields: - - name: dclass_c1 - type: long - description: This is a generic counter key that should be used with the label dclass.c1.str only - - name: dclass_c2 - type: long - description: This is a generic counter key that should be used with the label dclass.c2.str only - - name: event_counter - type: long - description: This is used to capture the number of times an event repeated - - name: dclass_r1 - type: keyword - description: This is a generic ratio key that should be used with the label dclass.r1.str only - - name: dclass_c3 - type: long - description: This is a generic counter key that should be used with the label dclass.c3.str only - - name: dclass_c1_str - type: keyword - description: This is a generic counter string key that should be used with the label dclass.c1 only - - name: dclass_c2_str - type: keyword - description: This is a generic counter string key that should be used with the label dclass.c2 only - - name: dclass_r1_str - type: keyword - description: This is a generic ratio string key that should be used with the label dclass.r1 only - - name: dclass_r2 - type: keyword - description: This is a generic ratio key that should be used with the label dclass.r2.str only - - name: dclass_c3_str - type: keyword - description: This is a generic counter string key that should be used with the label dclass.c3 only - - name: dclass_r3 - type: keyword - description: This is a generic ratio key that 
should be used with the label dclass.r3.str only - - name: dclass_r2_str - type: keyword - description: This is a generic ratio string key that should be used with the label dclass.r2 only - - name: dclass_r3_str - type: keyword - description: This is a generic ratio string key that should be used with the label dclass.r3 only - - name: identity - type: group - fields: - - name: auth_method - type: keyword - description: This key is used to capture authentication methods used only - - name: user_role - type: keyword - description: This key is used to capture the Role of a user only - - name: dn - type: keyword - description: X.500 (LDAP) Distinguished Name - - name: logon_type - type: keyword - description: This key is used to capture the type of logon method used. - - name: profile - type: keyword - description: This key is used to capture the user profile - - name: accesses - type: keyword - description: This key is used to capture actual privileges used in accessing an object - - name: realm - type: keyword - description: Radius realm or similar grouping of accounts - - name: user_sid_dst - type: keyword - description: This key captures Destination User Session ID - - name: dn_src - type: keyword - description: An X.500 (LDAP) Distinguished name that is used in a context that indicates a Source dn - - name: org - type: keyword - description: This key captures the User organization - - name: dn_dst - type: keyword - description: An X.500 (LDAP) Distinguished name that used in a context that indicates a Destination dn - - name: firstname - type: keyword - description: This key is for First Names only, this is used for Healthcare predominantly to capture Patients information - - name: lastname - type: keyword - description: This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information - - name: user_dept - type: keyword - description: User's Department Names only - - name: user_sid_src - type: keyword - description: This 
key captures Source User Session ID - - name: federated_sp - type: keyword - description: This key is the Federated Service Provider. This is the application requesting authentication. - - name: federated_idp - type: keyword - description: This key is the federated Identity Provider. This is the server providing the authentication. - - name: logon_type_desc - type: keyword - description: This key is used to capture the textual description of an integer logon type as stored in the meta key 'logon.type'. - - name: middlename - type: keyword - description: This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information - - name: password - type: keyword - description: This key is for Passwords seen in any session, plain text or encrypted - - name: host_role - type: keyword - description: This key should only be used to capture the role of a Host Machine - - name: ldap - type: keyword - description: "This key is for Uninterpreted LDAP values. Ldap Values that don’t have a clear query or response context" - - name: ldap_query - type: keyword - description: This key is the Search criteria from an LDAP search - - name: ldap_response - type: keyword - description: This key is to capture Results from an LDAP search - - name: owner - type: keyword - description: This is used to capture username the process or service is running as, the author of the task - - name: service_account - type: keyword - description: This key is a windows specific key, used for capturing name of the account a service (referenced in the event) is running under. 
Legacy Usage - - name: email - type: group - fields: - - name: email_dst - type: keyword - description: This key is used to capture the Destination email address only, when the destination context is not clear use email - - name: email_src - type: keyword - description: This key is used to capture the source email address only, when the source context is not clear use email - - name: subject - type: keyword - description: This key is used to capture the subject string from an Email only. - - name: email - type: keyword - description: This key is used to capture a generic email address where the source or destination context is not clear - - name: trans_from - type: keyword - description: Deprecated key defined only in table map. - - name: trans_to - type: keyword - description: Deprecated key defined only in table map. - - name: file - type: group - fields: - - name: privilege - type: keyword - description: Deprecated, use permissions - - name: attachment - type: keyword - description: This key captures the attachment file name - - name: filesystem - type: keyword - - name: binary - type: keyword - description: Deprecated key defined only in table map. 
- - name: filename_dst - type: keyword - description: This is used to capture name of the file targeted by the action - - name: filename_src - type: keyword - description: This is used to capture name of the parent filename, the file which performed the action - - name: filename_tmp - type: keyword - - name: directory_dst - type: keyword - description: This key is used to capture the directory of the target process or file - - name: directory_src - type: keyword - description: This key is used to capture the directory of the source process or file - - name: file_entropy - type: double - description: This is used to capture entropy vale of a file - - name: file_vendor - type: keyword - description: This is used to capture Company name of file located in version_info - - name: task_name - type: keyword - description: This is used to capture name of the task - - name: web - type: group - fields: - - name: fqdn - type: keyword - description: Fully Qualified Domain Names - - name: web_cookie - type: keyword - description: This key is used to capture the Web cookies specifically. - - name: alias_host - type: keyword - - name: reputation_num - type: double - description: Reputation Number of an entity. 
Typically used for Web Domains - - name: web_ref_domain - type: keyword - description: Web referer's domain - - name: web_ref_query - type: keyword - description: This key captures Web referer's query portion of the URL - - name: remote_domain - type: keyword - - name: web_ref_page - type: keyword - description: This key captures Web referer's page information - - name: web_ref_root - type: keyword - description: Web referer's root URL path - - name: cn_asn_dst - type: keyword - - name: cn_rpackets - type: keyword - - name: urlpage - type: keyword - - name: urlroot - type: keyword - - name: p_url - type: keyword - - name: p_user_agent - type: keyword - - name: p_web_cookie - type: keyword - - name: p_web_method - type: keyword - - name: p_web_referer - type: keyword - - name: web_extension_tmp - type: keyword - - name: web_page - type: keyword - - name: threat - type: group - fields: - - name: threat_category - type: keyword - description: This key captures Threat Name/Threat Category/Categorization of alert - - name: threat_desc - type: keyword - description: This key is used to capture the threat description from the session directly or inferred - - name: alert - type: keyword - description: This key is used to capture name of the alert - - name: threat_source - type: keyword - description: This key is used to capture source of the threat - - name: crypto - type: group - fields: - - name: crypto - type: keyword - description: This key is used to capture the Encryption Type or Encryption Key only - - name: cipher_src - type: keyword - description: This key is for Source (Client) Cipher - - name: cert_subject - type: keyword - description: This key is used to capture the Certificate organization only - - name: peer - type: keyword - description: This key is for Encryption peer's IP Address - - name: cipher_size_src - type: long - description: This key captures Source (Client) Cipher Size - - name: ike - type: keyword - description: IKE negotiation phase. 
- - name: scheme - type: keyword - description: This key captures the Encryption scheme used - - name: peer_id - type: keyword - description: "This key is for Encryption peer’s identity" - - name: sig_type - type: keyword - description: This key captures the Signature Type - - name: cert_issuer - type: keyword - - name: cert_host_name - type: keyword - description: Deprecated key defined only in table map. - - name: cert_error - type: keyword - description: This key captures the Certificate Error String - - name: cipher_dst - type: keyword - description: This key is for Destination (Server) Cipher - - name: cipher_size_dst - type: long - description: This key captures Destination (Server) Cipher Size - - name: ssl_ver_src - type: keyword - description: Deprecated, use version - - name: d_certauth - type: keyword - - name: s_certauth - type: keyword - - name: ike_cookie1 - type: keyword - description: "ID of the negotiation — sent for ISAKMP Phase One" - - name: ike_cookie2 - type: keyword - description: "ID of the negotiation — sent for ISAKMP Phase Two" - - name: cert_checksum - type: keyword - - name: cert_host_cat - type: keyword - description: This key is used for the hostname category value of a certificate - - name: cert_serial - type: keyword - description: This key is used to capture the Certificate serial number only - - name: cert_status - type: keyword - description: This key captures Certificate validation status - - name: ssl_ver_dst - type: keyword - description: Deprecated, use version - - name: cert_keysize - type: keyword - - name: cert_username - type: keyword - - name: https_insact - type: keyword - - name: https_valid - type: keyword - - name: cert_ca - type: keyword - description: This key is used to capture the Certificate signing authority only - - name: cert_common - type: keyword - description: This key is used to capture the Certificate common name only - - name: wireless - type: group - fields: - - name: wlan_ssid - type: keyword - 
description: This key is used to capture the ssid of a Wireless Session - - name: access_point - type: keyword - description: This key is used to capture the access point name. - - name: wlan_channel - type: long - description: This is used to capture the channel names - - name: wlan_name - type: keyword - description: This key captures either WLAN number/name - - name: storage - type: group - fields: - - name: disk_volume - type: keyword - description: A unique name assigned to logical units (volumes) within a physical disk - - name: lun - type: keyword - description: Logical Unit Number.This key is a very useful concept in Storage. - - name: pwwn - type: keyword - description: This uniquely identifies a port on a HBA. - - name: physical - type: group - fields: - - name: org_dst - type: keyword - description: This is used to capture the destination organization based on the GEOPIP Maxmind database. - - name: org_src - type: keyword - description: This is used to capture the source organization based on the GEOPIP Maxmind database. 
- - name: healthcare - type: group - fields: - - name: patient_fname - type: keyword - description: This key is for First Names only, this is used for Healthcare predominantly to capture Patients information - - name: patient_id - type: keyword - description: This key captures the unique ID for a patient - - name: patient_lname - type: keyword - description: This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information - - name: patient_mname - type: keyword - description: This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information - - name: endpoint - type: group - fields: - - name: host_state - type: keyword - description: This key is used to capture the current state of the machine, such as blacklisted, infected, firewall disabled and so on - - name: registry_key - type: keyword - description: This key captures the path to the registry key - - name: registry_value - type: keyword - description: This key captures values or decorators used within a registry entry -- name: dns.question.domain - type: keyword - ignore_above: 1024 - description: Server domain. -- name: network.interface.name - type: keyword diff --git a/packages/fortinet_fortimail/1.1.1/data_stream/log/manifest.yml b/packages/fortinet_fortimail/1.1.1/data_stream/log/manifest.yml deleted file mode 100755 index 4acfba2e32..0000000000 --- a/packages/fortinet_fortimail/1.1.1/data_stream/log/manifest.yml +++ /dev/null 
@@ -1,210 +0,0 @@
-title: Fortinet FortiMail logs
-release: experimental
-type: logs
-streams:
- - input: udp
- title: Fortinet FortiMail logs
- description: Collect Fortinet FortiMail logs
- template_path: udp.yml.hbs
- vars:
- - name: tags
- type: text
- title: Tags
- multi: true
- required: true
- show_user: false
- default:
- - fortinet-fortimail
- - forwarded
- - name: udp_host
- type: text
- title: Listen Address
- description: The bind address to listen for UDP connections. Set to `0.0.0.0` to bind to all available interfaces.
- multi: false
- required: true
- show_user: true
- default: localhost
- - name: udp_port
- type: integer
- title: Listen Port
- description: The UDP port number to listen on.
- multi: false
- required: true
- show_user: true
- default: 9529
- - name: tz_offset
- type: text
- title: Timezone offset (+HH:mm format)
- required: false
- show_user: true
- default: "local"
- - name: rsa_fields
- type: bool
- title: Add non-ECS fields
- required: false
- show_user: true
- default: true
- - name: keep_raw_fields
- type: bool
- title: Keep raw parser fields
- required: false
- show_user: false
- default: false
- - name: debug
- type: bool
- title: Enable debug logging
- required: false
- show_user: false
- default: false
- - name: preserve_original_event
- required: true
- show_user: true
- title: Preserve original event
- description: Preserves a raw copy of the original event, added to the field `event.original`
- type: bool
- multi: false
- default: false
- - name: processors
- type: yaml
- title: Processors
- multi: false
- required: false
- show_user: false
- description: >
- Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
-
- - input: tcp
- title: Fortinet FortiMail logs
- description: Collect Fortinet FortiMail logs
- template_path: tcp.yml.hbs
- vars:
- - name: tags
- type: text
- title: Tags
- multi: true
- required: true
- show_user: false
- default:
- - fortinet-fortimail
- - forwarded
- - name: tcp_host
- type: text
- title: Listen Address
- description: The bind address to listen for TCP connections. Set to `0.0.0.0` to bind to all available interfaces.
- multi: false
- required: true
- show_user: true
- default: localhost
- - name: tcp_port
- type: integer
- title: Listen Port
- description: The TCP port number to listen on.
- multi: false
- required: true
- show_user: true
- default: 9529
- - name: tz_offset
- type: text
- title: Timezone offset (+HH:mm format)
- required: false
- show_user: true
- default: "local"
- - name: rsa_fields
- type: bool
- title: Add non-ECS fields
- required: false
- show_user: true
- default: true
- - name: keep_raw_fields
- type: bool
- title: Keep raw parser fields
- required: false
- show_user: false
- default: false
- - name: debug
- type: bool
- title: Enable debug logging
- required: false
- show_user: false
- default: false
- - name: preserve_original_event
- required: true
- show_user: true
- title: Preserve original event
- description: Preserves a raw copy of the original event, added to the field `event.original`
- type: bool
- multi: false
- default: false
- - name: processors
- type: yaml
- title: Processors
- multi: false
- required: false
- show_user: false
- description: >
- Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
-
- - input: logfile
- enabled: false
- title: Fortinet FortiMail logs
- description: Collect Fortinet FortiMail logs from file
- template_path: log.yml.hbs
- vars:
- - name: paths
- type: text
- title: Paths
- multi: true
- required: true
- show_user: true
- default:
- - /var/log/fortinet-fortimail.log
- - name: tags
- type: text
- title: Tags
- multi: true
- required: true
- show_user: false
- default:
- - fortinet-fortimail
- - forwarded
- - name: tz_offset
- type: text
- title: Timezone offset (+HH:mm format)
- required: false
- show_user: true
- default: "local"
- - name: rsa_fields
- type: bool
- title: Add non-ECS fields
- required: false
- show_user: true
- default: true
- - name: keep_raw_fields
- type: bool
- title: Keep raw parser fields
- required: false
- show_user: false
- default: false
- - name: debug
- type: bool
- title: Enable debug logging
- required: false
- show_user: false
- default: false
- - name: preserve_original_event
- required: true
- show_user: true
- title: Preserve original event
- description: Preserves a raw copy of the original event, added to the field `event.original`
- type: bool
- multi: false
- default: false
- - name: processors
- type: yaml
- title: Processors
- multi: false
- required: false
- show_user: false
- description: >
- Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
-
diff --git a/packages/fortinet_fortimail/1.1.1/data_stream/log/sample_event.json b/packages/fortinet_fortimail/1.1.1/data_stream/log/sample_event.json
deleted file mode 100755
index f6886ac301..0000000000
--- a/packages/fortinet_fortimail/1.1.1/data_stream/log/sample_event.json
+++ /dev/null
@@ -1,70 +0,0 @@
-{
- "@timestamp": "2016-01-29T06:09:59.000Z",
- "agent": {
- "ephemeral_id": "821504b9-6e80-4572-aae7-c5bb3cf38906",
- "id": "4e3f135a-d5f9-40b6-ae01-2c834ecbead0",
- "name": "docker-fleet-agent",
- "type": "filebeat",
- "version": "8.0.0"
- },
- "data_stream": {
- "dataset": "fortinet_fortimail.log",
- "namespace": "ep",
- "type": "logs"
- },
- "ecs": {
- "version": "8.2.0"
- },
- "elastic_agent": {
- "id": "4e3f135a-d5f9-40b6-ae01-2c834ecbead0",
- "snapshot": true,
- "version": "8.0.0"
- },
- "event": {
- "action": "event",
- "agent_id_status": "verified",
- "code": "nes",
- "dataset": "fortinet_fortimail.log",
- "ingested": "2022-01-25T12:29:32Z",
- "original": "date=2016-1-29 time=06:09:59 device_id=pexe log_id=nes log_part=eab type=event subtype=update pri=high msg=\"boNemoe\"\n",
- "timezone": "+00:00"
- },
- "input": {
- "type": "udp"
- },
- "log": {
- "level": "high",
- "source": {
- "address": "172.30.0.4:44540"
- }
- },
- "observer": {
- "product": "FortiMail",
- "type": "Firewall",
- "vendor": "Fortinet"
- },
- "rsa": {
- "internal": {
- "event_desc": "boNemoe",
- "messageid": "event_update"
- },
- "misc": {
- "category": "update",
- "event_type": "event",
- "hardware_id": "pexe",
- "msgIdPart1": "event",
- "msgIdPart2": "update",
- "reference_id": "nes",
- "reference_id1": "eab",
- "severity": "high"
- },
- "time": {
- "event_time": "2016-01-29T06:09:59.000Z"
- }
- },
- "tags": [
- "preserve_original_event",
- "fortinet-fortimail",
- "forwarded"
- ]
-}
\ No newline at end of file
diff --git a/packages/fortinet_fortimail/1.1.1/docs/README.md b/packages/fortinet_fortimail/1.1.1/docs/README.md
deleted file mode 100755
index 4fa561ec8c..0000000000
--- a/packages/fortinet_fortimail/1.1.1/docs/README.md
+++ /dev/null
@@ -1,926 +0,0 @@
-# Fortinet FortiMail Integration
-
-This integration is for Fortinet FortiMail logs sent in the syslog format.
-
-## Compatibility
-
-This integration has been tested against FortiOS version 6.0.x and 6.2.x. Versions above this are expected to work but have not been tested.
-
-### Log
-
-The `log` dataset collects Fortinet FortiMail logs.
-
-An example event for `log` looks as following:
-
-```json
-{
- "@timestamp": "2016-01-29T06:09:59.000Z",
- "agent": {
- "ephemeral_id": "821504b9-6e80-4572-aae7-c5bb3cf38906",
- "id": "4e3f135a-d5f9-40b6-ae01-2c834ecbead0",
- "name": "docker-fleet-agent",
- "type": "filebeat",
- "version": "8.0.0"
- },
- "data_stream": {
- "dataset": "fortinet_fortimail.log",
- "namespace": "ep",
- "type": "logs"
- },
- "ecs": {
- "version": "8.2.0"
- },
- "elastic_agent": {
- "id": "4e3f135a-d5f9-40b6-ae01-2c834ecbead0",
- "snapshot": true,
- "version": "8.0.0"
- },
- "event": {
- "action": "event",
- "agent_id_status": "verified",
- "code": "nes",
- "dataset": "fortinet_fortimail.log",
- "ingested": "2022-01-25T12:29:32Z",
- "original": "date=2016-1-29 time=06:09:59 device_id=pexe log_id=nes log_part=eab type=event subtype=update pri=high msg=\"boNemoe\"\n",
- "timezone": "+00:00"
- },
- "input": {
- "type": "udp"
- },
- "log": {
- "level": "high",
- "source": {
- "address": "172.30.0.4:44540"
- }
- },
- "observer": {
- "product": "FortiMail",
- "type": "Firewall",
- "vendor": "Fortinet"
- },
- "rsa": {
- "internal": {
- "event_desc": "boNemoe",
- "messageid": "event_update"
- },
- "misc": {
- "category": "update",
- "event_type": "event",
- "hardware_id": "pexe",
- "msgIdPart1": "event",
- "msgIdPart2": "update",
- "reference_id": "nes",
- "reference_id1": "eab",
- "severity": "high"
- },
- "time": {
- "event_time": "2016-01-29T06:09:59.000Z"
- }
- },
- "tags": [
- "preserve_original_event",
- "fortinet-fortimail",
- "forwarded"
- ]
-}
-```
-
-**Exported fields**
-
-| Field | Description | Type |
-|---|---|---|
-| 
@timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. | date |
-| client.domain | The domain name of the client system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword |
-| client.registered_domain | The highest registered client domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword |
-| client.subdomain | The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword |
-| client.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". 
| keyword |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
-| data_stream.dataset | Data stream dataset. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
-| destination.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long |
-| destination.as.organization.name | Organization name. | keyword |
-| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. 
| match_only_text |
-| destination.bytes | Bytes sent from the destination to the source. | long |
-| destination.domain | The domain name of the destination system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword |
-| destination.geo.city_name | City name. | keyword |
-| destination.geo.country_name | Country name. | keyword |
-| destination.geo.location | Longitude and latitude. | geo_point |
-| destination.ip | IP address of the destination (IPv4 or IPv6). | ip |
-| destination.mac | MAC address of the destination. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword |
-| destination.nat.ip | Translated ip of destination based NAT sessions (e.g. internet to private DMZ) Typically used with load balancers, firewalls, or routers. | ip |
-| destination.nat.port | Port the source session is translated to by NAT Device. Typically used with load balancers, firewalls, or routers. | long |
-| destination.port | Port of the destination. | long |
-| destination.registered_domain | The highest registered destination domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword |
-| destination.subdomain | The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. 
In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword |
-| destination.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword |
-| dns.answers.name | The domain name to which this resource record pertains. If a chain of CNAME is being resolved, each answer's `name` should be the one that corresponds with the answer's `data`. It should not simply be the original `question.name` repeated. | keyword |
-| dns.answers.type | The type of data contained in this resource record. | keyword |
-| dns.question.domain | Server domain. | keyword |
-| dns.question.registered_domain | The highest registered domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword |
-| dns.question.subdomain | The subdomain is all of the labels under the registered_domain. If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. 
| keyword |
-| dns.question.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword |
-| dns.question.type | The type of record being queried. | keyword |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| error.message | Error message. | match_only_text |
-| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword |
-| event.code | Identification code for this event, if one exists. Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. | keyword |
-| event.dataset | Event dataset | constant_keyword |
-| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date |
-| event.module | Event module | constant_keyword |
-| event.original | Raw text message of entire event. 
Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword |
-| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword |
-| event.timezone | This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). | keyword |
-| file.attributes | Array of file attributes. Attributes names will vary by platform. Here's a non-exhaustive list of values that are expected in this field: archive, compressed, directory, encrypted, execute, hidden, read, readonly, system, write. | keyword |
-| file.directory | Directory where the file is located. 
It should include the drive letter, when appropriate. | keyword |
-| file.extension | File extension, excluding the leading dot. Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword |
-| file.name | Name of the file including the extension, without the directory. | keyword |
-| file.path | Full path to the file, including the file name. It should include the drive letter, when appropriate. | keyword |
-| file.path.text | Multi-field of `file.path`. | match_only_text |
-| file.size | File size in bytes. Only relevant when `file.type` is "file". | long |
-| file.type | File type (file, dir, or symlink). | keyword |
-| geo.city_name | City name. | keyword |
-| geo.country_name | Country name. | keyword |
-| geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword |
-| geo.region_name | Region name. | keyword |
-| group.id | Unique identifier for the group on the system/platform. | keyword |
-| group.name | Name of the group. | keyword |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host MAC addresses. 
The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| http.request.method | HTTP request method. The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field. | keyword |
-| http.request.referrer | Referrer for this HTTP request. | keyword |
-| input.type | Type of Filebeat input. | keyword |
-| log.file.path | Full path to the log file this event came from. | keyword |
-| log.flags | Flags for the log file. | keyword |
-| log.level | Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). 
Some examples are `warn`, `err`, `i`, `informational`. | keyword |
-| log.offset | Offset of the entry in the log file. | long |
-| log.source.address | Source address from which the log event was read / sent from. | keyword |
-| log.syslog.facility.code | The Syslog numeric facility of the log event, if available. According to RFCs 5424 and 3164, this value should be an integer between 0 and 23. | long |
-| log.syslog.priority | Syslog numeric priority of the event, if available. According to RFCs 5424 and 3164, the priority is 8 \* facility + severity. This number is therefore expected to contain a value between 0 and 191. | long |
-| log.syslog.severity.code | The Syslog numeric severity of the log event, if available. If the event source publishing via Syslog provides a different numeric severity value (e.g. firewall, IDS), your source's numeric severity should go to `event.severity`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `event.severity`. | long |
-| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text |
-| network.application | When a specific application or service is identified from network connection details (source/dest IPs, ports, certificates, or wire format), this field captures the application's or service's name. For example, the original event identifies the network connection being from a specific web service in a `https` network connection, like `facebook` or `twitter`. The field value must be normalized to lowercase for querying. | keyword |
-| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. 
| long |
-| network.direction | Direction of the network traffic. Recommended values are: \* ingress \* egress \* inbound \* outbound \* internal \* external \* unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword |
-| network.forwarded_ip | Host IP address when the source IP address is the proxy. | ip |
-| network.interface.name | | keyword |
-| network.packets | Total packets transferred in both directions. If `source.packets` and `destination.packets` are known, `network.packets` is their sum. | long |
-| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword |
-| observer.egress.interface.name | Interface name as reported by the system. | keyword |
-| observer.ingress.interface.name | Interface name as reported by the system. | keyword |
-| observer.product | The product name of the observer. | keyword |
-| observer.type | The type of the observer the data is coming from. There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. | keyword |
-| observer.vendor | Vendor name of the observer. | keyword |
-| observer.version | Observer version. | keyword |
-| process.name | Process name. 
Sometimes called program name or similar. | keyword |
-| process.name.text | Multi-field of `process.name`. | match_only_text |
-| process.parent.name | Process name. Sometimes called program name or similar. | keyword |
-| process.parent.name.text | Multi-field of `process.parent.name`. | match_only_text |
-| process.parent.pid | Process id. | long |
-| process.parent.title | Process title. The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. | keyword |
-| process.parent.title.text | Multi-field of `process.parent.title`. | match_only_text |
-| process.pid | Process id. | long |
-| process.title | Process title. The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. | keyword |
-| process.title.text | Multi-field of `process.title`. | match_only_text |
-| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword |
-| related.ip | All of the IPs seen on your event. | ip |
-| related.user | All the user names or other user identifiers seen on the event. 
| keyword |
-| rsa.counters.dclass_c1 | This is a generic counter key that should be used with the label dclass.c1.str only | long |
-| rsa.counters.dclass_c1_str | This is a generic counter string key that should be used with the label dclass.c1 only | keyword |
-| rsa.counters.dclass_c2 | This is a generic counter key that should be used with the label dclass.c2.str only | long |
-| rsa.counters.dclass_c2_str | This is a generic counter string key that should be used with the label dclass.c2 only | keyword |
-| rsa.counters.dclass_c3 | This is a generic counter key that should be used with the label dclass.c3.str only | long |
-| rsa.counters.dclass_c3_str | This is a generic counter string key that should be used with the label dclass.c3 only | keyword |
-| rsa.counters.dclass_r1 | This is a generic ratio key that should be used with the label dclass.r1.str only | keyword |
-| rsa.counters.dclass_r1_str | This is a generic ratio string key that should be used with the label dclass.r1 only | keyword |
-| rsa.counters.dclass_r2 | This is a generic ratio key that should be used with the label dclass.r2.str only | keyword |
-| rsa.counters.dclass_r2_str | This is a generic ratio string key that should be used with the label dclass.r2 only | keyword |
-| rsa.counters.dclass_r3 | This is a generic ratio key that should be used with the label dclass.r3.str only | keyword |
-| rsa.counters.dclass_r3_str | This is a generic ratio string key that should be used with the label dclass.r3 only | keyword |
-| rsa.counters.event_counter | This is used to capture the number of times an event repeated | long |
-| rsa.crypto.cert_ca | This key is used to capture the Certificate signing authority only | keyword |
-| rsa.crypto.cert_checksum | | keyword |
-| rsa.crypto.cert_common | This key is used to capture the Certificate common name only | keyword |
-| rsa.crypto.cert_error | This key captures the Certificate Error String | keyword |
-| rsa.crypto.cert_host_cat | This key is 
used for the hostname category value of a certificate | keyword | -| rsa.crypto.cert_host_name | Deprecated key defined only in table map. | keyword | -| rsa.crypto.cert_issuer | | keyword | -| rsa.crypto.cert_keysize | | keyword | -| rsa.crypto.cert_serial | This key is used to capture the Certificate serial number only | keyword | -| rsa.crypto.cert_status | This key captures Certificate validation status | keyword | -| rsa.crypto.cert_subject | This key is used to capture the Certificate organization only | keyword | -| rsa.crypto.cert_username | | keyword | -| rsa.crypto.cipher_dst | This key is for Destination (Server) Cipher | keyword | -| rsa.crypto.cipher_size_dst | This key captures Destination (Server) Cipher Size | long | -| rsa.crypto.cipher_size_src | This key captures Source (Client) Cipher Size | long | -| rsa.crypto.cipher_src | This key is for Source (Client) Cipher | keyword | -| rsa.crypto.crypto | This key is used to capture the Encryption Type or Encryption Key only | keyword | -| rsa.crypto.d_certauth | | keyword | -| rsa.crypto.https_insact | | keyword | -| rsa.crypto.https_valid | | keyword | -| rsa.crypto.ike | IKE negotiation phase. 
| keyword | -| rsa.crypto.ike_cookie1 | ID of the negotiation — sent for ISAKMP Phase One | keyword | -| rsa.crypto.ike_cookie2 | ID of the negotiation — sent for ISAKMP Phase Two | keyword | -| rsa.crypto.peer | This key is for Encryption peer's IP Address | keyword | -| rsa.crypto.peer_id | This key is for Encryption peer’s identity | keyword | -| rsa.crypto.s_certauth | | keyword | -| rsa.crypto.scheme | This key captures the Encryption scheme used | keyword | -| rsa.crypto.sig_type | This key captures the Signature Type | keyword | -| rsa.crypto.ssl_ver_dst | Deprecated, use version | keyword | -| rsa.crypto.ssl_ver_src | Deprecated, use version | keyword | -| rsa.db.database | This key is used to capture the name of a database or an instance as seen in a session | keyword | -| rsa.db.db_id | This key is used to capture the unique identifier for a database | keyword | -| rsa.db.db_pid | This key captures the process id of a connection with database server | long | -| rsa.db.index | This key captures IndexID of the index. | keyword | -| rsa.db.instance | This key is used to capture the database server instance name | keyword | -| rsa.db.lread | This key is used for the number of logical reads | long | -| rsa.db.lwrite | This key is used for the number of logical writes | long | -| rsa.db.permissions | This key captures permission or privilege level assigned to a resource. 
| keyword | -| rsa.db.pread | This key is used for the number of physical writes | long | -| rsa.db.table_name | This key is used to capture the table name | keyword | -| rsa.db.transact_id | This key captures the SQL transantion ID of the current session | keyword | -| rsa.email.email | This key is used to capture a generic email address where the source or destination context is not clear | keyword | -| rsa.email.email_dst | This key is used to capture the Destination email address only, when the destination context is not clear use email | keyword | -| rsa.email.email_src | This key is used to capture the source email address only, when the source context is not clear use email | keyword | -| rsa.email.subject | This key is used to capture the subject string from an Email only. | keyword | -| rsa.email.trans_from | Deprecated key defined only in table map. | keyword | -| rsa.email.trans_to | Deprecated key defined only in table map. | keyword | -| rsa.endpoint.host_state | This key is used to capture the current state of the machine, such as \blacklisted\, \infected\, \firewall disabled\ and so on | keyword | -| rsa.endpoint.registry_key | This key captures the path to the registry key | keyword | -| rsa.endpoint.registry_value | This key captures values or decorators used within a registry entry | keyword | -| rsa.file.attachment | This key captures the attachment file name | keyword | -| rsa.file.binary | Deprecated key defined only in table map. 
| keyword | -| rsa.file.directory_dst | \This key is used to capture the directory of the target process or file\ | keyword | -| rsa.file.directory_src | This key is used to capture the directory of the source process or file | keyword | -| rsa.file.file_entropy | This is used to capture entropy vale of a file | double | -| rsa.file.file_vendor | This is used to capture Company name of file located in version_info | keyword | -| rsa.file.filename_dst | This is used to capture name of the file targeted by the action | keyword | -| rsa.file.filename_src | This is used to capture name of the parent filename, the file which performed the action | keyword | -| rsa.file.filename_tmp | | keyword | -| rsa.file.filesystem | | keyword | -| rsa.file.privilege | Deprecated, use permissions | keyword | -| rsa.file.task_name | This is used to capture name of the task | keyword | -| rsa.healthcare.patient_fname | This key is for First Names only, this is used for Healthcare predominantly to capture Patients information | keyword | -| rsa.healthcare.patient_id | This key captures the unique ID for a patient | keyword | -| rsa.healthcare.patient_lname | This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information | keyword | -| rsa.healthcare.patient_mname | This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information | keyword | -| rsa.identity.accesses | This key is used to capture actual privileges used in accessing an object | keyword | -| rsa.identity.auth_method | This key is used to capture authentication methods used only | keyword | -| rsa.identity.dn | X.500 (LDAP) Distinguished Name | keyword | -| rsa.identity.dn_dst | An X.500 (LDAP) Distinguished name that used in a context that indicates a Destination dn | keyword | -| rsa.identity.dn_src | An X.500 (LDAP) Distinguished name that is used in a context that indicates a Source dn | keyword | -| rsa.identity.federated_idp | This 
key is the federated Identity Provider. This is the server providing the authentication. | keyword | -| rsa.identity.federated_sp | This key is the Federated Service Provider. This is the application requesting authentication. | keyword | -| rsa.identity.firstname | This key is for First Names only, this is used for Healthcare predominantly to capture Patients information | keyword | -| rsa.identity.host_role | This key should only be used to capture the role of a Host Machine | keyword | -| rsa.identity.lastname | This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information | keyword | -| rsa.identity.ldap | This key is for Uninterpreted LDAP values. Ldap Values that don’t have a clear query or response context | keyword | -| rsa.identity.ldap_query | This key is the Search criteria from an LDAP search | keyword | -| rsa.identity.ldap_response | This key is to capture Results from an LDAP search | keyword | -| rsa.identity.logon_type | This key is used to capture the type of logon method used. | keyword | -| rsa.identity.logon_type_desc | This key is used to capture the textual description of an integer logon type as stored in the meta key 'logon.type'. 
| keyword | -| rsa.identity.middlename | This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information | keyword | -| rsa.identity.org | This key captures the User organization | keyword | -| rsa.identity.owner | This is used to capture username the process or service is running as, the author of the task | keyword | -| rsa.identity.password | This key is for Passwords seen in any session, plain text or encrypted | keyword | -| rsa.identity.profile | This key is used to capture the user profile | keyword | -| rsa.identity.realm | Radius realm or similar grouping of accounts | keyword | -| rsa.identity.service_account | This key is a windows specific key, used for capturing name of the account a service (referenced in the event) is running under. Legacy Usage | keyword | -| rsa.identity.user_dept | User's Department Names only | keyword | -| rsa.identity.user_role | This key is used to capture the Role of a user only | keyword | -| rsa.identity.user_sid_dst | This key captures Destination User Session ID | keyword | -| rsa.identity.user_sid_src | This key captures Source User Session ID | keyword | -| rsa.internal.audit_class | Deprecated key defined only in table map. | keyword | -| rsa.internal.cid | This is the unique identifier used to identify a NetWitness Concentrator. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | -| rsa.internal.data | Deprecated key defined only in table map. | keyword | -| rsa.internal.dead | Deprecated key defined only in table map. | long | -| rsa.internal.device_class | This is the Classification of the Log Event Source under a predefined fixed set of Event Source Classifications. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | -| rsa.internal.device_group | This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | -| rsa.internal.device_host | This is the Hostname of the log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | -| rsa.internal.device_ip | This is the IPv4 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | ip | -| rsa.internal.device_ipv6 | This is the IPv6 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | ip | -| rsa.internal.device_type | This is the name of the log parser which parsed a given session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | -| rsa.internal.device_type_id | Deprecated key defined only in table map. | long | -| rsa.internal.did | This is the unique identifier used to identify a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | -| rsa.internal.entropy_req | This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration | long | -| rsa.internal.entropy_res | This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration | long | -| rsa.internal.entry | Deprecated key defined only in table map. 
| keyword | -| rsa.internal.event_desc | | keyword | -| rsa.internal.event_name | Deprecated key defined only in table map. | keyword | -| rsa.internal.feed_category | This is used to capture the category of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | -| rsa.internal.feed_desc | This is used to capture the description of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | -| rsa.internal.feed_name | This is used to capture the name of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | -| rsa.internal.forward_ip | This key should be used to capture the IPV4 address of a relay system which forwarded the events from the original system to NetWitness. | ip | -| rsa.internal.forward_ipv6 | This key is used to capture the IPV6 address of a relay system which forwarded the events from the original system to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | ip | -| rsa.internal.hcode | Deprecated key defined only in table map. | keyword | -| rsa.internal.header_id | This is the Header ID value that identifies the exact log parser header definition that parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | -| rsa.internal.inode | Deprecated key defined only in table map. | long | -| rsa.internal.lc_cid | This is a unique Identifier of a Log Collector. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | -| rsa.internal.lc_ctime | This is the time at which a log is collected in a NetWitness Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | date | -| rsa.internal.level | Deprecated key defined only in table map. | long | -| rsa.internal.mcb_req | This key is only used by the Entropy Parser, the most common byte request is simply which byte for each side (0 thru 255) was seen the most | long | -| rsa.internal.mcb_res | This key is only used by the Entropy Parser, the most common byte response is simply which byte for each side (0 thru 255) was seen the most | long | -| rsa.internal.mcbc_req | This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams | long | -| rsa.internal.mcbc_res | This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams | long | -| rsa.internal.medium | This key is used to identify if it’s a log/packet session or Layer 2 Encapsulation Type. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. 32 = log, 33 = correlation session, < 32 is packet session | long | -| rsa.internal.message | This key captures the contents of instant messages | keyword | -| rsa.internal.messageid | | keyword | -| rsa.internal.msg | This key is used to capture the raw message that comes into the Log Decoder | keyword | -| rsa.internal.msg_id | This is the Message ID1 value that identifies the exact log parser definition which parses a particular log session. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | -| rsa.internal.msg_vid | This is the Message ID2 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | -| rsa.internal.node_name | Deprecated key defined only in table map. | keyword | -| rsa.internal.nwe_callback_id | This key denotes that event is endpoint related | keyword | -| rsa.internal.obj_id | Deprecated key defined only in table map. | keyword | -| rsa.internal.obj_server | Deprecated key defined only in table map. | keyword | -| rsa.internal.obj_val | Deprecated key defined only in table map. | keyword | -| rsa.internal.parse_error | This is a special key that stores any Meta key validation error found while parsing a log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | -| rsa.internal.payload_req | This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep | long | -| rsa.internal.payload_res | This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep | long | -| rsa.internal.process_vid_dst | Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the target process. | keyword | -| rsa.internal.process_vid_src | Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the source process. | keyword | -| rsa.internal.resource | Deprecated key defined only in table map. 
| keyword | -| rsa.internal.resource_class | Deprecated key defined only in table map. | keyword | -| rsa.internal.rid | This is a special ID of the Remote Session created by NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | long | -| rsa.internal.session_split | This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | -| rsa.internal.site | Deprecated key defined only in table map. | keyword | -| rsa.internal.size | This is the size of the session as seen by the NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | long | -| rsa.internal.sourcefile | This is the name of the log file or PCAPs that can be imported into NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | -| rsa.internal.statement | Deprecated key defined only in table map. | keyword | -| rsa.internal.time | This is the time at which a session hits a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. | date | -| rsa.internal.ubc_req | This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once | long | -| rsa.internal.ubc_res | This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 
256 would mean all byte values of 0 thru 255 were seen at least once | long | -| rsa.internal.word | This is used by the Word Parsing technology to capture the first 5 character of every word in an unparsed log | keyword | -| rsa.investigations.analysis_file | This is used to capture all indicators used in a File Analysis. This key should be used to capture an analysis of a file | keyword | -| rsa.investigations.analysis_service | This is used to capture all indicators used in a Service Analysis. This key should be used to capture an analysis of a service | keyword | -| rsa.investigations.analysis_session | This is used to capture all indicators used for a Session Analysis. This key should be used to capture an analysis of a session | keyword | -| rsa.investigations.boc | This is used to capture behaviour of compromise | keyword | -| rsa.investigations.ec_activity | This key captures the particular event activity(Ex:Logoff) | keyword | -| rsa.investigations.ec_outcome | This key captures the outcome of a particular Event(Ex:Success) | keyword | -| rsa.investigations.ec_subject | This key captures the Subject of a particular Event(Ex:User) | keyword | -| rsa.investigations.ec_theme | This key captures the Theme of a particular Event(Ex:Authentication) | keyword | -| rsa.investigations.eoc | This is used to capture Enablers of Compromise | keyword | -| rsa.investigations.event_cat | This key captures the Event category number | long | -| rsa.investigations.event_cat_name | This key captures the event category name corresponding to the event cat code | keyword | -| rsa.investigations.event_vcat | This is a vendor supplied category. This should be used in situations where the vendor has adopted their own event_category taxonomy. 
| keyword | -| rsa.investigations.inv_category | This used to capture investigation category | keyword | -| rsa.investigations.inv_context | This used to capture investigation context | keyword | -| rsa.investigations.ioc | This is key capture indicator of compromise | keyword | -| rsa.misc.OS | This key captures the Name of the Operating System | keyword | -| rsa.misc.acl_id | | keyword | -| rsa.misc.acl_op | | keyword | -| rsa.misc.acl_pos | | keyword | -| rsa.misc.acl_table | | keyword | -| rsa.misc.action | | keyword | -| rsa.misc.admin | | keyword | -| rsa.misc.agent_id | This key is used to capture agent id | keyword | -| rsa.misc.alarm_id | | keyword | -| rsa.misc.alarmname | | keyword | -| rsa.misc.alert_id | Deprecated, New Hunting Model (inv.\*, ioc, boc, eoc, analysis.\*) | keyword | -| rsa.misc.app_id | | keyword | -| rsa.misc.audit | | keyword | -| rsa.misc.audit_object | | keyword | -| rsa.misc.auditdata | | keyword | -| rsa.misc.autorun_type | This is used to capture Auto Run type | keyword | -| rsa.misc.benchmark | | keyword | -| rsa.misc.bypass | | keyword | -| rsa.misc.cache | | keyword | -| rsa.misc.cache_hit | | keyword | -| rsa.misc.category | This key is used to capture the category of an event given by the vendor in the session | keyword | -| rsa.misc.cc_number | Valid Credit Card Numbers only | long | -| rsa.misc.cefversion | | keyword | -| rsa.misc.cfg_attr | | keyword | -| rsa.misc.cfg_obj | | keyword | -| rsa.misc.cfg_path | | keyword | -| rsa.misc.change_attrib | This key is used to capture the name of the attribute that’s changing in a session | keyword | -| rsa.misc.change_new | This key is used to capture the new values of the attribute that’s changing in a session | keyword | -| rsa.misc.change_old | This key is used to capture the old value of the attribute that’s changing in a session | keyword | -| rsa.misc.changes | | keyword | -| rsa.misc.checksum | This key is used to capture the checksum or hash of the entity such as a file or 
process. Checksum should be used over checksum.src or checksum.dst when it is unclear whether the entity is a source or target of an action. | keyword | -| rsa.misc.checksum_dst | This key is used to capture the checksum or hash of the the target entity such as a process or file. | keyword | -| rsa.misc.checksum_src | This key is used to capture the checksum or hash of the source entity such as a file or process. | keyword | -| rsa.misc.client | This key is used to capture only the name of the client application requesting resources of the server. See the user.agent meta key for capture of the specific user agent identifier or browser identification string. | keyword | -| rsa.misc.client_ip | | keyword | -| rsa.misc.clustermembers | | keyword | -| rsa.misc.cmd | | keyword | -| rsa.misc.cn_acttimeout | | keyword | -| rsa.misc.cn_asn_src | | keyword | -| rsa.misc.cn_bgpv4nxthop | | keyword | -| rsa.misc.cn_ctr_dst_code | | keyword | -| rsa.misc.cn_dst_tos | | keyword | -| rsa.misc.cn_dst_vlan | | keyword | -| rsa.misc.cn_engine_id | | keyword | -| rsa.misc.cn_engine_type | | keyword | -| rsa.misc.cn_f_switch | | keyword | -| rsa.misc.cn_flowsampid | | keyword | -| rsa.misc.cn_flowsampintv | | keyword | -| rsa.misc.cn_flowsampmode | | keyword | -| rsa.misc.cn_inacttimeout | | keyword | -| rsa.misc.cn_inpermbyts | | keyword | -| rsa.misc.cn_inpermpckts | | keyword | -| rsa.misc.cn_invalid | | keyword | -| rsa.misc.cn_ip_proto_ver | | keyword | -| rsa.misc.cn_ipv4_ident | | keyword | -| rsa.misc.cn_l_switch | | keyword | -| rsa.misc.cn_log_did | | keyword | -| rsa.misc.cn_log_rid | | keyword | -| rsa.misc.cn_max_ttl | | keyword | -| rsa.misc.cn_maxpcktlen | | keyword | -| rsa.misc.cn_min_ttl | | keyword | -| rsa.misc.cn_minpcktlen | | keyword | -| rsa.misc.cn_mpls_lbl_1 | | keyword | -| rsa.misc.cn_mpls_lbl_10 | | keyword | -| rsa.misc.cn_mpls_lbl_2 | | keyword | -| rsa.misc.cn_mpls_lbl_3 | | keyword | -| rsa.misc.cn_mpls_lbl_4 | | keyword | -| rsa.misc.cn_mpls_lbl_5 | 
| keyword | -| rsa.misc.cn_mpls_lbl_6 | | keyword | -| rsa.misc.cn_mpls_lbl_7 | | keyword | -| rsa.misc.cn_mpls_lbl_8 | | keyword | -| rsa.misc.cn_mpls_lbl_9 | | keyword | -| rsa.misc.cn_mplstoplabel | | keyword | -| rsa.misc.cn_mplstoplabip | | keyword | -| rsa.misc.cn_mul_dst_byt | | keyword | -| rsa.misc.cn_mul_dst_pks | | keyword | -| rsa.misc.cn_muligmptype | | keyword | -| rsa.misc.cn_sampalgo | | keyword | -| rsa.misc.cn_sampint | | keyword | -| rsa.misc.cn_seqctr | | keyword | -| rsa.misc.cn_spackets | | keyword | -| rsa.misc.cn_src_tos | | keyword | -| rsa.misc.cn_src_vlan | | keyword | -| rsa.misc.cn_sysuptime | | keyword | -| rsa.misc.cn_template_id | | keyword | -| rsa.misc.cn_totbytsexp | | keyword | -| rsa.misc.cn_totflowexp | | keyword | -| rsa.misc.cn_totpcktsexp | | keyword | -| rsa.misc.cn_unixnanosecs | | keyword | -| rsa.misc.cn_v6flowlabel | | keyword | -| rsa.misc.cn_v6optheaders | | keyword | -| rsa.misc.code | | keyword | -| rsa.misc.command | | keyword | -| rsa.misc.comments | Comment information provided in the log message | keyword | -| rsa.misc.comp_class | | keyword | -| rsa.misc.comp_name | | keyword | -| rsa.misc.comp_rbytes | | keyword | -| rsa.misc.comp_sbytes | | keyword | -| rsa.misc.comp_version | This key captures the Version level of a sub-component of a product. | keyword | -| rsa.misc.connection_id | This key captures the Connection ID | keyword | -| rsa.misc.content | This key captures the content type from protocol headers | keyword | -| rsa.misc.content_type | This key is used to capture Content Type only. | keyword | -| rsa.misc.content_version | This key captures Version level of a signature or database content. | keyword | -| rsa.misc.context | This key captures Information which adds additional context to the event. 
| keyword | -| rsa.misc.context_subject | This key is to be used in an audit context where the subject is the object being identified | keyword | -| rsa.misc.context_target | | keyword | -| rsa.misc.count | | keyword | -| rsa.misc.cpu | This key is the CPU time used in the execution of the event being recorded. | long | -| rsa.misc.cpu_data | | keyword | -| rsa.misc.criticality | | keyword | -| rsa.misc.cs_agency_dst | | keyword | -| rsa.misc.cs_analyzedby | | keyword | -| rsa.misc.cs_av_other | | keyword | -| rsa.misc.cs_av_primary | | keyword | -| rsa.misc.cs_av_secondary | | keyword | -| rsa.misc.cs_bgpv6nxthop | | keyword | -| rsa.misc.cs_bit9status | | keyword | -| rsa.misc.cs_context | | keyword | -| rsa.misc.cs_control | | keyword | -| rsa.misc.cs_data | | keyword | -| rsa.misc.cs_datecret | | keyword | -| rsa.misc.cs_dst_tld | | keyword | -| rsa.misc.cs_eth_dst_ven | | keyword | -| rsa.misc.cs_eth_src_ven | | keyword | -| rsa.misc.cs_event_uuid | | keyword | -| rsa.misc.cs_filetype | | keyword | -| rsa.misc.cs_fld | | keyword | -| rsa.misc.cs_if_desc | | keyword | -| rsa.misc.cs_if_name | | keyword | -| rsa.misc.cs_ip_next_hop | | keyword | -| rsa.misc.cs_ipv4dstpre | | keyword | -| rsa.misc.cs_ipv4srcpre | | keyword | -| rsa.misc.cs_lifetime | | keyword | -| rsa.misc.cs_log_medium | | keyword | -| rsa.misc.cs_loginname | | keyword | -| rsa.misc.cs_modulescore | | keyword | -| rsa.misc.cs_modulesign | | keyword | -| rsa.misc.cs_opswatresult | | keyword | -| rsa.misc.cs_payload | | keyword | -| rsa.misc.cs_registrant | | keyword | -| rsa.misc.cs_registrar | | keyword | -| rsa.misc.cs_represult | | keyword | -| rsa.misc.cs_rpayload | | keyword | -| rsa.misc.cs_sampler_name | | keyword | -| rsa.misc.cs_sourcemodule | | keyword | -| rsa.misc.cs_streams | | keyword | -| rsa.misc.cs_targetmodule | | keyword | -| rsa.misc.cs_v6nxthop | | keyword | -| rsa.misc.cs_whois_server | | keyword | -| rsa.misc.cs_yararesult | | keyword | -| rsa.misc.cve | This key captures 
CVE (Common Vulnerabilities and Exposures) - an identifier for known information security vulnerabilities. | keyword | -| rsa.misc.data_type | | keyword | -| rsa.misc.description | | keyword | -| rsa.misc.device_name | This is used to capture name of the Device associated with the node Like: a physical disk, printer, etc | keyword | -| rsa.misc.devvendor | | keyword | -| rsa.misc.disposition | This key captures the The end state of an action. | keyword | -| rsa.misc.distance | | keyword | -| rsa.misc.doc_number | This key captures File Identification number | long | -| rsa.misc.dstburb | | keyword | -| rsa.misc.edomain | | keyword | -| rsa.misc.edomaub | | keyword | -| rsa.misc.ein_number | Employee Identification Numbers only | long | -| rsa.misc.error | This key captures All non successful Error codes or responses | keyword | -| rsa.misc.euid | | keyword | -| rsa.misc.event_category | | keyword | -| rsa.misc.event_computer | This key is a windows only concept, where this key is used to capture fully qualified domain name in a windows log. | keyword | -| rsa.misc.event_desc | This key is used to capture a description of an event available directly or inferred | keyword | -| rsa.misc.event_id | | keyword | -| rsa.misc.event_log | This key captures the Name of the event log | keyword | -| rsa.misc.event_source | This key captures Source of the event that’s not a hostname | keyword | -| rsa.misc.event_state | This key captures the current state of the object/item referenced within the event. Describing an on-going event. | keyword | -| rsa.misc.event_type | This key captures the event category type as specified by the event source. | keyword | -| rsa.misc.event_user | This key is a windows only concept, where this key is used to capture combination of domain name and username in a windows log. | keyword | -| rsa.misc.expected_val | This key captures the Value expected (from the perspective of the device generating the log). 
| keyword |
-| rsa.misc.facility | | keyword |
-| rsa.misc.facilityname | | keyword |
-| rsa.misc.fcatnum | This key captures Filter Category Number. Legacy Usage | keyword |
-| rsa.misc.filter | This key captures Filter used to reduce result set | keyword |
-| rsa.misc.finterface | | keyword |
-| rsa.misc.flags | | keyword |
-| rsa.misc.forensic_info | | keyword |
-| rsa.misc.found | This is used to capture the results of regex match | keyword |
-| rsa.misc.fresult | This key captures the Filter Result | long |
-| rsa.misc.gaddr | | keyword |
-| rsa.misc.group | This key captures the Group Name value | keyword |
-| rsa.misc.group_id | This key captures Group ID Number (related to the group name) | keyword |
-| rsa.misc.group_object | This key captures a collection/grouping of entities. Specific usage | keyword |
-| rsa.misc.hardware_id | This key is used to capture unique identifier for a device or system (NOT a Mac address) | keyword |
-| rsa.misc.id3 | | keyword |
-| rsa.misc.im_buddyid | | keyword |
-| rsa.misc.im_buddyname | | keyword |
-| rsa.misc.im_client | | keyword |
-| rsa.misc.im_croomid | | keyword |
-| rsa.misc.im_croomtype | | keyword |
-| rsa.misc.im_members | | keyword |
-| rsa.misc.im_userid | | keyword |
-| rsa.misc.im_username | | keyword |
-| rsa.misc.index | | keyword |
-| rsa.misc.inout | | keyword |
-| rsa.misc.ipkt | | keyword |
-| rsa.misc.ipscat | | keyword |
-| rsa.misc.ipspri | | keyword |
-| rsa.misc.job_num | This key captures the Job Number | keyword |
-| rsa.misc.jobname | | keyword |
-| rsa.misc.language | This is used to capture list of languages the client support and what it prefers | keyword |
-| rsa.misc.latitude | | keyword |
-| rsa.misc.library | This key is used to capture library information in mainframe devices | keyword |
-| rsa.misc.lifetime | This key is used to capture the session lifetime in seconds. | long |
-| rsa.misc.linenum | | keyword |
-| rsa.misc.link | This key is used to link the sessions together.
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword |
-| rsa.misc.list_name | | keyword |
-| rsa.misc.listnum | This key is used to capture listname or listnumber, primarily for collecting access-list | keyword |
-| rsa.misc.load_data | | keyword |
-| rsa.misc.location_floor | | keyword |
-| rsa.misc.location_mark | | keyword |
-| rsa.misc.log_id | | keyword |
-| rsa.misc.log_session_id | This key is used to capture a sessionid from the session directly | keyword |
-| rsa.misc.log_session_id1 | This key is used to capture a Linked (Related) Session ID from the session directly | keyword |
-| rsa.misc.log_type | | keyword |
-| rsa.misc.logid | | keyword |
-| rsa.misc.logip | | keyword |
-| rsa.misc.logname | | keyword |
-| rsa.misc.longitude | | keyword |
-| rsa.misc.lport | | keyword |
-| rsa.misc.mail_id | This key is used to capture the mailbox id/name | keyword |
-| rsa.misc.match | This key is for regex match name from search.ini | keyword |
-| rsa.misc.mbug_data | | keyword |
-| rsa.misc.message_body | This key captures the The contents of the message body. | keyword |
-| rsa.misc.misc | | keyword |
-| rsa.misc.misc_name | | keyword |
-| rsa.misc.mode | | keyword |
-| rsa.misc.msgIdPart1 | | keyword |
-| rsa.misc.msgIdPart2 | | keyword |
-| rsa.misc.msgIdPart3 | | keyword |
-| rsa.misc.msgIdPart4 | | keyword |
-| rsa.misc.msg_type | | keyword |
-| rsa.misc.msgid | | keyword |
-| rsa.misc.name | | keyword |
-| rsa.misc.netsessid | | keyword |
-| rsa.misc.node | Common use case is the node name within a cluster. The cluster name is reflected by the host name.
| keyword |
-| rsa.misc.ntype | | keyword |
-| rsa.misc.num | | keyword |
-| rsa.misc.number | | keyword |
-| rsa.misc.number1 | | keyword |
-| rsa.misc.number2 | | keyword |
-| rsa.misc.nwwn | | keyword |
-| rsa.misc.obj_name | This is used to capture name of object | keyword |
-| rsa.misc.obj_type | This is used to capture type of object | keyword |
-| rsa.misc.object | | keyword |
-| rsa.misc.observed_val | This key captures the Value observed (from the perspective of the device generating the log). | keyword |
-| rsa.misc.operation | | keyword |
-| rsa.misc.operation_id | An alert number or operation number. The values should be unique and non-repeating. | keyword |
-| rsa.misc.opkt | | keyword |
-| rsa.misc.orig_from | | keyword |
-| rsa.misc.owner_id | | keyword |
-| rsa.misc.p_action | | keyword |
-| rsa.misc.p_filter | | keyword |
-| rsa.misc.p_group_object | | keyword |
-| rsa.misc.p_id | | keyword |
-| rsa.misc.p_msgid | | keyword |
-| rsa.misc.p_msgid1 | | keyword |
-| rsa.misc.p_msgid2 | | keyword |
-| rsa.misc.p_result1 | | keyword |
-| rsa.misc.param | This key is the parameters passed as part of a command or application, etc. | keyword |
-| rsa.misc.param_dst | This key captures the command line/launch argument of the target process or file | keyword |
-| rsa.misc.param_src | This key captures source parameter | keyword |
-| rsa.misc.parent_node | This key captures the Parent Node Name. Must be related to node variable.
| keyword |
-| rsa.misc.password_chg | | keyword |
-| rsa.misc.password_expire | | keyword |
-| rsa.misc.payload_dst | This key is used to capture destination payload | keyword |
-| rsa.misc.payload_src | This key is used to capture source payload | keyword |
-| rsa.misc.permgranted | | keyword |
-| rsa.misc.permwanted | | keyword |
-| rsa.misc.pgid | | keyword |
-| rsa.misc.phone | | keyword |
-| rsa.misc.pid | | keyword |
-| rsa.misc.policy | | keyword |
-| rsa.misc.policyUUID | | keyword |
-| rsa.misc.policy_id | This key is used to capture the Policy ID only, this should be a numeric value, use policy.name otherwise | keyword |
-| rsa.misc.policy_name | This key is used to capture the Policy Name only. | keyword |
-| rsa.misc.policy_value | This key captures the contents of the policy. This contains details about the policy | keyword |
-| rsa.misc.policy_waiver | | keyword |
-| rsa.misc.pool_id | This key captures the identifier (typically numeric field) of a resource pool | keyword |
-| rsa.misc.pool_name | This key captures the name of a resource pool | keyword |
-| rsa.misc.port_name | This key is used for Physical or logical port connection but does NOT include a network port. (Example: Printer port name). | keyword |
-| rsa.misc.priority | | keyword |
-| rsa.misc.process_id_val | This key is a failure key for Process ID when it is not an integer value | keyword |
-| rsa.misc.prog_asp_num | | keyword |
-| rsa.misc.program | | keyword |
-| rsa.misc.real_data | | keyword |
-| rsa.misc.reason | | keyword |
-| rsa.misc.rec_asp_device | | keyword |
-| rsa.misc.rec_asp_num | | keyword |
-| rsa.misc.rec_library | | keyword |
-| rsa.misc.recordnum | | keyword |
-| rsa.misc.reference_id | This key is used to capture an event id from the session directly | keyword |
-| rsa.misc.reference_id1 | This key is for Linked ID to be used as an addition to "reference.id" | keyword |
-| rsa.misc.reference_id2 | This key is for the 2nd Linked ID.
Can be either linked to "reference.id" or "reference.id1" value but should not be used unless the other two variables are in play. | keyword |
-| rsa.misc.result | This key is used to capture the outcome/result string value of an action in a session. | keyword |
-| rsa.misc.result_code | This key is used to capture the outcome/result numeric value of an action in a session | keyword |
-| rsa.misc.risk | This key captures the non-numeric risk value | keyword |
-| rsa.misc.risk_info | Deprecated, use New Hunting Model (inv.\*, ioc, boc, eoc, analysis.\*) | keyword |
-| rsa.misc.risk_num | This key captures a Numeric Risk value | double |
-| rsa.misc.risk_num_comm | This key captures Risk Number Community | double |
-| rsa.misc.risk_num_next | This key captures Risk Number NextGen | double |
-| rsa.misc.risk_num_sand | This key captures Risk Number SandBox | double |
-| rsa.misc.risk_num_static | This key captures Risk Number Static | double |
-| rsa.misc.risk_suspicious | Deprecated, use New Hunting Model (inv.\*, ioc, boc, eoc, analysis.\*) | keyword |
-| rsa.misc.risk_warning | Deprecated, use New Hunting Model (inv.\*, ioc, boc, eoc, analysis.\*) | keyword |
-| rsa.misc.ruid | | keyword |
-| rsa.misc.rule | This key captures the Rule number | keyword |
-| rsa.misc.rule_group | This key captures the Rule group name | keyword |
-| rsa.misc.rule_name | This key captures the Rule Name | keyword |
-| rsa.misc.rule_template | A default set of parameters which are overlayed onto a rule (or rulename) which efffectively constitutes a template | keyword |
-| rsa.misc.rule_uid | This key is the Unique Identifier for a rule. | keyword |
-| rsa.misc.sburb | | keyword |
-| rsa.misc.sdomain_fld | | keyword |
-| rsa.misc.search_text | This key captures the Search Text used | keyword |
-| rsa.misc.sec | | keyword |
-| rsa.misc.second | | keyword |
-| rsa.misc.sensor | This key captures Name of the sensor.
Typically used in IDS/IPS based devices | keyword |
-| rsa.misc.sensorname | | keyword |
-| rsa.misc.seqnum | | keyword |
-| rsa.misc.serial_number | This key is the Serial number associated with a physical asset. | keyword |
-| rsa.misc.session | | keyword |
-| rsa.misc.sessiontype | | keyword |
-| rsa.misc.severity | This key is used to capture the severity given the session | keyword |
-| rsa.misc.sigUUID | | keyword |
-| rsa.misc.sig_id | This key captures IDS/IPS Int Signature ID | long |
-| rsa.misc.sig_id1 | This key captures IDS/IPS Int Signature ID. This must be linked to the sig.id | long |
-| rsa.misc.sig_id_str | This key captures a string object of the sigid variable. | keyword |
-| rsa.misc.sig_name | This key is used to capture the Signature Name only. | keyword |
-| rsa.misc.sigcat | | keyword |
-| rsa.misc.snmp_oid | SNMP Object Identifier | keyword |
-| rsa.misc.snmp_value | SNMP set request value | keyword |
-| rsa.misc.space | | keyword |
-| rsa.misc.space1 | | keyword |
-| rsa.misc.spi | | keyword |
-| rsa.misc.spi_dst | Destination SPI Index | keyword |
-| rsa.misc.spi_src | Source SPI Index | keyword |
-| rsa.misc.sql | This key captures the SQL query | keyword |
-| rsa.misc.srcburb | | keyword |
-| rsa.misc.srcdom | | keyword |
-| rsa.misc.srcservice | | keyword |
-| rsa.misc.state | | keyword |
-| rsa.misc.status | | keyword |
-| rsa.misc.status1 | | keyword |
-| rsa.misc.streams | This key captures number of streams in session | long |
-| rsa.misc.subcategory | | keyword |
-| rsa.misc.svcno | | keyword |
-| rsa.misc.system | | keyword |
-| rsa.misc.tbdstr1 | | keyword |
-| rsa.misc.tbdstr2 | | keyword |
-| rsa.misc.tcp_flags | This key is captures the TCP flags set in any packet of session | long |
-| rsa.misc.terminal | This key captures the Terminal Names only | keyword |
-| rsa.misc.tgtdom | | keyword |
-| rsa.misc.tgtdomain | | keyword |
-| rsa.misc.threshold | | keyword |
-| rsa.misc.tos | This key describes the type of service | long
|
-| rsa.misc.trigger_desc | This key captures the Description of the trigger or threshold condition. | keyword |
-| rsa.misc.trigger_val | This key captures the Value of the trigger or threshold condition. | keyword |
-| rsa.misc.type | | keyword |
-| rsa.misc.type1 | | keyword |
-| rsa.misc.udb_class | | keyword |
-| rsa.misc.url_fld | | keyword |
-| rsa.misc.user_div | | keyword |
-| rsa.misc.userid | | keyword |
-| rsa.misc.username_fld | | keyword |
-| rsa.misc.utcstamp | | keyword |
-| rsa.misc.v_instafname | | keyword |
-| rsa.misc.version | This key captures Version of the application or OS which is generating the event. | keyword |
-| rsa.misc.virt_data | | keyword |
-| rsa.misc.virusname | This key captures the name of the virus | keyword |
-| rsa.misc.vm_target | VMWare Target \*\*VMWARE\*\* only varaible. | keyword |
-| rsa.misc.vpnid | | keyword |
-| rsa.misc.vsys | This key captures Virtual System Name | keyword |
-| rsa.misc.vuln_ref | This key captures the Vulnerability Reference details | keyword |
-| rsa.misc.workspace | This key captures Workspace Description | keyword |
-| rsa.network.ad_computer_dst | Deprecated, use host.dst | keyword |
-| rsa.network.addr | | keyword |
-| rsa.network.alias_host | This key should be used when the source or destination context of a hostname is not clear.Also it captures the Device Hostname. Any Hostname that isnt ad.computer.
| keyword |
-| rsa.network.dinterface | This key should only be used when it’s a Destination Interface | keyword |
-| rsa.network.dmask | This key is used for Destionation Device network mask | keyword |
-| rsa.network.dns_a_record | | keyword |
-| rsa.network.dns_cname_record | | keyword |
-| rsa.network.dns_id | | keyword |
-| rsa.network.dns_opcode | | keyword |
-| rsa.network.dns_ptr_record | | keyword |
-| rsa.network.dns_resp | | keyword |
-| rsa.network.dns_type | | keyword |
-| rsa.network.domain | | keyword |
-| rsa.network.domain1 | | keyword |
-| rsa.network.eth_host | Deprecated, use alias.mac | keyword |
-| rsa.network.eth_type | This key is used to capture Ethernet Type, Used for Layer 3 Protocols Only | long |
-| rsa.network.faddr | | keyword |
-| rsa.network.fhost | | keyword |
-| rsa.network.fport | | keyword |
-| rsa.network.gateway | This key is used to capture the IP Address of the gateway | keyword |
-| rsa.network.host_dst | This key should only be used when it’s a Destination Hostname | keyword |
-| rsa.network.host_orig | This is used to capture the original hostname in case of a Forwarding Agent or a Proxy in between. | keyword |
-| rsa.network.host_type | | keyword |
-| rsa.network.icmp_code | This key is used to capture the ICMP code only | long |
-| rsa.network.icmp_type | This key is used to capture the ICMP type only | long |
-| rsa.network.interface | This key should be used when the source or destination context of an interface is not clear | keyword |
-| rsa.network.ip_proto | This key should be used to capture the Protocol number, all the protocol nubers are converted into string in UI | long |
-| rsa.network.laddr | | keyword |
-| rsa.network.lhost | | keyword |
-| rsa.network.linterface | | keyword |
-| rsa.network.mask | This key is used to capture the device network IPmask. | keyword |
-| rsa.network.netname | This key is used to capture the network name associated with an IP range. This is configured by the end user.
| keyword |
-| rsa.network.network_port | Deprecated, use port. NOTE: There is a type discrepancy as currently used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!) | long |
-| rsa.network.network_service | This is used to capture layer 7 protocols/service names | keyword |
-| rsa.network.origin | | keyword |
-| rsa.network.packet_length | | keyword |
-| rsa.network.paddr | Deprecated | ip |
-| rsa.network.phost | | keyword |
-| rsa.network.port | This key should only be used to capture a Network Port when the directionality is not clear | long |
-| rsa.network.protocol_detail | This key should be used to capture additional protocol information | keyword |
-| rsa.network.remote_domain_id | | keyword |
-| rsa.network.rpayload | This key is used to capture the total number of payload bytes seen in the retransmitted packets. | keyword |
-| rsa.network.sinterface | This key should only be used when it’s a Source Interface | keyword |
-| rsa.network.smask | This key is used for capturing source Network Mask | keyword |
-| rsa.network.vlan | This key should only be used to capture the ID of the Virtual LAN | long |
-| rsa.network.vlan_name | This key should only be used to capture the name of the Virtual LAN | keyword |
-| rsa.network.zone | This key should be used when the source or destination context of a Zone is not clear | keyword |
-| rsa.network.zone_dst | This key should only be used when it’s a Destination Zone. | keyword |
-| rsa.network.zone_src | This key should only be used when it’s a Source Zone. | keyword |
-| rsa.physical.org_dst | This is used to capture the destination organization based on the GEOPIP Maxmind database. | keyword |
-| rsa.physical.org_src | This is used to capture the source organization based on the GEOPIP Maxmind database.
| keyword |
-| rsa.storage.disk_volume | A unique name assigned to logical units (volumes) within a physical disk | keyword |
-| rsa.storage.lun | Logical Unit Number.This key is a very useful concept in Storage. | keyword |
-| rsa.storage.pwwn | This uniquely identifies a port on a HBA. | keyword |
-| rsa.threat.alert | This key is used to capture name of the alert | keyword |
-| rsa.threat.threat_category | This key captures Threat Name/Threat Category/Categorization of alert | keyword |
-| rsa.threat.threat_desc | This key is used to capture the threat description from the session directly or inferred | keyword |
-| rsa.threat.threat_source | This key is used to capture source of the threat | keyword |
-| rsa.time.date | | keyword |
-| rsa.time.datetime | | keyword |
-| rsa.time.day | | keyword |
-| rsa.time.duration_str | A text string version of the duration | keyword |
-| rsa.time.duration_time | This key is used to capture the normalized duration/lifetime in seconds. | double |
-| rsa.time.effective_time | This key is the effective time referenced by an individual event in a Standard Timestamp format | date |
-| rsa.time.endtime | This key is used to capture the End time mentioned in a session in a standard form | date |
-| rsa.time.event_queue_time | This key is the Time that the event was queued. | date |
-| rsa.time.event_time | This key is used to capture the time mentioned in a raw session that represents the actual time an event occured in a standard normalized form | date |
-| rsa.time.event_time_str | This key is used to capture the incomplete time mentioned in a session as a string | keyword |
-| rsa.time.eventtime | | keyword |
-| rsa.time.expire_time | This key is the timestamp that explicitly refers to an expiration. | date |
-| rsa.time.expire_time_str | This key is used to capture incomplete timestamp that explicitly refers to an expiration.
| keyword |
-| rsa.time.gmtdate | | keyword |
-| rsa.time.gmttime | | keyword |
-| rsa.time.hour | | keyword |
-| rsa.time.min | | keyword |
-| rsa.time.month | | keyword |
-| rsa.time.p_date | | keyword |
-| rsa.time.p_month | | keyword |
-| rsa.time.p_time | | keyword |
-| rsa.time.p_time1 | | keyword |
-| rsa.time.p_time2 | | keyword |
-| rsa.time.p_year | | keyword |
-| rsa.time.process_time | Deprecated, use duration.time | keyword |
-| rsa.time.recorded_time | The event time as recorded by the system the event is collected from. The usage scenario is a multi-tier application where the management layer of the system records it's own timestamp at the time of collection from its child nodes. Must be in timestamp format. | date |
-| rsa.time.stamp | Deprecated key defined only in table map. | date |
-| rsa.time.starttime | This key is used to capture the Start time mentioned in a session in a standard form | date |
-| rsa.time.timestamp | | keyword |
-| rsa.time.timezone | This key is used to capture the timezone of the Event Time | keyword |
-| rsa.time.tzone | | keyword |
-| rsa.time.year | | keyword |
-| rsa.web.alias_host | | keyword |
-| rsa.web.cn_asn_dst | | keyword |
-| rsa.web.cn_rpackets | | keyword |
-| rsa.web.fqdn | Fully Qualified Domain Names | keyword |
-| rsa.web.p_url | | keyword |
-| rsa.web.p_user_agent | | keyword |
-| rsa.web.p_web_cookie | | keyword |
-| rsa.web.p_web_method | | keyword |
-| rsa.web.p_web_referer | | keyword |
-| rsa.web.remote_domain | | keyword |
-| rsa.web.reputation_num | Reputation Number of an entity. Typically used for Web Domains | double |
-| rsa.web.urlpage | | keyword |
-| rsa.web.urlroot | | keyword |
-| rsa.web.web_cookie | This key is used to capture the Web cookies specifically.
| keyword |
-| rsa.web.web_extension_tmp | | keyword |
-| rsa.web.web_page | | keyword |
-| rsa.web.web_ref_domain | Web referer's domain | keyword |
-| rsa.web.web_ref_page | This key captures Web referer's page information | keyword |
-| rsa.web.web_ref_query | This key captures Web referer's query portion of the URL | keyword |
-| rsa.web.web_ref_root | Web referer's root URL path | keyword |
-| rsa.wireless.access_point | This key is used to capture the access point name. | keyword |
-| rsa.wireless.wlan_channel | This is used to capture the channel names | long |
-| rsa.wireless.wlan_name | This key captures either WLAN number/name | keyword |
-| rsa.wireless.wlan_ssid | This key is used to capture the ssid of a Wireless Session | keyword |
-| rule.name | The name of the rule or signature generating the event. | keyword |
-| server.domain | The domain name of the server system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword |
-| server.registered_domain | The highest registered server domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword |
-| server.subdomain | The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east".
If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword |
-| server.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword |
-| service.name | Name of the service data is collected from. The name of the service is normally user given. This allows for distributed services that run on multiple hosts to correlate the related instances based on the name. In the case of Elasticsearch the `service.name` could contain the cluster name. For Beats the `service.name` is by default a copy of the `service.type` field if no name is specified. | keyword |
-| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
-| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long |
-| source.as.organization.name | Organization name. | keyword |
-| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text |
-| source.bytes | Bytes sent from the source to the destination. | long |
-| source.domain | The domain name of the source system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword |
-| source.geo.city_name | City name.
| keyword |
-| source.geo.country_name | Country name. | keyword |
-| source.geo.location | Longitude and latitude. | geo_point |
-| source.ip | IP address of the source (IPv4 or IPv6). | ip |
-| source.mac | MAC address of the source. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword |
-| source.nat.ip | Translated ip of source based NAT sessions (e.g. internal client to internet) Typically connections traversing load balancers, firewalls, or routers. | ip |
-| source.nat.port | Translated port of source based NAT sessions. (e.g. internal client to internet) Typically used with load balancers, firewalls, or routers. | long |
-| source.port | Port of the source. | long |
-| source.registered_domain | The highest registered source domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword |
-| source.subdomain | The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword |
-| source.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name.
For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword |
-| tags | List of keywords used to tag each event. | keyword |
-| url.domain | Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. | keyword |
-| url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | wildcard |
-| url.original.text | Multi-field of `url.original`. | match_only_text |
-| url.path | Path of the request, such as "/search". | wildcard |
-| url.query | The query field describes the query string of the request, such as "q=elasticsearch". The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. | keyword |
-| url.registered_domain | The highest registered url domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk".
| keyword |
-| url.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword |
-| user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword |
-| user.full_name | User's full name, if available. | keyword |
-| user.full_name.text | Multi-field of `user.full_name`. | match_only_text |
-| user.id | Unique identifier of the user. | keyword |
-| user.name | Short name or login of the user. | keyword |
-| user.name.text | Multi-field of `user.name`. | match_only_text |
-| user_agent.original | Unparsed user_agent string. | keyword |
-| user_agent.original.text | Multi-field of `user_agent.original`. | match_only_text |
diff --git a/packages/fortinet_fortimail/1.1.1/img/fortinet-logo.svg b/packages/fortinet_fortimail/1.1.1/img/fortinet-logo.svg
deleted file mode 100755
index d6a8448f32..0000000000
--- a/packages/fortinet_fortimail/1.1.1/img/fortinet-logo.svg
+++ /dev/null
@@ -1,9 +0,0 @@
-
-
-
-
-
-
-
-
-
diff --git a/packages/fortinet_fortimail/1.1.1/manifest.yml b/packages/fortinet_fortimail/1.1.1/manifest.yml
deleted file mode 100755
index 8b8b96278b..0000000000
--- a/packages/fortinet_fortimail/1.1.1/manifest.yml
+++ /dev/null
@@ -1,32 +0,0 @@ -name: fortinet_fortimail -title: Fortinet FortiMail Logs -version: 1.1.1 -release: ga -description: Collect logs from Fortinet FortiMail instances with Elastic Agent. -type: integration -format_version: 1.0.0 -license: basic -categories: ["security"] -conditions: - kibana.version: "^7.14.1 || ^8.0.0" -icons: - - src: /img/fortinet-logo.svg - title: Fortinet - size: 216x216 - type: image/svg+xml -policy_templates: - - name: fortinet_fortimail - title: Fortinet FortiMail logs - description: Collect logs from Fortinet FortiMail instances - inputs: - - type: logfile - title: "Collect Fortinet FortiMail logs (input: logfile)" - description: "Collecting logs from Fortinet FortiMail instances (input: logfile)" - - type: tcp - title: "Collect Fortinet FortiMail logs (input: tcp)" - description: "Collecting logs from Fortinet FortiMail instances (input: tcp)" - - type: udp - title: "Collect Fortinet FortiMail logs (input: udp)" - description: "Collecting logs from Fortinet FortiMail instances (input: udp)" -owner: - github: elastic/security-external-integrations diff --git a/packages/fortinet_fortimail/1.1.2/LICENSE.txt b/packages/fortinet_fortimail/1.1.2/LICENSE.txt deleted file mode 100755 index 809108b857..0000000000 --- a/packages/fortinet_fortimail/1.1.2/LICENSE.txt +++ /dev/null 
@@ -1,93 +0,0 @@ -Elastic License 2.0 - -URL: https://www.elastic.co/licensing/elastic-license - -## Acceptance - -By using the software, you agree to all of the terms and conditions below. - -## Copyright License - -The licensor grants you a non-exclusive, royalty-free, worldwide, -non-sublicensable, non-transferable license to use, copy, distribute, make -available, and prepare derivative works of the software, in each case subject to -the limitations and conditions below. - -## Limitations - -You may not provide the software to third parties as a hosted or managed -service, where the service provides users with access to any substantial set of -the features or functionality of the software. - -You may not move, change, disable, or circumvent the license key functionality -in the software, and you may not remove or obscure any functionality in the -software that is protected by the license key. - -You may not alter, remove, or obscure any licensing, copyright, or other notices -of the licensor in the software. Any use of the licensor’s trademarks is subject -to applicable law. - -## Patents - -The licensor grants you a license, under any patent claims the licensor can -license, or becomes able to license, to make, have made, use, sell, offer for -sale, import and have imported the software, in each case subject to the -limitations and conditions in this license. This license does not cover any -patent claims that you cause to be infringed by modifications or additions to -the software. If you or your company make any written claim that the software -infringes or contributes to infringement of any patent, your patent license for -the software granted under these terms ends immediately. If your company makes -such a claim, your patent license ends immediately for work on behalf of your -company. - -## Notices - -You must ensure that anyone who gets a copy of any part of the software from you -also gets a copy of these terms. 
- -If you modify the software, you must include in any modified copies of the -software prominent notices stating that you have modified the software. - -## No Other Rights - -These terms do not imply any licenses other than those expressly granted in -these terms. - -## Termination - -If you use the software in violation of these terms, such use is not licensed, -and your licenses will automatically terminate. If the licensor provides you -with a notice of your violation, and you cease all violation of this license no -later than 30 days after you receive that notice, your licenses will be -reinstated retroactively. However, if you violate these terms after such -reinstatement, any additional violation of these terms will cause your licenses -to terminate automatically and permanently. - -## No Liability - -*As far as the law allows, the software comes as is, without any warranty or -condition, and the licensor will not be liable to you for any damages arising -out of these terms or the use or nature of the software, under any kind of -legal claim.* - -## Definitions - -The **licensor** is the entity offering these terms, and the **software** is the -software the licensor makes available under these terms, including any portion -of it. - -**you** refers to the individual or entity agreeing to these terms. - -**your company** is any legal entity, sole proprietorship, or other kind of -organization that you work for, plus all organizations that have control over, -are under the control of, or are under common control with that -organization. **control** means ownership of substantially all the assets of an -entity, or the power to direct its management and policies by vote, contract, or -otherwise. Control can be direct or indirect. - -**your licenses** are all the licenses granted to you for the software under -these terms. - -**use** means anything you do with the software requiring one of your licenses. 
- -**trademark** means trademarks, service marks, and similar rights. diff --git a/packages/fortinet_fortimail/1.1.2/changelog.yml b/packages/fortinet_fortimail/1.1.2/changelog.yml deleted file mode 100755 index 6c5192c2fa..0000000000 --- a/packages/fortinet_fortimail/1.1.2/changelog.yml +++ /dev/null @@ -1,21 +0,0 @@ -# newer versions go on top -- version: "1.1.2" - changes: - - description: Remove duplicate field. - type: bugfix - link: https://github.com/elastic/integrations/issues/4327 -- version: "1.1.1" - changes: - - description: Use ECS geo.location definition. - type: enhancement - link: https://github.com/elastic/integrations/issues/4227 -- version: "1.1.0" - changes: - - description: Update Ingest Pipeline with observer Fields - type: enhancement - link: https://github.com/elastic/integrations/pull/3819 -- version: "1.0.0" - changes: - - description: Initial version of Fortinet FortiMail as separate package - type: enhancement - link: https://github.com/elastic/integrations/pull/3266 diff --git a/packages/fortinet_fortimail/1.1.2/data_stream/log/agent/stream/log.yml.hbs b/packages/fortinet_fortimail/1.1.2/data_stream/log/agent/stream/log.yml.hbs deleted file mode 100755 index aae90729e5..0000000000 --- a/packages/fortinet_fortimail/1.1.2/data_stream/log/agent/stream/log.yml.hbs +++ /dev/null 
@@ -1,4294 +0,0 @@ -paths: -{{#each paths as |path i|}} - - {{path}} -{{/each}} -exclude_files: [".gz$"] -tags: -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#each tags as |tag i|}} - - {{tag}} -{{/each}} -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} -processors: -{{#if processors}} -{{processors}} -{{/if}} -- script: - lang: javascript - params: - ecs: true - rsa: {{rsa_fields}} - tz_offset: {{tz_offset}} - keep_raw: {{keep_raw_fields}} - debug: {{debug}} - source: | - // Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - // or more contributor license agreements. Licensed under the Elastic License; - // you may not use this file except in compliance with the Elastic License. - - /* jshint -W014,-W016,-W097,-W116 */ - - var processor = require("processor"); - var console = require("console"); - - var FLAG_FIELD = "log.flags"; - var FIELDS_OBJECT = "nwparser"; - var FIELDS_PREFIX = FIELDS_OBJECT + "."; - - var defaults = { - debug: false, - ecs: true, - rsa: false, - keep_raw: false, - tz_offset: "local", - strip_priority: true - }; - - var saved_flags = null; - var debug; - var map_ecs; - var map_rsa; - var keep_raw; - var device; - var tz_offset; - var strip_priority; - - // Register params from configuration. - function register(params) { - debug = params.debug !== undefined ? params.debug : defaults.debug; - map_ecs = params.ecs !== undefined ? params.ecs : defaults.ecs; - map_rsa = params.rsa !== undefined ? params.rsa : defaults.rsa; - keep_raw = params.keep_raw !== undefined ? params.keep_raw : defaults.keep_raw; - tz_offset = parse_tz_offset(params.tz_offset !== undefined? params.tz_offset : defaults.tz_offset); - strip_priority = params.strip_priority !== undefined? 
params.strip_priority : defaults.strip_priority; - device = new DeviceProcessor(); - } - - function parse_tz_offset(offset) { - var date; - var m; - switch(offset) { - // local uses the tz offset from the JS VM. - case "local": - date = new Date(); - // Reversing the sign as we the offset from UTC, not to UTC. - return parse_local_tz_offset(-date.getTimezoneOffset()); - // event uses the tz offset from event.timezone (add_locale processor). - case "event": - return offset; - // Otherwise a tz offset in the form "[+-][0-9]{4}" is required. - default: - m = offset.match(/^([+\-])([0-9]{2}):?([0-9]{2})?$/); - if (m === null || m.length !== 4) { - throw("bad timezone offset: '" + offset + "'. Must have the form +HH:MM"); - } - return m[1] + m[2] + ":" + (m[3]!==undefined? m[3] : "00"); - } - } - - function parse_local_tz_offset(minutes) { - var neg = minutes < 0; - minutes = Math.abs(minutes); - var min = minutes % 60; - var hours = Math.floor(minutes / 60); - var pad2digit = function(n) { - if (n < 10) { return "0" + n;} - return "" + n; - }; - return (neg? "-" : "+") + pad2digit(hours) + ":" + pad2digit(min); - } - - function process(evt) { - // Function register is only called by the processor when `params` are set - // in the processor config. - if (device === undefined) { - register(defaults); - } - return device.process(evt); - } - - function processor_chain(subprocessors) { - var builder = new processor.Chain(); - subprocessors.forEach(builder.Add); - return builder.Build().Run; - } - - function linear_select(subprocessors) { - return function (evt) { - var flags = evt.Get(FLAG_FIELD); - var i; - for (i = 0; i < subprocessors.length; i++) { - evt.Delete(FLAG_FIELD); - if (debug) console.warn("linear_select trying entry " + i); - subprocessors[i](evt); - // Dissect processor succeeded? 
- if (evt.Get(FLAG_FIELD) == null) break; - if (debug) console.warn("linear_select failed entry " + i); - } - if (flags !== null) { - evt.Put(FLAG_FIELD, flags); - } - if (debug) { - if (i < subprocessors.length) { - console.warn("linear_select matched entry " + i); - } else { - console.warn("linear_select didn't match"); - } - } - }; - } - - function conditional(opt) { - return function(evt) { - if (opt.if(evt)) { - opt.then(evt); - } else if (opt.else) { - opt.else(evt); - } - }; - } - - var strip_syslog_priority = (function() { - var isEnabled = function() { return strip_priority === true; }; - var fetchPRI = field("_pri"); - var fetchPayload = field("payload"); - var removePayload = remove(["payload"]); - var cleanup = remove(["_pri", "payload"]); - var onMatch = function(evt) { - var pri, priStr = fetchPRI(evt); - if (priStr != null - && 0 < priStr.length && priStr.length < 4 - && !isNaN((pri = Number(priStr))) - && 0 <= pri && pri < 192) { - var severity = pri & 7, - facility = pri >> 3; - setc("_severity", "" + severity)(evt); - setc("_facility", "" + facility)(evt); - // Replace message with priority stripped. - evt.Put("message", fetchPayload(evt)); - removePayload(evt); - } else { - // not a valid syslog PRI, cleanup. 
- cleanup(evt); - } - }; - return conditional({ - if: isEnabled, - then: cleanup_flags(match( - "STRIP_PRI", - "message", - "<%{_pri}>%{payload}", - onMatch - )) - }); - })(); - - function match(id, src, pattern, on_success) { - var dissect = new processor.Dissect({ - field: src, - tokenizer: pattern, - target_prefix: FIELDS_OBJECT, - ignore_failure: true, - overwrite_keys: true, - trim_values: "right" - }); - return function (evt) { - var msg = evt.Get(src); - dissect.Run(evt); - var failed = evt.Get(FLAG_FIELD) != null; - if (debug) { - if (failed) { - console.debug("dissect fail: " + id + " field:" + src); - } else { - console.debug("dissect OK: " + id + " field:" + src); - } - console.debug(" expr: <<" + pattern + ">>"); - console.debug(" input: <<" + msg + ">>"); - } - if (on_success != null && !failed) { - on_success(evt); - } - }; - } - - function match_copy(id, src, dst, on_success) { - dst = FIELDS_PREFIX + dst; - if (dst === FIELDS_PREFIX || dst === src) { - return function (evt) { - if (debug) { - console.debug("noop OK: " + id + " field:" + src); - console.debug(" input: <<" + evt.Get(src) + ">>"); - } - if (on_success != null) on_success(evt); - } - } - return function (evt) { - var msg = evt.Get(src); - evt.Put(dst, msg); - if (debug) { - console.debug("copy OK: " + id + " field:" + src); - console.debug(" target: '" + dst + "'"); - console.debug(" input: <<" + msg + ">>"); - } - if (on_success != null) on_success(evt); - } - } - - function cleanup_flags(processor) { - return function(evt) { - processor(evt); - evt.Delete(FLAG_FIELD); - }; - } - - function all_match(opts) { - return function (evt) { - var i; - for (i = 0; i < opts.processors.length; i++) { - evt.Delete(FLAG_FIELD); - opts.processors[i](evt); - // Dissect processor succeeded? 
- if (evt.Get(FLAG_FIELD) != null) { - if (debug) console.warn("all_match failure at " + i); - if (opts.on_failure != null) opts.on_failure(evt); - return; - } - if (debug) console.warn("all_match success at " + i); - } - if (opts.on_success != null) opts.on_success(evt); - }; - } - - function msgid_select(mapping) { - return function (evt) { - var msgid = evt.Get(FIELDS_PREFIX + "messageid"); - if (msgid == null) { - if (debug) console.warn("msgid_select: no messageid captured!"); - return; - } - var next = mapping[msgid]; - if (next === undefined) { - if (debug) console.warn("msgid_select: no mapping for messageid:" + msgid); - return; - } - if (debug) console.info("msgid_select: matched key=" + msgid); - return next(evt); - }; - } - - function msg(msg_id, match) { - return function (evt) { - match(evt); - if (evt.Get(FLAG_FIELD) == null) { - evt.Put(FIELDS_PREFIX + "msg_id1", msg_id); - } - }; - } - - var start; - - function save_flags(evt) { - saved_flags = evt.Get(FLAG_FIELD); - evt.Put("event.original", evt.Get("message")); - } - - function restore_flags(evt) { - if (saved_flags !== null) { - evt.Put(FLAG_FIELD, saved_flags); - } - evt.Delete("message"); - } - - function constant(value) { - return function (evt) { - return value; - }; - } - - function field(name) { - var fullname = FIELDS_PREFIX + name; - return function (evt) { - return evt.Get(fullname); - }; - } - - function STRCAT(args) { - var s = ""; - var i; - for (i = 0; i < args.length; i++) { - s += args[i]; - } - return s; - } - - // TODO: Implement - function DIRCHK(args) { - unimplemented("DIRCHK"); - } - - function strictToInt(str) { - return str * 1; - } - - function CALC(args) { - if (args.length !== 3) { - console.warn("skipped call to CALC with " + args.length + " arguments."); - return; - } - var a = strictToInt(args[0]); - var b = strictToInt(args[2]); - if (isNaN(a) || isNaN(b)) { - console.warn("failed evaluating CALC arguments a='" + args[0] + "' b='" + args[2] + "'."); - return; - } - 
var result; - switch (args[1]) { - case "+": - result = a + b; - break; - case "-": - result = a - b; - break; - case "*": - result = a * b; - break; - default: - // Only * and + seen in the parsers. - console.warn("unknown CALC operation '" + args[1] + "'."); - return; - } - // Always return a string - return result !== undefined ? "" + result : result; - } - - var quoteChars = "\"'`"; - function RMQ(args) { - if(args.length !== 1) { - console.warn("RMQ: only one argument expected"); - return; - } - var value = args[0].trim(); - var n = value.length; - var char; - return n > 1 - && (char=value.charAt(0)) === value.charAt(n-1) - && quoteChars.indexOf(char) !== -1? - value.substr(1, n-2) - : value; - } - - function call(opts) { - var args = new Array(opts.args.length); - return function (evt) { - for (var i = 0; i < opts.args.length; i++) - if ((args[i] = opts.args[i](evt)) == null) return; - var result = opts.fn(args); - if (result != null) { - evt.Put(opts.dest, result); - } - }; - } - - function nop(evt) { - } - - function appendErrorMsg(evt, msg) { - var value = evt.Get("error.message"); - if (value == null) { - value = [msg]; - } else if (msg instanceof Array) { - value.push(msg); - } else { - value = [value, msg]; - } - evt.Put("error.message", value); - } - - function unimplemented(name) { - appendErrorMsg("unimplemented feature: " + name); - } - - function lookup(opts) { - return function (evt) { - var key = opts.key(evt); - if (key == null) return; - var value = opts.map.keyvaluepairs[key]; - if (value === undefined) { - value = opts.map.default; - } - if (value !== undefined) { - evt.Put(opts.dest, value(evt)); - } - }; - } - - function set(fields) { - return new processor.AddFields({ - target: FIELDS_OBJECT, - fields: fields, - }); - } - - function setf(dst, src) { - return function (evt) { - var val = evt.Get(FIELDS_PREFIX + src); - if (val != null) evt.Put(FIELDS_PREFIX + dst, val); - }; - } - - function setc(dst, value) { - return function (evt) { - 
evt.Put(FIELDS_PREFIX + dst, value); - }; - } - - function set_field(opts) { - return function (evt) { - var val = opts.value(evt); - if (val != null) evt.Put(opts.dest, val); - }; - } - - function dump(label) { - return function (evt) { - console.log("Dump of event at " + label + ": " + JSON.stringify(evt, null, "\t")); - }; - } - - function date_time_join_args(evt, arglist) { - var str = ""; - for (var i = 0; i < arglist.length; i++) { - var fname = FIELDS_PREFIX + arglist[i]; - var val = evt.Get(fname); - if (val != null) { - if (str !== "") str += " "; - str += val; - } else { - if (debug) console.warn("in date_time: input arg " + fname + " is not set"); - } - } - return str; - } - - function to2Digit(num) { - return num? (num < 10? "0" + num : num) : "00"; - } - - // Make two-digit dates 00-69 interpreted as 2000-2069 - // and dates 70-99 translated to 1970-1999. - var twoDigitYearEpoch = 70; - var twoDigitYearCentury = 2000; - - // This is to accept dates up to 2 days in the future, only used when - // no year is specified in a date. 2 days should be enough to account for - // time differences between systems and different tz offsets. - var maxFutureDelta = 2*24*60*60*1000; - - // DateContainer stores date fields and then converts those fields into - // a Date. Necessary because building a Date using its set() methods gives - // different results depending on the order of components. - function DateContainer(tzOffset) { - this.offset = tzOffset === undefined? "Z" : tzOffset; - } - - DateContainer.prototype = { - setYear: function(v) {this.year = v;}, - setMonth: function(v) {this.month = v;}, - setDay: function(v) {this.day = v;}, - setHours: function(v) {this.hours = v;}, - setMinutes: function(v) {this.minutes = v;}, - setSeconds: function(v) {this.seconds = v;}, - - setUNIX: function(v) {this.unix = v;}, - - set2DigitYear: function(v) { - this.year = v < twoDigitYearEpoch? 
twoDigitYearCentury + v : twoDigitYearCentury + v - 100; - }, - - toDate: function() { - if (this.unix !== undefined) { - return new Date(this.unix * 1000); - } - if (this.day === undefined || this.month === undefined) { - // Can't make a date from this. - return undefined; - } - if (this.year === undefined) { - // A date without a year. Set current year, or previous year - // if date would be in the future. - var now = new Date(); - this.year = now.getFullYear(); - var date = this.toDate(); - if (date.getTime() - now.getTime() > maxFutureDelta) { - date.setFullYear(now.getFullYear() - 1); - } - return date; - } - var MM = to2Digit(this.month); - var DD = to2Digit(this.day); - var hh = to2Digit(this.hours); - var mm = to2Digit(this.minutes); - var ss = to2Digit(this.seconds); - return new Date(this.year + "-" + MM + "-" + DD + "T" + hh + ":" + mm + ":" + ss + this.offset); - } - } - - function date_time_try_pattern(fmt, str, tzOffset) { - var date = new DateContainer(tzOffset); - var pos = date_time_try_pattern_at_pos(fmt, str, 0, date); - return pos !== undefined? 
date.toDate() : undefined; - } - - function date_time_try_pattern_at_pos(fmt, str, pos, date) { - var len = str.length; - for (var proc = 0; pos !== undefined && pos < len && proc < fmt.length; proc++) { - pos = fmt[proc](str, pos, date); - } - return pos; - } - - function date_time(opts) { - return function (evt) { - var tzOffset = opts.tz || tz_offset; - if (tzOffset === "event") { - tzOffset = evt.Get("event.timezone"); - } - var str = date_time_join_args(evt, opts.args); - for (var i = 0; i < opts.fmts.length; i++) { - var date = date_time_try_pattern(opts.fmts[i], str, tzOffset); - if (date !== undefined) { - evt.Put(FIELDS_PREFIX + opts.dest, date); - return; - } - } - if (debug) console.warn("in date_time: id=" + opts.id + " FAILED: " + str); - }; - } - - var uA = 60 * 60 * 24; - var uD = 60 * 60 * 24; - var uF = 60 * 60; - var uG = 60 * 60 * 24 * 30; - var uH = 60 * 60; - var uI = 60 * 60; - var uJ = 60 * 60 * 24; - var uM = 60 * 60 * 24 * 30; - var uN = 60 * 60; - var uO = 1; - var uS = 1; - var uT = 60; - var uU = 60; - var uc = dc; - - function duration(opts) { - return function(evt) { - var str = date_time_join_args(evt, opts.args); - for (var i = 0; i < opts.fmts.length; i++) { - var seconds = duration_try_pattern(opts.fmts[i], str); - if (seconds !== undefined) { - evt.Put(FIELDS_PREFIX + opts.dest, seconds); - return; - } - } - if (debug) console.warn("in duration: id=" + opts.id + " (s) FAILED: " + str); - }; - } - - function duration_try_pattern(fmt, str) { - var secs = 0; - var pos = 0; - for (var i=0; i [ month_id , how many chars to skip if month in long form ] - "Jan": [0, 4], - "Feb": [1, 5], - "Mar": [2, 2], - "Apr": [3, 2], - "May": [4, 0], - "Jun": [5, 1], - "Jul": [6, 1], - "Aug": [7, 3], - "Sep": [8, 6], - "Oct": [9, 4], - "Nov": [10, 5], - "Dec": [11, 4], - "jan": [0, 4], - "feb": [1, 5], - "mar": [2, 2], - "apr": [3, 2], - "may": [4, 0], - "jun": [5, 1], - "jul": [6, 1], - "aug": [7, 3], - "sep": [8, 6], - "oct": [9, 4], - "nov": [10, 
5], - "dec": [11, 4], - }; - - // var dC = undefined; - var dR = dateMonthName(true); - var dB = dateMonthName(false); - var dM = dateFixedWidthNumber("M", 2, 1, 12, DateContainer.prototype.setMonth); - var dG = dateVariableWidthNumber("G", 1, 12, DateContainer.prototype.setMonth); - var dD = dateFixedWidthNumber("D", 2, 1, 31, DateContainer.prototype.setDay); - var dF = dateVariableWidthNumber("F", 1, 31, DateContainer.prototype.setDay); - var dH = dateFixedWidthNumber("H", 2, 0, 24, DateContainer.prototype.setHours); - var dI = dateVariableWidthNumber("I", 0, 24, DateContainer.prototype.setHours); // Accept hours >12 - var dN = dateVariableWidthNumber("N", 0, 24, DateContainer.prototype.setHours); - var dT = dateFixedWidthNumber("T", 2, 0, 59, DateContainer.prototype.setMinutes); - var dU = dateVariableWidthNumber("U", 0, 59, DateContainer.prototype.setMinutes); - var dP = parseAMPM; // AM|PM - var dQ = parseAMPM; // A.M.|P.M - var dS = dateFixedWidthNumber("S", 2, 0, 60, DateContainer.prototype.setSeconds); - var dO = dateVariableWidthNumber("O", 0, 60, DateContainer.prototype.setSeconds); - var dY = dateFixedWidthNumber("Y", 2, 0, 99, DateContainer.prototype.set2DigitYear); - var dW = dateFixedWidthNumber("W", 4, 1000, 9999, DateContainer.prototype.setYear); - var dZ = parseHMS; - var dX = dateVariableWidthNumber("X", 0, 0x10000000000, DateContainer.prototype.setUNIX); - - // parseAMPM parses "A.M", "AM", "P.M", "PM" from logs. - // Only works if this modifier appears after the hour has been read from logs - // which is always the case in the 300 devices. 
- function parseAMPM(str, pos, date) { - var n = str.length; - var start = skipws(str, pos); - if (start + 2 > n) return; - var head = str.substr(start, 2).toUpperCase(); - var isPM = false; - var skip = false; - switch (head) { - case "A.": - skip = true; - /* falls through */ - case "AM": - break; - case "P.": - skip = true; - /* falls through */ - case "PM": - isPM = true; - break; - default: - if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(head:" + head + ")"); - return; - } - pos = start + 2; - if (skip) { - if (pos+2 > n || str.substr(pos, 2).toUpperCase() !== "M.") { - if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(tail)"); - return; - } - pos += 2; - } - var hh = date.hours; - if (isPM) { - // Accept existing hour in 24h format. - if (hh < 12) hh += 12; - } else { - if (hh === 12) hh = 0; - } - date.setHours(hh); - return pos; - } - - function parseHMS(str, pos, date) { - return date_time_try_pattern_at_pos([dN, dc(":"), dU, dc(":"), dO], str, pos, date); - } - - function skipws(str, pos) { - for ( var n = str.length; - pos < n && str.charAt(pos) === " "; - pos++) - ; - return pos; - } - - function skipdigits(str, pos) { - var c; - for (var n = str.length; - pos < n && (c = str.charAt(pos)) >= "0" && c <= "9"; - pos++) - ; - return pos; - } - - function dSkip(str, pos, date) { - var chr; - for (;pos < str.length && (chr=str[pos])<'0' || chr>'9'; pos++) {} - return pos < str.length? 
pos : undefined; - } - - function dateVariableWidthNumber(fmtChar, min, max, setter) { - return function (str, pos, date) { - var start = skipws(str, pos); - pos = skipdigits(str, start); - var s = str.substr(start, pos - start); - var value = parseInt(s, 10); - if (value >= min && value <= max) { - setter.call(date, value); - return pos; - } - return; - }; - } - - function dateFixedWidthNumber(fmtChar, width, min, max, setter) { - return function (str, pos, date) { - pos = skipws(str, pos); - var n = str.length; - if (pos + width > n) return; - var s = str.substr(pos, width); - var value = parseInt(s, 10); - if (value >= min && value <= max) { - setter.call(date, value); - return pos + width; - } - return; - }; - } - - // Short month name (Jan..Dec). - function dateMonthName(long) { - return function (str, pos, date) { - pos = skipws(str, pos); - var n = str.length; - if (pos + 3 > n) return; - var mon = str.substr(pos, 3); - var idx = shortMonths[mon]; - if (idx === undefined) { - idx = shortMonths[mon.toLowerCase()]; - } - if (idx === undefined) { - //console.warn("parsing date_time: '" + mon + "' is not a valid short month (%B)"); - return; - } - date.setMonth(idx[0]+1); - return pos + 3 + (long ? 
idx[1] : 0); - }; - } - - function url_wrapper(dst, src, fn) { - return function(evt) { - var value = evt.Get(FIELDS_PREFIX + src), result; - if (value != null && (result = fn(value))!== undefined) { - evt.Put(FIELDS_PREFIX + dst, result); - } else { - console.debug(fn.name + " failed for '" + value + "'"); - } - }; - } - - // The following regular expression for parsing URLs from: - // https://github.com/wizard04wsu/URI_Parsing - // - // The MIT License (MIT) - // - // Copyright (c) 2014 Andrew Harrison - // - // Permission is hereby granted, free of charge, to any person obtaining a copy of - // this software and associated documentation files (the "Software"), to deal in - // the Software without restriction, including without limitation the rights to - // use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of - // the Software, and to permit persons to whom the Software is furnished to do so, - // subject to the following conditions: - // - // The above copyright notice and this permission notice shall be included in all - // copies or substantial portions of the Software. - // - // THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR - // IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS - // FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR - // COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER - // IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN - // CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 
- var uriRegExp = /^([a-z][a-z0-9+.\-]*):(?:\/\/((?:(?=((?:[a-z0-9\-._~!$&'()*+,;=:]|%[0-9A-F]{2})*))(\3)@)?(?=(\[[0-9A-F:.]{2,}\]|(?:[a-z0-9\-._~!$&'()*+,;=]|%[0-9A-F]{2})*))\5(?::(?=(\d*))\6)?)(\/(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\8)?|(\/?(?!\/)(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\10)?)(?:\?(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\11)?(?:#(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\12)?$/i; - - var uriScheme = 1; - var uriDomain = 5; - var uriPort = 6; - var uriPath = 7; - var uriPathAlt = 9; - var uriQuery = 11; - - function domain(dst, src) { - return url_wrapper(dst, src, extract_domain); - } - - function split_url(value) { - var m = value.match(uriRegExp); - if (m && m[uriDomain]) return m; - // Support input in the form "www.example.net/path", but not "/path". - m = ("null://" + value).match(uriRegExp); - if (m) return m; - } - - function extract_domain(value) { - var m = split_url(value); - if (m && m[uriDomain]) return m[uriDomain]; - } - - var extFromPage = /\.[^.]+$/; - function extract_ext(value) { - var page = extract_page(value); - if (page) { - var m = page.match(extFromPage); - if (m) return m[0]; - } - } - - function ext(dst, src) { - return url_wrapper(dst, src, extract_ext); - } - - function fqdn(dst, src) { - // TODO: fqdn and domain(eTLD+1) are currently the same. - return domain(dst, src); - } - - var pageFromPathRegExp = /\/([^\/]+)$/; - var pageName = 1; - - function extract_page(value) { - value = extract_path(value); - if (!value) return undefined; - var m = value.match(pageFromPathRegExp); - if (m) return m[pageName]; - } - - function page(dst, src) { - return url_wrapper(dst, src, extract_page); - } - - function extract_path(value) { - var m = split_url(value); - return m? m[uriPath] || m[uriPathAlt] : undefined; - } - - function path(dst, src) { - return url_wrapper(dst, src, extract_path); - } - - // Map common schemes to their default port. 
- // port has to be a string (will be converted at a later stage). - var schemePort = { - "ftp": "21", - "ssh": "22", - "http": "80", - "https": "443", - }; - - function extract_port(value) { - var m = split_url(value); - if (!m) return undefined; - if (m[uriPort]) return m[uriPort]; - if (m[uriScheme]) { - return schemePort[m[uriScheme]]; - } - } - - function port(dst, src) { - return url_wrapper(dst, src, extract_port); - } - - function extract_query(value) { - var m = split_url(value); - if (m && m[uriQuery]) return m[uriQuery]; - } - - function query(dst, src) { - return url_wrapper(dst, src, extract_query); - } - - function extract_root(value) { - var m = split_url(value); - if (m && m[uriDomain] && m[uriDomain]) { - var scheme = m[uriScheme] && m[uriScheme] !== "null"? - m[uriScheme] + "://" : ""; - var port = m[uriPort]? ":" + m[uriPort] : ""; - return scheme + m[uriDomain] + port; - } - } - - function root(dst, src) { - return url_wrapper(dst, src, extract_root); - } - - function tagval(id, src, cfg, keys, on_success) { - var fail = function(evt) { - evt.Put(FLAG_FIELD, "tagval_parsing_error"); - } - if (cfg.kv_separator.length !== 1) { - throw("Invalid TAGVALMAP ValueDelimiter (must have 1 character)"); - } - var quotes_len = cfg.open_quote.length > 0 && cfg.close_quote.length > 0? 
- cfg.open_quote.length + cfg.close_quote.length : 0; - var kv_regex = new RegExp('^([^' + cfg.kv_separator + ']*)*' + cfg.kv_separator + ' *(.*)*$'); - return function(evt) { - var msg = evt.Get(src); - if (msg === undefined) { - console.warn("tagval: input field is missing"); - return fail(evt); - } - var pairs = msg.split(cfg.pair_separator); - var i; - var success = false; - var prev = ""; - for (i=0; i 0 && - value.length >= cfg.open_quote.length + cfg.close_quote.length && - value.substr(0, cfg.open_quote.length) === cfg.open_quote && - value.substr(value.length - cfg.close_quote.length) === cfg.close_quote) { - value = value.substr(cfg.open_quote.length, value.length - quotes_len); - } - evt.Put(FIELDS_PREFIX + field, value); - success = true; - } - if (!success) { - return fail(evt); - } - if (on_success != null) { - on_success(evt); - } - } - } - - var ecs_mappings = { - "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]}, - "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]}, - "_severity": {convert: to_long, to:[{field: "log.syslog.severity.code", setter: fld_set}]}, - "action": {to:[{field: "event.action", setter: fld_prio, prio: 0}]}, - "administrator": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 4}]}, - "alias.ip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 3},{field: "related.ip", setter: fld_append}]}, - "alias.ipv6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 4},{field: "related.ip", setter: fld_append}]}, - "alias.mac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 1}]}, - "application": {to:[{field: "network.application", setter: fld_set}]}, - "bytes": {convert: to_long, to:[{field: "network.bytes", setter: fld_set}]}, - "c_domain": {to:[{field: "source.domain", setter: fld_prio, prio: 1}]}, - "c_logon_id": {to:[{field: "user.id", setter: fld_prio, prio: 2}]}, - 
"c_user_name": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 8}]}, - "c_username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 2}]}, - "cctld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 1}]}, - "child_pid": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 1}]}, - "child_pid_val": {to:[{field: "process.title", setter: fld_set}]}, - "child_process": {to:[{field: "process.name", setter: fld_prio, prio: 1}]}, - "city.dst": {to:[{field: "destination.geo.city_name", setter: fld_set}]}, - "city.src": {to:[{field: "source.geo.city_name", setter: fld_set}]}, - "daddr": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, - "daddr_v6": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, - "ddomain": {to:[{field: "destination.domain", setter: fld_prio, prio: 0}]}, - "devicehostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, - "devicehostmac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 0}]}, - "dhost": {to:[{field: "destination.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]}, - "dinterface": {to:[{field: "observer.egress.interface.name", setter: fld_set}]}, - "direction": {to:[{field: "network.direction", setter: fld_set}]}, - "directory": {to:[{field: "file.directory", setter: fld_set}]}, - "dmacaddr": {convert: to_mac, to:[{field: "destination.mac", setter: fld_set}]}, - "dns.responsetype": {to:[{field: "dns.answers.type", setter: fld_set}]}, - "dns.resptext": {to:[{field: "dns.answers.name", setter: fld_set}]}, - "dns_querytype": {to:[{field: "dns.question.type", setter: fld_set}]}, - "domain": {to:[{field: "server.domain", setter: fld_prio, prio: 0},{field: "related.hosts", setter: fld_append}]}, - 
"domain.dst": {to:[{field: "destination.domain", setter: fld_prio, prio: 1}]}, - "domain.src": {to:[{field: "source.domain", setter: fld_prio, prio: 2}]}, - "domain_id": {to:[{field: "user.domain", setter: fld_set}]}, - "domainname": {to:[{field: "server.domain", setter: fld_prio, prio: 1}]}, - "dport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 0}]}, - "dtransaddr": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, - "dtransport": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 0}]}, - "ec_outcome": {to:[{field: "event.outcome", setter: fld_ecs_outcome}]}, - "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]}, - "event_source": {to:[{field: "related.hosts", setter: fld_append}]}, - "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]}, - "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]}, - "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]}, - "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]}, - "filename": {to:[{field: "file.name", setter: fld_prio, prio: 0}]}, - "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]}, - "filepath": {to:[{field: "file.path", setter: fld_set}]}, - "filetype": {to:[{field: "file.type", setter: fld_set}]}, - "fqdn": {to:[{field: "related.hosts", setter: fld_append}]}, - "group": {to:[{field: "group.name", setter: fld_set}]}, - "groupid": {to:[{field: "group.id", setter: fld_set}]}, - "host": {to:[{field: "host.name", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]}, - "hostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, - "hostip_v6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, - "hostname": {to:[{field: 
"host.name", setter: fld_prio, prio: 0}]}, - "id": {to:[{field: "event.code", setter: fld_prio, prio: 0}]}, - "interface": {to:[{field: "network.interface.name", setter: fld_set}]}, - "ip.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, - "ip.trans.dst": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, - "ip.trans.src": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, - "ipv6.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, - "latdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lat", setter: fld_set}]}, - "latdec_src": {convert: to_double, to:[{field: "source.geo.location.lat", setter: fld_set}]}, - "location_city": {to:[{field: "geo.city_name", setter: fld_set}]}, - "location_country": {to:[{field: "geo.country_name", setter: fld_set}]}, - "location_desc": {to:[{field: "geo.name", setter: fld_set}]}, - "location_dst": {to:[{field: "destination.geo.country_name", setter: fld_set}]}, - "location_src": {to:[{field: "source.geo.country_name", setter: fld_set}]}, - "location_state": {to:[{field: "geo.region_name", setter: fld_set}]}, - "logon_id": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 5}]}, - "longdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lon", setter: fld_set}]}, - "longdec_src": {convert: to_double, to:[{field: "source.geo.location.lon", setter: fld_set}]}, - "macaddr": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 2}]}, - "messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]}, - "method": {to:[{field: "http.request.method", setter: fld_set}]}, - "msg": {to:[{field: "message", setter: fld_set}]}, - "orig_ip": {convert: to_ip, 
to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, - "owner": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 6}]}, - "packets": {convert: to_long, to:[{field: "network.packets", setter: fld_set}]}, - "parent_pid": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 0}]}, - "parent_pid_val": {to:[{field: "process.parent.title", setter: fld_set}]}, - "parent_process": {to:[{field: "process.parent.name", setter: fld_prio, prio: 0}]}, - "patient_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 1}]}, - "port.dst": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 1}]}, - "port.src": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 1}]}, - "port.trans.dst": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 1}]}, - "port.trans.src": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 1}]}, - "process": {to:[{field: "process.name", setter: fld_prio, prio: 0}]}, - "process_id": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 0}]}, - "process_id_src": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 1}]}, - "process_src": {to:[{field: "process.parent.name", setter: fld_prio, prio: 1}]}, - "product": {to:[{field: "observer.product", setter: fld_set}]}, - "protocol": {to:[{field: "network.protocol", setter: fld_set}]}, - "query": {to:[{field: "url.query", setter: fld_prio, prio: 2}]}, - "rbytes": {convert: to_long, to:[{field: "destination.bytes", setter: fld_set}]}, - "referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 1}]}, - "rulename": {to:[{field: "rule.name", setter: fld_set}]}, - "saddr": {convert: to_ip, to:[{field: "source.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, - "saddr_v6": {convert: to_ip, to:[{field: "source.ip", setter: 
fld_set},{field: "related.ip", setter: fld_append}]}, - "sbytes": {convert: to_long, to:[{field: "source.bytes", setter: fld_set}]}, - "sdomain": {to:[{field: "source.domain", setter: fld_prio, prio: 0}]}, - "service": {to:[{field: "service.name", setter: fld_prio, prio: 1}]}, - "service.name": {to:[{field: "service.name", setter: fld_prio, prio: 0}]}, - "service_account": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 7}]}, - "severity": {to:[{field: "log.level", setter: fld_set}]}, - "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]}, - "sinterface": {to:[{field: "observer.ingress.interface.name", setter: fld_set}]}, - "sld": {to:[{field: "url.registered_domain", setter: fld_set}]}, - "smacaddr": {convert: to_mac, to:[{field: "source.mac", setter: fld_set}]}, - "sport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 0}]}, - "stransaddr": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, - "stransport": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 0}]}, - "tcp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 2}]}, - "tcp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 2}]}, - "timezone": {to:[{field: "event.timezone", setter: fld_set}]}, - "tld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 0}]}, - "udp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 3}]}, - "udp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 3}]}, - "uid": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 3}]}, - "url": {to:[{field: "url.original", setter: fld_prio, prio: 1}]}, - "url_raw": {to:[{field: "url.original", setter: fld_prio, prio: 
0}]}, - "urldomain": {to:[{field: "url.domain", setter: fld_prio, prio: 0}]}, - "urlquery": {to:[{field: "url.query", setter: fld_prio, prio: 0}]}, - "user": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 0}]}, - "user.id": {to:[{field: "user.id", setter: fld_prio, prio: 1}]}, - "user_agent": {to:[{field: "user_agent.original", setter: fld_set}]}, - "user_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 0}]}, - "user_id": {to:[{field: "user.id", setter: fld_prio, prio: 0}]}, - "username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 1}]}, - "version": {to:[{field: "observer.version", setter: fld_set}]}, - "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]}, - "web_extension": {to:[{field: "file.extension", setter: fld_prio, prio: 0}]}, - "web_query": {to:[{field: "url.query", setter: fld_prio, prio: 1}]}, - "web_ref_domain": {to:[{field: "related.hosts", setter: fld_append}]}, - "web_referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 0}]}, - "web_root": {to:[{field: "url.path", setter: fld_set}]}, - "webpage": {to:[{field: "file.name", setter: fld_prio, prio: 1}]}, - }; - - var rsa_mappings = { - "access_point": {to:[{field: "rsa.wireless.access_point", setter: fld_set}]}, - "accesses": {to:[{field: "rsa.identity.accesses", setter: fld_set}]}, - "acl_id": {to:[{field: "rsa.misc.acl_id", setter: fld_set}]}, - "acl_op": {to:[{field: "rsa.misc.acl_op", setter: fld_set}]}, - "acl_pos": {to:[{field: "rsa.misc.acl_pos", setter: fld_set}]}, - "acl_table": {to:[{field: "rsa.misc.acl_table", setter: fld_set}]}, - "action": {to:[{field: "rsa.misc.action", setter: fld_append}]}, - "ad_computer_dst": {to:[{field: "rsa.network.ad_computer_dst", setter: fld_set}]}, - "addr": {to:[{field: "rsa.network.addr", setter: fld_set}]}, - "admin": {to:[{field: "rsa.misc.admin", setter: 
fld_set}]}, - "agent": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 0}]}, - "agent.id": {to:[{field: "rsa.misc.agent_id", setter: fld_set}]}, - "alarm_id": {to:[{field: "rsa.misc.alarm_id", setter: fld_set}]}, - "alarmname": {to:[{field: "rsa.misc.alarmname", setter: fld_set}]}, - "alert": {to:[{field: "rsa.threat.alert", setter: fld_set}]}, - "alert_id": {to:[{field: "rsa.misc.alert_id", setter: fld_set}]}, - "alias.host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "analysis.file": {to:[{field: "rsa.investigations.analysis_file", setter: fld_set}]}, - "analysis.service": {to:[{field: "rsa.investigations.analysis_service", setter: fld_set}]}, - "analysis.session": {to:[{field: "rsa.investigations.analysis_session", setter: fld_set}]}, - "app_id": {to:[{field: "rsa.misc.app_id", setter: fld_set}]}, - "attachment": {to:[{field: "rsa.file.attachment", setter: fld_set}]}, - "audit": {to:[{field: "rsa.misc.audit", setter: fld_set}]}, - "audit_class": {to:[{field: "rsa.internal.audit_class", setter: fld_set}]}, - "audit_object": {to:[{field: "rsa.misc.audit_object", setter: fld_set}]}, - "auditdata": {to:[{field: "rsa.misc.auditdata", setter: fld_set}]}, - "authmethod": {to:[{field: "rsa.identity.auth_method", setter: fld_set}]}, - "autorun_type": {to:[{field: "rsa.misc.autorun_type", setter: fld_set}]}, - "bcc": {to:[{field: "rsa.email.email", setter: fld_append}]}, - "benchmark": {to:[{field: "rsa.misc.benchmark", setter: fld_set}]}, - "binary": {to:[{field: "rsa.file.binary", setter: fld_set}]}, - "boc": {to:[{field: "rsa.investigations.boc", setter: fld_set}]}, - "bssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 1}]}, - "bypass": {to:[{field: "rsa.misc.bypass", setter: fld_set}]}, - "c_sid": {to:[{field: "rsa.identity.user_sid_src", setter: fld_set}]}, - "cache": {to:[{field: "rsa.misc.cache", setter: fld_set}]}, - "cache_hit": {to:[{field: "rsa.misc.cache_hit", setter: fld_set}]}, - "calling_from": {to:[{field: 
"rsa.misc.phone", setter: fld_prio, prio: 1}]}, - "calling_to": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 0}]}, - "category": {to:[{field: "rsa.misc.category", setter: fld_set}]}, - "cc": {to:[{field: "rsa.email.email", setter: fld_append}]}, - "cc.number": {convert: to_long, to:[{field: "rsa.misc.cc_number", setter: fld_set}]}, - "cefversion": {to:[{field: "rsa.misc.cefversion", setter: fld_set}]}, - "cert.serial": {to:[{field: "rsa.crypto.cert_serial", setter: fld_set}]}, - "cert_ca": {to:[{field: "rsa.crypto.cert_ca", setter: fld_set}]}, - "cert_checksum": {to:[{field: "rsa.crypto.cert_checksum", setter: fld_set}]}, - "cert_common": {to:[{field: "rsa.crypto.cert_common", setter: fld_set}]}, - "cert_error": {to:[{field: "rsa.crypto.cert_error", setter: fld_set}]}, - "cert_hostname": {to:[{field: "rsa.crypto.cert_host_name", setter: fld_set}]}, - "cert_hostname_cat": {to:[{field: "rsa.crypto.cert_host_cat", setter: fld_set}]}, - "cert_issuer": {to:[{field: "rsa.crypto.cert_issuer", setter: fld_set}]}, - "cert_keysize": {to:[{field: "rsa.crypto.cert_keysize", setter: fld_set}]}, - "cert_status": {to:[{field: "rsa.crypto.cert_status", setter: fld_set}]}, - "cert_subject": {to:[{field: "rsa.crypto.cert_subject", setter: fld_set}]}, - "cert_username": {to:[{field: "rsa.crypto.cert_username", setter: fld_set}]}, - "cfg.attr": {to:[{field: "rsa.misc.cfg_attr", setter: fld_set}]}, - "cfg.obj": {to:[{field: "rsa.misc.cfg_obj", setter: fld_set}]}, - "cfg.path": {to:[{field: "rsa.misc.cfg_path", setter: fld_set}]}, - "change_attribute": {to:[{field: "rsa.misc.change_attrib", setter: fld_set}]}, - "change_new": {to:[{field: "rsa.misc.change_new", setter: fld_set}]}, - "change_old": {to:[{field: "rsa.misc.change_old", setter: fld_set}]}, - "changes": {to:[{field: "rsa.misc.changes", setter: fld_set}]}, - "checksum": {to:[{field: "rsa.misc.checksum", setter: fld_set}]}, - "checksum.dst": {to:[{field: "rsa.misc.checksum_dst", setter: fld_set}]}, - "checksum.src": 
{to:[{field: "rsa.misc.checksum_src", setter: fld_set}]}, - "cid": {to:[{field: "rsa.internal.cid", setter: fld_set}]}, - "client": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 1}]}, - "client_ip": {to:[{field: "rsa.misc.client_ip", setter: fld_set}]}, - "clustermembers": {to:[{field: "rsa.misc.clustermembers", setter: fld_set}]}, - "cmd": {to:[{field: "rsa.misc.cmd", setter: fld_set}]}, - "cn_acttimeout": {to:[{field: "rsa.misc.cn_acttimeout", setter: fld_set}]}, - "cn_asn_dst": {to:[{field: "rsa.web.cn_asn_dst", setter: fld_set}]}, - "cn_asn_src": {to:[{field: "rsa.misc.cn_asn_src", setter: fld_set}]}, - "cn_bgpv4nxthop": {to:[{field: "rsa.misc.cn_bgpv4nxthop", setter: fld_set}]}, - "cn_ctr_dst_code": {to:[{field: "rsa.misc.cn_ctr_dst_code", setter: fld_set}]}, - "cn_dst_tos": {to:[{field: "rsa.misc.cn_dst_tos", setter: fld_set}]}, - "cn_dst_vlan": {to:[{field: "rsa.misc.cn_dst_vlan", setter: fld_set}]}, - "cn_engine_id": {to:[{field: "rsa.misc.cn_engine_id", setter: fld_set}]}, - "cn_engine_type": {to:[{field: "rsa.misc.cn_engine_type", setter: fld_set}]}, - "cn_f_switch": {to:[{field: "rsa.misc.cn_f_switch", setter: fld_set}]}, - "cn_flowsampid": {to:[{field: "rsa.misc.cn_flowsampid", setter: fld_set}]}, - "cn_flowsampintv": {to:[{field: "rsa.misc.cn_flowsampintv", setter: fld_set}]}, - "cn_flowsampmode": {to:[{field: "rsa.misc.cn_flowsampmode", setter: fld_set}]}, - "cn_inacttimeout": {to:[{field: "rsa.misc.cn_inacttimeout", setter: fld_set}]}, - "cn_inpermbyts": {to:[{field: "rsa.misc.cn_inpermbyts", setter: fld_set}]}, - "cn_inpermpckts": {to:[{field: "rsa.misc.cn_inpermpckts", setter: fld_set}]}, - "cn_invalid": {to:[{field: "rsa.misc.cn_invalid", setter: fld_set}]}, - "cn_ip_proto_ver": {to:[{field: "rsa.misc.cn_ip_proto_ver", setter: fld_set}]}, - "cn_ipv4_ident": {to:[{field: "rsa.misc.cn_ipv4_ident", setter: fld_set}]}, - "cn_l_switch": {to:[{field: "rsa.misc.cn_l_switch", setter: fld_set}]}, - "cn_log_did": {to:[{field: 
"rsa.misc.cn_log_did", setter: fld_set}]}, - "cn_log_rid": {to:[{field: "rsa.misc.cn_log_rid", setter: fld_set}]}, - "cn_max_ttl": {to:[{field: "rsa.misc.cn_max_ttl", setter: fld_set}]}, - "cn_maxpcktlen": {to:[{field: "rsa.misc.cn_maxpcktlen", setter: fld_set}]}, - "cn_min_ttl": {to:[{field: "rsa.misc.cn_min_ttl", setter: fld_set}]}, - "cn_minpcktlen": {to:[{field: "rsa.misc.cn_minpcktlen", setter: fld_set}]}, - "cn_mpls_lbl_1": {to:[{field: "rsa.misc.cn_mpls_lbl_1", setter: fld_set}]}, - "cn_mpls_lbl_10": {to:[{field: "rsa.misc.cn_mpls_lbl_10", setter: fld_set}]}, - "cn_mpls_lbl_2": {to:[{field: "rsa.misc.cn_mpls_lbl_2", setter: fld_set}]}, - "cn_mpls_lbl_3": {to:[{field: "rsa.misc.cn_mpls_lbl_3", setter: fld_set}]}, - "cn_mpls_lbl_4": {to:[{field: "rsa.misc.cn_mpls_lbl_4", setter: fld_set}]}, - "cn_mpls_lbl_5": {to:[{field: "rsa.misc.cn_mpls_lbl_5", setter: fld_set}]}, - "cn_mpls_lbl_6": {to:[{field: "rsa.misc.cn_mpls_lbl_6", setter: fld_set}]}, - "cn_mpls_lbl_7": {to:[{field: "rsa.misc.cn_mpls_lbl_7", setter: fld_set}]}, - "cn_mpls_lbl_8": {to:[{field: "rsa.misc.cn_mpls_lbl_8", setter: fld_set}]}, - "cn_mpls_lbl_9": {to:[{field: "rsa.misc.cn_mpls_lbl_9", setter: fld_set}]}, - "cn_mplstoplabel": {to:[{field: "rsa.misc.cn_mplstoplabel", setter: fld_set}]}, - "cn_mplstoplabip": {to:[{field: "rsa.misc.cn_mplstoplabip", setter: fld_set}]}, - "cn_mul_dst_byt": {to:[{field: "rsa.misc.cn_mul_dst_byt", setter: fld_set}]}, - "cn_mul_dst_pks": {to:[{field: "rsa.misc.cn_mul_dst_pks", setter: fld_set}]}, - "cn_muligmptype": {to:[{field: "rsa.misc.cn_muligmptype", setter: fld_set}]}, - "cn_rpackets": {to:[{field: "rsa.web.cn_rpackets", setter: fld_set}]}, - "cn_sampalgo": {to:[{field: "rsa.misc.cn_sampalgo", setter: fld_set}]}, - "cn_sampint": {to:[{field: "rsa.misc.cn_sampint", setter: fld_set}]}, - "cn_seqctr": {to:[{field: "rsa.misc.cn_seqctr", setter: fld_set}]}, - "cn_spackets": {to:[{field: "rsa.misc.cn_spackets", setter: fld_set}]}, - "cn_src_tos": {to:[{field: 
"rsa.misc.cn_src_tos", setter: fld_set}]}, - "cn_src_vlan": {to:[{field: "rsa.misc.cn_src_vlan", setter: fld_set}]}, - "cn_sysuptime": {to:[{field: "rsa.misc.cn_sysuptime", setter: fld_set}]}, - "cn_template_id": {to:[{field: "rsa.misc.cn_template_id", setter: fld_set}]}, - "cn_totbytsexp": {to:[{field: "rsa.misc.cn_totbytsexp", setter: fld_set}]}, - "cn_totflowexp": {to:[{field: "rsa.misc.cn_totflowexp", setter: fld_set}]}, - "cn_totpcktsexp": {to:[{field: "rsa.misc.cn_totpcktsexp", setter: fld_set}]}, - "cn_unixnanosecs": {to:[{field: "rsa.misc.cn_unixnanosecs", setter: fld_set}]}, - "cn_v6flowlabel": {to:[{field: "rsa.misc.cn_v6flowlabel", setter: fld_set}]}, - "cn_v6optheaders": {to:[{field: "rsa.misc.cn_v6optheaders", setter: fld_set}]}, - "code": {to:[{field: "rsa.misc.code", setter: fld_set}]}, - "command": {to:[{field: "rsa.misc.command", setter: fld_set}]}, - "comments": {to:[{field: "rsa.misc.comments", setter: fld_set}]}, - "comp_class": {to:[{field: "rsa.misc.comp_class", setter: fld_set}]}, - "comp_name": {to:[{field: "rsa.misc.comp_name", setter: fld_set}]}, - "comp_rbytes": {to:[{field: "rsa.misc.comp_rbytes", setter: fld_set}]}, - "comp_sbytes": {to:[{field: "rsa.misc.comp_sbytes", setter: fld_set}]}, - "component_version": {to:[{field: "rsa.misc.comp_version", setter: fld_set}]}, - "connection_id": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 1}]}, - "connectionid": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 0}]}, - "content": {to:[{field: "rsa.misc.content", setter: fld_set}]}, - "content_type": {to:[{field: "rsa.misc.content_type", setter: fld_set}]}, - "content_version": {to:[{field: "rsa.misc.content_version", setter: fld_set}]}, - "context": {to:[{field: "rsa.misc.context", setter: fld_set}]}, - "count": {to:[{field: "rsa.misc.count", setter: fld_set}]}, - "cpu": {convert: to_long, to:[{field: "rsa.misc.cpu", setter: fld_set}]}, - "cpu_data": {to:[{field: "rsa.misc.cpu_data", setter: fld_set}]}, - 
"criticality": {to:[{field: "rsa.misc.criticality", setter: fld_set}]}, - "cs_agency_dst": {to:[{field: "rsa.misc.cs_agency_dst", setter: fld_set}]}, - "cs_analyzedby": {to:[{field: "rsa.misc.cs_analyzedby", setter: fld_set}]}, - "cs_av_other": {to:[{field: "rsa.misc.cs_av_other", setter: fld_set}]}, - "cs_av_primary": {to:[{field: "rsa.misc.cs_av_primary", setter: fld_set}]}, - "cs_av_secondary": {to:[{field: "rsa.misc.cs_av_secondary", setter: fld_set}]}, - "cs_bgpv6nxthop": {to:[{field: "rsa.misc.cs_bgpv6nxthop", setter: fld_set}]}, - "cs_bit9status": {to:[{field: "rsa.misc.cs_bit9status", setter: fld_set}]}, - "cs_context": {to:[{field: "rsa.misc.cs_context", setter: fld_set}]}, - "cs_control": {to:[{field: "rsa.misc.cs_control", setter: fld_set}]}, - "cs_data": {to:[{field: "rsa.misc.cs_data", setter: fld_set}]}, - "cs_datecret": {to:[{field: "rsa.misc.cs_datecret", setter: fld_set}]}, - "cs_dst_tld": {to:[{field: "rsa.misc.cs_dst_tld", setter: fld_set}]}, - "cs_eth_dst_ven": {to:[{field: "rsa.misc.cs_eth_dst_ven", setter: fld_set}]}, - "cs_eth_src_ven": {to:[{field: "rsa.misc.cs_eth_src_ven", setter: fld_set}]}, - "cs_event_uuid": {to:[{field: "rsa.misc.cs_event_uuid", setter: fld_set}]}, - "cs_filetype": {to:[{field: "rsa.misc.cs_filetype", setter: fld_set}]}, - "cs_fld": {to:[{field: "rsa.misc.cs_fld", setter: fld_set}]}, - "cs_if_desc": {to:[{field: "rsa.misc.cs_if_desc", setter: fld_set}]}, - "cs_if_name": {to:[{field: "rsa.misc.cs_if_name", setter: fld_set}]}, - "cs_ip_next_hop": {to:[{field: "rsa.misc.cs_ip_next_hop", setter: fld_set}]}, - "cs_ipv4dstpre": {to:[{field: "rsa.misc.cs_ipv4dstpre", setter: fld_set}]}, - "cs_ipv4srcpre": {to:[{field: "rsa.misc.cs_ipv4srcpre", setter: fld_set}]}, - "cs_lifetime": {to:[{field: "rsa.misc.cs_lifetime", setter: fld_set}]}, - "cs_log_medium": {to:[{field: "rsa.misc.cs_log_medium", setter: fld_set}]}, - "cs_loginname": {to:[{field: "rsa.misc.cs_loginname", setter: fld_set}]}, - "cs_modulescore": {to:[{field: 
"rsa.misc.cs_modulescore", setter: fld_set}]}, - "cs_modulesign": {to:[{field: "rsa.misc.cs_modulesign", setter: fld_set}]}, - "cs_opswatresult": {to:[{field: "rsa.misc.cs_opswatresult", setter: fld_set}]}, - "cs_payload": {to:[{field: "rsa.misc.cs_payload", setter: fld_set}]}, - "cs_registrant": {to:[{field: "rsa.misc.cs_registrant", setter: fld_set}]}, - "cs_registrar": {to:[{field: "rsa.misc.cs_registrar", setter: fld_set}]}, - "cs_represult": {to:[{field: "rsa.misc.cs_represult", setter: fld_set}]}, - "cs_rpayload": {to:[{field: "rsa.misc.cs_rpayload", setter: fld_set}]}, - "cs_sampler_name": {to:[{field: "rsa.misc.cs_sampler_name", setter: fld_set}]}, - "cs_sourcemodule": {to:[{field: "rsa.misc.cs_sourcemodule", setter: fld_set}]}, - "cs_streams": {to:[{field: "rsa.misc.cs_streams", setter: fld_set}]}, - "cs_targetmodule": {to:[{field: "rsa.misc.cs_targetmodule", setter: fld_set}]}, - "cs_v6nxthop": {to:[{field: "rsa.misc.cs_v6nxthop", setter: fld_set}]}, - "cs_whois_server": {to:[{field: "rsa.misc.cs_whois_server", setter: fld_set}]}, - "cs_yararesult": {to:[{field: "rsa.misc.cs_yararesult", setter: fld_set}]}, - "cve": {to:[{field: "rsa.misc.cve", setter: fld_set}]}, - "d_certauth": {to:[{field: "rsa.crypto.d_certauth", setter: fld_set}]}, - "d_cipher": {to:[{field: "rsa.crypto.cipher_dst", setter: fld_set}]}, - "d_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_dst", setter: fld_set}]}, - "d_sslver": {to:[{field: "rsa.crypto.ssl_ver_dst", setter: fld_set}]}, - "data": {to:[{field: "rsa.internal.data", setter: fld_set}]}, - "data_type": {to:[{field: "rsa.misc.data_type", setter: fld_set}]}, - "date": {to:[{field: "rsa.time.date", setter: fld_set}]}, - "datetime": {to:[{field: "rsa.time.datetime", setter: fld_set}]}, - "day": {to:[{field: "rsa.time.day", setter: fld_set}]}, - "db_id": {to:[{field: "rsa.db.db_id", setter: fld_set}]}, - "db_name": {to:[{field: "rsa.db.database", setter: fld_set}]}, - "db_pid": {convert: to_long, to:[{field: 
"rsa.db.db_pid", setter: fld_set}]}, - "dclass_counter1": {convert: to_long, to:[{field: "rsa.counters.dclass_c1", setter: fld_set}]}, - "dclass_counter1_string": {to:[{field: "rsa.counters.dclass_c1_str", setter: fld_set}]}, - "dclass_counter2": {convert: to_long, to:[{field: "rsa.counters.dclass_c2", setter: fld_set}]}, - "dclass_counter2_string": {to:[{field: "rsa.counters.dclass_c2_str", setter: fld_set}]}, - "dclass_counter3": {convert: to_long, to:[{field: "rsa.counters.dclass_c3", setter: fld_set}]}, - "dclass_counter3_string": {to:[{field: "rsa.counters.dclass_c3_str", setter: fld_set}]}, - "dclass_ratio1": {to:[{field: "rsa.counters.dclass_r1", setter: fld_set}]}, - "dclass_ratio1_string": {to:[{field: "rsa.counters.dclass_r1_str", setter: fld_set}]}, - "dclass_ratio2": {to:[{field: "rsa.counters.dclass_r2", setter: fld_set}]}, - "dclass_ratio2_string": {to:[{field: "rsa.counters.dclass_r2_str", setter: fld_set}]}, - "dclass_ratio3": {to:[{field: "rsa.counters.dclass_r3", setter: fld_set}]}, - "dclass_ratio3_string": {to:[{field: "rsa.counters.dclass_r3_str", setter: fld_set}]}, - "dead": {convert: to_long, to:[{field: "rsa.internal.dead", setter: fld_set}]}, - "description": {to:[{field: "rsa.misc.description", setter: fld_set}]}, - "detail": {to:[{field: "rsa.misc.event_desc", setter: fld_set}]}, - "device": {to:[{field: "rsa.misc.device_name", setter: fld_set}]}, - "device.class": {to:[{field: "rsa.internal.device_class", setter: fld_set}]}, - "device.group": {to:[{field: "rsa.internal.device_group", setter: fld_set}]}, - "device.host": {to:[{field: "rsa.internal.device_host", setter: fld_set}]}, - "device.ip": {convert: to_ip, to:[{field: "rsa.internal.device_ip", setter: fld_set}]}, - "device.ipv6": {convert: to_ip, to:[{field: "rsa.internal.device_ipv6", setter: fld_set}]}, - "device.type": {to:[{field: "rsa.internal.device_type", setter: fld_set}]}, - "device.type.id": {convert: to_long, to:[{field: "rsa.internal.device_type_id", setter: fld_set}]}, 
- "devicehostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "devvendor": {to:[{field: "rsa.misc.devvendor", setter: fld_set}]}, - "dhost": {to:[{field: "rsa.network.host_dst", setter: fld_set}]}, - "did": {to:[{field: "rsa.internal.did", setter: fld_set}]}, - "dinterface": {to:[{field: "rsa.network.dinterface", setter: fld_set}]}, - "directory.dst": {to:[{field: "rsa.file.directory_dst", setter: fld_set}]}, - "directory.src": {to:[{field: "rsa.file.directory_src", setter: fld_set}]}, - "disk_volume": {to:[{field: "rsa.storage.disk_volume", setter: fld_set}]}, - "disposition": {to:[{field: "rsa.misc.disposition", setter: fld_set}]}, - "distance": {to:[{field: "rsa.misc.distance", setter: fld_set}]}, - "dmask": {to:[{field: "rsa.network.dmask", setter: fld_set}]}, - "dn": {to:[{field: "rsa.identity.dn", setter: fld_set}]}, - "dns_a_record": {to:[{field: "rsa.network.dns_a_record", setter: fld_set}]}, - "dns_cname_record": {to:[{field: "rsa.network.dns_cname_record", setter: fld_set}]}, - "dns_id": {to:[{field: "rsa.network.dns_id", setter: fld_set}]}, - "dns_opcode": {to:[{field: "rsa.network.dns_opcode", setter: fld_set}]}, - "dns_ptr_record": {to:[{field: "rsa.network.dns_ptr_record", setter: fld_set}]}, - "dns_resp": {to:[{field: "rsa.network.dns_resp", setter: fld_set}]}, - "dns_type": {to:[{field: "rsa.network.dns_type", setter: fld_set}]}, - "doc_number": {convert: to_long, to:[{field: "rsa.misc.doc_number", setter: fld_set}]}, - "domain": {to:[{field: "rsa.network.domain", setter: fld_set}]}, - "domain1": {to:[{field: "rsa.network.domain1", setter: fld_set}]}, - "dst_dn": {to:[{field: "rsa.identity.dn_dst", setter: fld_set}]}, - "dst_payload": {to:[{field: "rsa.misc.payload_dst", setter: fld_set}]}, - "dst_spi": {to:[{field: "rsa.misc.spi_dst", setter: fld_set}]}, - "dst_zone": {to:[{field: "rsa.network.zone_dst", setter: fld_set}]}, - "dstburb": {to:[{field: "rsa.misc.dstburb", setter: fld_set}]}, - "duration": {convert: to_double, 
to:[{field: "rsa.time.duration_time", setter: fld_set}]}, - "duration_string": {to:[{field: "rsa.time.duration_str", setter: fld_set}]}, - "ec_activity": {to:[{field: "rsa.investigations.ec_activity", setter: fld_set}]}, - "ec_outcome": {to:[{field: "rsa.investigations.ec_outcome", setter: fld_set}]}, - "ec_subject": {to:[{field: "rsa.investigations.ec_subject", setter: fld_set}]}, - "ec_theme": {to:[{field: "rsa.investigations.ec_theme", setter: fld_set}]}, - "edomain": {to:[{field: "rsa.misc.edomain", setter: fld_set}]}, - "edomaub": {to:[{field: "rsa.misc.edomaub", setter: fld_set}]}, - "effective_time": {convert: to_date, to:[{field: "rsa.time.effective_time", setter: fld_set}]}, - "ein.number": {convert: to_long, to:[{field: "rsa.misc.ein_number", setter: fld_set}]}, - "email": {to:[{field: "rsa.email.email", setter: fld_append}]}, - "encryption_type": {to:[{field: "rsa.crypto.crypto", setter: fld_set}]}, - "endtime": {convert: to_date, to:[{field: "rsa.time.endtime", setter: fld_set}]}, - "entropy.req": {convert: to_long, to:[{field: "rsa.internal.entropy_req", setter: fld_set}]}, - "entropy.res": {convert: to_long, to:[{field: "rsa.internal.entropy_res", setter: fld_set}]}, - "entry": {to:[{field: "rsa.internal.entry", setter: fld_set}]}, - "eoc": {to:[{field: "rsa.investigations.eoc", setter: fld_set}]}, - "error": {to:[{field: "rsa.misc.error", setter: fld_set}]}, - "eth_type": {convert: to_long, to:[{field: "rsa.network.eth_type", setter: fld_set}]}, - "euid": {to:[{field: "rsa.misc.euid", setter: fld_set}]}, - "event.cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 1}]}, - "event.cat.name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 1}]}, - "event_cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 0}]}, - "event_cat_name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 0}]}, - "event_category": {to:[{field: 
"rsa.misc.event_category", setter: fld_set}]}, - "event_computer": {to:[{field: "rsa.misc.event_computer", setter: fld_set}]}, - "event_counter": {convert: to_long, to:[{field: "rsa.counters.event_counter", setter: fld_set}]}, - "event_description": {to:[{field: "rsa.internal.event_desc", setter: fld_set}]}, - "event_id": {to:[{field: "rsa.misc.event_id", setter: fld_set}]}, - "event_log": {to:[{field: "rsa.misc.event_log", setter: fld_set}]}, - "event_name": {to:[{field: "rsa.internal.event_name", setter: fld_set}]}, - "event_queue_time": {convert: to_date, to:[{field: "rsa.time.event_queue_time", setter: fld_set}]}, - "event_source": {to:[{field: "rsa.misc.event_source", setter: fld_set}]}, - "event_state": {to:[{field: "rsa.misc.event_state", setter: fld_set}]}, - "event_time": {convert: to_date, to:[{field: "rsa.time.event_time", setter: fld_set}]}, - "event_time_str": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 1}]}, - "event_time_string": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 0}]}, - "event_type": {to:[{field: "rsa.misc.event_type", setter: fld_set}]}, - "event_user": {to:[{field: "rsa.misc.event_user", setter: fld_set}]}, - "eventtime": {to:[{field: "rsa.time.eventtime", setter: fld_set}]}, - "expected_val": {to:[{field: "rsa.misc.expected_val", setter: fld_set}]}, - "expiration_time": {convert: to_date, to:[{field: "rsa.time.expire_time", setter: fld_set}]}, - "expiration_time_string": {to:[{field: "rsa.time.expire_time_str", setter: fld_set}]}, - "facility": {to:[{field: "rsa.misc.facility", setter: fld_set}]}, - "facilityname": {to:[{field: "rsa.misc.facilityname", setter: fld_set}]}, - "faddr": {to:[{field: "rsa.network.faddr", setter: fld_set}]}, - "fcatnum": {to:[{field: "rsa.misc.fcatnum", setter: fld_set}]}, - "federated_idp": {to:[{field: "rsa.identity.federated_idp", setter: fld_set}]}, - "federated_sp": {to:[{field: "rsa.identity.federated_sp", setter: fld_set}]}, - "feed.category": {to:[{field: 
"rsa.internal.feed_category", setter: fld_set}]}, - "feed_desc": {to:[{field: "rsa.internal.feed_desc", setter: fld_set}]}, - "feed_name": {to:[{field: "rsa.internal.feed_name", setter: fld_set}]}, - "fhost": {to:[{field: "rsa.network.fhost", setter: fld_set}]}, - "file_entropy": {convert: to_double, to:[{field: "rsa.file.file_entropy", setter: fld_set}]}, - "file_vendor": {to:[{field: "rsa.file.file_vendor", setter: fld_set}]}, - "filename_dst": {to:[{field: "rsa.file.filename_dst", setter: fld_set}]}, - "filename_src": {to:[{field: "rsa.file.filename_src", setter: fld_set}]}, - "filename_tmp": {to:[{field: "rsa.file.filename_tmp", setter: fld_set}]}, - "filesystem": {to:[{field: "rsa.file.filesystem", setter: fld_set}]}, - "filter": {to:[{field: "rsa.misc.filter", setter: fld_set}]}, - "finterface": {to:[{field: "rsa.misc.finterface", setter: fld_set}]}, - "flags": {to:[{field: "rsa.misc.flags", setter: fld_set}]}, - "forensic_info": {to:[{field: "rsa.misc.forensic_info", setter: fld_set}]}, - "forward.ip": {convert: to_ip, to:[{field: "rsa.internal.forward_ip", setter: fld_set}]}, - "forward.ipv6": {convert: to_ip, to:[{field: "rsa.internal.forward_ipv6", setter: fld_set}]}, - "found": {to:[{field: "rsa.misc.found", setter: fld_set}]}, - "fport": {to:[{field: "rsa.network.fport", setter: fld_set}]}, - "fqdn": {to:[{field: "rsa.web.fqdn", setter: fld_set}]}, - "fresult": {convert: to_long, to:[{field: "rsa.misc.fresult", setter: fld_set}]}, - "from": {to:[{field: "rsa.email.email_src", setter: fld_set}]}, - "gaddr": {to:[{field: "rsa.misc.gaddr", setter: fld_set}]}, - "gateway": {to:[{field: "rsa.network.gateway", setter: fld_set}]}, - "gmtdate": {to:[{field: "rsa.time.gmtdate", setter: fld_set}]}, - "gmttime": {to:[{field: "rsa.time.gmttime", setter: fld_set}]}, - "group": {to:[{field: "rsa.misc.group", setter: fld_set}]}, - "group_object": {to:[{field: "rsa.misc.group_object", setter: fld_set}]}, - "groupid": {to:[{field: "rsa.misc.group_id", setter: 
fld_set}]}, - "h_code": {to:[{field: "rsa.internal.hcode", setter: fld_set}]}, - "hardware_id": {to:[{field: "rsa.misc.hardware_id", setter: fld_set}]}, - "header.id": {to:[{field: "rsa.internal.header_id", setter: fld_set}]}, - "host.orig": {to:[{field: "rsa.network.host_orig", setter: fld_set}]}, - "host.state": {to:[{field: "rsa.endpoint.host_state", setter: fld_set}]}, - "host.type": {to:[{field: "rsa.network.host_type", setter: fld_set}]}, - "host_role": {to:[{field: "rsa.identity.host_role", setter: fld_set}]}, - "hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "hostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "hour": {to:[{field: "rsa.time.hour", setter: fld_set}]}, - "https.insact": {to:[{field: "rsa.crypto.https_insact", setter: fld_set}]}, - "https.valid": {to:[{field: "rsa.crypto.https_valid", setter: fld_set}]}, - "icmpcode": {convert: to_long, to:[{field: "rsa.network.icmp_code", setter: fld_set}]}, - "icmptype": {convert: to_long, to:[{field: "rsa.network.icmp_type", setter: fld_set}]}, - "id": {to:[{field: "rsa.misc.reference_id", setter: fld_set}]}, - "id1": {to:[{field: "rsa.misc.reference_id1", setter: fld_set}]}, - "id2": {to:[{field: "rsa.misc.reference_id2", setter: fld_set}]}, - "id3": {to:[{field: "rsa.misc.id3", setter: fld_set}]}, - "ike": {to:[{field: "rsa.crypto.ike", setter: fld_set}]}, - "ike_cookie1": {to:[{field: "rsa.crypto.ike_cookie1", setter: fld_set}]}, - "ike_cookie2": {to:[{field: "rsa.crypto.ike_cookie2", setter: fld_set}]}, - "im_buddyid": {to:[{field: "rsa.misc.im_buddyid", setter: fld_set}]}, - "im_buddyname": {to:[{field: "rsa.misc.im_buddyname", setter: fld_set}]}, - "im_client": {to:[{field: "rsa.misc.im_client", setter: fld_set}]}, - "im_croomid": {to:[{field: "rsa.misc.im_croomid", setter: fld_set}]}, - "im_croomtype": {to:[{field: "rsa.misc.im_croomtype", setter: fld_set}]}, - "im_members": {to:[{field: "rsa.misc.im_members", setter: fld_set}]}, - "im_userid": 
{to:[{field: "rsa.misc.im_userid", setter: fld_set}]}, - "im_username": {to:[{field: "rsa.misc.im_username", setter: fld_set}]}, - "index": {to:[{field: "rsa.misc.index", setter: fld_set}]}, - "info": {to:[{field: "rsa.db.index", setter: fld_set}]}, - "inode": {convert: to_long, to:[{field: "rsa.internal.inode", setter: fld_set}]}, - "inout": {to:[{field: "rsa.misc.inout", setter: fld_set}]}, - "instance": {to:[{field: "rsa.db.instance", setter: fld_set}]}, - "interface": {to:[{field: "rsa.network.interface", setter: fld_set}]}, - "inv.category": {to:[{field: "rsa.investigations.inv_category", setter: fld_set}]}, - "inv.context": {to:[{field: "rsa.investigations.inv_context", setter: fld_set}]}, - "ioc": {to:[{field: "rsa.investigations.ioc", setter: fld_set}]}, - "ip_proto": {convert: to_long, to:[{field: "rsa.network.ip_proto", setter: fld_set}]}, - "ipkt": {to:[{field: "rsa.misc.ipkt", setter: fld_set}]}, - "ipscat": {to:[{field: "rsa.misc.ipscat", setter: fld_set}]}, - "ipspri": {to:[{field: "rsa.misc.ipspri", setter: fld_set}]}, - "jobname": {to:[{field: "rsa.misc.jobname", setter: fld_set}]}, - "jobnum": {to:[{field: "rsa.misc.job_num", setter: fld_set}]}, - "laddr": {to:[{field: "rsa.network.laddr", setter: fld_set}]}, - "language": {to:[{field: "rsa.misc.language", setter: fld_set}]}, - "latitude": {to:[{field: "rsa.misc.latitude", setter: fld_set}]}, - "lc.cid": {to:[{field: "rsa.internal.lc_cid", setter: fld_set}]}, - "lc.ctime": {convert: to_date, to:[{field: "rsa.internal.lc_ctime", setter: fld_set}]}, - "ldap": {to:[{field: "rsa.identity.ldap", setter: fld_set}]}, - "ldap.query": {to:[{field: "rsa.identity.ldap_query", setter: fld_set}]}, - "ldap.response": {to:[{field: "rsa.identity.ldap_response", setter: fld_set}]}, - "level": {convert: to_long, to:[{field: "rsa.internal.level", setter: fld_set}]}, - "lhost": {to:[{field: "rsa.network.lhost", setter: fld_set}]}, - "library": {to:[{field: "rsa.misc.library", setter: fld_set}]}, - "lifetime": 
{convert: to_long, to:[{field: "rsa.misc.lifetime", setter: fld_set}]}, - "linenum": {to:[{field: "rsa.misc.linenum", setter: fld_set}]}, - "link": {to:[{field: "rsa.misc.link", setter: fld_set}]}, - "linterface": {to:[{field: "rsa.network.linterface", setter: fld_set}]}, - "list_name": {to:[{field: "rsa.misc.list_name", setter: fld_set}]}, - "listnum": {to:[{field: "rsa.misc.listnum", setter: fld_set}]}, - "load_data": {to:[{field: "rsa.misc.load_data", setter: fld_set}]}, - "location_floor": {to:[{field: "rsa.misc.location_floor", setter: fld_set}]}, - "location_mark": {to:[{field: "rsa.misc.location_mark", setter: fld_set}]}, - "log_id": {to:[{field: "rsa.misc.log_id", setter: fld_set}]}, - "log_type": {to:[{field: "rsa.misc.log_type", setter: fld_set}]}, - "logid": {to:[{field: "rsa.misc.logid", setter: fld_set}]}, - "logip": {to:[{field: "rsa.misc.logip", setter: fld_set}]}, - "logname": {to:[{field: "rsa.misc.logname", setter: fld_set}]}, - "logon_type": {to:[{field: "rsa.identity.logon_type", setter: fld_set}]}, - "logon_type_desc": {to:[{field: "rsa.identity.logon_type_desc", setter: fld_set}]}, - "longitude": {to:[{field: "rsa.misc.longitude", setter: fld_set}]}, - "lport": {to:[{field: "rsa.misc.lport", setter: fld_set}]}, - "lread": {convert: to_long, to:[{field: "rsa.db.lread", setter: fld_set}]}, - "lun": {to:[{field: "rsa.storage.lun", setter: fld_set}]}, - "lwrite": {convert: to_long, to:[{field: "rsa.db.lwrite", setter: fld_set}]}, - "macaddr": {convert: to_mac, to:[{field: "rsa.network.eth_host", setter: fld_set}]}, - "mail_id": {to:[{field: "rsa.misc.mail_id", setter: fld_set}]}, - "mask": {to:[{field: "rsa.network.mask", setter: fld_set}]}, - "match": {to:[{field: "rsa.misc.match", setter: fld_set}]}, - "mbug_data": {to:[{field: "rsa.misc.mbug_data", setter: fld_set}]}, - "mcb.req": {convert: to_long, to:[{field: "rsa.internal.mcb_req", setter: fld_set}]}, - "mcb.res": {convert: to_long, to:[{field: "rsa.internal.mcb_res", setter: fld_set}]}, - 
"mcbc.req": {convert: to_long, to:[{field: "rsa.internal.mcbc_req", setter: fld_set}]}, - "mcbc.res": {convert: to_long, to:[{field: "rsa.internal.mcbc_res", setter: fld_set}]}, - "medium": {convert: to_long, to:[{field: "rsa.internal.medium", setter: fld_set}]}, - "message": {to:[{field: "rsa.internal.message", setter: fld_set}]}, - "message_body": {to:[{field: "rsa.misc.message_body", setter: fld_set}]}, - "messageid": {to:[{field: "rsa.internal.messageid", setter: fld_set}]}, - "min": {to:[{field: "rsa.time.min", setter: fld_set}]}, - "misc": {to:[{field: "rsa.misc.misc", setter: fld_set}]}, - "misc_name": {to:[{field: "rsa.misc.misc_name", setter: fld_set}]}, - "mode": {to:[{field: "rsa.misc.mode", setter: fld_set}]}, - "month": {to:[{field: "rsa.time.month", setter: fld_set}]}, - "msg": {to:[{field: "rsa.internal.msg", setter: fld_set}]}, - "msgIdPart1": {to:[{field: "rsa.misc.msgIdPart1", setter: fld_set}]}, - "msgIdPart2": {to:[{field: "rsa.misc.msgIdPart2", setter: fld_set}]}, - "msgIdPart3": {to:[{field: "rsa.misc.msgIdPart3", setter: fld_set}]}, - "msgIdPart4": {to:[{field: "rsa.misc.msgIdPart4", setter: fld_set}]}, - "msg_id": {to:[{field: "rsa.internal.msg_id", setter: fld_set}]}, - "msg_type": {to:[{field: "rsa.misc.msg_type", setter: fld_set}]}, - "msgid": {to:[{field: "rsa.misc.msgid", setter: fld_set}]}, - "name": {to:[{field: "rsa.misc.name", setter: fld_set}]}, - "netname": {to:[{field: "rsa.network.netname", setter: fld_set}]}, - "netsessid": {to:[{field: "rsa.misc.netsessid", setter: fld_set}]}, - "network_port": {convert: to_long, to:[{field: "rsa.network.network_port", setter: fld_set}]}, - "network_service": {to:[{field: "rsa.network.network_service", setter: fld_set}]}, - "node": {to:[{field: "rsa.misc.node", setter: fld_set}]}, - "nodename": {to:[{field: "rsa.internal.node_name", setter: fld_set}]}, - "ntype": {to:[{field: "rsa.misc.ntype", setter: fld_set}]}, - "num": {to:[{field: "rsa.misc.num", setter: fld_set}]}, - "number": 
{to:[{field: "rsa.misc.number", setter: fld_set}]}, - "number1": {to:[{field: "rsa.misc.number1", setter: fld_set}]}, - "number2": {to:[{field: "rsa.misc.number2", setter: fld_set}]}, - "nwe.callback_id": {to:[{field: "rsa.internal.nwe_callback_id", setter: fld_set}]}, - "nwwn": {to:[{field: "rsa.misc.nwwn", setter: fld_set}]}, - "obj_id": {to:[{field: "rsa.internal.obj_id", setter: fld_set}]}, - "obj_name": {to:[{field: "rsa.misc.obj_name", setter: fld_set}]}, - "obj_server": {to:[{field: "rsa.internal.obj_server", setter: fld_set}]}, - "obj_type": {to:[{field: "rsa.misc.obj_type", setter: fld_set}]}, - "obj_value": {to:[{field: "rsa.internal.obj_val", setter: fld_set}]}, - "object": {to:[{field: "rsa.misc.object", setter: fld_set}]}, - "observed_val": {to:[{field: "rsa.misc.observed_val", setter: fld_set}]}, - "operation": {to:[{field: "rsa.misc.operation", setter: fld_set}]}, - "operation_id": {to:[{field: "rsa.misc.operation_id", setter: fld_set}]}, - "opkt": {to:[{field: "rsa.misc.opkt", setter: fld_set}]}, - "org.dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 1}]}, - "org.src": {to:[{field: "rsa.physical.org_src", setter: fld_set}]}, - "org_dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 0}]}, - "orig_from": {to:[{field: "rsa.misc.orig_from", setter: fld_set}]}, - "origin": {to:[{field: "rsa.network.origin", setter: fld_set}]}, - "original_owner": {to:[{field: "rsa.identity.owner", setter: fld_set}]}, - "os": {to:[{field: "rsa.misc.OS", setter: fld_set}]}, - "owner_id": {to:[{field: "rsa.misc.owner_id", setter: fld_set}]}, - "p_action": {to:[{field: "rsa.misc.p_action", setter: fld_set}]}, - "p_date": {to:[{field: "rsa.time.p_date", setter: fld_set}]}, - "p_filter": {to:[{field: "rsa.misc.p_filter", setter: fld_set}]}, - "p_group_object": {to:[{field: "rsa.misc.p_group_object", setter: fld_set}]}, - "p_id": {to:[{field: "rsa.misc.p_id", setter: fld_set}]}, - "p_month": {to:[{field: "rsa.time.p_month", setter: fld_set}]}, 
- "p_msgid": {to:[{field: "rsa.misc.p_msgid", setter: fld_set}]}, - "p_msgid1": {to:[{field: "rsa.misc.p_msgid1", setter: fld_set}]}, - "p_msgid2": {to:[{field: "rsa.misc.p_msgid2", setter: fld_set}]}, - "p_result1": {to:[{field: "rsa.misc.p_result1", setter: fld_set}]}, - "p_time": {to:[{field: "rsa.time.p_time", setter: fld_set}]}, - "p_time1": {to:[{field: "rsa.time.p_time1", setter: fld_set}]}, - "p_time2": {to:[{field: "rsa.time.p_time2", setter: fld_set}]}, - "p_url": {to:[{field: "rsa.web.p_url", setter: fld_set}]}, - "p_user_agent": {to:[{field: "rsa.web.p_user_agent", setter: fld_set}]}, - "p_web_cookie": {to:[{field: "rsa.web.p_web_cookie", setter: fld_set}]}, - "p_web_method": {to:[{field: "rsa.web.p_web_method", setter: fld_set}]}, - "p_web_referer": {to:[{field: "rsa.web.p_web_referer", setter: fld_set}]}, - "p_year": {to:[{field: "rsa.time.p_year", setter: fld_set}]}, - "packet_length": {to:[{field: "rsa.network.packet_length", setter: fld_set}]}, - "paddr": {convert: to_ip, to:[{field: "rsa.network.paddr", setter: fld_set}]}, - "param": {to:[{field: "rsa.misc.param", setter: fld_set}]}, - "param.dst": {to:[{field: "rsa.misc.param_dst", setter: fld_set}]}, - "param.src": {to:[{field: "rsa.misc.param_src", setter: fld_set}]}, - "parent_node": {to:[{field: "rsa.misc.parent_node", setter: fld_set}]}, - "parse.error": {to:[{field: "rsa.internal.parse_error", setter: fld_set}]}, - "password": {to:[{field: "rsa.identity.password", setter: fld_set}]}, - "password_chg": {to:[{field: "rsa.misc.password_chg", setter: fld_set}]}, - "password_expire": {to:[{field: "rsa.misc.password_expire", setter: fld_set}]}, - "patient_fname": {to:[{field: "rsa.healthcare.patient_fname", setter: fld_set}]}, - "patient_id": {to:[{field: "rsa.healthcare.patient_id", setter: fld_set}]}, - "patient_lname": {to:[{field: "rsa.healthcare.patient_lname", setter: fld_set}]}, - "patient_mname": {to:[{field: "rsa.healthcare.patient_mname", setter: fld_set}]}, - "payload.req": {convert: 
to_long, to:[{field: "rsa.internal.payload_req", setter: fld_set}]}, - "payload.res": {convert: to_long, to:[{field: "rsa.internal.payload_res", setter: fld_set}]}, - "peer": {to:[{field: "rsa.crypto.peer", setter: fld_set}]}, - "peer_id": {to:[{field: "rsa.crypto.peer_id", setter: fld_set}]}, - "permgranted": {to:[{field: "rsa.misc.permgranted", setter: fld_set}]}, - "permissions": {to:[{field: "rsa.db.permissions", setter: fld_set}]}, - "permwanted": {to:[{field: "rsa.misc.permwanted", setter: fld_set}]}, - "pgid": {to:[{field: "rsa.misc.pgid", setter: fld_set}]}, - "phone_number": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 2}]}, - "phost": {to:[{field: "rsa.network.phost", setter: fld_set}]}, - "pid": {to:[{field: "rsa.misc.pid", setter: fld_set}]}, - "policy": {to:[{field: "rsa.misc.policy", setter: fld_set}]}, - "policyUUID": {to:[{field: "rsa.misc.policyUUID", setter: fld_set}]}, - "policy_id": {to:[{field: "rsa.misc.policy_id", setter: fld_set}]}, - "policy_value": {to:[{field: "rsa.misc.policy_value", setter: fld_set}]}, - "policy_waiver": {to:[{field: "rsa.misc.policy_waiver", setter: fld_set}]}, - "policyname": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 0}]}, - "pool_id": {to:[{field: "rsa.misc.pool_id", setter: fld_set}]}, - "pool_name": {to:[{field: "rsa.misc.pool_name", setter: fld_set}]}, - "port": {convert: to_long, to:[{field: "rsa.network.port", setter: fld_set}]}, - "portname": {to:[{field: "rsa.misc.port_name", setter: fld_set}]}, - "pread": {convert: to_long, to:[{field: "rsa.db.pread", setter: fld_set}]}, - "priority": {to:[{field: "rsa.misc.priority", setter: fld_set}]}, - "privilege": {to:[{field: "rsa.file.privilege", setter: fld_set}]}, - "process.vid.dst": {to:[{field: "rsa.internal.process_vid_dst", setter: fld_set}]}, - "process.vid.src": {to:[{field: "rsa.internal.process_vid_src", setter: fld_set}]}, - "process_id_val": {to:[{field: "rsa.misc.process_id_val", setter: fld_set}]}, - "processing_time": 
{to:[{field: "rsa.time.process_time", setter: fld_set}]}, - "profile": {to:[{field: "rsa.identity.profile", setter: fld_set}]}, - "prog_asp_num": {to:[{field: "rsa.misc.prog_asp_num", setter: fld_set}]}, - "program": {to:[{field: "rsa.misc.program", setter: fld_set}]}, - "protocol_detail": {to:[{field: "rsa.network.protocol_detail", setter: fld_set}]}, - "pwwn": {to:[{field: "rsa.storage.pwwn", setter: fld_set}]}, - "r_hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "real_data": {to:[{field: "rsa.misc.real_data", setter: fld_set}]}, - "realm": {to:[{field: "rsa.identity.realm", setter: fld_set}]}, - "reason": {to:[{field: "rsa.misc.reason", setter: fld_set}]}, - "rec_asp_device": {to:[{field: "rsa.misc.rec_asp_device", setter: fld_set}]}, - "rec_asp_num": {to:[{field: "rsa.misc.rec_asp_num", setter: fld_set}]}, - "rec_library": {to:[{field: "rsa.misc.rec_library", setter: fld_set}]}, - "recorded_time": {convert: to_date, to:[{field: "rsa.time.recorded_time", setter: fld_set}]}, - "recordnum": {to:[{field: "rsa.misc.recordnum", setter: fld_set}]}, - "registry.key": {to:[{field: "rsa.endpoint.registry_key", setter: fld_set}]}, - "registry.value": {to:[{field: "rsa.endpoint.registry_value", setter: fld_set}]}, - "remote_domain": {to:[{field: "rsa.web.remote_domain", setter: fld_set}]}, - "remote_domain_id": {to:[{field: "rsa.network.remote_domain_id", setter: fld_set}]}, - "reputation_num": {convert: to_double, to:[{field: "rsa.web.reputation_num", setter: fld_set}]}, - "resource": {to:[{field: "rsa.internal.resource", setter: fld_set}]}, - "resource_class": {to:[{field: "rsa.internal.resource_class", setter: fld_set}]}, - "result": {to:[{field: "rsa.misc.result", setter: fld_set}]}, - "result_code": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 1}]}, - "resultcode": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 0}]}, - "rid": {convert: to_long, to:[{field: "rsa.internal.rid", setter: fld_set}]}, - "risk": 
{to:[{field: "rsa.misc.risk", setter: fld_set}]}, - "risk_info": {to:[{field: "rsa.misc.risk_info", setter: fld_set}]}, - "risk_num": {convert: to_double, to:[{field: "rsa.misc.risk_num", setter: fld_set}]}, - "risk_num_comm": {convert: to_double, to:[{field: "rsa.misc.risk_num_comm", setter: fld_set}]}, - "risk_num_next": {convert: to_double, to:[{field: "rsa.misc.risk_num_next", setter: fld_set}]}, - "risk_num_sand": {convert: to_double, to:[{field: "rsa.misc.risk_num_sand", setter: fld_set}]}, - "risk_num_static": {convert: to_double, to:[{field: "rsa.misc.risk_num_static", setter: fld_set}]}, - "risk_suspicious": {to:[{field: "rsa.misc.risk_suspicious", setter: fld_set}]}, - "risk_warning": {to:[{field: "rsa.misc.risk_warning", setter: fld_set}]}, - "rpayload": {to:[{field: "rsa.network.rpayload", setter: fld_set}]}, - "ruid": {to:[{field: "rsa.misc.ruid", setter: fld_set}]}, - "rule": {to:[{field: "rsa.misc.rule", setter: fld_set}]}, - "rule_group": {to:[{field: "rsa.misc.rule_group", setter: fld_set}]}, - "rule_template": {to:[{field: "rsa.misc.rule_template", setter: fld_set}]}, - "rule_uid": {to:[{field: "rsa.misc.rule_uid", setter: fld_set}]}, - "rulename": {to:[{field: "rsa.misc.rule_name", setter: fld_set}]}, - "s_certauth": {to:[{field: "rsa.crypto.s_certauth", setter: fld_set}]}, - "s_cipher": {to:[{field: "rsa.crypto.cipher_src", setter: fld_set}]}, - "s_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_src", setter: fld_set}]}, - "s_context": {to:[{field: "rsa.misc.context_subject", setter: fld_set}]}, - "s_sslver": {to:[{field: "rsa.crypto.ssl_ver_src", setter: fld_set}]}, - "sburb": {to:[{field: "rsa.misc.sburb", setter: fld_set}]}, - "scheme": {to:[{field: "rsa.crypto.scheme", setter: fld_set}]}, - "sdomain_fld": {to:[{field: "rsa.misc.sdomain_fld", setter: fld_set}]}, - "search.text": {to:[{field: "rsa.misc.search_text", setter: fld_set}]}, - "sec": {to:[{field: "rsa.misc.sec", setter: fld_set}]}, - "second": {to:[{field: 
"rsa.misc.second", setter: fld_set}]}, - "sensor": {to:[{field: "rsa.misc.sensor", setter: fld_set}]}, - "sensorname": {to:[{field: "rsa.misc.sensorname", setter: fld_set}]}, - "seqnum": {to:[{field: "rsa.misc.seqnum", setter: fld_set}]}, - "serial_number": {to:[{field: "rsa.misc.serial_number", setter: fld_set}]}, - "service.account": {to:[{field: "rsa.identity.service_account", setter: fld_set}]}, - "session": {to:[{field: "rsa.misc.session", setter: fld_set}]}, - "session.split": {to:[{field: "rsa.internal.session_split", setter: fld_set}]}, - "sessionid": {to:[{field: "rsa.misc.log_session_id", setter: fld_set}]}, - "sessionid1": {to:[{field: "rsa.misc.log_session_id1", setter: fld_set}]}, - "sessiontype": {to:[{field: "rsa.misc.sessiontype", setter: fld_set}]}, - "severity": {to:[{field: "rsa.misc.severity", setter: fld_set}]}, - "sid": {to:[{field: "rsa.identity.user_sid_dst", setter: fld_set}]}, - "sig.name": {to:[{field: "rsa.misc.sig_name", setter: fld_set}]}, - "sigUUID": {to:[{field: "rsa.misc.sigUUID", setter: fld_set}]}, - "sigcat": {to:[{field: "rsa.misc.sigcat", setter: fld_set}]}, - "sigid": {convert: to_long, to:[{field: "rsa.misc.sig_id", setter: fld_set}]}, - "sigid1": {convert: to_long, to:[{field: "rsa.misc.sig_id1", setter: fld_set}]}, - "sigid_string": {to:[{field: "rsa.misc.sig_id_str", setter: fld_set}]}, - "signame": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 1}]}, - "sigtype": {to:[{field: "rsa.crypto.sig_type", setter: fld_set}]}, - "sinterface": {to:[{field: "rsa.network.sinterface", setter: fld_set}]}, - "site": {to:[{field: "rsa.internal.site", setter: fld_set}]}, - "size": {convert: to_long, to:[{field: "rsa.internal.size", setter: fld_set}]}, - "smask": {to:[{field: "rsa.network.smask", setter: fld_set}]}, - "snmp.oid": {to:[{field: "rsa.misc.snmp_oid", setter: fld_set}]}, - "snmp.value": {to:[{field: "rsa.misc.snmp_value", setter: fld_set}]}, - "sourcefile": {to:[{field: "rsa.internal.sourcefile", setter: 
fld_set}]}, - "space": {to:[{field: "rsa.misc.space", setter: fld_set}]}, - "space1": {to:[{field: "rsa.misc.space1", setter: fld_set}]}, - "spi": {to:[{field: "rsa.misc.spi", setter: fld_set}]}, - "sql": {to:[{field: "rsa.misc.sql", setter: fld_set}]}, - "src_dn": {to:[{field: "rsa.identity.dn_src", setter: fld_set}]}, - "src_payload": {to:[{field: "rsa.misc.payload_src", setter: fld_set}]}, - "src_spi": {to:[{field: "rsa.misc.spi_src", setter: fld_set}]}, - "src_zone": {to:[{field: "rsa.network.zone_src", setter: fld_set}]}, - "srcburb": {to:[{field: "rsa.misc.srcburb", setter: fld_set}]}, - "srcdom": {to:[{field: "rsa.misc.srcdom", setter: fld_set}]}, - "srcservice": {to:[{field: "rsa.misc.srcservice", setter: fld_set}]}, - "ssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 0}]}, - "stamp": {convert: to_date, to:[{field: "rsa.time.stamp", setter: fld_set}]}, - "starttime": {convert: to_date, to:[{field: "rsa.time.starttime", setter: fld_set}]}, - "state": {to:[{field: "rsa.misc.state", setter: fld_set}]}, - "statement": {to:[{field: "rsa.internal.statement", setter: fld_set}]}, - "status": {to:[{field: "rsa.misc.status", setter: fld_set}]}, - "status1": {to:[{field: "rsa.misc.status1", setter: fld_set}]}, - "streams": {convert: to_long, to:[{field: "rsa.misc.streams", setter: fld_set}]}, - "subcategory": {to:[{field: "rsa.misc.subcategory", setter: fld_set}]}, - "subject": {to:[{field: "rsa.email.subject", setter: fld_set}]}, - "svcno": {to:[{field: "rsa.misc.svcno", setter: fld_set}]}, - "system": {to:[{field: "rsa.misc.system", setter: fld_set}]}, - "t_context": {to:[{field: "rsa.misc.context_target", setter: fld_set}]}, - "task_name": {to:[{field: "rsa.file.task_name", setter: fld_set}]}, - "tbdstr1": {to:[{field: "rsa.misc.tbdstr1", setter: fld_set}]}, - "tbdstr2": {to:[{field: "rsa.misc.tbdstr2", setter: fld_set}]}, - "tbl_name": {to:[{field: "rsa.db.table_name", setter: fld_set}]}, - "tcp_flags": {convert: to_long, to:[{field: 
"rsa.misc.tcp_flags", setter: fld_set}]}, - "terminal": {to:[{field: "rsa.misc.terminal", setter: fld_set}]}, - "tgtdom": {to:[{field: "rsa.misc.tgtdom", setter: fld_set}]}, - "tgtdomain": {to:[{field: "rsa.misc.tgtdomain", setter: fld_set}]}, - "threat_name": {to:[{field: "rsa.threat.threat_category", setter: fld_set}]}, - "threat_source": {to:[{field: "rsa.threat.threat_source", setter: fld_set}]}, - "threat_val": {to:[{field: "rsa.threat.threat_desc", setter: fld_set}]}, - "threshold": {to:[{field: "rsa.misc.threshold", setter: fld_set}]}, - "time": {convert: to_date, to:[{field: "rsa.internal.time", setter: fld_set}]}, - "timestamp": {to:[{field: "rsa.time.timestamp", setter: fld_set}]}, - "timezone": {to:[{field: "rsa.time.timezone", setter: fld_set}]}, - "to": {to:[{field: "rsa.email.email_dst", setter: fld_set}]}, - "tos": {convert: to_long, to:[{field: "rsa.misc.tos", setter: fld_set}]}, - "trans_from": {to:[{field: "rsa.email.trans_from", setter: fld_set}]}, - "trans_id": {to:[{field: "rsa.db.transact_id", setter: fld_set}]}, - "trans_to": {to:[{field: "rsa.email.trans_to", setter: fld_set}]}, - "trigger_desc": {to:[{field: "rsa.misc.trigger_desc", setter: fld_set}]}, - "trigger_val": {to:[{field: "rsa.misc.trigger_val", setter: fld_set}]}, - "type": {to:[{field: "rsa.misc.type", setter: fld_set}]}, - "type1": {to:[{field: "rsa.misc.type1", setter: fld_set}]}, - "tzone": {to:[{field: "rsa.time.tzone", setter: fld_set}]}, - "ubc.req": {convert: to_long, to:[{field: "rsa.internal.ubc_req", setter: fld_set}]}, - "ubc.res": {convert: to_long, to:[{field: "rsa.internal.ubc_res", setter: fld_set}]}, - "udb_class": {to:[{field: "rsa.misc.udb_class", setter: fld_set}]}, - "url_fld": {to:[{field: "rsa.misc.url_fld", setter: fld_set}]}, - "urlpage": {to:[{field: "rsa.web.urlpage", setter: fld_set}]}, - "urlroot": {to:[{field: "rsa.web.urlroot", setter: fld_set}]}, - "user_address": {to:[{field: "rsa.email.email", setter: fld_append}]}, - "user_dept": {to:[{field: 
"rsa.identity.user_dept", setter: fld_set}]}, - "user_div": {to:[{field: "rsa.misc.user_div", setter: fld_set}]}, - "user_fname": {to:[{field: "rsa.identity.firstname", setter: fld_set}]}, - "user_lname": {to:[{field: "rsa.identity.lastname", setter: fld_set}]}, - "user_mname": {to:[{field: "rsa.identity.middlename", setter: fld_set}]}, - "user_org": {to:[{field: "rsa.identity.org", setter: fld_set}]}, - "user_role": {to:[{field: "rsa.identity.user_role", setter: fld_set}]}, - "userid": {to:[{field: "rsa.misc.userid", setter: fld_set}]}, - "username_fld": {to:[{field: "rsa.misc.username_fld", setter: fld_set}]}, - "utcstamp": {to:[{field: "rsa.misc.utcstamp", setter: fld_set}]}, - "v_instafname": {to:[{field: "rsa.misc.v_instafname", setter: fld_set}]}, - "vendor_event_cat": {to:[{field: "rsa.investigations.event_vcat", setter: fld_set}]}, - "version": {to:[{field: "rsa.misc.version", setter: fld_set}]}, - "vid": {to:[{field: "rsa.internal.msg_vid", setter: fld_set}]}, - "virt_data": {to:[{field: "rsa.misc.virt_data", setter: fld_set}]}, - "virusname": {to:[{field: "rsa.misc.virusname", setter: fld_set}]}, - "vlan": {convert: to_long, to:[{field: "rsa.network.vlan", setter: fld_set}]}, - "vlan.name": {to:[{field: "rsa.network.vlan_name", setter: fld_set}]}, - "vm_target": {to:[{field: "rsa.misc.vm_target", setter: fld_set}]}, - "vpnid": {to:[{field: "rsa.misc.vpnid", setter: fld_set}]}, - "vsys": {to:[{field: "rsa.misc.vsys", setter: fld_set}]}, - "vuln_ref": {to:[{field: "rsa.misc.vuln_ref", setter: fld_set}]}, - "web_cookie": {to:[{field: "rsa.web.web_cookie", setter: fld_set}]}, - "web_extension_tmp": {to:[{field: "rsa.web.web_extension_tmp", setter: fld_set}]}, - "web_host": {to:[{field: "rsa.web.alias_host", setter: fld_set}]}, - "web_method": {to:[{field: "rsa.misc.action", setter: fld_append}]}, - "web_page": {to:[{field: "rsa.web.web_page", setter: fld_set}]}, - "web_ref_domain": {to:[{field: "rsa.web.web_ref_domain", setter: fld_set}]}, - "web_ref_host": 
{to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "web_ref_page": {to:[{field: "rsa.web.web_ref_page", setter: fld_set}]}, - "web_ref_query": {to:[{field: "rsa.web.web_ref_query", setter: fld_set}]}, - "web_ref_root": {to:[{field: "rsa.web.web_ref_root", setter: fld_set}]}, - "wifi_channel": {convert: to_long, to:[{field: "rsa.wireless.wlan_channel", setter: fld_set}]}, - "wlan": {to:[{field: "rsa.wireless.wlan_name", setter: fld_set}]}, - "word": {to:[{field: "rsa.internal.word", setter: fld_set}]}, - "workspace_desc": {to:[{field: "rsa.misc.workspace", setter: fld_set}]}, - "workstation": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "year": {to:[{field: "rsa.time.year", setter: fld_set}]}, - "zone": {to:[{field: "rsa.network.zone", setter: fld_set}]}, - }; - - function to_date(value) { - switch (typeof (value)) { - case "object": - // This is a Date. But as it was obtained from evt.Get(), the VM - // doesn't see it as a JS Date anymore, thus value instanceof Date === false. - // Have to trust that any object here is a valid Date for Go. - return value; - case "string": - var asDate = new Date(value); - if (!isNaN(asDate)) return asDate; - } - } - - // ECMAScript 5.1 doesn't have Object.MAX_SAFE_INTEGER / Object.MIN_SAFE_INTEGER. - var maxSafeInt = Math.pow(2, 53) - 1; - var minSafeInt = -maxSafeInt; - - function to_long(value) { - var num = parseInt(value); - // Better not to index a number if it's not safe (above 53 bits). - return !isNaN(num) && minSafeInt <= num && num <= maxSafeInt ? 
num : undefined; - } - - function to_ip(value) { - if (value.indexOf(":") === -1) - return to_ipv4(value); - return to_ipv6(value); - } - - var ipv4_regex = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/; - var ipv6_hex_regex = /^[0-9A-Fa-f]{1,4}$/; - - function to_ipv4(value) { - var result = ipv4_regex.exec(value); - if (result == null || result.length !== 5) return; - for (var i = 1; i < 5; i++) { - var num = strictToInt(result[i]); - if (isNaN(num) || num < 0 || num > 255) return; - } - return value; - } - - function to_ipv6(value) { - var sqEnd = value.indexOf("]"); - if (sqEnd > -1) { - if (value.charAt(0) !== "[") return; - value = value.substr(1, sqEnd - 1); - } - var zoneOffset = value.indexOf("%"); - if (zoneOffset > -1) { - value = value.substr(0, zoneOffset); - } - var parts = value.split(":"); - if (parts == null || parts.length < 3 || parts.length > 8) return; - var numEmpty = 0; - var innerEmpty = 0; - for (var i = 0; i < parts.length; i++) { - if (parts[i].length === 0) { - numEmpty++; - if (i > 0 && i + 1 < parts.length) innerEmpty++; - } else if (!parts[i].match(ipv6_hex_regex) && - // Accept an IPv6 with a valid IPv4 at the end. - ((i + 1 < parts.length) || !to_ipv4(parts[i]))) { - return; - } - } - return innerEmpty === 0 && parts.length === 8 || innerEmpty === 1 ? value : undefined; - } - - function to_double(value) { - return parseFloat(value); - } - - function to_mac(value) { - // ES doesn't have a mac datatype so it's safe to ingest whatever was captured. - return value; - } - - function to_lowercase(value) { - // to_lowercase is used against keyword fields, which can accept - // any other type (numbers, dates). - return typeof(value) === "string"? 
value.toLowerCase() : value; - } - - function fld_set(dst, value) { - dst[this.field] = { v: value }; - } - - function fld_append(dst, value) { - if (dst[this.field] === undefined) { - dst[this.field] = { v: [value] }; - } else { - var base = dst[this.field]; - if (base.v.indexOf(value)===-1) base.v.push(value); - } - } - - function fld_prio(dst, value) { - if (dst[this.field] === undefined) { - dst[this.field] = { v: value, prio: this.prio}; - } else if(this.prio < dst[this.field].prio) { - dst[this.field].v = value; - dst[this.field].prio = this.prio; - } - } - - var valid_ecs_outcome = { - 'failure': true, - 'success': true, - 'unknown': true - }; - - function fld_ecs_outcome(dst, value) { - value = value.toLowerCase(); - if (valid_ecs_outcome[value] === undefined) { - value = 'unknown'; - } - if (dst[this.field] === undefined) { - dst[this.field] = { v: value }; - } else if (dst[this.field].v === 'unknown') { - dst[this.field] = { v: value }; - } - } - - function map_all(evt, targets, value) { - for (var i = 0; i < targets.length; i++) { - evt.Put(targets[i], value); - } - } - - function populate_fields(evt) { - var base = evt.Get(FIELDS_OBJECT); - if (base === null) return; - alternate_datetime(evt); - if (map_ecs) { - do_populate(evt, base, ecs_mappings); - } - if (map_rsa) { - do_populate(evt, base, rsa_mappings); - } - if (keep_raw) { - evt.Put("rsa.raw", base); - } - evt.Delete(FIELDS_OBJECT); - } - - var datetime_alt_components = [ - {field: "day", fmts: [[dF]]}, - {field: "year", fmts: [[dW]]}, - {field: "month", fmts: [[dB],[dG]]}, - {field: "date", fmts: [[dW,dSkip,dG,dSkip,dF],[dW,dSkip,dB,dSkip,dF],[dW,dSkip,dR,dSkip,dF]]}, - {field: "hour", fmts: [[dN]]}, - {field: "min", fmts: [[dU]]}, - {field: "secs", fmts: [[dO]]}, - {field: "time", fmts: [[dN, dSkip, dU, dSkip, dO]]}, - ]; - - function alternate_datetime(evt) { - if (evt.Get(FIELDS_PREFIX + "event_time") != null) { - return; - } - var tzOffset = tz_offset; - if (tzOffset === "event") { - 
tzOffset = evt.Get("event.timezone"); - } - var container = new DateContainer(tzOffset); - for (var i=0; i} ui=%{p0}"); - - var dup3 = match("MESSAGE#0:event_admin/1_0", "nwparser.p0", "%{network_service}(%{saddr}) action=%{p0}"); - - var dup4 = match("MESSAGE#0:event_admin/1_1", "nwparser.p0", "%{network_service->} action=%{p0}"); - - var dup5 = match("MESSAGE#0:event_admin/3_0", "nwparser.p0", "\"%{event_description}\""); - - var dup6 = match_copy("MESSAGE#0:event_admin/3_1", "nwparser.p0", "event_description"); - - var dup7 = setc("eventcategory","1401000000"); - - var dup8 = setf("msg","$MSG"); - - var dup9 = date_time({ - dest: "event_time", - args: ["hdate","htime"], - fmts: [ - [dW,dc("-"),dG,dc("-"),dF,dH,dc(":"),dU,dc(":"),dO], - ], - }); - - var dup10 = setf("hardware_id","hfld1"); - - var dup11 = setf("id","hfld2"); - - var dup12 = setf("id1","hfld3"); - - var dup13 = setf("event_type","msgIdPart1"); - - var dup14 = setf("category","msgIdPart2"); - - var dup15 = setf("severity","hseverity"); - - var dup16 = match("MESSAGE#1:event_pop3/2", "nwparser.p0", "%{action->} status=%{event_state->} msg=%{p0}"); - - var dup17 = setc("eventcategory","1602000000"); - - var dup18 = match("MESSAGE#5:event_smtp:01/0", "nwparser.payload", "user=%{username}ui=%{p0}"); - - var dup19 = match("MESSAGE#5:event_smtp:01/1_0", "nwparser.p0", "%{network_service}(%{hostip}) action=%{p0}"); - - var dup20 = match("MESSAGE#5:event_smtp:01/1_1", "nwparser.p0", "%{network_service}action=%{p0}"); - - var dup21 = match("MESSAGE#5:event_smtp:01/2", "nwparser.p0", "%{action}status=%{event_state}session_id=%{p0}"); - - var dup22 = match("MESSAGE#5:event_smtp:01/3_0", "nwparser.p0", "\"%{sessionid}\"msg=\"STARTTLS=%{p0}"); - - var dup23 = match("MESSAGE#5:event_smtp:01/3_1", "nwparser.p0", "%{sessionid}msg=\"STARTTLS=%{p0}"); - - var dup24 = match("MESSAGE#16:event_smtp/3_0", "nwparser.p0", "\"%{sessionid}\" msg=%{p0}"); - - var dup25 = match("MESSAGE#16:event_smtp/3_1", "nwparser.p0", 
"%{sessionid->} msg=%{p0}"); - - var dup26 = match("MESSAGE#20:virus/0", "nwparser.payload", "from=%{p0}"); - - var dup27 = match("MESSAGE#20:virus/1_0", "nwparser.p0", "\"%{from}\" to=%{p0}"); - - var dup28 = match("MESSAGE#20:virus/1_1", "nwparser.p0", "%{from->} to=%{p0}"); - - var dup29 = match("MESSAGE#20:virus/2_0", "nwparser.p0", "\"%{to}\" src=%{p0}"); - - var dup30 = match("MESSAGE#20:virus/2_1", "nwparser.p0", "%{to->} src=%{p0}"); - - var dup31 = match("MESSAGE#20:virus/3_0", "nwparser.p0", "\"%{saddr}\" session_id=%{p0}"); - - var dup32 = match("MESSAGE#20:virus/3_1", "nwparser.p0", "%{saddr->} session_id=%{p0}"); - - var dup33 = setc("eventcategory","1003010000"); - - var dup34 = setf("event_type","messageid"); - - var dup35 = match("MESSAGE#23:statistics/0", "nwparser.payload", "session_id=%{p0}"); - - var dup36 = match("MESSAGE#23:statistics/1_0", "nwparser.p0", "\"%{sessionid}\" from=%{p0}"); - - var dup37 = match("MESSAGE#23:statistics/1_1", "nwparser.p0", "%{sessionid->} from=%{p0}"); - - var dup38 = match("MESSAGE#23:statistics/2_0", "nwparser.p0", "\"%{from}\" mailer=%{p0}"); - - var dup39 = match("MESSAGE#23:statistics/2_1", "nwparser.p0", "%{from->} mailer=%{p0}"); - - var dup40 = match("MESSAGE#23:statistics/3_0", "nwparser.p0", "\"%{agent}\" client_name=\"%{p0}"); - - var dup41 = match("MESSAGE#23:statistics/3_1", "nwparser.p0", "%{agent->} client_name=\"%{p0}"); - - var dup42 = match("MESSAGE#23:statistics/4_0", "nwparser.p0", "%{fqdn->} [%{saddr}] (%{info})\"%{p0}"); - - var dup43 = match("MESSAGE#23:statistics/4_1", "nwparser.p0", "%{fqdn->} [%{saddr}]\"%{p0}"); - - var dup44 = match("MESSAGE#23:statistics/4_2", "nwparser.p0", "%{saddr}\"%{p0}"); - - var dup45 = match("MESSAGE#23:statistics/6_0", "nwparser.p0", "\"%{context}\" to=%{p0}"); - - var dup46 = match("MESSAGE#23:statistics/6_1", "nwparser.p0", "%{context->} to=%{p0}"); - - var dup47 = match("MESSAGE#23:statistics/7_0", "nwparser.p0", "\"%{to}\" direction=%{p0}"); - - var dup48 = 
match("MESSAGE#23:statistics/7_1", "nwparser.p0", "%{to->} direction=%{p0}"); - - var dup49 = match("MESSAGE#23:statistics/8_0", "nwparser.p0", "\"%{direction}\" message_length=%{p0}"); - - var dup50 = match("MESSAGE#23:statistics/8_1", "nwparser.p0", "%{direction->} message_length=%{p0}"); - - var dup51 = match("MESSAGE#23:statistics/9", "nwparser.p0", "%{fld4->} virus=%{p0}"); - - var dup52 = match("MESSAGE#23:statistics/10_0", "nwparser.p0", "\"%{virusname}\" disposition=%{p0}"); - - var dup53 = match("MESSAGE#23:statistics/10_1", "nwparser.p0", "%{virusname->} disposition=%{p0}"); - - var dup54 = match("MESSAGE#23:statistics/11_0", "nwparser.p0", "\"%{disposition}\" classifier=%{p0}"); - - var dup55 = match("MESSAGE#23:statistics/11_1", "nwparser.p0", "%{disposition->} classifier=%{p0}"); - - var dup56 = match("MESSAGE#23:statistics/12_0", "nwparser.p0", "\"%{filter}\" subject=%{p0}"); - - var dup57 = match("MESSAGE#23:statistics/12_1", "nwparser.p0", "%{filter->} subject=%{p0}"); - - var dup58 = match("MESSAGE#23:statistics/13_0", "nwparser.p0", "\"%{subject}\""); - - var dup59 = match_copy("MESSAGE#23:statistics/13_1", "nwparser.p0", "subject"); - - var dup60 = setc("eventcategory","1207000000"); - - var dup61 = match("MESSAGE#24:statistics:01/5", "nwparser.p0", "%{}resolved=%{p0}"); - - var dup62 = setc("eventcategory","1207040000"); - - var dup63 = linear_select([ - dup3, - dup4, - ]); - - var dup64 = linear_select([ - dup5, - dup6, - ]); - - var dup65 = linear_select([ - dup19, - dup20, - ]); - - var dup66 = linear_select([ - dup22, - dup23, - ]); - - var dup67 = linear_select([ - dup3, - dup20, - ]); - - var dup68 = linear_select([ - dup24, - dup25, - ]); - - var dup69 = linear_select([ - dup27, - dup28, - ]); - - var dup70 = linear_select([ - dup29, - dup30, - ]); - - var dup71 = linear_select([ - dup36, - dup37, - ]); - - var dup72 = linear_select([ - dup38, - dup39, - ]); - - var dup73 = linear_select([ - dup40, - dup41, - ]); - - var dup74 = 
linear_select([ - dup42, - dup43, - dup44, - ]); - - var dup75 = linear_select([ - dup45, - dup46, - ]); - - var dup76 = linear_select([ - dup47, - dup48, - ]); - - var dup77 = linear_select([ - dup49, - dup50, - ]); - - var dup78 = linear_select([ - dup52, - dup53, - ]); - - var dup79 = linear_select([ - dup54, - dup55, - ]); - - var dup80 = linear_select([ - dup56, - dup57, - ]); - - var dup81 = linear_select([ - dup58, - dup59, - ]); - - var dup82 = all_match({ - processors: [ - dup2, - dup63, - dup16, - dup64, - ], - on_success: processor_chain([ - dup17, - dup8, - dup9, - dup10, - dup11, - dup12, - dup13, - dup14, - dup15, - ]), - }); - - var hdr1 = match("HEADER#0:0001", "message", "date=%{hdate->} time=%{htime->} device_id=%{hfld1->} log_id=%{hfld2->} log_part=%{hfld3->} type=%{msgIdPart1->} subtype=%{msgIdPart2->} pri=%{hseverity->} %{payload}", processor_chain([ - setc("header_id","0001"), - dup1, - ])); - - var hdr2 = match("HEADER#1:0002", "message", "date=%{hdate->} time=%{htime->} device_id=%{hfld1->} log_id=%{hfld2->} log_part=%{hfld3->} type=%{messageid->} pri=%{hseverity->} %{payload}", processor_chain([ - setc("header_id","0002"), - ])); - - var hdr3 = match("HEADER#2:0003", "message", "date=%{hdate->} time=%{htime->} device_id=%{hfld1->} log_id=%{hfld2->} type=%{msgIdPart1->} subtype=%{msgIdPart2->} pri=%{hseverity->} %{payload}", processor_chain([ - setc("header_id","0003"), - dup1, - ])); - - var hdr4 = match("HEADER#3:0004", "message", "date=%{hdate->} time=%{htime->} device_id=%{hfld1->} log_id=%{hfld2->} type=%{messageid->} pri=%{hseverity->} %{payload}", processor_chain([ - setc("header_id","0004"), - ])); - - var select1 = linear_select([ - hdr1, - hdr2, - hdr3, - hdr4, - ]); - - var part1 = match("MESSAGE#0:event_admin/2", "nwparser.p0", "%{action->} status=%{event_state->} reason=%{result->} msg=%{p0}"); - - var all1 = all_match({ - processors: [ - dup2, - dup63, - part1, - dup64, - ], - on_success: processor_chain([ - dup7, - dup8, - 
dup9, - dup10, - dup11, - dup12, - dup13, - dup14, - dup15, - ]), - }); - - var msg1 = msg("event_admin", all1); - - var msg2 = msg("event_pop3", dup82); - - var all2 = all_match({ - processors: [ - dup2, - dup63, - dup16, - dup64, - ], - on_success: processor_chain([ - dup7, - dup8, - dup9, - dup10, - dup11, - dup12, - dup13, - dup14, - dup15, - ]), - }); - - var msg3 = msg("event_webmail", all2); - - var msg4 = msg("event_system", dup82); - - var msg5 = msg("event_imap", dup82); - - var part2 = match("MESSAGE#5:event_smtp:01/4", "nwparser.p0", "%{fld1}, relay=%{p0}"); - - var part3 = match("MESSAGE#5:event_smtp:01/5_0", "nwparser.p0", "%{shost}[%{saddr}], version=%{p0}"); - - var part4 = match("MESSAGE#5:event_smtp:01/5_1", "nwparser.p0", "%{shost}, version=%{p0}"); - - var select2 = linear_select([ - part3, - part4, - ]); - - var part5 = match("MESSAGE#5:event_smtp:01/6", "nwparser.p0", "%{version}, verify=%{fld2}, cipher=%{s_cipher}, bits=%{fld3}\""); - - var all3 = all_match({ - processors: [ - dup18, - dup65, - dup21, - dup66, - part2, - select2, - part5, - ], - on_success: processor_chain([ - dup17, - dup8, - dup9, - dup10, - dup11, - dup12, - dup13, - dup14, - dup15, - ]), - }); - - var msg6 = msg("event_smtp:01", all3); - - var part6 = match("MESSAGE#6:event_smtp:02/4", "nwparser.p0", "%{fld1}, cert-subject=%{cert_subject}, cert-issuer=%{fld2}, verifymsg=%{fld3}\""); - - var all4 = all_match({ - processors: [ - dup18, - dup65, - dup21, - dup66, - part6, - ], - on_success: processor_chain([ - dup17, - dup8, - dup9, - dup10, - dup11, - dup12, - dup13, - dup14, - dup15, - ]), - }); - - var msg7 = msg("event_smtp:02", all4); - - var part7 = match("MESSAGE#7:event_smtp:03/2", "nwparser.p0", "%{action}status=%{event_state}session_id=\"%{sessionid}\" msg=\"to=\u003c\u003c%{to}>, delay=%{fld1}, xdelay=%{fld2}, mailer=%{protocol}, pri=%{fld3}, relay=%{shost}[%{saddr}], dsn=%{fld4}, stat=%{fld5}\""); - - var all5 = all_match({ - processors: [ - dup18, - dup65, - 
part7, - ], - on_success: processor_chain([ - dup17, - dup8, - dup9, - dup10, - dup11, - dup12, - dup13, - dup14, - dup15, - ]), - }); - - var msg8 = msg("event_smtp:03", all5); - - var part8 = match("MESSAGE#8:event_smtp:04/0", "nwparser.payload", "user=%{username}ui=%{network_service}action=%{action}status=%{event_state}session_id=\"%{sessionid}\" msg=\"from=\u003c\u003c%{from}>, size=%{bytes}, class=%{fld2}, nrcpts=%{p0}"); - - var part9 = match("MESSAGE#8:event_smtp:04/1_0", "nwparser.p0", "%{fld3}, msgid=\u003c\u003c%{fld4}>, proto=%{p0}"); - - var part10 = match("MESSAGE#8:event_smtp:04/1_1", "nwparser.p0", "%{fld3}, proto=%{p0}"); - - var select3 = linear_select([ - part9, - part10, - ]); - - var part11 = match("MESSAGE#8:event_smtp:04/2", "nwparser.p0", "%{protocol}, daemon=%{process}, relay=%{p0}"); - - var part12 = match("MESSAGE#8:event_smtp:04/3_0", "nwparser.p0", "%{shost}[%{saddr}] (may be forged)\""); - - var part13 = match("MESSAGE#8:event_smtp:04/3_1", "nwparser.p0", "%{shost}[%{saddr}]\""); - - var part14 = match("MESSAGE#8:event_smtp:04/3_2", "nwparser.p0", "%{shost}\""); - - var select4 = linear_select([ - part12, - part13, - part14, - ]); - - var all6 = all_match({ - processors: [ - part8, - select3, - part11, - select4, - ], - on_success: processor_chain([ - dup17, - dup8, - dup9, - dup10, - dup11, - dup12, - dup13, - dup14, - dup15, - ]), - }); - - var msg9 = msg("event_smtp:04", all6); - - var part15 = match("MESSAGE#9:event_smtp:05/2", "nwparser.p0", "%{action}status=%{event_state}session_id=\"%{sessionid}\" msg=\"Milter: to=\u003c\u003c%{to}>, reject=%{fld1}\""); - - var all7 = all_match({ - processors: [ - dup18, - dup67, - part15, - ], - on_success: processor_chain([ - dup17, - dup8, - dup9, - dup10, - dup11, - dup12, - dup13, - dup14, - dup15, - ]), - }); - - var msg10 = msg("event_smtp:05", all7); - - var part16 = match("MESSAGE#10:event_smtp:06/2", "nwparser.p0", "%{action}status=%{event_state}session_id=\"%{sessionid}\" msg=\"timeout 
waiting for input from%{p0}"); - - var part17 = match("MESSAGE#10:event_smtp:06/3_0", "nwparser.p0", "[%{saddr}]during server cmd%{p0}"); - - var part18 = match("MESSAGE#10:event_smtp:06/3_1", "nwparser.p0", "%{saddr}during server cmd%{p0}"); - - var select5 = linear_select([ - part17, - part18, - ]); - - var part19 = match("MESSAGE#10:event_smtp:06/4", "nwparser.p0", "%{fld5}\""); - - var all8 = all_match({ - processors: [ - dup18, - dup65, - part16, - select5, - part19, - ], - on_success: processor_chain([ - dup17, - dup8, - dup9, - dup10, - dup11, - dup12, - dup13, - dup14, - dup15, - ]), - }); - - var msg11 = msg("event_smtp:06", all8); - - var part20 = match("MESSAGE#11:event_smtp:07/2", "nwparser.p0", "%{action}status=%{event_state}session_id=\"%{sessionid}\" msg=\"collect:%{fld1}timeout on connection from%{shost}, from=\u003c\u003c%{from}>\""); - - var all9 = all_match({ - processors: [ - dup18, - dup67, - part20, - ], - on_success: processor_chain([ - dup17, - dup8, - dup9, - dup10, - dup11, - dup12, - dup13, - dup14, - dup15, - ]), - }); - - var msg12 = msg("event_smtp:07", all9); - - var part21 = match("MESSAGE#12:event_smtp:08/2", "nwparser.p0", "%{action}status=%{event_state}session_id=\"%{sessionid}\" msg=\"DSN: to \u003c\u003c%{to}>; reason:%{result}; sessionid:%{fld5}\""); - - var all10 = all_match({ - processors: [ - dup18, - dup67, - part21, - ], - on_success: processor_chain([ - dup17, - dup8, - dup9, - dup10, - dup11, - dup12, - dup13, - dup14, - dup15, - ]), - }); - - var msg13 = msg("event_smtp:08", all10); - - var part22 = match("MESSAGE#13:event_smtp:09/2", "nwparser.p0", "%{action}status=%{event_state}session_id=\"%{sessionid}\" msg=\"lost input channel from%{shost}[%{saddr}] (may be forged) to SMTP_MTA after rcpt\""); - - var all11 = all_match({ - processors: [ - dup18, - dup65, - part22, - ], - on_success: processor_chain([ - dup17, - dup8, - dup9, - dup10, - dup11, - dup12, - dup13, - dup14, - dup15, - ]), - }); - - var msg14 = 
msg("event_smtp:09", all11); - - var part23 = match("MESSAGE#14:event_smtp:10/2", "nwparser.p0", "%{action}status=%{event_state}session_id=\"%{sessionid}\" msg=\"%{shost}[%{saddr}]: possible SMTP attack: command=%{fld1}, count=%{dclass_counter1}\""); - - var all12 = all_match({ - processors: [ - dup18, - dup65, - part23, - ], - on_success: processor_chain([ - dup17, - dup8, - dup9, - dup10, - dup11, - dup12, - dup13, - dup14, - dup15, - setc("dclass_counter1_string","count"), - ]), - }); - - var msg15 = msg("event_smtp:10", all12); - - var part24 = match("MESSAGE#15:event_smtp:11/2", "nwparser.p0", "%{action}status=%{event_state}session_id=\"%{sessionid}\" log_part=%{id1->} msg=\"to=\u003c\u003c%{to}, delay=%{p0}"); - - var part25 = match("MESSAGE#15:event_smtp:11/3_0", "nwparser.p0", "%{fld1}, xdelay=%{fld2}, mailer=%{protocol}, pri=%{fld3}, relay=%{shost}\""); - - var part26 = match("MESSAGE#15:event_smtp:11/3_1", "nwparser.p0", "%{fld1}, xdelay=%{fld2}, mailer=%{protocol}, pri=%{fld3}\""); - - var part27 = match("MESSAGE#15:event_smtp:11/3_2", "nwparser.p0", "%{fld1}, xdelay=%{fld2}, mailer=%{protocol}\""); - - var part28 = match("MESSAGE#15:event_smtp:11/3_3", "nwparser.p0", "%{fld1}\""); - - var select6 = linear_select([ - part25, - part26, - part27, - part28, - ]); - - var all13 = all_match({ - processors: [ - dup18, - dup65, - part24, - select6, - ], - on_success: processor_chain([ - dup17, - dup8, - dup9, - dup10, - dup11, - dup12, - dup13, - dup14, - dup15, - ]), - }); - - var msg16 = msg("event_smtp:11", all13); - - var part29 = match("MESSAGE#16:event_smtp/2", "nwparser.p0", "%{action->} status=%{event_state->} session_id=%{p0}"); - - var all14 = all_match({ - processors: [ - dup2, - dup63, - part29, - dup68, - dup64, - ], - on_success: processor_chain([ - dup17, - dup8, - dup9, - dup10, - dup11, - dup12, - dup13, - dup14, - dup15, - ]), - }); - - var msg17 = msg("event_smtp", all14); - - var part30 = tagval("MESSAGE#17:event_smtp:12", 
"nwparser.payload", tvm, { - "action": "action", - "log_part": "id1", - "msg": "info", - "session_id": "sessionid", - "status": "event_state", - "ui": "network_service", - "user": "username", - }, processor_chain([ - dup17, - dup8, - dup9, - dup10, - dup11, - dup12, - dup13, - dup14, - dup15, - ])); - - var msg18 = msg("event_smtp:12", part30); - - var select7 = linear_select([ - msg6, - msg7, - msg8, - msg9, - msg10, - msg11, - msg12, - msg13, - msg14, - msg15, - msg16, - msg17, - msg18, - ]); - - var part31 = match("MESSAGE#18:event_update/0", "nwparser.payload", "msg=%{p0}"); - - var all15 = all_match({ - processors: [ - part31, - dup64, - ], - on_success: processor_chain([ - dup17, - dup8, - dup9, - dup10, - dup11, - dup12, - dup13, - dup14, - dup15, - ]), - }); - - var msg19 = msg("event_update", all15); - - var part32 = match("MESSAGE#19:event_config/1_0", "nwparser.p0", "%{network_service}(%{saddr}) module=%{p0}"); - - var part33 = match("MESSAGE#19:event_config/1_1", "nwparser.p0", "%{network_service->} module=%{p0}"); - - var select8 = linear_select([ - part32, - part33, - ]); - - var part34 = match("MESSAGE#19:event_config/2", "nwparser.p0", "%{fld1->} submodule=%{fld2->} msg=%{p0}"); - - var all16 = all_match({ - processors: [ - dup2, - select8, - part34, - dup64, - ], - on_success: processor_chain([ - setc("eventcategory","1701000000"), - dup8, - dup9, - dup10, - dup11, - dup12, - dup13, - dup14, - dup15, - ]), - }); - - var msg20 = msg("event_config", all16); - - var select9 = linear_select([ - dup31, - dup32, - ]); - - var all17 = all_match({ - processors: [ - dup26, - dup69, - dup70, - select9, - dup68, - dup64, - ], - on_success: processor_chain([ - dup33, - dup8, - dup9, - dup10, - dup11, - dup12, - dup34, - dup15, - ]), - }); - - var msg21 = msg("virus", all17); - - var part35 = match("MESSAGE#21:virus_infected/2_0", "nwparser.p0", "\"%{to}\" client_name=\"%{p0}"); - - var part36 = match("MESSAGE#21:virus_infected/2_1", "nwparser.p0", "%{to->} 
client_name=\"%{p0}"); - - var select10 = linear_select([ - part35, - part36, - ]); - - var part37 = match("MESSAGE#21:virus_infected/3", "nwparser.p0", "%{fqdn}\" client_ip=\"%{saddr}\" session_id=%{p0}"); - - var all18 = all_match({ - processors: [ - dup26, - dup69, - select10, - part37, - dup68, - dup64, - ], - on_success: processor_chain([ - dup33, - dup8, - dup9, - dup10, - dup11, - dup12, - dup13, - dup15, - ]), - }); - - var msg22 = msg("virus_infected", all18); - - var part38 = match("MESSAGE#22:virus_file-signature/0_0", "nwparser.payload", "from=\"%{from}\" to=%{p0}"); - - var part39 = match("MESSAGE#22:virus_file-signature/0_1", "nwparser.payload", "%{from->} to=%{p0}"); - - var select11 = linear_select([ - part38, - part39, - ]); - - var part40 = match("MESSAGE#22:virus_file-signature/2_0", "nwparser.p0", "\"%{sdomain->} [%{saddr}]\" session_id=%{p0}"); - - var part41 = match("MESSAGE#22:virus_file-signature/2_1", "nwparser.p0", "%{sdomain->} [%{saddr}] session_id=%{p0}"); - - var part42 = match("MESSAGE#22:virus_file-signature/2_2", "nwparser.p0", "\"[%{saddr}]\" session_id=%{p0}"); - - var part43 = match("MESSAGE#22:virus_file-signature/2_3", "nwparser.p0", "[%{saddr}] session_id=%{p0}"); - - var select12 = linear_select([ - part40, - part41, - part42, - part43, - dup31, - dup32, - ]); - - var part44 = match("MESSAGE#22:virus_file-signature/4_0", "nwparser.p0", "\"Attachment file (%(unknown)) has sha1 hash value: %{checksum}\""); - - var select13 = linear_select([ - part44, - dup5, - dup6, - ]); - - var all19 = all_match({ - processors: [ - select11, - dup70, - select12, - dup68, - select13, - ], - on_success: processor_chain([ - dup33, - dup8, - dup9, - dup10, - dup11, - dup12, - dup34, - dup15, - ]), - }); - - var msg23 = msg("virus_file-signature", all19); - - var part45 = match("MESSAGE#23:statistics/5", "nwparser.p0", "%{}MSISDN=%{fld3->} resolved=%{p0}"); - - var all20 = all_match({ - processors: [ - dup35, - dup71, - dup72, - dup73, - dup74, - 
part45, - dup75, - dup76, - dup77, - dup51, - dup78, - dup79, - dup80, - dup81, - ], - on_success: processor_chain([ - dup60, - dup8, - dup9, - dup10, - dup11, - dup12, - dup34, - dup15, - ]), - }); - - var msg24 = msg("statistics", all20); - - var all21 = all_match({ - processors: [ - dup35, - dup71, - dup72, - dup73, - dup74, - dup61, - dup75, - dup76, - dup77, - dup51, - dup78, - dup79, - dup80, - dup81, - ], - on_success: processor_chain([ - dup60, - dup8, - dup9, - dup10, - dup11, - dup12, - dup34, - dup15, - ]), - }); - - var msg25 = msg("statistics:01", all21); - - var part46 = match("MESSAGE#25:statistics:02/4_0", "nwparser.p0", "\"%{direction}\" subject=%{p0}"); - - var part47 = match("MESSAGE#25:statistics:02/4_1", "nwparser.p0", "%{direction->} subject=%{p0}"); - - var select14 = linear_select([ - part46, - part47, - ]); - - var part48 = match("MESSAGE#25:statistics:02/5_0", "nwparser.p0", "\"%{subject}\" classifier=%{p0}"); - - var part49 = match("MESSAGE#25:statistics:02/5_1", "nwparser.p0", "%{subject->} classifier=%{p0}"); - - var select15 = linear_select([ - part48, - part49, - ]); - - var part50 = match("MESSAGE#25:statistics:02/6_0", "nwparser.p0", "\"%{filter}\" disposition=%{p0}"); - - var part51 = match("MESSAGE#25:statistics:02/6_1", "nwparser.p0", "%{filter->} disposition=%{p0}"); - - var select16 = linear_select([ - part50, - part51, - ]); - - var part52 = match("MESSAGE#25:statistics:02/7_0", "nwparser.p0", "\"%{disposition}\" client_name=\"%{p0}"); - - var part53 = match("MESSAGE#25:statistics:02/7_1", "nwparser.p0", "%{disposition->} client_name=\"%{p0}"); - - var select17 = linear_select([ - part52, - part53, - ]); - - var part54 = match("MESSAGE#25:statistics:02/10_0", "nwparser.p0", "\"%{context}\" virus=%{p0}"); - - var part55 = match("MESSAGE#25:statistics:02/10_1", "nwparser.p0", "%{context->} virus=%{p0}"); - - var select18 = linear_select([ - part54, - part55, - ]); - - var part56 = match("MESSAGE#25:statistics:02/11_0", 
"nwparser.p0", "\"%{virusname}\" message_length=%{p0}"); - - var part57 = match("MESSAGE#25:statistics:02/11_1", "nwparser.p0", "%{virusname->} message_length=%{p0}"); - - var select19 = linear_select([ - part56, - part57, - ]); - - var part58 = match_copy("MESSAGE#25:statistics:02/12", "nwparser.p0", "fld4"); - - var all22 = all_match({ - processors: [ - dup35, - dup71, - dup69, - dup76, - select14, - select15, - select16, - select17, - dup74, - dup61, - select18, - select19, - part58, - ], - on_success: processor_chain([ - dup60, - dup8, - dup9, - dup10, - dup11, - dup12, - dup34, - dup15, - ]), - }); - - var msg26 = msg("statistics:02", all22); - - var part59 = match("MESSAGE#26:statistics:03/0", "nwparser.payload", "session_id=\"%{sessionid}\" client_name=\"%{p0}"); - - var part60 = match("MESSAGE#26:statistics:03/1_0", "nwparser.p0", "%{fqdn}[%{saddr}] (may be forged)\"%{p0}"); - - var part61 = match("MESSAGE#26:statistics:03/1_1", "nwparser.p0", "%{fqdn}[%{saddr}]\"%{p0}"); - - var part62 = match("MESSAGE#26:statistics:03/1_2", "nwparser.p0", "[%{saddr}]\"%{p0}"); - - var select20 = linear_select([ - part60, - part61, - part62, - ]); - - var part63 = match("MESSAGE#26:statistics:03/2", "nwparser.p0", "dst_ip=\"%{daddr}\" from=\"%{from}\" to=\"%{to}\"%{p0}"); - - var part64 = match("MESSAGE#26:statistics:03/3_0", "nwparser.p0", " polid=\"%{fld5}\" domain=\"%{domain}\" subject=\"%{subject}\" mailer=\"%{agent}\" resolved=\"%{context}\"%{p0}"); - - var part65 = match_copy("MESSAGE#26:statistics:03/3_1", "nwparser.p0", "p0"); - - var select21 = linear_select([ - part64, - part65, - ]); - - var part66 = match("MESSAGE#26:statistics:03/4", "nwparser.p0", "%{}direction=\"%{direction}\" virus=\"%{virusname}\" disposition=\"%{disposition}\" classifier=\"%{filter}\" message_length=%{fld4}"); - - var all23 = all_match({ - processors: [ - part59, - select20, - part63, - select21, - part66, - ], - on_success: processor_chain([ - dup60, - dup8, - dup9, - dup10, - dup11, - 
dup12, - dup34, - dup15, - ]), - }); - - var msg27 = msg("statistics:03", all23); - - var part67 = match("MESSAGE#27:statistics:04/1_0", "nwparser.p0", "\"%{sessionid}\" client_name=%{p0}"); - - var part68 = match("MESSAGE#27:statistics:04/1_1", "nwparser.p0", "%{sessionid->} client_name=%{p0}"); - - var select22 = linear_select([ - part67, - part68, - ]); - - var part69 = match("MESSAGE#27:statistics:04/2_0", "nwparser.p0", "\"%{fqdn}[%{saddr}]\"dst_ip=%{p0}"); - - var part70 = match("MESSAGE#27:statistics:04/2_1", "nwparser.p0", "%{fqdn}[%{saddr}]dst_ip=%{p0}"); - - var part71 = match("MESSAGE#27:statistics:04/2_2", "nwparser.p0", "\"[%{saddr}]\"dst_ip=%{p0}"); - - var part72 = match("MESSAGE#27:statistics:04/2_3", "nwparser.p0", "[%{saddr}]dst_ip=%{p0}"); - - var part73 = match("MESSAGE#27:statistics:04/2_4", "nwparser.p0", "\"%{saddr}\"dst_ip=%{p0}"); - - var part74 = match("MESSAGE#27:statistics:04/2_5", "nwparser.p0", "%{saddr}dst_ip=%{p0}"); - - var select23 = linear_select([ - part69, - part70, - part71, - part72, - part73, - part74, - ]); - - var part75 = match("MESSAGE#27:statistics:04/3_0", "nwparser.p0", "\"%{daddr}\" from=%{p0}"); - - var part76 = match("MESSAGE#27:statistics:04/3_1", "nwparser.p0", "%{daddr->} from=%{p0}"); - - var select24 = linear_select([ - part75, - part76, - ]); - - var part77 = match("MESSAGE#27:statistics:04/4_0", "nwparser.p0", "\"%{from}\" hfrom=%{p0}"); - - var part78 = match("MESSAGE#27:statistics:04/4_1", "nwparser.p0", "%{from->} hfrom=%{p0}"); - - var select25 = linear_select([ - part77, - part78, - ]); - - var part79 = match("MESSAGE#27:statistics:04/5_0", "nwparser.p0", "\"%{fld3}\" to=%{p0}"); - - var part80 = match("MESSAGE#27:statistics:04/5_1", "nwparser.p0", "%{fld3->} to=%{p0}"); - - var select26 = linear_select([ - part79, - part80, - ]); - - var part81 = match("MESSAGE#27:statistics:04/6_0", "nwparser.p0", "\"%{to}\" polid=%{p0}"); - - var part82 = match("MESSAGE#27:statistics:04/6_1", "nwparser.p0", "%{to->} 
polid=%{p0}"); - - var select27 = linear_select([ - part81, - part82, - ]); - - var part83 = match("MESSAGE#27:statistics:04/7_0", "nwparser.p0", "\"%{fld5}\" domain=%{p0}"); - - var part84 = match("MESSAGE#27:statistics:04/7_1", "nwparser.p0", "%{fld5->} domain=%{p0}"); - - var select28 = linear_select([ - part83, - part84, - ]); - - var part85 = match("MESSAGE#27:statistics:04/8_0", "nwparser.p0", "\"%{domain}\" subject=%{p0}"); - - var part86 = match("MESSAGE#27:statistics:04/8_1", "nwparser.p0", "%{domain->} subject=%{p0}"); - - var select29 = linear_select([ - part85, - part86, - ]); - - var part87 = match("MESSAGE#27:statistics:04/9_0", "nwparser.p0", "\"%{subject}\" mailer=%{p0}"); - - var part88 = match("MESSAGE#27:statistics:04/9_1", "nwparser.p0", "%{subject->} mailer=%{p0}"); - - var select30 = linear_select([ - part87, - part88, - ]); - - var part89 = match("MESSAGE#27:statistics:04/10_0", "nwparser.p0", "\"%{agent}\" resolved=%{p0}"); - - var part90 = match("MESSAGE#27:statistics:04/10_1", "nwparser.p0", "%{agent->} resolved=%{p0}"); - - var select31 = linear_select([ - part89, - part90, - ]); - - var part91 = match("MESSAGE#27:statistics:04/11_0", "nwparser.p0", "\"%{context}\" direction=%{p0}"); - - var part92 = match("MESSAGE#27:statistics:04/11_1", "nwparser.p0", "%{context->} direction=%{p0}"); - - var select32 = linear_select([ - part91, - part92, - ]); - - var part93 = match("MESSAGE#27:statistics:04/12_0", "nwparser.p0", "\"%{direction}\" virus=%{p0}"); - - var part94 = match("MESSAGE#27:statistics:04/12_1", "nwparser.p0", "%{direction->} virus=%{p0}"); - - var select33 = linear_select([ - part93, - part94, - ]); - - var part95 = match("MESSAGE#27:statistics:04/15_0", "nwparser.p0", "\"%{filter}\" message_length=%{p0}"); - - var part96 = match("MESSAGE#27:statistics:04/15_1", "nwparser.p0", "%{filter->} message_length=%{p0}"); - - var select34 = linear_select([ - part95, - part96, - ]); - - var part97 = match("MESSAGE#27:statistics:04/16_0", 
"nwparser.p0", "\"%{fld6}\""); - - var part98 = match_copy("MESSAGE#27:statistics:04/16_1", "nwparser.p0", "fld6"); - - var select35 = linear_select([ - part97, - part98, - ]); - - var all24 = all_match({ - processors: [ - dup35, - select22, - select23, - select24, - select25, - select26, - select27, - select28, - select29, - select30, - select31, - select32, - select33, - dup78, - dup79, - select34, - select35, - ], - on_success: processor_chain([ - dup60, - dup8, - dup9, - dup10, - dup11, - dup12, - dup34, - dup15, - ]), - }); - - var msg28 = msg("statistics:04", all24); - - var part99 = tagval("MESSAGE#28:statistics:05", "nwparser.payload", tvm, { - "classifier": "filter", - "client_ip": "saddr", - "client_name": "fqdn", - "direction": "direction", - "disposition": "disposition", - "domain": "domain", - "dst_ip": "daddr", - "from": "from", - "hfrom": "fld3", - "mailer": "agent", - "message_length": "fld6", - "polid": "fld5", - "resolved": "context", - "session_id": "sessionid", - "src_type": "fld7", - "subject": "subject", - "to": "to", - "virus": "virusname", - }, processor_chain([ - dup60, - dup8, - dup9, - dup10, - dup11, - dup12, - dup34, - dup15, - ])); - - var msg29 = msg("statistics:05", part99); - - var select36 = linear_select([ - msg24, - msg25, - msg26, - msg27, - msg28, - msg29, - ]); - - var part100 = match("MESSAGE#29:spam/1_0", "nwparser.p0", "\"%{sessionid}\" client_name=\"%{p0}"); - - var part101 = match("MESSAGE#29:spam/1_1", "nwparser.p0", "%{sessionid->} client_name=\"%{p0}"); - - var select37 = linear_select([ - part100, - part101, - ]); - - var part102 = match("MESSAGE#29:spam/3", "nwparser.p0", "%{}from=%{p0}"); - - var part103 = match("MESSAGE#29:spam/5_0", "nwparser.p0", "\"%{to}\" subject=%{p0}"); - - var part104 = match("MESSAGE#29:spam/5_1", "nwparser.p0", "%{to->} subject=%{p0}"); - - var select38 = linear_select([ - part103, - part104, - ]); - - var part105 = match("MESSAGE#29:spam/6_0", "nwparser.p0", "\"%{subject}\" msg=%{p0}"); - 
- var part106 = match("MESSAGE#29:spam/6_1", "nwparser.p0", "%{subject->} msg=%{p0}"); - - var select39 = linear_select([ - part105, - part106, - ]); - - var all25 = all_match({ - processors: [ - dup35, - select37, - dup74, - part102, - dup69, - select38, - select39, - dup64, - ], - on_success: processor_chain([ - dup62, - dup8, - dup9, - dup10, - dup11, - dup12, - dup34, - dup15, - ]), - }); - - var msg30 = msg("spam", all25); - - var part107 = match("MESSAGE#30:spam:04", "nwparser.payload", "session_id=\"%{sessionid}\" client_name=\"%{fqdn->} [%{saddr}] (%{fld2})\" dst_ip=\"%{daddr}\" from=\"%{from}\" to=\"%{to}\" subject=\"%{subject}\" msg=\"%{event_description}\"", processor_chain([ - dup62, - dup8, - dup9, - dup10, - dup11, - dup12, - dup34, - dup15, - ])); - - var msg31 = msg("spam:04", part107); - - var part108 = match("MESSAGE#31:spam:03/0", "nwparser.payload", "session_id=\"%{sessionid}\" client_name=%{p0}"); - - var part109 = match("MESSAGE#31:spam:03/1_0", "nwparser.p0", "\"%{fqdn->} [%{saddr}]\" %{p0}"); - - var part110 = match("MESSAGE#31:spam:03/1_1", "nwparser.p0", " \"%{fqdn}\" client_ip=\"%{saddr}\"%{p0}"); - - var select40 = linear_select([ - part109, - part110, - ]); - - var part111 = match("MESSAGE#31:spam:03/2", "nwparser.p0", "%{}dst_ip=\"%{daddr}\" from=\"%{from}\" to=\"%{to}\" subject=\"%{subject}\" msg=\"%{event_description}\""); - - var all26 = all_match({ - processors: [ - part108, - select40, - part111, - ], - on_success: processor_chain([ - dup62, - dup8, - dup9, - dup10, - dup11, - dup12, - dup34, - dup15, - ]), - }); - - var msg32 = msg("spam:03", all26); - - var part112 = match("MESSAGE#32:spam:02", "nwparser.payload", "session_id=\"%{sessionid}\" from=\"%{from}\" to=\"%{to}\" subject=\"%{subject}\" msg=\"%{event_description}\"", processor_chain([ - dup62, - dup8, - dup9, - dup10, - dup11, - dup12, - dup34, - dup15, - ])); - - var msg33 = msg("spam:02", part112); - - var part113 = match("MESSAGE#33:spam:01/3_0", "nwparser.p0", 
"\"%{to}\" msg=%{p0}"); - - var part114 = match("MESSAGE#33:spam:01/3_1", "nwparser.p0", "%{to->} msg=%{p0}"); - - var select41 = linear_select([ - part113, - part114, - ]); - - var all27 = all_match({ - processors: [ - dup35, - dup71, - dup69, - select41, - dup64, - ], - on_success: processor_chain([ - dup62, - dup8, - dup9, - dup10, - dup11, - dup12, - dup34, - dup15, - ]), - }); - - var msg34 = msg("spam:01", all27); - - var select42 = linear_select([ - msg30, - msg31, - msg32, - msg33, - msg34, - ]); - - var chain1 = processor_chain([ - select1, - msgid_select({ - "event_admin": msg1, - "event_config": msg20, - "event_imap": msg5, - "event_pop3": msg2, - "event_smtp": select7, - "event_system": msg4, - "event_update": msg19, - "event_webmail": msg3, - "spam": select42, - "statistics": select36, - "virus": msg21, - "virus_file-signature": msg23, - "virus_infected": msg22, - }), - ]); - - var part115 = match("MESSAGE#0:event_admin/0", "nwparser.payload", "user=%{username->} ui=%{p0}"); - - var part116 = match("MESSAGE#0:event_admin/1_0", "nwparser.p0", "%{network_service}(%{saddr}) action=%{p0}"); - - var part117 = match("MESSAGE#0:event_admin/1_1", "nwparser.p0", "%{network_service->} action=%{p0}"); - - var part118 = match("MESSAGE#0:event_admin/3_0", "nwparser.p0", "\"%{event_description}\""); - - var part119 = match_copy("MESSAGE#0:event_admin/3_1", "nwparser.p0", "event_description"); - - var part120 = match("MESSAGE#1:event_pop3/2", "nwparser.p0", "%{action->} status=%{event_state->} msg=%{p0}"); - - var part121 = match("MESSAGE#5:event_smtp:01/0", "nwparser.payload", "user=%{username}ui=%{p0}"); - - var part122 = match("MESSAGE#5:event_smtp:01/1_0", "nwparser.p0", "%{network_service}(%{hostip}) action=%{p0}"); - - var part123 = match("MESSAGE#5:event_smtp:01/1_1", "nwparser.p0", "%{network_service}action=%{p0}"); - - var part124 = match("MESSAGE#5:event_smtp:01/2", "nwparser.p0", "%{action}status=%{event_state}session_id=%{p0}"); - - var part125 = 
match("MESSAGE#5:event_smtp:01/3_0", "nwparser.p0", "\"%{sessionid}\"msg=\"STARTTLS=%{p0}"); - - var part126 = match("MESSAGE#5:event_smtp:01/3_1", "nwparser.p0", "%{sessionid}msg=\"STARTTLS=%{p0}"); - - var part127 = match("MESSAGE#16:event_smtp/3_0", "nwparser.p0", "\"%{sessionid}\" msg=%{p0}"); - - var part128 = match("MESSAGE#16:event_smtp/3_1", "nwparser.p0", "%{sessionid->} msg=%{p0}"); - - var part129 = match("MESSAGE#20:virus/0", "nwparser.payload", "from=%{p0}"); - - var part130 = match("MESSAGE#20:virus/1_0", "nwparser.p0", "\"%{from}\" to=%{p0}"); - - var part131 = match("MESSAGE#20:virus/1_1", "nwparser.p0", "%{from->} to=%{p0}"); - - var part132 = match("MESSAGE#20:virus/2_0", "nwparser.p0", "\"%{to}\" src=%{p0}"); - - var part133 = match("MESSAGE#20:virus/2_1", "nwparser.p0", "%{to->} src=%{p0}"); - - var part134 = match("MESSAGE#20:virus/3_0", "nwparser.p0", "\"%{saddr}\" session_id=%{p0}"); - - var part135 = match("MESSAGE#20:virus/3_1", "nwparser.p0", "%{saddr->} session_id=%{p0}"); - - var part136 = match("MESSAGE#23:statistics/0", "nwparser.payload", "session_id=%{p0}"); - - var part137 = match("MESSAGE#23:statistics/1_0", "nwparser.p0", "\"%{sessionid}\" from=%{p0}"); - - var part138 = match("MESSAGE#23:statistics/1_1", "nwparser.p0", "%{sessionid->} from=%{p0}"); - - var part139 = match("MESSAGE#23:statistics/2_0", "nwparser.p0", "\"%{from}\" mailer=%{p0}"); - - var part140 = match("MESSAGE#23:statistics/2_1", "nwparser.p0", "%{from->} mailer=%{p0}"); - - var part141 = match("MESSAGE#23:statistics/3_0", "nwparser.p0", "\"%{agent}\" client_name=\"%{p0}"); - - var part142 = match("MESSAGE#23:statistics/3_1", "nwparser.p0", "%{agent->} client_name=\"%{p0}"); - - var part143 = match("MESSAGE#23:statistics/4_0", "nwparser.p0", "%{fqdn->} [%{saddr}] (%{info})\"%{p0}"); - - var part144 = match("MESSAGE#23:statistics/4_1", "nwparser.p0", "%{fqdn->} [%{saddr}]\"%{p0}"); - - var part145 = match("MESSAGE#23:statistics/4_2", "nwparser.p0", 
"%{saddr}\"%{p0}"); - - var part146 = match("MESSAGE#23:statistics/6_0", "nwparser.p0", "\"%{context}\" to=%{p0}"); - - var part147 = match("MESSAGE#23:statistics/6_1", "nwparser.p0", "%{context->} to=%{p0}"); - - var part148 = match("MESSAGE#23:statistics/7_0", "nwparser.p0", "\"%{to}\" direction=%{p0}"); - - var part149 = match("MESSAGE#23:statistics/7_1", "nwparser.p0", "%{to->} direction=%{p0}"); - - var part150 = match("MESSAGE#23:statistics/8_0", "nwparser.p0", "\"%{direction}\" message_length=%{p0}"); - - var part151 = match("MESSAGE#23:statistics/8_1", "nwparser.p0", "%{direction->} message_length=%{p0}"); - - var part152 = match("MESSAGE#23:statistics/9", "nwparser.p0", "%{fld4->} virus=%{p0}"); - - var part153 = match("MESSAGE#23:statistics/10_0", "nwparser.p0", "\"%{virusname}\" disposition=%{p0}"); - - var part154 = match("MESSAGE#23:statistics/10_1", "nwparser.p0", "%{virusname->} disposition=%{p0}"); - - var part155 = match("MESSAGE#23:statistics/11_0", "nwparser.p0", "\"%{disposition}\" classifier=%{p0}"); - - var part156 = match("MESSAGE#23:statistics/11_1", "nwparser.p0", "%{disposition->} classifier=%{p0}"); - - var part157 = match("MESSAGE#23:statistics/12_0", "nwparser.p0", "\"%{filter}\" subject=%{p0}"); - - var part158 = match("MESSAGE#23:statistics/12_1", "nwparser.p0", "%{filter->} subject=%{p0}"); - - var part159 = match("MESSAGE#23:statistics/13_0", "nwparser.p0", "\"%{subject}\""); - - var part160 = match_copy("MESSAGE#23:statistics/13_1", "nwparser.p0", "subject"); - - var part161 = match("MESSAGE#24:statistics:01/5", "nwparser.p0", "%{}resolved=%{p0}"); - - var select43 = linear_select([ - dup3, - dup4, - ]); - - var select44 = linear_select([ - dup5, - dup6, - ]); - - var select45 = linear_select([ - dup19, - dup20, - ]); - - var select46 = linear_select([ - dup22, - dup23, - ]); - - var select47 = linear_select([ - dup3, - dup20, - ]); - - var select48 = linear_select([ - dup24, - dup25, - ]); - - var select49 = linear_select([ - 
dup27, - dup28, - ]); - - var select50 = linear_select([ - dup29, - dup30, - ]); - - var select51 = linear_select([ - dup36, - dup37, - ]); - - var select52 = linear_select([ - dup38, - dup39, - ]); - - var select53 = linear_select([ - dup40, - dup41, - ]); - - var select54 = linear_select([ - dup42, - dup43, - dup44, - ]); - - var select55 = linear_select([ - dup45, - dup46, - ]); - - var select56 = linear_select([ - dup47, - dup48, - ]); - - var select57 = linear_select([ - dup49, - dup50, - ]); - - var select58 = linear_select([ - dup52, - dup53, - ]); - - var select59 = linear_select([ - dup54, - dup55, - ]); - - var select60 = linear_select([ - dup56, - dup57, - ]); - - var select61 = linear_select([ - dup58, - dup59, - ]); - - var all28 = all_match({ - processors: [ - dup2, - dup63, - dup16, - dup64, - ], - on_success: processor_chain([ - dup17, - dup8, - dup9, - dup10, - dup11, - dup12, - dup13, - dup14, - dup15, - ]), - }); - -- community_id: -- registered_domain: - ignore_missing: true - ignore_failure: true - field: dns.question.name - target_field: dns.question.registered_domain - target_subdomain_field: dns.question.subdomain - target_etld_field: dns.question.top_level_domain -- registered_domain: - ignore_missing: true - ignore_failure: true - field: client.domain - target_field: client.registered_domain - target_subdomain_field: client.subdomain - target_etld_field: client.top_level_domain -- registered_domain: - ignore_missing: true - ignore_failure: true - field: server.domain - target_field: server.registered_domain - target_subdomain_field: server.subdomain - target_etld_field: server.top_level_domain -- registered_domain: - ignore_missing: true - ignore_failure: true - field: destination.domain - target_field: destination.registered_domain - target_subdomain_field: destination.subdomain - target_etld_field: destination.top_level_domain -- registered_domain: - ignore_missing: true - ignore_failure: true - field: source.domain - target_field: 
source.registered_domain - target_subdomain_field: source.subdomain - target_etld_field: source.top_level_domain -- registered_domain: - ignore_missing: true - ignore_failure: true - field: url.domain - target_field: url.registered_domain - target_subdomain_field: url.subdomain - target_etld_field: url.top_level_domain -- add_locale: ~ diff --git a/packages/fortinet_fortimail/1.1.2/data_stream/log/agent/stream/tcp.yml.hbs b/packages/fortinet_fortimail/1.1.2/data_stream/log/agent/stream/tcp.yml.hbs deleted file mode 100755 index cc108a4d8e..0000000000 --- a/packages/fortinet_fortimail/1.1.2/data_stream/log/agent/stream/tcp.yml.hbs +++ /dev/null 
@@ -1,4291 +0,0 @@ -tcp: -host: "{{tcp_host}}:{{tcp_port}}" -tags: -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#each tags as |tag i|}} - - {{tag}} -{{/each}} -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} -processors: -{{#if processors}} -{{processors}} -{{/if}} -- script: - lang: javascript - params: - ecs: true - rsa: {{rsa_fields}} - tz_offset: {{tz_offset}} - keep_raw: {{keep_raw_fields}} - debug: {{debug}} - source: | - // Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - // or more contributor license agreements. Licensed under the Elastic License; - // you may not use this file except in compliance with the Elastic License. - - /* jshint -W014,-W016,-W097,-W116 */ - - var processor = require("processor"); - var console = require("console"); - - var FLAG_FIELD = "log.flags"; - var FIELDS_OBJECT = "nwparser"; - var FIELDS_PREFIX = FIELDS_OBJECT + "."; - - var defaults = { - debug: false, - ecs: true, - rsa: false, - keep_raw: false, - tz_offset: "local", - strip_priority: true - }; - - var saved_flags = null; - var debug; - var map_ecs; - var map_rsa; - var keep_raw; - var device; - var tz_offset; - var strip_priority; - - // Register params from configuration. - function register(params) { - debug = params.debug !== undefined ? params.debug : defaults.debug; - map_ecs = params.ecs !== undefined ? params.ecs : defaults.ecs; - map_rsa = params.rsa !== undefined ? params.rsa : defaults.rsa; - keep_raw = params.keep_raw !== undefined ? params.keep_raw : defaults.keep_raw; - tz_offset = parse_tz_offset(params.tz_offset !== undefined? params.tz_offset : defaults.tz_offset); - strip_priority = params.strip_priority !== undefined? params.strip_priority : defaults.strip_priority; - device = new DeviceProcessor(); - } - - function parse_tz_offset(offset) { - var date; - var m; - switch(offset) { - // local uses the tz offset from the JS VM. 
- case "local": - date = new Date(); - // Reversing the sign as we the offset from UTC, not to UTC. - return parse_local_tz_offset(-date.getTimezoneOffset()); - // event uses the tz offset from event.timezone (add_locale processor). - case "event": - return offset; - // Otherwise a tz offset in the form "[+-][0-9]{4}" is required. - default: - m = offset.match(/^([+\-])([0-9]{2}):?([0-9]{2})?$/); - if (m === null || m.length !== 4) { - throw("bad timezone offset: '" + offset + "'. Must have the form +HH:MM"); - } - return m[1] + m[2] + ":" + (m[3]!==undefined? m[3] : "00"); - } - } - - function parse_local_tz_offset(minutes) { - var neg = minutes < 0; - minutes = Math.abs(minutes); - var min = minutes % 60; - var hours = Math.floor(minutes / 60); - var pad2digit = function(n) { - if (n < 10) { return "0" + n;} - return "" + n; - }; - return (neg? "-" : "+") + pad2digit(hours) + ":" + pad2digit(min); - } - - function process(evt) { - // Function register is only called by the processor when `params` are set - // in the processor config. - if (device === undefined) { - register(defaults); - } - return device.process(evt); - } - - function processor_chain(subprocessors) { - var builder = new processor.Chain(); - subprocessors.forEach(builder.Add); - return builder.Build().Run; - } - - function linear_select(subprocessors) { - return function (evt) { - var flags = evt.Get(FLAG_FIELD); - var i; - for (i = 0; i < subprocessors.length; i++) { - evt.Delete(FLAG_FIELD); - if (debug) console.warn("linear_select trying entry " + i); - subprocessors[i](evt); - // Dissect processor succeeded? 
- if (evt.Get(FLAG_FIELD) == null) break; - if (debug) console.warn("linear_select failed entry " + i); - } - if (flags !== null) { - evt.Put(FLAG_FIELD, flags); - } - if (debug) { - if (i < subprocessors.length) { - console.warn("linear_select matched entry " + i); - } else { - console.warn("linear_select didn't match"); - } - } - }; - } - - function conditional(opt) { - return function(evt) { - if (opt.if(evt)) { - opt.then(evt); - } else if (opt.else) { - opt.else(evt); - } - }; - } - - var strip_syslog_priority = (function() { - var isEnabled = function() { return strip_priority === true; }; - var fetchPRI = field("_pri"); - var fetchPayload = field("payload"); - var removePayload = remove(["payload"]); - var cleanup = remove(["_pri", "payload"]); - var onMatch = function(evt) { - var pri, priStr = fetchPRI(evt); - if (priStr != null - && 0 < priStr.length && priStr.length < 4 - && !isNaN((pri = Number(priStr))) - && 0 <= pri && pri < 192) { - var severity = pri & 7, - facility = pri >> 3; - setc("_severity", "" + severity)(evt); - setc("_facility", "" + facility)(evt); - // Replace message with priority stripped. - evt.Put("message", fetchPayload(evt)); - removePayload(evt); - } else { - // not a valid syslog PRI, cleanup. 
- cleanup(evt); - } - }; - return conditional({ - if: isEnabled, - then: cleanup_flags(match( - "STRIP_PRI", - "message", - "<%{_pri}>%{payload}", - onMatch - )) - }); - })(); - - function match(id, src, pattern, on_success) { - var dissect = new processor.Dissect({ - field: src, - tokenizer: pattern, - target_prefix: FIELDS_OBJECT, - ignore_failure: true, - overwrite_keys: true, - trim_values: "right" - }); - return function (evt) { - var msg = evt.Get(src); - dissect.Run(evt); - var failed = evt.Get(FLAG_FIELD) != null; - if (debug) { - if (failed) { - console.debug("dissect fail: " + id + " field:" + src); - } else { - console.debug("dissect OK: " + id + " field:" + src); - } - console.debug(" expr: <<" + pattern + ">>"); - console.debug(" input: <<" + msg + ">>"); - } - if (on_success != null && !failed) { - on_success(evt); - } - }; - } - - function match_copy(id, src, dst, on_success) { - dst = FIELDS_PREFIX + dst; - if (dst === FIELDS_PREFIX || dst === src) { - return function (evt) { - if (debug) { - console.debug("noop OK: " + id + " field:" + src); - console.debug(" input: <<" + evt.Get(src) + ">>"); - } - if (on_success != null) on_success(evt); - } - } - return function (evt) { - var msg = evt.Get(src); - evt.Put(dst, msg); - if (debug) { - console.debug("copy OK: " + id + " field:" + src); - console.debug(" target: '" + dst + "'"); - console.debug(" input: <<" + msg + ">>"); - } - if (on_success != null) on_success(evt); - } - } - - function cleanup_flags(processor) { - return function(evt) { - processor(evt); - evt.Delete(FLAG_FIELD); - }; - } - - function all_match(opts) { - return function (evt) { - var i; - for (i = 0; i < opts.processors.length; i++) { - evt.Delete(FLAG_FIELD); - opts.processors[i](evt); - // Dissect processor succeeded? 
- if (evt.Get(FLAG_FIELD) != null) { - if (debug) console.warn("all_match failure at " + i); - if (opts.on_failure != null) opts.on_failure(evt); - return; - } - if (debug) console.warn("all_match success at " + i); - } - if (opts.on_success != null) opts.on_success(evt); - }; - } - - function msgid_select(mapping) { - return function (evt) { - var msgid = evt.Get(FIELDS_PREFIX + "messageid"); - if (msgid == null) { - if (debug) console.warn("msgid_select: no messageid captured!"); - return; - } - var next = mapping[msgid]; - if (next === undefined) { - if (debug) console.warn("msgid_select: no mapping for messageid:" + msgid); - return; - } - if (debug) console.info("msgid_select: matched key=" + msgid); - return next(evt); - }; - } - - function msg(msg_id, match) { - return function (evt) { - match(evt); - if (evt.Get(FLAG_FIELD) == null) { - evt.Put(FIELDS_PREFIX + "msg_id1", msg_id); - } - }; - } - - var start; - - function save_flags(evt) { - saved_flags = evt.Get(FLAG_FIELD); - evt.Put("event.original", evt.Get("message")); - } - - function restore_flags(evt) { - if (saved_flags !== null) { - evt.Put(FLAG_FIELD, saved_flags); - } - evt.Delete("message"); - } - - function constant(value) { - return function (evt) { - return value; - }; - } - - function field(name) { - var fullname = FIELDS_PREFIX + name; - return function (evt) { - return evt.Get(fullname); - }; - } - - function STRCAT(args) { - var s = ""; - var i; - for (i = 0; i < args.length; i++) { - s += args[i]; - } - return s; - } - - // TODO: Implement - function DIRCHK(args) { - unimplemented("DIRCHK"); - } - - function strictToInt(str) { - return str * 1; - } - - function CALC(args) { - if (args.length !== 3) { - console.warn("skipped call to CALC with " + args.length + " arguments."); - return; - } - var a = strictToInt(args[0]); - var b = strictToInt(args[2]); - if (isNaN(a) || isNaN(b)) { - console.warn("failed evaluating CALC arguments a='" + args[0] + "' b='" + args[2] + "'."); - return; - } - 
var result; - switch (args[1]) { - case "+": - result = a + b; - break; - case "-": - result = a - b; - break; - case "*": - result = a * b; - break; - default: - // Only * and + seen in the parsers. - console.warn("unknown CALC operation '" + args[1] + "'."); - return; - } - // Always return a string - return result !== undefined ? "" + result : result; - } - - var quoteChars = "\"'`"; - function RMQ(args) { - if(args.length !== 1) { - console.warn("RMQ: only one argument expected"); - return; - } - var value = args[0].trim(); - var n = value.length; - var char; - return n > 1 - && (char=value.charAt(0)) === value.charAt(n-1) - && quoteChars.indexOf(char) !== -1? - value.substr(1, n-2) - : value; - } - - function call(opts) { - var args = new Array(opts.args.length); - return function (evt) { - for (var i = 0; i < opts.args.length; i++) - if ((args[i] = opts.args[i](evt)) == null) return; - var result = opts.fn(args); - if (result != null) { - evt.Put(opts.dest, result); - } - }; - } - - function nop(evt) { - } - - function appendErrorMsg(evt, msg) { - var value = evt.Get("error.message"); - if (value == null) { - value = [msg]; - } else if (msg instanceof Array) { - value.push(msg); - } else { - value = [value, msg]; - } - evt.Put("error.message", value); - } - - function unimplemented(name) { - appendErrorMsg("unimplemented feature: " + name); - } - - function lookup(opts) { - return function (evt) { - var key = opts.key(evt); - if (key == null) return; - var value = opts.map.keyvaluepairs[key]; - if (value === undefined) { - value = opts.map.default; - } - if (value !== undefined) { - evt.Put(opts.dest, value(evt)); - } - }; - } - - function set(fields) { - return new processor.AddFields({ - target: FIELDS_OBJECT, - fields: fields, - }); - } - - function setf(dst, src) { - return function (evt) { - var val = evt.Get(FIELDS_PREFIX + src); - if (val != null) evt.Put(FIELDS_PREFIX + dst, val); - }; - } - - function setc(dst, value) { - return function (evt) { - 
evt.Put(FIELDS_PREFIX + dst, value); - }; - } - - function set_field(opts) { - return function (evt) { - var val = opts.value(evt); - if (val != null) evt.Put(opts.dest, val); - }; - } - - function dump(label) { - return function (evt) { - console.log("Dump of event at " + label + ": " + JSON.stringify(evt, null, "\t")); - }; - } - - function date_time_join_args(evt, arglist) { - var str = ""; - for (var i = 0; i < arglist.length; i++) { - var fname = FIELDS_PREFIX + arglist[i]; - var val = evt.Get(fname); - if (val != null) { - if (str !== "") str += " "; - str += val; - } else { - if (debug) console.warn("in date_time: input arg " + fname + " is not set"); - } - } - return str; - } - - function to2Digit(num) { - return num? (num < 10? "0" + num : num) : "00"; - } - - // Make two-digit dates 00-69 interpreted as 2000-2069 - // and dates 70-99 translated to 1970-1999. - var twoDigitYearEpoch = 70; - var twoDigitYearCentury = 2000; - - // This is to accept dates up to 2 days in the future, only used when - // no year is specified in a date. 2 days should be enough to account for - // time differences between systems and different tz offsets. - var maxFutureDelta = 2*24*60*60*1000; - - // DateContainer stores date fields and then converts those fields into - // a Date. Necessary because building a Date using its set() methods gives - // different results depending on the order of components. - function DateContainer(tzOffset) { - this.offset = tzOffset === undefined? "Z" : tzOffset; - } - - DateContainer.prototype = { - setYear: function(v) {this.year = v;}, - setMonth: function(v) {this.month = v;}, - setDay: function(v) {this.day = v;}, - setHours: function(v) {this.hours = v;}, - setMinutes: function(v) {this.minutes = v;}, - setSeconds: function(v) {this.seconds = v;}, - - setUNIX: function(v) {this.unix = v;}, - - set2DigitYear: function(v) { - this.year = v < twoDigitYearEpoch? 
twoDigitYearCentury + v : twoDigitYearCentury + v - 100; - }, - - toDate: function() { - if (this.unix !== undefined) { - return new Date(this.unix * 1000); - } - if (this.day === undefined || this.month === undefined) { - // Can't make a date from this. - return undefined; - } - if (this.year === undefined) { - // A date without a year. Set current year, or previous year - // if date would be in the future. - var now = new Date(); - this.year = now.getFullYear(); - var date = this.toDate(); - if (date.getTime() - now.getTime() > maxFutureDelta) { - date.setFullYear(now.getFullYear() - 1); - } - return date; - } - var MM = to2Digit(this.month); - var DD = to2Digit(this.day); - var hh = to2Digit(this.hours); - var mm = to2Digit(this.minutes); - var ss = to2Digit(this.seconds); - return new Date(this.year + "-" + MM + "-" + DD + "T" + hh + ":" + mm + ":" + ss + this.offset); - } - } - - function date_time_try_pattern(fmt, str, tzOffset) { - var date = new DateContainer(tzOffset); - var pos = date_time_try_pattern_at_pos(fmt, str, 0, date); - return pos !== undefined? 
date.toDate() : undefined; - } - - function date_time_try_pattern_at_pos(fmt, str, pos, date) { - var len = str.length; - for (var proc = 0; pos !== undefined && pos < len && proc < fmt.length; proc++) { - pos = fmt[proc](str, pos, date); - } - return pos; - } - - function date_time(opts) { - return function (evt) { - var tzOffset = opts.tz || tz_offset; - if (tzOffset === "event") { - tzOffset = evt.Get("event.timezone"); - } - var str = date_time_join_args(evt, opts.args); - for (var i = 0; i < opts.fmts.length; i++) { - var date = date_time_try_pattern(opts.fmts[i], str, tzOffset); - if (date !== undefined) { - evt.Put(FIELDS_PREFIX + opts.dest, date); - return; - } - } - if (debug) console.warn("in date_time: id=" + opts.id + " FAILED: " + str); - }; - } - - var uA = 60 * 60 * 24; - var uD = 60 * 60 * 24; - var uF = 60 * 60; - var uG = 60 * 60 * 24 * 30; - var uH = 60 * 60; - var uI = 60 * 60; - var uJ = 60 * 60 * 24; - var uM = 60 * 60 * 24 * 30; - var uN = 60 * 60; - var uO = 1; - var uS = 1; - var uT = 60; - var uU = 60; - var uc = dc; - - function duration(opts) { - return function(evt) { - var str = date_time_join_args(evt, opts.args); - for (var i = 0; i < opts.fmts.length; i++) { - var seconds = duration_try_pattern(opts.fmts[i], str); - if (seconds !== undefined) { - evt.Put(FIELDS_PREFIX + opts.dest, seconds); - return; - } - } - if (debug) console.warn("in duration: id=" + opts.id + " (s) FAILED: " + str); - }; - } - - function duration_try_pattern(fmt, str) { - var secs = 0; - var pos = 0; - for (var i=0; i [ month_id , how many chars to skip if month in long form ] - "Jan": [0, 4], - "Feb": [1, 5], - "Mar": [2, 2], - "Apr": [3, 2], - "May": [4, 0], - "Jun": [5, 1], - "Jul": [6, 1], - "Aug": [7, 3], - "Sep": [8, 6], - "Oct": [9, 4], - "Nov": [10, 5], - "Dec": [11, 4], - "jan": [0, 4], - "feb": [1, 5], - "mar": [2, 2], - "apr": [3, 2], - "may": [4, 0], - "jun": [5, 1], - "jul": [6, 1], - "aug": [7, 3], - "sep": [8, 6], - "oct": [9, 4], - "nov": [10, 
5], - "dec": [11, 4], - }; - - // var dC = undefined; - var dR = dateMonthName(true); - var dB = dateMonthName(false); - var dM = dateFixedWidthNumber("M", 2, 1, 12, DateContainer.prototype.setMonth); - var dG = dateVariableWidthNumber("G", 1, 12, DateContainer.prototype.setMonth); - var dD = dateFixedWidthNumber("D", 2, 1, 31, DateContainer.prototype.setDay); - var dF = dateVariableWidthNumber("F", 1, 31, DateContainer.prototype.setDay); - var dH = dateFixedWidthNumber("H", 2, 0, 24, DateContainer.prototype.setHours); - var dI = dateVariableWidthNumber("I", 0, 24, DateContainer.prototype.setHours); // Accept hours >12 - var dN = dateVariableWidthNumber("N", 0, 24, DateContainer.prototype.setHours); - var dT = dateFixedWidthNumber("T", 2, 0, 59, DateContainer.prototype.setMinutes); - var dU = dateVariableWidthNumber("U", 0, 59, DateContainer.prototype.setMinutes); - var dP = parseAMPM; // AM|PM - var dQ = parseAMPM; // A.M.|P.M - var dS = dateFixedWidthNumber("S", 2, 0, 60, DateContainer.prototype.setSeconds); - var dO = dateVariableWidthNumber("O", 0, 60, DateContainer.prototype.setSeconds); - var dY = dateFixedWidthNumber("Y", 2, 0, 99, DateContainer.prototype.set2DigitYear); - var dW = dateFixedWidthNumber("W", 4, 1000, 9999, DateContainer.prototype.setYear); - var dZ = parseHMS; - var dX = dateVariableWidthNumber("X", 0, 0x10000000000, DateContainer.prototype.setUNIX); - - // parseAMPM parses "A.M", "AM", "P.M", "PM" from logs. - // Only works if this modifier appears after the hour has been read from logs - // which is always the case in the 300 devices. 
- function parseAMPM(str, pos, date) { - var n = str.length; - var start = skipws(str, pos); - if (start + 2 > n) return; - var head = str.substr(start, 2).toUpperCase(); - var isPM = false; - var skip = false; - switch (head) { - case "A.": - skip = true; - /* falls through */ - case "AM": - break; - case "P.": - skip = true; - /* falls through */ - case "PM": - isPM = true; - break; - default: - if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(head:" + head + ")"); - return; - } - pos = start + 2; - if (skip) { - if (pos+2 > n || str.substr(pos, 2).toUpperCase() !== "M.") { - if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(tail)"); - return; - } - pos += 2; - } - var hh = date.hours; - if (isPM) { - // Accept existing hour in 24h format. - if (hh < 12) hh += 12; - } else { - if (hh === 12) hh = 0; - } - date.setHours(hh); - return pos; - } - - function parseHMS(str, pos, date) { - return date_time_try_pattern_at_pos([dN, dc(":"), dU, dc(":"), dO], str, pos, date); - } - - function skipws(str, pos) { - for ( var n = str.length; - pos < n && str.charAt(pos) === " "; - pos++) - ; - return pos; - } - - function skipdigits(str, pos) { - var c; - for (var n = str.length; - pos < n && (c = str.charAt(pos)) >= "0" && c <= "9"; - pos++) - ; - return pos; - } - - function dSkip(str, pos, date) { - var chr; - for (;pos < str.length && (chr=str[pos])<'0' || chr>'9'; pos++) {} - return pos < str.length? 
pos : undefined; - } - - function dateVariableWidthNumber(fmtChar, min, max, setter) { - return function (str, pos, date) { - var start = skipws(str, pos); - pos = skipdigits(str, start); - var s = str.substr(start, pos - start); - var value = parseInt(s, 10); - if (value >= min && value <= max) { - setter.call(date, value); - return pos; - } - return; - }; - } - - function dateFixedWidthNumber(fmtChar, width, min, max, setter) { - return function (str, pos, date) { - pos = skipws(str, pos); - var n = str.length; - if (pos + width > n) return; - var s = str.substr(pos, width); - var value = parseInt(s, 10); - if (value >= min && value <= max) { - setter.call(date, value); - return pos + width; - } - return; - }; - } - - // Short month name (Jan..Dec). - function dateMonthName(long) { - return function (str, pos, date) { - pos = skipws(str, pos); - var n = str.length; - if (pos + 3 > n) return; - var mon = str.substr(pos, 3); - var idx = shortMonths[mon]; - if (idx === undefined) { - idx = shortMonths[mon.toLowerCase()]; - } - if (idx === undefined) { - //console.warn("parsing date_time: '" + mon + "' is not a valid short month (%B)"); - return; - } - date.setMonth(idx[0]+1); - return pos + 3 + (long ? 
idx[1] : 0); - }; - } - - function url_wrapper(dst, src, fn) { - return function(evt) { - var value = evt.Get(FIELDS_PREFIX + src), result; - if (value != null && (result = fn(value))!== undefined) { - evt.Put(FIELDS_PREFIX + dst, result); - } else { - console.debug(fn.name + " failed for '" + value + "'"); - } - }; - } - - // The following regular expression for parsing URLs from: - // https://github.com/wizard04wsu/URI_Parsing - // - // The MIT License (MIT) - // - // Copyright (c) 2014 Andrew Harrison - // - // Permission is hereby granted, free of charge, to any person obtaining a copy of - // this software and associated documentation files (the "Software"), to deal in - // the Software without restriction, including without limitation the rights to - // use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of - // the Software, and to permit persons to whom the Software is furnished to do so, - // subject to the following conditions: - // - // The above copyright notice and this permission notice shall be included in all - // copies or substantial portions of the Software. - // - // THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR - // IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS - // FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR - // COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER - // IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN - // CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 
- var uriRegExp = /^([a-z][a-z0-9+.\-]*):(?:\/\/((?:(?=((?:[a-z0-9\-._~!$&'()*+,;=:]|%[0-9A-F]{2})*))(\3)@)?(?=(\[[0-9A-F:.]{2,}\]|(?:[a-z0-9\-._~!$&'()*+,;=]|%[0-9A-F]{2})*))\5(?::(?=(\d*))\6)?)(\/(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\8)?|(\/?(?!\/)(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\10)?)(?:\?(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\11)?(?:#(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\12)?$/i; - - var uriScheme = 1; - var uriDomain = 5; - var uriPort = 6; - var uriPath = 7; - var uriPathAlt = 9; - var uriQuery = 11; - - function domain(dst, src) { - return url_wrapper(dst, src, extract_domain); - } - - function split_url(value) { - var m = value.match(uriRegExp); - if (m && m[uriDomain]) return m; - // Support input in the form "www.example.net/path", but not "/path". - m = ("null://" + value).match(uriRegExp); - if (m) return m; - } - - function extract_domain(value) { - var m = split_url(value); - if (m && m[uriDomain]) return m[uriDomain]; - } - - var extFromPage = /\.[^.]+$/; - function extract_ext(value) { - var page = extract_page(value); - if (page) { - var m = page.match(extFromPage); - if (m) return m[0]; - } - } - - function ext(dst, src) { - return url_wrapper(dst, src, extract_ext); - } - - function fqdn(dst, src) { - // TODO: fqdn and domain(eTLD+1) are currently the same. - return domain(dst, src); - } - - var pageFromPathRegExp = /\/([^\/]+)$/; - var pageName = 1; - - function extract_page(value) { - value = extract_path(value); - if (!value) return undefined; - var m = value.match(pageFromPathRegExp); - if (m) return m[pageName]; - } - - function page(dst, src) { - return url_wrapper(dst, src, extract_page); - } - - function extract_path(value) { - var m = split_url(value); - return m? m[uriPath] || m[uriPathAlt] : undefined; - } - - function path(dst, src) { - return url_wrapper(dst, src, extract_path); - } - - // Map common schemes to their default port. 
- // port has to be a string (will be converted at a later stage). - var schemePort = { - "ftp": "21", - "ssh": "22", - "http": "80", - "https": "443", - }; - - function extract_port(value) { - var m = split_url(value); - if (!m) return undefined; - if (m[uriPort]) return m[uriPort]; - if (m[uriScheme]) { - return schemePort[m[uriScheme]]; - } - } - - function port(dst, src) { - return url_wrapper(dst, src, extract_port); - } - - function extract_query(value) { - var m = split_url(value); - if (m && m[uriQuery]) return m[uriQuery]; - } - - function query(dst, src) { - return url_wrapper(dst, src, extract_query); - } - - function extract_root(value) { - var m = split_url(value); - if (m && m[uriDomain] && m[uriDomain]) { - var scheme = m[uriScheme] && m[uriScheme] !== "null"? - m[uriScheme] + "://" : ""; - var port = m[uriPort]? ":" + m[uriPort] : ""; - return scheme + m[uriDomain] + port; - } - } - - function root(dst, src) { - return url_wrapper(dst, src, extract_root); - } - - function tagval(id, src, cfg, keys, on_success) { - var fail = function(evt) { - evt.Put(FLAG_FIELD, "tagval_parsing_error"); - } - if (cfg.kv_separator.length !== 1) { - throw("Invalid TAGVALMAP ValueDelimiter (must have 1 character)"); - } - var quotes_len = cfg.open_quote.length > 0 && cfg.close_quote.length > 0? 
- cfg.open_quote.length + cfg.close_quote.length : 0; - var kv_regex = new RegExp('^([^' + cfg.kv_separator + ']*)*' + cfg.kv_separator + ' *(.*)*$'); - return function(evt) { - var msg = evt.Get(src); - if (msg === undefined) { - console.warn("tagval: input field is missing"); - return fail(evt); - } - var pairs = msg.split(cfg.pair_separator); - var i; - var success = false; - var prev = ""; - for (i=0; i 0 && - value.length >= cfg.open_quote.length + cfg.close_quote.length && - value.substr(0, cfg.open_quote.length) === cfg.open_quote && - value.substr(value.length - cfg.close_quote.length) === cfg.close_quote) { - value = value.substr(cfg.open_quote.length, value.length - quotes_len); - } - evt.Put(FIELDS_PREFIX + field, value); - success = true; - } - if (!success) { - return fail(evt); - } - if (on_success != null) { - on_success(evt); - } - } - } - - var ecs_mappings = { - "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]}, - "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]}, - "_severity": {convert: to_long, to:[{field: "log.syslog.severity.code", setter: fld_set}]}, - "action": {to:[{field: "event.action", setter: fld_prio, prio: 0}]}, - "administrator": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 4}]}, - "alias.ip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 3},{field: "related.ip", setter: fld_append}]}, - "alias.ipv6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 4},{field: "related.ip", setter: fld_append}]}, - "alias.mac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 1}]}, - "application": {to:[{field: "network.application", setter: fld_set}]}, - "bytes": {convert: to_long, to:[{field: "network.bytes", setter: fld_set}]}, - "c_domain": {to:[{field: "source.domain", setter: fld_prio, prio: 1}]}, - "c_logon_id": {to:[{field: "user.id", setter: fld_prio, prio: 2}]}, - 
"c_user_name": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 8}]}, - "c_username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 2}]}, - "cctld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 1}]}, - "child_pid": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 1}]}, - "child_pid_val": {to:[{field: "process.title", setter: fld_set}]}, - "child_process": {to:[{field: "process.name", setter: fld_prio, prio: 1}]}, - "city.dst": {to:[{field: "destination.geo.city_name", setter: fld_set}]}, - "city.src": {to:[{field: "source.geo.city_name", setter: fld_set}]}, - "daddr": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, - "daddr_v6": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, - "ddomain": {to:[{field: "destination.domain", setter: fld_prio, prio: 0}]}, - "devicehostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, - "devicehostmac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 0}]}, - "dhost": {to:[{field: "destination.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]}, - "dinterface": {to:[{field: "observer.egress.interface.name", setter: fld_set}]}, - "direction": {to:[{field: "network.direction", setter: fld_set}]}, - "directory": {to:[{field: "file.directory", setter: fld_set}]}, - "dmacaddr": {convert: to_mac, to:[{field: "destination.mac", setter: fld_set}]}, - "dns.responsetype": {to:[{field: "dns.answers.type", setter: fld_set}]}, - "dns.resptext": {to:[{field: "dns.answers.name", setter: fld_set}]}, - "dns_querytype": {to:[{field: "dns.question.type", setter: fld_set}]}, - "domain": {to:[{field: "server.domain", setter: fld_prio, prio: 0},{field: "related.hosts", setter: fld_append}]}, - 
"domain.dst": {to:[{field: "destination.domain", setter: fld_prio, prio: 1}]}, - "domain.src": {to:[{field: "source.domain", setter: fld_prio, prio: 2}]}, - "domain_id": {to:[{field: "user.domain", setter: fld_set}]}, - "domainname": {to:[{field: "server.domain", setter: fld_prio, prio: 1}]}, - "dport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 0}]}, - "dtransaddr": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, - "dtransport": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 0}]}, - "ec_outcome": {to:[{field: "event.outcome", setter: fld_ecs_outcome}]}, - "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]}, - "event_source": {to:[{field: "related.hosts", setter: fld_append}]}, - "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]}, - "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]}, - "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]}, - "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]}, - "filename": {to:[{field: "file.name", setter: fld_prio, prio: 0}]}, - "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]}, - "filepath": {to:[{field: "file.path", setter: fld_set}]}, - "filetype": {to:[{field: "file.type", setter: fld_set}]}, - "fqdn": {to:[{field: "related.hosts", setter: fld_append}]}, - "group": {to:[{field: "group.name", setter: fld_set}]}, - "groupid": {to:[{field: "group.id", setter: fld_set}]}, - "host": {to:[{field: "host.name", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]}, - "hostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, - "hostip_v6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, - "hostname": {to:[{field: 
"host.name", setter: fld_prio, prio: 0}]}, - "id": {to:[{field: "event.code", setter: fld_prio, prio: 0}]}, - "interface": {to:[{field: "network.interface.name", setter: fld_set}]}, - "ip.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, - "ip.trans.dst": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, - "ip.trans.src": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, - "ipv6.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, - "latdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lat", setter: fld_set}]}, - "latdec_src": {convert: to_double, to:[{field: "source.geo.location.lat", setter: fld_set}]}, - "location_city": {to:[{field: "geo.city_name", setter: fld_set}]}, - "location_country": {to:[{field: "geo.country_name", setter: fld_set}]}, - "location_desc": {to:[{field: "geo.name", setter: fld_set}]}, - "location_dst": {to:[{field: "destination.geo.country_name", setter: fld_set}]}, - "location_src": {to:[{field: "source.geo.country_name", setter: fld_set}]}, - "location_state": {to:[{field: "geo.region_name", setter: fld_set}]}, - "logon_id": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 5}]}, - "longdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lon", setter: fld_set}]}, - "longdec_src": {convert: to_double, to:[{field: "source.geo.location.lon", setter: fld_set}]}, - "macaddr": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 2}]}, - "messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]}, - "method": {to:[{field: "http.request.method", setter: fld_set}]}, - "msg": {to:[{field: "message", setter: fld_set}]}, - "orig_ip": {convert: to_ip, 
to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, - "owner": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 6}]}, - "packets": {convert: to_long, to:[{field: "network.packets", setter: fld_set}]}, - "parent_pid": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 0}]}, - "parent_pid_val": {to:[{field: "process.parent.title", setter: fld_set}]}, - "parent_process": {to:[{field: "process.parent.name", setter: fld_prio, prio: 0}]}, - "patient_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 1}]}, - "port.dst": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 1}]}, - "port.src": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 1}]}, - "port.trans.dst": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 1}]}, - "port.trans.src": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 1}]}, - "process": {to:[{field: "process.name", setter: fld_prio, prio: 0}]}, - "process_id": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 0}]}, - "process_id_src": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 1}]}, - "process_src": {to:[{field: "process.parent.name", setter: fld_prio, prio: 1}]}, - "product": {to:[{field: "observer.product", setter: fld_set}]}, - "protocol": {to:[{field: "network.protocol", setter: fld_set}]}, - "query": {to:[{field: "url.query", setter: fld_prio, prio: 2}]}, - "rbytes": {convert: to_long, to:[{field: "destination.bytes", setter: fld_set}]}, - "referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 1}]}, - "rulename": {to:[{field: "rule.name", setter: fld_set}]}, - "saddr": {convert: to_ip, to:[{field: "source.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, - "saddr_v6": {convert: to_ip, to:[{field: "source.ip", setter: 
fld_set},{field: "related.ip", setter: fld_append}]}, - "sbytes": {convert: to_long, to:[{field: "source.bytes", setter: fld_set}]}, - "sdomain": {to:[{field: "source.domain", setter: fld_prio, prio: 0}]}, - "service": {to:[{field: "service.name", setter: fld_prio, prio: 1}]}, - "service.name": {to:[{field: "service.name", setter: fld_prio, prio: 0}]}, - "service_account": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 7}]}, - "severity": {to:[{field: "log.level", setter: fld_set}]}, - "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]}, - "sinterface": {to:[{field: "observer.ingress.interface.name", setter: fld_set}]}, - "sld": {to:[{field: "url.registered_domain", setter: fld_set}]}, - "smacaddr": {convert: to_mac, to:[{field: "source.mac", setter: fld_set}]}, - "sport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 0}]}, - "stransaddr": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, - "stransport": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 0}]}, - "tcp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 2}]}, - "tcp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 2}]}, - "timezone": {to:[{field: "event.timezone", setter: fld_set}]}, - "tld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 0}]}, - "udp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 3}]}, - "udp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 3}]}, - "uid": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 3}]}, - "url": {to:[{field: "url.original", setter: fld_prio, prio: 1}]}, - "url_raw": {to:[{field: "url.original", setter: fld_prio, prio: 
0}]}, - "urldomain": {to:[{field: "url.domain", setter: fld_prio, prio: 0}]}, - "urlquery": {to:[{field: "url.query", setter: fld_prio, prio: 0}]}, - "user": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 0}]}, - "user.id": {to:[{field: "user.id", setter: fld_prio, prio: 1}]}, - "user_agent": {to:[{field: "user_agent.original", setter: fld_set}]}, - "user_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 0}]}, - "user_id": {to:[{field: "user.id", setter: fld_prio, prio: 0}]}, - "username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 1}]}, - "version": {to:[{field: "observer.version", setter: fld_set}]}, - "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]}, - "web_extension": {to:[{field: "file.extension", setter: fld_prio, prio: 0}]}, - "web_query": {to:[{field: "url.query", setter: fld_prio, prio: 1}]}, - "web_ref_domain": {to:[{field: "related.hosts", setter: fld_append}]}, - "web_referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 0}]}, - "web_root": {to:[{field: "url.path", setter: fld_set}]}, - "webpage": {to:[{field: "file.name", setter: fld_prio, prio: 1}]}, - }; - - var rsa_mappings = { - "access_point": {to:[{field: "rsa.wireless.access_point", setter: fld_set}]}, - "accesses": {to:[{field: "rsa.identity.accesses", setter: fld_set}]}, - "acl_id": {to:[{field: "rsa.misc.acl_id", setter: fld_set}]}, - "acl_op": {to:[{field: "rsa.misc.acl_op", setter: fld_set}]}, - "acl_pos": {to:[{field: "rsa.misc.acl_pos", setter: fld_set}]}, - "acl_table": {to:[{field: "rsa.misc.acl_table", setter: fld_set}]}, - "action": {to:[{field: "rsa.misc.action", setter: fld_append}]}, - "ad_computer_dst": {to:[{field: "rsa.network.ad_computer_dst", setter: fld_set}]}, - "addr": {to:[{field: "rsa.network.addr", setter: fld_set}]}, - "admin": {to:[{field: "rsa.misc.admin", setter: 
fld_set}]}, - "agent": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 0}]}, - "agent.id": {to:[{field: "rsa.misc.agent_id", setter: fld_set}]}, - "alarm_id": {to:[{field: "rsa.misc.alarm_id", setter: fld_set}]}, - "alarmname": {to:[{field: "rsa.misc.alarmname", setter: fld_set}]}, - "alert": {to:[{field: "rsa.threat.alert", setter: fld_set}]}, - "alert_id": {to:[{field: "rsa.misc.alert_id", setter: fld_set}]}, - "alias.host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "analysis.file": {to:[{field: "rsa.investigations.analysis_file", setter: fld_set}]}, - "analysis.service": {to:[{field: "rsa.investigations.analysis_service", setter: fld_set}]}, - "analysis.session": {to:[{field: "rsa.investigations.analysis_session", setter: fld_set}]}, - "app_id": {to:[{field: "rsa.misc.app_id", setter: fld_set}]}, - "attachment": {to:[{field: "rsa.file.attachment", setter: fld_set}]}, - "audit": {to:[{field: "rsa.misc.audit", setter: fld_set}]}, - "audit_class": {to:[{field: "rsa.internal.audit_class", setter: fld_set}]}, - "audit_object": {to:[{field: "rsa.misc.audit_object", setter: fld_set}]}, - "auditdata": {to:[{field: "rsa.misc.auditdata", setter: fld_set}]}, - "authmethod": {to:[{field: "rsa.identity.auth_method", setter: fld_set}]}, - "autorun_type": {to:[{field: "rsa.misc.autorun_type", setter: fld_set}]}, - "bcc": {to:[{field: "rsa.email.email", setter: fld_append}]}, - "benchmark": {to:[{field: "rsa.misc.benchmark", setter: fld_set}]}, - "binary": {to:[{field: "rsa.file.binary", setter: fld_set}]}, - "boc": {to:[{field: "rsa.investigations.boc", setter: fld_set}]}, - "bssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 1}]}, - "bypass": {to:[{field: "rsa.misc.bypass", setter: fld_set}]}, - "c_sid": {to:[{field: "rsa.identity.user_sid_src", setter: fld_set}]}, - "cache": {to:[{field: "rsa.misc.cache", setter: fld_set}]}, - "cache_hit": {to:[{field: "rsa.misc.cache_hit", setter: fld_set}]}, - "calling_from": {to:[{field: 
"rsa.misc.phone", setter: fld_prio, prio: 1}]}, - "calling_to": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 0}]}, - "category": {to:[{field: "rsa.misc.category", setter: fld_set}]}, - "cc": {to:[{field: "rsa.email.email", setter: fld_append}]}, - "cc.number": {convert: to_long, to:[{field: "rsa.misc.cc_number", setter: fld_set}]}, - "cefversion": {to:[{field: "rsa.misc.cefversion", setter: fld_set}]}, - "cert.serial": {to:[{field: "rsa.crypto.cert_serial", setter: fld_set}]}, - "cert_ca": {to:[{field: "rsa.crypto.cert_ca", setter: fld_set}]}, - "cert_checksum": {to:[{field: "rsa.crypto.cert_checksum", setter: fld_set}]}, - "cert_common": {to:[{field: "rsa.crypto.cert_common", setter: fld_set}]}, - "cert_error": {to:[{field: "rsa.crypto.cert_error", setter: fld_set}]}, - "cert_hostname": {to:[{field: "rsa.crypto.cert_host_name", setter: fld_set}]}, - "cert_hostname_cat": {to:[{field: "rsa.crypto.cert_host_cat", setter: fld_set}]}, - "cert_issuer": {to:[{field: "rsa.crypto.cert_issuer", setter: fld_set}]}, - "cert_keysize": {to:[{field: "rsa.crypto.cert_keysize", setter: fld_set}]}, - "cert_status": {to:[{field: "rsa.crypto.cert_status", setter: fld_set}]}, - "cert_subject": {to:[{field: "rsa.crypto.cert_subject", setter: fld_set}]}, - "cert_username": {to:[{field: "rsa.crypto.cert_username", setter: fld_set}]}, - "cfg.attr": {to:[{field: "rsa.misc.cfg_attr", setter: fld_set}]}, - "cfg.obj": {to:[{field: "rsa.misc.cfg_obj", setter: fld_set}]}, - "cfg.path": {to:[{field: "rsa.misc.cfg_path", setter: fld_set}]}, - "change_attribute": {to:[{field: "rsa.misc.change_attrib", setter: fld_set}]}, - "change_new": {to:[{field: "rsa.misc.change_new", setter: fld_set}]}, - "change_old": {to:[{field: "rsa.misc.change_old", setter: fld_set}]}, - "changes": {to:[{field: "rsa.misc.changes", setter: fld_set}]}, - "checksum": {to:[{field: "rsa.misc.checksum", setter: fld_set}]}, - "checksum.dst": {to:[{field: "rsa.misc.checksum_dst", setter: fld_set}]}, - "checksum.src": 
{to:[{field: "rsa.misc.checksum_src", setter: fld_set}]}, - "cid": {to:[{field: "rsa.internal.cid", setter: fld_set}]}, - "client": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 1}]}, - "client_ip": {to:[{field: "rsa.misc.client_ip", setter: fld_set}]}, - "clustermembers": {to:[{field: "rsa.misc.clustermembers", setter: fld_set}]}, - "cmd": {to:[{field: "rsa.misc.cmd", setter: fld_set}]}, - "cn_acttimeout": {to:[{field: "rsa.misc.cn_acttimeout", setter: fld_set}]}, - "cn_asn_dst": {to:[{field: "rsa.web.cn_asn_dst", setter: fld_set}]}, - "cn_asn_src": {to:[{field: "rsa.misc.cn_asn_src", setter: fld_set}]}, - "cn_bgpv4nxthop": {to:[{field: "rsa.misc.cn_bgpv4nxthop", setter: fld_set}]}, - "cn_ctr_dst_code": {to:[{field: "rsa.misc.cn_ctr_dst_code", setter: fld_set}]}, - "cn_dst_tos": {to:[{field: "rsa.misc.cn_dst_tos", setter: fld_set}]}, - "cn_dst_vlan": {to:[{field: "rsa.misc.cn_dst_vlan", setter: fld_set}]}, - "cn_engine_id": {to:[{field: "rsa.misc.cn_engine_id", setter: fld_set}]}, - "cn_engine_type": {to:[{field: "rsa.misc.cn_engine_type", setter: fld_set}]}, - "cn_f_switch": {to:[{field: "rsa.misc.cn_f_switch", setter: fld_set}]}, - "cn_flowsampid": {to:[{field: "rsa.misc.cn_flowsampid", setter: fld_set}]}, - "cn_flowsampintv": {to:[{field: "rsa.misc.cn_flowsampintv", setter: fld_set}]}, - "cn_flowsampmode": {to:[{field: "rsa.misc.cn_flowsampmode", setter: fld_set}]}, - "cn_inacttimeout": {to:[{field: "rsa.misc.cn_inacttimeout", setter: fld_set}]}, - "cn_inpermbyts": {to:[{field: "rsa.misc.cn_inpermbyts", setter: fld_set}]}, - "cn_inpermpckts": {to:[{field: "rsa.misc.cn_inpermpckts", setter: fld_set}]}, - "cn_invalid": {to:[{field: "rsa.misc.cn_invalid", setter: fld_set}]}, - "cn_ip_proto_ver": {to:[{field: "rsa.misc.cn_ip_proto_ver", setter: fld_set}]}, - "cn_ipv4_ident": {to:[{field: "rsa.misc.cn_ipv4_ident", setter: fld_set}]}, - "cn_l_switch": {to:[{field: "rsa.misc.cn_l_switch", setter: fld_set}]}, - "cn_log_did": {to:[{field: 
"rsa.misc.cn_log_did", setter: fld_set}]}, - "cn_log_rid": {to:[{field: "rsa.misc.cn_log_rid", setter: fld_set}]}, - "cn_max_ttl": {to:[{field: "rsa.misc.cn_max_ttl", setter: fld_set}]}, - "cn_maxpcktlen": {to:[{field: "rsa.misc.cn_maxpcktlen", setter: fld_set}]}, - "cn_min_ttl": {to:[{field: "rsa.misc.cn_min_ttl", setter: fld_set}]}, - "cn_minpcktlen": {to:[{field: "rsa.misc.cn_minpcktlen", setter: fld_set}]}, - "cn_mpls_lbl_1": {to:[{field: "rsa.misc.cn_mpls_lbl_1", setter: fld_set}]}, - "cn_mpls_lbl_10": {to:[{field: "rsa.misc.cn_mpls_lbl_10", setter: fld_set}]}, - "cn_mpls_lbl_2": {to:[{field: "rsa.misc.cn_mpls_lbl_2", setter: fld_set}]}, - "cn_mpls_lbl_3": {to:[{field: "rsa.misc.cn_mpls_lbl_3", setter: fld_set}]}, - "cn_mpls_lbl_4": {to:[{field: "rsa.misc.cn_mpls_lbl_4", setter: fld_set}]}, - "cn_mpls_lbl_5": {to:[{field: "rsa.misc.cn_mpls_lbl_5", setter: fld_set}]}, - "cn_mpls_lbl_6": {to:[{field: "rsa.misc.cn_mpls_lbl_6", setter: fld_set}]}, - "cn_mpls_lbl_7": {to:[{field: "rsa.misc.cn_mpls_lbl_7", setter: fld_set}]}, - "cn_mpls_lbl_8": {to:[{field: "rsa.misc.cn_mpls_lbl_8", setter: fld_set}]}, - "cn_mpls_lbl_9": {to:[{field: "rsa.misc.cn_mpls_lbl_9", setter: fld_set}]}, - "cn_mplstoplabel": {to:[{field: "rsa.misc.cn_mplstoplabel", setter: fld_set}]}, - "cn_mplstoplabip": {to:[{field: "rsa.misc.cn_mplstoplabip", setter: fld_set}]}, - "cn_mul_dst_byt": {to:[{field: "rsa.misc.cn_mul_dst_byt", setter: fld_set}]}, - "cn_mul_dst_pks": {to:[{field: "rsa.misc.cn_mul_dst_pks", setter: fld_set}]}, - "cn_muligmptype": {to:[{field: "rsa.misc.cn_muligmptype", setter: fld_set}]}, - "cn_rpackets": {to:[{field: "rsa.web.cn_rpackets", setter: fld_set}]}, - "cn_sampalgo": {to:[{field: "rsa.misc.cn_sampalgo", setter: fld_set}]}, - "cn_sampint": {to:[{field: "rsa.misc.cn_sampint", setter: fld_set}]}, - "cn_seqctr": {to:[{field: "rsa.misc.cn_seqctr", setter: fld_set}]}, - "cn_spackets": {to:[{field: "rsa.misc.cn_spackets", setter: fld_set}]}, - "cn_src_tos": {to:[{field: 
"rsa.misc.cn_src_tos", setter: fld_set}]}, - "cn_src_vlan": {to:[{field: "rsa.misc.cn_src_vlan", setter: fld_set}]}, - "cn_sysuptime": {to:[{field: "rsa.misc.cn_sysuptime", setter: fld_set}]}, - "cn_template_id": {to:[{field: "rsa.misc.cn_template_id", setter: fld_set}]}, - "cn_totbytsexp": {to:[{field: "rsa.misc.cn_totbytsexp", setter: fld_set}]}, - "cn_totflowexp": {to:[{field: "rsa.misc.cn_totflowexp", setter: fld_set}]}, - "cn_totpcktsexp": {to:[{field: "rsa.misc.cn_totpcktsexp", setter: fld_set}]}, - "cn_unixnanosecs": {to:[{field: "rsa.misc.cn_unixnanosecs", setter: fld_set}]}, - "cn_v6flowlabel": {to:[{field: "rsa.misc.cn_v6flowlabel", setter: fld_set}]}, - "cn_v6optheaders": {to:[{field: "rsa.misc.cn_v6optheaders", setter: fld_set}]}, - "code": {to:[{field: "rsa.misc.code", setter: fld_set}]}, - "command": {to:[{field: "rsa.misc.command", setter: fld_set}]}, - "comments": {to:[{field: "rsa.misc.comments", setter: fld_set}]}, - "comp_class": {to:[{field: "rsa.misc.comp_class", setter: fld_set}]}, - "comp_name": {to:[{field: "rsa.misc.comp_name", setter: fld_set}]}, - "comp_rbytes": {to:[{field: "rsa.misc.comp_rbytes", setter: fld_set}]}, - "comp_sbytes": {to:[{field: "rsa.misc.comp_sbytes", setter: fld_set}]}, - "component_version": {to:[{field: "rsa.misc.comp_version", setter: fld_set}]}, - "connection_id": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 1}]}, - "connectionid": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 0}]}, - "content": {to:[{field: "rsa.misc.content", setter: fld_set}]}, - "content_type": {to:[{field: "rsa.misc.content_type", setter: fld_set}]}, - "content_version": {to:[{field: "rsa.misc.content_version", setter: fld_set}]}, - "context": {to:[{field: "rsa.misc.context", setter: fld_set}]}, - "count": {to:[{field: "rsa.misc.count", setter: fld_set}]}, - "cpu": {convert: to_long, to:[{field: "rsa.misc.cpu", setter: fld_set}]}, - "cpu_data": {to:[{field: "rsa.misc.cpu_data", setter: fld_set}]}, - 
"criticality": {to:[{field: "rsa.misc.criticality", setter: fld_set}]}, - "cs_agency_dst": {to:[{field: "rsa.misc.cs_agency_dst", setter: fld_set}]}, - "cs_analyzedby": {to:[{field: "rsa.misc.cs_analyzedby", setter: fld_set}]}, - "cs_av_other": {to:[{field: "rsa.misc.cs_av_other", setter: fld_set}]}, - "cs_av_primary": {to:[{field: "rsa.misc.cs_av_primary", setter: fld_set}]}, - "cs_av_secondary": {to:[{field: "rsa.misc.cs_av_secondary", setter: fld_set}]}, - "cs_bgpv6nxthop": {to:[{field: "rsa.misc.cs_bgpv6nxthop", setter: fld_set}]}, - "cs_bit9status": {to:[{field: "rsa.misc.cs_bit9status", setter: fld_set}]}, - "cs_context": {to:[{field: "rsa.misc.cs_context", setter: fld_set}]}, - "cs_control": {to:[{field: "rsa.misc.cs_control", setter: fld_set}]}, - "cs_data": {to:[{field: "rsa.misc.cs_data", setter: fld_set}]}, - "cs_datecret": {to:[{field: "rsa.misc.cs_datecret", setter: fld_set}]}, - "cs_dst_tld": {to:[{field: "rsa.misc.cs_dst_tld", setter: fld_set}]}, - "cs_eth_dst_ven": {to:[{field: "rsa.misc.cs_eth_dst_ven", setter: fld_set}]}, - "cs_eth_src_ven": {to:[{field: "rsa.misc.cs_eth_src_ven", setter: fld_set}]}, - "cs_event_uuid": {to:[{field: "rsa.misc.cs_event_uuid", setter: fld_set}]}, - "cs_filetype": {to:[{field: "rsa.misc.cs_filetype", setter: fld_set}]}, - "cs_fld": {to:[{field: "rsa.misc.cs_fld", setter: fld_set}]}, - "cs_if_desc": {to:[{field: "rsa.misc.cs_if_desc", setter: fld_set}]}, - "cs_if_name": {to:[{field: "rsa.misc.cs_if_name", setter: fld_set}]}, - "cs_ip_next_hop": {to:[{field: "rsa.misc.cs_ip_next_hop", setter: fld_set}]}, - "cs_ipv4dstpre": {to:[{field: "rsa.misc.cs_ipv4dstpre", setter: fld_set}]}, - "cs_ipv4srcpre": {to:[{field: "rsa.misc.cs_ipv4srcpre", setter: fld_set}]}, - "cs_lifetime": {to:[{field: "rsa.misc.cs_lifetime", setter: fld_set}]}, - "cs_log_medium": {to:[{field: "rsa.misc.cs_log_medium", setter: fld_set}]}, - "cs_loginname": {to:[{field: "rsa.misc.cs_loginname", setter: fld_set}]}, - "cs_modulescore": {to:[{field: 
"rsa.misc.cs_modulescore", setter: fld_set}]}, - "cs_modulesign": {to:[{field: "rsa.misc.cs_modulesign", setter: fld_set}]}, - "cs_opswatresult": {to:[{field: "rsa.misc.cs_opswatresult", setter: fld_set}]}, - "cs_payload": {to:[{field: "rsa.misc.cs_payload", setter: fld_set}]}, - "cs_registrant": {to:[{field: "rsa.misc.cs_registrant", setter: fld_set}]}, - "cs_registrar": {to:[{field: "rsa.misc.cs_registrar", setter: fld_set}]}, - "cs_represult": {to:[{field: "rsa.misc.cs_represult", setter: fld_set}]}, - "cs_rpayload": {to:[{field: "rsa.misc.cs_rpayload", setter: fld_set}]}, - "cs_sampler_name": {to:[{field: "rsa.misc.cs_sampler_name", setter: fld_set}]}, - "cs_sourcemodule": {to:[{field: "rsa.misc.cs_sourcemodule", setter: fld_set}]}, - "cs_streams": {to:[{field: "rsa.misc.cs_streams", setter: fld_set}]}, - "cs_targetmodule": {to:[{field: "rsa.misc.cs_targetmodule", setter: fld_set}]}, - "cs_v6nxthop": {to:[{field: "rsa.misc.cs_v6nxthop", setter: fld_set}]}, - "cs_whois_server": {to:[{field: "rsa.misc.cs_whois_server", setter: fld_set}]}, - "cs_yararesult": {to:[{field: "rsa.misc.cs_yararesult", setter: fld_set}]}, - "cve": {to:[{field: "rsa.misc.cve", setter: fld_set}]}, - "d_certauth": {to:[{field: "rsa.crypto.d_certauth", setter: fld_set}]}, - "d_cipher": {to:[{field: "rsa.crypto.cipher_dst", setter: fld_set}]}, - "d_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_dst", setter: fld_set}]}, - "d_sslver": {to:[{field: "rsa.crypto.ssl_ver_dst", setter: fld_set}]}, - "data": {to:[{field: "rsa.internal.data", setter: fld_set}]}, - "data_type": {to:[{field: "rsa.misc.data_type", setter: fld_set}]}, - "date": {to:[{field: "rsa.time.date", setter: fld_set}]}, - "datetime": {to:[{field: "rsa.time.datetime", setter: fld_set}]}, - "day": {to:[{field: "rsa.time.day", setter: fld_set}]}, - "db_id": {to:[{field: "rsa.db.db_id", setter: fld_set}]}, - "db_name": {to:[{field: "rsa.db.database", setter: fld_set}]}, - "db_pid": {convert: to_long, to:[{field: 
"rsa.db.db_pid", setter: fld_set}]}, - "dclass_counter1": {convert: to_long, to:[{field: "rsa.counters.dclass_c1", setter: fld_set}]}, - "dclass_counter1_string": {to:[{field: "rsa.counters.dclass_c1_str", setter: fld_set}]}, - "dclass_counter2": {convert: to_long, to:[{field: "rsa.counters.dclass_c2", setter: fld_set}]}, - "dclass_counter2_string": {to:[{field: "rsa.counters.dclass_c2_str", setter: fld_set}]}, - "dclass_counter3": {convert: to_long, to:[{field: "rsa.counters.dclass_c3", setter: fld_set}]}, - "dclass_counter3_string": {to:[{field: "rsa.counters.dclass_c3_str", setter: fld_set}]}, - "dclass_ratio1": {to:[{field: "rsa.counters.dclass_r1", setter: fld_set}]}, - "dclass_ratio1_string": {to:[{field: "rsa.counters.dclass_r1_str", setter: fld_set}]}, - "dclass_ratio2": {to:[{field: "rsa.counters.dclass_r2", setter: fld_set}]}, - "dclass_ratio2_string": {to:[{field: "rsa.counters.dclass_r2_str", setter: fld_set}]}, - "dclass_ratio3": {to:[{field: "rsa.counters.dclass_r3", setter: fld_set}]}, - "dclass_ratio3_string": {to:[{field: "rsa.counters.dclass_r3_str", setter: fld_set}]}, - "dead": {convert: to_long, to:[{field: "rsa.internal.dead", setter: fld_set}]}, - "description": {to:[{field: "rsa.misc.description", setter: fld_set}]}, - "detail": {to:[{field: "rsa.misc.event_desc", setter: fld_set}]}, - "device": {to:[{field: "rsa.misc.device_name", setter: fld_set}]}, - "device.class": {to:[{field: "rsa.internal.device_class", setter: fld_set}]}, - "device.group": {to:[{field: "rsa.internal.device_group", setter: fld_set}]}, - "device.host": {to:[{field: "rsa.internal.device_host", setter: fld_set}]}, - "device.ip": {convert: to_ip, to:[{field: "rsa.internal.device_ip", setter: fld_set}]}, - "device.ipv6": {convert: to_ip, to:[{field: "rsa.internal.device_ipv6", setter: fld_set}]}, - "device.type": {to:[{field: "rsa.internal.device_type", setter: fld_set}]}, - "device.type.id": {convert: to_long, to:[{field: "rsa.internal.device_type_id", setter: fld_set}]}, 
- "devicehostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "devvendor": {to:[{field: "rsa.misc.devvendor", setter: fld_set}]}, - "dhost": {to:[{field: "rsa.network.host_dst", setter: fld_set}]}, - "did": {to:[{field: "rsa.internal.did", setter: fld_set}]}, - "dinterface": {to:[{field: "rsa.network.dinterface", setter: fld_set}]}, - "directory.dst": {to:[{field: "rsa.file.directory_dst", setter: fld_set}]}, - "directory.src": {to:[{field: "rsa.file.directory_src", setter: fld_set}]}, - "disk_volume": {to:[{field: "rsa.storage.disk_volume", setter: fld_set}]}, - "disposition": {to:[{field: "rsa.misc.disposition", setter: fld_set}]}, - "distance": {to:[{field: "rsa.misc.distance", setter: fld_set}]}, - "dmask": {to:[{field: "rsa.network.dmask", setter: fld_set}]}, - "dn": {to:[{field: "rsa.identity.dn", setter: fld_set}]}, - "dns_a_record": {to:[{field: "rsa.network.dns_a_record", setter: fld_set}]}, - "dns_cname_record": {to:[{field: "rsa.network.dns_cname_record", setter: fld_set}]}, - "dns_id": {to:[{field: "rsa.network.dns_id", setter: fld_set}]}, - "dns_opcode": {to:[{field: "rsa.network.dns_opcode", setter: fld_set}]}, - "dns_ptr_record": {to:[{field: "rsa.network.dns_ptr_record", setter: fld_set}]}, - "dns_resp": {to:[{field: "rsa.network.dns_resp", setter: fld_set}]}, - "dns_type": {to:[{field: "rsa.network.dns_type", setter: fld_set}]}, - "doc_number": {convert: to_long, to:[{field: "rsa.misc.doc_number", setter: fld_set}]}, - "domain": {to:[{field: "rsa.network.domain", setter: fld_set}]}, - "domain1": {to:[{field: "rsa.network.domain1", setter: fld_set}]}, - "dst_dn": {to:[{field: "rsa.identity.dn_dst", setter: fld_set}]}, - "dst_payload": {to:[{field: "rsa.misc.payload_dst", setter: fld_set}]}, - "dst_spi": {to:[{field: "rsa.misc.spi_dst", setter: fld_set}]}, - "dst_zone": {to:[{field: "rsa.network.zone_dst", setter: fld_set}]}, - "dstburb": {to:[{field: "rsa.misc.dstburb", setter: fld_set}]}, - "duration": {convert: to_double, 
to:[{field: "rsa.time.duration_time", setter: fld_set}]}, - "duration_string": {to:[{field: "rsa.time.duration_str", setter: fld_set}]}, - "ec_activity": {to:[{field: "rsa.investigations.ec_activity", setter: fld_set}]}, - "ec_outcome": {to:[{field: "rsa.investigations.ec_outcome", setter: fld_set}]}, - "ec_subject": {to:[{field: "rsa.investigations.ec_subject", setter: fld_set}]}, - "ec_theme": {to:[{field: "rsa.investigations.ec_theme", setter: fld_set}]}, - "edomain": {to:[{field: "rsa.misc.edomain", setter: fld_set}]}, - "edomaub": {to:[{field: "rsa.misc.edomaub", setter: fld_set}]}, - "effective_time": {convert: to_date, to:[{field: "rsa.time.effective_time", setter: fld_set}]}, - "ein.number": {convert: to_long, to:[{field: "rsa.misc.ein_number", setter: fld_set}]}, - "email": {to:[{field: "rsa.email.email", setter: fld_append}]}, - "encryption_type": {to:[{field: "rsa.crypto.crypto", setter: fld_set}]}, - "endtime": {convert: to_date, to:[{field: "rsa.time.endtime", setter: fld_set}]}, - "entropy.req": {convert: to_long, to:[{field: "rsa.internal.entropy_req", setter: fld_set}]}, - "entropy.res": {convert: to_long, to:[{field: "rsa.internal.entropy_res", setter: fld_set}]}, - "entry": {to:[{field: "rsa.internal.entry", setter: fld_set}]}, - "eoc": {to:[{field: "rsa.investigations.eoc", setter: fld_set}]}, - "error": {to:[{field: "rsa.misc.error", setter: fld_set}]}, - "eth_type": {convert: to_long, to:[{field: "rsa.network.eth_type", setter: fld_set}]}, - "euid": {to:[{field: "rsa.misc.euid", setter: fld_set}]}, - "event.cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 1}]}, - "event.cat.name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 1}]}, - "event_cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 0}]}, - "event_cat_name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 0}]}, - "event_category": {to:[{field: 
"rsa.misc.event_category", setter: fld_set}]}, - "event_computer": {to:[{field: "rsa.misc.event_computer", setter: fld_set}]}, - "event_counter": {convert: to_long, to:[{field: "rsa.counters.event_counter", setter: fld_set}]}, - "event_description": {to:[{field: "rsa.internal.event_desc", setter: fld_set}]}, - "event_id": {to:[{field: "rsa.misc.event_id", setter: fld_set}]}, - "event_log": {to:[{field: "rsa.misc.event_log", setter: fld_set}]}, - "event_name": {to:[{field: "rsa.internal.event_name", setter: fld_set}]}, - "event_queue_time": {convert: to_date, to:[{field: "rsa.time.event_queue_time", setter: fld_set}]}, - "event_source": {to:[{field: "rsa.misc.event_source", setter: fld_set}]}, - "event_state": {to:[{field: "rsa.misc.event_state", setter: fld_set}]}, - "event_time": {convert: to_date, to:[{field: "rsa.time.event_time", setter: fld_set}]}, - "event_time_str": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 1}]}, - "event_time_string": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 0}]}, - "event_type": {to:[{field: "rsa.misc.event_type", setter: fld_set}]}, - "event_user": {to:[{field: "rsa.misc.event_user", setter: fld_set}]}, - "eventtime": {to:[{field: "rsa.time.eventtime", setter: fld_set}]}, - "expected_val": {to:[{field: "rsa.misc.expected_val", setter: fld_set}]}, - "expiration_time": {convert: to_date, to:[{field: "rsa.time.expire_time", setter: fld_set}]}, - "expiration_time_string": {to:[{field: "rsa.time.expire_time_str", setter: fld_set}]}, - "facility": {to:[{field: "rsa.misc.facility", setter: fld_set}]}, - "facilityname": {to:[{field: "rsa.misc.facilityname", setter: fld_set}]}, - "faddr": {to:[{field: "rsa.network.faddr", setter: fld_set}]}, - "fcatnum": {to:[{field: "rsa.misc.fcatnum", setter: fld_set}]}, - "federated_idp": {to:[{field: "rsa.identity.federated_idp", setter: fld_set}]}, - "federated_sp": {to:[{field: "rsa.identity.federated_sp", setter: fld_set}]}, - "feed.category": {to:[{field: 
"rsa.internal.feed_category", setter: fld_set}]}, - "feed_desc": {to:[{field: "rsa.internal.feed_desc", setter: fld_set}]}, - "feed_name": {to:[{field: "rsa.internal.feed_name", setter: fld_set}]}, - "fhost": {to:[{field: "rsa.network.fhost", setter: fld_set}]}, - "file_entropy": {convert: to_double, to:[{field: "rsa.file.file_entropy", setter: fld_set}]}, - "file_vendor": {to:[{field: "rsa.file.file_vendor", setter: fld_set}]}, - "filename_dst": {to:[{field: "rsa.file.filename_dst", setter: fld_set}]}, - "filename_src": {to:[{field: "rsa.file.filename_src", setter: fld_set}]}, - "filename_tmp": {to:[{field: "rsa.file.filename_tmp", setter: fld_set}]}, - "filesystem": {to:[{field: "rsa.file.filesystem", setter: fld_set}]}, - "filter": {to:[{field: "rsa.misc.filter", setter: fld_set}]}, - "finterface": {to:[{field: "rsa.misc.finterface", setter: fld_set}]}, - "flags": {to:[{field: "rsa.misc.flags", setter: fld_set}]}, - "forensic_info": {to:[{field: "rsa.misc.forensic_info", setter: fld_set}]}, - "forward.ip": {convert: to_ip, to:[{field: "rsa.internal.forward_ip", setter: fld_set}]}, - "forward.ipv6": {convert: to_ip, to:[{field: "rsa.internal.forward_ipv6", setter: fld_set}]}, - "found": {to:[{field: "rsa.misc.found", setter: fld_set}]}, - "fport": {to:[{field: "rsa.network.fport", setter: fld_set}]}, - "fqdn": {to:[{field: "rsa.web.fqdn", setter: fld_set}]}, - "fresult": {convert: to_long, to:[{field: "rsa.misc.fresult", setter: fld_set}]}, - "from": {to:[{field: "rsa.email.email_src", setter: fld_set}]}, - "gaddr": {to:[{field: "rsa.misc.gaddr", setter: fld_set}]}, - "gateway": {to:[{field: "rsa.network.gateway", setter: fld_set}]}, - "gmtdate": {to:[{field: "rsa.time.gmtdate", setter: fld_set}]}, - "gmttime": {to:[{field: "rsa.time.gmttime", setter: fld_set}]}, - "group": {to:[{field: "rsa.misc.group", setter: fld_set}]}, - "group_object": {to:[{field: "rsa.misc.group_object", setter: fld_set}]}, - "groupid": {to:[{field: "rsa.misc.group_id", setter: 
fld_set}]}, - "h_code": {to:[{field: "rsa.internal.hcode", setter: fld_set}]}, - "hardware_id": {to:[{field: "rsa.misc.hardware_id", setter: fld_set}]}, - "header.id": {to:[{field: "rsa.internal.header_id", setter: fld_set}]}, - "host.orig": {to:[{field: "rsa.network.host_orig", setter: fld_set}]}, - "host.state": {to:[{field: "rsa.endpoint.host_state", setter: fld_set}]}, - "host.type": {to:[{field: "rsa.network.host_type", setter: fld_set}]}, - "host_role": {to:[{field: "rsa.identity.host_role", setter: fld_set}]}, - "hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "hostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "hour": {to:[{field: "rsa.time.hour", setter: fld_set}]}, - "https.insact": {to:[{field: "rsa.crypto.https_insact", setter: fld_set}]}, - "https.valid": {to:[{field: "rsa.crypto.https_valid", setter: fld_set}]}, - "icmpcode": {convert: to_long, to:[{field: "rsa.network.icmp_code", setter: fld_set}]}, - "icmptype": {convert: to_long, to:[{field: "rsa.network.icmp_type", setter: fld_set}]}, - "id": {to:[{field: "rsa.misc.reference_id", setter: fld_set}]}, - "id1": {to:[{field: "rsa.misc.reference_id1", setter: fld_set}]}, - "id2": {to:[{field: "rsa.misc.reference_id2", setter: fld_set}]}, - "id3": {to:[{field: "rsa.misc.id3", setter: fld_set}]}, - "ike": {to:[{field: "rsa.crypto.ike", setter: fld_set}]}, - "ike_cookie1": {to:[{field: "rsa.crypto.ike_cookie1", setter: fld_set}]}, - "ike_cookie2": {to:[{field: "rsa.crypto.ike_cookie2", setter: fld_set}]}, - "im_buddyid": {to:[{field: "rsa.misc.im_buddyid", setter: fld_set}]}, - "im_buddyname": {to:[{field: "rsa.misc.im_buddyname", setter: fld_set}]}, - "im_client": {to:[{field: "rsa.misc.im_client", setter: fld_set}]}, - "im_croomid": {to:[{field: "rsa.misc.im_croomid", setter: fld_set}]}, - "im_croomtype": {to:[{field: "rsa.misc.im_croomtype", setter: fld_set}]}, - "im_members": {to:[{field: "rsa.misc.im_members", setter: fld_set}]}, - "im_userid": 
{to:[{field: "rsa.misc.im_userid", setter: fld_set}]}, - "im_username": {to:[{field: "rsa.misc.im_username", setter: fld_set}]}, - "index": {to:[{field: "rsa.misc.index", setter: fld_set}]}, - "info": {to:[{field: "rsa.db.index", setter: fld_set}]}, - "inode": {convert: to_long, to:[{field: "rsa.internal.inode", setter: fld_set}]}, - "inout": {to:[{field: "rsa.misc.inout", setter: fld_set}]}, - "instance": {to:[{field: "rsa.db.instance", setter: fld_set}]}, - "interface": {to:[{field: "rsa.network.interface", setter: fld_set}]}, - "inv.category": {to:[{field: "rsa.investigations.inv_category", setter: fld_set}]}, - "inv.context": {to:[{field: "rsa.investigations.inv_context", setter: fld_set}]}, - "ioc": {to:[{field: "rsa.investigations.ioc", setter: fld_set}]}, - "ip_proto": {convert: to_long, to:[{field: "rsa.network.ip_proto", setter: fld_set}]}, - "ipkt": {to:[{field: "rsa.misc.ipkt", setter: fld_set}]}, - "ipscat": {to:[{field: "rsa.misc.ipscat", setter: fld_set}]}, - "ipspri": {to:[{field: "rsa.misc.ipspri", setter: fld_set}]}, - "jobname": {to:[{field: "rsa.misc.jobname", setter: fld_set}]}, - "jobnum": {to:[{field: "rsa.misc.job_num", setter: fld_set}]}, - "laddr": {to:[{field: "rsa.network.laddr", setter: fld_set}]}, - "language": {to:[{field: "rsa.misc.language", setter: fld_set}]}, - "latitude": {to:[{field: "rsa.misc.latitude", setter: fld_set}]}, - "lc.cid": {to:[{field: "rsa.internal.lc_cid", setter: fld_set}]}, - "lc.ctime": {convert: to_date, to:[{field: "rsa.internal.lc_ctime", setter: fld_set}]}, - "ldap": {to:[{field: "rsa.identity.ldap", setter: fld_set}]}, - "ldap.query": {to:[{field: "rsa.identity.ldap_query", setter: fld_set}]}, - "ldap.response": {to:[{field: "rsa.identity.ldap_response", setter: fld_set}]}, - "level": {convert: to_long, to:[{field: "rsa.internal.level", setter: fld_set}]}, - "lhost": {to:[{field: "rsa.network.lhost", setter: fld_set}]}, - "library": {to:[{field: "rsa.misc.library", setter: fld_set}]}, - "lifetime": 
{convert: to_long, to:[{field: "rsa.misc.lifetime", setter: fld_set}]}, - "linenum": {to:[{field: "rsa.misc.linenum", setter: fld_set}]}, - "link": {to:[{field: "rsa.misc.link", setter: fld_set}]}, - "linterface": {to:[{field: "rsa.network.linterface", setter: fld_set}]}, - "list_name": {to:[{field: "rsa.misc.list_name", setter: fld_set}]}, - "listnum": {to:[{field: "rsa.misc.listnum", setter: fld_set}]}, - "load_data": {to:[{field: "rsa.misc.load_data", setter: fld_set}]}, - "location_floor": {to:[{field: "rsa.misc.location_floor", setter: fld_set}]}, - "location_mark": {to:[{field: "rsa.misc.location_mark", setter: fld_set}]}, - "log_id": {to:[{field: "rsa.misc.log_id", setter: fld_set}]}, - "log_type": {to:[{field: "rsa.misc.log_type", setter: fld_set}]}, - "logid": {to:[{field: "rsa.misc.logid", setter: fld_set}]}, - "logip": {to:[{field: "rsa.misc.logip", setter: fld_set}]}, - "logname": {to:[{field: "rsa.misc.logname", setter: fld_set}]}, - "logon_type": {to:[{field: "rsa.identity.logon_type", setter: fld_set}]}, - "logon_type_desc": {to:[{field: "rsa.identity.logon_type_desc", setter: fld_set}]}, - "longitude": {to:[{field: "rsa.misc.longitude", setter: fld_set}]}, - "lport": {to:[{field: "rsa.misc.lport", setter: fld_set}]}, - "lread": {convert: to_long, to:[{field: "rsa.db.lread", setter: fld_set}]}, - "lun": {to:[{field: "rsa.storage.lun", setter: fld_set}]}, - "lwrite": {convert: to_long, to:[{field: "rsa.db.lwrite", setter: fld_set}]}, - "macaddr": {convert: to_mac, to:[{field: "rsa.network.eth_host", setter: fld_set}]}, - "mail_id": {to:[{field: "rsa.misc.mail_id", setter: fld_set}]}, - "mask": {to:[{field: "rsa.network.mask", setter: fld_set}]}, - "match": {to:[{field: "rsa.misc.match", setter: fld_set}]}, - "mbug_data": {to:[{field: "rsa.misc.mbug_data", setter: fld_set}]}, - "mcb.req": {convert: to_long, to:[{field: "rsa.internal.mcb_req", setter: fld_set}]}, - "mcb.res": {convert: to_long, to:[{field: "rsa.internal.mcb_res", setter: fld_set}]}, - 
"mcbc.req": {convert: to_long, to:[{field: "rsa.internal.mcbc_req", setter: fld_set}]}, - "mcbc.res": {convert: to_long, to:[{field: "rsa.internal.mcbc_res", setter: fld_set}]}, - "medium": {convert: to_long, to:[{field: "rsa.internal.medium", setter: fld_set}]}, - "message": {to:[{field: "rsa.internal.message", setter: fld_set}]}, - "message_body": {to:[{field: "rsa.misc.message_body", setter: fld_set}]}, - "messageid": {to:[{field: "rsa.internal.messageid", setter: fld_set}]}, - "min": {to:[{field: "rsa.time.min", setter: fld_set}]}, - "misc": {to:[{field: "rsa.misc.misc", setter: fld_set}]}, - "misc_name": {to:[{field: "rsa.misc.misc_name", setter: fld_set}]}, - "mode": {to:[{field: "rsa.misc.mode", setter: fld_set}]}, - "month": {to:[{field: "rsa.time.month", setter: fld_set}]}, - "msg": {to:[{field: "rsa.internal.msg", setter: fld_set}]}, - "msgIdPart1": {to:[{field: "rsa.misc.msgIdPart1", setter: fld_set}]}, - "msgIdPart2": {to:[{field: "rsa.misc.msgIdPart2", setter: fld_set}]}, - "msgIdPart3": {to:[{field: "rsa.misc.msgIdPart3", setter: fld_set}]}, - "msgIdPart4": {to:[{field: "rsa.misc.msgIdPart4", setter: fld_set}]}, - "msg_id": {to:[{field: "rsa.internal.msg_id", setter: fld_set}]}, - "msg_type": {to:[{field: "rsa.misc.msg_type", setter: fld_set}]}, - "msgid": {to:[{field: "rsa.misc.msgid", setter: fld_set}]}, - "name": {to:[{field: "rsa.misc.name", setter: fld_set}]}, - "netname": {to:[{field: "rsa.network.netname", setter: fld_set}]}, - "netsessid": {to:[{field: "rsa.misc.netsessid", setter: fld_set}]}, - "network_port": {convert: to_long, to:[{field: "rsa.network.network_port", setter: fld_set}]}, - "network_service": {to:[{field: "rsa.network.network_service", setter: fld_set}]}, - "node": {to:[{field: "rsa.misc.node", setter: fld_set}]}, - "nodename": {to:[{field: "rsa.internal.node_name", setter: fld_set}]}, - "ntype": {to:[{field: "rsa.misc.ntype", setter: fld_set}]}, - "num": {to:[{field: "rsa.misc.num", setter: fld_set}]}, - "number": 
{to:[{field: "rsa.misc.number", setter: fld_set}]}, - "number1": {to:[{field: "rsa.misc.number1", setter: fld_set}]}, - "number2": {to:[{field: "rsa.misc.number2", setter: fld_set}]}, - "nwe.callback_id": {to:[{field: "rsa.internal.nwe_callback_id", setter: fld_set}]}, - "nwwn": {to:[{field: "rsa.misc.nwwn", setter: fld_set}]}, - "obj_id": {to:[{field: "rsa.internal.obj_id", setter: fld_set}]}, - "obj_name": {to:[{field: "rsa.misc.obj_name", setter: fld_set}]}, - "obj_server": {to:[{field: "rsa.internal.obj_server", setter: fld_set}]}, - "obj_type": {to:[{field: "rsa.misc.obj_type", setter: fld_set}]}, - "obj_value": {to:[{field: "rsa.internal.obj_val", setter: fld_set}]}, - "object": {to:[{field: "rsa.misc.object", setter: fld_set}]}, - "observed_val": {to:[{field: "rsa.misc.observed_val", setter: fld_set}]}, - "operation": {to:[{field: "rsa.misc.operation", setter: fld_set}]}, - "operation_id": {to:[{field: "rsa.misc.operation_id", setter: fld_set}]}, - "opkt": {to:[{field: "rsa.misc.opkt", setter: fld_set}]}, - "org.dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 1}]}, - "org.src": {to:[{field: "rsa.physical.org_src", setter: fld_set}]}, - "org_dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 0}]}, - "orig_from": {to:[{field: "rsa.misc.orig_from", setter: fld_set}]}, - "origin": {to:[{field: "rsa.network.origin", setter: fld_set}]}, - "original_owner": {to:[{field: "rsa.identity.owner", setter: fld_set}]}, - "os": {to:[{field: "rsa.misc.OS", setter: fld_set}]}, - "owner_id": {to:[{field: "rsa.misc.owner_id", setter: fld_set}]}, - "p_action": {to:[{field: "rsa.misc.p_action", setter: fld_set}]}, - "p_date": {to:[{field: "rsa.time.p_date", setter: fld_set}]}, - "p_filter": {to:[{field: "rsa.misc.p_filter", setter: fld_set}]}, - "p_group_object": {to:[{field: "rsa.misc.p_group_object", setter: fld_set}]}, - "p_id": {to:[{field: "rsa.misc.p_id", setter: fld_set}]}, - "p_month": {to:[{field: "rsa.time.p_month", setter: fld_set}]}, 
- "p_msgid": {to:[{field: "rsa.misc.p_msgid", setter: fld_set}]}, - "p_msgid1": {to:[{field: "rsa.misc.p_msgid1", setter: fld_set}]}, - "p_msgid2": {to:[{field: "rsa.misc.p_msgid2", setter: fld_set}]}, - "p_result1": {to:[{field: "rsa.misc.p_result1", setter: fld_set}]}, - "p_time": {to:[{field: "rsa.time.p_time", setter: fld_set}]}, - "p_time1": {to:[{field: "rsa.time.p_time1", setter: fld_set}]}, - "p_time2": {to:[{field: "rsa.time.p_time2", setter: fld_set}]}, - "p_url": {to:[{field: "rsa.web.p_url", setter: fld_set}]}, - "p_user_agent": {to:[{field: "rsa.web.p_user_agent", setter: fld_set}]}, - "p_web_cookie": {to:[{field: "rsa.web.p_web_cookie", setter: fld_set}]}, - "p_web_method": {to:[{field: "rsa.web.p_web_method", setter: fld_set}]}, - "p_web_referer": {to:[{field: "rsa.web.p_web_referer", setter: fld_set}]}, - "p_year": {to:[{field: "rsa.time.p_year", setter: fld_set}]}, - "packet_length": {to:[{field: "rsa.network.packet_length", setter: fld_set}]}, - "paddr": {convert: to_ip, to:[{field: "rsa.network.paddr", setter: fld_set}]}, - "param": {to:[{field: "rsa.misc.param", setter: fld_set}]}, - "param.dst": {to:[{field: "rsa.misc.param_dst", setter: fld_set}]}, - "param.src": {to:[{field: "rsa.misc.param_src", setter: fld_set}]}, - "parent_node": {to:[{field: "rsa.misc.parent_node", setter: fld_set}]}, - "parse.error": {to:[{field: "rsa.internal.parse_error", setter: fld_set}]}, - "password": {to:[{field: "rsa.identity.password", setter: fld_set}]}, - "password_chg": {to:[{field: "rsa.misc.password_chg", setter: fld_set}]}, - "password_expire": {to:[{field: "rsa.misc.password_expire", setter: fld_set}]}, - "patient_fname": {to:[{field: "rsa.healthcare.patient_fname", setter: fld_set}]}, - "patient_id": {to:[{field: "rsa.healthcare.patient_id", setter: fld_set}]}, - "patient_lname": {to:[{field: "rsa.healthcare.patient_lname", setter: fld_set}]}, - "patient_mname": {to:[{field: "rsa.healthcare.patient_mname", setter: fld_set}]}, - "payload.req": {convert: 
to_long, to:[{field: "rsa.internal.payload_req", setter: fld_set}]}, - "payload.res": {convert: to_long, to:[{field: "rsa.internal.payload_res", setter: fld_set}]}, - "peer": {to:[{field: "rsa.crypto.peer", setter: fld_set}]}, - "peer_id": {to:[{field: "rsa.crypto.peer_id", setter: fld_set}]}, - "permgranted": {to:[{field: "rsa.misc.permgranted", setter: fld_set}]}, - "permissions": {to:[{field: "rsa.db.permissions", setter: fld_set}]}, - "permwanted": {to:[{field: "rsa.misc.permwanted", setter: fld_set}]}, - "pgid": {to:[{field: "rsa.misc.pgid", setter: fld_set}]}, - "phone_number": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 2}]}, - "phost": {to:[{field: "rsa.network.phost", setter: fld_set}]}, - "pid": {to:[{field: "rsa.misc.pid", setter: fld_set}]}, - "policy": {to:[{field: "rsa.misc.policy", setter: fld_set}]}, - "policyUUID": {to:[{field: "rsa.misc.policyUUID", setter: fld_set}]}, - "policy_id": {to:[{field: "rsa.misc.policy_id", setter: fld_set}]}, - "policy_value": {to:[{field: "rsa.misc.policy_value", setter: fld_set}]}, - "policy_waiver": {to:[{field: "rsa.misc.policy_waiver", setter: fld_set}]}, - "policyname": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 0}]}, - "pool_id": {to:[{field: "rsa.misc.pool_id", setter: fld_set}]}, - "pool_name": {to:[{field: "rsa.misc.pool_name", setter: fld_set}]}, - "port": {convert: to_long, to:[{field: "rsa.network.port", setter: fld_set}]}, - "portname": {to:[{field: "rsa.misc.port_name", setter: fld_set}]}, - "pread": {convert: to_long, to:[{field: "rsa.db.pread", setter: fld_set}]}, - "priority": {to:[{field: "rsa.misc.priority", setter: fld_set}]}, - "privilege": {to:[{field: "rsa.file.privilege", setter: fld_set}]}, - "process.vid.dst": {to:[{field: "rsa.internal.process_vid_dst", setter: fld_set}]}, - "process.vid.src": {to:[{field: "rsa.internal.process_vid_src", setter: fld_set}]}, - "process_id_val": {to:[{field: "rsa.misc.process_id_val", setter: fld_set}]}, - "processing_time": 
{to:[{field: "rsa.time.process_time", setter: fld_set}]}, - "profile": {to:[{field: "rsa.identity.profile", setter: fld_set}]}, - "prog_asp_num": {to:[{field: "rsa.misc.prog_asp_num", setter: fld_set}]}, - "program": {to:[{field: "rsa.misc.program", setter: fld_set}]}, - "protocol_detail": {to:[{field: "rsa.network.protocol_detail", setter: fld_set}]}, - "pwwn": {to:[{field: "rsa.storage.pwwn", setter: fld_set}]}, - "r_hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "real_data": {to:[{field: "rsa.misc.real_data", setter: fld_set}]}, - "realm": {to:[{field: "rsa.identity.realm", setter: fld_set}]}, - "reason": {to:[{field: "rsa.misc.reason", setter: fld_set}]}, - "rec_asp_device": {to:[{field: "rsa.misc.rec_asp_device", setter: fld_set}]}, - "rec_asp_num": {to:[{field: "rsa.misc.rec_asp_num", setter: fld_set}]}, - "rec_library": {to:[{field: "rsa.misc.rec_library", setter: fld_set}]}, - "recorded_time": {convert: to_date, to:[{field: "rsa.time.recorded_time", setter: fld_set}]}, - "recordnum": {to:[{field: "rsa.misc.recordnum", setter: fld_set}]}, - "registry.key": {to:[{field: "rsa.endpoint.registry_key", setter: fld_set}]}, - "registry.value": {to:[{field: "rsa.endpoint.registry_value", setter: fld_set}]}, - "remote_domain": {to:[{field: "rsa.web.remote_domain", setter: fld_set}]}, - "remote_domain_id": {to:[{field: "rsa.network.remote_domain_id", setter: fld_set}]}, - "reputation_num": {convert: to_double, to:[{field: "rsa.web.reputation_num", setter: fld_set}]}, - "resource": {to:[{field: "rsa.internal.resource", setter: fld_set}]}, - "resource_class": {to:[{field: "rsa.internal.resource_class", setter: fld_set}]}, - "result": {to:[{field: "rsa.misc.result", setter: fld_set}]}, - "result_code": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 1}]}, - "resultcode": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 0}]}, - "rid": {convert: to_long, to:[{field: "rsa.internal.rid", setter: fld_set}]}, - "risk": 
{to:[{field: "rsa.misc.risk", setter: fld_set}]}, - "risk_info": {to:[{field: "rsa.misc.risk_info", setter: fld_set}]}, - "risk_num": {convert: to_double, to:[{field: "rsa.misc.risk_num", setter: fld_set}]}, - "risk_num_comm": {convert: to_double, to:[{field: "rsa.misc.risk_num_comm", setter: fld_set}]}, - "risk_num_next": {convert: to_double, to:[{field: "rsa.misc.risk_num_next", setter: fld_set}]}, - "risk_num_sand": {convert: to_double, to:[{field: "rsa.misc.risk_num_sand", setter: fld_set}]}, - "risk_num_static": {convert: to_double, to:[{field: "rsa.misc.risk_num_static", setter: fld_set}]}, - "risk_suspicious": {to:[{field: "rsa.misc.risk_suspicious", setter: fld_set}]}, - "risk_warning": {to:[{field: "rsa.misc.risk_warning", setter: fld_set}]}, - "rpayload": {to:[{field: "rsa.network.rpayload", setter: fld_set}]}, - "ruid": {to:[{field: "rsa.misc.ruid", setter: fld_set}]}, - "rule": {to:[{field: "rsa.misc.rule", setter: fld_set}]}, - "rule_group": {to:[{field: "rsa.misc.rule_group", setter: fld_set}]}, - "rule_template": {to:[{field: "rsa.misc.rule_template", setter: fld_set}]}, - "rule_uid": {to:[{field: "rsa.misc.rule_uid", setter: fld_set}]}, - "rulename": {to:[{field: "rsa.misc.rule_name", setter: fld_set}]}, - "s_certauth": {to:[{field: "rsa.crypto.s_certauth", setter: fld_set}]}, - "s_cipher": {to:[{field: "rsa.crypto.cipher_src", setter: fld_set}]}, - "s_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_src", setter: fld_set}]}, - "s_context": {to:[{field: "rsa.misc.context_subject", setter: fld_set}]}, - "s_sslver": {to:[{field: "rsa.crypto.ssl_ver_src", setter: fld_set}]}, - "sburb": {to:[{field: "rsa.misc.sburb", setter: fld_set}]}, - "scheme": {to:[{field: "rsa.crypto.scheme", setter: fld_set}]}, - "sdomain_fld": {to:[{field: "rsa.misc.sdomain_fld", setter: fld_set}]}, - "search.text": {to:[{field: "rsa.misc.search_text", setter: fld_set}]}, - "sec": {to:[{field: "rsa.misc.sec", setter: fld_set}]}, - "second": {to:[{field: 
"rsa.misc.second", setter: fld_set}]}, - "sensor": {to:[{field: "rsa.misc.sensor", setter: fld_set}]}, - "sensorname": {to:[{field: "rsa.misc.sensorname", setter: fld_set}]}, - "seqnum": {to:[{field: "rsa.misc.seqnum", setter: fld_set}]}, - "serial_number": {to:[{field: "rsa.misc.serial_number", setter: fld_set}]}, - "service.account": {to:[{field: "rsa.identity.service_account", setter: fld_set}]}, - "session": {to:[{field: "rsa.misc.session", setter: fld_set}]}, - "session.split": {to:[{field: "rsa.internal.session_split", setter: fld_set}]}, - "sessionid": {to:[{field: "rsa.misc.log_session_id", setter: fld_set}]}, - "sessionid1": {to:[{field: "rsa.misc.log_session_id1", setter: fld_set}]}, - "sessiontype": {to:[{field: "rsa.misc.sessiontype", setter: fld_set}]}, - "severity": {to:[{field: "rsa.misc.severity", setter: fld_set}]}, - "sid": {to:[{field: "rsa.identity.user_sid_dst", setter: fld_set}]}, - "sig.name": {to:[{field: "rsa.misc.sig_name", setter: fld_set}]}, - "sigUUID": {to:[{field: "rsa.misc.sigUUID", setter: fld_set}]}, - "sigcat": {to:[{field: "rsa.misc.sigcat", setter: fld_set}]}, - "sigid": {convert: to_long, to:[{field: "rsa.misc.sig_id", setter: fld_set}]}, - "sigid1": {convert: to_long, to:[{field: "rsa.misc.sig_id1", setter: fld_set}]}, - "sigid_string": {to:[{field: "rsa.misc.sig_id_str", setter: fld_set}]}, - "signame": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 1}]}, - "sigtype": {to:[{field: "rsa.crypto.sig_type", setter: fld_set}]}, - "sinterface": {to:[{field: "rsa.network.sinterface", setter: fld_set}]}, - "site": {to:[{field: "rsa.internal.site", setter: fld_set}]}, - "size": {convert: to_long, to:[{field: "rsa.internal.size", setter: fld_set}]}, - "smask": {to:[{field: "rsa.network.smask", setter: fld_set}]}, - "snmp.oid": {to:[{field: "rsa.misc.snmp_oid", setter: fld_set}]}, - "snmp.value": {to:[{field: "rsa.misc.snmp_value", setter: fld_set}]}, - "sourcefile": {to:[{field: "rsa.internal.sourcefile", setter: 
fld_set}]}, - "space": {to:[{field: "rsa.misc.space", setter: fld_set}]}, - "space1": {to:[{field: "rsa.misc.space1", setter: fld_set}]}, - "spi": {to:[{field: "rsa.misc.spi", setter: fld_set}]}, - "sql": {to:[{field: "rsa.misc.sql", setter: fld_set}]}, - "src_dn": {to:[{field: "rsa.identity.dn_src", setter: fld_set}]}, - "src_payload": {to:[{field: "rsa.misc.payload_src", setter: fld_set}]}, - "src_spi": {to:[{field: "rsa.misc.spi_src", setter: fld_set}]}, - "src_zone": {to:[{field: "rsa.network.zone_src", setter: fld_set}]}, - "srcburb": {to:[{field: "rsa.misc.srcburb", setter: fld_set}]}, - "srcdom": {to:[{field: "rsa.misc.srcdom", setter: fld_set}]}, - "srcservice": {to:[{field: "rsa.misc.srcservice", setter: fld_set}]}, - "ssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 0}]}, - "stamp": {convert: to_date, to:[{field: "rsa.time.stamp", setter: fld_set}]}, - "starttime": {convert: to_date, to:[{field: "rsa.time.starttime", setter: fld_set}]}, - "state": {to:[{field: "rsa.misc.state", setter: fld_set}]}, - "statement": {to:[{field: "rsa.internal.statement", setter: fld_set}]}, - "status": {to:[{field: "rsa.misc.status", setter: fld_set}]}, - "status1": {to:[{field: "rsa.misc.status1", setter: fld_set}]}, - "streams": {convert: to_long, to:[{field: "rsa.misc.streams", setter: fld_set}]}, - "subcategory": {to:[{field: "rsa.misc.subcategory", setter: fld_set}]}, - "subject": {to:[{field: "rsa.email.subject", setter: fld_set}]}, - "svcno": {to:[{field: "rsa.misc.svcno", setter: fld_set}]}, - "system": {to:[{field: "rsa.misc.system", setter: fld_set}]}, - "t_context": {to:[{field: "rsa.misc.context_target", setter: fld_set}]}, - "task_name": {to:[{field: "rsa.file.task_name", setter: fld_set}]}, - "tbdstr1": {to:[{field: "rsa.misc.tbdstr1", setter: fld_set}]}, - "tbdstr2": {to:[{field: "rsa.misc.tbdstr2", setter: fld_set}]}, - "tbl_name": {to:[{field: "rsa.db.table_name", setter: fld_set}]}, - "tcp_flags": {convert: to_long, to:[{field: 
"rsa.misc.tcp_flags", setter: fld_set}]}, - "terminal": {to:[{field: "rsa.misc.terminal", setter: fld_set}]}, - "tgtdom": {to:[{field: "rsa.misc.tgtdom", setter: fld_set}]}, - "tgtdomain": {to:[{field: "rsa.misc.tgtdomain", setter: fld_set}]}, - "threat_name": {to:[{field: "rsa.threat.threat_category", setter: fld_set}]}, - "threat_source": {to:[{field: "rsa.threat.threat_source", setter: fld_set}]}, - "threat_val": {to:[{field: "rsa.threat.threat_desc", setter: fld_set}]}, - "threshold": {to:[{field: "rsa.misc.threshold", setter: fld_set}]}, - "time": {convert: to_date, to:[{field: "rsa.internal.time", setter: fld_set}]}, - "timestamp": {to:[{field: "rsa.time.timestamp", setter: fld_set}]}, - "timezone": {to:[{field: "rsa.time.timezone", setter: fld_set}]}, - "to": {to:[{field: "rsa.email.email_dst", setter: fld_set}]}, - "tos": {convert: to_long, to:[{field: "rsa.misc.tos", setter: fld_set}]}, - "trans_from": {to:[{field: "rsa.email.trans_from", setter: fld_set}]}, - "trans_id": {to:[{field: "rsa.db.transact_id", setter: fld_set}]}, - "trans_to": {to:[{field: "rsa.email.trans_to", setter: fld_set}]}, - "trigger_desc": {to:[{field: "rsa.misc.trigger_desc", setter: fld_set}]}, - "trigger_val": {to:[{field: "rsa.misc.trigger_val", setter: fld_set}]}, - "type": {to:[{field: "rsa.misc.type", setter: fld_set}]}, - "type1": {to:[{field: "rsa.misc.type1", setter: fld_set}]}, - "tzone": {to:[{field: "rsa.time.tzone", setter: fld_set}]}, - "ubc.req": {convert: to_long, to:[{field: "rsa.internal.ubc_req", setter: fld_set}]}, - "ubc.res": {convert: to_long, to:[{field: "rsa.internal.ubc_res", setter: fld_set}]}, - "udb_class": {to:[{field: "rsa.misc.udb_class", setter: fld_set}]}, - "url_fld": {to:[{field: "rsa.misc.url_fld", setter: fld_set}]}, - "urlpage": {to:[{field: "rsa.web.urlpage", setter: fld_set}]}, - "urlroot": {to:[{field: "rsa.web.urlroot", setter: fld_set}]}, - "user_address": {to:[{field: "rsa.email.email", setter: fld_append}]}, - "user_dept": {to:[{field: 
"rsa.identity.user_dept", setter: fld_set}]}, - "user_div": {to:[{field: "rsa.misc.user_div", setter: fld_set}]}, - "user_fname": {to:[{field: "rsa.identity.firstname", setter: fld_set}]}, - "user_lname": {to:[{field: "rsa.identity.lastname", setter: fld_set}]}, - "user_mname": {to:[{field: "rsa.identity.middlename", setter: fld_set}]}, - "user_org": {to:[{field: "rsa.identity.org", setter: fld_set}]}, - "user_role": {to:[{field: "rsa.identity.user_role", setter: fld_set}]}, - "userid": {to:[{field: "rsa.misc.userid", setter: fld_set}]}, - "username_fld": {to:[{field: "rsa.misc.username_fld", setter: fld_set}]}, - "utcstamp": {to:[{field: "rsa.misc.utcstamp", setter: fld_set}]}, - "v_instafname": {to:[{field: "rsa.misc.v_instafname", setter: fld_set}]}, - "vendor_event_cat": {to:[{field: "rsa.investigations.event_vcat", setter: fld_set}]}, - "version": {to:[{field: "rsa.misc.version", setter: fld_set}]}, - "vid": {to:[{field: "rsa.internal.msg_vid", setter: fld_set}]}, - "virt_data": {to:[{field: "rsa.misc.virt_data", setter: fld_set}]}, - "virusname": {to:[{field: "rsa.misc.virusname", setter: fld_set}]}, - "vlan": {convert: to_long, to:[{field: "rsa.network.vlan", setter: fld_set}]}, - "vlan.name": {to:[{field: "rsa.network.vlan_name", setter: fld_set}]}, - "vm_target": {to:[{field: "rsa.misc.vm_target", setter: fld_set}]}, - "vpnid": {to:[{field: "rsa.misc.vpnid", setter: fld_set}]}, - "vsys": {to:[{field: "rsa.misc.vsys", setter: fld_set}]}, - "vuln_ref": {to:[{field: "rsa.misc.vuln_ref", setter: fld_set}]}, - "web_cookie": {to:[{field: "rsa.web.web_cookie", setter: fld_set}]}, - "web_extension_tmp": {to:[{field: "rsa.web.web_extension_tmp", setter: fld_set}]}, - "web_host": {to:[{field: "rsa.web.alias_host", setter: fld_set}]}, - "web_method": {to:[{field: "rsa.misc.action", setter: fld_append}]}, - "web_page": {to:[{field: "rsa.web.web_page", setter: fld_set}]}, - "web_ref_domain": {to:[{field: "rsa.web.web_ref_domain", setter: fld_set}]}, - "web_ref_host": 
{to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "web_ref_page": {to:[{field: "rsa.web.web_ref_page", setter: fld_set}]}, - "web_ref_query": {to:[{field: "rsa.web.web_ref_query", setter: fld_set}]}, - "web_ref_root": {to:[{field: "rsa.web.web_ref_root", setter: fld_set}]}, - "wifi_channel": {convert: to_long, to:[{field: "rsa.wireless.wlan_channel", setter: fld_set}]}, - "wlan": {to:[{field: "rsa.wireless.wlan_name", setter: fld_set}]}, - "word": {to:[{field: "rsa.internal.word", setter: fld_set}]}, - "workspace_desc": {to:[{field: "rsa.misc.workspace", setter: fld_set}]}, - "workstation": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "year": {to:[{field: "rsa.time.year", setter: fld_set}]}, - "zone": {to:[{field: "rsa.network.zone", setter: fld_set}]}, - }; - - function to_date(value) { - switch (typeof (value)) { - case "object": - // This is a Date. But as it was obtained from evt.Get(), the VM - // doesn't see it as a JS Date anymore, thus value instanceof Date === false. - // Have to trust that any object here is a valid Date for Go. - return value; - case "string": - var asDate = new Date(value); - if (!isNaN(asDate)) return asDate; - } - } - - // ECMAScript 5.1 doesn't have Object.MAX_SAFE_INTEGER / Object.MIN_SAFE_INTEGER. - var maxSafeInt = Math.pow(2, 53) - 1; - var minSafeInt = -maxSafeInt; - - function to_long(value) { - var num = parseInt(value); - // Better not to index a number if it's not safe (above 53 bits). - return !isNaN(num) && minSafeInt <= num && num <= maxSafeInt ? 
num : undefined; - } - - function to_ip(value) { - if (value.indexOf(":") === -1) - return to_ipv4(value); - return to_ipv6(value); - } - - var ipv4_regex = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/; - var ipv6_hex_regex = /^[0-9A-Fa-f]{1,4}$/; - - function to_ipv4(value) { - var result = ipv4_regex.exec(value); - if (result == null || result.length !== 5) return; - for (var i = 1; i < 5; i++) { - var num = strictToInt(result[i]); - if (isNaN(num) || num < 0 || num > 255) return; - } - return value; - } - - function to_ipv6(value) { - var sqEnd = value.indexOf("]"); - if (sqEnd > -1) { - if (value.charAt(0) !== "[") return; - value = value.substr(1, sqEnd - 1); - } - var zoneOffset = value.indexOf("%"); - if (zoneOffset > -1) { - value = value.substr(0, zoneOffset); - } - var parts = value.split(":"); - if (parts == null || parts.length < 3 || parts.length > 8) return; - var numEmpty = 0; - var innerEmpty = 0; - for (var i = 0; i < parts.length; i++) { - if (parts[i].length === 0) { - numEmpty++; - if (i > 0 && i + 1 < parts.length) innerEmpty++; - } else if (!parts[i].match(ipv6_hex_regex) && - // Accept an IPv6 with a valid IPv4 at the end. - ((i + 1 < parts.length) || !to_ipv4(parts[i]))) { - return; - } - } - return innerEmpty === 0 && parts.length === 8 || innerEmpty === 1 ? value : undefined; - } - - function to_double(value) { - return parseFloat(value); - } - - function to_mac(value) { - // ES doesn't have a mac datatype so it's safe to ingest whatever was captured. - return value; - } - - function to_lowercase(value) { - // to_lowercase is used against keyword fields, which can accept - // any other type (numbers, dates). - return typeof(value) === "string"? 
value.toLowerCase() : value; - } - - function fld_set(dst, value) { - dst[this.field] = { v: value }; - } - - function fld_append(dst, value) { - if (dst[this.field] === undefined) { - dst[this.field] = { v: [value] }; - } else { - var base = dst[this.field]; - if (base.v.indexOf(value)===-1) base.v.push(value); - } - } - - function fld_prio(dst, value) { - if (dst[this.field] === undefined) { - dst[this.field] = { v: value, prio: this.prio}; - } else if(this.prio < dst[this.field].prio) { - dst[this.field].v = value; - dst[this.field].prio = this.prio; - } - } - - var valid_ecs_outcome = { - 'failure': true, - 'success': true, - 'unknown': true - }; - - function fld_ecs_outcome(dst, value) { - value = value.toLowerCase(); - if (valid_ecs_outcome[value] === undefined) { - value = 'unknown'; - } - if (dst[this.field] === undefined) { - dst[this.field] = { v: value }; - } else if (dst[this.field].v === 'unknown') { - dst[this.field] = { v: value }; - } - } - - function map_all(evt, targets, value) { - for (var i = 0; i < targets.length; i++) { - evt.Put(targets[i], value); - } - } - - function populate_fields(evt) { - var base = evt.Get(FIELDS_OBJECT); - if (base === null) return; - alternate_datetime(evt); - if (map_ecs) { - do_populate(evt, base, ecs_mappings); - } - if (map_rsa) { - do_populate(evt, base, rsa_mappings); - } - if (keep_raw) { - evt.Put("rsa.raw", base); - } - evt.Delete(FIELDS_OBJECT); - } - - var datetime_alt_components = [ - {field: "day", fmts: [[dF]]}, - {field: "year", fmts: [[dW]]}, - {field: "month", fmts: [[dB],[dG]]}, - {field: "date", fmts: [[dW,dSkip,dG,dSkip,dF],[dW,dSkip,dB,dSkip,dF],[dW,dSkip,dR,dSkip,dF]]}, - {field: "hour", fmts: [[dN]]}, - {field: "min", fmts: [[dU]]}, - {field: "secs", fmts: [[dO]]}, - {field: "time", fmts: [[dN, dSkip, dU, dSkip, dO]]}, - ]; - - function alternate_datetime(evt) { - if (evt.Get(FIELDS_PREFIX + "event_time") != null) { - return; - } - var tzOffset = tz_offset; - if (tzOffset === "event") { - 
tzOffset = evt.Get("event.timezone"); - } - var container = new DateContainer(tzOffset); - for (var i=0; i} ui=%{p0}"); - - var dup3 = match("MESSAGE#0:event_admin/1_0", "nwparser.p0", "%{network_service}(%{saddr}) action=%{p0}"); - - var dup4 = match("MESSAGE#0:event_admin/1_1", "nwparser.p0", "%{network_service->} action=%{p0}"); - - var dup5 = match("MESSAGE#0:event_admin/3_0", "nwparser.p0", "\"%{event_description}\""); - - var dup6 = match_copy("MESSAGE#0:event_admin/3_1", "nwparser.p0", "event_description"); - - var dup7 = setc("eventcategory","1401000000"); - - var dup8 = setf("msg","$MSG"); - - var dup9 = date_time({ - dest: "event_time", - args: ["hdate","htime"], - fmts: [ - [dW,dc("-"),dG,dc("-"),dF,dH,dc(":"),dU,dc(":"),dO], - ], - }); - - var dup10 = setf("hardware_id","hfld1"); - - var dup11 = setf("id","hfld2"); - - var dup12 = setf("id1","hfld3"); - - var dup13 = setf("event_type","msgIdPart1"); - - var dup14 = setf("category","msgIdPart2"); - - var dup15 = setf("severity","hseverity"); - - var dup16 = match("MESSAGE#1:event_pop3/2", "nwparser.p0", "%{action->} status=%{event_state->} msg=%{p0}"); - - var dup17 = setc("eventcategory","1602000000"); - - var dup18 = match("MESSAGE#5:event_smtp:01/0", "nwparser.payload", "user=%{username}ui=%{p0}"); - - var dup19 = match("MESSAGE#5:event_smtp:01/1_0", "nwparser.p0", "%{network_service}(%{hostip}) action=%{p0}"); - - var dup20 = match("MESSAGE#5:event_smtp:01/1_1", "nwparser.p0", "%{network_service}action=%{p0}"); - - var dup21 = match("MESSAGE#5:event_smtp:01/2", "nwparser.p0", "%{action}status=%{event_state}session_id=%{p0}"); - - var dup22 = match("MESSAGE#5:event_smtp:01/3_0", "nwparser.p0", "\"%{sessionid}\"msg=\"STARTTLS=%{p0}"); - - var dup23 = match("MESSAGE#5:event_smtp:01/3_1", "nwparser.p0", "%{sessionid}msg=\"STARTTLS=%{p0}"); - - var dup24 = match("MESSAGE#16:event_smtp/3_0", "nwparser.p0", "\"%{sessionid}\" msg=%{p0}"); - - var dup25 = match("MESSAGE#16:event_smtp/3_1", "nwparser.p0", 
"%{sessionid->} msg=%{p0}"); - - var dup26 = match("MESSAGE#20:virus/0", "nwparser.payload", "from=%{p0}"); - - var dup27 = match("MESSAGE#20:virus/1_0", "nwparser.p0", "\"%{from}\" to=%{p0}"); - - var dup28 = match("MESSAGE#20:virus/1_1", "nwparser.p0", "%{from->} to=%{p0}"); - - var dup29 = match("MESSAGE#20:virus/2_0", "nwparser.p0", "\"%{to}\" src=%{p0}"); - - var dup30 = match("MESSAGE#20:virus/2_1", "nwparser.p0", "%{to->} src=%{p0}"); - - var dup31 = match("MESSAGE#20:virus/3_0", "nwparser.p0", "\"%{saddr}\" session_id=%{p0}"); - - var dup32 = match("MESSAGE#20:virus/3_1", "nwparser.p0", "%{saddr->} session_id=%{p0}"); - - var dup33 = setc("eventcategory","1003010000"); - - var dup34 = setf("event_type","messageid"); - - var dup35 = match("MESSAGE#23:statistics/0", "nwparser.payload", "session_id=%{p0}"); - - var dup36 = match("MESSAGE#23:statistics/1_0", "nwparser.p0", "\"%{sessionid}\" from=%{p0}"); - - var dup37 = match("MESSAGE#23:statistics/1_1", "nwparser.p0", "%{sessionid->} from=%{p0}"); - - var dup38 = match("MESSAGE#23:statistics/2_0", "nwparser.p0", "\"%{from}\" mailer=%{p0}"); - - var dup39 = match("MESSAGE#23:statistics/2_1", "nwparser.p0", "%{from->} mailer=%{p0}"); - - var dup40 = match("MESSAGE#23:statistics/3_0", "nwparser.p0", "\"%{agent}\" client_name=\"%{p0}"); - - var dup41 = match("MESSAGE#23:statistics/3_1", "nwparser.p0", "%{agent->} client_name=\"%{p0}"); - - var dup42 = match("MESSAGE#23:statistics/4_0", "nwparser.p0", "%{fqdn->} [%{saddr}] (%{info})\"%{p0}"); - - var dup43 = match("MESSAGE#23:statistics/4_1", "nwparser.p0", "%{fqdn->} [%{saddr}]\"%{p0}"); - - var dup44 = match("MESSAGE#23:statistics/4_2", "nwparser.p0", "%{saddr}\"%{p0}"); - - var dup45 = match("MESSAGE#23:statistics/6_0", "nwparser.p0", "\"%{context}\" to=%{p0}"); - - var dup46 = match("MESSAGE#23:statistics/6_1", "nwparser.p0", "%{context->} to=%{p0}"); - - var dup47 = match("MESSAGE#23:statistics/7_0", "nwparser.p0", "\"%{to}\" direction=%{p0}"); - - var dup48 = 
match("MESSAGE#23:statistics/7_1", "nwparser.p0", "%{to->} direction=%{p0}"); - - var dup49 = match("MESSAGE#23:statistics/8_0", "nwparser.p0", "\"%{direction}\" message_length=%{p0}"); - - var dup50 = match("MESSAGE#23:statistics/8_1", "nwparser.p0", "%{direction->} message_length=%{p0}"); - - var dup51 = match("MESSAGE#23:statistics/9", "nwparser.p0", "%{fld4->} virus=%{p0}"); - - var dup52 = match("MESSAGE#23:statistics/10_0", "nwparser.p0", "\"%{virusname}\" disposition=%{p0}"); - - var dup53 = match("MESSAGE#23:statistics/10_1", "nwparser.p0", "%{virusname->} disposition=%{p0}"); - - var dup54 = match("MESSAGE#23:statistics/11_0", "nwparser.p0", "\"%{disposition}\" classifier=%{p0}"); - - var dup55 = match("MESSAGE#23:statistics/11_1", "nwparser.p0", "%{disposition->} classifier=%{p0}"); - - var dup56 = match("MESSAGE#23:statistics/12_0", "nwparser.p0", "\"%{filter}\" subject=%{p0}"); - - var dup57 = match("MESSAGE#23:statistics/12_1", "nwparser.p0", "%{filter->} subject=%{p0}"); - - var dup58 = match("MESSAGE#23:statistics/13_0", "nwparser.p0", "\"%{subject}\""); - - var dup59 = match_copy("MESSAGE#23:statistics/13_1", "nwparser.p0", "subject"); - - var dup60 = setc("eventcategory","1207000000"); - - var dup61 = match("MESSAGE#24:statistics:01/5", "nwparser.p0", "%{}resolved=%{p0}"); - - var dup62 = setc("eventcategory","1207040000"); - - var dup63 = linear_select([ - dup3, - dup4, - ]); - - var dup64 = linear_select([ - dup5, - dup6, - ]); - - var dup65 = linear_select([ - dup19, - dup20, - ]); - - var dup66 = linear_select([ - dup22, - dup23, - ]); - - var dup67 = linear_select([ - dup3, - dup20, - ]); - - var dup68 = linear_select([ - dup24, - dup25, - ]); - - var dup69 = linear_select([ - dup27, - dup28, - ]); - - var dup70 = linear_select([ - dup29, - dup30, - ]); - - var dup71 = linear_select([ - dup36, - dup37, - ]); - - var dup72 = linear_select([ - dup38, - dup39, - ]); - - var dup73 = linear_select([ - dup40, - dup41, - ]); - - var dup74 = 
linear_select([ - dup42, - dup43, - dup44, - ]); - - var dup75 = linear_select([ - dup45, - dup46, - ]); - - var dup76 = linear_select([ - dup47, - dup48, - ]); - - var dup77 = linear_select([ - dup49, - dup50, - ]); - - var dup78 = linear_select([ - dup52, - dup53, - ]); - - var dup79 = linear_select([ - dup54, - dup55, - ]); - - var dup80 = linear_select([ - dup56, - dup57, - ]); - - var dup81 = linear_select([ - dup58, - dup59, - ]); - - var dup82 = all_match({ - processors: [ - dup2, - dup63, - dup16, - dup64, - ], - on_success: processor_chain([ - dup17, - dup8, - dup9, - dup10, - dup11, - dup12, - dup13, - dup14, - dup15, - ]), - }); - - var hdr1 = match("HEADER#0:0001", "message", "date=%{hdate->} time=%{htime->} device_id=%{hfld1->} log_id=%{hfld2->} log_part=%{hfld3->} type=%{msgIdPart1->} subtype=%{msgIdPart2->} pri=%{hseverity->} %{payload}", processor_chain([ - setc("header_id","0001"), - dup1, - ])); - - var hdr2 = match("HEADER#1:0002", "message", "date=%{hdate->} time=%{htime->} device_id=%{hfld1->} log_id=%{hfld2->} log_part=%{hfld3->} type=%{messageid->} pri=%{hseverity->} %{payload}", processor_chain([ - setc("header_id","0002"), - ])); - - var hdr3 = match("HEADER#2:0003", "message", "date=%{hdate->} time=%{htime->} device_id=%{hfld1->} log_id=%{hfld2->} type=%{msgIdPart1->} subtype=%{msgIdPart2->} pri=%{hseverity->} %{payload}", processor_chain([ - setc("header_id","0003"), - dup1, - ])); - - var hdr4 = match("HEADER#3:0004", "message", "date=%{hdate->} time=%{htime->} device_id=%{hfld1->} log_id=%{hfld2->} type=%{messageid->} pri=%{hseverity->} %{payload}", processor_chain([ - setc("header_id","0004"), - ])); - - var select1 = linear_select([ - hdr1, - hdr2, - hdr3, - hdr4, - ]); - - var part1 = match("MESSAGE#0:event_admin/2", "nwparser.p0", "%{action->} status=%{event_state->} reason=%{result->} msg=%{p0}"); - - var all1 = all_match({ - processors: [ - dup2, - dup63, - part1, - dup64, - ], - on_success: processor_chain([ - dup7, - dup8, - 
dup9, - dup10, - dup11, - dup12, - dup13, - dup14, - dup15, - ]), - }); - - var msg1 = msg("event_admin", all1); - - var msg2 = msg("event_pop3", dup82); - - var all2 = all_match({ - processors: [ - dup2, - dup63, - dup16, - dup64, - ], - on_success: processor_chain([ - dup7, - dup8, - dup9, - dup10, - dup11, - dup12, - dup13, - dup14, - dup15, - ]), - }); - - var msg3 = msg("event_webmail", all2); - - var msg4 = msg("event_system", dup82); - - var msg5 = msg("event_imap", dup82); - - var part2 = match("MESSAGE#5:event_smtp:01/4", "nwparser.p0", "%{fld1}, relay=%{p0}"); - - var part3 = match("MESSAGE#5:event_smtp:01/5_0", "nwparser.p0", "%{shost}[%{saddr}], version=%{p0}"); - - var part4 = match("MESSAGE#5:event_smtp:01/5_1", "nwparser.p0", "%{shost}, version=%{p0}"); - - var select2 = linear_select([ - part3, - part4, - ]); - - var part5 = match("MESSAGE#5:event_smtp:01/6", "nwparser.p0", "%{version}, verify=%{fld2}, cipher=%{s_cipher}, bits=%{fld3}\""); - - var all3 = all_match({ - processors: [ - dup18, - dup65, - dup21, - dup66, - part2, - select2, - part5, - ], - on_success: processor_chain([ - dup17, - dup8, - dup9, - dup10, - dup11, - dup12, - dup13, - dup14, - dup15, - ]), - }); - - var msg6 = msg("event_smtp:01", all3); - - var part6 = match("MESSAGE#6:event_smtp:02/4", "nwparser.p0", "%{fld1}, cert-subject=%{cert_subject}, cert-issuer=%{fld2}, verifymsg=%{fld3}\""); - - var all4 = all_match({ - processors: [ - dup18, - dup65, - dup21, - dup66, - part6, - ], - on_success: processor_chain([ - dup17, - dup8, - dup9, - dup10, - dup11, - dup12, - dup13, - dup14, - dup15, - ]), - }); - - var msg7 = msg("event_smtp:02", all4); - - var part7 = match("MESSAGE#7:event_smtp:03/2", "nwparser.p0", "%{action}status=%{event_state}session_id=\"%{sessionid}\" msg=\"to=\u003c\u003c%{to}>, delay=%{fld1}, xdelay=%{fld2}, mailer=%{protocol}, pri=%{fld3}, relay=%{shost}[%{saddr}], dsn=%{fld4}, stat=%{fld5}\""); - - var all5 = all_match({ - processors: [ - dup18, - dup65, - 
part7, - ], - on_success: processor_chain([ - dup17, - dup8, - dup9, - dup10, - dup11, - dup12, - dup13, - dup14, - dup15, - ]), - }); - - var msg8 = msg("event_smtp:03", all5); - - var part8 = match("MESSAGE#8:event_smtp:04/0", "nwparser.payload", "user=%{username}ui=%{network_service}action=%{action}status=%{event_state}session_id=\"%{sessionid}\" msg=\"from=\u003c\u003c%{from}>, size=%{bytes}, class=%{fld2}, nrcpts=%{p0}"); - - var part9 = match("MESSAGE#8:event_smtp:04/1_0", "nwparser.p0", "%{fld3}, msgid=\u003c\u003c%{fld4}>, proto=%{p0}"); - - var part10 = match("MESSAGE#8:event_smtp:04/1_1", "nwparser.p0", "%{fld3}, proto=%{p0}"); - - var select3 = linear_select([ - part9, - part10, - ]); - - var part11 = match("MESSAGE#8:event_smtp:04/2", "nwparser.p0", "%{protocol}, daemon=%{process}, relay=%{p0}"); - - var part12 = match("MESSAGE#8:event_smtp:04/3_0", "nwparser.p0", "%{shost}[%{saddr}] (may be forged)\""); - - var part13 = match("MESSAGE#8:event_smtp:04/3_1", "nwparser.p0", "%{shost}[%{saddr}]\""); - - var part14 = match("MESSAGE#8:event_smtp:04/3_2", "nwparser.p0", "%{shost}\""); - - var select4 = linear_select([ - part12, - part13, - part14, - ]); - - var all6 = all_match({ - processors: [ - part8, - select3, - part11, - select4, - ], - on_success: processor_chain([ - dup17, - dup8, - dup9, - dup10, - dup11, - dup12, - dup13, - dup14, - dup15, - ]), - }); - - var msg9 = msg("event_smtp:04", all6); - - var part15 = match("MESSAGE#9:event_smtp:05/2", "nwparser.p0", "%{action}status=%{event_state}session_id=\"%{sessionid}\" msg=\"Milter: to=\u003c\u003c%{to}>, reject=%{fld1}\""); - - var all7 = all_match({ - processors: [ - dup18, - dup67, - part15, - ], - on_success: processor_chain([ - dup17, - dup8, - dup9, - dup10, - dup11, - dup12, - dup13, - dup14, - dup15, - ]), - }); - - var msg10 = msg("event_smtp:05", all7); - - var part16 = match("MESSAGE#10:event_smtp:06/2", "nwparser.p0", "%{action}status=%{event_state}session_id=\"%{sessionid}\" msg=\"timeout 
waiting for input from%{p0}"); - - var part17 = match("MESSAGE#10:event_smtp:06/3_0", "nwparser.p0", "[%{saddr}]during server cmd%{p0}"); - - var part18 = match("MESSAGE#10:event_smtp:06/3_1", "nwparser.p0", "%{saddr}during server cmd%{p0}"); - - var select5 = linear_select([ - part17, - part18, - ]); - - var part19 = match("MESSAGE#10:event_smtp:06/4", "nwparser.p0", "%{fld5}\""); - - var all8 = all_match({ - processors: [ - dup18, - dup65, - part16, - select5, - part19, - ], - on_success: processor_chain([ - dup17, - dup8, - dup9, - dup10, - dup11, - dup12, - dup13, - dup14, - dup15, - ]), - }); - - var msg11 = msg("event_smtp:06", all8); - - var part20 = match("MESSAGE#11:event_smtp:07/2", "nwparser.p0", "%{action}status=%{event_state}session_id=\"%{sessionid}\" msg=\"collect:%{fld1}timeout on connection from%{shost}, from=\u003c\u003c%{from}>\""); - - var all9 = all_match({ - processors: [ - dup18, - dup67, - part20, - ], - on_success: processor_chain([ - dup17, - dup8, - dup9, - dup10, - dup11, - dup12, - dup13, - dup14, - dup15, - ]), - }); - - var msg12 = msg("event_smtp:07", all9); - - var part21 = match("MESSAGE#12:event_smtp:08/2", "nwparser.p0", "%{action}status=%{event_state}session_id=\"%{sessionid}\" msg=\"DSN: to \u003c\u003c%{to}>; reason:%{result}; sessionid:%{fld5}\""); - - var all10 = all_match({ - processors: [ - dup18, - dup67, - part21, - ], - on_success: processor_chain([ - dup17, - dup8, - dup9, - dup10, - dup11, - dup12, - dup13, - dup14, - dup15, - ]), - }); - - var msg13 = msg("event_smtp:08", all10); - - var part22 = match("MESSAGE#13:event_smtp:09/2", "nwparser.p0", "%{action}status=%{event_state}session_id=\"%{sessionid}\" msg=\"lost input channel from%{shost}[%{saddr}] (may be forged) to SMTP_MTA after rcpt\""); - - var all11 = all_match({ - processors: [ - dup18, - dup65, - part22, - ], - on_success: processor_chain([ - dup17, - dup8, - dup9, - dup10, - dup11, - dup12, - dup13, - dup14, - dup15, - ]), - }); - - var msg14 = 
msg("event_smtp:09", all11); - - var part23 = match("MESSAGE#14:event_smtp:10/2", "nwparser.p0", "%{action}status=%{event_state}session_id=\"%{sessionid}\" msg=\"%{shost}[%{saddr}]: possible SMTP attack: command=%{fld1}, count=%{dclass_counter1}\""); - - var all12 = all_match({ - processors: [ - dup18, - dup65, - part23, - ], - on_success: processor_chain([ - dup17, - dup8, - dup9, - dup10, - dup11, - dup12, - dup13, - dup14, - dup15, - setc("dclass_counter1_string","count"), - ]), - }); - - var msg15 = msg("event_smtp:10", all12); - - var part24 = match("MESSAGE#15:event_smtp:11/2", "nwparser.p0", "%{action}status=%{event_state}session_id=\"%{sessionid}\" log_part=%{id1->} msg=\"to=\u003c\u003c%{to}, delay=%{p0}"); - - var part25 = match("MESSAGE#15:event_smtp:11/3_0", "nwparser.p0", "%{fld1}, xdelay=%{fld2}, mailer=%{protocol}, pri=%{fld3}, relay=%{shost}\""); - - var part26 = match("MESSAGE#15:event_smtp:11/3_1", "nwparser.p0", "%{fld1}, xdelay=%{fld2}, mailer=%{protocol}, pri=%{fld3}\""); - - var part27 = match("MESSAGE#15:event_smtp:11/3_2", "nwparser.p0", "%{fld1}, xdelay=%{fld2}, mailer=%{protocol}\""); - - var part28 = match("MESSAGE#15:event_smtp:11/3_3", "nwparser.p0", "%{fld1}\""); - - var select6 = linear_select([ - part25, - part26, - part27, - part28, - ]); - - var all13 = all_match({ - processors: [ - dup18, - dup65, - part24, - select6, - ], - on_success: processor_chain([ - dup17, - dup8, - dup9, - dup10, - dup11, - dup12, - dup13, - dup14, - dup15, - ]), - }); - - var msg16 = msg("event_smtp:11", all13); - - var part29 = match("MESSAGE#16:event_smtp/2", "nwparser.p0", "%{action->} status=%{event_state->} session_id=%{p0}"); - - var all14 = all_match({ - processors: [ - dup2, - dup63, - part29, - dup68, - dup64, - ], - on_success: processor_chain([ - dup17, - dup8, - dup9, - dup10, - dup11, - dup12, - dup13, - dup14, - dup15, - ]), - }); - - var msg17 = msg("event_smtp", all14); - - var part30 = tagval("MESSAGE#17:event_smtp:12", 
"nwparser.payload", tvm, { - "action": "action", - "log_part": "id1", - "msg": "info", - "session_id": "sessionid", - "status": "event_state", - "ui": "network_service", - "user": "username", - }, processor_chain([ - dup17, - dup8, - dup9, - dup10, - dup11, - dup12, - dup13, - dup14, - dup15, - ])); - - var msg18 = msg("event_smtp:12", part30); - - var select7 = linear_select([ - msg6, - msg7, - msg8, - msg9, - msg10, - msg11, - msg12, - msg13, - msg14, - msg15, - msg16, - msg17, - msg18, - ]); - - var part31 = match("MESSAGE#18:event_update/0", "nwparser.payload", "msg=%{p0}"); - - var all15 = all_match({ - processors: [ - part31, - dup64, - ], - on_success: processor_chain([ - dup17, - dup8, - dup9, - dup10, - dup11, - dup12, - dup13, - dup14, - dup15, - ]), - }); - - var msg19 = msg("event_update", all15); - - var part32 = match("MESSAGE#19:event_config/1_0", "nwparser.p0", "%{network_service}(%{saddr}) module=%{p0}"); - - var part33 = match("MESSAGE#19:event_config/1_1", "nwparser.p0", "%{network_service->} module=%{p0}"); - - var select8 = linear_select([ - part32, - part33, - ]); - - var part34 = match("MESSAGE#19:event_config/2", "nwparser.p0", "%{fld1->} submodule=%{fld2->} msg=%{p0}"); - - var all16 = all_match({ - processors: [ - dup2, - select8, - part34, - dup64, - ], - on_success: processor_chain([ - setc("eventcategory","1701000000"), - dup8, - dup9, - dup10, - dup11, - dup12, - dup13, - dup14, - dup15, - ]), - }); - - var msg20 = msg("event_config", all16); - - var select9 = linear_select([ - dup31, - dup32, - ]); - - var all17 = all_match({ - processors: [ - dup26, - dup69, - dup70, - select9, - dup68, - dup64, - ], - on_success: processor_chain([ - dup33, - dup8, - dup9, - dup10, - dup11, - dup12, - dup34, - dup15, - ]), - }); - - var msg21 = msg("virus", all17); - - var part35 = match("MESSAGE#21:virus_infected/2_0", "nwparser.p0", "\"%{to}\" client_name=\"%{p0}"); - - var part36 = match("MESSAGE#21:virus_infected/2_1", "nwparser.p0", "%{to->} 
client_name=\"%{p0}"); - - var select10 = linear_select([ - part35, - part36, - ]); - - var part37 = match("MESSAGE#21:virus_infected/3", "nwparser.p0", "%{fqdn}\" client_ip=\"%{saddr}\" session_id=%{p0}"); - - var all18 = all_match({ - processors: [ - dup26, - dup69, - select10, - part37, - dup68, - dup64, - ], - on_success: processor_chain([ - dup33, - dup8, - dup9, - dup10, - dup11, - dup12, - dup13, - dup15, - ]), - }); - - var msg22 = msg("virus_infected", all18); - - var part38 = match("MESSAGE#22:virus_file-signature/0_0", "nwparser.payload", "from=\"%{from}\" to=%{p0}"); - - var part39 = match("MESSAGE#22:virus_file-signature/0_1", "nwparser.payload", "%{from->} to=%{p0}"); - - var select11 = linear_select([ - part38, - part39, - ]); - - var part40 = match("MESSAGE#22:virus_file-signature/2_0", "nwparser.p0", "\"%{sdomain->} [%{saddr}]\" session_id=%{p0}"); - - var part41 = match("MESSAGE#22:virus_file-signature/2_1", "nwparser.p0", "%{sdomain->} [%{saddr}] session_id=%{p0}"); - - var part42 = match("MESSAGE#22:virus_file-signature/2_2", "nwparser.p0", "\"[%{saddr}]\" session_id=%{p0}"); - - var part43 = match("MESSAGE#22:virus_file-signature/2_3", "nwparser.p0", "[%{saddr}] session_id=%{p0}"); - - var select12 = linear_select([ - part40, - part41, - part42, - part43, - dup31, - dup32, - ]); - - var part44 = match("MESSAGE#22:virus_file-signature/4_0", "nwparser.p0", "\"Attachment file (%(unknown)) has sha1 hash value: %{checksum}\""); - - var select13 = linear_select([ - part44, - dup5, - dup6, - ]); - - var all19 = all_match({ - processors: [ - select11, - dup70, - select12, - dup68, - select13, - ], - on_success: processor_chain([ - dup33, - dup8, - dup9, - dup10, - dup11, - dup12, - dup34, - dup15, - ]), - }); - - var msg23 = msg("virus_file-signature", all19); - - var part45 = match("MESSAGE#23:statistics/5", "nwparser.p0", "%{}MSISDN=%{fld3->} resolved=%{p0}"); - - var all20 = all_match({ - processors: [ - dup35, - dup71, - dup72, - dup73, - dup74, - 
part45, - dup75, - dup76, - dup77, - dup51, - dup78, - dup79, - dup80, - dup81, - ], - on_success: processor_chain([ - dup60, - dup8, - dup9, - dup10, - dup11, - dup12, - dup34, - dup15, - ]), - }); - - var msg24 = msg("statistics", all20); - - var all21 = all_match({ - processors: [ - dup35, - dup71, - dup72, - dup73, - dup74, - dup61, - dup75, - dup76, - dup77, - dup51, - dup78, - dup79, - dup80, - dup81, - ], - on_success: processor_chain([ - dup60, - dup8, - dup9, - dup10, - dup11, - dup12, - dup34, - dup15, - ]), - }); - - var msg25 = msg("statistics:01", all21); - - var part46 = match("MESSAGE#25:statistics:02/4_0", "nwparser.p0", "\"%{direction}\" subject=%{p0}"); - - var part47 = match("MESSAGE#25:statistics:02/4_1", "nwparser.p0", "%{direction->} subject=%{p0}"); - - var select14 = linear_select([ - part46, - part47, - ]); - - var part48 = match("MESSAGE#25:statistics:02/5_0", "nwparser.p0", "\"%{subject}\" classifier=%{p0}"); - - var part49 = match("MESSAGE#25:statistics:02/5_1", "nwparser.p0", "%{subject->} classifier=%{p0}"); - - var select15 = linear_select([ - part48, - part49, - ]); - - var part50 = match("MESSAGE#25:statistics:02/6_0", "nwparser.p0", "\"%{filter}\" disposition=%{p0}"); - - var part51 = match("MESSAGE#25:statistics:02/6_1", "nwparser.p0", "%{filter->} disposition=%{p0}"); - - var select16 = linear_select([ - part50, - part51, - ]); - - var part52 = match("MESSAGE#25:statistics:02/7_0", "nwparser.p0", "\"%{disposition}\" client_name=\"%{p0}"); - - var part53 = match("MESSAGE#25:statistics:02/7_1", "nwparser.p0", "%{disposition->} client_name=\"%{p0}"); - - var select17 = linear_select([ - part52, - part53, - ]); - - var part54 = match("MESSAGE#25:statistics:02/10_0", "nwparser.p0", "\"%{context}\" virus=%{p0}"); - - var part55 = match("MESSAGE#25:statistics:02/10_1", "nwparser.p0", "%{context->} virus=%{p0}"); - - var select18 = linear_select([ - part54, - part55, - ]); - - var part56 = match("MESSAGE#25:statistics:02/11_0", 
"nwparser.p0", "\"%{virusname}\" message_length=%{p0}"); - - var part57 = match("MESSAGE#25:statistics:02/11_1", "nwparser.p0", "%{virusname->} message_length=%{p0}"); - - var select19 = linear_select([ - part56, - part57, - ]); - - var part58 = match_copy("MESSAGE#25:statistics:02/12", "nwparser.p0", "fld4"); - - var all22 = all_match({ - processors: [ - dup35, - dup71, - dup69, - dup76, - select14, - select15, - select16, - select17, - dup74, - dup61, - select18, - select19, - part58, - ], - on_success: processor_chain([ - dup60, - dup8, - dup9, - dup10, - dup11, - dup12, - dup34, - dup15, - ]), - }); - - var msg26 = msg("statistics:02", all22); - - var part59 = match("MESSAGE#26:statistics:03/0", "nwparser.payload", "session_id=\"%{sessionid}\" client_name=\"%{p0}"); - - var part60 = match("MESSAGE#26:statistics:03/1_0", "nwparser.p0", "%{fqdn}[%{saddr}] (may be forged)\"%{p0}"); - - var part61 = match("MESSAGE#26:statistics:03/1_1", "nwparser.p0", "%{fqdn}[%{saddr}]\"%{p0}"); - - var part62 = match("MESSAGE#26:statistics:03/1_2", "nwparser.p0", "[%{saddr}]\"%{p0}"); - - var select20 = linear_select([ - part60, - part61, - part62, - ]); - - var part63 = match("MESSAGE#26:statistics:03/2", "nwparser.p0", "dst_ip=\"%{daddr}\" from=\"%{from}\" to=\"%{to}\"%{p0}"); - - var part64 = match("MESSAGE#26:statistics:03/3_0", "nwparser.p0", " polid=\"%{fld5}\" domain=\"%{domain}\" subject=\"%{subject}\" mailer=\"%{agent}\" resolved=\"%{context}\"%{p0}"); - - var part65 = match_copy("MESSAGE#26:statistics:03/3_1", "nwparser.p0", "p0"); - - var select21 = linear_select([ - part64, - part65, - ]); - - var part66 = match("MESSAGE#26:statistics:03/4", "nwparser.p0", "%{}direction=\"%{direction}\" virus=\"%{virusname}\" disposition=\"%{disposition}\" classifier=\"%{filter}\" message_length=%{fld4}"); - - var all23 = all_match({ - processors: [ - part59, - select20, - part63, - select21, - part66, - ], - on_success: processor_chain([ - dup60, - dup8, - dup9, - dup10, - dup11, - 
dup12, - dup34, - dup15, - ]), - }); - - var msg27 = msg("statistics:03", all23); - - var part67 = match("MESSAGE#27:statistics:04/1_0", "nwparser.p0", "\"%{sessionid}\" client_name=%{p0}"); - - var part68 = match("MESSAGE#27:statistics:04/1_1", "nwparser.p0", "%{sessionid->} client_name=%{p0}"); - - var select22 = linear_select([ - part67, - part68, - ]); - - var part69 = match("MESSAGE#27:statistics:04/2_0", "nwparser.p0", "\"%{fqdn}[%{saddr}]\"dst_ip=%{p0}"); - - var part70 = match("MESSAGE#27:statistics:04/2_1", "nwparser.p0", "%{fqdn}[%{saddr}]dst_ip=%{p0}"); - - var part71 = match("MESSAGE#27:statistics:04/2_2", "nwparser.p0", "\"[%{saddr}]\"dst_ip=%{p0}"); - - var part72 = match("MESSAGE#27:statistics:04/2_3", "nwparser.p0", "[%{saddr}]dst_ip=%{p0}"); - - var part73 = match("MESSAGE#27:statistics:04/2_4", "nwparser.p0", "\"%{saddr}\"dst_ip=%{p0}"); - - var part74 = match("MESSAGE#27:statistics:04/2_5", "nwparser.p0", "%{saddr}dst_ip=%{p0}"); - - var select23 = linear_select([ - part69, - part70, - part71, - part72, - part73, - part74, - ]); - - var part75 = match("MESSAGE#27:statistics:04/3_0", "nwparser.p0", "\"%{daddr}\" from=%{p0}"); - - var part76 = match("MESSAGE#27:statistics:04/3_1", "nwparser.p0", "%{daddr->} from=%{p0}"); - - var select24 = linear_select([ - part75, - part76, - ]); - - var part77 = match("MESSAGE#27:statistics:04/4_0", "nwparser.p0", "\"%{from}\" hfrom=%{p0}"); - - var part78 = match("MESSAGE#27:statistics:04/4_1", "nwparser.p0", "%{from->} hfrom=%{p0}"); - - var select25 = linear_select([ - part77, - part78, - ]); - - var part79 = match("MESSAGE#27:statistics:04/5_0", "nwparser.p0", "\"%{fld3}\" to=%{p0}"); - - var part80 = match("MESSAGE#27:statistics:04/5_1", "nwparser.p0", "%{fld3->} to=%{p0}"); - - var select26 = linear_select([ - part79, - part80, - ]); - - var part81 = match("MESSAGE#27:statistics:04/6_0", "nwparser.p0", "\"%{to}\" polid=%{p0}"); - - var part82 = match("MESSAGE#27:statistics:04/6_1", "nwparser.p0", "%{to->} 
polid=%{p0}"); - - var select27 = linear_select([ - part81, - part82, - ]); - - var part83 = match("MESSAGE#27:statistics:04/7_0", "nwparser.p0", "\"%{fld5}\" domain=%{p0}"); - - var part84 = match("MESSAGE#27:statistics:04/7_1", "nwparser.p0", "%{fld5->} domain=%{p0}"); - - var select28 = linear_select([ - part83, - part84, - ]); - - var part85 = match("MESSAGE#27:statistics:04/8_0", "nwparser.p0", "\"%{domain}\" subject=%{p0}"); - - var part86 = match("MESSAGE#27:statistics:04/8_1", "nwparser.p0", "%{domain->} subject=%{p0}"); - - var select29 = linear_select([ - part85, - part86, - ]); - - var part87 = match("MESSAGE#27:statistics:04/9_0", "nwparser.p0", "\"%{subject}\" mailer=%{p0}"); - - var part88 = match("MESSAGE#27:statistics:04/9_1", "nwparser.p0", "%{subject->} mailer=%{p0}"); - - var select30 = linear_select([ - part87, - part88, - ]); - - var part89 = match("MESSAGE#27:statistics:04/10_0", "nwparser.p0", "\"%{agent}\" resolved=%{p0}"); - - var part90 = match("MESSAGE#27:statistics:04/10_1", "nwparser.p0", "%{agent->} resolved=%{p0}"); - - var select31 = linear_select([ - part89, - part90, - ]); - - var part91 = match("MESSAGE#27:statistics:04/11_0", "nwparser.p0", "\"%{context}\" direction=%{p0}"); - - var part92 = match("MESSAGE#27:statistics:04/11_1", "nwparser.p0", "%{context->} direction=%{p0}"); - - var select32 = linear_select([ - part91, - part92, - ]); - - var part93 = match("MESSAGE#27:statistics:04/12_0", "nwparser.p0", "\"%{direction}\" virus=%{p0}"); - - var part94 = match("MESSAGE#27:statistics:04/12_1", "nwparser.p0", "%{direction->} virus=%{p0}"); - - var select33 = linear_select([ - part93, - part94, - ]); - - var part95 = match("MESSAGE#27:statistics:04/15_0", "nwparser.p0", "\"%{filter}\" message_length=%{p0}"); - - var part96 = match("MESSAGE#27:statistics:04/15_1", "nwparser.p0", "%{filter->} message_length=%{p0}"); - - var select34 = linear_select([ - part95, - part96, - ]); - - var part97 = match("MESSAGE#27:statistics:04/16_0", 
"nwparser.p0", "\"%{fld6}\""); - - var part98 = match_copy("MESSAGE#27:statistics:04/16_1", "nwparser.p0", "fld6"); - - var select35 = linear_select([ - part97, - part98, - ]); - - var all24 = all_match({ - processors: [ - dup35, - select22, - select23, - select24, - select25, - select26, - select27, - select28, - select29, - select30, - select31, - select32, - select33, - dup78, - dup79, - select34, - select35, - ], - on_success: processor_chain([ - dup60, - dup8, - dup9, - dup10, - dup11, - dup12, - dup34, - dup15, - ]), - }); - - var msg28 = msg("statistics:04", all24); - - var part99 = tagval("MESSAGE#28:statistics:05", "nwparser.payload", tvm, { - "classifier": "filter", - "client_ip": "saddr", - "client_name": "fqdn", - "direction": "direction", - "disposition": "disposition", - "domain": "domain", - "dst_ip": "daddr", - "from": "from", - "hfrom": "fld3", - "mailer": "agent", - "message_length": "fld6", - "polid": "fld5", - "resolved": "context", - "session_id": "sessionid", - "src_type": "fld7", - "subject": "subject", - "to": "to", - "virus": "virusname", - }, processor_chain([ - dup60, - dup8, - dup9, - dup10, - dup11, - dup12, - dup34, - dup15, - ])); - - var msg29 = msg("statistics:05", part99); - - var select36 = linear_select([ - msg24, - msg25, - msg26, - msg27, - msg28, - msg29, - ]); - - var part100 = match("MESSAGE#29:spam/1_0", "nwparser.p0", "\"%{sessionid}\" client_name=\"%{p0}"); - - var part101 = match("MESSAGE#29:spam/1_1", "nwparser.p0", "%{sessionid->} client_name=\"%{p0}"); - - var select37 = linear_select([ - part100, - part101, - ]); - - var part102 = match("MESSAGE#29:spam/3", "nwparser.p0", "%{}from=%{p0}"); - - var part103 = match("MESSAGE#29:spam/5_0", "nwparser.p0", "\"%{to}\" subject=%{p0}"); - - var part104 = match("MESSAGE#29:spam/5_1", "nwparser.p0", "%{to->} subject=%{p0}"); - - var select38 = linear_select([ - part103, - part104, - ]); - - var part105 = match("MESSAGE#29:spam/6_0", "nwparser.p0", "\"%{subject}\" msg=%{p0}"); - 
- var part106 = match("MESSAGE#29:spam/6_1", "nwparser.p0", "%{subject->} msg=%{p0}"); - - var select39 = linear_select([ - part105, - part106, - ]); - - var all25 = all_match({ - processors: [ - dup35, - select37, - dup74, - part102, - dup69, - select38, - select39, - dup64, - ], - on_success: processor_chain([ - dup62, - dup8, - dup9, - dup10, - dup11, - dup12, - dup34, - dup15, - ]), - }); - - var msg30 = msg("spam", all25); - - var part107 = match("MESSAGE#30:spam:04", "nwparser.payload", "session_id=\"%{sessionid}\" client_name=\"%{fqdn->} [%{saddr}] (%{fld2})\" dst_ip=\"%{daddr}\" from=\"%{from}\" to=\"%{to}\" subject=\"%{subject}\" msg=\"%{event_description}\"", processor_chain([ - dup62, - dup8, - dup9, - dup10, - dup11, - dup12, - dup34, - dup15, - ])); - - var msg31 = msg("spam:04", part107); - - var part108 = match("MESSAGE#31:spam:03/0", "nwparser.payload", "session_id=\"%{sessionid}\" client_name=%{p0}"); - - var part109 = match("MESSAGE#31:spam:03/1_0", "nwparser.p0", "\"%{fqdn->} [%{saddr}]\" %{p0}"); - - var part110 = match("MESSAGE#31:spam:03/1_1", "nwparser.p0", " \"%{fqdn}\" client_ip=\"%{saddr}\"%{p0}"); - - var select40 = linear_select([ - part109, - part110, - ]); - - var part111 = match("MESSAGE#31:spam:03/2", "nwparser.p0", "%{}dst_ip=\"%{daddr}\" from=\"%{from}\" to=\"%{to}\" subject=\"%{subject}\" msg=\"%{event_description}\""); - - var all26 = all_match({ - processors: [ - part108, - select40, - part111, - ], - on_success: processor_chain([ - dup62, - dup8, - dup9, - dup10, - dup11, - dup12, - dup34, - dup15, - ]), - }); - - var msg32 = msg("spam:03", all26); - - var part112 = match("MESSAGE#32:spam:02", "nwparser.payload", "session_id=\"%{sessionid}\" from=\"%{from}\" to=\"%{to}\" subject=\"%{subject}\" msg=\"%{event_description}\"", processor_chain([ - dup62, - dup8, - dup9, - dup10, - dup11, - dup12, - dup34, - dup15, - ])); - - var msg33 = msg("spam:02", part112); - - var part113 = match("MESSAGE#33:spam:01/3_0", "nwparser.p0", 
"\"%{to}\" msg=%{p0}"); - - var part114 = match("MESSAGE#33:spam:01/3_1", "nwparser.p0", "%{to->} msg=%{p0}"); - - var select41 = linear_select([ - part113, - part114, - ]); - - var all27 = all_match({ - processors: [ - dup35, - dup71, - dup69, - select41, - dup64, - ], - on_success: processor_chain([ - dup62, - dup8, - dup9, - dup10, - dup11, - dup12, - dup34, - dup15, - ]), - }); - - var msg34 = msg("spam:01", all27); - - var select42 = linear_select([ - msg30, - msg31, - msg32, - msg33, - msg34, - ]); - - var chain1 = processor_chain([ - select1, - msgid_select({ - "event_admin": msg1, - "event_config": msg20, - "event_imap": msg5, - "event_pop3": msg2, - "event_smtp": select7, - "event_system": msg4, - "event_update": msg19, - "event_webmail": msg3, - "spam": select42, - "statistics": select36, - "virus": msg21, - "virus_file-signature": msg23, - "virus_infected": msg22, - }), - ]); - - var part115 = match("MESSAGE#0:event_admin/0", "nwparser.payload", "user=%{username->} ui=%{p0}"); - - var part116 = match("MESSAGE#0:event_admin/1_0", "nwparser.p0", "%{network_service}(%{saddr}) action=%{p0}"); - - var part117 = match("MESSAGE#0:event_admin/1_1", "nwparser.p0", "%{network_service->} action=%{p0}"); - - var part118 = match("MESSAGE#0:event_admin/3_0", "nwparser.p0", "\"%{event_description}\""); - - var part119 = match_copy("MESSAGE#0:event_admin/3_1", "nwparser.p0", "event_description"); - - var part120 = match("MESSAGE#1:event_pop3/2", "nwparser.p0", "%{action->} status=%{event_state->} msg=%{p0}"); - - var part121 = match("MESSAGE#5:event_smtp:01/0", "nwparser.payload", "user=%{username}ui=%{p0}"); - - var part122 = match("MESSAGE#5:event_smtp:01/1_0", "nwparser.p0", "%{network_service}(%{hostip}) action=%{p0}"); - - var part123 = match("MESSAGE#5:event_smtp:01/1_1", "nwparser.p0", "%{network_service}action=%{p0}"); - - var part124 = match("MESSAGE#5:event_smtp:01/2", "nwparser.p0", "%{action}status=%{event_state}session_id=%{p0}"); - - var part125 = 
match("MESSAGE#5:event_smtp:01/3_0", "nwparser.p0", "\"%{sessionid}\"msg=\"STARTTLS=%{p0}"); - - var part126 = match("MESSAGE#5:event_smtp:01/3_1", "nwparser.p0", "%{sessionid}msg=\"STARTTLS=%{p0}"); - - var part127 = match("MESSAGE#16:event_smtp/3_0", "nwparser.p0", "\"%{sessionid}\" msg=%{p0}"); - - var part128 = match("MESSAGE#16:event_smtp/3_1", "nwparser.p0", "%{sessionid->} msg=%{p0}"); - - var part129 = match("MESSAGE#20:virus/0", "nwparser.payload", "from=%{p0}"); - - var part130 = match("MESSAGE#20:virus/1_0", "nwparser.p0", "\"%{from}\" to=%{p0}"); - - var part131 = match("MESSAGE#20:virus/1_1", "nwparser.p0", "%{from->} to=%{p0}"); - - var part132 = match("MESSAGE#20:virus/2_0", "nwparser.p0", "\"%{to}\" src=%{p0}"); - - var part133 = match("MESSAGE#20:virus/2_1", "nwparser.p0", "%{to->} src=%{p0}"); - - var part134 = match("MESSAGE#20:virus/3_0", "nwparser.p0", "\"%{saddr}\" session_id=%{p0}"); - - var part135 = match("MESSAGE#20:virus/3_1", "nwparser.p0", "%{saddr->} session_id=%{p0}"); - - var part136 = match("MESSAGE#23:statistics/0", "nwparser.payload", "session_id=%{p0}"); - - var part137 = match("MESSAGE#23:statistics/1_0", "nwparser.p0", "\"%{sessionid}\" from=%{p0}"); - - var part138 = match("MESSAGE#23:statistics/1_1", "nwparser.p0", "%{sessionid->} from=%{p0}"); - - var part139 = match("MESSAGE#23:statistics/2_0", "nwparser.p0", "\"%{from}\" mailer=%{p0}"); - - var part140 = match("MESSAGE#23:statistics/2_1", "nwparser.p0", "%{from->} mailer=%{p0}"); - - var part141 = match("MESSAGE#23:statistics/3_0", "nwparser.p0", "\"%{agent}\" client_name=\"%{p0}"); - - var part142 = match("MESSAGE#23:statistics/3_1", "nwparser.p0", "%{agent->} client_name=\"%{p0}"); - - var part143 = match("MESSAGE#23:statistics/4_0", "nwparser.p0", "%{fqdn->} [%{saddr}] (%{info})\"%{p0}"); - - var part144 = match("MESSAGE#23:statistics/4_1", "nwparser.p0", "%{fqdn->} [%{saddr}]\"%{p0}"); - - var part145 = match("MESSAGE#23:statistics/4_2", "nwparser.p0", 
"%{saddr}\"%{p0}"); - - var part146 = match("MESSAGE#23:statistics/6_0", "nwparser.p0", "\"%{context}\" to=%{p0}"); - - var part147 = match("MESSAGE#23:statistics/6_1", "nwparser.p0", "%{context->} to=%{p0}"); - - var part148 = match("MESSAGE#23:statistics/7_0", "nwparser.p0", "\"%{to}\" direction=%{p0}"); - - var part149 = match("MESSAGE#23:statistics/7_1", "nwparser.p0", "%{to->} direction=%{p0}"); - - var part150 = match("MESSAGE#23:statistics/8_0", "nwparser.p0", "\"%{direction}\" message_length=%{p0}"); - - var part151 = match("MESSAGE#23:statistics/8_1", "nwparser.p0", "%{direction->} message_length=%{p0}"); - - var part152 = match("MESSAGE#23:statistics/9", "nwparser.p0", "%{fld4->} virus=%{p0}"); - - var part153 = match("MESSAGE#23:statistics/10_0", "nwparser.p0", "\"%{virusname}\" disposition=%{p0}"); - - var part154 = match("MESSAGE#23:statistics/10_1", "nwparser.p0", "%{virusname->} disposition=%{p0}"); - - var part155 = match("MESSAGE#23:statistics/11_0", "nwparser.p0", "\"%{disposition}\" classifier=%{p0}"); - - var part156 = match("MESSAGE#23:statistics/11_1", "nwparser.p0", "%{disposition->} classifier=%{p0}"); - - var part157 = match("MESSAGE#23:statistics/12_0", "nwparser.p0", "\"%{filter}\" subject=%{p0}"); - - var part158 = match("MESSAGE#23:statistics/12_1", "nwparser.p0", "%{filter->} subject=%{p0}"); - - var part159 = match("MESSAGE#23:statistics/13_0", "nwparser.p0", "\"%{subject}\""); - - var part160 = match_copy("MESSAGE#23:statistics/13_1", "nwparser.p0", "subject"); - - var part161 = match("MESSAGE#24:statistics:01/5", "nwparser.p0", "%{}resolved=%{p0}"); - - var select43 = linear_select([ - dup3, - dup4, - ]); - - var select44 = linear_select([ - dup5, - dup6, - ]); - - var select45 = linear_select([ - dup19, - dup20, - ]); - - var select46 = linear_select([ - dup22, - dup23, - ]); - - var select47 = linear_select([ - dup3, - dup20, - ]); - - var select48 = linear_select([ - dup24, - dup25, - ]); - - var select49 = linear_select([ - 
dup27, - dup28, - ]); - - var select50 = linear_select([ - dup29, - dup30, - ]); - - var select51 = linear_select([ - dup36, - dup37, - ]); - - var select52 = linear_select([ - dup38, - dup39, - ]); - - var select53 = linear_select([ - dup40, - dup41, - ]); - - var select54 = linear_select([ - dup42, - dup43, - dup44, - ]); - - var select55 = linear_select([ - dup45, - dup46, - ]); - - var select56 = linear_select([ - dup47, - dup48, - ]); - - var select57 = linear_select([ - dup49, - dup50, - ]); - - var select58 = linear_select([ - dup52, - dup53, - ]); - - var select59 = linear_select([ - dup54, - dup55, - ]); - - var select60 = linear_select([ - dup56, - dup57, - ]); - - var select61 = linear_select([ - dup58, - dup59, - ]); - - var all28 = all_match({ - processors: [ - dup2, - dup63, - dup16, - dup64, - ], - on_success: processor_chain([ - dup17, - dup8, - dup9, - dup10, - dup11, - dup12, - dup13, - dup14, - dup15, - ]), - }); - -- community_id: -- registered_domain: - ignore_missing: true - ignore_failure: true - field: dns.question.name - target_field: dns.question.registered_domain - target_subdomain_field: dns.question.subdomain - target_etld_field: dns.question.top_level_domain -- registered_domain: - ignore_missing: true - ignore_failure: true - field: client.domain - target_field: client.registered_domain - target_subdomain_field: client.subdomain - target_etld_field: client.top_level_domain -- registered_domain: - ignore_missing: true - ignore_failure: true - field: server.domain - target_field: server.registered_domain - target_subdomain_field: server.subdomain - target_etld_field: server.top_level_domain -- registered_domain: - ignore_missing: true - ignore_failure: true - field: destination.domain - target_field: destination.registered_domain - target_subdomain_field: destination.subdomain - target_etld_field: destination.top_level_domain -- registered_domain: - ignore_missing: true - ignore_failure: true - field: source.domain - target_field: 
source.registered_domain - target_subdomain_field: source.subdomain - target_etld_field: source.top_level_domain -- registered_domain: - ignore_missing: true - ignore_failure: true - field: url.domain - target_field: url.registered_domain - target_subdomain_field: url.subdomain - target_etld_field: url.top_level_domain -- add_locale: ~
diff --git a/packages/fortinet_fortimail/1.1.2/data_stream/log/agent/stream/udp.yml.hbs b/packages/fortinet_fortimail/1.1.2/data_stream/log/agent/stream/udp.yml.hbs
deleted file mode 100755
index 62ba2d5ec0..0000000000
--- a/packages/fortinet_fortimail/1.1.2/data_stream/log/agent/stream/udp.yml.hbs
+++ /dev/null
@@ -1,4291 +0,0 @@ -udp: -host: "{{udp_host}}:{{udp_port}}" -tags: -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#each tags as |tag i|}} - - {{tag}} -{{/each}} -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} -processors: -{{#if processors}} -{{processors}} -{{/if}} -- script: - lang: javascript - params: - ecs: true - rsa: {{rsa_fields}} - tz_offset: {{tz_offset}} - keep_raw: {{keep_raw_fields}} - debug: {{debug}} - source: | - // Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - // or more contributor license agreements. Licensed under the Elastic License; - // you may not use this file except in compliance with the Elastic License. - - /* jshint -W014,-W016,-W097,-W116 */ - - var processor = require("processor"); - var console = require("console"); - - var FLAG_FIELD = "log.flags"; - var FIELDS_OBJECT = "nwparser"; - var FIELDS_PREFIX = FIELDS_OBJECT + "."; - - var defaults = { - debug: false, - ecs: true, - rsa: false, - keep_raw: false, - tz_offset: "local", - strip_priority: true - }; - - var saved_flags = null; - var debug; - var map_ecs; - var map_rsa; - var keep_raw; - var device; - var tz_offset; - var strip_priority; - - // Register params from configuration. - function register(params) { - debug = params.debug !== undefined ? params.debug : defaults.debug; - map_ecs = params.ecs !== undefined ? params.ecs : defaults.ecs; - map_rsa = params.rsa !== undefined ? params.rsa : defaults.rsa; - keep_raw = params.keep_raw !== undefined ? params.keep_raw : defaults.keep_raw; - tz_offset = parse_tz_offset(params.tz_offset !== undefined? params.tz_offset : defaults.tz_offset); - strip_priority = params.strip_priority !== undefined? params.strip_priority : defaults.strip_priority; - device = new DeviceProcessor(); - } - - function parse_tz_offset(offset) { - var date; - var m; - switch(offset) { - // local uses the tz offset from the JS VM. 
- case "local": - date = new Date(); - // Reversing the sign as we the offset from UTC, not to UTC. - return parse_local_tz_offset(-date.getTimezoneOffset()); - // event uses the tz offset from event.timezone (add_locale processor). - case "event": - return offset; - // Otherwise a tz offset in the form "[+-][0-9]{4}" is required. - default: - m = offset.match(/^([+\-])([0-9]{2}):?([0-9]{2})?$/); - if (m === null || m.length !== 4) { - throw("bad timezone offset: '" + offset + "'. Must have the form +HH:MM"); - } - return m[1] + m[2] + ":" + (m[3]!==undefined? m[3] : "00"); - } - } - - function parse_local_tz_offset(minutes) { - var neg = minutes < 0; - minutes = Math.abs(minutes); - var min = minutes % 60; - var hours = Math.floor(minutes / 60); - var pad2digit = function(n) { - if (n < 10) { return "0" + n;} - return "" + n; - }; - return (neg? "-" : "+") + pad2digit(hours) + ":" + pad2digit(min); - } - - function process(evt) { - // Function register is only called by the processor when `params` are set - // in the processor config. - if (device === undefined) { - register(defaults); - } - return device.process(evt); - } - - function processor_chain(subprocessors) { - var builder = new processor.Chain(); - subprocessors.forEach(builder.Add); - return builder.Build().Run; - } - - function linear_select(subprocessors) { - return function (evt) { - var flags = evt.Get(FLAG_FIELD); - var i; - for (i = 0; i < subprocessors.length; i++) { - evt.Delete(FLAG_FIELD); - if (debug) console.warn("linear_select trying entry " + i); - subprocessors[i](evt); - // Dissect processor succeeded? 
- if (evt.Get(FLAG_FIELD) == null) break; - if (debug) console.warn("linear_select failed entry " + i); - } - if (flags !== null) { - evt.Put(FLAG_FIELD, flags); - } - if (debug) { - if (i < subprocessors.length) { - console.warn("linear_select matched entry " + i); - } else { - console.warn("linear_select didn't match"); - } - } - }; - } - - function conditional(opt) { - return function(evt) { - if (opt.if(evt)) { - opt.then(evt); - } else if (opt.else) { - opt.else(evt); - } - }; - } - - var strip_syslog_priority = (function() { - var isEnabled = function() { return strip_priority === true; }; - var fetchPRI = field("_pri"); - var fetchPayload = field("payload"); - var removePayload = remove(["payload"]); - var cleanup = remove(["_pri", "payload"]); - var onMatch = function(evt) { - var pri, priStr = fetchPRI(evt); - if (priStr != null - && 0 < priStr.length && priStr.length < 4 - && !isNaN((pri = Number(priStr))) - && 0 <= pri && pri < 192) { - var severity = pri & 7, - facility = pri >> 3; - setc("_severity", "" + severity)(evt); - setc("_facility", "" + facility)(evt); - // Replace message with priority stripped. - evt.Put("message", fetchPayload(evt)); - removePayload(evt); - } else { - // not a valid syslog PRI, cleanup. 
- cleanup(evt); - } - }; - return conditional({ - if: isEnabled, - then: cleanup_flags(match( - "STRIP_PRI", - "message", - "<%{_pri}>%{payload}", - onMatch - )) - }); - })(); - - function match(id, src, pattern, on_success) { - var dissect = new processor.Dissect({ - field: src, - tokenizer: pattern, - target_prefix: FIELDS_OBJECT, - ignore_failure: true, - overwrite_keys: true, - trim_values: "right" - }); - return function (evt) { - var msg = evt.Get(src); - dissect.Run(evt); - var failed = evt.Get(FLAG_FIELD) != null; - if (debug) { - if (failed) { - console.debug("dissect fail: " + id + " field:" + src); - } else { - console.debug("dissect OK: " + id + " field:" + src); - } - console.debug(" expr: <<" + pattern + ">>"); - console.debug(" input: <<" + msg + ">>"); - } - if (on_success != null && !failed) { - on_success(evt); - } - }; - } - - function match_copy(id, src, dst, on_success) { - dst = FIELDS_PREFIX + dst; - if (dst === FIELDS_PREFIX || dst === src) { - return function (evt) { - if (debug) { - console.debug("noop OK: " + id + " field:" + src); - console.debug(" input: <<" + evt.Get(src) + ">>"); - } - if (on_success != null) on_success(evt); - } - } - return function (evt) { - var msg = evt.Get(src); - evt.Put(dst, msg); - if (debug) { - console.debug("copy OK: " + id + " field:" + src); - console.debug(" target: '" + dst + "'"); - console.debug(" input: <<" + msg + ">>"); - } - if (on_success != null) on_success(evt); - } - } - - function cleanup_flags(processor) { - return function(evt) { - processor(evt); - evt.Delete(FLAG_FIELD); - }; - } - - function all_match(opts) { - return function (evt) { - var i; - for (i = 0; i < opts.processors.length; i++) { - evt.Delete(FLAG_FIELD); - opts.processors[i](evt); - // Dissect processor succeeded? 
- if (evt.Get(FLAG_FIELD) != null) { - if (debug) console.warn("all_match failure at " + i); - if (opts.on_failure != null) opts.on_failure(evt); - return; - } - if (debug) console.warn("all_match success at " + i); - } - if (opts.on_success != null) opts.on_success(evt); - }; - } - - function msgid_select(mapping) { - return function (evt) { - var msgid = evt.Get(FIELDS_PREFIX + "messageid"); - if (msgid == null) { - if (debug) console.warn("msgid_select: no messageid captured!"); - return; - } - var next = mapping[msgid]; - if (next === undefined) { - if (debug) console.warn("msgid_select: no mapping for messageid:" + msgid); - return; - } - if (debug) console.info("msgid_select: matched key=" + msgid); - return next(evt); - }; - } - - function msg(msg_id, match) { - return function (evt) { - match(evt); - if (evt.Get(FLAG_FIELD) == null) { - evt.Put(FIELDS_PREFIX + "msg_id1", msg_id); - } - }; - } - - var start; - - function save_flags(evt) { - saved_flags = evt.Get(FLAG_FIELD); - evt.Put("event.original", evt.Get("message")); - } - - function restore_flags(evt) { - if (saved_flags !== null) { - evt.Put(FLAG_FIELD, saved_flags); - } - evt.Delete("message"); - } - - function constant(value) { - return function (evt) { - return value; - }; - } - - function field(name) { - var fullname = FIELDS_PREFIX + name; - return function (evt) { - return evt.Get(fullname); - }; - } - - function STRCAT(args) { - var s = ""; - var i; - for (i = 0; i < args.length; i++) { - s += args[i]; - } - return s; - } - - // TODO: Implement - function DIRCHK(args) { - unimplemented("DIRCHK"); - } - - function strictToInt(str) { - return str * 1; - } - - function CALC(args) { - if (args.length !== 3) { - console.warn("skipped call to CALC with " + args.length + " arguments."); - return; - } - var a = strictToInt(args[0]); - var b = strictToInt(args[2]); - if (isNaN(a) || isNaN(b)) { - console.warn("failed evaluating CALC arguments a='" + args[0] + "' b='" + args[2] + "'."); - return; - } - 
var result; - switch (args[1]) { - case "+": - result = a + b; - break; - case "-": - result = a - b; - break; - case "*": - result = a * b; - break; - default: - // Only * and + seen in the parsers. - console.warn("unknown CALC operation '" + args[1] + "'."); - return; - } - // Always return a string - return result !== undefined ? "" + result : result; - } - - var quoteChars = "\"'`"; - function RMQ(args) { - if(args.length !== 1) { - console.warn("RMQ: only one argument expected"); - return; - } - var value = args[0].trim(); - var n = value.length; - var char; - return n > 1 - && (char=value.charAt(0)) === value.charAt(n-1) - && quoteChars.indexOf(char) !== -1? - value.substr(1, n-2) - : value; - } - - function call(opts) { - var args = new Array(opts.args.length); - return function (evt) { - for (var i = 0; i < opts.args.length; i++) - if ((args[i] = opts.args[i](evt)) == null) return; - var result = opts.fn(args); - if (result != null) { - evt.Put(opts.dest, result); - } - }; - } - - function nop(evt) { - } - - function appendErrorMsg(evt, msg) { - var value = evt.Get("error.message"); - if (value == null) { - value = [msg]; - } else if (msg instanceof Array) { - value.push(msg); - } else { - value = [value, msg]; - } - evt.Put("error.message", value); - } - - function unimplemented(name) { - appendErrorMsg("unimplemented feature: " + name); - } - - function lookup(opts) { - return function (evt) { - var key = opts.key(evt); - if (key == null) return; - var value = opts.map.keyvaluepairs[key]; - if (value === undefined) { - value = opts.map.default; - } - if (value !== undefined) { - evt.Put(opts.dest, value(evt)); - } - }; - } - - function set(fields) { - return new processor.AddFields({ - target: FIELDS_OBJECT, - fields: fields, - }); - } - - function setf(dst, src) { - return function (evt) { - var val = evt.Get(FIELDS_PREFIX + src); - if (val != null) evt.Put(FIELDS_PREFIX + dst, val); - }; - } - - function setc(dst, value) { - return function (evt) { - 
evt.Put(FIELDS_PREFIX + dst, value); - }; - } - - function set_field(opts) { - return function (evt) { - var val = opts.value(evt); - if (val != null) evt.Put(opts.dest, val); - }; - } - - function dump(label) { - return function (evt) { - console.log("Dump of event at " + label + ": " + JSON.stringify(evt, null, "\t")); - }; - } - - function date_time_join_args(evt, arglist) { - var str = ""; - for (var i = 0; i < arglist.length; i++) { - var fname = FIELDS_PREFIX + arglist[i]; - var val = evt.Get(fname); - if (val != null) { - if (str !== "") str += " "; - str += val; - } else { - if (debug) console.warn("in date_time: input arg " + fname + " is not set"); - } - } - return str; - } - - function to2Digit(num) { - return num? (num < 10? "0" + num : num) : "00"; - } - - // Make two-digit dates 00-69 interpreted as 2000-2069 - // and dates 70-99 translated to 1970-1999. - var twoDigitYearEpoch = 70; - var twoDigitYearCentury = 2000; - - // This is to accept dates up to 2 days in the future, only used when - // no year is specified in a date. 2 days should be enough to account for - // time differences between systems and different tz offsets. - var maxFutureDelta = 2*24*60*60*1000; - - // DateContainer stores date fields and then converts those fields into - // a Date. Necessary because building a Date using its set() methods gives - // different results depending on the order of components. - function DateContainer(tzOffset) { - this.offset = tzOffset === undefined? "Z" : tzOffset; - } - - DateContainer.prototype = { - setYear: function(v) {this.year = v;}, - setMonth: function(v) {this.month = v;}, - setDay: function(v) {this.day = v;}, - setHours: function(v) {this.hours = v;}, - setMinutes: function(v) {this.minutes = v;}, - setSeconds: function(v) {this.seconds = v;}, - - setUNIX: function(v) {this.unix = v;}, - - set2DigitYear: function(v) { - this.year = v < twoDigitYearEpoch? 
twoDigitYearCentury + v : twoDigitYearCentury + v - 100; - }, - - toDate: function() { - if (this.unix !== undefined) { - return new Date(this.unix * 1000); - } - if (this.day === undefined || this.month === undefined) { - // Can't make a date from this. - return undefined; - } - if (this.year === undefined) { - // A date without a year. Set current year, or previous year - // if date would be in the future. - var now = new Date(); - this.year = now.getFullYear(); - var date = this.toDate(); - if (date.getTime() - now.getTime() > maxFutureDelta) { - date.setFullYear(now.getFullYear() - 1); - } - return date; - } - var MM = to2Digit(this.month); - var DD = to2Digit(this.day); - var hh = to2Digit(this.hours); - var mm = to2Digit(this.minutes); - var ss = to2Digit(this.seconds); - return new Date(this.year + "-" + MM + "-" + DD + "T" + hh + ":" + mm + ":" + ss + this.offset); - } - } - - function date_time_try_pattern(fmt, str, tzOffset) { - var date = new DateContainer(tzOffset); - var pos = date_time_try_pattern_at_pos(fmt, str, 0, date); - return pos !== undefined? 
date.toDate() : undefined; - } - - function date_time_try_pattern_at_pos(fmt, str, pos, date) { - var len = str.length; - for (var proc = 0; pos !== undefined && pos < len && proc < fmt.length; proc++) { - pos = fmt[proc](str, pos, date); - } - return pos; - } - - function date_time(opts) { - return function (evt) { - var tzOffset = opts.tz || tz_offset; - if (tzOffset === "event") { - tzOffset = evt.Get("event.timezone"); - } - var str = date_time_join_args(evt, opts.args); - for (var i = 0; i < opts.fmts.length; i++) { - var date = date_time_try_pattern(opts.fmts[i], str, tzOffset); - if (date !== undefined) { - evt.Put(FIELDS_PREFIX + opts.dest, date); - return; - } - } - if (debug) console.warn("in date_time: id=" + opts.id + " FAILED: " + str); - }; - } - - var uA = 60 * 60 * 24; - var uD = 60 * 60 * 24; - var uF = 60 * 60; - var uG = 60 * 60 * 24 * 30; - var uH = 60 * 60; - var uI = 60 * 60; - var uJ = 60 * 60 * 24; - var uM = 60 * 60 * 24 * 30; - var uN = 60 * 60; - var uO = 1; - var uS = 1; - var uT = 60; - var uU = 60; - var uc = dc; - - function duration(opts) { - return function(evt) { - var str = date_time_join_args(evt, opts.args); - for (var i = 0; i < opts.fmts.length; i++) { - var seconds = duration_try_pattern(opts.fmts[i], str); - if (seconds !== undefined) { - evt.Put(FIELDS_PREFIX + opts.dest, seconds); - return; - } - } - if (debug) console.warn("in duration: id=" + opts.id + " (s) FAILED: " + str); - }; - } - - function duration_try_pattern(fmt, str) { - var secs = 0; - var pos = 0; - for (var i=0; i [ month_id , how many chars to skip if month in long form ] - "Jan": [0, 4], - "Feb": [1, 5], - "Mar": [2, 2], - "Apr": [3, 2], - "May": [4, 0], - "Jun": [5, 1], - "Jul": [6, 1], - "Aug": [7, 3], - "Sep": [8, 6], - "Oct": [9, 4], - "Nov": [10, 5], - "Dec": [11, 4], - "jan": [0, 4], - "feb": [1, 5], - "mar": [2, 2], - "apr": [3, 2], - "may": [4, 0], - "jun": [5, 1], - "jul": [6, 1], - "aug": [7, 3], - "sep": [8, 6], - "oct": [9, 4], - "nov": [10, 
5], - "dec": [11, 4], - }; - - // var dC = undefined; - var dR = dateMonthName(true); - var dB = dateMonthName(false); - var dM = dateFixedWidthNumber("M", 2, 1, 12, DateContainer.prototype.setMonth); - var dG = dateVariableWidthNumber("G", 1, 12, DateContainer.prototype.setMonth); - var dD = dateFixedWidthNumber("D", 2, 1, 31, DateContainer.prototype.setDay); - var dF = dateVariableWidthNumber("F", 1, 31, DateContainer.prototype.setDay); - var dH = dateFixedWidthNumber("H", 2, 0, 24, DateContainer.prototype.setHours); - var dI = dateVariableWidthNumber("I", 0, 24, DateContainer.prototype.setHours); // Accept hours >12 - var dN = dateVariableWidthNumber("N", 0, 24, DateContainer.prototype.setHours); - var dT = dateFixedWidthNumber("T", 2, 0, 59, DateContainer.prototype.setMinutes); - var dU = dateVariableWidthNumber("U", 0, 59, DateContainer.prototype.setMinutes); - var dP = parseAMPM; // AM|PM - var dQ = parseAMPM; // A.M.|P.M - var dS = dateFixedWidthNumber("S", 2, 0, 60, DateContainer.prototype.setSeconds); - var dO = dateVariableWidthNumber("O", 0, 60, DateContainer.prototype.setSeconds); - var dY = dateFixedWidthNumber("Y", 2, 0, 99, DateContainer.prototype.set2DigitYear); - var dW = dateFixedWidthNumber("W", 4, 1000, 9999, DateContainer.prototype.setYear); - var dZ = parseHMS; - var dX = dateVariableWidthNumber("X", 0, 0x10000000000, DateContainer.prototype.setUNIX); - - // parseAMPM parses "A.M", "AM", "P.M", "PM" from logs. - // Only works if this modifier appears after the hour has been read from logs - // which is always the case in the 300 devices. 
- function parseAMPM(str, pos, date) { - var n = str.length; - var start = skipws(str, pos); - if (start + 2 > n) return; - var head = str.substr(start, 2).toUpperCase(); - var isPM = false; - var skip = false; - switch (head) { - case "A.": - skip = true; - /* falls through */ - case "AM": - break; - case "P.": - skip = true; - /* falls through */ - case "PM": - isPM = true; - break; - default: - if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(head:" + head + ")"); - return; - } - pos = start + 2; - if (skip) { - if (pos+2 > n || str.substr(pos, 2).toUpperCase() !== "M.") { - if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(tail)"); - return; - } - pos += 2; - } - var hh = date.hours; - if (isPM) { - // Accept existing hour in 24h format. - if (hh < 12) hh += 12; - } else { - if (hh === 12) hh = 0; - } - date.setHours(hh); - return pos; - } - - function parseHMS(str, pos, date) { - return date_time_try_pattern_at_pos([dN, dc(":"), dU, dc(":"), dO], str, pos, date); - } - - function skipws(str, pos) { - for ( var n = str.length; - pos < n && str.charAt(pos) === " "; - pos++) - ; - return pos; - } - - function skipdigits(str, pos) { - var c; - for (var n = str.length; - pos < n && (c = str.charAt(pos)) >= "0" && c <= "9"; - pos++) - ; - return pos; - } - - function dSkip(str, pos, date) { - var chr; - for (;pos < str.length && (chr=str[pos])<'0' || chr>'9'; pos++) {} - return pos < str.length? 
pos : undefined; - } - - function dateVariableWidthNumber(fmtChar, min, max, setter) { - return function (str, pos, date) { - var start = skipws(str, pos); - pos = skipdigits(str, start); - var s = str.substr(start, pos - start); - var value = parseInt(s, 10); - if (value >= min && value <= max) { - setter.call(date, value); - return pos; - } - return; - }; - } - - function dateFixedWidthNumber(fmtChar, width, min, max, setter) { - return function (str, pos, date) { - pos = skipws(str, pos); - var n = str.length; - if (pos + width > n) return; - var s = str.substr(pos, width); - var value = parseInt(s, 10); - if (value >= min && value <= max) { - setter.call(date, value); - return pos + width; - } - return; - }; - } - - // Short month name (Jan..Dec). - function dateMonthName(long) { - return function (str, pos, date) { - pos = skipws(str, pos); - var n = str.length; - if (pos + 3 > n) return; - var mon = str.substr(pos, 3); - var idx = shortMonths[mon]; - if (idx === undefined) { - idx = shortMonths[mon.toLowerCase()]; - } - if (idx === undefined) { - //console.warn("parsing date_time: '" + mon + "' is not a valid short month (%B)"); - return; - } - date.setMonth(idx[0]+1); - return pos + 3 + (long ? 
idx[1] : 0); - }; - } - - function url_wrapper(dst, src, fn) { - return function(evt) { - var value = evt.Get(FIELDS_PREFIX + src), result; - if (value != null && (result = fn(value))!== undefined) { - evt.Put(FIELDS_PREFIX + dst, result); - } else { - console.debug(fn.name + " failed for '" + value + "'"); - } - }; - } - - // The following regular expression for parsing URLs from: - // https://github.com/wizard04wsu/URI_Parsing - // - // The MIT License (MIT) - // - // Copyright (c) 2014 Andrew Harrison - // - // Permission is hereby granted, free of charge, to any person obtaining a copy of - // this software and associated documentation files (the "Software"), to deal in - // the Software without restriction, including without limitation the rights to - // use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of - // the Software, and to permit persons to whom the Software is furnished to do so, - // subject to the following conditions: - // - // The above copyright notice and this permission notice shall be included in all - // copies or substantial portions of the Software. - // - // THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR - // IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS - // FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR - // COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER - // IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN - // CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 
- var uriRegExp = /^([a-z][a-z0-9+.\-]*):(?:\/\/((?:(?=((?:[a-z0-9\-._~!$&'()*+,;=:]|%[0-9A-F]{2})*))(\3)@)?(?=(\[[0-9A-F:.]{2,}\]|(?:[a-z0-9\-._~!$&'()*+,;=]|%[0-9A-F]{2})*))\5(?::(?=(\d*))\6)?)(\/(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\8)?|(\/?(?!\/)(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\10)?)(?:\?(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\11)?(?:#(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\12)?$/i; - - var uriScheme = 1; - var uriDomain = 5; - var uriPort = 6; - var uriPath = 7; - var uriPathAlt = 9; - var uriQuery = 11; - - function domain(dst, src) { - return url_wrapper(dst, src, extract_domain); - } - - function split_url(value) { - var m = value.match(uriRegExp); - if (m && m[uriDomain]) return m; - // Support input in the form "www.example.net/path", but not "/path". - m = ("null://" + value).match(uriRegExp); - if (m) return m; - } - - function extract_domain(value) { - var m = split_url(value); - if (m && m[uriDomain]) return m[uriDomain]; - } - - var extFromPage = /\.[^.]+$/; - function extract_ext(value) { - var page = extract_page(value); - if (page) { - var m = page.match(extFromPage); - if (m) return m[0]; - } - } - - function ext(dst, src) { - return url_wrapper(dst, src, extract_ext); - } - - function fqdn(dst, src) { - // TODO: fqdn and domain(eTLD+1) are currently the same. - return domain(dst, src); - } - - var pageFromPathRegExp = /\/([^\/]+)$/; - var pageName = 1; - - function extract_page(value) { - value = extract_path(value); - if (!value) return undefined; - var m = value.match(pageFromPathRegExp); - if (m) return m[pageName]; - } - - function page(dst, src) { - return url_wrapper(dst, src, extract_page); - } - - function extract_path(value) { - var m = split_url(value); - return m? m[uriPath] || m[uriPathAlt] : undefined; - } - - function path(dst, src) { - return url_wrapper(dst, src, extract_path); - } - - // Map common schemes to their default port. 
- // port has to be a string (will be converted at a later stage). - var schemePort = { - "ftp": "21", - "ssh": "22", - "http": "80", - "https": "443", - }; - - function extract_port(value) { - var m = split_url(value); - if (!m) return undefined; - if (m[uriPort]) return m[uriPort]; - if (m[uriScheme]) { - return schemePort[m[uriScheme]]; - } - } - - function port(dst, src) { - return url_wrapper(dst, src, extract_port); - } - - function extract_query(value) { - var m = split_url(value); - if (m && m[uriQuery]) return m[uriQuery]; - } - - function query(dst, src) { - return url_wrapper(dst, src, extract_query); - } - - function extract_root(value) { - var m = split_url(value); - if (m && m[uriDomain] && m[uriDomain]) { - var scheme = m[uriScheme] && m[uriScheme] !== "null"? - m[uriScheme] + "://" : ""; - var port = m[uriPort]? ":" + m[uriPort] : ""; - return scheme + m[uriDomain] + port; - } - } - - function root(dst, src) { - return url_wrapper(dst, src, extract_root); - } - - function tagval(id, src, cfg, keys, on_success) { - var fail = function(evt) { - evt.Put(FLAG_FIELD, "tagval_parsing_error"); - } - if (cfg.kv_separator.length !== 1) { - throw("Invalid TAGVALMAP ValueDelimiter (must have 1 character)"); - } - var quotes_len = cfg.open_quote.length > 0 && cfg.close_quote.length > 0? 
- cfg.open_quote.length + cfg.close_quote.length : 0; - var kv_regex = new RegExp('^([^' + cfg.kv_separator + ']*)*' + cfg.kv_separator + ' *(.*)*$'); - return function(evt) { - var msg = evt.Get(src); - if (msg === undefined) { - console.warn("tagval: input field is missing"); - return fail(evt); - } - var pairs = msg.split(cfg.pair_separator); - var i; - var success = false; - var prev = ""; - for (i=0; i 0 && - value.length >= cfg.open_quote.length + cfg.close_quote.length && - value.substr(0, cfg.open_quote.length) === cfg.open_quote && - value.substr(value.length - cfg.close_quote.length) === cfg.close_quote) { - value = value.substr(cfg.open_quote.length, value.length - quotes_len); - } - evt.Put(FIELDS_PREFIX + field, value); - success = true; - } - if (!success) { - return fail(evt); - } - if (on_success != null) { - on_success(evt); - } - } - } - - var ecs_mappings = { - "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]}, - "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]}, - "_severity": {convert: to_long, to:[{field: "log.syslog.severity.code", setter: fld_set}]}, - "action": {to:[{field: "event.action", setter: fld_prio, prio: 0}]}, - "administrator": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 4}]}, - "alias.ip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 3},{field: "related.ip", setter: fld_append}]}, - "alias.ipv6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 4},{field: "related.ip", setter: fld_append}]}, - "alias.mac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 1}]}, - "application": {to:[{field: "network.application", setter: fld_set}]}, - "bytes": {convert: to_long, to:[{field: "network.bytes", setter: fld_set}]}, - "c_domain": {to:[{field: "source.domain", setter: fld_prio, prio: 1}]}, - "c_logon_id": {to:[{field: "user.id", setter: fld_prio, prio: 2}]}, - 
"c_user_name": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 8}]}, - "c_username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 2}]}, - "cctld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 1}]}, - "child_pid": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 1}]}, - "child_pid_val": {to:[{field: "process.title", setter: fld_set}]}, - "child_process": {to:[{field: "process.name", setter: fld_prio, prio: 1}]}, - "city.dst": {to:[{field: "destination.geo.city_name", setter: fld_set}]}, - "city.src": {to:[{field: "source.geo.city_name", setter: fld_set}]}, - "daddr": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, - "daddr_v6": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, - "ddomain": {to:[{field: "destination.domain", setter: fld_prio, prio: 0}]}, - "devicehostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, - "devicehostmac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 0}]}, - "dhost": {to:[{field: "destination.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]}, - "dinterface": {to:[{field: "observer.egress.interface.name", setter: fld_set}]}, - "direction": {to:[{field: "network.direction", setter: fld_set}]}, - "directory": {to:[{field: "file.directory", setter: fld_set}]}, - "dmacaddr": {convert: to_mac, to:[{field: "destination.mac", setter: fld_set}]}, - "dns.responsetype": {to:[{field: "dns.answers.type", setter: fld_set}]}, - "dns.resptext": {to:[{field: "dns.answers.name", setter: fld_set}]}, - "dns_querytype": {to:[{field: "dns.question.type", setter: fld_set}]}, - "domain": {to:[{field: "server.domain", setter: fld_prio, prio: 0},{field: "related.hosts", setter: fld_append}]}, - 
"domain.dst": {to:[{field: "destination.domain", setter: fld_prio, prio: 1}]}, - "domain.src": {to:[{field: "source.domain", setter: fld_prio, prio: 2}]}, - "domain_id": {to:[{field: "user.domain", setter: fld_set}]}, - "domainname": {to:[{field: "server.domain", setter: fld_prio, prio: 1}]}, - "dport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 0}]}, - "dtransaddr": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, - "dtransport": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 0}]}, - "ec_outcome": {to:[{field: "event.outcome", setter: fld_ecs_outcome}]}, - "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]}, - "event_source": {to:[{field: "related.hosts", setter: fld_append}]}, - "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]}, - "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]}, - "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]}, - "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]}, - "filename": {to:[{field: "file.name", setter: fld_prio, prio: 0}]}, - "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]}, - "filepath": {to:[{field: "file.path", setter: fld_set}]}, - "filetype": {to:[{field: "file.type", setter: fld_set}]}, - "fqdn": {to:[{field: "related.hosts", setter: fld_append}]}, - "group": {to:[{field: "group.name", setter: fld_set}]}, - "groupid": {to:[{field: "group.id", setter: fld_set}]}, - "host": {to:[{field: "host.name", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]}, - "hostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, - "hostip_v6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, - "hostname": {to:[{field: 
"host.name", setter: fld_prio, prio: 0}]}, - "id": {to:[{field: "event.code", setter: fld_prio, prio: 0}]}, - "interface": {to:[{field: "network.interface.name", setter: fld_set}]}, - "ip.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, - "ip.trans.dst": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, - "ip.trans.src": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, - "ipv6.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, - "latdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lat", setter: fld_set}]}, - "latdec_src": {convert: to_double, to:[{field: "source.geo.location.lat", setter: fld_set}]}, - "location_city": {to:[{field: "geo.city_name", setter: fld_set}]}, - "location_country": {to:[{field: "geo.country_name", setter: fld_set}]}, - "location_desc": {to:[{field: "geo.name", setter: fld_set}]}, - "location_dst": {to:[{field: "destination.geo.country_name", setter: fld_set}]}, - "location_src": {to:[{field: "source.geo.country_name", setter: fld_set}]}, - "location_state": {to:[{field: "geo.region_name", setter: fld_set}]}, - "logon_id": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 5}]}, - "longdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lon", setter: fld_set}]}, - "longdec_src": {convert: to_double, to:[{field: "source.geo.location.lon", setter: fld_set}]}, - "macaddr": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 2}]}, - "messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]}, - "method": {to:[{field: "http.request.method", setter: fld_set}]}, - "msg": {to:[{field: "message", setter: fld_set}]}, - "orig_ip": {convert: to_ip, 
to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]},
- "owner": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 6}]},
- "packets": {convert: to_long, to:[{field: "network.packets", setter: fld_set}]},
- "parent_pid": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 0}]},
- "parent_pid_val": {to:[{field: "process.parent.title", setter: fld_set}]},
- "parent_process": {to:[{field: "process.parent.name", setter: fld_prio, prio: 0}]},
- "patient_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 1}]},
- "port.dst": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 1}]},
- "port.src": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 1}]},
- "port.trans.dst": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 1}]},
- "port.trans.src": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 1}]},
- "process": {to:[{field: "process.name", setter: fld_prio, prio: 0}]},
- "process_id": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 0}]},
- "process_id_src": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 1}]},
- "process_src": {to:[{field: "process.parent.name", setter: fld_prio, prio: 1}]},
- "product": {to:[{field: "observer.product", setter: fld_set}]},
- "protocol": {to:[{field: "network.protocol", setter: fld_set}]},
- "query": {to:[{field: "url.query", setter: fld_prio, prio: 2}]},
- "rbytes": {convert: to_long, to:[{field: "destination.bytes", setter: fld_set}]},
- "referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 1}]},
- "rulename": {to:[{field: "rule.name", setter: fld_set}]},
- "saddr": {convert: to_ip, to:[{field: "source.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]},
- "saddr_v6": {convert: to_ip, to:[{field: "source.ip", setter: 
fld_set},{field: "related.ip", setter: fld_append}]},
- "sbytes": {convert: to_long, to:[{field: "source.bytes", setter: fld_set}]},
- "sdomain": {to:[{field: "source.domain", setter: fld_prio, prio: 0}]},
- "service": {to:[{field: "service.name", setter: fld_prio, prio: 1}]},
- "service.name": {to:[{field: "service.name", setter: fld_prio, prio: 0}]},
- "service_account": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 7}]},
- "severity": {to:[{field: "log.level", setter: fld_set}]},
- "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]},
- "sinterface": {to:[{field: "observer.ingress.interface.name", setter: fld_set}]},
- "sld": {to:[{field: "url.registered_domain", setter: fld_set}]},
- "smacaddr": {convert: to_mac, to:[{field: "source.mac", setter: fld_set}]},
- "sport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 0}]},
- "stransaddr": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]},
- "stransport": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 0}]},
- "tcp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 2}]},
- "tcp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 2}]},
- "timezone": {to:[{field: "event.timezone", setter: fld_set}]},
- "tld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 0}]},
- "udp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 3}]},
- "udp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 3}]},
- "uid": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 3}]},
- "url": {to:[{field: "url.original", setter: fld_prio, prio: 1}]},
- "url_raw": {to:[{field: "url.original", setter: fld_prio, prio: 
0}]},
- "urldomain": {to:[{field: "url.domain", setter: fld_prio, prio: 0}]},
- "urlquery": {to:[{field: "url.query", setter: fld_prio, prio: 0}]},
- "user": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 0}]},
- "user.id": {to:[{field: "user.id", setter: fld_prio, prio: 1}]},
- "user_agent": {to:[{field: "user_agent.original", setter: fld_set}]},
- "user_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 0}]},
- "user_id": {to:[{field: "user.id", setter: fld_prio, prio: 0}]},
- "username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 1}]},
- "version": {to:[{field: "observer.version", setter: fld_set}]},
- "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]},
- "web_extension": {to:[{field: "file.extension", setter: fld_prio, prio: 0}]},
- "web_query": {to:[{field: "url.query", setter: fld_prio, prio: 1}]},
- "web_ref_domain": {to:[{field: "related.hosts", setter: fld_append}]},
- "web_referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 0}]},
- "web_root": {to:[{field: "url.path", setter: fld_set}]},
- "webpage": {to:[{field: "file.name", setter: fld_prio, prio: 1}]},
- };
-
- var rsa_mappings = {
- "access_point": {to:[{field: "rsa.wireless.access_point", setter: fld_set}]},
- "accesses": {to:[{field: "rsa.identity.accesses", setter: fld_set}]},
- "acl_id": {to:[{field: "rsa.misc.acl_id", setter: fld_set}]},
- "acl_op": {to:[{field: "rsa.misc.acl_op", setter: fld_set}]},
- "acl_pos": {to:[{field: "rsa.misc.acl_pos", setter: fld_set}]},
- "acl_table": {to:[{field: "rsa.misc.acl_table", setter: fld_set}]},
- "action": {to:[{field: "rsa.misc.action", setter: fld_append}]},
- "ad_computer_dst": {to:[{field: "rsa.network.ad_computer_dst", setter: fld_set}]},
- "addr": {to:[{field: "rsa.network.addr", setter: fld_set}]},
- "admin": {to:[{field: "rsa.misc.admin", setter: 
fld_set}]},
- "agent": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 0}]},
- "agent.id": {to:[{field: "rsa.misc.agent_id", setter: fld_set}]},
- "alarm_id": {to:[{field: "rsa.misc.alarm_id", setter: fld_set}]},
- "alarmname": {to:[{field: "rsa.misc.alarmname", setter: fld_set}]},
- "alert": {to:[{field: "rsa.threat.alert", setter: fld_set}]},
- "alert_id": {to:[{field: "rsa.misc.alert_id", setter: fld_set}]},
- "alias.host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
- "analysis.file": {to:[{field: "rsa.investigations.analysis_file", setter: fld_set}]},
- "analysis.service": {to:[{field: "rsa.investigations.analysis_service", setter: fld_set}]},
- "analysis.session": {to:[{field: "rsa.investigations.analysis_session", setter: fld_set}]},
- "app_id": {to:[{field: "rsa.misc.app_id", setter: fld_set}]},
- "attachment": {to:[{field: "rsa.file.attachment", setter: fld_set}]},
- "audit": {to:[{field: "rsa.misc.audit", setter: fld_set}]},
- "audit_class": {to:[{field: "rsa.internal.audit_class", setter: fld_set}]},
- "audit_object": {to:[{field: "rsa.misc.audit_object", setter: fld_set}]},
- "auditdata": {to:[{field: "rsa.misc.auditdata", setter: fld_set}]},
- "authmethod": {to:[{field: "rsa.identity.auth_method", setter: fld_set}]},
- "autorun_type": {to:[{field: "rsa.misc.autorun_type", setter: fld_set}]},
- "bcc": {to:[{field: "rsa.email.email", setter: fld_append}]},
- "benchmark": {to:[{field: "rsa.misc.benchmark", setter: fld_set}]},
- "binary": {to:[{field: "rsa.file.binary", setter: fld_set}]},
- "boc": {to:[{field: "rsa.investigations.boc", setter: fld_set}]},
- "bssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 1}]},
- "bypass": {to:[{field: "rsa.misc.bypass", setter: fld_set}]},
- "c_sid": {to:[{field: "rsa.identity.user_sid_src", setter: fld_set}]},
- "cache": {to:[{field: "rsa.misc.cache", setter: fld_set}]},
- "cache_hit": {to:[{field: "rsa.misc.cache_hit", setter: fld_set}]},
- "calling_from": {to:[{field: 
"rsa.misc.phone", setter: fld_prio, prio: 1}]},
- "calling_to": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 0}]},
- "category": {to:[{field: "rsa.misc.category", setter: fld_set}]},
- "cc": {to:[{field: "rsa.email.email", setter: fld_append}]},
- "cc.number": {convert: to_long, to:[{field: "rsa.misc.cc_number", setter: fld_set}]},
- "cefversion": {to:[{field: "rsa.misc.cefversion", setter: fld_set}]},
- "cert.serial": {to:[{field: "rsa.crypto.cert_serial", setter: fld_set}]},
- "cert_ca": {to:[{field: "rsa.crypto.cert_ca", setter: fld_set}]},
- "cert_checksum": {to:[{field: "rsa.crypto.cert_checksum", setter: fld_set}]},
- "cert_common": {to:[{field: "rsa.crypto.cert_common", setter: fld_set}]},
- "cert_error": {to:[{field: "rsa.crypto.cert_error", setter: fld_set}]},
- "cert_hostname": {to:[{field: "rsa.crypto.cert_host_name", setter: fld_set}]},
- "cert_hostname_cat": {to:[{field: "rsa.crypto.cert_host_cat", setter: fld_set}]},
- "cert_issuer": {to:[{field: "rsa.crypto.cert_issuer", setter: fld_set}]},
- "cert_keysize": {to:[{field: "rsa.crypto.cert_keysize", setter: fld_set}]},
- "cert_status": {to:[{field: "rsa.crypto.cert_status", setter: fld_set}]},
- "cert_subject": {to:[{field: "rsa.crypto.cert_subject", setter: fld_set}]},
- "cert_username": {to:[{field: "rsa.crypto.cert_username", setter: fld_set}]},
- "cfg.attr": {to:[{field: "rsa.misc.cfg_attr", setter: fld_set}]},
- "cfg.obj": {to:[{field: "rsa.misc.cfg_obj", setter: fld_set}]},
- "cfg.path": {to:[{field: "rsa.misc.cfg_path", setter: fld_set}]},
- "change_attribute": {to:[{field: "rsa.misc.change_attrib", setter: fld_set}]},
- "change_new": {to:[{field: "rsa.misc.change_new", setter: fld_set}]},
- "change_old": {to:[{field: "rsa.misc.change_old", setter: fld_set}]},
- "changes": {to:[{field: "rsa.misc.changes", setter: fld_set}]},
- "checksum": {to:[{field: "rsa.misc.checksum", setter: fld_set}]},
- "checksum.dst": {to:[{field: "rsa.misc.checksum_dst", setter: fld_set}]},
- "checksum.src": 
{to:[{field: "rsa.misc.checksum_src", setter: fld_set}]},
- "cid": {to:[{field: "rsa.internal.cid", setter: fld_set}]},
- "client": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 1}]},
- "client_ip": {to:[{field: "rsa.misc.client_ip", setter: fld_set}]},
- "clustermembers": {to:[{field: "rsa.misc.clustermembers", setter: fld_set}]},
- "cmd": {to:[{field: "rsa.misc.cmd", setter: fld_set}]},
- "cn_acttimeout": {to:[{field: "rsa.misc.cn_acttimeout", setter: fld_set}]},
- "cn_asn_dst": {to:[{field: "rsa.web.cn_asn_dst", setter: fld_set}]},
- "cn_asn_src": {to:[{field: "rsa.misc.cn_asn_src", setter: fld_set}]},
- "cn_bgpv4nxthop": {to:[{field: "rsa.misc.cn_bgpv4nxthop", setter: fld_set}]},
- "cn_ctr_dst_code": {to:[{field: "rsa.misc.cn_ctr_dst_code", setter: fld_set}]},
- "cn_dst_tos": {to:[{field: "rsa.misc.cn_dst_tos", setter: fld_set}]},
- "cn_dst_vlan": {to:[{field: "rsa.misc.cn_dst_vlan", setter: fld_set}]},
- "cn_engine_id": {to:[{field: "rsa.misc.cn_engine_id", setter: fld_set}]},
- "cn_engine_type": {to:[{field: "rsa.misc.cn_engine_type", setter: fld_set}]},
- "cn_f_switch": {to:[{field: "rsa.misc.cn_f_switch", setter: fld_set}]},
- "cn_flowsampid": {to:[{field: "rsa.misc.cn_flowsampid", setter: fld_set}]},
- "cn_flowsampintv": {to:[{field: "rsa.misc.cn_flowsampintv", setter: fld_set}]},
- "cn_flowsampmode": {to:[{field: "rsa.misc.cn_flowsampmode", setter: fld_set}]},
- "cn_inacttimeout": {to:[{field: "rsa.misc.cn_inacttimeout", setter: fld_set}]},
- "cn_inpermbyts": {to:[{field: "rsa.misc.cn_inpermbyts", setter: fld_set}]},
- "cn_inpermpckts": {to:[{field: "rsa.misc.cn_inpermpckts", setter: fld_set}]},
- "cn_invalid": {to:[{field: "rsa.misc.cn_invalid", setter: fld_set}]},
- "cn_ip_proto_ver": {to:[{field: "rsa.misc.cn_ip_proto_ver", setter: fld_set}]},
- "cn_ipv4_ident": {to:[{field: "rsa.misc.cn_ipv4_ident", setter: fld_set}]},
- "cn_l_switch": {to:[{field: "rsa.misc.cn_l_switch", setter: fld_set}]},
- "cn_log_did": {to:[{field: 
"rsa.misc.cn_log_did", setter: fld_set}]},
- "cn_log_rid": {to:[{field: "rsa.misc.cn_log_rid", setter: fld_set}]},
- "cn_max_ttl": {to:[{field: "rsa.misc.cn_max_ttl", setter: fld_set}]},
- "cn_maxpcktlen": {to:[{field: "rsa.misc.cn_maxpcktlen", setter: fld_set}]},
- "cn_min_ttl": {to:[{field: "rsa.misc.cn_min_ttl", setter: fld_set}]},
- "cn_minpcktlen": {to:[{field: "rsa.misc.cn_minpcktlen", setter: fld_set}]},
- "cn_mpls_lbl_1": {to:[{field: "rsa.misc.cn_mpls_lbl_1", setter: fld_set}]},
- "cn_mpls_lbl_10": {to:[{field: "rsa.misc.cn_mpls_lbl_10", setter: fld_set}]},
- "cn_mpls_lbl_2": {to:[{field: "rsa.misc.cn_mpls_lbl_2", setter: fld_set}]},
- "cn_mpls_lbl_3": {to:[{field: "rsa.misc.cn_mpls_lbl_3", setter: fld_set}]},
- "cn_mpls_lbl_4": {to:[{field: "rsa.misc.cn_mpls_lbl_4", setter: fld_set}]},
- "cn_mpls_lbl_5": {to:[{field: "rsa.misc.cn_mpls_lbl_5", setter: fld_set}]},
- "cn_mpls_lbl_6": {to:[{field: "rsa.misc.cn_mpls_lbl_6", setter: fld_set}]},
- "cn_mpls_lbl_7": {to:[{field: "rsa.misc.cn_mpls_lbl_7", setter: fld_set}]},
- "cn_mpls_lbl_8": {to:[{field: "rsa.misc.cn_mpls_lbl_8", setter: fld_set}]},
- "cn_mpls_lbl_9": {to:[{field: "rsa.misc.cn_mpls_lbl_9", setter: fld_set}]},
- "cn_mplstoplabel": {to:[{field: "rsa.misc.cn_mplstoplabel", setter: fld_set}]},
- "cn_mplstoplabip": {to:[{field: "rsa.misc.cn_mplstoplabip", setter: fld_set}]},
- "cn_mul_dst_byt": {to:[{field: "rsa.misc.cn_mul_dst_byt", setter: fld_set}]},
- "cn_mul_dst_pks": {to:[{field: "rsa.misc.cn_mul_dst_pks", setter: fld_set}]},
- "cn_muligmptype": {to:[{field: "rsa.misc.cn_muligmptype", setter: fld_set}]},
- "cn_rpackets": {to:[{field: "rsa.web.cn_rpackets", setter: fld_set}]},
- "cn_sampalgo": {to:[{field: "rsa.misc.cn_sampalgo", setter: fld_set}]},
- "cn_sampint": {to:[{field: "rsa.misc.cn_sampint", setter: fld_set}]},
- "cn_seqctr": {to:[{field: "rsa.misc.cn_seqctr", setter: fld_set}]},
- "cn_spackets": {to:[{field: "rsa.misc.cn_spackets", setter: fld_set}]},
- "cn_src_tos": {to:[{field: 
"rsa.misc.cn_src_tos", setter: fld_set}]},
- "cn_src_vlan": {to:[{field: "rsa.misc.cn_src_vlan", setter: fld_set}]},
- "cn_sysuptime": {to:[{field: "rsa.misc.cn_sysuptime", setter: fld_set}]},
- "cn_template_id": {to:[{field: "rsa.misc.cn_template_id", setter: fld_set}]},
- "cn_totbytsexp": {to:[{field: "rsa.misc.cn_totbytsexp", setter: fld_set}]},
- "cn_totflowexp": {to:[{field: "rsa.misc.cn_totflowexp", setter: fld_set}]},
- "cn_totpcktsexp": {to:[{field: "rsa.misc.cn_totpcktsexp", setter: fld_set}]},
- "cn_unixnanosecs": {to:[{field: "rsa.misc.cn_unixnanosecs", setter: fld_set}]},
- "cn_v6flowlabel": {to:[{field: "rsa.misc.cn_v6flowlabel", setter: fld_set}]},
- "cn_v6optheaders": {to:[{field: "rsa.misc.cn_v6optheaders", setter: fld_set}]},
- "code": {to:[{field: "rsa.misc.code", setter: fld_set}]},
- "command": {to:[{field: "rsa.misc.command", setter: fld_set}]},
- "comments": {to:[{field: "rsa.misc.comments", setter: fld_set}]},
- "comp_class": {to:[{field: "rsa.misc.comp_class", setter: fld_set}]},
- "comp_name": {to:[{field: "rsa.misc.comp_name", setter: fld_set}]},
- "comp_rbytes": {to:[{field: "rsa.misc.comp_rbytes", setter: fld_set}]},
- "comp_sbytes": {to:[{field: "rsa.misc.comp_sbytes", setter: fld_set}]},
- "component_version": {to:[{field: "rsa.misc.comp_version", setter: fld_set}]},
- "connection_id": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 1}]},
- "connectionid": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 0}]},
- "content": {to:[{field: "rsa.misc.content", setter: fld_set}]},
- "content_type": {to:[{field: "rsa.misc.content_type", setter: fld_set}]},
- "content_version": {to:[{field: "rsa.misc.content_version", setter: fld_set}]},
- "context": {to:[{field: "rsa.misc.context", setter: fld_set}]},
- "count": {to:[{field: "rsa.misc.count", setter: fld_set}]},
- "cpu": {convert: to_long, to:[{field: "rsa.misc.cpu", setter: fld_set}]},
- "cpu_data": {to:[{field: "rsa.misc.cpu_data", setter: fld_set}]},
- 
"criticality": {to:[{field: "rsa.misc.criticality", setter: fld_set}]},
- "cs_agency_dst": {to:[{field: "rsa.misc.cs_agency_dst", setter: fld_set}]},
- "cs_analyzedby": {to:[{field: "rsa.misc.cs_analyzedby", setter: fld_set}]},
- "cs_av_other": {to:[{field: "rsa.misc.cs_av_other", setter: fld_set}]},
- "cs_av_primary": {to:[{field: "rsa.misc.cs_av_primary", setter: fld_set}]},
- "cs_av_secondary": {to:[{field: "rsa.misc.cs_av_secondary", setter: fld_set}]},
- "cs_bgpv6nxthop": {to:[{field: "rsa.misc.cs_bgpv6nxthop", setter: fld_set}]},
- "cs_bit9status": {to:[{field: "rsa.misc.cs_bit9status", setter: fld_set}]},
- "cs_context": {to:[{field: "rsa.misc.cs_context", setter: fld_set}]},
- "cs_control": {to:[{field: "rsa.misc.cs_control", setter: fld_set}]},
- "cs_data": {to:[{field: "rsa.misc.cs_data", setter: fld_set}]},
- "cs_datecret": {to:[{field: "rsa.misc.cs_datecret", setter: fld_set}]},
- "cs_dst_tld": {to:[{field: "rsa.misc.cs_dst_tld", setter: fld_set}]},
- "cs_eth_dst_ven": {to:[{field: "rsa.misc.cs_eth_dst_ven", setter: fld_set}]},
- "cs_eth_src_ven": {to:[{field: "rsa.misc.cs_eth_src_ven", setter: fld_set}]},
- "cs_event_uuid": {to:[{field: "rsa.misc.cs_event_uuid", setter: fld_set}]},
- "cs_filetype": {to:[{field: "rsa.misc.cs_filetype", setter: fld_set}]},
- "cs_fld": {to:[{field: "rsa.misc.cs_fld", setter: fld_set}]},
- "cs_if_desc": {to:[{field: "rsa.misc.cs_if_desc", setter: fld_set}]},
- "cs_if_name": {to:[{field: "rsa.misc.cs_if_name", setter: fld_set}]},
- "cs_ip_next_hop": {to:[{field: "rsa.misc.cs_ip_next_hop", setter: fld_set}]},
- "cs_ipv4dstpre": {to:[{field: "rsa.misc.cs_ipv4dstpre", setter: fld_set}]},
- "cs_ipv4srcpre": {to:[{field: "rsa.misc.cs_ipv4srcpre", setter: fld_set}]},
- "cs_lifetime": {to:[{field: "rsa.misc.cs_lifetime", setter: fld_set}]},
- "cs_log_medium": {to:[{field: "rsa.misc.cs_log_medium", setter: fld_set}]},
- "cs_loginname": {to:[{field: "rsa.misc.cs_loginname", setter: fld_set}]},
- "cs_modulescore": {to:[{field: 
"rsa.misc.cs_modulescore", setter: fld_set}]},
- "cs_modulesign": {to:[{field: "rsa.misc.cs_modulesign", setter: fld_set}]},
- "cs_opswatresult": {to:[{field: "rsa.misc.cs_opswatresult", setter: fld_set}]},
- "cs_payload": {to:[{field: "rsa.misc.cs_payload", setter: fld_set}]},
- "cs_registrant": {to:[{field: "rsa.misc.cs_registrant", setter: fld_set}]},
- "cs_registrar": {to:[{field: "rsa.misc.cs_registrar", setter: fld_set}]},
- "cs_represult": {to:[{field: "rsa.misc.cs_represult", setter: fld_set}]},
- "cs_rpayload": {to:[{field: "rsa.misc.cs_rpayload", setter: fld_set}]},
- "cs_sampler_name": {to:[{field: "rsa.misc.cs_sampler_name", setter: fld_set}]},
- "cs_sourcemodule": {to:[{field: "rsa.misc.cs_sourcemodule", setter: fld_set}]},
- "cs_streams": {to:[{field: "rsa.misc.cs_streams", setter: fld_set}]},
- "cs_targetmodule": {to:[{field: "rsa.misc.cs_targetmodule", setter: fld_set}]},
- "cs_v6nxthop": {to:[{field: "rsa.misc.cs_v6nxthop", setter: fld_set}]},
- "cs_whois_server": {to:[{field: "rsa.misc.cs_whois_server", setter: fld_set}]},
- "cs_yararesult": {to:[{field: "rsa.misc.cs_yararesult", setter: fld_set}]},
- "cve": {to:[{field: "rsa.misc.cve", setter: fld_set}]},
- "d_certauth": {to:[{field: "rsa.crypto.d_certauth", setter: fld_set}]},
- "d_cipher": {to:[{field: "rsa.crypto.cipher_dst", setter: fld_set}]},
- "d_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_dst", setter: fld_set}]},
- "d_sslver": {to:[{field: "rsa.crypto.ssl_ver_dst", setter: fld_set}]},
- "data": {to:[{field: "rsa.internal.data", setter: fld_set}]},
- "data_type": {to:[{field: "rsa.misc.data_type", setter: fld_set}]},
- "date": {to:[{field: "rsa.time.date", setter: fld_set}]},
- "datetime": {to:[{field: "rsa.time.datetime", setter: fld_set}]},
- "day": {to:[{field: "rsa.time.day", setter: fld_set}]},
- "db_id": {to:[{field: "rsa.db.db_id", setter: fld_set}]},
- "db_name": {to:[{field: "rsa.db.database", setter: fld_set}]},
- "db_pid": {convert: to_long, to:[{field: 
"rsa.db.db_pid", setter: fld_set}]},
- "dclass_counter1": {convert: to_long, to:[{field: "rsa.counters.dclass_c1", setter: fld_set}]},
- "dclass_counter1_string": {to:[{field: "rsa.counters.dclass_c1_str", setter: fld_set}]},
- "dclass_counter2": {convert: to_long, to:[{field: "rsa.counters.dclass_c2", setter: fld_set}]},
- "dclass_counter2_string": {to:[{field: "rsa.counters.dclass_c2_str", setter: fld_set}]},
- "dclass_counter3": {convert: to_long, to:[{field: "rsa.counters.dclass_c3", setter: fld_set}]},
- "dclass_counter3_string": {to:[{field: "rsa.counters.dclass_c3_str", setter: fld_set}]},
- "dclass_ratio1": {to:[{field: "rsa.counters.dclass_r1", setter: fld_set}]},
- "dclass_ratio1_string": {to:[{field: "rsa.counters.dclass_r1_str", setter: fld_set}]},
- "dclass_ratio2": {to:[{field: "rsa.counters.dclass_r2", setter: fld_set}]},
- "dclass_ratio2_string": {to:[{field: "rsa.counters.dclass_r2_str", setter: fld_set}]},
- "dclass_ratio3": {to:[{field: "rsa.counters.dclass_r3", setter: fld_set}]},
- "dclass_ratio3_string": {to:[{field: "rsa.counters.dclass_r3_str", setter: fld_set}]},
- "dead": {convert: to_long, to:[{field: "rsa.internal.dead", setter: fld_set}]},
- "description": {to:[{field: "rsa.misc.description", setter: fld_set}]},
- "detail": {to:[{field: "rsa.misc.event_desc", setter: fld_set}]},
- "device": {to:[{field: "rsa.misc.device_name", setter: fld_set}]},
- "device.class": {to:[{field: "rsa.internal.device_class", setter: fld_set}]},
- "device.group": {to:[{field: "rsa.internal.device_group", setter: fld_set}]},
- "device.host": {to:[{field: "rsa.internal.device_host", setter: fld_set}]},
- "device.ip": {convert: to_ip, to:[{field: "rsa.internal.device_ip", setter: fld_set}]},
- "device.ipv6": {convert: to_ip, to:[{field: "rsa.internal.device_ipv6", setter: fld_set}]},
- "device.type": {to:[{field: "rsa.internal.device_type", setter: fld_set}]},
- "device.type.id": {convert: to_long, to:[{field: "rsa.internal.device_type_id", setter: fld_set}]}, 
- "devicehostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
- "devvendor": {to:[{field: "rsa.misc.devvendor", setter: fld_set}]},
- "dhost": {to:[{field: "rsa.network.host_dst", setter: fld_set}]},
- "did": {to:[{field: "rsa.internal.did", setter: fld_set}]},
- "dinterface": {to:[{field: "rsa.network.dinterface", setter: fld_set}]},
- "directory.dst": {to:[{field: "rsa.file.directory_dst", setter: fld_set}]},
- "directory.src": {to:[{field: "rsa.file.directory_src", setter: fld_set}]},
- "disk_volume": {to:[{field: "rsa.storage.disk_volume", setter: fld_set}]},
- "disposition": {to:[{field: "rsa.misc.disposition", setter: fld_set}]},
- "distance": {to:[{field: "rsa.misc.distance", setter: fld_set}]},
- "dmask": {to:[{field: "rsa.network.dmask", setter: fld_set}]},
- "dn": {to:[{field: "rsa.identity.dn", setter: fld_set}]},
- "dns_a_record": {to:[{field: "rsa.network.dns_a_record", setter: fld_set}]},
- "dns_cname_record": {to:[{field: "rsa.network.dns_cname_record", setter: fld_set}]},
- "dns_id": {to:[{field: "rsa.network.dns_id", setter: fld_set}]},
- "dns_opcode": {to:[{field: "rsa.network.dns_opcode", setter: fld_set}]},
- "dns_ptr_record": {to:[{field: "rsa.network.dns_ptr_record", setter: fld_set}]},
- "dns_resp": {to:[{field: "rsa.network.dns_resp", setter: fld_set}]},
- "dns_type": {to:[{field: "rsa.network.dns_type", setter: fld_set}]},
- "doc_number": {convert: to_long, to:[{field: "rsa.misc.doc_number", setter: fld_set}]},
- "domain": {to:[{field: "rsa.network.domain", setter: fld_set}]},
- "domain1": {to:[{field: "rsa.network.domain1", setter: fld_set}]},
- "dst_dn": {to:[{field: "rsa.identity.dn_dst", setter: fld_set}]},
- "dst_payload": {to:[{field: "rsa.misc.payload_dst", setter: fld_set}]},
- "dst_spi": {to:[{field: "rsa.misc.spi_dst", setter: fld_set}]},
- "dst_zone": {to:[{field: "rsa.network.zone_dst", setter: fld_set}]},
- "dstburb": {to:[{field: "rsa.misc.dstburb", setter: fld_set}]},
- "duration": {convert: to_double, 
to:[{field: "rsa.time.duration_time", setter: fld_set}]},
- "duration_string": {to:[{field: "rsa.time.duration_str", setter: fld_set}]},
- "ec_activity": {to:[{field: "rsa.investigations.ec_activity", setter: fld_set}]},
- "ec_outcome": {to:[{field: "rsa.investigations.ec_outcome", setter: fld_set}]},
- "ec_subject": {to:[{field: "rsa.investigations.ec_subject", setter: fld_set}]},
- "ec_theme": {to:[{field: "rsa.investigations.ec_theme", setter: fld_set}]},
- "edomain": {to:[{field: "rsa.misc.edomain", setter: fld_set}]},
- "edomaub": {to:[{field: "rsa.misc.edomaub", setter: fld_set}]},
- "effective_time": {convert: to_date, to:[{field: "rsa.time.effective_time", setter: fld_set}]},
- "ein.number": {convert: to_long, to:[{field: "rsa.misc.ein_number", setter: fld_set}]},
- "email": {to:[{field: "rsa.email.email", setter: fld_append}]},
- "encryption_type": {to:[{field: "rsa.crypto.crypto", setter: fld_set}]},
- "endtime": {convert: to_date, to:[{field: "rsa.time.endtime", setter: fld_set}]},
- "entropy.req": {convert: to_long, to:[{field: "rsa.internal.entropy_req", setter: fld_set}]},
- "entropy.res": {convert: to_long, to:[{field: "rsa.internal.entropy_res", setter: fld_set}]},
- "entry": {to:[{field: "rsa.internal.entry", setter: fld_set}]},
- "eoc": {to:[{field: "rsa.investigations.eoc", setter: fld_set}]},
- "error": {to:[{field: "rsa.misc.error", setter: fld_set}]},
- "eth_type": {convert: to_long, to:[{field: "rsa.network.eth_type", setter: fld_set}]},
- "euid": {to:[{field: "rsa.misc.euid", setter: fld_set}]},
- "event.cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 1}]},
- "event.cat.name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 1}]},
- "event_cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 0}]},
- "event_cat_name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 0}]},
- "event_category": {to:[{field: 
"rsa.misc.event_category", setter: fld_set}]},
- "event_computer": {to:[{field: "rsa.misc.event_computer", setter: fld_set}]},
- "event_counter": {convert: to_long, to:[{field: "rsa.counters.event_counter", setter: fld_set}]},
- "event_description": {to:[{field: "rsa.internal.event_desc", setter: fld_set}]},
- "event_id": {to:[{field: "rsa.misc.event_id", setter: fld_set}]},
- "event_log": {to:[{field: "rsa.misc.event_log", setter: fld_set}]},
- "event_name": {to:[{field: "rsa.internal.event_name", setter: fld_set}]},
- "event_queue_time": {convert: to_date, to:[{field: "rsa.time.event_queue_time", setter: fld_set}]},
- "event_source": {to:[{field: "rsa.misc.event_source", setter: fld_set}]},
- "event_state": {to:[{field: "rsa.misc.event_state", setter: fld_set}]},
- "event_time": {convert: to_date, to:[{field: "rsa.time.event_time", setter: fld_set}]},
- "event_time_str": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 1}]},
- "event_time_string": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 0}]},
- "event_type": {to:[{field: "rsa.misc.event_type", setter: fld_set}]},
- "event_user": {to:[{field: "rsa.misc.event_user", setter: fld_set}]},
- "eventtime": {to:[{field: "rsa.time.eventtime", setter: fld_set}]},
- "expected_val": {to:[{field: "rsa.misc.expected_val", setter: fld_set}]},
- "expiration_time": {convert: to_date, to:[{field: "rsa.time.expire_time", setter: fld_set}]},
- "expiration_time_string": {to:[{field: "rsa.time.expire_time_str", setter: fld_set}]},
- "facility": {to:[{field: "rsa.misc.facility", setter: fld_set}]},
- "facilityname": {to:[{field: "rsa.misc.facilityname", setter: fld_set}]},
- "faddr": {to:[{field: "rsa.network.faddr", setter: fld_set}]},
- "fcatnum": {to:[{field: "rsa.misc.fcatnum", setter: fld_set}]},
- "federated_idp": {to:[{field: "rsa.identity.federated_idp", setter: fld_set}]},
- "federated_sp": {to:[{field: "rsa.identity.federated_sp", setter: fld_set}]},
- "feed.category": {to:[{field: 
"rsa.internal.feed_category", setter: fld_set}]},
- "feed_desc": {to:[{field: "rsa.internal.feed_desc", setter: fld_set}]},
- "feed_name": {to:[{field: "rsa.internal.feed_name", setter: fld_set}]},
- "fhost": {to:[{field: "rsa.network.fhost", setter: fld_set}]},
- "file_entropy": {convert: to_double, to:[{field: "rsa.file.file_entropy", setter: fld_set}]},
- "file_vendor": {to:[{field: "rsa.file.file_vendor", setter: fld_set}]},
- "filename_dst": {to:[{field: "rsa.file.filename_dst", setter: fld_set}]},
- "filename_src": {to:[{field: "rsa.file.filename_src", setter: fld_set}]},
- "filename_tmp": {to:[{field: "rsa.file.filename_tmp", setter: fld_set}]},
- "filesystem": {to:[{field: "rsa.file.filesystem", setter: fld_set}]},
- "filter": {to:[{field: "rsa.misc.filter", setter: fld_set}]},
- "finterface": {to:[{field: "rsa.misc.finterface", setter: fld_set}]},
- "flags": {to:[{field: "rsa.misc.flags", setter: fld_set}]},
- "forensic_info": {to:[{field: "rsa.misc.forensic_info", setter: fld_set}]},
- "forward.ip": {convert: to_ip, to:[{field: "rsa.internal.forward_ip", setter: fld_set}]},
- "forward.ipv6": {convert: to_ip, to:[{field: "rsa.internal.forward_ipv6", setter: fld_set}]},
- "found": {to:[{field: "rsa.misc.found", setter: fld_set}]},
- "fport": {to:[{field: "rsa.network.fport", setter: fld_set}]},
- "fqdn": {to:[{field: "rsa.web.fqdn", setter: fld_set}]},
- "fresult": {convert: to_long, to:[{field: "rsa.misc.fresult", setter: fld_set}]},
- "from": {to:[{field: "rsa.email.email_src", setter: fld_set}]},
- "gaddr": {to:[{field: "rsa.misc.gaddr", setter: fld_set}]},
- "gateway": {to:[{field: "rsa.network.gateway", setter: fld_set}]},
- "gmtdate": {to:[{field: "rsa.time.gmtdate", setter: fld_set}]},
- "gmttime": {to:[{field: "rsa.time.gmttime", setter: fld_set}]},
- "group": {to:[{field: "rsa.misc.group", setter: fld_set}]},
- "group_object": {to:[{field: "rsa.misc.group_object", setter: fld_set}]},
- "groupid": {to:[{field: "rsa.misc.group_id", setter: 
fld_set}]},
- "h_code": {to:[{field: "rsa.internal.hcode", setter: fld_set}]},
- "hardware_id": {to:[{field: "rsa.misc.hardware_id", setter: fld_set}]},
- "header.id": {to:[{field: "rsa.internal.header_id", setter: fld_set}]},
- "host.orig": {to:[{field: "rsa.network.host_orig", setter: fld_set}]},
- "host.state": {to:[{field: "rsa.endpoint.host_state", setter: fld_set}]},
- "host.type": {to:[{field: "rsa.network.host_type", setter: fld_set}]},
- "host_role": {to:[{field: "rsa.identity.host_role", setter: fld_set}]},
- "hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
- "hostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
- "hour": {to:[{field: "rsa.time.hour", setter: fld_set}]},
- "https.insact": {to:[{field: "rsa.crypto.https_insact", setter: fld_set}]},
- "https.valid": {to:[{field: "rsa.crypto.https_valid", setter: fld_set}]},
- "icmpcode": {convert: to_long, to:[{field: "rsa.network.icmp_code", setter: fld_set}]},
- "icmptype": {convert: to_long, to:[{field: "rsa.network.icmp_type", setter: fld_set}]},
- "id": {to:[{field: "rsa.misc.reference_id", setter: fld_set}]},
- "id1": {to:[{field: "rsa.misc.reference_id1", setter: fld_set}]},
- "id2": {to:[{field: "rsa.misc.reference_id2", setter: fld_set}]},
- "id3": {to:[{field: "rsa.misc.id3", setter: fld_set}]},
- "ike": {to:[{field: "rsa.crypto.ike", setter: fld_set}]},
- "ike_cookie1": {to:[{field: "rsa.crypto.ike_cookie1", setter: fld_set}]},
- "ike_cookie2": {to:[{field: "rsa.crypto.ike_cookie2", setter: fld_set}]},
- "im_buddyid": {to:[{field: "rsa.misc.im_buddyid", setter: fld_set}]},
- "im_buddyname": {to:[{field: "rsa.misc.im_buddyname", setter: fld_set}]},
- "im_client": {to:[{field: "rsa.misc.im_client", setter: fld_set}]},
- "im_croomid": {to:[{field: "rsa.misc.im_croomid", setter: fld_set}]},
- "im_croomtype": {to:[{field: "rsa.misc.im_croomtype", setter: fld_set}]},
- "im_members": {to:[{field: "rsa.misc.im_members", setter: fld_set}]},
- "im_userid": 
{to:[{field: "rsa.misc.im_userid", setter: fld_set}]},
- "im_username": {to:[{field: "rsa.misc.im_username", setter: fld_set}]},
- "index": {to:[{field: "rsa.misc.index", setter: fld_set}]},
- "info": {to:[{field: "rsa.db.index", setter: fld_set}]},
- "inode": {convert: to_long, to:[{field: "rsa.internal.inode", setter: fld_set}]},
- "inout": {to:[{field: "rsa.misc.inout", setter: fld_set}]},
- "instance": {to:[{field: "rsa.db.instance", setter: fld_set}]},
- "interface": {to:[{field: "rsa.network.interface", setter: fld_set}]},
- "inv.category": {to:[{field: "rsa.investigations.inv_category", setter: fld_set}]},
- "inv.context": {to:[{field: "rsa.investigations.inv_context", setter: fld_set}]},
- "ioc": {to:[{field: "rsa.investigations.ioc", setter: fld_set}]},
- "ip_proto": {convert: to_long, to:[{field: "rsa.network.ip_proto", setter: fld_set}]},
- "ipkt": {to:[{field: "rsa.misc.ipkt", setter: fld_set}]},
- "ipscat": {to:[{field: "rsa.misc.ipscat", setter: fld_set}]},
- "ipspri": {to:[{field: "rsa.misc.ipspri", setter: fld_set}]},
- "jobname": {to:[{field: "rsa.misc.jobname", setter: fld_set}]},
- "jobnum": {to:[{field: "rsa.misc.job_num", setter: fld_set}]},
- "laddr": {to:[{field: "rsa.network.laddr", setter: fld_set}]},
- "language": {to:[{field: "rsa.misc.language", setter: fld_set}]},
- "latitude": {to:[{field: "rsa.misc.latitude", setter: fld_set}]},
- "lc.cid": {to:[{field: "rsa.internal.lc_cid", setter: fld_set}]},
- "lc.ctime": {convert: to_date, to:[{field: "rsa.internal.lc_ctime", setter: fld_set}]},
- "ldap": {to:[{field: "rsa.identity.ldap", setter: fld_set}]},
- "ldap.query": {to:[{field: "rsa.identity.ldap_query", setter: fld_set}]},
- "ldap.response": {to:[{field: "rsa.identity.ldap_response", setter: fld_set}]},
- "level": {convert: to_long, to:[{field: "rsa.internal.level", setter: fld_set}]},
- "lhost": {to:[{field: "rsa.network.lhost", setter: fld_set}]},
- "library": {to:[{field: "rsa.misc.library", setter: fld_set}]},
- "lifetime": 
{convert: to_long, to:[{field: "rsa.misc.lifetime", setter: fld_set}]}, - "linenum": {to:[{field: "rsa.misc.linenum", setter: fld_set}]}, - "link": {to:[{field: "rsa.misc.link", setter: fld_set}]}, - "linterface": {to:[{field: "rsa.network.linterface", setter: fld_set}]}, - "list_name": {to:[{field: "rsa.misc.list_name", setter: fld_set}]}, - "listnum": {to:[{field: "rsa.misc.listnum", setter: fld_set}]}, - "load_data": {to:[{field: "rsa.misc.load_data", setter: fld_set}]}, - "location_floor": {to:[{field: "rsa.misc.location_floor", setter: fld_set}]}, - "location_mark": {to:[{field: "rsa.misc.location_mark", setter: fld_set}]}, - "log_id": {to:[{field: "rsa.misc.log_id", setter: fld_set}]}, - "log_type": {to:[{field: "rsa.misc.log_type", setter: fld_set}]}, - "logid": {to:[{field: "rsa.misc.logid", setter: fld_set}]}, - "logip": {to:[{field: "rsa.misc.logip", setter: fld_set}]}, - "logname": {to:[{field: "rsa.misc.logname", setter: fld_set}]}, - "logon_type": {to:[{field: "rsa.identity.logon_type", setter: fld_set}]}, - "logon_type_desc": {to:[{field: "rsa.identity.logon_type_desc", setter: fld_set}]}, - "longitude": {to:[{field: "rsa.misc.longitude", setter: fld_set}]}, - "lport": {to:[{field: "rsa.misc.lport", setter: fld_set}]}, - "lread": {convert: to_long, to:[{field: "rsa.db.lread", setter: fld_set}]}, - "lun": {to:[{field: "rsa.storage.lun", setter: fld_set}]}, - "lwrite": {convert: to_long, to:[{field: "rsa.db.lwrite", setter: fld_set}]}, - "macaddr": {convert: to_mac, to:[{field: "rsa.network.eth_host", setter: fld_set}]}, - "mail_id": {to:[{field: "rsa.misc.mail_id", setter: fld_set}]}, - "mask": {to:[{field: "rsa.network.mask", setter: fld_set}]}, - "match": {to:[{field: "rsa.misc.match", setter: fld_set}]}, - "mbug_data": {to:[{field: "rsa.misc.mbug_data", setter: fld_set}]}, - "mcb.req": {convert: to_long, to:[{field: "rsa.internal.mcb_req", setter: fld_set}]}, - "mcb.res": {convert: to_long, to:[{field: "rsa.internal.mcb_res", setter: fld_set}]}, - 
"mcbc.req": {convert: to_long, to:[{field: "rsa.internal.mcbc_req", setter: fld_set}]}, - "mcbc.res": {convert: to_long, to:[{field: "rsa.internal.mcbc_res", setter: fld_set}]}, - "medium": {convert: to_long, to:[{field: "rsa.internal.medium", setter: fld_set}]}, - "message": {to:[{field: "rsa.internal.message", setter: fld_set}]}, - "message_body": {to:[{field: "rsa.misc.message_body", setter: fld_set}]}, - "messageid": {to:[{field: "rsa.internal.messageid", setter: fld_set}]}, - "min": {to:[{field: "rsa.time.min", setter: fld_set}]}, - "misc": {to:[{field: "rsa.misc.misc", setter: fld_set}]}, - "misc_name": {to:[{field: "rsa.misc.misc_name", setter: fld_set}]}, - "mode": {to:[{field: "rsa.misc.mode", setter: fld_set}]}, - "month": {to:[{field: "rsa.time.month", setter: fld_set}]}, - "msg": {to:[{field: "rsa.internal.msg", setter: fld_set}]}, - "msgIdPart1": {to:[{field: "rsa.misc.msgIdPart1", setter: fld_set}]}, - "msgIdPart2": {to:[{field: "rsa.misc.msgIdPart2", setter: fld_set}]}, - "msgIdPart3": {to:[{field: "rsa.misc.msgIdPart3", setter: fld_set}]}, - "msgIdPart4": {to:[{field: "rsa.misc.msgIdPart4", setter: fld_set}]}, - "msg_id": {to:[{field: "rsa.internal.msg_id", setter: fld_set}]}, - "msg_type": {to:[{field: "rsa.misc.msg_type", setter: fld_set}]}, - "msgid": {to:[{field: "rsa.misc.msgid", setter: fld_set}]}, - "name": {to:[{field: "rsa.misc.name", setter: fld_set}]}, - "netname": {to:[{field: "rsa.network.netname", setter: fld_set}]}, - "netsessid": {to:[{field: "rsa.misc.netsessid", setter: fld_set}]}, - "network_port": {convert: to_long, to:[{field: "rsa.network.network_port", setter: fld_set}]}, - "network_service": {to:[{field: "rsa.network.network_service", setter: fld_set}]}, - "node": {to:[{field: "rsa.misc.node", setter: fld_set}]}, - "nodename": {to:[{field: "rsa.internal.node_name", setter: fld_set}]}, - "ntype": {to:[{field: "rsa.misc.ntype", setter: fld_set}]}, - "num": {to:[{field: "rsa.misc.num", setter: fld_set}]}, - "number": 
{to:[{field: "rsa.misc.number", setter: fld_set}]}, - "number1": {to:[{field: "rsa.misc.number1", setter: fld_set}]}, - "number2": {to:[{field: "rsa.misc.number2", setter: fld_set}]}, - "nwe.callback_id": {to:[{field: "rsa.internal.nwe_callback_id", setter: fld_set}]}, - "nwwn": {to:[{field: "rsa.misc.nwwn", setter: fld_set}]}, - "obj_id": {to:[{field: "rsa.internal.obj_id", setter: fld_set}]}, - "obj_name": {to:[{field: "rsa.misc.obj_name", setter: fld_set}]}, - "obj_server": {to:[{field: "rsa.internal.obj_server", setter: fld_set}]}, - "obj_type": {to:[{field: "rsa.misc.obj_type", setter: fld_set}]}, - "obj_value": {to:[{field: "rsa.internal.obj_val", setter: fld_set}]}, - "object": {to:[{field: "rsa.misc.object", setter: fld_set}]}, - "observed_val": {to:[{field: "rsa.misc.observed_val", setter: fld_set}]}, - "operation": {to:[{field: "rsa.misc.operation", setter: fld_set}]}, - "operation_id": {to:[{field: "rsa.misc.operation_id", setter: fld_set}]}, - "opkt": {to:[{field: "rsa.misc.opkt", setter: fld_set}]}, - "org.dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 1}]}, - "org.src": {to:[{field: "rsa.physical.org_src", setter: fld_set}]}, - "org_dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 0}]}, - "orig_from": {to:[{field: "rsa.misc.orig_from", setter: fld_set}]}, - "origin": {to:[{field: "rsa.network.origin", setter: fld_set}]}, - "original_owner": {to:[{field: "rsa.identity.owner", setter: fld_set}]}, - "os": {to:[{field: "rsa.misc.OS", setter: fld_set}]}, - "owner_id": {to:[{field: "rsa.misc.owner_id", setter: fld_set}]}, - "p_action": {to:[{field: "rsa.misc.p_action", setter: fld_set}]}, - "p_date": {to:[{field: "rsa.time.p_date", setter: fld_set}]}, - "p_filter": {to:[{field: "rsa.misc.p_filter", setter: fld_set}]}, - "p_group_object": {to:[{field: "rsa.misc.p_group_object", setter: fld_set}]}, - "p_id": {to:[{field: "rsa.misc.p_id", setter: fld_set}]}, - "p_month": {to:[{field: "rsa.time.p_month", setter: fld_set}]}, 
- "p_msgid": {to:[{field: "rsa.misc.p_msgid", setter: fld_set}]}, - "p_msgid1": {to:[{field: "rsa.misc.p_msgid1", setter: fld_set}]}, - "p_msgid2": {to:[{field: "rsa.misc.p_msgid2", setter: fld_set}]}, - "p_result1": {to:[{field: "rsa.misc.p_result1", setter: fld_set}]}, - "p_time": {to:[{field: "rsa.time.p_time", setter: fld_set}]}, - "p_time1": {to:[{field: "rsa.time.p_time1", setter: fld_set}]}, - "p_time2": {to:[{field: "rsa.time.p_time2", setter: fld_set}]}, - "p_url": {to:[{field: "rsa.web.p_url", setter: fld_set}]}, - "p_user_agent": {to:[{field: "rsa.web.p_user_agent", setter: fld_set}]}, - "p_web_cookie": {to:[{field: "rsa.web.p_web_cookie", setter: fld_set}]}, - "p_web_method": {to:[{field: "rsa.web.p_web_method", setter: fld_set}]}, - "p_web_referer": {to:[{field: "rsa.web.p_web_referer", setter: fld_set}]}, - "p_year": {to:[{field: "rsa.time.p_year", setter: fld_set}]}, - "packet_length": {to:[{field: "rsa.network.packet_length", setter: fld_set}]}, - "paddr": {convert: to_ip, to:[{field: "rsa.network.paddr", setter: fld_set}]}, - "param": {to:[{field: "rsa.misc.param", setter: fld_set}]}, - "param.dst": {to:[{field: "rsa.misc.param_dst", setter: fld_set}]}, - "param.src": {to:[{field: "rsa.misc.param_src", setter: fld_set}]}, - "parent_node": {to:[{field: "rsa.misc.parent_node", setter: fld_set}]}, - "parse.error": {to:[{field: "rsa.internal.parse_error", setter: fld_set}]}, - "password": {to:[{field: "rsa.identity.password", setter: fld_set}]}, - "password_chg": {to:[{field: "rsa.misc.password_chg", setter: fld_set}]}, - "password_expire": {to:[{field: "rsa.misc.password_expire", setter: fld_set}]}, - "patient_fname": {to:[{field: "rsa.healthcare.patient_fname", setter: fld_set}]}, - "patient_id": {to:[{field: "rsa.healthcare.patient_id", setter: fld_set}]}, - "patient_lname": {to:[{field: "rsa.healthcare.patient_lname", setter: fld_set}]}, - "patient_mname": {to:[{field: "rsa.healthcare.patient_mname", setter: fld_set}]}, - "payload.req": {convert: 
to_long, to:[{field: "rsa.internal.payload_req", setter: fld_set}]}, - "payload.res": {convert: to_long, to:[{field: "rsa.internal.payload_res", setter: fld_set}]}, - "peer": {to:[{field: "rsa.crypto.peer", setter: fld_set}]}, - "peer_id": {to:[{field: "rsa.crypto.peer_id", setter: fld_set}]}, - "permgranted": {to:[{field: "rsa.misc.permgranted", setter: fld_set}]}, - "permissions": {to:[{field: "rsa.db.permissions", setter: fld_set}]}, - "permwanted": {to:[{field: "rsa.misc.permwanted", setter: fld_set}]}, - "pgid": {to:[{field: "rsa.misc.pgid", setter: fld_set}]}, - "phone_number": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 2}]}, - "phost": {to:[{field: "rsa.network.phost", setter: fld_set}]}, - "pid": {to:[{field: "rsa.misc.pid", setter: fld_set}]}, - "policy": {to:[{field: "rsa.misc.policy", setter: fld_set}]}, - "policyUUID": {to:[{field: "rsa.misc.policyUUID", setter: fld_set}]}, - "policy_id": {to:[{field: "rsa.misc.policy_id", setter: fld_set}]}, - "policy_value": {to:[{field: "rsa.misc.policy_value", setter: fld_set}]}, - "policy_waiver": {to:[{field: "rsa.misc.policy_waiver", setter: fld_set}]}, - "policyname": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 0}]}, - "pool_id": {to:[{field: "rsa.misc.pool_id", setter: fld_set}]}, - "pool_name": {to:[{field: "rsa.misc.pool_name", setter: fld_set}]}, - "port": {convert: to_long, to:[{field: "rsa.network.port", setter: fld_set}]}, - "portname": {to:[{field: "rsa.misc.port_name", setter: fld_set}]}, - "pread": {convert: to_long, to:[{field: "rsa.db.pread", setter: fld_set}]}, - "priority": {to:[{field: "rsa.misc.priority", setter: fld_set}]}, - "privilege": {to:[{field: "rsa.file.privilege", setter: fld_set}]}, - "process.vid.dst": {to:[{field: "rsa.internal.process_vid_dst", setter: fld_set}]}, - "process.vid.src": {to:[{field: "rsa.internal.process_vid_src", setter: fld_set}]}, - "process_id_val": {to:[{field: "rsa.misc.process_id_val", setter: fld_set}]}, - "processing_time": 
{to:[{field: "rsa.time.process_time", setter: fld_set}]}, - "profile": {to:[{field: "rsa.identity.profile", setter: fld_set}]}, - "prog_asp_num": {to:[{field: "rsa.misc.prog_asp_num", setter: fld_set}]}, - "program": {to:[{field: "rsa.misc.program", setter: fld_set}]}, - "protocol_detail": {to:[{field: "rsa.network.protocol_detail", setter: fld_set}]}, - "pwwn": {to:[{field: "rsa.storage.pwwn", setter: fld_set}]}, - "r_hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "real_data": {to:[{field: "rsa.misc.real_data", setter: fld_set}]}, - "realm": {to:[{field: "rsa.identity.realm", setter: fld_set}]}, - "reason": {to:[{field: "rsa.misc.reason", setter: fld_set}]}, - "rec_asp_device": {to:[{field: "rsa.misc.rec_asp_device", setter: fld_set}]}, - "rec_asp_num": {to:[{field: "rsa.misc.rec_asp_num", setter: fld_set}]}, - "rec_library": {to:[{field: "rsa.misc.rec_library", setter: fld_set}]}, - "recorded_time": {convert: to_date, to:[{field: "rsa.time.recorded_time", setter: fld_set}]}, - "recordnum": {to:[{field: "rsa.misc.recordnum", setter: fld_set}]}, - "registry.key": {to:[{field: "rsa.endpoint.registry_key", setter: fld_set}]}, - "registry.value": {to:[{field: "rsa.endpoint.registry_value", setter: fld_set}]}, - "remote_domain": {to:[{field: "rsa.web.remote_domain", setter: fld_set}]}, - "remote_domain_id": {to:[{field: "rsa.network.remote_domain_id", setter: fld_set}]}, - "reputation_num": {convert: to_double, to:[{field: "rsa.web.reputation_num", setter: fld_set}]}, - "resource": {to:[{field: "rsa.internal.resource", setter: fld_set}]}, - "resource_class": {to:[{field: "rsa.internal.resource_class", setter: fld_set}]}, - "result": {to:[{field: "rsa.misc.result", setter: fld_set}]}, - "result_code": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 1}]}, - "resultcode": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 0}]}, - "rid": {convert: to_long, to:[{field: "rsa.internal.rid", setter: fld_set}]}, - "risk": 
{to:[{field: "rsa.misc.risk", setter: fld_set}]}, - "risk_info": {to:[{field: "rsa.misc.risk_info", setter: fld_set}]}, - "risk_num": {convert: to_double, to:[{field: "rsa.misc.risk_num", setter: fld_set}]}, - "risk_num_comm": {convert: to_double, to:[{field: "rsa.misc.risk_num_comm", setter: fld_set}]}, - "risk_num_next": {convert: to_double, to:[{field: "rsa.misc.risk_num_next", setter: fld_set}]}, - "risk_num_sand": {convert: to_double, to:[{field: "rsa.misc.risk_num_sand", setter: fld_set}]}, - "risk_num_static": {convert: to_double, to:[{field: "rsa.misc.risk_num_static", setter: fld_set}]}, - "risk_suspicious": {to:[{field: "rsa.misc.risk_suspicious", setter: fld_set}]}, - "risk_warning": {to:[{field: "rsa.misc.risk_warning", setter: fld_set}]}, - "rpayload": {to:[{field: "rsa.network.rpayload", setter: fld_set}]}, - "ruid": {to:[{field: "rsa.misc.ruid", setter: fld_set}]}, - "rule": {to:[{field: "rsa.misc.rule", setter: fld_set}]}, - "rule_group": {to:[{field: "rsa.misc.rule_group", setter: fld_set}]}, - "rule_template": {to:[{field: "rsa.misc.rule_template", setter: fld_set}]}, - "rule_uid": {to:[{field: "rsa.misc.rule_uid", setter: fld_set}]}, - "rulename": {to:[{field: "rsa.misc.rule_name", setter: fld_set}]}, - "s_certauth": {to:[{field: "rsa.crypto.s_certauth", setter: fld_set}]}, - "s_cipher": {to:[{field: "rsa.crypto.cipher_src", setter: fld_set}]}, - "s_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_src", setter: fld_set}]}, - "s_context": {to:[{field: "rsa.misc.context_subject", setter: fld_set}]}, - "s_sslver": {to:[{field: "rsa.crypto.ssl_ver_src", setter: fld_set}]}, - "sburb": {to:[{field: "rsa.misc.sburb", setter: fld_set}]}, - "scheme": {to:[{field: "rsa.crypto.scheme", setter: fld_set}]}, - "sdomain_fld": {to:[{field: "rsa.misc.sdomain_fld", setter: fld_set}]}, - "search.text": {to:[{field: "rsa.misc.search_text", setter: fld_set}]}, - "sec": {to:[{field: "rsa.misc.sec", setter: fld_set}]}, - "second": {to:[{field: 
"rsa.misc.second", setter: fld_set}]}, - "sensor": {to:[{field: "rsa.misc.sensor", setter: fld_set}]}, - "sensorname": {to:[{field: "rsa.misc.sensorname", setter: fld_set}]}, - "seqnum": {to:[{field: "rsa.misc.seqnum", setter: fld_set}]}, - "serial_number": {to:[{field: "rsa.misc.serial_number", setter: fld_set}]}, - "service.account": {to:[{field: "rsa.identity.service_account", setter: fld_set}]}, - "session": {to:[{field: "rsa.misc.session", setter: fld_set}]}, - "session.split": {to:[{field: "rsa.internal.session_split", setter: fld_set}]}, - "sessionid": {to:[{field: "rsa.misc.log_session_id", setter: fld_set}]}, - "sessionid1": {to:[{field: "rsa.misc.log_session_id1", setter: fld_set}]}, - "sessiontype": {to:[{field: "rsa.misc.sessiontype", setter: fld_set}]}, - "severity": {to:[{field: "rsa.misc.severity", setter: fld_set}]}, - "sid": {to:[{field: "rsa.identity.user_sid_dst", setter: fld_set}]}, - "sig.name": {to:[{field: "rsa.misc.sig_name", setter: fld_set}]}, - "sigUUID": {to:[{field: "rsa.misc.sigUUID", setter: fld_set}]}, - "sigcat": {to:[{field: "rsa.misc.sigcat", setter: fld_set}]}, - "sigid": {convert: to_long, to:[{field: "rsa.misc.sig_id", setter: fld_set}]}, - "sigid1": {convert: to_long, to:[{field: "rsa.misc.sig_id1", setter: fld_set}]}, - "sigid_string": {to:[{field: "rsa.misc.sig_id_str", setter: fld_set}]}, - "signame": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 1}]}, - "sigtype": {to:[{field: "rsa.crypto.sig_type", setter: fld_set}]}, - "sinterface": {to:[{field: "rsa.network.sinterface", setter: fld_set}]}, - "site": {to:[{field: "rsa.internal.site", setter: fld_set}]}, - "size": {convert: to_long, to:[{field: "rsa.internal.size", setter: fld_set}]}, - "smask": {to:[{field: "rsa.network.smask", setter: fld_set}]}, - "snmp.oid": {to:[{field: "rsa.misc.snmp_oid", setter: fld_set}]}, - "snmp.value": {to:[{field: "rsa.misc.snmp_value", setter: fld_set}]}, - "sourcefile": {to:[{field: "rsa.internal.sourcefile", setter: 
fld_set}]}, - "space": {to:[{field: "rsa.misc.space", setter: fld_set}]}, - "space1": {to:[{field: "rsa.misc.space1", setter: fld_set}]}, - "spi": {to:[{field: "rsa.misc.spi", setter: fld_set}]}, - "sql": {to:[{field: "rsa.misc.sql", setter: fld_set}]}, - "src_dn": {to:[{field: "rsa.identity.dn_src", setter: fld_set}]}, - "src_payload": {to:[{field: "rsa.misc.payload_src", setter: fld_set}]}, - "src_spi": {to:[{field: "rsa.misc.spi_src", setter: fld_set}]}, - "src_zone": {to:[{field: "rsa.network.zone_src", setter: fld_set}]}, - "srcburb": {to:[{field: "rsa.misc.srcburb", setter: fld_set}]}, - "srcdom": {to:[{field: "rsa.misc.srcdom", setter: fld_set}]}, - "srcservice": {to:[{field: "rsa.misc.srcservice", setter: fld_set}]}, - "ssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 0}]}, - "stamp": {convert: to_date, to:[{field: "rsa.time.stamp", setter: fld_set}]}, - "starttime": {convert: to_date, to:[{field: "rsa.time.starttime", setter: fld_set}]}, - "state": {to:[{field: "rsa.misc.state", setter: fld_set}]}, - "statement": {to:[{field: "rsa.internal.statement", setter: fld_set}]}, - "status": {to:[{field: "rsa.misc.status", setter: fld_set}]}, - "status1": {to:[{field: "rsa.misc.status1", setter: fld_set}]}, - "streams": {convert: to_long, to:[{field: "rsa.misc.streams", setter: fld_set}]}, - "subcategory": {to:[{field: "rsa.misc.subcategory", setter: fld_set}]}, - "subject": {to:[{field: "rsa.email.subject", setter: fld_set}]}, - "svcno": {to:[{field: "rsa.misc.svcno", setter: fld_set}]}, - "system": {to:[{field: "rsa.misc.system", setter: fld_set}]}, - "t_context": {to:[{field: "rsa.misc.context_target", setter: fld_set}]}, - "task_name": {to:[{field: "rsa.file.task_name", setter: fld_set}]}, - "tbdstr1": {to:[{field: "rsa.misc.tbdstr1", setter: fld_set}]}, - "tbdstr2": {to:[{field: "rsa.misc.tbdstr2", setter: fld_set}]}, - "tbl_name": {to:[{field: "rsa.db.table_name", setter: fld_set}]}, - "tcp_flags": {convert: to_long, to:[{field: 
"rsa.misc.tcp_flags", setter: fld_set}]}, - "terminal": {to:[{field: "rsa.misc.terminal", setter: fld_set}]}, - "tgtdom": {to:[{field: "rsa.misc.tgtdom", setter: fld_set}]}, - "tgtdomain": {to:[{field: "rsa.misc.tgtdomain", setter: fld_set}]}, - "threat_name": {to:[{field: "rsa.threat.threat_category", setter: fld_set}]}, - "threat_source": {to:[{field: "rsa.threat.threat_source", setter: fld_set}]}, - "threat_val": {to:[{field: "rsa.threat.threat_desc", setter: fld_set}]}, - "threshold": {to:[{field: "rsa.misc.threshold", setter: fld_set}]}, - "time": {convert: to_date, to:[{field: "rsa.internal.time", setter: fld_set}]}, - "timestamp": {to:[{field: "rsa.time.timestamp", setter: fld_set}]}, - "timezone": {to:[{field: "rsa.time.timezone", setter: fld_set}]}, - "to": {to:[{field: "rsa.email.email_dst", setter: fld_set}]}, - "tos": {convert: to_long, to:[{field: "rsa.misc.tos", setter: fld_set}]}, - "trans_from": {to:[{field: "rsa.email.trans_from", setter: fld_set}]}, - "trans_id": {to:[{field: "rsa.db.transact_id", setter: fld_set}]}, - "trans_to": {to:[{field: "rsa.email.trans_to", setter: fld_set}]}, - "trigger_desc": {to:[{field: "rsa.misc.trigger_desc", setter: fld_set}]}, - "trigger_val": {to:[{field: "rsa.misc.trigger_val", setter: fld_set}]}, - "type": {to:[{field: "rsa.misc.type", setter: fld_set}]}, - "type1": {to:[{field: "rsa.misc.type1", setter: fld_set}]}, - "tzone": {to:[{field: "rsa.time.tzone", setter: fld_set}]}, - "ubc.req": {convert: to_long, to:[{field: "rsa.internal.ubc_req", setter: fld_set}]}, - "ubc.res": {convert: to_long, to:[{field: "rsa.internal.ubc_res", setter: fld_set}]}, - "udb_class": {to:[{field: "rsa.misc.udb_class", setter: fld_set}]}, - "url_fld": {to:[{field: "rsa.misc.url_fld", setter: fld_set}]}, - "urlpage": {to:[{field: "rsa.web.urlpage", setter: fld_set}]}, - "urlroot": {to:[{field: "rsa.web.urlroot", setter: fld_set}]}, - "user_address": {to:[{field: "rsa.email.email", setter: fld_append}]}, - "user_dept": {to:[{field: 
"rsa.identity.user_dept", setter: fld_set}]}, - "user_div": {to:[{field: "rsa.misc.user_div", setter: fld_set}]}, - "user_fname": {to:[{field: "rsa.identity.firstname", setter: fld_set}]}, - "user_lname": {to:[{field: "rsa.identity.lastname", setter: fld_set}]}, - "user_mname": {to:[{field: "rsa.identity.middlename", setter: fld_set}]}, - "user_org": {to:[{field: "rsa.identity.org", setter: fld_set}]}, - "user_role": {to:[{field: "rsa.identity.user_role", setter: fld_set}]}, - "userid": {to:[{field: "rsa.misc.userid", setter: fld_set}]}, - "username_fld": {to:[{field: "rsa.misc.username_fld", setter: fld_set}]}, - "utcstamp": {to:[{field: "rsa.misc.utcstamp", setter: fld_set}]}, - "v_instafname": {to:[{field: "rsa.misc.v_instafname", setter: fld_set}]}, - "vendor_event_cat": {to:[{field: "rsa.investigations.event_vcat", setter: fld_set}]}, - "version": {to:[{field: "rsa.misc.version", setter: fld_set}]}, - "vid": {to:[{field: "rsa.internal.msg_vid", setter: fld_set}]}, - "virt_data": {to:[{field: "rsa.misc.virt_data", setter: fld_set}]}, - "virusname": {to:[{field: "rsa.misc.virusname", setter: fld_set}]}, - "vlan": {convert: to_long, to:[{field: "rsa.network.vlan", setter: fld_set}]}, - "vlan.name": {to:[{field: "rsa.network.vlan_name", setter: fld_set}]}, - "vm_target": {to:[{field: "rsa.misc.vm_target", setter: fld_set}]}, - "vpnid": {to:[{field: "rsa.misc.vpnid", setter: fld_set}]}, - "vsys": {to:[{field: "rsa.misc.vsys", setter: fld_set}]}, - "vuln_ref": {to:[{field: "rsa.misc.vuln_ref", setter: fld_set}]}, - "web_cookie": {to:[{field: "rsa.web.web_cookie", setter: fld_set}]}, - "web_extension_tmp": {to:[{field: "rsa.web.web_extension_tmp", setter: fld_set}]}, - "web_host": {to:[{field: "rsa.web.alias_host", setter: fld_set}]}, - "web_method": {to:[{field: "rsa.misc.action", setter: fld_append}]}, - "web_page": {to:[{field: "rsa.web.web_page", setter: fld_set}]}, - "web_ref_domain": {to:[{field: "rsa.web.web_ref_domain", setter: fld_set}]}, - "web_ref_host": 
{to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "web_ref_page": {to:[{field: "rsa.web.web_ref_page", setter: fld_set}]}, - "web_ref_query": {to:[{field: "rsa.web.web_ref_query", setter: fld_set}]}, - "web_ref_root": {to:[{field: "rsa.web.web_ref_root", setter: fld_set}]}, - "wifi_channel": {convert: to_long, to:[{field: "rsa.wireless.wlan_channel", setter: fld_set}]}, - "wlan": {to:[{field: "rsa.wireless.wlan_name", setter: fld_set}]}, - "word": {to:[{field: "rsa.internal.word", setter: fld_set}]}, - "workspace_desc": {to:[{field: "rsa.misc.workspace", setter: fld_set}]}, - "workstation": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "year": {to:[{field: "rsa.time.year", setter: fld_set}]}, - "zone": {to:[{field: "rsa.network.zone", setter: fld_set}]}, - }; - - function to_date(value) { - switch (typeof (value)) { - case "object": - // This is a Date. But as it was obtained from evt.Get(), the VM - // doesn't see it as a JS Date anymore, thus value instanceof Date === false. - // Have to trust that any object here is a valid Date for Go. - return value; - case "string": - var asDate = new Date(value); - if (!isNaN(asDate)) return asDate; - } - } - - // ECMAScript 5.1 doesn't have Object.MAX_SAFE_INTEGER / Object.MIN_SAFE_INTEGER. - var maxSafeInt = Math.pow(2, 53) - 1; - var minSafeInt = -maxSafeInt; - - function to_long(value) { - var num = parseInt(value); - // Better not to index a number if it's not safe (above 53 bits). - return !isNaN(num) && minSafeInt <= num && num <= maxSafeInt ? 
num : undefined; - } - - function to_ip(value) { - if (value.indexOf(":") === -1) - return to_ipv4(value); - return to_ipv6(value); - } - - var ipv4_regex = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/; - var ipv6_hex_regex = /^[0-9A-Fa-f]{1,4}$/; - - function to_ipv4(value) { - var result = ipv4_regex.exec(value); - if (result == null || result.length !== 5) return; - for (var i = 1; i < 5; i++) { - var num = strictToInt(result[i]); - if (isNaN(num) || num < 0 || num > 255) return; - } - return value; - } - - function to_ipv6(value) { - var sqEnd = value.indexOf("]"); - if (sqEnd > -1) { - if (value.charAt(0) !== "[") return; - value = value.substr(1, sqEnd - 1); - } - var zoneOffset = value.indexOf("%"); - if (zoneOffset > -1) { - value = value.substr(0, zoneOffset); - } - var parts = value.split(":"); - if (parts == null || parts.length < 3 || parts.length > 8) return; - var numEmpty = 0; - var innerEmpty = 0; - for (var i = 0; i < parts.length; i++) { - if (parts[i].length === 0) { - numEmpty++; - if (i > 0 && i + 1 < parts.length) innerEmpty++; - } else if (!parts[i].match(ipv6_hex_regex) && - // Accept an IPv6 with a valid IPv4 at the end. - ((i + 1 < parts.length) || !to_ipv4(parts[i]))) { - return; - } - } - return innerEmpty === 0 && parts.length === 8 || innerEmpty === 1 ? value : undefined; - } - - function to_double(value) { - return parseFloat(value); - } - - function to_mac(value) { - // ES doesn't have a mac datatype so it's safe to ingest whatever was captured. - return value; - } - - function to_lowercase(value) { - // to_lowercase is used against keyword fields, which can accept - // any other type (numbers, dates). - return typeof(value) === "string"? 
value.toLowerCase() : value; - } - - function fld_set(dst, value) { - dst[this.field] = { v: value }; - } - - function fld_append(dst, value) { - if (dst[this.field] === undefined) { - dst[this.field] = { v: [value] }; - } else { - var base = dst[this.field]; - if (base.v.indexOf(value)===-1) base.v.push(value); - } - } - - function fld_prio(dst, value) { - if (dst[this.field] === undefined) { - dst[this.field] = { v: value, prio: this.prio}; - } else if(this.prio < dst[this.field].prio) { - dst[this.field].v = value; - dst[this.field].prio = this.prio; - } - } - - var valid_ecs_outcome = { - 'failure': true, - 'success': true, - 'unknown': true - }; - - function fld_ecs_outcome(dst, value) { - value = value.toLowerCase(); - if (valid_ecs_outcome[value] === undefined) { - value = 'unknown'; - } - if (dst[this.field] === undefined) { - dst[this.field] = { v: value }; - } else if (dst[this.field].v === 'unknown') { - dst[this.field] = { v: value }; - } - } - - function map_all(evt, targets, value) { - for (var i = 0; i < targets.length; i++) { - evt.Put(targets[i], value); - } - } - - function populate_fields(evt) { - var base = evt.Get(FIELDS_OBJECT); - if (base === null) return; - alternate_datetime(evt); - if (map_ecs) { - do_populate(evt, base, ecs_mappings); - } - if (map_rsa) { - do_populate(evt, base, rsa_mappings); - } - if (keep_raw) { - evt.Put("rsa.raw", base); - } - evt.Delete(FIELDS_OBJECT); - } - - var datetime_alt_components = [ - {field: "day", fmts: [[dF]]}, - {field: "year", fmts: [[dW]]}, - {field: "month", fmts: [[dB],[dG]]}, - {field: "date", fmts: [[dW,dSkip,dG,dSkip,dF],[dW,dSkip,dB,dSkip,dF],[dW,dSkip,dR,dSkip,dF]]}, - {field: "hour", fmts: [[dN]]}, - {field: "min", fmts: [[dU]]}, - {field: "secs", fmts: [[dO]]}, - {field: "time", fmts: [[dN, dSkip, dU, dSkip, dO]]}, - ]; - - function alternate_datetime(evt) { - if (evt.Get(FIELDS_PREFIX + "event_time") != null) { - return; - } - var tzOffset = tz_offset; - if (tzOffset === "event") { - 
tzOffset = evt.Get("event.timezone"); - } - var container = new DateContainer(tzOffset); - for (var i=0; i} ui=%{p0}"); - - var dup3 = match("MESSAGE#0:event_admin/1_0", "nwparser.p0", "%{network_service}(%{saddr}) action=%{p0}"); - - var dup4 = match("MESSAGE#0:event_admin/1_1", "nwparser.p0", "%{network_service->} action=%{p0}"); - - var dup5 = match("MESSAGE#0:event_admin/3_0", "nwparser.p0", "\"%{event_description}\""); - - var dup6 = match_copy("MESSAGE#0:event_admin/3_1", "nwparser.p0", "event_description"); - - var dup7 = setc("eventcategory","1401000000"); - - var dup8 = setf("msg","$MSG"); - - var dup9 = date_time({ - dest: "event_time", - args: ["hdate","htime"], - fmts: [ - [dW,dc("-"),dG,dc("-"),dF,dH,dc(":"),dU,dc(":"),dO], - ], - }); - - var dup10 = setf("hardware_id","hfld1"); - - var dup11 = setf("id","hfld2"); - - var dup12 = setf("id1","hfld3"); - - var dup13 = setf("event_type","msgIdPart1"); - - var dup14 = setf("category","msgIdPart2"); - - var dup15 = setf("severity","hseverity"); - - var dup16 = match("MESSAGE#1:event_pop3/2", "nwparser.p0", "%{action->} status=%{event_state->} msg=%{p0}"); - - var dup17 = setc("eventcategory","1602000000"); - - var dup18 = match("MESSAGE#5:event_smtp:01/0", "nwparser.payload", "user=%{username}ui=%{p0}"); - - var dup19 = match("MESSAGE#5:event_smtp:01/1_0", "nwparser.p0", "%{network_service}(%{hostip}) action=%{p0}"); - - var dup20 = match("MESSAGE#5:event_smtp:01/1_1", "nwparser.p0", "%{network_service}action=%{p0}"); - - var dup21 = match("MESSAGE#5:event_smtp:01/2", "nwparser.p0", "%{action}status=%{event_state}session_id=%{p0}"); - - var dup22 = match("MESSAGE#5:event_smtp:01/3_0", "nwparser.p0", "\"%{sessionid}\"msg=\"STARTTLS=%{p0}"); - - var dup23 = match("MESSAGE#5:event_smtp:01/3_1", "nwparser.p0", "%{sessionid}msg=\"STARTTLS=%{p0}"); - - var dup24 = match("MESSAGE#16:event_smtp/3_0", "nwparser.p0", "\"%{sessionid}\" msg=%{p0}"); - - var dup25 = match("MESSAGE#16:event_smtp/3_1", "nwparser.p0", 
"%{sessionid->} msg=%{p0}"); - - var dup26 = match("MESSAGE#20:virus/0", "nwparser.payload", "from=%{p0}"); - - var dup27 = match("MESSAGE#20:virus/1_0", "nwparser.p0", "\"%{from}\" to=%{p0}"); - - var dup28 = match("MESSAGE#20:virus/1_1", "nwparser.p0", "%{from->} to=%{p0}"); - - var dup29 = match("MESSAGE#20:virus/2_0", "nwparser.p0", "\"%{to}\" src=%{p0}"); - - var dup30 = match("MESSAGE#20:virus/2_1", "nwparser.p0", "%{to->} src=%{p0}"); - - var dup31 = match("MESSAGE#20:virus/3_0", "nwparser.p0", "\"%{saddr}\" session_id=%{p0}"); - - var dup32 = match("MESSAGE#20:virus/3_1", "nwparser.p0", "%{saddr->} session_id=%{p0}"); - - var dup33 = setc("eventcategory","1003010000"); - - var dup34 = setf("event_type","messageid"); - - var dup35 = match("MESSAGE#23:statistics/0", "nwparser.payload", "session_id=%{p0}"); - - var dup36 = match("MESSAGE#23:statistics/1_0", "nwparser.p0", "\"%{sessionid}\" from=%{p0}"); - - var dup37 = match("MESSAGE#23:statistics/1_1", "nwparser.p0", "%{sessionid->} from=%{p0}"); - - var dup38 = match("MESSAGE#23:statistics/2_0", "nwparser.p0", "\"%{from}\" mailer=%{p0}"); - - var dup39 = match("MESSAGE#23:statistics/2_1", "nwparser.p0", "%{from->} mailer=%{p0}"); - - var dup40 = match("MESSAGE#23:statistics/3_0", "nwparser.p0", "\"%{agent}\" client_name=\"%{p0}"); - - var dup41 = match("MESSAGE#23:statistics/3_1", "nwparser.p0", "%{agent->} client_name=\"%{p0}"); - - var dup42 = match("MESSAGE#23:statistics/4_0", "nwparser.p0", "%{fqdn->} [%{saddr}] (%{info})\"%{p0}"); - - var dup43 = match("MESSAGE#23:statistics/4_1", "nwparser.p0", "%{fqdn->} [%{saddr}]\"%{p0}"); - - var dup44 = match("MESSAGE#23:statistics/4_2", "nwparser.p0", "%{saddr}\"%{p0}"); - - var dup45 = match("MESSAGE#23:statistics/6_0", "nwparser.p0", "\"%{context}\" to=%{p0}"); - - var dup46 = match("MESSAGE#23:statistics/6_1", "nwparser.p0", "%{context->} to=%{p0}"); - - var dup47 = match("MESSAGE#23:statistics/7_0", "nwparser.p0", "\"%{to}\" direction=%{p0}"); - - var dup48 = 
match("MESSAGE#23:statistics/7_1", "nwparser.p0", "%{to->} direction=%{p0}"); - - var dup49 = match("MESSAGE#23:statistics/8_0", "nwparser.p0", "\"%{direction}\" message_length=%{p0}"); - - var dup50 = match("MESSAGE#23:statistics/8_1", "nwparser.p0", "%{direction->} message_length=%{p0}"); - - var dup51 = match("MESSAGE#23:statistics/9", "nwparser.p0", "%{fld4->} virus=%{p0}"); - - var dup52 = match("MESSAGE#23:statistics/10_0", "nwparser.p0", "\"%{virusname}\" disposition=%{p0}"); - - var dup53 = match("MESSAGE#23:statistics/10_1", "nwparser.p0", "%{virusname->} disposition=%{p0}"); - - var dup54 = match("MESSAGE#23:statistics/11_0", "nwparser.p0", "\"%{disposition}\" classifier=%{p0}"); - - var dup55 = match("MESSAGE#23:statistics/11_1", "nwparser.p0", "%{disposition->} classifier=%{p0}"); - - var dup56 = match("MESSAGE#23:statistics/12_0", "nwparser.p0", "\"%{filter}\" subject=%{p0}"); - - var dup57 = match("MESSAGE#23:statistics/12_1", "nwparser.p0", "%{filter->} subject=%{p0}"); - - var dup58 = match("MESSAGE#23:statistics/13_0", "nwparser.p0", "\"%{subject}\""); - - var dup59 = match_copy("MESSAGE#23:statistics/13_1", "nwparser.p0", "subject"); - - var dup60 = setc("eventcategory","1207000000"); - - var dup61 = match("MESSAGE#24:statistics:01/5", "nwparser.p0", "%{}resolved=%{p0}"); - - var dup62 = setc("eventcategory","1207040000"); - - var dup63 = linear_select([ - dup3, - dup4, - ]); - - var dup64 = linear_select([ - dup5, - dup6, - ]); - - var dup65 = linear_select([ - dup19, - dup20, - ]); - - var dup66 = linear_select([ - dup22, - dup23, - ]); - - var dup67 = linear_select([ - dup3, - dup20, - ]); - - var dup68 = linear_select([ - dup24, - dup25, - ]); - - var dup69 = linear_select([ - dup27, - dup28, - ]); - - var dup70 = linear_select([ - dup29, - dup30, - ]); - - var dup71 = linear_select([ - dup36, - dup37, - ]); - - var dup72 = linear_select([ - dup38, - dup39, - ]); - - var dup73 = linear_select([ - dup40, - dup41, - ]); - - var dup74 = 
linear_select([ - dup42, - dup43, - dup44, - ]); - - var dup75 = linear_select([ - dup45, - dup46, - ]); - - var dup76 = linear_select([ - dup47, - dup48, - ]); - - var dup77 = linear_select([ - dup49, - dup50, - ]); - - var dup78 = linear_select([ - dup52, - dup53, - ]); - - var dup79 = linear_select([ - dup54, - dup55, - ]); - - var dup80 = linear_select([ - dup56, - dup57, - ]); - - var dup81 = linear_select([ - dup58, - dup59, - ]); - - var dup82 = all_match({ - processors: [ - dup2, - dup63, - dup16, - dup64, - ], - on_success: processor_chain([ - dup17, - dup8, - dup9, - dup10, - dup11, - dup12, - dup13, - dup14, - dup15, - ]), - }); - - var hdr1 = match("HEADER#0:0001", "message", "date=%{hdate->} time=%{htime->} device_id=%{hfld1->} log_id=%{hfld2->} log_part=%{hfld3->} type=%{msgIdPart1->} subtype=%{msgIdPart2->} pri=%{hseverity->} %{payload}", processor_chain([ - setc("header_id","0001"), - dup1, - ])); - - var hdr2 = match("HEADER#1:0002", "message", "date=%{hdate->} time=%{htime->} device_id=%{hfld1->} log_id=%{hfld2->} log_part=%{hfld3->} type=%{messageid->} pri=%{hseverity->} %{payload}", processor_chain([ - setc("header_id","0002"), - ])); - - var hdr3 = match("HEADER#2:0003", "message", "date=%{hdate->} time=%{htime->} device_id=%{hfld1->} log_id=%{hfld2->} type=%{msgIdPart1->} subtype=%{msgIdPart2->} pri=%{hseverity->} %{payload}", processor_chain([ - setc("header_id","0003"), - dup1, - ])); - - var hdr4 = match("HEADER#3:0004", "message", "date=%{hdate->} time=%{htime->} device_id=%{hfld1->} log_id=%{hfld2->} type=%{messageid->} pri=%{hseverity->} %{payload}", processor_chain([ - setc("header_id","0004"), - ])); - - var select1 = linear_select([ - hdr1, - hdr2, - hdr3, - hdr4, - ]); - - var part1 = match("MESSAGE#0:event_admin/2", "nwparser.p0", "%{action->} status=%{event_state->} reason=%{result->} msg=%{p0}"); - - var all1 = all_match({ - processors: [ - dup2, - dup63, - part1, - dup64, - ], - on_success: processor_chain([ - dup7, - dup8, - 
dup9, - dup10, - dup11, - dup12, - dup13, - dup14, - dup15, - ]), - }); - - var msg1 = msg("event_admin", all1); - - var msg2 = msg("event_pop3", dup82); - - var all2 = all_match({ - processors: [ - dup2, - dup63, - dup16, - dup64, - ], - on_success: processor_chain([ - dup7, - dup8, - dup9, - dup10, - dup11, - dup12, - dup13, - dup14, - dup15, - ]), - }); - - var msg3 = msg("event_webmail", all2); - - var msg4 = msg("event_system", dup82); - - var msg5 = msg("event_imap", dup82); - - var part2 = match("MESSAGE#5:event_smtp:01/4", "nwparser.p0", "%{fld1}, relay=%{p0}"); - - var part3 = match("MESSAGE#5:event_smtp:01/5_0", "nwparser.p0", "%{shost}[%{saddr}], version=%{p0}"); - - var part4 = match("MESSAGE#5:event_smtp:01/5_1", "nwparser.p0", "%{shost}, version=%{p0}"); - - var select2 = linear_select([ - part3, - part4, - ]); - - var part5 = match("MESSAGE#5:event_smtp:01/6", "nwparser.p0", "%{version}, verify=%{fld2}, cipher=%{s_cipher}, bits=%{fld3}\""); - - var all3 = all_match({ - processors: [ - dup18, - dup65, - dup21, - dup66, - part2, - select2, - part5, - ], - on_success: processor_chain([ - dup17, - dup8, - dup9, - dup10, - dup11, - dup12, - dup13, - dup14, - dup15, - ]), - }); - - var msg6 = msg("event_smtp:01", all3); - - var part6 = match("MESSAGE#6:event_smtp:02/4", "nwparser.p0", "%{fld1}, cert-subject=%{cert_subject}, cert-issuer=%{fld2}, verifymsg=%{fld3}\""); - - var all4 = all_match({ - processors: [ - dup18, - dup65, - dup21, - dup66, - part6, - ], - on_success: processor_chain([ - dup17, - dup8, - dup9, - dup10, - dup11, - dup12, - dup13, - dup14, - dup15, - ]), - }); - - var msg7 = msg("event_smtp:02", all4); - - var part7 = match("MESSAGE#7:event_smtp:03/2", "nwparser.p0", "%{action}status=%{event_state}session_id=\"%{sessionid}\" msg=\"to=\u003c\u003c%{to}>, delay=%{fld1}, xdelay=%{fld2}, mailer=%{protocol}, pri=%{fld3}, relay=%{shost}[%{saddr}], dsn=%{fld4}, stat=%{fld5}\""); - - var all5 = all_match({ - processors: [ - dup18, - dup65, - 
part7, - ], - on_success: processor_chain([ - dup17, - dup8, - dup9, - dup10, - dup11, - dup12, - dup13, - dup14, - dup15, - ]), - }); - - var msg8 = msg("event_smtp:03", all5); - - var part8 = match("MESSAGE#8:event_smtp:04/0", "nwparser.payload", "user=%{username}ui=%{network_service}action=%{action}status=%{event_state}session_id=\"%{sessionid}\" msg=\"from=\u003c\u003c%{from}>, size=%{bytes}, class=%{fld2}, nrcpts=%{p0}"); - - var part9 = match("MESSAGE#8:event_smtp:04/1_0", "nwparser.p0", "%{fld3}, msgid=\u003c\u003c%{fld4}>, proto=%{p0}"); - - var part10 = match("MESSAGE#8:event_smtp:04/1_1", "nwparser.p0", "%{fld3}, proto=%{p0}"); - - var select3 = linear_select([ - part9, - part10, - ]); - - var part11 = match("MESSAGE#8:event_smtp:04/2", "nwparser.p0", "%{protocol}, daemon=%{process}, relay=%{p0}"); - - var part12 = match("MESSAGE#8:event_smtp:04/3_0", "nwparser.p0", "%{shost}[%{saddr}] (may be forged)\""); - - var part13 = match("MESSAGE#8:event_smtp:04/3_1", "nwparser.p0", "%{shost}[%{saddr}]\""); - - var part14 = match("MESSAGE#8:event_smtp:04/3_2", "nwparser.p0", "%{shost}\""); - - var select4 = linear_select([ - part12, - part13, - part14, - ]); - - var all6 = all_match({ - processors: [ - part8, - select3, - part11, - select4, - ], - on_success: processor_chain([ - dup17, - dup8, - dup9, - dup10, - dup11, - dup12, - dup13, - dup14, - dup15, - ]), - }); - - var msg9 = msg("event_smtp:04", all6); - - var part15 = match("MESSAGE#9:event_smtp:05/2", "nwparser.p0", "%{action}status=%{event_state}session_id=\"%{sessionid}\" msg=\"Milter: to=\u003c\u003c%{to}>, reject=%{fld1}\""); - - var all7 = all_match({ - processors: [ - dup18, - dup67, - part15, - ], - on_success: processor_chain([ - dup17, - dup8, - dup9, - dup10, - dup11, - dup12, - dup13, - dup14, - dup15, - ]), - }); - - var msg10 = msg("event_smtp:05", all7); - - var part16 = match("MESSAGE#10:event_smtp:06/2", "nwparser.p0", "%{action}status=%{event_state}session_id=\"%{sessionid}\" msg=\"timeout 
waiting for input from%{p0}"); - - var part17 = match("MESSAGE#10:event_smtp:06/3_0", "nwparser.p0", "[%{saddr}]during server cmd%{p0}"); - - var part18 = match("MESSAGE#10:event_smtp:06/3_1", "nwparser.p0", "%{saddr}during server cmd%{p0}"); - - var select5 = linear_select([ - part17, - part18, - ]); - - var part19 = match("MESSAGE#10:event_smtp:06/4", "nwparser.p0", "%{fld5}\""); - - var all8 = all_match({ - processors: [ - dup18, - dup65, - part16, - select5, - part19, - ], - on_success: processor_chain([ - dup17, - dup8, - dup9, - dup10, - dup11, - dup12, - dup13, - dup14, - dup15, - ]), - }); - - var msg11 = msg("event_smtp:06", all8); - - var part20 = match("MESSAGE#11:event_smtp:07/2", "nwparser.p0", "%{action}status=%{event_state}session_id=\"%{sessionid}\" msg=\"collect:%{fld1}timeout on connection from%{shost}, from=\u003c\u003c%{from}>\""); - - var all9 = all_match({ - processors: [ - dup18, - dup67, - part20, - ], - on_success: processor_chain([ - dup17, - dup8, - dup9, - dup10, - dup11, - dup12, - dup13, - dup14, - dup15, - ]), - }); - - var msg12 = msg("event_smtp:07", all9); - - var part21 = match("MESSAGE#12:event_smtp:08/2", "nwparser.p0", "%{action}status=%{event_state}session_id=\"%{sessionid}\" msg=\"DSN: to \u003c\u003c%{to}>; reason:%{result}; sessionid:%{fld5}\""); - - var all10 = all_match({ - processors: [ - dup18, - dup67, - part21, - ], - on_success: processor_chain([ - dup17, - dup8, - dup9, - dup10, - dup11, - dup12, - dup13, - dup14, - dup15, - ]), - }); - - var msg13 = msg("event_smtp:08", all10); - - var part22 = match("MESSAGE#13:event_smtp:09/2", "nwparser.p0", "%{action}status=%{event_state}session_id=\"%{sessionid}\" msg=\"lost input channel from%{shost}[%{saddr}] (may be forged) to SMTP_MTA after rcpt\""); - - var all11 = all_match({ - processors: [ - dup18, - dup65, - part22, - ], - on_success: processor_chain([ - dup17, - dup8, - dup9, - dup10, - dup11, - dup12, - dup13, - dup14, - dup15, - ]), - }); - - var msg14 = 
msg("event_smtp:09", all11); - - var part23 = match("MESSAGE#14:event_smtp:10/2", "nwparser.p0", "%{action}status=%{event_state}session_id=\"%{sessionid}\" msg=\"%{shost}[%{saddr}]: possible SMTP attack: command=%{fld1}, count=%{dclass_counter1}\""); - - var all12 = all_match({ - processors: [ - dup18, - dup65, - part23, - ], - on_success: processor_chain([ - dup17, - dup8, - dup9, - dup10, - dup11, - dup12, - dup13, - dup14, - dup15, - setc("dclass_counter1_string","count"), - ]), - }); - - var msg15 = msg("event_smtp:10", all12); - - var part24 = match("MESSAGE#15:event_smtp:11/2", "nwparser.p0", "%{action}status=%{event_state}session_id=\"%{sessionid}\" log_part=%{id1->} msg=\"to=\u003c\u003c%{to}, delay=%{p0}"); - - var part25 = match("MESSAGE#15:event_smtp:11/3_0", "nwparser.p0", "%{fld1}, xdelay=%{fld2}, mailer=%{protocol}, pri=%{fld3}, relay=%{shost}\""); - - var part26 = match("MESSAGE#15:event_smtp:11/3_1", "nwparser.p0", "%{fld1}, xdelay=%{fld2}, mailer=%{protocol}, pri=%{fld3}\""); - - var part27 = match("MESSAGE#15:event_smtp:11/3_2", "nwparser.p0", "%{fld1}, xdelay=%{fld2}, mailer=%{protocol}\""); - - var part28 = match("MESSAGE#15:event_smtp:11/3_3", "nwparser.p0", "%{fld1}\""); - - var select6 = linear_select([ - part25, - part26, - part27, - part28, - ]); - - var all13 = all_match({ - processors: [ - dup18, - dup65, - part24, - select6, - ], - on_success: processor_chain([ - dup17, - dup8, - dup9, - dup10, - dup11, - dup12, - dup13, - dup14, - dup15, - ]), - }); - - var msg16 = msg("event_smtp:11", all13); - - var part29 = match("MESSAGE#16:event_smtp/2", "nwparser.p0", "%{action->} status=%{event_state->} session_id=%{p0}"); - - var all14 = all_match({ - processors: [ - dup2, - dup63, - part29, - dup68, - dup64, - ], - on_success: processor_chain([ - dup17, - dup8, - dup9, - dup10, - dup11, - dup12, - dup13, - dup14, - dup15, - ]), - }); - - var msg17 = msg("event_smtp", all14); - - var part30 = tagval("MESSAGE#17:event_smtp:12", 
"nwparser.payload", tvm, { - "action": "action", - "log_part": "id1", - "msg": "info", - "session_id": "sessionid", - "status": "event_state", - "ui": "network_service", - "user": "username", - }, processor_chain([ - dup17, - dup8, - dup9, - dup10, - dup11, - dup12, - dup13, - dup14, - dup15, - ])); - - var msg18 = msg("event_smtp:12", part30); - - var select7 = linear_select([ - msg6, - msg7, - msg8, - msg9, - msg10, - msg11, - msg12, - msg13, - msg14, - msg15, - msg16, - msg17, - msg18, - ]); - - var part31 = match("MESSAGE#18:event_update/0", "nwparser.payload", "msg=%{p0}"); - - var all15 = all_match({ - processors: [ - part31, - dup64, - ], - on_success: processor_chain([ - dup17, - dup8, - dup9, - dup10, - dup11, - dup12, - dup13, - dup14, - dup15, - ]), - }); - - var msg19 = msg("event_update", all15); - - var part32 = match("MESSAGE#19:event_config/1_0", "nwparser.p0", "%{network_service}(%{saddr}) module=%{p0}"); - - var part33 = match("MESSAGE#19:event_config/1_1", "nwparser.p0", "%{network_service->} module=%{p0}"); - - var select8 = linear_select([ - part32, - part33, - ]); - - var part34 = match("MESSAGE#19:event_config/2", "nwparser.p0", "%{fld1->} submodule=%{fld2->} msg=%{p0}"); - - var all16 = all_match({ - processors: [ - dup2, - select8, - part34, - dup64, - ], - on_success: processor_chain([ - setc("eventcategory","1701000000"), - dup8, - dup9, - dup10, - dup11, - dup12, - dup13, - dup14, - dup15, - ]), - }); - - var msg20 = msg("event_config", all16); - - var select9 = linear_select([ - dup31, - dup32, - ]); - - var all17 = all_match({ - processors: [ - dup26, - dup69, - dup70, - select9, - dup68, - dup64, - ], - on_success: processor_chain([ - dup33, - dup8, - dup9, - dup10, - dup11, - dup12, - dup34, - dup15, - ]), - }); - - var msg21 = msg("virus", all17); - - var part35 = match("MESSAGE#21:virus_infected/2_0", "nwparser.p0", "\"%{to}\" client_name=\"%{p0}"); - - var part36 = match("MESSAGE#21:virus_infected/2_1", "nwparser.p0", "%{to->} 
client_name=\"%{p0}"); - - var select10 = linear_select([ - part35, - part36, - ]); - - var part37 = match("MESSAGE#21:virus_infected/3", "nwparser.p0", "%{fqdn}\" client_ip=\"%{saddr}\" session_id=%{p0}"); - - var all18 = all_match({ - processors: [ - dup26, - dup69, - select10, - part37, - dup68, - dup64, - ], - on_success: processor_chain([ - dup33, - dup8, - dup9, - dup10, - dup11, - dup12, - dup13, - dup15, - ]), - }); - - var msg22 = msg("virus_infected", all18); - - var part38 = match("MESSAGE#22:virus_file-signature/0_0", "nwparser.payload", "from=\"%{from}\" to=%{p0}"); - - var part39 = match("MESSAGE#22:virus_file-signature/0_1", "nwparser.payload", "%{from->} to=%{p0}"); - - var select11 = linear_select([ - part38, - part39, - ]); - - var part40 = match("MESSAGE#22:virus_file-signature/2_0", "nwparser.p0", "\"%{sdomain->} [%{saddr}]\" session_id=%{p0}"); - - var part41 = match("MESSAGE#22:virus_file-signature/2_1", "nwparser.p0", "%{sdomain->} [%{saddr}] session_id=%{p0}"); - - var part42 = match("MESSAGE#22:virus_file-signature/2_2", "nwparser.p0", "\"[%{saddr}]\" session_id=%{p0}"); - - var part43 = match("MESSAGE#22:virus_file-signature/2_3", "nwparser.p0", "[%{saddr}] session_id=%{p0}"); - - var select12 = linear_select([ - part40, - part41, - part42, - part43, - dup31, - dup32, - ]); - - var part44 = match("MESSAGE#22:virus_file-signature/4_0", "nwparser.p0", "\"Attachment file (%(unknown)) has sha1 hash value: %{checksum}\""); - - var select13 = linear_select([ - part44, - dup5, - dup6, - ]); - - var all19 = all_match({ - processors: [ - select11, - dup70, - select12, - dup68, - select13, - ], - on_success: processor_chain([ - dup33, - dup8, - dup9, - dup10, - dup11, - dup12, - dup34, - dup15, - ]), - }); - - var msg23 = msg("virus_file-signature", all19); - - var part45 = match("MESSAGE#23:statistics/5", "nwparser.p0", "%{}MSISDN=%{fld3->} resolved=%{p0}"); - - var all20 = all_match({ - processors: [ - dup35, - dup71, - dup72, - dup73, - dup74, - 
part45, - dup75, - dup76, - dup77, - dup51, - dup78, - dup79, - dup80, - dup81, - ], - on_success: processor_chain([ - dup60, - dup8, - dup9, - dup10, - dup11, - dup12, - dup34, - dup15, - ]), - }); - - var msg24 = msg("statistics", all20); - - var all21 = all_match({ - processors: [ - dup35, - dup71, - dup72, - dup73, - dup74, - dup61, - dup75, - dup76, - dup77, - dup51, - dup78, - dup79, - dup80, - dup81, - ], - on_success: processor_chain([ - dup60, - dup8, - dup9, - dup10, - dup11, - dup12, - dup34, - dup15, - ]), - }); - - var msg25 = msg("statistics:01", all21); - - var part46 = match("MESSAGE#25:statistics:02/4_0", "nwparser.p0", "\"%{direction}\" subject=%{p0}"); - - var part47 = match("MESSAGE#25:statistics:02/4_1", "nwparser.p0", "%{direction->} subject=%{p0}"); - - var select14 = linear_select([ - part46, - part47, - ]); - - var part48 = match("MESSAGE#25:statistics:02/5_0", "nwparser.p0", "\"%{subject}\" classifier=%{p0}"); - - var part49 = match("MESSAGE#25:statistics:02/5_1", "nwparser.p0", "%{subject->} classifier=%{p0}"); - - var select15 = linear_select([ - part48, - part49, - ]); - - var part50 = match("MESSAGE#25:statistics:02/6_0", "nwparser.p0", "\"%{filter}\" disposition=%{p0}"); - - var part51 = match("MESSAGE#25:statistics:02/6_1", "nwparser.p0", "%{filter->} disposition=%{p0}"); - - var select16 = linear_select([ - part50, - part51, - ]); - - var part52 = match("MESSAGE#25:statistics:02/7_0", "nwparser.p0", "\"%{disposition}\" client_name=\"%{p0}"); - - var part53 = match("MESSAGE#25:statistics:02/7_1", "nwparser.p0", "%{disposition->} client_name=\"%{p0}"); - - var select17 = linear_select([ - part52, - part53, - ]); - - var part54 = match("MESSAGE#25:statistics:02/10_0", "nwparser.p0", "\"%{context}\" virus=%{p0}"); - - var part55 = match("MESSAGE#25:statistics:02/10_1", "nwparser.p0", "%{context->} virus=%{p0}"); - - var select18 = linear_select([ - part54, - part55, - ]); - - var part56 = match("MESSAGE#25:statistics:02/11_0", 
"nwparser.p0", "\"%{virusname}\" message_length=%{p0}"); - - var part57 = match("MESSAGE#25:statistics:02/11_1", "nwparser.p0", "%{virusname->} message_length=%{p0}"); - - var select19 = linear_select([ - part56, - part57, - ]); - - var part58 = match_copy("MESSAGE#25:statistics:02/12", "nwparser.p0", "fld4"); - - var all22 = all_match({ - processors: [ - dup35, - dup71, - dup69, - dup76, - select14, - select15, - select16, - select17, - dup74, - dup61, - select18, - select19, - part58, - ], - on_success: processor_chain([ - dup60, - dup8, - dup9, - dup10, - dup11, - dup12, - dup34, - dup15, - ]), - }); - - var msg26 = msg("statistics:02", all22); - - var part59 = match("MESSAGE#26:statistics:03/0", "nwparser.payload", "session_id=\"%{sessionid}\" client_name=\"%{p0}"); - - var part60 = match("MESSAGE#26:statistics:03/1_0", "nwparser.p0", "%{fqdn}[%{saddr}] (may be forged)\"%{p0}"); - - var part61 = match("MESSAGE#26:statistics:03/1_1", "nwparser.p0", "%{fqdn}[%{saddr}]\"%{p0}"); - - var part62 = match("MESSAGE#26:statistics:03/1_2", "nwparser.p0", "[%{saddr}]\"%{p0}"); - - var select20 = linear_select([ - part60, - part61, - part62, - ]); - - var part63 = match("MESSAGE#26:statistics:03/2", "nwparser.p0", "dst_ip=\"%{daddr}\" from=\"%{from}\" to=\"%{to}\"%{p0}"); - - var part64 = match("MESSAGE#26:statistics:03/3_0", "nwparser.p0", " polid=\"%{fld5}\" domain=\"%{domain}\" subject=\"%{subject}\" mailer=\"%{agent}\" resolved=\"%{context}\"%{p0}"); - - var part65 = match_copy("MESSAGE#26:statistics:03/3_1", "nwparser.p0", "p0"); - - var select21 = linear_select([ - part64, - part65, - ]); - - var part66 = match("MESSAGE#26:statistics:03/4", "nwparser.p0", "%{}direction=\"%{direction}\" virus=\"%{virusname}\" disposition=\"%{disposition}\" classifier=\"%{filter}\" message_length=%{fld4}"); - - var all23 = all_match({ - processors: [ - part59, - select20, - part63, - select21, - part66, - ], - on_success: processor_chain([ - dup60, - dup8, - dup9, - dup10, - dup11, - 
dup12, - dup34, - dup15, - ]), - }); - - var msg27 = msg("statistics:03", all23); - - var part67 = match("MESSAGE#27:statistics:04/1_0", "nwparser.p0", "\"%{sessionid}\" client_name=%{p0}"); - - var part68 = match("MESSAGE#27:statistics:04/1_1", "nwparser.p0", "%{sessionid->} client_name=%{p0}"); - - var select22 = linear_select([ - part67, - part68, - ]); - - var part69 = match("MESSAGE#27:statistics:04/2_0", "nwparser.p0", "\"%{fqdn}[%{saddr}]\"dst_ip=%{p0}"); - - var part70 = match("MESSAGE#27:statistics:04/2_1", "nwparser.p0", "%{fqdn}[%{saddr}]dst_ip=%{p0}"); - - var part71 = match("MESSAGE#27:statistics:04/2_2", "nwparser.p0", "\"[%{saddr}]\"dst_ip=%{p0}"); - - var part72 = match("MESSAGE#27:statistics:04/2_3", "nwparser.p0", "[%{saddr}]dst_ip=%{p0}"); - - var part73 = match("MESSAGE#27:statistics:04/2_4", "nwparser.p0", "\"%{saddr}\"dst_ip=%{p0}"); - - var part74 = match("MESSAGE#27:statistics:04/2_5", "nwparser.p0", "%{saddr}dst_ip=%{p0}"); - - var select23 = linear_select([ - part69, - part70, - part71, - part72, - part73, - part74, - ]); - - var part75 = match("MESSAGE#27:statistics:04/3_0", "nwparser.p0", "\"%{daddr}\" from=%{p0}"); - - var part76 = match("MESSAGE#27:statistics:04/3_1", "nwparser.p0", "%{daddr->} from=%{p0}"); - - var select24 = linear_select([ - part75, - part76, - ]); - - var part77 = match("MESSAGE#27:statistics:04/4_0", "nwparser.p0", "\"%{from}\" hfrom=%{p0}"); - - var part78 = match("MESSAGE#27:statistics:04/4_1", "nwparser.p0", "%{from->} hfrom=%{p0}"); - - var select25 = linear_select([ - part77, - part78, - ]); - - var part79 = match("MESSAGE#27:statistics:04/5_0", "nwparser.p0", "\"%{fld3}\" to=%{p0}"); - - var part80 = match("MESSAGE#27:statistics:04/5_1", "nwparser.p0", "%{fld3->} to=%{p0}"); - - var select26 = linear_select([ - part79, - part80, - ]); - - var part81 = match("MESSAGE#27:statistics:04/6_0", "nwparser.p0", "\"%{to}\" polid=%{p0}"); - - var part82 = match("MESSAGE#27:statistics:04/6_1", "nwparser.p0", "%{to->} 
polid=%{p0}"); - - var select27 = linear_select([ - part81, - part82, - ]); - - var part83 = match("MESSAGE#27:statistics:04/7_0", "nwparser.p0", "\"%{fld5}\" domain=%{p0}"); - - var part84 = match("MESSAGE#27:statistics:04/7_1", "nwparser.p0", "%{fld5->} domain=%{p0}"); - - var select28 = linear_select([ - part83, - part84, - ]); - - var part85 = match("MESSAGE#27:statistics:04/8_0", "nwparser.p0", "\"%{domain}\" subject=%{p0}"); - - var part86 = match("MESSAGE#27:statistics:04/8_1", "nwparser.p0", "%{domain->} subject=%{p0}"); - - var select29 = linear_select([ - part85, - part86, - ]); - - var part87 = match("MESSAGE#27:statistics:04/9_0", "nwparser.p0", "\"%{subject}\" mailer=%{p0}"); - - var part88 = match("MESSAGE#27:statistics:04/9_1", "nwparser.p0", "%{subject->} mailer=%{p0}"); - - var select30 = linear_select([ - part87, - part88, - ]); - - var part89 = match("MESSAGE#27:statistics:04/10_0", "nwparser.p0", "\"%{agent}\" resolved=%{p0}"); - - var part90 = match("MESSAGE#27:statistics:04/10_1", "nwparser.p0", "%{agent->} resolved=%{p0}"); - - var select31 = linear_select([ - part89, - part90, - ]); - - var part91 = match("MESSAGE#27:statistics:04/11_0", "nwparser.p0", "\"%{context}\" direction=%{p0}"); - - var part92 = match("MESSAGE#27:statistics:04/11_1", "nwparser.p0", "%{context->} direction=%{p0}"); - - var select32 = linear_select([ - part91, - part92, - ]); - - var part93 = match("MESSAGE#27:statistics:04/12_0", "nwparser.p0", "\"%{direction}\" virus=%{p0}"); - - var part94 = match("MESSAGE#27:statistics:04/12_1", "nwparser.p0", "%{direction->} virus=%{p0}"); - - var select33 = linear_select([ - part93, - part94, - ]); - - var part95 = match("MESSAGE#27:statistics:04/15_0", "nwparser.p0", "\"%{filter}\" message_length=%{p0}"); - - var part96 = match("MESSAGE#27:statistics:04/15_1", "nwparser.p0", "%{filter->} message_length=%{p0}"); - - var select34 = linear_select([ - part95, - part96, - ]); - - var part97 = match("MESSAGE#27:statistics:04/16_0", 
"nwparser.p0", "\"%{fld6}\""); - - var part98 = match_copy("MESSAGE#27:statistics:04/16_1", "nwparser.p0", "fld6"); - - var select35 = linear_select([ - part97, - part98, - ]); - - var all24 = all_match({ - processors: [ - dup35, - select22, - select23, - select24, - select25, - select26, - select27, - select28, - select29, - select30, - select31, - select32, - select33, - dup78, - dup79, - select34, - select35, - ], - on_success: processor_chain([ - dup60, - dup8, - dup9, - dup10, - dup11, - dup12, - dup34, - dup15, - ]), - }); - - var msg28 = msg("statistics:04", all24); - - var part99 = tagval("MESSAGE#28:statistics:05", "nwparser.payload", tvm, { - "classifier": "filter", - "client_ip": "saddr", - "client_name": "fqdn", - "direction": "direction", - "disposition": "disposition", - "domain": "domain", - "dst_ip": "daddr", - "from": "from", - "hfrom": "fld3", - "mailer": "agent", - "message_length": "fld6", - "polid": "fld5", - "resolved": "context", - "session_id": "sessionid", - "src_type": "fld7", - "subject": "subject", - "to": "to", - "virus": "virusname", - }, processor_chain([ - dup60, - dup8, - dup9, - dup10, - dup11, - dup12, - dup34, - dup15, - ])); - - var msg29 = msg("statistics:05", part99); - - var select36 = linear_select([ - msg24, - msg25, - msg26, - msg27, - msg28, - msg29, - ]); - - var part100 = match("MESSAGE#29:spam/1_0", "nwparser.p0", "\"%{sessionid}\" client_name=\"%{p0}"); - - var part101 = match("MESSAGE#29:spam/1_1", "nwparser.p0", "%{sessionid->} client_name=\"%{p0}"); - - var select37 = linear_select([ - part100, - part101, - ]); - - var part102 = match("MESSAGE#29:spam/3", "nwparser.p0", "%{}from=%{p0}"); - - var part103 = match("MESSAGE#29:spam/5_0", "nwparser.p0", "\"%{to}\" subject=%{p0}"); - - var part104 = match("MESSAGE#29:spam/5_1", "nwparser.p0", "%{to->} subject=%{p0}"); - - var select38 = linear_select([ - part103, - part104, - ]); - - var part105 = match("MESSAGE#29:spam/6_0", "nwparser.p0", "\"%{subject}\" msg=%{p0}"); - 
- var part106 = match("MESSAGE#29:spam/6_1", "nwparser.p0", "%{subject->} msg=%{p0}"); - - var select39 = linear_select([ - part105, - part106, - ]); - - var all25 = all_match({ - processors: [ - dup35, - select37, - dup74, - part102, - dup69, - select38, - select39, - dup64, - ], - on_success: processor_chain([ - dup62, - dup8, - dup9, - dup10, - dup11, - dup12, - dup34, - dup15, - ]), - }); - - var msg30 = msg("spam", all25); - - var part107 = match("MESSAGE#30:spam:04", "nwparser.payload", "session_id=\"%{sessionid}\" client_name=\"%{fqdn->} [%{saddr}] (%{fld2})\" dst_ip=\"%{daddr}\" from=\"%{from}\" to=\"%{to}\" subject=\"%{subject}\" msg=\"%{event_description}\"", processor_chain([ - dup62, - dup8, - dup9, - dup10, - dup11, - dup12, - dup34, - dup15, - ])); - - var msg31 = msg("spam:04", part107); - - var part108 = match("MESSAGE#31:spam:03/0", "nwparser.payload", "session_id=\"%{sessionid}\" client_name=%{p0}"); - - var part109 = match("MESSAGE#31:spam:03/1_0", "nwparser.p0", "\"%{fqdn->} [%{saddr}]\" %{p0}"); - - var part110 = match("MESSAGE#31:spam:03/1_1", "nwparser.p0", " \"%{fqdn}\" client_ip=\"%{saddr}\"%{p0}"); - - var select40 = linear_select([ - part109, - part110, - ]); - - var part111 = match("MESSAGE#31:spam:03/2", "nwparser.p0", "%{}dst_ip=\"%{daddr}\" from=\"%{from}\" to=\"%{to}\" subject=\"%{subject}\" msg=\"%{event_description}\""); - - var all26 = all_match({ - processors: [ - part108, - select40, - part111, - ], - on_success: processor_chain([ - dup62, - dup8, - dup9, - dup10, - dup11, - dup12, - dup34, - dup15, - ]), - }); - - var msg32 = msg("spam:03", all26); - - var part112 = match("MESSAGE#32:spam:02", "nwparser.payload", "session_id=\"%{sessionid}\" from=\"%{from}\" to=\"%{to}\" subject=\"%{subject}\" msg=\"%{event_description}\"", processor_chain([ - dup62, - dup8, - dup9, - dup10, - dup11, - dup12, - dup34, - dup15, - ])); - - var msg33 = msg("spam:02", part112); - - var part113 = match("MESSAGE#33:spam:01/3_0", "nwparser.p0", 
"\"%{to}\" msg=%{p0}"); - - var part114 = match("MESSAGE#33:spam:01/3_1", "nwparser.p0", "%{to->} msg=%{p0}"); - - var select41 = linear_select([ - part113, - part114, - ]); - - var all27 = all_match({ - processors: [ - dup35, - dup71, - dup69, - select41, - dup64, - ], - on_success: processor_chain([ - dup62, - dup8, - dup9, - dup10, - dup11, - dup12, - dup34, - dup15, - ]), - }); - - var msg34 = msg("spam:01", all27); - - var select42 = linear_select([ - msg30, - msg31, - msg32, - msg33, - msg34, - ]); - - var chain1 = processor_chain([ - select1, - msgid_select({ - "event_admin": msg1, - "event_config": msg20, - "event_imap": msg5, - "event_pop3": msg2, - "event_smtp": select7, - "event_system": msg4, - "event_update": msg19, - "event_webmail": msg3, - "spam": select42, - "statistics": select36, - "virus": msg21, - "virus_file-signature": msg23, - "virus_infected": msg22, - }), - ]); - - var part115 = match("MESSAGE#0:event_admin/0", "nwparser.payload", "user=%{username->} ui=%{p0}"); - - var part116 = match("MESSAGE#0:event_admin/1_0", "nwparser.p0", "%{network_service}(%{saddr}) action=%{p0}"); - - var part117 = match("MESSAGE#0:event_admin/1_1", "nwparser.p0", "%{network_service->} action=%{p0}"); - - var part118 = match("MESSAGE#0:event_admin/3_0", "nwparser.p0", "\"%{event_description}\""); - - var part119 = match_copy("MESSAGE#0:event_admin/3_1", "nwparser.p0", "event_description"); - - var part120 = match("MESSAGE#1:event_pop3/2", "nwparser.p0", "%{action->} status=%{event_state->} msg=%{p0}"); - - var part121 = match("MESSAGE#5:event_smtp:01/0", "nwparser.payload", "user=%{username}ui=%{p0}"); - - var part122 = match("MESSAGE#5:event_smtp:01/1_0", "nwparser.p0", "%{network_service}(%{hostip}) action=%{p0}"); - - var part123 = match("MESSAGE#5:event_smtp:01/1_1", "nwparser.p0", "%{network_service}action=%{p0}"); - - var part124 = match("MESSAGE#5:event_smtp:01/2", "nwparser.p0", "%{action}status=%{event_state}session_id=%{p0}"); - - var part125 = 
match("MESSAGE#5:event_smtp:01/3_0", "nwparser.p0", "\"%{sessionid}\"msg=\"STARTTLS=%{p0}"); - - var part126 = match("MESSAGE#5:event_smtp:01/3_1", "nwparser.p0", "%{sessionid}msg=\"STARTTLS=%{p0}"); - - var part127 = match("MESSAGE#16:event_smtp/3_0", "nwparser.p0", "\"%{sessionid}\" msg=%{p0}"); - - var part128 = match("MESSAGE#16:event_smtp/3_1", "nwparser.p0", "%{sessionid->} msg=%{p0}"); - - var part129 = match("MESSAGE#20:virus/0", "nwparser.payload", "from=%{p0}"); - - var part130 = match("MESSAGE#20:virus/1_0", "nwparser.p0", "\"%{from}\" to=%{p0}"); - - var part131 = match("MESSAGE#20:virus/1_1", "nwparser.p0", "%{from->} to=%{p0}"); - - var part132 = match("MESSAGE#20:virus/2_0", "nwparser.p0", "\"%{to}\" src=%{p0}"); - - var part133 = match("MESSAGE#20:virus/2_1", "nwparser.p0", "%{to->} src=%{p0}"); - - var part134 = match("MESSAGE#20:virus/3_0", "nwparser.p0", "\"%{saddr}\" session_id=%{p0}"); - - var part135 = match("MESSAGE#20:virus/3_1", "nwparser.p0", "%{saddr->} session_id=%{p0}"); - - var part136 = match("MESSAGE#23:statistics/0", "nwparser.payload", "session_id=%{p0}"); - - var part137 = match("MESSAGE#23:statistics/1_0", "nwparser.p0", "\"%{sessionid}\" from=%{p0}"); - - var part138 = match("MESSAGE#23:statistics/1_1", "nwparser.p0", "%{sessionid->} from=%{p0}"); - - var part139 = match("MESSAGE#23:statistics/2_0", "nwparser.p0", "\"%{from}\" mailer=%{p0}"); - - var part140 = match("MESSAGE#23:statistics/2_1", "nwparser.p0", "%{from->} mailer=%{p0}"); - - var part141 = match("MESSAGE#23:statistics/3_0", "nwparser.p0", "\"%{agent}\" client_name=\"%{p0}"); - - var part142 = match("MESSAGE#23:statistics/3_1", "nwparser.p0", "%{agent->} client_name=\"%{p0}"); - - var part143 = match("MESSAGE#23:statistics/4_0", "nwparser.p0", "%{fqdn->} [%{saddr}] (%{info})\"%{p0}"); - - var part144 = match("MESSAGE#23:statistics/4_1", "nwparser.p0", "%{fqdn->} [%{saddr}]\"%{p0}"); - - var part145 = match("MESSAGE#23:statistics/4_2", "nwparser.p0", 
"%{saddr}\"%{p0}"); - - var part146 = match("MESSAGE#23:statistics/6_0", "nwparser.p0", "\"%{context}\" to=%{p0}"); - - var part147 = match("MESSAGE#23:statistics/6_1", "nwparser.p0", "%{context->} to=%{p0}"); - - var part148 = match("MESSAGE#23:statistics/7_0", "nwparser.p0", "\"%{to}\" direction=%{p0}"); - - var part149 = match("MESSAGE#23:statistics/7_1", "nwparser.p0", "%{to->} direction=%{p0}"); - - var part150 = match("MESSAGE#23:statistics/8_0", "nwparser.p0", "\"%{direction}\" message_length=%{p0}"); - - var part151 = match("MESSAGE#23:statistics/8_1", "nwparser.p0", "%{direction->} message_length=%{p0}"); - - var part152 = match("MESSAGE#23:statistics/9", "nwparser.p0", "%{fld4->} virus=%{p0}"); - - var part153 = match("MESSAGE#23:statistics/10_0", "nwparser.p0", "\"%{virusname}\" disposition=%{p0}"); - - var part154 = match("MESSAGE#23:statistics/10_1", "nwparser.p0", "%{virusname->} disposition=%{p0}"); - - var part155 = match("MESSAGE#23:statistics/11_0", "nwparser.p0", "\"%{disposition}\" classifier=%{p0}"); - - var part156 = match("MESSAGE#23:statistics/11_1", "nwparser.p0", "%{disposition->} classifier=%{p0}"); - - var part157 = match("MESSAGE#23:statistics/12_0", "nwparser.p0", "\"%{filter}\" subject=%{p0}"); - - var part158 = match("MESSAGE#23:statistics/12_1", "nwparser.p0", "%{filter->} subject=%{p0}"); - - var part159 = match("MESSAGE#23:statistics/13_0", "nwparser.p0", "\"%{subject}\""); - - var part160 = match_copy("MESSAGE#23:statistics/13_1", "nwparser.p0", "subject"); - - var part161 = match("MESSAGE#24:statistics:01/5", "nwparser.p0", "%{}resolved=%{p0}"); - - var select43 = linear_select([ - dup3, - dup4, - ]); - - var select44 = linear_select([ - dup5, - dup6, - ]); - - var select45 = linear_select([ - dup19, - dup20, - ]); - - var select46 = linear_select([ - dup22, - dup23, - ]); - - var select47 = linear_select([ - dup3, - dup20, - ]); - - var select48 = linear_select([ - dup24, - dup25, - ]); - - var select49 = linear_select([ - 
dup27, - dup28, - ]); - - var select50 = linear_select([ - dup29, - dup30, - ]); - - var select51 = linear_select([ - dup36, - dup37, - ]); - - var select52 = linear_select([ - dup38, - dup39, - ]); - - var select53 = linear_select([ - dup40, - dup41, - ]); - - var select54 = linear_select([ - dup42, - dup43, - dup44, - ]); - - var select55 = linear_select([ - dup45, - dup46, - ]); - - var select56 = linear_select([ - dup47, - dup48, - ]); - - var select57 = linear_select([ - dup49, - dup50, - ]); - - var select58 = linear_select([ - dup52, - dup53, - ]); - - var select59 = linear_select([ - dup54, - dup55, - ]); - - var select60 = linear_select([ - dup56, - dup57, - ]); - - var select61 = linear_select([ - dup58, - dup59, - ]); - - var all28 = all_match({ - processors: [ - dup2, - dup63, - dup16, - dup64, - ], - on_success: processor_chain([ - dup17, - dup8, - dup9, - dup10, - dup11, - dup12, - dup13, - dup14, - dup15, - ]), - }); - -- community_id: -- registered_domain: - ignore_missing: true - ignore_failure: true - field: dns.question.name - target_field: dns.question.registered_domain - target_subdomain_field: dns.question.subdomain - target_etld_field: dns.question.top_level_domain -- registered_domain: - ignore_missing: true - ignore_failure: true - field: client.domain - target_field: client.registered_domain - target_subdomain_field: client.subdomain - target_etld_field: client.top_level_domain -- registered_domain: - ignore_missing: true - ignore_failure: true - field: server.domain - target_field: server.registered_domain - target_subdomain_field: server.subdomain - target_etld_field: server.top_level_domain -- registered_domain: - ignore_missing: true - ignore_failure: true - field: destination.domain - target_field: destination.registered_domain - target_subdomain_field: destination.subdomain - target_etld_field: destination.top_level_domain -- registered_domain: - ignore_missing: true - ignore_failure: true - field: source.domain - target_field: 
source.registered_domain
- target_subdomain_field: source.subdomain
- target_etld_field: source.top_level_domain
-- registered_domain:
- ignore_missing: true
- ignore_failure: true
- field: url.domain
- target_field: url.registered_domain
- target_subdomain_field: url.subdomain
- target_etld_field: url.top_level_domain
-- add_locale: ~
diff --git a/packages/fortinet_fortimail/1.1.2/data_stream/log/elasticsearch/ingest_pipeline/default.yml b/packages/fortinet_fortimail/1.1.2/data_stream/log/elasticsearch/ingest_pipeline/default.yml
deleted file mode 100755
index ccb35fd2e4..0000000000
--- a/packages/fortinet_fortimail/1.1.2/data_stream/log/elasticsearch/ingest_pipeline/default.yml
+++ /dev/null
@@ -1,76 +0,0 @@ ---- -description: Pipeline for Fortinet FortiMail -processors: - - set: - field: ecs.version - value: '8.3.0' - - set: - field: observer.vendor - value: Fortinet - - set: - field: observer.product - value: FortiMail - - set: - field: observer.type - value: firewall - # User agent - - user_agent: - field: user_agent.original - ignore_missing: true - # IP Geolocation Lookup - - geoip: - field: source.ip - target_field: source.geo - ignore_missing: true - - geoip: - field: destination.ip - target_field: destination.geo - ignore_missing: true - - # IP Autonomous System (AS) Lookup - - geoip: - database_file: GeoLite2-ASN.mmdb - field: source.ip - target_field: source.as - properties: - - asn - - organization_name - ignore_missing: true - - geoip: - database_file: GeoLite2-ASN.mmdb - field: destination.ip - target_field: destination.as - properties: - - asn - - organization_name - ignore_missing: true - - rename: - field: source.as.asn - target_field: source.as.number - ignore_missing: true - - rename: - field: source.as.organization_name - target_field: source.as.organization.name - ignore_missing: true - - rename: - field: destination.as.asn - target_field: destination.as.number - ignore_missing: true - - rename: - field: destination.as.organization_name - target_field: destination.as.organization.name - ignore_missing: true - - append: - field: related.hosts - value: '{{host.name}}' - allow_duplicates: false - if: ctx.host?.name != null && ctx.host?.name != '' - - remove: - field: event.original - if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" - ignore_failure: true - ignore_missing: true -on_failure: - - append: - field: error.message - value: "{{ _ingest.on_failure_message }}" diff --git a/packages/fortinet_fortimail/1.1.2/data_stream/log/fields/agent.yml b/packages/fortinet_fortimail/1.1.2/data_stream/log/fields/agent.yml deleted file mode 100755 index 38bb8dcec5..0000000000 
--- a/packages/fortinet_fortimail/1.1.2/data_stream/log/fields/agent.yml +++ /dev/null 
@@ -1,175 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). 
- example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - diff --git a/packages/fortinet_fortimail/1.1.2/data_stream/log/fields/base-fields.yml b/packages/fortinet_fortimail/1.1.2/data_stream/log/fields/base-fields.yml deleted file mode 100755 index 141913f4ee..0000000000 --- a/packages/fortinet_fortimail/1.1.2/data_stream/log/fields/base-fields.yml +++ /dev/null 
@@ -1,43 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: event.module - type: constant_keyword - description: Event module - value: fortinet -- name: event.dataset - type: constant_keyword - description: Event dataset - value: fortinet_fortimail.log -- name: container.id - description: Unique container id. - ignore_above: 1024 - type: keyword -- name: input.type - description: Type of Filebeat input. - type: keyword -- name: log.file.path - description: Full path to the log file this event came from. - example: /var/log/fun-times.log - ignore_above: 1024 - type: keyword -- name: log.source.address - description: Source address from which the log event was read / sent from. - type: keyword -- name: log.flags - description: Flags for the log file. - type: keyword -- name: log.offset - description: Offset of the entry in the log file. - type: long -- name: tags - description: List of keywords used to tag each event. - example: '["production", "env2"]' - ignore_above: 1024 - type: keyword diff --git a/packages/fortinet_fortimail/1.1.2/data_stream/log/fields/ecs.yml b/packages/fortinet_fortimail/1.1.2/data_stream/log/fields/ecs.yml deleted file mode 100755 index 86a7d52a55..0000000000 --- a/packages/fortinet_fortimail/1.1.2/data_stream/log/fields/ecs.yml +++ /dev/null 
@@ -1,556 +0,0 @@ -- description: |- - Date/time when the event originated. - This is the date/time extracted from the event, typically representing when the event was generated by the source. - If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. - Required field for all events. - name: '@timestamp' - type: date -- description: |- - The domain name of the client system. - This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. - name: client.domain - type: keyword -- description: |- - The highest registered client domain, stripped of the subdomain. - For example, the registered domain for "foo.example.com" is "example.com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". - name: client.registered_domain - type: keyword -- description: |- - The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. - For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. - name: client.subdomain - type: keyword -- description: |- - The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). 
Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". - name: client.top_level_domain - type: keyword -- description: |- - Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: destination.address - type: keyword -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: destination.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: destination.as.organization.name - type: keyword -- description: Bytes sent from the destination to the source. - name: destination.bytes - type: long -- description: |- - The domain name of the destination system. - This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. - name: destination.domain - type: keyword -- description: City name. - name: destination.geo.city_name - type: keyword -- description: Country name. - name: destination.geo.country_name - type: keyword -- description: Longitude and latitude. - name: destination.geo.location - type: geo_point -- description: IP address of the destination (IPv4 or IPv6). - name: destination.ip - type: ip -- description: |- - MAC address of the destination. - The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. 
- name: destination.mac - pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ - type: keyword -- description: |- - Translated ip of destination based NAT sessions (e.g. internet to private DMZ) - Typically used with load balancers, firewalls, or routers. - name: destination.nat.ip - type: ip -- description: |- - Port the source session is translated to by NAT Device. - Typically used with load balancers, firewalls, or routers. - name: destination.nat.port - type: long -- description: Port of the destination. - name: destination.port - type: long -- description: |- - The highest registered destination domain, stripped of the subdomain. - For example, the registered domain for "foo.example.com" is "example.com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". - name: destination.registered_domain - type: keyword -- description: |- - The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. - For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. - name: destination.subdomain - type: keyword -- description: |- - The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". 
- name: destination.top_level_domain - type: keyword -- description: |- - The domain name to which this resource record pertains. - If a chain of CNAME is being resolved, each answer's `name` should be the one that corresponds with the answer's `data`. It should not simply be the original `question.name` repeated. - name: dns.answers.name - type: keyword -- description: The type of data contained in this resource record. - name: dns.answers.type - type: keyword -- description: |- - The highest registered domain, stripped of the subdomain. - For example, the registered domain for "foo.example.com" is "example.com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". - name: dns.question.registered_domain - type: keyword -- description: |- - The subdomain is all of the labels under the registered_domain. - If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. - name: dns.question.subdomain - type: keyword -- description: |- - The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". - name: dns.question.top_level_domain - type: keyword -- description: The type of record being queried. - name: dns.question.type - type: keyword -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. 
- When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: Error message. - name: error.message - type: match_only_text -- description: |- - The action captured by the event. - This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. - name: event.action - type: keyword -- description: |- - Identification code for this event, if one exists. - Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. - name: event.code - type: keyword -- description: |- - Timestamp when an event arrived in the central data store. - This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. - In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. - name: event.ingested - type: date -- description: |- - Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. - This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. - doc_values: false - index: false - name: event.original - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. 
- `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. - Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. - Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. - Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. - name: event.outcome - type: keyword -- description: |- - This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. - Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). - name: event.timezone - type: keyword -- description: |- - Array of file attributes. - Attributes names will vary by platform. Here's a non-exhaustive list of values that are expected in this field: archive, compressed, directory, encrypted, execute, hidden, read, readonly, system, write. - name: file.attributes - normalize: - - array - type: keyword -- description: Directory where the file is located. It should include the drive letter, when appropriate. - name: file.directory - type: keyword -- description: |- - File extension, excluding the leading dot. - Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). - name: file.extension - type: keyword -- description: Name of the file including the extension, without the directory. 
- name: file.name - type: keyword -- description: Full path to the file, including the file name. It should include the drive letter, when appropriate. - multi_fields: - - name: text - type: match_only_text - name: file.path - type: keyword -- description: |- - File size in bytes. - Only relevant when `file.type` is "file". - name: file.size - type: long -- description: File type (file, dir, or symlink). - name: file.type - type: keyword -- description: City name. - name: geo.city_name - type: keyword -- description: Country name. - name: geo.country_name - type: keyword -- description: |- - User-defined description of a location, at the level of granularity they care about. - Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. - Not typically used in automated geolocation. - name: geo.name - type: keyword -- description: Region name. - name: geo.region_name - type: keyword -- description: Unique identifier for the group on the system/platform. - name: group.id - type: keyword -- description: Name of the group. - name: group.name - type: keyword -- description: |- - Hostname of the host. - It normally contains what the `hostname` command returns on the host machine. - name: host.hostname - type: keyword -- description: Host ip addresses. - name: host.ip - normalize: - - array - type: ip -- description: |- - Host MAC addresses. - The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. - name: host.mac - normalize: - - array - pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ - type: keyword -- description: |- - Name of the host. - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. 
- name: host.name - type: keyword -- description: |- - HTTP request method. - The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field. - name: http.request.method - type: keyword -- description: Referrer for this HTTP request. - name: http.request.referrer - type: keyword -- description: |- - Original log level of the log event. - If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). - Some examples are `warn`, `err`, `i`, `informational`. - name: log.level - type: keyword -- description: |- - The Syslog numeric facility of the log event, if available. - According to RFCs 5424 and 3164, this value should be an integer between 0 and 23. - name: log.syslog.facility.code - type: long -- description: |- - Syslog numeric priority of the event, if available. - According to RFCs 5424 and 3164, the priority is 8 * facility + severity. This number is therefore expected to contain a value between 0 and 191. - name: log.syslog.priority - type: long -- description: |- - The Syslog numeric severity of the log event, if available. - If the event source publishing via Syslog provides a different numeric severity value (e.g. firewall, IDS), your source's numeric severity should go to `event.severity`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `event.severity`. - name: log.syslog.severity.code - type: long -- description: |- - For log events the message field contains the log message, optimized for viewing in a log viewer. - For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. - If multiple messages exist, they can be combined into one message. 
- name: message - type: match_only_text -- description: |- - When a specific application or service is identified from network connection details (source/dest IPs, ports, certificates, or wire format), this field captures the application's or service's name. - For example, the original event identifies the network connection being from a specific web service in a `https` network connection, like `facebook` or `twitter`. - The field value must be normalized to lowercase for querying. - name: network.application - type: keyword -- description: |- - Total bytes transferred in both directions. - If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. - name: network.bytes - type: long -- description: |- - Direction of the network traffic. - Recommended values are: - * ingress - * egress - * inbound - * outbound - * internal - * external - * unknown - - When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". - When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". - Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. - name: network.direction - type: keyword -- description: Host IP address when the source IP address is the proxy. - name: network.forwarded_ip - type: ip -- description: |- - Total packets transferred in both directions. - If `source.packets` and `destination.packets` are known, `network.packets` is their sum. - name: network.packets - type: long -- description: |- - In the OSI Model this would be the Application Layer protocol. 
For example, `http`, `dns`, or `ssh`. - The field value must be normalized to lowercase for querying. - name: network.protocol - type: keyword -- description: Interface name as reported by the system. - name: observer.egress.interface.name - type: keyword -- description: Interface name as reported by the system. - name: observer.ingress.interface.name - type: keyword -- description: The product name of the observer. - name: observer.product - type: keyword -- description: |- - The type of the observer the data is coming from. - There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. - name: observer.type - type: keyword -- description: Vendor name of the observer. - name: observer.vendor - type: keyword -- description: Observer version. - name: observer.version - type: keyword -- description: |- - Process name. - Sometimes called program name or similar. - multi_fields: - - name: text - type: match_only_text - name: process.name - type: keyword -- description: |- - Process name. - Sometimes called program name or similar. - multi_fields: - - name: text - type: match_only_text - name: process.parent.name - type: keyword -- description: |- - Process title. - The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. - multi_fields: - - name: text - type: match_only_text - name: process.parent.title - type: keyword -- description: Process id. - name: process.pid - type: long -- description: Process id. - name: process.parent.pid - type: long -- description: |- - Process title. - The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. - multi_fields: - - name: text - type: match_only_text - name: process.title - type: keyword -- description: All hostnames or other host identifiers seen on your event. 
Example identifiers include FQDNs, domain names, workstation names, or aliases. - name: related.hosts - normalize: - - array - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - normalize: - - array - type: ip -- description: All the user names or other user identifiers seen on the event. - name: related.user - normalize: - - array - type: keyword -- description: The name of the rule or signature generating the event. - name: rule.name - type: keyword -- description: |- - The domain name of the server system. - This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. - name: server.domain - type: keyword -- description: |- - The highest registered server domain, stripped of the subdomain. - For example, the registered domain for "foo.example.com" is "example.com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". - name: server.registered_domain - type: keyword -- description: |- - The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. - For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. - name: server.subdomain - type: keyword -- description: |- - The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". 
- This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". - name: server.top_level_domain - type: keyword -- description: |- - Name of the service data is collected from. - The name of the service is normally user given. This allows for distributed services that run on multiple hosts to correlate the related instances based on the name. - In the case of Elasticsearch the `service.name` could contain the cluster name. For Beats the `service.name` is by default a copy of the `service.type` field if no name is specified. - name: service.name - type: keyword -- description: |- - Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: source.address - type: keyword -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: source.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: source.as.organization.name - type: keyword -- description: Bytes sent from the source to the destination. - name: source.bytes - type: long -- description: |- - The domain name of the source system. - This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. - name: source.domain - type: keyword -- description: City name. - name: source.geo.city_name - type: keyword -- description: Country name. - name: source.geo.country_name - type: keyword -- description: Longitude and latitude. 
- name: source.geo.location - type: geo_point -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: |- - MAC address of the source. - The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. - name: source.mac - pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ - type: keyword -- description: |- - Translated ip of source based NAT sessions (e.g. internal client to internet) - Typically connections traversing load balancers, firewalls, or routers. - name: source.nat.ip - type: ip -- description: |- - Translated port of source based NAT sessions. (e.g. internal client to internet) - Typically used with load balancers, firewalls, or routers. - name: source.nat.port - type: long -- description: Port of the source. - name: source.port - type: long -- description: |- - The highest registered source domain, stripped of the subdomain. - For example, the registered domain for "foo.example.com" is "example.com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". - name: source.registered_domain - type: keyword -- description: |- - The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. - For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. 
- name: source.subdomain - type: keyword -- description: |- - The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". - name: source.top_level_domain - type: keyword -- description: List of keywords used to tag each event. - name: tags - normalize: - - array - type: keyword -- description: |- - Domain of the url, such as "www.elastic.co". - In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. - If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. - name: url.domain - type: keyword -- description: |- - Unmodified original url as seen in the event source. - Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. - This field is meant to represent the URL as it was observed, complete or not. - multi_fields: - - name: text - type: match_only_text - name: url.original - type: wildcard -- description: Path of the request, such as "/search". - name: url.path - type: wildcard -- description: |- - The query field describes the query string of the request, such as "q=elasticsearch". - The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. - name: url.query - type: keyword -- description: |- - The highest registered url domain, stripped of the subdomain. 
- For example, the registered domain for "foo.example.com" is "example.com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". - name: url.registered_domain - type: keyword -- description: |- - The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". - name: url.top_level_domain - type: keyword -- description: |- - Name of the directory the user is a member of. - For example, an LDAP or Active Directory domain name. - name: user.domain - type: keyword -- description: User's full name, if available. - multi_fields: - - name: text - type: match_only_text - name: user.full_name - type: keyword -- description: Unique identifier of the user. - name: user.id - type: keyword -- description: Short name or login of the user. - multi_fields: - - name: text - type: match_only_text - name: user.name - type: keyword -- description: Unparsed user_agent string. - multi_fields: - - name: text - type: match_only_text - name: user_agent.original - type: keyword diff --git a/packages/fortinet_fortimail/1.1.2/data_stream/log/fields/fields.yml b/packages/fortinet_fortimail/1.1.2/data_stream/log/fields/fields.yml deleted file mode 100755 index ea69cd79e3..0000000000 --- a/packages/fortinet_fortimail/1.1.2/data_stream/log/fields/fields.yml +++ /dev/null 
@@ -1,1754 +0,0 @@ -- name: rsa - type: group - fields: - - name: internal - type: group - fields: - - name: msg - type: keyword - description: This key is used to capture the raw message that comes into the Log Decoder - - name: messageid - type: keyword - - name: event_desc - type: keyword - - name: message - type: keyword - description: This key captures the contents of instant messages - - name: time - type: date - description: This is the time at which a session hits a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. - - name: level - type: long - description: Deprecated key defined only in table map. - - name: msg_id - type: keyword - description: This is the Message ID1 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: msg_vid - type: keyword - description: This is the Message ID2 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: data - type: keyword - description: Deprecated key defined only in table map. - - name: obj_server - type: keyword - description: Deprecated key defined only in table map. - - name: obj_val - type: keyword - description: Deprecated key defined only in table map. - - name: resource - type: keyword - description: Deprecated key defined only in table map. - - name: obj_id - type: keyword - description: Deprecated key defined only in table map. - - name: statement - type: keyword - description: Deprecated key defined only in table map. - - name: audit_class - type: keyword - description: Deprecated key defined only in table map. 
- - name: entry - type: keyword - description: Deprecated key defined only in table map. - - name: hcode - type: keyword - description: Deprecated key defined only in table map. - - name: inode - type: long - description: Deprecated key defined only in table map. - - name: resource_class - type: keyword - description: Deprecated key defined only in table map. - - name: dead - type: long - description: Deprecated key defined only in table map. - - name: feed_desc - type: keyword - description: This is used to capture the description of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: feed_name - type: keyword - description: This is used to capture the name of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: cid - type: keyword - description: This is the unique identifier used to identify a NetWitness Concentrator. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: device_class - type: keyword - description: This is the Classification of the Log Event Source under a predefined fixed set of Event Source Classifications. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: device_group - type: keyword - description: This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: device_host - type: keyword - description: This is the Hostname of the log Event Source sending the logs to NetWitness. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: device_ip - type: ip - description: This is the IPv4 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: device_ipv6 - type: ip - description: This is the IPv6 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: device_type - type: keyword - description: This is the name of the log parser which parsed a given session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: device_type_id - type: long - description: Deprecated key defined only in table map. - - name: did - type: keyword - description: This is the unique identifier used to identify a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: entropy_req - type: long - description: This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration - - name: entropy_res - type: long - description: This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration - - name: event_name - type: keyword - description: Deprecated key defined only in table map. - - name: feed_category - type: keyword - description: This is used to capture the category of the feed. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: forward_ip - type: ip - description: This key should be used to capture the IPV4 address of a relay system which forwarded the events from the original system to NetWitness. - - name: forward_ipv6 - type: ip - description: This key is used to capture the IPV6 address of a relay system which forwarded the events from the original system to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: header_id - type: keyword - description: This is the Header ID value that identifies the exact log parser header definition that parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: lc_cid - type: keyword - description: This is a unique Identifier of a Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: lc_ctime - type: date - description: This is the time at which a log is collected in a NetWitness Log Collector. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: mcb_req - type: long - description: This key is only used by the Entropy Parser, the most common byte request is simply which byte for each side (0 thru 255) was seen the most - - name: mcb_res - type: long - description: This key is only used by the Entropy Parser, the most common byte response is simply which byte for each side (0 thru 255) was seen the most - - name: mcbc_req - type: long - description: This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams - - name: mcbc_res - type: long - description: This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams - - name: medium - type: long - description: "This key is used to identify if it’s a log/packet session or Layer 2 Encapsulation Type. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. 32 = log, 33 = correlation session, < 32 is packet session" - - name: node_name - type: keyword - description: Deprecated key defined only in table map. - - name: nwe_callback_id - type: keyword - description: This key denotes that event is endpoint related - - name: parse_error - type: keyword - description: This is a special key that stores any Meta key validation error found while parsing a log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: payload_req - type: long - description: This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. 
However, in order to keep - - name: payload_res - type: long - description: This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep - - name: process_vid_dst - type: keyword - description: Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the target process. - - name: process_vid_src - type: keyword - description: Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the source process. - - name: rid - type: long - description: This is a special ID of the Remote Session created by NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: session_split - type: keyword - description: This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: site - type: keyword - description: Deprecated key defined only in table map. - - name: size - type: long - description: This is the size of the session as seen by the NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: sourcefile - type: keyword - description: This is the name of the log file or PCAPs that can be imported into NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: ubc_req - type: long - description: This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 
256 would mean all byte values of 0 thru 255 were seen at least once - - name: ubc_res - type: long - description: This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once - - name: word - type: keyword - description: This is used by the Word Parsing technology to capture the first 5 character of every word in an unparsed log - - name: time - type: group - fields: - - name: event_time - type: date - description: This key is used to capture the time mentioned in a raw session that represents the actual time an event occured in a standard normalized form - - name: duration_time - type: double - description: This key is used to capture the normalized duration/lifetime in seconds. - - name: event_time_str - type: keyword - description: This key is used to capture the incomplete time mentioned in a session as a string - - name: starttime - type: date - description: This key is used to capture the Start time mentioned in a session in a standard form - - name: month - type: keyword - - name: day - type: keyword - - name: endtime - type: date - description: This key is used to capture the End time mentioned in a session in a standard form - - name: timezone - type: keyword - description: This key is used to capture the timezone of the Event Time - - name: duration_str - type: keyword - description: A text string version of the duration - - name: date - type: keyword - - name: year - type: keyword - - name: recorded_time - type: date - description: The event time as recorded by the system the event is collected from. The usage scenario is a multi-tier application where the management layer of the system records it's own timestamp at the time of collection from its child nodes. Must be in timestamp format. 
- - name: datetime - type: keyword - - name: effective_time - type: date - description: This key is the effective time referenced by an individual event in a Standard Timestamp format - - name: expire_time - type: date - description: This key is the timestamp that explicitly refers to an expiration. - - name: process_time - type: keyword - description: Deprecated, use duration.time - - name: hour - type: keyword - - name: min - type: keyword - - name: timestamp - type: keyword - - name: event_queue_time - type: date - description: This key is the Time that the event was queued. - - name: p_time1 - type: keyword - - name: tzone - type: keyword - - name: eventtime - type: keyword - - name: gmtdate - type: keyword - - name: gmttime - type: keyword - - name: p_date - type: keyword - - name: p_month - type: keyword - - name: p_time - type: keyword - - name: p_time2 - type: keyword - - name: p_year - type: keyword - - name: expire_time_str - type: keyword - description: This key is used to capture incomplete timestamp that explicitly refers to an expiration. - - name: stamp - type: date - description: Deprecated key defined only in table map. - - name: misc - type: group - fields: - - name: action - type: keyword - - name: result - type: keyword - description: This key is used to capture the outcome/result string value of an action in a session. - - name: severity - type: keyword - description: This key is used to capture the severity given the session - - name: event_type - type: keyword - description: This key captures the event category type as specified by the event source. - - name: reference_id - type: keyword - description: This key is used to capture an event id from the session directly - - name: version - type: keyword - description: This key captures Version of the application or OS which is generating the event. - - name: disposition - type: keyword - description: This key captures the The end state of an action. 
- - name: result_code - type: keyword - description: This key is used to capture the outcome/result numeric value of an action in a session - - name: category - type: keyword - description: This key is used to capture the category of an event given by the vendor in the session - - name: obj_name - type: keyword - description: This is used to capture name of object - - name: obj_type - type: keyword - description: This is used to capture type of object - - name: event_source - type: keyword - description: "This key captures Source of the event that’s not a hostname" - - name: log_session_id - type: keyword - description: This key is used to capture a sessionid from the session directly - - name: group - type: keyword - description: This key captures the Group Name value - - name: policy_name - type: keyword - description: This key is used to capture the Policy Name only. - - name: rule_name - type: keyword - description: This key captures the Rule Name - - name: context - type: keyword - description: This key captures Information which adds additional context to the event. - - name: change_new - type: keyword - description: "This key is used to capture the new values of the attribute that’s changing in a session" - - name: space - type: keyword - - name: client - type: keyword - description: This key is used to capture only the name of the client application requesting resources of the server. See the user.agent meta key for capture of the specific user agent identifier or browser identification string. - - name: msgIdPart1 - type: keyword - - name: msgIdPart2 - type: keyword - - name: change_old - type: keyword - description: "This key is used to capture the old value of the attribute that’s changing in a session" - - name: operation_id - type: keyword - description: An alert number or operation number. The values should be unique and non-repeating. 
- - name: event_state - type: keyword - description: This key captures the current state of the object/item referenced within the event. Describing an on-going event. - - name: group_object - type: keyword - description: This key captures a collection/grouping of entities. Specific usage - - name: node - type: keyword - description: Common use case is the node name within a cluster. The cluster name is reflected by the host name. - - name: rule - type: keyword - description: This key captures the Rule number - - name: device_name - type: keyword - description: 'This is used to capture name of the Device associated with the node Like: a physical disk, printer, etc' - - name: param - type: keyword - description: This key is the parameters passed as part of a command or application, etc. - - name: change_attrib - type: keyword - description: "This key is used to capture the name of the attribute that’s changing in a session" - - name: event_computer - type: keyword - description: This key is a windows only concept, where this key is used to capture fully qualified domain name in a windows log. - - name: reference_id1 - type: keyword - description: This key is for Linked ID to be used as an addition to "reference.id" - - name: event_log - type: keyword - description: This key captures the Name of the event log - - name: OS - type: keyword - description: This key captures the Name of the Operating System - - name: terminal - type: keyword - description: This key captures the Terminal Names only - - name: msgIdPart3 - type: keyword - - name: filter - type: keyword - description: This key captures Filter used to reduce result set - - name: serial_number - type: keyword - description: This key is the Serial number associated with a physical asset. - - name: checksum - type: keyword - description: This key is used to capture the checksum or hash of the entity such as a file or process. 
Checksum should be used over checksum.src or checksum.dst when it is unclear whether the entity is a source or target of an action. - - name: event_user - type: keyword - description: This key is a windows only concept, where this key is used to capture combination of domain name and username in a windows log. - - name: virusname - type: keyword - description: This key captures the name of the virus - - name: content_type - type: keyword - description: This key is used to capture Content Type only. - - name: group_id - type: keyword - description: This key captures Group ID Number (related to the group name) - - name: policy_id - type: keyword - description: This key is used to capture the Policy ID only, this should be a numeric value, use policy.name otherwise - - name: vsys - type: keyword - description: This key captures Virtual System Name - - name: connection_id - type: keyword - description: This key captures the Connection ID - - name: reference_id2 - type: keyword - description: This key is for the 2nd Linked ID. Can be either linked to "reference.id" or "reference.id1" value but should not be used unless the other two variables are in play. - - name: sensor - type: keyword - description: This key captures Name of the sensor. Typically used in IDS/IPS based devices - - name: sig_id - type: long - description: This key captures IDS/IPS Int Signature ID - - name: port_name - type: keyword - description: 'This key is used for Physical or logical port connection but does NOT include a network port. (Example: Printer port name).' - - name: rule_group - type: keyword - description: This key captures the Rule group name - - name: risk_num - type: double - description: This key captures a Numeric Risk value - - name: trigger_val - type: keyword - description: This key captures the Value of the trigger or threshold condition. 
- - name: log_session_id1 - type: keyword - description: This key is used to capture a Linked (Related) Session ID from the session directly - - name: comp_version - type: keyword - description: This key captures the Version level of a sub-component of a product. - - name: content_version - type: keyword - description: This key captures Version level of a signature or database content. - - name: hardware_id - type: keyword - description: This key is used to capture unique identifier for a device or system (NOT a Mac address) - - name: risk - type: keyword - description: This key captures the non-numeric risk value - - name: event_id - type: keyword - - name: reason - type: keyword - - name: status - type: keyword - - name: mail_id - type: keyword - description: This key is used to capture the mailbox id/name - - name: rule_uid - type: keyword - description: This key is the Unique Identifier for a rule. - - name: trigger_desc - type: keyword - description: This key captures the Description of the trigger or threshold condition. - - name: inout - type: keyword - - name: p_msgid - type: keyword - - name: data_type - type: keyword - - name: msgIdPart4 - type: keyword - - name: error - type: keyword - description: This key captures All non successful Error codes or responses - - name: index - type: keyword - - name: listnum - type: keyword - description: This key is used to capture listname or listnumber, primarily for collecting access-list - - name: ntype - type: keyword - - name: observed_val - type: keyword - description: This key captures the Value observed (from the perspective of the device generating the log). - - name: policy_value - type: keyword - description: This key captures the contents of the policy. 
This contains details about the policy - - name: pool_name - type: keyword - description: This key captures the name of a resource pool - - name: rule_template - type: keyword - description: A default set of parameters which are overlayed onto a rule (or rulename) which efffectively constitutes a template - - name: count - type: keyword - - name: number - type: keyword - - name: sigcat - type: keyword - - name: type - type: keyword - - name: comments - type: keyword - description: Comment information provided in the log message - - name: doc_number - type: long - description: This key captures File Identification number - - name: expected_val - type: keyword - description: This key captures the Value expected (from the perspective of the device generating the log). - - name: job_num - type: keyword - description: This key captures the Job Number - - name: spi_dst - type: keyword - description: Destination SPI Index - - name: spi_src - type: keyword - description: Source SPI Index - - name: code - type: keyword - - name: agent_id - type: keyword - description: This key is used to capture agent id - - name: message_body - type: keyword - description: This key captures the The contents of the message body. - - name: phone - type: keyword - - name: sig_id_str - type: keyword - description: This key captures a string object of the sigid variable. - - name: cmd - type: keyword - - name: misc - type: keyword - - name: name - type: keyword - - name: cpu - type: long - description: This key is the CPU time used in the execution of the event being recorded. - - name: event_desc - type: keyword - description: This key is used to capture a description of an event available directly or inferred - - name: sig_id1 - type: long - description: This key captures IDS/IPS Int Signature ID. 
This must be linked to the sig.id - - name: im_buddyid - type: keyword - - name: im_client - type: keyword - - name: im_userid - type: keyword - - name: pid - type: keyword - - name: priority - type: keyword - - name: context_subject - type: keyword - description: This key is to be used in an audit context where the subject is the object being identified - - name: context_target - type: keyword - - name: cve - type: keyword - description: This key captures CVE (Common Vulnerabilities and Exposures) - an identifier for known information security vulnerabilities. - - name: fcatnum - type: keyword - description: This key captures Filter Category Number. Legacy Usage - - name: library - type: keyword - description: This key is used to capture library information in mainframe devices - - name: parent_node - type: keyword - description: This key captures the Parent Node Name. Must be related to node variable. - - name: risk_info - type: keyword - description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - - name: tcp_flags - type: long - description: This key is captures the TCP flags set in any packet of session - - name: tos - type: long - description: This key describes the type of service - - name: vm_target - type: keyword - description: VMWare Target **VMWARE** only varaible. 
- - name: workspace
- type: keyword
- description: This key captures Workspace Description
- - name: command
- type: keyword
- - name: event_category
- type: keyword
- - name: facilityname
- type: keyword
- - name: forensic_info
- type: keyword
- - name: jobname
- type: keyword
- - name: mode
- type: keyword
- - name: policy
- type: keyword
- - name: policy_waiver
- type: keyword
- - name: second
- type: keyword
- - name: space1
- type: keyword
- - name: subcategory
- type: keyword
- - name: tbdstr2
- type: keyword
- - name: alert_id
- type: keyword
- description: Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
- - name: checksum_dst
- type: keyword
- description: This key is used to capture the checksum or hash of the the target entity such as a process or file.
- - name: checksum_src
- type: keyword
- description: This key is used to capture the checksum or hash of the source entity such as a file or process.
- - name: fresult
- type: long
- description: This key captures the Filter Result
- - name: payload_dst
- type: keyword
- description: This key is used to capture destination payload
- - name: payload_src
- type: keyword
- description: This key is used to capture source payload
- - name: pool_id
- type: keyword
- description: This key captures the identifier (typically numeric field) of a resource pool
- - name: process_id_val
- type: keyword
- description: This key is a failure key for Process ID when it is not an integer value
- - name: risk_num_comm
- type: double
- description: This key captures Risk Number Community
- - name: risk_num_next
- type: double
- description: This key captures Risk Number NextGen
- - name: risk_num_sand
- type: double
- description: This key captures Risk Number SandBox
- - name: risk_num_static
- type: double
- description: This key captures Risk Number Static
- - name: risk_suspicious
- type: keyword
- description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
- - name: risk_warning
- type: keyword
- description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
- - name: snmp_oid
- type: keyword
- description: SNMP Object Identifier
- - name: sql
- type: keyword
- description: This key captures the SQL query
- - name: vuln_ref
- type: keyword
- description: This key captures the Vulnerability Reference details
- - name: acl_id
- type: keyword
- - name: acl_op
- type: keyword
- - name: acl_pos
- type: keyword
- - name: acl_table
- type: keyword
- - name: admin
- type: keyword
- - name: alarm_id
- type: keyword
- - name: alarmname
- type: keyword
- - name: app_id
- type: keyword
- - name: audit
- type: keyword
- - name: audit_object
- type: keyword
- - name: auditdata
- type: keyword
- - name: benchmark
- type: keyword
- - name: bypass
- type: keyword
- - name: cache
- type: keyword
- - name: cache_hit
- type: keyword
- - name: cefversion
- type: keyword
- - name: cfg_attr
- type: keyword
- - name: cfg_obj
- type: keyword
- - name: cfg_path
- type: keyword
- - name: changes
- type: keyword
- - name: client_ip
- type: keyword
- - name: clustermembers
- type: keyword
- - name: cn_acttimeout
- type: keyword
- - name: cn_asn_src
- type: keyword
- - name: cn_bgpv4nxthop
- type: keyword
- - name: cn_ctr_dst_code
- type: keyword
- - name: cn_dst_tos
- type: keyword
- - name: cn_dst_vlan
- type: keyword
- - name: cn_engine_id
- type: keyword
- - name: cn_engine_type
- type: keyword
- - name: cn_f_switch
- type: keyword
- - name: cn_flowsampid
- type: keyword
- - name: cn_flowsampintv
- type: keyword
- - name: cn_flowsampmode
- type: keyword
- - name: cn_inacttimeout
- type: keyword
- - name: cn_inpermbyts
- type: keyword
- - name: cn_inpermpckts
- type: keyword
- - name: cn_invalid
- type: keyword
- - name: cn_ip_proto_ver
- type: keyword
- - name: cn_ipv4_ident
- type: keyword
- - name: cn_l_switch
- type: keyword
- - name: cn_log_did
- type: keyword
- - name: cn_log_rid
- type: keyword
- - name: cn_max_ttl
- type: keyword
- - name: cn_maxpcktlen
- type: keyword
- - name: cn_min_ttl
- type: keyword
- - name: cn_minpcktlen
- type: keyword
- - name: cn_mpls_lbl_1
- type: keyword
- - name: cn_mpls_lbl_10
- type: keyword
- - name: cn_mpls_lbl_2
- type: keyword
- - name: cn_mpls_lbl_3
- type: keyword
- - name: cn_mpls_lbl_4
- type: keyword
- - name: cn_mpls_lbl_5
- type: keyword
- - name: cn_mpls_lbl_6
- type: keyword
- - name: cn_mpls_lbl_7
- type: keyword
- - name: cn_mpls_lbl_8
- type: keyword
- - name: cn_mpls_lbl_9
- type: keyword
- - name: cn_mplstoplabel
- type: keyword
- - name: cn_mplstoplabip
- type: keyword
- - name: cn_mul_dst_byt
- type: keyword
- - name: cn_mul_dst_pks
- type: keyword
- - name: cn_muligmptype
- type: keyword
- - name: cn_sampalgo
- type: keyword
- - name: cn_sampint
- type: keyword
- - name: cn_seqctr
- type: keyword
- - name: cn_spackets
- type: keyword
- - name: cn_src_tos
- type: keyword
- - name: cn_src_vlan
- type: keyword
- - name: cn_sysuptime
- type: keyword
- - name: cn_template_id
- type: keyword
- - name: cn_totbytsexp
- type: keyword
- - name: cn_totflowexp
- type: keyword
- - name: cn_totpcktsexp
- type: keyword
- - name: cn_unixnanosecs
- type: keyword
- - name: cn_v6flowlabel
- type: keyword
- - name: cn_v6optheaders
- type: keyword
- - name: comp_class
- type: keyword
- - name: comp_name
- type: keyword
- - name: comp_rbytes
- type: keyword
- - name: comp_sbytes
- type: keyword
- - name: cpu_data
- type: keyword
- - name: criticality
- type: keyword
- - name: cs_agency_dst
- type: keyword
- - name: cs_analyzedby
- type: keyword
- - name: cs_av_other
- type: keyword
- - name: cs_av_primary
- type: keyword
- - name: cs_av_secondary
- type: keyword
- - name: cs_bgpv6nxthop
- type: keyword
- - name: cs_bit9status
- type: keyword
- - name: cs_context
- type: keyword
- - name: cs_control
- type: keyword
- - name: cs_data
- type: keyword
- - name: cs_datecret
- type: keyword
- - name: cs_dst_tld
- type: keyword
- - name: cs_eth_dst_ven
- type: keyword
- - name: cs_eth_src_ven
- type: keyword
- - name: cs_event_uuid
- type: keyword
- - name: cs_filetype
- type: keyword
- - name: cs_fld
- type: keyword
- - name: cs_if_desc
- type: keyword
- - name: cs_if_name
- type: keyword
- - name: cs_ip_next_hop
- type: keyword
- - name: cs_ipv4dstpre
- type: keyword
- - name: cs_ipv4srcpre
- type: keyword
- - name: cs_lifetime
- type: keyword
- - name: cs_log_medium
- type: keyword
- - name: cs_loginname
- type: keyword
- - name: cs_modulescore
- type: keyword
- - name: cs_modulesign
- type: keyword
- - name: cs_opswatresult
- type: keyword
- - name: cs_payload
- type: keyword
- - name: cs_registrant
- type: keyword
- - name: cs_registrar
- type: keyword
- - name: cs_represult
- type: keyword
- - name: cs_rpayload
- type: keyword
- - name: cs_sampler_name
- type: keyword
- - name: cs_sourcemodule
- type: keyword
- - name: cs_streams
- type: keyword
- - name: cs_targetmodule
- type: keyword
- - name: cs_v6nxthop
- type: keyword
- - name: cs_whois_server
- type: keyword
- - name: cs_yararesult
- type: keyword
- - name: description
- type: keyword
- - name: devvendor
- type: keyword
- - name: distance
- type: keyword
- - name: dstburb
- type: keyword
- - name: edomain
- type: keyword
- - name: edomaub
- type: keyword
- - name: euid
- type: keyword
- - name: facility
- type: keyword
- - name: finterface
- type: keyword
- - name: flags
- type: keyword
- - name: gaddr
- type: keyword
- - name: id3
- type: keyword
- - name: im_buddyname
- type: keyword
- - name: im_croomid
- type: keyword
- - name: im_croomtype
- type: keyword
- - name: im_members
- type: keyword
- - name: im_username
- type: keyword
- - name: ipkt
- type: keyword
- - name: ipscat
- type: keyword
- - name: ipspri
- type: keyword
- - name: latitude
- type: keyword
- - name: linenum
- type: keyword
- - name: list_name
- type: keyword
- - name: load_data
- type: keyword
- - name: location_floor
- type: keyword
- - name: location_mark
- type: keyword
- - name: log_id
- type: keyword
- - name: log_type
- type: keyword
- - name: logid
- type: keyword
- - name: logip
- type: keyword
- - name: logname
- type: keyword
- - name: longitude
- type: keyword
- - name: lport
- type: keyword
- - name: mbug_data
- type: keyword
- - name: misc_name
- type: keyword
- - name: msg_type
- type: keyword
- - name: msgid
- type: keyword
- - name: netsessid
- type: keyword
- - name: num
- type: keyword
- - name: number1
- type: keyword
- - name: number2
- type: keyword
- - name: nwwn
- type: keyword
- - name: object
- type: keyword
- - name: operation
- type: keyword
- - name: opkt
- type: keyword
- - name: orig_from
- type: keyword
- - name: owner_id
- type: keyword
- - name: p_action
- type: keyword
- - name: p_filter
- type: keyword
- - name: p_group_object
- type: keyword
- - name: p_id
- type: keyword
- - name: p_msgid1
- type: keyword
- - name: p_msgid2
- type: keyword
- - name: p_result1
- type: keyword
- - name: password_chg
- type: keyword
- - name: password_expire
- type: keyword
- - name: permgranted
- type: keyword
- - name: permwanted
- type: keyword
- - name: pgid
- type: keyword
- - name: policyUUID
- type: keyword
- - name: prog_asp_num
- type: keyword
- - name: program
- type: keyword
- - name: real_data
- type: keyword
- - name: rec_asp_device
- type: keyword
- - name: rec_asp_num
- type: keyword
- - name: rec_library
- type: keyword
- - name: recordnum
- type: keyword
- - name: ruid
- type: keyword
- - name: sburb
- type: keyword
- - name: sdomain_fld
- type: keyword
- - name: sec
- type: keyword
- - name: sensorname
- type: keyword
- - name: seqnum
- type: keyword
- - name: session
- type: keyword
- - name: sessiontype
- type: keyword
- - name: sigUUID
- type: keyword
- - name: spi
- type: keyword
- - name: srcburb
- type: keyword
- - name: srcdom
- type: keyword
- - name: srcservice
- type: keyword
- - name: state
- type: keyword
- - name: status1
- type: keyword
- - name: svcno
- type: keyword
- - name: system
- type: keyword
- - name: tbdstr1
- type: keyword
- - name: tgtdom
- type: keyword
- - name: tgtdomain
- type: keyword
- - name: threshold
- type: keyword
- - name: type1
- type: keyword
- - name: udb_class
- type: keyword
- - name: url_fld
- type: keyword
- - name: user_div
- type: keyword
- - name: userid
- type: keyword
- - name: username_fld
- type: keyword
- - name: utcstamp
- type: keyword
- - name: v_instafname
- type: keyword
- - name: virt_data
- type: keyword
- - name: vpnid
- type: keyword
- - name: autorun_type
- type: keyword
- description: This is used to capture Auto Run type
- - name: cc_number
- type: long
- description: Valid Credit Card Numbers only
- - name: content
- type: keyword
- description: This key captures the content type from protocol headers
- - name: ein_number
- type: long
- description: Employee Identification Numbers only
- - name: found
- type: keyword
- description: This is used to capture the results of regex match
- - name: language
- type: keyword
- description: This is used to capture list of languages the client support and what it prefers
- - name: lifetime
- type: long
- description: This key is used to capture the session lifetime in seconds.
- - name: link
- type: keyword
- description: This key is used to link the sessions together. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
- - name: match
- type: keyword
- description: This key is for regex match name from search.ini
- - name: param_dst
- type: keyword
- description: This key captures the command line/launch argument of the target process or file
- - name: param_src
- type: keyword
- description: This key captures source parameter
- - name: search_text
- type: keyword
- description: This key captures the Search Text used
- - name: sig_name
- type: keyword
- description: This key is used to capture the Signature Name only.
- - name: snmp_value
- type: keyword
- description: SNMP set request value
- - name: streams
- type: long
- description: This key captures number of streams in session
- - name: db
- type: group
- fields:
- - name: index
- type: keyword
- description: This key captures IndexID of the index.
- - name: instance
- type: keyword
- description: This key is used to capture the database server instance name
- - name: database
- type: keyword
- description: This key is used to capture the name of a database or an instance as seen in a session
- - name: transact_id
- type: keyword
- description: This key captures the SQL transantion ID of the current session
- - name: permissions
- type: keyword
- description: This key captures permission or privilege level assigned to a resource.
- - name: table_name
- type: keyword
- description: This key is used to capture the table name
- - name: db_id
- type: keyword
- description: This key is used to capture the unique identifier for a database
- - name: db_pid
- type: long
- description: This key captures the process id of a connection with database server
- - name: lread
- type: long
- description: This key is used for the number of logical reads
- - name: lwrite
- type: long
- description: This key is used for the number of logical writes
- - name: pread
- type: long
- description: This key is used for the number of physical writes
- - name: network
- type: group
- fields:
- - name: alias_host
- type: keyword
- description: This key should be used when the source or destination context of a hostname is not clear.Also it captures the Device Hostname. Any Hostname that isnt ad.computer.
- - name: domain
- type: keyword
- - name: host_dst
- type: keyword
- description: "This key should only be used when it’s a Destination Hostname"
- - name: network_service
- type: keyword
- description: This is used to capture layer 7 protocols/service names
- - name: interface
- type: keyword
- description: This key should be used when the source or destination context of an interface is not clear
- - name: network_port
- type: long
- description: 'Deprecated, use port. NOTE: There is a type discrepancy as currently used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!)'
- - name: eth_host
- type: keyword
- description: Deprecated, use alias.mac
- - name: sinterface
- type: keyword
- description: "This key should only be used when it’s a Source Interface"
- - name: dinterface
- type: keyword
- description: "This key should only be used when it’s a Destination Interface"
- - name: vlan
- type: long
- description: This key should only be used to capture the ID of the Virtual LAN
- - name: zone_src
- type: keyword
- description: "This key should only be used when it’s a Source Zone."
- - name: zone
- type: keyword
- description: This key should be used when the source or destination context of a Zone is not clear
- - name: zone_dst
- type: keyword
- description: "This key should only be used when it’s a Destination Zone."
- - name: gateway
- type: keyword
- description: This key is used to capture the IP Address of the gateway
- - name: icmp_type
- type: long
- description: This key is used to capture the ICMP type only
- - name: mask
- type: keyword
- description: This key is used to capture the device network IPmask.
- - name: icmp_code
- type: long
- description: This key is used to capture the ICMP code only
- - name: protocol_detail
- type: keyword
- description: This key should be used to capture additional protocol information
- - name: dmask
- type: keyword
- description: This key is used for Destionation Device network mask
- - name: port
- type: long
- description: This key should only be used to capture a Network Port when the directionality is not clear
- - name: smask
- type: keyword
- description: This key is used for capturing source Network Mask
- - name: netname
- type: keyword
- description: This key is used to capture the network name associated with an IP range. This is configured by the end user.
- - name: paddr
- type: ip
- description: Deprecated
- - name: faddr
- type: keyword
- - name: lhost
- type: keyword
- - name: origin
- type: keyword
- - name: remote_domain_id
- type: keyword
- - name: addr
- type: keyword
- - name: dns_a_record
- type: keyword
- - name: dns_ptr_record
- type: keyword
- - name: fhost
- type: keyword
- - name: fport
- type: keyword
- - name: laddr
- type: keyword
- - name: linterface
- type: keyword
- - name: phost
- type: keyword
- - name: ad_computer_dst
- type: keyword
- description: Deprecated, use host.dst
- - name: eth_type
- type: long
- description: This key is used to capture Ethernet Type, Used for Layer 3 Protocols Only
- - name: ip_proto
- type: long
- description: This key should be used to capture the Protocol number, all the protocol nubers are converted into string in UI
- - name: dns_cname_record
- type: keyword
- - name: dns_id
- type: keyword
- - name: dns_opcode
- type: keyword
- - name: dns_resp
- type: keyword
- - name: dns_type
- type: keyword
- - name: domain1
- type: keyword
- - name: host_type
- type: keyword
- - name: packet_length
- type: keyword
- - name: host_orig
- type: keyword
- description: This is used to capture the original hostname in case of a Forwarding Agent or a Proxy in between.
- - name: rpayload
- type: keyword
- description: This key is used to capture the total number of payload bytes seen in the retransmitted packets.
- - name: vlan_name
- type: keyword
- description: This key should only be used to capture the name of the Virtual LAN
- - name: investigations
- type: group
- fields:
- - name: ec_activity
- type: keyword
- description: This key captures the particular event activity(Ex:Logoff)
- - name: ec_theme
- type: keyword
- description: This key captures the Theme of a particular Event(Ex:Authentication)
- - name: ec_subject
- type: keyword
- description: This key captures the Subject of a particular Event(Ex:User)
- - name: ec_outcome
- type: keyword
- description: This key captures the outcome of a particular Event(Ex:Success)
- - name: event_cat
- type: long
- description: This key captures the Event category number
- - name: event_cat_name
- type: keyword
- description: This key captures the event category name corresponding to the event cat code
- - name: event_vcat
- type: keyword
- description: This is a vendor supplied category. This should be used in situations where the vendor has adopted their own event_category taxonomy.
- - name: analysis_file
- type: keyword
- description: This is used to capture all indicators used in a File Analysis. This key should be used to capture an analysis of a file
- - name: analysis_service
- type: keyword
- description: This is used to capture all indicators used in a Service Analysis. This key should be used to capture an analysis of a service
- - name: analysis_session
- type: keyword
- description: This is used to capture all indicators used for a Session Analysis. This key should be used to capture an analysis of a session
- - name: boc
- type: keyword
- description: This is used to capture behaviour of compromise
- - name: eoc
- type: keyword
- description: This is used to capture Enablers of Compromise
- - name: inv_category
- type: keyword
- description: This used to capture investigation category
- - name: inv_context
- type: keyword
- description: This used to capture investigation context
- - name: ioc
- type: keyword
- description: This is key capture indicator of compromise
- - name: counters
- type: group
- fields:
- - name: dclass_c1
- type: long
- description: This is a generic counter key that should be used with the label dclass.c1.str only
- - name: dclass_c2
- type: long
- description: This is a generic counter key that should be used with the label dclass.c2.str only
- - name: event_counter
- type: long
- description: This is used to capture the number of times an event repeated
- - name: dclass_r1
- type: keyword
- description: This is a generic ratio key that should be used with the label dclass.r1.str only
- - name: dclass_c3
- type: long
- description: This is a generic counter key that should be used with the label dclass.c3.str only
- - name: dclass_c1_str
- type: keyword
- description: This is a generic counter string key that should be used with the label dclass.c1 only
- - name: dclass_c2_str
- type: keyword
- description: This is a generic counter string key that should be used with the label dclass.c2 only
- - name: dclass_r1_str
- type: keyword
- description: This is a generic ratio string key that should be used with the label dclass.r1 only
- - name: dclass_r2
- type: keyword
- description: This is a generic ratio key that should be used with the label dclass.r2.str only
- - name: dclass_c3_str
- type: keyword
- description: This is a generic counter string key that should be used with the label dclass.c3 only
- - name: dclass_r3
- type: keyword
- description: This is a generic ratio key that should be used with the label dclass.r3.str only
- - name: dclass_r2_str
- type: keyword
- description: This is a generic ratio string key that should be used with the label dclass.r2 only
- - name: dclass_r3_str
- type: keyword
- description: This is a generic ratio string key that should be used with the label dclass.r3 only
- - name: identity
- type: group
- fields:
- - name: auth_method
- type: keyword
- description: This key is used to capture authentication methods used only
- - name: user_role
- type: keyword
- description: This key is used to capture the Role of a user only
- - name: dn
- type: keyword
- description: X.500 (LDAP) Distinguished Name
- - name: logon_type
- type: keyword
- description: This key is used to capture the type of logon method used.
- - name: profile
- type: keyword
- description: This key is used to capture the user profile
- - name: accesses
- type: keyword
- description: This key is used to capture actual privileges used in accessing an object
- - name: realm
- type: keyword
- description: Radius realm or similar grouping of accounts
- - name: user_sid_dst
- type: keyword
- description: This key captures Destination User Session ID
- - name: dn_src
- type: keyword
- description: An X.500 (LDAP) Distinguished name that is used in a context that indicates a Source dn
- - name: org
- type: keyword
- description: This key captures the User organization
- - name: dn_dst
- type: keyword
- description: An X.500 (LDAP) Distinguished name that used in a context that indicates a Destination dn
- - name: firstname
- type: keyword
- description: This key is for First Names only, this is used for Healthcare predominantly to capture Patients information
- - name: lastname
- type: keyword
- description: This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information
- - name: user_dept
- type: keyword
- description: User's Department Names only
- - name: user_sid_src
- type: keyword
- description: This key captures Source User Session ID
- - name: federated_sp
- type: keyword
- description: This key is the Federated Service Provider. This is the application requesting authentication.
- - name: federated_idp
- type: keyword
- description: This key is the federated Identity Provider. This is the server providing the authentication.
- - name: logon_type_desc
- type: keyword
- description: This key is used to capture the textual description of an integer logon type as stored in the meta key 'logon.type'.
- - name: middlename
- type: keyword
- description: This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information
- - name: password
- type: keyword
- description: This key is for Passwords seen in any session, plain text or encrypted
- - name: host_role
- type: keyword
- description: This key should only be used to capture the role of a Host Machine
- - name: ldap
- type: keyword
- description: "This key is for Uninterpreted LDAP values. Ldap Values that don’t have a clear query or response context"
- - name: ldap_query
- type: keyword
- description: This key is the Search criteria from an LDAP search
- - name: ldap_response
- type: keyword
- description: This key is to capture Results from an LDAP search
- - name: owner
- type: keyword
- description: This is used to capture username the process or service is running as, the author of the task
- - name: service_account
- type: keyword
- description: This key is a windows specific key, used for capturing name of the account a service (referenced in the event) is running under. Legacy Usage
- - name: email
- type: group
- fields:
- - name: email_dst
- type: keyword
- description: This key is used to capture the Destination email address only, when the destination context is not clear use email
- - name: email_src
- type: keyword
- description: This key is used to capture the source email address only, when the source context is not clear use email
- - name: subject
- type: keyword
- description: This key is used to capture the subject string from an Email only.
- - name: email
- type: keyword
- description: This key is used to capture a generic email address where the source or destination context is not clear
- - name: trans_from
- type: keyword
- description: Deprecated key defined only in table map.
- - name: trans_to
- type: keyword
- description: Deprecated key defined only in table map.
- - name: file
- type: group
- fields:
- - name: privilege
- type: keyword
- description: Deprecated, use permissions
- - name: attachment
- type: keyword
- description: This key captures the attachment file name
- - name: filesystem
- type: keyword
- - name: binary
- type: keyword
- description: Deprecated key defined only in table map.
- - name: filename_dst
- type: keyword
- description: This is used to capture name of the file targeted by the action
- - name: filename_src
- type: keyword
- description: This is used to capture name of the parent filename, the file which performed the action
- - name: filename_tmp
- type: keyword
- - name: directory_dst
- type: keyword
- description: This key is used to capture the directory of the target process or file
- - name: directory_src
- type: keyword
- description: This key is used to capture the directory of the source process or file
- - name: file_entropy
- type: double
- description: This is used to capture entropy vale of a file
- - name: file_vendor
- type: keyword
- description: This is used to capture Company name of file located in version_info
- - name: task_name
- type: keyword
- description: This is used to capture name of the task
- - name: web
- type: group
- fields:
- - name: fqdn
- type: keyword
- description: Fully Qualified Domain Names
- - name: web_cookie
- type: keyword
- description: This key is used to capture the Web cookies specifically.
- - name: alias_host
- type: keyword
- - name: reputation_num
- type: double
- description: Reputation Number of an entity. Typically used for Web Domains
- - name: web_ref_domain
- type: keyword
- description: Web referer's domain
- - name: web_ref_query
- type: keyword
- description: This key captures Web referer's query portion of the URL
- - name: remote_domain
- type: keyword
- - name: web_ref_page
- type: keyword
- description: This key captures Web referer's page information
- - name: web_ref_root
- type: keyword
- description: Web referer's root URL path
- - name: cn_asn_dst
- type: keyword
- - name: cn_rpackets
- type: keyword
- - name: urlpage
- type: keyword
- - name: urlroot
- type: keyword
- - name: p_url
- type: keyword
- - name: p_user_agent
- type: keyword
- - name: p_web_cookie
- type: keyword
- - name: p_web_method
- type: keyword
- - name: p_web_referer
- type: keyword
- - name: web_extension_tmp
- type: keyword
- - name: web_page
- type: keyword
- - name: threat
- type: group
- fields:
- - name: threat_category
- type: keyword
- description: This key captures Threat Name/Threat Category/Categorization of alert
- - name: threat_desc
- type: keyword
- description: This key is used to capture the threat description from the session directly or inferred
- - name: alert
- type: keyword
- description: This key is used to capture name of the alert
- - name: threat_source
- type: keyword
- description: This key is used to capture source of the threat
- - name: crypto
- type: group
- fields:
- - name: crypto
- type: keyword
- description: This key is used to capture the Encryption Type or Encryption Key only
- - name: cipher_src
- type: keyword
- description: This key is for Source (Client) Cipher
- - name: cert_subject
- type: keyword
- description: This key is used to capture the Certificate organization only
- - name: peer
- type: keyword
- description: This key is for Encryption peer's IP Address
- - name: cipher_size_src
- type: long
- description: This key captures Source (Client) Cipher Size
- - name: ike
- type: keyword
- description: IKE negotiation phase.
- - name: scheme
- type: keyword
- description: This key captures the Encryption scheme used
- - name: peer_id
- type: keyword
- description: "This key is for Encryption peer’s identity"
- - name: sig_type
- type: keyword
- description: This key captures the Signature Type
- - name: cert_issuer
- type: keyword
- - name: cert_host_name
- type: keyword
- description: Deprecated key defined only in table map.
- - name: cert_error
- type: keyword
- description: This key captures the Certificate Error String
- - name: cipher_dst
- type: keyword
- description: This key is for Destination (Server) Cipher
- - name: cipher_size_dst
- type: long
- description: This key captures Destination (Server) Cipher Size
- - name: ssl_ver_src
- type: keyword
- description: Deprecated, use version
- - name: d_certauth
- type: keyword
- - name: s_certauth
- type: keyword
- - name: ike_cookie1
- type: keyword
- description: "ID of the negotiation — sent for ISAKMP Phase One"
- - name: ike_cookie2
- type: keyword
- description: "ID of the negotiation — sent for ISAKMP Phase Two"
- - name: cert_checksum
- type: keyword
- - name: cert_host_cat
- type: keyword
- description: This key is used for the hostname category value of a certificate
- - name: cert_serial
- type: keyword
- description: This key is used to capture the Certificate serial number only
- - name: cert_status
- type: keyword
- description: This key captures Certificate validation status
- - name: ssl_ver_dst
- type: keyword
- description: Deprecated, use version
- - name: cert_keysize
- type: keyword
- - name: cert_username
- type: keyword
- - name: https_insact
- type: keyword
- - name: https_valid
- type: keyword
- - name: cert_ca
- type: keyword
- description: This key is used to capture the Certificate signing authority only
- - name: cert_common
- type: keyword
- description: This key is used to capture the Certificate common name only
- - name: wireless
- type: group
- fields:
- - name: wlan_ssid
- type: keyword
- description: This key is used to capture the ssid of a Wireless Session
- - name: access_point
- type: keyword
- description: This key is used to capture the access point name.
- - name: wlan_channel
- type: long
- description: This is used to capture the channel names
- - name: wlan_name
- type: keyword
- description: This key captures either WLAN number/name
- - name: storage
- type: group
- fields:
- - name: disk_volume
- type: keyword
- description: A unique name assigned to logical units (volumes) within a physical disk
- - name: lun
- type: keyword
- description: Logical Unit Number.This key is a very useful concept in Storage.
- - name: pwwn
- type: keyword
- description: This uniquely identifies a port on a HBA.
- - name: physical
- type: group
- fields:
- - name: org_dst
- type: keyword
- description: This is used to capture the destination organization based on the GEOPIP Maxmind database.
- - name: org_src
- type: keyword
- description: This is used to capture the source organization based on the GEOPIP Maxmind database.
- - name: healthcare
- type: group
- fields:
- - name: patient_fname
- type: keyword
- description: This key is for First Names only, this is used for Healthcare predominantly to capture Patients information
- - name: patient_id
- type: keyword
- description: This key captures the unique ID for a patient
- - name: patient_lname
- type: keyword
- description: This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information
- - name: patient_mname
- type: keyword
- description: This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information
- - name: endpoint
- type: group
- fields:
- - name: host_state
- type: keyword
- description: This key is used to capture the current state of the machine, such as blacklisted, infected, firewall disabled and so on
- - name: registry_key
- type: keyword
- description: This key captures the path to the registry key
- - name: registry_value
- type: keyword
- description: This key captures values or decorators used within a registry entry
-- name: dns.question.domain
- type: keyword
- ignore_above: 1024
- description: Server domain.
-- name: network.interface.name
- type: keyword
diff --git a/packages/fortinet_fortimail/1.1.2/data_stream/log/manifest.yml b/packages/fortinet_fortimail/1.1.2/data_stream/log/manifest.yml
deleted file mode 100755
index 4acfba2e32..0000000000
--- a/packages/fortinet_fortimail/1.1.2/data_stream/log/manifest.yml
+++ /dev/null
@@ -1,210 +0,0 @@ -title: Fortinet FortiMail logs -release: experimental -type: logs -streams: - - input: udp - title: Fortinet FortiMail logs - description: Collect Fortinet FortiMail logs - template_path: udp.yml.hbs - vars: - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: false - default: - - fortinet-fortimail - - forwarded - - name: udp_host - type: text - title: Listen Address - description: The bind address to listen for UDP connections. Set to `0.0.0.0` to bind to all available interfaces. - multi: false - required: true - show_user: true - default: localhost - - name: udp_port - type: integer - title: Listen Port - description: The UDP port number to listen on. - multi: false - required: true - show_user: true - default: 9529 - - name: tz_offset - type: text - title: Timezone offset (+HH:mm format) - required: false - show_user: true - default: "local" - - name: rsa_fields - type: bool - title: Add non-ECS fields - required: false - show_user: true - default: true - - name: keep_raw_fields - type: bool - title: Keep raw parser fields - required: false - show_user: false - default: false - - name: debug - type: bool - title: Enable debug logging - required: false - show_user: false - default: false - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original` - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: > - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. 
- - - input: tcp - title: Fortinet FortiMail logs - description: Collect Fortinet FortiMail logs - template_path: tcp.yml.hbs - vars: - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: false - default: - - fortinet-fortimail - - forwarded - - name: tcp_host - type: text - title: Listen Address - description: The bind address to listen for TCP connections. Set to `0.0.0.0` to bind to all available interfaces. - multi: false - required: true - show_user: true - default: localhost - - name: tcp_port - type: integer - title: Listen Port - description: The TCP port number to listen on. - multi: false - required: true - show_user: true - default: 9529 - - name: tz_offset - type: text - title: Timezone offset (+HH:mm format) - required: false - show_user: true - default: "local" - - name: rsa_fields - type: bool - title: Add non-ECS fields - required: false - show_user: true - default: true - - name: keep_raw_fields - type: bool - title: Keep raw parser fields - required: false - show_user: false - default: false - - name: debug - type: bool - title: Enable debug logging - required: false - show_user: false - default: false - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original` - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: > - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. 
- - - input: logfile - enabled: false - title: Fortinet FortiMail logs - description: Collect Fortinet FortiMail logs from file - template_path: log.yml.hbs - vars: - - name: paths - type: text - title: Paths - multi: true - required: true - show_user: true - default: - - /var/log/fortinet-fortimail.log - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: false - default: - - fortinet-fortimail - - forwarded - - name: tz_offset - type: text - title: Timezone offset (+HH:mm format) - required: false - show_user: true - default: "local" - - name: rsa_fields - type: bool - title: Add non-ECS fields - required: false - show_user: true - default: true - - name: keep_raw_fields - type: bool - title: Keep raw parser fields - required: false - show_user: false - default: false - - name: debug - type: bool - title: Enable debug logging - required: false - show_user: false - default: false - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original` - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: > - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. - diff --git a/packages/fortinet_fortimail/1.1.2/data_stream/log/sample_event.json b/packages/fortinet_fortimail/1.1.2/data_stream/log/sample_event.json deleted file mode 100755 index f6886ac301..0000000000 --- a/packages/fortinet_fortimail/1.1.2/data_stream/log/sample_event.json +++ /dev/null 
@@ -1,70 +0,0 @@ -{ - "@timestamp": "2016-01-29T06:09:59.000Z", - "agent": { - "ephemeral_id": "821504b9-6e80-4572-aae7-c5bb3cf38906", - "id": "4e3f135a-d5f9-40b6-ae01-2c834ecbead0", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "8.0.0" - }, - "data_stream": { - "dataset": "fortinet_fortimail.log", - "namespace": "ep", - "type": "logs" - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "4e3f135a-d5f9-40b6-ae01-2c834ecbead0", - "snapshot": true, - "version": "8.0.0" - }, - "event": { - "action": "event", - "agent_id_status": "verified", - "code": "nes", - "dataset": "fortinet_fortimail.log", - "ingested": "2022-01-25T12:29:32Z", - "original": "date=2016-1-29 time=06:09:59 device_id=pexe log_id=nes log_part=eab type=event subtype=update pri=high msg=\"boNemoe\"\n", - "timezone": "+00:00" - }, - "input": { - "type": "udp" - }, - "log": { - "level": "high", - "source": { - "address": "172.30.0.4:44540" - } - }, - "observer": { - "product": "FortiMail", - "type": "Firewall", - "vendor": "Fortinet" - }, - "rsa": { - "internal": { - "event_desc": "boNemoe", - "messageid": "event_update" - }, - "misc": { - "category": "update", - "event_type": "event", - "hardware_id": "pexe", - "msgIdPart1": "event", - "msgIdPart2": "update", - "reference_id": "nes", - "reference_id1": "eab", - "severity": "high" - }, - "time": { - "event_time": "2016-01-29T06:09:59.000Z" - } - }, - "tags": [ - "preserve_original_event", - "fortinet-fortimail", - "forwarded" - ] -} \ No newline at end of file diff --git a/packages/fortinet_fortimail/1.1.2/docs/README.md b/packages/fortinet_fortimail/1.1.2/docs/README.md deleted file mode 100755 index 4fa561ec8c..0000000000 --- a/packages/fortinet_fortimail/1.1.2/docs/README.md +++ /dev/null 
@@ -1,926 +0,0 @@ -# Fortinet FortiMail Integration - -This integration is for Fortinet FortiMail logs sent in the syslog format. - -## Compatibility - -This integration has been tested against FortiOS version 6.0.x and 6.2.x. Versions above this are expected to work but have not been tested. - -### Log - -The `log` dataset collects Fortinet FortiMail logs. - -An example event for `log` looks as following: - -```json -{ - "@timestamp": "2016-01-29T06:09:59.000Z", - "agent": { - "ephemeral_id": "821504b9-6e80-4572-aae7-c5bb3cf38906", - "id": "4e3f135a-d5f9-40b6-ae01-2c834ecbead0", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "8.0.0" - }, - "data_stream": { - "dataset": "fortinet_fortimail.log", - "namespace": "ep", - "type": "logs" - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "4e3f135a-d5f9-40b6-ae01-2c834ecbead0", - "snapshot": true, - "version": "8.0.0" - }, - "event": { - "action": "event", - "agent_id_status": "verified", - "code": "nes", - "dataset": "fortinet_fortimail.log", - "ingested": "2022-01-25T12:29:32Z", - "original": "date=2016-1-29 time=06:09:59 device_id=pexe log_id=nes log_part=eab type=event subtype=update pri=high msg=\"boNemoe\"\n", - "timezone": "+00:00" - }, - "input": { - "type": "udp" - }, - "log": { - "level": "high", - "source": { - "address": "172.30.0.4:44540" - } - }, - "observer": { - "product": "FortiMail", - "type": "Firewall", - "vendor": "Fortinet" - }, - "rsa": { - "internal": { - "event_desc": "boNemoe", - "messageid": "event_update" - }, - "misc": { - "category": "update", - "event_type": "event", - "hardware_id": "pexe", - "msgIdPart1": "event", - "msgIdPart2": "update", - "reference_id": "nes", - "reference_id1": "eab", - "severity": "high" - }, - "time": { - "event_time": "2016-01-29T06:09:59.000Z" - } - }, - "tags": [ - "preserve_original_event", - "fortinet-fortimail", - "forwarded" - ] -} -``` - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| 
@timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. | date | -| client.domain | The domain name of the client system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | -| client.registered_domain | The highest registered client domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | -| client.subdomain | The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword | -| client.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". 
| keyword | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| destination.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| destination.as.organization.name | Organization name. | keyword | -| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. 
| match_only_text | -| destination.bytes | Bytes sent from the destination to the source. | long | -| destination.domain | The domain name of the destination system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | -| destination.geo.city_name | City name. | keyword | -| destination.geo.country_name | Country name. | keyword | -| destination.geo.location | Longitude and latitude. | geo_point | -| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | -| destination.mac | MAC address of the destination. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | -| destination.nat.ip | Translated ip of destination based NAT sessions (e.g. internet to private DMZ) Typically used with load balancers, firewalls, or routers. | ip | -| destination.nat.port | Port the source session is translated to by NAT Device. Typically used with load balancers, firewalls, or routers. | long | -| destination.port | Port of the destination. | long | -| destination.registered_domain | The highest registered destination domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | -| destination.subdomain | The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. 
In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword | -| destination.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | -| dns.answers.name | The domain name to which this resource record pertains. If a chain of CNAME is being resolved, each answer's `name` should be the one that corresponds with the answer's `data`. It should not simply be the original `question.name` repeated. | keyword | -| dns.answers.type | The type of data contained in this resource record. | keyword | -| dns.question.domain | Server domain. | keyword | -| dns.question.registered_domain | The highest registered domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | -| dns.question.subdomain | The subdomain is all of the labels under the registered_domain. If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. 
| keyword | -| dns.question.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | -| dns.question.type | The type of record being queried. | keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| error.message | Error message. | match_only_text | -| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword | -| event.code | Identification code for this event, if one exists. Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. | keyword | -| event.dataset | Event dataset | constant_keyword | -| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | -| event.module | Event module | constant_keyword | -| event.original | Raw text message of entire event. 
Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | -| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | -| event.timezone | This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). | keyword | -| file.attributes | Array of file attributes. Attributes names will vary by platform. Here's a non-exhaustive list of values that are expected in this field: archive, compressed, directory, encrypted, execute, hidden, read, readonly, system, write. | keyword | -| file.directory | Directory where the file is located. 
It should include the drive letter, when appropriate. | keyword | -| file.extension | File extension, excluding the leading dot. Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword | -| file.name | Name of the file including the extension, without the directory. | keyword | -| file.path | Full path to the file, including the file name. It should include the drive letter, when appropriate. | keyword | -| file.path.text | Multi-field of `file.path`. | match_only_text | -| file.size | File size in bytes. Only relevant when `file.type` is "file". | long | -| file.type | File type (file, dir, or symlink). | keyword | -| geo.city_name | City name. | keyword | -| geo.country_name | Country name. | keyword | -| geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | -| geo.region_name | Region name. | keyword | -| group.id | Unique identifier for the group on the system/platform. | keyword | -| group.name | Name of the group. | keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host MAC addresses. 
The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| http.request.method | HTTP request method. The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field. | keyword | -| http.request.referrer | Referrer for this HTTP request. | keyword | -| input.type | Type of Filebeat input. | keyword | -| log.file.path | Full path to the log file this event came from. | keyword | -| log.flags | Flags for the log file. | keyword | -| log.level | Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). 
Some examples are `warn`, `err`, `i`, `informational`. | keyword | -| log.offset | Offset of the entry in the log file. | long | -| log.source.address | Source address from which the log event was read / sent from. | keyword | -| log.syslog.facility.code | The Syslog numeric facility of the log event, if available. According to RFCs 5424 and 3164, this value should be an integer between 0 and 23. | long | -| log.syslog.priority | Syslog numeric priority of the event, if available. According to RFCs 5424 and 3164, the priority is 8 \* facility + severity. This number is therefore expected to contain a value between 0 and 191. | long | -| log.syslog.severity.code | The Syslog numeric severity of the log event, if available. If the event source publishing via Syslog provides a different numeric severity value (e.g. firewall, IDS), your source's numeric severity should go to `event.severity`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `event.severity`. | long | -| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | -| network.application | When a specific application or service is identified from network connection details (source/dest IPs, ports, certificates, or wire format), this field captures the application's or service's name. For example, the original event identifies the network connection being from a specific web service in a `https` network connection, like `facebook` or `twitter`. The field value must be normalized to lowercase for querying. | keyword | -| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. 
| long | -| network.direction | Direction of the network traffic. Recommended values are: \* ingress \* egress \* inbound \* outbound \* internal \* external \* unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword | -| network.forwarded_ip | Host IP address when the source IP address is the proxy. | ip | -| network.interface.name | | keyword | -| network.packets | Total packets transferred in both directions. If `source.packets` and `destination.packets` are known, `network.packets` is their sum. | long | -| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword | -| observer.egress.interface.name | Interface name as reported by the system. | keyword | -| observer.ingress.interface.name | Interface name as reported by the system. | keyword | -| observer.product | The product name of the observer. | keyword | -| observer.type | The type of the observer the data is coming from. There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. | keyword | -| observer.vendor | Vendor name of the observer. | keyword | -| observer.version | Observer version. | keyword | -| process.name | Process name. 
Sometimes called program name or similar. | keyword | -| process.name.text | Multi-field of `process.name`. | match_only_text | -| process.parent.name | Process name. Sometimes called program name or similar. | keyword | -| process.parent.name.text | Multi-field of `process.parent.name`. | match_only_text | -| process.parent.pid | Process id. | long | -| process.parent.title | Process title. The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. | keyword | -| process.parent.title.text | Multi-field of `process.parent.title`. | match_only_text | -| process.pid | Process id. | long | -| process.title | Process title. The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. | keyword | -| process.title.text | Multi-field of `process.title`. | match_only_text | -| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| related.user | All the user names or other user identifiers seen on the event. 
| keyword | -| rsa.counters.dclass_c1 | This is a generic counter key that should be used with the label dclass.c1.str only | long | -| rsa.counters.dclass_c1_str | This is a generic counter string key that should be used with the label dclass.c1 only | keyword | -| rsa.counters.dclass_c2 | This is a generic counter key that should be used with the label dclass.c2.str only | long | -| rsa.counters.dclass_c2_str | This is a generic counter string key that should be used with the label dclass.c2 only | keyword | -| rsa.counters.dclass_c3 | This is a generic counter key that should be used with the label dclass.c3.str only | long | -| rsa.counters.dclass_c3_str | This is a generic counter string key that should be used with the label dclass.c3 only | keyword | -| rsa.counters.dclass_r1 | This is a generic ratio key that should be used with the label dclass.r1.str only | keyword | -| rsa.counters.dclass_r1_str | This is a generic ratio string key that should be used with the label dclass.r1 only | keyword | -| rsa.counters.dclass_r2 | This is a generic ratio key that should be used with the label dclass.r2.str only | keyword | -| rsa.counters.dclass_r2_str | This is a generic ratio string key that should be used with the label dclass.r2 only | keyword | -| rsa.counters.dclass_r3 | This is a generic ratio key that should be used with the label dclass.r3.str only | keyword | -| rsa.counters.dclass_r3_str | This is a generic ratio string key that should be used with the label dclass.r3 only | keyword | -| rsa.counters.event_counter | This is used to capture the number of times an event repeated | long | -| rsa.crypto.cert_ca | This key is used to capture the Certificate signing authority only | keyword | -| rsa.crypto.cert_checksum | | keyword | -| rsa.crypto.cert_common | This key is used to capture the Certificate common name only | keyword | -| rsa.crypto.cert_error | This key captures the Certificate Error String | keyword | -| rsa.crypto.cert_host_cat | This key is 
used for the hostname category value of a certificate | keyword | -| rsa.crypto.cert_host_name | Deprecated key defined only in table map. | keyword | -| rsa.crypto.cert_issuer | | keyword | -| rsa.crypto.cert_keysize | | keyword | -| rsa.crypto.cert_serial | This key is used to capture the Certificate serial number only | keyword | -| rsa.crypto.cert_status | This key captures Certificate validation status | keyword | -| rsa.crypto.cert_subject | This key is used to capture the Certificate organization only | keyword | -| rsa.crypto.cert_username | | keyword | -| rsa.crypto.cipher_dst | This key is for Destination (Server) Cipher | keyword | -| rsa.crypto.cipher_size_dst | This key captures Destination (Server) Cipher Size | long | -| rsa.crypto.cipher_size_src | This key captures Source (Client) Cipher Size | long | -| rsa.crypto.cipher_src | This key is for Source (Client) Cipher | keyword | -| rsa.crypto.crypto | This key is used to capture the Encryption Type or Encryption Key only | keyword | -| rsa.crypto.d_certauth | | keyword | -| rsa.crypto.https_insact | | keyword | -| rsa.crypto.https_valid | | keyword | -| rsa.crypto.ike | IKE negotiation phase. 
| keyword | -| rsa.crypto.ike_cookie1 | ID of the negotiation — sent for ISAKMP Phase One | keyword | -| rsa.crypto.ike_cookie2 | ID of the negotiation — sent for ISAKMP Phase Two | keyword | -| rsa.crypto.peer | This key is for Encryption peer's IP Address | keyword | -| rsa.crypto.peer_id | This key is for Encryption peer’s identity | keyword | -| rsa.crypto.s_certauth | | keyword | -| rsa.crypto.scheme | This key captures the Encryption scheme used | keyword | -| rsa.crypto.sig_type | This key captures the Signature Type | keyword | -| rsa.crypto.ssl_ver_dst | Deprecated, use version | keyword | -| rsa.crypto.ssl_ver_src | Deprecated, use version | keyword | -| rsa.db.database | This key is used to capture the name of a database or an instance as seen in a session | keyword | -| rsa.db.db_id | This key is used to capture the unique identifier for a database | keyword | -| rsa.db.db_pid | This key captures the process id of a connection with database server | long | -| rsa.db.index | This key captures IndexID of the index. | keyword | -| rsa.db.instance | This key is used to capture the database server instance name | keyword | -| rsa.db.lread | This key is used for the number of logical reads | long | -| rsa.db.lwrite | This key is used for the number of logical writes | long | -| rsa.db.permissions | This key captures permission or privilege level assigned to a resource. 
| keyword | -| rsa.db.pread | This key is used for the number of physical writes | long | -| rsa.db.table_name | This key is used to capture the table name | keyword | -| rsa.db.transact_id | This key captures the SQL transantion ID of the current session | keyword | -| rsa.email.email | This key is used to capture a generic email address where the source or destination context is not clear | keyword | -| rsa.email.email_dst | This key is used to capture the Destination email address only, when the destination context is not clear use email | keyword | -| rsa.email.email_src | This key is used to capture the source email address only, when the source context is not clear use email | keyword | -| rsa.email.subject | This key is used to capture the subject string from an Email only. | keyword | -| rsa.email.trans_from | Deprecated key defined only in table map. | keyword | -| rsa.email.trans_to | Deprecated key defined only in table map. | keyword | -| rsa.endpoint.host_state | This key is used to capture the current state of the machine, such as \blacklisted\, \infected\, \firewall disabled\ and so on | keyword | -| rsa.endpoint.registry_key | This key captures the path to the registry key | keyword | -| rsa.endpoint.registry_value | This key captures values or decorators used within a registry entry | keyword | -| rsa.file.attachment | This key captures the attachment file name | keyword | -| rsa.file.binary | Deprecated key defined only in table map. 
| keyword | -| rsa.file.directory_dst | \This key is used to capture the directory of the target process or file\ | keyword | -| rsa.file.directory_src | This key is used to capture the directory of the source process or file | keyword | -| rsa.file.file_entropy | This is used to capture entropy vale of a file | double | -| rsa.file.file_vendor | This is used to capture Company name of file located in version_info | keyword | -| rsa.file.filename_dst | This is used to capture name of the file targeted by the action | keyword | -| rsa.file.filename_src | This is used to capture name of the parent filename, the file which performed the action | keyword | -| rsa.file.filename_tmp | | keyword | -| rsa.file.filesystem | | keyword | -| rsa.file.privilege | Deprecated, use permissions | keyword | -| rsa.file.task_name | This is used to capture name of the task | keyword | -| rsa.healthcare.patient_fname | This key is for First Names only, this is used for Healthcare predominantly to capture Patients information | keyword | -| rsa.healthcare.patient_id | This key captures the unique ID for a patient | keyword | -| rsa.healthcare.patient_lname | This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information | keyword | -| rsa.healthcare.patient_mname | This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information | keyword | -| rsa.identity.accesses | This key is used to capture actual privileges used in accessing an object | keyword | -| rsa.identity.auth_method | This key is used to capture authentication methods used only | keyword | -| rsa.identity.dn | X.500 (LDAP) Distinguished Name | keyword | -| rsa.identity.dn_dst | An X.500 (LDAP) Distinguished name that used in a context that indicates a Destination dn | keyword | -| rsa.identity.dn_src | An X.500 (LDAP) Distinguished name that is used in a context that indicates a Source dn | keyword | -| rsa.identity.federated_idp | This 
key is the federated Identity Provider. This is the server providing the authentication. | keyword | -| rsa.identity.federated_sp | This key is the Federated Service Provider. This is the application requesting authentication. | keyword | -| rsa.identity.firstname | This key is for First Names only, this is used for Healthcare predominantly to capture Patients information | keyword | -| rsa.identity.host_role | This key should only be used to capture the role of a Host Machine | keyword | -| rsa.identity.lastname | This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information | keyword | -| rsa.identity.ldap | This key is for Uninterpreted LDAP values. Ldap Values that don’t have a clear query or response context | keyword | -| rsa.identity.ldap_query | This key is the Search criteria from an LDAP search | keyword | -| rsa.identity.ldap_response | This key is to capture Results from an LDAP search | keyword | -| rsa.identity.logon_type | This key is used to capture the type of logon method used. | keyword | -| rsa.identity.logon_type_desc | This key is used to capture the textual description of an integer logon type as stored in the meta key 'logon.type'. 
| keyword | -| rsa.identity.middlename | This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information | keyword | -| rsa.identity.org | This key captures the User organization | keyword | -| rsa.identity.owner | This is used to capture username the process or service is running as, the author of the task | keyword | -| rsa.identity.password | This key is for Passwords seen in any session, plain text or encrypted | keyword | -| rsa.identity.profile | This key is used to capture the user profile | keyword | -| rsa.identity.realm | Radius realm or similar grouping of accounts | keyword | -| rsa.identity.service_account | This key is a windows specific key, used for capturing name of the account a service (referenced in the event) is running under. Legacy Usage | keyword | -| rsa.identity.user_dept | User's Department Names only | keyword | -| rsa.identity.user_role | This key is used to capture the Role of a user only | keyword | -| rsa.identity.user_sid_dst | This key captures Destination User Session ID | keyword | -| rsa.identity.user_sid_src | This key captures Source User Session ID | keyword | -| rsa.internal.audit_class | Deprecated key defined only in table map. | keyword | -| rsa.internal.cid | This is the unique identifier used to identify a NetWitness Concentrator. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | -| rsa.internal.data | Deprecated key defined only in table map. | keyword | -| rsa.internal.dead | Deprecated key defined only in table map. | long | -| rsa.internal.device_class | This is the Classification of the Log Event Source under a predefined fixed set of Event Source Classifications. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | -| rsa.internal.device_group | This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | -| rsa.internal.device_host | This is the Hostname of the log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | -| rsa.internal.device_ip | This is the IPv4 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | ip | -| rsa.internal.device_ipv6 | This is the IPv6 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | ip | -| rsa.internal.device_type | This is the name of the log parser which parsed a given session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | -| rsa.internal.device_type_id | Deprecated key defined only in table map. | long | -| rsa.internal.did | This is the unique identifier used to identify a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | -| rsa.internal.entropy_req | This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration | long | -| rsa.internal.entropy_res | This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration | long | -| rsa.internal.entry | Deprecated key defined only in table map. 
| keyword | -| rsa.internal.event_desc | | keyword | -| rsa.internal.event_name | Deprecated key defined only in table map. | keyword | -| rsa.internal.feed_category | This is used to capture the category of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | -| rsa.internal.feed_desc | This is used to capture the description of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | -| rsa.internal.feed_name | This is used to capture the name of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | -| rsa.internal.forward_ip | This key should be used to capture the IPV4 address of a relay system which forwarded the events from the original system to NetWitness. | ip | -| rsa.internal.forward_ipv6 | This key is used to capture the IPV6 address of a relay system which forwarded the events from the original system to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | ip | -| rsa.internal.hcode | Deprecated key defined only in table map. | keyword | -| rsa.internal.header_id | This is the Header ID value that identifies the exact log parser header definition that parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | -| rsa.internal.inode | Deprecated key defined only in table map. | long | -| rsa.internal.lc_cid | This is a unique Identifier of a Log Collector. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | -| rsa.internal.lc_ctime | This is the time at which a log is collected in a NetWitness Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | date | -| rsa.internal.level | Deprecated key defined only in table map. | long | -| rsa.internal.mcb_req | This key is only used by the Entropy Parser, the most common byte request is simply which byte for each side (0 thru 255) was seen the most | long | -| rsa.internal.mcb_res | This key is only used by the Entropy Parser, the most common byte response is simply which byte for each side (0 thru 255) was seen the most | long | -| rsa.internal.mcbc_req | This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams | long | -| rsa.internal.mcbc_res | This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams | long | -| rsa.internal.medium | This key is used to identify if it’s a log/packet session or Layer 2 Encapsulation Type. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. 32 = log, 33 = correlation session, < 32 is packet session | long | -| rsa.internal.message | This key captures the contents of instant messages | keyword | -| rsa.internal.messageid | | keyword | -| rsa.internal.msg | This key is used to capture the raw message that comes into the Log Decoder | keyword | -| rsa.internal.msg_id | This is the Message ID1 value that identifies the exact log parser definition which parses a particular log session. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | -| rsa.internal.msg_vid | This is the Message ID2 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | -| rsa.internal.node_name | Deprecated key defined only in table map. | keyword | -| rsa.internal.nwe_callback_id | This key denotes that event is endpoint related | keyword | -| rsa.internal.obj_id | Deprecated key defined only in table map. | keyword | -| rsa.internal.obj_server | Deprecated key defined only in table map. | keyword | -| rsa.internal.obj_val | Deprecated key defined only in table map. | keyword | -| rsa.internal.parse_error | This is a special key that stores any Meta key validation error found while parsing a log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | -| rsa.internal.payload_req | This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep | long | -| rsa.internal.payload_res | This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep | long | -| rsa.internal.process_vid_dst | Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the target process. | keyword | -| rsa.internal.process_vid_src | Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the source process. | keyword | -| rsa.internal.resource | Deprecated key defined only in table map. 
| keyword | -| rsa.internal.resource_class | Deprecated key defined only in table map. | keyword | -| rsa.internal.rid | This is a special ID of the Remote Session created by NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | long | -| rsa.internal.session_split | This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | -| rsa.internal.site | Deprecated key defined only in table map. | keyword | -| rsa.internal.size | This is the size of the session as seen by the NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | long | -| rsa.internal.sourcefile | This is the name of the log file or PCAPs that can be imported into NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | -| rsa.internal.statement | Deprecated key defined only in table map. | keyword | -| rsa.internal.time | This is the time at which a session hits a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. | date | -| rsa.internal.ubc_req | This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once | long | -| rsa.internal.ubc_res | This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 
256 would mean all byte values of 0 thru 255 were seen at least once | long | -| rsa.internal.word | This is used by the Word Parsing technology to capture the first 5 character of every word in an unparsed log | keyword | -| rsa.investigations.analysis_file | This is used to capture all indicators used in a File Analysis. This key should be used to capture an analysis of a file | keyword | -| rsa.investigations.analysis_service | This is used to capture all indicators used in a Service Analysis. This key should be used to capture an analysis of a service | keyword | -| rsa.investigations.analysis_session | This is used to capture all indicators used for a Session Analysis. This key should be used to capture an analysis of a session | keyword | -| rsa.investigations.boc | This is used to capture behaviour of compromise | keyword | -| rsa.investigations.ec_activity | This key captures the particular event activity(Ex:Logoff) | keyword | -| rsa.investigations.ec_outcome | This key captures the outcome of a particular Event(Ex:Success) | keyword | -| rsa.investigations.ec_subject | This key captures the Subject of a particular Event(Ex:User) | keyword | -| rsa.investigations.ec_theme | This key captures the Theme of a particular Event(Ex:Authentication) | keyword | -| rsa.investigations.eoc | This is used to capture Enablers of Compromise | keyword | -| rsa.investigations.event_cat | This key captures the Event category number | long | -| rsa.investigations.event_cat_name | This key captures the event category name corresponding to the event cat code | keyword | -| rsa.investigations.event_vcat | This is a vendor supplied category. This should be used in situations where the vendor has adopted their own event_category taxonomy. 
| keyword | -| rsa.investigations.inv_category | This used to capture investigation category | keyword | -| rsa.investigations.inv_context | This used to capture investigation context | keyword | -| rsa.investigations.ioc | This is key capture indicator of compromise | keyword | -| rsa.misc.OS | This key captures the Name of the Operating System | keyword | -| rsa.misc.acl_id | | keyword | -| rsa.misc.acl_op | | keyword | -| rsa.misc.acl_pos | | keyword | -| rsa.misc.acl_table | | keyword | -| rsa.misc.action | | keyword | -| rsa.misc.admin | | keyword | -| rsa.misc.agent_id | This key is used to capture agent id | keyword | -| rsa.misc.alarm_id | | keyword | -| rsa.misc.alarmname | | keyword | -| rsa.misc.alert_id | Deprecated, New Hunting Model (inv.\*, ioc, boc, eoc, analysis.\*) | keyword | -| rsa.misc.app_id | | keyword | -| rsa.misc.audit | | keyword | -| rsa.misc.audit_object | | keyword | -| rsa.misc.auditdata | | keyword | -| rsa.misc.autorun_type | This is used to capture Auto Run type | keyword | -| rsa.misc.benchmark | | keyword | -| rsa.misc.bypass | | keyword | -| rsa.misc.cache | | keyword | -| rsa.misc.cache_hit | | keyword | -| rsa.misc.category | This key is used to capture the category of an event given by the vendor in the session | keyword | -| rsa.misc.cc_number | Valid Credit Card Numbers only | long | -| rsa.misc.cefversion | | keyword | -| rsa.misc.cfg_attr | | keyword | -| rsa.misc.cfg_obj | | keyword | -| rsa.misc.cfg_path | | keyword | -| rsa.misc.change_attrib | This key is used to capture the name of the attribute that’s changing in a session | keyword | -| rsa.misc.change_new | This key is used to capture the new values of the attribute that’s changing in a session | keyword | -| rsa.misc.change_old | This key is used to capture the old value of the attribute that’s changing in a session | keyword | -| rsa.misc.changes | | keyword | -| rsa.misc.checksum | This key is used to capture the checksum or hash of the entity such as a file or 
process. Checksum should be used over checksum.src or checksum.dst when it is unclear whether the entity is a source or target of an action. | keyword | -| rsa.misc.checksum_dst | This key is used to capture the checksum or hash of the the target entity such as a process or file. | keyword | -| rsa.misc.checksum_src | This key is used to capture the checksum or hash of the source entity such as a file or process. | keyword | -| rsa.misc.client | This key is used to capture only the name of the client application requesting resources of the server. See the user.agent meta key for capture of the specific user agent identifier or browser identification string. | keyword | -| rsa.misc.client_ip | | keyword | -| rsa.misc.clustermembers | | keyword | -| rsa.misc.cmd | | keyword | -| rsa.misc.cn_acttimeout | | keyword | -| rsa.misc.cn_asn_src | | keyword | -| rsa.misc.cn_bgpv4nxthop | | keyword | -| rsa.misc.cn_ctr_dst_code | | keyword | -| rsa.misc.cn_dst_tos | | keyword | -| rsa.misc.cn_dst_vlan | | keyword | -| rsa.misc.cn_engine_id | | keyword | -| rsa.misc.cn_engine_type | | keyword | -| rsa.misc.cn_f_switch | | keyword | -| rsa.misc.cn_flowsampid | | keyword | -| rsa.misc.cn_flowsampintv | | keyword | -| rsa.misc.cn_flowsampmode | | keyword | -| rsa.misc.cn_inacttimeout | | keyword | -| rsa.misc.cn_inpermbyts | | keyword | -| rsa.misc.cn_inpermpckts | | keyword | -| rsa.misc.cn_invalid | | keyword | -| rsa.misc.cn_ip_proto_ver | | keyword | -| rsa.misc.cn_ipv4_ident | | keyword | -| rsa.misc.cn_l_switch | | keyword | -| rsa.misc.cn_log_did | | keyword | -| rsa.misc.cn_log_rid | | keyword | -| rsa.misc.cn_max_ttl | | keyword | -| rsa.misc.cn_maxpcktlen | | keyword | -| rsa.misc.cn_min_ttl | | keyword | -| rsa.misc.cn_minpcktlen | | keyword | -| rsa.misc.cn_mpls_lbl_1 | | keyword | -| rsa.misc.cn_mpls_lbl_10 | | keyword | -| rsa.misc.cn_mpls_lbl_2 | | keyword | -| rsa.misc.cn_mpls_lbl_3 | | keyword | -| rsa.misc.cn_mpls_lbl_4 | | keyword | -| rsa.misc.cn_mpls_lbl_5 | 
| keyword | -| rsa.misc.cn_mpls_lbl_6 | | keyword | -| rsa.misc.cn_mpls_lbl_7 | | keyword | -| rsa.misc.cn_mpls_lbl_8 | | keyword | -| rsa.misc.cn_mpls_lbl_9 | | keyword | -| rsa.misc.cn_mplstoplabel | | keyword | -| rsa.misc.cn_mplstoplabip | | keyword | -| rsa.misc.cn_mul_dst_byt | | keyword | -| rsa.misc.cn_mul_dst_pks | | keyword | -| rsa.misc.cn_muligmptype | | keyword | -| rsa.misc.cn_sampalgo | | keyword | -| rsa.misc.cn_sampint | | keyword | -| rsa.misc.cn_seqctr | | keyword | -| rsa.misc.cn_spackets | | keyword | -| rsa.misc.cn_src_tos | | keyword | -| rsa.misc.cn_src_vlan | | keyword | -| rsa.misc.cn_sysuptime | | keyword | -| rsa.misc.cn_template_id | | keyword | -| rsa.misc.cn_totbytsexp | | keyword | -| rsa.misc.cn_totflowexp | | keyword | -| rsa.misc.cn_totpcktsexp | | keyword | -| rsa.misc.cn_unixnanosecs | | keyword | -| rsa.misc.cn_v6flowlabel | | keyword | -| rsa.misc.cn_v6optheaders | | keyword | -| rsa.misc.code | | keyword | -| rsa.misc.command | | keyword | -| rsa.misc.comments | Comment information provided in the log message | keyword | -| rsa.misc.comp_class | | keyword | -| rsa.misc.comp_name | | keyword | -| rsa.misc.comp_rbytes | | keyword | -| rsa.misc.comp_sbytes | | keyword | -| rsa.misc.comp_version | This key captures the Version level of a sub-component of a product. | keyword | -| rsa.misc.connection_id | This key captures the Connection ID | keyword | -| rsa.misc.content | This key captures the content type from protocol headers | keyword | -| rsa.misc.content_type | This key is used to capture Content Type only. | keyword | -| rsa.misc.content_version | This key captures Version level of a signature or database content. | keyword | -| rsa.misc.context | This key captures Information which adds additional context to the event. 
| keyword | -| rsa.misc.context_subject | This key is to be used in an audit context where the subject is the object being identified | keyword | -| rsa.misc.context_target | | keyword | -| rsa.misc.count | | keyword | -| rsa.misc.cpu | This key is the CPU time used in the execution of the event being recorded. | long | -| rsa.misc.cpu_data | | keyword | -| rsa.misc.criticality | | keyword | -| rsa.misc.cs_agency_dst | | keyword | -| rsa.misc.cs_analyzedby | | keyword | -| rsa.misc.cs_av_other | | keyword | -| rsa.misc.cs_av_primary | | keyword | -| rsa.misc.cs_av_secondary | | keyword | -| rsa.misc.cs_bgpv6nxthop | | keyword | -| rsa.misc.cs_bit9status | | keyword | -| rsa.misc.cs_context | | keyword | -| rsa.misc.cs_control | | keyword | -| rsa.misc.cs_data | | keyword | -| rsa.misc.cs_datecret | | keyword | -| rsa.misc.cs_dst_tld | | keyword | -| rsa.misc.cs_eth_dst_ven | | keyword | -| rsa.misc.cs_eth_src_ven | | keyword | -| rsa.misc.cs_event_uuid | | keyword | -| rsa.misc.cs_filetype | | keyword | -| rsa.misc.cs_fld | | keyword | -| rsa.misc.cs_if_desc | | keyword | -| rsa.misc.cs_if_name | | keyword | -| rsa.misc.cs_ip_next_hop | | keyword | -| rsa.misc.cs_ipv4dstpre | | keyword | -| rsa.misc.cs_ipv4srcpre | | keyword | -| rsa.misc.cs_lifetime | | keyword | -| rsa.misc.cs_log_medium | | keyword | -| rsa.misc.cs_loginname | | keyword | -| rsa.misc.cs_modulescore | | keyword | -| rsa.misc.cs_modulesign | | keyword | -| rsa.misc.cs_opswatresult | | keyword | -| rsa.misc.cs_payload | | keyword | -| rsa.misc.cs_registrant | | keyword | -| rsa.misc.cs_registrar | | keyword | -| rsa.misc.cs_represult | | keyword | -| rsa.misc.cs_rpayload | | keyword | -| rsa.misc.cs_sampler_name | | keyword | -| rsa.misc.cs_sourcemodule | | keyword | -| rsa.misc.cs_streams | | keyword | -| rsa.misc.cs_targetmodule | | keyword | -| rsa.misc.cs_v6nxthop | | keyword | -| rsa.misc.cs_whois_server | | keyword | -| rsa.misc.cs_yararesult | | keyword | -| rsa.misc.cve | This key captures 
CVE (Common Vulnerabilities and Exposures) - an identifier for known information security vulnerabilities. | keyword | -| rsa.misc.data_type | | keyword | -| rsa.misc.description | | keyword | -| rsa.misc.device_name | This is used to capture name of the Device associated with the node Like: a physical disk, printer, etc | keyword | -| rsa.misc.devvendor | | keyword | -| rsa.misc.disposition | This key captures the The end state of an action. | keyword | -| rsa.misc.distance | | keyword | -| rsa.misc.doc_number | This key captures File Identification number | long | -| rsa.misc.dstburb | | keyword | -| rsa.misc.edomain | | keyword | -| rsa.misc.edomaub | | keyword | -| rsa.misc.ein_number | Employee Identification Numbers only | long | -| rsa.misc.error | This key captures All non successful Error codes or responses | keyword | -| rsa.misc.euid | | keyword | -| rsa.misc.event_category | | keyword | -| rsa.misc.event_computer | This key is a windows only concept, where this key is used to capture fully qualified domain name in a windows log. | keyword | -| rsa.misc.event_desc | This key is used to capture a description of an event available directly or inferred | keyword | -| rsa.misc.event_id | | keyword | -| rsa.misc.event_log | This key captures the Name of the event log | keyword | -| rsa.misc.event_source | This key captures Source of the event that’s not a hostname | keyword | -| rsa.misc.event_state | This key captures the current state of the object/item referenced within the event. Describing an on-going event. | keyword | -| rsa.misc.event_type | This key captures the event category type as specified by the event source. | keyword | -| rsa.misc.event_user | This key is a windows only concept, where this key is used to capture combination of domain name and username in a windows log. | keyword | -| rsa.misc.expected_val | This key captures the Value expected (from the perspective of the device generating the log). 
| keyword | -| rsa.misc.facility | | keyword | -| rsa.misc.facilityname | | keyword | -| rsa.misc.fcatnum | This key captures Filter Category Number. Legacy Usage | keyword | -| rsa.misc.filter | This key captures Filter used to reduce result set | keyword | -| rsa.misc.finterface | | keyword | -| rsa.misc.flags | | keyword | -| rsa.misc.forensic_info | | keyword | -| rsa.misc.found | This is used to capture the results of regex match | keyword | -| rsa.misc.fresult | This key captures the Filter Result | long | -| rsa.misc.gaddr | | keyword | -| rsa.misc.group | This key captures the Group Name value | keyword | -| rsa.misc.group_id | This key captures Group ID Number (related to the group name) | keyword | -| rsa.misc.group_object | This key captures a collection/grouping of entities. Specific usage | keyword | -| rsa.misc.hardware_id | This key is used to capture unique identifier for a device or system (NOT a Mac address) | keyword | -| rsa.misc.id3 | | keyword | -| rsa.misc.im_buddyid | | keyword | -| rsa.misc.im_buddyname | | keyword | -| rsa.misc.im_client | | keyword | -| rsa.misc.im_croomid | | keyword | -| rsa.misc.im_croomtype | | keyword | -| rsa.misc.im_members | | keyword | -| rsa.misc.im_userid | | keyword | -| rsa.misc.im_username | | keyword | -| rsa.misc.index | | keyword | -| rsa.misc.inout | | keyword | -| rsa.misc.ipkt | | keyword | -| rsa.misc.ipscat | | keyword | -| rsa.misc.ipspri | | keyword | -| rsa.misc.job_num | This key captures the Job Number | keyword | -| rsa.misc.jobname | | keyword | -| rsa.misc.language | This is used to capture list of languages the client support and what it prefers | keyword | -| rsa.misc.latitude | | keyword | -| rsa.misc.library | This key is used to capture library information in mainframe devices | keyword | -| rsa.misc.lifetime | This key is used to capture the session lifetime in seconds. | long | -| rsa.misc.linenum | | keyword | -| rsa.misc.link | This key is used to link the sessions together. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | -| rsa.misc.list_name | | keyword | -| rsa.misc.listnum | This key is used to capture listname or listnumber, primarily for collecting access-list | keyword | -| rsa.misc.load_data | | keyword | -| rsa.misc.location_floor | | keyword | -| rsa.misc.location_mark | | keyword | -| rsa.misc.log_id | | keyword | -| rsa.misc.log_session_id | This key is used to capture a sessionid from the session directly | keyword | -| rsa.misc.log_session_id1 | This key is used to capture a Linked (Related) Session ID from the session directly | keyword | -| rsa.misc.log_type | | keyword | -| rsa.misc.logid | | keyword | -| rsa.misc.logip | | keyword | -| rsa.misc.logname | | keyword | -| rsa.misc.longitude | | keyword | -| rsa.misc.lport | | keyword | -| rsa.misc.mail_id | This key is used to capture the mailbox id/name | keyword | -| rsa.misc.match | This key is for regex match name from search.ini | keyword | -| rsa.misc.mbug_data | | keyword | -| rsa.misc.message_body | This key captures the The contents of the message body. | keyword | -| rsa.misc.misc | | keyword | -| rsa.misc.misc_name | | keyword | -| rsa.misc.mode | | keyword | -| rsa.misc.msgIdPart1 | | keyword | -| rsa.misc.msgIdPart2 | | keyword | -| rsa.misc.msgIdPart3 | | keyword | -| rsa.misc.msgIdPart4 | | keyword | -| rsa.misc.msg_type | | keyword | -| rsa.misc.msgid | | keyword | -| rsa.misc.name | | keyword | -| rsa.misc.netsessid | | keyword | -| rsa.misc.node | Common use case is the node name within a cluster. The cluster name is reflected by the host name. 
| keyword | -| rsa.misc.ntype | | keyword | -| rsa.misc.num | | keyword | -| rsa.misc.number | | keyword | -| rsa.misc.number1 | | keyword | -| rsa.misc.number2 | | keyword | -| rsa.misc.nwwn | | keyword | -| rsa.misc.obj_name | This is used to capture name of object | keyword | -| rsa.misc.obj_type | This is used to capture type of object | keyword | -| rsa.misc.object | | keyword | -| rsa.misc.observed_val | This key captures the Value observed (from the perspective of the device generating the log). | keyword | -| rsa.misc.operation | | keyword | -| rsa.misc.operation_id | An alert number or operation number. The values should be unique and non-repeating. | keyword | -| rsa.misc.opkt | | keyword | -| rsa.misc.orig_from | | keyword | -| rsa.misc.owner_id | | keyword | -| rsa.misc.p_action | | keyword | -| rsa.misc.p_filter | | keyword | -| rsa.misc.p_group_object | | keyword | -| rsa.misc.p_id | | keyword | -| rsa.misc.p_msgid | | keyword | -| rsa.misc.p_msgid1 | | keyword | -| rsa.misc.p_msgid2 | | keyword | -| rsa.misc.p_result1 | | keyword | -| rsa.misc.param | This key is the parameters passed as part of a command or application, etc. | keyword | -| rsa.misc.param_dst | This key captures the command line/launch argument of the target process or file | keyword | -| rsa.misc.param_src | This key captures source parameter | keyword | -| rsa.misc.parent_node | This key captures the Parent Node Name. Must be related to node variable. 
| keyword | -| rsa.misc.password_chg | | keyword | -| rsa.misc.password_expire | | keyword | -| rsa.misc.payload_dst | This key is used to capture destination payload | keyword | -| rsa.misc.payload_src | This key is used to capture source payload | keyword | -| rsa.misc.permgranted | | keyword | -| rsa.misc.permwanted | | keyword | -| rsa.misc.pgid | | keyword | -| rsa.misc.phone | | keyword | -| rsa.misc.pid | | keyword | -| rsa.misc.policy | | keyword | -| rsa.misc.policyUUID | | keyword | -| rsa.misc.policy_id | This key is used to capture the Policy ID only, this should be a numeric value, use policy.name otherwise | keyword | -| rsa.misc.policy_name | This key is used to capture the Policy Name only. | keyword | -| rsa.misc.policy_value | This key captures the contents of the policy. This contains details about the policy | keyword | -| rsa.misc.policy_waiver | | keyword | -| rsa.misc.pool_id | This key captures the identifier (typically numeric field) of a resource pool | keyword | -| rsa.misc.pool_name | This key captures the name of a resource pool | keyword | -| rsa.misc.port_name | This key is used for Physical or logical port connection but does NOT include a network port. (Example: Printer port name). | keyword | -| rsa.misc.priority | | keyword | -| rsa.misc.process_id_val | This key is a failure key for Process ID when it is not an integer value | keyword | -| rsa.misc.prog_asp_num | | keyword | -| rsa.misc.program | | keyword | -| rsa.misc.real_data | | keyword | -| rsa.misc.reason | | keyword | -| rsa.misc.rec_asp_device | | keyword | -| rsa.misc.rec_asp_num | | keyword | -| rsa.misc.rec_library | | keyword | -| rsa.misc.recordnum | | keyword | -| rsa.misc.reference_id | This key is used to capture an event id from the session directly | keyword | -| rsa.misc.reference_id1 | This key is for Linked ID to be used as an addition to "reference.id" | keyword | -| rsa.misc.reference_id2 | This key is for the 2nd Linked ID. 
Can be either linked to "reference.id" or "reference.id1" value but should not be used unless the other two variables are in play. | keyword | -| rsa.misc.result | This key is used to capture the outcome/result string value of an action in a session. | keyword | -| rsa.misc.result_code | This key is used to capture the outcome/result numeric value of an action in a session | keyword | -| rsa.misc.risk | This key captures the non-numeric risk value | keyword | -| rsa.misc.risk_info | Deprecated, use New Hunting Model (inv.\*, ioc, boc, eoc, analysis.\*) | keyword | -| rsa.misc.risk_num | This key captures a Numeric Risk value | double | -| rsa.misc.risk_num_comm | This key captures Risk Number Community | double | -| rsa.misc.risk_num_next | This key captures Risk Number NextGen | double | -| rsa.misc.risk_num_sand | This key captures Risk Number SandBox | double | -| rsa.misc.risk_num_static | This key captures Risk Number Static | double | -| rsa.misc.risk_suspicious | Deprecated, use New Hunting Model (inv.\*, ioc, boc, eoc, analysis.\*) | keyword | -| rsa.misc.risk_warning | Deprecated, use New Hunting Model (inv.\*, ioc, boc, eoc, analysis.\*) | keyword | -| rsa.misc.ruid | | keyword | -| rsa.misc.rule | This key captures the Rule number | keyword | -| rsa.misc.rule_group | This key captures the Rule group name | keyword | -| rsa.misc.rule_name | This key captures the Rule Name | keyword | -| rsa.misc.rule_template | A default set of parameters which are overlayed onto a rule (or rulename) which efffectively constitutes a template | keyword | -| rsa.misc.rule_uid | This key is the Unique Identifier for a rule. | keyword | -| rsa.misc.sburb | | keyword | -| rsa.misc.sdomain_fld | | keyword | -| rsa.misc.search_text | This key captures the Search Text used | keyword | -| rsa.misc.sec | | keyword | -| rsa.misc.second | | keyword | -| rsa.misc.sensor | This key captures Name of the sensor. 
Typically used in IDS/IPS based devices | keyword | -| rsa.misc.sensorname | | keyword | -| rsa.misc.seqnum | | keyword | -| rsa.misc.serial_number | This key is the Serial number associated with a physical asset. | keyword | -| rsa.misc.session | | keyword | -| rsa.misc.sessiontype | | keyword | -| rsa.misc.severity | This key is used to capture the severity given the session | keyword | -| rsa.misc.sigUUID | | keyword | -| rsa.misc.sig_id | This key captures IDS/IPS Int Signature ID | long | -| rsa.misc.sig_id1 | This key captures IDS/IPS Int Signature ID. This must be linked to the sig.id | long | -| rsa.misc.sig_id_str | This key captures a string object of the sigid variable. | keyword | -| rsa.misc.sig_name | This key is used to capture the Signature Name only. | keyword | -| rsa.misc.sigcat | | keyword | -| rsa.misc.snmp_oid | SNMP Object Identifier | keyword | -| rsa.misc.snmp_value | SNMP set request value | keyword | -| rsa.misc.space | | keyword | -| rsa.misc.space1 | | keyword | -| rsa.misc.spi | | keyword | -| rsa.misc.spi_dst | Destination SPI Index | keyword | -| rsa.misc.spi_src | Source SPI Index | keyword | -| rsa.misc.sql | This key captures the SQL query | keyword | -| rsa.misc.srcburb | | keyword | -| rsa.misc.srcdom | | keyword | -| rsa.misc.srcservice | | keyword | -| rsa.misc.state | | keyword | -| rsa.misc.status | | keyword | -| rsa.misc.status1 | | keyword | -| rsa.misc.streams | This key captures number of streams in session | long | -| rsa.misc.subcategory | | keyword | -| rsa.misc.svcno | | keyword | -| rsa.misc.system | | keyword | -| rsa.misc.tbdstr1 | | keyword | -| rsa.misc.tbdstr2 | | keyword | -| rsa.misc.tcp_flags | This key is captures the TCP flags set in any packet of session | long | -| rsa.misc.terminal | This key captures the Terminal Names only | keyword | -| rsa.misc.tgtdom | | keyword | -| rsa.misc.tgtdomain | | keyword | -| rsa.misc.threshold | | keyword | -| rsa.misc.tos | This key describes the type of service | long 
| -| rsa.misc.trigger_desc | This key captures the Description of the trigger or threshold condition. | keyword | -| rsa.misc.trigger_val | This key captures the Value of the trigger or threshold condition. | keyword | -| rsa.misc.type | | keyword | -| rsa.misc.type1 | | keyword | -| rsa.misc.udb_class | | keyword | -| rsa.misc.url_fld | | keyword | -| rsa.misc.user_div | | keyword | -| rsa.misc.userid | | keyword | -| rsa.misc.username_fld | | keyword | -| rsa.misc.utcstamp | | keyword | -| rsa.misc.v_instafname | | keyword | -| rsa.misc.version | This key captures Version of the application or OS which is generating the event. | keyword | -| rsa.misc.virt_data | | keyword | -| rsa.misc.virusname | This key captures the name of the virus | keyword | -| rsa.misc.vm_target | VMWare Target \*\*VMWARE\*\* only varaible. | keyword | -| rsa.misc.vpnid | | keyword | -| rsa.misc.vsys | This key captures Virtual System Name | keyword | -| rsa.misc.vuln_ref | This key captures the Vulnerability Reference details | keyword | -| rsa.misc.workspace | This key captures Workspace Description | keyword | -| rsa.network.ad_computer_dst | Deprecated, use host.dst | keyword | -| rsa.network.addr | | keyword | -| rsa.network.alias_host | This key should be used when the source or destination context of a hostname is not clear.Also it captures the Device Hostname. Any Hostname that isnt ad.computer. 
| keyword | -| rsa.network.dinterface | This key should only be used when it’s a Destination Interface | keyword | -| rsa.network.dmask | This key is used for Destionation Device network mask | keyword | -| rsa.network.dns_a_record | | keyword | -| rsa.network.dns_cname_record | | keyword | -| rsa.network.dns_id | | keyword | -| rsa.network.dns_opcode | | keyword | -| rsa.network.dns_ptr_record | | keyword | -| rsa.network.dns_resp | | keyword | -| rsa.network.dns_type | | keyword | -| rsa.network.domain | | keyword | -| rsa.network.domain1 | | keyword | -| rsa.network.eth_host | Deprecated, use alias.mac | keyword | -| rsa.network.eth_type | This key is used to capture Ethernet Type, Used for Layer 3 Protocols Only | long | -| rsa.network.faddr | | keyword | -| rsa.network.fhost | | keyword | -| rsa.network.fport | | keyword | -| rsa.network.gateway | This key is used to capture the IP Address of the gateway | keyword | -| rsa.network.host_dst | This key should only be used when it’s a Destination Hostname | keyword | -| rsa.network.host_orig | This is used to capture the original hostname in case of a Forwarding Agent or a Proxy in between. | keyword | -| rsa.network.host_type | | keyword | -| rsa.network.icmp_code | This key is used to capture the ICMP code only | long | -| rsa.network.icmp_type | This key is used to capture the ICMP type only | long | -| rsa.network.interface | This key should be used when the source or destination context of an interface is not clear | keyword | -| rsa.network.ip_proto | This key should be used to capture the Protocol number, all the protocol nubers are converted into string in UI | long | -| rsa.network.laddr | | keyword | -| rsa.network.lhost | | keyword | -| rsa.network.linterface | | keyword | -| rsa.network.mask | This key is used to capture the device network IPmask. | keyword | -| rsa.network.netname | This key is used to capture the network name associated with an IP range. This is configured by the end user. 
| keyword | -| rsa.network.network_port | Deprecated, use port. NOTE: There is a type discrepancy as currently used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!) | long | -| rsa.network.network_service | This is used to capture layer 7 protocols/service names | keyword | -| rsa.network.origin | | keyword | -| rsa.network.packet_length | | keyword | -| rsa.network.paddr | Deprecated | ip | -| rsa.network.phost | | keyword | -| rsa.network.port | This key should only be used to capture a Network Port when the directionality is not clear | long | -| rsa.network.protocol_detail | This key should be used to capture additional protocol information | keyword | -| rsa.network.remote_domain_id | | keyword | -| rsa.network.rpayload | This key is used to capture the total number of payload bytes seen in the retransmitted packets. | keyword | -| rsa.network.sinterface | This key should only be used when it’s a Source Interface | keyword | -| rsa.network.smask | This key is used for capturing source Network Mask | keyword | -| rsa.network.vlan | This key should only be used to capture the ID of the Virtual LAN | long | -| rsa.network.vlan_name | This key should only be used to capture the name of the Virtual LAN | keyword | -| rsa.network.zone | This key should be used when the source or destination context of a Zone is not clear | keyword | -| rsa.network.zone_dst | This key should only be used when it’s a Destination Zone. | keyword | -| rsa.network.zone_src | This key should only be used when it’s a Source Zone. | keyword | -| rsa.physical.org_dst | This is used to capture the destination organization based on the GEOPIP Maxmind database. | keyword | -| rsa.physical.org_src | This is used to capture the source organization based on the GEOPIP Maxmind database. 
| keyword | -| rsa.storage.disk_volume | A unique name assigned to logical units (volumes) within a physical disk | keyword | -| rsa.storage.lun | Logical Unit Number.This key is a very useful concept in Storage. | keyword | -| rsa.storage.pwwn | This uniquely identifies a port on a HBA. | keyword | -| rsa.threat.alert | This key is used to capture name of the alert | keyword | -| rsa.threat.threat_category | This key captures Threat Name/Threat Category/Categorization of alert | keyword | -| rsa.threat.threat_desc | This key is used to capture the threat description from the session directly or inferred | keyword | -| rsa.threat.threat_source | This key is used to capture source of the threat | keyword | -| rsa.time.date | | keyword | -| rsa.time.datetime | | keyword | -| rsa.time.day | | keyword | -| rsa.time.duration_str | A text string version of the duration | keyword | -| rsa.time.duration_time | This key is used to capture the normalized duration/lifetime in seconds. | double | -| rsa.time.effective_time | This key is the effective time referenced by an individual event in a Standard Timestamp format | date | -| rsa.time.endtime | This key is used to capture the End time mentioned in a session in a standard form | date | -| rsa.time.event_queue_time | This key is the Time that the event was queued. | date | -| rsa.time.event_time | This key is used to capture the time mentioned in a raw session that represents the actual time an event occured in a standard normalized form | date | -| rsa.time.event_time_str | This key is used to capture the incomplete time mentioned in a session as a string | keyword | -| rsa.time.eventtime | | keyword | -| rsa.time.expire_time | This key is the timestamp that explicitly refers to an expiration. | date | -| rsa.time.expire_time_str | This key is used to capture incomplete timestamp that explicitly refers to an expiration. 
| keyword | -| rsa.time.gmtdate | | keyword | -| rsa.time.gmttime | | keyword | -| rsa.time.hour | | keyword | -| rsa.time.min | | keyword | -| rsa.time.month | | keyword | -| rsa.time.p_date | | keyword | -| rsa.time.p_month | | keyword | -| rsa.time.p_time | | keyword | -| rsa.time.p_time1 | | keyword | -| rsa.time.p_time2 | | keyword | -| rsa.time.p_year | | keyword | -| rsa.time.process_time | Deprecated, use duration.time | keyword | -| rsa.time.recorded_time | The event time as recorded by the system the event is collected from. The usage scenario is a multi-tier application where the management layer of the system records it's own timestamp at the time of collection from its child nodes. Must be in timestamp format. | date | -| rsa.time.stamp | Deprecated key defined only in table map. | date | -| rsa.time.starttime | This key is used to capture the Start time mentioned in a session in a standard form | date | -| rsa.time.timestamp | | keyword | -| rsa.time.timezone | This key is used to capture the timezone of the Event Time | keyword | -| rsa.time.tzone | | keyword | -| rsa.time.year | | keyword | -| rsa.web.alias_host | | keyword | -| rsa.web.cn_asn_dst | | keyword | -| rsa.web.cn_rpackets | | keyword | -| rsa.web.fqdn | Fully Qualified Domain Names | keyword | -| rsa.web.p_url | | keyword | -| rsa.web.p_user_agent | | keyword | -| rsa.web.p_web_cookie | | keyword | -| rsa.web.p_web_method | | keyword | -| rsa.web.p_web_referer | | keyword | -| rsa.web.remote_domain | | keyword | -| rsa.web.reputation_num | Reputation Number of an entity. Typically used for Web Domains | double | -| rsa.web.urlpage | | keyword | -| rsa.web.urlroot | | keyword | -| rsa.web.web_cookie | This key is used to capture the Web cookies specifically. 
| keyword | -| rsa.web.web_extension_tmp | | keyword | -| rsa.web.web_page | | keyword | -| rsa.web.web_ref_domain | Web referer's domain | keyword | -| rsa.web.web_ref_page | This key captures Web referer's page information | keyword | -| rsa.web.web_ref_query | This key captures Web referer's query portion of the URL | keyword | -| rsa.web.web_ref_root | Web referer's root URL path | keyword | -| rsa.wireless.access_point | This key is used to capture the access point name. | keyword | -| rsa.wireless.wlan_channel | This is used to capture the channel names | long | -| rsa.wireless.wlan_name | This key captures either WLAN number/name | keyword | -| rsa.wireless.wlan_ssid | This key is used to capture the ssid of a Wireless Session | keyword | -| rule.name | The name of the rule or signature generating the event. | keyword | -| server.domain | The domain name of the server system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | -| server.registered_domain | The highest registered server domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | -| server.subdomain | The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". 
If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword | -| server.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | -| service.name | Name of the service data is collected from. The name of the service is normally user given. This allows for distributed services that run on multiple hosts to correlate the related instances based on the name. In the case of Elasticsearch the `service.name` could contain the cluster name. For Beats the `service.name` is by default a copy of the `service.type` field if no name is specified. | keyword | -| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| source.as.organization.name | Organization name. | keyword | -| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text | -| source.bytes | Bytes sent from the source to the destination. | long | -| source.domain | The domain name of the source system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | -| source.geo.city_name | City name. 
| keyword | -| source.geo.country_name | Country name. | keyword | -| source.geo.location | Longitude and latitude. | geo_point | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| source.mac | MAC address of the source. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | -| source.nat.ip | Translated ip of source based NAT sessions (e.g. internal client to internet) Typically connections traversing load balancers, firewalls, or routers. | ip | -| source.nat.port | Translated port of source based NAT sessions. (e.g. internal client to internet) Typically used with load balancers, firewalls, or routers. | long | -| source.port | Port of the source. | long | -| source.registered_domain | The highest registered source domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | -| source.subdomain | The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword | -| source.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. 
For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | -| tags | List of keywords used to tag each event. | keyword | -| url.domain | Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. | keyword | -| url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | wildcard | -| url.original.text | Multi-field of `url.original`. | match_only_text | -| url.path | Path of the request, such as "/search". | wildcard | -| url.query | The query field describes the query string of the request, such as "q=elasticsearch". The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. | keyword | -| url.registered_domain | The highest registered url domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". 
| keyword |
-| url.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword |
-| user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword |
-| user.full_name | User's full name, if available. | keyword |
-| user.full_name.text | Multi-field of `user.full_name`. | match_only_text |
-| user.id | Unique identifier of the user. | keyword |
-| user.name | Short name or login of the user. | keyword |
-| user.name.text | Multi-field of `user.name`. | match_only_text |
-| user_agent.original | Unparsed user_agent string. | keyword |
-| user_agent.original.text | Multi-field of `user_agent.original`. | match_only_text |
diff --git a/packages/fortinet_fortimail/1.1.2/img/fortinet-logo.svg b/packages/fortinet_fortimail/1.1.2/img/fortinet-logo.svg
deleted file mode 100755
index d6a8448f32..0000000000
--- a/packages/fortinet_fortimail/1.1.2/img/fortinet-logo.svg
+++ /dev/null
@@ -1,9 +0,0 @@
-
-
-
-
-
-
-
-
-
diff --git a/packages/fortinet_fortimail/1.1.2/manifest.yml b/packages/fortinet_fortimail/1.1.2/manifest.yml
deleted file mode 100755
index 5b0bd837f7..0000000000
--- a/packages/fortinet_fortimail/1.1.2/manifest.yml
+++ /dev/null
@@ -1,32 +0,0 @@
-name: fortinet_fortimail
-title: Fortinet FortiMail Logs
-version: 1.1.2
-release: ga
-description: Collect logs from Fortinet FortiMail instances with Elastic Agent.
-type: integration
-format_version: 1.0.0
-license: basic
-categories: ["security"]
-conditions:
- kibana.version: "^7.14.1 || ^8.0.0"
-icons:
- - src: /img/fortinet-logo.svg
- title: Fortinet
- size: 216x216
- type: image/svg+xml
-policy_templates:
- - name: fortinet_fortimail
- title: Fortinet FortiMail logs
- description: Collect logs from Fortinet FortiMail instances
- inputs:
- - type: logfile
- title: "Collect Fortinet FortiMail logs (input: logfile)"
- description: "Collecting logs from Fortinet FortiMail instances (input: logfile)"
- - type: tcp
- title: "Collect Fortinet FortiMail logs (input: tcp)"
- description: "Collecting logs from Fortinet FortiMail instances (input: tcp)"
- - type: udp
- title: "Collect Fortinet FortiMail logs (input: udp)"
- description: "Collecting logs from Fortinet FortiMail instances (input: udp)"
-owner:
- github: elastic/security-external-integrations
diff --git a/packages/fortinet_fortimanager/1.1.2/LICENSE.txt b/packages/fortinet_fortimanager/1.1.2/LICENSE.txt
deleted file mode 100755
index 809108b857..0000000000
--- a/packages/fortinet_fortimanager/1.1.2/LICENSE.txt
+++ /dev/null
@@ -1,93 +0,0 @@
-Elastic License 2.0
-
-URL: https://www.elastic.co/licensing/elastic-license
-
-## Acceptance
-
-By using the software, you agree to all of the terms and conditions below.
-
-## Copyright License
-
-The licensor grants you a non-exclusive, royalty-free, worldwide,
-non-sublicensable, non-transferable license to use, copy, distribute, make
-available, and prepare derivative works of the software, in each case subject to
-the limitations and conditions below.
-
-## Limitations
-
-You may not provide the software to third parties as a hosted or managed
-service, where the service provides users with access to any substantial set of
-the features or functionality of the software.
-
-You may not move, change, disable, or circumvent the license key functionality
-in the software, and you may not remove or obscure any functionality in the
-software that is protected by the license key.
-
-You may not alter, remove, or obscure any licensing, copyright, or other notices
-of the licensor in the software. Any use of the licensor’s trademarks is subject
-to applicable law.
-
-## Patents
-
-The licensor grants you a license, under any patent claims the licensor can
-license, or becomes able to license, to make, have made, use, sell, offer for
-sale, import and have imported the software, in each case subject to the
-limitations and conditions in this license. This license does not cover any
-patent claims that you cause to be infringed by modifications or additions to
-the software. If you or your company make any written claim that the software
-infringes or contributes to infringement of any patent, your patent license for
-the software granted under these terms ends immediately. If your company makes
-such a claim, your patent license ends immediately for work on behalf of your
-company.
-
-## Notices
-
-You must ensure that anyone who gets a copy of any part of the software from you
-also gets a copy of these terms.
-
-If you modify the software, you must include in any modified copies of the
-software prominent notices stating that you have modified the software.
-
-## No Other Rights
-
-These terms do not imply any licenses other than those expressly granted in
-these terms.
-
-## Termination
-
-If you use the software in violation of these terms, such use is not licensed,
-and your licenses will automatically terminate. If the licensor provides you
-with a notice of your violation, and you cease all violation of this license no
-later than 30 days after you receive that notice, your licenses will be
-reinstated retroactively. However, if you violate these terms after such
-reinstatement, any additional violation of these terms will cause your licenses
-to terminate automatically and permanently.
-
-## No Liability
-
-*As far as the law allows, the software comes as is, without any warranty or
-condition, and the licensor will not be liable to you for any damages arising
-out of these terms or the use or nature of the software, under any kind of
-legal claim.*
-
-## Definitions
-
-The **licensor** is the entity offering these terms, and the **software** is the
-software the licensor makes available under these terms, including any portion
-of it.
-
-**you** refers to the individual or entity agreeing to these terms.
-
-**your company** is any legal entity, sole proprietorship, or other kind of
-organization that you work for, plus all organizations that have control over,
-are under the control of, or are under common control with that
-organization. **control** means ownership of substantially all the assets of an
-entity, or the power to direct its management and policies by vote, contract, or
-otherwise. Control can be direct or indirect.
-
-**your licenses** are all the licenses granted to you for the software under
-these terms.
-
-**use** means anything you do with the software requiring one of your licenses.
-
-**trademark** means trademarks, service marks, and similar rights.
diff --git a/packages/fortinet_fortimanager/1.1.2/changelog.yml b/packages/fortinet_fortimanager/1.1.2/changelog.yml
deleted file mode 100755
index 5390f3a721..0000000000
--- a/packages/fortinet_fortimanager/1.1.2/changelog.yml
+++ /dev/null
@@ -1,21 +0,0 @@
-# newer versions go on top
-- version: "1.1.2"
- changes:
- - description: Remove duplicate field.
- type: bugfix
- link: https://github.com/elastic/integrations/issues/4327
-- version: "1.1.1"
- changes:
- - description: Use ECS geo.location definition.
- type: enhancement
- link: https://github.com/elastic/integrations/issues/4227
-- version: "1.1.0"
- changes:
- - description: Update Ingest Pipeline with observer Fields
- type: enhancement
- link: https://github.com/elastic/integrations/pull/3819
-- version: "1.0.0"
- changes:
- - description: Initial version of Fortinet FortiManager as separate package
- type: enhancement
- link: https://github.com/elastic/integrations/pull/3267
diff --git a/packages/fortinet_fortimanager/1.1.2/data_stream/log/agent/stream/log.yml.hbs b/packages/fortinet_fortimanager/1.1.2/data_stream/log/agent/stream/log.yml.hbs
deleted file mode 100755
index a9ee14498d..0000000000
--- a/packages/fortinet_fortimanager/1.1.2/data_stream/log/agent/stream/log.yml.hbs
+++ /dev/null
@@ -1,3094 +0,0 @@ -paths: -{{#each paths as |path i|}} - - {{path}} -{{/each}} -exclude_files: [".gz$"] -tags: -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#each tags as |tag i|}} - - {{tag}} -{{/each}} -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} -processors: -{{#if processors}} -{{processors}} -{{/if}} -- script: - lang: javascript - params: - ecs: true - rsa: {{rsa_fields}} - tz_offset: {{tz_offset}} - keep_raw: {{keep_raw_fields}} - debug: {{debug}} - source: | - // Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - // or more contributor license agreements. Licensed under the Elastic License; - // you may not use this file except in compliance with the Elastic License. - - /* jshint -W014,-W016,-W097,-W116 */ - - var processor = require("processor"); - var console = require("console"); - - var FLAG_FIELD = "log.flags"; - var FIELDS_OBJECT = "nwparser"; - var FIELDS_PREFIX = FIELDS_OBJECT + "."; - - var defaults = { - debug: false, - ecs: true, - rsa: false, - keep_raw: false, - tz_offset: "local", - strip_priority: true - }; - - var saved_flags = null; - var debug; - var map_ecs; - var map_rsa; - var keep_raw; - var device; - var tz_offset; - var strip_priority; - - // Register params from configuration. - function register(params) { - debug = params.debug !== undefined ? params.debug : defaults.debug; - map_ecs = params.ecs !== undefined ? params.ecs : defaults.ecs; - map_rsa = params.rsa !== undefined ? params.rsa : defaults.rsa; - keep_raw = params.keep_raw !== undefined ? params.keep_raw : defaults.keep_raw; - tz_offset = parse_tz_offset(params.tz_offset !== undefined? params.tz_offset : defaults.tz_offset); - strip_priority = params.strip_priority !== undefined? 
params.strip_priority : defaults.strip_priority; - device = new DeviceProcessor(); - } - - function parse_tz_offset(offset) { - var date; - var m; - switch(offset) { - // local uses the tz offset from the JS VM. - case "local": - date = new Date(); - // Reversing the sign as we the offset from UTC, not to UTC. - return parse_local_tz_offset(-date.getTimezoneOffset()); - // event uses the tz offset from event.timezone (add_locale processor). - case "event": - return offset; - // Otherwise a tz offset in the form "[+-][0-9]{4}" is required. - default: - m = offset.match(/^([+\-])([0-9]{2}):?([0-9]{2})?$/); - if (m === null || m.length !== 4) { - throw("bad timezone offset: '" + offset + "'. Must have the form +HH:MM"); - } - return m[1] + m[2] + ":" + (m[3]!==undefined? m[3] : "00"); - } - } - - function parse_local_tz_offset(minutes) { - var neg = minutes < 0; - minutes = Math.abs(minutes); - var min = minutes % 60; - var hours = Math.floor(minutes / 60); - var pad2digit = function(n) { - if (n < 10) { return "0" + n;} - return "" + n; - }; - return (neg? "-" : "+") + pad2digit(hours) + ":" + pad2digit(min); - } - - function process(evt) { - // Function register is only called by the processor when `params` are set - // in the processor config. - if (device === undefined) { - register(defaults); - } - return device.process(evt); - } - - function processor_chain(subprocessors) { - var builder = new processor.Chain(); - subprocessors.forEach(builder.Add); - return builder.Build().Run; - } - - function linear_select(subprocessors) { - return function (evt) { - var flags = evt.Get(FLAG_FIELD); - var i; - for (i = 0; i < subprocessors.length; i++) { - evt.Delete(FLAG_FIELD); - if (debug) console.warn("linear_select trying entry " + i); - subprocessors[i](evt); - // Dissect processor succeeded? 
- if (evt.Get(FLAG_FIELD) == null) break; - if (debug) console.warn("linear_select failed entry " + i); - } - if (flags !== null) { - evt.Put(FLAG_FIELD, flags); - } - if (debug) { - if (i < subprocessors.length) { - console.warn("linear_select matched entry " + i); - } else { - console.warn("linear_select didn't match"); - } - } - }; - } - - function conditional(opt) { - return function(evt) { - if (opt.if(evt)) { - opt.then(evt); - } else if (opt.else) { - opt.else(evt); - } - }; - } - - var strip_syslog_priority = (function() { - var isEnabled = function() { return strip_priority === true; }; - var fetchPRI = field("_pri"); - var fetchPayload = field("payload"); - var removePayload = remove(["payload"]); - var cleanup = remove(["_pri", "payload"]); - var onMatch = function(evt) { - var pri, priStr = fetchPRI(evt); - if (priStr != null - && 0 < priStr.length && priStr.length < 4 - && !isNaN((pri = Number(priStr))) - && 0 <= pri && pri < 192) { - var severity = pri & 7, - facility = pri >> 3; - setc("_severity", "" + severity)(evt); - setc("_facility", "" + facility)(evt); - // Replace message with priority stripped. - evt.Put("message", fetchPayload(evt)); - removePayload(evt); - } else { - // not a valid syslog PRI, cleanup. 
- cleanup(evt); - } - }; - return conditional({ - if: isEnabled, - then: cleanup_flags(match( - "STRIP_PRI", - "message", - "<%{_pri}>%{payload}", - onMatch - )) - }); - })(); - - function match(id, src, pattern, on_success) { - var dissect = new processor.Dissect({ - field: src, - tokenizer: pattern, - target_prefix: FIELDS_OBJECT, - ignore_failure: true, - overwrite_keys: true, - trim_values: "right" - }); - return function (evt) { - var msg = evt.Get(src); - dissect.Run(evt); - var failed = evt.Get(FLAG_FIELD) != null; - if (debug) { - if (failed) { - console.debug("dissect fail: " + id + " field:" + src); - } else { - console.debug("dissect OK: " + id + " field:" + src); - } - console.debug(" expr: <<" + pattern + ">>"); - console.debug(" input: <<" + msg + ">>"); - } - if (on_success != null && !failed) { - on_success(evt); - } - }; - } - - function match_copy(id, src, dst, on_success) { - dst = FIELDS_PREFIX + dst; - if (dst === FIELDS_PREFIX || dst === src) { - return function (evt) { - if (debug) { - console.debug("noop OK: " + id + " field:" + src); - console.debug(" input: <<" + evt.Get(src) + ">>"); - } - if (on_success != null) on_success(evt); - } - } - return function (evt) { - var msg = evt.Get(src); - evt.Put(dst, msg); - if (debug) { - console.debug("copy OK: " + id + " field:" + src); - console.debug(" target: '" + dst + "'"); - console.debug(" input: <<" + msg + ">>"); - } - if (on_success != null) on_success(evt); - } - } - - function cleanup_flags(processor) { - return function(evt) { - processor(evt); - evt.Delete(FLAG_FIELD); - }; - } - - function all_match(opts) { - return function (evt) { - var i; - for (i = 0; i < opts.processors.length; i++) { - evt.Delete(FLAG_FIELD); - opts.processors[i](evt); - // Dissect processor succeeded? 
- if (evt.Get(FLAG_FIELD) != null) { - if (debug) console.warn("all_match failure at " + i); - if (opts.on_failure != null) opts.on_failure(evt); - return; - } - if (debug) console.warn("all_match success at " + i); - } - if (opts.on_success != null) opts.on_success(evt); - }; - } - - function msgid_select(mapping) { - return function (evt) { - var msgid = evt.Get(FIELDS_PREFIX + "messageid"); - if (msgid == null) { - if (debug) console.warn("msgid_select: no messageid captured!"); - return; - } - var next = mapping[msgid]; - if (next === undefined) { - if (debug) console.warn("msgid_select: no mapping for messageid:" + msgid); - return; - } - if (debug) console.info("msgid_select: matched key=" + msgid); - return next(evt); - }; - } - - function msg(msg_id, match) { - return function (evt) { - match(evt); - if (evt.Get(FLAG_FIELD) == null) { - evt.Put(FIELDS_PREFIX + "msg_id1", msg_id); - } - }; - } - - var start; - - function save_flags(evt) { - saved_flags = evt.Get(FLAG_FIELD); - evt.Put("event.original", evt.Get("message")); - } - - function restore_flags(evt) { - if (saved_flags !== null) { - evt.Put(FLAG_FIELD, saved_flags); - } - evt.Delete("message"); - } - - function constant(value) { - return function (evt) { - return value; - }; - } - - function field(name) { - var fullname = FIELDS_PREFIX + name; - return function (evt) { - return evt.Get(fullname); - }; - } - - function STRCAT(args) { - var s = ""; - var i; - for (i = 0; i < args.length; i++) { - s += args[i]; - } - return s; - } - - // TODO: Implement - function DIRCHK(args) { - unimplemented("DIRCHK"); - } - - function strictToInt(str) { - return str * 1; - } - - function CALC(args) { - if (args.length !== 3) { - console.warn("skipped call to CALC with " + args.length + " arguments."); - return; - } - var a = strictToInt(args[0]); - var b = strictToInt(args[2]); - if (isNaN(a) || isNaN(b)) { - console.warn("failed evaluating CALC arguments a='" + args[0] + "' b='" + args[2] + "'."); - return; - } - 
var result; - switch (args[1]) { - case "+": - result = a + b; - break; - case "-": - result = a - b; - break; - case "*": - result = a * b; - break; - default: - // Only * and + seen in the parsers. - console.warn("unknown CALC operation '" + args[1] + "'."); - return; - } - // Always return a string - return result !== undefined ? "" + result : result; - } - - var quoteChars = "\"'`"; - function RMQ(args) { - if(args.length !== 1) { - console.warn("RMQ: only one argument expected"); - return; - } - var value = args[0].trim(); - var n = value.length; - var char; - return n > 1 - && (char=value.charAt(0)) === value.charAt(n-1) - && quoteChars.indexOf(char) !== -1? - value.substr(1, n-2) - : value; - } - - function call(opts) { - var args = new Array(opts.args.length); - return function (evt) { - for (var i = 0; i < opts.args.length; i++) - if ((args[i] = opts.args[i](evt)) == null) return; - var result = opts.fn(args); - if (result != null) { - evt.Put(opts.dest, result); - } - }; - } - - function nop(evt) { - } - - function appendErrorMsg(evt, msg) { - var value = evt.Get("error.message"); - if (value == null) { - value = [msg]; - } else if (msg instanceof Array) { - value.push(msg); - } else { - value = [value, msg]; - } - evt.Put("error.message", value); - } - - function unimplemented(name) { - appendErrorMsg("unimplemented feature: " + name); - } - - function lookup(opts) { - return function (evt) { - var key = opts.key(evt); - if (key == null) return; - var value = opts.map.keyvaluepairs[key]; - if (value === undefined) { - value = opts.map.default; - } - if (value !== undefined) { - evt.Put(opts.dest, value(evt)); - } - }; - } - - function set(fields) { - return new processor.AddFields({ - target: FIELDS_OBJECT, - fields: fields, - }); - } - - function setf(dst, src) { - return function (evt) { - var val = evt.Get(FIELDS_PREFIX + src); - if (val != null) evt.Put(FIELDS_PREFIX + dst, val); - }; - } - - function setc(dst, value) { - return function (evt) { - 
evt.Put(FIELDS_PREFIX + dst, value); - }; - } - - function set_field(opts) { - return function (evt) { - var val = opts.value(evt); - if (val != null) evt.Put(opts.dest, val); - }; - } - - function dump(label) { - return function (evt) { - console.log("Dump of event at " + label + ": " + JSON.stringify(evt, null, "\t")); - }; - } - - function date_time_join_args(evt, arglist) { - var str = ""; - for (var i = 0; i < arglist.length; i++) { - var fname = FIELDS_PREFIX + arglist[i]; - var val = evt.Get(fname); - if (val != null) { - if (str !== "") str += " "; - str += val; - } else { - if (debug) console.warn("in date_time: input arg " + fname + " is not set"); - } - } - return str; - } - - function to2Digit(num) { - return num? (num < 10? "0" + num : num) : "00"; - } - - // Make two-digit dates 00-69 interpreted as 2000-2069 - // and dates 70-99 translated to 1970-1999. - var twoDigitYearEpoch = 70; - var twoDigitYearCentury = 2000; - - // This is to accept dates up to 2 days in the future, only used when - // no year is specified in a date. 2 days should be enough to account for - // time differences between systems and different tz offsets. - var maxFutureDelta = 2*24*60*60*1000; - - // DateContainer stores date fields and then converts those fields into - // a Date. Necessary because building a Date using its set() methods gives - // different results depending on the order of components. - function DateContainer(tzOffset) { - this.offset = tzOffset === undefined? "Z" : tzOffset; - } - - DateContainer.prototype = { - setYear: function(v) {this.year = v;}, - setMonth: function(v) {this.month = v;}, - setDay: function(v) {this.day = v;}, - setHours: function(v) {this.hours = v;}, - setMinutes: function(v) {this.minutes = v;}, - setSeconds: function(v) {this.seconds = v;}, - - setUNIX: function(v) {this.unix = v;}, - - set2DigitYear: function(v) { - this.year = v < twoDigitYearEpoch? 
twoDigitYearCentury + v : twoDigitYearCentury + v - 100; - }, - - toDate: function() { - if (this.unix !== undefined) { - return new Date(this.unix * 1000); - } - if (this.day === undefined || this.month === undefined) { - // Can't make a date from this. - return undefined; - } - if (this.year === undefined) { - // A date without a year. Set current year, or previous year - // if date would be in the future. - var now = new Date(); - this.year = now.getFullYear(); - var date = this.toDate(); - if (date.getTime() - now.getTime() > maxFutureDelta) { - date.setFullYear(now.getFullYear() - 1); - } - return date; - } - var MM = to2Digit(this.month); - var DD = to2Digit(this.day); - var hh = to2Digit(this.hours); - var mm = to2Digit(this.minutes); - var ss = to2Digit(this.seconds); - return new Date(this.year + "-" + MM + "-" + DD + "T" + hh + ":" + mm + ":" + ss + this.offset); - } - } - - function date_time_try_pattern(fmt, str, tzOffset) { - var date = new DateContainer(tzOffset); - var pos = date_time_try_pattern_at_pos(fmt, str, 0, date); - return pos !== undefined? 
date.toDate() : undefined; - } - - function date_time_try_pattern_at_pos(fmt, str, pos, date) { - var len = str.length; - for (var proc = 0; pos !== undefined && pos < len && proc < fmt.length; proc++) { - pos = fmt[proc](str, pos, date); - } - return pos; - } - - function date_time(opts) { - return function (evt) { - var tzOffset = opts.tz || tz_offset; - if (tzOffset === "event") { - tzOffset = evt.Get("event.timezone"); - } - var str = date_time_join_args(evt, opts.args); - for (var i = 0; i < opts.fmts.length; i++) { - var date = date_time_try_pattern(opts.fmts[i], str, tzOffset); - if (date !== undefined) { - evt.Put(FIELDS_PREFIX + opts.dest, date); - return; - } - } - if (debug) console.warn("in date_time: id=" + opts.id + " FAILED: " + str); - }; - } - - var uA = 60 * 60 * 24; - var uD = 60 * 60 * 24; - var uF = 60 * 60; - var uG = 60 * 60 * 24 * 30; - var uH = 60 * 60; - var uI = 60 * 60; - var uJ = 60 * 60 * 24; - var uM = 60 * 60 * 24 * 30; - var uN = 60 * 60; - var uO = 1; - var uS = 1; - var uT = 60; - var uU = 60; - var uc = dc; - - function duration(opts) { - return function(evt) { - var str = date_time_join_args(evt, opts.args); - for (var i = 0; i < opts.fmts.length; i++) { - var seconds = duration_try_pattern(opts.fmts[i], str); - if (seconds !== undefined) { - evt.Put(FIELDS_PREFIX + opts.dest, seconds); - return; - } - } - if (debug) console.warn("in duration: id=" + opts.id + " (s) FAILED: " + str); - }; - } - - function duration_try_pattern(fmt, str) { - var secs = 0; - var pos = 0; - for (var i=0; i [ month_id , how many chars to skip if month in long form ] - "Jan": [0, 4], - "Feb": [1, 5], - "Mar": [2, 2], - "Apr": [3, 2], - "May": [4, 0], - "Jun": [5, 1], - "Jul": [6, 1], - "Aug": [7, 3], - "Sep": [8, 6], - "Oct": [9, 4], - "Nov": [10, 5], - "Dec": [11, 4], - "jan": [0, 4], - "feb": [1, 5], - "mar": [2, 2], - "apr": [3, 2], - "may": [4, 0], - "jun": [5, 1], - "jul": [6, 1], - "aug": [7, 3], - "sep": [8, 6], - "oct": [9, 4], - "nov": [10, 
5], - "dec": [11, 4], - }; - - // var dC = undefined; - var dR = dateMonthName(true); - var dB = dateMonthName(false); - var dM = dateFixedWidthNumber("M", 2, 1, 12, DateContainer.prototype.setMonth); - var dG = dateVariableWidthNumber("G", 1, 12, DateContainer.prototype.setMonth); - var dD = dateFixedWidthNumber("D", 2, 1, 31, DateContainer.prototype.setDay); - var dF = dateVariableWidthNumber("F", 1, 31, DateContainer.prototype.setDay); - var dH = dateFixedWidthNumber("H", 2, 0, 24, DateContainer.prototype.setHours); - var dI = dateVariableWidthNumber("I", 0, 24, DateContainer.prototype.setHours); // Accept hours >12 - var dN = dateVariableWidthNumber("N", 0, 24, DateContainer.prototype.setHours); - var dT = dateFixedWidthNumber("T", 2, 0, 59, DateContainer.prototype.setMinutes); - var dU = dateVariableWidthNumber("U", 0, 59, DateContainer.prototype.setMinutes); - var dP = parseAMPM; // AM|PM - var dQ = parseAMPM; // A.M.|P.M - var dS = dateFixedWidthNumber("S", 2, 0, 60, DateContainer.prototype.setSeconds); - var dO = dateVariableWidthNumber("O", 0, 60, DateContainer.prototype.setSeconds); - var dY = dateFixedWidthNumber("Y", 2, 0, 99, DateContainer.prototype.set2DigitYear); - var dW = dateFixedWidthNumber("W", 4, 1000, 9999, DateContainer.prototype.setYear); - var dZ = parseHMS; - var dX = dateVariableWidthNumber("X", 0, 0x10000000000, DateContainer.prototype.setUNIX); - - // parseAMPM parses "A.M", "AM", "P.M", "PM" from logs. - // Only works if this modifier appears after the hour has been read from logs - // which is always the case in the 300 devices. 
- function parseAMPM(str, pos, date) { - var n = str.length; - var start = skipws(str, pos); - if (start + 2 > n) return; - var head = str.substr(start, 2).toUpperCase(); - var isPM = false; - var skip = false; - switch (head) { - case "A.": - skip = true; - /* falls through */ - case "AM": - break; - case "P.": - skip = true; - /* falls through */ - case "PM": - isPM = true; - break; - default: - if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(head:" + head + ")"); - return; - } - pos = start + 2; - if (skip) { - if (pos+2 > n || str.substr(pos, 2).toUpperCase() !== "M.") { - if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(tail)"); - return; - } - pos += 2; - } - var hh = date.hours; - if (isPM) { - // Accept existing hour in 24h format. - if (hh < 12) hh += 12; - } else { - if (hh === 12) hh = 0; - } - date.setHours(hh); - return pos; - } - - function parseHMS(str, pos, date) { - return date_time_try_pattern_at_pos([dN, dc(":"), dU, dc(":"), dO], str, pos, date); - } - - function skipws(str, pos) { - for ( var n = str.length; - pos < n && str.charAt(pos) === " "; - pos++) - ; - return pos; - } - - function skipdigits(str, pos) { - var c; - for (var n = str.length; - pos < n && (c = str.charAt(pos)) >= "0" && c <= "9"; - pos++) - ; - return pos; - } - - function dSkip(str, pos, date) { - var chr; - for (;pos < str.length && (chr=str[pos])<'0' || chr>'9'; pos++) {} - return pos < str.length? 
pos : undefined; - } - - function dateVariableWidthNumber(fmtChar, min, max, setter) { - return function (str, pos, date) { - var start = skipws(str, pos); - pos = skipdigits(str, start); - var s = str.substr(start, pos - start); - var value = parseInt(s, 10); - if (value >= min && value <= max) { - setter.call(date, value); - return pos; - } - return; - }; - } - - function dateFixedWidthNumber(fmtChar, width, min, max, setter) { - return function (str, pos, date) { - pos = skipws(str, pos); - var n = str.length; - if (pos + width > n) return; - var s = str.substr(pos, width); - var value = parseInt(s, 10); - if (value >= min && value <= max) { - setter.call(date, value); - return pos + width; - } - return; - }; - } - - // Short month name (Jan..Dec). - function dateMonthName(long) { - return function (str, pos, date) { - pos = skipws(str, pos); - var n = str.length; - if (pos + 3 > n) return; - var mon = str.substr(pos, 3); - var idx = shortMonths[mon]; - if (idx === undefined) { - idx = shortMonths[mon.toLowerCase()]; - } - if (idx === undefined) { - //console.warn("parsing date_time: '" + mon + "' is not a valid short month (%B)"); - return; - } - date.setMonth(idx[0]+1); - return pos + 3 + (long ? 
idx[1] : 0); - }; - } - - function url_wrapper(dst, src, fn) { - return function(evt) { - var value = evt.Get(FIELDS_PREFIX + src), result; - if (value != null && (result = fn(value))!== undefined) { - evt.Put(FIELDS_PREFIX + dst, result); - } else { - console.debug(fn.name + " failed for '" + value + "'"); - } - }; - } - - // The following regular expression for parsing URLs from: - // https://github.com/wizard04wsu/URI_Parsing - // - // The MIT License (MIT) - // - // Copyright (c) 2014 Andrew Harrison - // - // Permission is hereby granted, free of charge, to any person obtaining a copy of - // this software and associated documentation files (the "Software"), to deal in - // the Software without restriction, including without limitation the rights to - // use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of - // the Software, and to permit persons to whom the Software is furnished to do so, - // subject to the following conditions: - // - // The above copyright notice and this permission notice shall be included in all - // copies or substantial portions of the Software. - // - // THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR - // IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS - // FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR - // COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER - // IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN - // CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 
- var uriRegExp = /^([a-z][a-z0-9+.\-]*):(?:\/\/((?:(?=((?:[a-z0-9\-._~!$&'()*+,;=:]|%[0-9A-F]{2})*))(\3)@)?(?=(\[[0-9A-F:.]{2,}\]|(?:[a-z0-9\-._~!$&'()*+,;=]|%[0-9A-F]{2})*))\5(?::(?=(\d*))\6)?)(\/(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\8)?|(\/?(?!\/)(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\10)?)(?:\?(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\11)?(?:#(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\12)?$/i; - - var uriScheme = 1; - var uriDomain = 5; - var uriPort = 6; - var uriPath = 7; - var uriPathAlt = 9; - var uriQuery = 11; - - function domain(dst, src) { - return url_wrapper(dst, src, extract_domain); - } - - function split_url(value) { - var m = value.match(uriRegExp); - if (m && m[uriDomain]) return m; - // Support input in the form "www.example.net/path", but not "/path". - m = ("null://" + value).match(uriRegExp); - if (m) return m; - } - - function extract_domain(value) { - var m = split_url(value); - if (m && m[uriDomain]) return m[uriDomain]; - } - - var extFromPage = /\.[^.]+$/; - function extract_ext(value) { - var page = extract_page(value); - if (page) { - var m = page.match(extFromPage); - if (m) return m[0]; - } - } - - function ext(dst, src) { - return url_wrapper(dst, src, extract_ext); - } - - function fqdn(dst, src) { - // TODO: fqdn and domain(eTLD+1) are currently the same. - return domain(dst, src); - } - - var pageFromPathRegExp = /\/([^\/]+)$/; - var pageName = 1; - - function extract_page(value) { - value = extract_path(value); - if (!value) return undefined; - var m = value.match(pageFromPathRegExp); - if (m) return m[pageName]; - } - - function page(dst, src) { - return url_wrapper(dst, src, extract_page); - } - - function extract_path(value) { - var m = split_url(value); - return m? m[uriPath] || m[uriPathAlt] : undefined; - } - - function path(dst, src) { - return url_wrapper(dst, src, extract_path); - } - - // Map common schemes to their default port. 
- // port has to be a string (will be converted at a later stage). - var schemePort = { - "ftp": "21", - "ssh": "22", - "http": "80", - "https": "443", - }; - - function extract_port(value) { - var m = split_url(value); - if (!m) return undefined; - if (m[uriPort]) return m[uriPort]; - if (m[uriScheme]) { - return schemePort[m[uriScheme]]; - } - } - - function port(dst, src) { - return url_wrapper(dst, src, extract_port); - } - - function extract_query(value) { - var m = split_url(value); - if (m && m[uriQuery]) return m[uriQuery]; - } - - function query(dst, src) { - return url_wrapper(dst, src, extract_query); - } - - function extract_root(value) { - var m = split_url(value); - if (m && m[uriDomain] && m[uriDomain]) { - var scheme = m[uriScheme] && m[uriScheme] !== "null"? - m[uriScheme] + "://" : ""; - var port = m[uriPort]? ":" + m[uriPort] : ""; - return scheme + m[uriDomain] + port; - } - } - - function root(dst, src) { - return url_wrapper(dst, src, extract_root); - } - - function tagval(id, src, cfg, keys, on_success) { - var fail = function(evt) { - evt.Put(FLAG_FIELD, "tagval_parsing_error"); - } - if (cfg.kv_separator.length !== 1) { - throw("Invalid TAGVALMAP ValueDelimiter (must have 1 character)"); - } - var quotes_len = cfg.open_quote.length > 0 && cfg.close_quote.length > 0? 
- cfg.open_quote.length + cfg.close_quote.length : 0; - var kv_regex = new RegExp('^([^' + cfg.kv_separator + ']*)*' + cfg.kv_separator + ' *(.*)*$'); - return function(evt) { - var msg = evt.Get(src); - if (msg === undefined) { - console.warn("tagval: input field is missing"); - return fail(evt); - } - var pairs = msg.split(cfg.pair_separator); - var i; - var success = false; - var prev = ""; - for (i=0; i 0 && - value.length >= cfg.open_quote.length + cfg.close_quote.length && - value.substr(0, cfg.open_quote.length) === cfg.open_quote && - value.substr(value.length - cfg.close_quote.length) === cfg.close_quote) { - value = value.substr(cfg.open_quote.length, value.length - quotes_len); - } - evt.Put(FIELDS_PREFIX + field, value); - success = true; - } - if (!success) { - return fail(evt); - } - if (on_success != null) { - on_success(evt); - } - } - } - - var ecs_mappings = { - "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]}, - "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]}, - "_severity": {convert: to_long, to:[{field: "log.syslog.severity.code", setter: fld_set}]}, - "action": {to:[{field: "event.action", setter: fld_prio, prio: 0}]}, - "administrator": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 4}]}, - "alias.ip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 3},{field: "related.ip", setter: fld_append}]}, - "alias.ipv6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 4},{field: "related.ip", setter: fld_append}]}, - "alias.mac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 1}]}, - "application": {to:[{field: "network.application", setter: fld_set}]}, - "bytes": {convert: to_long, to:[{field: "network.bytes", setter: fld_set}]}, - "c_domain": {to:[{field: "source.domain", setter: fld_prio, prio: 1}]}, - "c_logon_id": {to:[{field: "user.id", setter: fld_prio, prio: 2}]}, - 
"c_user_name": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 8}]}, - "c_username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 2}]}, - "cctld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 1}]}, - "child_pid": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 1}]}, - "child_pid_val": {to:[{field: "process.title", setter: fld_set}]}, - "child_process": {to:[{field: "process.name", setter: fld_prio, prio: 1}]}, - "city.dst": {to:[{field: "destination.geo.city_name", setter: fld_set}]}, - "city.src": {to:[{field: "source.geo.city_name", setter: fld_set}]}, - "daddr": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, - "daddr_v6": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, - "ddomain": {to:[{field: "destination.domain", setter: fld_prio, prio: 0}]}, - "devicehostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, - "devicehostmac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 0}]}, - "dhost": {to:[{field: "destination.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]}, - "dinterface": {to:[{field: "observer.egress.interface.name", setter: fld_set}]}, - "direction": {to:[{field: "network.direction", setter: fld_set}]}, - "directory": {to:[{field: "file.directory", setter: fld_set}]}, - "dmacaddr": {convert: to_mac, to:[{field: "destination.mac", setter: fld_set}]}, - "dns.responsetype": {to:[{field: "dns.answers.type", setter: fld_set}]}, - "dns.resptext": {to:[{field: "dns.answers.name", setter: fld_set}]}, - "dns_querytype": {to:[{field: "dns.question.type", setter: fld_set}]}, - "domain": {to:[{field: "server.domain", setter: fld_prio, prio: 0},{field: "related.hosts", setter: fld_append}]}, - 
"domain.dst": {to:[{field: "destination.domain", setter: fld_prio, prio: 1}]}, - "domain.src": {to:[{field: "source.domain", setter: fld_prio, prio: 2}]}, - "domain_id": {to:[{field: "user.domain", setter: fld_set}]}, - "domainname": {to:[{field: "server.domain", setter: fld_prio, prio: 1}]}, - "dport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 0}]}, - "dtransaddr": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, - "dtransport": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 0}]}, - "ec_outcome": {to:[{field: "event.outcome", setter: fld_ecs_outcome}]}, - "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]}, - "event_source": {to:[{field: "related.hosts", setter: fld_append}]}, - "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]}, - "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]}, - "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]}, - "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]}, - "filename": {to:[{field: "file.name", setter: fld_prio, prio: 0}]}, - "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]}, - "filepath": {to:[{field: "file.path", setter: fld_set}]}, - "filetype": {to:[{field: "file.type", setter: fld_set}]}, - "fqdn": {to:[{field: "related.hosts", setter: fld_append}]}, - "group": {to:[{field: "group.name", setter: fld_set}]}, - "groupid": {to:[{field: "group.id", setter: fld_set}]}, - "host": {to:[{field: "host.name", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]}, - "hostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, - "hostip_v6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, - "hostname": {to:[{field: 
"host.name", setter: fld_prio, prio: 0}]}, - "id": {to:[{field: "event.code", setter: fld_prio, prio: 0}]}, - "interface": {to:[{field: "network.interface.name", setter: fld_set}]}, - "ip.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, - "ip.trans.dst": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, - "ip.trans.src": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, - "ipv6.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, - "latdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lat", setter: fld_set}]}, - "latdec_src": {convert: to_double, to:[{field: "source.geo.location.lat", setter: fld_set}]}, - "location_city": {to:[{field: "geo.city_name", setter: fld_set}]}, - "location_country": {to:[{field: "geo.country_name", setter: fld_set}]}, - "location_desc": {to:[{field: "geo.name", setter: fld_set}]}, - "location_dst": {to:[{field: "destination.geo.country_name", setter: fld_set}]}, - "location_src": {to:[{field: "source.geo.country_name", setter: fld_set}]}, - "location_state": {to:[{field: "geo.region_name", setter: fld_set}]}, - "logon_id": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 5}]}, - "longdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lon", setter: fld_set}]}, - "longdec_src": {convert: to_double, to:[{field: "source.geo.location.lon", setter: fld_set}]}, - "macaddr": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 2}]}, - "messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]}, - "method": {to:[{field: "http.request.method", setter: fld_set}]}, - "msg": {to:[{field: "message", setter: fld_set}]}, - "orig_ip": {convert: to_ip, 
to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, - "owner": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 6}]}, - "packets": {convert: to_long, to:[{field: "network.packets", setter: fld_set}]}, - "parent_pid": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 0}]}, - "parent_pid_val": {to:[{field: "process.parent.title", setter: fld_set}]}, - "parent_process": {to:[{field: "process.parent.name", setter: fld_prio, prio: 0}]}, - "patient_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 1}]}, - "port.dst": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 1}]}, - "port.src": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 1}]}, - "port.trans.dst": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 1}]}, - "port.trans.src": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 1}]}, - "process": {to:[{field: "process.name", setter: fld_prio, prio: 0}]}, - "process_id": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 0}]}, - "process_id_src": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 1}]}, - "process_src": {to:[{field: "process.parent.name", setter: fld_prio, prio: 1}]}, - "product": {to:[{field: "observer.product", setter: fld_set}]}, - "protocol": {to:[{field: "network.protocol", setter: fld_set}]}, - "query": {to:[{field: "url.query", setter: fld_prio, prio: 2}]}, - "rbytes": {convert: to_long, to:[{field: "destination.bytes", setter: fld_set}]}, - "referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 1}]}, - "rulename": {to:[{field: "rule.name", setter: fld_set}]}, - "saddr": {convert: to_ip, to:[{field: "source.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, - "saddr_v6": {convert: to_ip, to:[{field: "source.ip", setter: 
fld_set},{field: "related.ip", setter: fld_append}]}, - "sbytes": {convert: to_long, to:[{field: "source.bytes", setter: fld_set}]}, - "sdomain": {to:[{field: "source.domain", setter: fld_prio, prio: 0}]}, - "service": {to:[{field: "service.name", setter: fld_prio, prio: 1}]}, - "service.name": {to:[{field: "service.name", setter: fld_prio, prio: 0}]}, - "service_account": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 7}]}, - "severity": {to:[{field: "log.level", setter: fld_set}]}, - "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]}, - "sinterface": {to:[{field: "observer.ingress.interface.name", setter: fld_set}]}, - "sld": {to:[{field: "url.registered_domain", setter: fld_set}]}, - "smacaddr": {convert: to_mac, to:[{field: "source.mac", setter: fld_set}]}, - "sport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 0}]}, - "stransaddr": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, - "stransport": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 0}]}, - "tcp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 2}]}, - "tcp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 2}]}, - "timezone": {to:[{field: "event.timezone", setter: fld_set}]}, - "tld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 0}]}, - "udp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 3}]}, - "udp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 3}]}, - "uid": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 3}]}, - "url": {to:[{field: "url.original", setter: fld_prio, prio: 1}]}, - "url_raw": {to:[{field: "url.original", setter: fld_prio, prio: 
0}]}, - "urldomain": {to:[{field: "url.domain", setter: fld_prio, prio: 0}]}, - "urlquery": {to:[{field: "url.query", setter: fld_prio, prio: 0}]}, - "user": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 0}]}, - "user.id": {to:[{field: "user.id", setter: fld_prio, prio: 1}]}, - "user_agent": {to:[{field: "user_agent.original", setter: fld_set}]}, - "user_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 0}]}, - "user_id": {to:[{field: "user.id", setter: fld_prio, prio: 0}]}, - "username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 1}]}, - "version": {to:[{field: "observer.version", setter: fld_set}]}, - "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]}, - "web_extension": {to:[{field: "file.extension", setter: fld_prio, prio: 0}]}, - "web_query": {to:[{field: "url.query", setter: fld_prio, prio: 1}]}, - "web_ref_domain": {to:[{field: "related.hosts", setter: fld_append}]}, - "web_referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 0}]}, - "web_root": {to:[{field: "url.path", setter: fld_set}]}, - "webpage": {to:[{field: "file.name", setter: fld_prio, prio: 1}]}, - }; - - var rsa_mappings = { - "access_point": {to:[{field: "rsa.wireless.access_point", setter: fld_set}]}, - "accesses": {to:[{field: "rsa.identity.accesses", setter: fld_set}]}, - "acl_id": {to:[{field: "rsa.misc.acl_id", setter: fld_set}]}, - "acl_op": {to:[{field: "rsa.misc.acl_op", setter: fld_set}]}, - "acl_pos": {to:[{field: "rsa.misc.acl_pos", setter: fld_set}]}, - "acl_table": {to:[{field: "rsa.misc.acl_table", setter: fld_set}]}, - "action": {to:[{field: "rsa.misc.action", setter: fld_append}]}, - "ad_computer_dst": {to:[{field: "rsa.network.ad_computer_dst", setter: fld_set}]}, - "addr": {to:[{field: "rsa.network.addr", setter: fld_set}]}, - "admin": {to:[{field: "rsa.misc.admin", setter: 
fld_set}]}, - "agent": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 0}]}, - "agent.id": {to:[{field: "rsa.misc.agent_id", setter: fld_set}]}, - "alarm_id": {to:[{field: "rsa.misc.alarm_id", setter: fld_set}]}, - "alarmname": {to:[{field: "rsa.misc.alarmname", setter: fld_set}]}, - "alert": {to:[{field: "rsa.threat.alert", setter: fld_set}]}, - "alert_id": {to:[{field: "rsa.misc.alert_id", setter: fld_set}]}, - "alias.host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "analysis.file": {to:[{field: "rsa.investigations.analysis_file", setter: fld_set}]}, - "analysis.service": {to:[{field: "rsa.investigations.analysis_service", setter: fld_set}]}, - "analysis.session": {to:[{field: "rsa.investigations.analysis_session", setter: fld_set}]}, - "app_id": {to:[{field: "rsa.misc.app_id", setter: fld_set}]}, - "attachment": {to:[{field: "rsa.file.attachment", setter: fld_set}]}, - "audit": {to:[{field: "rsa.misc.audit", setter: fld_set}]}, - "audit_class": {to:[{field: "rsa.internal.audit_class", setter: fld_set}]}, - "audit_object": {to:[{field: "rsa.misc.audit_object", setter: fld_set}]}, - "auditdata": {to:[{field: "rsa.misc.auditdata", setter: fld_set}]}, - "authmethod": {to:[{field: "rsa.identity.auth_method", setter: fld_set}]}, - "autorun_type": {to:[{field: "rsa.misc.autorun_type", setter: fld_set}]}, - "bcc": {to:[{field: "rsa.email.email", setter: fld_append}]}, - "benchmark": {to:[{field: "rsa.misc.benchmark", setter: fld_set}]}, - "binary": {to:[{field: "rsa.file.binary", setter: fld_set}]}, - "boc": {to:[{field: "rsa.investigations.boc", setter: fld_set}]}, - "bssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 1}]}, - "bypass": {to:[{field: "rsa.misc.bypass", setter: fld_set}]}, - "c_sid": {to:[{field: "rsa.identity.user_sid_src", setter: fld_set}]}, - "cache": {to:[{field: "rsa.misc.cache", setter: fld_set}]}, - "cache_hit": {to:[{field: "rsa.misc.cache_hit", setter: fld_set}]}, - "calling_from": {to:[{field: 
"rsa.misc.phone", setter: fld_prio, prio: 1}]}, - "calling_to": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 0}]}, - "category": {to:[{field: "rsa.misc.category", setter: fld_set}]}, - "cc": {to:[{field: "rsa.email.email", setter: fld_append}]}, - "cc.number": {convert: to_long, to:[{field: "rsa.misc.cc_number", setter: fld_set}]}, - "cefversion": {to:[{field: "rsa.misc.cefversion", setter: fld_set}]}, - "cert.serial": {to:[{field: "rsa.crypto.cert_serial", setter: fld_set}]}, - "cert_ca": {to:[{field: "rsa.crypto.cert_ca", setter: fld_set}]}, - "cert_checksum": {to:[{field: "rsa.crypto.cert_checksum", setter: fld_set}]}, - "cert_common": {to:[{field: "rsa.crypto.cert_common", setter: fld_set}]}, - "cert_error": {to:[{field: "rsa.crypto.cert_error", setter: fld_set}]}, - "cert_hostname": {to:[{field: "rsa.crypto.cert_host_name", setter: fld_set}]}, - "cert_hostname_cat": {to:[{field: "rsa.crypto.cert_host_cat", setter: fld_set}]}, - "cert_issuer": {to:[{field: "rsa.crypto.cert_issuer", setter: fld_set}]}, - "cert_keysize": {to:[{field: "rsa.crypto.cert_keysize", setter: fld_set}]}, - "cert_status": {to:[{field: "rsa.crypto.cert_status", setter: fld_set}]}, - "cert_subject": {to:[{field: "rsa.crypto.cert_subject", setter: fld_set}]}, - "cert_username": {to:[{field: "rsa.crypto.cert_username", setter: fld_set}]}, - "cfg.attr": {to:[{field: "rsa.misc.cfg_attr", setter: fld_set}]}, - "cfg.obj": {to:[{field: "rsa.misc.cfg_obj", setter: fld_set}]}, - "cfg.path": {to:[{field: "rsa.misc.cfg_path", setter: fld_set}]}, - "change_attribute": {to:[{field: "rsa.misc.change_attrib", setter: fld_set}]}, - "change_new": {to:[{field: "rsa.misc.change_new", setter: fld_set}]}, - "change_old": {to:[{field: "rsa.misc.change_old", setter: fld_set}]}, - "changes": {to:[{field: "rsa.misc.changes", setter: fld_set}]}, - "checksum": {to:[{field: "rsa.misc.checksum", setter: fld_set}]}, - "checksum.dst": {to:[{field: "rsa.misc.checksum_dst", setter: fld_set}]}, - "checksum.src": 
{to:[{field: "rsa.misc.checksum_src", setter: fld_set}]}, - "cid": {to:[{field: "rsa.internal.cid", setter: fld_set}]}, - "client": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 1}]}, - "client_ip": {to:[{field: "rsa.misc.client_ip", setter: fld_set}]}, - "clustermembers": {to:[{field: "rsa.misc.clustermembers", setter: fld_set}]}, - "cmd": {to:[{field: "rsa.misc.cmd", setter: fld_set}]}, - "cn_acttimeout": {to:[{field: "rsa.misc.cn_acttimeout", setter: fld_set}]}, - "cn_asn_dst": {to:[{field: "rsa.web.cn_asn_dst", setter: fld_set}]}, - "cn_asn_src": {to:[{field: "rsa.misc.cn_asn_src", setter: fld_set}]}, - "cn_bgpv4nxthop": {to:[{field: "rsa.misc.cn_bgpv4nxthop", setter: fld_set}]}, - "cn_ctr_dst_code": {to:[{field: "rsa.misc.cn_ctr_dst_code", setter: fld_set}]}, - "cn_dst_tos": {to:[{field: "rsa.misc.cn_dst_tos", setter: fld_set}]}, - "cn_dst_vlan": {to:[{field: "rsa.misc.cn_dst_vlan", setter: fld_set}]}, - "cn_engine_id": {to:[{field: "rsa.misc.cn_engine_id", setter: fld_set}]}, - "cn_engine_type": {to:[{field: "rsa.misc.cn_engine_type", setter: fld_set}]}, - "cn_f_switch": {to:[{field: "rsa.misc.cn_f_switch", setter: fld_set}]}, - "cn_flowsampid": {to:[{field: "rsa.misc.cn_flowsampid", setter: fld_set}]}, - "cn_flowsampintv": {to:[{field: "rsa.misc.cn_flowsampintv", setter: fld_set}]}, - "cn_flowsampmode": {to:[{field: "rsa.misc.cn_flowsampmode", setter: fld_set}]}, - "cn_inacttimeout": {to:[{field: "rsa.misc.cn_inacttimeout", setter: fld_set}]}, - "cn_inpermbyts": {to:[{field: "rsa.misc.cn_inpermbyts", setter: fld_set}]}, - "cn_inpermpckts": {to:[{field: "rsa.misc.cn_inpermpckts", setter: fld_set}]}, - "cn_invalid": {to:[{field: "rsa.misc.cn_invalid", setter: fld_set}]}, - "cn_ip_proto_ver": {to:[{field: "rsa.misc.cn_ip_proto_ver", setter: fld_set}]}, - "cn_ipv4_ident": {to:[{field: "rsa.misc.cn_ipv4_ident", setter: fld_set}]}, - "cn_l_switch": {to:[{field: "rsa.misc.cn_l_switch", setter: fld_set}]}, - "cn_log_did": {to:[{field: 
"rsa.misc.cn_log_did", setter: fld_set}]}, - "cn_log_rid": {to:[{field: "rsa.misc.cn_log_rid", setter: fld_set}]}, - "cn_max_ttl": {to:[{field: "rsa.misc.cn_max_ttl", setter: fld_set}]}, - "cn_maxpcktlen": {to:[{field: "rsa.misc.cn_maxpcktlen", setter: fld_set}]}, - "cn_min_ttl": {to:[{field: "rsa.misc.cn_min_ttl", setter: fld_set}]}, - "cn_minpcktlen": {to:[{field: "rsa.misc.cn_minpcktlen", setter: fld_set}]}, - "cn_mpls_lbl_1": {to:[{field: "rsa.misc.cn_mpls_lbl_1", setter: fld_set}]}, - "cn_mpls_lbl_10": {to:[{field: "rsa.misc.cn_mpls_lbl_10", setter: fld_set}]}, - "cn_mpls_lbl_2": {to:[{field: "rsa.misc.cn_mpls_lbl_2", setter: fld_set}]}, - "cn_mpls_lbl_3": {to:[{field: "rsa.misc.cn_mpls_lbl_3", setter: fld_set}]}, - "cn_mpls_lbl_4": {to:[{field: "rsa.misc.cn_mpls_lbl_4", setter: fld_set}]}, - "cn_mpls_lbl_5": {to:[{field: "rsa.misc.cn_mpls_lbl_5", setter: fld_set}]}, - "cn_mpls_lbl_6": {to:[{field: "rsa.misc.cn_mpls_lbl_6", setter: fld_set}]}, - "cn_mpls_lbl_7": {to:[{field: "rsa.misc.cn_mpls_lbl_7", setter: fld_set}]}, - "cn_mpls_lbl_8": {to:[{field: "rsa.misc.cn_mpls_lbl_8", setter: fld_set}]}, - "cn_mpls_lbl_9": {to:[{field: "rsa.misc.cn_mpls_lbl_9", setter: fld_set}]}, - "cn_mplstoplabel": {to:[{field: "rsa.misc.cn_mplstoplabel", setter: fld_set}]}, - "cn_mplstoplabip": {to:[{field: "rsa.misc.cn_mplstoplabip", setter: fld_set}]}, - "cn_mul_dst_byt": {to:[{field: "rsa.misc.cn_mul_dst_byt", setter: fld_set}]}, - "cn_mul_dst_pks": {to:[{field: "rsa.misc.cn_mul_dst_pks", setter: fld_set}]}, - "cn_muligmptype": {to:[{field: "rsa.misc.cn_muligmptype", setter: fld_set}]}, - "cn_rpackets": {to:[{field: "rsa.web.cn_rpackets", setter: fld_set}]}, - "cn_sampalgo": {to:[{field: "rsa.misc.cn_sampalgo", setter: fld_set}]}, - "cn_sampint": {to:[{field: "rsa.misc.cn_sampint", setter: fld_set}]}, - "cn_seqctr": {to:[{field: "rsa.misc.cn_seqctr", setter: fld_set}]}, - "cn_spackets": {to:[{field: "rsa.misc.cn_spackets", setter: fld_set}]}, - "cn_src_tos": {to:[{field: 
"rsa.misc.cn_src_tos", setter: fld_set}]}, - "cn_src_vlan": {to:[{field: "rsa.misc.cn_src_vlan", setter: fld_set}]}, - "cn_sysuptime": {to:[{field: "rsa.misc.cn_sysuptime", setter: fld_set}]}, - "cn_template_id": {to:[{field: "rsa.misc.cn_template_id", setter: fld_set}]}, - "cn_totbytsexp": {to:[{field: "rsa.misc.cn_totbytsexp", setter: fld_set}]}, - "cn_totflowexp": {to:[{field: "rsa.misc.cn_totflowexp", setter: fld_set}]}, - "cn_totpcktsexp": {to:[{field: "rsa.misc.cn_totpcktsexp", setter: fld_set}]}, - "cn_unixnanosecs": {to:[{field: "rsa.misc.cn_unixnanosecs", setter: fld_set}]}, - "cn_v6flowlabel": {to:[{field: "rsa.misc.cn_v6flowlabel", setter: fld_set}]}, - "cn_v6optheaders": {to:[{field: "rsa.misc.cn_v6optheaders", setter: fld_set}]}, - "code": {to:[{field: "rsa.misc.code", setter: fld_set}]}, - "command": {to:[{field: "rsa.misc.command", setter: fld_set}]}, - "comments": {to:[{field: "rsa.misc.comments", setter: fld_set}]}, - "comp_class": {to:[{field: "rsa.misc.comp_class", setter: fld_set}]}, - "comp_name": {to:[{field: "rsa.misc.comp_name", setter: fld_set}]}, - "comp_rbytes": {to:[{field: "rsa.misc.comp_rbytes", setter: fld_set}]}, - "comp_sbytes": {to:[{field: "rsa.misc.comp_sbytes", setter: fld_set}]}, - "component_version": {to:[{field: "rsa.misc.comp_version", setter: fld_set}]}, - "connection_id": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 1}]}, - "connectionid": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 0}]}, - "content": {to:[{field: "rsa.misc.content", setter: fld_set}]}, - "content_type": {to:[{field: "rsa.misc.content_type", setter: fld_set}]}, - "content_version": {to:[{field: "rsa.misc.content_version", setter: fld_set}]}, - "context": {to:[{field: "rsa.misc.context", setter: fld_set}]}, - "count": {to:[{field: "rsa.misc.count", setter: fld_set}]}, - "cpu": {convert: to_long, to:[{field: "rsa.misc.cpu", setter: fld_set}]}, - "cpu_data": {to:[{field: "rsa.misc.cpu_data", setter: fld_set}]}, - 
"criticality": {to:[{field: "rsa.misc.criticality", setter: fld_set}]}, - "cs_agency_dst": {to:[{field: "rsa.misc.cs_agency_dst", setter: fld_set}]}, - "cs_analyzedby": {to:[{field: "rsa.misc.cs_analyzedby", setter: fld_set}]}, - "cs_av_other": {to:[{field: "rsa.misc.cs_av_other", setter: fld_set}]}, - "cs_av_primary": {to:[{field: "rsa.misc.cs_av_primary", setter: fld_set}]}, - "cs_av_secondary": {to:[{field: "rsa.misc.cs_av_secondary", setter: fld_set}]}, - "cs_bgpv6nxthop": {to:[{field: "rsa.misc.cs_bgpv6nxthop", setter: fld_set}]}, - "cs_bit9status": {to:[{field: "rsa.misc.cs_bit9status", setter: fld_set}]}, - "cs_context": {to:[{field: "rsa.misc.cs_context", setter: fld_set}]}, - "cs_control": {to:[{field: "rsa.misc.cs_control", setter: fld_set}]}, - "cs_data": {to:[{field: "rsa.misc.cs_data", setter: fld_set}]}, - "cs_datecret": {to:[{field: "rsa.misc.cs_datecret", setter: fld_set}]}, - "cs_dst_tld": {to:[{field: "rsa.misc.cs_dst_tld", setter: fld_set}]}, - "cs_eth_dst_ven": {to:[{field: "rsa.misc.cs_eth_dst_ven", setter: fld_set}]}, - "cs_eth_src_ven": {to:[{field: "rsa.misc.cs_eth_src_ven", setter: fld_set}]}, - "cs_event_uuid": {to:[{field: "rsa.misc.cs_event_uuid", setter: fld_set}]}, - "cs_filetype": {to:[{field: "rsa.misc.cs_filetype", setter: fld_set}]}, - "cs_fld": {to:[{field: "rsa.misc.cs_fld", setter: fld_set}]}, - "cs_if_desc": {to:[{field: "rsa.misc.cs_if_desc", setter: fld_set}]}, - "cs_if_name": {to:[{field: "rsa.misc.cs_if_name", setter: fld_set}]}, - "cs_ip_next_hop": {to:[{field: "rsa.misc.cs_ip_next_hop", setter: fld_set}]}, - "cs_ipv4dstpre": {to:[{field: "rsa.misc.cs_ipv4dstpre", setter: fld_set}]}, - "cs_ipv4srcpre": {to:[{field: "rsa.misc.cs_ipv4srcpre", setter: fld_set}]}, - "cs_lifetime": {to:[{field: "rsa.misc.cs_lifetime", setter: fld_set}]}, - "cs_log_medium": {to:[{field: "rsa.misc.cs_log_medium", setter: fld_set}]}, - "cs_loginname": {to:[{field: "rsa.misc.cs_loginname", setter: fld_set}]}, - "cs_modulescore": {to:[{field: 
"rsa.misc.cs_modulescore", setter: fld_set}]}, - "cs_modulesign": {to:[{field: "rsa.misc.cs_modulesign", setter: fld_set}]}, - "cs_opswatresult": {to:[{field: "rsa.misc.cs_opswatresult", setter: fld_set}]}, - "cs_payload": {to:[{field: "rsa.misc.cs_payload", setter: fld_set}]}, - "cs_registrant": {to:[{field: "rsa.misc.cs_registrant", setter: fld_set}]}, - "cs_registrar": {to:[{field: "rsa.misc.cs_registrar", setter: fld_set}]}, - "cs_represult": {to:[{field: "rsa.misc.cs_represult", setter: fld_set}]}, - "cs_rpayload": {to:[{field: "rsa.misc.cs_rpayload", setter: fld_set}]}, - "cs_sampler_name": {to:[{field: "rsa.misc.cs_sampler_name", setter: fld_set}]}, - "cs_sourcemodule": {to:[{field: "rsa.misc.cs_sourcemodule", setter: fld_set}]}, - "cs_streams": {to:[{field: "rsa.misc.cs_streams", setter: fld_set}]}, - "cs_targetmodule": {to:[{field: "rsa.misc.cs_targetmodule", setter: fld_set}]}, - "cs_v6nxthop": {to:[{field: "rsa.misc.cs_v6nxthop", setter: fld_set}]}, - "cs_whois_server": {to:[{field: "rsa.misc.cs_whois_server", setter: fld_set}]}, - "cs_yararesult": {to:[{field: "rsa.misc.cs_yararesult", setter: fld_set}]}, - "cve": {to:[{field: "rsa.misc.cve", setter: fld_set}]}, - "d_certauth": {to:[{field: "rsa.crypto.d_certauth", setter: fld_set}]}, - "d_cipher": {to:[{field: "rsa.crypto.cipher_dst", setter: fld_set}]}, - "d_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_dst", setter: fld_set}]}, - "d_sslver": {to:[{field: "rsa.crypto.ssl_ver_dst", setter: fld_set}]}, - "data": {to:[{field: "rsa.internal.data", setter: fld_set}]}, - "data_type": {to:[{field: "rsa.misc.data_type", setter: fld_set}]}, - "date": {to:[{field: "rsa.time.date", setter: fld_set}]}, - "datetime": {to:[{field: "rsa.time.datetime", setter: fld_set}]}, - "day": {to:[{field: "rsa.time.day", setter: fld_set}]}, - "db_id": {to:[{field: "rsa.db.db_id", setter: fld_set}]}, - "db_name": {to:[{field: "rsa.db.database", setter: fld_set}]}, - "db_pid": {convert: to_long, to:[{field: 
"rsa.db.db_pid", setter: fld_set}]}, - "dclass_counter1": {convert: to_long, to:[{field: "rsa.counters.dclass_c1", setter: fld_set}]}, - "dclass_counter1_string": {to:[{field: "rsa.counters.dclass_c1_str", setter: fld_set}]}, - "dclass_counter2": {convert: to_long, to:[{field: "rsa.counters.dclass_c2", setter: fld_set}]}, - "dclass_counter2_string": {to:[{field: "rsa.counters.dclass_c2_str", setter: fld_set}]}, - "dclass_counter3": {convert: to_long, to:[{field: "rsa.counters.dclass_c3", setter: fld_set}]}, - "dclass_counter3_string": {to:[{field: "rsa.counters.dclass_c3_str", setter: fld_set}]}, - "dclass_ratio1": {to:[{field: "rsa.counters.dclass_r1", setter: fld_set}]}, - "dclass_ratio1_string": {to:[{field: "rsa.counters.dclass_r1_str", setter: fld_set}]}, - "dclass_ratio2": {to:[{field: "rsa.counters.dclass_r2", setter: fld_set}]}, - "dclass_ratio2_string": {to:[{field: "rsa.counters.dclass_r2_str", setter: fld_set}]}, - "dclass_ratio3": {to:[{field: "rsa.counters.dclass_r3", setter: fld_set}]}, - "dclass_ratio3_string": {to:[{field: "rsa.counters.dclass_r3_str", setter: fld_set}]}, - "dead": {convert: to_long, to:[{field: "rsa.internal.dead", setter: fld_set}]}, - "description": {to:[{field: "rsa.misc.description", setter: fld_set}]}, - "detail": {to:[{field: "rsa.misc.event_desc", setter: fld_set}]}, - "device": {to:[{field: "rsa.misc.device_name", setter: fld_set}]}, - "device.class": {to:[{field: "rsa.internal.device_class", setter: fld_set}]}, - "device.group": {to:[{field: "rsa.internal.device_group", setter: fld_set}]}, - "device.host": {to:[{field: "rsa.internal.device_host", setter: fld_set}]}, - "device.ip": {convert: to_ip, to:[{field: "rsa.internal.device_ip", setter: fld_set}]}, - "device.ipv6": {convert: to_ip, to:[{field: "rsa.internal.device_ipv6", setter: fld_set}]}, - "device.type": {to:[{field: "rsa.internal.device_type", setter: fld_set}]}, - "device.type.id": {convert: to_long, to:[{field: "rsa.internal.device_type_id", setter: fld_set}]}, 
- "devicehostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "devvendor": {to:[{field: "rsa.misc.devvendor", setter: fld_set}]}, - "dhost": {to:[{field: "rsa.network.host_dst", setter: fld_set}]}, - "did": {to:[{field: "rsa.internal.did", setter: fld_set}]}, - "dinterface": {to:[{field: "rsa.network.dinterface", setter: fld_set}]}, - "directory.dst": {to:[{field: "rsa.file.directory_dst", setter: fld_set}]}, - "directory.src": {to:[{field: "rsa.file.directory_src", setter: fld_set}]}, - "disk_volume": {to:[{field: "rsa.storage.disk_volume", setter: fld_set}]}, - "disposition": {to:[{field: "rsa.misc.disposition", setter: fld_set}]}, - "distance": {to:[{field: "rsa.misc.distance", setter: fld_set}]}, - "dmask": {to:[{field: "rsa.network.dmask", setter: fld_set}]}, - "dn": {to:[{field: "rsa.identity.dn", setter: fld_set}]}, - "dns_a_record": {to:[{field: "rsa.network.dns_a_record", setter: fld_set}]}, - "dns_cname_record": {to:[{field: "rsa.network.dns_cname_record", setter: fld_set}]}, - "dns_id": {to:[{field: "rsa.network.dns_id", setter: fld_set}]}, - "dns_opcode": {to:[{field: "rsa.network.dns_opcode", setter: fld_set}]}, - "dns_ptr_record": {to:[{field: "rsa.network.dns_ptr_record", setter: fld_set}]}, - "dns_resp": {to:[{field: "rsa.network.dns_resp", setter: fld_set}]}, - "dns_type": {to:[{field: "rsa.network.dns_type", setter: fld_set}]}, - "doc_number": {convert: to_long, to:[{field: "rsa.misc.doc_number", setter: fld_set}]}, - "domain": {to:[{field: "rsa.network.domain", setter: fld_set}]}, - "domain1": {to:[{field: "rsa.network.domain1", setter: fld_set}]}, - "dst_dn": {to:[{field: "rsa.identity.dn_dst", setter: fld_set}]}, - "dst_payload": {to:[{field: "rsa.misc.payload_dst", setter: fld_set}]}, - "dst_spi": {to:[{field: "rsa.misc.spi_dst", setter: fld_set}]}, - "dst_zone": {to:[{field: "rsa.network.zone_dst", setter: fld_set}]}, - "dstburb": {to:[{field: "rsa.misc.dstburb", setter: fld_set}]}, - "duration": {convert: to_double, 
to:[{field: "rsa.time.duration_time", setter: fld_set}]}, - "duration_string": {to:[{field: "rsa.time.duration_str", setter: fld_set}]}, - "ec_activity": {to:[{field: "rsa.investigations.ec_activity", setter: fld_set}]}, - "ec_outcome": {to:[{field: "rsa.investigations.ec_outcome", setter: fld_set}]}, - "ec_subject": {to:[{field: "rsa.investigations.ec_subject", setter: fld_set}]}, - "ec_theme": {to:[{field: "rsa.investigations.ec_theme", setter: fld_set}]}, - "edomain": {to:[{field: "rsa.misc.edomain", setter: fld_set}]}, - "edomaub": {to:[{field: "rsa.misc.edomaub", setter: fld_set}]}, - "effective_time": {convert: to_date, to:[{field: "rsa.time.effective_time", setter: fld_set}]}, - "ein.number": {convert: to_long, to:[{field: "rsa.misc.ein_number", setter: fld_set}]}, - "email": {to:[{field: "rsa.email.email", setter: fld_append}]}, - "encryption_type": {to:[{field: "rsa.crypto.crypto", setter: fld_set}]}, - "endtime": {convert: to_date, to:[{field: "rsa.time.endtime", setter: fld_set}]}, - "entropy.req": {convert: to_long, to:[{field: "rsa.internal.entropy_req", setter: fld_set}]}, - "entropy.res": {convert: to_long, to:[{field: "rsa.internal.entropy_res", setter: fld_set}]}, - "entry": {to:[{field: "rsa.internal.entry", setter: fld_set}]}, - "eoc": {to:[{field: "rsa.investigations.eoc", setter: fld_set}]}, - "error": {to:[{field: "rsa.misc.error", setter: fld_set}]}, - "eth_type": {convert: to_long, to:[{field: "rsa.network.eth_type", setter: fld_set}]}, - "euid": {to:[{field: "rsa.misc.euid", setter: fld_set}]}, - "event.cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 1}]}, - "event.cat.name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 1}]}, - "event_cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 0}]}, - "event_cat_name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 0}]}, - "event_category": {to:[{field: 
"rsa.misc.event_category", setter: fld_set}]}, - "event_computer": {to:[{field: "rsa.misc.event_computer", setter: fld_set}]}, - "event_counter": {convert: to_long, to:[{field: "rsa.counters.event_counter", setter: fld_set}]}, - "event_description": {to:[{field: "rsa.internal.event_desc", setter: fld_set}]}, - "event_id": {to:[{field: "rsa.misc.event_id", setter: fld_set}]}, - "event_log": {to:[{field: "rsa.misc.event_log", setter: fld_set}]}, - "event_name": {to:[{field: "rsa.internal.event_name", setter: fld_set}]}, - "event_queue_time": {convert: to_date, to:[{field: "rsa.time.event_queue_time", setter: fld_set}]}, - "event_source": {to:[{field: "rsa.misc.event_source", setter: fld_set}]}, - "event_state": {to:[{field: "rsa.misc.event_state", setter: fld_set}]}, - "event_time": {convert: to_date, to:[{field: "rsa.time.event_time", setter: fld_set}]}, - "event_time_str": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 1}]}, - "event_time_string": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 0}]}, - "event_type": {to:[{field: "rsa.misc.event_type", setter: fld_set}]}, - "event_user": {to:[{field: "rsa.misc.event_user", setter: fld_set}]}, - "eventtime": {to:[{field: "rsa.time.eventtime", setter: fld_set}]}, - "expected_val": {to:[{field: "rsa.misc.expected_val", setter: fld_set}]}, - "expiration_time": {convert: to_date, to:[{field: "rsa.time.expire_time", setter: fld_set}]}, - "expiration_time_string": {to:[{field: "rsa.time.expire_time_str", setter: fld_set}]}, - "facility": {to:[{field: "rsa.misc.facility", setter: fld_set}]}, - "facilityname": {to:[{field: "rsa.misc.facilityname", setter: fld_set}]}, - "faddr": {to:[{field: "rsa.network.faddr", setter: fld_set}]}, - "fcatnum": {to:[{field: "rsa.misc.fcatnum", setter: fld_set}]}, - "federated_idp": {to:[{field: "rsa.identity.federated_idp", setter: fld_set}]}, - "federated_sp": {to:[{field: "rsa.identity.federated_sp", setter: fld_set}]}, - "feed.category": {to:[{field: 
"rsa.internal.feed_category", setter: fld_set}]}, - "feed_desc": {to:[{field: "rsa.internal.feed_desc", setter: fld_set}]}, - "feed_name": {to:[{field: "rsa.internal.feed_name", setter: fld_set}]}, - "fhost": {to:[{field: "rsa.network.fhost", setter: fld_set}]}, - "file_entropy": {convert: to_double, to:[{field: "rsa.file.file_entropy", setter: fld_set}]}, - "file_vendor": {to:[{field: "rsa.file.file_vendor", setter: fld_set}]}, - "filename_dst": {to:[{field: "rsa.file.filename_dst", setter: fld_set}]}, - "filename_src": {to:[{field: "rsa.file.filename_src", setter: fld_set}]}, - "filename_tmp": {to:[{field: "rsa.file.filename_tmp", setter: fld_set}]}, - "filesystem": {to:[{field: "rsa.file.filesystem", setter: fld_set}]}, - "filter": {to:[{field: "rsa.misc.filter", setter: fld_set}]}, - "finterface": {to:[{field: "rsa.misc.finterface", setter: fld_set}]}, - "flags": {to:[{field: "rsa.misc.flags", setter: fld_set}]}, - "forensic_info": {to:[{field: "rsa.misc.forensic_info", setter: fld_set}]}, - "forward.ip": {convert: to_ip, to:[{field: "rsa.internal.forward_ip", setter: fld_set}]}, - "forward.ipv6": {convert: to_ip, to:[{field: "rsa.internal.forward_ipv6", setter: fld_set}]}, - "found": {to:[{field: "rsa.misc.found", setter: fld_set}]}, - "fport": {to:[{field: "rsa.network.fport", setter: fld_set}]}, - "fqdn": {to:[{field: "rsa.web.fqdn", setter: fld_set}]}, - "fresult": {convert: to_long, to:[{field: "rsa.misc.fresult", setter: fld_set}]}, - "from": {to:[{field: "rsa.email.email_src", setter: fld_set}]}, - "gaddr": {to:[{field: "rsa.misc.gaddr", setter: fld_set}]}, - "gateway": {to:[{field: "rsa.network.gateway", setter: fld_set}]}, - "gmtdate": {to:[{field: "rsa.time.gmtdate", setter: fld_set}]}, - "gmttime": {to:[{field: "rsa.time.gmttime", setter: fld_set}]}, - "group": {to:[{field: "rsa.misc.group", setter: fld_set}]}, - "group_object": {to:[{field: "rsa.misc.group_object", setter: fld_set}]}, - "groupid": {to:[{field: "rsa.misc.group_id", setter: 
fld_set}]}, - "h_code": {to:[{field: "rsa.internal.hcode", setter: fld_set}]}, - "hardware_id": {to:[{field: "rsa.misc.hardware_id", setter: fld_set}]}, - "header.id": {to:[{field: "rsa.internal.header_id", setter: fld_set}]}, - "host.orig": {to:[{field: "rsa.network.host_orig", setter: fld_set}]}, - "host.state": {to:[{field: "rsa.endpoint.host_state", setter: fld_set}]}, - "host.type": {to:[{field: "rsa.network.host_type", setter: fld_set}]}, - "host_role": {to:[{field: "rsa.identity.host_role", setter: fld_set}]}, - "hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "hostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "hour": {to:[{field: "rsa.time.hour", setter: fld_set}]}, - "https.insact": {to:[{field: "rsa.crypto.https_insact", setter: fld_set}]}, - "https.valid": {to:[{field: "rsa.crypto.https_valid", setter: fld_set}]}, - "icmpcode": {convert: to_long, to:[{field: "rsa.network.icmp_code", setter: fld_set}]}, - "icmptype": {convert: to_long, to:[{field: "rsa.network.icmp_type", setter: fld_set}]}, - "id": {to:[{field: "rsa.misc.reference_id", setter: fld_set}]}, - "id1": {to:[{field: "rsa.misc.reference_id1", setter: fld_set}]}, - "id2": {to:[{field: "rsa.misc.reference_id2", setter: fld_set}]}, - "id3": {to:[{field: "rsa.misc.id3", setter: fld_set}]}, - "ike": {to:[{field: "rsa.crypto.ike", setter: fld_set}]}, - "ike_cookie1": {to:[{field: "rsa.crypto.ike_cookie1", setter: fld_set}]}, - "ike_cookie2": {to:[{field: "rsa.crypto.ike_cookie2", setter: fld_set}]}, - "im_buddyid": {to:[{field: "rsa.misc.im_buddyid", setter: fld_set}]}, - "im_buddyname": {to:[{field: "rsa.misc.im_buddyname", setter: fld_set}]}, - "im_client": {to:[{field: "rsa.misc.im_client", setter: fld_set}]}, - "im_croomid": {to:[{field: "rsa.misc.im_croomid", setter: fld_set}]}, - "im_croomtype": {to:[{field: "rsa.misc.im_croomtype", setter: fld_set}]}, - "im_members": {to:[{field: "rsa.misc.im_members", setter: fld_set}]}, - "im_userid": 
{to:[{field: "rsa.misc.im_userid", setter: fld_set}]}, - "im_username": {to:[{field: "rsa.misc.im_username", setter: fld_set}]}, - "index": {to:[{field: "rsa.misc.index", setter: fld_set}]}, - "info": {to:[{field: "rsa.db.index", setter: fld_set}]}, - "inode": {convert: to_long, to:[{field: "rsa.internal.inode", setter: fld_set}]}, - "inout": {to:[{field: "rsa.misc.inout", setter: fld_set}]}, - "instance": {to:[{field: "rsa.db.instance", setter: fld_set}]}, - "interface": {to:[{field: "rsa.network.interface", setter: fld_set}]}, - "inv.category": {to:[{field: "rsa.investigations.inv_category", setter: fld_set}]}, - "inv.context": {to:[{field: "rsa.investigations.inv_context", setter: fld_set}]}, - "ioc": {to:[{field: "rsa.investigations.ioc", setter: fld_set}]}, - "ip_proto": {convert: to_long, to:[{field: "rsa.network.ip_proto", setter: fld_set}]}, - "ipkt": {to:[{field: "rsa.misc.ipkt", setter: fld_set}]}, - "ipscat": {to:[{field: "rsa.misc.ipscat", setter: fld_set}]}, - "ipspri": {to:[{field: "rsa.misc.ipspri", setter: fld_set}]}, - "jobname": {to:[{field: "rsa.misc.jobname", setter: fld_set}]}, - "jobnum": {to:[{field: "rsa.misc.job_num", setter: fld_set}]}, - "laddr": {to:[{field: "rsa.network.laddr", setter: fld_set}]}, - "language": {to:[{field: "rsa.misc.language", setter: fld_set}]}, - "latitude": {to:[{field: "rsa.misc.latitude", setter: fld_set}]}, - "lc.cid": {to:[{field: "rsa.internal.lc_cid", setter: fld_set}]}, - "lc.ctime": {convert: to_date, to:[{field: "rsa.internal.lc_ctime", setter: fld_set}]}, - "ldap": {to:[{field: "rsa.identity.ldap", setter: fld_set}]}, - "ldap.query": {to:[{field: "rsa.identity.ldap_query", setter: fld_set}]}, - "ldap.response": {to:[{field: "rsa.identity.ldap_response", setter: fld_set}]}, - "level": {convert: to_long, to:[{field: "rsa.internal.level", setter: fld_set}]}, - "lhost": {to:[{field: "rsa.network.lhost", setter: fld_set}]}, - "library": {to:[{field: "rsa.misc.library", setter: fld_set}]}, - "lifetime": 
{convert: to_long, to:[{field: "rsa.misc.lifetime", setter: fld_set}]}, - "linenum": {to:[{field: "rsa.misc.linenum", setter: fld_set}]}, - "link": {to:[{field: "rsa.misc.link", setter: fld_set}]}, - "linterface": {to:[{field: "rsa.network.linterface", setter: fld_set}]}, - "list_name": {to:[{field: "rsa.misc.list_name", setter: fld_set}]}, - "listnum": {to:[{field: "rsa.misc.listnum", setter: fld_set}]}, - "load_data": {to:[{field: "rsa.misc.load_data", setter: fld_set}]}, - "location_floor": {to:[{field: "rsa.misc.location_floor", setter: fld_set}]}, - "location_mark": {to:[{field: "rsa.misc.location_mark", setter: fld_set}]}, - "log_id": {to:[{field: "rsa.misc.log_id", setter: fld_set}]}, - "log_type": {to:[{field: "rsa.misc.log_type", setter: fld_set}]}, - "logid": {to:[{field: "rsa.misc.logid", setter: fld_set}]}, - "logip": {to:[{field: "rsa.misc.logip", setter: fld_set}]}, - "logname": {to:[{field: "rsa.misc.logname", setter: fld_set}]}, - "logon_type": {to:[{field: "rsa.identity.logon_type", setter: fld_set}]}, - "logon_type_desc": {to:[{field: "rsa.identity.logon_type_desc", setter: fld_set}]}, - "longitude": {to:[{field: "rsa.misc.longitude", setter: fld_set}]}, - "lport": {to:[{field: "rsa.misc.lport", setter: fld_set}]}, - "lread": {convert: to_long, to:[{field: "rsa.db.lread", setter: fld_set}]}, - "lun": {to:[{field: "rsa.storage.lun", setter: fld_set}]}, - "lwrite": {convert: to_long, to:[{field: "rsa.db.lwrite", setter: fld_set}]}, - "macaddr": {convert: to_mac, to:[{field: "rsa.network.eth_host", setter: fld_set}]}, - "mail_id": {to:[{field: "rsa.misc.mail_id", setter: fld_set}]}, - "mask": {to:[{field: "rsa.network.mask", setter: fld_set}]}, - "match": {to:[{field: "rsa.misc.match", setter: fld_set}]}, - "mbug_data": {to:[{field: "rsa.misc.mbug_data", setter: fld_set}]}, - "mcb.req": {convert: to_long, to:[{field: "rsa.internal.mcb_req", setter: fld_set}]}, - "mcb.res": {convert: to_long, to:[{field: "rsa.internal.mcb_res", setter: fld_set}]}, - 
"mcbc.req": {convert: to_long, to:[{field: "rsa.internal.mcbc_req", setter: fld_set}]}, - "mcbc.res": {convert: to_long, to:[{field: "rsa.internal.mcbc_res", setter: fld_set}]}, - "medium": {convert: to_long, to:[{field: "rsa.internal.medium", setter: fld_set}]}, - "message": {to:[{field: "rsa.internal.message", setter: fld_set}]}, - "message_body": {to:[{field: "rsa.misc.message_body", setter: fld_set}]}, - "messageid": {to:[{field: "rsa.internal.messageid", setter: fld_set}]}, - "min": {to:[{field: "rsa.time.min", setter: fld_set}]}, - "misc": {to:[{field: "rsa.misc.misc", setter: fld_set}]}, - "misc_name": {to:[{field: "rsa.misc.misc_name", setter: fld_set}]}, - "mode": {to:[{field: "rsa.misc.mode", setter: fld_set}]}, - "month": {to:[{field: "rsa.time.month", setter: fld_set}]}, - "msg": {to:[{field: "rsa.internal.msg", setter: fld_set}]}, - "msgIdPart1": {to:[{field: "rsa.misc.msgIdPart1", setter: fld_set}]}, - "msgIdPart2": {to:[{field: "rsa.misc.msgIdPart2", setter: fld_set}]}, - "msgIdPart3": {to:[{field: "rsa.misc.msgIdPart3", setter: fld_set}]}, - "msgIdPart4": {to:[{field: "rsa.misc.msgIdPart4", setter: fld_set}]}, - "msg_id": {to:[{field: "rsa.internal.msg_id", setter: fld_set}]}, - "msg_type": {to:[{field: "rsa.misc.msg_type", setter: fld_set}]}, - "msgid": {to:[{field: "rsa.misc.msgid", setter: fld_set}]}, - "name": {to:[{field: "rsa.misc.name", setter: fld_set}]}, - "netname": {to:[{field: "rsa.network.netname", setter: fld_set}]}, - "netsessid": {to:[{field: "rsa.misc.netsessid", setter: fld_set}]}, - "network_port": {convert: to_long, to:[{field: "rsa.network.network_port", setter: fld_set}]}, - "network_service": {to:[{field: "rsa.network.network_service", setter: fld_set}]}, - "node": {to:[{field: "rsa.misc.node", setter: fld_set}]}, - "nodename": {to:[{field: "rsa.internal.node_name", setter: fld_set}]}, - "ntype": {to:[{field: "rsa.misc.ntype", setter: fld_set}]}, - "num": {to:[{field: "rsa.misc.num", setter: fld_set}]}, - "number": 
{to:[{field: "rsa.misc.number", setter: fld_set}]}, - "number1": {to:[{field: "rsa.misc.number1", setter: fld_set}]}, - "number2": {to:[{field: "rsa.misc.number2", setter: fld_set}]}, - "nwe.callback_id": {to:[{field: "rsa.internal.nwe_callback_id", setter: fld_set}]}, - "nwwn": {to:[{field: "rsa.misc.nwwn", setter: fld_set}]}, - "obj_id": {to:[{field: "rsa.internal.obj_id", setter: fld_set}]}, - "obj_name": {to:[{field: "rsa.misc.obj_name", setter: fld_set}]}, - "obj_server": {to:[{field: "rsa.internal.obj_server", setter: fld_set}]}, - "obj_type": {to:[{field: "rsa.misc.obj_type", setter: fld_set}]}, - "obj_value": {to:[{field: "rsa.internal.obj_val", setter: fld_set}]}, - "object": {to:[{field: "rsa.misc.object", setter: fld_set}]}, - "observed_val": {to:[{field: "rsa.misc.observed_val", setter: fld_set}]}, - "operation": {to:[{field: "rsa.misc.operation", setter: fld_set}]}, - "operation_id": {to:[{field: "rsa.misc.operation_id", setter: fld_set}]}, - "opkt": {to:[{field: "rsa.misc.opkt", setter: fld_set}]}, - "org.dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 1}]}, - "org.src": {to:[{field: "rsa.physical.org_src", setter: fld_set}]}, - "org_dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 0}]}, - "orig_from": {to:[{field: "rsa.misc.orig_from", setter: fld_set}]}, - "origin": {to:[{field: "rsa.network.origin", setter: fld_set}]}, - "original_owner": {to:[{field: "rsa.identity.owner", setter: fld_set}]}, - "os": {to:[{field: "rsa.misc.OS", setter: fld_set}]}, - "owner_id": {to:[{field: "rsa.misc.owner_id", setter: fld_set}]}, - "p_action": {to:[{field: "rsa.misc.p_action", setter: fld_set}]}, - "p_date": {to:[{field: "rsa.time.p_date", setter: fld_set}]}, - "p_filter": {to:[{field: "rsa.misc.p_filter", setter: fld_set}]}, - "p_group_object": {to:[{field: "rsa.misc.p_group_object", setter: fld_set}]}, - "p_id": {to:[{field: "rsa.misc.p_id", setter: fld_set}]}, - "p_month": {to:[{field: "rsa.time.p_month", setter: fld_set}]}, 
- "p_msgid": {to:[{field: "rsa.misc.p_msgid", setter: fld_set}]}, - "p_msgid1": {to:[{field: "rsa.misc.p_msgid1", setter: fld_set}]}, - "p_msgid2": {to:[{field: "rsa.misc.p_msgid2", setter: fld_set}]}, - "p_result1": {to:[{field: "rsa.misc.p_result1", setter: fld_set}]}, - "p_time": {to:[{field: "rsa.time.p_time", setter: fld_set}]}, - "p_time1": {to:[{field: "rsa.time.p_time1", setter: fld_set}]}, - "p_time2": {to:[{field: "rsa.time.p_time2", setter: fld_set}]}, - "p_url": {to:[{field: "rsa.web.p_url", setter: fld_set}]}, - "p_user_agent": {to:[{field: "rsa.web.p_user_agent", setter: fld_set}]}, - "p_web_cookie": {to:[{field: "rsa.web.p_web_cookie", setter: fld_set}]}, - "p_web_method": {to:[{field: "rsa.web.p_web_method", setter: fld_set}]}, - "p_web_referer": {to:[{field: "rsa.web.p_web_referer", setter: fld_set}]}, - "p_year": {to:[{field: "rsa.time.p_year", setter: fld_set}]}, - "packet_length": {to:[{field: "rsa.network.packet_length", setter: fld_set}]}, - "paddr": {convert: to_ip, to:[{field: "rsa.network.paddr", setter: fld_set}]}, - "param": {to:[{field: "rsa.misc.param", setter: fld_set}]}, - "param.dst": {to:[{field: "rsa.misc.param_dst", setter: fld_set}]}, - "param.src": {to:[{field: "rsa.misc.param_src", setter: fld_set}]}, - "parent_node": {to:[{field: "rsa.misc.parent_node", setter: fld_set}]}, - "parse.error": {to:[{field: "rsa.internal.parse_error", setter: fld_set}]}, - "password": {to:[{field: "rsa.identity.password", setter: fld_set}]}, - "password_chg": {to:[{field: "rsa.misc.password_chg", setter: fld_set}]}, - "password_expire": {to:[{field: "rsa.misc.password_expire", setter: fld_set}]}, - "patient_fname": {to:[{field: "rsa.healthcare.patient_fname", setter: fld_set}]}, - "patient_id": {to:[{field: "rsa.healthcare.patient_id", setter: fld_set}]}, - "patient_lname": {to:[{field: "rsa.healthcare.patient_lname", setter: fld_set}]}, - "patient_mname": {to:[{field: "rsa.healthcare.patient_mname", setter: fld_set}]}, - "payload.req": {convert: 
to_long, to:[{field: "rsa.internal.payload_req", setter: fld_set}]}, - "payload.res": {convert: to_long, to:[{field: "rsa.internal.payload_res", setter: fld_set}]}, - "peer": {to:[{field: "rsa.crypto.peer", setter: fld_set}]}, - "peer_id": {to:[{field: "rsa.crypto.peer_id", setter: fld_set}]}, - "permgranted": {to:[{field: "rsa.misc.permgranted", setter: fld_set}]}, - "permissions": {to:[{field: "rsa.db.permissions", setter: fld_set}]}, - "permwanted": {to:[{field: "rsa.misc.permwanted", setter: fld_set}]}, - "pgid": {to:[{field: "rsa.misc.pgid", setter: fld_set}]}, - "phone_number": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 2}]}, - "phost": {to:[{field: "rsa.network.phost", setter: fld_set}]}, - "pid": {to:[{field: "rsa.misc.pid", setter: fld_set}]}, - "policy": {to:[{field: "rsa.misc.policy", setter: fld_set}]}, - "policyUUID": {to:[{field: "rsa.misc.policyUUID", setter: fld_set}]}, - "policy_id": {to:[{field: "rsa.misc.policy_id", setter: fld_set}]}, - "policy_value": {to:[{field: "rsa.misc.policy_value", setter: fld_set}]}, - "policy_waiver": {to:[{field: "rsa.misc.policy_waiver", setter: fld_set}]}, - "policyname": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 0}]}, - "pool_id": {to:[{field: "rsa.misc.pool_id", setter: fld_set}]}, - "pool_name": {to:[{field: "rsa.misc.pool_name", setter: fld_set}]}, - "port": {convert: to_long, to:[{field: "rsa.network.port", setter: fld_set}]}, - "portname": {to:[{field: "rsa.misc.port_name", setter: fld_set}]}, - "pread": {convert: to_long, to:[{field: "rsa.db.pread", setter: fld_set}]}, - "priority": {to:[{field: "rsa.misc.priority", setter: fld_set}]}, - "privilege": {to:[{field: "rsa.file.privilege", setter: fld_set}]}, - "process.vid.dst": {to:[{field: "rsa.internal.process_vid_dst", setter: fld_set}]}, - "process.vid.src": {to:[{field: "rsa.internal.process_vid_src", setter: fld_set}]}, - "process_id_val": {to:[{field: "rsa.misc.process_id_val", setter: fld_set}]}, - "processing_time": 
{to:[{field: "rsa.time.process_time", setter: fld_set}]}, - "profile": {to:[{field: "rsa.identity.profile", setter: fld_set}]}, - "prog_asp_num": {to:[{field: "rsa.misc.prog_asp_num", setter: fld_set}]}, - "program": {to:[{field: "rsa.misc.program", setter: fld_set}]}, - "protocol_detail": {to:[{field: "rsa.network.protocol_detail", setter: fld_set}]}, - "pwwn": {to:[{field: "rsa.storage.pwwn", setter: fld_set}]}, - "r_hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "real_data": {to:[{field: "rsa.misc.real_data", setter: fld_set}]}, - "realm": {to:[{field: "rsa.identity.realm", setter: fld_set}]}, - "reason": {to:[{field: "rsa.misc.reason", setter: fld_set}]}, - "rec_asp_device": {to:[{field: "rsa.misc.rec_asp_device", setter: fld_set}]}, - "rec_asp_num": {to:[{field: "rsa.misc.rec_asp_num", setter: fld_set}]}, - "rec_library": {to:[{field: "rsa.misc.rec_library", setter: fld_set}]}, - "recorded_time": {convert: to_date, to:[{field: "rsa.time.recorded_time", setter: fld_set}]}, - "recordnum": {to:[{field: "rsa.misc.recordnum", setter: fld_set}]}, - "registry.key": {to:[{field: "rsa.endpoint.registry_key", setter: fld_set}]}, - "registry.value": {to:[{field: "rsa.endpoint.registry_value", setter: fld_set}]}, - "remote_domain": {to:[{field: "rsa.web.remote_domain", setter: fld_set}]}, - "remote_domain_id": {to:[{field: "rsa.network.remote_domain_id", setter: fld_set}]}, - "reputation_num": {convert: to_double, to:[{field: "rsa.web.reputation_num", setter: fld_set}]}, - "resource": {to:[{field: "rsa.internal.resource", setter: fld_set}]}, - "resource_class": {to:[{field: "rsa.internal.resource_class", setter: fld_set}]}, - "result": {to:[{field: "rsa.misc.result", setter: fld_set}]}, - "result_code": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 1}]}, - "resultcode": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 0}]}, - "rid": {convert: to_long, to:[{field: "rsa.internal.rid", setter: fld_set}]}, - "risk": 
{to:[{field: "rsa.misc.risk", setter: fld_set}]}, - "risk_info": {to:[{field: "rsa.misc.risk_info", setter: fld_set}]}, - "risk_num": {convert: to_double, to:[{field: "rsa.misc.risk_num", setter: fld_set}]}, - "risk_num_comm": {convert: to_double, to:[{field: "rsa.misc.risk_num_comm", setter: fld_set}]}, - "risk_num_next": {convert: to_double, to:[{field: "rsa.misc.risk_num_next", setter: fld_set}]}, - "risk_num_sand": {convert: to_double, to:[{field: "rsa.misc.risk_num_sand", setter: fld_set}]}, - "risk_num_static": {convert: to_double, to:[{field: "rsa.misc.risk_num_static", setter: fld_set}]}, - "risk_suspicious": {to:[{field: "rsa.misc.risk_suspicious", setter: fld_set}]}, - "risk_warning": {to:[{field: "rsa.misc.risk_warning", setter: fld_set}]}, - "rpayload": {to:[{field: "rsa.network.rpayload", setter: fld_set}]}, - "ruid": {to:[{field: "rsa.misc.ruid", setter: fld_set}]}, - "rule": {to:[{field: "rsa.misc.rule", setter: fld_set}]}, - "rule_group": {to:[{field: "rsa.misc.rule_group", setter: fld_set}]}, - "rule_template": {to:[{field: "rsa.misc.rule_template", setter: fld_set}]}, - "rule_uid": {to:[{field: "rsa.misc.rule_uid", setter: fld_set}]}, - "rulename": {to:[{field: "rsa.misc.rule_name", setter: fld_set}]}, - "s_certauth": {to:[{field: "rsa.crypto.s_certauth", setter: fld_set}]}, - "s_cipher": {to:[{field: "rsa.crypto.cipher_src", setter: fld_set}]}, - "s_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_src", setter: fld_set}]}, - "s_context": {to:[{field: "rsa.misc.context_subject", setter: fld_set}]}, - "s_sslver": {to:[{field: "rsa.crypto.ssl_ver_src", setter: fld_set}]}, - "sburb": {to:[{field: "rsa.misc.sburb", setter: fld_set}]}, - "scheme": {to:[{field: "rsa.crypto.scheme", setter: fld_set}]}, - "sdomain_fld": {to:[{field: "rsa.misc.sdomain_fld", setter: fld_set}]}, - "search.text": {to:[{field: "rsa.misc.search_text", setter: fld_set}]}, - "sec": {to:[{field: "rsa.misc.sec", setter: fld_set}]}, - "second": {to:[{field: 
"rsa.misc.second", setter: fld_set}]}, - "sensor": {to:[{field: "rsa.misc.sensor", setter: fld_set}]}, - "sensorname": {to:[{field: "rsa.misc.sensorname", setter: fld_set}]}, - "seqnum": {to:[{field: "rsa.misc.seqnum", setter: fld_set}]}, - "serial_number": {to:[{field: "rsa.misc.serial_number", setter: fld_set}]}, - "service.account": {to:[{field: "rsa.identity.service_account", setter: fld_set}]}, - "session": {to:[{field: "rsa.misc.session", setter: fld_set}]}, - "session.split": {to:[{field: "rsa.internal.session_split", setter: fld_set}]}, - "sessionid": {to:[{field: "rsa.misc.log_session_id", setter: fld_set}]}, - "sessionid1": {to:[{field: "rsa.misc.log_session_id1", setter: fld_set}]}, - "sessiontype": {to:[{field: "rsa.misc.sessiontype", setter: fld_set}]}, - "severity": {to:[{field: "rsa.misc.severity", setter: fld_set}]}, - "sid": {to:[{field: "rsa.identity.user_sid_dst", setter: fld_set}]}, - "sig.name": {to:[{field: "rsa.misc.sig_name", setter: fld_set}]}, - "sigUUID": {to:[{field: "rsa.misc.sigUUID", setter: fld_set}]}, - "sigcat": {to:[{field: "rsa.misc.sigcat", setter: fld_set}]}, - "sigid": {convert: to_long, to:[{field: "rsa.misc.sig_id", setter: fld_set}]}, - "sigid1": {convert: to_long, to:[{field: "rsa.misc.sig_id1", setter: fld_set}]}, - "sigid_string": {to:[{field: "rsa.misc.sig_id_str", setter: fld_set}]}, - "signame": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 1}]}, - "sigtype": {to:[{field: "rsa.crypto.sig_type", setter: fld_set}]}, - "sinterface": {to:[{field: "rsa.network.sinterface", setter: fld_set}]}, - "site": {to:[{field: "rsa.internal.site", setter: fld_set}]}, - "size": {convert: to_long, to:[{field: "rsa.internal.size", setter: fld_set}]}, - "smask": {to:[{field: "rsa.network.smask", setter: fld_set}]}, - "snmp.oid": {to:[{field: "rsa.misc.snmp_oid", setter: fld_set}]}, - "snmp.value": {to:[{field: "rsa.misc.snmp_value", setter: fld_set}]}, - "sourcefile": {to:[{field: "rsa.internal.sourcefile", setter: 
fld_set}]}, - "space": {to:[{field: "rsa.misc.space", setter: fld_set}]}, - "space1": {to:[{field: "rsa.misc.space1", setter: fld_set}]}, - "spi": {to:[{field: "rsa.misc.spi", setter: fld_set}]}, - "sql": {to:[{field: "rsa.misc.sql", setter: fld_set}]}, - "src_dn": {to:[{field: "rsa.identity.dn_src", setter: fld_set}]}, - "src_payload": {to:[{field: "rsa.misc.payload_src", setter: fld_set}]}, - "src_spi": {to:[{field: "rsa.misc.spi_src", setter: fld_set}]}, - "src_zone": {to:[{field: "rsa.network.zone_src", setter: fld_set}]}, - "srcburb": {to:[{field: "rsa.misc.srcburb", setter: fld_set}]}, - "srcdom": {to:[{field: "rsa.misc.srcdom", setter: fld_set}]}, - "srcservice": {to:[{field: "rsa.misc.srcservice", setter: fld_set}]}, - "ssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 0}]}, - "stamp": {convert: to_date, to:[{field: "rsa.time.stamp", setter: fld_set}]}, - "starttime": {convert: to_date, to:[{field: "rsa.time.starttime", setter: fld_set}]}, - "state": {to:[{field: "rsa.misc.state", setter: fld_set}]}, - "statement": {to:[{field: "rsa.internal.statement", setter: fld_set}]}, - "status": {to:[{field: "rsa.misc.status", setter: fld_set}]}, - "status1": {to:[{field: "rsa.misc.status1", setter: fld_set}]}, - "streams": {convert: to_long, to:[{field: "rsa.misc.streams", setter: fld_set}]}, - "subcategory": {to:[{field: "rsa.misc.subcategory", setter: fld_set}]}, - "subject": {to:[{field: "rsa.email.subject", setter: fld_set}]}, - "svcno": {to:[{field: "rsa.misc.svcno", setter: fld_set}]}, - "system": {to:[{field: "rsa.misc.system", setter: fld_set}]}, - "t_context": {to:[{field: "rsa.misc.context_target", setter: fld_set}]}, - "task_name": {to:[{field: "rsa.file.task_name", setter: fld_set}]}, - "tbdstr1": {to:[{field: "rsa.misc.tbdstr1", setter: fld_set}]}, - "tbdstr2": {to:[{field: "rsa.misc.tbdstr2", setter: fld_set}]}, - "tbl_name": {to:[{field: "rsa.db.table_name", setter: fld_set}]}, - "tcp_flags": {convert: to_long, to:[{field: 
"rsa.misc.tcp_flags", setter: fld_set}]}, - "terminal": {to:[{field: "rsa.misc.terminal", setter: fld_set}]}, - "tgtdom": {to:[{field: "rsa.misc.tgtdom", setter: fld_set}]}, - "tgtdomain": {to:[{field: "rsa.misc.tgtdomain", setter: fld_set}]}, - "threat_name": {to:[{field: "rsa.threat.threat_category", setter: fld_set}]}, - "threat_source": {to:[{field: "rsa.threat.threat_source", setter: fld_set}]}, - "threat_val": {to:[{field: "rsa.threat.threat_desc", setter: fld_set}]}, - "threshold": {to:[{field: "rsa.misc.threshold", setter: fld_set}]}, - "time": {convert: to_date, to:[{field: "rsa.internal.time", setter: fld_set}]}, - "timestamp": {to:[{field: "rsa.time.timestamp", setter: fld_set}]}, - "timezone": {to:[{field: "rsa.time.timezone", setter: fld_set}]}, - "to": {to:[{field: "rsa.email.email_dst", setter: fld_set}]}, - "tos": {convert: to_long, to:[{field: "rsa.misc.tos", setter: fld_set}]}, - "trans_from": {to:[{field: "rsa.email.trans_from", setter: fld_set}]}, - "trans_id": {to:[{field: "rsa.db.transact_id", setter: fld_set}]}, - "trans_to": {to:[{field: "rsa.email.trans_to", setter: fld_set}]}, - "trigger_desc": {to:[{field: "rsa.misc.trigger_desc", setter: fld_set}]}, - "trigger_val": {to:[{field: "rsa.misc.trigger_val", setter: fld_set}]}, - "type": {to:[{field: "rsa.misc.type", setter: fld_set}]}, - "type1": {to:[{field: "rsa.misc.type1", setter: fld_set}]}, - "tzone": {to:[{field: "rsa.time.tzone", setter: fld_set}]}, - "ubc.req": {convert: to_long, to:[{field: "rsa.internal.ubc_req", setter: fld_set}]}, - "ubc.res": {convert: to_long, to:[{field: "rsa.internal.ubc_res", setter: fld_set}]}, - "udb_class": {to:[{field: "rsa.misc.udb_class", setter: fld_set}]}, - "url_fld": {to:[{field: "rsa.misc.url_fld", setter: fld_set}]}, - "urlpage": {to:[{field: "rsa.web.urlpage", setter: fld_set}]}, - "urlroot": {to:[{field: "rsa.web.urlroot", setter: fld_set}]}, - "user_address": {to:[{field: "rsa.email.email", setter: fld_append}]}, - "user_dept": {to:[{field: 
"rsa.identity.user_dept", setter: fld_set}]}, - "user_div": {to:[{field: "rsa.misc.user_div", setter: fld_set}]}, - "user_fname": {to:[{field: "rsa.identity.firstname", setter: fld_set}]}, - "user_lname": {to:[{field: "rsa.identity.lastname", setter: fld_set}]}, - "user_mname": {to:[{field: "rsa.identity.middlename", setter: fld_set}]}, - "user_org": {to:[{field: "rsa.identity.org", setter: fld_set}]}, - "user_role": {to:[{field: "rsa.identity.user_role", setter: fld_set}]}, - "userid": {to:[{field: "rsa.misc.userid", setter: fld_set}]}, - "username_fld": {to:[{field: "rsa.misc.username_fld", setter: fld_set}]}, - "utcstamp": {to:[{field: "rsa.misc.utcstamp", setter: fld_set}]}, - "v_instafname": {to:[{field: "rsa.misc.v_instafname", setter: fld_set}]}, - "vendor_event_cat": {to:[{field: "rsa.investigations.event_vcat", setter: fld_set}]}, - "version": {to:[{field: "rsa.misc.version", setter: fld_set}]}, - "vid": {to:[{field: "rsa.internal.msg_vid", setter: fld_set}]}, - "virt_data": {to:[{field: "rsa.misc.virt_data", setter: fld_set}]}, - "virusname": {to:[{field: "rsa.misc.virusname", setter: fld_set}]}, - "vlan": {convert: to_long, to:[{field: "rsa.network.vlan", setter: fld_set}]}, - "vlan.name": {to:[{field: "rsa.network.vlan_name", setter: fld_set}]}, - "vm_target": {to:[{field: "rsa.misc.vm_target", setter: fld_set}]}, - "vpnid": {to:[{field: "rsa.misc.vpnid", setter: fld_set}]}, - "vsys": {to:[{field: "rsa.misc.vsys", setter: fld_set}]}, - "vuln_ref": {to:[{field: "rsa.misc.vuln_ref", setter: fld_set}]}, - "web_cookie": {to:[{field: "rsa.web.web_cookie", setter: fld_set}]}, - "web_extension_tmp": {to:[{field: "rsa.web.web_extension_tmp", setter: fld_set}]}, - "web_host": {to:[{field: "rsa.web.alias_host", setter: fld_set}]}, - "web_method": {to:[{field: "rsa.misc.action", setter: fld_append}]}, - "web_page": {to:[{field: "rsa.web.web_page", setter: fld_set}]}, - "web_ref_domain": {to:[{field: "rsa.web.web_ref_domain", setter: fld_set}]}, - "web_ref_host": 
{to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "web_ref_page": {to:[{field: "rsa.web.web_ref_page", setter: fld_set}]}, - "web_ref_query": {to:[{field: "rsa.web.web_ref_query", setter: fld_set}]}, - "web_ref_root": {to:[{field: "rsa.web.web_ref_root", setter: fld_set}]}, - "wifi_channel": {convert: to_long, to:[{field: "rsa.wireless.wlan_channel", setter: fld_set}]}, - "wlan": {to:[{field: "rsa.wireless.wlan_name", setter: fld_set}]}, - "word": {to:[{field: "rsa.internal.word", setter: fld_set}]}, - "workspace_desc": {to:[{field: "rsa.misc.workspace", setter: fld_set}]}, - "workstation": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "year": {to:[{field: "rsa.time.year", setter: fld_set}]}, - "zone": {to:[{field: "rsa.network.zone", setter: fld_set}]}, - }; - - function to_date(value) { - switch (typeof (value)) { - case "object": - // This is a Date. But as it was obtained from evt.Get(), the VM - // doesn't see it as a JS Date anymore, thus value instanceof Date === false. - // Have to trust that any object here is a valid Date for Go. - return value; - case "string": - var asDate = new Date(value); - if (!isNaN(asDate)) return asDate; - } - } - - // ECMAScript 5.1 doesn't have Object.MAX_SAFE_INTEGER / Object.MIN_SAFE_INTEGER. - var maxSafeInt = Math.pow(2, 53) - 1; - var minSafeInt = -maxSafeInt; - - function to_long(value) { - var num = parseInt(value); - // Better not to index a number if it's not safe (above 53 bits). - return !isNaN(num) && minSafeInt <= num && num <= maxSafeInt ? 
num : undefined; - } - - function to_ip(value) { - if (value.indexOf(":") === -1) - return to_ipv4(value); - return to_ipv6(value); - } - - var ipv4_regex = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/; - var ipv6_hex_regex = /^[0-9A-Fa-f]{1,4}$/; - - function to_ipv4(value) { - var result = ipv4_regex.exec(value); - if (result == null || result.length !== 5) return; - for (var i = 1; i < 5; i++) { - var num = strictToInt(result[i]); - if (isNaN(num) || num < 0 || num > 255) return; - } - return value; - } - - function to_ipv6(value) { - var sqEnd = value.indexOf("]"); - if (sqEnd > -1) { - if (value.charAt(0) !== "[") return; - value = value.substr(1, sqEnd - 1); - } - var zoneOffset = value.indexOf("%"); - if (zoneOffset > -1) { - value = value.substr(0, zoneOffset); - } - var parts = value.split(":"); - if (parts == null || parts.length < 3 || parts.length > 8) return; - var numEmpty = 0; - var innerEmpty = 0; - for (var i = 0; i < parts.length; i++) { - if (parts[i].length === 0) { - numEmpty++; - if (i > 0 && i + 1 < parts.length) innerEmpty++; - } else if (!parts[i].match(ipv6_hex_regex) && - // Accept an IPv6 with a valid IPv4 at the end. - ((i + 1 < parts.length) || !to_ipv4(parts[i]))) { - return; - } - } - return innerEmpty === 0 && parts.length === 8 || innerEmpty === 1 ? value : undefined; - } - - function to_double(value) { - return parseFloat(value); - } - - function to_mac(value) { - // ES doesn't have a mac datatype so it's safe to ingest whatever was captured. - return value; - } - - function to_lowercase(value) { - // to_lowercase is used against keyword fields, which can accept - // any other type (numbers, dates). - return typeof(value) === "string"? 
value.toLowerCase() : value; - } - - function fld_set(dst, value) { - dst[this.field] = { v: value }; - } - - function fld_append(dst, value) { - if (dst[this.field] === undefined) { - dst[this.field] = { v: [value] }; - } else { - var base = dst[this.field]; - if (base.v.indexOf(value)===-1) base.v.push(value); - } - } - - function fld_prio(dst, value) { - if (dst[this.field] === undefined) { - dst[this.field] = { v: value, prio: this.prio}; - } else if(this.prio < dst[this.field].prio) { - dst[this.field].v = value; - dst[this.field].prio = this.prio; - } - } - - var valid_ecs_outcome = { - 'failure': true, - 'success': true, - 'unknown': true - }; - - function fld_ecs_outcome(dst, value) { - value = value.toLowerCase(); - if (valid_ecs_outcome[value] === undefined) { - value = 'unknown'; - } - if (dst[this.field] === undefined) { - dst[this.field] = { v: value }; - } else if (dst[this.field].v === 'unknown') { - dst[this.field] = { v: value }; - } - } - - function map_all(evt, targets, value) { - for (var i = 0; i < targets.length; i++) { - evt.Put(targets[i], value); - } - } - - function populate_fields(evt) { - var base = evt.Get(FIELDS_OBJECT); - if (base === null) return; - alternate_datetime(evt); - if (map_ecs) { - do_populate(evt, base, ecs_mappings); - } - if (map_rsa) { - do_populate(evt, base, rsa_mappings); - } - if (keep_raw) { - evt.Put("rsa.raw", base); - } - evt.Delete(FIELDS_OBJECT); - } - - var datetime_alt_components = [ - {field: "day", fmts: [[dF]]}, - {field: "year", fmts: [[dW]]}, - {field: "month", fmts: [[dB],[dG]]}, - {field: "date", fmts: [[dW,dSkip,dG,dSkip,dF],[dW,dSkip,dB,dSkip,dF],[dW,dSkip,dR,dSkip,dF]]}, - {field: "hour", fmts: [[dN]]}, - {field: "min", fmts: [[dU]]}, - {field: "secs", fmts: [[dO]]}, - {field: "time", fmts: [[dN, dSkip, dU, dSkip, dO]]}, - ]; - - function alternate_datetime(evt) { - if (evt.Get(FIELDS_PREFIX + "event_time") != null) { - return; - } - var tzOffset = tz_offset; - if (tzOffset === "event") { - 
tzOffset = evt.Get("event.timezone"); - } - var container = new DateContainer(tzOffset); - for (var i=0; i} time=%{htime->} devname=%{hdevice->} device_id=%{hfld1->} log_id=%{id->} type=%{hfld2->} subtype=%{hfld3->} pri=%{hseverity->} %{payload}", processor_chain([ - setc("header_id","0001"), - call({ - dest: "nwparser.messageid", - fn: STRCAT, - args: [ - field("hfld2"), - constant("_fortinetmgr"), - ], - }), - ])); - - var hdr2 = match("HEADER#1:0002", "message", "logver=%{hfld1->} date=%{hdate->} time=%{htime->} log_id=%{id->} %{payload}", processor_chain([ - setc("header_id","0002"), - dup1, - ])); - - var hdr3 = match("HEADER#2:0003", "message", "date=%{hdate->} time=%{htime->} logver=%{fld1->} %{payload}", processor_chain([ - setc("header_id","0003"), - dup1, - ])); - - var hdr4 = match("HEADER#3:0004", "message", "logver=%{hfld1->} dtime=%{hdatetime->} devid=%{hfld2->} devname=%{hdevice->} %{payload}", processor_chain([ - setc("header_id","0004"), - dup2, - ])); - - var hdr5 = match("HEADER#4:0005", "message", "logver=%{hfld1->} devname=\"%{hdevice}\" devid=\"%{hfld2}\" %{payload}", processor_chain([ - setc("header_id","0005"), - dup2, - ])); - - var select1 = linear_select([ - hdr1, - hdr2, - hdr3, - hdr4, - hdr5, - ]); - - var part1 = match("MESSAGE#0:fortinetmgr:01", "nwparser.payload", "user=%{fld1->} adom=%{domain->} user=%{username->} ui=%{fld2->} action=%{action->} status=%{event_state->} msg=\"%{event_description}\"", processor_chain([ - dup3, - dup4, - dup5, - dup6, - dup7, - dup8, - dup9, - dup10, - ])); - - var msg1 = msg("fortinetmgr:01", part1); - - var part2 = match("MESSAGE#1:fortinetmgr", "nwparser.payload", "user=%{username->} adom=%{domain->} msg=\"%{event_description}\"", processor_chain([ - dup3, - dup4, - dup5, - dup6, - dup7, - dup8, - dup9, - dup10, - ])); - - var msg2 = msg("fortinetmgr", part2); - - var part3 = match("MESSAGE#2:fortinetmgr:04/0", "nwparser.payload", "user=\"%{username}\" userfrom=%{fld7->} msg=\"%{p0}"); - - var 
part4 = match("MESSAGE#2:fortinetmgr:04/1_0", "nwparser.p0", "User%{p0}"); - - var part5 = match("MESSAGE#2:fortinetmgr:04/1_1", "nwparser.p0", "user%{p0}"); - - var select2 = linear_select([ - part4, - part5, - ]); - - var part6 = match("MESSAGE#2:fortinetmgr:04/2", "nwparser.p0", "%{}'%{fld3}' with profile '%{fld4}' %{fld5->} from %{fld6}(%{hostip})%{p0}"); - - var part7 = match("MESSAGE#2:fortinetmgr:04/3_0", "nwparser.p0", ".\"%{p0}"); - - var part8 = match("MESSAGE#2:fortinetmgr:04/3_1", "nwparser.p0", "\"%{p0}"); - - var select3 = linear_select([ - part7, - part8, - ]); - - var part9 = match("MESSAGE#2:fortinetmgr:04/4", "nwparser.p0", "%{}adminprof=%{p0}"); - - var part10 = match("MESSAGE#2:fortinetmgr:04/5_0", "nwparser.p0", "%{fld2->} sid=%{sid->} user_type=\"%{profile}\""); - - var part11 = match_copy("MESSAGE#2:fortinetmgr:04/5_1", "nwparser.p0", "fld2"); - - var select4 = linear_select([ - part10, - part11, - ]); - - var all1 = all_match({ - processors: [ - part3, - select2, - part6, - select3, - part9, - select4, - ], - on_success: processor_chain([ - dup11, - dup4, - lookup({ - dest: "nwparser.event_cat", - map: map_getEventLegacyCategory, - key: field("fld5"), - }), - dup22, - dup5, - dup6, - dup7, - dup8, - dup9, - dup10, - ]), - }); - - var msg3 = msg("fortinetmgr:04", all1); - - var part12 = match("MESSAGE#3:fortinetmgr:02", "nwparser.payload", "user=%{username->} userfrom=%{fld4->} msg=\"%{event_description}\" adminprof=%{fld2}", processor_chain([ - dup3, - dup4, - dup5, - dup6, - dup7, - dup8, - dup9, - dup10, - ])); - - var msg4 = msg("fortinetmgr:02", part12); - - var part13 = match("MESSAGE#4:fortinetmgr:03", "nwparser.payload", "user=\"%{username}\" msg=\"Login from ssh:%{fld1->} for %{fld2->} from %{saddr->} port %{sport}\" remote_ip=\"%{daddr}\" remote_port=%{dport->} valid=%{fld3->} authmsg=\"%{result}\" extrainfo=%{fld5}", processor_chain([ - dup11, - dup4, - dup5, - dup6, - dup7, - dup8, - dup9, - dup10, - lookup({ - dest: 
"nwparser.event_cat", - map: map_getEventLegacyCategory, - key: field("result"), - }), - dup22, - ])); - - var msg5 = msg("fortinetmgr:03", part13); - - var part14 = match("MESSAGE#5:fortinetmgr:05/0", "nwparser.payload", "user=\"%{username}\" userfrom=\"%{fld1}\"msg=\"%{p0}"); - - var part15 = match("MESSAGE#5:fortinetmgr:05/1_0", "nwparser.p0", "dev=%{fld2},vdom=%{fld3},type=%{fld4},key=%{fld5},act=%{action},pkgname=%{fld7},allowaccess=%{fld8}\"%{p0}"); - - var part16 = match("MESSAGE#5:fortinetmgr:05/1_1", "nwparser.p0", "%{event_description}\"%{p0}"); - - var select5 = linear_select([ - part15, - part16, - ]); - - var part17 = match("MESSAGE#5:fortinetmgr:05/2", "nwparser.p0", "%{domain}\" adom=\""); - - var all2 = all_match({ - processors: [ - part14, - select5, - part17, - ], - on_success: processor_chain([ - dup13, - dup4, - dup5, - dup6, - dup7, - dup8, - dup9, - dup10, - ]), - }); - - var msg6 = msg("fortinetmgr:05", all2); - - var part18 = tagval("MESSAGE#6:event_fortinetmgr_tvm", "nwparser.payload", tvm, { - "action": "action", - "adom": "domain", - "desc": "event_description", - "msg": "info", - "session_id": "sessionid", - "user": "username", - "userfrom": "fld1", - }, processor_chain([ - dup11, - dup4, - dup5, - dup6, - dup7, - setf("event_type","hfld2"), - dup9, - dup10, - ])); - - var msg7 = msg("event_fortinetmgr_tvm", part18); - - var select6 = linear_select([ - msg1, - msg2, - msg3, - msg4, - msg5, - msg6, - msg7, - ]); - - var part19 = tagval("MESSAGE#7:generic_fortinetmgr", "nwparser.payload", tvm, { - "action": "action", - "adminprof": "fld13", - "cat": "fcatnum", - "catdesc": "filter", - "cipher_suite": "fld24", - "content_switch_name": "fld15", - "craction": "fld9", - "crlevel": "fld10", - "crscore": "reputation_num", - "dev_id": "fld100", - "device_id": "hardware_id", - "devid": "hardware_id", - "devname": "event_source", - "devtype": "fld7", - "direction": "direction", - "dst": "daddr", - "dst_port": "dport", - "dstintf": "dinterface", - 
"dstip": "daddr", - "dstport": "dport", - "duration": "duration", - "eventtype": "vendor_event_cat", - "false_positive_mitigation": "fld17", - "ftp_cmd": "fld23", - "ftp_mode": "fld22", - "history_threat_weight": "fld21", - "hostname": "hostname", - "http_agent": "agent", - "http_host": "web_ref_domain", - "http_method": "web_method", - "http_refer": "web_referer", - "http_session_id": "sessionid", - "http_url": "web_query", - "http_version": "fld19", - "level": "severity", - "log_id": "id", - "logid": "id", - "main_type": "fld37", - "mastersrcmac": "fld8", - "method": "fld12", - "monitor_status": "fld18", - "msg": "event_description", - "msg_id": "fld25", - "osname": "os", - "osversion": "version", - "policy": "policyname", - "policyid": "policy_id", - "poluuid": "fld5", - "pri": "severity", - "profile": "rulename", - "proto": "fld6", - "rcvdbyte": "rbytes", - "reqtype": "fld11", - "sentbyte": "sbytes", - "server_pool_name": "fld16", - "service": "network_service", - "sessionid": "sessionid", - "severity_level": "fld101", - "signature_id": "sigid", - "signature_subclass": "fld14", - "src": "saddr", - "src_port": "sport", - "srccountry": "location_src", - "srcintf": "sinterface", - "srcip": "saddr", - "srcmac": "smacaddr", - "srcport": "sport", - "sub_type": "category", - "subtype": "category", - "threat_level": "threat_val", - "threat_weight": "fld20", - "timezone": "timezone", - "trandisp": "context", - "trigger_policy": "fld39", - "type": "event_type", - "url": "url", - "user": "username", - "user_name": "username", - "userfrom": "fld30", - "vd": "vsys", - }, processor_chain([ - dup13, - dup4, - dup5, - dup14, - dup23, - ])); - - var msg8 = msg("generic_fortinetmgr", part19); - - var part20 = tagval("MESSAGE#8:generic_fortinetmgr_1", "nwparser.payload", tvm, { - "action": "action", - "app": "obj_name", - "appcat": "fld33", - "craction": "fld9", - "crlevel": "fld10", - "crscore": "reputation_num", - "date": "fld1", - "dstcountry": "location_dst", - "dstintf": 
"dinterface", - "dstintfrole": "fld31", - "dstip": "daddr", - "dstport": "dport", - "duration": "duration", - "eventtime": "event_time_string", - "level": "severity", - "logid": "id", - "logtime": "fld35", - "policyid": "policy_id", - "policytype": "fld34", - "poluuid": "fld5", - "proto": "fld6", - "rcvdbyte": "rbytes", - "sentbyte": "sbytes", - "sentpkt": "fld15", - "service": "network_service", - "sessionid": "sessionid", - "srccountry": "location_src", - "srcintf": "sinterface", - "srcintfrole": "fld30", - "srcip": "saddr", - "srcport": "sport", - "subtype": "category", - "time": "fld2", - "trandisp": "context", - "tranip": "dtransaddr", - "tranport": "dtransport", - "type": "event_type", - "vd": "vsys", - }, processor_chain([ - dup13, - dup4, - date_time({ - dest: "event_time", - args: ["fld1","fld2"], - fmts: [ - [dW,dc("-"),dG,dc("-"),dF,dN,dc(":"),dU,dc(":"),dO], - ], - }), - dup6, - setf("hardware_id","hfld2"), - dup14, - dup23, - ])); - - var msg9 = msg("generic_fortinetmgr_1", part20); - - var chain1 = processor_chain([ - select1, - msgid_select({ - "event_fortinetmgr": select6, - "generic_fortinetmgr": msg8, - "generic_fortinetmgr_1": msg9, - }), - ]); - -- community_id: -- registered_domain: - ignore_missing: true - ignore_failure: true - field: dns.question.name - target_field: dns.question.registered_domain - target_subdomain_field: dns.question.subdomain - target_etld_field: dns.question.top_level_domain -- registered_domain: - ignore_missing: true - ignore_failure: true - field: client.domain - target_field: client.registered_domain - target_subdomain_field: client.subdomain - target_etld_field: client.top_level_domain -- registered_domain: - ignore_missing: true - ignore_failure: true - field: server.domain - target_field: server.registered_domain - target_subdomain_field: server.subdomain - target_etld_field: server.top_level_domain -- registered_domain: - ignore_missing: true - ignore_failure: true - field: destination.domain - target_field: 
destination.registered_domain - target_subdomain_field: destination.subdomain - target_etld_field: destination.top_level_domain -- registered_domain: - ignore_missing: true - ignore_failure: true - field: source.domain - target_field: source.registered_domain - target_subdomain_field: source.subdomain - target_etld_field: source.top_level_domain -- registered_domain: - ignore_missing: true - ignore_failure: true - field: url.domain - target_field: url.registered_domain - target_subdomain_field: url.subdomain - target_etld_field: url.top_level_domain -- add_locale: ~ diff --git a/packages/fortinet_fortimanager/1.1.2/data_stream/log/agent/stream/tcp.yml.hbs b/packages/fortinet_fortimanager/1.1.2/data_stream/log/agent/stream/tcp.yml.hbs deleted file mode 100755 index 7d3dfcbe1b..0000000000 --- a/packages/fortinet_fortimanager/1.1.2/data_stream/log/agent/stream/tcp.yml.hbs +++ /dev/null 
@@ -1,3091 +0,0 @@ -tcp: -host: "{{tcp_host}}:{{tcp_port}}" -tags: -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#each tags as |tag i|}} - - {{tag}} -{{/each}} -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} -processors: -{{#if processors}} -{{processors}} -{{/if}} -- script: - lang: javascript - params: - ecs: true - rsa: {{rsa_fields}} - tz_offset: {{tz_offset}} - keep_raw: {{keep_raw_fields}} - debug: {{debug}} - source: | - // Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - // or more contributor license agreements. Licensed under the Elastic License; - // you may not use this file except in compliance with the Elastic License. - - /* jshint -W014,-W016,-W097,-W116 */ - - var processor = require("processor"); - var console = require("console"); - - var FLAG_FIELD = "log.flags"; - var FIELDS_OBJECT = "nwparser"; - var FIELDS_PREFIX = FIELDS_OBJECT + "."; - - var defaults = { - debug: false, - ecs: true, - rsa: false, - keep_raw: false, - tz_offset: "local", - strip_priority: true - }; - - var saved_flags = null; - var debug; - var map_ecs; - var map_rsa; - var keep_raw; - var device; - var tz_offset; - var strip_priority; - - // Register params from configuration. - function register(params) { - debug = params.debug !== undefined ? params.debug : defaults.debug; - map_ecs = params.ecs !== undefined ? params.ecs : defaults.ecs; - map_rsa = params.rsa !== undefined ? params.rsa : defaults.rsa; - keep_raw = params.keep_raw !== undefined ? params.keep_raw : defaults.keep_raw; - tz_offset = parse_tz_offset(params.tz_offset !== undefined? params.tz_offset : defaults.tz_offset); - strip_priority = params.strip_priority !== undefined? params.strip_priority : defaults.strip_priority; - device = new DeviceProcessor(); - } - - function parse_tz_offset(offset) { - var date; - var m; - switch(offset) { - // local uses the tz offset from the JS VM. 
- case "local": - date = new Date(); - // Reversing the sign as we the offset from UTC, not to UTC. - return parse_local_tz_offset(-date.getTimezoneOffset()); - // event uses the tz offset from event.timezone (add_locale processor). - case "event": - return offset; - // Otherwise a tz offset in the form "[+-][0-9]{4}" is required. - default: - m = offset.match(/^([+\-])([0-9]{2}):?([0-9]{2})?$/); - if (m === null || m.length !== 4) { - throw("bad timezone offset: '" + offset + "'. Must have the form +HH:MM"); - } - return m[1] + m[2] + ":" + (m[3]!==undefined? m[3] : "00"); - } - } - - function parse_local_tz_offset(minutes) { - var neg = minutes < 0; - minutes = Math.abs(minutes); - var min = minutes % 60; - var hours = Math.floor(minutes / 60); - var pad2digit = function(n) { - if (n < 10) { return "0" + n;} - return "" + n; - }; - return (neg? "-" : "+") + pad2digit(hours) + ":" + pad2digit(min); - } - - function process(evt) { - // Function register is only called by the processor when `params` are set - // in the processor config. - if (device === undefined) { - register(defaults); - } - return device.process(evt); - } - - function processor_chain(subprocessors) { - var builder = new processor.Chain(); - subprocessors.forEach(builder.Add); - return builder.Build().Run; - } - - function linear_select(subprocessors) { - return function (evt) { - var flags = evt.Get(FLAG_FIELD); - var i; - for (i = 0; i < subprocessors.length; i++) { - evt.Delete(FLAG_FIELD); - if (debug) console.warn("linear_select trying entry " + i); - subprocessors[i](evt); - // Dissect processor succeeded? 
- if (evt.Get(FLAG_FIELD) == null) break; - if (debug) console.warn("linear_select failed entry " + i); - } - if (flags !== null) { - evt.Put(FLAG_FIELD, flags); - } - if (debug) { - if (i < subprocessors.length) { - console.warn("linear_select matched entry " + i); - } else { - console.warn("linear_select didn't match"); - } - } - }; - } - - function conditional(opt) { - return function(evt) { - if (opt.if(evt)) { - opt.then(evt); - } else if (opt.else) { - opt.else(evt); - } - }; - } - - var strip_syslog_priority = (function() { - var isEnabled = function() { return strip_priority === true; }; - var fetchPRI = field("_pri"); - var fetchPayload = field("payload"); - var removePayload = remove(["payload"]); - var cleanup = remove(["_pri", "payload"]); - var onMatch = function(evt) { - var pri, priStr = fetchPRI(evt); - if (priStr != null - && 0 < priStr.length && priStr.length < 4 - && !isNaN((pri = Number(priStr))) - && 0 <= pri && pri < 192) { - var severity = pri & 7, - facility = pri >> 3; - setc("_severity", "" + severity)(evt); - setc("_facility", "" + facility)(evt); - // Replace message with priority stripped. - evt.Put("message", fetchPayload(evt)); - removePayload(evt); - } else { - // not a valid syslog PRI, cleanup. 
- cleanup(evt); - } - }; - return conditional({ - if: isEnabled, - then: cleanup_flags(match( - "STRIP_PRI", - "message", - "<%{_pri}>%{payload}", - onMatch - )) - }); - })(); - - function match(id, src, pattern, on_success) { - var dissect = new processor.Dissect({ - field: src, - tokenizer: pattern, - target_prefix: FIELDS_OBJECT, - ignore_failure: true, - overwrite_keys: true, - trim_values: "right" - }); - return function (evt) { - var msg = evt.Get(src); - dissect.Run(evt); - var failed = evt.Get(FLAG_FIELD) != null; - if (debug) { - if (failed) { - console.debug("dissect fail: " + id + " field:" + src); - } else { - console.debug("dissect OK: " + id + " field:" + src); - } - console.debug(" expr: <<" + pattern + ">>"); - console.debug(" input: <<" + msg + ">>"); - } - if (on_success != null && !failed) { - on_success(evt); - } - }; - } - - function match_copy(id, src, dst, on_success) { - dst = FIELDS_PREFIX + dst; - if (dst === FIELDS_PREFIX || dst === src) { - return function (evt) { - if (debug) { - console.debug("noop OK: " + id + " field:" + src); - console.debug(" input: <<" + evt.Get(src) + ">>"); - } - if (on_success != null) on_success(evt); - } - } - return function (evt) { - var msg = evt.Get(src); - evt.Put(dst, msg); - if (debug) { - console.debug("copy OK: " + id + " field:" + src); - console.debug(" target: '" + dst + "'"); - console.debug(" input: <<" + msg + ">>"); - } - if (on_success != null) on_success(evt); - } - } - - function cleanup_flags(processor) { - return function(evt) { - processor(evt); - evt.Delete(FLAG_FIELD); - }; - } - - function all_match(opts) { - return function (evt) { - var i; - for (i = 0; i < opts.processors.length; i++) { - evt.Delete(FLAG_FIELD); - opts.processors[i](evt); - // Dissect processor succeeded? 
- if (evt.Get(FLAG_FIELD) != null) { - if (debug) console.warn("all_match failure at " + i); - if (opts.on_failure != null) opts.on_failure(evt); - return; - } - if (debug) console.warn("all_match success at " + i); - } - if (opts.on_success != null) opts.on_success(evt); - }; - } - - function msgid_select(mapping) { - return function (evt) { - var msgid = evt.Get(FIELDS_PREFIX + "messageid"); - if (msgid == null) { - if (debug) console.warn("msgid_select: no messageid captured!"); - return; - } - var next = mapping[msgid]; - if (next === undefined) { - if (debug) console.warn("msgid_select: no mapping for messageid:" + msgid); - return; - } - if (debug) console.info("msgid_select: matched key=" + msgid); - return next(evt); - }; - } - - function msg(msg_id, match) { - return function (evt) { - match(evt); - if (evt.Get(FLAG_FIELD) == null) { - evt.Put(FIELDS_PREFIX + "msg_id1", msg_id); - } - }; - } - - var start; - - function save_flags(evt) { - saved_flags = evt.Get(FLAG_FIELD); - evt.Put("event.original", evt.Get("message")); - } - - function restore_flags(evt) { - if (saved_flags !== null) { - evt.Put(FLAG_FIELD, saved_flags); - } - evt.Delete("message"); - } - - function constant(value) { - return function (evt) { - return value; - }; - } - - function field(name) { - var fullname = FIELDS_PREFIX + name; - return function (evt) { - return evt.Get(fullname); - }; - } - - function STRCAT(args) { - var s = ""; - var i; - for (i = 0; i < args.length; i++) { - s += args[i]; - } - return s; - } - - // TODO: Implement - function DIRCHK(args) { - unimplemented("DIRCHK"); - } - - function strictToInt(str) { - return str * 1; - } - - function CALC(args) { - if (args.length !== 3) { - console.warn("skipped call to CALC with " + args.length + " arguments."); - return; - } - var a = strictToInt(args[0]); - var b = strictToInt(args[2]); - if (isNaN(a) || isNaN(b)) { - console.warn("failed evaluating CALC arguments a='" + args[0] + "' b='" + args[2] + "'."); - return; - } - 
var result; - switch (args[1]) { - case "+": - result = a + b; - break; - case "-": - result = a - b; - break; - case "*": - result = a * b; - break; - default: - // Only * and + seen in the parsers. - console.warn("unknown CALC operation '" + args[1] + "'."); - return; - } - // Always return a string - return result !== undefined ? "" + result : result; - } - - var quoteChars = "\"'`"; - function RMQ(args) { - if(args.length !== 1) { - console.warn("RMQ: only one argument expected"); - return; - } - var value = args[0].trim(); - var n = value.length; - var char; - return n > 1 - && (char=value.charAt(0)) === value.charAt(n-1) - && quoteChars.indexOf(char) !== -1? - value.substr(1, n-2) - : value; - } - - function call(opts) { - var args = new Array(opts.args.length); - return function (evt) { - for (var i = 0; i < opts.args.length; i++) - if ((args[i] = opts.args[i](evt)) == null) return; - var result = opts.fn(args); - if (result != null) { - evt.Put(opts.dest, result); - } - }; - } - - function nop(evt) { - } - - function appendErrorMsg(evt, msg) { - var value = evt.Get("error.message"); - if (value == null) { - value = [msg]; - } else if (msg instanceof Array) { - value.push(msg); - } else { - value = [value, msg]; - } - evt.Put("error.message", value); - } - - function unimplemented(name) { - appendErrorMsg("unimplemented feature: " + name); - } - - function lookup(opts) { - return function (evt) { - var key = opts.key(evt); - if (key == null) return; - var value = opts.map.keyvaluepairs[key]; - if (value === undefined) { - value = opts.map.default; - } - if (value !== undefined) { - evt.Put(opts.dest, value(evt)); - } - }; - } - - function set(fields) { - return new processor.AddFields({ - target: FIELDS_OBJECT, - fields: fields, - }); - } - - function setf(dst, src) { - return function (evt) { - var val = evt.Get(FIELDS_PREFIX + src); - if (val != null) evt.Put(FIELDS_PREFIX + dst, val); - }; - } - - function setc(dst, value) { - return function (evt) { - 
evt.Put(FIELDS_PREFIX + dst, value); - }; - } - - function set_field(opts) { - return function (evt) { - var val = opts.value(evt); - if (val != null) evt.Put(opts.dest, val); - }; - } - - function dump(label) { - return function (evt) { - console.log("Dump of event at " + label + ": " + JSON.stringify(evt, null, "\t")); - }; - } - - function date_time_join_args(evt, arglist) { - var str = ""; - for (var i = 0; i < arglist.length; i++) { - var fname = FIELDS_PREFIX + arglist[i]; - var val = evt.Get(fname); - if (val != null) { - if (str !== "") str += " "; - str += val; - } else { - if (debug) console.warn("in date_time: input arg " + fname + " is not set"); - } - } - return str; - } - - function to2Digit(num) { - return num? (num < 10? "0" + num : num) : "00"; - } - - // Make two-digit dates 00-69 interpreted as 2000-2069 - // and dates 70-99 translated to 1970-1999. - var twoDigitYearEpoch = 70; - var twoDigitYearCentury = 2000; - - // This is to accept dates up to 2 days in the future, only used when - // no year is specified in a date. 2 days should be enough to account for - // time differences between systems and different tz offsets. - var maxFutureDelta = 2*24*60*60*1000; - - // DateContainer stores date fields and then converts those fields into - // a Date. Necessary because building a Date using its set() methods gives - // different results depending on the order of components. - function DateContainer(tzOffset) { - this.offset = tzOffset === undefined? "Z" : tzOffset; - } - - DateContainer.prototype = { - setYear: function(v) {this.year = v;}, - setMonth: function(v) {this.month = v;}, - setDay: function(v) {this.day = v;}, - setHours: function(v) {this.hours = v;}, - setMinutes: function(v) {this.minutes = v;}, - setSeconds: function(v) {this.seconds = v;}, - - setUNIX: function(v) {this.unix = v;}, - - set2DigitYear: function(v) { - this.year = v < twoDigitYearEpoch? 
twoDigitYearCentury + v : twoDigitYearCentury + v - 100; - }, - - toDate: function() { - if (this.unix !== undefined) { - return new Date(this.unix * 1000); - } - if (this.day === undefined || this.month === undefined) { - // Can't make a date from this. - return undefined; - } - if (this.year === undefined) { - // A date without a year. Set current year, or previous year - // if date would be in the future. - var now = new Date(); - this.year = now.getFullYear(); - var date = this.toDate(); - if (date.getTime() - now.getTime() > maxFutureDelta) { - date.setFullYear(now.getFullYear() - 1); - } - return date; - } - var MM = to2Digit(this.month); - var DD = to2Digit(this.day); - var hh = to2Digit(this.hours); - var mm = to2Digit(this.minutes); - var ss = to2Digit(this.seconds); - return new Date(this.year + "-" + MM + "-" + DD + "T" + hh + ":" + mm + ":" + ss + this.offset); - } - } - - function date_time_try_pattern(fmt, str, tzOffset) { - var date = new DateContainer(tzOffset); - var pos = date_time_try_pattern_at_pos(fmt, str, 0, date); - return pos !== undefined? 
date.toDate() : undefined; - } - - function date_time_try_pattern_at_pos(fmt, str, pos, date) { - var len = str.length; - for (var proc = 0; pos !== undefined && pos < len && proc < fmt.length; proc++) { - pos = fmt[proc](str, pos, date); - } - return pos; - } - - function date_time(opts) { - return function (evt) { - var tzOffset = opts.tz || tz_offset; - if (tzOffset === "event") { - tzOffset = evt.Get("event.timezone"); - } - var str = date_time_join_args(evt, opts.args); - for (var i = 0; i < opts.fmts.length; i++) { - var date = date_time_try_pattern(opts.fmts[i], str, tzOffset); - if (date !== undefined) { - evt.Put(FIELDS_PREFIX + opts.dest, date); - return; - } - } - if (debug) console.warn("in date_time: id=" + opts.id + " FAILED: " + str); - }; - } - - var uA = 60 * 60 * 24; - var uD = 60 * 60 * 24; - var uF = 60 * 60; - var uG = 60 * 60 * 24 * 30; - var uH = 60 * 60; - var uI = 60 * 60; - var uJ = 60 * 60 * 24; - var uM = 60 * 60 * 24 * 30; - var uN = 60 * 60; - var uO = 1; - var uS = 1; - var uT = 60; - var uU = 60; - var uc = dc; - - function duration(opts) { - return function(evt) { - var str = date_time_join_args(evt, opts.args); - for (var i = 0; i < opts.fmts.length; i++) { - var seconds = duration_try_pattern(opts.fmts[i], str); - if (seconds !== undefined) { - evt.Put(FIELDS_PREFIX + opts.dest, seconds); - return; - } - } - if (debug) console.warn("in duration: id=" + opts.id + " (s) FAILED: " + str); - }; - } - - function duration_try_pattern(fmt, str) { - var secs = 0; - var pos = 0; - for (var i=0; i [ month_id , how many chars to skip if month in long form ] - "Jan": [0, 4], - "Feb": [1, 5], - "Mar": [2, 2], - "Apr": [3, 2], - "May": [4, 0], - "Jun": [5, 1], - "Jul": [6, 1], - "Aug": [7, 3], - "Sep": [8, 6], - "Oct": [9, 4], - "Nov": [10, 5], - "Dec": [11, 4], - "jan": [0, 4], - "feb": [1, 5], - "mar": [2, 2], - "apr": [3, 2], - "may": [4, 0], - "jun": [5, 1], - "jul": [6, 1], - "aug": [7, 3], - "sep": [8, 6], - "oct": [9, 4], - "nov": [10, 
5], - "dec": [11, 4], - }; - - // var dC = undefined; - var dR = dateMonthName(true); - var dB = dateMonthName(false); - var dM = dateFixedWidthNumber("M", 2, 1, 12, DateContainer.prototype.setMonth); - var dG = dateVariableWidthNumber("G", 1, 12, DateContainer.prototype.setMonth); - var dD = dateFixedWidthNumber("D", 2, 1, 31, DateContainer.prototype.setDay); - var dF = dateVariableWidthNumber("F", 1, 31, DateContainer.prototype.setDay); - var dH = dateFixedWidthNumber("H", 2, 0, 24, DateContainer.prototype.setHours); - var dI = dateVariableWidthNumber("I", 0, 24, DateContainer.prototype.setHours); // Accept hours >12 - var dN = dateVariableWidthNumber("N", 0, 24, DateContainer.prototype.setHours); - var dT = dateFixedWidthNumber("T", 2, 0, 59, DateContainer.prototype.setMinutes); - var dU = dateVariableWidthNumber("U", 0, 59, DateContainer.prototype.setMinutes); - var dP = parseAMPM; // AM|PM - var dQ = parseAMPM; // A.M.|P.M - var dS = dateFixedWidthNumber("S", 2, 0, 60, DateContainer.prototype.setSeconds); - var dO = dateVariableWidthNumber("O", 0, 60, DateContainer.prototype.setSeconds); - var dY = dateFixedWidthNumber("Y", 2, 0, 99, DateContainer.prototype.set2DigitYear); - var dW = dateFixedWidthNumber("W", 4, 1000, 9999, DateContainer.prototype.setYear); - var dZ = parseHMS; - var dX = dateVariableWidthNumber("X", 0, 0x10000000000, DateContainer.prototype.setUNIX); - - // parseAMPM parses "A.M", "AM", "P.M", "PM" from logs. - // Only works if this modifier appears after the hour has been read from logs - // which is always the case in the 300 devices. 
- function parseAMPM(str, pos, date) { - var n = str.length; - var start = skipws(str, pos); - if (start + 2 > n) return; - var head = str.substr(start, 2).toUpperCase(); - var isPM = false; - var skip = false; - switch (head) { - case "A.": - skip = true; - /* falls through */ - case "AM": - break; - case "P.": - skip = true; - /* falls through */ - case "PM": - isPM = true; - break; - default: - if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(head:" + head + ")"); - return; - } - pos = start + 2; - if (skip) { - if (pos+2 > n || str.substr(pos, 2).toUpperCase() !== "M.") { - if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(tail)"); - return; - } - pos += 2; - } - var hh = date.hours; - if (isPM) { - // Accept existing hour in 24h format. - if (hh < 12) hh += 12; - } else { - if (hh === 12) hh = 0; - } - date.setHours(hh); - return pos; - } - - function parseHMS(str, pos, date) { - return date_time_try_pattern_at_pos([dN, dc(":"), dU, dc(":"), dO], str, pos, date); - } - - function skipws(str, pos) { - for ( var n = str.length; - pos < n && str.charAt(pos) === " "; - pos++) - ; - return pos; - } - - function skipdigits(str, pos) { - var c; - for (var n = str.length; - pos < n && (c = str.charAt(pos)) >= "0" && c <= "9"; - pos++) - ; - return pos; - } - - function dSkip(str, pos, date) { - var chr; - for (;pos < str.length && (chr=str[pos])<'0' || chr>'9'; pos++) {} - return pos < str.length? 
pos : undefined; - } - - function dateVariableWidthNumber(fmtChar, min, max, setter) { - return function (str, pos, date) { - var start = skipws(str, pos); - pos = skipdigits(str, start); - var s = str.substr(start, pos - start); - var value = parseInt(s, 10); - if (value >= min && value <= max) { - setter.call(date, value); - return pos; - } - return; - }; - } - - function dateFixedWidthNumber(fmtChar, width, min, max, setter) { - return function (str, pos, date) { - pos = skipws(str, pos); - var n = str.length; - if (pos + width > n) return; - var s = str.substr(pos, width); - var value = parseInt(s, 10); - if (value >= min && value <= max) { - setter.call(date, value); - return pos + width; - } - return; - }; - } - - // Short month name (Jan..Dec). - function dateMonthName(long) { - return function (str, pos, date) { - pos = skipws(str, pos); - var n = str.length; - if (pos + 3 > n) return; - var mon = str.substr(pos, 3); - var idx = shortMonths[mon]; - if (idx === undefined) { - idx = shortMonths[mon.toLowerCase()]; - } - if (idx === undefined) { - //console.warn("parsing date_time: '" + mon + "' is not a valid short month (%B)"); - return; - } - date.setMonth(idx[0]+1); - return pos + 3 + (long ? 
idx[1] : 0); - }; - } - - function url_wrapper(dst, src, fn) { - return function(evt) { - var value = evt.Get(FIELDS_PREFIX + src), result; - if (value != null && (result = fn(value))!== undefined) { - evt.Put(FIELDS_PREFIX + dst, result); - } else { - console.debug(fn.name + " failed for '" + value + "'"); - } - }; - } - - // The following regular expression for parsing URLs from: - // https://github.com/wizard04wsu/URI_Parsing - // - // The MIT License (MIT) - // - // Copyright (c) 2014 Andrew Harrison - // - // Permission is hereby granted, free of charge, to any person obtaining a copy of - // this software and associated documentation files (the "Software"), to deal in - // the Software without restriction, including without limitation the rights to - // use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of - // the Software, and to permit persons to whom the Software is furnished to do so, - // subject to the following conditions: - // - // The above copyright notice and this permission notice shall be included in all - // copies or substantial portions of the Software. - // - // THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR - // IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS - // FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR - // COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER - // IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN - // CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 
- var uriRegExp = /^([a-z][a-z0-9+.\-]*):(?:\/\/((?:(?=((?:[a-z0-9\-._~!$&'()*+,;=:]|%[0-9A-F]{2})*))(\3)@)?(?=(\[[0-9A-F:.]{2,}\]|(?:[a-z0-9\-._~!$&'()*+,;=]|%[0-9A-F]{2})*))\5(?::(?=(\d*))\6)?)(\/(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\8)?|(\/?(?!\/)(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\10)?)(?:\?(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\11)?(?:#(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\12)?$/i; - - var uriScheme = 1; - var uriDomain = 5; - var uriPort = 6; - var uriPath = 7; - var uriPathAlt = 9; - var uriQuery = 11; - - function domain(dst, src) { - return url_wrapper(dst, src, extract_domain); - } - - function split_url(value) { - var m = value.match(uriRegExp); - if (m && m[uriDomain]) return m; - // Support input in the form "www.example.net/path", but not "/path". - m = ("null://" + value).match(uriRegExp); - if (m) return m; - } - - function extract_domain(value) { - var m = split_url(value); - if (m && m[uriDomain]) return m[uriDomain]; - } - - var extFromPage = /\.[^.]+$/; - function extract_ext(value) { - var page = extract_page(value); - if (page) { - var m = page.match(extFromPage); - if (m) return m[0]; - } - } - - function ext(dst, src) { - return url_wrapper(dst, src, extract_ext); - } - - function fqdn(dst, src) { - // TODO: fqdn and domain(eTLD+1) are currently the same. - return domain(dst, src); - } - - var pageFromPathRegExp = /\/([^\/]+)$/; - var pageName = 1; - - function extract_page(value) { - value = extract_path(value); - if (!value) return undefined; - var m = value.match(pageFromPathRegExp); - if (m) return m[pageName]; - } - - function page(dst, src) { - return url_wrapper(dst, src, extract_page); - } - - function extract_path(value) { - var m = split_url(value); - return m? m[uriPath] || m[uriPathAlt] : undefined; - } - - function path(dst, src) { - return url_wrapper(dst, src, extract_path); - } - - // Map common schemes to their default port. 
- // port has to be a string (will be converted at a later stage). - var schemePort = { - "ftp": "21", - "ssh": "22", - "http": "80", - "https": "443", - }; - - function extract_port(value) { - var m = split_url(value); - if (!m) return undefined; - if (m[uriPort]) return m[uriPort]; - if (m[uriScheme]) { - return schemePort[m[uriScheme]]; - } - } - - function port(dst, src) { - return url_wrapper(dst, src, extract_port); - } - - function extract_query(value) { - var m = split_url(value); - if (m && m[uriQuery]) return m[uriQuery]; - } - - function query(dst, src) { - return url_wrapper(dst, src, extract_query); - } - - function extract_root(value) { - var m = split_url(value); - if (m && m[uriDomain] && m[uriDomain]) { - var scheme = m[uriScheme] && m[uriScheme] !== "null"? - m[uriScheme] + "://" : ""; - var port = m[uriPort]? ":" + m[uriPort] : ""; - return scheme + m[uriDomain] + port; - } - } - - function root(dst, src) { - return url_wrapper(dst, src, extract_root); - } - - function tagval(id, src, cfg, keys, on_success) { - var fail = function(evt) { - evt.Put(FLAG_FIELD, "tagval_parsing_error"); - } - if (cfg.kv_separator.length !== 1) { - throw("Invalid TAGVALMAP ValueDelimiter (must have 1 character)"); - } - var quotes_len = cfg.open_quote.length > 0 && cfg.close_quote.length > 0? 
- cfg.open_quote.length + cfg.close_quote.length : 0;
- var kv_regex = new RegExp('^([^' + cfg.kv_separator + ']*)*' + cfg.kv_separator + ' *(.*)*$');
- return function(evt) {
- var msg = evt.Get(src);
- if (msg === undefined) {
- console.warn("tagval: input field is missing");
- return fail(evt);
- }
- var pairs = msg.split(cfg.pair_separator);
- var i;
- var success = false;
- var prev = "";
- for (i=0; i 0 &&
- value.length >= cfg.open_quote.length + cfg.close_quote.length &&
- value.substr(0, cfg.open_quote.length) === cfg.open_quote &&
- value.substr(value.length - cfg.close_quote.length) === cfg.close_quote) {
- value = value.substr(cfg.open_quote.length, value.length - quotes_len);
- }
- evt.Put(FIELDS_PREFIX + field, value);
- success = true;
- }
- if (!success) {
- return fail(evt);
- }
- if (on_success != null) {
- on_success(evt);
- }
- }
- }
-
- var ecs_mappings = {
- "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]},
- "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]},
- "_severity": {convert: to_long, to:[{field: "log.syslog.severity.code", setter: fld_set}]},
- "action": {to:[{field: "event.action", setter: fld_prio, prio: 0}]},
- "administrator": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 4}]},
- "alias.ip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 3},{field: "related.ip", setter: fld_append}]},
- "alias.ipv6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 4},{field: "related.ip", setter: fld_append}]},
- "alias.mac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 1}]},
- "application": {to:[{field: "network.application", setter: fld_set}]},
- "bytes": {convert: to_long, to:[{field: "network.bytes", setter: fld_set}]},
- "c_domain": {to:[{field: "source.domain", setter: fld_prio, prio: 1}]},
- "c_logon_id": {to:[{field: "user.id", setter: fld_prio, prio: 2}]},
- "c_user_name": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 8}]},
- "c_username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 2}]},
- "cctld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 1}]},
- "child_pid": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 1}]},
- "child_pid_val": {to:[{field: "process.title", setter: fld_set}]},
- "child_process": {to:[{field: "process.name", setter: fld_prio, prio: 1}]},
- "city.dst": {to:[{field: "destination.geo.city_name", setter: fld_set}]},
- "city.src": {to:[{field: "source.geo.city_name", setter: fld_set}]},
- "daddr": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]},
- "daddr_v6": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]},
- "ddomain": {to:[{field: "destination.domain", setter: fld_prio, prio: 0}]},
- "devicehostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]},
- "devicehostmac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 0}]},
- "dhost": {to:[{field: "destination.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]},
- "dinterface": {to:[{field: "observer.egress.interface.name", setter: fld_set}]},
- "direction": {to:[{field: "network.direction", setter: fld_set}]},
- "directory": {to:[{field: "file.directory", setter: fld_set}]},
- "dmacaddr": {convert: to_mac, to:[{field: "destination.mac", setter: fld_set}]},
- "dns.responsetype": {to:[{field: "dns.answers.type", setter: fld_set}]},
- "dns.resptext": {to:[{field: "dns.answers.name", setter: fld_set}]},
- "dns_querytype": {to:[{field: "dns.question.type", setter: fld_set}]},
- "domain": {to:[{field: "server.domain", setter: fld_prio, prio: 0},{field: "related.hosts", setter: fld_append}]},
- "domain.dst": {to:[{field: "destination.domain", setter: fld_prio, prio: 1}]},
- "domain.src": {to:[{field: "source.domain", setter: fld_prio, prio: 2}]},
- "domain_id": {to:[{field: "user.domain", setter: fld_set}]},
- "domainname": {to:[{field: "server.domain", setter: fld_prio, prio: 1}]},
- "dport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 0}]},
- "dtransaddr": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]},
- "dtransport": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 0}]},
- "ec_outcome": {to:[{field: "event.outcome", setter: fld_ecs_outcome}]},
- "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]},
- "event_source": {to:[{field: "related.hosts", setter: fld_append}]},
- "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]},
- "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]},
- "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]},
- "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]},
- "filename": {to:[{field: "file.name", setter: fld_prio, prio: 0}]},
- "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]},
- "filepath": {to:[{field: "file.path", setter: fld_set}]},
- "filetype": {to:[{field: "file.type", setter: fld_set}]},
- "fqdn": {to:[{field: "related.hosts", setter: fld_append}]},
- "group": {to:[{field: "group.name", setter: fld_set}]},
- "groupid": {to:[{field: "group.id", setter: fld_set}]},
- "host": {to:[{field: "host.name", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]},
- "hostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]},
- "hostip_v6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]},
- "hostname": {to:[{field: "host.name", setter: fld_prio, prio: 0}]},
- "id": {to:[{field: "event.code", setter: fld_prio, prio: 0}]},
- "interface": {to:[{field: "network.interface.name", setter: fld_set}]},
- "ip.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]},
- "ip.trans.dst": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]},
- "ip.trans.src": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]},
- "ipv6.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]},
- "latdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lat", setter: fld_set}]},
- "latdec_src": {convert: to_double, to:[{field: "source.geo.location.lat", setter: fld_set}]},
- "location_city": {to:[{field: "geo.city_name", setter: fld_set}]},
- "location_country": {to:[{field: "geo.country_name", setter: fld_set}]},
- "location_desc": {to:[{field: "geo.name", setter: fld_set}]},
- "location_dst": {to:[{field: "destination.geo.country_name", setter: fld_set}]},
- "location_src": {to:[{field: "source.geo.country_name", setter: fld_set}]},
- "location_state": {to:[{field: "geo.region_name", setter: fld_set}]},
- "logon_id": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 5}]},
- "longdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lon", setter: fld_set}]},
- "longdec_src": {convert: to_double, to:[{field: "source.geo.location.lon", setter: fld_set}]},
- "macaddr": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 2}]},
- "messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]},
- "method": {to:[{field: "http.request.method", setter: fld_set}]},
- "msg": {to:[{field: "message", setter: fld_set}]},
- "orig_ip": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]},
- "owner": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 6}]},
- "packets": {convert: to_long, to:[{field: "network.packets", setter: fld_set}]},
- "parent_pid": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 0}]},
- "parent_pid_val": {to:[{field: "process.parent.title", setter: fld_set}]},
- "parent_process": {to:[{field: "process.parent.name", setter: fld_prio, prio: 0}]},
- "patient_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 1}]},
- "port.dst": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 1}]},
- "port.src": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 1}]},
- "port.trans.dst": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 1}]},
- "port.trans.src": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 1}]},
- "process": {to:[{field: "process.name", setter: fld_prio, prio: 0}]},
- "process_id": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 0}]},
- "process_id_src": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 1}]},
- "process_src": {to:[{field: "process.parent.name", setter: fld_prio, prio: 1}]},
- "product": {to:[{field: "observer.product", setter: fld_set}]},
- "protocol": {to:[{field: "network.protocol", setter: fld_set}]},
- "query": {to:[{field: "url.query", setter: fld_prio, prio: 2}]},
- "rbytes": {convert: to_long, to:[{field: "destination.bytes", setter: fld_set}]},
- "referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 1}]},
- "rulename": {to:[{field: "rule.name", setter: fld_set}]},
- "saddr": {convert: to_ip, to:[{field: "source.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]},
- "saddr_v6": {convert: to_ip, to:[{field: "source.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]},
- "sbytes": {convert: to_long, to:[{field: "source.bytes", setter: fld_set}]},
- "sdomain": {to:[{field: "source.domain", setter: fld_prio, prio: 0}]},
- "service": {to:[{field: "service.name", setter: fld_prio, prio: 1}]},
- "service.name": {to:[{field: "service.name", setter: fld_prio, prio: 0}]},
- "service_account": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 7}]},
- "severity": {to:[{field: "log.level", setter: fld_set}]},
- "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]},
- "sinterface": {to:[{field: "observer.ingress.interface.name", setter: fld_set}]},
- "sld": {to:[{field: "url.registered_domain", setter: fld_set}]},
- "smacaddr": {convert: to_mac, to:[{field: "source.mac", setter: fld_set}]},
- "sport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 0}]},
- "stransaddr": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]},
- "stransport": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 0}]},
- "tcp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 2}]},
- "tcp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 2}]},
- "timezone": {to:[{field: "event.timezone", setter: fld_set}]},
- "tld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 0}]},
- "udp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 3}]},
- "udp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 3}]},
- "uid": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 3}]},
- "url": {to:[{field: "url.original", setter: fld_prio, prio: 1}]},
- "url_raw": {to:[{field: "url.original", setter: fld_prio, prio: 0}]},
- "urldomain": {to:[{field: "url.domain", setter: fld_prio, prio: 0}]},
- "urlquery": {to:[{field: "url.query", setter: fld_prio, prio: 0}]},
- "user": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 0}]},
- "user.id": {to:[{field: "user.id", setter: fld_prio, prio: 1}]},
- "user_agent": {to:[{field: "user_agent.original", setter: fld_set}]},
- "user_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 0}]},
- "user_id": {to:[{field: "user.id", setter: fld_prio, prio: 0}]},
- "username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 1}]},
- "version": {to:[{field: "observer.version", setter: fld_set}]},
- "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]},
- "web_extension": {to:[{field: "file.extension", setter: fld_prio, prio: 0}]},
- "web_query": {to:[{field: "url.query", setter: fld_prio, prio: 1}]},
- "web_ref_domain": {to:[{field: "related.hosts", setter: fld_append}]},
- "web_referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 0}]},
- "web_root": {to:[{field: "url.path", setter: fld_set}]},
- "webpage": {to:[{field: "file.name", setter: fld_prio, prio: 1}]},
- };
-
- var rsa_mappings = {
- "access_point": {to:[{field: "rsa.wireless.access_point", setter: fld_set}]},
- "accesses": {to:[{field: "rsa.identity.accesses", setter: fld_set}]},
- "acl_id": {to:[{field: "rsa.misc.acl_id", setter: fld_set}]},
- "acl_op": {to:[{field: "rsa.misc.acl_op", setter: fld_set}]},
- "acl_pos": {to:[{field: "rsa.misc.acl_pos", setter: fld_set}]},
- "acl_table": {to:[{field: "rsa.misc.acl_table", setter: fld_set}]},
- "action": {to:[{field: "rsa.misc.action", setter: fld_append}]},
- "ad_computer_dst": {to:[{field: "rsa.network.ad_computer_dst", setter: fld_set}]},
- "addr": {to:[{field: "rsa.network.addr", setter: fld_set}]},
- "admin": {to:[{field: "rsa.misc.admin", setter: fld_set}]},
- "agent": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 0}]},
- "agent.id": {to:[{field: "rsa.misc.agent_id", setter: fld_set}]},
- "alarm_id": {to:[{field: "rsa.misc.alarm_id", setter: fld_set}]},
- "alarmname": {to:[{field: "rsa.misc.alarmname", setter: fld_set}]},
- "alert": {to:[{field: "rsa.threat.alert", setter: fld_set}]},
- "alert_id": {to:[{field: "rsa.misc.alert_id", setter: fld_set}]},
- "alias.host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
- "analysis.file": {to:[{field: "rsa.investigations.analysis_file", setter: fld_set}]},
- "analysis.service": {to:[{field: "rsa.investigations.analysis_service", setter: fld_set}]},
- "analysis.session": {to:[{field: "rsa.investigations.analysis_session", setter: fld_set}]},
- "app_id": {to:[{field: "rsa.misc.app_id", setter: fld_set}]},
- "attachment": {to:[{field: "rsa.file.attachment", setter: fld_set}]},
- "audit": {to:[{field: "rsa.misc.audit", setter: fld_set}]},
- "audit_class": {to:[{field: "rsa.internal.audit_class", setter: fld_set}]},
- "audit_object": {to:[{field: "rsa.misc.audit_object", setter: fld_set}]},
- "auditdata": {to:[{field: "rsa.misc.auditdata", setter: fld_set}]},
- "authmethod": {to:[{field: "rsa.identity.auth_method", setter: fld_set}]},
- "autorun_type": {to:[{field: "rsa.misc.autorun_type", setter: fld_set}]},
- "bcc": {to:[{field: "rsa.email.email", setter: fld_append}]},
- "benchmark": {to:[{field: "rsa.misc.benchmark", setter: fld_set}]},
- "binary": {to:[{field: "rsa.file.binary", setter: fld_set}]},
- "boc": {to:[{field: "rsa.investigations.boc", setter: fld_set}]},
- "bssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 1}]},
- "bypass": {to:[{field: "rsa.misc.bypass", setter: fld_set}]},
- "c_sid": {to:[{field: "rsa.identity.user_sid_src", setter: fld_set}]},
- "cache": {to:[{field: "rsa.misc.cache", setter: fld_set}]},
- "cache_hit": {to:[{field: "rsa.misc.cache_hit", setter: fld_set}]},
- "calling_from": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 1}]},
- "calling_to": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 0}]},
- "category": {to:[{field: "rsa.misc.category", setter: fld_set}]},
- "cc": {to:[{field: "rsa.email.email", setter: fld_append}]},
- "cc.number": {convert: to_long, to:[{field: "rsa.misc.cc_number", setter: fld_set}]},
- "cefversion": {to:[{field: "rsa.misc.cefversion", setter: fld_set}]},
- "cert.serial": {to:[{field: "rsa.crypto.cert_serial", setter: fld_set}]},
- "cert_ca": {to:[{field: "rsa.crypto.cert_ca", setter: fld_set}]},
- "cert_checksum": {to:[{field: "rsa.crypto.cert_checksum", setter: fld_set}]},
- "cert_common": {to:[{field: "rsa.crypto.cert_common", setter: fld_set}]},
- "cert_error": {to:[{field: "rsa.crypto.cert_error", setter: fld_set}]},
- "cert_hostname": {to:[{field: "rsa.crypto.cert_host_name", setter: fld_set}]},
- "cert_hostname_cat": {to:[{field: "rsa.crypto.cert_host_cat", setter: fld_set}]},
- "cert_issuer": {to:[{field: "rsa.crypto.cert_issuer", setter: fld_set}]},
- "cert_keysize": {to:[{field: "rsa.crypto.cert_keysize", setter: fld_set}]},
- "cert_status": {to:[{field: "rsa.crypto.cert_status", setter: fld_set}]},
- "cert_subject": {to:[{field: "rsa.crypto.cert_subject", setter: fld_set}]},
- "cert_username": {to:[{field: "rsa.crypto.cert_username", setter: fld_set}]},
- "cfg.attr": {to:[{field: "rsa.misc.cfg_attr", setter: fld_set}]},
- "cfg.obj": {to:[{field: "rsa.misc.cfg_obj", setter: fld_set}]},
- "cfg.path": {to:[{field: "rsa.misc.cfg_path", setter: fld_set}]},
- "change_attribute": {to:[{field: "rsa.misc.change_attrib", setter: fld_set}]},
- "change_new": {to:[{field: "rsa.misc.change_new", setter: fld_set}]},
- "change_old": {to:[{field: "rsa.misc.change_old", setter: fld_set}]},
- "changes": {to:[{field: "rsa.misc.changes", setter: fld_set}]},
- "checksum": {to:[{field: "rsa.misc.checksum", setter: fld_set}]},
- "checksum.dst": {to:[{field: "rsa.misc.checksum_dst", setter: fld_set}]},
- "checksum.src": {to:[{field: "rsa.misc.checksum_src", setter: fld_set}]},
- "cid": {to:[{field: "rsa.internal.cid", setter: fld_set}]},
- "client": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 1}]},
- "client_ip": {to:[{field: "rsa.misc.client_ip", setter: fld_set}]},
- "clustermembers": {to:[{field: "rsa.misc.clustermembers", setter: fld_set}]},
- "cmd": {to:[{field: "rsa.misc.cmd", setter: fld_set}]},
- "cn_acttimeout": {to:[{field: "rsa.misc.cn_acttimeout", setter: fld_set}]},
- "cn_asn_dst": {to:[{field: "rsa.web.cn_asn_dst", setter: fld_set}]},
- "cn_asn_src": {to:[{field: "rsa.misc.cn_asn_src", setter: fld_set}]},
- "cn_bgpv4nxthop": {to:[{field: "rsa.misc.cn_bgpv4nxthop", setter: fld_set}]},
- "cn_ctr_dst_code": {to:[{field: "rsa.misc.cn_ctr_dst_code", setter: fld_set}]},
- "cn_dst_tos": {to:[{field: "rsa.misc.cn_dst_tos", setter: fld_set}]},
- "cn_dst_vlan": {to:[{field: "rsa.misc.cn_dst_vlan", setter: fld_set}]},
- "cn_engine_id": {to:[{field: "rsa.misc.cn_engine_id", setter: fld_set}]},
- "cn_engine_type": {to:[{field: "rsa.misc.cn_engine_type", setter: fld_set}]},
- "cn_f_switch": {to:[{field: "rsa.misc.cn_f_switch", setter: fld_set}]},
- "cn_flowsampid": {to:[{field: "rsa.misc.cn_flowsampid", setter: fld_set}]},
- "cn_flowsampintv": {to:[{field: "rsa.misc.cn_flowsampintv", setter: fld_set}]},
- "cn_flowsampmode": {to:[{field: "rsa.misc.cn_flowsampmode", setter: fld_set}]},
- "cn_inacttimeout": {to:[{field: "rsa.misc.cn_inacttimeout", setter: fld_set}]},
- "cn_inpermbyts": {to:[{field: "rsa.misc.cn_inpermbyts", setter: fld_set}]},
- "cn_inpermpckts": {to:[{field: "rsa.misc.cn_inpermpckts", setter: fld_set}]},
- "cn_invalid": {to:[{field: "rsa.misc.cn_invalid", setter: fld_set}]},
- "cn_ip_proto_ver": {to:[{field: "rsa.misc.cn_ip_proto_ver", setter: fld_set}]},
- "cn_ipv4_ident": {to:[{field: "rsa.misc.cn_ipv4_ident", setter: fld_set}]},
- "cn_l_switch": {to:[{field: "rsa.misc.cn_l_switch", setter: fld_set}]},
- "cn_log_did": {to:[{field: "rsa.misc.cn_log_did", setter: fld_set}]},
- "cn_log_rid": {to:[{field: "rsa.misc.cn_log_rid", setter: fld_set}]},
- "cn_max_ttl": {to:[{field: "rsa.misc.cn_max_ttl", setter: fld_set}]},
- "cn_maxpcktlen": {to:[{field: "rsa.misc.cn_maxpcktlen", setter: fld_set}]},
- "cn_min_ttl": {to:[{field: "rsa.misc.cn_min_ttl", setter: fld_set}]},
- "cn_minpcktlen": {to:[{field: "rsa.misc.cn_minpcktlen", setter: fld_set}]},
- "cn_mpls_lbl_1": {to:[{field: "rsa.misc.cn_mpls_lbl_1", setter: fld_set}]},
- "cn_mpls_lbl_10": {to:[{field: "rsa.misc.cn_mpls_lbl_10", setter: fld_set}]},
- "cn_mpls_lbl_2": {to:[{field: "rsa.misc.cn_mpls_lbl_2", setter: fld_set}]},
- "cn_mpls_lbl_3": {to:[{field: "rsa.misc.cn_mpls_lbl_3", setter: fld_set}]},
- "cn_mpls_lbl_4": {to:[{field: "rsa.misc.cn_mpls_lbl_4", setter: fld_set}]},
- "cn_mpls_lbl_5": {to:[{field: "rsa.misc.cn_mpls_lbl_5", setter: fld_set}]},
- "cn_mpls_lbl_6": {to:[{field: "rsa.misc.cn_mpls_lbl_6", setter: fld_set}]},
- "cn_mpls_lbl_7": {to:[{field: "rsa.misc.cn_mpls_lbl_7", setter: fld_set}]},
- "cn_mpls_lbl_8": {to:[{field: "rsa.misc.cn_mpls_lbl_8", setter: fld_set}]},
- "cn_mpls_lbl_9": {to:[{field: "rsa.misc.cn_mpls_lbl_9", setter: fld_set}]},
- "cn_mplstoplabel": {to:[{field: "rsa.misc.cn_mplstoplabel", setter: fld_set}]},
- "cn_mplstoplabip": {to:[{field: "rsa.misc.cn_mplstoplabip", setter: fld_set}]},
- "cn_mul_dst_byt": {to:[{field: "rsa.misc.cn_mul_dst_byt", setter: fld_set}]},
- "cn_mul_dst_pks": {to:[{field: "rsa.misc.cn_mul_dst_pks", setter: fld_set}]},
- "cn_muligmptype": {to:[{field: "rsa.misc.cn_muligmptype", setter: fld_set}]},
- "cn_rpackets": {to:[{field: "rsa.web.cn_rpackets", setter: fld_set}]},
- "cn_sampalgo": {to:[{field: "rsa.misc.cn_sampalgo", setter: fld_set}]},
- "cn_sampint": {to:[{field: "rsa.misc.cn_sampint", setter: fld_set}]},
- "cn_seqctr": {to:[{field: "rsa.misc.cn_seqctr", setter: fld_set}]},
- "cn_spackets": {to:[{field: "rsa.misc.cn_spackets", setter: fld_set}]},
- "cn_src_tos": {to:[{field: "rsa.misc.cn_src_tos", setter: fld_set}]},
- "cn_src_vlan": {to:[{field: "rsa.misc.cn_src_vlan", setter: fld_set}]},
- "cn_sysuptime": {to:[{field: "rsa.misc.cn_sysuptime", setter: fld_set}]},
- "cn_template_id": {to:[{field: "rsa.misc.cn_template_id", setter: fld_set}]},
- "cn_totbytsexp": {to:[{field: "rsa.misc.cn_totbytsexp", setter: fld_set}]},
- "cn_totflowexp": {to:[{field: "rsa.misc.cn_totflowexp", setter: fld_set}]},
- "cn_totpcktsexp": {to:[{field: "rsa.misc.cn_totpcktsexp", setter: fld_set}]},
- "cn_unixnanosecs": {to:[{field: "rsa.misc.cn_unixnanosecs", setter: fld_set}]},
- "cn_v6flowlabel": {to:[{field: "rsa.misc.cn_v6flowlabel", setter: fld_set}]},
- "cn_v6optheaders": {to:[{field: "rsa.misc.cn_v6optheaders", setter: fld_set}]},
- "code": {to:[{field: "rsa.misc.code", setter: fld_set}]},
- "command": {to:[{field: "rsa.misc.command", setter: fld_set}]},
- "comments": {to:[{field: "rsa.misc.comments", setter: fld_set}]},
- "comp_class": {to:[{field: "rsa.misc.comp_class", setter: fld_set}]},
- "comp_name": {to:[{field: "rsa.misc.comp_name", setter: fld_set}]},
- "comp_rbytes": {to:[{field: "rsa.misc.comp_rbytes", setter: fld_set}]},
- "comp_sbytes": {to:[{field: "rsa.misc.comp_sbytes", setter: fld_set}]},
- "component_version": {to:[{field: "rsa.misc.comp_version", setter: fld_set}]},
- "connection_id": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 1}]},
- "connectionid": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 0}]},
- "content": {to:[{field: "rsa.misc.content", setter: fld_set}]},
- "content_type": {to:[{field: "rsa.misc.content_type", setter: fld_set}]},
- "content_version": {to:[{field: "rsa.misc.content_version", setter: fld_set}]},
- "context": {to:[{field: "rsa.misc.context", setter: fld_set}]},
- "count": {to:[{field: "rsa.misc.count", setter: fld_set}]},
- "cpu": {convert: to_long, to:[{field: "rsa.misc.cpu", setter: fld_set}]},
- "cpu_data": {to:[{field: "rsa.misc.cpu_data", setter: fld_set}]},
- "criticality": {to:[{field: "rsa.misc.criticality", setter: fld_set}]},
- "cs_agency_dst": {to:[{field: "rsa.misc.cs_agency_dst", setter: fld_set}]},
- "cs_analyzedby": {to:[{field: "rsa.misc.cs_analyzedby", setter: fld_set}]},
- "cs_av_other": {to:[{field: "rsa.misc.cs_av_other", setter: fld_set}]},
- "cs_av_primary": {to:[{field: "rsa.misc.cs_av_primary", setter: fld_set}]},
- "cs_av_secondary": {to:[{field: "rsa.misc.cs_av_secondary", setter: fld_set}]},
- "cs_bgpv6nxthop": {to:[{field: "rsa.misc.cs_bgpv6nxthop", setter: fld_set}]},
- "cs_bit9status": {to:[{field: "rsa.misc.cs_bit9status", setter: fld_set}]},
- "cs_context": {to:[{field: "rsa.misc.cs_context", setter: fld_set}]},
- "cs_control": {to:[{field: "rsa.misc.cs_control", setter: fld_set}]},
- "cs_data": {to:[{field: "rsa.misc.cs_data", setter: fld_set}]},
- "cs_datecret": {to:[{field: "rsa.misc.cs_datecret", setter: fld_set}]},
- "cs_dst_tld": {to:[{field: "rsa.misc.cs_dst_tld", setter: fld_set}]},
- "cs_eth_dst_ven": {to:[{field: "rsa.misc.cs_eth_dst_ven", setter: fld_set}]},
- "cs_eth_src_ven": {to:[{field: "rsa.misc.cs_eth_src_ven", setter: fld_set}]},
- "cs_event_uuid": {to:[{field: "rsa.misc.cs_event_uuid", setter: fld_set}]},
- "cs_filetype": {to:[{field: "rsa.misc.cs_filetype", setter: fld_set}]},
- "cs_fld": {to:[{field: "rsa.misc.cs_fld", setter: fld_set}]},
- "cs_if_desc": {to:[{field: "rsa.misc.cs_if_desc", setter: fld_set}]},
- "cs_if_name": {to:[{field: "rsa.misc.cs_if_name", setter: fld_set}]},
- "cs_ip_next_hop": {to:[{field: "rsa.misc.cs_ip_next_hop", setter: fld_set}]},
- "cs_ipv4dstpre": {to:[{field: "rsa.misc.cs_ipv4dstpre", setter: fld_set}]},
- "cs_ipv4srcpre": {to:[{field: "rsa.misc.cs_ipv4srcpre", setter: fld_set}]},
- "cs_lifetime": {to:[{field: "rsa.misc.cs_lifetime", setter: fld_set}]},
- "cs_log_medium": {to:[{field: "rsa.misc.cs_log_medium", setter: fld_set}]},
- "cs_loginname": {to:[{field: "rsa.misc.cs_loginname", setter: fld_set}]},
- "cs_modulescore": {to:[{field: "rsa.misc.cs_modulescore", setter: fld_set}]},
- "cs_modulesign": {to:[{field: "rsa.misc.cs_modulesign", setter: fld_set}]},
- "cs_opswatresult": {to:[{field: "rsa.misc.cs_opswatresult", setter: fld_set}]},
- "cs_payload": {to:[{field: "rsa.misc.cs_payload", setter: fld_set}]},
- "cs_registrant": {to:[{field: "rsa.misc.cs_registrant", setter: fld_set}]},
- "cs_registrar": {to:[{field: "rsa.misc.cs_registrar", setter: fld_set}]},
- "cs_represult": {to:[{field: "rsa.misc.cs_represult", setter: fld_set}]},
- "cs_rpayload": {to:[{field: "rsa.misc.cs_rpayload", setter: fld_set}]},
- "cs_sampler_name": {to:[{field: "rsa.misc.cs_sampler_name", setter: fld_set}]},
- "cs_sourcemodule": {to:[{field: "rsa.misc.cs_sourcemodule", setter: fld_set}]},
- "cs_streams": {to:[{field: "rsa.misc.cs_streams", setter: fld_set}]},
- "cs_targetmodule": {to:[{field: "rsa.misc.cs_targetmodule", setter: fld_set}]},
- "cs_v6nxthop": {to:[{field: "rsa.misc.cs_v6nxthop", setter: fld_set}]},
- "cs_whois_server": {to:[{field: "rsa.misc.cs_whois_server", setter: fld_set}]},
- "cs_yararesult": {to:[{field: "rsa.misc.cs_yararesult", setter: fld_set}]},
- "cve": {to:[{field: "rsa.misc.cve", setter: fld_set}]},
- "d_certauth": {to:[{field: "rsa.crypto.d_certauth", setter: fld_set}]},
- "d_cipher": {to:[{field: "rsa.crypto.cipher_dst", setter: fld_set}]},
- "d_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_dst", setter: fld_set}]},
- "d_sslver": {to:[{field: "rsa.crypto.ssl_ver_dst", setter: fld_set}]},
- "data": {to:[{field: "rsa.internal.data", setter: fld_set}]},
- "data_type": {to:[{field: "rsa.misc.data_type", setter: fld_set}]},
- "date": {to:[{field: "rsa.time.date", setter: fld_set}]},
- "datetime": {to:[{field: "rsa.time.datetime", setter: fld_set}]},
- "day": {to:[{field: "rsa.time.day", setter: fld_set}]},
- "db_id": {to:[{field: "rsa.db.db_id", setter: fld_set}]},
- "db_name": {to:[{field: "rsa.db.database", setter: fld_set}]},
- "db_pid": {convert: to_long, to:[{field: "rsa.db.db_pid", setter: fld_set}]},
- "dclass_counter1": {convert: to_long, to:[{field: "rsa.counters.dclass_c1", setter: fld_set}]},
- "dclass_counter1_string": {to:[{field: "rsa.counters.dclass_c1_str", setter: fld_set}]},
- "dclass_counter2": {convert: to_long, to:[{field: "rsa.counters.dclass_c2", setter: fld_set}]},
- "dclass_counter2_string": {to:[{field: "rsa.counters.dclass_c2_str", setter: fld_set}]},
- "dclass_counter3": {convert: to_long, to:[{field: "rsa.counters.dclass_c3", setter: fld_set}]},
- "dclass_counter3_string": {to:[{field: "rsa.counters.dclass_c3_str", setter: fld_set}]},
- "dclass_ratio1": {to:[{field: "rsa.counters.dclass_r1", setter: fld_set}]},
- "dclass_ratio1_string": {to:[{field: "rsa.counters.dclass_r1_str", setter: fld_set}]},
- "dclass_ratio2": {to:[{field: "rsa.counters.dclass_r2", setter: fld_set}]},
- "dclass_ratio2_string": {to:[{field: "rsa.counters.dclass_r2_str", setter: fld_set}]},
- "dclass_ratio3": {to:[{field: "rsa.counters.dclass_r3", setter: fld_set}]},
- "dclass_ratio3_string": {to:[{field: "rsa.counters.dclass_r3_str", setter: fld_set}]},
- "dead": {convert: to_long, to:[{field: "rsa.internal.dead", setter: fld_set}]},
- "description": {to:[{field: "rsa.misc.description", setter: fld_set}]},
- "detail": {to:[{field: "rsa.misc.event_desc", setter: fld_set}]},
- "device": {to:[{field: "rsa.misc.device_name", setter: fld_set}]},
- "device.class": {to:[{field: "rsa.internal.device_class", setter: fld_set}]},
- "device.group": {to:[{field: "rsa.internal.device_group", setter: fld_set}]},
- "device.host": {to:[{field: "rsa.internal.device_host", setter: fld_set}]},
- "device.ip": {convert: to_ip, to:[{field: "rsa.internal.device_ip", setter: fld_set}]},
- "device.ipv6": {convert: to_ip, to:[{field: "rsa.internal.device_ipv6", setter: fld_set}]},
- "device.type": {to:[{field: "rsa.internal.device_type", setter: fld_set}]},
- "device.type.id": {convert: to_long, to:[{field: "rsa.internal.device_type_id", setter: fld_set}]},
- "devicehostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
- "devvendor": {to:[{field: "rsa.misc.devvendor", setter: fld_set}]},
- "dhost": {to:[{field: "rsa.network.host_dst", setter: fld_set}]},
- "did": {to:[{field: "rsa.internal.did", setter: fld_set}]},
- "dinterface": {to:[{field: "rsa.network.dinterface", setter: fld_set}]},
- "directory.dst": {to:[{field: "rsa.file.directory_dst", setter: fld_set}]},
- "directory.src": {to:[{field: "rsa.file.directory_src", setter: fld_set}]},
- "disk_volume": {to:[{field: "rsa.storage.disk_volume", setter: fld_set}]},
- "disposition": {to:[{field: "rsa.misc.disposition", setter: fld_set}]},
- "distance": {to:[{field: "rsa.misc.distance", setter: fld_set}]},
- "dmask": {to:[{field: "rsa.network.dmask", setter: fld_set}]},
- "dn": {to:[{field: "rsa.identity.dn", setter: fld_set}]},
- "dns_a_record": {to:[{field: "rsa.network.dns_a_record", setter: fld_set}]},
- "dns_cname_record": {to:[{field: "rsa.network.dns_cname_record", setter: fld_set}]},
- "dns_id": {to:[{field: "rsa.network.dns_id", setter: fld_set}]},
- "dns_opcode": {to:[{field: "rsa.network.dns_opcode", setter: fld_set}]},
- "dns_ptr_record": {to:[{field: "rsa.network.dns_ptr_record", setter: fld_set}]},
- "dns_resp": {to:[{field: "rsa.network.dns_resp", setter: fld_set}]},
- "dns_type": {to:[{field: "rsa.network.dns_type", setter: fld_set}]},
- "doc_number": {convert: to_long, to:[{field: "rsa.misc.doc_number", setter: fld_set}]},
- "domain": {to:[{field: "rsa.network.domain", setter: fld_set}]},
- "domain1": {to:[{field: "rsa.network.domain1", setter: fld_set}]},
- "dst_dn": {to:[{field: "rsa.identity.dn_dst", setter: fld_set}]},
- "dst_payload": {to:[{field: "rsa.misc.payload_dst", setter: fld_set}]},
- "dst_spi": {to:[{field: "rsa.misc.spi_dst", setter: fld_set}]},
- "dst_zone": {to:[{field: "rsa.network.zone_dst", setter: fld_set}]},
- "dstburb": {to:[{field: "rsa.misc.dstburb", setter: fld_set}]},
- "duration": {convert: to_double, to:[{field: "rsa.time.duration_time", setter: fld_set}]},
- "duration_string": {to:[{field: "rsa.time.duration_str", setter: fld_set}]},
- "ec_activity": {to:[{field: "rsa.investigations.ec_activity", setter: fld_set}]},
- "ec_outcome": {to:[{field: "rsa.investigations.ec_outcome", setter: fld_set}]},
- "ec_subject": {to:[{field: "rsa.investigations.ec_subject", setter: fld_set}]},
- "ec_theme": {to:[{field: "rsa.investigations.ec_theme", setter: fld_set}]},
- "edomain": {to:[{field: "rsa.misc.edomain", setter: fld_set}]},
- "edomaub": {to:[{field: "rsa.misc.edomaub", setter: fld_set}]},
- "effective_time": {convert: to_date, to:[{field: "rsa.time.effective_time", setter: fld_set}]},
- "ein.number": {convert: to_long, to:[{field: "rsa.misc.ein_number", setter: fld_set}]},
- "email": {to:[{field: "rsa.email.email", setter: fld_append}]},
- "encryption_type": {to:[{field: "rsa.crypto.crypto", setter: fld_set}]},
- "endtime": {convert: to_date, to:[{field: "rsa.time.endtime", setter: fld_set}]},
- "entropy.req": {convert: to_long, to:[{field: "rsa.internal.entropy_req", setter: fld_set}]},
- "entropy.res": {convert: to_long, to:[{field: "rsa.internal.entropy_res", setter: fld_set}]},
- "entry": {to:[{field: "rsa.internal.entry", setter: fld_set}]},
- "eoc": {to:[{field: "rsa.investigations.eoc", setter: fld_set}]},
- "error": {to:[{field: "rsa.misc.error", setter: fld_set}]},
- "eth_type": {convert: to_long, to:[{field: "rsa.network.eth_type", setter: fld_set}]},
- "euid": {to:[{field: "rsa.misc.euid", setter: fld_set}]},
- "event.cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 1}]},
- "event.cat.name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 1}]},
- "event_cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 0}]},
- "event_cat_name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 0}]},
- "event_category": {to:[{field: "rsa.misc.event_category", setter: fld_set}]},
- "event_computer": {to:[{field: "rsa.misc.event_computer", setter: fld_set}]},
- "event_counter": {convert: to_long, to:[{field: "rsa.counters.event_counter", setter: fld_set}]},
- "event_description": {to:[{field: "rsa.internal.event_desc", setter: fld_set}]},
- "event_id": {to:[{field: "rsa.misc.event_id", setter: fld_set}]},
- "event_log": {to:[{field: "rsa.misc.event_log", setter: fld_set}]},
- "event_name": {to:[{field: "rsa.internal.event_name", setter: fld_set}]},
- "event_queue_time": {convert: to_date, to:[{field: "rsa.time.event_queue_time", setter: fld_set}]},
- "event_source": {to:[{field: "rsa.misc.event_source", setter: fld_set}]},
- "event_state": {to:[{field: "rsa.misc.event_state", setter: fld_set}]},
- "event_time": {convert: to_date, to:[{field: "rsa.time.event_time", setter: fld_set}]},
- "event_time_str": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 1}]},
- "event_time_string": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 0}]},
- "event_type": {to:[{field: "rsa.misc.event_type", setter: fld_set}]},
- "event_user": {to:[{field: "rsa.misc.event_user", setter: fld_set}]},
- "eventtime": {to:[{field: "rsa.time.eventtime", setter: fld_set}]},
- "expected_val": {to:[{field: "rsa.misc.expected_val", setter: fld_set}]},
- "expiration_time": {convert: to_date, to:[{field: "rsa.time.expire_time", setter: fld_set}]},
- "expiration_time_string": {to:[{field: "rsa.time.expire_time_str", setter: fld_set}]},
- "facility": {to:[{field: "rsa.misc.facility", setter: fld_set}]},
- "facilityname": {to:[{field: "rsa.misc.facilityname", setter: fld_set}]},
- "faddr": {to:[{field: "rsa.network.faddr", setter: fld_set}]},
- "fcatnum": {to:[{field: "rsa.misc.fcatnum", setter: fld_set}]},
- "federated_idp": {to:[{field: "rsa.identity.federated_idp", setter: fld_set}]},
- "federated_sp": {to:[{field: "rsa.identity.federated_sp", setter: fld_set}]},
- "feed.category": {to:[{field: "rsa.internal.feed_category", setter: fld_set}]},
- "feed_desc": {to:[{field: "rsa.internal.feed_desc", setter: fld_set}]},
- "feed_name": {to:[{field: "rsa.internal.feed_name", setter: fld_set}]},
- "fhost": {to:[{field: "rsa.network.fhost", setter: fld_set}]},
- "file_entropy": {convert: to_double, to:[{field: "rsa.file.file_entropy", setter: fld_set}]},
- "file_vendor": {to:[{field: "rsa.file.file_vendor", setter: fld_set}]},
- "filename_dst": {to:[{field: "rsa.file.filename_dst", setter: fld_set}]},
- "filename_src": {to:[{field: "rsa.file.filename_src", setter: fld_set}]},
- "filename_tmp": {to:[{field: "rsa.file.filename_tmp", setter: fld_set}]},
- "filesystem": {to:[{field: "rsa.file.filesystem", setter: fld_set}]},
- "filter": {to:[{field: "rsa.misc.filter", setter: fld_set}]},
- "finterface": {to:[{field: "rsa.misc.finterface", setter: fld_set}]},
- "flags": {to:[{field: "rsa.misc.flags", setter: fld_set}]},
- "forensic_info": {to:[{field: "rsa.misc.forensic_info", setter: fld_set}]},
- "forward.ip": {convert: to_ip, to:[{field: "rsa.internal.forward_ip", setter: fld_set}]},
- "forward.ipv6": {convert: to_ip, to:[{field: "rsa.internal.forward_ipv6", setter: fld_set}]},
- "found": {to:[{field: "rsa.misc.found", setter: fld_set}]},
- "fport": {to:[{field: "rsa.network.fport", setter: fld_set}]},
- "fqdn": {to:[{field: "rsa.web.fqdn", setter: fld_set}]},
- "fresult": {convert: to_long, to:[{field: "rsa.misc.fresult", setter: fld_set}]},
- "from": {to:[{field: "rsa.email.email_src", setter: fld_set}]},
- "gaddr": {to:[{field: "rsa.misc.gaddr", setter: fld_set}]},
- "gateway": {to:[{field: "rsa.network.gateway", setter: fld_set}]},
- "gmtdate": {to:[{field: "rsa.time.gmtdate", setter: fld_set}]},
- "gmttime": {to:[{field: "rsa.time.gmttime", setter: fld_set}]},
- "group": {to:[{field: "rsa.misc.group", setter: fld_set}]},
- "group_object": {to:[{field: "rsa.misc.group_object", setter: fld_set}]},
- "groupid": {to:[{field: "rsa.misc.group_id", setter: fld_set}]},
- "h_code": {to:[{field: "rsa.internal.hcode", setter: fld_set}]},
- "hardware_id": {to:[{field: "rsa.misc.hardware_id", setter: fld_set}]},
- "header.id": {to:[{field: "rsa.internal.header_id", setter: fld_set}]},
- "host.orig": {to:[{field: "rsa.network.host_orig", setter: fld_set}]},
- "host.state": {to:[{field: "rsa.endpoint.host_state", setter: fld_set}]},
- "host.type": {to:[{field: "rsa.network.host_type", setter: fld_set}]},
- "host_role": {to:[{field: "rsa.identity.host_role", setter: fld_set}]},
- "hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
- "hostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
- "hour": {to:[{field: "rsa.time.hour", setter: fld_set}]},
- "https.insact": {to:[{field: "rsa.crypto.https_insact", setter: fld_set}]},
- "https.valid": {to:[{field: "rsa.crypto.https_valid", setter: fld_set}]},
- "icmpcode": {convert: to_long, to:[{field: "rsa.network.icmp_code", setter: fld_set}]},
- "icmptype": {convert: to_long, to:[{field: "rsa.network.icmp_type", setter: fld_set}]},
- "id": {to:[{field: "rsa.misc.reference_id", setter: fld_set}]},
- "id1": {to:[{field: "rsa.misc.reference_id1", setter: fld_set}]},
- "id2": {to:[{field: "rsa.misc.reference_id2", setter: fld_set}]},
- "id3": {to:[{field: "rsa.misc.id3", setter: fld_set}]},
- "ike": {to:[{field: "rsa.crypto.ike", setter: fld_set}]},
- "ike_cookie1": {to:[{field: "rsa.crypto.ike_cookie1", setter: fld_set}]},
- "ike_cookie2": {to:[{field: "rsa.crypto.ike_cookie2", setter: fld_set}]},
- "im_buddyid": {to:[{field: "rsa.misc.im_buddyid", setter: fld_set}]},
- "im_buddyname": {to:[{field: "rsa.misc.im_buddyname", setter: fld_set}]},
- "im_client": {to:[{field: "rsa.misc.im_client", setter: fld_set}]},
- "im_croomid": {to:[{field: "rsa.misc.im_croomid", setter: fld_set}]},
- "im_croomtype": {to:[{field: "rsa.misc.im_croomtype", setter: fld_set}]},
- "im_members": {to:[{field: "rsa.misc.im_members", setter: fld_set}]},
- "im_userid": {to:[{field: "rsa.misc.im_userid", setter: fld_set}]},
- "im_username": {to:[{field: "rsa.misc.im_username", setter: fld_set}]},
- "index": {to:[{field: "rsa.misc.index", setter: fld_set}]},
- "info": {to:[{field: "rsa.db.index", setter: fld_set}]},
- "inode": {convert: to_long, to:[{field: "rsa.internal.inode", setter: fld_set}]},
- "inout": {to:[{field: "rsa.misc.inout", setter: fld_set}]},
- "instance": {to:[{field: "rsa.db.instance", setter: fld_set}]},
- "interface": {to:[{field: "rsa.network.interface", setter: fld_set}]},
- "inv.category": {to:[{field: "rsa.investigations.inv_category", setter: fld_set}]},
- "inv.context": {to:[{field: "rsa.investigations.inv_context", setter: fld_set}]},
- "ioc": {to:[{field: "rsa.investigations.ioc", setter: fld_set}]},
- "ip_proto": {convert: to_long, to:[{field: "rsa.network.ip_proto", setter: fld_set}]},
- "ipkt": {to:[{field: "rsa.misc.ipkt", setter: fld_set}]},
- "ipscat": {to:[{field: "rsa.misc.ipscat", setter: fld_set}]},
- "ipspri": {to:[{field: "rsa.misc.ipspri", setter: fld_set}]},
- "jobname": {to:[{field: "rsa.misc.jobname", setter: fld_set}]},
- "jobnum": {to:[{field: "rsa.misc.job_num", setter: fld_set}]},
- "laddr": {to:[{field: "rsa.network.laddr", setter: fld_set}]},
- "language": {to:[{field: "rsa.misc.language", setter: fld_set}]},
- "latitude": {to:[{field: "rsa.misc.latitude", setter: fld_set}]},
- "lc.cid": {to:[{field: "rsa.internal.lc_cid", setter: fld_set}]},
- "lc.ctime": {convert: to_date, to:[{field: "rsa.internal.lc_ctime", setter: fld_set}]},
- "ldap": {to:[{field: "rsa.identity.ldap", setter: fld_set}]},
- "ldap.query": {to:[{field: "rsa.identity.ldap_query", setter: fld_set}]},
- "ldap.response": {to:[{field: "rsa.identity.ldap_response", setter: fld_set}]},
- "level": {convert: to_long, to:[{field: "rsa.internal.level", setter: fld_set}]},
- "lhost": {to:[{field: "rsa.network.lhost", setter: fld_set}]},
- "library": {to:[{field: "rsa.misc.library", setter: fld_set}]},
- "lifetime":
{convert: to_long, to:[{field: "rsa.misc.lifetime", setter: fld_set}]}, - "linenum": {to:[{field: "rsa.misc.linenum", setter: fld_set}]}, - "link": {to:[{field: "rsa.misc.link", setter: fld_set}]}, - "linterface": {to:[{field: "rsa.network.linterface", setter: fld_set}]}, - "list_name": {to:[{field: "rsa.misc.list_name", setter: fld_set}]}, - "listnum": {to:[{field: "rsa.misc.listnum", setter: fld_set}]}, - "load_data": {to:[{field: "rsa.misc.load_data", setter: fld_set}]}, - "location_floor": {to:[{field: "rsa.misc.location_floor", setter: fld_set}]}, - "location_mark": {to:[{field: "rsa.misc.location_mark", setter: fld_set}]}, - "log_id": {to:[{field: "rsa.misc.log_id", setter: fld_set}]}, - "log_type": {to:[{field: "rsa.misc.log_type", setter: fld_set}]}, - "logid": {to:[{field: "rsa.misc.logid", setter: fld_set}]}, - "logip": {to:[{field: "rsa.misc.logip", setter: fld_set}]}, - "logname": {to:[{field: "rsa.misc.logname", setter: fld_set}]}, - "logon_type": {to:[{field: "rsa.identity.logon_type", setter: fld_set}]}, - "logon_type_desc": {to:[{field: "rsa.identity.logon_type_desc", setter: fld_set}]}, - "longitude": {to:[{field: "rsa.misc.longitude", setter: fld_set}]}, - "lport": {to:[{field: "rsa.misc.lport", setter: fld_set}]}, - "lread": {convert: to_long, to:[{field: "rsa.db.lread", setter: fld_set}]}, - "lun": {to:[{field: "rsa.storage.lun", setter: fld_set}]}, - "lwrite": {convert: to_long, to:[{field: "rsa.db.lwrite", setter: fld_set}]}, - "macaddr": {convert: to_mac, to:[{field: "rsa.network.eth_host", setter: fld_set}]}, - "mail_id": {to:[{field: "rsa.misc.mail_id", setter: fld_set}]}, - "mask": {to:[{field: "rsa.network.mask", setter: fld_set}]}, - "match": {to:[{field: "rsa.misc.match", setter: fld_set}]}, - "mbug_data": {to:[{field: "rsa.misc.mbug_data", setter: fld_set}]}, - "mcb.req": {convert: to_long, to:[{field: "rsa.internal.mcb_req", setter: fld_set}]}, - "mcb.res": {convert: to_long, to:[{field: "rsa.internal.mcb_res", setter: fld_set}]}, - 
"mcbc.req": {convert: to_long, to:[{field: "rsa.internal.mcbc_req", setter: fld_set}]}, - "mcbc.res": {convert: to_long, to:[{field: "rsa.internal.mcbc_res", setter: fld_set}]}, - "medium": {convert: to_long, to:[{field: "rsa.internal.medium", setter: fld_set}]}, - "message": {to:[{field: "rsa.internal.message", setter: fld_set}]}, - "message_body": {to:[{field: "rsa.misc.message_body", setter: fld_set}]}, - "messageid": {to:[{field: "rsa.internal.messageid", setter: fld_set}]}, - "min": {to:[{field: "rsa.time.min", setter: fld_set}]}, - "misc": {to:[{field: "rsa.misc.misc", setter: fld_set}]}, - "misc_name": {to:[{field: "rsa.misc.misc_name", setter: fld_set}]}, - "mode": {to:[{field: "rsa.misc.mode", setter: fld_set}]}, - "month": {to:[{field: "rsa.time.month", setter: fld_set}]}, - "msg": {to:[{field: "rsa.internal.msg", setter: fld_set}]}, - "msgIdPart1": {to:[{field: "rsa.misc.msgIdPart1", setter: fld_set}]}, - "msgIdPart2": {to:[{field: "rsa.misc.msgIdPart2", setter: fld_set}]}, - "msgIdPart3": {to:[{field: "rsa.misc.msgIdPart3", setter: fld_set}]}, - "msgIdPart4": {to:[{field: "rsa.misc.msgIdPart4", setter: fld_set}]}, - "msg_id": {to:[{field: "rsa.internal.msg_id", setter: fld_set}]}, - "msg_type": {to:[{field: "rsa.misc.msg_type", setter: fld_set}]}, - "msgid": {to:[{field: "rsa.misc.msgid", setter: fld_set}]}, - "name": {to:[{field: "rsa.misc.name", setter: fld_set}]}, - "netname": {to:[{field: "rsa.network.netname", setter: fld_set}]}, - "netsessid": {to:[{field: "rsa.misc.netsessid", setter: fld_set}]}, - "network_port": {convert: to_long, to:[{field: "rsa.network.network_port", setter: fld_set}]}, - "network_service": {to:[{field: "rsa.network.network_service", setter: fld_set}]}, - "node": {to:[{field: "rsa.misc.node", setter: fld_set}]}, - "nodename": {to:[{field: "rsa.internal.node_name", setter: fld_set}]}, - "ntype": {to:[{field: "rsa.misc.ntype", setter: fld_set}]}, - "num": {to:[{field: "rsa.misc.num", setter: fld_set}]}, - "number": 
{to:[{field: "rsa.misc.number", setter: fld_set}]}, - "number1": {to:[{field: "rsa.misc.number1", setter: fld_set}]}, - "number2": {to:[{field: "rsa.misc.number2", setter: fld_set}]}, - "nwe.callback_id": {to:[{field: "rsa.internal.nwe_callback_id", setter: fld_set}]}, - "nwwn": {to:[{field: "rsa.misc.nwwn", setter: fld_set}]}, - "obj_id": {to:[{field: "rsa.internal.obj_id", setter: fld_set}]}, - "obj_name": {to:[{field: "rsa.misc.obj_name", setter: fld_set}]}, - "obj_server": {to:[{field: "rsa.internal.obj_server", setter: fld_set}]}, - "obj_type": {to:[{field: "rsa.misc.obj_type", setter: fld_set}]}, - "obj_value": {to:[{field: "rsa.internal.obj_val", setter: fld_set}]}, - "object": {to:[{field: "rsa.misc.object", setter: fld_set}]}, - "observed_val": {to:[{field: "rsa.misc.observed_val", setter: fld_set}]}, - "operation": {to:[{field: "rsa.misc.operation", setter: fld_set}]}, - "operation_id": {to:[{field: "rsa.misc.operation_id", setter: fld_set}]}, - "opkt": {to:[{field: "rsa.misc.opkt", setter: fld_set}]}, - "org.dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 1}]}, - "org.src": {to:[{field: "rsa.physical.org_src", setter: fld_set}]}, - "org_dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 0}]}, - "orig_from": {to:[{field: "rsa.misc.orig_from", setter: fld_set}]}, - "origin": {to:[{field: "rsa.network.origin", setter: fld_set}]}, - "original_owner": {to:[{field: "rsa.identity.owner", setter: fld_set}]}, - "os": {to:[{field: "rsa.misc.OS", setter: fld_set}]}, - "owner_id": {to:[{field: "rsa.misc.owner_id", setter: fld_set}]}, - "p_action": {to:[{field: "rsa.misc.p_action", setter: fld_set}]}, - "p_date": {to:[{field: "rsa.time.p_date", setter: fld_set}]}, - "p_filter": {to:[{field: "rsa.misc.p_filter", setter: fld_set}]}, - "p_group_object": {to:[{field: "rsa.misc.p_group_object", setter: fld_set}]}, - "p_id": {to:[{field: "rsa.misc.p_id", setter: fld_set}]}, - "p_month": {to:[{field: "rsa.time.p_month", setter: fld_set}]}, 
- "p_msgid": {to:[{field: "rsa.misc.p_msgid", setter: fld_set}]}, - "p_msgid1": {to:[{field: "rsa.misc.p_msgid1", setter: fld_set}]}, - "p_msgid2": {to:[{field: "rsa.misc.p_msgid2", setter: fld_set}]}, - "p_result1": {to:[{field: "rsa.misc.p_result1", setter: fld_set}]}, - "p_time": {to:[{field: "rsa.time.p_time", setter: fld_set}]}, - "p_time1": {to:[{field: "rsa.time.p_time1", setter: fld_set}]}, - "p_time2": {to:[{field: "rsa.time.p_time2", setter: fld_set}]}, - "p_url": {to:[{field: "rsa.web.p_url", setter: fld_set}]}, - "p_user_agent": {to:[{field: "rsa.web.p_user_agent", setter: fld_set}]}, - "p_web_cookie": {to:[{field: "rsa.web.p_web_cookie", setter: fld_set}]}, - "p_web_method": {to:[{field: "rsa.web.p_web_method", setter: fld_set}]}, - "p_web_referer": {to:[{field: "rsa.web.p_web_referer", setter: fld_set}]}, - "p_year": {to:[{field: "rsa.time.p_year", setter: fld_set}]}, - "packet_length": {to:[{field: "rsa.network.packet_length", setter: fld_set}]}, - "paddr": {convert: to_ip, to:[{field: "rsa.network.paddr", setter: fld_set}]}, - "param": {to:[{field: "rsa.misc.param", setter: fld_set}]}, - "param.dst": {to:[{field: "rsa.misc.param_dst", setter: fld_set}]}, - "param.src": {to:[{field: "rsa.misc.param_src", setter: fld_set}]}, - "parent_node": {to:[{field: "rsa.misc.parent_node", setter: fld_set}]}, - "parse.error": {to:[{field: "rsa.internal.parse_error", setter: fld_set}]}, - "password": {to:[{field: "rsa.identity.password", setter: fld_set}]}, - "password_chg": {to:[{field: "rsa.misc.password_chg", setter: fld_set}]}, - "password_expire": {to:[{field: "rsa.misc.password_expire", setter: fld_set}]}, - "patient_fname": {to:[{field: "rsa.healthcare.patient_fname", setter: fld_set}]}, - "patient_id": {to:[{field: "rsa.healthcare.patient_id", setter: fld_set}]}, - "patient_lname": {to:[{field: "rsa.healthcare.patient_lname", setter: fld_set}]}, - "patient_mname": {to:[{field: "rsa.healthcare.patient_mname", setter: fld_set}]}, - "payload.req": {convert: 
to_long, to:[{field: "rsa.internal.payload_req", setter: fld_set}]}, - "payload.res": {convert: to_long, to:[{field: "rsa.internal.payload_res", setter: fld_set}]}, - "peer": {to:[{field: "rsa.crypto.peer", setter: fld_set}]}, - "peer_id": {to:[{field: "rsa.crypto.peer_id", setter: fld_set}]}, - "permgranted": {to:[{field: "rsa.misc.permgranted", setter: fld_set}]}, - "permissions": {to:[{field: "rsa.db.permissions", setter: fld_set}]}, - "permwanted": {to:[{field: "rsa.misc.permwanted", setter: fld_set}]}, - "pgid": {to:[{field: "rsa.misc.pgid", setter: fld_set}]}, - "phone_number": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 2}]}, - "phost": {to:[{field: "rsa.network.phost", setter: fld_set}]}, - "pid": {to:[{field: "rsa.misc.pid", setter: fld_set}]}, - "policy": {to:[{field: "rsa.misc.policy", setter: fld_set}]}, - "policyUUID": {to:[{field: "rsa.misc.policyUUID", setter: fld_set}]}, - "policy_id": {to:[{field: "rsa.misc.policy_id", setter: fld_set}]}, - "policy_value": {to:[{field: "rsa.misc.policy_value", setter: fld_set}]}, - "policy_waiver": {to:[{field: "rsa.misc.policy_waiver", setter: fld_set}]}, - "policyname": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 0}]}, - "pool_id": {to:[{field: "rsa.misc.pool_id", setter: fld_set}]}, - "pool_name": {to:[{field: "rsa.misc.pool_name", setter: fld_set}]}, - "port": {convert: to_long, to:[{field: "rsa.network.port", setter: fld_set}]}, - "portname": {to:[{field: "rsa.misc.port_name", setter: fld_set}]}, - "pread": {convert: to_long, to:[{field: "rsa.db.pread", setter: fld_set}]}, - "priority": {to:[{field: "rsa.misc.priority", setter: fld_set}]}, - "privilege": {to:[{field: "rsa.file.privilege", setter: fld_set}]}, - "process.vid.dst": {to:[{field: "rsa.internal.process_vid_dst", setter: fld_set}]}, - "process.vid.src": {to:[{field: "rsa.internal.process_vid_src", setter: fld_set}]}, - "process_id_val": {to:[{field: "rsa.misc.process_id_val", setter: fld_set}]}, - "processing_time": 
{to:[{field: "rsa.time.process_time", setter: fld_set}]}, - "profile": {to:[{field: "rsa.identity.profile", setter: fld_set}]}, - "prog_asp_num": {to:[{field: "rsa.misc.prog_asp_num", setter: fld_set}]}, - "program": {to:[{field: "rsa.misc.program", setter: fld_set}]}, - "protocol_detail": {to:[{field: "rsa.network.protocol_detail", setter: fld_set}]}, - "pwwn": {to:[{field: "rsa.storage.pwwn", setter: fld_set}]}, - "r_hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "real_data": {to:[{field: "rsa.misc.real_data", setter: fld_set}]}, - "realm": {to:[{field: "rsa.identity.realm", setter: fld_set}]}, - "reason": {to:[{field: "rsa.misc.reason", setter: fld_set}]}, - "rec_asp_device": {to:[{field: "rsa.misc.rec_asp_device", setter: fld_set}]}, - "rec_asp_num": {to:[{field: "rsa.misc.rec_asp_num", setter: fld_set}]}, - "rec_library": {to:[{field: "rsa.misc.rec_library", setter: fld_set}]}, - "recorded_time": {convert: to_date, to:[{field: "rsa.time.recorded_time", setter: fld_set}]}, - "recordnum": {to:[{field: "rsa.misc.recordnum", setter: fld_set}]}, - "registry.key": {to:[{field: "rsa.endpoint.registry_key", setter: fld_set}]}, - "registry.value": {to:[{field: "rsa.endpoint.registry_value", setter: fld_set}]}, - "remote_domain": {to:[{field: "rsa.web.remote_domain", setter: fld_set}]}, - "remote_domain_id": {to:[{field: "rsa.network.remote_domain_id", setter: fld_set}]}, - "reputation_num": {convert: to_double, to:[{field: "rsa.web.reputation_num", setter: fld_set}]}, - "resource": {to:[{field: "rsa.internal.resource", setter: fld_set}]}, - "resource_class": {to:[{field: "rsa.internal.resource_class", setter: fld_set}]}, - "result": {to:[{field: "rsa.misc.result", setter: fld_set}]}, - "result_code": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 1}]}, - "resultcode": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 0}]}, - "rid": {convert: to_long, to:[{field: "rsa.internal.rid", setter: fld_set}]}, - "risk": 
{to:[{field: "rsa.misc.risk", setter: fld_set}]}, - "risk_info": {to:[{field: "rsa.misc.risk_info", setter: fld_set}]}, - "risk_num": {convert: to_double, to:[{field: "rsa.misc.risk_num", setter: fld_set}]}, - "risk_num_comm": {convert: to_double, to:[{field: "rsa.misc.risk_num_comm", setter: fld_set}]}, - "risk_num_next": {convert: to_double, to:[{field: "rsa.misc.risk_num_next", setter: fld_set}]}, - "risk_num_sand": {convert: to_double, to:[{field: "rsa.misc.risk_num_sand", setter: fld_set}]}, - "risk_num_static": {convert: to_double, to:[{field: "rsa.misc.risk_num_static", setter: fld_set}]}, - "risk_suspicious": {to:[{field: "rsa.misc.risk_suspicious", setter: fld_set}]}, - "risk_warning": {to:[{field: "rsa.misc.risk_warning", setter: fld_set}]}, - "rpayload": {to:[{field: "rsa.network.rpayload", setter: fld_set}]}, - "ruid": {to:[{field: "rsa.misc.ruid", setter: fld_set}]}, - "rule": {to:[{field: "rsa.misc.rule", setter: fld_set}]}, - "rule_group": {to:[{field: "rsa.misc.rule_group", setter: fld_set}]}, - "rule_template": {to:[{field: "rsa.misc.rule_template", setter: fld_set}]}, - "rule_uid": {to:[{field: "rsa.misc.rule_uid", setter: fld_set}]}, - "rulename": {to:[{field: "rsa.misc.rule_name", setter: fld_set}]}, - "s_certauth": {to:[{field: "rsa.crypto.s_certauth", setter: fld_set}]}, - "s_cipher": {to:[{field: "rsa.crypto.cipher_src", setter: fld_set}]}, - "s_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_src", setter: fld_set}]}, - "s_context": {to:[{field: "rsa.misc.context_subject", setter: fld_set}]}, - "s_sslver": {to:[{field: "rsa.crypto.ssl_ver_src", setter: fld_set}]}, - "sburb": {to:[{field: "rsa.misc.sburb", setter: fld_set}]}, - "scheme": {to:[{field: "rsa.crypto.scheme", setter: fld_set}]}, - "sdomain_fld": {to:[{field: "rsa.misc.sdomain_fld", setter: fld_set}]}, - "search.text": {to:[{field: "rsa.misc.search_text", setter: fld_set}]}, - "sec": {to:[{field: "rsa.misc.sec", setter: fld_set}]}, - "second": {to:[{field: 
"rsa.misc.second", setter: fld_set}]}, - "sensor": {to:[{field: "rsa.misc.sensor", setter: fld_set}]}, - "sensorname": {to:[{field: "rsa.misc.sensorname", setter: fld_set}]}, - "seqnum": {to:[{field: "rsa.misc.seqnum", setter: fld_set}]}, - "serial_number": {to:[{field: "rsa.misc.serial_number", setter: fld_set}]}, - "service.account": {to:[{field: "rsa.identity.service_account", setter: fld_set}]}, - "session": {to:[{field: "rsa.misc.session", setter: fld_set}]}, - "session.split": {to:[{field: "rsa.internal.session_split", setter: fld_set}]}, - "sessionid": {to:[{field: "rsa.misc.log_session_id", setter: fld_set}]}, - "sessionid1": {to:[{field: "rsa.misc.log_session_id1", setter: fld_set}]}, - "sessiontype": {to:[{field: "rsa.misc.sessiontype", setter: fld_set}]}, - "severity": {to:[{field: "rsa.misc.severity", setter: fld_set}]}, - "sid": {to:[{field: "rsa.identity.user_sid_dst", setter: fld_set}]}, - "sig.name": {to:[{field: "rsa.misc.sig_name", setter: fld_set}]}, - "sigUUID": {to:[{field: "rsa.misc.sigUUID", setter: fld_set}]}, - "sigcat": {to:[{field: "rsa.misc.sigcat", setter: fld_set}]}, - "sigid": {convert: to_long, to:[{field: "rsa.misc.sig_id", setter: fld_set}]}, - "sigid1": {convert: to_long, to:[{field: "rsa.misc.sig_id1", setter: fld_set}]}, - "sigid_string": {to:[{field: "rsa.misc.sig_id_str", setter: fld_set}]}, - "signame": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 1}]}, - "sigtype": {to:[{field: "rsa.crypto.sig_type", setter: fld_set}]}, - "sinterface": {to:[{field: "rsa.network.sinterface", setter: fld_set}]}, - "site": {to:[{field: "rsa.internal.site", setter: fld_set}]}, - "size": {convert: to_long, to:[{field: "rsa.internal.size", setter: fld_set}]}, - "smask": {to:[{field: "rsa.network.smask", setter: fld_set}]}, - "snmp.oid": {to:[{field: "rsa.misc.snmp_oid", setter: fld_set}]}, - "snmp.value": {to:[{field: "rsa.misc.snmp_value", setter: fld_set}]}, - "sourcefile": {to:[{field: "rsa.internal.sourcefile", setter: 
fld_set}]}, - "space": {to:[{field: "rsa.misc.space", setter: fld_set}]}, - "space1": {to:[{field: "rsa.misc.space1", setter: fld_set}]}, - "spi": {to:[{field: "rsa.misc.spi", setter: fld_set}]}, - "sql": {to:[{field: "rsa.misc.sql", setter: fld_set}]}, - "src_dn": {to:[{field: "rsa.identity.dn_src", setter: fld_set}]}, - "src_payload": {to:[{field: "rsa.misc.payload_src", setter: fld_set}]}, - "src_spi": {to:[{field: "rsa.misc.spi_src", setter: fld_set}]}, - "src_zone": {to:[{field: "rsa.network.zone_src", setter: fld_set}]}, - "srcburb": {to:[{field: "rsa.misc.srcburb", setter: fld_set}]}, - "srcdom": {to:[{field: "rsa.misc.srcdom", setter: fld_set}]}, - "srcservice": {to:[{field: "rsa.misc.srcservice", setter: fld_set}]}, - "ssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 0}]}, - "stamp": {convert: to_date, to:[{field: "rsa.time.stamp", setter: fld_set}]}, - "starttime": {convert: to_date, to:[{field: "rsa.time.starttime", setter: fld_set}]}, - "state": {to:[{field: "rsa.misc.state", setter: fld_set}]}, - "statement": {to:[{field: "rsa.internal.statement", setter: fld_set}]}, - "status": {to:[{field: "rsa.misc.status", setter: fld_set}]}, - "status1": {to:[{field: "rsa.misc.status1", setter: fld_set}]}, - "streams": {convert: to_long, to:[{field: "rsa.misc.streams", setter: fld_set}]}, - "subcategory": {to:[{field: "rsa.misc.subcategory", setter: fld_set}]}, - "subject": {to:[{field: "rsa.email.subject", setter: fld_set}]}, - "svcno": {to:[{field: "rsa.misc.svcno", setter: fld_set}]}, - "system": {to:[{field: "rsa.misc.system", setter: fld_set}]}, - "t_context": {to:[{field: "rsa.misc.context_target", setter: fld_set}]}, - "task_name": {to:[{field: "rsa.file.task_name", setter: fld_set}]}, - "tbdstr1": {to:[{field: "rsa.misc.tbdstr1", setter: fld_set}]}, - "tbdstr2": {to:[{field: "rsa.misc.tbdstr2", setter: fld_set}]}, - "tbl_name": {to:[{field: "rsa.db.table_name", setter: fld_set}]}, - "tcp_flags": {convert: to_long, to:[{field: 
"rsa.misc.tcp_flags", setter: fld_set}]}, - "terminal": {to:[{field: "rsa.misc.terminal", setter: fld_set}]}, - "tgtdom": {to:[{field: "rsa.misc.tgtdom", setter: fld_set}]}, - "tgtdomain": {to:[{field: "rsa.misc.tgtdomain", setter: fld_set}]}, - "threat_name": {to:[{field: "rsa.threat.threat_category", setter: fld_set}]}, - "threat_source": {to:[{field: "rsa.threat.threat_source", setter: fld_set}]}, - "threat_val": {to:[{field: "rsa.threat.threat_desc", setter: fld_set}]}, - "threshold": {to:[{field: "rsa.misc.threshold", setter: fld_set}]}, - "time": {convert: to_date, to:[{field: "rsa.internal.time", setter: fld_set}]}, - "timestamp": {to:[{field: "rsa.time.timestamp", setter: fld_set}]}, - "timezone": {to:[{field: "rsa.time.timezone", setter: fld_set}]}, - "to": {to:[{field: "rsa.email.email_dst", setter: fld_set}]}, - "tos": {convert: to_long, to:[{field: "rsa.misc.tos", setter: fld_set}]}, - "trans_from": {to:[{field: "rsa.email.trans_from", setter: fld_set}]}, - "trans_id": {to:[{field: "rsa.db.transact_id", setter: fld_set}]}, - "trans_to": {to:[{field: "rsa.email.trans_to", setter: fld_set}]}, - "trigger_desc": {to:[{field: "rsa.misc.trigger_desc", setter: fld_set}]}, - "trigger_val": {to:[{field: "rsa.misc.trigger_val", setter: fld_set}]}, - "type": {to:[{field: "rsa.misc.type", setter: fld_set}]}, - "type1": {to:[{field: "rsa.misc.type1", setter: fld_set}]}, - "tzone": {to:[{field: "rsa.time.tzone", setter: fld_set}]}, - "ubc.req": {convert: to_long, to:[{field: "rsa.internal.ubc_req", setter: fld_set}]}, - "ubc.res": {convert: to_long, to:[{field: "rsa.internal.ubc_res", setter: fld_set}]}, - "udb_class": {to:[{field: "rsa.misc.udb_class", setter: fld_set}]}, - "url_fld": {to:[{field: "rsa.misc.url_fld", setter: fld_set}]}, - "urlpage": {to:[{field: "rsa.web.urlpage", setter: fld_set}]}, - "urlroot": {to:[{field: "rsa.web.urlroot", setter: fld_set}]}, - "user_address": {to:[{field: "rsa.email.email", setter: fld_append}]}, - "user_dept": {to:[{field: 
"rsa.identity.user_dept", setter: fld_set}]}, - "user_div": {to:[{field: "rsa.misc.user_div", setter: fld_set}]}, - "user_fname": {to:[{field: "rsa.identity.firstname", setter: fld_set}]}, - "user_lname": {to:[{field: "rsa.identity.lastname", setter: fld_set}]}, - "user_mname": {to:[{field: "rsa.identity.middlename", setter: fld_set}]}, - "user_org": {to:[{field: "rsa.identity.org", setter: fld_set}]}, - "user_role": {to:[{field: "rsa.identity.user_role", setter: fld_set}]}, - "userid": {to:[{field: "rsa.misc.userid", setter: fld_set}]}, - "username_fld": {to:[{field: "rsa.misc.username_fld", setter: fld_set}]}, - "utcstamp": {to:[{field: "rsa.misc.utcstamp", setter: fld_set}]}, - "v_instafname": {to:[{field: "rsa.misc.v_instafname", setter: fld_set}]}, - "vendor_event_cat": {to:[{field: "rsa.investigations.event_vcat", setter: fld_set}]}, - "version": {to:[{field: "rsa.misc.version", setter: fld_set}]}, - "vid": {to:[{field: "rsa.internal.msg_vid", setter: fld_set}]}, - "virt_data": {to:[{field: "rsa.misc.virt_data", setter: fld_set}]}, - "virusname": {to:[{field: "rsa.misc.virusname", setter: fld_set}]}, - "vlan": {convert: to_long, to:[{field: "rsa.network.vlan", setter: fld_set}]}, - "vlan.name": {to:[{field: "rsa.network.vlan_name", setter: fld_set}]}, - "vm_target": {to:[{field: "rsa.misc.vm_target", setter: fld_set}]}, - "vpnid": {to:[{field: "rsa.misc.vpnid", setter: fld_set}]}, - "vsys": {to:[{field: "rsa.misc.vsys", setter: fld_set}]}, - "vuln_ref": {to:[{field: "rsa.misc.vuln_ref", setter: fld_set}]}, - "web_cookie": {to:[{field: "rsa.web.web_cookie", setter: fld_set}]}, - "web_extension_tmp": {to:[{field: "rsa.web.web_extension_tmp", setter: fld_set}]}, - "web_host": {to:[{field: "rsa.web.alias_host", setter: fld_set}]}, - "web_method": {to:[{field: "rsa.misc.action", setter: fld_append}]}, - "web_page": {to:[{field: "rsa.web.web_page", setter: fld_set}]}, - "web_ref_domain": {to:[{field: "rsa.web.web_ref_domain", setter: fld_set}]}, - "web_ref_host": 
{to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "web_ref_page": {to:[{field: "rsa.web.web_ref_page", setter: fld_set}]}, - "web_ref_query": {to:[{field: "rsa.web.web_ref_query", setter: fld_set}]}, - "web_ref_root": {to:[{field: "rsa.web.web_ref_root", setter: fld_set}]}, - "wifi_channel": {convert: to_long, to:[{field: "rsa.wireless.wlan_channel", setter: fld_set}]}, - "wlan": {to:[{field: "rsa.wireless.wlan_name", setter: fld_set}]}, - "word": {to:[{field: "rsa.internal.word", setter: fld_set}]}, - "workspace_desc": {to:[{field: "rsa.misc.workspace", setter: fld_set}]}, - "workstation": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "year": {to:[{field: "rsa.time.year", setter: fld_set}]}, - "zone": {to:[{field: "rsa.network.zone", setter: fld_set}]}, - }; - - function to_date(value) { - switch (typeof (value)) { - case "object": - // This is a Date. But as it was obtained from evt.Get(), the VM - // doesn't see it as a JS Date anymore, thus value instanceof Date === false. - // Have to trust that any object here is a valid Date for Go. - return value; - case "string": - var asDate = new Date(value); - if (!isNaN(asDate)) return asDate; - } - } - - // ECMAScript 5.1 doesn't have Object.MAX_SAFE_INTEGER / Object.MIN_SAFE_INTEGER. - var maxSafeInt = Math.pow(2, 53) - 1; - var minSafeInt = -maxSafeInt; - - function to_long(value) { - var num = parseInt(value); - // Better not to index a number if it's not safe (above 53 bits). - return !isNaN(num) && minSafeInt <= num && num <= maxSafeInt ? 
num : undefined; - } - - function to_ip(value) { - if (value.indexOf(":") === -1) - return to_ipv4(value); - return to_ipv6(value); - } - - var ipv4_regex = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/; - var ipv6_hex_regex = /^[0-9A-Fa-f]{1,4}$/; - - function to_ipv4(value) { - var result = ipv4_regex.exec(value); - if (result == null || result.length !== 5) return; - for (var i = 1; i < 5; i++) { - var num = strictToInt(result[i]); - if (isNaN(num) || num < 0 || num > 255) return; - } - return value; - } - - function to_ipv6(value) { - var sqEnd = value.indexOf("]"); - if (sqEnd > -1) { - if (value.charAt(0) !== "[") return; - value = value.substr(1, sqEnd - 1); - } - var zoneOffset = value.indexOf("%"); - if (zoneOffset > -1) { - value = value.substr(0, zoneOffset); - } - var parts = value.split(":"); - if (parts == null || parts.length < 3 || parts.length > 8) return; - var numEmpty = 0; - var innerEmpty = 0; - for (var i = 0; i < parts.length; i++) { - if (parts[i].length === 0) { - numEmpty++; - if (i > 0 && i + 1 < parts.length) innerEmpty++; - } else if (!parts[i].match(ipv6_hex_regex) && - // Accept an IPv6 with a valid IPv4 at the end. - ((i + 1 < parts.length) || !to_ipv4(parts[i]))) { - return; - } - } - return innerEmpty === 0 && parts.length === 8 || innerEmpty === 1 ? value : undefined; - } - - function to_double(value) { - return parseFloat(value); - } - - function to_mac(value) { - // ES doesn't have a mac datatype so it's safe to ingest whatever was captured. - return value; - } - - function to_lowercase(value) { - // to_lowercase is used against keyword fields, which can accept - // any other type (numbers, dates). - return typeof(value) === "string"? 
value.toLowerCase() : value; - } - - function fld_set(dst, value) { - dst[this.field] = { v: value }; - } - - function fld_append(dst, value) { - if (dst[this.field] === undefined) { - dst[this.field] = { v: [value] }; - } else { - var base = dst[this.field]; - if (base.v.indexOf(value)===-1) base.v.push(value); - } - } - - function fld_prio(dst, value) { - if (dst[this.field] === undefined) { - dst[this.field] = { v: value, prio: this.prio}; - } else if(this.prio < dst[this.field].prio) { - dst[this.field].v = value; - dst[this.field].prio = this.prio; - } - } - - var valid_ecs_outcome = { - 'failure': true, - 'success': true, - 'unknown': true - }; - - function fld_ecs_outcome(dst, value) { - value = value.toLowerCase(); - if (valid_ecs_outcome[value] === undefined) { - value = 'unknown'; - } - if (dst[this.field] === undefined) { - dst[this.field] = { v: value }; - } else if (dst[this.field].v === 'unknown') { - dst[this.field] = { v: value }; - } - } - - function map_all(evt, targets, value) { - for (var i = 0; i < targets.length; i++) { - evt.Put(targets[i], value); - } - } - - function populate_fields(evt) { - var base = evt.Get(FIELDS_OBJECT); - if (base === null) return; - alternate_datetime(evt); - if (map_ecs) { - do_populate(evt, base, ecs_mappings); - } - if (map_rsa) { - do_populate(evt, base, rsa_mappings); - } - if (keep_raw) { - evt.Put("rsa.raw", base); - } - evt.Delete(FIELDS_OBJECT); - } - - var datetime_alt_components = [ - {field: "day", fmts: [[dF]]}, - {field: "year", fmts: [[dW]]}, - {field: "month", fmts: [[dB],[dG]]}, - {field: "date", fmts: [[dW,dSkip,dG,dSkip,dF],[dW,dSkip,dB,dSkip,dF],[dW,dSkip,dR,dSkip,dF]]}, - {field: "hour", fmts: [[dN]]}, - {field: "min", fmts: [[dU]]}, - {field: "secs", fmts: [[dO]]}, - {field: "time", fmts: [[dN, dSkip, dU, dSkip, dO]]}, - ]; - - function alternate_datetime(evt) { - if (evt.Get(FIELDS_PREFIX + "event_time") != null) { - return; - } - var tzOffset = tz_offset; - if (tzOffset === "event") { - 
tzOffset = evt.Get("event.timezone"); - } - var container = new DateContainer(tzOffset); - for (var i=0; i} time=%{htime->} devname=%{hdevice->} device_id=%{hfld1->} log_id=%{id->} type=%{hfld2->} subtype=%{hfld3->} pri=%{hseverity->} %{payload}", processor_chain([ - setc("header_id","0001"), - call({ - dest: "nwparser.messageid", - fn: STRCAT, - args: [ - field("hfld2"), - constant("_fortinetmgr"), - ], - }), - ])); - - var hdr2 = match("HEADER#1:0002", "message", "logver=%{hfld1->} date=%{hdate->} time=%{htime->} log_id=%{id->} %{payload}", processor_chain([ - setc("header_id","0002"), - dup1, - ])); - - var hdr3 = match("HEADER#2:0003", "message", "date=%{hdate->} time=%{htime->} logver=%{fld1->} %{payload}", processor_chain([ - setc("header_id","0003"), - dup1, - ])); - - var hdr4 = match("HEADER#3:0004", "message", "logver=%{hfld1->} dtime=%{hdatetime->} devid=%{hfld2->} devname=%{hdevice->} %{payload}", processor_chain([ - setc("header_id","0004"), - dup2, - ])); - - var hdr5 = match("HEADER#4:0005", "message", "logver=%{hfld1->} devname=\"%{hdevice}\" devid=\"%{hfld2}\" %{payload}", processor_chain([ - setc("header_id","0005"), - dup2, - ])); - - var select1 = linear_select([ - hdr1, - hdr2, - hdr3, - hdr4, - hdr5, - ]); - - var part1 = match("MESSAGE#0:fortinetmgr:01", "nwparser.payload", "user=%{fld1->} adom=%{domain->} user=%{username->} ui=%{fld2->} action=%{action->} status=%{event_state->} msg=\"%{event_description}\"", processor_chain([ - dup3, - dup4, - dup5, - dup6, - dup7, - dup8, - dup9, - dup10, - ])); - - var msg1 = msg("fortinetmgr:01", part1); - - var part2 = match("MESSAGE#1:fortinetmgr", "nwparser.payload", "user=%{username->} adom=%{domain->} msg=\"%{event_description}\"", processor_chain([ - dup3, - dup4, - dup5, - dup6, - dup7, - dup8, - dup9, - dup10, - ])); - - var msg2 = msg("fortinetmgr", part2); - - var part3 = match("MESSAGE#2:fortinetmgr:04/0", "nwparser.payload", "user=\"%{username}\" userfrom=%{fld7->} msg=\"%{p0}"); - - var 
part4 = match("MESSAGE#2:fortinetmgr:04/1_0", "nwparser.p0", "User%{p0}"); - - var part5 = match("MESSAGE#2:fortinetmgr:04/1_1", "nwparser.p0", "user%{p0}"); - - var select2 = linear_select([ - part4, - part5, - ]); - - var part6 = match("MESSAGE#2:fortinetmgr:04/2", "nwparser.p0", "%{}'%{fld3}' with profile '%{fld4}' %{fld5->} from %{fld6}(%{hostip})%{p0}"); - - var part7 = match("MESSAGE#2:fortinetmgr:04/3_0", "nwparser.p0", ".\"%{p0}"); - - var part8 = match("MESSAGE#2:fortinetmgr:04/3_1", "nwparser.p0", "\"%{p0}"); - - var select3 = linear_select([ - part7, - part8, - ]); - - var part9 = match("MESSAGE#2:fortinetmgr:04/4", "nwparser.p0", "%{}adminprof=%{p0}"); - - var part10 = match("MESSAGE#2:fortinetmgr:04/5_0", "nwparser.p0", "%{fld2->} sid=%{sid->} user_type=\"%{profile}\""); - - var part11 = match_copy("MESSAGE#2:fortinetmgr:04/5_1", "nwparser.p0", "fld2"); - - var select4 = linear_select([ - part10, - part11, - ]); - - var all1 = all_match({ - processors: [ - part3, - select2, - part6, - select3, - part9, - select4, - ], - on_success: processor_chain([ - dup11, - dup4, - lookup({ - dest: "nwparser.event_cat", - map: map_getEventLegacyCategory, - key: field("fld5"), - }), - dup22, - dup5, - dup6, - dup7, - dup8, - dup9, - dup10, - ]), - }); - - var msg3 = msg("fortinetmgr:04", all1); - - var part12 = match("MESSAGE#3:fortinetmgr:02", "nwparser.payload", "user=%{username->} userfrom=%{fld4->} msg=\"%{event_description}\" adminprof=%{fld2}", processor_chain([ - dup3, - dup4, - dup5, - dup6, - dup7, - dup8, - dup9, - dup10, - ])); - - var msg4 = msg("fortinetmgr:02", part12); - - var part13 = match("MESSAGE#4:fortinetmgr:03", "nwparser.payload", "user=\"%{username}\" msg=\"Login from ssh:%{fld1->} for %{fld2->} from %{saddr->} port %{sport}\" remote_ip=\"%{daddr}\" remote_port=%{dport->} valid=%{fld3->} authmsg=\"%{result}\" extrainfo=%{fld5}", processor_chain([ - dup11, - dup4, - dup5, - dup6, - dup7, - dup8, - dup9, - dup10, - lookup({ - dest: 
"nwparser.event_cat", - map: map_getEventLegacyCategory, - key: field("result"), - }), - dup22, - ])); - - var msg5 = msg("fortinetmgr:03", part13); - - var part14 = match("MESSAGE#5:fortinetmgr:05/0", "nwparser.payload", "user=\"%{username}\" userfrom=\"%{fld1}\"msg=\"%{p0}"); - - var part15 = match("MESSAGE#5:fortinetmgr:05/1_0", "nwparser.p0", "dev=%{fld2},vdom=%{fld3},type=%{fld4},key=%{fld5},act=%{action},pkgname=%{fld7},allowaccess=%{fld8}\"%{p0}"); - - var part16 = match("MESSAGE#5:fortinetmgr:05/1_1", "nwparser.p0", "%{event_description}\"%{p0}"); - - var select5 = linear_select([ - part15, - part16, - ]); - - var part17 = match("MESSAGE#5:fortinetmgr:05/2", "nwparser.p0", "%{domain}\" adom=\""); - - var all2 = all_match({ - processors: [ - part14, - select5, - part17, - ], - on_success: processor_chain([ - dup13, - dup4, - dup5, - dup6, - dup7, - dup8, - dup9, - dup10, - ]), - }); - - var msg6 = msg("fortinetmgr:05", all2); - - var part18 = tagval("MESSAGE#6:event_fortinetmgr_tvm", "nwparser.payload", tvm, { - "action": "action", - "adom": "domain", - "desc": "event_description", - "msg": "info", - "session_id": "sessionid", - "user": "username", - "userfrom": "fld1", - }, processor_chain([ - dup11, - dup4, - dup5, - dup6, - dup7, - setf("event_type","hfld2"), - dup9, - dup10, - ])); - - var msg7 = msg("event_fortinetmgr_tvm", part18); - - var select6 = linear_select([ - msg1, - msg2, - msg3, - msg4, - msg5, - msg6, - msg7, - ]); - - var part19 = tagval("MESSAGE#7:generic_fortinetmgr", "nwparser.payload", tvm, { - "action": "action", - "adminprof": "fld13", - "cat": "fcatnum", - "catdesc": "filter", - "cipher_suite": "fld24", - "content_switch_name": "fld15", - "craction": "fld9", - "crlevel": "fld10", - "crscore": "reputation_num", - "dev_id": "fld100", - "device_id": "hardware_id", - "devid": "hardware_id", - "devname": "event_source", - "devtype": "fld7", - "direction": "direction", - "dst": "daddr", - "dst_port": "dport", - "dstintf": "dinterface", - 
"dstip": "daddr", - "dstport": "dport", - "duration": "duration", - "eventtype": "vendor_event_cat", - "false_positive_mitigation": "fld17", - "ftp_cmd": "fld23", - "ftp_mode": "fld22", - "history_threat_weight": "fld21", - "hostname": "hostname", - "http_agent": "agent", - "http_host": "web_ref_domain", - "http_method": "web_method", - "http_refer": "web_referer", - "http_session_id": "sessionid", - "http_url": "web_query", - "http_version": "fld19", - "level": "severity", - "log_id": "id", - "logid": "id", - "main_type": "fld37", - "mastersrcmac": "fld8", - "method": "fld12", - "monitor_status": "fld18", - "msg": "event_description", - "msg_id": "fld25", - "osname": "os", - "osversion": "version", - "policy": "policyname", - "policyid": "policy_id", - "poluuid": "fld5", - "pri": "severity", - "profile": "rulename", - "proto": "fld6", - "rcvdbyte": "rbytes", - "reqtype": "fld11", - "sentbyte": "sbytes", - "server_pool_name": "fld16", - "service": "network_service", - "sessionid": "sessionid", - "severity_level": "fld101", - "signature_id": "sigid", - "signature_subclass": "fld14", - "src": "saddr", - "src_port": "sport", - "srccountry": "location_src", - "srcintf": "sinterface", - "srcip": "saddr", - "srcmac": "smacaddr", - "srcport": "sport", - "sub_type": "category", - "subtype": "category", - "threat_level": "threat_val", - "threat_weight": "fld20", - "timezone": "timezone", - "trandisp": "context", - "trigger_policy": "fld39", - "type": "event_type", - "url": "url", - "user": "username", - "user_name": "username", - "userfrom": "fld30", - "vd": "vsys", - }, processor_chain([ - dup13, - dup4, - dup5, - dup14, - dup23, - ])); - - var msg8 = msg("generic_fortinetmgr", part19); - - var part20 = tagval("MESSAGE#8:generic_fortinetmgr_1", "nwparser.payload", tvm, { - "action": "action", - "app": "obj_name", - "appcat": "fld33", - "craction": "fld9", - "crlevel": "fld10", - "crscore": "reputation_num", - "date": "fld1", - "dstcountry": "location_dst", - "dstintf": 
"dinterface", - "dstintfrole": "fld31", - "dstip": "daddr", - "dstport": "dport", - "duration": "duration", - "eventtime": "event_time_string", - "level": "severity", - "logid": "id", - "logtime": "fld35", - "policyid": "policy_id", - "policytype": "fld34", - "poluuid": "fld5", - "proto": "fld6", - "rcvdbyte": "rbytes", - "sentbyte": "sbytes", - "sentpkt": "fld15", - "service": "network_service", - "sessionid": "sessionid", - "srccountry": "location_src", - "srcintf": "sinterface", - "srcintfrole": "fld30", - "srcip": "saddr", - "srcport": "sport", - "subtype": "category", - "time": "fld2", - "trandisp": "context", - "tranip": "dtransaddr", - "tranport": "dtransport", - "type": "event_type", - "vd": "vsys", - }, processor_chain([ - dup13, - dup4, - date_time({ - dest: "event_time", - args: ["fld1","fld2"], - fmts: [ - [dW,dc("-"),dG,dc("-"),dF,dN,dc(":"),dU,dc(":"),dO], - ], - }), - dup6, - setf("hardware_id","hfld2"), - dup14, - dup23, - ])); - - var msg9 = msg("generic_fortinetmgr_1", part20); - - var chain1 = processor_chain([ - select1, - msgid_select({ - "event_fortinetmgr": select6, - "generic_fortinetmgr": msg8, - "generic_fortinetmgr_1": msg9, - }), - ]); - -- community_id: -- registered_domain: - ignore_missing: true - ignore_failure: true - field: dns.question.name - target_field: dns.question.registered_domain - target_subdomain_field: dns.question.subdomain - target_etld_field: dns.question.top_level_domain -- registered_domain: - ignore_missing: true - ignore_failure: true - field: client.domain - target_field: client.registered_domain - target_subdomain_field: client.subdomain - target_etld_field: client.top_level_domain -- registered_domain: - ignore_missing: true - ignore_failure: true - field: server.domain - target_field: server.registered_domain - target_subdomain_field: server.subdomain - target_etld_field: server.top_level_domain -- registered_domain: - ignore_missing: true - ignore_failure: true - field: destination.domain - target_field: 
destination.registered_domain
- target_subdomain_field: destination.subdomain
- target_etld_field: destination.top_level_domain
-- registered_domain:
- ignore_missing: true
- ignore_failure: true
- field: source.domain
- target_field: source.registered_domain
- target_subdomain_field: source.subdomain
- target_etld_field: source.top_level_domain
-- registered_domain:
- ignore_missing: true
- ignore_failure: true
- field: url.domain
- target_field: url.registered_domain
- target_subdomain_field: url.subdomain
- target_etld_field: url.top_level_domain
-- add_locale: ~
diff --git a/packages/fortinet_fortimanager/1.1.2/data_stream/log/agent/stream/udp.yml.hbs b/packages/fortinet_fortimanager/1.1.2/data_stream/log/agent/stream/udp.yml.hbs
deleted file mode 100755
index 89adc08993..0000000000
--- a/packages/fortinet_fortimanager/1.1.2/data_stream/log/agent/stream/udp.yml.hbs
+++ /dev/null
@@ -1,3091 +0,0 @@ -udp: -host: "{{udp_host}}:{{udp_port}}" -tags: -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#each tags as |tag i|}} - - {{tag}} -{{/each}} -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} -processors: -{{#if processors}} -{{processors}} -{{/if}} -- script: - lang: javascript - params: - ecs: true - rsa: {{rsa_fields}} - tz_offset: {{tz_offset}} - keep_raw: {{keep_raw_fields}} - debug: {{debug}} - source: | - // Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - // or more contributor license agreements. Licensed under the Elastic License; - // you may not use this file except in compliance with the Elastic License. - - /* jshint -W014,-W016,-W097,-W116 */ - - var processor = require("processor"); - var console = require("console"); - - var FLAG_FIELD = "log.flags"; - var FIELDS_OBJECT = "nwparser"; - var FIELDS_PREFIX = FIELDS_OBJECT + "."; - - var defaults = { - debug: false, - ecs: true, - rsa: false, - keep_raw: false, - tz_offset: "local", - strip_priority: true - }; - - var saved_flags = null; - var debug; - var map_ecs; - var map_rsa; - var keep_raw; - var device; - var tz_offset; - var strip_priority; - - // Register params from configuration. - function register(params) { - debug = params.debug !== undefined ? params.debug : defaults.debug; - map_ecs = params.ecs !== undefined ? params.ecs : defaults.ecs; - map_rsa = params.rsa !== undefined ? params.rsa : defaults.rsa; - keep_raw = params.keep_raw !== undefined ? params.keep_raw : defaults.keep_raw; - tz_offset = parse_tz_offset(params.tz_offset !== undefined? params.tz_offset : defaults.tz_offset); - strip_priority = params.strip_priority !== undefined? params.strip_priority : defaults.strip_priority; - device = new DeviceProcessor(); - } - - function parse_tz_offset(offset) { - var date; - var m; - switch(offset) { - // local uses the tz offset from the JS VM. 
- case "local": - date = new Date(); - // Reversing the sign as we the offset from UTC, not to UTC. - return parse_local_tz_offset(-date.getTimezoneOffset()); - // event uses the tz offset from event.timezone (add_locale processor). - case "event": - return offset; - // Otherwise a tz offset in the form "[+-][0-9]{4}" is required. - default: - m = offset.match(/^([+\-])([0-9]{2}):?([0-9]{2})?$/); - if (m === null || m.length !== 4) { - throw("bad timezone offset: '" + offset + "'. Must have the form +HH:MM"); - } - return m[1] + m[2] + ":" + (m[3]!==undefined? m[3] : "00"); - } - } - - function parse_local_tz_offset(minutes) { - var neg = minutes < 0; - minutes = Math.abs(minutes); - var min = minutes % 60; - var hours = Math.floor(minutes / 60); - var pad2digit = function(n) { - if (n < 10) { return "0" + n;} - return "" + n; - }; - return (neg? "-" : "+") + pad2digit(hours) + ":" + pad2digit(min); - } - - function process(evt) { - // Function register is only called by the processor when `params` are set - // in the processor config. - if (device === undefined) { - register(defaults); - } - return device.process(evt); - } - - function processor_chain(subprocessors) { - var builder = new processor.Chain(); - subprocessors.forEach(builder.Add); - return builder.Build().Run; - } - - function linear_select(subprocessors) { - return function (evt) { - var flags = evt.Get(FLAG_FIELD); - var i; - for (i = 0; i < subprocessors.length; i++) { - evt.Delete(FLAG_FIELD); - if (debug) console.warn("linear_select trying entry " + i); - subprocessors[i](evt); - // Dissect processor succeeded? 
- if (evt.Get(FLAG_FIELD) == null) break; - if (debug) console.warn("linear_select failed entry " + i); - } - if (flags !== null) { - evt.Put(FLAG_FIELD, flags); - } - if (debug) { - if (i < subprocessors.length) { - console.warn("linear_select matched entry " + i); - } else { - console.warn("linear_select didn't match"); - } - } - }; - } - - function conditional(opt) { - return function(evt) { - if (opt.if(evt)) { - opt.then(evt); - } else if (opt.else) { - opt.else(evt); - } - }; - } - - var strip_syslog_priority = (function() { - var isEnabled = function() { return strip_priority === true; }; - var fetchPRI = field("_pri"); - var fetchPayload = field("payload"); - var removePayload = remove(["payload"]); - var cleanup = remove(["_pri", "payload"]); - var onMatch = function(evt) { - var pri, priStr = fetchPRI(evt); - if (priStr != null - && 0 < priStr.length && priStr.length < 4 - && !isNaN((pri = Number(priStr))) - && 0 <= pri && pri < 192) { - var severity = pri & 7, - facility = pri >> 3; - setc("_severity", "" + severity)(evt); - setc("_facility", "" + facility)(evt); - // Replace message with priority stripped. - evt.Put("message", fetchPayload(evt)); - removePayload(evt); - } else { - // not a valid syslog PRI, cleanup. 
- cleanup(evt); - } - }; - return conditional({ - if: isEnabled, - then: cleanup_flags(match( - "STRIP_PRI", - "message", - "<%{_pri}>%{payload}", - onMatch - )) - }); - })(); - - function match(id, src, pattern, on_success) { - var dissect = new processor.Dissect({ - field: src, - tokenizer: pattern, - target_prefix: FIELDS_OBJECT, - ignore_failure: true, - overwrite_keys: true, - trim_values: "right" - }); - return function (evt) { - var msg = evt.Get(src); - dissect.Run(evt); - var failed = evt.Get(FLAG_FIELD) != null; - if (debug) { - if (failed) { - console.debug("dissect fail: " + id + " field:" + src); - } else { - console.debug("dissect OK: " + id + " field:" + src); - } - console.debug(" expr: <<" + pattern + ">>"); - console.debug(" input: <<" + msg + ">>"); - } - if (on_success != null && !failed) { - on_success(evt); - } - }; - } - - function match_copy(id, src, dst, on_success) { - dst = FIELDS_PREFIX + dst; - if (dst === FIELDS_PREFIX || dst === src) { - return function (evt) { - if (debug) { - console.debug("noop OK: " + id + " field:" + src); - console.debug(" input: <<" + evt.Get(src) + ">>"); - } - if (on_success != null) on_success(evt); - } - } - return function (evt) { - var msg = evt.Get(src); - evt.Put(dst, msg); - if (debug) { - console.debug("copy OK: " + id + " field:" + src); - console.debug(" target: '" + dst + "'"); - console.debug(" input: <<" + msg + ">>"); - } - if (on_success != null) on_success(evt); - } - } - - function cleanup_flags(processor) { - return function(evt) { - processor(evt); - evt.Delete(FLAG_FIELD); - }; - } - - function all_match(opts) { - return function (evt) { - var i; - for (i = 0; i < opts.processors.length; i++) { - evt.Delete(FLAG_FIELD); - opts.processors[i](evt); - // Dissect processor succeeded? 
- if (evt.Get(FLAG_FIELD) != null) { - if (debug) console.warn("all_match failure at " + i); - if (opts.on_failure != null) opts.on_failure(evt); - return; - } - if (debug) console.warn("all_match success at " + i); - } - if (opts.on_success != null) opts.on_success(evt); - }; - } - - function msgid_select(mapping) { - return function (evt) { - var msgid = evt.Get(FIELDS_PREFIX + "messageid"); - if (msgid == null) { - if (debug) console.warn("msgid_select: no messageid captured!"); - return; - } - var next = mapping[msgid]; - if (next === undefined) { - if (debug) console.warn("msgid_select: no mapping for messageid:" + msgid); - return; - } - if (debug) console.info("msgid_select: matched key=" + msgid); - return next(evt); - }; - } - - function msg(msg_id, match) { - return function (evt) { - match(evt); - if (evt.Get(FLAG_FIELD) == null) { - evt.Put(FIELDS_PREFIX + "msg_id1", msg_id); - } - }; - } - - var start; - - function save_flags(evt) { - saved_flags = evt.Get(FLAG_FIELD); - evt.Put("event.original", evt.Get("message")); - } - - function restore_flags(evt) { - if (saved_flags !== null) { - evt.Put(FLAG_FIELD, saved_flags); - } - evt.Delete("message"); - } - - function constant(value) { - return function (evt) { - return value; - }; - } - - function field(name) { - var fullname = FIELDS_PREFIX + name; - return function (evt) { - return evt.Get(fullname); - }; - } - - function STRCAT(args) { - var s = ""; - var i; - for (i = 0; i < args.length; i++) { - s += args[i]; - } - return s; - } - - // TODO: Implement - function DIRCHK(args) { - unimplemented("DIRCHK"); - } - - function strictToInt(str) { - return str * 1; - } - - function CALC(args) { - if (args.length !== 3) { - console.warn("skipped call to CALC with " + args.length + " arguments."); - return; - } - var a = strictToInt(args[0]); - var b = strictToInt(args[2]); - if (isNaN(a) || isNaN(b)) { - console.warn("failed evaluating CALC arguments a='" + args[0] + "' b='" + args[2] + "'."); - return; - } - 
var result; - switch (args[1]) { - case "+": - result = a + b; - break; - case "-": - result = a - b; - break; - case "*": - result = a * b; - break; - default: - // Only * and + seen in the parsers. - console.warn("unknown CALC operation '" + args[1] + "'."); - return; - } - // Always return a string - return result !== undefined ? "" + result : result; - } - - var quoteChars = "\"'`"; - function RMQ(args) { - if(args.length !== 1) { - console.warn("RMQ: only one argument expected"); - return; - } - var value = args[0].trim(); - var n = value.length; - var char; - return n > 1 - && (char=value.charAt(0)) === value.charAt(n-1) - && quoteChars.indexOf(char) !== -1? - value.substr(1, n-2) - : value; - } - - function call(opts) { - var args = new Array(opts.args.length); - return function (evt) { - for (var i = 0; i < opts.args.length; i++) - if ((args[i] = opts.args[i](evt)) == null) return; - var result = opts.fn(args); - if (result != null) { - evt.Put(opts.dest, result); - } - }; - } - - function nop(evt) { - } - - function appendErrorMsg(evt, msg) { - var value = evt.Get("error.message"); - if (value == null) { - value = [msg]; - } else if (msg instanceof Array) { - value.push(msg); - } else { - value = [value, msg]; - } - evt.Put("error.message", value); - } - - function unimplemented(name) { - appendErrorMsg("unimplemented feature: " + name); - } - - function lookup(opts) { - return function (evt) { - var key = opts.key(evt); - if (key == null) return; - var value = opts.map.keyvaluepairs[key]; - if (value === undefined) { - value = opts.map.default; - } - if (value !== undefined) { - evt.Put(opts.dest, value(evt)); - } - }; - } - - function set(fields) { - return new processor.AddFields({ - target: FIELDS_OBJECT, - fields: fields, - }); - } - - function setf(dst, src) { - return function (evt) { - var val = evt.Get(FIELDS_PREFIX + src); - if (val != null) evt.Put(FIELDS_PREFIX + dst, val); - }; - } - - function setc(dst, value) { - return function (evt) { - 
evt.Put(FIELDS_PREFIX + dst, value); - }; - } - - function set_field(opts) { - return function (evt) { - var val = opts.value(evt); - if (val != null) evt.Put(opts.dest, val); - }; - } - - function dump(label) { - return function (evt) { - console.log("Dump of event at " + label + ": " + JSON.stringify(evt, null, "\t")); - }; - } - - function date_time_join_args(evt, arglist) { - var str = ""; - for (var i = 0; i < arglist.length; i++) { - var fname = FIELDS_PREFIX + arglist[i]; - var val = evt.Get(fname); - if (val != null) { - if (str !== "") str += " "; - str += val; - } else { - if (debug) console.warn("in date_time: input arg " + fname + " is not set"); - } - } - return str; - } - - function to2Digit(num) { - return num? (num < 10? "0" + num : num) : "00"; - } - - // Make two-digit dates 00-69 interpreted as 2000-2069 - // and dates 70-99 translated to 1970-1999. - var twoDigitYearEpoch = 70; - var twoDigitYearCentury = 2000; - - // This is to accept dates up to 2 days in the future, only used when - // no year is specified in a date. 2 days should be enough to account for - // time differences between systems and different tz offsets. - var maxFutureDelta = 2*24*60*60*1000; - - // DateContainer stores date fields and then converts those fields into - // a Date. Necessary because building a Date using its set() methods gives - // different results depending on the order of components. - function DateContainer(tzOffset) { - this.offset = tzOffset === undefined? "Z" : tzOffset; - } - - DateContainer.prototype = { - setYear: function(v) {this.year = v;}, - setMonth: function(v) {this.month = v;}, - setDay: function(v) {this.day = v;}, - setHours: function(v) {this.hours = v;}, - setMinutes: function(v) {this.minutes = v;}, - setSeconds: function(v) {this.seconds = v;}, - - setUNIX: function(v) {this.unix = v;}, - - set2DigitYear: function(v) { - this.year = v < twoDigitYearEpoch? 
twoDigitYearCentury + v : twoDigitYearCentury + v - 100; - }, - - toDate: function() { - if (this.unix !== undefined) { - return new Date(this.unix * 1000); - } - if (this.day === undefined || this.month === undefined) { - // Can't make a date from this. - return undefined; - } - if (this.year === undefined) { - // A date without a year. Set current year, or previous year - // if date would be in the future. - var now = new Date(); - this.year = now.getFullYear(); - var date = this.toDate(); - if (date.getTime() - now.getTime() > maxFutureDelta) { - date.setFullYear(now.getFullYear() - 1); - } - return date; - } - var MM = to2Digit(this.month); - var DD = to2Digit(this.day); - var hh = to2Digit(this.hours); - var mm = to2Digit(this.minutes); - var ss = to2Digit(this.seconds); - return new Date(this.year + "-" + MM + "-" + DD + "T" + hh + ":" + mm + ":" + ss + this.offset); - } - } - - function date_time_try_pattern(fmt, str, tzOffset) { - var date = new DateContainer(tzOffset); - var pos = date_time_try_pattern_at_pos(fmt, str, 0, date); - return pos !== undefined? 
date.toDate() : undefined; - } - - function date_time_try_pattern_at_pos(fmt, str, pos, date) { - var len = str.length; - for (var proc = 0; pos !== undefined && pos < len && proc < fmt.length; proc++) { - pos = fmt[proc](str, pos, date); - } - return pos; - } - - function date_time(opts) { - return function (evt) { - var tzOffset = opts.tz || tz_offset; - if (tzOffset === "event") { - tzOffset = evt.Get("event.timezone"); - } - var str = date_time_join_args(evt, opts.args); - for (var i = 0; i < opts.fmts.length; i++) { - var date = date_time_try_pattern(opts.fmts[i], str, tzOffset); - if (date !== undefined) { - evt.Put(FIELDS_PREFIX + opts.dest, date); - return; - } - } - if (debug) console.warn("in date_time: id=" + opts.id + " FAILED: " + str); - }; - } - - var uA = 60 * 60 * 24; - var uD = 60 * 60 * 24; - var uF = 60 * 60; - var uG = 60 * 60 * 24 * 30; - var uH = 60 * 60; - var uI = 60 * 60; - var uJ = 60 * 60 * 24; - var uM = 60 * 60 * 24 * 30; - var uN = 60 * 60; - var uO = 1; - var uS = 1; - var uT = 60; - var uU = 60; - var uc = dc; - - function duration(opts) { - return function(evt) { - var str = date_time_join_args(evt, opts.args); - for (var i = 0; i < opts.fmts.length; i++) { - var seconds = duration_try_pattern(opts.fmts[i], str); - if (seconds !== undefined) { - evt.Put(FIELDS_PREFIX + opts.dest, seconds); - return; - } - } - if (debug) console.warn("in duration: id=" + opts.id + " (s) FAILED: " + str); - }; - } - - function duration_try_pattern(fmt, str) { - var secs = 0; - var pos = 0; - for (var i=0; i [ month_id , how many chars to skip if month in long form ] - "Jan": [0, 4], - "Feb": [1, 5], - "Mar": [2, 2], - "Apr": [3, 2], - "May": [4, 0], - "Jun": [5, 1], - "Jul": [6, 1], - "Aug": [7, 3], - "Sep": [8, 6], - "Oct": [9, 4], - "Nov": [10, 5], - "Dec": [11, 4], - "jan": [0, 4], - "feb": [1, 5], - "mar": [2, 2], - "apr": [3, 2], - "may": [4, 0], - "jun": [5, 1], - "jul": [6, 1], - "aug": [7, 3], - "sep": [8, 6], - "oct": [9, 4], - "nov": [10, 
5], - "dec": [11, 4], - }; - - // var dC = undefined; - var dR = dateMonthName(true); - var dB = dateMonthName(false); - var dM = dateFixedWidthNumber("M", 2, 1, 12, DateContainer.prototype.setMonth); - var dG = dateVariableWidthNumber("G", 1, 12, DateContainer.prototype.setMonth); - var dD = dateFixedWidthNumber("D", 2, 1, 31, DateContainer.prototype.setDay); - var dF = dateVariableWidthNumber("F", 1, 31, DateContainer.prototype.setDay); - var dH = dateFixedWidthNumber("H", 2, 0, 24, DateContainer.prototype.setHours); - var dI = dateVariableWidthNumber("I", 0, 24, DateContainer.prototype.setHours); // Accept hours >12 - var dN = dateVariableWidthNumber("N", 0, 24, DateContainer.prototype.setHours); - var dT = dateFixedWidthNumber("T", 2, 0, 59, DateContainer.prototype.setMinutes); - var dU = dateVariableWidthNumber("U", 0, 59, DateContainer.prototype.setMinutes); - var dP = parseAMPM; // AM|PM - var dQ = parseAMPM; // A.M.|P.M - var dS = dateFixedWidthNumber("S", 2, 0, 60, DateContainer.prototype.setSeconds); - var dO = dateVariableWidthNumber("O", 0, 60, DateContainer.prototype.setSeconds); - var dY = dateFixedWidthNumber("Y", 2, 0, 99, DateContainer.prototype.set2DigitYear); - var dW = dateFixedWidthNumber("W", 4, 1000, 9999, DateContainer.prototype.setYear); - var dZ = parseHMS; - var dX = dateVariableWidthNumber("X", 0, 0x10000000000, DateContainer.prototype.setUNIX); - - // parseAMPM parses "A.M", "AM", "P.M", "PM" from logs. - // Only works if this modifier appears after the hour has been read from logs - // which is always the case in the 300 devices. 
- function parseAMPM(str, pos, date) { - var n = str.length; - var start = skipws(str, pos); - if (start + 2 > n) return; - var head = str.substr(start, 2).toUpperCase(); - var isPM = false; - var skip = false; - switch (head) { - case "A.": - skip = true; - /* falls through */ - case "AM": - break; - case "P.": - skip = true; - /* falls through */ - case "PM": - isPM = true; - break; - default: - if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(head:" + head + ")"); - return; - } - pos = start + 2; - if (skip) { - if (pos+2 > n || str.substr(pos, 2).toUpperCase() !== "M.") { - if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(tail)"); - return; - } - pos += 2; - } - var hh = date.hours; - if (isPM) { - // Accept existing hour in 24h format. - if (hh < 12) hh += 12; - } else { - if (hh === 12) hh = 0; - } - date.setHours(hh); - return pos; - } - - function parseHMS(str, pos, date) { - return date_time_try_pattern_at_pos([dN, dc(":"), dU, dc(":"), dO], str, pos, date); - } - - function skipws(str, pos) { - for ( var n = str.length; - pos < n && str.charAt(pos) === " "; - pos++) - ; - return pos; - } - - function skipdigits(str, pos) { - var c; - for (var n = str.length; - pos < n && (c = str.charAt(pos)) >= "0" && c <= "9"; - pos++) - ; - return pos; - } - - function dSkip(str, pos, date) { - var chr; - for (;pos < str.length && (chr=str[pos])<'0' || chr>'9'; pos++) {} - return pos < str.length? 
pos : undefined; - } - - function dateVariableWidthNumber(fmtChar, min, max, setter) { - return function (str, pos, date) { - var start = skipws(str, pos); - pos = skipdigits(str, start); - var s = str.substr(start, pos - start); - var value = parseInt(s, 10); - if (value >= min && value <= max) { - setter.call(date, value); - return pos; - } - return; - }; - } - - function dateFixedWidthNumber(fmtChar, width, min, max, setter) { - return function (str, pos, date) { - pos = skipws(str, pos); - var n = str.length; - if (pos + width > n) return; - var s = str.substr(pos, width); - var value = parseInt(s, 10); - if (value >= min && value <= max) { - setter.call(date, value); - return pos + width; - } - return; - }; - } - - // Short month name (Jan..Dec). - function dateMonthName(long) { - return function (str, pos, date) { - pos = skipws(str, pos); - var n = str.length; - if (pos + 3 > n) return; - var mon = str.substr(pos, 3); - var idx = shortMonths[mon]; - if (idx === undefined) { - idx = shortMonths[mon.toLowerCase()]; - } - if (idx === undefined) { - //console.warn("parsing date_time: '" + mon + "' is not a valid short month (%B)"); - return; - } - date.setMonth(idx[0]+1); - return pos + 3 + (long ? 
idx[1] : 0); - }; - } - - function url_wrapper(dst, src, fn) { - return function(evt) { - var value = evt.Get(FIELDS_PREFIX + src), result; - if (value != null && (result = fn(value))!== undefined) { - evt.Put(FIELDS_PREFIX + dst, result); - } else { - console.debug(fn.name + " failed for '" + value + "'"); - } - }; - } - - // The following regular expression for parsing URLs from: - // https://github.com/wizard04wsu/URI_Parsing - // - // The MIT License (MIT) - // - // Copyright (c) 2014 Andrew Harrison - // - // Permission is hereby granted, free of charge, to any person obtaining a copy of - // this software and associated documentation files (the "Software"), to deal in - // the Software without restriction, including without limitation the rights to - // use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of - // the Software, and to permit persons to whom the Software is furnished to do so, - // subject to the following conditions: - // - // The above copyright notice and this permission notice shall be included in all - // copies or substantial portions of the Software. - // - // THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR - // IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS - // FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR - // COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER - // IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN - // CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 
- var uriRegExp = /^([a-z][a-z0-9+.\-]*):(?:\/\/((?:(?=((?:[a-z0-9\-._~!$&'()*+,;=:]|%[0-9A-F]{2})*))(\3)@)?(?=(\[[0-9A-F:.]{2,}\]|(?:[a-z0-9\-._~!$&'()*+,;=]|%[0-9A-F]{2})*))\5(?::(?=(\d*))\6)?)(\/(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\8)?|(\/?(?!\/)(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\10)?)(?:\?(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\11)?(?:#(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\12)?$/i; - - var uriScheme = 1; - var uriDomain = 5; - var uriPort = 6; - var uriPath = 7; - var uriPathAlt = 9; - var uriQuery = 11; - - function domain(dst, src) { - return url_wrapper(dst, src, extract_domain); - } - - function split_url(value) { - var m = value.match(uriRegExp); - if (m && m[uriDomain]) return m; - // Support input in the form "www.example.net/path", but not "/path". - m = ("null://" + value).match(uriRegExp); - if (m) return m; - } - - function extract_domain(value) { - var m = split_url(value); - if (m && m[uriDomain]) return m[uriDomain]; - } - - var extFromPage = /\.[^.]+$/; - function extract_ext(value) { - var page = extract_page(value); - if (page) { - var m = page.match(extFromPage); - if (m) return m[0]; - } - } - - function ext(dst, src) { - return url_wrapper(dst, src, extract_ext); - } - - function fqdn(dst, src) { - // TODO: fqdn and domain(eTLD+1) are currently the same. - return domain(dst, src); - } - - var pageFromPathRegExp = /\/([^\/]+)$/; - var pageName = 1; - - function extract_page(value) { - value = extract_path(value); - if (!value) return undefined; - var m = value.match(pageFromPathRegExp); - if (m) return m[pageName]; - } - - function page(dst, src) { - return url_wrapper(dst, src, extract_page); - } - - function extract_path(value) { - var m = split_url(value); - return m? m[uriPath] || m[uriPathAlt] : undefined; - } - - function path(dst, src) { - return url_wrapper(dst, src, extract_path); - } - - // Map common schemes to their default port. 
- // port has to be a string (will be converted at a later stage).
- var schemePort = {
- "ftp": "21",
- "ssh": "22",
- "http": "80",
- "https": "443",
- };
-
- function extract_port(value) {
- var m = split_url(value);
- if (!m) return undefined;
- if (m[uriPort]) return m[uriPort];
- if (m[uriScheme]) {
- return schemePort[m[uriScheme]];
- }
- }
-
- function port(dst, src) {
- return url_wrapper(dst, src, extract_port);
- }
-
- function extract_query(value) {
- var m = split_url(value);
- if (m && m[uriQuery]) return m[uriQuery];
- }
-
- function query(dst, src) {
- return url_wrapper(dst, src, extract_query);
- }
-
- function extract_root(value) {
- var m = split_url(value);
- if (m && m[uriDomain] && m[uriDomain]) {
- var scheme = m[uriScheme] && m[uriScheme] !== "null"?
- m[uriScheme] + "://" : "";
- var port = m[uriPort]? ":" + m[uriPort] : "";
- return scheme + m[uriDomain] + port;
- }
- }
-
- function root(dst, src) {
- return url_wrapper(dst, src, extract_root);
- }
-
- function tagval(id, src, cfg, keys, on_success) {
- var fail = function(evt) {
- evt.Put(FLAG_FIELD, "tagval_parsing_error");
- }
- if (cfg.kv_separator.length !== 1) {
- throw("Invalid TAGVALMAP ValueDelimiter (must have 1 character)");
- }
- var quotes_len = cfg.open_quote.length > 0 && cfg.close_quote.length > 0?
- cfg.open_quote.length + cfg.close_quote.length : 0; - var kv_regex = new RegExp('^([^' + cfg.kv_separator + ']*)*' + cfg.kv_separator + ' *(.*)*$'); - return function(evt) { - var msg = evt.Get(src); - if (msg === undefined) { - console.warn("tagval: input field is missing"); - return fail(evt); - } - var pairs = msg.split(cfg.pair_separator); - var i; - var success = false; - var prev = ""; - for (i=0; i 0 && - value.length >= cfg.open_quote.length + cfg.close_quote.length && - value.substr(0, cfg.open_quote.length) === cfg.open_quote && - value.substr(value.length - cfg.close_quote.length) === cfg.close_quote) { - value = value.substr(cfg.open_quote.length, value.length - quotes_len); - } - evt.Put(FIELDS_PREFIX + field, value); - success = true; - } - if (!success) { - return fail(evt); - } - if (on_success != null) { - on_success(evt); - } - } - } - - var ecs_mappings = { - "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]}, - "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]}, - "_severity": {convert: to_long, to:[{field: "log.syslog.severity.code", setter: fld_set}]}, - "action": {to:[{field: "event.action", setter: fld_prio, prio: 0}]}, - "administrator": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 4}]}, - "alias.ip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 3},{field: "related.ip", setter: fld_append}]}, - "alias.ipv6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 4},{field: "related.ip", setter: fld_append}]}, - "alias.mac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 1}]}, - "application": {to:[{field: "network.application", setter: fld_set}]}, - "bytes": {convert: to_long, to:[{field: "network.bytes", setter: fld_set}]}, - "c_domain": {to:[{field: "source.domain", setter: fld_prio, prio: 1}]}, - "c_logon_id": {to:[{field: "user.id", setter: fld_prio, prio: 2}]}, - 
"c_user_name": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 8}]}, - "c_username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 2}]}, - "cctld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 1}]}, - "child_pid": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 1}]}, - "child_pid_val": {to:[{field: "process.title", setter: fld_set}]}, - "child_process": {to:[{field: "process.name", setter: fld_prio, prio: 1}]}, - "city.dst": {to:[{field: "destination.geo.city_name", setter: fld_set}]}, - "city.src": {to:[{field: "source.geo.city_name", setter: fld_set}]}, - "daddr": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, - "daddr_v6": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, - "ddomain": {to:[{field: "destination.domain", setter: fld_prio, prio: 0}]}, - "devicehostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, - "devicehostmac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 0}]}, - "dhost": {to:[{field: "destination.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]}, - "dinterface": {to:[{field: "observer.egress.interface.name", setter: fld_set}]}, - "direction": {to:[{field: "network.direction", setter: fld_set}]}, - "directory": {to:[{field: "file.directory", setter: fld_set}]}, - "dmacaddr": {convert: to_mac, to:[{field: "destination.mac", setter: fld_set}]}, - "dns.responsetype": {to:[{field: "dns.answers.type", setter: fld_set}]}, - "dns.resptext": {to:[{field: "dns.answers.name", setter: fld_set}]}, - "dns_querytype": {to:[{field: "dns.question.type", setter: fld_set}]}, - "domain": {to:[{field: "server.domain", setter: fld_prio, prio: 0},{field: "related.hosts", setter: fld_append}]}, - 
"domain.dst": {to:[{field: "destination.domain", setter: fld_prio, prio: 1}]}, - "domain.src": {to:[{field: "source.domain", setter: fld_prio, prio: 2}]}, - "domain_id": {to:[{field: "user.domain", setter: fld_set}]}, - "domainname": {to:[{field: "server.domain", setter: fld_prio, prio: 1}]}, - "dport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 0}]}, - "dtransaddr": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, - "dtransport": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 0}]}, - "ec_outcome": {to:[{field: "event.outcome", setter: fld_ecs_outcome}]}, - "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]}, - "event_source": {to:[{field: "related.hosts", setter: fld_append}]}, - "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]}, - "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]}, - "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]}, - "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]}, - "filename": {to:[{field: "file.name", setter: fld_prio, prio: 0}]}, - "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]}, - "filepath": {to:[{field: "file.path", setter: fld_set}]}, - "filetype": {to:[{field: "file.type", setter: fld_set}]}, - "fqdn": {to:[{field: "related.hosts", setter: fld_append}]}, - "group": {to:[{field: "group.name", setter: fld_set}]}, - "groupid": {to:[{field: "group.id", setter: fld_set}]}, - "host": {to:[{field: "host.name", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]}, - "hostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, - "hostip_v6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, - "hostname": {to:[{field: 
"host.name", setter: fld_prio, prio: 0}]}, - "id": {to:[{field: "event.code", setter: fld_prio, prio: 0}]}, - "interface": {to:[{field: "network.interface.name", setter: fld_set}]}, - "ip.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, - "ip.trans.dst": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, - "ip.trans.src": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, - "ipv6.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, - "latdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lat", setter: fld_set}]}, - "latdec_src": {convert: to_double, to:[{field: "source.geo.location.lat", setter: fld_set}]}, - "location_city": {to:[{field: "geo.city_name", setter: fld_set}]}, - "location_country": {to:[{field: "geo.country_name", setter: fld_set}]}, - "location_desc": {to:[{field: "geo.name", setter: fld_set}]}, - "location_dst": {to:[{field: "destination.geo.country_name", setter: fld_set}]}, - "location_src": {to:[{field: "source.geo.country_name", setter: fld_set}]}, - "location_state": {to:[{field: "geo.region_name", setter: fld_set}]}, - "logon_id": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 5}]}, - "longdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lon", setter: fld_set}]}, - "longdec_src": {convert: to_double, to:[{field: "source.geo.location.lon", setter: fld_set}]}, - "macaddr": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 2}]}, - "messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]}, - "method": {to:[{field: "http.request.method", setter: fld_set}]}, - "msg": {to:[{field: "message", setter: fld_set}]}, - "orig_ip": {convert: to_ip, 
to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, - "owner": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 6}]}, - "packets": {convert: to_long, to:[{field: "network.packets", setter: fld_set}]}, - "parent_pid": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 0}]}, - "parent_pid_val": {to:[{field: "process.parent.title", setter: fld_set}]}, - "parent_process": {to:[{field: "process.parent.name", setter: fld_prio, prio: 0}]}, - "patient_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 1}]}, - "port.dst": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 1}]}, - "port.src": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 1}]}, - "port.trans.dst": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 1}]}, - "port.trans.src": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 1}]}, - "process": {to:[{field: "process.name", setter: fld_prio, prio: 0}]}, - "process_id": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 0}]}, - "process_id_src": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 1}]}, - "process_src": {to:[{field: "process.parent.name", setter: fld_prio, prio: 1}]}, - "product": {to:[{field: "observer.product", setter: fld_set}]}, - "protocol": {to:[{field: "network.protocol", setter: fld_set}]}, - "query": {to:[{field: "url.query", setter: fld_prio, prio: 2}]}, - "rbytes": {convert: to_long, to:[{field: "destination.bytes", setter: fld_set}]}, - "referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 1}]}, - "rulename": {to:[{field: "rule.name", setter: fld_set}]}, - "saddr": {convert: to_ip, to:[{field: "source.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, - "saddr_v6": {convert: to_ip, to:[{field: "source.ip", setter: 
fld_set},{field: "related.ip", setter: fld_append}]}, - "sbytes": {convert: to_long, to:[{field: "source.bytes", setter: fld_set}]}, - "sdomain": {to:[{field: "source.domain", setter: fld_prio, prio: 0}]}, - "service": {to:[{field: "service.name", setter: fld_prio, prio: 1}]}, - "service.name": {to:[{field: "service.name", setter: fld_prio, prio: 0}]}, - "service_account": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 7}]}, - "severity": {to:[{field: "log.level", setter: fld_set}]}, - "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]}, - "sinterface": {to:[{field: "observer.ingress.interface.name", setter: fld_set}]}, - "sld": {to:[{field: "url.registered_domain", setter: fld_set}]}, - "smacaddr": {convert: to_mac, to:[{field: "source.mac", setter: fld_set}]}, - "sport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 0}]}, - "stransaddr": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, - "stransport": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 0}]}, - "tcp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 2}]}, - "tcp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 2}]}, - "timezone": {to:[{field: "event.timezone", setter: fld_set}]}, - "tld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 0}]}, - "udp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 3}]}, - "udp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 3}]}, - "uid": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 3}]}, - "url": {to:[{field: "url.original", setter: fld_prio, prio: 1}]}, - "url_raw": {to:[{field: "url.original", setter: fld_prio, prio: 
0}]}, - "urldomain": {to:[{field: "url.domain", setter: fld_prio, prio: 0}]}, - "urlquery": {to:[{field: "url.query", setter: fld_prio, prio: 0}]}, - "user": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 0}]}, - "user.id": {to:[{field: "user.id", setter: fld_prio, prio: 1}]}, - "user_agent": {to:[{field: "user_agent.original", setter: fld_set}]}, - "user_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 0}]}, - "user_id": {to:[{field: "user.id", setter: fld_prio, prio: 0}]}, - "username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 1}]}, - "version": {to:[{field: "observer.version", setter: fld_set}]}, - "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]}, - "web_extension": {to:[{field: "file.extension", setter: fld_prio, prio: 0}]}, - "web_query": {to:[{field: "url.query", setter: fld_prio, prio: 1}]}, - "web_ref_domain": {to:[{field: "related.hosts", setter: fld_append}]}, - "web_referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 0}]}, - "web_root": {to:[{field: "url.path", setter: fld_set}]}, - "webpage": {to:[{field: "file.name", setter: fld_prio, prio: 1}]}, - }; - - var rsa_mappings = { - "access_point": {to:[{field: "rsa.wireless.access_point", setter: fld_set}]}, - "accesses": {to:[{field: "rsa.identity.accesses", setter: fld_set}]}, - "acl_id": {to:[{field: "rsa.misc.acl_id", setter: fld_set}]}, - "acl_op": {to:[{field: "rsa.misc.acl_op", setter: fld_set}]}, - "acl_pos": {to:[{field: "rsa.misc.acl_pos", setter: fld_set}]}, - "acl_table": {to:[{field: "rsa.misc.acl_table", setter: fld_set}]}, - "action": {to:[{field: "rsa.misc.action", setter: fld_append}]}, - "ad_computer_dst": {to:[{field: "rsa.network.ad_computer_dst", setter: fld_set}]}, - "addr": {to:[{field: "rsa.network.addr", setter: fld_set}]}, - "admin": {to:[{field: "rsa.misc.admin", setter: 
fld_set}]}, - "agent": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 0}]}, - "agent.id": {to:[{field: "rsa.misc.agent_id", setter: fld_set}]}, - "alarm_id": {to:[{field: "rsa.misc.alarm_id", setter: fld_set}]}, - "alarmname": {to:[{field: "rsa.misc.alarmname", setter: fld_set}]}, - "alert": {to:[{field: "rsa.threat.alert", setter: fld_set}]}, - "alert_id": {to:[{field: "rsa.misc.alert_id", setter: fld_set}]}, - "alias.host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "analysis.file": {to:[{field: "rsa.investigations.analysis_file", setter: fld_set}]}, - "analysis.service": {to:[{field: "rsa.investigations.analysis_service", setter: fld_set}]}, - "analysis.session": {to:[{field: "rsa.investigations.analysis_session", setter: fld_set}]}, - "app_id": {to:[{field: "rsa.misc.app_id", setter: fld_set}]}, - "attachment": {to:[{field: "rsa.file.attachment", setter: fld_set}]}, - "audit": {to:[{field: "rsa.misc.audit", setter: fld_set}]}, - "audit_class": {to:[{field: "rsa.internal.audit_class", setter: fld_set}]}, - "audit_object": {to:[{field: "rsa.misc.audit_object", setter: fld_set}]}, - "auditdata": {to:[{field: "rsa.misc.auditdata", setter: fld_set}]}, - "authmethod": {to:[{field: "rsa.identity.auth_method", setter: fld_set}]}, - "autorun_type": {to:[{field: "rsa.misc.autorun_type", setter: fld_set}]}, - "bcc": {to:[{field: "rsa.email.email", setter: fld_append}]}, - "benchmark": {to:[{field: "rsa.misc.benchmark", setter: fld_set}]}, - "binary": {to:[{field: "rsa.file.binary", setter: fld_set}]}, - "boc": {to:[{field: "rsa.investigations.boc", setter: fld_set}]}, - "bssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 1}]}, - "bypass": {to:[{field: "rsa.misc.bypass", setter: fld_set}]}, - "c_sid": {to:[{field: "rsa.identity.user_sid_src", setter: fld_set}]}, - "cache": {to:[{field: "rsa.misc.cache", setter: fld_set}]}, - "cache_hit": {to:[{field: "rsa.misc.cache_hit", setter: fld_set}]}, - "calling_from": {to:[{field: 
"rsa.misc.phone", setter: fld_prio, prio: 1}]}, - "calling_to": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 0}]}, - "category": {to:[{field: "rsa.misc.category", setter: fld_set}]}, - "cc": {to:[{field: "rsa.email.email", setter: fld_append}]}, - "cc.number": {convert: to_long, to:[{field: "rsa.misc.cc_number", setter: fld_set}]}, - "cefversion": {to:[{field: "rsa.misc.cefversion", setter: fld_set}]}, - "cert.serial": {to:[{field: "rsa.crypto.cert_serial", setter: fld_set}]}, - "cert_ca": {to:[{field: "rsa.crypto.cert_ca", setter: fld_set}]}, - "cert_checksum": {to:[{field: "rsa.crypto.cert_checksum", setter: fld_set}]}, - "cert_common": {to:[{field: "rsa.crypto.cert_common", setter: fld_set}]}, - "cert_error": {to:[{field: "rsa.crypto.cert_error", setter: fld_set}]}, - "cert_hostname": {to:[{field: "rsa.crypto.cert_host_name", setter: fld_set}]}, - "cert_hostname_cat": {to:[{field: "rsa.crypto.cert_host_cat", setter: fld_set}]}, - "cert_issuer": {to:[{field: "rsa.crypto.cert_issuer", setter: fld_set}]}, - "cert_keysize": {to:[{field: "rsa.crypto.cert_keysize", setter: fld_set}]}, - "cert_status": {to:[{field: "rsa.crypto.cert_status", setter: fld_set}]}, - "cert_subject": {to:[{field: "rsa.crypto.cert_subject", setter: fld_set}]}, - "cert_username": {to:[{field: "rsa.crypto.cert_username", setter: fld_set}]}, - "cfg.attr": {to:[{field: "rsa.misc.cfg_attr", setter: fld_set}]}, - "cfg.obj": {to:[{field: "rsa.misc.cfg_obj", setter: fld_set}]}, - "cfg.path": {to:[{field: "rsa.misc.cfg_path", setter: fld_set}]}, - "change_attribute": {to:[{field: "rsa.misc.change_attrib", setter: fld_set}]}, - "change_new": {to:[{field: "rsa.misc.change_new", setter: fld_set}]}, - "change_old": {to:[{field: "rsa.misc.change_old", setter: fld_set}]}, - "changes": {to:[{field: "rsa.misc.changes", setter: fld_set}]}, - "checksum": {to:[{field: "rsa.misc.checksum", setter: fld_set}]}, - "checksum.dst": {to:[{field: "rsa.misc.checksum_dst", setter: fld_set}]}, - "checksum.src": 
{to:[{field: "rsa.misc.checksum_src", setter: fld_set}]}, - "cid": {to:[{field: "rsa.internal.cid", setter: fld_set}]}, - "client": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 1}]}, - "client_ip": {to:[{field: "rsa.misc.client_ip", setter: fld_set}]}, - "clustermembers": {to:[{field: "rsa.misc.clustermembers", setter: fld_set}]}, - "cmd": {to:[{field: "rsa.misc.cmd", setter: fld_set}]}, - "cn_acttimeout": {to:[{field: "rsa.misc.cn_acttimeout", setter: fld_set}]}, - "cn_asn_dst": {to:[{field: "rsa.web.cn_asn_dst", setter: fld_set}]}, - "cn_asn_src": {to:[{field: "rsa.misc.cn_asn_src", setter: fld_set}]}, - "cn_bgpv4nxthop": {to:[{field: "rsa.misc.cn_bgpv4nxthop", setter: fld_set}]}, - "cn_ctr_dst_code": {to:[{field: "rsa.misc.cn_ctr_dst_code", setter: fld_set}]}, - "cn_dst_tos": {to:[{field: "rsa.misc.cn_dst_tos", setter: fld_set}]}, - "cn_dst_vlan": {to:[{field: "rsa.misc.cn_dst_vlan", setter: fld_set}]}, - "cn_engine_id": {to:[{field: "rsa.misc.cn_engine_id", setter: fld_set}]}, - "cn_engine_type": {to:[{field: "rsa.misc.cn_engine_type", setter: fld_set}]}, - "cn_f_switch": {to:[{field: "rsa.misc.cn_f_switch", setter: fld_set}]}, - "cn_flowsampid": {to:[{field: "rsa.misc.cn_flowsampid", setter: fld_set}]}, - "cn_flowsampintv": {to:[{field: "rsa.misc.cn_flowsampintv", setter: fld_set}]}, - "cn_flowsampmode": {to:[{field: "rsa.misc.cn_flowsampmode", setter: fld_set}]}, - "cn_inacttimeout": {to:[{field: "rsa.misc.cn_inacttimeout", setter: fld_set}]}, - "cn_inpermbyts": {to:[{field: "rsa.misc.cn_inpermbyts", setter: fld_set}]}, - "cn_inpermpckts": {to:[{field: "rsa.misc.cn_inpermpckts", setter: fld_set}]}, - "cn_invalid": {to:[{field: "rsa.misc.cn_invalid", setter: fld_set}]}, - "cn_ip_proto_ver": {to:[{field: "rsa.misc.cn_ip_proto_ver", setter: fld_set}]}, - "cn_ipv4_ident": {to:[{field: "rsa.misc.cn_ipv4_ident", setter: fld_set}]}, - "cn_l_switch": {to:[{field: "rsa.misc.cn_l_switch", setter: fld_set}]}, - "cn_log_did": {to:[{field: 
"rsa.misc.cn_log_did", setter: fld_set}]}, - "cn_log_rid": {to:[{field: "rsa.misc.cn_log_rid", setter: fld_set}]}, - "cn_max_ttl": {to:[{field: "rsa.misc.cn_max_ttl", setter: fld_set}]}, - "cn_maxpcktlen": {to:[{field: "rsa.misc.cn_maxpcktlen", setter: fld_set}]}, - "cn_min_ttl": {to:[{field: "rsa.misc.cn_min_ttl", setter: fld_set}]}, - "cn_minpcktlen": {to:[{field: "rsa.misc.cn_minpcktlen", setter: fld_set}]}, - "cn_mpls_lbl_1": {to:[{field: "rsa.misc.cn_mpls_lbl_1", setter: fld_set}]}, - "cn_mpls_lbl_10": {to:[{field: "rsa.misc.cn_mpls_lbl_10", setter: fld_set}]}, - "cn_mpls_lbl_2": {to:[{field: "rsa.misc.cn_mpls_lbl_2", setter: fld_set}]}, - "cn_mpls_lbl_3": {to:[{field: "rsa.misc.cn_mpls_lbl_3", setter: fld_set}]}, - "cn_mpls_lbl_4": {to:[{field: "rsa.misc.cn_mpls_lbl_4", setter: fld_set}]}, - "cn_mpls_lbl_5": {to:[{field: "rsa.misc.cn_mpls_lbl_5", setter: fld_set}]}, - "cn_mpls_lbl_6": {to:[{field: "rsa.misc.cn_mpls_lbl_6", setter: fld_set}]}, - "cn_mpls_lbl_7": {to:[{field: "rsa.misc.cn_mpls_lbl_7", setter: fld_set}]}, - "cn_mpls_lbl_8": {to:[{field: "rsa.misc.cn_mpls_lbl_8", setter: fld_set}]}, - "cn_mpls_lbl_9": {to:[{field: "rsa.misc.cn_mpls_lbl_9", setter: fld_set}]}, - "cn_mplstoplabel": {to:[{field: "rsa.misc.cn_mplstoplabel", setter: fld_set}]}, - "cn_mplstoplabip": {to:[{field: "rsa.misc.cn_mplstoplabip", setter: fld_set}]}, - "cn_mul_dst_byt": {to:[{field: "rsa.misc.cn_mul_dst_byt", setter: fld_set}]}, - "cn_mul_dst_pks": {to:[{field: "rsa.misc.cn_mul_dst_pks", setter: fld_set}]}, - "cn_muligmptype": {to:[{field: "rsa.misc.cn_muligmptype", setter: fld_set}]}, - "cn_rpackets": {to:[{field: "rsa.web.cn_rpackets", setter: fld_set}]}, - "cn_sampalgo": {to:[{field: "rsa.misc.cn_sampalgo", setter: fld_set}]}, - "cn_sampint": {to:[{field: "rsa.misc.cn_sampint", setter: fld_set}]}, - "cn_seqctr": {to:[{field: "rsa.misc.cn_seqctr", setter: fld_set}]}, - "cn_spackets": {to:[{field: "rsa.misc.cn_spackets", setter: fld_set}]}, - "cn_src_tos": {to:[{field: 
"rsa.misc.cn_src_tos", setter: fld_set}]}, - "cn_src_vlan": {to:[{field: "rsa.misc.cn_src_vlan", setter: fld_set}]}, - "cn_sysuptime": {to:[{field: "rsa.misc.cn_sysuptime", setter: fld_set}]}, - "cn_template_id": {to:[{field: "rsa.misc.cn_template_id", setter: fld_set}]}, - "cn_totbytsexp": {to:[{field: "rsa.misc.cn_totbytsexp", setter: fld_set}]}, - "cn_totflowexp": {to:[{field: "rsa.misc.cn_totflowexp", setter: fld_set}]}, - "cn_totpcktsexp": {to:[{field: "rsa.misc.cn_totpcktsexp", setter: fld_set}]}, - "cn_unixnanosecs": {to:[{field: "rsa.misc.cn_unixnanosecs", setter: fld_set}]}, - "cn_v6flowlabel": {to:[{field: "rsa.misc.cn_v6flowlabel", setter: fld_set}]}, - "cn_v6optheaders": {to:[{field: "rsa.misc.cn_v6optheaders", setter: fld_set}]}, - "code": {to:[{field: "rsa.misc.code", setter: fld_set}]}, - "command": {to:[{field: "rsa.misc.command", setter: fld_set}]}, - "comments": {to:[{field: "rsa.misc.comments", setter: fld_set}]}, - "comp_class": {to:[{field: "rsa.misc.comp_class", setter: fld_set}]}, - "comp_name": {to:[{field: "rsa.misc.comp_name", setter: fld_set}]}, - "comp_rbytes": {to:[{field: "rsa.misc.comp_rbytes", setter: fld_set}]}, - "comp_sbytes": {to:[{field: "rsa.misc.comp_sbytes", setter: fld_set}]}, - "component_version": {to:[{field: "rsa.misc.comp_version", setter: fld_set}]}, - "connection_id": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 1}]}, - "connectionid": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 0}]}, - "content": {to:[{field: "rsa.misc.content", setter: fld_set}]}, - "content_type": {to:[{field: "rsa.misc.content_type", setter: fld_set}]}, - "content_version": {to:[{field: "rsa.misc.content_version", setter: fld_set}]}, - "context": {to:[{field: "rsa.misc.context", setter: fld_set}]}, - "count": {to:[{field: "rsa.misc.count", setter: fld_set}]}, - "cpu": {convert: to_long, to:[{field: "rsa.misc.cpu", setter: fld_set}]}, - "cpu_data": {to:[{field: "rsa.misc.cpu_data", setter: fld_set}]}, - 
"criticality": {to:[{field: "rsa.misc.criticality", setter: fld_set}]}, - "cs_agency_dst": {to:[{field: "rsa.misc.cs_agency_dst", setter: fld_set}]}, - "cs_analyzedby": {to:[{field: "rsa.misc.cs_analyzedby", setter: fld_set}]}, - "cs_av_other": {to:[{field: "rsa.misc.cs_av_other", setter: fld_set}]}, - "cs_av_primary": {to:[{field: "rsa.misc.cs_av_primary", setter: fld_set}]}, - "cs_av_secondary": {to:[{field: "rsa.misc.cs_av_secondary", setter: fld_set}]}, - "cs_bgpv6nxthop": {to:[{field: "rsa.misc.cs_bgpv6nxthop", setter: fld_set}]}, - "cs_bit9status": {to:[{field: "rsa.misc.cs_bit9status", setter: fld_set}]}, - "cs_context": {to:[{field: "rsa.misc.cs_context", setter: fld_set}]}, - "cs_control": {to:[{field: "rsa.misc.cs_control", setter: fld_set}]}, - "cs_data": {to:[{field: "rsa.misc.cs_data", setter: fld_set}]}, - "cs_datecret": {to:[{field: "rsa.misc.cs_datecret", setter: fld_set}]}, - "cs_dst_tld": {to:[{field: "rsa.misc.cs_dst_tld", setter: fld_set}]}, - "cs_eth_dst_ven": {to:[{field: "rsa.misc.cs_eth_dst_ven", setter: fld_set}]}, - "cs_eth_src_ven": {to:[{field: "rsa.misc.cs_eth_src_ven", setter: fld_set}]}, - "cs_event_uuid": {to:[{field: "rsa.misc.cs_event_uuid", setter: fld_set}]}, - "cs_filetype": {to:[{field: "rsa.misc.cs_filetype", setter: fld_set}]}, - "cs_fld": {to:[{field: "rsa.misc.cs_fld", setter: fld_set}]}, - "cs_if_desc": {to:[{field: "rsa.misc.cs_if_desc", setter: fld_set}]}, - "cs_if_name": {to:[{field: "rsa.misc.cs_if_name", setter: fld_set}]}, - "cs_ip_next_hop": {to:[{field: "rsa.misc.cs_ip_next_hop", setter: fld_set}]}, - "cs_ipv4dstpre": {to:[{field: "rsa.misc.cs_ipv4dstpre", setter: fld_set}]}, - "cs_ipv4srcpre": {to:[{field: "rsa.misc.cs_ipv4srcpre", setter: fld_set}]}, - "cs_lifetime": {to:[{field: "rsa.misc.cs_lifetime", setter: fld_set}]}, - "cs_log_medium": {to:[{field: "rsa.misc.cs_log_medium", setter: fld_set}]}, - "cs_loginname": {to:[{field: "rsa.misc.cs_loginname", setter: fld_set}]}, - "cs_modulescore": {to:[{field: 
"rsa.misc.cs_modulescore", setter: fld_set}]}, - "cs_modulesign": {to:[{field: "rsa.misc.cs_modulesign", setter: fld_set}]}, - "cs_opswatresult": {to:[{field: "rsa.misc.cs_opswatresult", setter: fld_set}]}, - "cs_payload": {to:[{field: "rsa.misc.cs_payload", setter: fld_set}]}, - "cs_registrant": {to:[{field: "rsa.misc.cs_registrant", setter: fld_set}]}, - "cs_registrar": {to:[{field: "rsa.misc.cs_registrar", setter: fld_set}]}, - "cs_represult": {to:[{field: "rsa.misc.cs_represult", setter: fld_set}]}, - "cs_rpayload": {to:[{field: "rsa.misc.cs_rpayload", setter: fld_set}]}, - "cs_sampler_name": {to:[{field: "rsa.misc.cs_sampler_name", setter: fld_set}]}, - "cs_sourcemodule": {to:[{field: "rsa.misc.cs_sourcemodule", setter: fld_set}]}, - "cs_streams": {to:[{field: "rsa.misc.cs_streams", setter: fld_set}]}, - "cs_targetmodule": {to:[{field: "rsa.misc.cs_targetmodule", setter: fld_set}]}, - "cs_v6nxthop": {to:[{field: "rsa.misc.cs_v6nxthop", setter: fld_set}]}, - "cs_whois_server": {to:[{field: "rsa.misc.cs_whois_server", setter: fld_set}]}, - "cs_yararesult": {to:[{field: "rsa.misc.cs_yararesult", setter: fld_set}]}, - "cve": {to:[{field: "rsa.misc.cve", setter: fld_set}]}, - "d_certauth": {to:[{field: "rsa.crypto.d_certauth", setter: fld_set}]}, - "d_cipher": {to:[{field: "rsa.crypto.cipher_dst", setter: fld_set}]}, - "d_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_dst", setter: fld_set}]}, - "d_sslver": {to:[{field: "rsa.crypto.ssl_ver_dst", setter: fld_set}]}, - "data": {to:[{field: "rsa.internal.data", setter: fld_set}]}, - "data_type": {to:[{field: "rsa.misc.data_type", setter: fld_set}]}, - "date": {to:[{field: "rsa.time.date", setter: fld_set}]}, - "datetime": {to:[{field: "rsa.time.datetime", setter: fld_set}]}, - "day": {to:[{field: "rsa.time.day", setter: fld_set}]}, - "db_id": {to:[{field: "rsa.db.db_id", setter: fld_set}]}, - "db_name": {to:[{field: "rsa.db.database", setter: fld_set}]}, - "db_pid": {convert: to_long, to:[{field: 
"rsa.db.db_pid", setter: fld_set}]}, - "dclass_counter1": {convert: to_long, to:[{field: "rsa.counters.dclass_c1", setter: fld_set}]}, - "dclass_counter1_string": {to:[{field: "rsa.counters.dclass_c1_str", setter: fld_set}]}, - "dclass_counter2": {convert: to_long, to:[{field: "rsa.counters.dclass_c2", setter: fld_set}]}, - "dclass_counter2_string": {to:[{field: "rsa.counters.dclass_c2_str", setter: fld_set}]}, - "dclass_counter3": {convert: to_long, to:[{field: "rsa.counters.dclass_c3", setter: fld_set}]}, - "dclass_counter3_string": {to:[{field: "rsa.counters.dclass_c3_str", setter: fld_set}]}, - "dclass_ratio1": {to:[{field: "rsa.counters.dclass_r1", setter: fld_set}]}, - "dclass_ratio1_string": {to:[{field: "rsa.counters.dclass_r1_str", setter: fld_set}]}, - "dclass_ratio2": {to:[{field: "rsa.counters.dclass_r2", setter: fld_set}]}, - "dclass_ratio2_string": {to:[{field: "rsa.counters.dclass_r2_str", setter: fld_set}]}, - "dclass_ratio3": {to:[{field: "rsa.counters.dclass_r3", setter: fld_set}]}, - "dclass_ratio3_string": {to:[{field: "rsa.counters.dclass_r3_str", setter: fld_set}]}, - "dead": {convert: to_long, to:[{field: "rsa.internal.dead", setter: fld_set}]}, - "description": {to:[{field: "rsa.misc.description", setter: fld_set}]}, - "detail": {to:[{field: "rsa.misc.event_desc", setter: fld_set}]}, - "device": {to:[{field: "rsa.misc.device_name", setter: fld_set}]}, - "device.class": {to:[{field: "rsa.internal.device_class", setter: fld_set}]}, - "device.group": {to:[{field: "rsa.internal.device_group", setter: fld_set}]}, - "device.host": {to:[{field: "rsa.internal.device_host", setter: fld_set}]}, - "device.ip": {convert: to_ip, to:[{field: "rsa.internal.device_ip", setter: fld_set}]}, - "device.ipv6": {convert: to_ip, to:[{field: "rsa.internal.device_ipv6", setter: fld_set}]}, - "device.type": {to:[{field: "rsa.internal.device_type", setter: fld_set}]}, - "device.type.id": {convert: to_long, to:[{field: "rsa.internal.device_type_id", setter: fld_set}]}, 
- "devicehostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "devvendor": {to:[{field: "rsa.misc.devvendor", setter: fld_set}]}, - "dhost": {to:[{field: "rsa.network.host_dst", setter: fld_set}]}, - "did": {to:[{field: "rsa.internal.did", setter: fld_set}]}, - "dinterface": {to:[{field: "rsa.network.dinterface", setter: fld_set}]}, - "directory.dst": {to:[{field: "rsa.file.directory_dst", setter: fld_set}]}, - "directory.src": {to:[{field: "rsa.file.directory_src", setter: fld_set}]}, - "disk_volume": {to:[{field: "rsa.storage.disk_volume", setter: fld_set}]}, - "disposition": {to:[{field: "rsa.misc.disposition", setter: fld_set}]}, - "distance": {to:[{field: "rsa.misc.distance", setter: fld_set}]}, - "dmask": {to:[{field: "rsa.network.dmask", setter: fld_set}]}, - "dn": {to:[{field: "rsa.identity.dn", setter: fld_set}]}, - "dns_a_record": {to:[{field: "rsa.network.dns_a_record", setter: fld_set}]}, - "dns_cname_record": {to:[{field: "rsa.network.dns_cname_record", setter: fld_set}]}, - "dns_id": {to:[{field: "rsa.network.dns_id", setter: fld_set}]}, - "dns_opcode": {to:[{field: "rsa.network.dns_opcode", setter: fld_set}]}, - "dns_ptr_record": {to:[{field: "rsa.network.dns_ptr_record", setter: fld_set}]}, - "dns_resp": {to:[{field: "rsa.network.dns_resp", setter: fld_set}]}, - "dns_type": {to:[{field: "rsa.network.dns_type", setter: fld_set}]}, - "doc_number": {convert: to_long, to:[{field: "rsa.misc.doc_number", setter: fld_set}]}, - "domain": {to:[{field: "rsa.network.domain", setter: fld_set}]}, - "domain1": {to:[{field: "rsa.network.domain1", setter: fld_set}]}, - "dst_dn": {to:[{field: "rsa.identity.dn_dst", setter: fld_set}]}, - "dst_payload": {to:[{field: "rsa.misc.payload_dst", setter: fld_set}]}, - "dst_spi": {to:[{field: "rsa.misc.spi_dst", setter: fld_set}]}, - "dst_zone": {to:[{field: "rsa.network.zone_dst", setter: fld_set}]}, - "dstburb": {to:[{field: "rsa.misc.dstburb", setter: fld_set}]}, - "duration": {convert: to_double, 
to:[{field: "rsa.time.duration_time", setter: fld_set}]},
- "duration_string": {to:[{field: "rsa.time.duration_str", setter: fld_set}]},
- "ec_activity": {to:[{field: "rsa.investigations.ec_activity", setter: fld_set}]},
- "ec_outcome": {to:[{field: "rsa.investigations.ec_outcome", setter: fld_set}]},
- "ec_subject": {to:[{field: "rsa.investigations.ec_subject", setter: fld_set}]},
- "ec_theme": {to:[{field: "rsa.investigations.ec_theme", setter: fld_set}]},
- "edomain": {to:[{field: "rsa.misc.edomain", setter: fld_set}]},
- "edomaub": {to:[{field: "rsa.misc.edomaub", setter: fld_set}]},
- "effective_time": {convert: to_date, to:[{field: "rsa.time.effective_time", setter: fld_set}]},
- "ein.number": {convert: to_long, to:[{field: "rsa.misc.ein_number", setter: fld_set}]},
- "email": {to:[{field: "rsa.email.email", setter: fld_append}]},
- "encryption_type": {to:[{field: "rsa.crypto.crypto", setter: fld_set}]},
- "endtime": {convert: to_date, to:[{field: "rsa.time.endtime", setter: fld_set}]},
- "entropy.req": {convert: to_long, to:[{field: "rsa.internal.entropy_req", setter: fld_set}]},
- "entropy.res": {convert: to_long, to:[{field: "rsa.internal.entropy_res", setter: fld_set}]},
- "entry": {to:[{field: "rsa.internal.entry", setter: fld_set}]},
- "eoc": {to:[{field: "rsa.investigations.eoc", setter: fld_set}]},
- "error": {to:[{field: "rsa.misc.error", setter: fld_set}]},
- "eth_type": {convert: to_long, to:[{field: "rsa.network.eth_type", setter: fld_set}]},
- "euid": {to:[{field: "rsa.misc.euid", setter: fld_set}]},
- "event.cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 1}]},
- "event.cat.name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 1}]},
- "event_cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 0}]},
- "event_cat_name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 0}]},
- "event_category": {to:[{field: 
"rsa.misc.event_category", setter: fld_set}]},
- "event_computer": {to:[{field: "rsa.misc.event_computer", setter: fld_set}]},
- "event_counter": {convert: to_long, to:[{field: "rsa.counters.event_counter", setter: fld_set}]},
- "event_description": {to:[{field: "rsa.internal.event_desc", setter: fld_set}]},
- "event_id": {to:[{field: "rsa.misc.event_id", setter: fld_set}]},
- "event_log": {to:[{field: "rsa.misc.event_log", setter: fld_set}]},
- "event_name": {to:[{field: "rsa.internal.event_name", setter: fld_set}]},
- "event_queue_time": {convert: to_date, to:[{field: "rsa.time.event_queue_time", setter: fld_set}]},
- "event_source": {to:[{field: "rsa.misc.event_source", setter: fld_set}]},
- "event_state": {to:[{field: "rsa.misc.event_state", setter: fld_set}]},
- "event_time": {convert: to_date, to:[{field: "rsa.time.event_time", setter: fld_set}]},
- "event_time_str": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 1}]},
- "event_time_string": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 0}]},
- "event_type": {to:[{field: "rsa.misc.event_type", setter: fld_set}]},
- "event_user": {to:[{field: "rsa.misc.event_user", setter: fld_set}]},
- "eventtime": {to:[{field: "rsa.time.eventtime", setter: fld_set}]},
- "expected_val": {to:[{field: "rsa.misc.expected_val", setter: fld_set}]},
- "expiration_time": {convert: to_date, to:[{field: "rsa.time.expire_time", setter: fld_set}]},
- "expiration_time_string": {to:[{field: "rsa.time.expire_time_str", setter: fld_set}]},
- "facility": {to:[{field: "rsa.misc.facility", setter: fld_set}]},
- "facilityname": {to:[{field: "rsa.misc.facilityname", setter: fld_set}]},
- "faddr": {to:[{field: "rsa.network.faddr", setter: fld_set}]},
- "fcatnum": {to:[{field: "rsa.misc.fcatnum", setter: fld_set}]},
- "federated_idp": {to:[{field: "rsa.identity.federated_idp", setter: fld_set}]},
- "federated_sp": {to:[{field: "rsa.identity.federated_sp", setter: fld_set}]},
- "feed.category": {to:[{field: 
"rsa.internal.feed_category", setter: fld_set}]},
- "feed_desc": {to:[{field: "rsa.internal.feed_desc", setter: fld_set}]},
- "feed_name": {to:[{field: "rsa.internal.feed_name", setter: fld_set}]},
- "fhost": {to:[{field: "rsa.network.fhost", setter: fld_set}]},
- "file_entropy": {convert: to_double, to:[{field: "rsa.file.file_entropy", setter: fld_set}]},
- "file_vendor": {to:[{field: "rsa.file.file_vendor", setter: fld_set}]},
- "filename_dst": {to:[{field: "rsa.file.filename_dst", setter: fld_set}]},
- "filename_src": {to:[{field: "rsa.file.filename_src", setter: fld_set}]},
- "filename_tmp": {to:[{field: "rsa.file.filename_tmp", setter: fld_set}]},
- "filesystem": {to:[{field: "rsa.file.filesystem", setter: fld_set}]},
- "filter": {to:[{field: "rsa.misc.filter", setter: fld_set}]},
- "finterface": {to:[{field: "rsa.misc.finterface", setter: fld_set}]},
- "flags": {to:[{field: "rsa.misc.flags", setter: fld_set}]},
- "forensic_info": {to:[{field: "rsa.misc.forensic_info", setter: fld_set}]},
- "forward.ip": {convert: to_ip, to:[{field: "rsa.internal.forward_ip", setter: fld_set}]},
- "forward.ipv6": {convert: to_ip, to:[{field: "rsa.internal.forward_ipv6", setter: fld_set}]},
- "found": {to:[{field: "rsa.misc.found", setter: fld_set}]},
- "fport": {to:[{field: "rsa.network.fport", setter: fld_set}]},
- "fqdn": {to:[{field: "rsa.web.fqdn", setter: fld_set}]},
- "fresult": {convert: to_long, to:[{field: "rsa.misc.fresult", setter: fld_set}]},
- "from": {to:[{field: "rsa.email.email_src", setter: fld_set}]},
- "gaddr": {to:[{field: "rsa.misc.gaddr", setter: fld_set}]},
- "gateway": {to:[{field: "rsa.network.gateway", setter: fld_set}]},
- "gmtdate": {to:[{field: "rsa.time.gmtdate", setter: fld_set}]},
- "gmttime": {to:[{field: "rsa.time.gmttime", setter: fld_set}]},
- "group": {to:[{field: "rsa.misc.group", setter: fld_set}]},
- "group_object": {to:[{field: "rsa.misc.group_object", setter: fld_set}]},
- "groupid": {to:[{field: "rsa.misc.group_id", setter: 
fld_set}]},
- "h_code": {to:[{field: "rsa.internal.hcode", setter: fld_set}]},
- "hardware_id": {to:[{field: "rsa.misc.hardware_id", setter: fld_set}]},
- "header.id": {to:[{field: "rsa.internal.header_id", setter: fld_set}]},
- "host.orig": {to:[{field: "rsa.network.host_orig", setter: fld_set}]},
- "host.state": {to:[{field: "rsa.endpoint.host_state", setter: fld_set}]},
- "host.type": {to:[{field: "rsa.network.host_type", setter: fld_set}]},
- "host_role": {to:[{field: "rsa.identity.host_role", setter: fld_set}]},
- "hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
- "hostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
- "hour": {to:[{field: "rsa.time.hour", setter: fld_set}]},
- "https.insact": {to:[{field: "rsa.crypto.https_insact", setter: fld_set}]},
- "https.valid": {to:[{field: "rsa.crypto.https_valid", setter: fld_set}]},
- "icmpcode": {convert: to_long, to:[{field: "rsa.network.icmp_code", setter: fld_set}]},
- "icmptype": {convert: to_long, to:[{field: "rsa.network.icmp_type", setter: fld_set}]},
- "id": {to:[{field: "rsa.misc.reference_id", setter: fld_set}]},
- "id1": {to:[{field: "rsa.misc.reference_id1", setter: fld_set}]},
- "id2": {to:[{field: "rsa.misc.reference_id2", setter: fld_set}]},
- "id3": {to:[{field: "rsa.misc.id3", setter: fld_set}]},
- "ike": {to:[{field: "rsa.crypto.ike", setter: fld_set}]},
- "ike_cookie1": {to:[{field: "rsa.crypto.ike_cookie1", setter: fld_set}]},
- "ike_cookie2": {to:[{field: "rsa.crypto.ike_cookie2", setter: fld_set}]},
- "im_buddyid": {to:[{field: "rsa.misc.im_buddyid", setter: fld_set}]},
- "im_buddyname": {to:[{field: "rsa.misc.im_buddyname", setter: fld_set}]},
- "im_client": {to:[{field: "rsa.misc.im_client", setter: fld_set}]},
- "im_croomid": {to:[{field: "rsa.misc.im_croomid", setter: fld_set}]},
- "im_croomtype": {to:[{field: "rsa.misc.im_croomtype", setter: fld_set}]},
- "im_members": {to:[{field: "rsa.misc.im_members", setter: fld_set}]},
- "im_userid": 
{to:[{field: "rsa.misc.im_userid", setter: fld_set}]},
- "im_username": {to:[{field: "rsa.misc.im_username", setter: fld_set}]},
- "index": {to:[{field: "rsa.misc.index", setter: fld_set}]},
- "info": {to:[{field: "rsa.db.index", setter: fld_set}]},
- "inode": {convert: to_long, to:[{field: "rsa.internal.inode", setter: fld_set}]},
- "inout": {to:[{field: "rsa.misc.inout", setter: fld_set}]},
- "instance": {to:[{field: "rsa.db.instance", setter: fld_set}]},
- "interface": {to:[{field: "rsa.network.interface", setter: fld_set}]},
- "inv.category": {to:[{field: "rsa.investigations.inv_category", setter: fld_set}]},
- "inv.context": {to:[{field: "rsa.investigations.inv_context", setter: fld_set}]},
- "ioc": {to:[{field: "rsa.investigations.ioc", setter: fld_set}]},
- "ip_proto": {convert: to_long, to:[{field: "rsa.network.ip_proto", setter: fld_set}]},
- "ipkt": {to:[{field: "rsa.misc.ipkt", setter: fld_set}]},
- "ipscat": {to:[{field: "rsa.misc.ipscat", setter: fld_set}]},
- "ipspri": {to:[{field: "rsa.misc.ipspri", setter: fld_set}]},
- "jobname": {to:[{field: "rsa.misc.jobname", setter: fld_set}]},
- "jobnum": {to:[{field: "rsa.misc.job_num", setter: fld_set}]},
- "laddr": {to:[{field: "rsa.network.laddr", setter: fld_set}]},
- "language": {to:[{field: "rsa.misc.language", setter: fld_set}]},
- "latitude": {to:[{field: "rsa.misc.latitude", setter: fld_set}]},
- "lc.cid": {to:[{field: "rsa.internal.lc_cid", setter: fld_set}]},
- "lc.ctime": {convert: to_date, to:[{field: "rsa.internal.lc_ctime", setter: fld_set}]},
- "ldap": {to:[{field: "rsa.identity.ldap", setter: fld_set}]},
- "ldap.query": {to:[{field: "rsa.identity.ldap_query", setter: fld_set}]},
- "ldap.response": {to:[{field: "rsa.identity.ldap_response", setter: fld_set}]},
- "level": {convert: to_long, to:[{field: "rsa.internal.level", setter: fld_set}]},
- "lhost": {to:[{field: "rsa.network.lhost", setter: fld_set}]},
- "library": {to:[{field: "rsa.misc.library", setter: fld_set}]},
- "lifetime": 
{convert: to_long, to:[{field: "rsa.misc.lifetime", setter: fld_set}]},
- "linenum": {to:[{field: "rsa.misc.linenum", setter: fld_set}]},
- "link": {to:[{field: "rsa.misc.link", setter: fld_set}]},
- "linterface": {to:[{field: "rsa.network.linterface", setter: fld_set}]},
- "list_name": {to:[{field: "rsa.misc.list_name", setter: fld_set}]},
- "listnum": {to:[{field: "rsa.misc.listnum", setter: fld_set}]},
- "load_data": {to:[{field: "rsa.misc.load_data", setter: fld_set}]},
- "location_floor": {to:[{field: "rsa.misc.location_floor", setter: fld_set}]},
- "location_mark": {to:[{field: "rsa.misc.location_mark", setter: fld_set}]},
- "log_id": {to:[{field: "rsa.misc.log_id", setter: fld_set}]},
- "log_type": {to:[{field: "rsa.misc.log_type", setter: fld_set}]},
- "logid": {to:[{field: "rsa.misc.logid", setter: fld_set}]},
- "logip": {to:[{field: "rsa.misc.logip", setter: fld_set}]},
- "logname": {to:[{field: "rsa.misc.logname", setter: fld_set}]},
- "logon_type": {to:[{field: "rsa.identity.logon_type", setter: fld_set}]},
- "logon_type_desc": {to:[{field: "rsa.identity.logon_type_desc", setter: fld_set}]},
- "longitude": {to:[{field: "rsa.misc.longitude", setter: fld_set}]},
- "lport": {to:[{field: "rsa.misc.lport", setter: fld_set}]},
- "lread": {convert: to_long, to:[{field: "rsa.db.lread", setter: fld_set}]},
- "lun": {to:[{field: "rsa.storage.lun", setter: fld_set}]},
- "lwrite": {convert: to_long, to:[{field: "rsa.db.lwrite", setter: fld_set}]},
- "macaddr": {convert: to_mac, to:[{field: "rsa.network.eth_host", setter: fld_set}]},
- "mail_id": {to:[{field: "rsa.misc.mail_id", setter: fld_set}]},
- "mask": {to:[{field: "rsa.network.mask", setter: fld_set}]},
- "match": {to:[{field: "rsa.misc.match", setter: fld_set}]},
- "mbug_data": {to:[{field: "rsa.misc.mbug_data", setter: fld_set}]},
- "mcb.req": {convert: to_long, to:[{field: "rsa.internal.mcb_req", setter: fld_set}]},
- "mcb.res": {convert: to_long, to:[{field: "rsa.internal.mcb_res", setter: fld_set}]},
- 
"mcbc.req": {convert: to_long, to:[{field: "rsa.internal.mcbc_req", setter: fld_set}]},
- "mcbc.res": {convert: to_long, to:[{field: "rsa.internal.mcbc_res", setter: fld_set}]},
- "medium": {convert: to_long, to:[{field: "rsa.internal.medium", setter: fld_set}]},
- "message": {to:[{field: "rsa.internal.message", setter: fld_set}]},
- "message_body": {to:[{field: "rsa.misc.message_body", setter: fld_set}]},
- "messageid": {to:[{field: "rsa.internal.messageid", setter: fld_set}]},
- "min": {to:[{field: "rsa.time.min", setter: fld_set}]},
- "misc": {to:[{field: "rsa.misc.misc", setter: fld_set}]},
- "misc_name": {to:[{field: "rsa.misc.misc_name", setter: fld_set}]},
- "mode": {to:[{field: "rsa.misc.mode", setter: fld_set}]},
- "month": {to:[{field: "rsa.time.month", setter: fld_set}]},
- "msg": {to:[{field: "rsa.internal.msg", setter: fld_set}]},
- "msgIdPart1": {to:[{field: "rsa.misc.msgIdPart1", setter: fld_set}]},
- "msgIdPart2": {to:[{field: "rsa.misc.msgIdPart2", setter: fld_set}]},
- "msgIdPart3": {to:[{field: "rsa.misc.msgIdPart3", setter: fld_set}]},
- "msgIdPart4": {to:[{field: "rsa.misc.msgIdPart4", setter: fld_set}]},
- "msg_id": {to:[{field: "rsa.internal.msg_id", setter: fld_set}]},
- "msg_type": {to:[{field: "rsa.misc.msg_type", setter: fld_set}]},
- "msgid": {to:[{field: "rsa.misc.msgid", setter: fld_set}]},
- "name": {to:[{field: "rsa.misc.name", setter: fld_set}]},
- "netname": {to:[{field: "rsa.network.netname", setter: fld_set}]},
- "netsessid": {to:[{field: "rsa.misc.netsessid", setter: fld_set}]},
- "network_port": {convert: to_long, to:[{field: "rsa.network.network_port", setter: fld_set}]},
- "network_service": {to:[{field: "rsa.network.network_service", setter: fld_set}]},
- "node": {to:[{field: "rsa.misc.node", setter: fld_set}]},
- "nodename": {to:[{field: "rsa.internal.node_name", setter: fld_set}]},
- "ntype": {to:[{field: "rsa.misc.ntype", setter: fld_set}]},
- "num": {to:[{field: "rsa.misc.num", setter: fld_set}]},
- "number": 
{to:[{field: "rsa.misc.number", setter: fld_set}]},
- "number1": {to:[{field: "rsa.misc.number1", setter: fld_set}]},
- "number2": {to:[{field: "rsa.misc.number2", setter: fld_set}]},
- "nwe.callback_id": {to:[{field: "rsa.internal.nwe_callback_id", setter: fld_set}]},
- "nwwn": {to:[{field: "rsa.misc.nwwn", setter: fld_set}]},
- "obj_id": {to:[{field: "rsa.internal.obj_id", setter: fld_set}]},
- "obj_name": {to:[{field: "rsa.misc.obj_name", setter: fld_set}]},
- "obj_server": {to:[{field: "rsa.internal.obj_server", setter: fld_set}]},
- "obj_type": {to:[{field: "rsa.misc.obj_type", setter: fld_set}]},
- "obj_value": {to:[{field: "rsa.internal.obj_val", setter: fld_set}]},
- "object": {to:[{field: "rsa.misc.object", setter: fld_set}]},
- "observed_val": {to:[{field: "rsa.misc.observed_val", setter: fld_set}]},
- "operation": {to:[{field: "rsa.misc.operation", setter: fld_set}]},
- "operation_id": {to:[{field: "rsa.misc.operation_id", setter: fld_set}]},
- "opkt": {to:[{field: "rsa.misc.opkt", setter: fld_set}]},
- "org.dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 1}]},
- "org.src": {to:[{field: "rsa.physical.org_src", setter: fld_set}]},
- "org_dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 0}]},
- "orig_from": {to:[{field: "rsa.misc.orig_from", setter: fld_set}]},
- "origin": {to:[{field: "rsa.network.origin", setter: fld_set}]},
- "original_owner": {to:[{field: "rsa.identity.owner", setter: fld_set}]},
- "os": {to:[{field: "rsa.misc.OS", setter: fld_set}]},
- "owner_id": {to:[{field: "rsa.misc.owner_id", setter: fld_set}]},
- "p_action": {to:[{field: "rsa.misc.p_action", setter: fld_set}]},
- "p_date": {to:[{field: "rsa.time.p_date", setter: fld_set}]},
- "p_filter": {to:[{field: "rsa.misc.p_filter", setter: fld_set}]},
- "p_group_object": {to:[{field: "rsa.misc.p_group_object", setter: fld_set}]},
- "p_id": {to:[{field: "rsa.misc.p_id", setter: fld_set}]},
- "p_month": {to:[{field: "rsa.time.p_month", setter: fld_set}]},
- "p_msgid": {to:[{field: "rsa.misc.p_msgid", setter: fld_set}]},
- "p_msgid1": {to:[{field: "rsa.misc.p_msgid1", setter: fld_set}]},
- "p_msgid2": {to:[{field: "rsa.misc.p_msgid2", setter: fld_set}]},
- "p_result1": {to:[{field: "rsa.misc.p_result1", setter: fld_set}]},
- "p_time": {to:[{field: "rsa.time.p_time", setter: fld_set}]},
- "p_time1": {to:[{field: "rsa.time.p_time1", setter: fld_set}]},
- "p_time2": {to:[{field: "rsa.time.p_time2", setter: fld_set}]},
- "p_url": {to:[{field: "rsa.web.p_url", setter: fld_set}]},
- "p_user_agent": {to:[{field: "rsa.web.p_user_agent", setter: fld_set}]},
- "p_web_cookie": {to:[{field: "rsa.web.p_web_cookie", setter: fld_set}]},
- "p_web_method": {to:[{field: "rsa.web.p_web_method", setter: fld_set}]},
- "p_web_referer": {to:[{field: "rsa.web.p_web_referer", setter: fld_set}]},
- "p_year": {to:[{field: "rsa.time.p_year", setter: fld_set}]},
- "packet_length": {to:[{field: "rsa.network.packet_length", setter: fld_set}]},
- "paddr": {convert: to_ip, to:[{field: "rsa.network.paddr", setter: fld_set}]},
- "param": {to:[{field: "rsa.misc.param", setter: fld_set}]},
- "param.dst": {to:[{field: "rsa.misc.param_dst", setter: fld_set}]},
- "param.src": {to:[{field: "rsa.misc.param_src", setter: fld_set}]},
- "parent_node": {to:[{field: "rsa.misc.parent_node", setter: fld_set}]},
- "parse.error": {to:[{field: "rsa.internal.parse_error", setter: fld_set}]},
- "password": {to:[{field: "rsa.identity.password", setter: fld_set}]},
- "password_chg": {to:[{field: "rsa.misc.password_chg", setter: fld_set}]},
- "password_expire": {to:[{field: "rsa.misc.password_expire", setter: fld_set}]},
- "patient_fname": {to:[{field: "rsa.healthcare.patient_fname", setter: fld_set}]},
- "patient_id": {to:[{field: "rsa.healthcare.patient_id", setter: fld_set}]},
- "patient_lname": {to:[{field: "rsa.healthcare.patient_lname", setter: fld_set}]},
- "patient_mname": {to:[{field: "rsa.healthcare.patient_mname", setter: fld_set}]},
- "payload.req": {convert: 
to_long, to:[{field: "rsa.internal.payload_req", setter: fld_set}]},
- "payload.res": {convert: to_long, to:[{field: "rsa.internal.payload_res", setter: fld_set}]},
- "peer": {to:[{field: "rsa.crypto.peer", setter: fld_set}]},
- "peer_id": {to:[{field: "rsa.crypto.peer_id", setter: fld_set}]},
- "permgranted": {to:[{field: "rsa.misc.permgranted", setter: fld_set}]},
- "permissions": {to:[{field: "rsa.db.permissions", setter: fld_set}]},
- "permwanted": {to:[{field: "rsa.misc.permwanted", setter: fld_set}]},
- "pgid": {to:[{field: "rsa.misc.pgid", setter: fld_set}]},
- "phone_number": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 2}]},
- "phost": {to:[{field: "rsa.network.phost", setter: fld_set}]},
- "pid": {to:[{field: "rsa.misc.pid", setter: fld_set}]},
- "policy": {to:[{field: "rsa.misc.policy", setter: fld_set}]},
- "policyUUID": {to:[{field: "rsa.misc.policyUUID", setter: fld_set}]},
- "policy_id": {to:[{field: "rsa.misc.policy_id", setter: fld_set}]},
- "policy_value": {to:[{field: "rsa.misc.policy_value", setter: fld_set}]},
- "policy_waiver": {to:[{field: "rsa.misc.policy_waiver", setter: fld_set}]},
- "policyname": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 0}]},
- "pool_id": {to:[{field: "rsa.misc.pool_id", setter: fld_set}]},
- "pool_name": {to:[{field: "rsa.misc.pool_name", setter: fld_set}]},
- "port": {convert: to_long, to:[{field: "rsa.network.port", setter: fld_set}]},
- "portname": {to:[{field: "rsa.misc.port_name", setter: fld_set}]},
- "pread": {convert: to_long, to:[{field: "rsa.db.pread", setter: fld_set}]},
- "priority": {to:[{field: "rsa.misc.priority", setter: fld_set}]},
- "privilege": {to:[{field: "rsa.file.privilege", setter: fld_set}]},
- "process.vid.dst": {to:[{field: "rsa.internal.process_vid_dst", setter: fld_set}]},
- "process.vid.src": {to:[{field: "rsa.internal.process_vid_src", setter: fld_set}]},
- "process_id_val": {to:[{field: "rsa.misc.process_id_val", setter: fld_set}]},
- "processing_time": 
{to:[{field: "rsa.time.process_time", setter: fld_set}]},
- "profile": {to:[{field: "rsa.identity.profile", setter: fld_set}]},
- "prog_asp_num": {to:[{field: "rsa.misc.prog_asp_num", setter: fld_set}]},
- "program": {to:[{field: "rsa.misc.program", setter: fld_set}]},
- "protocol_detail": {to:[{field: "rsa.network.protocol_detail", setter: fld_set}]},
- "pwwn": {to:[{field: "rsa.storage.pwwn", setter: fld_set}]},
- "r_hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
- "real_data": {to:[{field: "rsa.misc.real_data", setter: fld_set}]},
- "realm": {to:[{field: "rsa.identity.realm", setter: fld_set}]},
- "reason": {to:[{field: "rsa.misc.reason", setter: fld_set}]},
- "rec_asp_device": {to:[{field: "rsa.misc.rec_asp_device", setter: fld_set}]},
- "rec_asp_num": {to:[{field: "rsa.misc.rec_asp_num", setter: fld_set}]},
- "rec_library": {to:[{field: "rsa.misc.rec_library", setter: fld_set}]},
- "recorded_time": {convert: to_date, to:[{field: "rsa.time.recorded_time", setter: fld_set}]},
- "recordnum": {to:[{field: "rsa.misc.recordnum", setter: fld_set}]},
- "registry.key": {to:[{field: "rsa.endpoint.registry_key", setter: fld_set}]},
- "registry.value": {to:[{field: "rsa.endpoint.registry_value", setter: fld_set}]},
- "remote_domain": {to:[{field: "rsa.web.remote_domain", setter: fld_set}]},
- "remote_domain_id": {to:[{field: "rsa.network.remote_domain_id", setter: fld_set}]},
- "reputation_num": {convert: to_double, to:[{field: "rsa.web.reputation_num", setter: fld_set}]},
- "resource": {to:[{field: "rsa.internal.resource", setter: fld_set}]},
- "resource_class": {to:[{field: "rsa.internal.resource_class", setter: fld_set}]},
- "result": {to:[{field: "rsa.misc.result", setter: fld_set}]},
- "result_code": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 1}]},
- "resultcode": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 0}]},
- "rid": {convert: to_long, to:[{field: "rsa.internal.rid", setter: fld_set}]},
- "risk": 
{to:[{field: "rsa.misc.risk", setter: fld_set}]},
- "risk_info": {to:[{field: "rsa.misc.risk_info", setter: fld_set}]},
- "risk_num": {convert: to_double, to:[{field: "rsa.misc.risk_num", setter: fld_set}]},
- "risk_num_comm": {convert: to_double, to:[{field: "rsa.misc.risk_num_comm", setter: fld_set}]},
- "risk_num_next": {convert: to_double, to:[{field: "rsa.misc.risk_num_next", setter: fld_set}]},
- "risk_num_sand": {convert: to_double, to:[{field: "rsa.misc.risk_num_sand", setter: fld_set}]},
- "risk_num_static": {convert: to_double, to:[{field: "rsa.misc.risk_num_static", setter: fld_set}]},
- "risk_suspicious": {to:[{field: "rsa.misc.risk_suspicious", setter: fld_set}]},
- "risk_warning": {to:[{field: "rsa.misc.risk_warning", setter: fld_set}]},
- "rpayload": {to:[{field: "rsa.network.rpayload", setter: fld_set}]},
- "ruid": {to:[{field: "rsa.misc.ruid", setter: fld_set}]},
- "rule": {to:[{field: "rsa.misc.rule", setter: fld_set}]},
- "rule_group": {to:[{field: "rsa.misc.rule_group", setter: fld_set}]},
- "rule_template": {to:[{field: "rsa.misc.rule_template", setter: fld_set}]},
- "rule_uid": {to:[{field: "rsa.misc.rule_uid", setter: fld_set}]},
- "rulename": {to:[{field: "rsa.misc.rule_name", setter: fld_set}]},
- "s_certauth": {to:[{field: "rsa.crypto.s_certauth", setter: fld_set}]},
- "s_cipher": {to:[{field: "rsa.crypto.cipher_src", setter: fld_set}]},
- "s_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_src", setter: fld_set}]},
- "s_context": {to:[{field: "rsa.misc.context_subject", setter: fld_set}]},
- "s_sslver": {to:[{field: "rsa.crypto.ssl_ver_src", setter: fld_set}]},
- "sburb": {to:[{field: "rsa.misc.sburb", setter: fld_set}]},
- "scheme": {to:[{field: "rsa.crypto.scheme", setter: fld_set}]},
- "sdomain_fld": {to:[{field: "rsa.misc.sdomain_fld", setter: fld_set}]},
- "search.text": {to:[{field: "rsa.misc.search_text", setter: fld_set}]},
- "sec": {to:[{field: "rsa.misc.sec", setter: fld_set}]},
- "second": {to:[{field: 
"rsa.misc.second", setter: fld_set}]},
- "sensor": {to:[{field: "rsa.misc.sensor", setter: fld_set}]},
- "sensorname": {to:[{field: "rsa.misc.sensorname", setter: fld_set}]},
- "seqnum": {to:[{field: "rsa.misc.seqnum", setter: fld_set}]},
- "serial_number": {to:[{field: "rsa.misc.serial_number", setter: fld_set}]},
- "service.account": {to:[{field: "rsa.identity.service_account", setter: fld_set}]},
- "session": {to:[{field: "rsa.misc.session", setter: fld_set}]},
- "session.split": {to:[{field: "rsa.internal.session_split", setter: fld_set}]},
- "sessionid": {to:[{field: "rsa.misc.log_session_id", setter: fld_set}]},
- "sessionid1": {to:[{field: "rsa.misc.log_session_id1", setter: fld_set}]},
- "sessiontype": {to:[{field: "rsa.misc.sessiontype", setter: fld_set}]},
- "severity": {to:[{field: "rsa.misc.severity", setter: fld_set}]},
- "sid": {to:[{field: "rsa.identity.user_sid_dst", setter: fld_set}]},
- "sig.name": {to:[{field: "rsa.misc.sig_name", setter: fld_set}]},
- "sigUUID": {to:[{field: "rsa.misc.sigUUID", setter: fld_set}]},
- "sigcat": {to:[{field: "rsa.misc.sigcat", setter: fld_set}]},
- "sigid": {convert: to_long, to:[{field: "rsa.misc.sig_id", setter: fld_set}]},
- "sigid1": {convert: to_long, to:[{field: "rsa.misc.sig_id1", setter: fld_set}]},
- "sigid_string": {to:[{field: "rsa.misc.sig_id_str", setter: fld_set}]},
- "signame": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 1}]},
- "sigtype": {to:[{field: "rsa.crypto.sig_type", setter: fld_set}]},
- "sinterface": {to:[{field: "rsa.network.sinterface", setter: fld_set}]},
- "site": {to:[{field: "rsa.internal.site", setter: fld_set}]},
- "size": {convert: to_long, to:[{field: "rsa.internal.size", setter: fld_set}]},
- "smask": {to:[{field: "rsa.network.smask", setter: fld_set}]},
- "snmp.oid": {to:[{field: "rsa.misc.snmp_oid", setter: fld_set}]},
- "snmp.value": {to:[{field: "rsa.misc.snmp_value", setter: fld_set}]},
- "sourcefile": {to:[{field: "rsa.internal.sourcefile", setter: 
fld_set}]},
- "space": {to:[{field: "rsa.misc.space", setter: fld_set}]},
- "space1": {to:[{field: "rsa.misc.space1", setter: fld_set}]},
- "spi": {to:[{field: "rsa.misc.spi", setter: fld_set}]},
- "sql": {to:[{field: "rsa.misc.sql", setter: fld_set}]},
- "src_dn": {to:[{field: "rsa.identity.dn_src", setter: fld_set}]},
- "src_payload": {to:[{field: "rsa.misc.payload_src", setter: fld_set}]},
- "src_spi": {to:[{field: "rsa.misc.spi_src", setter: fld_set}]},
- "src_zone": {to:[{field: "rsa.network.zone_src", setter: fld_set}]},
- "srcburb": {to:[{field: "rsa.misc.srcburb", setter: fld_set}]},
- "srcdom": {to:[{field: "rsa.misc.srcdom", setter: fld_set}]},
- "srcservice": {to:[{field: "rsa.misc.srcservice", setter: fld_set}]},
- "ssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 0}]},
- "stamp": {convert: to_date, to:[{field: "rsa.time.stamp", setter: fld_set}]},
- "starttime": {convert: to_date, to:[{field: "rsa.time.starttime", setter: fld_set}]},
- "state": {to:[{field: "rsa.misc.state", setter: fld_set}]},
- "statement": {to:[{field: "rsa.internal.statement", setter: fld_set}]},
- "status": {to:[{field: "rsa.misc.status", setter: fld_set}]},
- "status1": {to:[{field: "rsa.misc.status1", setter: fld_set}]},
- "streams": {convert: to_long, to:[{field: "rsa.misc.streams", setter: fld_set}]},
- "subcategory": {to:[{field: "rsa.misc.subcategory", setter: fld_set}]},
- "subject": {to:[{field: "rsa.email.subject", setter: fld_set}]},
- "svcno": {to:[{field: "rsa.misc.svcno", setter: fld_set}]},
- "system": {to:[{field: "rsa.misc.system", setter: fld_set}]},
- "t_context": {to:[{field: "rsa.misc.context_target", setter: fld_set}]},
- "task_name": {to:[{field: "rsa.file.task_name", setter: fld_set}]},
- "tbdstr1": {to:[{field: "rsa.misc.tbdstr1", setter: fld_set}]},
- "tbdstr2": {to:[{field: "rsa.misc.tbdstr2", setter: fld_set}]},
- "tbl_name": {to:[{field: "rsa.db.table_name", setter: fld_set}]},
- "tcp_flags": {convert: to_long, to:[{field: 
"rsa.misc.tcp_flags", setter: fld_set}]},
- "terminal": {to:[{field: "rsa.misc.terminal", setter: fld_set}]},
- "tgtdom": {to:[{field: "rsa.misc.tgtdom", setter: fld_set}]},
- "tgtdomain": {to:[{field: "rsa.misc.tgtdomain", setter: fld_set}]},
- "threat_name": {to:[{field: "rsa.threat.threat_category", setter: fld_set}]},
- "threat_source": {to:[{field: "rsa.threat.threat_source", setter: fld_set}]},
- "threat_val": {to:[{field: "rsa.threat.threat_desc", setter: fld_set}]},
- "threshold": {to:[{field: "rsa.misc.threshold", setter: fld_set}]},
- "time": {convert: to_date, to:[{field: "rsa.internal.time", setter: fld_set}]},
- "timestamp": {to:[{field: "rsa.time.timestamp", setter: fld_set}]},
- "timezone": {to:[{field: "rsa.time.timezone", setter: fld_set}]},
- "to": {to:[{field: "rsa.email.email_dst", setter: fld_set}]},
- "tos": {convert: to_long, to:[{field: "rsa.misc.tos", setter: fld_set}]},
- "trans_from": {to:[{field: "rsa.email.trans_from", setter: fld_set}]},
- "trans_id": {to:[{field: "rsa.db.transact_id", setter: fld_set}]},
- "trans_to": {to:[{field: "rsa.email.trans_to", setter: fld_set}]},
- "trigger_desc": {to:[{field: "rsa.misc.trigger_desc", setter: fld_set}]},
- "trigger_val": {to:[{field: "rsa.misc.trigger_val", setter: fld_set}]},
- "type": {to:[{field: "rsa.misc.type", setter: fld_set}]},
- "type1": {to:[{field: "rsa.misc.type1", setter: fld_set}]},
- "tzone": {to:[{field: "rsa.time.tzone", setter: fld_set}]},
- "ubc.req": {convert: to_long, to:[{field: "rsa.internal.ubc_req", setter: fld_set}]},
- "ubc.res": {convert: to_long, to:[{field: "rsa.internal.ubc_res", setter: fld_set}]},
- "udb_class": {to:[{field: "rsa.misc.udb_class", setter: fld_set}]},
- "url_fld": {to:[{field: "rsa.misc.url_fld", setter: fld_set}]},
- "urlpage": {to:[{field: "rsa.web.urlpage", setter: fld_set}]},
- "urlroot": {to:[{field: "rsa.web.urlroot", setter: fld_set}]},
- "user_address": {to:[{field: "rsa.email.email", setter: fld_append}]},
- "user_dept": {to:[{field: 
"rsa.identity.user_dept", setter: fld_set}]},
- "user_div": {to:[{field: "rsa.misc.user_div", setter: fld_set}]},
- "user_fname": {to:[{field: "rsa.identity.firstname", setter: fld_set}]},
- "user_lname": {to:[{field: "rsa.identity.lastname", setter: fld_set}]},
- "user_mname": {to:[{field: "rsa.identity.middlename", setter: fld_set}]},
- "user_org": {to:[{field: "rsa.identity.org", setter: fld_set}]},
- "user_role": {to:[{field: "rsa.identity.user_role", setter: fld_set}]},
- "userid": {to:[{field: "rsa.misc.userid", setter: fld_set}]},
- "username_fld": {to:[{field: "rsa.misc.username_fld", setter: fld_set}]},
- "utcstamp": {to:[{field: "rsa.misc.utcstamp", setter: fld_set}]},
- "v_instafname": {to:[{field: "rsa.misc.v_instafname", setter: fld_set}]},
- "vendor_event_cat": {to:[{field: "rsa.investigations.event_vcat", setter: fld_set}]},
- "version": {to:[{field: "rsa.misc.version", setter: fld_set}]},
- "vid": {to:[{field: "rsa.internal.msg_vid", setter: fld_set}]},
- "virt_data": {to:[{field: "rsa.misc.virt_data", setter: fld_set}]},
- "virusname": {to:[{field: "rsa.misc.virusname", setter: fld_set}]},
- "vlan": {convert: to_long, to:[{field: "rsa.network.vlan", setter: fld_set}]},
- "vlan.name": {to:[{field: "rsa.network.vlan_name", setter: fld_set}]},
- "vm_target": {to:[{field: "rsa.misc.vm_target", setter: fld_set}]},
- "vpnid": {to:[{field: "rsa.misc.vpnid", setter: fld_set}]},
- "vsys": {to:[{field: "rsa.misc.vsys", setter: fld_set}]},
- "vuln_ref": {to:[{field: "rsa.misc.vuln_ref", setter: fld_set}]},
- "web_cookie": {to:[{field: "rsa.web.web_cookie", setter: fld_set}]},
- "web_extension_tmp": {to:[{field: "rsa.web.web_extension_tmp", setter: fld_set}]},
- "web_host": {to:[{field: "rsa.web.alias_host", setter: fld_set}]},
- "web_method": {to:[{field: "rsa.misc.action", setter: fld_append}]},
- "web_page": {to:[{field: "rsa.web.web_page", setter: fld_set}]},
- "web_ref_domain": {to:[{field: "rsa.web.web_ref_domain", setter: fld_set}]},
- "web_ref_host": 
{to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "web_ref_page": {to:[{field: "rsa.web.web_ref_page", setter: fld_set}]}, - "web_ref_query": {to:[{field: "rsa.web.web_ref_query", setter: fld_set}]}, - "web_ref_root": {to:[{field: "rsa.web.web_ref_root", setter: fld_set}]}, - "wifi_channel": {convert: to_long, to:[{field: "rsa.wireless.wlan_channel", setter: fld_set}]}, - "wlan": {to:[{field: "rsa.wireless.wlan_name", setter: fld_set}]}, - "word": {to:[{field: "rsa.internal.word", setter: fld_set}]}, - "workspace_desc": {to:[{field: "rsa.misc.workspace", setter: fld_set}]}, - "workstation": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "year": {to:[{field: "rsa.time.year", setter: fld_set}]}, - "zone": {to:[{field: "rsa.network.zone", setter: fld_set}]}, - }; - - function to_date(value) { - switch (typeof (value)) { - case "object": - // This is a Date. But as it was obtained from evt.Get(), the VM - // doesn't see it as a JS Date anymore, thus value instanceof Date === false. - // Have to trust that any object here is a valid Date for Go. - return value; - case "string": - var asDate = new Date(value); - if (!isNaN(asDate)) return asDate; - } - } - - // ECMAScript 5.1 doesn't have Object.MAX_SAFE_INTEGER / Object.MIN_SAFE_INTEGER. - var maxSafeInt = Math.pow(2, 53) - 1; - var minSafeInt = -maxSafeInt; - - function to_long(value) { - var num = parseInt(value); - // Better not to index a number if it's not safe (above 53 bits). - return !isNaN(num) && minSafeInt <= num && num <= maxSafeInt ? 
num : undefined; - } - - function to_ip(value) { - if (value.indexOf(":") === -1) - return to_ipv4(value); - return to_ipv6(value); - } - - var ipv4_regex = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/; - var ipv6_hex_regex = /^[0-9A-Fa-f]{1,4}$/; - - function to_ipv4(value) { - var result = ipv4_regex.exec(value); - if (result == null || result.length !== 5) return; - for (var i = 1; i < 5; i++) { - var num = strictToInt(result[i]); - if (isNaN(num) || num < 0 || num > 255) return; - } - return value; - } - - function to_ipv6(value) { - var sqEnd = value.indexOf("]"); - if (sqEnd > -1) { - if (value.charAt(0) !== "[") return; - value = value.substr(1, sqEnd - 1); - } - var zoneOffset = value.indexOf("%"); - if (zoneOffset > -1) { - value = value.substr(0, zoneOffset); - } - var parts = value.split(":"); - if (parts == null || parts.length < 3 || parts.length > 8) return; - var numEmpty = 0; - var innerEmpty = 0; - for (var i = 0; i < parts.length; i++) { - if (parts[i].length === 0) { - numEmpty++; - if (i > 0 && i + 1 < parts.length) innerEmpty++; - } else if (!parts[i].match(ipv6_hex_regex) && - // Accept an IPv6 with a valid IPv4 at the end. - ((i + 1 < parts.length) || !to_ipv4(parts[i]))) { - return; - } - } - return innerEmpty === 0 && parts.length === 8 || innerEmpty === 1 ? value : undefined; - } - - function to_double(value) { - return parseFloat(value); - } - - function to_mac(value) { - // ES doesn't have a mac datatype so it's safe to ingest whatever was captured. - return value; - } - - function to_lowercase(value) { - // to_lowercase is used against keyword fields, which can accept - // any other type (numbers, dates). - return typeof(value) === "string"? 
value.toLowerCase() : value; - } - - function fld_set(dst, value) { - dst[this.field] = { v: value }; - } - - function fld_append(dst, value) { - if (dst[this.field] === undefined) { - dst[this.field] = { v: [value] }; - } else { - var base = dst[this.field]; - if (base.v.indexOf(value)===-1) base.v.push(value); - } - } - - function fld_prio(dst, value) { - if (dst[this.field] === undefined) { - dst[this.field] = { v: value, prio: this.prio}; - } else if(this.prio < dst[this.field].prio) { - dst[this.field].v = value; - dst[this.field].prio = this.prio; - } - } - - var valid_ecs_outcome = { - 'failure': true, - 'success': true, - 'unknown': true - }; - - function fld_ecs_outcome(dst, value) { - value = value.toLowerCase(); - if (valid_ecs_outcome[value] === undefined) { - value = 'unknown'; - } - if (dst[this.field] === undefined) { - dst[this.field] = { v: value }; - } else if (dst[this.field].v === 'unknown') { - dst[this.field] = { v: value }; - } - } - - function map_all(evt, targets, value) { - for (var i = 0; i < targets.length; i++) { - evt.Put(targets[i], value); - } - } - - function populate_fields(evt) { - var base = evt.Get(FIELDS_OBJECT); - if (base === null) return; - alternate_datetime(evt); - if (map_ecs) { - do_populate(evt, base, ecs_mappings); - } - if (map_rsa) { - do_populate(evt, base, rsa_mappings); - } - if (keep_raw) { - evt.Put("rsa.raw", base); - } - evt.Delete(FIELDS_OBJECT); - } - - var datetime_alt_components = [ - {field: "day", fmts: [[dF]]}, - {field: "year", fmts: [[dW]]}, - {field: "month", fmts: [[dB],[dG]]}, - {field: "date", fmts: [[dW,dSkip,dG,dSkip,dF],[dW,dSkip,dB,dSkip,dF],[dW,dSkip,dR,dSkip,dF]]}, - {field: "hour", fmts: [[dN]]}, - {field: "min", fmts: [[dU]]}, - {field: "secs", fmts: [[dO]]}, - {field: "time", fmts: [[dN, dSkip, dU, dSkip, dO]]}, - ]; - - function alternate_datetime(evt) { - if (evt.Get(FIELDS_PREFIX + "event_time") != null) { - return; - } - var tzOffset = tz_offset; - if (tzOffset === "event") { - 
tzOffset = evt.Get("event.timezone"); - } - var container = new DateContainer(tzOffset); - for (var i=0; i} time=%{htime->} devname=%{hdevice->} device_id=%{hfld1->} log_id=%{id->} type=%{hfld2->} subtype=%{hfld3->} pri=%{hseverity->} %{payload}", processor_chain([ - setc("header_id","0001"), - call({ - dest: "nwparser.messageid", - fn: STRCAT, - args: [ - field("hfld2"), - constant("_fortinetmgr"), - ], - }), - ])); - - var hdr2 = match("HEADER#1:0002", "message", "logver=%{hfld1->} date=%{hdate->} time=%{htime->} log_id=%{id->} %{payload}", processor_chain([ - setc("header_id","0002"), - dup1, - ])); - - var hdr3 = match("HEADER#2:0003", "message", "date=%{hdate->} time=%{htime->} logver=%{fld1->} %{payload}", processor_chain([ - setc("header_id","0003"), - dup1, - ])); - - var hdr4 = match("HEADER#3:0004", "message", "logver=%{hfld1->} dtime=%{hdatetime->} devid=%{hfld2->} devname=%{hdevice->} %{payload}", processor_chain([ - setc("header_id","0004"), - dup2, - ])); - - var hdr5 = match("HEADER#4:0005", "message", "logver=%{hfld1->} devname=\"%{hdevice}\" devid=\"%{hfld2}\" %{payload}", processor_chain([ - setc("header_id","0005"), - dup2, - ])); - - var select1 = linear_select([ - hdr1, - hdr2, - hdr3, - hdr4, - hdr5, - ]); - - var part1 = match("MESSAGE#0:fortinetmgr:01", "nwparser.payload", "user=%{fld1->} adom=%{domain->} user=%{username->} ui=%{fld2->} action=%{action->} status=%{event_state->} msg=\"%{event_description}\"", processor_chain([ - dup3, - dup4, - dup5, - dup6, - dup7, - dup8, - dup9, - dup10, - ])); - - var msg1 = msg("fortinetmgr:01", part1); - - var part2 = match("MESSAGE#1:fortinetmgr", "nwparser.payload", "user=%{username->} adom=%{domain->} msg=\"%{event_description}\"", processor_chain([ - dup3, - dup4, - dup5, - dup6, - dup7, - dup8, - dup9, - dup10, - ])); - - var msg2 = msg("fortinetmgr", part2); - - var part3 = match("MESSAGE#2:fortinetmgr:04/0", "nwparser.payload", "user=\"%{username}\" userfrom=%{fld7->} msg=\"%{p0}"); - - var 
part4 = match("MESSAGE#2:fortinetmgr:04/1_0", "nwparser.p0", "User%{p0}"); - - var part5 = match("MESSAGE#2:fortinetmgr:04/1_1", "nwparser.p0", "user%{p0}"); - - var select2 = linear_select([ - part4, - part5, - ]); - - var part6 = match("MESSAGE#2:fortinetmgr:04/2", "nwparser.p0", "%{}'%{fld3}' with profile '%{fld4}' %{fld5->} from %{fld6}(%{hostip})%{p0}"); - - var part7 = match("MESSAGE#2:fortinetmgr:04/3_0", "nwparser.p0", ".\"%{p0}"); - - var part8 = match("MESSAGE#2:fortinetmgr:04/3_1", "nwparser.p0", "\"%{p0}"); - - var select3 = linear_select([ - part7, - part8, - ]); - - var part9 = match("MESSAGE#2:fortinetmgr:04/4", "nwparser.p0", "%{}adminprof=%{p0}"); - - var part10 = match("MESSAGE#2:fortinetmgr:04/5_0", "nwparser.p0", "%{fld2->} sid=%{sid->} user_type=\"%{profile}\""); - - var part11 = match_copy("MESSAGE#2:fortinetmgr:04/5_1", "nwparser.p0", "fld2"); - - var select4 = linear_select([ - part10, - part11, - ]); - - var all1 = all_match({ - processors: [ - part3, - select2, - part6, - select3, - part9, - select4, - ], - on_success: processor_chain([ - dup11, - dup4, - lookup({ - dest: "nwparser.event_cat", - map: map_getEventLegacyCategory, - key: field("fld5"), - }), - dup22, - dup5, - dup6, - dup7, - dup8, - dup9, - dup10, - ]), - }); - - var msg3 = msg("fortinetmgr:04", all1); - - var part12 = match("MESSAGE#3:fortinetmgr:02", "nwparser.payload", "user=%{username->} userfrom=%{fld4->} msg=\"%{event_description}\" adminprof=%{fld2}", processor_chain([ - dup3, - dup4, - dup5, - dup6, - dup7, - dup8, - dup9, - dup10, - ])); - - var msg4 = msg("fortinetmgr:02", part12); - - var part13 = match("MESSAGE#4:fortinetmgr:03", "nwparser.payload", "user=\"%{username}\" msg=\"Login from ssh:%{fld1->} for %{fld2->} from %{saddr->} port %{sport}\" remote_ip=\"%{daddr}\" remote_port=%{dport->} valid=%{fld3->} authmsg=\"%{result}\" extrainfo=%{fld5}", processor_chain([ - dup11, - dup4, - dup5, - dup6, - dup7, - dup8, - dup9, - dup10, - lookup({ - dest: 
"nwparser.event_cat", - map: map_getEventLegacyCategory, - key: field("result"), - }), - dup22, - ])); - - var msg5 = msg("fortinetmgr:03", part13); - - var part14 = match("MESSAGE#5:fortinetmgr:05/0", "nwparser.payload", "user=\"%{username}\" userfrom=\"%{fld1}\"msg=\"%{p0}"); - - var part15 = match("MESSAGE#5:fortinetmgr:05/1_0", "nwparser.p0", "dev=%{fld2},vdom=%{fld3},type=%{fld4},key=%{fld5},act=%{action},pkgname=%{fld7},allowaccess=%{fld8}\"%{p0}"); - - var part16 = match("MESSAGE#5:fortinetmgr:05/1_1", "nwparser.p0", "%{event_description}\"%{p0}"); - - var select5 = linear_select([ - part15, - part16, - ]); - - var part17 = match("MESSAGE#5:fortinetmgr:05/2", "nwparser.p0", "%{domain}\" adom=\""); - - var all2 = all_match({ - processors: [ - part14, - select5, - part17, - ], - on_success: processor_chain([ - dup13, - dup4, - dup5, - dup6, - dup7, - dup8, - dup9, - dup10, - ]), - }); - - var msg6 = msg("fortinetmgr:05", all2); - - var part18 = tagval("MESSAGE#6:event_fortinetmgr_tvm", "nwparser.payload", tvm, { - "action": "action", - "adom": "domain", - "desc": "event_description", - "msg": "info", - "session_id": "sessionid", - "user": "username", - "userfrom": "fld1", - }, processor_chain([ - dup11, - dup4, - dup5, - dup6, - dup7, - setf("event_type","hfld2"), - dup9, - dup10, - ])); - - var msg7 = msg("event_fortinetmgr_tvm", part18); - - var select6 = linear_select([ - msg1, - msg2, - msg3, - msg4, - msg5, - msg6, - msg7, - ]); - - var part19 = tagval("MESSAGE#7:generic_fortinetmgr", "nwparser.payload", tvm, { - "action": "action", - "adminprof": "fld13", - "cat": "fcatnum", - "catdesc": "filter", - "cipher_suite": "fld24", - "content_switch_name": "fld15", - "craction": "fld9", - "crlevel": "fld10", - "crscore": "reputation_num", - "dev_id": "fld100", - "device_id": "hardware_id", - "devid": "hardware_id", - "devname": "event_source", - "devtype": "fld7", - "direction": "direction", - "dst": "daddr", - "dst_port": "dport", - "dstintf": "dinterface", - 
"dstip": "daddr", - "dstport": "dport", - "duration": "duration", - "eventtype": "vendor_event_cat", - "false_positive_mitigation": "fld17", - "ftp_cmd": "fld23", - "ftp_mode": "fld22", - "history_threat_weight": "fld21", - "hostname": "hostname", - "http_agent": "agent", - "http_host": "web_ref_domain", - "http_method": "web_method", - "http_refer": "web_referer", - "http_session_id": "sessionid", - "http_url": "web_query", - "http_version": "fld19", - "level": "severity", - "log_id": "id", - "logid": "id", - "main_type": "fld37", - "mastersrcmac": "fld8", - "method": "fld12", - "monitor_status": "fld18", - "msg": "event_description", - "msg_id": "fld25", - "osname": "os", - "osversion": "version", - "policy": "policyname", - "policyid": "policy_id", - "poluuid": "fld5", - "pri": "severity", - "profile": "rulename", - "proto": "fld6", - "rcvdbyte": "rbytes", - "reqtype": "fld11", - "sentbyte": "sbytes", - "server_pool_name": "fld16", - "service": "network_service", - "sessionid": "sessionid", - "severity_level": "fld101", - "signature_id": "sigid", - "signature_subclass": "fld14", - "src": "saddr", - "src_port": "sport", - "srccountry": "location_src", - "srcintf": "sinterface", - "srcip": "saddr", - "srcmac": "smacaddr", - "srcport": "sport", - "sub_type": "category", - "subtype": "category", - "threat_level": "threat_val", - "threat_weight": "fld20", - "timezone": "timezone", - "trandisp": "context", - "trigger_policy": "fld39", - "type": "event_type", - "url": "url", - "user": "username", - "user_name": "username", - "userfrom": "fld30", - "vd": "vsys", - }, processor_chain([ - dup13, - dup4, - dup5, - dup14, - dup23, - ])); - - var msg8 = msg("generic_fortinetmgr", part19); - - var part20 = tagval("MESSAGE#8:generic_fortinetmgr_1", "nwparser.payload", tvm, { - "action": "action", - "app": "obj_name", - "appcat": "fld33", - "craction": "fld9", - "crlevel": "fld10", - "crscore": "reputation_num", - "date": "fld1", - "dstcountry": "location_dst", - "dstintf": 
"dinterface", - "dstintfrole": "fld31", - "dstip": "daddr", - "dstport": "dport", - "duration": "duration", - "eventtime": "event_time_string", - "level": "severity", - "logid": "id", - "logtime": "fld35", - "policyid": "policy_id", - "policytype": "fld34", - "poluuid": "fld5", - "proto": "fld6", - "rcvdbyte": "rbytes", - "sentbyte": "sbytes", - "sentpkt": "fld15", - "service": "network_service", - "sessionid": "sessionid", - "srccountry": "location_src", - "srcintf": "sinterface", - "srcintfrole": "fld30", - "srcip": "saddr", - "srcport": "sport", - "subtype": "category", - "time": "fld2", - "trandisp": "context", - "tranip": "dtransaddr", - "tranport": "dtransport", - "type": "event_type", - "vd": "vsys", - }, processor_chain([ - dup13, - dup4, - date_time({ - dest: "event_time", - args: ["fld1","fld2"], - fmts: [ - [dW,dc("-"),dG,dc("-"),dF,dN,dc(":"),dU,dc(":"),dO], - ], - }), - dup6, - setf("hardware_id","hfld2"), - dup14, - dup23, - ])); - - var msg9 = msg("generic_fortinetmgr_1", part20); - - var chain1 = processor_chain([ - select1, - msgid_select({ - "event_fortinetmgr": select6, - "generic_fortinetmgr": msg8, - "generic_fortinetmgr_1": msg9, - }), - ]); - -- community_id: -- registered_domain: - ignore_missing: true - ignore_failure: true - field: dns.question.name - target_field: dns.question.registered_domain - target_subdomain_field: dns.question.subdomain - target_etld_field: dns.question.top_level_domain -- registered_domain: - ignore_missing: true - ignore_failure: true - field: client.domain - target_field: client.registered_domain - target_subdomain_field: client.subdomain - target_etld_field: client.top_level_domain -- registered_domain: - ignore_missing: true - ignore_failure: true - field: server.domain - target_field: server.registered_domain - target_subdomain_field: server.subdomain - target_etld_field: server.top_level_domain -- registered_domain: - ignore_missing: true - ignore_failure: true - field: destination.domain - target_field: 
destination.registered_domain - target_subdomain_field: destination.subdomain - target_etld_field: destination.top_level_domain -- registered_domain: - ignore_missing: true - ignore_failure: true - field: source.domain - target_field: source.registered_domain - target_subdomain_field: source.subdomain - target_etld_field: source.top_level_domain -- registered_domain: - ignore_missing: true - ignore_failure: true - field: url.domain - target_field: url.registered_domain - target_subdomain_field: url.subdomain - target_etld_field: url.top_level_domain -- add_locale: ~ diff --git a/packages/fortinet_fortimanager/1.1.2/data_stream/log/elasticsearch/ingest_pipeline/default.yml b/packages/fortinet_fortimanager/1.1.2/data_stream/log/elasticsearch/ingest_pipeline/default.yml deleted file mode 100755 index a24b95d589..0000000000 --- a/packages/fortinet_fortimanager/1.1.2/data_stream/log/elasticsearch/ingest_pipeline/default.yml +++ /dev/null 
@@ -1,117 +0,0 @@ ---- -description: Pipeline for Fortinet Manager/Analyzer -processors: - - set: - field: ecs.version - value: '8.3.0' - - set: - field: observer.vendor - value: Fortinet - - set: - field: observer.product - value: FortiManager - - set: - field: observer.type - value: configuration - # User agent - - user_agent: - field: user_agent.original - ignore_missing: true - # URL - - uri_parts: - field: url.original - target_field: _temp_.url - ignore_failure: true - if: ctx?.url?.original != null - - script: - lang: painless - description: Updates the URL ECS fields from the results of the URI parts processor to not overwrite the RSA mappings - if: ctx?._temp_?.url != null - source: | - for (entry in ctx._temp_.url.entrySet()) { - if (entry != null && entry.getValue() != null) { - if(ctx.url[entry.getKey()] == null) { - ctx.url[entry.getKey()] = entry.getValue(); - } else if (!ctx.url[entry.getKey()].contains(entry.getValue())) { - ctx.url[entry.getKey()] = [ctx.url[entry.getKey()]]; - ctx.url[entry.getKey()].add(entry.getValue()); - } - } - } - - remove: - field: _temp_ - ignore_missing: true - # IP Geolocation Lookup - - geoip: - field: source.ip - target_field: source.geo - ignore_missing: true - - geoip: - field: destination.ip - target_field: destination.geo - ignore_missing: true - - # IP Autonomous System (AS) Lookup - - geoip: - database_file: GeoLite2-ASN.mmdb - field: source.ip - target_field: source.as - properties: - - asn - - organization_name - ignore_missing: true - - geoip: - database_file: GeoLite2-ASN.mmdb - field: destination.ip - target_field: destination.as - properties: - - asn - - organization_name - ignore_missing: true - - rename: - field: source.as.asn - target_field: source.as.number - ignore_missing: true - - rename: - field: source.as.organization_name - target_field: source.as.organization.name - ignore_missing: true - - rename: - field: destination.as.asn - target_field: destination.as.number - ignore_missing: true - - 
rename: - field: destination.as.organization_name - target_field: destination.as.organization.name - ignore_missing: true -# Ensure source.mac and destination.mac are formatted to ECS specifications. - - gsub: - field: destination.mac - ignore_missing: true - pattern: '[:.]' - replacement: '-' - - gsub: - field: source.mac - ignore_missing: true - pattern: '[:.]' - replacement: '-' - - uppercase: - field: destination.mac - ignore_missing: true - - uppercase: - field: source.mac - ignore_missing: true - - append: - field: related.hosts - value: '{{host.name}}' - allow_duplicates: false - if: ctx.host?.name != null && ctx.host?.name != '' - - remove: - field: event.original - if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" - ignore_failure: true - ignore_missing: true -on_failure: - - append: - field: error.message - value: "{{ _ingest.on_failure_message }}" diff --git a/packages/fortinet_fortimanager/1.1.2/data_stream/log/fields/agent.yml b/packages/fortinet_fortimanager/1.1.2/data_stream/log/fields/agent.yml deleted file mode 100755 index 38bb8dcec5..0000000000 --- a/packages/fortinet_fortimanager/1.1.2/data_stream/log/fields/agent.yml +++ /dev/null 
@@ -1,175 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). 
- example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - diff --git a/packages/fortinet_fortimanager/1.1.2/data_stream/log/fields/base-fields.yml b/packages/fortinet_fortimanager/1.1.2/data_stream/log/fields/base-fields.yml deleted file mode 100755 index 9c4bf744d1..0000000000 --- a/packages/fortinet_fortimanager/1.1.2/data_stream/log/fields/base-fields.yml +++ /dev/null 
@@ -1,43 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: event.module - type: constant_keyword - description: Event module - value: fortinet -- name: event.dataset - type: constant_keyword - description: Event dataset - value: fortinet_fortimanager.log -- name: container.id - description: Unique container id. - ignore_above: 1024 - type: keyword -- name: input.type - description: Type of Filebeat input. - type: keyword -- name: log.file.path - description: Full path to the log file this event came from. - example: /var/log/fun-times.log - ignore_above: 1024 - type: keyword -- name: log.source.address - description: Source address from which the log event was read / sent from. - type: keyword -- name: log.flags - description: Flags for the log file. - type: keyword -- name: log.offset - description: Offset of the entry in the log file. - type: long -- name: tags - description: List of keywords used to tag each event. - example: '["production", "env2"]' - ignore_above: 1024 - type: keyword diff --git a/packages/fortinet_fortimanager/1.1.2/data_stream/log/fields/ecs.yml b/packages/fortinet_fortimanager/1.1.2/data_stream/log/fields/ecs.yml deleted file mode 100755 index cb322fbe1d..0000000000 --- a/packages/fortinet_fortimanager/1.1.2/data_stream/log/fields/ecs.yml +++ /dev/null 
@@ -1,573 +0,0 @@ -- description: |- - Date/time when the event originated. - This is the date/time extracted from the event, typically representing when the event was generated by the source. - If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. - Required field for all events. - name: '@timestamp' - type: date -- description: |- - The domain name of the client system. - This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. - name: client.domain - type: keyword -- description: |- - The highest registered client domain, stripped of the subdomain. - For example, the registered domain for "foo.example.com" is "example.com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". - name: client.registered_domain - type: keyword -- description: |- - The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. - For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. - name: client.subdomain - type: keyword -- description: |- - The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). 
Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". - name: client.top_level_domain - type: keyword -- description: |- - Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: destination.address - type: keyword -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: destination.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: destination.as.organization.name - type: keyword -- description: Bytes sent from the destination to the source. - name: destination.bytes - type: long -- description: |- - The domain name of the destination system. - This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. - name: destination.domain - type: keyword -- description: City name. - name: destination.geo.city_name - type: keyword -- description: Country name. - name: destination.geo.country_name - type: keyword -- description: Longitude and latitude. - name: destination.geo.location - type: geo_point -- description: IP address of the destination (IPv4 or IPv6). - name: destination.ip - type: ip -- description: |- - MAC address of the destination. - The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. 
- name: destination.mac - pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ - type: keyword -- description: |- - Translated ip of destination based NAT sessions (e.g. internet to private DMZ) - Typically used with load balancers, firewalls, or routers. - name: destination.nat.ip - type: ip -- description: |- - Port the source session is translated to by NAT Device. - Typically used with load balancers, firewalls, or routers. - name: destination.nat.port - type: long -- description: Port of the destination. - name: destination.port - type: long -- description: |- - The highest registered destination domain, stripped of the subdomain. - For example, the registered domain for "foo.example.com" is "example.com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". - name: destination.registered_domain - type: keyword -- description: |- - The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. - For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. - name: destination.subdomain - type: keyword -- description: |- - The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". 
- name: destination.top_level_domain - type: keyword -- description: |- - The domain name to which this resource record pertains. - If a chain of CNAME is being resolved, each answer's `name` should be the one that corresponds with the answer's `data`. It should not simply be the original `question.name` repeated. - name: dns.answers.name - type: keyword -- description: The type of data contained in this resource record. - name: dns.answers.type - type: keyword -- description: |- - The highest registered domain, stripped of the subdomain. - For example, the registered domain for "foo.example.com" is "example.com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". - name: dns.question.registered_domain - type: keyword -- description: |- - The subdomain is all of the labels under the registered_domain. - If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. - name: dns.question.subdomain - type: keyword -- description: |- - The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". - name: dns.question.top_level_domain - type: keyword -- description: The type of record being queried. - name: dns.question.type - type: keyword -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. 
- When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: Error message. - name: error.message - type: match_only_text -- description: |- - The action captured by the event. - This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. - name: event.action - type: keyword -- description: |- - Identification code for this event, if one exists. - Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. - name: event.code - type: keyword -- description: |- - Timestamp when an event arrived in the central data store. - This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. - In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. - name: event.ingested - type: date -- description: |- - Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. - This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. - doc_values: false - index: false - name: event.original - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. 
- `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. - Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. - Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. - Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. - name: event.outcome - type: keyword -- description: |- - This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. - Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). - name: event.timezone - type: keyword -- description: |- - Array of file attributes. - Attributes names will vary by platform. Here's a non-exhaustive list of values that are expected in this field: archive, compressed, directory, encrypted, execute, hidden, read, readonly, system, write. - name: file.attributes - normalize: - - array - type: keyword -- description: Directory where the file is located. It should include the drive letter, when appropriate. - name: file.directory - type: keyword -- description: |- - File extension, excluding the leading dot. - Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). - name: file.extension - type: keyword -- description: Name of the file including the extension, without the directory. 
- name: file.name - type: keyword -- description: Full path to the file, including the file name. It should include the drive letter, when appropriate. - multi_fields: - - name: text - type: match_only_text - name: file.path - type: keyword -- description: |- - File size in bytes. - Only relevant when `file.type` is "file". - name: file.size - type: long -- description: File type (file, dir, or symlink). - name: file.type - type: keyword -- description: City name. - name: geo.city_name - type: keyword -- description: Country name. - name: geo.country_name - type: keyword -- description: |- - User-defined description of a location, at the level of granularity they care about. - Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. - Not typically used in automated geolocation. - name: geo.name - type: keyword -- description: Region name. - name: geo.region_name - type: keyword -- description: Unique identifier for the group on the system/platform. - name: group.id - type: keyword -- description: Name of the group. - name: group.name - type: keyword -- description: |- - Hostname of the host. - It normally contains what the `hostname` command returns on the host machine. - name: host.hostname - type: keyword -- description: Host ip addresses. - name: host.ip - normalize: - - array - type: ip -- description: |- - Host MAC addresses. - The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. - name: host.mac - normalize: - - array - pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ - type: keyword -- description: |- - Name of the host. - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. 
- name: host.name - type: keyword -- description: |- - HTTP request method. - The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field. - name: http.request.method - type: keyword -- description: Referrer for this HTTP request. - name: http.request.referrer - type: keyword -- description: |- - Original log level of the log event. - If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). - Some examples are `warn`, `err`, `i`, `informational`. - name: log.level - type: keyword -- description: |- - The Syslog numeric facility of the log event, if available. - According to RFCs 5424 and 3164, this value should be an integer between 0 and 23. - name: log.syslog.facility.code - type: long -- description: |- - Syslog numeric priority of the event, if available. - According to RFCs 5424 and 3164, the priority is 8 * facility + severity. This number is therefore expected to contain a value between 0 and 191. - name: log.syslog.priority - type: long -- description: |- - The Syslog numeric severity of the log event, if available. - If the event source publishing via Syslog provides a different numeric severity value (e.g. firewall, IDS), your source's numeric severity should go to `event.severity`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `event.severity`. - name: log.syslog.severity.code - type: long -- description: |- - For log events the message field contains the log message, optimized for viewing in a log viewer. - For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. - If multiple messages exist, they can be combined into one message. 
- name: message - type: match_only_text -- description: |- - When a specific application or service is identified from network connection details (source/dest IPs, ports, certificates, or wire format), this field captures the application's or service's name. - For example, the original event identifies the network connection being from a specific web service in a `https` network connection, like `facebook` or `twitter`. - The field value must be normalized to lowercase for querying. - name: network.application - type: keyword -- description: |- - Total bytes transferred in both directions. - If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. - name: network.bytes - type: long -- description: |- - Direction of the network traffic. - Recommended values are: - * ingress - * egress - * inbound - * outbound - * internal - * external - * unknown - - When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". - When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". - Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. - name: network.direction - type: keyword -- description: Host IP address when the source IP address is the proxy. - name: network.forwarded_ip - type: ip -- description: |- - Total packets transferred in both directions. - If `source.packets` and `destination.packets` are known, `network.packets` is their sum. - name: network.packets - type: long -- description: |- - In the OSI Model this would be the Application Layer protocol. 
For example, `http`, `dns`, or `ssh`. - The field value must be normalized to lowercase for querying. - name: network.protocol - type: keyword -- description: Interface name as reported by the system. - name: observer.egress.interface.name - type: keyword -- description: Interface name as reported by the system. - name: observer.ingress.interface.name - type: keyword -- description: The product name of the observer. - name: observer.product - type: keyword -- description: |- - The type of the observer the data is coming from. - There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. - name: observer.type - type: keyword -- description: Vendor name of the observer. - name: observer.vendor - type: keyword -- description: Observer version. - name: observer.version - type: keyword -- description: |- - Process name. - Sometimes called program name or similar. - multi_fields: - - name: text - type: match_only_text - name: process.name - type: keyword -- description: |- - Process name. - Sometimes called program name or similar. - multi_fields: - - name: text - type: match_only_text - name: process.parent.name - type: keyword -- description: |- - Process title. - The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. - multi_fields: - - name: text - type: match_only_text - name: process.parent.title - type: keyword -- description: Process id. - name: process.pid - type: long -- description: Process id. - name: process.parent.pid - type: long -- description: |- - Process title. - The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. - multi_fields: - - name: text - type: match_only_text - name: process.title - type: keyword -- description: All hostnames or other host identifiers seen on your event. 
Example identifiers include FQDNs, domain names, workstation names, or aliases. - name: related.hosts - normalize: - - array - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - normalize: - - array - type: ip -- description: All the user names or other user identifiers seen on the event. - name: related.user - normalize: - - array - type: keyword -- description: The name of the rule or signature generating the event. - name: rule.name - type: keyword -- description: |- - The domain name of the server system. - This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. - name: server.domain - type: keyword -- description: |- - The highest registered server domain, stripped of the subdomain. - For example, the registered domain for "foo.example.com" is "example.com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". - name: server.registered_domain - type: keyword -- description: |- - The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. - For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. - name: server.subdomain - type: keyword -- description: |- - The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". 
- This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". - name: server.top_level_domain - type: keyword -- description: |- - Name of the service data is collected from. - The name of the service is normally user given. This allows for distributed services that run on multiple hosts to correlate the related instances based on the name. - In the case of Elasticsearch the `service.name` could contain the cluster name. For Beats the `service.name` is by default a copy of the `service.type` field if no name is specified. - name: service.name - type: keyword -- description: |- - Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: source.address - type: keyword -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: source.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: source.as.organization.name - type: keyword -- description: Bytes sent from the source to the destination. - name: source.bytes - type: long -- description: |- - The domain name of the source system. - This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. - name: source.domain - type: keyword -- description: City name. - name: source.geo.city_name - type: keyword -- description: Country name. - name: source.geo.country_name - type: keyword -- description: Longitude and latitude. 
- name: source.geo.location - type: geo_point -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: |- - MAC address of the source. - The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. - name: source.mac - pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ - type: keyword -- description: |- - Translated ip of source based NAT sessions (e.g. internal client to internet) - Typically connections traversing load balancers, firewalls, or routers. - name: source.nat.ip - type: ip -- description: |- - Translated port of source based NAT sessions. (e.g. internal client to internet) - Typically used with load balancers, firewalls, or routers. - name: source.nat.port - type: long -- description: Port of the source. - name: source.port - type: long -- description: |- - The highest registered source domain, stripped of the subdomain. - For example, the registered domain for "foo.example.com" is "example.com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". - name: source.registered_domain - type: keyword -- description: |- - The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. - For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. 
- name: source.subdomain - type: keyword -- description: |- - The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". - name: source.top_level_domain - type: keyword -- description: List of keywords used to tag each event. - name: tags - normalize: - - array - type: keyword -- description: |- - Domain of the url, such as "www.elastic.co". - In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. - If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. - name: url.domain - type: keyword -- description: |- - The field contains the file extension from the original request url, excluding the leading dot. - The file extension is only set if it exists, as not every url has a file extension. - The leading period must not be included. For example, the value must be "png", not ".png". - Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). - name: url.extension - type: keyword -- description: |- - Portion of the url after the `#`, such as "top". - The `#` is not part of the fragment. - name: url.fragment - type: keyword -- description: |- - Unmodified original url as seen in the event source. - Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. - This field is meant to represent the URL as it was observed, complete or not. 
- multi_fields: - - name: text - type: match_only_text - name: url.original - type: wildcard -- description: Path of the request, such as "/search". - name: url.path - type: wildcard -- description: |- - The query field describes the query string of the request, such as "q=elasticsearch". - The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. - name: url.query - type: keyword -- description: |- - The highest registered url domain, stripped of the subdomain. - For example, the registered domain for "foo.example.com" is "example.com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". - name: url.registered_domain - type: keyword -- description: |- - Scheme of the request, such as "https". - Note: The `:` is not part of the scheme. - name: url.scheme - type: keyword -- description: |- - The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". - name: url.top_level_domain - type: keyword -- description: |- - Name of the directory the user is a member of. - For example, an LDAP or Active Directory domain name. - name: user.domain - type: keyword -- description: User's full name, if available. - multi_fields: - - name: text - type: match_only_text - name: user.full_name - type: keyword -- description: Unique identifier of the user. 
- name: user.id - type: keyword -- description: Short name or login of the user. - multi_fields: - - name: text - type: match_only_text - name: user.name - type: keyword -- description: Unparsed user_agent string. - multi_fields: - - name: text - type: match_only_text - name: user_agent.original - type: keyword
diff --git a/packages/fortinet_fortimanager/1.1.2/data_stream/log/fields/fields.yml b/packages/fortinet_fortimanager/1.1.2/data_stream/log/fields/fields.yml
deleted file mode 100755
index ea69cd79e3..0000000000
--- a/packages/fortinet_fortimanager/1.1.2/data_stream/log/fields/fields.yml
+++ /dev/null
@@ -1,1754 +0,0 @@ -- name: rsa - type: group - fields: - - name: internal - type: group - fields: - - name: msg - type: keyword - description: This key is used to capture the raw message that comes into the Log Decoder - - name: messageid - type: keyword - - name: event_desc - type: keyword - - name: message - type: keyword - description: This key captures the contents of instant messages - - name: time - type: date - description: This is the time at which a session hits a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. - - name: level - type: long - description: Deprecated key defined only in table map. - - name: msg_id - type: keyword - description: This is the Message ID1 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: msg_vid - type: keyword - description: This is the Message ID2 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: data - type: keyword - description: Deprecated key defined only in table map. - - name: obj_server - type: keyword - description: Deprecated key defined only in table map. - - name: obj_val - type: keyword - description: Deprecated key defined only in table map. - - name: resource - type: keyword - description: Deprecated key defined only in table map. - - name: obj_id - type: keyword - description: Deprecated key defined only in table map. - - name: statement - type: keyword - description: Deprecated key defined only in table map. - - name: audit_class - type: keyword - description: Deprecated key defined only in table map. 
- - name: entry - type: keyword - description: Deprecated key defined only in table map. - - name: hcode - type: keyword - description: Deprecated key defined only in table map. - - name: inode - type: long - description: Deprecated key defined only in table map. - - name: resource_class - type: keyword - description: Deprecated key defined only in table map. - - name: dead - type: long - description: Deprecated key defined only in table map. - - name: feed_desc - type: keyword - description: This is used to capture the description of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: feed_name - type: keyword - description: This is used to capture the name of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: cid - type: keyword - description: This is the unique identifier used to identify a NetWitness Concentrator. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: device_class - type: keyword - description: This is the Classification of the Log Event Source under a predefined fixed set of Event Source Classifications. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: device_group - type: keyword - description: This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: device_host - type: keyword - description: This is the Hostname of the log Event Source sending the logs to NetWitness. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: device_ip - type: ip - description: This is the IPv4 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: device_ipv6 - type: ip - description: This is the IPv6 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: device_type - type: keyword - description: This is the name of the log parser which parsed a given session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: device_type_id - type: long - description: Deprecated key defined only in table map. - - name: did - type: keyword - description: This is the unique identifier used to identify a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: entropy_req - type: long - description: This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration - - name: entropy_res - type: long - description: This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration - - name: event_name - type: keyword - description: Deprecated key defined only in table map. - - name: feed_category - type: keyword - description: This is used to capture the category of the feed. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: forward_ip - type: ip - description: This key should be used to capture the IPV4 address of a relay system which forwarded the events from the original system to NetWitness. - - name: forward_ipv6 - type: ip - description: This key is used to capture the IPV6 address of a relay system which forwarded the events from the original system to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: header_id - type: keyword - description: This is the Header ID value that identifies the exact log parser header definition that parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: lc_cid - type: keyword - description: This is a unique Identifier of a Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: lc_ctime - type: date - description: This is the time at which a log is collected in a NetWitness Log Collector. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: mcb_req - type: long - description: This key is only used by the Entropy Parser, the most common byte request is simply which byte for each side (0 thru 255) was seen the most - - name: mcb_res - type: long - description: This key is only used by the Entropy Parser, the most common byte response is simply which byte for each side (0 thru 255) was seen the most - - name: mcbc_req - type: long - description: This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams - - name: mcbc_res - type: long - description: This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams - - name: medium - type: long - description: "This key is used to identify if it’s a log/packet session or Layer 2 Encapsulation Type. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. 32 = log, 33 = correlation session, < 32 is packet session" - - name: node_name - type: keyword - description: Deprecated key defined only in table map. - - name: nwe_callback_id - type: keyword - description: This key denotes that event is endpoint related - - name: parse_error - type: keyword - description: This is a special key that stores any Meta key validation error found while parsing a log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: payload_req - type: long - description: This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. 
However, in order to keep - - name: payload_res - type: long - description: This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep - - name: process_vid_dst - type: keyword - description: Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the target process. - - name: process_vid_src - type: keyword - description: Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the source process. - - name: rid - type: long - description: This is a special ID of the Remote Session created by NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: session_split - type: keyword - description: This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: site - type: keyword - description: Deprecated key defined only in table map. - - name: size - type: long - description: This is the size of the session as seen by the NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: sourcefile - type: keyword - description: This is the name of the log file or PCAPs that can be imported into NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: ubc_req - type: long - description: This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 
256 would mean all byte values of 0 thru 255 were seen at least once - - name: ubc_res - type: long - description: This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once - - name: word - type: keyword - description: This is used by the Word Parsing technology to capture the first 5 character of every word in an unparsed log - - name: time - type: group - fields: - - name: event_time - type: date - description: This key is used to capture the time mentioned in a raw session that represents the actual time an event occured in a standard normalized form - - name: duration_time - type: double - description: This key is used to capture the normalized duration/lifetime in seconds. - - name: event_time_str - type: keyword - description: This key is used to capture the incomplete time mentioned in a session as a string - - name: starttime - type: date - description: This key is used to capture the Start time mentioned in a session in a standard form - - name: month - type: keyword - - name: day - type: keyword - - name: endtime - type: date - description: This key is used to capture the End time mentioned in a session in a standard form - - name: timezone - type: keyword - description: This key is used to capture the timezone of the Event Time - - name: duration_str - type: keyword - description: A text string version of the duration - - name: date - type: keyword - - name: year - type: keyword - - name: recorded_time - type: date - description: The event time as recorded by the system the event is collected from. The usage scenario is a multi-tier application where the management layer of the system records it's own timestamp at the time of collection from its child nodes. Must be in timestamp format. 
- - name: datetime - type: keyword - - name: effective_time - type: date - description: This key is the effective time referenced by an individual event in a Standard Timestamp format - - name: expire_time - type: date - description: This key is the timestamp that explicitly refers to an expiration. - - name: process_time - type: keyword - description: Deprecated, use duration.time - - name: hour - type: keyword - - name: min - type: keyword - - name: timestamp - type: keyword - - name: event_queue_time - type: date - description: This key is the Time that the event was queued. - - name: p_time1 - type: keyword - - name: tzone - type: keyword - - name: eventtime - type: keyword - - name: gmtdate - type: keyword - - name: gmttime - type: keyword - - name: p_date - type: keyword - - name: p_month - type: keyword - - name: p_time - type: keyword - - name: p_time2 - type: keyword - - name: p_year - type: keyword - - name: expire_time_str - type: keyword - description: This key is used to capture incomplete timestamp that explicitly refers to an expiration. - - name: stamp - type: date - description: Deprecated key defined only in table map. - - name: misc - type: group - fields: - - name: action - type: keyword - - name: result - type: keyword - description: This key is used to capture the outcome/result string value of an action in a session. - - name: severity - type: keyword - description: This key is used to capture the severity given the session - - name: event_type - type: keyword - description: This key captures the event category type as specified by the event source. - - name: reference_id - type: keyword - description: This key is used to capture an event id from the session directly - - name: version - type: keyword - description: This key captures Version of the application or OS which is generating the event. - - name: disposition - type: keyword - description: This key captures the The end state of an action. 
- - name: result_code - type: keyword - description: This key is used to capture the outcome/result numeric value of an action in a session - - name: category - type: keyword - description: This key is used to capture the category of an event given by the vendor in the session - - name: obj_name - type: keyword - description: This is used to capture name of object - - name: obj_type - type: keyword - description: This is used to capture type of object - - name: event_source - type: keyword - description: "This key captures Source of the event that’s not a hostname" - - name: log_session_id - type: keyword - description: This key is used to capture a sessionid from the session directly - - name: group - type: keyword - description: This key captures the Group Name value - - name: policy_name - type: keyword - description: This key is used to capture the Policy Name only. - - name: rule_name - type: keyword - description: This key captures the Rule Name - - name: context - type: keyword - description: This key captures Information which adds additional context to the event. - - name: change_new - type: keyword - description: "This key is used to capture the new values of the attribute that’s changing in a session" - - name: space - type: keyword - - name: client - type: keyword - description: This key is used to capture only the name of the client application requesting resources of the server. See the user.agent meta key for capture of the specific user agent identifier or browser identification string. - - name: msgIdPart1 - type: keyword - - name: msgIdPart2 - type: keyword - - name: change_old - type: keyword - description: "This key is used to capture the old value of the attribute that’s changing in a session" - - name: operation_id - type: keyword - description: An alert number or operation number. The values should be unique and non-repeating. 
- - name: event_state - type: keyword - description: This key captures the current state of the object/item referenced within the event. Describing an on-going event. - - name: group_object - type: keyword - description: This key captures a collection/grouping of entities. Specific usage - - name: node - type: keyword - description: Common use case is the node name within a cluster. The cluster name is reflected by the host name. - - name: rule - type: keyword - description: This key captures the Rule number - - name: device_name - type: keyword - description: 'This is used to capture name of the Device associated with the node Like: a physical disk, printer, etc' - - name: param - type: keyword - description: This key is the parameters passed as part of a command or application, etc. - - name: change_attrib - type: keyword - description: "This key is used to capture the name of the attribute that’s changing in a session" - - name: event_computer - type: keyword - description: This key is a windows only concept, where this key is used to capture fully qualified domain name in a windows log. - - name: reference_id1 - type: keyword - description: This key is for Linked ID to be used as an addition to "reference.id" - - name: event_log - type: keyword - description: This key captures the Name of the event log - - name: OS - type: keyword - description: This key captures the Name of the Operating System - - name: terminal - type: keyword - description: This key captures the Terminal Names only - - name: msgIdPart3 - type: keyword - - name: filter - type: keyword - description: This key captures Filter used to reduce result set - - name: serial_number - type: keyword - description: This key is the Serial number associated with a physical asset. - - name: checksum - type: keyword - description: This key is used to capture the checksum or hash of the entity such as a file or process. 
Checksum should be used over checksum.src or checksum.dst when it is unclear whether the entity is a source or target of an action. - - name: event_user - type: keyword - description: This key is a windows only concept, where this key is used to capture combination of domain name and username in a windows log. - - name: virusname - type: keyword - description: This key captures the name of the virus - - name: content_type - type: keyword - description: This key is used to capture Content Type only. - - name: group_id - type: keyword - description: This key captures Group ID Number (related to the group name) - - name: policy_id - type: keyword - description: This key is used to capture the Policy ID only, this should be a numeric value, use policy.name otherwise - - name: vsys - type: keyword - description: This key captures Virtual System Name - - name: connection_id - type: keyword - description: This key captures the Connection ID - - name: reference_id2 - type: keyword - description: This key is for the 2nd Linked ID. Can be either linked to "reference.id" or "reference.id1" value but should not be used unless the other two variables are in play. - - name: sensor - type: keyword - description: This key captures Name of the sensor. Typically used in IDS/IPS based devices - - name: sig_id - type: long - description: This key captures IDS/IPS Int Signature ID - - name: port_name - type: keyword - description: 'This key is used for Physical or logical port connection but does NOT include a network port. (Example: Printer port name).' - - name: rule_group - type: keyword - description: This key captures the Rule group name - - name: risk_num - type: double - description: This key captures a Numeric Risk value - - name: trigger_val - type: keyword - description: This key captures the Value of the trigger or threshold condition. 
- - name: log_session_id1 - type: keyword - description: This key is used to capture a Linked (Related) Session ID from the session directly - - name: comp_version - type: keyword - description: This key captures the Version level of a sub-component of a product. - - name: content_version - type: keyword - description: This key captures Version level of a signature or database content. - - name: hardware_id - type: keyword - description: This key is used to capture unique identifier for a device or system (NOT a Mac address) - - name: risk - type: keyword - description: This key captures the non-numeric risk value - - name: event_id - type: keyword - - name: reason - type: keyword - - name: status - type: keyword - - name: mail_id - type: keyword - description: This key is used to capture the mailbox id/name - - name: rule_uid - type: keyword - description: This key is the Unique Identifier for a rule. - - name: trigger_desc - type: keyword - description: This key captures the Description of the trigger or threshold condition. - - name: inout - type: keyword - - name: p_msgid - type: keyword - - name: data_type - type: keyword - - name: msgIdPart4 - type: keyword - - name: error - type: keyword - description: This key captures All non successful Error codes or responses - - name: index - type: keyword - - name: listnum - type: keyword - description: This key is used to capture listname or listnumber, primarily for collecting access-list - - name: ntype - type: keyword - - name: observed_val - type: keyword - description: This key captures the Value observed (from the perspective of the device generating the log). - - name: policy_value - type: keyword - description: This key captures the contents of the policy. 
This contains details about the policy - - name: pool_name - type: keyword - description: This key captures the name of a resource pool - - name: rule_template - type: keyword - description: A default set of parameters which are overlayed onto a rule (or rulename) which efffectively constitutes a template - - name: count - type: keyword - - name: number - type: keyword - - name: sigcat - type: keyword - - name: type - type: keyword - - name: comments - type: keyword - description: Comment information provided in the log message - - name: doc_number - type: long - description: This key captures File Identification number - - name: expected_val - type: keyword - description: This key captures the Value expected (from the perspective of the device generating the log). - - name: job_num - type: keyword - description: This key captures the Job Number - - name: spi_dst - type: keyword - description: Destination SPI Index - - name: spi_src - type: keyword - description: Source SPI Index - - name: code - type: keyword - - name: agent_id - type: keyword - description: This key is used to capture agent id - - name: message_body - type: keyword - description: This key captures the The contents of the message body. - - name: phone - type: keyword - - name: sig_id_str - type: keyword - description: This key captures a string object of the sigid variable. - - name: cmd - type: keyword - - name: misc - type: keyword - - name: name - type: keyword - - name: cpu - type: long - description: This key is the CPU time used in the execution of the event being recorded. - - name: event_desc - type: keyword - description: This key is used to capture a description of an event available directly or inferred - - name: sig_id1 - type: long - description: This key captures IDS/IPS Int Signature ID. 
This must be linked to the sig.id - - name: im_buddyid - type: keyword - - name: im_client - type: keyword - - name: im_userid - type: keyword - - name: pid - type: keyword - - name: priority - type: keyword - - name: context_subject - type: keyword - description: This key is to be used in an audit context where the subject is the object being identified - - name: context_target - type: keyword - - name: cve - type: keyword - description: This key captures CVE (Common Vulnerabilities and Exposures) - an identifier for known information security vulnerabilities. - - name: fcatnum - type: keyword - description: This key captures Filter Category Number. Legacy Usage - - name: library - type: keyword - description: This key is used to capture library information in mainframe devices - - name: parent_node - type: keyword - description: This key captures the Parent Node Name. Must be related to node variable. - - name: risk_info - type: keyword - description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - - name: tcp_flags - type: long - description: This key is captures the TCP flags set in any packet of session - - name: tos - type: long - description: This key describes the type of service - - name: vm_target - type: keyword - description: VMWare Target **VMWARE** only varaible. 
- - name: workspace - type: keyword - description: This key captures Workspace Description - - name: command - type: keyword - - name: event_category - type: keyword - - name: facilityname - type: keyword - - name: forensic_info - type: keyword - - name: jobname - type: keyword - - name: mode - type: keyword - - name: policy - type: keyword - - name: policy_waiver - type: keyword - - name: second - type: keyword - - name: space1 - type: keyword - - name: subcategory - type: keyword - - name: tbdstr2 - type: keyword - - name: alert_id - type: keyword - description: Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - - name: checksum_dst - type: keyword - description: This key is used to capture the checksum or hash of the the target entity such as a process or file. - - name: checksum_src - type: keyword - description: This key is used to capture the checksum or hash of the source entity such as a file or process. - - name: fresult - type: long - description: This key captures the Filter Result - - name: payload_dst - type: keyword - description: This key is used to capture destination payload - - name: payload_src - type: keyword - description: This key is used to capture source payload - - name: pool_id - type: keyword - description: This key captures the identifier (typically numeric field) of a resource pool - - name: process_id_val - type: keyword - description: This key is a failure key for Process ID when it is not an integer value - - name: risk_num_comm - type: double - description: This key captures Risk Number Community - - name: risk_num_next - type: double - description: This key captures Risk Number NextGen - - name: risk_num_sand - type: double - description: This key captures Risk Number SandBox - - name: risk_num_static - type: double - description: This key captures Risk Number Static - - name: risk_suspicious - type: keyword - description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - - name: risk_warning - 
type: keyword - description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - - name: snmp_oid - type: keyword - description: SNMP Object Identifier - - name: sql - type: keyword - description: This key captures the SQL query - - name: vuln_ref - type: keyword - description: This key captures the Vulnerability Reference details - - name: acl_id - type: keyword - - name: acl_op - type: keyword - - name: acl_pos - type: keyword - - name: acl_table - type: keyword - - name: admin - type: keyword - - name: alarm_id - type: keyword - - name: alarmname - type: keyword - - name: app_id - type: keyword - - name: audit - type: keyword - - name: audit_object - type: keyword - - name: auditdata - type: keyword - - name: benchmark - type: keyword - - name: bypass - type: keyword - - name: cache - type: keyword - - name: cache_hit - type: keyword - - name: cefversion - type: keyword - - name: cfg_attr - type: keyword - - name: cfg_obj - type: keyword - - name: cfg_path - type: keyword - - name: changes - type: keyword - - name: client_ip - type: keyword - - name: clustermembers - type: keyword - - name: cn_acttimeout - type: keyword - - name: cn_asn_src - type: keyword - - name: cn_bgpv4nxthop - type: keyword - - name: cn_ctr_dst_code - type: keyword - - name: cn_dst_tos - type: keyword - - name: cn_dst_vlan - type: keyword - - name: cn_engine_id - type: keyword - - name: cn_engine_type - type: keyword - - name: cn_f_switch - type: keyword - - name: cn_flowsampid - type: keyword - - name: cn_flowsampintv - type: keyword - - name: cn_flowsampmode - type: keyword - - name: cn_inacttimeout - type: keyword - - name: cn_inpermbyts - type: keyword - - name: cn_inpermpckts - type: keyword - - name: cn_invalid - type: keyword - - name: cn_ip_proto_ver - type: keyword - - name: cn_ipv4_ident - type: keyword - - name: cn_l_switch - type: keyword - - name: cn_log_did - type: keyword - - name: cn_log_rid - type: keyword - - name: cn_max_ttl - type: keyword - - name: 
cn_maxpcktlen - type: keyword - - name: cn_min_ttl - type: keyword - - name: cn_minpcktlen - type: keyword - - name: cn_mpls_lbl_1 - type: keyword - - name: cn_mpls_lbl_10 - type: keyword - - name: cn_mpls_lbl_2 - type: keyword - - name: cn_mpls_lbl_3 - type: keyword - - name: cn_mpls_lbl_4 - type: keyword - - name: cn_mpls_lbl_5 - type: keyword - - name: cn_mpls_lbl_6 - type: keyword - - name: cn_mpls_lbl_7 - type: keyword - - name: cn_mpls_lbl_8 - type: keyword - - name: cn_mpls_lbl_9 - type: keyword - - name: cn_mplstoplabel - type: keyword - - name: cn_mplstoplabip - type: keyword - - name: cn_mul_dst_byt - type: keyword - - name: cn_mul_dst_pks - type: keyword - - name: cn_muligmptype - type: keyword - - name: cn_sampalgo - type: keyword - - name: cn_sampint - type: keyword - - name: cn_seqctr - type: keyword - - name: cn_spackets - type: keyword - - name: cn_src_tos - type: keyword - - name: cn_src_vlan - type: keyword - - name: cn_sysuptime - type: keyword - - name: cn_template_id - type: keyword - - name: cn_totbytsexp - type: keyword - - name: cn_totflowexp - type: keyword - - name: cn_totpcktsexp - type: keyword - - name: cn_unixnanosecs - type: keyword - - name: cn_v6flowlabel - type: keyword - - name: cn_v6optheaders - type: keyword - - name: comp_class - type: keyword - - name: comp_name - type: keyword - - name: comp_rbytes - type: keyword - - name: comp_sbytes - type: keyword - - name: cpu_data - type: keyword - - name: criticality - type: keyword - - name: cs_agency_dst - type: keyword - - name: cs_analyzedby - type: keyword - - name: cs_av_other - type: keyword - - name: cs_av_primary - type: keyword - - name: cs_av_secondary - type: keyword - - name: cs_bgpv6nxthop - type: keyword - - name: cs_bit9status - type: keyword - - name: cs_context - type: keyword - - name: cs_control - type: keyword - - name: cs_data - type: keyword - - name: cs_datecret - type: keyword - - name: cs_dst_tld - type: keyword - - name: cs_eth_dst_ven - type: keyword - - 
name: cs_eth_src_ven - type: keyword - - name: cs_event_uuid - type: keyword - - name: cs_filetype - type: keyword - - name: cs_fld - type: keyword - - name: cs_if_desc - type: keyword - - name: cs_if_name - type: keyword - - name: cs_ip_next_hop - type: keyword - - name: cs_ipv4dstpre - type: keyword - - name: cs_ipv4srcpre - type: keyword - - name: cs_lifetime - type: keyword - - name: cs_log_medium - type: keyword - - name: cs_loginname - type: keyword - - name: cs_modulescore - type: keyword - - name: cs_modulesign - type: keyword - - name: cs_opswatresult - type: keyword - - name: cs_payload - type: keyword - - name: cs_registrant - type: keyword - - name: cs_registrar - type: keyword - - name: cs_represult - type: keyword - - name: cs_rpayload - type: keyword - - name: cs_sampler_name - type: keyword - - name: cs_sourcemodule - type: keyword - - name: cs_streams - type: keyword - - name: cs_targetmodule - type: keyword - - name: cs_v6nxthop - type: keyword - - name: cs_whois_server - type: keyword - - name: cs_yararesult - type: keyword - - name: description - type: keyword - - name: devvendor - type: keyword - - name: distance - type: keyword - - name: dstburb - type: keyword - - name: edomain - type: keyword - - name: edomaub - type: keyword - - name: euid - type: keyword - - name: facility - type: keyword - - name: finterface - type: keyword - - name: flags - type: keyword - - name: gaddr - type: keyword - - name: id3 - type: keyword - - name: im_buddyname - type: keyword - - name: im_croomid - type: keyword - - name: im_croomtype - type: keyword - - name: im_members - type: keyword - - name: im_username - type: keyword - - name: ipkt - type: keyword - - name: ipscat - type: keyword - - name: ipspri - type: keyword - - name: latitude - type: keyword - - name: linenum - type: keyword - - name: list_name - type: keyword - - name: load_data - type: keyword - - name: location_floor - type: keyword - - name: location_mark - type: keyword - - name: log_id - 
type: keyword - - name: log_type - type: keyword - - name: logid - type: keyword - - name: logip - type: keyword - - name: logname - type: keyword - - name: longitude - type: keyword - - name: lport - type: keyword - - name: mbug_data - type: keyword - - name: misc_name - type: keyword - - name: msg_type - type: keyword - - name: msgid - type: keyword - - name: netsessid - type: keyword - - name: num - type: keyword - - name: number1 - type: keyword - - name: number2 - type: keyword - - name: nwwn - type: keyword - - name: object - type: keyword - - name: operation - type: keyword - - name: opkt - type: keyword - - name: orig_from - type: keyword - - name: owner_id - type: keyword - - name: p_action - type: keyword - - name: p_filter - type: keyword - - name: p_group_object - type: keyword - - name: p_id - type: keyword - - name: p_msgid1 - type: keyword - - name: p_msgid2 - type: keyword - - name: p_result1 - type: keyword - - name: password_chg - type: keyword - - name: password_expire - type: keyword - - name: permgranted - type: keyword - - name: permwanted - type: keyword - - name: pgid - type: keyword - - name: policyUUID - type: keyword - - name: prog_asp_num - type: keyword - - name: program - type: keyword - - name: real_data - type: keyword - - name: rec_asp_device - type: keyword - - name: rec_asp_num - type: keyword - - name: rec_library - type: keyword - - name: recordnum - type: keyword - - name: ruid - type: keyword - - name: sburb - type: keyword - - name: sdomain_fld - type: keyword - - name: sec - type: keyword - - name: sensorname - type: keyword - - name: seqnum - type: keyword - - name: session - type: keyword - - name: sessiontype - type: keyword - - name: sigUUID - type: keyword - - name: spi - type: keyword - - name: srcburb - type: keyword - - name: srcdom - type: keyword - - name: srcservice - type: keyword - - name: state - type: keyword - - name: status1 - type: keyword - - name: svcno - type: keyword - - name: system - type: keyword - - 
name: tbdstr1 - type: keyword - - name: tgtdom - type: keyword - - name: tgtdomain - type: keyword - - name: threshold - type: keyword - - name: type1 - type: keyword - - name: udb_class - type: keyword - - name: url_fld - type: keyword - - name: user_div - type: keyword - - name: userid - type: keyword - - name: username_fld - type: keyword - - name: utcstamp - type: keyword - - name: v_instafname - type: keyword - - name: virt_data - type: keyword - - name: vpnid - type: keyword - - name: autorun_type - type: keyword - description: This is used to capture Auto Run type - - name: cc_number - type: long - description: Valid Credit Card Numbers only - - name: content - type: keyword - description: This key captures the content type from protocol headers - - name: ein_number - type: long - description: Employee Identification Numbers only - - name: found - type: keyword - description: This is used to capture the results of regex match - - name: language - type: keyword - description: This is used to capture list of languages the client support and what it prefers - - name: lifetime - type: long - description: This key is used to capture the session lifetime in seconds. - - name: link - type: keyword - description: This key is used to link the sessions together. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: match - type: keyword - description: This key is for regex match name from search.ini - - name: param_dst - type: keyword - description: This key captures the command line/launch argument of the target process or file - - name: param_src - type: keyword - description: This key captures source parameter - - name: search_text - type: keyword - description: This key captures the Search Text used - - name: sig_name - type: keyword - description: This key is used to capture the Signature Name only. 
- - name: snmp_value - type: keyword - description: SNMP set request value - - name: streams - type: long - description: This key captures number of streams in session - - name: db - type: group - fields: - - name: index - type: keyword - description: This key captures IndexID of the index. - - name: instance - type: keyword - description: This key is used to capture the database server instance name - - name: database - type: keyword - description: This key is used to capture the name of a database or an instance as seen in a session - - name: transact_id - type: keyword - description: This key captures the SQL transantion ID of the current session - - name: permissions - type: keyword - description: This key captures permission or privilege level assigned to a resource. - - name: table_name - type: keyword - description: This key is used to capture the table name - - name: db_id - type: keyword - description: This key is used to capture the unique identifier for a database - - name: db_pid - type: long - description: This key captures the process id of a connection with database server - - name: lread - type: long - description: This key is used for the number of logical reads - - name: lwrite - type: long - description: This key is used for the number of logical writes - - name: pread - type: long - description: This key is used for the number of physical writes - - name: network - type: group - fields: - - name: alias_host - type: keyword - description: This key should be used when the source or destination context of a hostname is not clear.Also it captures the Device Hostname. Any Hostname that isnt ad.computer. 
- - name: domain - type: keyword - - name: host_dst - type: keyword - description: "This key should only be used when it’s a Destination Hostname" - - name: network_service - type: keyword - description: This is used to capture layer 7 protocols/service names - - name: interface - type: keyword - description: This key should be used when the source or destination context of an interface is not clear - - name: network_port - type: long - description: 'Deprecated, use port. NOTE: There is a type discrepancy as currently used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!)' - - name: eth_host - type: keyword - description: Deprecated, use alias.mac - - name: sinterface - type: keyword - description: "This key should only be used when it’s a Source Interface" - - name: dinterface - type: keyword - description: "This key should only be used when it’s a Destination Interface" - - name: vlan - type: long - description: This key should only be used to capture the ID of the Virtual LAN - - name: zone_src - type: keyword - description: "This key should only be used when it’s a Source Zone." - - name: zone - type: keyword - description: This key should be used when the source or destination context of a Zone is not clear - - name: zone_dst - type: keyword - description: "This key should only be used when it’s a Destination Zone." - - name: gateway - type: keyword - description: This key is used to capture the IP Address of the gateway - - name: icmp_type - type: long - description: This key is used to capture the ICMP type only - - name: mask - type: keyword - description: This key is used to capture the device network IPmask. 
- - name: icmp_code - type: long - description: This key is used to capture the ICMP code only - - name: protocol_detail - type: keyword - description: This key should be used to capture additional protocol information - - name: dmask - type: keyword - description: This key is used for Destionation Device network mask - - name: port - type: long - description: This key should only be used to capture a Network Port when the directionality is not clear - - name: smask - type: keyword - description: This key is used for capturing source Network Mask - - name: netname - type: keyword - description: This key is used to capture the network name associated with an IP range. This is configured by the end user. - - name: paddr - type: ip - description: Deprecated - - name: faddr - type: keyword - - name: lhost - type: keyword - - name: origin - type: keyword - - name: remote_domain_id - type: keyword - - name: addr - type: keyword - - name: dns_a_record - type: keyword - - name: dns_ptr_record - type: keyword - - name: fhost - type: keyword - - name: fport - type: keyword - - name: laddr - type: keyword - - name: linterface - type: keyword - - name: phost - type: keyword - - name: ad_computer_dst - type: keyword - description: Deprecated, use host.dst - - name: eth_type - type: long - description: This key is used to capture Ethernet Type, Used for Layer 3 Protocols Only - - name: ip_proto - type: long - description: This key should be used to capture the Protocol number, all the protocol nubers are converted into string in UI - - name: dns_cname_record - type: keyword - - name: dns_id - type: keyword - - name: dns_opcode - type: keyword - - name: dns_resp - type: keyword - - name: dns_type - type: keyword - - name: domain1 - type: keyword - - name: host_type - type: keyword - - name: packet_length - type: keyword - - name: host_orig - type: keyword - description: This is used to capture the original hostname in case of a Forwarding Agent or a Proxy in between. 
- - name: rpayload - type: keyword - description: This key is used to capture the total number of payload bytes seen in the retransmitted packets. - - name: vlan_name - type: keyword - description: This key should only be used to capture the name of the Virtual LAN - - name: investigations - type: group - fields: - - name: ec_activity - type: keyword - description: This key captures the particular event activity(Ex:Logoff) - - name: ec_theme - type: keyword - description: This key captures the Theme of a particular Event(Ex:Authentication) - - name: ec_subject - type: keyword - description: This key captures the Subject of a particular Event(Ex:User) - - name: ec_outcome - type: keyword - description: This key captures the outcome of a particular Event(Ex:Success) - - name: event_cat - type: long - description: This key captures the Event category number - - name: event_cat_name - type: keyword - description: This key captures the event category name corresponding to the event cat code - - name: event_vcat - type: keyword - description: This is a vendor supplied category. This should be used in situations where the vendor has adopted their own event_category taxonomy. - - name: analysis_file - type: keyword - description: This is used to capture all indicators used in a File Analysis. This key should be used to capture an analysis of a file - - name: analysis_service - type: keyword - description: This is used to capture all indicators used in a Service Analysis. This key should be used to capture an analysis of a service - - name: analysis_session - type: keyword - description: This is used to capture all indicators used for a Session Analysis. 
This key should be used to capture an analysis of a session - - name: boc - type: keyword - description: This is used to capture behaviour of compromise - - name: eoc - type: keyword - description: This is used to capture Enablers of Compromise - - name: inv_category - type: keyword - description: This used to capture investigation category - - name: inv_context - type: keyword - description: This used to capture investigation context - - name: ioc - type: keyword - description: This is key capture indicator of compromise - - name: counters - type: group - fields: - - name: dclass_c1 - type: long - description: This is a generic counter key that should be used with the label dclass.c1.str only - - name: dclass_c2 - type: long - description: This is a generic counter key that should be used with the label dclass.c2.str only - - name: event_counter - type: long - description: This is used to capture the number of times an event repeated - - name: dclass_r1 - type: keyword - description: This is a generic ratio key that should be used with the label dclass.r1.str only - - name: dclass_c3 - type: long - description: This is a generic counter key that should be used with the label dclass.c3.str only - - name: dclass_c1_str - type: keyword - description: This is a generic counter string key that should be used with the label dclass.c1 only - - name: dclass_c2_str - type: keyword - description: This is a generic counter string key that should be used with the label dclass.c2 only - - name: dclass_r1_str - type: keyword - description: This is a generic ratio string key that should be used with the label dclass.r1 only - - name: dclass_r2 - type: keyword - description: This is a generic ratio key that should be used with the label dclass.r2.str only - - name: dclass_c3_str - type: keyword - description: This is a generic counter string key that should be used with the label dclass.c3 only - - name: dclass_r3 - type: keyword - description: This is a generic ratio key that 
should be used with the label dclass.r3.str only - - name: dclass_r2_str - type: keyword - description: This is a generic ratio string key that should be used with the label dclass.r2 only - - name: dclass_r3_str - type: keyword - description: This is a generic ratio string key that should be used with the label dclass.r3 only - - name: identity - type: group - fields: - - name: auth_method - type: keyword - description: This key is used to capture authentication methods used only - - name: user_role - type: keyword - description: This key is used to capture the Role of a user only - - name: dn - type: keyword - description: X.500 (LDAP) Distinguished Name - - name: logon_type - type: keyword - description: This key is used to capture the type of logon method used. - - name: profile - type: keyword - description: This key is used to capture the user profile - - name: accesses - type: keyword - description: This key is used to capture actual privileges used in accessing an object - - name: realm - type: keyword - description: Radius realm or similar grouping of accounts - - name: user_sid_dst - type: keyword - description: This key captures Destination User Session ID - - name: dn_src - type: keyword - description: An X.500 (LDAP) Distinguished name that is used in a context that indicates a Source dn - - name: org - type: keyword - description: This key captures the User organization - - name: dn_dst - type: keyword - description: An X.500 (LDAP) Distinguished name that used in a context that indicates a Destination dn - - name: firstname - type: keyword - description: This key is for First Names only, this is used for Healthcare predominantly to capture Patients information - - name: lastname - type: keyword - description: This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information - - name: user_dept - type: keyword - description: User's Department Names only - - name: user_sid_src - type: keyword - description: This 
key captures Source User Session ID - - name: federated_sp - type: keyword - description: This key is the Federated Service Provider. This is the application requesting authentication. - - name: federated_idp - type: keyword - description: This key is the federated Identity Provider. This is the server providing the authentication. - - name: logon_type_desc - type: keyword - description: This key is used to capture the textual description of an integer logon type as stored in the meta key 'logon.type'. - - name: middlename - type: keyword - description: This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information - - name: password - type: keyword - description: This key is for Passwords seen in any session, plain text or encrypted - - name: host_role - type: keyword - description: This key should only be used to capture the role of a Host Machine - - name: ldap - type: keyword - description: "This key is for Uninterpreted LDAP values. Ldap Values that don’t have a clear query or response context" - - name: ldap_query - type: keyword - description: This key is the Search criteria from an LDAP search - - name: ldap_response - type: keyword - description: This key is to capture Results from an LDAP search - - name: owner - type: keyword - description: This is used to capture username the process or service is running as, the author of the task - - name: service_account - type: keyword - description: This key is a windows specific key, used for capturing name of the account a service (referenced in the event) is running under. 
Legacy Usage - - name: email - type: group - fields: - - name: email_dst - type: keyword - description: This key is used to capture the Destination email address only, when the destination context is not clear use email - - name: email_src - type: keyword - description: This key is used to capture the source email address only, when the source context is not clear use email - - name: subject - type: keyword - description: This key is used to capture the subject string from an Email only. - - name: email - type: keyword - description: This key is used to capture a generic email address where the source or destination context is not clear - - name: trans_from - type: keyword - description: Deprecated key defined only in table map. - - name: trans_to - type: keyword - description: Deprecated key defined only in table map. - - name: file - type: group - fields: - - name: privilege - type: keyword - description: Deprecated, use permissions - - name: attachment - type: keyword - description: This key captures the attachment file name - - name: filesystem - type: keyword - - name: binary - type: keyword - description: Deprecated key defined only in table map. 
- - name: filename_dst - type: keyword - description: This is used to capture name of the file targeted by the action - - name: filename_src - type: keyword - description: This is used to capture name of the parent filename, the file which performed the action - - name: filename_tmp - type: keyword - - name: directory_dst - type: keyword - description: This key is used to capture the directory of the target process or file - - name: directory_src - type: keyword - description: This key is used to capture the directory of the source process or file - - name: file_entropy - type: double - description: This is used to capture entropy vale of a file - - name: file_vendor - type: keyword - description: This is used to capture Company name of file located in version_info - - name: task_name - type: keyword - description: This is used to capture name of the task - - name: web - type: group - fields: - - name: fqdn - type: keyword - description: Fully Qualified Domain Names - - name: web_cookie - type: keyword - description: This key is used to capture the Web cookies specifically. - - name: alias_host - type: keyword - - name: reputation_num - type: double - description: Reputation Number of an entity. 
Typically used for Web Domains - - name: web_ref_domain - type: keyword - description: Web referer's domain - - name: web_ref_query - type: keyword - description: This key captures Web referer's query portion of the URL - - name: remote_domain - type: keyword - - name: web_ref_page - type: keyword - description: This key captures Web referer's page information - - name: web_ref_root - type: keyword - description: Web referer's root URL path - - name: cn_asn_dst - type: keyword - - name: cn_rpackets - type: keyword - - name: urlpage - type: keyword - - name: urlroot - type: keyword - - name: p_url - type: keyword - - name: p_user_agent - type: keyword - - name: p_web_cookie - type: keyword - - name: p_web_method - type: keyword - - name: p_web_referer - type: keyword - - name: web_extension_tmp - type: keyword - - name: web_page - type: keyword - - name: threat - type: group - fields: - - name: threat_category - type: keyword - description: This key captures Threat Name/Threat Category/Categorization of alert - - name: threat_desc - type: keyword - description: This key is used to capture the threat description from the session directly or inferred - - name: alert - type: keyword - description: This key is used to capture name of the alert - - name: threat_source - type: keyword - description: This key is used to capture source of the threat - - name: crypto - type: group - fields: - - name: crypto - type: keyword - description: This key is used to capture the Encryption Type or Encryption Key only - - name: cipher_src - type: keyword - description: This key is for Source (Client) Cipher - - name: cert_subject - type: keyword - description: This key is used to capture the Certificate organization only - - name: peer - type: keyword - description: This key is for Encryption peer's IP Address - - name: cipher_size_src - type: long - description: This key captures Source (Client) Cipher Size - - name: ike - type: keyword - description: IKE negotiation phase. 
- - name: scheme - type: keyword - description: This key captures the Encryption scheme used - - name: peer_id - type: keyword - description: "This key is for Encryption peer’s identity" - - name: sig_type - type: keyword - description: This key captures the Signature Type - - name: cert_issuer - type: keyword - - name: cert_host_name - type: keyword - description: Deprecated key defined only in table map. - - name: cert_error - type: keyword - description: This key captures the Certificate Error String - - name: cipher_dst - type: keyword - description: This key is for Destination (Server) Cipher - - name: cipher_size_dst - type: long - description: This key captures Destination (Server) Cipher Size - - name: ssl_ver_src - type: keyword - description: Deprecated, use version - - name: d_certauth - type: keyword - - name: s_certauth - type: keyword - - name: ike_cookie1 - type: keyword - description: "ID of the negotiation — sent for ISAKMP Phase One" - - name: ike_cookie2 - type: keyword - description: "ID of the negotiation — sent for ISAKMP Phase Two" - - name: cert_checksum - type: keyword - - name: cert_host_cat - type: keyword - description: This key is used for the hostname category value of a certificate - - name: cert_serial - type: keyword - description: This key is used to capture the Certificate serial number only - - name: cert_status - type: keyword - description: This key captures Certificate validation status - - name: ssl_ver_dst - type: keyword - description: Deprecated, use version - - name: cert_keysize - type: keyword - - name: cert_username - type: keyword - - name: https_insact - type: keyword - - name: https_valid - type: keyword - - name: cert_ca - type: keyword - description: This key is used to capture the Certificate signing authority only - - name: cert_common - type: keyword - description: This key is used to capture the Certificate common name only - - name: wireless - type: group - fields: - - name: wlan_ssid - type: keyword - 
description: This key is used to capture the ssid of a Wireless Session - - name: access_point - type: keyword - description: This key is used to capture the access point name. - - name: wlan_channel - type: long - description: This is used to capture the channel names - - name: wlan_name - type: keyword - description: This key captures either WLAN number/name - - name: storage - type: group - fields: - - name: disk_volume - type: keyword - description: A unique name assigned to logical units (volumes) within a physical disk - - name: lun - type: keyword - description: Logical Unit Number.This key is a very useful concept in Storage. - - name: pwwn - type: keyword - description: This uniquely identifies a port on a HBA. - - name: physical - type: group - fields: - - name: org_dst - type: keyword - description: This is used to capture the destination organization based on the GEOPIP Maxmind database. - - name: org_src - type: keyword - description: This is used to capture the source organization based on the GEOPIP Maxmind database. 
- - name: healthcare - type: group - fields: - - name: patient_fname - type: keyword - description: This key is for First Names only, this is used for Healthcare predominantly to capture Patients information - - name: patient_id - type: keyword - description: This key captures the unique ID for a patient - - name: patient_lname - type: keyword - description: This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information - - name: patient_mname - type: keyword - description: This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information - - name: endpoint - type: group - fields: - - name: host_state - type: keyword - description: This key is used to capture the current state of the machine, such as blacklisted, infected, firewall disabled and so on - - name: registry_key - type: keyword - description: This key captures the path to the registry key - - name: registry_value - type: keyword - description: This key captures values or decorators used within a registry entry -- name: dns.question.domain - type: keyword - ignore_above: 1024 - description: Server domain. -- name: network.interface.name - type: keyword diff --git a/packages/fortinet_fortimanager/1.1.2/data_stream/log/manifest.yml b/packages/fortinet_fortimanager/1.1.2/data_stream/log/manifest.yml deleted file mode 100755 index c6aacc111a..0000000000 --- a/packages/fortinet_fortimanager/1.1.2/data_stream/log/manifest.yml +++ /dev/null 
@@ -1,210 +0,0 @@
-title: Fortinet Manager/Analyzer logs
-release: experimental
-type: logs
-streams:
- - input: udp
- title: Fortinet Manager/Analyzer logs
- description: Collect Fortinet Manager/Analyzer logs
- template_path: udp.yml.hbs
- vars:
- - name: tags
- type: text
- title: Tags
- multi: true
- required: true
- show_user: false
- default:
- - fortinet-fortimanager
- - forwarded
- - name: udp_host
- type: text
- title: Listen Address
- description: The bind address to listen for UDP connections. Set to `0.0.0.0` to bind to all available interfaces.
- multi: false
- required: true
- show_user: true
- default: localhost
- - name: udp_port
- type: integer
- title: Listen Port
- description: The UDP port number to listen on.
- multi: false
- required: true
- show_user: true
- default: 9530
- - name: tz_offset
- type: text
- title: Timezone offset (+HH:mm format)
- required: false
- show_user: true
- default: "local"
- - name: rsa_fields
- type: bool
- title: Add non-ECS fields
- required: false
- show_user: true
- default: true
- - name: keep_raw_fields
- type: bool
- title: Keep raw parser fields
- required: false
- show_user: false
- default: false
- - name: debug
- type: bool
- title: Enable debug logging
- required: false
- show_user: false
- default: false
- - name: preserve_original_event
- required: true
- show_user: true
- title: Preserve original event
- description: Preserves a raw copy of the original event, added to the field `event.original`
- type: bool
- multi: false
- default: false
- - name: processors
- type: yaml
- title: Processors
- multi: false
- required: false
- show_user: false
- description: >
- Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
-
- - input: tcp
- title: Fortinet Manager/Analyzer logs
- description: Collect Fortinet Manager/Analyzer logs
- template_path: tcp.yml.hbs
- vars:
- - name: tags
- type: text
- title: Tags
- multi: true
- required: true
- show_user: false
- default:
- - fortinet-fortimanager
- - forwarded
- - name: tcp_host
- type: text
- title: Listen Address
- description: The bind address to listen for TCP connections. Set to `0.0.0.0` to bind to all available interfaces.
- multi: false
- required: true
- show_user: true
- default: localhost
- - name: tcp_port
- type: integer
- title: Listen Port
- description: The TCP port number to listen on.
- multi: false
- required: true
- show_user: true
- default: 9530
- - name: tz_offset
- type: text
- title: Timezone offset (+HH:mm format)
- required: false
- show_user: true
- default: "local"
- - name: rsa_fields
- type: bool
- title: Add non-ECS fields
- required: false
- show_user: true
- default: true
- - name: keep_raw_fields
- type: bool
- title: Keep raw parser fields
- required: false
- show_user: false
- default: false
- - name: debug
- type: bool
- title: Enable debug logging
- required: false
- show_user: false
- default: false
- - name: preserve_original_event
- required: true
- show_user: true
- title: Preserve original event
- description: Preserves a raw copy of the original event, added to the field `event.original`
- type: bool
- multi: false
- default: false
- - name: processors
- type: yaml
- title: Processors
- multi: false
- required: false
- show_user: false
- description: >
- Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
-
- - input: logfile
- enabled: false
- title: Fortinet Manager/Analyzer logs
- description: Collect Fortinet Manager/Analyzer logs from file
- template_path: log.yml.hbs
- vars:
- - name: paths
- type: text
- title: Paths
- multi: true
- required: true
- show_user: true
- default:
- - /var/log/fortinet-fortimanager.log
- - name: tags
- type: text
- title: Tags
- multi: true
- required: true
- show_user: false
- default:
- - fortinet-fortimanager
- - forwarded
- - name: tz_offset
- type: text
- title: Timezone offset (+HH:mm format)
- required: false
- show_user: true
- default: "local"
- - name: rsa_fields
- type: bool
- title: Add non-ECS fields
- required: false
- show_user: true
- default: true
- - name: keep_raw_fields
- type: bool
- title: Keep raw parser fields
- required: false
- show_user: false
- default: false
- - name: debug
- type: bool
- title: Enable debug logging
- required: false
- show_user: false
- default: false
- - name: preserve_original_event
- required: true
- show_user: true
- title: Preserve original event
- description: Preserves a raw copy of the original event, added to the field `event.original`
- type: bool
- multi: false
- default: false
- - name: processors
- type: yaml
- title: Processors
- multi: false
- required: false
- show_user: false
- description: >
- Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
-
diff --git a/packages/fortinet_fortimanager/1.1.2/data_stream/log/sample_event.json b/packages/fortinet_fortimanager/1.1.2/data_stream/log/sample_event.json
deleted file mode 100755
index 0959ccecbb..0000000000
--- a/packages/fortinet_fortimanager/1.1.2/data_stream/log/sample_event.json
+++ /dev/null
@@ -1,131 +0,0 @@ -{ - "@timestamp": "2016-01-29T06:09:59.000Z", - "agent": { - "ephemeral_id": "607e3bda-a938-4637-8dd4-02613e9144ac", - "id": "4e3f135a-d5f9-40b6-ae01-2c834ecbead0", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "8.0.0" - }, - "data_stream": { - "dataset": "fortinet_fortimanager.log", - "namespace": "ep", - "type": "logs" - }, - "destination": { - "bytes": 449, - "geo": { - "country_name": "sequa" - }, - "ip": [ - "10.44.173.44" - ], - "nat": { - "ip": "10.189.58.145", - "port": 5273 - }, - "port": 6125 - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "4e3f135a-d5f9-40b6-ae01-2c834ecbead0", - "snapshot": true, - "version": "8.0.0" - }, - "event": { - "action": "allow", - "agent_id_status": "verified", - "code": "sse", - "dataset": "fortinet_fortimanager.log", - "ingested": "2022-01-25T12:33:50Z", - "original": "logver=iusm devname=\"modtempo\" devid=\"olab\" vd=nto date=2016-1-29 time=6:09:59 logid=sse type=exercita subtype=der level=very-high eventtime=odoco logtime=ria srcip=10.20.234.169 srcport=1001 srcintf=eth5722 srcintfrole=vol dstip=10.44.173.44 dstport=6125 dstintf=enp0s3068 dstintfrole=nseq poluuid=itinvol sessionid=psa proto=21 action=allow policyid=ntium policytype=psaq crscore=13.800000 craction=eab crlevel=aliqu appcat=Ute service=lupt srccountry=dolore dstcountry=sequa trandisp=abo tranip=10.189.58.145 tranport=5273 duration=14.119000 sentbyte=7880 rcvdbyte=449 sentpkt=mqui app=nci\n", - "timezone": "+00:00" - }, - "input": { - "type": "udp" - }, - "log": { - "level": "very-high", - "source": { - "address": "172.30.0.4:60997" - } - }, - "network": { - "bytes": 8329 - }, - "observer": { - "egress": { - "interface": { - "name": "enp0s3068" - } - }, - "ingress": { - "interface": { - "name": "eth5722" - } - }, - "product": "FortiManager", - "type": "Configuration", - "vendor": "Fortinet" - }, - "related": { - "hosts": [ - "modtempo" - ], - "ip": [ - "10.189.58.145", - "10.20.234.169", - 
"10.44.173.44" - ] - }, - "rsa": { - "internal": { - "messageid": "generic_fortinetmgr_1" - }, - "misc": { - "action": [ - "allow" - ], - "category": "der", - "context": "abo", - "event_source": "modtempo", - "event_type": "exercita", - "hardware_id": "olab", - "log_session_id": "psa", - "policy_id": "ntium", - "reference_id": "sse", - "severity": "very-high", - "vsys": "nto" - }, - "network": { - "dinterface": "enp0s3068", - "network_service": "lupt", - "sinterface": "eth5722" - }, - "time": { - "duration_time": 14.119, - "event_time": "2016-01-29T06:09:59.000Z", - "event_time_str": "odoco" - }, - "web": { - "reputation_num": 13.8 - } - }, - "source": { - "bytes": 7880, - "geo": { - "country_name": "dolore" - }, - "ip": [ - "10.20.234.169" - ], - "port": 1001 - }, - "tags": [ - "preserve_original_event", - "fortinet-fortimanager", - "forwarded" - ] -} \ No newline at end of file diff --git a/packages/fortinet_fortimanager/1.1.2/docs/README.md b/packages/fortinet_fortimanager/1.1.2/docs/README.md deleted file mode 100755 index 11dc58117b..0000000000 --- a/packages/fortinet_fortimanager/1.1.2/docs/README.md +++ /dev/null 
@@ -1,990 +0,0 @@ -# Fortinet FortiManager Integration - -This integration is for Fortinet FortiManager logs sent in the syslog format. - -## Compatibility - -This integration has been tested against FortiOS version 6.0.x and 6.2.x. Versions above this are expected to work but have not been tested. - -### Log - -The `log` dataset collects JFortinet FortiManager logs. - -An example event for `log` looks as following: - -```json -{ - "@timestamp": "2016-01-29T06:09:59.000Z", - "agent": { - "ephemeral_id": "607e3bda-a938-4637-8dd4-02613e9144ac", - "id": "4e3f135a-d5f9-40b6-ae01-2c834ecbead0", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "8.0.0" - }, - "data_stream": { - "dataset": "fortinet_fortimanager.log", - "namespace": "ep", - "type": "logs" - }, - "destination": { - "bytes": 449, - "geo": { - "country_name": "sequa" - }, - "ip": [ - "10.44.173.44" - ], - "nat": { - "ip": "10.189.58.145", - "port": 5273 - }, - "port": 6125 - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "4e3f135a-d5f9-40b6-ae01-2c834ecbead0", - "snapshot": true, - "version": "8.0.0" - }, - "event": { - "action": "allow", - "agent_id_status": "verified", - "code": "sse", - "dataset": "fortinet_fortimanager.log", - "ingested": "2022-01-25T12:33:50Z", - "original": "logver=iusm devname=\"modtempo\" devid=\"olab\" vd=nto date=2016-1-29 time=6:09:59 logid=sse type=exercita subtype=der level=very-high eventtime=odoco logtime=ria srcip=10.20.234.169 srcport=1001 srcintf=eth5722 srcintfrole=vol dstip=10.44.173.44 dstport=6125 dstintf=enp0s3068 dstintfrole=nseq poluuid=itinvol sessionid=psa proto=21 action=allow policyid=ntium policytype=psaq crscore=13.800000 craction=eab crlevel=aliqu appcat=Ute service=lupt srccountry=dolore dstcountry=sequa trandisp=abo tranip=10.189.58.145 tranport=5273 duration=14.119000 sentbyte=7880 rcvdbyte=449 sentpkt=mqui app=nci\n", - "timezone": "+00:00" - }, - "input": { - "type": "udp" - }, - "log": { - "level": "very-high", - 
"source": { - "address": "172.30.0.4:60997" - } - }, - "network": { - "bytes": 8329 - }, - "observer": { - "egress": { - "interface": { - "name": "enp0s3068" - } - }, - "ingress": { - "interface": { - "name": "eth5722" - } - }, - "product": "FortiManager", - "type": "Configuration", - "vendor": "Fortinet" - }, - "related": { - "hosts": [ - "modtempo" - ], - "ip": [ - "10.189.58.145", - "10.20.234.169", - "10.44.173.44" - ] - }, - "rsa": { - "internal": { - "messageid": "generic_fortinetmgr_1" - }, - "misc": { - "action": [ - "allow" - ], - "category": "der", - "context": "abo", - "event_source": "modtempo", - "event_type": "exercita", - "hardware_id": "olab", - "log_session_id": "psa", - "policy_id": "ntium", - "reference_id": "sse", - "severity": "very-high", - "vsys": "nto" - }, - "network": { - "dinterface": "enp0s3068", - "network_service": "lupt", - "sinterface": "eth5722" - }, - "time": { - "duration_time": 14.119, - "event_time": "2016-01-29T06:09:59.000Z", - "event_time_str": "odoco" - }, - "web": { - "reputation_num": 13.8 - } - }, - "source": { - "bytes": 7880, - "geo": { - "country_name": "dolore" - }, - "ip": [ - "10.20.234.169" - ], - "port": 1001 - }, - "tags": [ - "preserve_original_event", - "fortinet-fortimanager", - "forwarded" - ] -} -``` - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. | date | -| client.domain | The domain name of the client system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. 
| keyword | -| client.registered_domain | The highest registered client domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | -| client.subdomain | The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword | -| client.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. 
| keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| destination.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| destination.as.organization.name | Organization name. | keyword | -| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. | match_only_text | -| destination.bytes | Bytes sent from the destination to the source. | long | -| destination.domain | The domain name of the destination system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | -| destination.geo.city_name | City name. | keyword | -| destination.geo.country_name | Country name. | keyword | -| destination.geo.location | Longitude and latitude. | geo_point | -| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | -| destination.mac | MAC address of the destination. 
The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | -| destination.nat.ip | Translated ip of destination based NAT sessions (e.g. internet to private DMZ) Typically used with load balancers, firewalls, or routers. | ip | -| destination.nat.port | Port the source session is translated to by NAT Device. Typically used with load balancers, firewalls, or routers. | long | -| destination.port | Port of the destination. | long | -| destination.registered_domain | The highest registered destination domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | -| destination.subdomain | The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword | -| destination.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). 
Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | -| dns.answers.name | The domain name to which this resource record pertains. If a chain of CNAME is being resolved, each answer's `name` should be the one that corresponds with the answer's `data`. It should not simply be the original `question.name` repeated. | keyword | -| dns.answers.type | The type of data contained in this resource record. | keyword | -| dns.question.domain | Server domain. | keyword | -| dns.question.registered_domain | The highest registered domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | -| dns.question.subdomain | The subdomain is all of the labels under the registered_domain. If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword | -| dns.question.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | -| dns.question.type | The type of record being queried. | keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. 
| keyword | -| error.message | Error message. | match_only_text | -| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword | -| event.code | Identification code for this event, if one exists. Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. | keyword | -| event.dataset | Event dataset | constant_keyword | -| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | -| event.module | Event module | constant_keyword | -| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | -| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. 
Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | -| event.timezone | This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). | keyword | -| file.attributes | Array of file attributes. Attributes names will vary by platform. Here's a non-exhaustive list of values that are expected in this field: archive, compressed, directory, encrypted, execute, hidden, read, readonly, system, write. | keyword | -| file.directory | Directory where the file is located. It should include the drive letter, when appropriate. | keyword | -| file.extension | File extension, excluding the leading dot. Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword | -| file.name | Name of the file including the extension, without the directory. | keyword | -| file.path | Full path to the file, including the file name. It should include the drive letter, when appropriate. | keyword | -| file.path.text | Multi-field of `file.path`. | match_only_text | -| file.size | File size in bytes. Only relevant when `file.type` is "file". | long | -| file.type | File type (file, dir, or symlink). | keyword | -| geo.city_name | City name. | keyword | -| geo.country_name | Country name. 
| keyword | -| geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | -| geo.region_name | Region name. | keyword | -| group.id | Unique identifier for the group on the system/platform. | keyword | -| group.name | Name of the group. | keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host MAC addresses. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. 
| keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| http.request.method | HTTP request method. The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field. | keyword | -| http.request.referrer | Referrer for this HTTP request. | keyword | -| input.type | Type of Filebeat input. | keyword | -| log.file.path | Full path to the log file this event came from. | keyword | -| log.flags | Flags for the log file. | keyword | -| log.level | Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). Some examples are `warn`, `err`, `i`, `informational`. | keyword | -| log.offset | Offset of the entry in the log file. | long | -| log.source.address | Source address from which the log event was read / sent from. | keyword | -| log.syslog.facility.code | The Syslog numeric facility of the log event, if available. According to RFCs 5424 and 3164, this value should be an integer between 0 and 23. | long | -| log.syslog.priority | Syslog numeric priority of the event, if available. According to RFCs 5424 and 3164, the priority is 8 \* facility + severity. This number is therefore expected to contain a value between 0 and 191. | long | -| log.syslog.severity.code | The Syslog numeric severity of the log event, if available. 
If the event source publishing via Syslog provides a different numeric severity value (e.g. firewall, IDS), your source's numeric severity should go to `event.severity`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `event.severity`. | long | -| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | -| network.application | When a specific application or service is identified from network connection details (source/dest IPs, ports, certificates, or wire format), this field captures the application's or service's name. For example, the original event identifies the network connection being from a specific web service in a `https` network connection, like `facebook` or `twitter`. The field value must be normalized to lowercase for querying. | keyword | -| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long | -| network.direction | Direction of the network traffic. Recommended values are: \* ingress \* egress \* inbound \* outbound \* internal \* external \* unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. 
Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword | -| network.forwarded_ip | Host IP address when the source IP address is the proxy. | ip | -| network.interface.name | | keyword | -| network.packets | Total packets transferred in both directions. If `source.packets` and `destination.packets` are known, `network.packets` is their sum. | long | -| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword | -| observer.egress.interface.name | Interface name as reported by the system. | keyword | -| observer.ingress.interface.name | Interface name as reported by the system. | keyword | -| observer.product | The product name of the observer. | keyword | -| observer.type | The type of the observer the data is coming from. There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. | keyword | -| observer.vendor | Vendor name of the observer. | keyword | -| observer.version | Observer version. | keyword | -| process.name | Process name. Sometimes called program name or similar. | keyword | -| process.name.text | Multi-field of `process.name`. | match_only_text | -| process.parent.name | Process name. Sometimes called program name or similar. | keyword | -| process.parent.name.text | Multi-field of `process.parent.name`. | match_only_text | -| process.parent.pid | Process id. | long | -| process.parent.title | Process title. The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. | keyword | -| process.parent.title.text | Multi-field of `process.parent.title`. | match_only_text | -| process.pid | Process id. 
| long | -| process.title | Process title. The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. | keyword | -| process.title.text | Multi-field of `process.title`. | match_only_text | -| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| related.user | All the user names or other user identifiers seen on the event. | keyword | -| rsa.counters.dclass_c1 | This is a generic counter key that should be used with the label dclass.c1.str only | long | -| rsa.counters.dclass_c1_str | This is a generic counter string key that should be used with the label dclass.c1 only | keyword | -| rsa.counters.dclass_c2 | This is a generic counter key that should be used with the label dclass.c2.str only | long | -| rsa.counters.dclass_c2_str | This is a generic counter string key that should be used with the label dclass.c2 only | keyword | -| rsa.counters.dclass_c3 | This is a generic counter key that should be used with the label dclass.c3.str only | long | -| rsa.counters.dclass_c3_str | This is a generic counter string key that should be used with the label dclass.c3 only | keyword | -| rsa.counters.dclass_r1 | This is a generic ratio key that should be used with the label dclass.r1.str only | keyword | -| rsa.counters.dclass_r1_str | This is a generic ratio string key that should be used with the label dclass.r1 only | keyword | -| rsa.counters.dclass_r2 | This is a generic ratio key that should be used with the label dclass.r2.str only | keyword | -| rsa.counters.dclass_r2_str | This is a generic ratio string key that should be used with the label dclass.r2 only | keyword | -| rsa.counters.dclass_r3 | This is a generic ratio key that should be used with the label dclass.r3.str only | keyword | -| 
rsa.counters.dclass_r3_str | This is a generic ratio string key that should be used with the label dclass.r3 only | keyword | -| rsa.counters.event_counter | This is used to capture the number of times an event repeated | long | -| rsa.crypto.cert_ca | This key is used to capture the Certificate signing authority only | keyword | -| rsa.crypto.cert_checksum | | keyword | -| rsa.crypto.cert_common | This key is used to capture the Certificate common name only | keyword | -| rsa.crypto.cert_error | This key captures the Certificate Error String | keyword | -| rsa.crypto.cert_host_cat | This key is used for the hostname category value of a certificate | keyword | -| rsa.crypto.cert_host_name | Deprecated key defined only in table map. | keyword | -| rsa.crypto.cert_issuer | | keyword | -| rsa.crypto.cert_keysize | | keyword | -| rsa.crypto.cert_serial | This key is used to capture the Certificate serial number only | keyword | -| rsa.crypto.cert_status | This key captures Certificate validation status | keyword | -| rsa.crypto.cert_subject | This key is used to capture the Certificate organization only | keyword | -| rsa.crypto.cert_username | | keyword | -| rsa.crypto.cipher_dst | This key is for Destination (Server) Cipher | keyword | -| rsa.crypto.cipher_size_dst | This key captures Destination (Server) Cipher Size | long | -| rsa.crypto.cipher_size_src | This key captures Source (Client) Cipher Size | long | -| rsa.crypto.cipher_src | This key is for Source (Client) Cipher | keyword | -| rsa.crypto.crypto | This key is used to capture the Encryption Type or Encryption Key only | keyword | -| rsa.crypto.d_certauth | | keyword | -| rsa.crypto.https_insact | | keyword | -| rsa.crypto.https_valid | | keyword | -| rsa.crypto.ike | IKE negotiation phase. 
| keyword | -| rsa.crypto.ike_cookie1 | ID of the negotiation — sent for ISAKMP Phase One | keyword | -| rsa.crypto.ike_cookie2 | ID of the negotiation — sent for ISAKMP Phase Two | keyword | -| rsa.crypto.peer | This key is for Encryption peer's IP Address | keyword | -| rsa.crypto.peer_id | This key is for Encryption peer’s identity | keyword | -| rsa.crypto.s_certauth | | keyword | -| rsa.crypto.scheme | This key captures the Encryption scheme used | keyword | -| rsa.crypto.sig_type | This key captures the Signature Type | keyword | -| rsa.crypto.ssl_ver_dst | Deprecated, use version | keyword | -| rsa.crypto.ssl_ver_src | Deprecated, use version | keyword | -| rsa.db.database | This key is used to capture the name of a database or an instance as seen in a session | keyword | -| rsa.db.db_id | This key is used to capture the unique identifier for a database | keyword | -| rsa.db.db_pid | This key captures the process id of a connection with database server | long | -| rsa.db.index | This key captures IndexID of the index. | keyword | -| rsa.db.instance | This key is used to capture the database server instance name | keyword | -| rsa.db.lread | This key is used for the number of logical reads | long | -| rsa.db.lwrite | This key is used for the number of logical writes | long | -| rsa.db.permissions | This key captures permission or privilege level assigned to a resource. 
| keyword | -| rsa.db.pread | This key is used for the number of physical writes | long | -| rsa.db.table_name | This key is used to capture the table name | keyword | -| rsa.db.transact_id | This key captures the SQL transantion ID of the current session | keyword | -| rsa.email.email | This key is used to capture a generic email address where the source or destination context is not clear | keyword | -| rsa.email.email_dst | This key is used to capture the Destination email address only, when the destination context is not clear use email | keyword | -| rsa.email.email_src | This key is used to capture the source email address only, when the source context is not clear use email | keyword | -| rsa.email.subject | This key is used to capture the subject string from an Email only. | keyword | -| rsa.email.trans_from | Deprecated key defined only in table map. | keyword | -| rsa.email.trans_to | Deprecated key defined only in table map. | keyword | -| rsa.endpoint.host_state | This key is used to capture the current state of the machine, such as \blacklisted\, \infected\, \firewall disabled\ and so on | keyword | -| rsa.endpoint.registry_key | This key captures the path to the registry key | keyword | -| rsa.endpoint.registry_value | This key captures values or decorators used within a registry entry | keyword | -| rsa.file.attachment | This key captures the attachment file name | keyword | -| rsa.file.binary | Deprecated key defined only in table map. 
| keyword | -| rsa.file.directory_dst | \This key is used to capture the directory of the target process or file\ | keyword | -| rsa.file.directory_src | This key is used to capture the directory of the source process or file | keyword | -| rsa.file.file_entropy | This is used to capture entropy vale of a file | double | -| rsa.file.file_vendor | This is used to capture Company name of file located in version_info | keyword | -| rsa.file.filename_dst | This is used to capture name of the file targeted by the action | keyword | -| rsa.file.filename_src | This is used to capture name of the parent filename, the file which performed the action | keyword | -| rsa.file.filename_tmp | | keyword | -| rsa.file.filesystem | | keyword | -| rsa.file.privilege | Deprecated, use permissions | keyword | -| rsa.file.task_name | This is used to capture name of the task | keyword | -| rsa.healthcare.patient_fname | This key is for First Names only, this is used for Healthcare predominantly to capture Patients information | keyword | -| rsa.healthcare.patient_id | This key captures the unique ID for a patient | keyword | -| rsa.healthcare.patient_lname | This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information | keyword | -| rsa.healthcare.patient_mname | This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information | keyword | -| rsa.identity.accesses | This key is used to capture actual privileges used in accessing an object | keyword | -| rsa.identity.auth_method | This key is used to capture authentication methods used only | keyword | -| rsa.identity.dn | X.500 (LDAP) Distinguished Name | keyword | -| rsa.identity.dn_dst | An X.500 (LDAP) Distinguished name that used in a context that indicates a Destination dn | keyword | -| rsa.identity.dn_src | An X.500 (LDAP) Distinguished name that is used in a context that indicates a Source dn | keyword | -| rsa.identity.federated_idp | This 
key is the federated Identity Provider. This is the server providing the authentication. | keyword | -| rsa.identity.federated_sp | This key is the Federated Service Provider. This is the application requesting authentication. | keyword | -| rsa.identity.firstname | This key is for First Names only, this is used for Healthcare predominantly to capture Patients information | keyword | -| rsa.identity.host_role | This key should only be used to capture the role of a Host Machine | keyword | -| rsa.identity.lastname | This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information | keyword | -| rsa.identity.ldap | This key is for Uninterpreted LDAP values. Ldap Values that don’t have a clear query or response context | keyword | -| rsa.identity.ldap_query | This key is the Search criteria from an LDAP search | keyword | -| rsa.identity.ldap_response | This key is to capture Results from an LDAP search | keyword | -| rsa.identity.logon_type | This key is used to capture the type of logon method used. | keyword | -| rsa.identity.logon_type_desc | This key is used to capture the textual description of an integer logon type as stored in the meta key 'logon.type'. 
| keyword | -| rsa.identity.middlename | This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information | keyword | -| rsa.identity.org | This key captures the User organization | keyword | -| rsa.identity.owner | This is used to capture username the process or service is running as, the author of the task | keyword | -| rsa.identity.password | This key is for Passwords seen in any session, plain text or encrypted | keyword | -| rsa.identity.profile | This key is used to capture the user profile | keyword | -| rsa.identity.realm | Radius realm or similar grouping of accounts | keyword | -| rsa.identity.service_account | This key is a windows specific key, used for capturing name of the account a service (referenced in the event) is running under. Legacy Usage | keyword | -| rsa.identity.user_dept | User's Department Names only | keyword | -| rsa.identity.user_role | This key is used to capture the Role of a user only | keyword | -| rsa.identity.user_sid_dst | This key captures Destination User Session ID | keyword | -| rsa.identity.user_sid_src | This key captures Source User Session ID | keyword | -| rsa.internal.audit_class | Deprecated key defined only in table map. | keyword | -| rsa.internal.cid | This is the unique identifier used to identify a NetWitness Concentrator. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | -| rsa.internal.data | Deprecated key defined only in table map. | keyword | -| rsa.internal.dead | Deprecated key defined only in table map. | long | -| rsa.internal.device_class | This is the Classification of the Log Event Source under a predefined fixed set of Event Source Classifications. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | -| rsa.internal.device_group | This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | -| rsa.internal.device_host | This is the Hostname of the log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | -| rsa.internal.device_ip | This is the IPv4 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | ip | -| rsa.internal.device_ipv6 | This is the IPv6 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | ip | -| rsa.internal.device_type | This is the name of the log parser which parsed a given session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | -| rsa.internal.device_type_id | Deprecated key defined only in table map. | long | -| rsa.internal.did | This is the unique identifier used to identify a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | -| rsa.internal.entropy_req | This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration | long | -| rsa.internal.entropy_res | This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration | long | -| rsa.internal.entry | Deprecated key defined only in table map. 
| keyword | -| rsa.internal.event_desc | | keyword | -| rsa.internal.event_name | Deprecated key defined only in table map. | keyword | -| rsa.internal.feed_category | This is used to capture the category of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | -| rsa.internal.feed_desc | This is used to capture the description of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | -| rsa.internal.feed_name | This is used to capture the name of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | -| rsa.internal.forward_ip | This key should be used to capture the IPV4 address of a relay system which forwarded the events from the original system to NetWitness. | ip | -| rsa.internal.forward_ipv6 | This key is used to capture the IPV6 address of a relay system which forwarded the events from the original system to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | ip | -| rsa.internal.hcode | Deprecated key defined only in table map. | keyword | -| rsa.internal.header_id | This is the Header ID value that identifies the exact log parser header definition that parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | -| rsa.internal.inode | Deprecated key defined only in table map. | long | -| rsa.internal.lc_cid | This is a unique Identifier of a Log Collector. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | -| rsa.internal.lc_ctime | This is the time at which a log is collected in a NetWitness Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | date | -| rsa.internal.level | Deprecated key defined only in table map. | long | -| rsa.internal.mcb_req | This key is only used by the Entropy Parser, the most common byte request is simply which byte for each side (0 thru 255) was seen the most | long | -| rsa.internal.mcb_res | This key is only used by the Entropy Parser, the most common byte response is simply which byte for each side (0 thru 255) was seen the most | long | -| rsa.internal.mcbc_req | This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams | long | -| rsa.internal.mcbc_res | This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams | long | -| rsa.internal.medium | This key is used to identify if it’s a log/packet session or Layer 2 Encapsulation Type. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. 32 = log, 33 = correlation session, < 32 is packet session | long | -| rsa.internal.message | This key captures the contents of instant messages | keyword | -| rsa.internal.messageid | | keyword | -| rsa.internal.msg | This key is used to capture the raw message that comes into the Log Decoder | keyword | -| rsa.internal.msg_id | This is the Message ID1 value that identifies the exact log parser definition which parses a particular log session. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | -| rsa.internal.msg_vid | This is the Message ID2 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | -| rsa.internal.node_name | Deprecated key defined only in table map. | keyword | -| rsa.internal.nwe_callback_id | This key denotes that event is endpoint related | keyword | -| rsa.internal.obj_id | Deprecated key defined only in table map. | keyword | -| rsa.internal.obj_server | Deprecated key defined only in table map. | keyword | -| rsa.internal.obj_val | Deprecated key defined only in table map. | keyword | -| rsa.internal.parse_error | This is a special key that stores any Meta key validation error found while parsing a log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | -| rsa.internal.payload_req | This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep | long | -| rsa.internal.payload_res | This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep | long | -| rsa.internal.process_vid_dst | Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the target process. | keyword | -| rsa.internal.process_vid_src | Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the source process. | keyword | -| rsa.internal.resource | Deprecated key defined only in table map. 
| keyword |
-| rsa.internal.resource_class | Deprecated key defined only in table map. | keyword |
-| rsa.internal.rid | This is a special ID of the Remote Session created by NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | long |
-| rsa.internal.session_split | This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword |
-| rsa.internal.site | Deprecated key defined only in table map. | keyword |
-| rsa.internal.size | This is the size of the session as seen by the NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | long |
-| rsa.internal.sourcefile | This is the name of the log file or PCAPs that can be imported into NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword |
-| rsa.internal.statement | Deprecated key defined only in table map. | keyword |
-| rsa.internal.time | This is the time at which a session hits a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. | date |
-| rsa.internal.ubc_req | This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once | long |
-| rsa.internal.ubc_res | This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 
256 would mean all byte values of 0 thru 255 were seen at least once | long |
-| rsa.internal.word | This is used by the Word Parsing technology to capture the first 5 character of every word in an unparsed log | keyword |
-| rsa.investigations.analysis_file | This is used to capture all indicators used in a File Analysis. This key should be used to capture an analysis of a file | keyword |
-| rsa.investigations.analysis_service | This is used to capture all indicators used in a Service Analysis. This key should be used to capture an analysis of a service | keyword |
-| rsa.investigations.analysis_session | This is used to capture all indicators used for a Session Analysis. This key should be used to capture an analysis of a session | keyword |
-| rsa.investigations.boc | This is used to capture behaviour of compromise | keyword |
-| rsa.investigations.ec_activity | This key captures the particular event activity(Ex:Logoff) | keyword |
-| rsa.investigations.ec_outcome | This key captures the outcome of a particular Event(Ex:Success) | keyword |
-| rsa.investigations.ec_subject | This key captures the Subject of a particular Event(Ex:User) | keyword |
-| rsa.investigations.ec_theme | This key captures the Theme of a particular Event(Ex:Authentication) | keyword |
-| rsa.investigations.eoc | This is used to capture Enablers of Compromise | keyword |
-| rsa.investigations.event_cat | This key captures the Event category number | long |
-| rsa.investigations.event_cat_name | This key captures the event category name corresponding to the event cat code | keyword |
-| rsa.investigations.event_vcat | This is a vendor supplied category. This should be used in situations where the vendor has adopted their own event_category taxonomy. 
| keyword |
-| rsa.investigations.inv_category | This used to capture investigation category | keyword |
-| rsa.investigations.inv_context | This used to capture investigation context | keyword |
-| rsa.investigations.ioc | This is key capture indicator of compromise | keyword |
-| rsa.misc.OS | This key captures the Name of the Operating System | keyword |
-| rsa.misc.acl_id | | keyword |
-| rsa.misc.acl_op | | keyword |
-| rsa.misc.acl_pos | | keyword |
-| rsa.misc.acl_table | | keyword |
-| rsa.misc.action | | keyword |
-| rsa.misc.admin | | keyword |
-| rsa.misc.agent_id | This key is used to capture agent id | keyword |
-| rsa.misc.alarm_id | | keyword |
-| rsa.misc.alarmname | | keyword |
-| rsa.misc.alert_id | Deprecated, New Hunting Model (inv.\*, ioc, boc, eoc, analysis.\*) | keyword |
-| rsa.misc.app_id | | keyword |
-| rsa.misc.audit | | keyword |
-| rsa.misc.audit_object | | keyword |
-| rsa.misc.auditdata | | keyword |
-| rsa.misc.autorun_type | This is used to capture Auto Run type | keyword |
-| rsa.misc.benchmark | | keyword |
-| rsa.misc.bypass | | keyword |
-| rsa.misc.cache | | keyword |
-| rsa.misc.cache_hit | | keyword |
-| rsa.misc.category | This key is used to capture the category of an event given by the vendor in the session | keyword |
-| rsa.misc.cc_number | Valid Credit Card Numbers only | long |
-| rsa.misc.cefversion | | keyword |
-| rsa.misc.cfg_attr | | keyword |
-| rsa.misc.cfg_obj | | keyword |
-| rsa.misc.cfg_path | | keyword |
-| rsa.misc.change_attrib | This key is used to capture the name of the attribute that’s changing in a session | keyword |
-| rsa.misc.change_new | This key is used to capture the new values of the attribute that’s changing in a session | keyword |
-| rsa.misc.change_old | This key is used to capture the old value of the attribute that’s changing in a session | keyword |
-| rsa.misc.changes | | keyword |
-| rsa.misc.checksum | This key is used to capture the checksum or hash of the entity such as a file or 
process. Checksum should be used over checksum.src or checksum.dst when it is unclear whether the entity is a source or target of an action. | keyword |
-| rsa.misc.checksum_dst | This key is used to capture the checksum or hash of the the target entity such as a process or file. | keyword |
-| rsa.misc.checksum_src | This key is used to capture the checksum or hash of the source entity such as a file or process. | keyword |
-| rsa.misc.client | This key is used to capture only the name of the client application requesting resources of the server. See the user.agent meta key for capture of the specific user agent identifier or browser identification string. | keyword |
-| rsa.misc.client_ip | | keyword |
-| rsa.misc.clustermembers | | keyword |
-| rsa.misc.cmd | | keyword |
-| rsa.misc.cn_acttimeout | | keyword |
-| rsa.misc.cn_asn_src | | keyword |
-| rsa.misc.cn_bgpv4nxthop | | keyword |
-| rsa.misc.cn_ctr_dst_code | | keyword |
-| rsa.misc.cn_dst_tos | | keyword |
-| rsa.misc.cn_dst_vlan | | keyword |
-| rsa.misc.cn_engine_id | | keyword |
-| rsa.misc.cn_engine_type | | keyword |
-| rsa.misc.cn_f_switch | | keyword |
-| rsa.misc.cn_flowsampid | | keyword |
-| rsa.misc.cn_flowsampintv | | keyword |
-| rsa.misc.cn_flowsampmode | | keyword |
-| rsa.misc.cn_inacttimeout | | keyword |
-| rsa.misc.cn_inpermbyts | | keyword |
-| rsa.misc.cn_inpermpckts | | keyword |
-| rsa.misc.cn_invalid | | keyword |
-| rsa.misc.cn_ip_proto_ver | | keyword |
-| rsa.misc.cn_ipv4_ident | | keyword |
-| rsa.misc.cn_l_switch | | keyword |
-| rsa.misc.cn_log_did | | keyword |
-| rsa.misc.cn_log_rid | | keyword |
-| rsa.misc.cn_max_ttl | | keyword |
-| rsa.misc.cn_maxpcktlen | | keyword |
-| rsa.misc.cn_min_ttl | | keyword |
-| rsa.misc.cn_minpcktlen | | keyword |
-| rsa.misc.cn_mpls_lbl_1 | | keyword |
-| rsa.misc.cn_mpls_lbl_10 | | keyword |
-| rsa.misc.cn_mpls_lbl_2 | | keyword |
-| rsa.misc.cn_mpls_lbl_3 | | keyword |
-| rsa.misc.cn_mpls_lbl_4 | | keyword |
-| rsa.misc.cn_mpls_lbl_5 | 
| keyword |
-| rsa.misc.cn_mpls_lbl_6 | | keyword |
-| rsa.misc.cn_mpls_lbl_7 | | keyword |
-| rsa.misc.cn_mpls_lbl_8 | | keyword |
-| rsa.misc.cn_mpls_lbl_9 | | keyword |
-| rsa.misc.cn_mplstoplabel | | keyword |
-| rsa.misc.cn_mplstoplabip | | keyword |
-| rsa.misc.cn_mul_dst_byt | | keyword |
-| rsa.misc.cn_mul_dst_pks | | keyword |
-| rsa.misc.cn_muligmptype | | keyword |
-| rsa.misc.cn_sampalgo | | keyword |
-| rsa.misc.cn_sampint | | keyword |
-| rsa.misc.cn_seqctr | | keyword |
-| rsa.misc.cn_spackets | | keyword |
-| rsa.misc.cn_src_tos | | keyword |
-| rsa.misc.cn_src_vlan | | keyword |
-| rsa.misc.cn_sysuptime | | keyword |
-| rsa.misc.cn_template_id | | keyword |
-| rsa.misc.cn_totbytsexp | | keyword |
-| rsa.misc.cn_totflowexp | | keyword |
-| rsa.misc.cn_totpcktsexp | | keyword |
-| rsa.misc.cn_unixnanosecs | | keyword |
-| rsa.misc.cn_v6flowlabel | | keyword |
-| rsa.misc.cn_v6optheaders | | keyword |
-| rsa.misc.code | | keyword |
-| rsa.misc.command | | keyword |
-| rsa.misc.comments | Comment information provided in the log message | keyword |
-| rsa.misc.comp_class | | keyword |
-| rsa.misc.comp_name | | keyword |
-| rsa.misc.comp_rbytes | | keyword |
-| rsa.misc.comp_sbytes | | keyword |
-| rsa.misc.comp_version | This key captures the Version level of a sub-component of a product. | keyword |
-| rsa.misc.connection_id | This key captures the Connection ID | keyword |
-| rsa.misc.content | This key captures the content type from protocol headers | keyword |
-| rsa.misc.content_type | This key is used to capture Content Type only. | keyword |
-| rsa.misc.content_version | This key captures Version level of a signature or database content. | keyword |
-| rsa.misc.context | This key captures Information which adds additional context to the event. 
| keyword |
-| rsa.misc.context_subject | This key is to be used in an audit context where the subject is the object being identified | keyword |
-| rsa.misc.context_target | | keyword |
-| rsa.misc.count | | keyword |
-| rsa.misc.cpu | This key is the CPU time used in the execution of the event being recorded. | long |
-| rsa.misc.cpu_data | | keyword |
-| rsa.misc.criticality | | keyword |
-| rsa.misc.cs_agency_dst | | keyword |
-| rsa.misc.cs_analyzedby | | keyword |
-| rsa.misc.cs_av_other | | keyword |
-| rsa.misc.cs_av_primary | | keyword |
-| rsa.misc.cs_av_secondary | | keyword |
-| rsa.misc.cs_bgpv6nxthop | | keyword |
-| rsa.misc.cs_bit9status | | keyword |
-| rsa.misc.cs_context | | keyword |
-| rsa.misc.cs_control | | keyword |
-| rsa.misc.cs_data | | keyword |
-| rsa.misc.cs_datecret | | keyword |
-| rsa.misc.cs_dst_tld | | keyword |
-| rsa.misc.cs_eth_dst_ven | | keyword |
-| rsa.misc.cs_eth_src_ven | | keyword |
-| rsa.misc.cs_event_uuid | | keyword |
-| rsa.misc.cs_filetype | | keyword |
-| rsa.misc.cs_fld | | keyword |
-| rsa.misc.cs_if_desc | | keyword |
-| rsa.misc.cs_if_name | | keyword |
-| rsa.misc.cs_ip_next_hop | | keyword |
-| rsa.misc.cs_ipv4dstpre | | keyword |
-| rsa.misc.cs_ipv4srcpre | | keyword |
-| rsa.misc.cs_lifetime | | keyword |
-| rsa.misc.cs_log_medium | | keyword |
-| rsa.misc.cs_loginname | | keyword |
-| rsa.misc.cs_modulescore | | keyword |
-| rsa.misc.cs_modulesign | | keyword |
-| rsa.misc.cs_opswatresult | | keyword |
-| rsa.misc.cs_payload | | keyword |
-| rsa.misc.cs_registrant | | keyword |
-| rsa.misc.cs_registrar | | keyword |
-| rsa.misc.cs_represult | | keyword |
-| rsa.misc.cs_rpayload | | keyword |
-| rsa.misc.cs_sampler_name | | keyword |
-| rsa.misc.cs_sourcemodule | | keyword |
-| rsa.misc.cs_streams | | keyword |
-| rsa.misc.cs_targetmodule | | keyword |
-| rsa.misc.cs_v6nxthop | | keyword |
-| rsa.misc.cs_whois_server | | keyword |
-| rsa.misc.cs_yararesult | | keyword |
-| rsa.misc.cve | This key captures 
CVE (Common Vulnerabilities and Exposures) - an identifier for known information security vulnerabilities. | keyword |
-| rsa.misc.data_type | | keyword |
-| rsa.misc.description | | keyword |
-| rsa.misc.device_name | This is used to capture name of the Device associated with the node Like: a physical disk, printer, etc | keyword |
-| rsa.misc.devvendor | | keyword |
-| rsa.misc.disposition | This key captures the The end state of an action. | keyword |
-| rsa.misc.distance | | keyword |
-| rsa.misc.doc_number | This key captures File Identification number | long |
-| rsa.misc.dstburb | | keyword |
-| rsa.misc.edomain | | keyword |
-| rsa.misc.edomaub | | keyword |
-| rsa.misc.ein_number | Employee Identification Numbers only | long |
-| rsa.misc.error | This key captures All non successful Error codes or responses | keyword |
-| rsa.misc.euid | | keyword |
-| rsa.misc.event_category | | keyword |
-| rsa.misc.event_computer | This key is a windows only concept, where this key is used to capture fully qualified domain name in a windows log. | keyword |
-| rsa.misc.event_desc | This key is used to capture a description of an event available directly or inferred | keyword |
-| rsa.misc.event_id | | keyword |
-| rsa.misc.event_log | This key captures the Name of the event log | keyword |
-| rsa.misc.event_source | This key captures Source of the event that’s not a hostname | keyword |
-| rsa.misc.event_state | This key captures the current state of the object/item referenced within the event. Describing an on-going event. | keyword |
-| rsa.misc.event_type | This key captures the event category type as specified by the event source. | keyword |
-| rsa.misc.event_user | This key is a windows only concept, where this key is used to capture combination of domain name and username in a windows log. | keyword |
-| rsa.misc.expected_val | This key captures the Value expected (from the perspective of the device generating the log). 
| keyword |
-| rsa.misc.facility | | keyword |
-| rsa.misc.facilityname | | keyword |
-| rsa.misc.fcatnum | This key captures Filter Category Number. Legacy Usage | keyword |
-| rsa.misc.filter | This key captures Filter used to reduce result set | keyword |
-| rsa.misc.finterface | | keyword |
-| rsa.misc.flags | | keyword |
-| rsa.misc.forensic_info | | keyword |
-| rsa.misc.found | This is used to capture the results of regex match | keyword |
-| rsa.misc.fresult | This key captures the Filter Result | long |
-| rsa.misc.gaddr | | keyword |
-| rsa.misc.group | This key captures the Group Name value | keyword |
-| rsa.misc.group_id | This key captures Group ID Number (related to the group name) | keyword |
-| rsa.misc.group_object | This key captures a collection/grouping of entities. Specific usage | keyword |
-| rsa.misc.hardware_id | This key is used to capture unique identifier for a device or system (NOT a Mac address) | keyword |
-| rsa.misc.id3 | | keyword |
-| rsa.misc.im_buddyid | | keyword |
-| rsa.misc.im_buddyname | | keyword |
-| rsa.misc.im_client | | keyword |
-| rsa.misc.im_croomid | | keyword |
-| rsa.misc.im_croomtype | | keyword |
-| rsa.misc.im_members | | keyword |
-| rsa.misc.im_userid | | keyword |
-| rsa.misc.im_username | | keyword |
-| rsa.misc.index | | keyword |
-| rsa.misc.inout | | keyword |
-| rsa.misc.ipkt | | keyword |
-| rsa.misc.ipscat | | keyword |
-| rsa.misc.ipspri | | keyword |
-| rsa.misc.job_num | This key captures the Job Number | keyword |
-| rsa.misc.jobname | | keyword |
-| rsa.misc.language | This is used to capture list of languages the client support and what it prefers | keyword |
-| rsa.misc.latitude | | keyword |
-| rsa.misc.library | This key is used to capture library information in mainframe devices | keyword |
-| rsa.misc.lifetime | This key is used to capture the session lifetime in seconds. | long |
-| rsa.misc.linenum | | keyword |
-| rsa.misc.link | This key is used to link the sessions together. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword |
-| rsa.misc.list_name | | keyword |
-| rsa.misc.listnum | This key is used to capture listname or listnumber, primarily for collecting access-list | keyword |
-| rsa.misc.load_data | | keyword |
-| rsa.misc.location_floor | | keyword |
-| rsa.misc.location_mark | | keyword |
-| rsa.misc.log_id | | keyword |
-| rsa.misc.log_session_id | This key is used to capture a sessionid from the session directly | keyword |
-| rsa.misc.log_session_id1 | This key is used to capture a Linked (Related) Session ID from the session directly | keyword |
-| rsa.misc.log_type | | keyword |
-| rsa.misc.logid | | keyword |
-| rsa.misc.logip | | keyword |
-| rsa.misc.logname | | keyword |
-| rsa.misc.longitude | | keyword |
-| rsa.misc.lport | | keyword |
-| rsa.misc.mail_id | This key is used to capture the mailbox id/name | keyword |
-| rsa.misc.match | This key is for regex match name from search.ini | keyword |
-| rsa.misc.mbug_data | | keyword |
-| rsa.misc.message_body | This key captures the The contents of the message body. | keyword |
-| rsa.misc.misc | | keyword |
-| rsa.misc.misc_name | | keyword |
-| rsa.misc.mode | | keyword |
-| rsa.misc.msgIdPart1 | | keyword |
-| rsa.misc.msgIdPart2 | | keyword |
-| rsa.misc.msgIdPart3 | | keyword |
-| rsa.misc.msgIdPart4 | | keyword |
-| rsa.misc.msg_type | | keyword |
-| rsa.misc.msgid | | keyword |
-| rsa.misc.name | | keyword |
-| rsa.misc.netsessid | | keyword |
-| rsa.misc.node | Common use case is the node name within a cluster. The cluster name is reflected by the host name. 
| keyword |
-| rsa.misc.ntype | | keyword |
-| rsa.misc.num | | keyword |
-| rsa.misc.number | | keyword |
-| rsa.misc.number1 | | keyword |
-| rsa.misc.number2 | | keyword |
-| rsa.misc.nwwn | | keyword |
-| rsa.misc.obj_name | This is used to capture name of object | keyword |
-| rsa.misc.obj_type | This is used to capture type of object | keyword |
-| rsa.misc.object | | keyword |
-| rsa.misc.observed_val | This key captures the Value observed (from the perspective of the device generating the log). | keyword |
-| rsa.misc.operation | | keyword |
-| rsa.misc.operation_id | An alert number or operation number. The values should be unique and non-repeating. | keyword |
-| rsa.misc.opkt | | keyword |
-| rsa.misc.orig_from | | keyword |
-| rsa.misc.owner_id | | keyword |
-| rsa.misc.p_action | | keyword |
-| rsa.misc.p_filter | | keyword |
-| rsa.misc.p_group_object | | keyword |
-| rsa.misc.p_id | | keyword |
-| rsa.misc.p_msgid | | keyword |
-| rsa.misc.p_msgid1 | | keyword |
-| rsa.misc.p_msgid2 | | keyword |
-| rsa.misc.p_result1 | | keyword |
-| rsa.misc.param | This key is the parameters passed as part of a command or application, etc. | keyword |
-| rsa.misc.param_dst | This key captures the command line/launch argument of the target process or file | keyword |
-| rsa.misc.param_src | This key captures source parameter | keyword |
-| rsa.misc.parent_node | This key captures the Parent Node Name. Must be related to node variable. 
| keyword |
-| rsa.misc.password_chg | | keyword |
-| rsa.misc.password_expire | | keyword |
-| rsa.misc.payload_dst | This key is used to capture destination payload | keyword |
-| rsa.misc.payload_src | This key is used to capture source payload | keyword |
-| rsa.misc.permgranted | | keyword |
-| rsa.misc.permwanted | | keyword |
-| rsa.misc.pgid | | keyword |
-| rsa.misc.phone | | keyword |
-| rsa.misc.pid | | keyword |
-| rsa.misc.policy | | keyword |
-| rsa.misc.policyUUID | | keyword |
-| rsa.misc.policy_id | This key is used to capture the Policy ID only, this should be a numeric value, use policy.name otherwise | keyword |
-| rsa.misc.policy_name | This key is used to capture the Policy Name only. | keyword |
-| rsa.misc.policy_value | This key captures the contents of the policy. This contains details about the policy | keyword |
-| rsa.misc.policy_waiver | | keyword |
-| rsa.misc.pool_id | This key captures the identifier (typically numeric field) of a resource pool | keyword |
-| rsa.misc.pool_name | This key captures the name of a resource pool | keyword |
-| rsa.misc.port_name | This key is used for Physical or logical port connection but does NOT include a network port. (Example: Printer port name). | keyword |
-| rsa.misc.priority | | keyword |
-| rsa.misc.process_id_val | This key is a failure key for Process ID when it is not an integer value | keyword |
-| rsa.misc.prog_asp_num | | keyword |
-| rsa.misc.program | | keyword |
-| rsa.misc.real_data | | keyword |
-| rsa.misc.reason | | keyword |
-| rsa.misc.rec_asp_device | | keyword |
-| rsa.misc.rec_asp_num | | keyword |
-| rsa.misc.rec_library | | keyword |
-| rsa.misc.recordnum | | keyword |
-| rsa.misc.reference_id | This key is used to capture an event id from the session directly | keyword |
-| rsa.misc.reference_id1 | This key is for Linked ID to be used as an addition to "reference.id" | keyword |
-| rsa.misc.reference_id2 | This key is for the 2nd Linked ID. 
Can be either linked to "reference.id" or "reference.id1" value but should not be used unless the other two variables are in play. | keyword |
-| rsa.misc.result | This key is used to capture the outcome/result string value of an action in a session. | keyword |
-| rsa.misc.result_code | This key is used to capture the outcome/result numeric value of an action in a session | keyword |
-| rsa.misc.risk | This key captures the non-numeric risk value | keyword |
-| rsa.misc.risk_info | Deprecated, use New Hunting Model (inv.\*, ioc, boc, eoc, analysis.\*) | keyword |
-| rsa.misc.risk_num | This key captures a Numeric Risk value | double |
-| rsa.misc.risk_num_comm | This key captures Risk Number Community | double |
-| rsa.misc.risk_num_next | This key captures Risk Number NextGen | double |
-| rsa.misc.risk_num_sand | This key captures Risk Number SandBox | double |
-| rsa.misc.risk_num_static | This key captures Risk Number Static | double |
-| rsa.misc.risk_suspicious | Deprecated, use New Hunting Model (inv.\*, ioc, boc, eoc, analysis.\*) | keyword |
-| rsa.misc.risk_warning | Deprecated, use New Hunting Model (inv.\*, ioc, boc, eoc, analysis.\*) | keyword |
-| rsa.misc.ruid | | keyword |
-| rsa.misc.rule | This key captures the Rule number | keyword |
-| rsa.misc.rule_group | This key captures the Rule group name | keyword |
-| rsa.misc.rule_name | This key captures the Rule Name | keyword |
-| rsa.misc.rule_template | A default set of parameters which are overlayed onto a rule (or rulename) which efffectively constitutes a template | keyword |
-| rsa.misc.rule_uid | This key is the Unique Identifier for a rule. | keyword |
-| rsa.misc.sburb | | keyword |
-| rsa.misc.sdomain_fld | | keyword |
-| rsa.misc.search_text | This key captures the Search Text used | keyword |
-| rsa.misc.sec | | keyword |
-| rsa.misc.second | | keyword |
-| rsa.misc.sensor | This key captures Name of the sensor. 
Typically used in IDS/IPS based devices | keyword |
-| rsa.misc.sensorname | | keyword |
-| rsa.misc.seqnum | | keyword |
-| rsa.misc.serial_number | This key is the Serial number associated with a physical asset. | keyword |
-| rsa.misc.session | | keyword |
-| rsa.misc.sessiontype | | keyword |
-| rsa.misc.severity | This key is used to capture the severity given the session | keyword |
-| rsa.misc.sigUUID | | keyword |
-| rsa.misc.sig_id | This key captures IDS/IPS Int Signature ID | long |
-| rsa.misc.sig_id1 | This key captures IDS/IPS Int Signature ID. This must be linked to the sig.id | long |
-| rsa.misc.sig_id_str | This key captures a string object of the sigid variable. | keyword |
-| rsa.misc.sig_name | This key is used to capture the Signature Name only. | keyword |
-| rsa.misc.sigcat | | keyword |
-| rsa.misc.snmp_oid | SNMP Object Identifier | keyword |
-| rsa.misc.snmp_value | SNMP set request value | keyword |
-| rsa.misc.space | | keyword |
-| rsa.misc.space1 | | keyword |
-| rsa.misc.spi | | keyword |
-| rsa.misc.spi_dst | Destination SPI Index | keyword |
-| rsa.misc.spi_src | Source SPI Index | keyword |
-| rsa.misc.sql | This key captures the SQL query | keyword |
-| rsa.misc.srcburb | | keyword |
-| rsa.misc.srcdom | | keyword |
-| rsa.misc.srcservice | | keyword |
-| rsa.misc.state | | keyword |
-| rsa.misc.status | | keyword |
-| rsa.misc.status1 | | keyword |
-| rsa.misc.streams | This key captures number of streams in session | long |
-| rsa.misc.subcategory | | keyword |
-| rsa.misc.svcno | | keyword |
-| rsa.misc.system | | keyword |
-| rsa.misc.tbdstr1 | | keyword |
-| rsa.misc.tbdstr2 | | keyword |
-| rsa.misc.tcp_flags | This key is captures the TCP flags set in any packet of session | long |
-| rsa.misc.terminal | This key captures the Terminal Names only | keyword |
-| rsa.misc.tgtdom | | keyword |
-| rsa.misc.tgtdomain | | keyword |
-| rsa.misc.threshold | | keyword |
-| rsa.misc.tos | This key describes the type of service | long 
|
-| rsa.misc.trigger_desc | This key captures the Description of the trigger or threshold condition. | keyword |
-| rsa.misc.trigger_val | This key captures the Value of the trigger or threshold condition. | keyword |
-| rsa.misc.type | | keyword |
-| rsa.misc.type1 | | keyword |
-| rsa.misc.udb_class | | keyword |
-| rsa.misc.url_fld | | keyword |
-| rsa.misc.user_div | | keyword |
-| rsa.misc.userid | | keyword |
-| rsa.misc.username_fld | | keyword |
-| rsa.misc.utcstamp | | keyword |
-| rsa.misc.v_instafname | | keyword |
-| rsa.misc.version | This key captures Version of the application or OS which is generating the event. | keyword |
-| rsa.misc.virt_data | | keyword |
-| rsa.misc.virusname | This key captures the name of the virus | keyword |
-| rsa.misc.vm_target | VMWare Target \*\*VMWARE\*\* only varaible. | keyword |
-| rsa.misc.vpnid | | keyword |
-| rsa.misc.vsys | This key captures Virtual System Name | keyword |
-| rsa.misc.vuln_ref | This key captures the Vulnerability Reference details | keyword |
-| rsa.misc.workspace | This key captures Workspace Description | keyword |
-| rsa.network.ad_computer_dst | Deprecated, use host.dst | keyword |
-| rsa.network.addr | | keyword |
-| rsa.network.alias_host | This key should be used when the source or destination context of a hostname is not clear.Also it captures the Device Hostname. Any Hostname that isnt ad.computer. 
| keyword |
-| rsa.network.dinterface | This key should only be used when it’s a Destination Interface | keyword |
-| rsa.network.dmask | This key is used for Destionation Device network mask | keyword |
-| rsa.network.dns_a_record | | keyword |
-| rsa.network.dns_cname_record | | keyword |
-| rsa.network.dns_id | | keyword |
-| rsa.network.dns_opcode | | keyword |
-| rsa.network.dns_ptr_record | | keyword |
-| rsa.network.dns_resp | | keyword |
-| rsa.network.dns_type | | keyword |
-| rsa.network.domain | | keyword |
-| rsa.network.domain1 | | keyword |
-| rsa.network.eth_host | Deprecated, use alias.mac | keyword |
-| rsa.network.eth_type | This key is used to capture Ethernet Type, Used for Layer 3 Protocols Only | long |
-| rsa.network.faddr | | keyword |
-| rsa.network.fhost | | keyword |
-| rsa.network.fport | | keyword |
-| rsa.network.gateway | This key is used to capture the IP Address of the gateway | keyword |
-| rsa.network.host_dst | This key should only be used when it’s a Destination Hostname | keyword |
-| rsa.network.host_orig | This is used to capture the original hostname in case of a Forwarding Agent or a Proxy in between. | keyword |
-| rsa.network.host_type | | keyword |
-| rsa.network.icmp_code | This key is used to capture the ICMP code only | long |
-| rsa.network.icmp_type | This key is used to capture the ICMP type only | long |
-| rsa.network.interface | This key should be used when the source or destination context of an interface is not clear | keyword |
-| rsa.network.ip_proto | This key should be used to capture the Protocol number, all the protocol nubers are converted into string in UI | long |
-| rsa.network.laddr | | keyword |
-| rsa.network.lhost | | keyword |
-| rsa.network.linterface | | keyword |
-| rsa.network.mask | This key is used to capture the device network IPmask. | keyword |
-| rsa.network.netname | This key is used to capture the network name associated with an IP range. This is configured by the end user. 
| keyword |
-| rsa.network.network_port | Deprecated, use port. NOTE: There is a type discrepancy as currently used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!) | long |
-| rsa.network.network_service | This is used to capture layer 7 protocols/service names | keyword |
-| rsa.network.origin | | keyword |
-| rsa.network.packet_length | | keyword |
-| rsa.network.paddr | Deprecated | ip |
-| rsa.network.phost | | keyword |
-| rsa.network.port | This key should only be used to capture a Network Port when the directionality is not clear | long |
-| rsa.network.protocol_detail | This key should be used to capture additional protocol information | keyword |
-| rsa.network.remote_domain_id | | keyword |
-| rsa.network.rpayload | This key is used to capture the total number of payload bytes seen in the retransmitted packets. | keyword |
-| rsa.network.sinterface | This key should only be used when it’s a Source Interface | keyword |
-| rsa.network.smask | This key is used for capturing source Network Mask | keyword |
-| rsa.network.vlan | This key should only be used to capture the ID of the Virtual LAN | long |
-| rsa.network.vlan_name | This key should only be used to capture the name of the Virtual LAN | keyword |
-| rsa.network.zone | This key should be used when the source or destination context of a Zone is not clear | keyword |
-| rsa.network.zone_dst | This key should only be used when it’s a Destination Zone. | keyword |
-| rsa.network.zone_src | This key should only be used when it’s a Source Zone. | keyword |
-| rsa.physical.org_dst | This is used to capture the destination organization based on the GEOPIP Maxmind database. | keyword |
-| rsa.physical.org_src | This is used to capture the source organization based on the GEOPIP Maxmind database. 
| keyword |
-| rsa.storage.disk_volume | A unique name assigned to logical units (volumes) within a physical disk | keyword |
-| rsa.storage.lun | Logical Unit Number.This key is a very useful concept in Storage. | keyword |
-| rsa.storage.pwwn | This uniquely identifies a port on a HBA. | keyword |
-| rsa.threat.alert | This key is used to capture name of the alert | keyword |
-| rsa.threat.threat_category | This key captures Threat Name/Threat Category/Categorization of alert | keyword |
-| rsa.threat.threat_desc | This key is used to capture the threat description from the session directly or inferred | keyword |
-| rsa.threat.threat_source | This key is used to capture source of the threat | keyword |
-| rsa.time.date | | keyword |
-| rsa.time.datetime | | keyword |
-| rsa.time.day | | keyword |
-| rsa.time.duration_str | A text string version of the duration | keyword |
-| rsa.time.duration_time | This key is used to capture the normalized duration/lifetime in seconds. | double |
-| rsa.time.effective_time | This key is the effective time referenced by an individual event in a Standard Timestamp format | date |
-| rsa.time.endtime | This key is used to capture the End time mentioned in a session in a standard form | date |
-| rsa.time.event_queue_time | This key is the Time that the event was queued. | date |
-| rsa.time.event_time | This key is used to capture the time mentioned in a raw session that represents the actual time an event occured in a standard normalized form | date |
-| rsa.time.event_time_str | This key is used to capture the incomplete time mentioned in a session as a string | keyword |
-| rsa.time.eventtime | | keyword |
-| rsa.time.expire_time | This key is the timestamp that explicitly refers to an expiration. | date |
-| rsa.time.expire_time_str | This key is used to capture incomplete timestamp that explicitly refers to an expiration. 
| keyword |
-| rsa.time.gmtdate | | keyword |
-| rsa.time.gmttime | | keyword |
-| rsa.time.hour | | keyword |
-| rsa.time.min | | keyword |
-| rsa.time.month | | keyword |
-| rsa.time.p_date | | keyword |
-| rsa.time.p_month | | keyword |
-| rsa.time.p_time | | keyword |
-| rsa.time.p_time1 | | keyword |
-| rsa.time.p_time2 | | keyword |
-| rsa.time.p_year | | keyword |
-| rsa.time.process_time | Deprecated, use duration.time | keyword |
-| rsa.time.recorded_time | The event time as recorded by the system the event is collected from. The usage scenario is a multi-tier application where the management layer of the system records it's own timestamp at the time of collection from its child nodes. Must be in timestamp format. | date |
-| rsa.time.stamp | Deprecated key defined only in table map. | date |
-| rsa.time.starttime | This key is used to capture the Start time mentioned in a session in a standard form | date |
-| rsa.time.timestamp | | keyword |
-| rsa.time.timezone | This key is used to capture the timezone of the Event Time | keyword |
-| rsa.time.tzone | | keyword |
-| rsa.time.year | | keyword |
-| rsa.web.alias_host | | keyword |
-| rsa.web.cn_asn_dst | | keyword |
-| rsa.web.cn_rpackets | | keyword |
-| rsa.web.fqdn | Fully Qualified Domain Names | keyword |
-| rsa.web.p_url | | keyword |
-| rsa.web.p_user_agent | | keyword |
-| rsa.web.p_web_cookie | | keyword |
-| rsa.web.p_web_method | | keyword |
-| rsa.web.p_web_referer | | keyword |
-| rsa.web.remote_domain | | keyword |
-| rsa.web.reputation_num | Reputation Number of an entity. Typically used for Web Domains | double |
-| rsa.web.urlpage | | keyword |
-| rsa.web.urlroot | | keyword |
-| rsa.web.web_cookie | This key is used to capture the Web cookies specifically. 
| keyword |
-| rsa.web.web_extension_tmp | | keyword |
-| rsa.web.web_page | | keyword |
-| rsa.web.web_ref_domain | Web referer's domain | keyword |
-| rsa.web.web_ref_page | This key captures Web referer's page information | keyword |
-| rsa.web.web_ref_query | This key captures Web referer's query portion of the URL | keyword |
-| rsa.web.web_ref_root | Web referer's root URL path | keyword |
-| rsa.wireless.access_point | This key is used to capture the access point name. | keyword |
-| rsa.wireless.wlan_channel | This is used to capture the channel names | long |
-| rsa.wireless.wlan_name | This key captures either WLAN number/name | keyword |
-| rsa.wireless.wlan_ssid | This key is used to capture the ssid of a Wireless Session | keyword |
-| rule.name | The name of the rule or signature generating the event. | keyword |
-| server.domain | The domain name of the server system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword |
-| server.registered_domain | The highest registered server domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword |
-| server.subdomain | The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east".
If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword |
-| server.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword |
-| service.name | Name of the service data is collected from. The name of the service is normally user given. This allows for distributed services that run on multiple hosts to correlate the related instances based on the name. In the case of Elasticsearch the `service.name` could contain the cluster name. For Beats the `service.name` is by default a copy of the `service.type` field if no name is specified. | keyword |
-| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
-| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long |
-| source.as.organization.name | Organization name. | keyword |
-| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text |
-| source.bytes | Bytes sent from the source to the destination. | long |
-| source.domain | The domain name of the source system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword |
-| source.geo.city_name | City name.
| keyword |
-| source.geo.country_name | Country name. | keyword |
-| source.geo.location | Longitude and latitude. | geo_point |
-| source.ip | IP address of the source (IPv4 or IPv6). | ip |
-| source.mac | MAC address of the source. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword |
-| source.nat.ip | Translated ip of source based NAT sessions (e.g. internal client to internet) Typically connections traversing load balancers, firewalls, or routers. | ip |
-| source.nat.port | Translated port of source based NAT sessions. (e.g. internal client to internet) Typically used with load balancers, firewalls, or routers. | long |
-| source.port | Port of the source. | long |
-| source.registered_domain | The highest registered source domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword |
-| source.subdomain | The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword |
-| source.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name.
For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword |
-| tags | List of keywords used to tag each event. | keyword |
-| url.domain | Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. | keyword |
-| url.extension | The field contains the file extension from the original request url, excluding the leading dot. The file extension is only set if it exists, as not every url has a file extension. The leading period must not be included. For example, the value must be "png", not ".png". Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword |
-| url.fragment | Portion of the url after the `#`, such as "top". The `#` is not part of the fragment. | keyword |
-| url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | wildcard |
-| url.original.text | Multi-field of `url.original`. | match_only_text |
-| url.path | Path of the request, such as "/search". | wildcard |
-| url.query | The query field describes the query string of the request, such as "q=elasticsearch". The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string.
The `exists` query can be used to differentiate between the two cases. | keyword |
-| url.registered_domain | The highest registered url domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword |
-| url.scheme | Scheme of the request, such as "https". Note: The `:` is not part of the scheme. | keyword |
-| url.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword |
-| user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword |
-| user.full_name | User's full name, if available. | keyword |
-| user.full_name.text | Multi-field of `user.full_name`. | match_only_text |
-| user.id | Unique identifier of the user. | keyword |
-| user.name | Short name or login of the user. | keyword |
-| user.name.text | Multi-field of `user.name`. | match_only_text |
-| user_agent.original | Unparsed user_agent string. | keyword |
-| user_agent.original.text | Multi-field of `user_agent.original`. | match_only_text |
diff --git a/packages/fortinet_fortimanager/1.1.2/img/fortinet-logo.svg b/packages/fortinet_fortimanager/1.1.2/img/fortinet-logo.svg
deleted file mode 100755
index d6a8448f32..0000000000
--- a/packages/fortinet_fortimanager/1.1.2/img/fortinet-logo.svg
+++ /dev/null
@@ -1,9 +0,0 @@ - - - - - - - - -
diff --git a/packages/fortinet_fortimanager/1.1.2/manifest.yml b/packages/fortinet_fortimanager/1.1.2/manifest.yml
deleted file mode 100755
index 4c40073a85..0000000000
--- a/packages/fortinet_fortimanager/1.1.2/manifest.yml
+++ /dev/null
@@ -1,32 +0,0 @@
-name: fortinet_fortimanager
-title: Fortinet FortiManager Logs
-version: 1.1.2
-release: ga
-description: Collect logs from Fortinet FortiManager instances with Elastic Agent.
-type: integration
-format_version: 1.0.0
-license: basic
-categories: ["security"]
-conditions:
- kibana.version: "^7.14.1 || ^8.0.0"
-icons:
- - src: /img/fortinet-logo.svg
- title: Fortinet
- size: 216x216
- type: image/svg+xml
-policy_templates:
- - name: fortinet_fortimanager
- title: Fortinet FortiManager logs
- description: Collect logs from Fortinet FortiManager instances
- inputs:
- - type: logfile
- title: "Collect Fortinet FortiManager logs (input: logfile)"
- description: "Collecting logs from Fortinet FortiManager instances (input: logfile)"
- - type: tcp
- title: "Collect Fortinet FortiManager logs (input: tcp)"
- description: "Collecting logs from Fortinet FortiManager instances (input: tcp)"
- - type: udp
- title: "Collect Fortinet FortiManager logs (input: udp)"
- description: "Collecting logs from Fortinet FortiManager instances (input: udp)"
-owner:
- github: elastic/security-external-integrations
diff --git a/packages/hid_bravura_monitor/1.2.2/LICENSE.txt b/packages/hid_bravura_monitor/1.2.2/LICENSE.txt
deleted file mode 100755
index 809108b857..0000000000
--- a/packages/hid_bravura_monitor/1.2.2/LICENSE.txt
+++ /dev/null
@@ -1,93 +0,0 @@
-Elastic License 2.0
-
-URL: https://www.elastic.co/licensing/elastic-license
-
-## Acceptance
-
-By using the software, you agree to all of the terms and conditions below.
-
-## Copyright License
-
-The licensor grants you a non-exclusive, royalty-free, worldwide,
-non-sublicensable, non-transferable license to use, copy, distribute, make
-available, and prepare derivative works of the software, in each case subject to
-the limitations and conditions below.
-
-## Limitations
-
-You may not provide the software to third parties as a hosted or managed
-service, where the service provides users with access to any substantial set of
-the features or functionality of the software.
-
-You may not move, change, disable, or circumvent the license key functionality
-in the software, and you may not remove or obscure any functionality in the
-software that is protected by the license key.
-
-You may not alter, remove, or obscure any licensing, copyright, or other notices
-of the licensor in the software. Any use of the licensor’s trademarks is subject
-to applicable law.
-
-## Patents
-
-The licensor grants you a license, under any patent claims the licensor can
-license, or becomes able to license, to make, have made, use, sell, offer for
-sale, import and have imported the software, in each case subject to the
-limitations and conditions in this license. This license does not cover any
-patent claims that you cause to be infringed by modifications or additions to
-the software. If you or your company make any written claim that the software
-infringes or contributes to infringement of any patent, your patent license for
-the software granted under these terms ends immediately. If your company makes
-such a claim, your patent license ends immediately for work on behalf of your
-company.
-
-## Notices
-
-You must ensure that anyone who gets a copy of any part of the software from you
-also gets a copy of these terms.
-
-If you modify the software, you must include in any modified copies of the
-software prominent notices stating that you have modified the software.
-
-## No Other Rights
-
-These terms do not imply any licenses other than those expressly granted in
-these terms.
-
-## Termination
-
-If you use the software in violation of these terms, such use is not licensed,
-and your licenses will automatically terminate. If the licensor provides you
-with a notice of your violation, and you cease all violation of this license no
-later than 30 days after you receive that notice, your licenses will be
-reinstated retroactively. However, if you violate these terms after such
-reinstatement, any additional violation of these terms will cause your licenses
-to terminate automatically and permanently.
-
-## No Liability
-
-*As far as the law allows, the software comes as is, without any warranty or
-condition, and the licensor will not be liable to you for any damages arising
-out of these terms or the use or nature of the software, under any kind of
-legal claim.*
-
-## Definitions
-
-The **licensor** is the entity offering these terms, and the **software** is the
-software the licensor makes available under these terms, including any portion
-of it.
-
-**you** refers to the individual or entity agreeing to these terms.
-
-**your company** is any legal entity, sole proprietorship, or other kind of
-organization that you work for, plus all organizations that have control over,
-are under the control of, or are under common control with that
-organization. **control** means ownership of substantially all the assets of an
-entity, or the power to direct its management and policies by vote, contract, or
-otherwise. Control can be direct or indirect.
-
-**your licenses** are all the licenses granted to you for the software under
-these terms.
-
-**use** means anything you do with the software requiring one of your licenses.
-
-**trademark** means trademarks, service marks, and similar rights.
diff --git a/packages/hid_bravura_monitor/1.2.2/changelog.yml b/packages/hid_bravura_monitor/1.2.2/changelog.yml
deleted file mode 100755
index 18bd9c98b7..0000000000
--- a/packages/hid_bravura_monitor/1.2.2/changelog.yml
+++ /dev/null
@@ -1,41 +0,0 @@
-# newer versions go on top
-- version: "1.2.2"
- changes:
- - description: Use ECS geo.location definition.
- type: enhancement
- link: https://github.com/elastic/integrations/issues/4227
-- version: "1.2.1"
- changes:
- - description: Remove unused visualizations
- type: enhancement
- link: https://github.com/elastic/integrations/issues/3975
-- version: "1.2.0"
- changes:
- - description: Update package to ECS 8.4.0
- type: enhancement
- link: https://github.com/elastic/integrations/pull/3866
-- version: "1.1.0"
- changes:
- - description: Update package to ECS 8.3.0.
- type: enhancement
- link: https://github.com/elastic/integrations/pull/3353
-- version: "1.0.3"
- changes:
- - description: Update readme
- type: enhancement
- link: https://github.com/elastic/integrations/pull/3108
-- version: "1.0.2"
- changes:
- - description: Add documentation for multi-fields
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2916
-- version: "1.0.1"
- changes:
- - description: Documentation update
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2654
-- version: "1.0.0"
- changes:
- - description: full release
- type: enhancement
- link: https://github.com/elastic/integrations/pull/1912
diff --git a/packages/hid_bravura_monitor/1.2.2/data_stream/log/agent/stream/filestream.yml.hbs b/packages/hid_bravura_monitor/1.2.2/data_stream/log/agent/stream/filestream.yml.hbs
deleted file mode 100755
index e926888e7f..0000000000
--- a/packages/hid_bravura_monitor/1.2.2/data_stream/log/agent/stream/filestream.yml.hbs
+++ /dev/null
@@ -1,34 +0,0 @@
-paths:
-{{#each paths as |path i|}}
- - {{path}}
-{{/each}}
-prospector.scanner.exclude_files: [".gz$"]
-line_terminator: carriage_return_line_feed
-tags:
-{{#if preserve_original_event}}
- - preserve_original_event
-{{/if}}
-{{#each tags as |tag i|}}
- - {{tag}}
-{{/each}}
-{{#contains "forwarded" tags}}
-publisher_pipeline.disable_host: true
-{{/contains}}
-processors:
-{{#if processors}}
- {{processors}}
-{{/if}}
- - add_fields:
- target: ''
- fields:
- hid_bravura_monitor.instancename: {{instancename}}
- hid_bravura_monitor.node: {{node}}
- hid_bravura_monitor.environment: {{environment}}
- hid_bravura_monitor.instancetype: {{instancetype}}
- event.timezone: {{timezone}}
-parsers:
- - multiline:
- type: pattern
- pattern: ^[[:cntrl:]]
- negate: true
- match: after
\ No newline at end of file
diff --git a/packages/hid_bravura_monitor/1.2.2/data_stream/log/elasticsearch/ingest_pipeline/default.yml b/packages/hid_bravura_monitor/1.2.2/data_stream/log/elasticsearch/ingest_pipeline/default.yml
deleted file mode 100755
index 3a9e7b70e5..0000000000
--- a/packages/hid_bravura_monitor/1.2.2/data_stream/log/elasticsearch/ingest_pipeline/default.yml
+++ /dev/null
@@ -1,196 +0,0 @@
----
-description: Pipeline for parsing hid_bravura_monitor logs
-processors:
- - set:
- field: ecs.version
- value: '8.4.0'
- description: Set ecs.version to 1.12.0
- - set:
- field: event.ingested
- value: '{{_ingest.timestamp}}'
- - rename:
- field: message
- target_field: event.original
- ignore_missing: true
- - grok:
- field: event.original
- patterns:
- - >-
- (^[[:cntrl:]])?%{TIMESTAMP_ISO8601:logdate}.%{NONNEGINT}
- \[(%{DATA:pslogid})?\] %{DATA:log.logger}
- \[%{NONNEGINT:process.pid},%{NONNEGINT:process.thread.id}\]
- %{DATA:log.level}: %{MULTILINEDATA:msg}
- pattern_definitions:
- MULTILINEDATA: |-
- (.|
- )*
- description: Initial parse
- - drop:
- if: ctx?.msg.contains('last message repeated')
- description: Drop repeated log message
- - grok:
- field: event.original
- patterns:
- - >-
- (^[[:cntrl:]])?%{TIMESTAMP_ISO8601}.%{NONNEGINT}
- \[%{DATA}\] %{DATA}
- \[%{NONNEGINT},%{NONNEGINT}\] %{DATA}:
- %{NOTSPACE:hid_bravura_monitor.perf.kind}. %{GREEDYDATA:kvpairs}
- ignore_missing: true
- if: ctx?.log?.level.contains('Perf')
- description: Parse Perf messages
- - set:
- field: log.level
- value: Perf
- if: ctx?.log?.level.contains('Perf')
- description: Set log.level to Perf
- - kv:
- if: ctx?.log?.level.contains('Perf')
- trim_key: ' \r\n'
- trim_value: ' {}\r\n'
- value_split: ': '
- target_field: hid_bravura_monitor.perf
- ignore_missing: true
- description: Separate perf info
- field: kvpairs
- field_split: ' \| '
- - rename:
- if: ctx?.hid_bravura_monitor?.perf?.kind == 'PerfAjax'
- target_field: user.id
- field: hid_bravura_monitor.perf.User
- ignore_missing: true
- description: Rename hid_bravura_monitor.perf.User to user.id
- - script:
- if: ctx?.log?.level.contains('Perf')
- source: >-
- Map m = new HashMap(); ctx['hid_bravura_monitor']['perf'].forEach((k,v)
- -> m.put(k.toLowerCase(), v));
- ctx['hid_bravura_monitor'].remove('perf');
- ctx['hid_bravura_monitor']['perf'] = new HashMap(); m.forEach((k,v) ->
-
ctx['hid_bravura_monitor']['perf'][k] = v );
- description: lowercase perf fields
- - set:
- if: ctx?.hid_bravura_monitor?.perf?.kind == 'PerfExe'
- field: hid_bravura_monitor.perf.exe
- copy_from: log.logger
- ignore_empty_value: true
- description: Copy log.logger to hid_bravura_monitor.perf.exe
- - remove:
- field: kvpairs
- ignore_missing: true
- description: Remove kvpairs
- - grok:
- field: pslogid
- patterns:
- - >-
- %{UUID:hid_bravura_monitor.request.id}
- - >-
- %{[A-Fa-f0-9]{32}:hid_bravura_monitor.request.id}
- ignore_missing: true
- ignore_failure: true
- description: Set requestid if batchid
- - rename:
- target_field: user.id
- field: pslogid
- ignore_missing: true
- if: ctx.hid_bravura_monitor?.request?.id == null && ctx?.hid_bravura_monitor?.perf?.kind != 'PerfAjax'
- description: Set userid if not a guid
- - remove:
- field: pslogid
- ignore_missing: true
- description: Remove pslogid
- - date:
- field: logdate
- formats:
- - 'yyyy-MM-dd HH:mm:ss.SSS'
- timezone: '{{event.timezone}}'
- description: Convert logdate to @timestamp
- - rename:
- target_field: message
- field: msg
- description: Override message
- - remove:
- field: logdate
- description: Remove logdate
- - set:
- if: ctx?.hid_bravura_monitor?.node == '0.0.0.0'
- field: hid_bravura_monitor.node
- copy_from: host.name
- ignore_empty_value: true
- description: Copy host.name to hid_bravura_monitor.node if left as default
- - convert:
- field: process.pid
- type: long
- ignore_missing: true
- description: process.pid to Long
- - convert:
- field: process.thread.id
- type: long
- ignore_missing: true
- description: process.thread.id to Long
- - convert:
- field: hid_bravura_monitor.perf.duration
- type: long
- ignore_missing: true
- description: hid_bravura_monitor.perf.duration to Long
- - convert:
- field: hid_bravura_monitor.perf.kernel
- type: long
- ignore_missing: true
- description: hid_bravura_monitor.perf.kernel to Long
- - convert:
- field: hid_bravura_monitor.perf.user
- type:
long
- ignore_missing: true
- description: hid_bravura_monitor.perf.user to Long
- - dot_expander:
- field: hid_bravura_monitor.perf.kind
- ignore_failure: true
- description: move hid_bravura_monitor.perf.kind to object
- - convert:
- field: hid_bravura_monitor.perf.line
- type: long
- ignore_missing: true
- description: hid_bravura_monitor.perf.line to Long
- - convert:
- field: hid_bravura_monitor.perf.records
- type: long
- ignore_missing: true
- description: hid_bravura_monitor.perf.records to Long
- - convert:
- field: hid_bravura_monitor.perf.result
- type: long
- ignore_missing: true
- description: hid_bravura_monitor.perf.result to Long
- - script:
- lang: painless
- description: This script processor iterates over the whole document to remove fields with null values.
- source: |
- void handleMap(Map map) {
- for (def x : map.values()) {
- if (x instanceof Map) {
- handleMap(x);
- } else if (x instanceof List) {
- handleList(x);
- }
- }
- map.values().removeIf(v -> v == null);
- }
- void handleList(List list) {
- for (def x : list) {
- if (x instanceof Map) {
- handleMap(x);
- } else if (x instanceof List) {
- handleList(x);
- }
- }
- }
- handleMap(ctx);
- - remove:
- field: event.original
- if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))"
- ignore_failure: true
- ignore_missing: true
-on_failure:
- - set:
- field: error.message
- value: '{{ _ingest.on_failure_message }}'
\ No newline at end of file
diff --git a/packages/hid_bravura_monitor/1.2.2/data_stream/log/fields/agent.yml b/packages/hid_bravura_monitor/1.2.2/data_stream/log/fields/agent.yml
deleted file mode 100755
index d38a70bd6b..0000000000
--- a/packages/hid_bravura_monitor/1.2.2/data_stream/log/fields/agent.yml
+++ /dev/null
@@ -1,207 +0,0 @@
-- name: cloud
- title: Cloud
- group: 2
- description: Fields related to the cloud or infrastructure the events are coming from.
- footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.'
- type: group
- fields:
- - name: account.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment.
-
- Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.'
- example: 666777888999
- - name: availability_zone
- level: extended
- type: keyword
- ignore_above: 1024
- description: Availability zone in which this host is running.
- example: us-east-1c
- - name: instance.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance ID of the host machine.
- example: i-1234567890abcdef0
- - name: instance.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance name of the host machine.
- - name: machine.type
- level: extended
- type: keyword
- ignore_above: 1024
- description: Machine type of the host machine.
- example: t2.medium
- - name: provider
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
- example: aws
- - name: region
- level: extended
- type: keyword
- ignore_above: 1024
- description: Region in which this host is running.
- example: us-east-1
- - name: project.id
- type: keyword
- description: Name of the project in Google Cloud.
- - name: image.id
- type: keyword
- description: Image ID for the cloud instance.
-- name: container
- title: Container
- group: 2
- description: 'Container fields are used for meta information about the specific container that is the source of information.
-
- These fields help correlate data based containers from any runtime.'
- type: group
- fields:
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: Unique container id.
- - name: image.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the image the container was built on.
- - name: labels
- level: extended
- type: object
- object_type: keyword
- description: Image labels.
- - name: name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Container name.
-- name: host
- title: Host
- group: 2
- description: 'A host is defined as a general computing instance.
-
- ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.'
- type: group
- fields:
- - name: architecture
- level: core
- type: keyword
- ignore_above: 1024
- description: Operating system architecture.
- example: x86_64
- - name: domain
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'Name of the domain of which the host is a member.
-
- For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.'
- example: CONTOSO
- default_field: false
- - name: hostname
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Hostname of the host.
-
- It normally contains what the `hostname` command returns on the host machine.'
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Unique host id.
-
- As hostname is not always unique, use values that are meaningful in your environment.
-
- Example: The current usage of `beat.name`.'
- - name: ip
- level: core
- type: ip
- description: Host ip addresses.
- - name: mac
- level: core
- type: keyword
- ignore_above: 1024
- description: Host mac addresses.
- - name: name
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Name of the host.
-
- It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.'
- - name: os.family
- level: extended
- type: keyword
- ignore_above: 1024
- description: OS family (such as redhat, debian, freebsd, windows).
- example: debian
- - name: os.kernel
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system kernel version as a raw string.
- example: 4.4.0-112-generic
- - name: os.name
- level: extended
- type: keyword
- ignore_above: 1024
- multi_fields:
- - name: text
- type: text
- norms: false
- default_field: false
- description: Operating system name, without the version.
- example: Mac OS X
- - name: os.platform
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system platform (such centos, ubuntu, windows).
- example: darwin
- - name: os.version
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system version as a raw string.
- example: 10.14.1
- - name: type
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Type of host.
-
- For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.'
- - name: containerized
- type: boolean
- description: >
- If the host is a container.
-
- - name: os.build
- type: keyword
- example: "18D109"
- description: >
- OS build information.
-
- - name: os.codename
- type: keyword
- example: "stretch"
- description: >
- OS codename, if any.
-
-- name: input.type
- type: keyword
- description: Input type.
-- name: log.offset
- type: long
- description: Offset of the entry in the log file.
-- name: log.source.address
- type: keyword
- description: Source address from which the log event was read / sent from.
diff --git a/packages/hid_bravura_monitor/1.2.2/data_stream/log/fields/base-fields.yml b/packages/hid_bravura_monitor/1.2.2/data_stream/log/fields/base-fields.yml
deleted file mode 100755
index cf3e4e1384..0000000000
--- a/packages/hid_bravura_monitor/1.2.2/data_stream/log/fields/base-fields.yml
+++ /dev/null
@@ -1,26 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: '@timestamp'
- type: date
- description: Event timestamp.
-- name: event.module
- type: constant_keyword
- description: Event module
- value: hid_bravura_monitor
-- name: event.dataset
- type: constant_keyword
- description: Event dataset
- value: hid_bravura_monitor.log
-- name: log.flags
- description: Flags for the log file.
- type: keyword
-- name: log.offset
- description: Offset of the entry in the log file.
- type: long
diff --git a/packages/hid_bravura_monitor/1.2.2/data_stream/log/fields/ecs.yml b/packages/hid_bravura_monitor/1.2.2/data_stream/log/fields/ecs.yml
deleted file mode 100755
index 9c07522301..0000000000
--- a/packages/hid_bravura_monitor/1.2.2/data_stream/log/fields/ecs.yml
+++ /dev/null
@@ -1,490 +0,0 @@ -- description: |- - Date/time when the event originated. - This is the date/time extracted from the event, typically representing when the event was generated by the source. - If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. - Required field for all events. - name: '@timestamp' - type: date -- description: Short name or login of the user. - multi_fields: - - name: text - type: match_only_text - name: client.user.name - type: keyword -- description: |- - Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: destination.address - type: keyword -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: destination.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: destination.as.organization.name - type: keyword -- description: Bytes sent from the destination to the source. - name: destination.bytes - type: long -- description: |- - The domain name of the destination system. - This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. - name: destination.domain - type: keyword -- description: City name. - name: destination.geo.city_name - type: keyword -- description: Name of the continent. - name: destination.geo.continent_name - type: keyword -- description: Country ISO code. - name: destination.geo.country_iso_code - type: keyword -- description: Country name. - name: destination.geo.country_name - type: keyword -- description: Longitude and latitude. 
- name: destination.geo.location - type: geo_point -- description: Region ISO code. - name: destination.geo.region_iso_code - type: keyword -- description: Region name. - name: destination.geo.region_name - type: keyword -- description: IP address of the destination (IPv4 or IPv6). - name: destination.ip - type: ip -- description: |- - Translated ip of destination based NAT sessions (e.g. internet to private DMZ) - Typically used with load balancers, firewalls, or routers. - name: destination.nat.ip - type: ip -- description: |- - Port the source session is translated to by NAT Device. - Typically used with load balancers, firewalls, or routers. - name: destination.nat.port - type: long -- description: Port of the destination. - name: destination.port - type: long -- description: Short name or login of the user. - multi_fields: - - name: text - type: match_only_text - name: destination.user.name - type: keyword -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: Error message. - name: error.message - type: match_only_text -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. This will allow proper categorization of some events that fall in multiple categories. - name: event.category - normalize: - - array - type: keyword -- description: |- - Identification code for this event, if one exists. 
- Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. - name: event.code - type: keyword -- description: |- - event.created contains the date/time when the event was first read by an agent, or by your pipeline. - This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. - In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. - In case the two timestamps are identical, @timestamp should be used. - name: event.created - type: date -- description: |- - event.created contains the date/time when the event was first read by an agent, or by your pipeline. - This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. - In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. - In case the two timestamps are identical, @timestamp should be used. - name: event.created - type: date -- description: |- - Duration of the event in nanoseconds. - If event.start and event.end are known this value should be the difference between the end and start time. - name: event.duration - type: long -- description: event.end contains the date when the event ended or when the activity was last observed. - name: event.end - type: date -- description: |- - Timestamp when an event arrived in the central data store. 
- This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. - In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. - name: event.ingested - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: |- - Source of the event. - Event transports such as Syslog or the Windows Event Log typically mention the source of an event. It can be the name of the software that generated the event (e.g. Sysmon, httpd), or of a subsystem of the operating system (kernel, Microsoft-Windows-Security-Auditing). - name: event.provider - type: keyword -- description: |- - The numeric severity of the event according to your event source. - What the different severity values mean can be different between sources and use cases. It's up to the implementer to make sure severities are consistent across events from the same source. - The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`. 
- name: event.severity - type: long -- description: event.start contains the date when the event started or when the activity was first observed. - name: event.start - type: date -- description: |- - This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. - Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). - name: event.timezone - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. - `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. This will allow proper categorization of some events that fall in multiple event types. - name: event.type - normalize: - - array - type: keyword -- description: Full path to the file, including the file name. It should include the drive letter, when appropriate. - multi_fields: - - name: text - type: match_only_text - name: file.path - type: keyword -- description: |- - Custom key/value pairs. - Can be used to add meta information to events. Should not contain nested objects. All values are stored as keyword. - Example: `docker` and `k8s` labels. - name: labels - type: object -- description: |- - Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. - If the event wasn't read from a log file, do not populate this field. - name: log.file.path - type: keyword -- description: |- - Original log level of the log event. - If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. 
If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). - Some examples are `warn`, `err`, `i`, `informational`. - name: log.level - type: keyword -- description: The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. - name: log.logger - type: keyword -- description: |- - For log events the message field contains the log message, optimized for viewing in a log viewer. - For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. - If multiple messages exist, they can be combined into one message. - name: message - type: match_only_text -- description: |- - Total bytes transferred in both directions. - If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. - name: network.bytes - type: long -- description: |- - Direction of the network traffic. - When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". - When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". - Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. - name: network.direction - type: keyword -- description: IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. 
- name: network.iana_number - type: keyword -- description: Network.inner fields are added in addition to network.vlan fields to describe the innermost VLAN when q-in-q VLAN tagging is present. Allowed fields include vlan.id and vlan.name. Inner vlan fields are typically used when sending traffic with multiple 802.1q encapsulations to a network sensor (e.g. Zeek, Wireshark.) - name: network.inner - type: object -- description: VLAN ID as reported by the observer. - name: network.inner.vlan.id - type: keyword -- description: Optional VLAN name as reported by the observer. - name: network.inner.vlan.name - type: keyword -- description: |- - In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. - The field value must be normalized to lowercase for querying. - name: network.protocol - type: keyword -- description: |- - Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) - The field value must be normalized to lowercase for querying. - name: network.transport - type: keyword -- description: |- - In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc - The field value must be normalized to lowercase for querying. - name: network.type - type: keyword -- description: Interface name as reported by the system. - name: observer.egress.interface.name - type: keyword -- description: Network zone of outbound traffic as reported by the observer to categorize the destination area of egress traffic, e.g. Internal, External, DMZ, HR, Legal, etc. - name: observer.egress.zone - type: keyword -- description: Hostname of the observer. - name: observer.hostname - type: keyword -- description: Interface name as reported by the system. - name: observer.ingress.interface.name - type: keyword -- description: Network zone of incoming traffic as reported by the observer to categorize the source area of ingress traffic. e.g. 
internal, External, DMZ, HR, Legal, etc. - name: observer.ingress.zone - type: keyword -- description: IP addresses of the observer. - name: observer.ip - normalize: - - array - type: ip -- description: |- - Custom name of the observer. - This is a name that can be given to an observer. This can be helpful for example if multiple firewalls of the same model are used in an organization. - If no custom name is needed, the field can be left empty. - name: observer.name - type: keyword -- description: The product name of the observer. - name: observer.product - type: keyword -- description: |- - The type of the observer the data is coming from. - There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. - name: observer.type - type: keyword -- description: Vendor name of the observer. - name: observer.vendor - type: keyword -- description: Observer version. - name: observer.version - type: keyword -- description: |- - Process name. - Sometimes called program name or similar. - multi_fields: - - name: text - type: match_only_text - name: process.name - type: keyword -- description: Process id. - name: process.pid - type: long -- description: Thread ID. - name: process.thread.id - type: long -- description: All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. - name: related.hosts - normalize: - - array - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - normalize: - - array - type: ip -- description: All the user names or other user identifiers seen on the event. - name: related.user - normalize: - - array - type: keyword -- description: |- - The domain name of the server system. - This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. 
- name: server.domain - type: keyword -- description: |- - Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: source.address - type: keyword -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: source.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: source.as.organization.name - type: keyword -- description: Bytes sent from the source to the destination. - name: source.bytes - type: long -- description: |- - The domain name of the source system. - This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. - name: source.domain - type: keyword -- description: City name. - name: source.geo.city_name - type: keyword -- description: Name of the continent. - name: source.geo.continent_name - type: keyword -- description: Country ISO code. - name: source.geo.country_iso_code - type: keyword -- description: Country name. - name: source.geo.country_name - type: keyword -- description: Longitude and latitude. - name: source.geo.location - type: geo_point -- description: Region ISO code. - name: source.geo.region_iso_code - type: keyword -- description: Region name. - name: source.geo.region_name - type: keyword -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: |- - Translated ip of source based NAT sessions (e.g. internal client to internet) - Typically connections traversing load balancers, firewalls, or routers. - name: source.nat.ip - type: ip -- description: |- - Translated port of source based NAT sessions. (e.g. 
internal client to internet) - Typically used with load balancers, firewalls, or routers. - name: source.nat.port - type: long -- description: Port of the source. - name: source.port - type: long -- description: Short name or login of the user. - multi_fields: - - name: text - type: match_only_text - name: source.user.name - type: keyword -- description: List of keywords used to tag each event. - name: tags - normalize: - - array - type: keyword -- description: |- - Domain of the url, such as "www.elastic.co". - In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. - If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. - name: url.domain - type: keyword -- description: |- - The field contains the file extension from the original request url, excluding the leading dot. - The file extension is only set if it exists, as not every url has a file extension. - The leading period must not be included. For example, the value must be "png", not ".png". - Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). - name: url.extension - type: keyword -- description: |- - Portion of the url after the `#`, such as "top". - The `#` is not part of the fragment. - name: url.fragment - type: keyword -- description: If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. - multi_fields: - - name: text - type: match_only_text - name: url.full - type: wildcard -- description: |- - Unmodified original url as seen in the event source. - Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. 
- This field is meant to represent the URL as it was observed, complete or not. - multi_fields: - - name: text - type: match_only_text - name: url.original - type: wildcard -- description: Password of the request. - name: url.password - type: keyword -- description: Path of the request, such as "/search". - name: url.path - type: wildcard -- description: Port of the request, such as 443. - name: url.port - type: long -- description: |- - The query field describes the query string of the request, such as "q=elasticsearch". - The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. - name: url.query - type: keyword -- description: |- - The highest registered url domain, stripped of the subdomain. - For example, the registered domain for "foo.example.com" is "example.com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". - name: url.registered_domain - type: keyword -- description: |- - Scheme of the request, such as "https". - Note: The `:` is not part of the scheme. - name: url.scheme - type: keyword -- description: |- - The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. - For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. 
- name: url.subdomain - type: keyword -- description: |- - The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". - name: url.top_level_domain - type: keyword -- description: Username of the request. - name: url.username - type: keyword -- description: User email address. - name: user.email - type: keyword -- description: Unique identifier of the user. - name: user.id - type: keyword -- description: Short name or login of the user. - multi_fields: - - name: text - type: match_only_text - name: user.name - type: keyword -- description: |- - The domain name of the server system. - This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. - name: server.domain - type: keyword -- description: |- - Some event server addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: server.address - type: keyword -- description: Port of the server. - name: server.port - type: long -- description: IP address of the server (IPv4 or IPv6). - name: server.ip - type: ip -- description: |- - The domain name of the client system. - This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. - name: client.domain - type: keyword -- description: |- - Some event client addresses are defined ambiguously. 
The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: client.address - type: keyword -- description: Port of the client. - name: client.port - type: long -- description: IP address of the client (IPv4 or IPv6). - name: client.ip - type: ip diff --git a/packages/hid_bravura_monitor/1.2.2/data_stream/log/fields/fields.yml b/packages/hid_bravura_monitor/1.2.2/data_stream/log/fields/fields.yml deleted file mode 100755 index 79a0312e10..0000000000 --- a/packages/hid_bravura_monitor/1.2.2/data_stream/log/fields/fields.yml +++ /dev/null 
@@ -1,99 +0,0 @@
-- name: hid_bravura_monitor.environment
- type: keyword
- description: Instance environment
-- name: hid_bravura_monitor.instancename
- type: keyword
- description: Instance name
-- name: hid_bravura_monitor.instancetype
- type: keyword
- description: Instance type
-- name: hid_bravura_monitor.node
- type: keyword
- description: Node
-- name: hid_bravura_monitor.request
- type: group
- fields:
- - name: id
- type: keyword
- description: Request ID
-- name: hid_bravura_monitor.perf
- type: group
- fields:
- - name: address
- type: wildcard
- description: Server address
- - name: adminid
- type: keyword
- description: Administrator ID
- - name: caller
- type: keyword
- description: Application caller
- - name: dbcommand
- type: keyword
- description: Database command
- - name: destination
- type: wildcard
- description: Destination URL
- - name: duration
- type: long
- description: Performance duration
- - name: event
- type: keyword
- description: Event
- - name: exe
- type: keyword
- description: Executable
- - name: file
- type: keyword
- description: Source file
- - name: function
- type: keyword
- description: Performance function
- - name: kernel
- type: long
- description: Kernel Time
- - name: kind
- type: keyword
- description: Performance type (ie. PerfExe, PerfAjax, PerfFileRep, etc.)
- - name: line
- type: long
- description: Line number
- - name: message
- type: wildcard
- description: Performance message
- multi_fields:
- - name: keyword
- type: keyword
- - name: operation
- type: keyword
- description: Operation
- - name: receivequeue
- type: keyword
- description: Receive queue
- - name: records
- type: long
- description: Database records
- - name: result
- type: long
- description: Result
- - name: sessionid
- type: keyword
- description: Session ID
- - name: sysid
- type: keyword
- description: System ID
- - name: table
- type: keyword
- description: Database table
- - name: targetid
- type: keyword
- description: Target ID
- - name: transid
- type: keyword
- description: Transaction ID
- - name: type
- type: keyword
- description: IDWFM type
- - name: user
- type: long
- description: User time
diff --git a/packages/hid_bravura_monitor/1.2.2/data_stream/log/manifest.yml b/packages/hid_bravura_monitor/1.2.2/data_stream/log/manifest.yml
deleted file mode 100755
index 30213ea82e..0000000000
--- a/packages/hid_bravura_monitor/1.2.2/data_stream/log/manifest.yml
+++ /dev/null
@@ -1,70 +0,0 @@
-type: logs
-title: Hitachi ID Bravura Monitor
-streams:
- - input: filestream
- vars:
- - name: paths
- type: text
- title: Paths
- multi: true
- required: true
- show_user: true
- default:
- - C:/Program Files/Hitachi ID/IDM Suite/Logs/default*/idmsuite*.log
- description: "Path to IDM Suite log files"
- - name: node
- type: text
- title: Node
- multi: false
- required: true
- show_user: true
- default: 0.0.0.0
- description: "If set to 0.0.0.0, `hid_bravura_monitor.node` will be set to the value of `host.name`"
- - name: instancename
- type: text
- title: Instance name
- multi: false
- required: true
- show_user: true
- default: default
- - name: timezone
- type: text
- title: Timezone
- multi: false
- required: true
- show_user: true
- default: UTC
- - name: environment
- type: text
- title: Environment
- multi: false
- required: true
- show_user: true
- default: PRODUCTION
- - name: instancetype
- type: text
- title: Instance type
- multi: false
- required: true
- show_user: true
- default: Privilege-Identity-Password
- - name: preserve_original_event
- required: true
- show_user: true
- title: Preserve original event
- description: Preserves a raw copy of the original event, added to the field `event.original`
- type: bool
- multi: false
- default: false
- - name: processors
- type: yaml
- title: Processors
- multi: false
- required: false
- show_user: false
- description: >
- Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
- template_path: filestream.yml.hbs
- title: Hitachi ID Bravura Monitor
- description: Collect Hitachi ID Security Fabric logs using filestream input
diff --git a/packages/hid_bravura_monitor/1.2.2/data_stream/log/sample_event.json b/packages/hid_bravura_monitor/1.2.2/data_stream/log/sample_event.json
deleted file mode 100755
index a6619fa684..0000000000
--- a/packages/hid_bravura_monitor/1.2.2/data_stream/log/sample_event.json
+++ /dev/null
@@ -1,83 +0,0 @@
-{
- "@timestamp": "2021-01-16T00:35:25.258Z",
- "agent": {
- "ephemeral_id": "00124c53-af5e-4d5f-818c-ff189690109e",
- "hostname": "docker-fleet-agent",
- "id": "9bcd741c-af93-434c-ad55-1ec23d08ab89",
- "name": "docker-fleet-agent",
- "type": "filebeat",
- "version": "7.16.0"
- },
- "data_stream": {
- "dataset": "hid_bravura_monitor.log",
- "namespace": "ep",
- "type": "logs"
- },
- "ecs": {
- "version": "8.3.0"
- },
- "elastic_agent": {
- "id": "9bcd741c-af93-434c-ad55-1ec23d08ab89",
- "snapshot": true,
- "version": "7.16.0"
- },
- "event": {
- "agent_id_status": "verified",
- "dataset": "hid_bravura_monitor.log",
- "ingested": "2021-10-29T18:19:35Z",
- "original": "\u00182021-01-16 00:35:25.258.7085 - [] pamlws.exe [44408,52004] Error: LWS [HID-TEST] foundcomputer record not found",
- "timezone": "UTC"
- },
- "hid_bravura_monitor": {
- "environment": "PRODUCTION",
- "instancename": "default",
- "instancetype": "Privilege-Identity-Password",
- "node": "docker-fleet-agent"
- },
- "host": {
- "architecture": "x86_64",
- "containerized": true,
- "hostname": "docker-fleet-agent",
- "id": "3bfbf225479aac5f850ea38f5d9d8a02",
- "ip": [
- "192.168.192.7"
- ],
- "mac": [
- "02:42:c0:a8:c0:07"
- ],
- "name": "docker-fleet-agent",
- "os": {
- "codename": "Core",
- "family": "redhat",
- "kernel": "5.10.16.3-microsoft-standard-WSL2",
- "name": "CentOS Linux",
- "platform": "centos",
- "type": "linux",
- "version": "7 (Core)"
- }
- },
- "input": {
- "type": "filestream"
- },
- "log": {
- "file": {
- "path": "/tmp/service_logs/hid_bravura_monitor.log"
- },
- "level": "Error",
- "logger": "pamlws.exe",
- "offset": 218
- },
- "message": "LWS [HID-TEST] foundcomputer record not found",
- "process": {
- "pid": 44408,
- "thread": {
- "id": 52004
- }
- },
- "tags": [
- "preserve_original_event"
- ],
- "user": {
- "id": ""
- }
-}
\ No newline at end of file
diff --git a/packages/hid_bravura_monitor/1.2.2/data_stream/winlog/agent/stream/winlog.yml.hbs b/packages/hid_bravura_monitor/1.2.2/data_stream/winlog/agent/stream/winlog.yml.hbs
deleted file mode 100755
index f3f26f16ee..0000000000
--- a/packages/hid_bravura_monitor/1.2.2/data_stream/winlog/agent/stream/winlog.yml.hbs
+++ /dev/null
@@ -1,16 +0,0 @@
-name: Hitachi-Hitachi ID Systems-Hitachi ID Suite/Operational
-condition: ${host.platform} == 'windows'
-{{#if event_id}}
-event_id: {{event_id}}
-{{/if}}
-{{#if processors}}
-processors:
-{{processors}}
-{{/if}}
-tags:
-{{#if preserve_original_event}}
- - preserve_original_event
-{{/if}}
-{{#each tags as |tag i|}}
- - {{tag}}
-{{/each}}
\ No newline at end of file
diff --git a/packages/hid_bravura_monitor/1.2.2/data_stream/winlog/elasticsearch/ingest_pipeline/default.yml b/packages/hid_bravura_monitor/1.2.2/data_stream/winlog/elasticsearch/ingest_pipeline/default.yml
deleted file mode 100755
index a7eb3c92bd..0000000000
--- a/packages/hid_bravura_monitor/1.2.2/data_stream/winlog/elasticsearch/ingest_pipeline/default.yml
+++ /dev/null
@@ -1,399 +0,0 @@ ---- -description: Pipeline for Hitachi ID Suite events -processors: - - set: - field: event.ingested - value: '{{_ingest.timestamp}}' - - - convert: - field: event.code - type: string - ignore_missing: true - - - rename: - field: message - target_field: event.original - ignore_missing: true - - - grok: - field: event.original - patterns: - - >- - %{DATA:winlog.event_data.Message}\|%{GREEDYDATA:kvpairs} - - - kv: - field: kvpairs - field_split: '\|' - value_split: '=' - target_field: winlog.event_data - ignore_missing: false - ignore_failure: false - - - remove: - field: kvpairs - ignore_missing: true - ignore_failure: true - - - split: - field: winlog.event_data.ClientIPs - separator: "," - preserve_trailing: true - ignore_missing: true - - - split: - field: winlog.event_data.FailedTargets - separator: "," - preserve_trailing: true - ignore_missing: true - - - script: - lang: painless - ignore_failure: false - tag: Decode symbolic id table - description: Decode symbolic id table - params: - "1": "AUTH_CHAIN_FAILURE" - "2": "AUTH_CHAIN_SUCCESS" - "3": "USER_LOGIN_LOCKOUT" - "4": "DB_COMMIT_SUSPEND" - "5": "DB_COMMIT_RESUME" - "6": "DB_REPLICATION_CONN_FAILURE" - "7": "DB_REPLICATION_CONN_RESTORED" - "8": "DB_REPLICATION_TRANS_FAILURE" - "9": "DB_QUEUE_INSERT_FAILURE" - "10": "DB_FAILED_PROC_RECORDED" - "11": "PAMSA_ORCHESTRATION_START_FAILURE" - "12": "PAMSA_ORCHESTRATION_END_FAILURE" - "13": "UPDATE_RESOURCE_FAILURE" - "14": "GSET_CHECKIN_FAILURE" - "15": "GSET_CHECKIN_PARTIAL" - "16": "GSET_CHECKIN_SUCCESS" - "17": "GSET_CHECKOUT_SUCCESS" - "18": "GSET_CHECKOUT_FAILURE" - "19": "GSET_CHECKOUT_PARTIAL" - "20": "PWD_CHECKOUT_SUCCESS" - "21": "PWD_CHECKOUT_FAILURE" - "22": "PWD_CHECKIN_SUCCESS" - "23": "PWD_CHECKIN_FAILURE" - "24": "WSTN_VIEW_PASSWORD_SUCCESS" - "25": "WSTN_VIEW_PASSWORD_FAILURE" - "26": "WSTN_VIEW_PASSWORD_HIS_SUCCESS" - "27": "WSTN_VIEW_PASSWORD_HIS_FAILURE" - "28": "ADMIN_ENABLE_ADMIN" - "29": "ADMIN_ENABLE_USER" - "30": 
"ADMIN_DISABLE_ADMIN" - "31": "ADMIN_DISABLE_USER" - "32": "ADMIN_UNLOCK_ADMIN" - "33": "ADMIN_UNLOCK_USER" - "34": "SMON_SESSION_START" - "35": "SMON_SESSION_END" - "36": "SMON_ADMIN_SESS_TERM_REQ" - "37": "PSUPDATE_START" - "38": "PSUPDATE_FINISH" - "39": "IDAPI_LOGIN_SUCCESS" - "40": "IDAPI_LOGIN_FAILURE" - "41": "MAQ_CHECKIN_FAILURE" - "42": "MAQ_CHECKIN_SUCCESS" - "43": "MAQ_CHECKOUT_FAILURE" - "44": "MAQ_CHECKOUT_SUCCESS" - "45": "TARGET_DEPLOYMENT_FAILURE" - "46": "TARGET_DEPLOYMENT_SUCCESS" - "47": "OPERATION_IMPORT_TARGET" - "48": "WSTN_ADD_WSTN_SUCCESS" - "49": "WSTN_ADD_WSTN_FAILURE" - "50": "IDWFM_EVENT_ABORT" - "51": "IDWFM_EVENT_FAILURE" - "52": "USER_QA_ADD_SUCCESS" - "53": "USER_QA_ADD_FAILURE" - "54": "USER_QA_UPDATE_SUCCESS" - "55": "USER_QA_UPDATE_FAILURE" - "56": "USER_QA_DELETE_SUCCESS" - "57": "ADMIN_QA_ADD_SUCCESS" - "58": "ADMIN_QA_ADD_FAILURE" - "59": "ADMIN_QA_UPDATE_SUCCESS" - "60": "ADMIN_QA_UPDATE_FAILURE" - "61": "ADMIN_QA_DELETE_SUCCESS" - "62": "USER_PW_RESET_START" - "63": "USER_PW_RESET_SUCCESS" - "64": "USER_PW_RESET_FAILURE" - "65": "ADMIN_PW_RESET_START" - "66": "ADMIN_PW_RESET_SUCCESS" - "67": "ADMIN_PW_RESET_FAILURE" - "68": "USER_ACCT_UNLOCK_START" - "69": "USER_ACCT_UNLOCK_SUCCESS" - "70": "USER_ACCT_UNLOCK_FAILURE" - "71": "ADMIN_ACCT_UNLOCK_START" - "72": "ADMIN_ACCT_UNLOCK_SUCCESS" - "73": "ADMIN_ACCT_UNLOCK_FAILURE" - "74": "DB_REPLICATION_WATERMARK_WARN" - "75": "USER_ALIAS_ALREADY_CLAIMED" - "76": "ADMIN_ALIAS_ALREADY_CLAIMED" - "77": "CONNECTOR_TIMEOUT" - "78": "FILE_REPLICATION_FAILURE" - "79": "IDPM_GROUP_SUCCESS" - "80": "IDPM_GROUP_FAILURE" - "81": "WF_REQUEST_BATCH_APPROVED" - "82": "WF_REQUEST_BATCH_REJECTED" - "83": "WF_REQUEST_BATCH_CANCELED" - "84": "WF_REQUEST_BATCH_REVOKED" - "85": "WF_REQUEST_BATCH_PROCESSED" - "86": "DID_REGISTER_SUCCESS" - "87": "DID_REGISTER_FAILURE" - "88": "DID_UPDATE_SUCCESS" - "89": "DID_SEND_SUCCESS" - "90": "USER_IDENTIFY_SUCCESS" - "91": "USER_IDENTIFY_FAILURE" - "92": 
"USER_LOGIN_SUCCESS" - "93": "USER_LOGIN_FAILURE" - "94": "FEDIDP_IDENTIFY_SUCCESS" - "95": "FEDIDP_IDENTIFY_FAILURE" - "96": "FEDIDP_AUTH_SUCCESS" - "97": "FEDIDP_AUTH_FAILURE" - "98": "DB_STORED_PROC_FAILURE" - "99": "ADMIN_CRED_FAILURE" - "100": "ADMIN_CRED_SUCCESS" - "101": "FEDIDP_SSO_SESSION_CREATE" - "102": "FEDIDP_SSO_SESSION_DESTROY" - "103": "PAM_CHECKOUT_SUCCESS" - "104": "PAM_CHECKOUT_PARTIAL" - "105": "PAM_CHECKOUT_FAILURE" - "106": "PAM_CHECKIN_SUCCESS" - "107": "PAM_CHECKIN_PARTIAL" - "108": "PAM_CHECKIN_FAILURE" - "109": "PAM_CHECKOUT_EXPIRY" - "110": "PAM_CHECKOUT_LIMIT_REACHED" - "111": "PAM_CHECKOUT_OPERATION_SUCCESS" - "112": "PAM_CHECKOUT_OPERATION_FAILURE" - "113": "PAM_CHECKIN_OPERATION_SUCCESS" - "114": "PAM_CHECKIN_OPERATION_FAILURE" - "115": "FEDSP_SAMLAUTH_ASR_FAILURE" - "116": "FEDSP_SAMLAUTH_ASR_SUCCESS" - "117": "FEDSP_SAMLAUTH_ISSUED" - "118": "DB_REPLICATION_QUEUE_DELAY_PAST_THRESHOLD" - "119": "USER_HDD_RECOVERY_SUCCESS" - "120": "USER_HDD_RECOVERY_FAILURE" - "121": "USER_MOBILE_DEVICE_REGISTRATION" - source: |- - if (ctx?.winlog?.event_id == null) { - return; - } - def t = params.get(ctx.winlog.event_id); - if (t == null) { - return; - } - ctx.winlog.put("symbolic_id", t) - - - script: - lang: painless - ignore_failure: false - tag: Decode description table - description: Decode description table - params: - "1": "User failed to authenticate" - "2": "User successfully authenticated" - "3": "User lockout triggered" - "4": "Database commits suspended, replication queue full" - "5": "Database commits resuming" - "6": "Connectivity to replica database lost" - "7": "Connectivity to replica database restored" - "8": "Failed to replicate database transaction" - "9": "Failed to insert data into database replication queue" - "10": "ed to run stored procedure on replica server" - "11": "Subscriber orchestration failed to start" - "12": "Subscriber orchestration completed with failures" - "13": "Failed to update subscriber password" - "14": 
"Failed to check-in managed group set" - "15": "Failed to fully check-in managed group set, some memberships were not revoked" - "16": "Managed group set successfully checked in" - "17": "Managed group set successfully checked out" - "18": "Failed to check out managed group set" - "19": "Managed group set partially checked out, some memberships were not granted" - "20": "Managed account password successfully checked out" - "21": "Failed to check-out managed account password" - "22": "Managed account password successfully checked in" - "23": "Failed to check-in managed account password" - "24": "Managed account password viewed" - "25": "Failed to view managed account password" - "26": "Historical managed account password viewed" - "27": "Failed to view historical managed account password" - "28": "Administrative profile enabled" - "29": "User profile enabled" - "30": "Administrative profile disabled" - "31": "User profile disabled" - "32": "Administrative profile unlocked" - "33": "User profile unlocked" - "34": "Privileged access session recording started" - "35": "Privileged access session recording ended" - "36": "Privileged access session termination requested by administrator" - "37": "Nightly discovery process started" - "38": "Nightly discovery process finished" - "39": "API login succeeded" - "40": "API login failure" - "41": "Failed to check in system and account query based access" - "42": "Succeeded in checking in system and account query based access" - "43": "Failed to check out system and account query based access" - "44": "Succeeded in checking out system and account query based access" - "45": "Target deployment finished with a failure." - "46": "Successfully finished target deployment." - "47": "Successfully imported a single target." - "48": "Successfully finished target deployment." - "49": "Target deployment finished with a failure." - "50": "Workflow manager aborted event processing." - "51": "Workflow manager failed to process event." 
- "52": "Security question successfully added." - "53": "Failed to add security question." - "54": "Security question successfully updated." - "55": "Failed to update security question." - "56": "Security question successfully deleted." - "57": "Security question successfully added." - "58": "Failed to add security question." - "59": "Security question successfully updated." - "60": "Failed to update security question." - "61": "Security question successfully deleted." - "62": "Self-service password reset started." - "63": "Self-service password reset successful." - "64": "Self-service password reset failed." - "65": "Help-desk assisted password reset started." - "66": "Help-desk assisted password reset successful." - "67": "Help-desk assisted password reset failed." - "68": "Self-service account unlock started." - "69": "Self-service account unlock successful." - "70": "Self-service account unlock failed." - "71": "Help-desk assisted account unlock started." - "72": "Help-desk assisted account unlock successful." - "73": "Help-desk assisted password reset failed." - "74": "Database replication watermark hit." - "75": "User attempted to claim alias that is already claimed." - "76": "Admin attempted to assign alias that is already claimed." - "77": "Connector timed out while performing operation." - "78": "Error occured during file replication to remote nodes." - "79": "All passwords successfully synchronized." - "80": "One or more passwords failed to be synchronized." - "81": "Workflow request has been approved." - "82": "Workflow request has been rejected." - "83": "Workflow request has been canceled." - "84": "Workflow request has been revoked." - "85": "Workflow request has been processed." - "86": "Successfully registered Digital ID." - "87": "Failed to register Digital ID." - "88": "Successfully updated Digital ID." - "89": "Digital ID successfully downloaded." - "90": "User successfully identified" - "91": "Failed to identify user." 
- "92": "User successfully logged in." - "93": "User failed to log in." - "94": "Federated authn request successfully parsed." - "95": "Federated authn request failed to be parsed." - "96": "Federated assertion successfully generated." - "97": "Federated assertion failed to be generated." - "98": "Failed to execute stored procedure." - "99": "Target creation failure: Could not establish credentials." - "100": "Target creation successful: Credentials set successfully." - "101": "New federated SSO session created." - "102": "Federated SSO session terminated." - "103": "Generic access check-out successful." - "104": "Generic access check-out partially successful." - "105": "Generic access check-out failed." - "106": "Generic access check-in successful." - "107": "Generic access check-in partially successful." - "108": "Generic access check-in failed." - "109": "Generic access check-out expired." - "110": "Generic access check-out cannot be performed because it would exceed the check-out limit of one of its targets." - "111": "An operation run as part of a generic access check-out succeeded." - "112": "An operation run as part of a generic access check-out failed." - "113": "An operation run as part of a generic access check-in succeeded." - "114": "An operation run as part of a generic access check-in failed." - "115": "Failed to validate a SAML assertion." - "116": "Successfully validated a SAML assertion." - "117": "Issued SAML AuthNRequest." - "118": "Database replication queue delay exceeded configured threshold." - "119": "Self-service encrypted drive recovery successful." - "120": "Self-service encrypted drive recovery failure." - "121": "Self-service mobile device registration." 
- source: |- - if (ctx?.winlog?.event_id == null) { - return; - } - def t = params.get(ctx.winlog.event_id); - if (t == null) { - return; - } - if (ctx?.winlog?.event_data == null ) { - Map map = new HashMap(); - ctx.winlog.put("event_data", map); - } - ctx.winlog.event_data.put("Description", t) - - - convert: - field: winlog.record_id - type: string - ignore_missing: true - - - convert: - field: winlog.event_id - type: string - ignore_missing: true - - - convert: - field: winlog.event_data.DelayThreshold - type: long - ignore_missing: true - - - convert: - field: winlog.event_data.QueueDelay - type: long - ignore_missing: true - - - convert: - field: winlog.event_data.QueueSize - type: long - ignore_missing: true - - - convert: - field: winlog.event_data.Runtime - type: long - ignore_missing: true - - - set: - field: ecs.version - value: '8.4.0' - - - set: - field: log.level - copy_from: winlog.level - ignore_empty_value: true - ignore_failure: true - if: ctx?.winlog?.level != "" - - - date: - field: winlog.time_created - formats: - - ISO8601 - ignore_failure: true - if: ctx?.winlog?.time_created != null - - - remove: - field: event.original - if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" - ignore_failure: true - ignore_missing: true - - - remove: - field: [ - "winlog.event_data.Value1", - "winlog.event_data.Value2", - "winlog.event_data.Value3", - "winlog.event_data.Value4", - "winlog.event_data.Value5", - "winlog.event_data.Value6", - "winlog.event_data.Value7", - "winlog.event_data.Value8", - "winlog.event_data.Value9" - ] - ignore_missing: true - -on_failure: - - set: - field: error.message - value: |- - Processor "{{ _ingest.on_failure_processor_type }}" with tag "{{ _ingest.on_failure_processor_tag }}" in pipeline "{{ _ingest.on_failure_pipeline }}" failed with message "{{ _ingest.on_failure_message }}" 
diff --git a/packages/hid_bravura_monitor/1.2.2/data_stream/winlog/fields/agent.yml b/packages/hid_bravura_monitor/1.2.2/data_stream/winlog/fields/agent.yml
deleted file mode 100755
index da4e652c53..0000000000
--- a/packages/hid_bravura_monitor/1.2.2/data_stream/winlog/fields/agent.yml
+++ /dev/null
@@ -1,198 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/hid_bravura_monitor/1.2.2/data_stream/winlog/fields/base-fields.yml b/packages/hid_bravura_monitor/1.2.2/data_stream/winlog/fields/base-fields.yml
deleted file mode 100755
index ecf4acb535..0000000000
--- a/packages/hid_bravura_monitor/1.2.2/data_stream/winlog/fields/base-fields.yml
+++ /dev/null
@@ -1,26 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
- value: logs
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset name.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: '@timestamp'
- type: date
- description: Event timestamp.
-- name: event.module
- type: constant_keyword
- description: Event module
- value: hid_bravura_monitor
-- name: event.dataset
- type: constant_keyword
- description: Event dataset.
- value: hid_bravura_monitor.winlog
-- name: tags
- description: List of keywords used to tag each event.
- example: '["production", "env2"]'
- ignore_above: 1024
- type: keyword
diff --git a/packages/hid_bravura_monitor/1.2.2/data_stream/winlog/fields/beats.yml b/packages/hid_bravura_monitor/1.2.2/data_stream/winlog/fields/beats.yml
deleted file mode 100755
index 3c48f1f224..0000000000
--- a/packages/hid_bravura_monitor/1.2.2/data_stream/winlog/fields/beats.yml
+++ /dev/null
@@ -1,3 +0,0 @@
-- name: input.type
- type: keyword
- description: Type of Filebeat input.
diff --git a/packages/hid_bravura_monitor/1.2.2/data_stream/winlog/fields/ecs.yml b/packages/hid_bravura_monitor/1.2.2/data_stream/winlog/fields/ecs.yml
deleted file mode 100755
index b54851cd6c..0000000000
--- a/packages/hid_bravura_monitor/1.2.2/data_stream/winlog/fields/ecs.yml
+++ /dev/null
@@ -1,239 +0,0 @@ -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: |- - The action captured by the event. - This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. - name: event.action - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. This will allow proper categorization of some events that fall in multiple categories. - name: event.category - normalize: - - array - type: keyword -- description: |- - Identification code for this event, if one exists. - Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. - name: event.code - type: keyword -- description: |- - event.created contains the date/time when the event was first read by an agent, or by your pipeline. - This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. - In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. 
This can be used to monitor your agent's or pipeline's ability to keep up with your event source. - In case the two timestamps are identical, @timestamp should be used. - name: event.created - type: date -- description: |- - Timestamp when an event arrived in the central data store. - This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. - In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. - name: event.ingested - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: |- - Name of the module this data is coming from. - If your monitoring agent supports the concept of modules or plugins to process events of a given source (e.g. Apache logs), `event.module` should contain the name of this module. - name: event.module - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. - `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. 
- Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. - Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. - Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. - name: event.outcome - type: keyword -- description: |- - Source of the event. - Event transports such as Syslog or the Windows Event Log typically mention the source of an event. It can be the name of the software that generated the event (e.g. Sysmon, httpd), or of a subsystem of the operating system (kernel, Microsoft-Windows-Security-Auditing). - name: event.provider - type: keyword -- description: |- - Sequence number of the event. - The sequence number is a value published by some event sources, to make the exact ordering of events unambiguous, regardless of the timestamp precision. - name: event.sequence - type: long -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. - `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. This will allow proper categorization of some events that fall in multiple event types. - name: event.type - normalize: - - array - type: keyword -- description: |- - Name of the directory the group is a member of. - For example, an LDAP or Active Directory domain name. 
- name: group.domain - type: keyword -- description: Unique identifier for the group on the system/platform. - name: group.id - type: keyword -- description: Name of the group. - name: group.name - type: keyword -- description: |- - Name of the host. - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. - name: host.name - type: keyword -- description: |- - Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. - If the event wasn't read from a log file, do not populate this field. - name: log.file.path - type: keyword -- description: |- - Original log level of the log event. - If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). - Some examples are `warn`, `err`, `i`, `informational`. - name: log.level - type: keyword -- description: |- - Array of process arguments, starting with the absolute path to the executable. - May be filtered to protect sensitive information. - name: process.args - normalize: - - array - type: keyword -- description: |- - Length of the process.args array. - This field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. More arguments may be an indication of suspicious activity. - name: process.args_count - type: long -- description: |- - Full command line that started the process, including the absolute path to the executable, and all arguments. - Some arguments may be filtered to protect sensitive information. - multi_fields: - - name: text - type: match_only_text - name: process.command_line - type: wildcard -- description: |- - Unique identifier for the process. 
- The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. - Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. - name: process.entity_id - type: keyword -- description: Absolute path to the process executable. - multi_fields: - - name: text - type: match_only_text - name: process.executable - type: keyword -- description: |- - Process name. - Sometimes called program name or similar. - multi_fields: - - name: text - type: match_only_text - name: process.name - type: keyword -- description: Absolute path to the process executable. - multi_fields: - - name: text - type: match_only_text - name: process.parent.executable - type: keyword -- description: |- - Process name. - Sometimes called program name or similar. - multi_fields: - - name: text - type: match_only_text - name: process.parent.name - type: keyword -- description: Process id. - name: process.pid - type: long -- description: |- - Process title. - The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. - multi_fields: - - name: text - type: match_only_text - name: process.title - type: keyword -- description: All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). - name: related.hash - normalize: - - array - type: keyword -- description: All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. - name: related.hosts - normalize: - - array - type: keyword -- description: All of the IPs seen on your event. 
- name: related.ip - normalize: - - array - type: ip -- description: All the user names or other user identifiers seen on the event. - name: related.user - normalize: - - array - type: keyword -- description: |- - Name of the service data is collected from. - The name of the service is normally user given. This allows for distributed services that run on multiple hosts to correlate the related instances based on the name. - In the case of Elasticsearch the `service.name` could contain the cluster name. For Beats the `service.name` is by default a copy of the `service.type` field if no name is specified. - name: service.name - type: keyword -- description: |- - The type of the service data is collected from. - The type can be used to group and correlate logs and metrics from one service type. - Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. - name: service.type - type: keyword -- description: |- - The domain name of the source system. - This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. - name: source.domain - type: keyword -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: Port of the source. - name: source.port - type: long -- description: |- - Name of the directory the user is a member of. - For example, an LDAP or Active Directory domain name. - name: user.domain - type: keyword -- description: Unique identifier of the user. - name: user.id - type: keyword -- description: Short name or login of the user. - multi_fields: - - name: text - type: match_only_text - name: user.name - type: keyword -- description: |- - Name of the directory the group is a member of. - For example, an LDAP or Active Directory domain name. - name: user.target.group.domain - type: keyword -- description: Unique identifier for the group on the system/platform. 
- name: user.target.group.id
- type: keyword
-- description: Name of the group.
- name: user.target.group.name
- type: keyword
-- description: Short name or login of the user.
- multi_fields:
- - name: text
- type: match_only_text
- name: user.target.name
- type: keyword
diff --git a/packages/hid_bravura_monitor/1.2.2/data_stream/winlog/fields/fields.yml b/packages/hid_bravura_monitor/1.2.2/data_stream/winlog/fields/fields.yml
deleted file mode 100755
index c2676bab52..0000000000
--- a/packages/hid_bravura_monitor/1.2.2/data_stream/winlog/fields/fields.yml
+++ /dev/null
@@ -1,6 +0,0 @@
-- name: winlog.symbolic_id
- type: keyword
- description: Symbolic event id
-- name: message
- type: keyword
- description: initial raw message
diff --git a/packages/hid_bravura_monitor/1.2.2/data_stream/winlog/fields/winlog.yml b/packages/hid_bravura_monitor/1.2.2/data_stream/winlog/fields/winlog.yml
deleted file mode 100755
index 9d6d57c747..0000000000
--- a/packages/hid_bravura_monitor/1.2.2/data_stream/winlog/fields/winlog.yml
+++ /dev/null
@@ -1,344 +0,0 @@ -- name: winlog - type: group - description: > - All fields specific to the Windows Event Log are defined here. - - fields: - - name: api - required: true - type: keyword - description: > - The event log API type used to read the record. The possible values are "wineventlog" for the Windows Event Log API or "eventlogging" for the Event Logging API. - - The Event Logging API was designed for Windows Server 2003 or Windows 2000 operating systems. In Windows Vista, the event logging infrastructure was redesigned. On Windows Vista or later operating systems, the Windows Event Log API is used. Winlogbeat automatically detects which API to use for reading event logs. - - - name: activity_id - type: keyword - required: false - description: > - A globally unique identifier that identifies the current activity. The events that are published with this identifier are part of the same activity. - - - name: channel - type: keyword - required: true - description: > - The name of the channel from which this record was read. This value is one of the names from the `event_logs` collection in the configuration. - - - name: computer_name - type: keyword - required: true - description: > - The name of the computer that generated the record. When using Windows event forwarding, this name can differ from `agent.hostname`. - - - name: computerObject - type: group - description: > - computer Object data - - fields: - - name: domain - type: keyword - - name: id - type: keyword - - name: name - type: keyword - - name: event_data - type: object - object_type: keyword - required: false - description: > - The event-specific data. This field is mutually exclusive with `user_data`. If you are capturing event data on versions prior to Windows Vista, the parameters in `event_data` are named `param1`, `param2`, and so on, because event log parameters are unnamed in earlier versions of Windows. 
- - - name: event_data - type: group - description: > - This is a non-exhaustive list of parameters that are used in Windows events. By having these fields defined in the template they can be used in dashboards and machine-learning jobs. - - fields: - - name: Account - type: keyword - description: An object on a target system that establishes a user’s identity on that target system. - - name: Action - type: keyword - - name: ActionId - type: keyword - - name: Arguments - type: keyword - - name: AuthChain - type: keyword - description: Authentication chains offer a flexible authentication infrastructure, allowing you to customize the end-user authentication experience. An authentication chain contains authentication methods offered by available authentication modules. - - name: AuthUser - type: keyword - description: Authentication user. - - name: BatchSig - type: keyword - description: Request batch ID. - - name: Binding - type: keyword - - name: CanceledBy - type: keyword - description: The user who canceled the request. - - name: ChangedBy - type: keyword - description: The user who made the change. - - name: Checkout - type: keyword - - name: ClientIPs - type: ip - - name: DelayThreshold - type: long - - name: Description - type: keyword - - name: EffectiveUser - type: keyword - - name: ErrorCode - type: keyword - - name: Event - type: keyword - - name: EventID - type: keyword - - name: FailedTargets - type: keyword - - name: GroupSet - type: keyword - - name: Hostname - type: keyword - - name: Identity - type: keyword - description: Identify users. - - name: Initiator - type: keyword - - name: Instance - type: keyword - - name: Issuer - type: keyword - - name: Language - type: keyword - description: Language used. - - name: LoginURL - type: keyword - description: User login URL. - - name: LogonDomain - type: keyword - - name: LogonSystem - type: keyword - - name: LogonUser - type: keyword - - name: MAQ - type: keyword - description: Account set access. 
- - name: Message - type: keyword - - name: MessageType - type: keyword - - name: Method - type: keyword - - name: Module - type: keyword - - name: Node - type: keyword - - name: Operation - type: keyword - - name: Orchestration - type: keyword - description: Subscriber orchestration. - - name: OSLogin - type: keyword - - name: OTPLogin - type: keyword - description: API login. - - name: Owner - type: keyword - - name: Platform - type: keyword - - name: Policy - type: keyword - - name: Port - type: keyword - - name: Procedure - type: keyword - - name: Profile - type: keyword - - name: QSetID - type: keyword - description: Question set ID. - - name: QSetType - type: keyword - description: Question set type. - - name: QueueDelay - type: long - description: Database replication queue delay. - - name: QueueSize - type: long - description: Database replication queue size. - - name: QueueType - type: keyword - description: Database replication queue type. - - name: Reason - type: keyword - - name: Recipient - type: keyword - description: Recipient of the request. - - name: Replica - type: keyword - description: Replica database or server. - - name: Requester - type: keyword - - name: RequestID - type: keyword - - name: Result - type: keyword - - name: RevokedBy - type: keyword - description: Workflow request has been revoked by. - - name: Runtime - type: long - - name: SessionID - type: keyword - - name: Skin - type: keyword - description: Skin for Bravura Security Fabric instance. - - name: Source - type: keyword - - name: SPFolder - type: keyword - description: Service provider folder. - - name: StoredProc - type: keyword - description: Stored procedure. - - name: System - type: keyword - - name: Target - type: keyword - - name: TargetName - type: keyword - - name: TermintedBy - type: keyword - description: Request terminated by. 
- - name: Type - type: keyword - - name: URI - type: keyword - description: The HTTP(S) address of the SOAP API of the Bravura Security Fabric server. - - name: WaterMark - type: keyword - description: Database replication watermark. - - name: Workstation - type: keyword - - name: event_id - type: keyword - required: true - description: > - The event identifier. The value is specific to the source of the event. - - - name: keywords - type: keyword - required: false - description: > - The keywords are used to classify an event. - - - name: level - type: keyword - required: false - description: > - The event severity. Levels are Critical, Error, Warning and Information, Verbose - - - name: outcome - type: keyword - required: false - description: > - Success or Failure of the event. - - - name: record_id - type: keyword - required: true - description: > - The record ID of the event log record. The first record written to an event log is record number 1, and other records are numbered sequentially. If the record number reaches the maximum value (2^32^ for the Event Logging API and 2^64^ for the Windows Event Log API), the next record number will be 0. - - - name: related_activity_id - type: keyword - required: false - description: > - A globally unique identifier that identifies the activity to which control was transferred to. The related events would then have this identifier as their `activity_id` identifier. - - - name: opcode - type: keyword - required: false - description: > - The opcode defined in the event. Task and opcode are typically used to identify the location in the application from where the event was logged. - - - name: provider_guid - type: keyword - required: false - description: > - A globally unique identifier that identifies the provider that logged the event. - - - name: process.pid - type: long - required: false - description: > - The process_id of the Client Server Runtime Process. 
- - - name: provider_name - type: keyword - required: true - description: > - The source of the event log record (the application or service that logged the record). - - - name: task - type: keyword - required: false - description: > - The task defined in the event. Task and opcode are typically used to identify the location in the application from where the event was logged. The category used by the Event Logging API (on pre Windows Vista operating systems) is written to this field. - - - name: time_created - type: keyword - required: false - description: > - Time event was created - - - name: trustAttribute - type: keyword - required: false - - name: trustDirection - type: keyword - required: false - - name: trustType - type: keyword - required: false - - name: process.thread.id - type: long - required: false - - name: user_data - type: object - object_type: keyword - required: false - description: > - The event specific data. This field is mutually exclusive with `event_data`. - - - name: user.identifier - type: keyword - description: > - Identifier of the user associated with this event. - - - name: user.name - type: keyword - description: > - Name of the user associated with this event. - - - name: user.domain - type: keyword - required: false - description: > - The domain that the account associated with this event is a member of. - - - name: user.type - type: keyword - required: false - description: > - The type of account associated with this event. - - - name: version - type: long - required: false - description: The version number of the event's definition. diff --git a/packages/hid_bravura_monitor/1.2.2/data_stream/winlog/manifest.yml b/packages/hid_bravura_monitor/1.2.2/data_stream/winlog/manifest.yml deleted file mode 100755 index 9600e70d24..0000000000 --- a/packages/hid_bravura_monitor/1.2.2/data_stream/winlog/manifest.yml +++ /dev/null 
@@ -1,37 +0,0 @@
-type: logs
-title: Hitachi ID Security Fabric logs
-streams:
- - input: winlog
- template_path: winlog.yml.hbs
- title: Hitachi ID Operational
- description: 'Collect Hitachi-Hitachi ID Systems-Hitachi ID Suite/Operational channel logs'
- vars:
- - name: event_id
- type: text
- title: Event ID
- multi: false
- required: false
- show_user: false
- description: >-
- A list of included and excluded (blocked) event IDs. The value is a comma-separated list. The accepted values are single event IDs to include (e.g. 4624), a range of event IDs to include (e.g. 4700-4800), and single event IDs to exclude (e.g. -4735). Limit 22 IDs.
- - name: preserve_original_event
- required: true
- show_user: true
- title: Preserve original event
- description: Preserves a raw copy of the original event, added to the field `event.original`
- type: bool
- multi: false
- default: false
- - name: processors
- type: yaml
- title: Processors
- multi: false
- required: false
- show_user: false
- description: >-
- Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
- - name: tags
- type: text
- title: Tags
- multi: true
- show_user: false
diff --git a/packages/hid_bravura_monitor/1.2.2/data_stream/winlog/sample_event.json b/packages/hid_bravura_monitor/1.2.2/data_stream/winlog/sample_event.json
deleted file mode 100755
index 0fdff9a525..0000000000
--- a/packages/hid_bravura_monitor/1.2.2/data_stream/winlog/sample_event.json
+++ /dev/null
@@ -1,90 +0,0 @@
-{
- "@timestamp": "2021-10-29T14:05:50.739Z",
- "cloud": {
- "provider": "aws",
- "instance": {
- "id": "i-043997b05c5fa45ee"
- },
- "machine": {
- "type": "t3a.xlarge"
- },
- "region": "us-east-1",
- "availability_zone": "us-east-1a",
- "account": {
- "id": "753231555564"
- },
- "image": {
- "id": "ami-0e6ddc753bf04d004"
- }
- },
- "log": {
- "level": "information"
- },
- "message": "User successfully logged in.|Profile=JOHND|Language=|Skin=",
- "winlog": {
- "record_id": 1548167,
- "api": "wineventlog",
- "opcode": "Info",
- "provider_guid": "{5a744344-18a9-480d-8a3a-0560ac58b841}",
- "channel": "Hitachi-Hitachi ID Systems-Hitachi ID Suite/Operational",
- "activity_id": "{4ffdfadd-63f2-41b2-9a4f-13534a729c54}",
- "user": {
- "identifier": "S-1-5-21-1512184445-966971527-3399726218-1035",
- "name": "psadmin",
- "domain": "DOMAIN1",
- "type": "User"
- },
- "event_data": {
- "Module": "psf.exe",
- "Profile": "JOHND",
- "Instance": "pmim"
- },
- "event_id": 92,
- "computer_name": "hitachi1.corp",
- "provider_name": "Hitachi-Hitachi ID Systems-Hitachi ID Suite",
- "task": "",
- "process": {
- "pid": 6368,
- "thread": {
- "id": 9064
- }
- }
- },
- "event": {
- "kind": "event",
- "code": 92,
- "provider": "Hitachi-Hitachi ID Systems-Hitachi ID Suite",
- "created": "2021-10-29T14:05:52.111Z"
- },
- "host": {
- "name": "hitachi1.corp",
- "architecture": "x86_64",
- "os": {
- "family": "windows",
- "name": "Windows Server 2019 Datacenter",
- "kernel": "10.0.17763.1999 (WinBuild.160101.0800)",
- "build": "17763.1999",
- "platform": "windows",
- "version": "10.0"
- },
- "id": "a9d2b7f5-6d62-46b3-8fbe-35a7e83d1dc8",
- "ip": [
- "0.0.0.0"
- ],
- "mac": [
- "0a:a5:af:ad:d3:ab"
- ],
- "hostname": "node1"
- },
- "agent": {
- "version": "8.0.0",
- "hostname": "node1",
- "ephemeral_id": "d061bfcf-e51b-4586-9ace-3d5b15f86e37",
- "id": "aa12ad42-61bc-466c-8887-1a15d4646fc7",
- "name": "node1",
- "type": "filebeat"
- },
- "ecs": {
- "version": "8.3.0"
- }
-}
\ No
newline at end of file
diff --git a/packages/hid_bravura_monitor/1.2.2/docs/README.md b/packages/hid_bravura_monitor/1.2.2/docs/README.md
deleted file mode 100755
index d13aef5154..0000000000
--- a/packages/hid_bravura_monitor/1.2.2/docs/README.md
+++ /dev/null
@@ -1,728 +0,0 @@ -# Hitachi ID Bravura Monitor Integration - -The Hitachi ID Bravura Monitor integration fetches and parses logs from a [Bravura Security Fabric](https://docs.hitachi-id.net/#/index/10/11) instance. - -When you run the integration, it performs the following tasks automatically: - -* Sets the default paths to the log files (you can override the -defaults) - -* Makes sure each multiline log event gets sent as a single event - -* Uses ingest pipelines to parse and process the log lines, shaping the data into a structure suitable -for visualizing in Kibana - -* Deploys dashboards for visualizing the log data - -## Compatibility - -The Hitachi ID Bravura Monitor integration was tested with logs from `Bravura Security Fabric 12.3.0` running on Windows Server 2016. - -The integration was also tested with Bravura Security Fabric/IDM Suite 11.x, 12.x series. - -This integration is not available for Linux or Mac. - -The integration is by default configured to read logs files stored in the `default` instance log directory. -However it can be configured for any file path. See the following example. 
- -```yaml -- id: b5e895ed-0726-4fa3-870c-464379d1c27b - name: hid_bravura_monitor-1 - revision: 1 - type: filestream - use_output: default - meta: - package: - name: hid_bravura_monitor - version: 1.0.0 - data_stream: - namespace: default - streams: - - id: >- - filestream-hid_bravura_monitor.log-b5e895ed-0726-4fa3-870c-464379d1c27b - data_stream: - dataset: hid_bravura_monitor.log - type: logs - paths: - - 'C:/Program Files/Hitachi ID/IDM Suite/Logs/default*/idmsuite*.log' - prospector.scanner.exclude_files: - - .gz$ - line_terminator: carriage_return_line_feed - tags: null - processors: - - add_fields: - target: '' - fields: - hid_bravura_monitor.instancename: default - hid_bravura_monitor.node: 0.0.0.0 - hid_bravura_monitor.environment: PRODUCTION - hid_bravura_monitor.instancetype: Privilege-Identity-Password - event.timezone: UTC - parsers: - - multiline: - type: pattern - pattern: '^[[:cntrl:]]' - negate: true - match: after -``` - -*`hid_bravura_monitor.instancename`* - -The name of the Bravura Security Fabric instance. The default is `default`. For example: - -```yaml -processors: - - add_fields: - target: '' - fields: - hid_bravura_monitor.instancename: default - ... -``` - -*`hid_bravura_monitor.node`* - -The address of the instance node. If the default `0.0.0.0` is left, the value is filled with `host.name`. For example: - -```yaml -processors: - - add_fields: - target: '' - fields: - hid_bravura_monitor.node: 127.0.0.1 - ... -``` - -*`event.timezone`* - -The timezone for the given instance server. The default is `UTC`. For example: - -```yaml -processors: - - add_fields: - target: '' - fields: - event.timezone: Canada/Mountain - ... -``` - -*`hid_bravura_monitor.environment`* - -The environment of the Bravura Security Fabric instance; choices are DEVELOPMENT, TESTING, PRODUCTION. The default is `PRODUCTION`. For example: - -```yaml -processors: - - add_fields: - target: '' - fields: - hid_bravura_monitor.environment: DEVELOPMENT - ... 
-``` - -*`hid_bravura_monitor.instancetype`* - -The type of Bravura Security Fabric instance installed; choices are any combinations of Privilege, Identity or Password. The default is `Privilege-Identity-Password`. For example: - -```yaml -processors: - - add_fields: - target: '' - fields: - hid_bravura_monitor.instancetype: Identity - ... -``` - -*`paths`* - -An array of glob-based paths that specify where to look for the log files. All -patterns supported by [Go Glob](https://golang.org/pkg/path/filepath/#Glob) -are also supported here. - -For example, you can use wildcards to fetch all files -from a predefined level of subdirectories: `/path/to/log/*/*.log`. This -fetches all `.log` files from the subfolders of `/path/to/log`. It does not -fetch log files from the `/path/to/log` folder itself. If this setting is left -empty, the integration will choose log paths based on your operating system. - -## Logs - -### log - -The `log` dataset collects the Hitachi ID Bravura Security Fabric application logs. 
- -An example event for `log` looks as following: - -```json -{ - "@timestamp": "2021-01-16T00:35:25.258Z", - "agent": { - "ephemeral_id": "00124c53-af5e-4d5f-818c-ff189690109e", - "hostname": "docker-fleet-agent", - "id": "9bcd741c-af93-434c-ad55-1ec23d08ab89", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "7.16.0" - }, - "data_stream": { - "dataset": "hid_bravura_monitor.log", - "namespace": "ep", - "type": "logs" - }, - "ecs": { - "version": "8.3.0" - }, - "elastic_agent": { - "id": "9bcd741c-af93-434c-ad55-1ec23d08ab89", - "snapshot": true, - "version": "7.16.0" - }, - "event": { - "agent_id_status": "verified", - "dataset": "hid_bravura_monitor.log", - "ingested": "2021-10-29T18:19:35Z", - "original": "\u00182021-01-16 00:35:25.258.7085 - [] pamlws.exe [44408,52004] Error: LWS [HID-TEST] foundcomputer record not found", - "timezone": "UTC" - }, - "hid_bravura_monitor": { - "environment": "PRODUCTION", - "instancename": "default", - "instancetype": "Privilege-Identity-Password", - "node": "docker-fleet-agent" - }, - "host": { - "architecture": "x86_64", - "containerized": true, - "hostname": "docker-fleet-agent", - "id": "3bfbf225479aac5f850ea38f5d9d8a02", - "ip": [ - "192.168.192.7" - ], - "mac": [ - "02:42:c0:a8:c0:07" - ], - "name": "docker-fleet-agent", - "os": { - "codename": "Core", - "family": "redhat", - "kernel": "5.10.16.3-microsoft-standard-WSL2", - "name": "CentOS Linux", - "platform": "centos", - "type": "linux", - "version": "7 (Core)" - } - }, - "input": { - "type": "filestream" - }, - "log": { - "file": { - "path": "/tmp/service_logs/hid_bravura_monitor.log" - }, - "level": "Error", - "logger": "pamlws.exe", - "offset": 218 - }, - "message": "LWS [HID-TEST] foundcomputer record not found", - "process": { - "pid": 44408, - "thread": { - "id": 52004 - } - }, - "tags": [ - "preserve_original_event" - ], - "user": { - "id": "" - } -} -``` - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | 
Event timestamp. | date |
-| client.address | Some event client addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
-| client.domain | The domain name of the client system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword |
-| client.ip | IP address of the client (IPv4 or IPv6). | ip |
-| client.port | Port of the client. | long |
-| client.user.name | Short name or login of the user. | keyword |
-| client.user.name.text | Multi-field of `client.user.name`. | match_only_text |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
-| data_stream.dataset | Data stream dataset. | constant_keyword |
-| data_stream.namespace | Data stream namespace.
| constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
-| destination.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long |
-| destination.as.organization.name | Organization name. | keyword |
-| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. | match_only_text |
-| destination.bytes | Bytes sent from the destination to the source. | long |
-| destination.domain | The domain name of the destination system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword |
-| destination.geo.city_name | City name. | keyword |
-| destination.geo.continent_name | Name of the continent. | keyword |
-| destination.geo.country_iso_code | Country ISO code. | keyword |
-| destination.geo.country_name | Country name. | keyword |
-| destination.geo.location | Longitude and latitude. | geo_point |
-| destination.geo.region_iso_code | Region ISO code. | keyword |
-| destination.geo.region_name | Region name. | keyword |
-| destination.ip | IP address of the destination (IPv4 or IPv6). | ip |
-| destination.nat.ip | Translated ip of destination based NAT sessions (e.g. internet to private DMZ) Typically used with load balancers, firewalls, or routers. | ip |
-| destination.nat.port | Port the source session is translated to by NAT Device. Typically used with load balancers, firewalls, or routers. | long |
-| destination.port | Port of the destination.
| long |
-| destination.user.name | Short name or login of the user. | keyword |
-| destination.user.name.text | Multi-field of `destination.user.name`. | match_only_text |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| error.message | Error message. | match_only_text |
-| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword |
-| event.code | Identification code for this event, if one exists. Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. | keyword |
-| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used.
| date |
-| event.dataset | Event dataset | constant_keyword |
-| event.duration | Duration of the event in nanoseconds. If event.start and event.end are known this value should be the difference between the end and start time. | long |
-| event.end | event.end contains the date when the event ended or when the activity was last observed. | date |
-| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date |
-| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword |
-| event.module | Event module | constant_keyword |
-| event.provider | Source of the event. Event transports such as Syslog or the Windows Event Log typically mention the source of an event. It can be the name of the software that generated the event (e.g. Sysmon, httpd), or of a subsystem of the operating system (kernel, Microsoft-Windows-Security-Auditing). | keyword |
-| event.severity | The numeric severity of the event according to your event source. What the different severity values mean can be different between sources and use cases.
It's up to the implementer to make sure severities are consistent across events from the same source. The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`. | long |
-| event.start | event.start contains the date when the event started or when the activity was first observed. | date |
-| event.timezone | This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). | keyword |
-| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword |
-| file.path | Full path to the file, including the file name. It should include the drive letter, when appropriate. | keyword |
-| file.path.text | Multi-field of `file.path`.
| match_only_text |
-| hid_bravura_monitor.environment | Instance environment | keyword |
-| hid_bravura_monitor.instancename | Instance name | keyword |
-| hid_bravura_monitor.instancetype | Instance type | keyword |
-| hid_bravura_monitor.node | Node | keyword |
-| hid_bravura_monitor.perf.address | Server address | wildcard |
-| hid_bravura_monitor.perf.adminid | Administrator ID | keyword |
-| hid_bravura_monitor.perf.caller | Application caller | keyword |
-| hid_bravura_monitor.perf.dbcommand | Database command | keyword |
-| hid_bravura_monitor.perf.destination | Destination URL | wildcard |
-| hid_bravura_monitor.perf.duration | Performance duration | long |
-| hid_bravura_monitor.perf.event | Event | keyword |
-| hid_bravura_monitor.perf.exe | Executable | keyword |
-| hid_bravura_monitor.perf.file | Source file | keyword |
-| hid_bravura_monitor.perf.function | Performance function | keyword |
-| hid_bravura_monitor.perf.kernel | Kernel Time | long |
-| hid_bravura_monitor.perf.kind | Performance type (ie. PerfExe, PerfAjax, PerfFileRep, etc.) | keyword |
-| hid_bravura_monitor.perf.line | Line number | long |
-| hid_bravura_monitor.perf.message | Performance message | wildcard |
-| hid_bravura_monitor.perf.message.keyword | Multi-field of `hid_bravura_monitor.perf.message`.
| keyword |
-| hid_bravura_monitor.perf.operation | Operation | keyword |
-| hid_bravura_monitor.perf.receivequeue | Receive queue | keyword |
-| hid_bravura_monitor.perf.records | Database records | long |
-| hid_bravura_monitor.perf.result | Result | long |
-| hid_bravura_monitor.perf.sessionid | Session ID | keyword |
-| hid_bravura_monitor.perf.sysid | System ID | keyword |
-| hid_bravura_monitor.perf.table | Database table | keyword |
-| hid_bravura_monitor.perf.targetid | Target ID | keyword |
-| hid_bravura_monitor.perf.transid | Transaction ID | keyword |
-| hid_bravura_monitor.perf.type | IDWFM type | keyword |
-| hid_bravura_monitor.perf.user | User time | long |
-| hid_bravura_monitor.request.id | Request ID | keyword |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string.
| keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| input.type | Input type. | keyword |
-| labels | Custom key/value pairs. Can be used to add meta information to events. Should not contain nested objects. All values are stored as keyword. Example: `docker` and `k8s` labels. | object |
-| log.file.path | Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. | keyword |
-| log.flags | Flags for the log file. | keyword |
-| log.level | Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). Some examples are `warn`, `err`, `i`, `informational`. | keyword |
-| log.logger | The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. | keyword |
-| log.offset | Offset of the entry in the log file. | long |
-| log.source.address | Source address from which the log event was read / sent from. | keyword |
-| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event.
If multiple messages exist, they can be combined into one message. | match_only_text |
-| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long |
-| network.direction | Direction of the network traffic. When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword |
-| network.iana_number | IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. | keyword |
-| network.inner | Network.inner fields are added in addition to network.vlan fields to describe the innermost VLAN when q-in-q VLAN tagging is present. Allowed fields include vlan.id and vlan.name. Inner vlan fields are typically used when sending traffic with multiple 802.1q encapsulations to a network sensor (e.g. Zeek, Wireshark.) | object |
-| network.inner.vlan.id | VLAN ID as reported by the observer. | keyword |
-| network.inner.vlan.name | Optional VLAN name as reported by the observer. | keyword |
-| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying.
| keyword |
-| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword |
-| network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword |
-| observer.egress.interface.name | Interface name as reported by the system. | keyword |
-| observer.egress.zone | Network zone of outbound traffic as reported by the observer to categorize the destination area of egress traffic, e.g. Internal, External, DMZ, HR, Legal, etc. | keyword |
-| observer.hostname | Hostname of the observer. | keyword |
-| observer.ingress.interface.name | Interface name as reported by the system. | keyword |
-| observer.ingress.zone | Network zone of incoming traffic as reported by the observer to categorize the source area of ingress traffic. e.g. internal, External, DMZ, HR, Legal, etc. | keyword |
-| observer.ip | IP addresses of the observer. | ip |
-| observer.name | Custom name of the observer. This is a name that can be given to an observer. This can be helpful for example if multiple firewalls of the same model are used in an organization. If no custom name is needed, the field can be left empty. | keyword |
-| observer.product | The product name of the observer. | keyword |
-| observer.type | The type of the observer the data is coming from. There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. | keyword |
-| observer.vendor | Vendor name of the observer. | keyword |
-| observer.version | Observer version. | keyword |
-| process.name | Process name. Sometimes called program name or similar. | keyword |
-| process.name.text | Multi-field of `process.name`. | match_only_text |
-| process.pid | Process id. | long |
-| process.thread.id | Thread ID.
| long |
-| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword |
-| related.ip | All of the IPs seen on your event. | ip |
-| related.user | All the user names or other user identifiers seen on the event. | keyword |
-| server.address | Some event server addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
-| server.domain | The domain name of the server system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword |
-| server.ip | IP address of the server (IPv4 or IPv6). | ip |
-| server.port | Port of the server. | long |
-| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
-| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long |
-| source.as.organization.name | Organization name. | keyword |
-| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text |
-| source.bytes | Bytes sent from the source to the destination. | long |
-| source.domain | The domain name of the source system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword |
-| source.geo.city_name | City name.
| keyword |
-| source.geo.continent_name | Name of the continent. | keyword |
-| source.geo.country_iso_code | Country ISO code. | keyword |
-| source.geo.country_name | Country name. | keyword |
-| source.geo.location | Longitude and latitude. | geo_point |
-| source.geo.region_iso_code | Region ISO code. | keyword |
-| source.geo.region_name | Region name. | keyword |
-| source.ip | IP address of the source (IPv4 or IPv6). | ip |
-| source.nat.ip | Translated ip of source based NAT sessions (e.g. internal client to internet) Typically connections traversing load balancers, firewalls, or routers. | ip |
-| source.nat.port | Translated port of source based NAT sessions. (e.g. internal client to internet) Typically used with load balancers, firewalls, or routers. | long |
-| source.port | Port of the source. | long |
-| source.user.name | Short name or login of the user. | keyword |
-| source.user.name.text | Multi-field of `source.user.name`. | match_only_text |
-| tags | List of keywords used to tag each event. | keyword |
-| url.domain | Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. | keyword |
-| url.extension | The field contains the file extension from the original request url, excluding the leading dot. The file extension is only set if it exists, as not every url has a file extension. The leading period must not be included. For example, the value must be "png", not ".png". Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword |
-| url.fragment | Portion of the url after the `#`, such as "top". The `#` is not part of the fragment.
| keyword |
-| url.full | If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. | wildcard |
-| url.full.text | Multi-field of `url.full`. | match_only_text |
-| url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | wildcard |
-| url.original.text | Multi-field of `url.original`. | match_only_text |
-| url.password | Password of the request. | keyword |
-| url.path | Path of the request, such as "/search". | wildcard |
-| url.port | Port of the request, such as 443. | long |
-| url.query | The query field describes the query string of the request, such as "q=elasticsearch". The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. | keyword |
-| url.registered_domain | The highest registered url domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword |
-| url.scheme | Scheme of the request, such as "https". Note: The `:` is not part of the scheme. | keyword |
-| url.subdomain | The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain.
For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword |
-| url.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword |
-| url.username | Username of the request. | keyword |
-| user.email | User email address. | keyword |
-| user.id | Unique identifier of the user. | keyword |
-| user.name | Short name or login of the user. | keyword |
-| user.name.text | Multi-field of `user.name`. | match_only_text |
-
-
-### winlog
-
-The `winglog` dataset collects the Hitachi ID Bravura Security Fabric event logs.
-
-An example event for `winlog` looks as following:
-
-```json
-{
- "@timestamp": "2021-10-29T14:05:50.739Z",
- "cloud": {
- "provider": "aws",
- "instance": {
- "id": "i-043997b05c5fa45ee"
- },
- "machine": {
- "type": "t3a.xlarge"
- },
- "region": "us-east-1",
- "availability_zone": "us-east-1a",
- "account": {
- "id": "753231555564"
- },
- "image": {
- "id": "ami-0e6ddc753bf04d004"
- }
- },
- "log": {
- "level": "information"
- },
- "message": "User successfully logged in.|Profile=JOHND|Language=|Skin=",
- "winlog": {
- "record_id": 1548167,
- "api": "wineventlog",
- "opcode": "Info",
- "provider_guid": "{5a744344-18a9-480d-8a3a-0560ac58b841}",
- "channel": "Hitachi-Hitachi ID Systems-Hitachi ID Suite/Operational",
- "activity_id": "{4ffdfadd-63f2-41b2-9a4f-13534a729c54}",
- "user": {
- "identifier": "S-1-5-21-1512184445-966971527-3399726218-1035",
- "name": "psadmin",
- "domain": "DOMAIN1",
- "type": "User"
- },
- "event_data": {
- "Module": "psf.exe",
- "Profile": "JOHND",
- "Instance": "pmim"
- },
- "event_id": 92,
- "computer_name": "hitachi1.corp",
- "provider_name": "Hitachi-Hitachi ID Systems-Hitachi ID Suite",
- "task": "",
- "process": {
- "pid": 6368,
- "thread": {
- "id": 9064
- }
- }
- },
- "event": {
- "kind": "event",
- "code": 92,
- "provider": "Hitachi-Hitachi ID Systems-Hitachi ID Suite",
- "created": "2021-10-29T14:05:52.111Z"
- },
- "host": {
- "name": "hitachi1.corp",
- "architecture": "x86_64",
- "os": {
- "family": "windows",
- "name": "Windows Server 2019 Datacenter",
- "kernel": "10.0.17763.1999 (WinBuild.160101.0800)",
- "build": "17763.1999",
- "platform": "windows",
- "version": "10.0"
- },
- "id": "a9d2b7f5-6d62-46b3-8fbe-35a7e83d1dc8",
- "ip": [
- "0.0.0.0"
- ],
- "mac": [
- "0a:a5:af:ad:d3:ab"
- ],
- "hostname": "node1"
- },
- "agent": {
- "version": "8.0.0",
- "hostname": "node1",
- "ephemeral_id": "d061bfcf-e51b-4586-9ace-3d5b15f86e37",
- "id": "aa12ad42-61bc-466c-8887-1a15d4646fc7",
- "name": "node1",
- "type": "filebeat"
- },
- "ecs": {
- "version": "8.3.0"
- }
-}
-```
-
-**Exported fields**
-
-| Field | Description | Type |
-|---|---|---|
-| @timestamp | Event timestamp. | date |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
-| data_stream.dataset | Data stream dataset name. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer.
| keyword |
-| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword |
-| event.code | Identification code for this event, if one exists. Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. | keyword |
-| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date |
-| event.dataset | Event dataset. | constant_keyword |
-| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`.
| date |
-| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword |
-| event.module | Name of the module this data is coming from. If your monitoring agent supports the concept of modules or plugins to process events of a given source (e.g. Apache logs), `event.module` should contain the name of this module. | keyword |
-| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword |
-| event.provider | Source of the event. Event transports such as Syslog or the Windows Event Log typically mention the source of an event. It can be the name of the software that generated the event (e.g.
Sysmon, httpd), or of a subsystem of the operating system (kernel, Microsoft-Windows-Security-Auditing). | keyword |
-| event.sequence | Sequence number of the event. The sequence number is a value published by some event sources, to make the exact ordering of events unambiguous, regardless of the timestamp precision. | long |
-| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword |
-| group.domain | Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name. | keyword |
-| group.id | Unique identifier for the group on the system/platform. | keyword |
-| group.name | Name of the group. | keyword |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.
| keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| input.type | Type of Filebeat input. | keyword |
-| log.file.path | Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. | keyword |
-| log.level | Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). Some examples are `warn`, `err`, `i`, `informational`. | keyword |
-| message | initial raw message | keyword |
-| process.args | Array of process arguments, starting with the absolute path to the executable. May be filtered to protect sensitive information. | keyword |
-| process.args_count | Length of the process.args array. This field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. More arguments may be an indication of suspicious activity.
| long |
-| process.command_line | Full command line that started the process, including the absolute path to the executable, and all arguments. Some arguments may be filtered to protect sensitive information. | wildcard |
-| process.command_line.text | Multi-field of `process.command_line`. | match_only_text |
-| process.entity_id | Unique identifier for the process. The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. | keyword |
-| process.executable | Absolute path to the process executable. | keyword |
-| process.executable.text | Multi-field of `process.executable`. | match_only_text |
-| process.name | Process name. Sometimes called program name or similar. | keyword |
-| process.name.text | Multi-field of `process.name`. | match_only_text |
-| process.parent.executable | Absolute path to the process executable. | keyword |
-| process.parent.executable.text | Multi-field of `process.parent.executable`. | match_only_text |
-| process.parent.name | Process name. Sometimes called program name or similar. | keyword |
-| process.parent.name.text | Multi-field of `process.parent.name`. | match_only_text |
-| process.pid | Process id. | long |
-| process.title | Process title. The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. | keyword |
-| process.title.text | Multi-field of `process.title`. | match_only_text |
-| related.hash | All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search).
| keyword |
-| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword |
-| related.ip | All of the IPs seen on your event. | ip |
-| related.user | All the user names or other user identifiers seen on the event. | keyword |
-| service.name | Name of the service data is collected from. The name of the service is normally user given. This allows for distributed services that run on multiple hosts to correlate the related instances based on the name. In the case of Elasticsearch the `service.name` could contain the cluster name. For Beats the `service.name` is by default a copy of the `service.type` field if no name is specified. | keyword |
-| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword |
-| source.domain | The domain name of the source system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword |
-| source.ip | IP address of the source (IPv4 or IPv6). | ip |
-| source.port | Port of the source. | long |
-| tags | List of keywords used to tag each event. | keyword |
-| user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword |
-| user.id | Unique identifier of the user. | keyword |
-| user.name | Short name or login of the user. | keyword |
-| user.name.text | Multi-field of `user.name`. | match_only_text |
-| user.target.group.domain | Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name. | keyword |
-| user.target.group.id | Unique identifier for the group on the system/platform.
| keyword |
-| user.target.group.name | Name of the group. | keyword |
-| user.target.name | Short name or login of the user. | keyword |
-| user.target.name.text | Multi-field of `user.target.name`. | match_only_text |
-| winlog.activity_id | A globally unique identifier that identifies the current activity. The events that are published with this identifier are part of the same activity. | keyword |
-| winlog.api | The event log API type used to read the record. The possible values are "wineventlog" for the Windows Event Log API or "eventlogging" for the Event Logging API. The Event Logging API was designed for Windows Server 2003 or Windows 2000 operating systems. In Windows Vista, the event logging infrastructure was redesigned. On Windows Vista or later operating systems, the Windows Event Log API is used. Winlogbeat automatically detects which API to use for reading event logs. | keyword |
-| winlog.channel | The name of the channel from which this record was read. This value is one of the names from the `event_logs` collection in the configuration. | keyword |
-| winlog.computerObject.domain | | keyword |
-| winlog.computerObject.id | | keyword |
-| winlog.computerObject.name | | keyword |
-| winlog.computer_name | The name of the computer that generated the record. When using Windows event forwarding, this name can differ from `agent.hostname`. | keyword |
-| winlog.event_data | The event-specific data. This field is mutually exclusive with `user_data`. If you are capturing event data on versions prior to Windows Vista, the parameters in `event_data` are named `param1`, `param2`, and so on, because event log parameters are unnamed in earlier versions of Windows. | object |
-| winlog.event_data.Account | An object on a target system that establishes a user’s identity on that target system.
| keyword |
-| winlog.event_data.Action | | keyword |
-| winlog.event_data.ActionId | | keyword |
-| winlog.event_data.Arguments | | keyword |
-| winlog.event_data.AuthChain | Authentication chains offer a flexible authentication infrastructure, allowing you to customize the end-user authentication experience. An authentication chain contains authentication methods offered by available authentication modules. | keyword |
-| winlog.event_data.AuthUser | Authentication user. | keyword |
-| winlog.event_data.BatchSig | Request batch ID. | keyword |
-| winlog.event_data.Binding | | keyword |
-| winlog.event_data.CanceledBy | The user who canceled the request. | keyword |
-| winlog.event_data.ChangedBy | The user who made the change. | keyword |
-| winlog.event_data.Checkout | | keyword |
-| winlog.event_data.ClientIPs | | ip |
-| winlog.event_data.DelayThreshold | | long |
-| winlog.event_data.Description | | keyword |
-| winlog.event_data.EffectiveUser | | keyword |
-| winlog.event_data.ErrorCode | | keyword |
-| winlog.event_data.Event | | keyword |
-| winlog.event_data.EventID | | keyword |
-| winlog.event_data.FailedTargets | | keyword |
-| winlog.event_data.GroupSet | | keyword |
-| winlog.event_data.Hostname | | keyword |
-| winlog.event_data.Identity | Identify users. | keyword |
-| winlog.event_data.Initiator | | keyword |
-| winlog.event_data.Instance | | keyword |
-| winlog.event_data.Issuer | | keyword |
-| winlog.event_data.Language | Language used. | keyword |
-| winlog.event_data.LoginURL | User login URL. | keyword |
-| winlog.event_data.LogonDomain | | keyword |
-| winlog.event_data.LogonSystem | | keyword |
-| winlog.event_data.LogonUser | | keyword |
-| winlog.event_data.MAQ | Account set access.
| keyword |
-| winlog.event_data.Message | | keyword |
-| winlog.event_data.MessageType | | keyword |
-| winlog.event_data.Method | | keyword |
-| winlog.event_data.Module | | keyword |
-| winlog.event_data.Node | | keyword |
-| winlog.event_data.OSLogin | | keyword |
-| winlog.event_data.OTPLogin | API login. | keyword |
-| winlog.event_data.Operation | | keyword |
-| winlog.event_data.Orchestration | Subscriber orchestration. | keyword |
-| winlog.event_data.Owner | | keyword |
-| winlog.event_data.Platform | | keyword |
-| winlog.event_data.Policy | | keyword |
-| winlog.event_data.Port | | keyword |
-| winlog.event_data.Procedure | | keyword |
-| winlog.event_data.Profile | | keyword |
-| winlog.event_data.QSetID | Question set ID. | keyword |
-| winlog.event_data.QSetType | Question set type. | keyword |
-| winlog.event_data.QueueDelay | Database replication queue delay. | long |
-| winlog.event_data.QueueSize | Database replication queue size. | long |
-| winlog.event_data.QueueType | Database replication queue type. | keyword |
-| winlog.event_data.Reason | | keyword |
-| winlog.event_data.Recipient | Recipient of the request. | keyword |
-| winlog.event_data.Replica | Replica database or server. | keyword |
-| winlog.event_data.RequestID | | keyword |
-| winlog.event_data.Requester | | keyword |
-| winlog.event_data.Result | | keyword |
-| winlog.event_data.RevokedBy | Workflow request has been revoked by. | keyword |
-| winlog.event_data.Runtime | | long |
-| winlog.event_data.SPFolder | Service provider folder. | keyword |
-| winlog.event_data.SessionID | | keyword |
-| winlog.event_data.Skin | Skin for Bravura Security Fabric instance. | keyword |
-| winlog.event_data.Source | | keyword |
-| winlog.event_data.StoredProc | Stored procedure. | keyword |
-| winlog.event_data.System | | keyword |
-| winlog.event_data.Target | | keyword |
-| winlog.event_data.TargetName | | keyword |
-| winlog.event_data.TermintedBy | Request terminated by. 
| keyword |
-| winlog.event_data.Type | | keyword |
-| winlog.event_data.URI | The HTTP(S) address of the SOAP API of the Bravura Security Fabric server. | keyword |
-| winlog.event_data.WaterMark | Database replication watermark. | keyword |
-| winlog.event_data.Workstation | | keyword |
-| winlog.event_id | The event identifier. The value is specific to the source of the event. | keyword |
-| winlog.keywords | The keywords are used to classify an event. | keyword |
-| winlog.level | The event severity. Levels are Critical, Error, Warning and Information, Verbose | keyword |
-| winlog.opcode | The opcode defined in the event. Task and opcode are typically used to identify the location in the application from where the event was logged. | keyword |
-| winlog.outcome | Success or Failure of the event. | keyword |
-| winlog.process.pid | The process_id of the Client Server Runtime Process. | long |
-| winlog.process.thread.id | | long |
-| winlog.provider_guid | A globally unique identifier that identifies the provider that logged the event. | keyword |
-| winlog.provider_name | The source of the event log record (the application or service that logged the record). | keyword |
-| winlog.record_id | The record ID of the event log record. The first record written to an event log is record number 1, and other records are numbered sequentially. If the record number reaches the maximum value (2^32^ for the Event Logging API and 2^64^ for the Windows Event Log API), the next record number will be 0. | keyword |
-| winlog.related_activity_id | A globally unique identifier that identifies the activity to which control was transferred to. The related events would then have this identifier as their `activity_id` identifier. | keyword |
-| winlog.symbolic_id | Symbolic event id | keyword |
-| winlog.task | The task defined in the event. Task and opcode are typically used to identify the location in the application from where the event was logged. 
The category used by the Event Logging API (on pre Windows Vista operating systems) is written to this field. | keyword |
-| winlog.time_created | Time event was created | keyword |
-| winlog.trustAttribute | | keyword |
-| winlog.trustDirection | | keyword |
-| winlog.trustType | | keyword |
-| winlog.user.domain | The domain that the account associated with this event is a member of. | keyword |
-| winlog.user.identifier | Identifier of the user associated with this event. | keyword |
-| winlog.user.name | Name of the user associated with this event. | keyword |
-| winlog.user.type | The type of account associated with this event. | keyword |
-| winlog.user_data | The event specific data. This field is mutually exclusive with `event_data`. | object |
-| winlog.version | The version number of the event's definition. | long |
diff --git a/packages/hid_bravura_monitor/1.2.2/img/kibana-hid_bravura_monitor-admin.png b/packages/hid_bravura_monitor/1.2.2/img/kibana-hid_bravura_monitor-admin.png
deleted file mode 100755
index f4596df81e..0000000000
Binary files a/packages/hid_bravura_monitor/1.2.2/img/kibana-hid_bravura_monitor-admin.png and /dev/null differ
diff --git a/packages/hid_bravura_monitor/1.2.2/img/kibana-hid_bravura_monitor-connectors.png b/packages/hid_bravura_monitor/1.2.2/img/kibana-hid_bravura_monitor-connectors.png
deleted file mode 100755
index ccdc4d043a..0000000000
Binary files a/packages/hid_bravura_monitor/1.2.2/img/kibana-hid_bravura_monitor-connectors.png and /dev/null differ
diff --git a/packages/hid_bravura_monitor/1.2.2/img/kibana-hid_bravura_monitor-db-replication.png b/packages/hid_bravura_monitor/1.2.2/img/kibana-hid_bravura_monitor-db-replication.png
deleted file mode 100755
index 46507bebc3..0000000000
Binary files a/packages/hid_bravura_monitor/1.2.2/img/kibana-hid_bravura_monitor-db-replication.png and /dev/null differ
diff --git a/packages/hid_bravura_monitor/1.2.2/img/kibana-hid_bravura_monitor-log-issues.png b/packages/hid_bravura_monitor/1.2.2/img/kibana-hid_bravura_monitor-log-issues.png deleted file mode 100755 index c69ee309e5..0000000000 Binary files a/packages/hid_bravura_monitor/1.2.2/img/kibana-hid_bravura_monitor-log-issues.png and /dev/null differ diff --git a/packages/hid_bravura_monitor/1.2.2/img/kibana-hid_bravura_monitor-overview.png b/packages/hid_bravura_monitor/1.2.2/img/kibana-hid_bravura_monitor-overview.png deleted file mode 100755 index c56709bf9b..0000000000 Binary files a/packages/hid_bravura_monitor/1.2.2/img/kibana-hid_bravura_monitor-overview.png and /dev/null differ diff --git a/packages/hid_bravura_monitor/1.2.2/img/logo_hid_bravura_monitor.svg b/packages/hid_bravura_monitor/1.2.2/img/logo_hid_bravura_monitor.svg deleted file mode 100755 index d5f6071f00..0000000000 --- a/packages/hid_bravura_monitor/1.2.2/img/logo_hid_bravura_monitor.svg +++ /dev/null @@ -1,21 +0,0 @@ - - - - - - - diff --git a/packages/hid_bravura_monitor/1.2.2/kibana/dashboard/hid_bravura_monitor-0665f160-f956-11eb-a1ab-1964dffd1499.json b/packages/hid_bravura_monitor/1.2.2/kibana/dashboard/hid_bravura_monitor-0665f160-f956-11eb-a1ab-1964dffd1499.json deleted file mode 100755 index dc0de076a5..0000000000 --- a/packages/hid_bravura_monitor/1.2.2/kibana/dashboard/hid_bravura_monitor-0665f160-f956-11eb-a1ab-1964dffd1499.json +++ /dev/null 
@@ -1,45 +0,0 @@ -{ - "attributes": { - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"16ceee80-adfc-4ecd-99f4-3f3160dce1f4\",\"w\":48,\"x\":0,\"y\":0},\"panelIndex\":\"16ceee80-adfc-4ecd-99f4-3f3160dce1f4\",\"panelRefName\":\"panel_0\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":19,\"i\":\"b64ac48c-d9e4-4dfa-9ddd-05117c054c44\",\"w\":16,\"x\":0,\"y\":15},\"panelIndex\":\"b64ac48c-d9e4-4dfa-9ddd-05117c054c44\",\"panelRefName\":\"panel_1\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":19,\"i\":\"8b200051-1ac1-4008-b031-ba62127cb7b4\",\"w\":16,\"x\":16,\"y\":15},\"panelIndex\":\"8b200051-1ac1-4008-b031-ba62127cb7b4\",\"panelRefName\":\"panel_2\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":19,\"i\":\"9cd7264a-0271-4e4a-9fe7-67f7fc60d349\",\"w\":16,\"x\":32,\"y\":15},\"panelIndex\":\"9cd7264a-0271-4e4a-9fe7-67f7fc60d349\",\"panelRefName\":\"panel_3\",\"version\":\"8.0.0\"}]", - "timeRestore": false, - "title": "[Bravura Monitor] Log issues - Summary", - "version": 1 - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-0665f160-f956-11eb-a1ab-1964dffd1499", - "migrationVersion": { - "dashboard": "7.15.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "hid_bravura_monitor-24823410-1464-11eb-bb7b-bb041e8cf289", - "name": "panel_0", - "type": "visualization" - }, - { - "id": "hid_bravura_monitor-76cb60d0-1463-11eb-bb7b-bb041e8cf289", - "name": "panel_1", - "type": "visualization" - }, - { - "id": "hid_bravura_monitor-a950c4e0-1464-11eb-bb7b-bb041e8cf289", - "name": "panel_2", - "type": "visualization" - }, - { - "id": 
"hid_bravura_monitor-d66fb2a0-3ed6-11eb-9549-63f6cd998f21", - "name": "panel_3", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/hid_bravura_monitor/1.2.2/kibana/dashboard/hid_bravura_monitor-0db75ff0-f9f4-11eb-a1ab-1964dffd1499.json b/packages/hid_bravura_monitor/1.2.2/kibana/dashboard/hid_bravura_monitor-0db75ff0-f9f4-11eb-a1ab-1964dffd1499.json deleted file mode 100755 index e6d8ca2d40..0000000000 --- a/packages/hid_bravura_monitor/1.2.2/kibana/dashboard/hid_bravura_monitor-0db75ff0-f9f4-11eb-a1ab-1964dffd1499.json +++ /dev/null 
@@ -1,35 +0,0 @@ -{ - "attributes": { - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":26,\"i\":\"6a0834a4-8c2b-4484-9f5e-c55faf0deac6\",\"w\":13,\"x\":0,\"y\":0},\"panelIndex\":\"6a0834a4-8c2b-4484-9f5e-c55faf0deac6\",\"panelRefName\":\"panel_0\",\"version\":\"7.11.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":26,\"i\":\"3b23d41e-170f-4423-8ba8-2971e9b68782\",\"w\":35,\"x\":13,\"y\":0},\"panelIndex\":\"3b23d41e-170f-4423-8ba8-2971e9b68782\",\"panelRefName\":\"panel_1\",\"version\":\"7.11.0\"}]", - "timeRestore": false, - "title": "[Bravura Monitor] Administrative - Disabled Profiles", - "version": 1 - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-0db75ff0-f9f4-11eb-a1ab-1964dffd1499", - "migrationVersion": { - "dashboard": "7.15.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "hid_bravura_monitor-c318d000-d83d-11eb-9e70-edcbba448215", - "name": "panel_0", - "type": "visualization" - }, - { - "id": "hid_bravura_monitor-c85815c0-d83e-11eb-9e70-edcbba448215", - "name": "panel_1", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/hid_bravura_monitor/1.2.2/kibana/dashboard/hid_bravura_monitor-1a431f90-fa01-11eb-a1ab-1964dffd1499.json b/packages/hid_bravura_monitor/1.2.2/kibana/dashboard/hid_bravura_monitor-1a431f90-fa01-11eb-a1ab-1964dffd1499.json deleted file mode 100755 index edfde69098..0000000000 --- a/packages/hid_bravura_monitor/1.2.2/kibana/dashboard/hid_bravura_monitor-1a431f90-fa01-11eb-a1ab-1964dffd1499.json +++ /dev/null 
@@ -1,40 +0,0 @@ -{ - "attributes": { - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":25,\"i\":\"6d898178-6f51-4199-ae7e-44bd35e60bc8\",\"w\":12,\"x\":0,\"y\":0},\"panelIndex\":\"6d898178-6f51-4199-ae7e-44bd35e60bc8\",\"panelRefName\":\"panel_0\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":25,\"i\":\"47c424ec-b1cc-4ab1-abfc-e9d0382a79ee\",\"w\":36,\"x\":12,\"y\":0},\"panelIndex\":\"47c424ec-b1cc-4ab1-abfc-e9d0382a79ee\",\"panelRefName\":\"panel_1\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":16,\"i\":\"70c9467e-31cb-4617-beab-2e7012046222\",\"w\":48,\"x\":0,\"y\":25},\"panelIndex\":\"70c9467e-31cb-4617-beab-2e7012046222\",\"panelRefName\":\"panel_2\",\"version\":\"8.0.0\"}]", - "timeRestore": false, - "title": "[Bravura Monitor] Database - Discovery", - "version": 1 - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-1a431f90-fa01-11eb-a1ab-1964dffd1499", - "migrationVersion": { - "dashboard": "7.15.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "hid_bravura_monitor-64035e60-25db-11eb-abcf-effcd51852fa", - "name": "panel_0", - "type": "visualization" - }, - { - "id": "hid_bravura_monitor-d3897a80-25db-11eb-abcf-effcd51852fa", - "name": "panel_1", - "type": "visualization" - }, - { - "id": "hid_bravura_monitor-3aa4b370-25db-11eb-abcf-effcd51852fa", - "name": "panel_2", - "type": "search" - } - ], - "type": "dashboard" -} \ No newline at end of file 
diff --git a/packages/hid_bravura_monitor/1.2.2/kibana/dashboard/hid_bravura_monitor-23a89d20-fa07-11eb-96cd-db0fb11a40f3.json b/packages/hid_bravura_monitor/1.2.2/kibana/dashboard/hid_bravura_monitor-23a89d20-fa07-11eb-96cd-db0fb11a40f3.json deleted file mode 100755 index 3442fffb55..0000000000 --- a/packages/hid_bravura_monitor/1.2.2/kibana/dashboard/hid_bravura_monitor-23a89d20-fa07-11eb-96cd-db0fb11a40f3.json +++ /dev/null 
@@ -1,55 +0,0 @@ -{ - "attributes": { - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":21,\"i\":\"a3abfe8b-3ddd-492a-b081-2e3a3d76e84f\",\"w\":10,\"x\":0,\"y\":0},\"panelIndex\":\"a3abfe8b-3ddd-492a-b081-2e3a3d76e84f\",\"panelRefName\":\"panel_0\",\"version\":\"7.11.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":21,\"i\":\"31e162b4-565d-4dce-90f1-e0a43ed54a70\",\"w\":38,\"x\":10,\"y\":0},\"panelIndex\":\"31e162b4-565d-4dce-90f1-e0a43ed54a70\",\"panelRefName\":\"panel_1\",\"version\":\"7.11.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":21,\"i\":\"21a44db8-a29a-4a18-b63e-ca0da9606909\",\"w\":10,\"x\":0,\"y\":21},\"panelIndex\":\"21a44db8-a29a-4a18-b63e-ca0da9606909\",\"panelRefName\":\"panel_2\",\"version\":\"7.11.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":21,\"i\":\"efaeb9a6-ef0b-4f77-b397-1c8577f38cbf\",\"w\":38,\"x\":10,\"y\":21},\"panelIndex\":\"efaeb9a6-ef0b-4f77-b397-1c8577f38cbf\",\"panelRefName\":\"panel_3\",\"version\":\"7.11.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":27,\"i\":\"1494c062-2f24-4571-8e69-793a894392d7\",\"w\":24,\"x\":0,\"y\":42},\"panelIndex\":\"1494c062-2f24-4571-8e69-793a894392d7\",\"panelRefName\":\"panel_4\",\"version\":\"7.11.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":27,\"i\":\"5fb347ad-ad70-4cfb-8023-f61468be8a07\",\"w\":24,\"x\":24,\"y\":42},\"panelIndex\":\"5fb347ad-ad70-4cfb-8023-f61468be8a07\",\"panelRefName\":\"panel_5\",\"version\":\"7.11.0\"}]", - "timeRestore": false, - "title": "[Bravura Monitor] Windows Event Analysis - Problems", - "version": 1 - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-23a89d20-fa07-11eb-96cd-db0fb11a40f3", 
- "migrationVersion": { - "dashboard": "7.15.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "hid_bravura_monitor-66c884f0-2382-11eb-abcf-effcd51852fa", - "name": "panel_0", - "type": "visualization" - }, - { - "id": "hid_bravura_monitor-23133620-238b-11eb-abcf-effcd51852fa", - "name": "panel_1", - "type": "visualization" - }, - { - "id": "hid_bravura_monitor-a29a1cc0-238a-11eb-abcf-effcd51852fa", - "name": "panel_2", - "type": "visualization" - }, - { - "id": "hid_bravura_monitor-dbc305e0-245a-11eb-abcf-effcd51852fa", - "name": "panel_3", - "type": "visualization" - }, - { - "id": "hid_bravura_monitor-489a4f50-2453-11eb-abcf-effcd51852fa", - "name": "panel_4", - "type": "visualization" - }, - { - "id": "hid_bravura_monitor-8ec75c50-2383-11eb-abcf-effcd51852fa", - "name": "panel_5", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/hid_bravura_monitor/1.2.2/kibana/dashboard/hid_bravura_monitor-28db2060-fa02-11eb-a1ab-1964dffd1499.json b/packages/hid_bravura_monitor/1.2.2/kibana/dashboard/hid_bravura_monitor-28db2060-fa02-11eb-a1ab-1964dffd1499.json deleted file mode 100755 index b491b8e1fc..0000000000 --- a/packages/hid_bravura_monitor/1.2.2/kibana/dashboard/hid_bravura_monitor-28db2060-fa02-11eb-a1ab-1964dffd1499.json +++ /dev/null 
@@ -1,40 +0,0 @@ -{ - "attributes": { - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"27066e19-96ff-46db-989c-2ed0650bfb32\",\"w\":48,\"x\":0,\"y\":0},\"panelIndex\":\"27066e19-96ff-46db-989c-2ed0650bfb32\",\"panelRefName\":\"panel_0\",\"version\":\"7.11.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"9a662dac-12e2-44ce-ad7d-eaca9ec5b478\",\"w\":24,\"x\":24,\"y\":15},\"panelIndex\":\"9a662dac-12e2-44ce-ad7d-eaca9ec5b478\",\"panelRefName\":\"panel_1\",\"version\":\"7.11.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"51a5c05f-6a26-4138-9f95-f4c6b01c4d78\",\"w\":24,\"x\":0,\"y\":15},\"panelIndex\":\"51a5c05f-6a26-4138-9f95-f4c6b01c4d78\",\"panelRefName\":\"panel_2\",\"version\":\"7.11.0\"}]", - "timeRestore": false, - "title": "[Bravura Monitor] Discovery - Summary", - "version": 1 - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-28db2060-fa02-11eb-a1ab-1964dffd1499", - "migrationVersion": { - "dashboard": "7.15.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "hid_bravura_monitor-77701bc0-25bb-11eb-abcf-effcd51852fa", - "name": "panel_0", - "type": "visualization" - }, - { - "id": "hid_bravura_monitor-82277da0-25d5-11eb-abcf-effcd51852fa", - "name": "panel_1", - "type": "visualization" - }, - { - "id": "hid_bravura_monitor-82432550-25bc-11eb-abcf-effcd51852fa", - "name": "panel_2", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file 
diff --git a/packages/hid_bravura_monitor/1.2.2/kibana/dashboard/hid_bravura_monitor-3f403100-f9f4-11eb-a1ab-1964dffd1499.json b/packages/hid_bravura_monitor/1.2.2/kibana/dashboard/hid_bravura_monitor-3f403100-f9f4-11eb-a1ab-1964dffd1499.json deleted file mode 100755 index dc4a543829..0000000000 --- a/packages/hid_bravura_monitor/1.2.2/kibana/dashboard/hid_bravura_monitor-3f403100-f9f4-11eb-a1ab-1964dffd1499.json +++ /dev/null @@ -1,35 +0,0 @@ -{ - "attributes": { - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":26,\"i\":\"292870cf-80ba-4071-ac33-6ddc10eef5ee\",\"w\":13,\"x\":0,\"y\":0},\"panelIndex\":\"292870cf-80ba-4071-ac33-6ddc10eef5ee\",\"panelRefName\":\"panel_0\",\"version\":\"7.11.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":26,\"i\":\"c81e1947-6ef2-4f8f-8497-c6defed48569\",\"w\":35,\"x\":13,\"y\":0},\"panelIndex\":\"c81e1947-6ef2-4f8f-8497-c6defed48569\",\"panelRefName\":\"panel_1\",\"version\":\"7.11.0\"}]", - "timeRestore": false, - "title": "[Bravura Monitor] Administrative - Unlocked Profiles", - "version": 1 - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-3f403100-f9f4-11eb-a1ab-1964dffd1499", - "migrationVersion": { - "dashboard": "7.15.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "hid_bravura_monitor-2ffbfc20-d83d-11eb-9e70-edcbba448215", - "name": "panel_0", - "type": "visualization" - }, - { - "id": "hid_bravura_monitor-9a75fb00-d83d-11eb-9e70-edcbba448215", - "name": "panel_1", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file 
diff --git a/packages/hid_bravura_monitor/1.2.2/kibana/dashboard/hid_bravura_monitor-49fa7e40-f9fc-11eb-a1ab-1964dffd1499.json b/packages/hid_bravura_monitor/1.2.2/kibana/dashboard/hid_bravura_monitor-49fa7e40-f9fc-11eb-a1ab-1964dffd1499.json deleted file mode 100755 index a543c8bad3..0000000000 --- a/packages/hid_bravura_monitor/1.2.2/kibana/dashboard/hid_bravura_monitor-49fa7e40-f9fc-11eb-a1ab-1964dffd1499.json +++ /dev/null 
@@ -1,50 +0,0 @@ -{ - "attributes": { - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":14,\"i\":\"aed09807-f936-4881-960d-30039d3fb5cd\",\"w\":48,\"x\":0,\"y\":0},\"panelIndex\":\"aed09807-f936-4881-960d-30039d3fb5cd\",\"panelRefName\":\"panel_0\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":20,\"i\":\"fa9c7f19-26bc-489f-ad23-1774eaf8dcc6\",\"w\":16,\"x\":0,\"y\":14},\"panelIndex\":\"fa9c7f19-26bc-489f-ad23-1774eaf8dcc6\",\"panelRefName\":\"panel_1\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":20,\"i\":\"ded4c445-2a0a-448c-9318-38b166d11d73\",\"w\":16,\"x\":16,\"y\":14},\"panelIndex\":\"ded4c445-2a0a-448c-9318-38b166d11d73\",\"panelRefName\":\"panel_2\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":20,\"i\":\"a58e223b-2453-4dcd-9de5-8a6101d9964d\",\"w\":16,\"x\":32,\"y\":14},\"panelIndex\":\"a58e223b-2453-4dcd-9de5-8a6101d9964d\",\"panelRefName\":\"panel_3\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":17,\"i\":\"4909f0f5-c8df-40f8-bc49-df24cb056b8c\",\"w\":48,\"x\":0,\"y\":34},\"panelIndex\":\"4909f0f5-c8df-40f8-bc49-df24cb056b8c\",\"panelRefName\":\"panel_4\",\"version\":\"8.0.0\"}]", - "timeRestore": false, - "title": "[Bravura Monitor] Users - Issues", - "version": 1 - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-49fa7e40-f9fc-11eb-a1ab-1964dffd1499", - "migrationVersion": { - "dashboard": "7.15.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "hid_bravura_monitor-fe363790-1a1a-11eb-abcf-effcd51852fa", - "name": "panel_0", - "type": "visualization" - }, - { - "id": 
"hid_bravura_monitor-20a85000-1a1c-11eb-abcf-effcd51852fa", - "name": "panel_1", - "type": "visualization" - }, - { - "id": "hid_bravura_monitor-db3f9af0-1a1b-11eb-abcf-effcd51852fa", - "name": "panel_2", - "type": "visualization" - }, - { - "id": "hid_bravura_monitor-670cf140-1a1c-11eb-abcf-effcd51852fa", - "name": "panel_3", - "type": "visualization" - }, - { - "id": "hid_bravura_monitor-9e4165d0-1a1a-11eb-abcf-effcd51852fa", - "name": "panel_4", - "type": "search" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/hid_bravura_monitor/1.2.2/kibana/dashboard/hid_bravura_monitor-4bf327b0-fa01-11eb-a1ab-1964dffd1499.json b/packages/hid_bravura_monitor/1.2.2/kibana/dashboard/hid_bravura_monitor-4bf327b0-fa01-11eb-a1ab-1964dffd1499.json deleted file mode 100755 index 0140835288..0000000000 --- a/packages/hid_bravura_monitor/1.2.2/kibana/dashboard/hid_bravura_monitor-4bf327b0-fa01-11eb-a1ab-1964dffd1499.json +++ /dev/null 
@@ -1,40 +0,0 @@ -{ - "attributes": { - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":25,\"i\":\"63969223-a0de-4d10-aa3a-5a7de19681c2\",\"w\":13,\"x\":0,\"y\":0},\"panelIndex\":\"63969223-a0de-4d10-aa3a-5a7de19681c2\",\"panelRefName\":\"panel_0\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":25,\"i\":\"37dcff04-67ca-46e6-bea3-b6be4a08bce8\",\"w\":35,\"x\":13,\"y\":0},\"panelIndex\":\"37dcff04-67ca-46e6-bea3-b6be4a08bce8\",\"panelRefName\":\"panel_1\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":16,\"i\":\"250f87a6-96dc-417f-a704-ee29e9669992\",\"w\":48,\"x\":0,\"y\":25},\"panelIndex\":\"250f87a6-96dc-417f-a704-ee29e9669992\",\"panelRefName\":\"panel_2\",\"version\":\"8.0.0\"}]", - "timeRestore": false, - "title": "[Bravura Monitor] Database - Search", - "version": 1 - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-4bf327b0-fa01-11eb-a1ab-1964dffd1499", - "migrationVersion": { - "dashboard": "7.15.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "hid_bravura_monitor-59482290-25da-11eb-abcf-effcd51852fa", - "name": "panel_0", - "type": "visualization" - }, - { - "id": "hid_bravura_monitor-ef5b4da0-2b6d-11eb-abcf-effcd51852fa", - "name": "panel_1", - "type": "visualization" - }, - { - "id": "hid_bravura_monitor-046c7b20-2b6d-11eb-abcf-effcd51852fa", - "name": "panel_2", - "type": "search" - } - ], - "type": "dashboard" -} \ No newline at end of file 
diff --git a/packages/hid_bravura_monitor/1.2.2/kibana/dashboard/hid_bravura_monitor-4ee19fa0-fa02-11eb-a1ab-1964dffd1499.json b/packages/hid_bravura_monitor/1.2.2/kibana/dashboard/hid_bravura_monitor-4ee19fa0-fa02-11eb-a1ab-1964dffd1499.json deleted file mode 100755 index 668f8ebc02..0000000000 --- a/packages/hid_bravura_monitor/1.2.2/kibana/dashboard/hid_bravura_monitor-4ee19fa0-fa02-11eb-a1ab-1964dffd1499.json +++ /dev/null 
@@ -1,30 +0,0 @@ -{ - "attributes": { - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{},\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"annotations\":[],\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"id\":\"24e4b310-069e-11ec-8d63-433b7d9c06cf\"}],\"bar_color_rules\":[{\"id\":\"015e0b70-069f-11ec-8d63-433b7d9c06cf\"}],\"drop_last_bucket\":1,\"filter\":{\"language\":\"kuery\",\"query\":\"hid_bravura_monitor.perf.kind: PerfExe AND NOT (hid_bravura_monitor.perf.exe: *plugin*)\"},\"gauge_color_rules\":[{\"id\":\"040388f0-069f-11ec-8d63-433b7d9c06cf\"}],\"gauge_inner_width\":10,\"gauge_style\":\"half\",\"gauge_width\":10,\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"logs-*\",\"interval\":\"\",\"isModelInvalid\":false,\"max_bars\":80,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"filter\":{\"language\":\"kuery\",\"query\":\"\"},\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":1,\"metrics\":[{\"field\":\"hid_bravura_monitor.perf.duration\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":\"kibana\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_exclude\":\"\",\"terms_field\":\"hid_bravura_monitor.perf.exe\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"tooltip_mode\":\"show_all\",\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Executable Average 
Duration\",\"type\":\"metrics\",\"uiState\":{}},\"type\":\"visualization\"},\"gridData\":{\"h\":17,\"i\":\"d09c2c16-f29a-48e2-bb74-471b6de1fc03\",\"w\":48,\"x\":0,\"y\":0},\"panelIndex\":\"d09c2c16-f29a-48e2-bb74-471b6de1fc03\",\"type\":\"visualization\",\"version\":\"7.15.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":25,\"i\":\"198257f3-2b86-41f1-83cf-2090465b56a8\",\"w\":48,\"x\":0,\"y\":17},\"panelIndex\":\"198257f3-2b86-41f1-83cf-2090465b56a8\",\"panelRefName\":\"panel_1\",\"version\":\"8.0.0\"}]", - "timeRestore": false, - "title": "[Bravura Monitor] Processes - Executables", - "version": 1 - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-4ee19fa0-fa02-11eb-a1ab-1964dffd1499", - "migrationVersion": { - "dashboard": "7.15.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "hid_bravura_monitor-f9ed0ec0-2eab-11eb-b6a1-bdb7d768b585", - "name": "panel_1", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/hid_bravura_monitor/1.2.2/kibana/dashboard/hid_bravura_monitor-52cf42a0-fa04-11eb-a1ab-1964dffd1499.json b/packages/hid_bravura_monitor/1.2.2/kibana/dashboard/hid_bravura_monitor-52cf42a0-fa04-11eb-a1ab-1964dffd1499.json deleted file mode 100755 index dd04c65524..0000000000 --- a/packages/hid_bravura_monitor/1.2.2/kibana/dashboard/hid_bravura_monitor-52cf42a0-fa04-11eb-a1ab-1964dffd1499.json +++ /dev/null 
@@ -1,45 +0,0 @@ -{ - "attributes": { - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":20,\"i\":\"2852a22c-425f-45b2-b953-6b0f3d214447\",\"w\":11,\"x\":0,\"y\":0},\"panelIndex\":\"2852a22c-425f-45b2-b953-6b0f3d214447\",\"panelRefName\":\"panel_0\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":20,\"i\":\"9e84cdcf-b3f1-44b5-bdc4-67bb7cb7b7ac\",\"w\":37,\"x\":11,\"y\":0},\"panelIndex\":\"9e84cdcf-b3f1-44b5-bdc4-67bb7cb7b7ac\",\"panelRefName\":\"panel_1\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"c3a20836-de82-44e2-a23c-38ac861cc7df\",\"w\":48,\"x\":0,\"y\":20},\"panelIndex\":\"c3a20836-de82-44e2-a23c-38ac861cc7df\",\"panelRefName\":\"panel_2\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"aa105229-2ee8-417b-a85b-ab83300357ee\",\"w\":48,\"x\":0,\"y\":35},\"panelIndex\":\"aa105229-2ee8-417b-a85b-ab83300357ee\",\"panelRefName\":\"panel_3\",\"version\":\"8.0.0\"}]", - "timeRestore": false, - "title": "[Bravura Monitor] Workflow - Summary (Logs)", - "version": 1 - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-52cf42a0-fa04-11eb-a1ab-1964dffd1499", - "migrationVersion": { - "dashboard": "7.15.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "hid_bravura_monitor-77f6f520-1add-11eb-abcf-effcd51852fa", - "name": "panel_0", - "type": "visualization" - }, - { - "id": "hid_bravura_monitor-0cf3f020-1add-11eb-abcf-effcd51852fa", - "name": "panel_1", - "type": "visualization" - }, - { - "id": "hid_bravura_monitor-0cb6caa0-1ade-11eb-abcf-effcd51852fa", - "name": "panel_2", - "type": "visualization" - }, - { - "id": 
"hid_bravura_monitor-d1f2d8c0-1473-11eb-bb7b-bb041e8cf289", - "name": "panel_3", - "type": "search" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/hid_bravura_monitor/1.2.2/kibana/dashboard/hid_bravura_monitor-578cb360-f9f3-11eb-a1ab-1964dffd1499.json b/packages/hid_bravura_monitor/1.2.2/kibana/dashboard/hid_bravura_monitor-578cb360-f9f3-11eb-a1ab-1964dffd1499.json deleted file mode 100755 index c48e8c460b..0000000000 --- a/packages/hid_bravura_monitor/1.2.2/kibana/dashboard/hid_bravura_monitor-578cb360-f9f3-11eb-a1ab-1964dffd1499.json +++ /dev/null 
@@ -1,40 +0,0 @@ -{ - "attributes": { - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":20,\"i\":\"647b541e-ba69-4580-8b5c-82b99e9141db\",\"w\":14,\"x\":0,\"y\":0},\"panelIndex\":\"647b541e-ba69-4580-8b5c-82b99e9141db\",\"panelRefName\":\"panel_0\",\"version\":\"7.11.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":20,\"i\":\"3d4e7a89-9376-40e8-a110-aea6fad8704d\",\"w\":34,\"x\":14,\"y\":0},\"panelIndex\":\"3d4e7a89-9376-40e8-a110-aea6fad8704d\",\"panelRefName\":\"panel_1\",\"version\":\"7.11.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":19,\"i\":\"c530e489-474a-4a2a-8498-860233140305\",\"w\":48,\"x\":0,\"y\":20},\"panelIndex\":\"c530e489-474a-4a2a-8498-860233140305\",\"panelRefName\":\"panel_2\",\"version\":\"7.11.0\"}]", - "timeRestore": false, - "title": "[Bravura Monitor] Administrative - Summary", - "version": 1 - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-578cb360-f9f3-11eb-a1ab-1964dffd1499", - "migrationVersion": { - "dashboard": "7.15.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "hid_bravura_monitor-07f86e00-d835-11eb-9e70-edcbba448215", - "name": "panel_0", - "type": "visualization" - }, - { - "id": "hid_bravura_monitor-33258a00-d398-11eb-9e70-edcbba448215", - "name": "panel_1", - "type": "visualization" - }, - { - "id": "hid_bravura_monitor-dca8bb20-d397-11eb-9e70-edcbba448215", - "name": "panel_2", - "type": "search" - } - ], - "type": "dashboard" -} \ No newline at end of file 
diff --git a/packages/hid_bravura_monitor/1.2.2/kibana/dashboard/hid_bravura_monitor-6ebde770-fa02-11eb-a1ab-1964dffd1499.json b/packages/hid_bravura_monitor/1.2.2/kibana/dashboard/hid_bravura_monitor-6ebde770-fa02-11eb-a1ab-1964dffd1499.json deleted file mode 100755 index 02a9b3f565..0000000000 --- a/packages/hid_bravura_monitor/1.2.2/kibana/dashboard/hid_bravura_monitor-6ebde770-fa02-11eb-a1ab-1964dffd1499.json +++ /dev/null 
@@ -1,30 +0,0 @@ -{ - "attributes": { - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"drop_last_bucket\":1,\"filter\":{\"language\":\"kuery\",\"query\":\"hid_bravura_monitor.perf.kind: PerfExe AND hid_bravura_monitor.perf.exe: *plugin*\"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"logs-*\",\"interval\":\"\",\"isModelInvalid\":false,\"max_bars\":70,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":1,\"metrics\":[{\"field\":\"hid_bravura_monitor.perf.duration\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":\"kibana\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"hid_bravura_monitor.perf.exe\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"tooltip_mode\":\"show_all\",\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"\",\"type\":\"metrics\",\"uiState\":{}},\"type\":\"visualization\"},\"gridData\":{\"h\":17,\"i\":\"9f0e186d-5e7d-495b-968b-65a909a63c78\",\"w\":48,\"x\":0,\"y\":0},\"panelIndex\":\"9f0e186d-5e7d-495b-968b-65a909a63c78\",\"title\":\"Plugin Average 
Duration\",\"type\":\"visualization\",\"version\":\"7.15.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":25,\"i\":\"f71897e4-f55e-4fb5-93e1-8825546d3116\",\"w\":48,\"x\":0,\"y\":17},\"panelIndex\":\"f71897e4-f55e-4fb5-93e1-8825546d3116\",\"panelRefName\":\"panel_1\",\"version\":\"8.0.0\"}]", - "timeRestore": false, - "title": "[Bravura Monitor] Processes - Plugins", - "version": 1 - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-6ebde770-fa02-11eb-a1ab-1964dffd1499", - "migrationVersion": { - "dashboard": "7.15.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "hid_bravura_monitor-1a2adb70-2f44-11eb-b6a1-bdb7d768b585", - "name": "panel_1", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/hid_bravura_monitor/1.2.2/kibana/dashboard/hid_bravura_monitor-7c5c1ef0-fa03-11eb-a1ab-1964dffd1499.json b/packages/hid_bravura_monitor/1.2.2/kibana/dashboard/hid_bravura_monitor-7c5c1ef0-fa03-11eb-a1ab-1964dffd1499.json deleted file mode 100755 index e3f3fa0368..0000000000 --- a/packages/hid_bravura_monitor/1.2.2/kibana/dashboard/hid_bravura_monitor-7c5c1ef0-fa03-11eb-a1ab-1964dffd1499.json +++ /dev/null 
@@ -1,65 +0,0 @@ -{ - "attributes": { - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":7,\"i\":\"11dfd31e-217a-468c-b9a4-1d171916550b\",\"w\":12,\"x\":0,\"y\":0},\"panelIndex\":\"11dfd31e-217a-468c-b9a4-1d171916550b\",\"panelRefName\":\"panel_0\",\"version\":\"7.11.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":17,\"i\":\"ecfdce59-b9f9-4b92-bf44-fc2b0b30940e\",\"w\":36,\"x\":12,\"y\":0},\"panelIndex\":\"ecfdce59-b9f9-4b92-bf44-fc2b0b30940e\",\"panelRefName\":\"panel_1\",\"version\":\"7.11.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":10,\"i\":\"8e87968f-419b-416a-88b4-69575d6ca6c8\",\"w\":12,\"x\":0,\"y\":7},\"panelIndex\":\"8e87968f-419b-416a-88b4-69575d6ca6c8\",\"panelRefName\":\"panel_2\",\"version\":\"7.11.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":19,\"i\":\"d8250cb1-181e-4c67-8a07-2b5adaa631e1\",\"w\":12,\"x\":0,\"y\":17},\"panelIndex\":\"d8250cb1-181e-4c67-8a07-2b5adaa631e1\",\"panelRefName\":\"panel_3\",\"version\":\"7.11.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":19,\"i\":\"10e16f9a-7072-491a-a67f-3b37e4d2d6fe\",\"w\":9,\"x\":12,\"y\":17},\"panelIndex\":\"10e16f9a-7072-491a-a67f-3b37e4d2d6fe\",\"panelRefName\":\"panel_4\",\"version\":\"7.11.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":19,\"i\":\"4e305609-b4cd-47c1-b927-9bbb1905f879\",\"w\":9,\"x\":21,\"y\":17},\"panelIndex\":\"4e305609-b4cd-47c1-b927-9bbb1905f879\",\"panelRefName\":\"panel_5\",\"version\":\"7.11.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":19,\"i\":\"50d3505b-77d3-4128-a8f2-dd42c7e33ac0\",\"w\":18,\"x\":30,\"y\":17},\"panelIndex\":\"50d3505b-77d3-4128-a8f2-dd42c7e33ac0\",\"panelRefName\":\"pane
l_6\",\"version\":\"7.11.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"5added44-f55b-4d64-bac0-af8514792e8c\",\"w\":48,\"x\":0,\"y\":36},\"panelIndex\":\"5added44-f55b-4d64-bac0-af8514792e8c\",\"panelRefName\":\"panel_7\",\"version\":\"7.11.0\"}]", - "timeRestore": false, - "title": "[Bravura Monitor] Integrations - Connector Return Code", - "version": 1 - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-7c5c1ef0-fa03-11eb-a1ab-1964dffd1499", - "migrationVersion": { - "dashboard": "7.15.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "hid_bravura_monitor-4bfcdae0-2dcd-11eb-b6a1-bdb7d768b585", - "name": "panel_0", - "type": "visualization" - }, - { - "id": "hid_bravura_monitor-d7dc3680-1add-11eb-abcf-effcd51852fa", - "name": "panel_1", - "type": "visualization" - }, - { - "id": "hid_bravura_monitor-979ecd00-1abd-11eb-abcf-effcd51852fa", - "name": "panel_2", - "type": "visualization" - }, - { - "id": "hid_bravura_monitor-4b0765d0-1ade-11eb-abcf-effcd51852fa", - "name": "panel_3", - "type": "visualization" - }, - { - "id": "hid_bravura_monitor-878feb30-1ade-11eb-abcf-effcd51852fa", - "name": "panel_4", - "type": "visualization" - }, - { - "id": "hid_bravura_monitor-cf6ea950-1ade-11eb-abcf-effcd51852fa", - "name": "panel_5", - "type": "visualization" - }, - { - "id": "hid_bravura_monitor-f596ebf0-1adf-11eb-abcf-effcd51852fa", - "name": "panel_6", - "type": "visualization" - }, - { - "id": "hid_bravura_monitor-55100560-1add-11eb-abcf-effcd51852fa", - "name": "panel_7", - "type": "search" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/hid_bravura_monitor/1.2.2/kibana/dashboard/hid_bravura_monitor-8187dcb0-fa04-11eb-a1ab-1964dffd1499.json b/packages/hid_bravura_monitor/1.2.2/kibana/dashboard/hid_bravura_monitor-8187dcb0-fa04-11eb-a1ab-1964dffd1499.json deleted file mode 100755 index 64441e3537..0000000000 
--- a/packages/hid_bravura_monitor/1.2.2/kibana/dashboard/hid_bravura_monitor-8187dcb0-fa04-11eb-a1ab-1964dffd1499.json +++ /dev/null @@ -1,35 +0,0 @@ -{ - "attributes": { - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":25,\"i\":\"bbd62230-da7b-4a8d-8048-164a39c870a6\",\"w\":12,\"x\":0,\"y\":0},\"panelIndex\":\"bbd62230-da7b-4a8d-8048-164a39c870a6\",\"panelRefName\":\"panel_0\",\"version\":\"7.11.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":25,\"i\":\"006c196d-830d-4713-bf84-1bf393366bdc\",\"w\":36,\"x\":12,\"y\":0},\"panelIndex\":\"006c196d-830d-4713-bf84-1bf393366bdc\",\"panelRefName\":\"panel_1\",\"version\":\"7.11.0\"}]", - "timeRestore": false, - "title": "[Bravura Monitor] Dataset - Summary", - "version": 1 - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-8187dcb0-fa04-11eb-a1ab-1964dffd1499", - "migrationVersion": { - "dashboard": "7.15.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "hid_bravura_monitor-1b439670-25d8-11eb-abcf-effcd51852fa", - "name": "panel_0", - "type": "visualization" - }, - { - "id": "hid_bravura_monitor-8c755c30-25d7-11eb-abcf-effcd51852fa", - "name": "panel_1", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/hid_bravura_monitor/1.2.2/kibana/dashboard/hid_bravura_monitor-91029280-0520-11ec-853c-2bf1ec8ddeef.json b/packages/hid_bravura_monitor/1.2.2/kibana/dashboard/hid_bravura_monitor-91029280-0520-11ec-853c-2bf1ec8ddeef.json deleted file mode 100755 index 6c461459fa..0000000000 --- a/packages/hid_bravura_monitor/1.2.2/kibana/dashboard/hid_bravura_monitor-91029280-0520-11ec-853c-2bf1ec8ddeef.json +++ /dev/null 
@@ -1,55 +0,0 @@ -{ - "attributes": { - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"b525b8b8-13fc-4a51-82b0-233acc227625\",\"w\":24,\"x\":0,\"y\":0},\"panelIndex\":\"b525b8b8-13fc-4a51-82b0-233acc227625\",\"panelRefName\":\"panel_0\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"16f346a5-a0bf-421a-ba88-c678b4fffb2a\",\"w\":24,\"x\":24,\"y\":0},\"panelIndex\":\"16f346a5-a0bf-421a-ba88-c678b4fffb2a\",\"panelRefName\":\"panel_1\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"c23d8833-8154-4aa8-af8e-44dccd8cc199\",\"w\":16,\"x\":0,\"y\":15},\"panelIndex\":\"c23d8833-8154-4aa8-af8e-44dccd8cc199\",\"panelRefName\":\"panel_2\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"085c710d-1038-4a6a-be6f-21039079b15b\",\"w\":16,\"x\":16,\"y\":15},\"panelIndex\":\"085c710d-1038-4a6a-be6f-21039079b15b\",\"panelRefName\":\"panel_3\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"33ae3b0f-db67-48f5-abb8-192c029c5d98\",\"w\":16,\"x\":32,\"y\":15},\"panelIndex\":\"33ae3b0f-db67-48f5-abb8-192c029c5d98\",\"panelRefName\":\"panel_4\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"a70a3621-2a8e-48ed-8870-201731c7e08a\",\"w\":48,\"x\":0,\"y\":30},\"panelIndex\":\"a70a3621-2a8e-48ed-8870-201731c7e08a\",\"panelRefName\":\"panel_5\",\"version\":\"8.0.0\"}]", - "timeRestore": false, - "title": "[Bravura Monitor] Database - Replication (Windows Event)", - "version": 1 - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-91029280-0520-11ec-853c-2bf1ec8ddeef", 
- "migrationVersion": { - "dashboard": "7.15.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "hid_bravura_monitor-fddce510-d387-11eb-9e70-edcbba448215", - "name": "panel_0", - "type": "visualization" - }, - { - "id": "hid_bravura_monitor-2722d7e0-d388-11eb-9e70-edcbba448215", - "name": "panel_1", - "type": "visualization" - }, - { - "id": "hid_bravura_monitor-5b5237e0-d388-11eb-9e70-edcbba448215", - "name": "panel_2", - "type": "visualization" - }, - { - "id": "hid_bravura_monitor-80efbc20-d388-11eb-9e70-edcbba448215", - "name": "panel_3", - "type": "visualization" - }, - { - "id": "hid_bravura_monitor-9a513b80-d388-11eb-9e70-edcbba448215", - "name": "panel_4", - "type": "visualization" - }, - { - "id": "hid_bravura_monitor-9a787d10-0521-11ec-853c-2bf1ec8ddeef", - "name": "panel_5", - "type": "search" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/hid_bravura_monitor/1.2.2/kibana/dashboard/hid_bravura_monitor-a8739000-f9fd-11eb-a1ab-1964dffd1499.json b/packages/hid_bravura_monitor/1.2.2/kibana/dashboard/hid_bravura_monitor-a8739000-f9fd-11eb-a1ab-1964dffd1499.json deleted file mode 100755 index d28ef16730..0000000000 --- a/packages/hid_bravura_monitor/1.2.2/kibana/dashboard/hid_bravura_monitor-a8739000-f9fd-11eb-a1ab-1964dffd1499.json +++ /dev/null 
@@ -1,50 +0,0 @@ -{ - "attributes": { - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":10,\"i\":\"486bc4b4-3c64-46f8-a319-01204f38c3be\",\"w\":7,\"x\":0,\"y\":0},\"panelIndex\":\"486bc4b4-3c64-46f8-a319-01204f38c3be\",\"panelRefName\":\"panel_0\",\"version\":\"7.11.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":10,\"i\":\"b5abbb3d-eb82-45a8-a972-13b692b11c16\",\"w\":41,\"x\":7,\"y\":0},\"panelIndex\":\"b5abbb3d-eb82-45a8-a972-13b692b11c16\",\"panelRefName\":\"panel_1\",\"title\":\"Users: Pages: Node Usage\",\"version\":\"7.11.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":18,\"i\":\"f1b6be80-c65b-4d88-861a-e8a66275bd62\",\"w\":10,\"x\":0,\"y\":10},\"panelIndex\":\"f1b6be80-c65b-4d88-861a-e8a66275bd62\",\"panelRefName\":\"panel_2\",\"title\":\"Users: Pages: User Logins\",\"version\":\"7.11.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":18,\"i\":\"09961de3-ede6-4ecf-a45a-ebe3040366f0\",\"w\":38,\"x\":10,\"y\":10},\"panelIndex\":\"09961de3-ede6-4ecf-a45a-ebe3040366f0\",\"panelRefName\":\"panel_3\",\"version\":\"7.11.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":16,\"i\":\"144da17a-d86d-49a2-9dfa-db606fb73c54\",\"w\":48,\"x\":0,\"y\":28},\"panelIndex\":\"144da17a-d86d-49a2-9dfa-db606fb73c54\",\"panelRefName\":\"panel_4\",\"version\":\"7.11.0\"}]", - "timeRestore": false, - "title": "[Bravura Monitor] Users - Pages", - "version": 1 - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-a8739000-f9fd-11eb-a1ab-1964dffd1499", - "migrationVersion": { - "dashboard": "7.15.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": 
"hid_bravura_monitor-552d3e80-1a26-11eb-abcf-effcd51852fa", - "name": "panel_0", - "type": "visualization" - }, - { - "id": "hid_bravura_monitor-1269fd70-1956-11eb-abcf-effcd51852fa", - "name": "panel_1", - "type": "visualization" - }, - { - "id": "hid_bravura_monitor-bde40aa0-1957-11eb-abcf-effcd51852fa", - "name": "panel_2", - "type": "visualization" - }, - { - "id": "hid_bravura_monitor-00cbeab0-1a28-11eb-abcf-effcd51852fa", - "name": "panel_3", - "type": "visualization" - }, - { - "id": "hid_bravura_monitor-77cbe8b0-de89-11eb-a272-2d62b237e243", - "name": "panel_4", - "type": "search" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/hid_bravura_monitor/1.2.2/kibana/dashboard/hid_bravura_monitor-a9ea8420-f9f3-11eb-a1ab-1964dffd1499.json b/packages/hid_bravura_monitor/1.2.2/kibana/dashboard/hid_bravura_monitor-a9ea8420-f9f3-11eb-a1ab-1964dffd1499.json deleted file mode 100755 index 656bd39b30..0000000000 --- a/packages/hid_bravura_monitor/1.2.2/kibana/dashboard/hid_bravura_monitor-a9ea8420-f9f3-11eb-a1ab-1964dffd1499.json +++ /dev/null 
@@ -1,35 +0,0 @@ -{ - "attributes": { - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":26,\"i\":\"5d50c25d-870c-4aa5-a1f9-5c79904db3d1\",\"w\":13,\"x\":0,\"y\":0},\"panelIndex\":\"5d50c25d-870c-4aa5-a1f9-5c79904db3d1\",\"panelRefName\":\"panel_0\",\"version\":\"7.11.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":26,\"i\":\"11298d56-d098-45e3-b23a-6992c24c5652\",\"w\":35,\"x\":13,\"y\":0},\"panelIndex\":\"11298d56-d098-45e3-b23a-6992c24c5652\",\"panelRefName\":\"panel_1\",\"version\":\"7.11.0\"}]", - "timeRestore": false, - "title": "[Bravura Monitor] Administrative - Password Resets", - "version": 1 - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-a9ea8420-f9f3-11eb-a1ab-1964dffd1499", - "migrationVersion": { - "dashboard": "7.15.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "hid_bravura_monitor-b8f9a5c0-d83f-11eb-9e70-edcbba448215", - "name": "panel_0", - "type": "visualization" - }, - { - "id": "hid_bravura_monitor-fe779080-d83f-11eb-9e70-edcbba448215", - "name": "panel_1", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/hid_bravura_monitor/1.2.2/kibana/dashboard/hid_bravura_monitor-b0fd1f50-06a2-11ec-a72d-e52b79e13120.json b/packages/hid_bravura_monitor/1.2.2/kibana/dashboard/hid_bravura_monitor-b0fd1f50-06a2-11ec-a72d-e52b79e13120.json deleted file mode 100755 index 9e7e6d4034..0000000000 --- a/packages/hid_bravura_monitor/1.2.2/kibana/dashboard/hid_bravura_monitor-b0fd1f50-06a2-11ec-a72d-e52b79e13120.json +++ /dev/null 
@@ -1,45 +0,0 @@ -{ - "attributes": { - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"84ac5874-8913-4514-8d51-f2b3cd522a49\",\"w\":11,\"x\":0,\"y\":0},\"panelIndex\":\"84ac5874-8913-4514-8d51-f2b3cd522a49\",\"panelRefName\":\"panel_0\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":30,\"i\":\"9f39a308-2152-471a-911f-5bb8e316262e\",\"w\":37,\"x\":11,\"y\":0},\"panelIndex\":\"9f39a308-2152-471a-911f-5bb8e316262e\",\"panelRefName\":\"panel_1\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"93f64f12-ac6d-4462-96c2-53d0c477a0ca\",\"w\":11,\"x\":0,\"y\":15},\"panelIndex\":\"93f64f12-ac6d-4462-96c2-53d0c477a0ca\",\"panelRefName\":\"panel_2\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":18,\"i\":\"87039932-a528-4dba-875e-bed137149330\",\"w\":48,\"x\":0,\"y\":30},\"panelIndex\":\"87039932-a528-4dba-875e-bed137149330\",\"panelRefName\":\"panel_3\",\"version\":\"8.0.0\"}]", - "timeRestore": false, - "title": "[Bravura Monitor] Workflow - Summary (Windows Event)", - "version": 1 - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-b0fd1f50-06a2-11ec-a72d-e52b79e13120", - "migrationVersion": { - "dashboard": "7.15.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "hid_bravura_monitor-1211f840-d90a-11eb-9e70-edcbba448215", - "name": "panel_0", - "type": "visualization" - }, - { - "id": "hid_bravura_monitor-6ac75200-d90a-11eb-9e70-edcbba448215", - "name": "panel_1", - "type": "visualization" - }, - { - "id": "hid_bravura_monitor-3ec54c70-d90a-11eb-9e70-edcbba448215", - "name": "panel_2", - "type": "visualization" - }, - { - "id": 
"hid_bravura_monitor-53be5e10-d909-11eb-9e70-edcbba448215", - "name": "panel_3", - "type": "search" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/hid_bravura_monitor/1.2.2/kibana/dashboard/hid_bravura_monitor-b66f3780-fa03-11eb-a1ab-1964dffd1499.json b/packages/hid_bravura_monitor/1.2.2/kibana/dashboard/hid_bravura_monitor-b66f3780-fa03-11eb-a1ab-1964dffd1499.json deleted file mode 100755 index 02dd9de7a8..0000000000 --- a/packages/hid_bravura_monitor/1.2.2/kibana/dashboard/hid_bravura_monitor-b66f3780-fa03-11eb-a1ab-1964dffd1499.json +++ /dev/null 
@@ -1,35 +0,0 @@ -{ - "attributes": { - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"9ccdc869-ebc2-4871-a11a-8d594aff7ccd\",\"w\":48,\"x\":0,\"y\":0},\"panelIndex\":\"9ccdc869-ebc2-4871-a11a-8d594aff7ccd\",\"panelRefName\":\"panel_0\",\"version\":\"7.11.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":18,\"i\":\"b68e2e9c-13fa-4a90-baa2-40caefe3cb38\",\"w\":48,\"x\":0,\"y\":15},\"panelIndex\":\"b68e2e9c-13fa-4a90-baa2-40caefe3cb38\",\"panelRefName\":\"panel_1\",\"version\":\"7.11.0\"}]", - "timeRestore": false, - "title": "[Bravura Monitor] Integrations - Connector Performance", - "version": 1 - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-b66f3780-fa03-11eb-a1ab-1964dffd1499", - "migrationVersion": { - "dashboard": "7.15.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "hid_bravura_monitor-64514c50-1a1f-11eb-abcf-effcd51852fa", - "name": "panel_0", - "type": "visualization" - }, - { - "id": "hid_bravura_monitor-ec082d90-1aaf-11eb-abcf-effcd51852fa", - "name": "panel_1", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/hid_bravura_monitor/1.2.2/kibana/dashboard/hid_bravura_monitor-b9bc5190-fa01-11eb-a1ab-1964dffd1499.json b/packages/hid_bravura_monitor/1.2.2/kibana/dashboard/hid_bravura_monitor-b9bc5190-fa01-11eb-a1ab-1964dffd1499.json deleted file mode 100755 index 4bf412d86b..0000000000 --- a/packages/hid_bravura_monitor/1.2.2/kibana/dashboard/hid_bravura_monitor-b9bc5190-fa01-11eb-a1ab-1964dffd1499.json +++ /dev/null 
@@ -1,45 +0,0 @@ -{ - "attributes": { - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"f5d8eb70-30ce-4899-9905-2aa35954d01d\",\"w\":48,\"x\":0,\"y\":0},\"panelIndex\":\"f5d8eb70-30ce-4899-9905-2aa35954d01d\",\"panelRefName\":\"panel_0\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"a5499566-62cb-421c-8276-7a9398643a06\",\"w\":24,\"x\":0,\"y\":15},\"panelIndex\":\"a5499566-62cb-421c-8276-7a9398643a06\",\"panelRefName\":\"panel_1\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"5fc759c3-9678-4b3c-b0d5-dcfad77adfe8\",\"w\":24,\"x\":24,\"y\":15},\"panelIndex\":\"5fc759c3-9678-4b3c-b0d5-dcfad77adfe8\",\"panelRefName\":\"panel_2\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"84970d7a-efbd-451d-9619-25381510ab94\",\"w\":48,\"x\":0,\"y\":30},\"panelIndex\":\"84970d7a-efbd-451d-9619-25381510ab94\",\"panelRefName\":\"panel_3\",\"version\":\"8.0.0\"}]", - "timeRestore": false, - "title": "[Bravura Monitor] Database - Replication (Logs)", - "version": 1 - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-b9bc5190-fa01-11eb-a1ab-1964dffd1499", - "migrationVersion": { - "dashboard": "7.15.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "hid_bravura_monitor-a8002430-25d7-11eb-abcf-effcd51852fa", - "name": "panel_0", - "type": "visualization" - }, - { - "id": "hid_bravura_monitor-95fb9a70-25d8-11eb-abcf-effcd51852fa", - "name": "panel_1", - "type": "visualization" - }, - { - "id": "hid_bravura_monitor-341531e0-25d8-11eb-abcf-effcd51852fa", - "name": "panel_2", - "type": "visualization" - }, - { - "id": 
"hid_bravura_monitor-2e254220-df55-11eb-9b6e-d57491399e2a", - "name": "panel_3", - "type": "search" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/hid_bravura_monitor/1.2.2/kibana/dashboard/hid_bravura_monitor-c5417bd0-f9fc-11eb-a1ab-1964dffd1499.json b/packages/hid_bravura_monitor/1.2.2/kibana/dashboard/hid_bravura_monitor-c5417bd0-f9fc-11eb-a1ab-1964dffd1499.json deleted file mode 100755 index 7315087291..0000000000 --- a/packages/hid_bravura_monitor/1.2.2/kibana/dashboard/hid_bravura_monitor-c5417bd0-f9fc-11eb-a1ab-1964dffd1499.json +++ /dev/null 
@@ -1,55 +0,0 @@ -{ - "attributes": { - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":13,\"i\":\"f71be298-074a-43c0-a3fe-1035fd98a8a7\",\"w\":6,\"x\":0,\"y\":0},\"panelIndex\":\"f71be298-074a-43c0-a3fe-1035fd98a8a7\",\"panelRefName\":\"panel_0\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":13,\"i\":\"b80b0e2a-b786-48ec-88a5-bc8104ddbd42\",\"w\":42,\"x\":6,\"y\":0},\"panelIndex\":\"b80b0e2a-b786-48ec-88a5-bc8104ddbd42\",\"panelRefName\":\"panel_1\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":18,\"i\":\"60432682-b874-48c8-9b8b-3bbf4e650385\",\"w\":12,\"x\":0,\"y\":13},\"panelIndex\":\"60432682-b874-48c8-9b8b-3bbf4e650385\",\"panelRefName\":\"panel_2\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":18,\"i\":\"2af36389-5601-4930-b3ec-b44c671c56ff\",\"w\":13,\"x\":12,\"y\":13},\"panelIndex\":\"2af36389-5601-4930-b3ec-b44c671c56ff\",\"panelRefName\":\"panel_3\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":18,\"i\":\"ed2e421f-36f7-4501-9e4e-34ddae454f07\",\"w\":23,\"x\":25,\"y\":13},\"panelIndex\":\"ed2e421f-36f7-4501-9e4e-34ddae454f07\",\"panelRefName\":\"panel_4\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":14,\"i\":\"7dd049bb-de23-4838-9bec-3d66ef9c07bc\",\"w\":48,\"x\":0,\"y\":31},\"panelIndex\":\"7dd049bb-de23-4838-9bec-3d66ef9c07bc\",\"panelRefName\":\"panel_5\",\"version\":\"8.0.0\"}]", - "timeRestore": false, - "title": "[Bravura Monitor] Users - API", - "version": 1 - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-c5417bd0-f9fc-11eb-a1ab-1964dffd1499", - "migrationVersion": { - 
"dashboard": "7.15.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "hid_bravura_monitor-be6560d0-1a21-11eb-abcf-effcd51852fa", - "name": "panel_0", - "type": "visualization" - }, - { - "id": "hid_bravura_monitor-05cb9390-1a22-11eb-abcf-effcd51852fa", - "name": "panel_1", - "type": "visualization" - }, - { - "id": "hid_bravura_monitor-9357e910-2b67-11eb-abcf-effcd51852fa", - "name": "panel_2", - "type": "visualization" - }, - { - "id": "hid_bravura_monitor-3bd92210-1a25-11eb-abcf-effcd51852fa", - "name": "panel_3", - "type": "visualization" - }, - { - "id": "hid_bravura_monitor-0799ca70-2b66-11eb-abcf-effcd51852fa", - "name": "panel_4", - "type": "visualization" - }, - { - "id": "hid_bravura_monitor-ad5f7180-1473-11eb-bb7b-bb041e8cf289", - "name": "panel_5", - "type": "search" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/hid_bravura_monitor/1.2.2/kibana/dashboard/hid_bravura_monitor-cc6c9cf0-fa06-11eb-96cd-db0fb11a40f3.json b/packages/hid_bravura_monitor/1.2.2/kibana/dashboard/hid_bravura_monitor-cc6c9cf0-fa06-11eb-96cd-db0fb11a40f3.json deleted file mode 100755 index c5ba0bc63a..0000000000 --- a/packages/hid_bravura_monitor/1.2.2/kibana/dashboard/hid_bravura_monitor-cc6c9cf0-fa06-11eb-96cd-db0fb11a40f3.json +++ /dev/null 
@@ -1,45 +0,0 @@ -{ - "attributes": { - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":18,\"i\":\"5d934c5f-f909-4f75-a036-ac6253f5f974\",\"w\":9,\"x\":0,\"y\":0},\"panelIndex\":\"5d934c5f-f909-4f75-a036-ac6253f5f974\",\"panelRefName\":\"panel_0\",\"version\":\"7.11.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":18,\"i\":\"7d27410b-537a-4c95-a1d8-8a64f363b90c\",\"w\":39,\"x\":9,\"y\":0},\"panelIndex\":\"7d27410b-537a-4c95-a1d8-8a64f363b90c\",\"panelRefName\":\"panel_1\",\"version\":\"7.11.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":19,\"i\":\"27bdc4ea-7adc-4dee-9526-402fb6ec6d8b\",\"w\":30,\"x\":0,\"y\":18},\"panelIndex\":\"27bdc4ea-7adc-4dee-9526-402fb6ec6d8b\",\"panelRefName\":\"panel_2\",\"version\":\"7.11.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":19,\"i\":\"4c4f5228-f158-4ccc-afa5-e90d73bca46d\",\"w\":18,\"x\":30,\"y\":18},\"panelIndex\":\"4c4f5228-f158-4ccc-afa5-e90d73bca46d\",\"panelRefName\":\"panel_3\",\"version\":\"7.11.0\"}]", - "timeRestore": false, - "title": "[Bravura Monitor] Windows Event Analysis - Logins", - "version": 1 - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-cc6c9cf0-fa06-11eb-96cd-db0fb11a40f3", - "migrationVersion": { - "dashboard": "7.15.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "hid_bravura_monitor-42dc53c0-243e-11eb-abcf-effcd51852fa", - "name": "panel_0", - "type": "visualization" - }, - { - "id": "hid_bravura_monitor-2a088ae0-243d-11eb-abcf-effcd51852fa", - "name": "panel_1", - "type": "visualization" - }, - { - "id": "hid_bravura_monitor-aabca810-2456-11eb-abcf-effcd51852fa", - "name": "panel_2", - "type": "visualization" - }, - { - "id": 
"hid_bravura_monitor-cc0f81c0-243f-11eb-abcf-effcd51852fa", - "name": "panel_3", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/hid_bravura_monitor/1.2.2/kibana/dashboard/hid_bravura_monitor-d17be4f0-f9fa-11eb-a1ab-1964dffd1499.json b/packages/hid_bravura_monitor/1.2.2/kibana/dashboard/hid_bravura_monitor-d17be4f0-f9fa-11eb-a1ab-1964dffd1499.json deleted file mode 100755 index 0b45fe2cd7..0000000000 --- a/packages/hid_bravura_monitor/1.2.2/kibana/dashboard/hid_bravura_monitor-d17be4f0-f9fa-11eb-a1ab-1964dffd1499.json +++ /dev/null @@ -1,35 +0,0 @@ -{ - "attributes": { - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":26,\"i\":\"b8ac330d-572e-459e-9266-bd44fc9ac283\",\"w\":14,\"x\":0,\"y\":0},\"panelIndex\":\"b8ac330d-572e-459e-9266-bd44fc9ac283\",\"panelRefName\":\"panel_0\",\"version\":\"7.11.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":26,\"i\":\"3316ec90-b61b-4f5a-9c43-02e7bda7604f\",\"w\":34,\"x\":14,\"y\":0},\"panelIndex\":\"3316ec90-b61b-4f5a-9c43-02e7bda7604f\",\"panelRefName\":\"panel_1\",\"version\":\"7.11.0\"}]", - "timeRestore": false, - "title": "[Bravura Monitor] Users - Summary", - "version": 1 - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-d17be4f0-f9fa-11eb-a1ab-1964dffd1499", - "migrationVersion": { - "dashboard": "7.15.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "hid_bravura_monitor-bde40aa0-1957-11eb-abcf-effcd51852fa", - "name": "panel_0", - "type": "visualization" - }, - { - "id": "hid_bravura_monitor-1269fd70-1956-11eb-abcf-effcd51852fa", - "name": "panel_1", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file 
diff --git a/packages/hid_bravura_monitor/1.2.2/kibana/dashboard/hid_bravura_monitor-d3a33820-fa02-11eb-a1ab-1964dffd1499.json b/packages/hid_bravura_monitor/1.2.2/kibana/dashboard/hid_bravura_monitor-d3a33820-fa02-11eb-a1ab-1964dffd1499.json deleted file mode 100755 index ec02c160af..0000000000 --- a/packages/hid_bravura_monitor/1.2.2/kibana/dashboard/hid_bravura_monitor-d3a33820-fa02-11eb-a1ab-1964dffd1499.json +++ /dev/null 
@@ -1,65 +0,0 @@ -{ - "attributes": { - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":13,\"i\":\"a8b8efc3-5a4e-470b-9229-7ad661fb5012\",\"w\":48,\"x\":0,\"y\":0},\"panelIndex\":\"a8b8efc3-5a4e-470b-9229-7ad661fb5012\",\"panelRefName\":\"panel_0\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":16,\"i\":\"aea7ed7d-82b6-4939-975e-fd4deb845e39\",\"w\":8,\"x\":0,\"y\":13},\"panelIndex\":\"aea7ed7d-82b6-4939-975e-fd4deb845e39\",\"panelRefName\":\"panel_1\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":16,\"i\":\"def5b420-7c49-4363-a30f-7c0c6c13929d\",\"w\":8,\"x\":8,\"y\":13},\"panelIndex\":\"def5b420-7c49-4363-a30f-7c0c6c13929d\",\"panelRefName\":\"panel_2\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":16,\"i\":\"f3e25e5c-0f66-4eb3-916e-8243184f2b0d\",\"w\":8,\"x\":16,\"y\":13},\"panelIndex\":\"f3e25e5c-0f66-4eb3-916e-8243184f2b0d\",\"panelRefName\":\"panel_3\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":16,\"i\":\"c04915c9-e5d6-4c1f-815a-efc1c0b35c7d\",\"w\":8,\"x\":24,\"y\":13},\"panelIndex\":\"c04915c9-e5d6-4c1f-815a-efc1c0b35c7d\",\"panelRefName\":\"panel_4\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":16,\"i\":\"b7966004-1c02-4fa5-a8ce-5a3362adfb5a\",\"w\":16,\"x\":32,\"y\":13},\"panelIndex\":\"b7966004-1c02-4fa5-a8ce-5a3362adfb5a\",\"panelRefName\":\"panel_5\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":16,\"i\":\"1efe3f34-de43-4ffb-992d-8b21cbb771a0\",\"w\":48,\"x\":0,\"y\":29},\"panelIndex\":\"1efe3f34-de43-4ffb-992d-8b21cbb771a0\",\"panelRefName\":\"panel_6\",
\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":18,\"i\":\"81a7ce31-d928-48c7-9b8d-acd00a43d08e\",\"w\":48,\"x\":0,\"y\":45},\"panelIndex\":\"81a7ce31-d928-48c7-9b8d-acd00a43d08e\",\"panelRefName\":\"panel_7\",\"version\":\"8.0.0\"}]", - "timeRestore": false, - "title": "[Bravura Monitor] Integrations - Connectors", - "version": 1 - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-d3a33820-fa02-11eb-a1ab-1964dffd1499", - "migrationVersion": { - "dashboard": "7.15.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "hid_bravura_monitor-64514c50-1a1f-11eb-abcf-effcd51852fa", - "name": "panel_0", - "type": "visualization" - }, - { - "id": "hid_bravura_monitor-db898d80-1a21-11eb-abcf-effcd51852fa", - "name": "panel_1", - "type": "visualization" - }, - { - "id": "hid_bravura_monitor-00dc0a80-1adc-11eb-abcf-effcd51852fa", - "name": "panel_2", - "type": "visualization" - }, - { - "id": "hid_bravura_monitor-06fb9d30-1a24-11eb-abcf-effcd51852fa", - "name": "panel_3", - "type": "visualization" - }, - { - "id": "hid_bravura_monitor-1ddd3300-1a25-11eb-abcf-effcd51852fa", - "name": "panel_4", - "type": "visualization" - }, - { - "id": "hid_bravura_monitor-d5dcbf40-1a28-11eb-abcf-effcd51852fa", - "name": "panel_5", - "type": "visualization" - }, - { - "id": "hid_bravura_monitor-85943290-1a2b-11eb-abcf-effcd51852fa", - "name": "panel_6", - "type": "visualization" - }, - { - "id": "hid_bravura_monitor-bfc7f7c0-1473-11eb-bb7b-bb041e8cf289", - "name": "panel_7", - "type": "search" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/hid_bravura_monitor/1.2.2/kibana/dashboard/hid_bravura_monitor-d59177c0-f9fb-11eb-a1ab-1964dffd1499.json b/packages/hid_bravura_monitor/1.2.2/kibana/dashboard/hid_bravura_monitor-d59177c0-f9fb-11eb-a1ab-1964dffd1499.json deleted file mode 100755 index 678b3b629f..0000000000 
--- a/packages/hid_bravura_monitor/1.2.2/kibana/dashboard/hid_bravura_monitor-d59177c0-f9fb-11eb-a1ab-1964dffd1499.json +++ /dev/null 
@@ -1,45 +0,0 @@ -{ - "attributes": { - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":16,\"i\":\"5d1eb62a-f7dd-4f14-8961-96a768f70c07\",\"w\":24,\"x\":0,\"y\":0},\"panelIndex\":\"5d1eb62a-f7dd-4f14-8961-96a768f70c07\",\"panelRefName\":\"panel_0\",\"version\":\"7.11.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":16,\"i\":\"013b41ba-55b7-4ed3-9c9e-5c3984651cd8\",\"w\":24,\"x\":24,\"y\":0},\"panelIndex\":\"013b41ba-55b7-4ed3-9c9e-5c3984651cd8\",\"panelRefName\":\"panel_1\",\"version\":\"7.11.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":16,\"i\":\"d68fe28e-8def-4ea8-b848-ef2b97430924\",\"w\":24,\"x\":0,\"y\":16},\"panelIndex\":\"d68fe28e-8def-4ea8-b848-ef2b97430924\",\"panelRefName\":\"panel_2\",\"version\":\"7.11.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":16,\"i\":\"63b07db7-cd19-4cb8-839d-e7801ef7c5f8\",\"w\":24,\"x\":24,\"y\":16},\"panelIndex\":\"63b07db7-cd19-4cb8-839d-e7801ef7c5f8\",\"panelRefName\":\"panel_3\",\"version\":\"7.11.0\"}]", - "timeRestore": false, - "title": "[Bravura Monitor] Users - Authentication", - "version": 1 - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-d59177c0-f9fb-11eb-a1ab-1964dffd1499", - "migrationVersion": { - "dashboard": "7.15.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "hid_bravura_monitor-6ad826b0-d37f-11eb-9e70-edcbba448215", - "name": "panel_0", - "type": "visualization" - }, - { - "id": "hid_bravura_monitor-211feda0-d37f-11eb-9e70-edcbba448215", - "name": "panel_1", - "type": "visualization" - }, - { - "id": "hid_bravura_monitor-9036f440-d37f-11eb-9e70-edcbba448215", - "name": "panel_2", - "type": "visualization" - }, - { - "id": 
"hid_bravura_monitor-70a8f8e0-d392-11eb-9e70-edcbba448215", - "name": "panel_3", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/hid_bravura_monitor/1.2.2/kibana/dashboard/hid_bravura_monitor-db22d850-fa00-11eb-a1ab-1964dffd1499.json b/packages/hid_bravura_monitor/1.2.2/kibana/dashboard/hid_bravura_monitor-db22d850-fa00-11eb-a1ab-1964dffd1499.json deleted file mode 100755 index 3a21872d84..0000000000 --- a/packages/hid_bravura_monitor/1.2.2/kibana/dashboard/hid_bravura_monitor-db22d850-fa00-11eb-a1ab-1964dffd1499.json +++ /dev/null @@ -1,35 +0,0 @@ -{ - "attributes": { - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":26,\"i\":\"ef0f2d41-363f-4573-b92a-9ecb0af8b1fd\",\"w\":11,\"x\":0,\"y\":0},\"panelIndex\":\"ef0f2d41-363f-4573-b92a-9ecb0af8b1fd\",\"panelRefName\":\"panel_0\",\"version\":\"7.11.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":26,\"i\":\"bb8e09a0-aadf-48a8-a5a9-af581d3b42d1\",\"w\":37,\"x\":11,\"y\":0},\"panelIndex\":\"bb8e09a0-aadf-48a8-a5a9-af581d3b42d1\",\"panelRefName\":\"panel_1\",\"version\":\"7.11.0\"}]", - "timeRestore": false, - "title": "[Bravura Monitor] Database - Summary", - "version": 1 - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-db22d850-fa00-11eb-a1ab-1964dffd1499", - "migrationVersion": { - "dashboard": "7.15.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "hid_bravura_monitor-89e6a260-25d4-11eb-abcf-effcd51852fa", - "name": "panel_0", - "type": "visualization" - }, - { - "id": "hid_bravura_monitor-d5fae950-25d3-11eb-abcf-effcd51852fa", - "name": "panel_1", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file 
diff --git a/packages/hid_bravura_monitor/1.2.2/kibana/dashboard/hid_bravura_monitor-e9fa5320-fa01-11eb-a1ab-1964dffd1499.json b/packages/hid_bravura_monitor/1.2.2/kibana/dashboard/hid_bravura_monitor-e9fa5320-fa01-11eb-a1ab-1964dffd1499.json deleted file mode 100755 index 5d1e91e916..0000000000 --- a/packages/hid_bravura_monitor/1.2.2/kibana/dashboard/hid_bravura_monitor-e9fa5320-fa01-11eb-a1ab-1964dffd1499.json +++ /dev/null 
@@ -1,45 +0,0 @@ -{ - "attributes": { - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":18,\"i\":\"7fcb881a-1fac-40f3-8344-abc9d970bea0\",\"w\":12,\"x\":0,\"y\":0},\"panelIndex\":\"7fcb881a-1fac-40f3-8344-abc9d970bea0\",\"panelRefName\":\"panel_0\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":18,\"i\":\"41db8b4e-a061-4e68-a8dc-4fe557771bdc\",\"w\":36,\"x\":12,\"y\":0},\"panelIndex\":\"41db8b4e-a061-4e68-a8dc-4fe557771bdc\",\"panelRefName\":\"panel_1\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":17,\"i\":\"67513776-5611-456a-bafd-42938542c90a\",\"w\":48,\"x\":0,\"y\":18},\"panelIndex\":\"67513776-5611-456a-bafd-42938542c90a\",\"panelRefName\":\"panel_2\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":18,\"i\":\"25a4e2bd-b92e-445c-bec4-15ca828c88a8\",\"w\":48,\"x\":0,\"y\":35},\"panelIndex\":\"25a4e2bd-b92e-445c-bec4-15ca828c88a8\",\"panelRefName\":\"panel_3\",\"version\":\"8.0.0\"}]", - "timeRestore": false, - "title": "[Bravura Monitor] Database - Stored Procedure Performance", - "version": 1 - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-e9fa5320-fa01-11eb-a1ab-1964dffd1499", - "migrationVersion": { - "dashboard": "7.15.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "hid_bravura_monitor-37fb60d0-1481-11eb-bb7b-bb041e8cf289", - "name": "panel_0", - "type": "visualization" - }, - { - "id": "hid_bravura_monitor-b9fb36b0-1480-11eb-bb7b-bb041e8cf289", - "name": "panel_1", - "type": "visualization" - }, - { - "id": "hid_bravura_monitor-1498e300-1482-11eb-bb7b-bb041e8cf289", - "name": "panel_2", - "type": "visualization" - }, - { - "id": 
"hid_bravura_monitor-83eacd90-1473-11eb-bb7b-bb041e8cf289", - "name": "panel_3", - "type": "search" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/hid_bravura_monitor/1.2.2/kibana/dashboard/hid_bravura_monitor-f8112090-fa03-11eb-a1ab-1964dffd1499.json b/packages/hid_bravura_monitor/1.2.2/kibana/dashboard/hid_bravura_monitor-f8112090-fa03-11eb-a1ab-1964dffd1499.json deleted file mode 100755 index 44afdf5fe9..0000000000 --- a/packages/hid_bravura_monitor/1.2.2/kibana/dashboard/hid_bravura_monitor-f8112090-fa03-11eb-a1ab-1964dffd1499.json +++ /dev/null 
@@ -1,45 +0,0 @@ -{ - "attributes": { - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":14,\"i\":\"05d010e5-934c-4b70-ad98-d3b3a191b9e2\",\"w\":48,\"x\":0,\"y\":0},\"panelIndex\":\"05d010e5-934c-4b70-ad98-d3b3a191b9e2\",\"panelRefName\":\"panel_0\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":19,\"i\":\"8ffb10cd-0ea2-4036-8003-8c65e128a201\",\"w\":11,\"x\":0,\"y\":14},\"panelIndex\":\"8ffb10cd-0ea2-4036-8003-8c65e128a201\",\"panelRefName\":\"panel_1\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":19,\"i\":\"674a1c30-76cd-429f-a9e6-941aef3e982d\",\"w\":37,\"x\":11,\"y\":14},\"panelIndex\":\"674a1c30-76cd-429f-a9e6-941aef3e982d\",\"panelRefName\":\"panel_2\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"a75010c7-9c3b-44c2-bf63-676e9aebd54e\",\"w\":48,\"x\":0,\"y\":33},\"panelIndex\":\"a75010c7-9c3b-44c2-bf63-676e9aebd54e\",\"panelRefName\":\"panel_3\",\"version\":\"8.0.0\"}]", - "timeRestore": false, - "title": "[Bravura Monitor] API - Summary", - "version": 1 - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-f8112090-fa03-11eb-a1ab-1964dffd1499", - "migrationVersion": { - "dashboard": "7.15.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "hid_bravura_monitor-659dad40-25b6-11eb-abcf-effcd51852fa", - "name": "panel_0", - "type": "visualization" - }, - { - "id": "hid_bravura_monitor-c0e79490-25b6-11eb-abcf-effcd51852fa", - "name": "panel_1", - "type": "visualization" - }, - { - "id": "hid_bravura_monitor-87baab60-25b8-11eb-abcf-effcd51852fa", - "name": "panel_2", - "type": "visualization" - }, - { - "id": 
"hid_bravura_monitor-991d9760-1473-11eb-bb7b-bb041e8cf289", - "name": "panel_3", - "type": "search" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/hid_bravura_monitor/1.2.2/kibana/search/hid_bravura_monitor-046c7b20-2b6d-11eb-abcf-effcd51852fa.json b/packages/hid_bravura_monitor/1.2.2/kibana/search/hid_bravura_monitor-046c7b20-2b6d-11eb-abcf-effcd51852fa.json deleted file mode 100755 index 14951ba72f..0000000000 --- a/packages/hid_bravura_monitor/1.2.2/kibana/search/hid_bravura_monitor-046c7b20-2b6d-11eb-abcf-effcd51852fa.json +++ /dev/null 
@@ -1,39 +0,0 @@ -{ - "attributes": { - "columns": [], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"fieldsFromSource\":[\"@timestamp\",\"_id\",\"_index\",\"_score\",\"_source\",\"_type\",\"agent.build.original\",\"agent.ephemeral_id\",\"agent.hostname\",\"agent.id\",\"agent.name\",\"agent.type\",\"agent.version\",\"apache.access.ssl.cipher\",\"apache.access.ssl.protocol\",\"apache.error.integration\",\"as.number\",\"as.organization.name\",\"as.organization.name.text\",\"auditd.log.a0\",\"auditd.log.addr\",\"auditd.log.item\",\"auditd.log.items\",\"auditd.log.laddr\",\"auditd.log.lport\",\"auditd.log.new_auid\",\"auditd.log.new_ses\",\"auditd.log.old_auid\",\"auditd.log.old_ses\",\"auditd.log.rport\",\"auditd.log.sequence\",\"auditd.log.tty\",\"azure.consumer_group\",\"azure.enqueued_time\",\"azure.eventhub\",\"azure.offset\",\"azure.partition_id\",\"azure.sequence_number\",\"client.address\",\"client.as.number\",\"client.as.organization.name\",\"client.as.organization.name.text\",\"client.bytes\",\"client.domain\",\"client.geo.city_name\",\"client.geo.continent_name\",\"client.geo.country_iso_code\",\"client.geo.country_name\",\"client.geo.location\",\"client.geo.name\",\"client.geo.region_iso_code\",\"client.geo.region_name\",\"client.ip\",\"client.mac\",\"client.nat.ip\",\"client.nat.port\",\"client.packets\",\"client.port\",\"client.registered_domain\",\"client.subdomain\",\"client.top_level_domain\",\"client.user.domain\",\"client.user.email\",\"client.user.full_name\",\"client.user.full_name.text\",\"client.user.group.domain\",\"client.user.group.id\",\"client.user.group.name\",\"client.user.hash\",\"client.user.id\",\"client.user.name\",\"client.user.name.text\",\"client.user.roles\",\"cloud.account.id\",\"cloud.account.name\",\"cloud.availability_zone\",\"cloud.image.id\",\"cloud.instance.id\",\"cloud.instance.name\",\"cloud.machine.type\",\"cloud.project.id\",\"cloud.project.name\",\"cloud.provider\",\"cloud.region
\",\"code_signature.exists\",\"code_signature.status\",\"code_signature.subject_name\",\"code_signature.trusted\",\"code_signature.valid\",\"container.id\",\"container.image.name\",\"container.image.tag\",\"container.name\",\"container.runtime\",\"destination.address\",\"destination.as.number\",\"destination.as.organization.name\",\"destination.as.organization.name.text\",\"destination.bytes\",\"destination.domain\",\"destination.geo.city_name\",\"destination.geo.continent_name\",\"destination.geo.country_iso_code\",\"destination.geo.country_name\",\"destination.geo.location\",\"destination.geo.name\",\"destination.geo.region_iso_code\",\"destination.geo.region_name\",\"destination.ip\",\"destination.mac\",\"destination.nat.ip\",\"destination.nat.port\",\"destination.packets\",\"destination.port\",\"destination.registered_domain\",\"destination.subdomain\",\"destination.top_level_domain\",\"destination.user.domain\",\"destination.user.email\",\"destination.user.full_name\",\"destination.user.full_name.text\",\"destination.user.group.domain\",\"destination.user.group.id\",\"destination.user.group.name\",\"destination.user.hash\",\"destination.user.id\",\"destination.user.name\",\"destination.user.name.text\",\"destination.user.roles\",\"dll.code_signature.exists\",\"dll.code_signature.status\",\"dll.code_signature.subject_name\",\"dll.code_signature.trusted\",\"dll.code_signature.valid\",\"dll.hash.md5\",\"dll.hash.sha1\",\"dll.hash.sha256\",\"dll.hash.sha512\",\"dll.name\",\"dll.path\",\"dll.pe.architecture\",\"dll.pe.company\",\"dll.pe.description\",\"dll.pe.file_version\",\"dll.pe.imphash\",\"dll.pe.original_file_name\",\"dll.pe.product\",\"dns.answers.class\",\"dns.answers.data\",\"dns.answers.name\",\"dns.answers.ttl\",\"dns.answers.type\",\"dns.header_flags\",\"dns.id\",\"dns.op_code\",\"dns.question.class\",\"dns.question.name\",\"dns.question.registered_domain\",\"dns.question.subdomain\",\"dns.question.top_level_domain\",\"dns.question.type\",\"dns.resolved_
ip\",\"dns.response_code\",\"dns.type\",\"ecs.version\",\"elasticsearch.audit.action\",\"elasticsearch.audit.event_type\",\"elasticsearch.audit.indices\",\"elasticsearch.audit.layer\",\"elasticsearch.audit.message\",\"elasticsearch.audit.origin.type\",\"elasticsearch.audit.realm\",\"elasticsearch.audit.request.id\",\"elasticsearch.audit.request.name\",\"elasticsearch.audit.url.params\",\"elasticsearch.audit.user.realm\",\"elasticsearch.audit.user.roles\",\"elasticsearch.cluster.name\",\"elasticsearch.cluster.uuid\",\"elasticsearch.component\",\"elasticsearch.gc.heap.size_kb\",\"elasticsearch.gc.heap.used_kb\",\"elasticsearch.gc.jvm_runtime_sec\",\"elasticsearch.gc.old_gen.size_kb\",\"elasticsearch.gc.old_gen.used_kb\",\"elasticsearch.gc.phase.class_unload_time_sec\",\"elasticsearch.gc.phase.cpu_time.real_sec\",\"elasticsearch.gc.phase.cpu_time.sys_sec\",\"elasticsearch.gc.phase.cpu_time.user_sec\",\"elasticsearch.gc.phase.duration_sec\",\"elasticsearch.gc.phase.name\",\"elasticsearch.gc.phase.parallel_rescan_time_sec\",\"elasticsearch.gc.phase.scrub_string_table_time_sec\",\"elasticsearch.gc.phase.scrub_symbol_table_time_sec\",\"elasticsearch.gc.phase.weak_refs_processing_time_sec\",\"elasticsearch.gc.stopping_threads_time_sec\",\"elasticsearch.gc.tags\",\"elasticsearch.gc.threads_total_stop_time_sec\",\"elasticsearch.gc.young_gen.size_kb\",\"elasticsearch.gc.young_gen.used_kb\",\"elasticsearch.index.id\",\"elasticsearch.index.name\",\"elasticsearch.node.id\",\"elasticsearch.node.name\",\"elasticsearch.server.gc.collection_duration.ms\",\"elasticsearch.server.gc.observation_duration.ms\",\"elasticsearch.server.gc.overhead_seq\",\"elasticsearch.server.gc.young.one\",\"elasticsearch.server.gc.young.two\",\"elasticsearch.server.stacktrace\",\"elasticsearch.shard.id\",\"elasticsearch.slowlog.extra_source\",\"elasticsearch.slowlog.id\",\"elasticsearch.slowlog.logger\",\"elasticsearch.slowlog.routing\",\"elasticsearch.slowlog.search_type\",\"elasticsearch.slowlog.source\"
,\"elasticsearch.slowlog.source_query\",\"elasticsearch.slowlog.stats\",\"elasticsearch.slowlog.took\",\"elasticsearch.slowlog.total_hits\",\"elasticsearch.slowlog.total_shards\",\"elasticsearch.slowlog.type\",\"elasticsearch.slowlog.types\",\"error.code\",\"error.id\",\"error.message\",\"error.stack_trace\",\"error.stack_trace.text\",\"error.type\",\"event.action\",\"event.category\",\"event.code\",\"event.created\",\"data_stream.dataset\",\"event.duration\",\"event.end\",\"event.hash\",\"event.id\",\"event.ingested\",\"event.kind\",\"event.integration\",\"event.original\",\"event.outcome\",\"event.provider\",\"event.reason\",\"event.reference\",\"event.risk_score\",\"event.risk_score_norm\",\"event.sequence\",\"event.severity\",\"event.start\",\"event.timezone\",\"event.type\",\"event.url\",\"file.accessed\",\"file.attributes\",\"file.code_signature.exists\",\"file.code_signature.status\",\"file.code_signature.subject_name\",\"file.code_signature.trusted\",\"file.code_signature.valid\",\"file.created\",\"file.ctime\",\"file.device\",\"file.directory\",\"file.drive_letter\",\"file.extension\",\"file.gid\",\"file.group\",\"file.hash.md5\",\"file.hash.sha1\",\"file.hash.sha256\",\"file.hash.sha512\",\"file.inode\",\"file.mime_type\",\"file.mode\",\"file.mtime\",\"file.name\",\"file.owner\",\"file.path\",\"file.path.text\",\"file.pe.architecture\",\"file.pe.company\",\"file.pe.description\",\"file.pe.file_version\",\"file.pe.imphash\",\"file.pe.original_file_name\",\"file.pe.product\",\"file.size\",\"file.target_path\",\"file.target_path.text\",\"file.type\",\"file.uid\",\"file.x509.alternative_names\",\"file.x509.issuer.common_name\",\"file.x509.issuer.country\",\"file.x509.issuer.distinguished_name\",\"file.x509.issuer.locality\",\"file.x509.issuer.organization\",\"file.x509.issuer.organizational_unit\",\"file.x509.issuer.state_or_province\",\"file.x509.not_after\",\"file.x509.not_before\",\"file.x509.public_key_algorithm\",\"file.x509.public_key_curve\",\"file.x509
.public_key_exponent\",\"file.x509.public_key_size\",\"file.x509.serial_number\",\"file.x509.signature_algorithm\",\"file.x509.subject.common_name\",\"file.x509.subject.country\",\"file.x509.subject.distinguished_name\",\"file.x509.subject.locality\",\"file.x509.subject.organization\",\"file.x509.subject.organizational_unit\",\"file.x509.subject.state_or_province\",\"file.x509.version_number\",\"fileset.name\",\"geo.city_name\",\"geo.continent_name\",\"geo.country_iso_code\",\"geo.country_name\",\"geo.location\",\"geo.name\",\"geo.region_iso_code\",\"geo.region_name\",\"group.domain\",\"group.id\",\"group.name\",\"haproxy.backend_name\",\"haproxy.backend_queue\",\"haproxy.bind_name\",\"haproxy.bytes_read\",\"haproxy.connection_wait_time_ms\",\"haproxy.connections.active\",\"haproxy.connections.backend\",\"haproxy.connections.frontend\",\"haproxy.connections.retries\",\"haproxy.connections.server\",\"haproxy.error_message\",\"haproxy.frontend_name\",\"haproxy.http.request.captured_cookie\",\"haproxy.http.request.captured_headers\",\"haproxy.http.request.raw_request_line\",\"haproxy.http.request.time_wait_ms\",\"haproxy.http.request.time_wait_without_data_ms\",\"haproxy.http.response.captured_cookie\",\"haproxy.http.response.captured_headers\",\"haproxy.mode\",\"haproxy.server_name\",\"haproxy.server_queue\",\"haproxy.source\",\"haproxy.tcp.connection_waiting_time_ms\",\"haproxy.termination_state\",\"haproxy.time_backend_connect\",\"haproxy.time_queue\",\"haproxy.total_waiting_time_ms\",\"hash.md5\",\"hash.sha1\",\"hash.sha256\",\"hash.sha512\",\"hid_bravura_monitor.instancename\",\"hid_bravura_monitor.node\",\"hid_bravura_monitor.perf.address\",\"hid_bravura_monitor.perf.address\",\"hid_bravura_monitor.perf.adminid\",\"hid_bravura_monitor.perf.adminid\",\"hid_bravura_monitor.perf.dbcommand\",\"hid_bravura_monitor.perf.dbcommand\",\"hid_bravura_monitor.perf.destination\",\"hid_bravura_monitor.perf.duration\",\"hid_bravura_monitor.perf.event\",\"hid_bravura_monitor.per
f.event\",\"hid_bravura_monitor.perf.exe\",\"hid_bravura_monitor.perf.exe\",\"hid_bravura_monitor.perf.file\",\"hid_bravura_monitor.perf.function\",\"hid_bravura_monitor.perf.function\",\"hid_bravura_monitor.perf.kernel\",\"hid_bravura_monitor.perf.kind\",\"hid_bravura_monitor.perf.kind\",\"hid_bravura_monitor.perf.message\",\"hid_bravura_monitor.perf.message\",\"hid_bravura_monitor.perf.operation\",\"hid_bravura_monitor.perf.operation\",\"hid_bravura_monitor.perf.receivequeue\",\"hid_bravura_monitor.perf.receivequeue\",\"hid_bravura_monitor.perf.records\",\"hid_bravura_monitor.perf.result\",\"hid_bravura_monitor.perf.result\",\"hid_bravura_monitor.perf.rule\",\"hid_bravura_monitor.perf.sessionid\",\"hid_bravura_monitor.perf.sessionid\",\"hid_bravura_monitor.perf.sysid\",\"hid_bravura_monitor.perf.sysid\",\"hid_bravura_monitor.perf.table\",\"hid_bravura_monitor.perf.table\",\"hid_bravura_monitor.perf.targetid\",\"hid_bravura_monitor.perf.targetid\",\"hid_bravura_monitor.perf.transid\",\"hid_bravura_monitor.perf.transid\",\"hid_bravura_monitor.perf.type\",\"hid_bravura_monitor.perf.user\",\"hid_bravura_monitor.request.id\",\"hid_bravura_monitor.request.id\",\"host.architecture\",\"host.containerized\",\"host.domain\",\"host.geo.city_name\",\"host.geo.continent_name\",\"host.geo.country_iso_code\",\"host.geo.country_name\",\"host.geo.location\",\"host.geo.name\",\"host.geo.region_iso_code\",\"host.geo.region_name\",\"host.hostname\",\"host.id\",\"host.ip\",\"host.mac\",\"host.name\",\"host.os.build\",\"host.os.codename\",\"host.os.family\",\"host.os.full\",\"host.os.full.text\",\"host.os.kernel\",\"host.os.name\",\"host.os.name.text\",\"host.os.platform\",\"host.os.version\",\"host.type\",\"host.uptime\",\"host.user.domain\",\"host.user.email\",\"host.user.full_name\",\"host.user.full_name.text\",\"host.user.group.domain\",\"host.user.group.id\",\"host.user.group.name\",\"host.user.hash\",\"host.user.id\",\"host.user.name\",\"host.user.name.text\",\"host.user.roles\",
\"http.request.body.bytes\",\"http.request.body.content\",\"http.request.body.content.text\",\"http.request.bytes\",\"http.request.method\",\"http.request.mime_type\",\"http.request.referrer\",\"http.response.body.bytes\",\"http.response.body.content\",\"http.response.body.content.text\",\"http.response.bytes\",\"http.response.mime_type\",\"http.response.status_code\",\"http.version\",\"icinga.debug.facility\",\"icinga.main.facility\",\"icinga.startup.facility\",\"icmp.code\",\"icmp.type\",\"igmp.type\",\"iis.access.cookie\",\"iis.access.server_name\",\"iis.access.site_name\",\"iis.access.sub_status\",\"iis.access.win32_status\",\"iis.error.queue_name\",\"iis.error.reason_phrase\",\"input.type\",\"interface.alias\",\"interface.id\",\"interface.name\",\"jolokia.agent.id\",\"jolokia.agent.version\",\"jolokia.secured\",\"jolokia.server.product\",\"jolokia.server.vendor\",\"jolokia.server.version\",\"jolokia.url\",\"kafka.block_timestamp\",\"kafka.key\",\"kafka.log.class\",\"kafka.log.component\",\"kafka.log.thread\",\"kafka.log.trace.class\",\"kafka.log.trace.message\",\"kafka.offset\",\"kafka.partition\",\"kafka.topic\",\"kibana.add_to_spaces\",\"kibana.authentication_provider\",\"kibana.authentication_realm\",\"kibana.authentication_type\",\"kibana.delete_from_spaces\",\"kibana.log.state\",\"kibana.log.tags\",\"kibana.lookup_realm\",\"kibana.saved_object.id\",\"kibana.saved_object.type\",\"kibana.session_id\",\"kibana.space_id\",\"kubernetes.container.image\",\"kubernetes.container.name\",\"kubernetes.deployment.name\",\"kubernetes.namespace\",\"kubernetes.node.hostname\",\"kubernetes.node.name\",\"kubernetes.pod.name\",\"kubernetes.pod.uid\",\"kubernetes.replicaset.name\",\"kubernetes.statefulset.name\",\"log.file.path\",\"log.flags\",\"log.level\",\"log.logger\",\"log.offset\",\"log.origin.file.line\",\"log.origin.file.name\",\"log.origin.function\",\"log.original\",\"log.source.address\",\"log.syslog.facility.code\",\"log.syslog.facility.name\",\"log.syslog.priori
ty\",\"log.syslog.severity.code\",\"log.syslog.severity.name\",\"logstash.log.integration\",\"logstash.log.pipeline_id\",\"logstash.log.thread\",\"logstash.log.thread.text\",\"logstash.slowlog.event\",\"logstash.slowlog.event.text\",\"logstash.slowlog.integration\",\"logstash.slowlog.plugin_name\",\"logstash.slowlog.plugin_params\",\"logstash.slowlog.plugin_params.text\",\"logstash.slowlog.plugin_type\",\"logstash.slowlog.thread\",\"logstash.slowlog.thread.text\",\"logstash.slowlog.took_in_millis\",\"message\",\"mongodb.log.component\",\"mongodb.log.context\",\"mysql.slowlog.bytes_received\",\"mysql.slowlog.bytes_sent\",\"mysql.slowlog.current_user\",\"mysql.slowlog.filesort\",\"mysql.slowlog.filesort_on_disk\",\"mysql.slowlog.full_join\",\"mysql.slowlog.full_scan\",\"mysql.slowlog.innodb.io_r_bytes\",\"mysql.slowlog.innodb.io_r_ops\",\"mysql.slowlog.innodb.io_r_wait.sec\",\"mysql.slowlog.innodb.pages_distinct\",\"mysql.slowlog.innodb.queue_wait.sec\",\"mysql.slowlog.innodb.rec_lock_wait.sec\",\"mysql.slowlog.innodb.trx_id\",\"mysql.slowlog.killed\",\"mysql.slowlog.last_errno\",\"mysql.slowlog.lock_time.sec\",\"mysql.slowlog.log_slow_rate_limit\",\"mysql.slowlog.log_slow_rate_type\",\"mysql.slowlog.merge_passes\",\"mysql.slowlog.priority_queue\",\"mysql.slowlog.query\",\"mysql.slowlog.query_cache_hit\",\"mysql.slowlog.read_first\",\"mysql.slowlog.read_key\",\"mysql.slowlog.read_last\",\"mysql.slowlog.read_next\",\"mysql.slowlog.read_prev\",\"mysql.slowlog.read_rnd\",\"mysql.slowlog.read_rnd_next\",\"mysql.slowlog.rows_affected\",\"mysql.slowlog.rows_examined\",\"mysql.slowlog.rows_sent\",\"mysql.slowlog.schema\",\"mysql.slowlog.sort_merge_passes\",\"mysql.slowlog.sort_range_count\",\"mysql.slowlog.sort_rows\",\"mysql.slowlog.sort_scan_count\",\"mysql.slowlog.tmp_disk_tables\",\"mysql.slowlog.tmp_table\",\"mysql.slowlog.tmp_table_on_disk\",\"mysql.slowlog.tmp_table_sizes\",\"mysql.slowlog.tmp_tables\",\"mysql.thread_id\",\"nats.log.client.id\",\"nats.log.msg.bytes\",
\"nats.log.msg.error.message\",\"nats.log.msg.max_messages\",\"nats.log.msg.queue_group\",\"nats.log.msg.reply_to\",\"nats.log.msg.sid\",\"nats.log.msg.subject\",\"nats.log.msg.type\",\"network.application\",\"network.bytes\",\"network.community_id\",\"network.direction\",\"network.forwarded_ip\",\"network.iana_number\",\"network.inner.vlan.id\",\"network.inner.vlan.name\",\"network.name\",\"network.packets\",\"network.protocol\",\"network.transport\",\"network.type\",\"network.vlan.id\",\"network.vlan.name\",\"nginx.error.connection_id\",\"nginx.ingress_controller.http.request.id\",\"nginx.ingress_controller.http.request.length\",\"nginx.ingress_controller.http.request.time\",\"nginx.ingress_controller.upstream.alternative_name\",\"nginx.ingress_controller.upstream.ip\",\"nginx.ingress_controller.upstream.name\",\"nginx.ingress_controller.upstream.port\",\"nginx.ingress_controller.upstream.response.length\",\"nginx.ingress_controller.upstream.response.length_list\",\"nginx.ingress_controller.upstream.response.status_code\",\"nginx.ingress_controller.upstream.response.status_code_list\",\"nginx.ingress_controller.upstream.response.time\",\"nginx.ingress_controller.upstream.response.time_list\",\"nginx.ingress_controller.upstream_address_list\",\"observer.egress.interface.alias\",\"observer.egress.interface.id\",\"observer.egress.interface.name\",\"observer.egress.vlan.id\",\"observer.egress.vlan.name\",\"observer.egress.zone\",\"observer.geo.city_name\",\"observer.geo.continent_name\",\"observer.geo.country_iso_code\",\"observer.geo.country_name\",\"observer.geo.location\",\"observer.geo.name\",\"observer.geo.region_iso_code\",\"observer.geo.region_name\",\"observer.hostname\",\"observer.ingress.interface.alias\",\"observer.ingress.interface.id\",\"observer.ingress.interface.name\",\"observer.ingress.vlan.id\",\"observer.ingress.vlan.name\",\"observer.ingress.zone\",\"observer.ip\",\"observer.mac\",\"observer.name\",\"observer.os.family\",\"observer.os.full\",\"obse
rver.os.full.text\",\"observer.os.kernel\",\"observer.os.name\",\"observer.os.name.text\",\"observer.os.platform\",\"observer.os.version\",\"observer.product\",\"observer.serial_number\",\"observer.type\",\"observer.vendor\",\"observer.version\",\"organization.id\",\"organization.name\",\"organization.name.text\",\"os.family\",\"os.full\",\"os.full.text\",\"os.kernel\",\"os.name\",\"os.name.text\",\"os.platform\",\"os.version\",\"osquery.result.action\",\"osquery.result.calendar_time\",\"osquery.result.host_identifier\",\"osquery.result.name\",\"osquery.result.unix_time\",\"package.architecture\",\"package.build_version\",\"package.checksum\",\"package.description\",\"package.install_scope\",\"package.installed\",\"package.license\",\"package.name\",\"package.path\",\"package.reference\",\"package.size\",\"package.type\",\"package.version\",\"pe.architecture\",\"pe.company\",\"pe.description\",\"pe.file_version\",\"pe.imphash\",\"pe.original_file_name\",\"pe.product\",\"postgresql.log.core_id\",\"postgresql.log.database\",\"postgresql.log.error.code\",\"postgresql.log.query\",\"postgresql.log.query_name\",\"postgresql.log.query_step\",\"postgresql.log.timestamp\",\"process.args\",\"process.args_count\",\"process.code_signature.exists\",\"process.code_signature.status\",\"process.code_signature.subject_name\",\"process.code_signature.trusted\",\"process.code_signature.valid\",\"process.command_line\",\"process.command_line.text\",\"process.entity_id\",\"process.executable\",\"process.executable.text\",\"process.exit_code\",\"process.hash.md5\",\"process.hash.sha1\",\"process.hash.sha256\",\"process.hash.sha512\",\"process.name\",\"process.name.text\",\"process.parent.args\",\"process.parent.args_count\",\"process.parent.code_signature.exists\",\"process.parent.code_signature.status\",\"process.parent.code_signature.subject_name\",\"process.parent.code_signature.trusted\",\"process.parent.code_signature.valid\",\"process.parent.command_line\",\"process.parent.command_
line.text\",\"process.parent.entity_id\",\"process.parent.executable\",\"process.parent.executable.text\",\"process.parent.exit_code\",\"process.parent.hash.md5\",\"process.parent.hash.sha1\",\"process.parent.hash.sha256\",\"process.parent.hash.sha512\",\"process.parent.name\",\"process.parent.name.text\",\"process.parent.pe.architecture\",\"process.parent.pe.company\",\"process.parent.pe.description\",\"process.parent.pe.file_version\",\"process.parent.pe.imphash\",\"process.parent.pe.original_file_name\",\"process.parent.pe.product\",\"process.parent.pgid\",\"process.parent.pid\",\"process.parent.ppid\",\"process.parent.start\",\"process.parent.thread.id\",\"process.parent.thread.name\",\"process.parent.title\",\"process.parent.title.text\",\"process.parent.uptime\",\"process.parent.working_directory\",\"process.parent.working_directory.text\",\"process.pe.architecture\",\"process.pe.company\",\"process.pe.description\",\"process.pe.file_version\",\"process.pe.imphash\",\"process.pe.original_file_name\",\"process.pe.product\",\"process.pgid\",\"process.pid\",\"process.ppid\",\"process.program\",\"process.start\",\"process.thread.id\",\"process.thread.name\",\"process.title\",\"process.title.text\",\"process.uptime\",\"process.working_directory\",\"process.working_directory.text\",\"redis.log.role\",\"redis.slowlog.args\",\"redis.slowlog.cmd\",\"redis.slowlog.duration.us\",\"redis.slowlog.id\",\"redis.slowlog.key\",\"registry.data.bytes\",\"registry.data.strings\",\"registry.data.type\",\"registry.hive\",\"registry.key\",\"registry.path\",\"registry.value\",\"related.hash\",\"related.hosts\",\"related.ip\",\"related.user\",\"rule.author\",\"rule.category\",\"rule.description\",\"rule.id\",\"rule.license\",\"rule.name\",\"rule.reference\",\"rule.ruleset\",\"rule.uuid\",\"rule.version\",\"santa.action\",\"santa.certificate.common_name\",\"santa.certificate.sha256\",\"santa.decision\",\"santa.disk.bsdname\",\"santa.disk.bus\",\"santa.disk.fs\",\"santa.disk.model\",\"s
anta.disk.mount\",\"santa.disk.serial\",\"santa.disk.volume\",\"santa.mode\",\"santa.reason\",\"server.address\",\"server.as.number\",\"server.as.organization.name\",\"server.as.organization.name.text\",\"server.bytes\",\"server.domain\",\"server.geo.city_name\",\"server.geo.continent_name\",\"server.geo.country_iso_code\",\"server.geo.country_name\",\"server.geo.location\",\"server.geo.name\",\"server.geo.region_iso_code\",\"server.geo.region_name\",\"server.ip\",\"server.mac\",\"server.nat.ip\",\"server.nat.port\",\"server.packets\",\"server.port\",\"server.registered_domain\",\"server.subdomain\",\"server.top_level_domain\",\"server.user.domain\",\"server.user.email\",\"server.user.full_name\",\"server.user.full_name.text\",\"server.user.group.domain\",\"server.user.group.id\",\"server.user.group.name\",\"server.user.hash\",\"server.user.id\",\"server.user.name\",\"server.user.name.text\",\"server.user.roles\",\"service.ephemeral_id\",\"service.id\",\"service.name\",\"service.node.name\",\"service.state\",\"service.type\",\"service.version\",\"source.address\",\"source.as.number\",\"source.as.organization.name\",\"source.as.organization.name.text\",\"source.bytes\",\"source.domain\",\"source.geo.city_name\",\"source.geo.continent_name\",\"source.geo.country_iso_code\",\"source.geo.country_name\",\"source.geo.location\",\"source.geo.name\",\"source.geo.region_iso_code\",\"source.geo.region_name\",\"source.ip\",\"source.mac\",\"source.nat.ip\",\"source.nat.port\",\"source.packets\",\"source.port\",\"source.registered_domain\",\"source.subdomain\",\"source.top_level_domain\",\"source.user.domain\",\"source.user.email\",\"source.user.full_name\",\"source.user.full_name.text\",\"source.user.group.domain\",\"source.user.group.id\",\"source.user.group.name\",\"source.user.hash\",\"source.user.id\",\"source.user.name\",\"source.user.name.text\",\"source.user.roles\",\"span.id\",\"stream\",\"syslog.facility\",\"syslog.facility_label\",\"syslog.priority\",\"syslog.severity
_label\",\"system.auth.ssh.dropped_ip\",\"system.auth.ssh.event\",\"system.auth.ssh.method\",\"system.auth.ssh.signature\",\"system.auth.sudo.command\",\"system.auth.sudo.error\",\"system.auth.sudo.pwd\",\"system.auth.sudo.tty\",\"system.auth.sudo.user\",\"system.auth.useradd.home\",\"system.auth.useradd.shell\",\"tags\",\"threat.framework\",\"threat.tactic.id\",\"threat.tactic.name\",\"threat.tactic.reference\",\"threat.technique.id\",\"threat.technique.name\",\"threat.technique.name.text\",\"threat.technique.reference\",\"threat.technique.subtechnique.id\",\"threat.technique.subtechnique.name\",\"threat.technique.subtechnique.name.text\",\"threat.technique.subtechnique.reference\",\"timeseries.instance\",\"tls.cipher\",\"tls.client.certificate\",\"tls.client.certificate_chain\",\"tls.client.hash.md5\",\"tls.client.hash.sha1\",\"tls.client.hash.sha256\",\"tls.client.issuer\",\"tls.client.ja3\",\"tls.client.not_after\",\"tls.client.not_before\",\"tls.client.server_name\",\"tls.client.subject\",\"tls.client.supported_ciphers\",\"tls.client.x509.alternative_names\",\"tls.client.x509.issuer.common_name\",\"tls.client.x509.issuer.country\",\"tls.client.x509.issuer.distinguished_name\",\"tls.client.x509.issuer.locality\",\"tls.client.x509.issuer.organization\",\"tls.client.x509.issuer.organizational_unit\",\"tls.client.x509.issuer.state_or_province\",\"tls.client.x509.not_after\",\"tls.client.x509.not_before\",\"tls.client.x509.public_key_algorithm\",\"tls.client.x509.public_key_curve\",\"tls.client.x509.public_key_exponent\",\"tls.client.x509.public_key_size\",\"tls.client.x509.serial_number\",\"tls.client.x509.signature_algorithm\",\"tls.client.x509.subject.common_name\",\"tls.client.x509.subject.country\",\"tls.client.x509.subject.distinguished_name\",\"tls.client.x509.subject.locality\",\"tls.client.x509.subject.organization\",\"tls.client.x509.subject.organizational_unit\",\"tls.client.x509.subject.state_or_province\",\"tls.client.x509.version_number\",\"tls.curve\"
,\"tls.established\",\"tls.next_protocol\",\"tls.resumed\",\"tls.server.certificate\",\"tls.server.certificate_chain\",\"tls.server.hash.md5\",\"tls.server.hash.sha1\",\"tls.server.hash.sha256\",\"tls.server.issuer\",\"tls.server.ja3s\",\"tls.server.not_after\",\"tls.server.not_before\",\"tls.server.subject\",\"tls.server.x509.alternative_names\",\"tls.server.x509.issuer.common_name\",\"tls.server.x509.issuer.country\",\"tls.server.x509.issuer.distinguished_name\",\"tls.server.x509.issuer.locality\",\"tls.server.x509.issuer.organization\",\"tls.server.x509.issuer.organizational_unit\",\"tls.server.x509.issuer.state_or_province\",\"tls.server.x509.not_after\",\"tls.server.x509.not_before\",\"tls.server.x509.public_key_algorithm\",\"tls.server.x509.public_key_curve\",\"tls.server.x509.public_key_exponent\",\"tls.server.x509.public_key_size\",\"tls.server.x509.serial_number\",\"tls.server.x509.signature_algorithm\",\"tls.server.x509.subject.common_name\",\"tls.server.x509.subject.country\",\"tls.server.x509.subject.distinguished_name\",\"tls.server.x509.subject.locality\",\"tls.server.x509.subject.organization\",\"tls.server.x509.subject.organizational_unit\",\"tls.server.x509.subject.state_or_province\",\"tls.server.x509.version_number\",\"tls.version\",\"tls.version_protocol\",\"trace.id\",\"traefik.access.backend_url\",\"traefik.access.frontend_name\",\"traefik.access.geoip.city_name\",\"traefik.access.geoip.continent_name\",\"traefik.access.geoip.country_iso_code\",\"traefik.access.geoip.location\",\"traefik.access.geoip.region_iso_code\",\"traefik.access.geoip.region_name\",\"traefik.access.request_count\",\"traefik.access.user_agent.device\",\"traefik.access.user_agent.name\",\"traefik.access.user_agent.original\",\"traefik.access.user_agent.os\",\"traefik.access.user_agent.os_name\",\"traefik.access.user_identifier\",\"transaction.id\",\"url.domain\",\"url.extension\",\"url.fragment\",\"url.full\",\"url.full.text\",\"url.original\",\"url.original.text\",\"url.pa
ssword\",\"url.path\",\"url.port\",\"url.query\",\"url.registered_domain\",\"url.scheme\",\"url.subdomain\",\"url.top_level_domain\",\"url.username\",\"user.audit.group.id\",\"user.audit.group.name\",\"user.audit.id\",\"user.audit.name\",\"user.domain\",\"user.effective.group.id\",\"user.effective.group.name\",\"user.effective.id\",\"user.effective.name\",\"user.email\",\"user.filesystem.group.id\",\"user.filesystem.group.name\",\"user.filesystem.id\",\"user.filesystem.name\",\"user.full_name\",\"user.full_name.text\",\"user.group.domain\",\"user.group.id\",\"user.group.name\",\"user.hash\",\"user.id\",\"user.name\",\"user.name.text\",\"user.owner.group.id\",\"user.owner.group.name\",\"user.owner.id\",\"user.owner.name\",\"user.roles\",\"user.saved.group.id\",\"user.saved.group.name\",\"user.saved.id\",\"user.saved.name\",\"user.terminal\",\"user_agent.device.name\",\"user_agent.name\",\"user_agent.original\",\"user_agent.original.text\",\"user_agent.os.family\",\"user_agent.os.full\",\"user_agent.os.full.text\",\"user_agent.os.full_name\",\"user_agent.os.kernel\",\"user_agent.os.name\",\"user_agent.os.name.text\",\"user_agent.os.platform\",\"user_agent.os.version\",\"user_agent.version\",\"vlan.id\",\"vlan.name\",\"vulnerability.category\",\"vulnerability.classification\",\"vulnerability.description\",\"vulnerability.description.text\",\"vulnerability.enumeration\",\"vulnerability.id\",\"vulnerability.reference\",\"vulnerability.report_id\",\"vulnerability.scanner.vendor\",\"vulnerability.score.base\",\"vulnerability.score.environmental\",\"vulnerability.score.temporal\",\"vulnerability.score.version\",\"vulnerability.severity\",\"x509.alternative_names\",\"x509.issuer.common_name\",\"x509.issuer.country\",\"x509.issuer.distinguished_name\",\"x509.issuer.locality\",\"x509.issuer.organization\",\"x509.issuer.organizational_unit\",\"x509.issuer.state_or_province\",\"x509.not_after\",\"x509.not_before\",\"x509.public_key_algorithm\",\"x509.public_key_curve\",\"x509.pu
blic_key_exponent\",\"x509.public_key_size\",\"x509.serial_number\",\"x509.signature_algorithm\",\"x509.subject.common_name\",\"x509.subject.country\",\"x509.subject.distinguished_name\",\"x509.subject.locality\",\"x509.subject.organization\",\"x509.subject.organizational_unit\",\"x509.subject.state_or_province\",\"x509.version_number\"],\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"hid_bravura_monitor.perf.kind\",\"negate\":false,\"params\":{\"query\":\"PerfSproc\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"hid_bravura_monitor.perf.kind\":\"PerfSproc\"}}}],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"hid_bravura_monitor.perf.function : *Search*\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "Search Stored Procedures", - "version": 1 - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-046c7b20-2b6d-11eb-abcf-effcd51852fa", - "migrationVersion": { - "search": "7.9.3" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/hid_bravura_monitor/1.2.2/kibana/search/hid_bravura_monitor-089d63f0-d37c-11eb-9e70-edcbba448215.json b/packages/hid_bravura_monitor/1.2.2/kibana/search/hid_bravura_monitor-089d63f0-d37c-11eb-9e70-edcbba448215.json deleted file mode 100755 index a97c94b1ee..0000000000 --- a/packages/hid_bravura_monitor/1.2.2/kibana/search/hid_bravura_monitor-089d63f0-d37c-11eb-9e70-edcbba448215.json +++ /dev/null 
@@ -1,36 +0,0 @@
-{
- "attributes": {
- "columns": [
- "_source"
- ],
- "description": "",
- "hits": 0,
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"winlog.provider_name\",\"negate\":false,\"params\":{\"query\":\"Hitachi-Hitachi ID Systems-Hitachi ID Suite\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"winlog.provider_name\":\"Hitachi-Hitachi ID Systems-Hitachi ID Suite\"}}}],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}"
- },
- "sort": [],
- "title": "Hitachi ID Windows Event Logs",
- "version": 1
- },
- "coreMigrationVersion": "7.15.0",
- "id": "hid_bravura_monitor-089d63f0-d37c-11eb-9e70-edcbba448215",
- "migrationVersion": {
- "search": "7.9.3"
- },
- "namespaces": [
- "default"
- ],
- "references": [
- {
- "id": "logs-*",
- "name": "kibanaSavedObjectMeta.searchSourceJSON.index",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
- "type": "index-pattern"
- }
- ],
- "type": "search"
-}
\ No newline at end of file
diff --git a/packages/hid_bravura_monitor/1.2.2/kibana/search/hid_bravura_monitor-1616ab00-22c8-11eb-abcf-effcd51852fa.json b/packages/hid_bravura_monitor/1.2.2/kibana/search/hid_bravura_monitor-1616ab00-22c8-11eb-abcf-effcd51852fa.json
deleted file mode 100755
index cab36ac889..0000000000
--- a/packages/hid_bravura_monitor/1.2.2/kibana/search/hid_bravura_monitor-1616ab00-22c8-11eb-abcf-effcd51852fa.json
+++ /dev/null
@@ -1,36 +0,0 @@
-{
- "attributes": {
- "columns": [
- "_source"
- ],
- "description": "",
- "hits": 0,
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"log.level\",\"negate\":false,\"params\":[\"error\",\"warning\",\"critical\"],\"type\":\"phrases\",\"value\":\"error, warning, critical\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"log.level\":\"error\"}},{\"match_phrase\":{\"log.level\":\"warning\"}},{\"match_phrase\":{\"log.level\":\"critical\"}}]}}}],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}"
- },
- "sort": [],
- "title": "Windows Event Log Problems",
- "version": 1
- },
- "coreMigrationVersion": "7.15.0",
- "id": "hid_bravura_monitor-1616ab00-22c8-11eb-abcf-effcd51852fa",
- "migrationVersion": {
- "search": "7.9.3"
- },
- "namespaces": [
- "default"
- ],
- "references": [
- {
- "id": "logs-*",
- "name": "kibanaSavedObjectMeta.searchSourceJSON.index",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
- "type": "index-pattern"
- }
- ],
- "type": "search"
-}
\ No newline at end of file
diff --git a/packages/hid_bravura_monitor/1.2.2/kibana/search/hid_bravura_monitor-1a724dd0-2395-11eb-abcf-effcd51852fa.json b/packages/hid_bravura_monitor/1.2.2/kibana/search/hid_bravura_monitor-1a724dd0-2395-11eb-abcf-effcd51852fa.json
deleted file mode 100755
index d315f3429e..0000000000
--- a/packages/hid_bravura_monitor/1.2.2/kibana/search/hid_bravura_monitor-1a724dd0-2395-11eb-abcf-effcd51852fa.json
+++ /dev/null
@@ -1,39 +0,0 @@ -{ - "attributes": { - "columns": [], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"fieldsFromSource\":[\"@timestamp\",\"_id\",\"_index\",\"_score\",\"_source\",\"_type\",\"agent.build.original\",\"agent.ephemeral_id\",\"agent.hostname\",\"agent.id\",\"agent.name\",\"agent.type\",\"agent.version\",\"as.number\",\"as.organization.name\",\"as.organization.name.text\",\"client.address\",\"client.as.number\",\"client.as.organization.name\",\"client.as.organization.name.text\",\"client.bytes\",\"client.domain\",\"client.geo.city_name\",\"client.geo.continent_name\",\"client.geo.country_iso_code\",\"client.geo.country_name\",\"client.geo.location\",\"client.geo.name\",\"client.geo.region_iso_code\",\"client.geo.region_name\",\"client.ip\",\"client.mac\",\"client.nat.ip\",\"client.nat.port\",\"client.packets\",\"client.port\",\"client.registered_domain\",\"client.subdomain\",\"client.top_level_domain\",\"client.user.domain\",\"client.user.email\",\"client.user.full_name\",\"client.user.full_name.text\",\"client.user.group.domain\",\"client.user.group.id\",\"client.user.group.name\",\"client.user.hash\",\"client.user.id\",\"client.user.name\",\"client.user.name.text\",\"client.user.roles\",\"cloud.account.id\",\"cloud.account.name\",\"cloud.availability_zone\",\"cloud.image.id\",\"cloud.instance.id\",\"cloud.instance.name\",\"cloud.machine.type\",\"cloud.project.id\",\"cloud.project.name\",\"cloud.provider\",\"cloud.region\",\"code_signature.exists\",\"code_signature.status\",\"code_signature.subject_name\",\"code_signature.trusted\",\"code_signature.valid\",\"container.id\",\"container.image.name\",\"container.image.tag\",\"container.name\",\"container.runtime\",\"destination.address\",\"destination.as.number\",\"destination.as.organization.name\",\"destination.as.organization.name.text\",\"destination.bytes\",\"destination.domain\",\"destination.geo.city_name\",\"destination.geo.continent_name\",\"destination.geo
.country_iso_code\",\"destination.geo.country_name\",\"destination.geo.location\",\"destination.geo.name\",\"destination.geo.region_iso_code\",\"destination.geo.region_name\",\"destination.ip\",\"destination.mac\",\"destination.nat.ip\",\"destination.nat.port\",\"destination.packets\",\"destination.port\",\"destination.registered_domain\",\"destination.subdomain\",\"destination.top_level_domain\",\"destination.user.domain\",\"destination.user.email\",\"destination.user.full_name\",\"destination.user.full_name.text\",\"destination.user.group.domain\",\"destination.user.group.id\",\"destination.user.group.name\",\"destination.user.hash\",\"destination.user.id\",\"destination.user.name\",\"destination.user.name.text\",\"destination.user.roles\",\"dll.code_signature.exists\",\"dll.code_signature.status\",\"dll.code_signature.subject_name\",\"dll.code_signature.trusted\",\"dll.code_signature.valid\",\"dll.hash.md5\",\"dll.hash.sha1\",\"dll.hash.sha256\",\"dll.hash.sha512\",\"dll.name\",\"dll.path\",\"dll.pe.architecture\",\"dll.pe.company\",\"dll.pe.description\",\"dll.pe.file_version\",\"dll.pe.imphash\",\"dll.pe.original_file_name\",\"dll.pe.product\",\"dns.answers.class\",\"dns.answers.data\",\"dns.answers.name\",\"dns.answers.ttl\",\"dns.answers.type\",\"dns.header_flags\",\"dns.id\",\"dns.op_code\",\"dns.question.class\",\"dns.question.name\",\"dns.question.registered_domain\",\"dns.question.subdomain\",\"dns.question.top_level_domain\",\"dns.question.type\",\"dns.resolved_ip\",\"dns.response_code\",\"dns.type\",\"ecs.version\",\"error.code\",\"error.id\",\"error.message\",\"error.stack_trace\",\"error.stack_trace.text\",\"error.type\",\"event.action\",\"event.category\",\"event.code\",\"event.created\",\"data_stream.dataset\",\"event.duration\",\"event.end\",\"event.hash\",\"event.id\",\"event.ingested\",\"event.kind\",\"event.integration\",\"event.original\",\"event.outcome\",\"event.provider\",\"event.reason\",\"event.reference\",\"event.risk_score\",\"event.risk
_score_norm\",\"event.sequence\",\"event.severity\",\"event.start\",\"event.timezone\",\"event.type\",\"event.url\",\"file.accessed\",\"file.attributes\",\"file.code_signature.exists\",\"file.code_signature.status\",\"file.code_signature.subject_name\",\"file.code_signature.trusted\",\"file.code_signature.valid\",\"file.created\",\"file.ctime\",\"file.device\",\"file.directory\",\"file.drive_letter\",\"file.extension\",\"file.gid\",\"file.group\",\"file.hash.md5\",\"file.hash.sha1\",\"file.hash.sha256\",\"file.hash.sha512\",\"file.inode\",\"file.mime_type\",\"file.mode\",\"file.mtime\",\"file.name\",\"file.owner\",\"file.path\",\"file.path.text\",\"file.pe.architecture\",\"file.pe.company\",\"file.pe.description\",\"file.pe.file_version\",\"file.pe.imphash\",\"file.pe.original_file_name\",\"file.pe.product\",\"file.size\",\"file.target_path\",\"file.target_path.text\",\"file.type\",\"file.uid\",\"file.x509.alternative_names\",\"file.x509.issuer.common_name\",\"file.x509.issuer.country\",\"file.x509.issuer.distinguished_name\",\"file.x509.issuer.locality\",\"file.x509.issuer.organization\",\"file.x509.issuer.organizational_unit\",\"file.x509.issuer.state_or_province\",\"file.x509.not_after\",\"file.x509.not_before\",\"file.x509.public_key_algorithm\",\"file.x509.public_key_curve\",\"file.x509.public_key_exponent\",\"file.x509.public_key_size\",\"file.x509.serial_number\",\"file.x509.signature_algorithm\",\"file.x509.subject.common_name\",\"file.x509.subject.country\",\"file.x509.subject.distinguished_name\",\"file.x509.subject.locality\",\"file.x509.subject.organization\",\"file.x509.subject.organizational_unit\",\"file.x509.subject.state_or_province\",\"file.x509.version_number\",\"geo.city_name\",\"geo.continent_name\",\"geo.country_iso_code\",\"geo.country_name\",\"geo.location\",\"geo.name\",\"geo.region_iso_code\",\"geo.region_name\",\"group.domain\",\"group.id\",\"group.name\",\"hash.md5\",\"hash.sha1\",\"hash.sha256\",\"hash.sha512\",\"host.architecture\",\"ho
st.containerized\",\"host.domain\",\"host.geo.city_name\",\"host.geo.continent_name\",\"host.geo.country_iso_code\",\"host.geo.country_name\",\"host.geo.location\",\"host.geo.name\",\"host.geo.region_iso_code\",\"host.geo.region_name\",\"host.hostname\",\"host.id\",\"host.ip\",\"host.mac\",\"host.name\",\"host.os.build\",\"host.os.codename\",\"host.os.family\",\"host.os.full\",\"host.os.full.text\",\"host.os.kernel\",\"host.os.name\",\"host.os.name.text\",\"host.os.platform\",\"host.os.version\",\"host.type\",\"host.uptime\",\"host.user.domain\",\"host.user.email\",\"host.user.full_name\",\"host.user.full_name.text\",\"host.user.group.domain\",\"host.user.group.id\",\"host.user.group.name\",\"host.user.hash\",\"host.user.id\",\"host.user.name\",\"host.user.name.text\",\"host.user.roles\",\"http.request.body.bytes\",\"http.request.body.content\",\"http.request.body.content.text\",\"http.request.bytes\",\"http.request.method\",\"http.request.mime_type\",\"http.request.referrer\",\"http.response.body.bytes\",\"http.response.body.content\",\"http.response.body.content.text\",\"http.response.bytes\",\"http.response.mime_type\",\"http.response.status_code\",\"http.version\",\"interface.alias\",\"interface.id\",\"interface.name\",\"jolokia.agent.id\",\"jolokia.agent.version\",\"jolokia.secured\",\"jolokia.server.product\",\"jolokia.server.vendor\",\"jolokia.server.version\",\"jolokia.url\",\"kubernetes.container.image\",\"kubernetes.container.name\",\"kubernetes.deployment.name\",\"kubernetes.namespace\",\"kubernetes.node.hostname\",\"kubernetes.node.name\",\"kubernetes.pod.name\",\"kubernetes.pod.uid\",\"kubernetes.replicaset.name\",\"kubernetes.statefulset.name\",\"log.file.path\",\"log.level\",\"log.logger\",\"log.origin.file.line\",\"log.origin.file.name\",\"log.origin.function\",\"log.original\",\"log.syslog.facility.code\",\"log.syslog.facility.name\",\"log.syslog.priority\",\"log.syslog.severity.code\",\"log.syslog.severity.name\",\"message\",\"network.application\"
,\"network.bytes\",\"network.community_id\",\"network.direction\",\"network.forwarded_ip\",\"network.iana_number\",\"network.inner.vlan.id\",\"network.inner.vlan.name\",\"network.name\",\"network.packets\",\"network.protocol\",\"network.transport\",\"network.type\",\"network.vlan.id\",\"network.vlan.name\",\"observer.egress.interface.alias\",\"observer.egress.interface.id\",\"observer.egress.interface.name\",\"observer.egress.vlan.id\",\"observer.egress.vlan.name\",\"observer.egress.zone\",\"observer.geo.city_name\",\"observer.geo.continent_name\",\"observer.geo.country_iso_code\",\"observer.geo.country_name\",\"observer.geo.location\",\"observer.geo.name\",\"observer.geo.region_iso_code\",\"observer.geo.region_name\",\"observer.hostname\",\"observer.ingress.interface.alias\",\"observer.ingress.interface.id\",\"observer.ingress.interface.name\",\"observer.ingress.vlan.id\",\"observer.ingress.vlan.name\",\"observer.ingress.zone\",\"observer.ip\",\"observer.mac\",\"observer.name\",\"observer.os.family\",\"observer.os.full\",\"observer.os.full.text\",\"observer.os.kernel\",\"observer.os.name\",\"observer.os.name.text\",\"observer.os.platform\",\"observer.os.version\",\"observer.product\",\"observer.serial_number\",\"observer.type\",\"observer.vendor\",\"observer.version\",\"organization.id\",\"organization.name\",\"organization.name.text\",\"os.family\",\"os.full\",\"os.full.text\",\"os.kernel\",\"os.name\",\"os.name.text\",\"os.platform\",\"os.version\",\"package.architecture\",\"package.build_version\",\"package.checksum\",\"package.description\",\"package.install_scope\",\"package.installed\",\"package.license\",\"package.name\",\"package.path\",\"package.reference\",\"package.size\",\"package.type\",\"package.version\",\"pe.architecture\",\"pe.company\",\"pe.description\",\"pe.file_version\",\"pe.imphash\",\"pe.original_file_name\",\"pe.product\",\"process.args\",\"process.args_count\",\"process.code_signature.exists\",\"process.code_signature.status\",\"process.co
de_signature.subject_name\",\"process.code_signature.trusted\",\"process.code_signature.valid\",\"process.command_line\",\"process.command_line.text\",\"process.entity_id\",\"process.executable\",\"process.executable.text\",\"process.exit_code\",\"process.hash.md5\",\"process.hash.sha1\",\"process.hash.sha256\",\"process.hash.sha512\",\"process.name\",\"process.name.text\",\"process.parent.args\",\"process.parent.args_count\",\"process.parent.code_signature.exists\",\"process.parent.code_signature.status\",\"process.parent.code_signature.subject_name\",\"process.parent.code_signature.trusted\",\"process.parent.code_signature.valid\",\"process.parent.command_line\",\"process.parent.command_line.text\",\"process.parent.entity_id\",\"process.parent.executable\",\"process.parent.executable.text\",\"process.parent.exit_code\",\"process.parent.hash.md5\",\"process.parent.hash.sha1\",\"process.parent.hash.sha256\",\"process.parent.hash.sha512\",\"process.parent.name\",\"process.parent.name.text\",\"process.parent.pe.architecture\",\"process.parent.pe.company\",\"process.parent.pe.description\",\"process.parent.pe.file_version\",\"process.parent.pe.imphash\",\"process.parent.pe.original_file_name\",\"process.parent.pe.product\",\"process.parent.pgid\",\"process.parent.pid\",\"process.parent.ppid\",\"process.parent.start\",\"process.parent.thread.id\",\"process.parent.thread.name\",\"process.parent.title\",\"process.parent.title.text\",\"process.parent.uptime\",\"process.parent.working_directory\",\"process.parent.working_directory.text\",\"process.pe.architecture\",\"process.pe.company\",\"process.pe.description\",\"process.pe.file_version\",\"process.pe.imphash\",\"process.pe.original_file_name\",\"process.pe.product\",\"process.pgid\",\"process.pid\",\"process.ppid\",\"process.start\",\"process.thread.id\",\"process.thread.name\",\"process.title\",\"process.title.text\",\"process.uptime\",\"process.working_directory\",\"process.working_directory.text\",\"registry.data.byt
es\",\"registry.data.strings\",\"registry.data.type\",\"registry.hive\",\"registry.key\",\"registry.path\",\"registry.value\",\"related.hash\",\"related.hosts\",\"related.ip\",\"related.user\",\"rule.author\",\"rule.category\",\"rule.description\",\"rule.id\",\"rule.license\",\"rule.name\",\"rule.reference\",\"rule.ruleset\",\"rule.uuid\",\"rule.version\",\"server.address\",\"server.as.number\",\"server.as.organization.name\",\"server.as.organization.name.text\",\"server.bytes\",\"server.domain\",\"server.geo.city_name\",\"server.geo.continent_name\",\"server.geo.country_iso_code\",\"server.geo.country_name\",\"server.geo.location\",\"server.geo.name\",\"server.geo.region_iso_code\",\"server.geo.region_name\",\"server.ip\",\"server.mac\",\"server.nat.ip\",\"server.nat.port\",\"server.packets\",\"server.port\",\"server.registered_domain\",\"server.subdomain\",\"server.top_level_domain\",\"server.user.domain\",\"server.user.email\",\"server.user.full_name\",\"server.user.full_name.text\",\"server.user.group.domain\",\"server.user.group.id\",\"server.user.group.name\",\"server.user.hash\",\"server.user.id\",\"server.user.name\",\"server.user.name.text\",\"server.user.roles\",\"service.ephemeral_id\",\"service.id\",\"service.name\",\"service.node.name\",\"service.state\",\"service.type\",\"service.version\",\"source.address\",\"source.as.number\",\"source.as.organization.name\",\"source.as.organization.name.text\",\"source.bytes\",\"source.domain\",\"source.geo.city_name\",\"source.geo.continent_name\",\"source.geo.country_iso_code\",\"source.geo.country_name\",\"source.geo.location\",\"source.geo.name\",\"source.geo.region_iso_code\",\"source.geo.region_name\",\"source.ip\",\"source.mac\",\"source.nat.ip\",\"source.nat.port\",\"source.packets\",\"source.port\",\"source.registered_domain\",\"source.subdomain\",\"source.top_level_domain\",\"source.user.domain\",\"source.user.email\",\"source.user.full_name\",\"source.user.full_name.text\",\"source.user.group.domain\",\"s
ource.user.group.id\",\"source.user.group.name\",\"source.user.hash\",\"source.user.id\",\"source.user.name\",\"source.user.name.text\",\"source.user.roles\",\"span.id\",\"tags\",\"threat.framework\",\"threat.tactic.id\",\"threat.tactic.name\",\"threat.tactic.reference\",\"threat.technique.id\",\"threat.technique.name\",\"threat.technique.name.text\",\"threat.technique.reference\",\"threat.technique.subtechnique.id\",\"threat.technique.subtechnique.name\",\"threat.technique.subtechnique.name.text\",\"threat.technique.subtechnique.reference\",\"timeseries.instance\",\"tls.cipher\",\"tls.client.certificate\",\"tls.client.certificate_chain\",\"tls.client.hash.md5\",\"tls.client.hash.sha1\",\"tls.client.hash.sha256\",\"tls.client.issuer\",\"tls.client.ja3\",\"tls.client.not_after\",\"tls.client.not_before\",\"tls.client.server_name\",\"tls.client.subject\",\"tls.client.supported_ciphers\",\"tls.client.x509.alternative_names\",\"tls.client.x509.issuer.common_name\",\"tls.client.x509.issuer.country\",\"tls.client.x509.issuer.distinguished_name\",\"tls.client.x509.issuer.locality\",\"tls.client.x509.issuer.organization\",\"tls.client.x509.issuer.organizational_unit\",\"tls.client.x509.issuer.state_or_province\",\"tls.client.x509.not_after\",\"tls.client.x509.not_before\",\"tls.client.x509.public_key_algorithm\",\"tls.client.x509.public_key_curve\",\"tls.client.x509.public_key_exponent\",\"tls.client.x509.public_key_size\",\"tls.client.x509.serial_number\",\"tls.client.x509.signature_algorithm\",\"tls.client.x509.subject.common_name\",\"tls.client.x509.subject.country\",\"tls.client.x509.subject.distinguished_name\",\"tls.client.x509.subject.locality\",\"tls.client.x509.subject.organization\",\"tls.client.x509.subject.organizational_unit\",\"tls.client.x509.subject.state_or_province\",\"tls.client.x509.version_number\",\"tls.curve\",\"tls.established\",\"tls.next_protocol\",\"tls.resumed\",\"tls.server.certificate\",\"tls.server.certificate_chain\",\"tls.server.hash.md5\",\
"tls.server.hash.sha1\",\"tls.server.hash.sha256\",\"tls.server.issuer\",\"tls.server.ja3s\",\"tls.server.not_after\",\"tls.server.not_before\",\"tls.server.subject\",\"tls.server.x509.alternative_names\",\"tls.server.x509.issuer.common_name\",\"tls.server.x509.issuer.country\",\"tls.server.x509.issuer.distinguished_name\",\"tls.server.x509.issuer.locality\",\"tls.server.x509.issuer.organization\",\"tls.server.x509.issuer.organizational_unit\",\"tls.server.x509.issuer.state_or_province\",\"tls.server.x509.not_after\",\"tls.server.x509.not_before\",\"tls.server.x509.public_key_algorithm\",\"tls.server.x509.public_key_curve\",\"tls.server.x509.public_key_exponent\",\"tls.server.x509.public_key_size\",\"tls.server.x509.serial_number\",\"tls.server.x509.signature_algorithm\",\"tls.server.x509.subject.common_name\",\"tls.server.x509.subject.country\",\"tls.server.x509.subject.distinguished_name\",\"tls.server.x509.subject.locality\",\"tls.server.x509.subject.organization\",\"tls.server.x509.subject.organizational_unit\",\"tls.server.x509.subject.state_or_province\",\"tls.server.x509.version_number\",\"tls.version\",\"tls.version_protocol\",\"trace.id\",\"transaction.id\",\"url.domain\",\"url.extension\",\"url.fragment\",\"url.full\",\"url.full.text\",\"url.original\",\"url.original.text\",\"url.password\",\"url.path\",\"url.port\",\"url.query\",\"url.registered_domain\",\"url.scheme\",\"url.subdomain\",\"url.top_level_domain\",\"url.username\",\"user.domain\",\"user.email\",\"user.full_name\",\"user.full_name.text\",\"user.group.domain\",\"user.group.id\",\"user.group.name\",\"user.hash\",\"user.id\",\"user.name\",\"user.name.text\",\"user.roles\",\"user_agent.device.name\",\"user_agent.name\",\"user_agent.original\",\"user_agent.original.text\",\"user_agent.os.family\",\"user_agent.os.full\",\"user_agent.os.full.text\",\"user_agent.os.kernel\",\"user_agent.os.name\",\"user_agent.os.name.text\",\"user_agent.os.platform\",\"user_agent.os.version\",\"user_agent.version\",\
"vlan.id\",\"vlan.name\",\"vulnerability.category\",\"vulnerability.classification\",\"vulnerability.description\",\"vulnerability.description.text\",\"vulnerability.enumeration\",\"vulnerability.id\",\"vulnerability.reference\",\"vulnerability.report_id\",\"vulnerability.scanner.vendor\",\"vulnerability.score.base\",\"vulnerability.score.environmental\",\"vulnerability.score.temporal\",\"vulnerability.score.version\",\"vulnerability.severity\",\"winlog.activity_id\",\"winlog.api\",\"winlog.channel\",\"winlog.computer_name\",\"winlog.event_data.Address\",\"winlog.event_data.AdvancedOptions\",\"winlog.event_data.AlgorithmName\",\"winlog.event_data.AppId\",\"winlog.event_data.AuthenticationPackageName\",\"winlog.event_data.Binary\",\"winlog.event_data.BitlockerUserInputTime\",\"winlog.event_data.BootAppStatus\",\"winlog.event_data.BootMenuPolicy\",\"winlog.event_data.BootMode\",\"winlog.event_data.BootType\",\"winlog.event_data.BugcheckCode\",\"winlog.event_data.BugcheckParameter1\",\"winlog.event_data.BugcheckParameter2\",\"winlog.event_data.BugcheckParameter3\",\"winlog.event_data.BugcheckParameter4\",\"winlog.event_data.BuildVersion\",\"winlog.event_data.CallerProcessId\",\"winlog.event_data.CallerProcessName\",\"winlog.event_data.Checkpoint\",\"winlog.event_data.Company\",\"winlog.event_data.Config\",\"winlog.event_data.ConfigAccessPolicy\",\"winlog.event_data.ConfigurationReader\",\"winlog.event_data.ConnectedStandbyInProgress\",\"winlog.event_data.CorruptionActionState\",\"winlog.event_data.CreationUtcTime\",\"winlog.event_data.CsEntryScenarioInstanceId\",\"winlog.event_data.Default SD 
String:\",\"winlog.event_data.Description\",\"winlog.event_data.Detail\",\"winlog.event_data.DeviceName\",\"winlog.event_data.DeviceNameLength\",\"winlog.event_data.DeviceTime\",\"winlog.event_data.DeviceVersionMajor\",\"winlog.event_data.DeviceVersionMinor\",\"winlog.event_data.DirtyPages\",\"winlog.event_data.DisableIntegrityChecks\",\"winlog.event_data.DriveName\",\"winlog.event_data.DriverName\",\"winlog.event_data.DriverNameLength\",\"winlog.event_data.DwordVal\",\"winlog.event_data.ElevatedToken\",\"winlog.event_data.EnableDisableReason\",\"winlog.event_data.EntryCount\",\"winlog.event_data.ErrorCode\",\"winlog.event_data.ExtraInfo\",\"winlog.event_data.ExtraInfoLength\",\"winlog.event_data.ExtraInfoString\",\"winlog.event_data.FailureName\",\"winlog.event_data.FailureNameLength\",\"winlog.event_data.FileVersion\",\"winlog.event_data.FilterID\",\"winlog.event_data.FinalStatus\",\"winlog.event_data.FlightSigning\",\"winlog.event_data.Group\",\"winlog.event_data.HiveName\",\"winlog.event_data.HiveNameLength\",\"winlog.event_data.HypervisorDebug\",\"winlog.event_data.HypervisorLaunchType\",\"winlog.event_data.HypervisorLoadOptions\",\"winlog.event_data.IdleImplementation\",\"winlog.event_data.IdleStateCount\",\"winlog.event_data.ImpersonationLevel\",\"winlog.event_data.IntegrityLevel\",\"winlog.event_data.Interface\",\"winlog.event_data.IpAddress\",\"winlog.event_data.IpPort\",\"winlog.event_data.IsTestConfig\",\"winlog.event_data.KernelDebug\",\"winlog.event_data.KeyFilePath\",\"winlog.event_data.KeyLength\",\"winlog.event_data.KeyName\",\"winlog.event_data.KeyType\",\"winlog.event_data.KeysUpdated\",\"winlog.event_data.LastBootGood\",\"winlog.event_data.LastShutdownGood\",\"winlog.event_data.ListenerAdapterProtocol\",\"winlog.event_data.LmPackageName\",\"winlog.event_data.LoadOptions\",\"winlog.event_data.LogonGuid\",\"winlog.event_data.LogonId\",\"winlog.event_data.LogonProcessName\",\"winlog.event_data.LogonType\",\"winlog.event_data.MajorVersion\",\"winlog.e
vent_data.MandatoryLabel\",\"winlog.event_data.MaximumPerformancePercent\",\"winlog.event_data.MemberName\",\"winlog.event_data.MemberSid\",\"winlog.event_data.MinimumPerformancePercent\",\"winlog.event_data.MinimumThrottlePercent\",\"winlog.event_data.MinorVersion\",\"winlog.event_data.NewProcessId\",\"winlog.event_data.NewProcessName\",\"winlog.event_data.NewSchemeGuid\",\"winlog.event_data.NewSize\",\"winlog.event_data.NewTime\",\"winlog.event_data.NominalFrequency\",\"winlog.event_data.Number\",\"winlog.event_data.OldSchemeGuid\",\"winlog.event_data.OldTime\",\"winlog.event_data.Operation\",\"winlog.event_data.OriginalFileName\",\"winlog.event_data.OriginalSize\",\"winlog.event_data.PackageName\",\"winlog.event_data.Path\",\"winlog.event_data.PerformanceImplementation\",\"winlog.event_data.PowerButtonTimestamp\",\"winlog.event_data.PreviousCreationUtcTime\",\"winlog.event_data.PreviousTime\",\"winlog.event_data.PrivilegeList\",\"winlog.event_data.ProcessId\",\"winlog.event_data.ProcessName\",\"winlog.event_data.ProcessPath\",\"winlog.event_data.ProcessPid\",\"winlog.event_data.Product\",\"winlog.event_data.ProtocolType\",\"winlog.event_data.ProviderName\",\"winlog.event_data.PuaCount\",\"winlog.event_data.PuaPolicyId\",\"winlog.event_data.QfeVersion\",\"winlog.event_data.Reason\",\"winlog.event_data.RemoteEventLogging\",\"winlog.event_data.RestrictedAdminMode\",\"winlog.event_data.ReturnCode\",\"winlog.event_data.RunningMode\",\"winlog.event_data.SchemaVersion\",\"winlog.event_data.ScriptBlockText\",\"winlog.event_data.ServiceName\",\"winlog.event_data.ServiceVersion\",\"winlog.event_data.ShutdownActionType\",\"winlog.event_data.ShutdownEventCode\",\"winlog.event_data.ShutdownReason\",\"winlog.event_data.Signature\",\"winlog.event_data.SignatureStatus\",\"winlog.event_data.Signed\",\"winlog.event_data.SleepInProgress\",\"winlog.event_data.StartTime\",\"winlog.event_data.State\",\"winlog.event_data.Status\",\"winlog.event_data.StopTime\",\"winlog.event_data.Subje
ctDomainName\",\"winlog.event_data.SubjectLogonId\",\"winlog.event_data.SubjectUserName\",\"winlog.event_data.SubjectUserSid\",\"winlog.event_data.SystemSleepTransitionsToOn\",\"winlog.event_data.TSId\",\"winlog.event_data.TargetDomainName\",\"winlog.event_data.TargetInfo\",\"winlog.event_data.TargetLinkedLogonId\",\"winlog.event_data.TargetLogonGuid\",\"winlog.event_data.TargetLogonId\",\"winlog.event_data.TargetOutboundDomainName\",\"winlog.event_data.TargetOutboundUserName\",\"winlog.event_data.TargetServerName\",\"winlog.event_data.TargetSid\",\"winlog.event_data.TargetUserName\",\"winlog.event_data.TargetUserSid\",\"winlog.event_data.TerminalSessionId\",\"winlog.event_data.TestSigning\",\"winlog.event_data.TimeSource\",\"winlog.event_data.TokenElevationType\",\"winlog.event_data.TransmittedServices\",\"winlog.event_data.UserSid\",\"winlog.event_data.Version\",\"winlog.event_data.VirtualAccount\",\"winlog.event_data.VsmLaunchType\",\"winlog.event_data.VsmPolicy\",\"winlog.event_data.Workstation\",\"winlog.event_data.param1\",\"winlog.event_data.param10\",\"winlog.event_data.param11\",\"winlog.event_data.param12\",\"winlog.event_data.param2\",\"winlog.event_data.param3\",\"winlog.event_data.param4\",\"winlog.event_data.param5\",\"winlog.event_data.param6\",\"winlog.event_data.param7\",\"winlog.event_data.param8\",\"winlog.event_data.param9\",\"winlog.event_data.serviceGuid\",\"winlog.event_data.updateGuid\",\"winlog.event_data.updateRevisionNumber\",\"winlog.event_data.updateTitle\",\"winlog.event_id\",\"winlog.keywords\",\"winlog.logon.failure.status\",\"winlog.logon.id\",\"winlog.logon.type\",\"winlog.opcode\",\"winlog.process.pid\",\"winlog.process.thread.id\",\"winlog.provider_guid\",\"winlog.provider_name\",\"winlog.record_id\",\"winlog.related_activity_id\",\"winlog.task\",\"winlog.user.domain\",\"winlog.user.identifier\",\"winlog.user.name\",\"winlog.user.type\",\"winlog.user_data.Reason\",\"winlog.user_data.binaryData\",\"winlog.user_data.binaryDataSize\"
,\"winlog.user_data.param1\",\"winlog.user_data.param2\",\"winlog.user_data.xml_name\",\"winlog.version\",\"x509.alternative_names\",\"x509.issuer.common_name\",\"x509.issuer.country\",\"x509.issuer.distinguished_name\",\"x509.issuer.locality\",\"x509.issuer.organization\",\"x509.issuer.organizational_unit\",\"x509.issuer.state_or_province\",\"x509.not_after\",\"x509.not_before\",\"x509.public_key_algorithm\",\"x509.public_key_curve\",\"x509.public_key_exponent\",\"x509.public_key_size\",\"x509.serial_number\",\"x509.signature_algorithm\",\"x509.subject.common_name\",\"x509.subject.country\",\"x509.subject.distinguished_name\",\"x509.subject.locality\",\"x509.subject.organization\",\"x509.subject.organizational_unit\",\"x509.subject.state_or_province\",\"x509.version_number\"],\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.action\",\"negate\":false,\"params\":[\"logged-in\",\"logged-in-special\"],\"type\":\"phrases\",\"value\":\"logged-in, logged-in-special\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.action\":\"logged-in\"}},{\"match_phrase\":{\"event.action\":\"logged-in-special\"}}]}}}],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}"
- },
- "sort": [
- [
- "@timestamp",
- "desc"
- ]
- ],
- "title": "Windows Event Log Logins",
- "version": 1
- },
- "coreMigrationVersion": "7.15.0",
- "id": "hid_bravura_monitor-1a724dd0-2395-11eb-abcf-effcd51852fa",
- "migrationVersion": {
- "search": "7.9.3"
- },
- "namespaces": [
- "default"
- ],
- "references": [
- {
- "id": "logs-*",
- "name": "kibanaSavedObjectMeta.searchSourceJSON.index",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
- "type": 
"index-pattern"
- }
- ],
- "type": "search"
-}
\ No newline at end of file
diff --git a/packages/hid_bravura_monitor/1.2.2/kibana/search/hid_bravura_monitor-2e254220-df55-11eb-9b6e-d57491399e2a.json b/packages/hid_bravura_monitor/1.2.2/kibana/search/hid_bravura_monitor-2e254220-df55-11eb-9b6e-d57491399e2a.json
deleted file mode 100755
index 434c4272a2..0000000000
--- a/packages/hid_bravura_monitor/1.2.2/kibana/search/hid_bravura_monitor-2e254220-df55-11eb-9b6e-d57491399e2a.json
+++ /dev/null
@@ -1,39 +0,0 @@
-{
- "attributes": {
- "columns": [],
- "description": "",
- "hits": 0,
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"hid_bravura_monitor.perf.kind\",\"negate\":false,\"params\":{\"query\":\"PerfReplication\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"hid_bravura_monitor.perf.kind\":\"PerfReplication\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}"
- },
- "sort": [
- [
- "@timestamp",
- "desc"
- ]
- ],
- "title": "Database: Replication: Search",
- "version": 1
- },
- "coreMigrationVersion": "7.15.0",
- "id": "hid_bravura_monitor-2e254220-df55-11eb-9b6e-d57491399e2a",
- "migrationVersion": {
- "search": "7.9.3"
- },
- "namespaces": [
- "default"
- ],
- "references": [
- {
- "id": "logs-*",
- "name": "kibanaSavedObjectMeta.searchSourceJSON.index",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
- "type": "index-pattern"
- }
- ],
- "type": "search"
-}
\ No newline at end of file
diff --git a/packages/hid_bravura_monitor/1.2.2/kibana/search/hid_bravura_monitor-2ec4a850-1463-11eb-bb7b-bb041e8cf289.json b/packages/hid_bravura_monitor/1.2.2/kibana/search/hid_bravura_monitor-2ec4a850-1463-11eb-bb7b-bb041e8cf289.json
deleted file mode 100755
index 50b65c5ba3..0000000000
--- a/packages/hid_bravura_monitor/1.2.2/kibana/search/hid_bravura_monitor-2ec4a850-1463-11eb-bb7b-bb041e8cf289.json
+++ /dev/null
@@ -1,44 +0,0 @@
-{
- "attributes": {
- "columns": [
- "message",
- "host.name",
- "log.level",
- "log.logger"
- ],
- "description": "",
- "hits": 0,
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"hid_bravura_monitor.log\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"hid_bravura_monitor.log\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"log.level\",\"negate\":false,\"params\":[\"Warning\",\"Error\"],\"type\":\"phrases\",\"value\":\"Warning, Error\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"log.level\":\"Warning\"}},{\"match_phrase\":{\"log.level\":\"Error\"}}]}}}],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}"
- },
- "sort": [],
- "title": "IDM Suite Errors and Warnings",
- "version": 1
- },
- "coreMigrationVersion": "7.15.0",
- "id": "hid_bravura_monitor-2ec4a850-1463-11eb-bb7b-bb041e8cf289",
- "migrationVersion": {
- "search": "7.9.3"
- },
- "namespaces": [
- "default"
- ],
- "references": [
- {
- "id": "logs-*",
- "name": "kibanaSavedObjectMeta.searchSourceJSON.index",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index",
- "type": "index-pattern"
- }
- ],
- "type": "search"
-}
\ No newline at end of file
diff --git a/packages/hid_bravura_monitor/1.2.2/kibana/search/hid_bravura_monitor-39072a50-2f42-11eb-b6a1-bdb7d768b585.json b/packages/hid_bravura_monitor/1.2.2/kibana/search/hid_bravura_monitor-39072a50-2f42-11eb-b6a1-bdb7d768b585.json
deleted file mode 100755
index d8a9246524..0000000000
--- a/packages/hid_bravura_monitor/1.2.2/kibana/search/hid_bravura_monitor-39072a50-2f42-11eb-b6a1-bdb7d768b585.json
+++ /dev/null
@@ -1,39 +0,0 @@
-{
- "attributes": {
- "columns": [],
- "description": "",
- "hits": 0,
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"fieldsFromSource\":[\"@timestamp\",\"_id\",\"_index\",\"_score\",\"_source\",\"_type\",\"agent.build.original\",\"agent.ephemeral_id\",\"agent.hostname\",\"agent.id\",\"agent.name\",\"agent.type\",\"agent.version\",\"apache.access.ssl.cipher\",\"apache.access.ssl.protocol\",\"apache.error.integration\",\"as.number\",\"as.organization.name\",\"as.organization.name.text\",\"auditd.log.a0\",\"auditd.log.addr\",\"auditd.log.item\",\"auditd.log.items\",\"auditd.log.laddr\",\"auditd.log.lport\",\"auditd.log.new_auid\",\"auditd.log.new_ses\",\"auditd.log.old_auid\",\"auditd.log.old_ses\",\"auditd.log.rport\",\"auditd.log.sequence\",\"auditd.log.tty\",\"azure.consumer_group\",\"azure.enqueued_time\",\"azure.eventhub\",\"azure.offset\",\"azure.partition_id\",\"azure.sequence_number\",\"client.address\",\"client.as.number\",\"client.as.organization.name\",\"client.as.organization.name.text\",\"client.bytes\",\"client.domain\",\"client.geo.city_name\",\"client.geo.continent_name\",\"client.geo.country_iso_code\",\"client.geo.country_name\",\"client.geo.location\",\"client.geo.name\",\"client.geo.region_iso_code\",\"client.geo.region_name\",\"client.ip\",\"client.mac\",\"client.nat.ip\",\"client.nat.port\",\"client.packets\",\"client.port\",\"client.registered_domain\",\"client.subdomain\",\"client.top_level_domain\",\"client.user.domain\",\"client.user.email\",\"client.user.full_name\",\"client.user.full_name.text\",\"client.user.group.domain\",\"client.user.group.id\",\"client.user.group.name\",\"client.user.hash\",\"client.user.id\",\"client.user.name\",\"client.user.name.text\",\"client.user.roles\",\"cloud.account.id\",\"cloud.account.name\",\"cloud.availability_zone\",\"cloud.image.id\",\"cloud.instance.id\",\"cloud.instance.name\",\"cloud.machine.type\",\"cloud.project.id\",\"cloud.project.name\",\"cloud.provider\",\"cloud.region
\",\"code_signature.exists\",\"code_signature.status\",\"code_signature.subject_name\",\"code_signature.trusted\",\"code_signature.valid\",\"container.id\",\"container.image.name\",\"container.image.tag\",\"container.name\",\"container.runtime\",\"destination.address\",\"destination.as.number\",\"destination.as.organization.name\",\"destination.as.organization.name.text\",\"destination.bytes\",\"destination.domain\",\"destination.geo.city_name\",\"destination.geo.continent_name\",\"destination.geo.country_iso_code\",\"destination.geo.country_name\",\"destination.geo.location\",\"destination.geo.name\",\"destination.geo.region_iso_code\",\"destination.geo.region_name\",\"destination.ip\",\"destination.mac\",\"destination.nat.ip\",\"destination.nat.port\",\"destination.packets\",\"destination.port\",\"destination.registered_domain\",\"destination.subdomain\",\"destination.top_level_domain\",\"destination.user.domain\",\"destination.user.email\",\"destination.user.full_name\",\"destination.user.full_name.text\",\"destination.user.group.domain\",\"destination.user.group.id\",\"destination.user.group.name\",\"destination.user.hash\",\"destination.user.id\",\"destination.user.name\",\"destination.user.name.text\",\"destination.user.roles\",\"dll.code_signature.exists\",\"dll.code_signature.status\",\"dll.code_signature.subject_name\",\"dll.code_signature.trusted\",\"dll.code_signature.valid\",\"dll.hash.md5\",\"dll.hash.sha1\",\"dll.hash.sha256\",\"dll.hash.sha512\",\"dll.name\",\"dll.path\",\"dll.pe.architecture\",\"dll.pe.company\",\"dll.pe.description\",\"dll.pe.file_version\",\"dll.pe.imphash\",\"dll.pe.original_file_name\",\"dll.pe.product\",\"dns.answers.class\",\"dns.answers.data\",\"dns.answers.name\",\"dns.answers.ttl\",\"dns.answers.type\",\"dns.header_flags\",\"dns.id\",\"dns.op_code\",\"dns.question.class\",\"dns.question.name\",\"dns.question.registered_domain\",\"dns.question.subdomain\",\"dns.question.top_level_domain\",\"dns.question.type\",\"dns.resolved_
ip\",\"dns.response_code\",\"dns.type\",\"ecs.version\",\"elasticsearch.audit.action\",\"elasticsearch.audit.event_type\",\"elasticsearch.audit.indices\",\"elasticsearch.audit.layer\",\"elasticsearch.audit.message\",\"elasticsearch.audit.origin.type\",\"elasticsearch.audit.realm\",\"elasticsearch.audit.request.id\",\"elasticsearch.audit.request.name\",\"elasticsearch.audit.url.params\",\"elasticsearch.audit.user.realm\",\"elasticsearch.audit.user.roles\",\"elasticsearch.cluster.name\",\"elasticsearch.cluster.uuid\",\"elasticsearch.component\",\"elasticsearch.gc.heap.size_kb\",\"elasticsearch.gc.heap.used_kb\",\"elasticsearch.gc.jvm_runtime_sec\",\"elasticsearch.gc.old_gen.size_kb\",\"elasticsearch.gc.old_gen.used_kb\",\"elasticsearch.gc.phase.class_unload_time_sec\",\"elasticsearch.gc.phase.cpu_time.real_sec\",\"elasticsearch.gc.phase.cpu_time.sys_sec\",\"elasticsearch.gc.phase.cpu_time.user_sec\",\"elasticsearch.gc.phase.duration_sec\",\"elasticsearch.gc.phase.name\",\"elasticsearch.gc.phase.parallel_rescan_time_sec\",\"elasticsearch.gc.phase.scrub_string_table_time_sec\",\"elasticsearch.gc.phase.scrub_symbol_table_time_sec\",\"elasticsearch.gc.phase.weak_refs_processing_time_sec\",\"elasticsearch.gc.stopping_threads_time_sec\",\"elasticsearch.gc.tags\",\"elasticsearch.gc.threads_total_stop_time_sec\",\"elasticsearch.gc.young_gen.size_kb\",\"elasticsearch.gc.young_gen.used_kb\",\"elasticsearch.index.id\",\"elasticsearch.index.name\",\"elasticsearch.node.id\",\"elasticsearch.node.name\",\"elasticsearch.server.gc.collection_duration.ms\",\"elasticsearch.server.gc.observation_duration.ms\",\"elasticsearch.server.gc.overhead_seq\",\"elasticsearch.server.gc.young.one\",\"elasticsearch.server.gc.young.two\",\"elasticsearch.server.stacktrace\",\"elasticsearch.shard.id\",\"elasticsearch.slowlog.extra_source\",\"elasticsearch.slowlog.id\",\"elasticsearch.slowlog.logger\",\"elasticsearch.slowlog.routing\",\"elasticsearch.slowlog.search_type\",\"elasticsearch.slowlog.source\"
,\"elasticsearch.slowlog.source_query\",\"elasticsearch.slowlog.stats\",\"elasticsearch.slowlog.took\",\"elasticsearch.slowlog.total_hits\",\"elasticsearch.slowlog.total_shards\",\"elasticsearch.slowlog.type\",\"elasticsearch.slowlog.types\",\"error.code\",\"error.id\",\"error.message\",\"error.stack_trace\",\"error.stack_trace.text\",\"error.type\",\"event.action\",\"event.category\",\"event.code\",\"event.created\",\"data_stream.dataset\",\"event.duration\",\"event.end\",\"event.hash\",\"event.id\",\"event.ingested\",\"event.kind\",\"event.integration\",\"event.original\",\"event.outcome\",\"event.provider\",\"event.reason\",\"event.reference\",\"event.risk_score\",\"event.risk_score_norm\",\"event.sequence\",\"event.severity\",\"event.start\",\"event.timezone\",\"event.type\",\"event.url\",\"file.accessed\",\"file.attributes\",\"file.code_signature.exists\",\"file.code_signature.status\",\"file.code_signature.subject_name\",\"file.code_signature.trusted\",\"file.code_signature.valid\",\"file.created\",\"file.ctime\",\"file.device\",\"file.directory\",\"file.drive_letter\",\"file.extension\",\"file.gid\",\"file.group\",\"file.hash.md5\",\"file.hash.sha1\",\"file.hash.sha256\",\"file.hash.sha512\",\"file.inode\",\"file.mime_type\",\"file.mode\",\"file.mtime\",\"file.name\",\"file.owner\",\"file.path\",\"file.path.text\",\"file.pe.architecture\",\"file.pe.company\",\"file.pe.description\",\"file.pe.file_version\",\"file.pe.imphash\",\"file.pe.original_file_name\",\"file.pe.product\",\"file.size\",\"file.target_path\",\"file.target_path.text\",\"file.type\",\"file.uid\",\"file.x509.alternative_names\",\"file.x509.issuer.common_name\",\"file.x509.issuer.country\",\"file.x509.issuer.distinguished_name\",\"file.x509.issuer.locality\",\"file.x509.issuer.organization\",\"file.x509.issuer.organizational_unit\",\"file.x509.issuer.state_or_province\",\"file.x509.not_after\",\"file.x509.not_before\",\"file.x509.public_key_algorithm\",\"file.x509.public_key_curve\",\"file.x509
.public_key_exponent\",\"file.x509.public_key_size\",\"file.x509.serial_number\",\"file.x509.signature_algorithm\",\"file.x509.subject.common_name\",\"file.x509.subject.country\",\"file.x509.subject.distinguished_name\",\"file.x509.subject.locality\",\"file.x509.subject.organization\",\"file.x509.subject.organizational_unit\",\"file.x509.subject.state_or_province\",\"file.x509.version_number\",\"fileset.name\",\"geo.city_name\",\"geo.continent_name\",\"geo.country_iso_code\",\"geo.country_name\",\"geo.location\",\"geo.name\",\"geo.region_iso_code\",\"geo.region_name\",\"group.domain\",\"group.id\",\"group.name\",\"haproxy.backend_name\",\"haproxy.backend_queue\",\"haproxy.bind_name\",\"haproxy.bytes_read\",\"haproxy.connection_wait_time_ms\",\"haproxy.connections.active\",\"haproxy.connections.backend\",\"haproxy.connections.frontend\",\"haproxy.connections.retries\",\"haproxy.connections.server\",\"haproxy.error_message\",\"haproxy.frontend_name\",\"haproxy.http.request.captured_cookie\",\"haproxy.http.request.captured_headers\",\"haproxy.http.request.raw_request_line\",\"haproxy.http.request.time_wait_ms\",\"haproxy.http.request.time_wait_without_data_ms\",\"haproxy.http.response.captured_cookie\",\"haproxy.http.response.captured_headers\",\"haproxy.mode\",\"haproxy.server_name\",\"haproxy.server_queue\",\"haproxy.source\",\"haproxy.tcp.connection_waiting_time_ms\",\"haproxy.termination_state\",\"haproxy.time_backend_connect\",\"haproxy.time_queue\",\"haproxy.total_waiting_time_ms\",\"hash.md5\",\"hash.sha1\",\"hash.sha256\",\"hash.sha512\",\"hid_bravura_monitor.instancename\",\"hid_bravura_monitor.node\",\"hid_bravura_monitor.perf.address\",\"hid_bravura_monitor.perf.address\",\"hid_bravura_monitor.perf.adminid\",\"hid_bravura_monitor.perf.adminid\",\"hid_bravura_monitor.perf.dbcommand\",\"hid_bravura_monitor.perf.dbcommand\",\"hid_bravura_monitor.perf.destination\",\"hid_bravura_monitor.perf.duration\",\"hid_bravura_monitor.perf.event\",\"hid_bravura_monitor.per
f.event\",\"hid_bravura_monitor.perf.exe\",\"hid_bravura_monitor.perf.exe\",\"hid_bravura_monitor.perf.file\",\"hid_bravura_monitor.perf.function\",\"hid_bravura_monitor.perf.function\",\"hid_bravura_monitor.perf.kernel\",\"hid_bravura_monitor.perf.kind\",\"hid_bravura_monitor.perf.kind\",\"hid_bravura_monitor.perf.message\",\"hid_bravura_monitor.perf.message\",\"hid_bravura_monitor.perf.operation\",\"hid_bravura_monitor.perf.operation\",\"hid_bravura_monitor.perf.receivequeue\",\"hid_bravura_monitor.perf.receivequeue\",\"hid_bravura_monitor.perf.records\",\"hid_bravura_monitor.perf.result\",\"hid_bravura_monitor.perf.result\",\"hid_bravura_monitor.perf.rule\",\"hid_bravura_monitor.perf.sessionid\",\"hid_bravura_monitor.perf.sessionid\",\"hid_bravura_monitor.perf.sysid\",\"hid_bravura_monitor.perf.sysid\",\"hid_bravura_monitor.perf.table\",\"hid_bravura_monitor.perf.table\",\"hid_bravura_monitor.perf.targetid\",\"hid_bravura_monitor.perf.targetid\",\"hid_bravura_monitor.perf.transid\",\"hid_bravura_monitor.perf.transid\",\"hid_bravura_monitor.perf.type\",\"hid_bravura_monitor.perf.user\",\"hid_bravura_monitor.request.id\",\"hid_bravura_monitor.request.id\",\"host.architecture\",\"host.containerized\",\"host.domain\",\"host.geo.city_name\",\"host.geo.continent_name\",\"host.geo.country_iso_code\",\"host.geo.country_name\",\"host.geo.location\",\"host.geo.name\",\"host.geo.region_iso_code\",\"host.geo.region_name\",\"host.hostname\",\"host.id\",\"host.ip\",\"host.mac\",\"host.name\",\"host.os.build\",\"host.os.codename\",\"host.os.family\",\"host.os.full\",\"host.os.full.text\",\"host.os.kernel\",\"host.os.name\",\"host.os.name.text\",\"host.os.platform\",\"host.os.version\",\"host.type\",\"host.uptime\",\"host.user.domain\",\"host.user.email\",\"host.user.full_name\",\"host.user.full_name.text\",\"host.user.group.domain\",\"host.user.group.id\",\"host.user.group.name\",\"host.user.hash\",\"host.user.id\",\"host.user.name\",\"host.user.name.text\",\"host.user.roles\",
\"http.request.body.bytes\",\"http.request.body.content\",\"http.request.body.content.text\",\"http.request.bytes\",\"http.request.method\",\"http.request.mime_type\",\"http.request.referrer\",\"http.response.body.bytes\",\"http.response.body.content\",\"http.response.body.content.text\",\"http.response.bytes\",\"http.response.mime_type\",\"http.response.status_code\",\"http.version\",\"icinga.debug.facility\",\"icinga.main.facility\",\"icinga.startup.facility\",\"icmp.code\",\"icmp.type\",\"igmp.type\",\"iis.access.cookie\",\"iis.access.server_name\",\"iis.access.site_name\",\"iis.access.sub_status\",\"iis.access.win32_status\",\"iis.error.queue_name\",\"iis.error.reason_phrase\",\"input.type\",\"interface.alias\",\"interface.id\",\"interface.name\",\"jolokia.agent.id\",\"jolokia.agent.version\",\"jolokia.secured\",\"jolokia.server.product\",\"jolokia.server.vendor\",\"jolokia.server.version\",\"jolokia.url\",\"kafka.block_timestamp\",\"kafka.key\",\"kafka.log.class\",\"kafka.log.component\",\"kafka.log.thread\",\"kafka.log.trace.class\",\"kafka.log.trace.message\",\"kafka.offset\",\"kafka.partition\",\"kafka.topic\",\"kibana.add_to_spaces\",\"kibana.authentication_provider\",\"kibana.authentication_realm\",\"kibana.authentication_type\",\"kibana.delete_from_spaces\",\"kibana.log.state\",\"kibana.log.tags\",\"kibana.lookup_realm\",\"kibana.saved_object.id\",\"kibana.saved_object.type\",\"kibana.session_id\",\"kibana.space_id\",\"kubernetes.container.image\",\"kubernetes.container.name\",\"kubernetes.deployment.name\",\"kubernetes.namespace\",\"kubernetes.node.hostname\",\"kubernetes.node.name\",\"kubernetes.pod.name\",\"kubernetes.pod.uid\",\"kubernetes.replicaset.name\",\"kubernetes.statefulset.name\",\"log.file.path\",\"log.flags\",\"log.level\",\"log.logger\",\"log.offset\",\"log.origin.file.line\",\"log.origin.file.name\",\"log.origin.function\",\"log.original\",\"log.source.address\",\"log.syslog.facility.code\",\"log.syslog.facility.name\",\"log.syslog.priori
ty\",\"log.syslog.severity.code\",\"log.syslog.severity.name\",\"logstash.log.integration\",\"logstash.log.pipeline_id\",\"logstash.log.thread\",\"logstash.log.thread.text\",\"logstash.slowlog.event\",\"logstash.slowlog.event.text\",\"logstash.slowlog.integration\",\"logstash.slowlog.plugin_name\",\"logstash.slowlog.plugin_params\",\"logstash.slowlog.plugin_params.text\",\"logstash.slowlog.plugin_type\",\"logstash.slowlog.thread\",\"logstash.slowlog.thread.text\",\"logstash.slowlog.took_in_millis\",\"message\",\"mongodb.log.component\",\"mongodb.log.context\",\"mysql.slowlog.bytes_received\",\"mysql.slowlog.bytes_sent\",\"mysql.slowlog.current_user\",\"mysql.slowlog.filesort\",\"mysql.slowlog.filesort_on_disk\",\"mysql.slowlog.full_join\",\"mysql.slowlog.full_scan\",\"mysql.slowlog.innodb.io_r_bytes\",\"mysql.slowlog.innodb.io_r_ops\",\"mysql.slowlog.innodb.io_r_wait.sec\",\"mysql.slowlog.innodb.pages_distinct\",\"mysql.slowlog.innodb.queue_wait.sec\",\"mysql.slowlog.innodb.rec_lock_wait.sec\",\"mysql.slowlog.innodb.trx_id\",\"mysql.slowlog.killed\",\"mysql.slowlog.last_errno\",\"mysql.slowlog.lock_time.sec\",\"mysql.slowlog.log_slow_rate_limit\",\"mysql.slowlog.log_slow_rate_type\",\"mysql.slowlog.merge_passes\",\"mysql.slowlog.priority_queue\",\"mysql.slowlog.query\",\"mysql.slowlog.query_cache_hit\",\"mysql.slowlog.read_first\",\"mysql.slowlog.read_key\",\"mysql.slowlog.read_last\",\"mysql.slowlog.read_next\",\"mysql.slowlog.read_prev\",\"mysql.slowlog.read_rnd\",\"mysql.slowlog.read_rnd_next\",\"mysql.slowlog.rows_affected\",\"mysql.slowlog.rows_examined\",\"mysql.slowlog.rows_sent\",\"mysql.slowlog.schema\",\"mysql.slowlog.sort_merge_passes\",\"mysql.slowlog.sort_range_count\",\"mysql.slowlog.sort_rows\",\"mysql.slowlog.sort_scan_count\",\"mysql.slowlog.tmp_disk_tables\",\"mysql.slowlog.tmp_table\",\"mysql.slowlog.tmp_table_on_disk\",\"mysql.slowlog.tmp_table_sizes\",\"mysql.slowlog.tmp_tables\",\"mysql.thread_id\",\"nats.log.client.id\",\"nats.log.msg.bytes\",
\"nats.log.msg.error.message\",\"nats.log.msg.max_messages\",\"nats.log.msg.queue_group\",\"nats.log.msg.reply_to\",\"nats.log.msg.sid\",\"nats.log.msg.subject\",\"nats.log.msg.type\",\"network.application\",\"network.bytes\",\"network.community_id\",\"network.direction\",\"network.forwarded_ip\",\"network.iana_number\",\"network.inner.vlan.id\",\"network.inner.vlan.name\",\"network.name\",\"network.packets\",\"network.protocol\",\"network.transport\",\"network.type\",\"network.vlan.id\",\"network.vlan.name\",\"nginx.error.connection_id\",\"nginx.ingress_controller.http.request.id\",\"nginx.ingress_controller.http.request.length\",\"nginx.ingress_controller.http.request.time\",\"nginx.ingress_controller.upstream.alternative_name\",\"nginx.ingress_controller.upstream.ip\",\"nginx.ingress_controller.upstream.name\",\"nginx.ingress_controller.upstream.port\",\"nginx.ingress_controller.upstream.response.length\",\"nginx.ingress_controller.upstream.response.length_list\",\"nginx.ingress_controller.upstream.response.status_code\",\"nginx.ingress_controller.upstream.response.status_code_list\",\"nginx.ingress_controller.upstream.response.time\",\"nginx.ingress_controller.upstream.response.time_list\",\"nginx.ingress_controller.upstream_address_list\",\"observer.egress.interface.alias\",\"observer.egress.interface.id\",\"observer.egress.interface.name\",\"observer.egress.vlan.id\",\"observer.egress.vlan.name\",\"observer.egress.zone\",\"observer.geo.city_name\",\"observer.geo.continent_name\",\"observer.geo.country_iso_code\",\"observer.geo.country_name\",\"observer.geo.location\",\"observer.geo.name\",\"observer.geo.region_iso_code\",\"observer.geo.region_name\",\"observer.hostname\",\"observer.ingress.interface.alias\",\"observer.ingress.interface.id\",\"observer.ingress.interface.name\",\"observer.ingress.vlan.id\",\"observer.ingress.vlan.name\",\"observer.ingress.zone\",\"observer.ip\",\"observer.mac\",\"observer.name\",\"observer.os.family\",\"observer.os.full\",\"obse
rver.os.full.text\",\"observer.os.kernel\",\"observer.os.name\",\"observer.os.name.text\",\"observer.os.platform\",\"observer.os.version\",\"observer.product\",\"observer.serial_number\",\"observer.type\",\"observer.vendor\",\"observer.version\",\"organization.id\",\"organization.name\",\"organization.name.text\",\"os.family\",\"os.full\",\"os.full.text\",\"os.kernel\",\"os.name\",\"os.name.text\",\"os.platform\",\"os.version\",\"osquery.result.action\",\"osquery.result.calendar_time\",\"osquery.result.host_identifier\",\"osquery.result.name\",\"osquery.result.unix_time\",\"package.architecture\",\"package.build_version\",\"package.checksum\",\"package.description\",\"package.install_scope\",\"package.installed\",\"package.license\",\"package.name\",\"package.path\",\"package.reference\",\"package.size\",\"package.type\",\"package.version\",\"pe.architecture\",\"pe.company\",\"pe.description\",\"pe.file_version\",\"pe.imphash\",\"pe.original_file_name\",\"pe.product\",\"postgresql.log.core_id\",\"postgresql.log.database\",\"postgresql.log.error.code\",\"postgresql.log.query\",\"postgresql.log.query_name\",\"postgresql.log.query_step\",\"postgresql.log.timestamp\",\"process.args\",\"process.args_count\",\"process.code_signature.exists\",\"process.code_signature.status\",\"process.code_signature.subject_name\",\"process.code_signature.trusted\",\"process.code_signature.valid\",\"process.command_line\",\"process.command_line.text\",\"process.entity_id\",\"process.executable\",\"process.executable.text\",\"process.exit_code\",\"process.hash.md5\",\"process.hash.sha1\",\"process.hash.sha256\",\"process.hash.sha512\",\"process.name\",\"process.name.text\",\"process.parent.args\",\"process.parent.args_count\",\"process.parent.code_signature.exists\",\"process.parent.code_signature.status\",\"process.parent.code_signature.subject_name\",\"process.parent.code_signature.trusted\",\"process.parent.code_signature.valid\",\"process.parent.command_line\",\"process.parent.command_
line.text\",\"process.parent.entity_id\",\"process.parent.executable\",\"process.parent.executable.text\",\"process.parent.exit_code\",\"process.parent.hash.md5\",\"process.parent.hash.sha1\",\"process.parent.hash.sha256\",\"process.parent.hash.sha512\",\"process.parent.name\",\"process.parent.name.text\",\"process.parent.pe.architecture\",\"process.parent.pe.company\",\"process.parent.pe.description\",\"process.parent.pe.file_version\",\"process.parent.pe.imphash\",\"process.parent.pe.original_file_name\",\"process.parent.pe.product\",\"process.parent.pgid\",\"process.parent.pid\",\"process.parent.ppid\",\"process.parent.start\",\"process.parent.thread.id\",\"process.parent.thread.name\",\"process.parent.title\",\"process.parent.title.text\",\"process.parent.uptime\",\"process.parent.working_directory\",\"process.parent.working_directory.text\",\"process.pe.architecture\",\"process.pe.company\",\"process.pe.description\",\"process.pe.file_version\",\"process.pe.imphash\",\"process.pe.original_file_name\",\"process.pe.product\",\"process.pgid\",\"process.pid\",\"process.ppid\",\"process.program\",\"process.start\",\"process.thread.id\",\"process.thread.name\",\"process.title\",\"process.title.text\",\"process.uptime\",\"process.working_directory\",\"process.working_directory.text\",\"redis.log.role\",\"redis.slowlog.args\",\"redis.slowlog.cmd\",\"redis.slowlog.duration.us\",\"redis.slowlog.id\",\"redis.slowlog.key\",\"registry.data.bytes\",\"registry.data.strings\",\"registry.data.type\",\"registry.hive\",\"registry.key\",\"registry.path\",\"registry.value\",\"related.hash\",\"related.hosts\",\"related.ip\",\"related.user\",\"rule.author\",\"rule.category\",\"rule.description\",\"rule.id\",\"rule.license\",\"rule.name\",\"rule.reference\",\"rule.ruleset\",\"rule.uuid\",\"rule.version\",\"santa.action\",\"santa.certificate.common_name\",\"santa.certificate.sha256\",\"santa.decision\",\"santa.disk.bsdname\",\"santa.disk.bus\",\"santa.disk.fs\",\"santa.disk.model\",\"s
anta.disk.mount\",\"santa.disk.serial\",\"santa.disk.volume\",\"santa.mode\",\"santa.reason\",\"server.address\",\"server.as.number\",\"server.as.organization.name\",\"server.as.organization.name.text\",\"server.bytes\",\"server.domain\",\"server.geo.city_name\",\"server.geo.continent_name\",\"server.geo.country_iso_code\",\"server.geo.country_name\",\"server.geo.location\",\"server.geo.name\",\"server.geo.region_iso_code\",\"server.geo.region_name\",\"server.ip\",\"server.mac\",\"server.nat.ip\",\"server.nat.port\",\"server.packets\",\"server.port\",\"server.registered_domain\",\"server.subdomain\",\"server.top_level_domain\",\"server.user.domain\",\"server.user.email\",\"server.user.full_name\",\"server.user.full_name.text\",\"server.user.group.domain\",\"server.user.group.id\",\"server.user.group.name\",\"server.user.hash\",\"server.user.id\",\"server.user.name\",\"server.user.name.text\",\"server.user.roles\",\"service.ephemeral_id\",\"service.id\",\"service.name\",\"service.node.name\",\"service.state\",\"service.type\",\"service.version\",\"source.address\",\"source.as.number\",\"source.as.organization.name\",\"source.as.organization.name.text\",\"source.bytes\",\"source.domain\",\"source.geo.city_name\",\"source.geo.continent_name\",\"source.geo.country_iso_code\",\"source.geo.country_name\",\"source.geo.location\",\"source.geo.name\",\"source.geo.region_iso_code\",\"source.geo.region_name\",\"source.ip\",\"source.mac\",\"source.nat.ip\",\"source.nat.port\",\"source.packets\",\"source.port\",\"source.registered_domain\",\"source.subdomain\",\"source.top_level_domain\",\"source.user.domain\",\"source.user.email\",\"source.user.full_name\",\"source.user.full_name.text\",\"source.user.group.domain\",\"source.user.group.id\",\"source.user.group.name\",\"source.user.hash\",\"source.user.id\",\"source.user.name\",\"source.user.name.text\",\"source.user.roles\",\"span.id\",\"stream\",\"syslog.facility\",\"syslog.facility_label\",\"syslog.priority\",\"syslog.severity
_label\",\"system.auth.ssh.dropped_ip\",\"system.auth.ssh.event\",\"system.auth.ssh.method\",\"system.auth.ssh.signature\",\"system.auth.sudo.command\",\"system.auth.sudo.error\",\"system.auth.sudo.pwd\",\"system.auth.sudo.tty\",\"system.auth.sudo.user\",\"system.auth.useradd.home\",\"system.auth.useradd.shell\",\"tags\",\"threat.framework\",\"threat.tactic.id\",\"threat.tactic.name\",\"threat.tactic.reference\",\"threat.technique.id\",\"threat.technique.name\",\"threat.technique.name.text\",\"threat.technique.reference\",\"threat.technique.subtechnique.id\",\"threat.technique.subtechnique.name\",\"threat.technique.subtechnique.name.text\",\"threat.technique.subtechnique.reference\",\"timeseries.instance\",\"tls.cipher\",\"tls.client.certificate\",\"tls.client.certificate_chain\",\"tls.client.hash.md5\",\"tls.client.hash.sha1\",\"tls.client.hash.sha256\",\"tls.client.issuer\",\"tls.client.ja3\",\"tls.client.not_after\",\"tls.client.not_before\",\"tls.client.server_name\",\"tls.client.subject\",\"tls.client.supported_ciphers\",\"tls.client.x509.alternative_names\",\"tls.client.x509.issuer.common_name\",\"tls.client.x509.issuer.country\",\"tls.client.x509.issuer.distinguished_name\",\"tls.client.x509.issuer.locality\",\"tls.client.x509.issuer.organization\",\"tls.client.x509.issuer.organizational_unit\",\"tls.client.x509.issuer.state_or_province\",\"tls.client.x509.not_after\",\"tls.client.x509.not_before\",\"tls.client.x509.public_key_algorithm\",\"tls.client.x509.public_key_curve\",\"tls.client.x509.public_key_exponent\",\"tls.client.x509.public_key_size\",\"tls.client.x509.serial_number\",\"tls.client.x509.signature_algorithm\",\"tls.client.x509.subject.common_name\",\"tls.client.x509.subject.country\",\"tls.client.x509.subject.distinguished_name\",\"tls.client.x509.subject.locality\",\"tls.client.x509.subject.organization\",\"tls.client.x509.subject.organizational_unit\",\"tls.client.x509.subject.state_or_province\",\"tls.client.x509.version_number\",\"tls.curve\"
,\"tls.established\",\"tls.next_protocol\",\"tls.resumed\",\"tls.server.certificate\",\"tls.server.certificate_chain\",\"tls.server.hash.md5\",\"tls.server.hash.sha1\",\"tls.server.hash.sha256\",\"tls.server.issuer\",\"tls.server.ja3s\",\"tls.server.not_after\",\"tls.server.not_before\",\"tls.server.subject\",\"tls.server.x509.alternative_names\",\"tls.server.x509.issuer.common_name\",\"tls.server.x509.issuer.country\",\"tls.server.x509.issuer.distinguished_name\",\"tls.server.x509.issuer.locality\",\"tls.server.x509.issuer.organization\",\"tls.server.x509.issuer.organizational_unit\",\"tls.server.x509.issuer.state_or_province\",\"tls.server.x509.not_after\",\"tls.server.x509.not_before\",\"tls.server.x509.public_key_algorithm\",\"tls.server.x509.public_key_curve\",\"tls.server.x509.public_key_exponent\",\"tls.server.x509.public_key_size\",\"tls.server.x509.serial_number\",\"tls.server.x509.signature_algorithm\",\"tls.server.x509.subject.common_name\",\"tls.server.x509.subject.country\",\"tls.server.x509.subject.distinguished_name\",\"tls.server.x509.subject.locality\",\"tls.server.x509.subject.organization\",\"tls.server.x509.subject.organizational_unit\",\"tls.server.x509.subject.state_or_province\",\"tls.server.x509.version_number\",\"tls.version\",\"tls.version_protocol\",\"trace.id\",\"traefik.access.backend_url\",\"traefik.access.frontend_name\",\"traefik.access.geoip.city_name\",\"traefik.access.geoip.continent_name\",\"traefik.access.geoip.country_iso_code\",\"traefik.access.geoip.location\",\"traefik.access.geoip.region_iso_code\",\"traefik.access.geoip.region_name\",\"traefik.access.request_count\",\"traefik.access.user_agent.device\",\"traefik.access.user_agent.name\",\"traefik.access.user_agent.original\",\"traefik.access.user_agent.os\",\"traefik.access.user_agent.os_name\",\"traefik.access.user_identifier\",\"transaction.id\",\"url.domain\",\"url.extension\",\"url.fragment\",\"url.full\",\"url.full.text\",\"url.original\",\"url.original.text\",\"url.pa
ssword\",\"url.path\",\"url.port\",\"url.query\",\"url.registered_domain\",\"url.scheme\",\"url.subdomain\",\"url.top_level_domain\",\"url.username\",\"user.audit.group.id\",\"user.audit.group.name\",\"user.audit.id\",\"user.audit.name\",\"user.domain\",\"user.effective.group.id\",\"user.effective.group.name\",\"user.effective.id\",\"user.effective.name\",\"user.email\",\"user.filesystem.group.id\",\"user.filesystem.group.name\",\"user.filesystem.id\",\"user.filesystem.name\",\"user.full_name\",\"user.full_name.text\",\"user.group.domain\",\"user.group.id\",\"user.group.name\",\"user.hash\",\"user.id\",\"user.name\",\"user.name.text\",\"user.owner.group.id\",\"user.owner.group.name\",\"user.owner.id\",\"user.owner.name\",\"user.roles\",\"user.saved.group.id\",\"user.saved.group.name\",\"user.saved.id\",\"user.saved.name\",\"user.terminal\",\"user_agent.device.name\",\"user_agent.name\",\"user_agent.original\",\"user_agent.original.text\",\"user_agent.os.family\",\"user_agent.os.full\",\"user_agent.os.full.text\",\"user_agent.os.full_name\",\"user_agent.os.kernel\",\"user_agent.os.name\",\"user_agent.os.name.text\",\"user_agent.os.platform\",\"user_agent.os.version\",\"user_agent.version\",\"vlan.id\",\"vlan.name\",\"vulnerability.category\",\"vulnerability.classification\",\"vulnerability.description\",\"vulnerability.description.text\",\"vulnerability.enumeration\",\"vulnerability.id\",\"vulnerability.reference\",\"vulnerability.report_id\",\"vulnerability.scanner.vendor\",\"vulnerability.score.base\",\"vulnerability.score.environmental\",\"vulnerability.score.temporal\",\"vulnerability.score.version\",\"vulnerability.severity\",\"x509.alternative_names\",\"x509.issuer.common_name\",\"x509.issuer.country\",\"x509.issuer.distinguished_name\",\"x509.issuer.locality\",\"x509.issuer.organization\",\"x509.issuer.organizational_unit\",\"x509.issuer.state_or_province\",\"x509.not_after\",\"x509.not_before\",\"x509.public_key_algorithm\",\"x509.public_key_curve\",\"x509.pu
blic_key_exponent\",\"x509.public_key_size\",\"x509.serial_number\",\"x509.signature_algorithm\",\"x509.subject.common_name\",\"x509.subject.country\",\"x509.subject.distinguished_name\",\"x509.subject.locality\",\"x509.subject.organization\",\"x509.subject.organizational_unit\",\"x509.subject.state_or_province\",\"x509.version_number\"],\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"hid_bravura_monitor.perf.kind\",\"negate\":false,\"params\":{\"query\":\"PerfExe\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"hid_bravura_monitor.perf.kind\":\"PerfExe\"}}}],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"log.logger: plugin_*\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "PerfExe - Plugins", - "version": 1 - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-39072a50-2f42-11eb-b6a1-bdb7d768b585", - "migrationVersion": { - "search": "7.9.3" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/hid_bravura_monitor/1.2.2/kibana/search/hid_bravura_monitor-3aa4b370-25db-11eb-abcf-effcd51852fa.json b/packages/hid_bravura_monitor/1.2.2/kibana/search/hid_bravura_monitor-3aa4b370-25db-11eb-abcf-effcd51852fa.json deleted file mode 100755 index ae380d7a7e..0000000000 --- a/packages/hid_bravura_monitor/1.2.2/kibana/search/hid_bravura_monitor-3aa4b370-25db-11eb-abcf-effcd51852fa.json +++ /dev/null 
@@ -1,44 +0,0 @@ -{ - "attributes": { - "columns": [], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"fieldsFromSource\":[\"@timestamp\",\"_id\",\"_index\",\"_score\",\"_source\",\"_type\",\"agent.build.original\",\"agent.ephemeral_id\",\"agent.hostname\",\"agent.id\",\"agent.name\",\"agent.type\",\"agent.version\",\"apache.access.ssl.cipher\",\"apache.access.ssl.protocol\",\"apache.error.integration\",\"as.number\",\"as.organization.name\",\"as.organization.name.text\",\"auditd.log.a0\",\"auditd.log.addr\",\"auditd.log.item\",\"auditd.log.items\",\"auditd.log.laddr\",\"auditd.log.lport\",\"auditd.log.new_auid\",\"auditd.log.new_ses\",\"auditd.log.old_auid\",\"auditd.log.old_ses\",\"auditd.log.rport\",\"auditd.log.sequence\",\"auditd.log.tty\",\"azure.consumer_group\",\"azure.enqueued_time\",\"azure.eventhub\",\"azure.offset\",\"azure.partition_id\",\"azure.sequence_number\",\"client.address\",\"client.as.number\",\"client.as.organization.name\",\"client.as.organization.name.text\",\"client.bytes\",\"client.domain\",\"client.geo.city_name\",\"client.geo.continent_name\",\"client.geo.country_iso_code\",\"client.geo.country_name\",\"client.geo.location\",\"client.geo.name\",\"client.geo.region_iso_code\",\"client.geo.region_name\",\"client.ip\",\"client.mac\",\"client.nat.ip\",\"client.nat.port\",\"client.packets\",\"client.port\",\"client.registered_domain\",\"client.subdomain\",\"client.top_level_domain\",\"client.user.domain\",\"client.user.email\",\"client.user.full_name\",\"client.user.full_name.text\",\"client.user.group.domain\",\"client.user.group.id\",\"client.user.group.name\",\"client.user.hash\",\"client.user.id\",\"client.user.name\",\"client.user.name.text\",\"client.user.roles\",\"cloud.account.id\",\"cloud.account.name\",\"cloud.availability_zone\",\"cloud.image.id\",\"cloud.instance.id\",\"cloud.instance.name\",\"cloud.machine.type\",\"cloud.project.id\",\"cloud.project.name\",\"cloud.provider\",\"cloud.region
\",\"code_signature.exists\",\"code_signature.status\",\"code_signature.subject_name\",\"code_signature.trusted\",\"code_signature.valid\",\"container.id\",\"container.image.name\",\"container.image.tag\",\"container.name\",\"container.runtime\",\"destination.address\",\"destination.as.number\",\"destination.as.organization.name\",\"destination.as.organization.name.text\",\"destination.bytes\",\"destination.domain\",\"destination.geo.city_name\",\"destination.geo.continent_name\",\"destination.geo.country_iso_code\",\"destination.geo.country_name\",\"destination.geo.location\",\"destination.geo.name\",\"destination.geo.region_iso_code\",\"destination.geo.region_name\",\"destination.ip\",\"destination.mac\",\"destination.nat.ip\",\"destination.nat.port\",\"destination.packets\",\"destination.port\",\"destination.registered_domain\",\"destination.subdomain\",\"destination.top_level_domain\",\"destination.user.domain\",\"destination.user.email\",\"destination.user.full_name\",\"destination.user.full_name.text\",\"destination.user.group.domain\",\"destination.user.group.id\",\"destination.user.group.name\",\"destination.user.hash\",\"destination.user.id\",\"destination.user.name\",\"destination.user.name.text\",\"destination.user.roles\",\"dll.code_signature.exists\",\"dll.code_signature.status\",\"dll.code_signature.subject_name\",\"dll.code_signature.trusted\",\"dll.code_signature.valid\",\"dll.hash.md5\",\"dll.hash.sha1\",\"dll.hash.sha256\",\"dll.hash.sha512\",\"dll.name\",\"dll.path\",\"dll.pe.architecture\",\"dll.pe.company\",\"dll.pe.description\",\"dll.pe.file_version\",\"dll.pe.imphash\",\"dll.pe.original_file_name\",\"dll.pe.product\",\"dns.answers.class\",\"dns.answers.data\",\"dns.answers.name\",\"dns.answers.ttl\",\"dns.answers.type\",\"dns.header_flags\",\"dns.id\",\"dns.op_code\",\"dns.question.class\",\"dns.question.name\",\"dns.question.registered_domain\",\"dns.question.subdomain\",\"dns.question.top_level_domain\",\"dns.question.type\",\"dns.resolved_
ip\",\"dns.response_code\",\"dns.type\",\"ecs.version\",\"elasticsearch.audit.action\",\"elasticsearch.audit.event_type\",\"elasticsearch.audit.indices\",\"elasticsearch.audit.layer\",\"elasticsearch.audit.message\",\"elasticsearch.audit.origin.type\",\"elasticsearch.audit.realm\",\"elasticsearch.audit.request.id\",\"elasticsearch.audit.request.name\",\"elasticsearch.audit.url.params\",\"elasticsearch.audit.user.realm\",\"elasticsearch.audit.user.roles\",\"elasticsearch.cluster.name\",\"elasticsearch.cluster.uuid\",\"elasticsearch.component\",\"elasticsearch.gc.heap.size_kb\",\"elasticsearch.gc.heap.used_kb\",\"elasticsearch.gc.jvm_runtime_sec\",\"elasticsearch.gc.old_gen.size_kb\",\"elasticsearch.gc.old_gen.used_kb\",\"elasticsearch.gc.phase.class_unload_time_sec\",\"elasticsearch.gc.phase.cpu_time.real_sec\",\"elasticsearch.gc.phase.cpu_time.sys_sec\",\"elasticsearch.gc.phase.cpu_time.user_sec\",\"elasticsearch.gc.phase.duration_sec\",\"elasticsearch.gc.phase.name\",\"elasticsearch.gc.phase.parallel_rescan_time_sec\",\"elasticsearch.gc.phase.scrub_string_table_time_sec\",\"elasticsearch.gc.phase.scrub_symbol_table_time_sec\",\"elasticsearch.gc.phase.weak_refs_processing_time_sec\",\"elasticsearch.gc.stopping_threads_time_sec\",\"elasticsearch.gc.tags\",\"elasticsearch.gc.threads_total_stop_time_sec\",\"elasticsearch.gc.young_gen.size_kb\",\"elasticsearch.gc.young_gen.used_kb\",\"elasticsearch.index.id\",\"elasticsearch.index.name\",\"elasticsearch.node.id\",\"elasticsearch.node.name\",\"elasticsearch.server.gc.collection_duration.ms\",\"elasticsearch.server.gc.observation_duration.ms\",\"elasticsearch.server.gc.overhead_seq\",\"elasticsearch.server.gc.young.one\",\"elasticsearch.server.gc.young.two\",\"elasticsearch.server.stacktrace\",\"elasticsearch.shard.id\",\"elasticsearch.slowlog.extra_source\",\"elasticsearch.slowlog.id\",\"elasticsearch.slowlog.logger\",\"elasticsearch.slowlog.routing\",\"elasticsearch.slowlog.search_type\",\"elasticsearch.slowlog.source\"
,\"elasticsearch.slowlog.source_query\",\"elasticsearch.slowlog.stats\",\"elasticsearch.slowlog.took\",\"elasticsearch.slowlog.total_hits\",\"elasticsearch.slowlog.total_shards\",\"elasticsearch.slowlog.type\",\"elasticsearch.slowlog.types\",\"error.code\",\"error.id\",\"error.message\",\"error.stack_trace\",\"error.stack_trace.text\",\"error.type\",\"event.action\",\"event.category\",\"event.code\",\"event.created\",\"data_stream.dataset\",\"event.duration\",\"event.end\",\"event.hash\",\"event.id\",\"event.ingested\",\"event.kind\",\"event.integration\",\"event.original\",\"event.outcome\",\"event.provider\",\"event.reason\",\"event.reference\",\"event.risk_score\",\"event.risk_score_norm\",\"event.sequence\",\"event.severity\",\"event.start\",\"event.timezone\",\"event.type\",\"event.url\",\"file.accessed\",\"file.attributes\",\"file.code_signature.exists\",\"file.code_signature.status\",\"file.code_signature.subject_name\",\"file.code_signature.trusted\",\"file.code_signature.valid\",\"file.created\",\"file.ctime\",\"file.device\",\"file.directory\",\"file.drive_letter\",\"file.extension\",\"file.gid\",\"file.group\",\"file.hash.md5\",\"file.hash.sha1\",\"file.hash.sha256\",\"file.hash.sha512\",\"file.inode\",\"file.mime_type\",\"file.mode\",\"file.mtime\",\"file.name\",\"file.owner\",\"file.path\",\"file.path.text\",\"file.pe.architecture\",\"file.pe.company\",\"file.pe.description\",\"file.pe.file_version\",\"file.pe.imphash\",\"file.pe.original_file_name\",\"file.pe.product\",\"file.size\",\"file.target_path\",\"file.target_path.text\",\"file.type\",\"file.uid\",\"file.x509.alternative_names\",\"file.x509.issuer.common_name\",\"file.x509.issuer.country\",\"file.x509.issuer.distinguished_name\",\"file.x509.issuer.locality\",\"file.x509.issuer.organization\",\"file.x509.issuer.organizational_unit\",\"file.x509.issuer.state_or_province\",\"file.x509.not_after\",\"file.x509.not_before\",\"file.x509.public_key_algorithm\",\"file.x509.public_key_curve\",\"file.x509
.public_key_exponent\",\"file.x509.public_key_size\",\"file.x509.serial_number\",\"file.x509.signature_algorithm\",\"file.x509.subject.common_name\",\"file.x509.subject.country\",\"file.x509.subject.distinguished_name\",\"file.x509.subject.locality\",\"file.x509.subject.organization\",\"file.x509.subject.organizational_unit\",\"file.x509.subject.state_or_province\",\"file.x509.version_number\",\"fileset.name\",\"geo.city_name\",\"geo.continent_name\",\"geo.country_iso_code\",\"geo.country_name\",\"geo.location\",\"geo.name\",\"geo.region_iso_code\",\"geo.region_name\",\"group.domain\",\"group.id\",\"group.name\",\"haproxy.backend_name\",\"haproxy.backend_queue\",\"haproxy.bind_name\",\"haproxy.bytes_read\",\"haproxy.connection_wait_time_ms\",\"haproxy.connections.active\",\"haproxy.connections.backend\",\"haproxy.connections.frontend\",\"haproxy.connections.retries\",\"haproxy.connections.server\",\"haproxy.error_message\",\"haproxy.frontend_name\",\"haproxy.http.request.captured_cookie\",\"haproxy.http.request.captured_headers\",\"haproxy.http.request.raw_request_line\",\"haproxy.http.request.time_wait_ms\",\"haproxy.http.request.time_wait_without_data_ms\",\"haproxy.http.response.captured_cookie\",\"haproxy.http.response.captured_headers\",\"haproxy.mode\",\"haproxy.server_name\",\"haproxy.server_queue\",\"haproxy.source\",\"haproxy.tcp.connection_waiting_time_ms\",\"haproxy.termination_state\",\"haproxy.time_backend_connect\",\"haproxy.time_queue\",\"haproxy.total_waiting_time_ms\",\"hash.md5\",\"hash.sha1\",\"hash.sha256\",\"hash.sha512\",\"hid_bravura_monitor.instancename\",\"hid_bravura_monitor.node\",\"hid_bravura_monitor.perf.address\",\"hid_bravura_monitor.perf.address\",\"hid_bravura_monitor.perf.adminid\",\"hid_bravura_monitor.perf.adminid\",\"hid_bravura_monitor.perf.dbcommand\",\"hid_bravura_monitor.perf.dbcommand\",\"hid_bravura_monitor.perf.destination\",\"hid_bravura_monitor.perf.duration\",\"hid_bravura_monitor.perf.event\",\"hid_bravura_monitor.per
f.event\",\"hid_bravura_monitor.perf.exe\",\"hid_bravura_monitor.perf.exe\",\"hid_bravura_monitor.perf.file\",\"hid_bravura_monitor.perf.function\",\"hid_bravura_monitor.perf.function\",\"hid_bravura_monitor.perf.kernel\",\"hid_bravura_monitor.perf.kind\",\"hid_bravura_monitor.perf.kind\",\"hid_bravura_monitor.perf.message\",\"hid_bravura_monitor.perf.message\",\"hid_bravura_monitor.perf.operation\",\"hid_bravura_monitor.perf.operation\",\"hid_bravura_monitor.perf.receivequeue\",\"hid_bravura_monitor.perf.receivequeue\",\"hid_bravura_monitor.perf.records\",\"hid_bravura_monitor.perf.result\",\"hid_bravura_monitor.perf.result\",\"hid_bravura_monitor.perf.rule\",\"hid_bravura_monitor.perf.sessionid\",\"hid_bravura_monitor.perf.sessionid\",\"hid_bravura_monitor.perf.sysid\",\"hid_bravura_monitor.perf.sysid\",\"hid_bravura_monitor.perf.table\",\"hid_bravura_monitor.perf.table\",\"hid_bravura_monitor.perf.targetid\",\"hid_bravura_monitor.perf.targetid\",\"hid_bravura_monitor.perf.transid\",\"hid_bravura_monitor.perf.transid\",\"hid_bravura_monitor.perf.type\",\"hid_bravura_monitor.perf.user\",\"hid_bravura_monitor.request.id\",\"hid_bravura_monitor.request.id\",\"host.architecture\",\"host.containerized\",\"host.domain\",\"host.geo.city_name\",\"host.geo.continent_name\",\"host.geo.country_iso_code\",\"host.geo.country_name\",\"host.geo.location\",\"host.geo.name\",\"host.geo.region_iso_code\",\"host.geo.region_name\",\"host.hostname\",\"host.id\",\"host.ip\",\"host.mac\",\"host.name\",\"host.os.build\",\"host.os.codename\",\"host.os.family\",\"host.os.full\",\"host.os.full.text\",\"host.os.kernel\",\"host.os.name\",\"host.os.name.text\",\"host.os.platform\",\"host.os.version\",\"host.type\",\"host.uptime\",\"host.user.domain\",\"host.user.email\",\"host.user.full_name\",\"host.user.full_name.text\",\"host.user.group.domain\",\"host.user.group.id\",\"host.user.group.name\",\"host.user.hash\",\"host.user.id\",\"host.user.name\",\"host.user.name.text\",\"host.user.roles\",
\"http.request.body.bytes\",\"http.request.body.content\",\"http.request.body.content.text\",\"http.request.bytes\",\"http.request.method\",\"http.request.mime_type\",\"http.request.referrer\",\"http.response.body.bytes\",\"http.response.body.content\",\"http.response.body.content.text\",\"http.response.bytes\",\"http.response.mime_type\",\"http.response.status_code\",\"http.version\",\"icinga.debug.facility\",\"icinga.main.facility\",\"icinga.startup.facility\",\"icmp.code\",\"icmp.type\",\"igmp.type\",\"iis.access.cookie\",\"iis.access.server_name\",\"iis.access.site_name\",\"iis.access.sub_status\",\"iis.access.win32_status\",\"iis.error.queue_name\",\"iis.error.reason_phrase\",\"input.type\",\"interface.alias\",\"interface.id\",\"interface.name\",\"jolokia.agent.id\",\"jolokia.agent.version\",\"jolokia.secured\",\"jolokia.server.product\",\"jolokia.server.vendor\",\"jolokia.server.version\",\"jolokia.url\",\"kafka.block_timestamp\",\"kafka.key\",\"kafka.log.class\",\"kafka.log.component\",\"kafka.log.thread\",\"kafka.log.trace.class\",\"kafka.log.trace.message\",\"kafka.offset\",\"kafka.partition\",\"kafka.topic\",\"kibana.add_to_spaces\",\"kibana.authentication_provider\",\"kibana.authentication_realm\",\"kibana.authentication_type\",\"kibana.delete_from_spaces\",\"kibana.log.state\",\"kibana.log.tags\",\"kibana.lookup_realm\",\"kibana.saved_object.id\",\"kibana.saved_object.type\",\"kibana.session_id\",\"kibana.space_id\",\"kubernetes.container.image\",\"kubernetes.container.name\",\"kubernetes.deployment.name\",\"kubernetes.namespace\",\"kubernetes.node.hostname\",\"kubernetes.node.name\",\"kubernetes.pod.name\",\"kubernetes.pod.uid\",\"kubernetes.replicaset.name\",\"kubernetes.statefulset.name\",\"log.file.path\",\"log.flags\",\"log.level\",\"log.logger\",\"log.offset\",\"log.origin.file.line\",\"log.origin.file.name\",\"log.origin.function\",\"log.original\",\"log.source.address\",\"log.syslog.facility.code\",\"log.syslog.facility.name\",\"log.syslog.priori
ty\",\"log.syslog.severity.code\",\"log.syslog.severity.name\",\"logstash.log.integration\",\"logstash.log.pipeline_id\",\"logstash.log.thread\",\"logstash.log.thread.text\",\"logstash.slowlog.event\",\"logstash.slowlog.event.text\",\"logstash.slowlog.integration\",\"logstash.slowlog.plugin_name\",\"logstash.slowlog.plugin_params\",\"logstash.slowlog.plugin_params.text\",\"logstash.slowlog.plugin_type\",\"logstash.slowlog.thread\",\"logstash.slowlog.thread.text\",\"logstash.slowlog.took_in_millis\",\"message\",\"mongodb.log.component\",\"mongodb.log.context\",\"mysql.slowlog.bytes_received\",\"mysql.slowlog.bytes_sent\",\"mysql.slowlog.current_user\",\"mysql.slowlog.filesort\",\"mysql.slowlog.filesort_on_disk\",\"mysql.slowlog.full_join\",\"mysql.slowlog.full_scan\",\"mysql.slowlog.innodb.io_r_bytes\",\"mysql.slowlog.innodb.io_r_ops\",\"mysql.slowlog.innodb.io_r_wait.sec\",\"mysql.slowlog.innodb.pages_distinct\",\"mysql.slowlog.innodb.queue_wait.sec\",\"mysql.slowlog.innodb.rec_lock_wait.sec\",\"mysql.slowlog.innodb.trx_id\",\"mysql.slowlog.killed\",\"mysql.slowlog.last_errno\",\"mysql.slowlog.lock_time.sec\",\"mysql.slowlog.log_slow_rate_limit\",\"mysql.slowlog.log_slow_rate_type\",\"mysql.slowlog.merge_passes\",\"mysql.slowlog.priority_queue\",\"mysql.slowlog.query\",\"mysql.slowlog.query_cache_hit\",\"mysql.slowlog.read_first\",\"mysql.slowlog.read_key\",\"mysql.slowlog.read_last\",\"mysql.slowlog.read_next\",\"mysql.slowlog.read_prev\",\"mysql.slowlog.read_rnd\",\"mysql.slowlog.read_rnd_next\",\"mysql.slowlog.rows_affected\",\"mysql.slowlog.rows_examined\",\"mysql.slowlog.rows_sent\",\"mysql.slowlog.schema\",\"mysql.slowlog.sort_merge_passes\",\"mysql.slowlog.sort_range_count\",\"mysql.slowlog.sort_rows\",\"mysql.slowlog.sort_scan_count\",\"mysql.slowlog.tmp_disk_tables\",\"mysql.slowlog.tmp_table\",\"mysql.slowlog.tmp_table_on_disk\",\"mysql.slowlog.tmp_table_sizes\",\"mysql.slowlog.tmp_tables\",\"mysql.thread_id\",\"nats.log.client.id\",\"nats.log.msg.bytes\",
\"nats.log.msg.error.message\",\"nats.log.msg.max_messages\",\"nats.log.msg.queue_group\",\"nats.log.msg.reply_to\",\"nats.log.msg.sid\",\"nats.log.msg.subject\",\"nats.log.msg.type\",\"network.application\",\"network.bytes\",\"network.community_id\",\"network.direction\",\"network.forwarded_ip\",\"network.iana_number\",\"network.inner.vlan.id\",\"network.inner.vlan.name\",\"network.name\",\"network.packets\",\"network.protocol\",\"network.transport\",\"network.type\",\"network.vlan.id\",\"network.vlan.name\",\"nginx.error.connection_id\",\"nginx.ingress_controller.http.request.id\",\"nginx.ingress_controller.http.request.length\",\"nginx.ingress_controller.http.request.time\",\"nginx.ingress_controller.upstream.alternative_name\",\"nginx.ingress_controller.upstream.ip\",\"nginx.ingress_controller.upstream.name\",\"nginx.ingress_controller.upstream.port\",\"nginx.ingress_controller.upstream.response.length\",\"nginx.ingress_controller.upstream.response.length_list\",\"nginx.ingress_controller.upstream.response.status_code\",\"nginx.ingress_controller.upstream.response.status_code_list\",\"nginx.ingress_controller.upstream.response.time\",\"nginx.ingress_controller.upstream.response.time_list\",\"nginx.ingress_controller.upstream_address_list\",\"observer.egress.interface.alias\",\"observer.egress.interface.id\",\"observer.egress.interface.name\",\"observer.egress.vlan.id\",\"observer.egress.vlan.name\",\"observer.egress.zone\",\"observer.geo.city_name\",\"observer.geo.continent_name\",\"observer.geo.country_iso_code\",\"observer.geo.country_name\",\"observer.geo.location\",\"observer.geo.name\",\"observer.geo.region_iso_code\",\"observer.geo.region_name\",\"observer.hostname\",\"observer.ingress.interface.alias\",\"observer.ingress.interface.id\",\"observer.ingress.interface.name\",\"observer.ingress.vlan.id\",\"observer.ingress.vlan.name\",\"observer.ingress.zone\",\"observer.ip\",\"observer.mac\",\"observer.name\",\"observer.os.family\",\"observer.os.full\",\"obse
rver.os.full.text\",\"observer.os.kernel\",\"observer.os.name\",\"observer.os.name.text\",\"observer.os.platform\",\"observer.os.version\",\"observer.product\",\"observer.serial_number\",\"observer.type\",\"observer.vendor\",\"observer.version\",\"organization.id\",\"organization.name\",\"organization.name.text\",\"os.family\",\"os.full\",\"os.full.text\",\"os.kernel\",\"os.name\",\"os.name.text\",\"os.platform\",\"os.version\",\"osquery.result.action\",\"osquery.result.calendar_time\",\"osquery.result.host_identifier\",\"osquery.result.name\",\"osquery.result.unix_time\",\"package.architecture\",\"package.build_version\",\"package.checksum\",\"package.description\",\"package.install_scope\",\"package.installed\",\"package.license\",\"package.name\",\"package.path\",\"package.reference\",\"package.size\",\"package.type\",\"package.version\",\"pe.architecture\",\"pe.company\",\"pe.description\",\"pe.file_version\",\"pe.imphash\",\"pe.original_file_name\",\"pe.product\",\"postgresql.log.core_id\",\"postgresql.log.database\",\"postgresql.log.error.code\",\"postgresql.log.query\",\"postgresql.log.query_name\",\"postgresql.log.query_step\",\"postgresql.log.timestamp\",\"process.args\",\"process.args_count\",\"process.code_signature.exists\",\"process.code_signature.status\",\"process.code_signature.subject_name\",\"process.code_signature.trusted\",\"process.code_signature.valid\",\"process.command_line\",\"process.command_line.text\",\"process.entity_id\",\"process.executable\",\"process.executable.text\",\"process.exit_code\",\"process.hash.md5\",\"process.hash.sha1\",\"process.hash.sha256\",\"process.hash.sha512\",\"process.name\",\"process.name.text\",\"process.parent.args\",\"process.parent.args_count\",\"process.parent.code_signature.exists\",\"process.parent.code_signature.status\",\"process.parent.code_signature.subject_name\",\"process.parent.code_signature.trusted\",\"process.parent.code_signature.valid\",\"process.parent.command_line\",\"process.parent.command_
line.text\",\"process.parent.entity_id\",\"process.parent.executable\",\"process.parent.executable.text\",\"process.parent.exit_code\",\"process.parent.hash.md5\",\"process.parent.hash.sha1\",\"process.parent.hash.sha256\",\"process.parent.hash.sha512\",\"process.parent.name\",\"process.parent.name.text\",\"process.parent.pe.architecture\",\"process.parent.pe.company\",\"process.parent.pe.description\",\"process.parent.pe.file_version\",\"process.parent.pe.imphash\",\"process.parent.pe.original_file_name\",\"process.parent.pe.product\",\"process.parent.pgid\",\"process.parent.pid\",\"process.parent.ppid\",\"process.parent.start\",\"process.parent.thread.id\",\"process.parent.thread.name\",\"process.parent.title\",\"process.parent.title.text\",\"process.parent.uptime\",\"process.parent.working_directory\",\"process.parent.working_directory.text\",\"process.pe.architecture\",\"process.pe.company\",\"process.pe.description\",\"process.pe.file_version\",\"process.pe.imphash\",\"process.pe.original_file_name\",\"process.pe.product\",\"process.pgid\",\"process.pid\",\"process.ppid\",\"process.program\",\"process.start\",\"process.thread.id\",\"process.thread.name\",\"process.title\",\"process.title.text\",\"process.uptime\",\"process.working_directory\",\"process.working_directory.text\",\"redis.log.role\",\"redis.slowlog.args\",\"redis.slowlog.cmd\",\"redis.slowlog.duration.us\",\"redis.slowlog.id\",\"redis.slowlog.key\",\"registry.data.bytes\",\"registry.data.strings\",\"registry.data.type\",\"registry.hive\",\"registry.key\",\"registry.path\",\"registry.value\",\"related.hash\",\"related.hosts\",\"related.ip\",\"related.user\",\"rule.author\",\"rule.category\",\"rule.description\",\"rule.id\",\"rule.license\",\"rule.name\",\"rule.reference\",\"rule.ruleset\",\"rule.uuid\",\"rule.version\",\"santa.action\",\"santa.certificate.common_name\",\"santa.certificate.sha256\",\"santa.decision\",\"santa.disk.bsdname\",\"santa.disk.bus\",\"santa.disk.fs\",\"santa.disk.model\",\"s
anta.disk.mount\",\"santa.disk.serial\",\"santa.disk.volume\",\"santa.mode\",\"santa.reason\",\"server.address\",\"server.as.number\",\"server.as.organization.name\",\"server.as.organization.name.text\",\"server.bytes\",\"server.domain\",\"server.geo.city_name\",\"server.geo.continent_name\",\"server.geo.country_iso_code\",\"server.geo.country_name\",\"server.geo.location\",\"server.geo.name\",\"server.geo.region_iso_code\",\"server.geo.region_name\",\"server.ip\",\"server.mac\",\"server.nat.ip\",\"server.nat.port\",\"server.packets\",\"server.port\",\"server.registered_domain\",\"server.subdomain\",\"server.top_level_domain\",\"server.user.domain\",\"server.user.email\",\"server.user.full_name\",\"server.user.full_name.text\",\"server.user.group.domain\",\"server.user.group.id\",\"server.user.group.name\",\"server.user.hash\",\"server.user.id\",\"server.user.name\",\"server.user.name.text\",\"server.user.roles\",\"service.ephemeral_id\",\"service.id\",\"service.name\",\"service.node.name\",\"service.state\",\"service.type\",\"service.version\",\"source.address\",\"source.as.number\",\"source.as.organization.name\",\"source.as.organization.name.text\",\"source.bytes\",\"source.domain\",\"source.geo.city_name\",\"source.geo.continent_name\",\"source.geo.country_iso_code\",\"source.geo.country_name\",\"source.geo.location\",\"source.geo.name\",\"source.geo.region_iso_code\",\"source.geo.region_name\",\"source.ip\",\"source.mac\",\"source.nat.ip\",\"source.nat.port\",\"source.packets\",\"source.port\",\"source.registered_domain\",\"source.subdomain\",\"source.top_level_domain\",\"source.user.domain\",\"source.user.email\",\"source.user.full_name\",\"source.user.full_name.text\",\"source.user.group.domain\",\"source.user.group.id\",\"source.user.group.name\",\"source.user.hash\",\"source.user.id\",\"source.user.name\",\"source.user.name.text\",\"source.user.roles\",\"span.id\",\"stream\",\"syslog.facility\",\"syslog.facility_label\",\"syslog.priority\",\"syslog.severity
_label\",\"system.auth.ssh.dropped_ip\",\"system.auth.ssh.event\",\"system.auth.ssh.method\",\"system.auth.ssh.signature\",\"system.auth.sudo.command\",\"system.auth.sudo.error\",\"system.auth.sudo.pwd\",\"system.auth.sudo.tty\",\"system.auth.sudo.user\",\"system.auth.useradd.home\",\"system.auth.useradd.shell\",\"tags\",\"threat.framework\",\"threat.tactic.id\",\"threat.tactic.name\",\"threat.tactic.reference\",\"threat.technique.id\",\"threat.technique.name\",\"threat.technique.name.text\",\"threat.technique.reference\",\"threat.technique.subtechnique.id\",\"threat.technique.subtechnique.name\",\"threat.technique.subtechnique.name.text\",\"threat.technique.subtechnique.reference\",\"timeseries.instance\",\"tls.cipher\",\"tls.client.certificate\",\"tls.client.certificate_chain\",\"tls.client.hash.md5\",\"tls.client.hash.sha1\",\"tls.client.hash.sha256\",\"tls.client.issuer\",\"tls.client.ja3\",\"tls.client.not_after\",\"tls.client.not_before\",\"tls.client.server_name\",\"tls.client.subject\",\"tls.client.supported_ciphers\",\"tls.client.x509.alternative_names\",\"tls.client.x509.issuer.common_name\",\"tls.client.x509.issuer.country\",\"tls.client.x509.issuer.distinguished_name\",\"tls.client.x509.issuer.locality\",\"tls.client.x509.issuer.organization\",\"tls.client.x509.issuer.organizational_unit\",\"tls.client.x509.issuer.state_or_province\",\"tls.client.x509.not_after\",\"tls.client.x509.not_before\",\"tls.client.x509.public_key_algorithm\",\"tls.client.x509.public_key_curve\",\"tls.client.x509.public_key_exponent\",\"tls.client.x509.public_key_size\",\"tls.client.x509.serial_number\",\"tls.client.x509.signature_algorithm\",\"tls.client.x509.subject.common_name\",\"tls.client.x509.subject.country\",\"tls.client.x509.subject.distinguished_name\",\"tls.client.x509.subject.locality\",\"tls.client.x509.subject.organization\",\"tls.client.x509.subject.organizational_unit\",\"tls.client.x509.subject.state_or_province\",\"tls.client.x509.version_number\",\"tls.curve\"
,\"tls.established\",\"tls.next_protocol\",\"tls.resumed\",\"tls.server.certificate\",\"tls.server.certificate_chain\",\"tls.server.hash.md5\",\"tls.server.hash.sha1\",\"tls.server.hash.sha256\",\"tls.server.issuer\",\"tls.server.ja3s\",\"tls.server.not_after\",\"tls.server.not_before\",\"tls.server.subject\",\"tls.server.x509.alternative_names\",\"tls.server.x509.issuer.common_name\",\"tls.server.x509.issuer.country\",\"tls.server.x509.issuer.distinguished_name\",\"tls.server.x509.issuer.locality\",\"tls.server.x509.issuer.organization\",\"tls.server.x509.issuer.organizational_unit\",\"tls.server.x509.issuer.state_or_province\",\"tls.server.x509.not_after\",\"tls.server.x509.not_before\",\"tls.server.x509.public_key_algorithm\",\"tls.server.x509.public_key_curve\",\"tls.server.x509.public_key_exponent\",\"tls.server.x509.public_key_size\",\"tls.server.x509.serial_number\",\"tls.server.x509.signature_algorithm\",\"tls.server.x509.subject.common_name\",\"tls.server.x509.subject.country\",\"tls.server.x509.subject.distinguished_name\",\"tls.server.x509.subject.locality\",\"tls.server.x509.subject.organization\",\"tls.server.x509.subject.organizational_unit\",\"tls.server.x509.subject.state_or_province\",\"tls.server.x509.version_number\",\"tls.version\",\"tls.version_protocol\",\"trace.id\",\"traefik.access.backend_url\",\"traefik.access.frontend_name\",\"traefik.access.geoip.city_name\",\"traefik.access.geoip.continent_name\",\"traefik.access.geoip.country_iso_code\",\"traefik.access.geoip.location\",\"traefik.access.geoip.region_iso_code\",\"traefik.access.geoip.region_name\",\"traefik.access.request_count\",\"traefik.access.user_agent.device\",\"traefik.access.user_agent.name\",\"traefik.access.user_agent.original\",\"traefik.access.user_agent.os\",\"traefik.access.user_agent.os_name\",\"traefik.access.user_identifier\",\"transaction.id\",\"url.domain\",\"url.extension\",\"url.fragment\",\"url.full\",\"url.full.text\",\"url.original\",\"url.original.text\",\"url.pa
ssword\",\"url.path\",\"url.port\",\"url.query\",\"url.registered_domain\",\"url.scheme\",\"url.subdomain\",\"url.top_level_domain\",\"url.username\",\"user.audit.group.id\",\"user.audit.group.name\",\"user.audit.id\",\"user.audit.name\",\"user.domain\",\"user.effective.group.id\",\"user.effective.group.name\",\"user.effective.id\",\"user.effective.name\",\"user.email\",\"user.filesystem.group.id\",\"user.filesystem.group.name\",\"user.filesystem.id\",\"user.filesystem.name\",\"user.full_name\",\"user.full_name.text\",\"user.group.domain\",\"user.group.id\",\"user.group.name\",\"user.hash\",\"user.id\",\"user.name\",\"user.name.text\",\"user.owner.group.id\",\"user.owner.group.name\",\"user.owner.id\",\"user.owner.name\",\"user.roles\",\"user.saved.group.id\",\"user.saved.group.name\",\"user.saved.id\",\"user.saved.name\",\"user.terminal\",\"user_agent.device.name\",\"user_agent.name\",\"user_agent.original\",\"user_agent.original.text\",\"user_agent.os.family\",\"user_agent.os.full\",\"user_agent.os.full.text\",\"user_agent.os.full_name\",\"user_agent.os.kernel\",\"user_agent.os.name\",\"user_agent.os.name.text\",\"user_agent.os.platform\",\"user_agent.os.version\",\"user_agent.version\",\"vlan.id\",\"vlan.name\",\"vulnerability.category\",\"vulnerability.classification\",\"vulnerability.description\",\"vulnerability.description.text\",\"vulnerability.enumeration\",\"vulnerability.id\",\"vulnerability.reference\",\"vulnerability.report_id\",\"vulnerability.scanner.vendor\",\"vulnerability.score.base\",\"vulnerability.score.environmental\",\"vulnerability.score.temporal\",\"vulnerability.score.version\",\"vulnerability.severity\",\"x509.alternative_names\",\"x509.issuer.common_name\",\"x509.issuer.country\",\"x509.issuer.distinguished_name\",\"x509.issuer.locality\",\"x509.issuer.organization\",\"x509.issuer.organizational_unit\",\"x509.issuer.state_or_province\",\"x509.not_after\",\"x509.not_before\",\"x509.public_key_algorithm\",\"x509.public_key_curve\",\"x509.pu
blic_key_exponent\",\"x509.public_key_size\",\"x509.serial_number\",\"x509.signature_algorithm\",\"x509.subject.common_name\",\"x509.subject.country\",\"x509.subject.distinguished_name\",\"x509.subject.locality\",\"x509.subject.organization\",\"x509.subject.organizational_unit\",\"x509.subject.state_or_province\",\"x509.version_number\"],\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"log.logger\",\"negate\":false,\"params\":[\"iddiscover.exe\",\"pamlws.exe\"],\"type\":\"phrases\",\"value\":\"iddiscover.exe, pamlws.exe\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"log.logger\":\"iddiscover.exe\"}},{\"match_phrase\":{\"log.logger\":\"pamlws.exe\"}}]}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"hid_bravura_monitor.perf.kind\",\"negate\":false,\"params\":{\"query\":\"PerfSproc\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"hid_bravura_monitor.perf.kind\":\"PerfSproc\"}}}],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "Discovery Stored Procedures", - "version": 1 - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-3aa4b370-25db-11eb-abcf-effcd51852fa", - "migrationVersion": { - "search": "7.9.3" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": 
"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/hid_bravura_monitor/1.2.2/kibana/search/hid_bravura_monitor-4215e410-2f42-11eb-b6a1-bdb7d768b585.json b/packages/hid_bravura_monitor/1.2.2/kibana/search/hid_bravura_monitor-4215e410-2f42-11eb-b6a1-bdb7d768b585.json deleted file mode 100755 index 4f92395e4e..0000000000 --- a/packages/hid_bravura_monitor/1.2.2/kibana/search/hid_bravura_monitor-4215e410-2f42-11eb-b6a1-bdb7d768b585.json +++ /dev/null 
@@ -1,39 +0,0 @@ -{ - "attributes": { - "columns": [], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"fieldsFromSource\":[\"@timestamp\",\"_id\",\"_index\",\"_score\",\"_source\",\"_type\",\"agent.build.original\",\"agent.ephemeral_id\",\"agent.hostname\",\"agent.id\",\"agent.name\",\"agent.type\",\"agent.version\",\"apache.access.ssl.cipher\",\"apache.access.ssl.protocol\",\"apache.error.integration\",\"as.number\",\"as.organization.name\",\"as.organization.name.text\",\"auditd.log.a0\",\"auditd.log.addr\",\"auditd.log.item\",\"auditd.log.items\",\"auditd.log.laddr\",\"auditd.log.lport\",\"auditd.log.new_auid\",\"auditd.log.new_ses\",\"auditd.log.old_auid\",\"auditd.log.old_ses\",\"auditd.log.rport\",\"auditd.log.sequence\",\"auditd.log.tty\",\"azure.consumer_group\",\"azure.enqueued_time\",\"azure.eventhub\",\"azure.offset\",\"azure.partition_id\",\"azure.sequence_number\",\"client.address\",\"client.as.number\",\"client.as.organization.name\",\"client.as.organization.name.text\",\"client.bytes\",\"client.domain\",\"client.geo.city_name\",\"client.geo.continent_name\",\"client.geo.country_iso_code\",\"client.geo.country_name\",\"client.geo.location\",\"client.geo.name\",\"client.geo.region_iso_code\",\"client.geo.region_name\",\"client.ip\",\"client.mac\",\"client.nat.ip\",\"client.nat.port\",\"client.packets\",\"client.port\",\"client.registered_domain\",\"client.subdomain\",\"client.top_level_domain\",\"client.user.domain\",\"client.user.email\",\"client.user.full_name\",\"client.user.full_name.text\",\"client.user.group.domain\",\"client.user.group.id\",\"client.user.group.name\",\"client.user.hash\",\"client.user.id\",\"client.user.name\",\"client.user.name.text\",\"client.user.roles\",\"cloud.account.id\",\"cloud.account.name\",\"cloud.availability_zone\",\"cloud.image.id\",\"cloud.instance.id\",\"cloud.instance.name\",\"cloud.machine.type\",\"cloud.project.id\",\"cloud.project.name\",\"cloud.provider\",\"cloud.region
\",\"code_signature.exists\",\"code_signature.status\",\"code_signature.subject_name\",\"code_signature.trusted\",\"code_signature.valid\",\"container.id\",\"container.image.name\",\"container.image.tag\",\"container.name\",\"container.runtime\",\"destination.address\",\"destination.as.number\",\"destination.as.organization.name\",\"destination.as.organization.name.text\",\"destination.bytes\",\"destination.domain\",\"destination.geo.city_name\",\"destination.geo.continent_name\",\"destination.geo.country_iso_code\",\"destination.geo.country_name\",\"destination.geo.location\",\"destination.geo.name\",\"destination.geo.region_iso_code\",\"destination.geo.region_name\",\"destination.ip\",\"destination.mac\",\"destination.nat.ip\",\"destination.nat.port\",\"destination.packets\",\"destination.port\",\"destination.registered_domain\",\"destination.subdomain\",\"destination.top_level_domain\",\"destination.user.domain\",\"destination.user.email\",\"destination.user.full_name\",\"destination.user.full_name.text\",\"destination.user.group.domain\",\"destination.user.group.id\",\"destination.user.group.name\",\"destination.user.hash\",\"destination.user.id\",\"destination.user.name\",\"destination.user.name.text\",\"destination.user.roles\",\"dll.code_signature.exists\",\"dll.code_signature.status\",\"dll.code_signature.subject_name\",\"dll.code_signature.trusted\",\"dll.code_signature.valid\",\"dll.hash.md5\",\"dll.hash.sha1\",\"dll.hash.sha256\",\"dll.hash.sha512\",\"dll.name\",\"dll.path\",\"dll.pe.architecture\",\"dll.pe.company\",\"dll.pe.description\",\"dll.pe.file_version\",\"dll.pe.imphash\",\"dll.pe.original_file_name\",\"dll.pe.product\",\"dns.answers.class\",\"dns.answers.data\",\"dns.answers.name\",\"dns.answers.ttl\",\"dns.answers.type\",\"dns.header_flags\",\"dns.id\",\"dns.op_code\",\"dns.question.class\",\"dns.question.name\",\"dns.question.registered_domain\",\"dns.question.subdomain\",\"dns.question.top_level_domain\",\"dns.question.type\",\"dns.resolved_
ip\",\"dns.response_code\",\"dns.type\",\"ecs.version\",\"elasticsearch.audit.action\",\"elasticsearch.audit.event_type\",\"elasticsearch.audit.indices\",\"elasticsearch.audit.layer\",\"elasticsearch.audit.message\",\"elasticsearch.audit.origin.type\",\"elasticsearch.audit.realm\",\"elasticsearch.audit.request.id\",\"elasticsearch.audit.request.name\",\"elasticsearch.audit.url.params\",\"elasticsearch.audit.user.realm\",\"elasticsearch.audit.user.roles\",\"elasticsearch.cluster.name\",\"elasticsearch.cluster.uuid\",\"elasticsearch.component\",\"elasticsearch.gc.heap.size_kb\",\"elasticsearch.gc.heap.used_kb\",\"elasticsearch.gc.jvm_runtime_sec\",\"elasticsearch.gc.old_gen.size_kb\",\"elasticsearch.gc.old_gen.used_kb\",\"elasticsearch.gc.phase.class_unload_time_sec\",\"elasticsearch.gc.phase.cpu_time.real_sec\",\"elasticsearch.gc.phase.cpu_time.sys_sec\",\"elasticsearch.gc.phase.cpu_time.user_sec\",\"elasticsearch.gc.phase.duration_sec\",\"elasticsearch.gc.phase.name\",\"elasticsearch.gc.phase.parallel_rescan_time_sec\",\"elasticsearch.gc.phase.scrub_string_table_time_sec\",\"elasticsearch.gc.phase.scrub_symbol_table_time_sec\",\"elasticsearch.gc.phase.weak_refs_processing_time_sec\",\"elasticsearch.gc.stopping_threads_time_sec\",\"elasticsearch.gc.tags\",\"elasticsearch.gc.threads_total_stop_time_sec\",\"elasticsearch.gc.young_gen.size_kb\",\"elasticsearch.gc.young_gen.used_kb\",\"elasticsearch.index.id\",\"elasticsearch.index.name\",\"elasticsearch.node.id\",\"elasticsearch.node.name\",\"elasticsearch.server.gc.collection_duration.ms\",\"elasticsearch.server.gc.observation_duration.ms\",\"elasticsearch.server.gc.overhead_seq\",\"elasticsearch.server.gc.young.one\",\"elasticsearch.server.gc.young.two\",\"elasticsearch.server.stacktrace\",\"elasticsearch.shard.id\",\"elasticsearch.slowlog.extra_source\",\"elasticsearch.slowlog.id\",\"elasticsearch.slowlog.logger\",\"elasticsearch.slowlog.routing\",\"elasticsearch.slowlog.search_type\",\"elasticsearch.slowlog.source\"
,\"elasticsearch.slowlog.source_query\",\"elasticsearch.slowlog.stats\",\"elasticsearch.slowlog.took\",\"elasticsearch.slowlog.total_hits\",\"elasticsearch.slowlog.total_shards\",\"elasticsearch.slowlog.type\",\"elasticsearch.slowlog.types\",\"error.code\",\"error.id\",\"error.message\",\"error.stack_trace\",\"error.stack_trace.text\",\"error.type\",\"event.action\",\"event.category\",\"event.code\",\"event.created\",\"data_stream.dataset\",\"event.duration\",\"event.end\",\"event.hash\",\"event.id\",\"event.ingested\",\"event.kind\",\"event.integration\",\"event.original\",\"event.outcome\",\"event.provider\",\"event.reason\",\"event.reference\",\"event.risk_score\",\"event.risk_score_norm\",\"event.sequence\",\"event.severity\",\"event.start\",\"event.timezone\",\"event.type\",\"event.url\",\"file.accessed\",\"file.attributes\",\"file.code_signature.exists\",\"file.code_signature.status\",\"file.code_signature.subject_name\",\"file.code_signature.trusted\",\"file.code_signature.valid\",\"file.created\",\"file.ctime\",\"file.device\",\"file.directory\",\"file.drive_letter\",\"file.extension\",\"file.gid\",\"file.group\",\"file.hash.md5\",\"file.hash.sha1\",\"file.hash.sha256\",\"file.hash.sha512\",\"file.inode\",\"file.mime_type\",\"file.mode\",\"file.mtime\",\"file.name\",\"file.owner\",\"file.path\",\"file.path.text\",\"file.pe.architecture\",\"file.pe.company\",\"file.pe.description\",\"file.pe.file_version\",\"file.pe.imphash\",\"file.pe.original_file_name\",\"file.pe.product\",\"file.size\",\"file.target_path\",\"file.target_path.text\",\"file.type\",\"file.uid\",\"file.x509.alternative_names\",\"file.x509.issuer.common_name\",\"file.x509.issuer.country\",\"file.x509.issuer.distinguished_name\",\"file.x509.issuer.locality\",\"file.x509.issuer.organization\",\"file.x509.issuer.organizational_unit\",\"file.x509.issuer.state_or_province\",\"file.x509.not_after\",\"file.x509.not_before\",\"file.x509.public_key_algorithm\",\"file.x509.public_key_curve\",\"file.x509
.public_key_exponent\",\"file.x509.public_key_size\",\"file.x509.serial_number\",\"file.x509.signature_algorithm\",\"file.x509.subject.common_name\",\"file.x509.subject.country\",\"file.x509.subject.distinguished_name\",\"file.x509.subject.locality\",\"file.x509.subject.organization\",\"file.x509.subject.organizational_unit\",\"file.x509.subject.state_or_province\",\"file.x509.version_number\",\"fileset.name\",\"geo.city_name\",\"geo.continent_name\",\"geo.country_iso_code\",\"geo.country_name\",\"geo.location\",\"geo.name\",\"geo.region_iso_code\",\"geo.region_name\",\"group.domain\",\"group.id\",\"group.name\",\"haproxy.backend_name\",\"haproxy.backend_queue\",\"haproxy.bind_name\",\"haproxy.bytes_read\",\"haproxy.connection_wait_time_ms\",\"haproxy.connections.active\",\"haproxy.connections.backend\",\"haproxy.connections.frontend\",\"haproxy.connections.retries\",\"haproxy.connections.server\",\"haproxy.error_message\",\"haproxy.frontend_name\",\"haproxy.http.request.captured_cookie\",\"haproxy.http.request.captured_headers\",\"haproxy.http.request.raw_request_line\",\"haproxy.http.request.time_wait_ms\",\"haproxy.http.request.time_wait_without_data_ms\",\"haproxy.http.response.captured_cookie\",\"haproxy.http.response.captured_headers\",\"haproxy.mode\",\"haproxy.server_name\",\"haproxy.server_queue\",\"haproxy.source\",\"haproxy.tcp.connection_waiting_time_ms\",\"haproxy.termination_state\",\"haproxy.time_backend_connect\",\"haproxy.time_queue\",\"haproxy.total_waiting_time_ms\",\"hash.md5\",\"hash.sha1\",\"hash.sha256\",\"hash.sha512\",\"hid_bravura_monitor.instancename\",\"hid_bravura_monitor.node\",\"hid_bravura_monitor.perf.address\",\"hid_bravura_monitor.perf.address\",\"hid_bravura_monitor.perf.adminid\",\"hid_bravura_monitor.perf.adminid\",\"hid_bravura_monitor.perf.dbcommand\",\"hid_bravura_monitor.perf.dbcommand\",\"hid_bravura_monitor.perf.destination\",\"hid_bravura_monitor.perf.duration\",\"hid_bravura_monitor.perf.event\",\"hid_bravura_monitor.per
f.event\",\"hid_bravura_monitor.perf.exe\",\"hid_bravura_monitor.perf.exe\",\"hid_bravura_monitor.perf.file\",\"hid_bravura_monitor.perf.function\",\"hid_bravura_monitor.perf.function\",\"hid_bravura_monitor.perf.kernel\",\"hid_bravura_monitor.perf.kind\",\"hid_bravura_monitor.perf.kind\",\"hid_bravura_monitor.perf.message\",\"hid_bravura_monitor.perf.message\",\"hid_bravura_monitor.perf.operation\",\"hid_bravura_monitor.perf.operation\",\"hid_bravura_monitor.perf.receivequeue\",\"hid_bravura_monitor.perf.receivequeue\",\"hid_bravura_monitor.perf.records\",\"hid_bravura_monitor.perf.result\",\"hid_bravura_monitor.perf.result\",\"hid_bravura_monitor.perf.rule\",\"hid_bravura_monitor.perf.sessionid\",\"hid_bravura_monitor.perf.sessionid\",\"hid_bravura_monitor.perf.sysid\",\"hid_bravura_monitor.perf.sysid\",\"hid_bravura_monitor.perf.table\",\"hid_bravura_monitor.perf.table\",\"hid_bravura_monitor.perf.targetid\",\"hid_bravura_monitor.perf.targetid\",\"hid_bravura_monitor.perf.transid\",\"hid_bravura_monitor.perf.transid\",\"hid_bravura_monitor.perf.type\",\"hid_bravura_monitor.perf.user\",\"hid_bravura_monitor.request.id\",\"hid_bravura_monitor.request.id\",\"host.architecture\",\"host.containerized\",\"host.domain\",\"host.geo.city_name\",\"host.geo.continent_name\",\"host.geo.country_iso_code\",\"host.geo.country_name\",\"host.geo.location\",\"host.geo.name\",\"host.geo.region_iso_code\",\"host.geo.region_name\",\"host.hostname\",\"host.id\",\"host.ip\",\"host.mac\",\"host.name\",\"host.os.build\",\"host.os.codename\",\"host.os.family\",\"host.os.full\",\"host.os.full.text\",\"host.os.kernel\",\"host.os.name\",\"host.os.name.text\",\"host.os.platform\",\"host.os.version\",\"host.type\",\"host.uptime\",\"host.user.domain\",\"host.user.email\",\"host.user.full_name\",\"host.user.full_name.text\",\"host.user.group.domain\",\"host.user.group.id\",\"host.user.group.name\",\"host.user.hash\",\"host.user.id\",\"host.user.name\",\"host.user.name.text\",\"host.user.roles\",
\"http.request.body.bytes\",\"http.request.body.content\",\"http.request.body.content.text\",\"http.request.bytes\",\"http.request.method\",\"http.request.mime_type\",\"http.request.referrer\",\"http.response.body.bytes\",\"http.response.body.content\",\"http.response.body.content.text\",\"http.response.bytes\",\"http.response.mime_type\",\"http.response.status_code\",\"http.version\",\"icinga.debug.facility\",\"icinga.main.facility\",\"icinga.startup.facility\",\"icmp.code\",\"icmp.type\",\"igmp.type\",\"iis.access.cookie\",\"iis.access.server_name\",\"iis.access.site_name\",\"iis.access.sub_status\",\"iis.access.win32_status\",\"iis.error.queue_name\",\"iis.error.reason_phrase\",\"input.type\",\"interface.alias\",\"interface.id\",\"interface.name\",\"jolokia.agent.id\",\"jolokia.agent.version\",\"jolokia.secured\",\"jolokia.server.product\",\"jolokia.server.vendor\",\"jolokia.server.version\",\"jolokia.url\",\"kafka.block_timestamp\",\"kafka.key\",\"kafka.log.class\",\"kafka.log.component\",\"kafka.log.thread\",\"kafka.log.trace.class\",\"kafka.log.trace.message\",\"kafka.offset\",\"kafka.partition\",\"kafka.topic\",\"kibana.add_to_spaces\",\"kibana.authentication_provider\",\"kibana.authentication_realm\",\"kibana.authentication_type\",\"kibana.delete_from_spaces\",\"kibana.log.state\",\"kibana.log.tags\",\"kibana.lookup_realm\",\"kibana.saved_object.id\",\"kibana.saved_object.type\",\"kibana.session_id\",\"kibana.space_id\",\"kubernetes.container.image\",\"kubernetes.container.name\",\"kubernetes.deployment.name\",\"kubernetes.namespace\",\"kubernetes.node.hostname\",\"kubernetes.node.name\",\"kubernetes.pod.name\",\"kubernetes.pod.uid\",\"kubernetes.replicaset.name\",\"kubernetes.statefulset.name\",\"log.file.path\",\"log.flags\",\"log.level\",\"log.logger\",\"log.offset\",\"log.origin.file.line\",\"log.origin.file.name\",\"log.origin.function\",\"log.original\",\"log.source.address\",\"log.syslog.facility.code\",\"log.syslog.facility.name\",\"log.syslog.priori
ty\",\"log.syslog.severity.code\",\"log.syslog.severity.name\",\"logstash.log.integration\",\"logstash.log.pipeline_id\",\"logstash.log.thread\",\"logstash.log.thread.text\",\"logstash.slowlog.event\",\"logstash.slowlog.event.text\",\"logstash.slowlog.integration\",\"logstash.slowlog.plugin_name\",\"logstash.slowlog.plugin_params\",\"logstash.slowlog.plugin_params.text\",\"logstash.slowlog.plugin_type\",\"logstash.slowlog.thread\",\"logstash.slowlog.thread.text\",\"logstash.slowlog.took_in_millis\",\"message\",\"mongodb.log.component\",\"mongodb.log.context\",\"mysql.slowlog.bytes_received\",\"mysql.slowlog.bytes_sent\",\"mysql.slowlog.current_user\",\"mysql.slowlog.filesort\",\"mysql.slowlog.filesort_on_disk\",\"mysql.slowlog.full_join\",\"mysql.slowlog.full_scan\",\"mysql.slowlog.innodb.io_r_bytes\",\"mysql.slowlog.innodb.io_r_ops\",\"mysql.slowlog.innodb.io_r_wait.sec\",\"mysql.slowlog.innodb.pages_distinct\",\"mysql.slowlog.innodb.queue_wait.sec\",\"mysql.slowlog.innodb.rec_lock_wait.sec\",\"mysql.slowlog.innodb.trx_id\",\"mysql.slowlog.killed\",\"mysql.slowlog.last_errno\",\"mysql.slowlog.lock_time.sec\",\"mysql.slowlog.log_slow_rate_limit\",\"mysql.slowlog.log_slow_rate_type\",\"mysql.slowlog.merge_passes\",\"mysql.slowlog.priority_queue\",\"mysql.slowlog.query\",\"mysql.slowlog.query_cache_hit\",\"mysql.slowlog.read_first\",\"mysql.slowlog.read_key\",\"mysql.slowlog.read_last\",\"mysql.slowlog.read_next\",\"mysql.slowlog.read_prev\",\"mysql.slowlog.read_rnd\",\"mysql.slowlog.read_rnd_next\",\"mysql.slowlog.rows_affected\",\"mysql.slowlog.rows_examined\",\"mysql.slowlog.rows_sent\",\"mysql.slowlog.schema\",\"mysql.slowlog.sort_merge_passes\",\"mysql.slowlog.sort_range_count\",\"mysql.slowlog.sort_rows\",\"mysql.slowlog.sort_scan_count\",\"mysql.slowlog.tmp_disk_tables\",\"mysql.slowlog.tmp_table\",\"mysql.slowlog.tmp_table_on_disk\",\"mysql.slowlog.tmp_table_sizes\",\"mysql.slowlog.tmp_tables\",\"mysql.thread_id\",\"nats.log.client.id\",\"nats.log.msg.bytes\",
\"nats.log.msg.error.message\",\"nats.log.msg.max_messages\",\"nats.log.msg.queue_group\",\"nats.log.msg.reply_to\",\"nats.log.msg.sid\",\"nats.log.msg.subject\",\"nats.log.msg.type\",\"network.application\",\"network.bytes\",\"network.community_id\",\"network.direction\",\"network.forwarded_ip\",\"network.iana_number\",\"network.inner.vlan.id\",\"network.inner.vlan.name\",\"network.name\",\"network.packets\",\"network.protocol\",\"network.transport\",\"network.type\",\"network.vlan.id\",\"network.vlan.name\",\"nginx.error.connection_id\",\"nginx.ingress_controller.http.request.id\",\"nginx.ingress_controller.http.request.length\",\"nginx.ingress_controller.http.request.time\",\"nginx.ingress_controller.upstream.alternative_name\",\"nginx.ingress_controller.upstream.ip\",\"nginx.ingress_controller.upstream.name\",\"nginx.ingress_controller.upstream.port\",\"nginx.ingress_controller.upstream.response.length\",\"nginx.ingress_controller.upstream.response.length_list\",\"nginx.ingress_controller.upstream.response.status_code\",\"nginx.ingress_controller.upstream.response.status_code_list\",\"nginx.ingress_controller.upstream.response.time\",\"nginx.ingress_controller.upstream.response.time_list\",\"nginx.ingress_controller.upstream_address_list\",\"observer.egress.interface.alias\",\"observer.egress.interface.id\",\"observer.egress.interface.name\",\"observer.egress.vlan.id\",\"observer.egress.vlan.name\",\"observer.egress.zone\",\"observer.geo.city_name\",\"observer.geo.continent_name\",\"observer.geo.country_iso_code\",\"observer.geo.country_name\",\"observer.geo.location\",\"observer.geo.name\",\"observer.geo.region_iso_code\",\"observer.geo.region_name\",\"observer.hostname\",\"observer.ingress.interface.alias\",\"observer.ingress.interface.id\",\"observer.ingress.interface.name\",\"observer.ingress.vlan.id\",\"observer.ingress.vlan.name\",\"observer.ingress.zone\",\"observer.ip\",\"observer.mac\",\"observer.name\",\"observer.os.family\",\"observer.os.full\",\"obse
rver.os.full.text\",\"observer.os.kernel\",\"observer.os.name\",\"observer.os.name.text\",\"observer.os.platform\",\"observer.os.version\",\"observer.product\",\"observer.serial_number\",\"observer.type\",\"observer.vendor\",\"observer.version\",\"organization.id\",\"organization.name\",\"organization.name.text\",\"os.family\",\"os.full\",\"os.full.text\",\"os.kernel\",\"os.name\",\"os.name.text\",\"os.platform\",\"os.version\",\"osquery.result.action\",\"osquery.result.calendar_time\",\"osquery.result.host_identifier\",\"osquery.result.name\",\"osquery.result.unix_time\",\"package.architecture\",\"package.build_version\",\"package.checksum\",\"package.description\",\"package.install_scope\",\"package.installed\",\"package.license\",\"package.name\",\"package.path\",\"package.reference\",\"package.size\",\"package.type\",\"package.version\",\"pe.architecture\",\"pe.company\",\"pe.description\",\"pe.file_version\",\"pe.imphash\",\"pe.original_file_name\",\"pe.product\",\"postgresql.log.core_id\",\"postgresql.log.database\",\"postgresql.log.error.code\",\"postgresql.log.query\",\"postgresql.log.query_name\",\"postgresql.log.query_step\",\"postgresql.log.timestamp\",\"process.args\",\"process.args_count\",\"process.code_signature.exists\",\"process.code_signature.status\",\"process.code_signature.subject_name\",\"process.code_signature.trusted\",\"process.code_signature.valid\",\"process.command_line\",\"process.command_line.text\",\"process.entity_id\",\"process.executable\",\"process.executable.text\",\"process.exit_code\",\"process.hash.md5\",\"process.hash.sha1\",\"process.hash.sha256\",\"process.hash.sha512\",\"process.name\",\"process.name.text\",\"process.parent.args\",\"process.parent.args_count\",\"process.parent.code_signature.exists\",\"process.parent.code_signature.status\",\"process.parent.code_signature.subject_name\",\"process.parent.code_signature.trusted\",\"process.parent.code_signature.valid\",\"process.parent.command_line\",\"process.parent.command_
line.text\",\"process.parent.entity_id\",\"process.parent.executable\",\"process.parent.executable.text\",\"process.parent.exit_code\",\"process.parent.hash.md5\",\"process.parent.hash.sha1\",\"process.parent.hash.sha256\",\"process.parent.hash.sha512\",\"process.parent.name\",\"process.parent.name.text\",\"process.parent.pe.architecture\",\"process.parent.pe.company\",\"process.parent.pe.description\",\"process.parent.pe.file_version\",\"process.parent.pe.imphash\",\"process.parent.pe.original_file_name\",\"process.parent.pe.product\",\"process.parent.pgid\",\"process.parent.pid\",\"process.parent.ppid\",\"process.parent.start\",\"process.parent.thread.id\",\"process.parent.thread.name\",\"process.parent.title\",\"process.parent.title.text\",\"process.parent.uptime\",\"process.parent.working_directory\",\"process.parent.working_directory.text\",\"process.pe.architecture\",\"process.pe.company\",\"process.pe.description\",\"process.pe.file_version\",\"process.pe.imphash\",\"process.pe.original_file_name\",\"process.pe.product\",\"process.pgid\",\"process.pid\",\"process.ppid\",\"process.program\",\"process.start\",\"process.thread.id\",\"process.thread.name\",\"process.title\",\"process.title.text\",\"process.uptime\",\"process.working_directory\",\"process.working_directory.text\",\"redis.log.role\",\"redis.slowlog.args\",\"redis.slowlog.cmd\",\"redis.slowlog.duration.us\",\"redis.slowlog.id\",\"redis.slowlog.key\",\"registry.data.bytes\",\"registry.data.strings\",\"registry.data.type\",\"registry.hive\",\"registry.key\",\"registry.path\",\"registry.value\",\"related.hash\",\"related.hosts\",\"related.ip\",\"related.user\",\"rule.author\",\"rule.category\",\"rule.description\",\"rule.id\",\"rule.license\",\"rule.name\",\"rule.reference\",\"rule.ruleset\",\"rule.uuid\",\"rule.version\",\"santa.action\",\"santa.certificate.common_name\",\"santa.certificate.sha256\",\"santa.decision\",\"santa.disk.bsdname\",\"santa.disk.bus\",\"santa.disk.fs\",\"santa.disk.model\",\"s
anta.disk.mount\",\"santa.disk.serial\",\"santa.disk.volume\",\"santa.mode\",\"santa.reason\",\"server.address\",\"server.as.number\",\"server.as.organization.name\",\"server.as.organization.name.text\",\"server.bytes\",\"server.domain\",\"server.geo.city_name\",\"server.geo.continent_name\",\"server.geo.country_iso_code\",\"server.geo.country_name\",\"server.geo.location\",\"server.geo.name\",\"server.geo.region_iso_code\",\"server.geo.region_name\",\"server.ip\",\"server.mac\",\"server.nat.ip\",\"server.nat.port\",\"server.packets\",\"server.port\",\"server.registered_domain\",\"server.subdomain\",\"server.top_level_domain\",\"server.user.domain\",\"server.user.email\",\"server.user.full_name\",\"server.user.full_name.text\",\"server.user.group.domain\",\"server.user.group.id\",\"server.user.group.name\",\"server.user.hash\",\"server.user.id\",\"server.user.name\",\"server.user.name.text\",\"server.user.roles\",\"service.ephemeral_id\",\"service.id\",\"service.name\",\"service.node.name\",\"service.state\",\"service.type\",\"service.version\",\"source.address\",\"source.as.number\",\"source.as.organization.name\",\"source.as.organization.name.text\",\"source.bytes\",\"source.domain\",\"source.geo.city_name\",\"source.geo.continent_name\",\"source.geo.country_iso_code\",\"source.geo.country_name\",\"source.geo.location\",\"source.geo.name\",\"source.geo.region_iso_code\",\"source.geo.region_name\",\"source.ip\",\"source.mac\",\"source.nat.ip\",\"source.nat.port\",\"source.packets\",\"source.port\",\"source.registered_domain\",\"source.subdomain\",\"source.top_level_domain\",\"source.user.domain\",\"source.user.email\",\"source.user.full_name\",\"source.user.full_name.text\",\"source.user.group.domain\",\"source.user.group.id\",\"source.user.group.name\",\"source.user.hash\",\"source.user.id\",\"source.user.name\",\"source.user.name.text\",\"source.user.roles\",\"span.id\",\"stream\",\"syslog.facility\",\"syslog.facility_label\",\"syslog.priority\",\"syslog.severity
_label\",\"system.auth.ssh.dropped_ip\",\"system.auth.ssh.event\",\"system.auth.ssh.method\",\"system.auth.ssh.signature\",\"system.auth.sudo.command\",\"system.auth.sudo.error\",\"system.auth.sudo.pwd\",\"system.auth.sudo.tty\",\"system.auth.sudo.user\",\"system.auth.useradd.home\",\"system.auth.useradd.shell\",\"tags\",\"threat.framework\",\"threat.tactic.id\",\"threat.tactic.name\",\"threat.tactic.reference\",\"threat.technique.id\",\"threat.technique.name\",\"threat.technique.name.text\",\"threat.technique.reference\",\"threat.technique.subtechnique.id\",\"threat.technique.subtechnique.name\",\"threat.technique.subtechnique.name.text\",\"threat.technique.subtechnique.reference\",\"timeseries.instance\",\"tls.cipher\",\"tls.client.certificate\",\"tls.client.certificate_chain\",\"tls.client.hash.md5\",\"tls.client.hash.sha1\",\"tls.client.hash.sha256\",\"tls.client.issuer\",\"tls.client.ja3\",\"tls.client.not_after\",\"tls.client.not_before\",\"tls.client.server_name\",\"tls.client.subject\",\"tls.client.supported_ciphers\",\"tls.client.x509.alternative_names\",\"tls.client.x509.issuer.common_name\",\"tls.client.x509.issuer.country\",\"tls.client.x509.issuer.distinguished_name\",\"tls.client.x509.issuer.locality\",\"tls.client.x509.issuer.organization\",\"tls.client.x509.issuer.organizational_unit\",\"tls.client.x509.issuer.state_or_province\",\"tls.client.x509.not_after\",\"tls.client.x509.not_before\",\"tls.client.x509.public_key_algorithm\",\"tls.client.x509.public_key_curve\",\"tls.client.x509.public_key_exponent\",\"tls.client.x509.public_key_size\",\"tls.client.x509.serial_number\",\"tls.client.x509.signature_algorithm\",\"tls.client.x509.subject.common_name\",\"tls.client.x509.subject.country\",\"tls.client.x509.subject.distinguished_name\",\"tls.client.x509.subject.locality\",\"tls.client.x509.subject.organization\",\"tls.client.x509.subject.organizational_unit\",\"tls.client.x509.subject.state_or_province\",\"tls.client.x509.version_number\",\"tls.curve\"
,\"tls.established\",\"tls.next_protocol\",\"tls.resumed\",\"tls.server.certificate\",\"tls.server.certificate_chain\",\"tls.server.hash.md5\",\"tls.server.hash.sha1\",\"tls.server.hash.sha256\",\"tls.server.issuer\",\"tls.server.ja3s\",\"tls.server.not_after\",\"tls.server.not_before\",\"tls.server.subject\",\"tls.server.x509.alternative_names\",\"tls.server.x509.issuer.common_name\",\"tls.server.x509.issuer.country\",\"tls.server.x509.issuer.distinguished_name\",\"tls.server.x509.issuer.locality\",\"tls.server.x509.issuer.organization\",\"tls.server.x509.issuer.organizational_unit\",\"tls.server.x509.issuer.state_or_province\",\"tls.server.x509.not_after\",\"tls.server.x509.not_before\",\"tls.server.x509.public_key_algorithm\",\"tls.server.x509.public_key_curve\",\"tls.server.x509.public_key_exponent\",\"tls.server.x509.public_key_size\",\"tls.server.x509.serial_number\",\"tls.server.x509.signature_algorithm\",\"tls.server.x509.subject.common_name\",\"tls.server.x509.subject.country\",\"tls.server.x509.subject.distinguished_name\",\"tls.server.x509.subject.locality\",\"tls.server.x509.subject.organization\",\"tls.server.x509.subject.organizational_unit\",\"tls.server.x509.subject.state_or_province\",\"tls.server.x509.version_number\",\"tls.version\",\"tls.version_protocol\",\"trace.id\",\"traefik.access.backend_url\",\"traefik.access.frontend_name\",\"traefik.access.geoip.city_name\",\"traefik.access.geoip.continent_name\",\"traefik.access.geoip.country_iso_code\",\"traefik.access.geoip.location\",\"traefik.access.geoip.region_iso_code\",\"traefik.access.geoip.region_name\",\"traefik.access.request_count\",\"traefik.access.user_agent.device\",\"traefik.access.user_agent.name\",\"traefik.access.user_agent.original\",\"traefik.access.user_agent.os\",\"traefik.access.user_agent.os_name\",\"traefik.access.user_identifier\",\"transaction.id\",\"url.domain\",\"url.extension\",\"url.fragment\",\"url.full\",\"url.full.text\",\"url.original\",\"url.original.text\",\"url.pa
ssword\",\"url.path\",\"url.port\",\"url.query\",\"url.registered_domain\",\"url.scheme\",\"url.subdomain\",\"url.top_level_domain\",\"url.username\",\"user.audit.group.id\",\"user.audit.group.name\",\"user.audit.id\",\"user.audit.name\",\"user.domain\",\"user.effective.group.id\",\"user.effective.group.name\",\"user.effective.id\",\"user.effective.name\",\"user.email\",\"user.filesystem.group.id\",\"user.filesystem.group.name\",\"user.filesystem.id\",\"user.filesystem.name\",\"user.full_name\",\"user.full_name.text\",\"user.group.domain\",\"user.group.id\",\"user.group.name\",\"user.hash\",\"user.id\",\"user.name\",\"user.name.text\",\"user.owner.group.id\",\"user.owner.group.name\",\"user.owner.id\",\"user.owner.name\",\"user.roles\",\"user.saved.group.id\",\"user.saved.group.name\",\"user.saved.id\",\"user.saved.name\",\"user.terminal\",\"user_agent.device.name\",\"user_agent.name\",\"user_agent.original\",\"user_agent.original.text\",\"user_agent.os.family\",\"user_agent.os.full\",\"user_agent.os.full.text\",\"user_agent.os.full_name\",\"user_agent.os.kernel\",\"user_agent.os.name\",\"user_agent.os.name.text\",\"user_agent.os.platform\",\"user_agent.os.version\",\"user_agent.version\",\"vlan.id\",\"vlan.name\",\"vulnerability.category\",\"vulnerability.classification\",\"vulnerability.description\",\"vulnerability.description.text\",\"vulnerability.enumeration\",\"vulnerability.id\",\"vulnerability.reference\",\"vulnerability.report_id\",\"vulnerability.scanner.vendor\",\"vulnerability.score.base\",\"vulnerability.score.environmental\",\"vulnerability.score.temporal\",\"vulnerability.score.version\",\"vulnerability.severity\",\"x509.alternative_names\",\"x509.issuer.common_name\",\"x509.issuer.country\",\"x509.issuer.distinguished_name\",\"x509.issuer.locality\",\"x509.issuer.organization\",\"x509.issuer.organizational_unit\",\"x509.issuer.state_or_province\",\"x509.not_after\",\"x509.not_before\",\"x509.public_key_algorithm\",\"x509.public_key_curve\",\"x509.pu
blic_key_exponent\",\"x509.public_key_size\",\"x509.serial_number\",\"x509.signature_algorithm\",\"x509.subject.common_name\",\"x509.subject.country\",\"x509.subject.distinguished_name\",\"x509.subject.locality\",\"x509.subject.organization\",\"x509.subject.organizational_unit\",\"x509.subject.state_or_province\",\"x509.version_number\"],\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"hid_bravura_monitor.perf.kind\",\"negate\":false,\"params\":{\"query\":\"PerfExe\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"hid_bravura_monitor.perf.kind\":\"PerfExe\"}}}],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "PerfExe", - "version": 1 - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-4215e410-2f42-11eb-b6a1-bdb7d768b585", - "migrationVersion": { - "search": "7.9.3" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/hid_bravura_monitor/1.2.2/kibana/search/hid_bravura_monitor-465760e0-25d7-11eb-abcf-effcd51852fa.json b/packages/hid_bravura_monitor/1.2.2/kibana/search/hid_bravura_monitor-465760e0-25d7-11eb-abcf-effcd51852fa.json deleted file mode 100755 index b67cb2881a..0000000000 --- a/packages/hid_bravura_monitor/1.2.2/kibana/search/hid_bravura_monitor-465760e0-25d7-11eb-abcf-effcd51852fa.json +++ /dev/null 
@@ -1,31 +0,0 @@ -{ - "attributes": { - "columns": [ - "_source" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"hid_bravura_monitor.log\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"hid_bravura_monitor.log\"}}}],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}" - }, - "sort": [], - "title": "Dataset", - "version": 1 - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-465760e0-25d7-11eb-abcf-effcd51852fa", - "migrationVersion": { - "search": "7.9.3" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/hid_bravura_monitor/1.2.2/kibana/search/hid_bravura_monitor-53be5e10-d909-11eb-9e70-edcbba448215.json b/packages/hid_bravura_monitor/1.2.2/kibana/search/hid_bravura_monitor-53be5e10-d909-11eb-9e70-edcbba448215.json deleted file mode 100755 index 21f0920379..0000000000 --- a/packages/hid_bravura_monitor/1.2.2/kibana/search/hid_bravura_monitor-53be5e10-d909-11eb-9e70-edcbba448215.json +++ /dev/null 
@@ -1,41 +0,0 @@ -{ - "attributes": { - "columns": [ - "_source" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"winlog.provider_name\",\"negate\":false,\"params\":{\"query\":\"Hitachi-Hitachi ID Systems-Hitachi ID Suite\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"winlog.provider_name\":\"Hitachi-Hitachi ID Systems-Hitachi ID Suite\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":[\"81\",\"82\",\"83\",\"84\",\"85\"],\"type\":\"phrases\",\"value\":\"81, 82, 83, 84, 85\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.code\":\"81\"}},{\"match_phrase\":{\"event.code\":\"82\"}},{\"match_phrase\":{\"event.code\":\"83\"}},{\"match_phrase\":{\"event.code\":\"84\"}},{\"match_phrase\":{\"event.code\":\"85\"}}]}}}],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}" - }, - "sort": [], - "title": "Hitachi ID Windows Event Logs - Workflow", - "version": 1 - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-53be5e10-d909-11eb-9e70-edcbba448215", - "migrationVersion": { - "search": "7.9.3" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "type": "index-pattern" - } - ], - "type": 
"search" -} \ No newline at end of file diff --git a/packages/hid_bravura_monitor/1.2.2/kibana/search/hid_bravura_monitor-55100560-1add-11eb-abcf-effcd51852fa.json b/packages/hid_bravura_monitor/1.2.2/kibana/search/hid_bravura_monitor-55100560-1add-11eb-abcf-effcd51852fa.json deleted file mode 100755 index 78345eb6c9..0000000000 --- a/packages/hid_bravura_monitor/1.2.2/kibana/search/hid_bravura_monitor-55100560-1add-11eb-abcf-effcd51852fa.json +++ /dev/null 
@@ -1,39 +0,0 @@ -{ - "attributes": { - "columns": [], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"fieldsFromSource\":[\"@timestamp\",\"_id\",\"_index\",\"_score\",\"_source\",\"_type\",\"agent.build.original\",\"agent.ephemeral_id\",\"agent.hostname\",\"agent.id\",\"agent.name\",\"agent.type\",\"agent.version\",\"apache.access.ssl.cipher\",\"apache.access.ssl.protocol\",\"apache.error.integration\",\"as.number\",\"as.organization.name\",\"as.organization.name.text\",\"auditd.log.a0\",\"auditd.log.addr\",\"auditd.log.item\",\"auditd.log.items\",\"auditd.log.laddr\",\"auditd.log.lport\",\"auditd.log.new_auid\",\"auditd.log.new_ses\",\"auditd.log.old_auid\",\"auditd.log.old_ses\",\"auditd.log.rport\",\"auditd.log.sequence\",\"auditd.log.tty\",\"azure.consumer_group\",\"azure.enqueued_time\",\"azure.eventhub\",\"azure.offset\",\"azure.partition_id\",\"azure.sequence_number\",\"client.address\",\"client.as.number\",\"client.as.organization.name\",\"client.as.organization.name.text\",\"client.bytes\",\"client.domain\",\"client.geo.city_name\",\"client.geo.continent_name\",\"client.geo.country_iso_code\",\"client.geo.country_name\",\"client.geo.location\",\"client.geo.name\",\"client.geo.region_iso_code\",\"client.geo.region_name\",\"client.ip\",\"client.mac\",\"client.nat.ip\",\"client.nat.port\",\"client.packets\",\"client.port\",\"client.registered_domain\",\"client.subdomain\",\"client.top_level_domain\",\"client.user.domain\",\"client.user.email\",\"client.user.full_name\",\"client.user.full_name.text\",\"client.user.group.domain\",\"client.user.group.id\",\"client.user.group.name\",\"client.user.hash\",\"client.user.id\",\"client.user.name\",\"client.user.name.text\",\"client.user.roles\",\"cloud.account.id\",\"cloud.account.name\",\"cloud.availability_zone\",\"cloud.image.id\",\"cloud.instance.id\",\"cloud.instance.name\",\"cloud.machine.type\",\"cloud.project.id\",\"cloud.project.name\",\"cloud.provider\",\"cloud.region
\",\"code_signature.exists\",\"code_signature.status\",\"code_signature.subject_name\",\"code_signature.trusted\",\"code_signature.valid\",\"container.id\",\"container.image.name\",\"container.image.tag\",\"container.name\",\"container.runtime\",\"destination.address\",\"destination.as.number\",\"destination.as.organization.name\",\"destination.as.organization.name.text\",\"destination.bytes\",\"destination.domain\",\"destination.geo.city_name\",\"destination.geo.continent_name\",\"destination.geo.country_iso_code\",\"destination.geo.country_name\",\"destination.geo.location\",\"destination.geo.name\",\"destination.geo.region_iso_code\",\"destination.geo.region_name\",\"destination.ip\",\"destination.mac\",\"destination.nat.ip\",\"destination.nat.port\",\"destination.packets\",\"destination.port\",\"destination.registered_domain\",\"destination.subdomain\",\"destination.top_level_domain\",\"destination.user.domain\",\"destination.user.email\",\"destination.user.full_name\",\"destination.user.full_name.text\",\"destination.user.group.domain\",\"destination.user.group.id\",\"destination.user.group.name\",\"destination.user.hash\",\"destination.user.id\",\"destination.user.name\",\"destination.user.name.text\",\"destination.user.roles\",\"dll.code_signature.exists\",\"dll.code_signature.status\",\"dll.code_signature.subject_name\",\"dll.code_signature.trusted\",\"dll.code_signature.valid\",\"dll.hash.md5\",\"dll.hash.sha1\",\"dll.hash.sha256\",\"dll.hash.sha512\",\"dll.name\",\"dll.path\",\"dll.pe.architecture\",\"dll.pe.company\",\"dll.pe.description\",\"dll.pe.file_version\",\"dll.pe.imphash\",\"dll.pe.original_file_name\",\"dll.pe.product\",\"dns.answers.class\",\"dns.answers.data\",\"dns.answers.name\",\"dns.answers.ttl\",\"dns.answers.type\",\"dns.header_flags\",\"dns.id\",\"dns.op_code\",\"dns.question.class\",\"dns.question.name\",\"dns.question.registered_domain\",\"dns.question.subdomain\",\"dns.question.top_level_domain\",\"dns.question.type\",\"dns.resolved_
ip\",\"dns.response_code\",\"dns.type\",\"ecs.version\",\"elasticsearch.audit.action\",\"elasticsearch.audit.event_type\",\"elasticsearch.audit.indices\",\"elasticsearch.audit.layer\",\"elasticsearch.audit.message\",\"elasticsearch.audit.origin.type\",\"elasticsearch.audit.realm\",\"elasticsearch.audit.request.id\",\"elasticsearch.audit.request.name\",\"elasticsearch.audit.url.params\",\"elasticsearch.audit.user.realm\",\"elasticsearch.audit.user.roles\",\"elasticsearch.cluster.name\",\"elasticsearch.cluster.uuid\",\"elasticsearch.component\",\"elasticsearch.gc.heap.size_kb\",\"elasticsearch.gc.heap.used_kb\",\"elasticsearch.gc.jvm_runtime_sec\",\"elasticsearch.gc.old_gen.size_kb\",\"elasticsearch.gc.old_gen.used_kb\",\"elasticsearch.gc.phase.class_unload_time_sec\",\"elasticsearch.gc.phase.cpu_time.real_sec\",\"elasticsearch.gc.phase.cpu_time.sys_sec\",\"elasticsearch.gc.phase.cpu_time.user_sec\",\"elasticsearch.gc.phase.duration_sec\",\"elasticsearch.gc.phase.name\",\"elasticsearch.gc.phase.parallel_rescan_time_sec\",\"elasticsearch.gc.phase.scrub_string_table_time_sec\",\"elasticsearch.gc.phase.scrub_symbol_table_time_sec\",\"elasticsearch.gc.phase.weak_refs_processing_time_sec\",\"elasticsearch.gc.stopping_threads_time_sec\",\"elasticsearch.gc.tags\",\"elasticsearch.gc.threads_total_stop_time_sec\",\"elasticsearch.gc.young_gen.size_kb\",\"elasticsearch.gc.young_gen.used_kb\",\"elasticsearch.index.id\",\"elasticsearch.index.name\",\"elasticsearch.node.id\",\"elasticsearch.node.name\",\"elasticsearch.server.gc.collection_duration.ms\",\"elasticsearch.server.gc.observation_duration.ms\",\"elasticsearch.server.gc.overhead_seq\",\"elasticsearch.server.gc.young.one\",\"elasticsearch.server.gc.young.two\",\"elasticsearch.server.stacktrace\",\"elasticsearch.shard.id\",\"elasticsearch.slowlog.extra_source\",\"elasticsearch.slowlog.id\",\"elasticsearch.slowlog.logger\",\"elasticsearch.slowlog.routing\",\"elasticsearch.slowlog.search_type\",\"elasticsearch.slowlog.source\"
,\"elasticsearch.slowlog.source_query\",\"elasticsearch.slowlog.stats\",\"elasticsearch.slowlog.took\",\"elasticsearch.slowlog.total_hits\",\"elasticsearch.slowlog.total_shards\",\"elasticsearch.slowlog.type\",\"elasticsearch.slowlog.types\",\"error.code\",\"error.id\",\"error.message\",\"error.stack_trace\",\"error.stack_trace.text\",\"error.type\",\"event.action\",\"event.category\",\"event.code\",\"event.created\",\"data_stream.dataset\",\"event.duration\",\"event.end\",\"event.hash\",\"event.id\",\"event.ingested\",\"event.kind\",\"event.integration\",\"event.original\",\"event.outcome\",\"event.provider\",\"event.reason\",\"event.reference\",\"event.risk_score\",\"event.risk_score_norm\",\"event.sequence\",\"event.severity\",\"event.start\",\"event.timezone\",\"event.type\",\"event.url\",\"file.accessed\",\"file.attributes\",\"file.code_signature.exists\",\"file.code_signature.status\",\"file.code_signature.subject_name\",\"file.code_signature.trusted\",\"file.code_signature.valid\",\"file.created\",\"file.ctime\",\"file.device\",\"file.directory\",\"file.drive_letter\",\"file.extension\",\"file.gid\",\"file.group\",\"file.hash.md5\",\"file.hash.sha1\",\"file.hash.sha256\",\"file.hash.sha512\",\"file.inode\",\"file.mime_type\",\"file.mode\",\"file.mtime\",\"file.name\",\"file.owner\",\"file.path\",\"file.path.text\",\"file.pe.architecture\",\"file.pe.company\",\"file.pe.description\",\"file.pe.file_version\",\"file.pe.imphash\",\"file.pe.original_file_name\",\"file.pe.product\",\"file.size\",\"file.target_path\",\"file.target_path.text\",\"file.type\",\"file.uid\",\"file.x509.alternative_names\",\"file.x509.issuer.common_name\",\"file.x509.issuer.country\",\"file.x509.issuer.distinguished_name\",\"file.x509.issuer.locality\",\"file.x509.issuer.organization\",\"file.x509.issuer.organizational_unit\",\"file.x509.issuer.state_or_province\",\"file.x509.not_after\",\"file.x509.not_before\",\"file.x509.public_key_algorithm\",\"file.x509.public_key_curve\",\"file.x509
.public_key_exponent\",\"file.x509.public_key_size\",\"file.x509.serial_number\",\"file.x509.signature_algorithm\",\"file.x509.subject.common_name\",\"file.x509.subject.country\",\"file.x509.subject.distinguished_name\",\"file.x509.subject.locality\",\"file.x509.subject.organization\",\"file.x509.subject.organizational_unit\",\"file.x509.subject.state_or_province\",\"file.x509.version_number\",\"fileset.name\",\"geo.city_name\",\"geo.continent_name\",\"geo.country_iso_code\",\"geo.country_name\",\"geo.location\",\"geo.name\",\"geo.region_iso_code\",\"geo.region_name\",\"group.domain\",\"group.id\",\"group.name\",\"haproxy.backend_name\",\"haproxy.backend_queue\",\"haproxy.bind_name\",\"haproxy.bytes_read\",\"haproxy.connection_wait_time_ms\",\"haproxy.connections.active\",\"haproxy.connections.backend\",\"haproxy.connections.frontend\",\"haproxy.connections.retries\",\"haproxy.connections.server\",\"haproxy.error_message\",\"haproxy.frontend_name\",\"haproxy.http.request.captured_cookie\",\"haproxy.http.request.captured_headers\",\"haproxy.http.request.raw_request_line\",\"haproxy.http.request.time_wait_ms\",\"haproxy.http.request.time_wait_without_data_ms\",\"haproxy.http.response.captured_cookie\",\"haproxy.http.response.captured_headers\",\"haproxy.mode\",\"haproxy.server_name\",\"haproxy.server_queue\",\"haproxy.source\",\"haproxy.tcp.connection_waiting_time_ms\",\"haproxy.termination_state\",\"haproxy.time_backend_connect\",\"haproxy.time_queue\",\"haproxy.total_waiting_time_ms\",\"hash.md5\",\"hash.sha1\",\"hash.sha256\",\"hash.sha512\",\"hid_bravura_monitor.instancename\",\"hid_bravura_monitor.node\",\"hid_bravura_monitor.perf.address\",\"hid_bravura_monitor.perf.address\",\"hid_bravura_monitor.perf.adminid\",\"hid_bravura_monitor.perf.adminid\",\"hid_bravura_monitor.perf.dbcommand\",\"hid_bravura_monitor.perf.dbcommand\",\"hid_bravura_monitor.perf.destination\",\"hid_bravura_monitor.perf.duration\",\"hid_bravura_monitor.perf.event\",\"hid_bravura_monitor.per
f.event\",\"hid_bravura_monitor.perf.exe\",\"hid_bravura_monitor.perf.exe\",\"hid_bravura_monitor.perf.file\",\"hid_bravura_monitor.perf.function\",\"hid_bravura_monitor.perf.function\",\"hid_bravura_monitor.perf.kernel\",\"hid_bravura_monitor.perf.kind\",\"hid_bravura_monitor.perf.kind\",\"hid_bravura_monitor.perf.message\",\"hid_bravura_monitor.perf.message\",\"hid_bravura_monitor.perf.operation\",\"hid_bravura_monitor.perf.operation\",\"hid_bravura_monitor.perf.receivequeue\",\"hid_bravura_monitor.perf.receivequeue\",\"hid_bravura_monitor.perf.records\",\"hid_bravura_monitor.perf.result\",\"hid_bravura_monitor.perf.result\",\"hid_bravura_monitor.perf.rule\",\"hid_bravura_monitor.perf.sessionid\",\"hid_bravura_monitor.perf.sessionid\",\"hid_bravura_monitor.perf.sysid\",\"hid_bravura_monitor.perf.sysid\",\"hid_bravura_monitor.perf.table\",\"hid_bravura_monitor.perf.table\",\"hid_bravura_monitor.perf.targetid\",\"hid_bravura_monitor.perf.targetid\",\"hid_bravura_monitor.perf.transid\",\"hid_bravura_monitor.perf.transid\",\"hid_bravura_monitor.perf.type\",\"hid_bravura_monitor.perf.user\",\"hid_bravura_monitor.request.id\",\"hid_bravura_monitor.request.id\",\"host.architecture\",\"host.containerized\",\"host.domain\",\"host.geo.city_name\",\"host.geo.continent_name\",\"host.geo.country_iso_code\",\"host.geo.country_name\",\"host.geo.location\",\"host.geo.name\",\"host.geo.region_iso_code\",\"host.geo.region_name\",\"host.hostname\",\"host.id\",\"host.ip\",\"host.mac\",\"host.name\",\"host.os.build\",\"host.os.codename\",\"host.os.family\",\"host.os.full\",\"host.os.full.text\",\"host.os.kernel\",\"host.os.name\",\"host.os.name.text\",\"host.os.platform\",\"host.os.version\",\"host.type\",\"host.uptime\",\"host.user.domain\",\"host.user.email\",\"host.user.full_name\",\"host.user.full_name.text\",\"host.user.group.domain\",\"host.user.group.id\",\"host.user.group.name\",\"host.user.hash\",\"host.user.id\",\"host.user.name\",\"host.user.name.text\",\"host.user.roles\",
\"http.request.body.bytes\",\"http.request.body.content\",\"http.request.body.content.text\",\"http.request.bytes\",\"http.request.method\",\"http.request.mime_type\",\"http.request.referrer\",\"http.response.body.bytes\",\"http.response.body.content\",\"http.response.body.content.text\",\"http.response.bytes\",\"http.response.mime_type\",\"http.response.status_code\",\"http.version\",\"icinga.debug.facility\",\"icinga.main.facility\",\"icinga.startup.facility\",\"icmp.code\",\"icmp.type\",\"igmp.type\",\"iis.access.cookie\",\"iis.access.server_name\",\"iis.access.site_name\",\"iis.access.sub_status\",\"iis.access.win32_status\",\"iis.error.queue_name\",\"iis.error.reason_phrase\",\"input.type\",\"interface.alias\",\"interface.id\",\"interface.name\",\"jolokia.agent.id\",\"jolokia.agent.version\",\"jolokia.secured\",\"jolokia.server.product\",\"jolokia.server.vendor\",\"jolokia.server.version\",\"jolokia.url\",\"kafka.block_timestamp\",\"kafka.key\",\"kafka.log.class\",\"kafka.log.component\",\"kafka.log.thread\",\"kafka.log.trace.class\",\"kafka.log.trace.message\",\"kafka.offset\",\"kafka.partition\",\"kafka.topic\",\"kibana.add_to_spaces\",\"kibana.authentication_provider\",\"kibana.authentication_realm\",\"kibana.authentication_type\",\"kibana.delete_from_spaces\",\"kibana.log.state\",\"kibana.log.tags\",\"kibana.lookup_realm\",\"kibana.saved_object.id\",\"kibana.saved_object.type\",\"kibana.session_id\",\"kibana.space_id\",\"kubernetes.container.image\",\"kubernetes.container.name\",\"kubernetes.deployment.name\",\"kubernetes.namespace\",\"kubernetes.node.hostname\",\"kubernetes.node.name\",\"kubernetes.pod.name\",\"kubernetes.pod.uid\",\"kubernetes.replicaset.name\",\"kubernetes.statefulset.name\",\"log.file.path\",\"log.flags\",\"log.level\",\"log.logger\",\"log.offset\",\"log.origin.file.line\",\"log.origin.file.name\",\"log.origin.function\",\"log.original\",\"log.source.address\",\"log.syslog.facility.code\",\"log.syslog.facility.name\",\"log.syslog.priori
ty\",\"log.syslog.severity.code\",\"log.syslog.severity.name\",\"logstash.log.integration\",\"logstash.log.pipeline_id\",\"logstash.log.thread\",\"logstash.log.thread.text\",\"logstash.slowlog.event\",\"logstash.slowlog.event.text\",\"logstash.slowlog.integration\",\"logstash.slowlog.plugin_name\",\"logstash.slowlog.plugin_params\",\"logstash.slowlog.plugin_params.text\",\"logstash.slowlog.plugin_type\",\"logstash.slowlog.thread\",\"logstash.slowlog.thread.text\",\"logstash.slowlog.took_in_millis\",\"message\",\"mongodb.log.component\",\"mongodb.log.context\",\"mysql.slowlog.bytes_received\",\"mysql.slowlog.bytes_sent\",\"mysql.slowlog.current_user\",\"mysql.slowlog.filesort\",\"mysql.slowlog.filesort_on_disk\",\"mysql.slowlog.full_join\",\"mysql.slowlog.full_scan\",\"mysql.slowlog.innodb.io_r_bytes\",\"mysql.slowlog.innodb.io_r_ops\",\"mysql.slowlog.innodb.io_r_wait.sec\",\"mysql.slowlog.innodb.pages_distinct\",\"mysql.slowlog.innodb.queue_wait.sec\",\"mysql.slowlog.innodb.rec_lock_wait.sec\",\"mysql.slowlog.innodb.trx_id\",\"mysql.slowlog.killed\",\"mysql.slowlog.last_errno\",\"mysql.slowlog.lock_time.sec\",\"mysql.slowlog.log_slow_rate_limit\",\"mysql.slowlog.log_slow_rate_type\",\"mysql.slowlog.merge_passes\",\"mysql.slowlog.priority_queue\",\"mysql.slowlog.query\",\"mysql.slowlog.query_cache_hit\",\"mysql.slowlog.read_first\",\"mysql.slowlog.read_key\",\"mysql.slowlog.read_last\",\"mysql.slowlog.read_next\",\"mysql.slowlog.read_prev\",\"mysql.slowlog.read_rnd\",\"mysql.slowlog.read_rnd_next\",\"mysql.slowlog.rows_affected\",\"mysql.slowlog.rows_examined\",\"mysql.slowlog.rows_sent\",\"mysql.slowlog.schema\",\"mysql.slowlog.sort_merge_passes\",\"mysql.slowlog.sort_range_count\",\"mysql.slowlog.sort_rows\",\"mysql.slowlog.sort_scan_count\",\"mysql.slowlog.tmp_disk_tables\",\"mysql.slowlog.tmp_table\",\"mysql.slowlog.tmp_table_on_disk\",\"mysql.slowlog.tmp_table_sizes\",\"mysql.slowlog.tmp_tables\",\"mysql.thread_id\",\"nats.log.client.id\",\"nats.log.msg.bytes\",
\"nats.log.msg.error.message\",\"nats.log.msg.max_messages\",\"nats.log.msg.queue_group\",\"nats.log.msg.reply_to\",\"nats.log.msg.sid\",\"nats.log.msg.subject\",\"nats.log.msg.type\",\"network.application\",\"network.bytes\",\"network.community_id\",\"network.direction\",\"network.forwarded_ip\",\"network.iana_number\",\"network.inner.vlan.id\",\"network.inner.vlan.name\",\"network.name\",\"network.packets\",\"network.protocol\",\"network.transport\",\"network.type\",\"network.vlan.id\",\"network.vlan.name\",\"nginx.error.connection_id\",\"nginx.ingress_controller.http.request.id\",\"nginx.ingress_controller.http.request.length\",\"nginx.ingress_controller.http.request.time\",\"nginx.ingress_controller.upstream.alternative_name\",\"nginx.ingress_controller.upstream.ip\",\"nginx.ingress_controller.upstream.name\",\"nginx.ingress_controller.upstream.port\",\"nginx.ingress_controller.upstream.response.length\",\"nginx.ingress_controller.upstream.response.length_list\",\"nginx.ingress_controller.upstream.response.status_code\",\"nginx.ingress_controller.upstream.response.status_code_list\",\"nginx.ingress_controller.upstream.response.time\",\"nginx.ingress_controller.upstream.response.time_list\",\"nginx.ingress_controller.upstream_address_list\",\"observer.egress.interface.alias\",\"observer.egress.interface.id\",\"observer.egress.interface.name\",\"observer.egress.vlan.id\",\"observer.egress.vlan.name\",\"observer.egress.zone\",\"observer.geo.city_name\",\"observer.geo.continent_name\",\"observer.geo.country_iso_code\",\"observer.geo.country_name\",\"observer.geo.location\",\"observer.geo.name\",\"observer.geo.region_iso_code\",\"observer.geo.region_name\",\"observer.hostname\",\"observer.ingress.interface.alias\",\"observer.ingress.interface.id\",\"observer.ingress.interface.name\",\"observer.ingress.vlan.id\",\"observer.ingress.vlan.name\",\"observer.ingress.zone\",\"observer.ip\",\"observer.mac\",\"observer.name\",\"observer.os.family\",\"observer.os.full\",\"obse
rver.os.full.text\",\"observer.os.kernel\",\"observer.os.name\",\"observer.os.name.text\",\"observer.os.platform\",\"observer.os.version\",\"observer.product\",\"observer.serial_number\",\"observer.type\",\"observer.vendor\",\"observer.version\",\"organization.id\",\"organization.name\",\"organization.name.text\",\"os.family\",\"os.full\",\"os.full.text\",\"os.kernel\",\"os.name\",\"os.name.text\",\"os.platform\",\"os.version\",\"osquery.result.action\",\"osquery.result.calendar_time\",\"osquery.result.host_identifier\",\"osquery.result.name\",\"osquery.result.unix_time\",\"package.architecture\",\"package.build_version\",\"package.checksum\",\"package.description\",\"package.install_scope\",\"package.installed\",\"package.license\",\"package.name\",\"package.path\",\"package.reference\",\"package.size\",\"package.type\",\"package.version\",\"pe.architecture\",\"pe.company\",\"pe.description\",\"pe.file_version\",\"pe.imphash\",\"pe.original_file_name\",\"pe.product\",\"postgresql.log.core_id\",\"postgresql.log.database\",\"postgresql.log.error.code\",\"postgresql.log.query\",\"postgresql.log.query_name\",\"postgresql.log.query_step\",\"postgresql.log.timestamp\",\"process.args\",\"process.args_count\",\"process.code_signature.exists\",\"process.code_signature.status\",\"process.code_signature.subject_name\",\"process.code_signature.trusted\",\"process.code_signature.valid\",\"process.command_line\",\"process.command_line.text\",\"process.entity_id\",\"process.executable\",\"process.executable.text\",\"process.exit_code\",\"process.hash.md5\",\"process.hash.sha1\",\"process.hash.sha256\",\"process.hash.sha512\",\"process.name\",\"process.name.text\",\"process.parent.args\",\"process.parent.args_count\",\"process.parent.code_signature.exists\",\"process.parent.code_signature.status\",\"process.parent.code_signature.subject_name\",\"process.parent.code_signature.trusted\",\"process.parent.code_signature.valid\",\"process.parent.command_line\",\"process.parent.command_
line.text\",\"process.parent.entity_id\",\"process.parent.executable\",\"process.parent.executable.text\",\"process.parent.exit_code\",\"process.parent.hash.md5\",\"process.parent.hash.sha1\",\"process.parent.hash.sha256\",\"process.parent.hash.sha512\",\"process.parent.name\",\"process.parent.name.text\",\"process.parent.pe.architecture\",\"process.parent.pe.company\",\"process.parent.pe.description\",\"process.parent.pe.file_version\",\"process.parent.pe.imphash\",\"process.parent.pe.original_file_name\",\"process.parent.pe.product\",\"process.parent.pgid\",\"process.parent.pid\",\"process.parent.ppid\",\"process.parent.start\",\"process.parent.thread.id\",\"process.parent.thread.name\",\"process.parent.title\",\"process.parent.title.text\",\"process.parent.uptime\",\"process.parent.working_directory\",\"process.parent.working_directory.text\",\"process.pe.architecture\",\"process.pe.company\",\"process.pe.description\",\"process.pe.file_version\",\"process.pe.imphash\",\"process.pe.original_file_name\",\"process.pe.product\",\"process.pgid\",\"process.pid\",\"process.ppid\",\"process.program\",\"process.start\",\"process.thread.id\",\"process.thread.name\",\"process.title\",\"process.title.text\",\"process.uptime\",\"process.working_directory\",\"process.working_directory.text\",\"redis.log.role\",\"redis.slowlog.args\",\"redis.slowlog.cmd\",\"redis.slowlog.duration.us\",\"redis.slowlog.id\",\"redis.slowlog.key\",\"registry.data.bytes\",\"registry.data.strings\",\"registry.data.type\",\"registry.hive\",\"registry.key\",\"registry.path\",\"registry.value\",\"related.hash\",\"related.hosts\",\"related.ip\",\"related.user\",\"rule.author\",\"rule.category\",\"rule.description\",\"rule.id\",\"rule.license\",\"rule.name\",\"rule.reference\",\"rule.ruleset\",\"rule.uuid\",\"rule.version\",\"santa.action\",\"santa.certificate.common_name\",\"santa.certificate.sha256\",\"santa.decision\",\"santa.disk.bsdname\",\"santa.disk.bus\",\"santa.disk.fs\",\"santa.disk.model\",\"s
anta.disk.mount\",\"santa.disk.serial\",\"santa.disk.volume\",\"santa.mode\",\"santa.reason\",\"server.address\",\"server.as.number\",\"server.as.organization.name\",\"server.as.organization.name.text\",\"server.bytes\",\"server.domain\",\"server.geo.city_name\",\"server.geo.continent_name\",\"server.geo.country_iso_code\",\"server.geo.country_name\",\"server.geo.location\",\"server.geo.name\",\"server.geo.region_iso_code\",\"server.geo.region_name\",\"server.ip\",\"server.mac\",\"server.nat.ip\",\"server.nat.port\",\"server.packets\",\"server.port\",\"server.registered_domain\",\"server.subdomain\",\"server.top_level_domain\",\"server.user.domain\",\"server.user.email\",\"server.user.full_name\",\"server.user.full_name.text\",\"server.user.group.domain\",\"server.user.group.id\",\"server.user.group.name\",\"server.user.hash\",\"server.user.id\",\"server.user.name\",\"server.user.name.text\",\"server.user.roles\",\"service.ephemeral_id\",\"service.id\",\"service.name\",\"service.node.name\",\"service.state\",\"service.type\",\"service.version\",\"source.address\",\"source.as.number\",\"source.as.organization.name\",\"source.as.organization.name.text\",\"source.bytes\",\"source.domain\",\"source.geo.city_name\",\"source.geo.continent_name\",\"source.geo.country_iso_code\",\"source.geo.country_name\",\"source.geo.location\",\"source.geo.name\",\"source.geo.region_iso_code\",\"source.geo.region_name\",\"source.ip\",\"source.mac\",\"source.nat.ip\",\"source.nat.port\",\"source.packets\",\"source.port\",\"source.registered_domain\",\"source.subdomain\",\"source.top_level_domain\",\"source.user.domain\",\"source.user.email\",\"source.user.full_name\",\"source.user.full_name.text\",\"source.user.group.domain\",\"source.user.group.id\",\"source.user.group.name\",\"source.user.hash\",\"source.user.id\",\"source.user.name\",\"source.user.name.text\",\"source.user.roles\",\"span.id\",\"stream\",\"syslog.facility\",\"syslog.facility_label\",\"syslog.priority\",\"syslog.severity
_label\",\"system.auth.ssh.dropped_ip\",\"system.auth.ssh.event\",\"system.auth.ssh.method\",\"system.auth.ssh.signature\",\"system.auth.sudo.command\",\"system.auth.sudo.error\",\"system.auth.sudo.pwd\",\"system.auth.sudo.tty\",\"system.auth.sudo.user\",\"system.auth.useradd.home\",\"system.auth.useradd.shell\",\"tags\",\"threat.framework\",\"threat.tactic.id\",\"threat.tactic.name\",\"threat.tactic.reference\",\"threat.technique.id\",\"threat.technique.name\",\"threat.technique.name.text\",\"threat.technique.reference\",\"threat.technique.subtechnique.id\",\"threat.technique.subtechnique.name\",\"threat.technique.subtechnique.name.text\",\"threat.technique.subtechnique.reference\",\"timeseries.instance\",\"tls.cipher\",\"tls.client.certificate\",\"tls.client.certificate_chain\",\"tls.client.hash.md5\",\"tls.client.hash.sha1\",\"tls.client.hash.sha256\",\"tls.client.issuer\",\"tls.client.ja3\",\"tls.client.not_after\",\"tls.client.not_before\",\"tls.client.server_name\",\"tls.client.subject\",\"tls.client.supported_ciphers\",\"tls.client.x509.alternative_names\",\"tls.client.x509.issuer.common_name\",\"tls.client.x509.issuer.country\",\"tls.client.x509.issuer.distinguished_name\",\"tls.client.x509.issuer.locality\",\"tls.client.x509.issuer.organization\",\"tls.client.x509.issuer.organizational_unit\",\"tls.client.x509.issuer.state_or_province\",\"tls.client.x509.not_after\",\"tls.client.x509.not_before\",\"tls.client.x509.public_key_algorithm\",\"tls.client.x509.public_key_curve\",\"tls.client.x509.public_key_exponent\",\"tls.client.x509.public_key_size\",\"tls.client.x509.serial_number\",\"tls.client.x509.signature_algorithm\",\"tls.client.x509.subject.common_name\",\"tls.client.x509.subject.country\",\"tls.client.x509.subject.distinguished_name\",\"tls.client.x509.subject.locality\",\"tls.client.x509.subject.organization\",\"tls.client.x509.subject.organizational_unit\",\"tls.client.x509.subject.state_or_province\",\"tls.client.x509.version_number\",\"tls.curve\"
,\"tls.established\",\"tls.next_protocol\",\"tls.resumed\",\"tls.server.certificate\",\"tls.server.certificate_chain\",\"tls.server.hash.md5\",\"tls.server.hash.sha1\",\"tls.server.hash.sha256\",\"tls.server.issuer\",\"tls.server.ja3s\",\"tls.server.not_after\",\"tls.server.not_before\",\"tls.server.subject\",\"tls.server.x509.alternative_names\",\"tls.server.x509.issuer.common_name\",\"tls.server.x509.issuer.country\",\"tls.server.x509.issuer.distinguished_name\",\"tls.server.x509.issuer.locality\",\"tls.server.x509.issuer.organization\",\"tls.server.x509.issuer.organizational_unit\",\"tls.server.x509.issuer.state_or_province\",\"tls.server.x509.not_after\",\"tls.server.x509.not_before\",\"tls.server.x509.public_key_algorithm\",\"tls.server.x509.public_key_curve\",\"tls.server.x509.public_key_exponent\",\"tls.server.x509.public_key_size\",\"tls.server.x509.serial_number\",\"tls.server.x509.signature_algorithm\",\"tls.server.x509.subject.common_name\",\"tls.server.x509.subject.country\",\"tls.server.x509.subject.distinguished_name\",\"tls.server.x509.subject.locality\",\"tls.server.x509.subject.organization\",\"tls.server.x509.subject.organizational_unit\",\"tls.server.x509.subject.state_or_province\",\"tls.server.x509.version_number\",\"tls.version\",\"tls.version_protocol\",\"trace.id\",\"traefik.access.backend_url\",\"traefik.access.frontend_name\",\"traefik.access.geoip.city_name\",\"traefik.access.geoip.continent_name\",\"traefik.access.geoip.country_iso_code\",\"traefik.access.geoip.location\",\"traefik.access.geoip.region_iso_code\",\"traefik.access.geoip.region_name\",\"traefik.access.request_count\",\"traefik.access.user_agent.device\",\"traefik.access.user_agent.name\",\"traefik.access.user_agent.original\",\"traefik.access.user_agent.os\",\"traefik.access.user_agent.os_name\",\"traefik.access.user_identifier\",\"transaction.id\",\"url.domain\",\"url.extension\",\"url.fragment\",\"url.full\",\"url.full.text\",\"url.original\",\"url.original.text\",\"url.pa
ssword\",\"url.path\",\"url.port\",\"url.query\",\"url.registered_domain\",\"url.scheme\",\"url.subdomain\",\"url.top_level_domain\",\"url.username\",\"user.audit.group.id\",\"user.audit.group.name\",\"user.audit.id\",\"user.audit.name\",\"user.domain\",\"user.effective.group.id\",\"user.effective.group.name\",\"user.effective.id\",\"user.effective.name\",\"user.email\",\"user.filesystem.group.id\",\"user.filesystem.group.name\",\"user.filesystem.id\",\"user.filesystem.name\",\"user.full_name\",\"user.full_name.text\",\"user.group.domain\",\"user.group.id\",\"user.group.name\",\"user.hash\",\"user.id\",\"user.name\",\"user.name.text\",\"user.owner.group.id\",\"user.owner.group.name\",\"user.owner.id\",\"user.owner.name\",\"user.roles\",\"user.saved.group.id\",\"user.saved.group.name\",\"user.saved.id\",\"user.saved.name\",\"user.terminal\",\"user_agent.device.name\",\"user_agent.name\",\"user_agent.original\",\"user_agent.original.text\",\"user_agent.os.family\",\"user_agent.os.full\",\"user_agent.os.full.text\",\"user_agent.os.full_name\",\"user_agent.os.kernel\",\"user_agent.os.name\",\"user_agent.os.name.text\",\"user_agent.os.platform\",\"user_agent.os.version\",\"user_agent.version\",\"vlan.id\",\"vlan.name\",\"vulnerability.category\",\"vulnerability.classification\",\"vulnerability.description\",\"vulnerability.description.text\",\"vulnerability.enumeration\",\"vulnerability.id\",\"vulnerability.reference\",\"vulnerability.report_id\",\"vulnerability.scanner.vendor\",\"vulnerability.score.base\",\"vulnerability.score.environmental\",\"vulnerability.score.temporal\",\"vulnerability.score.version\",\"vulnerability.severity\",\"x509.alternative_names\",\"x509.issuer.common_name\",\"x509.issuer.country\",\"x509.issuer.distinguished_name\",\"x509.issuer.locality\",\"x509.issuer.organization\",\"x509.issuer.organizational_unit\",\"x509.issuer.state_or_province\",\"x509.not_after\",\"x509.not_before\",\"x509.public_key_algorithm\",\"x509.public_key_curve\",\"x509.pu
blic_key_exponent\",\"x509.public_key_size\",\"x509.serial_number\",\"x509.signature_algorithm\",\"x509.subject.common_name\",\"x509.subject.country\",\"x509.subject.distinguished_name\",\"x509.subject.locality\",\"x509.subject.organization\",\"x509.subject.organizational_unit\",\"x509.subject.state_or_province\",\"x509.version_number\"],\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"hid_bravura_monitor.perf.kind\",\"negate\":false,\"params\":{\"query\":\"PerfConnector\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"hid_bravura_monitor.perf.kind\":\"PerfConnector\"}}}],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "Connector Return Code", - "version": 1 - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-55100560-1add-11eb-abcf-effcd51852fa", - "migrationVersion": { - "search": "7.9.3" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/hid_bravura_monitor/1.2.2/kibana/search/hid_bravura_monitor-77cbe8b0-de89-11eb-a272-2d62b237e243.json b/packages/hid_bravura_monitor/1.2.2/kibana/search/hid_bravura_monitor-77cbe8b0-de89-11eb-a272-2d62b237e243.json deleted file mode 100755 index c617f5e303..0000000000 --- a/packages/hid_bravura_monitor/1.2.2/kibana/search/hid_bravura_monitor-77cbe8b0-de89-11eb-a272-2d62b237e243.json +++ /dev/null 
@@ -1,44 +0,0 @@
-{
- "attributes": {
- "columns": [],
- "description": "",
- "hits": 0,
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"hid_bravura_monitor.perf.transid\",\"negate\":true,\"params\":{\"query\":\"\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"hid_bravura_monitor.perf.transid\":\"\"}}},{\"$state\":{\"store\":\"appState\"},\"exists\":{\"field\":\"hid_bravura_monitor.perf.transid\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"hid_bravura_monitor.perf.transid\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}"
- },
- "sort": [
- [
- "@timestamp",
- "desc"
- ]
- ],
- "title": "Users: Pages: Search",
- "version": 1
- },
- "coreMigrationVersion": "7.15.0",
- "id": "hid_bravura_monitor-77cbe8b0-de89-11eb-a272-2d62b237e243",
- "migrationVersion": {
- "search": "7.9.3"
- },
- "namespaces": [
- "default"
- ],
- "references": [
- {
- "id": "logs-*",
- "name": "kibanaSavedObjectMeta.searchSourceJSON.index",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index",
- "type": "index-pattern"
- }
- ],
- "type": "search"
-}
\ No newline at end of file
diff --git a/packages/hid_bravura_monitor/1.2.2/kibana/search/hid_bravura_monitor-83eacd90-1473-11eb-bb7b-bb041e8cf289.json b/packages/hid_bravura_monitor/1.2.2/kibana/search/hid_bravura_monitor-83eacd90-1473-11eb-bb7b-bb041e8cf289.json
deleted file mode 100755
index b8bd09d7f6..0000000000
--- a/packages/hid_bravura_monitor/1.2.2/kibana/search/hid_bravura_monitor-83eacd90-1473-11eb-bb7b-bb041e8cf289.json
+++ /dev/null
@@ -1,44 +0,0 @@ -{ - "attributes": { - "columns": [ - "host.name", - "hid_bravura_monitor.perf.duration", - "hid_bravura_monitor.perf.caller", - "log.logger" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"fieldsFromSource\":[\"@timestamp\",\"_id\",\"_index\",\"_score\",\"_source\",\"_type\",\"agent.build.original\",\"agent.ephemeral_id\",\"agent.hostname\",\"agent.id\",\"agent.name\",\"agent.type\",\"agent.version\",\"apache.access.ssl.cipher\",\"apache.access.ssl.protocol\",\"apache.error.integration\",\"as.number\",\"as.organization.name\",\"as.organization.name.text\",\"auditd.log.a0\",\"auditd.log.addr\",\"auditd.log.item\",\"auditd.log.items\",\"auditd.log.laddr\",\"auditd.log.lport\",\"auditd.log.new_auid\",\"auditd.log.new_ses\",\"auditd.log.old_auid\",\"auditd.log.old_ses\",\"auditd.log.rport\",\"auditd.log.sequence\",\"auditd.log.tty\",\"azure.consumer_group\",\"azure.enqueued_time\",\"azure.eventhub\",\"azure.offset\",\"azure.partition_id\",\"azure.sequence_number\",\"client.address\",\"client.as.number\",\"client.as.organization.name\",\"client.as.organization.name.text\",\"client.bytes\",\"client.domain\",\"client.geo.city_name\",\"client.geo.continent_name\",\"client.geo.country_iso_code\",\"client.geo.country_name\",\"client.geo.location\",\"client.geo.name\",\"client.geo.region_iso_code\",\"client.geo.region_name\",\"client.ip\",\"client.mac\",\"client.nat.ip\",\"client.nat.port\",\"client.packets\",\"client.port\",\"client.registered_domain\",\"client.subdomain\",\"client.top_level_domain\",\"client.user.domain\",\"client.user.email\",\"client.user.full_name\",\"client.user.full_name.text\",\"client.user.group.domain\",\"client.user.group.id\",\"client.user.group.name\",\"client.user.hash\",\"client.user.id\",\"client.user.name\",\"client.user.name.text\",\"client.user.roles\",\"cloud.account.id\",\"cloud.account.name\",\"cloud.availability_zone\",\"cloud.image.id\",\"cloud.instance.id\",\"cloud.instanc
e.name\",\"cloud.machine.type\",\"cloud.project.id\",\"cloud.project.name\",\"cloud.provider\",\"cloud.region\",\"code_signature.exists\",\"code_signature.status\",\"code_signature.subject_name\",\"code_signature.trusted\",\"code_signature.valid\",\"container.id\",\"container.image.name\",\"container.image.tag\",\"container.name\",\"container.runtime\",\"destination.address\",\"destination.as.number\",\"destination.as.organization.name\",\"destination.as.organization.name.text\",\"destination.bytes\",\"destination.domain\",\"destination.geo.city_name\",\"destination.geo.continent_name\",\"destination.geo.country_iso_code\",\"destination.geo.country_name\",\"destination.geo.location\",\"destination.geo.name\",\"destination.geo.region_iso_code\",\"destination.geo.region_name\",\"destination.ip\",\"destination.mac\",\"destination.nat.ip\",\"destination.nat.port\",\"destination.packets\",\"destination.port\",\"destination.registered_domain\",\"destination.subdomain\",\"destination.top_level_domain\",\"destination.user.domain\",\"destination.user.email\",\"destination.user.full_name\",\"destination.user.full_name.text\",\"destination.user.group.domain\",\"destination.user.group.id\",\"destination.user.group.name\",\"destination.user.hash\",\"destination.user.id\",\"destination.user.name\",\"destination.user.name.text\",\"destination.user.roles\",\"dll.code_signature.exists\",\"dll.code_signature.status\",\"dll.code_signature.subject_name\",\"dll.code_signature.trusted\",\"dll.code_signature.valid\",\"dll.hash.md5\",\"dll.hash.sha1\",\"dll.hash.sha256\",\"dll.hash.sha512\",\"dll.name\",\"dll.path\",\"dll.pe.architecture\",\"dll.pe.company\",\"dll.pe.description\",\"dll.pe.file_version\",\"dll.pe.imphash\",\"dll.pe.original_file_name\",\"dll.pe.product\",\"dns.answers.class\",\"dns.answers.data\",\"dns.answers.name\",\"dns.answers.ttl\",\"dns.answers.type\",\"dns.header_flags\",\"dns.id\",\"dns.op_code\",\"dns.question.class\",\"dns.question.name\",\"dns.question.registere
d_domain\",\"dns.question.subdomain\",\"dns.question.top_level_domain\",\"dns.question.type\",\"dns.resolved_ip\",\"dns.response_code\",\"dns.type\",\"ecs.version\",\"elasticsearch.audit.action\",\"elasticsearch.audit.event_type\",\"elasticsearch.audit.indices\",\"elasticsearch.audit.layer\",\"elasticsearch.audit.message\",\"elasticsearch.audit.origin.type\",\"elasticsearch.audit.realm\",\"elasticsearch.audit.request.id\",\"elasticsearch.audit.request.name\",\"elasticsearch.audit.url.params\",\"elasticsearch.audit.user.realm\",\"elasticsearch.audit.user.roles\",\"elasticsearch.cluster.name\",\"elasticsearch.cluster.uuid\",\"elasticsearch.component\",\"elasticsearch.gc.heap.size_kb\",\"elasticsearch.gc.heap.used_kb\",\"elasticsearch.gc.jvm_runtime_sec\",\"elasticsearch.gc.old_gen.size_kb\",\"elasticsearch.gc.old_gen.used_kb\",\"elasticsearch.gc.phase.class_unload_time_sec\",\"elasticsearch.gc.phase.cpu_time.real_sec\",\"elasticsearch.gc.phase.cpu_time.sys_sec\",\"elasticsearch.gc.phase.cpu_time.user_sec\",\"elasticsearch.gc.phase.duration_sec\",\"elasticsearch.gc.phase.name\",\"elasticsearch.gc.phase.parallel_rescan_time_sec\",\"elasticsearch.gc.phase.scrub_string_table_time_sec\",\"elasticsearch.gc.phase.scrub_symbol_table_time_sec\",\"elasticsearch.gc.phase.weak_refs_processing_time_sec\",\"elasticsearch.gc.stopping_threads_time_sec\",\"elasticsearch.gc.tags\",\"elasticsearch.gc.threads_total_stop_time_sec\",\"elasticsearch.gc.young_gen.size_kb\",\"elasticsearch.gc.young_gen.used_kb\",\"elasticsearch.index.id\",\"elasticsearch.index.name\",\"elasticsearch.node.id\",\"elasticsearch.node.name\",\"elasticsearch.server.gc.collection_duration.ms\",\"elasticsearch.server.gc.observation_duration.ms\",\"elasticsearch.server.gc.overhead_seq\",\"elasticsearch.server.gc.young.one\",\"elasticsearch.server.gc.young.two\",\"elasticsearch.server.stacktrace\",\"elasticsearch.shard.id\",\"elasticsearch.slowlog.extra_source\",\"elasticsearch.slowlog.id\",\"elasticsearch.slowlog.logg
er\",\"elasticsearch.slowlog.routing\",\"elasticsearch.slowlog.search_type\",\"elasticsearch.slowlog.source\",\"elasticsearch.slowlog.source_query\",\"elasticsearch.slowlog.stats\",\"elasticsearch.slowlog.took\",\"elasticsearch.slowlog.total_hits\",\"elasticsearch.slowlog.total_shards\",\"elasticsearch.slowlog.type\",\"elasticsearch.slowlog.types\",\"error.code\",\"error.id\",\"error.message\",\"error.stack_trace\",\"error.stack_trace.text\",\"error.type\",\"event.action\",\"event.category\",\"event.code\",\"event.created\",\"data_stream.dataset\",\"event.duration\",\"event.end\",\"event.hash\",\"event.id\",\"event.ingested\",\"event.kind\",\"event.integration\",\"event.original\",\"event.outcome\",\"event.provider\",\"event.reason\",\"event.reference\",\"event.risk_score\",\"event.risk_score_norm\",\"event.sequence\",\"event.severity\",\"event.start\",\"event.timezone\",\"event.type\",\"event.url\",\"file.accessed\",\"file.attributes\",\"file.code_signature.exists\",\"file.code_signature.status\",\"file.code_signature.subject_name\",\"file.code_signature.trusted\",\"file.code_signature.valid\",\"file.created\",\"file.ctime\",\"file.device\",\"file.directory\",\"file.drive_letter\",\"file.extension\",\"file.gid\",\"file.group\",\"file.hash.md5\",\"file.hash.sha1\",\"file.hash.sha256\",\"file.hash.sha512\",\"file.inode\",\"file.mime_type\",\"file.mode\",\"file.mtime\",\"file.name\",\"file.owner\",\"file.path\",\"file.path.text\",\"file.pe.architecture\",\"file.pe.company\",\"file.pe.description\",\"file.pe.file_version\",\"file.pe.imphash\",\"file.pe.original_file_name\",\"file.pe.product\",\"file.size\",\"file.target_path\",\"file.target_path.text\",\"file.type\",\"file.uid\",\"file.x509.alternative_names\",\"file.x509.issuer.common_name\",\"file.x509.issuer.country\",\"file.x509.issuer.distinguished_name\",\"file.x509.issuer.locality\",\"file.x509.issuer.organization\",\"file.x509.issuer.organizational_unit\",\"file.x509.issuer.state_or_province\",\"file.x509.not_a
fter\",\"file.x509.not_before\",\"file.x509.public_key_algorithm\",\"file.x509.public_key_curve\",\"file.x509.public_key_exponent\",\"file.x509.public_key_size\",\"file.x509.serial_number\",\"file.x509.signature_algorithm\",\"file.x509.subject.common_name\",\"file.x509.subject.country\",\"file.x509.subject.distinguished_name\",\"file.x509.subject.locality\",\"file.x509.subject.organization\",\"file.x509.subject.organizational_unit\",\"file.x509.subject.state_or_province\",\"file.x509.version_number\",\"fileset.name\",\"geo.city_name\",\"geo.continent_name\",\"geo.country_iso_code\",\"geo.country_name\",\"geo.location\",\"geo.name\",\"geo.region_iso_code\",\"geo.region_name\",\"group.domain\",\"group.id\",\"group.name\",\"haproxy.backend_name\",\"haproxy.backend_queue\",\"haproxy.bind_name\",\"haproxy.bytes_read\",\"haproxy.connection_wait_time_ms\",\"haproxy.connections.active\",\"haproxy.connections.backend\",\"haproxy.connections.frontend\",\"haproxy.connections.retries\",\"haproxy.connections.server\",\"haproxy.error_message\",\"haproxy.frontend_name\",\"haproxy.http.request.captured_cookie\",\"haproxy.http.request.captured_headers\",\"haproxy.http.request.raw_request_line\",\"haproxy.http.request.time_wait_ms\",\"haproxy.http.request.time_wait_without_data_ms\",\"haproxy.http.response.captured_cookie\",\"haproxy.http.response.captured_headers\",\"haproxy.mode\",\"haproxy.server_name\",\"haproxy.server_queue\",\"haproxy.source\",\"haproxy.tcp.connection_waiting_time_ms\",\"haproxy.termination_state\",\"haproxy.time_backend_connect\",\"haproxy.time_queue\",\"haproxy.total_waiting_time_ms\",\"hash.md5\",\"hash.sha1\",\"hash.sha256\",\"hash.sha512\",\"hid_bravura_monitor.instancename\",\"hid_bravura_monitor.node\",\"hid_bravura_monitor.perf.address\",\"hid_bravura_monitor.perf.address\",\"hid_bravura_monitor.perf.adminid\",\"hid_bravura_monitor.perf.adminid\",\"hid_bravura_monitor.perf.dbcommand\",\"hid_bravura_monitor.perf.dbcommand\",\"hid_bravura_monitor.perf.des
tination\",\"hid_bravura_monitor.perf.duration\",\"hid_bravura_monitor.perf.event\",\"hid_bravura_monitor.perf.event\",\"hid_bravura_monitor.perf.exe\",\"hid_bravura_monitor.perf.exe\",\"hid_bravura_monitor.perf.file\",\"hid_bravura_monitor.perf.function\",\"hid_bravura_monitor.perf.function\",\"hid_bravura_monitor.perf.kernel\",\"hid_bravura_monitor.perf.kind\",\"hid_bravura_monitor.perf.kind\",\"hid_bravura_monitor.perf.message\",\"hid_bravura_monitor.perf.message\",\"hid_bravura_monitor.perf.operation\",\"hid_bravura_monitor.perf.operation\",\"hid_bravura_monitor.perf.receivequeue\",\"hid_bravura_monitor.perf.receivequeue\",\"hid_bravura_monitor.perf.records\",\"hid_bravura_monitor.perf.result\",\"hid_bravura_monitor.perf.result\",\"hid_bravura_monitor.perf.rule\",\"hid_bravura_monitor.perf.sessionid\",\"hid_bravura_monitor.perf.sessionid\",\"hid_bravura_monitor.perf.sysid\",\"hid_bravura_monitor.perf.sysid\",\"hid_bravura_monitor.perf.table\",\"hid_bravura_monitor.perf.table\",\"hid_bravura_monitor.perf.targetid\",\"hid_bravura_monitor.perf.targetid\",\"hid_bravura_monitor.perf.transid\",\"hid_bravura_monitor.perf.transid\",\"hid_bravura_monitor.perf.type\",\"hid_bravura_monitor.perf.user\",\"hid_bravura_monitor.request.id\",\"hid_bravura_monitor.request.id\",\"host.architecture\",\"host.containerized\",\"host.domain\",\"host.geo.city_name\",\"host.geo.continent_name\",\"host.geo.country_iso_code\",\"host.geo.country_name\",\"host.geo.location\",\"host.geo.name\",\"host.geo.region_iso_code\",\"host.geo.region_name\",\"host.hostname\",\"host.id\",\"host.ip\",\"host.mac\",\"host.name\",\"host.os.build\",\"host.os.codename\",\"host.os.family\",\"host.os.full\",\"host.os.full.text\",\"host.os.kernel\",\"host.os.name\",\"host.os.name.text\",\"host.os.platform\",\"host.os.version\",\"host.type\",\"host.uptime\",\"host.user.domain\",\"host.user.email\",\"host.user.full_name\",\"host.user.full_name.text\",\"host.user.group.domain\",\"host.user.group.id\",\"host.user.gro
up.name\",\"host.user.hash\",\"host.user.id\",\"host.user.name\",\"host.user.name.text\",\"host.user.roles\",\"http.request.body.bytes\",\"http.request.body.content\",\"http.request.body.content.text\",\"http.request.bytes\",\"http.request.method\",\"http.request.mime_type\",\"http.request.referrer\",\"http.response.body.bytes\",\"http.response.body.content\",\"http.response.body.content.text\",\"http.response.bytes\",\"http.response.mime_type\",\"http.response.status_code\",\"http.version\",\"icinga.debug.facility\",\"icinga.main.facility\",\"icinga.startup.facility\",\"icmp.code\",\"icmp.type\",\"igmp.type\",\"iis.access.cookie\",\"iis.access.server_name\",\"iis.access.site_name\",\"iis.access.sub_status\",\"iis.access.win32_status\",\"iis.error.queue_name\",\"iis.error.reason_phrase\",\"input.type\",\"interface.alias\",\"interface.id\",\"interface.name\",\"jolokia.agent.id\",\"jolokia.agent.version\",\"jolokia.secured\",\"jolokia.server.product\",\"jolokia.server.vendor\",\"jolokia.server.version\",\"jolokia.url\",\"kafka.block_timestamp\",\"kafka.key\",\"kafka.log.class\",\"kafka.log.component\",\"kafka.log.thread\",\"kafka.log.trace.class\",\"kafka.log.trace.message\",\"kafka.offset\",\"kafka.partition\",\"kafka.topic\",\"kibana.add_to_spaces\",\"kibana.authentication_provider\",\"kibana.authentication_realm\",\"kibana.authentication_type\",\"kibana.delete_from_spaces\",\"kibana.log.state\",\"kibana.log.tags\",\"kibana.lookup_realm\",\"kibana.saved_object.id\",\"kibana.saved_object.type\",\"kibana.session_id\",\"kibana.space_id\",\"kubernetes.container.image\",\"kubernetes.container.name\",\"kubernetes.deployment.name\",\"kubernetes.namespace\",\"kubernetes.node.hostname\",\"kubernetes.node.name\",\"kubernetes.pod.name\",\"kubernetes.pod.uid\",\"kubernetes.replicaset.name\",\"kubernetes.statefulset.name\",\"log.file.path\",\"log.flags\",\"log.level\",\"log.logger\",\"log.offset\",\"log.origin.file.line\",\"log.origin.file.name\",\"log.origin.function\",\"log.or
iginal\",\"log.source.address\",\"log.syslog.facility.code\",\"log.syslog.facility.name\",\"log.syslog.priority\",\"log.syslog.severity.code\",\"log.syslog.severity.name\",\"logstash.log.integration\",\"logstash.log.pipeline_id\",\"logstash.log.thread\",\"logstash.log.thread.text\",\"logstash.slowlog.event\",\"logstash.slowlog.event.text\",\"logstash.slowlog.integration\",\"logstash.slowlog.plugin_name\",\"logstash.slowlog.plugin_params\",\"logstash.slowlog.plugin_params.text\",\"logstash.slowlog.plugin_type\",\"logstash.slowlog.thread\",\"logstash.slowlog.thread.text\",\"logstash.slowlog.took_in_millis\",\"message\",\"mongodb.log.component\",\"mongodb.log.context\",\"mysql.slowlog.bytes_received\",\"mysql.slowlog.bytes_sent\",\"mysql.slowlog.current_user\",\"mysql.slowlog.filesort\",\"mysql.slowlog.filesort_on_disk\",\"mysql.slowlog.full_join\",\"mysql.slowlog.full_scan\",\"mysql.slowlog.innodb.io_r_bytes\",\"mysql.slowlog.innodb.io_r_ops\",\"mysql.slowlog.innodb.io_r_wait.sec\",\"mysql.slowlog.innodb.pages_distinct\",\"mysql.slowlog.innodb.queue_wait.sec\",\"mysql.slowlog.innodb.rec_lock_wait.sec\",\"mysql.slowlog.innodb.trx_id\",\"mysql.slowlog.killed\",\"mysql.slowlog.last_errno\",\"mysql.slowlog.lock_time.sec\",\"mysql.slowlog.log_slow_rate_limit\",\"mysql.slowlog.log_slow_rate_type\",\"mysql.slowlog.merge_passes\",\"mysql.slowlog.priority_queue\",\"mysql.slowlog.query\",\"mysql.slowlog.query_cache_hit\",\"mysql.slowlog.read_first\",\"mysql.slowlog.read_key\",\"mysql.slowlog.read_last\",\"mysql.slowlog.read_next\",\"mysql.slowlog.read_prev\",\"mysql.slowlog.read_rnd\",\"mysql.slowlog.read_rnd_next\",\"mysql.slowlog.rows_affected\",\"mysql.slowlog.rows_examined\",\"mysql.slowlog.rows_sent\",\"mysql.slowlog.schema\",\"mysql.slowlog.sort_merge_passes\",\"mysql.slowlog.sort_range_count\",\"mysql.slowlog.sort_rows\",\"mysql.slowlog.sort_scan_count\",\"mysql.slowlog.tmp_disk_tables\",\"mysql.slowlog.tmp_table\",\"mysql.slowlog.tmp_table_on_disk\",\"mysql.slowlog.tmp_
table_sizes\",\"mysql.slowlog.tmp_tables\",\"mysql.thread_id\",\"nats.log.client.id\",\"nats.log.msg.bytes\",\"nats.log.msg.error.message\",\"nats.log.msg.max_messages\",\"nats.log.msg.queue_group\",\"nats.log.msg.reply_to\",\"nats.log.msg.sid\",\"nats.log.msg.subject\",\"nats.log.msg.type\",\"network.application\",\"network.bytes\",\"network.community_id\",\"network.direction\",\"network.forwarded_ip\",\"network.iana_number\",\"network.inner.vlan.id\",\"network.inner.vlan.name\",\"network.name\",\"network.packets\",\"network.protocol\",\"network.transport\",\"network.type\",\"network.vlan.id\",\"network.vlan.name\",\"nginx.error.connection_id\",\"nginx.ingress_controller.http.request.id\",\"nginx.ingress_controller.http.request.length\",\"nginx.ingress_controller.http.request.time\",\"nginx.ingress_controller.upstream.alternative_name\",\"nginx.ingress_controller.upstream.ip\",\"nginx.ingress_controller.upstream.name\",\"nginx.ingress_controller.upstream.port\",\"nginx.ingress_controller.upstream.response.length\",\"nginx.ingress_controller.upstream.response.length_list\",\"nginx.ingress_controller.upstream.response.status_code\",\"nginx.ingress_controller.upstream.response.status_code_list\",\"nginx.ingress_controller.upstream.response.time\",\"nginx.ingress_controller.upstream.response.time_list\",\"nginx.ingress_controller.upstream_address_list\",\"observer.egress.interface.alias\",\"observer.egress.interface.id\",\"observer.egress.interface.name\",\"observer.egress.vlan.id\",\"observer.egress.vlan.name\",\"observer.egress.zone\",\"observer.geo.city_name\",\"observer.geo.continent_name\",\"observer.geo.country_iso_code\",\"observer.geo.country_name\",\"observer.geo.location\",\"observer.geo.name\",\"observer.geo.region_iso_code\",\"observer.geo.region_name\",\"observer.hostname\",\"observer.ingress.interface.alias\",\"observer.ingress.interface.id\",\"observer.ingress.interface.name\",\"observer.ingress.vlan.id\",\"observer.ingress.vlan.name\",\"observer.ingress
.zone\",\"observer.ip\",\"observer.mac\",\"observer.name\",\"observer.os.family\",\"observer.os.full\",\"observer.os.full.text\",\"observer.os.kernel\",\"observer.os.name\",\"observer.os.name.text\",\"observer.os.platform\",\"observer.os.version\",\"observer.product\",\"observer.serial_number\",\"observer.type\",\"observer.vendor\",\"observer.version\",\"organization.id\",\"organization.name\",\"organization.name.text\",\"os.family\",\"os.full\",\"os.full.text\",\"os.kernel\",\"os.name\",\"os.name.text\",\"os.platform\",\"os.version\",\"osquery.result.action\",\"osquery.result.calendar_time\",\"osquery.result.host_identifier\",\"osquery.result.name\",\"osquery.result.unix_time\",\"package.architecture\",\"package.build_version\",\"package.checksum\",\"package.description\",\"package.install_scope\",\"package.installed\",\"package.license\",\"package.name\",\"package.path\",\"package.reference\",\"package.size\",\"package.type\",\"package.version\",\"pe.architecture\",\"pe.company\",\"pe.description\",\"pe.file_version\",\"pe.imphash\",\"pe.original_file_name\",\"pe.product\",\"postgresql.log.core_id\",\"postgresql.log.database\",\"postgresql.log.error.code\",\"postgresql.log.query\",\"postgresql.log.query_name\",\"postgresql.log.query_step\",\"postgresql.log.timestamp\",\"process.args\",\"process.args_count\",\"process.code_signature.exists\",\"process.code_signature.status\",\"process.code_signature.subject_name\",\"process.code_signature.trusted\",\"process.code_signature.valid\",\"process.command_line\",\"process.command_line.text\",\"process.entity_id\",\"process.executable\",\"process.executable.text\",\"process.exit_code\",\"process.hash.md5\",\"process.hash.sha1\",\"process.hash.sha256\",\"process.hash.sha512\",\"process.name\",\"process.name.text\",\"process.parent.args\",\"process.parent.args_count\",\"process.parent.code_signature.exists\",\"process.parent.code_signature.status\",\"process.parent.code_signature.subject_name\",\"process.parent.code_signatur
e.trusted\",\"process.parent.code_signature.valid\",\"process.parent.command_line\",\"process.parent.command_line.text\",\"process.parent.entity_id\",\"process.parent.executable\",\"process.parent.executable.text\",\"process.parent.exit_code\",\"process.parent.hash.md5\",\"process.parent.hash.sha1\",\"process.parent.hash.sha256\",\"process.parent.hash.sha512\",\"process.parent.name\",\"process.parent.name.text\",\"process.parent.pe.architecture\",\"process.parent.pe.company\",\"process.parent.pe.description\",\"process.parent.pe.file_version\",\"process.parent.pe.imphash\",\"process.parent.pe.original_file_name\",\"process.parent.pe.product\",\"process.parent.pgid\",\"process.parent.pid\",\"process.parent.ppid\",\"process.parent.start\",\"process.parent.thread.id\",\"process.parent.thread.name\",\"process.parent.title\",\"process.parent.title.text\",\"process.parent.uptime\",\"process.parent.working_directory\",\"process.parent.working_directory.text\",\"process.pe.architecture\",\"process.pe.company\",\"process.pe.description\",\"process.pe.file_version\",\"process.pe.imphash\",\"process.pe.original_file_name\",\"process.pe.product\",\"process.pgid\",\"process.pid\",\"process.ppid\",\"process.program\",\"process.start\",\"process.thread.id\",\"process.thread.name\",\"process.title\",\"process.title.text\",\"process.uptime\",\"process.working_directory\",\"process.working_directory.text\",\"redis.log.role\",\"redis.slowlog.args\",\"redis.slowlog.cmd\",\"redis.slowlog.duration.us\",\"redis.slowlog.id\",\"redis.slowlog.key\",\"registry.data.bytes\",\"registry.data.strings\",\"registry.data.type\",\"registry.hive\",\"registry.key\",\"registry.path\",\"registry.value\",\"related.hash\",\"related.hosts\",\"related.ip\",\"related.user\",\"rule.author\",\"rule.category\",\"rule.description\",\"rule.id\",\"rule.license\",\"rule.name\",\"rule.reference\",\"rule.ruleset\",\"rule.uuid\",\"rule.version\",\"santa.action\",\"santa.certificate.common_name\",\"santa.certificate.sha
256\",\"santa.decision\",\"santa.disk.bsdname\",\"santa.disk.bus\",\"santa.disk.fs\",\"santa.disk.model\",\"santa.disk.mount\",\"santa.disk.serial\",\"santa.disk.volume\",\"santa.mode\",\"santa.reason\",\"server.address\",\"server.as.number\",\"server.as.organization.name\",\"server.as.organization.name.text\",\"server.bytes\",\"server.domain\",\"server.geo.city_name\",\"server.geo.continent_name\",\"server.geo.country_iso_code\",\"server.geo.country_name\",\"server.geo.location\",\"server.geo.name\",\"server.geo.region_iso_code\",\"server.geo.region_name\",\"server.ip\",\"server.mac\",\"server.nat.ip\",\"server.nat.port\",\"server.packets\",\"server.port\",\"server.registered_domain\",\"server.subdomain\",\"server.top_level_domain\",\"server.user.domain\",\"server.user.email\",\"server.user.full_name\",\"server.user.full_name.text\",\"server.user.group.domain\",\"server.user.group.id\",\"server.user.group.name\",\"server.user.hash\",\"server.user.id\",\"server.user.name\",\"server.user.name.text\",\"server.user.roles\",\"service.ephemeral_id\",\"service.id\",\"service.name\",\"service.node.name\",\"service.state\",\"service.type\",\"service.version\",\"source.address\",\"source.as.number\",\"source.as.organization.name\",\"source.as.organization.name.text\",\"source.bytes\",\"source.domain\",\"source.geo.city_name\",\"source.geo.continent_name\",\"source.geo.country_iso_code\",\"source.geo.country_name\",\"source.geo.location\",\"source.geo.name\",\"source.geo.region_iso_code\",\"source.geo.region_name\",\"source.ip\",\"source.mac\",\"source.nat.ip\",\"source.nat.port\",\"source.packets\",\"source.port\",\"source.registered_domain\",\"source.subdomain\",\"source.top_level_domain\",\"source.user.domain\",\"source.user.email\",\"source.user.full_name\",\"source.user.full_name.text\",\"source.user.group.domain\",\"source.user.group.id\",\"source.user.group.name\",\"source.user.hash\",\"source.user.id\",\"source.user.name\",\"source.user.name.text\",\"source.user.roles
\",\"span.id\",\"stream\",\"syslog.facility\",\"syslog.facility_label\",\"syslog.priority\",\"syslog.severity_label\",\"system.auth.ssh.dropped_ip\",\"system.auth.ssh.event\",\"system.auth.ssh.method\",\"system.auth.ssh.signature\",\"system.auth.sudo.command\",\"system.auth.sudo.error\",\"system.auth.sudo.pwd\",\"system.auth.sudo.tty\",\"system.auth.sudo.user\",\"system.auth.useradd.home\",\"system.auth.useradd.shell\",\"tags\",\"threat.framework\",\"threat.tactic.id\",\"threat.tactic.name\",\"threat.tactic.reference\",\"threat.technique.id\",\"threat.technique.name\",\"threat.technique.name.text\",\"threat.technique.reference\",\"threat.technique.subtechnique.id\",\"threat.technique.subtechnique.name\",\"threat.technique.subtechnique.name.text\",\"threat.technique.subtechnique.reference\",\"timeseries.instance\",\"tls.cipher\",\"tls.client.certificate\",\"tls.client.certificate_chain\",\"tls.client.hash.md5\",\"tls.client.hash.sha1\",\"tls.client.hash.sha256\",\"tls.client.issuer\",\"tls.client.ja3\",\"tls.client.not_after\",\"tls.client.not_before\",\"tls.client.server_name\",\"tls.client.subject\",\"tls.client.supported_ciphers\",\"tls.client.x509.alternative_names\",\"tls.client.x509.issuer.common_name\",\"tls.client.x509.issuer.country\",\"tls.client.x509.issuer.distinguished_name\",\"tls.client.x509.issuer.locality\",\"tls.client.x509.issuer.organization\",\"tls.client.x509.issuer.organizational_unit\",\"tls.client.x509.issuer.state_or_province\",\"tls.client.x509.not_after\",\"tls.client.x509.not_before\",\"tls.client.x509.public_key_algorithm\",\"tls.client.x509.public_key_curve\",\"tls.client.x509.public_key_exponent\",\"tls.client.x509.public_key_size\",\"tls.client.x509.serial_number\",\"tls.client.x509.signature_algorithm\",\"tls.client.x509.subject.common_name\",\"tls.client.x509.subject.country\",\"tls.client.x509.subject.distinguished_name\",\"tls.client.x509.subject.locality\",\"tls.client.x509.subject.organization\",\"tls.client.x509.subject.organiz
ational_unit\",\"tls.client.x509.subject.state_or_province\",\"tls.client.x509.version_number\",\"tls.curve\",\"tls.established\",\"tls.next_protocol\",\"tls.resumed\",\"tls.server.certificate\",\"tls.server.certificate_chain\",\"tls.server.hash.md5\",\"tls.server.hash.sha1\",\"tls.server.hash.sha256\",\"tls.server.issuer\",\"tls.server.ja3s\",\"tls.server.not_after\",\"tls.server.not_before\",\"tls.server.subject\",\"tls.server.x509.alternative_names\",\"tls.server.x509.issuer.common_name\",\"tls.server.x509.issuer.country\",\"tls.server.x509.issuer.distinguished_name\",\"tls.server.x509.issuer.locality\",\"tls.server.x509.issuer.organization\",\"tls.server.x509.issuer.organizational_unit\",\"tls.server.x509.issuer.state_or_province\",\"tls.server.x509.not_after\",\"tls.server.x509.not_before\",\"tls.server.x509.public_key_algorithm\",\"tls.server.x509.public_key_curve\",\"tls.server.x509.public_key_exponent\",\"tls.server.x509.public_key_size\",\"tls.server.x509.serial_number\",\"tls.server.x509.signature_algorithm\",\"tls.server.x509.subject.common_name\",\"tls.server.x509.subject.country\",\"tls.server.x509.subject.distinguished_name\",\"tls.server.x509.subject.locality\",\"tls.server.x509.subject.organization\",\"tls.server.x509.subject.organizational_unit\",\"tls.server.x509.subject.state_or_province\",\"tls.server.x509.version_number\",\"tls.version\",\"tls.version_protocol\",\"trace.id\",\"traefik.access.backend_url\",\"traefik.access.frontend_name\",\"traefik.access.geoip.city_name\",\"traefik.access.geoip.continent_name\",\"traefik.access.geoip.country_iso_code\",\"traefik.access.geoip.location\",\"traefik.access.geoip.region_iso_code\",\"traefik.access.geoip.region_name\",\"traefik.access.request_count\",\"traefik.access.user_agent.device\",\"traefik.access.user_agent.name\",\"traefik.access.user_agent.original\",\"traefik.access.user_agent.os\",\"traefik.access.user_agent.os_name\",\"traefik.access.user_identifier\",\"transaction.id\",\"url.domain\",\"ur
l.extension\",\"url.fragment\",\"url.full\",\"url.full.text\",\"url.original\",\"url.original.text\",\"url.password\",\"url.path\",\"url.port\",\"url.query\",\"url.registered_domain\",\"url.scheme\",\"url.subdomain\",\"url.top_level_domain\",\"url.username\",\"user.audit.group.id\",\"user.audit.group.name\",\"user.audit.id\",\"user.audit.name\",\"user.domain\",\"user.effective.group.id\",\"user.effective.group.name\",\"user.effective.id\",\"user.effective.name\",\"user.email\",\"user.filesystem.group.id\",\"user.filesystem.group.name\",\"user.filesystem.id\",\"user.filesystem.name\",\"user.full_name\",\"user.full_name.text\",\"user.group.domain\",\"user.group.id\",\"user.group.name\",\"user.hash\",\"user.id\",\"user.name\",\"user.name.text\",\"user.owner.group.id\",\"user.owner.group.name\",\"user.owner.id\",\"user.owner.name\",\"user.roles\",\"user.saved.group.id\",\"user.saved.group.name\",\"user.saved.id\",\"user.saved.name\",\"user.terminal\",\"user_agent.device.name\",\"user_agent.name\",\"user_agent.original\",\"user_agent.original.text\",\"user_agent.os.family\",\"user_agent.os.full\",\"user_agent.os.full.text\",\"user_agent.os.full_name\",\"user_agent.os.kernel\",\"user_agent.os.name\",\"user_agent.os.name.text\",\"user_agent.os.platform\",\"user_agent.os.version\",\"user_agent.version\",\"vlan.id\",\"vlan.name\",\"vulnerability.category\",\"vulnerability.classification\",\"vulnerability.description\",\"vulnerability.description.text\",\"vulnerability.enumeration\",\"vulnerability.id\",\"vulnerability.reference\",\"vulnerability.report_id\",\"vulnerability.scanner.vendor\",\"vulnerability.score.base\",\"vulnerability.score.environmental\",\"vulnerability.score.temporal\",\"vulnerability.score.version\",\"vulnerability.severity\",\"x509.alternative_names\",\"x509.issuer.common_name\",\"x509.issuer.country\",\"x509.issuer.distinguished_name\",\"x509.issuer.locality\",\"x509.issuer.organization\",\"x509.issuer.organizational_unit\",\"x509.issuer.state_or_provin
ce\",\"x509.not_after\",\"x509.not_before\",\"x509.public_key_algorithm\",\"x509.public_key_curve\",\"x509.public_key_exponent\",\"x509.public_key_size\",\"x509.serial_number\",\"x509.signature_algorithm\",\"x509.subject.common_name\",\"x509.subject.country\",\"x509.subject.distinguished_name\",\"x509.subject.locality\",\"x509.subject.organization\",\"x509.subject.organizational_unit\",\"x509.subject.state_or_province\",\"x509.version_number\"],\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"hid_bravura_monitor.perf.kind\",\"negate\":false,\"params\":{\"query\":\"PerfSproc\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"hid_bravura_monitor.perf.kind\":\"PerfSproc\"}}}],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "PerfSproc", - "version": 1 - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-83eacd90-1473-11eb-bb7b-bb041e8cf289", - "migrationVersion": { - "search": "7.9.3" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/hid_bravura_monitor/1.2.2/kibana/search/hid_bravura_monitor-95032a30-2eab-11eb-b6a1-bdb7d768b585.json b/packages/hid_bravura_monitor/1.2.2/kibana/search/hid_bravura_monitor-95032a30-2eab-11eb-b6a1-bdb7d768b585.json deleted file mode 100755 index 777347bc45..0000000000 --- a/packages/hid_bravura_monitor/1.2.2/kibana/search/hid_bravura_monitor-95032a30-2eab-11eb-b6a1-bdb7d768b585.json +++ /dev/null 
@@ -1,46 +0,0 @@ -{ - "attributes": { - "columns": [ - "hid_bravura_monitor.perf.duration", - "log.logger", - "hid_bravura_monitor.perf.user", - "hid_bravura_monitor.perf.kernel", - "process.pid", - "process.thread.id" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"fieldsFromSource\":[\"@timestamp\",\"_id\",\"_index\",\"_score\",\"_source\",\"_type\",\"agent.build.original\",\"agent.ephemeral_id\",\"agent.hostname\",\"agent.id\",\"agent.name\",\"agent.type\",\"agent.version\",\"apache.access.ssl.cipher\",\"apache.access.ssl.protocol\",\"apache.error.integration\",\"as.number\",\"as.organization.name\",\"as.organization.name.text\",\"auditd.log.a0\",\"auditd.log.addr\",\"auditd.log.item\",\"auditd.log.items\",\"auditd.log.laddr\",\"auditd.log.lport\",\"auditd.log.new_auid\",\"auditd.log.new_ses\",\"auditd.log.old_auid\",\"auditd.log.old_ses\",\"auditd.log.rport\",\"auditd.log.sequence\",\"auditd.log.tty\",\"azure.consumer_group\",\"azure.enqueued_time\",\"azure.eventhub\",\"azure.offset\",\"azure.partition_id\",\"azure.sequence_number\",\"client.address\",\"client.as.number\",\"client.as.organization.name\",\"client.as.organization.name.text\",\"client.bytes\",\"client.domain\",\"client.geo.city_name\",\"client.geo.continent_name\",\"client.geo.country_iso_code\",\"client.geo.country_name\",\"client.geo.location\",\"client.geo.name\",\"client.geo.region_iso_code\",\"client.geo.region_name\",\"client.ip\",\"client.mac\",\"client.nat.ip\",\"client.nat.port\",\"client.packets\",\"client.port\",\"client.registered_domain\",\"client.subdomain\",\"client.top_level_domain\",\"client.user.domain\",\"client.user.email\",\"client.user.full_name\",\"client.user.full_name.text\",\"client.user.group.domain\",\"client.user.group.id\",\"client.user.group.name\",\"client.user.hash\",\"client.user.id\",\"client.user.name\",\"client.user.name.text\",\"client.user.roles\",\"cloud.account.id\",\"cloud.account.name\",\"cloud.availability_zon
e\",\"cloud.image.id\",\"cloud.instance.id\",\"cloud.instance.name\",\"cloud.machine.type\",\"cloud.project.id\",\"cloud.project.name\",\"cloud.provider\",\"cloud.region\",\"code_signature.exists\",\"code_signature.status\",\"code_signature.subject_name\",\"code_signature.trusted\",\"code_signature.valid\",\"container.id\",\"container.image.name\",\"container.image.tag\",\"container.name\",\"container.runtime\",\"destination.address\",\"destination.as.number\",\"destination.as.organization.name\",\"destination.as.organization.name.text\",\"destination.bytes\",\"destination.domain\",\"destination.geo.city_name\",\"destination.geo.continent_name\",\"destination.geo.country_iso_code\",\"destination.geo.country_name\",\"destination.geo.location\",\"destination.geo.name\",\"destination.geo.region_iso_code\",\"destination.geo.region_name\",\"destination.ip\",\"destination.mac\",\"destination.nat.ip\",\"destination.nat.port\",\"destination.packets\",\"destination.port\",\"destination.registered_domain\",\"destination.subdomain\",\"destination.top_level_domain\",\"destination.user.domain\",\"destination.user.email\",\"destination.user.full_name\",\"destination.user.full_name.text\",\"destination.user.group.domain\",\"destination.user.group.id\",\"destination.user.group.name\",\"destination.user.hash\",\"destination.user.id\",\"destination.user.name\",\"destination.user.name.text\",\"destination.user.roles\",\"dll.code_signature.exists\",\"dll.code_signature.status\",\"dll.code_signature.subject_name\",\"dll.code_signature.trusted\",\"dll.code_signature.valid\",\"dll.hash.md5\",\"dll.hash.sha1\",\"dll.hash.sha256\",\"dll.hash.sha512\",\"dll.name\",\"dll.path\",\"dll.pe.architecture\",\"dll.pe.company\",\"dll.pe.description\",\"dll.pe.file_version\",\"dll.pe.imphash\",\"dll.pe.original_file_name\",\"dll.pe.product\",\"dns.answers.class\",\"dns.answers.data\",\"dns.answers.name\",\"dns.answers.ttl\",\"dns.answers.type\",\"dns.header_flags\",\"dns.id\",\"dns.op_code\",\"dns.que
stion.class\",\"dns.question.name\",\"dns.question.registered_domain\",\"dns.question.subdomain\",\"dns.question.top_level_domain\",\"dns.question.type\",\"dns.resolved_ip\",\"dns.response_code\",\"dns.type\",\"ecs.version\",\"elasticsearch.audit.action\",\"elasticsearch.audit.event_type\",\"elasticsearch.audit.indices\",\"elasticsearch.audit.layer\",\"elasticsearch.audit.message\",\"elasticsearch.audit.origin.type\",\"elasticsearch.audit.realm\",\"elasticsearch.audit.request.id\",\"elasticsearch.audit.request.name\",\"elasticsearch.audit.url.params\",\"elasticsearch.audit.user.realm\",\"elasticsearch.audit.user.roles\",\"elasticsearch.cluster.name\",\"elasticsearch.cluster.uuid\",\"elasticsearch.component\",\"elasticsearch.gc.heap.size_kb\",\"elasticsearch.gc.heap.used_kb\",\"elasticsearch.gc.jvm_runtime_sec\",\"elasticsearch.gc.old_gen.size_kb\",\"elasticsearch.gc.old_gen.used_kb\",\"elasticsearch.gc.phase.class_unload_time_sec\",\"elasticsearch.gc.phase.cpu_time.real_sec\",\"elasticsearch.gc.phase.cpu_time.sys_sec\",\"elasticsearch.gc.phase.cpu_time.user_sec\",\"elasticsearch.gc.phase.duration_sec\",\"elasticsearch.gc.phase.name\",\"elasticsearch.gc.phase.parallel_rescan_time_sec\",\"elasticsearch.gc.phase.scrub_string_table_time_sec\",\"elasticsearch.gc.phase.scrub_symbol_table_time_sec\",\"elasticsearch.gc.phase.weak_refs_processing_time_sec\",\"elasticsearch.gc.stopping_threads_time_sec\",\"elasticsearch.gc.tags\",\"elasticsearch.gc.threads_total_stop_time_sec\",\"elasticsearch.gc.young_gen.size_kb\",\"elasticsearch.gc.young_gen.used_kb\",\"elasticsearch.index.id\",\"elasticsearch.index.name\",\"elasticsearch.node.id\",\"elasticsearch.node.name\",\"elasticsearch.server.gc.collection_duration.ms\",\"elasticsearch.server.gc.observation_duration.ms\",\"elasticsearch.server.gc.overhead_seq\",\"elasticsearch.server.gc.young.one\",\"elasticsearch.server.gc.young.two\",\"elasticsearch.server.stacktrace\",\"elasticsearch.shard.id\",\"elasticsearch.slowlog.extra_source
\",\"elasticsearch.slowlog.id\",\"elasticsearch.slowlog.logger\",\"elasticsearch.slowlog.routing\",\"elasticsearch.slowlog.search_type\",\"elasticsearch.slowlog.source\",\"elasticsearch.slowlog.source_query\",\"elasticsearch.slowlog.stats\",\"elasticsearch.slowlog.took\",\"elasticsearch.slowlog.total_hits\",\"elasticsearch.slowlog.total_shards\",\"elasticsearch.slowlog.type\",\"elasticsearch.slowlog.types\",\"error.code\",\"error.id\",\"error.message\",\"error.stack_trace\",\"error.stack_trace.text\",\"error.type\",\"event.action\",\"event.category\",\"event.code\",\"event.created\",\"data_stream.dataset\",\"event.duration\",\"event.end\",\"event.hash\",\"event.id\",\"event.ingested\",\"event.kind\",\"event.integration\",\"event.original\",\"event.outcome\",\"event.provider\",\"event.reason\",\"event.reference\",\"event.risk_score\",\"event.risk_score_norm\",\"event.sequence\",\"event.severity\",\"event.start\",\"event.timezone\",\"event.type\",\"event.url\",\"file.accessed\",\"file.attributes\",\"file.code_signature.exists\",\"file.code_signature.status\",\"file.code_signature.subject_name\",\"file.code_signature.trusted\",\"file.code_signature.valid\",\"file.created\",\"file.ctime\",\"file.device\",\"file.directory\",\"file.drive_letter\",\"file.extension\",\"file.gid\",\"file.group\",\"file.hash.md5\",\"file.hash.sha1\",\"file.hash.sha256\",\"file.hash.sha512\",\"file.inode\",\"file.mime_type\",\"file.mode\",\"file.mtime\",\"file.name\",\"file.owner\",\"file.path\",\"file.path.text\",\"file.pe.architecture\",\"file.pe.company\",\"file.pe.description\",\"file.pe.file_version\",\"file.pe.imphash\",\"file.pe.original_file_name\",\"file.pe.product\",\"file.size\",\"file.target_path\",\"file.target_path.text\",\"file.type\",\"file.uid\",\"file.x509.alternative_names\",\"file.x509.issuer.common_name\",\"file.x509.issuer.country\",\"file.x509.issuer.distinguished_name\",\"file.x509.issuer.locality\",\"file.x509.issuer.organization\",\"file.x509.issuer.organizational_uni
t\",\"file.x509.issuer.state_or_province\",\"file.x509.not_after\",\"file.x509.not_before\",\"file.x509.public_key_algorithm\",\"file.x509.public_key_curve\",\"file.x509.public_key_exponent\",\"file.x509.public_key_size\",\"file.x509.serial_number\",\"file.x509.signature_algorithm\",\"file.x509.subject.common_name\",\"file.x509.subject.country\",\"file.x509.subject.distinguished_name\",\"file.x509.subject.locality\",\"file.x509.subject.organization\",\"file.x509.subject.organizational_unit\",\"file.x509.subject.state_or_province\",\"file.x509.version_number\",\"fileset.name\",\"geo.city_name\",\"geo.continent_name\",\"geo.country_iso_code\",\"geo.country_name\",\"geo.location\",\"geo.name\",\"geo.region_iso_code\",\"geo.region_name\",\"group.domain\",\"group.id\",\"group.name\",\"haproxy.backend_name\",\"haproxy.backend_queue\",\"haproxy.bind_name\",\"haproxy.bytes_read\",\"haproxy.connection_wait_time_ms\",\"haproxy.connections.active\",\"haproxy.connections.backend\",\"haproxy.connections.frontend\",\"haproxy.connections.retries\",\"haproxy.connections.server\",\"haproxy.error_message\",\"haproxy.frontend_name\",\"haproxy.http.request.captured_cookie\",\"haproxy.http.request.captured_headers\",\"haproxy.http.request.raw_request_line\",\"haproxy.http.request.time_wait_ms\",\"haproxy.http.request.time_wait_without_data_ms\",\"haproxy.http.response.captured_cookie\",\"haproxy.http.response.captured_headers\",\"haproxy.mode\",\"haproxy.server_name\",\"haproxy.server_queue\",\"haproxy.source\",\"haproxy.tcp.connection_waiting_time_ms\",\"haproxy.termination_state\",\"haproxy.time_backend_connect\",\"haproxy.time_queue\",\"haproxy.total_waiting_time_ms\",\"hash.md5\",\"hash.sha1\",\"hash.sha256\",\"hash.sha512\",\"hid_bravura_monitor.instancename\",\"hid_bravura_monitor.node\",\"hid_bravura_monitor.perf.address\",\"hid_bravura_monitor.perf.address\",\"hid_bravura_monitor.perf.adminid\",\"hid_bravura_monitor.perf.adminid\",\"hid_bravura_monitor.perf.dbcommand\",\"hid_bra
vura_monitor.perf.dbcommand\",\"hid_bravura_monitor.perf.destination\",\"hid_bravura_monitor.perf.duration\",\"hid_bravura_monitor.perf.event\",\"hid_bravura_monitor.perf.event\",\"hid_bravura_monitor.perf.exe\",\"hid_bravura_monitor.perf.exe\",\"hid_bravura_monitor.perf.file\",\"hid_bravura_monitor.perf.function\",\"hid_bravura_monitor.perf.function\",\"hid_bravura_monitor.perf.kernel\",\"hid_bravura_monitor.perf.kind\",\"hid_bravura_monitor.perf.kind\",\"hid_bravura_monitor.perf.message\",\"hid_bravura_monitor.perf.message\",\"hid_bravura_monitor.perf.operation\",\"hid_bravura_monitor.perf.operation\",\"hid_bravura_monitor.perf.receivequeue\",\"hid_bravura_monitor.perf.receivequeue\",\"hid_bravura_monitor.perf.records\",\"hid_bravura_monitor.perf.result\",\"hid_bravura_monitor.perf.result\",\"hid_bravura_monitor.perf.rule\",\"hid_bravura_monitor.perf.sessionid\",\"hid_bravura_monitor.perf.sessionid\",\"hid_bravura_monitor.perf.sysid\",\"hid_bravura_monitor.perf.sysid\",\"hid_bravura_monitor.perf.table\",\"hid_bravura_monitor.perf.table\",\"hid_bravura_monitor.perf.targetid\",\"hid_bravura_monitor.perf.targetid\",\"hid_bravura_monitor.perf.transid\",\"hid_bravura_monitor.perf.transid\",\"hid_bravura_monitor.perf.type\",\"hid_bravura_monitor.perf.user\",\"hid_bravura_monitor.request.id\",\"hid_bravura_monitor.request.id\",\"host.architecture\",\"host.containerized\",\"host.domain\",\"host.geo.city_name\",\"host.geo.continent_name\",\"host.geo.country_iso_code\",\"host.geo.country_name\",\"host.geo.location\",\"host.geo.name\",\"host.geo.region_iso_code\",\"host.geo.region_name\",\"host.hostname\",\"host.id\",\"host.ip\",\"host.mac\",\"host.name\",\"host.os.build\",\"host.os.codename\",\"host.os.family\",\"host.os.full\",\"host.os.full.text\",\"host.os.kernel\",\"host.os.name\",\"host.os.name.text\",\"host.os.platform\",\"host.os.version\",\"host.type\",\"host.uptime\",\"host.user.domain\",\"host.user.email\",\"host.user.full_name\",\"host.user.full_name.text\",\"hos
t.user.group.domain\",\"host.user.group.id\",\"host.user.group.name\",\"host.user.hash\",\"host.user.id\",\"host.user.name\",\"host.user.name.text\",\"host.user.roles\",\"http.request.body.bytes\",\"http.request.body.content\",\"http.request.body.content.text\",\"http.request.bytes\",\"http.request.method\",\"http.request.mime_type\",\"http.request.referrer\",\"http.response.body.bytes\",\"http.response.body.content\",\"http.response.body.content.text\",\"http.response.bytes\",\"http.response.mime_type\",\"http.response.status_code\",\"http.version\",\"icinga.debug.facility\",\"icinga.main.facility\",\"icinga.startup.facility\",\"icmp.code\",\"icmp.type\",\"igmp.type\",\"iis.access.cookie\",\"iis.access.server_name\",\"iis.access.site_name\",\"iis.access.sub_status\",\"iis.access.win32_status\",\"iis.error.queue_name\",\"iis.error.reason_phrase\",\"input.type\",\"interface.alias\",\"interface.id\",\"interface.name\",\"jolokia.agent.id\",\"jolokia.agent.version\",\"jolokia.secured\",\"jolokia.server.product\",\"jolokia.server.vendor\",\"jolokia.server.version\",\"jolokia.url\",\"kafka.block_timestamp\",\"kafka.key\",\"kafka.log.class\",\"kafka.log.component\",\"kafka.log.thread\",\"kafka.log.trace.class\",\"kafka.log.trace.message\",\"kafka.offset\",\"kafka.partition\",\"kafka.topic\",\"kibana.add_to_spaces\",\"kibana.authentication_provider\",\"kibana.authentication_realm\",\"kibana.authentication_type\",\"kibana.delete_from_spaces\",\"kibana.log.state\",\"kibana.log.tags\",\"kibana.lookup_realm\",\"kibana.saved_object.id\",\"kibana.saved_object.type\",\"kibana.session_id\",\"kibana.space_id\",\"kubernetes.container.image\",\"kubernetes.container.name\",\"kubernetes.deployment.name\",\"kubernetes.namespace\",\"kubernetes.node.hostname\",\"kubernetes.node.name\",\"kubernetes.pod.name\",\"kubernetes.pod.uid\",\"kubernetes.replicaset.name\",\"kubernetes.statefulset.name\",\"log.file.path\",\"log.flags\",\"log.level\",\"log.logger\",\"log.offset\",\"log.origin.file.line
\",\"log.origin.file.name\",\"log.origin.function\",\"log.original\",\"log.source.address\",\"log.syslog.facility.code\",\"log.syslog.facility.name\",\"log.syslog.priority\",\"log.syslog.severity.code\",\"log.syslog.severity.name\",\"logstash.log.integration\",\"logstash.log.pipeline_id\",\"logstash.log.thread\",\"logstash.log.thread.text\",\"logstash.slowlog.event\",\"logstash.slowlog.event.text\",\"logstash.slowlog.integration\",\"logstash.slowlog.plugin_name\",\"logstash.slowlog.plugin_params\",\"logstash.slowlog.plugin_params.text\",\"logstash.slowlog.plugin_type\",\"logstash.slowlog.thread\",\"logstash.slowlog.thread.text\",\"logstash.slowlog.took_in_millis\",\"message\",\"mongodb.log.component\",\"mongodb.log.context\",\"mysql.slowlog.bytes_received\",\"mysql.slowlog.bytes_sent\",\"mysql.slowlog.current_user\",\"mysql.slowlog.filesort\",\"mysql.slowlog.filesort_on_disk\",\"mysql.slowlog.full_join\",\"mysql.slowlog.full_scan\",\"mysql.slowlog.innodb.io_r_bytes\",\"mysql.slowlog.innodb.io_r_ops\",\"mysql.slowlog.innodb.io_r_wait.sec\",\"mysql.slowlog.innodb.pages_distinct\",\"mysql.slowlog.innodb.queue_wait.sec\",\"mysql.slowlog.innodb.rec_lock_wait.sec\",\"mysql.slowlog.innodb.trx_id\",\"mysql.slowlog.killed\",\"mysql.slowlog.last_errno\",\"mysql.slowlog.lock_time.sec\",\"mysql.slowlog.log_slow_rate_limit\",\"mysql.slowlog.log_slow_rate_type\",\"mysql.slowlog.merge_passes\",\"mysql.slowlog.priority_queue\",\"mysql.slowlog.query\",\"mysql.slowlog.query_cache_hit\",\"mysql.slowlog.read_first\",\"mysql.slowlog.read_key\",\"mysql.slowlog.read_last\",\"mysql.slowlog.read_next\",\"mysql.slowlog.read_prev\",\"mysql.slowlog.read_rnd\",\"mysql.slowlog.read_rnd_next\",\"mysql.slowlog.rows_affected\",\"mysql.slowlog.rows_examined\",\"mysql.slowlog.rows_sent\",\"mysql.slowlog.schema\",\"mysql.slowlog.sort_merge_passes\",\"mysql.slowlog.sort_range_count\",\"mysql.slowlog.sort_rows\",\"mysql.slowlog.sort_scan_count\",\"mysql.slowlog.tmp_disk_tables\",\"mysql.slowlog.tmp_tabl
e\",\"mysql.slowlog.tmp_table_on_disk\",\"mysql.slowlog.tmp_table_sizes\",\"mysql.slowlog.tmp_tables\",\"mysql.thread_id\",\"nats.log.client.id\",\"nats.log.msg.bytes\",\"nats.log.msg.error.message\",\"nats.log.msg.max_messages\",\"nats.log.msg.queue_group\",\"nats.log.msg.reply_to\",\"nats.log.msg.sid\",\"nats.log.msg.subject\",\"nats.log.msg.type\",\"network.application\",\"network.bytes\",\"network.community_id\",\"network.direction\",\"network.forwarded_ip\",\"network.iana_number\",\"network.inner.vlan.id\",\"network.inner.vlan.name\",\"network.name\",\"network.packets\",\"network.protocol\",\"network.transport\",\"network.type\",\"network.vlan.id\",\"network.vlan.name\",\"nginx.error.connection_id\",\"nginx.ingress_controller.http.request.id\",\"nginx.ingress_controller.http.request.length\",\"nginx.ingress_controller.http.request.time\",\"nginx.ingress_controller.upstream.alternative_name\",\"nginx.ingress_controller.upstream.ip\",\"nginx.ingress_controller.upstream.name\",\"nginx.ingress_controller.upstream.port\",\"nginx.ingress_controller.upstream.response.length\",\"nginx.ingress_controller.upstream.response.length_list\",\"nginx.ingress_controller.upstream.response.status_code\",\"nginx.ingress_controller.upstream.response.status_code_list\",\"nginx.ingress_controller.upstream.response.time\",\"nginx.ingress_controller.upstream.response.time_list\",\"nginx.ingress_controller.upstream_address_list\",\"observer.egress.interface.alias\",\"observer.egress.interface.id\",\"observer.egress.interface.name\",\"observer.egress.vlan.id\",\"observer.egress.vlan.name\",\"observer.egress.zone\",\"observer.geo.city_name\",\"observer.geo.continent_name\",\"observer.geo.country_iso_code\",\"observer.geo.country_name\",\"observer.geo.location\",\"observer.geo.name\",\"observer.geo.region_iso_code\",\"observer.geo.region_name\",\"observer.hostname\",\"observer.ingress.interface.alias\",\"observer.ingress.interface.id\",\"observer.ingress.interface.name\",\"observer.ingress
.vlan.id\",\"observer.ingress.vlan.name\",\"observer.ingress.zone\",\"observer.ip\",\"observer.mac\",\"observer.name\",\"observer.os.family\",\"observer.os.full\",\"observer.os.full.text\",\"observer.os.kernel\",\"observer.os.name\",\"observer.os.name.text\",\"observer.os.platform\",\"observer.os.version\",\"observer.product\",\"observer.serial_number\",\"observer.type\",\"observer.vendor\",\"observer.version\",\"organization.id\",\"organization.name\",\"organization.name.text\",\"os.family\",\"os.full\",\"os.full.text\",\"os.kernel\",\"os.name\",\"os.name.text\",\"os.platform\",\"os.version\",\"osquery.result.action\",\"osquery.result.calendar_time\",\"osquery.result.host_identifier\",\"osquery.result.name\",\"osquery.result.unix_time\",\"package.architecture\",\"package.build_version\",\"package.checksum\",\"package.description\",\"package.install_scope\",\"package.installed\",\"package.license\",\"package.name\",\"package.path\",\"package.reference\",\"package.size\",\"package.type\",\"package.version\",\"pe.architecture\",\"pe.company\",\"pe.description\",\"pe.file_version\",\"pe.imphash\",\"pe.original_file_name\",\"pe.product\",\"postgresql.log.core_id\",\"postgresql.log.database\",\"postgresql.log.error.code\",\"postgresql.log.query\",\"postgresql.log.query_name\",\"postgresql.log.query_step\",\"postgresql.log.timestamp\",\"process.args\",\"process.args_count\",\"process.code_signature.exists\",\"process.code_signature.status\",\"process.code_signature.subject_name\",\"process.code_signature.trusted\",\"process.code_signature.valid\",\"process.command_line\",\"process.command_line.text\",\"process.entity_id\",\"process.executable\",\"process.executable.text\",\"process.exit_code\",\"process.hash.md5\",\"process.hash.sha1\",\"process.hash.sha256\",\"process.hash.sha512\",\"process.name\",\"process.name.text\",\"process.parent.args\",\"process.parent.args_count\",\"process.parent.code_signature.exists\",\"process.parent.code_signature.status\",\"process.parent.
code_signature.subject_name\",\"process.parent.code_signature.trusted\",\"process.parent.code_signature.valid\",\"process.parent.command_line\",\"process.parent.command_line.text\",\"process.parent.entity_id\",\"process.parent.executable\",\"process.parent.executable.text\",\"process.parent.exit_code\",\"process.parent.hash.md5\",\"process.parent.hash.sha1\",\"process.parent.hash.sha256\",\"process.parent.hash.sha512\",\"process.parent.name\",\"process.parent.name.text\",\"process.parent.pe.architecture\",\"process.parent.pe.company\",\"process.parent.pe.description\",\"process.parent.pe.file_version\",\"process.parent.pe.imphash\",\"process.parent.pe.original_file_name\",\"process.parent.pe.product\",\"process.parent.pgid\",\"process.parent.pid\",\"process.parent.ppid\",\"process.parent.start\",\"process.parent.thread.id\",\"process.parent.thread.name\",\"process.parent.title\",\"process.parent.title.text\",\"process.parent.uptime\",\"process.parent.working_directory\",\"process.parent.working_directory.text\",\"process.pe.architecture\",\"process.pe.company\",\"process.pe.description\",\"process.pe.file_version\",\"process.pe.imphash\",\"process.pe.original_file_name\",\"process.pe.product\",\"process.pgid\",\"process.pid\",\"process.ppid\",\"process.program\",\"process.start\",\"process.thread.id\",\"process.thread.name\",\"process.title\",\"process.title.text\",\"process.uptime\",\"process.working_directory\",\"process.working_directory.text\",\"redis.log.role\",\"redis.slowlog.args\",\"redis.slowlog.cmd\",\"redis.slowlog.duration.us\",\"redis.slowlog.id\",\"redis.slowlog.key\",\"registry.data.bytes\",\"registry.data.strings\",\"registry.data.type\",\"registry.hive\",\"registry.key\",\"registry.path\",\"registry.value\",\"related.hash\",\"related.hosts\",\"related.ip\",\"related.user\",\"rule.author\",\"rule.category\",\"rule.description\",\"rule.id\",\"rule.license\",\"rule.name\",\"rule.reference\",\"rule.ruleset\",\"rule.uuid\",\"rule.version\",\"santa.action
\",\"santa.certificate.common_name\",\"santa.certificate.sha256\",\"santa.decision\",\"santa.disk.bsdname\",\"santa.disk.bus\",\"santa.disk.fs\",\"santa.disk.model\",\"santa.disk.mount\",\"santa.disk.serial\",\"santa.disk.volume\",\"santa.mode\",\"santa.reason\",\"server.address\",\"server.as.number\",\"server.as.organization.name\",\"server.as.organization.name.text\",\"server.bytes\",\"server.domain\",\"server.geo.city_name\",\"server.geo.continent_name\",\"server.geo.country_iso_code\",\"server.geo.country_name\",\"server.geo.location\",\"server.geo.name\",\"server.geo.region_iso_code\",\"server.geo.region_name\",\"server.ip\",\"server.mac\",\"server.nat.ip\",\"server.nat.port\",\"server.packets\",\"server.port\",\"server.registered_domain\",\"server.subdomain\",\"server.top_level_domain\",\"server.user.domain\",\"server.user.email\",\"server.user.full_name\",\"server.user.full_name.text\",\"server.user.group.domain\",\"server.user.group.id\",\"server.user.group.name\",\"server.user.hash\",\"server.user.id\",\"server.user.name\",\"server.user.name.text\",\"server.user.roles\",\"service.ephemeral_id\",\"service.id\",\"service.name\",\"service.node.name\",\"service.state\",\"service.type\",\"service.version\",\"source.address\",\"source.as.number\",\"source.as.organization.name\",\"source.as.organization.name.text\",\"source.bytes\",\"source.domain\",\"source.geo.city_name\",\"source.geo.continent_name\",\"source.geo.country_iso_code\",\"source.geo.country_name\",\"source.geo.location\",\"source.geo.name\",\"source.geo.region_iso_code\",\"source.geo.region_name\",\"source.ip\",\"source.mac\",\"source.nat.ip\",\"source.nat.port\",\"source.packets\",\"source.port\",\"source.registered_domain\",\"source.subdomain\",\"source.top_level_domain\",\"source.user.domain\",\"source.user.email\",\"source.user.full_name\",\"source.user.full_name.text\",\"source.user.group.domain\",\"source.user.group.id\",\"source.user.group.name\",\"source.user.hash\",\"source.user.id\",\"sour
ce.user.name\",\"source.user.name.text\",\"source.user.roles\",\"span.id\",\"stream\",\"syslog.facility\",\"syslog.facility_label\",\"syslog.priority\",\"syslog.severity_label\",\"system.auth.ssh.dropped_ip\",\"system.auth.ssh.event\",\"system.auth.ssh.method\",\"system.auth.ssh.signature\",\"system.auth.sudo.command\",\"system.auth.sudo.error\",\"system.auth.sudo.pwd\",\"system.auth.sudo.tty\",\"system.auth.sudo.user\",\"system.auth.useradd.home\",\"system.auth.useradd.shell\",\"tags\",\"threat.framework\",\"threat.tactic.id\",\"threat.tactic.name\",\"threat.tactic.reference\",\"threat.technique.id\",\"threat.technique.name\",\"threat.technique.name.text\",\"threat.technique.reference\",\"threat.technique.subtechnique.id\",\"threat.technique.subtechnique.name\",\"threat.technique.subtechnique.name.text\",\"threat.technique.subtechnique.reference\",\"timeseries.instance\",\"tls.cipher\",\"tls.client.certificate\",\"tls.client.certificate_chain\",\"tls.client.hash.md5\",\"tls.client.hash.sha1\",\"tls.client.hash.sha256\",\"tls.client.issuer\",\"tls.client.ja3\",\"tls.client.not_after\",\"tls.client.not_before\",\"tls.client.server_name\",\"tls.client.subject\",\"tls.client.supported_ciphers\",\"tls.client.x509.alternative_names\",\"tls.client.x509.issuer.common_name\",\"tls.client.x509.issuer.country\",\"tls.client.x509.issuer.distinguished_name\",\"tls.client.x509.issuer.locality\",\"tls.client.x509.issuer.organization\",\"tls.client.x509.issuer.organizational_unit\",\"tls.client.x509.issuer.state_or_province\",\"tls.client.x509.not_after\",\"tls.client.x509.not_before\",\"tls.client.x509.public_key_algorithm\",\"tls.client.x509.public_key_curve\",\"tls.client.x509.public_key_exponent\",\"tls.client.x509.public_key_size\",\"tls.client.x509.serial_number\",\"tls.client.x509.signature_algorithm\",\"tls.client.x509.subject.common_name\",\"tls.client.x509.subject.country\",\"tls.client.x509.subject.distinguished_name\",\"tls.client.x509.subject.locality\",\"tls.client.x
509.subject.organization\",\"tls.client.x509.subject.organizational_unit\",\"tls.client.x509.subject.state_or_province\",\"tls.client.x509.version_number\",\"tls.curve\",\"tls.established\",\"tls.next_protocol\",\"tls.resumed\",\"tls.server.certificate\",\"tls.server.certificate_chain\",\"tls.server.hash.md5\",\"tls.server.hash.sha1\",\"tls.server.hash.sha256\",\"tls.server.issuer\",\"tls.server.ja3s\",\"tls.server.not_after\",\"tls.server.not_before\",\"tls.server.subject\",\"tls.server.x509.alternative_names\",\"tls.server.x509.issuer.common_name\",\"tls.server.x509.issuer.country\",\"tls.server.x509.issuer.distinguished_name\",\"tls.server.x509.issuer.locality\",\"tls.server.x509.issuer.organization\",\"tls.server.x509.issuer.organizational_unit\",\"tls.server.x509.issuer.state_or_province\",\"tls.server.x509.not_after\",\"tls.server.x509.not_before\",\"tls.server.x509.public_key_algorithm\",\"tls.server.x509.public_key_curve\",\"tls.server.x509.public_key_exponent\",\"tls.server.x509.public_key_size\",\"tls.server.x509.serial_number\",\"tls.server.x509.signature_algorithm\",\"tls.server.x509.subject.common_name\",\"tls.server.x509.subject.country\",\"tls.server.x509.subject.distinguished_name\",\"tls.server.x509.subject.locality\",\"tls.server.x509.subject.organization\",\"tls.server.x509.subject.organizational_unit\",\"tls.server.x509.subject.state_or_province\",\"tls.server.x509.version_number\",\"tls.version\",\"tls.version_protocol\",\"trace.id\",\"traefik.access.backend_url\",\"traefik.access.frontend_name\",\"traefik.access.geoip.city_name\",\"traefik.access.geoip.continent_name\",\"traefik.access.geoip.country_iso_code\",\"traefik.access.geoip.location\",\"traefik.access.geoip.region_iso_code\",\"traefik.access.geoip.region_name\",\"traefik.access.request_count\",\"traefik.access.user_agent.device\",\"traefik.access.user_agent.name\",\"traefik.access.user_agent.original\",\"traefik.access.user_agent.os\",\"traefik.access.user_agent.os_name\",\"traefik.acc
ess.user_identifier\",\"transaction.id\",\"url.domain\",\"url.extension\",\"url.fragment\",\"url.full\",\"url.full.text\",\"url.original\",\"url.original.text\",\"url.password\",\"url.path\",\"url.port\",\"url.query\",\"url.registered_domain\",\"url.scheme\",\"url.subdomain\",\"url.top_level_domain\",\"url.username\",\"user.audit.group.id\",\"user.audit.group.name\",\"user.audit.id\",\"user.audit.name\",\"user.domain\",\"user.effective.group.id\",\"user.effective.group.name\",\"user.effective.id\",\"user.effective.name\",\"user.email\",\"user.filesystem.group.id\",\"user.filesystem.group.name\",\"user.filesystem.id\",\"user.filesystem.name\",\"user.full_name\",\"user.full_name.text\",\"user.group.domain\",\"user.group.id\",\"user.group.name\",\"user.hash\",\"user.id\",\"user.name\",\"user.name.text\",\"user.owner.group.id\",\"user.owner.group.name\",\"user.owner.id\",\"user.owner.name\",\"user.roles\",\"user.saved.group.id\",\"user.saved.group.name\",\"user.saved.id\",\"user.saved.name\",\"user.terminal\",\"user_agent.device.name\",\"user_agent.name\",\"user_agent.original\",\"user_agent.original.text\",\"user_agent.os.family\",\"user_agent.os.full\",\"user_agent.os.full.text\",\"user_agent.os.full_name\",\"user_agent.os.kernel\",\"user_agent.os.name\",\"user_agent.os.name.text\",\"user_agent.os.platform\",\"user_agent.os.version\",\"user_agent.version\",\"vlan.id\",\"vlan.name\",\"vulnerability.category\",\"vulnerability.classification\",\"vulnerability.description\",\"vulnerability.description.text\",\"vulnerability.enumeration\",\"vulnerability.id\",\"vulnerability.reference\",\"vulnerability.report_id\",\"vulnerability.scanner.vendor\",\"vulnerability.score.base\",\"vulnerability.score.environmental\",\"vulnerability.score.temporal\",\"vulnerability.score.version\",\"vulnerability.severity\",\"x509.alternative_names\",\"x509.issuer.common_name\",\"x509.issuer.country\",\"x509.issuer.distinguished_name\",\"x509.issuer.locality\",\"x509.issuer.organization\",\"x50
9.issuer.organizational_unit\",\"x509.issuer.state_or_province\",\"x509.not_after\",\"x509.not_before\",\"x509.public_key_algorithm\",\"x509.public_key_curve\",\"x509.public_key_exponent\",\"x509.public_key_size\",\"x509.serial_number\",\"x509.signature_algorithm\",\"x509.subject.common_name\",\"x509.subject.country\",\"x509.subject.distinguished_name\",\"x509.subject.locality\",\"x509.subject.organization\",\"x509.subject.organizational_unit\",\"x509.subject.state_or_province\",\"x509.version_number\"],\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"hid_bravura_monitor.perf.kind\",\"negate\":false,\"params\":{\"query\":\"PerfExe\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"hid_bravura_monitor.perf.kind\":\"PerfExe\"}}}],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"NOT log.logger: plugin_*\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "PerfExe - Executables", - "version": 1 - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-95032a30-2eab-11eb-b6a1-bdb7d768b585", - "migrationVersion": { - "search": "7.9.3" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/hid_bravura_monitor/1.2.2/kibana/search/hid_bravura_monitor-991d9760-1473-11eb-bb7b-bb041e8cf289.json b/packages/hid_bravura_monitor/1.2.2/kibana/search/hid_bravura_monitor-991d9760-1473-11eb-bb7b-bb041e8cf289.json deleted file mode 100755 index 08411d94b0..0000000000 
--- a/packages/hid_bravura_monitor/1.2.2/kibana/search/hid_bravura_monitor-991d9760-1473-11eb-bb7b-bb041e8cf289.json
+++ /dev/null
@@ -1,46 +0,0 @@ -{ - "attributes": { - "columns": [ - "log.logger", - "input.type", - "hid_bravura_monitor.perf.function", - "host.name", - "@timestamp", - "message" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"fieldsFromSource\":[\"@timestamp\",\"_id\",\"_index\",\"_score\",\"_source\",\"_type\",\"agent.build.original\",\"agent.ephemeral_id\",\"agent.hostname\",\"agent.id\",\"agent.name\",\"agent.type\",\"agent.version\",\"apache.access.ssl.cipher\",\"apache.access.ssl.protocol\",\"apache.error.integration\",\"as.number\",\"as.organization.name\",\"as.organization.name.text\",\"auditd.log.a0\",\"auditd.log.addr\",\"auditd.log.item\",\"auditd.log.items\",\"auditd.log.laddr\",\"auditd.log.lport\",\"auditd.log.new_auid\",\"auditd.log.new_ses\",\"auditd.log.old_auid\",\"auditd.log.old_ses\",\"auditd.log.rport\",\"auditd.log.sequence\",\"auditd.log.tty\",\"azure.consumer_group\",\"azure.enqueued_time\",\"azure.eventhub\",\"azure.offset\",\"azure.partition_id\",\"azure.sequence_number\",\"client.address\",\"client.as.number\",\"client.as.organization.name\",\"client.as.organization.name.text\",\"client.bytes\",\"client.domain\",\"client.geo.city_name\",\"client.geo.continent_name\",\"client.geo.country_iso_code\",\"client.geo.country_name\",\"client.geo.location\",\"client.geo.name\",\"client.geo.region_iso_code\",\"client.geo.region_name\",\"client.ip\",\"client.mac\",\"client.nat.ip\",\"client.nat.port\",\"client.packets\",\"client.port\",\"client.registered_domain\",\"client.subdomain\",\"client.top_level_domain\",\"client.user.domain\",\"client.user.email\",\"client.user.full_name\",\"client.user.full_name.text\",\"client.user.group.domain\",\"client.user.group.id\",\"client.user.group.name\",\"client.user.hash\",\"client.user.id\",\"client.user.name\",\"client.user.name.text\",\"client.user.roles\",\"cloud.account.id\",\"cloud.account.name\",\"cloud.availability_zone\",\"cloud.image.id\",\"cloud.instance.id\",\"cloud
.instance.name\",\"cloud.machine.type\",\"cloud.project.id\",\"cloud.project.name\",\"cloud.provider\",\"cloud.region\",\"code_signature.exists\",\"code_signature.status\",\"code_signature.subject_name\",\"code_signature.trusted\",\"code_signature.valid\",\"container.id\",\"container.image.name\",\"container.image.tag\",\"container.name\",\"container.runtime\",\"destination.address\",\"destination.as.number\",\"destination.as.organization.name\",\"destination.as.organization.name.text\",\"destination.bytes\",\"destination.domain\",\"destination.geo.city_name\",\"destination.geo.continent_name\",\"destination.geo.country_iso_code\",\"destination.geo.country_name\",\"destination.geo.location\",\"destination.geo.name\",\"destination.geo.region_iso_code\",\"destination.geo.region_name\",\"destination.ip\",\"destination.mac\",\"destination.nat.ip\",\"destination.nat.port\",\"destination.packets\",\"destination.port\",\"destination.registered_domain\",\"destination.subdomain\",\"destination.top_level_domain\",\"destination.user.domain\",\"destination.user.email\",\"destination.user.full_name\",\"destination.user.full_name.text\",\"destination.user.group.domain\",\"destination.user.group.id\",\"destination.user.group.name\",\"destination.user.hash\",\"destination.user.id\",\"destination.user.name\",\"destination.user.name.text\",\"destination.user.roles\",\"dll.code_signature.exists\",\"dll.code_signature.status\",\"dll.code_signature.subject_name\",\"dll.code_signature.trusted\",\"dll.code_signature.valid\",\"dll.hash.md5\",\"dll.hash.sha1\",\"dll.hash.sha256\",\"dll.hash.sha512\",\"dll.name\",\"dll.path\",\"dll.pe.architecture\",\"dll.pe.company\",\"dll.pe.description\",\"dll.pe.file_version\",\"dll.pe.imphash\",\"dll.pe.original_file_name\",\"dll.pe.product\",\"dns.answers.class\",\"dns.answers.data\",\"dns.answers.name\",\"dns.answers.ttl\",\"dns.answers.type\",\"dns.header_flags\",\"dns.id\",\"dns.op_code\",\"dns.question.class\",\"dns.question.name\",\"dns.question.r
egistered_domain\",\"dns.question.subdomain\",\"dns.question.top_level_domain\",\"dns.question.type\",\"dns.resolved_ip\",\"dns.response_code\",\"dns.type\",\"ecs.version\",\"elasticsearch.audit.action\",\"elasticsearch.audit.event_type\",\"elasticsearch.audit.indices\",\"elasticsearch.audit.layer\",\"elasticsearch.audit.message\",\"elasticsearch.audit.origin.type\",\"elasticsearch.audit.realm\",\"elasticsearch.audit.request.id\",\"elasticsearch.audit.request.name\",\"elasticsearch.audit.url.params\",\"elasticsearch.audit.user.realm\",\"elasticsearch.audit.user.roles\",\"elasticsearch.cluster.name\",\"elasticsearch.cluster.uuid\",\"elasticsearch.component\",\"elasticsearch.gc.heap.size_kb\",\"elasticsearch.gc.heap.used_kb\",\"elasticsearch.gc.jvm_runtime_sec\",\"elasticsearch.gc.old_gen.size_kb\",\"elasticsearch.gc.old_gen.used_kb\",\"elasticsearch.gc.phase.class_unload_time_sec\",\"elasticsearch.gc.phase.cpu_time.real_sec\",\"elasticsearch.gc.phase.cpu_time.sys_sec\",\"elasticsearch.gc.phase.cpu_time.user_sec\",\"elasticsearch.gc.phase.duration_sec\",\"elasticsearch.gc.phase.name\",\"elasticsearch.gc.phase.parallel_rescan_time_sec\",\"elasticsearch.gc.phase.scrub_string_table_time_sec\",\"elasticsearch.gc.phase.scrub_symbol_table_time_sec\",\"elasticsearch.gc.phase.weak_refs_processing_time_sec\",\"elasticsearch.gc.stopping_threads_time_sec\",\"elasticsearch.gc.tags\",\"elasticsearch.gc.threads_total_stop_time_sec\",\"elasticsearch.gc.young_gen.size_kb\",\"elasticsearch.gc.young_gen.used_kb\",\"elasticsearch.index.id\",\"elasticsearch.index.name\",\"elasticsearch.node.id\",\"elasticsearch.node.name\",\"elasticsearch.server.gc.collection_duration.ms\",\"elasticsearch.server.gc.observation_duration.ms\",\"elasticsearch.server.gc.overhead_seq\",\"elasticsearch.server.gc.young.one\",\"elasticsearch.server.gc.young.two\",\"elasticsearch.server.stacktrace\",\"elasticsearch.shard.id\",\"elasticsearch.slowlog.extra_source\",\"elasticsearch.slowlog.id\",\"elasticsearch.slow
log.logger\",\"elasticsearch.slowlog.routing\",\"elasticsearch.slowlog.search_type\",\"elasticsearch.slowlog.source\",\"elasticsearch.slowlog.source_query\",\"elasticsearch.slowlog.stats\",\"elasticsearch.slowlog.took\",\"elasticsearch.slowlog.total_hits\",\"elasticsearch.slowlog.total_shards\",\"elasticsearch.slowlog.type\",\"elasticsearch.slowlog.types\",\"error.code\",\"error.id\",\"error.message\",\"error.stack_trace\",\"error.stack_trace.text\",\"error.type\",\"event.action\",\"event.category\",\"event.code\",\"event.created\",\"data_stream.dataset\",\"event.duration\",\"event.end\",\"event.hash\",\"event.id\",\"event.ingested\",\"event.kind\",\"event.integration\",\"event.original\",\"event.outcome\",\"event.provider\",\"event.reason\",\"event.reference\",\"event.risk_score\",\"event.risk_score_norm\",\"event.sequence\",\"event.severity\",\"event.start\",\"event.timezone\",\"event.type\",\"event.url\",\"file.accessed\",\"file.attributes\",\"file.code_signature.exists\",\"file.code_signature.status\",\"file.code_signature.subject_name\",\"file.code_signature.trusted\",\"file.code_signature.valid\",\"file.created\",\"file.ctime\",\"file.device\",\"file.directory\",\"file.drive_letter\",\"file.extension\",\"file.gid\",\"file.group\",\"file.hash.md5\",\"file.hash.sha1\",\"file.hash.sha256\",\"file.hash.sha512\",\"file.inode\",\"file.mime_type\",\"file.mode\",\"file.mtime\",\"file.name\",\"file.owner\",\"file.path\",\"file.path.text\",\"file.pe.architecture\",\"file.pe.company\",\"file.pe.description\",\"file.pe.file_version\",\"file.pe.imphash\",\"file.pe.original_file_name\",\"file.pe.product\",\"file.size\",\"file.target_path\",\"file.target_path.text\",\"file.type\",\"file.uid\",\"file.x509.alternative_names\",\"file.x509.issuer.common_name\",\"file.x509.issuer.country\",\"file.x509.issuer.distinguished_name\",\"file.x509.issuer.locality\",\"file.x509.issuer.organization\",\"file.x509.issuer.organizational_unit\",\"file.x509.issuer.state_or_province\",\"file.x5
09.not_after\",\"file.x509.not_before\",\"file.x509.public_key_algorithm\",\"file.x509.public_key_curve\",\"file.x509.public_key_exponent\",\"file.x509.public_key_size\",\"file.x509.serial_number\",\"file.x509.signature_algorithm\",\"file.x509.subject.common_name\",\"file.x509.subject.country\",\"file.x509.subject.distinguished_name\",\"file.x509.subject.locality\",\"file.x509.subject.organization\",\"file.x509.subject.organizational_unit\",\"file.x509.subject.state_or_province\",\"file.x509.version_number\",\"fileset.name\",\"geo.city_name\",\"geo.continent_name\",\"geo.country_iso_code\",\"geo.country_name\",\"geo.location\",\"geo.name\",\"geo.region_iso_code\",\"geo.region_name\",\"group.domain\",\"group.id\",\"group.name\",\"haproxy.backend_name\",\"haproxy.backend_queue\",\"haproxy.bind_name\",\"haproxy.bytes_read\",\"haproxy.connection_wait_time_ms\",\"haproxy.connections.active\",\"haproxy.connections.backend\",\"haproxy.connections.frontend\",\"haproxy.connections.retries\",\"haproxy.connections.server\",\"haproxy.error_message\",\"haproxy.frontend_name\",\"haproxy.http.request.captured_cookie\",\"haproxy.http.request.captured_headers\",\"haproxy.http.request.raw_request_line\",\"haproxy.http.request.time_wait_ms\",\"haproxy.http.request.time_wait_without_data_ms\",\"haproxy.http.response.captured_cookie\",\"haproxy.http.response.captured_headers\",\"haproxy.mode\",\"haproxy.server_name\",\"haproxy.server_queue\",\"haproxy.source\",\"haproxy.tcp.connection_waiting_time_ms\",\"haproxy.termination_state\",\"haproxy.time_backend_connect\",\"haproxy.time_queue\",\"haproxy.total_waiting_time_ms\",\"hash.md5\",\"hash.sha1\",\"hash.sha256\",\"hash.sha512\",\"hid_bravura_monitor.instancename\",\"hid_bravura_monitor.node\",\"hid_bravura_monitor.perf.address\",\"hid_bravura_monitor.perf.address\",\"hid_bravura_monitor.perf.adminid\",\"hid_bravura_monitor.perf.adminid\",\"hid_bravura_monitor.perf.dbcommand\",\"hid_bravura_monitor.perf.dbcommand\",\"hid_bravura_monitor.
perf.destination\",\"hid_bravura_monitor.perf.duration\",\"hid_bravura_monitor.perf.event\",\"hid_bravura_monitor.perf.event\",\"hid_bravura_monitor.perf.exe\",\"hid_bravura_monitor.perf.exe\",\"hid_bravura_monitor.perf.file\",\"hid_bravura_monitor.perf.function\",\"hid_bravura_monitor.perf.function\",\"hid_bravura_monitor.perf.kernel\",\"hid_bravura_monitor.perf.kind\",\"hid_bravura_monitor.perf.kind\",\"hid_bravura_monitor.perf.message\",\"hid_bravura_monitor.perf.message\",\"hid_bravura_monitor.perf.operation\",\"hid_bravura_monitor.perf.operation\",\"hid_bravura_monitor.perf.receivequeue\",\"hid_bravura_monitor.perf.receivequeue\",\"hid_bravura_monitor.perf.records\",\"hid_bravura_monitor.perf.result\",\"hid_bravura_monitor.perf.result\",\"hid_bravura_monitor.perf.rule\",\"hid_bravura_monitor.perf.sessionid\",\"hid_bravura_monitor.perf.sessionid\",\"hid_bravura_monitor.perf.sysid\",\"hid_bravura_monitor.perf.sysid\",\"hid_bravura_monitor.perf.table\",\"hid_bravura_monitor.perf.table\",\"hid_bravura_monitor.perf.targetid\",\"hid_bravura_monitor.perf.targetid\",\"hid_bravura_monitor.perf.transid\",\"hid_bravura_monitor.perf.transid\",\"hid_bravura_monitor.perf.type\",\"hid_bravura_monitor.perf.user\",\"hid_bravura_monitor.request.id\",\"hid_bravura_monitor.request.id\",\"host.architecture\",\"host.containerized\",\"host.domain\",\"host.geo.city_name\",\"host.geo.continent_name\",\"host.geo.country_iso_code\",\"host.geo.country_name\",\"host.geo.location\",\"host.geo.name\",\"host.geo.region_iso_code\",\"host.geo.region_name\",\"host.hostname\",\"host.id\",\"host.ip\",\"host.mac\",\"host.name\",\"host.os.build\",\"host.os.codename\",\"host.os.family\",\"host.os.full\",\"host.os.full.text\",\"host.os.kernel\",\"host.os.name\",\"host.os.name.text\",\"host.os.platform\",\"host.os.version\",\"host.type\",\"host.uptime\",\"host.user.domain\",\"host.user.email\",\"host.user.full_name\",\"host.user.full_name.text\",\"host.user.group.domain\",\"host.user.group.id\",\"host.
user.group.name\",\"host.user.hash\",\"host.user.id\",\"host.user.name\",\"host.user.name.text\",\"host.user.roles\",\"http.request.body.bytes\",\"http.request.body.content\",\"http.request.body.content.text\",\"http.request.bytes\",\"http.request.method\",\"http.request.mime_type\",\"http.request.referrer\",\"http.response.body.bytes\",\"http.response.body.content\",\"http.response.body.content.text\",\"http.response.bytes\",\"http.response.mime_type\",\"http.response.status_code\",\"http.version\",\"icinga.debug.facility\",\"icinga.main.facility\",\"icinga.startup.facility\",\"icmp.code\",\"icmp.type\",\"igmp.type\",\"iis.access.cookie\",\"iis.access.server_name\",\"iis.access.site_name\",\"iis.access.sub_status\",\"iis.access.win32_status\",\"iis.error.queue_name\",\"iis.error.reason_phrase\",\"input.type\",\"interface.alias\",\"interface.id\",\"interface.name\",\"jolokia.agent.id\",\"jolokia.agent.version\",\"jolokia.secured\",\"jolokia.server.product\",\"jolokia.server.vendor\",\"jolokia.server.version\",\"jolokia.url\",\"kafka.block_timestamp\",\"kafka.key\",\"kafka.log.class\",\"kafka.log.component\",\"kafka.log.thread\",\"kafka.log.trace.class\",\"kafka.log.trace.message\",\"kafka.offset\",\"kafka.partition\",\"kafka.topic\",\"kibana.add_to_spaces\",\"kibana.authentication_provider\",\"kibana.authentication_realm\",\"kibana.authentication_type\",\"kibana.delete_from_spaces\",\"kibana.log.state\",\"kibana.log.tags\",\"kibana.lookup_realm\",\"kibana.saved_object.id\",\"kibana.saved_object.type\",\"kibana.session_id\",\"kibana.space_id\",\"kubernetes.container.image\",\"kubernetes.container.name\",\"kubernetes.deployment.name\",\"kubernetes.namespace\",\"kubernetes.node.hostname\",\"kubernetes.node.name\",\"kubernetes.pod.name\",\"kubernetes.pod.uid\",\"kubernetes.replicaset.name\",\"kubernetes.statefulset.name\",\"log.file.path\",\"log.flags\",\"log.level\",\"log.logger\",\"log.offset\",\"log.origin.file.line\",\"log.origin.file.name\",\"log.origin.function\",
\"log.original\",\"log.source.address\",\"log.syslog.facility.code\",\"log.syslog.facility.name\",\"log.syslog.priority\",\"log.syslog.severity.code\",\"log.syslog.severity.name\",\"logstash.log.integration\",\"logstash.log.pipeline_id\",\"logstash.log.thread\",\"logstash.log.thread.text\",\"logstash.slowlog.event\",\"logstash.slowlog.event.text\",\"logstash.slowlog.integration\",\"logstash.slowlog.plugin_name\",\"logstash.slowlog.plugin_params\",\"logstash.slowlog.plugin_params.text\",\"logstash.slowlog.plugin_type\",\"logstash.slowlog.thread\",\"logstash.slowlog.thread.text\",\"logstash.slowlog.took_in_millis\",\"message\",\"mongodb.log.component\",\"mongodb.log.context\",\"mysql.slowlog.bytes_received\",\"mysql.slowlog.bytes_sent\",\"mysql.slowlog.current_user\",\"mysql.slowlog.filesort\",\"mysql.slowlog.filesort_on_disk\",\"mysql.slowlog.full_join\",\"mysql.slowlog.full_scan\",\"mysql.slowlog.innodb.io_r_bytes\",\"mysql.slowlog.innodb.io_r_ops\",\"mysql.slowlog.innodb.io_r_wait.sec\",\"mysql.slowlog.innodb.pages_distinct\",\"mysql.slowlog.innodb.queue_wait.sec\",\"mysql.slowlog.innodb.rec_lock_wait.sec\",\"mysql.slowlog.innodb.trx_id\",\"mysql.slowlog.killed\",\"mysql.slowlog.last_errno\",\"mysql.slowlog.lock_time.sec\",\"mysql.slowlog.log_slow_rate_limit\",\"mysql.slowlog.log_slow_rate_type\",\"mysql.slowlog.merge_passes\",\"mysql.slowlog.priority_queue\",\"mysql.slowlog.query\",\"mysql.slowlog.query_cache_hit\",\"mysql.slowlog.read_first\",\"mysql.slowlog.read_key\",\"mysql.slowlog.read_last\",\"mysql.slowlog.read_next\",\"mysql.slowlog.read_prev\",\"mysql.slowlog.read_rnd\",\"mysql.slowlog.read_rnd_next\",\"mysql.slowlog.rows_affected\",\"mysql.slowlog.rows_examined\",\"mysql.slowlog.rows_sent\",\"mysql.slowlog.schema\",\"mysql.slowlog.sort_merge_passes\",\"mysql.slowlog.sort_range_count\",\"mysql.slowlog.sort_rows\",\"mysql.slowlog.sort_scan_count\",\"mysql.slowlog.tmp_disk_tables\",\"mysql.slowlog.tmp_table\",\"mysql.slowlog.tmp_table_on_disk\",\"mysql.slow
log.tmp_table_sizes\",\"mysql.slowlog.tmp_tables\",\"mysql.thread_id\",\"nats.log.client.id\",\"nats.log.msg.bytes\",\"nats.log.msg.error.message\",\"nats.log.msg.max_messages\",\"nats.log.msg.queue_group\",\"nats.log.msg.reply_to\",\"nats.log.msg.sid\",\"nats.log.msg.subject\",\"nats.log.msg.type\",\"network.application\",\"network.bytes\",\"network.community_id\",\"network.direction\",\"network.forwarded_ip\",\"network.iana_number\",\"network.inner.vlan.id\",\"network.inner.vlan.name\",\"network.name\",\"network.packets\",\"network.protocol\",\"network.transport\",\"network.type\",\"network.vlan.id\",\"network.vlan.name\",\"nginx.error.connection_id\",\"nginx.ingress_controller.http.request.id\",\"nginx.ingress_controller.http.request.length\",\"nginx.ingress_controller.http.request.time\",\"nginx.ingress_controller.upstream.alternative_name\",\"nginx.ingress_controller.upstream.ip\",\"nginx.ingress_controller.upstream.name\",\"nginx.ingress_controller.upstream.port\",\"nginx.ingress_controller.upstream.response.length\",\"nginx.ingress_controller.upstream.response.length_list\",\"nginx.ingress_controller.upstream.response.status_code\",\"nginx.ingress_controller.upstream.response.status_code_list\",\"nginx.ingress_controller.upstream.response.time\",\"nginx.ingress_controller.upstream.response.time_list\",\"nginx.ingress_controller.upstream_address_list\",\"observer.egress.interface.alias\",\"observer.egress.interface.id\",\"observer.egress.interface.name\",\"observer.egress.vlan.id\",\"observer.egress.vlan.name\",\"observer.egress.zone\",\"observer.geo.city_name\",\"observer.geo.continent_name\",\"observer.geo.country_iso_code\",\"observer.geo.country_name\",\"observer.geo.location\",\"observer.geo.name\",\"observer.geo.region_iso_code\",\"observer.geo.region_name\",\"observer.hostname\",\"observer.ingress.interface.alias\",\"observer.ingress.interface.id\",\"observer.ingress.interface.name\",\"observer.ingress.vlan.id\",\"observer.ingress.vlan.name\",\"observer
.ingress.zone\",\"observer.ip\",\"observer.mac\",\"observer.name\",\"observer.os.family\",\"observer.os.full\",\"observer.os.full.text\",\"observer.os.kernel\",\"observer.os.name\",\"observer.os.name.text\",\"observer.os.platform\",\"observer.os.version\",\"observer.product\",\"observer.serial_number\",\"observer.type\",\"observer.vendor\",\"observer.version\",\"organization.id\",\"organization.name\",\"organization.name.text\",\"os.family\",\"os.full\",\"os.full.text\",\"os.kernel\",\"os.name\",\"os.name.text\",\"os.platform\",\"os.version\",\"osquery.result.action\",\"osquery.result.calendar_time\",\"osquery.result.host_identifier\",\"osquery.result.name\",\"osquery.result.unix_time\",\"package.architecture\",\"package.build_version\",\"package.checksum\",\"package.description\",\"package.install_scope\",\"package.installed\",\"package.license\",\"package.name\",\"package.path\",\"package.reference\",\"package.size\",\"package.type\",\"package.version\",\"pe.architecture\",\"pe.company\",\"pe.description\",\"pe.file_version\",\"pe.imphash\",\"pe.original_file_name\",\"pe.product\",\"postgresql.log.core_id\",\"postgresql.log.database\",\"postgresql.log.error.code\",\"postgresql.log.query\",\"postgresql.log.query_name\",\"postgresql.log.query_step\",\"postgresql.log.timestamp\",\"process.args\",\"process.args_count\",\"process.code_signature.exists\",\"process.code_signature.status\",\"process.code_signature.subject_name\",\"process.code_signature.trusted\",\"process.code_signature.valid\",\"process.command_line\",\"process.command_line.text\",\"process.entity_id\",\"process.executable\",\"process.executable.text\",\"process.exit_code\",\"process.hash.md5\",\"process.hash.sha1\",\"process.hash.sha256\",\"process.hash.sha512\",\"process.name\",\"process.name.text\",\"process.parent.args\",\"process.parent.args_count\",\"process.parent.code_signature.exists\",\"process.parent.code_signature.status\",\"process.parent.code_signature.subject_name\",\"process.parent.code_
signature.trusted\",\"process.parent.code_signature.valid\",\"process.parent.command_line\",\"process.parent.command_line.text\",\"process.parent.entity_id\",\"process.parent.executable\",\"process.parent.executable.text\",\"process.parent.exit_code\",\"process.parent.hash.md5\",\"process.parent.hash.sha1\",\"process.parent.hash.sha256\",\"process.parent.hash.sha512\",\"process.parent.name\",\"process.parent.name.text\",\"process.parent.pe.architecture\",\"process.parent.pe.company\",\"process.parent.pe.description\",\"process.parent.pe.file_version\",\"process.parent.pe.imphash\",\"process.parent.pe.original_file_name\",\"process.parent.pe.product\",\"process.parent.pgid\",\"process.parent.pid\",\"process.parent.ppid\",\"process.parent.start\",\"process.parent.thread.id\",\"process.parent.thread.name\",\"process.parent.title\",\"process.parent.title.text\",\"process.parent.uptime\",\"process.parent.working_directory\",\"process.parent.working_directory.text\",\"process.pe.architecture\",\"process.pe.company\",\"process.pe.description\",\"process.pe.file_version\",\"process.pe.imphash\",\"process.pe.original_file_name\",\"process.pe.product\",\"process.pgid\",\"process.pid\",\"process.ppid\",\"process.program\",\"process.start\",\"process.thread.id\",\"process.thread.name\",\"process.title\",\"process.title.text\",\"process.uptime\",\"process.working_directory\",\"process.working_directory.text\",\"redis.log.role\",\"redis.slowlog.args\",\"redis.slowlog.cmd\",\"redis.slowlog.duration.us\",\"redis.slowlog.id\",\"redis.slowlog.key\",\"registry.data.bytes\",\"registry.data.strings\",\"registry.data.type\",\"registry.hive\",\"registry.key\",\"registry.path\",\"registry.value\",\"related.hash\",\"related.hosts\",\"related.ip\",\"related.user\",\"rule.author\",\"rule.category\",\"rule.description\",\"rule.id\",\"rule.license\",\"rule.name\",\"rule.reference\",\"rule.ruleset\",\"rule.uuid\",\"rule.version\",\"santa.action\",\"santa.certificate.common_name\",\"santa.certifi
cate.sha256\",\"santa.decision\",\"santa.disk.bsdname\",\"santa.disk.bus\",\"santa.disk.fs\",\"santa.disk.model\",\"santa.disk.mount\",\"santa.disk.serial\",\"santa.disk.volume\",\"santa.mode\",\"santa.reason\",\"server.address\",\"server.as.number\",\"server.as.organization.name\",\"server.as.organization.name.text\",\"server.bytes\",\"server.domain\",\"server.geo.city_name\",\"server.geo.continent_name\",\"server.geo.country_iso_code\",\"server.geo.country_name\",\"server.geo.location\",\"server.geo.name\",\"server.geo.region_iso_code\",\"server.geo.region_name\",\"server.ip\",\"server.mac\",\"server.nat.ip\",\"server.nat.port\",\"server.packets\",\"server.port\",\"server.registered_domain\",\"server.subdomain\",\"server.top_level_domain\",\"server.user.domain\",\"server.user.email\",\"server.user.full_name\",\"server.user.full_name.text\",\"server.user.group.domain\",\"server.user.group.id\",\"server.user.group.name\",\"server.user.hash\",\"server.user.id\",\"server.user.name\",\"server.user.name.text\",\"server.user.roles\",\"service.ephemeral_id\",\"service.id\",\"service.name\",\"service.node.name\",\"service.state\",\"service.type\",\"service.version\",\"source.address\",\"source.as.number\",\"source.as.organization.name\",\"source.as.organization.name.text\",\"source.bytes\",\"source.domain\",\"source.geo.city_name\",\"source.geo.continent_name\",\"source.geo.country_iso_code\",\"source.geo.country_name\",\"source.geo.location\",\"source.geo.name\",\"source.geo.region_iso_code\",\"source.geo.region_name\",\"source.ip\",\"source.mac\",\"source.nat.ip\",\"source.nat.port\",\"source.packets\",\"source.port\",\"source.registered_domain\",\"source.subdomain\",\"source.top_level_domain\",\"source.user.domain\",\"source.user.email\",\"source.user.full_name\",\"source.user.full_name.text\",\"source.user.group.domain\",\"source.user.group.id\",\"source.user.group.name\",\"source.user.hash\",\"source.user.id\",\"source.user.name\",\"source.user.name.text\",\"source.us
er.roles\",\"span.id\",\"stream\",\"syslog.facility\",\"syslog.facility_label\",\"syslog.priority\",\"syslog.severity_label\",\"system.auth.ssh.dropped_ip\",\"system.auth.ssh.event\",\"system.auth.ssh.method\",\"system.auth.ssh.signature\",\"system.auth.sudo.command\",\"system.auth.sudo.error\",\"system.auth.sudo.pwd\",\"system.auth.sudo.tty\",\"system.auth.sudo.user\",\"system.auth.useradd.home\",\"system.auth.useradd.shell\",\"tags\",\"threat.framework\",\"threat.tactic.id\",\"threat.tactic.name\",\"threat.tactic.reference\",\"threat.technique.id\",\"threat.technique.name\",\"threat.technique.name.text\",\"threat.technique.reference\",\"threat.technique.subtechnique.id\",\"threat.technique.subtechnique.name\",\"threat.technique.subtechnique.name.text\",\"threat.technique.subtechnique.reference\",\"timeseries.instance\",\"tls.cipher\",\"tls.client.certificate\",\"tls.client.certificate_chain\",\"tls.client.hash.md5\",\"tls.client.hash.sha1\",\"tls.client.hash.sha256\",\"tls.client.issuer\",\"tls.client.ja3\",\"tls.client.not_after\",\"tls.client.not_before\",\"tls.client.server_name\",\"tls.client.subject\",\"tls.client.supported_ciphers\",\"tls.client.x509.alternative_names\",\"tls.client.x509.issuer.common_name\",\"tls.client.x509.issuer.country\",\"tls.client.x509.issuer.distinguished_name\",\"tls.client.x509.issuer.locality\",\"tls.client.x509.issuer.organization\",\"tls.client.x509.issuer.organizational_unit\",\"tls.client.x509.issuer.state_or_province\",\"tls.client.x509.not_after\",\"tls.client.x509.not_before\",\"tls.client.x509.public_key_algorithm\",\"tls.client.x509.public_key_curve\",\"tls.client.x509.public_key_exponent\",\"tls.client.x509.public_key_size\",\"tls.client.x509.serial_number\",\"tls.client.x509.signature_algorithm\",\"tls.client.x509.subject.common_name\",\"tls.client.x509.subject.country\",\"tls.client.x509.subject.distinguished_name\",\"tls.client.x509.subject.locality\",\"tls.client.x509.subject.organization\",\"tls.client.x509.subject
.organizational_unit\",\"tls.client.x509.subject.state_or_province\",\"tls.client.x509.version_number\",\"tls.curve\",\"tls.established\",\"tls.next_protocol\",\"tls.resumed\",\"tls.server.certificate\",\"tls.server.certificate_chain\",\"tls.server.hash.md5\",\"tls.server.hash.sha1\",\"tls.server.hash.sha256\",\"tls.server.issuer\",\"tls.server.ja3s\",\"tls.server.not_after\",\"tls.server.not_before\",\"tls.server.subject\",\"tls.server.x509.alternative_names\",\"tls.server.x509.issuer.common_name\",\"tls.server.x509.issuer.country\",\"tls.server.x509.issuer.distinguished_name\",\"tls.server.x509.issuer.locality\",\"tls.server.x509.issuer.organization\",\"tls.server.x509.issuer.organizational_unit\",\"tls.server.x509.issuer.state_or_province\",\"tls.server.x509.not_after\",\"tls.server.x509.not_before\",\"tls.server.x509.public_key_algorithm\",\"tls.server.x509.public_key_curve\",\"tls.server.x509.public_key_exponent\",\"tls.server.x509.public_key_size\",\"tls.server.x509.serial_number\",\"tls.server.x509.signature_algorithm\",\"tls.server.x509.subject.common_name\",\"tls.server.x509.subject.country\",\"tls.server.x509.subject.distinguished_name\",\"tls.server.x509.subject.locality\",\"tls.server.x509.subject.organization\",\"tls.server.x509.subject.organizational_unit\",\"tls.server.x509.subject.state_or_province\",\"tls.server.x509.version_number\",\"tls.version\",\"tls.version_protocol\",\"trace.id\",\"traefik.access.backend_url\",\"traefik.access.frontend_name\",\"traefik.access.geoip.city_name\",\"traefik.access.geoip.continent_name\",\"traefik.access.geoip.country_iso_code\",\"traefik.access.geoip.location\",\"traefik.access.geoip.region_iso_code\",\"traefik.access.geoip.region_name\",\"traefik.access.request_count\",\"traefik.access.user_agent.device\",\"traefik.access.user_agent.name\",\"traefik.access.user_agent.original\",\"traefik.access.user_agent.os\",\"traefik.access.user_agent.os_name\",\"traefik.access.user_identifier\",\"transaction.id\",\"url.domai
n\",\"url.extension\",\"url.fragment\",\"url.full\",\"url.full.text\",\"url.original\",\"url.original.text\",\"url.password\",\"url.path\",\"url.port\",\"url.query\",\"url.registered_domain\",\"url.scheme\",\"url.subdomain\",\"url.top_level_domain\",\"url.username\",\"user.audit.group.id\",\"user.audit.group.name\",\"user.audit.id\",\"user.audit.name\",\"user.domain\",\"user.effective.group.id\",\"user.effective.group.name\",\"user.effective.id\",\"user.effective.name\",\"user.email\",\"user.filesystem.group.id\",\"user.filesystem.group.name\",\"user.filesystem.id\",\"user.filesystem.name\",\"user.full_name\",\"user.full_name.text\",\"user.group.domain\",\"user.group.id\",\"user.group.name\",\"user.hash\",\"user.id\",\"user.name\",\"user.name.text\",\"user.owner.group.id\",\"user.owner.group.name\",\"user.owner.id\",\"user.owner.name\",\"user.roles\",\"user.saved.group.id\",\"user.saved.group.name\",\"user.saved.id\",\"user.saved.name\",\"user.terminal\",\"user_agent.device.name\",\"user_agent.name\",\"user_agent.original\",\"user_agent.original.text\",\"user_agent.os.family\",\"user_agent.os.full\",\"user_agent.os.full.text\",\"user_agent.os.full_name\",\"user_agent.os.kernel\",\"user_agent.os.name\",\"user_agent.os.name.text\",\"user_agent.os.platform\",\"user_agent.os.version\",\"user_agent.version\",\"vlan.id\",\"vlan.name\",\"vulnerability.category\",\"vulnerability.classification\",\"vulnerability.description\",\"vulnerability.description.text\",\"vulnerability.enumeration\",\"vulnerability.id\",\"vulnerability.reference\",\"vulnerability.report_id\",\"vulnerability.scanner.vendor\",\"vulnerability.score.base\",\"vulnerability.score.environmental\",\"vulnerability.score.temporal\",\"vulnerability.score.version\",\"vulnerability.severity\",\"x509.alternative_names\",\"x509.issuer.common_name\",\"x509.issuer.country\",\"x509.issuer.distinguished_name\",\"x509.issuer.locality\",\"x509.issuer.organization\",\"x509.issuer.organizational_unit\",\"x509.issuer.state_o
r_province\",\"x509.not_after\",\"x509.not_before\",\"x509.public_key_algorithm\",\"x509.public_key_curve\",\"x509.public_key_exponent\",\"x509.public_key_size\",\"x509.serial_number\",\"x509.signature_algorithm\",\"x509.subject.common_name\",\"x509.subject.country\",\"x509.subject.distinguished_name\",\"x509.subject.locality\",\"x509.subject.organization\",\"x509.subject.organizational_unit\",\"x509.subject.state_or_province\",\"x509.version_number\"],\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"hid_bravura_monitor.perf.kind\",\"negate\":false,\"params\":{\"query\":\"PerfIDAPI\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"hid_bravura_monitor.perf.kind\":\"PerfIDAPI\"}}}],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "PerfIDAPI", - "version": 1 - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-991d9760-1473-11eb-bb7b-bb041e8cf289", - "migrationVersion": { - "search": "7.9.3" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/hid_bravura_monitor/1.2.2/kibana/search/hid_bravura_monitor-9a787d10-0521-11ec-853c-2bf1ec8ddeef.json b/packages/hid_bravura_monitor/1.2.2/kibana/search/hid_bravura_monitor-9a787d10-0521-11ec-853c-2bf1ec8ddeef.json deleted file mode 100755 index 1933bda0f2..0000000000 
--- a/packages/hid_bravura_monitor/1.2.2/kibana/search/hid_bravura_monitor-9a787d10-0521-11ec-853c-2bf1ec8ddeef.json +++ /dev/null 
@@ -1,44 +0,0 @@ -{ - "attributes": { - "columns": [], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"winlog.provider_name\",\"negate\":false,\"params\":{\"query\":\"Hitachi-Hitachi ID Systems-Hitachi ID Suite\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"winlog.provider_name\":\"Hitachi-Hitachi ID Systems-Hitachi ID Suite\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":[\"8\",\"9\",\"10\",\"6\",\"78\"],\"type\":\"phrases\",\"value\":\"8, 9, 10, 6, 78\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.code\":\"8\"}},{\"match_phrase\":{\"event.code\":\"9\"}},{\"match_phrase\":{\"event.code\":\"10\"}},{\"match_phrase\":{\"event.code\":\"6\"}},{\"match_phrase\":{\"event.code\":\"78\"}}]}}}],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "Hitachi ID Windows Event Logs - Replication", - "version": 1 - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-9a787d10-0521-11ec-853c-2bf1ec8ddeef", - "migrationVersion": { - "search": "7.9.3" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "type": "index-pattern" - } - 
], - "type": "search" -} \ No newline at end of file diff --git a/packages/hid_bravura_monitor/1.2.2/kibana/search/hid_bravura_monitor-9e4165d0-1a1a-11eb-abcf-effcd51852fa.json b/packages/hid_bravura_monitor/1.2.2/kibana/search/hid_bravura_monitor-9e4165d0-1a1a-11eb-abcf-effcd51852fa.json deleted file mode 100755 index baafc6c4e5..0000000000 --- a/packages/hid_bravura_monitor/1.2.2/kibana/search/hid_bravura_monitor-9e4165d0-1a1a-11eb-abcf-effcd51852fa.json +++ /dev/null 
@@ -1,46 +0,0 @@ -{ - "attributes": { - "columns": [ - "_source" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"log.logger\",\"negate\":false,\"params\":[\"ajaxsvc.exe\",\"psf.exe\",\"psa.exe\"],\"type\":\"phrases\",\"value\":\"ajaxsvc.exe, psf.exe, psa.exe\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"log.logger\":\"ajaxsvc.exe\"}},{\"match_phrase\":{\"log.logger\":\"psf.exe\"}},{\"match_phrase\":{\"log.logger\":\"psa.exe\"}}]}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"log.level\",\"negate\":false,\"params\":[\"Error\",\"Warning\"],\"type\":\"phrases\",\"value\":\"Error, Warning\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"log.level\":\"Error\"}},{\"match_phrase\":{\"log.level\":\"Warning\"}}]}}},{\"$state\":{\"store\":\"appState\"},\"exists\":{\"field\":\"user.id\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[2].meta.index\",\"key\":\"user.id\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"}}],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}" - }, - "sort": [], - "title": "User Issue Logs", - "version": 1 - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-9e4165d0-1a1a-11eb-abcf-effcd51852fa", - "migrationVersion": { - "search": "7.9.3" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": 
"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[2].meta.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/hid_bravura_monitor/1.2.2/kibana/search/hid_bravura_monitor-ad5f7180-1473-11eb-bb7b-bb041e8cf289.json b/packages/hid_bravura_monitor/1.2.2/kibana/search/hid_bravura_monitor-ad5f7180-1473-11eb-bb7b-bb041e8cf289.json deleted file mode 100755 index 7d2a1af5bf..0000000000 --- a/packages/hid_bravura_monitor/1.2.2/kibana/search/hid_bravura_monitor-ad5f7180-1473-11eb-bb7b-bb041e8cf289.json +++ /dev/null 
@@ -1,39 +0,0 @@ -{ - "attributes": { - "columns": [], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"fieldsFromSource\":[\"@timestamp\",\"_id\",\"_index\",\"_score\",\"_source\",\"_type\",\"agent.build.original\",\"agent.ephemeral_id\",\"agent.hostname\",\"agent.id\",\"agent.name\",\"agent.type\",\"agent.version\",\"apache.access.ssl.cipher\",\"apache.access.ssl.protocol\",\"apache.error.integration\",\"as.number\",\"as.organization.name\",\"as.organization.name.text\",\"auditd.log.a0\",\"auditd.log.addr\",\"auditd.log.item\",\"auditd.log.items\",\"auditd.log.laddr\",\"auditd.log.lport\",\"auditd.log.new_auid\",\"auditd.log.new_ses\",\"auditd.log.old_auid\",\"auditd.log.old_ses\",\"auditd.log.rport\",\"auditd.log.sequence\",\"auditd.log.tty\",\"azure.consumer_group\",\"azure.enqueued_time\",\"azure.eventhub\",\"azure.offset\",\"azure.partition_id\",\"azure.sequence_number\",\"client.address\",\"client.as.number\",\"client.as.organization.name\",\"client.as.organization.name.text\",\"client.bytes\",\"client.domain\",\"client.geo.city_name\",\"client.geo.continent_name\",\"client.geo.country_iso_code\",\"client.geo.country_name\",\"client.geo.location\",\"client.geo.name\",\"client.geo.region_iso_code\",\"client.geo.region_name\",\"client.ip\",\"client.mac\",\"client.nat.ip\",\"client.nat.port\",\"client.packets\",\"client.port\",\"client.registered_domain\",\"client.subdomain\",\"client.top_level_domain\",\"client.user.domain\",\"client.user.email\",\"client.user.full_name\",\"client.user.full_name.text\",\"client.user.group.domain\",\"client.user.group.id\",\"client.user.group.name\",\"client.user.hash\",\"client.user.id\",\"client.user.name\",\"client.user.name.text\",\"client.user.roles\",\"cloud.account.id\",\"cloud.account.name\",\"cloud.availability_zone\",\"cloud.image.id\",\"cloud.instance.id\",\"cloud.instance.name\",\"cloud.machine.type\",\"cloud.project.id\",\"cloud.project.name\",\"cloud.provider\",\"cloud.region
\",\"code_signature.exists\",\"code_signature.status\",\"code_signature.subject_name\",\"code_signature.trusted\",\"code_signature.valid\",\"container.id\",\"container.image.name\",\"container.image.tag\",\"container.name\",\"container.runtime\",\"destination.address\",\"destination.as.number\",\"destination.as.organization.name\",\"destination.as.organization.name.text\",\"destination.bytes\",\"destination.domain\",\"destination.geo.city_name\",\"destination.geo.continent_name\",\"destination.geo.country_iso_code\",\"destination.geo.country_name\",\"destination.geo.location\",\"destination.geo.name\",\"destination.geo.region_iso_code\",\"destination.geo.region_name\",\"destination.ip\",\"destination.mac\",\"destination.nat.ip\",\"destination.nat.port\",\"destination.packets\",\"destination.port\",\"destination.registered_domain\",\"destination.subdomain\",\"destination.top_level_domain\",\"destination.user.domain\",\"destination.user.email\",\"destination.user.full_name\",\"destination.user.full_name.text\",\"destination.user.group.domain\",\"destination.user.group.id\",\"destination.user.group.name\",\"destination.user.hash\",\"destination.user.id\",\"destination.user.name\",\"destination.user.name.text\",\"destination.user.roles\",\"dll.code_signature.exists\",\"dll.code_signature.status\",\"dll.code_signature.subject_name\",\"dll.code_signature.trusted\",\"dll.code_signature.valid\",\"dll.hash.md5\",\"dll.hash.sha1\",\"dll.hash.sha256\",\"dll.hash.sha512\",\"dll.name\",\"dll.path\",\"dll.pe.architecture\",\"dll.pe.company\",\"dll.pe.description\",\"dll.pe.file_version\",\"dll.pe.imphash\",\"dll.pe.original_file_name\",\"dll.pe.product\",\"dns.answers.class\",\"dns.answers.data\",\"dns.answers.name\",\"dns.answers.ttl\",\"dns.answers.type\",\"dns.header_flags\",\"dns.id\",\"dns.op_code\",\"dns.question.class\",\"dns.question.name\",\"dns.question.registered_domain\",\"dns.question.subdomain\",\"dns.question.top_level_domain\",\"dns.question.type\",\"dns.resolved_
ip\",\"dns.response_code\",\"dns.type\",\"ecs.version\",\"elasticsearch.audit.action\",\"elasticsearch.audit.event_type\",\"elasticsearch.audit.indices\",\"elasticsearch.audit.layer\",\"elasticsearch.audit.message\",\"elasticsearch.audit.origin.type\",\"elasticsearch.audit.realm\",\"elasticsearch.audit.request.id\",\"elasticsearch.audit.request.name\",\"elasticsearch.audit.url.params\",\"elasticsearch.audit.user.realm\",\"elasticsearch.audit.user.roles\",\"elasticsearch.cluster.name\",\"elasticsearch.cluster.uuid\",\"elasticsearch.component\",\"elasticsearch.gc.heap.size_kb\",\"elasticsearch.gc.heap.used_kb\",\"elasticsearch.gc.jvm_runtime_sec\",\"elasticsearch.gc.old_gen.size_kb\",\"elasticsearch.gc.old_gen.used_kb\",\"elasticsearch.gc.phase.class_unload_time_sec\",\"elasticsearch.gc.phase.cpu_time.real_sec\",\"elasticsearch.gc.phase.cpu_time.sys_sec\",\"elasticsearch.gc.phase.cpu_time.user_sec\",\"elasticsearch.gc.phase.duration_sec\",\"elasticsearch.gc.phase.name\",\"elasticsearch.gc.phase.parallel_rescan_time_sec\",\"elasticsearch.gc.phase.scrub_string_table_time_sec\",\"elasticsearch.gc.phase.scrub_symbol_table_time_sec\",\"elasticsearch.gc.phase.weak_refs_processing_time_sec\",\"elasticsearch.gc.stopping_threads_time_sec\",\"elasticsearch.gc.tags\",\"elasticsearch.gc.threads_total_stop_time_sec\",\"elasticsearch.gc.young_gen.size_kb\",\"elasticsearch.gc.young_gen.used_kb\",\"elasticsearch.index.id\",\"elasticsearch.index.name\",\"elasticsearch.node.id\",\"elasticsearch.node.name\",\"elasticsearch.server.gc.collection_duration.ms\",\"elasticsearch.server.gc.observation_duration.ms\",\"elasticsearch.server.gc.overhead_seq\",\"elasticsearch.server.gc.young.one\",\"elasticsearch.server.gc.young.two\",\"elasticsearch.server.stacktrace\",\"elasticsearch.shard.id\",\"elasticsearch.slowlog.extra_source\",\"elasticsearch.slowlog.id\",\"elasticsearch.slowlog.logger\",\"elasticsearch.slowlog.routing\",\"elasticsearch.slowlog.search_type\",\"elasticsearch.slowlog.source\"
,\"elasticsearch.slowlog.source_query\",\"elasticsearch.slowlog.stats\",\"elasticsearch.slowlog.took\",\"elasticsearch.slowlog.total_hits\",\"elasticsearch.slowlog.total_shards\",\"elasticsearch.slowlog.type\",\"elasticsearch.slowlog.types\",\"error.code\",\"error.id\",\"error.message\",\"error.stack_trace\",\"error.stack_trace.text\",\"error.type\",\"event.action\",\"event.category\",\"event.code\",\"event.created\",\"data_stream.dataset\",\"event.duration\",\"event.end\",\"event.hash\",\"event.id\",\"event.ingested\",\"event.kind\",\"event.integration\",\"event.original\",\"event.outcome\",\"event.provider\",\"event.reason\",\"event.reference\",\"event.risk_score\",\"event.risk_score_norm\",\"event.sequence\",\"event.severity\",\"event.start\",\"event.timezone\",\"event.type\",\"event.url\",\"file.accessed\",\"file.attributes\",\"file.code_signature.exists\",\"file.code_signature.status\",\"file.code_signature.subject_name\",\"file.code_signature.trusted\",\"file.code_signature.valid\",\"file.created\",\"file.ctime\",\"file.device\",\"file.directory\",\"file.drive_letter\",\"file.extension\",\"file.gid\",\"file.group\",\"file.hash.md5\",\"file.hash.sha1\",\"file.hash.sha256\",\"file.hash.sha512\",\"file.inode\",\"file.mime_type\",\"file.mode\",\"file.mtime\",\"file.name\",\"file.owner\",\"file.path\",\"file.path.text\",\"file.pe.architecture\",\"file.pe.company\",\"file.pe.description\",\"file.pe.file_version\",\"file.pe.imphash\",\"file.pe.original_file_name\",\"file.pe.product\",\"file.size\",\"file.target_path\",\"file.target_path.text\",\"file.type\",\"file.uid\",\"file.x509.alternative_names\",\"file.x509.issuer.common_name\",\"file.x509.issuer.country\",\"file.x509.issuer.distinguished_name\",\"file.x509.issuer.locality\",\"file.x509.issuer.organization\",\"file.x509.issuer.organizational_unit\",\"file.x509.issuer.state_or_province\",\"file.x509.not_after\",\"file.x509.not_before\",\"file.x509.public_key_algorithm\",\"file.x509.public_key_curve\",\"file.x509
.public_key_exponent\",\"file.x509.public_key_size\",\"file.x509.serial_number\",\"file.x509.signature_algorithm\",\"file.x509.subject.common_name\",\"file.x509.subject.country\",\"file.x509.subject.distinguished_name\",\"file.x509.subject.locality\",\"file.x509.subject.organization\",\"file.x509.subject.organizational_unit\",\"file.x509.subject.state_or_province\",\"file.x509.version_number\",\"fileset.name\",\"geo.city_name\",\"geo.continent_name\",\"geo.country_iso_code\",\"geo.country_name\",\"geo.location\",\"geo.name\",\"geo.region_iso_code\",\"geo.region_name\",\"group.domain\",\"group.id\",\"group.name\",\"haproxy.backend_name\",\"haproxy.backend_queue\",\"haproxy.bind_name\",\"haproxy.bytes_read\",\"haproxy.connection_wait_time_ms\",\"haproxy.connections.active\",\"haproxy.connections.backend\",\"haproxy.connections.frontend\",\"haproxy.connections.retries\",\"haproxy.connections.server\",\"haproxy.error_message\",\"haproxy.frontend_name\",\"haproxy.http.request.captured_cookie\",\"haproxy.http.request.captured_headers\",\"haproxy.http.request.raw_request_line\",\"haproxy.http.request.time_wait_ms\",\"haproxy.http.request.time_wait_without_data_ms\",\"haproxy.http.response.captured_cookie\",\"haproxy.http.response.captured_headers\",\"haproxy.mode\",\"haproxy.server_name\",\"haproxy.server_queue\",\"haproxy.source\",\"haproxy.tcp.connection_waiting_time_ms\",\"haproxy.termination_state\",\"haproxy.time_backend_connect\",\"haproxy.time_queue\",\"haproxy.total_waiting_time_ms\",\"hash.md5\",\"hash.sha1\",\"hash.sha256\",\"hash.sha512\",\"hid_bravura_monitor.instancename\",\"hid_bravura_monitor.node\",\"hid_bravura_monitor.perf.address\",\"hid_bravura_monitor.perf.address\",\"hid_bravura_monitor.perf.adminid\",\"hid_bravura_monitor.perf.adminid\",\"hid_bravura_monitor.perf.dbcommand\",\"hid_bravura_monitor.perf.dbcommand\",\"hid_bravura_monitor.perf.destination\",\"hid_bravura_monitor.perf.duration\",\"hid_bravura_monitor.perf.event\",\"hid_bravura_monitor.per
f.event\",\"hid_bravura_monitor.perf.exe\",\"hid_bravura_monitor.perf.exe\",\"hid_bravura_monitor.perf.file\",\"hid_bravura_monitor.perf.function\",\"hid_bravura_monitor.perf.function\",\"hid_bravura_monitor.perf.kernel\",\"hid_bravura_monitor.perf.kind\",\"hid_bravura_monitor.perf.kind\",\"hid_bravura_monitor.perf.message\",\"hid_bravura_monitor.perf.message\",\"hid_bravura_monitor.perf.operation\",\"hid_bravura_monitor.perf.operation\",\"hid_bravura_monitor.perf.receivequeue\",\"hid_bravura_monitor.perf.receivequeue\",\"hid_bravura_monitor.perf.records\",\"hid_bravura_monitor.perf.result\",\"hid_bravura_monitor.perf.result\",\"hid_bravura_monitor.perf.rule\",\"hid_bravura_monitor.perf.sessionid\",\"hid_bravura_monitor.perf.sessionid\",\"hid_bravura_monitor.perf.sysid\",\"hid_bravura_monitor.perf.sysid\",\"hid_bravura_monitor.perf.table\",\"hid_bravura_monitor.perf.table\",\"hid_bravura_monitor.perf.targetid\",\"hid_bravura_monitor.perf.targetid\",\"hid_bravura_monitor.perf.transid\",\"hid_bravura_monitor.perf.transid\",\"hid_bravura_monitor.perf.type\",\"hid_bravura_monitor.perf.user\",\"hid_bravura_monitor.request.id\",\"hid_bravura_monitor.request.id\",\"host.architecture\",\"host.containerized\",\"host.domain\",\"host.geo.city_name\",\"host.geo.continent_name\",\"host.geo.country_iso_code\",\"host.geo.country_name\",\"host.geo.location\",\"host.geo.name\",\"host.geo.region_iso_code\",\"host.geo.region_name\",\"host.hostname\",\"host.id\",\"host.ip\",\"host.mac\",\"host.name\",\"host.os.build\",\"host.os.codename\",\"host.os.family\",\"host.os.full\",\"host.os.full.text\",\"host.os.kernel\",\"host.os.name\",\"host.os.name.text\",\"host.os.platform\",\"host.os.version\",\"host.type\",\"host.uptime\",\"host.user.domain\",\"host.user.email\",\"host.user.full_name\",\"host.user.full_name.text\",\"host.user.group.domain\",\"host.user.group.id\",\"host.user.group.name\",\"host.user.hash\",\"host.user.id\",\"host.user.name\",\"host.user.name.text\",\"host.user.roles\",
\"http.request.body.bytes\",\"http.request.body.content\",\"http.request.body.content.text\",\"http.request.bytes\",\"http.request.method\",\"http.request.mime_type\",\"http.request.referrer\",\"http.response.body.bytes\",\"http.response.body.content\",\"http.response.body.content.text\",\"http.response.bytes\",\"http.response.mime_type\",\"http.response.status_code\",\"http.version\",\"icinga.debug.facility\",\"icinga.main.facility\",\"icinga.startup.facility\",\"icmp.code\",\"icmp.type\",\"igmp.type\",\"iis.access.cookie\",\"iis.access.server_name\",\"iis.access.site_name\",\"iis.access.sub_status\",\"iis.access.win32_status\",\"iis.error.queue_name\",\"iis.error.reason_phrase\",\"input.type\",\"interface.alias\",\"interface.id\",\"interface.name\",\"jolokia.agent.id\",\"jolokia.agent.version\",\"jolokia.secured\",\"jolokia.server.product\",\"jolokia.server.vendor\",\"jolokia.server.version\",\"jolokia.url\",\"kafka.block_timestamp\",\"kafka.key\",\"kafka.log.class\",\"kafka.log.component\",\"kafka.log.thread\",\"kafka.log.trace.class\",\"kafka.log.trace.message\",\"kafka.offset\",\"kafka.partition\",\"kafka.topic\",\"kibana.add_to_spaces\",\"kibana.authentication_provider\",\"kibana.authentication_realm\",\"kibana.authentication_type\",\"kibana.delete_from_spaces\",\"kibana.log.state\",\"kibana.log.tags\",\"kibana.lookup_realm\",\"kibana.saved_object.id\",\"kibana.saved_object.type\",\"kibana.session_id\",\"kibana.space_id\",\"kubernetes.container.image\",\"kubernetes.container.name\",\"kubernetes.deployment.name\",\"kubernetes.namespace\",\"kubernetes.node.hostname\",\"kubernetes.node.name\",\"kubernetes.pod.name\",\"kubernetes.pod.uid\",\"kubernetes.replicaset.name\",\"kubernetes.statefulset.name\",\"log.file.path\",\"log.flags\",\"log.level\",\"log.logger\",\"log.offset\",\"log.origin.file.line\",\"log.origin.file.name\",\"log.origin.function\",\"log.original\",\"log.source.address\",\"log.syslog.facility.code\",\"log.syslog.facility.name\",\"log.syslog.priori
ty\",\"log.syslog.severity.code\",\"log.syslog.severity.name\",\"logstash.log.integration\",\"logstash.log.pipeline_id\",\"logstash.log.thread\",\"logstash.log.thread.text\",\"logstash.slowlog.event\",\"logstash.slowlog.event.text\",\"logstash.slowlog.integration\",\"logstash.slowlog.plugin_name\",\"logstash.slowlog.plugin_params\",\"logstash.slowlog.plugin_params.text\",\"logstash.slowlog.plugin_type\",\"logstash.slowlog.thread\",\"logstash.slowlog.thread.text\",\"logstash.slowlog.took_in_millis\",\"message\",\"mongodb.log.component\",\"mongodb.log.context\",\"mysql.slowlog.bytes_received\",\"mysql.slowlog.bytes_sent\",\"mysql.slowlog.current_user\",\"mysql.slowlog.filesort\",\"mysql.slowlog.filesort_on_disk\",\"mysql.slowlog.full_join\",\"mysql.slowlog.full_scan\",\"mysql.slowlog.innodb.io_r_bytes\",\"mysql.slowlog.innodb.io_r_ops\",\"mysql.slowlog.innodb.io_r_wait.sec\",\"mysql.slowlog.innodb.pages_distinct\",\"mysql.slowlog.innodb.queue_wait.sec\",\"mysql.slowlog.innodb.rec_lock_wait.sec\",\"mysql.slowlog.innodb.trx_id\",\"mysql.slowlog.killed\",\"mysql.slowlog.last_errno\",\"mysql.slowlog.lock_time.sec\",\"mysql.slowlog.log_slow_rate_limit\",\"mysql.slowlog.log_slow_rate_type\",\"mysql.slowlog.merge_passes\",\"mysql.slowlog.priority_queue\",\"mysql.slowlog.query\",\"mysql.slowlog.query_cache_hit\",\"mysql.slowlog.read_first\",\"mysql.slowlog.read_key\",\"mysql.slowlog.read_last\",\"mysql.slowlog.read_next\",\"mysql.slowlog.read_prev\",\"mysql.slowlog.read_rnd\",\"mysql.slowlog.read_rnd_next\",\"mysql.slowlog.rows_affected\",\"mysql.slowlog.rows_examined\",\"mysql.slowlog.rows_sent\",\"mysql.slowlog.schema\",\"mysql.slowlog.sort_merge_passes\",\"mysql.slowlog.sort_range_count\",\"mysql.slowlog.sort_rows\",\"mysql.slowlog.sort_scan_count\",\"mysql.slowlog.tmp_disk_tables\",\"mysql.slowlog.tmp_table\",\"mysql.slowlog.tmp_table_on_disk\",\"mysql.slowlog.tmp_table_sizes\",\"mysql.slowlog.tmp_tables\",\"mysql.thread_id\",\"nats.log.client.id\",\"nats.log.msg.bytes\",
\"nats.log.msg.error.message\",\"nats.log.msg.max_messages\",\"nats.log.msg.queue_group\",\"nats.log.msg.reply_to\",\"nats.log.msg.sid\",\"nats.log.msg.subject\",\"nats.log.msg.type\",\"network.application\",\"network.bytes\",\"network.community_id\",\"network.direction\",\"network.forwarded_ip\",\"network.iana_number\",\"network.inner.vlan.id\",\"network.inner.vlan.name\",\"network.name\",\"network.packets\",\"network.protocol\",\"network.transport\",\"network.type\",\"network.vlan.id\",\"network.vlan.name\",\"nginx.error.connection_id\",\"nginx.ingress_controller.http.request.id\",\"nginx.ingress_controller.http.request.length\",\"nginx.ingress_controller.http.request.time\",\"nginx.ingress_controller.upstream.alternative_name\",\"nginx.ingress_controller.upstream.ip\",\"nginx.ingress_controller.upstream.name\",\"nginx.ingress_controller.upstream.port\",\"nginx.ingress_controller.upstream.response.length\",\"nginx.ingress_controller.upstream.response.length_list\",\"nginx.ingress_controller.upstream.response.status_code\",\"nginx.ingress_controller.upstream.response.status_code_list\",\"nginx.ingress_controller.upstream.response.time\",\"nginx.ingress_controller.upstream.response.time_list\",\"nginx.ingress_controller.upstream_address_list\",\"observer.egress.interface.alias\",\"observer.egress.interface.id\",\"observer.egress.interface.name\",\"observer.egress.vlan.id\",\"observer.egress.vlan.name\",\"observer.egress.zone\",\"observer.geo.city_name\",\"observer.geo.continent_name\",\"observer.geo.country_iso_code\",\"observer.geo.country_name\",\"observer.geo.location\",\"observer.geo.name\",\"observer.geo.region_iso_code\",\"observer.geo.region_name\",\"observer.hostname\",\"observer.ingress.interface.alias\",\"observer.ingress.interface.id\",\"observer.ingress.interface.name\",\"observer.ingress.vlan.id\",\"observer.ingress.vlan.name\",\"observer.ingress.zone\",\"observer.ip\",\"observer.mac\",\"observer.name\",\"observer.os.family\",\"observer.os.full\",\"obse
rver.os.full.text\",\"observer.os.kernel\",\"observer.os.name\",\"observer.os.name.text\",\"observer.os.platform\",\"observer.os.version\",\"observer.product\",\"observer.serial_number\",\"observer.type\",\"observer.vendor\",\"observer.version\",\"organization.id\",\"organization.name\",\"organization.name.text\",\"os.family\",\"os.full\",\"os.full.text\",\"os.kernel\",\"os.name\",\"os.name.text\",\"os.platform\",\"os.version\",\"osquery.result.action\",\"osquery.result.calendar_time\",\"osquery.result.host_identifier\",\"osquery.result.name\",\"osquery.result.unix_time\",\"package.architecture\",\"package.build_version\",\"package.checksum\",\"package.description\",\"package.install_scope\",\"package.installed\",\"package.license\",\"package.name\",\"package.path\",\"package.reference\",\"package.size\",\"package.type\",\"package.version\",\"pe.architecture\",\"pe.company\",\"pe.description\",\"pe.file_version\",\"pe.imphash\",\"pe.original_file_name\",\"pe.product\",\"postgresql.log.core_id\",\"postgresql.log.database\",\"postgresql.log.error.code\",\"postgresql.log.query\",\"postgresql.log.query_name\",\"postgresql.log.query_step\",\"postgresql.log.timestamp\",\"process.args\",\"process.args_count\",\"process.code_signature.exists\",\"process.code_signature.status\",\"process.code_signature.subject_name\",\"process.code_signature.trusted\",\"process.code_signature.valid\",\"process.command_line\",\"process.command_line.text\",\"process.entity_id\",\"process.executable\",\"process.executable.text\",\"process.exit_code\",\"process.hash.md5\",\"process.hash.sha1\",\"process.hash.sha256\",\"process.hash.sha512\",\"process.name\",\"process.name.text\",\"process.parent.args\",\"process.parent.args_count\",\"process.parent.code_signature.exists\",\"process.parent.code_signature.status\",\"process.parent.code_signature.subject_name\",\"process.parent.code_signature.trusted\",\"process.parent.code_signature.valid\",\"process.parent.command_line\",\"process.parent.command_
line.text\",\"process.parent.entity_id\",\"process.parent.executable\",\"process.parent.executable.text\",\"process.parent.exit_code\",\"process.parent.hash.md5\",\"process.parent.hash.sha1\",\"process.parent.hash.sha256\",\"process.parent.hash.sha512\",\"process.parent.name\",\"process.parent.name.text\",\"process.parent.pe.architecture\",\"process.parent.pe.company\",\"process.parent.pe.description\",\"process.parent.pe.file_version\",\"process.parent.pe.imphash\",\"process.parent.pe.original_file_name\",\"process.parent.pe.product\",\"process.parent.pgid\",\"process.parent.pid\",\"process.parent.ppid\",\"process.parent.start\",\"process.parent.thread.id\",\"process.parent.thread.name\",\"process.parent.title\",\"process.parent.title.text\",\"process.parent.uptime\",\"process.parent.working_directory\",\"process.parent.working_directory.text\",\"process.pe.architecture\",\"process.pe.company\",\"process.pe.description\",\"process.pe.file_version\",\"process.pe.imphash\",\"process.pe.original_file_name\",\"process.pe.product\",\"process.pgid\",\"process.pid\",\"process.ppid\",\"process.program\",\"process.start\",\"process.thread.id\",\"process.thread.name\",\"process.title\",\"process.title.text\",\"process.uptime\",\"process.working_directory\",\"process.working_directory.text\",\"redis.log.role\",\"redis.slowlog.args\",\"redis.slowlog.cmd\",\"redis.slowlog.duration.us\",\"redis.slowlog.id\",\"redis.slowlog.key\",\"registry.data.bytes\",\"registry.data.strings\",\"registry.data.type\",\"registry.hive\",\"registry.key\",\"registry.path\",\"registry.value\",\"related.hash\",\"related.hosts\",\"related.ip\",\"related.user\",\"rule.author\",\"rule.category\",\"rule.description\",\"rule.id\",\"rule.license\",\"rule.name\",\"rule.reference\",\"rule.ruleset\",\"rule.uuid\",\"rule.version\",\"santa.action\",\"santa.certificate.common_name\",\"santa.certificate.sha256\",\"santa.decision\",\"santa.disk.bsdname\",\"santa.disk.bus\",\"santa.disk.fs\",\"santa.disk.model\",\"s
anta.disk.mount\",\"santa.disk.serial\",\"santa.disk.volume\",\"santa.mode\",\"santa.reason\",\"server.address\",\"server.as.number\",\"server.as.organization.name\",\"server.as.organization.name.text\",\"server.bytes\",\"server.domain\",\"server.geo.city_name\",\"server.geo.continent_name\",\"server.geo.country_iso_code\",\"server.geo.country_name\",\"server.geo.location\",\"server.geo.name\",\"server.geo.region_iso_code\",\"server.geo.region_name\",\"server.ip\",\"server.mac\",\"server.nat.ip\",\"server.nat.port\",\"server.packets\",\"server.port\",\"server.registered_domain\",\"server.subdomain\",\"server.top_level_domain\",\"server.user.domain\",\"server.user.email\",\"server.user.full_name\",\"server.user.full_name.text\",\"server.user.group.domain\",\"server.user.group.id\",\"server.user.group.name\",\"server.user.hash\",\"server.user.id\",\"server.user.name\",\"server.user.name.text\",\"server.user.roles\",\"service.ephemeral_id\",\"service.id\",\"service.name\",\"service.node.name\",\"service.state\",\"service.type\",\"service.version\",\"source.address\",\"source.as.number\",\"source.as.organization.name\",\"source.as.organization.name.text\",\"source.bytes\",\"source.domain\",\"source.geo.city_name\",\"source.geo.continent_name\",\"source.geo.country_iso_code\",\"source.geo.country_name\",\"source.geo.location\",\"source.geo.name\",\"source.geo.region_iso_code\",\"source.geo.region_name\",\"source.ip\",\"source.mac\",\"source.nat.ip\",\"source.nat.port\",\"source.packets\",\"source.port\",\"source.registered_domain\",\"source.subdomain\",\"source.top_level_domain\",\"source.user.domain\",\"source.user.email\",\"source.user.full_name\",\"source.user.full_name.text\",\"source.user.group.domain\",\"source.user.group.id\",\"source.user.group.name\",\"source.user.hash\",\"source.user.id\",\"source.user.name\",\"source.user.name.text\",\"source.user.roles\",\"span.id\",\"stream\",\"syslog.facility\",\"syslog.facility_label\",\"syslog.priority\",\"syslog.severity
_label\",\"system.auth.ssh.dropped_ip\",\"system.auth.ssh.event\",\"system.auth.ssh.method\",\"system.auth.ssh.signature\",\"system.auth.sudo.command\",\"system.auth.sudo.error\",\"system.auth.sudo.pwd\",\"system.auth.sudo.tty\",\"system.auth.sudo.user\",\"system.auth.useradd.home\",\"system.auth.useradd.shell\",\"tags\",\"threat.framework\",\"threat.tactic.id\",\"threat.tactic.name\",\"threat.tactic.reference\",\"threat.technique.id\",\"threat.technique.name\",\"threat.technique.name.text\",\"threat.technique.reference\",\"threat.technique.subtechnique.id\",\"threat.technique.subtechnique.name\",\"threat.technique.subtechnique.name.text\",\"threat.technique.subtechnique.reference\",\"timeseries.instance\",\"tls.cipher\",\"tls.client.certificate\",\"tls.client.certificate_chain\",\"tls.client.hash.md5\",\"tls.client.hash.sha1\",\"tls.client.hash.sha256\",\"tls.client.issuer\",\"tls.client.ja3\",\"tls.client.not_after\",\"tls.client.not_before\",\"tls.client.server_name\",\"tls.client.subject\",\"tls.client.supported_ciphers\",\"tls.client.x509.alternative_names\",\"tls.client.x509.issuer.common_name\",\"tls.client.x509.issuer.country\",\"tls.client.x509.issuer.distinguished_name\",\"tls.client.x509.issuer.locality\",\"tls.client.x509.issuer.organization\",\"tls.client.x509.issuer.organizational_unit\",\"tls.client.x509.issuer.state_or_province\",\"tls.client.x509.not_after\",\"tls.client.x509.not_before\",\"tls.client.x509.public_key_algorithm\",\"tls.client.x509.public_key_curve\",\"tls.client.x509.public_key_exponent\",\"tls.client.x509.public_key_size\",\"tls.client.x509.serial_number\",\"tls.client.x509.signature_algorithm\",\"tls.client.x509.subject.common_name\",\"tls.client.x509.subject.country\",\"tls.client.x509.subject.distinguished_name\",\"tls.client.x509.subject.locality\",\"tls.client.x509.subject.organization\",\"tls.client.x509.subject.organizational_unit\",\"tls.client.x509.subject.state_or_province\",\"tls.client.x509.version_number\",\"tls.curve\"
,\"tls.established\",\"tls.next_protocol\",\"tls.resumed\",\"tls.server.certificate\",\"tls.server.certificate_chain\",\"tls.server.hash.md5\",\"tls.server.hash.sha1\",\"tls.server.hash.sha256\",\"tls.server.issuer\",\"tls.server.ja3s\",\"tls.server.not_after\",\"tls.server.not_before\",\"tls.server.subject\",\"tls.server.x509.alternative_names\",\"tls.server.x509.issuer.common_name\",\"tls.server.x509.issuer.country\",\"tls.server.x509.issuer.distinguished_name\",\"tls.server.x509.issuer.locality\",\"tls.server.x509.issuer.organization\",\"tls.server.x509.issuer.organizational_unit\",\"tls.server.x509.issuer.state_or_province\",\"tls.server.x509.not_after\",\"tls.server.x509.not_before\",\"tls.server.x509.public_key_algorithm\",\"tls.server.x509.public_key_curve\",\"tls.server.x509.public_key_exponent\",\"tls.server.x509.public_key_size\",\"tls.server.x509.serial_number\",\"tls.server.x509.signature_algorithm\",\"tls.server.x509.subject.common_name\",\"tls.server.x509.subject.country\",\"tls.server.x509.subject.distinguished_name\",\"tls.server.x509.subject.locality\",\"tls.server.x509.subject.organization\",\"tls.server.x509.subject.organizational_unit\",\"tls.server.x509.subject.state_or_province\",\"tls.server.x509.version_number\",\"tls.version\",\"tls.version_protocol\",\"trace.id\",\"traefik.access.backend_url\",\"traefik.access.frontend_name\",\"traefik.access.geoip.city_name\",\"traefik.access.geoip.continent_name\",\"traefik.access.geoip.country_iso_code\",\"traefik.access.geoip.location\",\"traefik.access.geoip.region_iso_code\",\"traefik.access.geoip.region_name\",\"traefik.access.request_count\",\"traefik.access.user_agent.device\",\"traefik.access.user_agent.name\",\"traefik.access.user_agent.original\",\"traefik.access.user_agent.os\",\"traefik.access.user_agent.os_name\",\"traefik.access.user_identifier\",\"transaction.id\",\"url.domain\",\"url.extension\",\"url.fragment\",\"url.full\",\"url.full.text\",\"url.original\",\"url.original.text\",\"url.pa
ssword\",\"url.path\",\"url.port\",\"url.query\",\"url.registered_domain\",\"url.scheme\",\"url.subdomain\",\"url.top_level_domain\",\"url.username\",\"user.audit.group.id\",\"user.audit.group.name\",\"user.audit.id\",\"user.audit.name\",\"user.domain\",\"user.effective.group.id\",\"user.effective.group.name\",\"user.effective.id\",\"user.effective.name\",\"user.email\",\"user.filesystem.group.id\",\"user.filesystem.group.name\",\"user.filesystem.id\",\"user.filesystem.name\",\"user.full_name\",\"user.full_name.text\",\"user.group.domain\",\"user.group.id\",\"user.group.name\",\"user.hash\",\"user.id\",\"user.name\",\"user.name.text\",\"user.owner.group.id\",\"user.owner.group.name\",\"user.owner.id\",\"user.owner.name\",\"user.roles\",\"user.saved.group.id\",\"user.saved.group.name\",\"user.saved.id\",\"user.saved.name\",\"user.terminal\",\"user_agent.device.name\",\"user_agent.name\",\"user_agent.original\",\"user_agent.original.text\",\"user_agent.os.family\",\"user_agent.os.full\",\"user_agent.os.full.text\",\"user_agent.os.full_name\",\"user_agent.os.kernel\",\"user_agent.os.name\",\"user_agent.os.name.text\",\"user_agent.os.platform\",\"user_agent.os.version\",\"user_agent.version\",\"vlan.id\",\"vlan.name\",\"vulnerability.category\",\"vulnerability.classification\",\"vulnerability.description\",\"vulnerability.description.text\",\"vulnerability.enumeration\",\"vulnerability.id\",\"vulnerability.reference\",\"vulnerability.report_id\",\"vulnerability.scanner.vendor\",\"vulnerability.score.base\",\"vulnerability.score.environmental\",\"vulnerability.score.temporal\",\"vulnerability.score.version\",\"vulnerability.severity\",\"x509.alternative_names\",\"x509.issuer.common_name\",\"x509.issuer.country\",\"x509.issuer.distinguished_name\",\"x509.issuer.locality\",\"x509.issuer.organization\",\"x509.issuer.organizational_unit\",\"x509.issuer.state_or_province\",\"x509.not_after\",\"x509.not_before\",\"x509.public_key_algorithm\",\"x509.public_key_curve\",\"x509.pu
blic_key_exponent\",\"x509.public_key_size\",\"x509.serial_number\",\"x509.signature_algorithm\",\"x509.subject.common_name\",\"x509.subject.country\",\"x509.subject.distinguished_name\",\"x509.subject.locality\",\"x509.subject.organization\",\"x509.subject.organizational_unit\",\"x509.subject.state_or_province\",\"x509.version_number\"],\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"hid_bravura_monitor.perf.kind\",\"negate\":false,\"params\":{\"query\":\"PerfAjax\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"hid_bravura_monitor.perf.kind\":\"PerfAjax\"}}}],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "PerfAjax", - "version": 1 - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-ad5f7180-1473-11eb-bb7b-bb041e8cf289", - "migrationVersion": { - "search": "7.9.3" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/hid_bravura_monitor/1.2.2/kibana/search/hid_bravura_monitor-be8c8b60-874f-11eb-a5be-4d72a1654030.json b/packages/hid_bravura_monitor/1.2.2/kibana/search/hid_bravura_monitor-be8c8b60-874f-11eb-a5be-4d72a1654030.json deleted file mode 100755 index 1dcfec3f81..0000000000 --- a/packages/hid_bravura_monitor/1.2.2/kibana/search/hid_bravura_monitor-be8c8b60-874f-11eb-a5be-4d72a1654030.json +++ /dev/null 
@@ -1,39 +0,0 @@ -{ - "attributes": { - "columns": [], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"fieldsFromSource\":[\"@timestamp\",\"_id\",\"_index\",\"_score\",\"_source\",\"_type\",\"agent.build.original\",\"agent.ephemeral_id\",\"agent.hostname\",\"agent.id\",\"agent.name\",\"agent.type\",\"agent.version\",\"apache.access.ssl.cipher\",\"apache.access.ssl.protocol\",\"apache.error.integration\",\"as.number\",\"as.organization.name\",\"as.organization.name.text\",\"auditd.log.a0\",\"auditd.log.addr\",\"auditd.log.item\",\"auditd.log.items\",\"auditd.log.laddr\",\"auditd.log.lport\",\"auditd.log.new_auid\",\"auditd.log.new_ses\",\"auditd.log.old_auid\",\"auditd.log.old_ses\",\"auditd.log.rport\",\"auditd.log.sequence\",\"auditd.log.tty\",\"azure.consumer_group\",\"azure.enqueued_time\",\"azure.eventhub\",\"azure.offset\",\"azure.partition_id\",\"azure.sequence_number\",\"client.address\",\"client.as.number\",\"client.as.organization.name\",\"client.as.organization.name.text\",\"client.bytes\",\"client.domain\",\"client.geo.city_name\",\"client.geo.continent_name\",\"client.geo.country_iso_code\",\"client.geo.country_name\",\"client.geo.location\",\"client.geo.name\",\"client.geo.region_iso_code\",\"client.geo.region_name\",\"client.ip\",\"client.mac\",\"client.nat.ip\",\"client.nat.port\",\"client.packets\",\"client.port\",\"client.registered_domain\",\"client.subdomain\",\"client.top_level_domain\",\"client.user.domain\",\"client.user.email\",\"client.user.full_name\",\"client.user.full_name.text\",\"client.user.group.domain\",\"client.user.group.id\",\"client.user.group.name\",\"client.user.hash\",\"client.user.id\",\"client.user.name\",\"client.user.name.text\",\"client.user.roles\",\"cloud.account.id\",\"cloud.account.name\",\"cloud.availability_zone\",\"cloud.image.id\",\"cloud.instance.id\",\"cloud.instance.name\",\"cloud.machine.type\",\"cloud.project.id\",\"cloud.project.name\",\"cloud.provider\",\"cloud.region
\",\"code_signature.exists\",\"code_signature.status\",\"code_signature.subject_name\",\"code_signature.trusted\",\"code_signature.valid\",\"container.id\",\"container.image.name\",\"container.image.tag\",\"container.name\",\"container.runtime\",\"destination.address\",\"destination.as.number\",\"destination.as.organization.name\",\"destination.as.organization.name.text\",\"destination.bytes\",\"destination.domain\",\"destination.geo.city_name\",\"destination.geo.continent_name\",\"destination.geo.country_iso_code\",\"destination.geo.country_name\",\"destination.geo.location\",\"destination.geo.name\",\"destination.geo.region_iso_code\",\"destination.geo.region_name\",\"destination.ip\",\"destination.mac\",\"destination.nat.ip\",\"destination.nat.port\",\"destination.packets\",\"destination.port\",\"destination.registered_domain\",\"destination.subdomain\",\"destination.top_level_domain\",\"destination.user.domain\",\"destination.user.email\",\"destination.user.full_name\",\"destination.user.full_name.text\",\"destination.user.group.domain\",\"destination.user.group.id\",\"destination.user.group.name\",\"destination.user.hash\",\"destination.user.id\",\"destination.user.name\",\"destination.user.name.text\",\"destination.user.roles\",\"dll.code_signature.exists\",\"dll.code_signature.status\",\"dll.code_signature.subject_name\",\"dll.code_signature.trusted\",\"dll.code_signature.valid\",\"dll.hash.md5\",\"dll.hash.sha1\",\"dll.hash.sha256\",\"dll.hash.sha512\",\"dll.name\",\"dll.path\",\"dll.pe.architecture\",\"dll.pe.company\",\"dll.pe.description\",\"dll.pe.file_version\",\"dll.pe.imphash\",\"dll.pe.original_file_name\",\"dll.pe.product\",\"dns.answers.class\",\"dns.answers.data\",\"dns.answers.name\",\"dns.answers.ttl\",\"dns.answers.type\",\"dns.header_flags\",\"dns.id\",\"dns.op_code\",\"dns.question.class\",\"dns.question.name\",\"dns.question.registered_domain\",\"dns.question.subdomain\",\"dns.question.top_level_domain\",\"dns.question.type\",\"dns.resolved_
ip\",\"dns.response_code\",\"dns.type\",\"ecs.version\",\"elasticsearch.audit.action\",\"elasticsearch.audit.event_type\",\"elasticsearch.audit.indices\",\"elasticsearch.audit.layer\",\"elasticsearch.audit.message\",\"elasticsearch.audit.origin.type\",\"elasticsearch.audit.realm\",\"elasticsearch.audit.request.id\",\"elasticsearch.audit.request.name\",\"elasticsearch.audit.url.params\",\"elasticsearch.audit.user.realm\",\"elasticsearch.audit.user.roles\",\"elasticsearch.cluster.name\",\"elasticsearch.cluster.uuid\",\"elasticsearch.component\",\"elasticsearch.gc.heap.size_kb\",\"elasticsearch.gc.heap.used_kb\",\"elasticsearch.gc.jvm_runtime_sec\",\"elasticsearch.gc.old_gen.size_kb\",\"elasticsearch.gc.old_gen.used_kb\",\"elasticsearch.gc.phase.class_unload_time_sec\",\"elasticsearch.gc.phase.cpu_time.real_sec\",\"elasticsearch.gc.phase.cpu_time.sys_sec\",\"elasticsearch.gc.phase.cpu_time.user_sec\",\"elasticsearch.gc.phase.duration_sec\",\"elasticsearch.gc.phase.name\",\"elasticsearch.gc.phase.parallel_rescan_time_sec\",\"elasticsearch.gc.phase.scrub_string_table_time_sec\",\"elasticsearch.gc.phase.scrub_symbol_table_time_sec\",\"elasticsearch.gc.phase.weak_refs_processing_time_sec\",\"elasticsearch.gc.stopping_threads_time_sec\",\"elasticsearch.gc.tags\",\"elasticsearch.gc.threads_total_stop_time_sec\",\"elasticsearch.gc.young_gen.size_kb\",\"elasticsearch.gc.young_gen.used_kb\",\"elasticsearch.index.id\",\"elasticsearch.index.name\",\"elasticsearch.node.id\",\"elasticsearch.node.name\",\"elasticsearch.server.gc.collection_duration.ms\",\"elasticsearch.server.gc.observation_duration.ms\",\"elasticsearch.server.gc.overhead_seq\",\"elasticsearch.server.gc.young.one\",\"elasticsearch.server.gc.young.two\",\"elasticsearch.server.stacktrace\",\"elasticsearch.shard.id\",\"elasticsearch.slowlog.extra_source\",\"elasticsearch.slowlog.id\",\"elasticsearch.slowlog.logger\",\"elasticsearch.slowlog.routing\",\"elasticsearch.slowlog.search_type\",\"elasticsearch.slowlog.source\"
,\"elasticsearch.slowlog.source_query\",\"elasticsearch.slowlog.stats\",\"elasticsearch.slowlog.took\",\"elasticsearch.slowlog.total_hits\",\"elasticsearch.slowlog.total_shards\",\"elasticsearch.slowlog.type\",\"elasticsearch.slowlog.types\",\"error.code\",\"error.id\",\"error.message\",\"error.stack_trace\",\"error.stack_trace.text\",\"error.type\",\"event.action\",\"event.category\",\"event.code\",\"event.created\",\"data_stream.dataset\",\"event.duration\",\"event.end\",\"event.hash\",\"event.id\",\"event.ingested\",\"event.kind\",\"event.integration\",\"event.original\",\"event.outcome\",\"event.provider\",\"event.reason\",\"event.reference\",\"event.risk_score\",\"event.risk_score_norm\",\"event.sequence\",\"event.severity\",\"event.start\",\"event.timezone\",\"event.type\",\"event.url\",\"file.accessed\",\"file.attributes\",\"file.code_signature.exists\",\"file.code_signature.status\",\"file.code_signature.subject_name\",\"file.code_signature.trusted\",\"file.code_signature.valid\",\"file.created\",\"file.ctime\",\"file.device\",\"file.directory\",\"file.drive_letter\",\"file.extension\",\"file.gid\",\"file.group\",\"file.hash.md5\",\"file.hash.sha1\",\"file.hash.sha256\",\"file.hash.sha512\",\"file.inode\",\"file.mime_type\",\"file.mode\",\"file.mtime\",\"file.name\",\"file.owner\",\"file.path\",\"file.path.text\",\"file.pe.architecture\",\"file.pe.company\",\"file.pe.description\",\"file.pe.file_version\",\"file.pe.imphash\",\"file.pe.original_file_name\",\"file.pe.product\",\"file.size\",\"file.target_path\",\"file.target_path.text\",\"file.type\",\"file.uid\",\"file.x509.alternative_names\",\"file.x509.issuer.common_name\",\"file.x509.issuer.country\",\"file.x509.issuer.distinguished_name\",\"file.x509.issuer.locality\",\"file.x509.issuer.organization\",\"file.x509.issuer.organizational_unit\",\"file.x509.issuer.state_or_province\",\"file.x509.not_after\",\"file.x509.not_before\",\"file.x509.public_key_algorithm\",\"file.x509.public_key_curve\",\"file.x509
.public_key_exponent\",\"file.x509.public_key_size\",\"file.x509.serial_number\",\"file.x509.signature_algorithm\",\"file.x509.subject.common_name\",\"file.x509.subject.country\",\"file.x509.subject.distinguished_name\",\"file.x509.subject.locality\",\"file.x509.subject.organization\",\"file.x509.subject.organizational_unit\",\"file.x509.subject.state_or_province\",\"file.x509.version_number\",\"fileset.name\",\"geo.city_name\",\"geo.continent_name\",\"geo.country_iso_code\",\"geo.country_name\",\"geo.location\",\"geo.name\",\"geo.region_iso_code\",\"geo.region_name\",\"group.domain\",\"group.id\",\"group.name\",\"haproxy.backend_name\",\"haproxy.backend_queue\",\"haproxy.bind_name\",\"haproxy.bytes_read\",\"haproxy.connection_wait_time_ms\",\"haproxy.connections.active\",\"haproxy.connections.backend\",\"haproxy.connections.frontend\",\"haproxy.connections.retries\",\"haproxy.connections.server\",\"haproxy.error_message\",\"haproxy.frontend_name\",\"haproxy.http.request.captured_cookie\",\"haproxy.http.request.captured_headers\",\"haproxy.http.request.raw_request_line\",\"haproxy.http.request.time_wait_ms\",\"haproxy.http.request.time_wait_without_data_ms\",\"haproxy.http.response.captured_cookie\",\"haproxy.http.response.captured_headers\",\"haproxy.mode\",\"haproxy.server_name\",\"haproxy.server_queue\",\"haproxy.source\",\"haproxy.tcp.connection_waiting_time_ms\",\"haproxy.termination_state\",\"haproxy.time_backend_connect\",\"haproxy.time_queue\",\"haproxy.total_waiting_time_ms\",\"hash.md5\",\"hash.sha1\",\"hash.sha256\",\"hash.sha512\",\"hid_bravura_monitor.instancename\",\"hid_bravura_monitor.node\",\"hid_bravura_monitor.perf.address\",\"hid_bravura_monitor.perf.address\",\"hid_bravura_monitor.perf.adminid\",\"hid_bravura_monitor.perf.adminid\",\"hid_bravura_monitor.perf.dbcommand\",\"hid_bravura_monitor.perf.dbcommand\",\"hid_bravura_monitor.perf.destination\",\"hid_bravura_monitor.perf.duration\",\"hid_bravura_monitor.perf.event\",\"hid_bravura_monitor.per
f.event\",\"hid_bravura_monitor.perf.exe\",\"hid_bravura_monitor.perf.exe\",\"hid_bravura_monitor.perf.file\",\"hid_bravura_monitor.perf.function\",\"hid_bravura_monitor.perf.function\",\"hid_bravura_monitor.perf.kernel\",\"hid_bravura_monitor.perf.kind\",\"hid_bravura_monitor.perf.kind\",\"hid_bravura_monitor.perf.message\",\"hid_bravura_monitor.perf.message\",\"hid_bravura_monitor.perf.operation\",\"hid_bravura_monitor.perf.operation\",\"hid_bravura_monitor.perf.receivequeue\",\"hid_bravura_monitor.perf.receivequeue\",\"hid_bravura_monitor.perf.records\",\"hid_bravura_monitor.perf.result\",\"hid_bravura_monitor.perf.result\",\"hid_bravura_monitor.perf.rule\",\"hid_bravura_monitor.perf.sessionid\",\"hid_bravura_monitor.perf.sessionid\",\"hid_bravura_monitor.perf.sysid\",\"hid_bravura_monitor.perf.sysid\",\"hid_bravura_monitor.perf.table\",\"hid_bravura_monitor.perf.table\",\"hid_bravura_monitor.perf.targetid\",\"hid_bravura_monitor.perf.targetid\",\"hid_bravura_monitor.perf.transid\",\"hid_bravura_monitor.perf.transid\",\"hid_bravura_monitor.perf.type\",\"hid_bravura_monitor.perf.user\",\"hid_bravura_monitor.request.id\",\"hid_bravura_monitor.request.id\",\"host.architecture\",\"host.containerized\",\"host.domain\",\"host.geo.city_name\",\"host.geo.continent_name\",\"host.geo.country_iso_code\",\"host.geo.country_name\",\"host.geo.location\",\"host.geo.name\",\"host.geo.region_iso_code\",\"host.geo.region_name\",\"host.hostname\",\"host.id\",\"host.ip\",\"host.mac\",\"host.name\",\"host.os.build\",\"host.os.codename\",\"host.os.family\",\"host.os.full\",\"host.os.full.text\",\"host.os.kernel\",\"host.os.name\",\"host.os.name.text\",\"host.os.platform\",\"host.os.version\",\"host.type\",\"host.uptime\",\"host.user.domain\",\"host.user.email\",\"host.user.full_name\",\"host.user.full_name.text\",\"host.user.group.domain\",\"host.user.group.id\",\"host.user.group.name\",\"host.user.hash\",\"host.user.id\",\"host.user.name\",\"host.user.name.text\",\"host.user.roles\",
\"http.request.body.bytes\",\"http.request.body.content\",\"http.request.body.content.text\",\"http.request.bytes\",\"http.request.method\",\"http.request.mime_type\",\"http.request.referrer\",\"http.response.body.bytes\",\"http.response.body.content\",\"http.response.body.content.text\",\"http.response.bytes\",\"http.response.mime_type\",\"http.response.status_code\",\"http.version\",\"icinga.debug.facility\",\"icinga.main.facility\",\"icinga.startup.facility\",\"icmp.code\",\"icmp.type\",\"igmp.type\",\"iis.access.cookie\",\"iis.access.server_name\",\"iis.access.site_name\",\"iis.access.sub_status\",\"iis.access.win32_status\",\"iis.error.queue_name\",\"iis.error.reason_phrase\",\"input.type\",\"interface.alias\",\"interface.id\",\"interface.name\",\"jolokia.agent.id\",\"jolokia.agent.version\",\"jolokia.secured\",\"jolokia.server.product\",\"jolokia.server.vendor\",\"jolokia.server.version\",\"jolokia.url\",\"kafka.block_timestamp\",\"kafka.key\",\"kafka.log.class\",\"kafka.log.component\",\"kafka.log.thread\",\"kafka.log.trace.class\",\"kafka.log.trace.message\",\"kafka.offset\",\"kafka.partition\",\"kafka.topic\",\"kibana.add_to_spaces\",\"kibana.authentication_provider\",\"kibana.authentication_realm\",\"kibana.authentication_type\",\"kibana.delete_from_spaces\",\"kibana.log.state\",\"kibana.log.tags\",\"kibana.lookup_realm\",\"kibana.saved_object.id\",\"kibana.saved_object.type\",\"kibana.session_id\",\"kibana.space_id\",\"kubernetes.container.image\",\"kubernetes.container.name\",\"kubernetes.deployment.name\",\"kubernetes.namespace\",\"kubernetes.node.hostname\",\"kubernetes.node.name\",\"kubernetes.pod.name\",\"kubernetes.pod.uid\",\"kubernetes.replicaset.name\",\"kubernetes.statefulset.name\",\"log.file.path\",\"log.flags\",\"log.level\",\"log.logger\",\"log.offset\",\"log.origin.file.line\",\"log.origin.file.name\",\"log.origin.function\",\"log.original\",\"log.source.address\",\"log.syslog.facility.code\",\"log.syslog.facility.name\",\"log.syslog.priori
ty\",\"log.syslog.severity.code\",\"log.syslog.severity.name\",\"logstash.log.integration\",\"logstash.log.pipeline_id\",\"logstash.log.thread\",\"logstash.log.thread.text\",\"logstash.slowlog.event\",\"logstash.slowlog.event.text\",\"logstash.slowlog.integration\",\"logstash.slowlog.plugin_name\",\"logstash.slowlog.plugin_params\",\"logstash.slowlog.plugin_params.text\",\"logstash.slowlog.plugin_type\",\"logstash.slowlog.thread\",\"logstash.slowlog.thread.text\",\"logstash.slowlog.took_in_millis\",\"message\",\"mongodb.log.component\",\"mongodb.log.context\",\"mysql.slowlog.bytes_received\",\"mysql.slowlog.bytes_sent\",\"mysql.slowlog.current_user\",\"mysql.slowlog.filesort\",\"mysql.slowlog.filesort_on_disk\",\"mysql.slowlog.full_join\",\"mysql.slowlog.full_scan\",\"mysql.slowlog.innodb.io_r_bytes\",\"mysql.slowlog.innodb.io_r_ops\",\"mysql.slowlog.innodb.io_r_wait.sec\",\"mysql.slowlog.innodb.pages_distinct\",\"mysql.slowlog.innodb.queue_wait.sec\",\"mysql.slowlog.innodb.rec_lock_wait.sec\",\"mysql.slowlog.innodb.trx_id\",\"mysql.slowlog.killed\",\"mysql.slowlog.last_errno\",\"mysql.slowlog.lock_time.sec\",\"mysql.slowlog.log_slow_rate_limit\",\"mysql.slowlog.log_slow_rate_type\",\"mysql.slowlog.merge_passes\",\"mysql.slowlog.priority_queue\",\"mysql.slowlog.query\",\"mysql.slowlog.query_cache_hit\",\"mysql.slowlog.read_first\",\"mysql.slowlog.read_key\",\"mysql.slowlog.read_last\",\"mysql.slowlog.read_next\",\"mysql.slowlog.read_prev\",\"mysql.slowlog.read_rnd\",\"mysql.slowlog.read_rnd_next\",\"mysql.slowlog.rows_affected\",\"mysql.slowlog.rows_examined\",\"mysql.slowlog.rows_sent\",\"mysql.slowlog.schema\",\"mysql.slowlog.sort_merge_passes\",\"mysql.slowlog.sort_range_count\",\"mysql.slowlog.sort_rows\",\"mysql.slowlog.sort_scan_count\",\"mysql.slowlog.tmp_disk_tables\",\"mysql.slowlog.tmp_table\",\"mysql.slowlog.tmp_table_on_disk\",\"mysql.slowlog.tmp_table_sizes\",\"mysql.slowlog.tmp_tables\",\"mysql.thread_id\",\"nats.log.client.id\",\"nats.log.msg.bytes\",
\"nats.log.msg.error.message\",\"nats.log.msg.max_messages\",\"nats.log.msg.queue_group\",\"nats.log.msg.reply_to\",\"nats.log.msg.sid\",\"nats.log.msg.subject\",\"nats.log.msg.type\",\"network.application\",\"network.bytes\",\"network.community_id\",\"network.direction\",\"network.forwarded_ip\",\"network.iana_number\",\"network.inner.vlan.id\",\"network.inner.vlan.name\",\"network.name\",\"network.packets\",\"network.protocol\",\"network.transport\",\"network.type\",\"network.vlan.id\",\"network.vlan.name\",\"nginx.error.connection_id\",\"nginx.ingress_controller.http.request.id\",\"nginx.ingress_controller.http.request.length\",\"nginx.ingress_controller.http.request.time\",\"nginx.ingress_controller.upstream.alternative_name\",\"nginx.ingress_controller.upstream.ip\",\"nginx.ingress_controller.upstream.name\",\"nginx.ingress_controller.upstream.port\",\"nginx.ingress_controller.upstream.response.length\",\"nginx.ingress_controller.upstream.response.length_list\",\"nginx.ingress_controller.upstream.response.status_code\",\"nginx.ingress_controller.upstream.response.status_code_list\",\"nginx.ingress_controller.upstream.response.time\",\"nginx.ingress_controller.upstream.response.time_list\",\"nginx.ingress_controller.upstream_address_list\",\"observer.egress.interface.alias\",\"observer.egress.interface.id\",\"observer.egress.interface.name\",\"observer.egress.vlan.id\",\"observer.egress.vlan.name\",\"observer.egress.zone\",\"observer.geo.city_name\",\"observer.geo.continent_name\",\"observer.geo.country_iso_code\",\"observer.geo.country_name\",\"observer.geo.location\",\"observer.geo.name\",\"observer.geo.region_iso_code\",\"observer.geo.region_name\",\"observer.hostname\",\"observer.ingress.interface.alias\",\"observer.ingress.interface.id\",\"observer.ingress.interface.name\",\"observer.ingress.vlan.id\",\"observer.ingress.vlan.name\",\"observer.ingress.zone\",\"observer.ip\",\"observer.mac\",\"observer.name\",\"observer.os.family\",\"observer.os.full\",\"obse
rver.os.full.text\",\"observer.os.kernel\",\"observer.os.name\",\"observer.os.name.text\",\"observer.os.platform\",\"observer.os.version\",\"observer.product\",\"observer.serial_number\",\"observer.type\",\"observer.vendor\",\"observer.version\",\"organization.id\",\"organization.name\",\"organization.name.text\",\"os.family\",\"os.full\",\"os.full.text\",\"os.kernel\",\"os.name\",\"os.name.text\",\"os.platform\",\"os.version\",\"osquery.result.action\",\"osquery.result.calendar_time\",\"osquery.result.host_identifier\",\"osquery.result.name\",\"osquery.result.unix_time\",\"package.architecture\",\"package.build_version\",\"package.checksum\",\"package.description\",\"package.install_scope\",\"package.installed\",\"package.license\",\"package.name\",\"package.path\",\"package.reference\",\"package.size\",\"package.type\",\"package.version\",\"pe.architecture\",\"pe.company\",\"pe.description\",\"pe.file_version\",\"pe.imphash\",\"pe.original_file_name\",\"pe.product\",\"postgresql.log.core_id\",\"postgresql.log.database\",\"postgresql.log.error.code\",\"postgresql.log.query\",\"postgresql.log.query_name\",\"postgresql.log.query_step\",\"postgresql.log.timestamp\",\"process.args\",\"process.args_count\",\"process.code_signature.exists\",\"process.code_signature.status\",\"process.code_signature.subject_name\",\"process.code_signature.trusted\",\"process.code_signature.valid\",\"process.command_line\",\"process.command_line.text\",\"process.entity_id\",\"process.executable\",\"process.executable.text\",\"process.exit_code\",\"process.hash.md5\",\"process.hash.sha1\",\"process.hash.sha256\",\"process.hash.sha512\",\"process.name\",\"process.name.text\",\"process.parent.args\",\"process.parent.args_count\",\"process.parent.code_signature.exists\",\"process.parent.code_signature.status\",\"process.parent.code_signature.subject_name\",\"process.parent.code_signature.trusted\",\"process.parent.code_signature.valid\",\"process.parent.command_line\",\"process.parent.command_
line.text\",\"process.parent.entity_id\",\"process.parent.executable\",\"process.parent.executable.text\",\"process.parent.exit_code\",\"process.parent.hash.md5\",\"process.parent.hash.sha1\",\"process.parent.hash.sha256\",\"process.parent.hash.sha512\",\"process.parent.name\",\"process.parent.name.text\",\"process.parent.pe.architecture\",\"process.parent.pe.company\",\"process.parent.pe.description\",\"process.parent.pe.file_version\",\"process.parent.pe.imphash\",\"process.parent.pe.original_file_name\",\"process.parent.pe.product\",\"process.parent.pgid\",\"process.parent.pid\",\"process.parent.ppid\",\"process.parent.start\",\"process.parent.thread.id\",\"process.parent.thread.name\",\"process.parent.title\",\"process.parent.title.text\",\"process.parent.uptime\",\"process.parent.working_directory\",\"process.parent.working_directory.text\",\"process.pe.architecture\",\"process.pe.company\",\"process.pe.description\",\"process.pe.file_version\",\"process.pe.imphash\",\"process.pe.original_file_name\",\"process.pe.product\",\"process.pgid\",\"process.pid\",\"process.ppid\",\"process.program\",\"process.start\",\"process.thread.id\",\"process.thread.name\",\"process.title\",\"process.title.text\",\"process.uptime\",\"process.working_directory\",\"process.working_directory.text\",\"redis.log.role\",\"redis.slowlog.args\",\"redis.slowlog.cmd\",\"redis.slowlog.duration.us\",\"redis.slowlog.id\",\"redis.slowlog.key\",\"registry.data.bytes\",\"registry.data.strings\",\"registry.data.type\",\"registry.hive\",\"registry.key\",\"registry.path\",\"registry.value\",\"related.hash\",\"related.hosts\",\"related.ip\",\"related.user\",\"rule.author\",\"rule.category\",\"rule.description\",\"rule.id\",\"rule.license\",\"rule.name\",\"rule.reference\",\"rule.ruleset\",\"rule.uuid\",\"rule.version\",\"santa.action\",\"santa.certificate.common_name\",\"santa.certificate.sha256\",\"santa.decision\",\"santa.disk.bsdname\",\"santa.disk.bus\",\"santa.disk.fs\",\"santa.disk.model\",\"s
anta.disk.mount\",\"santa.disk.serial\",\"santa.disk.volume\",\"santa.mode\",\"santa.reason\",\"server.address\",\"server.as.number\",\"server.as.organization.name\",\"server.as.organization.name.text\",\"server.bytes\",\"server.domain\",\"server.geo.city_name\",\"server.geo.continent_name\",\"server.geo.country_iso_code\",\"server.geo.country_name\",\"server.geo.location\",\"server.geo.name\",\"server.geo.region_iso_code\",\"server.geo.region_name\",\"server.ip\",\"server.mac\",\"server.nat.ip\",\"server.nat.port\",\"server.packets\",\"server.port\",\"server.registered_domain\",\"server.subdomain\",\"server.top_level_domain\",\"server.user.domain\",\"server.user.email\",\"server.user.full_name\",\"server.user.full_name.text\",\"server.user.group.domain\",\"server.user.group.id\",\"server.user.group.name\",\"server.user.hash\",\"server.user.id\",\"server.user.name\",\"server.user.name.text\",\"server.user.roles\",\"service.ephemeral_id\",\"service.id\",\"service.name\",\"service.node.name\",\"service.state\",\"service.type\",\"service.version\",\"source.address\",\"source.as.number\",\"source.as.organization.name\",\"source.as.organization.name.text\",\"source.bytes\",\"source.domain\",\"source.geo.city_name\",\"source.geo.continent_name\",\"source.geo.country_iso_code\",\"source.geo.country_name\",\"source.geo.location\",\"source.geo.name\",\"source.geo.region_iso_code\",\"source.geo.region_name\",\"source.ip\",\"source.mac\",\"source.nat.ip\",\"source.nat.port\",\"source.packets\",\"source.port\",\"source.registered_domain\",\"source.subdomain\",\"source.top_level_domain\",\"source.user.domain\",\"source.user.email\",\"source.user.full_name\",\"source.user.full_name.text\",\"source.user.group.domain\",\"source.user.group.id\",\"source.user.group.name\",\"source.user.hash\",\"source.user.id\",\"source.user.name\",\"source.user.name.text\",\"source.user.roles\",\"span.id\",\"stream\",\"syslog.facility\",\"syslog.facility_label\",\"syslog.priority\",\"syslog.severity
_label\",\"system.auth.ssh.dropped_ip\",\"system.auth.ssh.event\",\"system.auth.ssh.method\",\"system.auth.ssh.signature\",\"system.auth.sudo.command\",\"system.auth.sudo.error\",\"system.auth.sudo.pwd\",\"system.auth.sudo.tty\",\"system.auth.sudo.user\",\"system.auth.useradd.home\",\"system.auth.useradd.shell\",\"tags\",\"threat.framework\",\"threat.tactic.id\",\"threat.tactic.name\",\"threat.tactic.reference\",\"threat.technique.id\",\"threat.technique.name\",\"threat.technique.name.text\",\"threat.technique.reference\",\"threat.technique.subtechnique.id\",\"threat.technique.subtechnique.name\",\"threat.technique.subtechnique.name.text\",\"threat.technique.subtechnique.reference\",\"timeseries.instance\",\"tls.cipher\",\"tls.client.certificate\",\"tls.client.certificate_chain\",\"tls.client.hash.md5\",\"tls.client.hash.sha1\",\"tls.client.hash.sha256\",\"tls.client.issuer\",\"tls.client.ja3\",\"tls.client.not_after\",\"tls.client.not_before\",\"tls.client.server_name\",\"tls.client.subject\",\"tls.client.supported_ciphers\",\"tls.client.x509.alternative_names\",\"tls.client.x509.issuer.common_name\",\"tls.client.x509.issuer.country\",\"tls.client.x509.issuer.distinguished_name\",\"tls.client.x509.issuer.locality\",\"tls.client.x509.issuer.organization\",\"tls.client.x509.issuer.organizational_unit\",\"tls.client.x509.issuer.state_or_province\",\"tls.client.x509.not_after\",\"tls.client.x509.not_before\",\"tls.client.x509.public_key_algorithm\",\"tls.client.x509.public_key_curve\",\"tls.client.x509.public_key_exponent\",\"tls.client.x509.public_key_size\",\"tls.client.x509.serial_number\",\"tls.client.x509.signature_algorithm\",\"tls.client.x509.subject.common_name\",\"tls.client.x509.subject.country\",\"tls.client.x509.subject.distinguished_name\",\"tls.client.x509.subject.locality\",\"tls.client.x509.subject.organization\",\"tls.client.x509.subject.organizational_unit\",\"tls.client.x509.subject.state_or_province\",\"tls.client.x509.version_number\",\"tls.curve\"
,\"tls.established\",\"tls.next_protocol\",\"tls.resumed\",\"tls.server.certificate\",\"tls.server.certificate_chain\",\"tls.server.hash.md5\",\"tls.server.hash.sha1\",\"tls.server.hash.sha256\",\"tls.server.issuer\",\"tls.server.ja3s\",\"tls.server.not_after\",\"tls.server.not_before\",\"tls.server.subject\",\"tls.server.x509.alternative_names\",\"tls.server.x509.issuer.common_name\",\"tls.server.x509.issuer.country\",\"tls.server.x509.issuer.distinguished_name\",\"tls.server.x509.issuer.locality\",\"tls.server.x509.issuer.organization\",\"tls.server.x509.issuer.organizational_unit\",\"tls.server.x509.issuer.state_or_province\",\"tls.server.x509.not_after\",\"tls.server.x509.not_before\",\"tls.server.x509.public_key_algorithm\",\"tls.server.x509.public_key_curve\",\"tls.server.x509.public_key_exponent\",\"tls.server.x509.public_key_size\",\"tls.server.x509.serial_number\",\"tls.server.x509.signature_algorithm\",\"tls.server.x509.subject.common_name\",\"tls.server.x509.subject.country\",\"tls.server.x509.subject.distinguished_name\",\"tls.server.x509.subject.locality\",\"tls.server.x509.subject.organization\",\"tls.server.x509.subject.organizational_unit\",\"tls.server.x509.subject.state_or_province\",\"tls.server.x509.version_number\",\"tls.version\",\"tls.version_protocol\",\"trace.id\",\"traefik.access.backend_url\",\"traefik.access.frontend_name\",\"traefik.access.geoip.city_name\",\"traefik.access.geoip.continent_name\",\"traefik.access.geoip.country_iso_code\",\"traefik.access.geoip.location\",\"traefik.access.geoip.region_iso_code\",\"traefik.access.geoip.region_name\",\"traefik.access.request_count\",\"traefik.access.user_agent.device\",\"traefik.access.user_agent.name\",\"traefik.access.user_agent.original\",\"traefik.access.user_agent.os\",\"traefik.access.user_agent.os_name\",\"traefik.access.user_identifier\",\"transaction.id\",\"url.domain\",\"url.extension\",\"url.fragment\",\"url.full\",\"url.full.text\",\"url.original\",\"url.original.text\",\"url.pa
ssword\",\"url.path\",\"url.port\",\"url.query\",\"url.registered_domain\",\"url.scheme\",\"url.subdomain\",\"url.top_level_domain\",\"url.username\",\"user.audit.group.id\",\"user.audit.group.name\",\"user.audit.id\",\"user.audit.name\",\"user.domain\",\"user.effective.group.id\",\"user.effective.group.name\",\"user.effective.id\",\"user.effective.name\",\"user.email\",\"user.filesystem.group.id\",\"user.filesystem.group.name\",\"user.filesystem.id\",\"user.filesystem.name\",\"user.full_name\",\"user.full_name.text\",\"user.group.domain\",\"user.group.id\",\"user.group.name\",\"user.hash\",\"user.id\",\"user.name\",\"user.name.text\",\"user.owner.group.id\",\"user.owner.group.name\",\"user.owner.id\",\"user.owner.name\",\"user.roles\",\"user.saved.group.id\",\"user.saved.group.name\",\"user.saved.id\",\"user.saved.name\",\"user.terminal\",\"user_agent.device.name\",\"user_agent.name\",\"user_agent.original\",\"user_agent.original.text\",\"user_agent.os.family\",\"user_agent.os.full\",\"user_agent.os.full.text\",\"user_agent.os.full_name\",\"user_agent.os.kernel\",\"user_agent.os.name\",\"user_agent.os.name.text\",\"user_agent.os.platform\",\"user_agent.os.version\",\"user_agent.version\",\"vlan.id\",\"vlan.name\",\"vulnerability.category\",\"vulnerability.classification\",\"vulnerability.description\",\"vulnerability.description.text\",\"vulnerability.enumeration\",\"vulnerability.id\",\"vulnerability.reference\",\"vulnerability.report_id\",\"vulnerability.scanner.vendor\",\"vulnerability.score.base\",\"vulnerability.score.environmental\",\"vulnerability.score.temporal\",\"vulnerability.score.version\",\"vulnerability.severity\",\"x509.alternative_names\",\"x509.issuer.common_name\",\"x509.issuer.country\",\"x509.issuer.distinguished_name\",\"x509.issuer.locality\",\"x509.issuer.organization\",\"x509.issuer.organizational_unit\",\"x509.issuer.state_or_province\",\"x509.not_after\",\"x509.not_before\",\"x509.public_key_algorithm\",\"x509.public_key_curve\",\"x509.pu
blic_key_exponent\",\"x509.public_key_size\",\"x509.serial_number\",\"x509.signature_algorithm\",\"x509.subject.common_name\",\"x509.subject.country\",\"x509.subject.distinguished_name\",\"x509.subject.locality\",\"x509.subject.organization\",\"x509.subject.organizational_unit\",\"x509.subject.state_or_province\",\"x509.version_number\"],\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"log.logger\",\"negate\":false,\"params\":{\"query\":\"iddb.exe\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"log.logger\":\"iddb.exe\"}}}],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "Database Events", - "version": 1 - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-be8c8b60-874f-11eb-a5be-4d72a1654030", - "migrationVersion": { - "search": "7.9.3" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/hid_bravura_monitor/1.2.2/kibana/search/hid_bravura_monitor-bfc7f7c0-1473-11eb-bb7b-bb041e8cf289.json b/packages/hid_bravura_monitor/1.2.2/kibana/search/hid_bravura_monitor-bfc7f7c0-1473-11eb-bb7b-bb041e8cf289.json deleted file mode 100755 index f0c5cffd71..0000000000 --- a/packages/hid_bravura_monitor/1.2.2/kibana/search/hid_bravura_monitor-bfc7f7c0-1473-11eb-bb7b-bb041e8cf289.json +++ /dev/null 
@@ -1,39 +0,0 @@ -{ - "attributes": { - "columns": [], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"fieldsFromSource\":[\"@timestamp\",\"_id\",\"_index\",\"_score\",\"_source\",\"_type\",\"agent.build.original\",\"agent.ephemeral_id\",\"agent.hostname\",\"agent.id\",\"agent.name\",\"agent.type\",\"agent.version\",\"apache.access.ssl.cipher\",\"apache.access.ssl.protocol\",\"apache.error.integration\",\"as.number\",\"as.organization.name\",\"as.organization.name.text\",\"auditd.log.a0\",\"auditd.log.addr\",\"auditd.log.item\",\"auditd.log.items\",\"auditd.log.laddr\",\"auditd.log.lport\",\"auditd.log.new_auid\",\"auditd.log.new_ses\",\"auditd.log.old_auid\",\"auditd.log.old_ses\",\"auditd.log.rport\",\"auditd.log.sequence\",\"auditd.log.tty\",\"azure.consumer_group\",\"azure.enqueued_time\",\"azure.eventhub\",\"azure.offset\",\"azure.partition_id\",\"azure.sequence_number\",\"client.address\",\"client.as.number\",\"client.as.organization.name\",\"client.as.organization.name.text\",\"client.bytes\",\"client.domain\",\"client.geo.city_name\",\"client.geo.continent_name\",\"client.geo.country_iso_code\",\"client.geo.country_name\",\"client.geo.location\",\"client.geo.name\",\"client.geo.region_iso_code\",\"client.geo.region_name\",\"client.ip\",\"client.mac\",\"client.nat.ip\",\"client.nat.port\",\"client.packets\",\"client.port\",\"client.registered_domain\",\"client.subdomain\",\"client.top_level_domain\",\"client.user.domain\",\"client.user.email\",\"client.user.full_name\",\"client.user.full_name.text\",\"client.user.group.domain\",\"client.user.group.id\",\"client.user.group.name\",\"client.user.hash\",\"client.user.id\",\"client.user.name\",\"client.user.name.text\",\"client.user.roles\",\"cloud.account.id\",\"cloud.account.name\",\"cloud.availability_zone\",\"cloud.image.id\",\"cloud.instance.id\",\"cloud.instance.name\",\"cloud.machine.type\",\"cloud.project.id\",\"cloud.project.name\",\"cloud.provider\",\"cloud.region
\",\"code_signature.exists\",\"code_signature.status\",\"code_signature.subject_name\",\"code_signature.trusted\",\"code_signature.valid\",\"container.id\",\"container.image.name\",\"container.image.tag\",\"container.name\",\"container.runtime\",\"destination.address\",\"destination.as.number\",\"destination.as.organization.name\",\"destination.as.organization.name.text\",\"destination.bytes\",\"destination.domain\",\"destination.geo.city_name\",\"destination.geo.continent_name\",\"destination.geo.country_iso_code\",\"destination.geo.country_name\",\"destination.geo.location\",\"destination.geo.name\",\"destination.geo.region_iso_code\",\"destination.geo.region_name\",\"destination.ip\",\"destination.mac\",\"destination.nat.ip\",\"destination.nat.port\",\"destination.packets\",\"destination.port\",\"destination.registered_domain\",\"destination.subdomain\",\"destination.top_level_domain\",\"destination.user.domain\",\"destination.user.email\",\"destination.user.full_name\",\"destination.user.full_name.text\",\"destination.user.group.domain\",\"destination.user.group.id\",\"destination.user.group.name\",\"destination.user.hash\",\"destination.user.id\",\"destination.user.name\",\"destination.user.name.text\",\"destination.user.roles\",\"dll.code_signature.exists\",\"dll.code_signature.status\",\"dll.code_signature.subject_name\",\"dll.code_signature.trusted\",\"dll.code_signature.valid\",\"dll.hash.md5\",\"dll.hash.sha1\",\"dll.hash.sha256\",\"dll.hash.sha512\",\"dll.name\",\"dll.path\",\"dll.pe.architecture\",\"dll.pe.company\",\"dll.pe.description\",\"dll.pe.file_version\",\"dll.pe.imphash\",\"dll.pe.original_file_name\",\"dll.pe.product\",\"dns.answers.class\",\"dns.answers.data\",\"dns.answers.name\",\"dns.answers.ttl\",\"dns.answers.type\",\"dns.header_flags\",\"dns.id\",\"dns.op_code\",\"dns.question.class\",\"dns.question.name\",\"dns.question.registered_domain\",\"dns.question.subdomain\",\"dns.question.top_level_domain\",\"dns.question.type\",\"dns.resolved_
ip\",\"dns.response_code\",\"dns.type\",\"ecs.version\",\"elasticsearch.audit.action\",\"elasticsearch.audit.event_type\",\"elasticsearch.audit.indices\",\"elasticsearch.audit.layer\",\"elasticsearch.audit.message\",\"elasticsearch.audit.origin.type\",\"elasticsearch.audit.realm\",\"elasticsearch.audit.request.id\",\"elasticsearch.audit.request.name\",\"elasticsearch.audit.url.params\",\"elasticsearch.audit.user.realm\",\"elasticsearch.audit.user.roles\",\"elasticsearch.cluster.name\",\"elasticsearch.cluster.uuid\",\"elasticsearch.component\",\"elasticsearch.gc.heap.size_kb\",\"elasticsearch.gc.heap.used_kb\",\"elasticsearch.gc.jvm_runtime_sec\",\"elasticsearch.gc.old_gen.size_kb\",\"elasticsearch.gc.old_gen.used_kb\",\"elasticsearch.gc.phase.class_unload_time_sec\",\"elasticsearch.gc.phase.cpu_time.real_sec\",\"elasticsearch.gc.phase.cpu_time.sys_sec\",\"elasticsearch.gc.phase.cpu_time.user_sec\",\"elasticsearch.gc.phase.duration_sec\",\"elasticsearch.gc.phase.name\",\"elasticsearch.gc.phase.parallel_rescan_time_sec\",\"elasticsearch.gc.phase.scrub_string_table_time_sec\",\"elasticsearch.gc.phase.scrub_symbol_table_time_sec\",\"elasticsearch.gc.phase.weak_refs_processing_time_sec\",\"elasticsearch.gc.stopping_threads_time_sec\",\"elasticsearch.gc.tags\",\"elasticsearch.gc.threads_total_stop_time_sec\",\"elasticsearch.gc.young_gen.size_kb\",\"elasticsearch.gc.young_gen.used_kb\",\"elasticsearch.index.id\",\"elasticsearch.index.name\",\"elasticsearch.node.id\",\"elasticsearch.node.name\",\"elasticsearch.server.gc.collection_duration.ms\",\"elasticsearch.server.gc.observation_duration.ms\",\"elasticsearch.server.gc.overhead_seq\",\"elasticsearch.server.gc.young.one\",\"elasticsearch.server.gc.young.two\",\"elasticsearch.server.stacktrace\",\"elasticsearch.shard.id\",\"elasticsearch.slowlog.extra_source\",\"elasticsearch.slowlog.id\",\"elasticsearch.slowlog.logger\",\"elasticsearch.slowlog.routing\",\"elasticsearch.slowlog.search_type\",\"elasticsearch.slowlog.source\"
,\"elasticsearch.slowlog.source_query\",\"elasticsearch.slowlog.stats\",\"elasticsearch.slowlog.took\",\"elasticsearch.slowlog.total_hits\",\"elasticsearch.slowlog.total_shards\",\"elasticsearch.slowlog.type\",\"elasticsearch.slowlog.types\",\"error.code\",\"error.id\",\"error.message\",\"error.stack_trace\",\"error.stack_trace.text\",\"error.type\",\"event.action\",\"event.category\",\"event.code\",\"event.created\",\"data_stream.dataset\",\"event.duration\",\"event.end\",\"event.hash\",\"event.id\",\"event.ingested\",\"event.kind\",\"event.integration\",\"event.original\",\"event.outcome\",\"event.provider\",\"event.reason\",\"event.reference\",\"event.risk_score\",\"event.risk_score_norm\",\"event.sequence\",\"event.severity\",\"event.start\",\"event.timezone\",\"event.type\",\"event.url\",\"file.accessed\",\"file.attributes\",\"file.code_signature.exists\",\"file.code_signature.status\",\"file.code_signature.subject_name\",\"file.code_signature.trusted\",\"file.code_signature.valid\",\"file.created\",\"file.ctime\",\"file.device\",\"file.directory\",\"file.drive_letter\",\"file.extension\",\"file.gid\",\"file.group\",\"file.hash.md5\",\"file.hash.sha1\",\"file.hash.sha256\",\"file.hash.sha512\",\"file.inode\",\"file.mime_type\",\"file.mode\",\"file.mtime\",\"file.name\",\"file.owner\",\"file.path\",\"file.path.text\",\"file.pe.architecture\",\"file.pe.company\",\"file.pe.description\",\"file.pe.file_version\",\"file.pe.imphash\",\"file.pe.original_file_name\",\"file.pe.product\",\"file.size\",\"file.target_path\",\"file.target_path.text\",\"file.type\",\"file.uid\",\"file.x509.alternative_names\",\"file.x509.issuer.common_name\",\"file.x509.issuer.country\",\"file.x509.issuer.distinguished_name\",\"file.x509.issuer.locality\",\"file.x509.issuer.organization\",\"file.x509.issuer.organizational_unit\",\"file.x509.issuer.state_or_province\",\"file.x509.not_after\",\"file.x509.not_before\",\"file.x509.public_key_algorithm\",\"file.x509.public_key_curve\",\"file.x509
.public_key_exponent\",\"file.x509.public_key_size\",\"file.x509.serial_number\",\"file.x509.signature_algorithm\",\"file.x509.subject.common_name\",\"file.x509.subject.country\",\"file.x509.subject.distinguished_name\",\"file.x509.subject.locality\",\"file.x509.subject.organization\",\"file.x509.subject.organizational_unit\",\"file.x509.subject.state_or_province\",\"file.x509.version_number\",\"fileset.name\",\"geo.city_name\",\"geo.continent_name\",\"geo.country_iso_code\",\"geo.country_name\",\"geo.location\",\"geo.name\",\"geo.region_iso_code\",\"geo.region_name\",\"group.domain\",\"group.id\",\"group.name\",\"haproxy.backend_name\",\"haproxy.backend_queue\",\"haproxy.bind_name\",\"haproxy.bytes_read\",\"haproxy.connection_wait_time_ms\",\"haproxy.connections.active\",\"haproxy.connections.backend\",\"haproxy.connections.frontend\",\"haproxy.connections.retries\",\"haproxy.connections.server\",\"haproxy.error_message\",\"haproxy.frontend_name\",\"haproxy.http.request.captured_cookie\",\"haproxy.http.request.captured_headers\",\"haproxy.http.request.raw_request_line\",\"haproxy.http.request.time_wait_ms\",\"haproxy.http.request.time_wait_without_data_ms\",\"haproxy.http.response.captured_cookie\",\"haproxy.http.response.captured_headers\",\"haproxy.mode\",\"haproxy.server_name\",\"haproxy.server_queue\",\"haproxy.source\",\"haproxy.tcp.connection_waiting_time_ms\",\"haproxy.termination_state\",\"haproxy.time_backend_connect\",\"haproxy.time_queue\",\"haproxy.total_waiting_time_ms\",\"hash.md5\",\"hash.sha1\",\"hash.sha256\",\"hash.sha512\",\"hid_bravura_monitor.instancename\",\"hid_bravura_monitor.node\",\"hid_bravura_monitor.perf.address\",\"hid_bravura_monitor.perf.address\",\"hid_bravura_monitor.perf.adminid\",\"hid_bravura_monitor.perf.adminid\",\"hid_bravura_monitor.perf.dbcommand\",\"hid_bravura_monitor.perf.dbcommand\",\"hid_bravura_monitor.perf.destination\",\"hid_bravura_monitor.perf.duration\",\"hid_bravura_monitor.perf.event\",\"hid_bravura_monitor.per
f.event\",\"hid_bravura_monitor.perf.exe\",\"hid_bravura_monitor.perf.exe\",\"hid_bravura_monitor.perf.file\",\"hid_bravura_monitor.perf.function\",\"hid_bravura_monitor.perf.function\",\"hid_bravura_monitor.perf.kernel\",\"hid_bravura_monitor.perf.kind\",\"hid_bravura_monitor.perf.kind\",\"hid_bravura_monitor.perf.message\",\"hid_bravura_monitor.perf.message\",\"hid_bravura_monitor.perf.operation\",\"hid_bravura_monitor.perf.operation\",\"hid_bravura_monitor.perf.receivequeue\",\"hid_bravura_monitor.perf.receivequeue\",\"hid_bravura_monitor.perf.records\",\"hid_bravura_monitor.perf.result\",\"hid_bravura_monitor.perf.result\",\"hid_bravura_monitor.perf.rule\",\"hid_bravura_monitor.perf.sessionid\",\"hid_bravura_monitor.perf.sessionid\",\"hid_bravura_monitor.perf.sysid\",\"hid_bravura_monitor.perf.sysid\",\"hid_bravura_monitor.perf.table\",\"hid_bravura_monitor.perf.table\",\"hid_bravura_monitor.perf.targetid\",\"hid_bravura_monitor.perf.targetid\",\"hid_bravura_monitor.perf.transid\",\"hid_bravura_monitor.perf.transid\",\"hid_bravura_monitor.perf.type\",\"hid_bravura_monitor.perf.user\",\"hid_bravura_monitor.request.id\",\"hid_bravura_monitor.request.id\",\"host.architecture\",\"host.containerized\",\"host.domain\",\"host.geo.city_name\",\"host.geo.continent_name\",\"host.geo.country_iso_code\",\"host.geo.country_name\",\"host.geo.location\",\"host.geo.name\",\"host.geo.region_iso_code\",\"host.geo.region_name\",\"host.hostname\",\"host.id\",\"host.ip\",\"host.mac\",\"host.name\",\"host.os.build\",\"host.os.codename\",\"host.os.family\",\"host.os.full\",\"host.os.full.text\",\"host.os.kernel\",\"host.os.name\",\"host.os.name.text\",\"host.os.platform\",\"host.os.version\",\"host.type\",\"host.uptime\",\"host.user.domain\",\"host.user.email\",\"host.user.full_name\",\"host.user.full_name.text\",\"host.user.group.domain\",\"host.user.group.id\",\"host.user.group.name\",\"host.user.hash\",\"host.user.id\",\"host.user.name\",\"host.user.name.text\",\"host.user.roles\",
\"http.request.body.bytes\",\"http.request.body.content\",\"http.request.body.content.text\",\"http.request.bytes\",\"http.request.method\",\"http.request.mime_type\",\"http.request.referrer\",\"http.response.body.bytes\",\"http.response.body.content\",\"http.response.body.content.text\",\"http.response.bytes\",\"http.response.mime_type\",\"http.response.status_code\",\"http.version\",\"icinga.debug.facility\",\"icinga.main.facility\",\"icinga.startup.facility\",\"icmp.code\",\"icmp.type\",\"igmp.type\",\"iis.access.cookie\",\"iis.access.server_name\",\"iis.access.site_name\",\"iis.access.sub_status\",\"iis.access.win32_status\",\"iis.error.queue_name\",\"iis.error.reason_phrase\",\"input.type\",\"interface.alias\",\"interface.id\",\"interface.name\",\"jolokia.agent.id\",\"jolokia.agent.version\",\"jolokia.secured\",\"jolokia.server.product\",\"jolokia.server.vendor\",\"jolokia.server.version\",\"jolokia.url\",\"kafka.block_timestamp\",\"kafka.key\",\"kafka.log.class\",\"kafka.log.component\",\"kafka.log.thread\",\"kafka.log.trace.class\",\"kafka.log.trace.message\",\"kafka.offset\",\"kafka.partition\",\"kafka.topic\",\"kibana.add_to_spaces\",\"kibana.authentication_provider\",\"kibana.authentication_realm\",\"kibana.authentication_type\",\"kibana.delete_from_spaces\",\"kibana.log.state\",\"kibana.log.tags\",\"kibana.lookup_realm\",\"kibana.saved_object.id\",\"kibana.saved_object.type\",\"kibana.session_id\",\"kibana.space_id\",\"kubernetes.container.image\",\"kubernetes.container.name\",\"kubernetes.deployment.name\",\"kubernetes.namespace\",\"kubernetes.node.hostname\",\"kubernetes.node.name\",\"kubernetes.pod.name\",\"kubernetes.pod.uid\",\"kubernetes.replicaset.name\",\"kubernetes.statefulset.name\",\"log.file.path\",\"log.flags\",\"log.level\",\"log.logger\",\"log.offset\",\"log.origin.file.line\",\"log.origin.file.name\",\"log.origin.function\",\"log.original\",\"log.source.address\",\"log.syslog.facility.code\",\"log.syslog.facility.name\",\"log.syslog.priori
ty\",\"log.syslog.severity.code\",\"log.syslog.severity.name\",\"logstash.log.integration\",\"logstash.log.pipeline_id\",\"logstash.log.thread\",\"logstash.log.thread.text\",\"logstash.slowlog.event\",\"logstash.slowlog.event.text\",\"logstash.slowlog.integration\",\"logstash.slowlog.plugin_name\",\"logstash.slowlog.plugin_params\",\"logstash.slowlog.plugin_params.text\",\"logstash.slowlog.plugin_type\",\"logstash.slowlog.thread\",\"logstash.slowlog.thread.text\",\"logstash.slowlog.took_in_millis\",\"message\",\"mongodb.log.component\",\"mongodb.log.context\",\"mysql.slowlog.bytes_received\",\"mysql.slowlog.bytes_sent\",\"mysql.slowlog.current_user\",\"mysql.slowlog.filesort\",\"mysql.slowlog.filesort_on_disk\",\"mysql.slowlog.full_join\",\"mysql.slowlog.full_scan\",\"mysql.slowlog.innodb.io_r_bytes\",\"mysql.slowlog.innodb.io_r_ops\",\"mysql.slowlog.innodb.io_r_wait.sec\",\"mysql.slowlog.innodb.pages_distinct\",\"mysql.slowlog.innodb.queue_wait.sec\",\"mysql.slowlog.innodb.rec_lock_wait.sec\",\"mysql.slowlog.innodb.trx_id\",\"mysql.slowlog.killed\",\"mysql.slowlog.last_errno\",\"mysql.slowlog.lock_time.sec\",\"mysql.slowlog.log_slow_rate_limit\",\"mysql.slowlog.log_slow_rate_type\",\"mysql.slowlog.merge_passes\",\"mysql.slowlog.priority_queue\",\"mysql.slowlog.query\",\"mysql.slowlog.query_cache_hit\",\"mysql.slowlog.read_first\",\"mysql.slowlog.read_key\",\"mysql.slowlog.read_last\",\"mysql.slowlog.read_next\",\"mysql.slowlog.read_prev\",\"mysql.slowlog.read_rnd\",\"mysql.slowlog.read_rnd_next\",\"mysql.slowlog.rows_affected\",\"mysql.slowlog.rows_examined\",\"mysql.slowlog.rows_sent\",\"mysql.slowlog.schema\",\"mysql.slowlog.sort_merge_passes\",\"mysql.slowlog.sort_range_count\",\"mysql.slowlog.sort_rows\",\"mysql.slowlog.sort_scan_count\",\"mysql.slowlog.tmp_disk_tables\",\"mysql.slowlog.tmp_table\",\"mysql.slowlog.tmp_table_on_disk\",\"mysql.slowlog.tmp_table_sizes\",\"mysql.slowlog.tmp_tables\",\"mysql.thread_id\",\"nats.log.client.id\",\"nats.log.msg.bytes\",
\"nats.log.msg.error.message\",\"nats.log.msg.max_messages\",\"nats.log.msg.queue_group\",\"nats.log.msg.reply_to\",\"nats.log.msg.sid\",\"nats.log.msg.subject\",\"nats.log.msg.type\",\"network.application\",\"network.bytes\",\"network.community_id\",\"network.direction\",\"network.forwarded_ip\",\"network.iana_number\",\"network.inner.vlan.id\",\"network.inner.vlan.name\",\"network.name\",\"network.packets\",\"network.protocol\",\"network.transport\",\"network.type\",\"network.vlan.id\",\"network.vlan.name\",\"nginx.error.connection_id\",\"nginx.ingress_controller.http.request.id\",\"nginx.ingress_controller.http.request.length\",\"nginx.ingress_controller.http.request.time\",\"nginx.ingress_controller.upstream.alternative_name\",\"nginx.ingress_controller.upstream.ip\",\"nginx.ingress_controller.upstream.name\",\"nginx.ingress_controller.upstream.port\",\"nginx.ingress_controller.upstream.response.length\",\"nginx.ingress_controller.upstream.response.length_list\",\"nginx.ingress_controller.upstream.response.status_code\",\"nginx.ingress_controller.upstream.response.status_code_list\",\"nginx.ingress_controller.upstream.response.time\",\"nginx.ingress_controller.upstream.response.time_list\",\"nginx.ingress_controller.upstream_address_list\",\"observer.egress.interface.alias\",\"observer.egress.interface.id\",\"observer.egress.interface.name\",\"observer.egress.vlan.id\",\"observer.egress.vlan.name\",\"observer.egress.zone\",\"observer.geo.city_name\",\"observer.geo.continent_name\",\"observer.geo.country_iso_code\",\"observer.geo.country_name\",\"observer.geo.location\",\"observer.geo.name\",\"observer.geo.region_iso_code\",\"observer.geo.region_name\",\"observer.hostname\",\"observer.ingress.interface.alias\",\"observer.ingress.interface.id\",\"observer.ingress.interface.name\",\"observer.ingress.vlan.id\",\"observer.ingress.vlan.name\",\"observer.ingress.zone\",\"observer.ip\",\"observer.mac\",\"observer.name\",\"observer.os.family\",\"observer.os.full\",\"obse
rver.os.full.text\",\"observer.os.kernel\",\"observer.os.name\",\"observer.os.name.text\",\"observer.os.platform\",\"observer.os.version\",\"observer.product\",\"observer.serial_number\",\"observer.type\",\"observer.vendor\",\"observer.version\",\"organization.id\",\"organization.name\",\"organization.name.text\",\"os.family\",\"os.full\",\"os.full.text\",\"os.kernel\",\"os.name\",\"os.name.text\",\"os.platform\",\"os.version\",\"osquery.result.action\",\"osquery.result.calendar_time\",\"osquery.result.host_identifier\",\"osquery.result.name\",\"osquery.result.unix_time\",\"package.architecture\",\"package.build_version\",\"package.checksum\",\"package.description\",\"package.install_scope\",\"package.installed\",\"package.license\",\"package.name\",\"package.path\",\"package.reference\",\"package.size\",\"package.type\",\"package.version\",\"pe.architecture\",\"pe.company\",\"pe.description\",\"pe.file_version\",\"pe.imphash\",\"pe.original_file_name\",\"pe.product\",\"postgresql.log.core_id\",\"postgresql.log.database\",\"postgresql.log.error.code\",\"postgresql.log.query\",\"postgresql.log.query_name\",\"postgresql.log.query_step\",\"postgresql.log.timestamp\",\"process.args\",\"process.args_count\",\"process.code_signature.exists\",\"process.code_signature.status\",\"process.code_signature.subject_name\",\"process.code_signature.trusted\",\"process.code_signature.valid\",\"process.command_line\",\"process.command_line.text\",\"process.entity_id\",\"process.executable\",\"process.executable.text\",\"process.exit_code\",\"process.hash.md5\",\"process.hash.sha1\",\"process.hash.sha256\",\"process.hash.sha512\",\"process.name\",\"process.name.text\",\"process.parent.args\",\"process.parent.args_count\",\"process.parent.code_signature.exists\",\"process.parent.code_signature.status\",\"process.parent.code_signature.subject_name\",\"process.parent.code_signature.trusted\",\"process.parent.code_signature.valid\",\"process.parent.command_line\",\"process.parent.command_
line.text\",\"process.parent.entity_id\",\"process.parent.executable\",\"process.parent.executable.text\",\"process.parent.exit_code\",\"process.parent.hash.md5\",\"process.parent.hash.sha1\",\"process.parent.hash.sha256\",\"process.parent.hash.sha512\",\"process.parent.name\",\"process.parent.name.text\",\"process.parent.pe.architecture\",\"process.parent.pe.company\",\"process.parent.pe.description\",\"process.parent.pe.file_version\",\"process.parent.pe.imphash\",\"process.parent.pe.original_file_name\",\"process.parent.pe.product\",\"process.parent.pgid\",\"process.parent.pid\",\"process.parent.ppid\",\"process.parent.start\",\"process.parent.thread.id\",\"process.parent.thread.name\",\"process.parent.title\",\"process.parent.title.text\",\"process.parent.uptime\",\"process.parent.working_directory\",\"process.parent.working_directory.text\",\"process.pe.architecture\",\"process.pe.company\",\"process.pe.description\",\"process.pe.file_version\",\"process.pe.imphash\",\"process.pe.original_file_name\",\"process.pe.product\",\"process.pgid\",\"process.pid\",\"process.ppid\",\"process.program\",\"process.start\",\"process.thread.id\",\"process.thread.name\",\"process.title\",\"process.title.text\",\"process.uptime\",\"process.working_directory\",\"process.working_directory.text\",\"redis.log.role\",\"redis.slowlog.args\",\"redis.slowlog.cmd\",\"redis.slowlog.duration.us\",\"redis.slowlog.id\",\"redis.slowlog.key\",\"registry.data.bytes\",\"registry.data.strings\",\"registry.data.type\",\"registry.hive\",\"registry.key\",\"registry.path\",\"registry.value\",\"related.hash\",\"related.hosts\",\"related.ip\",\"related.user\",\"rule.author\",\"rule.category\",\"rule.description\",\"rule.id\",\"rule.license\",\"rule.name\",\"rule.reference\",\"rule.ruleset\",\"rule.uuid\",\"rule.version\",\"santa.action\",\"santa.certificate.common_name\",\"santa.certificate.sha256\",\"santa.decision\",\"santa.disk.bsdname\",\"santa.disk.bus\",\"santa.disk.fs\",\"santa.disk.model\",\"s
anta.disk.mount\",\"santa.disk.serial\",\"santa.disk.volume\",\"santa.mode\",\"santa.reason\",\"server.address\",\"server.as.number\",\"server.as.organization.name\",\"server.as.organization.name.text\",\"server.bytes\",\"server.domain\",\"server.geo.city_name\",\"server.geo.continent_name\",\"server.geo.country_iso_code\",\"server.geo.country_name\",\"server.geo.location\",\"server.geo.name\",\"server.geo.region_iso_code\",\"server.geo.region_name\",\"server.ip\",\"server.mac\",\"server.nat.ip\",\"server.nat.port\",\"server.packets\",\"server.port\",\"server.registered_domain\",\"server.subdomain\",\"server.top_level_domain\",\"server.user.domain\",\"server.user.email\",\"server.user.full_name\",\"server.user.full_name.text\",\"server.user.group.domain\",\"server.user.group.id\",\"server.user.group.name\",\"server.user.hash\",\"server.user.id\",\"server.user.name\",\"server.user.name.text\",\"server.user.roles\",\"service.ephemeral_id\",\"service.id\",\"service.name\",\"service.node.name\",\"service.state\",\"service.type\",\"service.version\",\"source.address\",\"source.as.number\",\"source.as.organization.name\",\"source.as.organization.name.text\",\"source.bytes\",\"source.domain\",\"source.geo.city_name\",\"source.geo.continent_name\",\"source.geo.country_iso_code\",\"source.geo.country_name\",\"source.geo.location\",\"source.geo.name\",\"source.geo.region_iso_code\",\"source.geo.region_name\",\"source.ip\",\"source.mac\",\"source.nat.ip\",\"source.nat.port\",\"source.packets\",\"source.port\",\"source.registered_domain\",\"source.subdomain\",\"source.top_level_domain\",\"source.user.domain\",\"source.user.email\",\"source.user.full_name\",\"source.user.full_name.text\",\"source.user.group.domain\",\"source.user.group.id\",\"source.user.group.name\",\"source.user.hash\",\"source.user.id\",\"source.user.name\",\"source.user.name.text\",\"source.user.roles\",\"span.id\",\"stream\",\"syslog.facility\",\"syslog.facility_label\",\"syslog.priority\",\"syslog.severity
_label\",\"system.auth.ssh.dropped_ip\",\"system.auth.ssh.event\",\"system.auth.ssh.method\",\"system.auth.ssh.signature\",\"system.auth.sudo.command\",\"system.auth.sudo.error\",\"system.auth.sudo.pwd\",\"system.auth.sudo.tty\",\"system.auth.sudo.user\",\"system.auth.useradd.home\",\"system.auth.useradd.shell\",\"tags\",\"threat.framework\",\"threat.tactic.id\",\"threat.tactic.name\",\"threat.tactic.reference\",\"threat.technique.id\",\"threat.technique.name\",\"threat.technique.name.text\",\"threat.technique.reference\",\"threat.technique.subtechnique.id\",\"threat.technique.subtechnique.name\",\"threat.technique.subtechnique.name.text\",\"threat.technique.subtechnique.reference\",\"timeseries.instance\",\"tls.cipher\",\"tls.client.certificate\",\"tls.client.certificate_chain\",\"tls.client.hash.md5\",\"tls.client.hash.sha1\",\"tls.client.hash.sha256\",\"tls.client.issuer\",\"tls.client.ja3\",\"tls.client.not_after\",\"tls.client.not_before\",\"tls.client.server_name\",\"tls.client.subject\",\"tls.client.supported_ciphers\",\"tls.client.x509.alternative_names\",\"tls.client.x509.issuer.common_name\",\"tls.client.x509.issuer.country\",\"tls.client.x509.issuer.distinguished_name\",\"tls.client.x509.issuer.locality\",\"tls.client.x509.issuer.organization\",\"tls.client.x509.issuer.organizational_unit\",\"tls.client.x509.issuer.state_or_province\",\"tls.client.x509.not_after\",\"tls.client.x509.not_before\",\"tls.client.x509.public_key_algorithm\",\"tls.client.x509.public_key_curve\",\"tls.client.x509.public_key_exponent\",\"tls.client.x509.public_key_size\",\"tls.client.x509.serial_number\",\"tls.client.x509.signature_algorithm\",\"tls.client.x509.subject.common_name\",\"tls.client.x509.subject.country\",\"tls.client.x509.subject.distinguished_name\",\"tls.client.x509.subject.locality\",\"tls.client.x509.subject.organization\",\"tls.client.x509.subject.organizational_unit\",\"tls.client.x509.subject.state_or_province\",\"tls.client.x509.version_number\",\"tls.curve\"
,\"tls.established\",\"tls.next_protocol\",\"tls.resumed\",\"tls.server.certificate\",\"tls.server.certificate_chain\",\"tls.server.hash.md5\",\"tls.server.hash.sha1\",\"tls.server.hash.sha256\",\"tls.server.issuer\",\"tls.server.ja3s\",\"tls.server.not_after\",\"tls.server.not_before\",\"tls.server.subject\",\"tls.server.x509.alternative_names\",\"tls.server.x509.issuer.common_name\",\"tls.server.x509.issuer.country\",\"tls.server.x509.issuer.distinguished_name\",\"tls.server.x509.issuer.locality\",\"tls.server.x509.issuer.organization\",\"tls.server.x509.issuer.organizational_unit\",\"tls.server.x509.issuer.state_or_province\",\"tls.server.x509.not_after\",\"tls.server.x509.not_before\",\"tls.server.x509.public_key_algorithm\",\"tls.server.x509.public_key_curve\",\"tls.server.x509.public_key_exponent\",\"tls.server.x509.public_key_size\",\"tls.server.x509.serial_number\",\"tls.server.x509.signature_algorithm\",\"tls.server.x509.subject.common_name\",\"tls.server.x509.subject.country\",\"tls.server.x509.subject.distinguished_name\",\"tls.server.x509.subject.locality\",\"tls.server.x509.subject.organization\",\"tls.server.x509.subject.organizational_unit\",\"tls.server.x509.subject.state_or_province\",\"tls.server.x509.version_number\",\"tls.version\",\"tls.version_protocol\",\"trace.id\",\"traefik.access.backend_url\",\"traefik.access.frontend_name\",\"traefik.access.geoip.city_name\",\"traefik.access.geoip.continent_name\",\"traefik.access.geoip.country_iso_code\",\"traefik.access.geoip.location\",\"traefik.access.geoip.region_iso_code\",\"traefik.access.geoip.region_name\",\"traefik.access.request_count\",\"traefik.access.user_agent.device\",\"traefik.access.user_agent.name\",\"traefik.access.user_agent.original\",\"traefik.access.user_agent.os\",\"traefik.access.user_agent.os_name\",\"traefik.access.user_identifier\",\"transaction.id\",\"url.domain\",\"url.extension\",\"url.fragment\",\"url.full\",\"url.full.text\",\"url.original\",\"url.original.text\",\"url.pa
ssword\",\"url.path\",\"url.port\",\"url.query\",\"url.registered_domain\",\"url.scheme\",\"url.subdomain\",\"url.top_level_domain\",\"url.username\",\"user.audit.group.id\",\"user.audit.group.name\",\"user.audit.id\",\"user.audit.name\",\"user.domain\",\"user.effective.group.id\",\"user.effective.group.name\",\"user.effective.id\",\"user.effective.name\",\"user.email\",\"user.filesystem.group.id\",\"user.filesystem.group.name\",\"user.filesystem.id\",\"user.filesystem.name\",\"user.full_name\",\"user.full_name.text\",\"user.group.domain\",\"user.group.id\",\"user.group.name\",\"user.hash\",\"user.id\",\"user.name\",\"user.name.text\",\"user.owner.group.id\",\"user.owner.group.name\",\"user.owner.id\",\"user.owner.name\",\"user.roles\",\"user.saved.group.id\",\"user.saved.group.name\",\"user.saved.id\",\"user.saved.name\",\"user.terminal\",\"user_agent.device.name\",\"user_agent.name\",\"user_agent.original\",\"user_agent.original.text\",\"user_agent.os.family\",\"user_agent.os.full\",\"user_agent.os.full.text\",\"user_agent.os.full_name\",\"user_agent.os.kernel\",\"user_agent.os.name\",\"user_agent.os.name.text\",\"user_agent.os.platform\",\"user_agent.os.version\",\"user_agent.version\",\"vlan.id\",\"vlan.name\",\"vulnerability.category\",\"vulnerability.classification\",\"vulnerability.description\",\"vulnerability.description.text\",\"vulnerability.enumeration\",\"vulnerability.id\",\"vulnerability.reference\",\"vulnerability.report_id\",\"vulnerability.scanner.vendor\",\"vulnerability.score.base\",\"vulnerability.score.environmental\",\"vulnerability.score.temporal\",\"vulnerability.score.version\",\"vulnerability.severity\",\"x509.alternative_names\",\"x509.issuer.common_name\",\"x509.issuer.country\",\"x509.issuer.distinguished_name\",\"x509.issuer.locality\",\"x509.issuer.organization\",\"x509.issuer.organizational_unit\",\"x509.issuer.state_or_province\",\"x509.not_after\",\"x509.not_before\",\"x509.public_key_algorithm\",\"x509.public_key_curve\",\"x509.pu
blic_key_exponent\",\"x509.public_key_size\",\"x509.serial_number\",\"x509.signature_algorithm\",\"x509.subject.common_name\",\"x509.subject.country\",\"x509.subject.distinguished_name\",\"x509.subject.locality\",\"x509.subject.organization\",\"x509.subject.organizational_unit\",\"x509.subject.state_or_province\",\"x509.version_number\"],\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"hid_bravura_monitor.perf.kind\",\"negate\":false,\"params\":{\"query\":\"PerfConnector\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"hid_bravura_monitor.perf.kind\":\"PerfConnector\"}}}],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "PerfConnector", - "version": 1 - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-bfc7f7c0-1473-11eb-bb7b-bb041e8cf289", - "migrationVersion": { - "search": "7.9.3" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/hid_bravura_monitor/1.2.2/kibana/search/hid_bravura_monitor-d1f2d8c0-1473-11eb-bb7b-bb041e8cf289.json b/packages/hid_bravura_monitor/1.2.2/kibana/search/hid_bravura_monitor-d1f2d8c0-1473-11eb-bb7b-bb041e8cf289.json deleted file mode 100755 index c6b4369c88..0000000000 --- a/packages/hid_bravura_monitor/1.2.2/kibana/search/hid_bravura_monitor-d1f2d8c0-1473-11eb-bb7b-bb041e8cf289.json +++ /dev/null 
@@ -1,46 +0,0 @@ -{ - "attributes": { - "columns": [ - "host.name", - "hid_bravura_monitor.request.id", - "log.logger", - "hid_bravura_monitor.perf.duration", - "process.pid", - "process.thread.id" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"fieldsFromSource\":[\"@timestamp\",\"_id\",\"_index\",\"_score\",\"_source\",\"_type\",\"agent.build.original\",\"agent.ephemeral_id\",\"agent.hostname\",\"agent.id\",\"agent.name\",\"agent.type\",\"agent.version\",\"apache.access.ssl.cipher\",\"apache.access.ssl.protocol\",\"apache.error.integration\",\"as.number\",\"as.organization.name\",\"as.organization.name.text\",\"auditd.log.a0\",\"auditd.log.addr\",\"auditd.log.item\",\"auditd.log.items\",\"auditd.log.laddr\",\"auditd.log.lport\",\"auditd.log.new_auid\",\"auditd.log.new_ses\",\"auditd.log.old_auid\",\"auditd.log.old_ses\",\"auditd.log.rport\",\"auditd.log.sequence\",\"auditd.log.tty\",\"azure.consumer_group\",\"azure.enqueued_time\",\"azure.eventhub\",\"azure.offset\",\"azure.partition_id\",\"azure.sequence_number\",\"client.address\",\"client.as.number\",\"client.as.organization.name\",\"client.as.organization.name.text\",\"client.bytes\",\"client.domain\",\"client.geo.city_name\",\"client.geo.continent_name\",\"client.geo.country_iso_code\",\"client.geo.country_name\",\"client.geo.location\",\"client.geo.name\",\"client.geo.region_iso_code\",\"client.geo.region_name\",\"client.ip\",\"client.mac\",\"client.nat.ip\",\"client.nat.port\",\"client.packets\",\"client.port\",\"client.registered_domain\",\"client.subdomain\",\"client.top_level_domain\",\"client.user.domain\",\"client.user.email\",\"client.user.full_name\",\"client.user.full_name.text\",\"client.user.group.domain\",\"client.user.group.id\",\"client.user.group.name\",\"client.user.hash\",\"client.user.id\",\"client.user.name\",\"client.user.name.text\",\"client.user.roles\",\"cloud.account.id\",\"cloud.account.name\",\"cloud.availability_zone\",\"cloud.image.id\
",\"cloud.instance.id\",\"cloud.instance.name\",\"cloud.machine.type\",\"cloud.project.id\",\"cloud.project.name\",\"cloud.provider\",\"cloud.region\",\"code_signature.exists\",\"code_signature.status\",\"code_signature.subject_name\",\"code_signature.trusted\",\"code_signature.valid\",\"container.id\",\"container.image.name\",\"container.image.tag\",\"container.name\",\"container.runtime\",\"destination.address\",\"destination.as.number\",\"destination.as.organization.name\",\"destination.as.organization.name.text\",\"destination.bytes\",\"destination.domain\",\"destination.geo.city_name\",\"destination.geo.continent_name\",\"destination.geo.country_iso_code\",\"destination.geo.country_name\",\"destination.geo.location\",\"destination.geo.name\",\"destination.geo.region_iso_code\",\"destination.geo.region_name\",\"destination.ip\",\"destination.mac\",\"destination.nat.ip\",\"destination.nat.port\",\"destination.packets\",\"destination.port\",\"destination.registered_domain\",\"destination.subdomain\",\"destination.top_level_domain\",\"destination.user.domain\",\"destination.user.email\",\"destination.user.full_name\",\"destination.user.full_name.text\",\"destination.user.group.domain\",\"destination.user.group.id\",\"destination.user.group.name\",\"destination.user.hash\",\"destination.user.id\",\"destination.user.name\",\"destination.user.name.text\",\"destination.user.roles\",\"dll.code_signature.exists\",\"dll.code_signature.status\",\"dll.code_signature.subject_name\",\"dll.code_signature.trusted\",\"dll.code_signature.valid\",\"dll.hash.md5\",\"dll.hash.sha1\",\"dll.hash.sha256\",\"dll.hash.sha512\",\"dll.name\",\"dll.path\",\"dll.pe.architecture\",\"dll.pe.company\",\"dll.pe.description\",\"dll.pe.file_version\",\"dll.pe.imphash\",\"dll.pe.original_file_name\",\"dll.pe.product\",\"dns.answers.class\",\"dns.answers.data\",\"dns.answers.name\",\"dns.answers.ttl\",\"dns.answers.type\",\"dns.header_flags\",\"dns.id\",\"dns.op_code\",\"dns.question.class\",\"dns.q
uestion.name\",\"dns.question.registered_domain\",\"dns.question.subdomain\",\"dns.question.top_level_domain\",\"dns.question.type\",\"dns.resolved_ip\",\"dns.response_code\",\"dns.type\",\"ecs.version\",\"elasticsearch.audit.action\",\"elasticsearch.audit.event_type\",\"elasticsearch.audit.indices\",\"elasticsearch.audit.layer\",\"elasticsearch.audit.message\",\"elasticsearch.audit.origin.type\",\"elasticsearch.audit.realm\",\"elasticsearch.audit.request.id\",\"elasticsearch.audit.request.name\",\"elasticsearch.audit.url.params\",\"elasticsearch.audit.user.realm\",\"elasticsearch.audit.user.roles\",\"elasticsearch.cluster.name\",\"elasticsearch.cluster.uuid\",\"elasticsearch.component\",\"elasticsearch.gc.heap.size_kb\",\"elasticsearch.gc.heap.used_kb\",\"elasticsearch.gc.jvm_runtime_sec\",\"elasticsearch.gc.old_gen.size_kb\",\"elasticsearch.gc.old_gen.used_kb\",\"elasticsearch.gc.phase.class_unload_time_sec\",\"elasticsearch.gc.phase.cpu_time.real_sec\",\"elasticsearch.gc.phase.cpu_time.sys_sec\",\"elasticsearch.gc.phase.cpu_time.user_sec\",\"elasticsearch.gc.phase.duration_sec\",\"elasticsearch.gc.phase.name\",\"elasticsearch.gc.phase.parallel_rescan_time_sec\",\"elasticsearch.gc.phase.scrub_string_table_time_sec\",\"elasticsearch.gc.phase.scrub_symbol_table_time_sec\",\"elasticsearch.gc.phase.weak_refs_processing_time_sec\",\"elasticsearch.gc.stopping_threads_time_sec\",\"elasticsearch.gc.tags\",\"elasticsearch.gc.threads_total_stop_time_sec\",\"elasticsearch.gc.young_gen.size_kb\",\"elasticsearch.gc.young_gen.used_kb\",\"elasticsearch.index.id\",\"elasticsearch.index.name\",\"elasticsearch.node.id\",\"elasticsearch.node.name\",\"elasticsearch.server.gc.collection_duration.ms\",\"elasticsearch.server.gc.observation_duration.ms\",\"elasticsearch.server.gc.overhead_seq\",\"elasticsearch.server.gc.young.one\",\"elasticsearch.server.gc.young.two\",\"elasticsearch.server.stacktrace\",\"elasticsearch.shard.id\",\"elasticsearch.slowlog.extra_source\",\"elasticsearch.sl
owlog.id\",\"elasticsearch.slowlog.logger\",\"elasticsearch.slowlog.routing\",\"elasticsearch.slowlog.search_type\",\"elasticsearch.slowlog.source\",\"elasticsearch.slowlog.source_query\",\"elasticsearch.slowlog.stats\",\"elasticsearch.slowlog.took\",\"elasticsearch.slowlog.total_hits\",\"elasticsearch.slowlog.total_shards\",\"elasticsearch.slowlog.type\",\"elasticsearch.slowlog.types\",\"error.code\",\"error.id\",\"error.message\",\"error.stack_trace\",\"error.stack_trace.text\",\"error.type\",\"event.action\",\"event.category\",\"event.code\",\"event.created\",\"data_stream.dataset\",\"event.duration\",\"event.end\",\"event.hash\",\"event.id\",\"event.ingested\",\"event.kind\",\"event.integration\",\"event.original\",\"event.outcome\",\"event.provider\",\"event.reason\",\"event.reference\",\"event.risk_score\",\"event.risk_score_norm\",\"event.sequence\",\"event.severity\",\"event.start\",\"event.timezone\",\"event.type\",\"event.url\",\"file.accessed\",\"file.attributes\",\"file.code_signature.exists\",\"file.code_signature.status\",\"file.code_signature.subject_name\",\"file.code_signature.trusted\",\"file.code_signature.valid\",\"file.created\",\"file.ctime\",\"file.device\",\"file.directory\",\"file.drive_letter\",\"file.extension\",\"file.gid\",\"file.group\",\"file.hash.md5\",\"file.hash.sha1\",\"file.hash.sha256\",\"file.hash.sha512\",\"file.inode\",\"file.mime_type\",\"file.mode\",\"file.mtime\",\"file.name\",\"file.owner\",\"file.path\",\"file.path.text\",\"file.pe.architecture\",\"file.pe.company\",\"file.pe.description\",\"file.pe.file_version\",\"file.pe.imphash\",\"file.pe.original_file_name\",\"file.pe.product\",\"file.size\",\"file.target_path\",\"file.target_path.text\",\"file.type\",\"file.uid\",\"file.x509.alternative_names\",\"file.x509.issuer.common_name\",\"file.x509.issuer.country\",\"file.x509.issuer.distinguished_name\",\"file.x509.issuer.locality\",\"file.x509.issuer.organization\",\"file.x509.issuer.organizational_unit\",\"file.x509.issue
r.state_or_province\",\"file.x509.not_after\",\"file.x509.not_before\",\"file.x509.public_key_algorithm\",\"file.x509.public_key_curve\",\"file.x509.public_key_exponent\",\"file.x509.public_key_size\",\"file.x509.serial_number\",\"file.x509.signature_algorithm\",\"file.x509.subject.common_name\",\"file.x509.subject.country\",\"file.x509.subject.distinguished_name\",\"file.x509.subject.locality\",\"file.x509.subject.organization\",\"file.x509.subject.organizational_unit\",\"file.x509.subject.state_or_province\",\"file.x509.version_number\",\"fileset.name\",\"geo.city_name\",\"geo.continent_name\",\"geo.country_iso_code\",\"geo.country_name\",\"geo.location\",\"geo.name\",\"geo.region_iso_code\",\"geo.region_name\",\"group.domain\",\"group.id\",\"group.name\",\"haproxy.backend_name\",\"haproxy.backend_queue\",\"haproxy.bind_name\",\"haproxy.bytes_read\",\"haproxy.connection_wait_time_ms\",\"haproxy.connections.active\",\"haproxy.connections.backend\",\"haproxy.connections.frontend\",\"haproxy.connections.retries\",\"haproxy.connections.server\",\"haproxy.error_message\",\"haproxy.frontend_name\",\"haproxy.http.request.captured_cookie\",\"haproxy.http.request.captured_headers\",\"haproxy.http.request.raw_request_line\",\"haproxy.http.request.time_wait_ms\",\"haproxy.http.request.time_wait_without_data_ms\",\"haproxy.http.response.captured_cookie\",\"haproxy.http.response.captured_headers\",\"haproxy.mode\",\"haproxy.server_name\",\"haproxy.server_queue\",\"haproxy.source\",\"haproxy.tcp.connection_waiting_time_ms\",\"haproxy.termination_state\",\"haproxy.time_backend_connect\",\"haproxy.time_queue\",\"haproxy.total_waiting_time_ms\",\"hash.md5\",\"hash.sha1\",\"hash.sha256\",\"hash.sha512\",\"hid_bravura_monitor.instancename\",\"hid_bravura_monitor.node\",\"hid_bravura_monitor.perf.address\",\"hid_bravura_monitor.perf.address\",\"hid_bravura_monitor.perf.adminid\",\"hid_bravura_monitor.perf.adminid\",\"hid_bravura_monitor.perf.dbcommand\",\"hid_bravura_monitor.perf.dbc
ommand\",\"hid_bravura_monitor.perf.destination\",\"hid_bravura_monitor.perf.duration\",\"hid_bravura_monitor.perf.event\",\"hid_bravura_monitor.perf.event\",\"hid_bravura_monitor.perf.exe\",\"hid_bravura_monitor.perf.exe\",\"hid_bravura_monitor.perf.file\",\"hid_bravura_monitor.perf.function\",\"hid_bravura_monitor.perf.function\",\"hid_bravura_monitor.perf.kernel\",\"hid_bravura_monitor.perf.kind\",\"hid_bravura_monitor.perf.kind\",\"hid_bravura_monitor.perf.message\",\"hid_bravura_monitor.perf.message\",\"hid_bravura_monitor.perf.operation\",\"hid_bravura_monitor.perf.operation\",\"hid_bravura_monitor.perf.receivequeue\",\"hid_bravura_monitor.perf.receivequeue\",\"hid_bravura_monitor.perf.records\",\"hid_bravura_monitor.perf.result\",\"hid_bravura_monitor.perf.result\",\"hid_bravura_monitor.perf.rule\",\"hid_bravura_monitor.perf.sessionid\",\"hid_bravura_monitor.perf.sessionid\",\"hid_bravura_monitor.perf.sysid\",\"hid_bravura_monitor.perf.sysid\",\"hid_bravura_monitor.perf.table\",\"hid_bravura_monitor.perf.table\",\"hid_bravura_monitor.perf.targetid\",\"hid_bravura_monitor.perf.targetid\",\"hid_bravura_monitor.perf.transid\",\"hid_bravura_monitor.perf.transid\",\"hid_bravura_monitor.perf.type\",\"hid_bravura_monitor.perf.user\",\"hid_bravura_monitor.request.id\",\"hid_bravura_monitor.request.id\",\"host.architecture\",\"host.containerized\",\"host.domain\",\"host.geo.city_name\",\"host.geo.continent_name\",\"host.geo.country_iso_code\",\"host.geo.country_name\",\"host.geo.location\",\"host.geo.name\",\"host.geo.region_iso_code\",\"host.geo.region_name\",\"host.hostname\",\"host.id\",\"host.ip\",\"host.mac\",\"host.name\",\"host.os.build\",\"host.os.codename\",\"host.os.family\",\"host.os.full\",\"host.os.full.text\",\"host.os.kernel\",\"host.os.name\",\"host.os.name.text\",\"host.os.platform\",\"host.os.version\",\"host.type\",\"host.uptime\",\"host.user.domain\",\"host.user.email\",\"host.user.full_name\",\"host.user.full_name.text\",\"host.user.group.domain\"
,\"host.user.group.id\",\"host.user.group.name\",\"host.user.hash\",\"host.user.id\",\"host.user.name\",\"host.user.name.text\",\"host.user.roles\",\"http.request.body.bytes\",\"http.request.body.content\",\"http.request.body.content.text\",\"http.request.bytes\",\"http.request.method\",\"http.request.mime_type\",\"http.request.referrer\",\"http.response.body.bytes\",\"http.response.body.content\",\"http.response.body.content.text\",\"http.response.bytes\",\"http.response.mime_type\",\"http.response.status_code\",\"http.version\",\"icinga.debug.facility\",\"icinga.main.facility\",\"icinga.startup.facility\",\"icmp.code\",\"icmp.type\",\"igmp.type\",\"iis.access.cookie\",\"iis.access.server_name\",\"iis.access.site_name\",\"iis.access.sub_status\",\"iis.access.win32_status\",\"iis.error.queue_name\",\"iis.error.reason_phrase\",\"input.type\",\"interface.alias\",\"interface.id\",\"interface.name\",\"jolokia.agent.id\",\"jolokia.agent.version\",\"jolokia.secured\",\"jolokia.server.product\",\"jolokia.server.vendor\",\"jolokia.server.version\",\"jolokia.url\",\"kafka.block_timestamp\",\"kafka.key\",\"kafka.log.class\",\"kafka.log.component\",\"kafka.log.thread\",\"kafka.log.trace.class\",\"kafka.log.trace.message\",\"kafka.offset\",\"kafka.partition\",\"kafka.topic\",\"kibana.add_to_spaces\",\"kibana.authentication_provider\",\"kibana.authentication_realm\",\"kibana.authentication_type\",\"kibana.delete_from_spaces\",\"kibana.log.state\",\"kibana.log.tags\",\"kibana.lookup_realm\",\"kibana.saved_object.id\",\"kibana.saved_object.type\",\"kibana.session_id\",\"kibana.space_id\",\"kubernetes.container.image\",\"kubernetes.container.name\",\"kubernetes.deployment.name\",\"kubernetes.namespace\",\"kubernetes.node.hostname\",\"kubernetes.node.name\",\"kubernetes.pod.name\",\"kubernetes.pod.uid\",\"kubernetes.replicaset.name\",\"kubernetes.statefulset.name\",\"log.file.path\",\"log.flags\",\"log.level\",\"log.logger\",\"log.offset\",\"log.origin.file.line\",\"log.origin.file.
name\",\"log.origin.function\",\"log.original\",\"log.source.address\",\"log.syslog.facility.code\",\"log.syslog.facility.name\",\"log.syslog.priority\",\"log.syslog.severity.code\",\"log.syslog.severity.name\",\"logstash.log.integration\",\"logstash.log.pipeline_id\",\"logstash.log.thread\",\"logstash.log.thread.text\",\"logstash.slowlog.event\",\"logstash.slowlog.event.text\",\"logstash.slowlog.integration\",\"logstash.slowlog.plugin_name\",\"logstash.slowlog.plugin_params\",\"logstash.slowlog.plugin_params.text\",\"logstash.slowlog.plugin_type\",\"logstash.slowlog.thread\",\"logstash.slowlog.thread.text\",\"logstash.slowlog.took_in_millis\",\"message\",\"mongodb.log.component\",\"mongodb.log.context\",\"mysql.slowlog.bytes_received\",\"mysql.slowlog.bytes_sent\",\"mysql.slowlog.current_user\",\"mysql.slowlog.filesort\",\"mysql.slowlog.filesort_on_disk\",\"mysql.slowlog.full_join\",\"mysql.slowlog.full_scan\",\"mysql.slowlog.innodb.io_r_bytes\",\"mysql.slowlog.innodb.io_r_ops\",\"mysql.slowlog.innodb.io_r_wait.sec\",\"mysql.slowlog.innodb.pages_distinct\",\"mysql.slowlog.innodb.queue_wait.sec\",\"mysql.slowlog.innodb.rec_lock_wait.sec\",\"mysql.slowlog.innodb.trx_id\",\"mysql.slowlog.killed\",\"mysql.slowlog.last_errno\",\"mysql.slowlog.lock_time.sec\",\"mysql.slowlog.log_slow_rate_limit\",\"mysql.slowlog.log_slow_rate_type\",\"mysql.slowlog.merge_passes\",\"mysql.slowlog.priority_queue\",\"mysql.slowlog.query\",\"mysql.slowlog.query_cache_hit\",\"mysql.slowlog.read_first\",\"mysql.slowlog.read_key\",\"mysql.slowlog.read_last\",\"mysql.slowlog.read_next\",\"mysql.slowlog.read_prev\",\"mysql.slowlog.read_rnd\",\"mysql.slowlog.read_rnd_next\",\"mysql.slowlog.rows_affected\",\"mysql.slowlog.rows_examined\",\"mysql.slowlog.rows_sent\",\"mysql.slowlog.schema\",\"mysql.slowlog.sort_merge_passes\",\"mysql.slowlog.sort_range_count\",\"mysql.slowlog.sort_rows\",\"mysql.slowlog.sort_scan_count\",\"mysql.slowlog.tmp_disk_tables\",\"mysql.slowlog.tmp_table\",\"mysql.slowlog.t
mp_table_on_disk\",\"mysql.slowlog.tmp_table_sizes\",\"mysql.slowlog.tmp_tables\",\"mysql.thread_id\",\"nats.log.client.id\",\"nats.log.msg.bytes\",\"nats.log.msg.error.message\",\"nats.log.msg.max_messages\",\"nats.log.msg.queue_group\",\"nats.log.msg.reply_to\",\"nats.log.msg.sid\",\"nats.log.msg.subject\",\"nats.log.msg.type\",\"network.application\",\"network.bytes\",\"network.community_id\",\"network.direction\",\"network.forwarded_ip\",\"network.iana_number\",\"network.inner.vlan.id\",\"network.inner.vlan.name\",\"network.name\",\"network.packets\",\"network.protocol\",\"network.transport\",\"network.type\",\"network.vlan.id\",\"network.vlan.name\",\"nginx.error.connection_id\",\"nginx.ingress_controller.http.request.id\",\"nginx.ingress_controller.http.request.length\",\"nginx.ingress_controller.http.request.time\",\"nginx.ingress_controller.upstream.alternative_name\",\"nginx.ingress_controller.upstream.ip\",\"nginx.ingress_controller.upstream.name\",\"nginx.ingress_controller.upstream.port\",\"nginx.ingress_controller.upstream.response.length\",\"nginx.ingress_controller.upstream.response.length_list\",\"nginx.ingress_controller.upstream.response.status_code\",\"nginx.ingress_controller.upstream.response.status_code_list\",\"nginx.ingress_controller.upstream.response.time\",\"nginx.ingress_controller.upstream.response.time_list\",\"nginx.ingress_controller.upstream_address_list\",\"observer.egress.interface.alias\",\"observer.egress.interface.id\",\"observer.egress.interface.name\",\"observer.egress.vlan.id\",\"observer.egress.vlan.name\",\"observer.egress.zone\",\"observer.geo.city_name\",\"observer.geo.continent_name\",\"observer.geo.country_iso_code\",\"observer.geo.country_name\",\"observer.geo.location\",\"observer.geo.name\",\"observer.geo.region_iso_code\",\"observer.geo.region_name\",\"observer.hostname\",\"observer.ingress.interface.alias\",\"observer.ingress.interface.id\",\"observer.ingress.interface.name\",\"observer.ingress.vlan.id\",\"observer
.ingress.vlan.name\",\"observer.ingress.zone\",\"observer.ip\",\"observer.mac\",\"observer.name\",\"observer.os.family\",\"observer.os.full\",\"observer.os.full.text\",\"observer.os.kernel\",\"observer.os.name\",\"observer.os.name.text\",\"observer.os.platform\",\"observer.os.version\",\"observer.product\",\"observer.serial_number\",\"observer.type\",\"observer.vendor\",\"observer.version\",\"organization.id\",\"organization.name\",\"organization.name.text\",\"os.family\",\"os.full\",\"os.full.text\",\"os.kernel\",\"os.name\",\"os.name.text\",\"os.platform\",\"os.version\",\"osquery.result.action\",\"osquery.result.calendar_time\",\"osquery.result.host_identifier\",\"osquery.result.name\",\"osquery.result.unix_time\",\"package.architecture\",\"package.build_version\",\"package.checksum\",\"package.description\",\"package.install_scope\",\"package.installed\",\"package.license\",\"package.name\",\"package.path\",\"package.reference\",\"package.size\",\"package.type\",\"package.version\",\"pe.architecture\",\"pe.company\",\"pe.description\",\"pe.file_version\",\"pe.imphash\",\"pe.original_file_name\",\"pe.product\",\"postgresql.log.core_id\",\"postgresql.log.database\",\"postgresql.log.error.code\",\"postgresql.log.query\",\"postgresql.log.query_name\",\"postgresql.log.query_step\",\"postgresql.log.timestamp\",\"process.args\",\"process.args_count\",\"process.code_signature.exists\",\"process.code_signature.status\",\"process.code_signature.subject_name\",\"process.code_signature.trusted\",\"process.code_signature.valid\",\"process.command_line\",\"process.command_line.text\",\"process.entity_id\",\"process.executable\",\"process.executable.text\",\"process.exit_code\",\"process.hash.md5\",\"process.hash.sha1\",\"process.hash.sha256\",\"process.hash.sha512\",\"process.name\",\"process.name.text\",\"process.parent.args\",\"process.parent.args_count\",\"process.parent.code_signature.exists\",\"process.parent.code_signature.status\",\"process.parent.code_signature.subjec
t_name\",\"process.parent.code_signature.trusted\",\"process.parent.code_signature.valid\",\"process.parent.command_line\",\"process.parent.command_line.text\",\"process.parent.entity_id\",\"process.parent.executable\",\"process.parent.executable.text\",\"process.parent.exit_code\",\"process.parent.hash.md5\",\"process.parent.hash.sha1\",\"process.parent.hash.sha256\",\"process.parent.hash.sha512\",\"process.parent.name\",\"process.parent.name.text\",\"process.parent.pe.architecture\",\"process.parent.pe.company\",\"process.parent.pe.description\",\"process.parent.pe.file_version\",\"process.parent.pe.imphash\",\"process.parent.pe.original_file_name\",\"process.parent.pe.product\",\"process.parent.pgid\",\"process.parent.pid\",\"process.parent.ppid\",\"process.parent.start\",\"process.parent.thread.id\",\"process.parent.thread.name\",\"process.parent.title\",\"process.parent.title.text\",\"process.parent.uptime\",\"process.parent.working_directory\",\"process.parent.working_directory.text\",\"process.pe.architecture\",\"process.pe.company\",\"process.pe.description\",\"process.pe.file_version\",\"process.pe.imphash\",\"process.pe.original_file_name\",\"process.pe.product\",\"process.pgid\",\"process.pid\",\"process.ppid\",\"process.program\",\"process.start\",\"process.thread.id\",\"process.thread.name\",\"process.title\",\"process.title.text\",\"process.uptime\",\"process.working_directory\",\"process.working_directory.text\",\"redis.log.role\",\"redis.slowlog.args\",\"redis.slowlog.cmd\",\"redis.slowlog.duration.us\",\"redis.slowlog.id\",\"redis.slowlog.key\",\"registry.data.bytes\",\"registry.data.strings\",\"registry.data.type\",\"registry.hive\",\"registry.key\",\"registry.path\",\"registry.value\",\"related.hash\",\"related.hosts\",\"related.ip\",\"related.user\",\"rule.author\",\"rule.category\",\"rule.description\",\"rule.id\",\"rule.license\",\"rule.name\",\"rule.reference\",\"rule.ruleset\",\"rule.uuid\",\"rule.version\",\"santa.action\",\"santa.certificat
e.common_name\",\"santa.certificate.sha256\",\"santa.decision\",\"santa.disk.bsdname\",\"santa.disk.bus\",\"santa.disk.fs\",\"santa.disk.model\",\"santa.disk.mount\",\"santa.disk.serial\",\"santa.disk.volume\",\"santa.mode\",\"santa.reason\",\"server.address\",\"server.as.number\",\"server.as.organization.name\",\"server.as.organization.name.text\",\"server.bytes\",\"server.domain\",\"server.geo.city_name\",\"server.geo.continent_name\",\"server.geo.country_iso_code\",\"server.geo.country_name\",\"server.geo.location\",\"server.geo.name\",\"server.geo.region_iso_code\",\"server.geo.region_name\",\"server.ip\",\"server.mac\",\"server.nat.ip\",\"server.nat.port\",\"server.packets\",\"server.port\",\"server.registered_domain\",\"server.subdomain\",\"server.top_level_domain\",\"server.user.domain\",\"server.user.email\",\"server.user.full_name\",\"server.user.full_name.text\",\"server.user.group.domain\",\"server.user.group.id\",\"server.user.group.name\",\"server.user.hash\",\"server.user.id\",\"server.user.name\",\"server.user.name.text\",\"server.user.roles\",\"service.ephemeral_id\",\"service.id\",\"service.name\",\"service.node.name\",\"service.state\",\"service.type\",\"service.version\",\"source.address\",\"source.as.number\",\"source.as.organization.name\",\"source.as.organization.name.text\",\"source.bytes\",\"source.domain\",\"source.geo.city_name\",\"source.geo.continent_name\",\"source.geo.country_iso_code\",\"source.geo.country_name\",\"source.geo.location\",\"source.geo.name\",\"source.geo.region_iso_code\",\"source.geo.region_name\",\"source.ip\",\"source.mac\",\"source.nat.ip\",\"source.nat.port\",\"source.packets\",\"source.port\",\"source.registered_domain\",\"source.subdomain\",\"source.top_level_domain\",\"source.user.domain\",\"source.user.email\",\"source.user.full_name\",\"source.user.full_name.text\",\"source.user.group.domain\",\"source.user.group.id\",\"source.user.group.name\",\"source.user.hash\",\"source.user.id\",\"source.user.name\",\"sour
ce.user.name.text\",\"source.user.roles\",\"span.id\",\"stream\",\"syslog.facility\",\"syslog.facility_label\",\"syslog.priority\",\"syslog.severity_label\",\"system.auth.ssh.dropped_ip\",\"system.auth.ssh.event\",\"system.auth.ssh.method\",\"system.auth.ssh.signature\",\"system.auth.sudo.command\",\"system.auth.sudo.error\",\"system.auth.sudo.pwd\",\"system.auth.sudo.tty\",\"system.auth.sudo.user\",\"system.auth.useradd.home\",\"system.auth.useradd.shell\",\"tags\",\"threat.framework\",\"threat.tactic.id\",\"threat.tactic.name\",\"threat.tactic.reference\",\"threat.technique.id\",\"threat.technique.name\",\"threat.technique.name.text\",\"threat.technique.reference\",\"threat.technique.subtechnique.id\",\"threat.technique.subtechnique.name\",\"threat.technique.subtechnique.name.text\",\"threat.technique.subtechnique.reference\",\"timeseries.instance\",\"tls.cipher\",\"tls.client.certificate\",\"tls.client.certificate_chain\",\"tls.client.hash.md5\",\"tls.client.hash.sha1\",\"tls.client.hash.sha256\",\"tls.client.issuer\",\"tls.client.ja3\",\"tls.client.not_after\",\"tls.client.not_before\",\"tls.client.server_name\",\"tls.client.subject\",\"tls.client.supported_ciphers\",\"tls.client.x509.alternative_names\",\"tls.client.x509.issuer.common_name\",\"tls.client.x509.issuer.country\",\"tls.client.x509.issuer.distinguished_name\",\"tls.client.x509.issuer.locality\",\"tls.client.x509.issuer.organization\",\"tls.client.x509.issuer.organizational_unit\",\"tls.client.x509.issuer.state_or_province\",\"tls.client.x509.not_after\",\"tls.client.x509.not_before\",\"tls.client.x509.public_key_algorithm\",\"tls.client.x509.public_key_curve\",\"tls.client.x509.public_key_exponent\",\"tls.client.x509.public_key_size\",\"tls.client.x509.serial_number\",\"tls.client.x509.signature_algorithm\",\"tls.client.x509.subject.common_name\",\"tls.client.x509.subject.country\",\"tls.client.x509.subject.distinguished_name\",\"tls.client.x509.subject.locality\",\"tls.client.x509.subject.organizat
ion\",\"tls.client.x509.subject.organizational_unit\",\"tls.client.x509.subject.state_or_province\",\"tls.client.x509.version_number\",\"tls.curve\",\"tls.established\",\"tls.next_protocol\",\"tls.resumed\",\"tls.server.certificate\",\"tls.server.certificate_chain\",\"tls.server.hash.md5\",\"tls.server.hash.sha1\",\"tls.server.hash.sha256\",\"tls.server.issuer\",\"tls.server.ja3s\",\"tls.server.not_after\",\"tls.server.not_before\",\"tls.server.subject\",\"tls.server.x509.alternative_names\",\"tls.server.x509.issuer.common_name\",\"tls.server.x509.issuer.country\",\"tls.server.x509.issuer.distinguished_name\",\"tls.server.x509.issuer.locality\",\"tls.server.x509.issuer.organization\",\"tls.server.x509.issuer.organizational_unit\",\"tls.server.x509.issuer.state_or_province\",\"tls.server.x509.not_after\",\"tls.server.x509.not_before\",\"tls.server.x509.public_key_algorithm\",\"tls.server.x509.public_key_curve\",\"tls.server.x509.public_key_exponent\",\"tls.server.x509.public_key_size\",\"tls.server.x509.serial_number\",\"tls.server.x509.signature_algorithm\",\"tls.server.x509.subject.common_name\",\"tls.server.x509.subject.country\",\"tls.server.x509.subject.distinguished_name\",\"tls.server.x509.subject.locality\",\"tls.server.x509.subject.organization\",\"tls.server.x509.subject.organizational_unit\",\"tls.server.x509.subject.state_or_province\",\"tls.server.x509.version_number\",\"tls.version\",\"tls.version_protocol\",\"trace.id\",\"traefik.access.backend_url\",\"traefik.access.frontend_name\",\"traefik.access.geoip.city_name\",\"traefik.access.geoip.continent_name\",\"traefik.access.geoip.country_iso_code\",\"traefik.access.geoip.location\",\"traefik.access.geoip.region_iso_code\",\"traefik.access.geoip.region_name\",\"traefik.access.request_count\",\"traefik.access.user_agent.device\",\"traefik.access.user_agent.name\",\"traefik.access.user_agent.original\",\"traefik.access.user_agent.os\",\"traefik.access.user_agent.os_name\",\"traefik.access.user_identifier\"
,\"transaction.id\",\"url.domain\",\"url.extension\",\"url.fragment\",\"url.full\",\"url.full.text\",\"url.original\",\"url.original.text\",\"url.password\",\"url.path\",\"url.port\",\"url.query\",\"url.registered_domain\",\"url.scheme\",\"url.subdomain\",\"url.top_level_domain\",\"url.username\",\"user.audit.group.id\",\"user.audit.group.name\",\"user.audit.id\",\"user.audit.name\",\"user.domain\",\"user.effective.group.id\",\"user.effective.group.name\",\"user.effective.id\",\"user.effective.name\",\"user.email\",\"user.filesystem.group.id\",\"user.filesystem.group.name\",\"user.filesystem.id\",\"user.filesystem.name\",\"user.full_name\",\"user.full_name.text\",\"user.group.domain\",\"user.group.id\",\"user.group.name\",\"user.hash\",\"user.id\",\"user.name\",\"user.name.text\",\"user.owner.group.id\",\"user.owner.group.name\",\"user.owner.id\",\"user.owner.name\",\"user.roles\",\"user.saved.group.id\",\"user.saved.group.name\",\"user.saved.id\",\"user.saved.name\",\"user.terminal\",\"user_agent.device.name\",\"user_agent.name\",\"user_agent.original\",\"user_agent.original.text\",\"user_agent.os.family\",\"user_agent.os.full\",\"user_agent.os.full.text\",\"user_agent.os.full_name\",\"user_agent.os.kernel\",\"user_agent.os.name\",\"user_agent.os.name.text\",\"user_agent.os.platform\",\"user_agent.os.version\",\"user_agent.version\",\"vlan.id\",\"vlan.name\",\"vulnerability.category\",\"vulnerability.classification\",\"vulnerability.description\",\"vulnerability.description.text\",\"vulnerability.enumeration\",\"vulnerability.id\",\"vulnerability.reference\",\"vulnerability.report_id\",\"vulnerability.scanner.vendor\",\"vulnerability.score.base\",\"vulnerability.score.environmental\",\"vulnerability.score.temporal\",\"vulnerability.score.version\",\"vulnerability.severity\",\"x509.alternative_names\",\"x509.issuer.common_name\",\"x509.issuer.country\",\"x509.issuer.distinguished_name\",\"x509.issuer.locality\",\"x509.issuer.organization\",\"x509.issuer.organization
al_unit\",\"x509.issuer.state_or_province\",\"x509.not_after\",\"x509.not_before\",\"x509.public_key_algorithm\",\"x509.public_key_curve\",\"x509.public_key_exponent\",\"x509.public_key_size\",\"x509.serial_number\",\"x509.signature_algorithm\",\"x509.subject.common_name\",\"x509.subject.country\",\"x509.subject.distinguished_name\",\"x509.subject.locality\",\"x509.subject.organization\",\"x509.subject.organizational_unit\",\"x509.subject.state_or_province\",\"x509.version_number\"],\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"hid_bravura_monitor.perf.kind\",\"negate\":false,\"params\":{\"query\":\"PerfIDWFM\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"hid_bravura_monitor.perf.kind\":\"PerfIDWFM\"}}}],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}"
- },
- "sort": [
- [
- "@timestamp",
- "desc"
- ]
- ],
- "title": "PerfIDWFM",
- "version": 1
- },
- "coreMigrationVersion": "7.15.0",
- "id": "hid_bravura_monitor-d1f2d8c0-1473-11eb-bb7b-bb041e8cf289",
- "migrationVersion": {
- "search": "7.9.3"
- },
- "namespaces": [
- "default"
- ],
- "references": [
- {
- "id": "logs-*",
- "name": "kibanaSavedObjectMeta.searchSourceJSON.index",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
- "type": "index-pattern"
- }
- ],
- "type": "search"
-}
\ No newline at end of file
diff --git a/packages/hid_bravura_monitor/1.2.2/kibana/search/hid_bravura_monitor-dca8bb20-d397-11eb-9e70-edcbba448215.json b/packages/hid_bravura_monitor/1.2.2/kibana/search/hid_bravura_monitor-dca8bb20-d397-11eb-9e70-edcbba448215.json
deleted file mode 100755
index 122f899b44..0000000000
--- a/packages/hid_bravura_monitor/1.2.2/kibana/search/hid_bravura_monitor-dca8bb20-d397-11eb-9e70-edcbba448215.json
+++ /dev/null
@@ -1,41 +0,0 @@
-{
- "attributes": {
- "columns": [
- "message"
- ],
- "description": "",
- "hits": 0,
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"winlog.provider_name\",\"negate\":false,\"params\":{\"query\":\"Hitachi-Hitachi ID Systems-Hitachi ID Suite\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"winlog.provider_name\":\"Hitachi-Hitachi ID Systems-Hitachi ID Suite\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":[\"28\",\"29\",\"30\",\"31\",\"32\",\"33\",\"52\",\"53\",\"54\",\"55\",\"56\",\"57\",\"58\",\"59\",\"60\",\"61\",\"62\",\"63\",\"64\",\"65\",\"66\",\"67\",\"68\",\"69\",\"70\",\"71\",\"72\",\"73\",\"121\"],\"type\":\"phrases\",\"value\":\"28, 29, 30, 31, 32, 33, 52, 53, 54, 55, 56, 57, 58, 59, 60, 61, 62, 63, 64, 65, 66, 67, 68, 69, 70, 71, 72, 73, 
121\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.code\":\"28\"}},{\"match_phrase\":{\"event.code\":\"29\"}},{\"match_phrase\":{\"event.code\":\"30\"}},{\"match_phrase\":{\"event.code\":\"31\"}},{\"match_phrase\":{\"event.code\":\"32\"}},{\"match_phrase\":{\"event.code\":\"33\"}},{\"match_phrase\":{\"event.code\":\"52\"}},{\"match_phrase\":{\"event.code\":\"53\"}},{\"match_phrase\":{\"event.code\":\"54\"}},{\"match_phrase\":{\"event.code\":\"55\"}},{\"match_phrase\":{\"event.code\":\"56\"}},{\"match_phrase\":{\"event.code\":\"57\"}},{\"match_phrase\":{\"event.code\":\"58\"}},{\"match_phrase\":{\"event.code\":\"59\"}},{\"match_phrase\":{\"event.code\":\"60\"}},{\"match_phrase\":{\"event.code\":\"61\"}},{\"match_phrase\":{\"event.code\":\"62\"}},{\"match_phrase\":{\"event.code\":\"63\"}},{\"match_phrase\":{\"event.code\":\"64\"}},{\"match_phrase\":{\"event.code\":\"65\"}},{\"match_phrase\":{\"event.code\":\"66\"}},{\"match_phrase\":{\"event.code\":\"67\"}},{\"match_phrase\":{\"event.code\":\"68\"}},{\"match_phrase\":{\"event.code\":\"69\"}},{\"match_phrase\":{\"event.code\":\"70\"}},{\"match_phrase\":{\"event.code\":\"71\"}},{\"match_phrase\":{\"event.code\":\"72\"}},{\"match_phrase\":{\"event.code\":\"73\"}},{\"match_phrase\":{\"event.code\":\"121\"}}]}}}],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}"
- },
- "sort": [],
- "title": "Hitachi ID Windows Event Logs - Administrative",
- "version": 1
- },
- "coreMigrationVersion": "7.15.0",
- "id": "hid_bravura_monitor-dca8bb20-d397-11eb-9e70-edcbba448215",
- "migrationVersion": {
- "search": "7.9.3"
- },
- "namespaces": [
- "default"
- ],
- "references": [
- {
- "id": "logs-*",
- "name": "kibanaSavedObjectMeta.searchSourceJSON.index",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
- "type": 
"index-pattern"
- },
- {
- "id": "logs-*",
- "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index",
- "type": "index-pattern"
- }
- ],
- "type": "search"
-}
\ No newline at end of file
diff --git a/packages/hid_bravura_monitor/1.2.2/kibana/search/hid_bravura_monitor-dd637750-1473-11eb-bb7b-bb041e8cf289.json b/packages/hid_bravura_monitor/1.2.2/kibana/search/hid_bravura_monitor-dd637750-1473-11eb-bb7b-bb041e8cf289.json
deleted file mode 100755
index b7502c0511..0000000000
--- a/packages/hid_bravura_monitor/1.2.2/kibana/search/hid_bravura_monitor-dd637750-1473-11eb-bb7b-bb041e8cf289.json
+++ /dev/null
@@ -1,41 +0,0 @@
-{
- "attributes": {
- "columns": [
- "_source"
- ],
- "description": "",
- "hits": 0,
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"fieldsFromSource\":[\"@timestamp\",\"_id\",\"_index\",\"_score\",\"_source\",\"_type\",\"agent.build.original\",\"agent.ephemeral_id\",\"agent.hostname\",\"agent.id\",\"agent.name\",\"agent.type\",\"agent.version\",\"apache.access.ssl.cipher\",\"apache.access.ssl.protocol\",\"apache.error.integration\",\"as.number\",\"as.organization.name\",\"as.organization.name.text\",\"auditd.log.a0\",\"auditd.log.addr\",\"auditd.log.item\",\"auditd.log.items\",\"auditd.log.laddr\",\"auditd.log.lport\",\"auditd.log.new_auid\",\"auditd.log.new_ses\",\"auditd.log.old_auid\",\"auditd.log.old_ses\",\"auditd.log.rport\",\"auditd.log.sequence\",\"auditd.log.tty\",\"azure.consumer_group\",\"azure.enqueued_time\",\"azure.eventhub\",\"azure.offset\",\"azure.partition_id\",\"azure.sequence_number\",\"client.address\",\"client.as.number\",\"client.as.organization.name\",\"client.as.organization.name.text\",\"client.bytes\",\"client.domain\",\"client.geo.city_name\",\"client.geo.continent_name\",\"client.geo.country_iso_code\",\"client.geo.country_name\",\"client.geo.location\",\"client.geo.name\",\"client.geo.region_iso_code\",\"client.geo.region_name\",\"client.ip\",\"client.mac\",\"client.nat.ip\",\"client.nat.port\",\"client.packets\",\"client.port\",\"client.registered_domain\",\"client.subdomain\",\"client.top_level_domain\",\"client.user.domain\",\"client.user.email\",\"client.user.full_name\",\"client.user.full_name.text\",\"client.user.group.domain\",\"client.user.group.id\",\"client.user.group.name\",\"client.user.hash\",\"client.user.id\",\"client.user.name\",\"client.user.name.text\",\"client.user.roles\",\"cloud.account.id\",\"cloud.account.name\",\"cloud.availability_zone\",\"cloud.image.id\",\"cloud.instance.id\",\"cloud.instance.name\",\"cloud.machine.type\",\"cloud.project.id\",\"cloud.project.name\",\"cloud.provider\"
,\"cloud.region\",\"code_signature.exists\",\"code_signature.status\",\"code_signature.subject_name\",\"code_signature.trusted\",\"code_signature.valid\",\"container.id\",\"container.image.name\",\"container.image.tag\",\"container.name\",\"container.runtime\",\"destination.address\",\"destination.as.number\",\"destination.as.organization.name\",\"destination.as.organization.name.text\",\"destination.bytes\",\"destination.domain\",\"destination.geo.city_name\",\"destination.geo.continent_name\",\"destination.geo.country_iso_code\",\"destination.geo.country_name\",\"destination.geo.location\",\"destination.geo.name\",\"destination.geo.region_iso_code\",\"destination.geo.region_name\",\"destination.ip\",\"destination.mac\",\"destination.nat.ip\",\"destination.nat.port\",\"destination.packets\",\"destination.port\",\"destination.registered_domain\",\"destination.subdomain\",\"destination.top_level_domain\",\"destination.user.domain\",\"destination.user.email\",\"destination.user.full_name\",\"destination.user.full_name.text\",\"destination.user.group.domain\",\"destination.user.group.id\",\"destination.user.group.name\",\"destination.user.hash\",\"destination.user.id\",\"destination.user.name\",\"destination.user.name.text\",\"destination.user.roles\",\"dll.code_signature.exists\",\"dll.code_signature.status\",\"dll.code_signature.subject_name\",\"dll.code_signature.trusted\",\"dll.code_signature.valid\",\"dll.hash.md5\",\"dll.hash.sha1\",\"dll.hash.sha256\",\"dll.hash.sha512\",\"dll.name\",\"dll.path\",\"dll.pe.architecture\",\"dll.pe.company\",\"dll.pe.description\",\"dll.pe.file_version\",\"dll.pe.imphash\",\"dll.pe.original_file_name\",\"dll.pe.product\",\"dns.answers.class\",\"dns.answers.data\",\"dns.answers.name\",\"dns.answers.ttl\",\"dns.answers.type\",\"dns.header_flags\",\"dns.id\",\"dns.op_code\",\"dns.question.class\",\"dns.question.name\",\"dns.question.registered_domain\",\"dns.question.subdomain\",\"dns.question.top_level_domain\",\"dns.question.type\",
\"dns.resolved_ip\",\"dns.response_code\",\"dns.type\",\"ecs.version\",\"elasticsearch.audit.action\",\"elasticsearch.audit.event_type\",\"elasticsearch.audit.indices\",\"elasticsearch.audit.layer\",\"elasticsearch.audit.message\",\"elasticsearch.audit.origin.type\",\"elasticsearch.audit.realm\",\"elasticsearch.audit.request.id\",\"elasticsearch.audit.request.name\",\"elasticsearch.audit.url.params\",\"elasticsearch.audit.user.realm\",\"elasticsearch.audit.user.roles\",\"elasticsearch.cluster.name\",\"elasticsearch.cluster.uuid\",\"elasticsearch.component\",\"elasticsearch.gc.heap.size_kb\",\"elasticsearch.gc.heap.used_kb\",\"elasticsearch.gc.jvm_runtime_sec\",\"elasticsearch.gc.old_gen.size_kb\",\"elasticsearch.gc.old_gen.used_kb\",\"elasticsearch.gc.phase.class_unload_time_sec\",\"elasticsearch.gc.phase.cpu_time.real_sec\",\"elasticsearch.gc.phase.cpu_time.sys_sec\",\"elasticsearch.gc.phase.cpu_time.user_sec\",\"elasticsearch.gc.phase.duration_sec\",\"elasticsearch.gc.phase.name\",\"elasticsearch.gc.phase.parallel_rescan_time_sec\",\"elasticsearch.gc.phase.scrub_string_table_time_sec\",\"elasticsearch.gc.phase.scrub_symbol_table_time_sec\",\"elasticsearch.gc.phase.weak_refs_processing_time_sec\",\"elasticsearch.gc.stopping_threads_time_sec\",\"elasticsearch.gc.tags\",\"elasticsearch.gc.threads_total_stop_time_sec\",\"elasticsearch.gc.young_gen.size_kb\",\"elasticsearch.gc.young_gen.used_kb\",\"elasticsearch.index.id\",\"elasticsearch.index.name\",\"elasticsearch.node.id\",\"elasticsearch.node.name\",\"elasticsearch.server.gc.collection_duration.ms\",\"elasticsearch.server.gc.observation_duration.ms\",\"elasticsearch.server.gc.overhead_seq\",\"elasticsearch.server.gc.young.one\",\"elasticsearch.server.gc.young.two\",\"elasticsearch.server.stacktrace\",\"elasticsearch.shard.id\",\"elasticsearch.slowlog.extra_source\",\"elasticsearch.slowlog.id\",\"elasticsearch.slowlog.logger\",\"elasticsearch.slowlog.routing\",\"elasticsearch.slowlog.search_type\",\"elasticsearch.s
lowlog.source\",\"elasticsearch.slowlog.source_query\",\"elasticsearch.slowlog.stats\",\"elasticsearch.slowlog.took\",\"elasticsearch.slowlog.total_hits\",\"elasticsearch.slowlog.total_shards\",\"elasticsearch.slowlog.type\",\"elasticsearch.slowlog.types\",\"error.code\",\"error.id\",\"error.message\",\"error.stack_trace\",\"error.stack_trace.text\",\"error.type\",\"event.action\",\"event.category\",\"event.code\",\"event.created\",\"data_stream.dataset\",\"event.duration\",\"event.end\",\"event.hash\",\"event.id\",\"event.ingested\",\"event.kind\",\"event.integration\",\"event.original\",\"event.outcome\",\"event.provider\",\"event.reason\",\"event.reference\",\"event.risk_score\",\"event.risk_score_norm\",\"event.sequence\",\"event.severity\",\"event.start\",\"event.timezone\",\"event.type\",\"event.url\",\"file.accessed\",\"file.attributes\",\"file.code_signature.exists\",\"file.code_signature.status\",\"file.code_signature.subject_name\",\"file.code_signature.trusted\",\"file.code_signature.valid\",\"file.created\",\"file.ctime\",\"file.device\",\"file.directory\",\"file.drive_letter\",\"file.extension\",\"file.gid\",\"file.group\",\"file.hash.md5\",\"file.hash.sha1\",\"file.hash.sha256\",\"file.hash.sha512\",\"file.inode\",\"file.mime_type\",\"file.mode\",\"file.mtime\",\"file.name\",\"file.owner\",\"file.path\",\"file.path.text\",\"file.pe.architecture\",\"file.pe.company\",\"file.pe.description\",\"file.pe.file_version\",\"file.pe.imphash\",\"file.pe.original_file_name\",\"file.pe.product\",\"file.size\",\"file.target_path\",\"file.target_path.text\",\"file.type\",\"file.uid\",\"file.x509.alternative_names\",\"file.x509.issuer.common_name\",\"file.x509.issuer.country\",\"file.x509.issuer.distinguished_name\",\"file.x509.issuer.locality\",\"file.x509.issuer.organization\",\"file.x509.issuer.organizational_unit\",\"file.x509.issuer.state_or_province\",\"file.x509.not_after\",\"file.x509.not_before\",\"file.x509.public_key_algorithm\",\"file.x509.public_key_curv
e\",\"file.x509.public_key_exponent\",\"file.x509.public_key_size\",\"file.x509.serial_number\",\"file.x509.signature_algorithm\",\"file.x509.subject.common_name\",\"file.x509.subject.country\",\"file.x509.subject.distinguished_name\",\"file.x509.subject.locality\",\"file.x509.subject.organization\",\"file.x509.subject.organizational_unit\",\"file.x509.subject.state_or_province\",\"file.x509.version_number\",\"fileset.name\",\"geo.city_name\",\"geo.continent_name\",\"geo.country_iso_code\",\"geo.country_name\",\"geo.location\",\"geo.name\",\"geo.region_iso_code\",\"geo.region_name\",\"group.domain\",\"group.id\",\"group.name\",\"haproxy.backend_name\",\"haproxy.backend_queue\",\"haproxy.bind_name\",\"haproxy.bytes_read\",\"haproxy.connection_wait_time_ms\",\"haproxy.connections.active\",\"haproxy.connections.backend\",\"haproxy.connections.frontend\",\"haproxy.connections.retries\",\"haproxy.connections.server\",\"haproxy.error_message\",\"haproxy.frontend_name\",\"haproxy.http.request.captured_cookie\",\"haproxy.http.request.captured_headers\",\"haproxy.http.request.raw_request_line\",\"haproxy.http.request.time_wait_ms\",\"haproxy.http.request.time_wait_without_data_ms\",\"haproxy.http.response.captured_cookie\",\"haproxy.http.response.captured_headers\",\"haproxy.mode\",\"haproxy.server_name\",\"haproxy.server_queue\",\"haproxy.source\",\"haproxy.tcp.connection_waiting_time_ms\",\"haproxy.termination_state\",\"haproxy.time_backend_connect\",\"haproxy.time_queue\",\"haproxy.total_waiting_time_ms\",\"hash.md5\",\"hash.sha1\",\"hash.sha256\",\"hash.sha512\",\"hid_bravura_monitor.instancename\",\"hid_bravura_monitor.node\",\"hid_bravura_monitor.perf.address\",\"hid_bravura_monitor.perf.address\",\"hid_bravura_monitor.perf.adminid\",\"hid_bravura_monitor.perf.adminid\",\"hid_bravura_monitor.perf.dbcommand\",\"hid_bravura_monitor.perf.dbcommand\",\"hid_bravura_monitor.perf.destination\",\"hid_bravura_monitor.perf.duration\",\"hid_bravura_monitor.perf.event\",\"hid_brav
ura_monitor.perf.event\",\"hid_bravura_monitor.perf.exe\",\"hid_bravura_monitor.perf.exe\",\"hid_bravura_monitor.perf.file\",\"hid_bravura_monitor.perf.function\",\"hid_bravura_monitor.perf.function\",\"hid_bravura_monitor.perf.kernel\",\"hid_bravura_monitor.perf.kind\",\"hid_bravura_monitor.perf.kind\",\"hid_bravura_monitor.perf.message\",\"hid_bravura_monitor.perf.message\",\"hid_bravura_monitor.perf.operation\",\"hid_bravura_monitor.perf.operation\",\"hid_bravura_monitor.perf.receivequeue\",\"hid_bravura_monitor.perf.receivequeue\",\"hid_bravura_monitor.perf.records\",\"hid_bravura_monitor.perf.result\",\"hid_bravura_monitor.perf.result\",\"hid_bravura_monitor.perf.rule\",\"hid_bravura_monitor.perf.sessionid\",\"hid_bravura_monitor.perf.sessionid\",\"hid_bravura_monitor.perf.sysid\",\"hid_bravura_monitor.perf.sysid\",\"hid_bravura_monitor.perf.table\",\"hid_bravura_monitor.perf.table\",\"hid_bravura_monitor.perf.targetid\",\"hid_bravura_monitor.perf.targetid\",\"hid_bravura_monitor.perf.transid\",\"hid_bravura_monitor.perf.transid\",\"hid_bravura_monitor.perf.type\",\"hid_bravura_monitor.perf.user\",\"hid_bravura_monitor.request.id\",\"hid_bravura_monitor.request.id\",\"host.architecture\",\"host.containerized\",\"host.domain\",\"host.geo.city_name\",\"host.geo.continent_name\",\"host.geo.country_iso_code\",\"host.geo.country_name\",\"host.geo.location\",\"host.geo.name\",\"host.geo.region_iso_code\",\"host.geo.region_name\",\"host.hostname\",\"host.id\",\"host.ip\",\"host.mac\",\"host.name\",\"host.os.build\",\"host.os.codename\",\"host.os.family\",\"host.os.full\",\"host.os.full.text\",\"host.os.kernel\",\"host.os.name\",\"host.os.name.text\",\"host.os.platform\",\"host.os.version\",\"host.type\",\"host.uptime\",\"host.user.domain\",\"host.user.email\",\"host.user.full_name\",\"host.user.full_name.text\",\"host.user.group.domain\",\"host.user.group.id\",\"host.user.group.name\",\"host.user.hash\",\"host.user.id\",\"host.user.name\",\"host.user.name.text\",\"hos
t.user.roles\",\"http.request.body.bytes\",\"http.request.body.content\",\"http.request.body.content.text\",\"http.request.bytes\",\"http.request.method\",\"http.request.mime_type\",\"http.request.referrer\",\"http.response.body.bytes\",\"http.response.body.content\",\"http.response.body.content.text\",\"http.response.bytes\",\"http.response.mime_type\",\"http.response.status_code\",\"http.version\",\"icinga.debug.facility\",\"icinga.main.facility\",\"icinga.startup.facility\",\"icmp.code\",\"icmp.type\",\"igmp.type\",\"iis.access.cookie\",\"iis.access.server_name\",\"iis.access.site_name\",\"iis.access.sub_status\",\"iis.access.win32_status\",\"iis.error.queue_name\",\"iis.error.reason_phrase\",\"input.type\",\"interface.alias\",\"interface.id\",\"interface.name\",\"jolokia.agent.id\",\"jolokia.agent.version\",\"jolokia.secured\",\"jolokia.server.product\",\"jolokia.server.vendor\",\"jolokia.server.version\",\"jolokia.url\",\"kafka.block_timestamp\",\"kafka.key\",\"kafka.log.class\",\"kafka.log.component\",\"kafka.log.thread\",\"kafka.log.trace.class\",\"kafka.log.trace.message\",\"kafka.offset\",\"kafka.partition\",\"kafka.topic\",\"kibana.add_to_spaces\",\"kibana.authentication_provider\",\"kibana.authentication_realm\",\"kibana.authentication_type\",\"kibana.delete_from_spaces\",\"kibana.log.state\",\"kibana.log.tags\",\"kibana.lookup_realm\",\"kibana.saved_object.id\",\"kibana.saved_object.type\",\"kibana.session_id\",\"kibana.space_id\",\"kubernetes.container.image\",\"kubernetes.container.name\",\"kubernetes.deployment.name\",\"kubernetes.namespace\",\"kubernetes.node.hostname\",\"kubernetes.node.name\",\"kubernetes.pod.name\",\"kubernetes.pod.uid\",\"kubernetes.replicaset.name\",\"kubernetes.statefulset.name\",\"log.file.path\",\"log.flags\",\"log.level\",\"log.logger\",\"log.offset\",\"log.origin.file.line\",\"log.origin.file.name\",\"log.origin.function\",\"log.original\",\"log.source.address\",\"log.syslog.facility.code\",\"log.syslog.facility.name\",\"lo
g.syslog.priority\",\"log.syslog.severity.code\",\"log.syslog.severity.name\",\"logstash.log.integration\",\"logstash.log.pipeline_id\",\"logstash.log.thread\",\"logstash.log.thread.text\",\"logstash.slowlog.event\",\"logstash.slowlog.event.text\",\"logstash.slowlog.integration\",\"logstash.slowlog.plugin_name\",\"logstash.slowlog.plugin_params\",\"logstash.slowlog.plugin_params.text\",\"logstash.slowlog.plugin_type\",\"logstash.slowlog.thread\",\"logstash.slowlog.thread.text\",\"logstash.slowlog.took_in_millis\",\"message\",\"mongodb.log.component\",\"mongodb.log.context\",\"mysql.slowlog.bytes_received\",\"mysql.slowlog.bytes_sent\",\"mysql.slowlog.current_user\",\"mysql.slowlog.filesort\",\"mysql.slowlog.filesort_on_disk\",\"mysql.slowlog.full_join\",\"mysql.slowlog.full_scan\",\"mysql.slowlog.innodb.io_r_bytes\",\"mysql.slowlog.innodb.io_r_ops\",\"mysql.slowlog.innodb.io_r_wait.sec\",\"mysql.slowlog.innodb.pages_distinct\",\"mysql.slowlog.innodb.queue_wait.sec\",\"mysql.slowlog.innodb.rec_lock_wait.sec\",\"mysql.slowlog.innodb.trx_id\",\"mysql.slowlog.killed\",\"mysql.slowlog.last_errno\",\"mysql.slowlog.lock_time.sec\",\"mysql.slowlog.log_slow_rate_limit\",\"mysql.slowlog.log_slow_rate_type\",\"mysql.slowlog.merge_passes\",\"mysql.slowlog.priority_queue\",\"mysql.slowlog.query\",\"mysql.slowlog.query_cache_hit\",\"mysql.slowlog.read_first\",\"mysql.slowlog.read_key\",\"mysql.slowlog.read_last\",\"mysql.slowlog.read_next\",\"mysql.slowlog.read_prev\",\"mysql.slowlog.read_rnd\",\"mysql.slowlog.read_rnd_next\",\"mysql.slowlog.rows_affected\",\"mysql.slowlog.rows_examined\",\"mysql.slowlog.rows_sent\",\"mysql.slowlog.schema\",\"mysql.slowlog.sort_merge_passes\",\"mysql.slowlog.sort_range_count\",\"mysql.slowlog.sort_rows\",\"mysql.slowlog.sort_scan_count\",\"mysql.slowlog.tmp_disk_tables\",\"mysql.slowlog.tmp_table\",\"mysql.slowlog.tmp_table_on_disk\",\"mysql.slowlog.tmp_table_sizes\",\"mysql.slowlog.tmp_tables\",\"mysql.thread_id\",\"nats.log.client.id\",\"nats.l
og.msg.bytes\",\"nats.log.msg.error.message\",\"nats.log.msg.max_messages\",\"nats.log.msg.queue_group\",\"nats.log.msg.reply_to\",\"nats.log.msg.sid\",\"nats.log.msg.subject\",\"nats.log.msg.type\",\"network.application\",\"network.bytes\",\"network.community_id\",\"network.direction\",\"network.forwarded_ip\",\"network.iana_number\",\"network.inner.vlan.id\",\"network.inner.vlan.name\",\"network.name\",\"network.packets\",\"network.protocol\",\"network.transport\",\"network.type\",\"network.vlan.id\",\"network.vlan.name\",\"nginx.error.connection_id\",\"nginx.ingress_controller.http.request.id\",\"nginx.ingress_controller.http.request.length\",\"nginx.ingress_controller.http.request.time\",\"nginx.ingress_controller.upstream.alternative_name\",\"nginx.ingress_controller.upstream.ip\",\"nginx.ingress_controller.upstream.name\",\"nginx.ingress_controller.upstream.port\",\"nginx.ingress_controller.upstream.response.length\",\"nginx.ingress_controller.upstream.response.length_list\",\"nginx.ingress_controller.upstream.response.status_code\",\"nginx.ingress_controller.upstream.response.status_code_list\",\"nginx.ingress_controller.upstream.response.time\",\"nginx.ingress_controller.upstream.response.time_list\",\"nginx.ingress_controller.upstream_address_list\",\"observer.egress.interface.alias\",\"observer.egress.interface.id\",\"observer.egress.interface.name\",\"observer.egress.vlan.id\",\"observer.egress.vlan.name\",\"observer.egress.zone\",\"observer.geo.city_name\",\"observer.geo.continent_name\",\"observer.geo.country_iso_code\",\"observer.geo.country_name\",\"observer.geo.location\",\"observer.geo.name\",\"observer.geo.region_iso_code\",\"observer.geo.region_name\",\"observer.hostname\",\"observer.ingress.interface.alias\",\"observer.ingress.interface.id\",\"observer.ingress.interface.name\",\"observer.ingress.vlan.id\",\"observer.ingress.vlan.name\",\"observer.ingress.zone\",\"observer.ip\",\"observer.mac\",\"observer.name\",\"observer.os.family\",\"observer.o
s.full\",\"observer.os.full.text\",\"observer.os.kernel\",\"observer.os.name\",\"observer.os.name.text\",\"observer.os.platform\",\"observer.os.version\",\"observer.product\",\"observer.serial_number\",\"observer.type\",\"observer.vendor\",\"observer.version\",\"organization.id\",\"organization.name\",\"organization.name.text\",\"os.family\",\"os.full\",\"os.full.text\",\"os.kernel\",\"os.name\",\"os.name.text\",\"os.platform\",\"os.version\",\"osquery.result.action\",\"osquery.result.calendar_time\",\"osquery.result.host_identifier\",\"osquery.result.name\",\"osquery.result.unix_time\",\"package.architecture\",\"package.build_version\",\"package.checksum\",\"package.description\",\"package.install_scope\",\"package.installed\",\"package.license\",\"package.name\",\"package.path\",\"package.reference\",\"package.size\",\"package.type\",\"package.version\",\"pe.architecture\",\"pe.company\",\"pe.description\",\"pe.file_version\",\"pe.imphash\",\"pe.original_file_name\",\"pe.product\",\"postgresql.log.core_id\",\"postgresql.log.database\",\"postgresql.log.error.code\",\"postgresql.log.query\",\"postgresql.log.query_name\",\"postgresql.log.query_step\",\"postgresql.log.timestamp\",\"process.args\",\"process.args_count\",\"process.code_signature.exists\",\"process.code_signature.status\",\"process.code_signature.subject_name\",\"process.code_signature.trusted\",\"process.code_signature.valid\",\"process.command_line\",\"process.command_line.text\",\"process.entity_id\",\"process.executable\",\"process.executable.text\",\"process.exit_code\",\"process.hash.md5\",\"process.hash.sha1\",\"process.hash.sha256\",\"process.hash.sha512\",\"process.name\",\"process.name.text\",\"process.parent.args\",\"process.parent.args_count\",\"process.parent.code_signature.exists\",\"process.parent.code_signature.status\",\"process.parent.code_signature.subject_name\",\"process.parent.code_signature.trusted\",\"process.parent.code_signature.valid\",\"process.parent.command_line\",\"process.
parent.command_line.text\",\"process.parent.entity_id\",\"process.parent.executable\",\"process.parent.executable.text\",\"process.parent.exit_code\",\"process.parent.hash.md5\",\"process.parent.hash.sha1\",\"process.parent.hash.sha256\",\"process.parent.hash.sha512\",\"process.parent.name\",\"process.parent.name.text\",\"process.parent.pe.architecture\",\"process.parent.pe.company\",\"process.parent.pe.description\",\"process.parent.pe.file_version\",\"process.parent.pe.imphash\",\"process.parent.pe.original_file_name\",\"process.parent.pe.product\",\"process.parent.pgid\",\"process.parent.pid\",\"process.parent.ppid\",\"process.parent.start\",\"process.parent.thread.id\",\"process.parent.thread.name\",\"process.parent.title\",\"process.parent.title.text\",\"process.parent.uptime\",\"process.parent.working_directory\",\"process.parent.working_directory.text\",\"process.pe.architecture\",\"process.pe.company\",\"process.pe.description\",\"process.pe.file_version\",\"process.pe.imphash\",\"process.pe.original_file_name\",\"process.pe.product\",\"process.pgid\",\"process.pid\",\"process.ppid\",\"process.program\",\"process.start\",\"process.thread.id\",\"process.thread.name\",\"process.title\",\"process.title.text\",\"process.uptime\",\"process.working_directory\",\"process.working_directory.text\",\"redis.log.role\",\"redis.slowlog.args\",\"redis.slowlog.cmd\",\"redis.slowlog.duration.us\",\"redis.slowlog.id\",\"redis.slowlog.key\",\"registry.data.bytes\",\"registry.data.strings\",\"registry.data.type\",\"registry.hive\",\"registry.key\",\"registry.path\",\"registry.value\",\"related.hash\",\"related.hosts\",\"related.ip\",\"related.user\",\"rule.author\",\"rule.category\",\"rule.description\",\"rule.id\",\"rule.license\",\"rule.name\",\"rule.reference\",\"rule.ruleset\",\"rule.uuid\",\"rule.version\",\"santa.action\",\"santa.certificate.common_name\",\"santa.certificate.sha256\",\"santa.decision\",\"santa.disk.bsdname\",\"santa.disk.bus\",\"santa.disk.fs\",\"santa.d
isk.model\",\"santa.disk.mount\",\"santa.disk.serial\",\"santa.disk.volume\",\"santa.mode\",\"santa.reason\",\"server.address\",\"server.as.number\",\"server.as.organization.name\",\"server.as.organization.name.text\",\"server.bytes\",\"server.domain\",\"server.geo.city_name\",\"server.geo.continent_name\",\"server.geo.country_iso_code\",\"server.geo.country_name\",\"server.geo.location\",\"server.geo.name\",\"server.geo.region_iso_code\",\"server.geo.region_name\",\"server.ip\",\"server.mac\",\"server.nat.ip\",\"server.nat.port\",\"server.packets\",\"server.port\",\"server.registered_domain\",\"server.subdomain\",\"server.top_level_domain\",\"server.user.domain\",\"server.user.email\",\"server.user.full_name\",\"server.user.full_name.text\",\"server.user.group.domain\",\"server.user.group.id\",\"server.user.group.name\",\"server.user.hash\",\"server.user.id\",\"server.user.name\",\"server.user.name.text\",\"server.user.roles\",\"service.ephemeral_id\",\"service.id\",\"service.name\",\"service.node.name\",\"service.state\",\"service.type\",\"service.version\",\"source.address\",\"source.as.number\",\"source.as.organization.name\",\"source.as.organization.name.text\",\"source.bytes\",\"source.domain\",\"source.geo.city_name\",\"source.geo.continent_name\",\"source.geo.country_iso_code\",\"source.geo.country_name\",\"source.geo.location\",\"source.geo.name\",\"source.geo.region_iso_code\",\"source.geo.region_name\",\"source.ip\",\"source.mac\",\"source.nat.ip\",\"source.nat.port\",\"source.packets\",\"source.port\",\"source.registered_domain\",\"source.subdomain\",\"source.top_level_domain\",\"source.user.domain\",\"source.user.email\",\"source.user.full_name\",\"source.user.full_name.text\",\"source.user.group.domain\",\"source.user.group.id\",\"source.user.group.name\",\"source.user.hash\",\"source.user.id\",\"source.user.name\",\"source.user.name.text\",\"source.user.roles\",\"span.id\",\"stream\",\"syslog.facility\",\"syslog.facility_label\",\"syslog.priority\",\"
syslog.severity_label\",\"system.auth.ssh.dropped_ip\",\"system.auth.ssh.event\",\"system.auth.ssh.method\",\"system.auth.ssh.signature\",\"system.auth.sudo.command\",\"system.auth.sudo.error\",\"system.auth.sudo.pwd\",\"system.auth.sudo.tty\",\"system.auth.sudo.user\",\"system.auth.useradd.home\",\"system.auth.useradd.shell\",\"tags\",\"threat.framework\",\"threat.tactic.id\",\"threat.tactic.name\",\"threat.tactic.reference\",\"threat.technique.id\",\"threat.technique.name\",\"threat.technique.name.text\",\"threat.technique.reference\",\"threat.technique.subtechnique.id\",\"threat.technique.subtechnique.name\",\"threat.technique.subtechnique.name.text\",\"threat.technique.subtechnique.reference\",\"timeseries.instance\",\"tls.cipher\",\"tls.client.certificate\",\"tls.client.certificate_chain\",\"tls.client.hash.md5\",\"tls.client.hash.sha1\",\"tls.client.hash.sha256\",\"tls.client.issuer\",\"tls.client.ja3\",\"tls.client.not_after\",\"tls.client.not_before\",\"tls.client.server_name\",\"tls.client.subject\",\"tls.client.supported_ciphers\",\"tls.client.x509.alternative_names\",\"tls.client.x509.issuer.common_name\",\"tls.client.x509.issuer.country\",\"tls.client.x509.issuer.distinguished_name\",\"tls.client.x509.issuer.locality\",\"tls.client.x509.issuer.organization\",\"tls.client.x509.issuer.organizational_unit\",\"tls.client.x509.issuer.state_or_province\",\"tls.client.x509.not_after\",\"tls.client.x509.not_before\",\"tls.client.x509.public_key_algorithm\",\"tls.client.x509.public_key_curve\",\"tls.client.x509.public_key_exponent\",\"tls.client.x509.public_key_size\",\"tls.client.x509.serial_number\",\"tls.client.x509.signature_algorithm\",\"tls.client.x509.subject.common_name\",\"tls.client.x509.subject.country\",\"tls.client.x509.subject.distinguished_name\",\"tls.client.x509.subject.locality\",\"tls.client.x509.subject.organization\",\"tls.client.x509.subject.organizational_unit\",\"tls.client.x509.subject.state_or_province\",\"tls.client.x509.version_number\
",\"tls.curve\",\"tls.established\",\"tls.next_protocol\",\"tls.resumed\",\"tls.server.certificate\",\"tls.server.certificate_chain\",\"tls.server.hash.md5\",\"tls.server.hash.sha1\",\"tls.server.hash.sha256\",\"tls.server.issuer\",\"tls.server.ja3s\",\"tls.server.not_after\",\"tls.server.not_before\",\"tls.server.subject\",\"tls.server.x509.alternative_names\",\"tls.server.x509.issuer.common_name\",\"tls.server.x509.issuer.country\",\"tls.server.x509.issuer.distinguished_name\",\"tls.server.x509.issuer.locality\",\"tls.server.x509.issuer.organization\",\"tls.server.x509.issuer.organizational_unit\",\"tls.server.x509.issuer.state_or_province\",\"tls.server.x509.not_after\",\"tls.server.x509.not_before\",\"tls.server.x509.public_key_algorithm\",\"tls.server.x509.public_key_curve\",\"tls.server.x509.public_key_exponent\",\"tls.server.x509.public_key_size\",\"tls.server.x509.serial_number\",\"tls.server.x509.signature_algorithm\",\"tls.server.x509.subject.common_name\",\"tls.server.x509.subject.country\",\"tls.server.x509.subject.distinguished_name\",\"tls.server.x509.subject.locality\",\"tls.server.x509.subject.organization\",\"tls.server.x509.subject.organizational_unit\",\"tls.server.x509.subject.state_or_province\",\"tls.server.x509.version_number\",\"tls.version\",\"tls.version_protocol\",\"trace.id\",\"traefik.access.backend_url\",\"traefik.access.frontend_name\",\"traefik.access.geoip.city_name\",\"traefik.access.geoip.continent_name\",\"traefik.access.geoip.country_iso_code\",\"traefik.access.geoip.location\",\"traefik.access.geoip.region_iso_code\",\"traefik.access.geoip.region_name\",\"traefik.access.request_count\",\"traefik.access.user_agent.device\",\"traefik.access.user_agent.name\",\"traefik.access.user_agent.original\",\"traefik.access.user_agent.os\",\"traefik.access.user_agent.os_name\",\"traefik.access.user_identifier\",\"transaction.id\",\"url.domain\",\"url.extension\",\"url.fragment\",\"url.full\",\"url.full.text\",\"url.original\",\"url.original.
text\",\"url.password\",\"url.path\",\"url.port\",\"url.query\",\"url.registered_domain\",\"url.scheme\",\"url.subdomain\",\"url.top_level_domain\",\"url.username\",\"user.audit.group.id\",\"user.audit.group.name\",\"user.audit.id\",\"user.audit.name\",\"user.domain\",\"user.effective.group.id\",\"user.effective.group.name\",\"user.effective.id\",\"user.effective.name\",\"user.email\",\"user.filesystem.group.id\",\"user.filesystem.group.name\",\"user.filesystem.id\",\"user.filesystem.name\",\"user.full_name\",\"user.full_name.text\",\"user.group.domain\",\"user.group.id\",\"user.group.name\",\"user.hash\",\"user.id\",\"user.name\",\"user.name.text\",\"user.owner.group.id\",\"user.owner.group.name\",\"user.owner.id\",\"user.owner.name\",\"user.roles\",\"user.saved.group.id\",\"user.saved.group.name\",\"user.saved.id\",\"user.saved.name\",\"user.terminal\",\"user_agent.device.name\",\"user_agent.name\",\"user_agent.original\",\"user_agent.original.text\",\"user_agent.os.family\",\"user_agent.os.full\",\"user_agent.os.full.text\",\"user_agent.os.full_name\",\"user_agent.os.kernel\",\"user_agent.os.name\",\"user_agent.os.name.text\",\"user_agent.os.platform\",\"user_agent.os.version\",\"user_agent.version\",\"vlan.id\",\"vlan.name\",\"vulnerability.category\",\"vulnerability.classification\",\"vulnerability.description\",\"vulnerability.description.text\",\"vulnerability.enumeration\",\"vulnerability.id\",\"vulnerability.reference\",\"vulnerability.report_id\",\"vulnerability.scanner.vendor\",\"vulnerability.score.base\",\"vulnerability.score.environmental\",\"vulnerability.score.temporal\",\"vulnerability.score.version\",\"vulnerability.severity\",\"x509.alternative_names\",\"x509.issuer.common_name\",\"x509.issuer.country\",\"x509.issuer.distinguished_name\",\"x509.issuer.locality\",\"x509.issuer.organization\",\"x509.issuer.organizational_unit\",\"x509.issuer.state_or_province\",\"x509.not_after\",\"x509.not_before\",\"x509.public_key_algorithm\",\"x509.public_key_cu
rve\",\"x509.public_key_exponent\",\"x509.public_key_size\",\"x509.serial_number\",\"x509.signature_algorithm\",\"x509.subject.common_name\",\"x509.subject.country\",\"x509.subject.distinguished_name\",\"x509.subject.locality\",\"x509.subject.organization\",\"x509.subject.organizational_unit\",\"x509.subject.state_or_province\",\"x509.version_number\"],\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"hid_bravura_monitor.perf.kind\",\"negate\":false,\"params\":{\"query\":\"PerfPsupdate\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"hid_bravura_monitor.perf.kind\":\"PerfPsupdate\"}}}],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "PerfPsupdate", - "version": 1 - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-dd637750-1473-11eb-bb7b-bb041e8cf289", - "migrationVersion": { - "search": "7.9.3" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/hid_bravura_monitor/1.2.2/kibana/visualization/hid_bravura_monitor-00cbeab0-1a28-11eb-abcf-effcd51852fa.json b/packages/hid_bravura_monitor/1.2.2/kibana/visualization/hid_bravura_monitor-00cbeab0-1a28-11eb-abcf-effcd51852fa.json deleted file mode 100755 index 0df883fdb2..0000000000 --- a/packages/hid_bravura_monitor/1.2.2/kibana/visualization/hid_bravura_monitor-00cbeab0-1a28-11eb-abcf-effcd51852fa.json +++ /dev/null 
@@ -1,39 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":\"Transaction is NULL\",\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"hid_bravura_monitor.perf.transid\",\"negate\":true,\"params\":{\"query\":\"\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"hid_bravura_monitor.perf.transid\":\"\"}}},{\"$state\":{\"store\":\"appState\"},\"exists\":{\"field\":\"hid_bravura_monitor.perf.transid\"},\"meta\":{\"alias\":\"Transaction exists\",\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"hid_bravura_monitor.perf.transid\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Users: Pages: UI Transactions", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"UI Transaction\",\"field\":\"hid_bravura_monitor.perf.transid\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10000},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Executable\",\"field\":\"log.logger\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10000},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Average 
(ms)\",\"field\":\"hid_bravura_monitor.perf.duration\"},\"schema\":\"metric\",\"type\":\"avg\"},{\"enabled\":true,\"id\":\"5\",\"params\":{\"customLabel\":\"Min (ms)\",\"field\":\"hid_bravura_monitor.perf.duration\"},\"schema\":\"metric\",\"type\":\"min\"},{\"enabled\":true,\"id\":\"6\",\"params\":{\"customLabel\":\"Max (ms)\",\"field\":\"hid_bravura_monitor.perf.duration\"},\"schema\":\"metric\",\"type\":\"max\"},{\"enabled\":true,\"id\":\"7\",\"params\":{\"customLabel\":\"Total (ms)\",\"field\":\"hid_bravura_monitor.perf.duration\"},\"schema\":\"metric\",\"type\":\"sum\"}],\"params\":{\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Users: Pages: UI Transactions\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-00cbeab0-1a28-11eb-abcf-effcd51852fa", - "migrationVersion": { - "visualization": "7.14.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "type": "index-pattern" - }, - { - "id": "hid_bravura_monitor-77cbe8b0-de89-11eb-a272-2d62b237e243", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/hid_bravura_monitor/1.2.2/kibana/visualization/hid_bravura_monitor-00dc0a80-1adc-11eb-abcf-effcd51852fa.json b/packages/hid_bravura_monitor/1.2.2/kibana/visualization/hid_bravura_monitor-00dc0a80-1adc-11eb-abcf-effcd51852fa.json deleted file mode 100755 index 70be8c7e8f..0000000000 --- a/packages/hid_bravura_monitor/1.2.2/kibana/visualization/hid_bravura_monitor-00dc0a80-1adc-11eb-abcf-effcd51852fa.json +++ /dev/null 
@@ -1,33 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"hid_bravura_monitor.perf.kind\",\"negate\":false,\"params\":{\"query\":\"PerfConnector\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"hid_bravura_monitor.perf.kind\":\"PerfConnector\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Connector: Operations Per Node", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Node\",\"field\":\"host.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10000},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Connector: Operations Per Node\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-00dc0a80-1adc-11eb-abcf-effcd51852fa", - "migrationVersion": { - "visualization": "7.14.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/hid_bravura_monitor/1.2.2/kibana/visualization/hid_bravura_monitor-05cb9390-1a22-11eb-abcf-effcd51852fa.json b/packages/hid_bravura_monitor/1.2.2/kibana/visualization/hid_bravura_monitor-05cb9390-1a22-11eb-abcf-effcd51852fa.json deleted file mode 100755 index ffa350420f..0000000000 --- a/packages/hid_bravura_monitor/1.2.2/kibana/visualization/hid_bravura_monitor-05cb9390-1a22-11eb-abcf-effcd51852fa.json +++ /dev/null 
@@ -1,29 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Users: API: Histogram", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"scaleMetricValues\":false,\"timeRange\":{\"from\":\"now-15m\",\"to\":\"now\"},\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Node\",\"field\":\"host.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":1000},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"isVislibVis\":true,\"labels\":{\"show\":false},\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"mode\":\"stacked\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100}
,\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"Users: API: Histogram\",\"type\":\"histogram\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-05cb9390-1a22-11eb-abcf-effcd51852fa", - "migrationVersion": { - "visualization": "7.14.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "hid_bravura_monitor-ad5f7180-1473-11eb-bb7b-bb041e8cf289", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/hid_bravura_monitor/1.2.2/kibana/visualization/hid_bravura_monitor-06fb9d30-1a24-11eb-abcf-effcd51852fa.json b/packages/hid_bravura_monitor/1.2.2/kibana/visualization/hid_bravura_monitor-06fb9d30-1a24-11eb-abcf-effcd51852fa.json deleted file mode 100755 index 10a036dbb9..0000000000 --- a/packages/hid_bravura_monitor/1.2.2/kibana/visualization/hid_bravura_monitor-06fb9d30-1a24-11eb-abcf-effcd51852fa.json +++ /dev/null 
@@ -1,33 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"hid_bravura_monitor.perf.kind\",\"negate\":false,\"params\":{\"query\":\"PerfConnector\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"hid_bravura_monitor.perf.kind\":\"PerfConnector\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Connector: Operation List", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Operation\",\"field\":\"hid_bravura_monitor.perf.operation\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10000},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Connector: Operation List\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-06fb9d30-1a24-11eb-abcf-effcd51852fa", - "migrationVersion": { - "visualization": "7.14.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at 
end of file diff --git a/packages/hid_bravura_monitor/1.2.2/kibana/visualization/hid_bravura_monitor-0799ca70-2b66-11eb-abcf-effcd51852fa.json b/packages/hid_bravura_monitor/1.2.2/kibana/visualization/hid_bravura_monitor-0799ca70-2b66-11eb-abcf-effcd51852fa.json deleted file mode 100755 index afb95c51b9..0000000000 --- a/packages/hid_bravura_monitor/1.2.2/kibana/visualization/hid_bravura_monitor-0799ca70-2b66-11eb-abcf-effcd51852fa.json +++ /dev/null 
@@ -1,29 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Users: API: Function Performance", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Average (ms)\",\"field\":\"hid_bravura_monitor.perf.duration\"},\"schema\":\"metric\",\"type\":\"avg\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Minimum (ms)\",\"field\":\"hid_bravura_monitor.perf.duration\"},\"schema\":\"metric\",\"type\":\"min\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Maximum (ms)\",\"field\":\"hid_bravura_monitor.perf.duration\"},\"schema\":\"metric\",\"type\":\"max\"},{\"enabled\":true,\"id\":\"5\",\"params\":{\"customLabel\":\"Total (ms)\",\"field\":\"hid_bravura_monitor.perf.duration\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"6\",\"params\":{\"customLabel\":\"Function\",\"field\":\"hid_bravura_monitor.perf.function\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10000},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Users: API: Function Performance\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-0799ca70-2b66-11eb-abcf-effcd51852fa", - "migrationVersion": { - "visualization": "7.14.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": 
"hid_bravura_monitor-ad5f7180-1473-11eb-bb7b-bb041e8cf289", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/hid_bravura_monitor/1.2.2/kibana/visualization/hid_bravura_monitor-07f86e00-d835-11eb-9e70-edcbba448215.json b/packages/hid_bravura_monitor/1.2.2/kibana/visualization/hid_bravura_monitor-07f86e00-d835-11eb-9e70-edcbba448215.json deleted file mode 100755 index 9727c2554d..0000000000 --- a/packages/hid_bravura_monitor/1.2.2/kibana/visualization/hid_bravura_monitor-07f86e00-d835-11eb-9e70-edcbba448215.json +++ /dev/null 
@@ -1,29 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Administrative Summary Table", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Event Code\",\"field\":\"event.code\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":100},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Integration\",\"field\":\"winlog.event_data.Module\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":1000},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"Administrative Summary Table\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-07f86e00-d835-11eb-9e70-edcbba448215", - "migrationVersion": { - "visualization": "7.14.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "hid_bravura_monitor-dca8bb20-d397-11eb-9e70-edcbba448215", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/hid_bravura_monitor/1.2.2/kibana/visualization/hid_bravura_monitor-0cb6caa0-1ade-11eb-abcf-effcd51852fa.json b/packages/hid_bravura_monitor/1.2.2/kibana/visualization/hid_bravura_monitor-0cb6caa0-1ade-11eb-abcf-effcd51852fa.json deleted file mode 100755 index 709de00be4..0000000000 
--- a/packages/hid_bravura_monitor/1.2.2/kibana/visualization/hid_bravura_monitor-0cb6caa0-1ade-11eb-abcf-effcd51852fa.json +++ /dev/null 
@@ -1,29 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Workflow: Operations", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Event\",\"field\":\"hid_bravura_monitor.perf.event\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10000},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Average (ms)\",\"field\":\"hid_bravura_monitor.perf.duration\"},\"schema\":\"metric\",\"type\":\"avg\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Min (ms)\",\"field\":\"hid_bravura_monitor.perf.duration\"},\"schema\":\"metric\",\"type\":\"min\"},{\"enabled\":true,\"id\":\"5\",\"params\":{\"customLabel\":\"Max (ms)\",\"field\":\"hid_bravura_monitor.perf.duration\"},\"schema\":\"metric\",\"type\":\"max\"},{\"enabled\":true,\"id\":\"6\",\"params\":{\"customLabel\":\"Total (ms)\",\"field\":\"hid_bravura_monitor.perf.duration\"},\"schema\":\"metric\",\"type\":\"sum\"}],\"params\":{\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Workflow: Operations\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-0cb6caa0-1ade-11eb-abcf-effcd51852fa", - "migrationVersion": { - "visualization": "7.14.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": 
"hid_bravura_monitor-d1f2d8c0-1473-11eb-bb7b-bb041e8cf289", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/hid_bravura_monitor/1.2.2/kibana/visualization/hid_bravura_monitor-0cf3f020-1add-11eb-abcf-effcd51852fa.json b/packages/hid_bravura_monitor/1.2.2/kibana/visualization/hid_bravura_monitor-0cf3f020-1add-11eb-abcf-effcd51852fa.json deleted file mode 100755 index bff36e3274..0000000000 --- a/packages/hid_bravura_monitor/1.2.2/kibana/visualization/hid_bravura_monitor-0cf3f020-1add-11eb-abcf-effcd51852fa.json +++ /dev/null 
@@ -1,29 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Workflow: Operation Histogram", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"scaleMetricValues\":false,\"timeRange\":{\"from\":\"now-1y\",\"to\":\"now\"},\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Event\",\"field\":\"hid_bravura_monitor.perf.event\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"size\":20},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"isVislibVis\":true,\"labels\":{\"show\":false},\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"radiusRatio\":0,\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"mode\":\"stacked\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,
\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"Workflow: Operation Histogram\",\"type\":\"histogram\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-0cf3f020-1add-11eb-abcf-effcd51852fa", - "migrationVersion": { - "visualization": "7.14.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "hid_bravura_monitor-d1f2d8c0-1473-11eb-bb7b-bb041e8cf289", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/hid_bravura_monitor/1.2.2/kibana/visualization/hid_bravura_monitor-1211f840-d90a-11eb-9e70-edcbba448215.json b/packages/hid_bravura_monitor/1.2.2/kibana/visualization/hid_bravura_monitor-1211f840-d90a-11eb-9e70-edcbba448215.json deleted file mode 100755 index d65570252d..0000000000 --- a/packages/hid_bravura_monitor/1.2.2/kibana/visualization/hid_bravura_monitor-1211f840-d90a-11eb-9e70-edcbba448215.json +++ /dev/null 
@@ -1,34 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":true,\"params\":{\"query\":\"85\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"event.code\":\"85\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Top 10 Requesters", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Requester\",\"field\":\"winlog.event_data.Requester\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"Top 10 Requesters\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-1211f840-d90a-11eb-9e70-edcbba448215", - "migrationVersion": { - "visualization": "7.14.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "hid_bravura_monitor-53be5e10-d909-11eb-9e70-edcbba448215", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/hid_bravura_monitor/1.2.2/kibana/visualization/hid_bravura_monitor-1269fd70-1956-11eb-abcf-effcd51852fa.json b/packages/hid_bravura_monitor/1.2.2/kibana/visualization/hid_bravura_monitor-1269fd70-1956-11eb-abcf-effcd51852fa.json deleted file mode 100755 index 379e10846d..0000000000 --- a/packages/hid_bravura_monitor/1.2.2/kibana/visualization/hid_bravura_monitor-1269fd70-1956-11eb-abcf-effcd51852fa.json +++ /dev/null 
@@ -1,28 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"hid_bravura_monitor.log\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"hid_bravura_monitor.log\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Users: Summary: Node Usage", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count of unique User ID\",\"field\":\"user.id\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"scaleMetricValues\":false,\"timeRange\":{\"from\":\"now-15m\",\"to\":\"now\"},\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Node\",\"field\":\"host.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10000},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"isVislibVis\":true,\"labels\":{\"show\":false},\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"radiusRatio
\":0,\"row\":true,\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count of unique User ID\"},\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"mode\":\"stacked\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count of unique User ID\"},\"type\":\"value\"}]},\"title\":\"Users: Summary: Node Usage\",\"type\":\"histogram\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-1269fd70-1956-11eb-abcf-effcd51852fa", - "migrationVersion": { - "visualization": "7.14.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/hid_bravura_monitor/1.2.2/kibana/visualization/hid_bravura_monitor-1498e300-1482-11eb-bb7b-bb041e8cf289.json b/packages/hid_bravura_monitor/1.2.2/kibana/visualization/hid_bravura_monitor-1498e300-1482-11eb-bb7b-bb041e8cf289.json deleted file mode 100755 index 2e3839a607..0000000000 --- a/packages/hid_bravura_monitor/1.2.2/kibana/visualization/hid_bravura_monitor-1498e300-1482-11eb-bb7b-bb041e8cf289.json +++ /dev/null 
@@ -1,29 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Database: Stored Procedure Runtime Statistics", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":5,\"direction\":\"desc\"}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Function\",\"field\":\"hid_bravura_monitor.perf.function\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":1000},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Average (ms)\",\"field\":\"hid_bravura_monitor.perf.duration\"},\"schema\":\"metric\",\"type\":\"avg\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Min (ms)\",\"field\":\"hid_bravura_monitor.perf.duration\"},\"schema\":\"metric\",\"type\":\"min\"},{\"enabled\":true,\"id\":\"5\",\"params\":{\"customLabel\":\"Max (ms)\",\"field\":\"hid_bravura_monitor.perf.duration\"},\"schema\":\"metric\",\"type\":\"max\"},{\"enabled\":true,\"id\":\"6\",\"params\":{\"customLabel\":\"Total (ms)\",\"field\":\"hid_bravura_monitor.perf.duration\"},\"schema\":\"metric\",\"type\":\"sum\"}],\"params\":{\"perPage\":10,\"percentageCol\":\"\",\"row\":true,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Database: Stored Procedure Runtime Statistics\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-1498e300-1482-11eb-bb7b-bb041e8cf289", - "migrationVersion": { - "visualization": "7.14.0" - }, - "namespaces": [ - "default" - 
], - "references": [ - { - "id": "hid_bravura_monitor-83eacd90-1473-11eb-bb7b-bb041e8cf289", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/hid_bravura_monitor/1.2.2/kibana/visualization/hid_bravura_monitor-1a2adb70-2f44-11eb-b6a1-bdb7d768b585.json b/packages/hid_bravura_monitor/1.2.2/kibana/visualization/hid_bravura_monitor-1a2adb70-2f44-11eb-b6a1-bdb7d768b585.json deleted file mode 100755 index 6a73900e1d..0000000000 --- a/packages/hid_bravura_monitor/1.2.2/kibana/visualization/hid_bravura_monitor-1a2adb70-2f44-11eb-b6a1-bdb7d768b585.json +++ /dev/null 
@@ -1,29 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Plugin: Performance", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Average (ms)\",\"field\":\"hid_bravura_monitor.perf.duration\"},\"schema\":\"metric\",\"type\":\"avg\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Minimum (ms)\",\"field\":\"hid_bravura_monitor.perf.duration\"},\"schema\":\"metric\",\"type\":\"min\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Maximum (ms)\",\"field\":\"hid_bravura_monitor.perf.duration\"},\"schema\":\"metric\",\"type\":\"max\"},{\"enabled\":true,\"id\":\"5\",\"params\":{\"customLabel\":\"Total (ms)\",\"field\":\"hid_bravura_monitor.perf.duration\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"6\",\"params\":{\"customLabel\":\"Plugin\",\"field\":\"log.logger\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10000},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Plugin: Performance\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-1a2adb70-2f44-11eb-b6a1-bdb7d768b585", - "migrationVersion": { - "visualization": "7.14.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": 
"hid_bravura_monitor-39072a50-2f42-11eb-b6a1-bdb7d768b585", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/hid_bravura_monitor/1.2.2/kibana/visualization/hid_bravura_monitor-1b439670-25d8-11eb-abcf-effcd51852fa.json b/packages/hid_bravura_monitor/1.2.2/kibana/visualization/hid_bravura_monitor-1b439670-25d8-11eb-abcf-effcd51852fa.json deleted file mode 100755 index e32c74fc4f..0000000000 --- a/packages/hid_bravura_monitor/1.2.2/kibana/visualization/hid_bravura_monitor-1b439670-25d8-11eb-abcf-effcd51852fa.json +++ /dev/null 
@@ -1,28 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Dataset: Log Type Counts", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Log Type\",\"field\":\"hid_bravura_monitor.perf.kind\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":1000},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Dataset: Log Type Counts\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-1b439670-25d8-11eb-abcf-effcd51852fa", - "migrationVersion": { - "visualization": "7.14.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/hid_bravura_monitor/1.2.2/kibana/visualization/hid_bravura_monitor-1ddd3300-1a25-11eb-abcf-effcd51852fa.json b/packages/hid_bravura_monitor/1.2.2/kibana/visualization/hid_bravura_monitor-1ddd3300-1a25-11eb-abcf-effcd51852fa.json deleted file mode 100755 index fbf41a8bc4..0000000000 --- a/packages/hid_bravura_monitor/1.2.2/kibana/visualization/hid_bravura_monitor-1ddd3300-1a25-11eb-abcf-effcd51852fa.json +++ /dev/null 
@@ -1,33 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"hid_bravura_monitor.perf.kind\",\"negate\":false,\"params\":{\"query\":\"PerfConnector\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"hid_bravura_monitor.perf.kind\":\"PerfConnector\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Connector: Return Code", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Result\",\"field\":\"hid_bravura_monitor.perf.result\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10000},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Connector: Return Code\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-1ddd3300-1a25-11eb-abcf-effcd51852fa", - "migrationVersion": { - "visualization": "7.14.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/hid_bravura_monitor/1.2.2/kibana/visualization/hid_bravura_monitor-20a85000-1a1c-11eb-abcf-effcd51852fa.json b/packages/hid_bravura_monitor/1.2.2/kibana/visualization/hid_bravura_monitor-20a85000-1a1c-11eb-abcf-effcd51852fa.json deleted file mode 100755 index 6258eeea60..0000000000 --- a/packages/hid_bravura_monitor/1.2.2/kibana/visualization/hid_bravura_monitor-20a85000-1a1c-11eb-abcf-effcd51852fa.json +++ /dev/null @@ -1,29 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Users: Issues: Nodes", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Node\",\"field\":\"host.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":100},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Users: Issues: Nodes\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-20a85000-1a1c-11eb-abcf-effcd51852fa", - "migrationVersion": { - "visualization": "7.14.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "hid_bravura_monitor-9e4165d0-1a1a-11eb-abcf-effcd51852fa", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/hid_bravura_monitor/1.2.2/kibana/visualization/hid_bravura_monitor-211feda0-d37f-11eb-9e70-edcbba448215.json b/packages/hid_bravura_monitor/1.2.2/kibana/visualization/hid_bravura_monitor-211feda0-d37f-11eb-9e70-edcbba448215.json deleted file mode 100755 index 8aa0d744cc..0000000000 --- a/packages/hid_bravura_monitor/1.2.2/kibana/visualization/hid_bravura_monitor-211feda0-d37f-11eb-9e70-edcbba448215.json +++ /dev/null 
@@ -1,34 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":{\"query\":\"1\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"event.code\":\"1\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "User Login Failures", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"scaleMetricValues\":false,\"timeRange\":{\"from\":\"now-1y\",\"to\":\"now\"},\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"isVislibVis\":true,\"labels\":{\"show\":false},\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"mode\":\"stacked\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":
100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"User Login Failures\",\"type\":\"histogram\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-211feda0-d37f-11eb-9e70-edcbba448215", - "migrationVersion": { - "visualization": "7.14.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "hid_bravura_monitor-089d63f0-d37c-11eb-9e70-edcbba448215", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/hid_bravura_monitor/1.2.2/kibana/visualization/hid_bravura_monitor-23133620-238b-11eb-abcf-effcd51852fa.json b/packages/hid_bravura_monitor/1.2.2/kibana/visualization/hid_bravura_monitor-23133620-238b-11eb-abcf-effcd51852fa.json deleted file mode 100755 index b90f37bce3..0000000000 --- a/packages/hid_bravura_monitor/1.2.2/kibana/visualization/hid_bravura_monitor-23133620-238b-11eb-abcf-effcd51852fa.json +++ /dev/null 
@@ -1,29 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Problem Provider Distribution", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"scaleMetricValues\":false,\"timeRange\":{\"from\":\"now-15m\",\"to\":\"now\"},\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"winlog.channel\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":100},\"schema\":\"group\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"field\":\"winlog.provider_name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":1000},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"isVislibVis\":true,\"labels\":{\"show\":false},\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"mode\":\"stacked\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis
\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"Problem Provider Distribution\",\"type\":\"histogram\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-23133620-238b-11eb-abcf-effcd51852fa", - "migrationVersion": { - "visualization": "7.14.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "hid_bravura_monitor-1616ab00-22c8-11eb-abcf-effcd51852fa", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/hid_bravura_monitor/1.2.2/kibana/visualization/hid_bravura_monitor-24823410-1464-11eb-bb7b-bb041e8cf289.json b/packages/hid_bravura_monitor/1.2.2/kibana/visualization/hid_bravura_monitor-24823410-1464-11eb-bb7b-bb041e8cf289.json deleted file mode 100755 index 3d69b5f3dd..0000000000 --- a/packages/hid_bravura_monitor/1.2.2/kibana/visualization/hid_bravura_monitor-24823410-1464-11eb-bb7b-bb041e8cf289.json +++ /dev/null 
@@ -1,29 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "IDM Suite: Log issues histogram", - "uiStateJSON": "{\"vis\":{\"colors\":{\"Error\":\"#BF1B00\",\"Warning\":\"#E5AC0E\"}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"scaleMetricValues\":false,\"timeRange\":{\"from\":\"now-1y\",\"to\":\"now\"},\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"log.level\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":1000},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"isVislibVis\":true,\"labels\":{\"show\":false},\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"radiusRatio\":0,\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"mode\":\"stacked\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"l
abels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"IDM Suite: Log issues histogram\",\"type\":\"histogram\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-24823410-1464-11eb-bb7b-bb041e8cf289", - "migrationVersion": { - "visualization": "7.14.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "hid_bravura_monitor-2ec4a850-1463-11eb-bb7b-bb041e8cf289", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/hid_bravura_monitor/1.2.2/kibana/visualization/hid_bravura_monitor-2722d7e0-d388-11eb-9e70-edcbba448215.json b/packages/hid_bravura_monitor/1.2.2/kibana/visualization/hid_bravura_monitor-2722d7e0-d388-11eb-9e70-edcbba448215.json deleted file mode 100755 index b6c265aa5d..0000000000 --- a/packages/hid_bravura_monitor/1.2.2/kibana/visualization/hid_bravura_monitor-2722d7e0-d388-11eb-9e70-edcbba448215.json +++ /dev/null 
@@ -1,34 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":{\"query\":\"8\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"event.code\":\"8\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Replication Database Transaction Failures", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"scaleMetricValues\":false,\"timeRange\":{\"from\":\"now-1y\",\"to\":\"now\"},\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"isVislibVis\":true,\"labels\":{\"show\":false},\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"mode\":\"stacked\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"sho
w\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"Replication Database Transaction Failures\",\"type\":\"histogram\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-2722d7e0-d388-11eb-9e70-edcbba448215", - "migrationVersion": { - "visualization": "7.14.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "hid_bravura_monitor-089d63f0-d37c-11eb-9e70-edcbba448215", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/hid_bravura_monitor/1.2.2/kibana/visualization/hid_bravura_monitor-2a088ae0-243d-11eb-abcf-effcd51852fa.json b/packages/hid_bravura_monitor/1.2.2/kibana/visualization/hid_bravura_monitor-2a088ae0-243d-11eb-abcf-effcd51852fa.json deleted file mode 100755 index 18ab353128..0000000000 --- a/packages/hid_bravura_monitor/1.2.2/kibana/visualization/hid_bravura_monitor-2a088ae0-243d-11eb-abcf-effcd51852fa.json +++ /dev/null 
@@ -1,29 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Login Attempts", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"scaleMetricValues\":false,\"timeRange\":{\"from\":\"now-90d\",\"to\":\"now\"},\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"event.outcome\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"isVislibVis\":true,\"labels\":{\"show\":false},\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"mode\":\"stacked\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"posi
tion\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"Login Attempts\",\"type\":\"histogram\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-2a088ae0-243d-11eb-abcf-effcd51852fa", - "migrationVersion": { - "visualization": "7.14.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "hid_bravura_monitor-1a724dd0-2395-11eb-abcf-effcd51852fa", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/hid_bravura_monitor/1.2.2/kibana/visualization/hid_bravura_monitor-2ffbfc20-d83d-11eb-9e70-edcbba448215.json b/packages/hid_bravura_monitor/1.2.2/kibana/visualization/hid_bravura_monitor-2ffbfc20-d83d-11eb-9e70-edcbba448215.json deleted file mode 100755 index 178c39c293..0000000000 --- a/packages/hid_bravura_monitor/1.2.2/kibana/visualization/hid_bravura_monitor-2ffbfc20-d83d-11eb-9e70-edcbba448215.json +++ /dev/null 
@@ -1,34 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":[\"32\",\"33\"],\"type\":\"phrases\",\"value\":\"32, 33\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.code\":\"32\"}},{\"match_phrase\":{\"event.code\":\"33\"}}]}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Top 10 Unlocked Profiles", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Profile\",\"field\":\"winlog.event_data.Profile\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"Top 10 Unlocked Profiles\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-2ffbfc20-d83d-11eb-9e70-edcbba448215", - "migrationVersion": { - "visualization": "7.14.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "hid_bravura_monitor-dca8bb20-d397-11eb-9e70-edcbba448215", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/hid_bravura_monitor/1.2.2/kibana/visualization/hid_bravura_monitor-33258a00-d398-11eb-9e70-edcbba448215.json b/packages/hid_bravura_monitor/1.2.2/kibana/visualization/hid_bravura_monitor-33258a00-d398-11eb-9e70-edcbba448215.json deleted file mode 100755 index 1477920457..0000000000 --- a/packages/hid_bravura_monitor/1.2.2/kibana/visualization/hid_bravura_monitor-33258a00-d398-11eb-9e70-edcbba448215.json +++ /dev/null 
@@ -1,29 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Administrative Summary", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"scaleMetricValues\":false,\"timeRange\":{\"from\":\"now-1y\",\"to\":\"now\"},\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Event\",\"field\":\"event.code\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":100},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"isVislibVis\":true,\"labels\":{\"show\":false},\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"mode\":\"stacked\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100
},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"Administrative Summary\",\"type\":\"histogram\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-33258a00-d398-11eb-9e70-edcbba448215", - "migrationVersion": { - "visualization": "7.14.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "hid_bravura_monitor-dca8bb20-d397-11eb-9e70-edcbba448215", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/hid_bravura_monitor/1.2.2/kibana/visualization/hid_bravura_monitor-341531e0-25d8-11eb-abcf-effcd51852fa.json b/packages/hid_bravura_monitor/1.2.2/kibana/visualization/hid_bravura_monitor-341531e0-25d8-11eb-abcf-effcd51852fa.json deleted file mode 100755 index 99eccfe59c..0000000000 --- a/packages/hid_bravura_monitor/1.2.2/kibana/visualization/hid_bravura_monitor-341531e0-25d8-11eb-abcf-effcd51852fa.json +++ /dev/null 
@@ -1,29 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Database: Replication: Load by queue", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Total (ms)\",\"field\":\"hid_bravura_monitor.perf.duration\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Node\",\"field\":\"host.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10000},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Queue\",\"field\":\"hid_bravura_monitor.perf.receivequeue\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10000},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Database: Replication: Load by queue\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-341531e0-25d8-11eb-abcf-effcd51852fa", - "migrationVersion": { - "visualization": "7.14.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "hid_bravura_monitor-2e254220-df55-11eb-9b6e-d57491399e2a", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/hid_bravura_monitor/1.2.2/kibana/visualization/hid_bravura_monitor-37fb60d0-1481-11eb-bb7b-bb041e8cf289.json b/packages/hid_bravura_monitor/1.2.2/kibana/visualization/hid_bravura_monitor-37fb60d0-1481-11eb-bb7b-bb041e8cf289.json deleted file mode 100755 index da63f8966b..0000000000 --- a/packages/hid_bravura_monitor/1.2.2/kibana/visualization/hid_bravura_monitor-37fb60d0-1481-11eb-bb7b-bb041e8cf289.json +++ /dev/null @@ -1,29 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Database: Host Usage", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Node\",\"field\":\"host.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10000},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Database: Host Usage\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-37fb60d0-1481-11eb-bb7b-bb041e8cf289", - "migrationVersion": { - "visualization": "7.14.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "hid_bravura_monitor-83eacd90-1473-11eb-bb7b-bb041e8cf289", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/hid_bravura_monitor/1.2.2/kibana/visualization/hid_bravura_monitor-3bd92210-1a25-11eb-abcf-effcd51852fa.json b/packages/hid_bravura_monitor/1.2.2/kibana/visualization/hid_bravura_monitor-3bd92210-1a25-11eb-abcf-effcd51852fa.json deleted file mode 100755 index a078bbc6f6..0000000000 --- a/packages/hid_bravura_monitor/1.2.2/kibana/visualization/hid_bravura_monitor-3bd92210-1a25-11eb-abcf-effcd51852fa.json +++ /dev/null @@ -1,29 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Users: API: Calls per Node", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Node\",\"field\":\"host.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10000},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Users: API: Calls per Node\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-3bd92210-1a25-11eb-abcf-effcd51852fa", - "migrationVersion": { - "visualization": "7.14.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "hid_bravura_monitor-ad5f7180-1473-11eb-bb7b-bb041e8cf289", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/hid_bravura_monitor/1.2.2/kibana/visualization/hid_bravura_monitor-3ec54c70-d90a-11eb-9e70-edcbba448215.json b/packages/hid_bravura_monitor/1.2.2/kibana/visualization/hid_bravura_monitor-3ec54c70-d90a-11eb-9e70-edcbba448215.json deleted file mode 100755 index 50921b0ee7..0000000000 --- a/packages/hid_bravura_monitor/1.2.2/kibana/visualization/hid_bravura_monitor-3ec54c70-d90a-11eb-9e70-edcbba448215.json +++ /dev/null 
@@ -1,34 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":true,\"params\":{\"query\":\"85\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"event.code\":\"85\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Top 10 Recipients", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Recipient\",\"field\":\"winlog.event_data.Recipient\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"Top 10 Recipients\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-3ec54c70-d90a-11eb-9e70-edcbba448215", - "migrationVersion": { - "visualization": "7.14.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "hid_bravura_monitor-53be5e10-d909-11eb-9e70-edcbba448215", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/hid_bravura_monitor/1.2.2/kibana/visualization/hid_bravura_monitor-42dc53c0-243e-11eb-abcf-effcd51852fa.json b/packages/hid_bravura_monitor/1.2.2/kibana/visualization/hid_bravura_monitor-42dc53c0-243e-11eb-abcf-effcd51852fa.json deleted file mode 100755 index d1c2372322..0000000000 --- a/packages/hid_bravura_monitor/1.2.2/kibana/visualization/hid_bravura_monitor-42dc53c0-243e-11eb-abcf-effcd51852fa.json +++ /dev/null @@ -1,29 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "User Logins", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"User\",\"field\":\"user.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10000},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"User Logins\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-42dc53c0-243e-11eb-abcf-effcd51852fa", - "migrationVersion": { - "visualization": "7.14.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "hid_bravura_monitor-1a724dd0-2395-11eb-abcf-effcd51852fa", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/hid_bravura_monitor/1.2.2/kibana/visualization/hid_bravura_monitor-489a4f50-2453-11eb-abcf-effcd51852fa.json b/packages/hid_bravura_monitor/1.2.2/kibana/visualization/hid_bravura_monitor-489a4f50-2453-11eb-abcf-effcd51852fa.json deleted file mode 100755 index 4bb8713e15..0000000000 --- a/packages/hid_bravura_monitor/1.2.2/kibana/visualization/hid_bravura_monitor-489a4f50-2453-11eb-abcf-effcd51852fa.json +++ /dev/null 
@@ -1,29 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Problem Events", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":3,\"direction\":\"desc\"}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Event ID\",\"field\":\"winlog.event_id\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10000},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Event Source\",\"field\":\"winlog.provider_name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":1000},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Event Log\",\"field\":\"winlog.channel\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":1000},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":20,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Problem Events\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-489a4f50-2453-11eb-abcf-effcd51852fa", - "migrationVersion": { - "visualization": "7.14.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "hid_bravura_monitor-1616ab00-22c8-11eb-abcf-effcd51852fa", - "name": "search_0", - 
"type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/hid_bravura_monitor/1.2.2/kibana/visualization/hid_bravura_monitor-4b0765d0-1ade-11eb-abcf-effcd51852fa.json b/packages/hid_bravura_monitor/1.2.2/kibana/visualization/hid_bravura_monitor-4b0765d0-1ade-11eb-abcf-effcd51852fa.json deleted file mode 100755 index bab3fb6adb..0000000000 --- a/packages/hid_bravura_monitor/1.2.2/kibana/visualization/hid_bravura_monitor-4b0765d0-1ade-11eb-abcf-effcd51852fa.json +++ /dev/null 
@@ -1,29 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Connector Return Code: Operation count", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Operation\",\"field\":\"hid_bravura_monitor.perf.operation\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":1000},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Connector Return Code: Operation count\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-4b0765d0-1ade-11eb-abcf-effcd51852fa", - "migrationVersion": { - "visualization": "7.14.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "hid_bravura_monitor-55100560-1add-11eb-abcf-effcd51852fa", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/hid_bravura_monitor/1.2.2/kibana/visualization/hid_bravura_monitor-4bfcdae0-2dcd-11eb-b6a1-bdb7d768b585.json b/packages/hid_bravura_monitor/1.2.2/kibana/visualization/hid_bravura_monitor-4bfcdae0-2dcd-11eb-b6a1-bdb7d768b585.json deleted file mode 100755 index cdcd472e01..0000000000 --- a/packages/hid_bravura_monitor/1.2.2/kibana/visualization/hid_bravura_monitor-4bfcdae0-2dcd-11eb-b6a1-bdb7d768b585.json +++ /dev/null 
@@ -1,33 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"hid_bravura_monitor.perf.kind\",\"negate\":false,\"params\":{\"query\":\"PerfConnector\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"hid_bravura_monitor.perf.kind\":\"PerfConnector\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Bravura: Selector: Return Code", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"controls\":[{\"fieldName\":\"hid_bravura_monitor.perf.result\",\"id\":\"1606164462534\",\"indexPatternRefName\":\"control_0_index_pattern\",\"label\":\"Return Code\",\"options\":{\"dynamicOptions\":true,\"multiselect\":false,\"order\":\"desc\",\"size\":10,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"}],\"pinFilters\":false,\"updateFiltersOnChange\":false,\"useTimeFilter\":false},\"title\":\"Bravura: Selector: Return Code\",\"type\":\"input_control_vis\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-4bfcdae0-2dcd-11eb-b6a1-bdb7d768b585", - "migrationVersion": { - "visualization": "7.14.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "control_0_index_pattern", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/hid_bravura_monitor/1.2.2/kibana/visualization/hid_bravura_monitor-552d3e80-1a26-11eb-abcf-effcd51852fa.json b/packages/hid_bravura_monitor/1.2.2/kibana/visualization/hid_bravura_monitor-552d3e80-1a26-11eb-abcf-effcd51852fa.json deleted file mode 100755 index 82bba8ecdd..0000000000 
--- a/packages/hid_bravura_monitor/1.2.2/kibana/visualization/hid_bravura_monitor-552d3e80-1a26-11eb-abcf-effcd51852fa.json +++ /dev/null @@ -1,22 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Users: Pages: Help", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"fontSize\":12,\"markdown\":\"Transactions represent a UI page the user sees.\\n\\nWhat pages are people calling and what performance are they experiencing?\",\"openLinksInNewTab\":false},\"title\":\"Users: Pages: Help\",\"type\":\"markdown\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-552d3e80-1a26-11eb-abcf-effcd51852fa", - "migrationVersion": { - "visualization": "7.14.0" - }, - "namespaces": [ - "default" - ], - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/hid_bravura_monitor/1.2.2/kibana/visualization/hid_bravura_monitor-59482290-25da-11eb-abcf-effcd51852fa.json b/packages/hid_bravura_monitor/1.2.2/kibana/visualization/hid_bravura_monitor-59482290-25da-11eb-abcf-effcd51852fa.json deleted file mode 100755 index 87ec7841f2..0000000000 --- a/packages/hid_bravura_monitor/1.2.2/kibana/visualization/hid_bravura_monitor-59482290-25da-11eb-abcf-effcd51852fa.json +++ /dev/null 
@@ -1,22 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Database: Search: Help", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"fontSize\":12,\"markdown\":\"Search engines need to return quickly since users are waiting on their results. There is a direct correlation between search time and user experience.\\n\\nAs a general rule, Search stored procedures should take less than a second to run on average. \\n\\nSearch stored procedure performance is impacted by elements such as:\\n\\n* Data size. Larger data consumes more CPU, Ram, Disk I/O on the database server. \\n* Policies such as acls, filtering, etc. \\n* Indexes. Sometimes they fragment degrading overall performance. \\n* Table/Index Locking with other database actions.\\n\\nStrategies for improving database search performance include:\\n\\n* Rebuild fragmented database indexes.\\n* Evaluate if more RAM/CPU\\n\\nWhen these don't work, Developers will need database execution plans to review options.\",\"openLinksInNewTab\":false},\"title\":\"Database: Search: Help\",\"type\":\"markdown\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-59482290-25da-11eb-abcf-effcd51852fa", - "migrationVersion": { - "visualization": "7.14.0" - }, - "namespaces": [ - "default" - ], - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/hid_bravura_monitor/1.2.2/kibana/visualization/hid_bravura_monitor-5b5237e0-d388-11eb-9e70-edcbba448215.json b/packages/hid_bravura_monitor/1.2.2/kibana/visualization/hid_bravura_monitor-5b5237e0-d388-11eb-9e70-edcbba448215.json deleted file mode 100755 index 7ead2be0b3..0000000000 --- a/packages/hid_bravura_monitor/1.2.2/kibana/visualization/hid_bravura_monitor-5b5237e0-d388-11eb-9e70-edcbba448215.json +++ /dev/null 
@@ -1,34 +0,0 @@ -{ - "attributes": { - "description": "Failed to insert data into database replication queue", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":{\"query\":\"9\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"event.code\":\"9\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Replication Queue Insert Failures", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"scaleMetricValues\":false,\"timeRange\":{\"from\":\"now-1y\",\"to\":\"now\"},\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"isVislibVis\":true,\"labels\":{\"show\":false},\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"mode\":\"stacked\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"
labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"Replication Queue Insert Failures\",\"type\":\"histogram\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-5b5237e0-d388-11eb-9e70-edcbba448215", - "migrationVersion": { - "visualization": "7.14.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "hid_bravura_monitor-089d63f0-d37c-11eb-9e70-edcbba448215", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/hid_bravura_monitor/1.2.2/kibana/visualization/hid_bravura_monitor-64035e60-25db-11eb-abcf-effcd51852fa.json b/packages/hid_bravura_monitor/1.2.2/kibana/visualization/hid_bravura_monitor-64035e60-25db-11eb-abcf-effcd51852fa.json deleted file mode 100755 index 8ddd8dffec..0000000000 --- a/packages/hid_bravura_monitor/1.2.2/kibana/visualization/hid_bravura_monitor-64035e60-25db-11eb-abcf-effcd51852fa.json +++ /dev/null 
@@ -1,22 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Database: Discovery: Help", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"fontSize\":12,\"markdown\":\"Discovery stored procedures are involved with loading data from integrations ( Connectors and LWS ) into the product database to learn about changes in the environment we are managing Identities and Access in. \\n\\nSome general rules of thumbs:\\n\\n* LWS stored procdures need to be quick. None should take a second.\\n* Iddiscover.exe stored procedures can run for much longer. Minutes to hours in large environments to process large changes in bulk. \\n\\nStrategies for improving the performance of these stored procedures include:\\n\\n* Rebuild fragmented database indexes\\n* Review if database is low on RAM, CPU, or I/O bandwidth.\\n\\nIf you continue to encounter problems developers will require database execution plans to review the operation of these procedures. \",\"openLinksInNewTab\":false},\"title\":\"Database: Discovery: Help\",\"type\":\"markdown\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-64035e60-25db-11eb-abcf-effcd51852fa", - "migrationVersion": { - "visualization": "7.14.0" - }, - "namespaces": [ - "default" - ], - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/hid_bravura_monitor/1.2.2/kibana/visualization/hid_bravura_monitor-64514c50-1a1f-11eb-abcf-effcd51852fa.json b/packages/hid_bravura_monitor/1.2.2/kibana/visualization/hid_bravura_monitor-64514c50-1a1f-11eb-abcf-effcd51852fa.json deleted file mode 100755 index 7db6a1b1ac..0000000000 --- a/packages/hid_bravura_monitor/1.2.2/kibana/visualization/hid_bravura_monitor-64514c50-1a1f-11eb-abcf-effcd51852fa.json +++ /dev/null 
@@ -1,33 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"hid_bravura_monitor.perf.kind\",\"negate\":false,\"params\":{\"query\":\"PerfConnector\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"hid_bravura_monitor.perf.kind\":\"PerfConnector\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Connector: Operation Histogram", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"scaleMetricValues\":false,\"timeRange\":{\"from\":\"now-90d\",\"to\":\"now\"},\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"hid_bravura_monitor.perf.operation\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10000},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"isVislibVis\":true,\"labels\":{\"show\":false},\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"
drawLinesBetweenPoints\":true,\"lineWidth\":2,\"mode\":\"stacked\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"Connector: Operation Histogram\",\"type\":\"histogram\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-64514c50-1a1f-11eb-abcf-effcd51852fa", - "migrationVersion": { - "visualization": "7.14.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/hid_bravura_monitor/1.2.2/kibana/visualization/hid_bravura_monitor-659dad40-25b6-11eb-abcf-effcd51852fa.json b/packages/hid_bravura_monitor/1.2.2/kibana/visualization/hid_bravura_monitor-659dad40-25b6-11eb-abcf-effcd51852fa.json deleted file mode 100755 index ecd3fe7dfe..0000000000 --- a/packages/hid_bravura_monitor/1.2.2/kibana/visualization/hid_bravura_monitor-659dad40-25b6-11eb-abcf-effcd51852fa.json +++ /dev/null 
@@ -1,29 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "API: Calls per node historgram", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"scaleMetricValues\":false,\"timeRange\":{\"from\":\"now-90d\",\"to\":\"now\"},\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"host.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"isVislibVis\":true,\"labels\":{\"show\":false},\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"mode\":\"stacked\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxi
s-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"API: Calls per node historgram\",\"type\":\"histogram\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-659dad40-25b6-11eb-abcf-effcd51852fa", - "migrationVersion": { - "visualization": "7.14.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "hid_bravura_monitor-991d9760-1473-11eb-bb7b-bb041e8cf289", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/hid_bravura_monitor/1.2.2/kibana/visualization/hid_bravura_monitor-66c884f0-2382-11eb-abcf-effcd51852fa.json b/packages/hid_bravura_monitor/1.2.2/kibana/visualization/hid_bravura_monitor-66c884f0-2382-11eb-abcf-effcd51852fa.json deleted file mode 100755 index 858cd4ce71..0000000000 --- a/packages/hid_bravura_monitor/1.2.2/kibana/visualization/hid_bravura_monitor-66c884f0-2382-11eb-abcf-effcd51852fa.json +++ /dev/null 
@@ -1,29 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Problem Count", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"log.level\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"asc\",\"orderBy\":\"_key\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"metric\":{\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"None\",\"percentageMode\":false,\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":59,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"Problem Count\",\"type\":\"metric\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-66c884f0-2382-11eb-abcf-effcd51852fa", - "migrationVersion": { - "visualization": "7.14.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "hid_bravura_monitor-1616ab00-22c8-11eb-abcf-effcd51852fa", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/hid_bravura_monitor/1.2.2/kibana/visualization/hid_bravura_monitor-670cf140-1a1c-11eb-abcf-effcd51852fa.json b/packages/hid_bravura_monitor/1.2.2/kibana/visualization/hid_bravura_monitor-670cf140-1a1c-11eb-abcf-effcd51852fa.json deleted file mode 100755 index e39391cfb7..0000000000 --- a/packages/hid_bravura_monitor/1.2.2/kibana/visualization/hid_bravura_monitor-670cf140-1a1c-11eb-abcf-effcd51852fa.json +++ /dev/null 
@@ -1,29 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Users: Issues: Affected users", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Users\",\"field\":\"user.id\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10000},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Users: Issues: Affected users\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-670cf140-1a1c-11eb-abcf-effcd51852fa", - "migrationVersion": { - "visualization": "7.14.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "hid_bravura_monitor-9e4165d0-1a1a-11eb-abcf-effcd51852fa", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/hid_bravura_monitor/1.2.2/kibana/visualization/hid_bravura_monitor-6ac75200-d90a-11eb-9e70-edcbba448215.json b/packages/hid_bravura_monitor/1.2.2/kibana/visualization/hid_bravura_monitor-6ac75200-d90a-11eb-9e70-edcbba448215.json deleted file mode 100755 index b7bfd7f4a3..0000000000 --- a/packages/hid_bravura_monitor/1.2.2/kibana/visualization/hid_bravura_monitor-6ac75200-d90a-11eb-9e70-edcbba448215.json +++ /dev/null 
@@ -1,29 +0,0 @@ -{ - "attributes": { - "description": "81 - Approved\n82 - Denied\n83 - Cancelled\n84 - Revoked\n85 - Processed", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Workflow Request Trend", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"scaleMetricValues\":false,\"timeRange\":{\"from\":\"now-1y\",\"to\":\"now\"},\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Event Code\",\"field\":\"event.code\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false},\"isVislibVis\":true,\"labels\":{},\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"radiusRatio\":9,\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"normal\",\"show\":true,\"showCircles\":true,\"type\":\"line\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"typ
e\":\"line\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"Workflow Request Trend\",\"type\":\"line\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-6ac75200-d90a-11eb-9e70-edcbba448215", - "migrationVersion": { - "visualization": "7.14.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "hid_bravura_monitor-53be5e10-d909-11eb-9e70-edcbba448215", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/hid_bravura_monitor/1.2.2/kibana/visualization/hid_bravura_monitor-6ad826b0-d37f-11eb-9e70-edcbba448215.json b/packages/hid_bravura_monitor/1.2.2/kibana/visualization/hid_bravura_monitor-6ad826b0-d37f-11eb-9e70-edcbba448215.json deleted file mode 100755 index 4925675408..0000000000 --- a/packages/hid_bravura_monitor/1.2.2/kibana/visualization/hid_bravura_monitor-6ad826b0-d37f-11eb-9e70-edcbba448215.json +++ /dev/null 
@@ -1,34 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":{\"query\":\"2\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"event.code\":\"2\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "User Login Success", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"scaleMetricValues\":false,\"timeRange\":{\"from\":\"now-1y\",\"to\":\"now\"},\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"isVislibVis\":true,\"labels\":{\"show\":false},\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"mode\":\"stacked\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":1
00},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"User Login Success\",\"type\":\"histogram\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-6ad826b0-d37f-11eb-9e70-edcbba448215", - "migrationVersion": { - "visualization": "7.14.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "hid_bravura_monitor-089d63f0-d37c-11eb-9e70-edcbba448215", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/hid_bravura_monitor/1.2.2/kibana/visualization/hid_bravura_monitor-70a8f8e0-d392-11eb-9e70-edcbba448215.json b/packages/hid_bravura_monitor/1.2.2/kibana/visualization/hid_bravura_monitor-70a8f8e0-d392-11eb-9e70-edcbba448215.json deleted file mode 100755 index f9952b85fb..0000000000 --- a/packages/hid_bravura_monitor/1.2.2/kibana/visualization/hid_bravura_monitor-70a8f8e0-d392-11eb-9e70-edcbba448215.json +++ /dev/null 
@@ -1,34 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":[\"39\",\"40\"],\"type\":\"phrases\",\"value\":\"39, 40\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.code\":\"39\"}},{\"match_phrase\":{\"event.code\":\"40\"}}]}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "IDAPI Login Attempts", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"scaleMetricValues\":false,\"timeRange\":{\"from\":\"now-1y\",\"to\":\"now\"},\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Event\",\"field\":\"event.code\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"isVislibVis\":true,\"labels\":{\"show\":false},\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\
"Count\"},\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"mode\":\"stacked\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"IDAPI Login Attempts\",\"type\":\"histogram\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-70a8f8e0-d392-11eb-9e70-edcbba448215", - "migrationVersion": { - "visualization": "7.14.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "hid_bravura_monitor-089d63f0-d37c-11eb-9e70-edcbba448215", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/hid_bravura_monitor/1.2.2/kibana/visualization/hid_bravura_monitor-76cb60d0-1463-11eb-bb7b-bb041e8cf289.json b/packages/hid_bravura_monitor/1.2.2/kibana/visualization/hid_bravura_monitor-76cb60d0-1463-11eb-bb7b-bb041e8cf289.json deleted file mode 100755 index 0326ec1e77..0000000000 --- a/packages/hid_bravura_monitor/1.2.2/kibana/visualization/hid_bravura_monitor-76cb60d0-1463-11eb-bb7b-bb041e8cf289.json +++ /dev/null 
@@ -1,29 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "IDM Suite: Errors/Warnings by node", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Instance\",\"field\":\"agent.hostname\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":1000},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"IDM Suite: Errors/Warnings by node\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-76cb60d0-1463-11eb-bb7b-bb041e8cf289", - "migrationVersion": { - "visualization": "7.14.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "hid_bravura_monitor-2ec4a850-1463-11eb-bb7b-bb041e8cf289", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/hid_bravura_monitor/1.2.2/kibana/visualization/hid_bravura_monitor-77701bc0-25bb-11eb-abcf-effcd51852fa.json b/packages/hid_bravura_monitor/1.2.2/kibana/visualization/hid_bravura_monitor-77701bc0-25bb-11eb-abcf-effcd51852fa.json deleted file mode 100755 index 6edd1a8f96..0000000000 --- a/packages/hid_bravura_monitor/1.2.2/kibana/visualization/hid_bravura_monitor-77701bc0-25bb-11eb-abcf-effcd51852fa.json +++ /dev/null 
@@ -1,38 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"log.logger\",\"negate\":false,\"params\":{\"query\":\"psupdate.exe\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"log.logger\":\"psupdate.exe\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"hid_bravura_monitor.perf.kind\",\"negate\":false,\"params\":{\"query\":\"PerfExe\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"hid_bravura_monitor.perf.kind\":\"PerfExe\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Discovery Runtimes", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Sum of Duration 
(ms)\",\"field\":\"hid_bravura_monitor.perf.duration\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"scaleMetricValues\":false,\"timeRange\":{\"from\":\"2021-01-11T07:00:00.000Z\",\"to\":\"2021-01-18T07:00:00.000Z\"},\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false},\"isVislibVis\":true,\"labels\":{},\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"radiusRatio\":9,\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Sum of Duration (ms)\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"normal\",\"show\":true,\"showCircles\":true,\"type\":\"line\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"type\":\"line\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Sum of Duration (ms)\"},\"type\":\"value\"}]},\"title\":\"Discovery Runtimes\",\"type\":\"line\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-77701bc0-25bb-11eb-abcf-effcd51852fa", - "migrationVersion": { - "visualization": "7.14.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": 
"kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/hid_bravura_monitor/1.2.2/kibana/visualization/hid_bravura_monitor-77f6f520-1add-11eb-abcf-effcd51852fa.json b/packages/hid_bravura_monitor/1.2.2/kibana/visualization/hid_bravura_monitor-77f6f520-1add-11eb-abcf-effcd51852fa.json deleted file mode 100755 index 0259683b0d..0000000000 --- a/packages/hid_bravura_monitor/1.2.2/kibana/visualization/hid_bravura_monitor-77f6f520-1add-11eb-abcf-effcd51852fa.json +++ /dev/null 
@@ -1,29 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Workflow: Operations per Node", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Node\",\"field\":\"host.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10000},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Workflow: Operations per Node\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-77f6f520-1add-11eb-abcf-effcd51852fa", - "migrationVersion": { - "visualization": "7.14.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "hid_bravura_monitor-d1f2d8c0-1473-11eb-bb7b-bb041e8cf289", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/hid_bravura_monitor/1.2.2/kibana/visualization/hid_bravura_monitor-80efbc20-d388-11eb-9e70-edcbba448215.json b/packages/hid_bravura_monitor/1.2.2/kibana/visualization/hid_bravura_monitor-80efbc20-d388-11eb-9e70-edcbba448215.json deleted file mode 100755 index a0e5fcd50a..0000000000 --- a/packages/hid_bravura_monitor/1.2.2/kibana/visualization/hid_bravura_monitor-80efbc20-d388-11eb-9e70-edcbba448215.json +++ /dev/null 
@@ -1,34 +0,0 @@ -{ - "attributes": { - "description": "Failed to run stored procedure on replication database.", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":{\"query\":\"10\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"event.code\":\"10\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Replication Database Stored Procedure Failures", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"scaleMetricValues\":false,\"timeRange\":{\"from\":\"now-1y\",\"to\":\"now\"},\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"isVislibVis\":true,\"labels\":{\"show\":false},\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"mode\":\"stacked\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"type\":\"histogram\",\"valueAxes\":[{\"id\":\
"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"Replication Database Stored Procedure Failures\",\"type\":\"histogram\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-80efbc20-d388-11eb-9e70-edcbba448215", - "migrationVersion": { - "visualization": "7.14.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "hid_bravura_monitor-089d63f0-d37c-11eb-9e70-edcbba448215", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/hid_bravura_monitor/1.2.2/kibana/visualization/hid_bravura_monitor-82277da0-25d5-11eb-abcf-effcd51852fa.json b/packages/hid_bravura_monitor/1.2.2/kibana/visualization/hid_bravura_monitor-82277da0-25d5-11eb-abcf-effcd51852fa.json deleted file mode 100755 index ed57c27d0a..0000000000 --- a/packages/hid_bravura_monitor/1.2.2/kibana/visualization/hid_bravura_monitor-82277da0-25d5-11eb-abcf-effcd51852fa.json +++ /dev/null 
@@ -1,29 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Discovery Events", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Event\",\"field\":\"hid_bravura_monitor.perf.event\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Average (ms)\",\"field\":\"hid_bravura_monitor.perf.duration\"},\"schema\":\"metric\",\"type\":\"avg\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Min (ms)\",\"field\":\"hid_bravura_monitor.perf.duration\"},\"schema\":\"metric\",\"type\":\"min\"},{\"enabled\":true,\"id\":\"5\",\"params\":{\"customLabel\":\"Max (ms)\",\"field\":\"hid_bravura_monitor.perf.duration\"},\"schema\":\"metric\",\"type\":\"max\"},{\"enabled\":true,\"id\":\"6\",\"params\":{\"customLabel\":\"Total (ms)\",\"field\":\"hid_bravura_monitor.perf.duration\"},\"schema\":\"metric\",\"type\":\"sum\"}],\"params\":{\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Discovery Events\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-82277da0-25d5-11eb-abcf-effcd51852fa", - "migrationVersion": { - "visualization": "7.14.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": 
"hid_bravura_monitor-dd637750-1473-11eb-bb7b-bb041e8cf289", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/hid_bravura_monitor/1.2.2/kibana/visualization/hid_bravura_monitor-82432550-25bc-11eb-abcf-effcd51852fa.json b/packages/hid_bravura_monitor/1.2.2/kibana/visualization/hid_bravura_monitor-82432550-25bc-11eb-abcf-effcd51852fa.json deleted file mode 100755 index 562b4d6f66..0000000000 --- a/packages/hid_bravura_monitor/1.2.2/kibana/visualization/hid_bravura_monitor-82432550-25bc-11eb-abcf-effcd51852fa.json +++ /dev/null 
@@ -1,38 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"hid_bravura_monitor.perf.kind\",\"negate\":false,\"params\":{\"query\":\"PerfExe\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"hid_bravura_monitor.perf.kind\":\"PerfExe\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"hid_bravura_monitor.perf.exe\",\"negate\":false,\"params\":{\"query\":\"psupdate.exe\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"hid_bravura_monitor.perf.exe\":\"psupdate.exe\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Discovery Runtime Table", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Runtime (ms)\",\"field\":\"hid_bravura_monitor.perf.duration\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Discovery 
ID\",\"field\":\"user.id\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":1000},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"field\":\"host.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":1000},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Discovery Runtime Table\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-82432550-25bc-11eb-abcf-effcd51852fa", - "migrationVersion": { - "visualization": "7.14.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/hid_bravura_monitor/1.2.2/kibana/visualization/hid_bravura_monitor-85943290-1a2b-11eb-abcf-effcd51852fa.json b/packages/hid_bravura_monitor/1.2.2/kibana/visualization/hid_bravura_monitor-85943290-1a2b-11eb-abcf-effcd51852fa.json deleted file mode 100755 index 567c658708..0000000000 --- a/packages/hid_bravura_monitor/1.2.2/kibana/visualization/hid_bravura_monitor-85943290-1a2b-11eb-abcf-effcd51852fa.json +++ /dev/null 
@@ -1,33 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"hid_bravura_monitor.perf.kind\",\"negate\":false,\"params\":{\"query\":\"PerfConnector\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"hid_bravura_monitor.perf.kind\":\"PerfConnector\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Connector List", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Target ID\",\"field\":\"hid_bravura_monitor.perf.targetid\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10000},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Address\",\"field\":\"hid_bravura_monitor.perf.address\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10000},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Process\",\"field\":\"log.logger\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10000},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\
":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Connector List\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-85943290-1a2b-11eb-abcf-effcd51852fa", - "migrationVersion": { - "visualization": "7.14.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/hid_bravura_monitor/1.2.2/kibana/visualization/hid_bravura_monitor-878feb30-1ade-11eb-abcf-effcd51852fa.json b/packages/hid_bravura_monitor/1.2.2/kibana/visualization/hid_bravura_monitor-878feb30-1ade-11eb-abcf-effcd51852fa.json deleted file mode 100755 index 6f2874777a..0000000000 --- a/packages/hid_bravura_monitor/1.2.2/kibana/visualization/hid_bravura_monitor-878feb30-1ade-11eb-abcf-effcd51852fa.json +++ /dev/null 
@@ -1,29 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Connector Return Code: Executable Count", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Executable\",\"field\":\"log.logger\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":1000},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Connector Return Code: Executable Count\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-878feb30-1ade-11eb-abcf-effcd51852fa", - "migrationVersion": { - "visualization": "7.14.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "hid_bravura_monitor-55100560-1add-11eb-abcf-effcd51852fa", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/hid_bravura_monitor/1.2.2/kibana/visualization/hid_bravura_monitor-87baab60-25b8-11eb-abcf-effcd51852fa.json b/packages/hid_bravura_monitor/1.2.2/kibana/visualization/hid_bravura_monitor-87baab60-25b8-11eb-abcf-effcd51852fa.json deleted file mode 100755 index 22abdbd1a4..0000000000 --- a/packages/hid_bravura_monitor/1.2.2/kibana/visualization/hid_bravura_monitor-87baab60-25b8-11eb-abcf-effcd51852fa.json +++ /dev/null 
@@ -1,29 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "API: Function runtimes", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":0,\"direction\":\"asc\"}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"hid_bravura_monitor.perf.function\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"hid_bravura_monitor.perf.duration\"},\"schema\":\"metric\",\"type\":\"avg\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"field\":\"hid_bravura_monitor.perf.duration\"},\"schema\":\"metric\",\"type\":\"min\"},{\"enabled\":true,\"id\":\"5\",\"params\":{\"field\":\"hid_bravura_monitor.perf.duration\"},\"schema\":\"metric\",\"type\":\"max\"},{\"enabled\":true,\"id\":\"6\",\"params\":{\"field\":\"hid_bravura_monitor.perf.duration\"},\"schema\":\"metric\",\"type\":\"sum\"}],\"params\":{\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"API: Function runtimes\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-87baab60-25b8-11eb-abcf-effcd51852fa", - "migrationVersion": { - "visualization": "7.14.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "hid_bravura_monitor-991d9760-1473-11eb-bb7b-bb041e8cf289", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/hid_bravura_monitor/1.2.2/kibana/visualization/hid_bravura_monitor-89e6a260-25d4-11eb-abcf-effcd51852fa.json b/packages/hid_bravura_monitor/1.2.2/kibana/visualization/hid_bravura_monitor-89e6a260-25d4-11eb-abcf-effcd51852fa.json deleted file mode 100755 index 730b9b47b5..0000000000 --- a/packages/hid_bravura_monitor/1.2.2/kibana/visualization/hid_bravura_monitor-89e6a260-25d4-11eb-abcf-effcd51852fa.json +++ /dev/null 
@@ -1,33 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"log.logger\",\"negate\":false,\"params\":{\"query\":\"iddb.exe\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"log.logger\":\"iddb.exe\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Database: Severity Counts", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Severity\",\"field\":\"log.level\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"metric\":{\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"None\",\"percentageMode\":false,\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":40,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"Database: Severity Counts\",\"type\":\"metric\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-89e6a260-25d4-11eb-abcf-effcd51852fa", - "migrationVersion": { - "visualization": "7.14.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} 
\ No newline at end of file diff --git a/packages/hid_bravura_monitor/1.2.2/kibana/visualization/hid_bravura_monitor-8c755c30-25d7-11eb-abcf-effcd51852fa.json b/packages/hid_bravura_monitor/1.2.2/kibana/visualization/hid_bravura_monitor-8c755c30-25d7-11eb-abcf-effcd51852fa.json deleted file mode 100755 index 04cc20f45d..0000000000 --- a/packages/hid_bravura_monitor/1.2.2/kibana/visualization/hid_bravura_monitor-8c755c30-25d7-11eb-abcf-effcd51852fa.json +++ /dev/null 
@@ -1,29 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Dataset: Histogram", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"scaleMetricValues\":false,\"timeRange\":{\"from\":\"now-15m\",\"to\":\"now\"},\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"host.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"isVislibVis\":true,\"labels\":{\"show\":false},\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"mode\":\"stacked\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"posi
tion\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"Dataset: Histogram\",\"type\":\"histogram\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-8c755c30-25d7-11eb-abcf-effcd51852fa", - "migrationVersion": { - "visualization": "7.14.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "hid_bravura_monitor-465760e0-25d7-11eb-abcf-effcd51852fa", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/hid_bravura_monitor/1.2.2/kibana/visualization/hid_bravura_monitor-8ec75c50-2383-11eb-abcf-effcd51852fa.json b/packages/hid_bravura_monitor/1.2.2/kibana/visualization/hid_bravura_monitor-8ec75c50-2383-11eb-abcf-effcd51852fa.json deleted file mode 100755 index f4e3b0a06b..0000000000 --- a/packages/hid_bravura_monitor/1.2.2/kibana/visualization/hid_bravura_monitor-8ec75c50-2383-11eb-abcf-effcd51852fa.json +++ /dev/null 
@@ -1,29 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Problem Distribution", - "uiStateJSON": "{\"vis\":{\"colors\":{\"error\":\"#EF843C\",\"warning\":\"#EAB839\"}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"host.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10000},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"log.level\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"labels\":{\"last_level\":true,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"type\":\"pie\"},\"title\":\"Problem Distribution\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-8ec75c50-2383-11eb-abcf-effcd51852fa", - "migrationVersion": { - "visualization": "7.14.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "hid_bravura_monitor-1616ab00-22c8-11eb-abcf-effcd51852fa", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/hid_bravura_monitor/1.2.2/kibana/visualization/hid_bravura_monitor-9036f440-d37f-11eb-9e70-edcbba448215.json b/packages/hid_bravura_monitor/1.2.2/kibana/visualization/hid_bravura_monitor-9036f440-d37f-11eb-9e70-edcbba448215.json deleted file mode 100755 index 60028e9750..0000000000 --- a/packages/hid_bravura_monitor/1.2.2/kibana/visualization/hid_bravura_monitor-9036f440-d37f-11eb-9e70-edcbba448215.json +++ /dev/null 
@@ -1,34 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":{\"query\":\"3\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"event.code\":\"3\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "User Login Lockout", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"scaleMetricValues\":false,\"timeRange\":{\"from\":\"now-1y\",\"to\":\"now\"},\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"isVislibVis\":true,\"labels\":{\"show\":false},\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"mode\":\"stacked\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":1
00},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"User Login Lockout\",\"type\":\"histogram\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-9036f440-d37f-11eb-9e70-edcbba448215", - "migrationVersion": { - "visualization": "7.14.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "hid_bravura_monitor-089d63f0-d37c-11eb-9e70-edcbba448215", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/hid_bravura_monitor/1.2.2/kibana/visualization/hid_bravura_monitor-9357e910-2b67-11eb-abcf-effcd51852fa.json b/packages/hid_bravura_monitor/1.2.2/kibana/visualization/hid_bravura_monitor-9357e910-2b67-11eb-abcf-effcd51852fa.json deleted file mode 100755 index 91932e1810..0000000000 --- a/packages/hid_bravura_monitor/1.2.2/kibana/visualization/hid_bravura_monitor-9357e910-2b67-11eb-abcf-effcd51852fa.json +++ /dev/null 
@@ -1,29 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Users: API: Users", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"User\",\"field\":\"user.id\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":1000},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Users: API: Users\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-9357e910-2b67-11eb-abcf-effcd51852fa", - "migrationVersion": { - "visualization": "7.14.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "hid_bravura_monitor-ad5f7180-1473-11eb-bb7b-bb041e8cf289", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/hid_bravura_monitor/1.2.2/kibana/visualization/hid_bravura_monitor-95fb9a70-25d8-11eb-abcf-effcd51852fa.json b/packages/hid_bravura_monitor/1.2.2/kibana/visualization/hid_bravura_monitor-95fb9a70-25d8-11eb-abcf-effcd51852fa.json deleted file mode 100755 index 6e743b35ed..0000000000 --- a/packages/hid_bravura_monitor/1.2.2/kibana/visualization/hid_bravura_monitor-95fb9a70-25d8-11eb-abcf-effcd51852fa.json +++ /dev/null 
@@ -1,29 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Database: Replication: Stored Procedures", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Function\",\"field\":\"hid_bravura_monitor.perf.function\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10000},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Average (ms)\",\"field\":\"hid_bravura_monitor.perf.duration\"},\"schema\":\"metric\",\"type\":\"avg\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Minimum (ms)\",\"field\":\"hid_bravura_monitor.perf.duration\"},\"schema\":\"metric\",\"type\":\"min\"},{\"enabled\":true,\"id\":\"5\",\"params\":{\"customLabel\":\"Maximum (ms)\",\"field\":\"hid_bravura_monitor.perf.duration\"},\"schema\":\"metric\",\"type\":\"max\"},{\"enabled\":true,\"id\":\"6\",\"params\":{\"customLabel\":\"Total (ms)\",\"field\":\"hid_bravura_monitor.perf.duration\"},\"schema\":\"metric\",\"type\":\"sum\"}],\"params\":{\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Database: Replication: Stored Procedures\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-95fb9a70-25d8-11eb-abcf-effcd51852fa", - "migrationVersion": { - "visualization": "7.14.0" - }, - "namespaces": [ - "default" - ], - 
"references": [ - { - "id": "hid_bravura_monitor-2e254220-df55-11eb-9b6e-d57491399e2a", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/hid_bravura_monitor/1.2.2/kibana/visualization/hid_bravura_monitor-979ecd00-1abd-11eb-abcf-effcd51852fa.json b/packages/hid_bravura_monitor/1.2.2/kibana/visualization/hid_bravura_monitor-979ecd00-1abd-11eb-abcf-effcd51852fa.json deleted file mode 100755 index 7007bcc7c5..0000000000 --- a/packages/hid_bravura_monitor/1.2.2/kibana/visualization/hid_bravura_monitor-979ecd00-1abd-11eb-abcf-effcd51852fa.json +++ /dev/null @@ -1,22 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Connector Return Code: Legend", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"fontSize\":10,\"markdown\":\"Success - 0\\n\\nUnknown Error - 1\\n\\nCannot Connect - 3\\n\\nInvalid Server - 5\\n\\nAccess Denied - 11\\n\\nVerify Failed - 14\",\"openLinksInNewTab\":false},\"title\":\"Connector Return Code: Legend\",\"type\":\"markdown\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-979ecd00-1abd-11eb-abcf-effcd51852fa", - "migrationVersion": { - "visualization": "7.14.0" - }, - "namespaces": [ - "default" - ], - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/hid_bravura_monitor/1.2.2/kibana/visualization/hid_bravura_monitor-9a513b80-d388-11eb-9e70-edcbba448215.json b/packages/hid_bravura_monitor/1.2.2/kibana/visualization/hid_bravura_monitor-9a513b80-d388-11eb-9e70-edcbba448215.json deleted file mode 100755 index 67069cd556..0000000000 --- a/packages/hid_bravura_monitor/1.2.2/kibana/visualization/hid_bravura_monitor-9a513b80-d388-11eb-9e70-edcbba448215.json +++ /dev/null 
@@ -1,34 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":{\"query\":\"78\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"event.code\":\"78\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "File Replication Errors", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"scaleMetricValues\":false,\"timeRange\":{\"from\":\"now-1y\",\"to\":\"now\"},\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"isVislibVis\":true,\"labels\":{\"show\":false},\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"mode\":\"stacked\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"trunc
ate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"File Replication Errors\",\"type\":\"histogram\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-9a513b80-d388-11eb-9e70-edcbba448215", - "migrationVersion": { - "visualization": "7.14.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "hid_bravura_monitor-089d63f0-d37c-11eb-9e70-edcbba448215", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/hid_bravura_monitor/1.2.2/kibana/visualization/hid_bravura_monitor-9a75fb00-d83d-11eb-9e70-edcbba448215.json b/packages/hid_bravura_monitor/1.2.2/kibana/visualization/hid_bravura_monitor-9a75fb00-d83d-11eb-9e70-edcbba448215.json deleted file mode 100755 index 5b0c8576c0..0000000000 --- a/packages/hid_bravura_monitor/1.2.2/kibana/visualization/hid_bravura_monitor-9a75fb00-d83d-11eb-9e70-edcbba448215.json +++ /dev/null 
@@ -1,34 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":[\"32\",\"33\"],\"type\":\"phrases\",\"value\":\"32, 33\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.code\":\"32\"}},{\"match_phrase\":{\"event.code\":\"33\"}}]}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Unlocked Profile Trend", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"scaleMetricValues\":false,\"timeRange\":{\"from\":\"now-1y\",\"to\":\"now\"},\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false},\"isVislibVis\":true,\"labels\":{},\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"normal\",\"show\":true,\"showCircles\":true,\"type\":\"line\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\
"width\":1},\"times\":[],\"type\":\"line\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"Unlocked Profile Trend\",\"type\":\"line\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-9a75fb00-d83d-11eb-9e70-edcbba448215", - "migrationVersion": { - "visualization": "7.14.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "hid_bravura_monitor-dca8bb20-d397-11eb-9e70-edcbba448215", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/hid_bravura_monitor/1.2.2/kibana/visualization/hid_bravura_monitor-a29a1cc0-238a-11eb-abcf-effcd51852fa.json b/packages/hid_bravura_monitor/1.2.2/kibana/visualization/hid_bravura_monitor-a29a1cc0-238a-11eb-abcf-effcd51852fa.json deleted file mode 100755 index 72dcb208bf..0000000000 --- a/packages/hid_bravura_monitor/1.2.2/kibana/visualization/hid_bravura_monitor-a29a1cc0-238a-11eb-abcf-effcd51852fa.json +++ /dev/null 
@@ -1,29 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "User Problem Distribution", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"User\",\"field\":\"winlog.user.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10000},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Severity\",\"field\":\"log.level\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"User Problem Distribution\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-a29a1cc0-238a-11eb-abcf-effcd51852fa", - "migrationVersion": { - "visualization": "7.14.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "hid_bravura_monitor-1616ab00-22c8-11eb-abcf-effcd51852fa", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/hid_bravura_monitor/1.2.2/kibana/visualization/hid_bravura_monitor-a8002430-25d7-11eb-abcf-effcd51852fa.json b/packages/hid_bravura_monitor/1.2.2/kibana/visualization/hid_bravura_monitor-a8002430-25d7-11eb-abcf-effcd51852fa.json deleted file mode 100755 index a2be43fb06..0000000000 --- a/packages/hid_bravura_monitor/1.2.2/kibana/visualization/hid_bravura_monitor-a8002430-25d7-11eb-abcf-effcd51852fa.json +++ /dev/null 
@@ -1,29 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Database: Replication: Total over time", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Total (ms)\",\"field\":\"hid_bravura_monitor.perf.duration\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"scaleMetricValues\":false,\"timeRange\":{\"from\":\"now-90d\",\"to\":\"now\"},\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Node\",\"field\":\"host.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10000},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"isVislibVis\":true,\"labels\":{\"show\":false},\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Total 
(ms)\"},\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"mode\":\"stacked\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Total (ms)\"},\"type\":\"value\"}]},\"title\":\"Database: Replication: Total over time\",\"type\":\"histogram\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-a8002430-25d7-11eb-abcf-effcd51852fa", - "migrationVersion": { - "visualization": "7.14.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "hid_bravura_monitor-2e254220-df55-11eb-9b6e-d57491399e2a", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/hid_bravura_monitor/1.2.2/kibana/visualization/hid_bravura_monitor-a950c4e0-1464-11eb-bb7b-bb041e8cf289.json b/packages/hid_bravura_monitor/1.2.2/kibana/visualization/hid_bravura_monitor-a950c4e0-1464-11eb-bb7b-bb041e8cf289.json deleted file mode 100755 index fc468116cc..0000000000 --- a/packages/hid_bravura_monitor/1.2.2/kibana/visualization/hid_bravura_monitor-a950c4e0-1464-11eb-bb7b-bb041e8cf289.json +++ /dev/null 
@@ -1,29 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "IDM Suite: Errors/Warnings by level", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Level\",\"field\":\"log.level\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":1000},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"IDM Suite: Errors/Warnings by level\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-a950c4e0-1464-11eb-bb7b-bb041e8cf289", - "migrationVersion": { - "visualization": "7.14.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "hid_bravura_monitor-2ec4a850-1463-11eb-bb7b-bb041e8cf289", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/hid_bravura_monitor/1.2.2/kibana/visualization/hid_bravura_monitor-aabca810-2456-11eb-abcf-effcd51852fa.json b/packages/hid_bravura_monitor/1.2.2/kibana/visualization/hid_bravura_monitor-aabca810-2456-11eb-abcf-effcd51852fa.json deleted file mode 100755 index 58cd9378d3..0000000000 --- a/packages/hid_bravura_monitor/1.2.2/kibana/visualization/hid_bravura_monitor-aabca810-2456-11eb-abcf-effcd51852fa.json +++ /dev/null 
@@ -1,33 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"winlog.event_id\",\"negate\":false,\"params\":[\"4740\",\"4728\",\"4732\",\"4756\",\"4735\",\"4624\",\"4625\",\"4648\"],\"type\":\"phrases\",\"value\":\"4740, 4728, 4732, 4756, 4735, 4624, 4625, 4648\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"winlog.event_id\":\"4740\"}},{\"match_phrase\":{\"winlog.event_id\":\"4728\"}},{\"match_phrase\":{\"winlog.event_id\":\"4732\"}},{\"match_phrase\":{\"winlog.event_id\":\"4756\"}},{\"match_phrase\":{\"winlog.event_id\":\"4735\"}},{\"match_phrase\":{\"winlog.event_id\":\"4624\"}},{\"match_phrase\":{\"winlog.event_id\":\"4625\"}},{\"match_phrase\":{\"winlog.event_id\":\"4648\"}}]}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Login Activity", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Event ID\",\"field\":\"winlog.event_id\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":1000},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"5\",\"params\":{\"customLabel\":\"Event 
Category\",\"field\":\"event.category\",\"missingBucket\":true,\"missingBucketLabel\":\"N/A\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Event Action\",\"field\":\"event.action\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":100},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Event Outcome\",\"field\":\"event.outcome\",\"missingBucket\":true,\"missingBucketLabel\":\"N/A\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Login Activity\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-aabca810-2456-11eb-abcf-effcd51852fa", - "migrationVersion": { - "visualization": "7.14.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/hid_bravura_monitor/1.2.2/kibana/visualization/hid_bravura_monitor-b8f9a5c0-d83f-11eb-9e70-edcbba448215.json b/packages/hid_bravura_monitor/1.2.2/kibana/visualization/hid_bravura_monitor-b8f9a5c0-d83f-11eb-9e70-edcbba448215.json deleted file mode 100755 index ccc4f18a5a..0000000000 
--- a/packages/hid_bravura_monitor/1.2.2/kibana/visualization/hid_bravura_monitor-b8f9a5c0-d83f-11eb-9e70-edcbba448215.json +++ /dev/null 
@@ -1,34 +0,0 @@ -{ - "attributes": { - "description": "62 - Self-service password reset\n65 - Help-desk assisted password reset", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":[\"62\",\"65\"],\"type\":\"phrases\",\"value\":\"62, 65\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.code\":\"62\"}},{\"match_phrase\":{\"event.code\":\"65\"}}]}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Password Resets Started", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Event Code\",\"field\":\"event.code\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"Password Resets Started\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-b8f9a5c0-d83f-11eb-9e70-edcbba448215", - "migrationVersion": { - "visualization": "7.14.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "hid_bravura_monitor-dca8bb20-d397-11eb-9e70-edcbba448215", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/hid_bravura_monitor/1.2.2/kibana/visualization/hid_bravura_monitor-b9fb36b0-1480-11eb-bb7b-bb041e8cf289.json b/packages/hid_bravura_monitor/1.2.2/kibana/visualization/hid_bravura_monitor-b9fb36b0-1480-11eb-bb7b-bb041e8cf289.json deleted file mode 100755 index 6833d91789..0000000000 --- a/packages/hid_bravura_monitor/1.2.2/kibana/visualization/hid_bravura_monitor-b9fb36b0-1480-11eb-bb7b-bb041e8cf289.json +++ /dev/null 
@@ -1,29 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Database: Stored Procedure Histogram", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"scaleMetricValues\":false,\"timeRange\":{\"from\":\"now-15m\",\"to\":\"now\"},\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Node\",\"field\":\"host.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":1000},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"isVislibVis\":true,\"labels\":{\"show\":false},\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"radiusRatio\":0,\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"mode\":\"stacked\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":
0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"Database: Stored Procedure Histogram\",\"type\":\"histogram\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-b9fb36b0-1480-11eb-bb7b-bb041e8cf289", - "migrationVersion": { - "visualization": "7.14.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "hid_bravura_monitor-83eacd90-1473-11eb-bb7b-bb041e8cf289", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/hid_bravura_monitor/1.2.2/kibana/visualization/hid_bravura_monitor-bde40aa0-1957-11eb-abcf-effcd51852fa.json b/packages/hid_bravura_monitor/1.2.2/kibana/visualization/hid_bravura_monitor-bde40aa0-1957-11eb-abcf-effcd51852fa.json deleted file mode 100755 index 0fe0c3af4e..0000000000 --- a/packages/hid_bravura_monitor/1.2.2/kibana/visualization/hid_bravura_monitor-bde40aa0-1957-11eb-abcf-effcd51852fa.json +++ /dev/null 
@@ -1,43 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"hid_bravura_monitor.perf.kind\",\"negate\":false,\"params\":{\"query\":\"PerfExe\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"hid_bravura_monitor.perf.kind\":\"PerfExe\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"log.logger\",\"negate\":false,\"params\":{\"query\":\"psf.exe\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"log.logger\":\"psf.exe\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[2].meta.index\",\"key\":\"hid_bravura_monitor.perf.transid\",\"negate\":false,\"params\":{\"query\":\"C_AUTHCHAIN_LOGIN\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"hid_bravura_monitor.perf.transid\":\"C_AUTHCHAIN_LOGIN\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Users: Summary: User Logins", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"User 
Name\",\"field\":\"user.id\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10000},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Users: Summary: User Logins\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-bde40aa0-1957-11eb-abcf-effcd51852fa", - "migrationVersion": { - "visualization": "7.14.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[2].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/hid_bravura_monitor/1.2.2/kibana/visualization/hid_bravura_monitor-be6560d0-1a21-11eb-abcf-effcd51852fa.json b/packages/hid_bravura_monitor/1.2.2/kibana/visualization/hid_bravura_monitor-be6560d0-1a21-11eb-abcf-effcd51852fa.json deleted file mode 100755 index 97d263851a..0000000000 --- a/packages/hid_bravura_monitor/1.2.2/kibana/visualization/hid_bravura_monitor-be6560d0-1a21-11eb-abcf-effcd51852fa.json +++ /dev/null 
@@ -1,22 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Users: API: Help", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"fontSize\":12,\"markdown\":\"Ajax is a REST like API used by the UI.\\n\\nWhat actions are people calling and what performance are they experiencing?\",\"openLinksInNewTab\":false},\"title\":\"Users: API: Help\",\"type\":\"markdown\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-be6560d0-1a21-11eb-abcf-effcd51852fa", - "migrationVersion": { - "visualization": "7.14.0" - }, - "namespaces": [ - "default" - ], - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/hid_bravura_monitor/1.2.2/kibana/visualization/hid_bravura_monitor-c0e79490-25b6-11eb-abcf-effcd51852fa.json b/packages/hid_bravura_monitor/1.2.2/kibana/visualization/hid_bravura_monitor-c0e79490-25b6-11eb-abcf-effcd51852fa.json deleted file mode 100755 index 301a791343..0000000000 --- a/packages/hid_bravura_monitor/1.2.2/kibana/visualization/hid_bravura_monitor-c0e79490-25b6-11eb-abcf-effcd51852fa.json +++ /dev/null 
@@ -1,29 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "API: Calls per node", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"host.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":1000},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"API: Calls per node\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-c0e79490-25b6-11eb-abcf-effcd51852fa", - "migrationVersion": { - "visualization": "7.14.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "hid_bravura_monitor-991d9760-1473-11eb-bb7b-bb041e8cf289", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/hid_bravura_monitor/1.2.2/kibana/visualization/hid_bravura_monitor-c318d000-d83d-11eb-9e70-edcbba448215.json b/packages/hid_bravura_monitor/1.2.2/kibana/visualization/hid_bravura_monitor-c318d000-d83d-11eb-9e70-edcbba448215.json deleted file mode 100755 index d848a393fe..0000000000 --- a/packages/hid_bravura_monitor/1.2.2/kibana/visualization/hid_bravura_monitor-c318d000-d83d-11eb-9e70-edcbba448215.json +++ /dev/null 
@@ -1,34 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":[\"30\",\"31\"],\"type\":\"phrases\",\"value\":\"30, 31\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.code\":\"30\"}},{\"match_phrase\":{\"event.code\":\"31\"}}]}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Top 10 Disabled Profiles", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Profile\",\"field\":\"winlog.event_data.Profile\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"Top 10 Disabled Profiles\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-c318d000-d83d-11eb-9e70-edcbba448215", - "migrationVersion": { - "visualization": "7.14.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "hid_bravura_monitor-dca8bb20-d397-11eb-9e70-edcbba448215", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/hid_bravura_monitor/1.2.2/kibana/visualization/hid_bravura_monitor-c85815c0-d83e-11eb-9e70-edcbba448215.json b/packages/hid_bravura_monitor/1.2.2/kibana/visualization/hid_bravura_monitor-c85815c0-d83e-11eb-9e70-edcbba448215.json deleted file mode 100755 index f58e4943dd..0000000000 --- a/packages/hid_bravura_monitor/1.2.2/kibana/visualization/hid_bravura_monitor-c85815c0-d83e-11eb-9e70-edcbba448215.json +++ /dev/null 
@@ -1,34 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":[\"30\",\"31\"],\"type\":\"phrases\",\"value\":\"30, 31\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.code\":\"30\"}},{\"match_phrase\":{\"event.code\":\"31\"}}]}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Disabled Profiles Trend", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"scaleMetricValues\":false,\"timeRange\":{\"from\":\"now-1y\",\"to\":\"now\"},\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false},\"isVislibVis\":true,\"labels\":{},\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"normal\",\"show\":true,\"showCircles\":true,\"type\":\"line\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,
\"width\":1},\"times\":[],\"type\":\"line\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"Disabled Profiles Trend\",\"type\":\"line\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-c85815c0-d83e-11eb-9e70-edcbba448215", - "migrationVersion": { - "visualization": "7.14.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "hid_bravura_monitor-dca8bb20-d397-11eb-9e70-edcbba448215", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/hid_bravura_monitor/1.2.2/kibana/visualization/hid_bravura_monitor-cc0f81c0-243f-11eb-abcf-effcd51852fa.json b/packages/hid_bravura_monitor/1.2.2/kibana/visualization/hid_bravura_monitor-cc0f81c0-243f-11eb-abcf-effcd51852fa.json deleted file mode 100755 index cefcd08264..0000000000 --- a/packages/hid_bravura_monitor/1.2.2/kibana/visualization/hid_bravura_monitor-cc0f81c0-243f-11eb-abcf-effcd51852fa.json +++ /dev/null 
@@ -1,29 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Provider Login Distribution", - "uiStateJSON": "{\"vis\":{\"colors\":{\"failure\":\"#BF1B00\",\"success\":\"#629E51\"}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Provider\",\"field\":\"winlog.provider_name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10000},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Outcome\",\"field\":\"event.outcome\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"labels\":{\"last_level\":true,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"type\":\"pie\"},\"title\":\"Provider Login Distribution\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-cc0f81c0-243f-11eb-abcf-effcd51852fa", - "migrationVersion": { - "visualization": "7.14.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "hid_bravura_monitor-1a724dd0-2395-11eb-abcf-effcd51852fa", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/hid_bravura_monitor/1.2.2/kibana/visualization/hid_bravura_monitor-cf6ea950-1ade-11eb-abcf-effcd51852fa.json b/packages/hid_bravura_monitor/1.2.2/kibana/visualization/hid_bravura_monitor-cf6ea950-1ade-11eb-abcf-effcd51852fa.json deleted file mode 100755 index ad665e2928..0000000000 --- a/packages/hid_bravura_monitor/1.2.2/kibana/visualization/hid_bravura_monitor-cf6ea950-1ade-11eb-abcf-effcd51852fa.json +++ /dev/null @@ -1,29 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Connector Return Code: Node counts", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Node\",\"field\":\"host.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10000},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Connector Return Code: Node counts\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-cf6ea950-1ade-11eb-abcf-effcd51852fa", - "migrationVersion": { - "visualization": "7.14.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "hid_bravura_monitor-55100560-1add-11eb-abcf-effcd51852fa", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/hid_bravura_monitor/1.2.2/kibana/visualization/hid_bravura_monitor-d3897a80-25db-11eb-abcf-effcd51852fa.json b/packages/hid_bravura_monitor/1.2.2/kibana/visualization/hid_bravura_monitor-d3897a80-25db-11eb-abcf-effcd51852fa.json deleted file mode 100755 index c994df3988..0000000000 --- a/packages/hid_bravura_monitor/1.2.2/kibana/visualization/hid_bravura_monitor-d3897a80-25db-11eb-abcf-effcd51852fa.json +++ /dev/null 
@@ -1,29 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Database: Discovery procedures", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Average (ms)\",\"field\":\"hid_bravura_monitor.perf.duration\"},\"schema\":\"metric\",\"type\":\"avg\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Minimum (ms)\",\"field\":\"hid_bravura_monitor.perf.duration\"},\"schema\":\"metric\",\"type\":\"min\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Maximum (ms)\",\"field\":\"hid_bravura_monitor.perf.duration\"},\"schema\":\"metric\",\"type\":\"max\"},{\"enabled\":true,\"id\":\"5\",\"params\":{\"customLabel\":\"Total 
(ms)\",\"field\":\"hid_bravura_monitor.perf.duration\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"6\",\"params\":{\"customLabel\":\"Function\",\"field\":\"hid_bravura_monitor.perf.function\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10000},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"7\",\"params\":{\"customLabel\":\"Process\",\"field\":\"log.logger\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"split\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"percentageCol\":\"\",\"row\":true,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Database: Discovery procedures\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-d3897a80-25db-11eb-abcf-effcd51852fa", - "migrationVersion": { - "visualization": "7.14.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "hid_bravura_monitor-3aa4b370-25db-11eb-abcf-effcd51852fa", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/hid_bravura_monitor/1.2.2/kibana/visualization/hid_bravura_monitor-d5dcbf40-1a28-11eb-abcf-effcd51852fa.json b/packages/hid_bravura_monitor/1.2.2/kibana/visualization/hid_bravura_monitor-d5dcbf40-1a28-11eb-abcf-effcd51852fa.json deleted file mode 100755 index 4fe4d640eb..0000000000 --- a/packages/hid_bravura_monitor/1.2.2/kibana/visualization/hid_bravura_monitor-d5dcbf40-1a28-11eb-abcf-effcd51852fa.json +++ /dev/null 
@@ -1,33 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"hid_bravura_monitor.perf.kind\",\"negate\":false,\"params\":{\"query\":\"PerfConnector\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"hid_bravura_monitor.perf.kind\":\"PerfConnector\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Connector: Error Messages", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Message\",\"field\":\"hid_bravura_monitor.perf.message\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":1000},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Connector: Error Messages\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-d5dcbf40-1a28-11eb-abcf-effcd51852fa", - "migrationVersion": { - "visualization": "7.14.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end 
of file diff --git a/packages/hid_bravura_monitor/1.2.2/kibana/visualization/hid_bravura_monitor-d5fae950-25d3-11eb-abcf-effcd51852fa.json b/packages/hid_bravura_monitor/1.2.2/kibana/visualization/hid_bravura_monitor-d5fae950-25d3-11eb-abcf-effcd51852fa.json deleted file mode 100755 index e379b37f89..0000000000 --- a/packages/hid_bravura_monitor/1.2.2/kibana/visualization/hid_bravura_monitor-d5fae950-25d3-11eb-abcf-effcd51852fa.json +++ /dev/null 
@@ -1,33 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"log.logger\",\"negate\":false,\"params\":{\"query\":\"iddb.exe\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"log.logger\":\"iddb.exe\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Database: Log Histogram", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"scaleMetricValues\":false,\"timeRange\":{\"from\":\"now-15m\",\"to\":\"now\"},\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Node\",\"field\":\"host.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10000},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"isVislibVis\":true,\"labels\":{\"show\":false},\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"mode\":
\"stacked\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"Database: Log Histogram\",\"type\":\"histogram\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-d5fae950-25d3-11eb-abcf-effcd51852fa", - "migrationVersion": { - "visualization": "7.14.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/hid_bravura_monitor/1.2.2/kibana/visualization/hid_bravura_monitor-d66fb2a0-3ed6-11eb-9549-63f6cd998f21.json b/packages/hid_bravura_monitor/1.2.2/kibana/visualization/hid_bravura_monitor-d66fb2a0-3ed6-11eb-9549-63f6cd998f21.json deleted file mode 100755 index e0b25e4cfb..0000000000 --- a/packages/hid_bravura_monitor/1.2.2/kibana/visualization/hid_bravura_monitor-d66fb2a0-3ed6-11eb-9549-63f6cd998f21.json +++ /dev/null 
@@ -1,29 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "IDM Suite: Errors/Warnings by process", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Process\",\"field\":\"log.logger\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":1000},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"IDM Suite: Errors/Warnings by process\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-d66fb2a0-3ed6-11eb-9549-63f6cd998f21", - "migrationVersion": { - "visualization": "7.14.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "hid_bravura_monitor-2ec4a850-1463-11eb-bb7b-bb041e8cf289", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/hid_bravura_monitor/1.2.2/kibana/visualization/hid_bravura_monitor-d7dc3680-1add-11eb-abcf-effcd51852fa.json b/packages/hid_bravura_monitor/1.2.2/kibana/visualization/hid_bravura_monitor-d7dc3680-1add-11eb-abcf-effcd51852fa.json deleted file mode 100755 index 00ab38e3b7..0000000000 --- a/packages/hid_bravura_monitor/1.2.2/kibana/visualization/hid_bravura_monitor-d7dc3680-1add-11eb-abcf-effcd51852fa.json +++ /dev/null 
@@ -1,29 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Connector Return Code: Histogram", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"scaleMetricValues\":false,\"timeRange\":{\"from\":\"now-90d\",\"to\":\"now\"},\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Node\",\"field\":\"host.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":1000},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"isVislibVis\":true,\"labels\":{\"show\":false},\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"mode\":\"stacked\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"trun
cate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"Connector Return Code: Histogram\",\"type\":\"histogram\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-d7dc3680-1add-11eb-abcf-effcd51852fa", - "migrationVersion": { - "visualization": "7.14.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "hid_bravura_monitor-55100560-1add-11eb-abcf-effcd51852fa", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/hid_bravura_monitor/1.2.2/kibana/visualization/hid_bravura_monitor-db3f9af0-1a1b-11eb-abcf-effcd51852fa.json b/packages/hid_bravura_monitor/1.2.2/kibana/visualization/hid_bravura_monitor-db3f9af0-1a1b-11eb-abcf-effcd51852fa.json deleted file mode 100755 index b9ff373e67..0000000000 --- a/packages/hid_bravura_monitor/1.2.2/kibana/visualization/hid_bravura_monitor-db3f9af0-1a1b-11eb-abcf-effcd51852fa.json +++ /dev/null 
@@ -1,29 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Users: Issues: Processes", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Process\",\"field\":\"log.logger\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Users: Issues: Processes\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-db3f9af0-1a1b-11eb-abcf-effcd51852fa", - "migrationVersion": { - "visualization": "7.14.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "hid_bravura_monitor-9e4165d0-1a1a-11eb-abcf-effcd51852fa", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/hid_bravura_monitor/1.2.2/kibana/visualization/hid_bravura_monitor-db898d80-1a21-11eb-abcf-effcd51852fa.json b/packages/hid_bravura_monitor/1.2.2/kibana/visualization/hid_bravura_monitor-db898d80-1a21-11eb-abcf-effcd51852fa.json deleted file mode 100755 index 6a17858df5..0000000000 --- a/packages/hid_bravura_monitor/1.2.2/kibana/visualization/hid_bravura_monitor-db898d80-1a21-11eb-abcf-effcd51852fa.json +++ /dev/null 
@@ -1,33 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"hid_bravura_monitor.perf.kind\",\"negate\":false,\"params\":{\"query\":\"PerfConnector\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"hid_bravura_monitor.perf.kind\":\"PerfConnector\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Connector: Targets", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Targets\",\"field\":\"hid_bravura_monitor.perf.targetid\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Connector\",\"field\":\"log.logger\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":100000},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Connector: Targets\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-db898d80-1a21-11eb-abcf-effcd51852fa", - "migrationVersion": { - "visualization": "7.14.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], 
- "type": "visualization" -} \ No newline at end of file diff --git a/packages/hid_bravura_monitor/1.2.2/kibana/visualization/hid_bravura_monitor-dbc305e0-245a-11eb-abcf-effcd51852fa.json b/packages/hid_bravura_monitor/1.2.2/kibana/visualization/hid_bravura_monitor-dbc305e0-245a-11eb-abcf-effcd51852fa.json deleted file mode 100755 index a3d17ef983..0000000000 --- a/packages/hid_bravura_monitor/1.2.2/kibana/visualization/hid_bravura_monitor-dbc305e0-245a-11eb-abcf-effcd51852fa.json +++ /dev/null 
@@ -1,29 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Problem Heat Map", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"log.level\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"asc\",\"orderBy\":\"_key\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"host.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":1000},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"colorSchema\":\"Yellow to Red\",\"colorsNumber\":10,\"colorsRange\":[],\"enableHover\":true,\"invertColors\":false,\"legendPosition\":\"right\",\"percentageMode\":false,\"setColorRange\":false,\"times\":[],\"type\":\"heatmap\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"color\":\"black\",\"overwriteColor\":false,\"rotate\":0,\"show\":false},\"scale\":{\"defaultYExtents\":false,\"type\":\"linear\"},\"show\":false,\"type\":\"value\"}]},\"title\":\"Problem Heat Map\",\"type\":\"heatmap\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-dbc305e0-245a-11eb-abcf-effcd51852fa", - "migrationVersion": { - "visualization": "7.14.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "hid_bravura_monitor-1616ab00-22c8-11eb-abcf-effcd51852fa", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/hid_bravura_monitor/1.2.2/kibana/visualization/hid_bravura_monitor-ec082d90-1aaf-11eb-abcf-effcd51852fa.json b/packages/hid_bravura_monitor/1.2.2/kibana/visualization/hid_bravura_monitor-ec082d90-1aaf-11eb-abcf-effcd51852fa.json deleted file mode 100755 index 80ed8dc196..0000000000 --- a/packages/hid_bravura_monitor/1.2.2/kibana/visualization/hid_bravura_monitor-ec082d90-1aaf-11eb-abcf-effcd51852fa.json +++ /dev/null 
@@ -1,33 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"hid_bravura_monitor.perf.kind\",\"negate\":false,\"params\":{\"query\":\"PerfConnector\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"hid_bravura_monitor.perf.kind\":\"PerfConnector\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Connector: Target Performance", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Target ID\",\"field\":\"hid_bravura_monitor.perf.targetid\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10000},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Average (ms)\",\"field\":\"hid_bravura_monitor.perf.duration\"},\"schema\":\"metric\",\"type\":\"avg\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Min (ms)\",\"field\":\"hid_bravura_monitor.perf.duration\"},\"schema\":\"metric\",\"type\":\"min\"},{\"enabled\":true,\"id\":\"5\",\"params\":{\"customLabel\":\"Max (ms)\",\"field\":\"hid_bravura_monitor.perf.duration\"},\"schema\":\"metric\",\"type\":\"max\"},{\"enabled\":true,\"id\":\"6\",\"params\":{\"customLabel\":\"Total 
(ms)\",\"field\":\"hid_bravura_monitor.perf.duration\"},\"schema\":\"metric\",\"type\":\"sum\"}],\"params\":{\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Connector: Target Performance\",\"type\":\"table\"}"
- },
- "coreMigrationVersion": "7.15.0",
- "id": "hid_bravura_monitor-ec082d90-1aaf-11eb-abcf-effcd51852fa",
- "migrationVersion": {
- "visualization": "7.14.0"
- },
- "namespaces": [
- "default"
- ],
- "references": [
- {
- "id": "logs-*",
- "name": "kibanaSavedObjectMeta.searchSourceJSON.index",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
- "type": "index-pattern"
- }
- ],
- "type": "visualization"
-}
\ No newline at end of file
diff --git a/packages/hid_bravura_monitor/1.2.2/kibana/visualization/hid_bravura_monitor-ef5b4da0-2b6d-11eb-abcf-effcd51852fa.json b/packages/hid_bravura_monitor/1.2.2/kibana/visualization/hid_bravura_monitor-ef5b4da0-2b6d-11eb-abcf-effcd51852fa.json
deleted file mode 100755
index 44d1ab6b92..0000000000
--- a/packages/hid_bravura_monitor/1.2.2/kibana/visualization/hid_bravura_monitor-ef5b4da0-2b6d-11eb-abcf-effcd51852fa.json
+++ /dev/null
@@ -1,29 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Database: Search performance", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Average (ms)\",\"field\":\"hid_bravura_monitor.perf.duration\"},\"schema\":\"metric\",\"type\":\"avg\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Minimum (ms)\",\"field\":\"hid_bravura_monitor.perf.duration\"},\"schema\":\"metric\",\"type\":\"min\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Maximum (ms)\",\"field\":\"hid_bravura_monitor.perf.duration\"},\"schema\":\"metric\",\"type\":\"max\"},{\"enabled\":true,\"id\":\"5\",\"params\":{\"customLabel\":\"Total (ms)\",\"field\":\"hid_bravura_monitor.perf.duration\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"6\",\"params\":{\"customLabel\":\"Function\",\"field\":\"hid_bravura_monitor.perf.function\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10000},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Database: Search performance\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-ef5b4da0-2b6d-11eb-abcf-effcd51852fa", - "migrationVersion": { - "visualization": "7.14.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": 
"hid_bravura_monitor-046c7b20-2b6d-11eb-abcf-effcd51852fa",
- "name": "search_0",
- "type": "search"
- }
- ],
- "type": "visualization"
-}
\ No newline at end of file
diff --git a/packages/hid_bravura_monitor/1.2.2/kibana/visualization/hid_bravura_monitor-f596ebf0-1adf-11eb-abcf-effcd51852fa.json b/packages/hid_bravura_monitor/1.2.2/kibana/visualization/hid_bravura_monitor-f596ebf0-1adf-11eb-abcf-effcd51852fa.json
deleted file mode 100755
index 8cbf6b5d89..0000000000
--- a/packages/hid_bravura_monitor/1.2.2/kibana/visualization/hid_bravura_monitor-f596ebf0-1adf-11eb-abcf-effcd51852fa.json
+++ /dev/null
@@ -1,29 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Connector Return Code: Messages", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Message\",\"field\":\"hid_bravura_monitor.perf.message\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":1000},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Connector Return Code: Messages\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-f596ebf0-1adf-11eb-abcf-effcd51852fa", - "migrationVersion": { - "visualization": "7.14.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "hid_bravura_monitor-55100560-1add-11eb-abcf-effcd51852fa", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/hid_bravura_monitor/1.2.2/kibana/visualization/hid_bravura_monitor-f9ed0ec0-2eab-11eb-b6a1-bdb7d768b585.json b/packages/hid_bravura_monitor/1.2.2/kibana/visualization/hid_bravura_monitor-f9ed0ec0-2eab-11eb-b6a1-bdb7d768b585.json deleted file mode 100755 index eacd663506..0000000000 --- a/packages/hid_bravura_monitor/1.2.2/kibana/visualization/hid_bravura_monitor-f9ed0ec0-2eab-11eb-b6a1-bdb7d768b585.json +++ /dev/null 
@@ -1,29 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Executables: Performance", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Process\",\"field\":\"log.logger\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":100000},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Average (ms)\",\"field\":\"hid_bravura_monitor.perf.duration\"},\"schema\":\"metric\",\"type\":\"avg\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Minimum (ms)\",\"field\":\"hid_bravura_monitor.perf.duration\"},\"schema\":\"metric\",\"type\":\"min\"},{\"enabled\":true,\"id\":\"5\",\"params\":{\"customLabel\":\"Maximum (ms)\",\"field\":\"hid_bravura_monitor.perf.duration\"},\"schema\":\"metric\",\"type\":\"max\"},{\"enabled\":true,\"id\":\"6\",\"params\":{\"customLabel\":\"Total (ms)\",\"field\":\"hid_bravura_monitor.perf.duration\"},\"schema\":\"metric\",\"type\":\"sum\"}],\"params\":{\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Executables: Performance\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-f9ed0ec0-2eab-11eb-b6a1-bdb7d768b585", - "migrationVersion": { - "visualization": "7.14.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": 
"hid_bravura_monitor-95032a30-2eab-11eb-b6a1-bdb7d768b585",
- "name": "search_0",
- "type": "search"
- }
- ],
- "type": "visualization"
-}
\ No newline at end of file
diff --git a/packages/hid_bravura_monitor/1.2.2/kibana/visualization/hid_bravura_monitor-fddce510-d387-11eb-9e70-edcbba448215.json b/packages/hid_bravura_monitor/1.2.2/kibana/visualization/hid_bravura_monitor-fddce510-d387-11eb-9e70-edcbba448215.json
deleted file mode 100755
index 0638184891..0000000000
--- a/packages/hid_bravura_monitor/1.2.2/kibana/visualization/hid_bravura_monitor-fddce510-d387-11eb-9e70-edcbba448215.json
+++ /dev/null
@@ -1,34 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":{\"query\":\"6\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"event.code\":\"6\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Replication Database Connection Failures", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"scaleMetricValues\":false,\"timeRange\":{\"from\":\"now-1y\",\"to\":\"now\"},\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"isVislibVis\":true,\"labels\":{\"show\":false},\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"mode\":\"stacked\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show
\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"Replication Database Connection Failures\",\"type\":\"histogram\"}"
- },
- "coreMigrationVersion": "7.15.0",
- "id": "hid_bravura_monitor-fddce510-d387-11eb-9e70-edcbba448215",
- "migrationVersion": {
- "visualization": "7.14.0"
- },
- "namespaces": [
- "default"
- ],
- "references": [
- {
- "id": "logs-*",
- "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
- "type": "index-pattern"
- },
- {
- "id": "hid_bravura_monitor-089d63f0-d37c-11eb-9e70-edcbba448215",
- "name": "search_0",
- "type": "search"
- }
- ],
- "type": "visualization"
-}
\ No newline at end of file
diff --git a/packages/hid_bravura_monitor/1.2.2/kibana/visualization/hid_bravura_monitor-fe363790-1a1a-11eb-abcf-effcd51852fa.json b/packages/hid_bravura_monitor/1.2.2/kibana/visualization/hid_bravura_monitor-fe363790-1a1a-11eb-abcf-effcd51852fa.json
deleted file mode 100755
index 7a6059ca37..0000000000
--- a/packages/hid_bravura_monitor/1.2.2/kibana/visualization/hid_bravura_monitor-fe363790-1a1a-11eb-abcf-effcd51852fa.json
+++ /dev/null
@@ -1,29 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Users: Issues: Histogram", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"scaleMetricValues\":false,\"timeRange\":{\"from\":\"now-15m\",\"to\":\"now\"},\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Node\",\"field\":\"host.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":100},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"isVislibVis\":true,\"labels\":{\"show\":false},\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"mode\":\"stacked\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":10
0},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"Users: Issues: Histogram\",\"type\":\"histogram\"}"
- },
- "coreMigrationVersion": "7.15.0",
- "id": "hid_bravura_monitor-fe363790-1a1a-11eb-abcf-effcd51852fa",
- "migrationVersion": {
- "visualization": "7.14.0"
- },
- "namespaces": [
- "default"
- ],
- "references": [
- {
- "id": "hid_bravura_monitor-9e4165d0-1a1a-11eb-abcf-effcd51852fa",
- "name": "search_0",
- "type": "search"
- }
- ],
- "type": "visualization"
-}
\ No newline at end of file
diff --git a/packages/hid_bravura_monitor/1.2.2/kibana/visualization/hid_bravura_monitor-fe779080-d83f-11eb-9e70-edcbba448215.json b/packages/hid_bravura_monitor/1.2.2/kibana/visualization/hid_bravura_monitor-fe779080-d83f-11eb-9e70-edcbba448215.json
deleted file mode 100755
index c251939956..0000000000
--- a/packages/hid_bravura_monitor/1.2.2/kibana/visualization/hid_bravura_monitor-fe779080-d83f-11eb-9e70-edcbba448215.json
+++ /dev/null
@@ -1,34 +0,0 @@ -{ - "attributes": { - "description": "63 - Self-service password reset successful.\n64 - Self-service password reset failed.\n66 - Help-desk assisted password reset successful.\n67 - Help-desk assisted password reset failed.", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":[\"63\",\"64\",\"66\",\"67\"],\"type\":\"phrases\",\"value\":\"63, 64, 66, 67\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.code\":\"63\"}},{\"match_phrase\":{\"event.code\":\"64\"}},{\"match_phrase\":{\"event.code\":\"66\"}},{\"match_phrase\":{\"event.code\":\"67\"}}]}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Password Resets Trend", - "uiStateJSON": "{}", - "version": 1, - "visState": 
"{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"scaleMetricValues\":false,\"timeRange\":{\"from\":\"now-1y\",\"to\":\"now\"},\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Event\",\"field\":\"event.code\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false},\"isVislibVis\":true,\"labels\":{},\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"normal\",\"show\":true,\"showCircles\":true,\"type\":\"line\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"type\":\"line\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"Password Resets Trend\",\"type\":\"line\"}" - }, - "coreMigrationVersion": "7.15.0", - 
"id": "hid_bravura_monitor-fe779080-d83f-11eb-9e70-edcbba448215",
- "migrationVersion": {
- "visualization": "7.14.0"
- },
- "namespaces": [
- "default"
- ],
- "references": [
- {
- "id": "logs-*",
- "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
- "type": "index-pattern"
- },
- {
- "id": "hid_bravura_monitor-dca8bb20-d397-11eb-9e70-edcbba448215",
- "name": "search_0",
- "type": "search"
- }
- ],
- "type": "visualization"
-}
\ No newline at end of file
diff --git a/packages/hid_bravura_monitor/1.2.2/manifest.yml b/packages/hid_bravura_monitor/1.2.2/manifest.yml
deleted file mode 100755
index 2ea6ef6135..0000000000
--- a/packages/hid_bravura_monitor/1.2.2/manifest.yml
+++ /dev/null
@@ -1,51 +0,0 @@
-name: hid_bravura_monitor
-title: Hitachi ID Bravura Monitor
-version: "1.2.2"
-categories: ["security"]
-release: ga
-description: Collect logs from Hitachi ID Security Fabric with Elastic Agent.
-type: integration
-icons:
- - src: /img/logo_hid_bravura_monitor.svg
- title: logo Hitachi ID Bravura Monitor
- size: 50x50
- type: image/svg+xml
-conditions:
- kibana:
- version: ^7.16.0 || ^8.0.0
-screenshots:
- - src: /img/kibana-hid_bravura_monitor-overview.png
- title: Kibana Hitachi ID Bravura Monitor overview
- size: 1907x971
- type: image/png
- - src: /img/kibana-hid_bravura_monitor-log-issues.png
- title: Kibana Hitachi ID Bravura Monitor dashboard example 1
- size: 1902x972
- type: image/png
- - src: /img/kibana-hid_bravura_monitor-db-replication.png
- title: Kibana Hitachi ID Bravura Monitor dashboard example 2
- size: 1903x969
- type: image/png
- - src: /img/kibana-hid_bravura_monitor-connectors.png
- title: Kibana Hitachi ID Bravura Monitor dashboard example 3
- size: 1896x971
- type: image/png
- - src: /img/kibana-hid_bravura_monitor-admin.png
- title: Kibana Hitachi ID Bravura Monitor dashboard example 4
- size: 1904x971
- type: image/png
-owner:
- github: elastic/security-external-integrations
-format_version: 1.0.0
-license: basic
-policy_templates:
- - name: hid_bravura_monitor
- title: Hitachi ID Bravura Monitor logs
- description: Collect logs from Hitachi ID Bravura Monitor instances
- inputs:
- - type: filestream
- title: 'Collect Hitachi ID Bravura Monitor application logs (input: filestream)'
- description: 'Collecting application logs from Hitachi ID Bravura Monitor instances (input: filestream)'
- - type: winlog
- title: 'Collect Hitachi ID Bravura Monitor event logs (input: winlog)'
- description: 'Collecting Windows Event logs from Hitachi ID Suite channel (input: winlog)'
diff --git a/packages/hid_bravura_monitor/1.2.3/LICENSE.txt b/packages/hid_bravura_monitor/1.2.3/LICENSE.txt
deleted file mode 100755
index 809108b857..0000000000
--- a/packages/hid_bravura_monitor/1.2.3/LICENSE.txt
+++ /dev/null
@@ -1,93 +0,0 @@
-Elastic License 2.0
-
-URL: https://www.elastic.co/licensing/elastic-license
-
-## Acceptance
-
-By using the software, you agree to all of the terms and conditions below.
-
-## Copyright License
-
-The licensor grants you a non-exclusive, royalty-free, worldwide,
-non-sublicensable, non-transferable license to use, copy, distribute, make
-available, and prepare derivative works of the software, in each case subject to
-the limitations and conditions below.
-
-## Limitations
-
-You may not provide the software to third parties as a hosted or managed
-service, where the service provides users with access to any substantial set of
-the features or functionality of the software.
-
-You may not move, change, disable, or circumvent the license key functionality
-in the software, and you may not remove or obscure any functionality in the
-software that is protected by the license key.
-
-You may not alter, remove, or obscure any licensing, copyright, or other notices
-of the licensor in the software. Any use of the licensor’s trademarks is subject
-to applicable law.
-
-## Patents
-
-The licensor grants you a license, under any patent claims the licensor can
-license, or becomes able to license, to make, have made, use, sell, offer for
-sale, import and have imported the software, in each case subject to the
-limitations and conditions in this license. This license does not cover any
-patent claims that you cause to be infringed by modifications or additions to
-the software. If you or your company make any written claim that the software
-infringes or contributes to infringement of any patent, your patent license for
-the software granted under these terms ends immediately. If your company makes
-such a claim, your patent license ends immediately for work on behalf of your
-company.
-
-## Notices
-
-You must ensure that anyone who gets a copy of any part of the software from you
-also gets a copy of these terms.
-
-If you modify the software, you must include in any modified copies of the
-software prominent notices stating that you have modified the software.
-
-## No Other Rights
-
-These terms do not imply any licenses other than those expressly granted in
-these terms.
-
-## Termination
-
-If you use the software in violation of these terms, such use is not licensed,
-and your licenses will automatically terminate. If the licensor provides you
-with a notice of your violation, and you cease all violation of this license no
-later than 30 days after you receive that notice, your licenses will be
-reinstated retroactively. However, if you violate these terms after such
-reinstatement, any additional violation of these terms will cause your licenses
-to terminate automatically and permanently.
-
-## No Liability
-
-*As far as the law allows, the software comes as is, without any warranty or
-condition, and the licensor will not be liable to you for any damages arising
-out of these terms or the use or nature of the software, under any kind of
-legal claim.*
-
-## Definitions
-
-The **licensor** is the entity offering these terms, and the **software** is the
-software the licensor makes available under these terms, including any portion
-of it.
-
-**you** refers to the individual or entity agreeing to these terms.
-
-**your company** is any legal entity, sole proprietorship, or other kind of
-organization that you work for, plus all organizations that have control over,
-are under the control of, or are under common control with that
-organization. **control** means ownership of substantially all the assets of an
-entity, or the power to direct its management and policies by vote, contract, or
-otherwise. Control can be direct or indirect.
-
-**your licenses** are all the licenses granted to you for the software under
-these terms.
-
-**use** means anything you do with the software requiring one of your licenses.
-
-**trademark** means trademarks, service marks, and similar rights.
diff --git a/packages/hid_bravura_monitor/1.2.3/changelog.yml b/packages/hid_bravura_monitor/1.2.3/changelog.yml
deleted file mode 100755
index b091e68773..0000000000
--- a/packages/hid_bravura_monitor/1.2.3/changelog.yml
+++ /dev/null
@@ -1,46 +0,0 @@
-# newer versions go on top
-- version: "1.2.3"
- changes:
- - description: Remove duplicate field.
- type: bugfix
- link: https://github.com/elastic/integrations/issues/4327
-- version: "1.2.2"
- changes:
- - description: Use ECS geo.location definition.
- type: enhancement
- link: https://github.com/elastic/integrations/issues/4227
-- version: "1.2.1"
- changes:
- - description: Remove unused visualizations
- type: enhancement
- link: https://github.com/elastic/integrations/issues/3975
-- version: "1.2.0"
- changes:
- - description: Update package to ECS 8.4.0
- type: enhancement
- link: https://github.com/elastic/integrations/pull/3866
-- version: "1.1.0"
- changes:
- - description: Update package to ECS 8.3.0.
- type: enhancement
- link: https://github.com/elastic/integrations/pull/3353
-- version: "1.0.3"
- changes:
- - description: Update readme
- type: enhancement
- link: https://github.com/elastic/integrations/pull/3108
-- version: "1.0.2"
- changes:
- - description: Add documentation for multi-fields
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2916
-- version: "1.0.1"
- changes:
- - description: Documentation update
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2654
-- version: "1.0.0"
- changes:
- - description: full release
- type: enhancement
- link: https://github.com/elastic/integrations/pull/1912
diff --git a/packages/hid_bravura_monitor/1.2.3/data_stream/log/agent/stream/filestream.yml.hbs b/packages/hid_bravura_monitor/1.2.3/data_stream/log/agent/stream/filestream.yml.hbs
deleted file mode 100755
index e926888e7f..0000000000
--- a/packages/hid_bravura_monitor/1.2.3/data_stream/log/agent/stream/filestream.yml.hbs
+++ /dev/null
@@ -1,34 +0,0 @@
-paths:
-{{#each paths as |path i|}}
- - {{path}}
-{{/each}}
-prospector.scanner.exclude_files: [".gz$"]
-line_terminator: carriage_return_line_feed
-tags:
-{{#if preserve_original_event}}
- - preserve_original_event
-{{/if}}
-{{#each tags as |tag i|}}
- - {{tag}}
-{{/each}}
-{{#contains "forwarded" tags}}
-publisher_pipeline.disable_host: true
-{{/contains}}
-processors:
-{{#if processors}}
- {{processors}}
-{{/if}}
- - add_fields:
- target: ''
- fields:
- hid_bravura_monitor.instancename: {{instancename}}
- hid_bravura_monitor.node: {{node}}
- hid_bravura_monitor.environment: {{environment}}
- hid_bravura_monitor.instancetype: {{instancetype}}
- event.timezone: {{timezone}}
-parsers:
- - multiline:
- type: pattern
- pattern: ^[[:cntrl:]]
- negate: true
- match: after
\ No newline at end of file
diff --git a/packages/hid_bravura_monitor/1.2.3/data_stream/log/elasticsearch/ingest_pipeline/default.yml b/packages/hid_bravura_monitor/1.2.3/data_stream/log/elasticsearch/ingest_pipeline/default.yml
deleted file mode 100755
index 3a9e7b70e5..0000000000
--- a/packages/hid_bravura_monitor/1.2.3/data_stream/log/elasticsearch/ingest_pipeline/default.yml
+++ /dev/null
@@ -1,196 +0,0 @@ ---- -description: Pipeline for parsing hid_bravura_monitor logs -processors: - - set: - field: ecs.version - value: '8.4.0' - description: Set ecs.version to 1.12.0 - - set: - field: event.ingested - value: '{{_ingest.timestamp}}' - - rename: - field: message - target_field: event.original - ignore_missing: true - - grok: - field: event.original - patterns: - - >- - (^[[:cntrl:]])?%{TIMESTAMP_ISO8601:logdate}.%{NONNEGINT} - - \[(%{DATA:pslogid})?\] %{DATA:log.logger} - \[%{NONNEGINT:process.pid},%{NONNEGINT:process.thread.id}\] - %{DATA:log.level}: %{MULTILINEDATA:msg} - pattern_definitions: - MULTILINEDATA: |- - (.| - )* - description: Initial parse - - drop: - if: ctx?.msg.contains('last message repeated') - description: Drop repeated log message - - grok: - field: event.original - patterns: - - >- - (^[[:cntrl:]])?%{TIMESTAMP_ISO8601}.%{NONNEGINT} - \[%{DATA}\] %{DATA} - \[%{NONNEGINT},%{NONNEGINT}\] %{DATA}: - %{NOTSPACE:hid_bravura_monitor.perf.kind}. %{GREEDYDATA:kvpairs} - ignore_missing: true - if: ctx?.log?.level.contains('Perf') - description: Parse Perf messages - - set: - field: log.level - value: Perf - if: ctx?.log?.level.contains('Perf') - description: Set log.level to Perf - - kv: - if: ctx?.log?.level.contains('Perf') - trim_key: ' \r\n' - trim_value: ' {}\r\n' - value_split: ': ' - target_field: hid_bravura_monitor.perf - ignore_missing: true - description: Separate perf info - field: kvpairs - field_split: ' \| ' - - rename: - if: ctx?.hid_bravura_monitor?.perf?.kind == 'PerfAjax' - target_field: user.id - field: hid_bravura_monitor.perf.User - ignore_missing: true - description: Rename hid_bravura_monitor.perf.User to user.id - - script: - if: ctx?.log?.level.contains('Perf') - source: >- - Map m = new HashMap(); ctx['hid_bravura_monitor']['perf'].forEach((k,v) - -> m.put(k.toLowerCase(), v)); - ctx['hid_bravura_monitor'].remove('perf'); - ctx['hid_bravura_monitor']['perf'] = new HashMap(); m.forEach((k,v) -> - 
ctx['hid_bravura_monitor']['perf'][k] = v ); - description: lowercase perf fields - - set: - if: ctx?.hid_bravura_monitor?.perf?.kind == 'PerfExe' - field: hid_bravura_monitor.perf.exe - copy_from: log.logger - ignore_empty_value: true - description: Copy log.logger to hid_bravura_monitor.perf.exe - - remove: - field: kvpairs - ignore_missing: true - description: Remove kvpairs - - grok: - field: pslogid - patterns: - - >- - %{UUID:hid_bravura_monitor.request.id} - - >- - %{[A-Fa-f0-9]{32}:hid_bravura_monitor.request.id} - ignore_missing: true - ignore_failure: true - description: Set requestid if batchid - - rename: - target_field: user.id - field: pslogid - ignore_missing: true - if: ctx.hid_bravura_monitor?.request?.id == null && ctx?.hid_bravura_monitor?.perf?.kind != 'PerfAjax' - description: Set userid if not a guid - - remove: - field: pslogid - ignore_missing: true - description: Remove pslogid - - date: - field: logdate - formats: - - 'yyyy-MM-dd HH:mm:ss.SSS' - timezone: '{{event.timezone}}' - description: Convert logdate to @timestamp - - rename: - target_field: message - field: msg - description: Override message - - remove: - field: logdate - description: Remove logdate - - set: - if: ctx?.hid_bravura_monitor?.node == '0.0.0.0' - field: hid_bravura_monitor.node - copy_from: host.name - ignore_empty_value: true - description: Copy host.name to hid_bravura_monitor.node if left as default - - convert: - field: process.pid - type: long - ignore_missing: true - description: process.pid to Long - - convert: - field: process.thread.id - type: long - ignore_missing: true - description: process.thread.id to Long - - convert: - field: hid_bravura_monitor.perf.duration - type: long - ignore_missing: true - description: hid_bravura_monitor.perf.duration to Long - - convert: - field: hid_bravura_monitor.perf.kernel - type: long - ignore_missing: true - description: hid_bravura_monitor.perf.kernel to Long - - convert: - field: hid_bravura_monitor.perf.user - type: 
long - ignore_missing: true - description: hid_bravura_monitor.perf.user to Long - - dot_expander: - field: hid_bravura_monitor.perf.kind - ignore_failure: true - description: move hid_bravura_monitor.perf.kind to object - - convert: - field: hid_bravura_monitor.perf.line - type: long - ignore_missing: true - description: hid_bravura_monitor.perf.line to Long - - convert: - field: hid_bravura_monitor.perf.records - type: long - ignore_missing: true - description: hid_bravura_monitor.perf.records to Long - - convert: - field: hid_bravura_monitor.perf.result - type: long - ignore_missing: true - description: hid_bravura_monitor.perf.result to Long - - script: - lang: painless - description: This script processor iterates over the whole document to remove fields with null values. - source: | - void handleMap(Map map) { - for (def x : map.values()) { - if (x instanceof Map) { - handleMap(x); - } else if (x instanceof List) { - handleList(x); - } - } - map.values().removeIf(v -> v == null); - } - void handleList(List list) { - for (def x : list) { - if (x instanceof Map) { - handleMap(x); - } else if (x instanceof List) { - handleList(x); - } - } - } - handleMap(ctx); - - remove: - field: event.original - if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" - ignore_failure: true - ignore_missing: true -on_failure: - - set: - field: error.message - value: '{{ _ingest.on_failure_message }}' \ No newline at end of file diff --git a/packages/hid_bravura_monitor/1.2.3/data_stream/log/fields/agent.yml b/packages/hid_bravura_monitor/1.2.3/data_stream/log/fields/agent.yml deleted file mode 100755 index d38a70bd6b..0000000000 --- a/packages/hid_bravura_monitor/1.2.3/data_stream/log/fields/agent.yml +++ /dev/null 
@@ -1,207 +0,0 @@
-- name: cloud
- title: Cloud
- group: 2
- description: Fields related to the cloud or infrastructure the events are coming from.
- footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.'
- type: group
- fields:
- - name: account.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment.
-
- Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.'
- example: 666777888999
- - name: availability_zone
- level: extended
- type: keyword
- ignore_above: 1024
- description: Availability zone in which this host is running.
- example: us-east-1c
- - name: instance.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance ID of the host machine.
- example: i-1234567890abcdef0
- - name: instance.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance name of the host machine.
- - name: machine.type
- level: extended
- type: keyword
- ignore_above: 1024
- description: Machine type of the host machine.
- example: t2.medium
- - name: provider
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
- example: aws
- - name: region
- level: extended
- type: keyword
- ignore_above: 1024
- description: Region in which this host is running.
- example: us-east-1
- - name: project.id
- type: keyword
- description: Name of the project in Google Cloud.
- - name: image.id
- type: keyword
- description: Image ID for the cloud instance.
-- name: container
- title: Container
- group: 2
- description: 'Container fields are used for meta information about the specific container that is the source of information.
-
- These fields help correlate data based containers from any runtime.'
- type: group
- fields:
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: Unique container id.
- - name: image.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the image the container was built on.
- - name: labels
- level: extended
- type: object
- object_type: keyword
- description: Image labels.
- - name: name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Container name.
-- name: host
- title: Host
- group: 2
- description: 'A host is defined as a general computing instance.
-
- ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.'
- type: group
- fields:
- - name: architecture
- level: core
- type: keyword
- ignore_above: 1024
- description: Operating system architecture.
- example: x86_64
- - name: domain
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'Name of the domain of which the host is a member.
-
- For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.'
- example: CONTOSO
- default_field: false
- - name: hostname
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Hostname of the host.
-
- It normally contains what the `hostname` command returns on the host machine.'
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Unique host id.
-
- As hostname is not always unique, use values that are meaningful in your environment.
-
- Example: The current usage of `beat.name`.'
- - name: ip
- level: core
- type: ip
- description: Host ip addresses.
- - name: mac
- level: core
- type: keyword
- ignore_above: 1024
- description: Host mac addresses.
- - name: name
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Name of the host.
-
- It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.'
- - name: os.family
- level: extended
- type: keyword
- ignore_above: 1024
- description: OS family (such as redhat, debian, freebsd, windows).
- example: debian
- - name: os.kernel
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system kernel version as a raw string.
- example: 4.4.0-112-generic
- - name: os.name
- level: extended
- type: keyword
- ignore_above: 1024
- multi_fields:
- - name: text
- type: text
- norms: false
- default_field: false
- description: Operating system name, without the version.
- example: Mac OS X
- - name: os.platform
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system platform (such centos, ubuntu, windows).
- example: darwin
- - name: os.version
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system version as a raw string.
- example: 10.14.1
- - name: type
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Type of host.
-
- For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.'
- - name: containerized
- type: boolean
- description: >
- If the host is a container.
-
- - name: os.build
- type: keyword
- example: "18D109"
- description: >
- OS build information.
-
- - name: os.codename
- type: keyword
- example: "stretch"
- description: >
- OS codename, if any.
-
-- name: input.type
- type: keyword
- description: Input type.
-- name: log.offset
- type: long
- description: Offset of the entry in the log file.
-- name: log.source.address
- type: keyword
- description: Source address from which the log event was read / sent from.
diff --git a/packages/hid_bravura_monitor/1.2.3/data_stream/log/fields/base-fields.yml b/packages/hid_bravura_monitor/1.2.3/data_stream/log/fields/base-fields.yml
deleted file mode 100755
index b25d7f5d59..0000000000
--- a/packages/hid_bravura_monitor/1.2.3/data_stream/log/fields/base-fields.yml
+++ /dev/null
@@ -1,23 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: event.module
- type: constant_keyword
- description: Event module
- value: hid_bravura_monitor
-- name: event.dataset
- type: constant_keyword
- description: Event dataset
- value: hid_bravura_monitor.log
-- name: log.flags
- description: Flags for the log file.
- type: keyword
-- name: log.offset
- description: Offset of the entry in the log file.
- type: long
diff --git a/packages/hid_bravura_monitor/1.2.3/data_stream/log/fields/ecs.yml b/packages/hid_bravura_monitor/1.2.3/data_stream/log/fields/ecs.yml
deleted file mode 100755
index 9c07522301..0000000000
--- a/packages/hid_bravura_monitor/1.2.3/data_stream/log/fields/ecs.yml
+++ /dev/null
@@ -1,490 +0,0 @@
-- description: |-
- Date/time when the event originated.
- This is the date/time extracted from the event, typically representing when the event was generated by the source.
- If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline.
- Required field for all events.
- name: '@timestamp'
- type: date
-- description: Short name or login of the user.
- multi_fields:
- - name: text
- type: match_only_text
- name: client.user.name
- type: keyword
-- description: |-
- Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field.
- Then it should be duplicated to `.ip` or `.domain`, depending on which one it is.
- name: destination.address
- type: keyword
-- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet.
- name: destination.as.number
- type: long
-- description: Organization name.
- multi_fields:
- - name: text
- type: match_only_text
- name: destination.as.organization.name
- type: keyword
-- description: Bytes sent from the destination to the source.
- name: destination.bytes
- type: long
-- description: |-
- The domain name of the destination system.
- This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment.
- name: destination.domain
- type: keyword
-- description: City name.
- name: destination.geo.city_name
- type: keyword
-- description: Name of the continent.
- name: destination.geo.continent_name
- type: keyword
-- description: Country ISO code.
- name: destination.geo.country_iso_code
- type: keyword
-- description: Country name.
- name: destination.geo.country_name
- type: keyword
-- description: Longitude and latitude.
- name: destination.geo.location
- type: geo_point
-- description: Region ISO code.
- name: destination.geo.region_iso_code
- type: keyword
-- description: Region name.
- name: destination.geo.region_name
- type: keyword
-- description: IP address of the destination (IPv4 or IPv6).
- name: destination.ip
- type: ip
-- description: |-
- Translated ip of destination based NAT sessions (e.g. internet to private DMZ)
- Typically used with load balancers, firewalls, or routers.
- name: destination.nat.ip
- type: ip
-- description: |-
- Port the source session is translated to by NAT Device.
- Typically used with load balancers, firewalls, or routers.
- name: destination.nat.port
- type: long
-- description: Port of the destination.
- name: destination.port
- type: long
-- description: Short name or login of the user.
- multi_fields:
- - name: text
- type: match_only_text
- name: destination.user.name
- type: keyword
-- description: |-
- ECS version this event conforms to. `ecs.version` is a required field and must exist in all events.
- When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events.
- name: ecs.version
- type: keyword
-- description: Error message.
- name: error.message
- type: match_only_text
-- description: |-
- This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy.
- `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory.
- This field is an array. This will allow proper categorization of some events that fall in multiple categories.
- name: event.category
- normalize:
- - array
- type: keyword
-- description: |-
- Identification code for this event, if one exists.
- Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID.
- name: event.code
- type: keyword
-- description: |-
- event.created contains the date/time when the event was first read by an agent, or by your pipeline.
- This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event.
- In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source.
- In case the two timestamps are identical, @timestamp should be used.
- name: event.created
- type: date
-- description: |-
- event.created contains the date/time when the event was first read by an agent, or by your pipeline.
- This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event.
- In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source.
- In case the two timestamps are identical, @timestamp should be used.
- name: event.created
- type: date
-- description: |-
- Duration of the event in nanoseconds.
- If event.start and event.end are known this value should be the difference between the end and start time.
- name: event.duration
- type: long
-- description: event.end contains the date when the event ended or when the activity was last observed.
- name: event.end
- type: date
-- description: |-
- Timestamp when an event arrived in the central data store.
- This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event.
- In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`.
- name: event.ingested
- type: date
-- description: |-
- This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy.
- `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events.
- The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not.
- name: event.kind
- type: keyword
-- description: |-
- Source of the event.
- Event transports such as Syslog or the Windows Event Log typically mention the source of an event. It can be the name of the software that generated the event (e.g. Sysmon, httpd), or of a subsystem of the operating system (kernel, Microsoft-Windows-Security-Auditing).
- name: event.provider
- type: keyword
-- description: |-
- The numeric severity of the event according to your event source.
- What the different severity values mean can be different between sources and use cases. It's up to the implementer to make sure severities are consistent across events from the same source.
- The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`.
- name: event.severity
- type: long
-- description: event.start contains the date when the event started or when the activity was first observed.
- name: event.start
- type: date
-- description: |-
- This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise.
- Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00").
- name: event.timezone
- type: keyword
-- description: |-
- This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy.
- `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization.
- This field is an array. This will allow proper categorization of some events that fall in multiple event types.
- name: event.type
- normalize:
- - array
- type: keyword
-- description: Full path to the file, including the file name. It should include the drive letter, when appropriate.
- multi_fields:
- - name: text
- type: match_only_text
- name: file.path
- type: keyword
-- description: |-
- Custom key/value pairs.
- Can be used to add meta information to events. Should not contain nested objects. All values are stored as keyword.
- Example: `docker` and `k8s` labels.
- name: labels
- type: object
-- description: |-
- Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate.
- If the event wasn't read from a log file, do not populate this field.
- name: log.file.path
- type: keyword
-- description: |-
- Original log level of the log event.
- If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. 
If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity).
- Some examples are `warn`, `err`, `i`, `informational`.
- name: log.level
- type: keyword
-- description: The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name.
- name: log.logger
- type: keyword
-- description: |-
- For log events the message field contains the log message, optimized for viewing in a log viewer.
- For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event.
- If multiple messages exist, they can be combined into one message.
- name: message
- type: match_only_text
-- description: |-
- Total bytes transferred in both directions.
- If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum.
- name: network.bytes
- type: long
-- description: |-
- Direction of the network traffic.
- When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress".
- When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external".
- Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers.
- name: network.direction
- type: keyword
-- description: IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number.
- name: network.iana_number
- type: keyword
-- description: Network.inner fields are added in addition to network.vlan fields to describe the innermost VLAN when q-in-q VLAN tagging is present. Allowed fields include vlan.id and vlan.name. Inner vlan fields are typically used when sending traffic with multiple 802.1q encapsulations to a network sensor (e.g. Zeek, Wireshark.)
- name: network.inner
- type: object
-- description: VLAN ID as reported by the observer.
- name: network.inner.vlan.id
- type: keyword
-- description: Optional VLAN name as reported by the observer.
- name: network.inner.vlan.name
- type: keyword
-- description: |-
- In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`.
- The field value must be normalized to lowercase for querying.
- name: network.protocol
- type: keyword
-- description: |-
- Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.)
- The field value must be normalized to lowercase for querying.
- name: network.transport
- type: keyword
-- description: |-
- In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc
- The field value must be normalized to lowercase for querying.
- name: network.type
- type: keyword
-- description: Interface name as reported by the system.
- name: observer.egress.interface.name
- type: keyword
-- description: Network zone of outbound traffic as reported by the observer to categorize the destination area of egress traffic, e.g. Internal, External, DMZ, HR, Legal, etc.
- name: observer.egress.zone
- type: keyword
-- description: Hostname of the observer.
- name: observer.hostname
- type: keyword
-- description: Interface name as reported by the system.
- name: observer.ingress.interface.name
- type: keyword
-- description: Network zone of incoming traffic as reported by the observer to categorize the source area of ingress traffic. e.g. 
internal, External, DMZ, HR, Legal, etc.
- name: observer.ingress.zone
- type: keyword
-- description: IP addresses of the observer.
- name: observer.ip
- normalize:
- - array
- type: ip
-- description: |-
- Custom name of the observer.
- This is a name that can be given to an observer. This can be helpful for example if multiple firewalls of the same model are used in an organization.
- If no custom name is needed, the field can be left empty.
- name: observer.name
- type: keyword
-- description: The product name of the observer.
- name: observer.product
- type: keyword
-- description: |-
- The type of the observer the data is coming from.
- There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`.
- name: observer.type
- type: keyword
-- description: Vendor name of the observer.
- name: observer.vendor
- type: keyword
-- description: Observer version.
- name: observer.version
- type: keyword
-- description: |-
- Process name.
- Sometimes called program name or similar.
- multi_fields:
- - name: text
- type: match_only_text
- name: process.name
- type: keyword
-- description: Process id.
- name: process.pid
- type: long
-- description: Thread ID.
- name: process.thread.id
- type: long
-- description: All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases.
- name: related.hosts
- normalize:
- - array
- type: keyword
-- description: All of the IPs seen on your event.
- name: related.ip
- normalize:
- - array
- type: ip
-- description: All the user names or other user identifiers seen on the event.
- name: related.user
- normalize:
- - array
- type: keyword
-- description: |-
- The domain name of the server system.
- This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment.
- name: server.domain
- type: keyword
-- description: |-
- Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field.
- Then it should be duplicated to `.ip` or `.domain`, depending on which one it is.
- name: source.address
- type: keyword
-- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet.
- name: source.as.number
- type: long
-- description: Organization name.
- multi_fields:
- - name: text
- type: match_only_text
- name: source.as.organization.name
- type: keyword
-- description: Bytes sent from the source to the destination.
- name: source.bytes
- type: long
-- description: |-
- The domain name of the source system.
- This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment.
- name: source.domain
- type: keyword
-- description: City name.
- name: source.geo.city_name
- type: keyword
-- description: Name of the continent.
- name: source.geo.continent_name
- type: keyword
-- description: Country ISO code.
- name: source.geo.country_iso_code
- type: keyword
-- description: Country name.
- name: source.geo.country_name
- type: keyword
-- description: Longitude and latitude.
- name: source.geo.location
- type: geo_point
-- description: Region ISO code.
- name: source.geo.region_iso_code
- type: keyword
-- description: Region name.
- name: source.geo.region_name
- type: keyword
-- description: IP address of the source (IPv4 or IPv6).
- name: source.ip
- type: ip
-- description: |-
- Translated ip of source based NAT sessions (e.g. internal client to internet)
- Typically connections traversing load balancers, firewalls, or routers.
- name: source.nat.ip
- type: ip
-- description: |-
- Translated port of source based NAT sessions. (e.g. 
internal client to internet)
- Typically used with load balancers, firewalls, or routers.
- name: source.nat.port
- type: long
-- description: Port of the source.
- name: source.port
- type: long
-- description: Short name or login of the user.
- multi_fields:
- - name: text
- type: match_only_text
- name: source.user.name
- type: keyword
-- description: List of keywords used to tag each event.
- name: tags
- normalize:
- - array
- type: keyword
-- description: |-
- Domain of the url, such as "www.elastic.co".
- In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field.
- If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field.
- name: url.domain
- type: keyword
-- description: |-
- The field contains the file extension from the original request url, excluding the leading dot.
- The file extension is only set if it exists, as not every url has a file extension.
- The leading period must not be included. For example, the value must be "png", not ".png".
- Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz").
- name: url.extension
- type: keyword
-- description: |-
- Portion of the url after the `#`, such as "top".
- The `#` is not part of the fragment.
- name: url.fragment
- type: keyword
-- description: If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source.
- multi_fields:
- - name: text
- type: match_only_text
- name: url.full
- type: wildcard
-- description: |-
- Unmodified original url as seen in the event source.
- Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path.
- This field is meant to represent the URL as it was observed, complete or not.
- multi_fields:
- - name: text
- type: match_only_text
- name: url.original
- type: wildcard
-- description: Password of the request.
- name: url.password
- type: keyword
-- description: Path of the request, such as "/search".
- name: url.path
- type: wildcard
-- description: Port of the request, such as 443.
- name: url.port
- type: long
-- description: |-
- The query field describes the query string of the request, such as "q=elasticsearch".
- The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases.
- name: url.query
- type: keyword
-- description: |-
- The highest registered url domain, stripped of the subdomain.
- For example, the registered domain for "foo.example.com" is "example.com".
- This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk".
- name: url.registered_domain
- type: keyword
-- description: |-
- Scheme of the request, such as "https".
- Note: The `:` is not part of the scheme.
- name: url.scheme
- type: keyword
-- description: |-
- The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain.
- For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period.
- name: url.subdomain
- type: keyword
-- description: |-
- The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com".
- This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk".
- name: url.top_level_domain
- type: keyword
-- description: Username of the request.
- name: url.username
- type: keyword
-- description: User email address.
- name: user.email
- type: keyword
-- description: Unique identifier of the user.
- name: user.id
- type: keyword
-- description: Short name or login of the user.
- multi_fields:
- - name: text
- type: match_only_text
- name: user.name
- type: keyword
-- description: |-
- The domain name of the server system.
- This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment.
- name: server.domain
- type: keyword
-- description: |-
- Some event server addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field.
- Then it should be duplicated to `.ip` or `.domain`, depending on which one it is.
- name: server.address
- type: keyword
-- description: Port of the server.
- name: server.port
- type: long
-- description: IP address of the server (IPv4 or IPv6).
- name: server.ip
- type: ip
-- description: |-
- The domain name of the client system.
- This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment.
- name: client.domain
- type: keyword
-- description: |-
- Some event client addresses are defined ambiguously. 
The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field.
- Then it should be duplicated to `.ip` or `.domain`, depending on which one it is.
- name: client.address
- type: keyword
-- description: Port of the client.
- name: client.port
- type: long
-- description: IP address of the client (IPv4 or IPv6).
- name: client.ip
- type: ip
diff --git a/packages/hid_bravura_monitor/1.2.3/data_stream/log/fields/fields.yml b/packages/hid_bravura_monitor/1.2.3/data_stream/log/fields/fields.yml
deleted file mode 100755
index 79a0312e10..0000000000
--- a/packages/hid_bravura_monitor/1.2.3/data_stream/log/fields/fields.yml
+++ /dev/null
@@ -1,99 +0,0 @@
-- name: hid_bravura_monitor.environment
- type: keyword
- description: Instance environment
-- name: hid_bravura_monitor.instancename
- type: keyword
- description: Instance name
-- name: hid_bravura_monitor.instancetype
- type: keyword
- description: Instance type
-- name: hid_bravura_monitor.node
- type: keyword
- description: Node
-- name: hid_bravura_monitor.request
- type: group
- fields:
- - name: id
- type: keyword
- description: Request ID
-- name: hid_bravura_monitor.perf
- type: group
- fields:
- - name: address
- type: wildcard
- description: Server address
- - name: adminid
- type: keyword
- description: Administrator ID
- - name: caller
- type: keyword
- description: Application caller
- - name: dbcommand
- type: keyword
- description: Database command
- - name: destination
- type: wildcard
- description: Destination URL
- - name: duration
- type: long
- description: Performance duration
- - name: event
- type: keyword
- description: Event
- - name: exe
- type: keyword
- description: Executable
- - name: file
- type: keyword
- description: Source file
- - name: function
- type: keyword
- description: Performance function
- - name: kernel
- type: long
- description: Kernel Time
- - name: kind
- type: keyword
- description: Performance type (ie. PerfExe, PerfAjax, PerfFileRep, etc.)
- - name: line
- type: long
- description: Line number
- - name: message
- type: wildcard
- description: Performance message
- multi_fields:
- - name: keyword
- type: keyword
- - name: operation
- type: keyword
- description: Operation
- - name: receivequeue
- type: keyword
- description: Receive queue
- - name: records
- type: long
- description: Database records
- - name: result
- type: long
- description: Result
- - name: sessionid
- type: keyword
- description: Session ID
- - name: sysid
- type: keyword
- description: System ID
- - name: table
- type: keyword
- description: Database table
- - name: targetid
- type: keyword
- description: Target ID
- - name: transid
- type: keyword
- description: Transaction ID
- - name: type
- type: keyword
- description: IDWFM type
- - name: user
- type: long
- description: User time
diff --git a/packages/hid_bravura_monitor/1.2.3/data_stream/log/manifest.yml b/packages/hid_bravura_monitor/1.2.3/data_stream/log/manifest.yml
deleted file mode 100755
index 30213ea82e..0000000000
--- a/packages/hid_bravura_monitor/1.2.3/data_stream/log/manifest.yml
+++ /dev/null
@@ -1,70 +0,0 @@
-type: logs
-title: Hitachi ID Bravura Monitor
-streams:
- - input: filestream
- vars:
- - name: paths
- type: text
- title: Paths
- multi: true
- required: true
- show_user: true
- default:
- - C:/Program Files/Hitachi ID/IDM Suite/Logs/default*/idmsuite*.log
- description: "Path to IDM Suite log files"
- - name: node
- type: text
- title: Node
- multi: false
- required: true
- show_user: true
- default: 0.0.0.0
- description: "If set to 0.0.0.0, `hid_bravura_monitor.node` will be set to the value of `host.name`"
- - name: instancename
- type: text
- title: Instance name
- multi: false
- required: true
- show_user: true
- default: default
- - name: timezone
- type: text
- title: Timezone
- multi: false
- required: true
- show_user: true
- default: UTC
- - name: environment
- type: text
- title: Environment
- multi: false
- required: true
- show_user: true
- default: PRODUCTION
- - name: instancetype
- type: text
- title: Instance type
- multi: false
- required: true
- show_user: true
- default: Privilege-Identity-Password
- - name: preserve_original_event
- required: true
- show_user: true
- title: Preserve original event
- description: Preserves a raw copy of the original event, added to the field `event.original`
- type: bool
- multi: false
- default: false
- - name: processors
- type: yaml
- title: Processors
- multi: false
- required: false
- show_user: false
- description: >
- Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
-
- template_path: filestream.yml.hbs
- title: Hitachi ID Bravura Monitor
- description: Collect Hitachi ID Security Fabric logs using filestream input
diff --git a/packages/hid_bravura_monitor/1.2.3/data_stream/log/sample_event.json b/packages/hid_bravura_monitor/1.2.3/data_stream/log/sample_event.json
deleted file mode 100755
index a6619fa684..0000000000
--- a/packages/hid_bravura_monitor/1.2.3/data_stream/log/sample_event.json
+++ /dev/null
@@ -1,83 +0,0 @@
-{
- "@timestamp": "2021-01-16T00:35:25.258Z",
- "agent": {
- "ephemeral_id": "00124c53-af5e-4d5f-818c-ff189690109e",
- "hostname": "docker-fleet-agent",
- "id": "9bcd741c-af93-434c-ad55-1ec23d08ab89",
- "name": "docker-fleet-agent",
- "type": "filebeat",
- "version": "7.16.0"
- },
- "data_stream": {
- "dataset": "hid_bravura_monitor.log",
- "namespace": "ep",
- "type": "logs"
- },
- "ecs": {
- "version": "8.3.0"
- },
- "elastic_agent": {
- "id": "9bcd741c-af93-434c-ad55-1ec23d08ab89",
- "snapshot": true,
- "version": "7.16.0"
- },
- "event": {
- "agent_id_status": "verified",
- "dataset": "hid_bravura_monitor.log",
- "ingested": "2021-10-29T18:19:35Z",
- "original": "\u00182021-01-16 00:35:25.258.7085 - [] pamlws.exe [44408,52004] Error: LWS [HID-TEST] foundcomputer record not found",
- "timezone": "UTC"
- },
- "hid_bravura_monitor": {
- "environment": "PRODUCTION",
- "instancename": "default",
- "instancetype": "Privilege-Identity-Password",
- "node": "docker-fleet-agent"
- },
- "host": {
- "architecture": "x86_64",
- "containerized": true,
- "hostname": "docker-fleet-agent",
- "id": "3bfbf225479aac5f850ea38f5d9d8a02",
- "ip": [
- "192.168.192.7"
- ],
- "mac": [
- "02:42:c0:a8:c0:07"
- ],
- "name": "docker-fleet-agent",
- "os": {
- "codename": "Core",
- "family": "redhat",
- "kernel": "5.10.16.3-microsoft-standard-WSL2",
- "name": "CentOS Linux",
- "platform": "centos",
- "type": "linux",
- "version": "7 (Core)"
- }
- },
- "input": {
- "type": "filestream"
- },
- "log": {
- "file": {
- "path": "/tmp/service_logs/hid_bravura_monitor.log"
- },
- "level": "Error",
- "logger": "pamlws.exe",
- "offset": 218
- },
- "message": "LWS [HID-TEST] foundcomputer record not found",
- "process": {
- "pid": 44408,
- "thread": {
- "id": 52004
- }
- },
- "tags": [
- "preserve_original_event"
- ],
- "user": {
- "id": ""
- }
-}
\ No newline at end of file
diff --git a/packages/hid_bravura_monitor/1.2.3/data_stream/winlog/agent/stream/winlog.yml.hbs b/packages/hid_bravura_monitor/1.2.3/data_stream/winlog/agent/stream/winlog.yml.hbs
deleted file mode 100755
index f3f26f16ee..0000000000
--- a/packages/hid_bravura_monitor/1.2.3/data_stream/winlog/agent/stream/winlog.yml.hbs
+++ /dev/null
@@ -1,16 +0,0 @@
-name: Hitachi-Hitachi ID Systems-Hitachi ID Suite/Operational
-condition: ${host.platform} == 'windows'
-{{#if event_id}}
-event_id: {{event_id}}
-{{/if}}
-{{#if processors}}
-processors:
-{{processors}}
-{{/if}}
-tags:
-{{#if preserve_original_event}}
- - preserve_original_event
-{{/if}}
-{{#each tags as |tag i|}}
- - {{tag}}
-{{/each}}
\ No newline at end of file
diff --git a/packages/hid_bravura_monitor/1.2.3/data_stream/winlog/elasticsearch/ingest_pipeline/default.yml b/packages/hid_bravura_monitor/1.2.3/data_stream/winlog/elasticsearch/ingest_pipeline/default.yml
deleted file mode 100755
index a7eb3c92bd..0000000000
--- a/packages/hid_bravura_monitor/1.2.3/data_stream/winlog/elasticsearch/ingest_pipeline/default.yml
+++ /dev/null
@@ -1,399 +0,0 @@ ---- -description: Pipeline for Hitachi ID Suite events -processors: - - set: - field: event.ingested - value: '{{_ingest.timestamp}}' - - - convert: - field: event.code - type: string - ignore_missing: true - - - rename: - field: message - target_field: event.original - ignore_missing: true - - - grok: - field: event.original - patterns: - - >- - %{DATA:winlog.event_data.Message}\|%{GREEDYDATA:kvpairs} - - - kv: - field: kvpairs - field_split: '\|' - value_split: '=' - target_field: winlog.event_data - ignore_missing: false - ignore_failure: false - - - remove: - field: kvpairs - ignore_missing: true - ignore_failure: true - - - split: - field: winlog.event_data.ClientIPs - separator: "," - preserve_trailing: true - ignore_missing: true - - - split: - field: winlog.event_data.FailedTargets - separator: "," - preserve_trailing: true - ignore_missing: true - - - script: - lang: painless - ignore_failure: false - tag: Decode symbolic id table - description: Decode symbolic id table - params: - "1": "AUTH_CHAIN_FAILURE" - "2": "AUTH_CHAIN_SUCCESS" - "3": "USER_LOGIN_LOCKOUT" - "4": "DB_COMMIT_SUSPEND" - "5": "DB_COMMIT_RESUME" - "6": "DB_REPLICATION_CONN_FAILURE" - "7": "DB_REPLICATION_CONN_RESTORED" - "8": "DB_REPLICATION_TRANS_FAILURE" - "9": "DB_QUEUE_INSERT_FAILURE" - "10": "DB_FAILED_PROC_RECORDED" - "11": "PAMSA_ORCHESTRATION_START_FAILURE" - "12": "PAMSA_ORCHESTRATION_END_FAILURE" - "13": "UPDATE_RESOURCE_FAILURE" - "14": "GSET_CHECKIN_FAILURE" - "15": "GSET_CHECKIN_PARTIAL" - "16": "GSET_CHECKIN_SUCCESS" - "17": "GSET_CHECKOUT_SUCCESS" - "18": "GSET_CHECKOUT_FAILURE" - "19": "GSET_CHECKOUT_PARTIAL" - "20": "PWD_CHECKOUT_SUCCESS" - "21": "PWD_CHECKOUT_FAILURE" - "22": "PWD_CHECKIN_SUCCESS" - "23": "PWD_CHECKIN_FAILURE" - "24": "WSTN_VIEW_PASSWORD_SUCCESS" - "25": "WSTN_VIEW_PASSWORD_FAILURE" - "26": "WSTN_VIEW_PASSWORD_HIS_SUCCESS" - "27": "WSTN_VIEW_PASSWORD_HIS_FAILURE" - "28": "ADMIN_ENABLE_ADMIN" - "29": "ADMIN_ENABLE_USER" - "30": 
"ADMIN_DISABLE_ADMIN" - "31": "ADMIN_DISABLE_USER" - "32": "ADMIN_UNLOCK_ADMIN" - "33": "ADMIN_UNLOCK_USER" - "34": "SMON_SESSION_START" - "35": "SMON_SESSION_END" - "36": "SMON_ADMIN_SESS_TERM_REQ" - "37": "PSUPDATE_START" - "38": "PSUPDATE_FINISH" - "39": "IDAPI_LOGIN_SUCCESS" - "40": "IDAPI_LOGIN_FAILURE" - "41": "MAQ_CHECKIN_FAILURE" - "42": "MAQ_CHECKIN_SUCCESS" - "43": "MAQ_CHECKOUT_FAILURE" - "44": "MAQ_CHECKOUT_SUCCESS" - "45": "TARGET_DEPLOYMENT_FAILURE" - "46": "TARGET_DEPLOYMENT_SUCCESS" - "47": "OPERATION_IMPORT_TARGET" - "48": "WSTN_ADD_WSTN_SUCCESS" - "49": "WSTN_ADD_WSTN_FAILURE" - "50": "IDWFM_EVENT_ABORT" - "51": "IDWFM_EVENT_FAILURE" - "52": "USER_QA_ADD_SUCCESS" - "53": "USER_QA_ADD_FAILURE" - "54": "USER_QA_UPDATE_SUCCESS" - "55": "USER_QA_UPDATE_FAILURE" - "56": "USER_QA_DELETE_SUCCESS" - "57": "ADMIN_QA_ADD_SUCCESS" - "58": "ADMIN_QA_ADD_FAILURE" - "59": "ADMIN_QA_UPDATE_SUCCESS" - "60": "ADMIN_QA_UPDATE_FAILURE" - "61": "ADMIN_QA_DELETE_SUCCESS" - "62": "USER_PW_RESET_START" - "63": "USER_PW_RESET_SUCCESS" - "64": "USER_PW_RESET_FAILURE" - "65": "ADMIN_PW_RESET_START" - "66": "ADMIN_PW_RESET_SUCCESS" - "67": "ADMIN_PW_RESET_FAILURE" - "68": "USER_ACCT_UNLOCK_START" - "69": "USER_ACCT_UNLOCK_SUCCESS" - "70": "USER_ACCT_UNLOCK_FAILURE" - "71": "ADMIN_ACCT_UNLOCK_START" - "72": "ADMIN_ACCT_UNLOCK_SUCCESS" - "73": "ADMIN_ACCT_UNLOCK_FAILURE" - "74": "DB_REPLICATION_WATERMARK_WARN" - "75": "USER_ALIAS_ALREADY_CLAIMED" - "76": "ADMIN_ALIAS_ALREADY_CLAIMED" - "77": "CONNECTOR_TIMEOUT" - "78": "FILE_REPLICATION_FAILURE" - "79": "IDPM_GROUP_SUCCESS" - "80": "IDPM_GROUP_FAILURE" - "81": "WF_REQUEST_BATCH_APPROVED" - "82": "WF_REQUEST_BATCH_REJECTED" - "83": "WF_REQUEST_BATCH_CANCELED" - "84": "WF_REQUEST_BATCH_REVOKED" - "85": "WF_REQUEST_BATCH_PROCESSED" - "86": "DID_REGISTER_SUCCESS" - "87": "DID_REGISTER_FAILURE" - "88": "DID_UPDATE_SUCCESS" - "89": "DID_SEND_SUCCESS" - "90": "USER_IDENTIFY_SUCCESS" - "91": "USER_IDENTIFY_FAILURE" - "92": 
"USER_LOGIN_SUCCESS" - "93": "USER_LOGIN_FAILURE" - "94": "FEDIDP_IDENTIFY_SUCCESS" - "95": "FEDIDP_IDENTIFY_FAILURE" - "96": "FEDIDP_AUTH_SUCCESS" - "97": "FEDIDP_AUTH_FAILURE" - "98": "DB_STORED_PROC_FAILURE" - "99": "ADMIN_CRED_FAILURE" - "100": "ADMIN_CRED_SUCCESS" - "101": "FEDIDP_SSO_SESSION_CREATE" - "102": "FEDIDP_SSO_SESSION_DESTROY" - "103": "PAM_CHECKOUT_SUCCESS" - "104": "PAM_CHECKOUT_PARTIAL" - "105": "PAM_CHECKOUT_FAILURE" - "106": "PAM_CHECKIN_SUCCESS" - "107": "PAM_CHECKIN_PARTIAL" - "108": "PAM_CHECKIN_FAILURE" - "109": "PAM_CHECKOUT_EXPIRY" - "110": "PAM_CHECKOUT_LIMIT_REACHED" - "111": "PAM_CHECKOUT_OPERATION_SUCCESS" - "112": "PAM_CHECKOUT_OPERATION_FAILURE" - "113": "PAM_CHECKIN_OPERATION_SUCCESS" - "114": "PAM_CHECKIN_OPERATION_FAILURE" - "115": "FEDSP_SAMLAUTH_ASR_FAILURE" - "116": "FEDSP_SAMLAUTH_ASR_SUCCESS" - "117": "FEDSP_SAMLAUTH_ISSUED" - "118": "DB_REPLICATION_QUEUE_DELAY_PAST_THRESHOLD" - "119": "USER_HDD_RECOVERY_SUCCESS" - "120": "USER_HDD_RECOVERY_FAILURE" - "121": "USER_MOBILE_DEVICE_REGISTRATION" - source: |- - if (ctx?.winlog?.event_id == null) { - return; - } - def t = params.get(ctx.winlog.event_id); - if (t == null) { - return; - } - ctx.winlog.put("symbolic_id", t) - - - script: - lang: painless - ignore_failure: false - tag: Decode description table - description: Decode description table - params: - "1": "User failed to authenticate" - "2": "User successfully authenticated" - "3": "User lockout triggered" - "4": "Database commits suspended, replication queue full" - "5": "Database commits resuming" - "6": "Connectivity to replica database lost" - "7": "Connectivity to replica database restored" - "8": "Failed to replicate database transaction" - "9": "Failed to insert data into database replication queue" - "10": "ed to run stored procedure on replica server" - "11": "Subscriber orchestration failed to start" - "12": "Subscriber orchestration completed with failures" - "13": "Failed to update subscriber password" - "14": 
"Failed to check-in managed group set" - "15": "Failed to fully check-in managed group set, some memberships were not revoked" - "16": "Managed group set successfully checked in" - "17": "Managed group set successfully checked out" - "18": "Failed to check out managed group set" - "19": "Managed group set partially checked out, some memberships were not granted" - "20": "Managed account password successfully checked out" - "21": "Failed to check-out managed account password" - "22": "Managed account password successfully checked in" - "23": "Failed to check-in managed account password" - "24": "Managed account password viewed" - "25": "Failed to view managed account password" - "26": "Historical managed account password viewed" - "27": "Failed to view historical managed account password" - "28": "Administrative profile enabled" - "29": "User profile enabled" - "30": "Administrative profile disabled" - "31": "User profile disabled" - "32": "Administrative profile unlocked" - "33": "User profile unlocked" - "34": "Privileged access session recording started" - "35": "Privileged access session recording ended" - "36": "Privileged access session termination requested by administrator" - "37": "Nightly discovery process started" - "38": "Nightly discovery process finished" - "39": "API login succeeded" - "40": "API login failure" - "41": "Failed to check in system and account query based access" - "42": "Succeeded in checking in system and account query based access" - "43": "Failed to check out system and account query based access" - "44": "Succeeded in checking out system and account query based access" - "45": "Target deployment finished with a failure." - "46": "Successfully finished target deployment." - "47": "Successfully imported a single target." - "48": "Successfully finished target deployment." - "49": "Target deployment finished with a failure." - "50": "Workflow manager aborted event processing." - "51": "Workflow manager failed to process event." 
- "52": "Security question successfully added." - "53": "Failed to add security question." - "54": "Security question successfully updated." - "55": "Failed to update security question." - "56": "Security question successfully deleted." - "57": "Security question successfully added." - "58": "Failed to add security question." - "59": "Security question successfully updated." - "60": "Failed to update security question." - "61": "Security question successfully deleted." - "62": "Self-service password reset started." - "63": "Self-service password reset successful." - "64": "Self-service password reset failed." - "65": "Help-desk assisted password reset started." - "66": "Help-desk assisted password reset successful." - "67": "Help-desk assisted password reset failed." - "68": "Self-service account unlock started." - "69": "Self-service account unlock successful." - "70": "Self-service account unlock failed." - "71": "Help-desk assisted account unlock started." - "72": "Help-desk assisted account unlock successful." - "73": "Help-desk assisted password reset failed." - "74": "Database replication watermark hit." - "75": "User attempted to claim alias that is already claimed." - "76": "Admin attempted to assign alias that is already claimed." - "77": "Connector timed out while performing operation." - "78": "Error occured during file replication to remote nodes." - "79": "All passwords successfully synchronized." - "80": "One or more passwords failed to be synchronized." - "81": "Workflow request has been approved." - "82": "Workflow request has been rejected." - "83": "Workflow request has been canceled." - "84": "Workflow request has been revoked." - "85": "Workflow request has been processed." - "86": "Successfully registered Digital ID." - "87": "Failed to register Digital ID." - "88": "Successfully updated Digital ID." - "89": "Digital ID successfully downloaded." - "90": "User successfully identified" - "91": "Failed to identify user." 
- "92": "User successfully logged in." - "93": "User failed to log in." - "94": "Federated authn request successfully parsed." - "95": "Federated authn request failed to be parsed." - "96": "Federated assertion successfully generated." - "97": "Federated assertion failed to be generated." - "98": "Failed to execute stored procedure." - "99": "Target creation failure: Could not establish credentials." - "100": "Target creation successful: Credentials set successfully." - "101": "New federated SSO session created." - "102": "Federated SSO session terminated." - "103": "Generic access check-out successful." - "104": "Generic access check-out partially successful." - "105": "Generic access check-out failed." - "106": "Generic access check-in successful." - "107": "Generic access check-in partially successful." - "108": "Generic access check-in failed." - "109": "Generic access check-out expired." - "110": "Generic access check-out cannot be performed because it would exceed the check-out limit of one of its targets." - "111": "An operation run as part of a generic access check-out succeeded." - "112": "An operation run as part of a generic access check-out failed." - "113": "An operation run as part of a generic access check-in succeeded." - "114": "An operation run as part of a generic access check-in failed." - "115": "Failed to validate a SAML assertion." - "116": "Successfully validated a SAML assertion." - "117": "Issued SAML AuthNRequest." - "118": "Database replication queue delay exceeded configured threshold." - "119": "Self-service encrypted drive recovery successful." - "120": "Self-service encrypted drive recovery failure." - "121": "Self-service mobile device registration." 
- source: |- - if (ctx?.winlog?.event_id == null) { - return; - } - def t = params.get(ctx.winlog.event_id); - if (t == null) { - return; - } - if (ctx?.winlog?.event_data == null ) { - Map map = new HashMap(); - ctx.winlog.put("event_data", map); - } - ctx.winlog.event_data.put("Description", t) - - - convert: - field: winlog.record_id - type: string - ignore_missing: true - - - convert: - field: winlog.event_id - type: string - ignore_missing: true - - - convert: - field: winlog.event_data.DelayThreshold - type: long - ignore_missing: true - - - convert: - field: winlog.event_data.QueueDelay - type: long - ignore_missing: true - - - convert: - field: winlog.event_data.QueueSize - type: long - ignore_missing: true - - - convert: - field: winlog.event_data.Runtime - type: long - ignore_missing: true - - - set: - field: ecs.version - value: '8.4.0' - - - set: - field: log.level - copy_from: winlog.level - ignore_empty_value: true - ignore_failure: true - if: ctx?.winlog?.level != "" - - - date: - field: winlog.time_created - formats: - - ISO8601 - ignore_failure: true - if: ctx?.winlog?.time_created != null - - - remove: - field: event.original - if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" - ignore_failure: true - ignore_missing: true - - - remove: - field: [ - "winlog.event_data.Value1", - "winlog.event_data.Value2", - "winlog.event_data.Value3", - "winlog.event_data.Value4", - "winlog.event_data.Value5", - "winlog.event_data.Value6", - "winlog.event_data.Value7", - "winlog.event_data.Value8", - "winlog.event_data.Value9" - ] - ignore_missing: true - -on_failure: - - set: - field: error.message - value: |- - Processor "{{ _ingest.on_failure_processor_type }}" with tag "{{ _ingest.on_failure_processor_tag }}" in pipeline "{{ _ingest.on_failure_pipeline }}" failed with message "{{ _ingest.on_failure_message }}" 
diff --git a/packages/hid_bravura_monitor/1.2.3/data_stream/winlog/fields/agent.yml b/packages/hid_bravura_monitor/1.2.3/data_stream/winlog/fields/agent.yml
deleted file mode 100755
index da4e652c53..0000000000
--- a/packages/hid_bravura_monitor/1.2.3/data_stream/winlog/fields/agent.yml
+++ /dev/null
@@ -1,198 +0,0 @@
-- name: cloud
- title: Cloud
- group: 2
- description: Fields related to the cloud or infrastructure the events are coming from.
- footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.'
- type: group
- fields:
- - name: account.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment.
-
- Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.'
- example: 666777888999
- - name: availability_zone
- level: extended
- type: keyword
- ignore_above: 1024
- description: Availability zone in which this host is running.
- example: us-east-1c
- - name: instance.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance ID of the host machine.
- example: i-1234567890abcdef0
- - name: instance.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance name of the host machine.
- - name: machine.type
- level: extended
- type: keyword
- ignore_above: 1024
- description: Machine type of the host machine.
- example: t2.medium
- - name: provider
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
- example: aws
- - name: region
- level: extended
- type: keyword
- ignore_above: 1024
- description: Region in which this host is running.
- example: us-east-1
- - name: project.id
- type: keyword
- description: Name of the project in Google Cloud.
- - name: image.id
- type: keyword
- description: Image ID for the cloud instance.
-- name: container
- title: Container
- group: 2
- description: 'Container fields are used for meta information about the specific container that is the source of information.
-
- These fields help correlate data based containers from any runtime.'
- type: group
- fields:
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: Unique container id.
- - name: image.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the image the container was built on.
- - name: labels
- level: extended
- type: object
- object_type: keyword
- description: Image labels.
- - name: name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Container name.
-- name: host
- title: Host
- group: 2
- description: 'A host is defined as a general computing instance.
-
- ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.'
- type: group
- fields:
- - name: architecture
- level: core
- type: keyword
- ignore_above: 1024
- description: Operating system architecture.
- example: x86_64
- - name: domain
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'Name of the domain of which the host is a member.
-
- For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.'
- example: CONTOSO
- default_field: false
- - name: hostname
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Hostname of the host.
-
- It normally contains what the `hostname` command returns on the host machine.'
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Unique host id.
-
- As hostname is not always unique, use values that are meaningful in your environment.
-
- Example: The current usage of `beat.name`.'
- - name: ip
- level: core
- type: ip
- description: Host ip addresses.
- - name: mac
- level: core
- type: keyword
- ignore_above: 1024
- description: Host mac addresses.
- - name: name
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Name of the host.
-
- It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.'
- - name: os.family
- level: extended
- type: keyword
- ignore_above: 1024
- description: OS family (such as redhat, debian, freebsd, windows).
- example: debian
- - name: os.kernel
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system kernel version as a raw string.
- example: 4.4.0-112-generic
- - name: os.name
- level: extended
- type: keyword
- ignore_above: 1024
- multi_fields:
- - name: text
- type: text
- norms: false
- default_field: false
- description: Operating system name, without the version.
- example: Mac OS X
- - name: os.platform
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system platform (such centos, ubuntu, windows).
- example: darwin
- - name: os.version
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system version as a raw string.
- example: 10.14.1
- - name: type
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Type of host.
-
- For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.'
- - name: containerized
- type: boolean
- description: >
- If the host is a container.
-
- - name: os.build
- type: keyword
- example: "18D109"
- description: >
- OS build information.
-
- - name: os.codename
- type: keyword
- example: "stretch"
- description: >
- OS codename, if any.
-
diff --git a/packages/hid_bravura_monitor/1.2.3/data_stream/winlog/fields/base-fields.yml b/packages/hid_bravura_monitor/1.2.3/data_stream/winlog/fields/base-fields.yml
deleted file mode 100755
index ecf4acb535..0000000000
--- a/packages/hid_bravura_monitor/1.2.3/data_stream/winlog/fields/base-fields.yml
+++ /dev/null
@@ -1,26 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
- value: logs
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset name.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: '@timestamp'
- type: date
- description: Event timestamp.
-- name: event.module
- type: constant_keyword
- description: Event module
- value: hid_bravura_monitor
-- name: event.dataset
- type: constant_keyword
- description: Event dataset.
- value: hid_bravura_monitor.winlog
-- name: tags
- description: List of keywords used to tag each event.
- example: '["production", "env2"]'
- ignore_above: 1024
- type: keyword
diff --git a/packages/hid_bravura_monitor/1.2.3/data_stream/winlog/fields/beats.yml b/packages/hid_bravura_monitor/1.2.3/data_stream/winlog/fields/beats.yml
deleted file mode 100755
index 3c48f1f224..0000000000
--- a/packages/hid_bravura_monitor/1.2.3/data_stream/winlog/fields/beats.yml
+++ /dev/null
@@ -1,3 +0,0 @@
-- name: input.type
- type: keyword
- description: Type of Filebeat input.
diff --git a/packages/hid_bravura_monitor/1.2.3/data_stream/winlog/fields/ecs.yml b/packages/hid_bravura_monitor/1.2.3/data_stream/winlog/fields/ecs.yml
deleted file mode 100755
index b54851cd6c..0000000000
--- a/packages/hid_bravura_monitor/1.2.3/data_stream/winlog/fields/ecs.yml
+++ /dev/null
@@ -1,239 +0,0 @@
-- description: |-
- ECS version this event conforms to. `ecs.version` is a required field and must exist in all events.
- When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events.
- name: ecs.version
- type: keyword
-- description: |-
- The action captured by the event.
- This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer.
- name: event.action
- type: keyword
-- description: |-
- This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy.
- `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory.
- This field is an array. This will allow proper categorization of some events that fall in multiple categories.
- name: event.category
- normalize:
- - array
- type: keyword
-- description: |-
- Identification code for this event, if one exists.
- Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID.
- name: event.code
- type: keyword
-- description: |-
- event.created contains the date/time when the event was first read by an agent, or by your pipeline.
- This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event.
- In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it.
This can be used to monitor your agent's or pipeline's ability to keep up with your event source.
- In case the two timestamps are identical, @timestamp should be used.
- name: event.created
- type: date
-- description: |-
- Timestamp when an event arrived in the central data store.
- This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event.
- In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`.
- name: event.ingested
- type: date
-- description: |-
- This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy.
- `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events.
- The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not.
- name: event.kind
- type: keyword
-- description: |-
- Name of the module this data is coming from.
- If your monitoring agent supports the concept of modules or plugins to process events of a given source (e.g. Apache logs), `event.module` should contain the name of this module.
- name: event.module
- type: keyword
-- description: |-
- This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy.
- `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event.
- Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective.
- Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer.
- Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense.
- name: event.outcome
- type: keyword
-- description: |-
- Source of the event.
- Event transports such as Syslog or the Windows Event Log typically mention the source of an event. It can be the name of the software that generated the event (e.g. Sysmon, httpd), or of a subsystem of the operating system (kernel, Microsoft-Windows-Security-Auditing).
- name: event.provider
- type: keyword
-- description: |-
- Sequence number of the event.
- The sequence number is a value published by some event sources, to make the exact ordering of events unambiguous, regardless of the timestamp precision.
- name: event.sequence
- type: long
-- description: |-
- This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy.
- `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization.
- This field is an array. This will allow proper categorization of some events that fall in multiple event types.
- name: event.type
- normalize:
- - array
- type: keyword
-- description: |-
- Name of the directory the group is a member of.
- For example, an LDAP or Active Directory domain name.
- name: group.domain
- type: keyword
-- description: Unique identifier for the group on the system/platform.
- name: group.id
- type: keyword
-- description: Name of the group.
- name: group.name
- type: keyword
-- description: |-
- Name of the host.
- It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.
- name: host.name
- type: keyword
-- description: |-
- Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate.
- If the event wasn't read from a log file, do not populate this field.
- name: log.file.path
- type: keyword
-- description: |-
- Original log level of the log event.
- If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity).
- Some examples are `warn`, `err`, `i`, `informational`.
- name: log.level
- type: keyword
-- description: |-
- Array of process arguments, starting with the absolute path to the executable.
- May be filtered to protect sensitive information.
- name: process.args
- normalize:
- - array
- type: keyword
-- description: |-
- Length of the process.args array.
- This field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. More arguments may be an indication of suspicious activity.
- name: process.args_count
- type: long
-- description: |-
- Full command line that started the process, including the absolute path to the executable, and all arguments.
- Some arguments may be filtered to protect sensitive information.
- multi_fields:
- - name: text
- type: match_only_text
- name: process.command_line
- type: wildcard
-- description: |-
- Unique identifier for the process.
- The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process.
- Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts.
- name: process.entity_id
- type: keyword
-- description: Absolute path to the process executable.
- multi_fields:
- - name: text
- type: match_only_text
- name: process.executable
- type: keyword
-- description: |-
- Process name.
- Sometimes called program name or similar.
- multi_fields:
- - name: text
- type: match_only_text
- name: process.name
- type: keyword
-- description: Absolute path to the process executable.
- multi_fields:
- - name: text
- type: match_only_text
- name: process.parent.executable
- type: keyword
-- description: |-
- Process name.
- Sometimes called program name or similar.
- multi_fields:
- - name: text
- type: match_only_text
- name: process.parent.name
- type: keyword
-- description: Process id.
- name: process.pid
- type: long
-- description: |-
- Process title.
- The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened.
- multi_fields:
- - name: text
- type: match_only_text
- name: process.title
- type: keyword
-- description: All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search).
- name: related.hash
- normalize:
- - array
- type: keyword
-- description: All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases.
- name: related.hosts
- normalize:
- - array
- type: keyword
-- description: All of the IPs seen on your event.
- name: related.ip
- normalize:
- - array
- type: ip
-- description: All the user names or other user identifiers seen on the event.
- name: related.user
- normalize:
- - array
- type: keyword
-- description: |-
- Name of the service data is collected from.
- The name of the service is normally user given. This allows for distributed services that run on multiple hosts to correlate the related instances based on the name.
- In the case of Elasticsearch the `service.name` could contain the cluster name. For Beats the `service.name` is by default a copy of the `service.type` field if no name is specified.
- name: service.name
- type: keyword
-- description: |-
- The type of the service data is collected from.
- The type can be used to group and correlate logs and metrics from one service type.
- Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`.
- name: service.type
- type: keyword
-- description: |-
- The domain name of the source system.
- This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment.
- name: source.domain
- type: keyword
-- description: IP address of the source (IPv4 or IPv6).
- name: source.ip
- type: ip
-- description: Port of the source.
- name: source.port
- type: long
-- description: |-
- Name of the directory the user is a member of.
- For example, an LDAP or Active Directory domain name.
- name: user.domain
- type: keyword
-- description: Unique identifier of the user.
- name: user.id
- type: keyword
-- description: Short name or login of the user.
- multi_fields:
- - name: text
- type: match_only_text
- name: user.name
- type: keyword
-- description: |-
- Name of the directory the group is a member of.
- For example, an LDAP or Active Directory domain name.
- name: user.target.group.domain
- type: keyword
-- description: Unique identifier for the group on the system/platform.
- name: user.target.group.id
- type: keyword
-- description: Name of the group.
- name: user.target.group.name
- type: keyword
-- description: Short name or login of the user.
- multi_fields:
- - name: text
- type: match_only_text
- name: user.target.name
- type: keyword
diff --git a/packages/hid_bravura_monitor/1.2.3/data_stream/winlog/fields/fields.yml b/packages/hid_bravura_monitor/1.2.3/data_stream/winlog/fields/fields.yml
deleted file mode 100755
index c2676bab52..0000000000
--- a/packages/hid_bravura_monitor/1.2.3/data_stream/winlog/fields/fields.yml
+++ /dev/null
@@ -1,6 +0,0 @@
-- name: winlog.symbolic_id
- type: keyword
- description: Symbolic event id
-- name: message
- type: keyword
- description: initial raw message
diff --git a/packages/hid_bravura_monitor/1.2.3/data_stream/winlog/fields/winlog.yml b/packages/hid_bravura_monitor/1.2.3/data_stream/winlog/fields/winlog.yml
deleted file mode 100755
index 9d6d57c747..0000000000
--- a/packages/hid_bravura_monitor/1.2.3/data_stream/winlog/fields/winlog.yml
+++ /dev/null
@@ -1,344 +0,0 @@
-- name: winlog
- type: group
- description: >
- All fields specific to the Windows Event Log are defined here.
-
- fields:
- - name: api
- required: true
- type: keyword
- description: >
- The event log API type used to read the record. The possible values are "wineventlog" for the Windows Event Log API or "eventlogging" for the Event Logging API.
-
- The Event Logging API was designed for Windows Server 2003 or Windows 2000 operating systems. In Windows Vista, the event logging infrastructure was redesigned. On Windows Vista or later operating systems, the Windows Event Log API is used. Winlogbeat automatically detects which API to use for reading event logs.
-
- - name: activity_id
- type: keyword
- required: false
- description: >
- A globally unique identifier that identifies the current activity. The events that are published with this identifier are part of the same activity.
-
- - name: channel
- type: keyword
- required: true
- description: >
- The name of the channel from which this record was read. This value is one of the names from the `event_logs` collection in the configuration.
-
- - name: computer_name
- type: keyword
- required: true
- description: >
- The name of the computer that generated the record. When using Windows event forwarding, this name can differ from `agent.hostname`.
-
- - name: computerObject
- type: group
- description: >
- computer Object data
-
- fields:
- - name: domain
- type: keyword
- - name: id
- type: keyword
- - name: name
- type: keyword
- - name: event_data
- type: object
- object_type: keyword
- required: false
- description: >
- The event-specific data. This field is mutually exclusive with `user_data`. If you are capturing event data on versions prior to Windows Vista, the parameters in `event_data` are named `param1`, `param2`, and so on, because event log parameters are unnamed in earlier versions of Windows.
-
- - name: event_data
- type: group
- description: >
- This is a non-exhaustive list of parameters that are used in Windows events. By having these fields defined in the template they can be used in dashboards and machine-learning jobs.
-
- fields:
- - name: Account
- type: keyword
- description: An object on a target system that establishes a user’s identity on that target system.
- - name: Action
- type: keyword
- - name: ActionId
- type: keyword
- - name: Arguments
- type: keyword
- - name: AuthChain
- type: keyword
- description: Authentication chains offer a flexible authentication infrastructure, allowing you to customize the end-user authentication experience. An authentication chain contains authentication methods offered by available authentication modules.
- - name: AuthUser
- type: keyword
- description: Authentication user.
- - name: BatchSig
- type: keyword
- description: Request batch ID.
- - name: Binding
- type: keyword
- - name: CanceledBy
- type: keyword
- description: The user who canceled the request.
- - name: ChangedBy
- type: keyword
- description: The user who made the change.
- - name: Checkout
- type: keyword
- - name: ClientIPs
- type: ip
- - name: DelayThreshold
- type: long
- - name: Description
- type: keyword
- - name: EffectiveUser
- type: keyword
- - name: ErrorCode
- type: keyword
- - name: Event
- type: keyword
- - name: EventID
- type: keyword
- - name: FailedTargets
- type: keyword
- - name: GroupSet
- type: keyword
- - name: Hostname
- type: keyword
- - name: Identity
- type: keyword
- description: Identify users.
- - name: Initiator
- type: keyword
- - name: Instance
- type: keyword
- - name: Issuer
- type: keyword
- - name: Language
- type: keyword
- description: Language used.
- - name: LoginURL
- type: keyword
- description: User login URL.
- - name: LogonDomain
- type: keyword
- - name: LogonSystem
- type: keyword
- - name: LogonUser
- type: keyword
- - name: MAQ
- type: keyword
- description: Account set access.
- - name: Message
- type: keyword
- - name: MessageType
- type: keyword
- - name: Method
- type: keyword
- - name: Module
- type: keyword
- - name: Node
- type: keyword
- - name: Operation
- type: keyword
- - name: Orchestration
- type: keyword
- description: Subscriber orchestration.
- - name: OSLogin
- type: keyword
- - name: OTPLogin
- type: keyword
- description: API login.
- - name: Owner
- type: keyword
- - name: Platform
- type: keyword
- - name: Policy
- type: keyword
- - name: Port
- type: keyword
- - name: Procedure
- type: keyword
- - name: Profile
- type: keyword
- - name: QSetID
- type: keyword
- description: Question set ID.
- - name: QSetType
- type: keyword
- description: Question set type.
- - name: QueueDelay
- type: long
- description: Database replication queue delay.
- - name: QueueSize
- type: long
- description: Database replication queue size.
- - name: QueueType
- type: keyword
- description: Database replication queue type.
- - name: Reason
- type: keyword
- - name: Recipient
- type: keyword
- description: Recipient of the request.
- - name: Replica
- type: keyword
- description: Replica database or server.
- - name: Requester
- type: keyword
- - name: RequestID
- type: keyword
- - name: Result
- type: keyword
- - name: RevokedBy
- type: keyword
- description: Workflow request has been revoked by.
- - name: Runtime
- type: long
- - name: SessionID
- type: keyword
- - name: Skin
- type: keyword
- description: Skin for Bravura Security Fabric instance.
- - name: Source
- type: keyword
- - name: SPFolder
- type: keyword
- description: Service provider folder.
- - name: StoredProc
- type: keyword
- description: Stored procedure.
- - name: System
- type: keyword
- - name: Target
- type: keyword
- - name: TargetName
- type: keyword
- - name: TermintedBy
- type: keyword
- description: Request terminated by.
- - name: Type
- type: keyword
- - name: URI
- type: keyword
- description: The HTTP(S) address of the SOAP API of the Bravura Security Fabric server.
- - name: WaterMark
- type: keyword
- description: Database replication watermark.
- - name: Workstation
- type: keyword
- - name: event_id
- type: keyword
- required: true
- description: >
- The event identifier. The value is specific to the source of the event.
-
- - name: keywords
- type: keyword
- required: false
- description: >
- The keywords are used to classify an event.
-
- - name: level
- type: keyword
- required: false
- description: >
- The event severity. Levels are Critical, Error, Warning and Information, Verbose
-
- - name: outcome
- type: keyword
- required: false
- description: >
- Success or Failure of the event.
-
- - name: record_id
- type: keyword
- required: true
- description: >
- The record ID of the event log record. The first record written to an event log is record number 1, and other records are numbered sequentially. If the record number reaches the maximum value (2^32^ for the Event Logging API and 2^64^ for the Windows Event Log API), the next record number will be 0.
-
- - name: related_activity_id
- type: keyword
- required: false
- description: >
- A globally unique identifier that identifies the activity to which control was transferred to. The related events would then have this identifier as their `activity_id` identifier.
-
- - name: opcode
- type: keyword
- required: false
- description: >
- The opcode defined in the event. Task and opcode are typically used to identify the location in the application from where the event was logged.
-
- - name: provider_guid
- type: keyword
- required: false
- description: >
- A globally unique identifier that identifies the provider that logged the event.
-
- - name: process.pid
- type: long
- required: false
- description: >
- The process_id of the Client Server Runtime Process.
-
- - name: provider_name
- type: keyword
- required: true
- description: >
- The source of the event log record (the application or service that logged the record).
-
- - name: task
- type: keyword
- required: false
- description: >
- The task defined in the event. Task and opcode are typically used to identify the location in the application from where the event was logged. The category used by the Event Logging API (on pre Windows Vista operating systems) is written to this field.
-
- - name: time_created
- type: keyword
- required: false
- description: >
- Time event was created
-
- - name: trustAttribute
- type: keyword
- required: false
- - name: trustDirection
- type: keyword
- required: false
- - name: trustType
- type: keyword
- required: false
- - name: process.thread.id
- type: long
- required: false
- - name: user_data
- type: object
- object_type: keyword
- required: false
- description: >
- The event specific data. This field is mutually exclusive with `event_data`.
-
- - name: user.identifier
- type: keyword
- description: >
- Identifier of the user associated with this event.
-
- - name: user.name
- type: keyword
- description: >
- Name of the user associated with this event.
-
- - name: user.domain
- type: keyword
- required: false
- description: >
- The domain that the account associated with this event is a member of.
-
- - name: user.type
- type: keyword
- required: false
- description: >
- The type of account associated with this event.
-
- - name: version
- type: long
- required: false
- description: The version number of the event's definition.
diff --git a/packages/hid_bravura_monitor/1.2.3/data_stream/winlog/manifest.yml b/packages/hid_bravura_monitor/1.2.3/data_stream/winlog/manifest.yml
deleted file mode 100755
index 9600e70d24..0000000000
--- a/packages/hid_bravura_monitor/1.2.3/data_stream/winlog/manifest.yml
+++ /dev/null
@@ -1,37 +0,0 @@
-type: logs
-title: Hitachi ID Security Fabric logs
-streams:
- - input: winlog
- template_path: winlog.yml.hbs
- title: Hitachi ID Operational
- description: 'Collect Hitachi-Hitachi ID Systems-Hitachi ID Suite/Operational channel logs'
- vars:
- - name: event_id
- type: text
- title: Event ID
- multi: false
- required: false
- show_user: false
- description: >-
- A list of included and excluded (blocked) event IDs. The value is a comma-separated list. The accepted values are single event IDs to include (e.g. 4624), a range of event IDs to include (e.g. 4700-4800), and single event IDs to exclude (e.g. -4735). Limit 22 IDs.
- - name: preserve_original_event
- required: true
- show_user: true
- title: Preserve original event
- description: Preserves a raw copy of the original event, added to the field `event.original`
- type: bool
- multi: false
- default: false
- - name: processors
- type: yaml
- title: Processors
- multi: false
- required: false
- show_user: false
- description: >-
- Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
- - name: tags
- type: text
- title: Tags
- multi: true
- show_user: false
diff --git a/packages/hid_bravura_monitor/1.2.3/data_stream/winlog/sample_event.json b/packages/hid_bravura_monitor/1.2.3/data_stream/winlog/sample_event.json
deleted file mode 100755
index 0fdff9a525..0000000000
--- a/packages/hid_bravura_monitor/1.2.3/data_stream/winlog/sample_event.json
+++ /dev/null
@@ -1,90 +0,0 @@
-{
- "@timestamp": "2021-10-29T14:05:50.739Z",
- "cloud": {
- "provider": "aws",
- "instance": {
- "id": "i-043997b05c5fa45ee"
- },
- "machine": {
- "type": "t3a.xlarge"
- },
- "region": "us-east-1",
- "availability_zone": "us-east-1a",
- "account": {
- "id": "753231555564"
- },
- "image": {
- "id": "ami-0e6ddc753bf04d004"
- }
- },
- "log": {
- "level": "information"
- },
- "message": "User successfully logged in.|Profile=JOHND|Language=|Skin=",
- "winlog": {
- "record_id": 1548167,
- "api": "wineventlog",
- "opcode": "Info",
- "provider_guid": "{5a744344-18a9-480d-8a3a-0560ac58b841}",
- "channel": "Hitachi-Hitachi ID Systems-Hitachi ID Suite/Operational",
- "activity_id": "{4ffdfadd-63f2-41b2-9a4f-13534a729c54}",
- "user": {
- "identifier": "S-1-5-21-1512184445-966971527-3399726218-1035",
- "name": "psadmin",
- "domain": "DOMAIN1",
- "type": "User"
- },
- "event_data": {
- "Module": "psf.exe",
- "Profile": "JOHND",
- "Instance": "pmim"
- },
- "event_id": 92,
- "computer_name": "hitachi1.corp",
- "provider_name": "Hitachi-Hitachi ID Systems-Hitachi ID Suite",
- "task": "",
- "process": {
- "pid": 6368,
- "thread": {
- "id": 9064
- }
- }
- },
- "event": {
- "kind": "event",
- "code": 92,
- "provider": "Hitachi-Hitachi ID Systems-Hitachi ID Suite",
- "created": "2021-10-29T14:05:52.111Z"
- },
- "host": {
- "name": "hitachi1.corp",
- "architecture": "x86_64",
- "os": {
- "family": "windows",
- "name": "Windows Server 2019 Datacenter",
- "kernel": "10.0.17763.1999 (WinBuild.160101.0800)",
- "build": "17763.1999",
- "platform": "windows",
- "version": "10.0"
- },
- "id": "a9d2b7f5-6d62-46b3-8fbe-35a7e83d1dc8",
- "ip": [
- "0.0.0.0"
- ],
- "mac": [
- "0a:a5:af:ad:d3:ab"
- ],
- "hostname": "node1"
- },
- "agent": {
- "version": "8.0.0",
- "hostname": "node1",
- "ephemeral_id": "d061bfcf-e51b-4586-9ace-3d5b15f86e37",
- "id": "aa12ad42-61bc-466c-8887-1a15d4646fc7",
- "name": "node1",
- "type": "filebeat"
- },
- "ecs": {
- "version": "8.3.0"
- }
-}
\ No
newline at end of file
diff --git a/packages/hid_bravura_monitor/1.2.3/docs/README.md b/packages/hid_bravura_monitor/1.2.3/docs/README.md
deleted file mode 100755
index 48383fa128..0000000000
--- a/packages/hid_bravura_monitor/1.2.3/docs/README.md
+++ /dev/null
@@ -1,728 +0,0 @@
-# Hitachi ID Bravura Monitor Integration
-
-The Hitachi ID Bravura Monitor integration fetches and parses logs from a [Bravura Security Fabric](https://docs.hitachi-id.net/#/index/10/11) instance.
-
-When you run the integration, it performs the following tasks automatically:
-
-* Sets the default paths to the log files (you can override the
-defaults)
-
-* Makes sure each multiline log event gets sent as a single event
-
-* Uses ingest pipelines to parse and process the log lines, shaping the data into a structure suitable
-for visualizing in Kibana
-
-* Deploys dashboards for visualizing the log data
-
-## Compatibility
-
-The Hitachi ID Bravura Monitor integration was tested with logs from `Bravura Security Fabric 12.3.0` running on Windows Server 2016.
-
-The integration was also tested with Bravura Security Fabric/IDM Suite 11.x, 12.x series.
-
-This integration is not available for Linux or Mac.
-
-The integration is by default configured to read logs files stored in the `default` instance log directory.
-However it can be configured for any file path. See the following example.
-
-```yaml
-- id: b5e895ed-0726-4fa3-870c-464379d1c27b
- name: hid_bravura_monitor-1
- revision: 1
- type: filestream
- use_output: default
- meta:
- package:
- name: hid_bravura_monitor
- version: 1.0.0
- data_stream:
- namespace: default
- streams:
- - id: >-
- filestream-hid_bravura_monitor.log-b5e895ed-0726-4fa3-870c-464379d1c27b
- data_stream:
- dataset: hid_bravura_monitor.log
- type: logs
- paths:
- - 'C:/Program Files/Hitachi ID/IDM Suite/Logs/default*/idmsuite*.log'
- prospector.scanner.exclude_files:
- - .gz$
- line_terminator: carriage_return_line_feed
- tags: null
- processors:
- - add_fields:
- target: ''
- fields:
- hid_bravura_monitor.instancename: default
- hid_bravura_monitor.node: 0.0.0.0
- hid_bravura_monitor.environment: PRODUCTION
- hid_bravura_monitor.instancetype: Privilege-Identity-Password
- event.timezone: UTC
- parsers:
- - multiline:
- type: pattern
- pattern: '^[[:cntrl:]]'
- negate: true
- match: after
-```
-
-*`hid_bravura_monitor.instancename`*
-
-The name of the Bravura Security Fabric instance. The default is `default`. For example:
-
-```yaml
-processors:
- - add_fields:
- target: ''
- fields:
- hid_bravura_monitor.instancename: default
- ...
-```
-
-*`hid_bravura_monitor.node`*
-
-The address of the instance node. If the default `0.0.0.0` is left, the value is filled with `host.name`. For example:
-
-```yaml
-processors:
- - add_fields:
- target: ''
- fields:
- hid_bravura_monitor.node: 127.0.0.1
- ...
-```
-
-*`event.timezone`*
-
-The timezone for the given instance server. The default is `UTC`. For example:
-
-```yaml
-processors:
- - add_fields:
- target: ''
- fields:
- event.timezone: Canada/Mountain
- ...
-```
-
-*`hid_bravura_monitor.environment`*
-
-The environment of the Bravura Security Fabric instance; choices are DEVELOPMENT, TESTING, PRODUCTION. The default is `PRODUCTION`. For example:
-
-```yaml
-processors:
- - add_fields:
- target: ''
- fields:
- hid_bravura_monitor.environment: DEVELOPMENT
- ...
-```
-
-*`hid_bravura_monitor.instancetype`*
-
-The type of Bravura Security Fabric instance installed; choices are any combinations of Privilege, Identity or Password. The default is `Privilege-Identity-Password`. For example:
-
-```yaml
-processors:
- - add_fields:
- target: ''
- fields:
- hid_bravura_monitor.instancetype: Identity
- ...
-```
-
-*`paths`*
-
-An array of glob-based paths that specify where to look for the log files. All
-patterns supported by [Go Glob](https://golang.org/pkg/path/filepath/#Glob)
-are also supported here.
-
-For example, you can use wildcards to fetch all files
-from a predefined level of subdirectories: `/path/to/log/*/*.log`. This
-fetches all `.log` files from the subfolders of `/path/to/log`. It does not
-fetch log files from the `/path/to/log` folder itself. If this setting is left
-empty, the integration will choose log paths based on your operating system.
-
-## Logs
-
-### log
-
-The `log` dataset collects the Hitachi ID Bravura Security Fabric application logs.
-
-An example event for `log` looks as following:
-
-```json
-{
- "@timestamp": "2021-01-16T00:35:25.258Z",
- "agent": {
- "ephemeral_id": "00124c53-af5e-4d5f-818c-ff189690109e",
- "hostname": "docker-fleet-agent",
- "id": "9bcd741c-af93-434c-ad55-1ec23d08ab89",
- "name": "docker-fleet-agent",
- "type": "filebeat",
- "version": "7.16.0"
- },
- "data_stream": {
- "dataset": "hid_bravura_monitor.log",
- "namespace": "ep",
- "type": "logs"
- },
- "ecs": {
- "version": "8.3.0"
- },
- "elastic_agent": {
- "id": "9bcd741c-af93-434c-ad55-1ec23d08ab89",
- "snapshot": true,
- "version": "7.16.0"
- },
- "event": {
- "agent_id_status": "verified",
- "dataset": "hid_bravura_monitor.log",
- "ingested": "2021-10-29T18:19:35Z",
- "original": "\u00182021-01-16 00:35:25.258.7085 - [] pamlws.exe [44408,52004] Error: LWS [HID-TEST] foundcomputer record not found",
- "timezone": "UTC"
- },
- "hid_bravura_monitor": {
- "environment": "PRODUCTION",
- "instancename": "default",
- "instancetype": "Privilege-Identity-Password",
- "node": "docker-fleet-agent"
- },
- "host": {
- "architecture": "x86_64",
- "containerized": true,
- "hostname": "docker-fleet-agent",
- "id": "3bfbf225479aac5f850ea38f5d9d8a02",
- "ip": [
- "192.168.192.7"
- ],
- "mac": [
- "02:42:c0:a8:c0:07"
- ],
- "name": "docker-fleet-agent",
- "os": {
- "codename": "Core",
- "family": "redhat",
- "kernel": "5.10.16.3-microsoft-standard-WSL2",
- "name": "CentOS Linux",
- "platform": "centos",
- "type": "linux",
- "version": "7 (Core)"
- }
- },
- "input": {
- "type": "filestream"
- },
- "log": {
- "file": {
- "path": "/tmp/service_logs/hid_bravura_monitor.log"
- },
- "level": "Error",
- "logger": "pamlws.exe",
- "offset": 218
- },
- "message": "LWS [HID-TEST] foundcomputer record not found",
- "process": {
- "pid": 44408,
- "thread": {
- "id": 52004
- }
- },
- "tags": [
- "preserve_original_event"
- ],
- "user": {
- "id": ""
- }
-}
-```
-
-**Exported fields**
-
-| Field | Description | Type |
-|---|---|---|
-| @timestamp |
Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. | date | -| client.address | Some event client addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| client.domain | The domain name of the client system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | -| client.ip | IP address of the client (IPv4 or IPv6). | ip | -| client.port | Port of the client. | long | -| client.user.name | Short name or login of the user. | keyword | -| client.user.name.text | Multi-field of `client.user.name`. | match_only_text | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. 
| keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| destination.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| destination.as.organization.name | Organization name. | keyword | -| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. | match_only_text | -| destination.bytes | Bytes sent from the destination to the source. | long | -| destination.domain | The domain name of the destination system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | -| destination.geo.city_name | City name. | keyword | -| destination.geo.continent_name | Name of the continent. | keyword | -| destination.geo.country_iso_code | Country ISO code. | keyword | -| destination.geo.country_name | Country name. | keyword | -| destination.geo.location | Longitude and latitude. | geo_point | -| destination.geo.region_iso_code | Region ISO code. | keyword | -| destination.geo.region_name | Region name. | keyword | -| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | -| destination.nat.ip | Translated ip of destination based NAT sessions (e.g. 
internet to private DMZ) Typically used with load balancers, firewalls, or routers. | ip | -| destination.nat.port | Port the source session is translated to by NAT Device. Typically used with load balancers, firewalls, or routers. | long | -| destination.port | Port of the destination. | long | -| destination.user.name | Short name or login of the user. | keyword | -| destination.user.name.text | Multi-field of `destination.user.name`. | match_only_text | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| error.message | Error message. | match_only_text | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.code | Identification code for this event, if one exists. Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. | keyword | -| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. 
The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | -| event.dataset | Event dataset | constant_keyword | -| event.duration | Duration of the event in nanoseconds. If event.start and event.end are known this value should be the difference between the end and start time. | long | -| event.end | event.end contains the date when the event ended or when the activity was last observed. | date | -| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | -| event.module | Event module | constant_keyword | -| event.provider | Source of the event. Event transports such as Syslog or the Windows Event Log typically mention the source of an event. It can be the name of the software that generated the event (e.g. 
Sysmon, httpd), or of a subsystem of the operating system (kernel, Microsoft-Windows-Security-Auditing). | keyword | -| event.severity | The numeric severity of the event according to your event source. What the different severity values mean can be different between sources and use cases. It's up to the implementer to make sure severities are consistent across events from the same source. The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`. | long | -| event.start | event.start contains the date when the event started or when the activity was first observed. | date | -| event.timezone | This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). | keyword | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | -| file.path | Full path to the file, including the file name. It should include the drive letter, when appropriate. | keyword | -| file.path.text | Multi-field of `file.path`. 
| match_only_text | -| hid_bravura_monitor.environment | Instance environment | keyword | -| hid_bravura_monitor.instancename | Instance name | keyword | -| hid_bravura_monitor.instancetype | Instance type | keyword | -| hid_bravura_monitor.node | Node | keyword | -| hid_bravura_monitor.perf.address | Server address | wildcard | -| hid_bravura_monitor.perf.adminid | Administrator ID | keyword | -| hid_bravura_monitor.perf.caller | Application caller | keyword | -| hid_bravura_monitor.perf.dbcommand | Database command | keyword | -| hid_bravura_monitor.perf.destination | Destination URL | wildcard | -| hid_bravura_monitor.perf.duration | Performance duration | long | -| hid_bravura_monitor.perf.event | Event | keyword | -| hid_bravura_monitor.perf.exe | Executable | keyword | -| hid_bravura_monitor.perf.file | Source file | keyword | -| hid_bravura_monitor.perf.function | Performance function | keyword | -| hid_bravura_monitor.perf.kernel | Kernel Time | long | -| hid_bravura_monitor.perf.kind | Performance type (ie. PerfExe, PerfAjax, PerfFileRep, etc.) | keyword | -| hid_bravura_monitor.perf.line | Line number | long | -| hid_bravura_monitor.perf.message | Performance message | wildcard | -| hid_bravura_monitor.perf.message.keyword | Multi-field of `hid_bravura_monitor.perf.message`. 
| keyword | -| hid_bravura_monitor.perf.operation | Operation | keyword | -| hid_bravura_monitor.perf.receivequeue | Receive queue | keyword | -| hid_bravura_monitor.perf.records | Database records | long | -| hid_bravura_monitor.perf.result | Result | long | -| hid_bravura_monitor.perf.sessionid | Session ID | keyword | -| hid_bravura_monitor.perf.sysid | System ID | keyword | -| hid_bravura_monitor.perf.table | Database table | keyword | -| hid_bravura_monitor.perf.targetid | Target ID | keyword | -| hid_bravura_monitor.perf.transid | Transaction ID | keyword | -| hid_bravura_monitor.perf.type | IDWFM type | keyword | -| hid_bravura_monitor.perf.user | User time | long | -| hid_bravura_monitor.request.id | Request ID | keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. 
| keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| input.type | Input type. | keyword | -| labels | Custom key/value pairs. Can be used to add meta information to events. Should not contain nested objects. All values are stored as keyword. Example: `docker` and `k8s` labels. | object | -| log.file.path | Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. | keyword | -| log.flags | Flags for the log file. | keyword | -| log.level | Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). Some examples are `warn`, `err`, `i`, `informational`. | keyword | -| log.logger | The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. | keyword | -| log.offset | Offset of the entry in the log file. | long | -| log.source.address | Source address from which the log event was read / sent from. | keyword | -| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. 
If multiple messages exist, they can be combined into one message. | match_only_text | -| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long | -| network.direction | Direction of the network traffic. When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword | -| network.iana_number | IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. | keyword | -| network.inner | Network.inner fields are added in addition to network.vlan fields to describe the innermost VLAN when q-in-q VLAN tagging is present. Allowed fields include vlan.id and vlan.name. Inner vlan fields are typically used when sending traffic with multiple 802.1q encapsulations to a network sensor (e.g. Zeek, Wireshark.) | object | -| network.inner.vlan.id | VLAN ID as reported by the observer. | keyword | -| network.inner.vlan.name | Optional VLAN name as reported by the observer. | keyword | -| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. 
| keyword | -| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword | -| network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword | -| observer.egress.interface.name | Interface name as reported by the system. | keyword | -| observer.egress.zone | Network zone of outbound traffic as reported by the observer to categorize the destination area of egress traffic, e.g. Internal, External, DMZ, HR, Legal, etc. | keyword | -| observer.hostname | Hostname of the observer. | keyword | -| observer.ingress.interface.name | Interface name as reported by the system. | keyword | -| observer.ingress.zone | Network zone of incoming traffic as reported by the observer to categorize the source area of ingress traffic. e.g. internal, External, DMZ, HR, Legal, etc. | keyword | -| observer.ip | IP addresses of the observer. | ip | -| observer.name | Custom name of the observer. This is a name that can be given to an observer. This can be helpful for example if multiple firewalls of the same model are used in an organization. If no custom name is needed, the field can be left empty. | keyword | -| observer.product | The product name of the observer. | keyword | -| observer.type | The type of the observer the data is coming from. There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. | keyword | -| observer.vendor | Vendor name of the observer. | keyword | -| observer.version | Observer version. | keyword | -| process.name | Process name. Sometimes called program name or similar. | keyword | -| process.name.text | Multi-field of `process.name`. | match_only_text | -| process.pid | Process id. | long | -| process.thread.id | Thread ID. 
| long | -| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| related.user | All the user names or other user identifiers seen on the event. | keyword | -| server.address | Some event server addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| server.domain | The domain name of the server system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | -| server.ip | IP address of the server (IPv4 or IPv6). | ip | -| server.port | Port of the server. | long | -| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| source.as.organization.name | Organization name. | keyword | -| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text | -| source.bytes | Bytes sent from the source to the destination. | long | -| source.domain | The domain name of the source system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | -| source.geo.city_name | City name. 
| keyword | -| source.geo.continent_name | Name of the continent. | keyword | -| source.geo.country_iso_code | Country ISO code. | keyword | -| source.geo.country_name | Country name. | keyword | -| source.geo.location | Longitude and latitude. | geo_point | -| source.geo.region_iso_code | Region ISO code. | keyword | -| source.geo.region_name | Region name. | keyword | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| source.nat.ip | Translated ip of source based NAT sessions (e.g. internal client to internet) Typically connections traversing load balancers, firewalls, or routers. | ip | -| source.nat.port | Translated port of source based NAT sessions. (e.g. internal client to internet) Typically used with load balancers, firewalls, or routers. | long | -| source.port | Port of the source. | long | -| source.user.name | Short name or login of the user. | keyword | -| source.user.name.text | Multi-field of `source.user.name`. | match_only_text | -| tags | List of keywords used to tag each event. | keyword | -| url.domain | Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. | keyword | -| url.extension | The field contains the file extension from the original request url, excluding the leading dot. The file extension is only set if it exists, as not every url has a file extension. The leading period must not be included. For example, the value must be "png", not ".png". Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword | -| url.fragment | Portion of the url after the `#`, such as "top". The `#` is not part of the fragment. 
| keyword | -| url.full | If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. | wildcard | -| url.full.text | Multi-field of `url.full`. | match_only_text | -| url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | wildcard | -| url.original.text | Multi-field of `url.original`. | match_only_text | -| url.password | Password of the request. | keyword | -| url.path | Path of the request, such as "/search". | wildcard | -| url.port | Port of the request, such as 443. | long | -| url.query | The query field describes the query string of the request, such as "q=elasticsearch". The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. | keyword | -| url.registered_domain | The highest registered url domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | -| url.scheme | Scheme of the request, such as "https". Note: The `:` is not part of the scheme. | keyword | -| url.subdomain | The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. 
For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword | -| url.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | -| url.username | Username of the request. | keyword | -| user.email | User email address. | keyword | -| user.id | Unique identifier of the user. | keyword | -| user.name | Short name or login of the user. | keyword | -| user.name.text | Multi-field of `user.name`. | match_only_text | - - -### winlog - -The `winglog` dataset collects the Hitachi ID Bravura Security Fabric event logs. 
- -An example event for `winlog` looks as following: - -```json -{ - "@timestamp": "2021-10-29T14:05:50.739Z", - "cloud": { - "provider": "aws", - "instance": { - "id": "i-043997b05c5fa45ee" - }, - "machine": { - "type": "t3a.xlarge" - }, - "region": "us-east-1", - "availability_zone": "us-east-1a", - "account": { - "id": "753231555564" - }, - "image": { - "id": "ami-0e6ddc753bf04d004" - } - }, - "log": { - "level": "information" - }, - "message": "User successfully logged in.|Profile=JOHND|Language=|Skin=", - "winlog": { - "record_id": 1548167, - "api": "wineventlog", - "opcode": "Info", - "provider_guid": "{5a744344-18a9-480d-8a3a-0560ac58b841}", - "channel": "Hitachi-Hitachi ID Systems-Hitachi ID Suite/Operational", - "activity_id": "{4ffdfadd-63f2-41b2-9a4f-13534a729c54}", - "user": { - "identifier": "S-1-5-21-1512184445-966971527-3399726218-1035", - "name": "psadmin", - "domain": "DOMAIN1", - "type": "User" - }, - "event_data": { - "Module": "psf.exe", - "Profile": "JOHND", - "Instance": "pmim" - }, - "event_id": 92, - "computer_name": "hitachi1.corp", - "provider_name": "Hitachi-Hitachi ID Systems-Hitachi ID Suite", - "task": "", - "process": { - "pid": 6368, - "thread": { - "id": 9064 - } - } - }, - "event": { - "kind": "event", - "code": 92, - "provider": "Hitachi-Hitachi ID Systems-Hitachi ID Suite", - "created": "2021-10-29T14:05:52.111Z" - }, - "host": { - "name": "hitachi1.corp", - "architecture": "x86_64", - "os": { - "family": "windows", - "name": "Windows Server 2019 Datacenter", - "kernel": "10.0.17763.1999 (WinBuild.160101.0800)", - "build": "17763.1999", - "platform": "windows", - "version": "10.0" - }, - "id": "a9d2b7f5-6d62-46b3-8fbe-35a7e83d1dc8", - "ip": [ - "0.0.0.0" - ], - "mac": [ - "0a:a5:af:ad:d3:ab" - ], - "hostname": "node1" - }, - "agent": { - "version": "8.0.0", - "hostname": "node1", - "ephemeral_id": "d061bfcf-e51b-4586-9ace-3d5b15f86e37", - "id": "aa12ad42-61bc-466c-8887-1a15d4646fc7", - "name": "node1", - "type": "filebeat" - }, - 
"ecs": { - "version": "8.3.0" - } -} -``` - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset name. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. 
| keyword | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.code | Identification code for this event, if one exists. Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. | keyword | -| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | -| event.dataset | Event dataset. | constant_keyword | -| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. 
| date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | -| event.module | Name of the module this data is coming from. If your monitoring agent supports the concept of modules or plugins to process events of a given source (e.g. Apache logs), `event.module` should contain the name of this module. | keyword | -| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | -| event.provider | Source of the event. Event transports such as Syslog or the Windows Event Log typically mention the source of an event. It can be the name of the software that generated the event (e.g. 
Sysmon, httpd), or of a subsystem of the operating system (kernel, Microsoft-Windows-Security-Auditing). | keyword | -| event.sequence | Sequence number of the event. The sequence number is a value published by some event sources, to make the exact ordering of events unambiguous, regardless of the timestamp precision. | long | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | -| group.domain | Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name. | keyword | -| group.id | Unique identifier for the group on the system/platform. | keyword | -| group.name | Name of the group. | keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. 
| keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| input.type | Type of Filebeat input. | keyword | -| log.file.path | Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. | keyword | -| log.level | Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). Some examples are `warn`, `err`, `i`, `informational`. | keyword | -| message | initial raw message | keyword | -| process.args | Array of process arguments, starting with the absolute path to the executable. May be filtered to protect sensitive information. | keyword | -| process.args_count | Length of the process.args array. This field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. More arguments may be an indication of suspicious activity. 
| long | -| process.command_line | Full command line that started the process, including the absolute path to the executable, and all arguments. Some arguments may be filtered to protect sensitive information. | wildcard | -| process.command_line.text | Multi-field of `process.command_line`. | match_only_text | -| process.entity_id | Unique identifier for the process. The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. | keyword | -| process.executable | Absolute path to the process executable. | keyword | -| process.executable.text | Multi-field of `process.executable`. | match_only_text | -| process.name | Process name. Sometimes called program name or similar. | keyword | -| process.name.text | Multi-field of `process.name`. | match_only_text | -| process.parent.executable | Absolute path to the process executable. | keyword | -| process.parent.executable.text | Multi-field of `process.parent.executable`. | match_only_text | -| process.parent.name | Process name. Sometimes called program name or similar. | keyword | -| process.parent.name.text | Multi-field of `process.parent.name`. | match_only_text | -| process.pid | Process id. | long | -| process.title | Process title. The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. | keyword | -| process.title.text | Multi-field of `process.title`. | match_only_text | -| related.hash | All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). 
| keyword | -| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| related.user | All the user names or other user identifiers seen on the event. | keyword | -| service.name | Name of the service data is collected from. The name of the service is normally user given. This allows for distributed services that run on multiple hosts to correlate the related instances based on the name. In the case of Elasticsearch the `service.name` could contain the cluster name. For Beats the `service.name` is by default a copy of the `service.type` field if no name is specified. | keyword | -| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword | -| source.domain | The domain name of the source system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| source.port | Port of the source. | long | -| tags | List of keywords used to tag each event. | keyword | -| user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword | -| user.id | Unique identifier of the user. | keyword | -| user.name | Short name or login of the user. | keyword | -| user.name.text | Multi-field of `user.name`. | match_only_text | -| user.target.group.domain | Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name. | keyword | -| user.target.group.id | Unique identifier for the group on the system/platform. 
| keyword | -| user.target.group.name | Name of the group. | keyword | -| user.target.name | Short name or login of the user. | keyword | -| user.target.name.text | Multi-field of `user.target.name`. | match_only_text | -| winlog.activity_id | A globally unique identifier that identifies the current activity. The events that are published with this identifier are part of the same activity. | keyword | -| winlog.api | The event log API type used to read the record. The possible values are "wineventlog" for the Windows Event Log API or "eventlogging" for the Event Logging API. The Event Logging API was designed for Windows Server 2003 or Windows 2000 operating systems. In Windows Vista, the event logging infrastructure was redesigned. On Windows Vista or later operating systems, the Windows Event Log API is used. Winlogbeat automatically detects which API to use for reading event logs. | keyword | -| winlog.channel | The name of the channel from which this record was read. This value is one of the names from the `event_logs` collection in the configuration. | keyword | -| winlog.computerObject.domain | | keyword | -| winlog.computerObject.id | | keyword | -| winlog.computerObject.name | | keyword | -| winlog.computer_name | The name of the computer that generated the record. When using Windows event forwarding, this name can differ from `agent.hostname`. | keyword | -| winlog.event_data | The event-specific data. This field is mutually exclusive with `user_data`. If you are capturing event data on versions prior to Windows Vista, the parameters in `event_data` are named `param1`, `param2`, and so on, because event log parameters are unnamed in earlier versions of Windows. | object | -| winlog.event_data.Account | An object on a target system that establishes a user’s identity on that target system. 
| keyword | -| winlog.event_data.Action | | keyword | -| winlog.event_data.ActionId | | keyword | -| winlog.event_data.Arguments | | keyword | -| winlog.event_data.AuthChain | Authentication chains offer a flexible authentication infrastructure, allowing you to customize the end-user authentication experience. An authentication chain contains authentication methods offered by available authentication modules. | keyword | -| winlog.event_data.AuthUser | Authentication user. | keyword | -| winlog.event_data.BatchSig | Request batch ID. | keyword | -| winlog.event_data.Binding | | keyword | -| winlog.event_data.CanceledBy | The user who canceled the request. | keyword | -| winlog.event_data.ChangedBy | The user who made the change. | keyword | -| winlog.event_data.Checkout | | keyword | -| winlog.event_data.ClientIPs | | ip | -| winlog.event_data.DelayThreshold | | long | -| winlog.event_data.Description | | keyword | -| winlog.event_data.EffectiveUser | | keyword | -| winlog.event_data.ErrorCode | | keyword | -| winlog.event_data.Event | | keyword | -| winlog.event_data.EventID | | keyword | -| winlog.event_data.FailedTargets | | keyword | -| winlog.event_data.GroupSet | | keyword | -| winlog.event_data.Hostname | | keyword | -| winlog.event_data.Identity | Identify users. | keyword | -| winlog.event_data.Initiator | | keyword | -| winlog.event_data.Instance | | keyword | -| winlog.event_data.Issuer | | keyword | -| winlog.event_data.Language | Language used. | keyword | -| winlog.event_data.LoginURL | User login URL. | keyword | -| winlog.event_data.LogonDomain | | keyword | -| winlog.event_data.LogonSystem | | keyword | -| winlog.event_data.LogonUser | | keyword | -| winlog.event_data.MAQ | Account set access. 
| keyword | -| winlog.event_data.Message | | keyword | -| winlog.event_data.MessageType | | keyword | -| winlog.event_data.Method | | keyword | -| winlog.event_data.Module | | keyword | -| winlog.event_data.Node | | keyword | -| winlog.event_data.OSLogin | | keyword | -| winlog.event_data.OTPLogin | API login. | keyword | -| winlog.event_data.Operation | | keyword | -| winlog.event_data.Orchestration | Subscriber orchestration. | keyword | -| winlog.event_data.Owner | | keyword | -| winlog.event_data.Platform | | keyword | -| winlog.event_data.Policy | | keyword | -| winlog.event_data.Port | | keyword | -| winlog.event_data.Procedure | | keyword | -| winlog.event_data.Profile | | keyword | -| winlog.event_data.QSetID | Question set ID. | keyword | -| winlog.event_data.QSetType | Question set type. | keyword | -| winlog.event_data.QueueDelay | Database replication queue delay. | long | -| winlog.event_data.QueueSize | Database replication queue size. | long | -| winlog.event_data.QueueType | Database replication queue type. | keyword | -| winlog.event_data.Reason | | keyword | -| winlog.event_data.Recipient | Recipient of the request. | keyword | -| winlog.event_data.Replica | Replica database or server. | keyword | -| winlog.event_data.RequestID | | keyword | -| winlog.event_data.Requester | | keyword | -| winlog.event_data.Result | | keyword | -| winlog.event_data.RevokedBy | Workflow request has been revoked by. | keyword | -| winlog.event_data.Runtime | | long | -| winlog.event_data.SPFolder | Service provider folder. | keyword | -| winlog.event_data.SessionID | | keyword | -| winlog.event_data.Skin | Skin for Bravura Security Fabric instance. | keyword | -| winlog.event_data.Source | | keyword | -| winlog.event_data.StoredProc | Stored procedure. | keyword | -| winlog.event_data.System | | keyword | -| winlog.event_data.Target | | keyword | -| winlog.event_data.TargetName | | keyword | -| winlog.event_data.TermintedBy | Request terminated by. 
| keyword | -| winlog.event_data.Type | | keyword | -| winlog.event_data.URI | The HTTP(S) address of the SOAP API of the Bravura Security Fabric server. | keyword | -| winlog.event_data.WaterMark | Database replication watermark. | keyword | -| winlog.event_data.Workstation | | keyword | -| winlog.event_id | The event identifier. The value is specific to the source of the event. | keyword | -| winlog.keywords | The keywords are used to classify an event. | keyword | -| winlog.level | The event severity. Levels are Critical, Error, Warning and Information, Verbose | keyword | -| winlog.opcode | The opcode defined in the event. Task and opcode are typically used to identify the location in the application from where the event was logged. | keyword | -| winlog.outcome | Success or Failure of the event. | keyword | -| winlog.process.pid | The process_id of the Client Server Runtime Process. | long | -| winlog.process.thread.id | | long | -| winlog.provider_guid | A globally unique identifier that identifies the provider that logged the event. | keyword | -| winlog.provider_name | The source of the event log record (the application or service that logged the record). | keyword | -| winlog.record_id | The record ID of the event log record. The first record written to an event log is record number 1, and other records are numbered sequentially. If the record number reaches the maximum value (2^32^ for the Event Logging API and 2^64^ for the Windows Event Log API), the next record number will be 0. | keyword | -| winlog.related_activity_id | A globally unique identifier that identifies the activity to which control was transferred to. The related events would then have this identifier as their `activity_id` identifier. | keyword | -| winlog.symbolic_id | Symbolic event id | keyword | -| winlog.task | The task defined in the event. Task and opcode are typically used to identify the location in the application from where the event was logged. 
The category used by the Event Logging API (on pre Windows Vista operating systems) is written to this field. | keyword |
-| winlog.time_created | Time event was created | keyword |
-| winlog.trustAttribute | | keyword |
-| winlog.trustDirection | | keyword |
-| winlog.trustType | | keyword |
-| winlog.user.domain | The domain that the account associated with this event is a member of. | keyword |
-| winlog.user.identifier | Identifier of the user associated with this event. | keyword |
-| winlog.user.name | Name of the user associated with this event. | keyword |
-| winlog.user.type | The type of account associated with this event. | keyword |
-| winlog.user_data | The event specific data. This field is mutually exclusive with `event_data`. | object |
-| winlog.version | The version number of the event's definition. | long |
diff --git a/packages/hid_bravura_monitor/1.2.3/img/kibana-hid_bravura_monitor-admin.png b/packages/hid_bravura_monitor/1.2.3/img/kibana-hid_bravura_monitor-admin.png
deleted file mode 100755
index f4596df81e..0000000000
Binary files a/packages/hid_bravura_monitor/1.2.3/img/kibana-hid_bravura_monitor-admin.png and /dev/null differ
diff --git a/packages/hid_bravura_monitor/1.2.3/img/kibana-hid_bravura_monitor-connectors.png b/packages/hid_bravura_monitor/1.2.3/img/kibana-hid_bravura_monitor-connectors.png
deleted file mode 100755
index ccdc4d043a..0000000000
Binary files a/packages/hid_bravura_monitor/1.2.3/img/kibana-hid_bravura_monitor-connectors.png and /dev/null differ
diff --git a/packages/hid_bravura_monitor/1.2.3/img/kibana-hid_bravura_monitor-db-replication.png b/packages/hid_bravura_monitor/1.2.3/img/kibana-hid_bravura_monitor-db-replication.png
deleted file mode 100755
index 46507bebc3..0000000000
Binary files a/packages/hid_bravura_monitor/1.2.3/img/kibana-hid_bravura_monitor-db-replication.png and /dev/null differ
diff --git a/packages/hid_bravura_monitor/1.2.3/img/kibana-hid_bravura_monitor-log-issues.png b/packages/hid_bravura_monitor/1.2.3/img/kibana-hid_bravura_monitor-log-issues.png
deleted file mode 100755
index c69ee309e5..0000000000
Binary files a/packages/hid_bravura_monitor/1.2.3/img/kibana-hid_bravura_monitor-log-issues.png and /dev/null differ
diff --git a/packages/hid_bravura_monitor/1.2.3/img/kibana-hid_bravura_monitor-overview.png b/packages/hid_bravura_monitor/1.2.3/img/kibana-hid_bravura_monitor-overview.png
deleted file mode 100755
index c56709bf9b..0000000000
Binary files a/packages/hid_bravura_monitor/1.2.3/img/kibana-hid_bravura_monitor-overview.png and /dev/null differ
diff --git a/packages/hid_bravura_monitor/1.2.3/img/logo_hid_bravura_monitor.svg b/packages/hid_bravura_monitor/1.2.3/img/logo_hid_bravura_monitor.svg
deleted file mode 100755
index d5f6071f00..0000000000
--- a/packages/hid_bravura_monitor/1.2.3/img/logo_hid_bravura_monitor.svg
+++ /dev/null
@@ -1,21 +0,0 @@ - - - - - - -
diff --git a/packages/hid_bravura_monitor/1.2.3/kibana/dashboard/hid_bravura_monitor-0665f160-f956-11eb-a1ab-1964dffd1499.json b/packages/hid_bravura_monitor/1.2.3/kibana/dashboard/hid_bravura_monitor-0665f160-f956-11eb-a1ab-1964dffd1499.json
deleted file mode 100755
index dc0de076a5..0000000000
--- a/packages/hid_bravura_monitor/1.2.3/kibana/dashboard/hid_bravura_monitor-0665f160-f956-11eb-a1ab-1964dffd1499.json
+++ /dev/null
@@ -1,45 +0,0 @@ -{ - "attributes": { - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"16ceee80-adfc-4ecd-99f4-3f3160dce1f4\",\"w\":48,\"x\":0,\"y\":0},\"panelIndex\":\"16ceee80-adfc-4ecd-99f4-3f3160dce1f4\",\"panelRefName\":\"panel_0\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":19,\"i\":\"b64ac48c-d9e4-4dfa-9ddd-05117c054c44\",\"w\":16,\"x\":0,\"y\":15},\"panelIndex\":\"b64ac48c-d9e4-4dfa-9ddd-05117c054c44\",\"panelRefName\":\"panel_1\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":19,\"i\":\"8b200051-1ac1-4008-b031-ba62127cb7b4\",\"w\":16,\"x\":16,\"y\":15},\"panelIndex\":\"8b200051-1ac1-4008-b031-ba62127cb7b4\",\"panelRefName\":\"panel_2\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":19,\"i\":\"9cd7264a-0271-4e4a-9fe7-67f7fc60d349\",\"w\":16,\"x\":32,\"y\":15},\"panelIndex\":\"9cd7264a-0271-4e4a-9fe7-67f7fc60d349\",\"panelRefName\":\"panel_3\",\"version\":\"8.0.0\"}]", - "timeRestore": false, - "title": "[Bravura Monitor] Log issues - Summary", - "version": 1 - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-0665f160-f956-11eb-a1ab-1964dffd1499", - "migrationVersion": { - "dashboard": "7.15.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "hid_bravura_monitor-24823410-1464-11eb-bb7b-bb041e8cf289", - "name": "panel_0", - "type": "visualization" - }, - { - "id": "hid_bravura_monitor-76cb60d0-1463-11eb-bb7b-bb041e8cf289", - "name": "panel_1", - "type": "visualization" - }, - { - "id": "hid_bravura_monitor-a950c4e0-1464-11eb-bb7b-bb041e8cf289", - "name": "panel_2", - "type": "visualization" - }, - { - "id": 
"hid_bravura_monitor-d66fb2a0-3ed6-11eb-9549-63f6cd998f21", - "name": "panel_3", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/hid_bravura_monitor/1.2.3/kibana/dashboard/hid_bravura_monitor-0db75ff0-f9f4-11eb-a1ab-1964dffd1499.json b/packages/hid_bravura_monitor/1.2.3/kibana/dashboard/hid_bravura_monitor-0db75ff0-f9f4-11eb-a1ab-1964dffd1499.json deleted file mode 100755 index e6d8ca2d40..0000000000 --- a/packages/hid_bravura_monitor/1.2.3/kibana/dashboard/hid_bravura_monitor-0db75ff0-f9f4-11eb-a1ab-1964dffd1499.json +++ /dev/null 
@@ -1,35 +0,0 @@
-{
- "attributes": {
- "description": "",
- "hits": 0,
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}"
- },
- "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}",
- "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":26,\"i\":\"6a0834a4-8c2b-4484-9f5e-c55faf0deac6\",\"w\":13,\"x\":0,\"y\":0},\"panelIndex\":\"6a0834a4-8c2b-4484-9f5e-c55faf0deac6\",\"panelRefName\":\"panel_0\",\"version\":\"7.11.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":26,\"i\":\"3b23d41e-170f-4423-8ba8-2971e9b68782\",\"w\":35,\"x\":13,\"y\":0},\"panelIndex\":\"3b23d41e-170f-4423-8ba8-2971e9b68782\",\"panelRefName\":\"panel_1\",\"version\":\"7.11.0\"}]",
- "timeRestore": false,
- "title": "[Bravura Monitor] Administrative - Disabled Profiles",
- "version": 1
- },
- "coreMigrationVersion": "7.15.0",
- "id": "hid_bravura_monitor-0db75ff0-f9f4-11eb-a1ab-1964dffd1499",
- "migrationVersion": {
- "dashboard": "7.15.0"
- },
- "namespaces": [
- "default"
- ],
- "references": [
- {
- "id": "hid_bravura_monitor-c318d000-d83d-11eb-9e70-edcbba448215",
- "name": "panel_0",
- "type": "visualization"
- },
- {
- "id": "hid_bravura_monitor-c85815c0-d83e-11eb-9e70-edcbba448215",
- "name": "panel_1",
- "type": "visualization"
- }
- ],
- "type": "dashboard"
-}
\ No newline at end of file
diff --git a/packages/hid_bravura_monitor/1.2.3/kibana/dashboard/hid_bravura_monitor-1a431f90-fa01-11eb-a1ab-1964dffd1499.json b/packages/hid_bravura_monitor/1.2.3/kibana/dashboard/hid_bravura_monitor-1a431f90-fa01-11eb-a1ab-1964dffd1499.json
deleted file mode 100755
index edfde69098..0000000000
--- a/packages/hid_bravura_monitor/1.2.3/kibana/dashboard/hid_bravura_monitor-1a431f90-fa01-11eb-a1ab-1964dffd1499.json
+++ /dev/null
@@ -1,40 +0,0 @@
-{
- "attributes": {
- "description": "",
- "hits": 0,
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}"
- },
- "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}",
- "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":25,\"i\":\"6d898178-6f51-4199-ae7e-44bd35e60bc8\",\"w\":12,\"x\":0,\"y\":0},\"panelIndex\":\"6d898178-6f51-4199-ae7e-44bd35e60bc8\",\"panelRefName\":\"panel_0\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":25,\"i\":\"47c424ec-b1cc-4ab1-abfc-e9d0382a79ee\",\"w\":36,\"x\":12,\"y\":0},\"panelIndex\":\"47c424ec-b1cc-4ab1-abfc-e9d0382a79ee\",\"panelRefName\":\"panel_1\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":16,\"i\":\"70c9467e-31cb-4617-beab-2e7012046222\",\"w\":48,\"x\":0,\"y\":25},\"panelIndex\":\"70c9467e-31cb-4617-beab-2e7012046222\",\"panelRefName\":\"panel_2\",\"version\":\"8.0.0\"}]",
- "timeRestore": false,
- "title": "[Bravura Monitor] Database - Discovery",
- "version": 1
- },
- "coreMigrationVersion": "7.15.0",
- "id": "hid_bravura_monitor-1a431f90-fa01-11eb-a1ab-1964dffd1499",
- "migrationVersion": {
- "dashboard": "7.15.0"
- },
- "namespaces": [
- "default"
- ],
- "references": [
- {
- "id": "hid_bravura_monitor-64035e60-25db-11eb-abcf-effcd51852fa",
- "name": "panel_0",
- "type": "visualization"
- },
- {
- "id": "hid_bravura_monitor-d3897a80-25db-11eb-abcf-effcd51852fa",
- "name": "panel_1",
- "type": "visualization"
- },
- {
- "id": "hid_bravura_monitor-3aa4b370-25db-11eb-abcf-effcd51852fa",
- "name": "panel_2",
- "type": "search"
- }
- ],
- "type": "dashboard"
-}
\ No newline at end of file
diff --git a/packages/hid_bravura_monitor/1.2.3/kibana/dashboard/hid_bravura_monitor-23a89d20-fa07-11eb-96cd-db0fb11a40f3.json b/packages/hid_bravura_monitor/1.2.3/kibana/dashboard/hid_bravura_monitor-23a89d20-fa07-11eb-96cd-db0fb11a40f3.json
deleted file mode 100755
index 3442fffb55..0000000000
--- a/packages/hid_bravura_monitor/1.2.3/kibana/dashboard/hid_bravura_monitor-23a89d20-fa07-11eb-96cd-db0fb11a40f3.json
+++ /dev/null
@@ -1,55 +0,0 @@ -{ - "attributes": { - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":21,\"i\":\"a3abfe8b-3ddd-492a-b081-2e3a3d76e84f\",\"w\":10,\"x\":0,\"y\":0},\"panelIndex\":\"a3abfe8b-3ddd-492a-b081-2e3a3d76e84f\",\"panelRefName\":\"panel_0\",\"version\":\"7.11.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":21,\"i\":\"31e162b4-565d-4dce-90f1-e0a43ed54a70\",\"w\":38,\"x\":10,\"y\":0},\"panelIndex\":\"31e162b4-565d-4dce-90f1-e0a43ed54a70\",\"panelRefName\":\"panel_1\",\"version\":\"7.11.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":21,\"i\":\"21a44db8-a29a-4a18-b63e-ca0da9606909\",\"w\":10,\"x\":0,\"y\":21},\"panelIndex\":\"21a44db8-a29a-4a18-b63e-ca0da9606909\",\"panelRefName\":\"panel_2\",\"version\":\"7.11.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":21,\"i\":\"efaeb9a6-ef0b-4f77-b397-1c8577f38cbf\",\"w\":38,\"x\":10,\"y\":21},\"panelIndex\":\"efaeb9a6-ef0b-4f77-b397-1c8577f38cbf\",\"panelRefName\":\"panel_3\",\"version\":\"7.11.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":27,\"i\":\"1494c062-2f24-4571-8e69-793a894392d7\",\"w\":24,\"x\":0,\"y\":42},\"panelIndex\":\"1494c062-2f24-4571-8e69-793a894392d7\",\"panelRefName\":\"panel_4\",\"version\":\"7.11.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":27,\"i\":\"5fb347ad-ad70-4cfb-8023-f61468be8a07\",\"w\":24,\"x\":24,\"y\":42},\"panelIndex\":\"5fb347ad-ad70-4cfb-8023-f61468be8a07\",\"panelRefName\":\"panel_5\",\"version\":\"7.11.0\"}]", - "timeRestore": false, - "title": "[Bravura Monitor] Windows Event Analysis - Problems", - "version": 1 - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-23a89d20-fa07-11eb-96cd-db0fb11a40f3", 
- "migrationVersion": { - "dashboard": "7.15.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "hid_bravura_monitor-66c884f0-2382-11eb-abcf-effcd51852fa", - "name": "panel_0", - "type": "visualization" - }, - { - "id": "hid_bravura_monitor-23133620-238b-11eb-abcf-effcd51852fa", - "name": "panel_1", - "type": "visualization" - }, - { - "id": "hid_bravura_monitor-a29a1cc0-238a-11eb-abcf-effcd51852fa", - "name": "panel_2", - "type": "visualization" - }, - { - "id": "hid_bravura_monitor-dbc305e0-245a-11eb-abcf-effcd51852fa", - "name": "panel_3", - "type": "visualization" - }, - { - "id": "hid_bravura_monitor-489a4f50-2453-11eb-abcf-effcd51852fa", - "name": "panel_4", - "type": "visualization" - }, - { - "id": "hid_bravura_monitor-8ec75c50-2383-11eb-abcf-effcd51852fa", - "name": "panel_5", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/hid_bravura_monitor/1.2.3/kibana/dashboard/hid_bravura_monitor-28db2060-fa02-11eb-a1ab-1964dffd1499.json b/packages/hid_bravura_monitor/1.2.3/kibana/dashboard/hid_bravura_monitor-28db2060-fa02-11eb-a1ab-1964dffd1499.json deleted file mode 100755 index b491b8e1fc..0000000000 --- a/packages/hid_bravura_monitor/1.2.3/kibana/dashboard/hid_bravura_monitor-28db2060-fa02-11eb-a1ab-1964dffd1499.json +++ /dev/null 
@@ -1,40 +0,0 @@
-{
- "attributes": {
- "description": "",
- "hits": 0,
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}"
- },
- "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}",
- "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"27066e19-96ff-46db-989c-2ed0650bfb32\",\"w\":48,\"x\":0,\"y\":0},\"panelIndex\":\"27066e19-96ff-46db-989c-2ed0650bfb32\",\"panelRefName\":\"panel_0\",\"version\":\"7.11.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"9a662dac-12e2-44ce-ad7d-eaca9ec5b478\",\"w\":24,\"x\":24,\"y\":15},\"panelIndex\":\"9a662dac-12e2-44ce-ad7d-eaca9ec5b478\",\"panelRefName\":\"panel_1\",\"version\":\"7.11.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"51a5c05f-6a26-4138-9f95-f4c6b01c4d78\",\"w\":24,\"x\":0,\"y\":15},\"panelIndex\":\"51a5c05f-6a26-4138-9f95-f4c6b01c4d78\",\"panelRefName\":\"panel_2\",\"version\":\"7.11.0\"}]",
- "timeRestore": false,
- "title": "[Bravura Monitor] Discovery - Summary",
- "version": 1
- },
- "coreMigrationVersion": "7.15.0",
- "id": "hid_bravura_monitor-28db2060-fa02-11eb-a1ab-1964dffd1499",
- "migrationVersion": {
- "dashboard": "7.15.0"
- },
- "namespaces": [
- "default"
- ],
- "references": [
- {
- "id": "hid_bravura_monitor-77701bc0-25bb-11eb-abcf-effcd51852fa",
- "name": "panel_0",
- "type": "visualization"
- },
- {
- "id": "hid_bravura_monitor-82277da0-25d5-11eb-abcf-effcd51852fa",
- "name": "panel_1",
- "type": "visualization"
- },
- {
- "id": "hid_bravura_monitor-82432550-25bc-11eb-abcf-effcd51852fa",
- "name": "panel_2",
- "type": "visualization"
- }
- ],
- "type": "dashboard"
-}
\ No newline at end of file
diff --git a/packages/hid_bravura_monitor/1.2.3/kibana/dashboard/hid_bravura_monitor-3f403100-f9f4-11eb-a1ab-1964dffd1499.json b/packages/hid_bravura_monitor/1.2.3/kibana/dashboard/hid_bravura_monitor-3f403100-f9f4-11eb-a1ab-1964dffd1499.json
deleted file mode 100755
index dc4a543829..0000000000
--- a/packages/hid_bravura_monitor/1.2.3/kibana/dashboard/hid_bravura_monitor-3f403100-f9f4-11eb-a1ab-1964dffd1499.json
+++ /dev/null
@@ -1,35 +0,0 @@
-{
- "attributes": {
- "description": "",
- "hits": 0,
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}"
- },
- "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}",
- "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":26,\"i\":\"292870cf-80ba-4071-ac33-6ddc10eef5ee\",\"w\":13,\"x\":0,\"y\":0},\"panelIndex\":\"292870cf-80ba-4071-ac33-6ddc10eef5ee\",\"panelRefName\":\"panel_0\",\"version\":\"7.11.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":26,\"i\":\"c81e1947-6ef2-4f8f-8497-c6defed48569\",\"w\":35,\"x\":13,\"y\":0},\"panelIndex\":\"c81e1947-6ef2-4f8f-8497-c6defed48569\",\"panelRefName\":\"panel_1\",\"version\":\"7.11.0\"}]",
- "timeRestore": false,
- "title": "[Bravura Monitor] Administrative - Unlocked Profiles",
- "version": 1
- },
- "coreMigrationVersion": "7.15.0",
- "id": "hid_bravura_monitor-3f403100-f9f4-11eb-a1ab-1964dffd1499",
- "migrationVersion": {
- "dashboard": "7.15.0"
- },
- "namespaces": [
- "default"
- ],
- "references": [
- {
- "id": "hid_bravura_monitor-2ffbfc20-d83d-11eb-9e70-edcbba448215",
- "name": "panel_0",
- "type": "visualization"
- },
- {
- "id": "hid_bravura_monitor-9a75fb00-d83d-11eb-9e70-edcbba448215",
- "name": "panel_1",
- "type": "visualization"
- }
- ],
- "type": "dashboard"
-}
\ No newline at end of file
diff --git a/packages/hid_bravura_monitor/1.2.3/kibana/dashboard/hid_bravura_monitor-49fa7e40-f9fc-11eb-a1ab-1964dffd1499.json b/packages/hid_bravura_monitor/1.2.3/kibana/dashboard/hid_bravura_monitor-49fa7e40-f9fc-11eb-a1ab-1964dffd1499.json
deleted file mode 100755
index a543c8bad3..0000000000
--- a/packages/hid_bravura_monitor/1.2.3/kibana/dashboard/hid_bravura_monitor-49fa7e40-f9fc-11eb-a1ab-1964dffd1499.json
+++ /dev/null
@@ -1,50 +0,0 @@ -{ - "attributes": { - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":14,\"i\":\"aed09807-f936-4881-960d-30039d3fb5cd\",\"w\":48,\"x\":0,\"y\":0},\"panelIndex\":\"aed09807-f936-4881-960d-30039d3fb5cd\",\"panelRefName\":\"panel_0\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":20,\"i\":\"fa9c7f19-26bc-489f-ad23-1774eaf8dcc6\",\"w\":16,\"x\":0,\"y\":14},\"panelIndex\":\"fa9c7f19-26bc-489f-ad23-1774eaf8dcc6\",\"panelRefName\":\"panel_1\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":20,\"i\":\"ded4c445-2a0a-448c-9318-38b166d11d73\",\"w\":16,\"x\":16,\"y\":14},\"panelIndex\":\"ded4c445-2a0a-448c-9318-38b166d11d73\",\"panelRefName\":\"panel_2\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":20,\"i\":\"a58e223b-2453-4dcd-9de5-8a6101d9964d\",\"w\":16,\"x\":32,\"y\":14},\"panelIndex\":\"a58e223b-2453-4dcd-9de5-8a6101d9964d\",\"panelRefName\":\"panel_3\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":17,\"i\":\"4909f0f5-c8df-40f8-bc49-df24cb056b8c\",\"w\":48,\"x\":0,\"y\":34},\"panelIndex\":\"4909f0f5-c8df-40f8-bc49-df24cb056b8c\",\"panelRefName\":\"panel_4\",\"version\":\"8.0.0\"}]", - "timeRestore": false, - "title": "[Bravura Monitor] Users - Issues", - "version": 1 - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-49fa7e40-f9fc-11eb-a1ab-1964dffd1499", - "migrationVersion": { - "dashboard": "7.15.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "hid_bravura_monitor-fe363790-1a1a-11eb-abcf-effcd51852fa", - "name": "panel_0", - "type": "visualization" - }, - { - "id": 
"hid_bravura_monitor-20a85000-1a1c-11eb-abcf-effcd51852fa", - "name": "panel_1", - "type": "visualization" - }, - { - "id": "hid_bravura_monitor-db3f9af0-1a1b-11eb-abcf-effcd51852fa", - "name": "panel_2", - "type": "visualization" - }, - { - "id": "hid_bravura_monitor-670cf140-1a1c-11eb-abcf-effcd51852fa", - "name": "panel_3", - "type": "visualization" - }, - { - "id": "hid_bravura_monitor-9e4165d0-1a1a-11eb-abcf-effcd51852fa", - "name": "panel_4", - "type": "search" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/hid_bravura_monitor/1.2.3/kibana/dashboard/hid_bravura_monitor-4bf327b0-fa01-11eb-a1ab-1964dffd1499.json b/packages/hid_bravura_monitor/1.2.3/kibana/dashboard/hid_bravura_monitor-4bf327b0-fa01-11eb-a1ab-1964dffd1499.json deleted file mode 100755 index 0140835288..0000000000 --- a/packages/hid_bravura_monitor/1.2.3/kibana/dashboard/hid_bravura_monitor-4bf327b0-fa01-11eb-a1ab-1964dffd1499.json +++ /dev/null 
@@ -1,40 +0,0 @@ -{ - "attributes": { - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":25,\"i\":\"63969223-a0de-4d10-aa3a-5a7de19681c2\",\"w\":13,\"x\":0,\"y\":0},\"panelIndex\":\"63969223-a0de-4d10-aa3a-5a7de19681c2\",\"panelRefName\":\"panel_0\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":25,\"i\":\"37dcff04-67ca-46e6-bea3-b6be4a08bce8\",\"w\":35,\"x\":13,\"y\":0},\"panelIndex\":\"37dcff04-67ca-46e6-bea3-b6be4a08bce8\",\"panelRefName\":\"panel_1\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":16,\"i\":\"250f87a6-96dc-417f-a704-ee29e9669992\",\"w\":48,\"x\":0,\"y\":25},\"panelIndex\":\"250f87a6-96dc-417f-a704-ee29e9669992\",\"panelRefName\":\"panel_2\",\"version\":\"8.0.0\"}]", - "timeRestore": false, - "title": "[Bravura Monitor] Database - Search", - "version": 1 - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-4bf327b0-fa01-11eb-a1ab-1964dffd1499", - "migrationVersion": { - "dashboard": "7.15.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "hid_bravura_monitor-59482290-25da-11eb-abcf-effcd51852fa", - "name": "panel_0", - "type": "visualization" - }, - { - "id": "hid_bravura_monitor-ef5b4da0-2b6d-11eb-abcf-effcd51852fa", - "name": "panel_1", - "type": "visualization" - }, - { - "id": "hid_bravura_monitor-046c7b20-2b6d-11eb-abcf-effcd51852fa", - "name": "panel_2", - "type": "search" - } - ], - "type": "dashboard" -} \ No newline at end of file 
diff --git a/packages/hid_bravura_monitor/1.2.3/kibana/dashboard/hid_bravura_monitor-4ee19fa0-fa02-11eb-a1ab-1964dffd1499.json b/packages/hid_bravura_monitor/1.2.3/kibana/dashboard/hid_bravura_monitor-4ee19fa0-fa02-11eb-a1ab-1964dffd1499.json deleted file mode 100755 index 668f8ebc02..0000000000 --- a/packages/hid_bravura_monitor/1.2.3/kibana/dashboard/hid_bravura_monitor-4ee19fa0-fa02-11eb-a1ab-1964dffd1499.json +++ /dev/null 
@@ -1,30 +0,0 @@ -{ - "attributes": { - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{},\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"annotations\":[],\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"id\":\"24e4b310-069e-11ec-8d63-433b7d9c06cf\"}],\"bar_color_rules\":[{\"id\":\"015e0b70-069f-11ec-8d63-433b7d9c06cf\"}],\"drop_last_bucket\":1,\"filter\":{\"language\":\"kuery\",\"query\":\"hid_bravura_monitor.perf.kind: PerfExe AND NOT (hid_bravura_monitor.perf.exe: *plugin*)\"},\"gauge_color_rules\":[{\"id\":\"040388f0-069f-11ec-8d63-433b7d9c06cf\"}],\"gauge_inner_width\":10,\"gauge_style\":\"half\",\"gauge_width\":10,\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"logs-*\",\"interval\":\"\",\"isModelInvalid\":false,\"max_bars\":80,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"filter\":{\"language\":\"kuery\",\"query\":\"\"},\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":1,\"metrics\":[{\"field\":\"hid_bravura_monitor.perf.duration\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":\"kibana\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_exclude\":\"\",\"terms_field\":\"hid_bravura_monitor.perf.exe\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"tooltip_mode\":\"show_all\",\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Executable Average 
Duration\",\"type\":\"metrics\",\"uiState\":{}},\"type\":\"visualization\"},\"gridData\":{\"h\":17,\"i\":\"d09c2c16-f29a-48e2-bb74-471b6de1fc03\",\"w\":48,\"x\":0,\"y\":0},\"panelIndex\":\"d09c2c16-f29a-48e2-bb74-471b6de1fc03\",\"type\":\"visualization\",\"version\":\"7.15.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":25,\"i\":\"198257f3-2b86-41f1-83cf-2090465b56a8\",\"w\":48,\"x\":0,\"y\":17},\"panelIndex\":\"198257f3-2b86-41f1-83cf-2090465b56a8\",\"panelRefName\":\"panel_1\",\"version\":\"8.0.0\"}]", - "timeRestore": false, - "title": "[Bravura Monitor] Processes - Executables", - "version": 1 - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-4ee19fa0-fa02-11eb-a1ab-1964dffd1499", - "migrationVersion": { - "dashboard": "7.15.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "hid_bravura_monitor-f9ed0ec0-2eab-11eb-b6a1-bdb7d768b585", - "name": "panel_1", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/hid_bravura_monitor/1.2.3/kibana/dashboard/hid_bravura_monitor-52cf42a0-fa04-11eb-a1ab-1964dffd1499.json b/packages/hid_bravura_monitor/1.2.3/kibana/dashboard/hid_bravura_monitor-52cf42a0-fa04-11eb-a1ab-1964dffd1499.json deleted file mode 100755 index dd04c65524..0000000000 --- a/packages/hid_bravura_monitor/1.2.3/kibana/dashboard/hid_bravura_monitor-52cf42a0-fa04-11eb-a1ab-1964dffd1499.json +++ /dev/null 
@@ -1,45 +0,0 @@ -{ - "attributes": { - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":20,\"i\":\"2852a22c-425f-45b2-b953-6b0f3d214447\",\"w\":11,\"x\":0,\"y\":0},\"panelIndex\":\"2852a22c-425f-45b2-b953-6b0f3d214447\",\"panelRefName\":\"panel_0\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":20,\"i\":\"9e84cdcf-b3f1-44b5-bdc4-67bb7cb7b7ac\",\"w\":37,\"x\":11,\"y\":0},\"panelIndex\":\"9e84cdcf-b3f1-44b5-bdc4-67bb7cb7b7ac\",\"panelRefName\":\"panel_1\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"c3a20836-de82-44e2-a23c-38ac861cc7df\",\"w\":48,\"x\":0,\"y\":20},\"panelIndex\":\"c3a20836-de82-44e2-a23c-38ac861cc7df\",\"panelRefName\":\"panel_2\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"aa105229-2ee8-417b-a85b-ab83300357ee\",\"w\":48,\"x\":0,\"y\":35},\"panelIndex\":\"aa105229-2ee8-417b-a85b-ab83300357ee\",\"panelRefName\":\"panel_3\",\"version\":\"8.0.0\"}]", - "timeRestore": false, - "title": "[Bravura Monitor] Workflow - Summary (Logs)", - "version": 1 - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-52cf42a0-fa04-11eb-a1ab-1964dffd1499", - "migrationVersion": { - "dashboard": "7.15.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "hid_bravura_monitor-77f6f520-1add-11eb-abcf-effcd51852fa", - "name": "panel_0", - "type": "visualization" - }, - { - "id": "hid_bravura_monitor-0cf3f020-1add-11eb-abcf-effcd51852fa", - "name": "panel_1", - "type": "visualization" - }, - { - "id": "hid_bravura_monitor-0cb6caa0-1ade-11eb-abcf-effcd51852fa", - "name": "panel_2", - "type": "visualization" - }, - { - "id": 
"hid_bravura_monitor-d1f2d8c0-1473-11eb-bb7b-bb041e8cf289", - "name": "panel_3", - "type": "search" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/hid_bravura_monitor/1.2.3/kibana/dashboard/hid_bravura_monitor-578cb360-f9f3-11eb-a1ab-1964dffd1499.json b/packages/hid_bravura_monitor/1.2.3/kibana/dashboard/hid_bravura_monitor-578cb360-f9f3-11eb-a1ab-1964dffd1499.json deleted file mode 100755 index c48e8c460b..0000000000 --- a/packages/hid_bravura_monitor/1.2.3/kibana/dashboard/hid_bravura_monitor-578cb360-f9f3-11eb-a1ab-1964dffd1499.json +++ /dev/null 
@@ -1,40 +0,0 @@ -{ - "attributes": { - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":20,\"i\":\"647b541e-ba69-4580-8b5c-82b99e9141db\",\"w\":14,\"x\":0,\"y\":0},\"panelIndex\":\"647b541e-ba69-4580-8b5c-82b99e9141db\",\"panelRefName\":\"panel_0\",\"version\":\"7.11.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":20,\"i\":\"3d4e7a89-9376-40e8-a110-aea6fad8704d\",\"w\":34,\"x\":14,\"y\":0},\"panelIndex\":\"3d4e7a89-9376-40e8-a110-aea6fad8704d\",\"panelRefName\":\"panel_1\",\"version\":\"7.11.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":19,\"i\":\"c530e489-474a-4a2a-8498-860233140305\",\"w\":48,\"x\":0,\"y\":20},\"panelIndex\":\"c530e489-474a-4a2a-8498-860233140305\",\"panelRefName\":\"panel_2\",\"version\":\"7.11.0\"}]", - "timeRestore": false, - "title": "[Bravura Monitor] Administrative - Summary", - "version": 1 - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-578cb360-f9f3-11eb-a1ab-1964dffd1499", - "migrationVersion": { - "dashboard": "7.15.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "hid_bravura_monitor-07f86e00-d835-11eb-9e70-edcbba448215", - "name": "panel_0", - "type": "visualization" - }, - { - "id": "hid_bravura_monitor-33258a00-d398-11eb-9e70-edcbba448215", - "name": "panel_1", - "type": "visualization" - }, - { - "id": "hid_bravura_monitor-dca8bb20-d397-11eb-9e70-edcbba448215", - "name": "panel_2", - "type": "search" - } - ], - "type": "dashboard" -} \ No newline at end of file 
diff --git a/packages/hid_bravura_monitor/1.2.3/kibana/dashboard/hid_bravura_monitor-6ebde770-fa02-11eb-a1ab-1964dffd1499.json b/packages/hid_bravura_monitor/1.2.3/kibana/dashboard/hid_bravura_monitor-6ebde770-fa02-11eb-a1ab-1964dffd1499.json deleted file mode 100755 index 02a9b3f565..0000000000 --- a/packages/hid_bravura_monitor/1.2.3/kibana/dashboard/hid_bravura_monitor-6ebde770-fa02-11eb-a1ab-1964dffd1499.json +++ /dev/null 
@@ -1,30 +0,0 @@ -{ - "attributes": { - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"drop_last_bucket\":1,\"filter\":{\"language\":\"kuery\",\"query\":\"hid_bravura_monitor.perf.kind: PerfExe AND hid_bravura_monitor.perf.exe: *plugin*\"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"logs-*\",\"interval\":\"\",\"isModelInvalid\":false,\"max_bars\":70,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":1,\"metrics\":[{\"field\":\"hid_bravura_monitor.perf.duration\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":\"kibana\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"hid_bravura_monitor.perf.exe\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"tooltip_mode\":\"show_all\",\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"\",\"type\":\"metrics\",\"uiState\":{}},\"type\":\"visualization\"},\"gridData\":{\"h\":17,\"i\":\"9f0e186d-5e7d-495b-968b-65a909a63c78\",\"w\":48,\"x\":0,\"y\":0},\"panelIndex\":\"9f0e186d-5e7d-495b-968b-65a909a63c78\",\"title\":\"Plugin Average 
Duration\",\"type\":\"visualization\",\"version\":\"7.15.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":25,\"i\":\"f71897e4-f55e-4fb5-93e1-8825546d3116\",\"w\":48,\"x\":0,\"y\":17},\"panelIndex\":\"f71897e4-f55e-4fb5-93e1-8825546d3116\",\"panelRefName\":\"panel_1\",\"version\":\"8.0.0\"}]", - "timeRestore": false, - "title": "[Bravura Monitor] Processes - Plugins", - "version": 1 - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-6ebde770-fa02-11eb-a1ab-1964dffd1499", - "migrationVersion": { - "dashboard": "7.15.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "hid_bravura_monitor-1a2adb70-2f44-11eb-b6a1-bdb7d768b585", - "name": "panel_1", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/hid_bravura_monitor/1.2.3/kibana/dashboard/hid_bravura_monitor-7c5c1ef0-fa03-11eb-a1ab-1964dffd1499.json b/packages/hid_bravura_monitor/1.2.3/kibana/dashboard/hid_bravura_monitor-7c5c1ef0-fa03-11eb-a1ab-1964dffd1499.json deleted file mode 100755 index e3f3fa0368..0000000000 --- a/packages/hid_bravura_monitor/1.2.3/kibana/dashboard/hid_bravura_monitor-7c5c1ef0-fa03-11eb-a1ab-1964dffd1499.json +++ /dev/null 
@@ -1,65 +0,0 @@ -{ - "attributes": { - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":7,\"i\":\"11dfd31e-217a-468c-b9a4-1d171916550b\",\"w\":12,\"x\":0,\"y\":0},\"panelIndex\":\"11dfd31e-217a-468c-b9a4-1d171916550b\",\"panelRefName\":\"panel_0\",\"version\":\"7.11.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":17,\"i\":\"ecfdce59-b9f9-4b92-bf44-fc2b0b30940e\",\"w\":36,\"x\":12,\"y\":0},\"panelIndex\":\"ecfdce59-b9f9-4b92-bf44-fc2b0b30940e\",\"panelRefName\":\"panel_1\",\"version\":\"7.11.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":10,\"i\":\"8e87968f-419b-416a-88b4-69575d6ca6c8\",\"w\":12,\"x\":0,\"y\":7},\"panelIndex\":\"8e87968f-419b-416a-88b4-69575d6ca6c8\",\"panelRefName\":\"panel_2\",\"version\":\"7.11.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":19,\"i\":\"d8250cb1-181e-4c67-8a07-2b5adaa631e1\",\"w\":12,\"x\":0,\"y\":17},\"panelIndex\":\"d8250cb1-181e-4c67-8a07-2b5adaa631e1\",\"panelRefName\":\"panel_3\",\"version\":\"7.11.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":19,\"i\":\"10e16f9a-7072-491a-a67f-3b37e4d2d6fe\",\"w\":9,\"x\":12,\"y\":17},\"panelIndex\":\"10e16f9a-7072-491a-a67f-3b37e4d2d6fe\",\"panelRefName\":\"panel_4\",\"version\":\"7.11.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":19,\"i\":\"4e305609-b4cd-47c1-b927-9bbb1905f879\",\"w\":9,\"x\":21,\"y\":17},\"panelIndex\":\"4e305609-b4cd-47c1-b927-9bbb1905f879\",\"panelRefName\":\"panel_5\",\"version\":\"7.11.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":19,\"i\":\"50d3505b-77d3-4128-a8f2-dd42c7e33ac0\",\"w\":18,\"x\":30,\"y\":17},\"panelIndex\":\"50d3505b-77d3-4128-a8f2-dd42c7e33ac0\",\"panelRefName\":\"pane
l_6\",\"version\":\"7.11.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"5added44-f55b-4d64-bac0-af8514792e8c\",\"w\":48,\"x\":0,\"y\":36},\"panelIndex\":\"5added44-f55b-4d64-bac0-af8514792e8c\",\"panelRefName\":\"panel_7\",\"version\":\"7.11.0\"}]", - "timeRestore": false, - "title": "[Bravura Monitor] Integrations - Connector Return Code", - "version": 1 - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-7c5c1ef0-fa03-11eb-a1ab-1964dffd1499", - "migrationVersion": { - "dashboard": "7.15.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "hid_bravura_monitor-4bfcdae0-2dcd-11eb-b6a1-bdb7d768b585", - "name": "panel_0", - "type": "visualization" - }, - { - "id": "hid_bravura_monitor-d7dc3680-1add-11eb-abcf-effcd51852fa", - "name": "panel_1", - "type": "visualization" - }, - { - "id": "hid_bravura_monitor-979ecd00-1abd-11eb-abcf-effcd51852fa", - "name": "panel_2", - "type": "visualization" - }, - { - "id": "hid_bravura_monitor-4b0765d0-1ade-11eb-abcf-effcd51852fa", - "name": "panel_3", - "type": "visualization" - }, - { - "id": "hid_bravura_monitor-878feb30-1ade-11eb-abcf-effcd51852fa", - "name": "panel_4", - "type": "visualization" - }, - { - "id": "hid_bravura_monitor-cf6ea950-1ade-11eb-abcf-effcd51852fa", - "name": "panel_5", - "type": "visualization" - }, - { - "id": "hid_bravura_monitor-f596ebf0-1adf-11eb-abcf-effcd51852fa", - "name": "panel_6", - "type": "visualization" - }, - { - "id": "hid_bravura_monitor-55100560-1add-11eb-abcf-effcd51852fa", - "name": "panel_7", - "type": "search" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/hid_bravura_monitor/1.2.3/kibana/dashboard/hid_bravura_monitor-8187dcb0-fa04-11eb-a1ab-1964dffd1499.json b/packages/hid_bravura_monitor/1.2.3/kibana/dashboard/hid_bravura_monitor-8187dcb0-fa04-11eb-a1ab-1964dffd1499.json deleted file mode 100755 index 64441e3537..0000000000 
--- a/packages/hid_bravura_monitor/1.2.3/kibana/dashboard/hid_bravura_monitor-8187dcb0-fa04-11eb-a1ab-1964dffd1499.json +++ /dev/null @@ -1,35 +0,0 @@ -{ - "attributes": { - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":25,\"i\":\"bbd62230-da7b-4a8d-8048-164a39c870a6\",\"w\":12,\"x\":0,\"y\":0},\"panelIndex\":\"bbd62230-da7b-4a8d-8048-164a39c870a6\",\"panelRefName\":\"panel_0\",\"version\":\"7.11.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":25,\"i\":\"006c196d-830d-4713-bf84-1bf393366bdc\",\"w\":36,\"x\":12,\"y\":0},\"panelIndex\":\"006c196d-830d-4713-bf84-1bf393366bdc\",\"panelRefName\":\"panel_1\",\"version\":\"7.11.0\"}]", - "timeRestore": false, - "title": "[Bravura Monitor] Dataset - Summary", - "version": 1 - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-8187dcb0-fa04-11eb-a1ab-1964dffd1499", - "migrationVersion": { - "dashboard": "7.15.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "hid_bravura_monitor-1b439670-25d8-11eb-abcf-effcd51852fa", - "name": "panel_0", - "type": "visualization" - }, - { - "id": "hid_bravura_monitor-8c755c30-25d7-11eb-abcf-effcd51852fa", - "name": "panel_1", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/hid_bravura_monitor/1.2.3/kibana/dashboard/hid_bravura_monitor-91029280-0520-11ec-853c-2bf1ec8ddeef.json b/packages/hid_bravura_monitor/1.2.3/kibana/dashboard/hid_bravura_monitor-91029280-0520-11ec-853c-2bf1ec8ddeef.json deleted file mode 100755 index 6c461459fa..0000000000 --- a/packages/hid_bravura_monitor/1.2.3/kibana/dashboard/hid_bravura_monitor-91029280-0520-11ec-853c-2bf1ec8ddeef.json +++ /dev/null 
@@ -1,55 +0,0 @@ -{ - "attributes": { - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"b525b8b8-13fc-4a51-82b0-233acc227625\",\"w\":24,\"x\":0,\"y\":0},\"panelIndex\":\"b525b8b8-13fc-4a51-82b0-233acc227625\",\"panelRefName\":\"panel_0\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"16f346a5-a0bf-421a-ba88-c678b4fffb2a\",\"w\":24,\"x\":24,\"y\":0},\"panelIndex\":\"16f346a5-a0bf-421a-ba88-c678b4fffb2a\",\"panelRefName\":\"panel_1\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"c23d8833-8154-4aa8-af8e-44dccd8cc199\",\"w\":16,\"x\":0,\"y\":15},\"panelIndex\":\"c23d8833-8154-4aa8-af8e-44dccd8cc199\",\"panelRefName\":\"panel_2\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"085c710d-1038-4a6a-be6f-21039079b15b\",\"w\":16,\"x\":16,\"y\":15},\"panelIndex\":\"085c710d-1038-4a6a-be6f-21039079b15b\",\"panelRefName\":\"panel_3\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"33ae3b0f-db67-48f5-abb8-192c029c5d98\",\"w\":16,\"x\":32,\"y\":15},\"panelIndex\":\"33ae3b0f-db67-48f5-abb8-192c029c5d98\",\"panelRefName\":\"panel_4\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"a70a3621-2a8e-48ed-8870-201731c7e08a\",\"w\":48,\"x\":0,\"y\":30},\"panelIndex\":\"a70a3621-2a8e-48ed-8870-201731c7e08a\",\"panelRefName\":\"panel_5\",\"version\":\"8.0.0\"}]", - "timeRestore": false, - "title": "[Bravura Monitor] Database - Replication (Windows Event)", - "version": 1 - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-91029280-0520-11ec-853c-2bf1ec8ddeef", 
- "migrationVersion": { - "dashboard": "7.15.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "hid_bravura_monitor-fddce510-d387-11eb-9e70-edcbba448215", - "name": "panel_0", - "type": "visualization" - }, - { - "id": "hid_bravura_monitor-2722d7e0-d388-11eb-9e70-edcbba448215", - "name": "panel_1", - "type": "visualization" - }, - { - "id": "hid_bravura_monitor-5b5237e0-d388-11eb-9e70-edcbba448215", - "name": "panel_2", - "type": "visualization" - }, - { - "id": "hid_bravura_monitor-80efbc20-d388-11eb-9e70-edcbba448215", - "name": "panel_3", - "type": "visualization" - }, - { - "id": "hid_bravura_monitor-9a513b80-d388-11eb-9e70-edcbba448215", - "name": "panel_4", - "type": "visualization" - }, - { - "id": "hid_bravura_monitor-9a787d10-0521-11ec-853c-2bf1ec8ddeef", - "name": "panel_5", - "type": "search" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/hid_bravura_monitor/1.2.3/kibana/dashboard/hid_bravura_monitor-a8739000-f9fd-11eb-a1ab-1964dffd1499.json b/packages/hid_bravura_monitor/1.2.3/kibana/dashboard/hid_bravura_monitor-a8739000-f9fd-11eb-a1ab-1964dffd1499.json deleted file mode 100755 index d28ef16730..0000000000 --- a/packages/hid_bravura_monitor/1.2.3/kibana/dashboard/hid_bravura_monitor-a8739000-f9fd-11eb-a1ab-1964dffd1499.json +++ /dev/null 
@@ -1,50 +0,0 @@ -{ - "attributes": { - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":10,\"i\":\"486bc4b4-3c64-46f8-a319-01204f38c3be\",\"w\":7,\"x\":0,\"y\":0},\"panelIndex\":\"486bc4b4-3c64-46f8-a319-01204f38c3be\",\"panelRefName\":\"panel_0\",\"version\":\"7.11.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":10,\"i\":\"b5abbb3d-eb82-45a8-a972-13b692b11c16\",\"w\":41,\"x\":7,\"y\":0},\"panelIndex\":\"b5abbb3d-eb82-45a8-a972-13b692b11c16\",\"panelRefName\":\"panel_1\",\"title\":\"Users: Pages: Node Usage\",\"version\":\"7.11.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":18,\"i\":\"f1b6be80-c65b-4d88-861a-e8a66275bd62\",\"w\":10,\"x\":0,\"y\":10},\"panelIndex\":\"f1b6be80-c65b-4d88-861a-e8a66275bd62\",\"panelRefName\":\"panel_2\",\"title\":\"Users: Pages: User Logins\",\"version\":\"7.11.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":18,\"i\":\"09961de3-ede6-4ecf-a45a-ebe3040366f0\",\"w\":38,\"x\":10,\"y\":10},\"panelIndex\":\"09961de3-ede6-4ecf-a45a-ebe3040366f0\",\"panelRefName\":\"panel_3\",\"version\":\"7.11.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":16,\"i\":\"144da17a-d86d-49a2-9dfa-db606fb73c54\",\"w\":48,\"x\":0,\"y\":28},\"panelIndex\":\"144da17a-d86d-49a2-9dfa-db606fb73c54\",\"panelRefName\":\"panel_4\",\"version\":\"7.11.0\"}]", - "timeRestore": false, - "title": "[Bravura Monitor] Users - Pages", - "version": 1 - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-a8739000-f9fd-11eb-a1ab-1964dffd1499", - "migrationVersion": { - "dashboard": "7.15.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": 
"hid_bravura_monitor-552d3e80-1a26-11eb-abcf-effcd51852fa", - "name": "panel_0", - "type": "visualization" - }, - { - "id": "hid_bravura_monitor-1269fd70-1956-11eb-abcf-effcd51852fa", - "name": "panel_1", - "type": "visualization" - }, - { - "id": "hid_bravura_monitor-bde40aa0-1957-11eb-abcf-effcd51852fa", - "name": "panel_2", - "type": "visualization" - }, - { - "id": "hid_bravura_monitor-00cbeab0-1a28-11eb-abcf-effcd51852fa", - "name": "panel_3", - "type": "visualization" - }, - { - "id": "hid_bravura_monitor-77cbe8b0-de89-11eb-a272-2d62b237e243", - "name": "panel_4", - "type": "search" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/hid_bravura_monitor/1.2.3/kibana/dashboard/hid_bravura_monitor-a9ea8420-f9f3-11eb-a1ab-1964dffd1499.json b/packages/hid_bravura_monitor/1.2.3/kibana/dashboard/hid_bravura_monitor-a9ea8420-f9f3-11eb-a1ab-1964dffd1499.json deleted file mode 100755 index 656bd39b30..0000000000 --- a/packages/hid_bravura_monitor/1.2.3/kibana/dashboard/hid_bravura_monitor-a9ea8420-f9f3-11eb-a1ab-1964dffd1499.json +++ /dev/null 
@@ -1,35 +0,0 @@ -{ - "attributes": { - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":26,\"i\":\"5d50c25d-870c-4aa5-a1f9-5c79904db3d1\",\"w\":13,\"x\":0,\"y\":0},\"panelIndex\":\"5d50c25d-870c-4aa5-a1f9-5c79904db3d1\",\"panelRefName\":\"panel_0\",\"version\":\"7.11.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":26,\"i\":\"11298d56-d098-45e3-b23a-6992c24c5652\",\"w\":35,\"x\":13,\"y\":0},\"panelIndex\":\"11298d56-d098-45e3-b23a-6992c24c5652\",\"panelRefName\":\"panel_1\",\"version\":\"7.11.0\"}]", - "timeRestore": false, - "title": "[Bravura Monitor] Administrative - Password Resets", - "version": 1 - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-a9ea8420-f9f3-11eb-a1ab-1964dffd1499", - "migrationVersion": { - "dashboard": "7.15.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "hid_bravura_monitor-b8f9a5c0-d83f-11eb-9e70-edcbba448215", - "name": "panel_0", - "type": "visualization" - }, - { - "id": "hid_bravura_monitor-fe779080-d83f-11eb-9e70-edcbba448215", - "name": "panel_1", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/hid_bravura_monitor/1.2.3/kibana/dashboard/hid_bravura_monitor-b0fd1f50-06a2-11ec-a72d-e52b79e13120.json b/packages/hid_bravura_monitor/1.2.3/kibana/dashboard/hid_bravura_monitor-b0fd1f50-06a2-11ec-a72d-e52b79e13120.json deleted file mode 100755 index 9e7e6d4034..0000000000 --- a/packages/hid_bravura_monitor/1.2.3/kibana/dashboard/hid_bravura_monitor-b0fd1f50-06a2-11ec-a72d-e52b79e13120.json +++ /dev/null 
@@ -1,45 +0,0 @@ -{ - "attributes": { - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"84ac5874-8913-4514-8d51-f2b3cd522a49\",\"w\":11,\"x\":0,\"y\":0},\"panelIndex\":\"84ac5874-8913-4514-8d51-f2b3cd522a49\",\"panelRefName\":\"panel_0\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":30,\"i\":\"9f39a308-2152-471a-911f-5bb8e316262e\",\"w\":37,\"x\":11,\"y\":0},\"panelIndex\":\"9f39a308-2152-471a-911f-5bb8e316262e\",\"panelRefName\":\"panel_1\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"93f64f12-ac6d-4462-96c2-53d0c477a0ca\",\"w\":11,\"x\":0,\"y\":15},\"panelIndex\":\"93f64f12-ac6d-4462-96c2-53d0c477a0ca\",\"panelRefName\":\"panel_2\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":18,\"i\":\"87039932-a528-4dba-875e-bed137149330\",\"w\":48,\"x\":0,\"y\":30},\"panelIndex\":\"87039932-a528-4dba-875e-bed137149330\",\"panelRefName\":\"panel_3\",\"version\":\"8.0.0\"}]", - "timeRestore": false, - "title": "[Bravura Monitor] Workflow - Summary (Windows Event)", - "version": 1 - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-b0fd1f50-06a2-11ec-a72d-e52b79e13120", - "migrationVersion": { - "dashboard": "7.15.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "hid_bravura_monitor-1211f840-d90a-11eb-9e70-edcbba448215", - "name": "panel_0", - "type": "visualization" - }, - { - "id": "hid_bravura_monitor-6ac75200-d90a-11eb-9e70-edcbba448215", - "name": "panel_1", - "type": "visualization" - }, - { - "id": "hid_bravura_monitor-3ec54c70-d90a-11eb-9e70-edcbba448215", - "name": "panel_2", - "type": "visualization" - }, - { - "id": 
"hid_bravura_monitor-53be5e10-d909-11eb-9e70-edcbba448215", - "name": "panel_3", - "type": "search" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/hid_bravura_monitor/1.2.3/kibana/dashboard/hid_bravura_monitor-b66f3780-fa03-11eb-a1ab-1964dffd1499.json b/packages/hid_bravura_monitor/1.2.3/kibana/dashboard/hid_bravura_monitor-b66f3780-fa03-11eb-a1ab-1964dffd1499.json deleted file mode 100755 index 02dd9de7a8..0000000000 --- a/packages/hid_bravura_monitor/1.2.3/kibana/dashboard/hid_bravura_monitor-b66f3780-fa03-11eb-a1ab-1964dffd1499.json +++ /dev/null 
@@ -1,35 +0,0 @@ -{ - "attributes": { - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"9ccdc869-ebc2-4871-a11a-8d594aff7ccd\",\"w\":48,\"x\":0,\"y\":0},\"panelIndex\":\"9ccdc869-ebc2-4871-a11a-8d594aff7ccd\",\"panelRefName\":\"panel_0\",\"version\":\"7.11.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":18,\"i\":\"b68e2e9c-13fa-4a90-baa2-40caefe3cb38\",\"w\":48,\"x\":0,\"y\":15},\"panelIndex\":\"b68e2e9c-13fa-4a90-baa2-40caefe3cb38\",\"panelRefName\":\"panel_1\",\"version\":\"7.11.0\"}]", - "timeRestore": false, - "title": "[Bravura Monitor] Integrations - Connector Performance", - "version": 1 - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-b66f3780-fa03-11eb-a1ab-1964dffd1499", - "migrationVersion": { - "dashboard": "7.15.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "hid_bravura_monitor-64514c50-1a1f-11eb-abcf-effcd51852fa", - "name": "panel_0", - "type": "visualization" - }, - { - "id": "hid_bravura_monitor-ec082d90-1aaf-11eb-abcf-effcd51852fa", - "name": "panel_1", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/hid_bravura_monitor/1.2.3/kibana/dashboard/hid_bravura_monitor-b9bc5190-fa01-11eb-a1ab-1964dffd1499.json b/packages/hid_bravura_monitor/1.2.3/kibana/dashboard/hid_bravura_monitor-b9bc5190-fa01-11eb-a1ab-1964dffd1499.json deleted file mode 100755 index 4bf412d86b..0000000000 --- a/packages/hid_bravura_monitor/1.2.3/kibana/dashboard/hid_bravura_monitor-b9bc5190-fa01-11eb-a1ab-1964dffd1499.json +++ /dev/null 
@@ -1,45 +0,0 @@ -{ - "attributes": { - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"f5d8eb70-30ce-4899-9905-2aa35954d01d\",\"w\":48,\"x\":0,\"y\":0},\"panelIndex\":\"f5d8eb70-30ce-4899-9905-2aa35954d01d\",\"panelRefName\":\"panel_0\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"a5499566-62cb-421c-8276-7a9398643a06\",\"w\":24,\"x\":0,\"y\":15},\"panelIndex\":\"a5499566-62cb-421c-8276-7a9398643a06\",\"panelRefName\":\"panel_1\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"5fc759c3-9678-4b3c-b0d5-dcfad77adfe8\",\"w\":24,\"x\":24,\"y\":15},\"panelIndex\":\"5fc759c3-9678-4b3c-b0d5-dcfad77adfe8\",\"panelRefName\":\"panel_2\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"84970d7a-efbd-451d-9619-25381510ab94\",\"w\":48,\"x\":0,\"y\":30},\"panelIndex\":\"84970d7a-efbd-451d-9619-25381510ab94\",\"panelRefName\":\"panel_3\",\"version\":\"8.0.0\"}]", - "timeRestore": false, - "title": "[Bravura Monitor] Database - Replication (Logs)", - "version": 1 - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-b9bc5190-fa01-11eb-a1ab-1964dffd1499", - "migrationVersion": { - "dashboard": "7.15.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "hid_bravura_monitor-a8002430-25d7-11eb-abcf-effcd51852fa", - "name": "panel_0", - "type": "visualization" - }, - { - "id": "hid_bravura_monitor-95fb9a70-25d8-11eb-abcf-effcd51852fa", - "name": "panel_1", - "type": "visualization" - }, - { - "id": "hid_bravura_monitor-341531e0-25d8-11eb-abcf-effcd51852fa", - "name": "panel_2", - "type": "visualization" - }, - { - "id": 
"hid_bravura_monitor-2e254220-df55-11eb-9b6e-d57491399e2a", - "name": "panel_3", - "type": "search" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/hid_bravura_monitor/1.2.3/kibana/dashboard/hid_bravura_monitor-c5417bd0-f9fc-11eb-a1ab-1964dffd1499.json b/packages/hid_bravura_monitor/1.2.3/kibana/dashboard/hid_bravura_monitor-c5417bd0-f9fc-11eb-a1ab-1964dffd1499.json deleted file mode 100755 index 7315087291..0000000000 --- a/packages/hid_bravura_monitor/1.2.3/kibana/dashboard/hid_bravura_monitor-c5417bd0-f9fc-11eb-a1ab-1964dffd1499.json +++ /dev/null 
@@ -1,55 +0,0 @@ -{ - "attributes": { - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":13,\"i\":\"f71be298-074a-43c0-a3fe-1035fd98a8a7\",\"w\":6,\"x\":0,\"y\":0},\"panelIndex\":\"f71be298-074a-43c0-a3fe-1035fd98a8a7\",\"panelRefName\":\"panel_0\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":13,\"i\":\"b80b0e2a-b786-48ec-88a5-bc8104ddbd42\",\"w\":42,\"x\":6,\"y\":0},\"panelIndex\":\"b80b0e2a-b786-48ec-88a5-bc8104ddbd42\",\"panelRefName\":\"panel_1\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":18,\"i\":\"60432682-b874-48c8-9b8b-3bbf4e650385\",\"w\":12,\"x\":0,\"y\":13},\"panelIndex\":\"60432682-b874-48c8-9b8b-3bbf4e650385\",\"panelRefName\":\"panel_2\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":18,\"i\":\"2af36389-5601-4930-b3ec-b44c671c56ff\",\"w\":13,\"x\":12,\"y\":13},\"panelIndex\":\"2af36389-5601-4930-b3ec-b44c671c56ff\",\"panelRefName\":\"panel_3\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":18,\"i\":\"ed2e421f-36f7-4501-9e4e-34ddae454f07\",\"w\":23,\"x\":25,\"y\":13},\"panelIndex\":\"ed2e421f-36f7-4501-9e4e-34ddae454f07\",\"panelRefName\":\"panel_4\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":14,\"i\":\"7dd049bb-de23-4838-9bec-3d66ef9c07bc\",\"w\":48,\"x\":0,\"y\":31},\"panelIndex\":\"7dd049bb-de23-4838-9bec-3d66ef9c07bc\",\"panelRefName\":\"panel_5\",\"version\":\"8.0.0\"}]", - "timeRestore": false, - "title": "[Bravura Monitor] Users - API", - "version": 1 - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-c5417bd0-f9fc-11eb-a1ab-1964dffd1499", - "migrationVersion": { - 
"dashboard": "7.15.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "hid_bravura_monitor-be6560d0-1a21-11eb-abcf-effcd51852fa", - "name": "panel_0", - "type": "visualization" - }, - { - "id": "hid_bravura_monitor-05cb9390-1a22-11eb-abcf-effcd51852fa", - "name": "panel_1", - "type": "visualization" - }, - { - "id": "hid_bravura_monitor-9357e910-2b67-11eb-abcf-effcd51852fa", - "name": "panel_2", - "type": "visualization" - }, - { - "id": "hid_bravura_monitor-3bd92210-1a25-11eb-abcf-effcd51852fa", - "name": "panel_3", - "type": "visualization" - }, - { - "id": "hid_bravura_monitor-0799ca70-2b66-11eb-abcf-effcd51852fa", - "name": "panel_4", - "type": "visualization" - }, - { - "id": "hid_bravura_monitor-ad5f7180-1473-11eb-bb7b-bb041e8cf289", - "name": "panel_5", - "type": "search" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/hid_bravura_monitor/1.2.3/kibana/dashboard/hid_bravura_monitor-cc6c9cf0-fa06-11eb-96cd-db0fb11a40f3.json b/packages/hid_bravura_monitor/1.2.3/kibana/dashboard/hid_bravura_monitor-cc6c9cf0-fa06-11eb-96cd-db0fb11a40f3.json deleted file mode 100755 index c5ba0bc63a..0000000000 --- a/packages/hid_bravura_monitor/1.2.3/kibana/dashboard/hid_bravura_monitor-cc6c9cf0-fa06-11eb-96cd-db0fb11a40f3.json +++ /dev/null 
@@ -1,45 +0,0 @@ -{ - "attributes": { - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":18,\"i\":\"5d934c5f-f909-4f75-a036-ac6253f5f974\",\"w\":9,\"x\":0,\"y\":0},\"panelIndex\":\"5d934c5f-f909-4f75-a036-ac6253f5f974\",\"panelRefName\":\"panel_0\",\"version\":\"7.11.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":18,\"i\":\"7d27410b-537a-4c95-a1d8-8a64f363b90c\",\"w\":39,\"x\":9,\"y\":0},\"panelIndex\":\"7d27410b-537a-4c95-a1d8-8a64f363b90c\",\"panelRefName\":\"panel_1\",\"version\":\"7.11.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":19,\"i\":\"27bdc4ea-7adc-4dee-9526-402fb6ec6d8b\",\"w\":30,\"x\":0,\"y\":18},\"panelIndex\":\"27bdc4ea-7adc-4dee-9526-402fb6ec6d8b\",\"panelRefName\":\"panel_2\",\"version\":\"7.11.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":19,\"i\":\"4c4f5228-f158-4ccc-afa5-e90d73bca46d\",\"w\":18,\"x\":30,\"y\":18},\"panelIndex\":\"4c4f5228-f158-4ccc-afa5-e90d73bca46d\",\"panelRefName\":\"panel_3\",\"version\":\"7.11.0\"}]", - "timeRestore": false, - "title": "[Bravura Monitor] Windows Event Analysis - Logins", - "version": 1 - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-cc6c9cf0-fa06-11eb-96cd-db0fb11a40f3", - "migrationVersion": { - "dashboard": "7.15.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "hid_bravura_monitor-42dc53c0-243e-11eb-abcf-effcd51852fa", - "name": "panel_0", - "type": "visualization" - }, - { - "id": "hid_bravura_monitor-2a088ae0-243d-11eb-abcf-effcd51852fa", - "name": "panel_1", - "type": "visualization" - }, - { - "id": "hid_bravura_monitor-aabca810-2456-11eb-abcf-effcd51852fa", - "name": "panel_2", - "type": "visualization" - }, - { - "id": 
"hid_bravura_monitor-cc0f81c0-243f-11eb-abcf-effcd51852fa", - "name": "panel_3", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/hid_bravura_monitor/1.2.3/kibana/dashboard/hid_bravura_monitor-d17be4f0-f9fa-11eb-a1ab-1964dffd1499.json b/packages/hid_bravura_monitor/1.2.3/kibana/dashboard/hid_bravura_monitor-d17be4f0-f9fa-11eb-a1ab-1964dffd1499.json deleted file mode 100755 index 0b45fe2cd7..0000000000 --- a/packages/hid_bravura_monitor/1.2.3/kibana/dashboard/hid_bravura_monitor-d17be4f0-f9fa-11eb-a1ab-1964dffd1499.json +++ /dev/null @@ -1,35 +0,0 @@ -{ - "attributes": { - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":26,\"i\":\"b8ac330d-572e-459e-9266-bd44fc9ac283\",\"w\":14,\"x\":0,\"y\":0},\"panelIndex\":\"b8ac330d-572e-459e-9266-bd44fc9ac283\",\"panelRefName\":\"panel_0\",\"version\":\"7.11.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":26,\"i\":\"3316ec90-b61b-4f5a-9c43-02e7bda7604f\",\"w\":34,\"x\":14,\"y\":0},\"panelIndex\":\"3316ec90-b61b-4f5a-9c43-02e7bda7604f\",\"panelRefName\":\"panel_1\",\"version\":\"7.11.0\"}]", - "timeRestore": false, - "title": "[Bravura Monitor] Users - Summary", - "version": 1 - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-d17be4f0-f9fa-11eb-a1ab-1964dffd1499", - "migrationVersion": { - "dashboard": "7.15.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "hid_bravura_monitor-bde40aa0-1957-11eb-abcf-effcd51852fa", - "name": "panel_0", - "type": "visualization" - }, - { - "id": "hid_bravura_monitor-1269fd70-1956-11eb-abcf-effcd51852fa", - "name": "panel_1", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file 
diff --git a/packages/hid_bravura_monitor/1.2.3/kibana/dashboard/hid_bravura_monitor-d3a33820-fa02-11eb-a1ab-1964dffd1499.json b/packages/hid_bravura_monitor/1.2.3/kibana/dashboard/hid_bravura_monitor-d3a33820-fa02-11eb-a1ab-1964dffd1499.json
deleted file mode 100755
index ec02c160af..0000000000
--- a/packages/hid_bravura_monitor/1.2.3/kibana/dashboard/hid_bravura_monitor-d3a33820-fa02-11eb-a1ab-1964dffd1499.json
+++ /dev/null
@@ -1,65 +0,0 @@ -{ - "attributes": { - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":13,\"i\":\"a8b8efc3-5a4e-470b-9229-7ad661fb5012\",\"w\":48,\"x\":0,\"y\":0},\"panelIndex\":\"a8b8efc3-5a4e-470b-9229-7ad661fb5012\",\"panelRefName\":\"panel_0\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":16,\"i\":\"aea7ed7d-82b6-4939-975e-fd4deb845e39\",\"w\":8,\"x\":0,\"y\":13},\"panelIndex\":\"aea7ed7d-82b6-4939-975e-fd4deb845e39\",\"panelRefName\":\"panel_1\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":16,\"i\":\"def5b420-7c49-4363-a30f-7c0c6c13929d\",\"w\":8,\"x\":8,\"y\":13},\"panelIndex\":\"def5b420-7c49-4363-a30f-7c0c6c13929d\",\"panelRefName\":\"panel_2\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":16,\"i\":\"f3e25e5c-0f66-4eb3-916e-8243184f2b0d\",\"w\":8,\"x\":16,\"y\":13},\"panelIndex\":\"f3e25e5c-0f66-4eb3-916e-8243184f2b0d\",\"panelRefName\":\"panel_3\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":16,\"i\":\"c04915c9-e5d6-4c1f-815a-efc1c0b35c7d\",\"w\":8,\"x\":24,\"y\":13},\"panelIndex\":\"c04915c9-e5d6-4c1f-815a-efc1c0b35c7d\",\"panelRefName\":\"panel_4\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":16,\"i\":\"b7966004-1c02-4fa5-a8ce-5a3362adfb5a\",\"w\":16,\"x\":32,\"y\":13},\"panelIndex\":\"b7966004-1c02-4fa5-a8ce-5a3362adfb5a\",\"panelRefName\":\"panel_5\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":16,\"i\":\"1efe3f34-de43-4ffb-992d-8b21cbb771a0\",\"w\":48,\"x\":0,\"y\":29},\"panelIndex\":\"1efe3f34-de43-4ffb-992d-8b21cbb771a0\",\"panelRefName\":\"panel_6\",
\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":18,\"i\":\"81a7ce31-d928-48c7-9b8d-acd00a43d08e\",\"w\":48,\"x\":0,\"y\":45},\"panelIndex\":\"81a7ce31-d928-48c7-9b8d-acd00a43d08e\",\"panelRefName\":\"panel_7\",\"version\":\"8.0.0\"}]", - "timeRestore": false, - "title": "[Bravura Monitor] Integrations - Connectors", - "version": 1 - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-d3a33820-fa02-11eb-a1ab-1964dffd1499", - "migrationVersion": { - "dashboard": "7.15.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "hid_bravura_monitor-64514c50-1a1f-11eb-abcf-effcd51852fa", - "name": "panel_0", - "type": "visualization" - }, - { - "id": "hid_bravura_monitor-db898d80-1a21-11eb-abcf-effcd51852fa", - "name": "panel_1", - "type": "visualization" - }, - { - "id": "hid_bravura_monitor-00dc0a80-1adc-11eb-abcf-effcd51852fa", - "name": "panel_2", - "type": "visualization" - }, - { - "id": "hid_bravura_monitor-06fb9d30-1a24-11eb-abcf-effcd51852fa", - "name": "panel_3", - "type": "visualization" - }, - { - "id": "hid_bravura_monitor-1ddd3300-1a25-11eb-abcf-effcd51852fa", - "name": "panel_4", - "type": "visualization" - }, - { - "id": "hid_bravura_monitor-d5dcbf40-1a28-11eb-abcf-effcd51852fa", - "name": "panel_5", - "type": "visualization" - }, - { - "id": "hid_bravura_monitor-85943290-1a2b-11eb-abcf-effcd51852fa", - "name": "panel_6", - "type": "visualization" - }, - { - "id": "hid_bravura_monitor-bfc7f7c0-1473-11eb-bb7b-bb041e8cf289", - "name": "panel_7", - "type": "search" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/hid_bravura_monitor/1.2.3/kibana/dashboard/hid_bravura_monitor-d59177c0-f9fb-11eb-a1ab-1964dffd1499.json b/packages/hid_bravura_monitor/1.2.3/kibana/dashboard/hid_bravura_monitor-d59177c0-f9fb-11eb-a1ab-1964dffd1499.json deleted file mode 100755 index 678b3b629f..0000000000 
--- a/packages/hid_bravura_monitor/1.2.3/kibana/dashboard/hid_bravura_monitor-d59177c0-f9fb-11eb-a1ab-1964dffd1499.json
+++ /dev/null
@@ -1,45 +0,0 @@ -{ - "attributes": { - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":16,\"i\":\"5d1eb62a-f7dd-4f14-8961-96a768f70c07\",\"w\":24,\"x\":0,\"y\":0},\"panelIndex\":\"5d1eb62a-f7dd-4f14-8961-96a768f70c07\",\"panelRefName\":\"panel_0\",\"version\":\"7.11.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":16,\"i\":\"013b41ba-55b7-4ed3-9c9e-5c3984651cd8\",\"w\":24,\"x\":24,\"y\":0},\"panelIndex\":\"013b41ba-55b7-4ed3-9c9e-5c3984651cd8\",\"panelRefName\":\"panel_1\",\"version\":\"7.11.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":16,\"i\":\"d68fe28e-8def-4ea8-b848-ef2b97430924\",\"w\":24,\"x\":0,\"y\":16},\"panelIndex\":\"d68fe28e-8def-4ea8-b848-ef2b97430924\",\"panelRefName\":\"panel_2\",\"version\":\"7.11.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":16,\"i\":\"63b07db7-cd19-4cb8-839d-e7801ef7c5f8\",\"w\":24,\"x\":24,\"y\":16},\"panelIndex\":\"63b07db7-cd19-4cb8-839d-e7801ef7c5f8\",\"panelRefName\":\"panel_3\",\"version\":\"7.11.0\"}]", - "timeRestore": false, - "title": "[Bravura Monitor] Users - Authentication", - "version": 1 - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-d59177c0-f9fb-11eb-a1ab-1964dffd1499", - "migrationVersion": { - "dashboard": "7.15.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "hid_bravura_monitor-6ad826b0-d37f-11eb-9e70-edcbba448215", - "name": "panel_0", - "type": "visualization" - }, - { - "id": "hid_bravura_monitor-211feda0-d37f-11eb-9e70-edcbba448215", - "name": "panel_1", - "type": "visualization" - }, - { - "id": "hid_bravura_monitor-9036f440-d37f-11eb-9e70-edcbba448215", - "name": "panel_2", - "type": "visualization" - }, - { - "id": 
"hid_bravura_monitor-70a8f8e0-d392-11eb-9e70-edcbba448215", - "name": "panel_3", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/hid_bravura_monitor/1.2.3/kibana/dashboard/hid_bravura_monitor-db22d850-fa00-11eb-a1ab-1964dffd1499.json b/packages/hid_bravura_monitor/1.2.3/kibana/dashboard/hid_bravura_monitor-db22d850-fa00-11eb-a1ab-1964dffd1499.json deleted file mode 100755 index 3a21872d84..0000000000 --- a/packages/hid_bravura_monitor/1.2.3/kibana/dashboard/hid_bravura_monitor-db22d850-fa00-11eb-a1ab-1964dffd1499.json +++ /dev/null @@ -1,35 +0,0 @@ -{ - "attributes": { - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":26,\"i\":\"ef0f2d41-363f-4573-b92a-9ecb0af8b1fd\",\"w\":11,\"x\":0,\"y\":0},\"panelIndex\":\"ef0f2d41-363f-4573-b92a-9ecb0af8b1fd\",\"panelRefName\":\"panel_0\",\"version\":\"7.11.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":26,\"i\":\"bb8e09a0-aadf-48a8-a5a9-af581d3b42d1\",\"w\":37,\"x\":11,\"y\":0},\"panelIndex\":\"bb8e09a0-aadf-48a8-a5a9-af581d3b42d1\",\"panelRefName\":\"panel_1\",\"version\":\"7.11.0\"}]", - "timeRestore": false, - "title": "[Bravura Monitor] Database - Summary", - "version": 1 - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-db22d850-fa00-11eb-a1ab-1964dffd1499", - "migrationVersion": { - "dashboard": "7.15.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "hid_bravura_monitor-89e6a260-25d4-11eb-abcf-effcd51852fa", - "name": "panel_0", - "type": "visualization" - }, - { - "id": "hid_bravura_monitor-d5fae950-25d3-11eb-abcf-effcd51852fa", - "name": "panel_1", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file 
diff --git a/packages/hid_bravura_monitor/1.2.3/kibana/dashboard/hid_bravura_monitor-e9fa5320-fa01-11eb-a1ab-1964dffd1499.json b/packages/hid_bravura_monitor/1.2.3/kibana/dashboard/hid_bravura_monitor-e9fa5320-fa01-11eb-a1ab-1964dffd1499.json
deleted file mode 100755
index 5d1e91e916..0000000000
--- a/packages/hid_bravura_monitor/1.2.3/kibana/dashboard/hid_bravura_monitor-e9fa5320-fa01-11eb-a1ab-1964dffd1499.json
+++ /dev/null
@@ -1,45 +0,0 @@ -{ - "attributes": { - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":18,\"i\":\"7fcb881a-1fac-40f3-8344-abc9d970bea0\",\"w\":12,\"x\":0,\"y\":0},\"panelIndex\":\"7fcb881a-1fac-40f3-8344-abc9d970bea0\",\"panelRefName\":\"panel_0\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":18,\"i\":\"41db8b4e-a061-4e68-a8dc-4fe557771bdc\",\"w\":36,\"x\":12,\"y\":0},\"panelIndex\":\"41db8b4e-a061-4e68-a8dc-4fe557771bdc\",\"panelRefName\":\"panel_1\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":17,\"i\":\"67513776-5611-456a-bafd-42938542c90a\",\"w\":48,\"x\":0,\"y\":18},\"panelIndex\":\"67513776-5611-456a-bafd-42938542c90a\",\"panelRefName\":\"panel_2\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":18,\"i\":\"25a4e2bd-b92e-445c-bec4-15ca828c88a8\",\"w\":48,\"x\":0,\"y\":35},\"panelIndex\":\"25a4e2bd-b92e-445c-bec4-15ca828c88a8\",\"panelRefName\":\"panel_3\",\"version\":\"8.0.0\"}]", - "timeRestore": false, - "title": "[Bravura Monitor] Database - Stored Procedure Performance", - "version": 1 - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-e9fa5320-fa01-11eb-a1ab-1964dffd1499", - "migrationVersion": { - "dashboard": "7.15.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "hid_bravura_monitor-37fb60d0-1481-11eb-bb7b-bb041e8cf289", - "name": "panel_0", - "type": "visualization" - }, - { - "id": "hid_bravura_monitor-b9fb36b0-1480-11eb-bb7b-bb041e8cf289", - "name": "panel_1", - "type": "visualization" - }, - { - "id": "hid_bravura_monitor-1498e300-1482-11eb-bb7b-bb041e8cf289", - "name": "panel_2", - "type": "visualization" - }, - { - "id": 
"hid_bravura_monitor-83eacd90-1473-11eb-bb7b-bb041e8cf289", - "name": "panel_3", - "type": "search" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/hid_bravura_monitor/1.2.3/kibana/dashboard/hid_bravura_monitor-f8112090-fa03-11eb-a1ab-1964dffd1499.json b/packages/hid_bravura_monitor/1.2.3/kibana/dashboard/hid_bravura_monitor-f8112090-fa03-11eb-a1ab-1964dffd1499.json deleted file mode 100755 index 44afdf5fe9..0000000000 --- a/packages/hid_bravura_monitor/1.2.3/kibana/dashboard/hid_bravura_monitor-f8112090-fa03-11eb-a1ab-1964dffd1499.json +++ /dev/null 
@@ -1,45 +0,0 @@ -{ - "attributes": { - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":14,\"i\":\"05d010e5-934c-4b70-ad98-d3b3a191b9e2\",\"w\":48,\"x\":0,\"y\":0},\"panelIndex\":\"05d010e5-934c-4b70-ad98-d3b3a191b9e2\",\"panelRefName\":\"panel_0\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":19,\"i\":\"8ffb10cd-0ea2-4036-8003-8c65e128a201\",\"w\":11,\"x\":0,\"y\":14},\"panelIndex\":\"8ffb10cd-0ea2-4036-8003-8c65e128a201\",\"panelRefName\":\"panel_1\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":19,\"i\":\"674a1c30-76cd-429f-a9e6-941aef3e982d\",\"w\":37,\"x\":11,\"y\":14},\"panelIndex\":\"674a1c30-76cd-429f-a9e6-941aef3e982d\",\"panelRefName\":\"panel_2\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"a75010c7-9c3b-44c2-bf63-676e9aebd54e\",\"w\":48,\"x\":0,\"y\":33},\"panelIndex\":\"a75010c7-9c3b-44c2-bf63-676e9aebd54e\",\"panelRefName\":\"panel_3\",\"version\":\"8.0.0\"}]", - "timeRestore": false, - "title": "[Bravura Monitor] API - Summary", - "version": 1 - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-f8112090-fa03-11eb-a1ab-1964dffd1499", - "migrationVersion": { - "dashboard": "7.15.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "hid_bravura_monitor-659dad40-25b6-11eb-abcf-effcd51852fa", - "name": "panel_0", - "type": "visualization" - }, - { - "id": "hid_bravura_monitor-c0e79490-25b6-11eb-abcf-effcd51852fa", - "name": "panel_1", - "type": "visualization" - }, - { - "id": "hid_bravura_monitor-87baab60-25b8-11eb-abcf-effcd51852fa", - "name": "panel_2", - "type": "visualization" - }, - { - "id": 
"hid_bravura_monitor-991d9760-1473-11eb-bb7b-bb041e8cf289", - "name": "panel_3", - "type": "search" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/hid_bravura_monitor/1.2.3/kibana/search/hid_bravura_monitor-046c7b20-2b6d-11eb-abcf-effcd51852fa.json b/packages/hid_bravura_monitor/1.2.3/kibana/search/hid_bravura_monitor-046c7b20-2b6d-11eb-abcf-effcd51852fa.json deleted file mode 100755 index 14951ba72f..0000000000 --- a/packages/hid_bravura_monitor/1.2.3/kibana/search/hid_bravura_monitor-046c7b20-2b6d-11eb-abcf-effcd51852fa.json +++ /dev/null 
@@ -1,39 +0,0 @@ -{ - "attributes": { - "columns": [], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"fieldsFromSource\":[\"@timestamp\",\"_id\",\"_index\",\"_score\",\"_source\",\"_type\",\"agent.build.original\",\"agent.ephemeral_id\",\"agent.hostname\",\"agent.id\",\"agent.name\",\"agent.type\",\"agent.version\",\"apache.access.ssl.cipher\",\"apache.access.ssl.protocol\",\"apache.error.integration\",\"as.number\",\"as.organization.name\",\"as.organization.name.text\",\"auditd.log.a0\",\"auditd.log.addr\",\"auditd.log.item\",\"auditd.log.items\",\"auditd.log.laddr\",\"auditd.log.lport\",\"auditd.log.new_auid\",\"auditd.log.new_ses\",\"auditd.log.old_auid\",\"auditd.log.old_ses\",\"auditd.log.rport\",\"auditd.log.sequence\",\"auditd.log.tty\",\"azure.consumer_group\",\"azure.enqueued_time\",\"azure.eventhub\",\"azure.offset\",\"azure.partition_id\",\"azure.sequence_number\",\"client.address\",\"client.as.number\",\"client.as.organization.name\",\"client.as.organization.name.text\",\"client.bytes\",\"client.domain\",\"client.geo.city_name\",\"client.geo.continent_name\",\"client.geo.country_iso_code\",\"client.geo.country_name\",\"client.geo.location\",\"client.geo.name\",\"client.geo.region_iso_code\",\"client.geo.region_name\",\"client.ip\",\"client.mac\",\"client.nat.ip\",\"client.nat.port\",\"client.packets\",\"client.port\",\"client.registered_domain\",\"client.subdomain\",\"client.top_level_domain\",\"client.user.domain\",\"client.user.email\",\"client.user.full_name\",\"client.user.full_name.text\",\"client.user.group.domain\",\"client.user.group.id\",\"client.user.group.name\",\"client.user.hash\",\"client.user.id\",\"client.user.name\",\"client.user.name.text\",\"client.user.roles\",\"cloud.account.id\",\"cloud.account.name\",\"cloud.availability_zone\",\"cloud.image.id\",\"cloud.instance.id\",\"cloud.instance.name\",\"cloud.machine.type\",\"cloud.project.id\",\"cloud.project.name\",\"cloud.provider\",\"cloud.region
\",\"code_signature.exists\",\"code_signature.status\",\"code_signature.subject_name\",\"code_signature.trusted\",\"code_signature.valid\",\"container.id\",\"container.image.name\",\"container.image.tag\",\"container.name\",\"container.runtime\",\"destination.address\",\"destination.as.number\",\"destination.as.organization.name\",\"destination.as.organization.name.text\",\"destination.bytes\",\"destination.domain\",\"destination.geo.city_name\",\"destination.geo.continent_name\",\"destination.geo.country_iso_code\",\"destination.geo.country_name\",\"destination.geo.location\",\"destination.geo.name\",\"destination.geo.region_iso_code\",\"destination.geo.region_name\",\"destination.ip\",\"destination.mac\",\"destination.nat.ip\",\"destination.nat.port\",\"destination.packets\",\"destination.port\",\"destination.registered_domain\",\"destination.subdomain\",\"destination.top_level_domain\",\"destination.user.domain\",\"destination.user.email\",\"destination.user.full_name\",\"destination.user.full_name.text\",\"destination.user.group.domain\",\"destination.user.group.id\",\"destination.user.group.name\",\"destination.user.hash\",\"destination.user.id\",\"destination.user.name\",\"destination.user.name.text\",\"destination.user.roles\",\"dll.code_signature.exists\",\"dll.code_signature.status\",\"dll.code_signature.subject_name\",\"dll.code_signature.trusted\",\"dll.code_signature.valid\",\"dll.hash.md5\",\"dll.hash.sha1\",\"dll.hash.sha256\",\"dll.hash.sha512\",\"dll.name\",\"dll.path\",\"dll.pe.architecture\",\"dll.pe.company\",\"dll.pe.description\",\"dll.pe.file_version\",\"dll.pe.imphash\",\"dll.pe.original_file_name\",\"dll.pe.product\",\"dns.answers.class\",\"dns.answers.data\",\"dns.answers.name\",\"dns.answers.ttl\",\"dns.answers.type\",\"dns.header_flags\",\"dns.id\",\"dns.op_code\",\"dns.question.class\",\"dns.question.name\",\"dns.question.registered_domain\",\"dns.question.subdomain\",\"dns.question.top_level_domain\",\"dns.question.type\",\"dns.resolved_
ip\",\"dns.response_code\",\"dns.type\",\"ecs.version\",\"elasticsearch.audit.action\",\"elasticsearch.audit.event_type\",\"elasticsearch.audit.indices\",\"elasticsearch.audit.layer\",\"elasticsearch.audit.message\",\"elasticsearch.audit.origin.type\",\"elasticsearch.audit.realm\",\"elasticsearch.audit.request.id\",\"elasticsearch.audit.request.name\",\"elasticsearch.audit.url.params\",\"elasticsearch.audit.user.realm\",\"elasticsearch.audit.user.roles\",\"elasticsearch.cluster.name\",\"elasticsearch.cluster.uuid\",\"elasticsearch.component\",\"elasticsearch.gc.heap.size_kb\",\"elasticsearch.gc.heap.used_kb\",\"elasticsearch.gc.jvm_runtime_sec\",\"elasticsearch.gc.old_gen.size_kb\",\"elasticsearch.gc.old_gen.used_kb\",\"elasticsearch.gc.phase.class_unload_time_sec\",\"elasticsearch.gc.phase.cpu_time.real_sec\",\"elasticsearch.gc.phase.cpu_time.sys_sec\",\"elasticsearch.gc.phase.cpu_time.user_sec\",\"elasticsearch.gc.phase.duration_sec\",\"elasticsearch.gc.phase.name\",\"elasticsearch.gc.phase.parallel_rescan_time_sec\",\"elasticsearch.gc.phase.scrub_string_table_time_sec\",\"elasticsearch.gc.phase.scrub_symbol_table_time_sec\",\"elasticsearch.gc.phase.weak_refs_processing_time_sec\",\"elasticsearch.gc.stopping_threads_time_sec\",\"elasticsearch.gc.tags\",\"elasticsearch.gc.threads_total_stop_time_sec\",\"elasticsearch.gc.young_gen.size_kb\",\"elasticsearch.gc.young_gen.used_kb\",\"elasticsearch.index.id\",\"elasticsearch.index.name\",\"elasticsearch.node.id\",\"elasticsearch.node.name\",\"elasticsearch.server.gc.collection_duration.ms\",\"elasticsearch.server.gc.observation_duration.ms\",\"elasticsearch.server.gc.overhead_seq\",\"elasticsearch.server.gc.young.one\",\"elasticsearch.server.gc.young.two\",\"elasticsearch.server.stacktrace\",\"elasticsearch.shard.id\",\"elasticsearch.slowlog.extra_source\",\"elasticsearch.slowlog.id\",\"elasticsearch.slowlog.logger\",\"elasticsearch.slowlog.routing\",\"elasticsearch.slowlog.search_type\",\"elasticsearch.slowlog.source\"
,\"elasticsearch.slowlog.source_query\",\"elasticsearch.slowlog.stats\",\"elasticsearch.slowlog.took\",\"elasticsearch.slowlog.total_hits\",\"elasticsearch.slowlog.total_shards\",\"elasticsearch.slowlog.type\",\"elasticsearch.slowlog.types\",\"error.code\",\"error.id\",\"error.message\",\"error.stack_trace\",\"error.stack_trace.text\",\"error.type\",\"event.action\",\"event.category\",\"event.code\",\"event.created\",\"data_stream.dataset\",\"event.duration\",\"event.end\",\"event.hash\",\"event.id\",\"event.ingested\",\"event.kind\",\"event.integration\",\"event.original\",\"event.outcome\",\"event.provider\",\"event.reason\",\"event.reference\",\"event.risk_score\",\"event.risk_score_norm\",\"event.sequence\",\"event.severity\",\"event.start\",\"event.timezone\",\"event.type\",\"event.url\",\"file.accessed\",\"file.attributes\",\"file.code_signature.exists\",\"file.code_signature.status\",\"file.code_signature.subject_name\",\"file.code_signature.trusted\",\"file.code_signature.valid\",\"file.created\",\"file.ctime\",\"file.device\",\"file.directory\",\"file.drive_letter\",\"file.extension\",\"file.gid\",\"file.group\",\"file.hash.md5\",\"file.hash.sha1\",\"file.hash.sha256\",\"file.hash.sha512\",\"file.inode\",\"file.mime_type\",\"file.mode\",\"file.mtime\",\"file.name\",\"file.owner\",\"file.path\",\"file.path.text\",\"file.pe.architecture\",\"file.pe.company\",\"file.pe.description\",\"file.pe.file_version\",\"file.pe.imphash\",\"file.pe.original_file_name\",\"file.pe.product\",\"file.size\",\"file.target_path\",\"file.target_path.text\",\"file.type\",\"file.uid\",\"file.x509.alternative_names\",\"file.x509.issuer.common_name\",\"file.x509.issuer.country\",\"file.x509.issuer.distinguished_name\",\"file.x509.issuer.locality\",\"file.x509.issuer.organization\",\"file.x509.issuer.organizational_unit\",\"file.x509.issuer.state_or_province\",\"file.x509.not_after\",\"file.x509.not_before\",\"file.x509.public_key_algorithm\",\"file.x509.public_key_curve\",\"file.x509
.public_key_exponent\",\"file.x509.public_key_size\",\"file.x509.serial_number\",\"file.x509.signature_algorithm\",\"file.x509.subject.common_name\",\"file.x509.subject.country\",\"file.x509.subject.distinguished_name\",\"file.x509.subject.locality\",\"file.x509.subject.organization\",\"file.x509.subject.organizational_unit\",\"file.x509.subject.state_or_province\",\"file.x509.version_number\",\"fileset.name\",\"geo.city_name\",\"geo.continent_name\",\"geo.country_iso_code\",\"geo.country_name\",\"geo.location\",\"geo.name\",\"geo.region_iso_code\",\"geo.region_name\",\"group.domain\",\"group.id\",\"group.name\",\"haproxy.backend_name\",\"haproxy.backend_queue\",\"haproxy.bind_name\",\"haproxy.bytes_read\",\"haproxy.connection_wait_time_ms\",\"haproxy.connections.active\",\"haproxy.connections.backend\",\"haproxy.connections.frontend\",\"haproxy.connections.retries\",\"haproxy.connections.server\",\"haproxy.error_message\",\"haproxy.frontend_name\",\"haproxy.http.request.captured_cookie\",\"haproxy.http.request.captured_headers\",\"haproxy.http.request.raw_request_line\",\"haproxy.http.request.time_wait_ms\",\"haproxy.http.request.time_wait_without_data_ms\",\"haproxy.http.response.captured_cookie\",\"haproxy.http.response.captured_headers\",\"haproxy.mode\",\"haproxy.server_name\",\"haproxy.server_queue\",\"haproxy.source\",\"haproxy.tcp.connection_waiting_time_ms\",\"haproxy.termination_state\",\"haproxy.time_backend_connect\",\"haproxy.time_queue\",\"haproxy.total_waiting_time_ms\",\"hash.md5\",\"hash.sha1\",\"hash.sha256\",\"hash.sha512\",\"hid_bravura_monitor.instancename\",\"hid_bravura_monitor.node\",\"hid_bravura_monitor.perf.address\",\"hid_bravura_monitor.perf.address\",\"hid_bravura_monitor.perf.adminid\",\"hid_bravura_monitor.perf.adminid\",\"hid_bravura_monitor.perf.dbcommand\",\"hid_bravura_monitor.perf.dbcommand\",\"hid_bravura_monitor.perf.destination\",\"hid_bravura_monitor.perf.duration\",\"hid_bravura_monitor.perf.event\",\"hid_bravura_monitor.per
f.event\",\"hid_bravura_monitor.perf.exe\",\"hid_bravura_monitor.perf.exe\",\"hid_bravura_monitor.perf.file\",\"hid_bravura_monitor.perf.function\",\"hid_bravura_monitor.perf.function\",\"hid_bravura_monitor.perf.kernel\",\"hid_bravura_monitor.perf.kind\",\"hid_bravura_monitor.perf.kind\",\"hid_bravura_monitor.perf.message\",\"hid_bravura_monitor.perf.message\",\"hid_bravura_monitor.perf.operation\",\"hid_bravura_monitor.perf.operation\",\"hid_bravura_monitor.perf.receivequeue\",\"hid_bravura_monitor.perf.receivequeue\",\"hid_bravura_monitor.perf.records\",\"hid_bravura_monitor.perf.result\",\"hid_bravura_monitor.perf.result\",\"hid_bravura_monitor.perf.rule\",\"hid_bravura_monitor.perf.sessionid\",\"hid_bravura_monitor.perf.sessionid\",\"hid_bravura_monitor.perf.sysid\",\"hid_bravura_monitor.perf.sysid\",\"hid_bravura_monitor.perf.table\",\"hid_bravura_monitor.perf.table\",\"hid_bravura_monitor.perf.targetid\",\"hid_bravura_monitor.perf.targetid\",\"hid_bravura_monitor.perf.transid\",\"hid_bravura_monitor.perf.transid\",\"hid_bravura_monitor.perf.type\",\"hid_bravura_monitor.perf.user\",\"hid_bravura_monitor.request.id\",\"hid_bravura_monitor.request.id\",\"host.architecture\",\"host.containerized\",\"host.domain\",\"host.geo.city_name\",\"host.geo.continent_name\",\"host.geo.country_iso_code\",\"host.geo.country_name\",\"host.geo.location\",\"host.geo.name\",\"host.geo.region_iso_code\",\"host.geo.region_name\",\"host.hostname\",\"host.id\",\"host.ip\",\"host.mac\",\"host.name\",\"host.os.build\",\"host.os.codename\",\"host.os.family\",\"host.os.full\",\"host.os.full.text\",\"host.os.kernel\",\"host.os.name\",\"host.os.name.text\",\"host.os.platform\",\"host.os.version\",\"host.type\",\"host.uptime\",\"host.user.domain\",\"host.user.email\",\"host.user.full_name\",\"host.user.full_name.text\",\"host.user.group.domain\",\"host.user.group.id\",\"host.user.group.name\",\"host.user.hash\",\"host.user.id\",\"host.user.name\",\"host.user.name.text\",\"host.user.roles\",
\"http.request.body.bytes\",\"http.request.body.content\",\"http.request.body.content.text\",\"http.request.bytes\",\"http.request.method\",\"http.request.mime_type\",\"http.request.referrer\",\"http.response.body.bytes\",\"http.response.body.content\",\"http.response.body.content.text\",\"http.response.bytes\",\"http.response.mime_type\",\"http.response.status_code\",\"http.version\",\"icinga.debug.facility\",\"icinga.main.facility\",\"icinga.startup.facility\",\"icmp.code\",\"icmp.type\",\"igmp.type\",\"iis.access.cookie\",\"iis.access.server_name\",\"iis.access.site_name\",\"iis.access.sub_status\",\"iis.access.win32_status\",\"iis.error.queue_name\",\"iis.error.reason_phrase\",\"input.type\",\"interface.alias\",\"interface.id\",\"interface.name\",\"jolokia.agent.id\",\"jolokia.agent.version\",\"jolokia.secured\",\"jolokia.server.product\",\"jolokia.server.vendor\",\"jolokia.server.version\",\"jolokia.url\",\"kafka.block_timestamp\",\"kafka.key\",\"kafka.log.class\",\"kafka.log.component\",\"kafka.log.thread\",\"kafka.log.trace.class\",\"kafka.log.trace.message\",\"kafka.offset\",\"kafka.partition\",\"kafka.topic\",\"kibana.add_to_spaces\",\"kibana.authentication_provider\",\"kibana.authentication_realm\",\"kibana.authentication_type\",\"kibana.delete_from_spaces\",\"kibana.log.state\",\"kibana.log.tags\",\"kibana.lookup_realm\",\"kibana.saved_object.id\",\"kibana.saved_object.type\",\"kibana.session_id\",\"kibana.space_id\",\"kubernetes.container.image\",\"kubernetes.container.name\",\"kubernetes.deployment.name\",\"kubernetes.namespace\",\"kubernetes.node.hostname\",\"kubernetes.node.name\",\"kubernetes.pod.name\",\"kubernetes.pod.uid\",\"kubernetes.replicaset.name\",\"kubernetes.statefulset.name\",\"log.file.path\",\"log.flags\",\"log.level\",\"log.logger\",\"log.offset\",\"log.origin.file.line\",\"log.origin.file.name\",\"log.origin.function\",\"log.original\",\"log.source.address\",\"log.syslog.facility.code\",\"log.syslog.facility.name\",\"log.syslog.priori
ty\",\"log.syslog.severity.code\",\"log.syslog.severity.name\",\"logstash.log.integration\",\"logstash.log.pipeline_id\",\"logstash.log.thread\",\"logstash.log.thread.text\",\"logstash.slowlog.event\",\"logstash.slowlog.event.text\",\"logstash.slowlog.integration\",\"logstash.slowlog.plugin_name\",\"logstash.slowlog.plugin_params\",\"logstash.slowlog.plugin_params.text\",\"logstash.slowlog.plugin_type\",\"logstash.slowlog.thread\",\"logstash.slowlog.thread.text\",\"logstash.slowlog.took_in_millis\",\"message\",\"mongodb.log.component\",\"mongodb.log.context\",\"mysql.slowlog.bytes_received\",\"mysql.slowlog.bytes_sent\",\"mysql.slowlog.current_user\",\"mysql.slowlog.filesort\",\"mysql.slowlog.filesort_on_disk\",\"mysql.slowlog.full_join\",\"mysql.slowlog.full_scan\",\"mysql.slowlog.innodb.io_r_bytes\",\"mysql.slowlog.innodb.io_r_ops\",\"mysql.slowlog.innodb.io_r_wait.sec\",\"mysql.slowlog.innodb.pages_distinct\",\"mysql.slowlog.innodb.queue_wait.sec\",\"mysql.slowlog.innodb.rec_lock_wait.sec\",\"mysql.slowlog.innodb.trx_id\",\"mysql.slowlog.killed\",\"mysql.slowlog.last_errno\",\"mysql.slowlog.lock_time.sec\",\"mysql.slowlog.log_slow_rate_limit\",\"mysql.slowlog.log_slow_rate_type\",\"mysql.slowlog.merge_passes\",\"mysql.slowlog.priority_queue\",\"mysql.slowlog.query\",\"mysql.slowlog.query_cache_hit\",\"mysql.slowlog.read_first\",\"mysql.slowlog.read_key\",\"mysql.slowlog.read_last\",\"mysql.slowlog.read_next\",\"mysql.slowlog.read_prev\",\"mysql.slowlog.read_rnd\",\"mysql.slowlog.read_rnd_next\",\"mysql.slowlog.rows_affected\",\"mysql.slowlog.rows_examined\",\"mysql.slowlog.rows_sent\",\"mysql.slowlog.schema\",\"mysql.slowlog.sort_merge_passes\",\"mysql.slowlog.sort_range_count\",\"mysql.slowlog.sort_rows\",\"mysql.slowlog.sort_scan_count\",\"mysql.slowlog.tmp_disk_tables\",\"mysql.slowlog.tmp_table\",\"mysql.slowlog.tmp_table_on_disk\",\"mysql.slowlog.tmp_table_sizes\",\"mysql.slowlog.tmp_tables\",\"mysql.thread_id\",\"nats.log.client.id\",\"nats.log.msg.bytes\",
\"nats.log.msg.error.message\",\"nats.log.msg.max_messages\",\"nats.log.msg.queue_group\",\"nats.log.msg.reply_to\",\"nats.log.msg.sid\",\"nats.log.msg.subject\",\"nats.log.msg.type\",\"network.application\",\"network.bytes\",\"network.community_id\",\"network.direction\",\"network.forwarded_ip\",\"network.iana_number\",\"network.inner.vlan.id\",\"network.inner.vlan.name\",\"network.name\",\"network.packets\",\"network.protocol\",\"network.transport\",\"network.type\",\"network.vlan.id\",\"network.vlan.name\",\"nginx.error.connection_id\",\"nginx.ingress_controller.http.request.id\",\"nginx.ingress_controller.http.request.length\",\"nginx.ingress_controller.http.request.time\",\"nginx.ingress_controller.upstream.alternative_name\",\"nginx.ingress_controller.upstream.ip\",\"nginx.ingress_controller.upstream.name\",\"nginx.ingress_controller.upstream.port\",\"nginx.ingress_controller.upstream.response.length\",\"nginx.ingress_controller.upstream.response.length_list\",\"nginx.ingress_controller.upstream.response.status_code\",\"nginx.ingress_controller.upstream.response.status_code_list\",\"nginx.ingress_controller.upstream.response.time\",\"nginx.ingress_controller.upstream.response.time_list\",\"nginx.ingress_controller.upstream_address_list\",\"observer.egress.interface.alias\",\"observer.egress.interface.id\",\"observer.egress.interface.name\",\"observer.egress.vlan.id\",\"observer.egress.vlan.name\",\"observer.egress.zone\",\"observer.geo.city_name\",\"observer.geo.continent_name\",\"observer.geo.country_iso_code\",\"observer.geo.country_name\",\"observer.geo.location\",\"observer.geo.name\",\"observer.geo.region_iso_code\",\"observer.geo.region_name\",\"observer.hostname\",\"observer.ingress.interface.alias\",\"observer.ingress.interface.id\",\"observer.ingress.interface.name\",\"observer.ingress.vlan.id\",\"observer.ingress.vlan.name\",\"observer.ingress.zone\",\"observer.ip\",\"observer.mac\",\"observer.name\",\"observer.os.family\",\"observer.os.full\",\"obse
rver.os.full.text\",\"observer.os.kernel\",\"observer.os.name\",\"observer.os.name.text\",\"observer.os.platform\",\"observer.os.version\",\"observer.product\",\"observer.serial_number\",\"observer.type\",\"observer.vendor\",\"observer.version\",\"organization.id\",\"organization.name\",\"organization.name.text\",\"os.family\",\"os.full\",\"os.full.text\",\"os.kernel\",\"os.name\",\"os.name.text\",\"os.platform\",\"os.version\",\"osquery.result.action\",\"osquery.result.calendar_time\",\"osquery.result.host_identifier\",\"osquery.result.name\",\"osquery.result.unix_time\",\"package.architecture\",\"package.build_version\",\"package.checksum\",\"package.description\",\"package.install_scope\",\"package.installed\",\"package.license\",\"package.name\",\"package.path\",\"package.reference\",\"package.size\",\"package.type\",\"package.version\",\"pe.architecture\",\"pe.company\",\"pe.description\",\"pe.file_version\",\"pe.imphash\",\"pe.original_file_name\",\"pe.product\",\"postgresql.log.core_id\",\"postgresql.log.database\",\"postgresql.log.error.code\",\"postgresql.log.query\",\"postgresql.log.query_name\",\"postgresql.log.query_step\",\"postgresql.log.timestamp\",\"process.args\",\"process.args_count\",\"process.code_signature.exists\",\"process.code_signature.status\",\"process.code_signature.subject_name\",\"process.code_signature.trusted\",\"process.code_signature.valid\",\"process.command_line\",\"process.command_line.text\",\"process.entity_id\",\"process.executable\",\"process.executable.text\",\"process.exit_code\",\"process.hash.md5\",\"process.hash.sha1\",\"process.hash.sha256\",\"process.hash.sha512\",\"process.name\",\"process.name.text\",\"process.parent.args\",\"process.parent.args_count\",\"process.parent.code_signature.exists\",\"process.parent.code_signature.status\",\"process.parent.code_signature.subject_name\",\"process.parent.code_signature.trusted\",\"process.parent.code_signature.valid\",\"process.parent.command_line\",\"process.parent.command_
line.text\",\"process.parent.entity_id\",\"process.parent.executable\",\"process.parent.executable.text\",\"process.parent.exit_code\",\"process.parent.hash.md5\",\"process.parent.hash.sha1\",\"process.parent.hash.sha256\",\"process.parent.hash.sha512\",\"process.parent.name\",\"process.parent.name.text\",\"process.parent.pe.architecture\",\"process.parent.pe.company\",\"process.parent.pe.description\",\"process.parent.pe.file_version\",\"process.parent.pe.imphash\",\"process.parent.pe.original_file_name\",\"process.parent.pe.product\",\"process.parent.pgid\",\"process.parent.pid\",\"process.parent.ppid\",\"process.parent.start\",\"process.parent.thread.id\",\"process.parent.thread.name\",\"process.parent.title\",\"process.parent.title.text\",\"process.parent.uptime\",\"process.parent.working_directory\",\"process.parent.working_directory.text\",\"process.pe.architecture\",\"process.pe.company\",\"process.pe.description\",\"process.pe.file_version\",\"process.pe.imphash\",\"process.pe.original_file_name\",\"process.pe.product\",\"process.pgid\",\"process.pid\",\"process.ppid\",\"process.program\",\"process.start\",\"process.thread.id\",\"process.thread.name\",\"process.title\",\"process.title.text\",\"process.uptime\",\"process.working_directory\",\"process.working_directory.text\",\"redis.log.role\",\"redis.slowlog.args\",\"redis.slowlog.cmd\",\"redis.slowlog.duration.us\",\"redis.slowlog.id\",\"redis.slowlog.key\",\"registry.data.bytes\",\"registry.data.strings\",\"registry.data.type\",\"registry.hive\",\"registry.key\",\"registry.path\",\"registry.value\",\"related.hash\",\"related.hosts\",\"related.ip\",\"related.user\",\"rule.author\",\"rule.category\",\"rule.description\",\"rule.id\",\"rule.license\",\"rule.name\",\"rule.reference\",\"rule.ruleset\",\"rule.uuid\",\"rule.version\",\"santa.action\",\"santa.certificate.common_name\",\"santa.certificate.sha256\",\"santa.decision\",\"santa.disk.bsdname\",\"santa.disk.bus\",\"santa.disk.fs\",\"santa.disk.model\",\"s
anta.disk.mount\",\"santa.disk.serial\",\"santa.disk.volume\",\"santa.mode\",\"santa.reason\",\"server.address\",\"server.as.number\",\"server.as.organization.name\",\"server.as.organization.name.text\",\"server.bytes\",\"server.domain\",\"server.geo.city_name\",\"server.geo.continent_name\",\"server.geo.country_iso_code\",\"server.geo.country_name\",\"server.geo.location\",\"server.geo.name\",\"server.geo.region_iso_code\",\"server.geo.region_name\",\"server.ip\",\"server.mac\",\"server.nat.ip\",\"server.nat.port\",\"server.packets\",\"server.port\",\"server.registered_domain\",\"server.subdomain\",\"server.top_level_domain\",\"server.user.domain\",\"server.user.email\",\"server.user.full_name\",\"server.user.full_name.text\",\"server.user.group.domain\",\"server.user.group.id\",\"server.user.group.name\",\"server.user.hash\",\"server.user.id\",\"server.user.name\",\"server.user.name.text\",\"server.user.roles\",\"service.ephemeral_id\",\"service.id\",\"service.name\",\"service.node.name\",\"service.state\",\"service.type\",\"service.version\",\"source.address\",\"source.as.number\",\"source.as.organization.name\",\"source.as.organization.name.text\",\"source.bytes\",\"source.domain\",\"source.geo.city_name\",\"source.geo.continent_name\",\"source.geo.country_iso_code\",\"source.geo.country_name\",\"source.geo.location\",\"source.geo.name\",\"source.geo.region_iso_code\",\"source.geo.region_name\",\"source.ip\",\"source.mac\",\"source.nat.ip\",\"source.nat.port\",\"source.packets\",\"source.port\",\"source.registered_domain\",\"source.subdomain\",\"source.top_level_domain\",\"source.user.domain\",\"source.user.email\",\"source.user.full_name\",\"source.user.full_name.text\",\"source.user.group.domain\",\"source.user.group.id\",\"source.user.group.name\",\"source.user.hash\",\"source.user.id\",\"source.user.name\",\"source.user.name.text\",\"source.user.roles\",\"span.id\",\"stream\",\"syslog.facility\",\"syslog.facility_label\",\"syslog.priority\",\"syslog.severity
_label\",\"system.auth.ssh.dropped_ip\",\"system.auth.ssh.event\",\"system.auth.ssh.method\",\"system.auth.ssh.signature\",\"system.auth.sudo.command\",\"system.auth.sudo.error\",\"system.auth.sudo.pwd\",\"system.auth.sudo.tty\",\"system.auth.sudo.user\",\"system.auth.useradd.home\",\"system.auth.useradd.shell\",\"tags\",\"threat.framework\",\"threat.tactic.id\",\"threat.tactic.name\",\"threat.tactic.reference\",\"threat.technique.id\",\"threat.technique.name\",\"threat.technique.name.text\",\"threat.technique.reference\",\"threat.technique.subtechnique.id\",\"threat.technique.subtechnique.name\",\"threat.technique.subtechnique.name.text\",\"threat.technique.subtechnique.reference\",\"timeseries.instance\",\"tls.cipher\",\"tls.client.certificate\",\"tls.client.certificate_chain\",\"tls.client.hash.md5\",\"tls.client.hash.sha1\",\"tls.client.hash.sha256\",\"tls.client.issuer\",\"tls.client.ja3\",\"tls.client.not_after\",\"tls.client.not_before\",\"tls.client.server_name\",\"tls.client.subject\",\"tls.client.supported_ciphers\",\"tls.client.x509.alternative_names\",\"tls.client.x509.issuer.common_name\",\"tls.client.x509.issuer.country\",\"tls.client.x509.issuer.distinguished_name\",\"tls.client.x509.issuer.locality\",\"tls.client.x509.issuer.organization\",\"tls.client.x509.issuer.organizational_unit\",\"tls.client.x509.issuer.state_or_province\",\"tls.client.x509.not_after\",\"tls.client.x509.not_before\",\"tls.client.x509.public_key_algorithm\",\"tls.client.x509.public_key_curve\",\"tls.client.x509.public_key_exponent\",\"tls.client.x509.public_key_size\",\"tls.client.x509.serial_number\",\"tls.client.x509.signature_algorithm\",\"tls.client.x509.subject.common_name\",\"tls.client.x509.subject.country\",\"tls.client.x509.subject.distinguished_name\",\"tls.client.x509.subject.locality\",\"tls.client.x509.subject.organization\",\"tls.client.x509.subject.organizational_unit\",\"tls.client.x509.subject.state_or_province\",\"tls.client.x509.version_number\",\"tls.curve\"
,\"tls.established\",\"tls.next_protocol\",\"tls.resumed\",\"tls.server.certificate\",\"tls.server.certificate_chain\",\"tls.server.hash.md5\",\"tls.server.hash.sha1\",\"tls.server.hash.sha256\",\"tls.server.issuer\",\"tls.server.ja3s\",\"tls.server.not_after\",\"tls.server.not_before\",\"tls.server.subject\",\"tls.server.x509.alternative_names\",\"tls.server.x509.issuer.common_name\",\"tls.server.x509.issuer.country\",\"tls.server.x509.issuer.distinguished_name\",\"tls.server.x509.issuer.locality\",\"tls.server.x509.issuer.organization\",\"tls.server.x509.issuer.organizational_unit\",\"tls.server.x509.issuer.state_or_province\",\"tls.server.x509.not_after\",\"tls.server.x509.not_before\",\"tls.server.x509.public_key_algorithm\",\"tls.server.x509.public_key_curve\",\"tls.server.x509.public_key_exponent\",\"tls.server.x509.public_key_size\",\"tls.server.x509.serial_number\",\"tls.server.x509.signature_algorithm\",\"tls.server.x509.subject.common_name\",\"tls.server.x509.subject.country\",\"tls.server.x509.subject.distinguished_name\",\"tls.server.x509.subject.locality\",\"tls.server.x509.subject.organization\",\"tls.server.x509.subject.organizational_unit\",\"tls.server.x509.subject.state_or_province\",\"tls.server.x509.version_number\",\"tls.version\",\"tls.version_protocol\",\"trace.id\",\"traefik.access.backend_url\",\"traefik.access.frontend_name\",\"traefik.access.geoip.city_name\",\"traefik.access.geoip.continent_name\",\"traefik.access.geoip.country_iso_code\",\"traefik.access.geoip.location\",\"traefik.access.geoip.region_iso_code\",\"traefik.access.geoip.region_name\",\"traefik.access.request_count\",\"traefik.access.user_agent.device\",\"traefik.access.user_agent.name\",\"traefik.access.user_agent.original\",\"traefik.access.user_agent.os\",\"traefik.access.user_agent.os_name\",\"traefik.access.user_identifier\",\"transaction.id\",\"url.domain\",\"url.extension\",\"url.fragment\",\"url.full\",\"url.full.text\",\"url.original\",\"url.original.text\",\"url.pa
ssword\",\"url.path\",\"url.port\",\"url.query\",\"url.registered_domain\",\"url.scheme\",\"url.subdomain\",\"url.top_level_domain\",\"url.username\",\"user.audit.group.id\",\"user.audit.group.name\",\"user.audit.id\",\"user.audit.name\",\"user.domain\",\"user.effective.group.id\",\"user.effective.group.name\",\"user.effective.id\",\"user.effective.name\",\"user.email\",\"user.filesystem.group.id\",\"user.filesystem.group.name\",\"user.filesystem.id\",\"user.filesystem.name\",\"user.full_name\",\"user.full_name.text\",\"user.group.domain\",\"user.group.id\",\"user.group.name\",\"user.hash\",\"user.id\",\"user.name\",\"user.name.text\",\"user.owner.group.id\",\"user.owner.group.name\",\"user.owner.id\",\"user.owner.name\",\"user.roles\",\"user.saved.group.id\",\"user.saved.group.name\",\"user.saved.id\",\"user.saved.name\",\"user.terminal\",\"user_agent.device.name\",\"user_agent.name\",\"user_agent.original\",\"user_agent.original.text\",\"user_agent.os.family\",\"user_agent.os.full\",\"user_agent.os.full.text\",\"user_agent.os.full_name\",\"user_agent.os.kernel\",\"user_agent.os.name\",\"user_agent.os.name.text\",\"user_agent.os.platform\",\"user_agent.os.version\",\"user_agent.version\",\"vlan.id\",\"vlan.name\",\"vulnerability.category\",\"vulnerability.classification\",\"vulnerability.description\",\"vulnerability.description.text\",\"vulnerability.enumeration\",\"vulnerability.id\",\"vulnerability.reference\",\"vulnerability.report_id\",\"vulnerability.scanner.vendor\",\"vulnerability.score.base\",\"vulnerability.score.environmental\",\"vulnerability.score.temporal\",\"vulnerability.score.version\",\"vulnerability.severity\",\"x509.alternative_names\",\"x509.issuer.common_name\",\"x509.issuer.country\",\"x509.issuer.distinguished_name\",\"x509.issuer.locality\",\"x509.issuer.organization\",\"x509.issuer.organizational_unit\",\"x509.issuer.state_or_province\",\"x509.not_after\",\"x509.not_before\",\"x509.public_key_algorithm\",\"x509.public_key_curve\",\"x509.pu
blic_key_exponent\",\"x509.public_key_size\",\"x509.serial_number\",\"x509.signature_algorithm\",\"x509.subject.common_name\",\"x509.subject.country\",\"x509.subject.distinguished_name\",\"x509.subject.locality\",\"x509.subject.organization\",\"x509.subject.organizational_unit\",\"x509.subject.state_or_province\",\"x509.version_number\"],\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"hid_bravura_monitor.perf.kind\",\"negate\":false,\"params\":{\"query\":\"PerfSproc\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"hid_bravura_monitor.perf.kind\":\"PerfSproc\"}}}],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"hid_bravura_monitor.perf.function : *Search*\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "Search Stored Procedures", - "version": 1 - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-046c7b20-2b6d-11eb-abcf-effcd51852fa", - "migrationVersion": { - "search": "7.9.3" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/hid_bravura_monitor/1.2.3/kibana/search/hid_bravura_monitor-089d63f0-d37c-11eb-9e70-edcbba448215.json b/packages/hid_bravura_monitor/1.2.3/kibana/search/hid_bravura_monitor-089d63f0-d37c-11eb-9e70-edcbba448215.json deleted file mode 100755 index a97c94b1ee..0000000000 --- a/packages/hid_bravura_monitor/1.2.3/kibana/search/hid_bravura_monitor-089d63f0-d37c-11eb-9e70-edcbba448215.json +++ /dev/null 
@@ -1,36 +0,0 @@ -{ - "attributes": { - "columns": [ - "_source" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"winlog.provider_name\",\"negate\":false,\"params\":{\"query\":\"Hitachi-Hitachi ID Systems-Hitachi ID Suite\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"winlog.provider_name\":\"Hitachi-Hitachi ID Systems-Hitachi ID Suite\"}}}],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}" - }, - "sort": [], - "title": "Hitachi ID Windows Event Logs", - "version": 1 - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-089d63f0-d37c-11eb-9e70-edcbba448215", - "migrationVersion": { - "search": "7.9.3" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/hid_bravura_monitor/1.2.3/kibana/search/hid_bravura_monitor-1616ab00-22c8-11eb-abcf-effcd51852fa.json b/packages/hid_bravura_monitor/1.2.3/kibana/search/hid_bravura_monitor-1616ab00-22c8-11eb-abcf-effcd51852fa.json deleted file mode 100755 index cab36ac889..0000000000 --- a/packages/hid_bravura_monitor/1.2.3/kibana/search/hid_bravura_monitor-1616ab00-22c8-11eb-abcf-effcd51852fa.json +++ /dev/null 
@@ -1,36 +0,0 @@ -{ - "attributes": { - "columns": [ - "_source" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"log.level\",\"negate\":false,\"params\":[\"error\",\"warning\",\"critical\"],\"type\":\"phrases\",\"value\":\"error, warning, critical\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"log.level\":\"error\"}},{\"match_phrase\":{\"log.level\":\"warning\"}},{\"match_phrase\":{\"log.level\":\"critical\"}}]}}}],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}" - }, - "sort": [], - "title": "Windows Event Log Problems", - "version": 1 - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-1616ab00-22c8-11eb-abcf-effcd51852fa", - "migrationVersion": { - "search": "7.9.3" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/hid_bravura_monitor/1.2.3/kibana/search/hid_bravura_monitor-1a724dd0-2395-11eb-abcf-effcd51852fa.json b/packages/hid_bravura_monitor/1.2.3/kibana/search/hid_bravura_monitor-1a724dd0-2395-11eb-abcf-effcd51852fa.json deleted file mode 100755 index d315f3429e..0000000000 --- a/packages/hid_bravura_monitor/1.2.3/kibana/search/hid_bravura_monitor-1a724dd0-2395-11eb-abcf-effcd51852fa.json +++ /dev/null 
@@ -1,39 +0,0 @@ -{ - "attributes": { - "columns": [], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"fieldsFromSource\":[\"@timestamp\",\"_id\",\"_index\",\"_score\",\"_source\",\"_type\",\"agent.build.original\",\"agent.ephemeral_id\",\"agent.hostname\",\"agent.id\",\"agent.name\",\"agent.type\",\"agent.version\",\"as.number\",\"as.organization.name\",\"as.organization.name.text\",\"client.address\",\"client.as.number\",\"client.as.organization.name\",\"client.as.organization.name.text\",\"client.bytes\",\"client.domain\",\"client.geo.city_name\",\"client.geo.continent_name\",\"client.geo.country_iso_code\",\"client.geo.country_name\",\"client.geo.location\",\"client.geo.name\",\"client.geo.region_iso_code\",\"client.geo.region_name\",\"client.ip\",\"client.mac\",\"client.nat.ip\",\"client.nat.port\",\"client.packets\",\"client.port\",\"client.registered_domain\",\"client.subdomain\",\"client.top_level_domain\",\"client.user.domain\",\"client.user.email\",\"client.user.full_name\",\"client.user.full_name.text\",\"client.user.group.domain\",\"client.user.group.id\",\"client.user.group.name\",\"client.user.hash\",\"client.user.id\",\"client.user.name\",\"client.user.name.text\",\"client.user.roles\",\"cloud.account.id\",\"cloud.account.name\",\"cloud.availability_zone\",\"cloud.image.id\",\"cloud.instance.id\",\"cloud.instance.name\",\"cloud.machine.type\",\"cloud.project.id\",\"cloud.project.name\",\"cloud.provider\",\"cloud.region\",\"code_signature.exists\",\"code_signature.status\",\"code_signature.subject_name\",\"code_signature.trusted\",\"code_signature.valid\",\"container.id\",\"container.image.name\",\"container.image.tag\",\"container.name\",\"container.runtime\",\"destination.address\",\"destination.as.number\",\"destination.as.organization.name\",\"destination.as.organization.name.text\",\"destination.bytes\",\"destination.domain\",\"destination.geo.city_name\",\"destination.geo.continent_name\",\"destination.geo
.country_iso_code\",\"destination.geo.country_name\",\"destination.geo.location\",\"destination.geo.name\",\"destination.geo.region_iso_code\",\"destination.geo.region_name\",\"destination.ip\",\"destination.mac\",\"destination.nat.ip\",\"destination.nat.port\",\"destination.packets\",\"destination.port\",\"destination.registered_domain\",\"destination.subdomain\",\"destination.top_level_domain\",\"destination.user.domain\",\"destination.user.email\",\"destination.user.full_name\",\"destination.user.full_name.text\",\"destination.user.group.domain\",\"destination.user.group.id\",\"destination.user.group.name\",\"destination.user.hash\",\"destination.user.id\",\"destination.user.name\",\"destination.user.name.text\",\"destination.user.roles\",\"dll.code_signature.exists\",\"dll.code_signature.status\",\"dll.code_signature.subject_name\",\"dll.code_signature.trusted\",\"dll.code_signature.valid\",\"dll.hash.md5\",\"dll.hash.sha1\",\"dll.hash.sha256\",\"dll.hash.sha512\",\"dll.name\",\"dll.path\",\"dll.pe.architecture\",\"dll.pe.company\",\"dll.pe.description\",\"dll.pe.file_version\",\"dll.pe.imphash\",\"dll.pe.original_file_name\",\"dll.pe.product\",\"dns.answers.class\",\"dns.answers.data\",\"dns.answers.name\",\"dns.answers.ttl\",\"dns.answers.type\",\"dns.header_flags\",\"dns.id\",\"dns.op_code\",\"dns.question.class\",\"dns.question.name\",\"dns.question.registered_domain\",\"dns.question.subdomain\",\"dns.question.top_level_domain\",\"dns.question.type\",\"dns.resolved_ip\",\"dns.response_code\",\"dns.type\",\"ecs.version\",\"error.code\",\"error.id\",\"error.message\",\"error.stack_trace\",\"error.stack_trace.text\",\"error.type\",\"event.action\",\"event.category\",\"event.code\",\"event.created\",\"data_stream.dataset\",\"event.duration\",\"event.end\",\"event.hash\",\"event.id\",\"event.ingested\",\"event.kind\",\"event.integration\",\"event.original\",\"event.outcome\",\"event.provider\",\"event.reason\",\"event.reference\",\"event.risk_score\",\"event.risk
_score_norm\",\"event.sequence\",\"event.severity\",\"event.start\",\"event.timezone\",\"event.type\",\"event.url\",\"file.accessed\",\"file.attributes\",\"file.code_signature.exists\",\"file.code_signature.status\",\"file.code_signature.subject_name\",\"file.code_signature.trusted\",\"file.code_signature.valid\",\"file.created\",\"file.ctime\",\"file.device\",\"file.directory\",\"file.drive_letter\",\"file.extension\",\"file.gid\",\"file.group\",\"file.hash.md5\",\"file.hash.sha1\",\"file.hash.sha256\",\"file.hash.sha512\",\"file.inode\",\"file.mime_type\",\"file.mode\",\"file.mtime\",\"file.name\",\"file.owner\",\"file.path\",\"file.path.text\",\"file.pe.architecture\",\"file.pe.company\",\"file.pe.description\",\"file.pe.file_version\",\"file.pe.imphash\",\"file.pe.original_file_name\",\"file.pe.product\",\"file.size\",\"file.target_path\",\"file.target_path.text\",\"file.type\",\"file.uid\",\"file.x509.alternative_names\",\"file.x509.issuer.common_name\",\"file.x509.issuer.country\",\"file.x509.issuer.distinguished_name\",\"file.x509.issuer.locality\",\"file.x509.issuer.organization\",\"file.x509.issuer.organizational_unit\",\"file.x509.issuer.state_or_province\",\"file.x509.not_after\",\"file.x509.not_before\",\"file.x509.public_key_algorithm\",\"file.x509.public_key_curve\",\"file.x509.public_key_exponent\",\"file.x509.public_key_size\",\"file.x509.serial_number\",\"file.x509.signature_algorithm\",\"file.x509.subject.common_name\",\"file.x509.subject.country\",\"file.x509.subject.distinguished_name\",\"file.x509.subject.locality\",\"file.x509.subject.organization\",\"file.x509.subject.organizational_unit\",\"file.x509.subject.state_or_province\",\"file.x509.version_number\",\"geo.city_name\",\"geo.continent_name\",\"geo.country_iso_code\",\"geo.country_name\",\"geo.location\",\"geo.name\",\"geo.region_iso_code\",\"geo.region_name\",\"group.domain\",\"group.id\",\"group.name\",\"hash.md5\",\"hash.sha1\",\"hash.sha256\",\"hash.sha512\",\"host.architecture\",\"ho
st.containerized\",\"host.domain\",\"host.geo.city_name\",\"host.geo.continent_name\",\"host.geo.country_iso_code\",\"host.geo.country_name\",\"host.geo.location\",\"host.geo.name\",\"host.geo.region_iso_code\",\"host.geo.region_name\",\"host.hostname\",\"host.id\",\"host.ip\",\"host.mac\",\"host.name\",\"host.os.build\",\"host.os.codename\",\"host.os.family\",\"host.os.full\",\"host.os.full.text\",\"host.os.kernel\",\"host.os.name\",\"host.os.name.text\",\"host.os.platform\",\"host.os.version\",\"host.type\",\"host.uptime\",\"host.user.domain\",\"host.user.email\",\"host.user.full_name\",\"host.user.full_name.text\",\"host.user.group.domain\",\"host.user.group.id\",\"host.user.group.name\",\"host.user.hash\",\"host.user.id\",\"host.user.name\",\"host.user.name.text\",\"host.user.roles\",\"http.request.body.bytes\",\"http.request.body.content\",\"http.request.body.content.text\",\"http.request.bytes\",\"http.request.method\",\"http.request.mime_type\",\"http.request.referrer\",\"http.response.body.bytes\",\"http.response.body.content\",\"http.response.body.content.text\",\"http.response.bytes\",\"http.response.mime_type\",\"http.response.status_code\",\"http.version\",\"interface.alias\",\"interface.id\",\"interface.name\",\"jolokia.agent.id\",\"jolokia.agent.version\",\"jolokia.secured\",\"jolokia.server.product\",\"jolokia.server.vendor\",\"jolokia.server.version\",\"jolokia.url\",\"kubernetes.container.image\",\"kubernetes.container.name\",\"kubernetes.deployment.name\",\"kubernetes.namespace\",\"kubernetes.node.hostname\",\"kubernetes.node.name\",\"kubernetes.pod.name\",\"kubernetes.pod.uid\",\"kubernetes.replicaset.name\",\"kubernetes.statefulset.name\",\"log.file.path\",\"log.level\",\"log.logger\",\"log.origin.file.line\",\"log.origin.file.name\",\"log.origin.function\",\"log.original\",\"log.syslog.facility.code\",\"log.syslog.facility.name\",\"log.syslog.priority\",\"log.syslog.severity.code\",\"log.syslog.severity.name\",\"message\",\"network.application\"
,\"network.bytes\",\"network.community_id\",\"network.direction\",\"network.forwarded_ip\",\"network.iana_number\",\"network.inner.vlan.id\",\"network.inner.vlan.name\",\"network.name\",\"network.packets\",\"network.protocol\",\"network.transport\",\"network.type\",\"network.vlan.id\",\"network.vlan.name\",\"observer.egress.interface.alias\",\"observer.egress.interface.id\",\"observer.egress.interface.name\",\"observer.egress.vlan.id\",\"observer.egress.vlan.name\",\"observer.egress.zone\",\"observer.geo.city_name\",\"observer.geo.continent_name\",\"observer.geo.country_iso_code\",\"observer.geo.country_name\",\"observer.geo.location\",\"observer.geo.name\",\"observer.geo.region_iso_code\",\"observer.geo.region_name\",\"observer.hostname\",\"observer.ingress.interface.alias\",\"observer.ingress.interface.id\",\"observer.ingress.interface.name\",\"observer.ingress.vlan.id\",\"observer.ingress.vlan.name\",\"observer.ingress.zone\",\"observer.ip\",\"observer.mac\",\"observer.name\",\"observer.os.family\",\"observer.os.full\",\"observer.os.full.text\",\"observer.os.kernel\",\"observer.os.name\",\"observer.os.name.text\",\"observer.os.platform\",\"observer.os.version\",\"observer.product\",\"observer.serial_number\",\"observer.type\",\"observer.vendor\",\"observer.version\",\"organization.id\",\"organization.name\",\"organization.name.text\",\"os.family\",\"os.full\",\"os.full.text\",\"os.kernel\",\"os.name\",\"os.name.text\",\"os.platform\",\"os.version\",\"package.architecture\",\"package.build_version\",\"package.checksum\",\"package.description\",\"package.install_scope\",\"package.installed\",\"package.license\",\"package.name\",\"package.path\",\"package.reference\",\"package.size\",\"package.type\",\"package.version\",\"pe.architecture\",\"pe.company\",\"pe.description\",\"pe.file_version\",\"pe.imphash\",\"pe.original_file_name\",\"pe.product\",\"process.args\",\"process.args_count\",\"process.code_signature.exists\",\"process.code_signature.status\",\"process.co
de_signature.subject_name\",\"process.code_signature.trusted\",\"process.code_signature.valid\",\"process.command_line\",\"process.command_line.text\",\"process.entity_id\",\"process.executable\",\"process.executable.text\",\"process.exit_code\",\"process.hash.md5\",\"process.hash.sha1\",\"process.hash.sha256\",\"process.hash.sha512\",\"process.name\",\"process.name.text\",\"process.parent.args\",\"process.parent.args_count\",\"process.parent.code_signature.exists\",\"process.parent.code_signature.status\",\"process.parent.code_signature.subject_name\",\"process.parent.code_signature.trusted\",\"process.parent.code_signature.valid\",\"process.parent.command_line\",\"process.parent.command_line.text\",\"process.parent.entity_id\",\"process.parent.executable\",\"process.parent.executable.text\",\"process.parent.exit_code\",\"process.parent.hash.md5\",\"process.parent.hash.sha1\",\"process.parent.hash.sha256\",\"process.parent.hash.sha512\",\"process.parent.name\",\"process.parent.name.text\",\"process.parent.pe.architecture\",\"process.parent.pe.company\",\"process.parent.pe.description\",\"process.parent.pe.file_version\",\"process.parent.pe.imphash\",\"process.parent.pe.original_file_name\",\"process.parent.pe.product\",\"process.parent.pgid\",\"process.parent.pid\",\"process.parent.ppid\",\"process.parent.start\",\"process.parent.thread.id\",\"process.parent.thread.name\",\"process.parent.title\",\"process.parent.title.text\",\"process.parent.uptime\",\"process.parent.working_directory\",\"process.parent.working_directory.text\",\"process.pe.architecture\",\"process.pe.company\",\"process.pe.description\",\"process.pe.file_version\",\"process.pe.imphash\",\"process.pe.original_file_name\",\"process.pe.product\",\"process.pgid\",\"process.pid\",\"process.ppid\",\"process.start\",\"process.thread.id\",\"process.thread.name\",\"process.title\",\"process.title.text\",\"process.uptime\",\"process.working_directory\",\"process.working_directory.text\",\"registry.data.byt
es\",\"registry.data.strings\",\"registry.data.type\",\"registry.hive\",\"registry.key\",\"registry.path\",\"registry.value\",\"related.hash\",\"related.hosts\",\"related.ip\",\"related.user\",\"rule.author\",\"rule.category\",\"rule.description\",\"rule.id\",\"rule.license\",\"rule.name\",\"rule.reference\",\"rule.ruleset\",\"rule.uuid\",\"rule.version\",\"server.address\",\"server.as.number\",\"server.as.organization.name\",\"server.as.organization.name.text\",\"server.bytes\",\"server.domain\",\"server.geo.city_name\",\"server.geo.continent_name\",\"server.geo.country_iso_code\",\"server.geo.country_name\",\"server.geo.location\",\"server.geo.name\",\"server.geo.region_iso_code\",\"server.geo.region_name\",\"server.ip\",\"server.mac\",\"server.nat.ip\",\"server.nat.port\",\"server.packets\",\"server.port\",\"server.registered_domain\",\"server.subdomain\",\"server.top_level_domain\",\"server.user.domain\",\"server.user.email\",\"server.user.full_name\",\"server.user.full_name.text\",\"server.user.group.domain\",\"server.user.group.id\",\"server.user.group.name\",\"server.user.hash\",\"server.user.id\",\"server.user.name\",\"server.user.name.text\",\"server.user.roles\",\"service.ephemeral_id\",\"service.id\",\"service.name\",\"service.node.name\",\"service.state\",\"service.type\",\"service.version\",\"source.address\",\"source.as.number\",\"source.as.organization.name\",\"source.as.organization.name.text\",\"source.bytes\",\"source.domain\",\"source.geo.city_name\",\"source.geo.continent_name\",\"source.geo.country_iso_code\",\"source.geo.country_name\",\"source.geo.location\",\"source.geo.name\",\"source.geo.region_iso_code\",\"source.geo.region_name\",\"source.ip\",\"source.mac\",\"source.nat.ip\",\"source.nat.port\",\"source.packets\",\"source.port\",\"source.registered_domain\",\"source.subdomain\",\"source.top_level_domain\",\"source.user.domain\",\"source.user.email\",\"source.user.full_name\",\"source.user.full_name.text\",\"source.user.group.domain\",\"s
ource.user.group.id\",\"source.user.group.name\",\"source.user.hash\",\"source.user.id\",\"source.user.name\",\"source.user.name.text\",\"source.user.roles\",\"span.id\",\"tags\",\"threat.framework\",\"threat.tactic.id\",\"threat.tactic.name\",\"threat.tactic.reference\",\"threat.technique.id\",\"threat.technique.name\",\"threat.technique.name.text\",\"threat.technique.reference\",\"threat.technique.subtechnique.id\",\"threat.technique.subtechnique.name\",\"threat.technique.subtechnique.name.text\",\"threat.technique.subtechnique.reference\",\"timeseries.instance\",\"tls.cipher\",\"tls.client.certificate\",\"tls.client.certificate_chain\",\"tls.client.hash.md5\",\"tls.client.hash.sha1\",\"tls.client.hash.sha256\",\"tls.client.issuer\",\"tls.client.ja3\",\"tls.client.not_after\",\"tls.client.not_before\",\"tls.client.server_name\",\"tls.client.subject\",\"tls.client.supported_ciphers\",\"tls.client.x509.alternative_names\",\"tls.client.x509.issuer.common_name\",\"tls.client.x509.issuer.country\",\"tls.client.x509.issuer.distinguished_name\",\"tls.client.x509.issuer.locality\",\"tls.client.x509.issuer.organization\",\"tls.client.x509.issuer.organizational_unit\",\"tls.client.x509.issuer.state_or_province\",\"tls.client.x509.not_after\",\"tls.client.x509.not_before\",\"tls.client.x509.public_key_algorithm\",\"tls.client.x509.public_key_curve\",\"tls.client.x509.public_key_exponent\",\"tls.client.x509.public_key_size\",\"tls.client.x509.serial_number\",\"tls.client.x509.signature_algorithm\",\"tls.client.x509.subject.common_name\",\"tls.client.x509.subject.country\",\"tls.client.x509.subject.distinguished_name\",\"tls.client.x509.subject.locality\",\"tls.client.x509.subject.organization\",\"tls.client.x509.subject.organizational_unit\",\"tls.client.x509.subject.state_or_province\",\"tls.client.x509.version_number\",\"tls.curve\",\"tls.established\",\"tls.next_protocol\",\"tls.resumed\",\"tls.server.certificate\",\"tls.server.certificate_chain\",\"tls.server.hash.md5\",\
"tls.server.hash.sha1\",\"tls.server.hash.sha256\",\"tls.server.issuer\",\"tls.server.ja3s\",\"tls.server.not_after\",\"tls.server.not_before\",\"tls.server.subject\",\"tls.server.x509.alternative_names\",\"tls.server.x509.issuer.common_name\",\"tls.server.x509.issuer.country\",\"tls.server.x509.issuer.distinguished_name\",\"tls.server.x509.issuer.locality\",\"tls.server.x509.issuer.organization\",\"tls.server.x509.issuer.organizational_unit\",\"tls.server.x509.issuer.state_or_province\",\"tls.server.x509.not_after\",\"tls.server.x509.not_before\",\"tls.server.x509.public_key_algorithm\",\"tls.server.x509.public_key_curve\",\"tls.server.x509.public_key_exponent\",\"tls.server.x509.public_key_size\",\"tls.server.x509.serial_number\",\"tls.server.x509.signature_algorithm\",\"tls.server.x509.subject.common_name\",\"tls.server.x509.subject.country\",\"tls.server.x509.subject.distinguished_name\",\"tls.server.x509.subject.locality\",\"tls.server.x509.subject.organization\",\"tls.server.x509.subject.organizational_unit\",\"tls.server.x509.subject.state_or_province\",\"tls.server.x509.version_number\",\"tls.version\",\"tls.version_protocol\",\"trace.id\",\"transaction.id\",\"url.domain\",\"url.extension\",\"url.fragment\",\"url.full\",\"url.full.text\",\"url.original\",\"url.original.text\",\"url.password\",\"url.path\",\"url.port\",\"url.query\",\"url.registered_domain\",\"url.scheme\",\"url.subdomain\",\"url.top_level_domain\",\"url.username\",\"user.domain\",\"user.email\",\"user.full_name\",\"user.full_name.text\",\"user.group.domain\",\"user.group.id\",\"user.group.name\",\"user.hash\",\"user.id\",\"user.name\",\"user.name.text\",\"user.roles\",\"user_agent.device.name\",\"user_agent.name\",\"user_agent.original\",\"user_agent.original.text\",\"user_agent.os.family\",\"user_agent.os.full\",\"user_agent.os.full.text\",\"user_agent.os.kernel\",\"user_agent.os.name\",\"user_agent.os.name.text\",\"user_agent.os.platform\",\"user_agent.os.version\",\"user_agent.version\",\
"vlan.id\",\"vlan.name\",\"vulnerability.category\",\"vulnerability.classification\",\"vulnerability.description\",\"vulnerability.description.text\",\"vulnerability.enumeration\",\"vulnerability.id\",\"vulnerability.reference\",\"vulnerability.report_id\",\"vulnerability.scanner.vendor\",\"vulnerability.score.base\",\"vulnerability.score.environmental\",\"vulnerability.score.temporal\",\"vulnerability.score.version\",\"vulnerability.severity\",\"winlog.activity_id\",\"winlog.api\",\"winlog.channel\",\"winlog.computer_name\",\"winlog.event_data.Address\",\"winlog.event_data.AdvancedOptions\",\"winlog.event_data.AlgorithmName\",\"winlog.event_data.AppId\",\"winlog.event_data.AuthenticationPackageName\",\"winlog.event_data.Binary\",\"winlog.event_data.BitlockerUserInputTime\",\"winlog.event_data.BootAppStatus\",\"winlog.event_data.BootMenuPolicy\",\"winlog.event_data.BootMode\",\"winlog.event_data.BootType\",\"winlog.event_data.BugcheckCode\",\"winlog.event_data.BugcheckParameter1\",\"winlog.event_data.BugcheckParameter2\",\"winlog.event_data.BugcheckParameter3\",\"winlog.event_data.BugcheckParameter4\",\"winlog.event_data.BuildVersion\",\"winlog.event_data.CallerProcessId\",\"winlog.event_data.CallerProcessName\",\"winlog.event_data.Checkpoint\",\"winlog.event_data.Company\",\"winlog.event_data.Config\",\"winlog.event_data.ConfigAccessPolicy\",\"winlog.event_data.ConfigurationReader\",\"winlog.event_data.ConnectedStandbyInProgress\",\"winlog.event_data.CorruptionActionState\",\"winlog.event_data.CreationUtcTime\",\"winlog.event_data.CsEntryScenarioInstanceId\",\"winlog.event_data.Default SD 
String:\",\"winlog.event_data.Description\",\"winlog.event_data.Detail\",\"winlog.event_data.DeviceName\",\"winlog.event_data.DeviceNameLength\",\"winlog.event_data.DeviceTime\",\"winlog.event_data.DeviceVersionMajor\",\"winlog.event_data.DeviceVersionMinor\",\"winlog.event_data.DirtyPages\",\"winlog.event_data.DisableIntegrityChecks\",\"winlog.event_data.DriveName\",\"winlog.event_data.DriverName\",\"winlog.event_data.DriverNameLength\",\"winlog.event_data.DwordVal\",\"winlog.event_data.ElevatedToken\",\"winlog.event_data.EnableDisableReason\",\"winlog.event_data.EntryCount\",\"winlog.event_data.ErrorCode\",\"winlog.event_data.ExtraInfo\",\"winlog.event_data.ExtraInfoLength\",\"winlog.event_data.ExtraInfoString\",\"winlog.event_data.FailureName\",\"winlog.event_data.FailureNameLength\",\"winlog.event_data.FileVersion\",\"winlog.event_data.FilterID\",\"winlog.event_data.FinalStatus\",\"winlog.event_data.FlightSigning\",\"winlog.event_data.Group\",\"winlog.event_data.HiveName\",\"winlog.event_data.HiveNameLength\",\"winlog.event_data.HypervisorDebug\",\"winlog.event_data.HypervisorLaunchType\",\"winlog.event_data.HypervisorLoadOptions\",\"winlog.event_data.IdleImplementation\",\"winlog.event_data.IdleStateCount\",\"winlog.event_data.ImpersonationLevel\",\"winlog.event_data.IntegrityLevel\",\"winlog.event_data.Interface\",\"winlog.event_data.IpAddress\",\"winlog.event_data.IpPort\",\"winlog.event_data.IsTestConfig\",\"winlog.event_data.KernelDebug\",\"winlog.event_data.KeyFilePath\",\"winlog.event_data.KeyLength\",\"winlog.event_data.KeyName\",\"winlog.event_data.KeyType\",\"winlog.event_data.KeysUpdated\",\"winlog.event_data.LastBootGood\",\"winlog.event_data.LastShutdownGood\",\"winlog.event_data.ListenerAdapterProtocol\",\"winlog.event_data.LmPackageName\",\"winlog.event_data.LoadOptions\",\"winlog.event_data.LogonGuid\",\"winlog.event_data.LogonId\",\"winlog.event_data.LogonProcessName\",\"winlog.event_data.LogonType\",\"winlog.event_data.MajorVersion\",\"winlog.e
vent_data.MandatoryLabel\",\"winlog.event_data.MaximumPerformancePercent\",\"winlog.event_data.MemberName\",\"winlog.event_data.MemberSid\",\"winlog.event_data.MinimumPerformancePercent\",\"winlog.event_data.MinimumThrottlePercent\",\"winlog.event_data.MinorVersion\",\"winlog.event_data.NewProcessId\",\"winlog.event_data.NewProcessName\",\"winlog.event_data.NewSchemeGuid\",\"winlog.event_data.NewSize\",\"winlog.event_data.NewTime\",\"winlog.event_data.NominalFrequency\",\"winlog.event_data.Number\",\"winlog.event_data.OldSchemeGuid\",\"winlog.event_data.OldTime\",\"winlog.event_data.Operation\",\"winlog.event_data.OriginalFileName\",\"winlog.event_data.OriginalSize\",\"winlog.event_data.PackageName\",\"winlog.event_data.Path\",\"winlog.event_data.PerformanceImplementation\",\"winlog.event_data.PowerButtonTimestamp\",\"winlog.event_data.PreviousCreationUtcTime\",\"winlog.event_data.PreviousTime\",\"winlog.event_data.PrivilegeList\",\"winlog.event_data.ProcessId\",\"winlog.event_data.ProcessName\",\"winlog.event_data.ProcessPath\",\"winlog.event_data.ProcessPid\",\"winlog.event_data.Product\",\"winlog.event_data.ProtocolType\",\"winlog.event_data.ProviderName\",\"winlog.event_data.PuaCount\",\"winlog.event_data.PuaPolicyId\",\"winlog.event_data.QfeVersion\",\"winlog.event_data.Reason\",\"winlog.event_data.RemoteEventLogging\",\"winlog.event_data.RestrictedAdminMode\",\"winlog.event_data.ReturnCode\",\"winlog.event_data.RunningMode\",\"winlog.event_data.SchemaVersion\",\"winlog.event_data.ScriptBlockText\",\"winlog.event_data.ServiceName\",\"winlog.event_data.ServiceVersion\",\"winlog.event_data.ShutdownActionType\",\"winlog.event_data.ShutdownEventCode\",\"winlog.event_data.ShutdownReason\",\"winlog.event_data.Signature\",\"winlog.event_data.SignatureStatus\",\"winlog.event_data.Signed\",\"winlog.event_data.SleepInProgress\",\"winlog.event_data.StartTime\",\"winlog.event_data.State\",\"winlog.event_data.Status\",\"winlog.event_data.StopTime\",\"winlog.event_data.Subje
ctDomainName\",\"winlog.event_data.SubjectLogonId\",\"winlog.event_data.SubjectUserName\",\"winlog.event_data.SubjectUserSid\",\"winlog.event_data.SystemSleepTransitionsToOn\",\"winlog.event_data.TSId\",\"winlog.event_data.TargetDomainName\",\"winlog.event_data.TargetInfo\",\"winlog.event_data.TargetLinkedLogonId\",\"winlog.event_data.TargetLogonGuid\",\"winlog.event_data.TargetLogonId\",\"winlog.event_data.TargetOutboundDomainName\",\"winlog.event_data.TargetOutboundUserName\",\"winlog.event_data.TargetServerName\",\"winlog.event_data.TargetSid\",\"winlog.event_data.TargetUserName\",\"winlog.event_data.TargetUserSid\",\"winlog.event_data.TerminalSessionId\",\"winlog.event_data.TestSigning\",\"winlog.event_data.TimeSource\",\"winlog.event_data.TokenElevationType\",\"winlog.event_data.TransmittedServices\",\"winlog.event_data.UserSid\",\"winlog.event_data.Version\",\"winlog.event_data.VirtualAccount\",\"winlog.event_data.VsmLaunchType\",\"winlog.event_data.VsmPolicy\",\"winlog.event_data.Workstation\",\"winlog.event_data.param1\",\"winlog.event_data.param10\",\"winlog.event_data.param11\",\"winlog.event_data.param12\",\"winlog.event_data.param2\",\"winlog.event_data.param3\",\"winlog.event_data.param4\",\"winlog.event_data.param5\",\"winlog.event_data.param6\",\"winlog.event_data.param7\",\"winlog.event_data.param8\",\"winlog.event_data.param9\",\"winlog.event_data.serviceGuid\",\"winlog.event_data.updateGuid\",\"winlog.event_data.updateRevisionNumber\",\"winlog.event_data.updateTitle\",\"winlog.event_id\",\"winlog.keywords\",\"winlog.logon.failure.status\",\"winlog.logon.id\",\"winlog.logon.type\",\"winlog.opcode\",\"winlog.process.pid\",\"winlog.process.thread.id\",\"winlog.provider_guid\",\"winlog.provider_name\",\"winlog.record_id\",\"winlog.related_activity_id\",\"winlog.task\",\"winlog.user.domain\",\"winlog.user.identifier\",\"winlog.user.name\",\"winlog.user.type\",\"winlog.user_data.Reason\",\"winlog.user_data.binaryData\",\"winlog.user_data.binaryDataSize\"
,\"winlog.user_data.param1\",\"winlog.user_data.param2\",\"winlog.user_data.xml_name\",\"winlog.version\",\"x509.alternative_names\",\"x509.issuer.common_name\",\"x509.issuer.country\",\"x509.issuer.distinguished_name\",\"x509.issuer.locality\",\"x509.issuer.organization\",\"x509.issuer.organizational_unit\",\"x509.issuer.state_or_province\",\"x509.not_after\",\"x509.not_before\",\"x509.public_key_algorithm\",\"x509.public_key_curve\",\"x509.public_key_exponent\",\"x509.public_key_size\",\"x509.serial_number\",\"x509.signature_algorithm\",\"x509.subject.common_name\",\"x509.subject.country\",\"x509.subject.distinguished_name\",\"x509.subject.locality\",\"x509.subject.organization\",\"x509.subject.organizational_unit\",\"x509.subject.state_or_province\",\"x509.version_number\"],\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.action\",\"negate\":false,\"params\":[\"logged-in\",\"logged-in-special\"],\"type\":\"phrases\",\"value\":\"logged-in, logged-in-special\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.action\":\"logged-in\"}},{\"match_phrase\":{\"event.action\":\"logged-in-special\"}}]}}}],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "Windows Event Log Logins", - "version": 1 - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-1a724dd0-2395-11eb-abcf-effcd51852fa", - "migrationVersion": { - "search": "7.9.3" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": 
"index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/hid_bravura_monitor/1.2.3/kibana/search/hid_bravura_monitor-2e254220-df55-11eb-9b6e-d57491399e2a.json b/packages/hid_bravura_monitor/1.2.3/kibana/search/hid_bravura_monitor-2e254220-df55-11eb-9b6e-d57491399e2a.json deleted file mode 100755 index 434c4272a2..0000000000 --- a/packages/hid_bravura_monitor/1.2.3/kibana/search/hid_bravura_monitor-2e254220-df55-11eb-9b6e-d57491399e2a.json +++ /dev/null @@ -1,39 +0,0 @@ -{ - "attributes": { - "columns": [], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"hid_bravura_monitor.perf.kind\",\"negate\":false,\"params\":{\"query\":\"PerfReplication\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"hid_bravura_monitor.perf.kind\":\"PerfReplication\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "Database: Replication: Search", - "version": 1 - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-2e254220-df55-11eb-9b6e-d57491399e2a", - "migrationVersion": { - "search": "7.9.3" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file 
diff --git a/packages/hid_bravura_monitor/1.2.3/kibana/search/hid_bravura_monitor-2ec4a850-1463-11eb-bb7b-bb041e8cf289.json b/packages/hid_bravura_monitor/1.2.3/kibana/search/hid_bravura_monitor-2ec4a850-1463-11eb-bb7b-bb041e8cf289.json deleted file mode 100755 index 50b65c5ba3..0000000000 --- a/packages/hid_bravura_monitor/1.2.3/kibana/search/hid_bravura_monitor-2ec4a850-1463-11eb-bb7b-bb041e8cf289.json +++ /dev/null 
@@ -1,44 +0,0 @@
-{
- "attributes": {
- "columns": [
- "message",
- "host.name",
- "log.level",
- "log.logger"
- ],
- "description": "",
- "hits": 0,
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"hid_bravura_monitor.log\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"hid_bravura_monitor.log\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"log.level\",\"negate\":false,\"params\":[\"Warning\",\"Error\"],\"type\":\"phrases\",\"value\":\"Warning, Error\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"log.level\":\"Warning\"}},{\"match_phrase\":{\"log.level\":\"Error\"}}]}}}],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}"
- },
- "sort": [],
- "title": "IDM Suite Errors and Warnings",
- "version": 1
- },
- "coreMigrationVersion": "7.15.0",
- "id": "hid_bravura_monitor-2ec4a850-1463-11eb-bb7b-bb041e8cf289",
- "migrationVersion": {
- "search": "7.9.3"
- },
- "namespaces": [
- "default"
- ],
- "references": [
- {
- "id": "logs-*",
- "name": "kibanaSavedObjectMeta.searchSourceJSON.index",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index",
- "type": "index-pattern"
- }
- ],
- "type": "search"
-}
\ No newline at end of file
diff --git a/packages/hid_bravura_monitor/1.2.3/kibana/search/hid_bravura_monitor-39072a50-2f42-11eb-b6a1-bdb7d768b585.json b/packages/hid_bravura_monitor/1.2.3/kibana/search/hid_bravura_monitor-39072a50-2f42-11eb-b6a1-bdb7d768b585.json
deleted file mode 100755
index d8a9246524..0000000000
--- a/packages/hid_bravura_monitor/1.2.3/kibana/search/hid_bravura_monitor-39072a50-2f42-11eb-b6a1-bdb7d768b585.json
+++ /dev/null
@@ -1,39 +0,0 @@ -{ - "attributes": { - "columns": [], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"fieldsFromSource\":[\"@timestamp\",\"_id\",\"_index\",\"_score\",\"_source\",\"_type\",\"agent.build.original\",\"agent.ephemeral_id\",\"agent.hostname\",\"agent.id\",\"agent.name\",\"agent.type\",\"agent.version\",\"apache.access.ssl.cipher\",\"apache.access.ssl.protocol\",\"apache.error.integration\",\"as.number\",\"as.organization.name\",\"as.organization.name.text\",\"auditd.log.a0\",\"auditd.log.addr\",\"auditd.log.item\",\"auditd.log.items\",\"auditd.log.laddr\",\"auditd.log.lport\",\"auditd.log.new_auid\",\"auditd.log.new_ses\",\"auditd.log.old_auid\",\"auditd.log.old_ses\",\"auditd.log.rport\",\"auditd.log.sequence\",\"auditd.log.tty\",\"azure.consumer_group\",\"azure.enqueued_time\",\"azure.eventhub\",\"azure.offset\",\"azure.partition_id\",\"azure.sequence_number\",\"client.address\",\"client.as.number\",\"client.as.organization.name\",\"client.as.organization.name.text\",\"client.bytes\",\"client.domain\",\"client.geo.city_name\",\"client.geo.continent_name\",\"client.geo.country_iso_code\",\"client.geo.country_name\",\"client.geo.location\",\"client.geo.name\",\"client.geo.region_iso_code\",\"client.geo.region_name\",\"client.ip\",\"client.mac\",\"client.nat.ip\",\"client.nat.port\",\"client.packets\",\"client.port\",\"client.registered_domain\",\"client.subdomain\",\"client.top_level_domain\",\"client.user.domain\",\"client.user.email\",\"client.user.full_name\",\"client.user.full_name.text\",\"client.user.group.domain\",\"client.user.group.id\",\"client.user.group.name\",\"client.user.hash\",\"client.user.id\",\"client.user.name\",\"client.user.name.text\",\"client.user.roles\",\"cloud.account.id\",\"cloud.account.name\",\"cloud.availability_zone\",\"cloud.image.id\",\"cloud.instance.id\",\"cloud.instance.name\",\"cloud.machine.type\",\"cloud.project.id\",\"cloud.project.name\",\"cloud.provider\",\"cloud.region
\",\"code_signature.exists\",\"code_signature.status\",\"code_signature.subject_name\",\"code_signature.trusted\",\"code_signature.valid\",\"container.id\",\"container.image.name\",\"container.image.tag\",\"container.name\",\"container.runtime\",\"destination.address\",\"destination.as.number\",\"destination.as.organization.name\",\"destination.as.organization.name.text\",\"destination.bytes\",\"destination.domain\",\"destination.geo.city_name\",\"destination.geo.continent_name\",\"destination.geo.country_iso_code\",\"destination.geo.country_name\",\"destination.geo.location\",\"destination.geo.name\",\"destination.geo.region_iso_code\",\"destination.geo.region_name\",\"destination.ip\",\"destination.mac\",\"destination.nat.ip\",\"destination.nat.port\",\"destination.packets\",\"destination.port\",\"destination.registered_domain\",\"destination.subdomain\",\"destination.top_level_domain\",\"destination.user.domain\",\"destination.user.email\",\"destination.user.full_name\",\"destination.user.full_name.text\",\"destination.user.group.domain\",\"destination.user.group.id\",\"destination.user.group.name\",\"destination.user.hash\",\"destination.user.id\",\"destination.user.name\",\"destination.user.name.text\",\"destination.user.roles\",\"dll.code_signature.exists\",\"dll.code_signature.status\",\"dll.code_signature.subject_name\",\"dll.code_signature.trusted\",\"dll.code_signature.valid\",\"dll.hash.md5\",\"dll.hash.sha1\",\"dll.hash.sha256\",\"dll.hash.sha512\",\"dll.name\",\"dll.path\",\"dll.pe.architecture\",\"dll.pe.company\",\"dll.pe.description\",\"dll.pe.file_version\",\"dll.pe.imphash\",\"dll.pe.original_file_name\",\"dll.pe.product\",\"dns.answers.class\",\"dns.answers.data\",\"dns.answers.name\",\"dns.answers.ttl\",\"dns.answers.type\",\"dns.header_flags\",\"dns.id\",\"dns.op_code\",\"dns.question.class\",\"dns.question.name\",\"dns.question.registered_domain\",\"dns.question.subdomain\",\"dns.question.top_level_domain\",\"dns.question.type\",\"dns.resolved_
ip\",\"dns.response_code\",\"dns.type\",\"ecs.version\",\"elasticsearch.audit.action\",\"elasticsearch.audit.event_type\",\"elasticsearch.audit.indices\",\"elasticsearch.audit.layer\",\"elasticsearch.audit.message\",\"elasticsearch.audit.origin.type\",\"elasticsearch.audit.realm\",\"elasticsearch.audit.request.id\",\"elasticsearch.audit.request.name\",\"elasticsearch.audit.url.params\",\"elasticsearch.audit.user.realm\",\"elasticsearch.audit.user.roles\",\"elasticsearch.cluster.name\",\"elasticsearch.cluster.uuid\",\"elasticsearch.component\",\"elasticsearch.gc.heap.size_kb\",\"elasticsearch.gc.heap.used_kb\",\"elasticsearch.gc.jvm_runtime_sec\",\"elasticsearch.gc.old_gen.size_kb\",\"elasticsearch.gc.old_gen.used_kb\",\"elasticsearch.gc.phase.class_unload_time_sec\",\"elasticsearch.gc.phase.cpu_time.real_sec\",\"elasticsearch.gc.phase.cpu_time.sys_sec\",\"elasticsearch.gc.phase.cpu_time.user_sec\",\"elasticsearch.gc.phase.duration_sec\",\"elasticsearch.gc.phase.name\",\"elasticsearch.gc.phase.parallel_rescan_time_sec\",\"elasticsearch.gc.phase.scrub_string_table_time_sec\",\"elasticsearch.gc.phase.scrub_symbol_table_time_sec\",\"elasticsearch.gc.phase.weak_refs_processing_time_sec\",\"elasticsearch.gc.stopping_threads_time_sec\",\"elasticsearch.gc.tags\",\"elasticsearch.gc.threads_total_stop_time_sec\",\"elasticsearch.gc.young_gen.size_kb\",\"elasticsearch.gc.young_gen.used_kb\",\"elasticsearch.index.id\",\"elasticsearch.index.name\",\"elasticsearch.node.id\",\"elasticsearch.node.name\",\"elasticsearch.server.gc.collection_duration.ms\",\"elasticsearch.server.gc.observation_duration.ms\",\"elasticsearch.server.gc.overhead_seq\",\"elasticsearch.server.gc.young.one\",\"elasticsearch.server.gc.young.two\",\"elasticsearch.server.stacktrace\",\"elasticsearch.shard.id\",\"elasticsearch.slowlog.extra_source\",\"elasticsearch.slowlog.id\",\"elasticsearch.slowlog.logger\",\"elasticsearch.slowlog.routing\",\"elasticsearch.slowlog.search_type\",\"elasticsearch.slowlog.source\"
,\"elasticsearch.slowlog.source_query\",\"elasticsearch.slowlog.stats\",\"elasticsearch.slowlog.took\",\"elasticsearch.slowlog.total_hits\",\"elasticsearch.slowlog.total_shards\",\"elasticsearch.slowlog.type\",\"elasticsearch.slowlog.types\",\"error.code\",\"error.id\",\"error.message\",\"error.stack_trace\",\"error.stack_trace.text\",\"error.type\",\"event.action\",\"event.category\",\"event.code\",\"event.created\",\"data_stream.dataset\",\"event.duration\",\"event.end\",\"event.hash\",\"event.id\",\"event.ingested\",\"event.kind\",\"event.integration\",\"event.original\",\"event.outcome\",\"event.provider\",\"event.reason\",\"event.reference\",\"event.risk_score\",\"event.risk_score_norm\",\"event.sequence\",\"event.severity\",\"event.start\",\"event.timezone\",\"event.type\",\"event.url\",\"file.accessed\",\"file.attributes\",\"file.code_signature.exists\",\"file.code_signature.status\",\"file.code_signature.subject_name\",\"file.code_signature.trusted\",\"file.code_signature.valid\",\"file.created\",\"file.ctime\",\"file.device\",\"file.directory\",\"file.drive_letter\",\"file.extension\",\"file.gid\",\"file.group\",\"file.hash.md5\",\"file.hash.sha1\",\"file.hash.sha256\",\"file.hash.sha512\",\"file.inode\",\"file.mime_type\",\"file.mode\",\"file.mtime\",\"file.name\",\"file.owner\",\"file.path\",\"file.path.text\",\"file.pe.architecture\",\"file.pe.company\",\"file.pe.description\",\"file.pe.file_version\",\"file.pe.imphash\",\"file.pe.original_file_name\",\"file.pe.product\",\"file.size\",\"file.target_path\",\"file.target_path.text\",\"file.type\",\"file.uid\",\"file.x509.alternative_names\",\"file.x509.issuer.common_name\",\"file.x509.issuer.country\",\"file.x509.issuer.distinguished_name\",\"file.x509.issuer.locality\",\"file.x509.issuer.organization\",\"file.x509.issuer.organizational_unit\",\"file.x509.issuer.state_or_province\",\"file.x509.not_after\",\"file.x509.not_before\",\"file.x509.public_key_algorithm\",\"file.x509.public_key_curve\",\"file.x509
.public_key_exponent\",\"file.x509.public_key_size\",\"file.x509.serial_number\",\"file.x509.signature_algorithm\",\"file.x509.subject.common_name\",\"file.x509.subject.country\",\"file.x509.subject.distinguished_name\",\"file.x509.subject.locality\",\"file.x509.subject.organization\",\"file.x509.subject.organizational_unit\",\"file.x509.subject.state_or_province\",\"file.x509.version_number\",\"fileset.name\",\"geo.city_name\",\"geo.continent_name\",\"geo.country_iso_code\",\"geo.country_name\",\"geo.location\",\"geo.name\",\"geo.region_iso_code\",\"geo.region_name\",\"group.domain\",\"group.id\",\"group.name\",\"haproxy.backend_name\",\"haproxy.backend_queue\",\"haproxy.bind_name\",\"haproxy.bytes_read\",\"haproxy.connection_wait_time_ms\",\"haproxy.connections.active\",\"haproxy.connections.backend\",\"haproxy.connections.frontend\",\"haproxy.connections.retries\",\"haproxy.connections.server\",\"haproxy.error_message\",\"haproxy.frontend_name\",\"haproxy.http.request.captured_cookie\",\"haproxy.http.request.captured_headers\",\"haproxy.http.request.raw_request_line\",\"haproxy.http.request.time_wait_ms\",\"haproxy.http.request.time_wait_without_data_ms\",\"haproxy.http.response.captured_cookie\",\"haproxy.http.response.captured_headers\",\"haproxy.mode\",\"haproxy.server_name\",\"haproxy.server_queue\",\"haproxy.source\",\"haproxy.tcp.connection_waiting_time_ms\",\"haproxy.termination_state\",\"haproxy.time_backend_connect\",\"haproxy.time_queue\",\"haproxy.total_waiting_time_ms\",\"hash.md5\",\"hash.sha1\",\"hash.sha256\",\"hash.sha512\",\"hid_bravura_monitor.instancename\",\"hid_bravura_monitor.node\",\"hid_bravura_monitor.perf.address\",\"hid_bravura_monitor.perf.address\",\"hid_bravura_monitor.perf.adminid\",\"hid_bravura_monitor.perf.adminid\",\"hid_bravura_monitor.perf.dbcommand\",\"hid_bravura_monitor.perf.dbcommand\",\"hid_bravura_monitor.perf.destination\",\"hid_bravura_monitor.perf.duration\",\"hid_bravura_monitor.perf.event\",\"hid_bravura_monitor.per
f.event\",\"hid_bravura_monitor.perf.exe\",\"hid_bravura_monitor.perf.exe\",\"hid_bravura_monitor.perf.file\",\"hid_bravura_monitor.perf.function\",\"hid_bravura_monitor.perf.function\",\"hid_bravura_monitor.perf.kernel\",\"hid_bravura_monitor.perf.kind\",\"hid_bravura_monitor.perf.kind\",\"hid_bravura_monitor.perf.message\",\"hid_bravura_monitor.perf.message\",\"hid_bravura_monitor.perf.operation\",\"hid_bravura_monitor.perf.operation\",\"hid_bravura_monitor.perf.receivequeue\",\"hid_bravura_monitor.perf.receivequeue\",\"hid_bravura_monitor.perf.records\",\"hid_bravura_monitor.perf.result\",\"hid_bravura_monitor.perf.result\",\"hid_bravura_monitor.perf.rule\",\"hid_bravura_monitor.perf.sessionid\",\"hid_bravura_monitor.perf.sessionid\",\"hid_bravura_monitor.perf.sysid\",\"hid_bravura_monitor.perf.sysid\",\"hid_bravura_monitor.perf.table\",\"hid_bravura_monitor.perf.table\",\"hid_bravura_monitor.perf.targetid\",\"hid_bravura_monitor.perf.targetid\",\"hid_bravura_monitor.perf.transid\",\"hid_bravura_monitor.perf.transid\",\"hid_bravura_monitor.perf.type\",\"hid_bravura_monitor.perf.user\",\"hid_bravura_monitor.request.id\",\"hid_bravura_monitor.request.id\",\"host.architecture\",\"host.containerized\",\"host.domain\",\"host.geo.city_name\",\"host.geo.continent_name\",\"host.geo.country_iso_code\",\"host.geo.country_name\",\"host.geo.location\",\"host.geo.name\",\"host.geo.region_iso_code\",\"host.geo.region_name\",\"host.hostname\",\"host.id\",\"host.ip\",\"host.mac\",\"host.name\",\"host.os.build\",\"host.os.codename\",\"host.os.family\",\"host.os.full\",\"host.os.full.text\",\"host.os.kernel\",\"host.os.name\",\"host.os.name.text\",\"host.os.platform\",\"host.os.version\",\"host.type\",\"host.uptime\",\"host.user.domain\",\"host.user.email\",\"host.user.full_name\",\"host.user.full_name.text\",\"host.user.group.domain\",\"host.user.group.id\",\"host.user.group.name\",\"host.user.hash\",\"host.user.id\",\"host.user.name\",\"host.user.name.text\",\"host.user.roles\",
\"http.request.body.bytes\",\"http.request.body.content\",\"http.request.body.content.text\",\"http.request.bytes\",\"http.request.method\",\"http.request.mime_type\",\"http.request.referrer\",\"http.response.body.bytes\",\"http.response.body.content\",\"http.response.body.content.text\",\"http.response.bytes\",\"http.response.mime_type\",\"http.response.status_code\",\"http.version\",\"icinga.debug.facility\",\"icinga.main.facility\",\"icinga.startup.facility\",\"icmp.code\",\"icmp.type\",\"igmp.type\",\"iis.access.cookie\",\"iis.access.server_name\",\"iis.access.site_name\",\"iis.access.sub_status\",\"iis.access.win32_status\",\"iis.error.queue_name\",\"iis.error.reason_phrase\",\"input.type\",\"interface.alias\",\"interface.id\",\"interface.name\",\"jolokia.agent.id\",\"jolokia.agent.version\",\"jolokia.secured\",\"jolokia.server.product\",\"jolokia.server.vendor\",\"jolokia.server.version\",\"jolokia.url\",\"kafka.block_timestamp\",\"kafka.key\",\"kafka.log.class\",\"kafka.log.component\",\"kafka.log.thread\",\"kafka.log.trace.class\",\"kafka.log.trace.message\",\"kafka.offset\",\"kafka.partition\",\"kafka.topic\",\"kibana.add_to_spaces\",\"kibana.authentication_provider\",\"kibana.authentication_realm\",\"kibana.authentication_type\",\"kibana.delete_from_spaces\",\"kibana.log.state\",\"kibana.log.tags\",\"kibana.lookup_realm\",\"kibana.saved_object.id\",\"kibana.saved_object.type\",\"kibana.session_id\",\"kibana.space_id\",\"kubernetes.container.image\",\"kubernetes.container.name\",\"kubernetes.deployment.name\",\"kubernetes.namespace\",\"kubernetes.node.hostname\",\"kubernetes.node.name\",\"kubernetes.pod.name\",\"kubernetes.pod.uid\",\"kubernetes.replicaset.name\",\"kubernetes.statefulset.name\",\"log.file.path\",\"log.flags\",\"log.level\",\"log.logger\",\"log.offset\",\"log.origin.file.line\",\"log.origin.file.name\",\"log.origin.function\",\"log.original\",\"log.source.address\",\"log.syslog.facility.code\",\"log.syslog.facility.name\",\"log.syslog.priori
ty\",\"log.syslog.severity.code\",\"log.syslog.severity.name\",\"logstash.log.integration\",\"logstash.log.pipeline_id\",\"logstash.log.thread\",\"logstash.log.thread.text\",\"logstash.slowlog.event\",\"logstash.slowlog.event.text\",\"logstash.slowlog.integration\",\"logstash.slowlog.plugin_name\",\"logstash.slowlog.plugin_params\",\"logstash.slowlog.plugin_params.text\",\"logstash.slowlog.plugin_type\",\"logstash.slowlog.thread\",\"logstash.slowlog.thread.text\",\"logstash.slowlog.took_in_millis\",\"message\",\"mongodb.log.component\",\"mongodb.log.context\",\"mysql.slowlog.bytes_received\",\"mysql.slowlog.bytes_sent\",\"mysql.slowlog.current_user\",\"mysql.slowlog.filesort\",\"mysql.slowlog.filesort_on_disk\",\"mysql.slowlog.full_join\",\"mysql.slowlog.full_scan\",\"mysql.slowlog.innodb.io_r_bytes\",\"mysql.slowlog.innodb.io_r_ops\",\"mysql.slowlog.innodb.io_r_wait.sec\",\"mysql.slowlog.innodb.pages_distinct\",\"mysql.slowlog.innodb.queue_wait.sec\",\"mysql.slowlog.innodb.rec_lock_wait.sec\",\"mysql.slowlog.innodb.trx_id\",\"mysql.slowlog.killed\",\"mysql.slowlog.last_errno\",\"mysql.slowlog.lock_time.sec\",\"mysql.slowlog.log_slow_rate_limit\",\"mysql.slowlog.log_slow_rate_type\",\"mysql.slowlog.merge_passes\",\"mysql.slowlog.priority_queue\",\"mysql.slowlog.query\",\"mysql.slowlog.query_cache_hit\",\"mysql.slowlog.read_first\",\"mysql.slowlog.read_key\",\"mysql.slowlog.read_last\",\"mysql.slowlog.read_next\",\"mysql.slowlog.read_prev\",\"mysql.slowlog.read_rnd\",\"mysql.slowlog.read_rnd_next\",\"mysql.slowlog.rows_affected\",\"mysql.slowlog.rows_examined\",\"mysql.slowlog.rows_sent\",\"mysql.slowlog.schema\",\"mysql.slowlog.sort_merge_passes\",\"mysql.slowlog.sort_range_count\",\"mysql.slowlog.sort_rows\",\"mysql.slowlog.sort_scan_count\",\"mysql.slowlog.tmp_disk_tables\",\"mysql.slowlog.tmp_table\",\"mysql.slowlog.tmp_table_on_disk\",\"mysql.slowlog.tmp_table_sizes\",\"mysql.slowlog.tmp_tables\",\"mysql.thread_id\",\"nats.log.client.id\",\"nats.log.msg.bytes\",
\"nats.log.msg.error.message\",\"nats.log.msg.max_messages\",\"nats.log.msg.queue_group\",\"nats.log.msg.reply_to\",\"nats.log.msg.sid\",\"nats.log.msg.subject\",\"nats.log.msg.type\",\"network.application\",\"network.bytes\",\"network.community_id\",\"network.direction\",\"network.forwarded_ip\",\"network.iana_number\",\"network.inner.vlan.id\",\"network.inner.vlan.name\",\"network.name\",\"network.packets\",\"network.protocol\",\"network.transport\",\"network.type\",\"network.vlan.id\",\"network.vlan.name\",\"nginx.error.connection_id\",\"nginx.ingress_controller.http.request.id\",\"nginx.ingress_controller.http.request.length\",\"nginx.ingress_controller.http.request.time\",\"nginx.ingress_controller.upstream.alternative_name\",\"nginx.ingress_controller.upstream.ip\",\"nginx.ingress_controller.upstream.name\",\"nginx.ingress_controller.upstream.port\",\"nginx.ingress_controller.upstream.response.length\",\"nginx.ingress_controller.upstream.response.length_list\",\"nginx.ingress_controller.upstream.response.status_code\",\"nginx.ingress_controller.upstream.response.status_code_list\",\"nginx.ingress_controller.upstream.response.time\",\"nginx.ingress_controller.upstream.response.time_list\",\"nginx.ingress_controller.upstream_address_list\",\"observer.egress.interface.alias\",\"observer.egress.interface.id\",\"observer.egress.interface.name\",\"observer.egress.vlan.id\",\"observer.egress.vlan.name\",\"observer.egress.zone\",\"observer.geo.city_name\",\"observer.geo.continent_name\",\"observer.geo.country_iso_code\",\"observer.geo.country_name\",\"observer.geo.location\",\"observer.geo.name\",\"observer.geo.region_iso_code\",\"observer.geo.region_name\",\"observer.hostname\",\"observer.ingress.interface.alias\",\"observer.ingress.interface.id\",\"observer.ingress.interface.name\",\"observer.ingress.vlan.id\",\"observer.ingress.vlan.name\",\"observer.ingress.zone\",\"observer.ip\",\"observer.mac\",\"observer.name\",\"observer.os.family\",\"observer.os.full\",\"obse
rver.os.full.text\",\"observer.os.kernel\",\"observer.os.name\",\"observer.os.name.text\",\"observer.os.platform\",\"observer.os.version\",\"observer.product\",\"observer.serial_number\",\"observer.type\",\"observer.vendor\",\"observer.version\",\"organization.id\",\"organization.name\",\"organization.name.text\",\"os.family\",\"os.full\",\"os.full.text\",\"os.kernel\",\"os.name\",\"os.name.text\",\"os.platform\",\"os.version\",\"osquery.result.action\",\"osquery.result.calendar_time\",\"osquery.result.host_identifier\",\"osquery.result.name\",\"osquery.result.unix_time\",\"package.architecture\",\"package.build_version\",\"package.checksum\",\"package.description\",\"package.install_scope\",\"package.installed\",\"package.license\",\"package.name\",\"package.path\",\"package.reference\",\"package.size\",\"package.type\",\"package.version\",\"pe.architecture\",\"pe.company\",\"pe.description\",\"pe.file_version\",\"pe.imphash\",\"pe.original_file_name\",\"pe.product\",\"postgresql.log.core_id\",\"postgresql.log.database\",\"postgresql.log.error.code\",\"postgresql.log.query\",\"postgresql.log.query_name\",\"postgresql.log.query_step\",\"postgresql.log.timestamp\",\"process.args\",\"process.args_count\",\"process.code_signature.exists\",\"process.code_signature.status\",\"process.code_signature.subject_name\",\"process.code_signature.trusted\",\"process.code_signature.valid\",\"process.command_line\",\"process.command_line.text\",\"process.entity_id\",\"process.executable\",\"process.executable.text\",\"process.exit_code\",\"process.hash.md5\",\"process.hash.sha1\",\"process.hash.sha256\",\"process.hash.sha512\",\"process.name\",\"process.name.text\",\"process.parent.args\",\"process.parent.args_count\",\"process.parent.code_signature.exists\",\"process.parent.code_signature.status\",\"process.parent.code_signature.subject_name\",\"process.parent.code_signature.trusted\",\"process.parent.code_signature.valid\",\"process.parent.command_line\",\"process.parent.command_
line.text\",\"process.parent.entity_id\",\"process.parent.executable\",\"process.parent.executable.text\",\"process.parent.exit_code\",\"process.parent.hash.md5\",\"process.parent.hash.sha1\",\"process.parent.hash.sha256\",\"process.parent.hash.sha512\",\"process.parent.name\",\"process.parent.name.text\",\"process.parent.pe.architecture\",\"process.parent.pe.company\",\"process.parent.pe.description\",\"process.parent.pe.file_version\",\"process.parent.pe.imphash\",\"process.parent.pe.original_file_name\",\"process.parent.pe.product\",\"process.parent.pgid\",\"process.parent.pid\",\"process.parent.ppid\",\"process.parent.start\",\"process.parent.thread.id\",\"process.parent.thread.name\",\"process.parent.title\",\"process.parent.title.text\",\"process.parent.uptime\",\"process.parent.working_directory\",\"process.parent.working_directory.text\",\"process.pe.architecture\",\"process.pe.company\",\"process.pe.description\",\"process.pe.file_version\",\"process.pe.imphash\",\"process.pe.original_file_name\",\"process.pe.product\",\"process.pgid\",\"process.pid\",\"process.ppid\",\"process.program\",\"process.start\",\"process.thread.id\",\"process.thread.name\",\"process.title\",\"process.title.text\",\"process.uptime\",\"process.working_directory\",\"process.working_directory.text\",\"redis.log.role\",\"redis.slowlog.args\",\"redis.slowlog.cmd\",\"redis.slowlog.duration.us\",\"redis.slowlog.id\",\"redis.slowlog.key\",\"registry.data.bytes\",\"registry.data.strings\",\"registry.data.type\",\"registry.hive\",\"registry.key\",\"registry.path\",\"registry.value\",\"related.hash\",\"related.hosts\",\"related.ip\",\"related.user\",\"rule.author\",\"rule.category\",\"rule.description\",\"rule.id\",\"rule.license\",\"rule.name\",\"rule.reference\",\"rule.ruleset\",\"rule.uuid\",\"rule.version\",\"santa.action\",\"santa.certificate.common_name\",\"santa.certificate.sha256\",\"santa.decision\",\"santa.disk.bsdname\",\"santa.disk.bus\",\"santa.disk.fs\",\"santa.disk.model\",\"s
anta.disk.mount\",\"santa.disk.serial\",\"santa.disk.volume\",\"santa.mode\",\"santa.reason\",\"server.address\",\"server.as.number\",\"server.as.organization.name\",\"server.as.organization.name.text\",\"server.bytes\",\"server.domain\",\"server.geo.city_name\",\"server.geo.continent_name\",\"server.geo.country_iso_code\",\"server.geo.country_name\",\"server.geo.location\",\"server.geo.name\",\"server.geo.region_iso_code\",\"server.geo.region_name\",\"server.ip\",\"server.mac\",\"server.nat.ip\",\"server.nat.port\",\"server.packets\",\"server.port\",\"server.registered_domain\",\"server.subdomain\",\"server.top_level_domain\",\"server.user.domain\",\"server.user.email\",\"server.user.full_name\",\"server.user.full_name.text\",\"server.user.group.domain\",\"server.user.group.id\",\"server.user.group.name\",\"server.user.hash\",\"server.user.id\",\"server.user.name\",\"server.user.name.text\",\"server.user.roles\",\"service.ephemeral_id\",\"service.id\",\"service.name\",\"service.node.name\",\"service.state\",\"service.type\",\"service.version\",\"source.address\",\"source.as.number\",\"source.as.organization.name\",\"source.as.organization.name.text\",\"source.bytes\",\"source.domain\",\"source.geo.city_name\",\"source.geo.continent_name\",\"source.geo.country_iso_code\",\"source.geo.country_name\",\"source.geo.location\",\"source.geo.name\",\"source.geo.region_iso_code\",\"source.geo.region_name\",\"source.ip\",\"source.mac\",\"source.nat.ip\",\"source.nat.port\",\"source.packets\",\"source.port\",\"source.registered_domain\",\"source.subdomain\",\"source.top_level_domain\",\"source.user.domain\",\"source.user.email\",\"source.user.full_name\",\"source.user.full_name.text\",\"source.user.group.domain\",\"source.user.group.id\",\"source.user.group.name\",\"source.user.hash\",\"source.user.id\",\"source.user.name\",\"source.user.name.text\",\"source.user.roles\",\"span.id\",\"stream\",\"syslog.facility\",\"syslog.facility_label\",\"syslog.priority\",\"syslog.severity
_label\",\"system.auth.ssh.dropped_ip\",\"system.auth.ssh.event\",\"system.auth.ssh.method\",\"system.auth.ssh.signature\",\"system.auth.sudo.command\",\"system.auth.sudo.error\",\"system.auth.sudo.pwd\",\"system.auth.sudo.tty\",\"system.auth.sudo.user\",\"system.auth.useradd.home\",\"system.auth.useradd.shell\",\"tags\",\"threat.framework\",\"threat.tactic.id\",\"threat.tactic.name\",\"threat.tactic.reference\",\"threat.technique.id\",\"threat.technique.name\",\"threat.technique.name.text\",\"threat.technique.reference\",\"threat.technique.subtechnique.id\",\"threat.technique.subtechnique.name\",\"threat.technique.subtechnique.name.text\",\"threat.technique.subtechnique.reference\",\"timeseries.instance\",\"tls.cipher\",\"tls.client.certificate\",\"tls.client.certificate_chain\",\"tls.client.hash.md5\",\"tls.client.hash.sha1\",\"tls.client.hash.sha256\",\"tls.client.issuer\",\"tls.client.ja3\",\"tls.client.not_after\",\"tls.client.not_before\",\"tls.client.server_name\",\"tls.client.subject\",\"tls.client.supported_ciphers\",\"tls.client.x509.alternative_names\",\"tls.client.x509.issuer.common_name\",\"tls.client.x509.issuer.country\",\"tls.client.x509.issuer.distinguished_name\",\"tls.client.x509.issuer.locality\",\"tls.client.x509.issuer.organization\",\"tls.client.x509.issuer.organizational_unit\",\"tls.client.x509.issuer.state_or_province\",\"tls.client.x509.not_after\",\"tls.client.x509.not_before\",\"tls.client.x509.public_key_algorithm\",\"tls.client.x509.public_key_curve\",\"tls.client.x509.public_key_exponent\",\"tls.client.x509.public_key_size\",\"tls.client.x509.serial_number\",\"tls.client.x509.signature_algorithm\",\"tls.client.x509.subject.common_name\",\"tls.client.x509.subject.country\",\"tls.client.x509.subject.distinguished_name\",\"tls.client.x509.subject.locality\",\"tls.client.x509.subject.organization\",\"tls.client.x509.subject.organizational_unit\",\"tls.client.x509.subject.state_or_province\",\"tls.client.x509.version_number\",\"tls.curve\"
,\"tls.established\",\"tls.next_protocol\",\"tls.resumed\",\"tls.server.certificate\",\"tls.server.certificate_chain\",\"tls.server.hash.md5\",\"tls.server.hash.sha1\",\"tls.server.hash.sha256\",\"tls.server.issuer\",\"tls.server.ja3s\",\"tls.server.not_after\",\"tls.server.not_before\",\"tls.server.subject\",\"tls.server.x509.alternative_names\",\"tls.server.x509.issuer.common_name\",\"tls.server.x509.issuer.country\",\"tls.server.x509.issuer.distinguished_name\",\"tls.server.x509.issuer.locality\",\"tls.server.x509.issuer.organization\",\"tls.server.x509.issuer.organizational_unit\",\"tls.server.x509.issuer.state_or_province\",\"tls.server.x509.not_after\",\"tls.server.x509.not_before\",\"tls.server.x509.public_key_algorithm\",\"tls.server.x509.public_key_curve\",\"tls.server.x509.public_key_exponent\",\"tls.server.x509.public_key_size\",\"tls.server.x509.serial_number\",\"tls.server.x509.signature_algorithm\",\"tls.server.x509.subject.common_name\",\"tls.server.x509.subject.country\",\"tls.server.x509.subject.distinguished_name\",\"tls.server.x509.subject.locality\",\"tls.server.x509.subject.organization\",\"tls.server.x509.subject.organizational_unit\",\"tls.server.x509.subject.state_or_province\",\"tls.server.x509.version_number\",\"tls.version\",\"tls.version_protocol\",\"trace.id\",\"traefik.access.backend_url\",\"traefik.access.frontend_name\",\"traefik.access.geoip.city_name\",\"traefik.access.geoip.continent_name\",\"traefik.access.geoip.country_iso_code\",\"traefik.access.geoip.location\",\"traefik.access.geoip.region_iso_code\",\"traefik.access.geoip.region_name\",\"traefik.access.request_count\",\"traefik.access.user_agent.device\",\"traefik.access.user_agent.name\",\"traefik.access.user_agent.original\",\"traefik.access.user_agent.os\",\"traefik.access.user_agent.os_name\",\"traefik.access.user_identifier\",\"transaction.id\",\"url.domain\",\"url.extension\",\"url.fragment\",\"url.full\",\"url.full.text\",\"url.original\",\"url.original.text\",\"url.pa
ssword\",\"url.path\",\"url.port\",\"url.query\",\"url.registered_domain\",\"url.scheme\",\"url.subdomain\",\"url.top_level_domain\",\"url.username\",\"user.audit.group.id\",\"user.audit.group.name\",\"user.audit.id\",\"user.audit.name\",\"user.domain\",\"user.effective.group.id\",\"user.effective.group.name\",\"user.effective.id\",\"user.effective.name\",\"user.email\",\"user.filesystem.group.id\",\"user.filesystem.group.name\",\"user.filesystem.id\",\"user.filesystem.name\",\"user.full_name\",\"user.full_name.text\",\"user.group.domain\",\"user.group.id\",\"user.group.name\",\"user.hash\",\"user.id\",\"user.name\",\"user.name.text\",\"user.owner.group.id\",\"user.owner.group.name\",\"user.owner.id\",\"user.owner.name\",\"user.roles\",\"user.saved.group.id\",\"user.saved.group.name\",\"user.saved.id\",\"user.saved.name\",\"user.terminal\",\"user_agent.device.name\",\"user_agent.name\",\"user_agent.original\",\"user_agent.original.text\",\"user_agent.os.family\",\"user_agent.os.full\",\"user_agent.os.full.text\",\"user_agent.os.full_name\",\"user_agent.os.kernel\",\"user_agent.os.name\",\"user_agent.os.name.text\",\"user_agent.os.platform\",\"user_agent.os.version\",\"user_agent.version\",\"vlan.id\",\"vlan.name\",\"vulnerability.category\",\"vulnerability.classification\",\"vulnerability.description\",\"vulnerability.description.text\",\"vulnerability.enumeration\",\"vulnerability.id\",\"vulnerability.reference\",\"vulnerability.report_id\",\"vulnerability.scanner.vendor\",\"vulnerability.score.base\",\"vulnerability.score.environmental\",\"vulnerability.score.temporal\",\"vulnerability.score.version\",\"vulnerability.severity\",\"x509.alternative_names\",\"x509.issuer.common_name\",\"x509.issuer.country\",\"x509.issuer.distinguished_name\",\"x509.issuer.locality\",\"x509.issuer.organization\",\"x509.issuer.organizational_unit\",\"x509.issuer.state_or_province\",\"x509.not_after\",\"x509.not_before\",\"x509.public_key_algorithm\",\"x509.public_key_curve\",\"x509.pu
blic_key_exponent\",\"x509.public_key_size\",\"x509.serial_number\",\"x509.signature_algorithm\",\"x509.subject.common_name\",\"x509.subject.country\",\"x509.subject.distinguished_name\",\"x509.subject.locality\",\"x509.subject.organization\",\"x509.subject.organizational_unit\",\"x509.subject.state_or_province\",\"x509.version_number\"],\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"hid_bravura_monitor.perf.kind\",\"negate\":false,\"params\":{\"query\":\"PerfExe\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"hid_bravura_monitor.perf.kind\":\"PerfExe\"}}}],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"log.logger: plugin_*\"},\"version\":true}"
- },
- "sort": [
- [
- "@timestamp",
- "desc"
- ]
- ],
- "title": "PerfExe - Plugins",
- "version": 1
- },
- "coreMigrationVersion": "7.15.0",
- "id": "hid_bravura_monitor-39072a50-2f42-11eb-b6a1-bdb7d768b585",
- "migrationVersion": {
- "search": "7.9.3"
- },
- "namespaces": [
- "default"
- ],
- "references": [
- {
- "id": "logs-*",
- "name": "kibanaSavedObjectMeta.searchSourceJSON.index",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
- "type": "index-pattern"
- }
- ],
- "type": "search"
-}
\ No newline at end of file
diff --git a/packages/hid_bravura_monitor/1.2.3/kibana/search/hid_bravura_monitor-3aa4b370-25db-11eb-abcf-effcd51852fa.json b/packages/hid_bravura_monitor/1.2.3/kibana/search/hid_bravura_monitor-3aa4b370-25db-11eb-abcf-effcd51852fa.json
deleted file mode 100755
index ae380d7a7e..0000000000
--- a/packages/hid_bravura_monitor/1.2.3/kibana/search/hid_bravura_monitor-3aa4b370-25db-11eb-abcf-effcd51852fa.json
+++ /dev/null
@@ -1,44 +0,0 @@ -{ - "attributes": { - "columns": [], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"fieldsFromSource\":[\"@timestamp\",\"_id\",\"_index\",\"_score\",\"_source\",\"_type\",\"agent.build.original\",\"agent.ephemeral_id\",\"agent.hostname\",\"agent.id\",\"agent.name\",\"agent.type\",\"agent.version\",\"apache.access.ssl.cipher\",\"apache.access.ssl.protocol\",\"apache.error.integration\",\"as.number\",\"as.organization.name\",\"as.organization.name.text\",\"auditd.log.a0\",\"auditd.log.addr\",\"auditd.log.item\",\"auditd.log.items\",\"auditd.log.laddr\",\"auditd.log.lport\",\"auditd.log.new_auid\",\"auditd.log.new_ses\",\"auditd.log.old_auid\",\"auditd.log.old_ses\",\"auditd.log.rport\",\"auditd.log.sequence\",\"auditd.log.tty\",\"azure.consumer_group\",\"azure.enqueued_time\",\"azure.eventhub\",\"azure.offset\",\"azure.partition_id\",\"azure.sequence_number\",\"client.address\",\"client.as.number\",\"client.as.organization.name\",\"client.as.organization.name.text\",\"client.bytes\",\"client.domain\",\"client.geo.city_name\",\"client.geo.continent_name\",\"client.geo.country_iso_code\",\"client.geo.country_name\",\"client.geo.location\",\"client.geo.name\",\"client.geo.region_iso_code\",\"client.geo.region_name\",\"client.ip\",\"client.mac\",\"client.nat.ip\",\"client.nat.port\",\"client.packets\",\"client.port\",\"client.registered_domain\",\"client.subdomain\",\"client.top_level_domain\",\"client.user.domain\",\"client.user.email\",\"client.user.full_name\",\"client.user.full_name.text\",\"client.user.group.domain\",\"client.user.group.id\",\"client.user.group.name\",\"client.user.hash\",\"client.user.id\",\"client.user.name\",\"client.user.name.text\",\"client.user.roles\",\"cloud.account.id\",\"cloud.account.name\",\"cloud.availability_zone\",\"cloud.image.id\",\"cloud.instance.id\",\"cloud.instance.name\",\"cloud.machine.type\",\"cloud.project.id\",\"cloud.project.name\",\"cloud.provider\",\"cloud.region
\",\"code_signature.exists\",\"code_signature.status\",\"code_signature.subject_name\",\"code_signature.trusted\",\"code_signature.valid\",\"container.id\",\"container.image.name\",\"container.image.tag\",\"container.name\",\"container.runtime\",\"destination.address\",\"destination.as.number\",\"destination.as.organization.name\",\"destination.as.organization.name.text\",\"destination.bytes\",\"destination.domain\",\"destination.geo.city_name\",\"destination.geo.continent_name\",\"destination.geo.country_iso_code\",\"destination.geo.country_name\",\"destination.geo.location\",\"destination.geo.name\",\"destination.geo.region_iso_code\",\"destination.geo.region_name\",\"destination.ip\",\"destination.mac\",\"destination.nat.ip\",\"destination.nat.port\",\"destination.packets\",\"destination.port\",\"destination.registered_domain\",\"destination.subdomain\",\"destination.top_level_domain\",\"destination.user.domain\",\"destination.user.email\",\"destination.user.full_name\",\"destination.user.full_name.text\",\"destination.user.group.domain\",\"destination.user.group.id\",\"destination.user.group.name\",\"destination.user.hash\",\"destination.user.id\",\"destination.user.name\",\"destination.user.name.text\",\"destination.user.roles\",\"dll.code_signature.exists\",\"dll.code_signature.status\",\"dll.code_signature.subject_name\",\"dll.code_signature.trusted\",\"dll.code_signature.valid\",\"dll.hash.md5\",\"dll.hash.sha1\",\"dll.hash.sha256\",\"dll.hash.sha512\",\"dll.name\",\"dll.path\",\"dll.pe.architecture\",\"dll.pe.company\",\"dll.pe.description\",\"dll.pe.file_version\",\"dll.pe.imphash\",\"dll.pe.original_file_name\",\"dll.pe.product\",\"dns.answers.class\",\"dns.answers.data\",\"dns.answers.name\",\"dns.answers.ttl\",\"dns.answers.type\",\"dns.header_flags\",\"dns.id\",\"dns.op_code\",\"dns.question.class\",\"dns.question.name\",\"dns.question.registered_domain\",\"dns.question.subdomain\",\"dns.question.top_level_domain\",\"dns.question.type\",\"dns.resolved_
ip\",\"dns.response_code\",\"dns.type\",\"ecs.version\",\"elasticsearch.audit.action\",\"elasticsearch.audit.event_type\",\"elasticsearch.audit.indices\",\"elasticsearch.audit.layer\",\"elasticsearch.audit.message\",\"elasticsearch.audit.origin.type\",\"elasticsearch.audit.realm\",\"elasticsearch.audit.request.id\",\"elasticsearch.audit.request.name\",\"elasticsearch.audit.url.params\",\"elasticsearch.audit.user.realm\",\"elasticsearch.audit.user.roles\",\"elasticsearch.cluster.name\",\"elasticsearch.cluster.uuid\",\"elasticsearch.component\",\"elasticsearch.gc.heap.size_kb\",\"elasticsearch.gc.heap.used_kb\",\"elasticsearch.gc.jvm_runtime_sec\",\"elasticsearch.gc.old_gen.size_kb\",\"elasticsearch.gc.old_gen.used_kb\",\"elasticsearch.gc.phase.class_unload_time_sec\",\"elasticsearch.gc.phase.cpu_time.real_sec\",\"elasticsearch.gc.phase.cpu_time.sys_sec\",\"elasticsearch.gc.phase.cpu_time.user_sec\",\"elasticsearch.gc.phase.duration_sec\",\"elasticsearch.gc.phase.name\",\"elasticsearch.gc.phase.parallel_rescan_time_sec\",\"elasticsearch.gc.phase.scrub_string_table_time_sec\",\"elasticsearch.gc.phase.scrub_symbol_table_time_sec\",\"elasticsearch.gc.phase.weak_refs_processing_time_sec\",\"elasticsearch.gc.stopping_threads_time_sec\",\"elasticsearch.gc.tags\",\"elasticsearch.gc.threads_total_stop_time_sec\",\"elasticsearch.gc.young_gen.size_kb\",\"elasticsearch.gc.young_gen.used_kb\",\"elasticsearch.index.id\",\"elasticsearch.index.name\",\"elasticsearch.node.id\",\"elasticsearch.node.name\",\"elasticsearch.server.gc.collection_duration.ms\",\"elasticsearch.server.gc.observation_duration.ms\",\"elasticsearch.server.gc.overhead_seq\",\"elasticsearch.server.gc.young.one\",\"elasticsearch.server.gc.young.two\",\"elasticsearch.server.stacktrace\",\"elasticsearch.shard.id\",\"elasticsearch.slowlog.extra_source\",\"elasticsearch.slowlog.id\",\"elasticsearch.slowlog.logger\",\"elasticsearch.slowlog.routing\",\"elasticsearch.slowlog.search_type\",\"elasticsearch.slowlog.source\"
,\"elasticsearch.slowlog.source_query\",\"elasticsearch.slowlog.stats\",\"elasticsearch.slowlog.took\",\"elasticsearch.slowlog.total_hits\",\"elasticsearch.slowlog.total_shards\",\"elasticsearch.slowlog.type\",\"elasticsearch.slowlog.types\",\"error.code\",\"error.id\",\"error.message\",\"error.stack_trace\",\"error.stack_trace.text\",\"error.type\",\"event.action\",\"event.category\",\"event.code\",\"event.created\",\"data_stream.dataset\",\"event.duration\",\"event.end\",\"event.hash\",\"event.id\",\"event.ingested\",\"event.kind\",\"event.integration\",\"event.original\",\"event.outcome\",\"event.provider\",\"event.reason\",\"event.reference\",\"event.risk_score\",\"event.risk_score_norm\",\"event.sequence\",\"event.severity\",\"event.start\",\"event.timezone\",\"event.type\",\"event.url\",\"file.accessed\",\"file.attributes\",\"file.code_signature.exists\",\"file.code_signature.status\",\"file.code_signature.subject_name\",\"file.code_signature.trusted\",\"file.code_signature.valid\",\"file.created\",\"file.ctime\",\"file.device\",\"file.directory\",\"file.drive_letter\",\"file.extension\",\"file.gid\",\"file.group\",\"file.hash.md5\",\"file.hash.sha1\",\"file.hash.sha256\",\"file.hash.sha512\",\"file.inode\",\"file.mime_type\",\"file.mode\",\"file.mtime\",\"file.name\",\"file.owner\",\"file.path\",\"file.path.text\",\"file.pe.architecture\",\"file.pe.company\",\"file.pe.description\",\"file.pe.file_version\",\"file.pe.imphash\",\"file.pe.original_file_name\",\"file.pe.product\",\"file.size\",\"file.target_path\",\"file.target_path.text\",\"file.type\",\"file.uid\",\"file.x509.alternative_names\",\"file.x509.issuer.common_name\",\"file.x509.issuer.country\",\"file.x509.issuer.distinguished_name\",\"file.x509.issuer.locality\",\"file.x509.issuer.organization\",\"file.x509.issuer.organizational_unit\",\"file.x509.issuer.state_or_province\",\"file.x509.not_after\",\"file.x509.not_before\",\"file.x509.public_key_algorithm\",\"file.x509.public_key_curve\",\"file.x509
.public_key_exponent\",\"file.x509.public_key_size\",\"file.x509.serial_number\",\"file.x509.signature_algorithm\",\"file.x509.subject.common_name\",\"file.x509.subject.country\",\"file.x509.subject.distinguished_name\",\"file.x509.subject.locality\",\"file.x509.subject.organization\",\"file.x509.subject.organizational_unit\",\"file.x509.subject.state_or_province\",\"file.x509.version_number\",\"fileset.name\",\"geo.city_name\",\"geo.continent_name\",\"geo.country_iso_code\",\"geo.country_name\",\"geo.location\",\"geo.name\",\"geo.region_iso_code\",\"geo.region_name\",\"group.domain\",\"group.id\",\"group.name\",\"haproxy.backend_name\",\"haproxy.backend_queue\",\"haproxy.bind_name\",\"haproxy.bytes_read\",\"haproxy.connection_wait_time_ms\",\"haproxy.connections.active\",\"haproxy.connections.backend\",\"haproxy.connections.frontend\",\"haproxy.connections.retries\",\"haproxy.connections.server\",\"haproxy.error_message\",\"haproxy.frontend_name\",\"haproxy.http.request.captured_cookie\",\"haproxy.http.request.captured_headers\",\"haproxy.http.request.raw_request_line\",\"haproxy.http.request.time_wait_ms\",\"haproxy.http.request.time_wait_without_data_ms\",\"haproxy.http.response.captured_cookie\",\"haproxy.http.response.captured_headers\",\"haproxy.mode\",\"haproxy.server_name\",\"haproxy.server_queue\",\"haproxy.source\",\"haproxy.tcp.connection_waiting_time_ms\",\"haproxy.termination_state\",\"haproxy.time_backend_connect\",\"haproxy.time_queue\",\"haproxy.total_waiting_time_ms\",\"hash.md5\",\"hash.sha1\",\"hash.sha256\",\"hash.sha512\",\"hid_bravura_monitor.instancename\",\"hid_bravura_monitor.node\",\"hid_bravura_monitor.perf.address\",\"hid_bravura_monitor.perf.address\",\"hid_bravura_monitor.perf.adminid\",\"hid_bravura_monitor.perf.adminid\",\"hid_bravura_monitor.perf.dbcommand\",\"hid_bravura_monitor.perf.dbcommand\",\"hid_bravura_monitor.perf.destination\",\"hid_bravura_monitor.perf.duration\",\"hid_bravura_monitor.perf.event\",\"hid_bravura_monitor.per
f.event\",\"hid_bravura_monitor.perf.exe\",\"hid_bravura_monitor.perf.exe\",\"hid_bravura_monitor.perf.file\",\"hid_bravura_monitor.perf.function\",\"hid_bravura_monitor.perf.function\",\"hid_bravura_monitor.perf.kernel\",\"hid_bravura_monitor.perf.kind\",\"hid_bravura_monitor.perf.kind\",\"hid_bravura_monitor.perf.message\",\"hid_bravura_monitor.perf.message\",\"hid_bravura_monitor.perf.operation\",\"hid_bravura_monitor.perf.operation\",\"hid_bravura_monitor.perf.receivequeue\",\"hid_bravura_monitor.perf.receivequeue\",\"hid_bravura_monitor.perf.records\",\"hid_bravura_monitor.perf.result\",\"hid_bravura_monitor.perf.result\",\"hid_bravura_monitor.perf.rule\",\"hid_bravura_monitor.perf.sessionid\",\"hid_bravura_monitor.perf.sessionid\",\"hid_bravura_monitor.perf.sysid\",\"hid_bravura_monitor.perf.sysid\",\"hid_bravura_monitor.perf.table\",\"hid_bravura_monitor.perf.table\",\"hid_bravura_monitor.perf.targetid\",\"hid_bravura_monitor.perf.targetid\",\"hid_bravura_monitor.perf.transid\",\"hid_bravura_monitor.perf.transid\",\"hid_bravura_monitor.perf.type\",\"hid_bravura_monitor.perf.user\",\"hid_bravura_monitor.request.id\",\"hid_bravura_monitor.request.id\",\"host.architecture\",\"host.containerized\",\"host.domain\",\"host.geo.city_name\",\"host.geo.continent_name\",\"host.geo.country_iso_code\",\"host.geo.country_name\",\"host.geo.location\",\"host.geo.name\",\"host.geo.region_iso_code\",\"host.geo.region_name\",\"host.hostname\",\"host.id\",\"host.ip\",\"host.mac\",\"host.name\",\"host.os.build\",\"host.os.codename\",\"host.os.family\",\"host.os.full\",\"host.os.full.text\",\"host.os.kernel\",\"host.os.name\",\"host.os.name.text\",\"host.os.platform\",\"host.os.version\",\"host.type\",\"host.uptime\",\"host.user.domain\",\"host.user.email\",\"host.user.full_name\",\"host.user.full_name.text\",\"host.user.group.domain\",\"host.user.group.id\",\"host.user.group.name\",\"host.user.hash\",\"host.user.id\",\"host.user.name\",\"host.user.name.text\",\"host.user.roles\",
\"http.request.body.bytes\",\"http.request.body.content\",\"http.request.body.content.text\",\"http.request.bytes\",\"http.request.method\",\"http.request.mime_type\",\"http.request.referrer\",\"http.response.body.bytes\",\"http.response.body.content\",\"http.response.body.content.text\",\"http.response.bytes\",\"http.response.mime_type\",\"http.response.status_code\",\"http.version\",\"icinga.debug.facility\",\"icinga.main.facility\",\"icinga.startup.facility\",\"icmp.code\",\"icmp.type\",\"igmp.type\",\"iis.access.cookie\",\"iis.access.server_name\",\"iis.access.site_name\",\"iis.access.sub_status\",\"iis.access.win32_status\",\"iis.error.queue_name\",\"iis.error.reason_phrase\",\"input.type\",\"interface.alias\",\"interface.id\",\"interface.name\",\"jolokia.agent.id\",\"jolokia.agent.version\",\"jolokia.secured\",\"jolokia.server.product\",\"jolokia.server.vendor\",\"jolokia.server.version\",\"jolokia.url\",\"kafka.block_timestamp\",\"kafka.key\",\"kafka.log.class\",\"kafka.log.component\",\"kafka.log.thread\",\"kafka.log.trace.class\",\"kafka.log.trace.message\",\"kafka.offset\",\"kafka.partition\",\"kafka.topic\",\"kibana.add_to_spaces\",\"kibana.authentication_provider\",\"kibana.authentication_realm\",\"kibana.authentication_type\",\"kibana.delete_from_spaces\",\"kibana.log.state\",\"kibana.log.tags\",\"kibana.lookup_realm\",\"kibana.saved_object.id\",\"kibana.saved_object.type\",\"kibana.session_id\",\"kibana.space_id\",\"kubernetes.container.image\",\"kubernetes.container.name\",\"kubernetes.deployment.name\",\"kubernetes.namespace\",\"kubernetes.node.hostname\",\"kubernetes.node.name\",\"kubernetes.pod.name\",\"kubernetes.pod.uid\",\"kubernetes.replicaset.name\",\"kubernetes.statefulset.name\",\"log.file.path\",\"log.flags\",\"log.level\",\"log.logger\",\"log.offset\",\"log.origin.file.line\",\"log.origin.file.name\",\"log.origin.function\",\"log.original\",\"log.source.address\",\"log.syslog.facility.code\",\"log.syslog.facility.name\",\"log.syslog.priori
ty\",\"log.syslog.severity.code\",\"log.syslog.severity.name\",\"logstash.log.integration\",\"logstash.log.pipeline_id\",\"logstash.log.thread\",\"logstash.log.thread.text\",\"logstash.slowlog.event\",\"logstash.slowlog.event.text\",\"logstash.slowlog.integration\",\"logstash.slowlog.plugin_name\",\"logstash.slowlog.plugin_params\",\"logstash.slowlog.plugin_params.text\",\"logstash.slowlog.plugin_type\",\"logstash.slowlog.thread\",\"logstash.slowlog.thread.text\",\"logstash.slowlog.took_in_millis\",\"message\",\"mongodb.log.component\",\"mongodb.log.context\",\"mysql.slowlog.bytes_received\",\"mysql.slowlog.bytes_sent\",\"mysql.slowlog.current_user\",\"mysql.slowlog.filesort\",\"mysql.slowlog.filesort_on_disk\",\"mysql.slowlog.full_join\",\"mysql.slowlog.full_scan\",\"mysql.slowlog.innodb.io_r_bytes\",\"mysql.slowlog.innodb.io_r_ops\",\"mysql.slowlog.innodb.io_r_wait.sec\",\"mysql.slowlog.innodb.pages_distinct\",\"mysql.slowlog.innodb.queue_wait.sec\",\"mysql.slowlog.innodb.rec_lock_wait.sec\",\"mysql.slowlog.innodb.trx_id\",\"mysql.slowlog.killed\",\"mysql.slowlog.last_errno\",\"mysql.slowlog.lock_time.sec\",\"mysql.slowlog.log_slow_rate_limit\",\"mysql.slowlog.log_slow_rate_type\",\"mysql.slowlog.merge_passes\",\"mysql.slowlog.priority_queue\",\"mysql.slowlog.query\",\"mysql.slowlog.query_cache_hit\",\"mysql.slowlog.read_first\",\"mysql.slowlog.read_key\",\"mysql.slowlog.read_last\",\"mysql.slowlog.read_next\",\"mysql.slowlog.read_prev\",\"mysql.slowlog.read_rnd\",\"mysql.slowlog.read_rnd_next\",\"mysql.slowlog.rows_affected\",\"mysql.slowlog.rows_examined\",\"mysql.slowlog.rows_sent\",\"mysql.slowlog.schema\",\"mysql.slowlog.sort_merge_passes\",\"mysql.slowlog.sort_range_count\",\"mysql.slowlog.sort_rows\",\"mysql.slowlog.sort_scan_count\",\"mysql.slowlog.tmp_disk_tables\",\"mysql.slowlog.tmp_table\",\"mysql.slowlog.tmp_table_on_disk\",\"mysql.slowlog.tmp_table_sizes\",\"mysql.slowlog.tmp_tables\",\"mysql.thread_id\",\"nats.log.client.id\",\"nats.log.msg.bytes\",
\"nats.log.msg.error.message\",\"nats.log.msg.max_messages\",\"nats.log.msg.queue_group\",\"nats.log.msg.reply_to\",\"nats.log.msg.sid\",\"nats.log.msg.subject\",\"nats.log.msg.type\",\"network.application\",\"network.bytes\",\"network.community_id\",\"network.direction\",\"network.forwarded_ip\",\"network.iana_number\",\"network.inner.vlan.id\",\"network.inner.vlan.name\",\"network.name\",\"network.packets\",\"network.protocol\",\"network.transport\",\"network.type\",\"network.vlan.id\",\"network.vlan.name\",\"nginx.error.connection_id\",\"nginx.ingress_controller.http.request.id\",\"nginx.ingress_controller.http.request.length\",\"nginx.ingress_controller.http.request.time\",\"nginx.ingress_controller.upstream.alternative_name\",\"nginx.ingress_controller.upstream.ip\",\"nginx.ingress_controller.upstream.name\",\"nginx.ingress_controller.upstream.port\",\"nginx.ingress_controller.upstream.response.length\",\"nginx.ingress_controller.upstream.response.length_list\",\"nginx.ingress_controller.upstream.response.status_code\",\"nginx.ingress_controller.upstream.response.status_code_list\",\"nginx.ingress_controller.upstream.response.time\",\"nginx.ingress_controller.upstream.response.time_list\",\"nginx.ingress_controller.upstream_address_list\",\"observer.egress.interface.alias\",\"observer.egress.interface.id\",\"observer.egress.interface.name\",\"observer.egress.vlan.id\",\"observer.egress.vlan.name\",\"observer.egress.zone\",\"observer.geo.city_name\",\"observer.geo.continent_name\",\"observer.geo.country_iso_code\",\"observer.geo.country_name\",\"observer.geo.location\",\"observer.geo.name\",\"observer.geo.region_iso_code\",\"observer.geo.region_name\",\"observer.hostname\",\"observer.ingress.interface.alias\",\"observer.ingress.interface.id\",\"observer.ingress.interface.name\",\"observer.ingress.vlan.id\",\"observer.ingress.vlan.name\",\"observer.ingress.zone\",\"observer.ip\",\"observer.mac\",\"observer.name\",\"observer.os.family\",\"observer.os.full\",\"obse
rver.os.full.text\",\"observer.os.kernel\",\"observer.os.name\",\"observer.os.name.text\",\"observer.os.platform\",\"observer.os.version\",\"observer.product\",\"observer.serial_number\",\"observer.type\",\"observer.vendor\",\"observer.version\",\"organization.id\",\"organization.name\",\"organization.name.text\",\"os.family\",\"os.full\",\"os.full.text\",\"os.kernel\",\"os.name\",\"os.name.text\",\"os.platform\",\"os.version\",\"osquery.result.action\",\"osquery.result.calendar_time\",\"osquery.result.host_identifier\",\"osquery.result.name\",\"osquery.result.unix_time\",\"package.architecture\",\"package.build_version\",\"package.checksum\",\"package.description\",\"package.install_scope\",\"package.installed\",\"package.license\",\"package.name\",\"package.path\",\"package.reference\",\"package.size\",\"package.type\",\"package.version\",\"pe.architecture\",\"pe.company\",\"pe.description\",\"pe.file_version\",\"pe.imphash\",\"pe.original_file_name\",\"pe.product\",\"postgresql.log.core_id\",\"postgresql.log.database\",\"postgresql.log.error.code\",\"postgresql.log.query\",\"postgresql.log.query_name\",\"postgresql.log.query_step\",\"postgresql.log.timestamp\",\"process.args\",\"process.args_count\",\"process.code_signature.exists\",\"process.code_signature.status\",\"process.code_signature.subject_name\",\"process.code_signature.trusted\",\"process.code_signature.valid\",\"process.command_line\",\"process.command_line.text\",\"process.entity_id\",\"process.executable\",\"process.executable.text\",\"process.exit_code\",\"process.hash.md5\",\"process.hash.sha1\",\"process.hash.sha256\",\"process.hash.sha512\",\"process.name\",\"process.name.text\",\"process.parent.args\",\"process.parent.args_count\",\"process.parent.code_signature.exists\",\"process.parent.code_signature.status\",\"process.parent.code_signature.subject_name\",\"process.parent.code_signature.trusted\",\"process.parent.code_signature.valid\",\"process.parent.command_line\",\"process.parent.command_
line.text\",\"process.parent.entity_id\",\"process.parent.executable\",\"process.parent.executable.text\",\"process.parent.exit_code\",\"process.parent.hash.md5\",\"process.parent.hash.sha1\",\"process.parent.hash.sha256\",\"process.parent.hash.sha512\",\"process.parent.name\",\"process.parent.name.text\",\"process.parent.pe.architecture\",\"process.parent.pe.company\",\"process.parent.pe.description\",\"process.parent.pe.file_version\",\"process.parent.pe.imphash\",\"process.parent.pe.original_file_name\",\"process.parent.pe.product\",\"process.parent.pgid\",\"process.parent.pid\",\"process.parent.ppid\",\"process.parent.start\",\"process.parent.thread.id\",\"process.parent.thread.name\",\"process.parent.title\",\"process.parent.title.text\",\"process.parent.uptime\",\"process.parent.working_directory\",\"process.parent.working_directory.text\",\"process.pe.architecture\",\"process.pe.company\",\"process.pe.description\",\"process.pe.file_version\",\"process.pe.imphash\",\"process.pe.original_file_name\",\"process.pe.product\",\"process.pgid\",\"process.pid\",\"process.ppid\",\"process.program\",\"process.start\",\"process.thread.id\",\"process.thread.name\",\"process.title\",\"process.title.text\",\"process.uptime\",\"process.working_directory\",\"process.working_directory.text\",\"redis.log.role\",\"redis.slowlog.args\",\"redis.slowlog.cmd\",\"redis.slowlog.duration.us\",\"redis.slowlog.id\",\"redis.slowlog.key\",\"registry.data.bytes\",\"registry.data.strings\",\"registry.data.type\",\"registry.hive\",\"registry.key\",\"registry.path\",\"registry.value\",\"related.hash\",\"related.hosts\",\"related.ip\",\"related.user\",\"rule.author\",\"rule.category\",\"rule.description\",\"rule.id\",\"rule.license\",\"rule.name\",\"rule.reference\",\"rule.ruleset\",\"rule.uuid\",\"rule.version\",\"santa.action\",\"santa.certificate.common_name\",\"santa.certificate.sha256\",\"santa.decision\",\"santa.disk.bsdname\",\"santa.disk.bus\",\"santa.disk.fs\",\"santa.disk.model\",\"s
anta.disk.mount\",\"santa.disk.serial\",\"santa.disk.volume\",\"santa.mode\",\"santa.reason\",\"server.address\",\"server.as.number\",\"server.as.organization.name\",\"server.as.organization.name.text\",\"server.bytes\",\"server.domain\",\"server.geo.city_name\",\"server.geo.continent_name\",\"server.geo.country_iso_code\",\"server.geo.country_name\",\"server.geo.location\",\"server.geo.name\",\"server.geo.region_iso_code\",\"server.geo.region_name\",\"server.ip\",\"server.mac\",\"server.nat.ip\",\"server.nat.port\",\"server.packets\",\"server.port\",\"server.registered_domain\",\"server.subdomain\",\"server.top_level_domain\",\"server.user.domain\",\"server.user.email\",\"server.user.full_name\",\"server.user.full_name.text\",\"server.user.group.domain\",\"server.user.group.id\",\"server.user.group.name\",\"server.user.hash\",\"server.user.id\",\"server.user.name\",\"server.user.name.text\",\"server.user.roles\",\"service.ephemeral_id\",\"service.id\",\"service.name\",\"service.node.name\",\"service.state\",\"service.type\",\"service.version\",\"source.address\",\"source.as.number\",\"source.as.organization.name\",\"source.as.organization.name.text\",\"source.bytes\",\"source.domain\",\"source.geo.city_name\",\"source.geo.continent_name\",\"source.geo.country_iso_code\",\"source.geo.country_name\",\"source.geo.location\",\"source.geo.name\",\"source.geo.region_iso_code\",\"source.geo.region_name\",\"source.ip\",\"source.mac\",\"source.nat.ip\",\"source.nat.port\",\"source.packets\",\"source.port\",\"source.registered_domain\",\"source.subdomain\",\"source.top_level_domain\",\"source.user.domain\",\"source.user.email\",\"source.user.full_name\",\"source.user.full_name.text\",\"source.user.group.domain\",\"source.user.group.id\",\"source.user.group.name\",\"source.user.hash\",\"source.user.id\",\"source.user.name\",\"source.user.name.text\",\"source.user.roles\",\"span.id\",\"stream\",\"syslog.facility\",\"syslog.facility_label\",\"syslog.priority\",\"syslog.severity
_label\",\"system.auth.ssh.dropped_ip\",\"system.auth.ssh.event\",\"system.auth.ssh.method\",\"system.auth.ssh.signature\",\"system.auth.sudo.command\",\"system.auth.sudo.error\",\"system.auth.sudo.pwd\",\"system.auth.sudo.tty\",\"system.auth.sudo.user\",\"system.auth.useradd.home\",\"system.auth.useradd.shell\",\"tags\",\"threat.framework\",\"threat.tactic.id\",\"threat.tactic.name\",\"threat.tactic.reference\",\"threat.technique.id\",\"threat.technique.name\",\"threat.technique.name.text\",\"threat.technique.reference\",\"threat.technique.subtechnique.id\",\"threat.technique.subtechnique.name\",\"threat.technique.subtechnique.name.text\",\"threat.technique.subtechnique.reference\",\"timeseries.instance\",\"tls.cipher\",\"tls.client.certificate\",\"tls.client.certificate_chain\",\"tls.client.hash.md5\",\"tls.client.hash.sha1\",\"tls.client.hash.sha256\",\"tls.client.issuer\",\"tls.client.ja3\",\"tls.client.not_after\",\"tls.client.not_before\",\"tls.client.server_name\",\"tls.client.subject\",\"tls.client.supported_ciphers\",\"tls.client.x509.alternative_names\",\"tls.client.x509.issuer.common_name\",\"tls.client.x509.issuer.country\",\"tls.client.x509.issuer.distinguished_name\",\"tls.client.x509.issuer.locality\",\"tls.client.x509.issuer.organization\",\"tls.client.x509.issuer.organizational_unit\",\"tls.client.x509.issuer.state_or_province\",\"tls.client.x509.not_after\",\"tls.client.x509.not_before\",\"tls.client.x509.public_key_algorithm\",\"tls.client.x509.public_key_curve\",\"tls.client.x509.public_key_exponent\",\"tls.client.x509.public_key_size\",\"tls.client.x509.serial_number\",\"tls.client.x509.signature_algorithm\",\"tls.client.x509.subject.common_name\",\"tls.client.x509.subject.country\",\"tls.client.x509.subject.distinguished_name\",\"tls.client.x509.subject.locality\",\"tls.client.x509.subject.organization\",\"tls.client.x509.subject.organizational_unit\",\"tls.client.x509.subject.state_or_province\",\"tls.client.x509.version_number\",\"tls.curve\"
,\"tls.established\",\"tls.next_protocol\",\"tls.resumed\",\"tls.server.certificate\",\"tls.server.certificate_chain\",\"tls.server.hash.md5\",\"tls.server.hash.sha1\",\"tls.server.hash.sha256\",\"tls.server.issuer\",\"tls.server.ja3s\",\"tls.server.not_after\",\"tls.server.not_before\",\"tls.server.subject\",\"tls.server.x509.alternative_names\",\"tls.server.x509.issuer.common_name\",\"tls.server.x509.issuer.country\",\"tls.server.x509.issuer.distinguished_name\",\"tls.server.x509.issuer.locality\",\"tls.server.x509.issuer.organization\",\"tls.server.x509.issuer.organizational_unit\",\"tls.server.x509.issuer.state_or_province\",\"tls.server.x509.not_after\",\"tls.server.x509.not_before\",\"tls.server.x509.public_key_algorithm\",\"tls.server.x509.public_key_curve\",\"tls.server.x509.public_key_exponent\",\"tls.server.x509.public_key_size\",\"tls.server.x509.serial_number\",\"tls.server.x509.signature_algorithm\",\"tls.server.x509.subject.common_name\",\"tls.server.x509.subject.country\",\"tls.server.x509.subject.distinguished_name\",\"tls.server.x509.subject.locality\",\"tls.server.x509.subject.organization\",\"tls.server.x509.subject.organizational_unit\",\"tls.server.x509.subject.state_or_province\",\"tls.server.x509.version_number\",\"tls.version\",\"tls.version_protocol\",\"trace.id\",\"traefik.access.backend_url\",\"traefik.access.frontend_name\",\"traefik.access.geoip.city_name\",\"traefik.access.geoip.continent_name\",\"traefik.access.geoip.country_iso_code\",\"traefik.access.geoip.location\",\"traefik.access.geoip.region_iso_code\",\"traefik.access.geoip.region_name\",\"traefik.access.request_count\",\"traefik.access.user_agent.device\",\"traefik.access.user_agent.name\",\"traefik.access.user_agent.original\",\"traefik.access.user_agent.os\",\"traefik.access.user_agent.os_name\",\"traefik.access.user_identifier\",\"transaction.id\",\"url.domain\",\"url.extension\",\"url.fragment\",\"url.full\",\"url.full.text\",\"url.original\",\"url.original.text\",\"url.pa
ssword\",\"url.path\",\"url.port\",\"url.query\",\"url.registered_domain\",\"url.scheme\",\"url.subdomain\",\"url.top_level_domain\",\"url.username\",\"user.audit.group.id\",\"user.audit.group.name\",\"user.audit.id\",\"user.audit.name\",\"user.domain\",\"user.effective.group.id\",\"user.effective.group.name\",\"user.effective.id\",\"user.effective.name\",\"user.email\",\"user.filesystem.group.id\",\"user.filesystem.group.name\",\"user.filesystem.id\",\"user.filesystem.name\",\"user.full_name\",\"user.full_name.text\",\"user.group.domain\",\"user.group.id\",\"user.group.name\",\"user.hash\",\"user.id\",\"user.name\",\"user.name.text\",\"user.owner.group.id\",\"user.owner.group.name\",\"user.owner.id\",\"user.owner.name\",\"user.roles\",\"user.saved.group.id\",\"user.saved.group.name\",\"user.saved.id\",\"user.saved.name\",\"user.terminal\",\"user_agent.device.name\",\"user_agent.name\",\"user_agent.original\",\"user_agent.original.text\",\"user_agent.os.family\",\"user_agent.os.full\",\"user_agent.os.full.text\",\"user_agent.os.full_name\",\"user_agent.os.kernel\",\"user_agent.os.name\",\"user_agent.os.name.text\",\"user_agent.os.platform\",\"user_agent.os.version\",\"user_agent.version\",\"vlan.id\",\"vlan.name\",\"vulnerability.category\",\"vulnerability.classification\",\"vulnerability.description\",\"vulnerability.description.text\",\"vulnerability.enumeration\",\"vulnerability.id\",\"vulnerability.reference\",\"vulnerability.report_id\",\"vulnerability.scanner.vendor\",\"vulnerability.score.base\",\"vulnerability.score.environmental\",\"vulnerability.score.temporal\",\"vulnerability.score.version\",\"vulnerability.severity\",\"x509.alternative_names\",\"x509.issuer.common_name\",\"x509.issuer.country\",\"x509.issuer.distinguished_name\",\"x509.issuer.locality\",\"x509.issuer.organization\",\"x509.issuer.organizational_unit\",\"x509.issuer.state_or_province\",\"x509.not_after\",\"x509.not_before\",\"x509.public_key_algorithm\",\"x509.public_key_curve\",\"x509.pu
blic_key_exponent\",\"x509.public_key_size\",\"x509.serial_number\",\"x509.signature_algorithm\",\"x509.subject.common_name\",\"x509.subject.country\",\"x509.subject.distinguished_name\",\"x509.subject.locality\",\"x509.subject.organization\",\"x509.subject.organizational_unit\",\"x509.subject.state_or_province\",\"x509.version_number\"],\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"log.logger\",\"negate\":false,\"params\":[\"iddiscover.exe\",\"pamlws.exe\"],\"type\":\"phrases\",\"value\":\"iddiscover.exe, pamlws.exe\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"log.logger\":\"iddiscover.exe\"}},{\"match_phrase\":{\"log.logger\":\"pamlws.exe\"}}]}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"hid_bravura_monitor.perf.kind\",\"negate\":false,\"params\":{\"query\":\"PerfSproc\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"hid_bravura_monitor.perf.kind\":\"PerfSproc\"}}}],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "Discovery Stored Procedures", - "version": 1 - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-3aa4b370-25db-11eb-abcf-effcd51852fa", - "migrationVersion": { - "search": "7.9.3" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": 
"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/hid_bravura_monitor/1.2.3/kibana/search/hid_bravura_monitor-4215e410-2f42-11eb-b6a1-bdb7d768b585.json b/packages/hid_bravura_monitor/1.2.3/kibana/search/hid_bravura_monitor-4215e410-2f42-11eb-b6a1-bdb7d768b585.json deleted file mode 100755 index 4f92395e4e..0000000000 --- a/packages/hid_bravura_monitor/1.2.3/kibana/search/hid_bravura_monitor-4215e410-2f42-11eb-b6a1-bdb7d768b585.json +++ /dev/null 
@@ -1,39 +0,0 @@ -{ - "attributes": { - "columns": [], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"fieldsFromSource\":[\"@timestamp\",\"_id\",\"_index\",\"_score\",\"_source\",\"_type\",\"agent.build.original\",\"agent.ephemeral_id\",\"agent.hostname\",\"agent.id\",\"agent.name\",\"agent.type\",\"agent.version\",\"apache.access.ssl.cipher\",\"apache.access.ssl.protocol\",\"apache.error.integration\",\"as.number\",\"as.organization.name\",\"as.organization.name.text\",\"auditd.log.a0\",\"auditd.log.addr\",\"auditd.log.item\",\"auditd.log.items\",\"auditd.log.laddr\",\"auditd.log.lport\",\"auditd.log.new_auid\",\"auditd.log.new_ses\",\"auditd.log.old_auid\",\"auditd.log.old_ses\",\"auditd.log.rport\",\"auditd.log.sequence\",\"auditd.log.tty\",\"azure.consumer_group\",\"azure.enqueued_time\",\"azure.eventhub\",\"azure.offset\",\"azure.partition_id\",\"azure.sequence_number\",\"client.address\",\"client.as.number\",\"client.as.organization.name\",\"client.as.organization.name.text\",\"client.bytes\",\"client.domain\",\"client.geo.city_name\",\"client.geo.continent_name\",\"client.geo.country_iso_code\",\"client.geo.country_name\",\"client.geo.location\",\"client.geo.name\",\"client.geo.region_iso_code\",\"client.geo.region_name\",\"client.ip\",\"client.mac\",\"client.nat.ip\",\"client.nat.port\",\"client.packets\",\"client.port\",\"client.registered_domain\",\"client.subdomain\",\"client.top_level_domain\",\"client.user.domain\",\"client.user.email\",\"client.user.full_name\",\"client.user.full_name.text\",\"client.user.group.domain\",\"client.user.group.id\",\"client.user.group.name\",\"client.user.hash\",\"client.user.id\",\"client.user.name\",\"client.user.name.text\",\"client.user.roles\",\"cloud.account.id\",\"cloud.account.name\",\"cloud.availability_zone\",\"cloud.image.id\",\"cloud.instance.id\",\"cloud.instance.name\",\"cloud.machine.type\",\"cloud.project.id\",\"cloud.project.name\",\"cloud.provider\",\"cloud.region
\",\"code_signature.exists\",\"code_signature.status\",\"code_signature.subject_name\",\"code_signature.trusted\",\"code_signature.valid\",\"container.id\",\"container.image.name\",\"container.image.tag\",\"container.name\",\"container.runtime\",\"destination.address\",\"destination.as.number\",\"destination.as.organization.name\",\"destination.as.organization.name.text\",\"destination.bytes\",\"destination.domain\",\"destination.geo.city_name\",\"destination.geo.continent_name\",\"destination.geo.country_iso_code\",\"destination.geo.country_name\",\"destination.geo.location\",\"destination.geo.name\",\"destination.geo.region_iso_code\",\"destination.geo.region_name\",\"destination.ip\",\"destination.mac\",\"destination.nat.ip\",\"destination.nat.port\",\"destination.packets\",\"destination.port\",\"destination.registered_domain\",\"destination.subdomain\",\"destination.top_level_domain\",\"destination.user.domain\",\"destination.user.email\",\"destination.user.full_name\",\"destination.user.full_name.text\",\"destination.user.group.domain\",\"destination.user.group.id\",\"destination.user.group.name\",\"destination.user.hash\",\"destination.user.id\",\"destination.user.name\",\"destination.user.name.text\",\"destination.user.roles\",\"dll.code_signature.exists\",\"dll.code_signature.status\",\"dll.code_signature.subject_name\",\"dll.code_signature.trusted\",\"dll.code_signature.valid\",\"dll.hash.md5\",\"dll.hash.sha1\",\"dll.hash.sha256\",\"dll.hash.sha512\",\"dll.name\",\"dll.path\",\"dll.pe.architecture\",\"dll.pe.company\",\"dll.pe.description\",\"dll.pe.file_version\",\"dll.pe.imphash\",\"dll.pe.original_file_name\",\"dll.pe.product\",\"dns.answers.class\",\"dns.answers.data\",\"dns.answers.name\",\"dns.answers.ttl\",\"dns.answers.type\",\"dns.header_flags\",\"dns.id\",\"dns.op_code\",\"dns.question.class\",\"dns.question.name\",\"dns.question.registered_domain\",\"dns.question.subdomain\",\"dns.question.top_level_domain\",\"dns.question.type\",\"dns.resolved_
ip\",\"dns.response_code\",\"dns.type\",\"ecs.version\",\"elasticsearch.audit.action\",\"elasticsearch.audit.event_type\",\"elasticsearch.audit.indices\",\"elasticsearch.audit.layer\",\"elasticsearch.audit.message\",\"elasticsearch.audit.origin.type\",\"elasticsearch.audit.realm\",\"elasticsearch.audit.request.id\",\"elasticsearch.audit.request.name\",\"elasticsearch.audit.url.params\",\"elasticsearch.audit.user.realm\",\"elasticsearch.audit.user.roles\",\"elasticsearch.cluster.name\",\"elasticsearch.cluster.uuid\",\"elasticsearch.component\",\"elasticsearch.gc.heap.size_kb\",\"elasticsearch.gc.heap.used_kb\",\"elasticsearch.gc.jvm_runtime_sec\",\"elasticsearch.gc.old_gen.size_kb\",\"elasticsearch.gc.old_gen.used_kb\",\"elasticsearch.gc.phase.class_unload_time_sec\",\"elasticsearch.gc.phase.cpu_time.real_sec\",\"elasticsearch.gc.phase.cpu_time.sys_sec\",\"elasticsearch.gc.phase.cpu_time.user_sec\",\"elasticsearch.gc.phase.duration_sec\",\"elasticsearch.gc.phase.name\",\"elasticsearch.gc.phase.parallel_rescan_time_sec\",\"elasticsearch.gc.phase.scrub_string_table_time_sec\",\"elasticsearch.gc.phase.scrub_symbol_table_time_sec\",\"elasticsearch.gc.phase.weak_refs_processing_time_sec\",\"elasticsearch.gc.stopping_threads_time_sec\",\"elasticsearch.gc.tags\",\"elasticsearch.gc.threads_total_stop_time_sec\",\"elasticsearch.gc.young_gen.size_kb\",\"elasticsearch.gc.young_gen.used_kb\",\"elasticsearch.index.id\",\"elasticsearch.index.name\",\"elasticsearch.node.id\",\"elasticsearch.node.name\",\"elasticsearch.server.gc.collection_duration.ms\",\"elasticsearch.server.gc.observation_duration.ms\",\"elasticsearch.server.gc.overhead_seq\",\"elasticsearch.server.gc.young.one\",\"elasticsearch.server.gc.young.two\",\"elasticsearch.server.stacktrace\",\"elasticsearch.shard.id\",\"elasticsearch.slowlog.extra_source\",\"elasticsearch.slowlog.id\",\"elasticsearch.slowlog.logger\",\"elasticsearch.slowlog.routing\",\"elasticsearch.slowlog.search_type\",\"elasticsearch.slowlog.source\"
,\"elasticsearch.slowlog.source_query\",\"elasticsearch.slowlog.stats\",\"elasticsearch.slowlog.took\",\"elasticsearch.slowlog.total_hits\",\"elasticsearch.slowlog.total_shards\",\"elasticsearch.slowlog.type\",\"elasticsearch.slowlog.types\",\"error.code\",\"error.id\",\"error.message\",\"error.stack_trace\",\"error.stack_trace.text\",\"error.type\",\"event.action\",\"event.category\",\"event.code\",\"event.created\",\"data_stream.dataset\",\"event.duration\",\"event.end\",\"event.hash\",\"event.id\",\"event.ingested\",\"event.kind\",\"event.integration\",\"event.original\",\"event.outcome\",\"event.provider\",\"event.reason\",\"event.reference\",\"event.risk_score\",\"event.risk_score_norm\",\"event.sequence\",\"event.severity\",\"event.start\",\"event.timezone\",\"event.type\",\"event.url\",\"file.accessed\",\"file.attributes\",\"file.code_signature.exists\",\"file.code_signature.status\",\"file.code_signature.subject_name\",\"file.code_signature.trusted\",\"file.code_signature.valid\",\"file.created\",\"file.ctime\",\"file.device\",\"file.directory\",\"file.drive_letter\",\"file.extension\",\"file.gid\",\"file.group\",\"file.hash.md5\",\"file.hash.sha1\",\"file.hash.sha256\",\"file.hash.sha512\",\"file.inode\",\"file.mime_type\",\"file.mode\",\"file.mtime\",\"file.name\",\"file.owner\",\"file.path\",\"file.path.text\",\"file.pe.architecture\",\"file.pe.company\",\"file.pe.description\",\"file.pe.file_version\",\"file.pe.imphash\",\"file.pe.original_file_name\",\"file.pe.product\",\"file.size\",\"file.target_path\",\"file.target_path.text\",\"file.type\",\"file.uid\",\"file.x509.alternative_names\",\"file.x509.issuer.common_name\",\"file.x509.issuer.country\",\"file.x509.issuer.distinguished_name\",\"file.x509.issuer.locality\",\"file.x509.issuer.organization\",\"file.x509.issuer.organizational_unit\",\"file.x509.issuer.state_or_province\",\"file.x509.not_after\",\"file.x509.not_before\",\"file.x509.public_key_algorithm\",\"file.x509.public_key_curve\",\"file.x509
.public_key_exponent\",\"file.x509.public_key_size\",\"file.x509.serial_number\",\"file.x509.signature_algorithm\",\"file.x509.subject.common_name\",\"file.x509.subject.country\",\"file.x509.subject.distinguished_name\",\"file.x509.subject.locality\",\"file.x509.subject.organization\",\"file.x509.subject.organizational_unit\",\"file.x509.subject.state_or_province\",\"file.x509.version_number\",\"fileset.name\",\"geo.city_name\",\"geo.continent_name\",\"geo.country_iso_code\",\"geo.country_name\",\"geo.location\",\"geo.name\",\"geo.region_iso_code\",\"geo.region_name\",\"group.domain\",\"group.id\",\"group.name\",\"haproxy.backend_name\",\"haproxy.backend_queue\",\"haproxy.bind_name\",\"haproxy.bytes_read\",\"haproxy.connection_wait_time_ms\",\"haproxy.connections.active\",\"haproxy.connections.backend\",\"haproxy.connections.frontend\",\"haproxy.connections.retries\",\"haproxy.connections.server\",\"haproxy.error_message\",\"haproxy.frontend_name\",\"haproxy.http.request.captured_cookie\",\"haproxy.http.request.captured_headers\",\"haproxy.http.request.raw_request_line\",\"haproxy.http.request.time_wait_ms\",\"haproxy.http.request.time_wait_without_data_ms\",\"haproxy.http.response.captured_cookie\",\"haproxy.http.response.captured_headers\",\"haproxy.mode\",\"haproxy.server_name\",\"haproxy.server_queue\",\"haproxy.source\",\"haproxy.tcp.connection_waiting_time_ms\",\"haproxy.termination_state\",\"haproxy.time_backend_connect\",\"haproxy.time_queue\",\"haproxy.total_waiting_time_ms\",\"hash.md5\",\"hash.sha1\",\"hash.sha256\",\"hash.sha512\",\"hid_bravura_monitor.instancename\",\"hid_bravura_monitor.node\",\"hid_bravura_monitor.perf.address\",\"hid_bravura_monitor.perf.address\",\"hid_bravura_monitor.perf.adminid\",\"hid_bravura_monitor.perf.adminid\",\"hid_bravura_monitor.perf.dbcommand\",\"hid_bravura_monitor.perf.dbcommand\",\"hid_bravura_monitor.perf.destination\",\"hid_bravura_monitor.perf.duration\",\"hid_bravura_monitor.perf.event\",\"hid_bravura_monitor.per
f.event\",\"hid_bravura_monitor.perf.exe\",\"hid_bravura_monitor.perf.exe\",\"hid_bravura_monitor.perf.file\",\"hid_bravura_monitor.perf.function\",\"hid_bravura_monitor.perf.function\",\"hid_bravura_monitor.perf.kernel\",\"hid_bravura_monitor.perf.kind\",\"hid_bravura_monitor.perf.kind\",\"hid_bravura_monitor.perf.message\",\"hid_bravura_monitor.perf.message\",\"hid_bravura_monitor.perf.operation\",\"hid_bravura_monitor.perf.operation\",\"hid_bravura_monitor.perf.receivequeue\",\"hid_bravura_monitor.perf.receivequeue\",\"hid_bravura_monitor.perf.records\",\"hid_bravura_monitor.perf.result\",\"hid_bravura_monitor.perf.result\",\"hid_bravura_monitor.perf.rule\",\"hid_bravura_monitor.perf.sessionid\",\"hid_bravura_monitor.perf.sessionid\",\"hid_bravura_monitor.perf.sysid\",\"hid_bravura_monitor.perf.sysid\",\"hid_bravura_monitor.perf.table\",\"hid_bravura_monitor.perf.table\",\"hid_bravura_monitor.perf.targetid\",\"hid_bravura_monitor.perf.targetid\",\"hid_bravura_monitor.perf.transid\",\"hid_bravura_monitor.perf.transid\",\"hid_bravura_monitor.perf.type\",\"hid_bravura_monitor.perf.user\",\"hid_bravura_monitor.request.id\",\"hid_bravura_monitor.request.id\",\"host.architecture\",\"host.containerized\",\"host.domain\",\"host.geo.city_name\",\"host.geo.continent_name\",\"host.geo.country_iso_code\",\"host.geo.country_name\",\"host.geo.location\",\"host.geo.name\",\"host.geo.region_iso_code\",\"host.geo.region_name\",\"host.hostname\",\"host.id\",\"host.ip\",\"host.mac\",\"host.name\",\"host.os.build\",\"host.os.codename\",\"host.os.family\",\"host.os.full\",\"host.os.full.text\",\"host.os.kernel\",\"host.os.name\",\"host.os.name.text\",\"host.os.platform\",\"host.os.version\",\"host.type\",\"host.uptime\",\"host.user.domain\",\"host.user.email\",\"host.user.full_name\",\"host.user.full_name.text\",\"host.user.group.domain\",\"host.user.group.id\",\"host.user.group.name\",\"host.user.hash\",\"host.user.id\",\"host.user.name\",\"host.user.name.text\",\"host.user.roles\",
\"http.request.body.bytes\",\"http.request.body.content\",\"http.request.body.content.text\",\"http.request.bytes\",\"http.request.method\",\"http.request.mime_type\",\"http.request.referrer\",\"http.response.body.bytes\",\"http.response.body.content\",\"http.response.body.content.text\",\"http.response.bytes\",\"http.response.mime_type\",\"http.response.status_code\",\"http.version\",\"icinga.debug.facility\",\"icinga.main.facility\",\"icinga.startup.facility\",\"icmp.code\",\"icmp.type\",\"igmp.type\",\"iis.access.cookie\",\"iis.access.server_name\",\"iis.access.site_name\",\"iis.access.sub_status\",\"iis.access.win32_status\",\"iis.error.queue_name\",\"iis.error.reason_phrase\",\"input.type\",\"interface.alias\",\"interface.id\",\"interface.name\",\"jolokia.agent.id\",\"jolokia.agent.version\",\"jolokia.secured\",\"jolokia.server.product\",\"jolokia.server.vendor\",\"jolokia.server.version\",\"jolokia.url\",\"kafka.block_timestamp\",\"kafka.key\",\"kafka.log.class\",\"kafka.log.component\",\"kafka.log.thread\",\"kafka.log.trace.class\",\"kafka.log.trace.message\",\"kafka.offset\",\"kafka.partition\",\"kafka.topic\",\"kibana.add_to_spaces\",\"kibana.authentication_provider\",\"kibana.authentication_realm\",\"kibana.authentication_type\",\"kibana.delete_from_spaces\",\"kibana.log.state\",\"kibana.log.tags\",\"kibana.lookup_realm\",\"kibana.saved_object.id\",\"kibana.saved_object.type\",\"kibana.session_id\",\"kibana.space_id\",\"kubernetes.container.image\",\"kubernetes.container.name\",\"kubernetes.deployment.name\",\"kubernetes.namespace\",\"kubernetes.node.hostname\",\"kubernetes.node.name\",\"kubernetes.pod.name\",\"kubernetes.pod.uid\",\"kubernetes.replicaset.name\",\"kubernetes.statefulset.name\",\"log.file.path\",\"log.flags\",\"log.level\",\"log.logger\",\"log.offset\",\"log.origin.file.line\",\"log.origin.file.name\",\"log.origin.function\",\"log.original\",\"log.source.address\",\"log.syslog.facility.code\",\"log.syslog.facility.name\",\"log.syslog.priori
ty\",\"log.syslog.severity.code\",\"log.syslog.severity.name\",\"logstash.log.integration\",\"logstash.log.pipeline_id\",\"logstash.log.thread\",\"logstash.log.thread.text\",\"logstash.slowlog.event\",\"logstash.slowlog.event.text\",\"logstash.slowlog.integration\",\"logstash.slowlog.plugin_name\",\"logstash.slowlog.plugin_params\",\"logstash.slowlog.plugin_params.text\",\"logstash.slowlog.plugin_type\",\"logstash.slowlog.thread\",\"logstash.slowlog.thread.text\",\"logstash.slowlog.took_in_millis\",\"message\",\"mongodb.log.component\",\"mongodb.log.context\",\"mysql.slowlog.bytes_received\",\"mysql.slowlog.bytes_sent\",\"mysql.slowlog.current_user\",\"mysql.slowlog.filesort\",\"mysql.slowlog.filesort_on_disk\",\"mysql.slowlog.full_join\",\"mysql.slowlog.full_scan\",\"mysql.slowlog.innodb.io_r_bytes\",\"mysql.slowlog.innodb.io_r_ops\",\"mysql.slowlog.innodb.io_r_wait.sec\",\"mysql.slowlog.innodb.pages_distinct\",\"mysql.slowlog.innodb.queue_wait.sec\",\"mysql.slowlog.innodb.rec_lock_wait.sec\",\"mysql.slowlog.innodb.trx_id\",\"mysql.slowlog.killed\",\"mysql.slowlog.last_errno\",\"mysql.slowlog.lock_time.sec\",\"mysql.slowlog.log_slow_rate_limit\",\"mysql.slowlog.log_slow_rate_type\",\"mysql.slowlog.merge_passes\",\"mysql.slowlog.priority_queue\",\"mysql.slowlog.query\",\"mysql.slowlog.query_cache_hit\",\"mysql.slowlog.read_first\",\"mysql.slowlog.read_key\",\"mysql.slowlog.read_last\",\"mysql.slowlog.read_next\",\"mysql.slowlog.read_prev\",\"mysql.slowlog.read_rnd\",\"mysql.slowlog.read_rnd_next\",\"mysql.slowlog.rows_affected\",\"mysql.slowlog.rows_examined\",\"mysql.slowlog.rows_sent\",\"mysql.slowlog.schema\",\"mysql.slowlog.sort_merge_passes\",\"mysql.slowlog.sort_range_count\",\"mysql.slowlog.sort_rows\",\"mysql.slowlog.sort_scan_count\",\"mysql.slowlog.tmp_disk_tables\",\"mysql.slowlog.tmp_table\",\"mysql.slowlog.tmp_table_on_disk\",\"mysql.slowlog.tmp_table_sizes\",\"mysql.slowlog.tmp_tables\",\"mysql.thread_id\",\"nats.log.client.id\",\"nats.log.msg.bytes\",
\"nats.log.msg.error.message\",\"nats.log.msg.max_messages\",\"nats.log.msg.queue_group\",\"nats.log.msg.reply_to\",\"nats.log.msg.sid\",\"nats.log.msg.subject\",\"nats.log.msg.type\",\"network.application\",\"network.bytes\",\"network.community_id\",\"network.direction\",\"network.forwarded_ip\",\"network.iana_number\",\"network.inner.vlan.id\",\"network.inner.vlan.name\",\"network.name\",\"network.packets\",\"network.protocol\",\"network.transport\",\"network.type\",\"network.vlan.id\",\"network.vlan.name\",\"nginx.error.connection_id\",\"nginx.ingress_controller.http.request.id\",\"nginx.ingress_controller.http.request.length\",\"nginx.ingress_controller.http.request.time\",\"nginx.ingress_controller.upstream.alternative_name\",\"nginx.ingress_controller.upstream.ip\",\"nginx.ingress_controller.upstream.name\",\"nginx.ingress_controller.upstream.port\",\"nginx.ingress_controller.upstream.response.length\",\"nginx.ingress_controller.upstream.response.length_list\",\"nginx.ingress_controller.upstream.response.status_code\",\"nginx.ingress_controller.upstream.response.status_code_list\",\"nginx.ingress_controller.upstream.response.time\",\"nginx.ingress_controller.upstream.response.time_list\",\"nginx.ingress_controller.upstream_address_list\",\"observer.egress.interface.alias\",\"observer.egress.interface.id\",\"observer.egress.interface.name\",\"observer.egress.vlan.id\",\"observer.egress.vlan.name\",\"observer.egress.zone\",\"observer.geo.city_name\",\"observer.geo.continent_name\",\"observer.geo.country_iso_code\",\"observer.geo.country_name\",\"observer.geo.location\",\"observer.geo.name\",\"observer.geo.region_iso_code\",\"observer.geo.region_name\",\"observer.hostname\",\"observer.ingress.interface.alias\",\"observer.ingress.interface.id\",\"observer.ingress.interface.name\",\"observer.ingress.vlan.id\",\"observer.ingress.vlan.name\",\"observer.ingress.zone\",\"observer.ip\",\"observer.mac\",\"observer.name\",\"observer.os.family\",\"observer.os.full\",\"obse
rver.os.full.text\",\"observer.os.kernel\",\"observer.os.name\",\"observer.os.name.text\",\"observer.os.platform\",\"observer.os.version\",\"observer.product\",\"observer.serial_number\",\"observer.type\",\"observer.vendor\",\"observer.version\",\"organization.id\",\"organization.name\",\"organization.name.text\",\"os.family\",\"os.full\",\"os.full.text\",\"os.kernel\",\"os.name\",\"os.name.text\",\"os.platform\",\"os.version\",\"osquery.result.action\",\"osquery.result.calendar_time\",\"osquery.result.host_identifier\",\"osquery.result.name\",\"osquery.result.unix_time\",\"package.architecture\",\"package.build_version\",\"package.checksum\",\"package.description\",\"package.install_scope\",\"package.installed\",\"package.license\",\"package.name\",\"package.path\",\"package.reference\",\"package.size\",\"package.type\",\"package.version\",\"pe.architecture\",\"pe.company\",\"pe.description\",\"pe.file_version\",\"pe.imphash\",\"pe.original_file_name\",\"pe.product\",\"postgresql.log.core_id\",\"postgresql.log.database\",\"postgresql.log.error.code\",\"postgresql.log.query\",\"postgresql.log.query_name\",\"postgresql.log.query_step\",\"postgresql.log.timestamp\",\"process.args\",\"process.args_count\",\"process.code_signature.exists\",\"process.code_signature.status\",\"process.code_signature.subject_name\",\"process.code_signature.trusted\",\"process.code_signature.valid\",\"process.command_line\",\"process.command_line.text\",\"process.entity_id\",\"process.executable\",\"process.executable.text\",\"process.exit_code\",\"process.hash.md5\",\"process.hash.sha1\",\"process.hash.sha256\",\"process.hash.sha512\",\"process.name\",\"process.name.text\",\"process.parent.args\",\"process.parent.args_count\",\"process.parent.code_signature.exists\",\"process.parent.code_signature.status\",\"process.parent.code_signature.subject_name\",\"process.parent.code_signature.trusted\",\"process.parent.code_signature.valid\",\"process.parent.command_line\",\"process.parent.command_
line.text\",\"process.parent.entity_id\",\"process.parent.executable\",\"process.parent.executable.text\",\"process.parent.exit_code\",\"process.parent.hash.md5\",\"process.parent.hash.sha1\",\"process.parent.hash.sha256\",\"process.parent.hash.sha512\",\"process.parent.name\",\"process.parent.name.text\",\"process.parent.pe.architecture\",\"process.parent.pe.company\",\"process.parent.pe.description\",\"process.parent.pe.file_version\",\"process.parent.pe.imphash\",\"process.parent.pe.original_file_name\",\"process.parent.pe.product\",\"process.parent.pgid\",\"process.parent.pid\",\"process.parent.ppid\",\"process.parent.start\",\"process.parent.thread.id\",\"process.parent.thread.name\",\"process.parent.title\",\"process.parent.title.text\",\"process.parent.uptime\",\"process.parent.working_directory\",\"process.parent.working_directory.text\",\"process.pe.architecture\",\"process.pe.company\",\"process.pe.description\",\"process.pe.file_version\",\"process.pe.imphash\",\"process.pe.original_file_name\",\"process.pe.product\",\"process.pgid\",\"process.pid\",\"process.ppid\",\"process.program\",\"process.start\",\"process.thread.id\",\"process.thread.name\",\"process.title\",\"process.title.text\",\"process.uptime\",\"process.working_directory\",\"process.working_directory.text\",\"redis.log.role\",\"redis.slowlog.args\",\"redis.slowlog.cmd\",\"redis.slowlog.duration.us\",\"redis.slowlog.id\",\"redis.slowlog.key\",\"registry.data.bytes\",\"registry.data.strings\",\"registry.data.type\",\"registry.hive\",\"registry.key\",\"registry.path\",\"registry.value\",\"related.hash\",\"related.hosts\",\"related.ip\",\"related.user\",\"rule.author\",\"rule.category\",\"rule.description\",\"rule.id\",\"rule.license\",\"rule.name\",\"rule.reference\",\"rule.ruleset\",\"rule.uuid\",\"rule.version\",\"santa.action\",\"santa.certificate.common_name\",\"santa.certificate.sha256\",\"santa.decision\",\"santa.disk.bsdname\",\"santa.disk.bus\",\"santa.disk.fs\",\"santa.disk.model\",\"s
anta.disk.mount\",\"santa.disk.serial\",\"santa.disk.volume\",\"santa.mode\",\"santa.reason\",\"server.address\",\"server.as.number\",\"server.as.organization.name\",\"server.as.organization.name.text\",\"server.bytes\",\"server.domain\",\"server.geo.city_name\",\"server.geo.continent_name\",\"server.geo.country_iso_code\",\"server.geo.country_name\",\"server.geo.location\",\"server.geo.name\",\"server.geo.region_iso_code\",\"server.geo.region_name\",\"server.ip\",\"server.mac\",\"server.nat.ip\",\"server.nat.port\",\"server.packets\",\"server.port\",\"server.registered_domain\",\"server.subdomain\",\"server.top_level_domain\",\"server.user.domain\",\"server.user.email\",\"server.user.full_name\",\"server.user.full_name.text\",\"server.user.group.domain\",\"server.user.group.id\",\"server.user.group.name\",\"server.user.hash\",\"server.user.id\",\"server.user.name\",\"server.user.name.text\",\"server.user.roles\",\"service.ephemeral_id\",\"service.id\",\"service.name\",\"service.node.name\",\"service.state\",\"service.type\",\"service.version\",\"source.address\",\"source.as.number\",\"source.as.organization.name\",\"source.as.organization.name.text\",\"source.bytes\",\"source.domain\",\"source.geo.city_name\",\"source.geo.continent_name\",\"source.geo.country_iso_code\",\"source.geo.country_name\",\"source.geo.location\",\"source.geo.name\",\"source.geo.region_iso_code\",\"source.geo.region_name\",\"source.ip\",\"source.mac\",\"source.nat.ip\",\"source.nat.port\",\"source.packets\",\"source.port\",\"source.registered_domain\",\"source.subdomain\",\"source.top_level_domain\",\"source.user.domain\",\"source.user.email\",\"source.user.full_name\",\"source.user.full_name.text\",\"source.user.group.domain\",\"source.user.group.id\",\"source.user.group.name\",\"source.user.hash\",\"source.user.id\",\"source.user.name\",\"source.user.name.text\",\"source.user.roles\",\"span.id\",\"stream\",\"syslog.facility\",\"syslog.facility_label\",\"syslog.priority\",\"syslog.severity
_label\",\"system.auth.ssh.dropped_ip\",\"system.auth.ssh.event\",\"system.auth.ssh.method\",\"system.auth.ssh.signature\",\"system.auth.sudo.command\",\"system.auth.sudo.error\",\"system.auth.sudo.pwd\",\"system.auth.sudo.tty\",\"system.auth.sudo.user\",\"system.auth.useradd.home\",\"system.auth.useradd.shell\",\"tags\",\"threat.framework\",\"threat.tactic.id\",\"threat.tactic.name\",\"threat.tactic.reference\",\"threat.technique.id\",\"threat.technique.name\",\"threat.technique.name.text\",\"threat.technique.reference\",\"threat.technique.subtechnique.id\",\"threat.technique.subtechnique.name\",\"threat.technique.subtechnique.name.text\",\"threat.technique.subtechnique.reference\",\"timeseries.instance\",\"tls.cipher\",\"tls.client.certificate\",\"tls.client.certificate_chain\",\"tls.client.hash.md5\",\"tls.client.hash.sha1\",\"tls.client.hash.sha256\",\"tls.client.issuer\",\"tls.client.ja3\",\"tls.client.not_after\",\"tls.client.not_before\",\"tls.client.server_name\",\"tls.client.subject\",\"tls.client.supported_ciphers\",\"tls.client.x509.alternative_names\",\"tls.client.x509.issuer.common_name\",\"tls.client.x509.issuer.country\",\"tls.client.x509.issuer.distinguished_name\",\"tls.client.x509.issuer.locality\",\"tls.client.x509.issuer.organization\",\"tls.client.x509.issuer.organizational_unit\",\"tls.client.x509.issuer.state_or_province\",\"tls.client.x509.not_after\",\"tls.client.x509.not_before\",\"tls.client.x509.public_key_algorithm\",\"tls.client.x509.public_key_curve\",\"tls.client.x509.public_key_exponent\",\"tls.client.x509.public_key_size\",\"tls.client.x509.serial_number\",\"tls.client.x509.signature_algorithm\",\"tls.client.x509.subject.common_name\",\"tls.client.x509.subject.country\",\"tls.client.x509.subject.distinguished_name\",\"tls.client.x509.subject.locality\",\"tls.client.x509.subject.organization\",\"tls.client.x509.subject.organizational_unit\",\"tls.client.x509.subject.state_or_province\",\"tls.client.x509.version_number\",\"tls.curve\"
,\"tls.established\",\"tls.next_protocol\",\"tls.resumed\",\"tls.server.certificate\",\"tls.server.certificate_chain\",\"tls.server.hash.md5\",\"tls.server.hash.sha1\",\"tls.server.hash.sha256\",\"tls.server.issuer\",\"tls.server.ja3s\",\"tls.server.not_after\",\"tls.server.not_before\",\"tls.server.subject\",\"tls.server.x509.alternative_names\",\"tls.server.x509.issuer.common_name\",\"tls.server.x509.issuer.country\",\"tls.server.x509.issuer.distinguished_name\",\"tls.server.x509.issuer.locality\",\"tls.server.x509.issuer.organization\",\"tls.server.x509.issuer.organizational_unit\",\"tls.server.x509.issuer.state_or_province\",\"tls.server.x509.not_after\",\"tls.server.x509.not_before\",\"tls.server.x509.public_key_algorithm\",\"tls.server.x509.public_key_curve\",\"tls.server.x509.public_key_exponent\",\"tls.server.x509.public_key_size\",\"tls.server.x509.serial_number\",\"tls.server.x509.signature_algorithm\",\"tls.server.x509.subject.common_name\",\"tls.server.x509.subject.country\",\"tls.server.x509.subject.distinguished_name\",\"tls.server.x509.subject.locality\",\"tls.server.x509.subject.organization\",\"tls.server.x509.subject.organizational_unit\",\"tls.server.x509.subject.state_or_province\",\"tls.server.x509.version_number\",\"tls.version\",\"tls.version_protocol\",\"trace.id\",\"traefik.access.backend_url\",\"traefik.access.frontend_name\",\"traefik.access.geoip.city_name\",\"traefik.access.geoip.continent_name\",\"traefik.access.geoip.country_iso_code\",\"traefik.access.geoip.location\",\"traefik.access.geoip.region_iso_code\",\"traefik.access.geoip.region_name\",\"traefik.access.request_count\",\"traefik.access.user_agent.device\",\"traefik.access.user_agent.name\",\"traefik.access.user_agent.original\",\"traefik.access.user_agent.os\",\"traefik.access.user_agent.os_name\",\"traefik.access.user_identifier\",\"transaction.id\",\"url.domain\",\"url.extension\",\"url.fragment\",\"url.full\",\"url.full.text\",\"url.original\",\"url.original.text\",\"url.pa
ssword\",\"url.path\",\"url.port\",\"url.query\",\"url.registered_domain\",\"url.scheme\",\"url.subdomain\",\"url.top_level_domain\",\"url.username\",\"user.audit.group.id\",\"user.audit.group.name\",\"user.audit.id\",\"user.audit.name\",\"user.domain\",\"user.effective.group.id\",\"user.effective.group.name\",\"user.effective.id\",\"user.effective.name\",\"user.email\",\"user.filesystem.group.id\",\"user.filesystem.group.name\",\"user.filesystem.id\",\"user.filesystem.name\",\"user.full_name\",\"user.full_name.text\",\"user.group.domain\",\"user.group.id\",\"user.group.name\",\"user.hash\",\"user.id\",\"user.name\",\"user.name.text\",\"user.owner.group.id\",\"user.owner.group.name\",\"user.owner.id\",\"user.owner.name\",\"user.roles\",\"user.saved.group.id\",\"user.saved.group.name\",\"user.saved.id\",\"user.saved.name\",\"user.terminal\",\"user_agent.device.name\",\"user_agent.name\",\"user_agent.original\",\"user_agent.original.text\",\"user_agent.os.family\",\"user_agent.os.full\",\"user_agent.os.full.text\",\"user_agent.os.full_name\",\"user_agent.os.kernel\",\"user_agent.os.name\",\"user_agent.os.name.text\",\"user_agent.os.platform\",\"user_agent.os.version\",\"user_agent.version\",\"vlan.id\",\"vlan.name\",\"vulnerability.category\",\"vulnerability.classification\",\"vulnerability.description\",\"vulnerability.description.text\",\"vulnerability.enumeration\",\"vulnerability.id\",\"vulnerability.reference\",\"vulnerability.report_id\",\"vulnerability.scanner.vendor\",\"vulnerability.score.base\",\"vulnerability.score.environmental\",\"vulnerability.score.temporal\",\"vulnerability.score.version\",\"vulnerability.severity\",\"x509.alternative_names\",\"x509.issuer.common_name\",\"x509.issuer.country\",\"x509.issuer.distinguished_name\",\"x509.issuer.locality\",\"x509.issuer.organization\",\"x509.issuer.organizational_unit\",\"x509.issuer.state_or_province\",\"x509.not_after\",\"x509.not_before\",\"x509.public_key_algorithm\",\"x509.public_key_curve\",\"x509.pu
blic_key_exponent\",\"x509.public_key_size\",\"x509.serial_number\",\"x509.signature_algorithm\",\"x509.subject.common_name\",\"x509.subject.country\",\"x509.subject.distinguished_name\",\"x509.subject.locality\",\"x509.subject.organization\",\"x509.subject.organizational_unit\",\"x509.subject.state_or_province\",\"x509.version_number\"],\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"hid_bravura_monitor.perf.kind\",\"negate\":false,\"params\":{\"query\":\"PerfExe\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"hid_bravura_monitor.perf.kind\":\"PerfExe\"}}}],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "PerfExe", - "version": 1 - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-4215e410-2f42-11eb-b6a1-bdb7d768b585", - "migrationVersion": { - "search": "7.9.3" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/hid_bravura_monitor/1.2.3/kibana/search/hid_bravura_monitor-465760e0-25d7-11eb-abcf-effcd51852fa.json b/packages/hid_bravura_monitor/1.2.3/kibana/search/hid_bravura_monitor-465760e0-25d7-11eb-abcf-effcd51852fa.json deleted file mode 100755 index b67cb2881a..0000000000 --- a/packages/hid_bravura_monitor/1.2.3/kibana/search/hid_bravura_monitor-465760e0-25d7-11eb-abcf-effcd51852fa.json +++ /dev/null 
@@ -1,31 +0,0 @@
-{
- "attributes": {
- "columns": [
- "_source"
- ],
- "description": "",
- "hits": 0,
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"hid_bravura_monitor.log\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"hid_bravura_monitor.log\"}}}],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}"
- },
- "sort": [],
- "title": "Dataset",
- "version": 1
- },
- "coreMigrationVersion": "7.15.0",
- "id": "hid_bravura_monitor-465760e0-25d7-11eb-abcf-effcd51852fa",
- "migrationVersion": {
- "search": "7.9.3"
- },
- "namespaces": [
- "default"
- ],
- "references": [
- {
- "id": "logs-*",
- "name": "kibanaSavedObjectMeta.searchSourceJSON.index",
- "type": "index-pattern"
- }
- ],
- "type": "search"
-}
\ No newline at end of file
diff --git a/packages/hid_bravura_monitor/1.2.3/kibana/search/hid_bravura_monitor-53be5e10-d909-11eb-9e70-edcbba448215.json b/packages/hid_bravura_monitor/1.2.3/kibana/search/hid_bravura_monitor-53be5e10-d909-11eb-9e70-edcbba448215.json
deleted file mode 100755
index 21f0920379..0000000000
--- a/packages/hid_bravura_monitor/1.2.3/kibana/search/hid_bravura_monitor-53be5e10-d909-11eb-9e70-edcbba448215.json
+++ /dev/null
@@ -1,41 +0,0 @@
-{
- "attributes": {
- "columns": [
- "_source"
- ],
- "description": "",
- "hits": 0,
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"winlog.provider_name\",\"negate\":false,\"params\":{\"query\":\"Hitachi-Hitachi ID Systems-Hitachi ID Suite\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"winlog.provider_name\":\"Hitachi-Hitachi ID Systems-Hitachi ID Suite\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":[\"81\",\"82\",\"83\",\"84\",\"85\"],\"type\":\"phrases\",\"value\":\"81, 82, 83, 84, 85\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.code\":\"81\"}},{\"match_phrase\":{\"event.code\":\"82\"}},{\"match_phrase\":{\"event.code\":\"83\"}},{\"match_phrase\":{\"event.code\":\"84\"}},{\"match_phrase\":{\"event.code\":\"85\"}}]}}}],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}"
- },
- "sort": [],
- "title": "Hitachi ID Windows Event Logs - Workflow",
- "version": 1
- },
- "coreMigrationVersion": "7.15.0",
- "id": "hid_bravura_monitor-53be5e10-d909-11eb-9e70-edcbba448215",
- "migrationVersion": {
- "search": "7.9.3"
- },
- "namespaces": [
- "default"
- ],
- "references": [
- {
- "id": "logs-*",
- "name": "kibanaSavedObjectMeta.searchSourceJSON.index",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index",
- "type": "index-pattern"
- }
- ],
- "type": "search"
-}
\ No newline at end of file
diff --git a/packages/hid_bravura_monitor/1.2.3/kibana/search/hid_bravura_monitor-55100560-1add-11eb-abcf-effcd51852fa.json b/packages/hid_bravura_monitor/1.2.3/kibana/search/hid_bravura_monitor-55100560-1add-11eb-abcf-effcd51852fa.json
deleted file mode 100755
index 78345eb6c9..0000000000
--- a/packages/hid_bravura_monitor/1.2.3/kibana/search/hid_bravura_monitor-55100560-1add-11eb-abcf-effcd51852fa.json
+++ /dev/null
@@ -1,39 +0,0 @@ -{ - "attributes": { - "columns": [], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"fieldsFromSource\":[\"@timestamp\",\"_id\",\"_index\",\"_score\",\"_source\",\"_type\",\"agent.build.original\",\"agent.ephemeral_id\",\"agent.hostname\",\"agent.id\",\"agent.name\",\"agent.type\",\"agent.version\",\"apache.access.ssl.cipher\",\"apache.access.ssl.protocol\",\"apache.error.integration\",\"as.number\",\"as.organization.name\",\"as.organization.name.text\",\"auditd.log.a0\",\"auditd.log.addr\",\"auditd.log.item\",\"auditd.log.items\",\"auditd.log.laddr\",\"auditd.log.lport\",\"auditd.log.new_auid\",\"auditd.log.new_ses\",\"auditd.log.old_auid\",\"auditd.log.old_ses\",\"auditd.log.rport\",\"auditd.log.sequence\",\"auditd.log.tty\",\"azure.consumer_group\",\"azure.enqueued_time\",\"azure.eventhub\",\"azure.offset\",\"azure.partition_id\",\"azure.sequence_number\",\"client.address\",\"client.as.number\",\"client.as.organization.name\",\"client.as.organization.name.text\",\"client.bytes\",\"client.domain\",\"client.geo.city_name\",\"client.geo.continent_name\",\"client.geo.country_iso_code\",\"client.geo.country_name\",\"client.geo.location\",\"client.geo.name\",\"client.geo.region_iso_code\",\"client.geo.region_name\",\"client.ip\",\"client.mac\",\"client.nat.ip\",\"client.nat.port\",\"client.packets\",\"client.port\",\"client.registered_domain\",\"client.subdomain\",\"client.top_level_domain\",\"client.user.domain\",\"client.user.email\",\"client.user.full_name\",\"client.user.full_name.text\",\"client.user.group.domain\",\"client.user.group.id\",\"client.user.group.name\",\"client.user.hash\",\"client.user.id\",\"client.user.name\",\"client.user.name.text\",\"client.user.roles\",\"cloud.account.id\",\"cloud.account.name\",\"cloud.availability_zone\",\"cloud.image.id\",\"cloud.instance.id\",\"cloud.instance.name\",\"cloud.machine.type\",\"cloud.project.id\",\"cloud.project.name\",\"cloud.provider\",\"cloud.region
\",\"code_signature.exists\",\"code_signature.status\",\"code_signature.subject_name\",\"code_signature.trusted\",\"code_signature.valid\",\"container.id\",\"container.image.name\",\"container.image.tag\",\"container.name\",\"container.runtime\",\"destination.address\",\"destination.as.number\",\"destination.as.organization.name\",\"destination.as.organization.name.text\",\"destination.bytes\",\"destination.domain\",\"destination.geo.city_name\",\"destination.geo.continent_name\",\"destination.geo.country_iso_code\",\"destination.geo.country_name\",\"destination.geo.location\",\"destination.geo.name\",\"destination.geo.region_iso_code\",\"destination.geo.region_name\",\"destination.ip\",\"destination.mac\",\"destination.nat.ip\",\"destination.nat.port\",\"destination.packets\",\"destination.port\",\"destination.registered_domain\",\"destination.subdomain\",\"destination.top_level_domain\",\"destination.user.domain\",\"destination.user.email\",\"destination.user.full_name\",\"destination.user.full_name.text\",\"destination.user.group.domain\",\"destination.user.group.id\",\"destination.user.group.name\",\"destination.user.hash\",\"destination.user.id\",\"destination.user.name\",\"destination.user.name.text\",\"destination.user.roles\",\"dll.code_signature.exists\",\"dll.code_signature.status\",\"dll.code_signature.subject_name\",\"dll.code_signature.trusted\",\"dll.code_signature.valid\",\"dll.hash.md5\",\"dll.hash.sha1\",\"dll.hash.sha256\",\"dll.hash.sha512\",\"dll.name\",\"dll.path\",\"dll.pe.architecture\",\"dll.pe.company\",\"dll.pe.description\",\"dll.pe.file_version\",\"dll.pe.imphash\",\"dll.pe.original_file_name\",\"dll.pe.product\",\"dns.answers.class\",\"dns.answers.data\",\"dns.answers.name\",\"dns.answers.ttl\",\"dns.answers.type\",\"dns.header_flags\",\"dns.id\",\"dns.op_code\",\"dns.question.class\",\"dns.question.name\",\"dns.question.registered_domain\",\"dns.question.subdomain\",\"dns.question.top_level_domain\",\"dns.question.type\",\"dns.resolved_
ip\",\"dns.response_code\",\"dns.type\",\"ecs.version\",\"elasticsearch.audit.action\",\"elasticsearch.audit.event_type\",\"elasticsearch.audit.indices\",\"elasticsearch.audit.layer\",\"elasticsearch.audit.message\",\"elasticsearch.audit.origin.type\",\"elasticsearch.audit.realm\",\"elasticsearch.audit.request.id\",\"elasticsearch.audit.request.name\",\"elasticsearch.audit.url.params\",\"elasticsearch.audit.user.realm\",\"elasticsearch.audit.user.roles\",\"elasticsearch.cluster.name\",\"elasticsearch.cluster.uuid\",\"elasticsearch.component\",\"elasticsearch.gc.heap.size_kb\",\"elasticsearch.gc.heap.used_kb\",\"elasticsearch.gc.jvm_runtime_sec\",\"elasticsearch.gc.old_gen.size_kb\",\"elasticsearch.gc.old_gen.used_kb\",\"elasticsearch.gc.phase.class_unload_time_sec\",\"elasticsearch.gc.phase.cpu_time.real_sec\",\"elasticsearch.gc.phase.cpu_time.sys_sec\",\"elasticsearch.gc.phase.cpu_time.user_sec\",\"elasticsearch.gc.phase.duration_sec\",\"elasticsearch.gc.phase.name\",\"elasticsearch.gc.phase.parallel_rescan_time_sec\",\"elasticsearch.gc.phase.scrub_string_table_time_sec\",\"elasticsearch.gc.phase.scrub_symbol_table_time_sec\",\"elasticsearch.gc.phase.weak_refs_processing_time_sec\",\"elasticsearch.gc.stopping_threads_time_sec\",\"elasticsearch.gc.tags\",\"elasticsearch.gc.threads_total_stop_time_sec\",\"elasticsearch.gc.young_gen.size_kb\",\"elasticsearch.gc.young_gen.used_kb\",\"elasticsearch.index.id\",\"elasticsearch.index.name\",\"elasticsearch.node.id\",\"elasticsearch.node.name\",\"elasticsearch.server.gc.collection_duration.ms\",\"elasticsearch.server.gc.observation_duration.ms\",\"elasticsearch.server.gc.overhead_seq\",\"elasticsearch.server.gc.young.one\",\"elasticsearch.server.gc.young.two\",\"elasticsearch.server.stacktrace\",\"elasticsearch.shard.id\",\"elasticsearch.slowlog.extra_source\",\"elasticsearch.slowlog.id\",\"elasticsearch.slowlog.logger\",\"elasticsearch.slowlog.routing\",\"elasticsearch.slowlog.search_type\",\"elasticsearch.slowlog.source\"
,\"elasticsearch.slowlog.source_query\",\"elasticsearch.slowlog.stats\",\"elasticsearch.slowlog.took\",\"elasticsearch.slowlog.total_hits\",\"elasticsearch.slowlog.total_shards\",\"elasticsearch.slowlog.type\",\"elasticsearch.slowlog.types\",\"error.code\",\"error.id\",\"error.message\",\"error.stack_trace\",\"error.stack_trace.text\",\"error.type\",\"event.action\",\"event.category\",\"event.code\",\"event.created\",\"data_stream.dataset\",\"event.duration\",\"event.end\",\"event.hash\",\"event.id\",\"event.ingested\",\"event.kind\",\"event.integration\",\"event.original\",\"event.outcome\",\"event.provider\",\"event.reason\",\"event.reference\",\"event.risk_score\",\"event.risk_score_norm\",\"event.sequence\",\"event.severity\",\"event.start\",\"event.timezone\",\"event.type\",\"event.url\",\"file.accessed\",\"file.attributes\",\"file.code_signature.exists\",\"file.code_signature.status\",\"file.code_signature.subject_name\",\"file.code_signature.trusted\",\"file.code_signature.valid\",\"file.created\",\"file.ctime\",\"file.device\",\"file.directory\",\"file.drive_letter\",\"file.extension\",\"file.gid\",\"file.group\",\"file.hash.md5\",\"file.hash.sha1\",\"file.hash.sha256\",\"file.hash.sha512\",\"file.inode\",\"file.mime_type\",\"file.mode\",\"file.mtime\",\"file.name\",\"file.owner\",\"file.path\",\"file.path.text\",\"file.pe.architecture\",\"file.pe.company\",\"file.pe.description\",\"file.pe.file_version\",\"file.pe.imphash\",\"file.pe.original_file_name\",\"file.pe.product\",\"file.size\",\"file.target_path\",\"file.target_path.text\",\"file.type\",\"file.uid\",\"file.x509.alternative_names\",\"file.x509.issuer.common_name\",\"file.x509.issuer.country\",\"file.x509.issuer.distinguished_name\",\"file.x509.issuer.locality\",\"file.x509.issuer.organization\",\"file.x509.issuer.organizational_unit\",\"file.x509.issuer.state_or_province\",\"file.x509.not_after\",\"file.x509.not_before\",\"file.x509.public_key_algorithm\",\"file.x509.public_key_curve\",\"file.x509
.public_key_exponent\",\"file.x509.public_key_size\",\"file.x509.serial_number\",\"file.x509.signature_algorithm\",\"file.x509.subject.common_name\",\"file.x509.subject.country\",\"file.x509.subject.distinguished_name\",\"file.x509.subject.locality\",\"file.x509.subject.organization\",\"file.x509.subject.organizational_unit\",\"file.x509.subject.state_or_province\",\"file.x509.version_number\",\"fileset.name\",\"geo.city_name\",\"geo.continent_name\",\"geo.country_iso_code\",\"geo.country_name\",\"geo.location\",\"geo.name\",\"geo.region_iso_code\",\"geo.region_name\",\"group.domain\",\"group.id\",\"group.name\",\"haproxy.backend_name\",\"haproxy.backend_queue\",\"haproxy.bind_name\",\"haproxy.bytes_read\",\"haproxy.connection_wait_time_ms\",\"haproxy.connections.active\",\"haproxy.connections.backend\",\"haproxy.connections.frontend\",\"haproxy.connections.retries\",\"haproxy.connections.server\",\"haproxy.error_message\",\"haproxy.frontend_name\",\"haproxy.http.request.captured_cookie\",\"haproxy.http.request.captured_headers\",\"haproxy.http.request.raw_request_line\",\"haproxy.http.request.time_wait_ms\",\"haproxy.http.request.time_wait_without_data_ms\",\"haproxy.http.response.captured_cookie\",\"haproxy.http.response.captured_headers\",\"haproxy.mode\",\"haproxy.server_name\",\"haproxy.server_queue\",\"haproxy.source\",\"haproxy.tcp.connection_waiting_time_ms\",\"haproxy.termination_state\",\"haproxy.time_backend_connect\",\"haproxy.time_queue\",\"haproxy.total_waiting_time_ms\",\"hash.md5\",\"hash.sha1\",\"hash.sha256\",\"hash.sha512\",\"hid_bravura_monitor.instancename\",\"hid_bravura_monitor.node\",\"hid_bravura_monitor.perf.address\",\"hid_bravura_monitor.perf.address\",\"hid_bravura_monitor.perf.adminid\",\"hid_bravura_monitor.perf.adminid\",\"hid_bravura_monitor.perf.dbcommand\",\"hid_bravura_monitor.perf.dbcommand\",\"hid_bravura_monitor.perf.destination\",\"hid_bravura_monitor.perf.duration\",\"hid_bravura_monitor.perf.event\",\"hid_bravura_monitor.per
f.event\",\"hid_bravura_monitor.perf.exe\",\"hid_bravura_monitor.perf.exe\",\"hid_bravura_monitor.perf.file\",\"hid_bravura_monitor.perf.function\",\"hid_bravura_monitor.perf.function\",\"hid_bravura_monitor.perf.kernel\",\"hid_bravura_monitor.perf.kind\",\"hid_bravura_monitor.perf.kind\",\"hid_bravura_monitor.perf.message\",\"hid_bravura_monitor.perf.message\",\"hid_bravura_monitor.perf.operation\",\"hid_bravura_monitor.perf.operation\",\"hid_bravura_monitor.perf.receivequeue\",\"hid_bravura_monitor.perf.receivequeue\",\"hid_bravura_monitor.perf.records\",\"hid_bravura_monitor.perf.result\",\"hid_bravura_monitor.perf.result\",\"hid_bravura_monitor.perf.rule\",\"hid_bravura_monitor.perf.sessionid\",\"hid_bravura_monitor.perf.sessionid\",\"hid_bravura_monitor.perf.sysid\",\"hid_bravura_monitor.perf.sysid\",\"hid_bravura_monitor.perf.table\",\"hid_bravura_monitor.perf.table\",\"hid_bravura_monitor.perf.targetid\",\"hid_bravura_monitor.perf.targetid\",\"hid_bravura_monitor.perf.transid\",\"hid_bravura_monitor.perf.transid\",\"hid_bravura_monitor.perf.type\",\"hid_bravura_monitor.perf.user\",\"hid_bravura_monitor.request.id\",\"hid_bravura_monitor.request.id\",\"host.architecture\",\"host.containerized\",\"host.domain\",\"host.geo.city_name\",\"host.geo.continent_name\",\"host.geo.country_iso_code\",\"host.geo.country_name\",\"host.geo.location\",\"host.geo.name\",\"host.geo.region_iso_code\",\"host.geo.region_name\",\"host.hostname\",\"host.id\",\"host.ip\",\"host.mac\",\"host.name\",\"host.os.build\",\"host.os.codename\",\"host.os.family\",\"host.os.full\",\"host.os.full.text\",\"host.os.kernel\",\"host.os.name\",\"host.os.name.text\",\"host.os.platform\",\"host.os.version\",\"host.type\",\"host.uptime\",\"host.user.domain\",\"host.user.email\",\"host.user.full_name\",\"host.user.full_name.text\",\"host.user.group.domain\",\"host.user.group.id\",\"host.user.group.name\",\"host.user.hash\",\"host.user.id\",\"host.user.name\",\"host.user.name.text\",\"host.user.roles\",
\"http.request.body.bytes\",\"http.request.body.content\",\"http.request.body.content.text\",\"http.request.bytes\",\"http.request.method\",\"http.request.mime_type\",\"http.request.referrer\",\"http.response.body.bytes\",\"http.response.body.content\",\"http.response.body.content.text\",\"http.response.bytes\",\"http.response.mime_type\",\"http.response.status_code\",\"http.version\",\"icinga.debug.facility\",\"icinga.main.facility\",\"icinga.startup.facility\",\"icmp.code\",\"icmp.type\",\"igmp.type\",\"iis.access.cookie\",\"iis.access.server_name\",\"iis.access.site_name\",\"iis.access.sub_status\",\"iis.access.win32_status\",\"iis.error.queue_name\",\"iis.error.reason_phrase\",\"input.type\",\"interface.alias\",\"interface.id\",\"interface.name\",\"jolokia.agent.id\",\"jolokia.agent.version\",\"jolokia.secured\",\"jolokia.server.product\",\"jolokia.server.vendor\",\"jolokia.server.version\",\"jolokia.url\",\"kafka.block_timestamp\",\"kafka.key\",\"kafka.log.class\",\"kafka.log.component\",\"kafka.log.thread\",\"kafka.log.trace.class\",\"kafka.log.trace.message\",\"kafka.offset\",\"kafka.partition\",\"kafka.topic\",\"kibana.add_to_spaces\",\"kibana.authentication_provider\",\"kibana.authentication_realm\",\"kibana.authentication_type\",\"kibana.delete_from_spaces\",\"kibana.log.state\",\"kibana.log.tags\",\"kibana.lookup_realm\",\"kibana.saved_object.id\",\"kibana.saved_object.type\",\"kibana.session_id\",\"kibana.space_id\",\"kubernetes.container.image\",\"kubernetes.container.name\",\"kubernetes.deployment.name\",\"kubernetes.namespace\",\"kubernetes.node.hostname\",\"kubernetes.node.name\",\"kubernetes.pod.name\",\"kubernetes.pod.uid\",\"kubernetes.replicaset.name\",\"kubernetes.statefulset.name\",\"log.file.path\",\"log.flags\",\"log.level\",\"log.logger\",\"log.offset\",\"log.origin.file.line\",\"log.origin.file.name\",\"log.origin.function\",\"log.original\",\"log.source.address\",\"log.syslog.facility.code\",\"log.syslog.facility.name\",\"log.syslog.priori
ty\",\"log.syslog.severity.code\",\"log.syslog.severity.name\",\"logstash.log.integration\",\"logstash.log.pipeline_id\",\"logstash.log.thread\",\"logstash.log.thread.text\",\"logstash.slowlog.event\",\"logstash.slowlog.event.text\",\"logstash.slowlog.integration\",\"logstash.slowlog.plugin_name\",\"logstash.slowlog.plugin_params\",\"logstash.slowlog.plugin_params.text\",\"logstash.slowlog.plugin_type\",\"logstash.slowlog.thread\",\"logstash.slowlog.thread.text\",\"logstash.slowlog.took_in_millis\",\"message\",\"mongodb.log.component\",\"mongodb.log.context\",\"mysql.slowlog.bytes_received\",\"mysql.slowlog.bytes_sent\",\"mysql.slowlog.current_user\",\"mysql.slowlog.filesort\",\"mysql.slowlog.filesort_on_disk\",\"mysql.slowlog.full_join\",\"mysql.slowlog.full_scan\",\"mysql.slowlog.innodb.io_r_bytes\",\"mysql.slowlog.innodb.io_r_ops\",\"mysql.slowlog.innodb.io_r_wait.sec\",\"mysql.slowlog.innodb.pages_distinct\",\"mysql.slowlog.innodb.queue_wait.sec\",\"mysql.slowlog.innodb.rec_lock_wait.sec\",\"mysql.slowlog.innodb.trx_id\",\"mysql.slowlog.killed\",\"mysql.slowlog.last_errno\",\"mysql.slowlog.lock_time.sec\",\"mysql.slowlog.log_slow_rate_limit\",\"mysql.slowlog.log_slow_rate_type\",\"mysql.slowlog.merge_passes\",\"mysql.slowlog.priority_queue\",\"mysql.slowlog.query\",\"mysql.slowlog.query_cache_hit\",\"mysql.slowlog.read_first\",\"mysql.slowlog.read_key\",\"mysql.slowlog.read_last\",\"mysql.slowlog.read_next\",\"mysql.slowlog.read_prev\",\"mysql.slowlog.read_rnd\",\"mysql.slowlog.read_rnd_next\",\"mysql.slowlog.rows_affected\",\"mysql.slowlog.rows_examined\",\"mysql.slowlog.rows_sent\",\"mysql.slowlog.schema\",\"mysql.slowlog.sort_merge_passes\",\"mysql.slowlog.sort_range_count\",\"mysql.slowlog.sort_rows\",\"mysql.slowlog.sort_scan_count\",\"mysql.slowlog.tmp_disk_tables\",\"mysql.slowlog.tmp_table\",\"mysql.slowlog.tmp_table_on_disk\",\"mysql.slowlog.tmp_table_sizes\",\"mysql.slowlog.tmp_tables\",\"mysql.thread_id\",\"nats.log.client.id\",\"nats.log.msg.bytes\",
\"nats.log.msg.error.message\",\"nats.log.msg.max_messages\",\"nats.log.msg.queue_group\",\"nats.log.msg.reply_to\",\"nats.log.msg.sid\",\"nats.log.msg.subject\",\"nats.log.msg.type\",\"network.application\",\"network.bytes\",\"network.community_id\",\"network.direction\",\"network.forwarded_ip\",\"network.iana_number\",\"network.inner.vlan.id\",\"network.inner.vlan.name\",\"network.name\",\"network.packets\",\"network.protocol\",\"network.transport\",\"network.type\",\"network.vlan.id\",\"network.vlan.name\",\"nginx.error.connection_id\",\"nginx.ingress_controller.http.request.id\",\"nginx.ingress_controller.http.request.length\",\"nginx.ingress_controller.http.request.time\",\"nginx.ingress_controller.upstream.alternative_name\",\"nginx.ingress_controller.upstream.ip\",\"nginx.ingress_controller.upstream.name\",\"nginx.ingress_controller.upstream.port\",\"nginx.ingress_controller.upstream.response.length\",\"nginx.ingress_controller.upstream.response.length_list\",\"nginx.ingress_controller.upstream.response.status_code\",\"nginx.ingress_controller.upstream.response.status_code_list\",\"nginx.ingress_controller.upstream.response.time\",\"nginx.ingress_controller.upstream.response.time_list\",\"nginx.ingress_controller.upstream_address_list\",\"observer.egress.interface.alias\",\"observer.egress.interface.id\",\"observer.egress.interface.name\",\"observer.egress.vlan.id\",\"observer.egress.vlan.name\",\"observer.egress.zone\",\"observer.geo.city_name\",\"observer.geo.continent_name\",\"observer.geo.country_iso_code\",\"observer.geo.country_name\",\"observer.geo.location\",\"observer.geo.name\",\"observer.geo.region_iso_code\",\"observer.geo.region_name\",\"observer.hostname\",\"observer.ingress.interface.alias\",\"observer.ingress.interface.id\",\"observer.ingress.interface.name\",\"observer.ingress.vlan.id\",\"observer.ingress.vlan.name\",\"observer.ingress.zone\",\"observer.ip\",\"observer.mac\",\"observer.name\",\"observer.os.family\",\"observer.os.full\",\"obse
rver.os.full.text\",\"observer.os.kernel\",\"observer.os.name\",\"observer.os.name.text\",\"observer.os.platform\",\"observer.os.version\",\"observer.product\",\"observer.serial_number\",\"observer.type\",\"observer.vendor\",\"observer.version\",\"organization.id\",\"organization.name\",\"organization.name.text\",\"os.family\",\"os.full\",\"os.full.text\",\"os.kernel\",\"os.name\",\"os.name.text\",\"os.platform\",\"os.version\",\"osquery.result.action\",\"osquery.result.calendar_time\",\"osquery.result.host_identifier\",\"osquery.result.name\",\"osquery.result.unix_time\",\"package.architecture\",\"package.build_version\",\"package.checksum\",\"package.description\",\"package.install_scope\",\"package.installed\",\"package.license\",\"package.name\",\"package.path\",\"package.reference\",\"package.size\",\"package.type\",\"package.version\",\"pe.architecture\",\"pe.company\",\"pe.description\",\"pe.file_version\",\"pe.imphash\",\"pe.original_file_name\",\"pe.product\",\"postgresql.log.core_id\",\"postgresql.log.database\",\"postgresql.log.error.code\",\"postgresql.log.query\",\"postgresql.log.query_name\",\"postgresql.log.query_step\",\"postgresql.log.timestamp\",\"process.args\",\"process.args_count\",\"process.code_signature.exists\",\"process.code_signature.status\",\"process.code_signature.subject_name\",\"process.code_signature.trusted\",\"process.code_signature.valid\",\"process.command_line\",\"process.command_line.text\",\"process.entity_id\",\"process.executable\",\"process.executable.text\",\"process.exit_code\",\"process.hash.md5\",\"process.hash.sha1\",\"process.hash.sha256\",\"process.hash.sha512\",\"process.name\",\"process.name.text\",\"process.parent.args\",\"process.parent.args_count\",\"process.parent.code_signature.exists\",\"process.parent.code_signature.status\",\"process.parent.code_signature.subject_name\",\"process.parent.code_signature.trusted\",\"process.parent.code_signature.valid\",\"process.parent.command_line\",\"process.parent.command_
line.text\",\"process.parent.entity_id\",\"process.parent.executable\",\"process.parent.executable.text\",\"process.parent.exit_code\",\"process.parent.hash.md5\",\"process.parent.hash.sha1\",\"process.parent.hash.sha256\",\"process.parent.hash.sha512\",\"process.parent.name\",\"process.parent.name.text\",\"process.parent.pe.architecture\",\"process.parent.pe.company\",\"process.parent.pe.description\",\"process.parent.pe.file_version\",\"process.parent.pe.imphash\",\"process.parent.pe.original_file_name\",\"process.parent.pe.product\",\"process.parent.pgid\",\"process.parent.pid\",\"process.parent.ppid\",\"process.parent.start\",\"process.parent.thread.id\",\"process.parent.thread.name\",\"process.parent.title\",\"process.parent.title.text\",\"process.parent.uptime\",\"process.parent.working_directory\",\"process.parent.working_directory.text\",\"process.pe.architecture\",\"process.pe.company\",\"process.pe.description\",\"process.pe.file_version\",\"process.pe.imphash\",\"process.pe.original_file_name\",\"process.pe.product\",\"process.pgid\",\"process.pid\",\"process.ppid\",\"process.program\",\"process.start\",\"process.thread.id\",\"process.thread.name\",\"process.title\",\"process.title.text\",\"process.uptime\",\"process.working_directory\",\"process.working_directory.text\",\"redis.log.role\",\"redis.slowlog.args\",\"redis.slowlog.cmd\",\"redis.slowlog.duration.us\",\"redis.slowlog.id\",\"redis.slowlog.key\",\"registry.data.bytes\",\"registry.data.strings\",\"registry.data.type\",\"registry.hive\",\"registry.key\",\"registry.path\",\"registry.value\",\"related.hash\",\"related.hosts\",\"related.ip\",\"related.user\",\"rule.author\",\"rule.category\",\"rule.description\",\"rule.id\",\"rule.license\",\"rule.name\",\"rule.reference\",\"rule.ruleset\",\"rule.uuid\",\"rule.version\",\"santa.action\",\"santa.certificate.common_name\",\"santa.certificate.sha256\",\"santa.decision\",\"santa.disk.bsdname\",\"santa.disk.bus\",\"santa.disk.fs\",\"santa.disk.model\",\"s
anta.disk.mount\",\"santa.disk.serial\",\"santa.disk.volume\",\"santa.mode\",\"santa.reason\",\"server.address\",\"server.as.number\",\"server.as.organization.name\",\"server.as.organization.name.text\",\"server.bytes\",\"server.domain\",\"server.geo.city_name\",\"server.geo.continent_name\",\"server.geo.country_iso_code\",\"server.geo.country_name\",\"server.geo.location\",\"server.geo.name\",\"server.geo.region_iso_code\",\"server.geo.region_name\",\"server.ip\",\"server.mac\",\"server.nat.ip\",\"server.nat.port\",\"server.packets\",\"server.port\",\"server.registered_domain\",\"server.subdomain\",\"server.top_level_domain\",\"server.user.domain\",\"server.user.email\",\"server.user.full_name\",\"server.user.full_name.text\",\"server.user.group.domain\",\"server.user.group.id\",\"server.user.group.name\",\"server.user.hash\",\"server.user.id\",\"server.user.name\",\"server.user.name.text\",\"server.user.roles\",\"service.ephemeral_id\",\"service.id\",\"service.name\",\"service.node.name\",\"service.state\",\"service.type\",\"service.version\",\"source.address\",\"source.as.number\",\"source.as.organization.name\",\"source.as.organization.name.text\",\"source.bytes\",\"source.domain\",\"source.geo.city_name\",\"source.geo.continent_name\",\"source.geo.country_iso_code\",\"source.geo.country_name\",\"source.geo.location\",\"source.geo.name\",\"source.geo.region_iso_code\",\"source.geo.region_name\",\"source.ip\",\"source.mac\",\"source.nat.ip\",\"source.nat.port\",\"source.packets\",\"source.port\",\"source.registered_domain\",\"source.subdomain\",\"source.top_level_domain\",\"source.user.domain\",\"source.user.email\",\"source.user.full_name\",\"source.user.full_name.text\",\"source.user.group.domain\",\"source.user.group.id\",\"source.user.group.name\",\"source.user.hash\",\"source.user.id\",\"source.user.name\",\"source.user.name.text\",\"source.user.roles\",\"span.id\",\"stream\",\"syslog.facility\",\"syslog.facility_label\",\"syslog.priority\",\"syslog.severity
_label\",\"system.auth.ssh.dropped_ip\",\"system.auth.ssh.event\",\"system.auth.ssh.method\",\"system.auth.ssh.signature\",\"system.auth.sudo.command\",\"system.auth.sudo.error\",\"system.auth.sudo.pwd\",\"system.auth.sudo.tty\",\"system.auth.sudo.user\",\"system.auth.useradd.home\",\"system.auth.useradd.shell\",\"tags\",\"threat.framework\",\"threat.tactic.id\",\"threat.tactic.name\",\"threat.tactic.reference\",\"threat.technique.id\",\"threat.technique.name\",\"threat.technique.name.text\",\"threat.technique.reference\",\"threat.technique.subtechnique.id\",\"threat.technique.subtechnique.name\",\"threat.technique.subtechnique.name.text\",\"threat.technique.subtechnique.reference\",\"timeseries.instance\",\"tls.cipher\",\"tls.client.certificate\",\"tls.client.certificate_chain\",\"tls.client.hash.md5\",\"tls.client.hash.sha1\",\"tls.client.hash.sha256\",\"tls.client.issuer\",\"tls.client.ja3\",\"tls.client.not_after\",\"tls.client.not_before\",\"tls.client.server_name\",\"tls.client.subject\",\"tls.client.supported_ciphers\",\"tls.client.x509.alternative_names\",\"tls.client.x509.issuer.common_name\",\"tls.client.x509.issuer.country\",\"tls.client.x509.issuer.distinguished_name\",\"tls.client.x509.issuer.locality\",\"tls.client.x509.issuer.organization\",\"tls.client.x509.issuer.organizational_unit\",\"tls.client.x509.issuer.state_or_province\",\"tls.client.x509.not_after\",\"tls.client.x509.not_before\",\"tls.client.x509.public_key_algorithm\",\"tls.client.x509.public_key_curve\",\"tls.client.x509.public_key_exponent\",\"tls.client.x509.public_key_size\",\"tls.client.x509.serial_number\",\"tls.client.x509.signature_algorithm\",\"tls.client.x509.subject.common_name\",\"tls.client.x509.subject.country\",\"tls.client.x509.subject.distinguished_name\",\"tls.client.x509.subject.locality\",\"tls.client.x509.subject.organization\",\"tls.client.x509.subject.organizational_unit\",\"tls.client.x509.subject.state_or_province\",\"tls.client.x509.version_number\",\"tls.curve\"
,\"tls.established\",\"tls.next_protocol\",\"tls.resumed\",\"tls.server.certificate\",\"tls.server.certificate_chain\",\"tls.server.hash.md5\",\"tls.server.hash.sha1\",\"tls.server.hash.sha256\",\"tls.server.issuer\",\"tls.server.ja3s\",\"tls.server.not_after\",\"tls.server.not_before\",\"tls.server.subject\",\"tls.server.x509.alternative_names\",\"tls.server.x509.issuer.common_name\",\"tls.server.x509.issuer.country\",\"tls.server.x509.issuer.distinguished_name\",\"tls.server.x509.issuer.locality\",\"tls.server.x509.issuer.organization\",\"tls.server.x509.issuer.organizational_unit\",\"tls.server.x509.issuer.state_or_province\",\"tls.server.x509.not_after\",\"tls.server.x509.not_before\",\"tls.server.x509.public_key_algorithm\",\"tls.server.x509.public_key_curve\",\"tls.server.x509.public_key_exponent\",\"tls.server.x509.public_key_size\",\"tls.server.x509.serial_number\",\"tls.server.x509.signature_algorithm\",\"tls.server.x509.subject.common_name\",\"tls.server.x509.subject.country\",\"tls.server.x509.subject.distinguished_name\",\"tls.server.x509.subject.locality\",\"tls.server.x509.subject.organization\",\"tls.server.x509.subject.organizational_unit\",\"tls.server.x509.subject.state_or_province\",\"tls.server.x509.version_number\",\"tls.version\",\"tls.version_protocol\",\"trace.id\",\"traefik.access.backend_url\",\"traefik.access.frontend_name\",\"traefik.access.geoip.city_name\",\"traefik.access.geoip.continent_name\",\"traefik.access.geoip.country_iso_code\",\"traefik.access.geoip.location\",\"traefik.access.geoip.region_iso_code\",\"traefik.access.geoip.region_name\",\"traefik.access.request_count\",\"traefik.access.user_agent.device\",\"traefik.access.user_agent.name\",\"traefik.access.user_agent.original\",\"traefik.access.user_agent.os\",\"traefik.access.user_agent.os_name\",\"traefik.access.user_identifier\",\"transaction.id\",\"url.domain\",\"url.extension\",\"url.fragment\",\"url.full\",\"url.full.text\",\"url.original\",\"url.original.text\",\"url.pa
ssword\",\"url.path\",\"url.port\",\"url.query\",\"url.registered_domain\",\"url.scheme\",\"url.subdomain\",\"url.top_level_domain\",\"url.username\",\"user.audit.group.id\",\"user.audit.group.name\",\"user.audit.id\",\"user.audit.name\",\"user.domain\",\"user.effective.group.id\",\"user.effective.group.name\",\"user.effective.id\",\"user.effective.name\",\"user.email\",\"user.filesystem.group.id\",\"user.filesystem.group.name\",\"user.filesystem.id\",\"user.filesystem.name\",\"user.full_name\",\"user.full_name.text\",\"user.group.domain\",\"user.group.id\",\"user.group.name\",\"user.hash\",\"user.id\",\"user.name\",\"user.name.text\",\"user.owner.group.id\",\"user.owner.group.name\",\"user.owner.id\",\"user.owner.name\",\"user.roles\",\"user.saved.group.id\",\"user.saved.group.name\",\"user.saved.id\",\"user.saved.name\",\"user.terminal\",\"user_agent.device.name\",\"user_agent.name\",\"user_agent.original\",\"user_agent.original.text\",\"user_agent.os.family\",\"user_agent.os.full\",\"user_agent.os.full.text\",\"user_agent.os.full_name\",\"user_agent.os.kernel\",\"user_agent.os.name\",\"user_agent.os.name.text\",\"user_agent.os.platform\",\"user_agent.os.version\",\"user_agent.version\",\"vlan.id\",\"vlan.name\",\"vulnerability.category\",\"vulnerability.classification\",\"vulnerability.description\",\"vulnerability.description.text\",\"vulnerability.enumeration\",\"vulnerability.id\",\"vulnerability.reference\",\"vulnerability.report_id\",\"vulnerability.scanner.vendor\",\"vulnerability.score.base\",\"vulnerability.score.environmental\",\"vulnerability.score.temporal\",\"vulnerability.score.version\",\"vulnerability.severity\",\"x509.alternative_names\",\"x509.issuer.common_name\",\"x509.issuer.country\",\"x509.issuer.distinguished_name\",\"x509.issuer.locality\",\"x509.issuer.organization\",\"x509.issuer.organizational_unit\",\"x509.issuer.state_or_province\",\"x509.not_after\",\"x509.not_before\",\"x509.public_key_algorithm\",\"x509.public_key_curve\",\"x509.pu
blic_key_exponent\",\"x509.public_key_size\",\"x509.serial_number\",\"x509.signature_algorithm\",\"x509.subject.common_name\",\"x509.subject.country\",\"x509.subject.distinguished_name\",\"x509.subject.locality\",\"x509.subject.organization\",\"x509.subject.organizational_unit\",\"x509.subject.state_or_province\",\"x509.version_number\"],\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"hid_bravura_monitor.perf.kind\",\"negate\":false,\"params\":{\"query\":\"PerfConnector\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"hid_bravura_monitor.perf.kind\":\"PerfConnector\"}}}],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "Connector Return Code", - "version": 1 - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-55100560-1add-11eb-abcf-effcd51852fa", - "migrationVersion": { - "search": "7.9.3" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/hid_bravura_monitor/1.2.3/kibana/search/hid_bravura_monitor-77cbe8b0-de89-11eb-a272-2d62b237e243.json b/packages/hid_bravura_monitor/1.2.3/kibana/search/hid_bravura_monitor-77cbe8b0-de89-11eb-a272-2d62b237e243.json deleted file mode 100755 index c617f5e303..0000000000 --- a/packages/hid_bravura_monitor/1.2.3/kibana/search/hid_bravura_monitor-77cbe8b0-de89-11eb-a272-2d62b237e243.json +++ /dev/null 
@@ -1,44 +0,0 @@
-{
- "attributes": {
- "columns": [],
- "description": "",
- "hits": 0,
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"hid_bravura_monitor.perf.transid\",\"negate\":true,\"params\":{\"query\":\"\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"hid_bravura_monitor.perf.transid\":\"\"}}},{\"$state\":{\"store\":\"appState\"},\"exists\":{\"field\":\"hid_bravura_monitor.perf.transid\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"hid_bravura_monitor.perf.transid\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}"
- },
- "sort": [
- [
- "@timestamp",
- "desc"
- ]
- ],
- "title": "Users: Pages: Search",
- "version": 1
- },
- "coreMigrationVersion": "7.15.0",
- "id": "hid_bravura_monitor-77cbe8b0-de89-11eb-a272-2d62b237e243",
- "migrationVersion": {
- "search": "7.9.3"
- },
- "namespaces": [
- "default"
- ],
- "references": [
- {
- "id": "logs-*",
- "name": "kibanaSavedObjectMeta.searchSourceJSON.index",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index",
- "type": "index-pattern"
- }
- ],
- "type": "search"
-}
\ No newline at end of file
diff --git a/packages/hid_bravura_monitor/1.2.3/kibana/search/hid_bravura_monitor-83eacd90-1473-11eb-bb7b-bb041e8cf289.json b/packages/hid_bravura_monitor/1.2.3/kibana/search/hid_bravura_monitor-83eacd90-1473-11eb-bb7b-bb041e8cf289.json
deleted file mode 100755
index b8bd09d7f6..0000000000
--- a/packages/hid_bravura_monitor/1.2.3/kibana/search/hid_bravura_monitor-83eacd90-1473-11eb-bb7b-bb041e8cf289.json
+++ /dev/null
@@ -1,44 +0,0 @@ -{ - "attributes": { - "columns": [ - "host.name", - "hid_bravura_monitor.perf.duration", - "hid_bravura_monitor.perf.caller", - "log.logger" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"fieldsFromSource\":[\"@timestamp\",\"_id\",\"_index\",\"_score\",\"_source\",\"_type\",\"agent.build.original\",\"agent.ephemeral_id\",\"agent.hostname\",\"agent.id\",\"agent.name\",\"agent.type\",\"agent.version\",\"apache.access.ssl.cipher\",\"apache.access.ssl.protocol\",\"apache.error.integration\",\"as.number\",\"as.organization.name\",\"as.organization.name.text\",\"auditd.log.a0\",\"auditd.log.addr\",\"auditd.log.item\",\"auditd.log.items\",\"auditd.log.laddr\",\"auditd.log.lport\",\"auditd.log.new_auid\",\"auditd.log.new_ses\",\"auditd.log.old_auid\",\"auditd.log.old_ses\",\"auditd.log.rport\",\"auditd.log.sequence\",\"auditd.log.tty\",\"azure.consumer_group\",\"azure.enqueued_time\",\"azure.eventhub\",\"azure.offset\",\"azure.partition_id\",\"azure.sequence_number\",\"client.address\",\"client.as.number\",\"client.as.organization.name\",\"client.as.organization.name.text\",\"client.bytes\",\"client.domain\",\"client.geo.city_name\",\"client.geo.continent_name\",\"client.geo.country_iso_code\",\"client.geo.country_name\",\"client.geo.location\",\"client.geo.name\",\"client.geo.region_iso_code\",\"client.geo.region_name\",\"client.ip\",\"client.mac\",\"client.nat.ip\",\"client.nat.port\",\"client.packets\",\"client.port\",\"client.registered_domain\",\"client.subdomain\",\"client.top_level_domain\",\"client.user.domain\",\"client.user.email\",\"client.user.full_name\",\"client.user.full_name.text\",\"client.user.group.domain\",\"client.user.group.id\",\"client.user.group.name\",\"client.user.hash\",\"client.user.id\",\"client.user.name\",\"client.user.name.text\",\"client.user.roles\",\"cloud.account.id\",\"cloud.account.name\",\"cloud.availability_zone\",\"cloud.image.id\",\"cloud.instance.id\",\"cloud.instanc
e.name\",\"cloud.machine.type\",\"cloud.project.id\",\"cloud.project.name\",\"cloud.provider\",\"cloud.region\",\"code_signature.exists\",\"code_signature.status\",\"code_signature.subject_name\",\"code_signature.trusted\",\"code_signature.valid\",\"container.id\",\"container.image.name\",\"container.image.tag\",\"container.name\",\"container.runtime\",\"destination.address\",\"destination.as.number\",\"destination.as.organization.name\",\"destination.as.organization.name.text\",\"destination.bytes\",\"destination.domain\",\"destination.geo.city_name\",\"destination.geo.continent_name\",\"destination.geo.country_iso_code\",\"destination.geo.country_name\",\"destination.geo.location\",\"destination.geo.name\",\"destination.geo.region_iso_code\",\"destination.geo.region_name\",\"destination.ip\",\"destination.mac\",\"destination.nat.ip\",\"destination.nat.port\",\"destination.packets\",\"destination.port\",\"destination.registered_domain\",\"destination.subdomain\",\"destination.top_level_domain\",\"destination.user.domain\",\"destination.user.email\",\"destination.user.full_name\",\"destination.user.full_name.text\",\"destination.user.group.domain\",\"destination.user.group.id\",\"destination.user.group.name\",\"destination.user.hash\",\"destination.user.id\",\"destination.user.name\",\"destination.user.name.text\",\"destination.user.roles\",\"dll.code_signature.exists\",\"dll.code_signature.status\",\"dll.code_signature.subject_name\",\"dll.code_signature.trusted\",\"dll.code_signature.valid\",\"dll.hash.md5\",\"dll.hash.sha1\",\"dll.hash.sha256\",\"dll.hash.sha512\",\"dll.name\",\"dll.path\",\"dll.pe.architecture\",\"dll.pe.company\",\"dll.pe.description\",\"dll.pe.file_version\",\"dll.pe.imphash\",\"dll.pe.original_file_name\",\"dll.pe.product\",\"dns.answers.class\",\"dns.answers.data\",\"dns.answers.name\",\"dns.answers.ttl\",\"dns.answers.type\",\"dns.header_flags\",\"dns.id\",\"dns.op_code\",\"dns.question.class\",\"dns.question.name\",\"dns.question.registere
d_domain\",\"dns.question.subdomain\",\"dns.question.top_level_domain\",\"dns.question.type\",\"dns.resolved_ip\",\"dns.response_code\",\"dns.type\",\"ecs.version\",\"elasticsearch.audit.action\",\"elasticsearch.audit.event_type\",\"elasticsearch.audit.indices\",\"elasticsearch.audit.layer\",\"elasticsearch.audit.message\",\"elasticsearch.audit.origin.type\",\"elasticsearch.audit.realm\",\"elasticsearch.audit.request.id\",\"elasticsearch.audit.request.name\",\"elasticsearch.audit.url.params\",\"elasticsearch.audit.user.realm\",\"elasticsearch.audit.user.roles\",\"elasticsearch.cluster.name\",\"elasticsearch.cluster.uuid\",\"elasticsearch.component\",\"elasticsearch.gc.heap.size_kb\",\"elasticsearch.gc.heap.used_kb\",\"elasticsearch.gc.jvm_runtime_sec\",\"elasticsearch.gc.old_gen.size_kb\",\"elasticsearch.gc.old_gen.used_kb\",\"elasticsearch.gc.phase.class_unload_time_sec\",\"elasticsearch.gc.phase.cpu_time.real_sec\",\"elasticsearch.gc.phase.cpu_time.sys_sec\",\"elasticsearch.gc.phase.cpu_time.user_sec\",\"elasticsearch.gc.phase.duration_sec\",\"elasticsearch.gc.phase.name\",\"elasticsearch.gc.phase.parallel_rescan_time_sec\",\"elasticsearch.gc.phase.scrub_string_table_time_sec\",\"elasticsearch.gc.phase.scrub_symbol_table_time_sec\",\"elasticsearch.gc.phase.weak_refs_processing_time_sec\",\"elasticsearch.gc.stopping_threads_time_sec\",\"elasticsearch.gc.tags\",\"elasticsearch.gc.threads_total_stop_time_sec\",\"elasticsearch.gc.young_gen.size_kb\",\"elasticsearch.gc.young_gen.used_kb\",\"elasticsearch.index.id\",\"elasticsearch.index.name\",\"elasticsearch.node.id\",\"elasticsearch.node.name\",\"elasticsearch.server.gc.collection_duration.ms\",\"elasticsearch.server.gc.observation_duration.ms\",\"elasticsearch.server.gc.overhead_seq\",\"elasticsearch.server.gc.young.one\",\"elasticsearch.server.gc.young.two\",\"elasticsearch.server.stacktrace\",\"elasticsearch.shard.id\",\"elasticsearch.slowlog.extra_source\",\"elasticsearch.slowlog.id\",\"elasticsearch.slowlog.logg
er\",\"elasticsearch.slowlog.routing\",\"elasticsearch.slowlog.search_type\",\"elasticsearch.slowlog.source\",\"elasticsearch.slowlog.source_query\",\"elasticsearch.slowlog.stats\",\"elasticsearch.slowlog.took\",\"elasticsearch.slowlog.total_hits\",\"elasticsearch.slowlog.total_shards\",\"elasticsearch.slowlog.type\",\"elasticsearch.slowlog.types\",\"error.code\",\"error.id\",\"error.message\",\"error.stack_trace\",\"error.stack_trace.text\",\"error.type\",\"event.action\",\"event.category\",\"event.code\",\"event.created\",\"data_stream.dataset\",\"event.duration\",\"event.end\",\"event.hash\",\"event.id\",\"event.ingested\",\"event.kind\",\"event.integration\",\"event.original\",\"event.outcome\",\"event.provider\",\"event.reason\",\"event.reference\",\"event.risk_score\",\"event.risk_score_norm\",\"event.sequence\",\"event.severity\",\"event.start\",\"event.timezone\",\"event.type\",\"event.url\",\"file.accessed\",\"file.attributes\",\"file.code_signature.exists\",\"file.code_signature.status\",\"file.code_signature.subject_name\",\"file.code_signature.trusted\",\"file.code_signature.valid\",\"file.created\",\"file.ctime\",\"file.device\",\"file.directory\",\"file.drive_letter\",\"file.extension\",\"file.gid\",\"file.group\",\"file.hash.md5\",\"file.hash.sha1\",\"file.hash.sha256\",\"file.hash.sha512\",\"file.inode\",\"file.mime_type\",\"file.mode\",\"file.mtime\",\"file.name\",\"file.owner\",\"file.path\",\"file.path.text\",\"file.pe.architecture\",\"file.pe.company\",\"file.pe.description\",\"file.pe.file_version\",\"file.pe.imphash\",\"file.pe.original_file_name\",\"file.pe.product\",\"file.size\",\"file.target_path\",\"file.target_path.text\",\"file.type\",\"file.uid\",\"file.x509.alternative_names\",\"file.x509.issuer.common_name\",\"file.x509.issuer.country\",\"file.x509.issuer.distinguished_name\",\"file.x509.issuer.locality\",\"file.x509.issuer.organization\",\"file.x509.issuer.organizational_unit\",\"file.x509.issuer.state_or_province\",\"file.x509.not_a
fter\",\"file.x509.not_before\",\"file.x509.public_key_algorithm\",\"file.x509.public_key_curve\",\"file.x509.public_key_exponent\",\"file.x509.public_key_size\",\"file.x509.serial_number\",\"file.x509.signature_algorithm\",\"file.x509.subject.common_name\",\"file.x509.subject.country\",\"file.x509.subject.distinguished_name\",\"file.x509.subject.locality\",\"file.x509.subject.organization\",\"file.x509.subject.organizational_unit\",\"file.x509.subject.state_or_province\",\"file.x509.version_number\",\"fileset.name\",\"geo.city_name\",\"geo.continent_name\",\"geo.country_iso_code\",\"geo.country_name\",\"geo.location\",\"geo.name\",\"geo.region_iso_code\",\"geo.region_name\",\"group.domain\",\"group.id\",\"group.name\",\"haproxy.backend_name\",\"haproxy.backend_queue\",\"haproxy.bind_name\",\"haproxy.bytes_read\",\"haproxy.connection_wait_time_ms\",\"haproxy.connections.active\",\"haproxy.connections.backend\",\"haproxy.connections.frontend\",\"haproxy.connections.retries\",\"haproxy.connections.server\",\"haproxy.error_message\",\"haproxy.frontend_name\",\"haproxy.http.request.captured_cookie\",\"haproxy.http.request.captured_headers\",\"haproxy.http.request.raw_request_line\",\"haproxy.http.request.time_wait_ms\",\"haproxy.http.request.time_wait_without_data_ms\",\"haproxy.http.response.captured_cookie\",\"haproxy.http.response.captured_headers\",\"haproxy.mode\",\"haproxy.server_name\",\"haproxy.server_queue\",\"haproxy.source\",\"haproxy.tcp.connection_waiting_time_ms\",\"haproxy.termination_state\",\"haproxy.time_backend_connect\",\"haproxy.time_queue\",\"haproxy.total_waiting_time_ms\",\"hash.md5\",\"hash.sha1\",\"hash.sha256\",\"hash.sha512\",\"hid_bravura_monitor.instancename\",\"hid_bravura_monitor.node\",\"hid_bravura_monitor.perf.address\",\"hid_bravura_monitor.perf.address\",\"hid_bravura_monitor.perf.adminid\",\"hid_bravura_monitor.perf.adminid\",\"hid_bravura_monitor.perf.dbcommand\",\"hid_bravura_monitor.perf.dbcommand\",\"hid_bravura_monitor.perf.des
tination\",\"hid_bravura_monitor.perf.duration\",\"hid_bravura_monitor.perf.event\",\"hid_bravura_monitor.perf.event\",\"hid_bravura_monitor.perf.exe\",\"hid_bravura_monitor.perf.exe\",\"hid_bravura_monitor.perf.file\",\"hid_bravura_monitor.perf.function\",\"hid_bravura_monitor.perf.function\",\"hid_bravura_monitor.perf.kernel\",\"hid_bravura_monitor.perf.kind\",\"hid_bravura_monitor.perf.kind\",\"hid_bravura_monitor.perf.message\",\"hid_bravura_monitor.perf.message\",\"hid_bravura_monitor.perf.operation\",\"hid_bravura_monitor.perf.operation\",\"hid_bravura_monitor.perf.receivequeue\",\"hid_bravura_monitor.perf.receivequeue\",\"hid_bravura_monitor.perf.records\",\"hid_bravura_monitor.perf.result\",\"hid_bravura_monitor.perf.result\",\"hid_bravura_monitor.perf.rule\",\"hid_bravura_monitor.perf.sessionid\",\"hid_bravura_monitor.perf.sessionid\",\"hid_bravura_monitor.perf.sysid\",\"hid_bravura_monitor.perf.sysid\",\"hid_bravura_monitor.perf.table\",\"hid_bravura_monitor.perf.table\",\"hid_bravura_monitor.perf.targetid\",\"hid_bravura_monitor.perf.targetid\",\"hid_bravura_monitor.perf.transid\",\"hid_bravura_monitor.perf.transid\",\"hid_bravura_monitor.perf.type\",\"hid_bravura_monitor.perf.user\",\"hid_bravura_monitor.request.id\",\"hid_bravura_monitor.request.id\",\"host.architecture\",\"host.containerized\",\"host.domain\",\"host.geo.city_name\",\"host.geo.continent_name\",\"host.geo.country_iso_code\",\"host.geo.country_name\",\"host.geo.location\",\"host.geo.name\",\"host.geo.region_iso_code\",\"host.geo.region_name\",\"host.hostname\",\"host.id\",\"host.ip\",\"host.mac\",\"host.name\",\"host.os.build\",\"host.os.codename\",\"host.os.family\",\"host.os.full\",\"host.os.full.text\",\"host.os.kernel\",\"host.os.name\",\"host.os.name.text\",\"host.os.platform\",\"host.os.version\",\"host.type\",\"host.uptime\",\"host.user.domain\",\"host.user.email\",\"host.user.full_name\",\"host.user.full_name.text\",\"host.user.group.domain\",\"host.user.group.id\",\"host.user.gro
up.name\",\"host.user.hash\",\"host.user.id\",\"host.user.name\",\"host.user.name.text\",\"host.user.roles\",\"http.request.body.bytes\",\"http.request.body.content\",\"http.request.body.content.text\",\"http.request.bytes\",\"http.request.method\",\"http.request.mime_type\",\"http.request.referrer\",\"http.response.body.bytes\",\"http.response.body.content\",\"http.response.body.content.text\",\"http.response.bytes\",\"http.response.mime_type\",\"http.response.status_code\",\"http.version\",\"icinga.debug.facility\",\"icinga.main.facility\",\"icinga.startup.facility\",\"icmp.code\",\"icmp.type\",\"igmp.type\",\"iis.access.cookie\",\"iis.access.server_name\",\"iis.access.site_name\",\"iis.access.sub_status\",\"iis.access.win32_status\",\"iis.error.queue_name\",\"iis.error.reason_phrase\",\"input.type\",\"interface.alias\",\"interface.id\",\"interface.name\",\"jolokia.agent.id\",\"jolokia.agent.version\",\"jolokia.secured\",\"jolokia.server.product\",\"jolokia.server.vendor\",\"jolokia.server.version\",\"jolokia.url\",\"kafka.block_timestamp\",\"kafka.key\",\"kafka.log.class\",\"kafka.log.component\",\"kafka.log.thread\",\"kafka.log.trace.class\",\"kafka.log.trace.message\",\"kafka.offset\",\"kafka.partition\",\"kafka.topic\",\"kibana.add_to_spaces\",\"kibana.authentication_provider\",\"kibana.authentication_realm\",\"kibana.authentication_type\",\"kibana.delete_from_spaces\",\"kibana.log.state\",\"kibana.log.tags\",\"kibana.lookup_realm\",\"kibana.saved_object.id\",\"kibana.saved_object.type\",\"kibana.session_id\",\"kibana.space_id\",\"kubernetes.container.image\",\"kubernetes.container.name\",\"kubernetes.deployment.name\",\"kubernetes.namespace\",\"kubernetes.node.hostname\",\"kubernetes.node.name\",\"kubernetes.pod.name\",\"kubernetes.pod.uid\",\"kubernetes.replicaset.name\",\"kubernetes.statefulset.name\",\"log.file.path\",\"log.flags\",\"log.level\",\"log.logger\",\"log.offset\",\"log.origin.file.line\",\"log.origin.file.name\",\"log.origin.function\",\"log.or
iginal\",\"log.source.address\",\"log.syslog.facility.code\",\"log.syslog.facility.name\",\"log.syslog.priority\",\"log.syslog.severity.code\",\"log.syslog.severity.name\",\"logstash.log.integration\",\"logstash.log.pipeline_id\",\"logstash.log.thread\",\"logstash.log.thread.text\",\"logstash.slowlog.event\",\"logstash.slowlog.event.text\",\"logstash.slowlog.integration\",\"logstash.slowlog.plugin_name\",\"logstash.slowlog.plugin_params\",\"logstash.slowlog.plugin_params.text\",\"logstash.slowlog.plugin_type\",\"logstash.slowlog.thread\",\"logstash.slowlog.thread.text\",\"logstash.slowlog.took_in_millis\",\"message\",\"mongodb.log.component\",\"mongodb.log.context\",\"mysql.slowlog.bytes_received\",\"mysql.slowlog.bytes_sent\",\"mysql.slowlog.current_user\",\"mysql.slowlog.filesort\",\"mysql.slowlog.filesort_on_disk\",\"mysql.slowlog.full_join\",\"mysql.slowlog.full_scan\",\"mysql.slowlog.innodb.io_r_bytes\",\"mysql.slowlog.innodb.io_r_ops\",\"mysql.slowlog.innodb.io_r_wait.sec\",\"mysql.slowlog.innodb.pages_distinct\",\"mysql.slowlog.innodb.queue_wait.sec\",\"mysql.slowlog.innodb.rec_lock_wait.sec\",\"mysql.slowlog.innodb.trx_id\",\"mysql.slowlog.killed\",\"mysql.slowlog.last_errno\",\"mysql.slowlog.lock_time.sec\",\"mysql.slowlog.log_slow_rate_limit\",\"mysql.slowlog.log_slow_rate_type\",\"mysql.slowlog.merge_passes\",\"mysql.slowlog.priority_queue\",\"mysql.slowlog.query\",\"mysql.slowlog.query_cache_hit\",\"mysql.slowlog.read_first\",\"mysql.slowlog.read_key\",\"mysql.slowlog.read_last\",\"mysql.slowlog.read_next\",\"mysql.slowlog.read_prev\",\"mysql.slowlog.read_rnd\",\"mysql.slowlog.read_rnd_next\",\"mysql.slowlog.rows_affected\",\"mysql.slowlog.rows_examined\",\"mysql.slowlog.rows_sent\",\"mysql.slowlog.schema\",\"mysql.slowlog.sort_merge_passes\",\"mysql.slowlog.sort_range_count\",\"mysql.slowlog.sort_rows\",\"mysql.slowlog.sort_scan_count\",\"mysql.slowlog.tmp_disk_tables\",\"mysql.slowlog.tmp_table\",\"mysql.slowlog.tmp_table_on_disk\",\"mysql.slowlog.tmp_
table_sizes\",\"mysql.slowlog.tmp_tables\",\"mysql.thread_id\",\"nats.log.client.id\",\"nats.log.msg.bytes\",\"nats.log.msg.error.message\",\"nats.log.msg.max_messages\",\"nats.log.msg.queue_group\",\"nats.log.msg.reply_to\",\"nats.log.msg.sid\",\"nats.log.msg.subject\",\"nats.log.msg.type\",\"network.application\",\"network.bytes\",\"network.community_id\",\"network.direction\",\"network.forwarded_ip\",\"network.iana_number\",\"network.inner.vlan.id\",\"network.inner.vlan.name\",\"network.name\",\"network.packets\",\"network.protocol\",\"network.transport\",\"network.type\",\"network.vlan.id\",\"network.vlan.name\",\"nginx.error.connection_id\",\"nginx.ingress_controller.http.request.id\",\"nginx.ingress_controller.http.request.length\",\"nginx.ingress_controller.http.request.time\",\"nginx.ingress_controller.upstream.alternative_name\",\"nginx.ingress_controller.upstream.ip\",\"nginx.ingress_controller.upstream.name\",\"nginx.ingress_controller.upstream.port\",\"nginx.ingress_controller.upstream.response.length\",\"nginx.ingress_controller.upstream.response.length_list\",\"nginx.ingress_controller.upstream.response.status_code\",\"nginx.ingress_controller.upstream.response.status_code_list\",\"nginx.ingress_controller.upstream.response.time\",\"nginx.ingress_controller.upstream.response.time_list\",\"nginx.ingress_controller.upstream_address_list\",\"observer.egress.interface.alias\",\"observer.egress.interface.id\",\"observer.egress.interface.name\",\"observer.egress.vlan.id\",\"observer.egress.vlan.name\",\"observer.egress.zone\",\"observer.geo.city_name\",\"observer.geo.continent_name\",\"observer.geo.country_iso_code\",\"observer.geo.country_name\",\"observer.geo.location\",\"observer.geo.name\",\"observer.geo.region_iso_code\",\"observer.geo.region_name\",\"observer.hostname\",\"observer.ingress.interface.alias\",\"observer.ingress.interface.id\",\"observer.ingress.interface.name\",\"observer.ingress.vlan.id\",\"observer.ingress.vlan.name\",\"observer.ingress
.zone\",\"observer.ip\",\"observer.mac\",\"observer.name\",\"observer.os.family\",\"observer.os.full\",\"observer.os.full.text\",\"observer.os.kernel\",\"observer.os.name\",\"observer.os.name.text\",\"observer.os.platform\",\"observer.os.version\",\"observer.product\",\"observer.serial_number\",\"observer.type\",\"observer.vendor\",\"observer.version\",\"organization.id\",\"organization.name\",\"organization.name.text\",\"os.family\",\"os.full\",\"os.full.text\",\"os.kernel\",\"os.name\",\"os.name.text\",\"os.platform\",\"os.version\",\"osquery.result.action\",\"osquery.result.calendar_time\",\"osquery.result.host_identifier\",\"osquery.result.name\",\"osquery.result.unix_time\",\"package.architecture\",\"package.build_version\",\"package.checksum\",\"package.description\",\"package.install_scope\",\"package.installed\",\"package.license\",\"package.name\",\"package.path\",\"package.reference\",\"package.size\",\"package.type\",\"package.version\",\"pe.architecture\",\"pe.company\",\"pe.description\",\"pe.file_version\",\"pe.imphash\",\"pe.original_file_name\",\"pe.product\",\"postgresql.log.core_id\",\"postgresql.log.database\",\"postgresql.log.error.code\",\"postgresql.log.query\",\"postgresql.log.query_name\",\"postgresql.log.query_step\",\"postgresql.log.timestamp\",\"process.args\",\"process.args_count\",\"process.code_signature.exists\",\"process.code_signature.status\",\"process.code_signature.subject_name\",\"process.code_signature.trusted\",\"process.code_signature.valid\",\"process.command_line\",\"process.command_line.text\",\"process.entity_id\",\"process.executable\",\"process.executable.text\",\"process.exit_code\",\"process.hash.md5\",\"process.hash.sha1\",\"process.hash.sha256\",\"process.hash.sha512\",\"process.name\",\"process.name.text\",\"process.parent.args\",\"process.parent.args_count\",\"process.parent.code_signature.exists\",\"process.parent.code_signature.status\",\"process.parent.code_signature.subject_name\",\"process.parent.code_signatur
e.trusted\",\"process.parent.code_signature.valid\",\"process.parent.command_line\",\"process.parent.command_line.text\",\"process.parent.entity_id\",\"process.parent.executable\",\"process.parent.executable.text\",\"process.parent.exit_code\",\"process.parent.hash.md5\",\"process.parent.hash.sha1\",\"process.parent.hash.sha256\",\"process.parent.hash.sha512\",\"process.parent.name\",\"process.parent.name.text\",\"process.parent.pe.architecture\",\"process.parent.pe.company\",\"process.parent.pe.description\",\"process.parent.pe.file_version\",\"process.parent.pe.imphash\",\"process.parent.pe.original_file_name\",\"process.parent.pe.product\",\"process.parent.pgid\",\"process.parent.pid\",\"process.parent.ppid\",\"process.parent.start\",\"process.parent.thread.id\",\"process.parent.thread.name\",\"process.parent.title\",\"process.parent.title.text\",\"process.parent.uptime\",\"process.parent.working_directory\",\"process.parent.working_directory.text\",\"process.pe.architecture\",\"process.pe.company\",\"process.pe.description\",\"process.pe.file_version\",\"process.pe.imphash\",\"process.pe.original_file_name\",\"process.pe.product\",\"process.pgid\",\"process.pid\",\"process.ppid\",\"process.program\",\"process.start\",\"process.thread.id\",\"process.thread.name\",\"process.title\",\"process.title.text\",\"process.uptime\",\"process.working_directory\",\"process.working_directory.text\",\"redis.log.role\",\"redis.slowlog.args\",\"redis.slowlog.cmd\",\"redis.slowlog.duration.us\",\"redis.slowlog.id\",\"redis.slowlog.key\",\"registry.data.bytes\",\"registry.data.strings\",\"registry.data.type\",\"registry.hive\",\"registry.key\",\"registry.path\",\"registry.value\",\"related.hash\",\"related.hosts\",\"related.ip\",\"related.user\",\"rule.author\",\"rule.category\",\"rule.description\",\"rule.id\",\"rule.license\",\"rule.name\",\"rule.reference\",\"rule.ruleset\",\"rule.uuid\",\"rule.version\",\"santa.action\",\"santa.certificate.common_name\",\"santa.certificate.sha
256\",\"santa.decision\",\"santa.disk.bsdname\",\"santa.disk.bus\",\"santa.disk.fs\",\"santa.disk.model\",\"santa.disk.mount\",\"santa.disk.serial\",\"santa.disk.volume\",\"santa.mode\",\"santa.reason\",\"server.address\",\"server.as.number\",\"server.as.organization.name\",\"server.as.organization.name.text\",\"server.bytes\",\"server.domain\",\"server.geo.city_name\",\"server.geo.continent_name\",\"server.geo.country_iso_code\",\"server.geo.country_name\",\"server.geo.location\",\"server.geo.name\",\"server.geo.region_iso_code\",\"server.geo.region_name\",\"server.ip\",\"server.mac\",\"server.nat.ip\",\"server.nat.port\",\"server.packets\",\"server.port\",\"server.registered_domain\",\"server.subdomain\",\"server.top_level_domain\",\"server.user.domain\",\"server.user.email\",\"server.user.full_name\",\"server.user.full_name.text\",\"server.user.group.domain\",\"server.user.group.id\",\"server.user.group.name\",\"server.user.hash\",\"server.user.id\",\"server.user.name\",\"server.user.name.text\",\"server.user.roles\",\"service.ephemeral_id\",\"service.id\",\"service.name\",\"service.node.name\",\"service.state\",\"service.type\",\"service.version\",\"source.address\",\"source.as.number\",\"source.as.organization.name\",\"source.as.organization.name.text\",\"source.bytes\",\"source.domain\",\"source.geo.city_name\",\"source.geo.continent_name\",\"source.geo.country_iso_code\",\"source.geo.country_name\",\"source.geo.location\",\"source.geo.name\",\"source.geo.region_iso_code\",\"source.geo.region_name\",\"source.ip\",\"source.mac\",\"source.nat.ip\",\"source.nat.port\",\"source.packets\",\"source.port\",\"source.registered_domain\",\"source.subdomain\",\"source.top_level_domain\",\"source.user.domain\",\"source.user.email\",\"source.user.full_name\",\"source.user.full_name.text\",\"source.user.group.domain\",\"source.user.group.id\",\"source.user.group.name\",\"source.user.hash\",\"source.user.id\",\"source.user.name\",\"source.user.name.text\",\"source.user.roles
\",\"span.id\",\"stream\",\"syslog.facility\",\"syslog.facility_label\",\"syslog.priority\",\"syslog.severity_label\",\"system.auth.ssh.dropped_ip\",\"system.auth.ssh.event\",\"system.auth.ssh.method\",\"system.auth.ssh.signature\",\"system.auth.sudo.command\",\"system.auth.sudo.error\",\"system.auth.sudo.pwd\",\"system.auth.sudo.tty\",\"system.auth.sudo.user\",\"system.auth.useradd.home\",\"system.auth.useradd.shell\",\"tags\",\"threat.framework\",\"threat.tactic.id\",\"threat.tactic.name\",\"threat.tactic.reference\",\"threat.technique.id\",\"threat.technique.name\",\"threat.technique.name.text\",\"threat.technique.reference\",\"threat.technique.subtechnique.id\",\"threat.technique.subtechnique.name\",\"threat.technique.subtechnique.name.text\",\"threat.technique.subtechnique.reference\",\"timeseries.instance\",\"tls.cipher\",\"tls.client.certificate\",\"tls.client.certificate_chain\",\"tls.client.hash.md5\",\"tls.client.hash.sha1\",\"tls.client.hash.sha256\",\"tls.client.issuer\",\"tls.client.ja3\",\"tls.client.not_after\",\"tls.client.not_before\",\"tls.client.server_name\",\"tls.client.subject\",\"tls.client.supported_ciphers\",\"tls.client.x509.alternative_names\",\"tls.client.x509.issuer.common_name\",\"tls.client.x509.issuer.country\",\"tls.client.x509.issuer.distinguished_name\",\"tls.client.x509.issuer.locality\",\"tls.client.x509.issuer.organization\",\"tls.client.x509.issuer.organizational_unit\",\"tls.client.x509.issuer.state_or_province\",\"tls.client.x509.not_after\",\"tls.client.x509.not_before\",\"tls.client.x509.public_key_algorithm\",\"tls.client.x509.public_key_curve\",\"tls.client.x509.public_key_exponent\",\"tls.client.x509.public_key_size\",\"tls.client.x509.serial_number\",\"tls.client.x509.signature_algorithm\",\"tls.client.x509.subject.common_name\",\"tls.client.x509.subject.country\",\"tls.client.x509.subject.distinguished_name\",\"tls.client.x509.subject.locality\",\"tls.client.x509.subject.organization\",\"tls.client.x509.subject.organiz
ational_unit\",\"tls.client.x509.subject.state_or_province\",\"tls.client.x509.version_number\",\"tls.curve\",\"tls.established\",\"tls.next_protocol\",\"tls.resumed\",\"tls.server.certificate\",\"tls.server.certificate_chain\",\"tls.server.hash.md5\",\"tls.server.hash.sha1\",\"tls.server.hash.sha256\",\"tls.server.issuer\",\"tls.server.ja3s\",\"tls.server.not_after\",\"tls.server.not_before\",\"tls.server.subject\",\"tls.server.x509.alternative_names\",\"tls.server.x509.issuer.common_name\",\"tls.server.x509.issuer.country\",\"tls.server.x509.issuer.distinguished_name\",\"tls.server.x509.issuer.locality\",\"tls.server.x509.issuer.organization\",\"tls.server.x509.issuer.organizational_unit\",\"tls.server.x509.issuer.state_or_province\",\"tls.server.x509.not_after\",\"tls.server.x509.not_before\",\"tls.server.x509.public_key_algorithm\",\"tls.server.x509.public_key_curve\",\"tls.server.x509.public_key_exponent\",\"tls.server.x509.public_key_size\",\"tls.server.x509.serial_number\",\"tls.server.x509.signature_algorithm\",\"tls.server.x509.subject.common_name\",\"tls.server.x509.subject.country\",\"tls.server.x509.subject.distinguished_name\",\"tls.server.x509.subject.locality\",\"tls.server.x509.subject.organization\",\"tls.server.x509.subject.organizational_unit\",\"tls.server.x509.subject.state_or_province\",\"tls.server.x509.version_number\",\"tls.version\",\"tls.version_protocol\",\"trace.id\",\"traefik.access.backend_url\",\"traefik.access.frontend_name\",\"traefik.access.geoip.city_name\",\"traefik.access.geoip.continent_name\",\"traefik.access.geoip.country_iso_code\",\"traefik.access.geoip.location\",\"traefik.access.geoip.region_iso_code\",\"traefik.access.geoip.region_name\",\"traefik.access.request_count\",\"traefik.access.user_agent.device\",\"traefik.access.user_agent.name\",\"traefik.access.user_agent.original\",\"traefik.access.user_agent.os\",\"traefik.access.user_agent.os_name\",\"traefik.access.user_identifier\",\"transaction.id\",\"url.domain\",\"ur
l.extension\",\"url.fragment\",\"url.full\",\"url.full.text\",\"url.original\",\"url.original.text\",\"url.password\",\"url.path\",\"url.port\",\"url.query\",\"url.registered_domain\",\"url.scheme\",\"url.subdomain\",\"url.top_level_domain\",\"url.username\",\"user.audit.group.id\",\"user.audit.group.name\",\"user.audit.id\",\"user.audit.name\",\"user.domain\",\"user.effective.group.id\",\"user.effective.group.name\",\"user.effective.id\",\"user.effective.name\",\"user.email\",\"user.filesystem.group.id\",\"user.filesystem.group.name\",\"user.filesystem.id\",\"user.filesystem.name\",\"user.full_name\",\"user.full_name.text\",\"user.group.domain\",\"user.group.id\",\"user.group.name\",\"user.hash\",\"user.id\",\"user.name\",\"user.name.text\",\"user.owner.group.id\",\"user.owner.group.name\",\"user.owner.id\",\"user.owner.name\",\"user.roles\",\"user.saved.group.id\",\"user.saved.group.name\",\"user.saved.id\",\"user.saved.name\",\"user.terminal\",\"user_agent.device.name\",\"user_agent.name\",\"user_agent.original\",\"user_agent.original.text\",\"user_agent.os.family\",\"user_agent.os.full\",\"user_agent.os.full.text\",\"user_agent.os.full_name\",\"user_agent.os.kernel\",\"user_agent.os.name\",\"user_agent.os.name.text\",\"user_agent.os.platform\",\"user_agent.os.version\",\"user_agent.version\",\"vlan.id\",\"vlan.name\",\"vulnerability.category\",\"vulnerability.classification\",\"vulnerability.description\",\"vulnerability.description.text\",\"vulnerability.enumeration\",\"vulnerability.id\",\"vulnerability.reference\",\"vulnerability.report_id\",\"vulnerability.scanner.vendor\",\"vulnerability.score.base\",\"vulnerability.score.environmental\",\"vulnerability.score.temporal\",\"vulnerability.score.version\",\"vulnerability.severity\",\"x509.alternative_names\",\"x509.issuer.common_name\",\"x509.issuer.country\",\"x509.issuer.distinguished_name\",\"x509.issuer.locality\",\"x509.issuer.organization\",\"x509.issuer.organizational_unit\",\"x509.issuer.state_or_provin
ce\",\"x509.not_after\",\"x509.not_before\",\"x509.public_key_algorithm\",\"x509.public_key_curve\",\"x509.public_key_exponent\",\"x509.public_key_size\",\"x509.serial_number\",\"x509.signature_algorithm\",\"x509.subject.common_name\",\"x509.subject.country\",\"x509.subject.distinguished_name\",\"x509.subject.locality\",\"x509.subject.organization\",\"x509.subject.organizational_unit\",\"x509.subject.state_or_province\",\"x509.version_number\"],\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"hid_bravura_monitor.perf.kind\",\"negate\":false,\"params\":{\"query\":\"PerfSproc\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"hid_bravura_monitor.perf.kind\":\"PerfSproc\"}}}],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "PerfSproc", - "version": 1 - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-83eacd90-1473-11eb-bb7b-bb041e8cf289", - "migrationVersion": { - "search": "7.9.3" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/hid_bravura_monitor/1.2.3/kibana/search/hid_bravura_monitor-95032a30-2eab-11eb-b6a1-bdb7d768b585.json b/packages/hid_bravura_monitor/1.2.3/kibana/search/hid_bravura_monitor-95032a30-2eab-11eb-b6a1-bdb7d768b585.json deleted file mode 100755 index 777347bc45..0000000000 --- a/packages/hid_bravura_monitor/1.2.3/kibana/search/hid_bravura_monitor-95032a30-2eab-11eb-b6a1-bdb7d768b585.json +++ /dev/null 
@@ -1,46 +0,0 @@ -{ - "attributes": { - "columns": [ - "hid_bravura_monitor.perf.duration", - "log.logger", - "hid_bravura_monitor.perf.user", - "hid_bravura_monitor.perf.kernel", - "process.pid", - "process.thread.id" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"fieldsFromSource\":[\"@timestamp\",\"_id\",\"_index\",\"_score\",\"_source\",\"_type\",\"agent.build.original\",\"agent.ephemeral_id\",\"agent.hostname\",\"agent.id\",\"agent.name\",\"agent.type\",\"agent.version\",\"apache.access.ssl.cipher\",\"apache.access.ssl.protocol\",\"apache.error.integration\",\"as.number\",\"as.organization.name\",\"as.organization.name.text\",\"auditd.log.a0\",\"auditd.log.addr\",\"auditd.log.item\",\"auditd.log.items\",\"auditd.log.laddr\",\"auditd.log.lport\",\"auditd.log.new_auid\",\"auditd.log.new_ses\",\"auditd.log.old_auid\",\"auditd.log.old_ses\",\"auditd.log.rport\",\"auditd.log.sequence\",\"auditd.log.tty\",\"azure.consumer_group\",\"azure.enqueued_time\",\"azure.eventhub\",\"azure.offset\",\"azure.partition_id\",\"azure.sequence_number\",\"client.address\",\"client.as.number\",\"client.as.organization.name\",\"client.as.organization.name.text\",\"client.bytes\",\"client.domain\",\"client.geo.city_name\",\"client.geo.continent_name\",\"client.geo.country_iso_code\",\"client.geo.country_name\",\"client.geo.location\",\"client.geo.name\",\"client.geo.region_iso_code\",\"client.geo.region_name\",\"client.ip\",\"client.mac\",\"client.nat.ip\",\"client.nat.port\",\"client.packets\",\"client.port\",\"client.registered_domain\",\"client.subdomain\",\"client.top_level_domain\",\"client.user.domain\",\"client.user.email\",\"client.user.full_name\",\"client.user.full_name.text\",\"client.user.group.domain\",\"client.user.group.id\",\"client.user.group.name\",\"client.user.hash\",\"client.user.id\",\"client.user.name\",\"client.user.name.text\",\"client.user.roles\",\"cloud.account.id\",\"cloud.account.name\",\"cloud.availability_zon
e\",\"cloud.image.id\",\"cloud.instance.id\",\"cloud.instance.name\",\"cloud.machine.type\",\"cloud.project.id\",\"cloud.project.name\",\"cloud.provider\",\"cloud.region\",\"code_signature.exists\",\"code_signature.status\",\"code_signature.subject_name\",\"code_signature.trusted\",\"code_signature.valid\",\"container.id\",\"container.image.name\",\"container.image.tag\",\"container.name\",\"container.runtime\",\"destination.address\",\"destination.as.number\",\"destination.as.organization.name\",\"destination.as.organization.name.text\",\"destination.bytes\",\"destination.domain\",\"destination.geo.city_name\",\"destination.geo.continent_name\",\"destination.geo.country_iso_code\",\"destination.geo.country_name\",\"destination.geo.location\",\"destination.geo.name\",\"destination.geo.region_iso_code\",\"destination.geo.region_name\",\"destination.ip\",\"destination.mac\",\"destination.nat.ip\",\"destination.nat.port\",\"destination.packets\",\"destination.port\",\"destination.registered_domain\",\"destination.subdomain\",\"destination.top_level_domain\",\"destination.user.domain\",\"destination.user.email\",\"destination.user.full_name\",\"destination.user.full_name.text\",\"destination.user.group.domain\",\"destination.user.group.id\",\"destination.user.group.name\",\"destination.user.hash\",\"destination.user.id\",\"destination.user.name\",\"destination.user.name.text\",\"destination.user.roles\",\"dll.code_signature.exists\",\"dll.code_signature.status\",\"dll.code_signature.subject_name\",\"dll.code_signature.trusted\",\"dll.code_signature.valid\",\"dll.hash.md5\",\"dll.hash.sha1\",\"dll.hash.sha256\",\"dll.hash.sha512\",\"dll.name\",\"dll.path\",\"dll.pe.architecture\",\"dll.pe.company\",\"dll.pe.description\",\"dll.pe.file_version\",\"dll.pe.imphash\",\"dll.pe.original_file_name\",\"dll.pe.product\",\"dns.answers.class\",\"dns.answers.data\",\"dns.answers.name\",\"dns.answers.ttl\",\"dns.answers.type\",\"dns.header_flags\",\"dns.id\",\"dns.op_code\",\"dns.que
stion.class\",\"dns.question.name\",\"dns.question.registered_domain\",\"dns.question.subdomain\",\"dns.question.top_level_domain\",\"dns.question.type\",\"dns.resolved_ip\",\"dns.response_code\",\"dns.type\",\"ecs.version\",\"elasticsearch.audit.action\",\"elasticsearch.audit.event_type\",\"elasticsearch.audit.indices\",\"elasticsearch.audit.layer\",\"elasticsearch.audit.message\",\"elasticsearch.audit.origin.type\",\"elasticsearch.audit.realm\",\"elasticsearch.audit.request.id\",\"elasticsearch.audit.request.name\",\"elasticsearch.audit.url.params\",\"elasticsearch.audit.user.realm\",\"elasticsearch.audit.user.roles\",\"elasticsearch.cluster.name\",\"elasticsearch.cluster.uuid\",\"elasticsearch.component\",\"elasticsearch.gc.heap.size_kb\",\"elasticsearch.gc.heap.used_kb\",\"elasticsearch.gc.jvm_runtime_sec\",\"elasticsearch.gc.old_gen.size_kb\",\"elasticsearch.gc.old_gen.used_kb\",\"elasticsearch.gc.phase.class_unload_time_sec\",\"elasticsearch.gc.phase.cpu_time.real_sec\",\"elasticsearch.gc.phase.cpu_time.sys_sec\",\"elasticsearch.gc.phase.cpu_time.user_sec\",\"elasticsearch.gc.phase.duration_sec\",\"elasticsearch.gc.phase.name\",\"elasticsearch.gc.phase.parallel_rescan_time_sec\",\"elasticsearch.gc.phase.scrub_string_table_time_sec\",\"elasticsearch.gc.phase.scrub_symbol_table_time_sec\",\"elasticsearch.gc.phase.weak_refs_processing_time_sec\",\"elasticsearch.gc.stopping_threads_time_sec\",\"elasticsearch.gc.tags\",\"elasticsearch.gc.threads_total_stop_time_sec\",\"elasticsearch.gc.young_gen.size_kb\",\"elasticsearch.gc.young_gen.used_kb\",\"elasticsearch.index.id\",\"elasticsearch.index.name\",\"elasticsearch.node.id\",\"elasticsearch.node.name\",\"elasticsearch.server.gc.collection_duration.ms\",\"elasticsearch.server.gc.observation_duration.ms\",\"elasticsearch.server.gc.overhead_seq\",\"elasticsearch.server.gc.young.one\",\"elasticsearch.server.gc.young.two\",\"elasticsearch.server.stacktrace\",\"elasticsearch.shard.id\",\"elasticsearch.slowlog.extra_source
\",\"elasticsearch.slowlog.id\",\"elasticsearch.slowlog.logger\",\"elasticsearch.slowlog.routing\",\"elasticsearch.slowlog.search_type\",\"elasticsearch.slowlog.source\",\"elasticsearch.slowlog.source_query\",\"elasticsearch.slowlog.stats\",\"elasticsearch.slowlog.took\",\"elasticsearch.slowlog.total_hits\",\"elasticsearch.slowlog.total_shards\",\"elasticsearch.slowlog.type\",\"elasticsearch.slowlog.types\",\"error.code\",\"error.id\",\"error.message\",\"error.stack_trace\",\"error.stack_trace.text\",\"error.type\",\"event.action\",\"event.category\",\"event.code\",\"event.created\",\"data_stream.dataset\",\"event.duration\",\"event.end\",\"event.hash\",\"event.id\",\"event.ingested\",\"event.kind\",\"event.integration\",\"event.original\",\"event.outcome\",\"event.provider\",\"event.reason\",\"event.reference\",\"event.risk_score\",\"event.risk_score_norm\",\"event.sequence\",\"event.severity\",\"event.start\",\"event.timezone\",\"event.type\",\"event.url\",\"file.accessed\",\"file.attributes\",\"file.code_signature.exists\",\"file.code_signature.status\",\"file.code_signature.subject_name\",\"file.code_signature.trusted\",\"file.code_signature.valid\",\"file.created\",\"file.ctime\",\"file.device\",\"file.directory\",\"file.drive_letter\",\"file.extension\",\"file.gid\",\"file.group\",\"file.hash.md5\",\"file.hash.sha1\",\"file.hash.sha256\",\"file.hash.sha512\",\"file.inode\",\"file.mime_type\",\"file.mode\",\"file.mtime\",\"file.name\",\"file.owner\",\"file.path\",\"file.path.text\",\"file.pe.architecture\",\"file.pe.company\",\"file.pe.description\",\"file.pe.file_version\",\"file.pe.imphash\",\"file.pe.original_file_name\",\"file.pe.product\",\"file.size\",\"file.target_path\",\"file.target_path.text\",\"file.type\",\"file.uid\",\"file.x509.alternative_names\",\"file.x509.issuer.common_name\",\"file.x509.issuer.country\",\"file.x509.issuer.distinguished_name\",\"file.x509.issuer.locality\",\"file.x509.issuer.organization\",\"file.x509.issuer.organizational_uni
t\",\"file.x509.issuer.state_or_province\",\"file.x509.not_after\",\"file.x509.not_before\",\"file.x509.public_key_algorithm\",\"file.x509.public_key_curve\",\"file.x509.public_key_exponent\",\"file.x509.public_key_size\",\"file.x509.serial_number\",\"file.x509.signature_algorithm\",\"file.x509.subject.common_name\",\"file.x509.subject.country\",\"file.x509.subject.distinguished_name\",\"file.x509.subject.locality\",\"file.x509.subject.organization\",\"file.x509.subject.organizational_unit\",\"file.x509.subject.state_or_province\",\"file.x509.version_number\",\"fileset.name\",\"geo.city_name\",\"geo.continent_name\",\"geo.country_iso_code\",\"geo.country_name\",\"geo.location\",\"geo.name\",\"geo.region_iso_code\",\"geo.region_name\",\"group.domain\",\"group.id\",\"group.name\",\"haproxy.backend_name\",\"haproxy.backend_queue\",\"haproxy.bind_name\",\"haproxy.bytes_read\",\"haproxy.connection_wait_time_ms\",\"haproxy.connections.active\",\"haproxy.connections.backend\",\"haproxy.connections.frontend\",\"haproxy.connections.retries\",\"haproxy.connections.server\",\"haproxy.error_message\",\"haproxy.frontend_name\",\"haproxy.http.request.captured_cookie\",\"haproxy.http.request.captured_headers\",\"haproxy.http.request.raw_request_line\",\"haproxy.http.request.time_wait_ms\",\"haproxy.http.request.time_wait_without_data_ms\",\"haproxy.http.response.captured_cookie\",\"haproxy.http.response.captured_headers\",\"haproxy.mode\",\"haproxy.server_name\",\"haproxy.server_queue\",\"haproxy.source\",\"haproxy.tcp.connection_waiting_time_ms\",\"haproxy.termination_state\",\"haproxy.time_backend_connect\",\"haproxy.time_queue\",\"haproxy.total_waiting_time_ms\",\"hash.md5\",\"hash.sha1\",\"hash.sha256\",\"hash.sha512\",\"hid_bravura_monitor.instancename\",\"hid_bravura_monitor.node\",\"hid_bravura_monitor.perf.address\",\"hid_bravura_monitor.perf.address\",\"hid_bravura_monitor.perf.adminid\",\"hid_bravura_monitor.perf.adminid\",\"hid_bravura_monitor.perf.dbcommand\",\"hid_bra
vura_monitor.perf.dbcommand\",\"hid_bravura_monitor.perf.destination\",\"hid_bravura_monitor.perf.duration\",\"hid_bravura_monitor.perf.event\",\"hid_bravura_monitor.perf.event\",\"hid_bravura_monitor.perf.exe\",\"hid_bravura_monitor.perf.exe\",\"hid_bravura_monitor.perf.file\",\"hid_bravura_monitor.perf.function\",\"hid_bravura_monitor.perf.function\",\"hid_bravura_monitor.perf.kernel\",\"hid_bravura_monitor.perf.kind\",\"hid_bravura_monitor.perf.kind\",\"hid_bravura_monitor.perf.message\",\"hid_bravura_monitor.perf.message\",\"hid_bravura_monitor.perf.operation\",\"hid_bravura_monitor.perf.operation\",\"hid_bravura_monitor.perf.receivequeue\",\"hid_bravura_monitor.perf.receivequeue\",\"hid_bravura_monitor.perf.records\",\"hid_bravura_monitor.perf.result\",\"hid_bravura_monitor.perf.result\",\"hid_bravura_monitor.perf.rule\",\"hid_bravura_monitor.perf.sessionid\",\"hid_bravura_monitor.perf.sessionid\",\"hid_bravura_monitor.perf.sysid\",\"hid_bravura_monitor.perf.sysid\",\"hid_bravura_monitor.perf.table\",\"hid_bravura_monitor.perf.table\",\"hid_bravura_monitor.perf.targetid\",\"hid_bravura_monitor.perf.targetid\",\"hid_bravura_monitor.perf.transid\",\"hid_bravura_monitor.perf.transid\",\"hid_bravura_monitor.perf.type\",\"hid_bravura_monitor.perf.user\",\"hid_bravura_monitor.request.id\",\"hid_bravura_monitor.request.id\",\"host.architecture\",\"host.containerized\",\"host.domain\",\"host.geo.city_name\",\"host.geo.continent_name\",\"host.geo.country_iso_code\",\"host.geo.country_name\",\"host.geo.location\",\"host.geo.name\",\"host.geo.region_iso_code\",\"host.geo.region_name\",\"host.hostname\",\"host.id\",\"host.ip\",\"host.mac\",\"host.name\",\"host.os.build\",\"host.os.codename\",\"host.os.family\",\"host.os.full\",\"host.os.full.text\",\"host.os.kernel\",\"host.os.name\",\"host.os.name.text\",\"host.os.platform\",\"host.os.version\",\"host.type\",\"host.uptime\",\"host.user.domain\",\"host.user.email\",\"host.user.full_name\",\"host.user.full_name.text\",\"hos
t.user.group.domain\",\"host.user.group.id\",\"host.user.group.name\",\"host.user.hash\",\"host.user.id\",\"host.user.name\",\"host.user.name.text\",\"host.user.roles\",\"http.request.body.bytes\",\"http.request.body.content\",\"http.request.body.content.text\",\"http.request.bytes\",\"http.request.method\",\"http.request.mime_type\",\"http.request.referrer\",\"http.response.body.bytes\",\"http.response.body.content\",\"http.response.body.content.text\",\"http.response.bytes\",\"http.response.mime_type\",\"http.response.status_code\",\"http.version\",\"icinga.debug.facility\",\"icinga.main.facility\",\"icinga.startup.facility\",\"icmp.code\",\"icmp.type\",\"igmp.type\",\"iis.access.cookie\",\"iis.access.server_name\",\"iis.access.site_name\",\"iis.access.sub_status\",\"iis.access.win32_status\",\"iis.error.queue_name\",\"iis.error.reason_phrase\",\"input.type\",\"interface.alias\",\"interface.id\",\"interface.name\",\"jolokia.agent.id\",\"jolokia.agent.version\",\"jolokia.secured\",\"jolokia.server.product\",\"jolokia.server.vendor\",\"jolokia.server.version\",\"jolokia.url\",\"kafka.block_timestamp\",\"kafka.key\",\"kafka.log.class\",\"kafka.log.component\",\"kafka.log.thread\",\"kafka.log.trace.class\",\"kafka.log.trace.message\",\"kafka.offset\",\"kafka.partition\",\"kafka.topic\",\"kibana.add_to_spaces\",\"kibana.authentication_provider\",\"kibana.authentication_realm\",\"kibana.authentication_type\",\"kibana.delete_from_spaces\",\"kibana.log.state\",\"kibana.log.tags\",\"kibana.lookup_realm\",\"kibana.saved_object.id\",\"kibana.saved_object.type\",\"kibana.session_id\",\"kibana.space_id\",\"kubernetes.container.image\",\"kubernetes.container.name\",\"kubernetes.deployment.name\",\"kubernetes.namespace\",\"kubernetes.node.hostname\",\"kubernetes.node.name\",\"kubernetes.pod.name\",\"kubernetes.pod.uid\",\"kubernetes.replicaset.name\",\"kubernetes.statefulset.name\",\"log.file.path\",\"log.flags\",\"log.level\",\"log.logger\",\"log.offset\",\"log.origin.file.line
\",\"log.origin.file.name\",\"log.origin.function\",\"log.original\",\"log.source.address\",\"log.syslog.facility.code\",\"log.syslog.facility.name\",\"log.syslog.priority\",\"log.syslog.severity.code\",\"log.syslog.severity.name\",\"logstash.log.integration\",\"logstash.log.pipeline_id\",\"logstash.log.thread\",\"logstash.log.thread.text\",\"logstash.slowlog.event\",\"logstash.slowlog.event.text\",\"logstash.slowlog.integration\",\"logstash.slowlog.plugin_name\",\"logstash.slowlog.plugin_params\",\"logstash.slowlog.plugin_params.text\",\"logstash.slowlog.plugin_type\",\"logstash.slowlog.thread\",\"logstash.slowlog.thread.text\",\"logstash.slowlog.took_in_millis\",\"message\",\"mongodb.log.component\",\"mongodb.log.context\",\"mysql.slowlog.bytes_received\",\"mysql.slowlog.bytes_sent\",\"mysql.slowlog.current_user\",\"mysql.slowlog.filesort\",\"mysql.slowlog.filesort_on_disk\",\"mysql.slowlog.full_join\",\"mysql.slowlog.full_scan\",\"mysql.slowlog.innodb.io_r_bytes\",\"mysql.slowlog.innodb.io_r_ops\",\"mysql.slowlog.innodb.io_r_wait.sec\",\"mysql.slowlog.innodb.pages_distinct\",\"mysql.slowlog.innodb.queue_wait.sec\",\"mysql.slowlog.innodb.rec_lock_wait.sec\",\"mysql.slowlog.innodb.trx_id\",\"mysql.slowlog.killed\",\"mysql.slowlog.last_errno\",\"mysql.slowlog.lock_time.sec\",\"mysql.slowlog.log_slow_rate_limit\",\"mysql.slowlog.log_slow_rate_type\",\"mysql.slowlog.merge_passes\",\"mysql.slowlog.priority_queue\",\"mysql.slowlog.query\",\"mysql.slowlog.query_cache_hit\",\"mysql.slowlog.read_first\",\"mysql.slowlog.read_key\",\"mysql.slowlog.read_last\",\"mysql.slowlog.read_next\",\"mysql.slowlog.read_prev\",\"mysql.slowlog.read_rnd\",\"mysql.slowlog.read_rnd_next\",\"mysql.slowlog.rows_affected\",\"mysql.slowlog.rows_examined\",\"mysql.slowlog.rows_sent\",\"mysql.slowlog.schema\",\"mysql.slowlog.sort_merge_passes\",\"mysql.slowlog.sort_range_count\",\"mysql.slowlog.sort_rows\",\"mysql.slowlog.sort_scan_count\",\"mysql.slowlog.tmp_disk_tables\",\"mysql.slowlog.tmp_tabl
e\",\"mysql.slowlog.tmp_table_on_disk\",\"mysql.slowlog.tmp_table_sizes\",\"mysql.slowlog.tmp_tables\",\"mysql.thread_id\",\"nats.log.client.id\",\"nats.log.msg.bytes\",\"nats.log.msg.error.message\",\"nats.log.msg.max_messages\",\"nats.log.msg.queue_group\",\"nats.log.msg.reply_to\",\"nats.log.msg.sid\",\"nats.log.msg.subject\",\"nats.log.msg.type\",\"network.application\",\"network.bytes\",\"network.community_id\",\"network.direction\",\"network.forwarded_ip\",\"network.iana_number\",\"network.inner.vlan.id\",\"network.inner.vlan.name\",\"network.name\",\"network.packets\",\"network.protocol\",\"network.transport\",\"network.type\",\"network.vlan.id\",\"network.vlan.name\",\"nginx.error.connection_id\",\"nginx.ingress_controller.http.request.id\",\"nginx.ingress_controller.http.request.length\",\"nginx.ingress_controller.http.request.time\",\"nginx.ingress_controller.upstream.alternative_name\",\"nginx.ingress_controller.upstream.ip\",\"nginx.ingress_controller.upstream.name\",\"nginx.ingress_controller.upstream.port\",\"nginx.ingress_controller.upstream.response.length\",\"nginx.ingress_controller.upstream.response.length_list\",\"nginx.ingress_controller.upstream.response.status_code\",\"nginx.ingress_controller.upstream.response.status_code_list\",\"nginx.ingress_controller.upstream.response.time\",\"nginx.ingress_controller.upstream.response.time_list\",\"nginx.ingress_controller.upstream_address_list\",\"observer.egress.interface.alias\",\"observer.egress.interface.id\",\"observer.egress.interface.name\",\"observer.egress.vlan.id\",\"observer.egress.vlan.name\",\"observer.egress.zone\",\"observer.geo.city_name\",\"observer.geo.continent_name\",\"observer.geo.country_iso_code\",\"observer.geo.country_name\",\"observer.geo.location\",\"observer.geo.name\",\"observer.geo.region_iso_code\",\"observer.geo.region_name\",\"observer.hostname\",\"observer.ingress.interface.alias\",\"observer.ingress.interface.id\",\"observer.ingress.interface.name\",\"observer.ingress
.vlan.id\",\"observer.ingress.vlan.name\",\"observer.ingress.zone\",\"observer.ip\",\"observer.mac\",\"observer.name\",\"observer.os.family\",\"observer.os.full\",\"observer.os.full.text\",\"observer.os.kernel\",\"observer.os.name\",\"observer.os.name.text\",\"observer.os.platform\",\"observer.os.version\",\"observer.product\",\"observer.serial_number\",\"observer.type\",\"observer.vendor\",\"observer.version\",\"organization.id\",\"organization.name\",\"organization.name.text\",\"os.family\",\"os.full\",\"os.full.text\",\"os.kernel\",\"os.name\",\"os.name.text\",\"os.platform\",\"os.version\",\"osquery.result.action\",\"osquery.result.calendar_time\",\"osquery.result.host_identifier\",\"osquery.result.name\",\"osquery.result.unix_time\",\"package.architecture\",\"package.build_version\",\"package.checksum\",\"package.description\",\"package.install_scope\",\"package.installed\",\"package.license\",\"package.name\",\"package.path\",\"package.reference\",\"package.size\",\"package.type\",\"package.version\",\"pe.architecture\",\"pe.company\",\"pe.description\",\"pe.file_version\",\"pe.imphash\",\"pe.original_file_name\",\"pe.product\",\"postgresql.log.core_id\",\"postgresql.log.database\",\"postgresql.log.error.code\",\"postgresql.log.query\",\"postgresql.log.query_name\",\"postgresql.log.query_step\",\"postgresql.log.timestamp\",\"process.args\",\"process.args_count\",\"process.code_signature.exists\",\"process.code_signature.status\",\"process.code_signature.subject_name\",\"process.code_signature.trusted\",\"process.code_signature.valid\",\"process.command_line\",\"process.command_line.text\",\"process.entity_id\",\"process.executable\",\"process.executable.text\",\"process.exit_code\",\"process.hash.md5\",\"process.hash.sha1\",\"process.hash.sha256\",\"process.hash.sha512\",\"process.name\",\"process.name.text\",\"process.parent.args\",\"process.parent.args_count\",\"process.parent.code_signature.exists\",\"process.parent.code_signature.status\",\"process.parent.
code_signature.subject_name\",\"process.parent.code_signature.trusted\",\"process.parent.code_signature.valid\",\"process.parent.command_line\",\"process.parent.command_line.text\",\"process.parent.entity_id\",\"process.parent.executable\",\"process.parent.executable.text\",\"process.parent.exit_code\",\"process.parent.hash.md5\",\"process.parent.hash.sha1\",\"process.parent.hash.sha256\",\"process.parent.hash.sha512\",\"process.parent.name\",\"process.parent.name.text\",\"process.parent.pe.architecture\",\"process.parent.pe.company\",\"process.parent.pe.description\",\"process.parent.pe.file_version\",\"process.parent.pe.imphash\",\"process.parent.pe.original_file_name\",\"process.parent.pe.product\",\"process.parent.pgid\",\"process.parent.pid\",\"process.parent.ppid\",\"process.parent.start\",\"process.parent.thread.id\",\"process.parent.thread.name\",\"process.parent.title\",\"process.parent.title.text\",\"process.parent.uptime\",\"process.parent.working_directory\",\"process.parent.working_directory.text\",\"process.pe.architecture\",\"process.pe.company\",\"process.pe.description\",\"process.pe.file_version\",\"process.pe.imphash\",\"process.pe.original_file_name\",\"process.pe.product\",\"process.pgid\",\"process.pid\",\"process.ppid\",\"process.program\",\"process.start\",\"process.thread.id\",\"process.thread.name\",\"process.title\",\"process.title.text\",\"process.uptime\",\"process.working_directory\",\"process.working_directory.text\",\"redis.log.role\",\"redis.slowlog.args\",\"redis.slowlog.cmd\",\"redis.slowlog.duration.us\",\"redis.slowlog.id\",\"redis.slowlog.key\",\"registry.data.bytes\",\"registry.data.strings\",\"registry.data.type\",\"registry.hive\",\"registry.key\",\"registry.path\",\"registry.value\",\"related.hash\",\"related.hosts\",\"related.ip\",\"related.user\",\"rule.author\",\"rule.category\",\"rule.description\",\"rule.id\",\"rule.license\",\"rule.name\",\"rule.reference\",\"rule.ruleset\",\"rule.uuid\",\"rule.version\",\"santa.action
\",\"santa.certificate.common_name\",\"santa.certificate.sha256\",\"santa.decision\",\"santa.disk.bsdname\",\"santa.disk.bus\",\"santa.disk.fs\",\"santa.disk.model\",\"santa.disk.mount\",\"santa.disk.serial\",\"santa.disk.volume\",\"santa.mode\",\"santa.reason\",\"server.address\",\"server.as.number\",\"server.as.organization.name\",\"server.as.organization.name.text\",\"server.bytes\",\"server.domain\",\"server.geo.city_name\",\"server.geo.continent_name\",\"server.geo.country_iso_code\",\"server.geo.country_name\",\"server.geo.location\",\"server.geo.name\",\"server.geo.region_iso_code\",\"server.geo.region_name\",\"server.ip\",\"server.mac\",\"server.nat.ip\",\"server.nat.port\",\"server.packets\",\"server.port\",\"server.registered_domain\",\"server.subdomain\",\"server.top_level_domain\",\"server.user.domain\",\"server.user.email\",\"server.user.full_name\",\"server.user.full_name.text\",\"server.user.group.domain\",\"server.user.group.id\",\"server.user.group.name\",\"server.user.hash\",\"server.user.id\",\"server.user.name\",\"server.user.name.text\",\"server.user.roles\",\"service.ephemeral_id\",\"service.id\",\"service.name\",\"service.node.name\",\"service.state\",\"service.type\",\"service.version\",\"source.address\",\"source.as.number\",\"source.as.organization.name\",\"source.as.organization.name.text\",\"source.bytes\",\"source.domain\",\"source.geo.city_name\",\"source.geo.continent_name\",\"source.geo.country_iso_code\",\"source.geo.country_name\",\"source.geo.location\",\"source.geo.name\",\"source.geo.region_iso_code\",\"source.geo.region_name\",\"source.ip\",\"source.mac\",\"source.nat.ip\",\"source.nat.port\",\"source.packets\",\"source.port\",\"source.registered_domain\",\"source.subdomain\",\"source.top_level_domain\",\"source.user.domain\",\"source.user.email\",\"source.user.full_name\",\"source.user.full_name.text\",\"source.user.group.domain\",\"source.user.group.id\",\"source.user.group.name\",\"source.user.hash\",\"source.user.id\",\"sour
ce.user.name\",\"source.user.name.text\",\"source.user.roles\",\"span.id\",\"stream\",\"syslog.facility\",\"syslog.facility_label\",\"syslog.priority\",\"syslog.severity_label\",\"system.auth.ssh.dropped_ip\",\"system.auth.ssh.event\",\"system.auth.ssh.method\",\"system.auth.ssh.signature\",\"system.auth.sudo.command\",\"system.auth.sudo.error\",\"system.auth.sudo.pwd\",\"system.auth.sudo.tty\",\"system.auth.sudo.user\",\"system.auth.useradd.home\",\"system.auth.useradd.shell\",\"tags\",\"threat.framework\",\"threat.tactic.id\",\"threat.tactic.name\",\"threat.tactic.reference\",\"threat.technique.id\",\"threat.technique.name\",\"threat.technique.name.text\",\"threat.technique.reference\",\"threat.technique.subtechnique.id\",\"threat.technique.subtechnique.name\",\"threat.technique.subtechnique.name.text\",\"threat.technique.subtechnique.reference\",\"timeseries.instance\",\"tls.cipher\",\"tls.client.certificate\",\"tls.client.certificate_chain\",\"tls.client.hash.md5\",\"tls.client.hash.sha1\",\"tls.client.hash.sha256\",\"tls.client.issuer\",\"tls.client.ja3\",\"tls.client.not_after\",\"tls.client.not_before\",\"tls.client.server_name\",\"tls.client.subject\",\"tls.client.supported_ciphers\",\"tls.client.x509.alternative_names\",\"tls.client.x509.issuer.common_name\",\"tls.client.x509.issuer.country\",\"tls.client.x509.issuer.distinguished_name\",\"tls.client.x509.issuer.locality\",\"tls.client.x509.issuer.organization\",\"tls.client.x509.issuer.organizational_unit\",\"tls.client.x509.issuer.state_or_province\",\"tls.client.x509.not_after\",\"tls.client.x509.not_before\",\"tls.client.x509.public_key_algorithm\",\"tls.client.x509.public_key_curve\",\"tls.client.x509.public_key_exponent\",\"tls.client.x509.public_key_size\",\"tls.client.x509.serial_number\",\"tls.client.x509.signature_algorithm\",\"tls.client.x509.subject.common_name\",\"tls.client.x509.subject.country\",\"tls.client.x509.subject.distinguished_name\",\"tls.client.x509.subject.locality\",\"tls.client.x
509.subject.organization\",\"tls.client.x509.subject.organizational_unit\",\"tls.client.x509.subject.state_or_province\",\"tls.client.x509.version_number\",\"tls.curve\",\"tls.established\",\"tls.next_protocol\",\"tls.resumed\",\"tls.server.certificate\",\"tls.server.certificate_chain\",\"tls.server.hash.md5\",\"tls.server.hash.sha1\",\"tls.server.hash.sha256\",\"tls.server.issuer\",\"tls.server.ja3s\",\"tls.server.not_after\",\"tls.server.not_before\",\"tls.server.subject\",\"tls.server.x509.alternative_names\",\"tls.server.x509.issuer.common_name\",\"tls.server.x509.issuer.country\",\"tls.server.x509.issuer.distinguished_name\",\"tls.server.x509.issuer.locality\",\"tls.server.x509.issuer.organization\",\"tls.server.x509.issuer.organizational_unit\",\"tls.server.x509.issuer.state_or_province\",\"tls.server.x509.not_after\",\"tls.server.x509.not_before\",\"tls.server.x509.public_key_algorithm\",\"tls.server.x509.public_key_curve\",\"tls.server.x509.public_key_exponent\",\"tls.server.x509.public_key_size\",\"tls.server.x509.serial_number\",\"tls.server.x509.signature_algorithm\",\"tls.server.x509.subject.common_name\",\"tls.server.x509.subject.country\",\"tls.server.x509.subject.distinguished_name\",\"tls.server.x509.subject.locality\",\"tls.server.x509.subject.organization\",\"tls.server.x509.subject.organizational_unit\",\"tls.server.x509.subject.state_or_province\",\"tls.server.x509.version_number\",\"tls.version\",\"tls.version_protocol\",\"trace.id\",\"traefik.access.backend_url\",\"traefik.access.frontend_name\",\"traefik.access.geoip.city_name\",\"traefik.access.geoip.continent_name\",\"traefik.access.geoip.country_iso_code\",\"traefik.access.geoip.location\",\"traefik.access.geoip.region_iso_code\",\"traefik.access.geoip.region_name\",\"traefik.access.request_count\",\"traefik.access.user_agent.device\",\"traefik.access.user_agent.name\",\"traefik.access.user_agent.original\",\"traefik.access.user_agent.os\",\"traefik.access.user_agent.os_name\",\"traefik.acc
ess.user_identifier\",\"transaction.id\",\"url.domain\",\"url.extension\",\"url.fragment\",\"url.full\",\"url.full.text\",\"url.original\",\"url.original.text\",\"url.password\",\"url.path\",\"url.port\",\"url.query\",\"url.registered_domain\",\"url.scheme\",\"url.subdomain\",\"url.top_level_domain\",\"url.username\",\"user.audit.group.id\",\"user.audit.group.name\",\"user.audit.id\",\"user.audit.name\",\"user.domain\",\"user.effective.group.id\",\"user.effective.group.name\",\"user.effective.id\",\"user.effective.name\",\"user.email\",\"user.filesystem.group.id\",\"user.filesystem.group.name\",\"user.filesystem.id\",\"user.filesystem.name\",\"user.full_name\",\"user.full_name.text\",\"user.group.domain\",\"user.group.id\",\"user.group.name\",\"user.hash\",\"user.id\",\"user.name\",\"user.name.text\",\"user.owner.group.id\",\"user.owner.group.name\",\"user.owner.id\",\"user.owner.name\",\"user.roles\",\"user.saved.group.id\",\"user.saved.group.name\",\"user.saved.id\",\"user.saved.name\",\"user.terminal\",\"user_agent.device.name\",\"user_agent.name\",\"user_agent.original\",\"user_agent.original.text\",\"user_agent.os.family\",\"user_agent.os.full\",\"user_agent.os.full.text\",\"user_agent.os.full_name\",\"user_agent.os.kernel\",\"user_agent.os.name\",\"user_agent.os.name.text\",\"user_agent.os.platform\",\"user_agent.os.version\",\"user_agent.version\",\"vlan.id\",\"vlan.name\",\"vulnerability.category\",\"vulnerability.classification\",\"vulnerability.description\",\"vulnerability.description.text\",\"vulnerability.enumeration\",\"vulnerability.id\",\"vulnerability.reference\",\"vulnerability.report_id\",\"vulnerability.scanner.vendor\",\"vulnerability.score.base\",\"vulnerability.score.environmental\",\"vulnerability.score.temporal\",\"vulnerability.score.version\",\"vulnerability.severity\",\"x509.alternative_names\",\"x509.issuer.common_name\",\"x509.issuer.country\",\"x509.issuer.distinguished_name\",\"x509.issuer.locality\",\"x509.issuer.organization\",\"x50
9.issuer.organizational_unit\",\"x509.issuer.state_or_province\",\"x509.not_after\",\"x509.not_before\",\"x509.public_key_algorithm\",\"x509.public_key_curve\",\"x509.public_key_exponent\",\"x509.public_key_size\",\"x509.serial_number\",\"x509.signature_algorithm\",\"x509.subject.common_name\",\"x509.subject.country\",\"x509.subject.distinguished_name\",\"x509.subject.locality\",\"x509.subject.organization\",\"x509.subject.organizational_unit\",\"x509.subject.state_or_province\",\"x509.version_number\"],\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"hid_bravura_monitor.perf.kind\",\"negate\":false,\"params\":{\"query\":\"PerfExe\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"hid_bravura_monitor.perf.kind\":\"PerfExe\"}}}],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"NOT log.logger: plugin_*\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "PerfExe - Executables", - "version": 1 - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-95032a30-2eab-11eb-b6a1-bdb7d768b585", - "migrationVersion": { - "search": "7.9.3" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/hid_bravura_monitor/1.2.3/kibana/search/hid_bravura_monitor-991d9760-1473-11eb-bb7b-bb041e8cf289.json b/packages/hid_bravura_monitor/1.2.3/kibana/search/hid_bravura_monitor-991d9760-1473-11eb-bb7b-bb041e8cf289.json deleted file mode 100755 index 08411d94b0..0000000000 
--- a/packages/hid_bravura_monitor/1.2.3/kibana/search/hid_bravura_monitor-991d9760-1473-11eb-bb7b-bb041e8cf289.json
+++ /dev/null
@@ -1,46 +0,0 @@ -{ - "attributes": { - "columns": [ - "log.logger", - "input.type", - "hid_bravura_monitor.perf.function", - "host.name", - "@timestamp", - "message" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"fieldsFromSource\":[\"@timestamp\",\"_id\",\"_index\",\"_score\",\"_source\",\"_type\",\"agent.build.original\",\"agent.ephemeral_id\",\"agent.hostname\",\"agent.id\",\"agent.name\",\"agent.type\",\"agent.version\",\"apache.access.ssl.cipher\",\"apache.access.ssl.protocol\",\"apache.error.integration\",\"as.number\",\"as.organization.name\",\"as.organization.name.text\",\"auditd.log.a0\",\"auditd.log.addr\",\"auditd.log.item\",\"auditd.log.items\",\"auditd.log.laddr\",\"auditd.log.lport\",\"auditd.log.new_auid\",\"auditd.log.new_ses\",\"auditd.log.old_auid\",\"auditd.log.old_ses\",\"auditd.log.rport\",\"auditd.log.sequence\",\"auditd.log.tty\",\"azure.consumer_group\",\"azure.enqueued_time\",\"azure.eventhub\",\"azure.offset\",\"azure.partition_id\",\"azure.sequence_number\",\"client.address\",\"client.as.number\",\"client.as.organization.name\",\"client.as.organization.name.text\",\"client.bytes\",\"client.domain\",\"client.geo.city_name\",\"client.geo.continent_name\",\"client.geo.country_iso_code\",\"client.geo.country_name\",\"client.geo.location\",\"client.geo.name\",\"client.geo.region_iso_code\",\"client.geo.region_name\",\"client.ip\",\"client.mac\",\"client.nat.ip\",\"client.nat.port\",\"client.packets\",\"client.port\",\"client.registered_domain\",\"client.subdomain\",\"client.top_level_domain\",\"client.user.domain\",\"client.user.email\",\"client.user.full_name\",\"client.user.full_name.text\",\"client.user.group.domain\",\"client.user.group.id\",\"client.user.group.name\",\"client.user.hash\",\"client.user.id\",\"client.user.name\",\"client.user.name.text\",\"client.user.roles\",\"cloud.account.id\",\"cloud.account.name\",\"cloud.availability_zone\",\"cloud.image.id\",\"cloud.instance.id\",\"cloud
.instance.name\",\"cloud.machine.type\",\"cloud.project.id\",\"cloud.project.name\",\"cloud.provider\",\"cloud.region\",\"code_signature.exists\",\"code_signature.status\",\"code_signature.subject_name\",\"code_signature.trusted\",\"code_signature.valid\",\"container.id\",\"container.image.name\",\"container.image.tag\",\"container.name\",\"container.runtime\",\"destination.address\",\"destination.as.number\",\"destination.as.organization.name\",\"destination.as.organization.name.text\",\"destination.bytes\",\"destination.domain\",\"destination.geo.city_name\",\"destination.geo.continent_name\",\"destination.geo.country_iso_code\",\"destination.geo.country_name\",\"destination.geo.location\",\"destination.geo.name\",\"destination.geo.region_iso_code\",\"destination.geo.region_name\",\"destination.ip\",\"destination.mac\",\"destination.nat.ip\",\"destination.nat.port\",\"destination.packets\",\"destination.port\",\"destination.registered_domain\",\"destination.subdomain\",\"destination.top_level_domain\",\"destination.user.domain\",\"destination.user.email\",\"destination.user.full_name\",\"destination.user.full_name.text\",\"destination.user.group.domain\",\"destination.user.group.id\",\"destination.user.group.name\",\"destination.user.hash\",\"destination.user.id\",\"destination.user.name\",\"destination.user.name.text\",\"destination.user.roles\",\"dll.code_signature.exists\",\"dll.code_signature.status\",\"dll.code_signature.subject_name\",\"dll.code_signature.trusted\",\"dll.code_signature.valid\",\"dll.hash.md5\",\"dll.hash.sha1\",\"dll.hash.sha256\",\"dll.hash.sha512\",\"dll.name\",\"dll.path\",\"dll.pe.architecture\",\"dll.pe.company\",\"dll.pe.description\",\"dll.pe.file_version\",\"dll.pe.imphash\",\"dll.pe.original_file_name\",\"dll.pe.product\",\"dns.answers.class\",\"dns.answers.data\",\"dns.answers.name\",\"dns.answers.ttl\",\"dns.answers.type\",\"dns.header_flags\",\"dns.id\",\"dns.op_code\",\"dns.question.class\",\"dns.question.name\",\"dns.question.r
egistered_domain\",\"dns.question.subdomain\",\"dns.question.top_level_domain\",\"dns.question.type\",\"dns.resolved_ip\",\"dns.response_code\",\"dns.type\",\"ecs.version\",\"elasticsearch.audit.action\",\"elasticsearch.audit.event_type\",\"elasticsearch.audit.indices\",\"elasticsearch.audit.layer\",\"elasticsearch.audit.message\",\"elasticsearch.audit.origin.type\",\"elasticsearch.audit.realm\",\"elasticsearch.audit.request.id\",\"elasticsearch.audit.request.name\",\"elasticsearch.audit.url.params\",\"elasticsearch.audit.user.realm\",\"elasticsearch.audit.user.roles\",\"elasticsearch.cluster.name\",\"elasticsearch.cluster.uuid\",\"elasticsearch.component\",\"elasticsearch.gc.heap.size_kb\",\"elasticsearch.gc.heap.used_kb\",\"elasticsearch.gc.jvm_runtime_sec\",\"elasticsearch.gc.old_gen.size_kb\",\"elasticsearch.gc.old_gen.used_kb\",\"elasticsearch.gc.phase.class_unload_time_sec\",\"elasticsearch.gc.phase.cpu_time.real_sec\",\"elasticsearch.gc.phase.cpu_time.sys_sec\",\"elasticsearch.gc.phase.cpu_time.user_sec\",\"elasticsearch.gc.phase.duration_sec\",\"elasticsearch.gc.phase.name\",\"elasticsearch.gc.phase.parallel_rescan_time_sec\",\"elasticsearch.gc.phase.scrub_string_table_time_sec\",\"elasticsearch.gc.phase.scrub_symbol_table_time_sec\",\"elasticsearch.gc.phase.weak_refs_processing_time_sec\",\"elasticsearch.gc.stopping_threads_time_sec\",\"elasticsearch.gc.tags\",\"elasticsearch.gc.threads_total_stop_time_sec\",\"elasticsearch.gc.young_gen.size_kb\",\"elasticsearch.gc.young_gen.used_kb\",\"elasticsearch.index.id\",\"elasticsearch.index.name\",\"elasticsearch.node.id\",\"elasticsearch.node.name\",\"elasticsearch.server.gc.collection_duration.ms\",\"elasticsearch.server.gc.observation_duration.ms\",\"elasticsearch.server.gc.overhead_seq\",\"elasticsearch.server.gc.young.one\",\"elasticsearch.server.gc.young.two\",\"elasticsearch.server.stacktrace\",\"elasticsearch.shard.id\",\"elasticsearch.slowlog.extra_source\",\"elasticsearch.slowlog.id\",\"elasticsearch.slow
log.logger\",\"elasticsearch.slowlog.routing\",\"elasticsearch.slowlog.search_type\",\"elasticsearch.slowlog.source\",\"elasticsearch.slowlog.source_query\",\"elasticsearch.slowlog.stats\",\"elasticsearch.slowlog.took\",\"elasticsearch.slowlog.total_hits\",\"elasticsearch.slowlog.total_shards\",\"elasticsearch.slowlog.type\",\"elasticsearch.slowlog.types\",\"error.code\",\"error.id\",\"error.message\",\"error.stack_trace\",\"error.stack_trace.text\",\"error.type\",\"event.action\",\"event.category\",\"event.code\",\"event.created\",\"data_stream.dataset\",\"event.duration\",\"event.end\",\"event.hash\",\"event.id\",\"event.ingested\",\"event.kind\",\"event.integration\",\"event.original\",\"event.outcome\",\"event.provider\",\"event.reason\",\"event.reference\",\"event.risk_score\",\"event.risk_score_norm\",\"event.sequence\",\"event.severity\",\"event.start\",\"event.timezone\",\"event.type\",\"event.url\",\"file.accessed\",\"file.attributes\",\"file.code_signature.exists\",\"file.code_signature.status\",\"file.code_signature.subject_name\",\"file.code_signature.trusted\",\"file.code_signature.valid\",\"file.created\",\"file.ctime\",\"file.device\",\"file.directory\",\"file.drive_letter\",\"file.extension\",\"file.gid\",\"file.group\",\"file.hash.md5\",\"file.hash.sha1\",\"file.hash.sha256\",\"file.hash.sha512\",\"file.inode\",\"file.mime_type\",\"file.mode\",\"file.mtime\",\"file.name\",\"file.owner\",\"file.path\",\"file.path.text\",\"file.pe.architecture\",\"file.pe.company\",\"file.pe.description\",\"file.pe.file_version\",\"file.pe.imphash\",\"file.pe.original_file_name\",\"file.pe.product\",\"file.size\",\"file.target_path\",\"file.target_path.text\",\"file.type\",\"file.uid\",\"file.x509.alternative_names\",\"file.x509.issuer.common_name\",\"file.x509.issuer.country\",\"file.x509.issuer.distinguished_name\",\"file.x509.issuer.locality\",\"file.x509.issuer.organization\",\"file.x509.issuer.organizational_unit\",\"file.x509.issuer.state_or_province\",\"file.x5
09.not_after\",\"file.x509.not_before\",\"file.x509.public_key_algorithm\",\"file.x509.public_key_curve\",\"file.x509.public_key_exponent\",\"file.x509.public_key_size\",\"file.x509.serial_number\",\"file.x509.signature_algorithm\",\"file.x509.subject.common_name\",\"file.x509.subject.country\",\"file.x509.subject.distinguished_name\",\"file.x509.subject.locality\",\"file.x509.subject.organization\",\"file.x509.subject.organizational_unit\",\"file.x509.subject.state_or_province\",\"file.x509.version_number\",\"fileset.name\",\"geo.city_name\",\"geo.continent_name\",\"geo.country_iso_code\",\"geo.country_name\",\"geo.location\",\"geo.name\",\"geo.region_iso_code\",\"geo.region_name\",\"group.domain\",\"group.id\",\"group.name\",\"haproxy.backend_name\",\"haproxy.backend_queue\",\"haproxy.bind_name\",\"haproxy.bytes_read\",\"haproxy.connection_wait_time_ms\",\"haproxy.connections.active\",\"haproxy.connections.backend\",\"haproxy.connections.frontend\",\"haproxy.connections.retries\",\"haproxy.connections.server\",\"haproxy.error_message\",\"haproxy.frontend_name\",\"haproxy.http.request.captured_cookie\",\"haproxy.http.request.captured_headers\",\"haproxy.http.request.raw_request_line\",\"haproxy.http.request.time_wait_ms\",\"haproxy.http.request.time_wait_without_data_ms\",\"haproxy.http.response.captured_cookie\",\"haproxy.http.response.captured_headers\",\"haproxy.mode\",\"haproxy.server_name\",\"haproxy.server_queue\",\"haproxy.source\",\"haproxy.tcp.connection_waiting_time_ms\",\"haproxy.termination_state\",\"haproxy.time_backend_connect\",\"haproxy.time_queue\",\"haproxy.total_waiting_time_ms\",\"hash.md5\",\"hash.sha1\",\"hash.sha256\",\"hash.sha512\",\"hid_bravura_monitor.instancename\",\"hid_bravura_monitor.node\",\"hid_bravura_monitor.perf.address\",\"hid_bravura_monitor.perf.address\",\"hid_bravura_monitor.perf.adminid\",\"hid_bravura_monitor.perf.adminid\",\"hid_bravura_monitor.perf.dbcommand\",\"hid_bravura_monitor.perf.dbcommand\",\"hid_bravura_monitor.
perf.destination\",\"hid_bravura_monitor.perf.duration\",\"hid_bravura_monitor.perf.event\",\"hid_bravura_monitor.perf.event\",\"hid_bravura_monitor.perf.exe\",\"hid_bravura_monitor.perf.exe\",\"hid_bravura_monitor.perf.file\",\"hid_bravura_monitor.perf.function\",\"hid_bravura_monitor.perf.function\",\"hid_bravura_monitor.perf.kernel\",\"hid_bravura_monitor.perf.kind\",\"hid_bravura_monitor.perf.kind\",\"hid_bravura_monitor.perf.message\",\"hid_bravura_monitor.perf.message\",\"hid_bravura_monitor.perf.operation\",\"hid_bravura_monitor.perf.operation\",\"hid_bravura_monitor.perf.receivequeue\",\"hid_bravura_monitor.perf.receivequeue\",\"hid_bravura_monitor.perf.records\",\"hid_bravura_monitor.perf.result\",\"hid_bravura_monitor.perf.result\",\"hid_bravura_monitor.perf.rule\",\"hid_bravura_monitor.perf.sessionid\",\"hid_bravura_monitor.perf.sessionid\",\"hid_bravura_monitor.perf.sysid\",\"hid_bravura_monitor.perf.sysid\",\"hid_bravura_monitor.perf.table\",\"hid_bravura_monitor.perf.table\",\"hid_bravura_monitor.perf.targetid\",\"hid_bravura_monitor.perf.targetid\",\"hid_bravura_monitor.perf.transid\",\"hid_bravura_monitor.perf.transid\",\"hid_bravura_monitor.perf.type\",\"hid_bravura_monitor.perf.user\",\"hid_bravura_monitor.request.id\",\"hid_bravura_monitor.request.id\",\"host.architecture\",\"host.containerized\",\"host.domain\",\"host.geo.city_name\",\"host.geo.continent_name\",\"host.geo.country_iso_code\",\"host.geo.country_name\",\"host.geo.location\",\"host.geo.name\",\"host.geo.region_iso_code\",\"host.geo.region_name\",\"host.hostname\",\"host.id\",\"host.ip\",\"host.mac\",\"host.name\",\"host.os.build\",\"host.os.codename\",\"host.os.family\",\"host.os.full\",\"host.os.full.text\",\"host.os.kernel\",\"host.os.name\",\"host.os.name.text\",\"host.os.platform\",\"host.os.version\",\"host.type\",\"host.uptime\",\"host.user.domain\",\"host.user.email\",\"host.user.full_name\",\"host.user.full_name.text\",\"host.user.group.domain\",\"host.user.group.id\",\"host.
user.group.name\",\"host.user.hash\",\"host.user.id\",\"host.user.name\",\"host.user.name.text\",\"host.user.roles\",\"http.request.body.bytes\",\"http.request.body.content\",\"http.request.body.content.text\",\"http.request.bytes\",\"http.request.method\",\"http.request.mime_type\",\"http.request.referrer\",\"http.response.body.bytes\",\"http.response.body.content\",\"http.response.body.content.text\",\"http.response.bytes\",\"http.response.mime_type\",\"http.response.status_code\",\"http.version\",\"icinga.debug.facility\",\"icinga.main.facility\",\"icinga.startup.facility\",\"icmp.code\",\"icmp.type\",\"igmp.type\",\"iis.access.cookie\",\"iis.access.server_name\",\"iis.access.site_name\",\"iis.access.sub_status\",\"iis.access.win32_status\",\"iis.error.queue_name\",\"iis.error.reason_phrase\",\"input.type\",\"interface.alias\",\"interface.id\",\"interface.name\",\"jolokia.agent.id\",\"jolokia.agent.version\",\"jolokia.secured\",\"jolokia.server.product\",\"jolokia.server.vendor\",\"jolokia.server.version\",\"jolokia.url\",\"kafka.block_timestamp\",\"kafka.key\",\"kafka.log.class\",\"kafka.log.component\",\"kafka.log.thread\",\"kafka.log.trace.class\",\"kafka.log.trace.message\",\"kafka.offset\",\"kafka.partition\",\"kafka.topic\",\"kibana.add_to_spaces\",\"kibana.authentication_provider\",\"kibana.authentication_realm\",\"kibana.authentication_type\",\"kibana.delete_from_spaces\",\"kibana.log.state\",\"kibana.log.tags\",\"kibana.lookup_realm\",\"kibana.saved_object.id\",\"kibana.saved_object.type\",\"kibana.session_id\",\"kibana.space_id\",\"kubernetes.container.image\",\"kubernetes.container.name\",\"kubernetes.deployment.name\",\"kubernetes.namespace\",\"kubernetes.node.hostname\",\"kubernetes.node.name\",\"kubernetes.pod.name\",\"kubernetes.pod.uid\",\"kubernetes.replicaset.name\",\"kubernetes.statefulset.name\",\"log.file.path\",\"log.flags\",\"log.level\",\"log.logger\",\"log.offset\",\"log.origin.file.line\",\"log.origin.file.name\",\"log.origin.function\",
\"log.original\",\"log.source.address\",\"log.syslog.facility.code\",\"log.syslog.facility.name\",\"log.syslog.priority\",\"log.syslog.severity.code\",\"log.syslog.severity.name\",\"logstash.log.integration\",\"logstash.log.pipeline_id\",\"logstash.log.thread\",\"logstash.log.thread.text\",\"logstash.slowlog.event\",\"logstash.slowlog.event.text\",\"logstash.slowlog.integration\",\"logstash.slowlog.plugin_name\",\"logstash.slowlog.plugin_params\",\"logstash.slowlog.plugin_params.text\",\"logstash.slowlog.plugin_type\",\"logstash.slowlog.thread\",\"logstash.slowlog.thread.text\",\"logstash.slowlog.took_in_millis\",\"message\",\"mongodb.log.component\",\"mongodb.log.context\",\"mysql.slowlog.bytes_received\",\"mysql.slowlog.bytes_sent\",\"mysql.slowlog.current_user\",\"mysql.slowlog.filesort\",\"mysql.slowlog.filesort_on_disk\",\"mysql.slowlog.full_join\",\"mysql.slowlog.full_scan\",\"mysql.slowlog.innodb.io_r_bytes\",\"mysql.slowlog.innodb.io_r_ops\",\"mysql.slowlog.innodb.io_r_wait.sec\",\"mysql.slowlog.innodb.pages_distinct\",\"mysql.slowlog.innodb.queue_wait.sec\",\"mysql.slowlog.innodb.rec_lock_wait.sec\",\"mysql.slowlog.innodb.trx_id\",\"mysql.slowlog.killed\",\"mysql.slowlog.last_errno\",\"mysql.slowlog.lock_time.sec\",\"mysql.slowlog.log_slow_rate_limit\",\"mysql.slowlog.log_slow_rate_type\",\"mysql.slowlog.merge_passes\",\"mysql.slowlog.priority_queue\",\"mysql.slowlog.query\",\"mysql.slowlog.query_cache_hit\",\"mysql.slowlog.read_first\",\"mysql.slowlog.read_key\",\"mysql.slowlog.read_last\",\"mysql.slowlog.read_next\",\"mysql.slowlog.read_prev\",\"mysql.slowlog.read_rnd\",\"mysql.slowlog.read_rnd_next\",\"mysql.slowlog.rows_affected\",\"mysql.slowlog.rows_examined\",\"mysql.slowlog.rows_sent\",\"mysql.slowlog.schema\",\"mysql.slowlog.sort_merge_passes\",\"mysql.slowlog.sort_range_count\",\"mysql.slowlog.sort_rows\",\"mysql.slowlog.sort_scan_count\",\"mysql.slowlog.tmp_disk_tables\",\"mysql.slowlog.tmp_table\",\"mysql.slowlog.tmp_table_on_disk\",\"mysql.slow
log.tmp_table_sizes\",\"mysql.slowlog.tmp_tables\",\"mysql.thread_id\",\"nats.log.client.id\",\"nats.log.msg.bytes\",\"nats.log.msg.error.message\",\"nats.log.msg.max_messages\",\"nats.log.msg.queue_group\",\"nats.log.msg.reply_to\",\"nats.log.msg.sid\",\"nats.log.msg.subject\",\"nats.log.msg.type\",\"network.application\",\"network.bytes\",\"network.community_id\",\"network.direction\",\"network.forwarded_ip\",\"network.iana_number\",\"network.inner.vlan.id\",\"network.inner.vlan.name\",\"network.name\",\"network.packets\",\"network.protocol\",\"network.transport\",\"network.type\",\"network.vlan.id\",\"network.vlan.name\",\"nginx.error.connection_id\",\"nginx.ingress_controller.http.request.id\",\"nginx.ingress_controller.http.request.length\",\"nginx.ingress_controller.http.request.time\",\"nginx.ingress_controller.upstream.alternative_name\",\"nginx.ingress_controller.upstream.ip\",\"nginx.ingress_controller.upstream.name\",\"nginx.ingress_controller.upstream.port\",\"nginx.ingress_controller.upstream.response.length\",\"nginx.ingress_controller.upstream.response.length_list\",\"nginx.ingress_controller.upstream.response.status_code\",\"nginx.ingress_controller.upstream.response.status_code_list\",\"nginx.ingress_controller.upstream.response.time\",\"nginx.ingress_controller.upstream.response.time_list\",\"nginx.ingress_controller.upstream_address_list\",\"observer.egress.interface.alias\",\"observer.egress.interface.id\",\"observer.egress.interface.name\",\"observer.egress.vlan.id\",\"observer.egress.vlan.name\",\"observer.egress.zone\",\"observer.geo.city_name\",\"observer.geo.continent_name\",\"observer.geo.country_iso_code\",\"observer.geo.country_name\",\"observer.geo.location\",\"observer.geo.name\",\"observer.geo.region_iso_code\",\"observer.geo.region_name\",\"observer.hostname\",\"observer.ingress.interface.alias\",\"observer.ingress.interface.id\",\"observer.ingress.interface.name\",\"observer.ingress.vlan.id\",\"observer.ingress.vlan.name\",\"observer
.ingress.zone\",\"observer.ip\",\"observer.mac\",\"observer.name\",\"observer.os.family\",\"observer.os.full\",\"observer.os.full.text\",\"observer.os.kernel\",\"observer.os.name\",\"observer.os.name.text\",\"observer.os.platform\",\"observer.os.version\",\"observer.product\",\"observer.serial_number\",\"observer.type\",\"observer.vendor\",\"observer.version\",\"organization.id\",\"organization.name\",\"organization.name.text\",\"os.family\",\"os.full\",\"os.full.text\",\"os.kernel\",\"os.name\",\"os.name.text\",\"os.platform\",\"os.version\",\"osquery.result.action\",\"osquery.result.calendar_time\",\"osquery.result.host_identifier\",\"osquery.result.name\",\"osquery.result.unix_time\",\"package.architecture\",\"package.build_version\",\"package.checksum\",\"package.description\",\"package.install_scope\",\"package.installed\",\"package.license\",\"package.name\",\"package.path\",\"package.reference\",\"package.size\",\"package.type\",\"package.version\",\"pe.architecture\",\"pe.company\",\"pe.description\",\"pe.file_version\",\"pe.imphash\",\"pe.original_file_name\",\"pe.product\",\"postgresql.log.core_id\",\"postgresql.log.database\",\"postgresql.log.error.code\",\"postgresql.log.query\",\"postgresql.log.query_name\",\"postgresql.log.query_step\",\"postgresql.log.timestamp\",\"process.args\",\"process.args_count\",\"process.code_signature.exists\",\"process.code_signature.status\",\"process.code_signature.subject_name\",\"process.code_signature.trusted\",\"process.code_signature.valid\",\"process.command_line\",\"process.command_line.text\",\"process.entity_id\",\"process.executable\",\"process.executable.text\",\"process.exit_code\",\"process.hash.md5\",\"process.hash.sha1\",\"process.hash.sha256\",\"process.hash.sha512\",\"process.name\",\"process.name.text\",\"process.parent.args\",\"process.parent.args_count\",\"process.parent.code_signature.exists\",\"process.parent.code_signature.status\",\"process.parent.code_signature.subject_name\",\"process.parent.code_
signature.trusted\",\"process.parent.code_signature.valid\",\"process.parent.command_line\",\"process.parent.command_line.text\",\"process.parent.entity_id\",\"process.parent.executable\",\"process.parent.executable.text\",\"process.parent.exit_code\",\"process.parent.hash.md5\",\"process.parent.hash.sha1\",\"process.parent.hash.sha256\",\"process.parent.hash.sha512\",\"process.parent.name\",\"process.parent.name.text\",\"process.parent.pe.architecture\",\"process.parent.pe.company\",\"process.parent.pe.description\",\"process.parent.pe.file_version\",\"process.parent.pe.imphash\",\"process.parent.pe.original_file_name\",\"process.parent.pe.product\",\"process.parent.pgid\",\"process.parent.pid\",\"process.parent.ppid\",\"process.parent.start\",\"process.parent.thread.id\",\"process.parent.thread.name\",\"process.parent.title\",\"process.parent.title.text\",\"process.parent.uptime\",\"process.parent.working_directory\",\"process.parent.working_directory.text\",\"process.pe.architecture\",\"process.pe.company\",\"process.pe.description\",\"process.pe.file_version\",\"process.pe.imphash\",\"process.pe.original_file_name\",\"process.pe.product\",\"process.pgid\",\"process.pid\",\"process.ppid\",\"process.program\",\"process.start\",\"process.thread.id\",\"process.thread.name\",\"process.title\",\"process.title.text\",\"process.uptime\",\"process.working_directory\",\"process.working_directory.text\",\"redis.log.role\",\"redis.slowlog.args\",\"redis.slowlog.cmd\",\"redis.slowlog.duration.us\",\"redis.slowlog.id\",\"redis.slowlog.key\",\"registry.data.bytes\",\"registry.data.strings\",\"registry.data.type\",\"registry.hive\",\"registry.key\",\"registry.path\",\"registry.value\",\"related.hash\",\"related.hosts\",\"related.ip\",\"related.user\",\"rule.author\",\"rule.category\",\"rule.description\",\"rule.id\",\"rule.license\",\"rule.name\",\"rule.reference\",\"rule.ruleset\",\"rule.uuid\",\"rule.version\",\"santa.action\",\"santa.certificate.common_name\",\"santa.certifi
cate.sha256\",\"santa.decision\",\"santa.disk.bsdname\",\"santa.disk.bus\",\"santa.disk.fs\",\"santa.disk.model\",\"santa.disk.mount\",\"santa.disk.serial\",\"santa.disk.volume\",\"santa.mode\",\"santa.reason\",\"server.address\",\"server.as.number\",\"server.as.organization.name\",\"server.as.organization.name.text\",\"server.bytes\",\"server.domain\",\"server.geo.city_name\",\"server.geo.continent_name\",\"server.geo.country_iso_code\",\"server.geo.country_name\",\"server.geo.location\",\"server.geo.name\",\"server.geo.region_iso_code\",\"server.geo.region_name\",\"server.ip\",\"server.mac\",\"server.nat.ip\",\"server.nat.port\",\"server.packets\",\"server.port\",\"server.registered_domain\",\"server.subdomain\",\"server.top_level_domain\",\"server.user.domain\",\"server.user.email\",\"server.user.full_name\",\"server.user.full_name.text\",\"server.user.group.domain\",\"server.user.group.id\",\"server.user.group.name\",\"server.user.hash\",\"server.user.id\",\"server.user.name\",\"server.user.name.text\",\"server.user.roles\",\"service.ephemeral_id\",\"service.id\",\"service.name\",\"service.node.name\",\"service.state\",\"service.type\",\"service.version\",\"source.address\",\"source.as.number\",\"source.as.organization.name\",\"source.as.organization.name.text\",\"source.bytes\",\"source.domain\",\"source.geo.city_name\",\"source.geo.continent_name\",\"source.geo.country_iso_code\",\"source.geo.country_name\",\"source.geo.location\",\"source.geo.name\",\"source.geo.region_iso_code\",\"source.geo.region_name\",\"source.ip\",\"source.mac\",\"source.nat.ip\",\"source.nat.port\",\"source.packets\",\"source.port\",\"source.registered_domain\",\"source.subdomain\",\"source.top_level_domain\",\"source.user.domain\",\"source.user.email\",\"source.user.full_name\",\"source.user.full_name.text\",\"source.user.group.domain\",\"source.user.group.id\",\"source.user.group.name\",\"source.user.hash\",\"source.user.id\",\"source.user.name\",\"source.user.name.text\",\"source.us
er.roles\",\"span.id\",\"stream\",\"syslog.facility\",\"syslog.facility_label\",\"syslog.priority\",\"syslog.severity_label\",\"system.auth.ssh.dropped_ip\",\"system.auth.ssh.event\",\"system.auth.ssh.method\",\"system.auth.ssh.signature\",\"system.auth.sudo.command\",\"system.auth.sudo.error\",\"system.auth.sudo.pwd\",\"system.auth.sudo.tty\",\"system.auth.sudo.user\",\"system.auth.useradd.home\",\"system.auth.useradd.shell\",\"tags\",\"threat.framework\",\"threat.tactic.id\",\"threat.tactic.name\",\"threat.tactic.reference\",\"threat.technique.id\",\"threat.technique.name\",\"threat.technique.name.text\",\"threat.technique.reference\",\"threat.technique.subtechnique.id\",\"threat.technique.subtechnique.name\",\"threat.technique.subtechnique.name.text\",\"threat.technique.subtechnique.reference\",\"timeseries.instance\",\"tls.cipher\",\"tls.client.certificate\",\"tls.client.certificate_chain\",\"tls.client.hash.md5\",\"tls.client.hash.sha1\",\"tls.client.hash.sha256\",\"tls.client.issuer\",\"tls.client.ja3\",\"tls.client.not_after\",\"tls.client.not_before\",\"tls.client.server_name\",\"tls.client.subject\",\"tls.client.supported_ciphers\",\"tls.client.x509.alternative_names\",\"tls.client.x509.issuer.common_name\",\"tls.client.x509.issuer.country\",\"tls.client.x509.issuer.distinguished_name\",\"tls.client.x509.issuer.locality\",\"tls.client.x509.issuer.organization\",\"tls.client.x509.issuer.organizational_unit\",\"tls.client.x509.issuer.state_or_province\",\"tls.client.x509.not_after\",\"tls.client.x509.not_before\",\"tls.client.x509.public_key_algorithm\",\"tls.client.x509.public_key_curve\",\"tls.client.x509.public_key_exponent\",\"tls.client.x509.public_key_size\",\"tls.client.x509.serial_number\",\"tls.client.x509.signature_algorithm\",\"tls.client.x509.subject.common_name\",\"tls.client.x509.subject.country\",\"tls.client.x509.subject.distinguished_name\",\"tls.client.x509.subject.locality\",\"tls.client.x509.subject.organization\",\"tls.client.x509.subject
.organizational_unit\",\"tls.client.x509.subject.state_or_province\",\"tls.client.x509.version_number\",\"tls.curve\",\"tls.established\",\"tls.next_protocol\",\"tls.resumed\",\"tls.server.certificate\",\"tls.server.certificate_chain\",\"tls.server.hash.md5\",\"tls.server.hash.sha1\",\"tls.server.hash.sha256\",\"tls.server.issuer\",\"tls.server.ja3s\",\"tls.server.not_after\",\"tls.server.not_before\",\"tls.server.subject\",\"tls.server.x509.alternative_names\",\"tls.server.x509.issuer.common_name\",\"tls.server.x509.issuer.country\",\"tls.server.x509.issuer.distinguished_name\",\"tls.server.x509.issuer.locality\",\"tls.server.x509.issuer.organization\",\"tls.server.x509.issuer.organizational_unit\",\"tls.server.x509.issuer.state_or_province\",\"tls.server.x509.not_after\",\"tls.server.x509.not_before\",\"tls.server.x509.public_key_algorithm\",\"tls.server.x509.public_key_curve\",\"tls.server.x509.public_key_exponent\",\"tls.server.x509.public_key_size\",\"tls.server.x509.serial_number\",\"tls.server.x509.signature_algorithm\",\"tls.server.x509.subject.common_name\",\"tls.server.x509.subject.country\",\"tls.server.x509.subject.distinguished_name\",\"tls.server.x509.subject.locality\",\"tls.server.x509.subject.organization\",\"tls.server.x509.subject.organizational_unit\",\"tls.server.x509.subject.state_or_province\",\"tls.server.x509.version_number\",\"tls.version\",\"tls.version_protocol\",\"trace.id\",\"traefik.access.backend_url\",\"traefik.access.frontend_name\",\"traefik.access.geoip.city_name\",\"traefik.access.geoip.continent_name\",\"traefik.access.geoip.country_iso_code\",\"traefik.access.geoip.location\",\"traefik.access.geoip.region_iso_code\",\"traefik.access.geoip.region_name\",\"traefik.access.request_count\",\"traefik.access.user_agent.device\",\"traefik.access.user_agent.name\",\"traefik.access.user_agent.original\",\"traefik.access.user_agent.os\",\"traefik.access.user_agent.os_name\",\"traefik.access.user_identifier\",\"transaction.id\",\"url.domai
n\",\"url.extension\",\"url.fragment\",\"url.full\",\"url.full.text\",\"url.original\",\"url.original.text\",\"url.password\",\"url.path\",\"url.port\",\"url.query\",\"url.registered_domain\",\"url.scheme\",\"url.subdomain\",\"url.top_level_domain\",\"url.username\",\"user.audit.group.id\",\"user.audit.group.name\",\"user.audit.id\",\"user.audit.name\",\"user.domain\",\"user.effective.group.id\",\"user.effective.group.name\",\"user.effective.id\",\"user.effective.name\",\"user.email\",\"user.filesystem.group.id\",\"user.filesystem.group.name\",\"user.filesystem.id\",\"user.filesystem.name\",\"user.full_name\",\"user.full_name.text\",\"user.group.domain\",\"user.group.id\",\"user.group.name\",\"user.hash\",\"user.id\",\"user.name\",\"user.name.text\",\"user.owner.group.id\",\"user.owner.group.name\",\"user.owner.id\",\"user.owner.name\",\"user.roles\",\"user.saved.group.id\",\"user.saved.group.name\",\"user.saved.id\",\"user.saved.name\",\"user.terminal\",\"user_agent.device.name\",\"user_agent.name\",\"user_agent.original\",\"user_agent.original.text\",\"user_agent.os.family\",\"user_agent.os.full\",\"user_agent.os.full.text\",\"user_agent.os.full_name\",\"user_agent.os.kernel\",\"user_agent.os.name\",\"user_agent.os.name.text\",\"user_agent.os.platform\",\"user_agent.os.version\",\"user_agent.version\",\"vlan.id\",\"vlan.name\",\"vulnerability.category\",\"vulnerability.classification\",\"vulnerability.description\",\"vulnerability.description.text\",\"vulnerability.enumeration\",\"vulnerability.id\",\"vulnerability.reference\",\"vulnerability.report_id\",\"vulnerability.scanner.vendor\",\"vulnerability.score.base\",\"vulnerability.score.environmental\",\"vulnerability.score.temporal\",\"vulnerability.score.version\",\"vulnerability.severity\",\"x509.alternative_names\",\"x509.issuer.common_name\",\"x509.issuer.country\",\"x509.issuer.distinguished_name\",\"x509.issuer.locality\",\"x509.issuer.organization\",\"x509.issuer.organizational_unit\",\"x509.issuer.state_o
r_province\",\"x509.not_after\",\"x509.not_before\",\"x509.public_key_algorithm\",\"x509.public_key_curve\",\"x509.public_key_exponent\",\"x509.public_key_size\",\"x509.serial_number\",\"x509.signature_algorithm\",\"x509.subject.common_name\",\"x509.subject.country\",\"x509.subject.distinguished_name\",\"x509.subject.locality\",\"x509.subject.organization\",\"x509.subject.organizational_unit\",\"x509.subject.state_or_province\",\"x509.version_number\"],\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"hid_bravura_monitor.perf.kind\",\"negate\":false,\"params\":{\"query\":\"PerfIDAPI\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"hid_bravura_monitor.perf.kind\":\"PerfIDAPI\"}}}],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "PerfIDAPI", - "version": 1 - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-991d9760-1473-11eb-bb7b-bb041e8cf289", - "migrationVersion": { - "search": "7.9.3" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/hid_bravura_monitor/1.2.3/kibana/search/hid_bravura_monitor-9a787d10-0521-11ec-853c-2bf1ec8ddeef.json b/packages/hid_bravura_monitor/1.2.3/kibana/search/hid_bravura_monitor-9a787d10-0521-11ec-853c-2bf1ec8ddeef.json deleted file mode 100755 index 1933bda0f2..0000000000 
--- a/packages/hid_bravura_monitor/1.2.3/kibana/search/hid_bravura_monitor-9a787d10-0521-11ec-853c-2bf1ec8ddeef.json
+++ /dev/null
@@ -1,44 +0,0 @@ -{ - "attributes": { - "columns": [], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"winlog.provider_name\",\"negate\":false,\"params\":{\"query\":\"Hitachi-Hitachi ID Systems-Hitachi ID Suite\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"winlog.provider_name\":\"Hitachi-Hitachi ID Systems-Hitachi ID Suite\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":[\"8\",\"9\",\"10\",\"6\",\"78\"],\"type\":\"phrases\",\"value\":\"8, 9, 10, 6, 78\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.code\":\"8\"}},{\"match_phrase\":{\"event.code\":\"9\"}},{\"match_phrase\":{\"event.code\":\"10\"}},{\"match_phrase\":{\"event.code\":\"6\"}},{\"match_phrase\":{\"event.code\":\"78\"}}]}}}],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "Hitachi ID Windows Event Logs - Replication", - "version": 1 - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-9a787d10-0521-11ec-853c-2bf1ec8ddeef", - "migrationVersion": { - "search": "7.9.3" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "type": "index-pattern" - } - 
], - "type": "search" -} \ No newline at end of file diff --git a/packages/hid_bravura_monitor/1.2.3/kibana/search/hid_bravura_monitor-9e4165d0-1a1a-11eb-abcf-effcd51852fa.json b/packages/hid_bravura_monitor/1.2.3/kibana/search/hid_bravura_monitor-9e4165d0-1a1a-11eb-abcf-effcd51852fa.json deleted file mode 100755 index baafc6c4e5..0000000000 --- a/packages/hid_bravura_monitor/1.2.3/kibana/search/hid_bravura_monitor-9e4165d0-1a1a-11eb-abcf-effcd51852fa.json +++ /dev/null 
@@ -1,46 +0,0 @@ -{ - "attributes": { - "columns": [ - "_source" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"log.logger\",\"negate\":false,\"params\":[\"ajaxsvc.exe\",\"psf.exe\",\"psa.exe\"],\"type\":\"phrases\",\"value\":\"ajaxsvc.exe, psf.exe, psa.exe\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"log.logger\":\"ajaxsvc.exe\"}},{\"match_phrase\":{\"log.logger\":\"psf.exe\"}},{\"match_phrase\":{\"log.logger\":\"psa.exe\"}}]}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"log.level\",\"negate\":false,\"params\":[\"Error\",\"Warning\"],\"type\":\"phrases\",\"value\":\"Error, Warning\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"log.level\":\"Error\"}},{\"match_phrase\":{\"log.level\":\"Warning\"}}]}}},{\"$state\":{\"store\":\"appState\"},\"exists\":{\"field\":\"user.id\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[2].meta.index\",\"key\":\"user.id\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"}}],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}" - }, - "sort": [], - "title": "User Issue Logs", - "version": 1 - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-9e4165d0-1a1a-11eb-abcf-effcd51852fa", - "migrationVersion": { - "search": "7.9.3" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": 
"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[2].meta.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/hid_bravura_monitor/1.2.3/kibana/search/hid_bravura_monitor-ad5f7180-1473-11eb-bb7b-bb041e8cf289.json b/packages/hid_bravura_monitor/1.2.3/kibana/search/hid_bravura_monitor-ad5f7180-1473-11eb-bb7b-bb041e8cf289.json deleted file mode 100755 index 7d2a1af5bf..0000000000 --- a/packages/hid_bravura_monitor/1.2.3/kibana/search/hid_bravura_monitor-ad5f7180-1473-11eb-bb7b-bb041e8cf289.json +++ /dev/null 
@@ -1,39 +0,0 @@ -{ - "attributes": { - "columns": [], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"fieldsFromSource\":[\"@timestamp\",\"_id\",\"_index\",\"_score\",\"_source\",\"_type\",\"agent.build.original\",\"agent.ephemeral_id\",\"agent.hostname\",\"agent.id\",\"agent.name\",\"agent.type\",\"agent.version\",\"apache.access.ssl.cipher\",\"apache.access.ssl.protocol\",\"apache.error.integration\",\"as.number\",\"as.organization.name\",\"as.organization.name.text\",\"auditd.log.a0\",\"auditd.log.addr\",\"auditd.log.item\",\"auditd.log.items\",\"auditd.log.laddr\",\"auditd.log.lport\",\"auditd.log.new_auid\",\"auditd.log.new_ses\",\"auditd.log.old_auid\",\"auditd.log.old_ses\",\"auditd.log.rport\",\"auditd.log.sequence\",\"auditd.log.tty\",\"azure.consumer_group\",\"azure.enqueued_time\",\"azure.eventhub\",\"azure.offset\",\"azure.partition_id\",\"azure.sequence_number\",\"client.address\",\"client.as.number\",\"client.as.organization.name\",\"client.as.organization.name.text\",\"client.bytes\",\"client.domain\",\"client.geo.city_name\",\"client.geo.continent_name\",\"client.geo.country_iso_code\",\"client.geo.country_name\",\"client.geo.location\",\"client.geo.name\",\"client.geo.region_iso_code\",\"client.geo.region_name\",\"client.ip\",\"client.mac\",\"client.nat.ip\",\"client.nat.port\",\"client.packets\",\"client.port\",\"client.registered_domain\",\"client.subdomain\",\"client.top_level_domain\",\"client.user.domain\",\"client.user.email\",\"client.user.full_name\",\"client.user.full_name.text\",\"client.user.group.domain\",\"client.user.group.id\",\"client.user.group.name\",\"client.user.hash\",\"client.user.id\",\"client.user.name\",\"client.user.name.text\",\"client.user.roles\",\"cloud.account.id\",\"cloud.account.name\",\"cloud.availability_zone\",\"cloud.image.id\",\"cloud.instance.id\",\"cloud.instance.name\",\"cloud.machine.type\",\"cloud.project.id\",\"cloud.project.name\",\"cloud.provider\",\"cloud.region
\",\"code_signature.exists\",\"code_signature.status\",\"code_signature.subject_name\",\"code_signature.trusted\",\"code_signature.valid\",\"container.id\",\"container.image.name\",\"container.image.tag\",\"container.name\",\"container.runtime\",\"destination.address\",\"destination.as.number\",\"destination.as.organization.name\",\"destination.as.organization.name.text\",\"destination.bytes\",\"destination.domain\",\"destination.geo.city_name\",\"destination.geo.continent_name\",\"destination.geo.country_iso_code\",\"destination.geo.country_name\",\"destination.geo.location\",\"destination.geo.name\",\"destination.geo.region_iso_code\",\"destination.geo.region_name\",\"destination.ip\",\"destination.mac\",\"destination.nat.ip\",\"destination.nat.port\",\"destination.packets\",\"destination.port\",\"destination.registered_domain\",\"destination.subdomain\",\"destination.top_level_domain\",\"destination.user.domain\",\"destination.user.email\",\"destination.user.full_name\",\"destination.user.full_name.text\",\"destination.user.group.domain\",\"destination.user.group.id\",\"destination.user.group.name\",\"destination.user.hash\",\"destination.user.id\",\"destination.user.name\",\"destination.user.name.text\",\"destination.user.roles\",\"dll.code_signature.exists\",\"dll.code_signature.status\",\"dll.code_signature.subject_name\",\"dll.code_signature.trusted\",\"dll.code_signature.valid\",\"dll.hash.md5\",\"dll.hash.sha1\",\"dll.hash.sha256\",\"dll.hash.sha512\",\"dll.name\",\"dll.path\",\"dll.pe.architecture\",\"dll.pe.company\",\"dll.pe.description\",\"dll.pe.file_version\",\"dll.pe.imphash\",\"dll.pe.original_file_name\",\"dll.pe.product\",\"dns.answers.class\",\"dns.answers.data\",\"dns.answers.name\",\"dns.answers.ttl\",\"dns.answers.type\",\"dns.header_flags\",\"dns.id\",\"dns.op_code\",\"dns.question.class\",\"dns.question.name\",\"dns.question.registered_domain\",\"dns.question.subdomain\",\"dns.question.top_level_domain\",\"dns.question.type\",\"dns.resolved_
ip\",\"dns.response_code\",\"dns.type\",\"ecs.version\",\"elasticsearch.audit.action\",\"elasticsearch.audit.event_type\",\"elasticsearch.audit.indices\",\"elasticsearch.audit.layer\",\"elasticsearch.audit.message\",\"elasticsearch.audit.origin.type\",\"elasticsearch.audit.realm\",\"elasticsearch.audit.request.id\",\"elasticsearch.audit.request.name\",\"elasticsearch.audit.url.params\",\"elasticsearch.audit.user.realm\",\"elasticsearch.audit.user.roles\",\"elasticsearch.cluster.name\",\"elasticsearch.cluster.uuid\",\"elasticsearch.component\",\"elasticsearch.gc.heap.size_kb\",\"elasticsearch.gc.heap.used_kb\",\"elasticsearch.gc.jvm_runtime_sec\",\"elasticsearch.gc.old_gen.size_kb\",\"elasticsearch.gc.old_gen.used_kb\",\"elasticsearch.gc.phase.class_unload_time_sec\",\"elasticsearch.gc.phase.cpu_time.real_sec\",\"elasticsearch.gc.phase.cpu_time.sys_sec\",\"elasticsearch.gc.phase.cpu_time.user_sec\",\"elasticsearch.gc.phase.duration_sec\",\"elasticsearch.gc.phase.name\",\"elasticsearch.gc.phase.parallel_rescan_time_sec\",\"elasticsearch.gc.phase.scrub_string_table_time_sec\",\"elasticsearch.gc.phase.scrub_symbol_table_time_sec\",\"elasticsearch.gc.phase.weak_refs_processing_time_sec\",\"elasticsearch.gc.stopping_threads_time_sec\",\"elasticsearch.gc.tags\",\"elasticsearch.gc.threads_total_stop_time_sec\",\"elasticsearch.gc.young_gen.size_kb\",\"elasticsearch.gc.young_gen.used_kb\",\"elasticsearch.index.id\",\"elasticsearch.index.name\",\"elasticsearch.node.id\",\"elasticsearch.node.name\",\"elasticsearch.server.gc.collection_duration.ms\",\"elasticsearch.server.gc.observation_duration.ms\",\"elasticsearch.server.gc.overhead_seq\",\"elasticsearch.server.gc.young.one\",\"elasticsearch.server.gc.young.two\",\"elasticsearch.server.stacktrace\",\"elasticsearch.shard.id\",\"elasticsearch.slowlog.extra_source\",\"elasticsearch.slowlog.id\",\"elasticsearch.slowlog.logger\",\"elasticsearch.slowlog.routing\",\"elasticsearch.slowlog.search_type\",\"elasticsearch.slowlog.source\"
,\"elasticsearch.slowlog.source_query\",\"elasticsearch.slowlog.stats\",\"elasticsearch.slowlog.took\",\"elasticsearch.slowlog.total_hits\",\"elasticsearch.slowlog.total_shards\",\"elasticsearch.slowlog.type\",\"elasticsearch.slowlog.types\",\"error.code\",\"error.id\",\"error.message\",\"error.stack_trace\",\"error.stack_trace.text\",\"error.type\",\"event.action\",\"event.category\",\"event.code\",\"event.created\",\"data_stream.dataset\",\"event.duration\",\"event.end\",\"event.hash\",\"event.id\",\"event.ingested\",\"event.kind\",\"event.integration\",\"event.original\",\"event.outcome\",\"event.provider\",\"event.reason\",\"event.reference\",\"event.risk_score\",\"event.risk_score_norm\",\"event.sequence\",\"event.severity\",\"event.start\",\"event.timezone\",\"event.type\",\"event.url\",\"file.accessed\",\"file.attributes\",\"file.code_signature.exists\",\"file.code_signature.status\",\"file.code_signature.subject_name\",\"file.code_signature.trusted\",\"file.code_signature.valid\",\"file.created\",\"file.ctime\",\"file.device\",\"file.directory\",\"file.drive_letter\",\"file.extension\",\"file.gid\",\"file.group\",\"file.hash.md5\",\"file.hash.sha1\",\"file.hash.sha256\",\"file.hash.sha512\",\"file.inode\",\"file.mime_type\",\"file.mode\",\"file.mtime\",\"file.name\",\"file.owner\",\"file.path\",\"file.path.text\",\"file.pe.architecture\",\"file.pe.company\",\"file.pe.description\",\"file.pe.file_version\",\"file.pe.imphash\",\"file.pe.original_file_name\",\"file.pe.product\",\"file.size\",\"file.target_path\",\"file.target_path.text\",\"file.type\",\"file.uid\",\"file.x509.alternative_names\",\"file.x509.issuer.common_name\",\"file.x509.issuer.country\",\"file.x509.issuer.distinguished_name\",\"file.x509.issuer.locality\",\"file.x509.issuer.organization\",\"file.x509.issuer.organizational_unit\",\"file.x509.issuer.state_or_province\",\"file.x509.not_after\",\"file.x509.not_before\",\"file.x509.public_key_algorithm\",\"file.x509.public_key_curve\",\"file.x509
.public_key_exponent\",\"file.x509.public_key_size\",\"file.x509.serial_number\",\"file.x509.signature_algorithm\",\"file.x509.subject.common_name\",\"file.x509.subject.country\",\"file.x509.subject.distinguished_name\",\"file.x509.subject.locality\",\"file.x509.subject.organization\",\"file.x509.subject.organizational_unit\",\"file.x509.subject.state_or_province\",\"file.x509.version_number\",\"fileset.name\",\"geo.city_name\",\"geo.continent_name\",\"geo.country_iso_code\",\"geo.country_name\",\"geo.location\",\"geo.name\",\"geo.region_iso_code\",\"geo.region_name\",\"group.domain\",\"group.id\",\"group.name\",\"haproxy.backend_name\",\"haproxy.backend_queue\",\"haproxy.bind_name\",\"haproxy.bytes_read\",\"haproxy.connection_wait_time_ms\",\"haproxy.connections.active\",\"haproxy.connections.backend\",\"haproxy.connections.frontend\",\"haproxy.connections.retries\",\"haproxy.connections.server\",\"haproxy.error_message\",\"haproxy.frontend_name\",\"haproxy.http.request.captured_cookie\",\"haproxy.http.request.captured_headers\",\"haproxy.http.request.raw_request_line\",\"haproxy.http.request.time_wait_ms\",\"haproxy.http.request.time_wait_without_data_ms\",\"haproxy.http.response.captured_cookie\",\"haproxy.http.response.captured_headers\",\"haproxy.mode\",\"haproxy.server_name\",\"haproxy.server_queue\",\"haproxy.source\",\"haproxy.tcp.connection_waiting_time_ms\",\"haproxy.termination_state\",\"haproxy.time_backend_connect\",\"haproxy.time_queue\",\"haproxy.total_waiting_time_ms\",\"hash.md5\",\"hash.sha1\",\"hash.sha256\",\"hash.sha512\",\"hid_bravura_monitor.instancename\",\"hid_bravura_monitor.node\",\"hid_bravura_monitor.perf.address\",\"hid_bravura_monitor.perf.address\",\"hid_bravura_monitor.perf.adminid\",\"hid_bravura_monitor.perf.adminid\",\"hid_bravura_monitor.perf.dbcommand\",\"hid_bravura_monitor.perf.dbcommand\",\"hid_bravura_monitor.perf.destination\",\"hid_bravura_monitor.perf.duration\",\"hid_bravura_monitor.perf.event\",\"hid_bravura_monitor.per
f.event\",\"hid_bravura_monitor.perf.exe\",\"hid_bravura_monitor.perf.exe\",\"hid_bravura_monitor.perf.file\",\"hid_bravura_monitor.perf.function\",\"hid_bravura_monitor.perf.function\",\"hid_bravura_monitor.perf.kernel\",\"hid_bravura_monitor.perf.kind\",\"hid_bravura_monitor.perf.kind\",\"hid_bravura_monitor.perf.message\",\"hid_bravura_monitor.perf.message\",\"hid_bravura_monitor.perf.operation\",\"hid_bravura_monitor.perf.operation\",\"hid_bravura_monitor.perf.receivequeue\",\"hid_bravura_monitor.perf.receivequeue\",\"hid_bravura_monitor.perf.records\",\"hid_bravura_monitor.perf.result\",\"hid_bravura_monitor.perf.result\",\"hid_bravura_monitor.perf.rule\",\"hid_bravura_monitor.perf.sessionid\",\"hid_bravura_monitor.perf.sessionid\",\"hid_bravura_monitor.perf.sysid\",\"hid_bravura_monitor.perf.sysid\",\"hid_bravura_monitor.perf.table\",\"hid_bravura_monitor.perf.table\",\"hid_bravura_monitor.perf.targetid\",\"hid_bravura_monitor.perf.targetid\",\"hid_bravura_monitor.perf.transid\",\"hid_bravura_monitor.perf.transid\",\"hid_bravura_monitor.perf.type\",\"hid_bravura_monitor.perf.user\",\"hid_bravura_monitor.request.id\",\"hid_bravura_monitor.request.id\",\"host.architecture\",\"host.containerized\",\"host.domain\",\"host.geo.city_name\",\"host.geo.continent_name\",\"host.geo.country_iso_code\",\"host.geo.country_name\",\"host.geo.location\",\"host.geo.name\",\"host.geo.region_iso_code\",\"host.geo.region_name\",\"host.hostname\",\"host.id\",\"host.ip\",\"host.mac\",\"host.name\",\"host.os.build\",\"host.os.codename\",\"host.os.family\",\"host.os.full\",\"host.os.full.text\",\"host.os.kernel\",\"host.os.name\",\"host.os.name.text\",\"host.os.platform\",\"host.os.version\",\"host.type\",\"host.uptime\",\"host.user.domain\",\"host.user.email\",\"host.user.full_name\",\"host.user.full_name.text\",\"host.user.group.domain\",\"host.user.group.id\",\"host.user.group.name\",\"host.user.hash\",\"host.user.id\",\"host.user.name\",\"host.user.name.text\",\"host.user.roles\",
\"http.request.body.bytes\",\"http.request.body.content\",\"http.request.body.content.text\",\"http.request.bytes\",\"http.request.method\",\"http.request.mime_type\",\"http.request.referrer\",\"http.response.body.bytes\",\"http.response.body.content\",\"http.response.body.content.text\",\"http.response.bytes\",\"http.response.mime_type\",\"http.response.status_code\",\"http.version\",\"icinga.debug.facility\",\"icinga.main.facility\",\"icinga.startup.facility\",\"icmp.code\",\"icmp.type\",\"igmp.type\",\"iis.access.cookie\",\"iis.access.server_name\",\"iis.access.site_name\",\"iis.access.sub_status\",\"iis.access.win32_status\",\"iis.error.queue_name\",\"iis.error.reason_phrase\",\"input.type\",\"interface.alias\",\"interface.id\",\"interface.name\",\"jolokia.agent.id\",\"jolokia.agent.version\",\"jolokia.secured\",\"jolokia.server.product\",\"jolokia.server.vendor\",\"jolokia.server.version\",\"jolokia.url\",\"kafka.block_timestamp\",\"kafka.key\",\"kafka.log.class\",\"kafka.log.component\",\"kafka.log.thread\",\"kafka.log.trace.class\",\"kafka.log.trace.message\",\"kafka.offset\",\"kafka.partition\",\"kafka.topic\",\"kibana.add_to_spaces\",\"kibana.authentication_provider\",\"kibana.authentication_realm\",\"kibana.authentication_type\",\"kibana.delete_from_spaces\",\"kibana.log.state\",\"kibana.log.tags\",\"kibana.lookup_realm\",\"kibana.saved_object.id\",\"kibana.saved_object.type\",\"kibana.session_id\",\"kibana.space_id\",\"kubernetes.container.image\",\"kubernetes.container.name\",\"kubernetes.deployment.name\",\"kubernetes.namespace\",\"kubernetes.node.hostname\",\"kubernetes.node.name\",\"kubernetes.pod.name\",\"kubernetes.pod.uid\",\"kubernetes.replicaset.name\",\"kubernetes.statefulset.name\",\"log.file.path\",\"log.flags\",\"log.level\",\"log.logger\",\"log.offset\",\"log.origin.file.line\",\"log.origin.file.name\",\"log.origin.function\",\"log.original\",\"log.source.address\",\"log.syslog.facility.code\",\"log.syslog.facility.name\",\"log.syslog.priori
ty\",\"log.syslog.severity.code\",\"log.syslog.severity.name\",\"logstash.log.integration\",\"logstash.log.pipeline_id\",\"logstash.log.thread\",\"logstash.log.thread.text\",\"logstash.slowlog.event\",\"logstash.slowlog.event.text\",\"logstash.slowlog.integration\",\"logstash.slowlog.plugin_name\",\"logstash.slowlog.plugin_params\",\"logstash.slowlog.plugin_params.text\",\"logstash.slowlog.plugin_type\",\"logstash.slowlog.thread\",\"logstash.slowlog.thread.text\",\"logstash.slowlog.took_in_millis\",\"message\",\"mongodb.log.component\",\"mongodb.log.context\",\"mysql.slowlog.bytes_received\",\"mysql.slowlog.bytes_sent\",\"mysql.slowlog.current_user\",\"mysql.slowlog.filesort\",\"mysql.slowlog.filesort_on_disk\",\"mysql.slowlog.full_join\",\"mysql.slowlog.full_scan\",\"mysql.slowlog.innodb.io_r_bytes\",\"mysql.slowlog.innodb.io_r_ops\",\"mysql.slowlog.innodb.io_r_wait.sec\",\"mysql.slowlog.innodb.pages_distinct\",\"mysql.slowlog.innodb.queue_wait.sec\",\"mysql.slowlog.innodb.rec_lock_wait.sec\",\"mysql.slowlog.innodb.trx_id\",\"mysql.slowlog.killed\",\"mysql.slowlog.last_errno\",\"mysql.slowlog.lock_time.sec\",\"mysql.slowlog.log_slow_rate_limit\",\"mysql.slowlog.log_slow_rate_type\",\"mysql.slowlog.merge_passes\",\"mysql.slowlog.priority_queue\",\"mysql.slowlog.query\",\"mysql.slowlog.query_cache_hit\",\"mysql.slowlog.read_first\",\"mysql.slowlog.read_key\",\"mysql.slowlog.read_last\",\"mysql.slowlog.read_next\",\"mysql.slowlog.read_prev\",\"mysql.slowlog.read_rnd\",\"mysql.slowlog.read_rnd_next\",\"mysql.slowlog.rows_affected\",\"mysql.slowlog.rows_examined\",\"mysql.slowlog.rows_sent\",\"mysql.slowlog.schema\",\"mysql.slowlog.sort_merge_passes\",\"mysql.slowlog.sort_range_count\",\"mysql.slowlog.sort_rows\",\"mysql.slowlog.sort_scan_count\",\"mysql.slowlog.tmp_disk_tables\",\"mysql.slowlog.tmp_table\",\"mysql.slowlog.tmp_table_on_disk\",\"mysql.slowlog.tmp_table_sizes\",\"mysql.slowlog.tmp_tables\",\"mysql.thread_id\",\"nats.log.client.id\",\"nats.log.msg.bytes\",
\"nats.log.msg.error.message\",\"nats.log.msg.max_messages\",\"nats.log.msg.queue_group\",\"nats.log.msg.reply_to\",\"nats.log.msg.sid\",\"nats.log.msg.subject\",\"nats.log.msg.type\",\"network.application\",\"network.bytes\",\"network.community_id\",\"network.direction\",\"network.forwarded_ip\",\"network.iana_number\",\"network.inner.vlan.id\",\"network.inner.vlan.name\",\"network.name\",\"network.packets\",\"network.protocol\",\"network.transport\",\"network.type\",\"network.vlan.id\",\"network.vlan.name\",\"nginx.error.connection_id\",\"nginx.ingress_controller.http.request.id\",\"nginx.ingress_controller.http.request.length\",\"nginx.ingress_controller.http.request.time\",\"nginx.ingress_controller.upstream.alternative_name\",\"nginx.ingress_controller.upstream.ip\",\"nginx.ingress_controller.upstream.name\",\"nginx.ingress_controller.upstream.port\",\"nginx.ingress_controller.upstream.response.length\",\"nginx.ingress_controller.upstream.response.length_list\",\"nginx.ingress_controller.upstream.response.status_code\",\"nginx.ingress_controller.upstream.response.status_code_list\",\"nginx.ingress_controller.upstream.response.time\",\"nginx.ingress_controller.upstream.response.time_list\",\"nginx.ingress_controller.upstream_address_list\",\"observer.egress.interface.alias\",\"observer.egress.interface.id\",\"observer.egress.interface.name\",\"observer.egress.vlan.id\",\"observer.egress.vlan.name\",\"observer.egress.zone\",\"observer.geo.city_name\",\"observer.geo.continent_name\",\"observer.geo.country_iso_code\",\"observer.geo.country_name\",\"observer.geo.location\",\"observer.geo.name\",\"observer.geo.region_iso_code\",\"observer.geo.region_name\",\"observer.hostname\",\"observer.ingress.interface.alias\",\"observer.ingress.interface.id\",\"observer.ingress.interface.name\",\"observer.ingress.vlan.id\",\"observer.ingress.vlan.name\",\"observer.ingress.zone\",\"observer.ip\",\"observer.mac\",\"observer.name\",\"observer.os.family\",\"observer.os.full\",\"obse
rver.os.full.text\",\"observer.os.kernel\",\"observer.os.name\",\"observer.os.name.text\",\"observer.os.platform\",\"observer.os.version\",\"observer.product\",\"observer.serial_number\",\"observer.type\",\"observer.vendor\",\"observer.version\",\"organization.id\",\"organization.name\",\"organization.name.text\",\"os.family\",\"os.full\",\"os.full.text\",\"os.kernel\",\"os.name\",\"os.name.text\",\"os.platform\",\"os.version\",\"osquery.result.action\",\"osquery.result.calendar_time\",\"osquery.result.host_identifier\",\"osquery.result.name\",\"osquery.result.unix_time\",\"package.architecture\",\"package.build_version\",\"package.checksum\",\"package.description\",\"package.install_scope\",\"package.installed\",\"package.license\",\"package.name\",\"package.path\",\"package.reference\",\"package.size\",\"package.type\",\"package.version\",\"pe.architecture\",\"pe.company\",\"pe.description\",\"pe.file_version\",\"pe.imphash\",\"pe.original_file_name\",\"pe.product\",\"postgresql.log.core_id\",\"postgresql.log.database\",\"postgresql.log.error.code\",\"postgresql.log.query\",\"postgresql.log.query_name\",\"postgresql.log.query_step\",\"postgresql.log.timestamp\",\"process.args\",\"process.args_count\",\"process.code_signature.exists\",\"process.code_signature.status\",\"process.code_signature.subject_name\",\"process.code_signature.trusted\",\"process.code_signature.valid\",\"process.command_line\",\"process.command_line.text\",\"process.entity_id\",\"process.executable\",\"process.executable.text\",\"process.exit_code\",\"process.hash.md5\",\"process.hash.sha1\",\"process.hash.sha256\",\"process.hash.sha512\",\"process.name\",\"process.name.text\",\"process.parent.args\",\"process.parent.args_count\",\"process.parent.code_signature.exists\",\"process.parent.code_signature.status\",\"process.parent.code_signature.subject_name\",\"process.parent.code_signature.trusted\",\"process.parent.code_signature.valid\",\"process.parent.command_line\",\"process.parent.command_
line.text\",\"process.parent.entity_id\",\"process.parent.executable\",\"process.parent.executable.text\",\"process.parent.exit_code\",\"process.parent.hash.md5\",\"process.parent.hash.sha1\",\"process.parent.hash.sha256\",\"process.parent.hash.sha512\",\"process.parent.name\",\"process.parent.name.text\",\"process.parent.pe.architecture\",\"process.parent.pe.company\",\"process.parent.pe.description\",\"process.parent.pe.file_version\",\"process.parent.pe.imphash\",\"process.parent.pe.original_file_name\",\"process.parent.pe.product\",\"process.parent.pgid\",\"process.parent.pid\",\"process.parent.ppid\",\"process.parent.start\",\"process.parent.thread.id\",\"process.parent.thread.name\",\"process.parent.title\",\"process.parent.title.text\",\"process.parent.uptime\",\"process.parent.working_directory\",\"process.parent.working_directory.text\",\"process.pe.architecture\",\"process.pe.company\",\"process.pe.description\",\"process.pe.file_version\",\"process.pe.imphash\",\"process.pe.original_file_name\",\"process.pe.product\",\"process.pgid\",\"process.pid\",\"process.ppid\",\"process.program\",\"process.start\",\"process.thread.id\",\"process.thread.name\",\"process.title\",\"process.title.text\",\"process.uptime\",\"process.working_directory\",\"process.working_directory.text\",\"redis.log.role\",\"redis.slowlog.args\",\"redis.slowlog.cmd\",\"redis.slowlog.duration.us\",\"redis.slowlog.id\",\"redis.slowlog.key\",\"registry.data.bytes\",\"registry.data.strings\",\"registry.data.type\",\"registry.hive\",\"registry.key\",\"registry.path\",\"registry.value\",\"related.hash\",\"related.hosts\",\"related.ip\",\"related.user\",\"rule.author\",\"rule.category\",\"rule.description\",\"rule.id\",\"rule.license\",\"rule.name\",\"rule.reference\",\"rule.ruleset\",\"rule.uuid\",\"rule.version\",\"santa.action\",\"santa.certificate.common_name\",\"santa.certificate.sha256\",\"santa.decision\",\"santa.disk.bsdname\",\"santa.disk.bus\",\"santa.disk.fs\",\"santa.disk.model\",\"s
anta.disk.mount\",\"santa.disk.serial\",\"santa.disk.volume\",\"santa.mode\",\"santa.reason\",\"server.address\",\"server.as.number\",\"server.as.organization.name\",\"server.as.organization.name.text\",\"server.bytes\",\"server.domain\",\"server.geo.city_name\",\"server.geo.continent_name\",\"server.geo.country_iso_code\",\"server.geo.country_name\",\"server.geo.location\",\"server.geo.name\",\"server.geo.region_iso_code\",\"server.geo.region_name\",\"server.ip\",\"server.mac\",\"server.nat.ip\",\"server.nat.port\",\"server.packets\",\"server.port\",\"server.registered_domain\",\"server.subdomain\",\"server.top_level_domain\",\"server.user.domain\",\"server.user.email\",\"server.user.full_name\",\"server.user.full_name.text\",\"server.user.group.domain\",\"server.user.group.id\",\"server.user.group.name\",\"server.user.hash\",\"server.user.id\",\"server.user.name\",\"server.user.name.text\",\"server.user.roles\",\"service.ephemeral_id\",\"service.id\",\"service.name\",\"service.node.name\",\"service.state\",\"service.type\",\"service.version\",\"source.address\",\"source.as.number\",\"source.as.organization.name\",\"source.as.organization.name.text\",\"source.bytes\",\"source.domain\",\"source.geo.city_name\",\"source.geo.continent_name\",\"source.geo.country_iso_code\",\"source.geo.country_name\",\"source.geo.location\",\"source.geo.name\",\"source.geo.region_iso_code\",\"source.geo.region_name\",\"source.ip\",\"source.mac\",\"source.nat.ip\",\"source.nat.port\",\"source.packets\",\"source.port\",\"source.registered_domain\",\"source.subdomain\",\"source.top_level_domain\",\"source.user.domain\",\"source.user.email\",\"source.user.full_name\",\"source.user.full_name.text\",\"source.user.group.domain\",\"source.user.group.id\",\"source.user.group.name\",\"source.user.hash\",\"source.user.id\",\"source.user.name\",\"source.user.name.text\",\"source.user.roles\",\"span.id\",\"stream\",\"syslog.facility\",\"syslog.facility_label\",\"syslog.priority\",\"syslog.severity
_label\",\"system.auth.ssh.dropped_ip\",\"system.auth.ssh.event\",\"system.auth.ssh.method\",\"system.auth.ssh.signature\",\"system.auth.sudo.command\",\"system.auth.sudo.error\",\"system.auth.sudo.pwd\",\"system.auth.sudo.tty\",\"system.auth.sudo.user\",\"system.auth.useradd.home\",\"system.auth.useradd.shell\",\"tags\",\"threat.framework\",\"threat.tactic.id\",\"threat.tactic.name\",\"threat.tactic.reference\",\"threat.technique.id\",\"threat.technique.name\",\"threat.technique.name.text\",\"threat.technique.reference\",\"threat.technique.subtechnique.id\",\"threat.technique.subtechnique.name\",\"threat.technique.subtechnique.name.text\",\"threat.technique.subtechnique.reference\",\"timeseries.instance\",\"tls.cipher\",\"tls.client.certificate\",\"tls.client.certificate_chain\",\"tls.client.hash.md5\",\"tls.client.hash.sha1\",\"tls.client.hash.sha256\",\"tls.client.issuer\",\"tls.client.ja3\",\"tls.client.not_after\",\"tls.client.not_before\",\"tls.client.server_name\",\"tls.client.subject\",\"tls.client.supported_ciphers\",\"tls.client.x509.alternative_names\",\"tls.client.x509.issuer.common_name\",\"tls.client.x509.issuer.country\",\"tls.client.x509.issuer.distinguished_name\",\"tls.client.x509.issuer.locality\",\"tls.client.x509.issuer.organization\",\"tls.client.x509.issuer.organizational_unit\",\"tls.client.x509.issuer.state_or_province\",\"tls.client.x509.not_after\",\"tls.client.x509.not_before\",\"tls.client.x509.public_key_algorithm\",\"tls.client.x509.public_key_curve\",\"tls.client.x509.public_key_exponent\",\"tls.client.x509.public_key_size\",\"tls.client.x509.serial_number\",\"tls.client.x509.signature_algorithm\",\"tls.client.x509.subject.common_name\",\"tls.client.x509.subject.country\",\"tls.client.x509.subject.distinguished_name\",\"tls.client.x509.subject.locality\",\"tls.client.x509.subject.organization\",\"tls.client.x509.subject.organizational_unit\",\"tls.client.x509.subject.state_or_province\",\"tls.client.x509.version_number\",\"tls.curve\"
,\"tls.established\",\"tls.next_protocol\",\"tls.resumed\",\"tls.server.certificate\",\"tls.server.certificate_chain\",\"tls.server.hash.md5\",\"tls.server.hash.sha1\",\"tls.server.hash.sha256\",\"tls.server.issuer\",\"tls.server.ja3s\",\"tls.server.not_after\",\"tls.server.not_before\",\"tls.server.subject\",\"tls.server.x509.alternative_names\",\"tls.server.x509.issuer.common_name\",\"tls.server.x509.issuer.country\",\"tls.server.x509.issuer.distinguished_name\",\"tls.server.x509.issuer.locality\",\"tls.server.x509.issuer.organization\",\"tls.server.x509.issuer.organizational_unit\",\"tls.server.x509.issuer.state_or_province\",\"tls.server.x509.not_after\",\"tls.server.x509.not_before\",\"tls.server.x509.public_key_algorithm\",\"tls.server.x509.public_key_curve\",\"tls.server.x509.public_key_exponent\",\"tls.server.x509.public_key_size\",\"tls.server.x509.serial_number\",\"tls.server.x509.signature_algorithm\",\"tls.server.x509.subject.common_name\",\"tls.server.x509.subject.country\",\"tls.server.x509.subject.distinguished_name\",\"tls.server.x509.subject.locality\",\"tls.server.x509.subject.organization\",\"tls.server.x509.subject.organizational_unit\",\"tls.server.x509.subject.state_or_province\",\"tls.server.x509.version_number\",\"tls.version\",\"tls.version_protocol\",\"trace.id\",\"traefik.access.backend_url\",\"traefik.access.frontend_name\",\"traefik.access.geoip.city_name\",\"traefik.access.geoip.continent_name\",\"traefik.access.geoip.country_iso_code\",\"traefik.access.geoip.location\",\"traefik.access.geoip.region_iso_code\",\"traefik.access.geoip.region_name\",\"traefik.access.request_count\",\"traefik.access.user_agent.device\",\"traefik.access.user_agent.name\",\"traefik.access.user_agent.original\",\"traefik.access.user_agent.os\",\"traefik.access.user_agent.os_name\",\"traefik.access.user_identifier\",\"transaction.id\",\"url.domain\",\"url.extension\",\"url.fragment\",\"url.full\",\"url.full.text\",\"url.original\",\"url.original.text\",\"url.pa
ssword\",\"url.path\",\"url.port\",\"url.query\",\"url.registered_domain\",\"url.scheme\",\"url.subdomain\",\"url.top_level_domain\",\"url.username\",\"user.audit.group.id\",\"user.audit.group.name\",\"user.audit.id\",\"user.audit.name\",\"user.domain\",\"user.effective.group.id\",\"user.effective.group.name\",\"user.effective.id\",\"user.effective.name\",\"user.email\",\"user.filesystem.group.id\",\"user.filesystem.group.name\",\"user.filesystem.id\",\"user.filesystem.name\",\"user.full_name\",\"user.full_name.text\",\"user.group.domain\",\"user.group.id\",\"user.group.name\",\"user.hash\",\"user.id\",\"user.name\",\"user.name.text\",\"user.owner.group.id\",\"user.owner.group.name\",\"user.owner.id\",\"user.owner.name\",\"user.roles\",\"user.saved.group.id\",\"user.saved.group.name\",\"user.saved.id\",\"user.saved.name\",\"user.terminal\",\"user_agent.device.name\",\"user_agent.name\",\"user_agent.original\",\"user_agent.original.text\",\"user_agent.os.family\",\"user_agent.os.full\",\"user_agent.os.full.text\",\"user_agent.os.full_name\",\"user_agent.os.kernel\",\"user_agent.os.name\",\"user_agent.os.name.text\",\"user_agent.os.platform\",\"user_agent.os.version\",\"user_agent.version\",\"vlan.id\",\"vlan.name\",\"vulnerability.category\",\"vulnerability.classification\",\"vulnerability.description\",\"vulnerability.description.text\",\"vulnerability.enumeration\",\"vulnerability.id\",\"vulnerability.reference\",\"vulnerability.report_id\",\"vulnerability.scanner.vendor\",\"vulnerability.score.base\",\"vulnerability.score.environmental\",\"vulnerability.score.temporal\",\"vulnerability.score.version\",\"vulnerability.severity\",\"x509.alternative_names\",\"x509.issuer.common_name\",\"x509.issuer.country\",\"x509.issuer.distinguished_name\",\"x509.issuer.locality\",\"x509.issuer.organization\",\"x509.issuer.organizational_unit\",\"x509.issuer.state_or_province\",\"x509.not_after\",\"x509.not_before\",\"x509.public_key_algorithm\",\"x509.public_key_curve\",\"x509.pu
blic_key_exponent\",\"x509.public_key_size\",\"x509.serial_number\",\"x509.signature_algorithm\",\"x509.subject.common_name\",\"x509.subject.country\",\"x509.subject.distinguished_name\",\"x509.subject.locality\",\"x509.subject.organization\",\"x509.subject.organizational_unit\",\"x509.subject.state_or_province\",\"x509.version_number\"],\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"hid_bravura_monitor.perf.kind\",\"negate\":false,\"params\":{\"query\":\"PerfAjax\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"hid_bravura_monitor.perf.kind\":\"PerfAjax\"}}}],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "PerfAjax", - "version": 1 - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-ad5f7180-1473-11eb-bb7b-bb041e8cf289", - "migrationVersion": { - "search": "7.9.3" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/hid_bravura_monitor/1.2.3/kibana/search/hid_bravura_monitor-be8c8b60-874f-11eb-a5be-4d72a1654030.json b/packages/hid_bravura_monitor/1.2.3/kibana/search/hid_bravura_monitor-be8c8b60-874f-11eb-a5be-4d72a1654030.json deleted file mode 100755 index 1dcfec3f81..0000000000 --- a/packages/hid_bravura_monitor/1.2.3/kibana/search/hid_bravura_monitor-be8c8b60-874f-11eb-a5be-4d72a1654030.json +++ /dev/null 
@@ -1,39 +0,0 @@ -{ - "attributes": { - "columns": [], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"fieldsFromSource\":[\"@timestamp\",\"_id\",\"_index\",\"_score\",\"_source\",\"_type\",\"agent.build.original\",\"agent.ephemeral_id\",\"agent.hostname\",\"agent.id\",\"agent.name\",\"agent.type\",\"agent.version\",\"apache.access.ssl.cipher\",\"apache.access.ssl.protocol\",\"apache.error.integration\",\"as.number\",\"as.organization.name\",\"as.organization.name.text\",\"auditd.log.a0\",\"auditd.log.addr\",\"auditd.log.item\",\"auditd.log.items\",\"auditd.log.laddr\",\"auditd.log.lport\",\"auditd.log.new_auid\",\"auditd.log.new_ses\",\"auditd.log.old_auid\",\"auditd.log.old_ses\",\"auditd.log.rport\",\"auditd.log.sequence\",\"auditd.log.tty\",\"azure.consumer_group\",\"azure.enqueued_time\",\"azure.eventhub\",\"azure.offset\",\"azure.partition_id\",\"azure.sequence_number\",\"client.address\",\"client.as.number\",\"client.as.organization.name\",\"client.as.organization.name.text\",\"client.bytes\",\"client.domain\",\"client.geo.city_name\",\"client.geo.continent_name\",\"client.geo.country_iso_code\",\"client.geo.country_name\",\"client.geo.location\",\"client.geo.name\",\"client.geo.region_iso_code\",\"client.geo.region_name\",\"client.ip\",\"client.mac\",\"client.nat.ip\",\"client.nat.port\",\"client.packets\",\"client.port\",\"client.registered_domain\",\"client.subdomain\",\"client.top_level_domain\",\"client.user.domain\",\"client.user.email\",\"client.user.full_name\",\"client.user.full_name.text\",\"client.user.group.domain\",\"client.user.group.id\",\"client.user.group.name\",\"client.user.hash\",\"client.user.id\",\"client.user.name\",\"client.user.name.text\",\"client.user.roles\",\"cloud.account.id\",\"cloud.account.name\",\"cloud.availability_zone\",\"cloud.image.id\",\"cloud.instance.id\",\"cloud.instance.name\",\"cloud.machine.type\",\"cloud.project.id\",\"cloud.project.name\",\"cloud.provider\",\"cloud.region
\",\"code_signature.exists\",\"code_signature.status\",\"code_signature.subject_name\",\"code_signature.trusted\",\"code_signature.valid\",\"container.id\",\"container.image.name\",\"container.image.tag\",\"container.name\",\"container.runtime\",\"destination.address\",\"destination.as.number\",\"destination.as.organization.name\",\"destination.as.organization.name.text\",\"destination.bytes\",\"destination.domain\",\"destination.geo.city_name\",\"destination.geo.continent_name\",\"destination.geo.country_iso_code\",\"destination.geo.country_name\",\"destination.geo.location\",\"destination.geo.name\",\"destination.geo.region_iso_code\",\"destination.geo.region_name\",\"destination.ip\",\"destination.mac\",\"destination.nat.ip\",\"destination.nat.port\",\"destination.packets\",\"destination.port\",\"destination.registered_domain\",\"destination.subdomain\",\"destination.top_level_domain\",\"destination.user.domain\",\"destination.user.email\",\"destination.user.full_name\",\"destination.user.full_name.text\",\"destination.user.group.domain\",\"destination.user.group.id\",\"destination.user.group.name\",\"destination.user.hash\",\"destination.user.id\",\"destination.user.name\",\"destination.user.name.text\",\"destination.user.roles\",\"dll.code_signature.exists\",\"dll.code_signature.status\",\"dll.code_signature.subject_name\",\"dll.code_signature.trusted\",\"dll.code_signature.valid\",\"dll.hash.md5\",\"dll.hash.sha1\",\"dll.hash.sha256\",\"dll.hash.sha512\",\"dll.name\",\"dll.path\",\"dll.pe.architecture\",\"dll.pe.company\",\"dll.pe.description\",\"dll.pe.file_version\",\"dll.pe.imphash\",\"dll.pe.original_file_name\",\"dll.pe.product\",\"dns.answers.class\",\"dns.answers.data\",\"dns.answers.name\",\"dns.answers.ttl\",\"dns.answers.type\",\"dns.header_flags\",\"dns.id\",\"dns.op_code\",\"dns.question.class\",\"dns.question.name\",\"dns.question.registered_domain\",\"dns.question.subdomain\",\"dns.question.top_level_domain\",\"dns.question.type\",\"dns.resolved_
ip\",\"dns.response_code\",\"dns.type\",\"ecs.version\",\"elasticsearch.audit.action\",\"elasticsearch.audit.event_type\",\"elasticsearch.audit.indices\",\"elasticsearch.audit.layer\",\"elasticsearch.audit.message\",\"elasticsearch.audit.origin.type\",\"elasticsearch.audit.realm\",\"elasticsearch.audit.request.id\",\"elasticsearch.audit.request.name\",\"elasticsearch.audit.url.params\",\"elasticsearch.audit.user.realm\",\"elasticsearch.audit.user.roles\",\"elasticsearch.cluster.name\",\"elasticsearch.cluster.uuid\",\"elasticsearch.component\",\"elasticsearch.gc.heap.size_kb\",\"elasticsearch.gc.heap.used_kb\",\"elasticsearch.gc.jvm_runtime_sec\",\"elasticsearch.gc.old_gen.size_kb\",\"elasticsearch.gc.old_gen.used_kb\",\"elasticsearch.gc.phase.class_unload_time_sec\",\"elasticsearch.gc.phase.cpu_time.real_sec\",\"elasticsearch.gc.phase.cpu_time.sys_sec\",\"elasticsearch.gc.phase.cpu_time.user_sec\",\"elasticsearch.gc.phase.duration_sec\",\"elasticsearch.gc.phase.name\",\"elasticsearch.gc.phase.parallel_rescan_time_sec\",\"elasticsearch.gc.phase.scrub_string_table_time_sec\",\"elasticsearch.gc.phase.scrub_symbol_table_time_sec\",\"elasticsearch.gc.phase.weak_refs_processing_time_sec\",\"elasticsearch.gc.stopping_threads_time_sec\",\"elasticsearch.gc.tags\",\"elasticsearch.gc.threads_total_stop_time_sec\",\"elasticsearch.gc.young_gen.size_kb\",\"elasticsearch.gc.young_gen.used_kb\",\"elasticsearch.index.id\",\"elasticsearch.index.name\",\"elasticsearch.node.id\",\"elasticsearch.node.name\",\"elasticsearch.server.gc.collection_duration.ms\",\"elasticsearch.server.gc.observation_duration.ms\",\"elasticsearch.server.gc.overhead_seq\",\"elasticsearch.server.gc.young.one\",\"elasticsearch.server.gc.young.two\",\"elasticsearch.server.stacktrace\",\"elasticsearch.shard.id\",\"elasticsearch.slowlog.extra_source\",\"elasticsearch.slowlog.id\",\"elasticsearch.slowlog.logger\",\"elasticsearch.slowlog.routing\",\"elasticsearch.slowlog.search_type\",\"elasticsearch.slowlog.source\"
,\"elasticsearch.slowlog.source_query\",\"elasticsearch.slowlog.stats\",\"elasticsearch.slowlog.took\",\"elasticsearch.slowlog.total_hits\",\"elasticsearch.slowlog.total_shards\",\"elasticsearch.slowlog.type\",\"elasticsearch.slowlog.types\",\"error.code\",\"error.id\",\"error.message\",\"error.stack_trace\",\"error.stack_trace.text\",\"error.type\",\"event.action\",\"event.category\",\"event.code\",\"event.created\",\"data_stream.dataset\",\"event.duration\",\"event.end\",\"event.hash\",\"event.id\",\"event.ingested\",\"event.kind\",\"event.integration\",\"event.original\",\"event.outcome\",\"event.provider\",\"event.reason\",\"event.reference\",\"event.risk_score\",\"event.risk_score_norm\",\"event.sequence\",\"event.severity\",\"event.start\",\"event.timezone\",\"event.type\",\"event.url\",\"file.accessed\",\"file.attributes\",\"file.code_signature.exists\",\"file.code_signature.status\",\"file.code_signature.subject_name\",\"file.code_signature.trusted\",\"file.code_signature.valid\",\"file.created\",\"file.ctime\",\"file.device\",\"file.directory\",\"file.drive_letter\",\"file.extension\",\"file.gid\",\"file.group\",\"file.hash.md5\",\"file.hash.sha1\",\"file.hash.sha256\",\"file.hash.sha512\",\"file.inode\",\"file.mime_type\",\"file.mode\",\"file.mtime\",\"file.name\",\"file.owner\",\"file.path\",\"file.path.text\",\"file.pe.architecture\",\"file.pe.company\",\"file.pe.description\",\"file.pe.file_version\",\"file.pe.imphash\",\"file.pe.original_file_name\",\"file.pe.product\",\"file.size\",\"file.target_path\",\"file.target_path.text\",\"file.type\",\"file.uid\",\"file.x509.alternative_names\",\"file.x509.issuer.common_name\",\"file.x509.issuer.country\",\"file.x509.issuer.distinguished_name\",\"file.x509.issuer.locality\",\"file.x509.issuer.organization\",\"file.x509.issuer.organizational_unit\",\"file.x509.issuer.state_or_province\",\"file.x509.not_after\",\"file.x509.not_before\",\"file.x509.public_key_algorithm\",\"file.x509.public_key_curve\",\"file.x509
.public_key_exponent\",\"file.x509.public_key_size\",\"file.x509.serial_number\",\"file.x509.signature_algorithm\",\"file.x509.subject.common_name\",\"file.x509.subject.country\",\"file.x509.subject.distinguished_name\",\"file.x509.subject.locality\",\"file.x509.subject.organization\",\"file.x509.subject.organizational_unit\",\"file.x509.subject.state_or_province\",\"file.x509.version_number\",\"fileset.name\",\"geo.city_name\",\"geo.continent_name\",\"geo.country_iso_code\",\"geo.country_name\",\"geo.location\",\"geo.name\",\"geo.region_iso_code\",\"geo.region_name\",\"group.domain\",\"group.id\",\"group.name\",\"haproxy.backend_name\",\"haproxy.backend_queue\",\"haproxy.bind_name\",\"haproxy.bytes_read\",\"haproxy.connection_wait_time_ms\",\"haproxy.connections.active\",\"haproxy.connections.backend\",\"haproxy.connections.frontend\",\"haproxy.connections.retries\",\"haproxy.connections.server\",\"haproxy.error_message\",\"haproxy.frontend_name\",\"haproxy.http.request.captured_cookie\",\"haproxy.http.request.captured_headers\",\"haproxy.http.request.raw_request_line\",\"haproxy.http.request.time_wait_ms\",\"haproxy.http.request.time_wait_without_data_ms\",\"haproxy.http.response.captured_cookie\",\"haproxy.http.response.captured_headers\",\"haproxy.mode\",\"haproxy.server_name\",\"haproxy.server_queue\",\"haproxy.source\",\"haproxy.tcp.connection_waiting_time_ms\",\"haproxy.termination_state\",\"haproxy.time_backend_connect\",\"haproxy.time_queue\",\"haproxy.total_waiting_time_ms\",\"hash.md5\",\"hash.sha1\",\"hash.sha256\",\"hash.sha512\",\"hid_bravura_monitor.instancename\",\"hid_bravura_monitor.node\",\"hid_bravura_monitor.perf.address\",\"hid_bravura_monitor.perf.address\",\"hid_bravura_monitor.perf.adminid\",\"hid_bravura_monitor.perf.adminid\",\"hid_bravura_monitor.perf.dbcommand\",\"hid_bravura_monitor.perf.dbcommand\",\"hid_bravura_monitor.perf.destination\",\"hid_bravura_monitor.perf.duration\",\"hid_bravura_monitor.perf.event\",\"hid_bravura_monitor.per
f.event\",\"hid_bravura_monitor.perf.exe\",\"hid_bravura_monitor.perf.exe\",\"hid_bravura_monitor.perf.file\",\"hid_bravura_monitor.perf.function\",\"hid_bravura_monitor.perf.function\",\"hid_bravura_monitor.perf.kernel\",\"hid_bravura_monitor.perf.kind\",\"hid_bravura_monitor.perf.kind\",\"hid_bravura_monitor.perf.message\",\"hid_bravura_monitor.perf.message\",\"hid_bravura_monitor.perf.operation\",\"hid_bravura_monitor.perf.operation\",\"hid_bravura_monitor.perf.receivequeue\",\"hid_bravura_monitor.perf.receivequeue\",\"hid_bravura_monitor.perf.records\",\"hid_bravura_monitor.perf.result\",\"hid_bravura_monitor.perf.result\",\"hid_bravura_monitor.perf.rule\",\"hid_bravura_monitor.perf.sessionid\",\"hid_bravura_monitor.perf.sessionid\",\"hid_bravura_monitor.perf.sysid\",\"hid_bravura_monitor.perf.sysid\",\"hid_bravura_monitor.perf.table\",\"hid_bravura_monitor.perf.table\",\"hid_bravura_monitor.perf.targetid\",\"hid_bravura_monitor.perf.targetid\",\"hid_bravura_monitor.perf.transid\",\"hid_bravura_monitor.perf.transid\",\"hid_bravura_monitor.perf.type\",\"hid_bravura_monitor.perf.user\",\"hid_bravura_monitor.request.id\",\"hid_bravura_monitor.request.id\",\"host.architecture\",\"host.containerized\",\"host.domain\",\"host.geo.city_name\",\"host.geo.continent_name\",\"host.geo.country_iso_code\",\"host.geo.country_name\",\"host.geo.location\",\"host.geo.name\",\"host.geo.region_iso_code\",\"host.geo.region_name\",\"host.hostname\",\"host.id\",\"host.ip\",\"host.mac\",\"host.name\",\"host.os.build\",\"host.os.codename\",\"host.os.family\",\"host.os.full\",\"host.os.full.text\",\"host.os.kernel\",\"host.os.name\",\"host.os.name.text\",\"host.os.platform\",\"host.os.version\",\"host.type\",\"host.uptime\",\"host.user.domain\",\"host.user.email\",\"host.user.full_name\",\"host.user.full_name.text\",\"host.user.group.domain\",\"host.user.group.id\",\"host.user.group.name\",\"host.user.hash\",\"host.user.id\",\"host.user.name\",\"host.user.name.text\",\"host.user.roles\",
\"http.request.body.bytes\",\"http.request.body.content\",\"http.request.body.content.text\",\"http.request.bytes\",\"http.request.method\",\"http.request.mime_type\",\"http.request.referrer\",\"http.response.body.bytes\",\"http.response.body.content\",\"http.response.body.content.text\",\"http.response.bytes\",\"http.response.mime_type\",\"http.response.status_code\",\"http.version\",\"icinga.debug.facility\",\"icinga.main.facility\",\"icinga.startup.facility\",\"icmp.code\",\"icmp.type\",\"igmp.type\",\"iis.access.cookie\",\"iis.access.server_name\",\"iis.access.site_name\",\"iis.access.sub_status\",\"iis.access.win32_status\",\"iis.error.queue_name\",\"iis.error.reason_phrase\",\"input.type\",\"interface.alias\",\"interface.id\",\"interface.name\",\"jolokia.agent.id\",\"jolokia.agent.version\",\"jolokia.secured\",\"jolokia.server.product\",\"jolokia.server.vendor\",\"jolokia.server.version\",\"jolokia.url\",\"kafka.block_timestamp\",\"kafka.key\",\"kafka.log.class\",\"kafka.log.component\",\"kafka.log.thread\",\"kafka.log.trace.class\",\"kafka.log.trace.message\",\"kafka.offset\",\"kafka.partition\",\"kafka.topic\",\"kibana.add_to_spaces\",\"kibana.authentication_provider\",\"kibana.authentication_realm\",\"kibana.authentication_type\",\"kibana.delete_from_spaces\",\"kibana.log.state\",\"kibana.log.tags\",\"kibana.lookup_realm\",\"kibana.saved_object.id\",\"kibana.saved_object.type\",\"kibana.session_id\",\"kibana.space_id\",\"kubernetes.container.image\",\"kubernetes.container.name\",\"kubernetes.deployment.name\",\"kubernetes.namespace\",\"kubernetes.node.hostname\",\"kubernetes.node.name\",\"kubernetes.pod.name\",\"kubernetes.pod.uid\",\"kubernetes.replicaset.name\",\"kubernetes.statefulset.name\",\"log.file.path\",\"log.flags\",\"log.level\",\"log.logger\",\"log.offset\",\"log.origin.file.line\",\"log.origin.file.name\",\"log.origin.function\",\"log.original\",\"log.source.address\",\"log.syslog.facility.code\",\"log.syslog.facility.name\",\"log.syslog.priori
ty\",\"log.syslog.severity.code\",\"log.syslog.severity.name\",\"logstash.log.integration\",\"logstash.log.pipeline_id\",\"logstash.log.thread\",\"logstash.log.thread.text\",\"logstash.slowlog.event\",\"logstash.slowlog.event.text\",\"logstash.slowlog.integration\",\"logstash.slowlog.plugin_name\",\"logstash.slowlog.plugin_params\",\"logstash.slowlog.plugin_params.text\",\"logstash.slowlog.plugin_type\",\"logstash.slowlog.thread\",\"logstash.slowlog.thread.text\",\"logstash.slowlog.took_in_millis\",\"message\",\"mongodb.log.component\",\"mongodb.log.context\",\"mysql.slowlog.bytes_received\",\"mysql.slowlog.bytes_sent\",\"mysql.slowlog.current_user\",\"mysql.slowlog.filesort\",\"mysql.slowlog.filesort_on_disk\",\"mysql.slowlog.full_join\",\"mysql.slowlog.full_scan\",\"mysql.slowlog.innodb.io_r_bytes\",\"mysql.slowlog.innodb.io_r_ops\",\"mysql.slowlog.innodb.io_r_wait.sec\",\"mysql.slowlog.innodb.pages_distinct\",\"mysql.slowlog.innodb.queue_wait.sec\",\"mysql.slowlog.innodb.rec_lock_wait.sec\",\"mysql.slowlog.innodb.trx_id\",\"mysql.slowlog.killed\",\"mysql.slowlog.last_errno\",\"mysql.slowlog.lock_time.sec\",\"mysql.slowlog.log_slow_rate_limit\",\"mysql.slowlog.log_slow_rate_type\",\"mysql.slowlog.merge_passes\",\"mysql.slowlog.priority_queue\",\"mysql.slowlog.query\",\"mysql.slowlog.query_cache_hit\",\"mysql.slowlog.read_first\",\"mysql.slowlog.read_key\",\"mysql.slowlog.read_last\",\"mysql.slowlog.read_next\",\"mysql.slowlog.read_prev\",\"mysql.slowlog.read_rnd\",\"mysql.slowlog.read_rnd_next\",\"mysql.slowlog.rows_affected\",\"mysql.slowlog.rows_examined\",\"mysql.slowlog.rows_sent\",\"mysql.slowlog.schema\",\"mysql.slowlog.sort_merge_passes\",\"mysql.slowlog.sort_range_count\",\"mysql.slowlog.sort_rows\",\"mysql.slowlog.sort_scan_count\",\"mysql.slowlog.tmp_disk_tables\",\"mysql.slowlog.tmp_table\",\"mysql.slowlog.tmp_table_on_disk\",\"mysql.slowlog.tmp_table_sizes\",\"mysql.slowlog.tmp_tables\",\"mysql.thread_id\",\"nats.log.client.id\",\"nats.log.msg.bytes\",
\"nats.log.msg.error.message\",\"nats.log.msg.max_messages\",\"nats.log.msg.queue_group\",\"nats.log.msg.reply_to\",\"nats.log.msg.sid\",\"nats.log.msg.subject\",\"nats.log.msg.type\",\"network.application\",\"network.bytes\",\"network.community_id\",\"network.direction\",\"network.forwarded_ip\",\"network.iana_number\",\"network.inner.vlan.id\",\"network.inner.vlan.name\",\"network.name\",\"network.packets\",\"network.protocol\",\"network.transport\",\"network.type\",\"network.vlan.id\",\"network.vlan.name\",\"nginx.error.connection_id\",\"nginx.ingress_controller.http.request.id\",\"nginx.ingress_controller.http.request.length\",\"nginx.ingress_controller.http.request.time\",\"nginx.ingress_controller.upstream.alternative_name\",\"nginx.ingress_controller.upstream.ip\",\"nginx.ingress_controller.upstream.name\",\"nginx.ingress_controller.upstream.port\",\"nginx.ingress_controller.upstream.response.length\",\"nginx.ingress_controller.upstream.response.length_list\",\"nginx.ingress_controller.upstream.response.status_code\",\"nginx.ingress_controller.upstream.response.status_code_list\",\"nginx.ingress_controller.upstream.response.time\",\"nginx.ingress_controller.upstream.response.time_list\",\"nginx.ingress_controller.upstream_address_list\",\"observer.egress.interface.alias\",\"observer.egress.interface.id\",\"observer.egress.interface.name\",\"observer.egress.vlan.id\",\"observer.egress.vlan.name\",\"observer.egress.zone\",\"observer.geo.city_name\",\"observer.geo.continent_name\",\"observer.geo.country_iso_code\",\"observer.geo.country_name\",\"observer.geo.location\",\"observer.geo.name\",\"observer.geo.region_iso_code\",\"observer.geo.region_name\",\"observer.hostname\",\"observer.ingress.interface.alias\",\"observer.ingress.interface.id\",\"observer.ingress.interface.name\",\"observer.ingress.vlan.id\",\"observer.ingress.vlan.name\",\"observer.ingress.zone\",\"observer.ip\",\"observer.mac\",\"observer.name\",\"observer.os.family\",\"observer.os.full\",\"obse
rver.os.full.text\",\"observer.os.kernel\",\"observer.os.name\",\"observer.os.name.text\",\"observer.os.platform\",\"observer.os.version\",\"observer.product\",\"observer.serial_number\",\"observer.type\",\"observer.vendor\",\"observer.version\",\"organization.id\",\"organization.name\",\"organization.name.text\",\"os.family\",\"os.full\",\"os.full.text\",\"os.kernel\",\"os.name\",\"os.name.text\",\"os.platform\",\"os.version\",\"osquery.result.action\",\"osquery.result.calendar_time\",\"osquery.result.host_identifier\",\"osquery.result.name\",\"osquery.result.unix_time\",\"package.architecture\",\"package.build_version\",\"package.checksum\",\"package.description\",\"package.install_scope\",\"package.installed\",\"package.license\",\"package.name\",\"package.path\",\"package.reference\",\"package.size\",\"package.type\",\"package.version\",\"pe.architecture\",\"pe.company\",\"pe.description\",\"pe.file_version\",\"pe.imphash\",\"pe.original_file_name\",\"pe.product\",\"postgresql.log.core_id\",\"postgresql.log.database\",\"postgresql.log.error.code\",\"postgresql.log.query\",\"postgresql.log.query_name\",\"postgresql.log.query_step\",\"postgresql.log.timestamp\",\"process.args\",\"process.args_count\",\"process.code_signature.exists\",\"process.code_signature.status\",\"process.code_signature.subject_name\",\"process.code_signature.trusted\",\"process.code_signature.valid\",\"process.command_line\",\"process.command_line.text\",\"process.entity_id\",\"process.executable\",\"process.executable.text\",\"process.exit_code\",\"process.hash.md5\",\"process.hash.sha1\",\"process.hash.sha256\",\"process.hash.sha512\",\"process.name\",\"process.name.text\",\"process.parent.args\",\"process.parent.args_count\",\"process.parent.code_signature.exists\",\"process.parent.code_signature.status\",\"process.parent.code_signature.subject_name\",\"process.parent.code_signature.trusted\",\"process.parent.code_signature.valid\",\"process.parent.command_line\",\"process.parent.command_
line.text\",\"process.parent.entity_id\",\"process.parent.executable\",\"process.parent.executable.text\",\"process.parent.exit_code\",\"process.parent.hash.md5\",\"process.parent.hash.sha1\",\"process.parent.hash.sha256\",\"process.parent.hash.sha512\",\"process.parent.name\",\"process.parent.name.text\",\"process.parent.pe.architecture\",\"process.parent.pe.company\",\"process.parent.pe.description\",\"process.parent.pe.file_version\",\"process.parent.pe.imphash\",\"process.parent.pe.original_file_name\",\"process.parent.pe.product\",\"process.parent.pgid\",\"process.parent.pid\",\"process.parent.ppid\",\"process.parent.start\",\"process.parent.thread.id\",\"process.parent.thread.name\",\"process.parent.title\",\"process.parent.title.text\",\"process.parent.uptime\",\"process.parent.working_directory\",\"process.parent.working_directory.text\",\"process.pe.architecture\",\"process.pe.company\",\"process.pe.description\",\"process.pe.file_version\",\"process.pe.imphash\",\"process.pe.original_file_name\",\"process.pe.product\",\"process.pgid\",\"process.pid\",\"process.ppid\",\"process.program\",\"process.start\",\"process.thread.id\",\"process.thread.name\",\"process.title\",\"process.title.text\",\"process.uptime\",\"process.working_directory\",\"process.working_directory.text\",\"redis.log.role\",\"redis.slowlog.args\",\"redis.slowlog.cmd\",\"redis.slowlog.duration.us\",\"redis.slowlog.id\",\"redis.slowlog.key\",\"registry.data.bytes\",\"registry.data.strings\",\"registry.data.type\",\"registry.hive\",\"registry.key\",\"registry.path\",\"registry.value\",\"related.hash\",\"related.hosts\",\"related.ip\",\"related.user\",\"rule.author\",\"rule.category\",\"rule.description\",\"rule.id\",\"rule.license\",\"rule.name\",\"rule.reference\",\"rule.ruleset\",\"rule.uuid\",\"rule.version\",\"santa.action\",\"santa.certificate.common_name\",\"santa.certificate.sha256\",\"santa.decision\",\"santa.disk.bsdname\",\"santa.disk.bus\",\"santa.disk.fs\",\"santa.disk.model\",\"s
anta.disk.mount\",\"santa.disk.serial\",\"santa.disk.volume\",\"santa.mode\",\"santa.reason\",\"server.address\",\"server.as.number\",\"server.as.organization.name\",\"server.as.organization.name.text\",\"server.bytes\",\"server.domain\",\"server.geo.city_name\",\"server.geo.continent_name\",\"server.geo.country_iso_code\",\"server.geo.country_name\",\"server.geo.location\",\"server.geo.name\",\"server.geo.region_iso_code\",\"server.geo.region_name\",\"server.ip\",\"server.mac\",\"server.nat.ip\",\"server.nat.port\",\"server.packets\",\"server.port\",\"server.registered_domain\",\"server.subdomain\",\"server.top_level_domain\",\"server.user.domain\",\"server.user.email\",\"server.user.full_name\",\"server.user.full_name.text\",\"server.user.group.domain\",\"server.user.group.id\",\"server.user.group.name\",\"server.user.hash\",\"server.user.id\",\"server.user.name\",\"server.user.name.text\",\"server.user.roles\",\"service.ephemeral_id\",\"service.id\",\"service.name\",\"service.node.name\",\"service.state\",\"service.type\",\"service.version\",\"source.address\",\"source.as.number\",\"source.as.organization.name\",\"source.as.organization.name.text\",\"source.bytes\",\"source.domain\",\"source.geo.city_name\",\"source.geo.continent_name\",\"source.geo.country_iso_code\",\"source.geo.country_name\",\"source.geo.location\",\"source.geo.name\",\"source.geo.region_iso_code\",\"source.geo.region_name\",\"source.ip\",\"source.mac\",\"source.nat.ip\",\"source.nat.port\",\"source.packets\",\"source.port\",\"source.registered_domain\",\"source.subdomain\",\"source.top_level_domain\",\"source.user.domain\",\"source.user.email\",\"source.user.full_name\",\"source.user.full_name.text\",\"source.user.group.domain\",\"source.user.group.id\",\"source.user.group.name\",\"source.user.hash\",\"source.user.id\",\"source.user.name\",\"source.user.name.text\",\"source.user.roles\",\"span.id\",\"stream\",\"syslog.facility\",\"syslog.facility_label\",\"syslog.priority\",\"syslog.severity
_label\",\"system.auth.ssh.dropped_ip\",\"system.auth.ssh.event\",\"system.auth.ssh.method\",\"system.auth.ssh.signature\",\"system.auth.sudo.command\",\"system.auth.sudo.error\",\"system.auth.sudo.pwd\",\"system.auth.sudo.tty\",\"system.auth.sudo.user\",\"system.auth.useradd.home\",\"system.auth.useradd.shell\",\"tags\",\"threat.framework\",\"threat.tactic.id\",\"threat.tactic.name\",\"threat.tactic.reference\",\"threat.technique.id\",\"threat.technique.name\",\"threat.technique.name.text\",\"threat.technique.reference\",\"threat.technique.subtechnique.id\",\"threat.technique.subtechnique.name\",\"threat.technique.subtechnique.name.text\",\"threat.technique.subtechnique.reference\",\"timeseries.instance\",\"tls.cipher\",\"tls.client.certificate\",\"tls.client.certificate_chain\",\"tls.client.hash.md5\",\"tls.client.hash.sha1\",\"tls.client.hash.sha256\",\"tls.client.issuer\",\"tls.client.ja3\",\"tls.client.not_after\",\"tls.client.not_before\",\"tls.client.server_name\",\"tls.client.subject\",\"tls.client.supported_ciphers\",\"tls.client.x509.alternative_names\",\"tls.client.x509.issuer.common_name\",\"tls.client.x509.issuer.country\",\"tls.client.x509.issuer.distinguished_name\",\"tls.client.x509.issuer.locality\",\"tls.client.x509.issuer.organization\",\"tls.client.x509.issuer.organizational_unit\",\"tls.client.x509.issuer.state_or_province\",\"tls.client.x509.not_after\",\"tls.client.x509.not_before\",\"tls.client.x509.public_key_algorithm\",\"tls.client.x509.public_key_curve\",\"tls.client.x509.public_key_exponent\",\"tls.client.x509.public_key_size\",\"tls.client.x509.serial_number\",\"tls.client.x509.signature_algorithm\",\"tls.client.x509.subject.common_name\",\"tls.client.x509.subject.country\",\"tls.client.x509.subject.distinguished_name\",\"tls.client.x509.subject.locality\",\"tls.client.x509.subject.organization\",\"tls.client.x509.subject.organizational_unit\",\"tls.client.x509.subject.state_or_province\",\"tls.client.x509.version_number\",\"tls.curve\"
,\"tls.established\",\"tls.next_protocol\",\"tls.resumed\",\"tls.server.certificate\",\"tls.server.certificate_chain\",\"tls.server.hash.md5\",\"tls.server.hash.sha1\",\"tls.server.hash.sha256\",\"tls.server.issuer\",\"tls.server.ja3s\",\"tls.server.not_after\",\"tls.server.not_before\",\"tls.server.subject\",\"tls.server.x509.alternative_names\",\"tls.server.x509.issuer.common_name\",\"tls.server.x509.issuer.country\",\"tls.server.x509.issuer.distinguished_name\",\"tls.server.x509.issuer.locality\",\"tls.server.x509.issuer.organization\",\"tls.server.x509.issuer.organizational_unit\",\"tls.server.x509.issuer.state_or_province\",\"tls.server.x509.not_after\",\"tls.server.x509.not_before\",\"tls.server.x509.public_key_algorithm\",\"tls.server.x509.public_key_curve\",\"tls.server.x509.public_key_exponent\",\"tls.server.x509.public_key_size\",\"tls.server.x509.serial_number\",\"tls.server.x509.signature_algorithm\",\"tls.server.x509.subject.common_name\",\"tls.server.x509.subject.country\",\"tls.server.x509.subject.distinguished_name\",\"tls.server.x509.subject.locality\",\"tls.server.x509.subject.organization\",\"tls.server.x509.subject.organizational_unit\",\"tls.server.x509.subject.state_or_province\",\"tls.server.x509.version_number\",\"tls.version\",\"tls.version_protocol\",\"trace.id\",\"traefik.access.backend_url\",\"traefik.access.frontend_name\",\"traefik.access.geoip.city_name\",\"traefik.access.geoip.continent_name\",\"traefik.access.geoip.country_iso_code\",\"traefik.access.geoip.location\",\"traefik.access.geoip.region_iso_code\",\"traefik.access.geoip.region_name\",\"traefik.access.request_count\",\"traefik.access.user_agent.device\",\"traefik.access.user_agent.name\",\"traefik.access.user_agent.original\",\"traefik.access.user_agent.os\",\"traefik.access.user_agent.os_name\",\"traefik.access.user_identifier\",\"transaction.id\",\"url.domain\",\"url.extension\",\"url.fragment\",\"url.full\",\"url.full.text\",\"url.original\",\"url.original.text\",\"url.pa
ssword\",\"url.path\",\"url.port\",\"url.query\",\"url.registered_domain\",\"url.scheme\",\"url.subdomain\",\"url.top_level_domain\",\"url.username\",\"user.audit.group.id\",\"user.audit.group.name\",\"user.audit.id\",\"user.audit.name\",\"user.domain\",\"user.effective.group.id\",\"user.effective.group.name\",\"user.effective.id\",\"user.effective.name\",\"user.email\",\"user.filesystem.group.id\",\"user.filesystem.group.name\",\"user.filesystem.id\",\"user.filesystem.name\",\"user.full_name\",\"user.full_name.text\",\"user.group.domain\",\"user.group.id\",\"user.group.name\",\"user.hash\",\"user.id\",\"user.name\",\"user.name.text\",\"user.owner.group.id\",\"user.owner.group.name\",\"user.owner.id\",\"user.owner.name\",\"user.roles\",\"user.saved.group.id\",\"user.saved.group.name\",\"user.saved.id\",\"user.saved.name\",\"user.terminal\",\"user_agent.device.name\",\"user_agent.name\",\"user_agent.original\",\"user_agent.original.text\",\"user_agent.os.family\",\"user_agent.os.full\",\"user_agent.os.full.text\",\"user_agent.os.full_name\",\"user_agent.os.kernel\",\"user_agent.os.name\",\"user_agent.os.name.text\",\"user_agent.os.platform\",\"user_agent.os.version\",\"user_agent.version\",\"vlan.id\",\"vlan.name\",\"vulnerability.category\",\"vulnerability.classification\",\"vulnerability.description\",\"vulnerability.description.text\",\"vulnerability.enumeration\",\"vulnerability.id\",\"vulnerability.reference\",\"vulnerability.report_id\",\"vulnerability.scanner.vendor\",\"vulnerability.score.base\",\"vulnerability.score.environmental\",\"vulnerability.score.temporal\",\"vulnerability.score.version\",\"vulnerability.severity\",\"x509.alternative_names\",\"x509.issuer.common_name\",\"x509.issuer.country\",\"x509.issuer.distinguished_name\",\"x509.issuer.locality\",\"x509.issuer.organization\",\"x509.issuer.organizational_unit\",\"x509.issuer.state_or_province\",\"x509.not_after\",\"x509.not_before\",\"x509.public_key_algorithm\",\"x509.public_key_curve\",\"x509.pu
blic_key_exponent\",\"x509.public_key_size\",\"x509.serial_number\",\"x509.signature_algorithm\",\"x509.subject.common_name\",\"x509.subject.country\",\"x509.subject.distinguished_name\",\"x509.subject.locality\",\"x509.subject.organization\",\"x509.subject.organizational_unit\",\"x509.subject.state_or_province\",\"x509.version_number\"],\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"log.logger\",\"negate\":false,\"params\":{\"query\":\"iddb.exe\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"log.logger\":\"iddb.exe\"}}}],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "Database Events", - "version": 1 - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-be8c8b60-874f-11eb-a5be-4d72a1654030", - "migrationVersion": { - "search": "7.9.3" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/hid_bravura_monitor/1.2.3/kibana/search/hid_bravura_monitor-bfc7f7c0-1473-11eb-bb7b-bb041e8cf289.json b/packages/hid_bravura_monitor/1.2.3/kibana/search/hid_bravura_monitor-bfc7f7c0-1473-11eb-bb7b-bb041e8cf289.json deleted file mode 100755 index f0c5cffd71..0000000000 --- a/packages/hid_bravura_monitor/1.2.3/kibana/search/hid_bravura_monitor-bfc7f7c0-1473-11eb-bb7b-bb041e8cf289.json +++ /dev/null 
@@ -1,39 +0,0 @@ -{ - "attributes": { - "columns": [], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"fieldsFromSource\":[\"@timestamp\",\"_id\",\"_index\",\"_score\",\"_source\",\"_type\",\"agent.build.original\",\"agent.ephemeral_id\",\"agent.hostname\",\"agent.id\",\"agent.name\",\"agent.type\",\"agent.version\",\"apache.access.ssl.cipher\",\"apache.access.ssl.protocol\",\"apache.error.integration\",\"as.number\",\"as.organization.name\",\"as.organization.name.text\",\"auditd.log.a0\",\"auditd.log.addr\",\"auditd.log.item\",\"auditd.log.items\",\"auditd.log.laddr\",\"auditd.log.lport\",\"auditd.log.new_auid\",\"auditd.log.new_ses\",\"auditd.log.old_auid\",\"auditd.log.old_ses\",\"auditd.log.rport\",\"auditd.log.sequence\",\"auditd.log.tty\",\"azure.consumer_group\",\"azure.enqueued_time\",\"azure.eventhub\",\"azure.offset\",\"azure.partition_id\",\"azure.sequence_number\",\"client.address\",\"client.as.number\",\"client.as.organization.name\",\"client.as.organization.name.text\",\"client.bytes\",\"client.domain\",\"client.geo.city_name\",\"client.geo.continent_name\",\"client.geo.country_iso_code\",\"client.geo.country_name\",\"client.geo.location\",\"client.geo.name\",\"client.geo.region_iso_code\",\"client.geo.region_name\",\"client.ip\",\"client.mac\",\"client.nat.ip\",\"client.nat.port\",\"client.packets\",\"client.port\",\"client.registered_domain\",\"client.subdomain\",\"client.top_level_domain\",\"client.user.domain\",\"client.user.email\",\"client.user.full_name\",\"client.user.full_name.text\",\"client.user.group.domain\",\"client.user.group.id\",\"client.user.group.name\",\"client.user.hash\",\"client.user.id\",\"client.user.name\",\"client.user.name.text\",\"client.user.roles\",\"cloud.account.id\",\"cloud.account.name\",\"cloud.availability_zone\",\"cloud.image.id\",\"cloud.instance.id\",\"cloud.instance.name\",\"cloud.machine.type\",\"cloud.project.id\",\"cloud.project.name\",\"cloud.provider\",\"cloud.region
\",\"code_signature.exists\",\"code_signature.status\",\"code_signature.subject_name\",\"code_signature.trusted\",\"code_signature.valid\",\"container.id\",\"container.image.name\",\"container.image.tag\",\"container.name\",\"container.runtime\",\"destination.address\",\"destination.as.number\",\"destination.as.organization.name\",\"destination.as.organization.name.text\",\"destination.bytes\",\"destination.domain\",\"destination.geo.city_name\",\"destination.geo.continent_name\",\"destination.geo.country_iso_code\",\"destination.geo.country_name\",\"destination.geo.location\",\"destination.geo.name\",\"destination.geo.region_iso_code\",\"destination.geo.region_name\",\"destination.ip\",\"destination.mac\",\"destination.nat.ip\",\"destination.nat.port\",\"destination.packets\",\"destination.port\",\"destination.registered_domain\",\"destination.subdomain\",\"destination.top_level_domain\",\"destination.user.domain\",\"destination.user.email\",\"destination.user.full_name\",\"destination.user.full_name.text\",\"destination.user.group.domain\",\"destination.user.group.id\",\"destination.user.group.name\",\"destination.user.hash\",\"destination.user.id\",\"destination.user.name\",\"destination.user.name.text\",\"destination.user.roles\",\"dll.code_signature.exists\",\"dll.code_signature.status\",\"dll.code_signature.subject_name\",\"dll.code_signature.trusted\",\"dll.code_signature.valid\",\"dll.hash.md5\",\"dll.hash.sha1\",\"dll.hash.sha256\",\"dll.hash.sha512\",\"dll.name\",\"dll.path\",\"dll.pe.architecture\",\"dll.pe.company\",\"dll.pe.description\",\"dll.pe.file_version\",\"dll.pe.imphash\",\"dll.pe.original_file_name\",\"dll.pe.product\",\"dns.answers.class\",\"dns.answers.data\",\"dns.answers.name\",\"dns.answers.ttl\",\"dns.answers.type\",\"dns.header_flags\",\"dns.id\",\"dns.op_code\",\"dns.question.class\",\"dns.question.name\",\"dns.question.registered_domain\",\"dns.question.subdomain\",\"dns.question.top_level_domain\",\"dns.question.type\",\"dns.resolved_
ip\",\"dns.response_code\",\"dns.type\",\"ecs.version\",\"elasticsearch.audit.action\",\"elasticsearch.audit.event_type\",\"elasticsearch.audit.indices\",\"elasticsearch.audit.layer\",\"elasticsearch.audit.message\",\"elasticsearch.audit.origin.type\",\"elasticsearch.audit.realm\",\"elasticsearch.audit.request.id\",\"elasticsearch.audit.request.name\",\"elasticsearch.audit.url.params\",\"elasticsearch.audit.user.realm\",\"elasticsearch.audit.user.roles\",\"elasticsearch.cluster.name\",\"elasticsearch.cluster.uuid\",\"elasticsearch.component\",\"elasticsearch.gc.heap.size_kb\",\"elasticsearch.gc.heap.used_kb\",\"elasticsearch.gc.jvm_runtime_sec\",\"elasticsearch.gc.old_gen.size_kb\",\"elasticsearch.gc.old_gen.used_kb\",\"elasticsearch.gc.phase.class_unload_time_sec\",\"elasticsearch.gc.phase.cpu_time.real_sec\",\"elasticsearch.gc.phase.cpu_time.sys_sec\",\"elasticsearch.gc.phase.cpu_time.user_sec\",\"elasticsearch.gc.phase.duration_sec\",\"elasticsearch.gc.phase.name\",\"elasticsearch.gc.phase.parallel_rescan_time_sec\",\"elasticsearch.gc.phase.scrub_string_table_time_sec\",\"elasticsearch.gc.phase.scrub_symbol_table_time_sec\",\"elasticsearch.gc.phase.weak_refs_processing_time_sec\",\"elasticsearch.gc.stopping_threads_time_sec\",\"elasticsearch.gc.tags\",\"elasticsearch.gc.threads_total_stop_time_sec\",\"elasticsearch.gc.young_gen.size_kb\",\"elasticsearch.gc.young_gen.used_kb\",\"elasticsearch.index.id\",\"elasticsearch.index.name\",\"elasticsearch.node.id\",\"elasticsearch.node.name\",\"elasticsearch.server.gc.collection_duration.ms\",\"elasticsearch.server.gc.observation_duration.ms\",\"elasticsearch.server.gc.overhead_seq\",\"elasticsearch.server.gc.young.one\",\"elasticsearch.server.gc.young.two\",\"elasticsearch.server.stacktrace\",\"elasticsearch.shard.id\",\"elasticsearch.slowlog.extra_source\",\"elasticsearch.slowlog.id\",\"elasticsearch.slowlog.logger\",\"elasticsearch.slowlog.routing\",\"elasticsearch.slowlog.search_type\",\"elasticsearch.slowlog.source\"
,\"elasticsearch.slowlog.source_query\",\"elasticsearch.slowlog.stats\",\"elasticsearch.slowlog.took\",\"elasticsearch.slowlog.total_hits\",\"elasticsearch.slowlog.total_shards\",\"elasticsearch.slowlog.type\",\"elasticsearch.slowlog.types\",\"error.code\",\"error.id\",\"error.message\",\"error.stack_trace\",\"error.stack_trace.text\",\"error.type\",\"event.action\",\"event.category\",\"event.code\",\"event.created\",\"data_stream.dataset\",\"event.duration\",\"event.end\",\"event.hash\",\"event.id\",\"event.ingested\",\"event.kind\",\"event.integration\",\"event.original\",\"event.outcome\",\"event.provider\",\"event.reason\",\"event.reference\",\"event.risk_score\",\"event.risk_score_norm\",\"event.sequence\",\"event.severity\",\"event.start\",\"event.timezone\",\"event.type\",\"event.url\",\"file.accessed\",\"file.attributes\",\"file.code_signature.exists\",\"file.code_signature.status\",\"file.code_signature.subject_name\",\"file.code_signature.trusted\",\"file.code_signature.valid\",\"file.created\",\"file.ctime\",\"file.device\",\"file.directory\",\"file.drive_letter\",\"file.extension\",\"file.gid\",\"file.group\",\"file.hash.md5\",\"file.hash.sha1\",\"file.hash.sha256\",\"file.hash.sha512\",\"file.inode\",\"file.mime_type\",\"file.mode\",\"file.mtime\",\"file.name\",\"file.owner\",\"file.path\",\"file.path.text\",\"file.pe.architecture\",\"file.pe.company\",\"file.pe.description\",\"file.pe.file_version\",\"file.pe.imphash\",\"file.pe.original_file_name\",\"file.pe.product\",\"file.size\",\"file.target_path\",\"file.target_path.text\",\"file.type\",\"file.uid\",\"file.x509.alternative_names\",\"file.x509.issuer.common_name\",\"file.x509.issuer.country\",\"file.x509.issuer.distinguished_name\",\"file.x509.issuer.locality\",\"file.x509.issuer.organization\",\"file.x509.issuer.organizational_unit\",\"file.x509.issuer.state_or_province\",\"file.x509.not_after\",\"file.x509.not_before\",\"file.x509.public_key_algorithm\",\"file.x509.public_key_curve\",\"file.x509
.public_key_exponent\",\"file.x509.public_key_size\",\"file.x509.serial_number\",\"file.x509.signature_algorithm\",\"file.x509.subject.common_name\",\"file.x509.subject.country\",\"file.x509.subject.distinguished_name\",\"file.x509.subject.locality\",\"file.x509.subject.organization\",\"file.x509.subject.organizational_unit\",\"file.x509.subject.state_or_province\",\"file.x509.version_number\",\"fileset.name\",\"geo.city_name\",\"geo.continent_name\",\"geo.country_iso_code\",\"geo.country_name\",\"geo.location\",\"geo.name\",\"geo.region_iso_code\",\"geo.region_name\",\"group.domain\",\"group.id\",\"group.name\",\"haproxy.backend_name\",\"haproxy.backend_queue\",\"haproxy.bind_name\",\"haproxy.bytes_read\",\"haproxy.connection_wait_time_ms\",\"haproxy.connections.active\",\"haproxy.connections.backend\",\"haproxy.connections.frontend\",\"haproxy.connections.retries\",\"haproxy.connections.server\",\"haproxy.error_message\",\"haproxy.frontend_name\",\"haproxy.http.request.captured_cookie\",\"haproxy.http.request.captured_headers\",\"haproxy.http.request.raw_request_line\",\"haproxy.http.request.time_wait_ms\",\"haproxy.http.request.time_wait_without_data_ms\",\"haproxy.http.response.captured_cookie\",\"haproxy.http.response.captured_headers\",\"haproxy.mode\",\"haproxy.server_name\",\"haproxy.server_queue\",\"haproxy.source\",\"haproxy.tcp.connection_waiting_time_ms\",\"haproxy.termination_state\",\"haproxy.time_backend_connect\",\"haproxy.time_queue\",\"haproxy.total_waiting_time_ms\",\"hash.md5\",\"hash.sha1\",\"hash.sha256\",\"hash.sha512\",\"hid_bravura_monitor.instancename\",\"hid_bravura_monitor.node\",\"hid_bravura_monitor.perf.address\",\"hid_bravura_monitor.perf.address\",\"hid_bravura_monitor.perf.adminid\",\"hid_bravura_monitor.perf.adminid\",\"hid_bravura_monitor.perf.dbcommand\",\"hid_bravura_monitor.perf.dbcommand\",\"hid_bravura_monitor.perf.destination\",\"hid_bravura_monitor.perf.duration\",\"hid_bravura_monitor.perf.event\",\"hid_bravura_monitor.per
f.event\",\"hid_bravura_monitor.perf.exe\",\"hid_bravura_monitor.perf.exe\",\"hid_bravura_monitor.perf.file\",\"hid_bravura_monitor.perf.function\",\"hid_bravura_monitor.perf.function\",\"hid_bravura_monitor.perf.kernel\",\"hid_bravura_monitor.perf.kind\",\"hid_bravura_monitor.perf.kind\",\"hid_bravura_monitor.perf.message\",\"hid_bravura_monitor.perf.message\",\"hid_bravura_monitor.perf.operation\",\"hid_bravura_monitor.perf.operation\",\"hid_bravura_monitor.perf.receivequeue\",\"hid_bravura_monitor.perf.receivequeue\",\"hid_bravura_monitor.perf.records\",\"hid_bravura_monitor.perf.result\",\"hid_bravura_monitor.perf.result\",\"hid_bravura_monitor.perf.rule\",\"hid_bravura_monitor.perf.sessionid\",\"hid_bravura_monitor.perf.sessionid\",\"hid_bravura_monitor.perf.sysid\",\"hid_bravura_monitor.perf.sysid\",\"hid_bravura_monitor.perf.table\",\"hid_bravura_monitor.perf.table\",\"hid_bravura_monitor.perf.targetid\",\"hid_bravura_monitor.perf.targetid\",\"hid_bravura_monitor.perf.transid\",\"hid_bravura_monitor.perf.transid\",\"hid_bravura_monitor.perf.type\",\"hid_bravura_monitor.perf.user\",\"hid_bravura_monitor.request.id\",\"hid_bravura_monitor.request.id\",\"host.architecture\",\"host.containerized\",\"host.domain\",\"host.geo.city_name\",\"host.geo.continent_name\",\"host.geo.country_iso_code\",\"host.geo.country_name\",\"host.geo.location\",\"host.geo.name\",\"host.geo.region_iso_code\",\"host.geo.region_name\",\"host.hostname\",\"host.id\",\"host.ip\",\"host.mac\",\"host.name\",\"host.os.build\",\"host.os.codename\",\"host.os.family\",\"host.os.full\",\"host.os.full.text\",\"host.os.kernel\",\"host.os.name\",\"host.os.name.text\",\"host.os.platform\",\"host.os.version\",\"host.type\",\"host.uptime\",\"host.user.domain\",\"host.user.email\",\"host.user.full_name\",\"host.user.full_name.text\",\"host.user.group.domain\",\"host.user.group.id\",\"host.user.group.name\",\"host.user.hash\",\"host.user.id\",\"host.user.name\",\"host.user.name.text\",\"host.user.roles\",
\"http.request.body.bytes\",\"http.request.body.content\",\"http.request.body.content.text\",\"http.request.bytes\",\"http.request.method\",\"http.request.mime_type\",\"http.request.referrer\",\"http.response.body.bytes\",\"http.response.body.content\",\"http.response.body.content.text\",\"http.response.bytes\",\"http.response.mime_type\",\"http.response.status_code\",\"http.version\",\"icinga.debug.facility\",\"icinga.main.facility\",\"icinga.startup.facility\",\"icmp.code\",\"icmp.type\",\"igmp.type\",\"iis.access.cookie\",\"iis.access.server_name\",\"iis.access.site_name\",\"iis.access.sub_status\",\"iis.access.win32_status\",\"iis.error.queue_name\",\"iis.error.reason_phrase\",\"input.type\",\"interface.alias\",\"interface.id\",\"interface.name\",\"jolokia.agent.id\",\"jolokia.agent.version\",\"jolokia.secured\",\"jolokia.server.product\",\"jolokia.server.vendor\",\"jolokia.server.version\",\"jolokia.url\",\"kafka.block_timestamp\",\"kafka.key\",\"kafka.log.class\",\"kafka.log.component\",\"kafka.log.thread\",\"kafka.log.trace.class\",\"kafka.log.trace.message\",\"kafka.offset\",\"kafka.partition\",\"kafka.topic\",\"kibana.add_to_spaces\",\"kibana.authentication_provider\",\"kibana.authentication_realm\",\"kibana.authentication_type\",\"kibana.delete_from_spaces\",\"kibana.log.state\",\"kibana.log.tags\",\"kibana.lookup_realm\",\"kibana.saved_object.id\",\"kibana.saved_object.type\",\"kibana.session_id\",\"kibana.space_id\",\"kubernetes.container.image\",\"kubernetes.container.name\",\"kubernetes.deployment.name\",\"kubernetes.namespace\",\"kubernetes.node.hostname\",\"kubernetes.node.name\",\"kubernetes.pod.name\",\"kubernetes.pod.uid\",\"kubernetes.replicaset.name\",\"kubernetes.statefulset.name\",\"log.file.path\",\"log.flags\",\"log.level\",\"log.logger\",\"log.offset\",\"log.origin.file.line\",\"log.origin.file.name\",\"log.origin.function\",\"log.original\",\"log.source.address\",\"log.syslog.facility.code\",\"log.syslog.facility.name\",\"log.syslog.priori
ty\",\"log.syslog.severity.code\",\"log.syslog.severity.name\",\"logstash.log.integration\",\"logstash.log.pipeline_id\",\"logstash.log.thread\",\"logstash.log.thread.text\",\"logstash.slowlog.event\",\"logstash.slowlog.event.text\",\"logstash.slowlog.integration\",\"logstash.slowlog.plugin_name\",\"logstash.slowlog.plugin_params\",\"logstash.slowlog.plugin_params.text\",\"logstash.slowlog.plugin_type\",\"logstash.slowlog.thread\",\"logstash.slowlog.thread.text\",\"logstash.slowlog.took_in_millis\",\"message\",\"mongodb.log.component\",\"mongodb.log.context\",\"mysql.slowlog.bytes_received\",\"mysql.slowlog.bytes_sent\",\"mysql.slowlog.current_user\",\"mysql.slowlog.filesort\",\"mysql.slowlog.filesort_on_disk\",\"mysql.slowlog.full_join\",\"mysql.slowlog.full_scan\",\"mysql.slowlog.innodb.io_r_bytes\",\"mysql.slowlog.innodb.io_r_ops\",\"mysql.slowlog.innodb.io_r_wait.sec\",\"mysql.slowlog.innodb.pages_distinct\",\"mysql.slowlog.innodb.queue_wait.sec\",\"mysql.slowlog.innodb.rec_lock_wait.sec\",\"mysql.slowlog.innodb.trx_id\",\"mysql.slowlog.killed\",\"mysql.slowlog.last_errno\",\"mysql.slowlog.lock_time.sec\",\"mysql.slowlog.log_slow_rate_limit\",\"mysql.slowlog.log_slow_rate_type\",\"mysql.slowlog.merge_passes\",\"mysql.slowlog.priority_queue\",\"mysql.slowlog.query\",\"mysql.slowlog.query_cache_hit\",\"mysql.slowlog.read_first\",\"mysql.slowlog.read_key\",\"mysql.slowlog.read_last\",\"mysql.slowlog.read_next\",\"mysql.slowlog.read_prev\",\"mysql.slowlog.read_rnd\",\"mysql.slowlog.read_rnd_next\",\"mysql.slowlog.rows_affected\",\"mysql.slowlog.rows_examined\",\"mysql.slowlog.rows_sent\",\"mysql.slowlog.schema\",\"mysql.slowlog.sort_merge_passes\",\"mysql.slowlog.sort_range_count\",\"mysql.slowlog.sort_rows\",\"mysql.slowlog.sort_scan_count\",\"mysql.slowlog.tmp_disk_tables\",\"mysql.slowlog.tmp_table\",\"mysql.slowlog.tmp_table_on_disk\",\"mysql.slowlog.tmp_table_sizes\",\"mysql.slowlog.tmp_tables\",\"mysql.thread_id\",\"nats.log.client.id\",\"nats.log.msg.bytes\",
\"nats.log.msg.error.message\",\"nats.log.msg.max_messages\",\"nats.log.msg.queue_group\",\"nats.log.msg.reply_to\",\"nats.log.msg.sid\",\"nats.log.msg.subject\",\"nats.log.msg.type\",\"network.application\",\"network.bytes\",\"network.community_id\",\"network.direction\",\"network.forwarded_ip\",\"network.iana_number\",\"network.inner.vlan.id\",\"network.inner.vlan.name\",\"network.name\",\"network.packets\",\"network.protocol\",\"network.transport\",\"network.type\",\"network.vlan.id\",\"network.vlan.name\",\"nginx.error.connection_id\",\"nginx.ingress_controller.http.request.id\",\"nginx.ingress_controller.http.request.length\",\"nginx.ingress_controller.http.request.time\",\"nginx.ingress_controller.upstream.alternative_name\",\"nginx.ingress_controller.upstream.ip\",\"nginx.ingress_controller.upstream.name\",\"nginx.ingress_controller.upstream.port\",\"nginx.ingress_controller.upstream.response.length\",\"nginx.ingress_controller.upstream.response.length_list\",\"nginx.ingress_controller.upstream.response.status_code\",\"nginx.ingress_controller.upstream.response.status_code_list\",\"nginx.ingress_controller.upstream.response.time\",\"nginx.ingress_controller.upstream.response.time_list\",\"nginx.ingress_controller.upstream_address_list\",\"observer.egress.interface.alias\",\"observer.egress.interface.id\",\"observer.egress.interface.name\",\"observer.egress.vlan.id\",\"observer.egress.vlan.name\",\"observer.egress.zone\",\"observer.geo.city_name\",\"observer.geo.continent_name\",\"observer.geo.country_iso_code\",\"observer.geo.country_name\",\"observer.geo.location\",\"observer.geo.name\",\"observer.geo.region_iso_code\",\"observer.geo.region_name\",\"observer.hostname\",\"observer.ingress.interface.alias\",\"observer.ingress.interface.id\",\"observer.ingress.interface.name\",\"observer.ingress.vlan.id\",\"observer.ingress.vlan.name\",\"observer.ingress.zone\",\"observer.ip\",\"observer.mac\",\"observer.name\",\"observer.os.family\",\"observer.os.full\",\"obse
rver.os.full.text\",\"observer.os.kernel\",\"observer.os.name\",\"observer.os.name.text\",\"observer.os.platform\",\"observer.os.version\",\"observer.product\",\"observer.serial_number\",\"observer.type\",\"observer.vendor\",\"observer.version\",\"organization.id\",\"organization.name\",\"organization.name.text\",\"os.family\",\"os.full\",\"os.full.text\",\"os.kernel\",\"os.name\",\"os.name.text\",\"os.platform\",\"os.version\",\"osquery.result.action\",\"osquery.result.calendar_time\",\"osquery.result.host_identifier\",\"osquery.result.name\",\"osquery.result.unix_time\",\"package.architecture\",\"package.build_version\",\"package.checksum\",\"package.description\",\"package.install_scope\",\"package.installed\",\"package.license\",\"package.name\",\"package.path\",\"package.reference\",\"package.size\",\"package.type\",\"package.version\",\"pe.architecture\",\"pe.company\",\"pe.description\",\"pe.file_version\",\"pe.imphash\",\"pe.original_file_name\",\"pe.product\",\"postgresql.log.core_id\",\"postgresql.log.database\",\"postgresql.log.error.code\",\"postgresql.log.query\",\"postgresql.log.query_name\",\"postgresql.log.query_step\",\"postgresql.log.timestamp\",\"process.args\",\"process.args_count\",\"process.code_signature.exists\",\"process.code_signature.status\",\"process.code_signature.subject_name\",\"process.code_signature.trusted\",\"process.code_signature.valid\",\"process.command_line\",\"process.command_line.text\",\"process.entity_id\",\"process.executable\",\"process.executable.text\",\"process.exit_code\",\"process.hash.md5\",\"process.hash.sha1\",\"process.hash.sha256\",\"process.hash.sha512\",\"process.name\",\"process.name.text\",\"process.parent.args\",\"process.parent.args_count\",\"process.parent.code_signature.exists\",\"process.parent.code_signature.status\",\"process.parent.code_signature.subject_name\",\"process.parent.code_signature.trusted\",\"process.parent.code_signature.valid\",\"process.parent.command_line\",\"process.parent.command_
line.text\",\"process.parent.entity_id\",\"process.parent.executable\",\"process.parent.executable.text\",\"process.parent.exit_code\",\"process.parent.hash.md5\",\"process.parent.hash.sha1\",\"process.parent.hash.sha256\",\"process.parent.hash.sha512\",\"process.parent.name\",\"process.parent.name.text\",\"process.parent.pe.architecture\",\"process.parent.pe.company\",\"process.parent.pe.description\",\"process.parent.pe.file_version\",\"process.parent.pe.imphash\",\"process.parent.pe.original_file_name\",\"process.parent.pe.product\",\"process.parent.pgid\",\"process.parent.pid\",\"process.parent.ppid\",\"process.parent.start\",\"process.parent.thread.id\",\"process.parent.thread.name\",\"process.parent.title\",\"process.parent.title.text\",\"process.parent.uptime\",\"process.parent.working_directory\",\"process.parent.working_directory.text\",\"process.pe.architecture\",\"process.pe.company\",\"process.pe.description\",\"process.pe.file_version\",\"process.pe.imphash\",\"process.pe.original_file_name\",\"process.pe.product\",\"process.pgid\",\"process.pid\",\"process.ppid\",\"process.program\",\"process.start\",\"process.thread.id\",\"process.thread.name\",\"process.title\",\"process.title.text\",\"process.uptime\",\"process.working_directory\",\"process.working_directory.text\",\"redis.log.role\",\"redis.slowlog.args\",\"redis.slowlog.cmd\",\"redis.slowlog.duration.us\",\"redis.slowlog.id\",\"redis.slowlog.key\",\"registry.data.bytes\",\"registry.data.strings\",\"registry.data.type\",\"registry.hive\",\"registry.key\",\"registry.path\",\"registry.value\",\"related.hash\",\"related.hosts\",\"related.ip\",\"related.user\",\"rule.author\",\"rule.category\",\"rule.description\",\"rule.id\",\"rule.license\",\"rule.name\",\"rule.reference\",\"rule.ruleset\",\"rule.uuid\",\"rule.version\",\"santa.action\",\"santa.certificate.common_name\",\"santa.certificate.sha256\",\"santa.decision\",\"santa.disk.bsdname\",\"santa.disk.bus\",\"santa.disk.fs\",\"santa.disk.model\",\"s
anta.disk.mount\",\"santa.disk.serial\",\"santa.disk.volume\",\"santa.mode\",\"santa.reason\",\"server.address\",\"server.as.number\",\"server.as.organization.name\",\"server.as.organization.name.text\",\"server.bytes\",\"server.domain\",\"server.geo.city_name\",\"server.geo.continent_name\",\"server.geo.country_iso_code\",\"server.geo.country_name\",\"server.geo.location\",\"server.geo.name\",\"server.geo.region_iso_code\",\"server.geo.region_name\",\"server.ip\",\"server.mac\",\"server.nat.ip\",\"server.nat.port\",\"server.packets\",\"server.port\",\"server.registered_domain\",\"server.subdomain\",\"server.top_level_domain\",\"server.user.domain\",\"server.user.email\",\"server.user.full_name\",\"server.user.full_name.text\",\"server.user.group.domain\",\"server.user.group.id\",\"server.user.group.name\",\"server.user.hash\",\"server.user.id\",\"server.user.name\",\"server.user.name.text\",\"server.user.roles\",\"service.ephemeral_id\",\"service.id\",\"service.name\",\"service.node.name\",\"service.state\",\"service.type\",\"service.version\",\"source.address\",\"source.as.number\",\"source.as.organization.name\",\"source.as.organization.name.text\",\"source.bytes\",\"source.domain\",\"source.geo.city_name\",\"source.geo.continent_name\",\"source.geo.country_iso_code\",\"source.geo.country_name\",\"source.geo.location\",\"source.geo.name\",\"source.geo.region_iso_code\",\"source.geo.region_name\",\"source.ip\",\"source.mac\",\"source.nat.ip\",\"source.nat.port\",\"source.packets\",\"source.port\",\"source.registered_domain\",\"source.subdomain\",\"source.top_level_domain\",\"source.user.domain\",\"source.user.email\",\"source.user.full_name\",\"source.user.full_name.text\",\"source.user.group.domain\",\"source.user.group.id\",\"source.user.group.name\",\"source.user.hash\",\"source.user.id\",\"source.user.name\",\"source.user.name.text\",\"source.user.roles\",\"span.id\",\"stream\",\"syslog.facility\",\"syslog.facility_label\",\"syslog.priority\",\"syslog.severity
_label\",\"system.auth.ssh.dropped_ip\",\"system.auth.ssh.event\",\"system.auth.ssh.method\",\"system.auth.ssh.signature\",\"system.auth.sudo.command\",\"system.auth.sudo.error\",\"system.auth.sudo.pwd\",\"system.auth.sudo.tty\",\"system.auth.sudo.user\",\"system.auth.useradd.home\",\"system.auth.useradd.shell\",\"tags\",\"threat.framework\",\"threat.tactic.id\",\"threat.tactic.name\",\"threat.tactic.reference\",\"threat.technique.id\",\"threat.technique.name\",\"threat.technique.name.text\",\"threat.technique.reference\",\"threat.technique.subtechnique.id\",\"threat.technique.subtechnique.name\",\"threat.technique.subtechnique.name.text\",\"threat.technique.subtechnique.reference\",\"timeseries.instance\",\"tls.cipher\",\"tls.client.certificate\",\"tls.client.certificate_chain\",\"tls.client.hash.md5\",\"tls.client.hash.sha1\",\"tls.client.hash.sha256\",\"tls.client.issuer\",\"tls.client.ja3\",\"tls.client.not_after\",\"tls.client.not_before\",\"tls.client.server_name\",\"tls.client.subject\",\"tls.client.supported_ciphers\",\"tls.client.x509.alternative_names\",\"tls.client.x509.issuer.common_name\",\"tls.client.x509.issuer.country\",\"tls.client.x509.issuer.distinguished_name\",\"tls.client.x509.issuer.locality\",\"tls.client.x509.issuer.organization\",\"tls.client.x509.issuer.organizational_unit\",\"tls.client.x509.issuer.state_or_province\",\"tls.client.x509.not_after\",\"tls.client.x509.not_before\",\"tls.client.x509.public_key_algorithm\",\"tls.client.x509.public_key_curve\",\"tls.client.x509.public_key_exponent\",\"tls.client.x509.public_key_size\",\"tls.client.x509.serial_number\",\"tls.client.x509.signature_algorithm\",\"tls.client.x509.subject.common_name\",\"tls.client.x509.subject.country\",\"tls.client.x509.subject.distinguished_name\",\"tls.client.x509.subject.locality\",\"tls.client.x509.subject.organization\",\"tls.client.x509.subject.organizational_unit\",\"tls.client.x509.subject.state_or_province\",\"tls.client.x509.version_number\",\"tls.curve\"
,\"tls.established\",\"tls.next_protocol\",\"tls.resumed\",\"tls.server.certificate\",\"tls.server.certificate_chain\",\"tls.server.hash.md5\",\"tls.server.hash.sha1\",\"tls.server.hash.sha256\",\"tls.server.issuer\",\"tls.server.ja3s\",\"tls.server.not_after\",\"tls.server.not_before\",\"tls.server.subject\",\"tls.server.x509.alternative_names\",\"tls.server.x509.issuer.common_name\",\"tls.server.x509.issuer.country\",\"tls.server.x509.issuer.distinguished_name\",\"tls.server.x509.issuer.locality\",\"tls.server.x509.issuer.organization\",\"tls.server.x509.issuer.organizational_unit\",\"tls.server.x509.issuer.state_or_province\",\"tls.server.x509.not_after\",\"tls.server.x509.not_before\",\"tls.server.x509.public_key_algorithm\",\"tls.server.x509.public_key_curve\",\"tls.server.x509.public_key_exponent\",\"tls.server.x509.public_key_size\",\"tls.server.x509.serial_number\",\"tls.server.x509.signature_algorithm\",\"tls.server.x509.subject.common_name\",\"tls.server.x509.subject.country\",\"tls.server.x509.subject.distinguished_name\",\"tls.server.x509.subject.locality\",\"tls.server.x509.subject.organization\",\"tls.server.x509.subject.organizational_unit\",\"tls.server.x509.subject.state_or_province\",\"tls.server.x509.version_number\",\"tls.version\",\"tls.version_protocol\",\"trace.id\",\"traefik.access.backend_url\",\"traefik.access.frontend_name\",\"traefik.access.geoip.city_name\",\"traefik.access.geoip.continent_name\",\"traefik.access.geoip.country_iso_code\",\"traefik.access.geoip.location\",\"traefik.access.geoip.region_iso_code\",\"traefik.access.geoip.region_name\",\"traefik.access.request_count\",\"traefik.access.user_agent.device\",\"traefik.access.user_agent.name\",\"traefik.access.user_agent.original\",\"traefik.access.user_agent.os\",\"traefik.access.user_agent.os_name\",\"traefik.access.user_identifier\",\"transaction.id\",\"url.domain\",\"url.extension\",\"url.fragment\",\"url.full\",\"url.full.text\",\"url.original\",\"url.original.text\",\"url.pa
ssword\",\"url.path\",\"url.port\",\"url.query\",\"url.registered_domain\",\"url.scheme\",\"url.subdomain\",\"url.top_level_domain\",\"url.username\",\"user.audit.group.id\",\"user.audit.group.name\",\"user.audit.id\",\"user.audit.name\",\"user.domain\",\"user.effective.group.id\",\"user.effective.group.name\",\"user.effective.id\",\"user.effective.name\",\"user.email\",\"user.filesystem.group.id\",\"user.filesystem.group.name\",\"user.filesystem.id\",\"user.filesystem.name\",\"user.full_name\",\"user.full_name.text\",\"user.group.domain\",\"user.group.id\",\"user.group.name\",\"user.hash\",\"user.id\",\"user.name\",\"user.name.text\",\"user.owner.group.id\",\"user.owner.group.name\",\"user.owner.id\",\"user.owner.name\",\"user.roles\",\"user.saved.group.id\",\"user.saved.group.name\",\"user.saved.id\",\"user.saved.name\",\"user.terminal\",\"user_agent.device.name\",\"user_agent.name\",\"user_agent.original\",\"user_agent.original.text\",\"user_agent.os.family\",\"user_agent.os.full\",\"user_agent.os.full.text\",\"user_agent.os.full_name\",\"user_agent.os.kernel\",\"user_agent.os.name\",\"user_agent.os.name.text\",\"user_agent.os.platform\",\"user_agent.os.version\",\"user_agent.version\",\"vlan.id\",\"vlan.name\",\"vulnerability.category\",\"vulnerability.classification\",\"vulnerability.description\",\"vulnerability.description.text\",\"vulnerability.enumeration\",\"vulnerability.id\",\"vulnerability.reference\",\"vulnerability.report_id\",\"vulnerability.scanner.vendor\",\"vulnerability.score.base\",\"vulnerability.score.environmental\",\"vulnerability.score.temporal\",\"vulnerability.score.version\",\"vulnerability.severity\",\"x509.alternative_names\",\"x509.issuer.common_name\",\"x509.issuer.country\",\"x509.issuer.distinguished_name\",\"x509.issuer.locality\",\"x509.issuer.organization\",\"x509.issuer.organizational_unit\",\"x509.issuer.state_or_province\",\"x509.not_after\",\"x509.not_before\",\"x509.public_key_algorithm\",\"x509.public_key_curve\",\"x509.pu
blic_key_exponent\",\"x509.public_key_size\",\"x509.serial_number\",\"x509.signature_algorithm\",\"x509.subject.common_name\",\"x509.subject.country\",\"x509.subject.distinguished_name\",\"x509.subject.locality\",\"x509.subject.organization\",\"x509.subject.organizational_unit\",\"x509.subject.state_or_province\",\"x509.version_number\"],\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"hid_bravura_monitor.perf.kind\",\"negate\":false,\"params\":{\"query\":\"PerfConnector\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"hid_bravura_monitor.perf.kind\":\"PerfConnector\"}}}],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "PerfConnector", - "version": 1 - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-bfc7f7c0-1473-11eb-bb7b-bb041e8cf289", - "migrationVersion": { - "search": "7.9.3" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/hid_bravura_monitor/1.2.3/kibana/search/hid_bravura_monitor-d1f2d8c0-1473-11eb-bb7b-bb041e8cf289.json b/packages/hid_bravura_monitor/1.2.3/kibana/search/hid_bravura_monitor-d1f2d8c0-1473-11eb-bb7b-bb041e8cf289.json deleted file mode 100755 index c6b4369c88..0000000000 --- a/packages/hid_bravura_monitor/1.2.3/kibana/search/hid_bravura_monitor-d1f2d8c0-1473-11eb-bb7b-bb041e8cf289.json +++ /dev/null 
@@ -1,46 +0,0 @@ -{ - "attributes": { - "columns": [ - "host.name", - "hid_bravura_monitor.request.id", - "log.logger", - "hid_bravura_monitor.perf.duration", - "process.pid", - "process.thread.id" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"fieldsFromSource\":[\"@timestamp\",\"_id\",\"_index\",\"_score\",\"_source\",\"_type\",\"agent.build.original\",\"agent.ephemeral_id\",\"agent.hostname\",\"agent.id\",\"agent.name\",\"agent.type\",\"agent.version\",\"apache.access.ssl.cipher\",\"apache.access.ssl.protocol\",\"apache.error.integration\",\"as.number\",\"as.organization.name\",\"as.organization.name.text\",\"auditd.log.a0\",\"auditd.log.addr\",\"auditd.log.item\",\"auditd.log.items\",\"auditd.log.laddr\",\"auditd.log.lport\",\"auditd.log.new_auid\",\"auditd.log.new_ses\",\"auditd.log.old_auid\",\"auditd.log.old_ses\",\"auditd.log.rport\",\"auditd.log.sequence\",\"auditd.log.tty\",\"azure.consumer_group\",\"azure.enqueued_time\",\"azure.eventhub\",\"azure.offset\",\"azure.partition_id\",\"azure.sequence_number\",\"client.address\",\"client.as.number\",\"client.as.organization.name\",\"client.as.organization.name.text\",\"client.bytes\",\"client.domain\",\"client.geo.city_name\",\"client.geo.continent_name\",\"client.geo.country_iso_code\",\"client.geo.country_name\",\"client.geo.location\",\"client.geo.name\",\"client.geo.region_iso_code\",\"client.geo.region_name\",\"client.ip\",\"client.mac\",\"client.nat.ip\",\"client.nat.port\",\"client.packets\",\"client.port\",\"client.registered_domain\",\"client.subdomain\",\"client.top_level_domain\",\"client.user.domain\",\"client.user.email\",\"client.user.full_name\",\"client.user.full_name.text\",\"client.user.group.domain\",\"client.user.group.id\",\"client.user.group.name\",\"client.user.hash\",\"client.user.id\",\"client.user.name\",\"client.user.name.text\",\"client.user.roles\",\"cloud.account.id\",\"cloud.account.name\",\"cloud.availability_zone\",\"cloud.image.id\
",\"cloud.instance.id\",\"cloud.instance.name\",\"cloud.machine.type\",\"cloud.project.id\",\"cloud.project.name\",\"cloud.provider\",\"cloud.region\",\"code_signature.exists\",\"code_signature.status\",\"code_signature.subject_name\",\"code_signature.trusted\",\"code_signature.valid\",\"container.id\",\"container.image.name\",\"container.image.tag\",\"container.name\",\"container.runtime\",\"destination.address\",\"destination.as.number\",\"destination.as.organization.name\",\"destination.as.organization.name.text\",\"destination.bytes\",\"destination.domain\",\"destination.geo.city_name\",\"destination.geo.continent_name\",\"destination.geo.country_iso_code\",\"destination.geo.country_name\",\"destination.geo.location\",\"destination.geo.name\",\"destination.geo.region_iso_code\",\"destination.geo.region_name\",\"destination.ip\",\"destination.mac\",\"destination.nat.ip\",\"destination.nat.port\",\"destination.packets\",\"destination.port\",\"destination.registered_domain\",\"destination.subdomain\",\"destination.top_level_domain\",\"destination.user.domain\",\"destination.user.email\",\"destination.user.full_name\",\"destination.user.full_name.text\",\"destination.user.group.domain\",\"destination.user.group.id\",\"destination.user.group.name\",\"destination.user.hash\",\"destination.user.id\",\"destination.user.name\",\"destination.user.name.text\",\"destination.user.roles\",\"dll.code_signature.exists\",\"dll.code_signature.status\",\"dll.code_signature.subject_name\",\"dll.code_signature.trusted\",\"dll.code_signature.valid\",\"dll.hash.md5\",\"dll.hash.sha1\",\"dll.hash.sha256\",\"dll.hash.sha512\",\"dll.name\",\"dll.path\",\"dll.pe.architecture\",\"dll.pe.company\",\"dll.pe.description\",\"dll.pe.file_version\",\"dll.pe.imphash\",\"dll.pe.original_file_name\",\"dll.pe.product\",\"dns.answers.class\",\"dns.answers.data\",\"dns.answers.name\",\"dns.answers.ttl\",\"dns.answers.type\",\"dns.header_flags\",\"dns.id\",\"dns.op_code\",\"dns.question.class\",\"dns.q
uestion.name\",\"dns.question.registered_domain\",\"dns.question.subdomain\",\"dns.question.top_level_domain\",\"dns.question.type\",\"dns.resolved_ip\",\"dns.response_code\",\"dns.type\",\"ecs.version\",\"elasticsearch.audit.action\",\"elasticsearch.audit.event_type\",\"elasticsearch.audit.indices\",\"elasticsearch.audit.layer\",\"elasticsearch.audit.message\",\"elasticsearch.audit.origin.type\",\"elasticsearch.audit.realm\",\"elasticsearch.audit.request.id\",\"elasticsearch.audit.request.name\",\"elasticsearch.audit.url.params\",\"elasticsearch.audit.user.realm\",\"elasticsearch.audit.user.roles\",\"elasticsearch.cluster.name\",\"elasticsearch.cluster.uuid\",\"elasticsearch.component\",\"elasticsearch.gc.heap.size_kb\",\"elasticsearch.gc.heap.used_kb\",\"elasticsearch.gc.jvm_runtime_sec\",\"elasticsearch.gc.old_gen.size_kb\",\"elasticsearch.gc.old_gen.used_kb\",\"elasticsearch.gc.phase.class_unload_time_sec\",\"elasticsearch.gc.phase.cpu_time.real_sec\",\"elasticsearch.gc.phase.cpu_time.sys_sec\",\"elasticsearch.gc.phase.cpu_time.user_sec\",\"elasticsearch.gc.phase.duration_sec\",\"elasticsearch.gc.phase.name\",\"elasticsearch.gc.phase.parallel_rescan_time_sec\",\"elasticsearch.gc.phase.scrub_string_table_time_sec\",\"elasticsearch.gc.phase.scrub_symbol_table_time_sec\",\"elasticsearch.gc.phase.weak_refs_processing_time_sec\",\"elasticsearch.gc.stopping_threads_time_sec\",\"elasticsearch.gc.tags\",\"elasticsearch.gc.threads_total_stop_time_sec\",\"elasticsearch.gc.young_gen.size_kb\",\"elasticsearch.gc.young_gen.used_kb\",\"elasticsearch.index.id\",\"elasticsearch.index.name\",\"elasticsearch.node.id\",\"elasticsearch.node.name\",\"elasticsearch.server.gc.collection_duration.ms\",\"elasticsearch.server.gc.observation_duration.ms\",\"elasticsearch.server.gc.overhead_seq\",\"elasticsearch.server.gc.young.one\",\"elasticsearch.server.gc.young.two\",\"elasticsearch.server.stacktrace\",\"elasticsearch.shard.id\",\"elasticsearch.slowlog.extra_source\",\"elasticsearch.sl
owlog.id\",\"elasticsearch.slowlog.logger\",\"elasticsearch.slowlog.routing\",\"elasticsearch.slowlog.search_type\",\"elasticsearch.slowlog.source\",\"elasticsearch.slowlog.source_query\",\"elasticsearch.slowlog.stats\",\"elasticsearch.slowlog.took\",\"elasticsearch.slowlog.total_hits\",\"elasticsearch.slowlog.total_shards\",\"elasticsearch.slowlog.type\",\"elasticsearch.slowlog.types\",\"error.code\",\"error.id\",\"error.message\",\"error.stack_trace\",\"error.stack_trace.text\",\"error.type\",\"event.action\",\"event.category\",\"event.code\",\"event.created\",\"data_stream.dataset\",\"event.duration\",\"event.end\",\"event.hash\",\"event.id\",\"event.ingested\",\"event.kind\",\"event.integration\",\"event.original\",\"event.outcome\",\"event.provider\",\"event.reason\",\"event.reference\",\"event.risk_score\",\"event.risk_score_norm\",\"event.sequence\",\"event.severity\",\"event.start\",\"event.timezone\",\"event.type\",\"event.url\",\"file.accessed\",\"file.attributes\",\"file.code_signature.exists\",\"file.code_signature.status\",\"file.code_signature.subject_name\",\"file.code_signature.trusted\",\"file.code_signature.valid\",\"file.created\",\"file.ctime\",\"file.device\",\"file.directory\",\"file.drive_letter\",\"file.extension\",\"file.gid\",\"file.group\",\"file.hash.md5\",\"file.hash.sha1\",\"file.hash.sha256\",\"file.hash.sha512\",\"file.inode\",\"file.mime_type\",\"file.mode\",\"file.mtime\",\"file.name\",\"file.owner\",\"file.path\",\"file.path.text\",\"file.pe.architecture\",\"file.pe.company\",\"file.pe.description\",\"file.pe.file_version\",\"file.pe.imphash\",\"file.pe.original_file_name\",\"file.pe.product\",\"file.size\",\"file.target_path\",\"file.target_path.text\",\"file.type\",\"file.uid\",\"file.x509.alternative_names\",\"file.x509.issuer.common_name\",\"file.x509.issuer.country\",\"file.x509.issuer.distinguished_name\",\"file.x509.issuer.locality\",\"file.x509.issuer.organization\",\"file.x509.issuer.organizational_unit\",\"file.x509.issue
r.state_or_province\",\"file.x509.not_after\",\"file.x509.not_before\",\"file.x509.public_key_algorithm\",\"file.x509.public_key_curve\",\"file.x509.public_key_exponent\",\"file.x509.public_key_size\",\"file.x509.serial_number\",\"file.x509.signature_algorithm\",\"file.x509.subject.common_name\",\"file.x509.subject.country\",\"file.x509.subject.distinguished_name\",\"file.x509.subject.locality\",\"file.x509.subject.organization\",\"file.x509.subject.organizational_unit\",\"file.x509.subject.state_or_province\",\"file.x509.version_number\",\"fileset.name\",\"geo.city_name\",\"geo.continent_name\",\"geo.country_iso_code\",\"geo.country_name\",\"geo.location\",\"geo.name\",\"geo.region_iso_code\",\"geo.region_name\",\"group.domain\",\"group.id\",\"group.name\",\"haproxy.backend_name\",\"haproxy.backend_queue\",\"haproxy.bind_name\",\"haproxy.bytes_read\",\"haproxy.connection_wait_time_ms\",\"haproxy.connections.active\",\"haproxy.connections.backend\",\"haproxy.connections.frontend\",\"haproxy.connections.retries\",\"haproxy.connections.server\",\"haproxy.error_message\",\"haproxy.frontend_name\",\"haproxy.http.request.captured_cookie\",\"haproxy.http.request.captured_headers\",\"haproxy.http.request.raw_request_line\",\"haproxy.http.request.time_wait_ms\",\"haproxy.http.request.time_wait_without_data_ms\",\"haproxy.http.response.captured_cookie\",\"haproxy.http.response.captured_headers\",\"haproxy.mode\",\"haproxy.server_name\",\"haproxy.server_queue\",\"haproxy.source\",\"haproxy.tcp.connection_waiting_time_ms\",\"haproxy.termination_state\",\"haproxy.time_backend_connect\",\"haproxy.time_queue\",\"haproxy.total_waiting_time_ms\",\"hash.md5\",\"hash.sha1\",\"hash.sha256\",\"hash.sha512\",\"hid_bravura_monitor.instancename\",\"hid_bravura_monitor.node\",\"hid_bravura_monitor.perf.address\",\"hid_bravura_monitor.perf.address\",\"hid_bravura_monitor.perf.adminid\",\"hid_bravura_monitor.perf.adminid\",\"hid_bravura_monitor.perf.dbcommand\",\"hid_bravura_monitor.perf.dbc
ommand\",\"hid_bravura_monitor.perf.destination\",\"hid_bravura_monitor.perf.duration\",\"hid_bravura_monitor.perf.event\",\"hid_bravura_monitor.perf.event\",\"hid_bravura_monitor.perf.exe\",\"hid_bravura_monitor.perf.exe\",\"hid_bravura_monitor.perf.file\",\"hid_bravura_monitor.perf.function\",\"hid_bravura_monitor.perf.function\",\"hid_bravura_monitor.perf.kernel\",\"hid_bravura_monitor.perf.kind\",\"hid_bravura_monitor.perf.kind\",\"hid_bravura_monitor.perf.message\",\"hid_bravura_monitor.perf.message\",\"hid_bravura_monitor.perf.operation\",\"hid_bravura_monitor.perf.operation\",\"hid_bravura_monitor.perf.receivequeue\",\"hid_bravura_monitor.perf.receivequeue\",\"hid_bravura_monitor.perf.records\",\"hid_bravura_monitor.perf.result\",\"hid_bravura_monitor.perf.result\",\"hid_bravura_monitor.perf.rule\",\"hid_bravura_monitor.perf.sessionid\",\"hid_bravura_monitor.perf.sessionid\",\"hid_bravura_monitor.perf.sysid\",\"hid_bravura_monitor.perf.sysid\",\"hid_bravura_monitor.perf.table\",\"hid_bravura_monitor.perf.table\",\"hid_bravura_monitor.perf.targetid\",\"hid_bravura_monitor.perf.targetid\",\"hid_bravura_monitor.perf.transid\",\"hid_bravura_monitor.perf.transid\",\"hid_bravura_monitor.perf.type\",\"hid_bravura_monitor.perf.user\",\"hid_bravura_monitor.request.id\",\"hid_bravura_monitor.request.id\",\"host.architecture\",\"host.containerized\",\"host.domain\",\"host.geo.city_name\",\"host.geo.continent_name\",\"host.geo.country_iso_code\",\"host.geo.country_name\",\"host.geo.location\",\"host.geo.name\",\"host.geo.region_iso_code\",\"host.geo.region_name\",\"host.hostname\",\"host.id\",\"host.ip\",\"host.mac\",\"host.name\",\"host.os.build\",\"host.os.codename\",\"host.os.family\",\"host.os.full\",\"host.os.full.text\",\"host.os.kernel\",\"host.os.name\",\"host.os.name.text\",\"host.os.platform\",\"host.os.version\",\"host.type\",\"host.uptime\",\"host.user.domain\",\"host.user.email\",\"host.user.full_name\",\"host.user.full_name.text\",\"host.user.group.domain\"
,\"host.user.group.id\",\"host.user.group.name\",\"host.user.hash\",\"host.user.id\",\"host.user.name\",\"host.user.name.text\",\"host.user.roles\",\"http.request.body.bytes\",\"http.request.body.content\",\"http.request.body.content.text\",\"http.request.bytes\",\"http.request.method\",\"http.request.mime_type\",\"http.request.referrer\",\"http.response.body.bytes\",\"http.response.body.content\",\"http.response.body.content.text\",\"http.response.bytes\",\"http.response.mime_type\",\"http.response.status_code\",\"http.version\",\"icinga.debug.facility\",\"icinga.main.facility\",\"icinga.startup.facility\",\"icmp.code\",\"icmp.type\",\"igmp.type\",\"iis.access.cookie\",\"iis.access.server_name\",\"iis.access.site_name\",\"iis.access.sub_status\",\"iis.access.win32_status\",\"iis.error.queue_name\",\"iis.error.reason_phrase\",\"input.type\",\"interface.alias\",\"interface.id\",\"interface.name\",\"jolokia.agent.id\",\"jolokia.agent.version\",\"jolokia.secured\",\"jolokia.server.product\",\"jolokia.server.vendor\",\"jolokia.server.version\",\"jolokia.url\",\"kafka.block_timestamp\",\"kafka.key\",\"kafka.log.class\",\"kafka.log.component\",\"kafka.log.thread\",\"kafka.log.trace.class\",\"kafka.log.trace.message\",\"kafka.offset\",\"kafka.partition\",\"kafka.topic\",\"kibana.add_to_spaces\",\"kibana.authentication_provider\",\"kibana.authentication_realm\",\"kibana.authentication_type\",\"kibana.delete_from_spaces\",\"kibana.log.state\",\"kibana.log.tags\",\"kibana.lookup_realm\",\"kibana.saved_object.id\",\"kibana.saved_object.type\",\"kibana.session_id\",\"kibana.space_id\",\"kubernetes.container.image\",\"kubernetes.container.name\",\"kubernetes.deployment.name\",\"kubernetes.namespace\",\"kubernetes.node.hostname\",\"kubernetes.node.name\",\"kubernetes.pod.name\",\"kubernetes.pod.uid\",\"kubernetes.replicaset.name\",\"kubernetes.statefulset.name\",\"log.file.path\",\"log.flags\",\"log.level\",\"log.logger\",\"log.offset\",\"log.origin.file.line\",\"log.origin.file.
name\",\"log.origin.function\",\"log.original\",\"log.source.address\",\"log.syslog.facility.code\",\"log.syslog.facility.name\",\"log.syslog.priority\",\"log.syslog.severity.code\",\"log.syslog.severity.name\",\"logstash.log.integration\",\"logstash.log.pipeline_id\",\"logstash.log.thread\",\"logstash.log.thread.text\",\"logstash.slowlog.event\",\"logstash.slowlog.event.text\",\"logstash.slowlog.integration\",\"logstash.slowlog.plugin_name\",\"logstash.slowlog.plugin_params\",\"logstash.slowlog.plugin_params.text\",\"logstash.slowlog.plugin_type\",\"logstash.slowlog.thread\",\"logstash.slowlog.thread.text\",\"logstash.slowlog.took_in_millis\",\"message\",\"mongodb.log.component\",\"mongodb.log.context\",\"mysql.slowlog.bytes_received\",\"mysql.slowlog.bytes_sent\",\"mysql.slowlog.current_user\",\"mysql.slowlog.filesort\",\"mysql.slowlog.filesort_on_disk\",\"mysql.slowlog.full_join\",\"mysql.slowlog.full_scan\",\"mysql.slowlog.innodb.io_r_bytes\",\"mysql.slowlog.innodb.io_r_ops\",\"mysql.slowlog.innodb.io_r_wait.sec\",\"mysql.slowlog.innodb.pages_distinct\",\"mysql.slowlog.innodb.queue_wait.sec\",\"mysql.slowlog.innodb.rec_lock_wait.sec\",\"mysql.slowlog.innodb.trx_id\",\"mysql.slowlog.killed\",\"mysql.slowlog.last_errno\",\"mysql.slowlog.lock_time.sec\",\"mysql.slowlog.log_slow_rate_limit\",\"mysql.slowlog.log_slow_rate_type\",\"mysql.slowlog.merge_passes\",\"mysql.slowlog.priority_queue\",\"mysql.slowlog.query\",\"mysql.slowlog.query_cache_hit\",\"mysql.slowlog.read_first\",\"mysql.slowlog.read_key\",\"mysql.slowlog.read_last\",\"mysql.slowlog.read_next\",\"mysql.slowlog.read_prev\",\"mysql.slowlog.read_rnd\",\"mysql.slowlog.read_rnd_next\",\"mysql.slowlog.rows_affected\",\"mysql.slowlog.rows_examined\",\"mysql.slowlog.rows_sent\",\"mysql.slowlog.schema\",\"mysql.slowlog.sort_merge_passes\",\"mysql.slowlog.sort_range_count\",\"mysql.slowlog.sort_rows\",\"mysql.slowlog.sort_scan_count\",\"mysql.slowlog.tmp_disk_tables\",\"mysql.slowlog.tmp_table\",\"mysql.slowlog.t
mp_table_on_disk\",\"mysql.slowlog.tmp_table_sizes\",\"mysql.slowlog.tmp_tables\",\"mysql.thread_id\",\"nats.log.client.id\",\"nats.log.msg.bytes\",\"nats.log.msg.error.message\",\"nats.log.msg.max_messages\",\"nats.log.msg.queue_group\",\"nats.log.msg.reply_to\",\"nats.log.msg.sid\",\"nats.log.msg.subject\",\"nats.log.msg.type\",\"network.application\",\"network.bytes\",\"network.community_id\",\"network.direction\",\"network.forwarded_ip\",\"network.iana_number\",\"network.inner.vlan.id\",\"network.inner.vlan.name\",\"network.name\",\"network.packets\",\"network.protocol\",\"network.transport\",\"network.type\",\"network.vlan.id\",\"network.vlan.name\",\"nginx.error.connection_id\",\"nginx.ingress_controller.http.request.id\",\"nginx.ingress_controller.http.request.length\",\"nginx.ingress_controller.http.request.time\",\"nginx.ingress_controller.upstream.alternative_name\",\"nginx.ingress_controller.upstream.ip\",\"nginx.ingress_controller.upstream.name\",\"nginx.ingress_controller.upstream.port\",\"nginx.ingress_controller.upstream.response.length\",\"nginx.ingress_controller.upstream.response.length_list\",\"nginx.ingress_controller.upstream.response.status_code\",\"nginx.ingress_controller.upstream.response.status_code_list\",\"nginx.ingress_controller.upstream.response.time\",\"nginx.ingress_controller.upstream.response.time_list\",\"nginx.ingress_controller.upstream_address_list\",\"observer.egress.interface.alias\",\"observer.egress.interface.id\",\"observer.egress.interface.name\",\"observer.egress.vlan.id\",\"observer.egress.vlan.name\",\"observer.egress.zone\",\"observer.geo.city_name\",\"observer.geo.continent_name\",\"observer.geo.country_iso_code\",\"observer.geo.country_name\",\"observer.geo.location\",\"observer.geo.name\",\"observer.geo.region_iso_code\",\"observer.geo.region_name\",\"observer.hostname\",\"observer.ingress.interface.alias\",\"observer.ingress.interface.id\",\"observer.ingress.interface.name\",\"observer.ingress.vlan.id\",\"observer
.ingress.vlan.name\",\"observer.ingress.zone\",\"observer.ip\",\"observer.mac\",\"observer.name\",\"observer.os.family\",\"observer.os.full\",\"observer.os.full.text\",\"observer.os.kernel\",\"observer.os.name\",\"observer.os.name.text\",\"observer.os.platform\",\"observer.os.version\",\"observer.product\",\"observer.serial_number\",\"observer.type\",\"observer.vendor\",\"observer.version\",\"organization.id\",\"organization.name\",\"organization.name.text\",\"os.family\",\"os.full\",\"os.full.text\",\"os.kernel\",\"os.name\",\"os.name.text\",\"os.platform\",\"os.version\",\"osquery.result.action\",\"osquery.result.calendar_time\",\"osquery.result.host_identifier\",\"osquery.result.name\",\"osquery.result.unix_time\",\"package.architecture\",\"package.build_version\",\"package.checksum\",\"package.description\",\"package.install_scope\",\"package.installed\",\"package.license\",\"package.name\",\"package.path\",\"package.reference\",\"package.size\",\"package.type\",\"package.version\",\"pe.architecture\",\"pe.company\",\"pe.description\",\"pe.file_version\",\"pe.imphash\",\"pe.original_file_name\",\"pe.product\",\"postgresql.log.core_id\",\"postgresql.log.database\",\"postgresql.log.error.code\",\"postgresql.log.query\",\"postgresql.log.query_name\",\"postgresql.log.query_step\",\"postgresql.log.timestamp\",\"process.args\",\"process.args_count\",\"process.code_signature.exists\",\"process.code_signature.status\",\"process.code_signature.subject_name\",\"process.code_signature.trusted\",\"process.code_signature.valid\",\"process.command_line\",\"process.command_line.text\",\"process.entity_id\",\"process.executable\",\"process.executable.text\",\"process.exit_code\",\"process.hash.md5\",\"process.hash.sha1\",\"process.hash.sha256\",\"process.hash.sha512\",\"process.name\",\"process.name.text\",\"process.parent.args\",\"process.parent.args_count\",\"process.parent.code_signature.exists\",\"process.parent.code_signature.status\",\"process.parent.code_signature.subjec
t_name\",\"process.parent.code_signature.trusted\",\"process.parent.code_signature.valid\",\"process.parent.command_line\",\"process.parent.command_line.text\",\"process.parent.entity_id\",\"process.parent.executable\",\"process.parent.executable.text\",\"process.parent.exit_code\",\"process.parent.hash.md5\",\"process.parent.hash.sha1\",\"process.parent.hash.sha256\",\"process.parent.hash.sha512\",\"process.parent.name\",\"process.parent.name.text\",\"process.parent.pe.architecture\",\"process.parent.pe.company\",\"process.parent.pe.description\",\"process.parent.pe.file_version\",\"process.parent.pe.imphash\",\"process.parent.pe.original_file_name\",\"process.parent.pe.product\",\"process.parent.pgid\",\"process.parent.pid\",\"process.parent.ppid\",\"process.parent.start\",\"process.parent.thread.id\",\"process.parent.thread.name\",\"process.parent.title\",\"process.parent.title.text\",\"process.parent.uptime\",\"process.parent.working_directory\",\"process.parent.working_directory.text\",\"process.pe.architecture\",\"process.pe.company\",\"process.pe.description\",\"process.pe.file_version\",\"process.pe.imphash\",\"process.pe.original_file_name\",\"process.pe.product\",\"process.pgid\",\"process.pid\",\"process.ppid\",\"process.program\",\"process.start\",\"process.thread.id\",\"process.thread.name\",\"process.title\",\"process.title.text\",\"process.uptime\",\"process.working_directory\",\"process.working_directory.text\",\"redis.log.role\",\"redis.slowlog.args\",\"redis.slowlog.cmd\",\"redis.slowlog.duration.us\",\"redis.slowlog.id\",\"redis.slowlog.key\",\"registry.data.bytes\",\"registry.data.strings\",\"registry.data.type\",\"registry.hive\",\"registry.key\",\"registry.path\",\"registry.value\",\"related.hash\",\"related.hosts\",\"related.ip\",\"related.user\",\"rule.author\",\"rule.category\",\"rule.description\",\"rule.id\",\"rule.license\",\"rule.name\",\"rule.reference\",\"rule.ruleset\",\"rule.uuid\",\"rule.version\",\"santa.action\",\"santa.certificat
e.common_name\",\"santa.certificate.sha256\",\"santa.decision\",\"santa.disk.bsdname\",\"santa.disk.bus\",\"santa.disk.fs\",\"santa.disk.model\",\"santa.disk.mount\",\"santa.disk.serial\",\"santa.disk.volume\",\"santa.mode\",\"santa.reason\",\"server.address\",\"server.as.number\",\"server.as.organization.name\",\"server.as.organization.name.text\",\"server.bytes\",\"server.domain\",\"server.geo.city_name\",\"server.geo.continent_name\",\"server.geo.country_iso_code\",\"server.geo.country_name\",\"server.geo.location\",\"server.geo.name\",\"server.geo.region_iso_code\",\"server.geo.region_name\",\"server.ip\",\"server.mac\",\"server.nat.ip\",\"server.nat.port\",\"server.packets\",\"server.port\",\"server.registered_domain\",\"server.subdomain\",\"server.top_level_domain\",\"server.user.domain\",\"server.user.email\",\"server.user.full_name\",\"server.user.full_name.text\",\"server.user.group.domain\",\"server.user.group.id\",\"server.user.group.name\",\"server.user.hash\",\"server.user.id\",\"server.user.name\",\"server.user.name.text\",\"server.user.roles\",\"service.ephemeral_id\",\"service.id\",\"service.name\",\"service.node.name\",\"service.state\",\"service.type\",\"service.version\",\"source.address\",\"source.as.number\",\"source.as.organization.name\",\"source.as.organization.name.text\",\"source.bytes\",\"source.domain\",\"source.geo.city_name\",\"source.geo.continent_name\",\"source.geo.country_iso_code\",\"source.geo.country_name\",\"source.geo.location\",\"source.geo.name\",\"source.geo.region_iso_code\",\"source.geo.region_name\",\"source.ip\",\"source.mac\",\"source.nat.ip\",\"source.nat.port\",\"source.packets\",\"source.port\",\"source.registered_domain\",\"source.subdomain\",\"source.top_level_domain\",\"source.user.domain\",\"source.user.email\",\"source.user.full_name\",\"source.user.full_name.text\",\"source.user.group.domain\",\"source.user.group.id\",\"source.user.group.name\",\"source.user.hash\",\"source.user.id\",\"source.user.name\",\"sour
ce.user.name.text\",\"source.user.roles\",\"span.id\",\"stream\",\"syslog.facility\",\"syslog.facility_label\",\"syslog.priority\",\"syslog.severity_label\",\"system.auth.ssh.dropped_ip\",\"system.auth.ssh.event\",\"system.auth.ssh.method\",\"system.auth.ssh.signature\",\"system.auth.sudo.command\",\"system.auth.sudo.error\",\"system.auth.sudo.pwd\",\"system.auth.sudo.tty\",\"system.auth.sudo.user\",\"system.auth.useradd.home\",\"system.auth.useradd.shell\",\"tags\",\"threat.framework\",\"threat.tactic.id\",\"threat.tactic.name\",\"threat.tactic.reference\",\"threat.technique.id\",\"threat.technique.name\",\"threat.technique.name.text\",\"threat.technique.reference\",\"threat.technique.subtechnique.id\",\"threat.technique.subtechnique.name\",\"threat.technique.subtechnique.name.text\",\"threat.technique.subtechnique.reference\",\"timeseries.instance\",\"tls.cipher\",\"tls.client.certificate\",\"tls.client.certificate_chain\",\"tls.client.hash.md5\",\"tls.client.hash.sha1\",\"tls.client.hash.sha256\",\"tls.client.issuer\",\"tls.client.ja3\",\"tls.client.not_after\",\"tls.client.not_before\",\"tls.client.server_name\",\"tls.client.subject\",\"tls.client.supported_ciphers\",\"tls.client.x509.alternative_names\",\"tls.client.x509.issuer.common_name\",\"tls.client.x509.issuer.country\",\"tls.client.x509.issuer.distinguished_name\",\"tls.client.x509.issuer.locality\",\"tls.client.x509.issuer.organization\",\"tls.client.x509.issuer.organizational_unit\",\"tls.client.x509.issuer.state_or_province\",\"tls.client.x509.not_after\",\"tls.client.x509.not_before\",\"tls.client.x509.public_key_algorithm\",\"tls.client.x509.public_key_curve\",\"tls.client.x509.public_key_exponent\",\"tls.client.x509.public_key_size\",\"tls.client.x509.serial_number\",\"tls.client.x509.signature_algorithm\",\"tls.client.x509.subject.common_name\",\"tls.client.x509.subject.country\",\"tls.client.x509.subject.distinguished_name\",\"tls.client.x509.subject.locality\",\"tls.client.x509.subject.organizat
ion\",\"tls.client.x509.subject.organizational_unit\",\"tls.client.x509.subject.state_or_province\",\"tls.client.x509.version_number\",\"tls.curve\",\"tls.established\",\"tls.next_protocol\",\"tls.resumed\",\"tls.server.certificate\",\"tls.server.certificate_chain\",\"tls.server.hash.md5\",\"tls.server.hash.sha1\",\"tls.server.hash.sha256\",\"tls.server.issuer\",\"tls.server.ja3s\",\"tls.server.not_after\",\"tls.server.not_before\",\"tls.server.subject\",\"tls.server.x509.alternative_names\",\"tls.server.x509.issuer.common_name\",\"tls.server.x509.issuer.country\",\"tls.server.x509.issuer.distinguished_name\",\"tls.server.x509.issuer.locality\",\"tls.server.x509.issuer.organization\",\"tls.server.x509.issuer.organizational_unit\",\"tls.server.x509.issuer.state_or_province\",\"tls.server.x509.not_after\",\"tls.server.x509.not_before\",\"tls.server.x509.public_key_algorithm\",\"tls.server.x509.public_key_curve\",\"tls.server.x509.public_key_exponent\",\"tls.server.x509.public_key_size\",\"tls.server.x509.serial_number\",\"tls.server.x509.signature_algorithm\",\"tls.server.x509.subject.common_name\",\"tls.server.x509.subject.country\",\"tls.server.x509.subject.distinguished_name\",\"tls.server.x509.subject.locality\",\"tls.server.x509.subject.organization\",\"tls.server.x509.subject.organizational_unit\",\"tls.server.x509.subject.state_or_province\",\"tls.server.x509.version_number\",\"tls.version\",\"tls.version_protocol\",\"trace.id\",\"traefik.access.backend_url\",\"traefik.access.frontend_name\",\"traefik.access.geoip.city_name\",\"traefik.access.geoip.continent_name\",\"traefik.access.geoip.country_iso_code\",\"traefik.access.geoip.location\",\"traefik.access.geoip.region_iso_code\",\"traefik.access.geoip.region_name\",\"traefik.access.request_count\",\"traefik.access.user_agent.device\",\"traefik.access.user_agent.name\",\"traefik.access.user_agent.original\",\"traefik.access.user_agent.os\",\"traefik.access.user_agent.os_name\",\"traefik.access.user_identifier\"
,\"transaction.id\",\"url.domain\",\"url.extension\",\"url.fragment\",\"url.full\",\"url.full.text\",\"url.original\",\"url.original.text\",\"url.password\",\"url.path\",\"url.port\",\"url.query\",\"url.registered_domain\",\"url.scheme\",\"url.subdomain\",\"url.top_level_domain\",\"url.username\",\"user.audit.group.id\",\"user.audit.group.name\",\"user.audit.id\",\"user.audit.name\",\"user.domain\",\"user.effective.group.id\",\"user.effective.group.name\",\"user.effective.id\",\"user.effective.name\",\"user.email\",\"user.filesystem.group.id\",\"user.filesystem.group.name\",\"user.filesystem.id\",\"user.filesystem.name\",\"user.full_name\",\"user.full_name.text\",\"user.group.domain\",\"user.group.id\",\"user.group.name\",\"user.hash\",\"user.id\",\"user.name\",\"user.name.text\",\"user.owner.group.id\",\"user.owner.group.name\",\"user.owner.id\",\"user.owner.name\",\"user.roles\",\"user.saved.group.id\",\"user.saved.group.name\",\"user.saved.id\",\"user.saved.name\",\"user.terminal\",\"user_agent.device.name\",\"user_agent.name\",\"user_agent.original\",\"user_agent.original.text\",\"user_agent.os.family\",\"user_agent.os.full\",\"user_agent.os.full.text\",\"user_agent.os.full_name\",\"user_agent.os.kernel\",\"user_agent.os.name\",\"user_agent.os.name.text\",\"user_agent.os.platform\",\"user_agent.os.version\",\"user_agent.version\",\"vlan.id\",\"vlan.name\",\"vulnerability.category\",\"vulnerability.classification\",\"vulnerability.description\",\"vulnerability.description.text\",\"vulnerability.enumeration\",\"vulnerability.id\",\"vulnerability.reference\",\"vulnerability.report_id\",\"vulnerability.scanner.vendor\",\"vulnerability.score.base\",\"vulnerability.score.environmental\",\"vulnerability.score.temporal\",\"vulnerability.score.version\",\"vulnerability.severity\",\"x509.alternative_names\",\"x509.issuer.common_name\",\"x509.issuer.country\",\"x509.issuer.distinguished_name\",\"x509.issuer.locality\",\"x509.issuer.organization\",\"x509.issuer.organization
al_unit\",\"x509.issuer.state_or_province\",\"x509.not_after\",\"x509.not_before\",\"x509.public_key_algorithm\",\"x509.public_key_curve\",\"x509.public_key_exponent\",\"x509.public_key_size\",\"x509.serial_number\",\"x509.signature_algorithm\",\"x509.subject.common_name\",\"x509.subject.country\",\"x509.subject.distinguished_name\",\"x509.subject.locality\",\"x509.subject.organization\",\"x509.subject.organizational_unit\",\"x509.subject.state_or_province\",\"x509.version_number\"],\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"hid_bravura_monitor.perf.kind\",\"negate\":false,\"params\":{\"query\":\"PerfIDWFM\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"hid_bravura_monitor.perf.kind\":\"PerfIDWFM\"}}}],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "PerfIDWFM", - "version": 1 - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-d1f2d8c0-1473-11eb-bb7b-bb041e8cf289", - "migrationVersion": { - "search": "7.9.3" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/hid_bravura_monitor/1.2.3/kibana/search/hid_bravura_monitor-dca8bb20-d397-11eb-9e70-edcbba448215.json b/packages/hid_bravura_monitor/1.2.3/kibana/search/hid_bravura_monitor-dca8bb20-d397-11eb-9e70-edcbba448215.json deleted file mode 100755 index 122f899b44..0000000000 
--- a/packages/hid_bravura_monitor/1.2.3/kibana/search/hid_bravura_monitor-dca8bb20-d397-11eb-9e70-edcbba448215.json +++ /dev/null 
@@ -1,41 +0,0 @@ -{ - "attributes": { - "columns": [ - "message" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"winlog.provider_name\",\"negate\":false,\"params\":{\"query\":\"Hitachi-Hitachi ID Systems-Hitachi ID Suite\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"winlog.provider_name\":\"Hitachi-Hitachi ID Systems-Hitachi ID Suite\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":[\"28\",\"29\",\"30\",\"31\",\"32\",\"33\",\"52\",\"53\",\"54\",\"55\",\"56\",\"57\",\"58\",\"59\",\"60\",\"61\",\"62\",\"63\",\"64\",\"65\",\"66\",\"67\",\"68\",\"69\",\"70\",\"71\",\"72\",\"73\",\"121\"],\"type\":\"phrases\",\"value\":\"28, 29, 30, 31, 32, 33, 52, 53, 54, 55, 56, 57, 58, 59, 60, 61, 62, 63, 64, 65, 66, 67, 68, 69, 70, 71, 72, 73, 
121\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.code\":\"28\"}},{\"match_phrase\":{\"event.code\":\"29\"}},{\"match_phrase\":{\"event.code\":\"30\"}},{\"match_phrase\":{\"event.code\":\"31\"}},{\"match_phrase\":{\"event.code\":\"32\"}},{\"match_phrase\":{\"event.code\":\"33\"}},{\"match_phrase\":{\"event.code\":\"52\"}},{\"match_phrase\":{\"event.code\":\"53\"}},{\"match_phrase\":{\"event.code\":\"54\"}},{\"match_phrase\":{\"event.code\":\"55\"}},{\"match_phrase\":{\"event.code\":\"56\"}},{\"match_phrase\":{\"event.code\":\"57\"}},{\"match_phrase\":{\"event.code\":\"58\"}},{\"match_phrase\":{\"event.code\":\"59\"}},{\"match_phrase\":{\"event.code\":\"60\"}},{\"match_phrase\":{\"event.code\":\"61\"}},{\"match_phrase\":{\"event.code\":\"62\"}},{\"match_phrase\":{\"event.code\":\"63\"}},{\"match_phrase\":{\"event.code\":\"64\"}},{\"match_phrase\":{\"event.code\":\"65\"}},{\"match_phrase\":{\"event.code\":\"66\"}},{\"match_phrase\":{\"event.code\":\"67\"}},{\"match_phrase\":{\"event.code\":\"68\"}},{\"match_phrase\":{\"event.code\":\"69\"}},{\"match_phrase\":{\"event.code\":\"70\"}},{\"match_phrase\":{\"event.code\":\"71\"}},{\"match_phrase\":{\"event.code\":\"72\"}},{\"match_phrase\":{\"event.code\":\"73\"}},{\"match_phrase\":{\"event.code\":\"121\"}}]}}}],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}" - }, - "sort": [], - "title": "Hitachi ID Windows Event Logs - Administrative", - "version": 1 - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-dca8bb20-d397-11eb-9e70-edcbba448215", - "migrationVersion": { - "search": "7.9.3" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": 
"index-pattern"
- },
- {
- "id": "logs-*",
- "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index",
- "type": "index-pattern"
- }
- ],
- "type": "search"
-}
\ No newline at end of file
diff --git a/packages/hid_bravura_monitor/1.2.3/kibana/search/hid_bravura_monitor-dd637750-1473-11eb-bb7b-bb041e8cf289.json b/packages/hid_bravura_monitor/1.2.3/kibana/search/hid_bravura_monitor-dd637750-1473-11eb-bb7b-bb041e8cf289.json
deleted file mode 100755
index b7502c0511..0000000000
--- a/packages/hid_bravura_monitor/1.2.3/kibana/search/hid_bravura_monitor-dd637750-1473-11eb-bb7b-bb041e8cf289.json
+++ /dev/null
@@ -1,41 +0,0 @@
-{
- "attributes": {
- "columns": [
- "_source"
- ],
- "description": "",
- "hits": 0,
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"fieldsFromSource\":[\"@timestamp\",\"_id\",\"_index\",\"_score\",\"_source\",\"_type\",\"agent.build.original\",\"agent.ephemeral_id\",\"agent.hostname\",\"agent.id\",\"agent.name\",\"agent.type\",\"agent.version\",\"apache.access.ssl.cipher\",\"apache.access.ssl.protocol\",\"apache.error.integration\",\"as.number\",\"as.organization.name\",\"as.organization.name.text\",\"auditd.log.a0\",\"auditd.log.addr\",\"auditd.log.item\",\"auditd.log.items\",\"auditd.log.laddr\",\"auditd.log.lport\",\"auditd.log.new_auid\",\"auditd.log.new_ses\",\"auditd.log.old_auid\",\"auditd.log.old_ses\",\"auditd.log.rport\",\"auditd.log.sequence\",\"auditd.log.tty\",\"azure.consumer_group\",\"azure.enqueued_time\",\"azure.eventhub\",\"azure.offset\",\"azure.partition_id\",\"azure.sequence_number\",\"client.address\",\"client.as.number\",\"client.as.organization.name\",\"client.as.organization.name.text\",\"client.bytes\",\"client.domain\",\"client.geo.city_name\",\"client.geo.continent_name\",\"client.geo.country_iso_code\",\"client.geo.country_name\",\"client.geo.location\",\"client.geo.name\",\"client.geo.region_iso_code\",\"client.geo.region_name\",\"client.ip\",\"client.mac\",\"client.nat.ip\",\"client.nat.port\",\"client.packets\",\"client.port\",\"client.registered_domain\",\"client.subdomain\",\"client.top_level_domain\",\"client.user.domain\",\"client.user.email\",\"client.user.full_name\",\"client.user.full_name.text\",\"client.user.group.domain\",\"client.user.group.id\",\"client.user.group.name\",\"client.user.hash\",\"client.user.id\",\"client.user.name\",\"client.user.name.text\",\"client.user.roles\",\"cloud.account.id\",\"cloud.account.name\",\"cloud.availability_zone\",\"cloud.image.id\",\"cloud.instance.id\",\"cloud.instance.name\",\"cloud.machine.type\",\"cloud.project.id\",\"cloud.project.name\",\"cloud.provider\"
,\"cloud.region\",\"code_signature.exists\",\"code_signature.status\",\"code_signature.subject_name\",\"code_signature.trusted\",\"code_signature.valid\",\"container.id\",\"container.image.name\",\"container.image.tag\",\"container.name\",\"container.runtime\",\"destination.address\",\"destination.as.number\",\"destination.as.organization.name\",\"destination.as.organization.name.text\",\"destination.bytes\",\"destination.domain\",\"destination.geo.city_name\",\"destination.geo.continent_name\",\"destination.geo.country_iso_code\",\"destination.geo.country_name\",\"destination.geo.location\",\"destination.geo.name\",\"destination.geo.region_iso_code\",\"destination.geo.region_name\",\"destination.ip\",\"destination.mac\",\"destination.nat.ip\",\"destination.nat.port\",\"destination.packets\",\"destination.port\",\"destination.registered_domain\",\"destination.subdomain\",\"destination.top_level_domain\",\"destination.user.domain\",\"destination.user.email\",\"destination.user.full_name\",\"destination.user.full_name.text\",\"destination.user.group.domain\",\"destination.user.group.id\",\"destination.user.group.name\",\"destination.user.hash\",\"destination.user.id\",\"destination.user.name\",\"destination.user.name.text\",\"destination.user.roles\",\"dll.code_signature.exists\",\"dll.code_signature.status\",\"dll.code_signature.subject_name\",\"dll.code_signature.trusted\",\"dll.code_signature.valid\",\"dll.hash.md5\",\"dll.hash.sha1\",\"dll.hash.sha256\",\"dll.hash.sha512\",\"dll.name\",\"dll.path\",\"dll.pe.architecture\",\"dll.pe.company\",\"dll.pe.description\",\"dll.pe.file_version\",\"dll.pe.imphash\",\"dll.pe.original_file_name\",\"dll.pe.product\",\"dns.answers.class\",\"dns.answers.data\",\"dns.answers.name\",\"dns.answers.ttl\",\"dns.answers.type\",\"dns.header_flags\",\"dns.id\",\"dns.op_code\",\"dns.question.class\",\"dns.question.name\",\"dns.question.registered_domain\",\"dns.question.subdomain\",\"dns.question.top_level_domain\",\"dns.question.type\",
\"dns.resolved_ip\",\"dns.response_code\",\"dns.type\",\"ecs.version\",\"elasticsearch.audit.action\",\"elasticsearch.audit.event_type\",\"elasticsearch.audit.indices\",\"elasticsearch.audit.layer\",\"elasticsearch.audit.message\",\"elasticsearch.audit.origin.type\",\"elasticsearch.audit.realm\",\"elasticsearch.audit.request.id\",\"elasticsearch.audit.request.name\",\"elasticsearch.audit.url.params\",\"elasticsearch.audit.user.realm\",\"elasticsearch.audit.user.roles\",\"elasticsearch.cluster.name\",\"elasticsearch.cluster.uuid\",\"elasticsearch.component\",\"elasticsearch.gc.heap.size_kb\",\"elasticsearch.gc.heap.used_kb\",\"elasticsearch.gc.jvm_runtime_sec\",\"elasticsearch.gc.old_gen.size_kb\",\"elasticsearch.gc.old_gen.used_kb\",\"elasticsearch.gc.phase.class_unload_time_sec\",\"elasticsearch.gc.phase.cpu_time.real_sec\",\"elasticsearch.gc.phase.cpu_time.sys_sec\",\"elasticsearch.gc.phase.cpu_time.user_sec\",\"elasticsearch.gc.phase.duration_sec\",\"elasticsearch.gc.phase.name\",\"elasticsearch.gc.phase.parallel_rescan_time_sec\",\"elasticsearch.gc.phase.scrub_string_table_time_sec\",\"elasticsearch.gc.phase.scrub_symbol_table_time_sec\",\"elasticsearch.gc.phase.weak_refs_processing_time_sec\",\"elasticsearch.gc.stopping_threads_time_sec\",\"elasticsearch.gc.tags\",\"elasticsearch.gc.threads_total_stop_time_sec\",\"elasticsearch.gc.young_gen.size_kb\",\"elasticsearch.gc.young_gen.used_kb\",\"elasticsearch.index.id\",\"elasticsearch.index.name\",\"elasticsearch.node.id\",\"elasticsearch.node.name\",\"elasticsearch.server.gc.collection_duration.ms\",\"elasticsearch.server.gc.observation_duration.ms\",\"elasticsearch.server.gc.overhead_seq\",\"elasticsearch.server.gc.young.one\",\"elasticsearch.server.gc.young.two\",\"elasticsearch.server.stacktrace\",\"elasticsearch.shard.id\",\"elasticsearch.slowlog.extra_source\",\"elasticsearch.slowlog.id\",\"elasticsearch.slowlog.logger\",\"elasticsearch.slowlog.routing\",\"elasticsearch.slowlog.search_type\",\"elasticsearch.s
lowlog.source\",\"elasticsearch.slowlog.source_query\",\"elasticsearch.slowlog.stats\",\"elasticsearch.slowlog.took\",\"elasticsearch.slowlog.total_hits\",\"elasticsearch.slowlog.total_shards\",\"elasticsearch.slowlog.type\",\"elasticsearch.slowlog.types\",\"error.code\",\"error.id\",\"error.message\",\"error.stack_trace\",\"error.stack_trace.text\",\"error.type\",\"event.action\",\"event.category\",\"event.code\",\"event.created\",\"data_stream.dataset\",\"event.duration\",\"event.end\",\"event.hash\",\"event.id\",\"event.ingested\",\"event.kind\",\"event.integration\",\"event.original\",\"event.outcome\",\"event.provider\",\"event.reason\",\"event.reference\",\"event.risk_score\",\"event.risk_score_norm\",\"event.sequence\",\"event.severity\",\"event.start\",\"event.timezone\",\"event.type\",\"event.url\",\"file.accessed\",\"file.attributes\",\"file.code_signature.exists\",\"file.code_signature.status\",\"file.code_signature.subject_name\",\"file.code_signature.trusted\",\"file.code_signature.valid\",\"file.created\",\"file.ctime\",\"file.device\",\"file.directory\",\"file.drive_letter\",\"file.extension\",\"file.gid\",\"file.group\",\"file.hash.md5\",\"file.hash.sha1\",\"file.hash.sha256\",\"file.hash.sha512\",\"file.inode\",\"file.mime_type\",\"file.mode\",\"file.mtime\",\"file.name\",\"file.owner\",\"file.path\",\"file.path.text\",\"file.pe.architecture\",\"file.pe.company\",\"file.pe.description\",\"file.pe.file_version\",\"file.pe.imphash\",\"file.pe.original_file_name\",\"file.pe.product\",\"file.size\",\"file.target_path\",\"file.target_path.text\",\"file.type\",\"file.uid\",\"file.x509.alternative_names\",\"file.x509.issuer.common_name\",\"file.x509.issuer.country\",\"file.x509.issuer.distinguished_name\",\"file.x509.issuer.locality\",\"file.x509.issuer.organization\",\"file.x509.issuer.organizational_unit\",\"file.x509.issuer.state_or_province\",\"file.x509.not_after\",\"file.x509.not_before\",\"file.x509.public_key_algorithm\",\"file.x509.public_key_curv
e\",\"file.x509.public_key_exponent\",\"file.x509.public_key_size\",\"file.x509.serial_number\",\"file.x509.signature_algorithm\",\"file.x509.subject.common_name\",\"file.x509.subject.country\",\"file.x509.subject.distinguished_name\",\"file.x509.subject.locality\",\"file.x509.subject.organization\",\"file.x509.subject.organizational_unit\",\"file.x509.subject.state_or_province\",\"file.x509.version_number\",\"fileset.name\",\"geo.city_name\",\"geo.continent_name\",\"geo.country_iso_code\",\"geo.country_name\",\"geo.location\",\"geo.name\",\"geo.region_iso_code\",\"geo.region_name\",\"group.domain\",\"group.id\",\"group.name\",\"haproxy.backend_name\",\"haproxy.backend_queue\",\"haproxy.bind_name\",\"haproxy.bytes_read\",\"haproxy.connection_wait_time_ms\",\"haproxy.connections.active\",\"haproxy.connections.backend\",\"haproxy.connections.frontend\",\"haproxy.connections.retries\",\"haproxy.connections.server\",\"haproxy.error_message\",\"haproxy.frontend_name\",\"haproxy.http.request.captured_cookie\",\"haproxy.http.request.captured_headers\",\"haproxy.http.request.raw_request_line\",\"haproxy.http.request.time_wait_ms\",\"haproxy.http.request.time_wait_without_data_ms\",\"haproxy.http.response.captured_cookie\",\"haproxy.http.response.captured_headers\",\"haproxy.mode\",\"haproxy.server_name\",\"haproxy.server_queue\",\"haproxy.source\",\"haproxy.tcp.connection_waiting_time_ms\",\"haproxy.termination_state\",\"haproxy.time_backend_connect\",\"haproxy.time_queue\",\"haproxy.total_waiting_time_ms\",\"hash.md5\",\"hash.sha1\",\"hash.sha256\",\"hash.sha512\",\"hid_bravura_monitor.instancename\",\"hid_bravura_monitor.node\",\"hid_bravura_monitor.perf.address\",\"hid_bravura_monitor.perf.address\",\"hid_bravura_monitor.perf.adminid\",\"hid_bravura_monitor.perf.adminid\",\"hid_bravura_monitor.perf.dbcommand\",\"hid_bravura_monitor.perf.dbcommand\",\"hid_bravura_monitor.perf.destination\",\"hid_bravura_monitor.perf.duration\",\"hid_bravura_monitor.perf.event\",\"hid_brav
ura_monitor.perf.event\",\"hid_bravura_monitor.perf.exe\",\"hid_bravura_monitor.perf.exe\",\"hid_bravura_monitor.perf.file\",\"hid_bravura_monitor.perf.function\",\"hid_bravura_monitor.perf.function\",\"hid_bravura_monitor.perf.kernel\",\"hid_bravura_monitor.perf.kind\",\"hid_bravura_monitor.perf.kind\",\"hid_bravura_monitor.perf.message\",\"hid_bravura_monitor.perf.message\",\"hid_bravura_monitor.perf.operation\",\"hid_bravura_monitor.perf.operation\",\"hid_bravura_monitor.perf.receivequeue\",\"hid_bravura_monitor.perf.receivequeue\",\"hid_bravura_monitor.perf.records\",\"hid_bravura_monitor.perf.result\",\"hid_bravura_monitor.perf.result\",\"hid_bravura_monitor.perf.rule\",\"hid_bravura_monitor.perf.sessionid\",\"hid_bravura_monitor.perf.sessionid\",\"hid_bravura_monitor.perf.sysid\",\"hid_bravura_monitor.perf.sysid\",\"hid_bravura_monitor.perf.table\",\"hid_bravura_monitor.perf.table\",\"hid_bravura_monitor.perf.targetid\",\"hid_bravura_monitor.perf.targetid\",\"hid_bravura_monitor.perf.transid\",\"hid_bravura_monitor.perf.transid\",\"hid_bravura_monitor.perf.type\",\"hid_bravura_monitor.perf.user\",\"hid_bravura_monitor.request.id\",\"hid_bravura_monitor.request.id\",\"host.architecture\",\"host.containerized\",\"host.domain\",\"host.geo.city_name\",\"host.geo.continent_name\",\"host.geo.country_iso_code\",\"host.geo.country_name\",\"host.geo.location\",\"host.geo.name\",\"host.geo.region_iso_code\",\"host.geo.region_name\",\"host.hostname\",\"host.id\",\"host.ip\",\"host.mac\",\"host.name\",\"host.os.build\",\"host.os.codename\",\"host.os.family\",\"host.os.full\",\"host.os.full.text\",\"host.os.kernel\",\"host.os.name\",\"host.os.name.text\",\"host.os.platform\",\"host.os.version\",\"host.type\",\"host.uptime\",\"host.user.domain\",\"host.user.email\",\"host.user.full_name\",\"host.user.full_name.text\",\"host.user.group.domain\",\"host.user.group.id\",\"host.user.group.name\",\"host.user.hash\",\"host.user.id\",\"host.user.name\",\"host.user.name.text\",\"hos
t.user.roles\",\"http.request.body.bytes\",\"http.request.body.content\",\"http.request.body.content.text\",\"http.request.bytes\",\"http.request.method\",\"http.request.mime_type\",\"http.request.referrer\",\"http.response.body.bytes\",\"http.response.body.content\",\"http.response.body.content.text\",\"http.response.bytes\",\"http.response.mime_type\",\"http.response.status_code\",\"http.version\",\"icinga.debug.facility\",\"icinga.main.facility\",\"icinga.startup.facility\",\"icmp.code\",\"icmp.type\",\"igmp.type\",\"iis.access.cookie\",\"iis.access.server_name\",\"iis.access.site_name\",\"iis.access.sub_status\",\"iis.access.win32_status\",\"iis.error.queue_name\",\"iis.error.reason_phrase\",\"input.type\",\"interface.alias\",\"interface.id\",\"interface.name\",\"jolokia.agent.id\",\"jolokia.agent.version\",\"jolokia.secured\",\"jolokia.server.product\",\"jolokia.server.vendor\",\"jolokia.server.version\",\"jolokia.url\",\"kafka.block_timestamp\",\"kafka.key\",\"kafka.log.class\",\"kafka.log.component\",\"kafka.log.thread\",\"kafka.log.trace.class\",\"kafka.log.trace.message\",\"kafka.offset\",\"kafka.partition\",\"kafka.topic\",\"kibana.add_to_spaces\",\"kibana.authentication_provider\",\"kibana.authentication_realm\",\"kibana.authentication_type\",\"kibana.delete_from_spaces\",\"kibana.log.state\",\"kibana.log.tags\",\"kibana.lookup_realm\",\"kibana.saved_object.id\",\"kibana.saved_object.type\",\"kibana.session_id\",\"kibana.space_id\",\"kubernetes.container.image\",\"kubernetes.container.name\",\"kubernetes.deployment.name\",\"kubernetes.namespace\",\"kubernetes.node.hostname\",\"kubernetes.node.name\",\"kubernetes.pod.name\",\"kubernetes.pod.uid\",\"kubernetes.replicaset.name\",\"kubernetes.statefulset.name\",\"log.file.path\",\"log.flags\",\"log.level\",\"log.logger\",\"log.offset\",\"log.origin.file.line\",\"log.origin.file.name\",\"log.origin.function\",\"log.original\",\"log.source.address\",\"log.syslog.facility.code\",\"log.syslog.facility.name\",\"lo
g.syslog.priority\",\"log.syslog.severity.code\",\"log.syslog.severity.name\",\"logstash.log.integration\",\"logstash.log.pipeline_id\",\"logstash.log.thread\",\"logstash.log.thread.text\",\"logstash.slowlog.event\",\"logstash.slowlog.event.text\",\"logstash.slowlog.integration\",\"logstash.slowlog.plugin_name\",\"logstash.slowlog.plugin_params\",\"logstash.slowlog.plugin_params.text\",\"logstash.slowlog.plugin_type\",\"logstash.slowlog.thread\",\"logstash.slowlog.thread.text\",\"logstash.slowlog.took_in_millis\",\"message\",\"mongodb.log.component\",\"mongodb.log.context\",\"mysql.slowlog.bytes_received\",\"mysql.slowlog.bytes_sent\",\"mysql.slowlog.current_user\",\"mysql.slowlog.filesort\",\"mysql.slowlog.filesort_on_disk\",\"mysql.slowlog.full_join\",\"mysql.slowlog.full_scan\",\"mysql.slowlog.innodb.io_r_bytes\",\"mysql.slowlog.innodb.io_r_ops\",\"mysql.slowlog.innodb.io_r_wait.sec\",\"mysql.slowlog.innodb.pages_distinct\",\"mysql.slowlog.innodb.queue_wait.sec\",\"mysql.slowlog.innodb.rec_lock_wait.sec\",\"mysql.slowlog.innodb.trx_id\",\"mysql.slowlog.killed\",\"mysql.slowlog.last_errno\",\"mysql.slowlog.lock_time.sec\",\"mysql.slowlog.log_slow_rate_limit\",\"mysql.slowlog.log_slow_rate_type\",\"mysql.slowlog.merge_passes\",\"mysql.slowlog.priority_queue\",\"mysql.slowlog.query\",\"mysql.slowlog.query_cache_hit\",\"mysql.slowlog.read_first\",\"mysql.slowlog.read_key\",\"mysql.slowlog.read_last\",\"mysql.slowlog.read_next\",\"mysql.slowlog.read_prev\",\"mysql.slowlog.read_rnd\",\"mysql.slowlog.read_rnd_next\",\"mysql.slowlog.rows_affected\",\"mysql.slowlog.rows_examined\",\"mysql.slowlog.rows_sent\",\"mysql.slowlog.schema\",\"mysql.slowlog.sort_merge_passes\",\"mysql.slowlog.sort_range_count\",\"mysql.slowlog.sort_rows\",\"mysql.slowlog.sort_scan_count\",\"mysql.slowlog.tmp_disk_tables\",\"mysql.slowlog.tmp_table\",\"mysql.slowlog.tmp_table_on_disk\",\"mysql.slowlog.tmp_table_sizes\",\"mysql.slowlog.tmp_tables\",\"mysql.thread_id\",\"nats.log.client.id\",\"nats.l
og.msg.bytes\",\"nats.log.msg.error.message\",\"nats.log.msg.max_messages\",\"nats.log.msg.queue_group\",\"nats.log.msg.reply_to\",\"nats.log.msg.sid\",\"nats.log.msg.subject\",\"nats.log.msg.type\",\"network.application\",\"network.bytes\",\"network.community_id\",\"network.direction\",\"network.forwarded_ip\",\"network.iana_number\",\"network.inner.vlan.id\",\"network.inner.vlan.name\",\"network.name\",\"network.packets\",\"network.protocol\",\"network.transport\",\"network.type\",\"network.vlan.id\",\"network.vlan.name\",\"nginx.error.connection_id\",\"nginx.ingress_controller.http.request.id\",\"nginx.ingress_controller.http.request.length\",\"nginx.ingress_controller.http.request.time\",\"nginx.ingress_controller.upstream.alternative_name\",\"nginx.ingress_controller.upstream.ip\",\"nginx.ingress_controller.upstream.name\",\"nginx.ingress_controller.upstream.port\",\"nginx.ingress_controller.upstream.response.length\",\"nginx.ingress_controller.upstream.response.length_list\",\"nginx.ingress_controller.upstream.response.status_code\",\"nginx.ingress_controller.upstream.response.status_code_list\",\"nginx.ingress_controller.upstream.response.time\",\"nginx.ingress_controller.upstream.response.time_list\",\"nginx.ingress_controller.upstream_address_list\",\"observer.egress.interface.alias\",\"observer.egress.interface.id\",\"observer.egress.interface.name\",\"observer.egress.vlan.id\",\"observer.egress.vlan.name\",\"observer.egress.zone\",\"observer.geo.city_name\",\"observer.geo.continent_name\",\"observer.geo.country_iso_code\",\"observer.geo.country_name\",\"observer.geo.location\",\"observer.geo.name\",\"observer.geo.region_iso_code\",\"observer.geo.region_name\",\"observer.hostname\",\"observer.ingress.interface.alias\",\"observer.ingress.interface.id\",\"observer.ingress.interface.name\",\"observer.ingress.vlan.id\",\"observer.ingress.vlan.name\",\"observer.ingress.zone\",\"observer.ip\",\"observer.mac\",\"observer.name\",\"observer.os.family\",\"observer.o
s.full\",\"observer.os.full.text\",\"observer.os.kernel\",\"observer.os.name\",\"observer.os.name.text\",\"observer.os.platform\",\"observer.os.version\",\"observer.product\",\"observer.serial_number\",\"observer.type\",\"observer.vendor\",\"observer.version\",\"organization.id\",\"organization.name\",\"organization.name.text\",\"os.family\",\"os.full\",\"os.full.text\",\"os.kernel\",\"os.name\",\"os.name.text\",\"os.platform\",\"os.version\",\"osquery.result.action\",\"osquery.result.calendar_time\",\"osquery.result.host_identifier\",\"osquery.result.name\",\"osquery.result.unix_time\",\"package.architecture\",\"package.build_version\",\"package.checksum\",\"package.description\",\"package.install_scope\",\"package.installed\",\"package.license\",\"package.name\",\"package.path\",\"package.reference\",\"package.size\",\"package.type\",\"package.version\",\"pe.architecture\",\"pe.company\",\"pe.description\",\"pe.file_version\",\"pe.imphash\",\"pe.original_file_name\",\"pe.product\",\"postgresql.log.core_id\",\"postgresql.log.database\",\"postgresql.log.error.code\",\"postgresql.log.query\",\"postgresql.log.query_name\",\"postgresql.log.query_step\",\"postgresql.log.timestamp\",\"process.args\",\"process.args_count\",\"process.code_signature.exists\",\"process.code_signature.status\",\"process.code_signature.subject_name\",\"process.code_signature.trusted\",\"process.code_signature.valid\",\"process.command_line\",\"process.command_line.text\",\"process.entity_id\",\"process.executable\",\"process.executable.text\",\"process.exit_code\",\"process.hash.md5\",\"process.hash.sha1\",\"process.hash.sha256\",\"process.hash.sha512\",\"process.name\",\"process.name.text\",\"process.parent.args\",\"process.parent.args_count\",\"process.parent.code_signature.exists\",\"process.parent.code_signature.status\",\"process.parent.code_signature.subject_name\",\"process.parent.code_signature.trusted\",\"process.parent.code_signature.valid\",\"process.parent.command_line\",\"process.
parent.command_line.text\",\"process.parent.entity_id\",\"process.parent.executable\",\"process.parent.executable.text\",\"process.parent.exit_code\",\"process.parent.hash.md5\",\"process.parent.hash.sha1\",\"process.parent.hash.sha256\",\"process.parent.hash.sha512\",\"process.parent.name\",\"process.parent.name.text\",\"process.parent.pe.architecture\",\"process.parent.pe.company\",\"process.parent.pe.description\",\"process.parent.pe.file_version\",\"process.parent.pe.imphash\",\"process.parent.pe.original_file_name\",\"process.parent.pe.product\",\"process.parent.pgid\",\"process.parent.pid\",\"process.parent.ppid\",\"process.parent.start\",\"process.parent.thread.id\",\"process.parent.thread.name\",\"process.parent.title\",\"process.parent.title.text\",\"process.parent.uptime\",\"process.parent.working_directory\",\"process.parent.working_directory.text\",\"process.pe.architecture\",\"process.pe.company\",\"process.pe.description\",\"process.pe.file_version\",\"process.pe.imphash\",\"process.pe.original_file_name\",\"process.pe.product\",\"process.pgid\",\"process.pid\",\"process.ppid\",\"process.program\",\"process.start\",\"process.thread.id\",\"process.thread.name\",\"process.title\",\"process.title.text\",\"process.uptime\",\"process.working_directory\",\"process.working_directory.text\",\"redis.log.role\",\"redis.slowlog.args\",\"redis.slowlog.cmd\",\"redis.slowlog.duration.us\",\"redis.slowlog.id\",\"redis.slowlog.key\",\"registry.data.bytes\",\"registry.data.strings\",\"registry.data.type\",\"registry.hive\",\"registry.key\",\"registry.path\",\"registry.value\",\"related.hash\",\"related.hosts\",\"related.ip\",\"related.user\",\"rule.author\",\"rule.category\",\"rule.description\",\"rule.id\",\"rule.license\",\"rule.name\",\"rule.reference\",\"rule.ruleset\",\"rule.uuid\",\"rule.version\",\"santa.action\",\"santa.certificate.common_name\",\"santa.certificate.sha256\",\"santa.decision\",\"santa.disk.bsdname\",\"santa.disk.bus\",\"santa.disk.fs\",\"santa.d
isk.model\",\"santa.disk.mount\",\"santa.disk.serial\",\"santa.disk.volume\",\"santa.mode\",\"santa.reason\",\"server.address\",\"server.as.number\",\"server.as.organization.name\",\"server.as.organization.name.text\",\"server.bytes\",\"server.domain\",\"server.geo.city_name\",\"server.geo.continent_name\",\"server.geo.country_iso_code\",\"server.geo.country_name\",\"server.geo.location\",\"server.geo.name\",\"server.geo.region_iso_code\",\"server.geo.region_name\",\"server.ip\",\"server.mac\",\"server.nat.ip\",\"server.nat.port\",\"server.packets\",\"server.port\",\"server.registered_domain\",\"server.subdomain\",\"server.top_level_domain\",\"server.user.domain\",\"server.user.email\",\"server.user.full_name\",\"server.user.full_name.text\",\"server.user.group.domain\",\"server.user.group.id\",\"server.user.group.name\",\"server.user.hash\",\"server.user.id\",\"server.user.name\",\"server.user.name.text\",\"server.user.roles\",\"service.ephemeral_id\",\"service.id\",\"service.name\",\"service.node.name\",\"service.state\",\"service.type\",\"service.version\",\"source.address\",\"source.as.number\",\"source.as.organization.name\",\"source.as.organization.name.text\",\"source.bytes\",\"source.domain\",\"source.geo.city_name\",\"source.geo.continent_name\",\"source.geo.country_iso_code\",\"source.geo.country_name\",\"source.geo.location\",\"source.geo.name\",\"source.geo.region_iso_code\",\"source.geo.region_name\",\"source.ip\",\"source.mac\",\"source.nat.ip\",\"source.nat.port\",\"source.packets\",\"source.port\",\"source.registered_domain\",\"source.subdomain\",\"source.top_level_domain\",\"source.user.domain\",\"source.user.email\",\"source.user.full_name\",\"source.user.full_name.text\",\"source.user.group.domain\",\"source.user.group.id\",\"source.user.group.name\",\"source.user.hash\",\"source.user.id\",\"source.user.name\",\"source.user.name.text\",\"source.user.roles\",\"span.id\",\"stream\",\"syslog.facility\",\"syslog.facility_label\",\"syslog.priority\",\"
syslog.severity_label\",\"system.auth.ssh.dropped_ip\",\"system.auth.ssh.event\",\"system.auth.ssh.method\",\"system.auth.ssh.signature\",\"system.auth.sudo.command\",\"system.auth.sudo.error\",\"system.auth.sudo.pwd\",\"system.auth.sudo.tty\",\"system.auth.sudo.user\",\"system.auth.useradd.home\",\"system.auth.useradd.shell\",\"tags\",\"threat.framework\",\"threat.tactic.id\",\"threat.tactic.name\",\"threat.tactic.reference\",\"threat.technique.id\",\"threat.technique.name\",\"threat.technique.name.text\",\"threat.technique.reference\",\"threat.technique.subtechnique.id\",\"threat.technique.subtechnique.name\",\"threat.technique.subtechnique.name.text\",\"threat.technique.subtechnique.reference\",\"timeseries.instance\",\"tls.cipher\",\"tls.client.certificate\",\"tls.client.certificate_chain\",\"tls.client.hash.md5\",\"tls.client.hash.sha1\",\"tls.client.hash.sha256\",\"tls.client.issuer\",\"tls.client.ja3\",\"tls.client.not_after\",\"tls.client.not_before\",\"tls.client.server_name\",\"tls.client.subject\",\"tls.client.supported_ciphers\",\"tls.client.x509.alternative_names\",\"tls.client.x509.issuer.common_name\",\"tls.client.x509.issuer.country\",\"tls.client.x509.issuer.distinguished_name\",\"tls.client.x509.issuer.locality\",\"tls.client.x509.issuer.organization\",\"tls.client.x509.issuer.organizational_unit\",\"tls.client.x509.issuer.state_or_province\",\"tls.client.x509.not_after\",\"tls.client.x509.not_before\",\"tls.client.x509.public_key_algorithm\",\"tls.client.x509.public_key_curve\",\"tls.client.x509.public_key_exponent\",\"tls.client.x509.public_key_size\",\"tls.client.x509.serial_number\",\"tls.client.x509.signature_algorithm\",\"tls.client.x509.subject.common_name\",\"tls.client.x509.subject.country\",\"tls.client.x509.subject.distinguished_name\",\"tls.client.x509.subject.locality\",\"tls.client.x509.subject.organization\",\"tls.client.x509.subject.organizational_unit\",\"tls.client.x509.subject.state_or_province\",\"tls.client.x509.version_number\
",\"tls.curve\",\"tls.established\",\"tls.next_protocol\",\"tls.resumed\",\"tls.server.certificate\",\"tls.server.certificate_chain\",\"tls.server.hash.md5\",\"tls.server.hash.sha1\",\"tls.server.hash.sha256\",\"tls.server.issuer\",\"tls.server.ja3s\",\"tls.server.not_after\",\"tls.server.not_before\",\"tls.server.subject\",\"tls.server.x509.alternative_names\",\"tls.server.x509.issuer.common_name\",\"tls.server.x509.issuer.country\",\"tls.server.x509.issuer.distinguished_name\",\"tls.server.x509.issuer.locality\",\"tls.server.x509.issuer.organization\",\"tls.server.x509.issuer.organizational_unit\",\"tls.server.x509.issuer.state_or_province\",\"tls.server.x509.not_after\",\"tls.server.x509.not_before\",\"tls.server.x509.public_key_algorithm\",\"tls.server.x509.public_key_curve\",\"tls.server.x509.public_key_exponent\",\"tls.server.x509.public_key_size\",\"tls.server.x509.serial_number\",\"tls.server.x509.signature_algorithm\",\"tls.server.x509.subject.common_name\",\"tls.server.x509.subject.country\",\"tls.server.x509.subject.distinguished_name\",\"tls.server.x509.subject.locality\",\"tls.server.x509.subject.organization\",\"tls.server.x509.subject.organizational_unit\",\"tls.server.x509.subject.state_or_province\",\"tls.server.x509.version_number\",\"tls.version\",\"tls.version_protocol\",\"trace.id\",\"traefik.access.backend_url\",\"traefik.access.frontend_name\",\"traefik.access.geoip.city_name\",\"traefik.access.geoip.continent_name\",\"traefik.access.geoip.country_iso_code\",\"traefik.access.geoip.location\",\"traefik.access.geoip.region_iso_code\",\"traefik.access.geoip.region_name\",\"traefik.access.request_count\",\"traefik.access.user_agent.device\",\"traefik.access.user_agent.name\",\"traefik.access.user_agent.original\",\"traefik.access.user_agent.os\",\"traefik.access.user_agent.os_name\",\"traefik.access.user_identifier\",\"transaction.id\",\"url.domain\",\"url.extension\",\"url.fragment\",\"url.full\",\"url.full.text\",\"url.original\",\"url.original.
text\",\"url.password\",\"url.path\",\"url.port\",\"url.query\",\"url.registered_domain\",\"url.scheme\",\"url.subdomain\",\"url.top_level_domain\",\"url.username\",\"user.audit.group.id\",\"user.audit.group.name\",\"user.audit.id\",\"user.audit.name\",\"user.domain\",\"user.effective.group.id\",\"user.effective.group.name\",\"user.effective.id\",\"user.effective.name\",\"user.email\",\"user.filesystem.group.id\",\"user.filesystem.group.name\",\"user.filesystem.id\",\"user.filesystem.name\",\"user.full_name\",\"user.full_name.text\",\"user.group.domain\",\"user.group.id\",\"user.group.name\",\"user.hash\",\"user.id\",\"user.name\",\"user.name.text\",\"user.owner.group.id\",\"user.owner.group.name\",\"user.owner.id\",\"user.owner.name\",\"user.roles\",\"user.saved.group.id\",\"user.saved.group.name\",\"user.saved.id\",\"user.saved.name\",\"user.terminal\",\"user_agent.device.name\",\"user_agent.name\",\"user_agent.original\",\"user_agent.original.text\",\"user_agent.os.family\",\"user_agent.os.full\",\"user_agent.os.full.text\",\"user_agent.os.full_name\",\"user_agent.os.kernel\",\"user_agent.os.name\",\"user_agent.os.name.text\",\"user_agent.os.platform\",\"user_agent.os.version\",\"user_agent.version\",\"vlan.id\",\"vlan.name\",\"vulnerability.category\",\"vulnerability.classification\",\"vulnerability.description\",\"vulnerability.description.text\",\"vulnerability.enumeration\",\"vulnerability.id\",\"vulnerability.reference\",\"vulnerability.report_id\",\"vulnerability.scanner.vendor\",\"vulnerability.score.base\",\"vulnerability.score.environmental\",\"vulnerability.score.temporal\",\"vulnerability.score.version\",\"vulnerability.severity\",\"x509.alternative_names\",\"x509.issuer.common_name\",\"x509.issuer.country\",\"x509.issuer.distinguished_name\",\"x509.issuer.locality\",\"x509.issuer.organization\",\"x509.issuer.organizational_unit\",\"x509.issuer.state_or_province\",\"x509.not_after\",\"x509.not_before\",\"x509.public_key_algorithm\",\"x509.public_key_cu
rve\",\"x509.public_key_exponent\",\"x509.public_key_size\",\"x509.serial_number\",\"x509.signature_algorithm\",\"x509.subject.common_name\",\"x509.subject.country\",\"x509.subject.distinguished_name\",\"x509.subject.locality\",\"x509.subject.organization\",\"x509.subject.organizational_unit\",\"x509.subject.state_or_province\",\"x509.version_number\"],\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"hid_bravura_monitor.perf.kind\",\"negate\":false,\"params\":{\"query\":\"PerfPsupdate\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"hid_bravura_monitor.perf.kind\":\"PerfPsupdate\"}}}],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}"
- },
- "sort": [
- [
- "@timestamp",
- "desc"
- ]
- ],
- "title": "PerfPsupdate",
- "version": 1
- },
- "coreMigrationVersion": "7.15.0",
- "id": "hid_bravura_monitor-dd637750-1473-11eb-bb7b-bb041e8cf289",
- "migrationVersion": {
- "search": "7.9.3"
- },
- "namespaces": [
- "default"
- ],
- "references": [
- {
- "id": "logs-*",
- "name": "kibanaSavedObjectMeta.searchSourceJSON.index",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
- "type": "index-pattern"
- }
- ],
- "type": "search"
-}
\ No newline at end of file
diff --git a/packages/hid_bravura_monitor/1.2.3/kibana/visualization/hid_bravura_monitor-00cbeab0-1a28-11eb-abcf-effcd51852fa.json b/packages/hid_bravura_monitor/1.2.3/kibana/visualization/hid_bravura_monitor-00cbeab0-1a28-11eb-abcf-effcd51852fa.json
deleted file mode 100755
index 0df883fdb2..0000000000
--- a/packages/hid_bravura_monitor/1.2.3/kibana/visualization/hid_bravura_monitor-00cbeab0-1a28-11eb-abcf-effcd51852fa.json
+++ /dev/null
@@ -1,39 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":\"Transaction is NULL\",\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"hid_bravura_monitor.perf.transid\",\"negate\":true,\"params\":{\"query\":\"\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"hid_bravura_monitor.perf.transid\":\"\"}}},{\"$state\":{\"store\":\"appState\"},\"exists\":{\"field\":\"hid_bravura_monitor.perf.transid\"},\"meta\":{\"alias\":\"Transaction exists\",\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"hid_bravura_monitor.perf.transid\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Users: Pages: UI Transactions", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"UI Transaction\",\"field\":\"hid_bravura_monitor.perf.transid\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10000},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Executable\",\"field\":\"log.logger\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10000},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Average 
(ms)\",\"field\":\"hid_bravura_monitor.perf.duration\"},\"schema\":\"metric\",\"type\":\"avg\"},{\"enabled\":true,\"id\":\"5\",\"params\":{\"customLabel\":\"Min (ms)\",\"field\":\"hid_bravura_monitor.perf.duration\"},\"schema\":\"metric\",\"type\":\"min\"},{\"enabled\":true,\"id\":\"6\",\"params\":{\"customLabel\":\"Max (ms)\",\"field\":\"hid_bravura_monitor.perf.duration\"},\"schema\":\"metric\",\"type\":\"max\"},{\"enabled\":true,\"id\":\"7\",\"params\":{\"customLabel\":\"Total (ms)\",\"field\":\"hid_bravura_monitor.perf.duration\"},\"schema\":\"metric\",\"type\":\"sum\"}],\"params\":{\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Users: Pages: UI Transactions\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-00cbeab0-1a28-11eb-abcf-effcd51852fa", - "migrationVersion": { - "visualization": "7.14.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "type": "index-pattern" - }, - { - "id": "hid_bravura_monitor-77cbe8b0-de89-11eb-a272-2d62b237e243", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/hid_bravura_monitor/1.2.3/kibana/visualization/hid_bravura_monitor-00dc0a80-1adc-11eb-abcf-effcd51852fa.json b/packages/hid_bravura_monitor/1.2.3/kibana/visualization/hid_bravura_monitor-00dc0a80-1adc-11eb-abcf-effcd51852fa.json deleted file mode 100755 index 70be8c7e8f..0000000000 --- a/packages/hid_bravura_monitor/1.2.3/kibana/visualization/hid_bravura_monitor-00dc0a80-1adc-11eb-abcf-effcd51852fa.json +++ /dev/null 
@@ -1,33 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"hid_bravura_monitor.perf.kind\",\"negate\":false,\"params\":{\"query\":\"PerfConnector\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"hid_bravura_monitor.perf.kind\":\"PerfConnector\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Connector: Operations Per Node", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Node\",\"field\":\"host.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10000},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Connector: Operations Per Node\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-00dc0a80-1adc-11eb-abcf-effcd51852fa", - "migrationVersion": { - "visualization": "7.14.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/hid_bravura_monitor/1.2.3/kibana/visualization/hid_bravura_monitor-05cb9390-1a22-11eb-abcf-effcd51852fa.json b/packages/hid_bravura_monitor/1.2.3/kibana/visualization/hid_bravura_monitor-05cb9390-1a22-11eb-abcf-effcd51852fa.json deleted file mode 100755 index ffa350420f..0000000000 --- a/packages/hid_bravura_monitor/1.2.3/kibana/visualization/hid_bravura_monitor-05cb9390-1a22-11eb-abcf-effcd51852fa.json +++ /dev/null 
@@ -1,29 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Users: API: Histogram", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"scaleMetricValues\":false,\"timeRange\":{\"from\":\"now-15m\",\"to\":\"now\"},\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Node\",\"field\":\"host.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":1000},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"isVislibVis\":true,\"labels\":{\"show\":false},\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"mode\":\"stacked\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100}
,\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"Users: API: Histogram\",\"type\":\"histogram\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-05cb9390-1a22-11eb-abcf-effcd51852fa", - "migrationVersion": { - "visualization": "7.14.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "hid_bravura_monitor-ad5f7180-1473-11eb-bb7b-bb041e8cf289", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/hid_bravura_monitor/1.2.3/kibana/visualization/hid_bravura_monitor-06fb9d30-1a24-11eb-abcf-effcd51852fa.json b/packages/hid_bravura_monitor/1.2.3/kibana/visualization/hid_bravura_monitor-06fb9d30-1a24-11eb-abcf-effcd51852fa.json deleted file mode 100755 index 10a036dbb9..0000000000 --- a/packages/hid_bravura_monitor/1.2.3/kibana/visualization/hid_bravura_monitor-06fb9d30-1a24-11eb-abcf-effcd51852fa.json +++ /dev/null 
@@ -1,33 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"hid_bravura_monitor.perf.kind\",\"negate\":false,\"params\":{\"query\":\"PerfConnector\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"hid_bravura_monitor.perf.kind\":\"PerfConnector\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Connector: Operation List", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Operation\",\"field\":\"hid_bravura_monitor.perf.operation\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10000},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Connector: Operation List\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-06fb9d30-1a24-11eb-abcf-effcd51852fa", - "migrationVersion": { - "visualization": "7.14.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at 
end of file diff --git a/packages/hid_bravura_monitor/1.2.3/kibana/visualization/hid_bravura_monitor-0799ca70-2b66-11eb-abcf-effcd51852fa.json b/packages/hid_bravura_monitor/1.2.3/kibana/visualization/hid_bravura_monitor-0799ca70-2b66-11eb-abcf-effcd51852fa.json deleted file mode 100755 index afb95c51b9..0000000000 --- a/packages/hid_bravura_monitor/1.2.3/kibana/visualization/hid_bravura_monitor-0799ca70-2b66-11eb-abcf-effcd51852fa.json +++ /dev/null 
@@ -1,29 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Users: API: Function Performance", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Average (ms)\",\"field\":\"hid_bravura_monitor.perf.duration\"},\"schema\":\"metric\",\"type\":\"avg\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Minimum (ms)\",\"field\":\"hid_bravura_monitor.perf.duration\"},\"schema\":\"metric\",\"type\":\"min\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Maximum (ms)\",\"field\":\"hid_bravura_monitor.perf.duration\"},\"schema\":\"metric\",\"type\":\"max\"},{\"enabled\":true,\"id\":\"5\",\"params\":{\"customLabel\":\"Total (ms)\",\"field\":\"hid_bravura_monitor.perf.duration\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"6\",\"params\":{\"customLabel\":\"Function\",\"field\":\"hid_bravura_monitor.perf.function\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10000},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Users: API: Function Performance\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-0799ca70-2b66-11eb-abcf-effcd51852fa", - "migrationVersion": { - "visualization": "7.14.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": 
"hid_bravura_monitor-ad5f7180-1473-11eb-bb7b-bb041e8cf289", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/hid_bravura_monitor/1.2.3/kibana/visualization/hid_bravura_monitor-07f86e00-d835-11eb-9e70-edcbba448215.json b/packages/hid_bravura_monitor/1.2.3/kibana/visualization/hid_bravura_monitor-07f86e00-d835-11eb-9e70-edcbba448215.json deleted file mode 100755 index 9727c2554d..0000000000 --- a/packages/hid_bravura_monitor/1.2.3/kibana/visualization/hid_bravura_monitor-07f86e00-d835-11eb-9e70-edcbba448215.json +++ /dev/null 
@@ -1,29 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Administrative Summary Table", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Event Code\",\"field\":\"event.code\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":100},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Integration\",\"field\":\"winlog.event_data.Module\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":1000},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"Administrative Summary Table\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-07f86e00-d835-11eb-9e70-edcbba448215", - "migrationVersion": { - "visualization": "7.14.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "hid_bravura_monitor-dca8bb20-d397-11eb-9e70-edcbba448215", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/hid_bravura_monitor/1.2.3/kibana/visualization/hid_bravura_monitor-0cb6caa0-1ade-11eb-abcf-effcd51852fa.json b/packages/hid_bravura_monitor/1.2.3/kibana/visualization/hid_bravura_monitor-0cb6caa0-1ade-11eb-abcf-effcd51852fa.json deleted file mode 100755 index 709de00be4..0000000000 
--- a/packages/hid_bravura_monitor/1.2.3/kibana/visualization/hid_bravura_monitor-0cb6caa0-1ade-11eb-abcf-effcd51852fa.json +++ /dev/null 
@@ -1,29 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Workflow: Operations", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Event\",\"field\":\"hid_bravura_monitor.perf.event\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10000},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Average (ms)\",\"field\":\"hid_bravura_monitor.perf.duration\"},\"schema\":\"metric\",\"type\":\"avg\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Min (ms)\",\"field\":\"hid_bravura_monitor.perf.duration\"},\"schema\":\"metric\",\"type\":\"min\"},{\"enabled\":true,\"id\":\"5\",\"params\":{\"customLabel\":\"Max (ms)\",\"field\":\"hid_bravura_monitor.perf.duration\"},\"schema\":\"metric\",\"type\":\"max\"},{\"enabled\":true,\"id\":\"6\",\"params\":{\"customLabel\":\"Total (ms)\",\"field\":\"hid_bravura_monitor.perf.duration\"},\"schema\":\"metric\",\"type\":\"sum\"}],\"params\":{\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Workflow: Operations\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-0cb6caa0-1ade-11eb-abcf-effcd51852fa", - "migrationVersion": { - "visualization": "7.14.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": 
"hid_bravura_monitor-d1f2d8c0-1473-11eb-bb7b-bb041e8cf289", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/hid_bravura_monitor/1.2.3/kibana/visualization/hid_bravura_monitor-0cf3f020-1add-11eb-abcf-effcd51852fa.json b/packages/hid_bravura_monitor/1.2.3/kibana/visualization/hid_bravura_monitor-0cf3f020-1add-11eb-abcf-effcd51852fa.json deleted file mode 100755 index bff36e3274..0000000000 --- a/packages/hid_bravura_monitor/1.2.3/kibana/visualization/hid_bravura_monitor-0cf3f020-1add-11eb-abcf-effcd51852fa.json +++ /dev/null 
@@ -1,29 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Workflow: Operation Histogram", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"scaleMetricValues\":false,\"timeRange\":{\"from\":\"now-1y\",\"to\":\"now\"},\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Event\",\"field\":\"hid_bravura_monitor.perf.event\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"size\":20},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"isVislibVis\":true,\"labels\":{\"show\":false},\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"radiusRatio\":0,\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"mode\":\"stacked\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,
\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"Workflow: Operation Histogram\",\"type\":\"histogram\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-0cf3f020-1add-11eb-abcf-effcd51852fa", - "migrationVersion": { - "visualization": "7.14.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "hid_bravura_monitor-d1f2d8c0-1473-11eb-bb7b-bb041e8cf289", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/hid_bravura_monitor/1.2.3/kibana/visualization/hid_bravura_monitor-1211f840-d90a-11eb-9e70-edcbba448215.json b/packages/hid_bravura_monitor/1.2.3/kibana/visualization/hid_bravura_monitor-1211f840-d90a-11eb-9e70-edcbba448215.json deleted file mode 100755 index d65570252d..0000000000 --- a/packages/hid_bravura_monitor/1.2.3/kibana/visualization/hid_bravura_monitor-1211f840-d90a-11eb-9e70-edcbba448215.json +++ /dev/null 
@@ -1,34 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":true,\"params\":{\"query\":\"85\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"event.code\":\"85\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Top 10 Requesters", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Requester\",\"field\":\"winlog.event_data.Requester\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"Top 10 Requesters\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-1211f840-d90a-11eb-9e70-edcbba448215", - "migrationVersion": { - "visualization": "7.14.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "hid_bravura_monitor-53be5e10-d909-11eb-9e70-edcbba448215", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/hid_bravura_monitor/1.2.3/kibana/visualization/hid_bravura_monitor-1269fd70-1956-11eb-abcf-effcd51852fa.json b/packages/hid_bravura_monitor/1.2.3/kibana/visualization/hid_bravura_monitor-1269fd70-1956-11eb-abcf-effcd51852fa.json deleted file mode 100755 index 379e10846d..0000000000 --- a/packages/hid_bravura_monitor/1.2.3/kibana/visualization/hid_bravura_monitor-1269fd70-1956-11eb-abcf-effcd51852fa.json +++ /dev/null 
@@ -1,28 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"hid_bravura_monitor.log\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"hid_bravura_monitor.log\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Users: Summary: Node Usage", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count of unique User ID\",\"field\":\"user.id\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"scaleMetricValues\":false,\"timeRange\":{\"from\":\"now-15m\",\"to\":\"now\"},\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Node\",\"field\":\"host.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10000},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"isVislibVis\":true,\"labels\":{\"show\":false},\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"radiusRatio
\":0,\"row\":true,\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count of unique User ID\"},\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"mode\":\"stacked\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count of unique User ID\"},\"type\":\"value\"}]},\"title\":\"Users: Summary: Node Usage\",\"type\":\"histogram\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-1269fd70-1956-11eb-abcf-effcd51852fa", - "migrationVersion": { - "visualization": "7.14.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/hid_bravura_monitor/1.2.3/kibana/visualization/hid_bravura_monitor-1498e300-1482-11eb-bb7b-bb041e8cf289.json b/packages/hid_bravura_monitor/1.2.3/kibana/visualization/hid_bravura_monitor-1498e300-1482-11eb-bb7b-bb041e8cf289.json deleted file mode 100755 index 2e3839a607..0000000000 --- a/packages/hid_bravura_monitor/1.2.3/kibana/visualization/hid_bravura_monitor-1498e300-1482-11eb-bb7b-bb041e8cf289.json +++ /dev/null 
@@ -1,29 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Database: Stored Procedure Runtime Statistics", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":5,\"direction\":\"desc\"}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Function\",\"field\":\"hid_bravura_monitor.perf.function\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":1000},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Average (ms)\",\"field\":\"hid_bravura_monitor.perf.duration\"},\"schema\":\"metric\",\"type\":\"avg\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Min (ms)\",\"field\":\"hid_bravura_monitor.perf.duration\"},\"schema\":\"metric\",\"type\":\"min\"},{\"enabled\":true,\"id\":\"5\",\"params\":{\"customLabel\":\"Max (ms)\",\"field\":\"hid_bravura_monitor.perf.duration\"},\"schema\":\"metric\",\"type\":\"max\"},{\"enabled\":true,\"id\":\"6\",\"params\":{\"customLabel\":\"Total (ms)\",\"field\":\"hid_bravura_monitor.perf.duration\"},\"schema\":\"metric\",\"type\":\"sum\"}],\"params\":{\"perPage\":10,\"percentageCol\":\"\",\"row\":true,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Database: Stored Procedure Runtime Statistics\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-1498e300-1482-11eb-bb7b-bb041e8cf289", - "migrationVersion": { - "visualization": "7.14.0" - }, - "namespaces": [ - "default" - 
], - "references": [ - { - "id": "hid_bravura_monitor-83eacd90-1473-11eb-bb7b-bb041e8cf289", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/hid_bravura_monitor/1.2.3/kibana/visualization/hid_bravura_monitor-1a2adb70-2f44-11eb-b6a1-bdb7d768b585.json b/packages/hid_bravura_monitor/1.2.3/kibana/visualization/hid_bravura_monitor-1a2adb70-2f44-11eb-b6a1-bdb7d768b585.json deleted file mode 100755 index 6a73900e1d..0000000000 --- a/packages/hid_bravura_monitor/1.2.3/kibana/visualization/hid_bravura_monitor-1a2adb70-2f44-11eb-b6a1-bdb7d768b585.json +++ /dev/null 
@@ -1,29 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Plugin: Performance", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Average (ms)\",\"field\":\"hid_bravura_monitor.perf.duration\"},\"schema\":\"metric\",\"type\":\"avg\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Minimum (ms)\",\"field\":\"hid_bravura_monitor.perf.duration\"},\"schema\":\"metric\",\"type\":\"min\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Maximum (ms)\",\"field\":\"hid_bravura_monitor.perf.duration\"},\"schema\":\"metric\",\"type\":\"max\"},{\"enabled\":true,\"id\":\"5\",\"params\":{\"customLabel\":\"Total (ms)\",\"field\":\"hid_bravura_monitor.perf.duration\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"6\",\"params\":{\"customLabel\":\"Plugin\",\"field\":\"log.logger\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10000},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Plugin: Performance\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-1a2adb70-2f44-11eb-b6a1-bdb7d768b585", - "migrationVersion": { - "visualization": "7.14.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": 
"hid_bravura_monitor-39072a50-2f42-11eb-b6a1-bdb7d768b585", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/hid_bravura_monitor/1.2.3/kibana/visualization/hid_bravura_monitor-1b439670-25d8-11eb-abcf-effcd51852fa.json b/packages/hid_bravura_monitor/1.2.3/kibana/visualization/hid_bravura_monitor-1b439670-25d8-11eb-abcf-effcd51852fa.json deleted file mode 100755 index e32c74fc4f..0000000000 --- a/packages/hid_bravura_monitor/1.2.3/kibana/visualization/hid_bravura_monitor-1b439670-25d8-11eb-abcf-effcd51852fa.json +++ /dev/null 
@@ -1,28 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Dataset: Log Type Counts", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Log Type\",\"field\":\"hid_bravura_monitor.perf.kind\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":1000},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Dataset: Log Type Counts\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-1b439670-25d8-11eb-abcf-effcd51852fa", - "migrationVersion": { - "visualization": "7.14.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/hid_bravura_monitor/1.2.3/kibana/visualization/hid_bravura_monitor-1ddd3300-1a25-11eb-abcf-effcd51852fa.json b/packages/hid_bravura_monitor/1.2.3/kibana/visualization/hid_bravura_monitor-1ddd3300-1a25-11eb-abcf-effcd51852fa.json deleted file mode 100755 index fbf41a8bc4..0000000000 --- a/packages/hid_bravura_monitor/1.2.3/kibana/visualization/hid_bravura_monitor-1ddd3300-1a25-11eb-abcf-effcd51852fa.json +++ /dev/null 
@@ -1,33 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"hid_bravura_monitor.perf.kind\",\"negate\":false,\"params\":{\"query\":\"PerfConnector\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"hid_bravura_monitor.perf.kind\":\"PerfConnector\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Connector: Return Code", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Result\",\"field\":\"hid_bravura_monitor.perf.result\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10000},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Connector: Return Code\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-1ddd3300-1a25-11eb-abcf-effcd51852fa", - "migrationVersion": { - "visualization": "7.14.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/hid_bravura_monitor/1.2.3/kibana/visualization/hid_bravura_monitor-20a85000-1a1c-11eb-abcf-effcd51852fa.json b/packages/hid_bravura_monitor/1.2.3/kibana/visualization/hid_bravura_monitor-20a85000-1a1c-11eb-abcf-effcd51852fa.json deleted file mode 100755 index 6258eeea60..0000000000 --- a/packages/hid_bravura_monitor/1.2.3/kibana/visualization/hid_bravura_monitor-20a85000-1a1c-11eb-abcf-effcd51852fa.json +++ /dev/null @@ -1,29 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Users: Issues: Nodes", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Node\",\"field\":\"host.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":100},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Users: Issues: Nodes\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-20a85000-1a1c-11eb-abcf-effcd51852fa", - "migrationVersion": { - "visualization": "7.14.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "hid_bravura_monitor-9e4165d0-1a1a-11eb-abcf-effcd51852fa", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/hid_bravura_monitor/1.2.3/kibana/visualization/hid_bravura_monitor-211feda0-d37f-11eb-9e70-edcbba448215.json b/packages/hid_bravura_monitor/1.2.3/kibana/visualization/hid_bravura_monitor-211feda0-d37f-11eb-9e70-edcbba448215.json deleted file mode 100755 index 8aa0d744cc..0000000000 --- a/packages/hid_bravura_monitor/1.2.3/kibana/visualization/hid_bravura_monitor-211feda0-d37f-11eb-9e70-edcbba448215.json +++ /dev/null 
@@ -1,34 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":{\"query\":\"1\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"event.code\":\"1\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "User Login Failures", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"scaleMetricValues\":false,\"timeRange\":{\"from\":\"now-1y\",\"to\":\"now\"},\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"isVislibVis\":true,\"labels\":{\"show\":false},\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"mode\":\"stacked\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":
100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"User Login Failures\",\"type\":\"histogram\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-211feda0-d37f-11eb-9e70-edcbba448215", - "migrationVersion": { - "visualization": "7.14.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "hid_bravura_monitor-089d63f0-d37c-11eb-9e70-edcbba448215", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/hid_bravura_monitor/1.2.3/kibana/visualization/hid_bravura_monitor-23133620-238b-11eb-abcf-effcd51852fa.json b/packages/hid_bravura_monitor/1.2.3/kibana/visualization/hid_bravura_monitor-23133620-238b-11eb-abcf-effcd51852fa.json deleted file mode 100755 index b90f37bce3..0000000000 --- a/packages/hid_bravura_monitor/1.2.3/kibana/visualization/hid_bravura_monitor-23133620-238b-11eb-abcf-effcd51852fa.json +++ /dev/null 
@@ -1,29 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Problem Provider Distribution", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"scaleMetricValues\":false,\"timeRange\":{\"from\":\"now-15m\",\"to\":\"now\"},\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"winlog.channel\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":100},\"schema\":\"group\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"field\":\"winlog.provider_name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":1000},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"isVislibVis\":true,\"labels\":{\"show\":false},\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"mode\":\"stacked\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis
\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"Problem Provider Distribution\",\"type\":\"histogram\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-23133620-238b-11eb-abcf-effcd51852fa", - "migrationVersion": { - "visualization": "7.14.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "hid_bravura_monitor-1616ab00-22c8-11eb-abcf-effcd51852fa", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/hid_bravura_monitor/1.2.3/kibana/visualization/hid_bravura_monitor-24823410-1464-11eb-bb7b-bb041e8cf289.json b/packages/hid_bravura_monitor/1.2.3/kibana/visualization/hid_bravura_monitor-24823410-1464-11eb-bb7b-bb041e8cf289.json deleted file mode 100755 index 3d69b5f3dd..0000000000 --- a/packages/hid_bravura_monitor/1.2.3/kibana/visualization/hid_bravura_monitor-24823410-1464-11eb-bb7b-bb041e8cf289.json +++ /dev/null 
@@ -1,29 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "IDM Suite: Log issues histogram", - "uiStateJSON": "{\"vis\":{\"colors\":{\"Error\":\"#BF1B00\",\"Warning\":\"#E5AC0E\"}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"scaleMetricValues\":false,\"timeRange\":{\"from\":\"now-1y\",\"to\":\"now\"},\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"log.level\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":1000},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"isVislibVis\":true,\"labels\":{\"show\":false},\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"radiusRatio\":0,\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"mode\":\"stacked\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"l
abels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"IDM Suite: Log issues histogram\",\"type\":\"histogram\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-24823410-1464-11eb-bb7b-bb041e8cf289", - "migrationVersion": { - "visualization": "7.14.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "hid_bravura_monitor-2ec4a850-1463-11eb-bb7b-bb041e8cf289", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/hid_bravura_monitor/1.2.3/kibana/visualization/hid_bravura_monitor-2722d7e0-d388-11eb-9e70-edcbba448215.json b/packages/hid_bravura_monitor/1.2.3/kibana/visualization/hid_bravura_monitor-2722d7e0-d388-11eb-9e70-edcbba448215.json deleted file mode 100755 index b6c265aa5d..0000000000 --- a/packages/hid_bravura_monitor/1.2.3/kibana/visualization/hid_bravura_monitor-2722d7e0-d388-11eb-9e70-edcbba448215.json +++ /dev/null 
@@ -1,34 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":{\"query\":\"8\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"event.code\":\"8\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Replication Database Transaction Failures", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"scaleMetricValues\":false,\"timeRange\":{\"from\":\"now-1y\",\"to\":\"now\"},\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"isVislibVis\":true,\"labels\":{\"show\":false},\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"mode\":\"stacked\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"sho
w\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"Replication Database Transaction Failures\",\"type\":\"histogram\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-2722d7e0-d388-11eb-9e70-edcbba448215", - "migrationVersion": { - "visualization": "7.14.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "hid_bravura_monitor-089d63f0-d37c-11eb-9e70-edcbba448215", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/hid_bravura_monitor/1.2.3/kibana/visualization/hid_bravura_monitor-2a088ae0-243d-11eb-abcf-effcd51852fa.json b/packages/hid_bravura_monitor/1.2.3/kibana/visualization/hid_bravura_monitor-2a088ae0-243d-11eb-abcf-effcd51852fa.json deleted file mode 100755 index 18ab353128..0000000000 --- a/packages/hid_bravura_monitor/1.2.3/kibana/visualization/hid_bravura_monitor-2a088ae0-243d-11eb-abcf-effcd51852fa.json +++ /dev/null 
@@ -1,29 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Login Attempts", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"scaleMetricValues\":false,\"timeRange\":{\"from\":\"now-90d\",\"to\":\"now\"},\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"event.outcome\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"isVislibVis\":true,\"labels\":{\"show\":false},\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"mode\":\"stacked\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"posi
tion\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"Login Attempts\",\"type\":\"histogram\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-2a088ae0-243d-11eb-abcf-effcd51852fa", - "migrationVersion": { - "visualization": "7.14.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "hid_bravura_monitor-1a724dd0-2395-11eb-abcf-effcd51852fa", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/hid_bravura_monitor/1.2.3/kibana/visualization/hid_bravura_monitor-2ffbfc20-d83d-11eb-9e70-edcbba448215.json b/packages/hid_bravura_monitor/1.2.3/kibana/visualization/hid_bravura_monitor-2ffbfc20-d83d-11eb-9e70-edcbba448215.json deleted file mode 100755 index 178c39c293..0000000000 --- a/packages/hid_bravura_monitor/1.2.3/kibana/visualization/hid_bravura_monitor-2ffbfc20-d83d-11eb-9e70-edcbba448215.json +++ /dev/null 
@@ -1,34 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":[\"32\",\"33\"],\"type\":\"phrases\",\"value\":\"32, 33\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.code\":\"32\"}},{\"match_phrase\":{\"event.code\":\"33\"}}]}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Top 10 Unlocked Profiles", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Profile\",\"field\":\"winlog.event_data.Profile\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"Top 10 Unlocked Profiles\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-2ffbfc20-d83d-11eb-9e70-edcbba448215", - "migrationVersion": { - "visualization": "7.14.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "hid_bravura_monitor-dca8bb20-d397-11eb-9e70-edcbba448215", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/hid_bravura_monitor/1.2.3/kibana/visualization/hid_bravura_monitor-33258a00-d398-11eb-9e70-edcbba448215.json b/packages/hid_bravura_monitor/1.2.3/kibana/visualization/hid_bravura_monitor-33258a00-d398-11eb-9e70-edcbba448215.json deleted file mode 100755 index 1477920457..0000000000 --- a/packages/hid_bravura_monitor/1.2.3/kibana/visualization/hid_bravura_monitor-33258a00-d398-11eb-9e70-edcbba448215.json +++ /dev/null 
@@ -1,29 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Administrative Summary", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"scaleMetricValues\":false,\"timeRange\":{\"from\":\"now-1y\",\"to\":\"now\"},\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Event\",\"field\":\"event.code\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":100},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"isVislibVis\":true,\"labels\":{\"show\":false},\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"mode\":\"stacked\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100
},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"Administrative Summary\",\"type\":\"histogram\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-33258a00-d398-11eb-9e70-edcbba448215", - "migrationVersion": { - "visualization": "7.14.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "hid_bravura_monitor-dca8bb20-d397-11eb-9e70-edcbba448215", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/hid_bravura_monitor/1.2.3/kibana/visualization/hid_bravura_monitor-341531e0-25d8-11eb-abcf-effcd51852fa.json b/packages/hid_bravura_monitor/1.2.3/kibana/visualization/hid_bravura_monitor-341531e0-25d8-11eb-abcf-effcd51852fa.json deleted file mode 100755 index 99eccfe59c..0000000000 --- a/packages/hid_bravura_monitor/1.2.3/kibana/visualization/hid_bravura_monitor-341531e0-25d8-11eb-abcf-effcd51852fa.json +++ /dev/null 
@@ -1,29 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Database: Replication: Load by queue", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Total (ms)\",\"field\":\"hid_bravura_monitor.perf.duration\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Node\",\"field\":\"host.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10000},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Queue\",\"field\":\"hid_bravura_monitor.perf.receivequeue\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10000},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Database: Replication: Load by queue\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-341531e0-25d8-11eb-abcf-effcd51852fa", - "migrationVersion": { - "visualization": "7.14.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "hid_bravura_monitor-2e254220-df55-11eb-9b6e-d57491399e2a", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/hid_bravura_monitor/1.2.3/kibana/visualization/hid_bravura_monitor-37fb60d0-1481-11eb-bb7b-bb041e8cf289.json b/packages/hid_bravura_monitor/1.2.3/kibana/visualization/hid_bravura_monitor-37fb60d0-1481-11eb-bb7b-bb041e8cf289.json deleted file mode 100755 index da63f8966b..0000000000 --- a/packages/hid_bravura_monitor/1.2.3/kibana/visualization/hid_bravura_monitor-37fb60d0-1481-11eb-bb7b-bb041e8cf289.json +++ /dev/null @@ -1,29 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Database: Host Usage", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Node\",\"field\":\"host.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10000},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Database: Host Usage\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-37fb60d0-1481-11eb-bb7b-bb041e8cf289", - "migrationVersion": { - "visualization": "7.14.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "hid_bravura_monitor-83eacd90-1473-11eb-bb7b-bb041e8cf289", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/hid_bravura_monitor/1.2.3/kibana/visualization/hid_bravura_monitor-3bd92210-1a25-11eb-abcf-effcd51852fa.json b/packages/hid_bravura_monitor/1.2.3/kibana/visualization/hid_bravura_monitor-3bd92210-1a25-11eb-abcf-effcd51852fa.json deleted file mode 100755 index a078bbc6f6..0000000000 --- a/packages/hid_bravura_monitor/1.2.3/kibana/visualization/hid_bravura_monitor-3bd92210-1a25-11eb-abcf-effcd51852fa.json +++ /dev/null @@ -1,29 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Users: API: Calls per Node", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Node\",\"field\":\"host.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10000},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Users: API: Calls per Node\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-3bd92210-1a25-11eb-abcf-effcd51852fa", - "migrationVersion": { - "visualization": "7.14.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "hid_bravura_monitor-ad5f7180-1473-11eb-bb7b-bb041e8cf289", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/hid_bravura_monitor/1.2.3/kibana/visualization/hid_bravura_monitor-3ec54c70-d90a-11eb-9e70-edcbba448215.json b/packages/hid_bravura_monitor/1.2.3/kibana/visualization/hid_bravura_monitor-3ec54c70-d90a-11eb-9e70-edcbba448215.json deleted file mode 100755 index 50921b0ee7..0000000000 --- a/packages/hid_bravura_monitor/1.2.3/kibana/visualization/hid_bravura_monitor-3ec54c70-d90a-11eb-9e70-edcbba448215.json +++ /dev/null 
@@ -1,34 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":true,\"params\":{\"query\":\"85\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"event.code\":\"85\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Top 10 Recipients", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Recipient\",\"field\":\"winlog.event_data.Recipient\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"Top 10 Recipients\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-3ec54c70-d90a-11eb-9e70-edcbba448215", - "migrationVersion": { - "visualization": "7.14.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "hid_bravura_monitor-53be5e10-d909-11eb-9e70-edcbba448215", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/hid_bravura_monitor/1.2.3/kibana/visualization/hid_bravura_monitor-42dc53c0-243e-11eb-abcf-effcd51852fa.json b/packages/hid_bravura_monitor/1.2.3/kibana/visualization/hid_bravura_monitor-42dc53c0-243e-11eb-abcf-effcd51852fa.json deleted file mode 100755 index d1c2372322..0000000000 --- a/packages/hid_bravura_monitor/1.2.3/kibana/visualization/hid_bravura_monitor-42dc53c0-243e-11eb-abcf-effcd51852fa.json +++ /dev/null @@ -1,29 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "User Logins", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"User\",\"field\":\"user.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10000},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"User Logins\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-42dc53c0-243e-11eb-abcf-effcd51852fa", - "migrationVersion": { - "visualization": "7.14.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "hid_bravura_monitor-1a724dd0-2395-11eb-abcf-effcd51852fa", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/hid_bravura_monitor/1.2.3/kibana/visualization/hid_bravura_monitor-489a4f50-2453-11eb-abcf-effcd51852fa.json b/packages/hid_bravura_monitor/1.2.3/kibana/visualization/hid_bravura_monitor-489a4f50-2453-11eb-abcf-effcd51852fa.json deleted file mode 100755 index 4bb8713e15..0000000000 --- a/packages/hid_bravura_monitor/1.2.3/kibana/visualization/hid_bravura_monitor-489a4f50-2453-11eb-abcf-effcd51852fa.json +++ /dev/null 
@@ -1,29 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Problem Events", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":3,\"direction\":\"desc\"}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Event ID\",\"field\":\"winlog.event_id\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10000},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Event Source\",\"field\":\"winlog.provider_name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":1000},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Event Log\",\"field\":\"winlog.channel\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":1000},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":20,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Problem Events\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-489a4f50-2453-11eb-abcf-effcd51852fa", - "migrationVersion": { - "visualization": "7.14.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "hid_bravura_monitor-1616ab00-22c8-11eb-abcf-effcd51852fa", - "name": "search_0", - 
"type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/hid_bravura_monitor/1.2.3/kibana/visualization/hid_bravura_monitor-4b0765d0-1ade-11eb-abcf-effcd51852fa.json b/packages/hid_bravura_monitor/1.2.3/kibana/visualization/hid_bravura_monitor-4b0765d0-1ade-11eb-abcf-effcd51852fa.json deleted file mode 100755 index bab3fb6adb..0000000000 --- a/packages/hid_bravura_monitor/1.2.3/kibana/visualization/hid_bravura_monitor-4b0765d0-1ade-11eb-abcf-effcd51852fa.json +++ /dev/null 
@@ -1,29 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Connector Return Code: Operation count", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Operation\",\"field\":\"hid_bravura_monitor.perf.operation\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":1000},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Connector Return Code: Operation count\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-4b0765d0-1ade-11eb-abcf-effcd51852fa", - "migrationVersion": { - "visualization": "7.14.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "hid_bravura_monitor-55100560-1add-11eb-abcf-effcd51852fa", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/hid_bravura_monitor/1.2.3/kibana/visualization/hid_bravura_monitor-4bfcdae0-2dcd-11eb-b6a1-bdb7d768b585.json b/packages/hid_bravura_monitor/1.2.3/kibana/visualization/hid_bravura_monitor-4bfcdae0-2dcd-11eb-b6a1-bdb7d768b585.json deleted file mode 100755 index cdcd472e01..0000000000 --- a/packages/hid_bravura_monitor/1.2.3/kibana/visualization/hid_bravura_monitor-4bfcdae0-2dcd-11eb-b6a1-bdb7d768b585.json +++ /dev/null 
@@ -1,33 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"hid_bravura_monitor.perf.kind\",\"negate\":false,\"params\":{\"query\":\"PerfConnector\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"hid_bravura_monitor.perf.kind\":\"PerfConnector\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Bravura: Selector: Return Code", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"controls\":[{\"fieldName\":\"hid_bravura_monitor.perf.result\",\"id\":\"1606164462534\",\"indexPatternRefName\":\"control_0_index_pattern\",\"label\":\"Return Code\",\"options\":{\"dynamicOptions\":true,\"multiselect\":false,\"order\":\"desc\",\"size\":10,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"}],\"pinFilters\":false,\"updateFiltersOnChange\":false,\"useTimeFilter\":false},\"title\":\"Bravura: Selector: Return Code\",\"type\":\"input_control_vis\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-4bfcdae0-2dcd-11eb-b6a1-bdb7d768b585", - "migrationVersion": { - "visualization": "7.14.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "control_0_index_pattern", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/hid_bravura_monitor/1.2.3/kibana/visualization/hid_bravura_monitor-552d3e80-1a26-11eb-abcf-effcd51852fa.json b/packages/hid_bravura_monitor/1.2.3/kibana/visualization/hid_bravura_monitor-552d3e80-1a26-11eb-abcf-effcd51852fa.json deleted file mode 100755 index 82bba8ecdd..0000000000 
--- a/packages/hid_bravura_monitor/1.2.3/kibana/visualization/hid_bravura_monitor-552d3e80-1a26-11eb-abcf-effcd51852fa.json +++ /dev/null @@ -1,22 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Users: Pages: Help", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"fontSize\":12,\"markdown\":\"Transactions represent a UI page the user sees.\\n\\nWhat pages are people calling and what performance are they experiencing?\",\"openLinksInNewTab\":false},\"title\":\"Users: Pages: Help\",\"type\":\"markdown\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-552d3e80-1a26-11eb-abcf-effcd51852fa", - "migrationVersion": { - "visualization": "7.14.0" - }, - "namespaces": [ - "default" - ], - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/hid_bravura_monitor/1.2.3/kibana/visualization/hid_bravura_monitor-59482290-25da-11eb-abcf-effcd51852fa.json b/packages/hid_bravura_monitor/1.2.3/kibana/visualization/hid_bravura_monitor-59482290-25da-11eb-abcf-effcd51852fa.json deleted file mode 100755 index 87ec7841f2..0000000000 --- a/packages/hid_bravura_monitor/1.2.3/kibana/visualization/hid_bravura_monitor-59482290-25da-11eb-abcf-effcd51852fa.json +++ /dev/null 
@@ -1,22 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Database: Search: Help", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"fontSize\":12,\"markdown\":\"Search engines need to return quickly since users are waiting on their results. There is a direct correlation between search time and user experience.\\n\\nAs a general rule, Search stored procedures should take less than a second to run on average. \\n\\nSearch stored procedure performance is impacted by elements such as:\\n\\n* Data size. Larger data consumes more CPU, Ram, Disk I/O on the database server. \\n* Policies such as acls, filtering, etc. \\n* Indexes. Sometimes they fragment degrading overall performance. \\n* Table/Index Locking with other database actions.\\n\\nStrategies for improving database search performance include:\\n\\n* Rebuild fragmented database indexes.\\n* Evaluate if more RAM/CPU\\n\\nWhen these don't work, Developers will need database execution plans to review options.\",\"openLinksInNewTab\":false},\"title\":\"Database: Search: Help\",\"type\":\"markdown\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-59482290-25da-11eb-abcf-effcd51852fa", - "migrationVersion": { - "visualization": "7.14.0" - }, - "namespaces": [ - "default" - ], - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/hid_bravura_monitor/1.2.3/kibana/visualization/hid_bravura_monitor-5b5237e0-d388-11eb-9e70-edcbba448215.json b/packages/hid_bravura_monitor/1.2.3/kibana/visualization/hid_bravura_monitor-5b5237e0-d388-11eb-9e70-edcbba448215.json deleted file mode 100755 index 7ead2be0b3..0000000000 --- a/packages/hid_bravura_monitor/1.2.3/kibana/visualization/hid_bravura_monitor-5b5237e0-d388-11eb-9e70-edcbba448215.json +++ /dev/null 
@@ -1,34 +0,0 @@ -{ - "attributes": { - "description": "Failed to insert data into database replication queue", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":{\"query\":\"9\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"event.code\":\"9\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Replication Queue Insert Failures", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"scaleMetricValues\":false,\"timeRange\":{\"from\":\"now-1y\",\"to\":\"now\"},\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"isVislibVis\":true,\"labels\":{\"show\":false},\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"mode\":\"stacked\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"
labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"Replication Queue Insert Failures\",\"type\":\"histogram\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-5b5237e0-d388-11eb-9e70-edcbba448215", - "migrationVersion": { - "visualization": "7.14.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "hid_bravura_monitor-089d63f0-d37c-11eb-9e70-edcbba448215", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/hid_bravura_monitor/1.2.3/kibana/visualization/hid_bravura_monitor-64035e60-25db-11eb-abcf-effcd51852fa.json b/packages/hid_bravura_monitor/1.2.3/kibana/visualization/hid_bravura_monitor-64035e60-25db-11eb-abcf-effcd51852fa.json deleted file mode 100755 index 8ddd8dffec..0000000000 --- a/packages/hid_bravura_monitor/1.2.3/kibana/visualization/hid_bravura_monitor-64035e60-25db-11eb-abcf-effcd51852fa.json +++ /dev/null 
@@ -1,22 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Database: Discovery: Help", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"fontSize\":12,\"markdown\":\"Discovery stored procedures are involved with loading data from integrations ( Connectors and LWS ) into the product database to learn about changes in the environment we are managing Identities and Access in. \\n\\nSome general rules of thumbs:\\n\\n* LWS stored procdures need to be quick. None should take a second.\\n* Iddiscover.exe stored procedures can run for much longer. Minutes to hours in large environments to process large changes in bulk. \\n\\nStrategies for improving the performance of these stored procedures include:\\n\\n* Rebuild fragmented database indexes\\n* Review if database is low on RAM, CPU, or I/O bandwidth.\\n\\nIf you continue to encounter problems developers will require database execution plans to review the operation of these procedures. \",\"openLinksInNewTab\":false},\"title\":\"Database: Discovery: Help\",\"type\":\"markdown\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-64035e60-25db-11eb-abcf-effcd51852fa", - "migrationVersion": { - "visualization": "7.14.0" - }, - "namespaces": [ - "default" - ], - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/hid_bravura_monitor/1.2.3/kibana/visualization/hid_bravura_monitor-64514c50-1a1f-11eb-abcf-effcd51852fa.json b/packages/hid_bravura_monitor/1.2.3/kibana/visualization/hid_bravura_monitor-64514c50-1a1f-11eb-abcf-effcd51852fa.json deleted file mode 100755 index 7db6a1b1ac..0000000000 --- a/packages/hid_bravura_monitor/1.2.3/kibana/visualization/hid_bravura_monitor-64514c50-1a1f-11eb-abcf-effcd51852fa.json +++ /dev/null 
@@ -1,33 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"hid_bravura_monitor.perf.kind\",\"negate\":false,\"params\":{\"query\":\"PerfConnector\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"hid_bravura_monitor.perf.kind\":\"PerfConnector\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Connector: Operation Histogram", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"scaleMetricValues\":false,\"timeRange\":{\"from\":\"now-90d\",\"to\":\"now\"},\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"hid_bravura_monitor.perf.operation\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10000},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"isVislibVis\":true,\"labels\":{\"show\":false},\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"
drawLinesBetweenPoints\":true,\"lineWidth\":2,\"mode\":\"stacked\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"Connector: Operation Histogram\",\"type\":\"histogram\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-64514c50-1a1f-11eb-abcf-effcd51852fa", - "migrationVersion": { - "visualization": "7.14.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/hid_bravura_monitor/1.2.3/kibana/visualization/hid_bravura_monitor-659dad40-25b6-11eb-abcf-effcd51852fa.json b/packages/hid_bravura_monitor/1.2.3/kibana/visualization/hid_bravura_monitor-659dad40-25b6-11eb-abcf-effcd51852fa.json deleted file mode 100755 index ecd3fe7dfe..0000000000 --- a/packages/hid_bravura_monitor/1.2.3/kibana/visualization/hid_bravura_monitor-659dad40-25b6-11eb-abcf-effcd51852fa.json +++ /dev/null 
@@ -1,29 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "API: Calls per node historgram", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"scaleMetricValues\":false,\"timeRange\":{\"from\":\"now-90d\",\"to\":\"now\"},\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"host.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"isVislibVis\":true,\"labels\":{\"show\":false},\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"mode\":\"stacked\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxi
s-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"API: Calls per node historgram\",\"type\":\"histogram\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-659dad40-25b6-11eb-abcf-effcd51852fa", - "migrationVersion": { - "visualization": "7.14.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "hid_bravura_monitor-991d9760-1473-11eb-bb7b-bb041e8cf289", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/hid_bravura_monitor/1.2.3/kibana/visualization/hid_bravura_monitor-66c884f0-2382-11eb-abcf-effcd51852fa.json b/packages/hid_bravura_monitor/1.2.3/kibana/visualization/hid_bravura_monitor-66c884f0-2382-11eb-abcf-effcd51852fa.json deleted file mode 100755 index 858cd4ce71..0000000000 --- a/packages/hid_bravura_monitor/1.2.3/kibana/visualization/hid_bravura_monitor-66c884f0-2382-11eb-abcf-effcd51852fa.json +++ /dev/null 
@@ -1,29 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Problem Count", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"log.level\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"asc\",\"orderBy\":\"_key\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"metric\":{\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"None\",\"percentageMode\":false,\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":59,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"Problem Count\",\"type\":\"metric\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-66c884f0-2382-11eb-abcf-effcd51852fa", - "migrationVersion": { - "visualization": "7.14.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "hid_bravura_monitor-1616ab00-22c8-11eb-abcf-effcd51852fa", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/hid_bravura_monitor/1.2.3/kibana/visualization/hid_bravura_monitor-670cf140-1a1c-11eb-abcf-effcd51852fa.json b/packages/hid_bravura_monitor/1.2.3/kibana/visualization/hid_bravura_monitor-670cf140-1a1c-11eb-abcf-effcd51852fa.json deleted file mode 100755 index e39391cfb7..0000000000 --- a/packages/hid_bravura_monitor/1.2.3/kibana/visualization/hid_bravura_monitor-670cf140-1a1c-11eb-abcf-effcd51852fa.json +++ /dev/null 
@@ -1,29 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Users: Issues: Affected users", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Users\",\"field\":\"user.id\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10000},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Users: Issues: Affected users\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-670cf140-1a1c-11eb-abcf-effcd51852fa", - "migrationVersion": { - "visualization": "7.14.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "hid_bravura_monitor-9e4165d0-1a1a-11eb-abcf-effcd51852fa", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/hid_bravura_monitor/1.2.3/kibana/visualization/hid_bravura_monitor-6ac75200-d90a-11eb-9e70-edcbba448215.json b/packages/hid_bravura_monitor/1.2.3/kibana/visualization/hid_bravura_monitor-6ac75200-d90a-11eb-9e70-edcbba448215.json deleted file mode 100755 index b7bfd7f4a3..0000000000 --- a/packages/hid_bravura_monitor/1.2.3/kibana/visualization/hid_bravura_monitor-6ac75200-d90a-11eb-9e70-edcbba448215.json +++ /dev/null 
@@ -1,29 +0,0 @@ -{ - "attributes": { - "description": "81 - Approved\n82 - Denied\n83 - Cancelled\n84 - Revoked\n85 - Processed", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Workflow Request Trend", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"scaleMetricValues\":false,\"timeRange\":{\"from\":\"now-1y\",\"to\":\"now\"},\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Event Code\",\"field\":\"event.code\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false},\"isVislibVis\":true,\"labels\":{},\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"radiusRatio\":9,\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"normal\",\"show\":true,\"showCircles\":true,\"type\":\"line\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"typ
e\":\"line\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"Workflow Request Trend\",\"type\":\"line\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-6ac75200-d90a-11eb-9e70-edcbba448215", - "migrationVersion": { - "visualization": "7.14.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "hid_bravura_monitor-53be5e10-d909-11eb-9e70-edcbba448215", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/hid_bravura_monitor/1.2.3/kibana/visualization/hid_bravura_monitor-6ad826b0-d37f-11eb-9e70-edcbba448215.json b/packages/hid_bravura_monitor/1.2.3/kibana/visualization/hid_bravura_monitor-6ad826b0-d37f-11eb-9e70-edcbba448215.json deleted file mode 100755 index 4925675408..0000000000 --- a/packages/hid_bravura_monitor/1.2.3/kibana/visualization/hid_bravura_monitor-6ad826b0-d37f-11eb-9e70-edcbba448215.json +++ /dev/null 
@@ -1,34 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":{\"query\":\"2\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"event.code\":\"2\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "User Login Success", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"scaleMetricValues\":false,\"timeRange\":{\"from\":\"now-1y\",\"to\":\"now\"},\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"isVislibVis\":true,\"labels\":{\"show\":false},\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"mode\":\"stacked\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":1
00},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"User Login Success\",\"type\":\"histogram\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-6ad826b0-d37f-11eb-9e70-edcbba448215", - "migrationVersion": { - "visualization": "7.14.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "hid_bravura_monitor-089d63f0-d37c-11eb-9e70-edcbba448215", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/hid_bravura_monitor/1.2.3/kibana/visualization/hid_bravura_monitor-70a8f8e0-d392-11eb-9e70-edcbba448215.json b/packages/hid_bravura_monitor/1.2.3/kibana/visualization/hid_bravura_monitor-70a8f8e0-d392-11eb-9e70-edcbba448215.json deleted file mode 100755 index f9952b85fb..0000000000 --- a/packages/hid_bravura_monitor/1.2.3/kibana/visualization/hid_bravura_monitor-70a8f8e0-d392-11eb-9e70-edcbba448215.json +++ /dev/null 
@@ -1,34 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":[\"39\",\"40\"],\"type\":\"phrases\",\"value\":\"39, 40\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.code\":\"39\"}},{\"match_phrase\":{\"event.code\":\"40\"}}]}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "IDAPI Login Attempts", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"scaleMetricValues\":false,\"timeRange\":{\"from\":\"now-1y\",\"to\":\"now\"},\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Event\",\"field\":\"event.code\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"isVislibVis\":true,\"labels\":{\"show\":false},\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\
"Count\"},\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"mode\":\"stacked\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"IDAPI Login Attempts\",\"type\":\"histogram\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-70a8f8e0-d392-11eb-9e70-edcbba448215", - "migrationVersion": { - "visualization": "7.14.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "hid_bravura_monitor-089d63f0-d37c-11eb-9e70-edcbba448215", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/hid_bravura_monitor/1.2.3/kibana/visualization/hid_bravura_monitor-76cb60d0-1463-11eb-bb7b-bb041e8cf289.json b/packages/hid_bravura_monitor/1.2.3/kibana/visualization/hid_bravura_monitor-76cb60d0-1463-11eb-bb7b-bb041e8cf289.json deleted file mode 100755 index 0326ec1e77..0000000000 --- a/packages/hid_bravura_monitor/1.2.3/kibana/visualization/hid_bravura_monitor-76cb60d0-1463-11eb-bb7b-bb041e8cf289.json +++ /dev/null 
@@ -1,29 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "IDM Suite: Errors/Warnings by node", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Instance\",\"field\":\"agent.hostname\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":1000},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"IDM Suite: Errors/Warnings by node\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-76cb60d0-1463-11eb-bb7b-bb041e8cf289", - "migrationVersion": { - "visualization": "7.14.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "hid_bravura_monitor-2ec4a850-1463-11eb-bb7b-bb041e8cf289", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/hid_bravura_monitor/1.2.3/kibana/visualization/hid_bravura_monitor-77701bc0-25bb-11eb-abcf-effcd51852fa.json b/packages/hid_bravura_monitor/1.2.3/kibana/visualization/hid_bravura_monitor-77701bc0-25bb-11eb-abcf-effcd51852fa.json deleted file mode 100755 index 6edd1a8f96..0000000000 --- a/packages/hid_bravura_monitor/1.2.3/kibana/visualization/hid_bravura_monitor-77701bc0-25bb-11eb-abcf-effcd51852fa.json +++ /dev/null 
@@ -1,38 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"log.logger\",\"negate\":false,\"params\":{\"query\":\"psupdate.exe\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"log.logger\":\"psupdate.exe\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"hid_bravura_monitor.perf.kind\",\"negate\":false,\"params\":{\"query\":\"PerfExe\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"hid_bravura_monitor.perf.kind\":\"PerfExe\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Discovery Runtimes", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Sum of Duration 
(ms)\",\"field\":\"hid_bravura_monitor.perf.duration\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"scaleMetricValues\":false,\"timeRange\":{\"from\":\"2021-01-11T07:00:00.000Z\",\"to\":\"2021-01-18T07:00:00.000Z\"},\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false},\"isVislibVis\":true,\"labels\":{},\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"radiusRatio\":9,\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Sum of Duration (ms)\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"normal\",\"show\":true,\"showCircles\":true,\"type\":\"line\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"type\":\"line\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Sum of Duration (ms)\"},\"type\":\"value\"}]},\"title\":\"Discovery Runtimes\",\"type\":\"line\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-77701bc0-25bb-11eb-abcf-effcd51852fa", - "migrationVersion": { - "visualization": "7.14.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": 
"kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/hid_bravura_monitor/1.2.3/kibana/visualization/hid_bravura_monitor-77f6f520-1add-11eb-abcf-effcd51852fa.json b/packages/hid_bravura_monitor/1.2.3/kibana/visualization/hid_bravura_monitor-77f6f520-1add-11eb-abcf-effcd51852fa.json deleted file mode 100755 index 0259683b0d..0000000000 --- a/packages/hid_bravura_monitor/1.2.3/kibana/visualization/hid_bravura_monitor-77f6f520-1add-11eb-abcf-effcd51852fa.json +++ /dev/null 
@@ -1,29 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Workflow: Operations per Node", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Node\",\"field\":\"host.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10000},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Workflow: Operations per Node\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-77f6f520-1add-11eb-abcf-effcd51852fa", - "migrationVersion": { - "visualization": "7.14.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "hid_bravura_monitor-d1f2d8c0-1473-11eb-bb7b-bb041e8cf289", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/hid_bravura_monitor/1.2.3/kibana/visualization/hid_bravura_monitor-80efbc20-d388-11eb-9e70-edcbba448215.json b/packages/hid_bravura_monitor/1.2.3/kibana/visualization/hid_bravura_monitor-80efbc20-d388-11eb-9e70-edcbba448215.json deleted file mode 100755 index a0e5fcd50a..0000000000 --- a/packages/hid_bravura_monitor/1.2.3/kibana/visualization/hid_bravura_monitor-80efbc20-d388-11eb-9e70-edcbba448215.json +++ /dev/null 
@@ -1,34 +0,0 @@ -{ - "attributes": { - "description": "Failed to run stored procedure on replication database.", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":{\"query\":\"10\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"event.code\":\"10\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Replication Database Stored Procedure Failures", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"scaleMetricValues\":false,\"timeRange\":{\"from\":\"now-1y\",\"to\":\"now\"},\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"isVislibVis\":true,\"labels\":{\"show\":false},\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"mode\":\"stacked\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"type\":\"histogram\",\"valueAxes\":[{\"id\":\
"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"Replication Database Stored Procedure Failures\",\"type\":\"histogram\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-80efbc20-d388-11eb-9e70-edcbba448215", - "migrationVersion": { - "visualization": "7.14.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "hid_bravura_monitor-089d63f0-d37c-11eb-9e70-edcbba448215", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/hid_bravura_monitor/1.2.3/kibana/visualization/hid_bravura_monitor-82277da0-25d5-11eb-abcf-effcd51852fa.json b/packages/hid_bravura_monitor/1.2.3/kibana/visualization/hid_bravura_monitor-82277da0-25d5-11eb-abcf-effcd51852fa.json deleted file mode 100755 index ed57c27d0a..0000000000 --- a/packages/hid_bravura_monitor/1.2.3/kibana/visualization/hid_bravura_monitor-82277da0-25d5-11eb-abcf-effcd51852fa.json +++ /dev/null 
@@ -1,29 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Discovery Events", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Event\",\"field\":\"hid_bravura_monitor.perf.event\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Average (ms)\",\"field\":\"hid_bravura_monitor.perf.duration\"},\"schema\":\"metric\",\"type\":\"avg\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Min (ms)\",\"field\":\"hid_bravura_monitor.perf.duration\"},\"schema\":\"metric\",\"type\":\"min\"},{\"enabled\":true,\"id\":\"5\",\"params\":{\"customLabel\":\"Max (ms)\",\"field\":\"hid_bravura_monitor.perf.duration\"},\"schema\":\"metric\",\"type\":\"max\"},{\"enabled\":true,\"id\":\"6\",\"params\":{\"customLabel\":\"Total (ms)\",\"field\":\"hid_bravura_monitor.perf.duration\"},\"schema\":\"metric\",\"type\":\"sum\"}],\"params\":{\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Discovery Events\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-82277da0-25d5-11eb-abcf-effcd51852fa", - "migrationVersion": { - "visualization": "7.14.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": 
"hid_bravura_monitor-dd637750-1473-11eb-bb7b-bb041e8cf289", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/hid_bravura_monitor/1.2.3/kibana/visualization/hid_bravura_monitor-82432550-25bc-11eb-abcf-effcd51852fa.json b/packages/hid_bravura_monitor/1.2.3/kibana/visualization/hid_bravura_monitor-82432550-25bc-11eb-abcf-effcd51852fa.json deleted file mode 100755 index 562b4d6f66..0000000000 --- a/packages/hid_bravura_monitor/1.2.3/kibana/visualization/hid_bravura_monitor-82432550-25bc-11eb-abcf-effcd51852fa.json +++ /dev/null 
@@ -1,38 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"hid_bravura_monitor.perf.kind\",\"negate\":false,\"params\":{\"query\":\"PerfExe\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"hid_bravura_monitor.perf.kind\":\"PerfExe\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"hid_bravura_monitor.perf.exe\",\"negate\":false,\"params\":{\"query\":\"psupdate.exe\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"hid_bravura_monitor.perf.exe\":\"psupdate.exe\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Discovery Runtime Table", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Runtime (ms)\",\"field\":\"hid_bravura_monitor.perf.duration\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Discovery 
ID\",\"field\":\"user.id\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":1000},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"field\":\"host.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":1000},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Discovery Runtime Table\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-82432550-25bc-11eb-abcf-effcd51852fa", - "migrationVersion": { - "visualization": "7.14.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/hid_bravura_monitor/1.2.3/kibana/visualization/hid_bravura_monitor-85943290-1a2b-11eb-abcf-effcd51852fa.json b/packages/hid_bravura_monitor/1.2.3/kibana/visualization/hid_bravura_monitor-85943290-1a2b-11eb-abcf-effcd51852fa.json deleted file mode 100755 index 567c658708..0000000000 --- a/packages/hid_bravura_monitor/1.2.3/kibana/visualization/hid_bravura_monitor-85943290-1a2b-11eb-abcf-effcd51852fa.json +++ /dev/null 
@@ -1,33 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"hid_bravura_monitor.perf.kind\",\"negate\":false,\"params\":{\"query\":\"PerfConnector\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"hid_bravura_monitor.perf.kind\":\"PerfConnector\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Connector List", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Target ID\",\"field\":\"hid_bravura_monitor.perf.targetid\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10000},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Address\",\"field\":\"hid_bravura_monitor.perf.address\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10000},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Process\",\"field\":\"log.logger\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10000},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\
":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Connector List\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-85943290-1a2b-11eb-abcf-effcd51852fa", - "migrationVersion": { - "visualization": "7.14.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/hid_bravura_monitor/1.2.3/kibana/visualization/hid_bravura_monitor-878feb30-1ade-11eb-abcf-effcd51852fa.json b/packages/hid_bravura_monitor/1.2.3/kibana/visualization/hid_bravura_monitor-878feb30-1ade-11eb-abcf-effcd51852fa.json deleted file mode 100755 index 6f2874777a..0000000000 --- a/packages/hid_bravura_monitor/1.2.3/kibana/visualization/hid_bravura_monitor-878feb30-1ade-11eb-abcf-effcd51852fa.json +++ /dev/null 
@@ -1,29 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Connector Return Code: Executable Count", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Executable\",\"field\":\"log.logger\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":1000},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Connector Return Code: Executable Count\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-878feb30-1ade-11eb-abcf-effcd51852fa", - "migrationVersion": { - "visualization": "7.14.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "hid_bravura_monitor-55100560-1add-11eb-abcf-effcd51852fa", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/hid_bravura_monitor/1.2.3/kibana/visualization/hid_bravura_monitor-87baab60-25b8-11eb-abcf-effcd51852fa.json b/packages/hid_bravura_monitor/1.2.3/kibana/visualization/hid_bravura_monitor-87baab60-25b8-11eb-abcf-effcd51852fa.json deleted file mode 100755 index 22abdbd1a4..0000000000 --- a/packages/hid_bravura_monitor/1.2.3/kibana/visualization/hid_bravura_monitor-87baab60-25b8-11eb-abcf-effcd51852fa.json +++ /dev/null 
@@ -1,29 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "API: Function runtimes", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":0,\"direction\":\"asc\"}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"hid_bravura_monitor.perf.function\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"hid_bravura_monitor.perf.duration\"},\"schema\":\"metric\",\"type\":\"avg\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"field\":\"hid_bravura_monitor.perf.duration\"},\"schema\":\"metric\",\"type\":\"min\"},{\"enabled\":true,\"id\":\"5\",\"params\":{\"field\":\"hid_bravura_monitor.perf.duration\"},\"schema\":\"metric\",\"type\":\"max\"},{\"enabled\":true,\"id\":\"6\",\"params\":{\"field\":\"hid_bravura_monitor.perf.duration\"},\"schema\":\"metric\",\"type\":\"sum\"}],\"params\":{\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"API: Function runtimes\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-87baab60-25b8-11eb-abcf-effcd51852fa", - "migrationVersion": { - "visualization": "7.14.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "hid_bravura_monitor-991d9760-1473-11eb-bb7b-bb041e8cf289", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/hid_bravura_monitor/1.2.3/kibana/visualization/hid_bravura_monitor-89e6a260-25d4-11eb-abcf-effcd51852fa.json b/packages/hid_bravura_monitor/1.2.3/kibana/visualization/hid_bravura_monitor-89e6a260-25d4-11eb-abcf-effcd51852fa.json deleted file mode 100755 index 730b9b47b5..0000000000 --- a/packages/hid_bravura_monitor/1.2.3/kibana/visualization/hid_bravura_monitor-89e6a260-25d4-11eb-abcf-effcd51852fa.json +++ /dev/null 
@@ -1,33 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"log.logger\",\"negate\":false,\"params\":{\"query\":\"iddb.exe\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"log.logger\":\"iddb.exe\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Database: Severity Counts", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Severity\",\"field\":\"log.level\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"metric\":{\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"None\",\"percentageMode\":false,\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":40,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"Database: Severity Counts\",\"type\":\"metric\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-89e6a260-25d4-11eb-abcf-effcd51852fa", - "migrationVersion": { - "visualization": "7.14.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} 
\ No newline at end of file diff --git a/packages/hid_bravura_monitor/1.2.3/kibana/visualization/hid_bravura_monitor-8c755c30-25d7-11eb-abcf-effcd51852fa.json b/packages/hid_bravura_monitor/1.2.3/kibana/visualization/hid_bravura_monitor-8c755c30-25d7-11eb-abcf-effcd51852fa.json deleted file mode 100755 index 04cc20f45d..0000000000 --- a/packages/hid_bravura_monitor/1.2.3/kibana/visualization/hid_bravura_monitor-8c755c30-25d7-11eb-abcf-effcd51852fa.json +++ /dev/null 
@@ -1,29 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Dataset: Histogram", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"scaleMetricValues\":false,\"timeRange\":{\"from\":\"now-15m\",\"to\":\"now\"},\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"host.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"isVislibVis\":true,\"labels\":{\"show\":false},\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"mode\":\"stacked\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"posi
tion\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"Dataset: Histogram\",\"type\":\"histogram\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-8c755c30-25d7-11eb-abcf-effcd51852fa", - "migrationVersion": { - "visualization": "7.14.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "hid_bravura_monitor-465760e0-25d7-11eb-abcf-effcd51852fa", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/hid_bravura_monitor/1.2.3/kibana/visualization/hid_bravura_monitor-8ec75c50-2383-11eb-abcf-effcd51852fa.json b/packages/hid_bravura_monitor/1.2.3/kibana/visualization/hid_bravura_monitor-8ec75c50-2383-11eb-abcf-effcd51852fa.json deleted file mode 100755 index f4e3b0a06b..0000000000 --- a/packages/hid_bravura_monitor/1.2.3/kibana/visualization/hid_bravura_monitor-8ec75c50-2383-11eb-abcf-effcd51852fa.json +++ /dev/null 
@@ -1,29 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Problem Distribution", - "uiStateJSON": "{\"vis\":{\"colors\":{\"error\":\"#EF843C\",\"warning\":\"#EAB839\"}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"host.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10000},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"log.level\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"labels\":{\"last_level\":true,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"type\":\"pie\"},\"title\":\"Problem Distribution\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-8ec75c50-2383-11eb-abcf-effcd51852fa", - "migrationVersion": { - "visualization": "7.14.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "hid_bravura_monitor-1616ab00-22c8-11eb-abcf-effcd51852fa", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/hid_bravura_monitor/1.2.3/kibana/visualization/hid_bravura_monitor-9036f440-d37f-11eb-9e70-edcbba448215.json b/packages/hid_bravura_monitor/1.2.3/kibana/visualization/hid_bravura_monitor-9036f440-d37f-11eb-9e70-edcbba448215.json deleted file mode 100755 index 60028e9750..0000000000 --- a/packages/hid_bravura_monitor/1.2.3/kibana/visualization/hid_bravura_monitor-9036f440-d37f-11eb-9e70-edcbba448215.json +++ /dev/null 
@@ -1,34 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":{\"query\":\"3\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"event.code\":\"3\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "User Login Lockout", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"scaleMetricValues\":false,\"timeRange\":{\"from\":\"now-1y\",\"to\":\"now\"},\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"isVislibVis\":true,\"labels\":{\"show\":false},\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"mode\":\"stacked\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":1
00},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"User Login Lockout\",\"type\":\"histogram\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-9036f440-d37f-11eb-9e70-edcbba448215", - "migrationVersion": { - "visualization": "7.14.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "hid_bravura_monitor-089d63f0-d37c-11eb-9e70-edcbba448215", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/hid_bravura_monitor/1.2.3/kibana/visualization/hid_bravura_monitor-9357e910-2b67-11eb-abcf-effcd51852fa.json b/packages/hid_bravura_monitor/1.2.3/kibana/visualization/hid_bravura_monitor-9357e910-2b67-11eb-abcf-effcd51852fa.json deleted file mode 100755 index 91932e1810..0000000000 --- a/packages/hid_bravura_monitor/1.2.3/kibana/visualization/hid_bravura_monitor-9357e910-2b67-11eb-abcf-effcd51852fa.json +++ /dev/null 
@@ -1,29 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Users: API: Users", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"User\",\"field\":\"user.id\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":1000},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Users: API: Users\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-9357e910-2b67-11eb-abcf-effcd51852fa", - "migrationVersion": { - "visualization": "7.14.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "hid_bravura_monitor-ad5f7180-1473-11eb-bb7b-bb041e8cf289", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/hid_bravura_monitor/1.2.3/kibana/visualization/hid_bravura_monitor-95fb9a70-25d8-11eb-abcf-effcd51852fa.json b/packages/hid_bravura_monitor/1.2.3/kibana/visualization/hid_bravura_monitor-95fb9a70-25d8-11eb-abcf-effcd51852fa.json deleted file mode 100755 index 6e743b35ed..0000000000 --- a/packages/hid_bravura_monitor/1.2.3/kibana/visualization/hid_bravura_monitor-95fb9a70-25d8-11eb-abcf-effcd51852fa.json +++ /dev/null 
@@ -1,29 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Database: Replication: Stored Procedures", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Function\",\"field\":\"hid_bravura_monitor.perf.function\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10000},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Average (ms)\",\"field\":\"hid_bravura_monitor.perf.duration\"},\"schema\":\"metric\",\"type\":\"avg\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Minimum (ms)\",\"field\":\"hid_bravura_monitor.perf.duration\"},\"schema\":\"metric\",\"type\":\"min\"},{\"enabled\":true,\"id\":\"5\",\"params\":{\"customLabel\":\"Maximum (ms)\",\"field\":\"hid_bravura_monitor.perf.duration\"},\"schema\":\"metric\",\"type\":\"max\"},{\"enabled\":true,\"id\":\"6\",\"params\":{\"customLabel\":\"Total (ms)\",\"field\":\"hid_bravura_monitor.perf.duration\"},\"schema\":\"metric\",\"type\":\"sum\"}],\"params\":{\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Database: Replication: Stored Procedures\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-95fb9a70-25d8-11eb-abcf-effcd51852fa", - "migrationVersion": { - "visualization": "7.14.0" - }, - "namespaces": [ - "default" - ], - 
"references": [ - { - "id": "hid_bravura_monitor-2e254220-df55-11eb-9b6e-d57491399e2a", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/hid_bravura_monitor/1.2.3/kibana/visualization/hid_bravura_monitor-979ecd00-1abd-11eb-abcf-effcd51852fa.json b/packages/hid_bravura_monitor/1.2.3/kibana/visualization/hid_bravura_monitor-979ecd00-1abd-11eb-abcf-effcd51852fa.json deleted file mode 100755 index 7007bcc7c5..0000000000 --- a/packages/hid_bravura_monitor/1.2.3/kibana/visualization/hid_bravura_monitor-979ecd00-1abd-11eb-abcf-effcd51852fa.json +++ /dev/null @@ -1,22 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Connector Return Code: Legend", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"fontSize\":10,\"markdown\":\"Success - 0\\n\\nUnknown Error - 1\\n\\nCannot Connect - 3\\n\\nInvalid Server - 5\\n\\nAccess Denied - 11\\n\\nVerify Failed - 14\",\"openLinksInNewTab\":false},\"title\":\"Connector Return Code: Legend\",\"type\":\"markdown\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-979ecd00-1abd-11eb-abcf-effcd51852fa", - "migrationVersion": { - "visualization": "7.14.0" - }, - "namespaces": [ - "default" - ], - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/hid_bravura_monitor/1.2.3/kibana/visualization/hid_bravura_monitor-9a513b80-d388-11eb-9e70-edcbba448215.json b/packages/hid_bravura_monitor/1.2.3/kibana/visualization/hid_bravura_monitor-9a513b80-d388-11eb-9e70-edcbba448215.json deleted file mode 100755 index 67069cd556..0000000000 --- a/packages/hid_bravura_monitor/1.2.3/kibana/visualization/hid_bravura_monitor-9a513b80-d388-11eb-9e70-edcbba448215.json +++ /dev/null 
@@ -1,34 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":{\"query\":\"78\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"event.code\":\"78\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "File Replication Errors", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"scaleMetricValues\":false,\"timeRange\":{\"from\":\"now-1y\",\"to\":\"now\"},\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"isVislibVis\":true,\"labels\":{\"show\":false},\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"mode\":\"stacked\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"trunc
ate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"File Replication Errors\",\"type\":\"histogram\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-9a513b80-d388-11eb-9e70-edcbba448215", - "migrationVersion": { - "visualization": "7.14.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "hid_bravura_monitor-089d63f0-d37c-11eb-9e70-edcbba448215", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/hid_bravura_monitor/1.2.3/kibana/visualization/hid_bravura_monitor-9a75fb00-d83d-11eb-9e70-edcbba448215.json b/packages/hid_bravura_monitor/1.2.3/kibana/visualization/hid_bravura_monitor-9a75fb00-d83d-11eb-9e70-edcbba448215.json deleted file mode 100755 index 5b0c8576c0..0000000000 --- a/packages/hid_bravura_monitor/1.2.3/kibana/visualization/hid_bravura_monitor-9a75fb00-d83d-11eb-9e70-edcbba448215.json +++ /dev/null 
@@ -1,34 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":[\"32\",\"33\"],\"type\":\"phrases\",\"value\":\"32, 33\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.code\":\"32\"}},{\"match_phrase\":{\"event.code\":\"33\"}}]}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Unlocked Profile Trend", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"scaleMetricValues\":false,\"timeRange\":{\"from\":\"now-1y\",\"to\":\"now\"},\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false},\"isVislibVis\":true,\"labels\":{},\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"normal\",\"show\":true,\"showCircles\":true,\"type\":\"line\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\
"width\":1},\"times\":[],\"type\":\"line\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"Unlocked Profile Trend\",\"type\":\"line\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-9a75fb00-d83d-11eb-9e70-edcbba448215", - "migrationVersion": { - "visualization": "7.14.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "hid_bravura_monitor-dca8bb20-d397-11eb-9e70-edcbba448215", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/hid_bravura_monitor/1.2.3/kibana/visualization/hid_bravura_monitor-a29a1cc0-238a-11eb-abcf-effcd51852fa.json b/packages/hid_bravura_monitor/1.2.3/kibana/visualization/hid_bravura_monitor-a29a1cc0-238a-11eb-abcf-effcd51852fa.json deleted file mode 100755 index 72dcb208bf..0000000000 --- a/packages/hid_bravura_monitor/1.2.3/kibana/visualization/hid_bravura_monitor-a29a1cc0-238a-11eb-abcf-effcd51852fa.json +++ /dev/null 
@@ -1,29 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "User Problem Distribution", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"User\",\"field\":\"winlog.user.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10000},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Severity\",\"field\":\"log.level\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"User Problem Distribution\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-a29a1cc0-238a-11eb-abcf-effcd51852fa", - "migrationVersion": { - "visualization": "7.14.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "hid_bravura_monitor-1616ab00-22c8-11eb-abcf-effcd51852fa", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/hid_bravura_monitor/1.2.3/kibana/visualization/hid_bravura_monitor-a8002430-25d7-11eb-abcf-effcd51852fa.json b/packages/hid_bravura_monitor/1.2.3/kibana/visualization/hid_bravura_monitor-a8002430-25d7-11eb-abcf-effcd51852fa.json
deleted file mode 100755
index a2be43fb06..0000000000
--- a/packages/hid_bravura_monitor/1.2.3/kibana/visualization/hid_bravura_monitor-a8002430-25d7-11eb-abcf-effcd51852fa.json
+++ /dev/null
@@ -1,29 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Database: Replication: Total over time", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Total (ms)\",\"field\":\"hid_bravura_monitor.perf.duration\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"scaleMetricValues\":false,\"timeRange\":{\"from\":\"now-90d\",\"to\":\"now\"},\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Node\",\"field\":\"host.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10000},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"isVislibVis\":true,\"labels\":{\"show\":false},\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Total 
(ms)\"},\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"mode\":\"stacked\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Total (ms)\"},\"type\":\"value\"}]},\"title\":\"Database: Replication: Total over time\",\"type\":\"histogram\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-a8002430-25d7-11eb-abcf-effcd51852fa", - "migrationVersion": { - "visualization": "7.14.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "hid_bravura_monitor-2e254220-df55-11eb-9b6e-d57491399e2a", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/hid_bravura_monitor/1.2.3/kibana/visualization/hid_bravura_monitor-a950c4e0-1464-11eb-bb7b-bb041e8cf289.json b/packages/hid_bravura_monitor/1.2.3/kibana/visualization/hid_bravura_monitor-a950c4e0-1464-11eb-bb7b-bb041e8cf289.json deleted file mode 100755 index fc468116cc..0000000000 --- a/packages/hid_bravura_monitor/1.2.3/kibana/visualization/hid_bravura_monitor-a950c4e0-1464-11eb-bb7b-bb041e8cf289.json +++ /dev/null 
@@ -1,29 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "IDM Suite: Errors/Warnings by level", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Level\",\"field\":\"log.level\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":1000},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"IDM Suite: Errors/Warnings by level\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-a950c4e0-1464-11eb-bb7b-bb041e8cf289", - "migrationVersion": { - "visualization": "7.14.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "hid_bravura_monitor-2ec4a850-1463-11eb-bb7b-bb041e8cf289", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/hid_bravura_monitor/1.2.3/kibana/visualization/hid_bravura_monitor-aabca810-2456-11eb-abcf-effcd51852fa.json b/packages/hid_bravura_monitor/1.2.3/kibana/visualization/hid_bravura_monitor-aabca810-2456-11eb-abcf-effcd51852fa.json deleted file mode 100755 index 58cd9378d3..0000000000 --- a/packages/hid_bravura_monitor/1.2.3/kibana/visualization/hid_bravura_monitor-aabca810-2456-11eb-abcf-effcd51852fa.json +++ /dev/null 
@@ -1,33 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"winlog.event_id\",\"negate\":false,\"params\":[\"4740\",\"4728\",\"4732\",\"4756\",\"4735\",\"4624\",\"4625\",\"4648\"],\"type\":\"phrases\",\"value\":\"4740, 4728, 4732, 4756, 4735, 4624, 4625, 4648\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"winlog.event_id\":\"4740\"}},{\"match_phrase\":{\"winlog.event_id\":\"4728\"}},{\"match_phrase\":{\"winlog.event_id\":\"4732\"}},{\"match_phrase\":{\"winlog.event_id\":\"4756\"}},{\"match_phrase\":{\"winlog.event_id\":\"4735\"}},{\"match_phrase\":{\"winlog.event_id\":\"4624\"}},{\"match_phrase\":{\"winlog.event_id\":\"4625\"}},{\"match_phrase\":{\"winlog.event_id\":\"4648\"}}]}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Login Activity", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Event ID\",\"field\":\"winlog.event_id\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":1000},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"5\",\"params\":{\"customLabel\":\"Event 
Category\",\"field\":\"event.category\",\"missingBucket\":true,\"missingBucketLabel\":\"N/A\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Event Action\",\"field\":\"event.action\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":100},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Event Outcome\",\"field\":\"event.outcome\",\"missingBucket\":true,\"missingBucketLabel\":\"N/A\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Login Activity\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-aabca810-2456-11eb-abcf-effcd51852fa", - "migrationVersion": { - "visualization": "7.14.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/hid_bravura_monitor/1.2.3/kibana/visualization/hid_bravura_monitor-b8f9a5c0-d83f-11eb-9e70-edcbba448215.json b/packages/hid_bravura_monitor/1.2.3/kibana/visualization/hid_bravura_monitor-b8f9a5c0-d83f-11eb-9e70-edcbba448215.json deleted file mode 100755 index ccc4f18a5a..0000000000 
--- a/packages/hid_bravura_monitor/1.2.3/kibana/visualization/hid_bravura_monitor-b8f9a5c0-d83f-11eb-9e70-edcbba448215.json
+++ /dev/null
@@ -1,34 +0,0 @@ -{ - "attributes": { - "description": "62 - Self-service password reset\n65 - Help-desk assisted password reset", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":[\"62\",\"65\"],\"type\":\"phrases\",\"value\":\"62, 65\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.code\":\"62\"}},{\"match_phrase\":{\"event.code\":\"65\"}}]}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Password Resets Started", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Event Code\",\"field\":\"event.code\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"Password Resets Started\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-b8f9a5c0-d83f-11eb-9e70-edcbba448215", - "migrationVersion": { - "visualization": "7.14.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "hid_bravura_monitor-dca8bb20-d397-11eb-9e70-edcbba448215", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/hid_bravura_monitor/1.2.3/kibana/visualization/hid_bravura_monitor-b9fb36b0-1480-11eb-bb7b-bb041e8cf289.json b/packages/hid_bravura_monitor/1.2.3/kibana/visualization/hid_bravura_monitor-b9fb36b0-1480-11eb-bb7b-bb041e8cf289.json
deleted file mode 100755
index 6833d91789..0000000000
--- a/packages/hid_bravura_monitor/1.2.3/kibana/visualization/hid_bravura_monitor-b9fb36b0-1480-11eb-bb7b-bb041e8cf289.json
+++ /dev/null
@@ -1,29 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Database: Stored Procedure Histogram", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"scaleMetricValues\":false,\"timeRange\":{\"from\":\"now-15m\",\"to\":\"now\"},\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Node\",\"field\":\"host.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":1000},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"isVislibVis\":true,\"labels\":{\"show\":false},\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"radiusRatio\":0,\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"mode\":\"stacked\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":
0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"Database: Stored Procedure Histogram\",\"type\":\"histogram\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-b9fb36b0-1480-11eb-bb7b-bb041e8cf289", - "migrationVersion": { - "visualization": "7.14.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "hid_bravura_monitor-83eacd90-1473-11eb-bb7b-bb041e8cf289", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/hid_bravura_monitor/1.2.3/kibana/visualization/hid_bravura_monitor-bde40aa0-1957-11eb-abcf-effcd51852fa.json b/packages/hid_bravura_monitor/1.2.3/kibana/visualization/hid_bravura_monitor-bde40aa0-1957-11eb-abcf-effcd51852fa.json deleted file mode 100755 index 0fe0c3af4e..0000000000 --- a/packages/hid_bravura_monitor/1.2.3/kibana/visualization/hid_bravura_monitor-bde40aa0-1957-11eb-abcf-effcd51852fa.json +++ /dev/null 
@@ -1,43 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"hid_bravura_monitor.perf.kind\",\"negate\":false,\"params\":{\"query\":\"PerfExe\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"hid_bravura_monitor.perf.kind\":\"PerfExe\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"log.logger\",\"negate\":false,\"params\":{\"query\":\"psf.exe\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"log.logger\":\"psf.exe\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[2].meta.index\",\"key\":\"hid_bravura_monitor.perf.transid\",\"negate\":false,\"params\":{\"query\":\"C_AUTHCHAIN_LOGIN\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"hid_bravura_monitor.perf.transid\":\"C_AUTHCHAIN_LOGIN\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Users: Summary: User Logins", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"User 
Name\",\"field\":\"user.id\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10000},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Users: Summary: User Logins\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-bde40aa0-1957-11eb-abcf-effcd51852fa", - "migrationVersion": { - "visualization": "7.14.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[2].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/hid_bravura_monitor/1.2.3/kibana/visualization/hid_bravura_monitor-be6560d0-1a21-11eb-abcf-effcd51852fa.json b/packages/hid_bravura_monitor/1.2.3/kibana/visualization/hid_bravura_monitor-be6560d0-1a21-11eb-abcf-effcd51852fa.json deleted file mode 100755 index 97d263851a..0000000000 --- a/packages/hid_bravura_monitor/1.2.3/kibana/visualization/hid_bravura_monitor-be6560d0-1a21-11eb-abcf-effcd51852fa.json +++ /dev/null 
@@ -1,22 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Users: API: Help", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"fontSize\":12,\"markdown\":\"Ajax is a REST like API used by the UI.\\n\\nWhat actions are people calling and what performance are they experiencing?\",\"openLinksInNewTab\":false},\"title\":\"Users: API: Help\",\"type\":\"markdown\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-be6560d0-1a21-11eb-abcf-effcd51852fa", - "migrationVersion": { - "visualization": "7.14.0" - }, - "namespaces": [ - "default" - ], - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/hid_bravura_monitor/1.2.3/kibana/visualization/hid_bravura_monitor-c0e79490-25b6-11eb-abcf-effcd51852fa.json b/packages/hid_bravura_monitor/1.2.3/kibana/visualization/hid_bravura_monitor-c0e79490-25b6-11eb-abcf-effcd51852fa.json deleted file mode 100755 index 301a791343..0000000000 --- a/packages/hid_bravura_monitor/1.2.3/kibana/visualization/hid_bravura_monitor-c0e79490-25b6-11eb-abcf-effcd51852fa.json +++ /dev/null 
@@ -1,29 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "API: Calls per node", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"host.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":1000},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"API: Calls per node\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-c0e79490-25b6-11eb-abcf-effcd51852fa", - "migrationVersion": { - "visualization": "7.14.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "hid_bravura_monitor-991d9760-1473-11eb-bb7b-bb041e8cf289", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/hid_bravura_monitor/1.2.3/kibana/visualization/hid_bravura_monitor-c318d000-d83d-11eb-9e70-edcbba448215.json b/packages/hid_bravura_monitor/1.2.3/kibana/visualization/hid_bravura_monitor-c318d000-d83d-11eb-9e70-edcbba448215.json deleted file mode 100755 index d848a393fe..0000000000 --- a/packages/hid_bravura_monitor/1.2.3/kibana/visualization/hid_bravura_monitor-c318d000-d83d-11eb-9e70-edcbba448215.json +++ /dev/null 
@@ -1,34 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":[\"30\",\"31\"],\"type\":\"phrases\",\"value\":\"30, 31\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.code\":\"30\"}},{\"match_phrase\":{\"event.code\":\"31\"}}]}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Top 10 Disabled Profiles", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Profile\",\"field\":\"winlog.event_data.Profile\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"Top 10 Disabled Profiles\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-c318d000-d83d-11eb-9e70-edcbba448215", - "migrationVersion": { - "visualization": "7.14.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "hid_bravura_monitor-dca8bb20-d397-11eb-9e70-edcbba448215", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/hid_bravura_monitor/1.2.3/kibana/visualization/hid_bravura_monitor-c85815c0-d83e-11eb-9e70-edcbba448215.json b/packages/hid_bravura_monitor/1.2.3/kibana/visualization/hid_bravura_monitor-c85815c0-d83e-11eb-9e70-edcbba448215.json
deleted file mode 100755
index f58e4943dd..0000000000
--- a/packages/hid_bravura_monitor/1.2.3/kibana/visualization/hid_bravura_monitor-c85815c0-d83e-11eb-9e70-edcbba448215.json
+++ /dev/null
@@ -1,34 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":[\"30\",\"31\"],\"type\":\"phrases\",\"value\":\"30, 31\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.code\":\"30\"}},{\"match_phrase\":{\"event.code\":\"31\"}}]}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Disabled Profiles Trend", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"scaleMetricValues\":false,\"timeRange\":{\"from\":\"now-1y\",\"to\":\"now\"},\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false},\"isVislibVis\":true,\"labels\":{},\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"normal\",\"show\":true,\"showCircles\":true,\"type\":\"line\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,
\"width\":1},\"times\":[],\"type\":\"line\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"Disabled Profiles Trend\",\"type\":\"line\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-c85815c0-d83e-11eb-9e70-edcbba448215", - "migrationVersion": { - "visualization": "7.14.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "hid_bravura_monitor-dca8bb20-d397-11eb-9e70-edcbba448215", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/hid_bravura_monitor/1.2.3/kibana/visualization/hid_bravura_monitor-cc0f81c0-243f-11eb-abcf-effcd51852fa.json b/packages/hid_bravura_monitor/1.2.3/kibana/visualization/hid_bravura_monitor-cc0f81c0-243f-11eb-abcf-effcd51852fa.json deleted file mode 100755 index cefcd08264..0000000000 --- a/packages/hid_bravura_monitor/1.2.3/kibana/visualization/hid_bravura_monitor-cc0f81c0-243f-11eb-abcf-effcd51852fa.json +++ /dev/null 
@@ -1,29 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Provider Login Distribution", - "uiStateJSON": "{\"vis\":{\"colors\":{\"failure\":\"#BF1B00\",\"success\":\"#629E51\"}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Provider\",\"field\":\"winlog.provider_name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10000},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Outcome\",\"field\":\"event.outcome\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"labels\":{\"last_level\":true,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"type\":\"pie\"},\"title\":\"Provider Login Distribution\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-cc0f81c0-243f-11eb-abcf-effcd51852fa", - "migrationVersion": { - "visualization": "7.14.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "hid_bravura_monitor-1a724dd0-2395-11eb-abcf-effcd51852fa", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/hid_bravura_monitor/1.2.3/kibana/visualization/hid_bravura_monitor-cf6ea950-1ade-11eb-abcf-effcd51852fa.json b/packages/hid_bravura_monitor/1.2.3/kibana/visualization/hid_bravura_monitor-cf6ea950-1ade-11eb-abcf-effcd51852fa.json deleted file mode 100755 index ad665e2928..0000000000 --- a/packages/hid_bravura_monitor/1.2.3/kibana/visualization/hid_bravura_monitor-cf6ea950-1ade-11eb-abcf-effcd51852fa.json +++ /dev/null @@ -1,29 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Connector Return Code: Node counts", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Node\",\"field\":\"host.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10000},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Connector Return Code: Node counts\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-cf6ea950-1ade-11eb-abcf-effcd51852fa", - "migrationVersion": { - "visualization": "7.14.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "hid_bravura_monitor-55100560-1add-11eb-abcf-effcd51852fa", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/hid_bravura_monitor/1.2.3/kibana/visualization/hid_bravura_monitor-d3897a80-25db-11eb-abcf-effcd51852fa.json b/packages/hid_bravura_monitor/1.2.3/kibana/visualization/hid_bravura_monitor-d3897a80-25db-11eb-abcf-effcd51852fa.json
deleted file mode 100755
index c994df3988..0000000000
--- a/packages/hid_bravura_monitor/1.2.3/kibana/visualization/hid_bravura_monitor-d3897a80-25db-11eb-abcf-effcd51852fa.json
+++ /dev/null
@@ -1,29 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Database: Discovery procedures", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Average (ms)\",\"field\":\"hid_bravura_monitor.perf.duration\"},\"schema\":\"metric\",\"type\":\"avg\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Minimum (ms)\",\"field\":\"hid_bravura_monitor.perf.duration\"},\"schema\":\"metric\",\"type\":\"min\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Maximum (ms)\",\"field\":\"hid_bravura_monitor.perf.duration\"},\"schema\":\"metric\",\"type\":\"max\"},{\"enabled\":true,\"id\":\"5\",\"params\":{\"customLabel\":\"Total 
(ms)\",\"field\":\"hid_bravura_monitor.perf.duration\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"6\",\"params\":{\"customLabel\":\"Function\",\"field\":\"hid_bravura_monitor.perf.function\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10000},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"7\",\"params\":{\"customLabel\":\"Process\",\"field\":\"log.logger\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"split\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"percentageCol\":\"\",\"row\":true,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Database: Discovery procedures\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-d3897a80-25db-11eb-abcf-effcd51852fa", - "migrationVersion": { - "visualization": "7.14.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "hid_bravura_monitor-3aa4b370-25db-11eb-abcf-effcd51852fa", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/hid_bravura_monitor/1.2.3/kibana/visualization/hid_bravura_monitor-d5dcbf40-1a28-11eb-abcf-effcd51852fa.json b/packages/hid_bravura_monitor/1.2.3/kibana/visualization/hid_bravura_monitor-d5dcbf40-1a28-11eb-abcf-effcd51852fa.json deleted file mode 100755 index 4fe4d640eb..0000000000 --- a/packages/hid_bravura_monitor/1.2.3/kibana/visualization/hid_bravura_monitor-d5dcbf40-1a28-11eb-abcf-effcd51852fa.json +++ /dev/null 
@@ -1,33 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"hid_bravura_monitor.perf.kind\",\"negate\":false,\"params\":{\"query\":\"PerfConnector\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"hid_bravura_monitor.perf.kind\":\"PerfConnector\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Connector: Error Messages", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Message\",\"field\":\"hid_bravura_monitor.perf.message\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":1000},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Connector: Error Messages\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-d5dcbf40-1a28-11eb-abcf-effcd51852fa", - "migrationVersion": { - "visualization": "7.14.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end 
of file diff --git a/packages/hid_bravura_monitor/1.2.3/kibana/visualization/hid_bravura_monitor-d5fae950-25d3-11eb-abcf-effcd51852fa.json b/packages/hid_bravura_monitor/1.2.3/kibana/visualization/hid_bravura_monitor-d5fae950-25d3-11eb-abcf-effcd51852fa.json deleted file mode 100755 index e379b37f89..0000000000 --- a/packages/hid_bravura_monitor/1.2.3/kibana/visualization/hid_bravura_monitor-d5fae950-25d3-11eb-abcf-effcd51852fa.json +++ /dev/null 
@@ -1,33 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"log.logger\",\"negate\":false,\"params\":{\"query\":\"iddb.exe\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"log.logger\":\"iddb.exe\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Database: Log Histogram", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"scaleMetricValues\":false,\"timeRange\":{\"from\":\"now-15m\",\"to\":\"now\"},\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Node\",\"field\":\"host.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10000},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"isVislibVis\":true,\"labels\":{\"show\":false},\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"mode\":
\"stacked\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"Database: Log Histogram\",\"type\":\"histogram\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-d5fae950-25d3-11eb-abcf-effcd51852fa", - "migrationVersion": { - "visualization": "7.14.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/hid_bravura_monitor/1.2.3/kibana/visualization/hid_bravura_monitor-d66fb2a0-3ed6-11eb-9549-63f6cd998f21.json b/packages/hid_bravura_monitor/1.2.3/kibana/visualization/hid_bravura_monitor-d66fb2a0-3ed6-11eb-9549-63f6cd998f21.json deleted file mode 100755 index e0b25e4cfb..0000000000 --- a/packages/hid_bravura_monitor/1.2.3/kibana/visualization/hid_bravura_monitor-d66fb2a0-3ed6-11eb-9549-63f6cd998f21.json +++ /dev/null 
@@ -1,29 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "IDM Suite: Errors/Warnings by process", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Process\",\"field\":\"log.logger\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":1000},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"IDM Suite: Errors/Warnings by process\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-d66fb2a0-3ed6-11eb-9549-63f6cd998f21", - "migrationVersion": { - "visualization": "7.14.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "hid_bravura_monitor-2ec4a850-1463-11eb-bb7b-bb041e8cf289", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/hid_bravura_monitor/1.2.3/kibana/visualization/hid_bravura_monitor-d7dc3680-1add-11eb-abcf-effcd51852fa.json b/packages/hid_bravura_monitor/1.2.3/kibana/visualization/hid_bravura_monitor-d7dc3680-1add-11eb-abcf-effcd51852fa.json deleted file mode 100755 index 00ab38e3b7..0000000000 --- a/packages/hid_bravura_monitor/1.2.3/kibana/visualization/hid_bravura_monitor-d7dc3680-1add-11eb-abcf-effcd51852fa.json +++ /dev/null 
@@ -1,29 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Connector Return Code: Histogram", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"scaleMetricValues\":false,\"timeRange\":{\"from\":\"now-90d\",\"to\":\"now\"},\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Node\",\"field\":\"host.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":1000},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"isVislibVis\":true,\"labels\":{\"show\":false},\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"mode\":\"stacked\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"trun
cate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"Connector Return Code: Histogram\",\"type\":\"histogram\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-d7dc3680-1add-11eb-abcf-effcd51852fa", - "migrationVersion": { - "visualization": "7.14.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "hid_bravura_monitor-55100560-1add-11eb-abcf-effcd51852fa", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/hid_bravura_monitor/1.2.3/kibana/visualization/hid_bravura_monitor-db3f9af0-1a1b-11eb-abcf-effcd51852fa.json b/packages/hid_bravura_monitor/1.2.3/kibana/visualization/hid_bravura_monitor-db3f9af0-1a1b-11eb-abcf-effcd51852fa.json deleted file mode 100755 index b9ff373e67..0000000000 --- a/packages/hid_bravura_monitor/1.2.3/kibana/visualization/hid_bravura_monitor-db3f9af0-1a1b-11eb-abcf-effcd51852fa.json +++ /dev/null 
@@ -1,29 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Users: Issues: Processes", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Process\",\"field\":\"log.logger\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Users: Issues: Processes\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-db3f9af0-1a1b-11eb-abcf-effcd51852fa", - "migrationVersion": { - "visualization": "7.14.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "hid_bravura_monitor-9e4165d0-1a1a-11eb-abcf-effcd51852fa", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/hid_bravura_monitor/1.2.3/kibana/visualization/hid_bravura_monitor-db898d80-1a21-11eb-abcf-effcd51852fa.json b/packages/hid_bravura_monitor/1.2.3/kibana/visualization/hid_bravura_monitor-db898d80-1a21-11eb-abcf-effcd51852fa.json deleted file mode 100755 index 6a17858df5..0000000000 --- a/packages/hid_bravura_monitor/1.2.3/kibana/visualization/hid_bravura_monitor-db898d80-1a21-11eb-abcf-effcd51852fa.json +++ /dev/null 
@@ -1,33 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"hid_bravura_monitor.perf.kind\",\"negate\":false,\"params\":{\"query\":\"PerfConnector\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"hid_bravura_monitor.perf.kind\":\"PerfConnector\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Connector: Targets", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Targets\",\"field\":\"hid_bravura_monitor.perf.targetid\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Connector\",\"field\":\"log.logger\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":100000},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Connector: Targets\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-db898d80-1a21-11eb-abcf-effcd51852fa", - "migrationVersion": { - "visualization": "7.14.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], 
- "type": "visualization" -} \ No newline at end of file diff --git a/packages/hid_bravura_monitor/1.2.3/kibana/visualization/hid_bravura_monitor-dbc305e0-245a-11eb-abcf-effcd51852fa.json b/packages/hid_bravura_monitor/1.2.3/kibana/visualization/hid_bravura_monitor-dbc305e0-245a-11eb-abcf-effcd51852fa.json deleted file mode 100755 index a3d17ef983..0000000000 --- a/packages/hid_bravura_monitor/1.2.3/kibana/visualization/hid_bravura_monitor-dbc305e0-245a-11eb-abcf-effcd51852fa.json +++ /dev/null 
@@ -1,29 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Problem Heat Map", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"log.level\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"asc\",\"orderBy\":\"_key\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"host.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":1000},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"colorSchema\":\"Yellow to Red\",\"colorsNumber\":10,\"colorsRange\":[],\"enableHover\":true,\"invertColors\":false,\"legendPosition\":\"right\",\"percentageMode\":false,\"setColorRange\":false,\"times\":[],\"type\":\"heatmap\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"color\":\"black\",\"overwriteColor\":false,\"rotate\":0,\"show\":false},\"scale\":{\"defaultYExtents\":false,\"type\":\"linear\"},\"show\":false,\"type\":\"value\"}]},\"title\":\"Problem Heat Map\",\"type\":\"heatmap\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-dbc305e0-245a-11eb-abcf-effcd51852fa", - "migrationVersion": { - "visualization": "7.14.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "hid_bravura_monitor-1616ab00-22c8-11eb-abcf-effcd51852fa", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/hid_bravura_monitor/1.2.3/kibana/visualization/hid_bravura_monitor-ec082d90-1aaf-11eb-abcf-effcd51852fa.json b/packages/hid_bravura_monitor/1.2.3/kibana/visualization/hid_bravura_monitor-ec082d90-1aaf-11eb-abcf-effcd51852fa.json deleted file mode 100755 index 80ed8dc196..0000000000 --- a/packages/hid_bravura_monitor/1.2.3/kibana/visualization/hid_bravura_monitor-ec082d90-1aaf-11eb-abcf-effcd51852fa.json +++ /dev/null 
@@ -1,33 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"hid_bravura_monitor.perf.kind\",\"negate\":false,\"params\":{\"query\":\"PerfConnector\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"hid_bravura_monitor.perf.kind\":\"PerfConnector\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Connector: Target Performance", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Target ID\",\"field\":\"hid_bravura_monitor.perf.targetid\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10000},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Average (ms)\",\"field\":\"hid_bravura_monitor.perf.duration\"},\"schema\":\"metric\",\"type\":\"avg\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Min (ms)\",\"field\":\"hid_bravura_monitor.perf.duration\"},\"schema\":\"metric\",\"type\":\"min\"},{\"enabled\":true,\"id\":\"5\",\"params\":{\"customLabel\":\"Max (ms)\",\"field\":\"hid_bravura_monitor.perf.duration\"},\"schema\":\"metric\",\"type\":\"max\"},{\"enabled\":true,\"id\":\"6\",\"params\":{\"customLabel\":\"Total 
(ms)\",\"field\":\"hid_bravura_monitor.perf.duration\"},\"schema\":\"metric\",\"type\":\"sum\"}],\"params\":{\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Connector: Target Performance\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-ec082d90-1aaf-11eb-abcf-effcd51852fa", - "migrationVersion": { - "visualization": "7.14.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/hid_bravura_monitor/1.2.3/kibana/visualization/hid_bravura_monitor-ef5b4da0-2b6d-11eb-abcf-effcd51852fa.json b/packages/hid_bravura_monitor/1.2.3/kibana/visualization/hid_bravura_monitor-ef5b4da0-2b6d-11eb-abcf-effcd51852fa.json deleted file mode 100755 index 44d1ab6b92..0000000000 --- a/packages/hid_bravura_monitor/1.2.3/kibana/visualization/hid_bravura_monitor-ef5b4da0-2b6d-11eb-abcf-effcd51852fa.json +++ /dev/null 
@@ -1,29 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Database: Search performance", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Average (ms)\",\"field\":\"hid_bravura_monitor.perf.duration\"},\"schema\":\"metric\",\"type\":\"avg\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Minimum (ms)\",\"field\":\"hid_bravura_monitor.perf.duration\"},\"schema\":\"metric\",\"type\":\"min\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Maximum (ms)\",\"field\":\"hid_bravura_monitor.perf.duration\"},\"schema\":\"metric\",\"type\":\"max\"},{\"enabled\":true,\"id\":\"5\",\"params\":{\"customLabel\":\"Total (ms)\",\"field\":\"hid_bravura_monitor.perf.duration\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"6\",\"params\":{\"customLabel\":\"Function\",\"field\":\"hid_bravura_monitor.perf.function\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10000},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Database: Search performance\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-ef5b4da0-2b6d-11eb-abcf-effcd51852fa", - "migrationVersion": { - "visualization": "7.14.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": 
"hid_bravura_monitor-046c7b20-2b6d-11eb-abcf-effcd51852fa", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/hid_bravura_monitor/1.2.3/kibana/visualization/hid_bravura_monitor-f596ebf0-1adf-11eb-abcf-effcd51852fa.json b/packages/hid_bravura_monitor/1.2.3/kibana/visualization/hid_bravura_monitor-f596ebf0-1adf-11eb-abcf-effcd51852fa.json deleted file mode 100755 index 8cbf6b5d89..0000000000 --- a/packages/hid_bravura_monitor/1.2.3/kibana/visualization/hid_bravura_monitor-f596ebf0-1adf-11eb-abcf-effcd51852fa.json +++ /dev/null 
@@ -1,29 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Connector Return Code: Messages", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Message\",\"field\":\"hid_bravura_monitor.perf.message\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":1000},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Connector Return Code: Messages\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-f596ebf0-1adf-11eb-abcf-effcd51852fa", - "migrationVersion": { - "visualization": "7.14.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "hid_bravura_monitor-55100560-1add-11eb-abcf-effcd51852fa", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/hid_bravura_monitor/1.2.3/kibana/visualization/hid_bravura_monitor-f9ed0ec0-2eab-11eb-b6a1-bdb7d768b585.json b/packages/hid_bravura_monitor/1.2.3/kibana/visualization/hid_bravura_monitor-f9ed0ec0-2eab-11eb-b6a1-bdb7d768b585.json deleted file mode 100755 index eacd663506..0000000000 --- a/packages/hid_bravura_monitor/1.2.3/kibana/visualization/hid_bravura_monitor-f9ed0ec0-2eab-11eb-b6a1-bdb7d768b585.json +++ /dev/null 
@@ -1,29 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Executables: Performance", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Process\",\"field\":\"log.logger\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":100000},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Average (ms)\",\"field\":\"hid_bravura_monitor.perf.duration\"},\"schema\":\"metric\",\"type\":\"avg\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Minimum (ms)\",\"field\":\"hid_bravura_monitor.perf.duration\"},\"schema\":\"metric\",\"type\":\"min\"},{\"enabled\":true,\"id\":\"5\",\"params\":{\"customLabel\":\"Maximum (ms)\",\"field\":\"hid_bravura_monitor.perf.duration\"},\"schema\":\"metric\",\"type\":\"max\"},{\"enabled\":true,\"id\":\"6\",\"params\":{\"customLabel\":\"Total (ms)\",\"field\":\"hid_bravura_monitor.perf.duration\"},\"schema\":\"metric\",\"type\":\"sum\"}],\"params\":{\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Executables: Performance\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-f9ed0ec0-2eab-11eb-b6a1-bdb7d768b585", - "migrationVersion": { - "visualization": "7.14.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": 
"hid_bravura_monitor-95032a30-2eab-11eb-b6a1-bdb7d768b585", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/hid_bravura_monitor/1.2.3/kibana/visualization/hid_bravura_monitor-fddce510-d387-11eb-9e70-edcbba448215.json b/packages/hid_bravura_monitor/1.2.3/kibana/visualization/hid_bravura_monitor-fddce510-d387-11eb-9e70-edcbba448215.json deleted file mode 100755 index 0638184891..0000000000 --- a/packages/hid_bravura_monitor/1.2.3/kibana/visualization/hid_bravura_monitor-fddce510-d387-11eb-9e70-edcbba448215.json +++ /dev/null 
@@ -1,34 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":{\"query\":\"6\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"event.code\":\"6\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Replication Database Connection Failures", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"scaleMetricValues\":false,\"timeRange\":{\"from\":\"now-1y\",\"to\":\"now\"},\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"isVislibVis\":true,\"labels\":{\"show\":false},\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"mode\":\"stacked\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show
\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"Replication Database Connection Failures\",\"type\":\"histogram\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-fddce510-d387-11eb-9e70-edcbba448215", - "migrationVersion": { - "visualization": "7.14.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "hid_bravura_monitor-089d63f0-d37c-11eb-9e70-edcbba448215", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/hid_bravura_monitor/1.2.3/kibana/visualization/hid_bravura_monitor-fe363790-1a1a-11eb-abcf-effcd51852fa.json b/packages/hid_bravura_monitor/1.2.3/kibana/visualization/hid_bravura_monitor-fe363790-1a1a-11eb-abcf-effcd51852fa.json deleted file mode 100755 index 7a6059ca37..0000000000 --- a/packages/hid_bravura_monitor/1.2.3/kibana/visualization/hid_bravura_monitor-fe363790-1a1a-11eb-abcf-effcd51852fa.json +++ /dev/null 
@@ -1,29 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Users: Issues: Histogram", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"scaleMetricValues\":false,\"timeRange\":{\"from\":\"now-15m\",\"to\":\"now\"},\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Node\",\"field\":\"host.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":100},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"isVislibVis\":true,\"labels\":{\"show\":false},\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"mode\":\"stacked\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":10
0},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"Users: Issues: Histogram\",\"type\":\"histogram\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-fe363790-1a1a-11eb-abcf-effcd51852fa", - "migrationVersion": { - "visualization": "7.14.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "hid_bravura_monitor-9e4165d0-1a1a-11eb-abcf-effcd51852fa", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/hid_bravura_monitor/1.2.3/kibana/visualization/hid_bravura_monitor-fe779080-d83f-11eb-9e70-edcbba448215.json b/packages/hid_bravura_monitor/1.2.3/kibana/visualization/hid_bravura_monitor-fe779080-d83f-11eb-9e70-edcbba448215.json deleted file mode 100755 index c251939956..0000000000 --- a/packages/hid_bravura_monitor/1.2.3/kibana/visualization/hid_bravura_monitor-fe779080-d83f-11eb-9e70-edcbba448215.json +++ /dev/null 
@@ -1,34 +0,0 @@ -{ - "attributes": { - "description": "63 - Self-service password reset successful.\n64 - Self-service password reset failed.\n66 - Help-desk assisted password reset successful.\n67 - Help-desk assisted password reset failed.", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":[\"63\",\"64\",\"66\",\"67\"],\"type\":\"phrases\",\"value\":\"63, 64, 66, 67\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.code\":\"63\"}},{\"match_phrase\":{\"event.code\":\"64\"}},{\"match_phrase\":{\"event.code\":\"66\"}},{\"match_phrase\":{\"event.code\":\"67\"}}]}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Password Resets Trend", - "uiStateJSON": "{}", - "version": 1, - "visState": 
"{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"scaleMetricValues\":false,\"timeRange\":{\"from\":\"now-1y\",\"to\":\"now\"},\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Event\",\"field\":\"event.code\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false},\"isVislibVis\":true,\"labels\":{},\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"normal\",\"show\":true,\"showCircles\":true,\"type\":\"line\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"type\":\"line\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"Password Resets Trend\",\"type\":\"line\"}" - }, - "coreMigrationVersion": "7.15.0", - 
"id": "hid_bravura_monitor-fe779080-d83f-11eb-9e70-edcbba448215", - "migrationVersion": { - "visualization": "7.14.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "hid_bravura_monitor-dca8bb20-d397-11eb-9e70-edcbba448215", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/hid_bravura_monitor/1.2.3/manifest.yml b/packages/hid_bravura_monitor/1.2.3/manifest.yml deleted file mode 100755 index eb84150dae..0000000000 --- a/packages/hid_bravura_monitor/1.2.3/manifest.yml +++ /dev/null 
@@ -1,51 +0,0 @@ -name: hid_bravura_monitor -title: Hitachi ID Bravura Monitor -version: "1.2.3" -categories: ["security"] -release: ga -description: Collect logs from Hitachi ID Security Fabric with Elastic Agent. -type: integration -icons: - - src: /img/logo_hid_bravura_monitor.svg - title: logo Hitachi ID Bravura Monitor - size: 50x50 - type: image/svg+xml -conditions: - kibana: - version: ^7.16.0 || ^8.0.0 -screenshots: - - src: /img/kibana-hid_bravura_monitor-overview.png - title: Kibana Hitachi ID Bravura Monitor overview - size: 1907x971 - type: image/png - - src: /img/kibana-hid_bravura_monitor-log-issues.png - title: Kibana Hitachi ID Bravura Monitor dashboard example 1 - size: 1902x972 - type: image/png - - src: /img/kibana-hid_bravura_monitor-db-replication.png - title: Kibana Hitachi ID Bravura Monitor dashboard example 2 - size: 1903x969 - type: image/png - - src: /img/kibana-hid_bravura_monitor-connectors.png - title: Kibana Hitachi ID Bravura Monitor dashboard example 3 - size: 1896x971 - type: image/png - - src: /img/kibana-hid_bravura_monitor-admin.png - title: Kibana Hitachi ID Bravura Monitor dashboard example 4 - size: 1904x971 - type: image/png -owner: - github: elastic/security-external-integrations -format_version: 1.0.0 -license: basic -policy_templates: - - name: hid_bravura_monitor - title: Hitachi ID Bravura Monitor logs - description: Collect logs from Hitachi ID Bravura Monitor instances - inputs: - - type: filestream - title: 'Collect Hitachi ID Bravura Monitor application logs (input: filestream)' - description: 'Collecting application logs from Hitachi ID Bravura Monitor instances (input: filestream)' - - type: winlog - title: 'Collect Hitachi ID Bravura Monitor event logs (input: winlog)' - description: 'Collecting Windows Event logs from Hitachi ID Suite channel (input: winlog)' diff --git a/packages/imperva/0.10.1/LICENSE.txt b/packages/imperva/0.10.1/LICENSE.txt deleted file mode 100755 index 809108b857..0000000000 
--- a/packages/imperva/0.10.1/LICENSE.txt
+++ /dev/null
@@ -1,93 +0,0 @@
-Elastic License 2.0
-
-URL: https://www.elastic.co/licensing/elastic-license
-
-## Acceptance
-
-By using the software, you agree to all of the terms and conditions below.
-
-## Copyright License
-
-The licensor grants you a non-exclusive, royalty-free, worldwide,
-non-sublicensable, non-transferable license to use, copy, distribute, make
-available, and prepare derivative works of the software, in each case subject to
-the limitations and conditions below.
-
-## Limitations
-
-You may not provide the software to third parties as a hosted or managed
-service, where the service provides users with access to any substantial set of
-the features or functionality of the software.
-
-You may not move, change, disable, or circumvent the license key functionality
-in the software, and you may not remove or obscure any functionality in the
-software that is protected by the license key.
-
-You may not alter, remove, or obscure any licensing, copyright, or other notices
-of the licensor in the software. Any use of the licensor’s trademarks is subject
-to applicable law.
-
-## Patents
-
-The licensor grants you a license, under any patent claims the licensor can
-license, or becomes able to license, to make, have made, use, sell, offer for
-sale, import and have imported the software, in each case subject to the
-limitations and conditions in this license. This license does not cover any
-patent claims that you cause to be infringed by modifications or additions to
-the software. If you or your company make any written claim that the software
-infringes or contributes to infringement of any patent, your patent license for
-the software granted under these terms ends immediately. If your company makes
-such a claim, your patent license ends immediately for work on behalf of your
-company.
-
-## Notices
-
-You must ensure that anyone who gets a copy of any part of the software from you
-also gets a copy of these terms.
-
-If you modify the software, you must include in any modified copies of the
-software prominent notices stating that you have modified the software.
-
-## No Other Rights
-
-These terms do not imply any licenses other than those expressly granted in
-these terms.
-
-## Termination
-
-If you use the software in violation of these terms, such use is not licensed,
-and your licenses will automatically terminate. If the licensor provides you
-with a notice of your violation, and you cease all violation of this license no
-later than 30 days after you receive that notice, your licenses will be
-reinstated retroactively. However, if you violate these terms after such
-reinstatement, any additional violation of these terms will cause your licenses
-to terminate automatically and permanently.
-
-## No Liability
-
-*As far as the law allows, the software comes as is, without any warranty or
-condition, and the licensor will not be liable to you for any damages arising
-out of these terms or the use or nature of the software, under any kind of
-legal claim.*
-
-## Definitions
-
-The **licensor** is the entity offering these terms, and the **software** is the
-software the licensor makes available under these terms, including any portion
-of it.
-
-**you** refers to the individual or entity agreeing to these terms.
-
-**your company** is any legal entity, sole proprietorship, or other kind of
-organization that you work for, plus all organizations that have control over,
-are under the control of, or are under common control with that
-organization. **control** means ownership of substantially all the assets of an
-entity, or the power to direct its management and policies by vote, contract, or
-otherwise. Control can be direct or indirect.
-
-**your licenses** are all the licenses granted to you for the software under
-these terms.
-
-**use** means anything you do with the software requiring one of your licenses.
-
-**trademark** means trademarks, service marks, and similar rights.
diff --git a/packages/imperva/0.10.1/changelog.yml b/packages/imperva/0.10.1/changelog.yml
deleted file mode 100755
index 9ee48eae3d..0000000000
--- a/packages/imperva/0.10.1/changelog.yml
+++ /dev/null
@@ -1,101 +0,0 @@ -# newer versions go on top -- version: "0.10.1" - changes: - - description: Use ECS geo.location definition. - type: enhancement - link: https://github.com/elastic/integrations/issues/4227 -- version: "0.10.0" - changes: - - description: Update package to ECS 8.4.0 - type: enhancement - link: https://github.com/elastic/integrations/pull/3866 -- version: "0.9.0" - changes: - - description: Update package to ECS 8.3.0. - type: enhancement - link: https://github.com/elastic/integrations/pull/3353 -- version: "0.8.0" - changes: - - description: Update to ECS 8.2.0 - type: enhancement - link: https://github.com/elastic/integrations/pull/2779 -- version: "0.7.0" - changes: - - description: Update to ECS 8.0.0 - type: enhancement - link: https://github.com/elastic/integrations/pull/2586 -- version: "0.6.1" - changes: - - description: Regenerate test files using the new GeoIP database - type: bugfix - link: https://github.com/elastic/integrations/pull/2339 -- version: "0.6.0" - changes: - - description: Add 8.0.0 version constraint - type: enhancement - link: https://github.com/elastic/integrations/pull/2274 -- version: "0.5.4" - changes: - - description: Uniform with guidelines - type: enhancement - link: https://github.com/elastic/integrations/pull/2103 -- version: "0.5.3" - changes: - - description: Update Title and Description. - type: enhancement - link: https://github.com/elastic/integrations/pull/1968 -- version: "0.5.2" - changes: - - description: Fixed a bug that prevents the package from working in 7.16. 
- type: bugfix - link: https://github.com/elastic/integrations/pull/1882 -- version: "0.5.1" - changes: - - description: Fix logic that checks for the 'forwarded' tag - type: bugfix - link: https://github.com/elastic/integrations/pull/1823 -- version: "0.5.0" - changes: - - description: Update to ECS 1.12.0 - type: enhancement - link: https://github.com/elastic/integrations/pull/1663 -- version: "0.4.3" - changes: - - description: Requires version 7.14.1 of the stack - type: bugfix - link: https://github.com/elastic/integrations/pull/1541 -- version: "0.4.2" - changes: - - description: Convert to generated ECS fields - type: enhancement - link: https://github.com/elastic/integrations/pull/1482 -- version: '0.4.1' - changes: - - description: update to ECS 1.11.0 - type: enhancement - link: https://github.com/elastic/integrations/pull/1389 -- version: "0.4.0" - changes: - - description: Update integration description - type: enhancement - link: https://github.com/elastic/integrations/pull/1364 -- version: "0.3.0" - changes: - - description: Set "event.module" and "event.dataset" - type: enhancement - link: https://github.com/elastic/integrations/pull/1264 -- version: "0.2.0" - changes: - - description: update to ECS 1.10.0 and adding event.original options - type: enhancement - link: https://github.com/elastic/integrations/pull/1055 -- version: "0.1.4" - changes: - - description: update to ECS 1.9.0 - type: enhancement - link: https://github.com/elastic/integrations/pull/850 -- version: "0.1.0" - changes: - - description: initial release - type: enhancement # can be one of: enhancement, bugfix, breaking-change - link: https://github.com/elastic/package-storage/pull/181 diff --git a/packages/imperva/0.10.1/data_stream/securesphere/agent/stream/stream.yml.hbs b/packages/imperva/0.10.1/data_stream/securesphere/agent/stream/stream.yml.hbs deleted file mode 100755 index dbe9758e0d..0000000000 
--- a/packages/imperva/0.10.1/data_stream/securesphere/agent/stream/stream.yml.hbs
+++ /dev/null
@@ -1,2910 +0,0 @@ -paths: -{{#each paths as |path i|}} - - {{path}} -{{/each}} -exclude_files: [".gz$"] -tags: -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#each tags as |tag i|}} - - {{tag}} -{{/each}} -fields_under_root: true -fields: - observer: - vendor: "Imperva" - product: "Secure" - type: "WAF" -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} -processors: -{{#if processors}} -{{processors}} -{{/if}} -- script: - lang: javascript - params: - ecs: true - rsa: {{rsa_fields}} - tz_offset: {{tz_offset}} - keep_raw: {{keep_raw_fields}} - debug: {{debug}} - source: | - // Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - // or more contributor license agreements. Licensed under the Elastic License; - // you may not use this file except in compliance with the Elastic License. - - /* jshint -W014,-W016,-W097,-W116 */ - - var processor = require("processor"); - var console = require("console"); - - var FLAG_FIELD = "log.flags"; - var FIELDS_OBJECT = "nwparser"; - var FIELDS_PREFIX = FIELDS_OBJECT + "."; - - var defaults = { - debug: false, - ecs: true, - rsa: false, - keep_raw: false, - tz_offset: "local", - strip_priority: true - }; - - var saved_flags = null; - var debug; - var map_ecs; - var map_rsa; - var keep_raw; - var device; - var tz_offset; - var strip_priority; - - // Register params from configuration. - function register(params) { - debug = params.debug !== undefined ? params.debug : defaults.debug; - map_ecs = params.ecs !== undefined ? params.ecs : defaults.ecs; - map_rsa = params.rsa !== undefined ? params.rsa : defaults.rsa; - keep_raw = params.keep_raw !== undefined ? params.keep_raw : defaults.keep_raw; - tz_offset = parse_tz_offset(params.tz_offset !== undefined? params.tz_offset : defaults.tz_offset); - strip_priority = params.strip_priority !== undefined? 
params.strip_priority : defaults.strip_priority; - device = new DeviceProcessor(); - } - - function parse_tz_offset(offset) { - var date; - var m; - switch(offset) { - // local uses the tz offset from the JS VM. - case "local": - date = new Date(); - // Reversing the sign as we the offset from UTC, not to UTC. - return parse_local_tz_offset(-date.getTimezoneOffset()); - // event uses the tz offset from event.timezone (add_locale processor). - case "event": - return offset; - // Otherwise a tz offset in the form "[+-][0-9]{4}" is required. - default: - m = offset.match(/^([+\-])([0-9]{2}):?([0-9]{2})?$/); - if (m === null || m.length !== 4) { - throw("bad timezone offset: '" + offset + "'. Must have the form +HH:MM"); - } - return m[1] + m[2] + ":" + (m[3]!==undefined? m[3] : "00"); - } - } - - function parse_local_tz_offset(minutes) { - var neg = minutes < 0; - minutes = Math.abs(minutes); - var min = minutes % 60; - var hours = Math.floor(minutes / 60); - var pad2digit = function(n) { - if (n < 10) { return "0" + n;} - return "" + n; - }; - return (neg? "-" : "+") + pad2digit(hours) + ":" + pad2digit(min); - } - - function process(evt) { - // Function register is only called by the processor when `params` are set - // in the processor config. - if (device === undefined) { - register(defaults); - } - return device.process(evt); - } - - function processor_chain(subprocessors) { - var builder = new processor.Chain(); - subprocessors.forEach(builder.Add); - return builder.Build().Run; - } - - function linear_select(subprocessors) { - return function (evt) { - var flags = evt.Get(FLAG_FIELD); - var i; - for (i = 0; i < subprocessors.length; i++) { - evt.Delete(FLAG_FIELD); - if (debug) console.warn("linear_select trying entry " + i); - subprocessors[i](evt); - // Dissect processor succeeded? 
- if (evt.Get(FLAG_FIELD) == null) break; - if (debug) console.warn("linear_select failed entry " + i); - } - if (flags !== null) { - evt.Put(FLAG_FIELD, flags); - } - if (debug) { - if (i < subprocessors.length) { - console.warn("linear_select matched entry " + i); - } else { - console.warn("linear_select didn't match"); - } - } - }; - } - - function conditional(opt) { - return function(evt) { - if (opt.if(evt)) { - opt.then(evt); - } else if (opt.else) { - opt.else(evt); - } - }; - } - - var strip_syslog_priority = (function() { - var isEnabled = function() { return strip_priority === true; }; - var fetchPRI = field("_pri"); - var fetchPayload = field("payload"); - var removePayload = remove(["payload"]); - var cleanup = remove(["_pri", "payload"]); - var onMatch = function(evt) { - var pri, priStr = fetchPRI(evt); - if (priStr != null - && 0 < priStr.length && priStr.length < 4 - && !isNaN((pri = Number(priStr))) - && 0 <= pri && pri < 192) { - var severity = pri & 7, - facility = pri >> 3; - setc("_severity", "" + severity)(evt); - setc("_facility", "" + facility)(evt); - // Replace message with priority stripped. - evt.Put("message", fetchPayload(evt)); - removePayload(evt); - } else { - // not a valid syslog PRI, cleanup. 
- cleanup(evt); - } - }; - return conditional({ - if: isEnabled, - then: cleanup_flags(match( - "STRIP_PRI", - "message", - "<%{_pri}>%{payload}", - onMatch - )) - }); - })(); - - function match(id, src, pattern, on_success) { - var dissect = new processor.Dissect({ - field: src, - tokenizer: pattern, - target_prefix: FIELDS_OBJECT, - ignore_failure: true, - overwrite_keys: true, - trim_values: "right" - }); - return function (evt) { - var msg = evt.Get(src); - dissect.Run(evt); - var failed = evt.Get(FLAG_FIELD) != null; - if (debug) { - if (failed) { - console.debug("dissect fail: " + id + " field:" + src); - } else { - console.debug("dissect OK: " + id + " field:" + src); - } - console.debug(" expr: <<" + pattern + ">>"); - console.debug(" input: <<" + msg + ">>"); - } - if (on_success != null && !failed) { - on_success(evt); - } - }; - } - - function match_copy(id, src, dst, on_success) { - dst = FIELDS_PREFIX + dst; - if (dst === FIELDS_PREFIX || dst === src) { - return function (evt) { - if (debug) { - console.debug("noop OK: " + id + " field:" + src); - console.debug(" input: <<" + evt.Get(src) + ">>"); - } - if (on_success != null) on_success(evt); - } - } - return function (evt) { - var msg = evt.Get(src); - evt.Put(dst, msg); - if (debug) { - console.debug("copy OK: " + id + " field:" + src); - console.debug(" target: '" + dst + "'"); - console.debug(" input: <<" + msg + ">>"); - } - if (on_success != null) on_success(evt); - } - } - - function cleanup_flags(processor) { - return function(evt) { - processor(evt); - evt.Delete(FLAG_FIELD); - }; - } - - function all_match(opts) { - return function (evt) { - var i; - for (i = 0; i < opts.processors.length; i++) { - evt.Delete(FLAG_FIELD); - opts.processors[i](evt); - // Dissect processor succeeded? 
- if (evt.Get(FLAG_FIELD) != null) { - if (debug) console.warn("all_match failure at " + i); - if (opts.on_failure != null) opts.on_failure(evt); - return; - } - if (debug) console.warn("all_match success at " + i); - } - if (opts.on_success != null) opts.on_success(evt); - }; - } - - function msgid_select(mapping) { - return function (evt) { - var msgid = evt.Get(FIELDS_PREFIX + "messageid"); - if (msgid == null) { - if (debug) console.warn("msgid_select: no messageid captured!"); - return; - } - var next = mapping[msgid]; - if (next === undefined) { - if (debug) console.warn("msgid_select: no mapping for messageid:" + msgid); - return; - } - if (debug) console.info("msgid_select: matched key=" + msgid); - return next(evt); - }; - } - - function msg(msg_id, match) { - return function (evt) { - match(evt); - if (evt.Get(FLAG_FIELD) == null) { - evt.Put(FIELDS_PREFIX + "msg_id1", msg_id); - } - }; - } - - var start; - - function save_flags(evt) { - saved_flags = evt.Get(FLAG_FIELD); - evt.Put("event.original", evt.Get("message")); - } - - function restore_flags(evt) { - if (saved_flags !== null) { - evt.Put(FLAG_FIELD, saved_flags); - } - evt.Delete("message"); - } - - function constant(value) { - return function (evt) { - return value; - }; - } - - function field(name) { - var fullname = FIELDS_PREFIX + name; - return function (evt) { - return evt.Get(fullname); - }; - } - - function STRCAT(args) { - var s = ""; - var i; - for (i = 0; i < args.length; i++) { - s += args[i]; - } - return s; - } - - // TODO: Implement - function DIRCHK(args) { - unimplemented("DIRCHK"); - } - - function strictToInt(str) { - return str * 1; - } - - function CALC(args) { - if (args.length !== 3) { - console.warn("skipped call to CALC with " + args.length + " arguments."); - return; - } - var a = strictToInt(args[0]); - var b = strictToInt(args[2]); - if (isNaN(a) || isNaN(b)) { - console.warn("failed evaluating CALC arguments a='" + args[0] + "' b='" + args[2] + "'."); - return; - } - 
var result; - switch (args[1]) { - case "+": - result = a + b; - break; - case "-": - result = a - b; - break; - case "*": - result = a * b; - break; - default: - // Only * and + seen in the parsers. - console.warn("unknown CALC operation '" + args[1] + "'."); - return; - } - // Always return a string - return result !== undefined ? "" + result : result; - } - - var quoteChars = "\"'`"; - function RMQ(args) { - if(args.length !== 1) { - console.warn("RMQ: only one argument expected"); - return; - } - var value = args[0].trim(); - var n = value.length; - var char; - return n > 1 - && (char=value.charAt(0)) === value.charAt(n-1) - && quoteChars.indexOf(char) !== -1? - value.substr(1, n-2) - : value; - } - - function call(opts) { - var args = new Array(opts.args.length); - return function (evt) { - for (var i = 0; i < opts.args.length; i++) - if ((args[i] = opts.args[i](evt)) == null) return; - var result = opts.fn(args); - if (result != null) { - evt.Put(opts.dest, result); - } - }; - } - - function nop(evt) { - } - - function appendErrorMsg(evt, msg) { - var value = evt.Get("error.message"); - if (value == null) { - value = [msg]; - } else if (msg instanceof Array) { - value.push(msg); - } else { - value = [value, msg]; - } - evt.Put("error.message", value); - } - - function unimplemented(name) { - appendErrorMsg("unimplemented feature: " + name); - } - - function lookup(opts) { - return function (evt) { - var key = opts.key(evt); - if (key == null) return; - var value = opts.map.keyvaluepairs[key]; - if (value === undefined) { - value = opts.map.default; - } - if (value !== undefined) { - evt.Put(opts.dest, value(evt)); - } - }; - } - - function set(fields) { - return new processor.AddFields({ - target: FIELDS_OBJECT, - fields: fields, - }); - } - - function setf(dst, src) { - return function (evt) { - var val = evt.Get(FIELDS_PREFIX + src); - if (val != null) evt.Put(FIELDS_PREFIX + dst, val); - }; - } - - function setc(dst, value) { - return function (evt) { - 
evt.Put(FIELDS_PREFIX + dst, value); - }; - } - - function set_field(opts) { - return function (evt) { - var val = opts.value(evt); - if (val != null) evt.Put(opts.dest, val); - }; - } - - function dump(label) { - return function (evt) { - console.log("Dump of event at " + label + ": " + JSON.stringify(evt, null, "\t")); - }; - } - - function date_time_join_args(evt, arglist) { - var str = ""; - for (var i = 0; i < arglist.length; i++) { - var fname = FIELDS_PREFIX + arglist[i]; - var val = evt.Get(fname); - if (val != null) { - if (str !== "") str += " "; - str += val; - } else { - if (debug) console.warn("in date_time: input arg " + fname + " is not set"); - } - } - return str; - } - - function to2Digit(num) { - return num? (num < 10? "0" + num : num) : "00"; - } - - // Make two-digit dates 00-69 interpreted as 2000-2069 - // and dates 70-99 translated to 1970-1999. - var twoDigitYearEpoch = 70; - var twoDigitYearCentury = 2000; - - // This is to accept dates up to 2 days in the future, only used when - // no year is specified in a date. 2 days should be enough to account for - // time differences between systems and different tz offsets. - var maxFutureDelta = 2*24*60*60*1000; - - // DateContainer stores date fields and then converts those fields into - // a Date. Necessary because building a Date using its set() methods gives - // different results depending on the order of components. - function DateContainer(tzOffset) { - this.offset = tzOffset === undefined? "Z" : tzOffset; - } - - DateContainer.prototype = { - setYear: function(v) {this.year = v;}, - setMonth: function(v) {this.month = v;}, - setDay: function(v) {this.day = v;}, - setHours: function(v) {this.hours = v;}, - setMinutes: function(v) {this.minutes = v;}, - setSeconds: function(v) {this.seconds = v;}, - - setUNIX: function(v) {this.unix = v;}, - - set2DigitYear: function(v) { - this.year = v < twoDigitYearEpoch? 
twoDigitYearCentury + v : twoDigitYearCentury + v - 100; - }, - - toDate: function() { - if (this.unix !== undefined) { - return new Date(this.unix * 1000); - } - if (this.day === undefined || this.month === undefined) { - // Can't make a date from this. - return undefined; - } - if (this.year === undefined) { - // A date without a year. Set current year, or previous year - // if date would be in the future. - var now = new Date(); - this.year = now.getFullYear(); - var date = this.toDate(); - if (date.getTime() - now.getTime() > maxFutureDelta) { - date.setFullYear(now.getFullYear() - 1); - } - return date; - } - var MM = to2Digit(this.month); - var DD = to2Digit(this.day); - var hh = to2Digit(this.hours); - var mm = to2Digit(this.minutes); - var ss = to2Digit(this.seconds); - return new Date(this.year + "-" + MM + "-" + DD + "T" + hh + ":" + mm + ":" + ss + this.offset); - } - } - - function date_time_try_pattern(fmt, str, tzOffset) { - var date = new DateContainer(tzOffset); - var pos = date_time_try_pattern_at_pos(fmt, str, 0, date); - return pos !== undefined? 
date.toDate() : undefined; - } - - function date_time_try_pattern_at_pos(fmt, str, pos, date) { - var len = str.length; - for (var proc = 0; pos !== undefined && pos < len && proc < fmt.length; proc++) { - pos = fmt[proc](str, pos, date); - } - return pos; - } - - function date_time(opts) { - return function (evt) { - var tzOffset = opts.tz || tz_offset; - if (tzOffset === "event") { - tzOffset = evt.Get("event.timezone"); - } - var str = date_time_join_args(evt, opts.args); - for (var i = 0; i < opts.fmts.length; i++) { - var date = date_time_try_pattern(opts.fmts[i], str, tzOffset); - if (date !== undefined) { - evt.Put(FIELDS_PREFIX + opts.dest, date); - return; - } - } - if (debug) console.warn("in date_time: id=" + opts.id + " FAILED: " + str); - }; - } - - var uA = 60 * 60 * 24; - var uD = 60 * 60 * 24; - var uF = 60 * 60; - var uG = 60 * 60 * 24 * 30; - var uH = 60 * 60; - var uI = 60 * 60; - var uJ = 60 * 60 * 24; - var uM = 60 * 60 * 24 * 30; - var uN = 60 * 60; - var uO = 1; - var uS = 1; - var uT = 60; - var uU = 60; - var uc = dc; - - function duration(opts) { - return function(evt) { - var str = date_time_join_args(evt, opts.args); - for (var i = 0; i < opts.fmts.length; i++) { - var seconds = duration_try_pattern(opts.fmts[i], str); - if (seconds !== undefined) { - evt.Put(FIELDS_PREFIX + opts.dest, seconds); - return; - } - } - if (debug) console.warn("in duration: id=" + opts.id + " (s) FAILED: " + str); - }; - } - - function duration_try_pattern(fmt, str) { - var secs = 0; - var pos = 0; - for (var i=0; i [ month_id , how many chars to skip if month in long form ] - "Jan": [0, 4], - "Feb": [1, 5], - "Mar": [2, 2], - "Apr": [3, 2], - "May": [4, 0], - "Jun": [5, 1], - "Jul": [6, 1], - "Aug": [7, 3], - "Sep": [8, 6], - "Oct": [9, 4], - "Nov": [10, 5], - "Dec": [11, 4], - "jan": [0, 4], - "feb": [1, 5], - "mar": [2, 2], - "apr": [3, 2], - "may": [4, 0], - "jun": [5, 1], - "jul": [6, 1], - "aug": [7, 3], - "sep": [8, 6], - "oct": [9, 4], - "nov": [10, 
5], - "dec": [11, 4], - }; - - // var dC = undefined; - var dR = dateMonthName(true); - var dB = dateMonthName(false); - var dM = dateFixedWidthNumber("M", 2, 1, 12, DateContainer.prototype.setMonth); - var dG = dateVariableWidthNumber("G", 1, 12, DateContainer.prototype.setMonth); - var dD = dateFixedWidthNumber("D", 2, 1, 31, DateContainer.prototype.setDay); - var dF = dateVariableWidthNumber("F", 1, 31, DateContainer.prototype.setDay); - var dH = dateFixedWidthNumber("H", 2, 0, 24, DateContainer.prototype.setHours); - var dI = dateVariableWidthNumber("I", 0, 24, DateContainer.prototype.setHours); // Accept hours >12 - var dN = dateVariableWidthNumber("N", 0, 24, DateContainer.prototype.setHours); - var dT = dateFixedWidthNumber("T", 2, 0, 59, DateContainer.prototype.setMinutes); - var dU = dateVariableWidthNumber("U", 0, 59, DateContainer.prototype.setMinutes); - var dP = parseAMPM; // AM|PM - var dQ = parseAMPM; // A.M.|P.M - var dS = dateFixedWidthNumber("S", 2, 0, 60, DateContainer.prototype.setSeconds); - var dO = dateVariableWidthNumber("O", 0, 60, DateContainer.prototype.setSeconds); - var dY = dateFixedWidthNumber("Y", 2, 0, 99, DateContainer.prototype.set2DigitYear); - var dW = dateFixedWidthNumber("W", 4, 1000, 9999, DateContainer.prototype.setYear); - var dZ = parseHMS; - var dX = dateVariableWidthNumber("X", 0, 0x10000000000, DateContainer.prototype.setUNIX); - - // parseAMPM parses "A.M", "AM", "P.M", "PM" from logs. - // Only works if this modifier appears after the hour has been read from logs - // which is always the case in the 300 devices. 
- function parseAMPM(str, pos, date) {
- var n = str.length;
- var start = skipws(str, pos);
- if (start + 2 > n) return;
- var head = str.substr(start, 2).toUpperCase();
- var isPM = false;
- var skip = false;
- switch (head) {
- case "A.":
- skip = true;
- /* falls through */
- case "AM":
- break;
- case "P.":
- skip = true;
- /* falls through */
- case "PM":
- isPM = true;
- break;
- default:
- if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(head:" + head + ")");
- return;
- }
- pos = start + 2;
- if (skip) {
- if (pos+2 > n || str.substr(pos, 2).toUpperCase() !== "M.") {
- if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(tail)");
- return;
- }
- pos += 2;
- }
- var hh = date.hours;
- if (isPM) {
- // Accept existing hour in 24h format.
- if (hh < 12) hh += 12;
- } else {
- if (hh === 12) hh = 0;
- }
- date.setHours(hh);
- return pos;
- }
-
- function parseHMS(str, pos, date) {
- return date_time_try_pattern_at_pos([dN, dc(":"), dU, dc(":"), dO], str, pos, date);
- }
-
- function skipws(str, pos) {
- for ( var n = str.length;
- pos < n && str.charAt(pos) === " ";
- pos++)
- ;
- return pos;
- }
-
- function skipdigits(str, pos) {
- var c;
- for (var n = str.length;
- pos < n && (c = str.charAt(pos)) >= "0" && c <= "9";
- pos++)
- ;
- return pos;
- }
-
- function dSkip(str, pos, date) {
- var chr;
- for (;pos < str.length && (chr=str[pos])<'0' || chr>'9'; pos++) {}
- return pos < str.length? pos : undefined;
- }
-
- function dateVariableWidthNumber(fmtChar, min, max, setter) {
- return function (str, pos, date) {
- var start = skipws(str, pos);
- pos = skipdigits(str, start);
- var s = str.substr(start, pos - start);
- var value = parseInt(s, 10);
- if (value >= min && value <= max) {
- setter.call(date, value);
- return pos;
- }
- return;
- };
- }
-
- function dateFixedWidthNumber(fmtChar, width, min, max, setter) {
- return function (str, pos, date) {
- pos = skipws(str, pos);
- var n = str.length;
- if (pos + width > n) return;
- var s = str.substr(pos, width);
- var value = parseInt(s, 10);
- if (value >= min && value <= max) {
- setter.call(date, value);
- return pos + width;
- }
- return;
- };
- }
-
- // Short month name (Jan..Dec).
- function dateMonthName(long) {
- return function (str, pos, date) {
- pos = skipws(str, pos);
- var n = str.length;
- if (pos + 3 > n) return;
- var mon = str.substr(pos, 3);
- var idx = shortMonths[mon];
- if (idx === undefined) {
- idx = shortMonths[mon.toLowerCase()];
- }
- if (idx === undefined) {
- //console.warn("parsing date_time: '" + mon + "' is not a valid short month (%B)");
- return;
- }
- date.setMonth(idx[0]+1);
- return pos + 3 + (long ? idx[1] : 0);
- };
- }
-
- function url_wrapper(dst, src, fn) {
- return function(evt) {
- var value = evt.Get(FIELDS_PREFIX + src), result;
- if (value != null && (result = fn(value))!== undefined) {
- evt.Put(FIELDS_PREFIX + dst, result);
- } else {
- console.debug(fn.name + " failed for '" + value + "'");
- }
- };
- }
-
- // The following regular expression for parsing URLs from:
- // https://github.com/wizard04wsu/URI_Parsing
- //
- // The MIT License (MIT)
- //
- // Copyright (c) 2014 Andrew Harrison
- //
- // Permission is hereby granted, free of charge, to any person obtaining a copy of
- // this software and associated documentation files (the "Software"), to deal in
- // the Software without restriction, including without limitation the rights to
- // use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
- // the Software, and to permit persons to whom the Software is furnished to do so,
- // subject to the following conditions:
- //
- // The above copyright notice and this permission notice shall be included in all
- // copies or substantial portions of the Software.
- //
- // THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
- // IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
- // FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
- // COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
- // IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
- // CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
- var uriRegExp = /^([a-z][a-z0-9+.\-]*):(?:\/\/((?:(?=((?:[a-z0-9\-._~!$&'()*+,;=:]|%[0-9A-F]{2})*))(\3)@)?(?=(\[[0-9A-F:.]{2,}\]|(?:[a-z0-9\-._~!$&'()*+,;=]|%[0-9A-F]{2})*))\5(?::(?=(\d*))\6)?)(\/(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\8)?|(\/?(?!\/)(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\10)?)(?:\?(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\11)?(?:#(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\12)?$/i;
-
- var uriScheme = 1;
- var uriDomain = 5;
- var uriPort = 6;
- var uriPath = 7;
- var uriPathAlt = 9;
- var uriQuery = 11;
-
- function domain(dst, src) {
- return url_wrapper(dst, src, extract_domain);
- }
-
- function split_url(value) {
- var m = value.match(uriRegExp);
- if (m && m[uriDomain]) return m;
- // Support input in the form "www.example.net/path", but not "/path".
- m = ("null://" + value).match(uriRegExp);
- if (m) return m;
- }
-
- function extract_domain(value) {
- var m = split_url(value);
- if (m && m[uriDomain]) return m[uriDomain];
- }
-
- var extFromPage = /\.[^.]+$/;
- function extract_ext(value) {
- var page = extract_page(value);
- if (page) {
- var m = page.match(extFromPage);
- if (m) return m[0];
- }
- }
-
- function ext(dst, src) {
- return url_wrapper(dst, src, extract_ext);
- }
-
- function fqdn(dst, src) {
- // TODO: fqdn and domain(eTLD+1) are currently the same.
- return domain(dst, src);
- }
-
- var pageFromPathRegExp = /\/([^\/]+)$/;
- var pageName = 1;
-
- function extract_page(value) {
- value = extract_path(value);
- if (!value) return undefined;
- var m = value.match(pageFromPathRegExp);
- if (m) return m[pageName];
- }
-
- function page(dst, src) {
- return url_wrapper(dst, src, extract_page);
- }
-
- function extract_path(value) {
- var m = split_url(value);
- return m? m[uriPath] || m[uriPathAlt] : undefined;
- }
-
- function path(dst, src) {
- return url_wrapper(dst, src, extract_path);
- }
-
- // Map common schemes to their default port.
- // port has to be a string (will be converted at a later stage).
- var schemePort = {
- "ftp": "21",
- "ssh": "22",
- "http": "80",
- "https": "443",
- };
-
- function extract_port(value) {
- var m = split_url(value);
- if (!m) return undefined;
- if (m[uriPort]) return m[uriPort];
- if (m[uriScheme]) {
- return schemePort[m[uriScheme]];
- }
- }
-
- function port(dst, src) {
- return url_wrapper(dst, src, extract_port);
- }
-
- function extract_query(value) {
- var m = split_url(value);
- if (m && m[uriQuery]) return m[uriQuery];
- }
-
- function query(dst, src) {
- return url_wrapper(dst, src, extract_query);
- }
-
- function extract_root(value) {
- var m = split_url(value);
- if (m && m[uriDomain] && m[uriDomain]) {
- var scheme = m[uriScheme] && m[uriScheme] !== "null"?
- m[uriScheme] + "://" : "";
- var port = m[uriPort]? ":" + m[uriPort] : "";
- return scheme + m[uriDomain] + port;
- }
- }
-
- function root(dst, src) {
- return url_wrapper(dst, src, extract_root);
- }
-
- function tagval(id, src, cfg, keys, on_success) {
- var fail = function(evt) {
- evt.Put(FLAG_FIELD, "tagval_parsing_error");
- }
- if (cfg.kv_separator.length !== 1) {
- throw("Invalid TAGVALMAP ValueDelimiter (must have 1 character)");
- }
- var quotes_len = cfg.open_quote.length > 0 && cfg.close_quote.length > 0?
- cfg.open_quote.length + cfg.close_quote.length : 0; - var kv_regex = new RegExp('^([^' + cfg.kv_separator + ']*)*' + cfg.kv_separator + ' *(.*)*$'); - return function(evt) { - var msg = evt.Get(src); - if (msg === undefined) { - console.warn("tagval: input field is missing"); - return fail(evt); - } - var pairs = msg.split(cfg.pair_separator); - var i; - var success = false; - var prev = ""; - for (i=0; i 0 && - value.length >= cfg.open_quote.length + cfg.close_quote.length && - value.substr(0, cfg.open_quote.length) === cfg.open_quote && - value.substr(value.length - cfg.close_quote.length) === cfg.close_quote) { - value = value.substr(cfg.open_quote.length, value.length - quotes_len); - } - evt.Put(FIELDS_PREFIX + field, value); - success = true; - } - if (!success) { - return fail(evt); - } - if (on_success != null) { - on_success(evt); - } - } - } - - var ecs_mappings = { - "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]}, - "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]}, - "_severity": {convert: to_long, to:[{field: "log.syslog.severity.code", setter: fld_set}]}, - "action": {to:[{field: "event.action", setter: fld_prio, prio: 0}]}, - "administrator": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 4}]}, - "alias.ip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 3},{field: "related.ip", setter: fld_append}]}, - "alias.ipv6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 4},{field: "related.ip", setter: fld_append}]}, - "alias.mac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 1}]}, - "application": {to:[{field: "network.application", setter: fld_set}]}, - "bytes": {convert: to_long, to:[{field: "network.bytes", setter: fld_set}]}, - "c_domain": {to:[{field: "source.domain", setter: fld_prio, prio: 1}]}, - "c_logon_id": {to:[{field: "user.id", setter: fld_prio, prio: 2}]}, - 
"c_user_name": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 8}]}, - "c_username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 2}]}, - "cctld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 1}]}, - "child_pid": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 1}]}, - "child_pid_val": {to:[{field: "process.title", setter: fld_set}]}, - "child_process": {to:[{field: "process.name", setter: fld_prio, prio: 1}]}, - "city.dst": {to:[{field: "destination.geo.city_name", setter: fld_set}]}, - "city.src": {to:[{field: "source.geo.city_name", setter: fld_set}]}, - "daddr": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, - "daddr_v6": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, - "ddomain": {to:[{field: "destination.domain", setter: fld_prio, prio: 0}]}, - "devicehostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, - "devicehostmac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 0}]}, - "dhost": {to:[{field: "destination.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]}, - "dinterface": {to:[{field: "observer.egress.interface.name", setter: fld_set}]}, - "direction": {to:[{field: "network.direction", setter: fld_set}]}, - "directory": {to:[{field: "file.directory", setter: fld_set}]}, - "dmacaddr": {convert: to_mac, to:[{field: "destination.mac", setter: fld_set}]}, - "dns.responsetype": {to:[{field: "dns.answers.type", setter: fld_set}]}, - "dns.resptext": {to:[{field: "dns.answers.name", setter: fld_set}]}, - "dns_querytype": {to:[{field: "dns.question.type", setter: fld_set}]}, - "domain": {to:[{field: "server.domain", setter: fld_prio, prio: 0},{field: "related.hosts", setter: fld_append}]}, - 
"domain.dst": {to:[{field: "destination.domain", setter: fld_prio, prio: 1}]}, - "domain.src": {to:[{field: "source.domain", setter: fld_prio, prio: 2}]}, - "domain_id": {to:[{field: "user.domain", setter: fld_set}]}, - "domainname": {to:[{field: "server.domain", setter: fld_prio, prio: 1}]}, - "dport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 0}]}, - "dtransaddr": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, - "dtransport": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 0}]}, - "ec_outcome": {to:[{field: "event.outcome", setter: fld_ecs_outcome}]}, - "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]}, - "event_source": {to:[{field: "related.hosts", setter: fld_append}]}, - "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]}, - "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]}, - "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]}, - "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]}, - "filename": {to:[{field: "file.name", setter: fld_prio, prio: 0}]}, - "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]}, - "filepath": {to:[{field: "file.path", setter: fld_set}]}, - "filetype": {to:[{field: "file.type", setter: fld_set}]}, - "fqdn": {to:[{field: "related.hosts", setter: fld_append}]}, - "group": {to:[{field: "group.name", setter: fld_set}]}, - "groupid": {to:[{field: "group.id", setter: fld_set}]}, - "host": {to:[{field: "host.name", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]}, - "hostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, - "hostip_v6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, - "hostname": {to:[{field: 
"host.name", setter: fld_prio, prio: 0}]}, - "id": {to:[{field: "event.code", setter: fld_prio, prio: 0}]}, - "interface": {to:[{field: "network.interface.name", setter: fld_set}]}, - "ip.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, - "ip.trans.dst": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, - "ip.trans.src": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, - "ipv6.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, - "latdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lat", setter: fld_set}]}, - "latdec_src": {convert: to_double, to:[{field: "source.geo.location.lat", setter: fld_set}]}, - "location_city": {to:[{field: "geo.city_name", setter: fld_set}]}, - "location_country": {to:[{field: "geo.country_name", setter: fld_set}]}, - "location_desc": {to:[{field: "geo.name", setter: fld_set}]}, - "location_dst": {to:[{field: "destination.geo.country_name", setter: fld_set}]}, - "location_src": {to:[{field: "source.geo.country_name", setter: fld_set}]}, - "location_state": {to:[{field: "geo.region_name", setter: fld_set}]}, - "logon_id": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 5}]}, - "longdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lon", setter: fld_set}]}, - "longdec_src": {convert: to_double, to:[{field: "source.geo.location.lon", setter: fld_set}]}, - "macaddr": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 2}]}, - "messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]}, - "method": {to:[{field: "http.request.method", setter: fld_set}]}, - "msg": {to:[{field: "message", setter: fld_set}]}, - "orig_ip": {convert: to_ip, 
to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, - "owner": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 6}]}, - "packets": {convert: to_long, to:[{field: "network.packets", setter: fld_set}]}, - "parent_pid": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 0}]}, - "parent_pid_val": {to:[{field: "process.parent.title", setter: fld_set}]}, - "parent_process": {to:[{field: "process.parent.name", setter: fld_prio, prio: 0}]}, - "patient_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 1}]}, - "port.dst": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 1}]}, - "port.src": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 1}]}, - "port.trans.dst": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 1}]}, - "port.trans.src": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 1}]}, - "process": {to:[{field: "process.name", setter: fld_prio, prio: 0}]}, - "process_id": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 0}]}, - "process_id_src": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 1}]}, - "process_src": {to:[{field: "process.parent.name", setter: fld_prio, prio: 1}]}, - "product": {to:[{field: "observer.product", setter: fld_set}]}, - "protocol": {to:[{field: "network.protocol", setter: fld_set}]}, - "query": {to:[{field: "url.query", setter: fld_prio, prio: 2}]}, - "rbytes": {convert: to_long, to:[{field: "destination.bytes", setter: fld_set}]}, - "referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 1}]}, - "rulename": {to:[{field: "rule.name", setter: fld_set}]}, - "saddr": {convert: to_ip, to:[{field: "source.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, - "saddr_v6": {convert: to_ip, to:[{field: "source.ip", setter: 
fld_set},{field: "related.ip", setter: fld_append}]}, - "sbytes": {convert: to_long, to:[{field: "source.bytes", setter: fld_set}]}, - "sdomain": {to:[{field: "source.domain", setter: fld_prio, prio: 0}]}, - "service": {to:[{field: "service.name", setter: fld_prio, prio: 1}]}, - "service.name": {to:[{field: "service.name", setter: fld_prio, prio: 0}]}, - "service_account": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 7}]}, - "severity": {to:[{field: "log.level", setter: fld_set}]}, - "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]}, - "sinterface": {to:[{field: "observer.ingress.interface.name", setter: fld_set}]}, - "sld": {to:[{field: "url.registered_domain", setter: fld_set}]}, - "smacaddr": {convert: to_mac, to:[{field: "source.mac", setter: fld_set}]}, - "sport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 0}]}, - "stransaddr": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, - "stransport": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 0}]}, - "tcp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 2}]}, - "tcp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 2}]}, - "timezone": {to:[{field: "event.timezone", setter: fld_set}]}, - "tld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 0}]}, - "udp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 3}]}, - "udp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 3}]}, - "uid": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 3}]}, - "url": {to:[{field: "url.original", setter: fld_prio, prio: 1}]}, - "url_raw": {to:[{field: "url.original", setter: fld_prio, prio: 
0}]},
- "urldomain": {to:[{field: "url.domain", setter: fld_prio, prio: 0}]},
- "urlquery": {to:[{field: "url.query", setter: fld_prio, prio: 0}]},
- "user": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 0}]},
- "user.id": {to:[{field: "user.id", setter: fld_prio, prio: 1}]},
- "user_agent": {to:[{field: "user_agent.original", setter: fld_set}]},
- "user_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 0}]},
- "user_id": {to:[{field: "user.id", setter: fld_prio, prio: 0}]},
- "username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 1}]},
- "version": {to:[{field: "observer.version", setter: fld_set}]},
- "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]},
- "web_extension": {to:[{field: "file.extension", setter: fld_prio, prio: 0}]},
- "web_query": {to:[{field: "url.query", setter: fld_prio, prio: 1}]},
- "web_ref_domain": {to:[{field: "related.hosts", setter: fld_append}]},
- "web_referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 0}]},
- "web_root": {to:[{field: "url.path", setter: fld_set}]},
- "webpage": {to:[{field: "file.name", setter: fld_prio, prio: 1}]},
- };
-
- var rsa_mappings = {
- "access_point": {to:[{field: "rsa.wireless.access_point", setter: fld_set}]},
- "accesses": {to:[{field: "rsa.identity.accesses", setter: fld_set}]},
- "acl_id": {to:[{field: "rsa.misc.acl_id", setter: fld_set}]},
- "acl_op": {to:[{field: "rsa.misc.acl_op", setter: fld_set}]},
- "acl_pos": {to:[{field: "rsa.misc.acl_pos", setter: fld_set}]},
- "acl_table": {to:[{field: "rsa.misc.acl_table", setter: fld_set}]},
- "action": {to:[{field: "rsa.misc.action", setter: fld_append}]},
- "ad_computer_dst": {to:[{field: "rsa.network.ad_computer_dst", setter: fld_set}]},
- "addr": {to:[{field: "rsa.network.addr", setter: fld_set}]},
- "admin": {to:[{field: "rsa.misc.admin", setter: fld_set}]},
- "agent": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 0}]},
- "agent.id": {to:[{field: "rsa.misc.agent_id", setter: fld_set}]},
- "alarm_id": {to:[{field: "rsa.misc.alarm_id", setter: fld_set}]},
- "alarmname": {to:[{field: "rsa.misc.alarmname", setter: fld_set}]},
- "alert": {to:[{field: "rsa.threat.alert", setter: fld_set}]},
- "alert_id": {to:[{field: "rsa.misc.alert_id", setter: fld_set}]},
- "alias.host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
- "analysis.file": {to:[{field: "rsa.investigations.analysis_file", setter: fld_set}]},
- "analysis.service": {to:[{field: "rsa.investigations.analysis_service", setter: fld_set}]},
- "analysis.session": {to:[{field: "rsa.investigations.analysis_session", setter: fld_set}]},
- "app_id": {to:[{field: "rsa.misc.app_id", setter: fld_set}]},
- "attachment": {to:[{field: "rsa.file.attachment", setter: fld_set}]},
- "audit": {to:[{field: "rsa.misc.audit", setter: fld_set}]},
- "audit_class": {to:[{field: "rsa.internal.audit_class", setter: fld_set}]},
- "audit_object": {to:[{field: "rsa.misc.audit_object", setter: fld_set}]},
- "auditdata": {to:[{field: "rsa.misc.auditdata", setter: fld_set}]},
- "authmethod": {to:[{field: "rsa.identity.auth_method", setter: fld_set}]},
- "autorun_type": {to:[{field: "rsa.misc.autorun_type", setter: fld_set}]},
- "bcc": {to:[{field: "rsa.email.email", setter: fld_append}]},
- "benchmark": {to:[{field: "rsa.misc.benchmark", setter: fld_set}]},
- "binary": {to:[{field: "rsa.file.binary", setter: fld_set}]},
- "boc": {to:[{field: "rsa.investigations.boc", setter: fld_set}]},
- "bssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 1}]},
- "bypass": {to:[{field: "rsa.misc.bypass", setter: fld_set}]},
- "c_sid": {to:[{field: "rsa.identity.user_sid_src", setter: fld_set}]},
- "cache": {to:[{field: "rsa.misc.cache", setter: fld_set}]},
- "cache_hit": {to:[{field: "rsa.misc.cache_hit", setter: fld_set}]},
- "calling_from": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 1}]},
- "calling_to": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 0}]},
- "category": {to:[{field: "rsa.misc.category", setter: fld_set}]},
- "cc": {to:[{field: "rsa.email.email", setter: fld_append}]},
- "cc.number": {convert: to_long, to:[{field: "rsa.misc.cc_number", setter: fld_set}]},
- "cefversion": {to:[{field: "rsa.misc.cefversion", setter: fld_set}]},
- "cert.serial": {to:[{field: "rsa.crypto.cert_serial", setter: fld_set}]},
- "cert_ca": {to:[{field: "rsa.crypto.cert_ca", setter: fld_set}]},
- "cert_checksum": {to:[{field: "rsa.crypto.cert_checksum", setter: fld_set}]},
- "cert_common": {to:[{field: "rsa.crypto.cert_common", setter: fld_set}]},
- "cert_error": {to:[{field: "rsa.crypto.cert_error", setter: fld_set}]},
- "cert_hostname": {to:[{field: "rsa.crypto.cert_host_name", setter: fld_set}]},
- "cert_hostname_cat": {to:[{field: "rsa.crypto.cert_host_cat", setter: fld_set}]},
- "cert_issuer": {to:[{field: "rsa.crypto.cert_issuer", setter: fld_set}]},
- "cert_keysize": {to:[{field: "rsa.crypto.cert_keysize", setter: fld_set}]},
- "cert_status": {to:[{field: "rsa.crypto.cert_status", setter: fld_set}]},
- "cert_subject": {to:[{field: "rsa.crypto.cert_subject", setter: fld_set}]},
- "cert_username": {to:[{field: "rsa.crypto.cert_username", setter: fld_set}]},
- "cfg.attr": {to:[{field: "rsa.misc.cfg_attr", setter: fld_set}]},
- "cfg.obj": {to:[{field: "rsa.misc.cfg_obj", setter: fld_set}]},
- "cfg.path": {to:[{field: "rsa.misc.cfg_path", setter: fld_set}]},
- "change_attribute": {to:[{field: "rsa.misc.change_attrib", setter: fld_set}]},
- "change_new": {to:[{field: "rsa.misc.change_new", setter: fld_set}]},
- "change_old": {to:[{field: "rsa.misc.change_old", setter: fld_set}]},
- "changes": {to:[{field: "rsa.misc.changes", setter: fld_set}]},
- "checksum": {to:[{field: "rsa.misc.checksum", setter: fld_set}]},
- "checksum.dst": {to:[{field: "rsa.misc.checksum_dst", setter: fld_set}]},
- "checksum.src": {to:[{field: "rsa.misc.checksum_src", setter: fld_set}]},
- "cid": {to:[{field: "rsa.internal.cid", setter: fld_set}]},
- "client": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 1}]},
- "client_ip": {to:[{field: "rsa.misc.client_ip", setter: fld_set}]},
- "clustermembers": {to:[{field: "rsa.misc.clustermembers", setter: fld_set}]},
- "cmd": {to:[{field: "rsa.misc.cmd", setter: fld_set}]},
- "cn_acttimeout": {to:[{field: "rsa.misc.cn_acttimeout", setter: fld_set}]},
- "cn_asn_dst": {to:[{field: "rsa.web.cn_asn_dst", setter: fld_set}]},
- "cn_asn_src": {to:[{field: "rsa.misc.cn_asn_src", setter: fld_set}]},
- "cn_bgpv4nxthop": {to:[{field: "rsa.misc.cn_bgpv4nxthop", setter: fld_set}]},
- "cn_ctr_dst_code": {to:[{field: "rsa.misc.cn_ctr_dst_code", setter: fld_set}]},
- "cn_dst_tos": {to:[{field: "rsa.misc.cn_dst_tos", setter: fld_set}]},
- "cn_dst_vlan": {to:[{field: "rsa.misc.cn_dst_vlan", setter: fld_set}]},
- "cn_engine_id": {to:[{field: "rsa.misc.cn_engine_id", setter: fld_set}]},
- "cn_engine_type": {to:[{field: "rsa.misc.cn_engine_type", setter: fld_set}]},
- "cn_f_switch": {to:[{field: "rsa.misc.cn_f_switch", setter: fld_set}]},
- "cn_flowsampid": {to:[{field: "rsa.misc.cn_flowsampid", setter: fld_set}]},
- "cn_flowsampintv": {to:[{field: "rsa.misc.cn_flowsampintv", setter: fld_set}]},
- "cn_flowsampmode": {to:[{field: "rsa.misc.cn_flowsampmode", setter: fld_set}]},
- "cn_inacttimeout": {to:[{field: "rsa.misc.cn_inacttimeout", setter: fld_set}]},
- "cn_inpermbyts": {to:[{field: "rsa.misc.cn_inpermbyts", setter: fld_set}]},
- "cn_inpermpckts": {to:[{field: "rsa.misc.cn_inpermpckts", setter: fld_set}]},
- "cn_invalid": {to:[{field: "rsa.misc.cn_invalid", setter: fld_set}]},
- "cn_ip_proto_ver": {to:[{field: "rsa.misc.cn_ip_proto_ver", setter: fld_set}]},
- "cn_ipv4_ident": {to:[{field: "rsa.misc.cn_ipv4_ident", setter: fld_set}]},
- "cn_l_switch": {to:[{field: "rsa.misc.cn_l_switch", setter: fld_set}]},
- "cn_log_did": {to:[{field: "rsa.misc.cn_log_did", setter: fld_set}]},
- "cn_log_rid": {to:[{field: "rsa.misc.cn_log_rid", setter: fld_set}]},
- "cn_max_ttl": {to:[{field: "rsa.misc.cn_max_ttl", setter: fld_set}]},
- "cn_maxpcktlen": {to:[{field: "rsa.misc.cn_maxpcktlen", setter: fld_set}]},
- "cn_min_ttl": {to:[{field: "rsa.misc.cn_min_ttl", setter: fld_set}]},
- "cn_minpcktlen": {to:[{field: "rsa.misc.cn_minpcktlen", setter: fld_set}]},
- "cn_mpls_lbl_1": {to:[{field: "rsa.misc.cn_mpls_lbl_1", setter: fld_set}]},
- "cn_mpls_lbl_10": {to:[{field: "rsa.misc.cn_mpls_lbl_10", setter: fld_set}]},
- "cn_mpls_lbl_2": {to:[{field: "rsa.misc.cn_mpls_lbl_2", setter: fld_set}]},
- "cn_mpls_lbl_3": {to:[{field: "rsa.misc.cn_mpls_lbl_3", setter: fld_set}]},
- "cn_mpls_lbl_4": {to:[{field: "rsa.misc.cn_mpls_lbl_4", setter: fld_set}]},
- "cn_mpls_lbl_5": {to:[{field: "rsa.misc.cn_mpls_lbl_5", setter: fld_set}]},
- "cn_mpls_lbl_6": {to:[{field: "rsa.misc.cn_mpls_lbl_6", setter: fld_set}]},
- "cn_mpls_lbl_7": {to:[{field: "rsa.misc.cn_mpls_lbl_7", setter: fld_set}]},
- "cn_mpls_lbl_8": {to:[{field: "rsa.misc.cn_mpls_lbl_8", setter: fld_set}]},
- "cn_mpls_lbl_9": {to:[{field: "rsa.misc.cn_mpls_lbl_9", setter: fld_set}]},
- "cn_mplstoplabel": {to:[{field: "rsa.misc.cn_mplstoplabel", setter: fld_set}]},
- "cn_mplstoplabip": {to:[{field: "rsa.misc.cn_mplstoplabip", setter: fld_set}]},
- "cn_mul_dst_byt": {to:[{field: "rsa.misc.cn_mul_dst_byt", setter: fld_set}]},
- "cn_mul_dst_pks": {to:[{field: "rsa.misc.cn_mul_dst_pks", setter: fld_set}]},
- "cn_muligmptype": {to:[{field: "rsa.misc.cn_muligmptype", setter: fld_set}]},
- "cn_rpackets": {to:[{field: "rsa.web.cn_rpackets", setter: fld_set}]},
- "cn_sampalgo": {to:[{field: "rsa.misc.cn_sampalgo", setter: fld_set}]},
- "cn_sampint": {to:[{field: "rsa.misc.cn_sampint", setter: fld_set}]},
- "cn_seqctr": {to:[{field: "rsa.misc.cn_seqctr", setter: fld_set}]},
- "cn_spackets": {to:[{field: "rsa.misc.cn_spackets", setter: fld_set}]},
- "cn_src_tos": {to:[{field: "rsa.misc.cn_src_tos", setter: fld_set}]},
- "cn_src_vlan": {to:[{field: "rsa.misc.cn_src_vlan", setter: fld_set}]},
- "cn_sysuptime": {to:[{field: "rsa.misc.cn_sysuptime", setter: fld_set}]},
- "cn_template_id": {to:[{field: "rsa.misc.cn_template_id", setter: fld_set}]},
- "cn_totbytsexp": {to:[{field: "rsa.misc.cn_totbytsexp", setter: fld_set}]},
- "cn_totflowexp": {to:[{field: "rsa.misc.cn_totflowexp", setter: fld_set}]},
- "cn_totpcktsexp": {to:[{field: "rsa.misc.cn_totpcktsexp", setter: fld_set}]},
- "cn_unixnanosecs": {to:[{field: "rsa.misc.cn_unixnanosecs", setter: fld_set}]},
- "cn_v6flowlabel": {to:[{field: "rsa.misc.cn_v6flowlabel", setter: fld_set}]},
- "cn_v6optheaders": {to:[{field: "rsa.misc.cn_v6optheaders", setter: fld_set}]},
- "code": {to:[{field: "rsa.misc.code", setter: fld_set}]},
- "command": {to:[{field: "rsa.misc.command", setter: fld_set}]},
- "comments": {to:[{field: "rsa.misc.comments", setter: fld_set}]},
- "comp_class": {to:[{field: "rsa.misc.comp_class", setter: fld_set}]},
- "comp_name": {to:[{field: "rsa.misc.comp_name", setter: fld_set}]},
- "comp_rbytes": {to:[{field: "rsa.misc.comp_rbytes", setter: fld_set}]},
- "comp_sbytes": {to:[{field: "rsa.misc.comp_sbytes", setter: fld_set}]},
- "component_version": {to:[{field: "rsa.misc.comp_version", setter: fld_set}]},
- "connection_id": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 1}]},
- "connectionid": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 0}]},
- "content": {to:[{field: "rsa.misc.content", setter: fld_set}]},
- "content_type": {to:[{field: "rsa.misc.content_type", setter: fld_set}]},
- "content_version": {to:[{field: "rsa.misc.content_version", setter: fld_set}]},
- "context": {to:[{field: "rsa.misc.context", setter: fld_set}]},
- "count": {to:[{field: "rsa.misc.count", setter: fld_set}]},
- "cpu": {convert: to_long, to:[{field: "rsa.misc.cpu", setter: fld_set}]},
- "cpu_data": {to:[{field: "rsa.misc.cpu_data", setter: fld_set}]},
- "criticality": {to:[{field: "rsa.misc.criticality", setter: fld_set}]},
- "cs_agency_dst": {to:[{field: "rsa.misc.cs_agency_dst", setter: fld_set}]},
- "cs_analyzedby": {to:[{field: "rsa.misc.cs_analyzedby", setter: fld_set}]},
- "cs_av_other": {to:[{field: "rsa.misc.cs_av_other", setter: fld_set}]},
- "cs_av_primary": {to:[{field: "rsa.misc.cs_av_primary", setter: fld_set}]},
- "cs_av_secondary": {to:[{field: "rsa.misc.cs_av_secondary", setter: fld_set}]},
- "cs_bgpv6nxthop": {to:[{field: "rsa.misc.cs_bgpv6nxthop", setter: fld_set}]},
- "cs_bit9status": {to:[{field: "rsa.misc.cs_bit9status", setter: fld_set}]},
- "cs_context": {to:[{field: "rsa.misc.cs_context", setter: fld_set}]},
- "cs_control": {to:[{field: "rsa.misc.cs_control", setter: fld_set}]},
- "cs_data": {to:[{field: "rsa.misc.cs_data", setter: fld_set}]},
- "cs_datecret": {to:[{field: "rsa.misc.cs_datecret", setter: fld_set}]},
- "cs_dst_tld": {to:[{field: "rsa.misc.cs_dst_tld", setter: fld_set}]},
- "cs_eth_dst_ven": {to:[{field: "rsa.misc.cs_eth_dst_ven", setter: fld_set}]},
- "cs_eth_src_ven": {to:[{field: "rsa.misc.cs_eth_src_ven", setter: fld_set}]},
- "cs_event_uuid": {to:[{field: "rsa.misc.cs_event_uuid", setter: fld_set}]},
- "cs_filetype": {to:[{field: "rsa.misc.cs_filetype", setter: fld_set}]},
- "cs_fld": {to:[{field: "rsa.misc.cs_fld", setter: fld_set}]},
- "cs_if_desc": {to:[{field: "rsa.misc.cs_if_desc", setter: fld_set}]},
- "cs_if_name": {to:[{field: "rsa.misc.cs_if_name", setter: fld_set}]},
- "cs_ip_next_hop": {to:[{field: "rsa.misc.cs_ip_next_hop", setter: fld_set}]},
- "cs_ipv4dstpre": {to:[{field: "rsa.misc.cs_ipv4dstpre", setter: fld_set}]},
- "cs_ipv4srcpre": {to:[{field: "rsa.misc.cs_ipv4srcpre", setter: fld_set}]},
- "cs_lifetime": {to:[{field: "rsa.misc.cs_lifetime", setter: fld_set}]},
- "cs_log_medium": {to:[{field: "rsa.misc.cs_log_medium", setter: fld_set}]},
- "cs_loginname": {to:[{field: "rsa.misc.cs_loginname", setter: fld_set}]},
- "cs_modulescore": {to:[{field: "rsa.misc.cs_modulescore", setter: fld_set}]},
- "cs_modulesign": {to:[{field: "rsa.misc.cs_modulesign", setter: fld_set}]},
- "cs_opswatresult": {to:[{field: "rsa.misc.cs_opswatresult", setter: fld_set}]},
- "cs_payload": {to:[{field: "rsa.misc.cs_payload", setter: fld_set}]},
- "cs_registrant": {to:[{field: "rsa.misc.cs_registrant", setter: fld_set}]},
- "cs_registrar": {to:[{field: "rsa.misc.cs_registrar", setter: fld_set}]},
- "cs_represult": {to:[{field: "rsa.misc.cs_represult", setter: fld_set}]},
- "cs_rpayload": {to:[{field: "rsa.misc.cs_rpayload", setter: fld_set}]},
- "cs_sampler_name": {to:[{field: "rsa.misc.cs_sampler_name", setter: fld_set}]},
- "cs_sourcemodule": {to:[{field: "rsa.misc.cs_sourcemodule", setter: fld_set}]},
- "cs_streams": {to:[{field: "rsa.misc.cs_streams", setter: fld_set}]},
- "cs_targetmodule": {to:[{field: "rsa.misc.cs_targetmodule", setter: fld_set}]},
- "cs_v6nxthop": {to:[{field: "rsa.misc.cs_v6nxthop", setter: fld_set}]},
- "cs_whois_server": {to:[{field: "rsa.misc.cs_whois_server", setter: fld_set}]},
- "cs_yararesult": {to:[{field: "rsa.misc.cs_yararesult", setter: fld_set}]},
- "cve": {to:[{field: "rsa.misc.cve", setter: fld_set}]},
- "d_certauth": {to:[{field: "rsa.crypto.d_certauth", setter: fld_set}]},
- "d_cipher": {to:[{field: "rsa.crypto.cipher_dst", setter: fld_set}]},
- "d_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_dst", setter: fld_set}]},
- "d_sslver": {to:[{field: "rsa.crypto.ssl_ver_dst", setter: fld_set}]},
- "data": {to:[{field: "rsa.internal.data", setter: fld_set}]},
- "data_type": {to:[{field: "rsa.misc.data_type", setter: fld_set}]},
- "date": {to:[{field: "rsa.time.date", setter: fld_set}]},
- "datetime": {to:[{field: "rsa.time.datetime", setter: fld_set}]},
- "day": {to:[{field: "rsa.time.day", setter: fld_set}]},
- "db_id": {to:[{field: "rsa.db.db_id", setter: fld_set}]},
- "db_name": {to:[{field: "rsa.db.database", setter: fld_set}]},
- "db_pid": {convert: to_long, to:[{field: "rsa.db.db_pid", setter: fld_set}]},
- "dclass_counter1": {convert: to_long, to:[{field: "rsa.counters.dclass_c1", setter: fld_set}]},
- "dclass_counter1_string": {to:[{field: "rsa.counters.dclass_c1_str", setter: fld_set}]},
- "dclass_counter2": {convert: to_long, to:[{field: "rsa.counters.dclass_c2", setter: fld_set}]},
- "dclass_counter2_string": {to:[{field: "rsa.counters.dclass_c2_str", setter: fld_set}]},
- "dclass_counter3": {convert: to_long, to:[{field: "rsa.counters.dclass_c3", setter: fld_set}]},
- "dclass_counter3_string": {to:[{field: "rsa.counters.dclass_c3_str", setter: fld_set}]},
- "dclass_ratio1": {to:[{field: "rsa.counters.dclass_r1", setter: fld_set}]},
- "dclass_ratio1_string": {to:[{field: "rsa.counters.dclass_r1_str", setter: fld_set}]},
- "dclass_ratio2": {to:[{field: "rsa.counters.dclass_r2", setter: fld_set}]},
- "dclass_ratio2_string": {to:[{field: "rsa.counters.dclass_r2_str", setter: fld_set}]},
- "dclass_ratio3": {to:[{field: "rsa.counters.dclass_r3", setter: fld_set}]},
- "dclass_ratio3_string": {to:[{field: "rsa.counters.dclass_r3_str", setter: fld_set}]},
- "dead": {convert: to_long, to:[{field: "rsa.internal.dead", setter: fld_set}]},
- "description": {to:[{field: "rsa.misc.description", setter: fld_set}]},
- "detail": {to:[{field: "rsa.misc.event_desc", setter: fld_set}]},
- "device": {to:[{field: "rsa.misc.device_name", setter: fld_set}]},
- "device.class": {to:[{field: "rsa.internal.device_class", setter: fld_set}]},
- "device.group": {to:[{field: "rsa.internal.device_group", setter: fld_set}]},
- "device.host": {to:[{field: "rsa.internal.device_host", setter: fld_set}]},
- "device.ip": {convert: to_ip, to:[{field: "rsa.internal.device_ip", setter: fld_set}]},
- "device.ipv6": {convert: to_ip, to:[{field: "rsa.internal.device_ipv6", setter: fld_set}]},
- "device.type": {to:[{field: "rsa.internal.device_type", setter: fld_set}]},
- "device.type.id": {convert: to_long, to:[{field: "rsa.internal.device_type_id", setter: fld_set}]},
- "devicehostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
- "devvendor": {to:[{field: "rsa.misc.devvendor", setter: fld_set}]},
- "dhost": {to:[{field: "rsa.network.host_dst", setter: fld_set}]},
- "did": {to:[{field: "rsa.internal.did", setter: fld_set}]},
- "dinterface": {to:[{field: "rsa.network.dinterface", setter: fld_set}]},
- "directory.dst": {to:[{field: "rsa.file.directory_dst", setter: fld_set}]},
- "directory.src": {to:[{field: "rsa.file.directory_src", setter: fld_set}]},
- "disk_volume": {to:[{field: "rsa.storage.disk_volume", setter: fld_set}]},
- "disposition": {to:[{field: "rsa.misc.disposition", setter: fld_set}]},
- "distance": {to:[{field: "rsa.misc.distance", setter: fld_set}]},
- "dmask": {to:[{field: "rsa.network.dmask", setter: fld_set}]},
- "dn": {to:[{field: "rsa.identity.dn", setter: fld_set}]},
- "dns_a_record": {to:[{field: "rsa.network.dns_a_record", setter: fld_set}]},
- "dns_cname_record": {to:[{field: "rsa.network.dns_cname_record", setter: fld_set}]},
- "dns_id": {to:[{field: "rsa.network.dns_id", setter: fld_set}]},
- "dns_opcode": {to:[{field: "rsa.network.dns_opcode", setter: fld_set}]},
- "dns_ptr_record": {to:[{field: "rsa.network.dns_ptr_record", setter: fld_set}]},
- "dns_resp": {to:[{field: "rsa.network.dns_resp", setter: fld_set}]},
- "dns_type": {to:[{field: "rsa.network.dns_type", setter: fld_set}]},
- "doc_number": {convert: to_long, to:[{field: "rsa.misc.doc_number", setter: fld_set}]},
- "domain": {to:[{field: "rsa.network.domain", setter: fld_set}]},
- "domain1": {to:[{field: "rsa.network.domain1", setter: fld_set}]},
- "dst_dn": {to:[{field: "rsa.identity.dn_dst", setter: fld_set}]},
- "dst_payload": {to:[{field: "rsa.misc.payload_dst", setter: fld_set}]},
- "dst_spi": {to:[{field: "rsa.misc.spi_dst", setter: fld_set}]},
- "dst_zone": {to:[{field: "rsa.network.zone_dst", setter: fld_set}]},
- "dstburb": {to:[{field: "rsa.misc.dstburb", setter: fld_set}]},
- "duration": {convert: to_double, to:[{field: "rsa.time.duration_time", setter: fld_set}]},
- "duration_string": {to:[{field: "rsa.time.duration_str", setter: fld_set}]},
- "ec_activity": {to:[{field: "rsa.investigations.ec_activity", setter: fld_set}]},
- "ec_outcome": {to:[{field: "rsa.investigations.ec_outcome", setter: fld_set}]},
- "ec_subject": {to:[{field: "rsa.investigations.ec_subject", setter: fld_set}]},
- "ec_theme": {to:[{field: "rsa.investigations.ec_theme", setter: fld_set}]},
- "edomain": {to:[{field: "rsa.misc.edomain", setter: fld_set}]},
- "edomaub": {to:[{field: "rsa.misc.edomaub", setter: fld_set}]},
- "effective_time": {convert: to_date, to:[{field: "rsa.time.effective_time", setter: fld_set}]},
- "ein.number": {convert: to_long, to:[{field: "rsa.misc.ein_number", setter: fld_set}]},
- "email": {to:[{field: "rsa.email.email", setter: fld_append}]},
- "encryption_type": {to:[{field: "rsa.crypto.crypto", setter: fld_set}]},
- "endtime": {convert: to_date, to:[{field: "rsa.time.endtime", setter: fld_set}]},
- "entropy.req": {convert: to_long, to:[{field: "rsa.internal.entropy_req", setter: fld_set}]},
- "entropy.res": {convert: to_long, to:[{field: "rsa.internal.entropy_res", setter: fld_set}]},
- "entry": {to:[{field: "rsa.internal.entry", setter: fld_set}]},
- "eoc": {to:[{field: "rsa.investigations.eoc", setter: fld_set}]},
- "error": {to:[{field: "rsa.misc.error", setter: fld_set}]},
- "eth_type": {convert: to_long, to:[{field: "rsa.network.eth_type", setter: fld_set}]},
- "euid": {to:[{field: "rsa.misc.euid", setter: fld_set}]},
- "event.cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 1}]},
- "event.cat.name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 1}]},
- "event_cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 0}]},
- "event_cat_name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 0}]},
- "event_category": {to:[{field: "rsa.misc.event_category", setter: fld_set}]},
- "event_computer": {to:[{field: "rsa.misc.event_computer", setter: fld_set}]},
- "event_counter": {convert: to_long, to:[{field: "rsa.counters.event_counter", setter: fld_set}]},
- "event_description": {to:[{field: "rsa.internal.event_desc", setter: fld_set}]},
- "event_id": {to:[{field: "rsa.misc.event_id", setter: fld_set}]},
- "event_log": {to:[{field: "rsa.misc.event_log", setter: fld_set}]},
- "event_name": {to:[{field: "rsa.internal.event_name", setter: fld_set}]},
- "event_queue_time": {convert: to_date, to:[{field: "rsa.time.event_queue_time", setter: fld_set}]},
- "event_source": {to:[{field: "rsa.misc.event_source", setter: fld_set}]},
- "event_state": {to:[{field: "rsa.misc.event_state", setter: fld_set}]},
- "event_time": {convert: to_date, to:[{field: "rsa.time.event_time", setter: fld_set}]},
- "event_time_str": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 1}]},
- "event_time_string": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 0}]},
- "event_type": {to:[{field: "rsa.misc.event_type", setter: fld_set}]},
- "event_user": {to:[{field: "rsa.misc.event_user", setter: fld_set}]},
- "eventtime": {to:[{field: "rsa.time.eventtime", setter: fld_set}]},
- "expected_val": {to:[{field: "rsa.misc.expected_val", setter: fld_set}]},
- "expiration_time": {convert: to_date, to:[{field: "rsa.time.expire_time", setter: fld_set}]},
- "expiration_time_string": {to:[{field: "rsa.time.expire_time_str", setter: fld_set}]},
- "facility": {to:[{field: "rsa.misc.facility", setter: fld_set}]},
- "facilityname": {to:[{field: "rsa.misc.facilityname", setter: fld_set}]},
- "faddr": {to:[{field: "rsa.network.faddr", setter: fld_set}]},
- "fcatnum": {to:[{field: "rsa.misc.fcatnum", setter: fld_set}]},
- "federated_idp": {to:[{field: "rsa.identity.federated_idp", setter: fld_set}]},
- "federated_sp": {to:[{field: "rsa.identity.federated_sp", setter: fld_set}]},
- "feed.category": {to:[{field: "rsa.internal.feed_category", setter: fld_set}]},
- "feed_desc": {to:[{field: "rsa.internal.feed_desc", setter: fld_set}]},
- "feed_name": {to:[{field: "rsa.internal.feed_name", setter: fld_set}]},
- "fhost": {to:[{field: "rsa.network.fhost", setter: fld_set}]},
- "file_entropy": {convert: to_double, to:[{field: "rsa.file.file_entropy", setter: fld_set}]},
- "file_vendor": {to:[{field: "rsa.file.file_vendor", setter: fld_set}]},
- "filename_dst": {to:[{field: "rsa.file.filename_dst", setter: fld_set}]},
- "filename_src": {to:[{field: "rsa.file.filename_src", setter: fld_set}]},
- "filename_tmp": {to:[{field: "rsa.file.filename_tmp", setter: fld_set}]},
- "filesystem": {to:[{field: "rsa.file.filesystem", setter: fld_set}]},
- "filter": {to:[{field: "rsa.misc.filter", setter: fld_set}]},
- "finterface": {to:[{field: "rsa.misc.finterface", setter: fld_set}]},
- "flags": {to:[{field: "rsa.misc.flags", setter: fld_set}]},
- "forensic_info": {to:[{field: "rsa.misc.forensic_info", setter: fld_set}]},
- "forward.ip": {convert: to_ip, to:[{field: "rsa.internal.forward_ip", setter: fld_set}]},
- "forward.ipv6": {convert: to_ip, to:[{field: "rsa.internal.forward_ipv6", setter: fld_set}]},
- "found": {to:[{field: "rsa.misc.found", setter: fld_set}]},
- "fport": {to:[{field: "rsa.network.fport", setter: fld_set}]},
- "fqdn": {to:[{field: "rsa.web.fqdn", setter: fld_set}]},
- "fresult": {convert: to_long, to:[{field: "rsa.misc.fresult", setter: fld_set}]},
- "from": {to:[{field: "rsa.email.email_src", setter: fld_set}]},
- "gaddr": {to:[{field: "rsa.misc.gaddr", setter: fld_set}]},
- "gateway": {to:[{field: "rsa.network.gateway", setter: fld_set}]},
- "gmtdate": {to:[{field: "rsa.time.gmtdate", setter: fld_set}]},
- "gmttime": {to:[{field: "rsa.time.gmttime", setter: fld_set}]},
- "group": {to:[{field: "rsa.misc.group", setter: fld_set}]},
- "group_object": {to:[{field: "rsa.misc.group_object", setter: fld_set}]},
- "groupid": {to:[{field: "rsa.misc.group_id", setter: fld_set}]},
- "h_code": {to:[{field: "rsa.internal.hcode", setter: fld_set}]},
- "hardware_id": {to:[{field: "rsa.misc.hardware_id", setter: fld_set}]},
- "header.id": {to:[{field: "rsa.internal.header_id", setter: fld_set}]},
- "host.orig": {to:[{field: "rsa.network.host_orig", setter: fld_set}]},
- "host.state": {to:[{field: "rsa.endpoint.host_state", setter: fld_set}]},
- "host.type": {to:[{field: "rsa.network.host_type", setter: fld_set}]},
- "host_role": {to:[{field: "rsa.identity.host_role", setter: fld_set}]},
- "hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
- "hostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
- "hour": {to:[{field: "rsa.time.hour", setter: fld_set}]},
- "https.insact": {to:[{field: "rsa.crypto.https_insact", setter: fld_set}]},
- "https.valid": {to:[{field: "rsa.crypto.https_valid", setter: fld_set}]},
- "icmpcode": {convert: to_long, to:[{field: "rsa.network.icmp_code", setter: fld_set}]},
- "icmptype": {convert: to_long, to:[{field: "rsa.network.icmp_type", setter: fld_set}]},
- "id": {to:[{field: "rsa.misc.reference_id", setter: fld_set}]},
- "id1": {to:[{field: "rsa.misc.reference_id1", setter: fld_set}]},
- "id2": {to:[{field: "rsa.misc.reference_id2", setter: fld_set}]},
- "id3": {to:[{field: "rsa.misc.id3", setter: fld_set}]},
- "ike": {to:[{field: "rsa.crypto.ike", setter: fld_set}]},
- "ike_cookie1": {to:[{field: "rsa.crypto.ike_cookie1", setter: fld_set}]},
- "ike_cookie2": {to:[{field: "rsa.crypto.ike_cookie2", setter: fld_set}]},
- "im_buddyid": {to:[{field: "rsa.misc.im_buddyid", setter: fld_set}]},
- "im_buddyname": {to:[{field: "rsa.misc.im_buddyname", setter: fld_set}]},
- "im_client": {to:[{field: "rsa.misc.im_client", setter: fld_set}]},
- "im_croomid": {to:[{field: "rsa.misc.im_croomid", setter: fld_set}]},
- "im_croomtype": {to:[{field: "rsa.misc.im_croomtype", setter: fld_set}]},
- "im_members": {to:[{field: "rsa.misc.im_members", setter: fld_set}]},
- "im_userid": {to:[{field: "rsa.misc.im_userid", setter: fld_set}]},
- "im_username": {to:[{field: "rsa.misc.im_username", setter: fld_set}]},
- "index": {to:[{field: "rsa.misc.index", setter: fld_set}]},
- "info": {to:[{field: "rsa.db.index", setter: fld_set}]},
- "inode": {convert: to_long, to:[{field: "rsa.internal.inode", setter: fld_set}]},
- "inout": {to:[{field: "rsa.misc.inout", setter: fld_set}]},
- "instance": {to:[{field: "rsa.db.instance", setter: fld_set}]},
- "interface": {to:[{field: "rsa.network.interface", setter: fld_set}]},
- "inv.category": {to:[{field: "rsa.investigations.inv_category", setter: fld_set}]},
- "inv.context": {to:[{field: "rsa.investigations.inv_context", setter: fld_set}]},
- "ioc": {to:[{field: "rsa.investigations.ioc", setter: fld_set}]},
- "ip_proto": {convert: to_long, to:[{field: "rsa.network.ip_proto", setter: fld_set}]},
- "ipkt": {to:[{field: "rsa.misc.ipkt", setter: fld_set}]},
- "ipscat": {to:[{field: "rsa.misc.ipscat", setter: fld_set}]},
- "ipspri": {to:[{field: "rsa.misc.ipspri", setter: fld_set}]},
- "jobname": {to:[{field: "rsa.misc.jobname", setter: fld_set}]},
- "jobnum": {to:[{field: "rsa.misc.job_num", setter: fld_set}]},
- "laddr": {to:[{field: "rsa.network.laddr", setter: fld_set}]},
- "language": {to:[{field: "rsa.misc.language", setter: fld_set}]},
- "latitude": {to:[{field: "rsa.misc.latitude", setter: fld_set}]},
- "lc.cid": {to:[{field: "rsa.internal.lc_cid", setter: fld_set}]},
- "lc.ctime": {convert: to_date, to:[{field: "rsa.internal.lc_ctime", setter: fld_set}]},
- "ldap": {to:[{field: "rsa.identity.ldap", setter: fld_set}]},
- "ldap.query": {to:[{field: "rsa.identity.ldap_query", setter: fld_set}]},
- "ldap.response": {to:[{field: "rsa.identity.ldap_response", setter: fld_set}]},
- "level": {convert: to_long, to:[{field: "rsa.internal.level", setter: fld_set}]},
- "lhost": {to:[{field: "rsa.network.lhost", setter: fld_set}]},
- "library": {to:[{field: "rsa.misc.library", setter: fld_set}]},
- "lifetime": {convert: to_long, to:[{field: "rsa.misc.lifetime", setter: fld_set}]},
- "linenum": {to:[{field: "rsa.misc.linenum", setter: fld_set}]},
- "link": {to:[{field: "rsa.misc.link", setter: fld_set}]},
- "linterface": {to:[{field: "rsa.network.linterface", setter: fld_set}]},
- "list_name": {to:[{field: "rsa.misc.list_name", setter: fld_set}]},
- "listnum": {to:[{field: "rsa.misc.listnum", setter: fld_set}]},
- "load_data": {to:[{field: "rsa.misc.load_data", setter: fld_set}]},
- "location_floor": {to:[{field: "rsa.misc.location_floor", setter: fld_set}]},
- "location_mark": {to:[{field: "rsa.misc.location_mark", setter: fld_set}]},
- "log_id": {to:[{field: "rsa.misc.log_id", setter: fld_set}]},
- "log_type": {to:[{field: "rsa.misc.log_type", setter: fld_set}]},
- "logid": {to:[{field: "rsa.misc.logid", setter: fld_set}]},
- "logip": {to:[{field: "rsa.misc.logip", setter: fld_set}]},
- "logname": {to:[{field: "rsa.misc.logname", setter: fld_set}]},
- "logon_type": {to:[{field: "rsa.identity.logon_type", setter: fld_set}]},
- "logon_type_desc": {to:[{field: "rsa.identity.logon_type_desc", setter: fld_set}]},
- "longitude": {to:[{field: "rsa.misc.longitude", setter: fld_set}]},
- "lport": {to:[{field: "rsa.misc.lport", setter: fld_set}]},
- "lread": {convert: to_long, to:[{field: "rsa.db.lread", setter: fld_set}]},
- "lun": {to:[{field: "rsa.storage.lun", setter: fld_set}]},
- "lwrite": {convert: to_long, to:[{field: "rsa.db.lwrite", setter: fld_set}]},
- "macaddr": {convert: to_mac, to:[{field: "rsa.network.eth_host", setter: fld_set}]},
- "mail_id": {to:[{field: "rsa.misc.mail_id", setter: fld_set}]},
- "mask": {to:[{field: "rsa.network.mask", setter: fld_set}]},
- "match": {to:[{field: "rsa.misc.match", setter: fld_set}]},
- "mbug_data": {to:[{field: "rsa.misc.mbug_data", setter: fld_set}]},
- "mcb.req": {convert: to_long, to:[{field: "rsa.internal.mcb_req", setter: fld_set}]},
- "mcb.res": {convert: to_long, to:[{field: "rsa.internal.mcb_res", setter: fld_set}]},
- "mcbc.req": {convert: to_long, to:[{field: "rsa.internal.mcbc_req", setter: fld_set}]},
- "mcbc.res": {convert: to_long, to:[{field: "rsa.internal.mcbc_res", setter: fld_set}]},
- "medium": {convert: to_long, to:[{field: "rsa.internal.medium", setter: fld_set}]},
- "message": {to:[{field: "rsa.internal.message", setter: fld_set}]},
- "message_body": {to:[{field: "rsa.misc.message_body", setter: fld_set}]},
- "messageid": {to:[{field: "rsa.internal.messageid", setter: fld_set}]},
- "min": {to:[{field: "rsa.time.min", setter: fld_set}]},
- "misc": {to:[{field: "rsa.misc.misc", setter: fld_set}]},
- "misc_name": {to:[{field: "rsa.misc.misc_name", setter: fld_set}]},
- "mode": {to:[{field: "rsa.misc.mode", setter: fld_set}]},
- "month": {to:[{field: "rsa.time.month", setter: fld_set}]},
- "msg": {to:[{field: "rsa.internal.msg", setter: fld_set}]},
- "msgIdPart1": {to:[{field: "rsa.misc.msgIdPart1", setter: fld_set}]},
- "msgIdPart2": {to:[{field: "rsa.misc.msgIdPart2", setter: fld_set}]},
- "msgIdPart3": {to:[{field: "rsa.misc.msgIdPart3", setter: fld_set}]},
- "msgIdPart4": {to:[{field: "rsa.misc.msgIdPart4", setter: fld_set}]},
- "msg_id": {to:[{field: "rsa.internal.msg_id", setter: fld_set}]},
- "msg_type": {to:[{field: "rsa.misc.msg_type", setter: fld_set}]},
- "msgid": {to:[{field: "rsa.misc.msgid", setter: fld_set}]},
- "name": {to:[{field: "rsa.misc.name", setter: fld_set}]},
- "netname": {to:[{field: "rsa.network.netname", setter: fld_set}]},
- "netsessid": {to:[{field: "rsa.misc.netsessid", setter: fld_set}]},
- "network_port": {convert: to_long, to:[{field: "rsa.network.network_port", setter: fld_set}]},
- "network_service": {to:[{field: "rsa.network.network_service", setter: fld_set}]},
- "node": {to:[{field: "rsa.misc.node", setter: fld_set}]},
- "nodename": {to:[{field: "rsa.internal.node_name", setter: fld_set}]},
- "ntype": {to:[{field: "rsa.misc.ntype", setter: fld_set}]},
- "num": {to:[{field: "rsa.misc.num", setter: fld_set}]},
- "number": {to:[{field: "rsa.misc.number", setter: fld_set}]},
- "number1": {to:[{field: "rsa.misc.number1", setter: fld_set}]},
- "number2": {to:[{field: "rsa.misc.number2", setter: fld_set}]},
- "nwe.callback_id": {to:[{field: "rsa.internal.nwe_callback_id", setter: fld_set}]},
- "nwwn": {to:[{field: "rsa.misc.nwwn", setter: fld_set}]},
- "obj_id": {to:[{field: "rsa.internal.obj_id", setter: fld_set}]},
- "obj_name": {to:[{field: "rsa.misc.obj_name", setter: fld_set}]},
- "obj_server": {to:[{field: "rsa.internal.obj_server", setter: fld_set}]},
- "obj_type": {to:[{field: "rsa.misc.obj_type", setter: fld_set}]},
- "obj_value": {to:[{field: "rsa.internal.obj_val", setter: fld_set}]},
- "object": {to:[{field: "rsa.misc.object", setter: fld_set}]},
- "observed_val": {to:[{field: "rsa.misc.observed_val", setter: fld_set}]},
- "operation": {to:[{field: "rsa.misc.operation", setter: fld_set}]},
- "operation_id": {to:[{field: "rsa.misc.operation_id", setter: fld_set}]},
- "opkt": {to:[{field: "rsa.misc.opkt", setter: fld_set}]},
- "org.dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 1}]},
- "org.src": {to:[{field: "rsa.physical.org_src", setter: fld_set}]},
- "org_dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 0}]},
- "orig_from": {to:[{field: "rsa.misc.orig_from", setter: fld_set}]},
- "origin": {to:[{field: "rsa.network.origin", setter: fld_set}]},
- "original_owner": {to:[{field: "rsa.identity.owner", setter: fld_set}]},
- "os": {to:[{field: "rsa.misc.OS", setter: fld_set}]},
- "owner_id": {to:[{field: "rsa.misc.owner_id", setter: fld_set}]},
- "p_action": {to:[{field: "rsa.misc.p_action", setter: fld_set}]},
- "p_date": {to:[{field: "rsa.time.p_date", setter: fld_set}]},
- "p_filter": {to:[{field: "rsa.misc.p_filter", setter: fld_set}]},
- "p_group_object": {to:[{field: "rsa.misc.p_group_object", setter: fld_set}]},
- "p_id": {to:[{field: "rsa.misc.p_id", setter: fld_set}]},
- "p_month": {to:[{field: "rsa.time.p_month", setter: fld_set}]},
- "p_msgid": {to:[{field: "rsa.misc.p_msgid", setter: fld_set}]},
- "p_msgid1": {to:[{field: "rsa.misc.p_msgid1", setter: fld_set}]},
- "p_msgid2": {to:[{field: "rsa.misc.p_msgid2", setter: fld_set}]},
- "p_result1": {to:[{field: "rsa.misc.p_result1", setter: fld_set}]},
- "p_time": {to:[{field: "rsa.time.p_time", setter: fld_set}]},
- "p_time1": {to:[{field: "rsa.time.p_time1", setter: fld_set}]},
- "p_time2": {to:[{field: "rsa.time.p_time2", setter: fld_set}]},
- "p_url": {to:[{field: "rsa.web.p_url", setter: fld_set}]},
- "p_user_agent": {to:[{field: "rsa.web.p_user_agent", setter: fld_set}]},
- "p_web_cookie": {to:[{field: "rsa.web.p_web_cookie", setter: fld_set}]},
- "p_web_method": {to:[{field: "rsa.web.p_web_method", setter: fld_set}]},
- "p_web_referer": {to:[{field: "rsa.web.p_web_referer", setter: fld_set}]},
- "p_year": {to:[{field: "rsa.time.p_year", setter: fld_set}]},
- "packet_length": {to:[{field: "rsa.network.packet_length", setter: fld_set}]},
- "paddr": {convert: to_ip, to:[{field: "rsa.network.paddr", setter: fld_set}]},
- "param": {to:[{field: "rsa.misc.param", setter: fld_set}]},
- "param.dst": {to:[{field: "rsa.misc.param_dst", setter: fld_set}]},
- "param.src": {to:[{field: "rsa.misc.param_src", setter: fld_set}]},
- "parent_node": {to:[{field: "rsa.misc.parent_node", setter: fld_set}]},
- "parse.error": {to:[{field: "rsa.internal.parse_error", setter: fld_set}]},
- "password": {to:[{field: "rsa.identity.password", setter: fld_set}]},
- "password_chg": {to:[{field: "rsa.misc.password_chg", setter: fld_set}]},
- "password_expire": {to:[{field: "rsa.misc.password_expire", setter: fld_set}]},
- "patient_fname": {to:[{field: "rsa.healthcare.patient_fname", setter: fld_set}]},
- "patient_id": {to:[{field: "rsa.healthcare.patient_id", setter: fld_set}]},
- "patient_lname": {to:[{field: "rsa.healthcare.patient_lname", setter: fld_set}]},
- "patient_mname": {to:[{field: "rsa.healthcare.patient_mname", setter: fld_set}]},
- "payload.req": {convert: to_long, to:[{field: "rsa.internal.payload_req", setter: fld_set}]},
- "payload.res": {convert: to_long, to:[{field: "rsa.internal.payload_res", setter: fld_set}]},
- "peer": {to:[{field: "rsa.crypto.peer", setter: fld_set}]},
- "peer_id": {to:[{field: "rsa.crypto.peer_id", setter: fld_set}]},
- "permgranted": {to:[{field: "rsa.misc.permgranted", setter: fld_set}]},
- "permissions": {to:[{field: "rsa.db.permissions", setter: fld_set}]},
- "permwanted": {to:[{field: "rsa.misc.permwanted", setter: fld_set}]},
- "pgid": {to:[{field: "rsa.misc.pgid", setter: fld_set}]},
- "phone_number": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 2}]},
- "phost": {to:[{field: "rsa.network.phost", setter: fld_set}]},
- "pid": {to:[{field: "rsa.misc.pid", setter: fld_set}]},
- "policy": {to:[{field: "rsa.misc.policy", setter: fld_set}]},
- "policyUUID": {to:[{field: "rsa.misc.policyUUID", setter: fld_set}]},
- "policy_id": {to:[{field: "rsa.misc.policy_id", setter: fld_set}]},
- "policy_value": {to:[{field: "rsa.misc.policy_value", setter: fld_set}]},
- "policy_waiver": {to:[{field: "rsa.misc.policy_waiver", setter: fld_set}]},
- "policyname": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 0}]},
- "pool_id": {to:[{field: "rsa.misc.pool_id", setter: fld_set}]},
- "pool_name": {to:[{field: "rsa.misc.pool_name", setter: fld_set}]},
- "port": {convert: to_long, to:[{field: "rsa.network.port", setter: fld_set}]},
- "portname": {to:[{field: "rsa.misc.port_name", setter: fld_set}]},
- "pread": {convert: to_long, to:[{field: "rsa.db.pread", setter: fld_set}]},
- "priority": {to:[{field: "rsa.misc.priority", setter: fld_set}]},
- "privilege": {to:[{field: "rsa.file.privilege", setter: fld_set}]},
- "process.vid.dst": {to:[{field: "rsa.internal.process_vid_dst", setter: fld_set}]},
- "process.vid.src": {to:[{field: "rsa.internal.process_vid_src", setter: fld_set}]},
- "process_id_val": {to:[{field: "rsa.misc.process_id_val", setter: fld_set}]},
- "processing_time": {to:[{field: "rsa.time.process_time", setter: fld_set}]},
- "profile": {to:[{field: "rsa.identity.profile", setter: fld_set}]},
- "prog_asp_num": {to:[{field: "rsa.misc.prog_asp_num", setter: fld_set}]},
- "program": {to:[{field: "rsa.misc.program", setter: fld_set}]},
- "protocol_detail": {to:[{field: "rsa.network.protocol_detail", setter: fld_set}]},
- "pwwn": {to:[{field: "rsa.storage.pwwn", setter: fld_set}]},
- "r_hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
- "real_data": {to:[{field: "rsa.misc.real_data", setter: fld_set}]},
- "realm": {to:[{field: "rsa.identity.realm", setter: fld_set}]},
- "reason": {to:[{field: "rsa.misc.reason", setter: fld_set}]},
- "rec_asp_device": {to:[{field: "rsa.misc.rec_asp_device", setter: fld_set}]},
- "rec_asp_num": {to:[{field: "rsa.misc.rec_asp_num", setter: fld_set}]},
- "rec_library": {to:[{field: "rsa.misc.rec_library", setter: fld_set}]},
- "recorded_time": {convert: to_date, to:[{field: "rsa.time.recorded_time", setter: fld_set}]},
- "recordnum": {to:[{field: "rsa.misc.recordnum", setter: fld_set}]},
- "registry.key": {to:[{field: "rsa.endpoint.registry_key", setter: fld_set}]},
- "registry.value": {to:[{field: "rsa.endpoint.registry_value", setter: fld_set}]},
- "remote_domain": {to:[{field: "rsa.web.remote_domain", setter: fld_set}]},
- "remote_domain_id": {to:[{field: "rsa.network.remote_domain_id", setter: fld_set}]},
- "reputation_num": {convert: to_double, to:[{field: "rsa.web.reputation_num", setter: fld_set}]},
- "resource": {to:[{field: "rsa.internal.resource", setter: fld_set}]},
- "resource_class": {to:[{field: "rsa.internal.resource_class", setter: fld_set}]},
- "result": {to:[{field: "rsa.misc.result", setter: fld_set}]},
- "result_code": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 1}]},
- "resultcode": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 0}]},
- "rid": {convert: to_long, to:[{field: "rsa.internal.rid", setter: fld_set}]},
- "risk": 
{to:[{field: "rsa.misc.risk", setter: fld_set}]}, - "risk_info": {to:[{field: "rsa.misc.risk_info", setter: fld_set}]}, - "risk_num": {convert: to_double, to:[{field: "rsa.misc.risk_num", setter: fld_set}]}, - "risk_num_comm": {convert: to_double, to:[{field: "rsa.misc.risk_num_comm", setter: fld_set}]}, - "risk_num_next": {convert: to_double, to:[{field: "rsa.misc.risk_num_next", setter: fld_set}]}, - "risk_num_sand": {convert: to_double, to:[{field: "rsa.misc.risk_num_sand", setter: fld_set}]}, - "risk_num_static": {convert: to_double, to:[{field: "rsa.misc.risk_num_static", setter: fld_set}]}, - "risk_suspicious": {to:[{field: "rsa.misc.risk_suspicious", setter: fld_set}]}, - "risk_warning": {to:[{field: "rsa.misc.risk_warning", setter: fld_set}]}, - "rpayload": {to:[{field: "rsa.network.rpayload", setter: fld_set}]}, - "ruid": {to:[{field: "rsa.misc.ruid", setter: fld_set}]}, - "rule": {to:[{field: "rsa.misc.rule", setter: fld_set}]}, - "rule_group": {to:[{field: "rsa.misc.rule_group", setter: fld_set}]}, - "rule_template": {to:[{field: "rsa.misc.rule_template", setter: fld_set}]}, - "rule_uid": {to:[{field: "rsa.misc.rule_uid", setter: fld_set}]}, - "rulename": {to:[{field: "rsa.misc.rule_name", setter: fld_set}]}, - "s_certauth": {to:[{field: "rsa.crypto.s_certauth", setter: fld_set}]}, - "s_cipher": {to:[{field: "rsa.crypto.cipher_src", setter: fld_set}]}, - "s_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_src", setter: fld_set}]}, - "s_context": {to:[{field: "rsa.misc.context_subject", setter: fld_set}]}, - "s_sslver": {to:[{field: "rsa.crypto.ssl_ver_src", setter: fld_set}]}, - "sburb": {to:[{field: "rsa.misc.sburb", setter: fld_set}]}, - "scheme": {to:[{field: "rsa.crypto.scheme", setter: fld_set}]}, - "sdomain_fld": {to:[{field: "rsa.misc.sdomain_fld", setter: fld_set}]}, - "search.text": {to:[{field: "rsa.misc.search_text", setter: fld_set}]}, - "sec": {to:[{field: "rsa.misc.sec", setter: fld_set}]}, - "second": {to:[{field: 
"rsa.misc.second", setter: fld_set}]}, - "sensor": {to:[{field: "rsa.misc.sensor", setter: fld_set}]}, - "sensorname": {to:[{field: "rsa.misc.sensorname", setter: fld_set}]}, - "seqnum": {to:[{field: "rsa.misc.seqnum", setter: fld_set}]}, - "serial_number": {to:[{field: "rsa.misc.serial_number", setter: fld_set}]}, - "service.account": {to:[{field: "rsa.identity.service_account", setter: fld_set}]}, - "session": {to:[{field: "rsa.misc.session", setter: fld_set}]}, - "session.split": {to:[{field: "rsa.internal.session_split", setter: fld_set}]}, - "sessionid": {to:[{field: "rsa.misc.log_session_id", setter: fld_set}]}, - "sessionid1": {to:[{field: "rsa.misc.log_session_id1", setter: fld_set}]}, - "sessiontype": {to:[{field: "rsa.misc.sessiontype", setter: fld_set}]}, - "severity": {to:[{field: "rsa.misc.severity", setter: fld_set}]}, - "sid": {to:[{field: "rsa.identity.user_sid_dst", setter: fld_set}]}, - "sig.name": {to:[{field: "rsa.misc.sig_name", setter: fld_set}]}, - "sigUUID": {to:[{field: "rsa.misc.sigUUID", setter: fld_set}]}, - "sigcat": {to:[{field: "rsa.misc.sigcat", setter: fld_set}]}, - "sigid": {convert: to_long, to:[{field: "rsa.misc.sig_id", setter: fld_set}]}, - "sigid1": {convert: to_long, to:[{field: "rsa.misc.sig_id1", setter: fld_set}]}, - "sigid_string": {to:[{field: "rsa.misc.sig_id_str", setter: fld_set}]}, - "signame": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 1}]}, - "sigtype": {to:[{field: "rsa.crypto.sig_type", setter: fld_set}]}, - "sinterface": {to:[{field: "rsa.network.sinterface", setter: fld_set}]}, - "site": {to:[{field: "rsa.internal.site", setter: fld_set}]}, - "size": {convert: to_long, to:[{field: "rsa.internal.size", setter: fld_set}]}, - "smask": {to:[{field: "rsa.network.smask", setter: fld_set}]}, - "snmp.oid": {to:[{field: "rsa.misc.snmp_oid", setter: fld_set}]}, - "snmp.value": {to:[{field: "rsa.misc.snmp_value", setter: fld_set}]}, - "sourcefile": {to:[{field: "rsa.internal.sourcefile", setter: 
fld_set}]}, - "space": {to:[{field: "rsa.misc.space", setter: fld_set}]}, - "space1": {to:[{field: "rsa.misc.space1", setter: fld_set}]}, - "spi": {to:[{field: "rsa.misc.spi", setter: fld_set}]}, - "sql": {to:[{field: "rsa.misc.sql", setter: fld_set}]}, - "src_dn": {to:[{field: "rsa.identity.dn_src", setter: fld_set}]}, - "src_payload": {to:[{field: "rsa.misc.payload_src", setter: fld_set}]}, - "src_spi": {to:[{field: "rsa.misc.spi_src", setter: fld_set}]}, - "src_zone": {to:[{field: "rsa.network.zone_src", setter: fld_set}]}, - "srcburb": {to:[{field: "rsa.misc.srcburb", setter: fld_set}]}, - "srcdom": {to:[{field: "rsa.misc.srcdom", setter: fld_set}]}, - "srcservice": {to:[{field: "rsa.misc.srcservice", setter: fld_set}]}, - "ssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 0}]}, - "stamp": {convert: to_date, to:[{field: "rsa.time.stamp", setter: fld_set}]}, - "starttime": {convert: to_date, to:[{field: "rsa.time.starttime", setter: fld_set}]}, - "state": {to:[{field: "rsa.misc.state", setter: fld_set}]}, - "statement": {to:[{field: "rsa.internal.statement", setter: fld_set}]}, - "status": {to:[{field: "rsa.misc.status", setter: fld_set}]}, - "status1": {to:[{field: "rsa.misc.status1", setter: fld_set}]}, - "streams": {convert: to_long, to:[{field: "rsa.misc.streams", setter: fld_set}]}, - "subcategory": {to:[{field: "rsa.misc.subcategory", setter: fld_set}]}, - "subject": {to:[{field: "rsa.email.subject", setter: fld_set}]}, - "svcno": {to:[{field: "rsa.misc.svcno", setter: fld_set}]}, - "system": {to:[{field: "rsa.misc.system", setter: fld_set}]}, - "t_context": {to:[{field: "rsa.misc.context_target", setter: fld_set}]}, - "task_name": {to:[{field: "rsa.file.task_name", setter: fld_set}]}, - "tbdstr1": {to:[{field: "rsa.misc.tbdstr1", setter: fld_set}]}, - "tbdstr2": {to:[{field: "rsa.misc.tbdstr2", setter: fld_set}]}, - "tbl_name": {to:[{field: "rsa.db.table_name", setter: fld_set}]}, - "tcp_flags": {convert: to_long, to:[{field: 
"rsa.misc.tcp_flags", setter: fld_set}]}, - "terminal": {to:[{field: "rsa.misc.terminal", setter: fld_set}]}, - "tgtdom": {to:[{field: "rsa.misc.tgtdom", setter: fld_set}]}, - "tgtdomain": {to:[{field: "rsa.misc.tgtdomain", setter: fld_set}]}, - "threat_name": {to:[{field: "rsa.threat.threat_category", setter: fld_set}]}, - "threat_source": {to:[{field: "rsa.threat.threat_source", setter: fld_set}]}, - "threat_val": {to:[{field: "rsa.threat.threat_desc", setter: fld_set}]}, - "threshold": {to:[{field: "rsa.misc.threshold", setter: fld_set}]}, - "time": {convert: to_date, to:[{field: "rsa.internal.time", setter: fld_set}]}, - "timestamp": {to:[{field: "rsa.time.timestamp", setter: fld_set}]}, - "timezone": {to:[{field: "rsa.time.timezone", setter: fld_set}]}, - "to": {to:[{field: "rsa.email.email_dst", setter: fld_set}]}, - "tos": {convert: to_long, to:[{field: "rsa.misc.tos", setter: fld_set}]}, - "trans_from": {to:[{field: "rsa.email.trans_from", setter: fld_set}]}, - "trans_id": {to:[{field: "rsa.db.transact_id", setter: fld_set}]}, - "trans_to": {to:[{field: "rsa.email.trans_to", setter: fld_set}]}, - "trigger_desc": {to:[{field: "rsa.misc.trigger_desc", setter: fld_set}]}, - "trigger_val": {to:[{field: "rsa.misc.trigger_val", setter: fld_set}]}, - "type": {to:[{field: "rsa.misc.type", setter: fld_set}]}, - "type1": {to:[{field: "rsa.misc.type1", setter: fld_set}]}, - "tzone": {to:[{field: "rsa.time.tzone", setter: fld_set}]}, - "ubc.req": {convert: to_long, to:[{field: "rsa.internal.ubc_req", setter: fld_set}]}, - "ubc.res": {convert: to_long, to:[{field: "rsa.internal.ubc_res", setter: fld_set}]}, - "udb_class": {to:[{field: "rsa.misc.udb_class", setter: fld_set}]}, - "url_fld": {to:[{field: "rsa.misc.url_fld", setter: fld_set}]}, - "urlpage": {to:[{field: "rsa.web.urlpage", setter: fld_set}]}, - "urlroot": {to:[{field: "rsa.web.urlroot", setter: fld_set}]}, - "user_address": {to:[{field: "rsa.email.email", setter: fld_append}]}, - "user_dept": {to:[{field: 
"rsa.identity.user_dept", setter: fld_set}]}, - "user_div": {to:[{field: "rsa.misc.user_div", setter: fld_set}]}, - "user_fname": {to:[{field: "rsa.identity.firstname", setter: fld_set}]}, - "user_lname": {to:[{field: "rsa.identity.lastname", setter: fld_set}]}, - "user_mname": {to:[{field: "rsa.identity.middlename", setter: fld_set}]}, - "user_org": {to:[{field: "rsa.identity.org", setter: fld_set}]}, - "user_role": {to:[{field: "rsa.identity.user_role", setter: fld_set}]}, - "userid": {to:[{field: "rsa.misc.userid", setter: fld_set}]}, - "username_fld": {to:[{field: "rsa.misc.username_fld", setter: fld_set}]}, - "utcstamp": {to:[{field: "rsa.misc.utcstamp", setter: fld_set}]}, - "v_instafname": {to:[{field: "rsa.misc.v_instafname", setter: fld_set}]}, - "vendor_event_cat": {to:[{field: "rsa.investigations.event_vcat", setter: fld_set}]}, - "version": {to:[{field: "rsa.misc.version", setter: fld_set}]}, - "vid": {to:[{field: "rsa.internal.msg_vid", setter: fld_set}]}, - "virt_data": {to:[{field: "rsa.misc.virt_data", setter: fld_set}]}, - "virusname": {to:[{field: "rsa.misc.virusname", setter: fld_set}]}, - "vlan": {convert: to_long, to:[{field: "rsa.network.vlan", setter: fld_set}]}, - "vlan.name": {to:[{field: "rsa.network.vlan_name", setter: fld_set}]}, - "vm_target": {to:[{field: "rsa.misc.vm_target", setter: fld_set}]}, - "vpnid": {to:[{field: "rsa.misc.vpnid", setter: fld_set}]}, - "vsys": {to:[{field: "rsa.misc.vsys", setter: fld_set}]}, - "vuln_ref": {to:[{field: "rsa.misc.vuln_ref", setter: fld_set}]}, - "web_cookie": {to:[{field: "rsa.web.web_cookie", setter: fld_set}]}, - "web_extension_tmp": {to:[{field: "rsa.web.web_extension_tmp", setter: fld_set}]}, - "web_host": {to:[{field: "rsa.web.alias_host", setter: fld_set}]}, - "web_method": {to:[{field: "rsa.misc.action", setter: fld_append}]}, - "web_page": {to:[{field: "rsa.web.web_page", setter: fld_set}]}, - "web_ref_domain": {to:[{field: "rsa.web.web_ref_domain", setter: fld_set}]}, - "web_ref_host": 
{to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "web_ref_page": {to:[{field: "rsa.web.web_ref_page", setter: fld_set}]}, - "web_ref_query": {to:[{field: "rsa.web.web_ref_query", setter: fld_set}]}, - "web_ref_root": {to:[{field: "rsa.web.web_ref_root", setter: fld_set}]}, - "wifi_channel": {convert: to_long, to:[{field: "rsa.wireless.wlan_channel", setter: fld_set}]}, - "wlan": {to:[{field: "rsa.wireless.wlan_name", setter: fld_set}]}, - "word": {to:[{field: "rsa.internal.word", setter: fld_set}]}, - "workspace_desc": {to:[{field: "rsa.misc.workspace", setter: fld_set}]}, - "workstation": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "year": {to:[{field: "rsa.time.year", setter: fld_set}]}, - "zone": {to:[{field: "rsa.network.zone", setter: fld_set}]}, - }; - - function to_date(value) { - switch (typeof (value)) { - case "object": - // This is a Date. But as it was obtained from evt.Get(), the VM - // doesn't see it as a JS Date anymore, thus value instanceof Date === false. - // Have to trust that any object here is a valid Date for Go. - return value; - case "string": - var asDate = new Date(value); - if (!isNaN(asDate)) return asDate; - } - } - - // ECMAScript 5.1 doesn't have Object.MAX_SAFE_INTEGER / Object.MIN_SAFE_INTEGER. - var maxSafeInt = Math.pow(2, 53) - 1; - var minSafeInt = -maxSafeInt; - - function to_long(value) { - var num = parseInt(value); - // Better not to index a number if it's not safe (above 53 bits). - return !isNaN(num) && minSafeInt <= num && num <= maxSafeInt ? 
num : undefined; - } - - function to_ip(value) { - if (value.indexOf(":") === -1) - return to_ipv4(value); - return to_ipv6(value); - } - - var ipv4_regex = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/; - var ipv6_hex_regex = /^[0-9A-Fa-f]{1,4}$/; - - function to_ipv4(value) { - var result = ipv4_regex.exec(value); - if (result == null || result.length !== 5) return; - for (var i = 1; i < 5; i++) { - var num = strictToInt(result[i]); - if (isNaN(num) || num < 0 || num > 255) return; - } - return value; - } - - function to_ipv6(value) { - var sqEnd = value.indexOf("]"); - if (sqEnd > -1) { - if (value.charAt(0) !== "[") return; - value = value.substr(1, sqEnd - 1); - } - var zoneOffset = value.indexOf("%"); - if (zoneOffset > -1) { - value = value.substr(0, zoneOffset); - } - var parts = value.split(":"); - if (parts == null || parts.length < 3 || parts.length > 8) return; - var numEmpty = 0; - var innerEmpty = 0; - for (var i = 0; i < parts.length; i++) { - if (parts[i].length === 0) { - numEmpty++; - if (i > 0 && i + 1 < parts.length) innerEmpty++; - } else if (!parts[i].match(ipv6_hex_regex) && - // Accept an IPv6 with a valid IPv4 at the end. - ((i + 1 < parts.length) || !to_ipv4(parts[i]))) { - return; - } - } - return innerEmpty === 0 && parts.length === 8 || innerEmpty === 1 ? value : undefined; - } - - function to_double(value) { - return parseFloat(value); - } - - function to_mac(value) { - // ES doesn't have a mac datatype so it's safe to ingest whatever was captured. - return value; - } - - function to_lowercase(value) { - // to_lowercase is used against keyword fields, which can accept - // any other type (numbers, dates). - return typeof(value) === "string"? 
value.toLowerCase() : value; - } - - function fld_set(dst, value) { - dst[this.field] = { v: value }; - } - - function fld_append(dst, value) { - if (dst[this.field] === undefined) { - dst[this.field] = { v: [value] }; - } else { - var base = dst[this.field]; - if (base.v.indexOf(value)===-1) base.v.push(value); - } - } - - function fld_prio(dst, value) { - if (dst[this.field] === undefined) { - dst[this.field] = { v: value, prio: this.prio}; - } else if(this.prio < dst[this.field].prio) { - dst[this.field].v = value; - dst[this.field].prio = this.prio; - } - } - - var valid_ecs_outcome = { - 'failure': true, - 'success': true, - 'unknown': true - }; - - function fld_ecs_outcome(dst, value) { - value = value.toLowerCase(); - if (valid_ecs_outcome[value] === undefined) { - value = 'unknown'; - } - if (dst[this.field] === undefined) { - dst[this.field] = { v: value }; - } else if (dst[this.field].v === 'unknown') { - dst[this.field] = { v: value }; - } - } - - function map_all(evt, targets, value) { - for (var i = 0; i < targets.length; i++) { - evt.Put(targets[i], value); - } - } - - function populate_fields(evt) { - var base = evt.Get(FIELDS_OBJECT); - if (base === null) return; - alternate_datetime(evt); - if (map_ecs) { - do_populate(evt, base, ecs_mappings); - } - if (map_rsa) { - do_populate(evt, base, rsa_mappings); - } - if (keep_raw) { - evt.Put("rsa.raw", base); - } - evt.Delete(FIELDS_OBJECT); - } - - var datetime_alt_components = [ - {field: "day", fmts: [[dF]]}, - {field: "year", fmts: [[dW]]}, - {field: "month", fmts: [[dB],[dG]]}, - {field: "date", fmts: [[dW,dSkip,dG,dSkip,dF],[dW,dSkip,dB,dSkip,dF],[dW,dSkip,dR,dSkip,dF]]}, - {field: "hour", fmts: [[dN]]}, - {field: "min", fmts: [[dU]]}, - {field: "secs", fmts: [[dO]]}, - {field: "time", fmts: [[dN, dSkip, dU, dSkip, dO]]}, - ]; - - function alternate_datetime(evt) { - if (evt.Get(FIELDS_PREFIX + "event_time") != null) { - return; - } - var tzOffset = tz_offset; - if (tzOffset === "event") { - 
tzOffset = evt.Get("event.timezone"); - } - var container = new DateContainer(tzOffset); - for (var i=0; i} %{fld79->} %{fld80->} %{fld81->} %{timezone->} %{fld82},updateTime=%{fld8},alertSev=%{severity},group=%{group},ruleName=\"%{rulename}\",evntDesc=\"%{event_description}\",category=%{category},disposition=%{disposition},eventType=%{event_type},proto=%{protocol},srcPort=%{sport},srcIP=%{saddr},dstPort=%{dport},dstIP=%{daddr},policyName=\"%{policyname}\",occurrences=%{event_counter},httpHost=%{web_host},webMethod=%{web_method},url=\"%{url}\",webQuery=\"%{web_query}\",soapAction=%{fld83},resultCode=%{resultcode},sessionID=%{sessionid},username=%{username},addUsername=%{fld84},responseTime=%{fld85},responseSize=%{fld86},direction=%{direction},dbUsername=%{fld87},queryGroup=%{fld88},application=\"%{application}\",srcHost=%{shost},osUsername=%{c_username},schemaName=%{owner},dbName=%{db_name},hdrName=%{fld92},action=\"%{action}\",errormsg=\"%{result}\"", processor_chain([ - dup1, - dup2, - dup3, - ])); - - var msg1 = msg("IMPERVA_ALERT:02", part1); - - var part2 = match("MESSAGE#1:IMPERVA_ALERT", "nwparser.payload", "alert#=%{operation_id},event#=%{fld7},createTime=%{fld79},updateTime=%{fld80},alertSev=%{severity},group=%{group},ruleName=\"%{rulename}\",evntDesc=\"%{event_description}\",category=%{category},disposition=%{disposition},eventType=%{event_type},proto=%{protocol},srcPort=%{sport},srcIP=%{saddr},dstPort=%{dport},dstIP=%{daddr},policyName=\"%{policyname}\",occurrences=%{event_counter},httpHost=%{web_host},webMethod=%{web_method},url=\"%{url}\",webQuery=\"%{web_query}\",soapAction=%{fld83},resultCode=%{resultcode},sessionID=%{sessionid},username=%{username},addUsername=%{fld84},responseTime=%{fld85},responseSize=%{fld86},direction=%{direction},dbUsername=%{fld87},queryGroup=%{fld88},application=\"%{application}\",srcHost=%{shost},osUsername=%{c_username},schemaName=%{owner},dbName=%{db_name},hdrName=%{fld92},action=\"%{action}\",errormsg=\"%{result}\"", 
processor_chain([ - dup1, - dup4, - dup3, - ])); - - var msg2 = msg("IMPERVA_ALERT", part2); - - var part3 = match("MESSAGE#2:IMPERVA_ALERT:03", "nwparser.payload", "alert#=%{operation_id},event#=%{fld7},createTime=%{fld78->} %{fld79->} %{fld80->} %{fld81->} %{timezone->} %{fld82},updateTime=%{fld8},alertSev=%{severity},group=%{group},ruleName=\"%{rulename}\",evntDesc=\"%{event_description}\",category=%{category},disposition=%{disposition},eventType=%{event_type},proto=%{protocol},srcPort=%{sport},srcIP=%{saddr},dstPort=%{dport},dstIP=%{daddr},policyName=\"%{policyname}\",occurrences=%{event_counter},httpHost=%{web_host},webMethod=%{web_method},url=\"%{url}\",webQuery=\"%{web_query}\",soapAction=%{fld83},resultCode=%{resultcode},sessionID=%{sessionid},username=%{username},addUsername=%{fld84},responseTime=%{fld85},responseSize=%{fld86},direction=%{direction},dbUsername=%{fld87},queryGroup=%{fld88},application=\"%{application}\",srcHost=%{shost},osUsername=%{c_username},schemaName=%{owner},dbName=%{db_name},hdrName=%{fld92},action=%{action}", processor_chain([ - dup1, - dup2, - dup3, - ])); - - var msg3 = msg("IMPERVA_ALERT:03", part3); - - var part4 = match("MESSAGE#3:IMPERVA_ALERT:01", "nwparser.payload", 
"alert#=%{operation_id},event#=%{fld7},createTime=%{fld79},updateTime=%{fld80},alertSev=%{severity},group=%{group},ruleName=\"%{rulename}\",evntDesc=\"%{event_description}\",category=%{category},disposition=%{disposition},eventType=%{event_type},proto=%{protocol},srcPort=%{sport},srcIP=%{saddr},dstPort=%{dport},dstIP=%{daddr},policyName=\"%{policyname}\",occurrences=%{event_counter},httpHost=%{web_host},webMethod=%{web_method},url=\"%{url}\",webQuery=\"%{web_query}\",soapAction=%{fld83},resultCode=%{resultcode},sessionID=%{sessionid},username=%{username},addUsername=%{fld84},responseTime=%{fld85},responseSize=%{fld86},direction=%{direction},dbUsername=%{fld87},queryGroup=%{fld88},application=\"%{application}\",srcHost=%{shost},osUsername=%{c_username},schemaName=%{owner},dbName=%{db_name},hdrName=%{fld92},action=%{action}", processor_chain([ - dup1, - dup4, - dup3, - ])); - - var msg4 = msg("IMPERVA_ALERT:01", part4); - - var part5 = match("MESSAGE#4:IMPERVA_EVENT:01", "nwparser.payload", "event#=%{fld77},createTime=%{fld78->} %{fld79->} %{fld80->} %{fld81->} %{timezone->} %{fld82},eventType=%{event_type},eventSev=%{severity},username=%{username},subsystem=%{fld7},message=\"%{event_description}\"", processor_chain([ - dup5, - dup2, - dup3, - ])); - - var msg5 = msg("IMPERVA_EVENT:01", part5); - - var part6 = match("MESSAGE#5:IMPERVA_EVENT", "nwparser.payload", "event#=%{fld77},createTime=%{fld79},eventType=%{event_type},eventSev=%{severity},username=%{username},subsystem=%{fld7},message=\"%{event_description}\"", processor_chain([ - dup5, - dup4, - dup3, - ])); - - var msg6 = msg("IMPERVA_EVENT", part6); - - var part7 = match("MESSAGE#6:IMPERVA_DATABASE_ACTIVITY:03", "nwparser.payload", "dstIP=%{daddr},dstPort=%{dport},dbUsername=%{username},srcIP=%{saddr},srcPort=%{sport},creatTime=%{fld79->} %{fld22->} %{fld23->} 
%{fld24},,srvGroup=%{group_object},service=%{fld88},appName=%{fld81},event#=%{fld82},eventType=Login,usrGroup=%{group},usrAuth=True,application=\"%{application}\",osUsername=%{c_username},srcHost=%{shost},dbName=%{db_name},schemaName=%{owner},bindVar=%{fld86},sqlError=%{result},respSize=%{dclass_counter1},respTime=%{duration},affRows=%{fld87},action=\"%{action}\",rawQuery=\"%{info}\"", processor_chain([ - dup6, - dup7, - dup8, - dup9, - dup10, - dup11, - dup12, - dup3, - dup13, - ])); - - var msg7 = msg("IMPERVA_DATABASE_ACTIVITY:03", part7); - - var part8 = match("MESSAGE#7:IMPERVA_DATABASE_ACTIVITY:06", "nwparser.payload", "dstIP=%{daddr},dstPort=%{dport},dbUsername=%{username},srcIP=%{saddr},srcPort=%{sport},creatTime=%{fld79->} %{fld22->} %{fld23->} %{fld24},,srvGroup=%{group_object},service=%{fld88},appName=%{fld81},event#=%{fld82},eventType=Login,usrGroup=%{group},usrAuth=False,application=\"%{application}\",osUsername=%{c_username},srcHost=%{shost},dbName=%{db_name},schemaName=%{owner},bindVar=%{fld86},sqlError=%{result},respSize=%{dclass_counter1},respTime=%{duration},affRows=%{fld87},action=\"%{action}\",rawQuery=\"%{info}\"", processor_chain([ - dup14, - dup7, - dup8, - dup9, - dup15, - dup11, - dup12, - dup3, - dup13, - ])); - - var msg8 = msg("IMPERVA_DATABASE_ACTIVITY:06", part8); - - var part9 = match("MESSAGE#8:IMPERVA_DATABASE_ACTIVITY:01", "nwparser.payload", "dstIP=%{daddr},dstPort=%{dport},dbUsername=%{username},srcIP=%{saddr},srcPort=%{sport},creatTime=%{fld79},srvGroup=%{group_object},service=%{fld88},appName=%{fld81},event#=%{fld82},eventType=Login,usrGroup=%{group},usrAuth=True,application=\"%{application}\",osUsername=%{c_username},srcHost=%{shost},dbName=%{db_name},schemaName=%{owner},bindVar=%{fld86},sqlError=%{result},respSize=%{dclass_counter1},respTime=%{duration},affRows=%{fld87},action=\"%{action}\",rawQuery=\"%{info}\"", processor_chain([ - dup6, - dup7, - dup8, - dup9, - dup10, - dup11, - dup16, - dup3, - dup13, - ])); - - var msg9 
= msg("IMPERVA_DATABASE_ACTIVITY:01", part9); - - var part10 = match("MESSAGE#9:IMPERVA_DATABASE_ACTIVITY:07", "nwparser.payload", "dstIP=%{daddr},dstPort=%{dport},dbUsername=%{username},srcIP=%{saddr},srcPort=%{sport},creatTime=%{fld79},srvGroup=%{group_object},service=%{fld88},appName=%{fld81},event#=%{fld82},eventType=Login,usrGroup=%{group},usrAuth=False,application=\"%{application}\",osUsername=%{c_username},srcHost=%{shost},dbName=%{db_name},schemaName=%{owner},bindVar=%{fld86},sqlError=%{result},respSize=%{dclass_counter1},respTime=%{duration},affRows=%{fld87},action=\"%{action}\",rawQuery=\"%{info}\"", processor_chain([ - dup14, - dup7, - dup8, - dup9, - dup15, - dup11, - dup16, - dup3, - dup13, - ])); - - var msg10 = msg("IMPERVA_DATABASE_ACTIVITY:07", part10); - - var part11 = match("MESSAGE#10:IMPERVA_DATABASE_ACTIVITY:04", "nwparser.payload", "dstIP=%{daddr},dstPort=%{dport},dbUsername=%{username},srcIP=%{saddr},srcPort=%{sport},creatTime=%{fld79->} %{fld22->} %{fld23->} %{fld24},,srvGroup=%{group_object},service=%{fld88},appName=%{fld81},event#=%{fld82},eventType=Logout,usrGroup=%{group},usrAuth=True,application=\"%{application}\",osUsername=%{c_username},srcHost=%{shost},dbName=%{db_name},schemaName=%{owner},bindVar=%{fld86},sqlError=%{result},respSize=%{dclass_counter1},respTime=%{duration},affRows=%{fld87},action=\"%{action}\",rawQuery=\"%{info}\"", processor_chain([ - dup17, - dup7, - dup18, - dup9, - dup10, - dup19, - dup12, - dup3, - dup13, - ])); - - var msg11 = msg("IMPERVA_DATABASE_ACTIVITY:04", part11); - - var part12 = match("MESSAGE#11:IMPERVA_DATABASE_ACTIVITY:08", "nwparser.payload", "dstIP=%{daddr},dstPort=%{dport},dbUsername=%{username},srcIP=%{saddr},srcPort=%{sport},creatTime=%{fld79->} %{fld22->} %{fld23->} 
%{fld24},,srvGroup=%{group_object},service=%{fld88},appName=%{fld81},event#=%{fld82},eventType=Logout,usrGroup=%{group},usrAuth=False,application=\"%{application}\",osUsername=%{c_username},srcHost=%{shost},dbName=%{db_name},schemaName=%{owner},bindVar=%{fld86},sqlError=%{result},respSize=%{dclass_counter1},respTime=%{duration},affRows=%{fld87},action=\"%{action}\",rawQuery=\"%{info}\"", processor_chain([ - dup17, - dup7, - dup18, - dup9, - dup15, - dup19, - dup12, - dup3, - dup13, - ])); - - var msg12 = msg("IMPERVA_DATABASE_ACTIVITY:08", part12); - - var part13 = match("MESSAGE#12:IMPERVA_DATABASE_ACTIVITY:02", "nwparser.payload", "dstIP=%{daddr},dstPort=%{dport},dbUsername=%{username},srcIP=%{saddr},srcPort=%{sport},creatTime=%{fld79},srvGroup=%{group_object},service=%{fld88},appName=%{fld81},event#=%{fld82},eventType=Logout,usrGroup=%{group},usrAuth=True,application=\"%{application}\",osUsername=%{c_username},srcHost=%{shost},dbName=%{db_name},schemaName=%{owner},bindVar=%{fld86},sqlError=%{result},respSize=%{dclass_counter1},respTime=%{duration},affRows=%{fld87},action=\"%{action}\",rawQuery=\"%{info}\"", processor_chain([ - dup17, - dup7, - dup18, - dup9, - dup10, - dup19, - dup4, - dup3, - dup13, - ])); - - var msg13 = msg("IMPERVA_DATABASE_ACTIVITY:02", part13); - - var part14 = match("MESSAGE#13:IMPERVA_DATABASE_ACTIVITY:09", "nwparser.payload", "dstIP=%{daddr},dstPort=%{dport},dbUsername=%{username},srcIP=%{saddr},srcPort=%{sport},creatTime=%{fld79},srvGroup=%{group_object},service=%{fld88},appName=%{fld81},event#=%{fld82},eventType=Logout,usrGroup=%{group},usrAuth=False,application=\"%{application}\",osUsername=%{c_username},srcHost=%{shost},dbName=%{db_name},schemaName=%{owner},bindVar=%{fld86},sqlError=%{result},respSize=%{dclass_counter1},respTime=%{duration},affRows=%{fld87},action=\"%{action}\",rawQuery=\"%{info}\"", processor_chain([ - dup17, - dup7, - dup18, - dup9, - dup15, - dup19, - dup4, - dup3, - dup13, - ])); - - var msg14 = 
msg("IMPERVA_DATABASE_ACTIVITY:09", part14); - - var part15 = match("MESSAGE#14:IMPERVA_DATABASE_ACTIVITY:10", "nwparser.payload", "dstIP=%{daddr},dstPort=%{dport},dbUsername=%{username},srcIP=%{saddr},srcPort=%{sport},creatTime=%{fld79->} %{fld22->} %{fld23->} %{fld24},,srvGroup=%{group_object},service=%{fld88},appName=%{fld81},event#=%{fld82},eventType=Query,usrGroup=%{group},usrAuth=True,application=\"%{application}\",osUsername=%{c_username},srcHost=%{shost},dbName=%{db_name},schemaName=%{owner},bindVar=%{fld86}", processor_chain([ - dup17, - dup20, - dup12, - dup3, - dup13, - ])); - - var msg15 = msg("IMPERVA_DATABASE_ACTIVITY:10", part15); - - var part16 = match("MESSAGE#15:IMPERVA_DATABASE_ACTIVITY:11", "nwparser.payload", "dstIP=%{daddr},dstPort=%{dport},dbUsername=%{username},srcIP=%{saddr},srcPort=%{sport},creatTime=%{fld79->} %{fld22->} %{fld23->} %{fld24},,srvGroup=%{group_object},service=%{fld88},appName=%{fld81},event#=%{fld82},eventType=Query,usrGroup=%{group},usrAuth=False,application=\"%{application}\",osUsername=%{c_username},srcHost=%{shost},dbName=%{db_name},schemaName=%{owner},bindVar=%{fld86}", processor_chain([ - dup17, - dup20, - dup12, - dup3, - dup13, - ])); - - var msg16 = msg("IMPERVA_DATABASE_ACTIVITY:11", part16); - - var part17 = match("MESSAGE#16:IMPERVA_DATABASE_ACTIVITY:12", "nwparser.payload", "dstIP=%{daddr},dstPort=%{dport},dbUsername=%{username},srcIP=%{saddr},srcPort=%{sport},creatTime=%{fld79->} %{fld22->} %{fld23->} %{fld24},srvGroup=%{group_object},service=%{service},appName=%{fld81},event#=%{fld82},eventType=Login,usrGroup=%{group},usrAuth=%{fld99},application=\"%{application}\",osUsername=%{c_username},srcHost=%{shost},dbName=%{db_name},schemaName=%{owner},bindVar=%{fld86},sqlError=%{result}", processor_chain([ - setc("eventcategory","1401050200"), - dup20, - dup12, - dup3, - dup13, - ])); - - var msg17 = msg("IMPERVA_DATABASE_ACTIVITY:12", part17); - - var part18 = match("MESSAGE#17:IMPERVA_DATABASE_ACTIVITY", 
"nwparser.payload", "dstIP=%{daddr},dstPort=%{dport},dbUsername=%{username},srcIP=%{saddr},srcPort=%{sport},creatTime=%{fld79},srvGroup=%{group_object},service=%{fld88},appName=%{fld81},event#=%{fld82},eventType=%{event_type},usrGroup=%{group},usrAuth=%{fld83},application=\"%{application}\",osUsername=%{c_username},srcHost=%{shost},dbName=%{db_name},schemaName=%{owner},bindVar=%{fld86},sqlError=%{result},respSize=%{dclass_counter1},respTime=%{duration},affRows=%{fld87},action=\"%{action}\",rawQuery=\"%{info}\"", processor_chain([ - setc("eventcategory","1206000000"), - dup4, - dup3, - dup13, - ])); - - var msg18 = msg("IMPERVA_DATABASE_ACTIVITY", part18); - - var select2 = linear_select([ - msg1, - msg2, - msg3, - msg4, - msg5, - msg6, - msg7, - msg8, - msg9, - msg10, - msg11, - msg12, - msg13, - msg14, - msg15, - msg16, - msg17, - msg18, - ]); - - var chain1 = processor_chain([ - select1, - msgid_select({ - "Imperva": select2, - }), - ]); - -- community_id: -- registered_domain: - ignore_missing: true - ignore_failure: true - field: dns.question.name - target_field: dns.question.registered_domain - target_subdomain_field: dns.question.subdomain - target_etld_field: dns.question.top_level_domain -- registered_domain: - ignore_missing: true - ignore_failure: true - field: client.domain - target_field: client.registered_domain - target_subdomain_field: client.subdomain - target_etld_field: client.top_level_domain -- registered_domain: - ignore_missing: true - ignore_failure: true - field: server.domain - target_field: server.registered_domain - target_subdomain_field: server.subdomain - target_etld_field: server.top_level_domain -- registered_domain: - ignore_missing: true - ignore_failure: true - field: destination.domain - target_field: destination.registered_domain - target_subdomain_field: destination.subdomain - target_etld_field: destination.top_level_domain -- registered_domain: - ignore_missing: true - ignore_failure: true - field: source.domain - 
- target_field: source.registered_domain
- target_subdomain_field: source.subdomain
- target_etld_field: source.top_level_domain
-- registered_domain:
- ignore_missing: true
- ignore_failure: true
- field: url.domain
- target_field: url.registered_domain
- target_subdomain_field: url.subdomain
- target_etld_field: url.top_level_domain
-- add_locale: ~
diff --git a/packages/imperva/0.10.1/data_stream/securesphere/agent/stream/tcp.yml.hbs b/packages/imperva/0.10.1/data_stream/securesphere/agent/stream/tcp.yml.hbs
deleted file mode 100755
index 2045ddd9bf..0000000000
--- a/packages/imperva/0.10.1/data_stream/securesphere/agent/stream/tcp.yml.hbs
+++ /dev/null
@@ -1,2907 +0,0 @@ -tcp: -host: "{{tcp_host}}:{{tcp_port}}" -tags: -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#each tags as |tag i|}} - - {{tag}} -{{/each}} -fields_under_root: true -fields: - observer: - vendor: "Imperva" - product: "Secure" - type: "WAF" -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} -processors: -{{#if processors}} -{{processors}} -{{/if}} -- script: - lang: javascript - params: - ecs: true - rsa: {{rsa_fields}} - tz_offset: {{tz_offset}} - keep_raw: {{keep_raw_fields}} - debug: {{debug}} - source: | - // Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - // or more contributor license agreements. Licensed under the Elastic License; - // you may not use this file except in compliance with the Elastic License. - - /* jshint -W014,-W016,-W097,-W116 */ - - var processor = require("processor"); - var console = require("console"); - - var FLAG_FIELD = "log.flags"; - var FIELDS_OBJECT = "nwparser"; - var FIELDS_PREFIX = FIELDS_OBJECT + "."; - - var defaults = { - debug: false, - ecs: true, - rsa: false, - keep_raw: false, - tz_offset: "local", - strip_priority: true - }; - - var saved_flags = null; - var debug; - var map_ecs; - var map_rsa; - var keep_raw; - var device; - var tz_offset; - var strip_priority; - - // Register params from configuration. - function register(params) { - debug = params.debug !== undefined ? params.debug : defaults.debug; - map_ecs = params.ecs !== undefined ? params.ecs : defaults.ecs; - map_rsa = params.rsa !== undefined ? params.rsa : defaults.rsa; - keep_raw = params.keep_raw !== undefined ? params.keep_raw : defaults.keep_raw; - tz_offset = parse_tz_offset(params.tz_offset !== undefined? params.tz_offset : defaults.tz_offset); - strip_priority = params.strip_priority !== undefined? 
params.strip_priority : defaults.strip_priority; - device = new DeviceProcessor(); - } - - function parse_tz_offset(offset) { - var date; - var m; - switch(offset) { - // local uses the tz offset from the JS VM. - case "local": - date = new Date(); - // Reversing the sign as we the offset from UTC, not to UTC. - return parse_local_tz_offset(-date.getTimezoneOffset()); - // event uses the tz offset from event.timezone (add_locale processor). - case "event": - return offset; - // Otherwise a tz offset in the form "[+-][0-9]{4}" is required. - default: - m = offset.match(/^([+\-])([0-9]{2}):?([0-9]{2})?$/); - if (m === null || m.length !== 4) { - throw("bad timezone offset: '" + offset + "'. Must have the form +HH:MM"); - } - return m[1] + m[2] + ":" + (m[3]!==undefined? m[3] : "00"); - } - } - - function parse_local_tz_offset(minutes) { - var neg = minutes < 0; - minutes = Math.abs(minutes); - var min = minutes % 60; - var hours = Math.floor(minutes / 60); - var pad2digit = function(n) { - if (n < 10) { return "0" + n;} - return "" + n; - }; - return (neg? "-" : "+") + pad2digit(hours) + ":" + pad2digit(min); - } - - function process(evt) { - // Function register is only called by the processor when `params` are set - // in the processor config. - if (device === undefined) { - register(defaults); - } - return device.process(evt); - } - - function processor_chain(subprocessors) { - var builder = new processor.Chain(); - subprocessors.forEach(builder.Add); - return builder.Build().Run; - } - - function linear_select(subprocessors) { - return function (evt) { - var flags = evt.Get(FLAG_FIELD); - var i; - for (i = 0; i < subprocessors.length; i++) { - evt.Delete(FLAG_FIELD); - if (debug) console.warn("linear_select trying entry " + i); - subprocessors[i](evt); - // Dissect processor succeeded? 
- if (evt.Get(FLAG_FIELD) == null) break; - if (debug) console.warn("linear_select failed entry " + i); - } - if (flags !== null) { - evt.Put(FLAG_FIELD, flags); - } - if (debug) { - if (i < subprocessors.length) { - console.warn("linear_select matched entry " + i); - } else { - console.warn("linear_select didn't match"); - } - } - }; - } - - function conditional(opt) { - return function(evt) { - if (opt.if(evt)) { - opt.then(evt); - } else if (opt.else) { - opt.else(evt); - } - }; - } - - var strip_syslog_priority = (function() { - var isEnabled = function() { return strip_priority === true; }; - var fetchPRI = field("_pri"); - var fetchPayload = field("payload"); - var removePayload = remove(["payload"]); - var cleanup = remove(["_pri", "payload"]); - var onMatch = function(evt) { - var pri, priStr = fetchPRI(evt); - if (priStr != null - && 0 < priStr.length && priStr.length < 4 - && !isNaN((pri = Number(priStr))) - && 0 <= pri && pri < 192) { - var severity = pri & 7, - facility = pri >> 3; - setc("_severity", "" + severity)(evt); - setc("_facility", "" + facility)(evt); - // Replace message with priority stripped. - evt.Put("message", fetchPayload(evt)); - removePayload(evt); - } else { - // not a valid syslog PRI, cleanup. 
- cleanup(evt); - } - }; - return conditional({ - if: isEnabled, - then: cleanup_flags(match( - "STRIP_PRI", - "message", - "<%{_pri}>%{payload}", - onMatch - )) - }); - })(); - - function match(id, src, pattern, on_success) { - var dissect = new processor.Dissect({ - field: src, - tokenizer: pattern, - target_prefix: FIELDS_OBJECT, - ignore_failure: true, - overwrite_keys: true, - trim_values: "right" - }); - return function (evt) { - var msg = evt.Get(src); - dissect.Run(evt); - var failed = evt.Get(FLAG_FIELD) != null; - if (debug) { - if (failed) { - console.debug("dissect fail: " + id + " field:" + src); - } else { - console.debug("dissect OK: " + id + " field:" + src); - } - console.debug(" expr: <<" + pattern + ">>"); - console.debug(" input: <<" + msg + ">>"); - } - if (on_success != null && !failed) { - on_success(evt); - } - }; - } - - function match_copy(id, src, dst, on_success) { - dst = FIELDS_PREFIX + dst; - if (dst === FIELDS_PREFIX || dst === src) { - return function (evt) { - if (debug) { - console.debug("noop OK: " + id + " field:" + src); - console.debug(" input: <<" + evt.Get(src) + ">>"); - } - if (on_success != null) on_success(evt); - } - } - return function (evt) { - var msg = evt.Get(src); - evt.Put(dst, msg); - if (debug) { - console.debug("copy OK: " + id + " field:" + src); - console.debug(" target: '" + dst + "'"); - console.debug(" input: <<" + msg + ">>"); - } - if (on_success != null) on_success(evt); - } - } - - function cleanup_flags(processor) { - return function(evt) { - processor(evt); - evt.Delete(FLAG_FIELD); - }; - } - - function all_match(opts) { - return function (evt) { - var i; - for (i = 0; i < opts.processors.length; i++) { - evt.Delete(FLAG_FIELD); - opts.processors[i](evt); - // Dissect processor succeeded? 
- if (evt.Get(FLAG_FIELD) != null) { - if (debug) console.warn("all_match failure at " + i); - if (opts.on_failure != null) opts.on_failure(evt); - return; - } - if (debug) console.warn("all_match success at " + i); - } - if (opts.on_success != null) opts.on_success(evt); - }; - } - - function msgid_select(mapping) { - return function (evt) { - var msgid = evt.Get(FIELDS_PREFIX + "messageid"); - if (msgid == null) { - if (debug) console.warn("msgid_select: no messageid captured!"); - return; - } - var next = mapping[msgid]; - if (next === undefined) { - if (debug) console.warn("msgid_select: no mapping for messageid:" + msgid); - return; - } - if (debug) console.info("msgid_select: matched key=" + msgid); - return next(evt); - }; - } - - function msg(msg_id, match) { - return function (evt) { - match(evt); - if (evt.Get(FLAG_FIELD) == null) { - evt.Put(FIELDS_PREFIX + "msg_id1", msg_id); - } - }; - } - - var start; - - function save_flags(evt) { - saved_flags = evt.Get(FLAG_FIELD); - evt.Put("event.original", evt.Get("message")); - } - - function restore_flags(evt) { - if (saved_flags !== null) { - evt.Put(FLAG_FIELD, saved_flags); - } - evt.Delete("message"); - } - - function constant(value) { - return function (evt) { - return value; - }; - } - - function field(name) { - var fullname = FIELDS_PREFIX + name; - return function (evt) { - return evt.Get(fullname); - }; - } - - function STRCAT(args) { - var s = ""; - var i; - for (i = 0; i < args.length; i++) { - s += args[i]; - } - return s; - } - - // TODO: Implement - function DIRCHK(args) { - unimplemented("DIRCHK"); - } - - function strictToInt(str) { - return str * 1; - } - - function CALC(args) { - if (args.length !== 3) { - console.warn("skipped call to CALC with " + args.length + " arguments."); - return; - } - var a = strictToInt(args[0]); - var b = strictToInt(args[2]); - if (isNaN(a) || isNaN(b)) { - console.warn("failed evaluating CALC arguments a='" + args[0] + "' b='" + args[2] + "'."); - return; - } - 
var result; - switch (args[1]) { - case "+": - result = a + b; - break; - case "-": - result = a - b; - break; - case "*": - result = a * b; - break; - default: - // Only * and + seen in the parsers. - console.warn("unknown CALC operation '" + args[1] + "'."); - return; - } - // Always return a string - return result !== undefined ? "" + result : result; - } - - var quoteChars = "\"'`"; - function RMQ(args) { - if(args.length !== 1) { - console.warn("RMQ: only one argument expected"); - return; - } - var value = args[0].trim(); - var n = value.length; - var char; - return n > 1 - && (char=value.charAt(0)) === value.charAt(n-1) - && quoteChars.indexOf(char) !== -1? - value.substr(1, n-2) - : value; - } - - function call(opts) { - var args = new Array(opts.args.length); - return function (evt) { - for (var i = 0; i < opts.args.length; i++) - if ((args[i] = opts.args[i](evt)) == null) return; - var result = opts.fn(args); - if (result != null) { - evt.Put(opts.dest, result); - } - }; - } - - function nop(evt) { - } - - function appendErrorMsg(evt, msg) { - var value = evt.Get("error.message"); - if (value == null) { - value = [msg]; - } else if (msg instanceof Array) { - value.push(msg); - } else { - value = [value, msg]; - } - evt.Put("error.message", value); - } - - function unimplemented(name) { - appendErrorMsg("unimplemented feature: " + name); - } - - function lookup(opts) { - return function (evt) { - var key = opts.key(evt); - if (key == null) return; - var value = opts.map.keyvaluepairs[key]; - if (value === undefined) { - value = opts.map.default; - } - if (value !== undefined) { - evt.Put(opts.dest, value(evt)); - } - }; - } - - function set(fields) { - return new processor.AddFields({ - target: FIELDS_OBJECT, - fields: fields, - }); - } - - function setf(dst, src) { - return function (evt) { - var val = evt.Get(FIELDS_PREFIX + src); - if (val != null) evt.Put(FIELDS_PREFIX + dst, val); - }; - } - - function setc(dst, value) { - return function (evt) { - 
evt.Put(FIELDS_PREFIX + dst, value); - }; - } - - function set_field(opts) { - return function (evt) { - var val = opts.value(evt); - if (val != null) evt.Put(opts.dest, val); - }; - } - - function dump(label) { - return function (evt) { - console.log("Dump of event at " + label + ": " + JSON.stringify(evt, null, "\t")); - }; - } - - function date_time_join_args(evt, arglist) { - var str = ""; - for (var i = 0; i < arglist.length; i++) { - var fname = FIELDS_PREFIX + arglist[i]; - var val = evt.Get(fname); - if (val != null) { - if (str !== "") str += " "; - str += val; - } else { - if (debug) console.warn("in date_time: input arg " + fname + " is not set"); - } - } - return str; - } - - function to2Digit(num) { - return num? (num < 10? "0" + num : num) : "00"; - } - - // Make two-digit dates 00-69 interpreted as 2000-2069 - // and dates 70-99 translated to 1970-1999. - var twoDigitYearEpoch = 70; - var twoDigitYearCentury = 2000; - - // This is to accept dates up to 2 days in the future, only used when - // no year is specified in a date. 2 days should be enough to account for - // time differences between systems and different tz offsets. - var maxFutureDelta = 2*24*60*60*1000; - - // DateContainer stores date fields and then converts those fields into - // a Date. Necessary because building a Date using its set() methods gives - // different results depending on the order of components. - function DateContainer(tzOffset) { - this.offset = tzOffset === undefined? "Z" : tzOffset; - } - - DateContainer.prototype = { - setYear: function(v) {this.year = v;}, - setMonth: function(v) {this.month = v;}, - setDay: function(v) {this.day = v;}, - setHours: function(v) {this.hours = v;}, - setMinutes: function(v) {this.minutes = v;}, - setSeconds: function(v) {this.seconds = v;}, - - setUNIX: function(v) {this.unix = v;}, - - set2DigitYear: function(v) { - this.year = v < twoDigitYearEpoch? 
twoDigitYearCentury + v : twoDigitYearCentury + v - 100; - }, - - toDate: function() { - if (this.unix !== undefined) { - return new Date(this.unix * 1000); - } - if (this.day === undefined || this.month === undefined) { - // Can't make a date from this. - return undefined; - } - if (this.year === undefined) { - // A date without a year. Set current year, or previous year - // if date would be in the future. - var now = new Date(); - this.year = now.getFullYear(); - var date = this.toDate(); - if (date.getTime() - now.getTime() > maxFutureDelta) { - date.setFullYear(now.getFullYear() - 1); - } - return date; - } - var MM = to2Digit(this.month); - var DD = to2Digit(this.day); - var hh = to2Digit(this.hours); - var mm = to2Digit(this.minutes); - var ss = to2Digit(this.seconds); - return new Date(this.year + "-" + MM + "-" + DD + "T" + hh + ":" + mm + ":" + ss + this.offset); - } - } - - function date_time_try_pattern(fmt, str, tzOffset) { - var date = new DateContainer(tzOffset); - var pos = date_time_try_pattern_at_pos(fmt, str, 0, date); - return pos !== undefined? 
date.toDate() : undefined; - } - - function date_time_try_pattern_at_pos(fmt, str, pos, date) { - var len = str.length; - for (var proc = 0; pos !== undefined && pos < len && proc < fmt.length; proc++) { - pos = fmt[proc](str, pos, date); - } - return pos; - } - - function date_time(opts) { - return function (evt) { - var tzOffset = opts.tz || tz_offset; - if (tzOffset === "event") { - tzOffset = evt.Get("event.timezone"); - } - var str = date_time_join_args(evt, opts.args); - for (var i = 0; i < opts.fmts.length; i++) { - var date = date_time_try_pattern(opts.fmts[i], str, tzOffset); - if (date !== undefined) { - evt.Put(FIELDS_PREFIX + opts.dest, date); - return; - } - } - if (debug) console.warn("in date_time: id=" + opts.id + " FAILED: " + str); - }; - } - - var uA = 60 * 60 * 24; - var uD = 60 * 60 * 24; - var uF = 60 * 60; - var uG = 60 * 60 * 24 * 30; - var uH = 60 * 60; - var uI = 60 * 60; - var uJ = 60 * 60 * 24; - var uM = 60 * 60 * 24 * 30; - var uN = 60 * 60; - var uO = 1; - var uS = 1; - var uT = 60; - var uU = 60; - var uc = dc; - - function duration(opts) { - return function(evt) { - var str = date_time_join_args(evt, opts.args); - for (var i = 0; i < opts.fmts.length; i++) { - var seconds = duration_try_pattern(opts.fmts[i], str); - if (seconds !== undefined) { - evt.Put(FIELDS_PREFIX + opts.dest, seconds); - return; - } - } - if (debug) console.warn("in duration: id=" + opts.id + " (s) FAILED: " + str); - }; - } - - function duration_try_pattern(fmt, str) { - var secs = 0; - var pos = 0; - for (var i=0; i [ month_id , how many chars to skip if month in long form ] - "Jan": [0, 4], - "Feb": [1, 5], - "Mar": [2, 2], - "Apr": [3, 2], - "May": [4, 0], - "Jun": [5, 1], - "Jul": [6, 1], - "Aug": [7, 3], - "Sep": [8, 6], - "Oct": [9, 4], - "Nov": [10, 5], - "Dec": [11, 4], - "jan": [0, 4], - "feb": [1, 5], - "mar": [2, 2], - "apr": [3, 2], - "may": [4, 0], - "jun": [5, 1], - "jul": [6, 1], - "aug": [7, 3], - "sep": [8, 6], - "oct": [9, 4], - "nov": [10, 
5], - "dec": [11, 4], - }; - - // var dC = undefined; - var dR = dateMonthName(true); - var dB = dateMonthName(false); - var dM = dateFixedWidthNumber("M", 2, 1, 12, DateContainer.prototype.setMonth); - var dG = dateVariableWidthNumber("G", 1, 12, DateContainer.prototype.setMonth); - var dD = dateFixedWidthNumber("D", 2, 1, 31, DateContainer.prototype.setDay); - var dF = dateVariableWidthNumber("F", 1, 31, DateContainer.prototype.setDay); - var dH = dateFixedWidthNumber("H", 2, 0, 24, DateContainer.prototype.setHours); - var dI = dateVariableWidthNumber("I", 0, 24, DateContainer.prototype.setHours); // Accept hours >12 - var dN = dateVariableWidthNumber("N", 0, 24, DateContainer.prototype.setHours); - var dT = dateFixedWidthNumber("T", 2, 0, 59, DateContainer.prototype.setMinutes); - var dU = dateVariableWidthNumber("U", 0, 59, DateContainer.prototype.setMinutes); - var dP = parseAMPM; // AM|PM - var dQ = parseAMPM; // A.M.|P.M - var dS = dateFixedWidthNumber("S", 2, 0, 60, DateContainer.prototype.setSeconds); - var dO = dateVariableWidthNumber("O", 0, 60, DateContainer.prototype.setSeconds); - var dY = dateFixedWidthNumber("Y", 2, 0, 99, DateContainer.prototype.set2DigitYear); - var dW = dateFixedWidthNumber("W", 4, 1000, 9999, DateContainer.prototype.setYear); - var dZ = parseHMS; - var dX = dateVariableWidthNumber("X", 0, 0x10000000000, DateContainer.prototype.setUNIX); - - // parseAMPM parses "A.M", "AM", "P.M", "PM" from logs. - // Only works if this modifier appears after the hour has been read from logs - // which is always the case in the 300 devices. 
- function parseAMPM(str, pos, date) { - var n = str.length; - var start = skipws(str, pos); - if (start + 2 > n) return; - var head = str.substr(start, 2).toUpperCase(); - var isPM = false; - var skip = false; - switch (head) { - case "A.": - skip = true; - /* falls through */ - case "AM": - break; - case "P.": - skip = true; - /* falls through */ - case "PM": - isPM = true; - break; - default: - if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(head:" + head + ")"); - return; - } - pos = start + 2; - if (skip) { - if (pos+2 > n || str.substr(pos, 2).toUpperCase() !== "M.") { - if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(tail)"); - return; - } - pos += 2; - } - var hh = date.hours; - if (isPM) { - // Accept existing hour in 24h format. - if (hh < 12) hh += 12; - } else { - if (hh === 12) hh = 0; - } - date.setHours(hh); - return pos; - } - - function parseHMS(str, pos, date) { - return date_time_try_pattern_at_pos([dN, dc(":"), dU, dc(":"), dO], str, pos, date); - } - - function skipws(str, pos) { - for ( var n = str.length; - pos < n && str.charAt(pos) === " "; - pos++) - ; - return pos; - } - - function skipdigits(str, pos) { - var c; - for (var n = str.length; - pos < n && (c = str.charAt(pos)) >= "0" && c <= "9"; - pos++) - ; - return pos; - } - - function dSkip(str, pos, date) { - var chr; - for (;pos < str.length && (chr=str[pos])<'0' || chr>'9'; pos++) {} - return pos < str.length? 
pos : undefined; - } - - function dateVariableWidthNumber(fmtChar, min, max, setter) { - return function (str, pos, date) { - var start = skipws(str, pos); - pos = skipdigits(str, start); - var s = str.substr(start, pos - start); - var value = parseInt(s, 10); - if (value >= min && value <= max) { - setter.call(date, value); - return pos; - } - return; - }; - } - - function dateFixedWidthNumber(fmtChar, width, min, max, setter) { - return function (str, pos, date) { - pos = skipws(str, pos); - var n = str.length; - if (pos + width > n) return; - var s = str.substr(pos, width); - var value = parseInt(s, 10); - if (value >= min && value <= max) { - setter.call(date, value); - return pos + width; - } - return; - }; - } - - // Short month name (Jan..Dec). - function dateMonthName(long) { - return function (str, pos, date) { - pos = skipws(str, pos); - var n = str.length; - if (pos + 3 > n) return; - var mon = str.substr(pos, 3); - var idx = shortMonths[mon]; - if (idx === undefined) { - idx = shortMonths[mon.toLowerCase()]; - } - if (idx === undefined) { - //console.warn("parsing date_time: '" + mon + "' is not a valid short month (%B)"); - return; - } - date.setMonth(idx[0]+1); - return pos + 3 + (long ? 
idx[1] : 0); - }; - } - - function url_wrapper(dst, src, fn) { - return function(evt) { - var value = evt.Get(FIELDS_PREFIX + src), result; - if (value != null && (result = fn(value))!== undefined) { - evt.Put(FIELDS_PREFIX + dst, result); - } else { - console.debug(fn.name + " failed for '" + value + "'"); - } - }; - } - - // The following regular expression for parsing URLs from: - // https://github.com/wizard04wsu/URI_Parsing - // - // The MIT License (MIT) - // - // Copyright (c) 2014 Andrew Harrison - // - // Permission is hereby granted, free of charge, to any person obtaining a copy of - // this software and associated documentation files (the "Software"), to deal in - // the Software without restriction, including without limitation the rights to - // use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of - // the Software, and to permit persons to whom the Software is furnished to do so, - // subject to the following conditions: - // - // The above copyright notice and this permission notice shall be included in all - // copies or substantial portions of the Software. - // - // THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR - // IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS - // FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR - // COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER - // IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN - // CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 
- var uriRegExp = /^([a-z][a-z0-9+.\-]*):(?:\/\/((?:(?=((?:[a-z0-9\-._~!$&'()*+,;=:]|%[0-9A-F]{2})*))(\3)@)?(?=(\[[0-9A-F:.]{2,}\]|(?:[a-z0-9\-._~!$&'()*+,;=]|%[0-9A-F]{2})*))\5(?::(?=(\d*))\6)?)(\/(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\8)?|(\/?(?!\/)(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\10)?)(?:\?(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\11)?(?:#(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\12)?$/i; - - var uriScheme = 1; - var uriDomain = 5; - var uriPort = 6; - var uriPath = 7; - var uriPathAlt = 9; - var uriQuery = 11; - - function domain(dst, src) { - return url_wrapper(dst, src, extract_domain); - } - - function split_url(value) { - var m = value.match(uriRegExp); - if (m && m[uriDomain]) return m; - // Support input in the form "www.example.net/path", but not "/path". - m = ("null://" + value).match(uriRegExp); - if (m) return m; - } - - function extract_domain(value) { - var m = split_url(value); - if (m && m[uriDomain]) return m[uriDomain]; - } - - var extFromPage = /\.[^.]+$/; - function extract_ext(value) { - var page = extract_page(value); - if (page) { - var m = page.match(extFromPage); - if (m) return m[0]; - } - } - - function ext(dst, src) { - return url_wrapper(dst, src, extract_ext); - } - - function fqdn(dst, src) { - // TODO: fqdn and domain(eTLD+1) are currently the same. - return domain(dst, src); - } - - var pageFromPathRegExp = /\/([^\/]+)$/; - var pageName = 1; - - function extract_page(value) { - value = extract_path(value); - if (!value) return undefined; - var m = value.match(pageFromPathRegExp); - if (m) return m[pageName]; - } - - function page(dst, src) { - return url_wrapper(dst, src, extract_page); - } - - function extract_path(value) { - var m = split_url(value); - return m? m[uriPath] || m[uriPathAlt] : undefined; - } - - function path(dst, src) { - return url_wrapper(dst, src, extract_path); - } - - // Map common schemes to their default port. 
- // port has to be a string (will be converted at a later stage). - var schemePort = { - "ftp": "21", - "ssh": "22", - "http": "80", - "https": "443", - }; - - function extract_port(value) { - var m = split_url(value); - if (!m) return undefined; - if (m[uriPort]) return m[uriPort]; - if (m[uriScheme]) { - return schemePort[m[uriScheme]]; - } - } - - function port(dst, src) { - return url_wrapper(dst, src, extract_port); - } - - function extract_query(value) { - var m = split_url(value); - if (m && m[uriQuery]) return m[uriQuery]; - } - - function query(dst, src) { - return url_wrapper(dst, src, extract_query); - } - - function extract_root(value) { - var m = split_url(value); - if (m && m[uriDomain] && m[uriDomain]) { - var scheme = m[uriScheme] && m[uriScheme] !== "null"? - m[uriScheme] + "://" : ""; - var port = m[uriPort]? ":" + m[uriPort] : ""; - return scheme + m[uriDomain] + port; - } - } - - function root(dst, src) { - return url_wrapper(dst, src, extract_root); - } - - function tagval(id, src, cfg, keys, on_success) { - var fail = function(evt) { - evt.Put(FLAG_FIELD, "tagval_parsing_error"); - } - if (cfg.kv_separator.length !== 1) { - throw("Invalid TAGVALMAP ValueDelimiter (must have 1 character)"); - } - var quotes_len = cfg.open_quote.length > 0 && cfg.close_quote.length > 0? 
- cfg.open_quote.length + cfg.close_quote.length : 0; - var kv_regex = new RegExp('^([^' + cfg.kv_separator + ']*)*' + cfg.kv_separator + ' *(.*)*$'); - return function(evt) { - var msg = evt.Get(src); - if (msg === undefined) { - console.warn("tagval: input field is missing"); - return fail(evt); - } - var pairs = msg.split(cfg.pair_separator); - var i; - var success = false; - var prev = ""; - for (i=0; i 0 && - value.length >= cfg.open_quote.length + cfg.close_quote.length && - value.substr(0, cfg.open_quote.length) === cfg.open_quote && - value.substr(value.length - cfg.close_quote.length) === cfg.close_quote) { - value = value.substr(cfg.open_quote.length, value.length - quotes_len); - } - evt.Put(FIELDS_PREFIX + field, value); - success = true; - } - if (!success) { - return fail(evt); - } - if (on_success != null) { - on_success(evt); - } - } - } - - var ecs_mappings = { - "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]}, - "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]}, - "_severity": {convert: to_long, to:[{field: "log.syslog.severity.code", setter: fld_set}]}, - "action": {to:[{field: "event.action", setter: fld_prio, prio: 0}]}, - "administrator": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 4}]}, - "alias.ip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 3},{field: "related.ip", setter: fld_append}]}, - "alias.ipv6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 4},{field: "related.ip", setter: fld_append}]}, - "alias.mac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 1}]}, - "application": {to:[{field: "network.application", setter: fld_set}]}, - "bytes": {convert: to_long, to:[{field: "network.bytes", setter: fld_set}]}, - "c_domain": {to:[{field: "source.domain", setter: fld_prio, prio: 1}]}, - "c_logon_id": {to:[{field: "user.id", setter: fld_prio, prio: 2}]}, - 
"c_user_name": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 8}]}, - "c_username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 2}]}, - "cctld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 1}]}, - "child_pid": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 1}]}, - "child_pid_val": {to:[{field: "process.title", setter: fld_set}]}, - "child_process": {to:[{field: "process.name", setter: fld_prio, prio: 1}]}, - "city.dst": {to:[{field: "destination.geo.city_name", setter: fld_set}]}, - "city.src": {to:[{field: "source.geo.city_name", setter: fld_set}]}, - "daddr": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, - "daddr_v6": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, - "ddomain": {to:[{field: "destination.domain", setter: fld_prio, prio: 0}]}, - "devicehostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, - "devicehostmac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 0}]}, - "dhost": {to:[{field: "destination.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]}, - "dinterface": {to:[{field: "observer.egress.interface.name", setter: fld_set}]}, - "direction": {to:[{field: "network.direction", setter: fld_set}]}, - "directory": {to:[{field: "file.directory", setter: fld_set}]}, - "dmacaddr": {convert: to_mac, to:[{field: "destination.mac", setter: fld_set}]}, - "dns.responsetype": {to:[{field: "dns.answers.type", setter: fld_set}]}, - "dns.resptext": {to:[{field: "dns.answers.name", setter: fld_set}]}, - "dns_querytype": {to:[{field: "dns.question.type", setter: fld_set}]}, - "domain": {to:[{field: "server.domain", setter: fld_prio, prio: 0},{field: "related.hosts", setter: fld_append}]}, - 
"domain.dst": {to:[{field: "destination.domain", setter: fld_prio, prio: 1}]}, - "domain.src": {to:[{field: "source.domain", setter: fld_prio, prio: 2}]}, - "domain_id": {to:[{field: "user.domain", setter: fld_set}]}, - "domainname": {to:[{field: "server.domain", setter: fld_prio, prio: 1}]}, - "dport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 0}]}, - "dtransaddr": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, - "dtransport": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 0}]}, - "ec_outcome": {to:[{field: "event.outcome", setter: fld_ecs_outcome}]}, - "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]}, - "event_source": {to:[{field: "related.hosts", setter: fld_append}]}, - "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]}, - "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]}, - "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]}, - "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]}, - "filename": {to:[{field: "file.name", setter: fld_prio, prio: 0}]}, - "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]}, - "filepath": {to:[{field: "file.path", setter: fld_set}]}, - "filetype": {to:[{field: "file.type", setter: fld_set}]}, - "fqdn": {to:[{field: "related.hosts", setter: fld_append}]}, - "group": {to:[{field: "group.name", setter: fld_set}]}, - "groupid": {to:[{field: "group.id", setter: fld_set}]}, - "host": {to:[{field: "host.name", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]}, - "hostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, - "hostip_v6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, - "hostname": {to:[{field: 
"host.name", setter: fld_prio, prio: 0}]}, - "id": {to:[{field: "event.code", setter: fld_prio, prio: 0}]}, - "interface": {to:[{field: "network.interface.name", setter: fld_set}]}, - "ip.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, - "ip.trans.dst": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, - "ip.trans.src": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, - "ipv6.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, - "latdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lat", setter: fld_set}]}, - "latdec_src": {convert: to_double, to:[{field: "source.geo.location.lat", setter: fld_set}]}, - "location_city": {to:[{field: "geo.city_name", setter: fld_set}]}, - "location_country": {to:[{field: "geo.country_name", setter: fld_set}]}, - "location_desc": {to:[{field: "geo.name", setter: fld_set}]}, - "location_dst": {to:[{field: "destination.geo.country_name", setter: fld_set}]}, - "location_src": {to:[{field: "source.geo.country_name", setter: fld_set}]}, - "location_state": {to:[{field: "geo.region_name", setter: fld_set}]}, - "logon_id": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 5}]}, - "longdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lon", setter: fld_set}]}, - "longdec_src": {convert: to_double, to:[{field: "source.geo.location.lon", setter: fld_set}]}, - "macaddr": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 2}]}, - "messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]}, - "method": {to:[{field: "http.request.method", setter: fld_set}]}, - "msg": {to:[{field: "message", setter: fld_set}]}, - "orig_ip": {convert: to_ip, 
to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, - "owner": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 6}]}, - "packets": {convert: to_long, to:[{field: "network.packets", setter: fld_set}]}, - "parent_pid": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 0}]}, - "parent_pid_val": {to:[{field: "process.parent.title", setter: fld_set}]}, - "parent_process": {to:[{field: "process.parent.name", setter: fld_prio, prio: 0}]}, - "patient_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 1}]}, - "port.dst": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 1}]}, - "port.src": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 1}]}, - "port.trans.dst": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 1}]}, - "port.trans.src": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 1}]}, - "process": {to:[{field: "process.name", setter: fld_prio, prio: 0}]}, - "process_id": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 0}]}, - "process_id_src": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 1}]}, - "process_src": {to:[{field: "process.parent.name", setter: fld_prio, prio: 1}]}, - "product": {to:[{field: "observer.product", setter: fld_set}]}, - "protocol": {to:[{field: "network.protocol", setter: fld_set}]}, - "query": {to:[{field: "url.query", setter: fld_prio, prio: 2}]}, - "rbytes": {convert: to_long, to:[{field: "destination.bytes", setter: fld_set}]}, - "referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 1}]}, - "rulename": {to:[{field: "rule.name", setter: fld_set}]}, - "saddr": {convert: to_ip, to:[{field: "source.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, - "saddr_v6": {convert: to_ip, to:[{field: "source.ip", setter: 
fld_set},{field: "related.ip", setter: fld_append}]}, - "sbytes": {convert: to_long, to:[{field: "source.bytes", setter: fld_set}]}, - "sdomain": {to:[{field: "source.domain", setter: fld_prio, prio: 0}]}, - "service": {to:[{field: "service.name", setter: fld_prio, prio: 1}]}, - "service.name": {to:[{field: "service.name", setter: fld_prio, prio: 0}]}, - "service_account": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 7}]}, - "severity": {to:[{field: "log.level", setter: fld_set}]}, - "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]}, - "sinterface": {to:[{field: "observer.ingress.interface.name", setter: fld_set}]}, - "sld": {to:[{field: "url.registered_domain", setter: fld_set}]}, - "smacaddr": {convert: to_mac, to:[{field: "source.mac", setter: fld_set}]}, - "sport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 0}]}, - "stransaddr": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, - "stransport": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 0}]}, - "tcp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 2}]}, - "tcp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 2}]}, - "timezone": {to:[{field: "event.timezone", setter: fld_set}]}, - "tld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 0}]}, - "udp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 3}]}, - "udp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 3}]}, - "uid": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 3}]}, - "url": {to:[{field: "url.original", setter: fld_prio, prio: 1}]}, - "url_raw": {to:[{field: "url.original", setter: fld_prio, prio: 
0}]}, - "urldomain": {to:[{field: "url.domain", setter: fld_prio, prio: 0}]}, - "urlquery": {to:[{field: "url.query", setter: fld_prio, prio: 0}]}, - "user": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 0}]}, - "user.id": {to:[{field: "user.id", setter: fld_prio, prio: 1}]}, - "user_agent": {to:[{field: "user_agent.original", setter: fld_set}]}, - "user_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 0}]}, - "user_id": {to:[{field: "user.id", setter: fld_prio, prio: 0}]}, - "username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 1}]}, - "version": {to:[{field: "observer.version", setter: fld_set}]}, - "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]}, - "web_extension": {to:[{field: "file.extension", setter: fld_prio, prio: 0}]}, - "web_query": {to:[{field: "url.query", setter: fld_prio, prio: 1}]}, - "web_ref_domain": {to:[{field: "related.hosts", setter: fld_append}]}, - "web_referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 0}]}, - "web_root": {to:[{field: "url.path", setter: fld_set}]}, - "webpage": {to:[{field: "file.name", setter: fld_prio, prio: 1}]}, - }; - - var rsa_mappings = { - "access_point": {to:[{field: "rsa.wireless.access_point", setter: fld_set}]}, - "accesses": {to:[{field: "rsa.identity.accesses", setter: fld_set}]}, - "acl_id": {to:[{field: "rsa.misc.acl_id", setter: fld_set}]}, - "acl_op": {to:[{field: "rsa.misc.acl_op", setter: fld_set}]}, - "acl_pos": {to:[{field: "rsa.misc.acl_pos", setter: fld_set}]}, - "acl_table": {to:[{field: "rsa.misc.acl_table", setter: fld_set}]}, - "action": {to:[{field: "rsa.misc.action", setter: fld_append}]}, - "ad_computer_dst": {to:[{field: "rsa.network.ad_computer_dst", setter: fld_set}]}, - "addr": {to:[{field: "rsa.network.addr", setter: fld_set}]}, - "admin": {to:[{field: "rsa.misc.admin", setter: 
fld_set}]}, - "agent": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 0}]}, - "agent.id": {to:[{field: "rsa.misc.agent_id", setter: fld_set}]}, - "alarm_id": {to:[{field: "rsa.misc.alarm_id", setter: fld_set}]}, - "alarmname": {to:[{field: "rsa.misc.alarmname", setter: fld_set}]}, - "alert": {to:[{field: "rsa.threat.alert", setter: fld_set}]}, - "alert_id": {to:[{field: "rsa.misc.alert_id", setter: fld_set}]}, - "alias.host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "analysis.file": {to:[{field: "rsa.investigations.analysis_file", setter: fld_set}]}, - "analysis.service": {to:[{field: "rsa.investigations.analysis_service", setter: fld_set}]}, - "analysis.session": {to:[{field: "rsa.investigations.analysis_session", setter: fld_set}]}, - "app_id": {to:[{field: "rsa.misc.app_id", setter: fld_set}]}, - "attachment": {to:[{field: "rsa.file.attachment", setter: fld_set}]}, - "audit": {to:[{field: "rsa.misc.audit", setter: fld_set}]}, - "audit_class": {to:[{field: "rsa.internal.audit_class", setter: fld_set}]}, - "audit_object": {to:[{field: "rsa.misc.audit_object", setter: fld_set}]}, - "auditdata": {to:[{field: "rsa.misc.auditdata", setter: fld_set}]}, - "authmethod": {to:[{field: "rsa.identity.auth_method", setter: fld_set}]}, - "autorun_type": {to:[{field: "rsa.misc.autorun_type", setter: fld_set}]}, - "bcc": {to:[{field: "rsa.email.email", setter: fld_append}]}, - "benchmark": {to:[{field: "rsa.misc.benchmark", setter: fld_set}]}, - "binary": {to:[{field: "rsa.file.binary", setter: fld_set}]}, - "boc": {to:[{field: "rsa.investigations.boc", setter: fld_set}]}, - "bssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 1}]}, - "bypass": {to:[{field: "rsa.misc.bypass", setter: fld_set}]}, - "c_sid": {to:[{field: "rsa.identity.user_sid_src", setter: fld_set}]}, - "cache": {to:[{field: "rsa.misc.cache", setter: fld_set}]}, - "cache_hit": {to:[{field: "rsa.misc.cache_hit", setter: fld_set}]}, - "calling_from": {to:[{field: 
"rsa.misc.phone", setter: fld_prio, prio: 1}]}, - "calling_to": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 0}]}, - "category": {to:[{field: "rsa.misc.category", setter: fld_set}]}, - "cc": {to:[{field: "rsa.email.email", setter: fld_append}]}, - "cc.number": {convert: to_long, to:[{field: "rsa.misc.cc_number", setter: fld_set}]}, - "cefversion": {to:[{field: "rsa.misc.cefversion", setter: fld_set}]}, - "cert.serial": {to:[{field: "rsa.crypto.cert_serial", setter: fld_set}]}, - "cert_ca": {to:[{field: "rsa.crypto.cert_ca", setter: fld_set}]}, - "cert_checksum": {to:[{field: "rsa.crypto.cert_checksum", setter: fld_set}]}, - "cert_common": {to:[{field: "rsa.crypto.cert_common", setter: fld_set}]}, - "cert_error": {to:[{field: "rsa.crypto.cert_error", setter: fld_set}]}, - "cert_hostname": {to:[{field: "rsa.crypto.cert_host_name", setter: fld_set}]}, - "cert_hostname_cat": {to:[{field: "rsa.crypto.cert_host_cat", setter: fld_set}]}, - "cert_issuer": {to:[{field: "rsa.crypto.cert_issuer", setter: fld_set}]}, - "cert_keysize": {to:[{field: "rsa.crypto.cert_keysize", setter: fld_set}]}, - "cert_status": {to:[{field: "rsa.crypto.cert_status", setter: fld_set}]}, - "cert_subject": {to:[{field: "rsa.crypto.cert_subject", setter: fld_set}]}, - "cert_username": {to:[{field: "rsa.crypto.cert_username", setter: fld_set}]}, - "cfg.attr": {to:[{field: "rsa.misc.cfg_attr", setter: fld_set}]}, - "cfg.obj": {to:[{field: "rsa.misc.cfg_obj", setter: fld_set}]}, - "cfg.path": {to:[{field: "rsa.misc.cfg_path", setter: fld_set}]}, - "change_attribute": {to:[{field: "rsa.misc.change_attrib", setter: fld_set}]}, - "change_new": {to:[{field: "rsa.misc.change_new", setter: fld_set}]}, - "change_old": {to:[{field: "rsa.misc.change_old", setter: fld_set}]}, - "changes": {to:[{field: "rsa.misc.changes", setter: fld_set}]}, - "checksum": {to:[{field: "rsa.misc.checksum", setter: fld_set}]}, - "checksum.dst": {to:[{field: "rsa.misc.checksum_dst", setter: fld_set}]}, - "checksum.src": 
{to:[{field: "rsa.misc.checksum_src", setter: fld_set}]}, - "cid": {to:[{field: "rsa.internal.cid", setter: fld_set}]}, - "client": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 1}]}, - "client_ip": {to:[{field: "rsa.misc.client_ip", setter: fld_set}]}, - "clustermembers": {to:[{field: "rsa.misc.clustermembers", setter: fld_set}]}, - "cmd": {to:[{field: "rsa.misc.cmd", setter: fld_set}]}, - "cn_acttimeout": {to:[{field: "rsa.misc.cn_acttimeout", setter: fld_set}]}, - "cn_asn_dst": {to:[{field: "rsa.web.cn_asn_dst", setter: fld_set}]}, - "cn_asn_src": {to:[{field: "rsa.misc.cn_asn_src", setter: fld_set}]}, - "cn_bgpv4nxthop": {to:[{field: "rsa.misc.cn_bgpv4nxthop", setter: fld_set}]}, - "cn_ctr_dst_code": {to:[{field: "rsa.misc.cn_ctr_dst_code", setter: fld_set}]}, - "cn_dst_tos": {to:[{field: "rsa.misc.cn_dst_tos", setter: fld_set}]}, - "cn_dst_vlan": {to:[{field: "rsa.misc.cn_dst_vlan", setter: fld_set}]}, - "cn_engine_id": {to:[{field: "rsa.misc.cn_engine_id", setter: fld_set}]}, - "cn_engine_type": {to:[{field: "rsa.misc.cn_engine_type", setter: fld_set}]}, - "cn_f_switch": {to:[{field: "rsa.misc.cn_f_switch", setter: fld_set}]}, - "cn_flowsampid": {to:[{field: "rsa.misc.cn_flowsampid", setter: fld_set}]}, - "cn_flowsampintv": {to:[{field: "rsa.misc.cn_flowsampintv", setter: fld_set}]}, - "cn_flowsampmode": {to:[{field: "rsa.misc.cn_flowsampmode", setter: fld_set}]}, - "cn_inacttimeout": {to:[{field: "rsa.misc.cn_inacttimeout", setter: fld_set}]}, - "cn_inpermbyts": {to:[{field: "rsa.misc.cn_inpermbyts", setter: fld_set}]}, - "cn_inpermpckts": {to:[{field: "rsa.misc.cn_inpermpckts", setter: fld_set}]}, - "cn_invalid": {to:[{field: "rsa.misc.cn_invalid", setter: fld_set}]}, - "cn_ip_proto_ver": {to:[{field: "rsa.misc.cn_ip_proto_ver", setter: fld_set}]}, - "cn_ipv4_ident": {to:[{field: "rsa.misc.cn_ipv4_ident", setter: fld_set}]}, - "cn_l_switch": {to:[{field: "rsa.misc.cn_l_switch", setter: fld_set}]}, - "cn_log_did": {to:[{field: 
"rsa.misc.cn_log_did", setter: fld_set}]}, - "cn_log_rid": {to:[{field: "rsa.misc.cn_log_rid", setter: fld_set}]}, - "cn_max_ttl": {to:[{field: "rsa.misc.cn_max_ttl", setter: fld_set}]}, - "cn_maxpcktlen": {to:[{field: "rsa.misc.cn_maxpcktlen", setter: fld_set}]}, - "cn_min_ttl": {to:[{field: "rsa.misc.cn_min_ttl", setter: fld_set}]}, - "cn_minpcktlen": {to:[{field: "rsa.misc.cn_minpcktlen", setter: fld_set}]}, - "cn_mpls_lbl_1": {to:[{field: "rsa.misc.cn_mpls_lbl_1", setter: fld_set}]}, - "cn_mpls_lbl_10": {to:[{field: "rsa.misc.cn_mpls_lbl_10", setter: fld_set}]}, - "cn_mpls_lbl_2": {to:[{field: "rsa.misc.cn_mpls_lbl_2", setter: fld_set}]}, - "cn_mpls_lbl_3": {to:[{field: "rsa.misc.cn_mpls_lbl_3", setter: fld_set}]}, - "cn_mpls_lbl_4": {to:[{field: "rsa.misc.cn_mpls_lbl_4", setter: fld_set}]}, - "cn_mpls_lbl_5": {to:[{field: "rsa.misc.cn_mpls_lbl_5", setter: fld_set}]}, - "cn_mpls_lbl_6": {to:[{field: "rsa.misc.cn_mpls_lbl_6", setter: fld_set}]}, - "cn_mpls_lbl_7": {to:[{field: "rsa.misc.cn_mpls_lbl_7", setter: fld_set}]}, - "cn_mpls_lbl_8": {to:[{field: "rsa.misc.cn_mpls_lbl_8", setter: fld_set}]}, - "cn_mpls_lbl_9": {to:[{field: "rsa.misc.cn_mpls_lbl_9", setter: fld_set}]}, - "cn_mplstoplabel": {to:[{field: "rsa.misc.cn_mplstoplabel", setter: fld_set}]}, - "cn_mplstoplabip": {to:[{field: "rsa.misc.cn_mplstoplabip", setter: fld_set}]}, - "cn_mul_dst_byt": {to:[{field: "rsa.misc.cn_mul_dst_byt", setter: fld_set}]}, - "cn_mul_dst_pks": {to:[{field: "rsa.misc.cn_mul_dst_pks", setter: fld_set}]}, - "cn_muligmptype": {to:[{field: "rsa.misc.cn_muligmptype", setter: fld_set}]}, - "cn_rpackets": {to:[{field: "rsa.web.cn_rpackets", setter: fld_set}]}, - "cn_sampalgo": {to:[{field: "rsa.misc.cn_sampalgo", setter: fld_set}]}, - "cn_sampint": {to:[{field: "rsa.misc.cn_sampint", setter: fld_set}]}, - "cn_seqctr": {to:[{field: "rsa.misc.cn_seqctr", setter: fld_set}]}, - "cn_spackets": {to:[{field: "rsa.misc.cn_spackets", setter: fld_set}]}, - "cn_src_tos": {to:[{field: 
"rsa.misc.cn_src_tos", setter: fld_set}]}, - "cn_src_vlan": {to:[{field: "rsa.misc.cn_src_vlan", setter: fld_set}]}, - "cn_sysuptime": {to:[{field: "rsa.misc.cn_sysuptime", setter: fld_set}]}, - "cn_template_id": {to:[{field: "rsa.misc.cn_template_id", setter: fld_set}]}, - "cn_totbytsexp": {to:[{field: "rsa.misc.cn_totbytsexp", setter: fld_set}]}, - "cn_totflowexp": {to:[{field: "rsa.misc.cn_totflowexp", setter: fld_set}]}, - "cn_totpcktsexp": {to:[{field: "rsa.misc.cn_totpcktsexp", setter: fld_set}]}, - "cn_unixnanosecs": {to:[{field: "rsa.misc.cn_unixnanosecs", setter: fld_set}]}, - "cn_v6flowlabel": {to:[{field: "rsa.misc.cn_v6flowlabel", setter: fld_set}]}, - "cn_v6optheaders": {to:[{field: "rsa.misc.cn_v6optheaders", setter: fld_set}]}, - "code": {to:[{field: "rsa.misc.code", setter: fld_set}]}, - "command": {to:[{field: "rsa.misc.command", setter: fld_set}]}, - "comments": {to:[{field: "rsa.misc.comments", setter: fld_set}]}, - "comp_class": {to:[{field: "rsa.misc.comp_class", setter: fld_set}]}, - "comp_name": {to:[{field: "rsa.misc.comp_name", setter: fld_set}]}, - "comp_rbytes": {to:[{field: "rsa.misc.comp_rbytes", setter: fld_set}]}, - "comp_sbytes": {to:[{field: "rsa.misc.comp_sbytes", setter: fld_set}]}, - "component_version": {to:[{field: "rsa.misc.comp_version", setter: fld_set}]}, - "connection_id": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 1}]}, - "connectionid": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 0}]}, - "content": {to:[{field: "rsa.misc.content", setter: fld_set}]}, - "content_type": {to:[{field: "rsa.misc.content_type", setter: fld_set}]}, - "content_version": {to:[{field: "rsa.misc.content_version", setter: fld_set}]}, - "context": {to:[{field: "rsa.misc.context", setter: fld_set}]}, - "count": {to:[{field: "rsa.misc.count", setter: fld_set}]}, - "cpu": {convert: to_long, to:[{field: "rsa.misc.cpu", setter: fld_set}]}, - "cpu_data": {to:[{field: "rsa.misc.cpu_data", setter: fld_set}]}, - 
"criticality": {to:[{field: "rsa.misc.criticality", setter: fld_set}]}, - "cs_agency_dst": {to:[{field: "rsa.misc.cs_agency_dst", setter: fld_set}]}, - "cs_analyzedby": {to:[{field: "rsa.misc.cs_analyzedby", setter: fld_set}]}, - "cs_av_other": {to:[{field: "rsa.misc.cs_av_other", setter: fld_set}]}, - "cs_av_primary": {to:[{field: "rsa.misc.cs_av_primary", setter: fld_set}]}, - "cs_av_secondary": {to:[{field: "rsa.misc.cs_av_secondary", setter: fld_set}]}, - "cs_bgpv6nxthop": {to:[{field: "rsa.misc.cs_bgpv6nxthop", setter: fld_set}]}, - "cs_bit9status": {to:[{field: "rsa.misc.cs_bit9status", setter: fld_set}]}, - "cs_context": {to:[{field: "rsa.misc.cs_context", setter: fld_set}]}, - "cs_control": {to:[{field: "rsa.misc.cs_control", setter: fld_set}]}, - "cs_data": {to:[{field: "rsa.misc.cs_data", setter: fld_set}]}, - "cs_datecret": {to:[{field: "rsa.misc.cs_datecret", setter: fld_set}]}, - "cs_dst_tld": {to:[{field: "rsa.misc.cs_dst_tld", setter: fld_set}]}, - "cs_eth_dst_ven": {to:[{field: "rsa.misc.cs_eth_dst_ven", setter: fld_set}]}, - "cs_eth_src_ven": {to:[{field: "rsa.misc.cs_eth_src_ven", setter: fld_set}]}, - "cs_event_uuid": {to:[{field: "rsa.misc.cs_event_uuid", setter: fld_set}]}, - "cs_filetype": {to:[{field: "rsa.misc.cs_filetype", setter: fld_set}]}, - "cs_fld": {to:[{field: "rsa.misc.cs_fld", setter: fld_set}]}, - "cs_if_desc": {to:[{field: "rsa.misc.cs_if_desc", setter: fld_set}]}, - "cs_if_name": {to:[{field: "rsa.misc.cs_if_name", setter: fld_set}]}, - "cs_ip_next_hop": {to:[{field: "rsa.misc.cs_ip_next_hop", setter: fld_set}]}, - "cs_ipv4dstpre": {to:[{field: "rsa.misc.cs_ipv4dstpre", setter: fld_set}]}, - "cs_ipv4srcpre": {to:[{field: "rsa.misc.cs_ipv4srcpre", setter: fld_set}]}, - "cs_lifetime": {to:[{field: "rsa.misc.cs_lifetime", setter: fld_set}]}, - "cs_log_medium": {to:[{field: "rsa.misc.cs_log_medium", setter: fld_set}]}, - "cs_loginname": {to:[{field: "rsa.misc.cs_loginname", setter: fld_set}]}, - "cs_modulescore": {to:[{field: 
"rsa.misc.cs_modulescore", setter: fld_set}]}, - "cs_modulesign": {to:[{field: "rsa.misc.cs_modulesign", setter: fld_set}]}, - "cs_opswatresult": {to:[{field: "rsa.misc.cs_opswatresult", setter: fld_set}]}, - "cs_payload": {to:[{field: "rsa.misc.cs_payload", setter: fld_set}]}, - "cs_registrant": {to:[{field: "rsa.misc.cs_registrant", setter: fld_set}]}, - "cs_registrar": {to:[{field: "rsa.misc.cs_registrar", setter: fld_set}]}, - "cs_represult": {to:[{field: "rsa.misc.cs_represult", setter: fld_set}]}, - "cs_rpayload": {to:[{field: "rsa.misc.cs_rpayload", setter: fld_set}]}, - "cs_sampler_name": {to:[{field: "rsa.misc.cs_sampler_name", setter: fld_set}]}, - "cs_sourcemodule": {to:[{field: "rsa.misc.cs_sourcemodule", setter: fld_set}]}, - "cs_streams": {to:[{field: "rsa.misc.cs_streams", setter: fld_set}]}, - "cs_targetmodule": {to:[{field: "rsa.misc.cs_targetmodule", setter: fld_set}]}, - "cs_v6nxthop": {to:[{field: "rsa.misc.cs_v6nxthop", setter: fld_set}]}, - "cs_whois_server": {to:[{field: "rsa.misc.cs_whois_server", setter: fld_set}]}, - "cs_yararesult": {to:[{field: "rsa.misc.cs_yararesult", setter: fld_set}]}, - "cve": {to:[{field: "rsa.misc.cve", setter: fld_set}]}, - "d_certauth": {to:[{field: "rsa.crypto.d_certauth", setter: fld_set}]}, - "d_cipher": {to:[{field: "rsa.crypto.cipher_dst", setter: fld_set}]}, - "d_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_dst", setter: fld_set}]}, - "d_sslver": {to:[{field: "rsa.crypto.ssl_ver_dst", setter: fld_set}]}, - "data": {to:[{field: "rsa.internal.data", setter: fld_set}]}, - "data_type": {to:[{field: "rsa.misc.data_type", setter: fld_set}]}, - "date": {to:[{field: "rsa.time.date", setter: fld_set}]}, - "datetime": {to:[{field: "rsa.time.datetime", setter: fld_set}]}, - "day": {to:[{field: "rsa.time.day", setter: fld_set}]}, - "db_id": {to:[{field: "rsa.db.db_id", setter: fld_set}]}, - "db_name": {to:[{field: "rsa.db.database", setter: fld_set}]}, - "db_pid": {convert: to_long, to:[{field: 
"rsa.db.db_pid", setter: fld_set}]}, - "dclass_counter1": {convert: to_long, to:[{field: "rsa.counters.dclass_c1", setter: fld_set}]}, - "dclass_counter1_string": {to:[{field: "rsa.counters.dclass_c1_str", setter: fld_set}]}, - "dclass_counter2": {convert: to_long, to:[{field: "rsa.counters.dclass_c2", setter: fld_set}]}, - "dclass_counter2_string": {to:[{field: "rsa.counters.dclass_c2_str", setter: fld_set}]}, - "dclass_counter3": {convert: to_long, to:[{field: "rsa.counters.dclass_c3", setter: fld_set}]}, - "dclass_counter3_string": {to:[{field: "rsa.counters.dclass_c3_str", setter: fld_set}]}, - "dclass_ratio1": {to:[{field: "rsa.counters.dclass_r1", setter: fld_set}]}, - "dclass_ratio1_string": {to:[{field: "rsa.counters.dclass_r1_str", setter: fld_set}]}, - "dclass_ratio2": {to:[{field: "rsa.counters.dclass_r2", setter: fld_set}]}, - "dclass_ratio2_string": {to:[{field: "rsa.counters.dclass_r2_str", setter: fld_set}]}, - "dclass_ratio3": {to:[{field: "rsa.counters.dclass_r3", setter: fld_set}]}, - "dclass_ratio3_string": {to:[{field: "rsa.counters.dclass_r3_str", setter: fld_set}]}, - "dead": {convert: to_long, to:[{field: "rsa.internal.dead", setter: fld_set}]}, - "description": {to:[{field: "rsa.misc.description", setter: fld_set}]}, - "detail": {to:[{field: "rsa.misc.event_desc", setter: fld_set}]}, - "device": {to:[{field: "rsa.misc.device_name", setter: fld_set}]}, - "device.class": {to:[{field: "rsa.internal.device_class", setter: fld_set}]}, - "device.group": {to:[{field: "rsa.internal.device_group", setter: fld_set}]}, - "device.host": {to:[{field: "rsa.internal.device_host", setter: fld_set}]}, - "device.ip": {convert: to_ip, to:[{field: "rsa.internal.device_ip", setter: fld_set}]}, - "device.ipv6": {convert: to_ip, to:[{field: "rsa.internal.device_ipv6", setter: fld_set}]}, - "device.type": {to:[{field: "rsa.internal.device_type", setter: fld_set}]}, - "device.type.id": {convert: to_long, to:[{field: "rsa.internal.device_type_id", setter: fld_set}]}, 
- "devicehostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "devvendor": {to:[{field: "rsa.misc.devvendor", setter: fld_set}]}, - "dhost": {to:[{field: "rsa.network.host_dst", setter: fld_set}]}, - "did": {to:[{field: "rsa.internal.did", setter: fld_set}]}, - "dinterface": {to:[{field: "rsa.network.dinterface", setter: fld_set}]}, - "directory.dst": {to:[{field: "rsa.file.directory_dst", setter: fld_set}]}, - "directory.src": {to:[{field: "rsa.file.directory_src", setter: fld_set}]}, - "disk_volume": {to:[{field: "rsa.storage.disk_volume", setter: fld_set}]}, - "disposition": {to:[{field: "rsa.misc.disposition", setter: fld_set}]}, - "distance": {to:[{field: "rsa.misc.distance", setter: fld_set}]}, - "dmask": {to:[{field: "rsa.network.dmask", setter: fld_set}]}, - "dn": {to:[{field: "rsa.identity.dn", setter: fld_set}]}, - "dns_a_record": {to:[{field: "rsa.network.dns_a_record", setter: fld_set}]}, - "dns_cname_record": {to:[{field: "rsa.network.dns_cname_record", setter: fld_set}]}, - "dns_id": {to:[{field: "rsa.network.dns_id", setter: fld_set}]}, - "dns_opcode": {to:[{field: "rsa.network.dns_opcode", setter: fld_set}]}, - "dns_ptr_record": {to:[{field: "rsa.network.dns_ptr_record", setter: fld_set}]}, - "dns_resp": {to:[{field: "rsa.network.dns_resp", setter: fld_set}]}, - "dns_type": {to:[{field: "rsa.network.dns_type", setter: fld_set}]}, - "doc_number": {convert: to_long, to:[{field: "rsa.misc.doc_number", setter: fld_set}]}, - "domain": {to:[{field: "rsa.network.domain", setter: fld_set}]}, - "domain1": {to:[{field: "rsa.network.domain1", setter: fld_set}]}, - "dst_dn": {to:[{field: "rsa.identity.dn_dst", setter: fld_set}]}, - "dst_payload": {to:[{field: "rsa.misc.payload_dst", setter: fld_set}]}, - "dst_spi": {to:[{field: "rsa.misc.spi_dst", setter: fld_set}]}, - "dst_zone": {to:[{field: "rsa.network.zone_dst", setter: fld_set}]}, - "dstburb": {to:[{field: "rsa.misc.dstburb", setter: fld_set}]}, - "duration": {convert: to_double, 
to:[{field: "rsa.time.duration_time", setter: fld_set}]}, - "duration_string": {to:[{field: "rsa.time.duration_str", setter: fld_set}]}, - "ec_activity": {to:[{field: "rsa.investigations.ec_activity", setter: fld_set}]}, - "ec_outcome": {to:[{field: "rsa.investigations.ec_outcome", setter: fld_set}]}, - "ec_subject": {to:[{field: "rsa.investigations.ec_subject", setter: fld_set}]}, - "ec_theme": {to:[{field: "rsa.investigations.ec_theme", setter: fld_set}]}, - "edomain": {to:[{field: "rsa.misc.edomain", setter: fld_set}]}, - "edomaub": {to:[{field: "rsa.misc.edomaub", setter: fld_set}]}, - "effective_time": {convert: to_date, to:[{field: "rsa.time.effective_time", setter: fld_set}]}, - "ein.number": {convert: to_long, to:[{field: "rsa.misc.ein_number", setter: fld_set}]}, - "email": {to:[{field: "rsa.email.email", setter: fld_append}]}, - "encryption_type": {to:[{field: "rsa.crypto.crypto", setter: fld_set}]}, - "endtime": {convert: to_date, to:[{field: "rsa.time.endtime", setter: fld_set}]}, - "entropy.req": {convert: to_long, to:[{field: "rsa.internal.entropy_req", setter: fld_set}]}, - "entropy.res": {convert: to_long, to:[{field: "rsa.internal.entropy_res", setter: fld_set}]}, - "entry": {to:[{field: "rsa.internal.entry", setter: fld_set}]}, - "eoc": {to:[{field: "rsa.investigations.eoc", setter: fld_set}]}, - "error": {to:[{field: "rsa.misc.error", setter: fld_set}]}, - "eth_type": {convert: to_long, to:[{field: "rsa.network.eth_type", setter: fld_set}]}, - "euid": {to:[{field: "rsa.misc.euid", setter: fld_set}]}, - "event.cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 1}]}, - "event.cat.name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 1}]}, - "event_cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 0}]}, - "event_cat_name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 0}]}, - "event_category": {to:[{field: 
"rsa.misc.event_category", setter: fld_set}]}, - "event_computer": {to:[{field: "rsa.misc.event_computer", setter: fld_set}]}, - "event_counter": {convert: to_long, to:[{field: "rsa.counters.event_counter", setter: fld_set}]}, - "event_description": {to:[{field: "rsa.internal.event_desc", setter: fld_set}]}, - "event_id": {to:[{field: "rsa.misc.event_id", setter: fld_set}]}, - "event_log": {to:[{field: "rsa.misc.event_log", setter: fld_set}]}, - "event_name": {to:[{field: "rsa.internal.event_name", setter: fld_set}]}, - "event_queue_time": {convert: to_date, to:[{field: "rsa.time.event_queue_time", setter: fld_set}]}, - "event_source": {to:[{field: "rsa.misc.event_source", setter: fld_set}]}, - "event_state": {to:[{field: "rsa.misc.event_state", setter: fld_set}]}, - "event_time": {convert: to_date, to:[{field: "rsa.time.event_time", setter: fld_set}]}, - "event_time_str": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 1}]}, - "event_time_string": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 0}]}, - "event_type": {to:[{field: "rsa.misc.event_type", setter: fld_set}]}, - "event_user": {to:[{field: "rsa.misc.event_user", setter: fld_set}]}, - "eventtime": {to:[{field: "rsa.time.eventtime", setter: fld_set}]}, - "expected_val": {to:[{field: "rsa.misc.expected_val", setter: fld_set}]}, - "expiration_time": {convert: to_date, to:[{field: "rsa.time.expire_time", setter: fld_set}]}, - "expiration_time_string": {to:[{field: "rsa.time.expire_time_str", setter: fld_set}]}, - "facility": {to:[{field: "rsa.misc.facility", setter: fld_set}]}, - "facilityname": {to:[{field: "rsa.misc.facilityname", setter: fld_set}]}, - "faddr": {to:[{field: "rsa.network.faddr", setter: fld_set}]}, - "fcatnum": {to:[{field: "rsa.misc.fcatnum", setter: fld_set}]}, - "federated_idp": {to:[{field: "rsa.identity.federated_idp", setter: fld_set}]}, - "federated_sp": {to:[{field: "rsa.identity.federated_sp", setter: fld_set}]}, - "feed.category": {to:[{field: 
"rsa.internal.feed_category", setter: fld_set}]}, - "feed_desc": {to:[{field: "rsa.internal.feed_desc", setter: fld_set}]}, - "feed_name": {to:[{field: "rsa.internal.feed_name", setter: fld_set}]}, - "fhost": {to:[{field: "rsa.network.fhost", setter: fld_set}]}, - "file_entropy": {convert: to_double, to:[{field: "rsa.file.file_entropy", setter: fld_set}]}, - "file_vendor": {to:[{field: "rsa.file.file_vendor", setter: fld_set}]}, - "filename_dst": {to:[{field: "rsa.file.filename_dst", setter: fld_set}]}, - "filename_src": {to:[{field: "rsa.file.filename_src", setter: fld_set}]}, - "filename_tmp": {to:[{field: "rsa.file.filename_tmp", setter: fld_set}]}, - "filesystem": {to:[{field: "rsa.file.filesystem", setter: fld_set}]}, - "filter": {to:[{field: "rsa.misc.filter", setter: fld_set}]}, - "finterface": {to:[{field: "rsa.misc.finterface", setter: fld_set}]}, - "flags": {to:[{field: "rsa.misc.flags", setter: fld_set}]}, - "forensic_info": {to:[{field: "rsa.misc.forensic_info", setter: fld_set}]}, - "forward.ip": {convert: to_ip, to:[{field: "rsa.internal.forward_ip", setter: fld_set}]}, - "forward.ipv6": {convert: to_ip, to:[{field: "rsa.internal.forward_ipv6", setter: fld_set}]}, - "found": {to:[{field: "rsa.misc.found", setter: fld_set}]}, - "fport": {to:[{field: "rsa.network.fport", setter: fld_set}]}, - "fqdn": {to:[{field: "rsa.web.fqdn", setter: fld_set}]}, - "fresult": {convert: to_long, to:[{field: "rsa.misc.fresult", setter: fld_set}]}, - "from": {to:[{field: "rsa.email.email_src", setter: fld_set}]}, - "gaddr": {to:[{field: "rsa.misc.gaddr", setter: fld_set}]}, - "gateway": {to:[{field: "rsa.network.gateway", setter: fld_set}]}, - "gmtdate": {to:[{field: "rsa.time.gmtdate", setter: fld_set}]}, - "gmttime": {to:[{field: "rsa.time.gmttime", setter: fld_set}]}, - "group": {to:[{field: "rsa.misc.group", setter: fld_set}]}, - "group_object": {to:[{field: "rsa.misc.group_object", setter: fld_set}]}, - "groupid": {to:[{field: "rsa.misc.group_id", setter: 
fld_set}]}, - "h_code": {to:[{field: "rsa.internal.hcode", setter: fld_set}]}, - "hardware_id": {to:[{field: "rsa.misc.hardware_id", setter: fld_set}]}, - "header.id": {to:[{field: "rsa.internal.header_id", setter: fld_set}]}, - "host.orig": {to:[{field: "rsa.network.host_orig", setter: fld_set}]}, - "host.state": {to:[{field: "rsa.endpoint.host_state", setter: fld_set}]}, - "host.type": {to:[{field: "rsa.network.host_type", setter: fld_set}]}, - "host_role": {to:[{field: "rsa.identity.host_role", setter: fld_set}]}, - "hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "hostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "hour": {to:[{field: "rsa.time.hour", setter: fld_set}]}, - "https.insact": {to:[{field: "rsa.crypto.https_insact", setter: fld_set}]}, - "https.valid": {to:[{field: "rsa.crypto.https_valid", setter: fld_set}]}, - "icmpcode": {convert: to_long, to:[{field: "rsa.network.icmp_code", setter: fld_set}]}, - "icmptype": {convert: to_long, to:[{field: "rsa.network.icmp_type", setter: fld_set}]}, - "id": {to:[{field: "rsa.misc.reference_id", setter: fld_set}]}, - "id1": {to:[{field: "rsa.misc.reference_id1", setter: fld_set}]}, - "id2": {to:[{field: "rsa.misc.reference_id2", setter: fld_set}]}, - "id3": {to:[{field: "rsa.misc.id3", setter: fld_set}]}, - "ike": {to:[{field: "rsa.crypto.ike", setter: fld_set}]}, - "ike_cookie1": {to:[{field: "rsa.crypto.ike_cookie1", setter: fld_set}]}, - "ike_cookie2": {to:[{field: "rsa.crypto.ike_cookie2", setter: fld_set}]}, - "im_buddyid": {to:[{field: "rsa.misc.im_buddyid", setter: fld_set}]}, - "im_buddyname": {to:[{field: "rsa.misc.im_buddyname", setter: fld_set}]}, - "im_client": {to:[{field: "rsa.misc.im_client", setter: fld_set}]}, - "im_croomid": {to:[{field: "rsa.misc.im_croomid", setter: fld_set}]}, - "im_croomtype": {to:[{field: "rsa.misc.im_croomtype", setter: fld_set}]}, - "im_members": {to:[{field: "rsa.misc.im_members", setter: fld_set}]}, - "im_userid": 
{to:[{field: "rsa.misc.im_userid", setter: fld_set}]}, - "im_username": {to:[{field: "rsa.misc.im_username", setter: fld_set}]}, - "index": {to:[{field: "rsa.misc.index", setter: fld_set}]}, - "info": {to:[{field: "rsa.db.index", setter: fld_set}]}, - "inode": {convert: to_long, to:[{field: "rsa.internal.inode", setter: fld_set}]}, - "inout": {to:[{field: "rsa.misc.inout", setter: fld_set}]}, - "instance": {to:[{field: "rsa.db.instance", setter: fld_set}]}, - "interface": {to:[{field: "rsa.network.interface", setter: fld_set}]}, - "inv.category": {to:[{field: "rsa.investigations.inv_category", setter: fld_set}]}, - "inv.context": {to:[{field: "rsa.investigations.inv_context", setter: fld_set}]}, - "ioc": {to:[{field: "rsa.investigations.ioc", setter: fld_set}]}, - "ip_proto": {convert: to_long, to:[{field: "rsa.network.ip_proto", setter: fld_set}]}, - "ipkt": {to:[{field: "rsa.misc.ipkt", setter: fld_set}]}, - "ipscat": {to:[{field: "rsa.misc.ipscat", setter: fld_set}]}, - "ipspri": {to:[{field: "rsa.misc.ipspri", setter: fld_set}]}, - "jobname": {to:[{field: "rsa.misc.jobname", setter: fld_set}]}, - "jobnum": {to:[{field: "rsa.misc.job_num", setter: fld_set}]}, - "laddr": {to:[{field: "rsa.network.laddr", setter: fld_set}]}, - "language": {to:[{field: "rsa.misc.language", setter: fld_set}]}, - "latitude": {to:[{field: "rsa.misc.latitude", setter: fld_set}]}, - "lc.cid": {to:[{field: "rsa.internal.lc_cid", setter: fld_set}]}, - "lc.ctime": {convert: to_date, to:[{field: "rsa.internal.lc_ctime", setter: fld_set}]}, - "ldap": {to:[{field: "rsa.identity.ldap", setter: fld_set}]}, - "ldap.query": {to:[{field: "rsa.identity.ldap_query", setter: fld_set}]}, - "ldap.response": {to:[{field: "rsa.identity.ldap_response", setter: fld_set}]}, - "level": {convert: to_long, to:[{field: "rsa.internal.level", setter: fld_set}]}, - "lhost": {to:[{field: "rsa.network.lhost", setter: fld_set}]}, - "library": {to:[{field: "rsa.misc.library", setter: fld_set}]}, - "lifetime": 
{convert: to_long, to:[{field: "rsa.misc.lifetime", setter: fld_set}]}, - "linenum": {to:[{field: "rsa.misc.linenum", setter: fld_set}]}, - "link": {to:[{field: "rsa.misc.link", setter: fld_set}]}, - "linterface": {to:[{field: "rsa.network.linterface", setter: fld_set}]}, - "list_name": {to:[{field: "rsa.misc.list_name", setter: fld_set}]}, - "listnum": {to:[{field: "rsa.misc.listnum", setter: fld_set}]}, - "load_data": {to:[{field: "rsa.misc.load_data", setter: fld_set}]}, - "location_floor": {to:[{field: "rsa.misc.location_floor", setter: fld_set}]}, - "location_mark": {to:[{field: "rsa.misc.location_mark", setter: fld_set}]}, - "log_id": {to:[{field: "rsa.misc.log_id", setter: fld_set}]}, - "log_type": {to:[{field: "rsa.misc.log_type", setter: fld_set}]}, - "logid": {to:[{field: "rsa.misc.logid", setter: fld_set}]}, - "logip": {to:[{field: "rsa.misc.logip", setter: fld_set}]}, - "logname": {to:[{field: "rsa.misc.logname", setter: fld_set}]}, - "logon_type": {to:[{field: "rsa.identity.logon_type", setter: fld_set}]}, - "logon_type_desc": {to:[{field: "rsa.identity.logon_type_desc", setter: fld_set}]}, - "longitude": {to:[{field: "rsa.misc.longitude", setter: fld_set}]}, - "lport": {to:[{field: "rsa.misc.lport", setter: fld_set}]}, - "lread": {convert: to_long, to:[{field: "rsa.db.lread", setter: fld_set}]}, - "lun": {to:[{field: "rsa.storage.lun", setter: fld_set}]}, - "lwrite": {convert: to_long, to:[{field: "rsa.db.lwrite", setter: fld_set}]}, - "macaddr": {convert: to_mac, to:[{field: "rsa.network.eth_host", setter: fld_set}]}, - "mail_id": {to:[{field: "rsa.misc.mail_id", setter: fld_set}]}, - "mask": {to:[{field: "rsa.network.mask", setter: fld_set}]}, - "match": {to:[{field: "rsa.misc.match", setter: fld_set}]}, - "mbug_data": {to:[{field: "rsa.misc.mbug_data", setter: fld_set}]}, - "mcb.req": {convert: to_long, to:[{field: "rsa.internal.mcb_req", setter: fld_set}]}, - "mcb.res": {convert: to_long, to:[{field: "rsa.internal.mcb_res", setter: fld_set}]}, - 
"mcbc.req": {convert: to_long, to:[{field: "rsa.internal.mcbc_req", setter: fld_set}]}, - "mcbc.res": {convert: to_long, to:[{field: "rsa.internal.mcbc_res", setter: fld_set}]}, - "medium": {convert: to_long, to:[{field: "rsa.internal.medium", setter: fld_set}]}, - "message": {to:[{field: "rsa.internal.message", setter: fld_set}]}, - "message_body": {to:[{field: "rsa.misc.message_body", setter: fld_set}]}, - "messageid": {to:[{field: "rsa.internal.messageid", setter: fld_set}]}, - "min": {to:[{field: "rsa.time.min", setter: fld_set}]}, - "misc": {to:[{field: "rsa.misc.misc", setter: fld_set}]}, - "misc_name": {to:[{field: "rsa.misc.misc_name", setter: fld_set}]}, - "mode": {to:[{field: "rsa.misc.mode", setter: fld_set}]}, - "month": {to:[{field: "rsa.time.month", setter: fld_set}]}, - "msg": {to:[{field: "rsa.internal.msg", setter: fld_set}]}, - "msgIdPart1": {to:[{field: "rsa.misc.msgIdPart1", setter: fld_set}]}, - "msgIdPart2": {to:[{field: "rsa.misc.msgIdPart2", setter: fld_set}]}, - "msgIdPart3": {to:[{field: "rsa.misc.msgIdPart3", setter: fld_set}]}, - "msgIdPart4": {to:[{field: "rsa.misc.msgIdPart4", setter: fld_set}]}, - "msg_id": {to:[{field: "rsa.internal.msg_id", setter: fld_set}]}, - "msg_type": {to:[{field: "rsa.misc.msg_type", setter: fld_set}]}, - "msgid": {to:[{field: "rsa.misc.msgid", setter: fld_set}]}, - "name": {to:[{field: "rsa.misc.name", setter: fld_set}]}, - "netname": {to:[{field: "rsa.network.netname", setter: fld_set}]}, - "netsessid": {to:[{field: "rsa.misc.netsessid", setter: fld_set}]}, - "network_port": {convert: to_long, to:[{field: "rsa.network.network_port", setter: fld_set}]}, - "network_service": {to:[{field: "rsa.network.network_service", setter: fld_set}]}, - "node": {to:[{field: "rsa.misc.node", setter: fld_set}]}, - "nodename": {to:[{field: "rsa.internal.node_name", setter: fld_set}]}, - "ntype": {to:[{field: "rsa.misc.ntype", setter: fld_set}]}, - "num": {to:[{field: "rsa.misc.num", setter: fld_set}]}, - "number": 
{to:[{field: "rsa.misc.number", setter: fld_set}]}, - "number1": {to:[{field: "rsa.misc.number1", setter: fld_set}]}, - "number2": {to:[{field: "rsa.misc.number2", setter: fld_set}]}, - "nwe.callback_id": {to:[{field: "rsa.internal.nwe_callback_id", setter: fld_set}]}, - "nwwn": {to:[{field: "rsa.misc.nwwn", setter: fld_set}]}, - "obj_id": {to:[{field: "rsa.internal.obj_id", setter: fld_set}]}, - "obj_name": {to:[{field: "rsa.misc.obj_name", setter: fld_set}]}, - "obj_server": {to:[{field: "rsa.internal.obj_server", setter: fld_set}]}, - "obj_type": {to:[{field: "rsa.misc.obj_type", setter: fld_set}]}, - "obj_value": {to:[{field: "rsa.internal.obj_val", setter: fld_set}]}, - "object": {to:[{field: "rsa.misc.object", setter: fld_set}]}, - "observed_val": {to:[{field: "rsa.misc.observed_val", setter: fld_set}]}, - "operation": {to:[{field: "rsa.misc.operation", setter: fld_set}]}, - "operation_id": {to:[{field: "rsa.misc.operation_id", setter: fld_set}]}, - "opkt": {to:[{field: "rsa.misc.opkt", setter: fld_set}]}, - "org.dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 1}]}, - "org.src": {to:[{field: "rsa.physical.org_src", setter: fld_set}]}, - "org_dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 0}]}, - "orig_from": {to:[{field: "rsa.misc.orig_from", setter: fld_set}]}, - "origin": {to:[{field: "rsa.network.origin", setter: fld_set}]}, - "original_owner": {to:[{field: "rsa.identity.owner", setter: fld_set}]}, - "os": {to:[{field: "rsa.misc.OS", setter: fld_set}]}, - "owner_id": {to:[{field: "rsa.misc.owner_id", setter: fld_set}]}, - "p_action": {to:[{field: "rsa.misc.p_action", setter: fld_set}]}, - "p_date": {to:[{field: "rsa.time.p_date", setter: fld_set}]}, - "p_filter": {to:[{field: "rsa.misc.p_filter", setter: fld_set}]}, - "p_group_object": {to:[{field: "rsa.misc.p_group_object", setter: fld_set}]}, - "p_id": {to:[{field: "rsa.misc.p_id", setter: fld_set}]}, - "p_month": {to:[{field: "rsa.time.p_month", setter: fld_set}]}, 
- "p_msgid": {to:[{field: "rsa.misc.p_msgid", setter: fld_set}]}, - "p_msgid1": {to:[{field: "rsa.misc.p_msgid1", setter: fld_set}]}, - "p_msgid2": {to:[{field: "rsa.misc.p_msgid2", setter: fld_set}]}, - "p_result1": {to:[{field: "rsa.misc.p_result1", setter: fld_set}]}, - "p_time": {to:[{field: "rsa.time.p_time", setter: fld_set}]}, - "p_time1": {to:[{field: "rsa.time.p_time1", setter: fld_set}]}, - "p_time2": {to:[{field: "rsa.time.p_time2", setter: fld_set}]}, - "p_url": {to:[{field: "rsa.web.p_url", setter: fld_set}]}, - "p_user_agent": {to:[{field: "rsa.web.p_user_agent", setter: fld_set}]}, - "p_web_cookie": {to:[{field: "rsa.web.p_web_cookie", setter: fld_set}]}, - "p_web_method": {to:[{field: "rsa.web.p_web_method", setter: fld_set}]}, - "p_web_referer": {to:[{field: "rsa.web.p_web_referer", setter: fld_set}]}, - "p_year": {to:[{field: "rsa.time.p_year", setter: fld_set}]}, - "packet_length": {to:[{field: "rsa.network.packet_length", setter: fld_set}]}, - "paddr": {convert: to_ip, to:[{field: "rsa.network.paddr", setter: fld_set}]}, - "param": {to:[{field: "rsa.misc.param", setter: fld_set}]}, - "param.dst": {to:[{field: "rsa.misc.param_dst", setter: fld_set}]}, - "param.src": {to:[{field: "rsa.misc.param_src", setter: fld_set}]}, - "parent_node": {to:[{field: "rsa.misc.parent_node", setter: fld_set}]}, - "parse.error": {to:[{field: "rsa.internal.parse_error", setter: fld_set}]}, - "password": {to:[{field: "rsa.identity.password", setter: fld_set}]}, - "password_chg": {to:[{field: "rsa.misc.password_chg", setter: fld_set}]}, - "password_expire": {to:[{field: "rsa.misc.password_expire", setter: fld_set}]}, - "patient_fname": {to:[{field: "rsa.healthcare.patient_fname", setter: fld_set}]}, - "patient_id": {to:[{field: "rsa.healthcare.patient_id", setter: fld_set}]}, - "patient_lname": {to:[{field: "rsa.healthcare.patient_lname", setter: fld_set}]}, - "patient_mname": {to:[{field: "rsa.healthcare.patient_mname", setter: fld_set}]}, - "payload.req": {convert: 
to_long, to:[{field: "rsa.internal.payload_req", setter: fld_set}]}, - "payload.res": {convert: to_long, to:[{field: "rsa.internal.payload_res", setter: fld_set}]}, - "peer": {to:[{field: "rsa.crypto.peer", setter: fld_set}]}, - "peer_id": {to:[{field: "rsa.crypto.peer_id", setter: fld_set}]}, - "permgranted": {to:[{field: "rsa.misc.permgranted", setter: fld_set}]}, - "permissions": {to:[{field: "rsa.db.permissions", setter: fld_set}]}, - "permwanted": {to:[{field: "rsa.misc.permwanted", setter: fld_set}]}, - "pgid": {to:[{field: "rsa.misc.pgid", setter: fld_set}]}, - "phone_number": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 2}]}, - "phost": {to:[{field: "rsa.network.phost", setter: fld_set}]}, - "pid": {to:[{field: "rsa.misc.pid", setter: fld_set}]}, - "policy": {to:[{field: "rsa.misc.policy", setter: fld_set}]}, - "policyUUID": {to:[{field: "rsa.misc.policyUUID", setter: fld_set}]}, - "policy_id": {to:[{field: "rsa.misc.policy_id", setter: fld_set}]}, - "policy_value": {to:[{field: "rsa.misc.policy_value", setter: fld_set}]}, - "policy_waiver": {to:[{field: "rsa.misc.policy_waiver", setter: fld_set}]}, - "policyname": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 0}]}, - "pool_id": {to:[{field: "rsa.misc.pool_id", setter: fld_set}]}, - "pool_name": {to:[{field: "rsa.misc.pool_name", setter: fld_set}]}, - "port": {convert: to_long, to:[{field: "rsa.network.port", setter: fld_set}]}, - "portname": {to:[{field: "rsa.misc.port_name", setter: fld_set}]}, - "pread": {convert: to_long, to:[{field: "rsa.db.pread", setter: fld_set}]}, - "priority": {to:[{field: "rsa.misc.priority", setter: fld_set}]}, - "privilege": {to:[{field: "rsa.file.privilege", setter: fld_set}]}, - "process.vid.dst": {to:[{field: "rsa.internal.process_vid_dst", setter: fld_set}]}, - "process.vid.src": {to:[{field: "rsa.internal.process_vid_src", setter: fld_set}]}, - "process_id_val": {to:[{field: "rsa.misc.process_id_val", setter: fld_set}]}, - "processing_time": 
{to:[{field: "rsa.time.process_time", setter: fld_set}]}, - "profile": {to:[{field: "rsa.identity.profile", setter: fld_set}]}, - "prog_asp_num": {to:[{field: "rsa.misc.prog_asp_num", setter: fld_set}]}, - "program": {to:[{field: "rsa.misc.program", setter: fld_set}]}, - "protocol_detail": {to:[{field: "rsa.network.protocol_detail", setter: fld_set}]}, - "pwwn": {to:[{field: "rsa.storage.pwwn", setter: fld_set}]}, - "r_hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "real_data": {to:[{field: "rsa.misc.real_data", setter: fld_set}]}, - "realm": {to:[{field: "rsa.identity.realm", setter: fld_set}]}, - "reason": {to:[{field: "rsa.misc.reason", setter: fld_set}]}, - "rec_asp_device": {to:[{field: "rsa.misc.rec_asp_device", setter: fld_set}]}, - "rec_asp_num": {to:[{field: "rsa.misc.rec_asp_num", setter: fld_set}]}, - "rec_library": {to:[{field: "rsa.misc.rec_library", setter: fld_set}]}, - "recorded_time": {convert: to_date, to:[{field: "rsa.time.recorded_time", setter: fld_set}]}, - "recordnum": {to:[{field: "rsa.misc.recordnum", setter: fld_set}]}, - "registry.key": {to:[{field: "rsa.endpoint.registry_key", setter: fld_set}]}, - "registry.value": {to:[{field: "rsa.endpoint.registry_value", setter: fld_set}]}, - "remote_domain": {to:[{field: "rsa.web.remote_domain", setter: fld_set}]}, - "remote_domain_id": {to:[{field: "rsa.network.remote_domain_id", setter: fld_set}]}, - "reputation_num": {convert: to_double, to:[{field: "rsa.web.reputation_num", setter: fld_set}]}, - "resource": {to:[{field: "rsa.internal.resource", setter: fld_set}]}, - "resource_class": {to:[{field: "rsa.internal.resource_class", setter: fld_set}]}, - "result": {to:[{field: "rsa.misc.result", setter: fld_set}]}, - "result_code": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 1}]}, - "resultcode": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 0}]}, - "rid": {convert: to_long, to:[{field: "rsa.internal.rid", setter: fld_set}]}, - "risk": 
{to:[{field: "rsa.misc.risk", setter: fld_set}]}, - "risk_info": {to:[{field: "rsa.misc.risk_info", setter: fld_set}]}, - "risk_num": {convert: to_double, to:[{field: "rsa.misc.risk_num", setter: fld_set}]}, - "risk_num_comm": {convert: to_double, to:[{field: "rsa.misc.risk_num_comm", setter: fld_set}]}, - "risk_num_next": {convert: to_double, to:[{field: "rsa.misc.risk_num_next", setter: fld_set}]}, - "risk_num_sand": {convert: to_double, to:[{field: "rsa.misc.risk_num_sand", setter: fld_set}]}, - "risk_num_static": {convert: to_double, to:[{field: "rsa.misc.risk_num_static", setter: fld_set}]}, - "risk_suspicious": {to:[{field: "rsa.misc.risk_suspicious", setter: fld_set}]}, - "risk_warning": {to:[{field: "rsa.misc.risk_warning", setter: fld_set}]}, - "rpayload": {to:[{field: "rsa.network.rpayload", setter: fld_set}]}, - "ruid": {to:[{field: "rsa.misc.ruid", setter: fld_set}]}, - "rule": {to:[{field: "rsa.misc.rule", setter: fld_set}]}, - "rule_group": {to:[{field: "rsa.misc.rule_group", setter: fld_set}]}, - "rule_template": {to:[{field: "rsa.misc.rule_template", setter: fld_set}]}, - "rule_uid": {to:[{field: "rsa.misc.rule_uid", setter: fld_set}]}, - "rulename": {to:[{field: "rsa.misc.rule_name", setter: fld_set}]}, - "s_certauth": {to:[{field: "rsa.crypto.s_certauth", setter: fld_set}]}, - "s_cipher": {to:[{field: "rsa.crypto.cipher_src", setter: fld_set}]}, - "s_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_src", setter: fld_set}]}, - "s_context": {to:[{field: "rsa.misc.context_subject", setter: fld_set}]}, - "s_sslver": {to:[{field: "rsa.crypto.ssl_ver_src", setter: fld_set}]}, - "sburb": {to:[{field: "rsa.misc.sburb", setter: fld_set}]}, - "scheme": {to:[{field: "rsa.crypto.scheme", setter: fld_set}]}, - "sdomain_fld": {to:[{field: "rsa.misc.sdomain_fld", setter: fld_set}]}, - "search.text": {to:[{field: "rsa.misc.search_text", setter: fld_set}]}, - "sec": {to:[{field: "rsa.misc.sec", setter: fld_set}]}, - "second": {to:[{field: 
"rsa.misc.second", setter: fld_set}]}, - "sensor": {to:[{field: "rsa.misc.sensor", setter: fld_set}]}, - "sensorname": {to:[{field: "rsa.misc.sensorname", setter: fld_set}]}, - "seqnum": {to:[{field: "rsa.misc.seqnum", setter: fld_set}]}, - "serial_number": {to:[{field: "rsa.misc.serial_number", setter: fld_set}]}, - "service.account": {to:[{field: "rsa.identity.service_account", setter: fld_set}]}, - "session": {to:[{field: "rsa.misc.session", setter: fld_set}]}, - "session.split": {to:[{field: "rsa.internal.session_split", setter: fld_set}]}, - "sessionid": {to:[{field: "rsa.misc.log_session_id", setter: fld_set}]}, - "sessionid1": {to:[{field: "rsa.misc.log_session_id1", setter: fld_set}]}, - "sessiontype": {to:[{field: "rsa.misc.sessiontype", setter: fld_set}]}, - "severity": {to:[{field: "rsa.misc.severity", setter: fld_set}]}, - "sid": {to:[{field: "rsa.identity.user_sid_dst", setter: fld_set}]}, - "sig.name": {to:[{field: "rsa.misc.sig_name", setter: fld_set}]}, - "sigUUID": {to:[{field: "rsa.misc.sigUUID", setter: fld_set}]}, - "sigcat": {to:[{field: "rsa.misc.sigcat", setter: fld_set}]}, - "sigid": {convert: to_long, to:[{field: "rsa.misc.sig_id", setter: fld_set}]}, - "sigid1": {convert: to_long, to:[{field: "rsa.misc.sig_id1", setter: fld_set}]}, - "sigid_string": {to:[{field: "rsa.misc.sig_id_str", setter: fld_set}]}, - "signame": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 1}]}, - "sigtype": {to:[{field: "rsa.crypto.sig_type", setter: fld_set}]}, - "sinterface": {to:[{field: "rsa.network.sinterface", setter: fld_set}]}, - "site": {to:[{field: "rsa.internal.site", setter: fld_set}]}, - "size": {convert: to_long, to:[{field: "rsa.internal.size", setter: fld_set}]}, - "smask": {to:[{field: "rsa.network.smask", setter: fld_set}]}, - "snmp.oid": {to:[{field: "rsa.misc.snmp_oid", setter: fld_set}]}, - "snmp.value": {to:[{field: "rsa.misc.snmp_value", setter: fld_set}]}, - "sourcefile": {to:[{field: "rsa.internal.sourcefile", setter: 
fld_set}]}, - "space": {to:[{field: "rsa.misc.space", setter: fld_set}]}, - "space1": {to:[{field: "rsa.misc.space1", setter: fld_set}]}, - "spi": {to:[{field: "rsa.misc.spi", setter: fld_set}]}, - "sql": {to:[{field: "rsa.misc.sql", setter: fld_set}]}, - "src_dn": {to:[{field: "rsa.identity.dn_src", setter: fld_set}]}, - "src_payload": {to:[{field: "rsa.misc.payload_src", setter: fld_set}]}, - "src_spi": {to:[{field: "rsa.misc.spi_src", setter: fld_set}]}, - "src_zone": {to:[{field: "rsa.network.zone_src", setter: fld_set}]}, - "srcburb": {to:[{field: "rsa.misc.srcburb", setter: fld_set}]}, - "srcdom": {to:[{field: "rsa.misc.srcdom", setter: fld_set}]}, - "srcservice": {to:[{field: "rsa.misc.srcservice", setter: fld_set}]}, - "ssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 0}]}, - "stamp": {convert: to_date, to:[{field: "rsa.time.stamp", setter: fld_set}]}, - "starttime": {convert: to_date, to:[{field: "rsa.time.starttime", setter: fld_set}]}, - "state": {to:[{field: "rsa.misc.state", setter: fld_set}]}, - "statement": {to:[{field: "rsa.internal.statement", setter: fld_set}]}, - "status": {to:[{field: "rsa.misc.status", setter: fld_set}]}, - "status1": {to:[{field: "rsa.misc.status1", setter: fld_set}]}, - "streams": {convert: to_long, to:[{field: "rsa.misc.streams", setter: fld_set}]}, - "subcategory": {to:[{field: "rsa.misc.subcategory", setter: fld_set}]}, - "subject": {to:[{field: "rsa.email.subject", setter: fld_set}]}, - "svcno": {to:[{field: "rsa.misc.svcno", setter: fld_set}]}, - "system": {to:[{field: "rsa.misc.system", setter: fld_set}]}, - "t_context": {to:[{field: "rsa.misc.context_target", setter: fld_set}]}, - "task_name": {to:[{field: "rsa.file.task_name", setter: fld_set}]}, - "tbdstr1": {to:[{field: "rsa.misc.tbdstr1", setter: fld_set}]}, - "tbdstr2": {to:[{field: "rsa.misc.tbdstr2", setter: fld_set}]}, - "tbl_name": {to:[{field: "rsa.db.table_name", setter: fld_set}]}, - "tcp_flags": {convert: to_long, to:[{field: 
"rsa.misc.tcp_flags", setter: fld_set}]}, - "terminal": {to:[{field: "rsa.misc.terminal", setter: fld_set}]}, - "tgtdom": {to:[{field: "rsa.misc.tgtdom", setter: fld_set}]}, - "tgtdomain": {to:[{field: "rsa.misc.tgtdomain", setter: fld_set}]}, - "threat_name": {to:[{field: "rsa.threat.threat_category", setter: fld_set}]}, - "threat_source": {to:[{field: "rsa.threat.threat_source", setter: fld_set}]}, - "threat_val": {to:[{field: "rsa.threat.threat_desc", setter: fld_set}]}, - "threshold": {to:[{field: "rsa.misc.threshold", setter: fld_set}]}, - "time": {convert: to_date, to:[{field: "rsa.internal.time", setter: fld_set}]}, - "timestamp": {to:[{field: "rsa.time.timestamp", setter: fld_set}]}, - "timezone": {to:[{field: "rsa.time.timezone", setter: fld_set}]}, - "to": {to:[{field: "rsa.email.email_dst", setter: fld_set}]}, - "tos": {convert: to_long, to:[{field: "rsa.misc.tos", setter: fld_set}]}, - "trans_from": {to:[{field: "rsa.email.trans_from", setter: fld_set}]}, - "trans_id": {to:[{field: "rsa.db.transact_id", setter: fld_set}]}, - "trans_to": {to:[{field: "rsa.email.trans_to", setter: fld_set}]}, - "trigger_desc": {to:[{field: "rsa.misc.trigger_desc", setter: fld_set}]}, - "trigger_val": {to:[{field: "rsa.misc.trigger_val", setter: fld_set}]}, - "type": {to:[{field: "rsa.misc.type", setter: fld_set}]}, - "type1": {to:[{field: "rsa.misc.type1", setter: fld_set}]}, - "tzone": {to:[{field: "rsa.time.tzone", setter: fld_set}]}, - "ubc.req": {convert: to_long, to:[{field: "rsa.internal.ubc_req", setter: fld_set}]}, - "ubc.res": {convert: to_long, to:[{field: "rsa.internal.ubc_res", setter: fld_set}]}, - "udb_class": {to:[{field: "rsa.misc.udb_class", setter: fld_set}]}, - "url_fld": {to:[{field: "rsa.misc.url_fld", setter: fld_set}]}, - "urlpage": {to:[{field: "rsa.web.urlpage", setter: fld_set}]}, - "urlroot": {to:[{field: "rsa.web.urlroot", setter: fld_set}]}, - "user_address": {to:[{field: "rsa.email.email", setter: fld_append}]}, - "user_dept": {to:[{field: 
"rsa.identity.user_dept", setter: fld_set}]}, - "user_div": {to:[{field: "rsa.misc.user_div", setter: fld_set}]}, - "user_fname": {to:[{field: "rsa.identity.firstname", setter: fld_set}]}, - "user_lname": {to:[{field: "rsa.identity.lastname", setter: fld_set}]}, - "user_mname": {to:[{field: "rsa.identity.middlename", setter: fld_set}]}, - "user_org": {to:[{field: "rsa.identity.org", setter: fld_set}]}, - "user_role": {to:[{field: "rsa.identity.user_role", setter: fld_set}]}, - "userid": {to:[{field: "rsa.misc.userid", setter: fld_set}]}, - "username_fld": {to:[{field: "rsa.misc.username_fld", setter: fld_set}]}, - "utcstamp": {to:[{field: "rsa.misc.utcstamp", setter: fld_set}]}, - "v_instafname": {to:[{field: "rsa.misc.v_instafname", setter: fld_set}]}, - "vendor_event_cat": {to:[{field: "rsa.investigations.event_vcat", setter: fld_set}]}, - "version": {to:[{field: "rsa.misc.version", setter: fld_set}]}, - "vid": {to:[{field: "rsa.internal.msg_vid", setter: fld_set}]}, - "virt_data": {to:[{field: "rsa.misc.virt_data", setter: fld_set}]}, - "virusname": {to:[{field: "rsa.misc.virusname", setter: fld_set}]}, - "vlan": {convert: to_long, to:[{field: "rsa.network.vlan", setter: fld_set}]}, - "vlan.name": {to:[{field: "rsa.network.vlan_name", setter: fld_set}]}, - "vm_target": {to:[{field: "rsa.misc.vm_target", setter: fld_set}]}, - "vpnid": {to:[{field: "rsa.misc.vpnid", setter: fld_set}]}, - "vsys": {to:[{field: "rsa.misc.vsys", setter: fld_set}]}, - "vuln_ref": {to:[{field: "rsa.misc.vuln_ref", setter: fld_set}]}, - "web_cookie": {to:[{field: "rsa.web.web_cookie", setter: fld_set}]}, - "web_extension_tmp": {to:[{field: "rsa.web.web_extension_tmp", setter: fld_set}]}, - "web_host": {to:[{field: "rsa.web.alias_host", setter: fld_set}]}, - "web_method": {to:[{field: "rsa.misc.action", setter: fld_append}]}, - "web_page": {to:[{field: "rsa.web.web_page", setter: fld_set}]}, - "web_ref_domain": {to:[{field: "rsa.web.web_ref_domain", setter: fld_set}]}, - "web_ref_host": 
{to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "web_ref_page": {to:[{field: "rsa.web.web_ref_page", setter: fld_set}]}, - "web_ref_query": {to:[{field: "rsa.web.web_ref_query", setter: fld_set}]}, - "web_ref_root": {to:[{field: "rsa.web.web_ref_root", setter: fld_set}]}, - "wifi_channel": {convert: to_long, to:[{field: "rsa.wireless.wlan_channel", setter: fld_set}]}, - "wlan": {to:[{field: "rsa.wireless.wlan_name", setter: fld_set}]}, - "word": {to:[{field: "rsa.internal.word", setter: fld_set}]}, - "workspace_desc": {to:[{field: "rsa.misc.workspace", setter: fld_set}]}, - "workstation": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "year": {to:[{field: "rsa.time.year", setter: fld_set}]}, - "zone": {to:[{field: "rsa.network.zone", setter: fld_set}]}, - }; - - function to_date(value) { - switch (typeof (value)) { - case "object": - // This is a Date. But as it was obtained from evt.Get(), the VM - // doesn't see it as a JS Date anymore, thus value instanceof Date === false. - // Have to trust that any object here is a valid Date for Go. - return value; - case "string": - var asDate = new Date(value); - if (!isNaN(asDate)) return asDate; - } - } - - // ECMAScript 5.1 doesn't have Object.MAX_SAFE_INTEGER / Object.MIN_SAFE_INTEGER. - var maxSafeInt = Math.pow(2, 53) - 1; - var minSafeInt = -maxSafeInt; - - function to_long(value) { - var num = parseInt(value); - // Better not to index a number if it's not safe (above 53 bits). - return !isNaN(num) && minSafeInt <= num && num <= maxSafeInt ? 
num : undefined; - } - - function to_ip(value) { - if (value.indexOf(":") === -1) - return to_ipv4(value); - return to_ipv6(value); - } - - var ipv4_regex = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/; - var ipv6_hex_regex = /^[0-9A-Fa-f]{1,4}$/; - - function to_ipv4(value) { - var result = ipv4_regex.exec(value); - if (result == null || result.length !== 5) return; - for (var i = 1; i < 5; i++) { - var num = strictToInt(result[i]); - if (isNaN(num) || num < 0 || num > 255) return; - } - return value; - } - - function to_ipv6(value) { - var sqEnd = value.indexOf("]"); - if (sqEnd > -1) { - if (value.charAt(0) !== "[") return; - value = value.substr(1, sqEnd - 1); - } - var zoneOffset = value.indexOf("%"); - if (zoneOffset > -1) { - value = value.substr(0, zoneOffset); - } - var parts = value.split(":"); - if (parts == null || parts.length < 3 || parts.length > 8) return; - var numEmpty = 0; - var innerEmpty = 0; - for (var i = 0; i < parts.length; i++) { - if (parts[i].length === 0) { - numEmpty++; - if (i > 0 && i + 1 < parts.length) innerEmpty++; - } else if (!parts[i].match(ipv6_hex_regex) && - // Accept an IPv6 with a valid IPv4 at the end. - ((i + 1 < parts.length) || !to_ipv4(parts[i]))) { - return; - } - } - return innerEmpty === 0 && parts.length === 8 || innerEmpty === 1 ? value : undefined; - } - - function to_double(value) { - return parseFloat(value); - } - - function to_mac(value) { - // ES doesn't have a mac datatype so it's safe to ingest whatever was captured. - return value; - } - - function to_lowercase(value) { - // to_lowercase is used against keyword fields, which can accept - // any other type (numbers, dates). - return typeof(value) === "string"? 
value.toLowerCase() : value; - } - - function fld_set(dst, value) { - dst[this.field] = { v: value }; - } - - function fld_append(dst, value) { - if (dst[this.field] === undefined) { - dst[this.field] = { v: [value] }; - } else { - var base = dst[this.field]; - if (base.v.indexOf(value)===-1) base.v.push(value); - } - } - - function fld_prio(dst, value) { - if (dst[this.field] === undefined) { - dst[this.field] = { v: value, prio: this.prio}; - } else if(this.prio < dst[this.field].prio) { - dst[this.field].v = value; - dst[this.field].prio = this.prio; - } - } - - var valid_ecs_outcome = { - 'failure': true, - 'success': true, - 'unknown': true - }; - - function fld_ecs_outcome(dst, value) { - value = value.toLowerCase(); - if (valid_ecs_outcome[value] === undefined) { - value = 'unknown'; - } - if (dst[this.field] === undefined) { - dst[this.field] = { v: value }; - } else if (dst[this.field].v === 'unknown') { - dst[this.field] = { v: value }; - } - } - - function map_all(evt, targets, value) { - for (var i = 0; i < targets.length; i++) { - evt.Put(targets[i], value); - } - } - - function populate_fields(evt) { - var base = evt.Get(FIELDS_OBJECT); - if (base === null) return; - alternate_datetime(evt); - if (map_ecs) { - do_populate(evt, base, ecs_mappings); - } - if (map_rsa) { - do_populate(evt, base, rsa_mappings); - } - if (keep_raw) { - evt.Put("rsa.raw", base); - } - evt.Delete(FIELDS_OBJECT); - } - - var datetime_alt_components = [ - {field: "day", fmts: [[dF]]}, - {field: "year", fmts: [[dW]]}, - {field: "month", fmts: [[dB],[dG]]}, - {field: "date", fmts: [[dW,dSkip,dG,dSkip,dF],[dW,dSkip,dB,dSkip,dF],[dW,dSkip,dR,dSkip,dF]]}, - {field: "hour", fmts: [[dN]]}, - {field: "min", fmts: [[dU]]}, - {field: "secs", fmts: [[dO]]}, - {field: "time", fmts: [[dN, dSkip, dU, dSkip, dO]]}, - ]; - - function alternate_datetime(evt) { - if (evt.Get(FIELDS_PREFIX + "event_time") != null) { - return; - } - var tzOffset = tz_offset; - if (tzOffset === "event") { - 
tzOffset = evt.Get("event.timezone"); - } - var container = new DateContainer(tzOffset); - for (var i=0; i} %{fld79->} %{fld80->} %{fld81->} %{timezone->} %{fld82},updateTime=%{fld8},alertSev=%{severity},group=%{group},ruleName=\"%{rulename}\",evntDesc=\"%{event_description}\",category=%{category},disposition=%{disposition},eventType=%{event_type},proto=%{protocol},srcPort=%{sport},srcIP=%{saddr},dstPort=%{dport},dstIP=%{daddr},policyName=\"%{policyname}\",occurrences=%{event_counter},httpHost=%{web_host},webMethod=%{web_method},url=\"%{url}\",webQuery=\"%{web_query}\",soapAction=%{fld83},resultCode=%{resultcode},sessionID=%{sessionid},username=%{username},addUsername=%{fld84},responseTime=%{fld85},responseSize=%{fld86},direction=%{direction},dbUsername=%{fld87},queryGroup=%{fld88},application=\"%{application}\",srcHost=%{shost},osUsername=%{c_username},schemaName=%{owner},dbName=%{db_name},hdrName=%{fld92},action=\"%{action}\",errormsg=\"%{result}\"", processor_chain([ - dup1, - dup2, - dup3, - ])); - - var msg1 = msg("IMPERVA_ALERT:02", part1); - - var part2 = match("MESSAGE#1:IMPERVA_ALERT", "nwparser.payload", "alert#=%{operation_id},event#=%{fld7},createTime=%{fld79},updateTime=%{fld80},alertSev=%{severity},group=%{group},ruleName=\"%{rulename}\",evntDesc=\"%{event_description}\",category=%{category},disposition=%{disposition},eventType=%{event_type},proto=%{protocol},srcPort=%{sport},srcIP=%{saddr},dstPort=%{dport},dstIP=%{daddr},policyName=\"%{policyname}\",occurrences=%{event_counter},httpHost=%{web_host},webMethod=%{web_method},url=\"%{url}\",webQuery=\"%{web_query}\",soapAction=%{fld83},resultCode=%{resultcode},sessionID=%{sessionid},username=%{username},addUsername=%{fld84},responseTime=%{fld85},responseSize=%{fld86},direction=%{direction},dbUsername=%{fld87},queryGroup=%{fld88},application=\"%{application}\",srcHost=%{shost},osUsername=%{c_username},schemaName=%{owner},dbName=%{db_name},hdrName=%{fld92},action=\"%{action}\",errormsg=\"%{result}\"", 
processor_chain([ - dup1, - dup4, - dup3, - ])); - - var msg2 = msg("IMPERVA_ALERT", part2); - - var part3 = match("MESSAGE#2:IMPERVA_ALERT:03", "nwparser.payload", "alert#=%{operation_id},event#=%{fld7},createTime=%{fld78->} %{fld79->} %{fld80->} %{fld81->} %{timezone->} %{fld82},updateTime=%{fld8},alertSev=%{severity},group=%{group},ruleName=\"%{rulename}\",evntDesc=\"%{event_description}\",category=%{category},disposition=%{disposition},eventType=%{event_type},proto=%{protocol},srcPort=%{sport},srcIP=%{saddr},dstPort=%{dport},dstIP=%{daddr},policyName=\"%{policyname}\",occurrences=%{event_counter},httpHost=%{web_host},webMethod=%{web_method},url=\"%{url}\",webQuery=\"%{web_query}\",soapAction=%{fld83},resultCode=%{resultcode},sessionID=%{sessionid},username=%{username},addUsername=%{fld84},responseTime=%{fld85},responseSize=%{fld86},direction=%{direction},dbUsername=%{fld87},queryGroup=%{fld88},application=\"%{application}\",srcHost=%{shost},osUsername=%{c_username},schemaName=%{owner},dbName=%{db_name},hdrName=%{fld92},action=%{action}", processor_chain([ - dup1, - dup2, - dup3, - ])); - - var msg3 = msg("IMPERVA_ALERT:03", part3); - - var part4 = match("MESSAGE#3:IMPERVA_ALERT:01", "nwparser.payload", 
"alert#=%{operation_id},event#=%{fld7},createTime=%{fld79},updateTime=%{fld80},alertSev=%{severity},group=%{group},ruleName=\"%{rulename}\",evntDesc=\"%{event_description}\",category=%{category},disposition=%{disposition},eventType=%{event_type},proto=%{protocol},srcPort=%{sport},srcIP=%{saddr},dstPort=%{dport},dstIP=%{daddr},policyName=\"%{policyname}\",occurrences=%{event_counter},httpHost=%{web_host},webMethod=%{web_method},url=\"%{url}\",webQuery=\"%{web_query}\",soapAction=%{fld83},resultCode=%{resultcode},sessionID=%{sessionid},username=%{username},addUsername=%{fld84},responseTime=%{fld85},responseSize=%{fld86},direction=%{direction},dbUsername=%{fld87},queryGroup=%{fld88},application=\"%{application}\",srcHost=%{shost},osUsername=%{c_username},schemaName=%{owner},dbName=%{db_name},hdrName=%{fld92},action=%{action}", processor_chain([ - dup1, - dup4, - dup3, - ])); - - var msg4 = msg("IMPERVA_ALERT:01", part4); - - var part5 = match("MESSAGE#4:IMPERVA_EVENT:01", "nwparser.payload", "event#=%{fld77},createTime=%{fld78->} %{fld79->} %{fld80->} %{fld81->} %{timezone->} %{fld82},eventType=%{event_type},eventSev=%{severity},username=%{username},subsystem=%{fld7},message=\"%{event_description}\"", processor_chain([ - dup5, - dup2, - dup3, - ])); - - var msg5 = msg("IMPERVA_EVENT:01", part5); - - var part6 = match("MESSAGE#5:IMPERVA_EVENT", "nwparser.payload", "event#=%{fld77},createTime=%{fld79},eventType=%{event_type},eventSev=%{severity},username=%{username},subsystem=%{fld7},message=\"%{event_description}\"", processor_chain([ - dup5, - dup4, - dup3, - ])); - - var msg6 = msg("IMPERVA_EVENT", part6); - - var part7 = match("MESSAGE#6:IMPERVA_DATABASE_ACTIVITY:03", "nwparser.payload", "dstIP=%{daddr},dstPort=%{dport},dbUsername=%{username},srcIP=%{saddr},srcPort=%{sport},creatTime=%{fld79->} %{fld22->} %{fld23->} 
%{fld24},,srvGroup=%{group_object},service=%{fld88},appName=%{fld81},event#=%{fld82},eventType=Login,usrGroup=%{group},usrAuth=True,application=\"%{application}\",osUsername=%{c_username},srcHost=%{shost},dbName=%{db_name},schemaName=%{owner},bindVar=%{fld86},sqlError=%{result},respSize=%{dclass_counter1},respTime=%{duration},affRows=%{fld87},action=\"%{action}\",rawQuery=\"%{info}\"", processor_chain([ - dup6, - dup7, - dup8, - dup9, - dup10, - dup11, - dup12, - dup3, - dup13, - ])); - - var msg7 = msg("IMPERVA_DATABASE_ACTIVITY:03", part7); - - var part8 = match("MESSAGE#7:IMPERVA_DATABASE_ACTIVITY:06", "nwparser.payload", "dstIP=%{daddr},dstPort=%{dport},dbUsername=%{username},srcIP=%{saddr},srcPort=%{sport},creatTime=%{fld79->} %{fld22->} %{fld23->} %{fld24},,srvGroup=%{group_object},service=%{fld88},appName=%{fld81},event#=%{fld82},eventType=Login,usrGroup=%{group},usrAuth=False,application=\"%{application}\",osUsername=%{c_username},srcHost=%{shost},dbName=%{db_name},schemaName=%{owner},bindVar=%{fld86},sqlError=%{result},respSize=%{dclass_counter1},respTime=%{duration},affRows=%{fld87},action=\"%{action}\",rawQuery=\"%{info}\"", processor_chain([ - dup14, - dup7, - dup8, - dup9, - dup15, - dup11, - dup12, - dup3, - dup13, - ])); - - var msg8 = msg("IMPERVA_DATABASE_ACTIVITY:06", part8); - - var part9 = match("MESSAGE#8:IMPERVA_DATABASE_ACTIVITY:01", "nwparser.payload", "dstIP=%{daddr},dstPort=%{dport},dbUsername=%{username},srcIP=%{saddr},srcPort=%{sport},creatTime=%{fld79},srvGroup=%{group_object},service=%{fld88},appName=%{fld81},event#=%{fld82},eventType=Login,usrGroup=%{group},usrAuth=True,application=\"%{application}\",osUsername=%{c_username},srcHost=%{shost},dbName=%{db_name},schemaName=%{owner},bindVar=%{fld86},sqlError=%{result},respSize=%{dclass_counter1},respTime=%{duration},affRows=%{fld87},action=\"%{action}\",rawQuery=\"%{info}\"", processor_chain([ - dup6, - dup7, - dup8, - dup9, - dup10, - dup11, - dup16, - dup3, - dup13, - ])); - - var msg9 
= msg("IMPERVA_DATABASE_ACTIVITY:01", part9); - - var part10 = match("MESSAGE#9:IMPERVA_DATABASE_ACTIVITY:07", "nwparser.payload", "dstIP=%{daddr},dstPort=%{dport},dbUsername=%{username},srcIP=%{saddr},srcPort=%{sport},creatTime=%{fld79},srvGroup=%{group_object},service=%{fld88},appName=%{fld81},event#=%{fld82},eventType=Login,usrGroup=%{group},usrAuth=False,application=\"%{application}\",osUsername=%{c_username},srcHost=%{shost},dbName=%{db_name},schemaName=%{owner},bindVar=%{fld86},sqlError=%{result},respSize=%{dclass_counter1},respTime=%{duration},affRows=%{fld87},action=\"%{action}\",rawQuery=\"%{info}\"", processor_chain([ - dup14, - dup7, - dup8, - dup9, - dup15, - dup11, - dup16, - dup3, - dup13, - ])); - - var msg10 = msg("IMPERVA_DATABASE_ACTIVITY:07", part10); - - var part11 = match("MESSAGE#10:IMPERVA_DATABASE_ACTIVITY:04", "nwparser.payload", "dstIP=%{daddr},dstPort=%{dport},dbUsername=%{username},srcIP=%{saddr},srcPort=%{sport},creatTime=%{fld79->} %{fld22->} %{fld23->} %{fld24},,srvGroup=%{group_object},service=%{fld88},appName=%{fld81},event#=%{fld82},eventType=Logout,usrGroup=%{group},usrAuth=True,application=\"%{application}\",osUsername=%{c_username},srcHost=%{shost},dbName=%{db_name},schemaName=%{owner},bindVar=%{fld86},sqlError=%{result},respSize=%{dclass_counter1},respTime=%{duration},affRows=%{fld87},action=\"%{action}\",rawQuery=\"%{info}\"", processor_chain([ - dup17, - dup7, - dup18, - dup9, - dup10, - dup19, - dup12, - dup3, - dup13, - ])); - - var msg11 = msg("IMPERVA_DATABASE_ACTIVITY:04", part11); - - var part12 = match("MESSAGE#11:IMPERVA_DATABASE_ACTIVITY:08", "nwparser.payload", "dstIP=%{daddr},dstPort=%{dport},dbUsername=%{username},srcIP=%{saddr},srcPort=%{sport},creatTime=%{fld79->} %{fld22->} %{fld23->} 
%{fld24},,srvGroup=%{group_object},service=%{fld88},appName=%{fld81},event#=%{fld82},eventType=Logout,usrGroup=%{group},usrAuth=False,application=\"%{application}\",osUsername=%{c_username},srcHost=%{shost},dbName=%{db_name},schemaName=%{owner},bindVar=%{fld86},sqlError=%{result},respSize=%{dclass_counter1},respTime=%{duration},affRows=%{fld87},action=\"%{action}\",rawQuery=\"%{info}\"", processor_chain([ - dup17, - dup7, - dup18, - dup9, - dup15, - dup19, - dup12, - dup3, - dup13, - ])); - - var msg12 = msg("IMPERVA_DATABASE_ACTIVITY:08", part12); - - var part13 = match("MESSAGE#12:IMPERVA_DATABASE_ACTIVITY:02", "nwparser.payload", "dstIP=%{daddr},dstPort=%{dport},dbUsername=%{username},srcIP=%{saddr},srcPort=%{sport},creatTime=%{fld79},srvGroup=%{group_object},service=%{fld88},appName=%{fld81},event#=%{fld82},eventType=Logout,usrGroup=%{group},usrAuth=True,application=\"%{application}\",osUsername=%{c_username},srcHost=%{shost},dbName=%{db_name},schemaName=%{owner},bindVar=%{fld86},sqlError=%{result},respSize=%{dclass_counter1},respTime=%{duration},affRows=%{fld87},action=\"%{action}\",rawQuery=\"%{info}\"", processor_chain([ - dup17, - dup7, - dup18, - dup9, - dup10, - dup19, - dup4, - dup3, - dup13, - ])); - - var msg13 = msg("IMPERVA_DATABASE_ACTIVITY:02", part13); - - var part14 = match("MESSAGE#13:IMPERVA_DATABASE_ACTIVITY:09", "nwparser.payload", "dstIP=%{daddr},dstPort=%{dport},dbUsername=%{username},srcIP=%{saddr},srcPort=%{sport},creatTime=%{fld79},srvGroup=%{group_object},service=%{fld88},appName=%{fld81},event#=%{fld82},eventType=Logout,usrGroup=%{group},usrAuth=False,application=\"%{application}\",osUsername=%{c_username},srcHost=%{shost},dbName=%{db_name},schemaName=%{owner},bindVar=%{fld86},sqlError=%{result},respSize=%{dclass_counter1},respTime=%{duration},affRows=%{fld87},action=\"%{action}\",rawQuery=\"%{info}\"", processor_chain([ - dup17, - dup7, - dup18, - dup9, - dup15, - dup19, - dup4, - dup3, - dup13, - ])); - - var msg14 = 
msg("IMPERVA_DATABASE_ACTIVITY:09", part14); - - var part15 = match("MESSAGE#14:IMPERVA_DATABASE_ACTIVITY:10", "nwparser.payload", "dstIP=%{daddr},dstPort=%{dport},dbUsername=%{username},srcIP=%{saddr},srcPort=%{sport},creatTime=%{fld79->} %{fld22->} %{fld23->} %{fld24},,srvGroup=%{group_object},service=%{fld88},appName=%{fld81},event#=%{fld82},eventType=Query,usrGroup=%{group},usrAuth=True,application=\"%{application}\",osUsername=%{c_username},srcHost=%{shost},dbName=%{db_name},schemaName=%{owner},bindVar=%{fld86}", processor_chain([ - dup17, - dup20, - dup12, - dup3, - dup13, - ])); - - var msg15 = msg("IMPERVA_DATABASE_ACTIVITY:10", part15); - - var part16 = match("MESSAGE#15:IMPERVA_DATABASE_ACTIVITY:11", "nwparser.payload", "dstIP=%{daddr},dstPort=%{dport},dbUsername=%{username},srcIP=%{saddr},srcPort=%{sport},creatTime=%{fld79->} %{fld22->} %{fld23->} %{fld24},,srvGroup=%{group_object},service=%{fld88},appName=%{fld81},event#=%{fld82},eventType=Query,usrGroup=%{group},usrAuth=False,application=\"%{application}\",osUsername=%{c_username},srcHost=%{shost},dbName=%{db_name},schemaName=%{owner},bindVar=%{fld86}", processor_chain([ - dup17, - dup20, - dup12, - dup3, - dup13, - ])); - - var msg16 = msg("IMPERVA_DATABASE_ACTIVITY:11", part16); - - var part17 = match("MESSAGE#16:IMPERVA_DATABASE_ACTIVITY:12", "nwparser.payload", "dstIP=%{daddr},dstPort=%{dport},dbUsername=%{username},srcIP=%{saddr},srcPort=%{sport},creatTime=%{fld79->} %{fld22->} %{fld23->} %{fld24},srvGroup=%{group_object},service=%{service},appName=%{fld81},event#=%{fld82},eventType=Login,usrGroup=%{group},usrAuth=%{fld99},application=\"%{application}\",osUsername=%{c_username},srcHost=%{shost},dbName=%{db_name},schemaName=%{owner},bindVar=%{fld86},sqlError=%{result}", processor_chain([ - setc("eventcategory","1401050200"), - dup20, - dup12, - dup3, - dup13, - ])); - - var msg17 = msg("IMPERVA_DATABASE_ACTIVITY:12", part17); - - var part18 = match("MESSAGE#17:IMPERVA_DATABASE_ACTIVITY", 
"nwparser.payload", "dstIP=%{daddr},dstPort=%{dport},dbUsername=%{username},srcIP=%{saddr},srcPort=%{sport},creatTime=%{fld79},srvGroup=%{group_object},service=%{fld88},appName=%{fld81},event#=%{fld82},eventType=%{event_type},usrGroup=%{group},usrAuth=%{fld83},application=\"%{application}\",osUsername=%{c_username},srcHost=%{shost},dbName=%{db_name},schemaName=%{owner},bindVar=%{fld86},sqlError=%{result},respSize=%{dclass_counter1},respTime=%{duration},affRows=%{fld87},action=\"%{action}\",rawQuery=\"%{info}\"", processor_chain([ - setc("eventcategory","1206000000"), - dup4, - dup3, - dup13, - ])); - - var msg18 = msg("IMPERVA_DATABASE_ACTIVITY", part18); - - var select2 = linear_select([ - msg1, - msg2, - msg3, - msg4, - msg5, - msg6, - msg7, - msg8, - msg9, - msg10, - msg11, - msg12, - msg13, - msg14, - msg15, - msg16, - msg17, - msg18, - ]); - - var chain1 = processor_chain([ - select1, - msgid_select({ - "Imperva": select2, - }), - ]); - -- community_id: -- registered_domain: - ignore_missing: true - ignore_failure: true - field: dns.question.name - target_field: dns.question.registered_domain - target_subdomain_field: dns.question.subdomain - target_etld_field: dns.question.top_level_domain -- registered_domain: - ignore_missing: true - ignore_failure: true - field: client.domain - target_field: client.registered_domain - target_subdomain_field: client.subdomain - target_etld_field: client.top_level_domain -- registered_domain: - ignore_missing: true - ignore_failure: true - field: server.domain - target_field: server.registered_domain - target_subdomain_field: server.subdomain - target_etld_field: server.top_level_domain -- registered_domain: - ignore_missing: true - ignore_failure: true - field: destination.domain - target_field: destination.registered_domain - target_subdomain_field: destination.subdomain - target_etld_field: destination.top_level_domain -- registered_domain: - ignore_missing: true - ignore_failure: true - field: source.domain - 
target_field: source.registered_domain
- target_subdomain_field: source.subdomain
- target_etld_field: source.top_level_domain
-- registered_domain:
- ignore_missing: true
- ignore_failure: true
- field: url.domain
- target_field: url.registered_domain
- target_subdomain_field: url.subdomain
- target_etld_field: url.top_level_domain
-- add_locale: ~
diff --git a/packages/imperva/0.10.1/data_stream/securesphere/agent/stream/udp.yml.hbs b/packages/imperva/0.10.1/data_stream/securesphere/agent/stream/udp.yml.hbs
deleted file mode 100755
index 2cf999b966..0000000000
--- a/packages/imperva/0.10.1/data_stream/securesphere/agent/stream/udp.yml.hbs
+++ /dev/null
@@ -1,2907 +0,0 @@ -udp: -host: "{{udp_host}}:{{udp_port}}" -tags: -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#each tags as |tag i|}} - - {{tag}} -{{/each}} -fields_under_root: true -fields: - observer: - vendor: "Imperva" - product: "Secure" - type: "WAF" -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} -processors: -{{#if processors}} -{{processors}} -{{/if}} -- script: - lang: javascript - params: - ecs: true - rsa: {{rsa_fields}} - tz_offset: {{tz_offset}} - keep_raw: {{keep_raw_fields}} - debug: {{debug}} - source: | - // Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - // or more contributor license agreements. Licensed under the Elastic License; - // you may not use this file except in compliance with the Elastic License. - - /* jshint -W014,-W016,-W097,-W116 */ - - var processor = require("processor"); - var console = require("console"); - - var FLAG_FIELD = "log.flags"; - var FIELDS_OBJECT = "nwparser"; - var FIELDS_PREFIX = FIELDS_OBJECT + "."; - - var defaults = { - debug: false, - ecs: true, - rsa: false, - keep_raw: false, - tz_offset: "local", - strip_priority: true - }; - - var saved_flags = null; - var debug; - var map_ecs; - var map_rsa; - var keep_raw; - var device; - var tz_offset; - var strip_priority; - - // Register params from configuration. - function register(params) { - debug = params.debug !== undefined ? params.debug : defaults.debug; - map_ecs = params.ecs !== undefined ? params.ecs : defaults.ecs; - map_rsa = params.rsa !== undefined ? params.rsa : defaults.rsa; - keep_raw = params.keep_raw !== undefined ? params.keep_raw : defaults.keep_raw; - tz_offset = parse_tz_offset(params.tz_offset !== undefined? params.tz_offset : defaults.tz_offset); - strip_priority = params.strip_priority !== undefined? 
params.strip_priority : defaults.strip_priority; - device = new DeviceProcessor(); - } - - function parse_tz_offset(offset) { - var date; - var m; - switch(offset) { - // local uses the tz offset from the JS VM. - case "local": - date = new Date(); - // Reversing the sign as we the offset from UTC, not to UTC. - return parse_local_tz_offset(-date.getTimezoneOffset()); - // event uses the tz offset from event.timezone (add_locale processor). - case "event": - return offset; - // Otherwise a tz offset in the form "[+-][0-9]{4}" is required. - default: - m = offset.match(/^([+\-])([0-9]{2}):?([0-9]{2})?$/); - if (m === null || m.length !== 4) { - throw("bad timezone offset: '" + offset + "'. Must have the form +HH:MM"); - } - return m[1] + m[2] + ":" + (m[3]!==undefined? m[3] : "00"); - } - } - - function parse_local_tz_offset(minutes) { - var neg = minutes < 0; - minutes = Math.abs(minutes); - var min = minutes % 60; - var hours = Math.floor(minutes / 60); - var pad2digit = function(n) { - if (n < 10) { return "0" + n;} - return "" + n; - }; - return (neg? "-" : "+") + pad2digit(hours) + ":" + pad2digit(min); - } - - function process(evt) { - // Function register is only called by the processor when `params` are set - // in the processor config. - if (device === undefined) { - register(defaults); - } - return device.process(evt); - } - - function processor_chain(subprocessors) { - var builder = new processor.Chain(); - subprocessors.forEach(builder.Add); - return builder.Build().Run; - } - - function linear_select(subprocessors) { - return function (evt) { - var flags = evt.Get(FLAG_FIELD); - var i; - for (i = 0; i < subprocessors.length; i++) { - evt.Delete(FLAG_FIELD); - if (debug) console.warn("linear_select trying entry " + i); - subprocessors[i](evt); - // Dissect processor succeeded? 
- if (evt.Get(FLAG_FIELD) == null) break; - if (debug) console.warn("linear_select failed entry " + i); - } - if (flags !== null) { - evt.Put(FLAG_FIELD, flags); - } - if (debug) { - if (i < subprocessors.length) { - console.warn("linear_select matched entry " + i); - } else { - console.warn("linear_select didn't match"); - } - } - }; - } - - function conditional(opt) { - return function(evt) { - if (opt.if(evt)) { - opt.then(evt); - } else if (opt.else) { - opt.else(evt); - } - }; - } - - var strip_syslog_priority = (function() { - var isEnabled = function() { return strip_priority === true; }; - var fetchPRI = field("_pri"); - var fetchPayload = field("payload"); - var removePayload = remove(["payload"]); - var cleanup = remove(["_pri", "payload"]); - var onMatch = function(evt) { - var pri, priStr = fetchPRI(evt); - if (priStr != null - && 0 < priStr.length && priStr.length < 4 - && !isNaN((pri = Number(priStr))) - && 0 <= pri && pri < 192) { - var severity = pri & 7, - facility = pri >> 3; - setc("_severity", "" + severity)(evt); - setc("_facility", "" + facility)(evt); - // Replace message with priority stripped. - evt.Put("message", fetchPayload(evt)); - removePayload(evt); - } else { - // not a valid syslog PRI, cleanup. 
- cleanup(evt); - } - }; - return conditional({ - if: isEnabled, - then: cleanup_flags(match( - "STRIP_PRI", - "message", - "<%{_pri}>%{payload}", - onMatch - )) - }); - })(); - - function match(id, src, pattern, on_success) { - var dissect = new processor.Dissect({ - field: src, - tokenizer: pattern, - target_prefix: FIELDS_OBJECT, - ignore_failure: true, - overwrite_keys: true, - trim_values: "right" - }); - return function (evt) { - var msg = evt.Get(src); - dissect.Run(evt); - var failed = evt.Get(FLAG_FIELD) != null; - if (debug) { - if (failed) { - console.debug("dissect fail: " + id + " field:" + src); - } else { - console.debug("dissect OK: " + id + " field:" + src); - } - console.debug(" expr: <<" + pattern + ">>"); - console.debug(" input: <<" + msg + ">>"); - } - if (on_success != null && !failed) { - on_success(evt); - } - }; - } - - function match_copy(id, src, dst, on_success) { - dst = FIELDS_PREFIX + dst; - if (dst === FIELDS_PREFIX || dst === src) { - return function (evt) { - if (debug) { - console.debug("noop OK: " + id + " field:" + src); - console.debug(" input: <<" + evt.Get(src) + ">>"); - } - if (on_success != null) on_success(evt); - } - } - return function (evt) { - var msg = evt.Get(src); - evt.Put(dst, msg); - if (debug) { - console.debug("copy OK: " + id + " field:" + src); - console.debug(" target: '" + dst + "'"); - console.debug(" input: <<" + msg + ">>"); - } - if (on_success != null) on_success(evt); - } - } - - function cleanup_flags(processor) { - return function(evt) { - processor(evt); - evt.Delete(FLAG_FIELD); - }; - } - - function all_match(opts) { - return function (evt) { - var i; - for (i = 0; i < opts.processors.length; i++) { - evt.Delete(FLAG_FIELD); - opts.processors[i](evt); - // Dissect processor succeeded? 
- if (evt.Get(FLAG_FIELD) != null) { - if (debug) console.warn("all_match failure at " + i); - if (opts.on_failure != null) opts.on_failure(evt); - return; - } - if (debug) console.warn("all_match success at " + i); - } - if (opts.on_success != null) opts.on_success(evt); - }; - } - - function msgid_select(mapping) { - return function (evt) { - var msgid = evt.Get(FIELDS_PREFIX + "messageid"); - if (msgid == null) { - if (debug) console.warn("msgid_select: no messageid captured!"); - return; - } - var next = mapping[msgid]; - if (next === undefined) { - if (debug) console.warn("msgid_select: no mapping for messageid:" + msgid); - return; - } - if (debug) console.info("msgid_select: matched key=" + msgid); - return next(evt); - }; - } - - function msg(msg_id, match) { - return function (evt) { - match(evt); - if (evt.Get(FLAG_FIELD) == null) { - evt.Put(FIELDS_PREFIX + "msg_id1", msg_id); - } - }; - } - - var start; - - function save_flags(evt) { - saved_flags = evt.Get(FLAG_FIELD); - evt.Put("event.original", evt.Get("message")); - } - - function restore_flags(evt) { - if (saved_flags !== null) { - evt.Put(FLAG_FIELD, saved_flags); - } - evt.Delete("message"); - } - - function constant(value) { - return function (evt) { - return value; - }; - } - - function field(name) { - var fullname = FIELDS_PREFIX + name; - return function (evt) { - return evt.Get(fullname); - }; - } - - function STRCAT(args) { - var s = ""; - var i; - for (i = 0; i < args.length; i++) { - s += args[i]; - } - return s; - } - - // TODO: Implement - function DIRCHK(args) { - unimplemented("DIRCHK"); - } - - function strictToInt(str) { - return str * 1; - } - - function CALC(args) { - if (args.length !== 3) { - console.warn("skipped call to CALC with " + args.length + " arguments."); - return; - } - var a = strictToInt(args[0]); - var b = strictToInt(args[2]); - if (isNaN(a) || isNaN(b)) { - console.warn("failed evaluating CALC arguments a='" + args[0] + "' b='" + args[2] + "'."); - return; - } - 
var result; - switch (args[1]) { - case "+": - result = a + b; - break; - case "-": - result = a - b; - break; - case "*": - result = a * b; - break; - default: - // Only * and + seen in the parsers. - console.warn("unknown CALC operation '" + args[1] + "'."); - return; - } - // Always return a string - return result !== undefined ? "" + result : result; - } - - var quoteChars = "\"'`"; - function RMQ(args) { - if(args.length !== 1) { - console.warn("RMQ: only one argument expected"); - return; - } - var value = args[0].trim(); - var n = value.length; - var char; - return n > 1 - && (char=value.charAt(0)) === value.charAt(n-1) - && quoteChars.indexOf(char) !== -1? - value.substr(1, n-2) - : value; - } - - function call(opts) { - var args = new Array(opts.args.length); - return function (evt) { - for (var i = 0; i < opts.args.length; i++) - if ((args[i] = opts.args[i](evt)) == null) return; - var result = opts.fn(args); - if (result != null) { - evt.Put(opts.dest, result); - } - }; - } - - function nop(evt) { - } - - function appendErrorMsg(evt, msg) { - var value = evt.Get("error.message"); - if (value == null) { - value = [msg]; - } else if (msg instanceof Array) { - value.push(msg); - } else { - value = [value, msg]; - } - evt.Put("error.message", value); - } - - function unimplemented(name) { - appendErrorMsg("unimplemented feature: " + name); - } - - function lookup(opts) { - return function (evt) { - var key = opts.key(evt); - if (key == null) return; - var value = opts.map.keyvaluepairs[key]; - if (value === undefined) { - value = opts.map.default; - } - if (value !== undefined) { - evt.Put(opts.dest, value(evt)); - } - }; - } - - function set(fields) { - return new processor.AddFields({ - target: FIELDS_OBJECT, - fields: fields, - }); - } - - function setf(dst, src) { - return function (evt) { - var val = evt.Get(FIELDS_PREFIX + src); - if (val != null) evt.Put(FIELDS_PREFIX + dst, val); - }; - } - - function setc(dst, value) { - return function (evt) { - 
evt.Put(FIELDS_PREFIX + dst, value); - }; - } - - function set_field(opts) { - return function (evt) { - var val = opts.value(evt); - if (val != null) evt.Put(opts.dest, val); - }; - } - - function dump(label) { - return function (evt) { - console.log("Dump of event at " + label + ": " + JSON.stringify(evt, null, "\t")); - }; - } - - function date_time_join_args(evt, arglist) { - var str = ""; - for (var i = 0; i < arglist.length; i++) { - var fname = FIELDS_PREFIX + arglist[i]; - var val = evt.Get(fname); - if (val != null) { - if (str !== "") str += " "; - str += val; - } else { - if (debug) console.warn("in date_time: input arg " + fname + " is not set"); - } - } - return str; - } - - function to2Digit(num) { - return num? (num < 10? "0" + num : num) : "00"; - } - - // Make two-digit dates 00-69 interpreted as 2000-2069 - // and dates 70-99 translated to 1970-1999. - var twoDigitYearEpoch = 70; - var twoDigitYearCentury = 2000; - - // This is to accept dates up to 2 days in the future, only used when - // no year is specified in a date. 2 days should be enough to account for - // time differences between systems and different tz offsets. - var maxFutureDelta = 2*24*60*60*1000; - - // DateContainer stores date fields and then converts those fields into - // a Date. Necessary because building a Date using its set() methods gives - // different results depending on the order of components. - function DateContainer(tzOffset) { - this.offset = tzOffset === undefined? "Z" : tzOffset; - } - - DateContainer.prototype = { - setYear: function(v) {this.year = v;}, - setMonth: function(v) {this.month = v;}, - setDay: function(v) {this.day = v;}, - setHours: function(v) {this.hours = v;}, - setMinutes: function(v) {this.minutes = v;}, - setSeconds: function(v) {this.seconds = v;}, - - setUNIX: function(v) {this.unix = v;}, - - set2DigitYear: function(v) { - this.year = v < twoDigitYearEpoch? 
twoDigitYearCentury + v : twoDigitYearCentury + v - 100; - }, - - toDate: function() { - if (this.unix !== undefined) { - return new Date(this.unix * 1000); - } - if (this.day === undefined || this.month === undefined) { - // Can't make a date from this. - return undefined; - } - if (this.year === undefined) { - // A date without a year. Set current year, or previous year - // if date would be in the future. - var now = new Date(); - this.year = now.getFullYear(); - var date = this.toDate(); - if (date.getTime() - now.getTime() > maxFutureDelta) { - date.setFullYear(now.getFullYear() - 1); - } - return date; - } - var MM = to2Digit(this.month); - var DD = to2Digit(this.day); - var hh = to2Digit(this.hours); - var mm = to2Digit(this.minutes); - var ss = to2Digit(this.seconds); - return new Date(this.year + "-" + MM + "-" + DD + "T" + hh + ":" + mm + ":" + ss + this.offset); - } - } - - function date_time_try_pattern(fmt, str, tzOffset) { - var date = new DateContainer(tzOffset); - var pos = date_time_try_pattern_at_pos(fmt, str, 0, date); - return pos !== undefined? 
date.toDate() : undefined; - } - - function date_time_try_pattern_at_pos(fmt, str, pos, date) { - var len = str.length; - for (var proc = 0; pos !== undefined && pos < len && proc < fmt.length; proc++) { - pos = fmt[proc](str, pos, date); - } - return pos; - } - - function date_time(opts) { - return function (evt) { - var tzOffset = opts.tz || tz_offset; - if (tzOffset === "event") { - tzOffset = evt.Get("event.timezone"); - } - var str = date_time_join_args(evt, opts.args); - for (var i = 0; i < opts.fmts.length; i++) { - var date = date_time_try_pattern(opts.fmts[i], str, tzOffset); - if (date !== undefined) { - evt.Put(FIELDS_PREFIX + opts.dest, date); - return; - } - } - if (debug) console.warn("in date_time: id=" + opts.id + " FAILED: " + str); - }; - } - - var uA = 60 * 60 * 24; - var uD = 60 * 60 * 24; - var uF = 60 * 60; - var uG = 60 * 60 * 24 * 30; - var uH = 60 * 60; - var uI = 60 * 60; - var uJ = 60 * 60 * 24; - var uM = 60 * 60 * 24 * 30; - var uN = 60 * 60; - var uO = 1; - var uS = 1; - var uT = 60; - var uU = 60; - var uc = dc; - - function duration(opts) { - return function(evt) { - var str = date_time_join_args(evt, opts.args); - for (var i = 0; i < opts.fmts.length; i++) { - var seconds = duration_try_pattern(opts.fmts[i], str); - if (seconds !== undefined) { - evt.Put(FIELDS_PREFIX + opts.dest, seconds); - return; - } - } - if (debug) console.warn("in duration: id=" + opts.id + " (s) FAILED: " + str); - }; - } - - function duration_try_pattern(fmt, str) { - var secs = 0; - var pos = 0; - for (var i=0; i [ month_id , how many chars to skip if month in long form ] - "Jan": [0, 4], - "Feb": [1, 5], - "Mar": [2, 2], - "Apr": [3, 2], - "May": [4, 0], - "Jun": [5, 1], - "Jul": [6, 1], - "Aug": [7, 3], - "Sep": [8, 6], - "Oct": [9, 4], - "Nov": [10, 5], - "Dec": [11, 4], - "jan": [0, 4], - "feb": [1, 5], - "mar": [2, 2], - "apr": [3, 2], - "may": [4, 0], - "jun": [5, 1], - "jul": [6, 1], - "aug": [7, 3], - "sep": [8, 6], - "oct": [9, 4], - "nov": [10, 
5], - "dec": [11, 4], - }; - - // var dC = undefined; - var dR = dateMonthName(true); - var dB = dateMonthName(false); - var dM = dateFixedWidthNumber("M", 2, 1, 12, DateContainer.prototype.setMonth); - var dG = dateVariableWidthNumber("G", 1, 12, DateContainer.prototype.setMonth); - var dD = dateFixedWidthNumber("D", 2, 1, 31, DateContainer.prototype.setDay); - var dF = dateVariableWidthNumber("F", 1, 31, DateContainer.prototype.setDay); - var dH = dateFixedWidthNumber("H", 2, 0, 24, DateContainer.prototype.setHours); - var dI = dateVariableWidthNumber("I", 0, 24, DateContainer.prototype.setHours); // Accept hours >12 - var dN = dateVariableWidthNumber("N", 0, 24, DateContainer.prototype.setHours); - var dT = dateFixedWidthNumber("T", 2, 0, 59, DateContainer.prototype.setMinutes); - var dU = dateVariableWidthNumber("U", 0, 59, DateContainer.prototype.setMinutes); - var dP = parseAMPM; // AM|PM - var dQ = parseAMPM; // A.M.|P.M - var dS = dateFixedWidthNumber("S", 2, 0, 60, DateContainer.prototype.setSeconds); - var dO = dateVariableWidthNumber("O", 0, 60, DateContainer.prototype.setSeconds); - var dY = dateFixedWidthNumber("Y", 2, 0, 99, DateContainer.prototype.set2DigitYear); - var dW = dateFixedWidthNumber("W", 4, 1000, 9999, DateContainer.prototype.setYear); - var dZ = parseHMS; - var dX = dateVariableWidthNumber("X", 0, 0x10000000000, DateContainer.prototype.setUNIX); - - // parseAMPM parses "A.M", "AM", "P.M", "PM" from logs. - // Only works if this modifier appears after the hour has been read from logs - // which is always the case in the 300 devices. 
- function parseAMPM(str, pos, date) { - var n = str.length; - var start = skipws(str, pos); - if (start + 2 > n) return; - var head = str.substr(start, 2).toUpperCase(); - var isPM = false; - var skip = false; - switch (head) { - case "A.": - skip = true; - /* falls through */ - case "AM": - break; - case "P.": - skip = true; - /* falls through */ - case "PM": - isPM = true; - break; - default: - if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(head:" + head + ")"); - return; - } - pos = start + 2; - if (skip) { - if (pos+2 > n || str.substr(pos, 2).toUpperCase() !== "M.") { - if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(tail)"); - return; - } - pos += 2; - } - var hh = date.hours; - if (isPM) { - // Accept existing hour in 24h format. - if (hh < 12) hh += 12; - } else { - if (hh === 12) hh = 0; - } - date.setHours(hh); - return pos; - } - - function parseHMS(str, pos, date) { - return date_time_try_pattern_at_pos([dN, dc(":"), dU, dc(":"), dO], str, pos, date); - } - - function skipws(str, pos) { - for ( var n = str.length; - pos < n && str.charAt(pos) === " "; - pos++) - ; - return pos; - } - - function skipdigits(str, pos) { - var c; - for (var n = str.length; - pos < n && (c = str.charAt(pos)) >= "0" && c <= "9"; - pos++) - ; - return pos; - } - - function dSkip(str, pos, date) { - var chr; - for (;pos < str.length && (chr=str[pos])<'0' || chr>'9'; pos++) {} - return pos < str.length? 
pos : undefined; - } - - function dateVariableWidthNumber(fmtChar, min, max, setter) { - return function (str, pos, date) { - var start = skipws(str, pos); - pos = skipdigits(str, start); - var s = str.substr(start, pos - start); - var value = parseInt(s, 10); - if (value >= min && value <= max) { - setter.call(date, value); - return pos; - } - return; - }; - } - - function dateFixedWidthNumber(fmtChar, width, min, max, setter) { - return function (str, pos, date) { - pos = skipws(str, pos); - var n = str.length; - if (pos + width > n) return; - var s = str.substr(pos, width); - var value = parseInt(s, 10); - if (value >= min && value <= max) { - setter.call(date, value); - return pos + width; - } - return; - }; - } - - // Short month name (Jan..Dec). - function dateMonthName(long) { - return function (str, pos, date) { - pos = skipws(str, pos); - var n = str.length; - if (pos + 3 > n) return; - var mon = str.substr(pos, 3); - var idx = shortMonths[mon]; - if (idx === undefined) { - idx = shortMonths[mon.toLowerCase()]; - } - if (idx === undefined) { - //console.warn("parsing date_time: '" + mon + "' is not a valid short month (%B)"); - return; - } - date.setMonth(idx[0]+1); - return pos + 3 + (long ? 
idx[1] : 0); - }; - } - - function url_wrapper(dst, src, fn) { - return function(evt) { - var value = evt.Get(FIELDS_PREFIX + src), result; - if (value != null && (result = fn(value))!== undefined) { - evt.Put(FIELDS_PREFIX + dst, result); - } else { - console.debug(fn.name + " failed for '" + value + "'"); - } - }; - } - - // The following regular expression for parsing URLs from: - // https://github.com/wizard04wsu/URI_Parsing - // - // The MIT License (MIT) - // - // Copyright (c) 2014 Andrew Harrison - // - // Permission is hereby granted, free of charge, to any person obtaining a copy of - // this software and associated documentation files (the "Software"), to deal in - // the Software without restriction, including without limitation the rights to - // use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of - // the Software, and to permit persons to whom the Software is furnished to do so, - // subject to the following conditions: - // - // The above copyright notice and this permission notice shall be included in all - // copies or substantial portions of the Software. - // - // THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR - // IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS - // FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR - // COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER - // IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN - // CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 
- var uriRegExp = /^([a-z][a-z0-9+.\-]*):(?:\/\/((?:(?=((?:[a-z0-9\-._~!$&'()*+,;=:]|%[0-9A-F]{2})*))(\3)@)?(?=(\[[0-9A-F:.]{2,}\]|(?:[a-z0-9\-._~!$&'()*+,;=]|%[0-9A-F]{2})*))\5(?::(?=(\d*))\6)?)(\/(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\8)?|(\/?(?!\/)(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\10)?)(?:\?(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\11)?(?:#(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\12)?$/i; - - var uriScheme = 1; - var uriDomain = 5; - var uriPort = 6; - var uriPath = 7; - var uriPathAlt = 9; - var uriQuery = 11; - - function domain(dst, src) { - return url_wrapper(dst, src, extract_domain); - } - - function split_url(value) { - var m = value.match(uriRegExp); - if (m && m[uriDomain]) return m; - // Support input in the form "www.example.net/path", but not "/path". - m = ("null://" + value).match(uriRegExp); - if (m) return m; - } - - function extract_domain(value) { - var m = split_url(value); - if (m && m[uriDomain]) return m[uriDomain]; - } - - var extFromPage = /\.[^.]+$/; - function extract_ext(value) { - var page = extract_page(value); - if (page) { - var m = page.match(extFromPage); - if (m) return m[0]; - } - } - - function ext(dst, src) { - return url_wrapper(dst, src, extract_ext); - } - - function fqdn(dst, src) { - // TODO: fqdn and domain(eTLD+1) are currently the same. - return domain(dst, src); - } - - var pageFromPathRegExp = /\/([^\/]+)$/; - var pageName = 1; - - function extract_page(value) { - value = extract_path(value); - if (!value) return undefined; - var m = value.match(pageFromPathRegExp); - if (m) return m[pageName]; - } - - function page(dst, src) { - return url_wrapper(dst, src, extract_page); - } - - function extract_path(value) { - var m = split_url(value); - return m? m[uriPath] || m[uriPathAlt] : undefined; - } - - function path(dst, src) { - return url_wrapper(dst, src, extract_path); - } - - // Map common schemes to their default port. 
- // port has to be a string (will be converted at a later stage). - var schemePort = { - "ftp": "21", - "ssh": "22", - "http": "80", - "https": "443", - }; - - function extract_port(value) { - var m = split_url(value); - if (!m) return undefined; - if (m[uriPort]) return m[uriPort]; - if (m[uriScheme]) { - return schemePort[m[uriScheme]]; - } - } - - function port(dst, src) { - return url_wrapper(dst, src, extract_port); - } - - function extract_query(value) { - var m = split_url(value); - if (m && m[uriQuery]) return m[uriQuery]; - } - - function query(dst, src) { - return url_wrapper(dst, src, extract_query); - } - - function extract_root(value) { - var m = split_url(value); - if (m && m[uriDomain] && m[uriDomain]) { - var scheme = m[uriScheme] && m[uriScheme] !== "null"? - m[uriScheme] + "://" : ""; - var port = m[uriPort]? ":" + m[uriPort] : ""; - return scheme + m[uriDomain] + port; - } - } - - function root(dst, src) { - return url_wrapper(dst, src, extract_root); - } - - function tagval(id, src, cfg, keys, on_success) { - var fail = function(evt) { - evt.Put(FLAG_FIELD, "tagval_parsing_error"); - } - if (cfg.kv_separator.length !== 1) { - throw("Invalid TAGVALMAP ValueDelimiter (must have 1 character)"); - } - var quotes_len = cfg.open_quote.length > 0 && cfg.close_quote.length > 0? 
- cfg.open_quote.length + cfg.close_quote.length : 0; - var kv_regex = new RegExp('^([^' + cfg.kv_separator + ']*)*' + cfg.kv_separator + ' *(.*)*$'); - return function(evt) { - var msg = evt.Get(src); - if (msg === undefined) { - console.warn("tagval: input field is missing"); - return fail(evt); - } - var pairs = msg.split(cfg.pair_separator); - var i; - var success = false; - var prev = ""; - for (i=0; i 0 && - value.length >= cfg.open_quote.length + cfg.close_quote.length && - value.substr(0, cfg.open_quote.length) === cfg.open_quote && - value.substr(value.length - cfg.close_quote.length) === cfg.close_quote) { - value = value.substr(cfg.open_quote.length, value.length - quotes_len); - } - evt.Put(FIELDS_PREFIX + field, value); - success = true; - } - if (!success) { - return fail(evt); - } - if (on_success != null) { - on_success(evt); - } - } - } - - var ecs_mappings = { - "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]}, - "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]}, - "_severity": {convert: to_long, to:[{field: "log.syslog.severity.code", setter: fld_set}]}, - "action": {to:[{field: "event.action", setter: fld_prio, prio: 0}]}, - "administrator": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 4}]}, - "alias.ip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 3},{field: "related.ip", setter: fld_append}]}, - "alias.ipv6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 4},{field: "related.ip", setter: fld_append}]}, - "alias.mac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 1}]}, - "application": {to:[{field: "network.application", setter: fld_set}]}, - "bytes": {convert: to_long, to:[{field: "network.bytes", setter: fld_set}]}, - "c_domain": {to:[{field: "source.domain", setter: fld_prio, prio: 1}]}, - "c_logon_id": {to:[{field: "user.id", setter: fld_prio, prio: 2}]}, - 
"c_user_name": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 8}]}, - "c_username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 2}]}, - "cctld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 1}]}, - "child_pid": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 1}]}, - "child_pid_val": {to:[{field: "process.title", setter: fld_set}]}, - "child_process": {to:[{field: "process.name", setter: fld_prio, prio: 1}]}, - "city.dst": {to:[{field: "destination.geo.city_name", setter: fld_set}]}, - "city.src": {to:[{field: "source.geo.city_name", setter: fld_set}]}, - "daddr": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, - "daddr_v6": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, - "ddomain": {to:[{field: "destination.domain", setter: fld_prio, prio: 0}]}, - "devicehostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, - "devicehostmac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 0}]}, - "dhost": {to:[{field: "destination.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]}, - "dinterface": {to:[{field: "observer.egress.interface.name", setter: fld_set}]}, - "direction": {to:[{field: "network.direction", setter: fld_set}]}, - "directory": {to:[{field: "file.directory", setter: fld_set}]}, - "dmacaddr": {convert: to_mac, to:[{field: "destination.mac", setter: fld_set}]}, - "dns.responsetype": {to:[{field: "dns.answers.type", setter: fld_set}]}, - "dns.resptext": {to:[{field: "dns.answers.name", setter: fld_set}]}, - "dns_querytype": {to:[{field: "dns.question.type", setter: fld_set}]}, - "domain": {to:[{field: "server.domain", setter: fld_prio, prio: 0},{field: "related.hosts", setter: fld_append}]}, - 
"domain.dst": {to:[{field: "destination.domain", setter: fld_prio, prio: 1}]}, - "domain.src": {to:[{field: "source.domain", setter: fld_prio, prio: 2}]}, - "domain_id": {to:[{field: "user.domain", setter: fld_set}]}, - "domainname": {to:[{field: "server.domain", setter: fld_prio, prio: 1}]}, - "dport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 0}]}, - "dtransaddr": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, - "dtransport": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 0}]}, - "ec_outcome": {to:[{field: "event.outcome", setter: fld_ecs_outcome}]}, - "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]}, - "event_source": {to:[{field: "related.hosts", setter: fld_append}]}, - "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]}, - "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]}, - "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]}, - "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]}, - "filename": {to:[{field: "file.name", setter: fld_prio, prio: 0}]}, - "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]}, - "filepath": {to:[{field: "file.path", setter: fld_set}]}, - "filetype": {to:[{field: "file.type", setter: fld_set}]}, - "fqdn": {to:[{field: "related.hosts", setter: fld_append}]}, - "group": {to:[{field: "group.name", setter: fld_set}]}, - "groupid": {to:[{field: "group.id", setter: fld_set}]}, - "host": {to:[{field: "host.name", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]}, - "hostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, - "hostip_v6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, - "hostname": {to:[{field: 
"host.name", setter: fld_prio, prio: 0}]}, - "id": {to:[{field: "event.code", setter: fld_prio, prio: 0}]}, - "interface": {to:[{field: "network.interface.name", setter: fld_set}]}, - "ip.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, - "ip.trans.dst": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, - "ip.trans.src": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, - "ipv6.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, - "latdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lat", setter: fld_set}]}, - "latdec_src": {convert: to_double, to:[{field: "source.geo.location.lat", setter: fld_set}]}, - "location_city": {to:[{field: "geo.city_name", setter: fld_set}]}, - "location_country": {to:[{field: "geo.country_name", setter: fld_set}]}, - "location_desc": {to:[{field: "geo.name", setter: fld_set}]}, - "location_dst": {to:[{field: "destination.geo.country_name", setter: fld_set}]}, - "location_src": {to:[{field: "source.geo.country_name", setter: fld_set}]}, - "location_state": {to:[{field: "geo.region_name", setter: fld_set}]}, - "logon_id": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 5}]}, - "longdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lon", setter: fld_set}]}, - "longdec_src": {convert: to_double, to:[{field: "source.geo.location.lon", setter: fld_set}]}, - "macaddr": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 2}]}, - "messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]}, - "method": {to:[{field: "http.request.method", setter: fld_set}]}, - "msg": {to:[{field: "message", setter: fld_set}]}, - "orig_ip": {convert: to_ip, 
to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, - "owner": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 6}]}, - "packets": {convert: to_long, to:[{field: "network.packets", setter: fld_set}]}, - "parent_pid": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 0}]}, - "parent_pid_val": {to:[{field: "process.parent.title", setter: fld_set}]}, - "parent_process": {to:[{field: "process.parent.name", setter: fld_prio, prio: 0}]}, - "patient_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 1}]}, - "port.dst": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 1}]}, - "port.src": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 1}]}, - "port.trans.dst": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 1}]}, - "port.trans.src": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 1}]}, - "process": {to:[{field: "process.name", setter: fld_prio, prio: 0}]}, - "process_id": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 0}]}, - "process_id_src": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 1}]}, - "process_src": {to:[{field: "process.parent.name", setter: fld_prio, prio: 1}]}, - "product": {to:[{field: "observer.product", setter: fld_set}]}, - "protocol": {to:[{field: "network.protocol", setter: fld_set}]}, - "query": {to:[{field: "url.query", setter: fld_prio, prio: 2}]}, - "rbytes": {convert: to_long, to:[{field: "destination.bytes", setter: fld_set}]}, - "referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 1}]}, - "rulename": {to:[{field: "rule.name", setter: fld_set}]}, - "saddr": {convert: to_ip, to:[{field: "source.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, - "saddr_v6": {convert: to_ip, to:[{field: "source.ip", setter: 
fld_set},{field: "related.ip", setter: fld_append}]}, - "sbytes": {convert: to_long, to:[{field: "source.bytes", setter: fld_set}]}, - "sdomain": {to:[{field: "source.domain", setter: fld_prio, prio: 0}]}, - "service": {to:[{field: "service.name", setter: fld_prio, prio: 1}]}, - "service.name": {to:[{field: "service.name", setter: fld_prio, prio: 0}]}, - "service_account": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 7}]}, - "severity": {to:[{field: "log.level", setter: fld_set}]}, - "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]}, - "sinterface": {to:[{field: "observer.ingress.interface.name", setter: fld_set}]}, - "sld": {to:[{field: "url.registered_domain", setter: fld_set}]}, - "smacaddr": {convert: to_mac, to:[{field: "source.mac", setter: fld_set}]}, - "sport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 0}]}, - "stransaddr": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, - "stransport": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 0}]}, - "tcp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 2}]}, - "tcp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 2}]}, - "timezone": {to:[{field: "event.timezone", setter: fld_set}]}, - "tld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 0}]}, - "udp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 3}]}, - "udp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 3}]}, - "uid": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 3}]}, - "url": {to:[{field: "url.original", setter: fld_prio, prio: 1}]}, - "url_raw": {to:[{field: "url.original", setter: fld_prio, prio: 
0}]}, - "urldomain": {to:[{field: "url.domain", setter: fld_prio, prio: 0}]}, - "urlquery": {to:[{field: "url.query", setter: fld_prio, prio: 0}]}, - "user": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 0}]}, - "user.id": {to:[{field: "user.id", setter: fld_prio, prio: 1}]}, - "user_agent": {to:[{field: "user_agent.original", setter: fld_set}]}, - "user_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 0}]}, - "user_id": {to:[{field: "user.id", setter: fld_prio, prio: 0}]}, - "username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 1}]}, - "version": {to:[{field: "observer.version", setter: fld_set}]}, - "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]}, - "web_extension": {to:[{field: "file.extension", setter: fld_prio, prio: 0}]}, - "web_query": {to:[{field: "url.query", setter: fld_prio, prio: 1}]}, - "web_ref_domain": {to:[{field: "related.hosts", setter: fld_append}]}, - "web_referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 0}]}, - "web_root": {to:[{field: "url.path", setter: fld_set}]}, - "webpage": {to:[{field: "file.name", setter: fld_prio, prio: 1}]}, - }; - - var rsa_mappings = { - "access_point": {to:[{field: "rsa.wireless.access_point", setter: fld_set}]}, - "accesses": {to:[{field: "rsa.identity.accesses", setter: fld_set}]}, - "acl_id": {to:[{field: "rsa.misc.acl_id", setter: fld_set}]}, - "acl_op": {to:[{field: "rsa.misc.acl_op", setter: fld_set}]}, - "acl_pos": {to:[{field: "rsa.misc.acl_pos", setter: fld_set}]}, - "acl_table": {to:[{field: "rsa.misc.acl_table", setter: fld_set}]}, - "action": {to:[{field: "rsa.misc.action", setter: fld_append}]}, - "ad_computer_dst": {to:[{field: "rsa.network.ad_computer_dst", setter: fld_set}]}, - "addr": {to:[{field: "rsa.network.addr", setter: fld_set}]}, - "admin": {to:[{field: "rsa.misc.admin", setter: 
fld_set}]}, - "agent": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 0}]}, - "agent.id": {to:[{field: "rsa.misc.agent_id", setter: fld_set}]}, - "alarm_id": {to:[{field: "rsa.misc.alarm_id", setter: fld_set}]}, - "alarmname": {to:[{field: "rsa.misc.alarmname", setter: fld_set}]}, - "alert": {to:[{field: "rsa.threat.alert", setter: fld_set}]}, - "alert_id": {to:[{field: "rsa.misc.alert_id", setter: fld_set}]}, - "alias.host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "analysis.file": {to:[{field: "rsa.investigations.analysis_file", setter: fld_set}]}, - "analysis.service": {to:[{field: "rsa.investigations.analysis_service", setter: fld_set}]}, - "analysis.session": {to:[{field: "rsa.investigations.analysis_session", setter: fld_set}]}, - "app_id": {to:[{field: "rsa.misc.app_id", setter: fld_set}]}, - "attachment": {to:[{field: "rsa.file.attachment", setter: fld_set}]}, - "audit": {to:[{field: "rsa.misc.audit", setter: fld_set}]}, - "audit_class": {to:[{field: "rsa.internal.audit_class", setter: fld_set}]}, - "audit_object": {to:[{field: "rsa.misc.audit_object", setter: fld_set}]}, - "auditdata": {to:[{field: "rsa.misc.auditdata", setter: fld_set}]}, - "authmethod": {to:[{field: "rsa.identity.auth_method", setter: fld_set}]}, - "autorun_type": {to:[{field: "rsa.misc.autorun_type", setter: fld_set}]}, - "bcc": {to:[{field: "rsa.email.email", setter: fld_append}]}, - "benchmark": {to:[{field: "rsa.misc.benchmark", setter: fld_set}]}, - "binary": {to:[{field: "rsa.file.binary", setter: fld_set}]}, - "boc": {to:[{field: "rsa.investigations.boc", setter: fld_set}]}, - "bssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 1}]}, - "bypass": {to:[{field: "rsa.misc.bypass", setter: fld_set}]}, - "c_sid": {to:[{field: "rsa.identity.user_sid_src", setter: fld_set}]}, - "cache": {to:[{field: "rsa.misc.cache", setter: fld_set}]}, - "cache_hit": {to:[{field: "rsa.misc.cache_hit", setter: fld_set}]}, - "calling_from": {to:[{field: 
"rsa.misc.phone", setter: fld_prio, prio: 1}]}, - "calling_to": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 0}]}, - "category": {to:[{field: "rsa.misc.category", setter: fld_set}]}, - "cc": {to:[{field: "rsa.email.email", setter: fld_append}]}, - "cc.number": {convert: to_long, to:[{field: "rsa.misc.cc_number", setter: fld_set}]}, - "cefversion": {to:[{field: "rsa.misc.cefversion", setter: fld_set}]}, - "cert.serial": {to:[{field: "rsa.crypto.cert_serial", setter: fld_set}]}, - "cert_ca": {to:[{field: "rsa.crypto.cert_ca", setter: fld_set}]}, - "cert_checksum": {to:[{field: "rsa.crypto.cert_checksum", setter: fld_set}]}, - "cert_common": {to:[{field: "rsa.crypto.cert_common", setter: fld_set}]}, - "cert_error": {to:[{field: "rsa.crypto.cert_error", setter: fld_set}]}, - "cert_hostname": {to:[{field: "rsa.crypto.cert_host_name", setter: fld_set}]}, - "cert_hostname_cat": {to:[{field: "rsa.crypto.cert_host_cat", setter: fld_set}]}, - "cert_issuer": {to:[{field: "rsa.crypto.cert_issuer", setter: fld_set}]}, - "cert_keysize": {to:[{field: "rsa.crypto.cert_keysize", setter: fld_set}]}, - "cert_status": {to:[{field: "rsa.crypto.cert_status", setter: fld_set}]}, - "cert_subject": {to:[{field: "rsa.crypto.cert_subject", setter: fld_set}]}, - "cert_username": {to:[{field: "rsa.crypto.cert_username", setter: fld_set}]}, - "cfg.attr": {to:[{field: "rsa.misc.cfg_attr", setter: fld_set}]}, - "cfg.obj": {to:[{field: "rsa.misc.cfg_obj", setter: fld_set}]}, - "cfg.path": {to:[{field: "rsa.misc.cfg_path", setter: fld_set}]}, - "change_attribute": {to:[{field: "rsa.misc.change_attrib", setter: fld_set}]}, - "change_new": {to:[{field: "rsa.misc.change_new", setter: fld_set}]}, - "change_old": {to:[{field: "rsa.misc.change_old", setter: fld_set}]}, - "changes": {to:[{field: "rsa.misc.changes", setter: fld_set}]}, - "checksum": {to:[{field: "rsa.misc.checksum", setter: fld_set}]}, - "checksum.dst": {to:[{field: "rsa.misc.checksum_dst", setter: fld_set}]}, - "checksum.src": 
{to:[{field: "rsa.misc.checksum_src", setter: fld_set}]}, - "cid": {to:[{field: "rsa.internal.cid", setter: fld_set}]}, - "client": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 1}]}, - "client_ip": {to:[{field: "rsa.misc.client_ip", setter: fld_set}]}, - "clustermembers": {to:[{field: "rsa.misc.clustermembers", setter: fld_set}]}, - "cmd": {to:[{field: "rsa.misc.cmd", setter: fld_set}]}, - "cn_acttimeout": {to:[{field: "rsa.misc.cn_acttimeout", setter: fld_set}]}, - "cn_asn_dst": {to:[{field: "rsa.web.cn_asn_dst", setter: fld_set}]}, - "cn_asn_src": {to:[{field: "rsa.misc.cn_asn_src", setter: fld_set}]}, - "cn_bgpv4nxthop": {to:[{field: "rsa.misc.cn_bgpv4nxthop", setter: fld_set}]}, - "cn_ctr_dst_code": {to:[{field: "rsa.misc.cn_ctr_dst_code", setter: fld_set}]}, - "cn_dst_tos": {to:[{field: "rsa.misc.cn_dst_tos", setter: fld_set}]}, - "cn_dst_vlan": {to:[{field: "rsa.misc.cn_dst_vlan", setter: fld_set}]}, - "cn_engine_id": {to:[{field: "rsa.misc.cn_engine_id", setter: fld_set}]}, - "cn_engine_type": {to:[{field: "rsa.misc.cn_engine_type", setter: fld_set}]}, - "cn_f_switch": {to:[{field: "rsa.misc.cn_f_switch", setter: fld_set}]}, - "cn_flowsampid": {to:[{field: "rsa.misc.cn_flowsampid", setter: fld_set}]}, - "cn_flowsampintv": {to:[{field: "rsa.misc.cn_flowsampintv", setter: fld_set}]}, - "cn_flowsampmode": {to:[{field: "rsa.misc.cn_flowsampmode", setter: fld_set}]}, - "cn_inacttimeout": {to:[{field: "rsa.misc.cn_inacttimeout", setter: fld_set}]}, - "cn_inpermbyts": {to:[{field: "rsa.misc.cn_inpermbyts", setter: fld_set}]}, - "cn_inpermpckts": {to:[{field: "rsa.misc.cn_inpermpckts", setter: fld_set}]}, - "cn_invalid": {to:[{field: "rsa.misc.cn_invalid", setter: fld_set}]}, - "cn_ip_proto_ver": {to:[{field: "rsa.misc.cn_ip_proto_ver", setter: fld_set}]}, - "cn_ipv4_ident": {to:[{field: "rsa.misc.cn_ipv4_ident", setter: fld_set}]}, - "cn_l_switch": {to:[{field: "rsa.misc.cn_l_switch", setter: fld_set}]}, - "cn_log_did": {to:[{field: 
"rsa.misc.cn_log_did", setter: fld_set}]}, - "cn_log_rid": {to:[{field: "rsa.misc.cn_log_rid", setter: fld_set}]}, - "cn_max_ttl": {to:[{field: "rsa.misc.cn_max_ttl", setter: fld_set}]}, - "cn_maxpcktlen": {to:[{field: "rsa.misc.cn_maxpcktlen", setter: fld_set}]}, - "cn_min_ttl": {to:[{field: "rsa.misc.cn_min_ttl", setter: fld_set}]}, - "cn_minpcktlen": {to:[{field: "rsa.misc.cn_minpcktlen", setter: fld_set}]}, - "cn_mpls_lbl_1": {to:[{field: "rsa.misc.cn_mpls_lbl_1", setter: fld_set}]}, - "cn_mpls_lbl_10": {to:[{field: "rsa.misc.cn_mpls_lbl_10", setter: fld_set}]}, - "cn_mpls_lbl_2": {to:[{field: "rsa.misc.cn_mpls_lbl_2", setter: fld_set}]}, - "cn_mpls_lbl_3": {to:[{field: "rsa.misc.cn_mpls_lbl_3", setter: fld_set}]}, - "cn_mpls_lbl_4": {to:[{field: "rsa.misc.cn_mpls_lbl_4", setter: fld_set}]}, - "cn_mpls_lbl_5": {to:[{field: "rsa.misc.cn_mpls_lbl_5", setter: fld_set}]}, - "cn_mpls_lbl_6": {to:[{field: "rsa.misc.cn_mpls_lbl_6", setter: fld_set}]}, - "cn_mpls_lbl_7": {to:[{field: "rsa.misc.cn_mpls_lbl_7", setter: fld_set}]}, - "cn_mpls_lbl_8": {to:[{field: "rsa.misc.cn_mpls_lbl_8", setter: fld_set}]}, - "cn_mpls_lbl_9": {to:[{field: "rsa.misc.cn_mpls_lbl_9", setter: fld_set}]}, - "cn_mplstoplabel": {to:[{field: "rsa.misc.cn_mplstoplabel", setter: fld_set}]}, - "cn_mplstoplabip": {to:[{field: "rsa.misc.cn_mplstoplabip", setter: fld_set}]}, - "cn_mul_dst_byt": {to:[{field: "rsa.misc.cn_mul_dst_byt", setter: fld_set}]}, - "cn_mul_dst_pks": {to:[{field: "rsa.misc.cn_mul_dst_pks", setter: fld_set}]}, - "cn_muligmptype": {to:[{field: "rsa.misc.cn_muligmptype", setter: fld_set}]}, - "cn_rpackets": {to:[{field: "rsa.web.cn_rpackets", setter: fld_set}]}, - "cn_sampalgo": {to:[{field: "rsa.misc.cn_sampalgo", setter: fld_set}]}, - "cn_sampint": {to:[{field: "rsa.misc.cn_sampint", setter: fld_set}]}, - "cn_seqctr": {to:[{field: "rsa.misc.cn_seqctr", setter: fld_set}]}, - "cn_spackets": {to:[{field: "rsa.misc.cn_spackets", setter: fld_set}]}, - "cn_src_tos": {to:[{field: 
"rsa.misc.cn_src_tos", setter: fld_set}]}, - "cn_src_vlan": {to:[{field: "rsa.misc.cn_src_vlan", setter: fld_set}]}, - "cn_sysuptime": {to:[{field: "rsa.misc.cn_sysuptime", setter: fld_set}]}, - "cn_template_id": {to:[{field: "rsa.misc.cn_template_id", setter: fld_set}]}, - "cn_totbytsexp": {to:[{field: "rsa.misc.cn_totbytsexp", setter: fld_set}]}, - "cn_totflowexp": {to:[{field: "rsa.misc.cn_totflowexp", setter: fld_set}]}, - "cn_totpcktsexp": {to:[{field: "rsa.misc.cn_totpcktsexp", setter: fld_set}]}, - "cn_unixnanosecs": {to:[{field: "rsa.misc.cn_unixnanosecs", setter: fld_set}]}, - "cn_v6flowlabel": {to:[{field: "rsa.misc.cn_v6flowlabel", setter: fld_set}]}, - "cn_v6optheaders": {to:[{field: "rsa.misc.cn_v6optheaders", setter: fld_set}]}, - "code": {to:[{field: "rsa.misc.code", setter: fld_set}]}, - "command": {to:[{field: "rsa.misc.command", setter: fld_set}]}, - "comments": {to:[{field: "rsa.misc.comments", setter: fld_set}]}, - "comp_class": {to:[{field: "rsa.misc.comp_class", setter: fld_set}]}, - "comp_name": {to:[{field: "rsa.misc.comp_name", setter: fld_set}]}, - "comp_rbytes": {to:[{field: "rsa.misc.comp_rbytes", setter: fld_set}]}, - "comp_sbytes": {to:[{field: "rsa.misc.comp_sbytes", setter: fld_set}]}, - "component_version": {to:[{field: "rsa.misc.comp_version", setter: fld_set}]}, - "connection_id": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 1}]}, - "connectionid": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 0}]}, - "content": {to:[{field: "rsa.misc.content", setter: fld_set}]}, - "content_type": {to:[{field: "rsa.misc.content_type", setter: fld_set}]}, - "content_version": {to:[{field: "rsa.misc.content_version", setter: fld_set}]}, - "context": {to:[{field: "rsa.misc.context", setter: fld_set}]}, - "count": {to:[{field: "rsa.misc.count", setter: fld_set}]}, - "cpu": {convert: to_long, to:[{field: "rsa.misc.cpu", setter: fld_set}]}, - "cpu_data": {to:[{field: "rsa.misc.cpu_data", setter: fld_set}]}, - 
"criticality": {to:[{field: "rsa.misc.criticality", setter: fld_set}]}, - "cs_agency_dst": {to:[{field: "rsa.misc.cs_agency_dst", setter: fld_set}]}, - "cs_analyzedby": {to:[{field: "rsa.misc.cs_analyzedby", setter: fld_set}]}, - "cs_av_other": {to:[{field: "rsa.misc.cs_av_other", setter: fld_set}]}, - "cs_av_primary": {to:[{field: "rsa.misc.cs_av_primary", setter: fld_set}]}, - "cs_av_secondary": {to:[{field: "rsa.misc.cs_av_secondary", setter: fld_set}]}, - "cs_bgpv6nxthop": {to:[{field: "rsa.misc.cs_bgpv6nxthop", setter: fld_set}]}, - "cs_bit9status": {to:[{field: "rsa.misc.cs_bit9status", setter: fld_set}]}, - "cs_context": {to:[{field: "rsa.misc.cs_context", setter: fld_set}]}, - "cs_control": {to:[{field: "rsa.misc.cs_control", setter: fld_set}]}, - "cs_data": {to:[{field: "rsa.misc.cs_data", setter: fld_set}]}, - "cs_datecret": {to:[{field: "rsa.misc.cs_datecret", setter: fld_set}]}, - "cs_dst_tld": {to:[{field: "rsa.misc.cs_dst_tld", setter: fld_set}]}, - "cs_eth_dst_ven": {to:[{field: "rsa.misc.cs_eth_dst_ven", setter: fld_set}]}, - "cs_eth_src_ven": {to:[{field: "rsa.misc.cs_eth_src_ven", setter: fld_set}]}, - "cs_event_uuid": {to:[{field: "rsa.misc.cs_event_uuid", setter: fld_set}]}, - "cs_filetype": {to:[{field: "rsa.misc.cs_filetype", setter: fld_set}]}, - "cs_fld": {to:[{field: "rsa.misc.cs_fld", setter: fld_set}]}, - "cs_if_desc": {to:[{field: "rsa.misc.cs_if_desc", setter: fld_set}]}, - "cs_if_name": {to:[{field: "rsa.misc.cs_if_name", setter: fld_set}]}, - "cs_ip_next_hop": {to:[{field: "rsa.misc.cs_ip_next_hop", setter: fld_set}]}, - "cs_ipv4dstpre": {to:[{field: "rsa.misc.cs_ipv4dstpre", setter: fld_set}]}, - "cs_ipv4srcpre": {to:[{field: "rsa.misc.cs_ipv4srcpre", setter: fld_set}]}, - "cs_lifetime": {to:[{field: "rsa.misc.cs_lifetime", setter: fld_set}]}, - "cs_log_medium": {to:[{field: "rsa.misc.cs_log_medium", setter: fld_set}]}, - "cs_loginname": {to:[{field: "rsa.misc.cs_loginname", setter: fld_set}]}, - "cs_modulescore": {to:[{field: 
"rsa.misc.cs_modulescore", setter: fld_set}]}, - "cs_modulesign": {to:[{field: "rsa.misc.cs_modulesign", setter: fld_set}]}, - "cs_opswatresult": {to:[{field: "rsa.misc.cs_opswatresult", setter: fld_set}]}, - "cs_payload": {to:[{field: "rsa.misc.cs_payload", setter: fld_set}]}, - "cs_registrant": {to:[{field: "rsa.misc.cs_registrant", setter: fld_set}]}, - "cs_registrar": {to:[{field: "rsa.misc.cs_registrar", setter: fld_set}]}, - "cs_represult": {to:[{field: "rsa.misc.cs_represult", setter: fld_set}]}, - "cs_rpayload": {to:[{field: "rsa.misc.cs_rpayload", setter: fld_set}]}, - "cs_sampler_name": {to:[{field: "rsa.misc.cs_sampler_name", setter: fld_set}]}, - "cs_sourcemodule": {to:[{field: "rsa.misc.cs_sourcemodule", setter: fld_set}]}, - "cs_streams": {to:[{field: "rsa.misc.cs_streams", setter: fld_set}]}, - "cs_targetmodule": {to:[{field: "rsa.misc.cs_targetmodule", setter: fld_set}]}, - "cs_v6nxthop": {to:[{field: "rsa.misc.cs_v6nxthop", setter: fld_set}]}, - "cs_whois_server": {to:[{field: "rsa.misc.cs_whois_server", setter: fld_set}]}, - "cs_yararesult": {to:[{field: "rsa.misc.cs_yararesult", setter: fld_set}]}, - "cve": {to:[{field: "rsa.misc.cve", setter: fld_set}]}, - "d_certauth": {to:[{field: "rsa.crypto.d_certauth", setter: fld_set}]}, - "d_cipher": {to:[{field: "rsa.crypto.cipher_dst", setter: fld_set}]}, - "d_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_dst", setter: fld_set}]}, - "d_sslver": {to:[{field: "rsa.crypto.ssl_ver_dst", setter: fld_set}]}, - "data": {to:[{field: "rsa.internal.data", setter: fld_set}]}, - "data_type": {to:[{field: "rsa.misc.data_type", setter: fld_set}]}, - "date": {to:[{field: "rsa.time.date", setter: fld_set}]}, - "datetime": {to:[{field: "rsa.time.datetime", setter: fld_set}]}, - "day": {to:[{field: "rsa.time.day", setter: fld_set}]}, - "db_id": {to:[{field: "rsa.db.db_id", setter: fld_set}]}, - "db_name": {to:[{field: "rsa.db.database", setter: fld_set}]}, - "db_pid": {convert: to_long, to:[{field: 
"rsa.db.db_pid", setter: fld_set}]}, - "dclass_counter1": {convert: to_long, to:[{field: "rsa.counters.dclass_c1", setter: fld_set}]}, - "dclass_counter1_string": {to:[{field: "rsa.counters.dclass_c1_str", setter: fld_set}]}, - "dclass_counter2": {convert: to_long, to:[{field: "rsa.counters.dclass_c2", setter: fld_set}]}, - "dclass_counter2_string": {to:[{field: "rsa.counters.dclass_c2_str", setter: fld_set}]}, - "dclass_counter3": {convert: to_long, to:[{field: "rsa.counters.dclass_c3", setter: fld_set}]}, - "dclass_counter3_string": {to:[{field: "rsa.counters.dclass_c3_str", setter: fld_set}]}, - "dclass_ratio1": {to:[{field: "rsa.counters.dclass_r1", setter: fld_set}]}, - "dclass_ratio1_string": {to:[{field: "rsa.counters.dclass_r1_str", setter: fld_set}]}, - "dclass_ratio2": {to:[{field: "rsa.counters.dclass_r2", setter: fld_set}]}, - "dclass_ratio2_string": {to:[{field: "rsa.counters.dclass_r2_str", setter: fld_set}]}, - "dclass_ratio3": {to:[{field: "rsa.counters.dclass_r3", setter: fld_set}]}, - "dclass_ratio3_string": {to:[{field: "rsa.counters.dclass_r3_str", setter: fld_set}]}, - "dead": {convert: to_long, to:[{field: "rsa.internal.dead", setter: fld_set}]}, - "description": {to:[{field: "rsa.misc.description", setter: fld_set}]}, - "detail": {to:[{field: "rsa.misc.event_desc", setter: fld_set}]}, - "device": {to:[{field: "rsa.misc.device_name", setter: fld_set}]}, - "device.class": {to:[{field: "rsa.internal.device_class", setter: fld_set}]}, - "device.group": {to:[{field: "rsa.internal.device_group", setter: fld_set}]}, - "device.host": {to:[{field: "rsa.internal.device_host", setter: fld_set}]}, - "device.ip": {convert: to_ip, to:[{field: "rsa.internal.device_ip", setter: fld_set}]}, - "device.ipv6": {convert: to_ip, to:[{field: "rsa.internal.device_ipv6", setter: fld_set}]}, - "device.type": {to:[{field: "rsa.internal.device_type", setter: fld_set}]}, - "device.type.id": {convert: to_long, to:[{field: "rsa.internal.device_type_id", setter: fld_set}]}, 
- "devicehostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "devvendor": {to:[{field: "rsa.misc.devvendor", setter: fld_set}]}, - "dhost": {to:[{field: "rsa.network.host_dst", setter: fld_set}]}, - "did": {to:[{field: "rsa.internal.did", setter: fld_set}]}, - "dinterface": {to:[{field: "rsa.network.dinterface", setter: fld_set}]}, - "directory.dst": {to:[{field: "rsa.file.directory_dst", setter: fld_set}]}, - "directory.src": {to:[{field: "rsa.file.directory_src", setter: fld_set}]}, - "disk_volume": {to:[{field: "rsa.storage.disk_volume", setter: fld_set}]}, - "disposition": {to:[{field: "rsa.misc.disposition", setter: fld_set}]}, - "distance": {to:[{field: "rsa.misc.distance", setter: fld_set}]}, - "dmask": {to:[{field: "rsa.network.dmask", setter: fld_set}]}, - "dn": {to:[{field: "rsa.identity.dn", setter: fld_set}]}, - "dns_a_record": {to:[{field: "rsa.network.dns_a_record", setter: fld_set}]}, - "dns_cname_record": {to:[{field: "rsa.network.dns_cname_record", setter: fld_set}]}, - "dns_id": {to:[{field: "rsa.network.dns_id", setter: fld_set}]}, - "dns_opcode": {to:[{field: "rsa.network.dns_opcode", setter: fld_set}]}, - "dns_ptr_record": {to:[{field: "rsa.network.dns_ptr_record", setter: fld_set}]}, - "dns_resp": {to:[{field: "rsa.network.dns_resp", setter: fld_set}]}, - "dns_type": {to:[{field: "rsa.network.dns_type", setter: fld_set}]}, - "doc_number": {convert: to_long, to:[{field: "rsa.misc.doc_number", setter: fld_set}]}, - "domain": {to:[{field: "rsa.network.domain", setter: fld_set}]}, - "domain1": {to:[{field: "rsa.network.domain1", setter: fld_set}]}, - "dst_dn": {to:[{field: "rsa.identity.dn_dst", setter: fld_set}]}, - "dst_payload": {to:[{field: "rsa.misc.payload_dst", setter: fld_set}]}, - "dst_spi": {to:[{field: "rsa.misc.spi_dst", setter: fld_set}]}, - "dst_zone": {to:[{field: "rsa.network.zone_dst", setter: fld_set}]}, - "dstburb": {to:[{field: "rsa.misc.dstburb", setter: fld_set}]}, - "duration": {convert: to_double, 
to:[{field: "rsa.time.duration_time", setter: fld_set}]}, - "duration_string": {to:[{field: "rsa.time.duration_str", setter: fld_set}]}, - "ec_activity": {to:[{field: "rsa.investigations.ec_activity", setter: fld_set}]}, - "ec_outcome": {to:[{field: "rsa.investigations.ec_outcome", setter: fld_set}]}, - "ec_subject": {to:[{field: "rsa.investigations.ec_subject", setter: fld_set}]}, - "ec_theme": {to:[{field: "rsa.investigations.ec_theme", setter: fld_set}]}, - "edomain": {to:[{field: "rsa.misc.edomain", setter: fld_set}]}, - "edomaub": {to:[{field: "rsa.misc.edomaub", setter: fld_set}]}, - "effective_time": {convert: to_date, to:[{field: "rsa.time.effective_time", setter: fld_set}]}, - "ein.number": {convert: to_long, to:[{field: "rsa.misc.ein_number", setter: fld_set}]}, - "email": {to:[{field: "rsa.email.email", setter: fld_append}]}, - "encryption_type": {to:[{field: "rsa.crypto.crypto", setter: fld_set}]}, - "endtime": {convert: to_date, to:[{field: "rsa.time.endtime", setter: fld_set}]}, - "entropy.req": {convert: to_long, to:[{field: "rsa.internal.entropy_req", setter: fld_set}]}, - "entropy.res": {convert: to_long, to:[{field: "rsa.internal.entropy_res", setter: fld_set}]}, - "entry": {to:[{field: "rsa.internal.entry", setter: fld_set}]}, - "eoc": {to:[{field: "rsa.investigations.eoc", setter: fld_set}]}, - "error": {to:[{field: "rsa.misc.error", setter: fld_set}]}, - "eth_type": {convert: to_long, to:[{field: "rsa.network.eth_type", setter: fld_set}]}, - "euid": {to:[{field: "rsa.misc.euid", setter: fld_set}]}, - "event.cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 1}]}, - "event.cat.name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 1}]}, - "event_cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 0}]}, - "event_cat_name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 0}]}, - "event_category": {to:[{field: 
"rsa.misc.event_category", setter: fld_set}]}, - "event_computer": {to:[{field: "rsa.misc.event_computer", setter: fld_set}]}, - "event_counter": {convert: to_long, to:[{field: "rsa.counters.event_counter", setter: fld_set}]}, - "event_description": {to:[{field: "rsa.internal.event_desc", setter: fld_set}]}, - "event_id": {to:[{field: "rsa.misc.event_id", setter: fld_set}]}, - "event_log": {to:[{field: "rsa.misc.event_log", setter: fld_set}]}, - "event_name": {to:[{field: "rsa.internal.event_name", setter: fld_set}]}, - "event_queue_time": {convert: to_date, to:[{field: "rsa.time.event_queue_time", setter: fld_set}]}, - "event_source": {to:[{field: "rsa.misc.event_source", setter: fld_set}]}, - "event_state": {to:[{field: "rsa.misc.event_state", setter: fld_set}]}, - "event_time": {convert: to_date, to:[{field: "rsa.time.event_time", setter: fld_set}]}, - "event_time_str": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 1}]}, - "event_time_string": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 0}]}, - "event_type": {to:[{field: "rsa.misc.event_type", setter: fld_set}]}, - "event_user": {to:[{field: "rsa.misc.event_user", setter: fld_set}]}, - "eventtime": {to:[{field: "rsa.time.eventtime", setter: fld_set}]}, - "expected_val": {to:[{field: "rsa.misc.expected_val", setter: fld_set}]}, - "expiration_time": {convert: to_date, to:[{field: "rsa.time.expire_time", setter: fld_set}]}, - "expiration_time_string": {to:[{field: "rsa.time.expire_time_str", setter: fld_set}]}, - "facility": {to:[{field: "rsa.misc.facility", setter: fld_set}]}, - "facilityname": {to:[{field: "rsa.misc.facilityname", setter: fld_set}]}, - "faddr": {to:[{field: "rsa.network.faddr", setter: fld_set}]}, - "fcatnum": {to:[{field: "rsa.misc.fcatnum", setter: fld_set}]}, - "federated_idp": {to:[{field: "rsa.identity.federated_idp", setter: fld_set}]}, - "federated_sp": {to:[{field: "rsa.identity.federated_sp", setter: fld_set}]}, - "feed.category": {to:[{field: 
"rsa.internal.feed_category", setter: fld_set}]}, - "feed_desc": {to:[{field: "rsa.internal.feed_desc", setter: fld_set}]}, - "feed_name": {to:[{field: "rsa.internal.feed_name", setter: fld_set}]}, - "fhost": {to:[{field: "rsa.network.fhost", setter: fld_set}]}, - "file_entropy": {convert: to_double, to:[{field: "rsa.file.file_entropy", setter: fld_set}]}, - "file_vendor": {to:[{field: "rsa.file.file_vendor", setter: fld_set}]}, - "filename_dst": {to:[{field: "rsa.file.filename_dst", setter: fld_set}]}, - "filename_src": {to:[{field: "rsa.file.filename_src", setter: fld_set}]}, - "filename_tmp": {to:[{field: "rsa.file.filename_tmp", setter: fld_set}]}, - "filesystem": {to:[{field: "rsa.file.filesystem", setter: fld_set}]}, - "filter": {to:[{field: "rsa.misc.filter", setter: fld_set}]}, - "finterface": {to:[{field: "rsa.misc.finterface", setter: fld_set}]}, - "flags": {to:[{field: "rsa.misc.flags", setter: fld_set}]}, - "forensic_info": {to:[{field: "rsa.misc.forensic_info", setter: fld_set}]}, - "forward.ip": {convert: to_ip, to:[{field: "rsa.internal.forward_ip", setter: fld_set}]}, - "forward.ipv6": {convert: to_ip, to:[{field: "rsa.internal.forward_ipv6", setter: fld_set}]}, - "found": {to:[{field: "rsa.misc.found", setter: fld_set}]}, - "fport": {to:[{field: "rsa.network.fport", setter: fld_set}]}, - "fqdn": {to:[{field: "rsa.web.fqdn", setter: fld_set}]}, - "fresult": {convert: to_long, to:[{field: "rsa.misc.fresult", setter: fld_set}]}, - "from": {to:[{field: "rsa.email.email_src", setter: fld_set}]}, - "gaddr": {to:[{field: "rsa.misc.gaddr", setter: fld_set}]}, - "gateway": {to:[{field: "rsa.network.gateway", setter: fld_set}]}, - "gmtdate": {to:[{field: "rsa.time.gmtdate", setter: fld_set}]}, - "gmttime": {to:[{field: "rsa.time.gmttime", setter: fld_set}]}, - "group": {to:[{field: "rsa.misc.group", setter: fld_set}]}, - "group_object": {to:[{field: "rsa.misc.group_object", setter: fld_set}]}, - "groupid": {to:[{field: "rsa.misc.group_id", setter: 
fld_set}]}, - "h_code": {to:[{field: "rsa.internal.hcode", setter: fld_set}]}, - "hardware_id": {to:[{field: "rsa.misc.hardware_id", setter: fld_set}]}, - "header.id": {to:[{field: "rsa.internal.header_id", setter: fld_set}]}, - "host.orig": {to:[{field: "rsa.network.host_orig", setter: fld_set}]}, - "host.state": {to:[{field: "rsa.endpoint.host_state", setter: fld_set}]}, - "host.type": {to:[{field: "rsa.network.host_type", setter: fld_set}]}, - "host_role": {to:[{field: "rsa.identity.host_role", setter: fld_set}]}, - "hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "hostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "hour": {to:[{field: "rsa.time.hour", setter: fld_set}]}, - "https.insact": {to:[{field: "rsa.crypto.https_insact", setter: fld_set}]}, - "https.valid": {to:[{field: "rsa.crypto.https_valid", setter: fld_set}]}, - "icmpcode": {convert: to_long, to:[{field: "rsa.network.icmp_code", setter: fld_set}]}, - "icmptype": {convert: to_long, to:[{field: "rsa.network.icmp_type", setter: fld_set}]}, - "id": {to:[{field: "rsa.misc.reference_id", setter: fld_set}]}, - "id1": {to:[{field: "rsa.misc.reference_id1", setter: fld_set}]}, - "id2": {to:[{field: "rsa.misc.reference_id2", setter: fld_set}]}, - "id3": {to:[{field: "rsa.misc.id3", setter: fld_set}]}, - "ike": {to:[{field: "rsa.crypto.ike", setter: fld_set}]}, - "ike_cookie1": {to:[{field: "rsa.crypto.ike_cookie1", setter: fld_set}]}, - "ike_cookie2": {to:[{field: "rsa.crypto.ike_cookie2", setter: fld_set}]}, - "im_buddyid": {to:[{field: "rsa.misc.im_buddyid", setter: fld_set}]}, - "im_buddyname": {to:[{field: "rsa.misc.im_buddyname", setter: fld_set}]}, - "im_client": {to:[{field: "rsa.misc.im_client", setter: fld_set}]}, - "im_croomid": {to:[{field: "rsa.misc.im_croomid", setter: fld_set}]}, - "im_croomtype": {to:[{field: "rsa.misc.im_croomtype", setter: fld_set}]}, - "im_members": {to:[{field: "rsa.misc.im_members", setter: fld_set}]}, - "im_userid": 
{to:[{field: "rsa.misc.im_userid", setter: fld_set}]}, - "im_username": {to:[{field: "rsa.misc.im_username", setter: fld_set}]}, - "index": {to:[{field: "rsa.misc.index", setter: fld_set}]}, - "info": {to:[{field: "rsa.db.index", setter: fld_set}]}, - "inode": {convert: to_long, to:[{field: "rsa.internal.inode", setter: fld_set}]}, - "inout": {to:[{field: "rsa.misc.inout", setter: fld_set}]}, - "instance": {to:[{field: "rsa.db.instance", setter: fld_set}]}, - "interface": {to:[{field: "rsa.network.interface", setter: fld_set}]}, - "inv.category": {to:[{field: "rsa.investigations.inv_category", setter: fld_set}]}, - "inv.context": {to:[{field: "rsa.investigations.inv_context", setter: fld_set}]}, - "ioc": {to:[{field: "rsa.investigations.ioc", setter: fld_set}]}, - "ip_proto": {convert: to_long, to:[{field: "rsa.network.ip_proto", setter: fld_set}]}, - "ipkt": {to:[{field: "rsa.misc.ipkt", setter: fld_set}]}, - "ipscat": {to:[{field: "rsa.misc.ipscat", setter: fld_set}]}, - "ipspri": {to:[{field: "rsa.misc.ipspri", setter: fld_set}]}, - "jobname": {to:[{field: "rsa.misc.jobname", setter: fld_set}]}, - "jobnum": {to:[{field: "rsa.misc.job_num", setter: fld_set}]}, - "laddr": {to:[{field: "rsa.network.laddr", setter: fld_set}]}, - "language": {to:[{field: "rsa.misc.language", setter: fld_set}]}, - "latitude": {to:[{field: "rsa.misc.latitude", setter: fld_set}]}, - "lc.cid": {to:[{field: "rsa.internal.lc_cid", setter: fld_set}]}, - "lc.ctime": {convert: to_date, to:[{field: "rsa.internal.lc_ctime", setter: fld_set}]}, - "ldap": {to:[{field: "rsa.identity.ldap", setter: fld_set}]}, - "ldap.query": {to:[{field: "rsa.identity.ldap_query", setter: fld_set}]}, - "ldap.response": {to:[{field: "rsa.identity.ldap_response", setter: fld_set}]}, - "level": {convert: to_long, to:[{field: "rsa.internal.level", setter: fld_set}]}, - "lhost": {to:[{field: "rsa.network.lhost", setter: fld_set}]}, - "library": {to:[{field: "rsa.misc.library", setter: fld_set}]}, - "lifetime": 
{convert: to_long, to:[{field: "rsa.misc.lifetime", setter: fld_set}]}, - "linenum": {to:[{field: "rsa.misc.linenum", setter: fld_set}]}, - "link": {to:[{field: "rsa.misc.link", setter: fld_set}]}, - "linterface": {to:[{field: "rsa.network.linterface", setter: fld_set}]}, - "list_name": {to:[{field: "rsa.misc.list_name", setter: fld_set}]}, - "listnum": {to:[{field: "rsa.misc.listnum", setter: fld_set}]}, - "load_data": {to:[{field: "rsa.misc.load_data", setter: fld_set}]}, - "location_floor": {to:[{field: "rsa.misc.location_floor", setter: fld_set}]}, - "location_mark": {to:[{field: "rsa.misc.location_mark", setter: fld_set}]}, - "log_id": {to:[{field: "rsa.misc.log_id", setter: fld_set}]}, - "log_type": {to:[{field: "rsa.misc.log_type", setter: fld_set}]}, - "logid": {to:[{field: "rsa.misc.logid", setter: fld_set}]}, - "logip": {to:[{field: "rsa.misc.logip", setter: fld_set}]}, - "logname": {to:[{field: "rsa.misc.logname", setter: fld_set}]}, - "logon_type": {to:[{field: "rsa.identity.logon_type", setter: fld_set}]}, - "logon_type_desc": {to:[{field: "rsa.identity.logon_type_desc", setter: fld_set}]}, - "longitude": {to:[{field: "rsa.misc.longitude", setter: fld_set}]}, - "lport": {to:[{field: "rsa.misc.lport", setter: fld_set}]}, - "lread": {convert: to_long, to:[{field: "rsa.db.lread", setter: fld_set}]}, - "lun": {to:[{field: "rsa.storage.lun", setter: fld_set}]}, - "lwrite": {convert: to_long, to:[{field: "rsa.db.lwrite", setter: fld_set}]}, - "macaddr": {convert: to_mac, to:[{field: "rsa.network.eth_host", setter: fld_set}]}, - "mail_id": {to:[{field: "rsa.misc.mail_id", setter: fld_set}]}, - "mask": {to:[{field: "rsa.network.mask", setter: fld_set}]}, - "match": {to:[{field: "rsa.misc.match", setter: fld_set}]}, - "mbug_data": {to:[{field: "rsa.misc.mbug_data", setter: fld_set}]}, - "mcb.req": {convert: to_long, to:[{field: "rsa.internal.mcb_req", setter: fld_set}]}, - "mcb.res": {convert: to_long, to:[{field: "rsa.internal.mcb_res", setter: fld_set}]}, - 
"mcbc.req": {convert: to_long, to:[{field: "rsa.internal.mcbc_req", setter: fld_set}]}, - "mcbc.res": {convert: to_long, to:[{field: "rsa.internal.mcbc_res", setter: fld_set}]}, - "medium": {convert: to_long, to:[{field: "rsa.internal.medium", setter: fld_set}]}, - "message": {to:[{field: "rsa.internal.message", setter: fld_set}]}, - "message_body": {to:[{field: "rsa.misc.message_body", setter: fld_set}]}, - "messageid": {to:[{field: "rsa.internal.messageid", setter: fld_set}]}, - "min": {to:[{field: "rsa.time.min", setter: fld_set}]}, - "misc": {to:[{field: "rsa.misc.misc", setter: fld_set}]}, - "misc_name": {to:[{field: "rsa.misc.misc_name", setter: fld_set}]}, - "mode": {to:[{field: "rsa.misc.mode", setter: fld_set}]}, - "month": {to:[{field: "rsa.time.month", setter: fld_set}]}, - "msg": {to:[{field: "rsa.internal.msg", setter: fld_set}]}, - "msgIdPart1": {to:[{field: "rsa.misc.msgIdPart1", setter: fld_set}]}, - "msgIdPart2": {to:[{field: "rsa.misc.msgIdPart2", setter: fld_set}]}, - "msgIdPart3": {to:[{field: "rsa.misc.msgIdPart3", setter: fld_set}]}, - "msgIdPart4": {to:[{field: "rsa.misc.msgIdPart4", setter: fld_set}]}, - "msg_id": {to:[{field: "rsa.internal.msg_id", setter: fld_set}]}, - "msg_type": {to:[{field: "rsa.misc.msg_type", setter: fld_set}]}, - "msgid": {to:[{field: "rsa.misc.msgid", setter: fld_set}]}, - "name": {to:[{field: "rsa.misc.name", setter: fld_set}]}, - "netname": {to:[{field: "rsa.network.netname", setter: fld_set}]}, - "netsessid": {to:[{field: "rsa.misc.netsessid", setter: fld_set}]}, - "network_port": {convert: to_long, to:[{field: "rsa.network.network_port", setter: fld_set}]}, - "network_service": {to:[{field: "rsa.network.network_service", setter: fld_set}]}, - "node": {to:[{field: "rsa.misc.node", setter: fld_set}]}, - "nodename": {to:[{field: "rsa.internal.node_name", setter: fld_set}]}, - "ntype": {to:[{field: "rsa.misc.ntype", setter: fld_set}]}, - "num": {to:[{field: "rsa.misc.num", setter: fld_set}]}, - "number": 
{to:[{field: "rsa.misc.number", setter: fld_set}]}, - "number1": {to:[{field: "rsa.misc.number1", setter: fld_set}]}, - "number2": {to:[{field: "rsa.misc.number2", setter: fld_set}]}, - "nwe.callback_id": {to:[{field: "rsa.internal.nwe_callback_id", setter: fld_set}]}, - "nwwn": {to:[{field: "rsa.misc.nwwn", setter: fld_set}]}, - "obj_id": {to:[{field: "rsa.internal.obj_id", setter: fld_set}]}, - "obj_name": {to:[{field: "rsa.misc.obj_name", setter: fld_set}]}, - "obj_server": {to:[{field: "rsa.internal.obj_server", setter: fld_set}]}, - "obj_type": {to:[{field: "rsa.misc.obj_type", setter: fld_set}]}, - "obj_value": {to:[{field: "rsa.internal.obj_val", setter: fld_set}]}, - "object": {to:[{field: "rsa.misc.object", setter: fld_set}]}, - "observed_val": {to:[{field: "rsa.misc.observed_val", setter: fld_set}]}, - "operation": {to:[{field: "rsa.misc.operation", setter: fld_set}]}, - "operation_id": {to:[{field: "rsa.misc.operation_id", setter: fld_set}]}, - "opkt": {to:[{field: "rsa.misc.opkt", setter: fld_set}]}, - "org.dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 1}]}, - "org.src": {to:[{field: "rsa.physical.org_src", setter: fld_set}]}, - "org_dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 0}]}, - "orig_from": {to:[{field: "rsa.misc.orig_from", setter: fld_set}]}, - "origin": {to:[{field: "rsa.network.origin", setter: fld_set}]}, - "original_owner": {to:[{field: "rsa.identity.owner", setter: fld_set}]}, - "os": {to:[{field: "rsa.misc.OS", setter: fld_set}]}, - "owner_id": {to:[{field: "rsa.misc.owner_id", setter: fld_set}]}, - "p_action": {to:[{field: "rsa.misc.p_action", setter: fld_set}]}, - "p_date": {to:[{field: "rsa.time.p_date", setter: fld_set}]}, - "p_filter": {to:[{field: "rsa.misc.p_filter", setter: fld_set}]}, - "p_group_object": {to:[{field: "rsa.misc.p_group_object", setter: fld_set}]}, - "p_id": {to:[{field: "rsa.misc.p_id", setter: fld_set}]}, - "p_month": {to:[{field: "rsa.time.p_month", setter: fld_set}]}, 
- "p_msgid": {to:[{field: "rsa.misc.p_msgid", setter: fld_set}]}, - "p_msgid1": {to:[{field: "rsa.misc.p_msgid1", setter: fld_set}]}, - "p_msgid2": {to:[{field: "rsa.misc.p_msgid2", setter: fld_set}]}, - "p_result1": {to:[{field: "rsa.misc.p_result1", setter: fld_set}]}, - "p_time": {to:[{field: "rsa.time.p_time", setter: fld_set}]}, - "p_time1": {to:[{field: "rsa.time.p_time1", setter: fld_set}]}, - "p_time2": {to:[{field: "rsa.time.p_time2", setter: fld_set}]}, - "p_url": {to:[{field: "rsa.web.p_url", setter: fld_set}]}, - "p_user_agent": {to:[{field: "rsa.web.p_user_agent", setter: fld_set}]}, - "p_web_cookie": {to:[{field: "rsa.web.p_web_cookie", setter: fld_set}]}, - "p_web_method": {to:[{field: "rsa.web.p_web_method", setter: fld_set}]}, - "p_web_referer": {to:[{field: "rsa.web.p_web_referer", setter: fld_set}]}, - "p_year": {to:[{field: "rsa.time.p_year", setter: fld_set}]}, - "packet_length": {to:[{field: "rsa.network.packet_length", setter: fld_set}]}, - "paddr": {convert: to_ip, to:[{field: "rsa.network.paddr", setter: fld_set}]}, - "param": {to:[{field: "rsa.misc.param", setter: fld_set}]}, - "param.dst": {to:[{field: "rsa.misc.param_dst", setter: fld_set}]}, - "param.src": {to:[{field: "rsa.misc.param_src", setter: fld_set}]}, - "parent_node": {to:[{field: "rsa.misc.parent_node", setter: fld_set}]}, - "parse.error": {to:[{field: "rsa.internal.parse_error", setter: fld_set}]}, - "password": {to:[{field: "rsa.identity.password", setter: fld_set}]}, - "password_chg": {to:[{field: "rsa.misc.password_chg", setter: fld_set}]}, - "password_expire": {to:[{field: "rsa.misc.password_expire", setter: fld_set}]}, - "patient_fname": {to:[{field: "rsa.healthcare.patient_fname", setter: fld_set}]}, - "patient_id": {to:[{field: "rsa.healthcare.patient_id", setter: fld_set}]}, - "patient_lname": {to:[{field: "rsa.healthcare.patient_lname", setter: fld_set}]}, - "patient_mname": {to:[{field: "rsa.healthcare.patient_mname", setter: fld_set}]}, - "payload.req": {convert: 
to_long, to:[{field: "rsa.internal.payload_req", setter: fld_set}]}, - "payload.res": {convert: to_long, to:[{field: "rsa.internal.payload_res", setter: fld_set}]}, - "peer": {to:[{field: "rsa.crypto.peer", setter: fld_set}]}, - "peer_id": {to:[{field: "rsa.crypto.peer_id", setter: fld_set}]}, - "permgranted": {to:[{field: "rsa.misc.permgranted", setter: fld_set}]}, - "permissions": {to:[{field: "rsa.db.permissions", setter: fld_set}]}, - "permwanted": {to:[{field: "rsa.misc.permwanted", setter: fld_set}]}, - "pgid": {to:[{field: "rsa.misc.pgid", setter: fld_set}]}, - "phone_number": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 2}]}, - "phost": {to:[{field: "rsa.network.phost", setter: fld_set}]}, - "pid": {to:[{field: "rsa.misc.pid", setter: fld_set}]}, - "policy": {to:[{field: "rsa.misc.policy", setter: fld_set}]}, - "policyUUID": {to:[{field: "rsa.misc.policyUUID", setter: fld_set}]}, - "policy_id": {to:[{field: "rsa.misc.policy_id", setter: fld_set}]}, - "policy_value": {to:[{field: "rsa.misc.policy_value", setter: fld_set}]}, - "policy_waiver": {to:[{field: "rsa.misc.policy_waiver", setter: fld_set}]}, - "policyname": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 0}]}, - "pool_id": {to:[{field: "rsa.misc.pool_id", setter: fld_set}]}, - "pool_name": {to:[{field: "rsa.misc.pool_name", setter: fld_set}]}, - "port": {convert: to_long, to:[{field: "rsa.network.port", setter: fld_set}]}, - "portname": {to:[{field: "rsa.misc.port_name", setter: fld_set}]}, - "pread": {convert: to_long, to:[{field: "rsa.db.pread", setter: fld_set}]}, - "priority": {to:[{field: "rsa.misc.priority", setter: fld_set}]}, - "privilege": {to:[{field: "rsa.file.privilege", setter: fld_set}]}, - "process.vid.dst": {to:[{field: "rsa.internal.process_vid_dst", setter: fld_set}]}, - "process.vid.src": {to:[{field: "rsa.internal.process_vid_src", setter: fld_set}]}, - "process_id_val": {to:[{field: "rsa.misc.process_id_val", setter: fld_set}]}, - "processing_time": 
{to:[{field: "rsa.time.process_time", setter: fld_set}]}, - "profile": {to:[{field: "rsa.identity.profile", setter: fld_set}]}, - "prog_asp_num": {to:[{field: "rsa.misc.prog_asp_num", setter: fld_set}]}, - "program": {to:[{field: "rsa.misc.program", setter: fld_set}]}, - "protocol_detail": {to:[{field: "rsa.network.protocol_detail", setter: fld_set}]}, - "pwwn": {to:[{field: "rsa.storage.pwwn", setter: fld_set}]}, - "r_hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "real_data": {to:[{field: "rsa.misc.real_data", setter: fld_set}]}, - "realm": {to:[{field: "rsa.identity.realm", setter: fld_set}]}, - "reason": {to:[{field: "rsa.misc.reason", setter: fld_set}]}, - "rec_asp_device": {to:[{field: "rsa.misc.rec_asp_device", setter: fld_set}]}, - "rec_asp_num": {to:[{field: "rsa.misc.rec_asp_num", setter: fld_set}]}, - "rec_library": {to:[{field: "rsa.misc.rec_library", setter: fld_set}]}, - "recorded_time": {convert: to_date, to:[{field: "rsa.time.recorded_time", setter: fld_set}]}, - "recordnum": {to:[{field: "rsa.misc.recordnum", setter: fld_set}]}, - "registry.key": {to:[{field: "rsa.endpoint.registry_key", setter: fld_set}]}, - "registry.value": {to:[{field: "rsa.endpoint.registry_value", setter: fld_set}]}, - "remote_domain": {to:[{field: "rsa.web.remote_domain", setter: fld_set}]}, - "remote_domain_id": {to:[{field: "rsa.network.remote_domain_id", setter: fld_set}]}, - "reputation_num": {convert: to_double, to:[{field: "rsa.web.reputation_num", setter: fld_set}]}, - "resource": {to:[{field: "rsa.internal.resource", setter: fld_set}]}, - "resource_class": {to:[{field: "rsa.internal.resource_class", setter: fld_set}]}, - "result": {to:[{field: "rsa.misc.result", setter: fld_set}]}, - "result_code": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 1}]}, - "resultcode": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 0}]}, - "rid": {convert: to_long, to:[{field: "rsa.internal.rid", setter: fld_set}]}, - "risk": 
{to:[{field: "rsa.misc.risk", setter: fld_set}]}, - "risk_info": {to:[{field: "rsa.misc.risk_info", setter: fld_set}]}, - "risk_num": {convert: to_double, to:[{field: "rsa.misc.risk_num", setter: fld_set}]}, - "risk_num_comm": {convert: to_double, to:[{field: "rsa.misc.risk_num_comm", setter: fld_set}]}, - "risk_num_next": {convert: to_double, to:[{field: "rsa.misc.risk_num_next", setter: fld_set}]}, - "risk_num_sand": {convert: to_double, to:[{field: "rsa.misc.risk_num_sand", setter: fld_set}]}, - "risk_num_static": {convert: to_double, to:[{field: "rsa.misc.risk_num_static", setter: fld_set}]}, - "risk_suspicious": {to:[{field: "rsa.misc.risk_suspicious", setter: fld_set}]}, - "risk_warning": {to:[{field: "rsa.misc.risk_warning", setter: fld_set}]}, - "rpayload": {to:[{field: "rsa.network.rpayload", setter: fld_set}]}, - "ruid": {to:[{field: "rsa.misc.ruid", setter: fld_set}]}, - "rule": {to:[{field: "rsa.misc.rule", setter: fld_set}]}, - "rule_group": {to:[{field: "rsa.misc.rule_group", setter: fld_set}]}, - "rule_template": {to:[{field: "rsa.misc.rule_template", setter: fld_set}]}, - "rule_uid": {to:[{field: "rsa.misc.rule_uid", setter: fld_set}]}, - "rulename": {to:[{field: "rsa.misc.rule_name", setter: fld_set}]}, - "s_certauth": {to:[{field: "rsa.crypto.s_certauth", setter: fld_set}]}, - "s_cipher": {to:[{field: "rsa.crypto.cipher_src", setter: fld_set}]}, - "s_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_src", setter: fld_set}]}, - "s_context": {to:[{field: "rsa.misc.context_subject", setter: fld_set}]}, - "s_sslver": {to:[{field: "rsa.crypto.ssl_ver_src", setter: fld_set}]}, - "sburb": {to:[{field: "rsa.misc.sburb", setter: fld_set}]}, - "scheme": {to:[{field: "rsa.crypto.scheme", setter: fld_set}]}, - "sdomain_fld": {to:[{field: "rsa.misc.sdomain_fld", setter: fld_set}]}, - "search.text": {to:[{field: "rsa.misc.search_text", setter: fld_set}]}, - "sec": {to:[{field: "rsa.misc.sec", setter: fld_set}]}, - "second": {to:[{field: 
"rsa.misc.second", setter: fld_set}]}, - "sensor": {to:[{field: "rsa.misc.sensor", setter: fld_set}]}, - "sensorname": {to:[{field: "rsa.misc.sensorname", setter: fld_set}]}, - "seqnum": {to:[{field: "rsa.misc.seqnum", setter: fld_set}]}, - "serial_number": {to:[{field: "rsa.misc.serial_number", setter: fld_set}]}, - "service.account": {to:[{field: "rsa.identity.service_account", setter: fld_set}]}, - "session": {to:[{field: "rsa.misc.session", setter: fld_set}]}, - "session.split": {to:[{field: "rsa.internal.session_split", setter: fld_set}]}, - "sessionid": {to:[{field: "rsa.misc.log_session_id", setter: fld_set}]}, - "sessionid1": {to:[{field: "rsa.misc.log_session_id1", setter: fld_set}]}, - "sessiontype": {to:[{field: "rsa.misc.sessiontype", setter: fld_set}]}, - "severity": {to:[{field: "rsa.misc.severity", setter: fld_set}]}, - "sid": {to:[{field: "rsa.identity.user_sid_dst", setter: fld_set}]}, - "sig.name": {to:[{field: "rsa.misc.sig_name", setter: fld_set}]}, - "sigUUID": {to:[{field: "rsa.misc.sigUUID", setter: fld_set}]}, - "sigcat": {to:[{field: "rsa.misc.sigcat", setter: fld_set}]}, - "sigid": {convert: to_long, to:[{field: "rsa.misc.sig_id", setter: fld_set}]}, - "sigid1": {convert: to_long, to:[{field: "rsa.misc.sig_id1", setter: fld_set}]}, - "sigid_string": {to:[{field: "rsa.misc.sig_id_str", setter: fld_set}]}, - "signame": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 1}]}, - "sigtype": {to:[{field: "rsa.crypto.sig_type", setter: fld_set}]}, - "sinterface": {to:[{field: "rsa.network.sinterface", setter: fld_set}]}, - "site": {to:[{field: "rsa.internal.site", setter: fld_set}]}, - "size": {convert: to_long, to:[{field: "rsa.internal.size", setter: fld_set}]}, - "smask": {to:[{field: "rsa.network.smask", setter: fld_set}]}, - "snmp.oid": {to:[{field: "rsa.misc.snmp_oid", setter: fld_set}]}, - "snmp.value": {to:[{field: "rsa.misc.snmp_value", setter: fld_set}]}, - "sourcefile": {to:[{field: "rsa.internal.sourcefile", setter: 
fld_set}]}, - "space": {to:[{field: "rsa.misc.space", setter: fld_set}]}, - "space1": {to:[{field: "rsa.misc.space1", setter: fld_set}]}, - "spi": {to:[{field: "rsa.misc.spi", setter: fld_set}]}, - "sql": {to:[{field: "rsa.misc.sql", setter: fld_set}]}, - "src_dn": {to:[{field: "rsa.identity.dn_src", setter: fld_set}]}, - "src_payload": {to:[{field: "rsa.misc.payload_src", setter: fld_set}]}, - "src_spi": {to:[{field: "rsa.misc.spi_src", setter: fld_set}]}, - "src_zone": {to:[{field: "rsa.network.zone_src", setter: fld_set}]}, - "srcburb": {to:[{field: "rsa.misc.srcburb", setter: fld_set}]}, - "srcdom": {to:[{field: "rsa.misc.srcdom", setter: fld_set}]}, - "srcservice": {to:[{field: "rsa.misc.srcservice", setter: fld_set}]}, - "ssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 0}]}, - "stamp": {convert: to_date, to:[{field: "rsa.time.stamp", setter: fld_set}]}, - "starttime": {convert: to_date, to:[{field: "rsa.time.starttime", setter: fld_set}]}, - "state": {to:[{field: "rsa.misc.state", setter: fld_set}]}, - "statement": {to:[{field: "rsa.internal.statement", setter: fld_set}]}, - "status": {to:[{field: "rsa.misc.status", setter: fld_set}]}, - "status1": {to:[{field: "rsa.misc.status1", setter: fld_set}]}, - "streams": {convert: to_long, to:[{field: "rsa.misc.streams", setter: fld_set}]}, - "subcategory": {to:[{field: "rsa.misc.subcategory", setter: fld_set}]}, - "subject": {to:[{field: "rsa.email.subject", setter: fld_set}]}, - "svcno": {to:[{field: "rsa.misc.svcno", setter: fld_set}]}, - "system": {to:[{field: "rsa.misc.system", setter: fld_set}]}, - "t_context": {to:[{field: "rsa.misc.context_target", setter: fld_set}]}, - "task_name": {to:[{field: "rsa.file.task_name", setter: fld_set}]}, - "tbdstr1": {to:[{field: "rsa.misc.tbdstr1", setter: fld_set}]}, - "tbdstr2": {to:[{field: "rsa.misc.tbdstr2", setter: fld_set}]}, - "tbl_name": {to:[{field: "rsa.db.table_name", setter: fld_set}]}, - "tcp_flags": {convert: to_long, to:[{field: 
"rsa.misc.tcp_flags", setter: fld_set}]}, - "terminal": {to:[{field: "rsa.misc.terminal", setter: fld_set}]}, - "tgtdom": {to:[{field: "rsa.misc.tgtdom", setter: fld_set}]}, - "tgtdomain": {to:[{field: "rsa.misc.tgtdomain", setter: fld_set}]}, - "threat_name": {to:[{field: "rsa.threat.threat_category", setter: fld_set}]}, - "threat_source": {to:[{field: "rsa.threat.threat_source", setter: fld_set}]}, - "threat_val": {to:[{field: "rsa.threat.threat_desc", setter: fld_set}]}, - "threshold": {to:[{field: "rsa.misc.threshold", setter: fld_set}]}, - "time": {convert: to_date, to:[{field: "rsa.internal.time", setter: fld_set}]}, - "timestamp": {to:[{field: "rsa.time.timestamp", setter: fld_set}]}, - "timezone": {to:[{field: "rsa.time.timezone", setter: fld_set}]}, - "to": {to:[{field: "rsa.email.email_dst", setter: fld_set}]}, - "tos": {convert: to_long, to:[{field: "rsa.misc.tos", setter: fld_set}]}, - "trans_from": {to:[{field: "rsa.email.trans_from", setter: fld_set}]}, - "trans_id": {to:[{field: "rsa.db.transact_id", setter: fld_set}]}, - "trans_to": {to:[{field: "rsa.email.trans_to", setter: fld_set}]}, - "trigger_desc": {to:[{field: "rsa.misc.trigger_desc", setter: fld_set}]}, - "trigger_val": {to:[{field: "rsa.misc.trigger_val", setter: fld_set}]}, - "type": {to:[{field: "rsa.misc.type", setter: fld_set}]}, - "type1": {to:[{field: "rsa.misc.type1", setter: fld_set}]}, - "tzone": {to:[{field: "rsa.time.tzone", setter: fld_set}]}, - "ubc.req": {convert: to_long, to:[{field: "rsa.internal.ubc_req", setter: fld_set}]}, - "ubc.res": {convert: to_long, to:[{field: "rsa.internal.ubc_res", setter: fld_set}]}, - "udb_class": {to:[{field: "rsa.misc.udb_class", setter: fld_set}]}, - "url_fld": {to:[{field: "rsa.misc.url_fld", setter: fld_set}]}, - "urlpage": {to:[{field: "rsa.web.urlpage", setter: fld_set}]}, - "urlroot": {to:[{field: "rsa.web.urlroot", setter: fld_set}]}, - "user_address": {to:[{field: "rsa.email.email", setter: fld_append}]}, - "user_dept": {to:[{field: 
"rsa.identity.user_dept", setter: fld_set}]}, - "user_div": {to:[{field: "rsa.misc.user_div", setter: fld_set}]}, - "user_fname": {to:[{field: "rsa.identity.firstname", setter: fld_set}]}, - "user_lname": {to:[{field: "rsa.identity.lastname", setter: fld_set}]}, - "user_mname": {to:[{field: "rsa.identity.middlename", setter: fld_set}]}, - "user_org": {to:[{field: "rsa.identity.org", setter: fld_set}]}, - "user_role": {to:[{field: "rsa.identity.user_role", setter: fld_set}]}, - "userid": {to:[{field: "rsa.misc.userid", setter: fld_set}]}, - "username_fld": {to:[{field: "rsa.misc.username_fld", setter: fld_set}]}, - "utcstamp": {to:[{field: "rsa.misc.utcstamp", setter: fld_set}]}, - "v_instafname": {to:[{field: "rsa.misc.v_instafname", setter: fld_set}]}, - "vendor_event_cat": {to:[{field: "rsa.investigations.event_vcat", setter: fld_set}]}, - "version": {to:[{field: "rsa.misc.version", setter: fld_set}]}, - "vid": {to:[{field: "rsa.internal.msg_vid", setter: fld_set}]}, - "virt_data": {to:[{field: "rsa.misc.virt_data", setter: fld_set}]}, - "virusname": {to:[{field: "rsa.misc.virusname", setter: fld_set}]}, - "vlan": {convert: to_long, to:[{field: "rsa.network.vlan", setter: fld_set}]}, - "vlan.name": {to:[{field: "rsa.network.vlan_name", setter: fld_set}]}, - "vm_target": {to:[{field: "rsa.misc.vm_target", setter: fld_set}]}, - "vpnid": {to:[{field: "rsa.misc.vpnid", setter: fld_set}]}, - "vsys": {to:[{field: "rsa.misc.vsys", setter: fld_set}]}, - "vuln_ref": {to:[{field: "rsa.misc.vuln_ref", setter: fld_set}]}, - "web_cookie": {to:[{field: "rsa.web.web_cookie", setter: fld_set}]}, - "web_extension_tmp": {to:[{field: "rsa.web.web_extension_tmp", setter: fld_set}]}, - "web_host": {to:[{field: "rsa.web.alias_host", setter: fld_set}]}, - "web_method": {to:[{field: "rsa.misc.action", setter: fld_append}]}, - "web_page": {to:[{field: "rsa.web.web_page", setter: fld_set}]}, - "web_ref_domain": {to:[{field: "rsa.web.web_ref_domain", setter: fld_set}]}, - "web_ref_host": 
{to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "web_ref_page": {to:[{field: "rsa.web.web_ref_page", setter: fld_set}]}, - "web_ref_query": {to:[{field: "rsa.web.web_ref_query", setter: fld_set}]}, - "web_ref_root": {to:[{field: "rsa.web.web_ref_root", setter: fld_set}]}, - "wifi_channel": {convert: to_long, to:[{field: "rsa.wireless.wlan_channel", setter: fld_set}]}, - "wlan": {to:[{field: "rsa.wireless.wlan_name", setter: fld_set}]}, - "word": {to:[{field: "rsa.internal.word", setter: fld_set}]}, - "workspace_desc": {to:[{field: "rsa.misc.workspace", setter: fld_set}]}, - "workstation": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "year": {to:[{field: "rsa.time.year", setter: fld_set}]}, - "zone": {to:[{field: "rsa.network.zone", setter: fld_set}]}, - }; - - function to_date(value) { - switch (typeof (value)) { - case "object": - // This is a Date. But as it was obtained from evt.Get(), the VM - // doesn't see it as a JS Date anymore, thus value instanceof Date === false. - // Have to trust that any object here is a valid Date for Go. - return value; - case "string": - var asDate = new Date(value); - if (!isNaN(asDate)) return asDate; - } - } - - // ECMAScript 5.1 doesn't have Object.MAX_SAFE_INTEGER / Object.MIN_SAFE_INTEGER. - var maxSafeInt = Math.pow(2, 53) - 1; - var minSafeInt = -maxSafeInt; - - function to_long(value) { - var num = parseInt(value); - // Better not to index a number if it's not safe (above 53 bits). - return !isNaN(num) && minSafeInt <= num && num <= maxSafeInt ? 
num : undefined; - } - - function to_ip(value) { - if (value.indexOf(":") === -1) - return to_ipv4(value); - return to_ipv6(value); - } - - var ipv4_regex = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/; - var ipv6_hex_regex = /^[0-9A-Fa-f]{1,4}$/; - - function to_ipv4(value) { - var result = ipv4_regex.exec(value); - if (result == null || result.length !== 5) return; - for (var i = 1; i < 5; i++) { - var num = strictToInt(result[i]); - if (isNaN(num) || num < 0 || num > 255) return; - } - return value; - } - - function to_ipv6(value) { - var sqEnd = value.indexOf("]"); - if (sqEnd > -1) { - if (value.charAt(0) !== "[") return; - value = value.substr(1, sqEnd - 1); - } - var zoneOffset = value.indexOf("%"); - if (zoneOffset > -1) { - value = value.substr(0, zoneOffset); - } - var parts = value.split(":"); - if (parts == null || parts.length < 3 || parts.length > 8) return; - var numEmpty = 0; - var innerEmpty = 0; - for (var i = 0; i < parts.length; i++) { - if (parts[i].length === 0) { - numEmpty++; - if (i > 0 && i + 1 < parts.length) innerEmpty++; - } else if (!parts[i].match(ipv6_hex_regex) && - // Accept an IPv6 with a valid IPv4 at the end. - ((i + 1 < parts.length) || !to_ipv4(parts[i]))) { - return; - } - } - return innerEmpty === 0 && parts.length === 8 || innerEmpty === 1 ? value : undefined; - } - - function to_double(value) { - return parseFloat(value); - } - - function to_mac(value) { - // ES doesn't have a mac datatype so it's safe to ingest whatever was captured. - return value; - } - - function to_lowercase(value) { - // to_lowercase is used against keyword fields, which can accept - // any other type (numbers, dates). - return typeof(value) === "string"? 
value.toLowerCase() : value; - } - - function fld_set(dst, value) { - dst[this.field] = { v: value }; - } - - function fld_append(dst, value) { - if (dst[this.field] === undefined) { - dst[this.field] = { v: [value] }; - } else { - var base = dst[this.field]; - if (base.v.indexOf(value)===-1) base.v.push(value); - } - } - - function fld_prio(dst, value) { - if (dst[this.field] === undefined) { - dst[this.field] = { v: value, prio: this.prio}; - } else if(this.prio < dst[this.field].prio) { - dst[this.field].v = value; - dst[this.field].prio = this.prio; - } - } - - var valid_ecs_outcome = { - 'failure': true, - 'success': true, - 'unknown': true - }; - - function fld_ecs_outcome(dst, value) { - value = value.toLowerCase(); - if (valid_ecs_outcome[value] === undefined) { - value = 'unknown'; - } - if (dst[this.field] === undefined) { - dst[this.field] = { v: value }; - } else if (dst[this.field].v === 'unknown') { - dst[this.field] = { v: value }; - } - } - - function map_all(evt, targets, value) { - for (var i = 0; i < targets.length; i++) { - evt.Put(targets[i], value); - } - } - - function populate_fields(evt) { - var base = evt.Get(FIELDS_OBJECT); - if (base === null) return; - alternate_datetime(evt); - if (map_ecs) { - do_populate(evt, base, ecs_mappings); - } - if (map_rsa) { - do_populate(evt, base, rsa_mappings); - } - if (keep_raw) { - evt.Put("rsa.raw", base); - } - evt.Delete(FIELDS_OBJECT); - } - - var datetime_alt_components = [ - {field: "day", fmts: [[dF]]}, - {field: "year", fmts: [[dW]]}, - {field: "month", fmts: [[dB],[dG]]}, - {field: "date", fmts: [[dW,dSkip,dG,dSkip,dF],[dW,dSkip,dB,dSkip,dF],[dW,dSkip,dR,dSkip,dF]]}, - {field: "hour", fmts: [[dN]]}, - {field: "min", fmts: [[dU]]}, - {field: "secs", fmts: [[dO]]}, - {field: "time", fmts: [[dN, dSkip, dU, dSkip, dO]]}, - ]; - - function alternate_datetime(evt) { - if (evt.Get(FIELDS_PREFIX + "event_time") != null) { - return; - } - var tzOffset = tz_offset; - if (tzOffset === "event") { - 
tzOffset = evt.Get("event.timezone"); - } - var container = new DateContainer(tzOffset); - for (var i=0; i} %{fld79->} %{fld80->} %{fld81->} %{timezone->} %{fld82},updateTime=%{fld8},alertSev=%{severity},group=%{group},ruleName=\"%{rulename}\",evntDesc=\"%{event_description}\",category=%{category},disposition=%{disposition},eventType=%{event_type},proto=%{protocol},srcPort=%{sport},srcIP=%{saddr},dstPort=%{dport},dstIP=%{daddr},policyName=\"%{policyname}\",occurrences=%{event_counter},httpHost=%{web_host},webMethod=%{web_method},url=\"%{url}\",webQuery=\"%{web_query}\",soapAction=%{fld83},resultCode=%{resultcode},sessionID=%{sessionid},username=%{username},addUsername=%{fld84},responseTime=%{fld85},responseSize=%{fld86},direction=%{direction},dbUsername=%{fld87},queryGroup=%{fld88},application=\"%{application}\",srcHost=%{shost},osUsername=%{c_username},schemaName=%{owner},dbName=%{db_name},hdrName=%{fld92},action=\"%{action}\",errormsg=\"%{result}\"", processor_chain([ - dup1, - dup2, - dup3, - ])); - - var msg1 = msg("IMPERVA_ALERT:02", part1); - - var part2 = match("MESSAGE#1:IMPERVA_ALERT", "nwparser.payload", "alert#=%{operation_id},event#=%{fld7},createTime=%{fld79},updateTime=%{fld80},alertSev=%{severity},group=%{group},ruleName=\"%{rulename}\",evntDesc=\"%{event_description}\",category=%{category},disposition=%{disposition},eventType=%{event_type},proto=%{protocol},srcPort=%{sport},srcIP=%{saddr},dstPort=%{dport},dstIP=%{daddr},policyName=\"%{policyname}\",occurrences=%{event_counter},httpHost=%{web_host},webMethod=%{web_method},url=\"%{url}\",webQuery=\"%{web_query}\",soapAction=%{fld83},resultCode=%{resultcode},sessionID=%{sessionid},username=%{username},addUsername=%{fld84},responseTime=%{fld85},responseSize=%{fld86},direction=%{direction},dbUsername=%{fld87},queryGroup=%{fld88},application=\"%{application}\",srcHost=%{shost},osUsername=%{c_username},schemaName=%{owner},dbName=%{db_name},hdrName=%{fld92},action=\"%{action}\",errormsg=\"%{result}\"", 
processor_chain([ - dup1, - dup4, - dup3, - ])); - - var msg2 = msg("IMPERVA_ALERT", part2); - - var part3 = match("MESSAGE#2:IMPERVA_ALERT:03", "nwparser.payload", "alert#=%{operation_id},event#=%{fld7},createTime=%{fld78->} %{fld79->} %{fld80->} %{fld81->} %{timezone->} %{fld82},updateTime=%{fld8},alertSev=%{severity},group=%{group},ruleName=\"%{rulename}\",evntDesc=\"%{event_description}\",category=%{category},disposition=%{disposition},eventType=%{event_type},proto=%{protocol},srcPort=%{sport},srcIP=%{saddr},dstPort=%{dport},dstIP=%{daddr},policyName=\"%{policyname}\",occurrences=%{event_counter},httpHost=%{web_host},webMethod=%{web_method},url=\"%{url}\",webQuery=\"%{web_query}\",soapAction=%{fld83},resultCode=%{resultcode},sessionID=%{sessionid},username=%{username},addUsername=%{fld84},responseTime=%{fld85},responseSize=%{fld86},direction=%{direction},dbUsername=%{fld87},queryGroup=%{fld88},application=\"%{application}\",srcHost=%{shost},osUsername=%{c_username},schemaName=%{owner},dbName=%{db_name},hdrName=%{fld92},action=%{action}", processor_chain([ - dup1, - dup2, - dup3, - ])); - - var msg3 = msg("IMPERVA_ALERT:03", part3); - - var part4 = match("MESSAGE#3:IMPERVA_ALERT:01", "nwparser.payload", 
"alert#=%{operation_id},event#=%{fld7},createTime=%{fld79},updateTime=%{fld80},alertSev=%{severity},group=%{group},ruleName=\"%{rulename}\",evntDesc=\"%{event_description}\",category=%{category},disposition=%{disposition},eventType=%{event_type},proto=%{protocol},srcPort=%{sport},srcIP=%{saddr},dstPort=%{dport},dstIP=%{daddr},policyName=\"%{policyname}\",occurrences=%{event_counter},httpHost=%{web_host},webMethod=%{web_method},url=\"%{url}\",webQuery=\"%{web_query}\",soapAction=%{fld83},resultCode=%{resultcode},sessionID=%{sessionid},username=%{username},addUsername=%{fld84},responseTime=%{fld85},responseSize=%{fld86},direction=%{direction},dbUsername=%{fld87},queryGroup=%{fld88},application=\"%{application}\",srcHost=%{shost},osUsername=%{c_username},schemaName=%{owner},dbName=%{db_name},hdrName=%{fld92},action=%{action}", processor_chain([ - dup1, - dup4, - dup3, - ])); - - var msg4 = msg("IMPERVA_ALERT:01", part4); - - var part5 = match("MESSAGE#4:IMPERVA_EVENT:01", "nwparser.payload", "event#=%{fld77},createTime=%{fld78->} %{fld79->} %{fld80->} %{fld81->} %{timezone->} %{fld82},eventType=%{event_type},eventSev=%{severity},username=%{username},subsystem=%{fld7},message=\"%{event_description}\"", processor_chain([ - dup5, - dup2, - dup3, - ])); - - var msg5 = msg("IMPERVA_EVENT:01", part5); - - var part6 = match("MESSAGE#5:IMPERVA_EVENT", "nwparser.payload", "event#=%{fld77},createTime=%{fld79},eventType=%{event_type},eventSev=%{severity},username=%{username},subsystem=%{fld7},message=\"%{event_description}\"", processor_chain([ - dup5, - dup4, - dup3, - ])); - - var msg6 = msg("IMPERVA_EVENT", part6); - - var part7 = match("MESSAGE#6:IMPERVA_DATABASE_ACTIVITY:03", "nwparser.payload", "dstIP=%{daddr},dstPort=%{dport},dbUsername=%{username},srcIP=%{saddr},srcPort=%{sport},creatTime=%{fld79->} %{fld22->} %{fld23->} 
%{fld24},,srvGroup=%{group_object},service=%{fld88},appName=%{fld81},event#=%{fld82},eventType=Login,usrGroup=%{group},usrAuth=True,application=\"%{application}\",osUsername=%{c_username},srcHost=%{shost},dbName=%{db_name},schemaName=%{owner},bindVar=%{fld86},sqlError=%{result},respSize=%{dclass_counter1},respTime=%{duration},affRows=%{fld87},action=\"%{action}\",rawQuery=\"%{info}\"", processor_chain([ - dup6, - dup7, - dup8, - dup9, - dup10, - dup11, - dup12, - dup3, - dup13, - ])); - - var msg7 = msg("IMPERVA_DATABASE_ACTIVITY:03", part7); - - var part8 = match("MESSAGE#7:IMPERVA_DATABASE_ACTIVITY:06", "nwparser.payload", "dstIP=%{daddr},dstPort=%{dport},dbUsername=%{username},srcIP=%{saddr},srcPort=%{sport},creatTime=%{fld79->} %{fld22->} %{fld23->} %{fld24},,srvGroup=%{group_object},service=%{fld88},appName=%{fld81},event#=%{fld82},eventType=Login,usrGroup=%{group},usrAuth=False,application=\"%{application}\",osUsername=%{c_username},srcHost=%{shost},dbName=%{db_name},schemaName=%{owner},bindVar=%{fld86},sqlError=%{result},respSize=%{dclass_counter1},respTime=%{duration},affRows=%{fld87},action=\"%{action}\",rawQuery=\"%{info}\"", processor_chain([ - dup14, - dup7, - dup8, - dup9, - dup15, - dup11, - dup12, - dup3, - dup13, - ])); - - var msg8 = msg("IMPERVA_DATABASE_ACTIVITY:06", part8); - - var part9 = match("MESSAGE#8:IMPERVA_DATABASE_ACTIVITY:01", "nwparser.payload", "dstIP=%{daddr},dstPort=%{dport},dbUsername=%{username},srcIP=%{saddr},srcPort=%{sport},creatTime=%{fld79},srvGroup=%{group_object},service=%{fld88},appName=%{fld81},event#=%{fld82},eventType=Login,usrGroup=%{group},usrAuth=True,application=\"%{application}\",osUsername=%{c_username},srcHost=%{shost},dbName=%{db_name},schemaName=%{owner},bindVar=%{fld86},sqlError=%{result},respSize=%{dclass_counter1},respTime=%{duration},affRows=%{fld87},action=\"%{action}\",rawQuery=\"%{info}\"", processor_chain([ - dup6, - dup7, - dup8, - dup9, - dup10, - dup11, - dup16, - dup3, - dup13, - ])); - - var msg9 
= msg("IMPERVA_DATABASE_ACTIVITY:01", part9); - - var part10 = match("MESSAGE#9:IMPERVA_DATABASE_ACTIVITY:07", "nwparser.payload", "dstIP=%{daddr},dstPort=%{dport},dbUsername=%{username},srcIP=%{saddr},srcPort=%{sport},creatTime=%{fld79},srvGroup=%{group_object},service=%{fld88},appName=%{fld81},event#=%{fld82},eventType=Login,usrGroup=%{group},usrAuth=False,application=\"%{application}\",osUsername=%{c_username},srcHost=%{shost},dbName=%{db_name},schemaName=%{owner},bindVar=%{fld86},sqlError=%{result},respSize=%{dclass_counter1},respTime=%{duration},affRows=%{fld87},action=\"%{action}\",rawQuery=\"%{info}\"", processor_chain([ - dup14, - dup7, - dup8, - dup9, - dup15, - dup11, - dup16, - dup3, - dup13, - ])); - - var msg10 = msg("IMPERVA_DATABASE_ACTIVITY:07", part10); - - var part11 = match("MESSAGE#10:IMPERVA_DATABASE_ACTIVITY:04", "nwparser.payload", "dstIP=%{daddr},dstPort=%{dport},dbUsername=%{username},srcIP=%{saddr},srcPort=%{sport},creatTime=%{fld79->} %{fld22->} %{fld23->} %{fld24},,srvGroup=%{group_object},service=%{fld88},appName=%{fld81},event#=%{fld82},eventType=Logout,usrGroup=%{group},usrAuth=True,application=\"%{application}\",osUsername=%{c_username},srcHost=%{shost},dbName=%{db_name},schemaName=%{owner},bindVar=%{fld86},sqlError=%{result},respSize=%{dclass_counter1},respTime=%{duration},affRows=%{fld87},action=\"%{action}\",rawQuery=\"%{info}\"", processor_chain([ - dup17, - dup7, - dup18, - dup9, - dup10, - dup19, - dup12, - dup3, - dup13, - ])); - - var msg11 = msg("IMPERVA_DATABASE_ACTIVITY:04", part11); - - var part12 = match("MESSAGE#11:IMPERVA_DATABASE_ACTIVITY:08", "nwparser.payload", "dstIP=%{daddr},dstPort=%{dport},dbUsername=%{username},srcIP=%{saddr},srcPort=%{sport},creatTime=%{fld79->} %{fld22->} %{fld23->} 
%{fld24},,srvGroup=%{group_object},service=%{fld88},appName=%{fld81},event#=%{fld82},eventType=Logout,usrGroup=%{group},usrAuth=False,application=\"%{application}\",osUsername=%{c_username},srcHost=%{shost},dbName=%{db_name},schemaName=%{owner},bindVar=%{fld86},sqlError=%{result},respSize=%{dclass_counter1},respTime=%{duration},affRows=%{fld87},action=\"%{action}\",rawQuery=\"%{info}\"", processor_chain([ - dup17, - dup7, - dup18, - dup9, - dup15, - dup19, - dup12, - dup3, - dup13, - ])); - - var msg12 = msg("IMPERVA_DATABASE_ACTIVITY:08", part12); - - var part13 = match("MESSAGE#12:IMPERVA_DATABASE_ACTIVITY:02", "nwparser.payload", "dstIP=%{daddr},dstPort=%{dport},dbUsername=%{username},srcIP=%{saddr},srcPort=%{sport},creatTime=%{fld79},srvGroup=%{group_object},service=%{fld88},appName=%{fld81},event#=%{fld82},eventType=Logout,usrGroup=%{group},usrAuth=True,application=\"%{application}\",osUsername=%{c_username},srcHost=%{shost},dbName=%{db_name},schemaName=%{owner},bindVar=%{fld86},sqlError=%{result},respSize=%{dclass_counter1},respTime=%{duration},affRows=%{fld87},action=\"%{action}\",rawQuery=\"%{info}\"", processor_chain([ - dup17, - dup7, - dup18, - dup9, - dup10, - dup19, - dup4, - dup3, - dup13, - ])); - - var msg13 = msg("IMPERVA_DATABASE_ACTIVITY:02", part13); - - var part14 = match("MESSAGE#13:IMPERVA_DATABASE_ACTIVITY:09", "nwparser.payload", "dstIP=%{daddr},dstPort=%{dport},dbUsername=%{username},srcIP=%{saddr},srcPort=%{sport},creatTime=%{fld79},srvGroup=%{group_object},service=%{fld88},appName=%{fld81},event#=%{fld82},eventType=Logout,usrGroup=%{group},usrAuth=False,application=\"%{application}\",osUsername=%{c_username},srcHost=%{shost},dbName=%{db_name},schemaName=%{owner},bindVar=%{fld86},sqlError=%{result},respSize=%{dclass_counter1},respTime=%{duration},affRows=%{fld87},action=\"%{action}\",rawQuery=\"%{info}\"", processor_chain([ - dup17, - dup7, - dup18, - dup9, - dup15, - dup19, - dup4, - dup3, - dup13, - ])); - - var msg14 = 
msg("IMPERVA_DATABASE_ACTIVITY:09", part14); - - var part15 = match("MESSAGE#14:IMPERVA_DATABASE_ACTIVITY:10", "nwparser.payload", "dstIP=%{daddr},dstPort=%{dport},dbUsername=%{username},srcIP=%{saddr},srcPort=%{sport},creatTime=%{fld79->} %{fld22->} %{fld23->} %{fld24},,srvGroup=%{group_object},service=%{fld88},appName=%{fld81},event#=%{fld82},eventType=Query,usrGroup=%{group},usrAuth=True,application=\"%{application}\",osUsername=%{c_username},srcHost=%{shost},dbName=%{db_name},schemaName=%{owner},bindVar=%{fld86}", processor_chain([ - dup17, - dup20, - dup12, - dup3, - dup13, - ])); - - var msg15 = msg("IMPERVA_DATABASE_ACTIVITY:10", part15); - - var part16 = match("MESSAGE#15:IMPERVA_DATABASE_ACTIVITY:11", "nwparser.payload", "dstIP=%{daddr},dstPort=%{dport},dbUsername=%{username},srcIP=%{saddr},srcPort=%{sport},creatTime=%{fld79->} %{fld22->} %{fld23->} %{fld24},,srvGroup=%{group_object},service=%{fld88},appName=%{fld81},event#=%{fld82},eventType=Query,usrGroup=%{group},usrAuth=False,application=\"%{application}\",osUsername=%{c_username},srcHost=%{shost},dbName=%{db_name},schemaName=%{owner},bindVar=%{fld86}", processor_chain([ - dup17, - dup20, - dup12, - dup3, - dup13, - ])); - - var msg16 = msg("IMPERVA_DATABASE_ACTIVITY:11", part16); - - var part17 = match("MESSAGE#16:IMPERVA_DATABASE_ACTIVITY:12", "nwparser.payload", "dstIP=%{daddr},dstPort=%{dport},dbUsername=%{username},srcIP=%{saddr},srcPort=%{sport},creatTime=%{fld79->} %{fld22->} %{fld23->} %{fld24},srvGroup=%{group_object},service=%{service},appName=%{fld81},event#=%{fld82},eventType=Login,usrGroup=%{group},usrAuth=%{fld99},application=\"%{application}\",osUsername=%{c_username},srcHost=%{shost},dbName=%{db_name},schemaName=%{owner},bindVar=%{fld86},sqlError=%{result}", processor_chain([ - setc("eventcategory","1401050200"), - dup20, - dup12, - dup3, - dup13, - ])); - - var msg17 = msg("IMPERVA_DATABASE_ACTIVITY:12", part17); - - var part18 = match("MESSAGE#17:IMPERVA_DATABASE_ACTIVITY", 
"nwparser.payload", "dstIP=%{daddr},dstPort=%{dport},dbUsername=%{username},srcIP=%{saddr},srcPort=%{sport},creatTime=%{fld79},srvGroup=%{group_object},service=%{fld88},appName=%{fld81},event#=%{fld82},eventType=%{event_type},usrGroup=%{group},usrAuth=%{fld83},application=\"%{application}\",osUsername=%{c_username},srcHost=%{shost},dbName=%{db_name},schemaName=%{owner},bindVar=%{fld86},sqlError=%{result},respSize=%{dclass_counter1},respTime=%{duration},affRows=%{fld87},action=\"%{action}\",rawQuery=\"%{info}\"", processor_chain([ - setc("eventcategory","1206000000"), - dup4, - dup3, - dup13, - ])); - - var msg18 = msg("IMPERVA_DATABASE_ACTIVITY", part18); - - var select2 = linear_select([ - msg1, - msg2, - msg3, - msg4, - msg5, - msg6, - msg7, - msg8, - msg9, - msg10, - msg11, - msg12, - msg13, - msg14, - msg15, - msg16, - msg17, - msg18, - ]); - - var chain1 = processor_chain([ - select1, - msgid_select({ - "Imperva": select2, - }), - ]); - -- community_id: -- registered_domain: - ignore_missing: true - ignore_failure: true - field: dns.question.name - target_field: dns.question.registered_domain - target_subdomain_field: dns.question.subdomain - target_etld_field: dns.question.top_level_domain -- registered_domain: - ignore_missing: true - ignore_failure: true - field: client.domain - target_field: client.registered_domain - target_subdomain_field: client.subdomain - target_etld_field: client.top_level_domain -- registered_domain: - ignore_missing: true - ignore_failure: true - field: server.domain - target_field: server.registered_domain - target_subdomain_field: server.subdomain - target_etld_field: server.top_level_domain -- registered_domain: - ignore_missing: true - ignore_failure: true - field: destination.domain - target_field: destination.registered_domain - target_subdomain_field: destination.subdomain - target_etld_field: destination.top_level_domain -- registered_domain: - ignore_missing: true - ignore_failure: true - field: source.domain - 
target_field: source.registered_domain
- target_subdomain_field: source.subdomain
- target_etld_field: source.top_level_domain
-- registered_domain:
- ignore_missing: true
- ignore_failure: true
- field: url.domain
- target_field: url.registered_domain
- target_subdomain_field: url.subdomain
- target_etld_field: url.top_level_domain
-- add_locale: ~
diff --git a/packages/imperva/0.10.1/data_stream/securesphere/elasticsearch/ingest_pipeline/default.yml b/packages/imperva/0.10.1/data_stream/securesphere/elasticsearch/ingest_pipeline/default.yml
deleted file mode 100755
index 5b5ae67afe..0000000000
--- a/packages/imperva/0.10.1/data_stream/securesphere/elasticsearch/ingest_pipeline/default.yml
+++ /dev/null
@@ -1,68 +0,0 @@
----
-description: Pipeline for Imperva SecureSphere
-
-processors:
- - set:
- field: ecs.version
- value: '8.4.0'
- # User agent
- - user_agent:
- field: user_agent.original
- ignore_missing: true
- # IP Geolocation Lookup
- - geoip:
- field: source.ip
- target_field: source.geo
- ignore_missing: true
- - geoip:
- field: destination.ip
- target_field: destination.geo
- ignore_missing: true
-
- # IP Autonomous System (AS) Lookup
- - geoip:
- database_file: GeoLite2-ASN.mmdb
- field: source.ip
- target_field: source.as
- properties:
- - asn
- - organization_name
- ignore_missing: true
- - geoip:
- database_file: GeoLite2-ASN.mmdb
- field: destination.ip
- target_field: destination.as
- properties:
- - asn
- - organization_name
- ignore_missing: true
- - rename:
- field: source.as.asn
- target_field: source.as.number
- ignore_missing: true
- - rename:
- field: source.as.organization_name
- target_field: source.as.organization.name
- ignore_missing: true
- - rename:
- field: destination.as.asn
- target_field: destination.as.number
- ignore_missing: true
- - rename:
- field: destination.as.organization_name
- target_field: destination.as.organization.name
- ignore_missing: true
- - append:
- field: related.hosts
- value: '{{host.name}}'
- allow_duplicates: false
- if: ctx.host?.name != null && ctx.host?.name != ''
- - remove:
- field: event.original
- if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))"
- ignore_failure: true
- ignore_missing: true
-on_failure:
- - append:
- field: error.message
- value: "{{ _ingest.on_failure_message }}"
diff --git a/packages/imperva/0.10.1/data_stream/securesphere/fields/base-fields.yml b/packages/imperva/0.10.1/data_stream/securesphere/fields/base-fields.yml
deleted file mode 100755
index dc56d4aaff..0000000000
--- a/packages/imperva/0.10.1/data_stream/securesphere/fields/base-fields.yml
+++ /dev/null
@@ -1,46 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: event.module
- type: constant_keyword
- description: Event module
- value: imperva
-- name: event.dataset
- type: constant_keyword
- description: Event dataset
- value: imperva.securesphere
-- name: '@timestamp'
- type: date
- description: Event timestamp.
-- name: container.id
- description: Unique container id.
- ignore_above: 1024
- type: keyword
-- name: input.type
- description: Type of Filebeat input.
- type: keyword
-- name: log.file.path
- description: Full path to the log file this event came from.
- example: /var/log/fun-times.log
- ignore_above: 1024
- type: keyword
-- name: log.source.address
- description: Source address from which the log event was read / sent from.
- type: keyword
-- name: log.flags
- description: Flags for the log file.
- type: keyword
-- name: log.offset
- description: Offset of the entry in the log file.
- type: long
-- name: tags
- description: List of keywords used to tag each event.
- example: '["production", "env2"]'
- ignore_above: 1024
- type: keyword
diff --git a/packages/imperva/0.10.1/data_stream/securesphere/fields/ecs.yml b/packages/imperva/0.10.1/data_stream/securesphere/fields/ecs.yml
deleted file mode 100755
index f7e5c95752..0000000000
--- a/packages/imperva/0.10.1/data_stream/securesphere/fields/ecs.yml
+++ /dev/null
@@ -1,547 +0,0 @@ -- description: |- - Date/time when the event originated. - This is the date/time extracted from the event, typically representing when the event was generated by the source. - If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. - Required field for all events. - name: '@timestamp' - type: date -- description: |- - The domain name of the client system. - This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. - name: client.domain - type: keyword -- description: |- - The highest registered client domain, stripped of the subdomain. - For example, the registered domain for "foo.example.com" is "example.com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". - name: client.registered_domain - type: keyword -- description: |- - The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. - For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. - name: client.subdomain - type: keyword -- description: |- - The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). 
Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". - name: client.top_level_domain - type: keyword -- description: |- - Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: destination.address - type: keyword -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: destination.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: destination.as.organization.name - type: keyword -- description: Bytes sent from the destination to the source. - name: destination.bytes - type: long -- description: |- - The domain name of the destination system. - This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. - name: destination.domain - type: keyword -- description: City name. - name: destination.geo.city_name - type: keyword -- description: Country name. - name: destination.geo.country_name - type: keyword -- description: Longitude and latitude. - name: destination.geo.location - type: geo_point -- description: IP address of the destination (IPv4 or IPv6). - name: destination.ip - type: ip -- description: |- - MAC address of the destination. - The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. 
- name: destination.mac - pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ - type: keyword -- description: |- - Translated ip of destination based NAT sessions (e.g. internet to private DMZ) - Typically used with load balancers, firewalls, or routers. - name: destination.nat.ip - type: ip -- description: |- - Port the source session is translated to by NAT Device. - Typically used with load balancers, firewalls, or routers. - name: destination.nat.port - type: long -- description: Port of the destination. - name: destination.port - type: long -- description: |- - The highest registered destination domain, stripped of the subdomain. - For example, the registered domain for "foo.example.com" is "example.com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". - name: destination.registered_domain - type: keyword -- description: |- - The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. - For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. - name: destination.subdomain - type: keyword -- description: |- - The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". 
- name: destination.top_level_domain - type: keyword -- description: |- - The domain name to which this resource record pertains. - If a chain of CNAME is being resolved, each answer's `name` should be the one that corresponds with the answer's `data`. It should not simply be the original `question.name` repeated. - name: dns.answers.name - type: keyword -- description: The type of data contained in this resource record. - name: dns.answers.type - type: keyword -- description: |- - The highest registered domain, stripped of the subdomain. - For example, the registered domain for "foo.example.com" is "example.com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". - name: dns.question.registered_domain - type: keyword -- description: |- - The subdomain is all of the labels under the registered_domain. - If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. - name: dns.question.subdomain - type: keyword -- description: |- - The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". - name: dns.question.top_level_domain - type: keyword -- description: The type of record being queried. - name: dns.question.type - type: keyword -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. 
- When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: Error message. - name: error.message - type: match_only_text -- description: |- - The action captured by the event. - This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. - name: event.action - type: keyword -- description: |- - Identification code for this event, if one exists. - Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. - name: event.code - type: keyword -- description: |- - Timestamp when an event arrived in the central data store. - This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. - In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. - name: event.ingested - type: date -- description: |- - Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. - This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. - doc_values: false - index: false - name: event.original - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. 
- `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. - Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. - Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. - Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. - name: event.outcome - type: keyword -- description: |- - This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. - Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). - name: event.timezone - type: keyword -- description: |- - Array of file attributes. - Attributes names will vary by platform. Here's a non-exhaustive list of values that are expected in this field: archive, compressed, directory, encrypted, execute, hidden, read, readonly, system, write. - name: file.attributes - normalize: - - array - type: keyword -- description: Directory where the file is located. It should include the drive letter, when appropriate. - name: file.directory - type: keyword -- description: |- - File extension, excluding the leading dot. - Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). - name: file.extension - type: keyword -- description: Name of the file including the extension, without the directory. 
- name: file.name - type: keyword -- description: Full path to the file, including the file name. It should include the drive letter, when appropriate. - multi_fields: - - name: text - type: match_only_text - name: file.path - type: keyword -- description: |- - File size in bytes. - Only relevant when `file.type` is "file". - name: file.size - type: long -- description: File type (file, dir, or symlink). - name: file.type - type: keyword -- description: City name. - name: geo.city_name - type: keyword -- description: Country name. - name: geo.country_name - type: keyword -- description: |- - User-defined description of a location, at the level of granularity they care about. - Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. - Not typically used in automated geolocation. - name: geo.name - type: keyword -- description: Region name. - name: geo.region_name - type: keyword -- description: Unique identifier for the group on the system/platform. - name: group.id - type: keyword -- description: Name of the group. - name: group.name - type: keyword -- description: |- - Hostname of the host. - It normally contains what the `hostname` command returns on the host machine. - name: host.hostname - type: keyword -- description: Host ip addresses. - name: host.ip - normalize: - - array - type: ip -- description: |- - Host MAC addresses. - The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. - name: host.mac - normalize: - - array - pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ - type: keyword -- description: |- - Name of the host. - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. 
- name: host.name - type: keyword -- description: |- - HTTP request method. - The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field. - name: http.request.method - type: keyword -- description: Referrer for this HTTP request. - name: http.request.referrer - type: keyword -- description: |- - Original log level of the log event. - If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). - Some examples are `warn`, `err`, `i`, `informational`. - name: log.level - type: keyword -- description: |- - The Syslog numeric facility of the log event, if available. - According to RFCs 5424 and 3164, this value should be an integer between 0 and 23. - name: log.syslog.facility.code - type: long -- description: |- - Syslog numeric priority of the event, if available. - According to RFCs 5424 and 3164, the priority is 8 * facility + severity. This number is therefore expected to contain a value between 0 and 191. - name: log.syslog.priority - type: long -- description: |- - The Syslog numeric severity of the log event, if available. - If the event source publishing via Syslog provides a different numeric severity value (e.g. firewall, IDS), your source's numeric severity should go to `event.severity`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `event.severity`. - name: log.syslog.severity.code - type: long -- description: |- - For log events the message field contains the log message, optimized for viewing in a log viewer. - For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. - If multiple messages exist, they can be combined into one message. 
- name: message - type: match_only_text -- description: |- - When a specific application or service is identified from network connection details (source/dest IPs, ports, certificates, or wire format), this field captures the application's or service's name. - For example, the original event identifies the network connection being from a specific web service in a `https` network connection, like `facebook` or `twitter`. - The field value must be normalized to lowercase for querying. - name: network.application - type: keyword -- description: |- - Total bytes transferred in both directions. - If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. - name: network.bytes - type: long -- description: |- - Direction of the network traffic. - When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". - When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". - Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. - name: network.direction - type: keyword -- description: Host IP address when the source IP address is the proxy. - name: network.forwarded_ip - type: ip -- description: |- - Total packets transferred in both directions. - If `source.packets` and `destination.packets` are known, `network.packets` is their sum. - name: network.packets - type: long -- description: |- - In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. - The field value must be normalized to lowercase for querying. 
- name: network.protocol - type: keyword -- description: Interface name as reported by the system. - name: observer.egress.interface.name - type: keyword -- description: Interface name as reported by the system. - name: observer.ingress.interface.name - type: keyword -- description: The product name of the observer. - name: observer.product - type: keyword -- description: |- - The type of the observer the data is coming from. - There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. - name: observer.type - type: keyword -- description: Vendor name of the observer. - name: observer.vendor - type: keyword -- description: Observer version. - name: observer.version - type: keyword -- description: |- - Process name. - Sometimes called program name or similar. - multi_fields: - - name: text - type: match_only_text - name: process.name - type: keyword -- description: |- - Process name. - Sometimes called program name or similar. - multi_fields: - - name: text - type: match_only_text - name: process.parent.name - type: keyword -- description: |- - Process title. - The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. - multi_fields: - - name: text - type: match_only_text - name: process.parent.title - type: keyword -- description: Process id. - name: process.pid - type: long -- description: Process id. - name: process.parent.pid - type: long -- description: |- - Process title. - The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. - multi_fields: - - name: text - type: match_only_text - name: process.title - type: keyword -- description: All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. 
- name: related.hosts - normalize: - - array - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - normalize: - - array - type: ip -- description: All the user names or other user identifiers seen on the event. - name: related.user - normalize: - - array - type: keyword -- description: The name of the rule or signature generating the event. - name: rule.name - type: keyword -- description: |- - The domain name of the server system. - This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. - name: server.domain - type: keyword -- description: |- - The highest registered server domain, stripped of the subdomain. - For example, the registered domain for "foo.example.com" is "example.com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". - name: server.registered_domain - type: keyword -- description: |- - The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. - For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. - name: server.subdomain - type: keyword -- description: |- - The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). 
Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". - name: server.top_level_domain - type: keyword -- description: |- - Name of the service data is collected from. - The name of the service is normally user given. This allows for distributed services that run on multiple hosts to correlate the related instances based on the name. - In the case of Elasticsearch the `service.name` could contain the cluster name. For Beats the `service.name` is by default a copy of the `service.type` field if no name is specified. - name: service.name - type: keyword -- description: |- - Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: source.address - type: keyword -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: source.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: source.as.organization.name - type: keyword -- description: Bytes sent from the source to the destination. - name: source.bytes - type: long -- description: |- - The domain name of the source system. - This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. - name: source.domain - type: keyword -- description: City name. - name: source.geo.city_name - type: keyword -- description: Country name. - name: source.geo.country_name - type: keyword -- description: Longitude and latitude. - name: source.geo.location - type: geo_point -- description: IP address of the source (IPv4 or IPv6). 
- name: source.ip - type: ip -- description: |- - MAC address of the source. - The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. - name: source.mac - pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ - type: keyword -- description: |- - Translated ip of source based NAT sessions (e.g. internal client to internet) - Typically connections traversing load balancers, firewalls, or routers. - name: source.nat.ip - type: ip -- description: |- - Translated port of source based NAT sessions. (e.g. internal client to internet) - Typically used with load balancers, firewalls, or routers. - name: source.nat.port - type: long -- description: Port of the source. - name: source.port - type: long -- description: |- - The highest registered source domain, stripped of the subdomain. - For example, the registered domain for "foo.example.com" is "example.com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". - name: source.registered_domain - type: keyword -- description: |- - The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. - For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. 
- name: source.subdomain - type: keyword -- description: |- - The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". - name: source.top_level_domain - type: keyword -- description: List of keywords used to tag each event. - name: tags - normalize: - - array - type: keyword -- description: |- - Domain of the url, such as "www.elastic.co". - In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. - If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. - name: url.domain - type: keyword -- description: |- - Unmodified original url as seen in the event source. - Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. - This field is meant to represent the URL as it was observed, complete or not. - multi_fields: - - name: text - type: match_only_text - name: url.original - type: wildcard -- description: Path of the request, such as "/search". - name: url.path - type: wildcard -- description: |- - The query field describes the query string of the request, such as "q=elasticsearch". - The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. - name: url.query - type: keyword -- description: |- - The highest registered url domain, stripped of the subdomain. 
- For example, the registered domain for "foo.example.com" is "example.com".
- This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk".
- name: url.registered_domain
- type: keyword
-- description: |-
- The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com".
- This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk".
- name: url.top_level_domain
- type: keyword
-- description: |-
- Name of the directory the user is a member of.
- For example, an LDAP or Active Directory domain name.
- name: user.domain
- type: keyword
-- description: User's full name, if available.
- multi_fields:
- - name: text
- type: match_only_text
- name: user.full_name
- type: keyword
-- description: Unique identifier of the user.
- name: user.id
- type: keyword
-- description: Short name or login of the user.
- multi_fields:
- - name: text
- type: match_only_text
- name: user.name
- type: keyword
-- description: Unparsed user_agent string.
- multi_fields:
- - name: text
- type: match_only_text
- name: user_agent.original
- type: keyword
diff --git a/packages/imperva/0.10.1/data_stream/securesphere/fields/fields.yml b/packages/imperva/0.10.1/data_stream/securesphere/fields/fields.yml
deleted file mode 100755
index ea69cd79e3..0000000000
--- a/packages/imperva/0.10.1/data_stream/securesphere/fields/fields.yml
+++ /dev/null
@@ -1,1754 +0,0 @@
-- name: rsa
- type: group
- fields:
- - name: internal
- type: group
- fields:
- - name: msg
- type: keyword
- description: This key is used to capture the raw message that comes into the Log Decoder
- - name: messageid
- type: keyword
- - name: event_desc
- type: keyword
- - name: message
- type: keyword
- description: This key captures the contents of instant messages
- - name: time
- type: date
- description: This is the time at which a session hits a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness.
- - name: level
- type: long
- description: Deprecated key defined only in table map.
- - name: msg_id
- type: keyword
- description: This is the Message ID1 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
- - name: msg_vid
- type: keyword
- description: This is the Message ID2 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
- - name: data
- type: keyword
- description: Deprecated key defined only in table map.
- - name: obj_server
- type: keyword
- description: Deprecated key defined only in table map.
- - name: obj_val
- type: keyword
- description: Deprecated key defined only in table map.
- - name: resource
- type: keyword
- description: Deprecated key defined only in table map.
- - name: obj_id
- type: keyword
- description: Deprecated key defined only in table map.
- - name: statement
- type: keyword
- description: Deprecated key defined only in table map.
- - name: audit_class
- type: keyword
- description: Deprecated key defined only in table map.
- - name: entry - type: keyword - description: Deprecated key defined only in table map. - - name: hcode - type: keyword - description: Deprecated key defined only in table map. - - name: inode - type: long - description: Deprecated key defined only in table map. - - name: resource_class - type: keyword - description: Deprecated key defined only in table map. - - name: dead - type: long - description: Deprecated key defined only in table map. - - name: feed_desc - type: keyword - description: This is used to capture the description of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: feed_name - type: keyword - description: This is used to capture the name of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: cid - type: keyword - description: This is the unique identifier used to identify a NetWitness Concentrator. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: device_class - type: keyword - description: This is the Classification of the Log Event Source under a predefined fixed set of Event Source Classifications. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: device_group - type: keyword - description: This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: device_host - type: keyword - description: This is the Hostname of the log Event Source sending the logs to NetWitness. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: device_ip - type: ip - description: This is the IPv4 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: device_ipv6 - type: ip - description: This is the IPv6 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: device_type - type: keyword - description: This is the name of the log parser which parsed a given session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: device_type_id - type: long - description: Deprecated key defined only in table map. - - name: did - type: keyword - description: This is the unique identifier used to identify a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: entropy_req - type: long - description: This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration - - name: entropy_res - type: long - description: This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration - - name: event_name - type: keyword - description: Deprecated key defined only in table map. - - name: feed_category - type: keyword - description: This is used to capture the category of the feed. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: forward_ip - type: ip - description: This key should be used to capture the IPV4 address of a relay system which forwarded the events from the original system to NetWitness. - - name: forward_ipv6 - type: ip - description: This key is used to capture the IPV6 address of a relay system which forwarded the events from the original system to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: header_id - type: keyword - description: This is the Header ID value that identifies the exact log parser header definition that parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: lc_cid - type: keyword - description: This is a unique Identifier of a Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: lc_ctime - type: date - description: This is the time at which a log is collected in a NetWitness Log Collector. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: mcb_req - type: long - description: This key is only used by the Entropy Parser, the most common byte request is simply which byte for each side (0 thru 255) was seen the most - - name: mcb_res - type: long - description: This key is only used by the Entropy Parser, the most common byte response is simply which byte for each side (0 thru 255) was seen the most - - name: mcbc_req - type: long - description: This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams - - name: mcbc_res - type: long - description: This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams - - name: medium - type: long - description: "This key is used to identify if it’s a log/packet session or Layer 2 Encapsulation Type. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. 32 = log, 33 = correlation session, < 32 is packet session" - - name: node_name - type: keyword - description: Deprecated key defined only in table map. - - name: nwe_callback_id - type: keyword - description: This key denotes that event is endpoint related - - name: parse_error - type: keyword - description: This is a special key that stores any Meta key validation error found while parsing a log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: payload_req - type: long - description: This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. 
However, in order to keep - - name: payload_res - type: long - description: This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep - - name: process_vid_dst - type: keyword - description: Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the target process. - - name: process_vid_src - type: keyword - description: Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the source process. - - name: rid - type: long - description: This is a special ID of the Remote Session created by NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: session_split - type: keyword - description: This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: site - type: keyword - description: Deprecated key defined only in table map. - - name: size - type: long - description: This is the size of the session as seen by the NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: sourcefile - type: keyword - description: This is the name of the log file or PCAPs that can be imported into NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: ubc_req - type: long - description: This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 
256 would mean all byte values of 0 thru 255 were seen at least once - - name: ubc_res - type: long - description: This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once - - name: word - type: keyword - description: This is used by the Word Parsing technology to capture the first 5 character of every word in an unparsed log - - name: time - type: group - fields: - - name: event_time - type: date - description: This key is used to capture the time mentioned in a raw session that represents the actual time an event occured in a standard normalized form - - name: duration_time - type: double - description: This key is used to capture the normalized duration/lifetime in seconds. - - name: event_time_str - type: keyword - description: This key is used to capture the incomplete time mentioned in a session as a string - - name: starttime - type: date - description: This key is used to capture the Start time mentioned in a session in a standard form - - name: month - type: keyword - - name: day - type: keyword - - name: endtime - type: date - description: This key is used to capture the End time mentioned in a session in a standard form - - name: timezone - type: keyword - description: This key is used to capture the timezone of the Event Time - - name: duration_str - type: keyword - description: A text string version of the duration - - name: date - type: keyword - - name: year - type: keyword - - name: recorded_time - type: date - description: The event time as recorded by the system the event is collected from. The usage scenario is a multi-tier application where the management layer of the system records it's own timestamp at the time of collection from its child nodes. Must be in timestamp format. 
- - name: datetime - type: keyword - - name: effective_time - type: date - description: This key is the effective time referenced by an individual event in a Standard Timestamp format - - name: expire_time - type: date - description: This key is the timestamp that explicitly refers to an expiration. - - name: process_time - type: keyword - description: Deprecated, use duration.time - - name: hour - type: keyword - - name: min - type: keyword - - name: timestamp - type: keyword - - name: event_queue_time - type: date - description: This key is the Time that the event was queued. - - name: p_time1 - type: keyword - - name: tzone - type: keyword - - name: eventtime - type: keyword - - name: gmtdate - type: keyword - - name: gmttime - type: keyword - - name: p_date - type: keyword - - name: p_month - type: keyword - - name: p_time - type: keyword - - name: p_time2 - type: keyword - - name: p_year - type: keyword - - name: expire_time_str - type: keyword - description: This key is used to capture incomplete timestamp that explicitly refers to an expiration. - - name: stamp - type: date - description: Deprecated key defined only in table map. - - name: misc - type: group - fields: - - name: action - type: keyword - - name: result - type: keyword - description: This key is used to capture the outcome/result string value of an action in a session. - - name: severity - type: keyword - description: This key is used to capture the severity given the session - - name: event_type - type: keyword - description: This key captures the event category type as specified by the event source. - - name: reference_id - type: keyword - description: This key is used to capture an event id from the session directly - - name: version - type: keyword - description: This key captures Version of the application or OS which is generating the event. - - name: disposition - type: keyword - description: This key captures the The end state of an action. 
- - name: result_code - type: keyword - description: This key is used to capture the outcome/result numeric value of an action in a session - - name: category - type: keyword - description: This key is used to capture the category of an event given by the vendor in the session - - name: obj_name - type: keyword - description: This is used to capture name of object - - name: obj_type - type: keyword - description: This is used to capture type of object - - name: event_source - type: keyword - description: "This key captures Source of the event that’s not a hostname" - - name: log_session_id - type: keyword - description: This key is used to capture a sessionid from the session directly - - name: group - type: keyword - description: This key captures the Group Name value - - name: policy_name - type: keyword - description: This key is used to capture the Policy Name only. - - name: rule_name - type: keyword - description: This key captures the Rule Name - - name: context - type: keyword - description: This key captures Information which adds additional context to the event. - - name: change_new - type: keyword - description: "This key is used to capture the new values of the attribute that’s changing in a session" - - name: space - type: keyword - - name: client - type: keyword - description: This key is used to capture only the name of the client application requesting resources of the server. See the user.agent meta key for capture of the specific user agent identifier or browser identification string. - - name: msgIdPart1 - type: keyword - - name: msgIdPart2 - type: keyword - - name: change_old - type: keyword - description: "This key is used to capture the old value of the attribute that’s changing in a session" - - name: operation_id - type: keyword - description: An alert number or operation number. The values should be unique and non-repeating. 
- - name: event_state - type: keyword - description: This key captures the current state of the object/item referenced within the event. Describing an on-going event. - - name: group_object - type: keyword - description: This key captures a collection/grouping of entities. Specific usage - - name: node - type: keyword - description: Common use case is the node name within a cluster. The cluster name is reflected by the host name. - - name: rule - type: keyword - description: This key captures the Rule number - - name: device_name - type: keyword - description: 'This is used to capture name of the Device associated with the node Like: a physical disk, printer, etc' - - name: param - type: keyword - description: This key is the parameters passed as part of a command or application, etc. - - name: change_attrib - type: keyword - description: "This key is used to capture the name of the attribute that’s changing in a session" - - name: event_computer - type: keyword - description: This key is a windows only concept, where this key is used to capture fully qualified domain name in a windows log. - - name: reference_id1 - type: keyword - description: This key is for Linked ID to be used as an addition to "reference.id" - - name: event_log - type: keyword - description: This key captures the Name of the event log - - name: OS - type: keyword - description: This key captures the Name of the Operating System - - name: terminal - type: keyword - description: This key captures the Terminal Names only - - name: msgIdPart3 - type: keyword - - name: filter - type: keyword - description: This key captures Filter used to reduce result set - - name: serial_number - type: keyword - description: This key is the Serial number associated with a physical asset. - - name: checksum - type: keyword - description: This key is used to capture the checksum or hash of the entity such as a file or process. 
Checksum should be used over checksum.src or checksum.dst when it is unclear whether the entity is a source or target of an action. - - name: event_user - type: keyword - description: This key is a windows only concept, where this key is used to capture combination of domain name and username in a windows log. - - name: virusname - type: keyword - description: This key captures the name of the virus - - name: content_type - type: keyword - description: This key is used to capture Content Type only. - - name: group_id - type: keyword - description: This key captures Group ID Number (related to the group name) - - name: policy_id - type: keyword - description: This key is used to capture the Policy ID only, this should be a numeric value, use policy.name otherwise - - name: vsys - type: keyword - description: This key captures Virtual System Name - - name: connection_id - type: keyword - description: This key captures the Connection ID - - name: reference_id2 - type: keyword - description: This key is for the 2nd Linked ID. Can be either linked to "reference.id" or "reference.id1" value but should not be used unless the other two variables are in play. - - name: sensor - type: keyword - description: This key captures Name of the sensor. Typically used in IDS/IPS based devices - - name: sig_id - type: long - description: This key captures IDS/IPS Int Signature ID - - name: port_name - type: keyword - description: 'This key is used for Physical or logical port connection but does NOT include a network port. (Example: Printer port name).' - - name: rule_group - type: keyword - description: This key captures the Rule group name - - name: risk_num - type: double - description: This key captures a Numeric Risk value - - name: trigger_val - type: keyword - description: This key captures the Value of the trigger or threshold condition. 
- - name: log_session_id1 - type: keyword - description: This key is used to capture a Linked (Related) Session ID from the session directly - - name: comp_version - type: keyword - description: This key captures the Version level of a sub-component of a product. - - name: content_version - type: keyword - description: This key captures Version level of a signature or database content. - - name: hardware_id - type: keyword - description: This key is used to capture unique identifier for a device or system (NOT a Mac address) - - name: risk - type: keyword - description: This key captures the non-numeric risk value - - name: event_id - type: keyword - - name: reason - type: keyword - - name: status - type: keyword - - name: mail_id - type: keyword - description: This key is used to capture the mailbox id/name - - name: rule_uid - type: keyword - description: This key is the Unique Identifier for a rule. - - name: trigger_desc - type: keyword - description: This key captures the Description of the trigger or threshold condition. - - name: inout - type: keyword - - name: p_msgid - type: keyword - - name: data_type - type: keyword - - name: msgIdPart4 - type: keyword - - name: error - type: keyword - description: This key captures All non successful Error codes or responses - - name: index - type: keyword - - name: listnum - type: keyword - description: This key is used to capture listname or listnumber, primarily for collecting access-list - - name: ntype - type: keyword - - name: observed_val - type: keyword - description: This key captures the Value observed (from the perspective of the device generating the log). - - name: policy_value - type: keyword - description: This key captures the contents of the policy. 
This contains details about the policy - - name: pool_name - type: keyword - description: This key captures the name of a resource pool - - name: rule_template - type: keyword - description: A default set of parameters which are overlayed onto a rule (or rulename) which efffectively constitutes a template - - name: count - type: keyword - - name: number - type: keyword - - name: sigcat - type: keyword - - name: type - type: keyword - - name: comments - type: keyword - description: Comment information provided in the log message - - name: doc_number - type: long - description: This key captures File Identification number - - name: expected_val - type: keyword - description: This key captures the Value expected (from the perspective of the device generating the log). - - name: job_num - type: keyword - description: This key captures the Job Number - - name: spi_dst - type: keyword - description: Destination SPI Index - - name: spi_src - type: keyword - description: Source SPI Index - - name: code - type: keyword - - name: agent_id - type: keyword - description: This key is used to capture agent id - - name: message_body - type: keyword - description: This key captures the The contents of the message body. - - name: phone - type: keyword - - name: sig_id_str - type: keyword - description: This key captures a string object of the sigid variable. - - name: cmd - type: keyword - - name: misc - type: keyword - - name: name - type: keyword - - name: cpu - type: long - description: This key is the CPU time used in the execution of the event being recorded. - - name: event_desc - type: keyword - description: This key is used to capture a description of an event available directly or inferred - - name: sig_id1 - type: long - description: This key captures IDS/IPS Int Signature ID. 
This must be linked to the sig.id - - name: im_buddyid - type: keyword - - name: im_client - type: keyword - - name: im_userid - type: keyword - - name: pid - type: keyword - - name: priority - type: keyword - - name: context_subject - type: keyword - description: This key is to be used in an audit context where the subject is the object being identified - - name: context_target - type: keyword - - name: cve - type: keyword - description: This key captures CVE (Common Vulnerabilities and Exposures) - an identifier for known information security vulnerabilities. - - name: fcatnum - type: keyword - description: This key captures Filter Category Number. Legacy Usage - - name: library - type: keyword - description: This key is used to capture library information in mainframe devices - - name: parent_node - type: keyword - description: This key captures the Parent Node Name. Must be related to node variable. - - name: risk_info - type: keyword - description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - - name: tcp_flags - type: long - description: This key is captures the TCP flags set in any packet of session - - name: tos - type: long - description: This key describes the type of service - - name: vm_target - type: keyword - description: VMWare Target **VMWARE** only varaible. 
- - name: workspace - type: keyword - description: This key captures Workspace Description - - name: command - type: keyword - - name: event_category - type: keyword - - name: facilityname - type: keyword - - name: forensic_info - type: keyword - - name: jobname - type: keyword - - name: mode - type: keyword - - name: policy - type: keyword - - name: policy_waiver - type: keyword - - name: second - type: keyword - - name: space1 - type: keyword - - name: subcategory - type: keyword - - name: tbdstr2 - type: keyword - - name: alert_id - type: keyword - description: Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - - name: checksum_dst - type: keyword - description: This key is used to capture the checksum or hash of the the target entity such as a process or file. - - name: checksum_src - type: keyword - description: This key is used to capture the checksum or hash of the source entity such as a file or process. - - name: fresult - type: long - description: This key captures the Filter Result - - name: payload_dst - type: keyword - description: This key is used to capture destination payload - - name: payload_src - type: keyword - description: This key is used to capture source payload - - name: pool_id - type: keyword - description: This key captures the identifier (typically numeric field) of a resource pool - - name: process_id_val - type: keyword - description: This key is a failure key for Process ID when it is not an integer value - - name: risk_num_comm - type: double - description: This key captures Risk Number Community - - name: risk_num_next - type: double - description: This key captures Risk Number NextGen - - name: risk_num_sand - type: double - description: This key captures Risk Number SandBox - - name: risk_num_static - type: double - description: This key captures Risk Number Static - - name: risk_suspicious - type: keyword - description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - - name: risk_warning - 
type: keyword - description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - - name: snmp_oid - type: keyword - description: SNMP Object Identifier - - name: sql - type: keyword - description: This key captures the SQL query - - name: vuln_ref - type: keyword - description: This key captures the Vulnerability Reference details - - name: acl_id - type: keyword - - name: acl_op - type: keyword - - name: acl_pos - type: keyword - - name: acl_table - type: keyword - - name: admin - type: keyword - - name: alarm_id - type: keyword - - name: alarmname - type: keyword - - name: app_id - type: keyword - - name: audit - type: keyword - - name: audit_object - type: keyword - - name: auditdata - type: keyword - - name: benchmark - type: keyword - - name: bypass - type: keyword - - name: cache - type: keyword - - name: cache_hit - type: keyword - - name: cefversion - type: keyword - - name: cfg_attr - type: keyword - - name: cfg_obj - type: keyword - - name: cfg_path - type: keyword - - name: changes - type: keyword - - name: client_ip - type: keyword - - name: clustermembers - type: keyword - - name: cn_acttimeout - type: keyword - - name: cn_asn_src - type: keyword - - name: cn_bgpv4nxthop - type: keyword - - name: cn_ctr_dst_code - type: keyword - - name: cn_dst_tos - type: keyword - - name: cn_dst_vlan - type: keyword - - name: cn_engine_id - type: keyword - - name: cn_engine_type - type: keyword - - name: cn_f_switch - type: keyword - - name: cn_flowsampid - type: keyword - - name: cn_flowsampintv - type: keyword - - name: cn_flowsampmode - type: keyword - - name: cn_inacttimeout - type: keyword - - name: cn_inpermbyts - type: keyword - - name: cn_inpermpckts - type: keyword - - name: cn_invalid - type: keyword - - name: cn_ip_proto_ver - type: keyword - - name: cn_ipv4_ident - type: keyword - - name: cn_l_switch - type: keyword - - name: cn_log_did - type: keyword - - name: cn_log_rid - type: keyword - - name: cn_max_ttl - type: keyword - - name: 
cn_maxpcktlen - type: keyword - - name: cn_min_ttl - type: keyword - - name: cn_minpcktlen - type: keyword - - name: cn_mpls_lbl_1 - type: keyword - - name: cn_mpls_lbl_10 - type: keyword - - name: cn_mpls_lbl_2 - type: keyword - - name: cn_mpls_lbl_3 - type: keyword - - name: cn_mpls_lbl_4 - type: keyword - - name: cn_mpls_lbl_5 - type: keyword - - name: cn_mpls_lbl_6 - type: keyword - - name: cn_mpls_lbl_7 - type: keyword - - name: cn_mpls_lbl_8 - type: keyword - - name: cn_mpls_lbl_9 - type: keyword - - name: cn_mplstoplabel - type: keyword - - name: cn_mplstoplabip - type: keyword - - name: cn_mul_dst_byt - type: keyword - - name: cn_mul_dst_pks - type: keyword - - name: cn_muligmptype - type: keyword - - name: cn_sampalgo - type: keyword - - name: cn_sampint - type: keyword - - name: cn_seqctr - type: keyword - - name: cn_spackets - type: keyword - - name: cn_src_tos - type: keyword - - name: cn_src_vlan - type: keyword - - name: cn_sysuptime - type: keyword - - name: cn_template_id - type: keyword - - name: cn_totbytsexp - type: keyword - - name: cn_totflowexp - type: keyword - - name: cn_totpcktsexp - type: keyword - - name: cn_unixnanosecs - type: keyword - - name: cn_v6flowlabel - type: keyword - - name: cn_v6optheaders - type: keyword - - name: comp_class - type: keyword - - name: comp_name - type: keyword - - name: comp_rbytes - type: keyword - - name: comp_sbytes - type: keyword - - name: cpu_data - type: keyword - - name: criticality - type: keyword - - name: cs_agency_dst - type: keyword - - name: cs_analyzedby - type: keyword - - name: cs_av_other - type: keyword - - name: cs_av_primary - type: keyword - - name: cs_av_secondary - type: keyword - - name: cs_bgpv6nxthop - type: keyword - - name: cs_bit9status - type: keyword - - name: cs_context - type: keyword - - name: cs_control - type: keyword - - name: cs_data - type: keyword - - name: cs_datecret - type: keyword - - name: cs_dst_tld - type: keyword - - name: cs_eth_dst_ven - type: keyword - - 
name: cs_eth_src_ven - type: keyword - - name: cs_event_uuid - type: keyword - - name: cs_filetype - type: keyword - - name: cs_fld - type: keyword - - name: cs_if_desc - type: keyword - - name: cs_if_name - type: keyword - - name: cs_ip_next_hop - type: keyword - - name: cs_ipv4dstpre - type: keyword - - name: cs_ipv4srcpre - type: keyword - - name: cs_lifetime - type: keyword - - name: cs_log_medium - type: keyword - - name: cs_loginname - type: keyword - - name: cs_modulescore - type: keyword - - name: cs_modulesign - type: keyword - - name: cs_opswatresult - type: keyword - - name: cs_payload - type: keyword - - name: cs_registrant - type: keyword - - name: cs_registrar - type: keyword - - name: cs_represult - type: keyword - - name: cs_rpayload - type: keyword - - name: cs_sampler_name - type: keyword - - name: cs_sourcemodule - type: keyword - - name: cs_streams - type: keyword - - name: cs_targetmodule - type: keyword - - name: cs_v6nxthop - type: keyword - - name: cs_whois_server - type: keyword - - name: cs_yararesult - type: keyword - - name: description - type: keyword - - name: devvendor - type: keyword - - name: distance - type: keyword - - name: dstburb - type: keyword - - name: edomain - type: keyword - - name: edomaub - type: keyword - - name: euid - type: keyword - - name: facility - type: keyword - - name: finterface - type: keyword - - name: flags - type: keyword - - name: gaddr - type: keyword - - name: id3 - type: keyword - - name: im_buddyname - type: keyword - - name: im_croomid - type: keyword - - name: im_croomtype - type: keyword - - name: im_members - type: keyword - - name: im_username - type: keyword - - name: ipkt - type: keyword - - name: ipscat - type: keyword - - name: ipspri - type: keyword - - name: latitude - type: keyword - - name: linenum - type: keyword - - name: list_name - type: keyword - - name: load_data - type: keyword - - name: location_floor - type: keyword - - name: location_mark - type: keyword - - name: log_id - 
type: keyword - - name: log_type - type: keyword - - name: logid - type: keyword - - name: logip - type: keyword - - name: logname - type: keyword - - name: longitude - type: keyword - - name: lport - type: keyword - - name: mbug_data - type: keyword - - name: misc_name - type: keyword - - name: msg_type - type: keyword - - name: msgid - type: keyword - - name: netsessid - type: keyword - - name: num - type: keyword - - name: number1 - type: keyword - - name: number2 - type: keyword - - name: nwwn - type: keyword - - name: object - type: keyword - - name: operation - type: keyword - - name: opkt - type: keyword - - name: orig_from - type: keyword - - name: owner_id - type: keyword - - name: p_action - type: keyword - - name: p_filter - type: keyword - - name: p_group_object - type: keyword - - name: p_id - type: keyword - - name: p_msgid1 - type: keyword - - name: p_msgid2 - type: keyword - - name: p_result1 - type: keyword - - name: password_chg - type: keyword - - name: password_expire - type: keyword - - name: permgranted - type: keyword - - name: permwanted - type: keyword - - name: pgid - type: keyword - - name: policyUUID - type: keyword - - name: prog_asp_num - type: keyword - - name: program - type: keyword - - name: real_data - type: keyword - - name: rec_asp_device - type: keyword - - name: rec_asp_num - type: keyword - - name: rec_library - type: keyword - - name: recordnum - type: keyword - - name: ruid - type: keyword - - name: sburb - type: keyword - - name: sdomain_fld - type: keyword - - name: sec - type: keyword - - name: sensorname - type: keyword - - name: seqnum - type: keyword - - name: session - type: keyword - - name: sessiontype - type: keyword - - name: sigUUID - type: keyword - - name: spi - type: keyword - - name: srcburb - type: keyword - - name: srcdom - type: keyword - - name: srcservice - type: keyword - - name: state - type: keyword - - name: status1 - type: keyword - - name: svcno - type: keyword - - name: system - type: keyword - - 
name: tbdstr1 - type: keyword - - name: tgtdom - type: keyword - - name: tgtdomain - type: keyword - - name: threshold - type: keyword - - name: type1 - type: keyword - - name: udb_class - type: keyword - - name: url_fld - type: keyword - - name: user_div - type: keyword - - name: userid - type: keyword - - name: username_fld - type: keyword - - name: utcstamp - type: keyword - - name: v_instafname - type: keyword - - name: virt_data - type: keyword - - name: vpnid - type: keyword - - name: autorun_type - type: keyword - description: This is used to capture Auto Run type - - name: cc_number - type: long - description: Valid Credit Card Numbers only - - name: content - type: keyword - description: This key captures the content type from protocol headers - - name: ein_number - type: long - description: Employee Identification Numbers only - - name: found - type: keyword - description: This is used to capture the results of regex match - - name: language - type: keyword - description: This is used to capture list of languages the client support and what it prefers - - name: lifetime - type: long - description: This key is used to capture the session lifetime in seconds. - - name: link - type: keyword - description: This key is used to link the sessions together. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: match - type: keyword - description: This key is for regex match name from search.ini - - name: param_dst - type: keyword - description: This key captures the command line/launch argument of the target process or file - - name: param_src - type: keyword - description: This key captures source parameter - - name: search_text - type: keyword - description: This key captures the Search Text used - - name: sig_name - type: keyword - description: This key is used to capture the Signature Name only. 
- - name: snmp_value - type: keyword - description: SNMP set request value - - name: streams - type: long - description: This key captures number of streams in session - - name: db - type: group - fields: - - name: index - type: keyword - description: This key captures IndexID of the index. - - name: instance - type: keyword - description: This key is used to capture the database server instance name - - name: database - type: keyword - description: This key is used to capture the name of a database or an instance as seen in a session - - name: transact_id - type: keyword - description: This key captures the SQL transantion ID of the current session - - name: permissions - type: keyword - description: This key captures permission or privilege level assigned to a resource. - - name: table_name - type: keyword - description: This key is used to capture the table name - - name: db_id - type: keyword - description: This key is used to capture the unique identifier for a database - - name: db_pid - type: long - description: This key captures the process id of a connection with database server - - name: lread - type: long - description: This key is used for the number of logical reads - - name: lwrite - type: long - description: This key is used for the number of logical writes - - name: pread - type: long - description: This key is used for the number of physical writes - - name: network - type: group - fields: - - name: alias_host - type: keyword - description: This key should be used when the source or destination context of a hostname is not clear.Also it captures the Device Hostname. Any Hostname that isnt ad.computer. 
- - name: domain - type: keyword - - name: host_dst - type: keyword - description: "This key should only be used when it’s a Destination Hostname" - - name: network_service - type: keyword - description: This is used to capture layer 7 protocols/service names - - name: interface - type: keyword - description: This key should be used when the source or destination context of an interface is not clear - - name: network_port - type: long - description: 'Deprecated, use port. NOTE: There is a type discrepancy as currently used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!)' - - name: eth_host - type: keyword - description: Deprecated, use alias.mac - - name: sinterface - type: keyword - description: "This key should only be used when it’s a Source Interface" - - name: dinterface - type: keyword - description: "This key should only be used when it’s a Destination Interface" - - name: vlan - type: long - description: This key should only be used to capture the ID of the Virtual LAN - - name: zone_src - type: keyword - description: "This key should only be used when it’s a Source Zone." - - name: zone - type: keyword - description: This key should be used when the source or destination context of a Zone is not clear - - name: zone_dst - type: keyword - description: "This key should only be used when it’s a Destination Zone." - - name: gateway - type: keyword - description: This key is used to capture the IP Address of the gateway - - name: icmp_type - type: long - description: This key is used to capture the ICMP type only - - name: mask - type: keyword - description: This key is used to capture the device network IPmask. 
- - name: icmp_code - type: long - description: This key is used to capture the ICMP code only - - name: protocol_detail - type: keyword - description: This key should be used to capture additional protocol information - - name: dmask - type: keyword - description: This key is used for Destionation Device network mask - - name: port - type: long - description: This key should only be used to capture a Network Port when the directionality is not clear - - name: smask - type: keyword - description: This key is used for capturing source Network Mask - - name: netname - type: keyword - description: This key is used to capture the network name associated with an IP range. This is configured by the end user. - - name: paddr - type: ip - description: Deprecated - - name: faddr - type: keyword - - name: lhost - type: keyword - - name: origin - type: keyword - - name: remote_domain_id - type: keyword - - name: addr - type: keyword - - name: dns_a_record - type: keyword - - name: dns_ptr_record - type: keyword - - name: fhost - type: keyword - - name: fport - type: keyword - - name: laddr - type: keyword - - name: linterface - type: keyword - - name: phost - type: keyword - - name: ad_computer_dst - type: keyword - description: Deprecated, use host.dst - - name: eth_type - type: long - description: This key is used to capture Ethernet Type, Used for Layer 3 Protocols Only - - name: ip_proto - type: long - description: This key should be used to capture the Protocol number, all the protocol nubers are converted into string in UI - - name: dns_cname_record - type: keyword - - name: dns_id - type: keyword - - name: dns_opcode - type: keyword - - name: dns_resp - type: keyword - - name: dns_type - type: keyword - - name: domain1 - type: keyword - - name: host_type - type: keyword - - name: packet_length - type: keyword - - name: host_orig - type: keyword - description: This is used to capture the original hostname in case of a Forwarding Agent or a Proxy in between. 
- - name: rpayload - type: keyword - description: This key is used to capture the total number of payload bytes seen in the retransmitted packets. - - name: vlan_name - type: keyword - description: This key should only be used to capture the name of the Virtual LAN - - name: investigations - type: group - fields: - - name: ec_activity - type: keyword - description: This key captures the particular event activity(Ex:Logoff) - - name: ec_theme - type: keyword - description: This key captures the Theme of a particular Event(Ex:Authentication) - - name: ec_subject - type: keyword - description: This key captures the Subject of a particular Event(Ex:User) - - name: ec_outcome - type: keyword - description: This key captures the outcome of a particular Event(Ex:Success) - - name: event_cat - type: long - description: This key captures the Event category number - - name: event_cat_name - type: keyword - description: This key captures the event category name corresponding to the event cat code - - name: event_vcat - type: keyword - description: This is a vendor supplied category. This should be used in situations where the vendor has adopted their own event_category taxonomy. - - name: analysis_file - type: keyword - description: This is used to capture all indicators used in a File Analysis. This key should be used to capture an analysis of a file - - name: analysis_service - type: keyword - description: This is used to capture all indicators used in a Service Analysis. This key should be used to capture an analysis of a service - - name: analysis_session - type: keyword - description: This is used to capture all indicators used for a Session Analysis. 
This key should be used to capture an analysis of a session - - name: boc - type: keyword - description: This is used to capture behaviour of compromise - - name: eoc - type: keyword - description: This is used to capture Enablers of Compromise - - name: inv_category - type: keyword - description: This used to capture investigation category - - name: inv_context - type: keyword - description: This used to capture investigation context - - name: ioc - type: keyword - description: This is key capture indicator of compromise - - name: counters - type: group - fields: - - name: dclass_c1 - type: long - description: This is a generic counter key that should be used with the label dclass.c1.str only - - name: dclass_c2 - type: long - description: This is a generic counter key that should be used with the label dclass.c2.str only - - name: event_counter - type: long - description: This is used to capture the number of times an event repeated - - name: dclass_r1 - type: keyword - description: This is a generic ratio key that should be used with the label dclass.r1.str only - - name: dclass_c3 - type: long - description: This is a generic counter key that should be used with the label dclass.c3.str only - - name: dclass_c1_str - type: keyword - description: This is a generic counter string key that should be used with the label dclass.c1 only - - name: dclass_c2_str - type: keyword - description: This is a generic counter string key that should be used with the label dclass.c2 only - - name: dclass_r1_str - type: keyword - description: This is a generic ratio string key that should be used with the label dclass.r1 only - - name: dclass_r2 - type: keyword - description: This is a generic ratio key that should be used with the label dclass.r2.str only - - name: dclass_c3_str - type: keyword - description: This is a generic counter string key that should be used with the label dclass.c3 only - - name: dclass_r3 - type: keyword - description: This is a generic ratio key that 
should be used with the label dclass.r3.str only
- - name: dclass_r2_str
- type: keyword
- description: This is a generic ratio string key that should be used with the label dclass.r2 only
- - name: dclass_r3_str
- type: keyword
- description: This is a generic ratio string key that should be used with the label dclass.r3 only
- - name: identity
- type: group
- fields:
- - name: auth_method
- type: keyword
- description: This key is used to capture authentication methods used only
- - name: user_role
- type: keyword
- description: This key is used to capture the Role of a user only
- - name: dn
- type: keyword
- description: X.500 (LDAP) Distinguished Name
- - name: logon_type
- type: keyword
- description: This key is used to capture the type of logon method used.
- - name: profile
- type: keyword
- description: This key is used to capture the user profile
- - name: accesses
- type: keyword
- description: This key is used to capture actual privileges used in accessing an object
- - name: realm
- type: keyword
- description: Radius realm or similar grouping of accounts
- - name: user_sid_dst
- type: keyword
- description: This key captures Destination User Session ID
- - name: dn_src
- type: keyword
- description: An X.500 (LDAP) Distinguished name that is used in a context that indicates a Source dn
- - name: org
- type: keyword
- description: This key captures the User organization
- - name: dn_dst
- type: keyword
- description: An X.500 (LDAP) Distinguished name that used in a context that indicates a Destination dn
- - name: firstname
- type: keyword
- description: This key is for First Names only, this is used for Healthcare predominantly to capture Patients information
- - name: lastname
- type: keyword
- description: This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information
- - name: user_dept
- type: keyword
- description: User's Department Names only
- - name: user_sid_src
- type: keyword
- description: This key captures Source User Session ID
- - name: federated_sp
- type: keyword
- description: This key is the Federated Service Provider. This is the application requesting authentication.
- - name: federated_idp
- type: keyword
- description: This key is the federated Identity Provider. This is the server providing the authentication.
- - name: logon_type_desc
- type: keyword
- description: This key is used to capture the textual description of an integer logon type as stored in the meta key 'logon.type'.
- - name: middlename
- type: keyword
- description: This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information
- - name: password
- type: keyword
- description: This key is for Passwords seen in any session, plain text or encrypted
- - name: host_role
- type: keyword
- description: This key should only be used to capture the role of a Host Machine
- - name: ldap
- type: keyword
- description: "This key is for Uninterpreted LDAP values. Ldap Values that don’t have a clear query or response context"
- - name: ldap_query
- type: keyword
- description: This key is the Search criteria from an LDAP search
- - name: ldap_response
- type: keyword
- description: This key is to capture Results from an LDAP search
- - name: owner
- type: keyword
- description: This is used to capture username the process or service is running as, the author of the task
- - name: service_account
- type: keyword
- description: This key is a windows specific key, used for capturing name of the account a service (referenced in the event) is running under.
Legacy Usage
- - name: email
- type: group
- fields:
- - name: email_dst
- type: keyword
- description: This key is used to capture the Destination email address only, when the destination context is not clear use email
- - name: email_src
- type: keyword
- description: This key is used to capture the source email address only, when the source context is not clear use email
- - name: subject
- type: keyword
- description: This key is used to capture the subject string from an Email only.
- - name: email
- type: keyword
- description: This key is used to capture a generic email address where the source or destination context is not clear
- - name: trans_from
- type: keyword
- description: Deprecated key defined only in table map.
- - name: trans_to
- type: keyword
- description: Deprecated key defined only in table map.
- - name: file
- type: group
- fields:
- - name: privilege
- type: keyword
- description: Deprecated, use permissions
- - name: attachment
- type: keyword
- description: This key captures the attachment file name
- - name: filesystem
- type: keyword
- - name: binary
- type: keyword
- description: Deprecated key defined only in table map.
- - name: filename_dst
- type: keyword
- description: This is used to capture name of the file targeted by the action
- - name: filename_src
- type: keyword
- description: This is used to capture name of the parent filename, the file which performed the action
- - name: filename_tmp
- type: keyword
- - name: directory_dst
- type: keyword
- description: This key is used to capture the directory of the target process or file
- - name: directory_src
- type: keyword
- description: This key is used to capture the directory of the source process or file
- - name: file_entropy
- type: double
- description: This is used to capture entropy vale of a file
- - name: file_vendor
- type: keyword
- description: This is used to capture Company name of file located in version_info
- - name: task_name
- type: keyword
- description: This is used to capture name of the task
- - name: web
- type: group
- fields:
- - name: fqdn
- type: keyword
- description: Fully Qualified Domain Names
- - name: web_cookie
- type: keyword
- description: This key is used to capture the Web cookies specifically.
- - name: alias_host
- type: keyword
- - name: reputation_num
- type: double
- description: Reputation Number of an entity.
Typically used for Web Domains
- - name: web_ref_domain
- type: keyword
- description: Web referer's domain
- - name: web_ref_query
- type: keyword
- description: This key captures Web referer's query portion of the URL
- - name: remote_domain
- type: keyword
- - name: web_ref_page
- type: keyword
- description: This key captures Web referer's page information
- - name: web_ref_root
- type: keyword
- description: Web referer's root URL path
- - name: cn_asn_dst
- type: keyword
- - name: cn_rpackets
- type: keyword
- - name: urlpage
- type: keyword
- - name: urlroot
- type: keyword
- - name: p_url
- type: keyword
- - name: p_user_agent
- type: keyword
- - name: p_web_cookie
- type: keyword
- - name: p_web_method
- type: keyword
- - name: p_web_referer
- type: keyword
- - name: web_extension_tmp
- type: keyword
- - name: web_page
- type: keyword
- - name: threat
- type: group
- fields:
- - name: threat_category
- type: keyword
- description: This key captures Threat Name/Threat Category/Categorization of alert
- - name: threat_desc
- type: keyword
- description: This key is used to capture the threat description from the session directly or inferred
- - name: alert
- type: keyword
- description: This key is used to capture name of the alert
- - name: threat_source
- type: keyword
- description: This key is used to capture source of the threat
- - name: crypto
- type: group
- fields:
- - name: crypto
- type: keyword
- description: This key is used to capture the Encryption Type or Encryption Key only
- - name: cipher_src
- type: keyword
- description: This key is for Source (Client) Cipher
- - name: cert_subject
- type: keyword
- description: This key is used to capture the Certificate organization only
- - name: peer
- type: keyword
- description: This key is for Encryption peer's IP Address
- - name: cipher_size_src
- type: long
- description: This key captures Source (Client) Cipher Size
- - name: ike
- type: keyword
- description: IKE negotiation phase.
- - name: scheme
- type: keyword
- description: This key captures the Encryption scheme used
- - name: peer_id
- type: keyword
- description: "This key is for Encryption peer’s identity"
- - name: sig_type
- type: keyword
- description: This key captures the Signature Type
- - name: cert_issuer
- type: keyword
- - name: cert_host_name
- type: keyword
- description: Deprecated key defined only in table map.
- - name: cert_error
- type: keyword
- description: This key captures the Certificate Error String
- - name: cipher_dst
- type: keyword
- description: This key is for Destination (Server) Cipher
- - name: cipher_size_dst
- type: long
- description: This key captures Destination (Server) Cipher Size
- - name: ssl_ver_src
- type: keyword
- description: Deprecated, use version
- - name: d_certauth
- type: keyword
- - name: s_certauth
- type: keyword
- - name: ike_cookie1
- type: keyword
- description: "ID of the negotiation — sent for ISAKMP Phase One"
- - name: ike_cookie2
- type: keyword
- description: "ID of the negotiation — sent for ISAKMP Phase Two"
- - name: cert_checksum
- type: keyword
- - name: cert_host_cat
- type: keyword
- description: This key is used for the hostname category value of a certificate
- - name: cert_serial
- type: keyword
- description: This key is used to capture the Certificate serial number only
- - name: cert_status
- type: keyword
- description: This key captures Certificate validation status
- - name: ssl_ver_dst
- type: keyword
- description: Deprecated, use version
- - name: cert_keysize
- type: keyword
- - name: cert_username
- type: keyword
- - name: https_insact
- type: keyword
- - name: https_valid
- type: keyword
- - name: cert_ca
- type: keyword
- description: This key is used to capture the Certificate signing authority only
- - name: cert_common
- type: keyword
- description: This key is used to capture the Certificate common name only
- - name: wireless
- type: group
- fields:
- - name: wlan_ssid
- type: keyword
- description: This key is used to capture the ssid of a Wireless Session
- - name: access_point
- type: keyword
- description: This key is used to capture the access point name.
- - name: wlan_channel
- type: long
- description: This is used to capture the channel names
- - name: wlan_name
- type: keyword
- description: This key captures either WLAN number/name
- - name: storage
- type: group
- fields:
- - name: disk_volume
- type: keyword
- description: A unique name assigned to logical units (volumes) within a physical disk
- - name: lun
- type: keyword
- description: Logical Unit Number.This key is a very useful concept in Storage.
- - name: pwwn
- type: keyword
- description: This uniquely identifies a port on a HBA.
- - name: physical
- type: group
- fields:
- - name: org_dst
- type: keyword
- description: This is used to capture the destination organization based on the GEOPIP Maxmind database.
- - name: org_src
- type: keyword
- description: This is used to capture the source organization based on the GEOPIP Maxmind database.
- - name: healthcare
- type: group
- fields:
- - name: patient_fname
- type: keyword
- description: This key is for First Names only, this is used for Healthcare predominantly to capture Patients information
- - name: patient_id
- type: keyword
- description: This key captures the unique ID for a patient
- - name: patient_lname
- type: keyword
- description: This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information
- - name: patient_mname
- type: keyword
- description: This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information
- - name: endpoint
- type: group
- fields:
- - name: host_state
- type: keyword
- description: This key is used to capture the current state of the machine, such as blacklisted, infected, firewall disabled and so on
- - name: registry_key
- type: keyword
- description: This key captures the path to the registry key
- - name: registry_value
- type: keyword
- description: This key captures values or decorators used within a registry entry
-- name: dns.question.domain
- type: keyword
- ignore_above: 1024
- description: Server domain.
-- name: network.interface.name
- type: keyword
diff --git a/packages/imperva/0.10.1/data_stream/securesphere/manifest.yml b/packages/imperva/0.10.1/data_stream/securesphere/manifest.yml
deleted file mode 100755
index 87767561e1..0000000000
--- a/packages/imperva/0.10.1/data_stream/securesphere/manifest.yml
+++ /dev/null
@@ -1,204 +0,0 @@
-title: Imperva SecureSphere logs
-release: experimental
-type: logs
-streams:
- - input: udp
- title: Imperva SecureSphere logs
- description: Collect Imperva SecureSphere logs
- template_path: udp.yml.hbs
- vars:
- - name: tags
- type: text
- title: Tags
- multi: true
- required: true
- show_user: false
- default:
- - imperva-securesphere
- - forwarded
- - name: udp_host
- type: text
- title: UDP host to listen on
- multi: false
- required: true
- show_user: true
- default: localhost
- - name: udp_port
- type: integer
- title: UDP port to listen on
- multi: false
- required: true
- show_user: true
- default: 9531
- - name: tz_offset
- type: text
- title: Timezone offset (+HH:mm format)
- required: false
- show_user: true
- default: "local"
- - name: rsa_fields
- type: bool
- title: Add non-ECS fields
- required: false
- show_user: true
- default: true
- - name: keep_raw_fields
- type: bool
- title: Keep raw parser fields
- required: false
- show_user: false
- default: false
- - name: debug
- type: bool
- title: Enable debug logging
- required: false
- show_user: false
- default: false
- - name: preserve_original_event
- required: true
- show_user: true
- title: Preserve original event
- description: Preserves a raw copy of the original event, added to the field `event.original`
- type: bool
- multi: false
- default: false
- - name: processors
- type: yaml
- title: Processors
- multi: false
- required: false
- show_user: false
- description: >
- Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
-
- - input: tcp
- title: Imperva SecureSphere logs
- description: Collect Imperva SecureSphere logs
- template_path: tcp.yml.hbs
- vars:
- - name: tags
- type: text
- title: Tags
- multi: true
- required: true
- show_user: false
- default:
- - imperva-securesphere
- - forwarded
- - name: tcp_host
- type: text
- title: TCP host to listen on
- multi: false
- required: true
- show_user: true
- default: localhost
- - name: tcp_port
- type: integer
- title: TCP port to listen on
- multi: false
- required: true
- show_user: true
- default: 9531
- - name: tz_offset
- type: text
- title: Timezone offset (+HH:mm format)
- required: false
- show_user: true
- default: "local"
- - name: rsa_fields
- type: bool
- title: Add non-ECS fields
- required: false
- show_user: true
- default: true
- - name: keep_raw_fields
- type: bool
- title: Keep raw parser fields
- required: false
- show_user: false
- default: false
- - name: debug
- type: bool
- title: Enable debug logging
- required: false
- show_user: false
- default: false
- - name: preserve_original_event
- required: true
- show_user: true
- title: Preserve original event
- description: Preserves a raw copy of the original event, added to the field `event.original`
- type: bool
- multi: false
- default: false
- - name: processors
- type: yaml
- title: Processors
- multi: false
- required: false
- show_user: false
- description: >
- Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
-
- - input: logfile
- enabled: false
- title: Imperva SecureSphere logs
- description: Collect Imperva SecureSphere logs from file
- vars:
- - name: paths
- type: text
- title: Paths
- multi: true
- required: true
- show_user: true
- default:
- - /var/log/imperva-securesphere.log
- - name: tags
- type: text
- title: Tags
- multi: true
- required: true
- show_user: false
- default:
- - imperva-securesphere
- - forwarded
- - name: tz_offset
- type: text
- title: Timezone offset (+HH:mm format)
- required: false
- show_user: true
- default: "local"
- - name: rsa_fields
- type: bool
- title: Add non-ECS fields
- required: false
- show_user: true
- default: true
- - name: keep_raw_fields
- type: bool
- title: Keep raw parser fields
- required: false
- show_user: false
- default: false
- - name: debug
- type: bool
- title: Enable debug logging
- required: false
- show_user: false
- default: false
- - name: preserve_original_event
- required: true
- show_user: true
- title: Preserve original event
- description: Preserves a raw copy of the original event, added to the field `event.original`
- type: bool
- multi: false
- default: false
- - name: processors
- type: yaml
- title: Processors
- multi: false
- required: false
- show_user: false
- description: >-
- Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
diff --git a/packages/imperva/0.10.1/data_stream/securesphere/sample_event.json b/packages/imperva/0.10.1/data_stream/securesphere/sample_event.json
deleted file mode 100755
index 83db52d402..0000000000
--- a/packages/imperva/0.10.1/data_stream/securesphere/sample_event.json
+++ /dev/null
@@ -1,120 +0,0 @@ -{ - "@timestamp": "2022-01-25T12:37:56.536Z", - "agent": { - "ephemeral_id": "4c941ea0-5fb0-4f63-904a-7df24792748b", - "id": "4e3f135a-d5f9-40b6-ae01-2c834ecbead0", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "8.0.0" - }, - "data_stream": { - "dataset": "imperva.securesphere", - "namespace": "ep", - "type": "logs" - }, - "destination": { - "ip": [ - "10.70.155.35" - ], - "port": 892 - }, - "ecs": { - "version": "8.3.0" - }, - "elastic_agent": { - "id": "4e3f135a-d5f9-40b6-ae01-2c834ecbead0", - "snapshot": true, - "version": "8.0.0" - }, - "event": { - "action": "cancel", - "agent_id_status": "verified", - "code": "Imperva", - "dataset": "imperva.securesphere", - "ingested": "2022-01-25T12:37:57Z", - "outcome": "success", - "timezone": "+00:00" - }, - "group": { - "name": "ommod" - }, - "host": { - "hostname": "radipis5408.mail.local" - }, - "input": { - "type": "udp" - }, - "log": { - "source": { - "address": "172.30.0.4:40817" - } - }, - "network": { - "application": "scivel" - }, - "observer": { - "product": "Secure", - "type": "WAF", - "vendor": "Imperva" - }, - "related": { - "hosts": [ - "radipis5408.mail.local" - ], - "ip": [ - "10.70.155.35", - "10.81.122.126" - ], - "user": [ - "aqui", - "magn", - "tatno" - ] - }, - "rsa": { - "counters": { - "dclass_c1": 5910, - "dclass_c1_str": "Affected Rows" - }, - "db": { - "database": "enatuse", - "index": "sit" - }, - "internal": { - "messageid": "Imperva" - }, - "investigations": { - "ec_activity": "Logon", - "ec_outcome": "Success", - "ec_subject": "User", - "ec_theme": "Authentication" - }, - "misc": { - "action": [ - "cancel" - ], - "event_type": "Login", - "group": "ommod", - "group_object": "uam", - "result": "failure" - }, - "time": { - "duration_time": 10.347, - "starttime": "2016-01-29T06:09:59.000Z" - } - }, - "source": { - "address": "radipis5408.mail.local", - "ip": [ - "10.81.122.126" - ], - "port": 4141 - }, - "tags": [ - "imperva-securesphere", - "forwarded" - 
], - "user": { - "name": "tatno" - } -} \ No newline at end of file diff --git a/packages/imperva/0.10.1/docs/README.md b/packages/imperva/0.10.1/docs/README.md deleted file mode 100755 index e37330551d..0000000000 --- a/packages/imperva/0.10.1/docs/README.md +++ /dev/null 
@@ -1,796 +0,0 @@ -# Imperva integration - -This integration is for Imperva device's logs. It includes the following -datasets for receiving logs over syslog or read from a file: -- `securesphere` dataset: supports Imperva SecureSphere logs. - -### Securesphere - -The `securesphere` dataset collects Imperva SecureSphere logs. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. | date | -| container.id | Unique container id. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| destination.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| destination.as.organization.name | Organization name. | keyword | -| destination.bytes | Bytes sent from the destination to the source. | long | -| destination.domain | Destination domain. | keyword | -| destination.geo.city_name | City name. | keyword | -| destination.geo.country_name | Country name. | keyword | -| destination.geo.location.lat | | double | -| destination.geo.location.lon | | double | -| destination.ip | IP address of the destination (IPv4 or IPv6). 
| ip | -| destination.mac | MAC address of the destination. | keyword | -| destination.nat.ip | Translated ip of destination based NAT sessions (e.g. internet to private DMZ) Typically used with load balancers, firewalls, or routers. | ip | -| destination.nat.port | Port the source session is translated to by NAT Device. Typically used with load balancers, firewalls, or routers. | long | -| destination.port | Port of the destination. | long | -| dns.answers.name | The domain name to which this resource record pertains. If a chain of CNAME is being resolved, each answer's `name` should be the one that corresponds with the answer's `data`. It should not simply be the original `question.name` repeated. | keyword | -| dns.answers.type | The type of data contained in this resource record. | keyword | -| dns.question.type | The type of record being queried. | keyword | -| error.message | Error message. | text | -| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword | -| event.code | Identification code for this event, if one exists. Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. | keyword | -| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. | date | -| event.original | Raw text message of entire event. Used to demonstrate log integrity. 
This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. | keyword | -| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | -| event.timezone | This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). | keyword | -| file.attributes | Array of file attributes. Attributes names will vary by platform. Here's a non-exhaustive list of values that are expected in this field: archive, compressed, directory, encrypted, execute, hidden, read, readonly, system, write. | keyword | -| file.directory | Directory where the file is located. It should include the drive letter, when appropriate. | keyword | -| file.extension | File extension. | keyword | -| file.name | Name of the file including the extension, without the directory. | keyword | -| file.path | Full path to the file, including the file name. 
It should include the drive letter, when appropriate. | keyword | -| file.size | File size in bytes. Only relevant when `file.type` is "file". | long | -| file.type | File type (file, dir, or symlink). | keyword | -| geo.city_name | City name. | keyword | -| geo.country_name | Country name. | keyword | -| geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | -| geo.region_name | Region name. | keyword | -| group.id | Unique identifier for the group on the system/platform. | keyword | -| group.name | Name of the group. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| http.request.method | HTTP request method. Prior to ECS 1.6.0 the following guidance was provided: "The field value must be normalized to lowercase for querying." As of ECS 1.6.0, the guidance is deprecated because the original case of the method may be useful in anomaly detection. Original case will be mandated in ECS 2.0.0 | keyword | -| http.request.referrer | Referrer for this HTTP request. | keyword | -| input.type | Type of Filebeat input. | keyword | -| log.file.path | Full path to the log file this event came from. | keyword | -| log.flags | Flags for the log file. | keyword | -| log.level | Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. 
If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). Some examples are `warn`, `err`, `i`, `informational`. | keyword | -| log.offset | Offset of the entry in the log file. | long | -| log.original | This is the original log message and contains the full log message before splitting it up in multiple parts. In contrast to the `message` field which can contain an extracted part of the log message, this field contains the original, full log message. It can have already some modifications applied like encoding or new lines removed to clean up the log message. This field is not indexed and doc_values are disabled so it can't be queried but the value can be retrieved from `_source`. | keyword | -| log.source.address | Source address from which the log event was read / sent from. | keyword | -| log.syslog.facility.code | The Syslog numeric facility of the log event, if available. According to RFCs 5424 and 3164, this value should be an integer between 0 and 23. | long | -| log.syslog.priority | Syslog numeric priority of the event, if available. According to RFCs 5424 and 3164, the priority is 8 * facility + severity. This number is therefore expected to contain a value between 0 and 191. | long | -| log.syslog.severity.code | The Syslog numeric severity of the log event, if available. If the event source publishing via Syslog provides a different numeric severity value (e.g. firewall, IDS), your source's numeric severity should go to `event.severity`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `event.severity`. | long | -| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. 
| text | -| network.application | A name given to an application level protocol. This can be arbitrarily assigned for things like microservices, but also apply to things like skype, icq, facebook, twitter. This would be used in situations where the vendor or service can be decoded such as from the source/dest IP owners, ports, or wire format. The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS". | keyword | -| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long | -| network.direction | Direction of the network traffic. Recommended values are: * inbound * outbound * internal * external * unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view. When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of your network perimeter. | keyword | -| network.forwarded_ip | Host IP address when the source IP address is the proxy. | ip | -| network.interface.name | | keyword | -| network.packets | Total packets transferred in both directions. If `source.packets` and `destination.packets` are known, `network.packets` is their sum. | long | -| network.protocol | L7 Network protocol name. ex. http, lumberjack, transport protocol. The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS". | keyword | -| observer.egress.interface.name | Interface name as reported by the system. | keyword | -| observer.ingress.interface.name | Interface name as reported by the system. | keyword | -| observer.product | The product name of the observer. | keyword | -| observer.type | The type of the observer the data is coming from. There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. 
| keyword | -| observer.vendor | Vendor name of the observer. | keyword | -| observer.version | Observer version. | keyword | -| process.name | Process name. Sometimes called program name or similar. | keyword | -| process.parent.name | Process name. Sometimes called program name or similar. | keyword | -| process.parent.title | Process title. The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. | keyword | -| process.pid | Process id. | long | -| process.ppid | Parent process' pid. | long | -| process.title | Process title. The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| related.user | All the user names seen on your event. | keyword | -| rsa.counters.dclass_c1 | This is a generic counter key that should be used with the label dclass.c1.str only | long | -| rsa.counters.dclass_c1_str | This is a generic counter string key that should be used with the label dclass.c1 only | keyword | -| rsa.counters.dclass_c2 | This is a generic counter key that should be used with the label dclass.c2.str only | long | -| rsa.counters.dclass_c2_str | This is a generic counter string key that should be used with the label dclass.c2 only | keyword | -| rsa.counters.dclass_c3 | This is a generic counter key that should be used with the label dclass.c3.str only | long | -| rsa.counters.dclass_c3_str | This is a generic counter string key that should be used with the label dclass.c3 only | keyword | -| rsa.counters.dclass_r1 | This is a generic ratio key that should be used with the label dclass.r1.str only | keyword | -| rsa.counters.dclass_r1_str | This is a generic ratio string key that should be used with the label dclass.r1 only | keyword | -| rsa.counters.dclass_r2 | This is a generic ratio key that should be used 
with the label dclass.r2.str only | keyword | -| rsa.counters.dclass_r2_str | This is a generic ratio string key that should be used with the label dclass.r2 only | keyword | -| rsa.counters.dclass_r3 | This is a generic ratio key that should be used with the label dclass.r3.str only | keyword | -| rsa.counters.dclass_r3_str | This is a generic ratio string key that should be used with the label dclass.r3 only | keyword | -| rsa.counters.event_counter | This is used to capture the number of times an event repeated | long | -| rsa.crypto.cert_ca | This key is used to capture the Certificate signing authority only | keyword | -| rsa.crypto.cert_checksum | | keyword | -| rsa.crypto.cert_common | This key is used to capture the Certificate common name only | keyword | -| rsa.crypto.cert_error | This key captures the Certificate Error String | keyword | -| rsa.crypto.cert_host_cat | This key is used for the hostname category value of a certificate | keyword | -| rsa.crypto.cert_host_name | Deprecated key defined only in table map. 
| keyword |
-| rsa.crypto.cert_issuer | | keyword |
-| rsa.crypto.cert_keysize | | keyword |
-| rsa.crypto.cert_serial | This key is used to capture the Certificate serial number only | keyword |
-| rsa.crypto.cert_status | This key captures Certificate validation status | keyword |
-| rsa.crypto.cert_subject | This key is used to capture the Certificate organization only | keyword |
-| rsa.crypto.cert_username | | keyword |
-| rsa.crypto.cipher_dst | This key is for Destination (Server) Cipher | keyword |
-| rsa.crypto.cipher_size_dst | This key captures Destination (Server) Cipher Size | long |
-| rsa.crypto.cipher_size_src | This key captures Source (Client) Cipher Size | long |
-| rsa.crypto.cipher_src | This key is for Source (Client) Cipher | keyword |
-| rsa.crypto.crypto | This key is used to capture the Encryption Type or Encryption Key only | keyword |
-| rsa.crypto.d_certauth | | keyword |
-| rsa.crypto.https_insact | | keyword |
-| rsa.crypto.https_valid | | keyword |
-| rsa.crypto.ike | IKE negotiation phase. 
| keyword |
-| rsa.crypto.ike_cookie1 | ID of the negotiation — sent for ISAKMP Phase One | keyword |
-| rsa.crypto.ike_cookie2 | ID of the negotiation — sent for ISAKMP Phase Two | keyword |
-| rsa.crypto.peer | This key is for Encryption peer's IP Address | keyword |
-| rsa.crypto.peer_id | This key is for Encryption peer’s identity | keyword |
-| rsa.crypto.s_certauth | | keyword |
-| rsa.crypto.scheme | This key captures the Encryption scheme used | keyword |
-| rsa.crypto.sig_type | This key captures the Signature Type | keyword |
-| rsa.crypto.ssl_ver_dst | Deprecated, use version | keyword |
-| rsa.crypto.ssl_ver_src | Deprecated, use version | keyword |
-| rsa.db.database | This key is used to capture the name of a database or an instance as seen in a session | keyword |
-| rsa.db.db_id | This key is used to capture the unique identifier for a database | keyword |
-| rsa.db.db_pid | This key captures the process id of a connection with database server | long |
-| rsa.db.index | This key captures IndexID of the index. | keyword |
-| rsa.db.instance | This key is used to capture the database server instance name | keyword |
-| rsa.db.lread | This key is used for the number of logical reads | long |
-| rsa.db.lwrite | This key is used for the number of logical writes | long |
-| rsa.db.permissions | This key captures permission or privilege level assigned to a resource. 
| keyword |
-| rsa.db.pread | This key is used for the number of physical writes | long |
-| rsa.db.table_name | This key is used to capture the table name | keyword |
-| rsa.db.transact_id | This key captures the SQL transantion ID of the current session | keyword |
-| rsa.email.email | This key is used to capture a generic email address where the source or destination context is not clear | keyword |
-| rsa.email.email_dst | This key is used to capture the Destination email address only, when the destination context is not clear use email | keyword |
-| rsa.email.email_src | This key is used to capture the source email address only, when the source context is not clear use email | keyword |
-| rsa.email.subject | This key is used to capture the subject string from an Email only. | keyword |
-| rsa.email.trans_from | Deprecated key defined only in table map. | keyword |
-| rsa.email.trans_to | Deprecated key defined only in table map. | keyword |
-| rsa.endpoint.host_state | This key is used to capture the current state of the machine, such as blacklisted, infected, firewall disabled and so on | keyword |
-| rsa.endpoint.registry_key | This key captures the path to the registry key | keyword |
-| rsa.endpoint.registry_value | This key captures values or decorators used within a registry entry | keyword |
-| rsa.file.attachment | This key captures the attachment file name | keyword |
-| rsa.file.binary | Deprecated key defined only in table map. 
| keyword |
-| rsa.file.directory_dst | This key is used to capture the directory of the target process or file | keyword |
-| rsa.file.directory_src | This key is used to capture the directory of the source process or file | keyword |
-| rsa.file.file_entropy | This is used to capture entropy vale of a file | double |
-| rsa.file.file_vendor | This is used to capture Company name of file located in version_info | keyword |
-| rsa.file.filename_dst | This is used to capture name of the file targeted by the action | keyword |
-| rsa.file.filename_src | This is used to capture name of the parent filename, the file which performed the action | keyword |
-| rsa.file.filename_tmp | | keyword |
-| rsa.file.filesystem | | keyword |
-| rsa.file.privilege | Deprecated, use permissions | keyword |
-| rsa.file.task_name | This is used to capture name of the task | keyword |
-| rsa.healthcare.patient_fname | This key is for First Names only, this is used for Healthcare predominantly to capture Patients information | keyword |
-| rsa.healthcare.patient_id | This key captures the unique ID for a patient | keyword |
-| rsa.healthcare.patient_lname | This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information | keyword |
-| rsa.healthcare.patient_mname | This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information | keyword |
-| rsa.identity.accesses | This key is used to capture actual privileges used in accessing an object | keyword |
-| rsa.identity.auth_method | This key is used to capture authentication methods used only | keyword |
-| rsa.identity.dn | X.500 (LDAP) Distinguished Name | keyword |
-| rsa.identity.dn_dst | An X.500 (LDAP) Distinguished name that used in a context that indicates a Destination dn | keyword |
-| rsa.identity.dn_src | An X.500 (LDAP) Distinguished name that is used in a context that indicates a Source dn | keyword |
-| rsa.identity.federated_idp | This 
key is the federated Identity Provider. This is the server providing the authentication. | keyword |
-| rsa.identity.federated_sp | This key is the Federated Service Provider. This is the application requesting authentication. | keyword |
-| rsa.identity.firstname | This key is for First Names only, this is used for Healthcare predominantly to capture Patients information | keyword |
-| rsa.identity.host_role | This key should only be used to capture the role of a Host Machine | keyword |
-| rsa.identity.lastname | This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information | keyword |
-| rsa.identity.ldap | This key is for Uninterpreted LDAP values. Ldap Values that don’t have a clear query or response context | keyword |
-| rsa.identity.ldap_query | This key is the Search criteria from an LDAP search | keyword |
-| rsa.identity.ldap_response | This key is to capture Results from an LDAP search | keyword |
-| rsa.identity.logon_type | This key is used to capture the type of logon method used. | keyword |
-| rsa.identity.logon_type_desc | This key is used to capture the textual description of an integer logon type as stored in the meta key 'logon.type'. 
| keyword |
-| rsa.identity.middlename | This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information | keyword |
-| rsa.identity.org | This key captures the User organization | keyword |
-| rsa.identity.owner | This is used to capture username the process or service is running as, the author of the task | keyword |
-| rsa.identity.password | This key is for Passwords seen in any session, plain text or encrypted | keyword |
-| rsa.identity.profile | This key is used to capture the user profile | keyword |
-| rsa.identity.realm | Radius realm or similar grouping of accounts | keyword |
-| rsa.identity.service_account | This key is a windows specific key, used for capturing name of the account a service (referenced in the event) is running under. Legacy Usage | keyword |
-| rsa.identity.user_dept | User's Department Names only | keyword |
-| rsa.identity.user_role | This key is used to capture the Role of a user only | keyword |
-| rsa.identity.user_sid_dst | This key captures Destination User Session ID | keyword |
-| rsa.identity.user_sid_src | This key captures Source User Session ID | keyword |
-| rsa.internal.audit_class | Deprecated key defined only in table map. | keyword |
-| rsa.internal.cid | This is the unique identifier used to identify a NetWitness Concentrator. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword |
-| rsa.internal.data | Deprecated key defined only in table map. | keyword |
-| rsa.internal.dead | Deprecated key defined only in table map. | long |
-| rsa.internal.device_class | This is the Classification of the Log Event Source under a predefined fixed set of Event Source Classifications. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword |
-| rsa.internal.device_group | This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword |
-| rsa.internal.device_host | This is the Hostname of the log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword |
-| rsa.internal.device_ip | This is the IPv4 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | ip |
-| rsa.internal.device_ipv6 | This is the IPv6 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | ip |
-| rsa.internal.device_type | This is the name of the log parser which parsed a given session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword |
-| rsa.internal.device_type_id | Deprecated key defined only in table map. | long |
-| rsa.internal.did | This is the unique identifier used to identify a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword |
-| rsa.internal.entropy_req | This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration | long |
-| rsa.internal.entropy_res | This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration | long |
-| rsa.internal.entry | Deprecated key defined only in table map. 
| keyword |
-| rsa.internal.event_desc | | keyword |
-| rsa.internal.event_name | Deprecated key defined only in table map. | keyword |
-| rsa.internal.feed_category | This is used to capture the category of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword |
-| rsa.internal.feed_desc | This is used to capture the description of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword |
-| rsa.internal.feed_name | This is used to capture the name of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword |
-| rsa.internal.forward_ip | This key should be used to capture the IPV4 address of a relay system which forwarded the events from the original system to NetWitness. | ip |
-| rsa.internal.forward_ipv6 | This key is used to capture the IPV6 address of a relay system which forwarded the events from the original system to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | ip |
-| rsa.internal.hcode | Deprecated key defined only in table map. | keyword |
-| rsa.internal.header_id | This is the Header ID value that identifies the exact log parser header definition that parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword |
-| rsa.internal.inode | Deprecated key defined only in table map. | long |
-| rsa.internal.lc_cid | This is a unique Identifier of a Log Collector. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword |
-| rsa.internal.lc_ctime | This is the time at which a log is collected in a NetWitness Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | date |
-| rsa.internal.level | Deprecated key defined only in table map. | long |
-| rsa.internal.mcb_req | This key is only used by the Entropy Parser, the most common byte request is simply which byte for each side (0 thru 255) was seen the most | long |
-| rsa.internal.mcb_res | This key is only used by the Entropy Parser, the most common byte response is simply which byte for each side (0 thru 255) was seen the most | long |
-| rsa.internal.mcbc_req | This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams | long |
-| rsa.internal.mcbc_res | This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams | long |
-| rsa.internal.medium | This key is used to identify if it’s a log/packet session or Layer 2 Encapsulation Type. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. 32 = log, 33 = correlation session, < 32 is packet session | long |
-| rsa.internal.message | This key captures the contents of instant messages | keyword |
-| rsa.internal.messageid | | keyword |
-| rsa.internal.msg | This key is used to capture the raw message that comes into the Log Decoder | keyword |
-| rsa.internal.msg_id | This is the Message ID1 value that identifies the exact log parser definition which parses a particular log session. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword |
-| rsa.internal.msg_vid | This is the Message ID2 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword |
-| rsa.internal.node_name | Deprecated key defined only in table map. | keyword |
-| rsa.internal.nwe_callback_id | This key denotes that event is endpoint related | keyword |
-| rsa.internal.obj_id | Deprecated key defined only in table map. | keyword |
-| rsa.internal.obj_server | Deprecated key defined only in table map. | keyword |
-| rsa.internal.obj_val | Deprecated key defined only in table map. | keyword |
-| rsa.internal.parse_error | This is a special key that stores any Meta key validation error found while parsing a log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword |
-| rsa.internal.payload_req | This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep | long |
-| rsa.internal.payload_res | This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep | long |
-| rsa.internal.process_vid_dst | Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the target process. | keyword |
-| rsa.internal.process_vid_src | Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the source process. | keyword |
-| rsa.internal.resource | Deprecated key defined only in table map. 
| keyword |
-| rsa.internal.resource_class | Deprecated key defined only in table map. | keyword |
-| rsa.internal.rid | This is a special ID of the Remote Session created by NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | long |
-| rsa.internal.session_split | This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword |
-| rsa.internal.site | Deprecated key defined only in table map. | keyword |
-| rsa.internal.size | This is the size of the session as seen by the NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | long |
-| rsa.internal.sourcefile | This is the name of the log file or PCAPs that can be imported into NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword |
-| rsa.internal.statement | Deprecated key defined only in table map. | keyword |
-| rsa.internal.time | This is the time at which a session hits a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. | date |
-| rsa.internal.ubc_req | This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once | long |
-| rsa.internal.ubc_res | This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 
256 would mean all byte values of 0 thru 255 were seen at least once | long |
-| rsa.internal.word | This is used by the Word Parsing technology to capture the first 5 character of every word in an unparsed log | keyword |
-| rsa.investigations.analysis_file | This is used to capture all indicators used in a File Analysis. This key should be used to capture an analysis of a file | keyword |
-| rsa.investigations.analysis_service | This is used to capture all indicators used in a Service Analysis. This key should be used to capture an analysis of a service | keyword |
-| rsa.investigations.analysis_session | This is used to capture all indicators used for a Session Analysis. This key should be used to capture an analysis of a session | keyword |
-| rsa.investigations.boc | This is used to capture behaviour of compromise | keyword |
-| rsa.investigations.ec_activity | This key captures the particular event activity(Ex:Logoff) | keyword |
-| rsa.investigations.ec_outcome | This key captures the outcome of a particular Event(Ex:Success) | keyword |
-| rsa.investigations.ec_subject | This key captures the Subject of a particular Event(Ex:User) | keyword |
-| rsa.investigations.ec_theme | This key captures the Theme of a particular Event(Ex:Authentication) | keyword |
-| rsa.investigations.eoc | This is used to capture Enablers of Compromise | keyword |
-| rsa.investigations.event_cat | This key captures the Event category number | long |
-| rsa.investigations.event_cat_name | This key captures the event category name corresponding to the event cat code | keyword |
-| rsa.investigations.event_vcat | This is a vendor supplied category. This should be used in situations where the vendor has adopted their own event_category taxonomy. 
| keyword |
-| rsa.investigations.inv_category | This used to capture investigation category | keyword |
-| rsa.investigations.inv_context | This used to capture investigation context | keyword |
-| rsa.investigations.ioc | This is key capture indicator of compromise | keyword |
-| rsa.misc.OS | This key captures the Name of the Operating System | keyword |
-| rsa.misc.acl_id | | keyword |
-| rsa.misc.acl_op | | keyword |
-| rsa.misc.acl_pos | | keyword |
-| rsa.misc.acl_table | | keyword |
-| rsa.misc.action | | keyword |
-| rsa.misc.admin | | keyword |
-| rsa.misc.agent_id | This key is used to capture agent id | keyword |
-| rsa.misc.alarm_id | | keyword |
-| rsa.misc.alarmname | | keyword |
-| rsa.misc.alert_id | Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) | keyword |
-| rsa.misc.app_id | | keyword |
-| rsa.misc.audit | | keyword |
-| rsa.misc.audit_object | | keyword |
-| rsa.misc.auditdata | | keyword |
-| rsa.misc.autorun_type | This is used to capture Auto Run type | keyword |
-| rsa.misc.benchmark | | keyword |
-| rsa.misc.bypass | | keyword |
-| rsa.misc.cache | | keyword |
-| rsa.misc.cache_hit | | keyword |
-| rsa.misc.category | This key is used to capture the category of an event given by the vendor in the session | keyword |
-| rsa.misc.cc_number | Valid Credit Card Numbers only | long |
-| rsa.misc.cefversion | | keyword |
-| rsa.misc.cfg_attr | | keyword |
-| rsa.misc.cfg_obj | | keyword |
-| rsa.misc.cfg_path | | keyword |
-| rsa.misc.change_attrib | This key is used to capture the name of the attribute that’s changing in a session | keyword |
-| rsa.misc.change_new | This key is used to capture the new values of the attribute that’s changing in a session | keyword |
-| rsa.misc.change_old | This key is used to capture the old value of the attribute that’s changing in a session | keyword |
-| rsa.misc.changes | | keyword |
-| rsa.misc.checksum | This key is used to capture the checksum or hash of the entity such as a file or 
process. Checksum should be used over checksum.src or checksum.dst when it is unclear whether the entity is a source or target of an action. | keyword |
-| rsa.misc.checksum_dst | This key is used to capture the checksum or hash of the the target entity such as a process or file. | keyword |
-| rsa.misc.checksum_src | This key is used to capture the checksum or hash of the source entity such as a file or process. | keyword |
-| rsa.misc.client | This key is used to capture only the name of the client application requesting resources of the server. See the user.agent meta key for capture of the specific user agent identifier or browser identification string. | keyword |
-| rsa.misc.client_ip | | keyword |
-| rsa.misc.clustermembers | | keyword |
-| rsa.misc.cmd | | keyword |
-| rsa.misc.cn_acttimeout | | keyword |
-| rsa.misc.cn_asn_src | | keyword |
-| rsa.misc.cn_bgpv4nxthop | | keyword |
-| rsa.misc.cn_ctr_dst_code | | keyword |
-| rsa.misc.cn_dst_tos | | keyword |
-| rsa.misc.cn_dst_vlan | | keyword |
-| rsa.misc.cn_engine_id | | keyword |
-| rsa.misc.cn_engine_type | | keyword |
-| rsa.misc.cn_f_switch | | keyword |
-| rsa.misc.cn_flowsampid | | keyword |
-| rsa.misc.cn_flowsampintv | | keyword |
-| rsa.misc.cn_flowsampmode | | keyword |
-| rsa.misc.cn_inacttimeout | | keyword |
-| rsa.misc.cn_inpermbyts | | keyword |
-| rsa.misc.cn_inpermpckts | | keyword |
-| rsa.misc.cn_invalid | | keyword |
-| rsa.misc.cn_ip_proto_ver | | keyword |
-| rsa.misc.cn_ipv4_ident | | keyword |
-| rsa.misc.cn_l_switch | | keyword |
-| rsa.misc.cn_log_did | | keyword |
-| rsa.misc.cn_log_rid | | keyword |
-| rsa.misc.cn_max_ttl | | keyword |
-| rsa.misc.cn_maxpcktlen | | keyword |
-| rsa.misc.cn_min_ttl | | keyword |
-| rsa.misc.cn_minpcktlen | | keyword |
-| rsa.misc.cn_mpls_lbl_1 | | keyword |
-| rsa.misc.cn_mpls_lbl_10 | | keyword |
-| rsa.misc.cn_mpls_lbl_2 | | keyword |
-| rsa.misc.cn_mpls_lbl_3 | | keyword |
-| rsa.misc.cn_mpls_lbl_4 | | keyword |
-| rsa.misc.cn_mpls_lbl_5 | 
| keyword |
-| rsa.misc.cn_mpls_lbl_6 | | keyword |
-| rsa.misc.cn_mpls_lbl_7 | | keyword |
-| rsa.misc.cn_mpls_lbl_8 | | keyword |
-| rsa.misc.cn_mpls_lbl_9 | | keyword |
-| rsa.misc.cn_mplstoplabel | | keyword |
-| rsa.misc.cn_mplstoplabip | | keyword |
-| rsa.misc.cn_mul_dst_byt | | keyword |
-| rsa.misc.cn_mul_dst_pks | | keyword |
-| rsa.misc.cn_muligmptype | | keyword |
-| rsa.misc.cn_sampalgo | | keyword |
-| rsa.misc.cn_sampint | | keyword |
-| rsa.misc.cn_seqctr | | keyword |
-| rsa.misc.cn_spackets | | keyword |
-| rsa.misc.cn_src_tos | | keyword |
-| rsa.misc.cn_src_vlan | | keyword |
-| rsa.misc.cn_sysuptime | | keyword |
-| rsa.misc.cn_template_id | | keyword |
-| rsa.misc.cn_totbytsexp | | keyword |
-| rsa.misc.cn_totflowexp | | keyword |
-| rsa.misc.cn_totpcktsexp | | keyword |
-| rsa.misc.cn_unixnanosecs | | keyword |
-| rsa.misc.cn_v6flowlabel | | keyword |
-| rsa.misc.cn_v6optheaders | | keyword |
-| rsa.misc.code | | keyword |
-| rsa.misc.command | | keyword |
-| rsa.misc.comments | Comment information provided in the log message | keyword |
-| rsa.misc.comp_class | | keyword |
-| rsa.misc.comp_name | | keyword |
-| rsa.misc.comp_rbytes | | keyword |
-| rsa.misc.comp_sbytes | | keyword |
-| rsa.misc.comp_version | This key captures the Version level of a sub-component of a product. | keyword |
-| rsa.misc.connection_id | This key captures the Connection ID | keyword |
-| rsa.misc.content | This key captures the content type from protocol headers | keyword |
-| rsa.misc.content_type | This key is used to capture Content Type only. | keyword |
-| rsa.misc.content_version | This key captures Version level of a signature or database content. | keyword |
-| rsa.misc.context | This key captures Information which adds additional context to the event. 
| keyword |
-| rsa.misc.context_subject | This key is to be used in an audit context where the subject is the object being identified | keyword |
-| rsa.misc.context_target | | keyword |
-| rsa.misc.count | | keyword |
-| rsa.misc.cpu | This key is the CPU time used in the execution of the event being recorded. | long |
-| rsa.misc.cpu_data | | keyword |
-| rsa.misc.criticality | | keyword |
-| rsa.misc.cs_agency_dst | | keyword |
-| rsa.misc.cs_analyzedby | | keyword |
-| rsa.misc.cs_av_other | | keyword |
-| rsa.misc.cs_av_primary | | keyword |
-| rsa.misc.cs_av_secondary | | keyword |
-| rsa.misc.cs_bgpv6nxthop | | keyword |
-| rsa.misc.cs_bit9status | | keyword |
-| rsa.misc.cs_context | | keyword |
-| rsa.misc.cs_control | | keyword |
-| rsa.misc.cs_data | | keyword |
-| rsa.misc.cs_datecret | | keyword |
-| rsa.misc.cs_dst_tld | | keyword |
-| rsa.misc.cs_eth_dst_ven | | keyword |
-| rsa.misc.cs_eth_src_ven | | keyword |
-| rsa.misc.cs_event_uuid | | keyword |
-| rsa.misc.cs_filetype | | keyword |
-| rsa.misc.cs_fld | | keyword |
-| rsa.misc.cs_if_desc | | keyword |
-| rsa.misc.cs_if_name | | keyword |
-| rsa.misc.cs_ip_next_hop | | keyword |
-| rsa.misc.cs_ipv4dstpre | | keyword |
-| rsa.misc.cs_ipv4srcpre | | keyword |
-| rsa.misc.cs_lifetime | | keyword |
-| rsa.misc.cs_log_medium | | keyword |
-| rsa.misc.cs_loginname | | keyword |
-| rsa.misc.cs_modulescore | | keyword |
-| rsa.misc.cs_modulesign | | keyword |
-| rsa.misc.cs_opswatresult | | keyword |
-| rsa.misc.cs_payload | | keyword |
-| rsa.misc.cs_registrant | | keyword |
-| rsa.misc.cs_registrar | | keyword |
-| rsa.misc.cs_represult | | keyword |
-| rsa.misc.cs_rpayload | | keyword |
-| rsa.misc.cs_sampler_name | | keyword |
-| rsa.misc.cs_sourcemodule | | keyword |
-| rsa.misc.cs_streams | | keyword |
-| rsa.misc.cs_targetmodule | | keyword |
-| rsa.misc.cs_v6nxthop | | keyword |
-| rsa.misc.cs_whois_server | | keyword |
-| rsa.misc.cs_yararesult | | keyword |
-| rsa.misc.cve | This key captures 
CVE (Common Vulnerabilities and Exposures) - an identifier for known information security vulnerabilities. | keyword |
-| rsa.misc.data_type | | keyword |
-| rsa.misc.description | | keyword |
-| rsa.misc.device_name | This is used to capture name of the Device associated with the node Like: a physical disk, printer, etc | keyword |
-| rsa.misc.devvendor | | keyword |
-| rsa.misc.disposition | This key captures the The end state of an action. | keyword |
-| rsa.misc.distance | | keyword |
-| rsa.misc.doc_number | This key captures File Identification number | long |
-| rsa.misc.dstburb | | keyword |
-| rsa.misc.edomain | | keyword |
-| rsa.misc.edomaub | | keyword |
-| rsa.misc.ein_number | Employee Identification Numbers only | long |
-| rsa.misc.error | This key captures All non successful Error codes or responses | keyword |
-| rsa.misc.euid | | keyword |
-| rsa.misc.event_category | | keyword |
-| rsa.misc.event_computer | This key is a windows only concept, where this key is used to capture fully qualified domain name in a windows log. | keyword |
-| rsa.misc.event_desc | This key is used to capture a description of an event available directly or inferred | keyword |
-| rsa.misc.event_id | | keyword |
-| rsa.misc.event_log | This key captures the Name of the event log | keyword |
-| rsa.misc.event_source | This key captures Source of the event that’s not a hostname | keyword |
-| rsa.misc.event_state | This key captures the current state of the object/item referenced within the event. Describing an on-going event. | keyword |
-| rsa.misc.event_type | This key captures the event category type as specified by the event source. | keyword |
-| rsa.misc.event_user | This key is a windows only concept, where this key is used to capture combination of domain name and username in a windows log. | keyword |
-| rsa.misc.expected_val | This key captures the Value expected (from the perspective of the device generating the log). 
| keyword |
-| rsa.misc.facility | | keyword |
-| rsa.misc.facilityname | | keyword |
-| rsa.misc.fcatnum | This key captures Filter Category Number. Legacy Usage | keyword |
-| rsa.misc.filter | This key captures Filter used to reduce result set | keyword |
-| rsa.misc.finterface | | keyword |
-| rsa.misc.flags | | keyword |
-| rsa.misc.forensic_info | | keyword |
-| rsa.misc.found | This is used to capture the results of regex match | keyword |
-| rsa.misc.fresult | This key captures the Filter Result | long |
-| rsa.misc.gaddr | | keyword |
-| rsa.misc.group | This key captures the Group Name value | keyword |
-| rsa.misc.group_id | This key captures Group ID Number (related to the group name) | keyword |
-| rsa.misc.group_object | This key captures a collection/grouping of entities. Specific usage | keyword |
-| rsa.misc.hardware_id | This key is used to capture unique identifier for a device or system (NOT a Mac address) | keyword |
-| rsa.misc.id3 | | keyword |
-| rsa.misc.im_buddyid | | keyword |
-| rsa.misc.im_buddyname | | keyword |
-| rsa.misc.im_client | | keyword |
-| rsa.misc.im_croomid | | keyword |
-| rsa.misc.im_croomtype | | keyword |
-| rsa.misc.im_members | | keyword |
-| rsa.misc.im_userid | | keyword |
-| rsa.misc.im_username | | keyword |
-| rsa.misc.index | | keyword |
-| rsa.misc.inout | | keyword |
-| rsa.misc.ipkt | | keyword |
-| rsa.misc.ipscat | | keyword |
-| rsa.misc.ipspri | | keyword |
-| rsa.misc.job_num | This key captures the Job Number | keyword |
-| rsa.misc.jobname | | keyword |
-| rsa.misc.language | This is used to capture list of languages the client support and what it prefers | keyword |
-| rsa.misc.latitude | | keyword |
-| rsa.misc.library | This key is used to capture library information in mainframe devices | keyword |
-| rsa.misc.lifetime | This key is used to capture the session lifetime in seconds. | long |
-| rsa.misc.linenum | | keyword |
-| rsa.misc.link | This key is used to link the sessions together. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword |
-| rsa.misc.list_name | | keyword |
-| rsa.misc.listnum | This key is used to capture listname or listnumber, primarily for collecting access-list | keyword |
-| rsa.misc.load_data | | keyword |
-| rsa.misc.location_floor | | keyword |
-| rsa.misc.location_mark | | keyword |
-| rsa.misc.log_id | | keyword |
-| rsa.misc.log_session_id | This key is used to capture a sessionid from the session directly | keyword |
-| rsa.misc.log_session_id1 | This key is used to capture a Linked (Related) Session ID from the session directly | keyword |
-| rsa.misc.log_type | | keyword |
-| rsa.misc.logid | | keyword |
-| rsa.misc.logip | | keyword |
-| rsa.misc.logname | | keyword |
-| rsa.misc.longitude | | keyword |
-| rsa.misc.lport | | keyword |
-| rsa.misc.mail_id | This key is used to capture the mailbox id/name | keyword |
-| rsa.misc.match | This key is for regex match name from search.ini | keyword |
-| rsa.misc.mbug_data | | keyword |
-| rsa.misc.message_body | This key captures the The contents of the message body. | keyword |
-| rsa.misc.misc | | keyword |
-| rsa.misc.misc_name | | keyword |
-| rsa.misc.mode | | keyword |
-| rsa.misc.msgIdPart1 | | keyword |
-| rsa.misc.msgIdPart2 | | keyword |
-| rsa.misc.msgIdPart3 | | keyword |
-| rsa.misc.msgIdPart4 | | keyword |
-| rsa.misc.msg_type | | keyword |
-| rsa.misc.msgid | | keyword |
-| rsa.misc.name | | keyword |
-| rsa.misc.netsessid | | keyword |
-| rsa.misc.node | Common use case is the node name within a cluster. The cluster name is reflected by the host name. 
| keyword | -| rsa.misc.ntype | | keyword | -| rsa.misc.num | | keyword | -| rsa.misc.number | | keyword | -| rsa.misc.number1 | | keyword | -| rsa.misc.number2 | | keyword | -| rsa.misc.nwwn | | keyword | -| rsa.misc.obj_name | This is used to capture name of object | keyword | -| rsa.misc.obj_type | This is used to capture type of object | keyword | -| rsa.misc.object | | keyword | -| rsa.misc.observed_val | This key captures the Value observed (from the perspective of the device generating the log). | keyword | -| rsa.misc.operation | | keyword | -| rsa.misc.operation_id | An alert number or operation number. The values should be unique and non-repeating. | keyword | -| rsa.misc.opkt | | keyword | -| rsa.misc.orig_from | | keyword | -| rsa.misc.owner_id | | keyword | -| rsa.misc.p_action | | keyword | -| rsa.misc.p_filter | | keyword | -| rsa.misc.p_group_object | | keyword | -| rsa.misc.p_id | | keyword | -| rsa.misc.p_msgid | | keyword | -| rsa.misc.p_msgid1 | | keyword | -| rsa.misc.p_msgid2 | | keyword | -| rsa.misc.p_result1 | | keyword | -| rsa.misc.param | This key is the parameters passed as part of a command or application, etc. | keyword | -| rsa.misc.param_dst | This key captures the command line/launch argument of the target process or file | keyword | -| rsa.misc.param_src | This key captures source parameter | keyword | -| rsa.misc.parent_node | This key captures the Parent Node Name. Must be related to node variable. 
| keyword | -| rsa.misc.password_chg | | keyword | -| rsa.misc.password_expire | | keyword | -| rsa.misc.payload_dst | This key is used to capture destination payload | keyword | -| rsa.misc.payload_src | This key is used to capture source payload | keyword | -| rsa.misc.permgranted | | keyword | -| rsa.misc.permwanted | | keyword | -| rsa.misc.pgid | | keyword | -| rsa.misc.phone | | keyword | -| rsa.misc.pid | | keyword | -| rsa.misc.policy | | keyword | -| rsa.misc.policyUUID | | keyword | -| rsa.misc.policy_id | This key is used to capture the Policy ID only, this should be a numeric value, use policy.name otherwise | keyword | -| rsa.misc.policy_name | This key is used to capture the Policy Name only. | keyword | -| rsa.misc.policy_value | This key captures the contents of the policy. This contains details about the policy | keyword | -| rsa.misc.policy_waiver | | keyword | -| rsa.misc.pool_id | This key captures the identifier (typically numeric field) of a resource pool | keyword | -| rsa.misc.pool_name | This key captures the name of a resource pool | keyword | -| rsa.misc.port_name | This key is used for Physical or logical port connection but does NOT include a network port. (Example: Printer port name). | keyword | -| rsa.misc.priority | | keyword | -| rsa.misc.process_id_val | This key is a failure key for Process ID when it is not an integer value | keyword | -| rsa.misc.prog_asp_num | | keyword | -| rsa.misc.program | | keyword | -| rsa.misc.real_data | | keyword | -| rsa.misc.reason | | keyword | -| rsa.misc.rec_asp_device | | keyword | -| rsa.misc.rec_asp_num | | keyword | -| rsa.misc.rec_library | | keyword | -| rsa.misc.recordnum | | keyword | -| rsa.misc.reference_id | This key is used to capture an event id from the session directly | keyword | -| rsa.misc.reference_id1 | This key is for Linked ID to be used as an addition to "reference.id" | keyword | -| rsa.misc.reference_id2 | This key is for the 2nd Linked ID. 
Can be either linked to "reference.id" or "reference.id1" value but should not be used unless the other two variables are in play. | keyword | -| rsa.misc.result | This key is used to capture the outcome/result string value of an action in a session. | keyword | -| rsa.misc.result_code | This key is used to capture the outcome/result numeric value of an action in a session | keyword | -| rsa.misc.risk | This key captures the non-numeric risk value | keyword | -| rsa.misc.risk_info | Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) | keyword | -| rsa.misc.risk_num | This key captures a Numeric Risk value | double | -| rsa.misc.risk_num_comm | This key captures Risk Number Community | double | -| rsa.misc.risk_num_next | This key captures Risk Number NextGen | double | -| rsa.misc.risk_num_sand | This key captures Risk Number SandBox | double | -| rsa.misc.risk_num_static | This key captures Risk Number Static | double | -| rsa.misc.risk_suspicious | Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) | keyword | -| rsa.misc.risk_warning | Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) | keyword | -| rsa.misc.ruid | | keyword | -| rsa.misc.rule | This key captures the Rule number | keyword | -| rsa.misc.rule_group | This key captures the Rule group name | keyword | -| rsa.misc.rule_name | This key captures the Rule Name | keyword | -| rsa.misc.rule_template | A default set of parameters which are overlayed onto a rule (or rulename) which efffectively constitutes a template | keyword | -| rsa.misc.rule_uid | This key is the Unique Identifier for a rule. | keyword | -| rsa.misc.sburb | | keyword | -| rsa.misc.sdomain_fld | | keyword | -| rsa.misc.search_text | This key captures the Search Text used | keyword | -| rsa.misc.sec | | keyword | -| rsa.misc.second | | keyword | -| rsa.misc.sensor | This key captures Name of the sensor. 
Typically used in IDS/IPS based devices | keyword | -| rsa.misc.sensorname | | keyword | -| rsa.misc.seqnum | | keyword | -| rsa.misc.serial_number | This key is the Serial number associated with a physical asset. | keyword | -| rsa.misc.session | | keyword | -| rsa.misc.sessiontype | | keyword | -| rsa.misc.severity | This key is used to capture the severity given the session | keyword | -| rsa.misc.sigUUID | | keyword | -| rsa.misc.sig_id | This key captures IDS/IPS Int Signature ID | long | -| rsa.misc.sig_id1 | This key captures IDS/IPS Int Signature ID. This must be linked to the sig.id | long | -| rsa.misc.sig_id_str | This key captures a string object of the sigid variable. | keyword | -| rsa.misc.sig_name | This key is used to capture the Signature Name only. | keyword | -| rsa.misc.sigcat | | keyword | -| rsa.misc.snmp_oid | SNMP Object Identifier | keyword | -| rsa.misc.snmp_value | SNMP set request value | keyword | -| rsa.misc.space | | keyword | -| rsa.misc.space1 | | keyword | -| rsa.misc.spi | | keyword | -| rsa.misc.spi_dst | Destination SPI Index | keyword | -| rsa.misc.spi_src | Source SPI Index | keyword | -| rsa.misc.sql | This key captures the SQL query | keyword | -| rsa.misc.srcburb | | keyword | -| rsa.misc.srcdom | | keyword | -| rsa.misc.srcservice | | keyword | -| rsa.misc.state | | keyword | -| rsa.misc.status | | keyword | -| rsa.misc.status1 | | keyword | -| rsa.misc.streams | This key captures number of streams in session | long | -| rsa.misc.subcategory | | keyword | -| rsa.misc.svcno | | keyword | -| rsa.misc.system | | keyword | -| rsa.misc.tbdstr1 | | keyword | -| rsa.misc.tbdstr2 | | keyword | -| rsa.misc.tcp_flags | This key is captures the TCP flags set in any packet of session | long | -| rsa.misc.terminal | This key captures the Terminal Names only | keyword | -| rsa.misc.tgtdom | | keyword | -| rsa.misc.tgtdomain | | keyword | -| rsa.misc.threshold | | keyword | -| rsa.misc.tos | This key describes the type of service | long 
| -| rsa.misc.trigger_desc | This key captures the Description of the trigger or threshold condition. | keyword | -| rsa.misc.trigger_val | This key captures the Value of the trigger or threshold condition. | keyword | -| rsa.misc.type | | keyword | -| rsa.misc.type1 | | keyword | -| rsa.misc.udb_class | | keyword | -| rsa.misc.url_fld | | keyword | -| rsa.misc.user_div | | keyword | -| rsa.misc.userid | | keyword | -| rsa.misc.username_fld | | keyword | -| rsa.misc.utcstamp | | keyword | -| rsa.misc.v_instafname | | keyword | -| rsa.misc.version | This key captures Version of the application or OS which is generating the event. | keyword | -| rsa.misc.virt_data | | keyword | -| rsa.misc.virusname | This key captures the name of the virus | keyword | -| rsa.misc.vm_target | VMWare Target **VMWARE** only varaible. | keyword | -| rsa.misc.vpnid | | keyword | -| rsa.misc.vsys | This key captures Virtual System Name | keyword | -| rsa.misc.vuln_ref | This key captures the Vulnerability Reference details | keyword | -| rsa.misc.workspace | This key captures Workspace Description | keyword | -| rsa.network.ad_computer_dst | Deprecated, use host.dst | keyword | -| rsa.network.addr | | keyword | -| rsa.network.alias_host | This key should be used when the source or destination context of a hostname is not clear.Also it captures the Device Hostname. Any Hostname that isnt ad.computer. 
| keyword | -| rsa.network.dinterface | This key should only be used when it’s a Destination Interface | keyword | -| rsa.network.dmask | This key is used for Destionation Device network mask | keyword | -| rsa.network.dns_a_record | | keyword | -| rsa.network.dns_cname_record | | keyword | -| rsa.network.dns_id | | keyword | -| rsa.network.dns_opcode | | keyword | -| rsa.network.dns_ptr_record | | keyword | -| rsa.network.dns_resp | | keyword | -| rsa.network.dns_type | | keyword | -| rsa.network.domain | | keyword | -| rsa.network.domain1 | | keyword | -| rsa.network.eth_host | Deprecated, use alias.mac | keyword | -| rsa.network.eth_type | This key is used to capture Ethernet Type, Used for Layer 3 Protocols Only | long | -| rsa.network.faddr | | keyword | -| rsa.network.fhost | | keyword | -| rsa.network.fport | | keyword | -| rsa.network.gateway | This key is used to capture the IP Address of the gateway | keyword | -| rsa.network.host_dst | This key should only be used when it’s a Destination Hostname | keyword | -| rsa.network.host_orig | This is used to capture the original hostname in case of a Forwarding Agent or a Proxy in between. | keyword | -| rsa.network.host_type | | keyword | -| rsa.network.icmp_code | This key is used to capture the ICMP code only | long | -| rsa.network.icmp_type | This key is used to capture the ICMP type only | long | -| rsa.network.interface | This key should be used when the source or destination context of an interface is not clear | keyword | -| rsa.network.ip_proto | This key should be used to capture the Protocol number, all the protocol nubers are converted into string in UI | long | -| rsa.network.laddr | | keyword | -| rsa.network.lhost | | keyword | -| rsa.network.linterface | | keyword | -| rsa.network.mask | This key is used to capture the device network IPmask. | keyword | -| rsa.network.netname | This key is used to capture the network name associated with an IP range. This is configured by the end user. 
| keyword | -| rsa.network.network_port | Deprecated, use port. NOTE: There is a type discrepancy as currently used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!) | long | -| rsa.network.network_service | This is used to capture layer 7 protocols/service names | keyword | -| rsa.network.origin | | keyword | -| rsa.network.packet_length | | keyword | -| rsa.network.paddr | Deprecated | ip | -| rsa.network.phost | | keyword | -| rsa.network.port | This key should only be used to capture a Network Port when the directionality is not clear | long | -| rsa.network.protocol_detail | This key should be used to capture additional protocol information | keyword | -| rsa.network.remote_domain_id | | keyword | -| rsa.network.rpayload | This key is used to capture the total number of payload bytes seen in the retransmitted packets. | keyword | -| rsa.network.sinterface | This key should only be used when it’s a Source Interface | keyword | -| rsa.network.smask | This key is used for capturing source Network Mask | keyword | -| rsa.network.vlan | This key should only be used to capture the ID of the Virtual LAN | long | -| rsa.network.vlan_name | This key should only be used to capture the name of the Virtual LAN | keyword | -| rsa.network.zone | This key should be used when the source or destination context of a Zone is not clear | keyword | -| rsa.network.zone_dst | This key should only be used when it’s a Destination Zone. | keyword | -| rsa.network.zone_src | This key should only be used when it’s a Source Zone. | keyword | -| rsa.physical.org_dst | This is used to capture the destination organization based on the GEOPIP Maxmind database. | keyword | -| rsa.physical.org_src | This is used to capture the source organization based on the GEOPIP Maxmind database. 
| keyword | -| rsa.storage.disk_volume | A unique name assigned to logical units (volumes) within a physical disk | keyword | -| rsa.storage.lun | Logical Unit Number.This key is a very useful concept in Storage. | keyword | -| rsa.storage.pwwn | This uniquely identifies a port on a HBA. | keyword | -| rsa.threat.alert | This key is used to capture name of the alert | keyword | -| rsa.threat.threat_category | This key captures Threat Name/Threat Category/Categorization of alert | keyword | -| rsa.threat.threat_desc | This key is used to capture the threat description from the session directly or inferred | keyword | -| rsa.threat.threat_source | This key is used to capture source of the threat | keyword | -| rsa.time.date | | keyword | -| rsa.time.datetime | | keyword | -| rsa.time.day | | keyword | -| rsa.time.duration_str | A text string version of the duration | keyword | -| rsa.time.duration_time | This key is used to capture the normalized duration/lifetime in seconds. | double | -| rsa.time.effective_time | This key is the effective time referenced by an individual event in a Standard Timestamp format | date | -| rsa.time.endtime | This key is used to capture the End time mentioned in a session in a standard form | date | -| rsa.time.event_queue_time | This key is the Time that the event was queued. | date | -| rsa.time.event_time | This key is used to capture the time mentioned in a raw session that represents the actual time an event occured in a standard normalized form | date | -| rsa.time.event_time_str | This key is used to capture the incomplete time mentioned in a session as a string | keyword | -| rsa.time.eventtime | | keyword | -| rsa.time.expire_time | This key is the timestamp that explicitly refers to an expiration. | date | -| rsa.time.expire_time_str | This key is used to capture incomplete timestamp that explicitly refers to an expiration. 
| keyword | -| rsa.time.gmtdate | | keyword | -| rsa.time.gmttime | | keyword | -| rsa.time.hour | | keyword | -| rsa.time.min | | keyword | -| rsa.time.month | | keyword | -| rsa.time.p_date | | keyword | -| rsa.time.p_month | | keyword | -| rsa.time.p_time | | keyword | -| rsa.time.p_time1 | | keyword | -| rsa.time.p_time2 | | keyword | -| rsa.time.p_year | | keyword | -| rsa.time.process_time | Deprecated, use duration.time | keyword | -| rsa.time.recorded_time | The event time as recorded by the system the event is collected from. The usage scenario is a multi-tier application where the management layer of the system records it's own timestamp at the time of collection from its child nodes. Must be in timestamp format. | date | -| rsa.time.stamp | Deprecated key defined only in table map. | date | -| rsa.time.starttime | This key is used to capture the Start time mentioned in a session in a standard form | date | -| rsa.time.timestamp | | keyword | -| rsa.time.timezone | This key is used to capture the timezone of the Event Time | keyword | -| rsa.time.tzone | | keyword | -| rsa.time.year | | keyword | -| rsa.web.alias_host | | keyword | -| rsa.web.cn_asn_dst | | keyword | -| rsa.web.cn_rpackets | | keyword | -| rsa.web.fqdn | Fully Qualified Domain Names | keyword | -| rsa.web.p_url | | keyword | -| rsa.web.p_user_agent | | keyword | -| rsa.web.p_web_cookie | | keyword | -| rsa.web.p_web_method | | keyword | -| rsa.web.p_web_referer | | keyword | -| rsa.web.remote_domain | | keyword | -| rsa.web.reputation_num | Reputation Number of an entity. Typically used for Web Domains | double | -| rsa.web.urlpage | | keyword | -| rsa.web.urlroot | | keyword | -| rsa.web.web_cookie | This key is used to capture the Web cookies specifically. 
| keyword | -| rsa.web.web_extension_tmp | | keyword | -| rsa.web.web_page | | keyword | -| rsa.web.web_ref_domain | Web referer's domain | keyword | -| rsa.web.web_ref_page | This key captures Web referer's page information | keyword | -| rsa.web.web_ref_query | This key captures Web referer's query portion of the URL | keyword | -| rsa.web.web_ref_root | Web referer's root URL path | keyword | -| rsa.wireless.access_point | This key is used to capture the access point name. | keyword | -| rsa.wireless.wlan_channel | This is used to capture the channel names | long | -| rsa.wireless.wlan_name | This key captures either WLAN number/name | keyword | -| rsa.wireless.wlan_ssid | This key is used to capture the ssid of a Wireless Session | keyword | -| rule.name | The name of the rule or signature generating the event. | keyword | -| server.domain | Server domain. | keyword | -| service.name | Name of the service data is collected from. The name of the service is normally user given. This allows for distributed services that run on multiple hosts to correlate the related instances based on the name. In the case of Elasticsearch the `service.name` could contain the cluster name. For Beats the `service.name` is by default a copy of the `service.type` field if no name is specified. | keyword | -| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| source.as.organization.name | Organization name. | keyword | -| source.bytes | Bytes sent from the source to the destination. | long | -| source.domain | Source domain. | keyword | -| source.geo.city_name | City name. 
| keyword | -| source.geo.country_name | Country name. | keyword | -| source.geo.location.lat | | double | -| source.geo.location.lon | | double | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| source.mac | MAC address of the source. | keyword | -| source.nat.ip | Translated ip of source based NAT sessions (e.g. internal client to internet) Typically connections traversing load balancers, firewalls, or routers. | ip | -| source.nat.port | Translated port of source based NAT sessions. (e.g. internal client to internet) Typically used with load balancers, firewalls, or routers. | long | -| source.port | Port of the source. | long | -| tags | List of keywords used to tag each event. | keyword | -| url.domain | Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. | keyword | -| url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | keyword | -| url.path | Path of the request, such as "/search". | keyword | -| url.query | The query field describes the query string of the request, such as "q=elasticsearch". The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. | keyword | -| url.registered_domain | The highest registered url domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). 
Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword |
-| url.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword |
-| user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword |
-| user.full_name | User's full name, if available. | keyword |
-| user.id | Unique identifier of the user. | keyword |
-| user.name | Short name or login of the user. | keyword |
-| user_agent.original | Unparsed user_agent string. | keyword |
-
diff --git a/packages/imperva/0.10.1/manifest.yml b/packages/imperva/0.10.1/manifest.yml
deleted file mode 100755
index eeba87bf5d..0000000000
--- a/packages/imperva/0.10.1/manifest.yml
+++ /dev/null
@@ -1,27 +0,0 @@
-format_version: 1.0.0
-name: imperva
-title: Imperva SecureSphere Logs
-version: "0.10.1"
-description: Collect SecureSphere logs from Imperva devices with Elastic Agent.
-categories: ["network", "security"]
-release: experimental
-license: basic
-type: integration
-conditions:
-  kibana.version: "^7.14.1 || ^8.0.0"
-policy_templates:
-  - name: securesphere
-    title: Imperva SecureSphere
-    description: Collect Imperva SecureSphere logs from syslog or a file.
-    inputs:
-      - type: udp
-        title: Collect logs from Imperva SecureSphere via UDP
-        description: Collecting syslog from Imperva SecureSphere via UDP
-      - type: tcp
-        title: Collect logs from Imperva SecureSphere via TCP
-        description: Collecting syslog from Imperva SecureSphere via TCP
-      - type: logfile
-        title: Collect logs from Imperva SecureSphere via file
-        description: Collecting syslog from Imperva SecureSphere via file.
-owner:
-  github: elastic/security-external-integrations
diff --git a/packages/infoblox_bloxone_ddi/0.1.0/LICENSE.txt b/packages/infoblox_bloxone_ddi/0.1.0/LICENSE.txt
deleted file mode 100755
index 809108b857..0000000000
--- a/packages/infoblox_bloxone_ddi/0.1.0/LICENSE.txt
+++ /dev/null
@@ -1,93 +0,0 @@
-Elastic License 2.0
-
-URL: https://www.elastic.co/licensing/elastic-license
-
-## Acceptance
-
-By using the software, you agree to all of the terms and conditions below.
-
-## Copyright License
-
-The licensor grants you a non-exclusive, royalty-free, worldwide,
-non-sublicensable, non-transferable license to use, copy, distribute, make
-available, and prepare derivative works of the software, in each case subject to
-the limitations and conditions below.
-
-## Limitations
-
-You may not provide the software to third parties as a hosted or managed
-service, where the service provides users with access to any substantial set of
-the features or functionality of the software.
-
-You may not move, change, disable, or circumvent the license key functionality
-in the software, and you may not remove or obscure any functionality in the
-software that is protected by the license key.
-
-You may not alter, remove, or obscure any licensing, copyright, or other notices
-of the licensor in the software. Any use of the licensor’s trademarks is subject
-to applicable law.
-
-## Patents
-
-The licensor grants you a license, under any patent claims the licensor can
-license, or becomes able to license, to make, have made, use, sell, offer for
-sale, import and have imported the software, in each case subject to the
-limitations and conditions in this license. This license does not cover any
-patent claims that you cause to be infringed by modifications or additions to
-the software. If you or your company make any written claim that the software
-infringes or contributes to infringement of any patent, your patent license for
-the software granted under these terms ends immediately. If your company makes
-such a claim, your patent license ends immediately for work on behalf of your
-company.
-
-## Notices
-
-You must ensure that anyone who gets a copy of any part of the software from you
-also gets a copy of these terms.
-
-If you modify the software, you must include in any modified copies of the
-software prominent notices stating that you have modified the software.
-
-## No Other Rights
-
-These terms do not imply any licenses other than those expressly granted in
-these terms.
-
-## Termination
-
-If you use the software in violation of these terms, such use is not licensed,
-and your licenses will automatically terminate. If the licensor provides you
-with a notice of your violation, and you cease all violation of this license no
-later than 30 days after you receive that notice, your licenses will be
-reinstated retroactively. However, if you violate these terms after such
-reinstatement, any additional violation of these terms will cause your licenses
-to terminate automatically and permanently.
-
-## No Liability
-
-*As far as the law allows, the software comes as is, without any warranty or
-condition, and the licensor will not be liable to you for any damages arising
-out of these terms or the use or nature of the software, under any kind of
-legal claim.*
-
-## Definitions
-
-The **licensor** is the entity offering these terms, and the **software** is the
-software the licensor makes available under these terms, including any portion
-of it.
-
-**you** refers to the individual or entity agreeing to these terms.
-
-**your company** is any legal entity, sole proprietorship, or other kind of
-organization that you work for, plus all organizations that have control over,
-are under the control of, or are under common control with that
-organization. **control** means ownership of substantially all the assets of an
-entity, or the power to direct its management and policies by vote, contract, or
-otherwise. Control can be direct or indirect.
-
-**your licenses** are all the licenses granted to you for the software under
-these terms.
-
-**use** means anything you do with the software requiring one of your licenses.
-
-**trademark** means trademarks, service marks, and similar rights.
diff --git a/packages/infoblox_bloxone_ddi/0.1.0/changelog.yml b/packages/infoblox_bloxone_ddi/0.1.0/changelog.yml
deleted file mode 100755
index e12c1ac6cd..0000000000
--- a/packages/infoblox_bloxone_ddi/0.1.0/changelog.yml
+++ /dev/null
@@ -1,6 +0,0 @@
-# newer versions go on top
-- version: '0.1.0'
-  changes:
-    - description: Initial Release.
-      type: enhancement
-      link: https://github.com/elastic/integrations/pull/4118
diff --git a/packages/infoblox_bloxone_ddi/0.1.0/data_stream/dhcp_lease/agent/stream/httpjson.yml.hbs b/packages/infoblox_bloxone_ddi/0.1.0/data_stream/dhcp_lease/agent/stream/httpjson.yml.hbs
deleted file mode 100755
index aefcd7c934..0000000000
--- a/packages/infoblox_bloxone_ddi/0.1.0/data_stream/dhcp_lease/agent/stream/httpjson.yml.hbs
+++ /dev/null
@@ -1,54 +0,0 @@
-config_version: 2
-interval: {{interval}}
-{{#if proxy_url }}
-request.proxy_url: {{proxy_url}}
-{{/if}}
-{{#if ssl}}
-request.ssl: {{ssl}}
-{{/if}}
-request.method: GET
-request.url: {{url}}/api/ddi/v1/dhcp/lease
-request.transforms:
-  - set:
-      target: header.Authorization
-      value: 'Token {{api_key}}'
-  - set:
-      target: url.params._offset
-      value: 0
-  - set:
-      target: url.params._limit
-      value: 100
-  - set:
-      target: url.params._order_by
-      value: 'last_updated asc'
-  - set:
-      target: url.params._filter
-      value: 'last_updated>="[[(formatDate (parseDate .cursor.last_updated_at) "2006-01-02T15:04:05.999Z")]]"'
-      default: 'last_updated>="[[(formatDate (now (parseDuration "-{{initial_interval}}")) "2006-01-02T15:04:05.999Z")]]"'
-response.pagination:
-  - set:
-      target: url.params._offset
-      value: '[[if (eq (len .last_response.body.results) 100)]][[add (toInt (.last_response.url.params.Get "_offset")) 100]][[else]][[.last_response.terminate_pagination]][[end]]'
-      fail_on_template_error: true
-cursor:
-  last_updated_at:
-    value: '[[.last_event.last_updated]]'
-response.split:
-  target: body.results
-tags:
-{{#if preserve_original_event}}
-  - preserve_original_event
-{{/if}}
-{{#if preserve_duplicate_custom_fields}}
-  - preserve_duplicate_custom_fields
-{{/if}}
-{{#each tags as |tag|}}
-  - {{tag}}
-{{/each}}
-{{#contains "forwarded" tags}}
-publisher_pipeline.disable_host: true
-{{/contains}}
-{{#if processors}}
-processors:
-{{processors}}
-{{/if}}
diff --git a/packages/infoblox_bloxone_ddi/0.1.0/data_stream/dhcp_lease/elasticsearch/ingest_pipeline/default.yml b/packages/infoblox_bloxone_ddi/0.1.0/data_stream/dhcp_lease/elasticsearch/ingest_pipeline/default.yml
deleted file mode 100755
index b0f1d73624..0000000000
--- a/packages/infoblox_bloxone_ddi/0.1.0/data_stream/dhcp_lease/elasticsearch/ingest_pipeline/default.yml
+++ /dev/null
@@ -1,244 +0,0 @@ ---- -description: Pipeline for parsing DHCP lease logs. -processors: - - set: - field: ecs.version - value: '8.4.0' - - set: - field: event.kind - value: event - - set: - field: event.category - value: [network] - - set: - field: event.type - value: [protocol] - - rename: - field: message - target_field: event.original - ignore_missing: true - - json: - field: event.original - target_field: json - - fingerprint: - fields: - - json.starts - - json.last_updated - - json.ends - target_field: _id - ignore_missing: true - - convert: - field: json.address - target_field: infoblox_bloxone_ddi.dhcp_lease.address - if: ctx.json?.address != '' - type: ip - ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - append: - field: related.ip - value: '{{{infoblox_bloxone_ddi.dhcp_lease.address}}}' - allow_duplicates: false - ignore_failure: true - - rename: - field: json.client_id - target_field: infoblox_bloxone_ddi.dhcp_lease.client_id - ignore_missing: true - - set: - field: client.user.id - copy_from: infoblox_bloxone_ddi.dhcp_lease.client_id - ignore_failure: true - - date: - field: json.ends - target_field: infoblox_bloxone_ddi.dhcp_lease.ends - if: ctx.json?.ends != null && ctx.json.ends != '' - formats: - - ISO8601 - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - set: - field: event.end - copy_from: infoblox_bloxone_ddi.dhcp_lease.ends - ignore_failure: true - - rename: - field: json.fingerprint - target_field: infoblox_bloxone_ddi.dhcp_lease.fingerprint.value - ignore_missing: true - - rename: - field: json.fingerprint_processed - target_field: infoblox_bloxone_ddi.dhcp_lease.fingerprint.processed - ignore_missing: true - - rename: - field: json.ha_group - target_field: infoblox_bloxone_ddi.dhcp_lease.ha_group - ignore_missing: true - - gsub: - field: json.hardware - pattern: '[:.]' - replacement: '-' - ignore_missing: true - - uppercase: - 
field: json.hardware - ignore_missing: true - - rename: - field: json.hardware - target_field: infoblox_bloxone_ddi.dhcp_lease.hardware - ignore_missing: true - - rename: - field: json.host - target_field: infoblox_bloxone_ddi.dhcp_lease.host - ignore_missing: true - - set: - field: host.name - copy_from: infoblox_bloxone_ddi.dhcp_lease.host - ignore_failure: true - - append: - field: related.hosts - value: '{{{host.name}}}' - if: ctx.host?.name != null - allow_duplicates: false - ignore_failure: true - - rename: - field: json.hostname - target_field: infoblox_bloxone_ddi.dhcp_lease.hostname - ignore_missing: true - - set: - field: host.hostname - copy_from: infoblox_bloxone_ddi.dhcp_lease.hostname - ignore_failure: true - - append: - field: related.hosts - value: '{{{host.hostname}}}' - if: ctx.host?.hostname != null - allow_duplicates: false - ignore_failure: true - - convert: - field: json.iaid - target_field: infoblox_bloxone_ddi.dhcp_lease.iaid - if: ctx.json?.iaid != '' - type: long - ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - date: - field: json.last_updated - target_field: infoblox_bloxone_ddi.dhcp_lease.last_updated - if: ctx.json?.last_updated != null && ctx.json.last_updated != '' - formats: - - ISO8601 - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - set: - field: '@timestamp' - copy_from: infoblox_bloxone_ddi.dhcp_lease.last_updated - ignore_failure: true - - rename: - field: json.options - target_field: infoblox_bloxone_ddi.dhcp_lease.options - ignore_missing: true - - date: - field: json.preferred_lifetime - target_field: infoblox_bloxone_ddi.dhcp_lease.preferred_lifetime - if: ctx.json?.preferred_lifetime != null && ctx.json.preferred_lifetime != '' - formats: - - ISO8601 - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - set: - field: json.protocol - value: ipv4 - if: 
ctx.json?.protocol == 'ip4' - ignore_failure: true - - set: - field: json.protocol - value: ipv6 - if: ctx.json?.protocol == 'ip6' - ignore_failure: true - - rename: - field: json.protocol - target_field: infoblox_bloxone_ddi.dhcp_lease.protocol - ignore_missing: true - - set: - field: network.type - copy_from: infoblox_bloxone_ddi.dhcp_lease.protocol - ignore_failure: true - - lowercase: - field: network.type - ignore_failure: true - - rename: - field: json.space - target_field: infoblox_bloxone_ddi.dhcp_lease.space - ignore_missing: true - - date: - field: json.starts - target_field: infoblox_bloxone_ddi.dhcp_lease.starts - if: ctx.json?.starts != null && ctx.json.starts != '' - formats: - - ISO8601 - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - set: - field: event.start - copy_from: infoblox_bloxone_ddi.dhcp_lease.starts - ignore_failure: true - - rename: - field: json.state - target_field: infoblox_bloxone_ddi.dhcp_lease.state - ignore_missing: true - - rename: - field: json.type - target_field: infoblox_bloxone_ddi.dhcp_lease.type - ignore_missing: true - - remove: - field: json - ignore_missing: true - - remove: - field: - - infoblox_bloxone_ddi.dhcp_lease.last_updated - - infoblox_bloxone_ddi.dhcp_lease.client_id - - infoblox_bloxone_ddi.dhcp_lease.ends - - infoblox_bloxone_ddi.dhcp_lease.starts - - infoblox_bloxone_ddi.dhcp_lease.hostname - - infoblox_bloxone_ddi.dhcp_lease.host - - infoblox_bloxone_ddi.dhcp_lease.protocol - if: ctx.tags == null || !(ctx.tags.contains('preserve_duplicate_custom_fields')) - ignore_failure: true - ignore_missing: true - - remove: - field: event.original - if: ctx.tags == null || !(ctx.tags.contains('preserve_original_event')) - ignore_failure: true - ignore_missing: true - - script: - description: Drops null/empty values recursively. 
- lang: painless - source: - boolean dropEmptyFields(Object object) { - if (object == null || object == "") { - return true; - } else if (object instanceof Map) { - ((Map) object).values().removeIf(value -> dropEmptyFields(value)); - return (((Map) object).size() == 0); - } else if (object instanceof List) { - ((List) object).removeIf(value -> dropEmptyFields(value)); - return (((List) object).length == 0); - } - return false; - } - dropEmptyFields(ctx); -on_failure: - - append: - field: error.message - value: '{{ _ingest.on_failure_message }}' diff --git a/packages/infoblox_bloxone_ddi/0.1.0/data_stream/dhcp_lease/fields/agent.yml b/packages/infoblox_bloxone_ddi/0.1.0/data_stream/dhcp_lease/fields/agent.yml deleted file mode 100755 index 6e1bac042b..0000000000 --- a/packages/infoblox_bloxone_ddi/0.1.0/data_stream/dhcp_lease/fields/agent.yml +++ /dev/null 
@@ -1,186 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - -- name: input.type - type: keyword - description: Input type -- name: log.offset - type: long - description: Log offset 
diff --git a/packages/infoblox_bloxone_ddi/0.1.0/data_stream/dhcp_lease/fields/base-fields.yml b/packages/infoblox_bloxone_ddi/0.1.0/data_stream/dhcp_lease/fields/base-fields.yml deleted file mode 100755 index 4b10727c63..0000000000 --- a/packages/infoblox_bloxone_ddi/0.1.0/data_stream/dhcp_lease/fields/base-fields.yml +++ /dev/null @@ -1,20 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: '@timestamp' - type: date - description: Event timestamp. -- name: event.module - type: constant_keyword - description: Event module. - value: infoblox_bloxone_ddi -- name: event.dataset - type: constant_keyword - description: Event dataset. - value: infoblox_bloxone_ddi.dhcp_lease diff --git a/packages/infoblox_bloxone_ddi/0.1.0/data_stream/dhcp_lease/fields/ecs.yml b/packages/infoblox_bloxone_ddi/0.1.0/data_stream/dhcp_lease/fields/ecs.yml deleted file mode 100755 index 36437b3e68..0000000000 --- a/packages/infoblox_bloxone_ddi/0.1.0/data_stream/dhcp_lease/fields/ecs.yml +++ /dev/null 
@@ -1,80 +0,0 @@ -- description: Unique identifier of the user. - name: client.user.id - type: keyword -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. This will allow proper categorization of some events that fall in multiple categories. - name: event.category - normalize: - - array - type: keyword -- description: |- - event.created contains the date/time when the event was first read by an agent, or by your pipeline. - This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. - In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. - In case the two timestamps are identical, @timestamp should be used. - name: event.created - type: date -- description: event.end contains the date when the event ended or when the activity was last observed. - name: event.end - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. 
- `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: |- - Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. - This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. - doc_values: false - index: false - name: event.original - type: keyword -- description: event.start contains the date when the event started or when the activity was first observed. - name: event.start - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. - `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. This will allow proper categorization of some events that fall in multiple event types. - name: event.type - normalize: - - array - type: keyword -- description: |- - Hostname of the host. - It normally contains what the `hostname` command returns on the host machine. - name: host.hostname - type: keyword -- description: |- - Name of the host. - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. 
The sender decides which value to use. - name: host.name - type: keyword -- description: |- - In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc - The field value must be normalized to lowercase for querying. - name: network.type - type: keyword -- description: All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. - name: related.hosts - normalize: - - array - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - normalize: - - array - type: ip -- description: List of keywords used to tag each event. - name: tags - normalize: - - array - type: keyword diff --git a/packages/infoblox_bloxone_ddi/0.1.0/data_stream/dhcp_lease/fields/fields.yml b/packages/infoblox_bloxone_ddi/0.1.0/data_stream/dhcp_lease/fields/fields.yml deleted file mode 100755 index 2aa51045d1..0000000000 --- a/packages/infoblox_bloxone_ddi/0.1.0/data_stream/dhcp_lease/fields/fields.yml +++ /dev/null 
@@ -1,60 +0,0 @@ -- name: infoblox_bloxone_ddi.dhcp_lease - type: group - fields: - - name: address - type: ip - description: The IP address of the DHCP lease in the format "a.b.c.d". This address will be marked as leased in IPAM while the lease exists. - - name: client_id - type: keyword - description: The client ID of the DHCP lease. It might be empty. - - name: ends - type: date - description: The time when the DHCP lease will expire. - - name: fingerprint - type: group - fields: - - name: processed - type: keyword - description: Indicates if the DHCP lease has been fingerprinted. - - name: value - type: keyword - description: The DHCP fingerprint of the lease. - - name: ha_group - type: keyword - description: The resource identifier. - - name: hardware - type: keyword - description: The hardware address of the DHCP lease. This specifies the MAC address of the network interface on which the lease will be used. It consists of six groups of two hex digits in lower-case separated by colons. For example, "aa:bb:cc:dd:ee:ff". - - name: host - type: keyword - description: The resource identifier. - - name: hostname - type: keyword - description: The client hostname of the DHCP lease. This specifies the host name that the DHCP client sends to the DHCP server using DHCP option 12. It is a fully qualified domain name, consisting of a series of labels separated by dots. For example, "www.infoblox.com". It might be empty. - - name: iaid - type: long - description: Identity Association Identifier (IAID) of the lease. Applicable only for DHCPv6. - - name: last_updated - type: date - description: The time when the DHCP lease was last updated. - - name: options - type: flattened - description: The DHCP options of the lease in JSON format. - - name: preferred_lifetime - type: date - description: The preferred time when the DHCP lease should expire. Applicable only for DHCPv6. - - name: protocol - type: keyword - description: Lease protocol type. 
- - name: space - type: keyword - description: The resource identifier. - - name: starts - type: date - description: The time when the DHCP lease was issued. - - name: state - type: keyword - description: The state of the DHCP lease. - - name: type - type: keyword - description: Lease type. diff --git a/packages/infoblox_bloxone_ddi/0.1.0/data_stream/dhcp_lease/manifest.yml b/packages/infoblox_bloxone_ddi/0.1.0/data_stream/dhcp_lease/manifest.yml deleted file mode 100755 index 1b94fb56d2..0000000000 --- a/packages/infoblox_bloxone_ddi/0.1.0/data_stream/dhcp_lease/manifest.yml +++ /dev/null 
@@ -1,57 +0,0 @@ -title: Collect DHCP Lease logs from Infoblox BloxOne DDI -type: logs -streams: - - input: httpjson - title: DHCP Lease logs - description: Collect DHCP Lease logs from Infoblox BloxOne DDI. - template_path: httpjson.yml.hbs - vars: - - name: initial_interval - type: text - title: Initial Interval - description: How far back to pull the DHCP Lease events from Infoblox BloxOne DDI. NOTE:- Supported units for this parameter are h/m/s. - multi: false - required: true - show_user: true - default: 24h - - name: interval - type: text - title: Interval - description: Duration between requests to the Infoblox BloxOne DDI API. NOTE:- Supported units for this parameter are h/m/s. - multi: false - required: true - show_user: true - default: 1m - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: false - default: - - forwarded - - infoblox_bloxone_ddi_dhcp_lease - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original`. - type: bool - multi: false - default: false - - name: preserve_duplicate_custom_fields - required: true - show_user: true - title: Preserve duplicate custom fields - description: Preserve custom fields for all ECS mappings. - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: >- - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. 
diff --git a/packages/infoblox_bloxone_ddi/0.1.0/data_stream/dhcp_lease/sample_event.json b/packages/infoblox_bloxone_ddi/0.1.0/data_stream/dhcp_lease/sample_event.json deleted file mode 100755 index 9af8ef3ada..0000000000 --- a/packages/infoblox_bloxone_ddi/0.1.0/data_stream/dhcp_lease/sample_event.json +++ /dev/null 
@@ -1,96 +0,0 @@ -{ - "@timestamp": "2022-07-11T11:51:15.417Z", - "agent": { - "ephemeral_id": "a4b27e2a-c005-43ce-9542-7548dcc7b414", - "hostname": "docker-fleet-agent", - "id": "40a09f39-a5b9-4b21-8605-6f6e9cd36138", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "7.17.0" - }, - "client": { - "user": { - "id": "abc3212abc" - } - }, - "data_stream": { - "dataset": "infoblox_bloxone_ddi.dhcp_lease", - "namespace": "ep", - "type": "logs" - }, - "ecs": { - "version": "8.4.0" - }, - "elastic_agent": { - "id": "40a09f39-a5b9-4b21-8605-6f6e9cd36138", - "snapshot": false, - "version": "7.17.0" - }, - "event": { - "agent_id_status": "verified", - "category": [ - "network" - ], - "created": "2022-09-22T08:27:40.118Z", - "dataset": "infoblox_bloxone_ddi.dhcp_lease", - "end": "2022-07-11T11:51:15.417Z", - "ingested": "2022-09-22T08:27:43Z", - "kind": "event", - "original": "{\"address\":\"81.2.69.192\",\"client_id\":\"abc3212abc\",\"ends\":\"2022-07-11T11:51:15.417Z\",\"fingerprint\":\"ab3213cbabab/abc23bca\",\"fingerprint_processed\":\"12abca32bca32abcd\",\"ha_group\":\"abc321cdcbda321\",\"hardware\":\"00:00:5E:00:53:00\",\"host\":\"admin\",\"hostname\":\"Host1\",\"iaid\":0,\"last_updated\":\"2022-07-11T11:51:15.417Z\",\"options\":{\"message\":\"Hello\"},\"preferred_lifetime\":\"2022-07-11T11:51:15.417Z\",\"protocol\":\"ip4\",\"space\":\"DHCP lease Space\",\"starts\":\"2022-07-14T11:51:15.417Z\",\"state\":\"used\",\"type\":\"DHCP lease Type\"}", - "start": "2022-07-14T11:51:15.417Z", - "type": [ - "protocol" - ] - }, - "host": { - "hostname": "Host1", - "name": "admin" - }, - "infoblox_bloxone_ddi": { - "dhcp_lease": { - "address": "81.2.69.192", - "client_id": "abc3212abc", - "ends": "2022-07-11T11:51:15.417Z", - "fingerprint": { - "processed": "12abca32bca32abcd", - "value": "ab3213cbabab/abc23bca" - }, - "ha_group": "abc321cdcbda321", - "hardware": "00-00-5E-00-53-00", - "host": "admin", - "hostname": "Host1", - "iaid": 0, - "last_updated": 
"2022-07-11T11:51:15.417Z", - "options": { - "message": "Hello" - }, - "preferred_lifetime": "2022-07-11T11:51:15.417Z", - "protocol": "ipv4", - "space": "DHCP lease Space", - "starts": "2022-07-14T11:51:15.417Z", - "state": "used", - "type": "DHCP lease Type" - } - }, - "input": { - "type": "httpjson" - }, - "network": { - "type": "ipv4" - }, - "related": { - "hosts": [ - "admin", - "Host1" - ], - "ip": [ - "81.2.69.192" - ] - }, - "tags": [ - "preserve_original_event", - "preserve_duplicate_custom_fields", - "forwarded", - "infoblox_bloxone_ddi_dhcp_lease" - ] -} \ No newline at end of file diff --git a/packages/infoblox_bloxone_ddi/0.1.0/data_stream/dns_config/agent/stream/httpjson.yml.hbs b/packages/infoblox_bloxone_ddi/0.1.0/data_stream/dns_config/agent/stream/httpjson.yml.hbs deleted file mode 100755 index a0e6e01a69..0000000000 --- a/packages/infoblox_bloxone_ddi/0.1.0/data_stream/dns_config/agent/stream/httpjson.yml.hbs +++ /dev/null 
@@ -1,54 +0,0 @@ -config_version: 2 -interval: {{interval}} -{{#if proxy_url }} -request.proxy_url: {{proxy_url}} -{{/if}} -{{#if ssl}} -request.ssl: {{ssl}} -{{/if}} -request.method: GET -request.url: {{url}}/api/ddi/v1/dns/view -request.transforms: - - set: - target: header.Authorization - value: 'Token {{api_key}}' - - set: - target: url.params._offset - value: 0 - - set: - target: url.params._limit - value: 100 - - set: - target: url.params._order_by - value: 'updated_at asc' - - set: - target: url.params._filter - value: 'updated_at>="[[(formatDate (parseDate .cursor.last_updated_at) "2006-01-02T15:04:05.999Z")]]"' - default: 'updated_at>="[[(formatDate (now (parseDuration "-{{initial_interval}}")) "2006-01-02T15:04:05.999Z")]]"' -response.pagination: - - set: - target: url.params._offset - value: '[[if (eq (len .last_response.body.results) 100)]][[add (toInt (.last_response.url.params.Get "_offset")) 100]][[else]][[.last_response.terminate_pagination]][[end]]' - fail_on_template_error: true -cursor: - last_updated_at: - value: '[[.last_event.updated_at]]' -response.split: - target: body.results -tags: -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#if preserve_duplicate_custom_fields}} - - preserve_duplicate_custom_fields -{{/if}} -{{#each tags as |tag|}} - - {{tag}} -{{/each}} -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} -{{#if processors}} -processors: -{{processors}} -{{/if}} diff --git a/packages/infoblox_bloxone_ddi/0.1.0/data_stream/dns_config/elasticsearch/ingest_pipeline/default.yml b/packages/infoblox_bloxone_ddi/0.1.0/data_stream/dns_config/elasticsearch/ingest_pipeline/default.yml deleted file mode 100755 index 0e61d025ff..0000000000 --- a/packages/infoblox_bloxone_ddi/0.1.0/data_stream/dns_config/elasticsearch/ingest_pipeline/default.yml +++ /dev/null 
@@ -1,1993 +0,0 @@ ---- -description: Pipeline for parsing DNS config logs. -processors: - - set: - field: ecs.version - value: '8.4.0' - - set: - field: event.kind - value: event - - set: - field: event.category - value: [network] - - set: - field: event.type - value: [protocol] - - rename: - field: message - target_field: event.original - ignore_missing: true - - json: - field: event.original - target_field: json - - fingerprint: - fields: - - json.created_at - - json.updated_at - - json.id - target_field: _id - ignore_missing: true - - convert: - field: json.add_edns_option_in_outgoing_query - target_field: infoblox_bloxone_ddi.dns_config.add_edns.option_in.outgoing_query - if: ctx.json?.add_edns_option_in_outgoing_query != '' - type: boolean - ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - rename: - field: json.comment - target_field: infoblox_bloxone_ddi.dns_config.comment - ignore_missing: true - - date: - field: json.created_at - target_field: infoblox_bloxone_ddi.dns_config.created_at - if: ctx.json?.created_at != null && ctx.json.created_at != '' - formats: - - ISO8601 - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - set: - field: event.created - copy_from: infoblox_bloxone_ddi.dns_config.created_at - ignore_failure: true - - foreach: - field: json.custom_root_ns - if: ctx.json?.custom_root_ns instanceof List - processor: - convert: - field: _ingest._value.address - type: ip - ignore_missing: true - on_failure: - - remove: - field: _ingest._value.address - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - ignore_missing: true - ignore_failure: true - - foreach: - field: json.custom_root_ns - if: ctx.json?.custom_root_ns instanceof List - processor: - append: - field: related.ip - value: '{{{_ingest._value.address}}}' - allow_duplicates: false - ignore_failure: true - ignore_missing: true - ignore_failure: true 
- - foreach: - field: json.custom_root_ns - if: ctx.json?.custom_root_ns instanceof List - processor: - rename: - field: _ingest._value.protocol_fqdn - target_field: _ingest._value.protocol.fqdn - ignore_missing: true - ignore_missing: true - ignore_failure: true - - rename: - field: json.custom_root_ns - target_field: infoblox_bloxone_ddi.dns_config.custom_root_ns - ignore_missing: true - - convert: - field: json.custom_root_ns_enabled - target_field: infoblox_bloxone_ddi.dns_config.custom_root_ns_enabled - if: ctx.json?.custom_root_ns_enabled != '' - type: boolean - ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - convert: - field: json.disabled - target_field: infoblox_bloxone_ddi.dns_config.disabled - if: ctx.json?.disabled != '' - type: boolean - ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - convert: - field: json.dnssec_enable_validation - target_field: infoblox_bloxone_ddi.dns_config.dnssec.enable_validation - if: ctx.json?.dnssec_enable_validation != '' - type: boolean - ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - convert: - field: json.dnssec_enabled - target_field: infoblox_bloxone_ddi.dns_config.dnssec.enabled - if: ctx.json?.dnssec_enabled != '' - type: boolean - ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - foreach: - field: json.dnssec_root_keys - if: ctx.json?.dnssec_root_keys instanceof List - processor: - convert: - field: _ingest._value.algorithm - type: long - ignore_missing: true - on_failure: - - remove: - field: _ingest._value.algorithm - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - ignore_missing: true - ignore_failure: true - - foreach: - field: json.dnssec_root_keys - if: ctx.json?.dnssec_root_keys instanceof List - 
processor: - rename: - field: _ingest._value.protocol_zone - target_field: _ingest._value.protocol.zone - ignore_missing: true - ignore_missing: true - ignore_failure: true - - foreach: - field: json.dnssec_root_keys - if: ctx.json?.dnssec_root_keys instanceof List - processor: - rename: - field: _ingest._value.public_key - target_field: _ingest._value.public - ignore_missing: true - ignore_missing: true - ignore_failure: true - - foreach: - field: json.dnssec_root_keys - if: ctx.json?.dnssec_root_keys instanceof List - processor: - convert: - field: _ingest._value.sep - type: boolean - ignore_missing: true - on_failure: - - remove: - field: _ingest._value.sep - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - ignore_missing: true - ignore_failure: true - - rename: - field: json.dnssec_root_keys - target_field: infoblox_bloxone_ddi.dns_config.dnssec.root_keys - ignore_missing: true - - foreach: - field: json.dnssec_trust_anchors - if: ctx.json?.dnssec_trust_anchors instanceof List - processor: - convert: - field: _ingest._value.algorithm - type: long - ignore_missing: true - on_failure: - - remove: - field: _ingest._value.algorithm - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - ignore_missing: true - ignore_failure: true - - foreach: - field: json.dnssec_trust_anchors - if: ctx.json?.dnssec_trust_anchors instanceof List - processor: - rename: - field: _ingest._value.protocol_zone - target_field: _ingest._value.protocol.zone - ignore_missing: true - ignore_missing: true - ignore_failure: true - - foreach: - field: json.dnssec_trust_anchors - if: ctx.json?.dnssec_trust_anchors instanceof List - processor: - convert: - field: _ingest._value.sep - type: boolean - ignore_missing: true - on_failure: - - remove: - field: _ingest._value.sep - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - ignore_missing: true - ignore_failure: true - - rename: - field: json.dnssec_trust_anchors 
- target_field: infoblox_bloxone_ddi.dns_config.dnssec.trust_anchors - ignore_missing: true - - convert: - field: json.dnssec_validate_expiry - target_field: infoblox_bloxone_ddi.dns_config.dnssec.validate_expiry - if: ctx.json?.dnssec_validate_expiry != '' - type: boolean - ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - convert: - field: json.ecs_enabled - target_field: infoblox_bloxone_ddi.dns_config.ecs.enabled - if: ctx.json?.ecs_enabled != '' - type: boolean - ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - convert: - field: json.ecs_forwarding - target_field: infoblox_bloxone_ddi.dns_config.ecs.forwarding - if: ctx.json?.ecs_forwarding != '' - type: boolean - ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - convert: - field: json.ecs_prefix_v4 - target_field: infoblox_bloxone_ddi.dns_config.ecs.prefix_v4 - if: ctx.json?.ecs_prefix_v4 != '' - type: long - ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - convert: - field: json.ecs_prefix_v6 - target_field: infoblox_bloxone_ddi.dns_config.ecs.prefix_v6 - if: ctx.json?.ecs_prefix_v6 != '' - type: long - ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - foreach: - field: json.ecs_zones - if: ctx.json?.ecs_zones instanceof List - processor: - rename: - field: _ingest._value.protocol_fqdn - target_field: _ingest._value.protocol.fqdn - ignore_missing: true - ignore_missing: true - ignore_failure: true - - rename: - field: json.ecs_zones - target_field: infoblox_bloxone_ddi.dns_config.ecs.zones - ignore_missing: true - - convert: - field: json.edns_udp_size - target_field: infoblox_bloxone_ddi.dns_config.edns.udp.size - if: ctx.json?.edns_udp_size != '' - type: long - 
ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - foreach: - field: json.forwarders - if: ctx.json?.forwarders instanceof List - processor: - convert: - field: _ingest._value.address - type: ip - ignore_missing: true - on_failure: - - remove: - field: _ingest._value.address - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - ignore_missing: true - ignore_failure: true - - foreach: - field: json.forwarders - if: ctx.json?.forwarders instanceof List - processor: - append: - field: related.ip - value: '{{{_ingest._value.address}}}' - allow_duplicates: false - ignore_failure: true - ignore_missing: true - ignore_failure: true - - foreach: - field: json.forwarders - if: ctx.json?.forwarders instanceof List - processor: - rename: - field: _ingest._value.protocol_fqdn - target_field: _ingest._value.protocol.fqdn - ignore_missing: true - ignore_missing: true - ignore_failure: true - - rename: - field: json.forwarders - target_field: infoblox_bloxone_ddi.dns_config.forwarders - ignore_missing: true - - convert: - field: json.forwarders_only - target_field: infoblox_bloxone_ddi.dns_config.forwarders_only - if: ctx.json?.forwarders_only != '' - type: boolean - ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - convert: - field: json.gss_tsig_enabled - target_field: infoblox_bloxone_ddi.dns_config.gss_tsig_enabled - if: ctx.json?.gss_tsig_enabled != '' - type: boolean - ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - rename: - field: json.id - target_field: infoblox_bloxone_ddi.dns_config.id - ignore_missing: true - - set: - field: event.id - copy_from: infoblox_bloxone_ddi.dns_config.id - ignore_failure: true - - rename: - field: json.inheritance_sources.add_edns_option_in_outgoing_query.action - target_field: 
infoblox_bloxone_ddi.dns_config.inheritance.sources.add_edns.option_in.outgoing_query.action - ignore_missing: true - - rename: - field: json.inheritance_sources.add_edns_option_in_outgoing_query.display_name - target_field: infoblox_bloxone_ddi.dns_config.inheritance.sources.add_edns.option_in.outgoing_query.display.name - ignore_missing: true - - rename: - field: json.inheritance_sources.add_edns_option_in_outgoing_query.source - target_field: infoblox_bloxone_ddi.dns_config.inheritance.sources.add_edns.option_in.outgoing_query.source - ignore_missing: true - - convert: - field: json.inheritance_sources.add_edns_option_in_outgoing_query.value - target_field: infoblox_bloxone_ddi.dns_config.inheritance.sources.add_edns.option_in.outgoing_query.value - if: ctx.json?.inheritance_sources?.add_edns_option_in_outgoing_query?.value != '' - type: boolean - ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - rename: - field: json.inheritance_sources.custom_root_ns_block.action - target_field: infoblox_bloxone_ddi.dns_config.inheritance.sources.custom_root_ns.block.action - ignore_missing: true - - rename: - field: json.inheritance_sources.custom_root_ns_block.display_name - target_field: infoblox_bloxone_ddi.dns_config.inheritance.sources.custom_root_ns.block.display.name - ignore_missing: true - - rename: - field: json.inheritance_sources.custom_root_ns_block.source - target_field: infoblox_bloxone_ddi.dns_config.inheritance.sources.custom_root_ns.block.source - ignore_missing: true - - foreach: - field: json.inheritance_sources.custom_root_ns_block.value.custom_root_ns - if: ctx.json?.inheritance_sources?.custom_root_ns_block?.value?.custom_root_ns instanceof List - processor: - convert: - field: _ingest._value.address - type: ip - ignore_missing: true - on_failure: - - remove: - field: _ingest._value.address - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - ignore_missing: 
true - ignore_failure: true - - foreach: - field: json.inheritance_sources.custom_root_ns_block.value.custom_root_ns - if: ctx.json?.inheritance_sources?.custom_root_ns_block?.value?.custom_root_ns instanceof List - processor: - append: - field: related.ip - value: '{{{_ingest._value.address}}}' - allow_duplicates: false - ignore_failure: true - ignore_missing: true - ignore_failure: true - - foreach: - field: json.inheritance_sources.custom_root_ns_block.value.custom_root_ns - if: ctx.json?.inheritance_sources?.custom_root_ns_block?.value?.custom_root_ns instanceof List - processor: - rename: - field: _ingest._value.protocol_fqdn - target_field: _ingest._value.protocol.fqdn - ignore_missing: true - ignore_missing: true - ignore_failure: true - - rename: - field: json.inheritance_sources.custom_root_ns_block.value.custom_root_ns - target_field: infoblox_bloxone_ddi.dns_config.inheritance.sources.custom_root_ns.block.value - ignore_missing: true - - convert: - field: json.inheritance_sources.custom_root_ns_block.value.custom_root_ns_enabled - target_field: infoblox_bloxone_ddi.dns_config.inheritance.sources.custom_root_ns.block.value_enabled - if: ctx.json?.inheritance_sources?.custom_root_ns_block?.value?.custom_root_ns_enabled != '' - type: boolean - ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - rename: - field: json.inheritance_sources.dnssec_validation_block.action - target_field: infoblox_bloxone_ddi.dns_config.inheritance.sources.dnssec.validation.block.action - ignore_missing: true - - rename: - field: json.inheritance_sources.dnssec_validation_block.display_name - target_field: infoblox_bloxone_ddi.dns_config.inheritance.sources.dnssec.validation.block.display.name - ignore_missing: true - - rename: - field: json.inheritance_sources.dnssec_validation_block.source - target_field: infoblox_bloxone_ddi.dns_config.inheritance.sources.dnssec.validation.block.source - ignore_missing: true - - 
convert: - field: json.inheritance_sources.dnssec_validation_block.value.dnssec_enable_validation - target_field: infoblox_bloxone_ddi.dns_config.inheritance.sources.dnssec.validation.block.value.enable - if: ctx.json?.inheritance_sources?.dnssec_validation_block?.value?.dnssec_enable_validation != '' - type: boolean - ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - convert: - field: json.inheritance_sources.dnssec_validation_block.value.dnssec_enabled - target_field: infoblox_bloxone_ddi.dns_config.inheritance.sources.dnssec.validation.block.value.enabled - if: ctx.json?.inheritance_sources?.dnssec_validation_block?.value?.dnssec_enabled != '' - type: boolean - ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - foreach: - field: json.inheritance_sources.dnssec_validation_block.value.dnssec_trust_anchors - if: ctx.json?.inheritance_sources?.dnssec_validation_block?.value?.dnssec_trust_anchors instanceof List - processor: - convert: - field: _ingest._value.algorithm - type: long - ignore_missing: true - on_failure: - - remove: - field: _ingest._value.algorithm - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - ignore_missing: true - ignore_failure: true - - foreach: - field: json.inheritance_sources.dnssec_validation_block.value.dnssec_trust_anchors - if: ctx.json?.inheritance_sources?.dnssec_validation_block?.value?.dnssec_trust_anchors instanceof List - processor: - rename: - field: _ingest._value.protocol_zone - target_field: _ingest._value.protocol.zone - ignore_missing: true - ignore_missing: true - ignore_failure: true - - foreach: - field: json.inheritance_sources.dnssec_validation_block.value.dnssec_trust_anchors - if: ctx.json?.inheritance_sources?.dnssec_validation_block?.value?.dnssec_trust_anchors instanceof List - processor: - convert: - field: _ingest._value.sep - type: boolean - 
ignore_missing: true - on_failure: - - remove: - field: _ingest._value.sep - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - ignore_missing: true - ignore_failure: true - - rename: - field: json.inheritance_sources.dnssec_validation_block.value.dnssec_trust_anchors - target_field: infoblox_bloxone_ddi.dns_config.inheritance.sources.dnssec.validation.block.value.trust_anchors - ignore_missing: true - - convert: - field: json.inheritance_sources.dnssec_validation_block.value.dnssec_validate_expiry - target_field: infoblox_bloxone_ddi.dns_config.inheritance.sources.dnssec.validation.block.value.validate_expiry - if: ctx.json?.inheritance_sources?.dnssec_validation_block?.value?.dnssec_validate_expiry != '' - type: boolean - ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - rename: - field: json.inheritance_sources.ecs_block.action - target_field: infoblox_bloxone_ddi.dns_config.inheritance.sources.ecs.block.action - ignore_missing: true - - rename: - field: json.inheritance_sources.ecs_block.display_name - target_field: infoblox_bloxone_ddi.dns_config.inheritance.sources.ecs.block.display.name - ignore_missing: true - - rename: - field: json.inheritance_sources.ecs_block.source - target_field: infoblox_bloxone_ddi.dns_config.inheritance.sources.ecs.block.source - ignore_missing: true - - convert: - field: json.inheritance_sources.ecs_block.value.ecs_enabled - target_field: infoblox_bloxone_ddi.dns_config.inheritance.sources.ecs.block.value.enabled - if: ctx.json?.inheritance_sources?.ecs_block?.value?.ecs_enabled != '' - type: boolean - ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - convert: - field: json.inheritance_sources.ecs_block.value.ecs_forwarding - target_field: infoblox_bloxone_ddi.dns_config.inheritance.sources.ecs.block.value.forwarding - if: 
ctx.json?.inheritance_sources?.ecs_block?.value?.ecs_forwarding != '' - type: boolean - ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - convert: - field: json.inheritance_sources.ecs_block.value.ecs_prefix_v4 - target_field: infoblox_bloxone_ddi.dns_config.inheritance.sources.ecs.block.value.prefix_v4 - if: ctx.json?.inheritance_sources?.ecs_block?.value?.ecs_prefix_v4 != '' - type: long - ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - convert: - field: json.inheritance_sources.ecs_block.value.ecs_prefix_v6 - target_field: infoblox_bloxone_ddi.dns_config.inheritance.sources.ecs.block.value.prefix_v6 - if: ctx.json?.inheritance_sources?.ecs_block?.value?.ecs_prefix_v6 != '' - type: long - ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - foreach: - field: json.inheritance_sources.ecs_block.value.ecs_zones - if: ctx.json?.inheritance_sources?.ecs_block?.value?.ecs_zones instanceof List - processor: - rename: - field: _ingest._value.protocol_fqdn - target_field: _ingest._value.protocol.fqdn - ignore_missing: true - ignore_missing: true - ignore_failure: true - - rename: - field: json.inheritance_sources.ecs_block.value.ecs_zones - target_field: infoblox_bloxone_ddi.dns_config.inheritance.sources.ecs.block.value.zones - ignore_missing: true - - rename: - field: json.inheritance_sources.edns_udp_size.action - target_field: infoblox_bloxone_ddi.dns_config.inheritance.sources.edns.udp.size.action - ignore_missing: true - - rename: - field: json.inheritance_sources.edns_udp_size.display_name - target_field: infoblox_bloxone_ddi.dns_config.inheritance.sources.edns.udp.size.display.name - ignore_missing: true - - rename: - field: json.inheritance_sources.edns_udp_size.source - target_field: infoblox_bloxone_ddi.dns_config.inheritance.sources.edns.udp.size.source - 
ignore_missing: true - - convert: - field: json.inheritance_sources.edns_udp_size.value - target_field: infoblox_bloxone_ddi.dns_config.inheritance.sources.edns.udp.size.value - if: ctx.json?.inheritance_sources?.edns_udp_size?.value != '' - type: long - ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - rename: - field: json.inheritance_sources.forwarders_block.action - target_field: infoblox_bloxone_ddi.dns_config.inheritance.sources.forwarders.block.action - ignore_missing: true - - rename: - field: json.inheritance_sources.forwarders_block.display_name - target_field: infoblox_bloxone_ddi.dns_config.inheritance.sources.forwarders.block.display.name - ignore_missing: true - - rename: - field: json.inheritance_sources.forwarders_block.source - target_field: infoblox_bloxone_ddi.dns_config.inheritance.sources.forwarders.block.source - ignore_missing: true - - foreach: - field: json.inheritance_sources.forwarders_block.value.forwarders - if: ctx.json?.inheritance_sources?.forwarders_block?.value?.forwarders instanceof List - processor: - convert: - field: _ingest._value.address - type: ip - ignore_missing: true - on_failure: - - remove: - field: _ingest._value.address - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - ignore_missing: true - ignore_failure: true - - foreach: - field: json.inheritance_sources.forwarders_block.value.forwarders - if: ctx.json?.inheritance_sources?.forwarders_block?.value?.forwarders instanceof List - processor: - append: - field: related.ip - value: '{{{_ingest._value.address}}}' - allow_duplicates: false - ignore_failure: true - ignore_missing: true - ignore_failure: true - - foreach: - field: json.inheritance_sources.forwarders_block.value.forwarders - if: ctx.json?.inheritance_sources?.forwarders_block?.value?.forwarders instanceof List - processor: - rename: - field: _ingest._value.protocol_fqdn - target_field: 
_ingest._value.protocol.fqdn - ignore_missing: true - ignore_missing: true - ignore_failure: true - - rename: - field: json.inheritance_sources.forwarders_block.value.forwarders - target_field: infoblox_bloxone_ddi.dns_config.inheritance.sources.forwarders.block.value - ignore_missing: true - - convert: - field: json.inheritance_sources.forwarders_block.value.forwarders_only - target_field: infoblox_bloxone_ddi.dns_config.inheritance.sources.forwarders.block.value_only - if: ctx.json?.inheritance_sources?.forwarders_block?.value?.forwarders_only != '' - type: boolean - ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - rename: - field: json.inheritance_sources.gss_tsig_enabled.action - target_field: infoblox_bloxone_ddi.dns_config.inheritance.sources.gss_tsig_enabled.action - ignore_missing: true - - rename: - field: json.inheritance_sources.gss_tsig_enabled.display_name - target_field: infoblox_bloxone_ddi.dns_config.inheritance.sources.gss_tsig_enabled.display.name - ignore_missing: true - - rename: - field: json.inheritance_sources.gss_tsig_enabled.source - target_field: infoblox_bloxone_ddi.dns_config.inheritance.sources.gss_tsig_enabled.source - ignore_missing: true - - convert: - field: json.inheritance_sources.gss_tsig_enabled.value - target_field: infoblox_bloxone_ddi.dns_config.inheritance.sources.gss_tsig_enabled.value - if: ctx.json?.inheritance_sources?.gss_tsig_enabled?.value != '' - type: boolean - ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - rename: - field: json.inheritance_sources.lame_ttl.action - target_field: infoblox_bloxone_ddi.dns_config.inheritance.sources.lame_ttl.action - ignore_missing: true - - rename: - field: json.inheritance_sources.lame_ttl.display_name - target_field: infoblox_bloxone_ddi.dns_config.inheritance.sources.lame_ttl.display.name - ignore_missing: true - - rename: - field: 
json.inheritance_sources.lame_ttl.source - target_field: infoblox_bloxone_ddi.dns_config.inheritance.sources.lame_ttl.source - ignore_missing: true - - convert: - field: json.inheritance_sources.lame_ttl.value - target_field: infoblox_bloxone_ddi.dns_config.inheritance.sources.lame_ttl.value - if: ctx.json?.inheritance_sources?.lame_ttl?.value != '' - type: long - ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - rename: - field: json.inheritance_sources.match_recursive_only.action - target_field: infoblox_bloxone_ddi.dns_config.inheritance.sources.match_recursive_only.action - ignore_missing: true - - rename: - field: json.inheritance_sources.match_recursive_only.display_name - target_field: infoblox_bloxone_ddi.dns_config.inheritance.sources.match_recursive_only.display.name - ignore_missing: true - - rename: - field: json.inheritance_sources.match_recursive_only.source - target_field: infoblox_bloxone_ddi.dns_config.inheritance.sources.match_recursive_only.source - ignore_missing: true - - convert: - field: json.inheritance_sources.match_recursive_only.value - target_field: infoblox_bloxone_ddi.dns_config.inheritance.sources.match_recursive_only.value - if: ctx.json?.inheritance_sources?.match_recursive_only?.value != '' - type: boolean - ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - rename: - field: json.inheritance_sources.max_cache_ttl.action - target_field: infoblox_bloxone_ddi.dns_config.inheritance.sources.max_cache_ttl.action - ignore_missing: true - - rename: - field: json.inheritance_sources.max_cache_ttl.display_name - target_field: infoblox_bloxone_ddi.dns_config.inheritance.sources.max_cache_ttl.display.name - ignore_missing: true - - rename: - field: json.inheritance_sources.max_cache_ttl.source - target_field: infoblox_bloxone_ddi.dns_config.inheritance.sources.max_cache_ttl.source - ignore_missing: true - - 
convert: - field: json.inheritance_sources.max_cache_ttl.value - target_field: infoblox_bloxone_ddi.dns_config.inheritance.sources.max_cache_ttl.value - if: ctx.json?.inheritance_sources?.max_cache_ttl?.value != '' - type: long - ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - rename: - field: json.inheritance_sources.max_negative_ttl.action - target_field: infoblox_bloxone_ddi.dns_config.inheritance.sources.max_negative_ttl.action - ignore_missing: true - - rename: - field: json.inheritance_sources.max_negative_ttl.display_name - target_field: infoblox_bloxone_ddi.dns_config.inheritance.sources.max_negative_ttl.display.name - ignore_missing: true - - rename: - field: json.inheritance_sources.max_negative_ttl.source - target_field: infoblox_bloxone_ddi.dns_config.inheritance.sources.max_negative_ttl.source - ignore_missing: true - - convert: - field: json.inheritance_sources.max_negative_ttl.value - target_field: infoblox_bloxone_ddi.dns_config.inheritance.sources.max_negative_ttl.value - if: ctx.json?.inheritance_sources?.max_negative_ttl?.value != '' - type: long - ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - rename: - field: json.inheritance_sources.max_udp_size.action - target_field: infoblox_bloxone_ddi.dns_config.inheritance.sources.max_udp_size.action - ignore_missing: true - - rename: - field: json.inheritance_sources.max_udp_size.display_name - target_field: infoblox_bloxone_ddi.dns_config.inheritance.sources.max_udp_size.display.name - ignore_missing: true - - rename: - field: json.inheritance_sources.max_udp_size.source - target_field: infoblox_bloxone_ddi.dns_config.inheritance.sources.max_udp_size.source - ignore_missing: true - - convert: - field: json.inheritance_sources.max_udp_size.value - target_field: infoblox_bloxone_ddi.dns_config.inheritance.sources.max_udp_size.value - if: 
ctx.json?.inheritance_sources?.max_udp_size?.value != '' - type: long - ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - rename: - field: json.inheritance_sources.minimal_responses.action - target_field: infoblox_bloxone_ddi.dns_config.inheritance.sources.minimal_responses.action - ignore_missing: true - - rename: - field: json.inheritance_sources.minimal_responses.display_name - target_field: infoblox_bloxone_ddi.dns_config.inheritance.sources.minimal_responses.display.name - ignore_missing: true - - rename: - field: json.inheritance_sources.minimal_responses.source - target_field: infoblox_bloxone_ddi.dns_config.inheritance.sources.minimal_responses.source - ignore_missing: true - - convert: - field: json.inheritance_sources.minimal_responses.value - target_field: infoblox_bloxone_ddi.dns_config.inheritance.sources.minimal_responses.value - if: ctx.json?.inheritance_sources?.minimal_responses?.value != '' - type: boolean - ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - rename: - field: json.inheritance_sources.notify.action - target_field: infoblox_bloxone_ddi.dns_config.inheritance.sources.notify.action - ignore_missing: true - - rename: - field: json.inheritance_sources.notify.display_name - target_field: infoblox_bloxone_ddi.dns_config.inheritance.sources.notify.display.name - ignore_missing: true - - rename: - field: json.inheritance_sources.notify.source - target_field: infoblox_bloxone_ddi.dns_config.inheritance.sources.notify.source - ignore_missing: true - - convert: - field: json.inheritance_sources.notify.value - target_field: infoblox_bloxone_ddi.dns_config.inheritance.sources.notify.value - if: ctx.json?.inheritance_sources?.notify?.value != '' - type: boolean - ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - rename: - field: 
json.inheritance_sources.query_acl.action
- target_field: infoblox_bloxone_ddi.dns_config.inheritance.sources.query_acl.action
- ignore_missing: true
- - rename:
- field: json.inheritance_sources.query_acl.display_name
- target_field: infoblox_bloxone_ddi.dns_config.inheritance.sources.query_acl.display.name
- ignore_missing: true
- - rename:
- field: json.inheritance_sources.query_acl.source
- target_field: infoblox_bloxone_ddi.dns_config.inheritance.sources.query_acl.source
- ignore_missing: true
- - foreach:
- field: json.inheritance_sources.query_acl.value
- if: ctx.json?.inheritance_sources?.query_acl?.value instanceof List
- processor:
- convert:
- field: _ingest._value.address
- type: ip
- ignore_missing: true
- on_failure:
- - remove:
- field: _ingest._value.address
- - append:
- field: error.message
- value: '{{{_ingest.on_failure_message}}}'
- ignore_missing: true
- ignore_failure: true
- - foreach:
- field: json.inheritance_sources.query_acl.value
- if: ctx.json?.inheritance_sources?.query_acl?.value instanceof List
- processor:
- append:
- field: related.ip
- value: '{{{_ingest._value.address}}}'
- allow_duplicates: false
- ignore_failure: true
- ignore_missing: true
- ignore_failure: true
- - foreach:
- field: json.inheritance_sources.query_acl.value
- if: ctx.json?.inheritance_sources?.query_acl?.value instanceof List
- processor:
- append:
- field: related.hash
- value: '{{{_ingest._value.tsig_key.algorithm}}}'
- allow_duplicates: false
- ignore_failure: true
- ignore_missing: true
- ignore_failure: true
- - foreach:
- field: json.inheritance_sources.query_acl.value
- if: ctx.json?.inheritance_sources?.query_acl?.value instanceof List
- processor:
- rename:
- field: _ingest._value.tsig_key.protocol_name
- target_field: _ingest._value.tsig_key.protocol.name
- ignore_missing: true
- ignore_missing: true
- ignore_failure: true
- - rename:
- field: json.inheritance_sources.query_acl.value
- target_field: infoblox_bloxone_ddi.dns_config.inheritance.sources.query_acl.value
- ignore_missing: true
- - rename:
- field: json.inheritance_sources.recursion_acl.action
- target_field: infoblox_bloxone_ddi.dns_config.inheritance.sources.recursion_acl.action
- ignore_missing: true
- - rename:
- field: json.inheritance_sources.recursion_acl.display_name
- target_field: infoblox_bloxone_ddi.dns_config.inheritance.sources.recursion_acl.display.name
- ignore_missing: true
- - rename:
- field: json.inheritance_sources.recursion_acl.source
- target_field: infoblox_bloxone_ddi.dns_config.inheritance.sources.recursion_acl.source
- ignore_missing: true
- - foreach:
- field: json.inheritance_sources.recursion_acl.value
- if: ctx.json?.inheritance_sources?.recursion_acl?.value instanceof List
- processor:
- convert:
- field: _ingest._value.address
- type: ip
- ignore_missing: true
- on_failure:
- - remove:
- field: _ingest._value.address
- - append:
- field: error.message
- value: '{{{_ingest.on_failure_message}}}'
- ignore_missing: true
- ignore_failure: true
- - foreach:
- field: json.inheritance_sources.recursion_acl.value
- if: ctx.json?.inheritance_sources?.recursion_acl?.value instanceof List
- processor:
- append:
- field: related.ip
- value: '{{{_ingest._value.address}}}'
- allow_duplicates: false
- ignore_failure: true
- ignore_missing: true
- ignore_failure: true
- - foreach:
- field: json.inheritance_sources.recursion_acl.value
- if: ctx.json?.inheritance_sources?.recursion_acl?.value instanceof List
- processor:
- append:
- field: related.hash
- value: '{{{_ingest._value.tsig_key.algorithm}}}'
- allow_duplicates: false
- ignore_failure: true
- ignore_missing: true
- ignore_failure: true
- - foreach:
- field: json.inheritance_sources.recursion_acl.value
- if: ctx.json?.inheritance_sources?.recursion_acl?.value instanceof List
- processor:
- rename:
- field: _ingest._value.tsig_key.protocol_name
- target_field: _ingest._value.tsig_key.protocol.name
- ignore_missing: true
- ignore_missing: true
- ignore_failure: true
- - rename:
- field: json.inheritance_sources.recursion_acl.value
- target_field: infoblox_bloxone_ddi.dns_config.inheritance.sources.recursion_acl.value
- ignore_missing: true
- - rename:
- field: json.inheritance_sources.recursion_enabled.action
- target_field: infoblox_bloxone_ddi.dns_config.inheritance.sources.recursion_enabled.action
- ignore_missing: true
- - rename:
- field: json.inheritance_sources.recursion_enabled.display_name
- target_field: infoblox_bloxone_ddi.dns_config.inheritance.sources.recursion_enabled.display.name
- ignore_missing: true
- - rename:
- field: json.inheritance_sources.recursion_enabled.source
- target_field: infoblox_bloxone_ddi.dns_config.inheritance.sources.recursion_enabled.source
- ignore_missing: true
- - convert:
- field: json.inheritance_sources.recursion_enabled.value
- target_field: infoblox_bloxone_ddi.dns_config.inheritance.sources.recursion_enabled.value
- if: ctx.json?.inheritance_sources?.recursion_enabled?.value != ''
- type: boolean
- ignore_missing: true
- on_failure:
- - append:
- field: error.message
- value: '{{{_ingest.on_failure_message}}}'
- - rename:
- field: json.inheritance_sources.synthesize_address_records_from_https.action
- target_field: infoblox_bloxone_ddi.dns_config.inheritance.sources.synthesize.address_records_from_https.action
- ignore_missing: true
- - rename:
- field: json.inheritance_sources.synthesize_address_records_from_https.display_name
- target_field: infoblox_bloxone_ddi.dns_config.inheritance.sources.synthesize.address_records_from_https.display.name
- ignore_missing: true
- - rename:
- field: json.inheritance_sources.synthesize_address_records_from_https.source
- target_field: infoblox_bloxone_ddi.dns_config.inheritance.sources.synthesize.address_records_from_https.name
- ignore_missing: true
- - convert:
- field: json.inheritance_sources.synthesize_address_records_from_https.value
- target_field: infoblox_bloxone_ddi.dns_config.inheritance.sources.synthesize.address_records_from_https.value
- if: ctx.json?.inheritance_sources?.synthesize_address_records_from_https?.value != ''
- type: boolean
- ignore_missing: true
- on_failure:
- - append:
- field: error.message
- value: '{{{_ingest.on_failure_message}}}'
- - rename:
- field: json.inheritance_sources.transfer_acl.action
- target_field: infoblox_bloxone_ddi.dns_config.inheritance.sources.transfer_acl.action
- ignore_missing: true
- - rename:
- field: json.inheritance_sources.transfer_acl.display_name
- target_field: infoblox_bloxone_ddi.dns_config.inheritance.sources.transfer_acl.display.name
- ignore_missing: true
- - rename:
- field: json.inheritance_sources.transfer_acl.source
- target_field: infoblox_bloxone_ddi.dns_config.inheritance.sources.transfer_acl.source
- ignore_missing: true
- - foreach:
- field: json.inheritance_sources.transfer_acl.value
- if: ctx.json?.inheritance_sources?.transfer_acl?.value instanceof List
- processor:
- convert:
- field: _ingest._value.address
- type: ip
- ignore_missing: true
- on_failure:
- - remove:
- field: _ingest._value.address
- - append:
- field: error.message
- value: '{{{_ingest.on_failure_message}}}'
- ignore_missing: true
- ignore_failure: true
- - foreach:
- field: json.inheritance_sources.transfer_acl.value
- if: ctx.json?.inheritance_sources?.transfer_acl?.value instanceof List
- processor:
- append:
- field: related.ip
- value: '{{{_ingest._value.address}}}'
- allow_duplicates: false
- ignore_failure: true
- ignore_missing: true
- ignore_failure: true
- - foreach:
- field: json.inheritance_sources.transfer_acl.value
- if: ctx.json?.inheritance_sources?.transfer_acl?.value instanceof List
- processor:
- append:
- field: related.hash
- value: '{{{_ingest._value.tsig_key.algorithm}}}'
- allow_duplicates: false
- ignore_failure: true
- ignore_missing: true
- ignore_failure: true
- - foreach:
- field: json.inheritance_sources.transfer_acl.value
- if: ctx.json?.inheritance_sources?.transfer_acl?.value instanceof List
- processor:
- rename:
- field: _ingest._value.tsig_key.protocol_name
- target_field: _ingest._value.tsig_key.protocol.name
- ignore_missing: true
- ignore_missing: true
- ignore_failure: true
- - rename:
- field: json.inheritance_sources.transfer_acl.value
- target_field: infoblox_bloxone_ddi.dns_config.inheritance.sources.transfer_acl.value
- ignore_missing: true
- - rename:
- field: json.inheritance_sources.update_acl.action
- target_field: infoblox_bloxone_ddi.dns_config.inheritance.sources.update_acl.action
- ignore_missing: true
- - rename:
- field: json.inheritance_sources.update_acl.display_name
- target_field: infoblox_bloxone_ddi.dns_config.inheritance.sources.update_acl.display.name
- ignore_missing: true
- - rename:
- field: json.inheritance_sources.update_acl.source
- target_field: infoblox_bloxone_ddi.dns_config.inheritance.sources.update_acl.source
- ignore_missing: true
- - foreach:
- field: json.inheritance_sources.update_acl.value
- if: ctx.json?.inheritance_sources?.update_acl?.value instanceof List
- processor:
- convert:
- field: _ingest._value.address
- type: ip
- ignore_missing: true
- on_failure:
- - remove:
- field: _ingest._value.address
- - append:
- field: error.message
- value: '{{{_ingest.on_failure_message}}}'
- ignore_missing: true
- ignore_failure: true
- - foreach:
- field: json.inheritance_sources.update_acl.value
- if: ctx.json?.inheritance_sources?.update_acl?.value instanceof List
- processor:
- append:
- field: related.ip
- value: '{{{_ingest._value.address}}}'
- allow_duplicates: false
- ignore_failure: true
- ignore_missing: true
- ignore_failure: true
- - foreach:
- field: json.inheritance_sources.update_acl.value
- if: ctx.json?.inheritance_sources?.update_acl?.value instanceof List
- processor:
- append:
- field: related.hash
- value: '{{{_ingest._value.tsig_key.algorithm}}}'
- allow_duplicates: false
- ignore_failure: true
- ignore_missing: true
- ignore_failure: true
- - foreach:
- field: json.inheritance_sources.update_acl.value
- if: ctx.json?.inheritance_sources?.update_acl?.value instanceof List
- processor:
- rename:
- field: _ingest._value.tsig_key.protocol_name
- target_field: _ingest._value.tsig_key.protocol.name
- ignore_missing: true
- ignore_missing: true
- ignore_failure: true
- - rename:
- field: json.inheritance_sources.update_acl.value
- target_field: infoblox_bloxone_ddi.dns_config.inheritance.sources.update_acl.value
- ignore_missing: true
- - rename:
- field: json.inheritance_sources.use_forwarders_for_subzones.action
- target_field: infoblox_bloxone_ddi.dns_config.inheritance.sources.use_forwarders_for_subzones.action
- ignore_missing: true
- - rename:
- field: json.inheritance_sources.use_forwarders_for_subzones.display_name
- target_field: infoblox_bloxone_ddi.dns_config.inheritance.sources.use_forwarders_for_subzones.display.name
- ignore_missing: true
- - rename:
- field: json.inheritance_sources.use_forwarders_for_subzones.source
- target_field: infoblox_bloxone_ddi.dns_config.inheritance.sources.use_forwarders_for_subzones.source
- ignore_missing: true
- - convert:
- field: json.inheritance_sources.use_forwarders_for_subzones.value
- target_field: infoblox_bloxone_ddi.dns_config.inheritance.sources.use_forwarders_for_subzones.value
- if: ctx.json?.inheritance_sources?.use_forwarders_for_subzones?.value != ''
- type: boolean
- ignore_missing: true
- on_failure:
- - append:
- field: error.message
- value: '{{{_ingest.on_failure_message}}}'
- - rename:
- field: json.inheritance_sources.zone_authority.default_ttl.action
- target_field: infoblox_bloxone_ddi.dns_config.inheritance.sources.zone_authority.default_ttl.action
- ignore_missing: true
- - rename:
- field: json.inheritance_sources.zone_authority.default_ttl.display_name
- target_field: infoblox_bloxone_ddi.dns_config.inheritance.sources.zone_authority.default_ttl.display.name
- ignore_missing: true
- - rename:
- field: json.inheritance_sources.zone_authority.default_ttl.source
- target_field: infoblox_bloxone_ddi.dns_config.inheritance.sources.zone_authority.default_ttl.source
- ignore_missing: true
- - convert:
- field: json.inheritance_sources.zone_authority.default_ttl.value
- target_field: infoblox_bloxone_ddi.dns_config.inheritance.sources.zone_authority.default_ttl.value
- if: ctx.json?.inheritance_sources?.zone_authority?.default_ttl?.value != ''
- type: long
- ignore_missing: true
- on_failure:
- - append:
- field: error.message
- value: '{{{_ingest.on_failure_message}}}'
- - rename:
- field: json.inheritance_sources.zone_authority.expire.action
- target_field: infoblox_bloxone_ddi.dns_config.inheritance.sources.zone_authority.expire.action
- ignore_missing: true
- - rename:
- field: json.inheritance_sources.zone_authority.expire.display_name
- target_field: infoblox_bloxone_ddi.dns_config.inheritance.sources.zone_authority.expire.display.name
- ignore_missing: true
- - rename:
- field: json.inheritance_sources.zone_authority.expire.source
- target_field: infoblox_bloxone_ddi.dns_config.inheritance.sources.zone_authority.expire.source
- ignore_missing: true
- - convert:
- field: json.inheritance_sources.zone_authority.expire.value
- target_field: infoblox_bloxone_ddi.dns_config.inheritance.sources.zone_authority.expire.value
- if: ctx.json?.inheritance_sources?.zone_authority?.expire?.value != ''
- type: long
- ignore_missing: true
- on_failure:
- - append:
- field: error.message
- value: '{{{_ingest.on_failure_message}}}'
- - rename:
- field: json.inheritance_sources.zone_authority.mname_block.action
- target_field: infoblox_bloxone_ddi.dns_config.inheritance.sources.zone_authority.mname_block.action
- ignore_missing: true
- - rename:
- field: json.inheritance_sources.zone_authority.mname_block.display_name
- target_field: infoblox_bloxone_ddi.dns_config.inheritance.sources.zone_authority.mname_block.display.name
- ignore_missing: true
- - rename:
- field: json.inheritance_sources.zone_authority.mname_block.source
- target_field: infoblox_bloxone_ddi.dns_config.inheritance.sources.zone_authority.mname_block.source
- ignore_missing: true
- - rename:
- field: json.inheritance_sources.zone_authority.mname_block.value.mname
- target_field: infoblox_bloxone_ddi.dns_config.inheritance.sources.zone_authority.mname_block_value
- ignore_missing: true
- - rename:
- field: json.inheritance_sources.zone_authority.mname_block.value.protocol_mname
- target_field: infoblox_bloxone_ddi.dns_config.inheritance.sources.zone_authority.mname_block.value.protocol.mname
- ignore_missing: true
- - convert:
- field: json.inheritance_sources.zone_authority.mname_block.value.use_default_mname
- target_field: infoblox_bloxone_ddi.dns_config.inheritance.sources.zone_authority.mname_block.value.isdefault
- if: ctx.json?.inheritance_sources?.zone_authority?.mname_block?.value?.use_default_mname != ''
- type: boolean
- ignore_missing: true
- on_failure:
- - append:
- field: error.message
- value: '{{{_ingest.on_failure_message}}}'
- - rename:
- field: json.inheritance_sources.zone_authority.negative_ttl.action
- target_field: infoblox_bloxone_ddi.dns_config.inheritance.sources.zone_authority.negative_ttl.action
- ignore_missing: true
- - rename:
- field: json.inheritance_sources.zone_authority.negative_ttl.display_name
- target_field: infoblox_bloxone_ddi.dns_config.inheritance.sources.zone_authority.negative_ttl.display.name
- ignore_missing: true
- - rename:
- field: json.inheritance_sources.zone_authority.negative_ttl.source
- target_field: infoblox_bloxone_ddi.dns_config.inheritance.sources.zone_authority.negative_ttl.source
- ignore_missing: true
- - convert:
- field: json.inheritance_sources.zone_authority.negative_ttl.value
- target_field: infoblox_bloxone_ddi.dns_config.inheritance.sources.zone_authority.negative_ttl.value
- if: ctx.json?.inheritance_sources?.zone_authority?.negative_ttl?.value != ''
- type: long
- ignore_missing: true
- on_failure:
- - append:
- field: error.message
- value: '{{{_ingest.on_failure_message}}}'
- - rename:
- field: json.inheritance_sources.zone_authority.protocol_rname.action
- target_field: infoblox_bloxone_ddi.dns_config.inheritance.sources.zone_authority.protocol_rname.action
- ignore_missing: true
- - rename:
- field: json.inheritance_sources.zone_authority.protocol_rname.display_name
- target_field: infoblox_bloxone_ddi.dns_config.inheritance.sources.zone_authority.protocol_rname.display.name
- ignore_missing: true
- - rename:
- field: json.inheritance_sources.zone_authority.protocol_rname.source
- target_field: infoblox_bloxone_ddi.dns_config.inheritance.sources.zone_authority.protocol_rname.source
- ignore_missing: true
- - rename:
- field: json.inheritance_sources.zone_authority.protocol_rname.value
- target_field: infoblox_bloxone_ddi.dns_config.inheritance.sources.zone_authority.protocol_rname.value
- ignore_missing: true
- - rename:
- field: json.inheritance_sources.zone_authority.refresh.action
- target_field: infoblox_bloxone_ddi.dns_config.inheritance.sources.zone_authority.refresh.action
- ignore_missing: true
- - rename:
- field: json.inheritance_sources.zone_authority.refresh.display_name
- target_field: infoblox_bloxone_ddi.dns_config.inheritance.sources.zone_authority.refresh.display.name
- ignore_missing: true
- - rename:
- field: json.inheritance_sources.zone_authority.refresh.source
- target_field: infoblox_bloxone_ddi.dns_config.inheritance.sources.zone_authority.refresh.source
- ignore_missing: true
- - convert:
- field: json.inheritance_sources.zone_authority.refresh.value
- target_field: infoblox_bloxone_ddi.dns_config.inheritance.sources.zone_authority.refresh.value
- if: ctx.json?.inheritance_sources?.zone_authority?.refresh?.value != ''
- type: long
- ignore_missing: true
- on_failure:
- - append:
- field: error.message
- value: '{{{_ingest.on_failure_message}}}'
- - rename:
- field: json.inheritance_sources.zone_authority.retry.action
- target_field: infoblox_bloxone_ddi.dns_config.inheritance.sources.zone_authority.retry.action
- ignore_missing: true
- - rename:
- field: json.inheritance_sources.zone_authority.retry.display_name
- target_field: infoblox_bloxone_ddi.dns_config.inheritance.sources.zone_authority.retry.display.name
- ignore_missing: true
- - rename:
- field: json.inheritance_sources.zone_authority.retry.source
- target_field: infoblox_bloxone_ddi.dns_config.inheritance.sources.zone_authority.retry.source
- ignore_missing: true
- - convert:
- field: json.inheritance_sources.zone_authority.retry.value
- target_field: infoblox_bloxone_ddi.dns_config.inheritance.sources.zone_authority.retry.value
- if: ctx.json?.inheritance_sources?.zone_authority?.retry?.value != ''
- type: long
- ignore_missing: true
- on_failure:
- - append:
- field: error.message
- value: '{{{_ingest.on_failure_message}}}'
- - rename:
- field: json.inheritance_sources.zone_authority.rname.action
- target_field: infoblox_bloxone_ddi.dns_config.inheritance.sources.zone_authority.rname.action
- ignore_missing: true
- - rename:
- field: json.inheritance_sources.zone_authority.rname.display_name
- target_field: infoblox_bloxone_ddi.dns_config.inheritance.sources.zone_authority.rname.display.name
- ignore_missing: true
- - rename:
- field: json.inheritance_sources.zone_authority.rname.source
- target_field: infoblox_bloxone_ddi.dns_config.inheritance.sources.zone_authority.rname.source
- ignore_missing: true
- - rename:
- field: json.inheritance_sources.zone_authority.rname.value
- target_field: infoblox_bloxone_ddi.dns_config.inheritance.sources.zone_authority.rname.value
- ignore_missing: true
- - rename:
- field: json.ip_spaces
- target_field: infoblox_bloxone_ddi.dns_config.ip_spaces
- ignore_missing: true
- - convert:
- field: json.lame_ttl
- target_field: infoblox_bloxone_ddi.dns_config.lame_ttl
- if: ctx.json?.lame_ttl != ''
- type: long
- ignore_missing: true
- on_failure:
- - append:
- field: error.message
- value: '{{{_ingest.on_failure_message}}}'
- - set:
- field: dns.answers.ttl
- copy_from: infoblox_bloxone_ddi.dns_config.lame_ttl
- ignore_failure: true
- - foreach:
- field: json.match_clients_acl
- if: ctx.json?.match_clients_acl instanceof List
- processor:
- convert:
- field: _ingest._value.address
- type: ip
- ignore_missing: true
- on_failure:
- - remove:
- field: _ingest._value.address
- - append:
- field: error.message
- value: '{{{_ingest.on_failure_message}}}'
- ignore_missing: true
- ignore_failure: true
- - foreach:
- field: json.match_clients_acl
- if: ctx.json?.match_clients_acl instanceof List
- processor:
- append:
- field: related.ip
- value: '{{{_ingest._value.address}}}'
- allow_duplicates: false
- ignore_failure: true
- ignore_missing: true
- ignore_failure: true
- - foreach:
- field: json.match_clients_acl
- if: ctx.json?.match_clients_acl instanceof List
- processor:
- rename:
- field: _ingest._value.acl
- target_field: _ingest._value.value
- ignore_missing: true
- ignore_missing: true
- ignore_failure: true
- - foreach:
- field: json.match_clients_acl
- if: ctx.json?.match_clients_acl instanceof List
- processor:
- append:
- field: related.hash
- value: '{{{_ingest._value.tsig_key.algorithm}}}'
- allow_duplicates: false
- ignore_failure: true
- ignore_missing: true
- ignore_failure: true
- - foreach:
- field: json.match_clients_acl
- if: ctx.json?.match_clients_acl instanceof List
- processor:
- rename:
- field: _ingest._value.tsig_key.protocol_name
- target_field: _ingest._value.tsig_key.protocol.name
- ignore_missing: true
- ignore_missing: true
- ignore_failure: true
- - rename:
- field: json.match_clients_acl
- target_field: infoblox_bloxone_ddi.dns_config.match_clients_acl
- ignore_missing: true
- - foreach:
- field: json.match_destinations_acl
- if: ctx.json?.match_destinations_acl instanceof List
- processor:
- convert:
- field: _ingest._value.address
- type: ip
- ignore_missing: true
- on_failure:
- - remove:
- field: _ingest._value.address
- - append:
- field: error.message
- value: '{{{_ingest.on_failure_message}}}'
- ignore_missing: true
- ignore_failure: true
- - foreach:
- field: json.match_destinations_acl
- if: ctx.json?.match_destinations_acl instanceof List
- processor:
- append:
- field: related.ip
- value: '{{{_ingest._value.address}}}'
- allow_duplicates: false
- ignore_failure: true
- ignore_missing: true
- ignore_failure: true
- - foreach:
- field: json.match_destinations_acl
- if: ctx.json?.match_destinations_acl instanceof List
- processor:
- rename:
- field: _ingest._value.acl
- target_field: _ingest._value.value
- ignore_missing: true
- ignore_missing: true
- ignore_failure: true
- - foreach:
- field: json.match_destinations_acl
- if: ctx.json?.match_destinations_acl instanceof List
- processor:
- append:
- field: related.hash
- value: '{{{_ingest._value.tsig_key.algorithm}}}'
- allow_duplicates: false
- ignore_failure: true
- ignore_missing: true
- ignore_failure: true
- - foreach:
- field: json.match_destinations_acl
- if: ctx.json?.match_destinations_acl instanceof List
- processor:
- rename:
- field: _ingest._value.tsig_key.protocol_name
- target_field: _ingest._value.tsig_key.protocol.name
- ignore_missing: true
- ignore_missing: true
- ignore_failure: true
- - rename:
- field: json.match_destinations_acl
- target_field: infoblox_bloxone_ddi.dns_config.match_destinations_acl
- ignore_missing: true
- - convert:
- field: json.match_recursive_only
- target_field: infoblox_bloxone_ddi.dns_config.match_recursive_only
- if: ctx.json?.match_recursive_only != ''
- type: boolean
- ignore_missing: true
- on_failure:
- - append:
- field: error.message
- value: '{{{_ingest.on_failure_message}}}'
- - convert:
- field: json.max_cache_ttl
- target_field: infoblox_bloxone_ddi.dns_config.max_cache_ttl
- if: ctx.json?.max_cache_ttl != ''
- type: long
- ignore_missing: true
- on_failure:
- - append:
- field: error.message
- value: '{{{_ingest.on_failure_message}}}'
- - convert:
- field: json.max_negative_ttl
- target_field: infoblox_bloxone_ddi.dns_config.max_negative_ttl
- if: ctx.json?.max_negative_ttl != ''
- type: long
- ignore_missing: true
- on_failure:
- - append:
- field: error.message
- value: '{{{_ingest.on_failure_message}}}'
- - convert:
- field: json.max_udp_size
- target_field: infoblox_bloxone_ddi.dns_config.max_udp_size
- if: ctx.json?.max_udp_size != ''
- type: long
- ignore_missing: true
- on_failure:
- - append:
- field: error.message
- value: '{{{_ingest.on_failure_message}}}'
- - convert:
- field: json.minimal_responses
- target_field: infoblox_bloxone_ddi.dns_config.minimal_responses
- if: ctx.json?.minimal_responses != ''
- type: boolean
- ignore_missing: true
- on_failure:
- - append:
- field: error.message
- value: '{{{_ingest.on_failure_message}}}'
- - rename:
- field: json.name
- target_field: infoblox_bloxone_ddi.dns_config.name
- ignore_missing: true
- - convert:
- field: json.notify
- target_field: infoblox_bloxone_ddi.dns_config.notify
- if: ctx.json?.notify != ''
- type: boolean
- ignore_missing: true
- on_failure:
- - append:
- field: error.message
- value: '{{{_ingest.on_failure_message}}}'
- - foreach:
- field: json.query_acl
- if: ctx.json?.query_acl instanceof List
- processor:
- convert:
- field: _ingest._value.address
- type: ip
- ignore_missing: true
- on_failure:
- - remove:
- field: _ingest._value.address
- - append:
- field: error.message
- value: '{{{_ingest.on_failure_message}}}'
- ignore_missing: true
- ignore_failure: true
- - foreach:
- field: json.query_acl
- if: ctx.json?.query_acl instanceof List
- processor:
- append:
- field: related.ip
- value: '{{{_ingest._value.address}}}'
- allow_duplicates: false
- ignore_failure: true
- ignore_missing: true
- ignore_failure: true
- - foreach:
- field: json.query_acl
- if: ctx.json?.query_acl instanceof List
- processor:
- append:
- field: related.hash
- value: '{{{_ingest._value.tsig_key.algorithm}}}'
- allow_duplicates: false
- ignore_failure: true
- ignore_missing: true
- ignore_failure: true
- - foreach:
- field: json.query_acl
- if: ctx.json?.query_acl instanceof List
- processor:
- rename:
- field: _ingest._value.acl
- target_field: _ingest._value.value
- ignore_missing: true
- ignore_missing: true
- ignore_failure: true
- - foreach:
- field: json.query_acl
- if: ctx.json?.query_acl instanceof List
- processor:
- rename:
- field: _ingest._value.tsig_key.protocol_name
- target_field: _ingest._value.tsig_key.protocol.name
- ignore_missing: true
- ignore_missing: true
- ignore_failure: true
- - rename:
- field: json.query_acl
- target_field: infoblox_bloxone_ddi.dns_config.query_acl
- ignore_missing: true
- - foreach:
- field: json.recursion_acl
- if: ctx.json?.recursion_acl instanceof List
- processor:
- convert:
- field: _ingest._value.address
- type: ip
- ignore_missing: true
- on_failure:
- - remove:
- field: _ingest._value.address
- - append:
- field: error.message
- value: '{{{_ingest.on_failure_message}}}'
- ignore_missing: true
- ignore_failure: true
- - foreach:
- field: json.recursion_acl
- if: ctx.json?.recursion_acl instanceof List
- processor:
- append:
- field: related.ip
- value: '{{{_ingest._value.address}}}'
- allow_duplicates: false
- ignore_failure: true
- ignore_missing: true
- ignore_failure: true
- - foreach:
- field: json.recursion_acl
- if: ctx.json?.recursion_acl instanceof List
- processor:
- append:
- field: related.hash
- value: '{{{_ingest._value.tsig_key.algorithm}}}'
- allow_duplicates: false
- ignore_failure: true
- ignore_missing: true
- ignore_failure: true
- - foreach:
- field: json.recursion_acl
- if: ctx.json?.recursion_acl instanceof List
- processor:
- rename:
- field: _ingest._value.acl
- target_field: _ingest._value.value
- ignore_missing: true
- ignore_missing: true
- ignore_failure: true
- - foreach:
- field: json.recursion_acl
- if: ctx.json?.recursion_acl instanceof List
- processor:
- rename:
- field: _ingest._value.tsig_key.protocol_name
- target_field: _ingest._value.tsig_key.protocol.name
- ignore_missing: true
- ignore_missing: true
- ignore_failure: true
- - rename:
- field: json.recursion_acl
- target_field: infoblox_bloxone_ddi.dns_config.recursion_acl
- ignore_missing: true
- - convert:
- field: json.recursion_enabled
- target_field: infoblox_bloxone_ddi.dns_config.recursion_enabled
- if: ctx.json?.recursion_enabled != ''
- type: boolean
- ignore_missing: true
- on_failure:
- - append:
- field: error.message
- value: '{{{_ingest.on_failure_message}}}'
- - convert:
- field: json.synthesize_address_records_from_https
- target_field: infoblox_bloxone_ddi.dns_config.synthesize.address_records_from_https
- if: ctx.json?.synthesize_address_records_from_https != ''
- type: boolean
- ignore_missing: true
- on_failure:
- - append:
- field: error.message
- value: '{{{_ingest.on_failure_message}}}'
- - rename:
- field: json.tags
- target_field: infoblox_bloxone_ddi.dns_config.tags
- ignore_missing: true
- - foreach:
- field: json.transfer_acl
- if: ctx.json?.transfer_acl instanceof List
- processor:
- convert:
- field: _ingest._value.address
- type: ip
- ignore_missing: true
- on_failure:
- - remove:
- field: _ingest._value.address
- - append:
- field: error.message
- value: '{{{_ingest.on_failure_message}}}'
- ignore_missing: true
- ignore_failure: true
- - foreach:
- field: json.transfer_acl
- if: ctx.json?.transfer_acl instanceof List
- processor:
- append:
- field: related.ip
- value: '{{{_ingest._value.address}}}'
- allow_duplicates: false
- ignore_failure: true
- ignore_missing: true
- ignore_failure: true
- - foreach:
- field: json.transfer_acl
- if: ctx.json?.transfer_acl instanceof List
- processor:
- append:
- field: related.hash
- value: '{{{_ingest._value.tsig_key.algorithm}}}'
- allow_duplicates: false
- ignore_failure: true
- ignore_missing: true
- ignore_failure: true
- - foreach:
- field: json.transfer_acl
- if: ctx.json?.transfer_acl instanceof List
- processor:
- rename:
- field: _ingest._value.acl
- target_field: _ingest._value.value
- ignore_missing: true
- ignore_missing: true
- ignore_failure: true
- - foreach:
- field: json.transfer_acl
- if: ctx.json?.transfer_acl instanceof List
- processor:
- rename:
- field: _ingest._value.tsig_key.protocol_name
- target_field: _ingest._value.tsig_key.protocol.name
- ignore_missing: true
- ignore_missing: true
- ignore_failure: true
- - rename:
- field: json.transfer_acl
- target_field: infoblox_bloxone_ddi.dns_config.transfer_acl
- ignore_missing: true
- - foreach:
- field: json.update_acl
- if: ctx.json?.update_acl instanceof List
- processor:
- convert:
- field: _ingest._value.address
- type: ip
- ignore_missing: true
- on_failure:
- - remove:
- field: _ingest._value.address
- - append:
- field: error.message
- value: '{{{_ingest.on_failure_message}}}'
- ignore_missing: true
- ignore_failure: true
- - foreach:
- field: json.update_acl
- if: ctx.json?.update_acl instanceof List
- processor:
- append:
- field: related.ip
- value: '{{{_ingest._value.address}}}'
- allow_duplicates: false
- ignore_failure: true
- ignore_missing: true
- ignore_failure: true
- - foreach:
- field: json.update_acl
- if: ctx.json?.update_acl instanceof List
- processor:
- append:
- field: related.hash
- value: '{{{_ingest._value.tsig_key.algorithm}}}'
- allow_duplicates: false
- ignore_failure: true
- ignore_missing: true
- ignore_failure: true
- - foreach:
- field: json.update_acl
- if: ctx.json?.update_acl instanceof List
- processor:
- rename:
- field: _ingest._value.acl
- target_field: _ingest._value.value
- ignore_missing: true
- ignore_missing: true
- ignore_failure: true
- - foreach:
- field: json.update_acl
- if: ctx.json?.update_acl instanceof List
- processor:
- rename:
- field: _ingest._value.tsig_key.protocol_name
- target_field: _ingest._value.tsig_key.protocol.name
- ignore_missing: true
- ignore_missing: true
- ignore_failure: true
- - rename:
- field: json.update_acl
- target_field: infoblox_bloxone_ddi.dns_config.update_acl
- ignore_missing: true
- - date:
- field: json.updated_at
- target_field: infoblox_bloxone_ddi.dns_config.updated_at
- if: ctx.json?.updated_at != null && ctx.json.updated_at != ''
- formats:
- - ISO8601
- on_failure:
- - append:
- field: error.message
- value: '{{{_ingest.on_failure_message}}}'
- - set:
- field: '@timestamp'
- copy_from: infoblox_bloxone_ddi.dns_config.updated_at
- ignore_failure: true
- - convert:
- field: json.use_forwarders_for_subzones
- target_field: infoblox_bloxone_ddi.dns_config.use_forwarders_for_subzones
- if: ctx.json?.use_forwarders_for_subzones != ''
- type: boolean
- ignore_missing: true
- on_failure:
- - append:
- field: error.message
- value: '{{{_ingest.on_failure_message}}}'
- - convert:
- field: json.zone_authority.default_ttl
- target_field: infoblox_bloxone_ddi.dns_config.zone_authority.default_ttl
- if: ctx.json?.zone_authority?.default_ttl != ''
- type: long
- ignore_missing: true
- on_failure:
- - append:
- field: error.message
- value: '{{{_ingest.on_failure_message}}}'
- - convert:
- field: json.zone_authority.expire
- target_field: infoblox_bloxone_ddi.dns_config.zone_authority.expire
- if: ctx.json?.zone_authority?.expire != ''
- type: long
- ignore_missing: true
- on_failure:
- - append:
- field: error.message
- value: '{{{_ingest.on_failure_message}}}'
- - rename:
- field: json.zone_authority.mname
- target_field: infoblox_bloxone_ddi.dns_config.zone_authority.mname
- ignore_missing: true
- - convert:
- field: json.zone_authority.negative_ttl
- target_field: infoblox_bloxone_ddi.dns_config.zone_authority.negative_ttl
- if: ctx.json?.zone_authority?.negative_ttl != ''
- type: long
- ignore_missing: true
- on_failure:
- - append:
- field: error.message
- value: '{{{_ingest.on_failure_message}}}'
- - rename:
- field: json.zone_authority.protocol_mname
- target_field: infoblox_bloxone_ddi.dns_config.zone_authority.protocol.mname
- ignore_missing: true
- - rename:
- field: json.zone_authority.protocol_rname
- target_field: infoblox_bloxone_ddi.dns_config.zone_authority.protocol.rname
- ignore_missing: true
- - convert:
- field: json.zone_authority.refresh
- target_field: infoblox_bloxone_ddi.dns_config.zone_authority.refresh
- if: ctx.json?.zone_authority?.refresh != ''
- type: long
- ignore_missing: true
- on_failure:
- - append:
- field: error.message
- value: '{{{_ingest.on_failure_message}}}'
- - convert:
- field: json.zone_authority.retry
- target_field: infoblox_bloxone_ddi.dns_config.zone_authority.retry
- if: ctx.json?.zone_authority?.retry != ''
- type: long
- ignore_missing: true
- on_failure:
- - append:
- field: error.message
- value: '{{{_ingest.on_failure_message}}}'
- - rename:
- field: json.zone_authority.rname
- target_field: infoblox_bloxone_ddi.dns_config.zone_authority.rname
- ignore_missing: true
- - convert:
- field: json.zone_authority.use_default_mname
- target_field: infoblox_bloxone_ddi.dns_config.zone_authority.use_default_mname
- if: ctx.json?.zone_authority?.use_default_mname != ''
- type: boolean
- ignore_missing: true
- on_failure:
- - append:
- field: error.message
- value: '{{{_ingest.on_failure_message}}}'
- - remove:
- field: json
- ignore_missing: true
- - remove:
- field:
- - infoblox_bloxone_ddi.dns_config.updated_at
- - infoblox_bloxone_ddi.dns_config.lame_ttl
- - infoblox_bloxone_ddi.dns_config.created_at
- - infoblox_bloxone_ddi.dns_config.id
- if: ctx.tags == null || !(ctx.tags.contains('preserve_duplicate_custom_fields'))
- ignore_failure: true
- ignore_missing: true
- - remove:
- field: event.original
- if: ctx.tags == null || !(ctx.tags.contains('preserve_original_event'))
- ignore_failure: true
- ignore_missing: true
- - script:
- description: Drops null/empty values recursively.
- lang: painless
- source:
- boolean dropEmptyFields(Object object) {
- if (object == null || object == "") {
- return true;
- } else if (object instanceof Map) {
- ((Map) object).values().removeIf(value -> dropEmptyFields(value));
- return (((Map) object).size() == 0);
- } else if (object instanceof List) {
- ((List) object).removeIf(value -> dropEmptyFields(value));
- return (((List) object).length == 0);
- }
- return false;
- }
- dropEmptyFields(ctx);
-on_failure:
- - append:
- field: error.message
- value: '{{ _ingest.on_failure_message }}'
diff --git a/packages/infoblox_bloxone_ddi/0.1.0/data_stream/dns_config/fields/agent.yml b/packages/infoblox_bloxone_ddi/0.1.0/data_stream/dns_config/fields/agent.yml
deleted file mode 100755
index 6e1bac042b..0000000000
--- a/packages/infoblox_bloxone_ddi/0.1.0/data_stream/dns_config/fields/agent.yml
+++ /dev/null
@@ -1,186 +0,0 @@
-- name: cloud
- title: Cloud
- group: 2
- description: Fields related to the cloud or infrastructure the events are coming from.
- footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.'
- type: group
- fields:
- - name: account.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.'
- example: 666777888999
- - name: availability_zone
- level: extended
- type: keyword
- ignore_above: 1024
- description: Availability zone in which this host is running.
- example: us-east-1c
- - name: instance.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance ID of the host machine.
- example: i-1234567890abcdef0
- - name: instance.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance name of the host machine.
- - name: machine.type
- level: extended
- type: keyword
- ignore_above: 1024
- description: Machine type of the host machine.
- example: t2.medium
- - name: provider
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
- example: aws
- - name: region
- level: extended
- type: keyword
- ignore_above: 1024
- description: Region in which this host is running.
- example: us-east-1
- - name: project.id
- type: keyword
- description: Name of the project in Google Cloud.
- - name: image.id
- type: keyword
- description: Image ID for the cloud instance.
-- name: container
- title: Container
- group: 2
- description: 'Container fields are used for meta information about the specific container that is the source of information. These fields help correlate data based containers from any runtime.'
- type: group
- fields:
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: Unique container id.
- - name: image.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the image the container was built on.
- - name: labels
- level: extended
- type: object
- object_type: keyword
- description: Image labels.
- - name: name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Container name.
-- name: host
- title: Host
- group: 2
- description: 'A host is defined as a general computing instance. ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.'
- type: group
- fields:
- - name: architecture
- level: core
- type: keyword
- ignore_above: 1024
- description: Operating system architecture.
- example: x86_64
- - name: domain
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'Name of the domain of which the host is a member. For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.'
- example: CONTOSO
- default_field: false
- - name: hostname
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Hostname of the host. It normally contains what the `hostname` command returns on the host machine.'
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`.'
- - name: ip
- level: core
- type: ip
- description: Host ip addresses.
- - name: mac
- level: core
- type: keyword
- ignore_above: 1024
- description: Host mac addresses.
- - name: name
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.'
- - name: os.family
- level: extended
- type: keyword
- ignore_above: 1024
- description: OS family (such as redhat, debian, freebsd, windows).
- example: debian
- - name: os.kernel
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system kernel version as a raw string.
- example: 4.4.0-112-generic
- - name: os.name
- level: extended
- type: keyword
- ignore_above: 1024
- multi_fields:
- - name: text
- type: text
- norms: false
- default_field: false
- description: Operating system name, without the version.
- example: Mac OS X
- - name: os.platform
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system platform (such centos, ubuntu, windows).
- example: darwin
- - name: os.version
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system version as a raw string.
- example: 10.14.1
- - name: type
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.'
- - name: containerized
- type: boolean
- description: >
- If the host is a container.
-
- - name: os.build
- type: keyword
- example: "18D109"
- description: >
- OS build information.
-
- - name: os.codename
- type: keyword
- example: "stretch"
- description: >
- OS codename, if any.
-
-- name: input.type
- type: keyword
- description: Input type
-- name: log.offset
- type: long
- description: Log offset
diff --git a/packages/infoblox_bloxone_ddi/0.1.0/data_stream/dns_config/fields/base-fields.yml b/packages/infoblox_bloxone_ddi/0.1.0/data_stream/dns_config/fields/base-fields.yml
deleted file mode 100755
index f98584bba2..0000000000
--- a/packages/infoblox_bloxone_ddi/0.1.0/data_stream/dns_config/fields/base-fields.yml
+++ /dev/null
@@ -1,20 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: '@timestamp'
- type: date
- description: Event timestamp.
-- name: event.module
- type: constant_keyword
- description: Event module.
- value: infoblox_bloxone_ddi
-- name: event.dataset
- type: constant_keyword
- description: Event dataset.
- value: infoblox_bloxone_ddi.dns_config
diff --git a/packages/infoblox_bloxone_ddi/0.1.0/data_stream/dns_config/fields/ecs.yml b/packages/infoblox_bloxone_ddi/0.1.0/data_stream/dns_config/fields/ecs.yml
deleted file mode 100755
index bcb862f2c4..0000000000
--- a/packages/infoblox_bloxone_ddi/0.1.0/data_stream/dns_config/fields/ecs.yml
+++ /dev/null
@@ -1,62 +0,0 @@
-- description: The time interval in seconds that this resource record may be cached before it should be discarded. Zero values mean that the data should not be cached.
- name: dns.answers.ttl
- type: long
-- description: |-
- ECS version this event conforms to. `ecs.version` is a required field and must exist in all events.
- When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events.
- name: ecs.version
- type: keyword
-- description: |-
- This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy.
- `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory.
- This field is an array. This will allow proper categorization of some events that fall in multiple categories.
- name: event.category
- normalize:
- - array
- type: keyword
-- description: |-
- event.created contains the date/time when the event was first read by an agent, or by your pipeline.
- This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event.
- In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source.
- In case the two timestamps are identical, @timestamp should be used.
- name: event.created
- type: date
-- description: Unique ID to describe the event.
- name: event.id
- type: keyword
-- description: |-
- This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy.
- `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events.
- The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not.
- name: event.kind
- type: keyword
-- description: |-
- Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex.
- This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`.
- doc_values: false
- index: false
- name: event.original
- type: keyword
-- description: |-
- This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy.
- `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization.
- This field is an array. This will allow proper categorization of some events that fall in multiple event types.
- name: event.type
- normalize:
- - array
- type: keyword
-- description: All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search).
- name: related.hash
- normalize:
- - array
- type: keyword
-- description: All of the IPs seen on your event.
- name: related.ip
- normalize:
- - array
- type: ip
-- description: List of keywords used to tag each event.
- name: tags
- normalize:
- - array
- type: keyword
diff --git a/packages/infoblox_bloxone_ddi/0.1.0/data_stream/dns_config/fields/fields.yml b/packages/infoblox_bloxone_ddi/0.1.0/data_stream/dns_config/fields/fields.yml
deleted file mode 100755
index 423cf2bcc0..0000000000
--- a/packages/infoblox_bloxone_ddi/0.1.0/data_stream/dns_config/fields/fields.yml
+++ /dev/null
@@ -1,1276 +0,0 @@
-- name: infoblox_bloxone_ddi.dns_config
- type: group
- fields:
- - name: add_edns
- type: group
- fields:
- - name: option_in
- type: group
- fields:
- - name: outgoing_query
- type: boolean
- description: add_edns_option_in_outgoing_query adds client IP, MAC address and view name into outgoing recursive query.
- - name: comment
- type: keyword
- description: Optional. Comment for view.
- - name: created_at
- type: date
- description: The timestamp when the object has been created.
- - name: custom_root_ns_enabled
- type: boolean
- description: Optional. true to use custom root nameservers instead of the default ones.
- - name: custom_root_ns
- type: group
- description: List of custom root nameservers. The order does not matter.
- fields:
- - name: address
- type: ip
- description: IPv4 address.
- - name: fqdn
- type: keyword
- description: FQDN.
- - name: protocol
- type: group
- fields:
- - name: fqdn
- type: keyword
- description: FQDN in punycode.
- - name: disabled
- type: boolean
- description: Optional. true to disable object. A disabled object is effectively non-existent when generating configuration.
- - name: dnssec
- type: group
- fields:
- - name: enable_validation
- type: boolean
- description: Optional. true to perform DNSSEC validation.
- - name: enabled
- type: boolean
- description: Optional. Master toggle for all DNSSEC processing.
- - name: root_keys
- type: group
- fields:
- - name: algorithm
- type: long
- description: Key algorithm. Algorithm values are as per standards.
- - name: protocol
- type: group
- fields:
- - name: zone
- type: keyword
- description: Zone FQDN in punycode.
- - name: public
- type: keyword
- description: DNSSEC key data. Non-empty, valid base64 string.
- - name: sep
- type: boolean
- description: Optional. Secure Entry Point flag.
- - name: zone
- type: keyword
- description: Zone FQDN.
- - name: trust_anchors
- type: group
- fields:
- - name: algorithm
- type: long
- description: Key algorithm. Algorithm values are as per standards.
- - name: protocol
- type: group
- fields:
- - name: zone
- type: keyword
- description: Zone FQDN in punycode.
- - name: public_key
- type: keyword
- description: DNSSEC key data. Non-empty, valid base64 string.
- - name: sep
- type: boolean
- description: Optional. Secure Entry Point flag.
- - name: zone
- type: keyword
- description: Zone FQDN.
- - name: validate_expiry
- type: boolean
- description: Optional. true to reject expired DNSSEC keys.
- - name: ecs
- type: group
- fields:
- - name: enabled
- type: boolean
- description: Optional. true to enable EDNS client subnet for recursive queries.
- - name: forwarding
- type: boolean
- description: Optional. true to enable ECS options in outbound queries. This functionality has additional overhead so it is disabled by default.
- - name: prefix_v4
- type: long
- description: Optional. Maximum scope length for v4 ECS.
- - name: prefix_v6
- type: long
- description: Optional. Maximum scope length for v6 ECS.
- - name: zones
- type: group
- fields:
- - name: access
- type: keyword
- description: Access control for zone.
- - name: fqdn
- type: keyword
- description: Zone FQDN.
- - name: protocol
- type: group
- fields:
- - name: fqdn
- type: keyword
- description: Zone FQDN in punycode.
- - name: edns
- type: group
- fields:
- - name: udp
- type: group
- fields:
- - name: size
- type: long
- description: Optional. edns_udp_size represents the edns UDP size.
- - name: forwarders_only
- type: boolean
- description: Optional. true to only forward.
- - name: forwarders
- type: group
- fields:
- - name: address
- type: ip
- description: Server IP address.
- - name: fqdn
- type: keyword
- description: Server FQDN.
- - name: protocol
- type: group
- fields:
- - name: fqdn
- type: keyword
- description: Server FQDN in punycode.
- - name: gss_tsig_enabled
- type: boolean
- description: gss_tsig_enabled enables/disables GSS-TSIG signed dynamic updates.
- - name: id
- type: keyword
- description: The resource identifier.
- - name: inheritance
- type: group
- fields:
- - name: sources
- type: group
- fields:
- - name: add_edns
- type: group
- fields:
- - name: option_in
- type: group
- fields:
- - name: outgoing_query
- type: group
- fields:
- - name: action
- type: keyword
- description: The inheritance setting for a field.
- - name: display
- type: group
- fields:
- - name: name
- type: keyword
- description: The human-readable display name for the object referred to by source.
- - name: source
- type: keyword
- description: The resource identifier.
- - name: value
- type: boolean
- description: The inherited value.
- - name: custom_root_ns
- type: group
- fields:
- - name: block
- type: group
- fields:
- - name: action
- type: keyword
- description: Defaults to inherit.
- - name: display
- type: group
- fields:
- - name: name
- type: keyword
- description: Human-readable display name for the object referred to by source.
- - name: source
- type: keyword
- description: The resource identifier.
- - name: value
- type: group
- fields:
- - name: address
- type: ip
- description: IPv4 address.
- - name: fqdn
- type: keyword
- description: Optional. Field config for custom_root_ns_enabled field.
- - name: protocol
- type: group
- fields:
- - name: fqdn
- type: keyword
- description: FQDN.
- - name: value_enabled
- type: boolean
- description: FQDN in punycode.
- - name: dnssec
- type: group
- fields:
- - name: validation
- type: group
- fields:
- - name: block
- type: group
- fields:
- - name: action
- type: keyword
- description: Defaults to inherit.
- - name: display
- type: group
- fields:
- - name: name
- type: keyword
- description: Human-readable display name for the object referred to by source.
- - name: source
- type: keyword
- description: The resource identifier.
- - name: value
- type: group
- fields:
- - name: enable
- type: boolean
- description: Optional. Field config for dnssec_enable_validation field.
- - name: enabled
- type: boolean
- description: Optional. Field config for dnssec_enabled field.
- - name: trust_anchors
- type: group
- fields:
- - name: algorithm
- type: long
- description: Key algorithm. Algorithm values are as per standards.
- - name: protocol
- type: group
- fields:
- - name: zone
- type: keyword
- description: Zone FQDN in punycode.
- - name: public_key
- type: keyword
- description: DNSSEC key data. Non-empty, valid base64 string.
- - name: sep
- type: boolean
- description: Optional. Secure Entry Point flag.
- - name: zone
- type: keyword
- description: Zone FQDN.
- - name: validate_expiry
- type: boolean
- description: Optional. Field config for dnssec_validate_expiry field.
- - name: ecs
- type: group
- fields:
- - name: block
- type: group
- fields:
- - name: action
- type: keyword
- description: Defaults to inherit.
- - name: display
- type: group
- fields:
- - name: name
- type: keyword
- description: Human-readable display name for the object referred to by source.
- - name: source
- type: keyword
- description: The resource identifier.
- - name: value
- type: group
- fields:
- - name: enabled
- type: boolean
- description: Optional. Field config for ecs_enabled field.
- - name: forwarding
- type: boolean
- description: Optional. Field config for ecs_forwarding field.
- - name: prefix_v4
- type: long
- description: Optional. Field config for ecs_prefix_v4 field.
- - name: prefix_v6
- type: long
- description: Optional. Field config for ecs_prefix_v6 field.
- - name: zones
- type: group
- fields:
- - name: access
- type: keyword
- description: Access control for zone.
- - name: fqdn
- type: keyword
- description: Zone FQDN.
- - name: protocol
- type: group
- fields:
- - name: fqdn
- type: keyword
- description: Zone FQDN in punycode.
- - name: edns
- type: group
- fields:
- - name: udp
- type: group
- fields:
- - name: size
- type: group
- fields:
- - name: action
- type: keyword
- description: The inheritance setting for a field.
- - name: display
- type: group
- fields:
- - name: name
- type: keyword
- description: The human-readable display name for the object referred to by source.
- - name: source
- type: keyword
- description: The resource identifier.
- - name: value
- type: long
- description: The inherited value.
- - name: forwarders
- type: group
- fields:
- - name: block
- type: group
- fields:
- - name: action
- type: keyword
- description: Defaults to inherit.
- - name: display
- type: group
- fields:
- - name: name
- type: keyword
- description: Human-readable display name for the object referred to by source.
- - name: source
- type: keyword
- description: The resource identifier.
- - name: value_only
- type: boolean
- description: Optional. Field config for forwarders_only field.
- - name: value
- type: group
- fields:
- - name: address
- type: ip
- description: Server IP address.
- - name: fqdn
- type: keyword
- description: Server FQDN.
- - name: protocol
- type: group
- fields:
- - name: fqdn
- type: keyword
- description: Server FQDN in punycode.
- - name: gss_tsig_enabled
- type: group
- fields:
- - name: action
- type: keyword
- description: The inheritance setting for a field.
- - name: display
- type: group
- fields:
- - name: name
- type: keyword
- description: The human-readable display name for the object referred to by source.
- - name: source
- type: keyword
- description: The resource identifier.
- - name: value
- type: boolean
- description: The inherited value.
- - name: lame_ttl
- type: group
- fields:
- - name: action
- type: keyword
- description: The inheritance setting for a field.
- - name: display
- type: group
- fields:
- - name: name
- type: keyword
- description: The human-readable display name for the object referred to by source.
- - name: source
- type: keyword
- description: The resource identifier.
- - name: value
- type: long
- description: The inherited value.
- - name: match_recursive_only
- type: group
- fields:
- - name: action
- type: keyword
- description: The inheritance setting for a field.
- - name: display
- type: group
- fields:
- - name: name
- type: keyword
- description: The human-readable display name for the object referred to by source.
- - name: source
- type: keyword
- description: The resource identifier.
- - name: value
- type: boolean
- description: The inherited value.
- - name: max_cache_ttl
- type: group
- fields:
- - name: action
- type: keyword
- description: The inheritance setting for a field.
- - name: display
- type: group
- fields:
- - name: name
- type: keyword
- description: The human-readable display name for the object referred to by source.
- - name: source
- type: keyword
- description: The resource identifier.
- - name: value
- type: long
- description: The inherited value.
- - name: max_negative_ttl
- type: group
- fields:
- - name: action
- type: keyword
- description: The inheritance setting for a field.
- - name: display
- type: group
- fields:
- - name: name
- type: keyword
- description: The human-readable display name for the object referred to by source.
- - name: source
- type: keyword
- description: The resource identifier.
- - name: value
- type: long
- description: The inherited value.
- - name: max_udp_size
- type: group
- fields:
- - name: action
- type: keyword
- description: The inheritance setting for a field.
- - name: display
- type: group
- fields:
- - name: name
- type: keyword
- description: The human-readable display name for the object referred to by source.
- - name: source
- type: keyword
- description: The resource identifier.
- - name: value
- type: long
- description: The inherited value.
- - name: minimal_responses
- type: group
- fields:
- - name: action
- type: keyword
- description: The inheritance setting for a field.
- - name: display
- type: group
- fields:
- - name: name
- type: keyword
- description: The human-readable display name for the object referred to by source.
- - name: source
- type: keyword
- description: The resource identifier.
- - name: value
- type: boolean
- description: The inherited value.
- - name: notify
- type: group
- fields:
- - name: action
- type: keyword
- description: The inheritance setting for a field.
- - name: display
- type: group
- fields:
- - name: name
- type: keyword
- description: The human-readable display name for the object referred to by source.
- - name: source
- type: keyword
- description: The resource identifier.
- - name: value
- type: boolean
- description: The inherited value.
- - name: query_acl
- type: group
- fields:
- - name: action
- type: keyword
- description: The inheritance setting for a field.
- - name: display
- type: group
- fields:
- - name: name
- type: keyword
- description: The human-readable display name for the object referred to by source.
- - name: source
- type: keyword
- description: The resource identifier.
- - name: value
- type: group
- fields:
- - name: access
- type: keyword
- description: Access permission for element.
- - name: acl
- type: keyword
- description: The resource identifier.
- - name: address
- type: ip
- description: Optional. Data for ip element.
- - name: element
- type: keyword
- description: Type of element.
- - name: tsig_key
- type: group
- fields:
- - name: algorithm
- type: keyword
- description: TSIG key algorithm.
- - name: comment
- type: keyword
- description: Comment for TSIG key.
- - name: key
- type: keyword
- description: The resource identifier.
- - name: name
- type: keyword
- description: TSIG key name, FQDN.
- - name: protocol
- type: group
- fields:
- - name: name
- type: keyword
- description: TSIG key name in punycode.
- - name: secret
- type: keyword
- description: TSIG key secret, base64 string.
- - name: recursion_acl
- type: group
- fields:
- - name: action
- type: keyword
- description: The inheritance setting for a field.
- - name: display
- type: group
- fields:
- - name: name
- type: keyword
- description: The human-readable display name for the object referred to by source.
- - name: source
- type: keyword
- description: The resource identifier.
- - name: value
- type: group
- fields:
- - name: access
- type: keyword
- description: Access permission for element.
- - name: acl
- type: keyword
- description: The resource identifier.
- - name: address
- type: ip
- description: Optional. Data for ip element.
- - name: element
- type: keyword
- description: Type of element.
- - name: tsig_key
- type: group
- fields:
- - name: algorithm
- type: keyword
- description: TSIG key algorithm.
- - name: comment
- type: keyword
- description: Comment for TSIG key.
- - name: key
- type: keyword
- description: The resource identifier.
- - name: name
- type: keyword
- description: TSIG key name, FQDN.
- - name: protocol
- type: group
- fields:
- - name: name
- type: keyword
- description: TSIG key name in punycode.
- - name: secret
- type: keyword
- description: TSIG key secret, base64 string.
- - name: recursion_enabled
- type: group
- fields:
- - name: action
- type: keyword
- description: The inheritance setting for a field.
- - name: display
- type: group
- fields:
- - name: name
- type: keyword
- description: The human-readable display name for the object referred to by source.
- - name: source
- type: keyword
- description: The resource identifier.
- - name: value
- type: boolean
- description: The inherited value.
- - name: synthesize
- type: group
- fields:
- - name: address_records_from_https
- type: group
- fields:
- - name: action
- type: keyword
- description: The inheritance setting for a field.
- - name: display
- type: group
- fields:
- - name: name
- type: keyword
- description: The human-readable display name for the object referred to by source.
- - name: name
- type: keyword
- description: The resource identifier.
- - name: value
- type: boolean
- description: The inherited value.
- - name: transfer_acl
- type: group
- fields:
- - name: action
- type: keyword
- description: The inheritance setting for a field.
- - name: display
- type: group
- fields:
- - name: name
- type: keyword
- description: The human-readable display name for the object referred to by source.
- - name: source
- type: keyword
- description: The resource identifier.
- - name: value
- type: group
- fields:
- - name: access
- type: keyword
- description: Access permission for element.
- - name: acl
- type: keyword
- description: The resource identifier.
- - name: address
- type: ip
- description: Optional. Data for ip element.
- - name: element
- type: keyword
- description: Type of element.
- - name: tsig_key
- type: group
- fields:
- - name: algorithm
- type: keyword
- description: TSIG key algorithm.
- - name: comment
- type: keyword
- description: Comment for TSIG key.
- - name: key
- type: keyword
- description: The resource identifier.
- - name: name
- type: keyword
- description: TSIG key name, FQDN.
- - name: protocol
- type: group
- fields:
- - name: name
- type: keyword
- description: TSIG key name in punycode.
- - name: secret
- type: keyword
- description: TSIG key secret, base64 string.
- - name: update_acl
- type: group
- fields:
- - name: action
- type: keyword
- description: The inheritance setting for a field.
- - name: display
- type: group
- fields:
- - name: name
- type: keyword
- description: The human-readable display name for the object referred to by source.
- - name: source
- type: keyword
- description: The resource identifier.
- - name: value
- type: group
- fields:
- - name: access
- type: keyword
- description: Access permission for element.
- - name: acl
- type: keyword
- description: The resource identifier.
- - name: address
- type: ip
- description: Optional. Data for ip element.
- - name: element
- type: keyword
- description: Type of element.
- - name: tsig_key
- type: group
- fields:
- - name: algorithm
- type: keyword
- description: TSIG key algorithm.
- - name: comment
- type: keyword
- description: Comment for TSIG key.
- - name: key
- type: keyword
- description: The resource identifier.
- - name: name
- type: keyword
- description: TSIG key name, FQDN.
- - name: protocol
- type: group
- fields:
- - name: name
- type: keyword
- description: TSIG key name in punycode.
- - name: secret
- type: keyword
- description: TSIG key secret, base64 string.
- - name: use_forwarders_for_subzones
- type: group
- fields:
- - name: action
- type: keyword
- description: The inheritance setting for a field.
- - name: display
- type: group
- fields:
- - name: name
- type: keyword
- description: The human-readable display name for the object referred to by source.
- - name: source
- type: keyword
- description: The resource identifier.
- - name: value
- type: boolean
- description: The inherited value.
- - name: zone_authority
- type: group
- fields:
- - name: default_ttl
- type: group
- fields:
- - name: action
- type: keyword
- description: The inheritance setting for a field.
- - name: display
- type: group
- fields:
- - name: name
- type: keyword
- description: The human-readable display name for the object referred to by source.
- - name: source
- type: keyword
- description: The resource identifier.
- - name: value
- type: long
- description: The inherited value.
- - name: expire
- type: group
- fields:
- - name: action
- type: keyword
- description: The inheritance setting for a field.
- - name: display
- type: group
- fields:
- - name: name
- type: keyword
- description: The human-readable display name for the object referred to by source.
- - name: source
- type: keyword
- description: The resource identifier.
- - name: value
- type: long
- description: The inherited value.
- - name: mname_block_value
- type: keyword
- description: Defaults to empty.
- - name: mname_block
- type: group
- fields:
- - name: action
- type: keyword
- description: Defaults to inherit.
- - name: display
- type: group
- fields:
- - name: name
- type: keyword
- description: Human-readable display name for the object referred to by source.
- - name: source
- type: keyword
- description: The resource identifier.
- - name: value
- type: group
- fields:
- - name: isdefault
- type: boolean
- description: Optional. Use default value for master name server. Defaults to true.
- - name: protocol
- type: group
- fields:
- - name: mname
- type: keyword
- description: Optional. Master name server in punycode. Defaults to empty.
- - name: negative_ttl
- type: group
- fields:
- - name: action
- type: keyword
- description: The inheritance setting for a field.
- - name: display
- type: group
- fields:
- - name: name
- type: keyword
- description: The human-readable display name for the object referred to by source.
- - name: source
- type: keyword
- description: The resource identifier.
- - name: value
- type: long
- description: The inherited value.
- - name: protocol_rname
- type: group
- fields:
- - name: action
- type: keyword
- description: The inheritance setting for a field.
- - name: display
- type: group
- fields:
- - name: name
- type: keyword
- description: The human-readable display name for the object referred to by source.
- - name: source
- type: keyword
- description: The resource identifier.
- - name: value
- type: keyword
- description: The inherited value.
- - name: refresh
- type: group
- fields:
- - name: action
- type: keyword
- description: The inheritance setting for a field.
- - name: display
- type: group
- fields:
- - name: name
- type: keyword
- description: The human-readable display name for the object referred to by source.
- - name: source
- type: keyword
- description: The resource identifier.
- - name: value - type: long - description: The inherited value. - - name: retry - type: group - fields: - - name: action - type: keyword - description: The inheritance setting for a field. - - name: display - type: group - fields: - - name: name - type: keyword - description: The human-readable display name for the object referred to by source. - - name: source - type: keyword - description: The resource identifier. - - name: value - type: long - description: The inherited value. - - name: rname - type: group - fields: - - name: action - type: keyword - description: The inheritance setting for a field. - - name: display - type: group - fields: - - name: name - type: keyword - description: The human-readable display name for the object referred to by source. - - name: source - type: keyword - description: The resource identifier. - - name: value - type: keyword - description: The inherited value. - - name: ip_spaces - type: keyword - description: The resource identifier. - - name: lame_ttl - type: long - description: Optional. Unused in the current on-prem DNS server implementation. - - name: match_clients_acl - type: group - fields: - - name: access - type: keyword - description: Access permission for element. - - name: address - type: ip - description: Optional. Data for ip element. - - name: element - type: keyword - description: Type of element. - - name: tsig_key - type: group - fields: - - name: algorithm - type: keyword - description: TSIG key algorithm. - - name: comment - type: keyword - description: Comment for TSIG key. - - name: key - type: keyword - description: The resource identifier. - - name: name - type: keyword - description: TSIG key name, FQDN. - - name: protocol - type: group - fields: - - name: name - type: keyword - description: TSIG key name in punycode. - - name: secret - type: keyword - description: TSIG key secret, base64 string. - - name: value - type: keyword - description: The resource identifier. 
- - name: match_destinations_acl - type: group - fields: - - name: access - type: keyword - description: Access permission for element. - - name: address - type: ip - description: Optional. Data for ip element. - - name: element - type: keyword - description: Type of element. - - name: tsig_key - type: group - fields: - - name: algorithm - type: keyword - description: TSIG key algorithm. - - name: comment - type: keyword - description: Comment for TSIG key. - - name: key - type: keyword - description: The resource identifier. - - name: name - type: keyword - description: TSIG key name, FQDN. - - name: protocol - type: group - fields: - - name: name - type: keyword - description: TSIG key name in punycode. - - name: secret - type: keyword - description: TSIG key secret, base64 string. - - name: value - type: keyword - description: The resource identifier. - - name: match_recursive_only - type: boolean - description: Optional. If true only recursive queries from matching clients access the view. - - name: max_cache_ttl - type: long - description: Optional. Seconds to cache positive responses. - - name: max_negative_ttl - type: long - description: Optional. Seconds to cache negative responses. - - name: max_udp_size - type: long - description: Optional. max_udp_size represents maximum UDP payload size. - - name: minimal_responses - type: boolean - description: Optional. When enabled, the DNS server will only add records to the authority and additional data sections when they are required. - - name: name - type: keyword - description: Name of view. - - name: notify - type: boolean - description: notify all external secondary DNS servers. - - name: query_acl - type: group - fields: - - name: access - type: keyword - description: Access permission for element. - - name: address - type: ip - description: Optional. Data for ip element. - - name: element - type: keyword - description: Type of element. 
- - name: tsig_key - type: group - fields: - - name: algorithm - type: keyword - description: TSIG key algorithm. - - name: comment - type: keyword - description: Comment for TSIG key. - - name: key - type: keyword - description: The resource identifier. - - name: name - type: keyword - description: TSIG key name, FQDN. - - name: protocol - type: group - fields: - - name: name - type: keyword - description: TSIG key name in punycode. - - name: secret - type: keyword - description: TSIG key secret, base64 string. - - name: value - type: keyword - description: The resource identifier. - - name: recursion_acl - type: group - fields: - - name: access - type: keyword - description: Access permission for element. - - name: address - type: ip - description: Optional. Data for ip element. - - name: element - type: keyword - description: Type of element. - - name: tsig_key - type: group - fields: - - name: algorithm - type: keyword - description: TSIG key algorithm. - - name: comment - type: keyword - description: Comment for TSIG key. - - name: key - type: keyword - description: The resource identifier. - - name: name - type: keyword - description: TSIG key name, FQDN. - - name: protocol - type: group - fields: - - name: name - type: keyword - description: TSIG key name in punycode. - - name: secret - type: keyword - description: TSIG key secret, base64 string. - - name: value - type: keyword - description: The resource identifier. - - name: recursion_enabled - type: boolean - description: Optional. true to allow recursive DNS queries. - - name: synthesize - type: group - fields: - - name: address_records_from_https - type: boolean - description: synthesize_address_records_from_https enables/disables creation of A/AAAA records from HTTPS RR. - - name: tags - type: flattened - description: Tagging specifics. - - name: transfer_acl - type: group - fields: - - name: access - type: keyword - description: Access permission for element. 
- - name: address - type: ip - description: Optional. Data for ip element. - - name: element - type: keyword - description: Type of element. - - name: tsig_key - type: group - fields: - - name: algorithm - type: keyword - description: TSIG key algorithm. - - name: comment - type: keyword - description: Comment for TSIG key. - - name: key - type: keyword - description: The resource identifier. - - name: name - type: keyword - description: TSIG key name, FQDN. - - name: protocol - type: group - fields: - - name: name - type: keyword - description: TSIG key name in punycode. - - name: secret - type: keyword - description: TSIG key secret, base64 string. - - name: value - type: keyword - description: The resource identifier. - - name: update_acl - type: group - fields: - - name: access - type: keyword - description: Access permission for element. - - name: address - type: ip - description: Optional. Data for ip element. - - name: element - type: keyword - description: Type of element. - - name: tsig_key - type: group - fields: - - name: algorithm - type: keyword - description: TSIG key algorithm. - - name: comment - type: keyword - description: Comment for TSIG key. - - name: key - type: keyword - description: The resource identifier. - - name: name - type: keyword - description: TSIG key name, FQDN. - - name: protocol - type: group - fields: - - name: name - type: keyword - description: TSIG key name in punycode. - - name: secret - type: keyword - description: TSIG key secret, base64 string. - - name: value - type: keyword - description: The resource identifier. - - name: updated_at - type: date - description: The timestamp when the object has been updated. Equals to created_at if not updated after creation. - - name: use_forwarders_for_subzones - type: boolean - description: Optional. Use default forwarders to resolve queries for subzones. - - name: zone_authority - type: group - fields: - - name: default_ttl - type: long - description: Optional. 
ZoneAuthority default ttl for resource records in zone (value in seconds). - - name: expire - type: long - description: Optional. ZoneAuthority expire time in seconds. Defaults to 2419200. - - name: mname - type: keyword - description: Optional. ZoneAuthority master name server (partially qualified domain name) Defaults to empty. - - name: negative_ttl - type: long - description: Optional. ZoneAuthority negative caching (minimum) ttl in seconds. - - name: protocol - type: group - fields: - - name: mname - type: keyword - description: Optional. ZoneAuthority master name server in punycode. Defaults to empty. - - name: rname - type: keyword - description: Optional. A domain name which specifies the mailbox of the person responsible for this zone. Defaults to empty. - - name: refresh - type: long - description: Optional. ZoneAuthority refresh. Defaults to 10800. - - name: retry - type: long - description: Optional. ZoneAuthority retry. Defaults to 3600. - - name: rname - type: keyword - description: Optional. ZoneAuthority rname. Defaults to empty. - - name: use_default_mname - type: boolean - description: Optional. Use default value for master name server. Defaults to true. diff --git a/packages/infoblox_bloxone_ddi/0.1.0/data_stream/dns_config/manifest.yml b/packages/infoblox_bloxone_ddi/0.1.0/data_stream/dns_config/manifest.yml deleted file mode 100755 index b83c320597..0000000000 --- a/packages/infoblox_bloxone_ddi/0.1.0/data_stream/dns_config/manifest.yml +++ /dev/null 
@@ -1,57 +0,0 @@ -title: Collect DNS Config logs from Infoblox BloxOne DDI -type: logs -streams: - - input: httpjson - title: DNS Config logs - description: Collect DNS Config logs from Infoblox BloxOne DDI. - template_path: httpjson.yml.hbs - vars: - - name: initial_interval - type: text - title: Initial Interval - description: How far back to pull the DHCP Lease events from Infoblox BloxOne DDI. NOTE:- Supported units for this parameter are h/m/s. - multi: false - required: true - show_user: true - default: 24h - - name: interval - type: text - title: Interval - description: Duration between requests to the Infoblox BloxOne DDI API. NOTE:- Supported units for this parameter are h/m/s. - multi: false - required: true - show_user: true - default: 1m - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: false - default: - - forwarded - - infoblox_bloxone_ddi_dns_config - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original`. - type: bool - multi: false - default: false - - name: preserve_duplicate_custom_fields - required: true - show_user: true - title: Preserve duplicate custom fields - description: Preserve custom fields for all ECS mappings. - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: >- - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. 
diff --git a/packages/infoblox_bloxone_ddi/0.1.0/data_stream/dns_config/sample_event.json b/packages/infoblox_bloxone_ddi/0.1.0/data_stream/dns_config/sample_event.json deleted file mode 100755 index c2849e4b32..0000000000 --- a/packages/infoblox_bloxone_ddi/0.1.0/data_stream/dns_config/sample_event.json +++ /dev/null 
@@ -1,670 +0,0 @@ -{ - "@timestamp": "2022-07-15T06:55:25.978Z", - "agent": { - "ephemeral_id": "72747b3e-5f2e-4261-a994-aff0ac9b5be1", - "hostname": "docker-fleet-agent", - "id": "40a09f39-a5b9-4b21-8605-6f6e9cd36138", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "7.17.0" - }, - "data_stream": { - "dataset": "infoblox_bloxone_ddi.dns_config", - "namespace": "ep", - "type": "logs" - }, - "dns": { - "answers": { - "ttl": 350 - } - }, - "ecs": { - "version": "8.4.0" - }, - "elastic_agent": { - "id": "40a09f39-a5b9-4b21-8605-6f6e9cd36138", - "snapshot": false, - "version": "7.17.0" - }, - "event": { - "agent_id_status": "verified", - "category": [ - "network" - ], - "created": "2022-07-15T06:55:25.978Z", - "dataset": "infoblox_bloxone_ddi.dns_config", - "id": "adv12rgfh", - "ingested": "2022-09-22T08:28:25Z", - "kind": "event", - "original": "{\"add_edns_option_in_outgoing_query\":true,\"comment\":\"DNS Config Comment\",\"created_at\":\"2022-07-15T06:55:25.978Z\",\"custom_root_ns\":[{\"address\":\"81.2.69.192\",\"fqdn\":\"custom fqdn\",\"protocol_fqdn\":\"custom protocol fqdn\"}],\"custom_root_ns_enabled\":true,\"disabled\":true,\"dnssec_enable_validation\":true,\"dnssec_enabled\":true,\"dnssec_root_keys\":[{\"algorithm\":30,\"protocol_zone\":\"Dnssec root protocol zone\",\"public_key\":\"Dnssec root Public Key\",\"sep\":true,\"zone\":\"Dnssec root Zone\"}],\"dnssec_trust_anchors\":[{\"algorithm\":10,\"protocol_zone\":\"Dnssec trust protocol zone\",\"public_key\":\"Dnssec trust Public Key\",\"sep\":true,\"zone\":\"Dnssec trust zone\"}],\"dnssec_validate_expiry\":true,\"ecs_enabled\":true,\"ecs_forwarding\":true,\"ecs_prefix_v4\":22,\"ecs_prefix_v6\":33,\"ecs_zones\":[{\"access\":\"ecs zones access\",\"fqdn\":\"ecs zones fqdn\",\"protocol_fqdn\":\"ecs zones protocol fqdn\"}],\"edns_udp_size\":568,\"forwarders\":[{\"address\":\"81.2.69.192\",\"fqdn\":\"forwarders fqdn\",\"protocol_fqdn\":\"forwarders protocol 
fqdn\"}],\"forwarders_only\":true,\"gss_tsig_enabled\":true,\"id\":\"adv12rgfh\",\"inheritance_sources\":{\"add_edns_option_in_outgoing_query\":{\"action\":\"inherit\",\"display_name\":\"displaynameadd_edns_option_in_outgoing_query\",\"source\":\"sourceadd_edns_option_in_outgoing_query\",\"value\":true},\"custom_root_ns_block\":{\"action\":\"override\",\"display_name\":\"displaynamecustom_root_ns_block\",\"source\":\"sourcecustom_root_ns_block\",\"value\":{\"custom_root_ns\":[{\"address\":\"67.43.156.0\",\"fqdn\":\"fqdn_custom_root_ns\",\"protocol_fqdn\":\"protocolfqdn_custom_root_ns\"}],\"custom_root_ns_enabled\":true}},\"dnssec_validation_block\":{\"action\":\"inherit\",\"display_name\":\"displaynamednssec_validation_block\",\"source\":\"sourcednssec_validation_block\",\"value\":{\"dnssec_enable_validation\":true,\"dnssec_enabled\":true,\"dnssec_trust_anchors\":[{\"algorithm\":8,\"protocol_zone\":\"protocolzonednssec_trust_anchors\",\"public_key\":\"publickeydnssec_trust_anchors\",\"sep\":false,\"zone\":\"is3zone\"}],\"dnssec_validate_expiry\":true}},\"ecs_block\":{\"action\":\"inherit\",\"display_name\":\"displaynameecs_block\",\"source\":\"sourceecs_block\",\"value\":{\"ecs_enabled\":false,\"ecs_forwarding\":true,\"ecs_prefix_v4\":4,\"ecs_prefix_v6\":10,\"ecs_zones\":[{\"access\":\"inherit\",\"fqdn\":\"fqdnecs_block\",\"protocol_fqdn\":\"protocol_fqdnecs_block\"}]}},\"ecs_zones\":{\"action\":\"override\",\"display_name\":\"displaynameecs_zones\",\"source\":\"sourceecs_zones\",\"value\":{\"ecs_enabled\":false,\"ecs_forwarding\":true,\"ecs_prefix_v4\":4,\"ecs_prefix_v6\":12,\"ecs_zones\":[{\"access\":\"access_ecs_zones\",\"fqdn\":\"fqdn_ecs_zones\",\"protocol_fqdn\":\"protocolfqdn_ecs_zones\"}]}},\"edns_udp_size\":{\"action\":\"inherit\",\"display_name\":\"displaynameedns_udp_size\",\"source\":\"sourceedns_udp_size\",\"value\":55},\"forwarders_block\":{\"action\":\"inherit\",\"display_name\":\"displaynameforwarders_block\",\"source\":\"sourceforwarders_block\",\"v
alue\":{\"forwarders\":[{\"address\":\"89.160.20.128\",\"fqdn\":\"forwarders_fqdn\",\"protocol_fqdn\":\"forwarders_protocolfqdn\"}],\"forwarders_only\":true}},\"gss_tsig_enabled\":{\"action\":\"inherit\",\"display_name\":\"displaynamegss_tsig_enabled\",\"source\":\"sourcegss_tsig_enabled\",\"value\":true},\"lame_ttl\":{\"action\":\"inherit\",\"display_name\":\"displaynamelame_ttl\",\"source\":\"sourcelame_ttl\",\"value\":45},\"match_recursive_only\":{\"action\":\"inherit\",\"display_name\":\"displaynamematch_recursive_only\",\"source\":\"sourcematch_recursive_only\",\"value\":false},\"max_cache_ttl\":{\"action\":\"inherit\",\"display_name\":\"displaynamemax_cache_ttl\",\"source\":\"sourcemax_cache_ttl\",\"value\":13},\"max_negative_ttl\":{\"action\":\"inherit\",\"display_name\":\"displaynamemax_negative_ttl\",\"source\":\"sourcemax_negative_ttl\",\"value\":12},\"max_udp_size\":{\"action\":\"inherit\",\"display_name\":\"displaynamemax_udp_size\",\"source\":\"sourcemax_udp_size\",\"value\":11},\"minimal_responses\":{\"action\":\"inherit\",\"display_name\":\"displaynameminimal_responses\",\"source\":\"sourceminimal_responses\",\"value\":true},\"notify\":{\"action\":\"inherit\",\"display_name\":\"displayname_notify\",\"source\":\"source_notify\",\"value\":true},\"query_acl\":{\"action\":\"override\",\"display_name\":\"displaynamequery_acl\",\"source\":\"sourcequery_acl\",\"value\":[{\"access\":\"allow\",\"acl\":\"aclvalue_query_acl\",\"address\":\"89.160.20.128\",\"element\":\"elementvaluequery_acl\",\"tsig_key\":{\"algorithm\":\"hmac_sha256\",\"comment\":\"commentquery_acl\",\"key\":\"keyquery_acl\",\"name\":\"namequery_acl\",\"protocol_name\":\"protocolname_query_acl\",\"secret\":\"secretquery_acl\"}}]},\"recursion_acl\":{\"action\":\"override\",\"display_name\":\"displaynamerecursion_acl\",\"source\":\"sourcerecursion_acl\",\"value\":[{\"access\":\"deny\",\"acl\":\"aclrecursion_acl\",\"address\":\"89.160.20.128\",\"element\":\"elementrecursion_acl\",\"tsig_key\":{\"a
lgorithm\":\"hmac_sha384\",\"comment\":\"commentrecursion_acl\",\"key\":\"keyrecursion_acl\",\"name\":\"namerecursion_acl\",\"protocol_name\":\"protocolnamerecursion_acl\",\"secret\":\"secretrecursion_acl\"}}]},\"recursion_enabled\":{\"action\":\"inherit\",\"display_name\":\"displaynamerecursion_enabled\",\"source\":\"sourcerecursion_enabled\",\"value\":true},\"synthesize_address_records_from_https\":{\"action\":\"inherit\",\"display_name\":\"displaynamesynthesize_address_records_from_https\",\"source\":\"sourcesynthesize_address_records_from_https\",\"value\":true},\"transfer_acl\":{\"action\":\"inherit\",\"display_name\":\"displaynametransfer_acl\",\"source\":\"sourcetransfer_acl\",\"value\":[{\"access\":\"allow\",\"acl\":\"acltransfer_acl\",\"address\":\"216.160.83.56\",\"element\":\"elementtransfer_acl\",\"tsig_key\":{\"algorithm\":\"hmac_sha224\",\"comment\":\"commenttransfer_acl\",\"key\":\"keytransfer_acl\",\"name\":\"nametransfer_acl\",\"protocol_name\":\"protocolnametransfer_acl\",\"secret\":\"secrettransfer_acl\"}}]},\"update_acl\":{\"action\":\"override\",\"display_name\":\"displaynameupdate_acl\",\"source\":\"sourceupdate_acl\",\"value\":[{\"access\":\"allow\",\"acl\":\"aclupdate_acl\",\"address\":\"216.160.83.56\",\"element\":\"elementupdate_acl\",\"tsig_key\":{\"algorithm\":\"hmac_sha384\",\"comment\":\"commentupdate_acl\",\"key\":\"keyupdate_acl\",\"name\":\"nameupdate_acl\",\"protocol_name\":\"protocolnameupdate_acl\",\"secret\":\"secretupdate_acl\"}}]},\"use_forwarders_for_subzones\":{\"action\":\"override\",\"display_name\":\"displaynameuse_forwarders_for_subzones\",\"source\":\"sourceuse_forwarders_for_subzones\",\"value\":false},\"zone_authority\":{\"default_ttl\":{\"action\":\"override\",\"display_name\":\"displaynamezone_authority\",\"source\":\"sourcezone_authority\",\"value\":50},\"expire\":{\"action\":\"inherit\",\"display_name\":\"displaynameexpire\",\"source\":\"sourceexpire\",\"value\":70},\"mname_block\":{\"action\":\"inherit\",\"display
_name\":\"displaynamemname_block\",\"source\":\"sourcemname_block\",\"value\":{\"mname\":\"mnamevaluemname_block\",\"protocol_mname\":\"protocolmnamemname_block\",\"use_default_mname\":true}},\"negative_ttl\":{\"action\":\"inherit\",\"display_name\":\"displaynamenegative_ttl\",\"source\":\"sourcenegative_ttl\",\"value\":90},\"protocol_rname\":{\"action\":\"inherit\",\"display_name\":\"displaynameprotocol_rname\",\"source\":\"sourceprotocol_rname\",\"value\":\"valueprotocol_rname\"},\"refresh\":{\"action\":\"inherit\",\"display_name\":\"displayname_refresh\",\"source\":\"source_refresh\",\"value\":40},\"retry\":{\"action\":\"inherit\",\"display_name\":\"displayname_retry\",\"source\":\"source_retry\",\"value\":570},\"rname\":{\"action\":\"inherit\",\"display_name\":\"displayname_rname\",\"source\":\"source_rname\",\"value\":\"value_rname\"}}},\"ip_spaces\":[\"testipspaces\"],\"lame_ttl\":350,\"match_clients_acl\":[{\"access\":\"deny\",\"acl\":\"aclmatch_clients_acl\",\"address\":\"81.2.69.192\",\"element\":\"elementmatch_clients_acl\",\"tsig_key\":{\"algorithm\":\"hmac_sha512\",\"comment\":\"commentmatch_clients_acl\",\"key\":\"keymatch_clients_acl\",\"name\":\"namematch_clients_acl\",\"protocol_name\":\"protocolnamematch_clients_acl\",\"secret\":\"secretmatch_clients_acl\"}}],\"match_destinations_acl\":[{\"access\":\"allow\",\"acl\":\"aclmatch_destinations_acl\",\"address\":\"81.2.69.192\",\"element\":\"elementmatch_destinations_acl\",\"tsig_key\":{\"algorithm\":\"hmac_sha384\",\"comment\":\"commentmatch_destinations_acl\",\"key\":\"keymatch_destinations_acl\",\"name\":\"namematch_destinations_acl\",\"protocol_name\":\"protocolnamematch_destinations_acl\",\"secret\":\"secretmatch_destinations_acl\"}}],\"match_recursive_only\":true,\"max_cache_ttl\":90,\"max_negative_ttl\":500,\"max_udp_size\":890,\"minimal_responses\":true,\"name\":\"string\",\"notify\":true,\"query_acl\":[{\"access\":\"accessquery_acl\",\"acl\":\"aclquery_acl\",\"address\":\"81.2.69.192\",\"element
\":\"elementquery_acl\",\"tsig_key\":{\"algorithm\":\"hmac_sha224\",\"comment\":\"commentquery_acl\",\"key\":\"keyquery_acl\",\"name\":\"namequery_acl\",\"protocol_name\":\"protocolnamequery_acl\",\"secret\":\"secretquery_acl\"}}],\"recursion_acl\":[{\"access\":\"allow\",\"acl\":\"aclrecursion_acl\",\"address\":\"81.2.69.192\",\"element\":\"elementrecursion_acl\",\"tsig_key\":{\"algorithm\":\"hmac_sha1\",\"comment\":\"commentrecursion_acl\",\"key\":\"keyrecursion_acl\",\"name\":\"namerecursion_acl\",\"protocol_name\":\"protocolnamerecursion_acl\",\"secret\":\"secretrecursion_acl\"}}],\"recursion_enabled\":true,\"synthesize_address_records_from_https\":false,\"tags\":{\"message\":\"Hello\"},\"transfer_acl\":[{\"access\":\"allow\",\"acl\":\"acltransfer_acl\",\"address\":\"216.160.83.56\",\"element\":\"elementtransfer_acl\",\"tsig_key\":{\"algorithm\":\"hmac_sha224\",\"comment\":\"commenttransfer_acl\",\"key\":\"keytransfer_acl\",\"name\":\"nametransfer_acl\",\"protocol_name\":\"protocolnametransfer_acl\",\"secret\":\"secrettransfer_acl\"}}],\"update_acl\":[{\"access\":\"allow\",\"acl\":\"aclupdate_acl\",\"address\":\"216.160.83.56\",\"element\":\"elementupdate_acl\",\"tsig_key\":{\"algorithm\":\"hmac_sha1\",\"comment\":\"commentupdate_acl\",\"key\":\"keyupdate_acl\",\"name\":\"nameupdate_acl\",\"protocol_name\":\"protocolnameupdate_acl\",\"secret\":\"secretupdate_acl\"}}],\"updated_at\":\"2022-07-15T06:55:25.978Z\",\"use_forwarders_for_subzones\":true,\"zone_authority\":{\"default_ttl\":20,\"expire\":10,\"mname\":\"mnamezone_authority\",\"negative_ttl\":30,\"protocol_mname\":\"protocolmnamezone_authority\",\"protocol_rname\":\"protocolrnamezone_authority\",\"refresh\":50,\"retry\":100,\"rname\":\"string\",\"use_default_mname\":true}}", - "type": [ - "protocol" - ] - }, - "infoblox_bloxone_ddi": { - "dns_config": { - "add_edns": { - "option_in": { - "outgoing_query": true - } - }, - "comment": "DNS Config Comment", - "created_at": "2022-07-15T06:55:25.978Z", - 
"custom_root_ns": [ - { - "address": "81.2.69.192", - "fqdn": "custom fqdn", - "protocol": { - "fqdn": "custom protocol fqdn" - } - } - ], - "custom_root_ns_enabled": true, - "disabled": true, - "dnssec": { - "enable_validation": true, - "enabled": true, - "root_keys": [ - { - "algorithm": 30, - "protocol": { - "zone": "Dnssec root protocol zone" - }, - "public": "Dnssec root Public Key", - "sep": true, - "zone": "Dnssec root Zone" - } - ], - "trust_anchors": [ - { - "algorithm": 10, - "protocol": { - "zone": "Dnssec trust protocol zone" - }, - "public_key": "Dnssec trust Public Key", - "sep": true, - "zone": "Dnssec trust zone" - } - ], - "validate_expiry": true - }, - "ecs": { - "enabled": true, - "forwarding": true, - "prefix_v4": 22, - "prefix_v6": 33, - "zones": [ - { - "access": "ecs zones access", - "fqdn": "ecs zones fqdn", - "protocol": { - "fqdn": "ecs zones protocol fqdn" - } - } - ] - }, - "edns": { - "udp": { - "size": 568 - } - }, - "forwarders": [ - { - "address": "81.2.69.192", - "fqdn": "forwarders fqdn", - "protocol": { - "fqdn": "forwarders protocol fqdn" - } - } - ], - "forwarders_only": true, - "gss_tsig_enabled": true, - "id": "adv12rgfh", - "inheritance": { - "sources": { - "add_edns": { - "option_in": { - "outgoing_query": { - "action": "inherit", - "display": { - "name": "displaynameadd_edns_option_in_outgoing_query" - }, - "source": "sourceadd_edns_option_in_outgoing_query", - "value": true - } - } - }, - "custom_root_ns": { - "block": { - "action": "override", - "display": { - "name": "displaynamecustom_root_ns_block" - }, - "source": "sourcecustom_root_ns_block", - "value": [ - { - "address": "67.43.156.0", - "fqdn": "fqdn_custom_root_ns", - "protocol": { - "fqdn": "protocolfqdn_custom_root_ns" - } - } - ], - "value_enabled": true - } - }, - "dnssec": { - "validation": { - "block": { - "action": "inherit", - "display": { - "name": "displaynamednssec_validation_block" - }, - "source": "sourcednssec_validation_block", - "value": { - 
"enable": true, - "enabled": true, - "trust_anchors": [ - { - "algorithm": 8, - "protocol": { - "zone": "protocolzonednssec_trust_anchors" - }, - "public_key": "publickeydnssec_trust_anchors", - "sep": false, - "zone": "is3zone" - } - ], - "validate_expiry": true - } - } - } - }, - "ecs": { - "block": { - "action": "inherit", - "display": { - "name": "displaynameecs_block" - }, - "source": "sourceecs_block", - "value": { - "enabled": false, - "forwarding": true, - "prefix_v4": 4, - "prefix_v6": 10, - "zones": [ - { - "access": "inherit", - "fqdn": "fqdnecs_block", - "protocol": { - "fqdn": "protocol_fqdnecs_block" - } - } - ] - } - } - }, - "edns": { - "udp": { - "size": { - "action": "inherit", - "display": { - "name": "displaynameedns_udp_size" - }, - "source": "sourceedns_udp_size", - "value": 55 - } - } - }, - "forwarders": { - "block": { - "action": "inherit", - "display": { - "name": "displaynameforwarders_block" - }, - "source": "sourceforwarders_block", - "value": [ - { - "address": "89.160.20.128", - "fqdn": "forwarders_fqdn", - "protocol": { - "fqdn": "forwarders_protocolfqdn" - } - } - ], - "value_only": true - } - }, - "gss_tsig_enabled": { - "action": "inherit", - "display": { - "name": "displaynamegss_tsig_enabled" - }, - "source": "sourcegss_tsig_enabled", - "value": true - }, - "lame_ttl": { - "action": "inherit", - "display": { - "name": "displaynamelame_ttl" - }, - "source": "sourcelame_ttl", - "value": 45 - }, - "match_recursive_only": { - "action": "inherit", - "display": { - "name": "displaynamematch_recursive_only" - }, - "source": "sourcematch_recursive_only", - "value": false - }, - "max_cache_ttl": { - "action": "inherit", - "display": { - "name": "displaynamemax_cache_ttl" - }, - "source": "sourcemax_cache_ttl", - "value": 13 - }, - "max_negative_ttl": { - "action": "inherit", - "display": { - "name": "displaynamemax_negative_ttl" - }, - "source": "sourcemax_negative_ttl", - "value": 12 - }, - "max_udp_size": { - "action": "inherit", - 
"display": { - "name": "displaynamemax_udp_size" - }, - "source": "sourcemax_udp_size", - "value": 11 - }, - "minimal_responses": { - "action": "inherit", - "display": { - "name": "displaynameminimal_responses" - }, - "source": "sourceminimal_responses", - "value": true - }, - "notify": { - "action": "inherit", - "display": { - "name": "displayname_notify" - }, - "source": "source_notify", - "value": true - }, - "query_acl": { - "action": "override", - "display": { - "name": "displaynamequery_acl" - }, - "source": "sourcequery_acl", - "value": [ - { - "access": "allow", - "acl": "aclvalue_query_acl", - "address": "89.160.20.128", - "element": "elementvaluequery_acl", - "tsig_key": { - "algorithm": "hmac_sha256", - "comment": "commentquery_acl", - "key": "keyquery_acl", - "name": "namequery_acl", - "protocol": { - "name": "protocolname_query_acl" - }, - "secret": "secretquery_acl" - } - } - ] - }, - "recursion_acl": { - "action": "override", - "display": { - "name": "displaynamerecursion_acl" - }, - "source": "sourcerecursion_acl", - "value": [ - { - "access": "deny", - "acl": "aclrecursion_acl", - "address": "89.160.20.128", - "element": "elementrecursion_acl", - "tsig_key": { - "algorithm": "hmac_sha384", - "comment": "commentrecursion_acl", - "key": "keyrecursion_acl", - "name": "namerecursion_acl", - "protocol": { - "name": "protocolnamerecursion_acl" - }, - "secret": "secretrecursion_acl" - } - } - ] - }, - "recursion_enabled": { - "action": "inherit", - "display": { - "name": "displaynamerecursion_enabled" - }, - "source": "sourcerecursion_enabled", - "value": true - }, - "synthesize": { - "address_records_from_https": { - "action": "inherit", - "display": { - "name": "displaynamesynthesize_address_records_from_https" - }, - "name": "sourcesynthesize_address_records_from_https", - "value": true - } - }, - "transfer_acl": { - "action": "inherit", - "display": { - "name": "displaynametransfer_acl" - }, - "source": "sourcetransfer_acl", - "value": [ - { - 
"access": "allow", - "acl": "acltransfer_acl", - "address": "216.160.83.56", - "element": "elementtransfer_acl", - "tsig_key": { - "algorithm": "hmac_sha224", - "comment": "commenttransfer_acl", - "key": "keytransfer_acl", - "name": "nametransfer_acl", - "protocol": { - "name": "protocolnametransfer_acl" - }, - "secret": "secrettransfer_acl" - } - } - ] - }, - "update_acl": { - "action": "override", - "display": { - "name": "displaynameupdate_acl" - }, - "source": "sourceupdate_acl", - "value": [ - { - "access": "allow", - "acl": "aclupdate_acl", - "address": "216.160.83.56", - "element": "elementupdate_acl", - "tsig_key": { - "algorithm": "hmac_sha384", - "comment": "commentupdate_acl", - "key": "keyupdate_acl", - "name": "nameupdate_acl", - "protocol": { - "name": "protocolnameupdate_acl" - }, - "secret": "secretupdate_acl" - } - } - ] - }, - "use_forwarders_for_subzones": { - "action": "override", - "display": { - "name": "displaynameuse_forwarders_for_subzones" - }, - "source": "sourceuse_forwarders_for_subzones", - "value": false - }, - "zone_authority": { - "default_ttl": { - "action": "override", - "display": { - "name": "displaynamezone_authority" - }, - "source": "sourcezone_authority", - "value": 50 - }, - "expire": { - "action": "inherit", - "display": { - "name": "displaynameexpire" - }, - "source": "sourceexpire", - "value": 70 - }, - "mname_block": { - "action": "inherit", - "display": { - "name": "displaynamemname_block" - }, - "source": "sourcemname_block", - "value": { - "isdefault": true, - "protocol": { - "mname": "protocolmnamemname_block" - } - } - }, - "mname_block_value": "mnamevaluemname_block", - "negative_ttl": { - "action": "inherit", - "display": { - "name": "displaynamenegative_ttl" - }, - "source": "sourcenegative_ttl", - "value": 90 - }, - "protocol_rname": { - "action": "inherit", - "display": { - "name": "displaynameprotocol_rname" - }, - "source": "sourceprotocol_rname", - "value": "valueprotocol_rname" - }, - "refresh": { - 
"action": "inherit", - "display": { - "name": "displayname_refresh" - }, - "source": "source_refresh", - "value": 40 - }, - "retry": { - "action": "inherit", - "display": { - "name": "displayname_retry" - }, - "source": "source_retry", - "value": 570 - }, - "rname": { - "action": "inherit", - "display": { - "name": "displayname_rname" - }, - "source": "source_rname", - "value": "value_rname" - } - } - } - }, - "ip_spaces": [ - "testipspaces" - ], - "lame_ttl": 350, - "match_clients_acl": [ - { - "access": "deny", - "address": "81.2.69.192", - "element": "elementmatch_clients_acl", - "tsig_key": { - "algorithm": "hmac_sha512", - "comment": "commentmatch_clients_acl", - "key": "keymatch_clients_acl", - "name": "namematch_clients_acl", - "protocol": { - "name": "protocolnamematch_clients_acl" - }, - "secret": "secretmatch_clients_acl" - }, - "value": "aclmatch_clients_acl" - } - ], - "match_destinations_acl": [ - { - "access": "allow", - "address": "81.2.69.192", - "element": "elementmatch_destinations_acl", - "tsig_key": { - "algorithm": "hmac_sha384", - "comment": "commentmatch_destinations_acl", - "key": "keymatch_destinations_acl", - "name": "namematch_destinations_acl", - "protocol": { - "name": "protocolnamematch_destinations_acl" - }, - "secret": "secretmatch_destinations_acl" - }, - "value": "aclmatch_destinations_acl" - } - ], - "match_recursive_only": true, - "max_cache_ttl": 90, - "max_negative_ttl": 500, - "max_udp_size": 890, - "minimal_responses": true, - "name": "string", - "notify": true, - "query_acl": [ - { - "access": "accessquery_acl", - "address": "81.2.69.192", - "element": "elementquery_acl", - "tsig_key": { - "algorithm": "hmac_sha224", - "comment": "commentquery_acl", - "key": "keyquery_acl", - "name": "namequery_acl", - "protocol": { - "name": "protocolnamequery_acl" - }, - "secret": "secretquery_acl" - }, - "value": "aclquery_acl" - } - ], - "recursion_acl": [ - { - "access": "allow", - "address": "81.2.69.192", - "element": 
"elementrecursion_acl", - "tsig_key": { - "algorithm": "hmac_sha1", - "comment": "commentrecursion_acl", - "key": "keyrecursion_acl", - "name": "namerecursion_acl", - "protocol": { - "name": "protocolnamerecursion_acl" - }, - "secret": "secretrecursion_acl" - }, - "value": "aclrecursion_acl" - } - ], - "recursion_enabled": true, - "synthesize": { - "address_records_from_https": false - }, - "tags": { - "message": "Hello" - }, - "transfer_acl": [ - { - "access": "allow", - "address": "216.160.83.56", - "element": "elementtransfer_acl", - "tsig_key": { - "algorithm": "hmac_sha224", - "comment": "commenttransfer_acl", - "key": "keytransfer_acl", - "name": "nametransfer_acl", - "protocol": { - "name": "protocolnametransfer_acl" - }, - "secret": "secrettransfer_acl" - }, - "value": "acltransfer_acl" - } - ], - "update_acl": [ - { - "access": "allow", - "address": "216.160.83.56", - "element": "elementupdate_acl", - "tsig_key": { - "algorithm": "hmac_sha1", - "comment": "commentupdate_acl", - "key": "keyupdate_acl", - "name": "nameupdate_acl", - "protocol": { - "name": "protocolnameupdate_acl" - }, - "secret": "secretupdate_acl" - }, - "value": "aclupdate_acl" - } - ], - "updated_at": "2022-07-15T06:55:25.978Z", - "use_forwarders_for_subzones": true, - "zone_authority": { - "default_ttl": 20, - "expire": 10, - "mname": "mnamezone_authority", - "negative_ttl": 30, - "protocol": { - "mname": "protocolmnamezone_authority", - "rname": "protocolrnamezone_authority" - }, - "refresh": 50, - "retry": 100, - "rname": "string", - "use_default_mname": true - } - } - }, - "input": { - "type": "httpjson" - }, - "related": { - "hash": [ - "hmac_sha256", - "hmac_sha384", - "hmac_sha224", - "hmac_sha512", - "hmac_sha1" - ], - "ip": [ - "81.2.69.192", - "67.43.156.0", - "89.160.20.128", - "216.160.83.56" - ] - }, - "tags": [ - "preserve_original_event", - "preserve_duplicate_custom_fields", - "forwarded", - "infoblox_bloxone_ddi_dns_config" - ] -} \ No newline at end of file 
diff --git a/packages/infoblox_bloxone_ddi/0.1.0/data_stream/dns_data/agent/stream/httpjson.yml.hbs b/packages/infoblox_bloxone_ddi/0.1.0/data_stream/dns_data/agent/stream/httpjson.yml.hbs
deleted file mode 100755
index 1e7a1351da..0000000000
--- a/packages/infoblox_bloxone_ddi/0.1.0/data_stream/dns_data/agent/stream/httpjson.yml.hbs
+++ /dev/null
@@ -1,54 +0,0 @@
-config_version: 2
-interval: {{interval}}
-{{#if proxy_url }}
-request.proxy_url: {{proxy_url}}
-{{/if}}
-{{#if ssl}}
-request.ssl: {{ssl}}
-{{/if}}
-request.method: GET
-request.url: {{url}}/api/ddi/v1/dns/record
-request.transforms:
- - set:
- target: header.Authorization
- value: 'Token {{api_key}}'
- - set:
- target: url.params._offset
- value: 0
- - set:
- target: url.params._limit
- value: 100
- - set:
- target: url.params._order_by
- value: 'updated_at asc'
- - set:
- target: url.params._filter
- value: 'updated_at>="[[(formatDate (parseDate .cursor.last_updated_at) "2006-01-02T15:04:05.999Z")]]"'
- default: 'updated_at>="[[(formatDate (now (parseDuration "-{{initial_interval}}")) "2006-01-02T15:04:05.999Z")]]"'
-response.pagination:
- - set:
- target: url.params._offset
- value: '[[if (eq (len .last_response.body.results) 100)]][[add (toInt (.last_response.url.params.Get "_offset")) 100]][[else]][[.last_response.terminate_pagination]][[end]]'
- fail_on_template_error: true
-cursor:
- last_updated_at:
- value: '[[.last_event.updated_at]]'
-response.split:
- target: body.results
-tags:
-{{#if preserve_original_event}}
- - preserve_original_event
-{{/if}}
-{{#if preserve_duplicate_custom_fields}}
- - preserve_duplicate_custom_fields
-{{/if}}
-{{#each tags as |tag|}}
- - {{tag}}
-{{/each}}
-{{#contains "forwarded" tags}}
-publisher_pipeline.disable_host: true
-{{/contains}}
-{{#if processors}}
-processors:
-{{processors}}
-{{/if}}
diff --git a/packages/infoblox_bloxone_ddi/0.1.0/data_stream/dns_data/elasticsearch/ingest_pipeline/default.yml b/packages/infoblox_bloxone_ddi/0.1.0/data_stream/dns_data/elasticsearch/ingest_pipeline/default.yml
deleted file mode 100755
index 63d1e8b369..0000000000
--- a/packages/infoblox_bloxone_ddi/0.1.0/data_stream/dns_data/elasticsearch/ingest_pipeline/default.yml
+++ /dev/null
@@ -1,433 +0,0 @@ ---- -description: Pipeline for parsing DNS data logs. -processors: - - set: - field: ecs.version - value: '8.4.0' - - set: - field: event.kind - value: event - - set: - field: event.category - value: [network] - - set: - field: event.type - value: [protocol] - - rename: - field: message - target_field: event.original - ignore_missing: true - - json: - field: event.original - target_field: json - - fingerprint: - fields: - - json.created_at - - json.updated_at - - json.id - target_field: _id - ignore_missing: true - - rename: - field: json.absolute_name_spec - target_field: infoblox_bloxone_ddi.dns_data.absolute_name.spec - ignore_missing: true - - rename: - field: json.absolute_zone_name - target_field: infoblox_bloxone_ddi.dns_data.absolute_zone.name - ignore_missing: true - - rename: - field: json.comment - target_field: infoblox_bloxone_ddi.dns_data.comment - ignore_missing: true - - date: - field: json.created_at - target_field: infoblox_bloxone_ddi.dns_data.created_at - if: ctx.json?.created_at != null && ctx.json.created_at != '' - formats: - - ISO8601 - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - set: - field: event.created - copy_from: infoblox_bloxone_ddi.dns_data.created_at - ignore_failure: true - - rename: - field: json.delegation - target_field: infoblox_bloxone_ddi.dns_data.delegation - ignore_missing: true - - convert: - field: json.disabled - target_field: infoblox_bloxone_ddi.dns_data.disabled - if: ctx.json?.disabled != '' - type: boolean - ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - rename: - field: json.dns_absolute_name_spec - target_field: infoblox_bloxone_ddi.dns_data.absolute.name.spec - ignore_missing: true - - rename: - field: json.dns_absolute_zone_name - target_field: infoblox_bloxone_ddi.dns_data.absolute.zone.name - ignore_missing: true - - rename: - field: json.dns_name_in_zone - target_field: 
infoblox_bloxone_ddi.dns_data.name_in.zone - ignore_missing: true - - rename: - field: json.dns_rdata - target_field: infoblox_bloxone_ddi.dns_data.rdata_value - ignore_missing: true - - rename: - field: json.id - target_field: infoblox_bloxone_ddi.dns_data.id - ignore_missing: true - - set: - field: event.id - copy_from: infoblox_bloxone_ddi.dns_data.id - ignore_failure: true - - rename: - field: json.inheritance_sources.ttl.action - target_field: infoblox_bloxone_ddi.dns_data.inheritance.sources.ttl.action - ignore_missing: true - - rename: - field: json.inheritance_sources.ttl.display_name - target_field: infoblox_bloxone_ddi.dns_data.inheritance.sources.ttl.display.name - ignore_missing: true - - rename: - field: json.inheritance_sources.ttl.source - target_field: infoblox_bloxone_ddi.dns_data.inheritance.sources.ttl.source - ignore_missing: true - - convert: - field: json.inheritance_sources.ttl.value - target_field: infoblox_bloxone_ddi.dns_data.inheritance.sources.ttl.value - if: ctx.json?.inheritance_sources?.ttl?.value != '' - type: long - ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - rename: - field: json.name_in_zone - target_field: infoblox_bloxone_ddi.dns_data.name_in_zone - ignore_missing: true - - convert: - field: json.options.create_ptr - target_field: infoblox_bloxone_ddi.dns_data.options.create_ptr - if: ctx.json?.options?.create_ptr != '' - type: boolean - ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - convert: - field: json.options.check_rmz - target_field: infoblox_bloxone_ddi.dns_data.options.check_rmz - if: ctx.json?.options?.check_rmz != '' - type: boolean - ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - convert: - field: json.options.address - target_field: infoblox_bloxone_ddi.dns_data.options.address - if: 
ctx.json?.options?.address != '' - type: ip - ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - append: - field: related.ip - value: '{{{infoblox_bloxone_ddi.dns_data.options.address}}}' - allow_duplicates: false - ignore_failure: true - - rename: - field: json.provider_metadata - target_field: infoblox_bloxone_ddi.dns_data.provider_metadata - ignore_missing: true - - convert: - field: json.rdata.address - target_field: infoblox_bloxone_ddi.dns_data.rdata.address - if: ctx.json?.rdata?.address != '' - type: ip - ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - append: - field: related.ip - value: '{{{infoblox_bloxone_ddi.dns_data.rdata.address}}}' - allow_duplicates: false - ignore_failure: true - - rename: - field: json.rdata.flags - target_field: infoblox_bloxone_ddi.dns_data.rdata.flags - ignore_missing: true - - rename: - field: json.rdata.tag - target_field: infoblox_bloxone_ddi.dns_data.rdata.tag - ignore_missing: true - - rename: - field: json.rdata.value - target_field: infoblox_bloxone_ddi.dns_data.rdata.value - ignore_missing: true - - rename: - field: json.rdata.cname - target_field: infoblox_bloxone_ddi.dns_data.rdata.cname - ignore_missing: true - - rename: - field: json.rdata.target - target_field: infoblox_bloxone_ddi.dns_data.rdata.target - ignore_missing: true - - rename: - field: json.rdata.dhcid - target_field: infoblox_bloxone_ddi.dns_data.rdata.dhcid - ignore_missing: true - - rename: - field: json.rdata.exchange - target_field: infoblox_bloxone_ddi.dns_data.rdata.exchange - ignore_missing: true - - convert: - field: json.rdata.preference - target_field: infoblox_bloxone_ddi.dns_data.rdata.preference - if: ctx.json?.rdata?.preference != '' - type: long - ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - convert: - field: json.rdata.order - 
target_field: infoblox_bloxone_ddi.dns_data.rdata.order - if: ctx.json?.rdata?.order != '' - type: long - ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - rename: - field: json.rdata.regexp - target_field: infoblox_bloxone_ddi.dns_data.rdata.regexp - ignore_missing: true - - rename: - field: json.rdata.replacement - target_field: infoblox_bloxone_ddi.dns_data.rdata.replacement - ignore_missing: true - - rename: - field: json.rdata.services - target_field: infoblox_bloxone_ddi.dns_data.rdata.services - ignore_missing: true - - rename: - field: json.rdata.dname - target_field: infoblox_bloxone_ddi.dns_data.rdata.dname - ignore_missing: true - - convert: - field: json.rdata.expire - target_field: infoblox_bloxone_ddi.dns_data.rdata.expire - if: ctx.json?.rdata?.expire != '' - type: long - ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - rename: - field: json.rdata.mname - target_field: infoblox_bloxone_ddi.dns_data.rdata.mname - ignore_missing: true - - convert: - field: json.rdata.negative_ttl - target_field: infoblox_bloxone_ddi.dns_data.rdata.negative_ttl - if: ctx.json?.rdata?.negative_ttl != '' - type: long - ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - convert: - field: json.rdata.refresh - target_field: infoblox_bloxone_ddi.dns_data.rdata.refresh - if: ctx.json?.rdata?.refresh != '' - type: long - ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - convert: - field: json.rdata.retry - target_field: infoblox_bloxone_ddi.dns_data.rdata.retry - if: ctx.json?.rdata?.retry != '' - type: long - ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - rename: - field: json.rdata.rname - target_field: 
infoblox_bloxone_ddi.dns_data.rdata.rname - ignore_missing: true - - convert: - field: json.rdata.serial - target_field: infoblox_bloxone_ddi.dns_data.rdata.serial - if: ctx.json?.rdata?.serial != '' - type: long - ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - convert: - field: json.rdata.port - target_field: infoblox_bloxone_ddi.dns_data.rdata.port - if: ctx.json?.rdata?.port != '' - type: long - ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - convert: - field: json.rdata.priority - target_field: infoblox_bloxone_ddi.dns_data.rdata.priority - if: ctx.json?.rdata?.priority != '' - type: long - ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - convert: - field: json.rdata.weight - target_field: infoblox_bloxone_ddi.dns_data.rdata.weight - if: ctx.json?.rdata?.weight != '' - type: long - ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - rename: - field: json.rdata.text - target_field: infoblox_bloxone_ddi.dns_data.rdata.text - ignore_missing: true - - rename: - field: json.rdata.type - target_field: infoblox_bloxone_ddi.dns_data.rdata.type - ignore_missing: true - - convert: - field: json.rdata.length_kind - target_field: infoblox_bloxone_ddi.dns_data.rdata.length_kind - if: ctx.json?.rdata?.length_kind != '' - type: long - ignore_missing: true - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - rename: - field: json.tags - target_field: infoblox_bloxone_ddi.dns_data.tags - ignore_missing: true - - rename: - field: json.source - target_field: infoblox_bloxone_ddi.dns_data.source - ignore_missing: true - - convert: - field: json.ttl - target_field: infoblox_bloxone_ddi.dns_data.ttl - if: ctx.json?.ttl != '' - type: long - ignore_missing: true - 
on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - set: - field: dns.answers.ttl - copy_from: infoblox_bloxone_ddi.dns_data.ttl - ignore_failure: true - - rename: - field: json.type - target_field: infoblox_bloxone_ddi.dns_data.type - ignore_missing: true - - date: - field: json.updated_at - target_field: infoblox_bloxone_ddi.dns_data.updated_at - if: ctx.json?.updated_at != null && ctx.json.updated_at != '' - formats: - - ISO8601 - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - set: - field: '@timestamp' - copy_from: infoblox_bloxone_ddi.dns_data.updated_at - ignore_failure: true - - rename: - field: json.view - target_field: infoblox_bloxone_ddi.dns_data.view - ignore_missing: true - - rename: - field: json.view_name - target_field: infoblox_bloxone_ddi.dns_data.view_name - ignore_missing: true - - rename: - field: json.zone - target_field: infoblox_bloxone_ddi.dns_data.zone - ignore_missing: true - - remove: - field: json - ignore_missing: true - - remove: - field: - - infoblox_bloxone_ddi.dns_data.updated_at - - infoblox_bloxone_ddi.dns_data.lame_ttl - - infoblox_bloxone_ddi.dns_data.created_at - - infoblox_bloxone_ddi.dns_data.id - if: ctx.tags == null || !(ctx.tags.contains('preserve_duplicate_custom_fields')) - ignore_failure: true - ignore_missing: true - - remove: - field: event.original - if: ctx.tags == null || !(ctx.tags.contains('preserve_original_event')) - ignore_failure: true - ignore_missing: true - - script: - description: Drops null/empty values recursively. 
- lang: painless - source: - boolean dropEmptyFields(Object object) { - if (object == null || object == "") { - return true; - } else if (object instanceof Map) { - ((Map) object).values().removeIf(value -> dropEmptyFields(value)); - return (((Map) object).size() == 0); - } else if (object instanceof List) { - ((List) object).removeIf(value -> dropEmptyFields(value)); - return (((List) object).length == 0); - } - return false; - } - dropEmptyFields(ctx); -on_failure: - - append: - field: error.message - value: '{{ _ingest.on_failure_message }}'
diff --git a/packages/infoblox_bloxone_ddi/0.1.0/data_stream/dns_data/fields/agent.yml b/packages/infoblox_bloxone_ddi/0.1.0/data_stream/dns_data/fields/agent.yml
deleted file mode 100755
index 6e1bac042b..0000000000
--- a/packages/infoblox_bloxone_ddi/0.1.0/data_stream/dns_data/fields/agent.yml
+++ /dev/null
@@ -1,186 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - -- name: input.type - type: keyword - description: Input type -- name: log.offset - type: long - description: Log offset 
diff --git a/packages/infoblox_bloxone_ddi/0.1.0/data_stream/dns_data/fields/base-fields.yml b/packages/infoblox_bloxone_ddi/0.1.0/data_stream/dns_data/fields/base-fields.yml
deleted file mode 100755
index e0810a683a..0000000000
--- a/packages/infoblox_bloxone_ddi/0.1.0/data_stream/dns_data/fields/base-fields.yml
+++ /dev/null
@@ -1,20 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: '@timestamp'
- type: date
- description: Event timestamp.
-- name: event.module
- type: constant_keyword
- description: Event module.
- value: infoblox_bloxone_ddi
-- name: event.dataset
- type: constant_keyword
- description: Event dataset.
- value: infoblox_bloxone_ddi.dns_data
diff --git a/packages/infoblox_bloxone_ddi/0.1.0/data_stream/dns_data/fields/ecs.yml b/packages/infoblox_bloxone_ddi/0.1.0/data_stream/dns_data/fields/ecs.yml
deleted file mode 100755
index 0198616504..0000000000
--- a/packages/infoblox_bloxone_ddi/0.1.0/data_stream/dns_data/fields/ecs.yml
+++ /dev/null
@@ -1,62 +0,0 @@ -- description: The time interval in seconds that this resource record may be cached before it should be discarded. Zero values mean that the data should not be cached. - name: dns.answers.ttl - type: long -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. This will allow proper categorization of some events that fall in multiple categories. - name: event.category - normalize: - - array - type: keyword -- description: |- - event.created contains the date/time when the event was first read by an agent, or by your pipeline. - This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. - In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. - In case the two timestamps are identical, @timestamp should be used. - name: event.created - type: date -- description: Unique ID to describe the event. - name: event.id - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. 
- `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: |- - Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. - This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. - doc_values: false - index: false - name: event.original - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. - `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. This will allow proper categorization of some events that fall in multiple event types. - name: event.type - normalize: - - array - type: keyword -- description: All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. - name: related.hosts - normalize: - - array - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - normalize: - - array - type: ip -- description: List of keywords used to tag each event. - name: tags - normalize: - - array - type: keyword 
diff --git a/packages/infoblox_bloxone_ddi/0.1.0/data_stream/dns_data/fields/fields.yml b/packages/infoblox_bloxone_ddi/0.1.0/data_stream/dns_data/fields/fields.yml
deleted file mode 100755
index 357c431732..0000000000
--- a/packages/infoblox_bloxone_ddi/0.1.0/data_stream/dns_data/fields/fields.yml
+++ /dev/null
@@ -1,204 +0,0 @@
-- name: infoblox_bloxone_ddi.dns_data
- type: group
- fields:
- - name: absolute_name
- type: group
- fields:
- - name: spec
- type: keyword
- description: Synthetic field, used to determine zone and/or name_in_zone field for records.
- - name: absolute_zone
- type: group
- fields:
- - name: name
- type: keyword
- description: The absolute domain name of the zone where this record belongs.
- - name: absolute
- type: group
- fields:
- - name: name
- type: group
- fields:
- - name: spec
- type: keyword
- description: The DNS protocol textual representation of absolute_name_spec.
- - name: zone
- type: group
- fields:
- - name: name
- type: keyword
- description: The DNS protocol textual representation of the absolute domain name of the zone where this record belongs.
- - name: comment
- type: keyword
- description: The description for the DNS resource record. May contain 0 to 1024 characters. Can include UTF-8.
- - name: created_at
- type: date
- description: The timestamp when the object has been created.
- - name: delegation
- type: keyword
- description: The resource identifier.
- - name: disabled
- type: boolean
- description: Indicates if the DNS resource record is disabled. A disabled object is effectively non-existent when generating configuration.
- - name: id
- type: keyword
- description: The resource identifier.
- - name: inheritance
- type: group
- fields:
- - name: sources
- type: group
- fields:
- - name: ttl
- type: group
- fields:
- - name: action
- type: keyword
- description: The inheritance setting for a field.
- - name: display
- type: group
- fields:
- - name: name
- type: keyword
- description: The human-readable display name for the object referred to by source.
- - name: source
- type: keyword
- description: The resource identifier.
- - name: value
- type: long
- description: The inherited value.
- - name: name_in_zone
- type: keyword
- description: The relative owner name to the zone origin. 
Must be specified for creating the DNS resource record and is read only for other operations.
- - name: name_in
- type: group
- fields:
- - name: zone
- type: keyword
- description: The DNS protocol textual representation of the relative owner name for the DNS zone.
- - name: options
- type: group
- fields:
- - name: address
- type: ip
- description: For GET operation it contains the IPv4 or IPv6 address represented by the PTR record and for POST and PATCH operations it can be used to create/update a PTR record based on the IP address it represents. In this case, in addition to the address in the options field, need to specify the view field.
- - name: check_rmz
- type: boolean
- description: A boolean flag which can be set to true for POST operation to check the existence of reverse zone for creating the corresponding PTR record. Only applicable if the create_ptr option is set to true.
- - name: create_ptr
- type: boolean
- description: A boolean flag which can be set to true for POST operation to automatically create the corresponding PTR record.
- - name: provider_metadata
- type: flattened
- description: external DNS provider metadata.
- - name: rdata_value
- type: keyword
- description: The DNS protocol textual representation of the DNS resource record data.
- - name: rdata
- type: group
- fields:
- - name: address
- type: ip
- description: The IPv4/IPv6 address of the host.
- - name: cname
- type: keyword
- description: A domain name which specifies the canonical or primary name for the owner. The owner name is an alias. Can be empty.
- - name: dhcid
- type: keyword
- description: The Base64 encoded string which contains DHCP client information.
- - name: dname
- type: keyword
- description: A domain-name which specifies a host which should be authoritative for the specified class and domain. Can be absolute or relative domain name and include UTF-8. 
- - name: exchange
- type: keyword
- description: A domain name which specifies a host willing to act as a mail exchange for the owner name.
- - name: expire
- type: long
- description: The time interval in seconds after which zone data will expire and secondary server stops answering requests for the zone.
- - name: flags
- type: keyword
- description: An unsigned 8-bit integer which specifies the CAA record flags. RFC 6844 defines one (highest) bit in flag octet, remaining bits are deferred for future use. This bit is referenced as Critical. When the bit is set (flag value == 128), issuers must not issue certificates in case CAA records contain unknown property tags.
- - name: length_kind
- type: long
- description: A string indicating the size in bits of a sub-subfield that is prepended to the value and encodes the length of the value.
- - name: mname
- type: keyword
- description: The domain name for the master server for the zone. Can be absolute or relative domain name.
- - name: negative_ttl
- type: long
- description: The time interval in seconds for which name servers can cache negative responses for zone.
- - name: order
- type: long
- description: A 16-bit unsigned integer specifying the order in which the NAPTR records must be processed. Low numbers are processed before high numbers, and once a NAPTR is found whose rule “matches” the target, the client must not consider any NAPTRs with a higher value for order (except as noted below for the “flags” field. The range of the value is 0 to 65535.
- - name: port
- type: long
- description: An unsigned 16-bit integer which specifies the port on this target host of this service. The range of the value is 0 to 65535. This is often as specified in Assigned Numbers but need not be.
- - name: preference
- type: long
- description: An unsigned 16-bit integer which specifies the preference given to this RR among others at the same owner. Lower values are preferred. The range of the value is 0 to 65535. 
- - name: priority
- type: long
- description: An unsigned 16-bit integer which specifies the priority of this target host. The range of the value is 0 to 65535. A client must attempt to contact the target host with the lowest-numbered priority it can reach. Target hosts with the same priority should be tried in an order defined by the weight field.
- - name: refresh
- type: long
- description: The time interval in seconds that specifies how often secondary servers need to send a message to the primary server for a zone to check that their data is current, and retrieve fresh data if it is not.
- - name: regexp
- type: keyword
- description: A string containing a substitution expression that is applied to the original string held by the client in order to construct the next domain name to lookup.
- - name: replacement
- type: keyword
- description: The next name to query for NAPTR, SRV, or address records depending on the value of the flags field. This can be an absolute or relative domain name. Can be empty.
- - name: retry
- type: long
- description: The time interval in seconds for which the secondary server will wait before attempting to recontact the primary server after a connection failure occurs.
- - name: rname
- type: keyword
- description: The domain name which specifies the mailbox of the person responsible for this zone.
- - name: serial
- type: long
- description: An unsigned 32-bit integer that specifies the serial number of the zone. Used to indicate that zone data was updated, so the secondary name server can initiate zone transfer. The range of the value is 0 to 4294967295.
- - name: services
- type: keyword
- description: Specifies the service(s) available down this rewrite path. It may also specify the particular protocol that is used to talk with a service. A protocol must be specified if the flags field states that the NAPTR is terminal. 
If a protocol is specified, but the flags field does not state that the NAPTR is terminal, the next lookup must be for a NAPTR. The client may choose not to perform the next lookup if the protocol is unknown, but that behavior must not be relied upon.
- - name: tag
- type: keyword
- description: The CAA record property tag string which indicates the type of CAA record.
- - name: target
- type: keyword
- description: The target domain name to which the zone will be mapped. Can be empty.
- - name: text
- type: keyword
- description: The semantics of the text depends on the domain where it is found.
- - name: type
- type: keyword
- description: Type of TXT (Text) record.
- - name: value
- type: keyword
- description: A string which contains the CAA record property value.
- - name: weight
- type: long
- description: An unsigned 16-bit integer which specifies a relative weight for entries with the same priority. The range of the value is 0 to 65535. Larger weights should be given a proportionately higher probability of being selected. Domain administrators should use weight 0 when there isn’t any server selection to do, to make the RR easier to read for humans (less noisy). In the presence of records containing weights greater than 0, records with weight 0 should have a very small chance of being selected.
- - name: source
- type: keyword
- description: The DNS resource record type-specific non-protocol source. The source is a combination of indicators, each tracking how the DNS resource record appeared in system.
- - name: tags
- type: flattened
- description: The tags for the DNS resource record in JSON format.
- - name: ttl
- type: long
- description: The record time to live value in seconds. The range of this value is 0 to 2147483647. Defaults to TTL value from the SOA record of the zone. 
- - name: type
- type: keyword
- description: The DNS resource record type specified in the textual mnemonic format or in the “TYPEnnn” format where “nnn” indicates the numeric type value.
- - name: updated_at
- type: date
- description: The timestamp when the object has been updated. Equals to created_at if not updated after creation.
- - name: view
- type: keyword
- description: The resource identifier.
- - name: view_name
- type: keyword
- description: The display name of the DNS view that contains the parent zone of the DNS resource record.
- - name: zone
- type: keyword
- description: The resource identifier.
diff --git a/packages/infoblox_bloxone_ddi/0.1.0/data_stream/dns_data/manifest.yml b/packages/infoblox_bloxone_ddi/0.1.0/data_stream/dns_data/manifest.yml
deleted file mode 100755
index 49b5d9f6a1..0000000000
--- a/packages/infoblox_bloxone_ddi/0.1.0/data_stream/dns_data/manifest.yml
+++ /dev/null
@@ -1,57 +0,0 @@ -title: Collect DNS Data logs from Infoblox BloxOne DDI -type: logs -streams: - - input: httpjson - title: DNS Data logs - description: Collect DNS Data logs from Infoblox BloxOne DDI. - template_path: httpjson.yml.hbs - vars: - - name: initial_interval - type: text - title: Initial Interval - description: How far back to pull the DHCP Lease events from Infoblox BloxOne DDI. NOTE:- Supported units for this parameter are h/m/s. - multi: false - required: true - show_user: true - default: 24h - - name: interval - type: text - title: Interval - description: Duration between requests to the BloxOne DDI API. NOTE:- Supported units for this parameter are h/m/s. - multi: false - required: true - show_user: true - default: 1m - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: false - default: - - forwarded - - bloxone_ddi_dns_data - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original`. - type: bool - multi: false - default: false - - name: preserve_duplicate_custom_fields - required: true - show_user: true - title: Preserve duplicate custom fields - description: Preserve custom fields for all ECS mappings. - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: >- - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. diff --git a/packages/infoblox_bloxone_ddi/0.1.0/data_stream/dns_data/sample_event.json b/packages/infoblox_bloxone_ddi/0.1.0/data_stream/dns_data/sample_event.json deleted file mode 100755 index 9c800807b8..0000000000 
--- a/packages/infoblox_bloxone_ddi/0.1.0/data_stream/dns_data/sample_event.json
+++ /dev/null
@@ -1,145 +0,0 @@
-{
- "@timestamp": "2022-07-20T09:59:59.184Z",
- "agent": {
- "ephemeral_id": "eb4c7711-a048-4458-a48c-5d2045f2d6b1",
- "hostname": "docker-fleet-agent",
- "id": "40a09f39-a5b9-4b21-8605-6f6e9cd36138",
- "name": "docker-fleet-agent",
- "type": "filebeat",
- "version": "7.17.0"
- },
- "data_stream": {
- "dataset": "infoblox_bloxone_ddi.dns_data",
- "namespace": "ep",
- "type": "logs"
- },
- "dns": {
- "answers": {
- "ttl": 0
- }
- },
- "ecs": {
- "version": "8.4.0"
- },
- "elastic_agent": {
- "id": "40a09f39-a5b9-4b21-8605-6f6e9cd36138",
- "snapshot": false,
- "version": "7.17.0"
- },
- "event": {
- "agent_id_status": "verified",
- "category": [
- "network"
- ],
- "created": "2022-07-20T09:59:59.184Z",
- "dataset": "infoblox_bloxone_ddi.dns_data",
- "id": "ghr123ghf",
- "ingested": "2022-09-22T08:29:03Z",
- "kind": "event",
- "original": "{\"absolute_name_spec\":\"DNS Data Absolute Name\",\"absolute_zone_name\":\"DNS Data Absolute Zone Name\",\"comment\":\"DNS Data Comment\",\"created_at\":\"2022-07-20T09:59:59.184Z\",\"delegation\":\"DNS Data Delegation\",\"disabled\":true,\"dns_absolute_name_spec\":\"DNS Absolute Name\",\"dns_absolute_zone_name\":\"DNS Absolute Zone Name\",\"dns_name_in_zone\":\"DNS Name in Zone\",\"dns_rdata\":\"DNS RData\",\"id\":\"ghr123ghf\",\"inheritance_sources\":{\"ttl\":{\"action\":\"DNS Data Action\",\"display_name\":\"DNS Display Name\",\"source\":\"DNS Data Source\",\"value\":10}},\"name_in_zone\":\"DNS Data Name in zone\",\"options\":{\"address\":\"67.43.156.0\",\"check_rmz\":true,\"create_ptr\":false},\"rdata\":{\"address\":\"81.2.69.192\",\"cname\":\"DNS Data Canonical Name\",\"dhcid\":\"122zbczba12\",\"dname\":\"DNS Data dname\",\"exchange\":\"DNS Data Exchange\",\"expire\":23131,\"flags\":\"DNS Data Flags\",\"length_kind\":8,\"mname\":\"DNS Data mname\",\"negative_ttl\":213342,\"order\":123124,\"port\":80,\"preference\":12345363467,\"priority\":44,\"refresh\":10800,\"regexp\":\"none\",\"replacement\":\"DNS Data 
Replacement\",\"retry\":3600,\"rname\":\"DNS Data rname\",\"serial\":12314114,\"services\":\"DNS Data Test Services\",\"tag\":\"issue\",\"target\":\"DNS Data Target\",\"text\":\"DNS Data text field\",\"type\":\"32BIT\",\"value\":\"DNS Data Value\",\"weight\":0},\"source\":[\"STATIC\"],\"tags\":{\"message\":\"Hello\"},\"ttl\":0,\"type\":\"DNS Data Type\",\"updated_at\":\"2022-07-20T09:59:59.184Z\",\"view\":\"DNS Data View\",\"view_name\":\"DNS Data View Name\",\"zone\":\"DNS Data Zone\"}",
- "type": [
- "protocol"
- ]
- },
- "infoblox_bloxone_ddi": {
- "dns_data": {
- "absolute": {
- "name": {
- "spec": "DNS Absolute Name"
- },
- "zone": {
- "name": "DNS Absolute Zone Name"
- }
- },
- "absolute_name": {
- "spec": "DNS Data Absolute Name"
- },
- "absolute_zone": {
- "name": "DNS Data Absolute Zone Name"
- },
- "comment": "DNS Data Comment",
- "created_at": "2022-07-20T09:59:59.184Z",
- "delegation": "DNS Data Delegation",
- "disabled": true,
- "id": "ghr123ghf",
- "inheritance": {
- "sources": {
- "ttl": {
- "action": "DNS Data Action",
- "display": {
- "name": "DNS Display Name"
- },
- "source": "DNS Data Source",
- "value": 10
- }
- }
- },
- "name_in": {
- "zone": "DNS Name in Zone"
- },
- "name_in_zone": "DNS Data Name in zone",
- "options": {
- "address": "67.43.156.0",
- "check_rmz": true,
- "create_ptr": false
- },
- "rdata": {
- "address": "81.2.69.192",
- "cname": "DNS Data Canonical Name",
- "dhcid": "122zbczba12",
- "dname": "DNS Data dname",
- "exchange": "DNS Data Exchange",
- "expire": 23131,
- "flags": "DNS Data Flags",
- "length_kind": 8,
- "mname": "DNS Data mname",
- "negative_ttl": 213342,
- "order": 123124,
- "port": 80,
- "preference": 12345363467,
- "priority": 44,
- "refresh": 10800,
- "regexp": "none",
- "replacement": "DNS Data Replacement",
- "retry": 3600,
- "rname": "DNS Data rname",
- "serial": 12314114,
- "services": "DNS Data Test Services",
- "tag": "issue",
- "target": "DNS Data Target",
- "text": "DNS Data text field",
- "type": 
"32BIT",
- "value": "DNS Data Value",
- "weight": 0
- },
- "rdata_value": "DNS RData",
- "source": [
- "STATIC"
- ],
- "tags": {
- "message": "Hello"
- },
- "ttl": 0,
- "type": "DNS Data Type",
- "updated_at": "2022-07-20T09:59:59.184Z",
- "view": "DNS Data View",
- "view_name": "DNS Data View Name",
- "zone": "DNS Data Zone"
- }
- },
- "input": {
- "type": "httpjson"
- },
- "related": {
- "ip": [
- "67.43.156.0",
- "81.2.69.192"
- ]
- },
- "tags": [
- "preserve_original_event",
- "preserve_duplicate_custom_fields",
- "forwarded",
- "bloxone_ddi_dns_data"
- ]
-}
\ No newline at end of file
diff --git a/packages/infoblox_bloxone_ddi/0.1.0/docs/README.md b/packages/infoblox_bloxone_ddi/0.1.0/docs/README.md
deleted file mode 100755
index ae21bac5ce..0000000000
--- a/packages/infoblox_bloxone_ddi/0.1.0/docs/README.md
+++ /dev/null
@@ -1,1522 +0,0 @@ -# Infoblox BloxOne DDI - -## Overview - -The [Infoblox BloxOne DDI](https://www.infoblox.com/products/bloxone-ddi/) integration allows you to monitor DNS, DHCP and IP address management activity. DDI is the foundation of core network services that enables all communications over an IP-based network. - -Use the Infoblox BloxOne DDI integration to collects and parses data from the REST APIs and then visualize that data in Kibana. - -## Data streams - -The Infoblox BloxOne DDI integration collects logs for three types of events: DHCP lease, DNS data and DNS config. - -**DHCP Lease** is a Infoblox BloxOne DDI service that stores information about leases. See more details about its API [here](https://csp.infoblox.com/apidoc?url=https%3A%2F%2Fcsp.infoblox.com%2Fapidoc%2Fdocs%2FDhcpLeases). - -**DNS Config** is a Infoblox BloxOne DDI service that provides cloud-based DNS configuration with on-prem host serving DNS protocol. See more details about its API [here](https://csp.infoblox.com/apidoc?url=https%3A%2F%2Fcsp.infoblox.com%2Fapidoc%2Fdocs%2FDnsConfig). - -**DNS Data** is a Infoblox BloxOne DDI service providing primary authoritative zone support. DNS Data is authoritative for all DNS resource records and is acting as a primary DNS server. See more details about its API [here](https://csp.infoblox.com/apidoc?url=https%3A%2F%2Fcsp.infoblox.com%2Fapidoc%2Fdocs%2FDnsData). - -## Requirements - -You need Elasticsearch for storing and searching your data and Kibana for visualizing and managing it. You can use our hosted Elasticsearch Service on Elastic Cloud, which is recommended, or self-manage the Elastic Stack on your own hardware. - -This module has been tested against `Infoblox BloxOne DDI API (v1)`. - -## Setup - -### To collect data from Infoblox BloxOne DDI APIs, the user must have API Key. To create an API key follow the below steps: - -1. Log on to the Cloud Services Portal. -2. Go to ** -> User Profile**. -3. Go to **User API Keys** page. -4. 
Click **Create** to create a new API key. Specify the following: - - **Name**: Specify the name of the key. - - **Expires at**: Specify the expiry. -5. Click **Save & Close**. The API Access Key Generated dialog is shown. -6. Click **Copy**. - -### Enabling the integration in Elastic - -1. In Kibana go to **Management > Integrations**. -2. In the "Search for integrations" search bar, type **Infoblox BloxOne DDI**. -3. Click on **Infoblox BloxOne DDI** integration from the search results. -4. Click on **Add Infoblox BloxOne DDI** button to add Infoblox BloxOne DDI integration. -5. Enable the Integration to collect logs via API. - -## Logs Reference - -### dhcp_lease - -This is the `dhcp_lease` dataset. - -#### Example - -An example event for `dhcp_lease` looks as following: - -```json -{ - "@timestamp": "2022-07-11T11:51:15.417Z", - "agent": { - "ephemeral_id": "a4b27e2a-c005-43ce-9542-7548dcc7b414", - "hostname": "docker-fleet-agent", - "id": "40a09f39-a5b9-4b21-8605-6f6e9cd36138", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "7.17.0" - }, - "client": { - "user": { - "id": "abc3212abc" - } - }, - "data_stream": { - "dataset": "infoblox_bloxone_ddi.dhcp_lease", - "namespace": "ep", - "type": "logs" - }, - "ecs": { - "version": "8.4.0" - }, - "elastic_agent": { - "id": "40a09f39-a5b9-4b21-8605-6f6e9cd36138", - "snapshot": false, - "version": "7.17.0" - }, - "event": { - "agent_id_status": "verified", - "category": [ - "network" - ], - "created": "2022-09-22T08:27:40.118Z", - "dataset": "infoblox_bloxone_ddi.dhcp_lease", - "end": "2022-07-11T11:51:15.417Z", - "ingested": "2022-09-22T08:27:43Z", - "kind": "event", - "original": 
"{\"address\":\"81.2.69.192\",\"client_id\":\"abc3212abc\",\"ends\":\"2022-07-11T11:51:15.417Z\",\"fingerprint\":\"ab3213cbabab/abc23bca\",\"fingerprint_processed\":\"12abca32bca32abcd\",\"ha_group\":\"abc321cdcbda321\",\"hardware\":\"00:00:5E:00:53:00\",\"host\":\"admin\",\"hostname\":\"Host1\",\"iaid\":0,\"last_updated\":\"2022-07-11T11:51:15.417Z\",\"options\":{\"message\":\"Hello\"},\"preferred_lifetime\":\"2022-07-11T11:51:15.417Z\",\"protocol\":\"ip4\",\"space\":\"DHCP lease Space\",\"starts\":\"2022-07-14T11:51:15.417Z\",\"state\":\"used\",\"type\":\"DHCP lease Type\"}", - "start": "2022-07-14T11:51:15.417Z", - "type": [ - "protocol" - ] - }, - "host": { - "hostname": "Host1", - "name": "admin" - }, - "infoblox_bloxone_ddi": { - "dhcp_lease": { - "address": "81.2.69.192", - "client_id": "abc3212abc", - "ends": "2022-07-11T11:51:15.417Z", - "fingerprint": { - "processed": "12abca32bca32abcd", - "value": "ab3213cbabab/abc23bca" - }, - "ha_group": "abc321cdcbda321", - "hardware": "00-00-5E-00-53-00", - "host": "admin", - "hostname": "Host1", - "iaid": 0, - "last_updated": "2022-07-11T11:51:15.417Z", - "options": { - "message": "Hello" - }, - "preferred_lifetime": "2022-07-11T11:51:15.417Z", - "protocol": "ipv4", - "space": "DHCP lease Space", - "starts": "2022-07-14T11:51:15.417Z", - "state": "used", - "type": "DHCP lease Type" - } - }, - "input": { - "type": "httpjson" - }, - "network": { - "type": "ipv4" - }, - "related": { - "hosts": [ - "admin", - "Host1" - ], - "ip": [ - "81.2.69.192" - ] - }, - "tags": [ - "preserve_original_event", - "preserve_duplicate_custom_fields", - "forwarded", - "infoblox_bloxone_ddi_dhcp_lease" - ] -} -``` - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| client.user.id | Unique identifier of the user. | keyword | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. 
Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. 
| keyword | -| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | -| event.dataset | Event dataset. | constant_keyword | -| event.end | event.end contains the date when the event ended or when the activity was last observed. | date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | -| event.module | Event module. | constant_keyword | -| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. 
| keyword | -| event.start | event.start contains the date when the event started or when the activity was first observed. | date | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. 
| text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| infoblox_bloxone_ddi.dhcp_lease.address | The IP address of the DHCP lease in the format "a.b.c.d". This address will be marked as leased in IPAM while the lease exists. | ip | -| infoblox_bloxone_ddi.dhcp_lease.client_id | The client ID of the DHCP lease. It might be empty. | keyword | -| infoblox_bloxone_ddi.dhcp_lease.ends | The time when the DHCP lease will expire. | date | -| infoblox_bloxone_ddi.dhcp_lease.fingerprint.processed | Indicates if the DHCP lease has been fingerprinted. | keyword | -| infoblox_bloxone_ddi.dhcp_lease.fingerprint.value | The DHCP fingerprint of the lease. | keyword | -| infoblox_bloxone_ddi.dhcp_lease.ha_group | The resource identifier. | keyword | -| infoblox_bloxone_ddi.dhcp_lease.hardware | The hardware address of the DHCP lease. This specifies the MAC address of the network interface on which the lease will be used. It consists of six groups of two hex digits in lower-case separated by colons. For example, "aa:bb:cc:dd:ee:ff". | keyword | -| infoblox_bloxone_ddi.dhcp_lease.host | The resource identifier. | keyword | -| infoblox_bloxone_ddi.dhcp_lease.hostname | The client hostname of the DHCP lease. This specifies the host name that the DHCP client sends to the DHCP server using DHCP option 12. It is a fully qualified domain name, consisting of a series of labels separated by dots. For example, "www.infoblox.com". It might be empty. | keyword | -| infoblox_bloxone_ddi.dhcp_lease.iaid | Identity Association Identifier (IAID) of the lease. Applicable only for DHCPv6. 
| long | -| infoblox_bloxone_ddi.dhcp_lease.last_updated | The time when the DHCP lease was last updated. | date | -| infoblox_bloxone_ddi.dhcp_lease.options | The DHCP options of the lease in JSON format. | flattened | -| infoblox_bloxone_ddi.dhcp_lease.preferred_lifetime | The preferred time when the DHCP lease should expire. Applicable only for DHCPv6. | date | -| infoblox_bloxone_ddi.dhcp_lease.protocol | Lease protocol type. | keyword | -| infoblox_bloxone_ddi.dhcp_lease.space | The resource identifier. | keyword | -| infoblox_bloxone_ddi.dhcp_lease.starts | The time when the DHCP lease was issued. | date | -| infoblox_bloxone_ddi.dhcp_lease.state | The state of the DHCP lease. | keyword | -| infoblox_bloxone_ddi.dhcp_lease.type | Lease type. | keyword | -| input.type | Input type | keyword | -| log.offset | Log offset | long | -| network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword | -| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| tags | List of keywords used to tag each event. | keyword | - - -### dns_config - -This is the `dns_config` dataset. 
- -#### Example - -An example event for `dns_config` looks as following: - -```json -{ - "@timestamp": "2022-07-15T06:55:25.978Z", - "agent": { - "ephemeral_id": "72747b3e-5f2e-4261-a994-aff0ac9b5be1", - "hostname": "docker-fleet-agent", - "id": "40a09f39-a5b9-4b21-8605-6f6e9cd36138", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "7.17.0" - }, - "data_stream": { - "dataset": "infoblox_bloxone_ddi.dns_config", - "namespace": "ep", - "type": "logs" - }, - "dns": { - "answers": { - "ttl": 350 - } - }, - "ecs": { - "version": "8.4.0" - }, - "elastic_agent": { - "id": "40a09f39-a5b9-4b21-8605-6f6e9cd36138", - "snapshot": false, - "version": "7.17.0" - }, - "event": { - "agent_id_status": "verified", - "category": [ - "network" - ], - "created": "2022-07-15T06:55:25.978Z", - "dataset": "infoblox_bloxone_ddi.dns_config", - "id": "adv12rgfh", - "ingested": "2022-09-22T08:28:25Z", - "kind": "event", - "original": "{\"add_edns_option_in_outgoing_query\":true,\"comment\":\"DNS Config Comment\",\"created_at\":\"2022-07-15T06:55:25.978Z\",\"custom_root_ns\":[{\"address\":\"81.2.69.192\",\"fqdn\":\"custom fqdn\",\"protocol_fqdn\":\"custom protocol fqdn\"}],\"custom_root_ns_enabled\":true,\"disabled\":true,\"dnssec_enable_validation\":true,\"dnssec_enabled\":true,\"dnssec_root_keys\":[{\"algorithm\":30,\"protocol_zone\":\"Dnssec root protocol zone\",\"public_key\":\"Dnssec root Public Key\",\"sep\":true,\"zone\":\"Dnssec root Zone\"}],\"dnssec_trust_anchors\":[{\"algorithm\":10,\"protocol_zone\":\"Dnssec trust protocol zone\",\"public_key\":\"Dnssec trust Public Key\",\"sep\":true,\"zone\":\"Dnssec trust zone\"}],\"dnssec_validate_expiry\":true,\"ecs_enabled\":true,\"ecs_forwarding\":true,\"ecs_prefix_v4\":22,\"ecs_prefix_v6\":33,\"ecs_zones\":[{\"access\":\"ecs zones access\",\"fqdn\":\"ecs zones fqdn\",\"protocol_fqdn\":\"ecs zones protocol fqdn\"}],\"edns_udp_size\":568,\"forwarders\":[{\"address\":\"81.2.69.192\",\"fqdn\":\"forwarders 
fqdn\",\"protocol_fqdn\":\"forwarders protocol fqdn\"}],\"forwarders_only\":true,\"gss_tsig_enabled\":true,\"id\":\"adv12rgfh\",\"inheritance_sources\":{\"add_edns_option_in_outgoing_query\":{\"action\":\"inherit\",\"display_name\":\"displaynameadd_edns_option_in_outgoing_query\",\"source\":\"sourceadd_edns_option_in_outgoing_query\",\"value\":true},\"custom_root_ns_block\":{\"action\":\"override\",\"display_name\":\"displaynamecustom_root_ns_block\",\"source\":\"sourcecustom_root_ns_block\",\"value\":{\"custom_root_ns\":[{\"address\":\"67.43.156.0\",\"fqdn\":\"fqdn_custom_root_ns\",\"protocol_fqdn\":\"protocolfqdn_custom_root_ns\"}],\"custom_root_ns_enabled\":true}},\"dnssec_validation_block\":{\"action\":\"inherit\",\"display_name\":\"displaynamednssec_validation_block\",\"source\":\"sourcednssec_validation_block\",\"value\":{\"dnssec_enable_validation\":true,\"dnssec_enabled\":true,\"dnssec_trust_anchors\":[{\"algorithm\":8,\"protocol_zone\":\"protocolzonednssec_trust_anchors\",\"public_key\":\"publickeydnssec_trust_anchors\",\"sep\":false,\"zone\":\"is3zone\"}],\"dnssec_validate_expiry\":true}},\"ecs_block\":{\"action\":\"inherit\",\"display_name\":\"displaynameecs_block\",\"source\":\"sourceecs_block\",\"value\":{\"ecs_enabled\":false,\"ecs_forwarding\":true,\"ecs_prefix_v4\":4,\"ecs_prefix_v6\":10,\"ecs_zones\":[{\"access\":\"inherit\",\"fqdn\":\"fqdnecs_block\",\"protocol_fqdn\":\"protocol_fqdnecs_block\"}]}},\"ecs_zones\":{\"action\":\"override\",\"display_name\":\"displaynameecs_zones\",\"source\":\"sourceecs_zones\",\"value\":{\"ecs_enabled\":false,\"ecs_forwarding\":true,\"ecs_prefix_v4\":4,\"ecs_prefix_v6\":12,\"ecs_zones\":[{\"access\":\"access_ecs_zones\",\"fqdn\":\"fqdn_ecs_zones\",\"protocol_fqdn\":\"protocolfqdn_ecs_zones\"}]}},\"edns_udp_size\":{\"action\":\"inherit\",\"display_name\":\"displaynameedns_udp_size\",\"source\":\"sourceedns_udp_size\",\"value\":55},\"forwarders_block\":{\"action\":\"inherit\",\"display_name\":\"displaynameforwarders_bl
ock\",\"source\":\"sourceforwarders_block\",\"value\":{\"forwarders\":[{\"address\":\"89.160.20.128\",\"fqdn\":\"forwarders_fqdn\",\"protocol_fqdn\":\"forwarders_protocolfqdn\"}],\"forwarders_only\":true}},\"gss_tsig_enabled\":{\"action\":\"inherit\",\"display_name\":\"displaynamegss_tsig_enabled\",\"source\":\"sourcegss_tsig_enabled\",\"value\":true},\"lame_ttl\":{\"action\":\"inherit\",\"display_name\":\"displaynamelame_ttl\",\"source\":\"sourcelame_ttl\",\"value\":45},\"match_recursive_only\":{\"action\":\"inherit\",\"display_name\":\"displaynamematch_recursive_only\",\"source\":\"sourcematch_recursive_only\",\"value\":false},\"max_cache_ttl\":{\"action\":\"inherit\",\"display_name\":\"displaynamemax_cache_ttl\",\"source\":\"sourcemax_cache_ttl\",\"value\":13},\"max_negative_ttl\":{\"action\":\"inherit\",\"display_name\":\"displaynamemax_negative_ttl\",\"source\":\"sourcemax_negative_ttl\",\"value\":12},\"max_udp_size\":{\"action\":\"inherit\",\"display_name\":\"displaynamemax_udp_size\",\"source\":\"sourcemax_udp_size\",\"value\":11},\"minimal_responses\":{\"action\":\"inherit\",\"display_name\":\"displaynameminimal_responses\",\"source\":\"sourceminimal_responses\",\"value\":true},\"notify\":{\"action\":\"inherit\",\"display_name\":\"displayname_notify\",\"source\":\"source_notify\",\"value\":true},\"query_acl\":{\"action\":\"override\",\"display_name\":\"displaynamequery_acl\",\"source\":\"sourcequery_acl\",\"value\":[{\"access\":\"allow\",\"acl\":\"aclvalue_query_acl\",\"address\":\"89.160.20.128\",\"element\":\"elementvaluequery_acl\",\"tsig_key\":{\"algorithm\":\"hmac_sha256\",\"comment\":\"commentquery_acl\",\"key\":\"keyquery_acl\",\"name\":\"namequery_acl\",\"protocol_name\":\"protocolname_query_acl\",\"secret\":\"secretquery_acl\"}}]},\"recursion_acl\":{\"action\":\"override\",\"display_name\":\"displaynamerecursion_acl\",\"source\":\"sourcerecursion_acl\",\"value\":[{\"access\":\"deny\",\"acl\":\"aclrecursion_acl\",\"address\":\"89.160.20.128\",\"eleme
nt\":\"elementrecursion_acl\",\"tsig_key\":{\"algorithm\":\"hmac_sha384\",\"comment\":\"commentrecursion_acl\",\"key\":\"keyrecursion_acl\",\"name\":\"namerecursion_acl\",\"protocol_name\":\"protocolnamerecursion_acl\",\"secret\":\"secretrecursion_acl\"}}]},\"recursion_enabled\":{\"action\":\"inherit\",\"display_name\":\"displaynamerecursion_enabled\",\"source\":\"sourcerecursion_enabled\",\"value\":true},\"synthesize_address_records_from_https\":{\"action\":\"inherit\",\"display_name\":\"displaynamesynthesize_address_records_from_https\",\"source\":\"sourcesynthesize_address_records_from_https\",\"value\":true},\"transfer_acl\":{\"action\":\"inherit\",\"display_name\":\"displaynametransfer_acl\",\"source\":\"sourcetransfer_acl\",\"value\":[{\"access\":\"allow\",\"acl\":\"acltransfer_acl\",\"address\":\"216.160.83.56\",\"element\":\"elementtransfer_acl\",\"tsig_key\":{\"algorithm\":\"hmac_sha224\",\"comment\":\"commenttransfer_acl\",\"key\":\"keytransfer_acl\",\"name\":\"nametransfer_acl\",\"protocol_name\":\"protocolnametransfer_acl\",\"secret\":\"secrettransfer_acl\"}}]},\"update_acl\":{\"action\":\"override\",\"display_name\":\"displaynameupdate_acl\",\"source\":\"sourceupdate_acl\",\"value\":[{\"access\":\"allow\",\"acl\":\"aclupdate_acl\",\"address\":\"216.160.83.56\",\"element\":\"elementupdate_acl\",\"tsig_key\":{\"algorithm\":\"hmac_sha384\",\"comment\":\"commentupdate_acl\",\"key\":\"keyupdate_acl\",\"name\":\"nameupdate_acl\",\"protocol_name\":\"protocolnameupdate_acl\",\"secret\":\"secretupdate_acl\"}}]},\"use_forwarders_for_subzones\":{\"action\":\"override\",\"display_name\":\"displaynameuse_forwarders_for_subzones\",\"source\":\"sourceuse_forwarders_for_subzones\",\"value\":false},\"zone_authority\":{\"default_ttl\":{\"action\":\"override\",\"display_name\":\"displaynamezone_authority\",\"source\":\"sourcezone_authority\",\"value\":50},\"expire\":{\"action\":\"inherit\",\"display_name\":\"displaynameexpire\",\"source\":\"sourceexpire\",\"value\":70},\"
mname_block\":{\"action\":\"inherit\",\"display_name\":\"displaynamemname_block\",\"source\":\"sourcemname_block\",\"value\":{\"mname\":\"mnamevaluemname_block\",\"protocol_mname\":\"protocolmnamemname_block\",\"use_default_mname\":true}},\"negative_ttl\":{\"action\":\"inherit\",\"display_name\":\"displaynamenegative_ttl\",\"source\":\"sourcenegative_ttl\",\"value\":90},\"protocol_rname\":{\"action\":\"inherit\",\"display_name\":\"displaynameprotocol_rname\",\"source\":\"sourceprotocol_rname\",\"value\":\"valueprotocol_rname\"},\"refresh\":{\"action\":\"inherit\",\"display_name\":\"displayname_refresh\",\"source\":\"source_refresh\",\"value\":40},\"retry\":{\"action\":\"inherit\",\"display_name\":\"displayname_retry\",\"source\":\"source_retry\",\"value\":570},\"rname\":{\"action\":\"inherit\",\"display_name\":\"displayname_rname\",\"source\":\"source_rname\",\"value\":\"value_rname\"}}},\"ip_spaces\":[\"testipspaces\"],\"lame_ttl\":350,\"match_clients_acl\":[{\"access\":\"deny\",\"acl\":\"aclmatch_clients_acl\",\"address\":\"81.2.69.192\",\"element\":\"elementmatch_clients_acl\",\"tsig_key\":{\"algorithm\":\"hmac_sha512\",\"comment\":\"commentmatch_clients_acl\",\"key\":\"keymatch_clients_acl\",\"name\":\"namematch_clients_acl\",\"protocol_name\":\"protocolnamematch_clients_acl\",\"secret\":\"secretmatch_clients_acl\"}}],\"match_destinations_acl\":[{\"access\":\"allow\",\"acl\":\"aclmatch_destinations_acl\",\"address\":\"81.2.69.192\",\"element\":\"elementmatch_destinations_acl\",\"tsig_key\":{\"algorithm\":\"hmac_sha384\",\"comment\":\"commentmatch_destinations_acl\",\"key\":\"keymatch_destinations_acl\",\"name\":\"namematch_destinations_acl\",\"protocol_name\":\"protocolnamematch_destinations_acl\",\"secret\":\"secretmatch_destinations_acl\"}}],\"match_recursive_only\":true,\"max_cache_ttl\":90,\"max_negative_ttl\":500,\"max_udp_size\":890,\"minimal_responses\":true,\"name\":\"string\",\"notify\":true,\"query_acl\":[{\"access\":\"accessquery_acl\",\"acl\":\"aclqu
ery_acl\",\"address\":\"81.2.69.192\",\"element\":\"elementquery_acl\",\"tsig_key\":{\"algorithm\":\"hmac_sha224\",\"comment\":\"commentquery_acl\",\"key\":\"keyquery_acl\",\"name\":\"namequery_acl\",\"protocol_name\":\"protocolnamequery_acl\",\"secret\":\"secretquery_acl\"}}],\"recursion_acl\":[{\"access\":\"allow\",\"acl\":\"aclrecursion_acl\",\"address\":\"81.2.69.192\",\"element\":\"elementrecursion_acl\",\"tsig_key\":{\"algorithm\":\"hmac_sha1\",\"comment\":\"commentrecursion_acl\",\"key\":\"keyrecursion_acl\",\"name\":\"namerecursion_acl\",\"protocol_name\":\"protocolnamerecursion_acl\",\"secret\":\"secretrecursion_acl\"}}],\"recursion_enabled\":true,\"synthesize_address_records_from_https\":false,\"tags\":{\"message\":\"Hello\"},\"transfer_acl\":[{\"access\":\"allow\",\"acl\":\"acltransfer_acl\",\"address\":\"216.160.83.56\",\"element\":\"elementtransfer_acl\",\"tsig_key\":{\"algorithm\":\"hmac_sha224\",\"comment\":\"commenttransfer_acl\",\"key\":\"keytransfer_acl\",\"name\":\"nametransfer_acl\",\"protocol_name\":\"protocolnametransfer_acl\",\"secret\":\"secrettransfer_acl\"}}],\"update_acl\":[{\"access\":\"allow\",\"acl\":\"aclupdate_acl\",\"address\":\"216.160.83.56\",\"element\":\"elementupdate_acl\",\"tsig_key\":{\"algorithm\":\"hmac_sha1\",\"comment\":\"commentupdate_acl\",\"key\":\"keyupdate_acl\",\"name\":\"nameupdate_acl\",\"protocol_name\":\"protocolnameupdate_acl\",\"secret\":\"secretupdate_acl\"}}],\"updated_at\":\"2022-07-15T06:55:25.978Z\",\"use_forwarders_for_subzones\":true,\"zone_authority\":{\"default_ttl\":20,\"expire\":10,\"mname\":\"mnamezone_authority\",\"negative_ttl\":30,\"protocol_mname\":\"protocolmnamezone_authority\",\"protocol_rname\":\"protocolrnamezone_authority\",\"refresh\":50,\"retry\":100,\"rname\":\"string\",\"use_default_mname\":true}}",
- "type": [
- "protocol"
- ]
- },
- "infoblox_bloxone_ddi": {
- "dns_config": {
- "add_edns": {
- "option_in": {
- "outgoing_query": true
- }
- },
- "comment": "DNS Config Comment",
- "created_at": "2022-07-15T06:55:25.978Z",
- "custom_root_ns": [
- {
- "address": "81.2.69.192",
- "fqdn": "custom fqdn",
- "protocol": {
- "fqdn": "custom protocol fqdn"
- }
- }
- ],
- "custom_root_ns_enabled": true,
- "disabled": true,
- "dnssec": {
- "enable_validation": true,
- "enabled": true,
- "root_keys": [
- {
- "algorithm": 30,
- "protocol": {
- "zone": "Dnssec root protocol zone"
- },
- "public": "Dnssec root Public Key",
- "sep": true,
- "zone": "Dnssec root Zone"
- }
- ],
- "trust_anchors": [
- {
- "algorithm": 10,
- "protocol": {
- "zone": "Dnssec trust protocol zone"
- },
- "public_key": "Dnssec trust Public Key",
- "sep": true,
- "zone": "Dnssec trust zone"
- }
- ],
- "validate_expiry": true
- },
- "ecs": {
- "enabled": true,
- "forwarding": true,
- "prefix_v4": 22,
- "prefix_v6": 33,
- "zones": [
- {
- "access": "ecs zones access",
- "fqdn": "ecs zones fqdn",
- "protocol": {
- "fqdn": "ecs zones protocol fqdn"
- }
- }
- ]
- },
- "edns": {
- "udp": {
- "size": 568
- }
- },
- "forwarders": [
- {
- "address": "81.2.69.192",
- "fqdn": "forwarders fqdn",
- "protocol": {
- "fqdn": "forwarders protocol fqdn"
- }
- }
- ],
- "forwarders_only": true,
- "gss_tsig_enabled": true,
- "id": "adv12rgfh",
- "inheritance": {
- "sources": {
- "add_edns": {
- "option_in": {
- "outgoing_query": {
- "action": "inherit",
- "display": {
- "name": "displaynameadd_edns_option_in_outgoing_query"
- },
- "source": "sourceadd_edns_option_in_outgoing_query",
- "value": true
- }
- }
- },
- "custom_root_ns": {
- "block": {
- "action": "override",
- "display": {
- "name": "displaynamecustom_root_ns_block"
- },
- "source": "sourcecustom_root_ns_block",
- "value": [
- {
- "address": "67.43.156.0",
- "fqdn": "fqdn_custom_root_ns",
- "protocol": {
- "fqdn": "protocolfqdn_custom_root_ns"
- }
- }
- ],
- "value_enabled": true
- }
- },
- "dnssec": {
- "validation": {
- "block": {
- "action": "inherit",
- "display": {
- "name": "displaynamednssec_validation_block"
- },
- "source": "sourcednssec_validation_block",
- "value": {
- "enable": true,
- "enabled": true,
- "trust_anchors": [
- {
- "algorithm": 8,
- "protocol": {
- "zone": "protocolzonednssec_trust_anchors"
- },
- "public_key": "publickeydnssec_trust_anchors",
- "sep": false,
- "zone": "is3zone"
- }
- ],
- "validate_expiry": true
- }
- }
- }
- },
- "ecs": {
- "block": {
- "action": "inherit",
- "display": {
- "name": "displaynameecs_block"
- },
- "source": "sourceecs_block",
- "value": {
- "enabled": false,
- "forwarding": true,
- "prefix_v4": 4,
- "prefix_v6": 10,
- "zones": [
- {
- "access": "inherit",
- "fqdn": "fqdnecs_block",
- "protocol": {
- "fqdn": "protocol_fqdnecs_block"
- }
- }
- ]
- }
- }
- },
- "edns": {
- "udp": {
- "size": {
- "action": "inherit",
- "display": {
- "name": "displaynameedns_udp_size"
- },
- "source": "sourceedns_udp_size",
- "value": 55
- }
- }
- },
- "forwarders": {
- "block": {
- "action": "inherit",
- "display": {
- "name": "displaynameforwarders_block"
- },
- "source": "sourceforwarders_block",
- "value": [
- {
- "address": "89.160.20.128",
- "fqdn": "forwarders_fqdn",
- "protocol": {
- "fqdn": "forwarders_protocolfqdn"
- }
- }
- ],
- "value_only": true
- }
- },
- "gss_tsig_enabled": {
- "action": "inherit",
- "display": {
- "name": "displaynamegss_tsig_enabled"
- },
- "source": "sourcegss_tsig_enabled",
- "value": true
- },
- "lame_ttl": {
- "action": "inherit",
- "display": {
- "name": "displaynamelame_ttl"
- },
- "source": "sourcelame_ttl",
- "value": 45
- },
- "match_recursive_only": {
- "action": "inherit",
- "display": {
- "name": "displaynamematch_recursive_only"
- },
- "source": "sourcematch_recursive_only",
- "value": false
- },
- "max_cache_ttl": {
- "action": "inherit",
- "display": {
- "name": "displaynamemax_cache_ttl"
- },
- "source": "sourcemax_cache_ttl",
- "value": 13
- },
- "max_negative_ttl": {
- "action": "inherit",
- "display": {
- "name": "displaynamemax_negative_ttl"
- },
- "source": "sourcemax_negative_ttl",
- "value": 12
- },
- "max_udp_size": {
- "action": "inherit",
- "display": {
- "name": "displaynamemax_udp_size"
- },
- "source": "sourcemax_udp_size",
- "value": 11
- },
- "minimal_responses": {
- "action": "inherit",
- "display": {
- "name": "displaynameminimal_responses"
- },
- "source": "sourceminimal_responses",
- "value": true
- },
- "notify": {
- "action": "inherit",
- "display": {
- "name": "displayname_notify"
- },
- "source": "source_notify",
- "value": true
- },
- "query_acl": {
- "action": "override",
- "display": {
- "name": "displaynamequery_acl"
- },
- "source": "sourcequery_acl",
- "value": [
- {
- "access": "allow",
- "acl": "aclvalue_query_acl",
- "address": "89.160.20.128",
- "element": "elementvaluequery_acl",
- "tsig_key": {
- "algorithm": "hmac_sha256",
- "comment": "commentquery_acl",
- "key": "keyquery_acl",
- "name": "namequery_acl",
- "protocol": {
- "name": "protocolname_query_acl"
- },
- "secret": "secretquery_acl"
- }
- }
- ]
- },
- "recursion_acl": {
- "action": "override",
- "display": {
- "name": "displaynamerecursion_acl"
- },
- "source": "sourcerecursion_acl",
- "value": [
- {
- "access": "deny",
- "acl": "aclrecursion_acl",
- "address": "89.160.20.128",
- "element": "elementrecursion_acl",
- "tsig_key": {
- "algorithm": "hmac_sha384",
- "comment": "commentrecursion_acl",
- "key": "keyrecursion_acl",
- "name": "namerecursion_acl",
- "protocol": {
- "name": "protocolnamerecursion_acl"
- },
- "secret": "secretrecursion_acl"
- }
- }
- ]
- },
- "recursion_enabled": {
- "action": "inherit",
- "display": {
- "name": "displaynamerecursion_enabled"
- },
- "source": "sourcerecursion_enabled",
- "value": true
- },
- "synthesize": {
- "address_records_from_https": {
- "action": "inherit",
- "display": {
- "name": "displaynamesynthesize_address_records_from_https"
- },
- "name": "sourcesynthesize_address_records_from_https",
- "value": true
- }
- },
- "transfer_acl": {
- "action": "inherit",
- "display": {
- "name": "displaynametransfer_acl"
- },
- "source": "sourcetransfer_acl",
- "value": [
- {
- "access": "allow",
- "acl": "acltransfer_acl",
- "address": "216.160.83.56",
- "element": "elementtransfer_acl",
- "tsig_key": {
- "algorithm": "hmac_sha224",
- "comment": "commenttransfer_acl",
- "key": "keytransfer_acl",
- "name": "nametransfer_acl",
- "protocol": {
- "name": "protocolnametransfer_acl"
- },
- "secret": "secrettransfer_acl"
- }
- }
- ]
- },
- "update_acl": {
- "action": "override",
- "display": {
- "name": "displaynameupdate_acl"
- },
- "source": "sourceupdate_acl",
- "value": [
- {
- "access": "allow",
- "acl": "aclupdate_acl",
- "address": "216.160.83.56",
- "element": "elementupdate_acl",
- "tsig_key": {
- "algorithm": "hmac_sha384",
- "comment": "commentupdate_acl",
- "key": "keyupdate_acl",
- "name": "nameupdate_acl",
- "protocol": {
- "name": "protocolnameupdate_acl"
- },
- "secret": "secretupdate_acl"
- }
- }
- ]
- },
- "use_forwarders_for_subzones": {
- "action": "override",
- "display": {
- "name": "displaynameuse_forwarders_for_subzones"
- },
- "source": "sourceuse_forwarders_for_subzones",
- "value": false
- },
- "zone_authority": {
- "default_ttl": {
- "action": "override",
- "display": {
- "name": "displaynamezone_authority"
- },
- "source": "sourcezone_authority",
- "value": 50
- },
- "expire": {
- "action": "inherit",
- "display": {
- "name": "displaynameexpire"
- },
- "source": "sourceexpire",
- "value": 70
- },
- "mname_block": {
- "action": "inherit",
- "display": {
- "name": "displaynamemname_block"
- },
- "source": "sourcemname_block",
- "value": {
- "isdefault": true,
- "protocol": {
- "mname": "protocolmnamemname_block"
- }
- }
- },
- "mname_block_value": "mnamevaluemname_block",
- "negative_ttl": {
- "action": "inherit",
- "display": {
- "name": "displaynamenegative_ttl"
- },
- "source": "sourcenegative_ttl",
- "value": 90
- },
- "protocol_rname": {
- "action": "inherit",
- "display": {
- "name": "displaynameprotocol_rname"
- },
- "source": "sourceprotocol_rname",
- "value": "valueprotocol_rname"
- },
- "refresh": {
- "action": "inherit",
- "display": {
- "name": "displayname_refresh"
- },
- "source": "source_refresh",
- "value": 40
- },
- "retry": {
- "action": "inherit",
- "display": {
- "name": "displayname_retry"
- },
- "source": "source_retry",
- "value": 570
- },
- "rname": {
- "action": "inherit",
- "display": {
- "name": "displayname_rname"
- },
- "source": "source_rname",
- "value": "value_rname"
- }
- }
- }
- },
- "ip_spaces": [
- "testipspaces"
- ],
- "lame_ttl": 350,
- "match_clients_acl": [
- {
- "access": "deny",
- "address": "81.2.69.192",
- "element": "elementmatch_clients_acl",
- "tsig_key": {
- "algorithm": "hmac_sha512",
- "comment": "commentmatch_clients_acl",
- "key": "keymatch_clients_acl",
- "name": "namematch_clients_acl",
- "protocol": {
- "name": "protocolnamematch_clients_acl"
- },
- "secret": "secretmatch_clients_acl"
- },
- "value": "aclmatch_clients_acl"
- }
- ],
- "match_destinations_acl": [
- {
- "access": "allow",
- "address": "81.2.69.192",
- "element": "elementmatch_destinations_acl",
- "tsig_key": {
- "algorithm": "hmac_sha384",
- "comment": "commentmatch_destinations_acl",
- "key": "keymatch_destinations_acl",
- "name": "namematch_destinations_acl",
- "protocol": {
- "name": "protocolnamematch_destinations_acl"
- },
- "secret": "secretmatch_destinations_acl"
- },
- "value": "aclmatch_destinations_acl"
- }
- ],
- "match_recursive_only": true,
- "max_cache_ttl": 90,
- "max_negative_ttl": 500,
- "max_udp_size": 890,
- "minimal_responses": true,
- "name": "string",
- "notify": true,
- "query_acl": [
- {
- "access": "accessquery_acl",
- "address": "81.2.69.192",
- "element": "elementquery_acl",
- "tsig_key": {
- "algorithm": "hmac_sha224",
- "comment": "commentquery_acl",
- "key": "keyquery_acl",
- "name": "namequery_acl",
- "protocol": {
- "name": "protocolnamequery_acl"
- },
- "secret": "secretquery_acl"
- },
- "value": "aclquery_acl"
- }
- ],
- "recursion_acl": [
- {
- "access": "allow",
- "address": "81.2.69.192",
- "element": "elementrecursion_acl",
- "tsig_key": {
- "algorithm": "hmac_sha1",
- "comment": "commentrecursion_acl",
- "key": "keyrecursion_acl",
- "name": "namerecursion_acl",
- "protocol": {
- "name": "protocolnamerecursion_acl"
- },
- "secret": "secretrecursion_acl"
- },
- "value": "aclrecursion_acl"
- }
- ],
- "recursion_enabled": true,
- "synthesize": {
- "address_records_from_https": false
- },
- "tags": {
- "message": "Hello"
- },
- "transfer_acl": [
- {
- "access": "allow",
- "address": "216.160.83.56",
- "element": "elementtransfer_acl",
- "tsig_key": {
- "algorithm": "hmac_sha224",
- "comment": "commenttransfer_acl",
- "key": "keytransfer_acl",
- "name": "nametransfer_acl",
- "protocol": {
- "name": "protocolnametransfer_acl"
- },
- "secret": "secrettransfer_acl"
- },
- "value": "acltransfer_acl"
- }
- ],
- "update_acl": [
- {
- "access": "allow",
- "address": "216.160.83.56",
- "element": "elementupdate_acl",
- "tsig_key": {
- "algorithm": "hmac_sha1",
- "comment": "commentupdate_acl",
- "key": "keyupdate_acl",
- "name": "nameupdate_acl",
- "protocol": {
- "name": "protocolnameupdate_acl"
- },
- "secret": "secretupdate_acl"
- },
- "value": "aclupdate_acl"
- }
- ],
- "updated_at": "2022-07-15T06:55:25.978Z",
- "use_forwarders_for_subzones": true,
- "zone_authority": {
- "default_ttl": 20,
- "expire": 10,
- "mname": "mnamezone_authority",
- "negative_ttl": 30,
- "protocol": {
- "mname": "protocolmnamezone_authority",
- "rname": "protocolrnamezone_authority"
- },
- "refresh": 50,
- "retry": 100,
- "rname": "string",
- "use_default_mname": true
- }
- }
- },
- "input": {
- "type": "httpjson"
- },
- "related": {
- "hash": [
- "hmac_sha256",
- "hmac_sha384",
- "hmac_sha224",
- "hmac_sha512",
- "hmac_sha1"
- ],
- "ip": [
- "81.2.69.192",
- "67.43.156.0",
- "89.160.20.128",
- "216.160.83.56"
- ]
- },
- "tags": [
- "preserve_original_event",
- "preserve_duplicate_custom_fields",
- "forwarded",
- "infoblox_bloxone_ddi_dns_config"
- ]
-}
-```
-
-**Exported fields**
-
-| Field | Description | Type |
-|---|---|---|
-| @timestamp | Event timestamp. | date |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
-| data_stream.dataset | Data stream dataset. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| dns.answers.ttl | The time interval in seconds that this resource record may be cached before it should be discarded. Zero values mean that the data should not be cached. | long |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword |
-| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date |
-| event.dataset | Event dataset. | constant_keyword |
-| event.id | Unique ID to describe the event. | keyword |
-| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword |
-| event.module | Event module. | constant_keyword |
-| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword |
-| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| infoblox_bloxone_ddi.dns_config.add_edns.option_in.outgoing_query | add_edns_option_in_outgoing_query adds client IP, MAC address and view name into outgoing recursive query. | boolean |
-| infoblox_bloxone_ddi.dns_config.comment | Optional. Comment for view. | keyword |
-| infoblox_bloxone_ddi.dns_config.created_at | The timestamp when the object has been created. | date |
-| infoblox_bloxone_ddi.dns_config.custom_root_ns.address | IPv4 address. | ip |
-| infoblox_bloxone_ddi.dns_config.custom_root_ns.fqdn | FQDN. | keyword |
-| infoblox_bloxone_ddi.dns_config.custom_root_ns.protocol.fqdn | FQDN in punycode. | keyword |
-| infoblox_bloxone_ddi.dns_config.custom_root_ns_enabled | Optional. true to use custom root nameservers instead of the default ones. | boolean |
-| infoblox_bloxone_ddi.dns_config.disabled | Optional. true to disable object. A disabled object is effectively non-existent when generating configuration. | boolean |
-| infoblox_bloxone_ddi.dns_config.dnssec.enable_validation | Optional. true to perform DNSSEC validation. | boolean |
-| infoblox_bloxone_ddi.dns_config.dnssec.enabled | Optional. Master toggle for all DNSSEC processing. | boolean |
-| infoblox_bloxone_ddi.dns_config.dnssec.root_keys.algorithm | Key algorithm. Algorithm values are as per standards. | long |
-| infoblox_bloxone_ddi.dns_config.dnssec.root_keys.protocol.zone | Zone FQDN in punycode. | keyword |
-| infoblox_bloxone_ddi.dns_config.dnssec.root_keys.public | DNSSEC key data. Non-empty, valid base64 string. | keyword |
-| infoblox_bloxone_ddi.dns_config.dnssec.root_keys.sep | Optional. Secure Entry Point flag. | boolean |
-| infoblox_bloxone_ddi.dns_config.dnssec.root_keys.zone | Zone FQDN. | keyword |
-| infoblox_bloxone_ddi.dns_config.dnssec.trust_anchors.algorithm | Key algorithm. Algorithm values are as per standards. | long |
-| infoblox_bloxone_ddi.dns_config.dnssec.trust_anchors.protocol.zone | Zone FQDN in punycode. | keyword |
-| infoblox_bloxone_ddi.dns_config.dnssec.trust_anchors.public_key | DNSSEC key data. Non-empty, valid base64 string. | keyword |
-| infoblox_bloxone_ddi.dns_config.dnssec.trust_anchors.sep | Optional. Secure Entry Point flag. | boolean |
-| infoblox_bloxone_ddi.dns_config.dnssec.trust_anchors.zone | Zone FQDN. | keyword |
-| infoblox_bloxone_ddi.dns_config.dnssec.validate_expiry | Optional. true to reject expired DNSSEC keys. | boolean |
-| infoblox_bloxone_ddi.dns_config.ecs.enabled | Optional. true to enable EDNS client subnet for recursive queries. | boolean |
-| infoblox_bloxone_ddi.dns_config.ecs.forwarding | Optional. true to enable ECS options in outbound queries. This functionality has additional overhead so it is disabled by default. | boolean |
-| infoblox_bloxone_ddi.dns_config.ecs.prefix_v4 | Optional. Maximum scope length for v4 ECS. | long |
-| infoblox_bloxone_ddi.dns_config.ecs.prefix_v6 | Optional. Maximum scope length for v6 ECS. | long |
-| infoblox_bloxone_ddi.dns_config.ecs.zones.access | Access control for zone. | keyword |
-| infoblox_bloxone_ddi.dns_config.ecs.zones.fqdn | Zone FQDN. | keyword |
-| infoblox_bloxone_ddi.dns_config.ecs.zones.protocol.fqdn | Zone FQDN in punycode. | keyword |
-| infoblox_bloxone_ddi.dns_config.edns.udp.size | Optional. edns_udp_size represents the edns UDP size. | long |
-| infoblox_bloxone_ddi.dns_config.forwarders.address | Server IP address. | ip |
-| infoblox_bloxone_ddi.dns_config.forwarders.fqdn | Server FQDN. | keyword |
-| infoblox_bloxone_ddi.dns_config.forwarders.protocol.fqdn | Server FQDN in punycode. | keyword |
-| infoblox_bloxone_ddi.dns_config.forwarders_only | Optional. true to only forward. | boolean |
-| infoblox_bloxone_ddi.dns_config.gss_tsig_enabled | gss_tsig_enabled enables/disables GSS-TSIG signed dynamic updates. | boolean |
-| infoblox_bloxone_ddi.dns_config.id | The resource identifier. | keyword |
-| infoblox_bloxone_ddi.dns_config.inheritance.sources.add_edns.option_in.outgoing_query.action | The inheritance setting for a field. | keyword |
-| infoblox_bloxone_ddi.dns_config.inheritance.sources.add_edns.option_in.outgoing_query.display.name | The human-readable display name for the object referred to by source. | keyword |
-| infoblox_bloxone_ddi.dns_config.inheritance.sources.add_edns.option_in.outgoing_query.source | The resource identifier. | keyword |
-| infoblox_bloxone_ddi.dns_config.inheritance.sources.add_edns.option_in.outgoing_query.value | The inherited value. | boolean |
-| infoblox_bloxone_ddi.dns_config.inheritance.sources.custom_root_ns.block.action | Defaults to inherit. | keyword |
-| infoblox_bloxone_ddi.dns_config.inheritance.sources.custom_root_ns.block.display.name | Human-readable display name for the object referred to by source. | keyword |
-| infoblox_bloxone_ddi.dns_config.inheritance.sources.custom_root_ns.block.source | The resource identifier. | keyword |
-| infoblox_bloxone_ddi.dns_config.inheritance.sources.custom_root_ns.block.value.address | IPv4 address. | ip |
-| infoblox_bloxone_ddi.dns_config.inheritance.sources.custom_root_ns.block.value.fqdn | Optional. Field config for custom_root_ns_enabled field. | keyword |
-| infoblox_bloxone_ddi.dns_config.inheritance.sources.custom_root_ns.block.value.protocol.fqdn | FQDN. | keyword |
-| infoblox_bloxone_ddi.dns_config.inheritance.sources.custom_root_ns.block.value_enabled | FQDN in punycode. | boolean |
-| infoblox_bloxone_ddi.dns_config.inheritance.sources.dnssec.validation.block.action | Defaults to inherit. | keyword |
-| infoblox_bloxone_ddi.dns_config.inheritance.sources.dnssec.validation.block.display.name | Human-readable display name for the object referred to by source. | keyword |
-| infoblox_bloxone_ddi.dns_config.inheritance.sources.dnssec.validation.block.source | The resource identifier. | keyword |
-| infoblox_bloxone_ddi.dns_config.inheritance.sources.dnssec.validation.block.value.enable | Optional. Field config for dnssec_enable_validation field. | boolean |
-| infoblox_bloxone_ddi.dns_config.inheritance.sources.dnssec.validation.block.value.enabled | Optional. Field config for dnssec_enabled field. | boolean |
-| infoblox_bloxone_ddi.dns_config.inheritance.sources.dnssec.validation.block.value.trust_anchors.algorithm | Key algorithm. Algorithm values are as per standards. | long |
-| infoblox_bloxone_ddi.dns_config.inheritance.sources.dnssec.validation.block.value.trust_anchors.protocol.zone | Zone FQDN in punycode. | keyword |
-| infoblox_bloxone_ddi.dns_config.inheritance.sources.dnssec.validation.block.value.trust_anchors.public_key | DNSSEC key data. Non-empty, valid base64 string. | keyword |
-| infoblox_bloxone_ddi.dns_config.inheritance.sources.dnssec.validation.block.value.trust_anchors.sep | Optional. Secure Entry Point flag. | boolean |
-| infoblox_bloxone_ddi.dns_config.inheritance.sources.dnssec.validation.block.value.trust_anchors.zone | Zone FQDN. | keyword |
-| infoblox_bloxone_ddi.dns_config.inheritance.sources.dnssec.validation.block.value.validate_expiry | Optional. Field config for dnssec_validate_expiry field. | boolean |
-| infoblox_bloxone_ddi.dns_config.inheritance.sources.ecs.block.action | Defaults to inherit. | keyword |
-| infoblox_bloxone_ddi.dns_config.inheritance.sources.ecs.block.display.name | Human-readable display name for the object referred to by source.
| keyword | -| infoblox_bloxone_ddi.dns_config.inheritance.sources.ecs.block.source | The resource identifier. | keyword | -| infoblox_bloxone_ddi.dns_config.inheritance.sources.ecs.block.value.enabled | Optional. Field config for ecs_enabled field. | boolean | -| infoblox_bloxone_ddi.dns_config.inheritance.sources.ecs.block.value.forwarding | Optional. Field config for ecs_forwarding field. | boolean | -| infoblox_bloxone_ddi.dns_config.inheritance.sources.ecs.block.value.prefix_v4 | Optional. Field config for ecs_prefix_v4 field. | long | -| infoblox_bloxone_ddi.dns_config.inheritance.sources.ecs.block.value.prefix_v6 | Optional. Field config for ecs_prefix_v6 field. | long | -| infoblox_bloxone_ddi.dns_config.inheritance.sources.ecs.block.value.zones.access | Access control for zone. | keyword | -| infoblox_bloxone_ddi.dns_config.inheritance.sources.ecs.block.value.zones.fqdn | Zone FQDN. | keyword | -| infoblox_bloxone_ddi.dns_config.inheritance.sources.ecs.block.value.zones.protocol.fqdn | Zone FQDN in punycode. | keyword | -| infoblox_bloxone_ddi.dns_config.inheritance.sources.edns.udp.size.action | The inheritance setting for a field. | keyword | -| infoblox_bloxone_ddi.dns_config.inheritance.sources.edns.udp.size.display.name | The human-readable display name for the object referred to by source. | keyword | -| infoblox_bloxone_ddi.dns_config.inheritance.sources.edns.udp.size.source | The resource identifier. | keyword | -| infoblox_bloxone_ddi.dns_config.inheritance.sources.edns.udp.size.value | The inherited value. | long | -| infoblox_bloxone_ddi.dns_config.inheritance.sources.forwarders.block.action | Defaults to inherit. | keyword | -| infoblox_bloxone_ddi.dns_config.inheritance.sources.forwarders.block.display.name | Human-readable display name for the object referred to by source. | keyword | -| infoblox_bloxone_ddi.dns_config.inheritance.sources.forwarders.block.source | The resource identifier. 
| keyword | -| infoblox_bloxone_ddi.dns_config.inheritance.sources.forwarders.block.value.address | Server IP address. | ip | -| infoblox_bloxone_ddi.dns_config.inheritance.sources.forwarders.block.value.fqdn | Server FQDN. | keyword | -| infoblox_bloxone_ddi.dns_config.inheritance.sources.forwarders.block.value.protocol.fqdn | Server FQDN in punycode. | keyword | -| infoblox_bloxone_ddi.dns_config.inheritance.sources.forwarders.block.value_only | Optional. Field config for forwarders_only field. | boolean | -| infoblox_bloxone_ddi.dns_config.inheritance.sources.gss_tsig_enabled.action | The inheritance setting for a field. | keyword | -| infoblox_bloxone_ddi.dns_config.inheritance.sources.gss_tsig_enabled.display.name | The human-readable display name for the object referred to by source. | keyword | -| infoblox_bloxone_ddi.dns_config.inheritance.sources.gss_tsig_enabled.source | The resource identifier. | keyword | -| infoblox_bloxone_ddi.dns_config.inheritance.sources.gss_tsig_enabled.value | The inherited value. | boolean | -| infoblox_bloxone_ddi.dns_config.inheritance.sources.lame_ttl.action | The inheritance setting for a field. | keyword | -| infoblox_bloxone_ddi.dns_config.inheritance.sources.lame_ttl.display.name | The human-readable display name for the object referred to by source. | keyword | -| infoblox_bloxone_ddi.dns_config.inheritance.sources.lame_ttl.source | The resource identifier. | keyword | -| infoblox_bloxone_ddi.dns_config.inheritance.sources.lame_ttl.value | The inherited value. | long | -| infoblox_bloxone_ddi.dns_config.inheritance.sources.match_recursive_only.action | The inheritance setting for a field. | keyword | -| infoblox_bloxone_ddi.dns_config.inheritance.sources.match_recursive_only.display.name | The human-readable display name for the object referred to by source. | keyword | -| infoblox_bloxone_ddi.dns_config.inheritance.sources.match_recursive_only.source | The resource identifier. 
| keyword | -| infoblox_bloxone_ddi.dns_config.inheritance.sources.match_recursive_only.value | The inherited value. | boolean | -| infoblox_bloxone_ddi.dns_config.inheritance.sources.max_cache_ttl.action | The inheritance setting for a field. | keyword | -| infoblox_bloxone_ddi.dns_config.inheritance.sources.max_cache_ttl.display.name | The human-readable display name for the object referred to by source. | keyword | -| infoblox_bloxone_ddi.dns_config.inheritance.sources.max_cache_ttl.source | The resource identifier. | keyword | -| infoblox_bloxone_ddi.dns_config.inheritance.sources.max_cache_ttl.value | The inherited value. | long | -| infoblox_bloxone_ddi.dns_config.inheritance.sources.max_negative_ttl.action | The inheritance setting for a field. | keyword | -| infoblox_bloxone_ddi.dns_config.inheritance.sources.max_negative_ttl.display.name | The human-readable display name for the object referred to by source. | keyword | -| infoblox_bloxone_ddi.dns_config.inheritance.sources.max_negative_ttl.source | The resource identifier. | keyword | -| infoblox_bloxone_ddi.dns_config.inheritance.sources.max_negative_ttl.value | The inherited value. | long | -| infoblox_bloxone_ddi.dns_config.inheritance.sources.max_udp_size.action | The inheritance setting for a field. | keyword | -| infoblox_bloxone_ddi.dns_config.inheritance.sources.max_udp_size.display.name | The human-readable display name for the object referred to by source. | keyword | -| infoblox_bloxone_ddi.dns_config.inheritance.sources.max_udp_size.source | The resource identifier. | keyword | -| infoblox_bloxone_ddi.dns_config.inheritance.sources.max_udp_size.value | The inherited value. | long | -| infoblox_bloxone_ddi.dns_config.inheritance.sources.minimal_responses.action | The inheritance setting for a field. | keyword | -| infoblox_bloxone_ddi.dns_config.inheritance.sources.minimal_responses.display.name | The human-readable display name for the object referred to by source. 
| keyword | -| infoblox_bloxone_ddi.dns_config.inheritance.sources.minimal_responses.source | The resource identifier. | keyword | -| infoblox_bloxone_ddi.dns_config.inheritance.sources.minimal_responses.value | The inherited value. | boolean | -| infoblox_bloxone_ddi.dns_config.inheritance.sources.notify.action | The inheritance setting for a field. | keyword | -| infoblox_bloxone_ddi.dns_config.inheritance.sources.notify.display.name | The human-readable display name for the object referred to by source. | keyword | -| infoblox_bloxone_ddi.dns_config.inheritance.sources.notify.source | The resource identifier. | keyword | -| infoblox_bloxone_ddi.dns_config.inheritance.sources.notify.value | The inherited value. | boolean | -| infoblox_bloxone_ddi.dns_config.inheritance.sources.query_acl.action | The inheritance setting for a field. | keyword | -| infoblox_bloxone_ddi.dns_config.inheritance.sources.query_acl.display.name | The human-readable display name for the object referred to by source. | keyword | -| infoblox_bloxone_ddi.dns_config.inheritance.sources.query_acl.source | The resource identifier. | keyword | -| infoblox_bloxone_ddi.dns_config.inheritance.sources.query_acl.value.access | Access permission for element. | keyword | -| infoblox_bloxone_ddi.dns_config.inheritance.sources.query_acl.value.acl | The resource identifier. | keyword | -| infoblox_bloxone_ddi.dns_config.inheritance.sources.query_acl.value.address | Optional. Data for ip element. | ip | -| infoblox_bloxone_ddi.dns_config.inheritance.sources.query_acl.value.element | Type of element. | keyword | -| infoblox_bloxone_ddi.dns_config.inheritance.sources.query_acl.value.tsig_key.algorithm | TSIG key algorithm. | keyword | -| infoblox_bloxone_ddi.dns_config.inheritance.sources.query_acl.value.tsig_key.comment | Comment for TSIG key. | keyword | -| infoblox_bloxone_ddi.dns_config.inheritance.sources.query_acl.value.tsig_key.key | The resource identifier. 
| keyword | -| infoblox_bloxone_ddi.dns_config.inheritance.sources.query_acl.value.tsig_key.name | TSIG key name, FQDN. | keyword | -| infoblox_bloxone_ddi.dns_config.inheritance.sources.query_acl.value.tsig_key.protocol.name | TSIG key name in punycode. | keyword | -| infoblox_bloxone_ddi.dns_config.inheritance.sources.query_acl.value.tsig_key.secret | TSIG key secret, base64 string. | keyword | -| infoblox_bloxone_ddi.dns_config.inheritance.sources.recursion_acl.action | The inheritance setting for a field. | keyword | -| infoblox_bloxone_ddi.dns_config.inheritance.sources.recursion_acl.display.name | The human-readable display name for the object referred to by source. | keyword | -| infoblox_bloxone_ddi.dns_config.inheritance.sources.recursion_acl.source | The resource identifier. | keyword | -| infoblox_bloxone_ddi.dns_config.inheritance.sources.recursion_acl.value.access | Access permission for element. | keyword | -| infoblox_bloxone_ddi.dns_config.inheritance.sources.recursion_acl.value.acl | The resource identifier. | keyword | -| infoblox_bloxone_ddi.dns_config.inheritance.sources.recursion_acl.value.address | Optional. Data for ip element. | ip | -| infoblox_bloxone_ddi.dns_config.inheritance.sources.recursion_acl.value.element | Type of element. | keyword | -| infoblox_bloxone_ddi.dns_config.inheritance.sources.recursion_acl.value.tsig_key.algorithm | TSIG key algorithm. | keyword | -| infoblox_bloxone_ddi.dns_config.inheritance.sources.recursion_acl.value.tsig_key.comment | Comment for TSIG key. | keyword | -| infoblox_bloxone_ddi.dns_config.inheritance.sources.recursion_acl.value.tsig_key.key | The resource identifier. | keyword | -| infoblox_bloxone_ddi.dns_config.inheritance.sources.recursion_acl.value.tsig_key.name | TSIG key name, FQDN. | keyword | -| infoblox_bloxone_ddi.dns_config.inheritance.sources.recursion_acl.value.tsig_key.protocol.name | TSIG key name in punycode. 
| keyword | -| infoblox_bloxone_ddi.dns_config.inheritance.sources.recursion_acl.value.tsig_key.secret | TSIG key secret, base64 string. | keyword | -| infoblox_bloxone_ddi.dns_config.inheritance.sources.recursion_enabled.action | The inheritance setting for a field. | keyword | -| infoblox_bloxone_ddi.dns_config.inheritance.sources.recursion_enabled.display.name | The human-readable display name for the object referred to by source. | keyword | -| infoblox_bloxone_ddi.dns_config.inheritance.sources.recursion_enabled.source | The resource identifier. | keyword | -| infoblox_bloxone_ddi.dns_config.inheritance.sources.recursion_enabled.value | The inherited value. | boolean | -| infoblox_bloxone_ddi.dns_config.inheritance.sources.synthesize.address_records_from_https.action | The inheritance setting for a field. | keyword | -| infoblox_bloxone_ddi.dns_config.inheritance.sources.synthesize.address_records_from_https.display.name | The human-readable display name for the object referred to by source. | keyword | -| infoblox_bloxone_ddi.dns_config.inheritance.sources.synthesize.address_records_from_https.name | The resource identifier. | keyword | -| infoblox_bloxone_ddi.dns_config.inheritance.sources.synthesize.address_records_from_https.value | The inherited value. | boolean | -| infoblox_bloxone_ddi.dns_config.inheritance.sources.transfer_acl.action | The inheritance setting for a field. | keyword | -| infoblox_bloxone_ddi.dns_config.inheritance.sources.transfer_acl.display.name | The human-readable display name for the object referred to by source. | keyword | -| infoblox_bloxone_ddi.dns_config.inheritance.sources.transfer_acl.source | The resource identifier. | keyword | -| infoblox_bloxone_ddi.dns_config.inheritance.sources.transfer_acl.value.access | Access permission for element. | keyword | -| infoblox_bloxone_ddi.dns_config.inheritance.sources.transfer_acl.value.acl | The resource identifier. 
| keyword | -| infoblox_bloxone_ddi.dns_config.inheritance.sources.transfer_acl.value.address | Optional. Data for ip element. | ip | -| infoblox_bloxone_ddi.dns_config.inheritance.sources.transfer_acl.value.element | Type of element. | keyword | -| infoblox_bloxone_ddi.dns_config.inheritance.sources.transfer_acl.value.tsig_key.algorithm | TSIG key algorithm. | keyword | -| infoblox_bloxone_ddi.dns_config.inheritance.sources.transfer_acl.value.tsig_key.comment | Comment for TSIG key. | keyword | -| infoblox_bloxone_ddi.dns_config.inheritance.sources.transfer_acl.value.tsig_key.key | The resource identifier. | keyword | -| infoblox_bloxone_ddi.dns_config.inheritance.sources.transfer_acl.value.tsig_key.name | TSIG key name, FQDN. | keyword | -| infoblox_bloxone_ddi.dns_config.inheritance.sources.transfer_acl.value.tsig_key.protocol.name | TSIG key name in punycode. | keyword | -| infoblox_bloxone_ddi.dns_config.inheritance.sources.transfer_acl.value.tsig_key.secret | TSIG key secret, base64 string. | keyword | -| infoblox_bloxone_ddi.dns_config.inheritance.sources.update_acl.action | The inheritance setting for a field. | keyword | -| infoblox_bloxone_ddi.dns_config.inheritance.sources.update_acl.display.name | The human-readable display name for the object referred to by source. | keyword | -| infoblox_bloxone_ddi.dns_config.inheritance.sources.update_acl.source | The resource identifier. | keyword | -| infoblox_bloxone_ddi.dns_config.inheritance.sources.update_acl.value.access | Access permission for element. | keyword | -| infoblox_bloxone_ddi.dns_config.inheritance.sources.update_acl.value.acl | The resource identifier. | keyword | -| infoblox_bloxone_ddi.dns_config.inheritance.sources.update_acl.value.address | Optional. Data for ip element. | ip | -| infoblox_bloxone_ddi.dns_config.inheritance.sources.update_acl.value.element | Type of element. 
| keyword | -| infoblox_bloxone_ddi.dns_config.inheritance.sources.update_acl.value.tsig_key.algorithm | TSIG key algorithm. | keyword | -| infoblox_bloxone_ddi.dns_config.inheritance.sources.update_acl.value.tsig_key.comment | Comment for TSIG key. | keyword | -| infoblox_bloxone_ddi.dns_config.inheritance.sources.update_acl.value.tsig_key.key | The resource identifier. | keyword | -| infoblox_bloxone_ddi.dns_config.inheritance.sources.update_acl.value.tsig_key.name | TSIG key name, FQDN. | keyword | -| infoblox_bloxone_ddi.dns_config.inheritance.sources.update_acl.value.tsig_key.protocol.name | TSIG key name in punycode. | keyword | -| infoblox_bloxone_ddi.dns_config.inheritance.sources.update_acl.value.tsig_key.secret | TSIG key secret, base64 string. | keyword | -| infoblox_bloxone_ddi.dns_config.inheritance.sources.use_forwarders_for_subzones.action | The inheritance setting for a field. | keyword | -| infoblox_bloxone_ddi.dns_config.inheritance.sources.use_forwarders_for_subzones.display.name | The human-readable display name for the object referred to by source. | keyword | -| infoblox_bloxone_ddi.dns_config.inheritance.sources.use_forwarders_for_subzones.source | The resource identifier. | keyword | -| infoblox_bloxone_ddi.dns_config.inheritance.sources.use_forwarders_for_subzones.value | The inherited value. | boolean | -| infoblox_bloxone_ddi.dns_config.inheritance.sources.zone_authority.default_ttl.action | The inheritance setting for a field. | keyword | -| infoblox_bloxone_ddi.dns_config.inheritance.sources.zone_authority.default_ttl.display.name | The human-readable display name for the object referred to by source. | keyword | -| infoblox_bloxone_ddi.dns_config.inheritance.sources.zone_authority.default_ttl.source | The resource identifier. | keyword | -| infoblox_bloxone_ddi.dns_config.inheritance.sources.zone_authority.default_ttl.value | The inherited value. 
| long | -| infoblox_bloxone_ddi.dns_config.inheritance.sources.zone_authority.expire.action | The inheritance setting for a field. | keyword | -| infoblox_bloxone_ddi.dns_config.inheritance.sources.zone_authority.expire.display.name | The human-readable display name for the object referred to by source. | keyword | -| infoblox_bloxone_ddi.dns_config.inheritance.sources.zone_authority.expire.source | The resource identifier. | keyword | -| infoblox_bloxone_ddi.dns_config.inheritance.sources.zone_authority.expire.value | The inherited value. | long | -| infoblox_bloxone_ddi.dns_config.inheritance.sources.zone_authority.mname_block.action | Defaults to inherit. | keyword | -| infoblox_bloxone_ddi.dns_config.inheritance.sources.zone_authority.mname_block.display.name | Human-readable display name for the object referred to by source. | keyword | -| infoblox_bloxone_ddi.dns_config.inheritance.sources.zone_authority.mname_block.source | The resource identifier. | keyword | -| infoblox_bloxone_ddi.dns_config.inheritance.sources.zone_authority.mname_block.value.isdefault | Optional. Use default value for master name server. Defaults to true. | boolean | -| infoblox_bloxone_ddi.dns_config.inheritance.sources.zone_authority.mname_block.value.protocol.mname | Optional. Master name server in punycode. Defaults to empty. | keyword | -| infoblox_bloxone_ddi.dns_config.inheritance.sources.zone_authority.mname_block_value | Defaults to empty. | keyword | -| infoblox_bloxone_ddi.dns_config.inheritance.sources.zone_authority.negative_ttl.action | The inheritance setting for a field. | keyword | -| infoblox_bloxone_ddi.dns_config.inheritance.sources.zone_authority.negative_ttl.display.name | The human-readable display name for the object referred to by source. | keyword | -| infoblox_bloxone_ddi.dns_config.inheritance.sources.zone_authority.negative_ttl.source | The resource identifier. 
| keyword | -| infoblox_bloxone_ddi.dns_config.inheritance.sources.zone_authority.negative_ttl.value | The inherited value. | long | -| infoblox_bloxone_ddi.dns_config.inheritance.sources.zone_authority.protocol_rname.action | The inheritance setting for a field. | keyword | -| infoblox_bloxone_ddi.dns_config.inheritance.sources.zone_authority.protocol_rname.display.name | The human-readable display name for the object referred to by source. | keyword | -| infoblox_bloxone_ddi.dns_config.inheritance.sources.zone_authority.protocol_rname.source | The resource identifier. | keyword | -| infoblox_bloxone_ddi.dns_config.inheritance.sources.zone_authority.protocol_rname.value | The inherited value. | keyword | -| infoblox_bloxone_ddi.dns_config.inheritance.sources.zone_authority.refresh.action | The inheritance setting for a field. | keyword | -| infoblox_bloxone_ddi.dns_config.inheritance.sources.zone_authority.refresh.display.name | The human-readable display name for the object referred to by source. | keyword | -| infoblox_bloxone_ddi.dns_config.inheritance.sources.zone_authority.refresh.source | The resource identifier. | keyword | -| infoblox_bloxone_ddi.dns_config.inheritance.sources.zone_authority.refresh.value | The inherited value. | long | -| infoblox_bloxone_ddi.dns_config.inheritance.sources.zone_authority.retry.action | The inheritance setting for a field. | keyword | -| infoblox_bloxone_ddi.dns_config.inheritance.sources.zone_authority.retry.display.name | The human-readable display name for the object referred to by source. | keyword | -| infoblox_bloxone_ddi.dns_config.inheritance.sources.zone_authority.retry.source | The resource identifier. | keyword | -| infoblox_bloxone_ddi.dns_config.inheritance.sources.zone_authority.retry.value | The inherited value. | long | -| infoblox_bloxone_ddi.dns_config.inheritance.sources.zone_authority.rname.action | The inheritance setting for a field. 
| keyword | -| infoblox_bloxone_ddi.dns_config.inheritance.sources.zone_authority.rname.display.name | The human-readable display name for the object referred to by source. | keyword | -| infoblox_bloxone_ddi.dns_config.inheritance.sources.zone_authority.rname.source | The resource identifier. | keyword | -| infoblox_bloxone_ddi.dns_config.inheritance.sources.zone_authority.rname.value | The inherited value. | keyword | -| infoblox_bloxone_ddi.dns_config.ip_spaces | The resource identifier. | keyword | -| infoblox_bloxone_ddi.dns_config.lame_ttl | Optional. Unused in the current on-prem DNS server implementation. | long | -| infoblox_bloxone_ddi.dns_config.match_clients_acl.access | Access permission for element. | keyword | -| infoblox_bloxone_ddi.dns_config.match_clients_acl.address | Optional. Data for ip element. | ip | -| infoblox_bloxone_ddi.dns_config.match_clients_acl.element | Type of element. | keyword | -| infoblox_bloxone_ddi.dns_config.match_clients_acl.tsig_key.algorithm | TSIG key algorithm. | keyword | -| infoblox_bloxone_ddi.dns_config.match_clients_acl.tsig_key.comment | Comment for TSIG key. | keyword | -| infoblox_bloxone_ddi.dns_config.match_clients_acl.tsig_key.key | The resource identifier. | keyword | -| infoblox_bloxone_ddi.dns_config.match_clients_acl.tsig_key.name | TSIG key name, FQDN. | keyword | -| infoblox_bloxone_ddi.dns_config.match_clients_acl.tsig_key.protocol.name | TSIG key name in punycode. | keyword | -| infoblox_bloxone_ddi.dns_config.match_clients_acl.tsig_key.secret | TSIG key secret, base64 string. | keyword | -| infoblox_bloxone_ddi.dns_config.match_clients_acl.value | The resource identifier. | keyword | -| infoblox_bloxone_ddi.dns_config.match_destinations_acl.access | Access permission for element. | keyword | -| infoblox_bloxone_ddi.dns_config.match_destinations_acl.address | Optional. Data for ip element. | ip | -| infoblox_bloxone_ddi.dns_config.match_destinations_acl.element | Type of element. 
| keyword | -| infoblox_bloxone_ddi.dns_config.match_destinations_acl.tsig_key.algorithm | TSIG key algorithm. | keyword | -| infoblox_bloxone_ddi.dns_config.match_destinations_acl.tsig_key.comment | Comment for TSIG key. | keyword | -| infoblox_bloxone_ddi.dns_config.match_destinations_acl.tsig_key.key | The resource identifier. | keyword | -| infoblox_bloxone_ddi.dns_config.match_destinations_acl.tsig_key.name | TSIG key name, FQDN. | keyword | -| infoblox_bloxone_ddi.dns_config.match_destinations_acl.tsig_key.protocol.name | TSIG key name in punycode. | keyword | -| infoblox_bloxone_ddi.dns_config.match_destinations_acl.tsig_key.secret | TSIG key secret, base64 string. | keyword | -| infoblox_bloxone_ddi.dns_config.match_destinations_acl.value | The resource identifier. | keyword | -| infoblox_bloxone_ddi.dns_config.match_recursive_only | Optional. If true only recursive queries from matching clients access the view. | boolean | -| infoblox_bloxone_ddi.dns_config.max_cache_ttl | Optional. Seconds to cache positive responses. | long | -| infoblox_bloxone_ddi.dns_config.max_negative_ttl | Optional. Seconds to cache negative responses. | long | -| infoblox_bloxone_ddi.dns_config.max_udp_size | Optional. max_udp_size represents maximum UDP payload size. | long | -| infoblox_bloxone_ddi.dns_config.minimal_responses | Optional. When enabled, the DNS server will only add records to the authority and additional data sections when they are required. | boolean | -| infoblox_bloxone_ddi.dns_config.name | Name of view. | keyword | -| infoblox_bloxone_ddi.dns_config.notify | notify all external secondary DNS servers. | boolean | -| infoblox_bloxone_ddi.dns_config.query_acl.access | Access permission for element. | keyword | -| infoblox_bloxone_ddi.dns_config.query_acl.address | Optional. Data for ip element. | ip | -| infoblox_bloxone_ddi.dns_config.query_acl.element | Type of element. 
| keyword | -| infoblox_bloxone_ddi.dns_config.query_acl.tsig_key.algorithm | TSIG key algorithm. | keyword | -| infoblox_bloxone_ddi.dns_config.query_acl.tsig_key.comment | Comment for TSIG key. | keyword | -| infoblox_bloxone_ddi.dns_config.query_acl.tsig_key.key | The resource identifier. | keyword | -| infoblox_bloxone_ddi.dns_config.query_acl.tsig_key.name | TSIG key name, FQDN. | keyword | -| infoblox_bloxone_ddi.dns_config.query_acl.tsig_key.protocol.name | TSIG key name in punycode. | keyword | -| infoblox_bloxone_ddi.dns_config.query_acl.tsig_key.secret | TSIG key secret, base64 string. | keyword | -| infoblox_bloxone_ddi.dns_config.query_acl.value | The resource identifier. | keyword | -| infoblox_bloxone_ddi.dns_config.recursion_acl.access | Access permission for element. | keyword | -| infoblox_bloxone_ddi.dns_config.recursion_acl.address | Optional. Data for ip element. | ip | -| infoblox_bloxone_ddi.dns_config.recursion_acl.element | Type of element. | keyword | -| infoblox_bloxone_ddi.dns_config.recursion_acl.tsig_key.algorithm | TSIG key algorithm. | keyword | -| infoblox_bloxone_ddi.dns_config.recursion_acl.tsig_key.comment | Comment for TSIG key. | keyword | -| infoblox_bloxone_ddi.dns_config.recursion_acl.tsig_key.key | The resource identifier. | keyword | -| infoblox_bloxone_ddi.dns_config.recursion_acl.tsig_key.name | TSIG key name, FQDN. | keyword | -| infoblox_bloxone_ddi.dns_config.recursion_acl.tsig_key.protocol.name | TSIG key name in punycode. | keyword | -| infoblox_bloxone_ddi.dns_config.recursion_acl.tsig_key.secret | TSIG key secret, base64 string. | keyword | -| infoblox_bloxone_ddi.dns_config.recursion_acl.value | The resource identifier. | keyword | -| infoblox_bloxone_ddi.dns_config.recursion_enabled | Optional. true to allow recursive DNS queries. | boolean | -| infoblox_bloxone_ddi.dns_config.synthesize.address_records_from_https | synthesize_address_records_from_https enables/disables creation of A/AAAA records from HTTPS RR. 
| boolean | -| infoblox_bloxone_ddi.dns_config.tags | Tagging specifics. | flattened | -| infoblox_bloxone_ddi.dns_config.transfer_acl.access | Access permission for element. | keyword | -| infoblox_bloxone_ddi.dns_config.transfer_acl.address | Optional. Data for ip element. | ip | -| infoblox_bloxone_ddi.dns_config.transfer_acl.element | Type of element. | keyword | -| infoblox_bloxone_ddi.dns_config.transfer_acl.tsig_key.algorithm | TSIG key algorithm. | keyword | -| infoblox_bloxone_ddi.dns_config.transfer_acl.tsig_key.comment | Comment for TSIG key. | keyword | -| infoblox_bloxone_ddi.dns_config.transfer_acl.tsig_key.key | The resource identifier. | keyword | -| infoblox_bloxone_ddi.dns_config.transfer_acl.tsig_key.name | TSIG key name, FQDN. | keyword | -| infoblox_bloxone_ddi.dns_config.transfer_acl.tsig_key.protocol.name | TSIG key name in punycode. | keyword | -| infoblox_bloxone_ddi.dns_config.transfer_acl.tsig_key.secret | TSIG key secret, base64 string. | keyword | -| infoblox_bloxone_ddi.dns_config.transfer_acl.value | The resource identifier. | keyword | -| infoblox_bloxone_ddi.dns_config.update_acl.access | Access permission for element. | keyword | -| infoblox_bloxone_ddi.dns_config.update_acl.address | Optional. Data for ip element. | ip | -| infoblox_bloxone_ddi.dns_config.update_acl.element | Type of element. | keyword | -| infoblox_bloxone_ddi.dns_config.update_acl.tsig_key.algorithm | TSIG key algorithm. | keyword | -| infoblox_bloxone_ddi.dns_config.update_acl.tsig_key.comment | Comment for TSIG key. | keyword | -| infoblox_bloxone_ddi.dns_config.update_acl.tsig_key.key | The resource identifier. | keyword | -| infoblox_bloxone_ddi.dns_config.update_acl.tsig_key.name | TSIG key name, FQDN. | keyword | -| infoblox_bloxone_ddi.dns_config.update_acl.tsig_key.protocol.name | TSIG key name in punycode. | keyword | -| infoblox_bloxone_ddi.dns_config.update_acl.tsig_key.secret | TSIG key secret, base64 string. 
| keyword | -| infoblox_bloxone_ddi.dns_config.update_acl.value | The resource identifier. | keyword | -| infoblox_bloxone_ddi.dns_config.updated_at | The timestamp when the object has been updated. Equals to created_at if not updated after creation. | date | -| infoblox_bloxone_ddi.dns_config.use_forwarders_for_subzones | Optional. Use default forwarders to resolve queries for subzones. | boolean | -| infoblox_bloxone_ddi.dns_config.zone_authority.default_ttl | Optional. ZoneAuthority default ttl for resource records in zone (value in seconds). | long | -| infoblox_bloxone_ddi.dns_config.zone_authority.expire | Optional. ZoneAuthority expire time in seconds. Defaults to 2419200. | long | -| infoblox_bloxone_ddi.dns_config.zone_authority.mname | Optional. ZoneAuthority master name server (partially qualified domain name) Defaults to empty. | keyword | -| infoblox_bloxone_ddi.dns_config.zone_authority.negative_ttl | Optional. ZoneAuthority negative caching (minimum) ttl in seconds. | long | -| infoblox_bloxone_ddi.dns_config.zone_authority.protocol.mname | Optional. ZoneAuthority master name server in punycode. Defaults to empty. | keyword | -| infoblox_bloxone_ddi.dns_config.zone_authority.protocol.rname | Optional. A domain name which specifies the mailbox of the person responsible for this zone. Defaults to empty. | keyword | -| infoblox_bloxone_ddi.dns_config.zone_authority.refresh | Optional. ZoneAuthority refresh. Defaults to 10800. | long | -| infoblox_bloxone_ddi.dns_config.zone_authority.retry | Optional. ZoneAuthority retry. Defaults to 3600. | long | -| infoblox_bloxone_ddi.dns_config.zone_authority.rname | Optional. ZoneAuthority rname. Defaults to empty. | keyword | -| infoblox_bloxone_ddi.dns_config.zone_authority.use_default_mname | Optional. Use default value for master name server. Defaults to true. | boolean | -| input.type | Input type | keyword | -| log.offset | Log offset | long | -| related.hash | All the hashes seen on your event. 
Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| tags | List of keywords used to tag each event. | keyword | - - -### dns_data - -This is the `dns_data` dataset. - -#### Example - -An example event for `dns_data` looks as following: - -```json -{ - "@timestamp": "2022-07-20T09:59:59.184Z", - "agent": { - "ephemeral_id": "eb4c7711-a048-4458-a48c-5d2045f2d6b1", - "hostname": "docker-fleet-agent", - "id": "40a09f39-a5b9-4b21-8605-6f6e9cd36138", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "7.17.0" - }, - "data_stream": { - "dataset": "infoblox_bloxone_ddi.dns_data", - "namespace": "ep", - "type": "logs" - }, - "dns": { - "answers": { - "ttl": 0 - } - }, - "ecs": { - "version": "8.4.0" - }, - "elastic_agent": { - "id": "40a09f39-a5b9-4b21-8605-6f6e9cd36138", - "snapshot": false, - "version": "7.17.0" - }, - "event": { - "agent_id_status": "verified", - "category": [ - "network" - ], - "created": "2022-07-20T09:59:59.184Z", - "dataset": "infoblox_bloxone_ddi.dns_data", - "id": "ghr123ghf", - "ingested": "2022-09-22T08:29:03Z", - "kind": "event", - "original": "{\"absolute_name_spec\":\"DNS Data Absolute Name\",\"absolute_zone_name\":\"DNS Data Absolute Zone Name\",\"comment\":\"DNS Data Comment\",\"created_at\":\"2022-07-20T09:59:59.184Z\",\"delegation\":\"DNS Data Delegation\",\"disabled\":true,\"dns_absolute_name_spec\":\"DNS Absolute Name\",\"dns_absolute_zone_name\":\"DNS Absolute Zone Name\",\"dns_name_in_zone\":\"DNS Name in Zone\",\"dns_rdata\":\"DNS RData\",\"id\":\"ghr123ghf\",\"inheritance_sources\":{\"ttl\":{\"action\":\"DNS Data Action\",\"display_name\":\"DNS Display Name\",\"source\":\"DNS Data Source\",\"value\":10}},\"name_in_zone\":\"DNS Data Name in 
zone\",\"options\":{\"address\":\"67.43.156.0\",\"check_rmz\":true,\"create_ptr\":false},\"rdata\":{\"address\":\"81.2.69.192\",\"cname\":\"DNS Data Canonical Name\",\"dhcid\":\"122zbczba12\",\"dname\":\"DNS Data dname\",\"exchange\":\"DNS Data Exchange\",\"expire\":23131,\"flags\":\"DNS Data Flags\",\"length_kind\":8,\"mname\":\"DNS Data mname\",\"negative_ttl\":213342,\"order\":123124,\"port\":80,\"preference\":12345363467,\"priority\":44,\"refresh\":10800,\"regexp\":\"none\",\"replacement\":\"DNS Data Replacement\",\"retry\":3600,\"rname\":\"DNS Data rname\",\"serial\":12314114,\"services\":\"DNS Data Test Services\",\"tag\":\"issue\",\"target\":\"DNS Data Target\",\"text\":\"DNS Data text field\",\"type\":\"32BIT\",\"value\":\"DNS Data Value\",\"weight\":0},\"source\":[\"STATIC\"],\"tags\":{\"message\":\"Hello\"},\"ttl\":0,\"type\":\"DNS Data Type\",\"updated_at\":\"2022-07-20T09:59:59.184Z\",\"view\":\"DNS Data View\",\"view_name\":\"DNS Data View Name\",\"zone\":\"DNS Data Zone\"}", - "type": [ - "protocol" - ] - }, - "infoblox_bloxone_ddi": { - "dns_data": { - "absolute": { - "name": { - "spec": "DNS Absolute Name" - }, - "zone": { - "name": "DNS Absolute Zone Name" - } - }, - "absolute_name": { - "spec": "DNS Data Absolute Name" - }, - "absolute_zone": { - "name": "DNS Data Absolute Zone Name" - }, - "comment": "DNS Data Comment", - "created_at": "2022-07-20T09:59:59.184Z", - "delegation": "DNS Data Delegation", - "disabled": true, - "id": "ghr123ghf", - "inheritance": { - "sources": { - "ttl": { - "action": "DNS Data Action", - "display": { - "name": "DNS Display Name" - }, - "source": "DNS Data Source", - "value": 10 - } - } - }, - "name_in": { - "zone": "DNS Name in Zone" - }, - "name_in_zone": "DNS Data Name in zone", - "options": { - "address": "67.43.156.0", - "check_rmz": true, - "create_ptr": false - }, - "rdata": { - "address": "81.2.69.192", - "cname": "DNS Data Canonical Name", - "dhcid": "122zbczba12", - "dname": "DNS Data dname", - "exchange": 
"DNS Data Exchange", - "expire": 23131, - "flags": "DNS Data Flags", - "length_kind": 8, - "mname": "DNS Data mname", - "negative_ttl": 213342, - "order": 123124, - "port": 80, - "preference": 12345363467, - "priority": 44, - "refresh": 10800, - "regexp": "none", - "replacement": "DNS Data Replacement", - "retry": 3600, - "rname": "DNS Data rname", - "serial": 12314114, - "services": "DNS Data Test Services", - "tag": "issue", - "target": "DNS Data Target", - "text": "DNS Data text field", - "type": "32BIT", - "value": "DNS Data Value", - "weight": 0 - }, - "rdata_value": "DNS RData", - "source": [ - "STATIC" - ], - "tags": { - "message": "Hello" - }, - "ttl": 0, - "type": "DNS Data Type", - "updated_at": "2022-07-20T09:59:59.184Z", - "view": "DNS Data View", - "view_name": "DNS Data View Name", - "zone": "DNS Data Zone" - } - }, - "input": { - "type": "httpjson" - }, - "related": { - "ip": [ - "67.43.156.0", - "81.2.69.192" - ] - }, - "tags": [ - "preserve_original_event", - "preserve_duplicate_custom_fields", - "forwarded", - "bloxone_ddi_dns_data" - ] -} -``` - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. 
| keyword |
-| cloud.region | Region in which this host is running. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
-| data_stream.dataset | Data stream dataset. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| dns.answers.ttl | The time interval in seconds that this resource record may be cached before it should be discarded. Zero values mean that the data should not be cached. | long |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword |
-| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it.
This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date |
-| event.dataset | Event dataset. | constant_keyword |
-| event.id | Unique ID to describe the event. | keyword |
-| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword |
-| event.module | Event module. | constant_keyword |
-| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword |
-| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container.
| boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| infoblox_bloxone_ddi.dns_data.absolute.name.spec | The DNS protocol textual representation of absolute_name_spec. | keyword |
-| infoblox_bloxone_ddi.dns_data.absolute.zone.name | The DNS protocol textual representation of the absolute domain name of the zone where this record belongs.
| keyword |
-| infoblox_bloxone_ddi.dns_data.absolute_name.spec | Synthetic field, used to determine zone and/or name_in_zone field for records. | keyword |
-| infoblox_bloxone_ddi.dns_data.absolute_zone.name | The absolute domain name of the zone where this record belongs. | keyword |
-| infoblox_bloxone_ddi.dns_data.comment | The description for the DNS resource record. May contain 0 to 1024 characters. Can include UTF-8. | keyword |
-| infoblox_bloxone_ddi.dns_data.created_at | The timestamp when the object has been created. | date |
-| infoblox_bloxone_ddi.dns_data.delegation | The resource identifier. | keyword |
-| infoblox_bloxone_ddi.dns_data.disabled | Indicates if the DNS resource record is disabled. A disabled object is effectively non-existent when generating configuration. | boolean |
-| infoblox_bloxone_ddi.dns_data.id | The resource identifier. | keyword |
-| infoblox_bloxone_ddi.dns_data.inheritance.sources.ttl.action | The inheritance setting for a field. | keyword |
-| infoblox_bloxone_ddi.dns_data.inheritance.sources.ttl.display.name | The human-readable display name for the object referred to by source. | keyword |
-| infoblox_bloxone_ddi.dns_data.inheritance.sources.ttl.source | The resource identifier. | keyword |
-| infoblox_bloxone_ddi.dns_data.inheritance.sources.ttl.value | The inherited value. | long |
-| infoblox_bloxone_ddi.dns_data.name_in.zone | The DNS protocol textual representation of the relative owner name for the DNS zone. | keyword |
-| infoblox_bloxone_ddi.dns_data.name_in_zone | The relative owner name to the zone origin. Must be specified for creating the DNS resource record and is read only for other operations. | keyword |
-| infoblox_bloxone_ddi.dns_data.options.address | For GET operation it contains the IPv4 or IPv6 address represented by the PTR record and for POST and PATCH operations it can be used to create/update a PTR record based on the IP address it represents.
In this case, in addition to the address in the options field, need to specify the view field. | ip |
-| infoblox_bloxone_ddi.dns_data.options.check_rmz | A boolean flag which can be set to true for POST operation to check the existence of reverse zone for creating the corresponding PTR record. Only applicable if the create_ptr option is set to true. | boolean |
-| infoblox_bloxone_ddi.dns_data.options.create_ptr | A boolean flag which can be set to true for POST operation to automatically create the corresponding PTR record. | boolean |
-| infoblox_bloxone_ddi.dns_data.provider_metadata | external DNS provider metadata. | flattened |
-| infoblox_bloxone_ddi.dns_data.rdata.address | The IPv4/IPv6 address of the host. | ip |
-| infoblox_bloxone_ddi.dns_data.rdata.cname | A domain name which specifies the canonical or primary name for the owner. The owner name is an alias. Can be empty. | keyword |
-| infoblox_bloxone_ddi.dns_data.rdata.dhcid | The Base64 encoded string which contains DHCP client information. | keyword |
-| infoblox_bloxone_ddi.dns_data.rdata.dname | A domain-name which specifies a host which should be authoritative for the specified class and domain. Can be absolute or relative domain name and include UTF-8. | keyword |
-| infoblox_bloxone_ddi.dns_data.rdata.exchange | A domain name which specifies a host willing to act as a mail exchange for the owner name. | keyword |
-| infoblox_bloxone_ddi.dns_data.rdata.expire | The time interval in seconds after which zone data will expire and secondary server stops answering requests for the zone. | long |
-| infoblox_bloxone_ddi.dns_data.rdata.flags | An unsigned 8-bit integer which specifies the CAA record flags. RFC 6844 defines one (highest) bit in flag octet, remaining bits are deferred for future use. This bit is referenced as Critical. When the bit is set (flag value == 128), issuers must not issue certificates in case CAA records contain unknown property tags.
| keyword |
-| infoblox_bloxone_ddi.dns_data.rdata.length_kind | A string indicating the size in bits of a sub-subfield that is prepended to the value and encodes the length of the value. | long |
-| infoblox_bloxone_ddi.dns_data.rdata.mname | The domain name for the master server for the zone. Can be absolute or relative domain name. | keyword |
-| infoblox_bloxone_ddi.dns_data.rdata.negative_ttl | The time interval in seconds for which name servers can cache negative responses for zone. | long |
-| infoblox_bloxone_ddi.dns_data.rdata.order | A 16-bit unsigned integer specifying the order in which the NAPTR records must be processed. Low numbers are processed before high numbers, and once a NAPTR is found whose rule “matches” the target, the client must not consider any NAPTRs with a higher value for order (except as noted below for the “flags” field. The range of the value is 0 to 65535. | long |
-| infoblox_bloxone_ddi.dns_data.rdata.port | An unsigned 16-bit integer which specifies the port on this target host of this service. The range of the value is 0 to 65535. This is often as specified in Assigned Numbers but need not be. | long |
-| infoblox_bloxone_ddi.dns_data.rdata.preference | An unsigned 16-bit integer which specifies the preference given to this RR among others at the same owner. Lower values are preferred. The range of the value is 0 to 65535. | long |
-| infoblox_bloxone_ddi.dns_data.rdata.priority | An unsigned 16-bit integer which specifies the priority of this target host. The range of the value is 0 to 65535. A client must attempt to contact the target host with the lowest-numbered priority it can reach. Target hosts with the same priority should be tried in an order defined by the weight field.
| long |
-| infoblox_bloxone_ddi.dns_data.rdata.refresh | The time interval in seconds that specifies how often secondary servers need to send a message to the primary server for a zone to check that their data is current, and retrieve fresh data if it is not. | long |
-| infoblox_bloxone_ddi.dns_data.rdata.regexp | A string containing a substitution expression that is applied to the original string held by the client in order to construct the next domain name to lookup. | keyword |
-| infoblox_bloxone_ddi.dns_data.rdata.replacement | The next name to query for NAPTR, SRV, or address records depending on the value of the flags field. This can be an absolute or relative domain name. Can be empty. | keyword |
-| infoblox_bloxone_ddi.dns_data.rdata.retry | The time interval in seconds for which the secondary server will wait before attempting to recontact the primary server after a connection failure occurs. | long |
-| infoblox_bloxone_ddi.dns_data.rdata.rname | The domain name which specifies the mailbox of the person responsible for this zone. | keyword |
-| infoblox_bloxone_ddi.dns_data.rdata.serial | An unsigned 32-bit integer that specifies the serial number of the zone. Used to indicate that zone data was updated, so the secondary name server can initiate zone transfer. The range of the value is 0 to 4294967295. | long |
-| infoblox_bloxone_ddi.dns_data.rdata.services | Specifies the service(s) available down this rewrite path. It may also specify the particular protocol that is used to talk with a service. A protocol must be specified if the flags field states that the NAPTR is terminal. If a protocol is specified, but the flags field does not state that the NAPTR is terminal, the next lookup must be for a NAPTR. The client may choose not to perform the next lookup if the protocol is unknown, but that behavior must not be relied upon.
| keyword |
-| infoblox_bloxone_ddi.dns_data.rdata.tag | The CAA record property tag string which indicates the type of CAA record. | keyword |
-| infoblox_bloxone_ddi.dns_data.rdata.target | The target domain name to which the zone will be mapped. Can be empty. | keyword |
-| infoblox_bloxone_ddi.dns_data.rdata.text | The semantics of the text depends on the domain where it is found. | keyword |
-| infoblox_bloxone_ddi.dns_data.rdata.type | Type of TXT (Text) record. | keyword |
-| infoblox_bloxone_ddi.dns_data.rdata.value | A string which contains the CAA record property value. | keyword |
-| infoblox_bloxone_ddi.dns_data.rdata.weight | An unsigned 16-bit integer which specifies a relative weight for entries with the same priority. The range of the value is 0 to 65535. Larger weights should be given a proportionately higher probability of being selected. Domain administrators should use weight 0 when there isn’t any server selection to do, to make the RR easier to read for humans (less noisy). In the presence of records containing weights greater than 0, records with weight 0 should have a very small chance of being selected. | long |
-| infoblox_bloxone_ddi.dns_data.rdata_value | The DNS protocol textual representation of the DNS resource record data. | keyword |
-| infoblox_bloxone_ddi.dns_data.source | The DNS resource record type-specific non-protocol source. The source is a combination of indicators, each tracking how the DNS resource record appeared in system. | keyword |
-| infoblox_bloxone_ddi.dns_data.tags | The tags for the DNS resource record in JSON format. | flattened |
-| infoblox_bloxone_ddi.dns_data.ttl | The record time to live value in seconds. The range of this value is 0 to 2147483647. Defaults to TTL value from the SOA record of the zone. | long |
-| infoblox_bloxone_ddi.dns_data.type | The DNS resource record type specified in the textual mnemonic format or in the “TYPEnnn” format where “nnn” indicates the numeric type value.
| keyword | -| infoblox_bloxone_ddi.dns_data.updated_at | The timestamp when the object has been updated. Equals to created_at if not updated after creation. | date | -| infoblox_bloxone_ddi.dns_data.view | The resource identifier. | keyword | -| infoblox_bloxone_ddi.dns_data.view_name | The display name of the DNS view that contains the parent zone of the DNS resource record. | keyword | -| infoblox_bloxone_ddi.dns_data.zone | The resource identifier. | keyword | -| input.type | Input type | keyword | -| log.offset | Log offset | long | -| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| tags | List of keywords used to tag each event. | keyword | - diff --git a/packages/infoblox_bloxone_ddi/0.1.0/img/infoblox-bloxone-ddi-logo.svg b/packages/infoblox_bloxone_ddi/0.1.0/img/infoblox-bloxone-ddi-logo.svg deleted file mode 100755 index 57b4d23b16..0000000000 --- a/packages/infoblox_bloxone_ddi/0.1.0/img/infoblox-bloxone-ddi-logo.svg +++ /dev/null @@ -1,93 +0,0 @@ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - diff --git a/packages/infoblox_bloxone_ddi/0.1.0/img/infoblox-bloxone-ddi-screenshot.png b/packages/infoblox_bloxone_ddi/0.1.0/img/infoblox-bloxone-ddi-screenshot.png deleted file mode 100755 index 4a1e34f087..0000000000 Binary files a/packages/infoblox_bloxone_ddi/0.1.0/img/infoblox-bloxone-ddi-screenshot.png and /dev/null differ diff --git a/packages/infoblox_bloxone_ddi/0.1.0/kibana/dashboard/infoblox_bloxone_ddi-85daef90-0ce7-11ed-8a96-d11b53f3d359.json b/packages/infoblox_bloxone_ddi/0.1.0/kibana/dashboard/infoblox_bloxone_ddi-85daef90-0ce7-11ed-8a96-d11b53f3d359.json deleted file mode 100755 index b153b8b77e..0000000000 
--- a/packages/infoblox_bloxone_ddi/0.1.0/kibana/dashboard/infoblox_bloxone_ddi-85daef90-0ce7-11ed-8a96-d11b53f3d359.json
+++ /dev/null
@@ -1,72 +0,0 @@ -{ - "attributes": { - "description": "Overview of Infoblox BloxOne DDI DHCP Lease.", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"infoblox_bloxone_ddi.dhcp_lease\\\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-0f39755d-9919-4b22-baf7-aaef264be212\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"0f39755d-9919-4b22-baf7-aaef264be212\":{\"columnOrder\":[\"bd2479de-d037-4d8c-9ef2-4721ffd44bec\",\"cf1300db-9b2d-425b-8402-adabebe05f79\"],\"columns\":{\"bd2479de-d037-4d8c-9ef2-4721ffd44bec\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Protocol\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"cf1300db-9b2d-425b-8402-adabebe05f79\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"network.type\"},\"cf1300db-9b2d-425b-8402-adabebe05f79\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : 
\\\"infoblox_bloxone_ddi.dhcp_lease\\\"\"},\"visualization\":{\"layers\":[{\"accessors\":[\"cf1300db-9b2d-425b-8402-adabebe05f79\"],\"layerId\":\"0f39755d-9919-4b22-baf7-aaef264be212\",\"layerType\":\"data\",\"position\":\"top\",\"seriesType\":\"bar_stacked\",\"showGridlines\":false,\"xAccessor\":\"bd2479de-d037-4d8c-9ef2-4721ffd44bec\"}],\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"preferredSeriesType\":\"bar_stacked\",\"title\":\"Empty XY chart\",\"valueLabels\":\"hide\",\"yLeftExtent\":{\"mode\":\"full\"},\"yRightExtent\":{\"mode\":\"full\"}}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsXY\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"787837bf-ae0a-4079-a028-2e31a1e3774e\",\"w\":24,\"x\":0,\"y\":0},\"panelIndex\":\"787837bf-ae0a-4079-a028-2e31a1e3774e\",\"title\":\"Distribution of Events by Protocol [Logs Infoblox BloxOne DDI]\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-6c6f049f-acb4-4fcb-a794-5bc75829aa4c\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"6c6f049f-acb4-4fcb-a794-5bc75829aa4c\":{\"columnOrder\":[\"5575e5c2-6223-4317-9a33-5370ed22f610\",\"139ac0cd-8d04-4adb-946d-f59d28818ad8\"],\"columns\":{\"139ac0cd-8d04-4adb-946d-f59d28818ad8\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"5575e5c2-6223-4317-9a33-5370ed22f610\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Host 
Name\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"139ac0cd-8d04-4adb-946d-f59d28818ad8\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"host.hostname\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"infoblox_bloxone_ddi.dhcp_lease\\\"\"},\"visualization\":{\"columns\":[{\"columnId\":\"5575e5c2-6223-4317-9a33-5370ed22f610\",\"isTransposed\":false},{\"columnId\":\"139ac0cd-8d04-4adb-946d-f59d28818ad8\",\"isTransposed\":false}],\"layerId\":\"6c6f049f-acb4-4fcb-a794-5bc75829aa4c\",\"layerType\":\"data\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsDatatable\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"96e5e038-7865-4a0a-bdd3-8b915c7be91b\",\"w\":24,\"x\":24,\"y\":0},\"panelIndex\":\"96e5e038-7865-4a0a-bdd3-8b915c7be91b\",\"title\":\"Top 10 Host Name [Logs Infoblox BloxOne 
DDI]\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-19f9c3d5-3fd4-4142-92e2-1b3c57af397a\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"19f9c3d5-3fd4-4142-92e2-1b3c57af397a\":{\"columnOrder\":[\"f1f10540-9928-411e-afd6-9deed825c323\",\"17c881a1-b60e-430e-9836-de551602c8c3\"],\"columns\":{\"17c881a1-b60e-430e-9836-de551602c8c3\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"f1f10540-9928-411e-afd6-9deed825c323\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Type\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"17c881a1-b60e-430e-9836-de551602c8c3\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"infoblox_bloxone_ddi.dhcp_lease.type\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"infoblox_bloxone_ddi.dhcp_lease\\\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"f1f10540-9928-411e-afd6-9deed825c323\"],\"layerId\":\"19f9c3d5-3fd4-4142-92e2-1b3c57af397a\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"17c881a1-b60e-430e-9836-de551602c8c3\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"pie\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"9baea1e0-7803-4bbe-b4e2-ed03e1589afa\",\"w\":24,\"x\":0,\"y\":15},\"panelIndex\":\"9baea1e0-7803-4bbe-b4e2-ed03e1589afa\",\"title\":\"Distribution of Events by Type 
[Logs Infoblox BloxOne DDI]\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-e0e5694c-e3bb-4186-9f26-7e734c94ad83\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"e0e5694c-e3bb-4186-9f26-7e734c94ad83\":{\"columnOrder\":[\"bfb244af-5bbc-4f29-a50b-6d4bbabc1fcb\",\"a7b437d6-9d78-4392-980b-a8548cb5ac20\"],\"columns\":{\"a7b437d6-9d78-4392-980b-a8548cb5ac20\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"bfb244af-5bbc-4f29-a50b-6d4bbabc1fcb\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Host\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"a7b437d6-9d78-4392-980b-a8548cb5ac20\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"host.name\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"infoblox_bloxone_ddi.dhcp_lease\\\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"bfb244af-5bbc-4f29-a50b-6d4bbabc1fcb\"],\"layerId\":\"e0e5694c-e3bb-4186-9f26-7e734c94ad83\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"a7b437d6-9d78-4392-980b-a8548cb5ac20\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"pie\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"d9edc7fd-4587-4423-9f62-bb383b52ef28\",\"w\":24,\"x\":24,\"y\":15},\"panelIndex\":\"d9edc7fd-4587-4423-9f62-bb383b52ef28\",\"title\":\"Distribution of Events by Host [Logs 
Infoblox BloxOne DDI]\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-4f508d4b-b035-447c-98ea-d2072e82dd85\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"4f508d4b-b035-447c-98ea-d2072e82dd85\":{\"columnOrder\":[\"69cf7012-abd8-47f8-852b-21721be5b14e\",\"6e50bc10-f378-4b90-a523-b34082257272\"],\"columns\":{\"69cf7012-abd8-47f8-852b-21721be5b14e\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"State\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"6e50bc10-f378-4b90-a523-b34082257272\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"infoblox_bloxone_ddi.dhcp_lease.state\"},\"6e50bc10-f378-4b90-a523-b34082257272\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"infoblox_bloxone_ddi.dhcp_lease\\\"\"},\"visualization\":{\"layers\":[{\"accessors\":[\"6e50bc10-f378-4b90-a523-b34082257272\"],\"layerId\":\"4f508d4b-b035-447c-98ea-d2072e82dd85\",\"layerType\":\"data\",\"position\":\"top\",\"seriesType\":\"bar_stacked\",\"showGridlines\":false,\"xAccessor\":\"69cf7012-abd8-47f8-852b-21721be5b14e\"}],\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"preferredSeriesType\":\"bar_stacked\",\"title\":\"Empty XY 
chart\",\"valueLabels\":\"hide\",\"yLeftExtent\":{\"mode\":\"full\"},\"yRightExtent\":{\"mode\":\"full\"}}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsXY\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":16,\"i\":\"68968f24-d04d-4f57-a575-4a82672e67eb\",\"w\":48,\"x\":0,\"y\":30},\"panelIndex\":\"68968f24-d04d-4f57-a575-4a82672e67eb\",\"title\":\"Distribution of Events by State [Logs Infoblox BloxOne DDI]\",\"type\":\"lens\",\"version\":\"7.17.0\"}]", - "timeRestore": false, - "title": "[Logs Infoblox BloxOne DDI] DHCP Lease", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "infoblox_bloxone_ddi-85daef90-0ce7-11ed-8a96-d11b53f3d359", - "migrationVersion": { - "dashboard": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "787837bf-ae0a-4079-a028-2e31a1e3774e:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "787837bf-ae0a-4079-a028-2e31a1e3774e:indexpattern-datasource-layer-0f39755d-9919-4b22-baf7-aaef264be212", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "96e5e038-7865-4a0a-bdd3-8b915c7be91b:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "96e5e038-7865-4a0a-bdd3-8b915c7be91b:indexpattern-datasource-layer-6c6f049f-acb4-4fcb-a794-5bc75829aa4c", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "9baea1e0-7803-4bbe-b4e2-ed03e1589afa:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "9baea1e0-7803-4bbe-b4e2-ed03e1589afa:indexpattern-datasource-layer-19f9c3d5-3fd4-4142-92e2-1b3c57af397a", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "d9edc7fd-4587-4423-9f62-bb383b52ef28:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": 
"d9edc7fd-4587-4423-9f62-bb383b52ef28:indexpattern-datasource-layer-e0e5694c-e3bb-4186-9f26-7e734c94ad83", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "68968f24-d04d-4f57-a575-4a82672e67eb:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "68968f24-d04d-4f57-a575-4a82672e67eb:indexpattern-datasource-layer-4f508d4b-b035-447c-98ea-d2072e82dd85", - "type": "index-pattern" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/infoblox_bloxone_ddi/0.1.0/kibana/dashboard/infoblox_bloxone_ddi-b8497140-0cdd-11ed-8a96-d11b53f3d359.json b/packages/infoblox_bloxone_ddi/0.1.0/kibana/dashboard/infoblox_bloxone_ddi-b8497140-0cdd-11ed-8a96-d11b53f3d359.json deleted file mode 100755 index ec3a938133..0000000000 --- a/packages/infoblox_bloxone_ddi/0.1.0/kibana/dashboard/infoblox_bloxone_ddi-b8497140-0cdd-11ed-8a96-d11b53f3d359.json +++ /dev/null 
@@ -1,112 +0,0 @@ -{ - "attributes": { - "description": "Overview of Infoblox BloxOne DDI DNS Data.", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"infoblox_bloxone_ddi.dns_data\\\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-492dce9b-ecc9-466a-ad17-c801a56b2578\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"492dce9b-ecc9-466a-ad17-c801a56b2578\":{\"columnOrder\":[\"f5b2adb7-c7f0-47d1-afef-cffbe74cbed3\",\"44d341d2-7182-4c93-9788-8975ce86921c\"],\"columns\":{\"44d341d2-7182-4c93-9788-8975ce86921c\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"f5b2adb7-c7f0-47d1-afef-cffbe74cbed3\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"TTL Action\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"44d341d2-7182-4c93-9788-8975ce86921c\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"infoblox_bloxone_ddi.dns_data.inheritance.sources.ttl.action\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : 
\\\"infoblox_bloxone_ddi.dns_data\\\"\"},\"visualization\":{\"layers\":[{\"accessors\":[\"44d341d2-7182-4c93-9788-8975ce86921c\"],\"layerId\":\"492dce9b-ecc9-466a-ad17-c801a56b2578\",\"layerType\":\"data\",\"position\":\"top\",\"seriesType\":\"bar_stacked\",\"showGridlines\":false,\"xAccessor\":\"f5b2adb7-c7f0-47d1-afef-cffbe74cbed3\"}],\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"preferredSeriesType\":\"bar_stacked\",\"title\":\"Empty XY chart\",\"valueLabels\":\"hide\",\"yLeftExtent\":{\"mode\":\"full\"},\"yRightExtent\":{\"mode\":\"full\"}}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsXY\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"d0d0f6b9-d632-47de-bcc6-54bce4e679f2\",\"w\":24,\"x\":0,\"y\":0},\"panelIndex\":\"d0d0f6b9-d632-47de-bcc6-54bce4e679f2\",\"title\":\"Distribution of Events by TTL Action [Logs Infoblox BloxOne DDI]\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-4948d9b6-bab5-48f2-a031-46e87a884637\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"4948d9b6-bab5-48f2-a031-46e87a884637\":{\"columnOrder\":[\"eb2e31f6-4e2c-4eaf-8120-fa19e2db7008\",\"95ff9931-dc16-4e1d-87b5-44a5afdb1b4f\"],\"columns\":{\"95ff9931-dc16-4e1d-87b5-44a5afdb1b4f\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"eb2e31f6-4e2c-4eaf-8120-fa19e2db7008\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"TTL Source 
Name\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"95ff9931-dc16-4e1d-87b5-44a5afdb1b4f\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"infoblox_bloxone_ddi.dns_data.inheritance.sources.ttl.source\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"infoblox_bloxone_ddi.dns_data\\\"\"},\"visualization\":{\"columns\":[{\"columnId\":\"eb2e31f6-4e2c-4eaf-8120-fa19e2db7008\",\"isTransposed\":false},{\"columnId\":\"95ff9931-dc16-4e1d-87b5-44a5afdb1b4f\",\"isTransposed\":false}],\"layerId\":\"4948d9b6-bab5-48f2-a031-46e87a884637\",\"layerType\":\"data\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsDatatable\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"7eb4f1b6-29ea-45f9-bab5-a0343594726b\",\"w\":24,\"x\":24,\"y\":0},\"panelIndex\":\"7eb4f1b6-29ea-45f9-bab5-a0343594726b\",\"title\":\"Top 10 TTL Source Name [Logs Infoblox BloxOne DDI]\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-c0b7ca44-dfc2-4e69-9fdf-a67439d1b290\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"c0b7ca44-dfc2-4e69-9fdf-a67439d1b290\":{\"columnOrder\":[\"af4e6514-1ab8-4963-994e-f25bee46936b\",\"83233299-085a-4f13-8916-0f254e2fbb7a\"],\"columns\":{\"83233299-085a-4f13-8916-0f254e2fbb7a\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"af4e6514-1ab8-4963-994e-f25bee46936b\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"DNS Absolute Zone 
Name\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"83233299-085a-4f13-8916-0f254e2fbb7a\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"infoblox_bloxone_ddi.dns_data.absolute.zone.name\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"infoblox_bloxone_ddi.dns_data\\\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"af4e6514-1ab8-4963-994e-f25bee46936b\"],\"layerId\":\"c0b7ca44-dfc2-4e69-9fdf-a67439d1b290\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"83233299-085a-4f13-8916-0f254e2fbb7a\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"pie\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"a8079745-b78b-4daa-bb29-638e498e4c96\",\"w\":17,\"x\":0,\"y\":15},\"panelIndex\":\"a8079745-b78b-4daa-bb29-638e498e4c96\",\"title\":\"Distribution of Events by DNS Absolute Zone Name [Logs Infoblox BloxOne 
DDI]\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-040c65c3-7b12-43b0-bfa5-e2c535634de6\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"040c65c3-7b12-43b0-bfa5-e2c535634de6\":{\"columnOrder\":[\"232a8505-70be-447c-9286-218aeaabddc7\",\"ec8a44d6-1b97-4077-9e93-986973e7acff\"],\"columns\":{\"232a8505-70be-447c-9286-218aeaabddc7\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Type\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"ec8a44d6-1b97-4077-9e93-986973e7acff\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"infoblox_bloxone_ddi.dns_data.type\"},\"ec8a44d6-1b97-4077-9e93-986973e7acff\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"infoblox_bloxone_ddi.dns_data\\\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"232a8505-70be-447c-9286-218aeaabddc7\"],\"layerId\":\"040c65c3-7b12-43b0-bfa5-e2c535634de6\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"ec8a44d6-1b97-4077-9e93-986973e7acff\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"pie\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"fecabbc6-727d-4798-8eaa-f5f553a53d47\",\"w\":16,\"x\":17,\"y\":15},\"panelIndex\":\"fecabbc6-727d-4798-8eaa-f5f553a53d47\",\"title\":\"Distribution of Events by Type [Logs 
Infoblox BloxOne DDI]\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-7db7df97-c91b-417a-a146-72c6f2ac8d91\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"7db7df97-c91b-417a-a146-72c6f2ac8d91\":{\"columnOrder\":[\"5a0c5a1b-a645-4579-a7b4-d24d4d128175\",\"e1bea059-147f-4dea-a55f-f3d1a5f41e2e\"],\"columns\":{\"5a0c5a1b-a645-4579-a7b4-d24d4d128175\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"View Name\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"e1bea059-147f-4dea-a55f-f3d1a5f41e2e\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"infoblox_bloxone_ddi.dns_data.view_name\"},\"e1bea059-147f-4dea-a55f-f3d1a5f41e2e\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : 
\\\"infoblox_bloxone_ddi.dns_data\\\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"5a0c5a1b-a645-4579-a7b4-d24d4d128175\"],\"layerId\":\"7db7df97-c91b-417a-a146-72c6f2ac8d91\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"e1bea059-147f-4dea-a55f-f3d1a5f41e2e\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"pie\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"63226a08-6f74-4817-9a08-21d93d3dc00f\",\"w\":15,\"x\":33,\"y\":15},\"panelIndex\":\"63226a08-6f74-4817-9a08-21d93d3dc00f\",\"title\":\"Distribution of Events by View Name [Logs Infoblox BloxOne DDI]\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-a6b9c902-06c7-4274-8831-8fab7e860319\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"a6b9c902-06c7-4274-8831-8fab7e860319\":{\"columnOrder\":[\"1189fdd0-3651-47cd-9943-46668da81407\",\"834d4e0a-e326-430e-ba1c-b21b409e11ce\"],\"columns\":{\"1189fdd0-3651-47cd-9943-46668da81407\":{\"customLabel\":true,\"dataType\":\"ip\",\"isBucketed\":true,\"label\":\"Host 
Address\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"834d4e0a-e326-430e-ba1c-b21b409e11ce\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"infoblox_bloxone_ddi.dns_data.rdata.address\"},\"834d4e0a-e326-430e-ba1c-b21b409e11ce\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"infoblox_bloxone_ddi.dns_data\\\"\"},\"visualization\":{\"columns\":[{\"columnId\":\"1189fdd0-3651-47cd-9943-46668da81407\",\"isTransposed\":false},{\"columnId\":\"834d4e0a-e326-430e-ba1c-b21b409e11ce\",\"isTransposed\":false}],\"layerId\":\"a6b9c902-06c7-4274-8831-8fab7e860319\",\"layerType\":\"data\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsDatatable\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"8f0234c4-f3f1-48c8-8f43-4731cd958b70\",\"w\":24,\"x\":0,\"y\":30},\"panelIndex\":\"8f0234c4-f3f1-48c8-8f43-4731cd958b70\",\"title\":\"Top 10 Host Address [Logs Infoblox BloxOne 
DDI]\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-1cb8734b-97ec-4693-916c-950178d12555\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"1cb8734b-97ec-4693-916c-950178d12555\":{\"columnOrder\":[\"9a412a97-ba89-4765-8f22-0413ec2db942\",\"5324359a-19f9-4039-be9b-2817abe8d788\"],\"columns\":{\"5324359a-19f9-4039-be9b-2817abe8d788\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"9a412a97-ba89-4765-8f22-0413ec2db942\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Resource Record Value\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"5324359a-19f9-4039-be9b-2817abe8d788\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"infoblox_bloxone_ddi.dns_data.rdata.value\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"infoblox_bloxone_ddi.dns_data\\\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"9a412a97-ba89-4765-8f22-0413ec2db942\"],\"layerId\":\"1cb8734b-97ec-4693-916c-950178d12555\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"5324359a-19f9-4039-be9b-2817abe8d788\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"pie\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"a549ae88-b384-4a37-bbe9-8d5fd54f1a2b\",\"w\":24,\"x\":24,\"y\":30},\"panelIndex\":\"a549ae88-b384-4a37-bbe9-8d5fd54f1a2b\",\"title\":\"Distribution 
of Events by Resource Record Value [Logs Infoblox BloxOne DDI]\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-42c0d34a-142e-4761-8619-137862ca3e49\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"42c0d34a-142e-4761-8619-137862ca3e49\":{\"columnOrder\":[\"e47e7765-58a0-4694-ba84-1c973f735455\",\"df2daecc-3bde-4973-99c2-052ae6346963\"],\"columns\":{\"df2daecc-3bde-4973-99c2-052ae6346963\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"e47e7765-58a0-4694-ba84-1c973f735455\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Canonical Owner Name\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"df2daecc-3bde-4973-99c2-052ae6346963\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"infoblox_bloxone_ddi.dns_data.rdata.cname\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"infoblox_bloxone_ddi.dns_data\\\"\"},\"visualization\":{\"layers\":[{\"accessors\":[\"df2daecc-3bde-4973-99c2-052ae6346963\"],\"layerId\":\"42c0d34a-142e-4761-8619-137862ca3e49\",\"layerType\":\"data\",\"position\":\"top\",\"seriesType\":\"bar_stacked\",\"showGridlines\":false,\"xAccessor\":\"e47e7765-58a0-4694-ba84-1c973f735455\"}],\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"preferredSeriesType\":\"bar_stacked\",\"title\":\"Empty XY 
chart\",\"valueLabels\":\"hide\",\"yLeftExtent\":{\"mode\":\"full\"},\"yRightExtent\":{\"mode\":\"full\"}}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsXY\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"ab1a9322-c074-44d4-a12c-d6b4d394b8fd\",\"w\":24,\"x\":0,\"y\":45},\"panelIndex\":\"ab1a9322-c074-44d4-a12c-d6b4d394b8fd\",\"title\":\"Distribution of Events by Canonical Owner Name [Logs Infoblox BloxOne DDI]\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-9011083b-774e-4cc5-a099-ac6130fce672\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"9011083b-774e-4cc5-a099-ac6130fce672\":{\"columnOrder\":[\"b9a3ffe3-6c09-4a3f-bcb8-cff54b24a9b1\",\"27a04a1c-883b-4514-bf1d-0f51885ed8f6\"],\"columns\":{\"27a04a1c-883b-4514-bf1d-0f51885ed8f6\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"b9a3ffe3-6c09-4a3f-bcb8-cff54b24a9b1\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Resource Record Type\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"27a04a1c-883b-4514-bf1d-0f51885ed8f6\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"infoblox_bloxone_ddi.dns_data.rdata.type\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : 
\\\"infoblox_bloxone_ddi.dns_data\\\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"b9a3ffe3-6c09-4a3f-bcb8-cff54b24a9b1\"],\"layerId\":\"9011083b-774e-4cc5-a099-ac6130fce672\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"27a04a1c-883b-4514-bf1d-0f51885ed8f6\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"pie\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"00a91cfd-1761-4308-8443-b2a2208c8630\",\"w\":24,\"x\":24,\"y\":45},\"panelIndex\":\"00a91cfd-1761-4308-8443-b2a2208c8630\",\"title\":\"Distribution of Events by Resource Record Type [Logs Infoblox BloxOne DDI]\",\"type\":\"lens\",\"version\":\"7.17.0\"}]", - "timeRestore": false, - "title": "[Logs Infoblox BloxOne DDI] DNS Data", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "infoblox_bloxone_ddi-b8497140-0cdd-11ed-8a96-d11b53f3d359", - "migrationVersion": { - "dashboard": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "d0d0f6b9-d632-47de-bcc6-54bce4e679f2:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "d0d0f6b9-d632-47de-bcc6-54bce4e679f2:indexpattern-datasource-layer-492dce9b-ecc9-466a-ad17-c801a56b2578", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "7eb4f1b6-29ea-45f9-bab5-a0343594726b:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "7eb4f1b6-29ea-45f9-bab5-a0343594726b:indexpattern-datasource-layer-4948d9b6-bab5-48f2-a031-46e87a884637", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "a8079745-b78b-4daa-bb29-638e498e4c96:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "a8079745-b78b-4daa-bb29-638e498e4c96:indexpattern-datasource-layer-c0b7ca44-dfc2-4e69-9fdf-a67439d1b290", - "type": 
"index-pattern" - }, - { - "id": "logs-*", - "name": "fecabbc6-727d-4798-8eaa-f5f553a53d47:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "fecabbc6-727d-4798-8eaa-f5f553a53d47:indexpattern-datasource-layer-040c65c3-7b12-43b0-bfa5-e2c535634de6", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "63226a08-6f74-4817-9a08-21d93d3dc00f:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "63226a08-6f74-4817-9a08-21d93d3dc00f:indexpattern-datasource-layer-7db7df97-c91b-417a-a146-72c6f2ac8d91", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "8f0234c4-f3f1-48c8-8f43-4731cd958b70:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "8f0234c4-f3f1-48c8-8f43-4731cd958b70:indexpattern-datasource-layer-a6b9c902-06c7-4274-8831-8fab7e860319", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "a549ae88-b384-4a37-bbe9-8d5fd54f1a2b:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "a549ae88-b384-4a37-bbe9-8d5fd54f1a2b:indexpattern-datasource-layer-1cb8734b-97ec-4693-916c-950178d12555", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "ab1a9322-c074-44d4-a12c-d6b4d394b8fd:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "ab1a9322-c074-44d4-a12c-d6b4d394b8fd:indexpattern-datasource-layer-42c0d34a-142e-4761-8619-137862ca3e49", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "00a91cfd-1761-4308-8443-b2a2208c8630:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "00a91cfd-1761-4308-8443-b2a2208c8630:indexpattern-datasource-layer-9011083b-774e-4cc5-a099-ac6130fce672", - "type": "index-pattern" - } - ], - "type": "dashboard" -} \ No newline at end of file 
diff --git a/packages/infoblox_bloxone_ddi/0.1.0/kibana/dashboard/infoblox_bloxone_ddi-d3f8a270-0ce3-11ed-8a96-d11b53f3d359.json b/packages/infoblox_bloxone_ddi/0.1.0/kibana/dashboard/infoblox_bloxone_ddi-d3f8a270-0ce3-11ed-8a96-d11b53f3d359.json deleted file mode 100755 index 0ee79b258d..0000000000 --- a/packages/infoblox_bloxone_ddi/0.1.0/kibana/dashboard/infoblox_bloxone_ddi-d3f8a270-0ce3-11ed-8a96-d11b53f3d359.json +++ /dev/null 
@@ -1,102 +0,0 @@ -{ - "attributes": { - "description": "Overview of Infoblox BloxOne DDI DNS Config.", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"infoblox_bloxone_ddi.dns_config\\\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-cba386eb-2f07-4c35-9a1c-57937a5d37db\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"cba386eb-2f07-4c35-9a1c-57937a5d37db\":{\"columnOrder\":[\"46922848-22a1-4583-add0-66c83d05e7fc\",\"436c97a5-6d6f-4d61-b698-061ed8d1ca6c\"],\"columns\":{\"436c97a5-6d6f-4d61-b698-061ed8d1ca6c\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"46922848-22a1-4583-add0-66c83d05e7fc\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Custom Root Name Server FQDN\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"436c97a5-6d6f-4d61-b698-061ed8d1ca6c\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"infoblox_bloxone_ddi.dns_config.custom_root_ns.fqdn\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : 
\\\"infoblox_bloxone_ddi.dns_config\\\"\"},\"visualization\":{\"columns\":[{\"columnId\":\"46922848-22a1-4583-add0-66c83d05e7fc\",\"isTransposed\":false},{\"columnId\":\"436c97a5-6d6f-4d61-b698-061ed8d1ca6c\",\"isTransposed\":false}],\"layerId\":\"cba386eb-2f07-4c35-9a1c-57937a5d37db\",\"layerType\":\"data\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsDatatable\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"8a5670b8-9772-40e6-adc9-743fddfcb93a\",\"w\":24,\"x\":0,\"y\":0},\"panelIndex\":\"8a5670b8-9772-40e6-adc9-743fddfcb93a\",\"title\":\"Top 10 Custom Root Name Server FQDN [Logs Infoblox BloxOne DDI]\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-49c44c59-cb39-48ca-8c38-6d604857fae7\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"49c44c59-cb39-48ca-8c38-6d604857fae7\":{\"columnOrder\":[\"6945ac46-ff4f-4d1c-9314-1e8ddbf0d3a6\",\"707209ce-b61a-4765-9303-530ed1a26b33\"],\"columns\":{\"6945ac46-ff4f-4d1c-9314-1e8ddbf0d3a6\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Outgoing Query 
Action\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"707209ce-b61a-4765-9303-530ed1a26b33\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"infoblox_bloxone_ddi.dns_config.inheritance.sources.add_edns.option_in.outgoing_query.action\"},\"707209ce-b61a-4765-9303-530ed1a26b33\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"infoblox_bloxone_ddi.dns_config\\\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"6945ac46-ff4f-4d1c-9314-1e8ddbf0d3a6\"],\"layerId\":\"49c44c59-cb39-48ca-8c38-6d604857fae7\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"707209ce-b61a-4765-9303-530ed1a26b33\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"pie\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"9367e11d-a6ff-4e4d-8c91-ab8c3aa3bd28\",\"w\":24,\"x\":24,\"y\":0},\"panelIndex\":\"9367e11d-a6ff-4e4d-8c91-ab8c3aa3bd28\",\"title\":\"Distribution of Events by Outgoing Query Action [Logs Infoblox BloxOne 
DDI]\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-dd5c94ed-e107-49e3-ab06-d9cb924653ed\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"dd5c94ed-e107-49e3-ab06-d9cb924653ed\":{\"columnOrder\":[\"cc7b0f96-eddc-4c03-84fc-3d4d28167d63\",\"4443908b-190a-4856-8b66-69db9199df32\"],\"columns\":{\"4443908b-190a-4856-8b66-69db9199df32\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"cc7b0f96-eddc-4c03-84fc-3d4d28167d63\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"ECS Block Action\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"4443908b-190a-4856-8b66-69db9199df32\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"infoblox_bloxone_ddi.dns_config.inheritance.sources.ecs.block.action\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"infoblox_bloxone_ddi.dns_config\\\"\"},\"visualization\":{\"layers\":[{\"accessors\":[\"4443908b-190a-4856-8b66-69db9199df32\"],\"layerId\":\"dd5c94ed-e107-49e3-ab06-d9cb924653ed\",\"layerType\":\"data\",\"position\":\"top\",\"seriesType\":\"bar_stacked\",\"showGridlines\":false,\"xAccessor\":\"cc7b0f96-eddc-4c03-84fc-3d4d28167d63\"}],\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"preferredSeriesType\":\"bar_stacked\",\"title\":\"Empty XY 
chart\",\"valueLabels\":\"hide\",\"yLeftExtent\":{\"mode\":\"full\"},\"yRightExtent\":{\"mode\":\"full\"}}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsXY\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"d6f2c59a-ce94-4356-98af-91e7bc6cceed\",\"w\":24,\"x\":0,\"y\":15},\"panelIndex\":\"d6f2c59a-ce94-4356-98af-91e7bc6cceed\",\"title\":\"Distribution of Events by ECS Block Action [Logs Infoblox BloxOne DDI]\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Custom Root Name Server Address\",\"field\":\"infoblox_bloxone_ddi.dns_config.custom_root_ns.address\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"size\":20},\"schema\":\"segment\",\"type\":\"terms\"}],\"searchSource\":{\"filter\":[],\"index\":\"logs-*\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"infoblox_bloxone_ddi.dns_config\\\"\"}}},\"description\":\"\",\"id\":\"\",\"params\":{\"maxFontSize\":72,\"minFontSize\":18,\"orientation\":\"single\",\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"scale\":\"linear\",\"showLabel\":true},\"title\":\"\",\"type\":\"tagcloud\",\"uiState\":{}}},\"gridData\":{\"h\":15,\"i\":\"9d6f4983-8608-429b-95e7-56117041b778\",\"w\":24,\"x\":24,\"y\":15},\"panelIndex\":\"9d6f4983-8608-429b-95e7-56117041b778\",\"title\":\"Top Custom Root Name Server Address [Logs Infoblox BloxOne 
DDI]\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-eb849a44-0dfe-427d-99dd-be95e3050965\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"eb849a44-0dfe-427d-99dd-be95e3050965\":{\"columnOrder\":[\"90e03992-a3cd-4c07-952b-f5332cd81db4\",\"a499cd19-0ca6-4886-aac6-99bcd5e61153\"],\"columns\":{\"90e03992-a3cd-4c07-952b-f5332cd81db4\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"ECS Zone Access\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"a499cd19-0ca6-4886-aac6-99bcd5e61153\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"infoblox_bloxone_ddi.dns_config.ecs.zones.access\"},\"a499cd19-0ca6-4886-aac6-99bcd5e61153\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"infoblox_bloxone_ddi.dns_config\\\"\"},\"visualization\":{\"layers\":[{\"accessors\":[\"a499cd19-0ca6-4886-aac6-99bcd5e61153\"],\"layerId\":\"eb849a44-0dfe-427d-99dd-be95e3050965\",\"layerType\":\"data\",\"position\":\"top\",\"seriesType\":\"bar_stacked\",\"showGridlines\":false,\"xAccessor\":\"90e03992-a3cd-4c07-952b-f5332cd81db4\"}],\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"preferredSeriesType\":\"bar_stacked\",\"title\":\"Empty XY 
chart\",\"valueLabels\":\"hide\",\"yLeftExtent\":{\"mode\":\"full\"},\"yRightExtent\":{\"mode\":\"full\"}}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsXY\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"f6643ae2-2e62-46ae-a200-5012ac25de36\",\"w\":24,\"x\":0,\"y\":30},\"panelIndex\":\"f6643ae2-2e62-46ae-a200-5012ac25de36\",\"title\":\"Distribution of Events by ECS Zone Access [Logs Infoblox BloxOne DDI]\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-6b2013f5-e5d1-45e6-8760-439e960800f3\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"6b2013f5-e5d1-45e6-8760-439e960800f3\":{\"columnOrder\":[\"bed778ca-a359-43be-ad4c-5e32e7ba22d8\",\"6121b332-c55b-4b89-b3d3-45dbd76c1cfe\"],\"columns\":{\"6121b332-c55b-4b89-b3d3-45dbd76c1cfe\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"bed778ca-a359-43be-ad4c-5e32e7ba22d8\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Outgoing Query Source\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"6121b332-c55b-4b89-b3d3-45dbd76c1cfe\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"infoblox_bloxone_ddi.dns_config.inheritance.sources.add_edns.option_in.outgoing_query.source\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : 
\\\"infoblox_bloxone_ddi.dns_config\\\"\"},\"visualization\":{\"columns\":[{\"columnId\":\"bed778ca-a359-43be-ad4c-5e32e7ba22d8\",\"isTransposed\":false},{\"columnId\":\"6121b332-c55b-4b89-b3d3-45dbd76c1cfe\",\"isTransposed\":false}],\"layerId\":\"6b2013f5-e5d1-45e6-8760-439e960800f3\",\"layerType\":\"data\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsDatatable\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"3ef011d9-9870-4357-bf7b-8b4baa0ae570\",\"w\":24,\"x\":24,\"y\":30},\"panelIndex\":\"3ef011d9-9870-4357-bf7b-8b4baa0ae570\",\"title\":\"Top 10 Outgoing Query Source [Logs Infoblox BloxOne DDI]\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-4f221e65-f5b8-446f-90d3-a05571f889ed\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"4f221e65-f5b8-446f-90d3-a05571f889ed\":{\"columnOrder\":[\"8235e883-949c-4216-ba74-cd53c5ad3b41\",\"33c6bac1-bfb5-4b6c-a4e5-e85a5193621c\"],\"columns\":{\"33c6bac1-bfb5-4b6c-a4e5-e85a5193621c\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"8235e883-949c-4216-ba74-cd53c5ad3b41\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Protocol Mname\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"33c6bac1-bfb5-4b6c-a4e5-e85a5193621c\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"infoblox_bloxone_ddi.dns_config.zone_authority.protocol.mname\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : 
\\\"infoblox_bloxone_ddi.dns_config\\\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"8235e883-949c-4216-ba74-cd53c5ad3b41\"],\"layerId\":\"4f221e65-f5b8-446f-90d3-a05571f889ed\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"33c6bac1-bfb5-4b6c-a4e5-e85a5193621c\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"pie\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"2f7542b5-9c17-4e1c-944d-3820afa497ce\",\"w\":24,\"x\":0,\"y\":45},\"panelIndex\":\"2f7542b5-9c17-4e1c-944d-3820afa497ce\",\"title\":\"Distribution of Events by Zone Authority Master Name [Logs Infoblox BloxOne DDI]\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-ca4bfffe-6a9f-413a-869c-58d1646363f2\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"ca4bfffe-6a9f-413a-869c-58d1646363f2\":{\"columnOrder\":[\"f15cb334-4cde-4a69-ac70-14739f098e98\",\"5f223db3-7560-49ec-a024-7266360e5e5f\"],\"columns\":{\"5f223db3-7560-49ec-a024-7266360e5e5f\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"f15cb334-4cde-4a69-ac70-14739f098e98\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Default TTL 
Source\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"5f223db3-7560-49ec-a024-7266360e5e5f\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"infoblox_bloxone_ddi.dns_config.inheritance.sources.zone_authority.default_ttl.source\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"infoblox_bloxone_ddi.dns_config\\\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"f15cb334-4cde-4a69-ac70-14739f098e98\"],\"layerId\":\"ca4bfffe-6a9f-413a-869c-58d1646363f2\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"5f223db3-7560-49ec-a024-7266360e5e5f\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"pie\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"2c27ed27-b814-4462-bd64-e99cd0d4f363\",\"w\":24,\"x\":24,\"y\":45},\"panelIndex\":\"2c27ed27-b814-4462-bd64-e99cd0d4f363\",\"title\":\"Distribution of Events by Default TTL source [Logs Infoblox BloxOne DDI]\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":19,\"i\":\"f288d1dd-c4dc-472c-a7ac-6c5173b348a1\",\"w\":48,\"x\":0,\"y\":60},\"panelIndex\":\"f288d1dd-c4dc-472c-a7ac-6c5173b348a1\",\"panelRefName\":\"panel_f288d1dd-c4dc-472c-a7ac-6c5173b348a1\",\"type\":\"search\",\"version\":\"7.17.0\"}]", - "timeRestore": false, - "title": "[Logs Infoblox BloxOne DDI] DNS Config", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "infoblox_bloxone_ddi-d3f8a270-0ce3-11ed-8a96-d11b53f3d359", - "migrationVersion": { - "dashboard": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "8a5670b8-9772-40e6-adc9-743fddfcb93a:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": 
"logs-*", - "name": "8a5670b8-9772-40e6-adc9-743fddfcb93a:indexpattern-datasource-layer-cba386eb-2f07-4c35-9a1c-57937a5d37db", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "9367e11d-a6ff-4e4d-8c91-ab8c3aa3bd28:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "9367e11d-a6ff-4e4d-8c91-ab8c3aa3bd28:indexpattern-datasource-layer-49c44c59-cb39-48ca-8c38-6d604857fae7", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "d6f2c59a-ce94-4356-98af-91e7bc6cceed:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "d6f2c59a-ce94-4356-98af-91e7bc6cceed:indexpattern-datasource-layer-dd5c94ed-e107-49e3-ab06-d9cb924653ed", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "9d6f4983-8608-429b-95e7-56117041b778:kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "f6643ae2-2e62-46ae-a200-5012ac25de36:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "f6643ae2-2e62-46ae-a200-5012ac25de36:indexpattern-datasource-layer-eb849a44-0dfe-427d-99dd-be95e3050965", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "3ef011d9-9870-4357-bf7b-8b4baa0ae570:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "3ef011d9-9870-4357-bf7b-8b4baa0ae570:indexpattern-datasource-layer-6b2013f5-e5d1-45e6-8760-439e960800f3", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "2f7542b5-9c17-4e1c-944d-3820afa497ce:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "2f7542b5-9c17-4e1c-944d-3820afa497ce:indexpattern-datasource-layer-4f221e65-f5b8-446f-90d3-a05571f889ed", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": 
"2c27ed27-b814-4462-bd64-e99cd0d4f363:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "2c27ed27-b814-4462-bd64-e99cd0d4f363:indexpattern-datasource-layer-ca4bfffe-6a9f-413a-869c-58d1646363f2", - "type": "index-pattern" - }, - { - "id": "infoblox_bloxone_ddi-86860980-34f0-11ed-a2eb-7fc0c8a128fe", - "name": "f288d1dd-c4dc-472c-a7ac-6c5173b348a1:panel_f288d1dd-c4dc-472c-a7ac-6c5173b348a1", - "type": "search" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/infoblox_bloxone_ddi/0.1.0/kibana/search/infoblox_bloxone_ddi-86860980-34f0-11ed-a2eb-7fc0c8a128fe.json b/packages/infoblox_bloxone_ddi/0.1.0/kibana/search/infoblox_bloxone_ddi-86860980-34f0-11ed-a2eb-7fc0c8a128fe.json deleted file mode 100755 index 2acf2927b1..0000000000 --- a/packages/infoblox_bloxone_ddi/0.1.0/kibana/search/infoblox_bloxone_ddi-86860980-34f0-11ed-a2eb-7fc0c8a128fe.json +++ /dev/null 
@@ -1,35 +0,0 @@ -{ - "attributes": { - "columns": [ - "infoblox_bloxone_ddi.dns_config.dnssec.root_keys.protocol.zone", - "infoblox_bloxone_ddi.dns_config.dnssec.trust_anchors.protocol.zone", - "infoblox_bloxone_ddi.dns_config.inheritance.sources.dnssec.validation.block.value.trust_anchors.protocol.zone" - ], - "description": "", - "grid": {}, - "hideChart": false, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"infoblox_bloxone_ddi.dns_config\\\"\"}}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "DNS Config Events by Protocol Zone [Logs Infoblox BloxOne DDI]" - }, - "coreMigrationVersion": "7.17.0", - "id": "infoblox_bloxone_ddi-86860980-34f0-11ed-a2eb-7fc0c8a128fe", - "migrationVersion": { - "search": "7.9.3" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/infoblox_bloxone_ddi/0.1.0/manifest.yml b/packages/infoblox_bloxone_ddi/0.1.0/manifest.yml deleted file mode 100755 index 500bafeec8..0000000000 --- a/packages/infoblox_bloxone_ddi/0.1.0/manifest.yml +++ /dev/null 
@@ -1,83 +0,0 @@
-format_version: 1.0.0
-name: infoblox_bloxone_ddi
-title: Infoblox BloxOne DDI
-version: '0.1.0'
-license: basic
-description: Collect logs from Infoblox BloxOne DDI with Elastic Agent.
-type: integration
-categories:
- - security
-conditions:
- kibana.version: ^7.17.0 || ^8.0.0
-screenshots:
- - src: /img/infoblox-bloxone-ddi-screenshot.png
- title: Infoblox BloxOne DDI dashboard screenshot
- size: 600x600
- type: image/png
-icons:
- - src: /img/infoblox-bloxone-ddi-logo.svg
- title: Infoblox BloxOne DDI logo
- size: 32x32
- type: image/svg+xml
-policy_templates:
- - name: infoblox_bloxone_ddi
- title: Infoblox BloxOne DDI
- description: Collect logs from Infoblox BloxOne DDI.
- inputs:
- - type: httpjson
- title: Collect Infoblox BloxOne DDI logs via API
- description: Collecting Infoblox BloxOne DDI logs via API.
- vars:
- - name: url
- type: text
- title: URL
- description: Infoblox BloxOne DDI URL.
- multi: false
- required: true
- show_user: true
- default: https://csp.infoblox.com
- name: api_key
- type: password
- title: API Key
- description: API Key.
- multi: false
- required: true
- show_user: true
- name: proxy_url
- type: text
- title: Proxy URL
- multi: false
- required: false
- show_user: false
- description: URL to proxy connections in the form of http[s]://:@:. Please ensure your username and password are in URL encoded format.
- name: ssl
- type: yaml
- title: SSL Configuration
- description: i.e. certificate_authorities, supported_protocols, verification_mode etc.
- multi: false
- required: false
- show_user: false
- default: |
- #certificate_authorities:
- # - |
- # -----BEGIN CERTIFICATE-----
- # MIIDCjCCAfKgAwIBAgITJ706Mu2wJlKckpIvkWxEHvEyijANBgkqhkiG9w0BAQsF
- # ADAUMRIwEAYDVQQDDAlsb2NhbGhvc3QwIBcNMTkwNzIyMTkyOTA0WhgPMjExOTA2
- # MjgxOTI5MDRaMBQxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEB
- # BQADggEPADCCAQoCggEBANce58Y/JykI58iyOXpxGfw0/gMvF0hUQAcUrSMxEO6n
- # fZRA49b4OV4SwWmA3395uL2eB2NB8y8qdQ9muXUdPBWE4l9rMZ6gmfu90N5B5uEl
- # 94NcfBfYOKi1fJQ9i7WKhTjlRkMCgBkWPkUokvBZFRt8RtF7zI77BSEorHGQCk9t
- # /D7BS0GJyfVEhftbWcFEAG3VRcoMhF7kUzYwp+qESoriFRYLeDWv68ZOvG7eoWnP
- # PsvZStEVEimjvK5NSESEQa9xWyJOmlOKXhkdymtcUd/nXnx6UTCFgnkgzSdTWV41
- # CI6B6aJ9svCTI2QuoIq2HxX/ix7OvW1huVmcyHVxyUECAwEAAaNTMFEwHQYDVR0O
- # BBYEFPwN1OceFGm9v6ux8G+DZ3TUDYxqMB8GA1UdIwQYMBaAFPwN1OceFGm9v6ux
- # 8G+DZ3TUDYxqMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAG5D
- # 874A4YI7YUwOVsVAdbWtgp1d0zKcPRR+r2OdSbTAV5/gcS3jgBJ3i1BN34JuDVFw
- # 3DeJSYT3nxy2Y56lLnxDeF8CUTUtVQx3CuGkRg1ouGAHpO/6OqOhwLLorEmxi7tA
- # H2O8mtT0poX5AnOAhzVy7QW0D/k4WaoLyckM5hUa6RtvgvLxOwA0U+VGurCDoctu
- # 8F4QOgTAWyh8EZIwaKCliFRSynDpv3JTUwtfZkxo6K6nce1RhCWFAsMvDZL8Dgc0
- # yvgJ38BRsFOtkRuAGSf6ZUwTO8JJRRIFnpUzXflAnGivK9M13D5GEQMmIl6U9Pvk
- # sxSmbIUfc2SGJGCJD4I=
- # -----END CERTIFICATE-----
-owner:
- github: elastic/security-external-integrations
diff --git a/packages/infoblox_nios/1.3.1/LICENSE.txt b/packages/infoblox_nios/1.3.1/LICENSE.txt
deleted file mode 100755
index 809108b857..0000000000
--- a/packages/infoblox_nios/1.3.1/LICENSE.txt
+++ /dev/null
@@ -1,93 +0,0 @@
-Elastic License 2.0
-
-URL: https://www.elastic.co/licensing/elastic-license
-
-## Acceptance
-
-By using the software, you agree to all of the terms and conditions below.
-
-## Copyright License
-
-The licensor grants you a non-exclusive, royalty-free, worldwide,
-non-sublicensable, non-transferable license to use, copy, distribute, make
-available, and prepare derivative works of the software, in each case subject to
-the limitations and conditions below.
-
-## Limitations
-
-You may not provide the software to third parties as a hosted or managed
-service, where the service provides users with access to any substantial set of
-the features or functionality of the software.
-
-You may not move, change, disable, or circumvent the license key functionality
-in the software, and you may not remove or obscure any functionality in the
-software that is protected by the license key.
-
-You may not alter, remove, or obscure any licensing, copyright, or other notices
-of the licensor in the software. Any use of the licensor’s trademarks is subject
-to applicable law.
-
-## Patents
-
-The licensor grants you a license, under any patent claims the licensor can
-license, or becomes able to license, to make, have made, use, sell, offer for
-sale, import and have imported the software, in each case subject to the
-limitations and conditions in this license. This license does not cover any
-patent claims that you cause to be infringed by modifications or additions to
-the software. If you or your company make any written claim that the software
-infringes or contributes to infringement of any patent, your patent license for
-the software granted under these terms ends immediately. If your company makes
-such a claim, your patent license ends immediately for work on behalf of your
-company.
-
-## Notices
-
-You must ensure that anyone who gets a copy of any part of the software from you
-also gets a copy of these terms.
-
-If you modify the software, you must include in any modified copies of the
-software prominent notices stating that you have modified the software.
-
-## No Other Rights
-
-These terms do not imply any licenses other than those expressly granted in
-these terms.
-
-## Termination
-
-If you use the software in violation of these terms, such use is not licensed,
-and your licenses will automatically terminate. If the licensor provides you
-with a notice of your violation, and you cease all violation of this license no
-later than 30 days after you receive that notice, your licenses will be
-reinstated retroactively. However, if you violate these terms after such
-reinstatement, any additional violation of these terms will cause your licenses
-to terminate automatically and permanently.
-
-## No Liability
-
-*As far as the law allows, the software comes as is, without any warranty or
-condition, and the licensor will not be liable to you for any damages arising
-out of these terms or the use or nature of the software, under any kind of
-legal claim.*
-
-## Definitions
-
-The **licensor** is the entity offering these terms, and the **software** is the
-software the licensor makes available under these terms, including any portion
-of it.
-
-**you** refers to the individual or entity agreeing to these terms.
-
-**your company** is any legal entity, sole proprietorship, or other kind of
-organization that you work for, plus all organizations that have control over,
-are under the control of, or are under common control with that
-organization. **control** means ownership of substantially all the assets of an
-entity, or the power to direct its management and policies by vote, contract, or
-otherwise. Control can be direct or indirect.
-
-**your licenses** are all the licenses granted to you for the software under
-these terms.
-
-**use** means anything you do with the software requiring one of your licenses.
-
-**trademark** means trademarks, service marks, and similar rights.
diff --git a/packages/infoblox_nios/1.3.1/changelog.yml b/packages/infoblox_nios/1.3.1/changelog.yml
deleted file mode 100755
index 4683448197..0000000000
--- a/packages/infoblox_nios/1.3.1/changelog.yml
+++ /dev/null
@@ -1,44 +0,0 @@
-# newer versions go on top
-- version: "1.3.1"
- changes:
- - description: Fix config page options for file inputs.
- type: bugfix
- link: https://github.com/elastic/integrations/pull/4233
-- version: "1.3.0"
- changes:
- - description: Allow configuration of timezone.
- type: enhancement
- link: https://github.com/elastic/integrations/pull/4201
-- version: "1.2.0"
- changes:
- - description: Add support for file inputs.
- type: enhancement
- link: https://github.com/elastic/integrations/pull/4137
-- version: "1.1.0"
- changes:
- - description: Add support for parsing DHCPOFFER and DHCPACK logs from the ISC dhcp process. And add support for parsing Encapsulated Solicit, Advertise NA, Encapsulating Advertise, Sending Relay-reply, and Relay-forward logs from the ISC dhcpv6 process.
- type: enhancement
- link: https://github.com/elastic/integrations/pull/3883
-- version: "1.0.0"
- changes:
- - description: Make GA
- type: enhancement
- link: https://github.com/elastic/integrations/pull/3859
-- version: "0.3.0"
- changes:
- - description: Update package to ECS 8.4.0
- type: enhancement
- link: https://github.com/elastic/integrations/pull/3893
- - description: Switch to ECS allowed values in dns.header_flags, original values now in infoblox_nios.log.dns.header_flags
- type: enhancement
- link: https://github.com/elastic/integrations/pull/3893
-- version: "0.2.0"
- changes:
- - description: Update package to ECS 8.3.0.
- type: enhancement
- link: https://github.com/elastic/integrations/pull/3353
-- version: "0.1.0"
- changes:
- - description: Initial draft of the package.
- type: enhancement
- link: https://github.com/elastic/integrations/pull/3129
diff --git a/packages/infoblox_nios/1.3.1/data_stream/log/agent/stream/log.yml.hbs b/packages/infoblox_nios/1.3.1/data_stream/log/agent/stream/log.yml.hbs
deleted file mode 100755
index 100bcd967c..0000000000
--- a/packages/infoblox_nios/1.3.1/data_stream/log/agent/stream/log.yml.hbs
+++ /dev/null
@@ -1,26 +0,0 @@
-paths:
-{{#each paths as |path|}}
- - {{path}}
-{{/each}}
-exclude_files: [".gz$"]
-tags:
-{{#if preserve_original_event}}
- - preserve_original_event
-{{/if}}
-{{#each tags as |tag|}}
- - {{tag}}
-{{/each}}
-{{#contains "forwarded" tags}}
-publisher_pipeline.disable_host: true
-{{/contains}}
-{{#if tz_offset}}
-fields_under_root: true
-fields:
- _conf:
- tz_offset: {{tz_offset}}
-{{/if}}
-processors:
-- add_locale: ~
-{{#if processors}}
-{{processors}}
-{{/if}}
diff --git a/packages/infoblox_nios/1.3.1/data_stream/log/agent/stream/tcp.yml.hbs b/packages/infoblox_nios/1.3.1/data_stream/log/agent/stream/tcp.yml.hbs
deleted file mode 100755
index ca7007e08a..0000000000
--- a/packages/infoblox_nios/1.3.1/data_stream/log/agent/stream/tcp.yml.hbs
+++ /dev/null
@@ -1,24 +0,0 @@
-host: "{{listen_address}}:{{listen_port}}"
-tags:
-{{#if preserve_original_event}}
- - preserve_original_event
-{{/if}}
-{{#each tags as |tag|}}
- - {{tag}}
-{{/each}}
-{{#contains "forwarded" tags}}
-publisher_pipeline.disable_host: true
-{{/contains}}
-{{#if ssl}}
-ssl: {{ssl}}
-{{/if}}
-{{#if tz_offset}}
-fields_under_root: true
-fields:
- _conf:
- tz_offset: {{tz_offset}}
-{{/if}}
-{{#if processors}}
-processors:
-{{processors}}
-{{/if}}
diff --git a/packages/infoblox_nios/1.3.1/data_stream/log/agent/stream/udp.yml.hbs b/packages/infoblox_nios/1.3.1/data_stream/log/agent/stream/udp.yml.hbs
deleted file mode 100755
index 7cbc27e3d7..0000000000
--- a/packages/infoblox_nios/1.3.1/data_stream/log/agent/stream/udp.yml.hbs
+++ /dev/null
@@ -1,21 +0,0 @@
-host: "{{listen_address}}:{{listen_port}}"
-tags:
-{{#if preserve_original_event}}
- - preserve_original_event
-{{/if}}
-{{#each tags as |tag|}}
- - {{tag}}
-{{/each}}
-{{#contains "forwarded" tags}}
-publisher_pipeline.disable_host: true
-{{/contains}}
-{{#if tz_offset}}
-fields_under_root: true
-fields:
- _conf:
- tz_offset: {{tz_offset}}
-{{/if}}
-{{#if processors}}
-processors:
-{{processors}}
-{{/if}}
diff --git a/packages/infoblox_nios/1.3.1/data_stream/log/elasticsearch/ingest_pipeline/default.yml b/packages/infoblox_nios/1.3.1/data_stream/log/elasticsearch/ingest_pipeline/default.yml
deleted file mode 100755
index 2767f8dbc0..0000000000
--- a/packages/infoblox_nios/1.3.1/data_stream/log/elasticsearch/ingest_pipeline/default.yml
+++ /dev/null
@@ -1,116 +0,0 @@
----
-description: Pipeline for parsing Infoblox NIOS logs.
-processors:
- - rename:
- field: message
- target_field: event.original
- ignore_missing: true
- - set:
- field: ecs.version
- value: '8.4.0'
- - grok:
- field: event.original
- patterns:
- - "^<%{NUMBER:log.syslog.priority:long}>%{SYSLOGTIMESTAMP:event.created}\\s+%{NOTSPACE:host.domain}\\s+%{IP:host.ip}\\s+%{DATA:infoblox_nios.log.service_name}\\[?%{NUMBER:process.pid:long}?\\]?:\\s+%{GREEDYDATA:message}$"
- - "^<%{NUMBER:log.syslog.priority:long}>%{SYSLOGTIMESTAMP:event.created}\\s+(%{IP:host.ip}|%{NOTSPACE:host.domain})\\s+%{DATA:infoblox_nios.log.service_name}\\[?%{NUMBER:process.pid:long}?\\]?:\\s+%{GREEDYDATA:message}$"
- - "^%{GREEDYDATA:message}$"
- - rename:
- field: _conf.tz_offset
- target_field: event.timezone
- if: "ctx?._conf?.tz_offset != null && ctx._conf.tz_offset != 'local'"
- ignore_missing: true
- ignore_failure: true
- - date:
- field: event.created
- target_field: event.created
- formats:
- - MMM d HH:mm:ss
- - MMM dd HH:mm:ss
- - MMM d HH:mm:ss
- - dd-MMM-yyyy HH:mm:ss.SSS
- ignore_failure: true
- timezone: "{{{event.timezone}}}"
- if: ctx.event?.timezone != null
- - date:
- field: event.created
- target_field: event.created
- formats:
- - MMM d HH:mm:ss
- - MMM dd HH:mm:ss
- - MMM d HH:mm:ss
- - dd-MMM-yyyy HH:mm:ss.SSS
- ignore_failure: true
- if: ctx.event?.timezone == null
- - set:
- field: infoblox_nios.log.type
- value: 'DHCP'
- if: ctx.infoblox_nios?.log?.service_name == "dhcpd" || ctx.infoblox_nios?.log?.service_name == "dhcpdv6"
- - set:
- field: infoblox_nios.log.type
- value: 'DNS'
- if: ctx.infoblox_nios?.log?.service_name == "named"
- - set:
- field: infoblox_nios.log.type
- value: 'AUDIT'
- if: ctx.infoblox_nios?.log?.service_name == "httpd"
- - pipeline:
- name: '{{ IngestPipeline "pipeline_audit" }}'
- if: ctx.infoblox_nios?.log?.type == "AUDIT"
- - pipeline:
- name: '{{ IngestPipeline "pipeline_dhcp" }}'
- if: ctx.infoblox_nios?.log?.type == "DHCP"
- - pipeline:
- name: '{{ IngestPipeline "pipeline_dns" }}'
- if: ctx.infoblox_nios?.log?.type == "DNS"
- - append:
- field: related.ip
- value: '{{{host.ip}}}'
- if: ctx.host?.ip != null
- allow_duplicates: false
- ignore_failure: true
- - append:
- field: related.hosts
- value: '{{{host.domain}}}'
- if: ctx.host?.domain != null
- allow_duplicates: false
- ignore_failure: true
- - append:
- field: host.ip
- value: '{{{host.ip}}}'
- if: ctx.host?.ip != null
- allow_duplicates: false
- ignore_failure: true
- - lowercase:
- field: event.action
- if: ctx.event?.action != null
- ignore_failure: true
- - script:
- description: Drops null/empty values recursively.
- lang: painless
- source: |
- boolean drop(Object o) {
- if (o == null || o == "") {
- return true;
- } else if (o instanceof Map) {
- ((Map) o).values().removeIf(v -> drop(v));
- return (((Map) o).size() == 0);
- } else if (o instanceof List) {
- ((List) o).removeIf(v -> drop(v));
- return (((List) o).length == 0);
- }
- return false;
- }
- drop(ctx);
- - remove:
- field: event.original
- if: "ctx.tags == null || !(ctx.tags.contains('preserve_original_event'))"
- ignore_failure: true
- ignore_missing: true
- - remove:
- field: _conf
- ignore_failure: true
- ignore_missing: true
-on_failure:
- - set:
- field: error.message
- value: '{{{_ingest.on_failure_message}}}'
diff --git a/packages/infoblox_nios/1.3.1/data_stream/log/elasticsearch/ingest_pipeline/pipeline_audit.yml b/packages/infoblox_nios/1.3.1/data_stream/log/elasticsearch/ingest_pipeline/pipeline_audit.yml
deleted file mode 100755
index 39fec54d87..0000000000
--- a/packages/infoblox_nios/1.3.1/data_stream/log/elasticsearch/ingest_pipeline/pipeline_audit.yml
+++ /dev/null
@@ -1,121 +0,0 @@
----
-description: Pipeline for parsing Infoblox NIOS Audit logs.
-processors:
- - grok:
- field: message
- if: ctx.message.contains("Created") || ctx.message.contains("Modified") || ctx.message.contains("Deleted")
- patterns:
- - "^%{GREEDYDATA:timestamp} \\[%{DATA:user.name}\\]: %{DATA:event.action} %{DATA:infoblox_nios.log.audit.object.name} %{DATA:infoblox_nios.log.audit.object.value}:? %{GREEDYDATA:infoblox_nios.log.audit.message}$"
- - "^%{GREEDYDATA:timestamp} \\[%{DATA:user.name}\\]: %{DATA:event.action} %{GREEDYDATA:infoblox_nios.log.audit.message}$"
- - "^%{GREEDYDATA:infoblox_nios.log.audit.message}$"
- - grok:
- field: message
- if: ctx.message.contains("Called")
- patterns:
- - "^%{GREEDYDATA:timestamp} \\[%{DATA:user.name}\\]: %{DATA:event.action} - %{WORD:infoblox_nios.log.audit.object.name}:? %{GREEDYDATA:infoblox_nios.log.audit.message}$"
- - "^%{GREEDYDATA:timestamp} \\[%{DATA:user.name}\\]: %{DATA:event.action} - %{GREEDYDATA:infoblox_nios.log.audit.message}$"
- - "^%{GREEDYDATA:infoblox_nios.log.audit.message}$"
- - grok:
- field: message
- if: ctx.event?.action == null
- patterns:
- - "^%{GREEDYDATA:timestamp} \\[%{DATA:user.name}\\]: %{DATA:event.action} - - %{GREEDYDATA:details}$"
- - "^%{GREEDYDATA:timestamp} \\[%{DATA:user.name}\\]: %{DATA:event.action} %{GREEDYDATA:infoblox_nios.log.audit.message}$"
- - "^%{GREEDYDATA:timestamp} %{GREEDYDATA:infoblox_nios.log.audit.message}$"
- - "^%{GREEDYDATA:infoblox_nios.log.audit.message}$"
- - date:
- field: timestamp
- target_field: '@timestamp'
- formats:
- - dd-MMM-yyyy HH:mm:ss.SSS
- - yyyy-MM-dd HH:mm:ss.SSS'Z'
- ignore_failure: true
- - kv:
- field: details
- target_field: audit
- field_split: ' '
- value_split: '='
- ignore_missing: true
- - lowercase:
- field: event.action
- if: ctx.event?.action != null
- ignore_failure: true
- - set:
- field: event.outcome
- if: ctx.event?.action == "login_allowed"
- value: 'success'
- ignore_failure: true
- - append:
- field: event.type
- if: ctx.event?.action == "login_allowed"
- value: 'start'
- ignore_failure: true
- - append:
- field: event.category
- if: ctx.event?.action == "login_allowed"
- value: 'authentication'
- ignore_failure: true
- - set:
- field: event.outcome
- if: ctx.event?.action == "login_denied"
- value: 'failure'
- ignore_failure: true
- - append:
- field: event.category
- if: ctx.event?.action == "login_denied"
- value: 'authentication'
- ignore_failure: true
- - append:
- field: event.type
- if: ctx.event?.action == "logout"
- value: 'end'
- ignore_failure: true
- - append:
- field: event.category
- if: ctx.event?.action == "logout"
- value: 'authentication'
- ignore_failure: true
- - script:
- description: Add kv fields under the infoblox_nios.log.audit.
- lang: painless
- if: ctx.audit != null
- source: |
- if (ctx.infoblox_nios == null) {
- ctx["infoblox_nios"] = new HashMap();
- }
- if (ctx.infoblox_nios?.log == null) {
- ctx.infoblox_nios["log"] = new HashMap();
- }
- if (ctx.infoblox_nios?.log?.audit == null) {
- ctx.infoblox_nios.log["audit"] = new HashMap();
- }
- for (Map.Entry m : ctx.audit.entrySet()) {
- def value = m.getValue();
- if (value instanceof String) {
- value = value.replace("\\040", " ")
- }
- ctx.infoblox_nios.log.audit[m.getKey()] = value;
- }
- - append:
- field: related.ip
- value: '{{{infoblox_nios.log.audit.ip}}}'
- if: ctx.infoblox_nios?.log?.audit?.ip != null
- allow_duplicates: false
- ignore_failure: true
- - gsub:
- field: user.name
- ignore_missing: true
- pattern: '\\040'
- replacement: ' '
- - remove:
- field:
- - details
- - audit
- - timestamp
- ignore_missing: true
- - append:
- field: related.user
- value: '{{{user.name}}}'
- if: ctx.user?.name != null
- allow_duplicates: false
- ignore_failure: true
diff --git a/packages/infoblox_nios/1.3.1/data_stream/log/elasticsearch/ingest_pipeline/pipeline_dhcp.yml b/packages/infoblox_nios/1.3.1/data_stream/log/elasticsearch/ingest_pipeline/pipeline_dhcp.yml
deleted file mode 100755
index 862ee32b37..0000000000
--- a/packages/infoblox_nios/1.3.1/data_stream/log/elasticsearch/ingest_pipeline/pipeline_dhcp.yml
+++ /dev/null
@@ -1,185 +0,0 @@
----
-description: Pipeline for parsing Infoblox NIOS DHCP logs.
-processors:
- - grok:
- field: message
- if: ctx.message.contains("DHCPDISCOVER")
- patterns:
- - "^%{WORD:event.action} from %{MAC:client.mac} via (%{IP:infoblox_nios.log.dhcp.interface.ip}|%{WORD:interface.name}) TransID %{DATA:infoblox_nios.log.dhcp.trans_id} uid %{GREEDYDATA:infoblox_nios.log.dhcp.uid}$"
- - "^%{WORD:event.action} from %{MAC:client.mac} via (%{IP:infoblox_nios.log.dhcp.interface.ip}|%{WORD:interface.name}) TransID %{DATA:infoblox_nios.log.dhcp.trans_id}: network %{DATA:infoblox_nios.log.dhcp.network}: %{GREEDYDATA:infoblox_nios.log.dhcp.discover.message}$"
- - "^%{WORD:event.action} from %{MAC:client.mac} via (%{IP:infoblox_nios.log.dhcp.interface.ip}|%{WORD:interface.name}) TransID %{GREEDYDATA:infoblox_nios.log.dhcp.trans_id}$"
- - "^%{WORD:event.action} from %{MAC:client.mac} \\(%{DATA:infoblox_nios.log.dhcp.client_hostname}\\) via (%{IP:infoblox_nios.log.dhcp.interface.ip}|%{WORD:interface.name}) TransID %{DATA:infoblox_nios.log.dhcp.trans_id} uid %{GREEDYDATA:infoblox_nios.log.dhcp.uid}$"
- - "^%{WORD:event.action} from %{MAC:client.mac} \\(%{DATA:infoblox_nios.log.dhcp.client_hostname}\\) via (%{IP:infoblox_nios.log.dhcp.interface.ip}|%{WORD:interface.name}) TransID %{GREEDYDATA:infoblox_nios.log.dhcp.trans_id}$"
- - "^%{GREEDYDATA:infoblox_nios.log.dhcp.message}$"
- - grok:
- field: message
- if: ctx.message.contains("DHCPOFFER")
- patterns:
- - "^%{WORD:event.action} on %{IP:client.ip} to %{MAC:client.mac} \\(%{DATA:infoblox_nios.log.dhcp.client_hostname}\\) via (%{IP:infoblox_nios.log.dhcp.interface.ip}|%{WORD:interface.name}) relay (%{IP:infoblox_nios.log.dhcp.relay.interface.ip}|%{WORD:infoblox_nios.log.dhcp.relay.interface.name}) lease-duration %{NUMBER:infoblox_nios.log.dhcp.lease.duration:long} offered-duration %{NUMBER:infoblox_nios.log.dhcp.offered_duration:long} uid %{GREEDYDATA:infoblox_nios.log.dhcp.uid}$"
- - "^%{WORD:event.action} on %{IP:client.ip} to %{MAC:client.mac} \\(%{DATA:infoblox_nios.log.dhcp.client_hostname}\\) via (%{IP:infoblox_nios.log.dhcp.interface.ip}|%{WORD:interface.name}) relay (%{IP:infoblox_nios.log.dhcp.relay.interface.ip}|%{WORD:infoblox_nios.log.dhcp.relay.interface.name}) lease-duration %{NUMBER:infoblox_nios.log.dhcp.lease.duration:long} offered-duration %{GREEDYDATA:infoblox_nios.log.dhcp.offered_duration:long}$"
- - "^%{WORD:event.action} on %{IP:client.ip} to %{MAC:client.mac} via (%{IP:infoblox_nios.log.dhcp.interface.ip}|%{WORD:interface.name}) relay (%{IP:infoblox_nios.log.dhcp.relay.interface.ip}|%{WORD:infoblox_nios.log.dhcp.relay.interface.name}) lease-duration %{NUMBER:infoblox_nios.log.dhcp.lease.duration:long} offered-duration %{GREEDYDATA:infoblox_nios.log.dhcp.offered_duration:long} uid %{GREEDYDATA:infoblox_nios.log.dhcp.uid}$"
- - "^%{WORD:event.action} on %{IP:client.ip} to %{MAC:client.mac} via (%{IP:infoblox_nios.log.dhcp.interface.ip}|%{WORD:interface.name}) relay (%{IP:infoblox_nios.log.dhcp.relay.interface.ip}|%{WORD:infoblox_nios.log.dhcp.relay.interface.name}) lease-duration %{NUMBER:infoblox_nios.log.dhcp.lease.duration:long} offered-duration %{GREEDYDATA:infoblox_nios.log.dhcp.offered_duration:long}$"
- - "^%{WORD:event.action} on %{IP:client.ip} to %{MAC:client.mac} via (%{IP:infoblox_nios.log.dhcp.interface.ip}|%{WORD:interface.name}) relay (%{IP:infoblox_nios.log.dhcp.relay.interface.ip}|%{WORD:infoblox_nios.log.dhcp.relay.interface.name}) lease-duration %{NUMBER:infoblox_nios.log.dhcp.lease.duration:long} uid %{GREEDYDATA:infoblox_nios.log.dhcp.uid}$"
- - "^%{WORD:event.action} on %{IP:client.ip} to %{MAC:client.mac} via (%{IP:infoblox_nios.log.dhcp.interface.ip}|%{WORD:interface.name}) relay (%{IP:infoblox_nios.log.dhcp.relay.interface.ip}|%{WORD:infoblox_nios.log.dhcp.relay.interface.name}) lease-duration %{GREEDYDATA:infoblox_nios.log.dhcp.lease.duration:long}$"
- - "^%{GREEDYDATA:infoblox_nios.log.dhcp.message}$"
- - grok:
- field: 
message - if: ctx.message.contains("DHCPREQUEST") - patterns: - - "^%{WORD:event.action} for %{IP:client.ip} \\(%{IP:infoblox_nios.log.dhcp.router.ip}\\) from %{MAC:client.mac} \\(%{DATA:infoblox_nios.log.dhcp.client_hostname}\\) via (%{IP:infoblox_nios.log.dhcp.interface.ip}|%{WORD:interface.name}) TransID %{DATA:infoblox_nios.log.dhcp.trans_id} uid %{DATA:infoblox_nios.log.dhcp.uid} \\(%{GREEDYDATA:infoblox_nios.log.dhcp.lease.message}\\)$" - - "^%{WORD:event.action} for %{IP:client.ip} from %{MAC:client.mac} \\(%{DATA:infoblox_nios.log.dhcp.client_hostname}\\) via (%{IP:infoblox_nios.log.dhcp.interface.ip}|%{WORD:interface.name}) TransID %{DATA:infoblox_nios.log.dhcp.trans_id} uid %{DATA:infoblox_nios.log.dhcp.uid} \\(%{GREEDYDATA:infoblox_nios.log.dhcp.lease.message}\\)$" - - "^%{WORD:event.action} for %{IP:client.ip} from %{MAC:client.mac} \\(%{DATA:infoblox_nios.log.dhcp.client_hostname}\\) via (%{IP:infoblox_nios.log.dhcp.interface.ip}|%{WORD:interface.name}) TransID %{DATA:infoblox_nios.log.dhcp.trans_id} uid %{DATA:infoblox_nios.log.dhcp.uid}: %{GREEDYDATA:infoblox_nios.log.dhcp.request.message}$" - - "^%{WORD:event.action} for %{IP:client.ip} \\(%{IP:infoblox_nios.log.dhcp.router.ip}\\) from %{MAC:client.mac} \\(%{DATA:infoblox_nios.log.dhcp.client_hostname}\\) via (%{IP:infoblox_nios.log.dhcp.interface.ip}|%{WORD:interface.name}) TransID %{DATA:infoblox_nios.log.dhcp.trans_id} uid %{GREEDYDATA:infoblox_nios.log.dhcp.uid}$" - - "^%{WORD:event.action} for %{IP:client.ip} \\(%{IP:infoblox_nios.log.dhcp.router.ip}\\) from %{MAC:client.mac} via (%{IP:infoblox_nios.log.dhcp.interface.ip}|%{WORD:interface.name}) TransID %{DATA:infoblox_nios.log.dhcp.trans_id} \\(%{GREEDYDATA:infoblox_nios.log.dhcp.lease.message}\\)$" - - "^%{WORD:event.action} for %{IP:client.ip} from %{MAC:client.mac} via (%{IP:infoblox_nios.log.dhcp.interface.ip}|%{WORD:interface.name}) TransID %{DATA:infoblox_nios.log.dhcp.trans_id} uid %{DATA:infoblox_nios.log.dhcp.uid} 
\\(%{GREEDYDATA:infoblox_nios.log.dhcp.lease.message}\\)$" - - "^%{WORD:event.action} for %{IP:client.ip} \\(%{IP:infoblox_nios.log.dhcp.router.ip}\\) from %{MAC:client.mac} via (%{IP:infoblox_nios.log.dhcp.interface.ip}|%{WORD:interface.name}) TransID %{DATA:infoblox_nios.log.dhcp.trans_id}: %{GREEDYDATA:infoblox_nios.log.dhcp.request.message}$" - - "^%{WORD:event.action} for %{IP:client.ip} from %{MAC:client.mac} via (%{IP:infoblox_nios.log.dhcp.interface.ip}|%{WORD:interface.name}) TransID %{DATA:infoblox_nios.log.dhcp.trans_id}: %{GREEDYDATA:infoblox_nios.log.dhcp.request.message}$" - - "^%{WORD:event.action} for %{IP:client.ip} \\(%{IP:infoblox_nios.log.dhcp.router.ip}\\) from %{MAC:client.mac} via (%{IP:infoblox_nios.log.dhcp.interface.ip}|%{WORD:interface.name}) TransID %{GREEDYDATA:infoblox_nios.log.dhcp.trans_id}$" - - "^%{WORD:event.action} for %{IP:client.ip} from %{MAC:client.mac} via (%{IP:infoblox_nios.log.dhcp.interface.ip}|%{WORD:interface.name}) TransID %{DATA:infoblox_nios.log.dhcp.trans_id} uid %{GREEDYDATA:infoblox_nios.log.dhcp.uid}$" - - "^%{WORD:event.action} for %{IP:client.ip} from %{MAC:client.mac} via (%{IP:infoblox_nios.log.dhcp.interface.ip}|%{WORD:interface.name}) TransID %{GREEDYDATA:infoblox_nios.log.dhcp.trans_id}$" - - "^%{WORD:event.action} for %{IP:client.ip} from %{MAC:client.mac} via (%{IP:infoblox_nios.log.dhcp.interface.ip}|%{WORD:interface.name})$" - - "^%{GREEDYDATA:infoblox_nios.log.dhcp.message}$" - - grok: - field: message - if: ctx.message.contains("DHCPACK") - patterns: - - "^%{WORD:event.action} on %{IP:client.ip} to %{MAC:client.mac} \\(%{DATA:infoblox_nios.log.dhcp.client_hostname}\\) via (%{IP:infoblox_nios.log.dhcp.interface.ip}|%{WORD:interface.name}) relay (%{IP:infoblox_nios.log.dhcp.relay.interface.ip}|%{WORD:infoblox_nios.log.dhcp.relay.interface.name}) lease-duration %{NUMBER:infoblox_nios.log.dhcp.lease.duration:long} \\(%{DATA:infoblox_nios.log.dhcp.lease.message}\\) uid 
%{GREEDYDATA:infoblox_nios.log.dhcp.uid}$" - - "^%{WORD:event.action} on %{IP:client.ip} to %{MAC:client.mac} via (%{IP:infoblox_nios.log.dhcp.interface.ip}|%{WORD:interface.name}) relay (%{IP:infoblox_nios.log.dhcp.relay.interface.ip}|%{WORD:infoblox_nios.log.dhcp.relay.interface.name}) lease-duration %{NUMBER:infoblox_nios.log.dhcp.lease.duration:long} \\(%{DATA:infoblox_nios.log.dhcp.lease.message}\\) uid %{GREEDYDATA:infoblox_nios.log.dhcp.uid}$" - - "^%{WORD:event.action} on %{IP:client.ip} to %{MAC:client.mac} via (%{IP:infoblox_nios.log.dhcp.interface.ip}|%{WORD:interface.name}) relay (%{IP:infoblox_nios.log.dhcp.relay.interface.ip}|%{WORD:infoblox_nios.log.dhcp.relay.interface.name}) lease-duration %{NUMBER:infoblox_nios.log.dhcp.lease.duration:long} \\(%{DATA:infoblox_nios.log.dhcp.lease.message}\\)$" - - "^%{WORD:event.action} on %{IP:client.ip} to %{MAC:client.mac} \\(%{DATA:infoblox_nios.log.dhcp.client_hostname}\\) via (%{IP:infoblox_nios.log.dhcp.interface.ip}|%{WORD:interface.name}) relay (%{IP:infoblox_nios.log.dhcp.relay.interface.ip}|%{WORD:infoblox_nios.log.dhcp.relay.interface.name}) lease-duration %{NUMBER:infoblox_nios.log.dhcp.lease.duration:long} \\(%{GREEDYDATA:infoblox_nios.log.dhcp.lease.message}\\)$" - - "^%{WORD:event.action} on %{IP:client.ip} to %{MAC:client.mac} \\(%{DATA:infoblox_nios.log.dhcp.client_hostname}\\) via (%{IP:infoblox_nios.log.dhcp.interface.ip}|%{WORD:interface.name}) relay (%{IP:infoblox_nios.log.dhcp.relay.interface.ip}|%{WORD:infoblox_nios.log.dhcp.relay.interface.name}) lease-duration %{NUMBER:infoblox_nios.log.dhcp.lease.duration:long} uid %{GREEDYDATA:infoblox_nios.log.dhcp.uid}$" - - "^%{WORD:event.action} on %{IP:client.ip} to %{MAC:client.mac} \\(%{DATA:infoblox_nios.log.dhcp.client_hostname}\\) via (%{IP:infoblox_nios.log.dhcp.interface.ip}|%{WORD:interface.name}) relay (%{IP:infoblox_nios.log.dhcp.relay.interface.ip}|%{WORD:infoblox_nios.log.dhcp.relay.interface.name}) lease-duration 
%{GREEDYDATA:infoblox_nios.log.dhcp.lease.duration:long}$" - - "^%{WORD:event.action} on %{IP:client.ip} to %{MAC:client.mac} via (%{IP:infoblox_nios.log.dhcp.interface.ip}|%{WORD:interface.name}) relay (%{IP:infoblox_nios.log.dhcp.relay.interface.ip}|%{WORD:infoblox_nios.log.dhcp.relay.interface.name}) lease-duration %{GREEDYDATA:infoblox_nios.log.dhcp.lease.duration:long}$" - - "^%{GREEDYDATA:infoblox_nios.log.dhcp.message}$" - - grok: - field: message - if: ctx.message.contains("DHCPRELEASE") - patterns: - - "^%{WORD:event.action} of %{IP:client.ip} from %{MAC:client.mac} \\(%{DATA:infoblox_nios.log.dhcp.client_hostname}\\) via (%{IP:infoblox_nios.log.dhcp.interface.ip}|%{WORD:interface.name}) \\(%{DATA:infoblox_nios.log.dhcp.release.info}\\) TransID %{DATA:infoblox_nios.log.dhcp.trans_id} uid %{GREEDYDATA:infoblox_nios.log.dhcp.uid}$" - - "^%{WORD:event.action} of %{IP:client.ip} from %{MAC:client.mac} via (%{IP:infoblox_nios.log.dhcp.interface.ip}|%{WORD:interface.name}) \\(%{DATA:infoblox_nios.log.dhcp.release.info}\\) TransID %{GREEDYDATA:infoblox_nios.log.dhcp.trans_id}$" - - "^%{GREEDYDATA:infoblox_nios.log.dhcp.message}$" - - grok: - field: message - if: ctx.message.contains("DHCPEXPIRE") - patterns: - - "^%{WORD:event.action} on %{IP:client.ip} to %{GREEDYDATA:client.mac}$" - - "^%{GREEDYDATA:infoblox_nios.log.dhcp.message}$" - - grok: - field: message - if: ctx.message.contains("DHCPINFORM") - patterns: - - "^%{WORD:event.action} from %{IP:client.ip} via (%{IP:infoblox_nios.log.dhcp.interface.ip}|%{WORD:interface.name}) TransID %{DATA:infoblox_nios.log.dhcp.trans_id}: %{GREEDYDATA:infoblox_nios.log.dhcp.inform.message}$" - - "^%{WORD:event.action} from %{IP:client.ip} via (%{IP:infoblox_nios.log.dhcp.interface.ip}|%{WORD:interface.name}) TransID %{GREEDYDATA:infoblox_nios.log.dhcp.trans_id}$" - - "^%{GREEDYDATA:infoblox_nios.log.dhcp.message}$" - - grok: - field: message - if: ctx.message.contains("DHCPDECLINE") - patterns: - - "^%{WORD:event.action} of 
%{IP:client.ip} from %{MAC:client.mac} via (%{IP:infoblox_nios.log.dhcp.interface.ip}|%{WORD:interface.name}) TransID %{DATA:infoblox_nios.log.dhcp.trans_id}: %{GREEDYDATA:infoblox_nios.log.dhcp.decline.message}$" - - "^%{WORD:event.action} of %{IP:client.ip} from %{MAC:client.mac} via (%{IP:infoblox_nios.log.dhcp.interface.ip}|%{WORD:interface.name}): %{GREEDYDATA:infoblox_nios.log.dhcp.decline.message}$" - - "^%{GREEDYDATA:infoblox_nios.log.dhcp.message}$" - - grok: - field: message - if: ctx.message.contains("DHCPNAK") - patterns: - - "^%{WORD:event.action} on %{IP:client.ip} to %{MAC:client.mac} via (%{IP:infoblox_nios.log.dhcp.interface.ip}|%{WORD:interface.name})$" - - "^%{GREEDYDATA:infoblox_nios.log.dhcp.message}$" - - grok: - field: message - if: ctx.message.contains("DHCPLEASEQUERY") - patterns: - - "^%{WORD:event.action} from %{IP:client.ip}: %{GREEDYDATA:infoblox_nios.log.dhcp.lease_query.message}$" - - "^%{GREEDYDATA:infoblox_nios.log.dhcp.message}$" - - grok: - field: message - if: ctx.message.contains("Encapsulated Solicit") - patterns: - - "^%{DATA:event.action} message from %{IP:client.ip} port %{NUMBER:client.port:long} from client DUID %{GREEDYDATA:infoblox_nios.log.dhcp.duid}, transaction ID %{GREEDYDATA:infoblox_nios.log.dhcp.trans_id}$" - - "^%{GREEDYDATA:infoblox_nios.log.dhcp.message}$" - - grok: - field: message - if: ctx.message.contains("Advertise NA") - patterns: - - "^%{DATA:event.action}: address %{IP:client.ip} to client with duid %{GREEDYDATA:infoblox_nios.log.dhcp.duid} iaid = -%{GREEDYDATA:infoblox_nios.log.dhcp.iaid} valid for %{NUMBER:infoblox_nios.log.dhcp.validation_second:long} seconds$" - - "^%{GREEDYDATA:infoblox_nios.log.dhcp.message}$" - - grok: - field: message - if: ctx.message.contains("Relay-forward") - patterns: - - "^%{DATA:event.action} message from %{IP:client.ip} port %{NUMBER:client.port:long}, link address %{IP:infoblox_nios.log.dhcp.link_address}, peer address %{IP:infoblox_nios.log.dhcp.peer_address}$" - - 
"^%{GREEDYDATA:infoblox_nios.log.dhcp.message}$" - - grok: - field: message - if: ctx.message.contains("Encapsulating Advertise") - patterns: - - "^%{DATA:event.action} message to send to %{IP:client.ip} port %{NUMBER:client.port:long}$" - - "^%{GREEDYDATA:infoblox_nios.log.dhcp.message}$" - - grok: - field: message - if: ctx.message.contains("Sending Relay-reply") - patterns: - - "^%{DATA:event.action} message to %{IP:client.ip} port %{NUMBER:client.port:long}$" - - "^%{GREEDYDATA:infoblox_nios.log.dhcp.message}$" - - grok: - field: message - if: ctx.event?.action == null - patterns: - - "^%{GREEDYDATA:infoblox_nios.log.dhcp.message}$" - - set: - field: '@timestamp' - value: '{{{event.created}}}' - if: ctx.event?.created != null - - lowercase: - field: event.action - ignore_failure: true - ignore_missing: true - - gsub: - field: client.mac - ignore_missing: true - pattern: '[-:.]' - replacement: '-' - - uppercase: - field: client.mac - ignore_missing: true - - append: - field: related.ip - value: '{{{client.ip}}}' - if: ctx.client?.ip != null - allow_duplicates: false - ignore_failure: true - - append: - field: related.ip - value: '{{{infoblox_nios.log.dhcp.link_address}}}' - if: ctx.infoblox_nios?.log?.dhcp?.link_address != null - allow_duplicates: false - ignore_failure: true - - append: - field: related.ip - value: '{{{infoblox_nios.log.dhcp.peer_address}}}' - if: ctx.infoblox_nios?.log?.dhcp?.peer_address != null - allow_duplicates: false - ignore_failure: true - - append: - field: related.ip - value: '{{{infoblox_nios.log.dhcp.router.ip}}}' - if: ctx.infoblox_nios?.log?.dhcp?.router?.ip != null - allow_duplicates: false - ignore_failure: true - - append: - field: related.ip - value: '{{{infoblox_nios.log.dhcp.interface.ip}}}' - if: ctx.infoblox_nios?.log?.dhcp?.interface?.ip != null - allow_duplicates: false - ignore_failure: true - - append: - field: related.ip - value: '{{{infoblox_nios.log.dhcp.relay.interface.ip}}}' - if: 
ctx.infoblox_nios?.log?.dhcp?.relay?.interface?.ip != null
- allow_duplicates: false
- ignore_failure: true
- - append:
- field: related.hosts
- value: '{{{infoblox_nios.log.dhcp.client_hostname}}}'
- if: ctx.infoblox_nios?.log?.dhcp?.client_hostname != null
- allow_duplicates: false
- ignore_failure: true
diff --git a/packages/infoblox_nios/1.3.1/data_stream/log/elasticsearch/ingest_pipeline/pipeline_dns.yml b/packages/infoblox_nios/1.3.1/data_stream/log/elasticsearch/ingest_pipeline/pipeline_dns.yml
deleted file mode 100755
index 733d88b201..0000000000
--- a/packages/infoblox_nios/1.3.1/data_stream/log/elasticsearch/ingest_pipeline/pipeline_dns.yml
+++ /dev/null
@@ -1,147 +0,0 @@ ---- -description: Pipeline for parsing Infoblox NIOS DNS logs. -processors: - - grok: - field: message - patterns: - - "^zone %{DATA:dns.question.name}/%{DATA:dns.question.class}: notify from %{IP:client.ip}#%{NUMBER:client.port:long}:? %{GREEDYDATA:infoblox_nios.log.dns.message}$" - - "^transfer of '%{DATA:dns.question.name}/%{DATA:dns.question.class}' from %{IP:client.ip}#%{NUMBER:client.port:long}:? %{GREEDYDATA:infoblox_nios.log.dns.message}$" - - "^validating %{DATA:dns.question.name}/%{WORD:dns.question.type}: %{GREEDYDATA:infoblox_nios.log.dns.message}$" - - "^(%{NOTSPACE:infoblox_nios.log.dns.category}:)?\\s*client %{DATA} %{IP:client.ip}#%{NUMBER:client.port:long}:? updating zone '%{DATA:dns.question.name}/%{DATA:dns.question.class}': %{GREEDYDATA:infoblox_nios.log.dns.message}$" - - "^(%{NOTSPACE:infoblox_nios.log.dns.category}:)?\\s*client %{DATA} %{IP:client.ip}#%{NUMBER:client.port:long}:? \\(%{DATA:client.domain}\\): query failed %{GREEDYDATA:infoblox_nios.log.dns.message}$" - - "^(%{NOTSPACE:infoblox_nios.log.dns.category}:)?\\s*client %{DATA} %{IP:client.ip}#%{NUMBER:client.port:long}:? \\(%{DATA:infoblox_nios.log.dns.before_query}\\): rewriting query name %{DATA} to '%{DATA:infoblox_nios.log.dns.after_query}', type %{DATA:dns.question.type}$" - - "^(%{NOTSPACE:infoblox_nios.log.dns.category}:)?\\s*client %{DATA} %{IP:client.ip}#%{NUMBER:client.port:long}:? \\(%{DATA:client.domain}\\): query: %{DATA:dns.question.name} %{DATA:dns.question.class} %{WORD:dns.question.type} %{DATA:infoblox_nios.log.dns.header_flags} \\(%{IP:server.ip}\\)$" - - "^(%{NOTSPACE:infoblox_nios.log.dns.category}:)?\\s*client %{IP:client.ip}#%{NUMBER:client.port:long}:? 
%{DATA:network.transport}: query: %{DATA:dns.question.name} %{DATA:dns.question.class} %{WORD:dns.question.type} response: %{DATA:dns.response_code} %{DATA:infoblox_nios.log.dns.header_flags}$" - - "^(%{NOTSPACE:infoblox_nios.log.dns.category}:)?\\s*client %{DATA} %{IP:client.ip}#%{NUMBER:client.port:long}:? \\(%{DATA:client.domain}\\): transfer of '%{DATA:dns.question.name}/%{DATA:dns.question.class}': %{GREEDYDATA:infoblox_nios.log.dns.message}$" - - "^(%{NOTSPACE:infoblox_nios.log.dns.category}:)?\\s*CEF:0\\|Infoblox\\|NIOS\\|%{GREEDYDATA:infoblox_nios.log.dns.version}\\|RPZ-%{DATA:dns.answers.type}\\|%{DATA:infoblox_nios.log.dns.answers_policy}\\|\\d+\\|app=DNS dst=%{IP:server.ip} src=%{IP:client.ip} spt=%{NUMBER:client.port:long} view=%{DATA:infoblox_nios.log.dns.view_name} qtype=%{WORD:dns.question.type} msg=%{GREEDYDATA:infoblox_nios.log.dns.message}$" - - "^(%{NOTSPACE:infoblox_nios.log.dns.category}:)?\\s*%{GREEDYDATA:timestamp} client %{IP:client.ip}#%{NUMBER:client.port:long}:? %{DATA:network.transport}: query: %{DATA:dns.question.name} %{DATA:dns.question.class} %{WORD:dns.question.type} response: %{DATA:dns.response_code} %{DATA:infoblox_nios.log.dns.header_flags} %{GREEDYDATA:repeat_message}$" - - "^(%{NOTSPACE:infoblox_nios.log.dns.category}:)?\\s*%{GREEDYDATA:timestamp} client %{IP:client.ip}#%{NUMBER:client.port:long}:? %{DATA:network.transport}: query: %{DATA:dns.question.name} %{DATA:dns.question.class} %{WORD:dns.question.type} response: %{DATA:dns.response_code} %{DATA:infoblox_nios.log.dns.header_flags}$" - - "^(%{NOTSPACE:infoblox_nios.log.dns.category}:)?\\s*client %{DATA} %{IP:client.ip}#%{NUMBER:client.port:long}:? 
%{GREEDYDATA:infoblox_nios.log.dns.message}$" - - "^%{GREEDYDATA:infoblox_nios.log.dns.message}$" - - date: - field: timestamp - if: ctx.timestamp != null - formats: - - dd-MMM-yyyy HH:mm:ss.SSS - - yyyy-MM-dd HH:mm:ss.SSS'Z' - ignore_failure: true - - split: - field: repeat_message - if: ctx.repeat_message != null - separator: ';' - ignore_missing: true - - trim: - field: repeat_message - ignore_missing: true - ignore_failure: true - - script: - lang: painless - if: ctx.repeat_message != null - source: - Map map = new HashMap(); - def arr = ctx.repeat_message; - map.put("name", new ArrayList()); - map.put("ttl", new ArrayList()); - map.put("class", new ArrayList()); - map.put("type", new ArrayList()); - map.put("data", new ArrayList()); - - for (def i = 0; i < arr?.length; i++) { - def response = arr[i].splitOnToken(" "); - map["name"].add(response[0]); - map["ttl"].add(response[1]); - map["class"].add(response[2]); - map["type"].add(response[3]); - map["data"].add(response[4]); - } - ctx.dns.answers = map; - - convert: - field: dns.answers.ttl - type: long - ignore_missing: true - ignore_failure: true - - lowercase: - field: network.transport - ignore_missing: true - ignore_failure: true - - foreach: - field: dns.answers.data - if: ctx.dns?.answers?.data != null - processor: - grok: - field: '_ingest._value' - patterns: - - "%{IP:related.ip}" - - "%{HOSTNAME:related.hosts}" - ignore_failure: true - - append: - field: related.ip - value: '{{{client.ip}}}' - if: ctx.client?.ip != null - allow_duplicates: false - ignore_failure: true - - append: - field: related.ip - value: '{{{server.ip}}}' - if: ctx.server?.ip != null - allow_duplicates: false - ignore_failure: true - - append: - field: related.hosts - value: '{{{client.domain}}}' - if: ctx.client?.domain != null - allow_duplicates: false - ignore_failure: true - - foreach: - field: dns.answers.name - if: ctx.dns?.answers?.name != null - processor: - append: - field: related.hosts - value: '{{_ingest._value}}' - 
allow_duplicates: false - ignore_failure: true - - append: - field: related.hosts - value: '{{{dns.question.name}}}' - if: ctx.dns?.question?.name != null - allow_duplicates: false - ignore_failure: true - - script: - lang: painless - if: ctx.infoblox_nios?.log?.dns?.header_flags != null && ctx.infoblox_nios.log.dns.header_flags != "" - params: - 'A': 'AA' - 't': 'TC' - 'C': 'CD' - 'D': 'DO' - source: | - ArrayList hf = new ArrayList(); - for (entry in params.entrySet()) { - if (ctx.infoblox_nios.log.dns.header_flags.contains(entry.getKey())) { - hf.add(entry.getValue()); - } - } - if (ctx.dns?.response_code != null && ctx.dns.response_code != "") { - if (ctx.infoblox_nios.log.dns.header_flags.contains("+")) { - hf.add("RA") - } - } else { - if (ctx.infoblox_nios.log.dns.header_flags.contains("+")) { - hf.add("RD") - } - } - if (hf.length == 0) { - return; - } - if (ctx.dns == null) { - HashMap hm = new HashMap(); - ctx.put("dns", hm); - } - ctx.dns.put("header_flags", hf); - - - remove: - field: - - timestamp - - repeat_message - ignore_missing: true diff --git a/packages/infoblox_nios/1.3.1/data_stream/log/fields/agent.yml b/packages/infoblox_nios/1.3.1/data_stream/log/fields/agent.yml deleted file mode 100755 index 6639aec94a..0000000000 --- a/packages/infoblox_nios/1.3.1/data_stream/log/fields/agent.yml +++ /dev/null 
@@ -1,189 +0,0 @@
-- name: cloud
- title: Cloud
- group: 2
- description: Fields related to the cloud or infrastructure the events are coming from.
- footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.'
- type: group
- fields:
- - name: account.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.'
- example: 666777888999
- - name: availability_zone
- level: extended
- type: keyword
- ignore_above: 1024
- description: Availability zone in which this host is running.
- example: us-east-1c
- - name: instance.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance ID of the host machine.
- example: i-1234567890abcdef0
- - name: instance.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance name of the host machine.
- - name: machine.type
- level: extended
- type: keyword
- ignore_above: 1024
- description: Machine type of the host machine.
- example: t2.medium
- - name: provider
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
- example: aws
- - name: region
- level: extended
- type: keyword
- ignore_above: 1024
- description: Region in which this host is running.
- example: us-east-1
- - name: project.id
- type: keyword
- description: Name of the project in Google Cloud.
- - name: image.id
- type: keyword
- description: Image ID for the cloud instance.
-- name: container
- title: Container
- group: 2
- description: 'Container fields are used for meta information about the specific container that is the source of information. These fields help correlate data based containers from any runtime.'
- type: group
- fields:
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: Unique container id.
- - name: image.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the image the container was built on.
- - name: labels
- level: extended
- type: object
- object_type: keyword
- description: Image labels.
- - name: name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Container name.
-- name: host
- title: Host
- group: 2
- description: 'A host is defined as a general computing instance. ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.'
- type: group
- fields:
- - name: architecture
- level: core
- type: keyword
- ignore_above: 1024
- description: Operating system architecture.
- example: x86_64
- - name: domain
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'Name of the domain of which the host is a member. For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.'
- example: CONTOSO
- default_field: false
- - name: hostname
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Hostname of the host. It normally contains what the `hostname` command returns on the host machine.'
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`.'
- - name: ip
- level: core
- type: ip
- description: Host ip addresses.
- - name: mac
- level: core
- type: keyword
- ignore_above: 1024
- description: Host mac addresses.
- - name: name
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.'
- - name: os.family
- level: extended
- type: keyword
- ignore_above: 1024
- description: OS family (such as redhat, debian, freebsd, windows).
- example: debian
- - name: os.kernel
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system kernel version as a raw string.
- example: 4.4.0-112-generic
- - name: os.name
- level: extended
- type: keyword
- ignore_above: 1024
- multi_fields:
- - name: text
- type: text
- norms: false
- default_field: false
- description: Operating system name, without the version.
- example: Mac OS X
- - name: os.platform
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system platform (such centos, ubuntu, windows).
- example: darwin
- - name: os.version
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system version as a raw string.
- example: 10.14.1
- - name: type
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.'
- - name: containerized
- type: boolean
- description: >
- If the host is a container.
-
- - name: os.build
- type: keyword
- example: "18D109"
- description: >
- OS build information.
-
- - name: os.codename
- type: keyword
- example: "stretch"
- description: >
- OS codename, if any.
-
-- name: input.type
- type: keyword
- description: Input type
-- name: log.offset
- type: long
- description: Log offset
-- name: log.source.address
- type: keyword
- description: Log source address
diff --git a/packages/infoblox_nios/1.3.1/data_stream/log/fields/base-fields.yml b/packages/infoblox_nios/1.3.1/data_stream/log/fields/base-fields.yml
deleted file mode 100755
index 0d1791ffed..0000000000
--- a/packages/infoblox_nios/1.3.1/data_stream/log/fields/base-fields.yml
+++ /dev/null
@@ -1,12 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: "@timestamp"
- type: date
- description: Event timestamp.
diff --git a/packages/infoblox_nios/1.3.1/data_stream/log/fields/ecs.yml b/packages/infoblox_nios/1.3.1/data_stream/log/fields/ecs.yml
deleted file mode 100755
index 97e76af642..0000000000
--- a/packages/infoblox_nios/1.3.1/data_stream/log/fields/ecs.yml
+++ /dev/null
@@ -1,158 +0,0 @@
-- description: |-
- The domain name of the client system.
- This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment.
- name: client.domain
- type: keyword
-- description: IP address of the client (IPv4 or IPv6).
- name: client.ip
- type: ip
-- description: |-
- MAC address of the client.
- The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen.
- name: client.mac
- type: keyword
-- description: Port of the client.
- name: client.port
- type: long
-- description: The class of DNS data contained in this resource record.
- name: dns.answers.class
- type: keyword
-- description: |-
- The data describing the resource.
- The meaning of this data depends on the type and class of the resource record.
- name: dns.answers.data
- type: keyword
-- description: |-
- The domain name to which this resource record pertains.
- If a chain of CNAME is being resolved, each answer's `name` should be the one that corresponds with the answer's `data`. It should not simply be the original `question.name` repeated.
- name: dns.answers.name
- type: keyword
-- description: The time interval in seconds that this resource record may be cached before it should be discarded. Zero values mean that the data should not be cached.
- name: dns.answers.ttl
- type: long
-- description: The type of data contained in this resource record.
- name: dns.answers.type
- type: keyword
-- description: Array of 2 letter DNS header flags.
- name: dns.header_flags
- normalize:
- - array
- type: keyword
-- description: The class of records being queried.
- name: dns.question.class
- type: keyword
-- description: |-
- The name being queried.
- If the name field contains non-printable characters (below 32 or above 126), those characters should be represented as escaped base 10 integers (\DDD). Back slashes and quotes should be escaped. Tabs, carriage returns, and line feeds should be converted to \t, \r, and \n respectively.
- name: dns.question.name
- type: keyword
-- description: The type of record being queried.
- name: dns.question.type
- type: keyword
-- description: The DNS response code.
- name: dns.response_code
- type: keyword
-- description: |-
- ECS version this event conforms to. `ecs.version` is a required field and must exist in all events.
- When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events.
- name: ecs.version
- type: keyword
-- description: |-
- This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy.
- `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory.
- This field is an array. This will allow proper categorization of some events that fall in multiple categories.
- name: event.category
- normalize:
- - array
- type: keyword
-- description: |-
- event.created contains the date/time when the event was first read by an agent, or by your pipeline.
- This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event.
- In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source.
- In case the two timestamps are identical, @timestamp should be used.
- name: event.created
- type: date
-- description: |-
- Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex.
- This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`.
- doc_values: false
- index: false
- name: event.original
- type: keyword
-- description: |-
- This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy.
- `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event.
- Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective.
- Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer.
- Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense.
- name: event.outcome
- type: keyword
-- description: |-
- This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy.
- `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization.
- This field is an array.
This will allow proper categorization of some events that fall in multiple event types.
- name: event.type
- normalize:
- - array
- type: keyword
-- description: Host ip addresses.
- name: host.ip
- normalize:
- - array
- type: ip
-- description: Interface name as reported by the system.
- name: interface.name
- type: keyword
-- description: |-
- Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate.
- If the event wasn't read from a log file, do not populate this field.
- name: log.file.path
- type: keyword
-- description: |-
- Syslog numeric priority of the event, if available.
- According to RFCs 5424 and 3164, the priority is 8 * facility + severity. This number is therefore expected to contain a value between 0 and 191.
- name: log.syslog.priority
- type: long
-- description: |-
- For log events the message field contains the log message, optimized for viewing in a log viewer.
- For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event.
- If multiple messages exist, they can be combined into one message.
- name: message
- type: match_only_text
-- description: |-
- Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.)
- The field value must be normalized to lowercase for querying.
- name: network.transport
- type: keyword
-- description: Process id.
- name: process.pid
- type: long
-- description: All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases.
- name: related.hosts
- normalize:
- - array
- type: keyword
-- description: All of the IPs seen on your event.
- name: related.ip
- normalize:
- - array
- type: ip
-- description: All the user names or other user identifiers seen on the event.
- name: related.user
- normalize:
- - array
- type: keyword
-- description: IP address of the server (IPv4 or IPv6).
- name: server.ip
- type: ip
-- description: List of keywords used to tag each event.
- name: tags
- normalize:
- - array
- type: keyword
-- description: Short name or login of the user.
- multi_fields:
- - name: text
- type: match_only_text
- name: user.name
- type: keyword
diff --git a/packages/infoblox_nios/1.3.1/data_stream/log/fields/fields.yml b/packages/infoblox_nios/1.3.1/data_stream/log/fields/fields.yml
deleted file mode 100755
index 46da64bf9b..0000000000
--- a/packages/infoblox_nios/1.3.1/data_stream/log/fields/fields.yml
+++ /dev/null
@@ -1,138 +0,0 @@
-- name: infoblox_nios.log
- type: group
- fields:
- - name: audit
- type: group
- fields:
- - name: apparently_via
- type: keyword
- - name: auth
- type: keyword
- - name: error
- type: text
- - name: group
- type: keyword
- - name: info
- type: text
- - name: ip
- type: ip
- - name: message
- type: text
- - name: object
- type: group
- fields:
- - name: name
- type: keyword
- - name: value
- type: keyword
- - name: to
- type: keyword
- - name: trigger_event
- type: keyword
- - name: dhcp
- type: group
- fields:
- - name: client_hostname
- type: keyword
- - name: decline
- type: group
- fields:
- - name: message
- type: keyword
- - name: duid
- type: keyword
- - name: discover
- type: group
- fields:
- - name: message
- type: keyword
- - name: iaid
- type: keyword
- - name: inform
- type: group
- fields:
- - name: message
- type: keyword
- - name: interface
- type: group
- fields:
- - name: ip
- type: ip
- - name: lease
- type: group
- fields:
- - name: duration
- type: long
- - name: message
- type: keyword
- - name: lease_query
- type: group
- fields:
- - name: message
- type: keyword
- - name: link_address
- type: keyword
- - name: message
- type: text
- - name: network
- type: keyword
- - name: offered_duration
- type: long
- - name: peer_address
- type: keyword
- - name: relay
- type: group
- fields:
- - name: interface
- type: group
- fields:
- - name: ip
- type: ip
- - name: name
- type: keyword
- - name: release
- type: group
- fields:
- - name: info
- type: keyword
- - name: request
- type: group
- fields:
- - name: message
- type: keyword
- - name: router
- type: group
- fields:
- - name: ip
- type: ip
- - name: trans_id
- type: keyword
- - name: uid
- type: keyword
- - name: validation_second
- type: long
- - name: dns
- type: group
- fields:
- - name: after_query
- type: text
- - name: answers_policy
- type: text
- - name: before_query
- type: text
- - name: category
- type: text
- - name: failed_message
- type: text
- - name: message
- type: text
- - name: view_name
- type: text
- - name: version
- type: text
- - name: header_flags
- type: keyword
- - name: service_name
- type: keyword
- - name: type
- type: keyword
diff --git a/packages/infoblox_nios/1.3.1/data_stream/log/manifest.yml b/packages/infoblox_nios/1.3.1/data_stream/log/manifest.yml
deleted file mode 100755
index 6c3a4495b2..0000000000
--- a/packages/infoblox_nios/1.3.1/data_stream/log/manifest.yml
+++ /dev/null
@@ -1,120 +0,0 @@
-title: Infoblox NIOS logs
-type: logs
-streams:
- - input: logfile
- title: Infoblox NIOS logs
- description: Collect Infoblox NIOS logs via file input.
- template_path: log.yml.hbs
- vars:
- - name: tags
- type: text
- title: Tags
- multi: true
- required: true
- show_user: false
- default:
- - forwarded
- - infoblox_nios-log
- - name: preserve_original_event
- required: true
- show_user: true
- title: Preserve original event
- description: Preserves a raw copy of the original event, added to the field `event.original`.
- type: bool
- multi: false
- default: false
- - name: tz_offset
- type: text
- title: Timezone Offset
- multi: false
- required: true
- show_user: true
- default: local
- description: >-
- By default, datetimes in the logs will be interpreted as relative to the timezone configured in the host where the agent is running. If ingesting logs from a host on a different timezone, use this field to set the timezone offset so that datetimes are correctly parsed. Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00") from UCT.
- - name: processors
- type: yaml
- title: Processors
- multi: false
- required: false
- show_user: false
- description: >-
- Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
- - input: tcp
- title: Infoblox NIOS logs
- description: Collect Infoblox NIOS logs via TCP input.
- template_path: tcp.yml.hbs
- vars:
- - name: tags
- type: text
- title: Tags
- multi: true
- required: true
- show_user: false
- default:
- - forwarded
- - infoblox_nios-log
- - name: preserve_original_event
- required: true
- show_user: true
- title: Preserve original event
- description: Preserves a raw copy of the original event, added to the field `event.original`.
- type: bool
- multi: false
- default: false
- - name: tz_offset
- type: text
- title: Timezone Offset
- multi: false
- required: true
- show_user: true
- default: local
- description: >-
- By default, datetimes in the logs will be interpreted as relative to the timezone configured in the host where the agent is running. If ingesting logs from a host on a different timezone, use this field to set the timezone offset so that datetimes are correctly parsed. Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00") from UCT.
- - name: processors
- type: yaml
- title: Processors
- multi: false
- required: false
- show_user: false
- description: >-
- Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
- - input: udp
- title: Infoblox NIOS logs
- description: Collect Infoblox NIOS logs via UDP input.
- template_path: udp.yml.hbs
- vars:
- - name: tags
- type: text
- title: Tags
- multi: true
- required: true
- show_user: false
- default:
- - forwarded
- - infoblox_nios-log
- - name: preserve_original_event
- required: true
- show_user: true
- title: Preserve original event
- description: Preserves a raw copy of the original event, added to the field `event.original`.
- type: bool
- multi: false
- default: false
- - name: tz_offset
- type: text
- title: Timezone Offset
- multi: false
- required: true
- show_user: true
- default: local
- description: >-
- By default, datetimes in the logs will be interpreted as relative to the timezone configured in the host where the agent is running. If ingesting logs from a host on a different timezone, use this field to set the timezone offset so that datetimes are correctly parsed. Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00") from UCT.
- - name: processors
- type: yaml
- title: Processors
- multi: false
- required: false
- show_user: false
- description: >-
- Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
diff --git a/packages/infoblox_nios/1.3.1/data_stream/log/sample_event.json b/packages/infoblox_nios/1.3.1/data_stream/log/sample_event.json
deleted file mode 100755
index dcfa26a665..0000000000
--- a/packages/infoblox_nios/1.3.1/data_stream/log/sample_event.json
+++ /dev/null
@@ -1,75 +0,0 @@
-{
- "@timestamp": "2011-10-19T12:43:47.375Z",
- "agent": {
- "ephemeral_id": "5181186c-7367-49da-8ad7-8120c441b527",
- "hostname": "docker-fleet-agent",
- "id": "9f26844a-9c52-4403-b9e6-9312b9761765",
- "name": "docker-fleet-agent",
- "type": "filebeat",
- "version": "7.17.0"
- },
- "data_stream": {
- "dataset": "infoblox_nios.log",
- "namespace": "ep",
- "type": "logs"
- },
- "ecs": {
- "version": "8.4.0"
- },
- "elastic_agent": {
- "id": "9f26844a-9c52-4403-b9e6-9312b9761765",
- "snapshot": false,
- "version": "7.17.0"
- },
- "event": {
- "action": "first_login",
- "agent_id_status": "verified",
- "created": "2022-03-22T14:26:54.000Z",
- "dataset": "infoblox_nios.log",
- "ingested": "2022-08-08T11:02:32Z"
- },
- "host": {
- "ip": "10.0.0.1"
- },
- "infoblox_nios": {
- "log": {
- "audit": {
- "apparently_via": "GUI first login",
- "auth": "LOCAL",
- "group": "admin-group",
- "ip": "10.0.0.2",
- "to": "AdminConnector"
- },
- "service_name": "httpd",
- "type": "AUDIT"
- }
- },
- "input": {
- "type": "tcp"
- },
- "log": {
- "source": {
- "address": "192.168.192.7:57184"
- },
- "syslog": {
- "priority": 29
- }
- },
- "message": "2011-10-19 12:43:47.375Z [user]: First_Login - - to=AdminConnector ip=10.0.0.2 auth=LOCAL group=admin-group apparently_via=GUI\\040first\\040login",
- "related": {
- "ip": [
- "10.0.0.2",
- "10.0.0.1"
- ],
- "user": [
- "user"
- ]
- },
- "tags": [
- "forwarded",
- "infoblox_nios-log"
- ],
- "user": {
- "name": "user"
- }
-}
\ No newline at end of file
diff --git a/packages/infoblox_nios/1.3.1/docs/README.md b/packages/infoblox_nios/1.3.1/docs/README.md
deleted file mode 100755
index e04bf926cc..0000000000
--- a/packages/infoblox_nios/1.3.1/docs/README.md
+++ /dev/null
@@ -1,345 +0,0 @@ -# Infoblox NIOS - -The Infoblox NIOS integration collects and parses DNS, DHCP, and Audit data collected from [Infoblox NIOS](https://www.infoblox.com/products/nios8/) via TCP/UDP or logfile. - -## Setup steps -1. Enable the integration with TCP/UDP input. -2. Log in to the NIOS appliance. -3. Configure the NIOS appliance to send messages to a Syslog server using the following steps. For further information, refer to [Using a Syslog Server](https://docs.infoblox.com/display/NAG8/Using+a+Syslog+Server#UsingaSyslogServer-SpecifyingSyslogServers). - 1. From the Grid tab, select the Grid Manager tab -> Members tab, and then navigate to Grid Properties -> Edit -> Monitoring from the Toolbar. - 2. Select **Log to External Syslog Servers** to send messages to a specified Syslog server. - 3. Click the **Add** icon to define a new Syslog server. - 4. Enter the IP **Address** of the Elastic Agent that is running the integration. - 5. Select **Transport** to connect to the external Syslog server. - 6. If you are using Secure TCP transport, upload a self-signed or a CA-signed **Server Certificate**. - 7. From the drop-down list select the **Interface** through which the appliance sends Syslog messages to the Syslog server. - 8. Select **Source** as **Any** so that the appliance sends both internal and external Syslog messages. - 9. From the drop-down list, select **Node ID** i.e. the host or node identification string that identifies the appliance from which Syslog messages are originated. - 10. Enter the **Port** of the Elastic Agent that is running the integration. - 11. Select **Debug** **Severity** so that the appliance sends all Syslog messages to the server. - 12. 
Select the following **Logging categories**: - - Common Authentication - - DHCP Process - - DNS Client - - DNSSEC - - DNS General - - DNS Notifies - - DNS Queries - - DNS Query Rewrites - - DNS Resolver - - DNS Responses - - DNS RPZ - - DNS Updates - - Non-system Authentication - - Zone Transfer In - - Zone Transfer Out - 13. Enable **Copy Audit Log Message to Syslog** to include audit log messages it sends to the Syslog server. - 14. Select **Syslog Facility** that determines the processes from which the log messages are generated. - -## Compatibility - -This module has been tested against `Infoblox NIOS version 8.6.1` with the below-given logs pattern. - -## Log samples -Below are the samples logs of the respective category: - -## Audit Logs: -``` -<141>Apr 13 22:14:36 ns1.infoblox.localdomain 10.50.1.227 httpd: 2022-04-13 16:44:36.850Z [user\040name]: Login_Denied - - to=AdminConnector ip=10.50.0.1 info=Local apparently_via=GUI -<29>Mar 21 09:53:51 infoblox.localdomain 10.0.0.1 httpd: 2022-03-21 08:53:51.087Z [service_account_test]: Login_Allowed - - to=AdminConnector ip=10.0.0.2 auth=LOCAL group=some-Group apparently_via=API -<29>Mar 22 14:26:54 10.0.0.1 httpd: 2011-10-19 19:48:37.299Z [admin]: Login_Allowed - - to=Serial\040Console apparently_via=Direct auth=Local group=admin-group -<29>Mar 22 14:26:54 10.0.0.1 httpd: 2011-10-19 14:02:32.750Z [admin]: Login_Denied - - to=Serial\040Console apparently_via=Direct error=invalid\040login\040or\040password -<29>Mar 22 14:26:54 10.0.0.1 httpd: 2011-10-19 12:43:47.375Z [user]: First_Login - - to=AdminConnector ip=10.0.0.2 auth=LOCAL group=admin-group apparently_via=GUI\040first\040login -<29>Mar 22 14:26:54 10.0.0.1 httpd: 2011-10-19 13:07:33.343Z [user]: Password_Reset_Error - - to=AdminConnector auth=LOCALgroup=admin-group apparently_via=GUI -<29>Mar 18 13:40:05 10.0.0.1 httpd: 2022-03-21 17:19:02.204Z [admin]: Modified Network 192.168.0.0/24 network_view=default: Changed 
dhcp_members:[]->[[grid_member=Member:infoblox.localdomain]] -<29>Mar 18 13:40:05 10.0.0.1 httpd: 2022-03-24 09:37:29.261Z [admin]: Created Network 192.168.0.0/24 network_view=default: Set extensible_attributes=[],address="192.168.2.0",auto_create_reversezone=False,cidr=24,comment="",common_properties=[domain_name_servers=[],routers=[]],dhcp_members=[[grid_member=Member:infoblox.localdomain]],disabled=False,discovery_member=NULL,enable_discovery=False,enable_immediate_discovery=False,network_view=NetworkView:default,use_basic_polling_settings=False,use_member_enable_discovery=False,vlans=[] -<29>Mar 18 13:40:05 10.0.0.1 httpd: 2022-03-18 11:46:38.877Z [admin]: Modified MemberDhcp infoblox.localdomain: Changed enable_service:False->True -<29>Mar 18 13:40:05 10.0.0.1 httpd: 2022-03-29 19:29:20.468Z [admin]: Called - RestartService: Args services=["ALL"],parents=[],force=True,mode="GROUPED" -<29>Mar 18 13:40:05 10.0.0.1 httpd: 2022-03-29 18:30:58.656Z [admin]: Created Ruleset Block: Set comment="",disabled=True,name="Block",type="BLACKLIST" -<29>Mar 18 13:40:05 10.0.0.1 httpd: 2022-03-24 09:28:24.476Z [admin]: Called - TransferTrafficCapture message=Download\040Traffic\040capture\040file: Args message="Download Traffic capture file",members=[Member:infoblox.localdomain] -<29>Mar 21 16:08:08 10.0.0.1 httpd: 2022-03-21 15:08:08.238Z [service_account_test]: Created HostAddress 10.0.0.1 network_view=default: Set address="10.0.0.1",configure_for_dhcp=False,match_option="MAC_ADDRESS",parent=HostRecord:._default.tld.domain.subdomain.hostrecord -<29>Mar 21 16:08:08 10.0.0.1 httpd: 2022-03-21 15:08:08.239Z [service_account_test]: Created HostRecord somerecord.subdomain.domain.tld DnsView=default alias=somealias.subdomain.domain.tld address=10.0.0.1: Set 
extensible_attributes=[[name="NAC-Policy",value="Host"]],addresses=[address="10.0.0.1"],aliases=[HostAlias:._default.tld.domain.subdomain.somealias.._default.tld.domain.subdomain.somehostrecord],fqdn="somerecord.subdomain.domain.tld" -<29>Mar 21 16:08:48 10.0.0.1 httpd: 2022-03-21 15:08:48.455Z [service_account_test]: Deleted HostRecord somerecord.subdomain.domain.tld DnsView=default address=10.0.0.0 -<29>Mar 22 14:26:54 10.0.0.1 httpd: 2022-03-22 13:26:54.596Z [some_admin_account]: Deleted CaaRecord somecaarecord.domain.tld DnsView=default -<29>Mar 22 14:26:54 10.0.0.1 httpd: 2022-03-22 13:26:54.596Z [some_admin_account]: Created HostAddress 192.168.0.0 network_view=default: Set address="192.168.0.0",configure_for_dhcp=True,mac_address="01:01:01:01:01:01",match_option="MAC_ADDRESS",network=Network:192.168.0.0/24\054network_view\075default,parent=HostRecord:._default.test.test3,reserved_interface=NULL,use_for_ea_inheritance=True -<29>Mar 22 14:26:54 10.0.0.1 httpd: 2022-03-22 13:26:54.596Z [some_admin_account]: Modified Network 192.168.0.0/24 network_view=default: Changed dhcp_members:[]->[[grid_member=Member:infoblox.localdomain]] -<29>Mar 18 13:40:05 10.0.0.1 httpd: 2022-03-18 12:40:05.241Z [adminuser]: Modified Grid Unibe-DNS-Grid: Changed backup_setting:[password="******",restore_password="******"]->[password="******",restore_password="******"],csp_api_config:[password="******"]->[password="******"],csp_settings:[csp_join_token="******"]->[csp_join_token="******"],download_member_conf:[[interface="ANY",is_online=True,member="Member:Grid Master"]]->[[interface="ANY",is_online=True,member=NULL]],email_setting:[password="******"]->[password="******"],http_proxy_server_setting:NULL->[password="******"],snmp_setting:[snmpv3_queries_users=NULL]->[snmpv3_queries_users=[]],syslog_servers:[[address="10.0.0.2"],[address="10.0.0.3"]]->[[address="10.0.0.4"]] -``` -## DNS Logs: -``` -<45>Mar 11 23:51:31 infoblox.localdomain named[17742]: 07-Apr-2022 08:08:10.043 client 
192.168.0.1#50565 UDP: query: test.com IN A response: REFUSED - -<30>Mar 11 23:51:31 infoblox.localdomain named[17742]: 07-Apr-2022 08:08:10.043 client 192.168.0.1#57398 UDP: query: a2.foo.com IN A response: NOERROR +AED a2.foo.com 28800 IN A 192.168.0.3; -<30>Mar 11 23:51:31 infoblox.localdomain named[17742]: 07-Apr-2022 08:08:10.043 client 192.168.0.1#57398 UDP: query: non-exist.foo.com IN A response: NXDOMAIN +ED -<45>Mar 11 23:51:31 infoblox.localdomain named[17742]: 07-Apr-2022 08:08:10.043 client 192.168.0.1#57398 UDP: query: a1.foo.com IN A response: NOERROR +ED a1.foo.com 28800 IN A 192.168.0.2; a1.foo.com 28800 IN A 192.168.0.3; -<30>Mar 9 23:59:59 infoblox.localdomain named[17742]: client @0x7f1dd4114af0 192.168.0.1#59735 (config.nos-avg.cz): query failed (REFUSED) for config.nos-avg.cz/IN/TXT at query.c:10288 -<30>Mar 9 23:59:59 infoblox.localdomain named[17742]: client @0x7f1dd4114af0 192.168.0.1#59735 (config.nos-avg.cz): query: config.nos-avg.cz IN TXT + (192.168.0.1) -<30>Mar 11 23:51:31 infoblox.localdomain named[27014]: rpz: rpz1.com: reload start -<30>Mar 11 23:51:31 infoblox.localdomain named[29914]: client @0x7ff42c168b50 192.168.0.1#50460 (test.com): rewriting query name 'test.com' to 'query123-10-120-20-93.test.com', type A -<30>Mar 11 23:51:31 infoblox.localdomain named[19204]: client @0x7fec7c11dab0 192.168.0.1#36483: updating zone 'test1.com/IN': adding an RR at 'a6.test1.com' A 192.168.0.2 -<30>Mar 11 23:51:31 infoblox.localdomain named[28468]: CEF:0|Infoblox|NIOS|8.6.2-49634-e88e9df276a8|RPZ-QNAME|NXDOMAIN|7|app=DNS dst=192.168.0.1 src=192.168.0.1 spt=51424 view=_default qtype=A msg="rpz QNAME NXDOMAIN rewrite nxd1.com [A] via nxd1.com.rpz1.com" CAT=RPZ -<30>Mar 11 23:51:31 infoblox.localdomain named[7741]: zone local_7.com/IN: notify from 192.168.0.1#46982: zone is up to date -<30>Mar 11 23:51:31 infoblox.localdomain named[7741]: responses: client @0x7fb550117f90 192.168.0.1#46982: received notify for zone 'local_14.com' -<30>Mar 11 
23:51:31 infoblox.localdomain named[15242]: transfer of 'test.com/IN' from 192.168.0.1#53: Transfer status: success -<30>Mar 11 23:51:31 infoblox.localdomain named[15242]: transfer of 'test.com/IN' from 192.168.0.1#53: Transfer completed: 1 messages, 9 records, 326 bytes, 0.001 secs (326000 bytes/sec) -<30>Mar 11 23:51:31 infoblox.localdomain named[56199]: client @0x7f7e6c2809f0 192.168.0.1#57027 (test.com): transfer of 'test.com/IN': AXFR started (serial 3) -<30>Mar 11 23:51:31 infoblox.localdomain named[56199]: client @0x7f7e6c2809f0 192.168.0.1#57027 (test.com): transfer of 'test.com/IN': AXFR ended -<30>Mar 11 23:51:31 infoblox.localdomain named[30325]: resolver priming query complete -<30>Mar 11 23:51:31 infoblox.localdomain named[1127]: validating test.com/DNSKEY: unable to find a DNSKEY which verifies the DNSKEY RRset and also matches a trusted key for 'test.com' -<30>Mar 11 23:51:31 infoblox.localdomain named[1127]: validating test.com/NSEC: bad cache hit (test.com/DNSKEY) -<30>Mar 11 23:51:31 infoblox.localdomain named[1127]: validating hostrec3.test.com/NSEC: bad cache hit (test.com/DNSKEY) -<30>Apr 14 16:17:20 10.0.0.1 named[2588]: infoblox-responses: 14-Apr-2022 16:17:20.046 client 192.168.0.1#57738: UDP: query: settings-win.data.microsoft.com IN A response: REFUSED - -<30>Apr 14 16:16:05 10.0.0.1 named[2588]: queries: client @0x7f97e40eb500 192.168.0.1#64727 (ocsp.digicert.com): query: ocsp.digicert.com IN A + (192.168.1.10) -<30>Apr 14 16:16:05 10.0.0.1 named[2588]: query-errors: client @0x7f97e40eb500 192.168.0.1#64727 (ocsp.digicert.com): query failed (REFUSED) for ocsp.digicert.com/IN/A at query.c:10288 -``` -## DHCP Logs: -``` -<30>Mar 27 08:32:59 infoblox.localdomain dhcpd[1761]: DHCPDISCOVER from 00:50:56:83:6c:a0 (DESKTOP-ABCD) via eth3 TransID a76ecf84 uid 01:00:50:56:83:6c:a0 -<30>Mar 27 08:32:59 infoblox.localdomain 10.0.0.1 dhcpd[7024]: DHCPDISCOVER from 00:50:56:83:6c:a0 via eth3 TransID b5e92c59 uid 01:00:50:56:83:6c:a0 -<30>Mar 27 
08:32:59 10.0.0.1 dhcpd[2750]: DHCPDISCOVER from 00:50:56:83:d0:f6 via eth1 TransID 6214ab45: network 10.50.0.0/20: no free leases -<30>Mar 27 08:32:59 infoblox.localdomain dhcpd[21114]: DHCPDISCOVER from 00:50:56:83:6c:a0 via eth3 TransID 748f30ab -<30>Mar 27 08:32:59 infoblox_localdomain.com dhcpd[29258]: DHCPDISCOVER from 00:00:00:00:00:00 (h000000000000) via 192.168.0.2 TransID 01000000 -<30>Mar 27 08:32:59 infoblox.localdomain dhcpd[2567]: DHCPOFFER on 192.168.0.4 to 00:50:56:83:6c:a0 (DESKTOP-ABCD) via eth3 relay eth3 lease-duration 119 offered-duration 1800 uid 01:00:50:56:83:6c:a0 -<30>Mar 27 08:32:59 infoblox.localdomain dhcpd[21114]: DHCPOFFER on 192.168.0.4 to 00:50:56:83:6c:a0 (DESKTOP-ABCD) via eth3 relay eth3 lease-duration 120 offered-duration 1800 -<30>Mar 31 15:30:05 10.0.0.1 dhcpd[15752]: DHCPOFFER on 192.168.0.4 to 26:9a:76:87:8a:06 via eth2 relay 192.168.0.3 lease-duration 1795 uid 01:26:9a:76:87:8a:06 -<30>Mar 27 08:32:59 infoblox_localdomain.com dhcpd[29258]: DHCPOFFER on 192.168.0.4 to 00:00:00:00:00:00 via eth1 relay 192.168.0.3 lease-duration 43137 offered-duration 43200 -<30>Mar 27 08:32:59 infoblox.localdomain dhcpd[6939]: DHCPOFFER on 192.168.0.4 to cc:bb:cc:dd:ee:ff via eth1 relay 192.168.0.3 lease-duration 120 -<30>Mar 27 08:32:59 infoblox.localdomain dhcpd[2567]: DHCPREQUEST for 192.168.0.4 (192.168.0.1) from 00:50:56:83:6c:a0 (DESKTOP-ABCD) via eth3 TransID 54737448 uid 01:00:50:56:83:6c:a0 (RENEW) -<30>Mar 27 08:32:59 infoblox.localdomain dhcpd[2567]: DHCPREQUEST for 192.168.0.4 (192.168.0.1) from 00:50:56:83:6c:a0 (DESKTOP-ABCD) via eth3 TransID 8767dc3c uid 01:00:50:56:83:6c:a0 -<30>Mar 27 08:32:59 infoblox.localdomain dhcpd[4495]: DHCPREQUEST for 192.168.0.4 from 00:50:56:83:6c:a0 (DESKTOP-ABCD) via eth3 TransID 54ade258 uid 01:00:50:56:83:6c:a0 (RENEW) -<30>Mar 27 08:32:59 infoblox.localdomain dhcpd[4495]: DHCPREQUEST for 192.168.0.4 from 00:50:56:83:6c:a0 via eth3 TransID a18a70a0 uid 01:00:50:56:83:6c:a0 -<30>Mar 27 08:32:59 
infoblox.localdomain dhcpd[25637]: DHCPREQUEST for 192.168.0.4 (192.168.0.1) from 00:50:56:83:d3:83 via eth1 TransID 3ca1e0b7: unknown lease 192.168.0.4. -<30>Apr 6 10:13:31 infoblox.localdomain dhcpd[22730]: DHCPREQUEST for 192.168.0.4 from 00:50:56:83:6c:a0 (DESKTOP-ABCD) via eth3 TransID 542900fa uid 01:00:50:56:83:6c:a0: database update failed -<30>Mar 27 08:32:59 infoblox.localdomain dhcpd[21114]: DHCPREQUEST for 192.168.0.4 (192.168.0.1) from 00:50:56:83:6c:a0 via eth3 TransID 748f30ab -<30>Mar 27 08:32:59 infoblox.localdomain dhcpd[30827]: DHCPREQUEST for 192.168.0.4 from 00:50:56:83:96:03 via eth1 TransID 9cf7c9e9: ignored (not authoritative). -<30>Mar 27 08:32:59 infoblox.localdomain dhcpd[21114]: DHCPREQUEST for 192.168.0.4 from 00:50:56:83:6c:a0 via eth3 TransID 2d422d0c -<30>Mar 31 15:30:06 10.0.0.1 dhcpd[15752]: DHCPREQUEST for 192.168.0.4 from 9a:df:6e:f6:1f:23 via 192.168.0.2 TransID 15ca711f uid 01:9a:df:6e:f6:1f:23 (RENEW) -<30>Mar 27 08:32:59 infoblox_localdomain.com dhcpd[29258]: DHCPREQUEST for 192.168.0.4 (192.168.0.1) from 00:00:00:00:00:00 via 192.168.0.3 TransID 01000000 (RENEW) -<30>Mar 27 08:32:59 infoblox.localdomain dhcpd[17530]: DHCPACK on 192.168.0.4 to 00:50:56:83:6c:a0 (DESKTOP-ABCD) via eth3 relay eth3 lease-duration 1800 (RENEW) uid 01:00:50:56:83:6c:a0 -<30>Mar 27 08:32:59 infoblox.localdomain dhcpd[2567]: DHCPACK on 192.168.0.4 to 00:50:56:83:6c:a0 (DESKTOP-ABCD) via eth3 relay eth3 lease-duration 1800 uid 01:00:50:56:83:6c:a0 -<30>Mar 27 08:32:59 infoblox.localdomain dhcpd[21114]: DHCPACK on 192.168.0.4 to 00:50:56:83:6c:a0 (DESKTOP-ABCD) via eth3 relay eth3 lease-duration 1800 -<30>Mar 27 08:32:59 10.0.0.1 dhcpd[15752]: DHCPACK on 192.168.0.4 to 9a:df:6e:f6:1f:23 via eth2 relay 192.168.0.3 lease-duration 7257600 (RENEW) uid 01:9a:df:6e:f6:1f:23 -<30>Mar 27 08:32:59 infoblox_localdomain.com dhcpd[29258]: DHCPACK on 192.168.0.4 to 00:00:00:00:00:00 (h000000000000) via eth1 relay 192.168.0.3 lease-duration 43200 (RENEW) -<30>Mar 
27 08:32:59 infoblox.localdomain dhcpd[6939]: DHCPACK on 192.168.0.4 to cc:bb:cc:dd:ee:ff via eth1 relay 192.168.0.3 lease-duration 43200
-<30>Mar 27 08:32:59 infoblox.localdomain dhcpd[1761]: DHCPRELEASE of 192.168.0.4 from 00:50:56:83:6c:a0 (DESKTOP-ABCD) via eth3 (found) TransID 0286f3d0 uid 01:00:50:56:83:6c:a0
-<30>Mar 27 08:32:59 infoblox.localdomain dhcpd[21114]: DHCPRELEASE of 192.168.0.4 from 00:50:56:83:6c:a0 via eth3 (not found) TransID 665fd9f1
-<30>Mar 27 08:32:59 infoblox.localdomain dhcpd[20397]: DHCPEXPIRE on 192.168.0.4 to 00:50:56:83:6c:a0
-<30>Mar 18 13:35:15 10.0.0.1 dhcpd[18078]: DHCPINFORM from 192.168.0.4 via 192.168.0.2 TransID 5713b740
-<30>Mar 18 13:35:15 10.0.0.1 dhcpd[18078]: DHCPINFORM from 192.168.0.4 via eth2 TransID 5713b740
-<30>Mar 27 08:32:59 infoblox.localdomain dhcpd[6939]: DHCPINFORM from 192.168.0.4 via 192.168.0.2 TransID 78563412: not authoritative for subnet 10.0.0.0
-<30>Mar 18 11:44:52 10.0.0.1 dhcpd[32243]: DHCPDECLINE of 192.168.0.4 from 34:29:8f:71:b8:99 via 192.168.0.2 TransID 00000000: not found
-<30>Mar 7 08:32:59 infoblox.localdomain dhcpd[20397]: DHCPDECLINE of 192.168.0.4 from 00:c0:dd:07:18:e2 via 192.168.0.2: abandoned\n
-<30>Mar 27 08:32:59 infoblox.localdomain dhcpd[20397]: DHCPNAK on 192.168.0.4 to f4:30:b9:17:ab:0e via 192.168.0.2
-<30>Mar 27 08:32:59 infoblox.localdomain dhcpd[6939]: DHCPLEASEQUERY from 192.168.0.4: LEASEQUERY not allowed, query ignored
-<30>Jul 12 15:07:57 67.43.156.0 dhcpd[8061]: DHCPOFFER on 67.43.156.0 to 9a:df:6e:f6:1f:23 via eth2 relay 67.43.156.0 lease-duration 40977 offered-duration 43200 uid 01:9a:df:6e:f6:1f:23
-<30>Jul 12 15:10:48 67.43.156.0 dhcpd[13468]: DHCPACK on 67.43.156.0 to 9a:df:6e:f6:1f:23 via eth2 relay 67.43.156.0 lease-duration 7257600 (RENEW)
-<30>Jul 12 15:55:55 67.43.156.0 dhcpdv6[12271]: Encapsulated Solicit message from 2a02:cf40:: port 547 from client DUID 01:9a:df:6e:f6:1f:23:01:9a:df:6e:f6:1f:23, transaction ID 0x698AD400
-<30>Jul 12 15:55:55 67.43.156.0 
dhcpdv6[12271]: Advertise NA: address 2a02:cf40:: to client with duid 01:9a:df:6e:f6:1f:23:01:9a:df:6e:f6:1f:23 iaid = -1620146908 valid for 43200 seconds -<30>Jul 12 15:55:55 67.43.156.0 dhcpdv6[12271]: Relay-forward message from 2a02:cf40:: port 547, link address 2a02:cf40::1, peer address 2a02:cf40::2 -<30>Jul 12 15:55:55 67.43.156.0 dhcpdv6[12271]: Encapsulating Advertise message to send to 2a02:cf40:: port 547 -<30>Jul 12 15:55:55 67.43.156.0 dhcpdv6[12271]: Sending Relay-reply message to 2a02:cf40:: port 547 -``` - -## Logs - -This is the `log` dataset. - -An example event for `log` looks as following: - -```json -{ - "@timestamp": "2011-10-19T12:43:47.375Z", - "agent": { - "ephemeral_id": "5181186c-7367-49da-8ad7-8120c441b527", - "hostname": "docker-fleet-agent", - "id": "9f26844a-9c52-4403-b9e6-9312b9761765", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "7.17.0" - }, - "data_stream": { - "dataset": "infoblox_nios.log", - "namespace": "ep", - "type": "logs" - }, - "ecs": { - "version": "8.4.0" - }, - "elastic_agent": { - "id": "9f26844a-9c52-4403-b9e6-9312b9761765", - "snapshot": false, - "version": "7.17.0" - }, - "event": { - "action": "first_login", - "agent_id_status": "verified", - "created": "2022-03-22T14:26:54.000Z", - "dataset": "infoblox_nios.log", - "ingested": "2022-08-08T11:02:32Z" - }, - "host": { - "ip": "10.0.0.1" - }, - "infoblox_nios": { - "log": { - "audit": { - "apparently_via": "GUI first login", - "auth": "LOCAL", - "group": "admin-group", - "ip": "10.0.0.2", - "to": "AdminConnector" - }, - "service_name": "httpd", - "type": "AUDIT" - } - }, - "input": { - "type": "tcp" - }, - "log": { - "source": { - "address": "192.168.192.7:57184" - }, - "syslog": { - "priority": 29 - } - }, - "message": "2011-10-19 12:43:47.375Z [user]: First_Login - - to=AdminConnector ip=10.0.0.2 auth=LOCAL group=admin-group apparently_via=GUI\\040first\\040login", - "related": { - "ip": [ - "10.0.0.2", - "10.0.0.1" - ], - "user": [ - "user" 
- ] - }, - "tags": [ - "forwarded", - "infoblox_nios-log" - ], - "user": { - "name": "user" - } -} -``` - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| client.domain | The domain name of the client system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | -| client.ip | IP address of the client (IPv4 or IPv6). | ip | -| client.mac | MAC address of the client. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | -| client.port | Port of the client. | long | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. 
| constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| dns.answers.class | The class of DNS data contained in this resource record. | keyword | -| dns.answers.data | The data describing the resource. The meaning of this data depends on the type and class of the resource record. | keyword | -| dns.answers.name | The domain name to which this resource record pertains. If a chain of CNAME is being resolved, each answer's `name` should be the one that corresponds with the answer's `data`. It should not simply be the original `question.name` repeated. | keyword | -| dns.answers.ttl | The time interval in seconds that this resource record may be cached before it should be discarded. Zero values mean that the data should not be cached. | long | -| dns.answers.type | The type of data contained in this resource record. | keyword | -| dns.header_flags | Array of 2 letter DNS header flags. | keyword | -| dns.question.class | The class of records being queried. | keyword | -| dns.question.name | The name being queried. If the name field contains non-printable characters (below 32 or above 126), those characters should be represented as escaped base 10 integers (\DDD). Back slashes and quotes should be escaped. Tabs, carriage returns, and line feeds should be converted to \t, \r, and \n respectively. | keyword | -| dns.question.type | The type of record being queried. | keyword | -| dns.response_code | The DNS response code. | keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. 
`event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | -| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | -| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. 
Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. 
| keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| infoblox_nios.log.audit.apparently_via | | keyword | -| infoblox_nios.log.audit.auth | | keyword | -| infoblox_nios.log.audit.error | | text | -| infoblox_nios.log.audit.group | | keyword | -| infoblox_nios.log.audit.info | | text | -| infoblox_nios.log.audit.ip | | ip | -| infoblox_nios.log.audit.message | | text | -| infoblox_nios.log.audit.object.name | | keyword | -| infoblox_nios.log.audit.object.value | | keyword | -| infoblox_nios.log.audit.to | | keyword | -| infoblox_nios.log.audit.trigger_event | | keyword | -| infoblox_nios.log.dhcp.client_hostname | | keyword | -| infoblox_nios.log.dhcp.decline.message | | keyword | -| infoblox_nios.log.dhcp.discover.message | | keyword | -| infoblox_nios.log.dhcp.duid | | keyword | -| infoblox_nios.log.dhcp.iaid | | keyword | -| infoblox_nios.log.dhcp.inform.message | | keyword | -| infoblox_nios.log.dhcp.interface.ip | | ip | -| infoblox_nios.log.dhcp.lease.duration | | long | -| infoblox_nios.log.dhcp.lease.message | | keyword | -| infoblox_nios.log.dhcp.lease_query.message | | keyword | -| infoblox_nios.log.dhcp.link_address | | keyword | -| infoblox_nios.log.dhcp.message | | text | -| infoblox_nios.log.dhcp.network | | keyword | -| infoblox_nios.log.dhcp.offered_duration | | long | -| infoblox_nios.log.dhcp.peer_address | | keyword 
| -| infoblox_nios.log.dhcp.relay.interface.ip | | ip | -| infoblox_nios.log.dhcp.relay.interface.name | | keyword | -| infoblox_nios.log.dhcp.release.info | | keyword | -| infoblox_nios.log.dhcp.request.message | | keyword | -| infoblox_nios.log.dhcp.router.ip | | ip | -| infoblox_nios.log.dhcp.trans_id | | keyword | -| infoblox_nios.log.dhcp.uid | | keyword | -| infoblox_nios.log.dhcp.validation_second | | long | -| infoblox_nios.log.dns.after_query | | text | -| infoblox_nios.log.dns.answers_policy | | text | -| infoblox_nios.log.dns.before_query | | text | -| infoblox_nios.log.dns.category | | text | -| infoblox_nios.log.dns.failed_message | | text | -| infoblox_nios.log.dns.header_flags | | keyword | -| infoblox_nios.log.dns.message | | text | -| infoblox_nios.log.dns.version | | text | -| infoblox_nios.log.dns.view_name | | text | -| infoblox_nios.log.service_name | | keyword | -| infoblox_nios.log.type | | keyword | -| input.type | Input type | keyword | -| interface.name | Interface name as reported by the system. | keyword | -| log.file.path | Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. | keyword | -| log.offset | Log offset | long | -| log.source.address | Log source address | keyword | -| log.syslog.priority | Syslog numeric priority of the event, if available. According to RFCs 5424 and 3164, the priority is 8 \* facility + severity. This number is therefore expected to contain a value between 0 and 191. | long | -| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. 
| match_only_text | -| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword | -| process.pid | Process id. | long | -| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| related.user | All the user names or other user identifiers seen on the event. | keyword | -| server.ip | IP address of the server (IPv4 or IPv6). | ip | -| tags | List of keywords used to tag each event. | keyword | -| user.name | Short name or login of the user. | keyword | -| user.name.text | Multi-field of `user.name`. | match_only_text | - diff --git a/packages/infoblox_nios/1.3.1/img/infoblox-logo.svg b/packages/infoblox_nios/1.3.1/img/infoblox-logo.svg deleted file mode 100755 index 57b4d23b16..0000000000 --- a/packages/infoblox_nios/1.3.1/img/infoblox-logo.svg +++ /dev/null @@ -1,93 +0,0 @@ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - diff --git a/packages/infoblox_nios/1.3.1/img/infoblox-nios-screenshot.png b/packages/infoblox_nios/1.3.1/img/infoblox-nios-screenshot.png deleted file mode 100755 index ea8b7935ca..0000000000 Binary files a/packages/infoblox_nios/1.3.1/img/infoblox-nios-screenshot.png and /dev/null differ diff --git a/packages/infoblox_nios/1.3.1/kibana/dashboard/infoblox_nios-27c573b0-b4d8-11ec-80e1-4bd67c5762eb.json b/packages/infoblox_nios/1.3.1/kibana/dashboard/infoblox_nios-27c573b0-b4d8-11ec-80e1-4bd67c5762eb.json deleted file mode 100755 index 7b6a74c275..0000000000 --- a/packages/infoblox_nios/1.3.1/kibana/dashboard/infoblox_nios-27c573b0-b4d8-11ec-80e1-4bd67c5762eb.json +++ /dev/null 
@@ -1,67 +0,0 @@ -{ - "attributes": { - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"infoblox_nios.log\\\" and infoblox_nios.log.type : \\\"DHCP\\\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"e82ae83d-3d73-4648-9ce6-3dc1fd98830e\",\"w\":24,\"x\":0,\"y\":0},\"panelIndex\":\"e82ae83d-3d73-4648-9ce6-3dc1fd98830e\",\"panelRefName\":\"panel_0\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"d0884783-30e6-47ed-bfca-99d4b0b423e9\",\"w\":24,\"x\":24,\"y\":0},\"panelIndex\":\"d0884783-30e6-47ed-bfca-99d4b0b423e9\",\"panelRefName\":\"panel_1\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"eb62be57-7cb6-4431-96fd-6b1c7f8ecd8b\",\"w\":24,\"x\":0,\"y\":15},\"panelIndex\":\"eb62be57-7cb6-4431-96fd-6b1c7f8ecd8b\",\"panelRefName\":\"panel_2\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"5ab31944-bb04-4fcd-9734-6dd0a050581b\",\"w\":24,\"x\":24,\"y\":30},\"panelIndex\":\"5ab31944-bb04-4fcd-9734-6dd0a050581b\",\"panelRefName\":\"panel_3\",\"type\":\"search\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"e143f9bd-b200-4a66-b58b-e0ecda3bb8b9\",\"w\":24,\"x\":0,\"y\":30},\"panelIndex\":\"e143f9bd-b200-4a66-b58b-e0ecda3bb8b9\",\"panelRefName\":\"panel_4\",\"title\":\"Top 10 MAC Address [Logs Infoblox 
NIOS]\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"2720e747-2fe6-431c-ba1c-ca7f7cb648ba\",\"w\":24,\"x\":24,\"y\":45},\"panelIndex\":\"2720e747-2fe6-431c-ba1c-ca7f7cb648ba\",\"panelRefName\":\"panel_5\",\"type\":\"search\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"b3562120-30fb-4068-8f51-016a4d463d54\",\"w\":24,\"x\":24,\"y\":15},\"panelIndex\":\"b3562120-30fb-4068-8f51-016a4d463d54\",\"panelRefName\":\"panel_6\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"76c2205b-d288-41b8-bd79-33e76a42289a\",\"w\":24,\"x\":0,\"y\":45},\"panelIndex\":\"76c2205b-d288-41b8-bd79-33e76a42289a\",\"panelRefName\":\"panel_7\",\"type\":\"search\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"76cacd94-5599-43e7-bcde-e1e19c7d8e96\",\"w\":24,\"x\":0,\"y\":60},\"panelIndex\":\"76cacd94-5599-43e7-bcde-e1e19c7d8e96\",\"panelRefName\":\"panel_8\",\"type\":\"search\",\"version\":\"7.17.0\"}]", - "timeRestore": false, - "title": "[Logs Infoblox NIOS] DHCP", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "infoblox_nios-27c573b0-b4d8-11ec-80e1-4bd67c5762eb", - "migrationVersion": { - "dashboard": "7.17.0" - }, - "references": [ - { - "id": "infoblox_nios-b9dd7a20-b57a-11ec-80e1-4bd67c5762eb", - "name": "panel_0", - "type": "visualization" - }, - { - "id": "infoblox_nios-be579090-b57a-11ec-80e1-4bd67c5762eb", - "name": "panel_1", - "type": "visualization" - }, - { - "id": "infoblox_nios-c5a9cd40-b57a-11ec-80e1-4bd67c5762eb", - "name": "panel_2", - "type": "visualization" - }, - { - "id": "infoblox_nios-71f7a570-b4dd-11ec-80e1-4bd67c5762eb", - "name": "panel_3", - "type": "search" - }, - { - "id": "infoblox_nios-b1504c70-b57a-11ec-80e1-4bd67c5762eb", - "name": "panel_4", - "type": "lens" - }, - { - "id": 
"infoblox_nios-7103abb0-b4e1-11ec-80e1-4bd67c5762eb", - "name": "panel_5", - "type": "search" - }, - { - "id": "infoblox_nios-ce5187d0-b57a-11ec-80e1-4bd67c5762eb", - "name": "panel_6", - "type": "visualization" - }, - { - "id": "infoblox_nios-4559ff50-b4e1-11ec-80e1-4bd67c5762eb", - "name": "panel_7", - "type": "search" - }, - { - "id": "infoblox_nios-8d55bb50-b4e1-11ec-80e1-4bd67c5762eb", - "name": "panel_8", - "type": "search" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/infoblox_nios/1.3.1/kibana/dashboard/infoblox_nios-c3abc8b0-b4dd-11ec-80e1-4bd67c5762eb.json b/packages/infoblox_nios/1.3.1/kibana/dashboard/infoblox_nios-c3abc8b0-b4dd-11ec-80e1-4bd67c5762eb.json deleted file mode 100755 index 6a7b2aa492..0000000000 --- a/packages/infoblox_nios/1.3.1/kibana/dashboard/infoblox_nios-c3abc8b0-b4dd-11ec-80e1-4bd67c5762eb.json +++ /dev/null 
@@ -1,47 +0,0 @@ -{ - "attributes": { - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"infoblox_nios.log\\\" and infoblox_nios.log.type : \\\"AUDIT\\\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"8dbce535-f9f6-45ac-b34a-dcea6e26d7ad\",\"w\":48,\"x\":0,\"y\":0},\"panelIndex\":\"8dbce535-f9f6-45ac-b34a-dcea6e26d7ad\",\"panelRefName\":\"panel_0\",\"title\":\"Distribution of Audit Events by Event Action [Logs Infoblox NIOS]\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"253a71f1-a7c2-4b3e-bf37-89383b11fd76\",\"w\":24,\"x\":0,\"y\":15},\"panelIndex\":\"253a71f1-a7c2-4b3e-bf37-89383b11fd76\",\"panelRefName\":\"panel_1\",\"title\":\"Top 10 User Login Failures [Logs Infoblox NIOS]\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"cfd78a10-0dc4-4062-97e5-9ff83ead6947\",\"w\":24,\"x\":24,\"y\":15},\"panelIndex\":\"cfd78a10-0dc4-4062-97e5-9ff83ead6947\",\"panelRefName\":\"panel_2\",\"title\":\"Top 10 Login User Name [Logs Infoblox 
NIOS]\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"efab2208-7c53-44d0-ab95-44e4f536b001\",\"w\":48,\"x\":0,\"y\":30},\"panelIndex\":\"efab2208-7c53-44d0-ab95-44e4f536b001\",\"panelRefName\":\"panel_3\",\"type\":\"search\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"ae1e8f76-fa42-4a6a-8a7e-08a96bd1e58d\",\"w\":48,\"x\":0,\"y\":45},\"panelIndex\":\"ae1e8f76-fa42-4a6a-8a7e-08a96bd1e58d\",\"panelRefName\":\"panel_4\",\"title\":\"Created and Deleted Objects [Logs Infoblox NIOS]\",\"type\":\"search\",\"version\":\"7.17.0\"}]", - "timeRestore": false, - "title": "[Logs Infoblox NIOS] Audit", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "infoblox_nios-c3abc8b0-b4dd-11ec-80e1-4bd67c5762eb", - "migrationVersion": { - "dashboard": "7.17.0" - }, - "references": [ - { - "id": "infoblox_nios-ee190f20-b57a-11ec-80e1-4bd67c5762eb", - "name": "panel_0", - "type": "lens" - }, - { - "id": "infoblox_nios-5bde4960-bee7-11ec-a230-b1548ff82828", - "name": "panel_1", - "type": "lens" - }, - { - "id": "infoblox_nios-e2809d40-b57a-11ec-80e1-4bd67c5762eb", - "name": "panel_2", - "type": "lens" - }, - { - "id": "infoblox_nios-b3b496f0-b4e5-11ec-80e1-4bd67c5762eb", - "name": "panel_3", - "type": "search" - }, - { - "id": "infoblox_nios-854739b0-b735-11ec-8ec2-49017af276c3", - "name": "panel_4", - "type": "search" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/infoblox_nios/1.3.1/kibana/dashboard/infoblox_nios-f8d86480-b4c9-11ec-80e1-4bd67c5762eb.json b/packages/infoblox_nios/1.3.1/kibana/dashboard/infoblox_nios-f8d86480-b4c9-11ec-80e1-4bd67c5762eb.json deleted file mode 100755 index f6205665b6..0000000000 --- a/packages/infoblox_nios/1.3.1/kibana/dashboard/infoblox_nios-f8d86480-b4c9-11ec-80e1-4bd67c5762eb.json +++ /dev/null 
@@ -1,72 +0,0 @@ -{ - "attributes": { - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"infoblox_nios.log\\\" and infoblox_nios.log.type : \\\"DNS\\\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"ab55c4cf-b8e2-47e1-b548-ed8db4a5dcc1\",\"w\":24,\"x\":0,\"y\":0},\"panelIndex\":\"ab55c4cf-b8e2-47e1-b548-ed8db4a5dcc1\",\"panelRefName\":\"panel_0\",\"title\":\"Distribution of DNS Events by Response Code [Logs Infoblox NIOS]\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"41ccc6e6-e2f7-4f0f-8e38-806add9d12a5\",\"w\":24,\"x\":24,\"y\":0},\"panelIndex\":\"41ccc6e6-e2f7-4f0f-8e38-806add9d12a5\",\"panelRefName\":\"panel_1\",\"title\":\"Distribution of DNS Events by Response Flag [Logs Infoblox NIOS]\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"7809e922-929c-4836-80d9-1fbd3a9fb8e8\",\"w\":24,\"x\":0,\"y\":15},\"panelIndex\":\"7809e922-929c-4836-80d9-1fbd3a9fb8e8\",\"panelRefName\":\"panel_2\",\"title\":\"Distribution of DNS Events by Question Class [Logs Infoblox NIOS]\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"179440ac-a8bb-4686-8ab1-8ad93b7717fb\",\"w\":24,\"x\":24,\"y\":15},\"panelIndex\":\"179440ac-a8bb-4686-8ab1-8ad93b7717fb\",\"panelRefName\":\"panel_3\",\"title\":\"Top 10 IP Used by Client [Logs Infoblox 
NIOS]\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"d91a4b30-da3a-402b-a7b7-542680808c83\",\"w\":24,\"x\":0,\"y\":30},\"panelIndex\":\"d91a4b30-da3a-402b-a7b7-542680808c83\",\"panelRefName\":\"panel_4\",\"title\":\"Top 10 Port Used by Client [Logs Infoblox NIOS]\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"820c618a-04ef-4d1d-95e4-76be0a783c03\",\"w\":24,\"x\":24,\"y\":30},\"panelIndex\":\"820c618a-04ef-4d1d-95e4-76be0a783c03\",\"panelRefName\":\"panel_5\",\"title\":\"Top 10 Answer Name [Logs Infoblox NIOS]\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"1129632e-0004-4421-bf56-406d8499a2bb\",\"w\":24,\"x\":0,\"y\":45},\"panelIndex\":\"1129632e-0004-4421-bf56-406d8499a2bb\",\"panelRefName\":\"panel_6\",\"title\":\"Top 10 Question Name [Logs Infoblox NIOS]\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"8c9c23a3-c26e-497a-9b62-99dbcf30c2ca\",\"w\":24,\"x\":24,\"y\":60},\"panelIndex\":\"8c9c23a3-c26e-497a-9b62-99dbcf30c2ca\",\"panelRefName\":\"panel_7\",\"type\":\"search\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"33030bbb-3670-4b20-ab01-b0eb157ea4e5\",\"w\":24,\"x\":0,\"y\":60},\"panelIndex\":\"33030bbb-3670-4b20-ab01-b0eb157ea4e5\",\"panelRefName\":\"panel_8\",\"type\":\"search\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"5a855a3a-e38e-432e-b09a-0960167960cd\",\"w\":24,\"x\":24,\"y\":45},\"panelIndex\":\"5a855a3a-e38e-432e-b09a-0960167960cd\",\"panelRefName\":\"panel_9\",\"title\":\"Top 10 Query Type [Logs Infoblox NIOS]\",\"type\":\"lens\",\"version\":\"7.17.0\"}]", - 
"timeRestore": false, - "title": "[Logs Infoblox NIOS] DNS", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "infoblox_nios-f8d86480-b4c9-11ec-80e1-4bd67c5762eb", - "migrationVersion": { - "dashboard": "7.17.0" - }, - "references": [ - { - "id": "infoblox_nios-52a20470-b57a-11ec-80e1-4bd67c5762eb", - "name": "panel_0", - "type": "lens" - }, - { - "id": "infoblox_nios-63ad1d90-b57a-11ec-80e1-4bd67c5762eb", - "name": "panel_1", - "type": "lens" - }, - { - "id": "infoblox_nios-69c26d70-b57a-11ec-80e1-4bd67c5762eb", - "name": "panel_2", - "type": "lens" - }, - { - "id": "infoblox_nios-4d682070-b57a-11ec-80e1-4bd67c5762eb", - "name": "panel_3", - "type": "lens" - }, - { - "id": "infoblox_nios-47a3afb0-b57a-11ec-80e1-4bd67c5762eb", - "name": "panel_4", - "type": "lens" - }, - { - "id": "infoblox_nios-710eddc0-b57a-11ec-80e1-4bd67c5762eb", - "name": "panel_5", - "type": "lens" - }, - { - "id": "infoblox_nios-771b5400-b57a-11ec-80e1-4bd67c5762eb", - "name": "panel_6", - "type": "lens" - }, - { - "id": "infoblox_nios-5cc295e0-b4d6-11ec-80e1-4bd67c5762eb", - "name": "panel_7", - "type": "search" - }, - { - "id": "infoblox_nios-f3899090-b4d7-11ec-80e1-4bd67c5762eb", - "name": "panel_8", - "type": "search" - }, - { - "id": "infoblox_nios-7ce4a6c0-b57a-11ec-80e1-4bd67c5762eb", - "name": "panel_9", - "type": "lens" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/infoblox_nios/1.3.1/kibana/lens/infoblox_nios-47a3afb0-b57a-11ec-80e1-4bd67c5762eb.json b/packages/infoblox_nios/1.3.1/kibana/lens/infoblox_nios-47a3afb0-b57a-11ec-80e1-4bd67c5762eb.json deleted file mode 100755 index 0e6cd96ba5..0000000000 --- a/packages/infoblox_nios/1.3.1/kibana/lens/infoblox_nios-47a3afb0-b57a-11ec-80e1-4bd67c5762eb.json +++ /dev/null 
@@ -1,90 +0,0 @@ -{ - "attributes": { - "description": null, - "state": { - "datasourceStates": { - "indexpattern": { - "layers": { - "c7c1c1df-9311-48ff-8df3-6c0ac873f606": { - "columnOrder": [ - "24e0ec78-4202-4d4d-9d1d-88df3ac6c639", - "0a304308-6952-4598-a14b-66b0ae5c6fd6" - ], - "columns": { - "0a304308-6952-4598-a14b-66b0ae5c6fd6": { - "dataType": "number", - "isBucketed": false, - "label": "Count", - "operationType": "count", - "scale": "ratio", - "sourceField": "Records" - }, - "24e0ec78-4202-4d4d-9d1d-88df3ac6c639": { - "customLabel": true, - "dataType": "string", - "isBucketed": true, - "label": "Client Port", - "operationType": "terms", - "params": { - "missingBucket": false, - "orderBy": { - "columnId": "0a304308-6952-4598-a14b-66b0ae5c6fd6", - "type": "column" - }, - "orderDirection": "desc", - "otherBucket": false, - "size": 10 - }, - "scale": "ordinal", - "sourceField": "client.port" - } - }, - "incompleteColumns": {} - } - } - } - }, - "filters": [], - "query": { - "language": "kuery", - "query": "data_stream.dataset : \"infoblox_nios.log\" and infoblox_nios.log.type : \"DNS\"" - }, - "visualization": { - "columns": [ - { - "alignment": "left", - "columnId": "24e0ec78-4202-4d4d-9d1d-88df3ac6c639" - }, - { - "alignment": "left", - "colorMode": "none", - "columnId": "0a304308-6952-4598-a14b-66b0ae5c6fd6", - "hidden": false - } - ], - "layerId": "c7c1c1df-9311-48ff-8df3-6c0ac873f606", - "layerType": "data" - } - }, - "title": "Top 10 Port Used by Client [Logs Infoblox NIOS]", - "visualizationType": "lnsDatatable" - }, - "coreMigrationVersion": "7.17.0", - "id": "infoblox_nios-47a3afb0-b57a-11ec-80e1-4bd67c5762eb", - "migrationVersion": { - "lens": "7.16.0" - }, - "references": [ - { - "id": "logs-*", - "name": "indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "indexpattern-datasource-layer-c7c1c1df-9311-48ff-8df3-6c0ac873f606", - "type": "index-pattern" - } - ], - "type": "lens" -} \ No 
newline at end of file diff --git a/packages/infoblox_nios/1.3.1/kibana/lens/infoblox_nios-4d682070-b57a-11ec-80e1-4bd67c5762eb.json b/packages/infoblox_nios/1.3.1/kibana/lens/infoblox_nios-4d682070-b57a-11ec-80e1-4bd67c5762eb.json deleted file mode 100755 index 952f75cf39..0000000000 --- a/packages/infoblox_nios/1.3.1/kibana/lens/infoblox_nios-4d682070-b57a-11ec-80e1-4bd67c5762eb.json +++ /dev/null 
@@ -1,89 +0,0 @@ -{ - "attributes": { - "description": null, - "state": { - "datasourceStates": { - "indexpattern": { - "layers": { - "c7c1c1df-9311-48ff-8df3-6c0ac873f606": { - "columnOrder": [ - "24e0ec78-4202-4d4d-9d1d-88df3ac6c639", - "0a304308-6952-4598-a14b-66b0ae5c6fd6" - ], - "columns": { - "0a304308-6952-4598-a14b-66b0ae5c6fd6": { - "dataType": "number", - "isBucketed": false, - "label": "Count", - "operationType": "count", - "scale": "ratio", - "sourceField": "Records" - }, - "24e0ec78-4202-4d4d-9d1d-88df3ac6c639": { - "customLabel": true, - "dataType": "string", - "isBucketed": true, - "label": "Client IP", - "operationType": "terms", - "params": { - "missingBucket": false, - "orderBy": { - "columnId": "0a304308-6952-4598-a14b-66b0ae5c6fd6", - "type": "column" - }, - "orderDirection": "desc", - "otherBucket": false, - "size": 10 - }, - "scale": "ordinal", - "sourceField": "client.ip" - } - }, - "incompleteColumns": {} - } - } - } - }, - "filters": [], - "query": { - "language": "kuery", - "query": "data_stream.dataset : \"infoblox_nios.log\" and infoblox_nios.log.type : \"DNS\"" - }, - "visualization": { - "columns": [ - { - "columnId": "24e0ec78-4202-4d4d-9d1d-88df3ac6c639" - }, - { - "alignment": "left", - "colorMode": "none", - "columnId": "0a304308-6952-4598-a14b-66b0ae5c6fd6", - "hidden": false - } - ], - "layerId": "c7c1c1df-9311-48ff-8df3-6c0ac873f606", - "layerType": "data" - } - }, - "title": "Top 10 IP Used by Client [Logs Infoblox NIOS]", - "visualizationType": "lnsDatatable" - }, - "coreMigrationVersion": "7.17.0", - "id": "infoblox_nios-4d682070-b57a-11ec-80e1-4bd67c5762eb", - "migrationVersion": { - "lens": "7.16.0" - }, - "references": [ - { - "id": "logs-*", - "name": "indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "indexpattern-datasource-layer-c7c1c1df-9311-48ff-8df3-6c0ac873f606", - "type": "index-pattern" - } - ], - "type": "lens" -} \ No newline at end of file 
diff --git a/packages/infoblox_nios/1.3.1/kibana/lens/infoblox_nios-52a20470-b57a-11ec-80e1-4bd67c5762eb.json b/packages/infoblox_nios/1.3.1/kibana/lens/infoblox_nios-52a20470-b57a-11ec-80e1-4bd67c5762eb.json deleted file mode 100755 index d39fa8c48b..0000000000 --- a/packages/infoblox_nios/1.3.1/kibana/lens/infoblox_nios-52a20470-b57a-11ec-80e1-4bd67c5762eb.json +++ /dev/null 
@@ -1,95 +0,0 @@ -{ - "attributes": { - "description": null, - "state": { - "datasourceStates": { - "indexpattern": { - "layers": { - "362936ac-2262-4cd0-8e06-c28015a829c5": { - "columnOrder": [ - "199ebb9a-2861-4db3-ac9d-d5801b764292", - "d759196e-f983-426d-bdd4-b6fea637f20d" - ], - "columns": { - "199ebb9a-2861-4db3-ac9d-d5801b764292": { - "customLabel": true, - "dataType": "string", - "isBucketed": true, - "label": "Response Code", - "operationType": "terms", - "params": { - "missingBucket": false, - "orderBy": { - "columnId": "d759196e-f983-426d-bdd4-b6fea637f20d", - "type": "column" - }, - "orderDirection": "desc", - "otherBucket": false, - "size": 5 - }, - "scale": "ordinal", - "sourceField": "dns.response_code" - }, - "d759196e-f983-426d-bdd4-b6fea637f20d": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Count", - "operationType": "count", - "scale": "ratio", - "sourceField": "Records" - } - }, - "incompleteColumns": {} - } - } - } - }, - "filters": [], - "query": { - "language": "kuery", - "query": "data_stream.dataset : \"infoblox_nios.log\" and infoblox_nios.log.type : \"DNS\"" - }, - "visualization": { - "layers": [ - { - "categoryDisplay": "default", - "groups": [ - "199ebb9a-2861-4db3-ac9d-d5801b764292" - ], - "layerId": "362936ac-2262-4cd0-8e06-c28015a829c5", - "layerType": "data", - "legendDisplay": "show", - "legendMaxLines": 1, - "legendPosition": "right", - "metric": "d759196e-f983-426d-bdd4-b6fea637f20d", - "nestedLegend": false, - "numberDisplay": "percent", - "truncateLegend": false - } - ], - "shape": "pie" - } - }, - "title": "Distribution of DNS Events by Response Code [Logs Infoblox NIOS]", - "visualizationType": "lnsPie" - }, - "coreMigrationVersion": "7.17.0", - "id": "infoblox_nios-52a20470-b57a-11ec-80e1-4bd67c5762eb", - "migrationVersion": { - "lens": "7.16.0" - }, - "references": [ - { - "id": "logs-*", - "name": "indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - 
"id": "logs-*", - "name": "indexpattern-datasource-layer-362936ac-2262-4cd0-8e06-c28015a829c5", - "type": "index-pattern" - } - ], - "type": "lens" -} \ No newline at end of file diff --git a/packages/infoblox_nios/1.3.1/kibana/lens/infoblox_nios-5bde4960-bee7-11ec-a230-b1548ff82828.json b/packages/infoblox_nios/1.3.1/kibana/lens/infoblox_nios-5bde4960-bee7-11ec-a230-b1548ff82828.json deleted file mode 100755 index 3a97290bff..0000000000 --- a/packages/infoblox_nios/1.3.1/kibana/lens/infoblox_nios-5bde4960-bee7-11ec-a230-b1548ff82828.json +++ /dev/null 
@@ -1,163 +0,0 @@ -{ - "attributes": { - "state": { - "datasourceStates": { - "indexpattern": { - "layers": { - "3b197aef-e049-44df-a30f-fc807fdb1718": { - "columnOrder": [ - "e9c4594f-2e2d-4750-9b04-eb1632f13753", - "6786ed8f-346e-419e-b8a7-1eea3d76b317", - "fe7f037e-6294-43af-94f9-3d73fe39d2a0", - "4eb788c2-ebce-473d-bfb0-ee0409862740" - ], - "columns": { - "4eb788c2-ebce-473d-bfb0-ee0409862740": { - "dataType": "number", - "isBucketed": false, - "label": "Count", - "operationType": "count", - "scale": "ratio", - "sourceField": "Records" - }, - "6786ed8f-346e-419e-b8a7-1eea3d76b317": { - "customLabel": true, - "dataType": "string", - "isBucketed": true, - "label": "Login Failure", - "operationType": "terms", - "params": { - "missingBucket": false, - "orderBy": { - "columnId": "4eb788c2-ebce-473d-bfb0-ee0409862740", - "type": "column" - }, - "orderDirection": "desc", - "otherBucket": false, - "size": 10 - }, - "scale": "ordinal", - "sourceField": "event.action" - }, - "e9c4594f-2e2d-4750-9b04-eb1632f13753": { - "customLabel": true, - "dataType": "string", - "isBucketed": true, - "label": "User Name", - "operationType": "terms", - "params": { - "missingBucket": false, - "orderBy": { - "columnId": "4eb788c2-ebce-473d-bfb0-ee0409862740", - "type": "column" - }, - "orderDirection": "desc", - "otherBucket": false, - "size": 10 - }, - "scale": "ordinal", - "sourceField": "user.name" - }, - "fe7f037e-6294-43af-94f9-3d73fe39d2a0": { - "customLabel": true, - "dataType": "string", - "isBucketed": true, - "label": "Login Via", - "operationType": "terms", - "params": { - "missingBucket": false, - "orderBy": { - "columnId": "4eb788c2-ebce-473d-bfb0-ee0409862740", - "type": "column" - }, - "orderDirection": "desc", - "otherBucket": false, - "size": 10 - }, - "scale": "ordinal", - "sourceField": "infoblox_nios.log.audit.apparently_via" - } - }, - "incompleteColumns": {} - } - } - } - }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - 
"disabled": false, - "indexRefName": "filter-index-pattern-0", - "key": "event.action", - "negate": false, - "params": { - "query": "login_denied" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "event.action": "login_denied" - } - } - } - ], - "query": { - "language": "kuery", - "query": "data_stream.dataset : \"infoblox_nios.log\" and infoblox_nios.log.type : \"AUDIT\"" - }, - "visualization": { - "columns": [ - { - "columnId": "e9c4594f-2e2d-4750-9b04-eb1632f13753", - "isTransposed": false - }, - { - "columnId": "6786ed8f-346e-419e-b8a7-1eea3d76b317", - "isTransposed": false - }, - { - "columnId": "fe7f037e-6294-43af-94f9-3d73fe39d2a0", - "isTransposed": false - }, - { - "alignment": "left", - "columnId": "4eb788c2-ebce-473d-bfb0-ee0409862740", - "isTransposed": false - } - ], - "layerId": "3b197aef-e049-44df-a30f-fc807fdb1718", - "layerType": "data" - } - }, - "title": "Top 10 User Login Failures [Logs Infoblox NIOS]", - "visualizationType": "lnsDatatable" - }, - "coreMigrationVersion": "7.17.0", - "id": "infoblox_nios-5bde4960-bee7-11ec-a230-b1548ff82828", - "migrationVersion": { - "lens": "7.16.0" - }, - "references": [ - { - "id": "logs-*", - "name": "indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "indexpattern-datasource-layer-3b197aef-e049-44df-a30f-fc807fdb1718", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "filter-index-pattern-0", - "type": "index-pattern" - } - ], - "type": "lens" -} \ No newline at end of file diff --git a/packages/infoblox_nios/1.3.1/kibana/lens/infoblox_nios-63ad1d90-b57a-11ec-80e1-4bd67c5762eb.json b/packages/infoblox_nios/1.3.1/kibana/lens/infoblox_nios-63ad1d90-b57a-11ec-80e1-4bd67c5762eb.json deleted file mode 100755 index af7022e8da..0000000000 --- a/packages/infoblox_nios/1.3.1/kibana/lens/infoblox_nios-63ad1d90-b57a-11ec-80e1-4bd67c5762eb.json +++ /dev/null 
@@ -1,95 +0,0 @@ -{ - "attributes": { - "description": null, - "state": { - "datasourceStates": { - "indexpattern": { - "layers": { - "362936ac-2262-4cd0-8e06-c28015a829c5": { - "columnOrder": [ - "199ebb9a-2861-4db3-ac9d-d5801b764292", - "d759196e-f983-426d-bdd4-b6fea637f20d" - ], - "columns": { - "199ebb9a-2861-4db3-ac9d-d5801b764292": { - "customLabel": true, - "dataType": "string", - "isBucketed": true, - "label": "Response Flag", - "operationType": "terms", - "params": { - "missingBucket": false, - "orderBy": { - "columnId": "d759196e-f983-426d-bdd4-b6fea637f20d", - "type": "column" - }, - "orderDirection": "desc", - "otherBucket": false, - "size": 5 - }, - "scale": "ordinal", - "sourceField": "dns.header_flags" - }, - "d759196e-f983-426d-bdd4-b6fea637f20d": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Count", - "operationType": "count", - "scale": "ratio", - "sourceField": "Records" - } - }, - "incompleteColumns": {} - } - } - } - }, - "filters": [], - "query": { - "language": "kuery", - "query": "data_stream.dataset : \"infoblox_nios.log\" and infoblox_nios.log.type : \"DNS\"" - }, - "visualization": { - "layers": [ - { - "categoryDisplay": "default", - "groups": [ - "199ebb9a-2861-4db3-ac9d-d5801b764292" - ], - "layerId": "362936ac-2262-4cd0-8e06-c28015a829c5", - "layerType": "data", - "legendDisplay": "show", - "legendMaxLines": 1, - "legendPosition": "right", - "metric": "d759196e-f983-426d-bdd4-b6fea637f20d", - "nestedLegend": false, - "numberDisplay": "percent", - "truncateLegend": false - } - ], - "shape": "pie" - } - }, - "title": "Distribution of DNS Events by Response Flag [Logs Infoblox NIOS]", - "visualizationType": "lnsPie" - }, - "coreMigrationVersion": "7.17.0", - "id": "infoblox_nios-63ad1d90-b57a-11ec-80e1-4bd67c5762eb", - "migrationVersion": { - "lens": "7.16.0" - }, - "references": [ - { - "id": "logs-*", - "name": "indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - 
"id": "logs-*", - "name": "indexpattern-datasource-layer-362936ac-2262-4cd0-8e06-c28015a829c5", - "type": "index-pattern" - } - ], - "type": "lens" -} \ No newline at end of file diff --git a/packages/infoblox_nios/1.3.1/kibana/lens/infoblox_nios-69c26d70-b57a-11ec-80e1-4bd67c5762eb.json b/packages/infoblox_nios/1.3.1/kibana/lens/infoblox_nios-69c26d70-b57a-11ec-80e1-4bd67c5762eb.json deleted file mode 100755 index f264ba388f..0000000000 --- a/packages/infoblox_nios/1.3.1/kibana/lens/infoblox_nios-69c26d70-b57a-11ec-80e1-4bd67c5762eb.json +++ /dev/null 
@@ -1,95 +0,0 @@ -{ - "attributes": { - "description": null, - "state": { - "datasourceStates": { - "indexpattern": { - "layers": { - "362936ac-2262-4cd0-8e06-c28015a829c5": { - "columnOrder": [ - "199ebb9a-2861-4db3-ac9d-d5801b764292", - "d759196e-f983-426d-bdd4-b6fea637f20d" - ], - "columns": { - "199ebb9a-2861-4db3-ac9d-d5801b764292": { - "customLabel": true, - "dataType": "string", - "isBucketed": true, - "label": "Question Class", - "operationType": "terms", - "params": { - "missingBucket": false, - "orderBy": { - "columnId": "d759196e-f983-426d-bdd4-b6fea637f20d", - "type": "column" - }, - "orderDirection": "desc", - "otherBucket": false, - "size": 5 - }, - "scale": "ordinal", - "sourceField": "dns.question.class" - }, - "d759196e-f983-426d-bdd4-b6fea637f20d": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Count", - "operationType": "count", - "scale": "ratio", - "sourceField": "Records" - } - }, - "incompleteColumns": {} - } - } - } - }, - "filters": [], - "query": { - "language": "kuery", - "query": "data_stream.dataset : \"infoblox_nios.log\" and infoblox_nios.log.type : \"DNS\"" - }, - "visualization": { - "layers": [ - { - "categoryDisplay": "default", - "groups": [ - "199ebb9a-2861-4db3-ac9d-d5801b764292" - ], - "layerId": "362936ac-2262-4cd0-8e06-c28015a829c5", - "layerType": "data", - "legendDisplay": "show", - "legendMaxLines": 1, - "legendPosition": "right", - "metric": "d759196e-f983-426d-bdd4-b6fea637f20d", - "nestedLegend": false, - "numberDisplay": "percent", - "truncateLegend": false - } - ], - "shape": "pie" - } - }, - "title": "Distribution of DNS Events by Question Class [Logs Infoblox NIOS]", - "visualizationType": "lnsPie" - }, - "coreMigrationVersion": "7.17.0", - "id": "infoblox_nios-69c26d70-b57a-11ec-80e1-4bd67c5762eb", - "migrationVersion": { - "lens": "7.16.0" - }, - "references": [ - { - "id": "logs-*", - "name": "indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - 
"id": "logs-*", - "name": "indexpattern-datasource-layer-362936ac-2262-4cd0-8e06-c28015a829c5", - "type": "index-pattern" - } - ], - "type": "lens" -} \ No newline at end of file diff --git a/packages/infoblox_nios/1.3.1/kibana/lens/infoblox_nios-710eddc0-b57a-11ec-80e1-4bd67c5762eb.json b/packages/infoblox_nios/1.3.1/kibana/lens/infoblox_nios-710eddc0-b57a-11ec-80e1-4bd67c5762eb.json deleted file mode 100755 index 8b7ba150de..0000000000 --- a/packages/infoblox_nios/1.3.1/kibana/lens/infoblox_nios-710eddc0-b57a-11ec-80e1-4bd67c5762eb.json +++ /dev/null 
@@ -1,89 +0,0 @@ -{ - "attributes": { - "description": null, - "state": { - "datasourceStates": { - "indexpattern": { - "layers": { - "c7c1c1df-9311-48ff-8df3-6c0ac873f606": { - "columnOrder": [ - "24e0ec78-4202-4d4d-9d1d-88df3ac6c639", - "0a304308-6952-4598-a14b-66b0ae5c6fd6" - ], - "columns": { - "0a304308-6952-4598-a14b-66b0ae5c6fd6": { - "dataType": "number", - "isBucketed": false, - "label": "Count", - "operationType": "count", - "scale": "ratio", - "sourceField": "Records" - }, - "24e0ec78-4202-4d4d-9d1d-88df3ac6c639": { - "customLabel": true, - "dataType": "string", - "isBucketed": true, - "label": "Answer Name", - "operationType": "terms", - "params": { - "missingBucket": false, - "orderBy": { - "columnId": "0a304308-6952-4598-a14b-66b0ae5c6fd6", - "type": "column" - }, - "orderDirection": "desc", - "otherBucket": false, - "size": 10 - }, - "scale": "ordinal", - "sourceField": "dns.answers.name" - } - }, - "incompleteColumns": {} - } - } - } - }, - "filters": [], - "query": { - "language": "kuery", - "query": "data_stream.dataset : \"infoblox_nios.log\" and infoblox_nios.log.type : \"DNS\"" - }, - "visualization": { - "columns": [ - { - "columnId": "24e0ec78-4202-4d4d-9d1d-88df3ac6c639" - }, - { - "alignment": "left", - "colorMode": "none", - "columnId": "0a304308-6952-4598-a14b-66b0ae5c6fd6", - "hidden": false - } - ], - "layerId": "c7c1c1df-9311-48ff-8df3-6c0ac873f606", - "layerType": "data" - } - }, - "title": "Top 10 Answer Name [Logs Infoblox NIOS]", - "visualizationType": "lnsDatatable" - }, - "coreMigrationVersion": "7.17.0", - "id": "infoblox_nios-710eddc0-b57a-11ec-80e1-4bd67c5762eb", - "migrationVersion": { - "lens": "7.16.0" - }, - "references": [ - { - "id": "logs-*", - "name": "indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "indexpattern-datasource-layer-c7c1c1df-9311-48ff-8df3-6c0ac873f606", - "type": "index-pattern" - } - ], - "type": "lens" -} \ No newline at end of file 
diff --git a/packages/infoblox_nios/1.3.1/kibana/lens/infoblox_nios-771b5400-b57a-11ec-80e1-4bd67c5762eb.json b/packages/infoblox_nios/1.3.1/kibana/lens/infoblox_nios-771b5400-b57a-11ec-80e1-4bd67c5762eb.json deleted file mode 100755 index 28023508a4..0000000000 --- a/packages/infoblox_nios/1.3.1/kibana/lens/infoblox_nios-771b5400-b57a-11ec-80e1-4bd67c5762eb.json +++ /dev/null 
@@ -1,89 +0,0 @@ -{ - "attributes": { - "description": null, - "state": { - "datasourceStates": { - "indexpattern": { - "layers": { - "c7c1c1df-9311-48ff-8df3-6c0ac873f606": { - "columnOrder": [ - "24e0ec78-4202-4d4d-9d1d-88df3ac6c639", - "0a304308-6952-4598-a14b-66b0ae5c6fd6" - ], - "columns": { - "0a304308-6952-4598-a14b-66b0ae5c6fd6": { - "dataType": "number", - "isBucketed": false, - "label": "Count", - "operationType": "count", - "scale": "ratio", - "sourceField": "Records" - }, - "24e0ec78-4202-4d4d-9d1d-88df3ac6c639": { - "customLabel": true, - "dataType": "string", - "isBucketed": true, - "label": "Question Name", - "operationType": "terms", - "params": { - "missingBucket": false, - "orderBy": { - "columnId": "0a304308-6952-4598-a14b-66b0ae5c6fd6", - "type": "column" - }, - "orderDirection": "desc", - "otherBucket": false, - "size": 10 - }, - "scale": "ordinal", - "sourceField": "dns.question.name" - } - }, - "incompleteColumns": {} - } - } - } - }, - "filters": [], - "query": { - "language": "kuery", - "query": "data_stream.dataset : \"infoblox_nios.log\" and infoblox_nios.log.type : \"DNS\"" - }, - "visualization": { - "columns": [ - { - "columnId": "24e0ec78-4202-4d4d-9d1d-88df3ac6c639" - }, - { - "alignment": "left", - "colorMode": "none", - "columnId": "0a304308-6952-4598-a14b-66b0ae5c6fd6", - "hidden": false - } - ], - "layerId": "c7c1c1df-9311-48ff-8df3-6c0ac873f606", - "layerType": "data" - } - }, - "title": "Top 10 Question Name [Logs Infoblox NIOS]", - "visualizationType": "lnsDatatable" - }, - "coreMigrationVersion": "7.17.0", - "id": "infoblox_nios-771b5400-b57a-11ec-80e1-4bd67c5762eb", - "migrationVersion": { - "lens": "7.16.0" - }, - "references": [ - { - "id": "logs-*", - "name": "indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "indexpattern-datasource-layer-c7c1c1df-9311-48ff-8df3-6c0ac873f606", - "type": "index-pattern" - } - ], - "type": "lens" -} \ No newline at end of file 
diff --git a/packages/infoblox_nios/1.3.1/kibana/lens/infoblox_nios-7ce4a6c0-b57a-11ec-80e1-4bd67c5762eb.json b/packages/infoblox_nios/1.3.1/kibana/lens/infoblox_nios-7ce4a6c0-b57a-11ec-80e1-4bd67c5762eb.json deleted file mode 100755 index eef58c03a3..0000000000 --- a/packages/infoblox_nios/1.3.1/kibana/lens/infoblox_nios-7ce4a6c0-b57a-11ec-80e1-4bd67c5762eb.json +++ /dev/null 
@@ -1,89 +0,0 @@ -{ - "attributes": { - "description": null, - "state": { - "datasourceStates": { - "indexpattern": { - "layers": { - "c7c1c1df-9311-48ff-8df3-6c0ac873f606": { - "columnOrder": [ - "24e0ec78-4202-4d4d-9d1d-88df3ac6c639", - "0a304308-6952-4598-a14b-66b0ae5c6fd6" - ], - "columns": { - "0a304308-6952-4598-a14b-66b0ae5c6fd6": { - "dataType": "number", - "isBucketed": false, - "label": "Count", - "operationType": "count", - "scale": "ratio", - "sourceField": "Records" - }, - "24e0ec78-4202-4d4d-9d1d-88df3ac6c639": { - "customLabel": true, - "dataType": "string", - "isBucketed": true, - "label": "Query Type", - "operationType": "terms", - "params": { - "missingBucket": false, - "orderBy": { - "columnId": "0a304308-6952-4598-a14b-66b0ae5c6fd6", - "type": "column" - }, - "orderDirection": "desc", - "otherBucket": false, - "size": 10 - }, - "scale": "ordinal", - "sourceField": "dns.question.type" - } - }, - "incompleteColumns": {} - } - } - } - }, - "filters": [], - "query": { - "language": "kuery", - "query": "data_stream.dataset : \"infoblox_nios.log\" and infoblox_nios.log.type : \"DNS\"" - }, - "visualization": { - "columns": [ - { - "columnId": "24e0ec78-4202-4d4d-9d1d-88df3ac6c639" - }, - { - "alignment": "left", - "colorMode": "none", - "columnId": "0a304308-6952-4598-a14b-66b0ae5c6fd6", - "hidden": false - } - ], - "layerId": "c7c1c1df-9311-48ff-8df3-6c0ac873f606", - "layerType": "data" - } - }, - "title": "Top 10 Query Type [Logs Infoblox NIOS]", - "visualizationType": "lnsDatatable" - }, - "coreMigrationVersion": "7.17.0", - "id": "infoblox_nios-7ce4a6c0-b57a-11ec-80e1-4bd67c5762eb", - "migrationVersion": { - "lens": "7.16.0" - }, - "references": [ - { - "id": "logs-*", - "name": "indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "indexpattern-datasource-layer-c7c1c1df-9311-48ff-8df3-6c0ac873f606", - "type": "index-pattern" - } - ], - "type": "lens" -} \ No newline at end of file 
diff --git a/packages/infoblox_nios/1.3.1/kibana/lens/infoblox_nios-b1504c70-b57a-11ec-80e1-4bd67c5762eb.json b/packages/infoblox_nios/1.3.1/kibana/lens/infoblox_nios-b1504c70-b57a-11ec-80e1-4bd67c5762eb.json deleted file mode 100755 index 6ecfadae96..0000000000 --- a/packages/infoblox_nios/1.3.1/kibana/lens/infoblox_nios-b1504c70-b57a-11ec-80e1-4bd67c5762eb.json +++ /dev/null 
@@ -1,89 +0,0 @@ -{ - "attributes": { - "description": null, - "state": { - "datasourceStates": { - "indexpattern": { - "layers": { - "310773ab-50b9-45eb-b84b-d5ac4dd962ff": { - "columnOrder": [ - "24491aaa-9a7c-4f4e-aea5-9621bc64c38a", - "0552e5bb-f6f0-4619-a623-b95cbb3c3561" - ], - "columns": { - "0552e5bb-f6f0-4619-a623-b95cbb3c3561": { - "dataType": "number", - "isBucketed": false, - "label": "Count", - "operationType": "count", - "scale": "ratio", - "sourceField": "Records" - }, - "24491aaa-9a7c-4f4e-aea5-9621bc64c38a": { - "customLabel": true, - "dataType": "string", - "isBucketed": true, - "label": "MAC Address", - "operationType": "terms", - "params": { - "missingBucket": false, - "orderBy": { - "columnId": "0552e5bb-f6f0-4619-a623-b95cbb3c3561", - "type": "column" - }, - "orderDirection": "desc", - "otherBucket": false, - "size": 10 - }, - "scale": "ordinal", - "sourceField": "client.mac" - } - }, - "incompleteColumns": {} - } - } - } - }, - "filters": [], - "query": { - "language": "kuery", - "query": "data_stream.dataset : \"infoblox_nios.log\" and infoblox_nios.log.type : \"DHCP\"" - }, - "visualization": { - "columns": [ - { - "columnId": "24491aaa-9a7c-4f4e-aea5-9621bc64c38a", - "isTransposed": false - }, - { - "alignment": "left", - "columnId": "0552e5bb-f6f0-4619-a623-b95cbb3c3561", - "isTransposed": false - } - ], - "layerId": "310773ab-50b9-45eb-b84b-d5ac4dd962ff", - "layerType": "data" - } - }, - "title": "Top 10 MAC Address [Logs Infoblox NIOS]", - "visualizationType": "lnsDatatable" - }, - "coreMigrationVersion": "7.17.0", - "id": "infoblox_nios-b1504c70-b57a-11ec-80e1-4bd67c5762eb", - "migrationVersion": { - "lens": "7.16.0" - }, - "references": [ - { - "id": "logs-*", - "name": "indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "indexpattern-datasource-layer-310773ab-50b9-45eb-b84b-d5ac4dd962ff", - "type": "index-pattern" - } - ], - "type": "lens" -} \ No newline at end of file 
diff --git a/packages/infoblox_nios/1.3.1/kibana/lens/infoblox_nios-e2809d40-b57a-11ec-80e1-4bd67c5762eb.json b/packages/infoblox_nios/1.3.1/kibana/lens/infoblox_nios-e2809d40-b57a-11ec-80e1-4bd67c5762eb.json deleted file mode 100755 index c51fe7d5cf..0000000000 --- a/packages/infoblox_nios/1.3.1/kibana/lens/infoblox_nios-e2809d40-b57a-11ec-80e1-4bd67c5762eb.json +++ /dev/null 
@@ -1,89 +0,0 @@ -{ - "attributes": { - "description": null, - "state": { - "datasourceStates": { - "indexpattern": { - "layers": { - "9688c841-6bb3-4369-8c27-894421c9ea56": { - "columnOrder": [ - "392073ca-09fb-4349-826e-fe44effa2a8e", - "7d1fb2f4-74e5-420a-bf2e-d5bae039d0b8" - ], - "columns": { - "392073ca-09fb-4349-826e-fe44effa2a8e": { - "customLabel": true, - "dataType": "string", - "isBucketed": true, - "label": "Login User Name", - "operationType": "terms", - "params": { - "missingBucket": false, - "orderBy": { - "columnId": "7d1fb2f4-74e5-420a-bf2e-d5bae039d0b8", - "type": "column" - }, - "orderDirection": "desc", - "otherBucket": false, - "size": 10 - }, - "scale": "ordinal", - "sourceField": "user.name" - }, - "7d1fb2f4-74e5-420a-bf2e-d5bae039d0b8": { - "dataType": "number", - "isBucketed": false, - "label": "Count", - "operationType": "count", - "scale": "ratio", - "sourceField": "Records" - } - }, - "incompleteColumns": {} - } - } - } - }, - "filters": [], - "query": { - "language": "kuery", - "query": "data_stream.dataset : \"infoblox_nios.log\" and infoblox_nios.log.type : \"AUDIT\"" - }, - "visualization": { - "columns": [ - { - "columnId": "392073ca-09fb-4349-826e-fe44effa2a8e", - "isTransposed": false - }, - { - "alignment": "left", - "columnId": "7d1fb2f4-74e5-420a-bf2e-d5bae039d0b8", - "isTransposed": false - } - ], - "layerId": "9688c841-6bb3-4369-8c27-894421c9ea56", - "layerType": "data" - } - }, - "title": "Top 10 Login User Name [Logs Infoblox NIOS]", - "visualizationType": "lnsDatatable" - }, - "coreMigrationVersion": "7.17.0", - "id": "infoblox_nios-e2809d40-b57a-11ec-80e1-4bd67c5762eb", - "migrationVersion": { - "lens": "7.16.0" - }, - "references": [ - { - "id": "logs-*", - "name": "indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "indexpattern-datasource-layer-9688c841-6bb3-4369-8c27-894421c9ea56", - "type": "index-pattern" - } - ], - "type": "lens" -} \ No newline at end of 
file diff --git a/packages/infoblox_nios/1.3.1/kibana/lens/infoblox_nios-ee190f20-b57a-11ec-80e1-4bd67c5762eb.json b/packages/infoblox_nios/1.3.1/kibana/lens/infoblox_nios-ee190f20-b57a-11ec-80e1-4bd67c5762eb.json deleted file mode 100755 index 9240018521..0000000000 --- a/packages/infoblox_nios/1.3.1/kibana/lens/infoblox_nios-ee190f20-b57a-11ec-80e1-4bd67c5762eb.json +++ /dev/null 
@@ -1,127 +0,0 @@ -{ - "attributes": { - "description": null, - "state": { - "datasourceStates": { - "indexpattern": { - "layers": { - "b651497c-3650-4eb9-ab9c-e90f27c1fc75": { - "columnOrder": [ - "fcb0dd34-08f1-4b12-a947-66514002a247", - "3c8dadb3-4770-4830-9d0f-3a157d0a0f97" - ], - "columns": { - "3c8dadb3-4770-4830-9d0f-3a157d0a0f97": { - "dataType": "number", - "isBucketed": false, - "label": "Count", - "operationType": "count", - "scale": "ratio", - "sourceField": "Records" - }, - "fcb0dd34-08f1-4b12-a947-66514002a247": { - "customLabel": true, - "dataType": "string", - "isBucketed": true, - "label": "Event Action", - "operationType": "terms", - "params": { - "missingBucket": false, - "orderBy": { - "columnId": "3c8dadb3-4770-4830-9d0f-3a157d0a0f97", - "type": "column" - }, - "orderDirection": "desc", - "otherBucket": false, - "size": 10 - }, - "scale": "ordinal", - "sourceField": "event.action" - } - }, - "incompleteColumns": {} - } - } - } - }, - "filters": [], - "query": { - "language": "kuery", - "query": "data_stream.dataset : \"infoblox_nios.log\" and infoblox_nios.log.type : \"AUDIT\"" - }, - "visualization": { - "axisTitlesVisibilitySettings": { - "x": true, - "yLeft": true, - "yRight": true - }, - "fittingFunction": "None", - "gridlinesVisibilitySettings": { - "x": true, - "yLeft": true, - "yRight": true - }, - "labelsOrientation": { - "x": 0, - "yLeft": 0, - "yRight": 0 - }, - "layers": [ - { - "accessors": [ - "3c8dadb3-4770-4830-9d0f-3a157d0a0f97" - ], - "layerId": "b651497c-3650-4eb9-ab9c-e90f27c1fc75", - "layerType": "data", - "seriesType": "bar_horizontal", - "xAccessor": "fcb0dd34-08f1-4b12-a947-66514002a247", - "yConfig": [ - { - "color": "#d36086", - "forAccessor": "3c8dadb3-4770-4830-9d0f-3a157d0a0f97" - } - ] - } - ], - "legend": { - "isVisible": true, - "position": "right", - "showSingleSeries": false - }, - "preferredSeriesType": "bar_horizontal", - "tickLabelsVisibilitySettings": { - "x": true, - "yLeft": true, - "yRight": true - }, - 
"valueLabels": "hide", - "yLeftExtent": { - "mode": "full" - }, - "yRightExtent": { - "mode": "full" - } - } - }, - "title": "Distribution of Audit Events by Event Action [Logs Infoblox NIOS]", - "visualizationType": "lnsXY" - }, - "coreMigrationVersion": "7.17.0", - "id": "infoblox_nios-ee190f20-b57a-11ec-80e1-4bd67c5762eb", - "migrationVersion": { - "lens": "7.16.0" - }, - "references": [ - { - "id": "logs-*", - "name": "indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "indexpattern-datasource-layer-b651497c-3650-4eb9-ab9c-e90f27c1fc75", - "type": "index-pattern" - } - ], - "type": "lens" -} \ No newline at end of file diff --git a/packages/infoblox_nios/1.3.1/kibana/search/infoblox_nios-4559ff50-b4e1-11ec-80e1-4bd67c5762eb.json b/packages/infoblox_nios/1.3.1/kibana/search/infoblox_nios-4559ff50-b4e1-11ec-80e1-4bd67c5762eb.json deleted file mode 100755 index 733ffb0f9f..0000000000 --- a/packages/infoblox_nios/1.3.1/kibana/search/infoblox_nios-4559ff50-b4e1-11ec-80e1-4bd67c5762eb.json +++ /dev/null 
@@ -1,39 +0,0 @@ -{ - "attributes": { - "columns": [ - "client.ip", - "client.mac" - ], - "description": "", - "grid": {}, - "hideChart": false, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.action\",\"negate\":false,\"params\":{\"query\":\"dhcpdecline\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"event.action\":\"dhcpdecline\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"infoblox_nios.log\\\" and infoblox_nios.log.type : \\\"DHCP\\\"\"}}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "Declined Leases [Logs Infoblox NIOS]" - }, - "coreMigrationVersion": "7.17.0", - "id": "infoblox_nios-4559ff50-b4e1-11ec-80e1-4bd67c5762eb", - "migrationVersion": { - "search": "7.9.3" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/infoblox_nios/1.3.1/kibana/search/infoblox_nios-5cc295e0-b4d6-11ec-80e1-4bd67c5762eb.json b/packages/infoblox_nios/1.3.1/kibana/search/infoblox_nios-5cc295e0-b4d6-11ec-80e1-4bd67c5762eb.json deleted file mode 100755 index 8a6f7e4581..0000000000 --- a/packages/infoblox_nios/1.3.1/kibana/search/infoblox_nios-5cc295e0-b4d6-11ec-80e1-4bd67c5762eb.json +++ /dev/null 
@@ -1,40 +0,0 @@ -{ - "attributes": { - "columns": [ - "dns.response_code", - "dns.answers.name", - "dns.answers.data" - ], - "description": "", - "grid": {}, - "hideChart": false, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"dns.response_code\",\"negate\":false,\"params\":{\"query\":\"REFUSED\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"dns.response_code\":\"REFUSED\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"infoblox_nios.log\\\" and infoblox_nios.log.type : \\\"DNS\\\"\"}}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "DNS Decline Response [Logs Infoblox NIOS]" - }, - "coreMigrationVersion": "7.17.0", - "id": "infoblox_nios-5cc295e0-b4d6-11ec-80e1-4bd67c5762eb", - "migrationVersion": { - "search": "7.9.3" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/infoblox_nios/1.3.1/kibana/search/infoblox_nios-7103abb0-b4e1-11ec-80e1-4bd67c5762eb.json b/packages/infoblox_nios/1.3.1/kibana/search/infoblox_nios-7103abb0-b4e1-11ec-80e1-4bd67c5762eb.json deleted file mode 100755 index a0cb307607..0000000000 --- a/packages/infoblox_nios/1.3.1/kibana/search/infoblox_nios-7103abb0-b4e1-11ec-80e1-4bd67c5762eb.json +++ /dev/null 
@@ -1,44 +0,0 @@ -{ - "attributes": { - "columns": [ - "client.ip", - "client.mac" - ], - "description": "", - "grid": {}, - "hideChart": false, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"infoblox_nios.log\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"infoblox_nios.log\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"event.action\",\"negate\":false,\"params\":{\"query\":\"dhcpexpire\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"event.action\":\"dhcpexpire\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"infoblox_nios.log\\\" and infoblox_nios.log.type : \\\"DHCP\\\"\"}}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "Expired Leases [Logs Infoblox NIOS]" - }, - "coreMigrationVersion": "7.17.0", - "id": "infoblox_nios-7103abb0-b4e1-11ec-80e1-4bd67c5762eb", - "migrationVersion": { - "search": "7.9.3" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file 
diff --git a/packages/infoblox_nios/1.3.1/kibana/search/infoblox_nios-71f7a570-b4dd-11ec-80e1-4bd67c5762eb.json b/packages/infoblox_nios/1.3.1/kibana/search/infoblox_nios-71f7a570-b4dd-11ec-80e1-4bd67c5762eb.json deleted file mode 100755 index d309812420..0000000000 --- a/packages/infoblox_nios/1.3.1/kibana/search/infoblox_nios-71f7a570-b4dd-11ec-80e1-4bd67c5762eb.json +++ /dev/null 
@@ -1,50 +0,0 @@ -{ - "attributes": { - "columns": [ - "client.ip", - "client.mac", - "infoblox_nios.log.dhcp.client_hostname" - ], - "description": "", - "grid": {}, - "hideChart": false, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"infoblox_nios.log\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"infoblox_nios.log\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"infoblox_nios.log.dhcp.lease.message\",\"negate\":false,\"params\":{\"query\":\"RENEW\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"infoblox_nios.log.dhcp.lease.message\":\"RENEW\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[2].meta.index\",\"key\":\"event.action\",\"negate\":false,\"params\":{\"query\":\"dhcpack\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"event.action\":\"dhcpack\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"infoblox_nios.log\\\" and infoblox_nios.log.type : \\\"DHCP\\\"\"}}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "Renewed Leases [Logs Infoblox NIOS]" - }, - "coreMigrationVersion": "7.17.0", - "id": "infoblox_nios-71f7a570-b4dd-11ec-80e1-4bd67c5762eb", - "migrationVersion": { - "search": "7.9.3" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": 
"index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[2].meta.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/infoblox_nios/1.3.1/kibana/search/infoblox_nios-854739b0-b735-11ec-8ec2-49017af276c3.json b/packages/infoblox_nios/1.3.1/kibana/search/infoblox_nios-854739b0-b735-11ec-8ec2-49017af276c3.json deleted file mode 100755 index 9a1feeacb0..0000000000 --- a/packages/infoblox_nios/1.3.1/kibana/search/infoblox_nios-854739b0-b735-11ec-8ec2-49017af276c3.json +++ /dev/null 
@@ -1,41 +0,0 @@ -{ - "attributes": { - "columns": [ - "event.action", - "infoblox_nios.log.service_name", - "infoblox_nios.log.type", - "infoblox_nios.log.audit.message" - ], - "description": "", - "grid": {}, - "hideChart": false, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.action\",\"negate\":false,\"params\":[\"created\",\"deleted\"],\"type\":\"phrases\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.action\":\"created\"}},{\"match_phrase\":{\"event.action\":\"deleted\"}}]}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"infoblox_nios.log\\\" and infoblox_nios.log.type : \\\"AUDIT\\\"\"}}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "Created and Deleted Objects [Logs Infoblox NIOS]" - }, - "coreMigrationVersion": "7.17.0", - "id": "infoblox_nios-854739b0-b735-11ec-8ec2-49017af276c3", - "migrationVersion": { - "search": "7.9.3" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/infoblox_nios/1.3.1/kibana/search/infoblox_nios-8d55bb50-b4e1-11ec-80e1-4bd67c5762eb.json b/packages/infoblox_nios/1.3.1/kibana/search/infoblox_nios-8d55bb50-b4e1-11ec-80e1-4bd67c5762eb.json deleted file mode 100755 index e4621e033e..0000000000 --- a/packages/infoblox_nios/1.3.1/kibana/search/infoblox_nios-8d55bb50-b4e1-11ec-80e1-4bd67c5762eb.json +++ /dev/null 
@@ -1,45 +0,0 @@ -{ - "attributes": { - "columns": [ - "client.ip", - "client.mac", - "infoblox_nios.log.dhcp.client_hostname" - ], - "description": "", - "grid": {}, - "hideChart": false, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"infoblox_nios.log\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"infoblox_nios.log\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"event.action\",\"negate\":false,\"params\":{\"query\":\"dhcprelease\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"event.action\":\"dhcprelease\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"infoblox_nios.log\\\" and infoblox_nios.log.type : \\\"DHCP\\\"\"}}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "Released Leases [Logs Infoblox NIOS]" - }, - "coreMigrationVersion": "7.17.0", - "id": "infoblox_nios-8d55bb50-b4e1-11ec-80e1-4bd67c5762eb", - "migrationVersion": { - "search": "7.9.3" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file 
diff --git a/packages/infoblox_nios/1.3.1/kibana/search/infoblox_nios-b3b496f0-b4e5-11ec-80e1-4bd67c5762eb.json b/packages/infoblox_nios/1.3.1/kibana/search/infoblox_nios-b3b496f0-b4e5-11ec-80e1-4bd67c5762eb.json deleted file mode 100755 index c75925a125..0000000000 --- a/packages/infoblox_nios/1.3.1/kibana/search/infoblox_nios-b3b496f0-b4e5-11ec-80e1-4bd67c5762eb.json +++ /dev/null 
@@ -1,46 +0,0 @@ -{ - "attributes": { - "columns": [ - "event.action", - "user.name", - "infoblox_nios.log.audit.auth", - "infoblox_nios.log.audit.ip" - ], - "description": "", - "grid": {}, - "hideChart": false, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.action\",\"negate\":false,\"params\":{\"query\":\"login_allowed\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"event.action\":\"login_allowed\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"infoblox_nios.log.service_name\",\"negate\":false,\"params\":{\"query\":\"httpd\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"infoblox_nios.log.service_name\":\"httpd\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"infoblox_nios.log\\\" and infoblox_nios.log.type : \\\"AUDIT\\\"\"}}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "Login Allowed [Logs Infoblox NIOS]" - }, - "coreMigrationVersion": "7.17.0", - "id": "infoblox_nios-b3b496f0-b4e5-11ec-80e1-4bd67c5762eb", - "migrationVersion": { - "search": "7.9.3" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file 
diff --git a/packages/infoblox_nios/1.3.1/kibana/search/infoblox_nios-f3899090-b4d7-11ec-80e1-4bd67c5762eb.json b/packages/infoblox_nios/1.3.1/kibana/search/infoblox_nios-f3899090-b4d7-11ec-80e1-4bd67c5762eb.json deleted file mode 100755 index 9e5e452de5..0000000000 --- a/packages/infoblox_nios/1.3.1/kibana/search/infoblox_nios-f3899090-b4d7-11ec-80e1-4bd67c5762eb.json +++ /dev/null @@ -1,35 +0,0 @@ -{ - "attributes": { - "columns": [ - "dns.question.class", - "dns.question.name", - "dns.question.type" - ], - "description": "", - "grid": {}, - "hideChart": false, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"infoblox_nios.log\\\" and infoblox_nios.log.type : \\\"DNS\\\"\"}}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "DNS Query by Class [Logs Infoblox NIOS]" - }, - "coreMigrationVersion": "7.17.0", - "id": "infoblox_nios-f3899090-b4d7-11ec-80e1-4bd67c5762eb", - "migrationVersion": { - "search": "7.9.3" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/infoblox_nios/1.3.1/kibana/visualization/infoblox_nios-b9dd7a20-b57a-11ec-80e1-4bd67c5762eb.json b/packages/infoblox_nios/1.3.1/kibana/visualization/infoblox_nios-b9dd7a20-b57a-11ec-80e1-4bd67c5762eb.json deleted file mode 100755 index 82db613b7a..0000000000 --- a/packages/infoblox_nios/1.3.1/kibana/visualization/infoblox_nios-b9dd7a20-b57a-11ec-80e1-4bd67c5762eb.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"infoblox_nios.log\\\" and infoblox_nios.log.type : \\\"DHCP\\\"\"}}" - }, - "title": "Count of Leases Renewed Over Time [Logs Infoblox NIOS]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"drop_last_bucket\":0,\"id\":\"99bb2283-08ad-483a-8912-5039ced3b47e\",\"index_pattern_ref_name\":\"metrics_0_index_pattern\",\"interval\":\"1d\",\"isModelInvalid\":false,\"max_lines_legend\":1,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"d12231fe-9878-4b9f-860f-ff926684e751\",\"label\":\"Count\",\"line_width\":1,\"metrics\":[{\"id\":\"6bd0749b-2071-4cb9-9287-2e7fe244c469\",\"type\":\"count\"}],\"override_index_pattern\":0,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"point_size\":1,\"separate_axis\":0,\"series_drop_last_bucket\":0,\"split_color_mode\":null,\"split_filters\":[{\"color\":\"#68BC00\",\"filter\":{\"language\":\"kuery\",\"query\":\"event.action : \\\"dhcpack\\\"\"},\"id\":\"53443750-b50b-11ec-b3d6-27b037885c54\",\"label\":\"Count\"}],\"split_mode\":\"filters\",\"stacked\":\"none\",\"time_range_mode\":\"entire_time_range\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"time_range_mode\":\"entire_time_range\",\"tooltip_mode\":\"show_all\",\"truncate_legend\":0,\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Count of Leases Renewed Over Time [Logs Infoblox NIOS]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "infoblox_nios-b9dd7a20-b57a-11ec-80e1-4bd67c5762eb", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "metrics_0_index_pattern", - "type": 
"index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/infoblox_nios/1.3.1/kibana/visualization/infoblox_nios-be579090-b57a-11ec-80e1-4bd67c5762eb.json b/packages/infoblox_nios/1.3.1/kibana/visualization/infoblox_nios-be579090-b57a-11ec-80e1-4bd67c5762eb.json deleted file mode 100755 index b2434b7bde..0000000000 --- a/packages/infoblox_nios/1.3.1/kibana/visualization/infoblox_nios-be579090-b57a-11ec-80e1-4bd67c5762eb.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"infoblox_nios.log\\\" and infoblox_nios.log.type : \\\"DHCP\\\"\"}}" - }, - "title": "Count of Leases Declined Over Time [Logs Infoblox NIOS]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"drop_last_bucket\":0,\"id\":\"99bb2283-08ad-483a-8912-5039ced3b47e\",\"index_pattern_ref_name\":\"metrics_0_index_pattern\",\"interval\":\"1d\",\"isModelInvalid\":false,\"max_lines_legend\":1,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"d12231fe-9878-4b9f-860f-ff926684e751\",\"label\":\"Count\",\"line_width\":1,\"metrics\":[{\"id\":\"6bd0749b-2071-4cb9-9287-2e7fe244c469\",\"type\":\"count\"}],\"override_index_pattern\":0,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"point_size\":1,\"separate_axis\":0,\"series_drop_last_bucket\":0,\"split_color_mode\":null,\"split_filters\":[{\"color\":\"#68BC00\",\"filter\":{\"language\":\"kuery\",\"query\":\"event.action : \\\"dhcpdecline\\\"\"},\"id\":\"53443750-b50b-11ec-b3d6-27b037885c54\",\"label\":\"Count\"}],\"split_mode\":\"filters\",\"stacked\":\"none\",\"time_range_mode\":\"entire_time_range\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"time_range_mode\":\"entire_time_range\",\"tooltip_mode\":\"show_all\",\"truncate_legend\":0,\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Count of Leases Declined Over Time [Logs Infoblox NIOS]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "infoblox_nios-be579090-b57a-11ec-80e1-4bd67c5762eb", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "metrics_0_index_pattern", - "type": 
"index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/infoblox_nios/1.3.1/kibana/visualization/infoblox_nios-c5a9cd40-b57a-11ec-80e1-4bd67c5762eb.json b/packages/infoblox_nios/1.3.1/kibana/visualization/infoblox_nios-c5a9cd40-b57a-11ec-80e1-4bd67c5762eb.json deleted file mode 100755 index 06be69b2c9..0000000000 --- a/packages/infoblox_nios/1.3.1/kibana/visualization/infoblox_nios-c5a9cd40-b57a-11ec-80e1-4bd67c5762eb.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"infoblox_nios.log\\\" and infoblox_nios.log.type : \\\"DHCP\\\"\"}}" - }, - "title": "Count of Leases Expired Over Time [Logs Infoblox NIOS]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"drop_last_bucket\":0,\"id\":\"99bb2283-08ad-483a-8912-5039ced3b47e\",\"index_pattern_ref_name\":\"metrics_0_index_pattern\",\"interval\":\"1d\",\"isModelInvalid\":false,\"max_lines_legend\":1,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"d12231fe-9878-4b9f-860f-ff926684e751\",\"label\":\"Count\",\"line_width\":1,\"metrics\":[{\"id\":\"6bd0749b-2071-4cb9-9287-2e7fe244c469\",\"type\":\"count\"}],\"override_index_pattern\":0,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"point_size\":1,\"separate_axis\":0,\"series_drop_last_bucket\":0,\"split_color_mode\":null,\"split_filters\":[{\"color\":\"#68BC00\",\"filter\":{\"language\":\"kuery\",\"query\":\"event.action : \\\"dhcpexpire\\\"\"},\"id\":\"53443750-b50b-11ec-b3d6-27b037885c54\",\"label\":\"Count\"}],\"split_mode\":\"filters\",\"stacked\":\"none\",\"time_range_mode\":\"entire_time_range\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"time_range_mode\":\"entire_time_range\",\"tooltip_mode\":\"show_all\",\"truncate_legend\":0,\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Count of Leases Expired Over Time [Logs Infoblox NIOS]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "infoblox_nios-c5a9cd40-b57a-11ec-80e1-4bd67c5762eb", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "metrics_0_index_pattern", - "type": 
"index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/infoblox_nios/1.3.1/kibana/visualization/infoblox_nios-ce5187d0-b57a-11ec-80e1-4bd67c5762eb.json b/packages/infoblox_nios/1.3.1/kibana/visualization/infoblox_nios-ce5187d0-b57a-11ec-80e1-4bd67c5762eb.json deleted file mode 100755 index 5d12bd9de5..0000000000 --- a/packages/infoblox_nios/1.3.1/kibana/visualization/infoblox_nios-ce5187d0-b57a-11ec-80e1-4bd67c5762eb.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"infoblox_nios.log\\\" and infoblox_nios.log.type : \\\"DHCP\\\"\"}}" - }, - "title": "Count of Leases Released Over Time [Logs Infoblox NIOS]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"drop_last_bucket\":0,\"id\":\"99bb2283-08ad-483a-8912-5039ced3b47e\",\"index_pattern_ref_name\":\"metrics_0_index_pattern\",\"interval\":\"1d\",\"isModelInvalid\":false,\"max_lines_legend\":1,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"d12231fe-9878-4b9f-860f-ff926684e751\",\"label\":\"Count\",\"line_width\":1,\"metrics\":[{\"id\":\"6bd0749b-2071-4cb9-9287-2e7fe244c469\",\"type\":\"count\"}],\"override_index_pattern\":0,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"point_size\":1,\"separate_axis\":0,\"series_drop_last_bucket\":0,\"split_color_mode\":null,\"split_filters\":[{\"color\":\"#68BC00\",\"filter\":{\"language\":\"kuery\",\"query\":\"event.action : \\\"dhcprelease\\\"\"},\"id\":\"53443750-b50b-11ec-b3d6-27b037885c54\",\"label\":\"Count\"}],\"split_mode\":\"filters\",\"stacked\":\"none\",\"time_range_mode\":\"entire_time_range\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"time_range_mode\":\"entire_time_range\",\"tooltip_mode\":\"show_all\",\"truncate_legend\":0,\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Count of Leases Released Over Time [Logs Infoblox NIOS]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "infoblox_nios-ce5187d0-b57a-11ec-80e1-4bd67c5762eb", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "metrics_0_index_pattern", - "type": 
"index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/infoblox_nios/1.3.1/manifest.yml b/packages/infoblox_nios/1.3.1/manifest.yml deleted file mode 100755 index cf0444836f..0000000000 --- a/packages/infoblox_nios/1.3.1/manifest.yml +++ /dev/null 
@@ -1,108 +0,0 @@ -format_version: 1.0.0 -name: infoblox_nios -title: Infoblox NIOS -version: "1.3.1" -license: basic -description: Collect logs from Infoblox NIOS with Elastic Agent. -type: integration -categories: - - security -release: ga -conditions: - kibana.version: ^7.17.0 || ^8.0.0 -screenshots: - - src: /img/infoblox-nios-screenshot.png - title: Infoblox NIOS dashboard screenshot - size: 600x600 - type: image/png -icons: - - src: /img/infoblox-logo.svg - title: Infoblox NIOS logo - size: 32x32 - type: image/svg+xml -policy_templates: - - name: Infoblox NIOS - title: Infoblox NIOS logs - description: Collect Infoblox NIOS logs. - inputs: - - type: logfile - vars: - - name: paths - type: text - title: Paths - multi: true - required: true - show_user: true - title: Collect logs from Infoblox NIOS via File input - description: Collecting syslog from Infoblox NIOS via File input. - - type: tcp - vars: - - name: listen_address - type: text - title: Listen Address - description: The bind address to listen for TCP connections. Set to `0.0.0.0` to bind to all available interfaces. - multi: false - required: true - show_user: true - default: localhost - - name: listen_port - type: integer - title: Listen Port - description: The TCP port number to listen on. - multi: false - required: true - show_user: true - default: 9027 - - name: ssl - type: yaml - title: SSL Configuration - description: i.e. certificate_authorities, supported_protocols, verification_mode etc. 
- multi: false - required: false - show_user: false - default: | - #certificate_authorities: - # - | - # -----BEGIN CERTIFICATE----- - # MIIDCjCCAfKgAwIBAgITJ706Mu2wJlKckpIvkWxEHvEyijANBgkqhkiG9w0BAQsF - # ADAUMRIwEAYDVQQDDAlsb2NhbGhvc3QwIBcNMTkwNzIyMTkyOTA0WhgPMjExOTA2 - # MjgxOTI5MDRaMBQxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEB - # BQADggEPADCCAQoCggEBANce58Y/JykI58iyOXpxGfw0/gMvF0hUQAcUrSMxEO6n - # fZRA49b4OV4SwWmA3395uL2eB2NB8y8qdQ9muXUdPBWE4l9rMZ6gmfu90N5B5uEl - # 94NcfBfYOKi1fJQ9i7WKhTjlRkMCgBkWPkUokvBZFRt8RtF7zI77BSEorHGQCk9t - # /D7BS0GJyfVEhftbWcFEAG3VRcoMhF7kUzYwp+qESoriFRYLeDWv68ZOvG7eoWnP - # PsvZStEVEimjvK5NSESEQa9xWyJOmlOKXhkdymtcUd/nXnx6UTCFgnkgzSdTWV41 - # CI6B6aJ9svCTI2QuoIq2HxX/ix7OvW1huVmcyHVxyUECAwEAAaNTMFEwHQYDVR0O - # BBYEFPwN1OceFGm9v6ux8G+DZ3TUDYxqMB8GA1UdIwQYMBaAFPwN1OceFGm9v6ux - # 8G+DZ3TUDYxqMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAG5D - # 874A4YI7YUwOVsVAdbWtgp1d0zKcPRR+r2OdSbTAV5/gcS3jgBJ3i1BN34JuDVFw - # 3DeJSYT3nxy2Y56lLnxDeF8CUTUtVQx3CuGkRg1ouGAHpO/6OqOhwLLorEmxi7tA - # H2O8mtT0poX5AnOAhzVy7QW0D/k4WaoLyckM5hUa6RtvgvLxOwA0U+VGurCDoctu - # 8F4QOgTAWyh8EZIwaKCliFRSynDpv3JTUwtfZkxo6K6nce1RhCWFAsMvDZL8Dgc0 - # yvgJ38BRsFOtkRuAGSf6ZUwTO8JJRRIFnpUzXflAnGivK9M13D5GEQMmIl6U9Pvk - # sxSmbIUfc2SGJGCJD4I= - # -----END CERTIFICATE----- - title: Collect logs from Infoblox NIOS via TCP input - description: Collecting logs from Infoblox NIOS via TCP input. - - type: udp - vars: - - name: listen_address - type: text - title: Listen Address - description: The bind address to listen for UDP connections. Set to `0.0.0.0` to bind to all available interfaces. - multi: false - required: true - show_user: true - default: localhost - - name: listen_port - type: integer - title: Listen Port - description: The UDP port number to listen on. - multi: false - required: true - show_user: true - default: 9028 - title: Collect logs from Infoblox NIOS via UDP input - description: Collecting syslog from Infoblox NIOS via UDP input. 
-owner: - github: elastic/security-external-integrations diff --git a/packages/jamf_compliance_reporter/0.2.1/LICENSE.txt b/packages/jamf_compliance_reporter/0.2.1/LICENSE.txt deleted file mode 100755 index 809108b857..0000000000 --- a/packages/jamf_compliance_reporter/0.2.1/LICENSE.txt +++ /dev/null 
@@ -1,93 +0,0 @@ -Elastic License 2.0 - -URL: https://www.elastic.co/licensing/elastic-license - -## Acceptance - -By using the software, you agree to all of the terms and conditions below. - -## Copyright License - -The licensor grants you a non-exclusive, royalty-free, worldwide, -non-sublicensable, non-transferable license to use, copy, distribute, make -available, and prepare derivative works of the software, in each case subject to -the limitations and conditions below. - -## Limitations - -You may not provide the software to third parties as a hosted or managed -service, where the service provides users with access to any substantial set of -the features or functionality of the software. - -You may not move, change, disable, or circumvent the license key functionality -in the software, and you may not remove or obscure any functionality in the -software that is protected by the license key. - -You may not alter, remove, or obscure any licensing, copyright, or other notices -of the licensor in the software. Any use of the licensor’s trademarks is subject -to applicable law. - -## Patents - -The licensor grants you a license, under any patent claims the licensor can -license, or becomes able to license, to make, have made, use, sell, offer for -sale, import and have imported the software, in each case subject to the -limitations and conditions in this license. This license does not cover any -patent claims that you cause to be infringed by modifications or additions to -the software. If you or your company make any written claim that the software -infringes or contributes to infringement of any patent, your patent license for -the software granted under these terms ends immediately. If your company makes -such a claim, your patent license ends immediately for work on behalf of your -company. - -## Notices - -You must ensure that anyone who gets a copy of any part of the software from you -also gets a copy of these terms. 
- -If you modify the software, you must include in any modified copies of the -software prominent notices stating that you have modified the software. - -## No Other Rights - -These terms do not imply any licenses other than those expressly granted in -these terms. - -## Termination - -If you use the software in violation of these terms, such use is not licensed, -and your licenses will automatically terminate. If the licensor provides you -with a notice of your violation, and you cease all violation of this license no -later than 30 days after you receive that notice, your licenses will be -reinstated retroactively. However, if you violate these terms after such -reinstatement, any additional violation of these terms will cause your licenses -to terminate automatically and permanently. - -## No Liability - -*As far as the law allows, the software comes as is, without any warranty or -condition, and the licensor will not be liable to you for any damages arising -out of these terms or the use or nature of the software, under any kind of -legal claim.* - -## Definitions - -The **licensor** is the entity offering these terms, and the **software** is the -software the licensor makes available under these terms, including any portion -of it. - -**you** refers to the individual or entity agreeing to these terms. - -**your company** is any legal entity, sole proprietorship, or other kind of -organization that you work for, plus all organizations that have control over, -are under the control of, or are under common control with that -organization. **control** means ownership of substantially all the assets of an -entity, or the power to direct its management and policies by vote, contract, or -otherwise. Control can be direct or indirect. - -**your licenses** are all the licenses granted to you for the software under -these terms. - -**use** means anything you do with the software requiring one of your licenses. 
- -**trademark** means trademarks, service marks, and similar rights. diff --git a/packages/jamf_compliance_reporter/0.2.1/changelog.yml b/packages/jamf_compliance_reporter/0.2.1/changelog.yml deleted file mode 100755 index 2468e638dc..0000000000 --- a/packages/jamf_compliance_reporter/0.2.1/changelog.yml +++ /dev/null @@ -1,26 +0,0 @@ -# newer versions go on top -- version: "0.2.1" - changes: - - description: Remove duplicate field. - type: bugfix - link: https://github.com/elastic/integrations/issues/4327 -- version: "0.2.0" - changes: - - description: Update package to ECS 8.4.0 - type: enhancement - link: https://github.com/elastic/integrations/pull/3906 -- version: "0.1.2" - changes: - - description: Update docs to align with new docs guidelines. - type: enhancement - link: https://github.com/elastic/integrations/pull/3862 -- version: "0.1.1" - changes: - - description: Improve SSL config description and example. - type: enhancement - link: https://github.com/elastic/integrations/pull/3763 -- version: "0.1.0" - changes: - - description: Initial Release - type: enhancement - link: https://github.com/elastic/integrations/pull/3210 diff --git a/packages/jamf_compliance_reporter/0.2.1/data_stream/log/agent/stream/http_endpoint.yml.hbs b/packages/jamf_compliance_reporter/0.2.1/data_stream/log/agent/stream/http_endpoint.yml.hbs deleted file mode 100755 index e2f005add3..0000000000 --- a/packages/jamf_compliance_reporter/0.2.1/data_stream/log/agent/stream/http_endpoint.yml.hbs +++ /dev/null @@ -1,23 +0,0 @@ -listen_address: {{listen_address}} -listen_port: {{listen_port}} -url: {{url}} -{{#if preserve_original_event}} -preserve_original_event: true -{{/if}} -tags: -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#each tags as |tag|}} - - {{tag}} -{{/each}} -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} -{{#if ssl}} -ssl: {{ssl}} -{{/if}} -{{#if processors}} -processors: -{{processors}} -{{/if}} 
diff --git a/packages/jamf_compliance_reporter/0.2.1/data_stream/log/agent/stream/tcp.yml.hbs b/packages/jamf_compliance_reporter/0.2.1/data_stream/log/agent/stream/tcp.yml.hbs deleted file mode 100755 index bb13c4892c..0000000000 --- a/packages/jamf_compliance_reporter/0.2.1/data_stream/log/agent/stream/tcp.yml.hbs +++ /dev/null @@ -1,18 +0,0 @@ -host: "{{listen_address}}:{{listen_port}}" -tags: -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#each tags as |tag|}} - - {{tag}} -{{/each}} -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} -{{#if ssl}} -ssl: {{ssl}} -{{/if}} -{{#if processors}} -processors: -{{processors}} -{{/if}} diff --git a/packages/jamf_compliance_reporter/0.2.1/data_stream/log/elasticsearch/ingest_pipeline/default.yml b/packages/jamf_compliance_reporter/0.2.1/data_stream/log/elasticsearch/ingest_pipeline/default.yml deleted file mode 100755 index c46da7db37..0000000000 --- a/packages/jamf_compliance_reporter/0.2.1/data_stream/log/elasticsearch/ingest_pipeline/default.yml +++ /dev/null 
@@ -1,52 +0,0 @@ ---- -description: Pipeline for Jamf Compliance Reporter logs. -processors: - - set: - field: ecs.version - value: '8.4.0' - - rename: - field: message - target_field: event.original - ignore_missing: true - - json: - field: event.original - target_field: json - ignore_failure: true - - pipeline: - name: '{{ IngestPipeline "pipeline_app_metrics" }}' - if: ctx.json?.header?.event_name == 'APP_METRICS' - - pipeline: - name: '{{ IngestPipeline "pipeline_audit" }}' - if: ctx.json?.header?.event_name != null && ctx.json?.header?.event_name.startsWith('AUE_') - - pipeline: - name: '{{ IngestPipeline "pipeline_event" }}' - if: "['AUDIO_VIDEO_DEVICE_EVENT','AUDIT_CLASS_VERIFICATION_EVENT','COMPLIANCE_REPORTER_TAMPER_EVENT','FILE_EVENT','GATEKEEPER_INFO_EVENT','GATEKEEPER_MANUAL_OVERRIDES','GATEKEEPER_QUARANTINE_LOG','HARDWARE_EVENT','LICENSE_INFO_EVENT','PREFERENCE_LIST_EVENT','PRINT_EVENT_INFORMATION','PROHIBITED_APP_BLOCKED','SIGNAL_EVENT','UNIFIED_LOG_EVENT','XPROTECT_DEFINITIONS_VERSION_INFO','XPROTECT_EVENT_LOG'].contains(ctx.json?.header?.event_name)" - - remove: - field: event.original - if: ctx.tags == null || !(ctx.tags.contains('preserve_original_event')) - ignore_failure: true - ignore_missing: true - - remove: - field: json - ignore_missing: true - - script: - description: Drops null/empty values recursively. - lang: painless - source: - boolean dropEmptyFields(Object object) { - if (object == null || object == '') { - return true; - } else if (object instanceof Map) { - ((Map) object).values().removeIf(value -> dropEmptyFields(value)); - return (((Map) object).size() == 0); - } else if (object instanceof List) { - ((List) object).removeIf(value -> dropEmptyFields(value)); - return (((List) object).length == 0); - } - return false; - } - dropEmptyFields(ctx); -on_failure: - - set: - field: error.message - value: '{{ _ingest.on_failure_message }}' 
diff --git a/packages/jamf_compliance_reporter/0.2.1/data_stream/log/elasticsearch/ingest_pipeline/pipeline_app_metrics.yml b/packages/jamf_compliance_reporter/0.2.1/data_stream/log/elasticsearch/ingest_pipeline/pipeline_app_metrics.yml deleted file mode 100755 index e19a4d4515..0000000000 --- a/packages/jamf_compliance_reporter/0.2.1/data_stream/log/elasticsearch/ingest_pipeline/pipeline_app_metrics.yml +++ /dev/null 
@@ -1,112 +0,0 @@ ---- -description: Pipeline for Jamf Compliance Reporter app metrics logs. -processors: - - append: - field: event.type - value: info - - set: - field: event.kind - value: event - - set: - field: jamf_compliance_reporter.log.dataset - value: app_metrics - - set: - field: host.os.type - value: macos - - append: - field: event.category - value: process - - convert: - field: json._event_score - type: long - target_field: jamf_compliance_reporter.log.event_score - ignore_failure: true - - convert: - field: json.app_metric_info.cpu_percentage - type: double - target_field: jamf_compliance_reporter.log.app_metric_info.cpu_percentage - ignore_failure: true - - convert: - field: json.app_metric_info.cpu_time_seconds - type: double - target_field: jamf_compliance_reporter.log.app_metric_info.cpu_time_seconds - ignore_failure: true - - convert: - field: json.app_metric_info.interrupt_wakeups - type: long - target_field: jamf_compliance_reporter.log.app_metric_info.interrupt_wakeups - ignore_failure: true - - convert: - field: json.app_metric_info.platform_idle_wakeups - type: long - target_field: jamf_compliance_reporter.log.app_metric_info.platform_idle_wakeups - ignore_failure: true - - convert: - field: json.app_metric_info.resident_memory_size_mb - type: double - target_field: jamf_compliance_reporter.log.app_metric_info.resident_memory_size.mb - ignore_failure: true - - convert: - field: json.app_metric_info.virtual_memory_size_mb - type: double - target_field: jamf_compliance_reporter.log.app_metric_info.virtual_memory_size.mb - ignore_failure: true - - rename: - field: json.header.event_name - target_field: event.action - ignore_missing: true - - lowercase: - field: event.action - ignore_missing: true - - date: - field: json.header.time_seconds_epoch - if: ctx.json?.header?.time_seconds_epoch != 0 - ignore_failure: true - formats: - - UNIX - - rename: - field: json.host_info.host_name - target_field: host.hostname - ignore_missing: true - - append: - 
field: related.hosts - value: '{{{host.hostname}}}' - if: ctx.host?.hostname != null - allow_duplicates: false - ignore_failure: true - - rename: - field: json.host_info.host_uuid - target_field: jamf_compliance_reporter.log.host_info.host.uuid - ignore_missing: true - - rename: - field: json.host_info.osversion - target_field: host.os.version - ignore_missing: true - - append: - field: host.mac - value: '{{{json.host_info.primary_mac_address}}}' - if: ctx.json?.host_info?.primary_mac_address != null - allow_duplicates: false - ignore_failure: true - - gsub: - field: host.mac - pattern: '[-:.]' - replacement: '-' - ignore_missing: true - - uppercase: - field: host.mac - ignore_missing: true - - rename: - field: json.host_info.serial_number - target_field: host.id - ignore_missing: true - - script: - lang: painless - if: ctx.json?.app_metric_info?.cpu_percentage != null - source: | - ctx.host.cpu = new HashMap(); - ctx.host.cpu.usage = Math.round(ctx.json?.app_metric_info?.cpu_percentage *10) / 1000.0; -on_failure: - - set: - field: error.message - value: '{{ _ingest.on_failure_message }}' diff --git a/packages/jamf_compliance_reporter/0.2.1/data_stream/log/elasticsearch/ingest_pipeline/pipeline_audio_video_device_event.yml b/packages/jamf_compliance_reporter/0.2.1/data_stream/log/elasticsearch/ingest_pipeline/pipeline_audio_video_device_event.yml deleted file mode 100755 index d75f709196..0000000000 --- a/packages/jamf_compliance_reporter/0.2.1/data_stream/log/elasticsearch/ingest_pipeline/pipeline_audio_video_device_event.yml +++ /dev/null 
@@ -1,34 +0,0 @@ ---- -description: Pipeline for Jamf Compliance Reporter audio video device event logs. -processors: - - rename: - field: json.audio_video_device_info.audio_device_creator - target_field: jamf_compliance_reporter.log.audio_video_device_info.audio_device.creator - ignore_missing: true - - convert: - field: json.audio_video_device_info.audio_device_hog_mode - target_field: jamf_compliance_reporter.log.audio_video_device_info.audio_device.hog_mode - type: string - ignore_failure: true - - convert: - field: json.audio_video_device_info.audio_device_id - target_field: jamf_compliance_reporter.log.audio_video_device_info.audio_device.id - type: string - ignore_failure: true - - rename: - field: json.audio_video_device_info.audio_device_manufacturer - target_field: jamf_compliance_reporter.log.audio_video_device_info.audio_device.manufacturer - ignore_missing: true - - convert: - field: json.audio_video_device_info.audio_device_running - target_field: jamf_compliance_reporter.log.audio_video_device_info.audio_device.running - type: long - ignore_failure: true - - rename: - field: json.audio_video_device_info.audio_device_uuid - target_field: jamf_compliance_reporter.log.audio_video_device_info.audio_device.uuid - ignore_missing: true - - rename: - field: json.audio_video_device_info.device_status - target_field: jamf_compliance_reporter.log.audio_video_device_info.device_status - ignore_missing: true diff --git a/packages/jamf_compliance_reporter/0.2.1/data_stream/log/elasticsearch/ingest_pipeline/pipeline_audit.yml b/packages/jamf_compliance_reporter/0.2.1/data_stream/log/elasticsearch/ingest_pipeline/pipeline_audit.yml deleted file mode 100755 index a9c3639535..0000000000 --- a/packages/jamf_compliance_reporter/0.2.1/data_stream/log/elasticsearch/ingest_pipeline/pipeline_audit.yml +++ /dev/null 
@@ -1,324 +0,0 @@ ---- -description: Pipeline for Jamf Compliance Reporter audit logs. -processors: - - set: - field: jamf_compliance_reporter.log.dataset - value: audit - - convert: - field: json._event_score - target_field: jamf_compliance_reporter.log.event_score - type: long - ignore_failure: true - - convert: - field: json.header.event_id - target_field: event.code - type: string - ignore_failure: true - - convert: - field: json.header.event_modifier - target_field: jamf_compliance_reporter.log.header.event_modifier - type: string - ignore_failure: true - - rename: - field: json.header.event_name - target_field: event.action - ignore_missing: true - - lowercase: - field: event.action - ignore_missing: true - - script: - lang: painless - if: ctx.json?.header?.time_seconds_epoch != 0 - source: | - ctx.json.time_milliseconds = (long)ctx.json?.header?.time_seconds_epoch * 1000 + (long)ctx.json?.header?.time_milliseconds_offset; - - date: - field: json.time_milliseconds - ignore_failure: true - formats: - - UNIX_MS - - convert: - field: json.header.version - target_field: jamf_compliance_reporter.log.header.version - type: string - ignore_failure: true - - rename: - field: json.host_info.host_name - target_field: host.hostname - ignore_missing: true - - append: - field: related.hosts - value: '{{{host.hostname}}}' - if: ctx.host?.hostname != null - allow_duplicates: false - ignore_failure: true - - rename: - field: json.host_info.host_uuid - target_field: jamf_compliance_reporter.log.host_info.host.uuid - ignore_missing: true - - rename: - field: json.host_info.osversion - target_field: host.os.version - ignore_missing: true - - append: - field: host.mac - value: '{{{json.host_info.primary_mac_address}}}' - if: ctx.json?.host_info?.primary_mac_address != null - allow_duplicates: false - ignore_failure: true - - gsub: - field: host.mac - pattern: '[-:.]' - replacement: '-' - ignore_missing: true - - uppercase: - field: host.mac - ignore_missing: true - - rename: - 
field: json.host_info.serial_number - target_field: host.id - ignore_missing: true - - rename: - field: json.return.description - target_field: jamf_compliance_reporter.log.return.description - ignore_missing: true - - convert: - field: json.return.error - target_field: error.code - type: string - ignore_failure: true - - set: - field: event.outcome - value: 'success' - if: ctx.error?.code == '0' - - set: - field: event.outcome - value: 'failure' - if: ctx.error?.code != '0' - - convert: - field: json.return.return_value - target_field: process.exit_code - type: long - ignore_failure: true - - convert: - field: json.subject.audit_id - target_field: process.real_user.id - type: string - ignore_failure: true - - rename: - field: json.subject.audit_user_name - target_field: process.real_user.name - ignore_missing: true - - append: - field: related.user - value: '{{{process.real_user.name}}}' - if: ctx.process?.real_user?.name != null - allow_duplicates: false - ignore_failure: true - - append: - field: user.name - value: '{{{json.subject.audit_user_name}}}' - if: ctx.json?.subject?.audit_user_name != null - allow_duplicates: false - ignore_failure: true - - convert: - field: json.subject.effective_group_id - target_field: jamf_compliance_reporter.log.subject.effective.group.id - type: string - ignore_failure: true - - rename: - field: json.subject.effective_group_name - target_field: jamf_compliance_reporter.log.subject.effective.group.name - ignore_missing: true - - convert: - field: json.subject.effective_user_id - target_field: process.user.id - type: string - ignore_failure: true - - append: - field: user.name - value: '{{{json.subject.effective_user_name}}}' - if: ctx.json?.subject?.effective_user_name != null - allow_duplicates: false - ignore_failure: true - - append: - field: related.user - value: '{{{json.subject.effective_user_name}}}' - if: ctx.json?.subject?.effective_user_name != null - allow_duplicates: false - ignore_failure: true - - rename: - field: 
json.subject.effective_user_name - target_field: process.user.name - ignore_missing: true - - convert: - field: json.subject.group_id - target_field: process.real_group.id - type: string - ignore_failure: true - - rename: - field: json.subject.group_name - target_field: process.real_group.name - ignore_missing: true - - rename: - field: json.subject.process_hash - target_field: process.hash.sha1 - ignore_missing: true - - append: - field: related.hash - value: '{{{process.hash.sha1}}}' - if: ctx.process?.hash?.sha1 != null - allow_duplicates: false - ignore_failure: true - - convert: - field: json.subject.process_id - target_field: jamf_compliance_reporter.log.subject.process.pid - type: long - ignore_failure: true - - rename: - field: json.subject.process_name - target_field: jamf_compliance_reporter.log.subject.process.name - ignore_missing: true - - convert: - field: json.subject.session_id - target_field: jamf_compliance_reporter.log.subject.session.id - type: string - ignore_failure: true - - convert: - field: json.subject.terminal_id.addr - target_field: jamf_compliance_reporter.log.subject.terminal_id.addr - type: string - ignore_failure: true - - convert: - field: json.subject.terminal_id.ip_address - type: ip - ignore_failure: true - - append: - field: host.ip - value: '{{{json.subject.terminal_id.ip_address}}}' - if: ctx.json?.subject?.terminal_id?.ip_address != null - allow_duplicates: false - ignore_failure: true - - append: - field: related.ip - value: '{{{json.subject.terminal_id.ip_address}}}' - if: ctx.json?.subject?.terminal_id?.ip_address != null - allow_duplicates: false - ignore_failure: true - - convert: - field: json.subject.terminal_id.port - target_field: jamf_compliance_reporter.log.subject.terminal_id.port - type: long - ignore_failure: true - - convert: - field: json.subject.terminal_id.type - target_field: jamf_compliance_reporter.log.subject.terminal_id.type - type: string - ignore_failure: true - - convert: - field: 
json.subject.user_id - target_field: user.id - type: string - ignore_failure: true - - append: - field: user.name - value: '{{{json.subject.user_name}}}' - if: ctx.json?.subject?.user_name != null - allow_duplicates: false - ignore_failure: true - - append: - field: related.user - value: '{{{json.subject.user_name}}}' - if: ctx.json?.subject?.user_name != null - allow_duplicates: false - ignore_failure: true - - set: - field: event.type - value: [info] - - set: - field: event.kind - value: event - - set: - field: event.category - value: [authentication] - - pipeline: - name: '{{ IngestPipeline "pipeline_aue_accept" }}' - if: ctx.event?.action == 'aue_accept' - - pipeline: - name: '{{ IngestPipeline "pipeline_aue_auth" }}' - if: '["aue_auth_user", "aue_ssauthorize", "aue_ssauthmech"].contains(ctx.event?.action)' - - pipeline: - name: '{{ IngestPipeline "pipeline_aue_bind_and_aue_connect" }}' - if: '["aue_bind", "aue_connect"].contains(ctx.event?.action)' - - pipeline: - name: '{{ IngestPipeline "pipeline_aue_chdir" }}' - if: ctx.event?.action == 'aue_chdir' - - pipeline: - name: '{{ IngestPipeline "pipeline_aue_chroot" }}' - if: ctx.event?.action == 'aue_chroot' - - pipeline: - name: '{{ IngestPipeline "pipeline_aue_execve" }}' - if: ctx.event?.action == 'aue_execve' - - pipeline: - name: '{{ IngestPipeline "pipeline_aue_exit" }}' - if: ctx.event?.action == 'aue_exit' - - pipeline: - name: '{{ IngestPipeline "pipeline_aue_kill" }}' - if: ctx.event?.action == 'aue_kill' - - pipeline: - name: '{{ IngestPipeline "pipeline_aue_mount" }}' - if: ctx.event?.action == 'aue_mount' - - pipeline: - name: '{{ IngestPipeline "pipeline_aue_posix_spawn" }}' - if: ctx.event?.action == 'aue_posix_spawn' - - pipeline: - name: '{{ IngestPipeline "pipeline_aue_remove_from_group_and_aue_mac_set_proc" }}' - if: '["aue_remove_from_group", "aue_mac_set_proc"].contains(ctx.event?.action)' - - pipeline: - name: '{{ IngestPipeline "pipeline_aue_session" }}' - if: '["aue_session_end", 
"aue_session_update", "aue_session_close", "aue_session_start"].contains(ctx.event?.action)' - - pipeline: - name: '{{ IngestPipeline "pipeline_aue_arguments" }}' - if: '["aue_setsockopt", "aue_shutdown"].contains(ctx.event?.action)' - - pipeline: - name: '{{ IngestPipeline "pipeline_aue_ssauthint" }}' - if: ctx.event?.action == 'aue_ssauthint' - - pipeline: - name: '{{ IngestPipeline "pipeline_aue_tasknameforpid" }}' - if: ctx.event?.action == 'aue_tasknameforpid' - - pipeline: - name: '{{ IngestPipeline "pipeline_aue_unmount" }}' - if: ctx.event?.action == 'aue_unmount' - - pipeline: - name: '{{ IngestPipeline "pipeline_aue_fork" }}' - if: ctx.event?.action == 'aue_fork' - - pipeline: - name: '{{ IngestPipeline "pipeline_identity_object" }}' - if: '["aue_getauid", "aue_lw_login", "aue_settimeofday"].contains(ctx.event?.action)' - - pipeline: - name: '{{ IngestPipeline "pipeline_aue_listen" }}' - if: ctx.event?.action == 'aue_listen' - - pipeline: - name: '{{ IngestPipeline "pipeline_aue_logout" }}' - if: ctx.event?.action == 'aue_logout' - - pipeline: - name: '{{ IngestPipeline "pipeline_aue_pidfortask" }}' - if: ctx.event?.action == 'aue_pidfortask' - - pipeline: - name: '{{ IngestPipeline "pipeline_aue_ptrace" }}' - if: ctx.event?.action == 'aue_ptrace' - - pipeline: - name: '{{ IngestPipeline "pipeline_aue_setpriority" }}' - if: ctx.event?.action == 'aue_setpriority' - - pipeline: - name: '{{ IngestPipeline "pipeline_aue_socketpair" }}' - if: ctx.event?.action == 'aue_socketpair' - - pipeline: - name: '{{ IngestPipeline "pipeline_aue_taskforpid" }}' - if: ctx.event?.action == 'aue_taskforpid' - - pipeline: - name: '{{ IngestPipeline "pipeline_aue_wait4" }}' - if: ctx.event?.action == 'aue_wait4' -on_failure: - - set: - field: error.message - value: '{{ _ingest.on_failure_message }}' 
diff --git a/packages/jamf_compliance_reporter/0.2.1/data_stream/log/elasticsearch/ingest_pipeline/pipeline_audit_class_verification_event.yml b/packages/jamf_compliance_reporter/0.2.1/data_stream/log/elasticsearch/ingest_pipeline/pipeline_audit_class_verification_event.yml deleted file mode 100755 index 3bd9dde8c3..0000000000 --- a/packages/jamf_compliance_reporter/0.2.1/data_stream/log/elasticsearch/ingest_pipeline/pipeline_audit_class_verification_event.yml +++ /dev/null @@ -1,25 +0,0 @@ ---- -description: Pipeline for Jamf Compliance Reporter audit class verification event logs. -processors: - - rename: - field: json.audit_class_verification_info.contents - target_field: jamf_compliance_reporter.log.audit_class_verification_info.contents - ignore_missing: true - - rename: - field: json.audit_class_verification_info.osversion - target_field: jamf_compliance_reporter.log.audit_class_verification_info.os.version - ignore_missing: true - - convert: - field: json.audit_class_verification_info.restored_default - target_field: jamf_compliance_reporter.log.audit_class_verification_info.restored_default - type: boolean - ignore_failure: true - - convert: - field: json.audit_class_verification_info.status - target_field: jamf_compliance_reporter.log.audit_class_verification_info.status - type: string - ignore_failure: true - - rename: - field: json.audit_class_verification_info.status_str - target_field: jamf_compliance_reporter.log.audit_class_verification_info.status_str - ignore_missing: true diff --git a/packages/jamf_compliance_reporter/0.2.1/data_stream/log/elasticsearch/ingest_pipeline/pipeline_aue_accept.yml b/packages/jamf_compliance_reporter/0.2.1/data_stream/log/elasticsearch/ingest_pipeline/pipeline_aue_accept.yml deleted file mode 100755 index edbe338cbe..0000000000 --- a/packages/jamf_compliance_reporter/0.2.1/data_stream/log/elasticsearch/ingest_pipeline/pipeline_aue_accept.yml +++ /dev/null 
@@ -1,59 +0,0 @@ ---- -description: Pipeline for Jamf Compliance Reporter aue_accept audit logs. -processors: - - rename: - field: json.path - target_field: jamf_compliance_reporter.log.path - ignore_missing: true - - convert: - field: json.socket_unix.family - target_field: json.inet_family - type: string - ignore_failure: true - - rename: - field: json.socket_unix.path - target_field: jamf_compliance_reporter.log.socket.unix.path - ignore_missing: true - - convert: - field: json.arguments.fd - target_field: jamf_compliance_reporter.log.arguments.fd - type: string - ignore_failure: true - - script: - description: Dynamically map Socket Address Families. - lang: painless - if: ctx.json?.inet_family != null - source: | - Map map = new HashMap(); - map.put("0", 'AF_UNSPEC'); - map.put("1", "AF_LOCAL"); - map.put("AF_LOCAL", "AF_UNIX"); - map.put("2", "AF_INET"); - map.put("3", "AF_ImapPLINK"); - map.put("4", "AF_PUP"); - map.put("5", "AF_CHAOS"); - map.put("6", "AF_NS"); - map.put("7", "AF_ISO"); - map.put("AF_ISO", "AF_OSI"); - map.put("8", "AF_ECmapA"); - map.put("9", "AF_DATAKIT"); - map.put("10", "AF_CCITT"); - map.put("11", "AF_SNA"); - map.put("12", "AF_DECnet"); - map.put("13", "AF_DLI"); - map.put("14", "AF_LAT"); - map.put("15", "AF_HYLINK"); - map.put("16", "AF_APPLETALK"); - map.put("17", "AF_ROUTE"); - map.put("18", "AF_LINK"); - map.put("19", "pseudo_AF_XTP"); - map.put("20", "AF_COIP"); - map.put("21", "AF_CNT"); - map.put("22", "pseudo_AF_RTIP"); - map.put("23", "AF_IPX"); - map.put("24", "AF_SIP"); - map.put("25", "pseudo_AF_PIP"); - ctx.jamf_compliance_reporter.log.socket.unix.family = map.get(ctx.json.inet_family); - - - pipeline: - name: '{{ IngestPipeline "pipeline_identity_object" }}' 
diff --git a/packages/jamf_compliance_reporter/0.2.1/data_stream/log/elasticsearch/ingest_pipeline/pipeline_aue_arguments.yml b/packages/jamf_compliance_reporter/0.2.1/data_stream/log/elasticsearch/ingest_pipeline/pipeline_aue_arguments.yml deleted file mode 100755 index f0e659017d..0000000000 --- a/packages/jamf_compliance_reporter/0.2.1/data_stream/log/elasticsearch/ingest_pipeline/pipeline_aue_arguments.yml +++ /dev/null @@ -1,10 +0,0 @@ ---- -description: Pipeline for Jamf Compliance Reporter aue_arguments audit logs. -processors: - - convert: - field: json.arguments.fd - target_field: jamf_compliance_reporter.log.arguments.fd - type: string - ignore_failure: true - - pipeline: - name: '{{ IngestPipeline "pipeline_identity_object" }}' diff --git a/packages/jamf_compliance_reporter/0.2.1/data_stream/log/elasticsearch/ingest_pipeline/pipeline_aue_auth.yml b/packages/jamf_compliance_reporter/0.2.1/data_stream/log/elasticsearch/ingest_pipeline/pipeline_aue_auth.yml deleted file mode 100755 index c6059358a3..0000000000 --- a/packages/jamf_compliance_reporter/0.2.1/data_stream/log/elasticsearch/ingest_pipeline/pipeline_aue_auth.yml +++ /dev/null @@ -1,9 +0,0 @@ ---- -description: Pipeline for Jamf Compliance Reporter aue_auth audit logs. -processors: - - pipeline: - name: '{{ IngestPipeline "pipeline_identity_object" }}' - - rename: - field: json.texts - target_field: jamf_compliance_reporter.log.texts - ignore_missing: true diff --git a/packages/jamf_compliance_reporter/0.2.1/data_stream/log/elasticsearch/ingest_pipeline/pipeline_aue_bind_and_aue_connect.yml b/packages/jamf_compliance_reporter/0.2.1/data_stream/log/elasticsearch/ingest_pipeline/pipeline_aue_bind_and_aue_connect.yml deleted file mode 100755 index 469d153314..0000000000 --- a/packages/jamf_compliance_reporter/0.2.1/data_stream/log/elasticsearch/ingest_pipeline/pipeline_aue_bind_and_aue_connect.yml +++ /dev/null 
@@ -1,77 +0,0 @@ ---- -description: Pipeline for Jamf Compliance Reporter aue_bind and aue_connect audit logs. -processors: - - convert: - field: json.socket_inet.addr - target_field: jamf_compliance_reporter.log.socket.inet.addr - type: string - ignore_failure: true - - convert: - field: json.arguments.fd - target_field: jamf_compliance_reporter.log.arguments.fd - type: string - ignore_failure: true - - convert: - field: json.socket_inet.family - target_field: json.inet_family - type: string - ignore_failure: true - - convert: - field: json.socket_inet.id - target_field: jamf_compliance_reporter.log.socket.inet.id - type: string - ignore_failure: true - - convert: - field: json.socket_inet.ip_address - target_field: server.ip - type: ip - ignore_failure: true - - append: - field: related.ip - value: '{{{server.ip}}}' - if: ctx.server?.ip != null - allow_duplicates: false - ignore_failure: true - - convert: - field: json.socket_inet.port - target_field: server.port - type: long - ignore_failure: true - - script: - description: Dynamically map Socket Address Families. 
- lang: painless - if: ctx.json?.inet_family != null - source: | - Map map = new HashMap(); - map.put("0", 'AF_UNSPEC'); - map.put("1", "AF_LOCAL"); - map.put("AF_LOCAL", "AF_UNIX"); - map.put("2", "AF_INET"); - map.put("3", "AF_ImapPLINK"); - map.put("4", "AF_PUP"); - map.put("5", "AF_CHAOS"); - map.put("6", "AF_NS"); - map.put("7", "AF_ISO"); - map.put("AF_ISO", "AF_OSI"); - map.put("8", "AF_ECmapA"); - map.put("9", "AF_DATAKIT"); - map.put("10", "AF_CCITT"); - map.put("11", "AF_SNA"); - map.put("12", "AF_DECnet"); - map.put("13", "AF_DLI"); - map.put("14", "AF_LAT"); - map.put("15", "AF_HYLINK"); - map.put("16", "AF_APPLETALK"); - map.put("17", "AF_ROUTE"); - map.put("18", "AF_LINK"); - map.put("19", "pseudo_AF_XTP"); - map.put("20", "AF_COIP"); - map.put("21", "AF_CNT"); - map.put("22", "pseudo_AF_RTIP"); - map.put("23", "AF_IPX"); - map.put("24", "AF_SIP"); - map.put("25", "pseudo_AF_PIP"); - ctx.jamf_compliance_reporter.log.socket.inet.family = map.get(ctx.json.inet_family); - - - pipeline: - name: '{{ IngestPipeline "pipeline_identity_object" }}' diff --git a/packages/jamf_compliance_reporter/0.2.1/data_stream/log/elasticsearch/ingest_pipeline/pipeline_aue_chdir.yml b/packages/jamf_compliance_reporter/0.2.1/data_stream/log/elasticsearch/ingest_pipeline/pipeline_aue_chdir.yml deleted file mode 100755 index 2e2e55a973..0000000000 --- a/packages/jamf_compliance_reporter/0.2.1/data_stream/log/elasticsearch/ingest_pipeline/pipeline_aue_chdir.yml +++ /dev/null 
@@ -1,65 +0,0 @@ ---- -description: Pipeline for Jamf Compliance Reporter aue_chdir audit logs. -processors: - - convert: - field: json.attributes.device - target_field: jamf_compliance_reporter.log.attributes.device - type: string - ignore_failure: true - - rename: - field: json.attributes.file_access_mode - target_field: json.file_access_mode - ignore_failure: true - - convert: - field: json.attributes.file_system_id - target_field: jamf_compliance_reporter.log.attributes.file.system.id - type: string - ignore_failure: true - - convert: - field: json.attributes.node_id - target_field: jamf_compliance_reporter.log.attributes.node.id - type: string - ignore_failure: true - - convert: - field: json.attributes.owner_group_id - target_field: user.group.id - type: string - ignore_failure: true - - rename: - field: json.attributes.owner_group_name - target_field: user.group.name - ignore_missing: true - - convert: - field: json.attributes.owner_user_id - type: string - ignore_failure: true - - append: - field: user.id - value: '{{{json.attributes.owner_user_id}}}' - if: ctx.json?.attributes?.owner_user_id != null - allow_duplicates: false - ignore_failure: true - - append: - field: user.name - value: '{{{json.attributes.owner_user_name}}}' - if: ctx.json?.attributes?.owner_user_name != null - allow_duplicates: false - ignore_failure: true - - append: - field: related.user - value: '{{{json.attributes.owner_user_name}}}' - if: ctx.json?.attributes?.owner_user_name != null - allow_duplicates: false - ignore_failure: true - - pipeline: - name: '{{ IngestPipeline "pipeline_identity_object" }}' - - rename: - field: json.path - target_field: jamf_compliance_reporter.log.path - ignore_missing: true - - script: - description: Convert Decimal into Octal. - lang: painless - source: | - int temp = (int)ctx.json?.file_access_mode; - ctx.jamf_compliance_reporter.log.attributes.file.access_mode = Integer.toOctalString(temp); \ No newline at end of file 
diff --git a/packages/jamf_compliance_reporter/0.2.1/data_stream/log/elasticsearch/ingest_pipeline/pipeline_aue_chroot.yml b/packages/jamf_compliance_reporter/0.2.1/data_stream/log/elasticsearch/ingest_pipeline/pipeline_aue_chroot.yml deleted file mode 100755 index 68d8e0a280..0000000000 --- a/packages/jamf_compliance_reporter/0.2.1/data_stream/log/elasticsearch/ingest_pipeline/pipeline_aue_chroot.yml +++ /dev/null 
@@ -1,67 +0,0 @@ ---- -description: Pipeline for Jamf Compliance Reporter aue_chroot audit logs. -processors: - - convert: - field: json.attributes.device - target_field: jamf_compliance_reporter.log.attributes.device - type: string - ignore_failure: true - - rename: - field: json.attributes.file_access_mode - target_field: json.file_access_mode - ignore_missing: true - - convert: - field: json.attributes.file_system_id - target_field: jamf_compliance_reporter.log.attributes.file.system.id - type: string - ignore_failure: true - - convert: - field: json.attributes.node_id - target_field: jamf_compliance_reporter.log.attributes.node.id - type: string - ignore_failure: true - - convert: - field: json.attributes.owner_group_id - target_field: user.group.id - type: string - ignore_failure: true - - rename: - field: json.attributes.owner_group_name - target_field: user.group.name - ignore_missing: true - - convert: - field: json.attributes.owner_user_id - type: string - ignore_failure: true - - append: - field: user.id - value: '{{{json.attributes.owner_user_id}}}' - if: ctx.json?.attributes?.owner_user_id != null - allow_duplicates: false - ignore_failure: true - - append: - field: user.name - value: '{{{json.attributes.owner_user_name}}}' - if: ctx.json?.attributes?.owner_user_name != null - allow_duplicates: false - ignore_failure: true - - append: - field: related.user - value: '{{{json.attributes.owner_user_name}}}' - if: ctx.json?.attributes?.owner_user_name != null - allow_duplicates: false - ignore_failure: true - - pipeline: - name: '{{ IngestPipeline "pipeline_identity_object" }}' - - rename: - field: json.path - target_field: jamf_compliance_reporter.log.path - ignore_missing: true - - pipeline: - name: '{{ IngestPipeline "pipeline_exec_chain_child_object" }}' - - script: - description: Convert Decimal into Octal. 
- lang: painless - source: | - int temp = (int)ctx.json?.file_access_mode; - ctx.jamf_compliance_reporter.log.attributes.file.access_mode = Integer.toOctalString(temp); diff --git a/packages/jamf_compliance_reporter/0.2.1/data_stream/log/elasticsearch/ingest_pipeline/pipeline_aue_execve.yml b/packages/jamf_compliance_reporter/0.2.1/data_stream/log/elasticsearch/ingest_pipeline/pipeline_aue_execve.yml deleted file mode 100755 index 28c7b1ab87..0000000000 --- a/packages/jamf_compliance_reporter/0.2.1/data_stream/log/elasticsearch/ingest_pipeline/pipeline_aue_execve.yml +++ /dev/null 
@@ -1,141 +0,0 @@ ---- -description: Pipeline for Jamf Compliance Reporter aue_execve audit logs. -processors: - - convert: - field: json.attributes.device - target_field: jamf_compliance_reporter.log.attributes.device - type: string - ignore_failure: true - - rename: - field: json.attributes.file_access_mode - target_field: json.file_access_mode - ignore_failure: true - - convert: - field: json.attributes.file_system_id - target_field: jamf_compliance_reporter.log.attributes.file.system.id - type: string - ignore_failure: true - - convert: - field: json.attributes.node_id - target_field: jamf_compliance_reporter.log.attributes.node.id - type: string - ignore_failure: true - - convert: - field: json.attributes.owner_group_id - target_field: user.group.id - type: string - ignore_failure: true - - rename: - field: json.attributes.owner_group_name - target_field: user.group.name - ignore_missing: true - - convert: - field: json.attributes.owner_user_id - type: string - ignore_failure: true - - append: - field: user.id - value: '{{{json.attributes.owner_user_id}}}' - if: ctx.json?.attributes?.owner_user_id != null - allow_duplicates: false - ignore_failure: true - - append: - field: user.name - value: '{{{json.attributes.owner_user_name}}}' - if: ctx.json?.attributes?.owner_user_name != null - allow_duplicates: false - ignore_failure: true - - append: - field: related.user - value: '{{{json.attributes.owner_user_name}}}' - if: ctx.json?.attributes?.owner_user_name != null - allow_duplicates: false - ignore_failure: true - - pipeline: - name: '{{ IngestPipeline "pipeline_identity_object" }}' - - rename: - field: json.path - target_field: jamf_compliance_reporter.log.path - ignore_missing: true - - pipeline: - name: '{{ IngestPipeline "pipeline_exec_chain_child_object" }}' - - rename: - field: json.exec_args.args - target_field: json.args - ignore_missing: true - - rename: - field: json.exec_args.args_compiled - target_field: 
jamf_compliance_reporter.log.exec_args.args_compiled - ignore_missing: true - - script: - lang: painless - if: ctx.json?.exec_env?.env?.ARCH != null && ctx.json.exec_env.env.ARCH != "" - params: - 'allowed': - - linux - - macos - - unix - - windows - - ios - - android - 'replacements': - 'macintosh': macos - source: | - for (entry in params.replacements.entrySet()) { - if (ctx.json.exec_env.env.ARCH == entry.getKey()) { - ctx.json.exec_env.env.put("ARCH", entry.getValue()); - } - } - if (!params.allowed.contains(ctx.json.exec_env.env.ARCH)) { - return; - } - if (ctx.host == null) { - HashMap hm = new HashMap(); - ctx.put("host", hm); - } - if (ctx.host.os == null) { - HashMap hm = new HashMap(); - ctx.host.put("os", hm); - } - ctx.host.os.put("type", ctx.json.exec_env.env.ARCH); - ctx.json.exec_env.env.remove("ARCH"); - - - rename: - field: json.exec_env.env.CPU - target_field: host.architecture - ignore_missing: true - - rename: - field: json.exec_env.env.MALWAREBYTES_GROUP - target_field: jamf_compliance_reporter.log.exec_env.env.malwarebytes_group - ignore_missing: true - - rename: - field: json.exec_env.env.PATH - target_field: jamf_compliance_reporter.log.exec_env.env.path - ignore_missing: true - - rename: - field: json.exec_env.env.XPC_FLAGS - target_field: jamf_compliance_reporter.log.exec_env.env.xpc.flags - ignore_missing: true - - rename: - field: json.exec_env.env.XPC_SERVICE_NAME - target_field: jamf_compliance_reporter.log.exec_env.env.xpc.service_name - ignore_missing: true - - rename: - field: json.exec_env.env_compiled - target_field: jamf_compliance_reporter.log.exec_env.env.compiled - ignore_missing: true - - script: - description: Convert Object into Array. - lang: painless - source: | - def args_list = new ArrayList(); - ctx.process.args = args_list; - for (Map.Entry m : ctx.json?.args.entrySet()) { - ctx.process?.args.add(m.getValue()); - } - - script: - description: Convert Decimal into Octal. 
- lang: painless - source: | - int temp = (int)ctx.json?.file_access_mode; - ctx.jamf_compliance_reporter.log.attributes.file.access_mode = Integer.toOctalString(temp); diff --git a/packages/jamf_compliance_reporter/0.2.1/data_stream/log/elasticsearch/ingest_pipeline/pipeline_aue_exit.yml b/packages/jamf_compliance_reporter/0.2.1/data_stream/log/elasticsearch/ingest_pipeline/pipeline_aue_exit.yml deleted file mode 100755 index da2a5e7497..0000000000 --- a/packages/jamf_compliance_reporter/0.2.1/data_stream/log/elasticsearch/ingest_pipeline/pipeline_aue_exit.yml +++ /dev/null @@ -1,17 +0,0 @@ ---- -description: Pipeline for Jamf Compliance Reporter aue_exit audit logs. -processors: - - pipeline: - name: '{{ IngestPipeline "pipeline_identity_object" }}' - - pipeline: - name: '{{ IngestPipeline "pipeline_exec_chain_child_object" }}' - - convert: - field: json.exit.return_value - target_field: jamf_compliance_reporter.log.exit.return.value - type: long - ignore_failure: true - - convert: - field: json.exit.status - target_field: jamf_compliance_reporter.log.exit.status - type: string - ignore_failure: true diff --git a/packages/jamf_compliance_reporter/0.2.1/data_stream/log/elasticsearch/ingest_pipeline/pipeline_aue_fork.yml b/packages/jamf_compliance_reporter/0.2.1/data_stream/log/elasticsearch/ingest_pipeline/pipeline_aue_fork.yml deleted file mode 100755 index dc41d64592..0000000000 --- a/packages/jamf_compliance_reporter/0.2.1/data_stream/log/elasticsearch/ingest_pipeline/pipeline_aue_fork.yml +++ /dev/null 
@@ -1,14 +0,0 @@ ---- -description: Pipeline for Jamf Compliance Reporter aue_fork audit logs. -processors: - - rename: - field: json.exec_chain_parent.uuid - target_field: jamf_compliance_reporter.log.exec_chain_parent.uuid - ignore_missing: true - - convert: - field: json.arguments.child_PID - target_field: jamf_compliance_reporter.log.arguments.child.pid - type: long - ignore_failure: true - - pipeline: - name: '{{ IngestPipeline "pipeline_identity_object" }}' diff --git a/packages/jamf_compliance_reporter/0.2.1/data_stream/log/elasticsearch/ingest_pipeline/pipeline_aue_kill.yml b/packages/jamf_compliance_reporter/0.2.1/data_stream/log/elasticsearch/ingest_pipeline/pipeline_aue_kill.yml deleted file mode 100755 index b244e8f9ef..0000000000 --- a/packages/jamf_compliance_reporter/0.2.1/data_stream/log/elasticsearch/ingest_pipeline/pipeline_aue_kill.yml +++ /dev/null @@ -1,12 +0,0 @@ ---- -description: Pipeline for Jamf Compliance Reporter aue_kill audit logs. -processors: - - convert: - field: json.arguments.signal - target_field: jamf_compliance_reporter.log.arguments.signal - type: string - ignore_failure: true - - pipeline: - name: '{{ IngestPipeline "pipeline_process_object" }}' - - pipeline: - name: '{{ IngestPipeline "pipeline_identity_object" }}' diff --git a/packages/jamf_compliance_reporter/0.2.1/data_stream/log/elasticsearch/ingest_pipeline/pipeline_aue_listen.yml b/packages/jamf_compliance_reporter/0.2.1/data_stream/log/elasticsearch/ingest_pipeline/pipeline_aue_listen.yml deleted file mode 100755 index e996ee0509..0000000000 --- a/packages/jamf_compliance_reporter/0.2.1/data_stream/log/elasticsearch/ingest_pipeline/pipeline_aue_listen.yml +++ /dev/null 
@@ -1,12 +0,0 @@ ---- -description: Pipeline for Jamf Compliance Reporter aue_listen audit logs. -processors: - - convert: - field: json.arguments.fd - target_field: jamf_compliance_reporter.log.arguments.fd - type: string - ignore_failure: true - - pipeline: - name: '{{ IngestPipeline "pipeline_exec_chain_child_object" }}' - - pipeline: - name: '{{ IngestPipeline "pipeline_identity_object" }}' diff --git a/packages/jamf_compliance_reporter/0.2.1/data_stream/log/elasticsearch/ingest_pipeline/pipeline_aue_logout.yml b/packages/jamf_compliance_reporter/0.2.1/data_stream/log/elasticsearch/ingest_pipeline/pipeline_aue_logout.yml deleted file mode 100755 index 6b4cde9174..0000000000 --- a/packages/jamf_compliance_reporter/0.2.1/data_stream/log/elasticsearch/ingest_pipeline/pipeline_aue_logout.yml +++ /dev/null @@ -1,7 +0,0 @@ ---- -description: Pipeline for Jamf Compliance Reporter aue_logout audit logs. -processors: - - pipeline: - name: '{{ IngestPipeline "pipeline_exec_chain_child_object" }}' - - pipeline: - name: '{{ IngestPipeline "pipeline_identity_object" }}' diff --git a/packages/jamf_compliance_reporter/0.2.1/data_stream/log/elasticsearch/ingest_pipeline/pipeline_aue_mount.yml b/packages/jamf_compliance_reporter/0.2.1/data_stream/log/elasticsearch/ingest_pipeline/pipeline_aue_mount.yml deleted file mode 100755 index 1b2cc1d01d..0000000000 --- a/packages/jamf_compliance_reporter/0.2.1/data_stream/log/elasticsearch/ingest_pipeline/pipeline_aue_mount.yml +++ /dev/null 
@@ -1,76 +0,0 @@ ---- -description: Pipeline for Jamf Compliance Reporter aue_mount audit logs. -processors: - - rename: - field: json.texts - target_field: jamf_compliance_reporter.log.texts - ignore_missing: true - - pipeline: - name: '{{ IngestPipeline "pipeline_exec_chain_child_object" }}' - - pipeline: - name: '{{ IngestPipeline "pipeline_identity_object" }}' - - rename: - field: json.path - target_field: jamf_compliance_reporter.log.path - ignore_missing: true - - convert: - field: json.attributes.device - target_field: jamf_compliance_reporter.log.attributes.device - type: string - ignore_failure: true - - rename: - field: json.attributes.file_access_mode - target_field: json.file_access_mode - ignore_missing: true - - convert: - field: json.attributes.file_system_id - target_field: jamf_compliance_reporter.log.attributes.file.system.id - type: string - ignore_failure: true - - convert: - field: json.attributes.node_id - target_field: jamf_compliance_reporter.log.attributes.node.id - type: string - ignore_failure: true - - convert: - field: json.attributes.owner_group_id - target_field: jamf_compliance_reporter.log.attributes.owner.group.id - type: string - ignore_failure: true - - rename: - field: json.attributes.owner_group_name - target_field: jamf_compliance_reporter.log.attributes.owner.group.name - ignore_missing: true - - convert: - field: json.attributes.owner_user_id - type: string - ignore_failure: true - - append: - field: user.id - value: '{{{json.attributes.owner_user_id}}}' - if: ctx.json?.attributes?.owner_user_id != null - allow_duplicates: false - ignore_failure: true - - append: - field: user.name - value: '{{{json.attributes.owner_user_name}}}' - if: ctx.json?.attributes?.owner_user_name != null - allow_duplicates: false - ignore_failure: true - - append: - field: related.user - value: '{{{json.attributes.owner_user_name}}}' - if: ctx.json?.attributes?.owner_user_name != null - allow_duplicates: false - ignore_failure: true - - convert: - 
field: json.arguments.flags - target_field: jamf_compliance_reporter.log.arguments.flags - type: string - ignore_failure: true - - script: - description: Convert Decimal into Octal. - lang: painless - source: | - int temp = (int)ctx.json?.file_access_mode; - ctx.jamf_compliance_reporter.log.attributes.file.access_mode = Integer.toOctalString(temp); diff --git a/packages/jamf_compliance_reporter/0.2.1/data_stream/log/elasticsearch/ingest_pipeline/pipeline_aue_pidfortask.yml b/packages/jamf_compliance_reporter/0.2.1/data_stream/log/elasticsearch/ingest_pipeline/pipeline_aue_pidfortask.yml deleted file mode 100755 index 0706845a5d..0000000000 --- a/packages/jamf_compliance_reporter/0.2.1/data_stream/log/elasticsearch/ingest_pipeline/pipeline_aue_pidfortask.yml +++ /dev/null @@ -1,13 +0,0 @@ ---- -description: Pipeline for Jamf Compliance Reporter aue_pidfortask audit logs. -processors: - - convert: - field: json.arguments.pid - target_field: jamf_compliance_reporter.log.arguments.pid - type: long - ignore_failure: true - - convert: - field: json.arguments.port - target_field: jamf_compliance_reporter.log.arguments.port - type: long - ignore_failure: true diff --git a/packages/jamf_compliance_reporter/0.2.1/data_stream/log/elasticsearch/ingest_pipeline/pipeline_aue_posix_spawn.yml b/packages/jamf_compliance_reporter/0.2.1/data_stream/log/elasticsearch/ingest_pipeline/pipeline_aue_posix_spawn.yml deleted file mode 100755 index e24258d8b8..0000000000 --- a/packages/jamf_compliance_reporter/0.2.1/data_stream/log/elasticsearch/ingest_pipeline/pipeline_aue_posix_spawn.yml +++ /dev/null 
@@ -1,43 +0,0 @@ ---- -description: Pipeline for Jamf Compliance Reporter aue_posix_spawn audit logs. -processors: - - convert: - field: json.arguments.child_PID - target_field: jamf_compliance_reporter.log.arguments.child.pid - type: long - ignore_failure: true - - rename: - field: json.exec_args.args - target_field: json.args - ignore_missing: true - - rename: - field: json.exec_args.args_compiled - target_field: jamf_compliance_reporter.log.exec_args.args_compiled - ignore_missing: true - - rename: - field: json.exec_env.env.XPC_FLAGS - target_field: jamf_compliance_reporter.log.exec_env.env.xpc.flags - ignore_missing: true - - rename: - field: json.exec_env.env_compiled - target_field: jamf_compliance_reporter.log.exec_env.env.compiled - ignore_missing: true - - rename: - field: json.path - target_field: jamf_compliance_reporter.log.path - ignore_missing: true - - rename: - field: json.exec_chain_parent.uuid - target_field: jamf_compliance_reporter.log.exec_chain_parent.uuid - ignore_missing: true - - script: - description: Convert Object into Array. - lang: painless - source: | - def args_list = new ArrayList(); - ctx.process.args = args_list; - for (Map.Entry m : ctx.json?.args.entrySet()) { - ctx.process?.args.add(m.getValue()); - } - - pipeline: - name: '{{ IngestPipeline "pipeline_identity_object" }}' diff --git a/packages/jamf_compliance_reporter/0.2.1/data_stream/log/elasticsearch/ingest_pipeline/pipeline_aue_ptrace.yml b/packages/jamf_compliance_reporter/0.2.1/data_stream/log/elasticsearch/ingest_pipeline/pipeline_aue_ptrace.yml deleted file mode 100755 index b1619bc388..0000000000 --- a/packages/jamf_compliance_reporter/0.2.1/data_stream/log/elasticsearch/ingest_pipeline/pipeline_aue_ptrace.yml +++ /dev/null 
@@ -1,27 +0,0 @@ ---- -description: Pipeline for Jamf Compliance Reporter aue_ptrace audit logs. -processors: - - convert: - field: json.arguments.addr - target_field: jamf_compliance_reporter.log.arguments.addr - type: string - ignore_failure: true - - convert: - field: json.arguments.data - target_field: jamf_compliance_reporter.log.arguments.data - type: string - ignore_failure: true - - convert: - field: json.arguments.process - target_field: jamf_compliance_reporter.log.arguments.process - type: string - ignore_failure: true - - convert: - field: json.arguments.request - target_field: jamf_compliance_reporter.log.arguments.request - type: string - ignore_failure: true - - pipeline: - name: '{{ IngestPipeline "pipeline_exec_chain_child_object" }}' - - pipeline: - name: '{{ IngestPipeline "pipeline_identity_object" }}' diff --git a/packages/jamf_compliance_reporter/0.2.1/data_stream/log/elasticsearch/ingest_pipeline/pipeline_aue_remove_from_group_and_aue_mac_set_proc.yml b/packages/jamf_compliance_reporter/0.2.1/data_stream/log/elasticsearch/ingest_pipeline/pipeline_aue_remove_from_group_and_aue_mac_set_proc.yml deleted file mode 100755 index d2aec94964..0000000000 --- a/packages/jamf_compliance_reporter/0.2.1/data_stream/log/elasticsearch/ingest_pipeline/pipeline_aue_remove_from_group_and_aue_mac_set_proc.yml +++ /dev/null @@ -1,11 +0,0 @@ ---- -description: Pipeline for Jamf Compliance Reporter aue_remove_from_group and aue_mac_set_proc audit logs. -processors: - - rename: - field: json.texts - target_field: jamf_compliance_reporter.log.texts - ignore_missing: true - - pipeline: - name: '{{ IngestPipeline "pipeline_exec_chain_child_object" }}' - - pipeline: - name: '{{ IngestPipeline "pipeline_identity_object" }}' 
diff --git a/packages/jamf_compliance_reporter/0.2.1/data_stream/log/elasticsearch/ingest_pipeline/pipeline_aue_session.yml b/packages/jamf_compliance_reporter/0.2.1/data_stream/log/elasticsearch/ingest_pipeline/pipeline_aue_session.yml deleted file mode 100755 index 229090e3cb..0000000000 --- a/packages/jamf_compliance_reporter/0.2.1/data_stream/log/elasticsearch/ingest_pipeline/pipeline_aue_session.yml +++ /dev/null @@ -1,18 +0,0 @@ ---- -description: Pipeline for Jamf Compliance Reporter aue_session_start, aue_session_end, aue_session_update and aue_session_close audit logs. -processors: - - convert: - field: json.arguments.am_failure - target_field: jamf_compliance_reporter.log.arguments.am_failure - type: string - ignore_failure: true - - convert: - field: json.arguments.am_success - target_field: jamf_compliance_reporter.log.arguments.am_success - type: string - ignore_failure: true - - convert: - field: json.arguments.sflags - target_field: jamf_compliance_reporter.log.arguments.sflags - type: string - ignore_failure: true diff --git a/packages/jamf_compliance_reporter/0.2.1/data_stream/log/elasticsearch/ingest_pipeline/pipeline_aue_setpriority.yml b/packages/jamf_compliance_reporter/0.2.1/data_stream/log/elasticsearch/ingest_pipeline/pipeline_aue_setpriority.yml deleted file mode 100755 index 4cc69459f7..0000000000 --- a/packages/jamf_compliance_reporter/0.2.1/data_stream/log/elasticsearch/ingest_pipeline/pipeline_aue_setpriority.yml +++ /dev/null 
@@ -1,20 +0,0 @@ ---- -description: Pipeline for Jamf Compliance Reporter aue_setpriority audit logs. -processors: - - pipeline: - name: '{{ IngestPipeline "pipeline_identity_object" }}' - - convert: - field: json.arguments.priority - target_field: jamf_compliance_reporter.log.arguments.priority - type: long - ignore_failure: true - - convert: - field: json.arguments.which - target_field: jamf_compliance_reporter.log.arguments.which - type: string - ignore_failure: true - - convert: - field: json.arguments.who - target_field: jamf_compliance_reporter.log.arguments.who - type: string - ignore_failure: true diff --git a/packages/jamf_compliance_reporter/0.2.1/data_stream/log/elasticsearch/ingest_pipeline/pipeline_aue_socketpair.yml b/packages/jamf_compliance_reporter/0.2.1/data_stream/log/elasticsearch/ingest_pipeline/pipeline_aue_socketpair.yml deleted file mode 100755 index ba06557378..0000000000 --- a/packages/jamf_compliance_reporter/0.2.1/data_stream/log/elasticsearch/ingest_pipeline/pipeline_aue_socketpair.yml +++ /dev/null @@ -1,20 +0,0 @@ ---- -description: Pipeline for Jamf Compliance Reporter aue_socketpair audit logs. -processors: - - pipeline: - name: '{{ IngestPipeline "pipeline_identity_object" }}' - - convert: - field: json.arguments.domain - target_field: jamf_compliance_reporter.log.arguments.domain - type: string - ignore_failure: true - - convert: - field: json.arguments.protocol - target_field: jamf_compliance_reporter.log.arguments.protocol - type: string - ignore_failure: true - - convert: - field: json.arguments.type - target_field: jamf_compliance_reporter.log.arguments.type - type: string - ignore_failure: true diff --git a/packages/jamf_compliance_reporter/0.2.1/data_stream/log/elasticsearch/ingest_pipeline/pipeline_aue_ssauthint.yml b/packages/jamf_compliance_reporter/0.2.1/data_stream/log/elasticsearch/ingest_pipeline/pipeline_aue_ssauthint.yml deleted file mode 100755 index 3dcffd8209..0000000000 
--- a/packages/jamf_compliance_reporter/0.2.1/data_stream/log/elasticsearch/ingest_pipeline/pipeline_aue_ssauthint.yml +++ /dev/null @@ -1,18 +0,0 @@ ---- -description: Pipeline for Jamf Compliance Reporter aue_ssauthint audit logs. -processors: - - pipeline: - name: '{{ IngestPipeline "pipeline_identity_object" }}' - - rename: - field: json.texts - target_field: jamf_compliance_reporter.log.texts - ignore_missing: true - - convert: - field: json.arguments.known_UID_ - target_field: jamf_compliance_reporter.log.arguments.known_uid - type: string - ignore_failure: true - - rename: - field: json.arguments - target_field: jamf_compliance_reporter.log.arguments.flattened - ignore_missing: true diff --git a/packages/jamf_compliance_reporter/0.2.1/data_stream/log/elasticsearch/ingest_pipeline/pipeline_aue_taskforpid.yml b/packages/jamf_compliance_reporter/0.2.1/data_stream/log/elasticsearch/ingest_pipeline/pipeline_aue_taskforpid.yml deleted file mode 100755 index cb45801240..0000000000 --- a/packages/jamf_compliance_reporter/0.2.1/data_stream/log/elasticsearch/ingest_pipeline/pipeline_aue_taskforpid.yml +++ /dev/null @@ -1,15 +0,0 @@ ---- -description: Pipeline for Jamf Compliance Reporter aue_taskforpid audit logs. -processors: - - convert: - field: json.arguments.target_port - target_field: jamf_compliance_reporter.log.arguments.target.port - type: long - ignore_failure: true - - convert: - field: json.arguments.task_port - target_field: jamf_compliance_reporter.log.arguments.task.port - type: long - ignore_failure: true - - pipeline: - name: '{{ IngestPipeline "pipeline_process_object" }}' diff --git a/packages/jamf_compliance_reporter/0.2.1/data_stream/log/elasticsearch/ingest_pipeline/pipeline_aue_tasknameforpid.yml b/packages/jamf_compliance_reporter/0.2.1/data_stream/log/elasticsearch/ingest_pipeline/pipeline_aue_tasknameforpid.yml deleted file mode 100755 index 1dee934f4d..0000000000 
--- a/packages/jamf_compliance_reporter/0.2.1/data_stream/log/elasticsearch/ingest_pipeline/pipeline_aue_tasknameforpid.yml +++ /dev/null @@ -1,18 +0,0 @@ ---- -description: Pipeline for Jamf Compliance Reporter aue_tasknameforpid audit logs. -processors: - - convert: - field: json.arguments.process - target_field: jamf_compliance_reporter.log.arguments.process - type: string - ignore_failure: true - - convert: - field: json.arguments.target_port - target_field: jamf_compliance_reporter.log.arguments.target.port - type: long - ignore_failure: true - - convert: - field: json.arguments.task_port - target_field: jamf_compliance_reporter.log.arguments.task.port - type: long - ignore_failure: true diff --git a/packages/jamf_compliance_reporter/0.2.1/data_stream/log/elasticsearch/ingest_pipeline/pipeline_aue_unmount.yml b/packages/jamf_compliance_reporter/0.2.1/data_stream/log/elasticsearch/ingest_pipeline/pipeline_aue_unmount.yml deleted file mode 100755 index 3b0868ae8d..0000000000 --- a/packages/jamf_compliance_reporter/0.2.1/data_stream/log/elasticsearch/ingest_pipeline/pipeline_aue_unmount.yml +++ /dev/null 
@@ -1,67 +0,0 @@ ---- -description: Pipeline for Jamf Compliance Reporter aue_unmount audit logs. -processors: - - pipeline: - name: '{{ IngestPipeline "pipeline_identity_object" }}' - - pipeline: - name: '{{ IngestPipeline "pipeline_exec_chain_child_object" }}' - - rename: - field: json.path - target_field: jamf_compliance_reporter.log.path - ignore_missing: true - - convert: - field: json.attributes.device - target_field: jamf_compliance_reporter.log.attributes.device - type: string - ignore_failure: true - - rename: - field: json.attributes.file_access_mode - target_field: json.file_access_mode - ignore_missing: true - - convert: - field: json.attributes.file_system_id - target_field: jamf_compliance_reporter.log.attributes.file.system.id - type: string - ignore_failure: true - - convert: - field: json.attributes.node_id - target_field: jamf_compliance_reporter.log.attributes.node.id - type: string - ignore_failure: true - - convert: - field: json.attributes.owner_group_id - target_field: jamf_compliance_reporter.log.attributes.owner.group.id - type: string - ignore_failure: true - - rename: - field: json.attributes.owner_group_name - target_field: jamf_compliance_reporter.log.attributes.owner.group.name - ignore_missing: true - - convert: - field: json.attributes.owner_user_id - type: string - ignore_failure: true - - append: - field: user.id - value: '{{{json.attributes.owner_user_id}}}' - if: ctx.json?.attributes?.owner_user_id != null - allow_duplicates: false - ignore_failure: true - - append: - field: user.name - value: '{{{json.attributes.owner_user_name}}}' - if: ctx.json?.attributes?.owner_user_name != null - allow_duplicates: false - ignore_failure: true - - append: - field: related.user - value: '{{{json.attributes.owner_user_name}}}' - if: ctx.json?.attributes?.owner_user_name != null - allow_duplicates: false - ignore_failure: true - - script: - description: Convert Decimal into Octal. 
- lang: painless - source: | - int temp = (int)ctx.json?.file_access_mode; - ctx.jamf_compliance_reporter.log.attributes.file.access_mode = Integer.toOctalString(temp); \ No newline at end of file diff --git a/packages/jamf_compliance_reporter/0.2.1/data_stream/log/elasticsearch/ingest_pipeline/pipeline_aue_wait4.yml b/packages/jamf_compliance_reporter/0.2.1/data_stream/log/elasticsearch/ingest_pipeline/pipeline_aue_wait4.yml deleted file mode 100755 index 213645f763..0000000000 --- a/packages/jamf_compliance_reporter/0.2.1/data_stream/log/elasticsearch/ingest_pipeline/pipeline_aue_wait4.yml +++ /dev/null @@ -1,10 +0,0 @@ ---- -description: Pipeline for Jamf Compliance Reporter aue_wait4 audit logs. -processors: - - convert: - field: json.arguments.pid - target_field: process.pid - type: long - ignore_failure: true - - pipeline: - name: '{{ IngestPipeline "pipeline_identity_object" }}' diff --git a/packages/jamf_compliance_reporter/0.2.1/data_stream/log/elasticsearch/ingest_pipeline/pipeline_compliance_reporter_tamper_event_and_file_event_info.yml b/packages/jamf_compliance_reporter/0.2.1/data_stream/log/elasticsearch/ingest_pipeline/pipeline_compliance_reporter_tamper_event_and_file_event_info.yml deleted file mode 100755 index 05aff4b36f..0000000000 --- a/packages/jamf_compliance_reporter/0.2.1/data_stream/log/elasticsearch/ingest_pipeline/pipeline_compliance_reporter_tamper_event_and_file_event_info.yml +++ /dev/null 
@@ -1,137 +0,0 @@ ---- -description: Pipeline for Jamf Compliance Reporter temper event and file event info event logs. -processors: - - convert: - field: json.file_event_info.eventid_wrapped - target_field: jamf_compliance_reporter.log.file_event_info.eventid_wrapped - type: boolean - ignore_failure: true - - rename: - field: json.file_event_info.hash - target_field: file.hash.sha1 - ignore_missing: true - - append: - field: related.hash - value: '{{{file.hash.sha1}}}' - if: ctx.file?.hash?.sha1 != null - allow_duplicates: false - ignore_failure: true - - convert: - field: json.file_event_info.history_done - target_field: jamf_compliance_reporter.log.file_event_info.history_done - type: boolean - ignore_failure: true - - convert: - field: json.file_event_info.item_change_owner - target_field: jamf_compliance_reporter.log.file_event_info.item.change_owner - type: boolean - ignore_failure: true - - convert: - field: json.file_event_info.item_cloned - target_field: jamf_compliance_reporter.log.file_event_info.item.cloned - type: boolean - ignore_failure: true - - convert: - field: json.file_event_info.item_created - target_field: jamf_compliance_reporter.log.file_event_info.item.created - type: boolean - ignore_failure: true - - convert: - field: json.file_event_info.item_extended_attribute_modified - target_field: jamf_compliance_reporter.log.file_event_info.item.extended_attribute_modified - type: boolean - ignore_failure: true - - convert: - field: json.file_event_info.item_finder_info_modified - target_field: jamf_compliance_reporter.log.file_event_info.item.finder_info_modified - type: boolean - ignore_failure: true - - convert: - field: json.file_event_info.item_inode_metadata_modified - target_field: jamf_compliance_reporter.log.file_event_info.item.inode_metadata_modified - type: boolean - ignore_failure: true - - convert: - field: json.file_event_info.item_is_directory - target_field: jamf_compliance_reporter.log.file_event_info.item.is_directory - type: 
boolean - ignore_failure: true - - convert: - field: json.file_event_info.item_is_file - target_field: jamf_compliance_reporter.log.file_event_info.item.is_file - type: boolean - ignore_failure: true - - convert: - field: json.file_event_info.item_is_hard_link - target_field: jamf_compliance_reporter.log.file_event_info.item.is_hard_link - type: boolean - ignore_failure: true - - convert: - field: json.file_event_info.item_is_last_hard_link - target_field: jamf_compliance_reporter.log.file_event_info.item.is_last_hard_link - type: boolean - ignore_failure: true - - convert: - field: json.file_event_info.item_is_sym_link - target_field: jamf_compliance_reporter.log.file_event_info.item.is_sym_link - type: boolean - ignore_failure: true - - convert: - field: json.file_event_info.item_removed - target_field: jamf_compliance_reporter.log.file_event_info.item.removed - type: boolean - ignore_failure: true - - convert: - field: json.file_event_info.item_renamed - target_field: jamf_compliance_reporter.log.file_event_info.item.renamed - type: boolean - ignore_failure: true - - convert: - field: json.file_event_info.item_updated - target_field: jamf_compliance_reporter.log.file_event_info.item.updated - type: boolean - ignore_failure: true - - convert: - field: json.file_event_info.kernel_dropped - target_field: jamf_compliance_reporter.log.file_event_info.kernel_dropped - type: boolean - ignore_failure: true - - convert: - field: json.file_event_info.mount - target_field: jamf_compliance_reporter.log.file_event_info.mount - type: boolean - ignore_failure: true - - convert: - field: json.file_event_info.must_scan_sub_dir - target_field: jamf_compliance_reporter.log.file_event_info.must_scan_sub_dir - type: boolean - ignore_failure: true - - convert: - field: json.file_event_info.none - target_field: jamf_compliance_reporter.log.file_event_info.none - type: boolean - ignore_failure: true - - convert: - field: json.file_event_info.own_event - target_field: 
jamf_compliance_reporter.log.file_event_info.own_event - type: boolean - ignore_failure: true - - rename: - field: json.file_event_info.path - target_field: file.path - ignore_missing: true - - convert: - field: json.file_event_info.root_changed - target_field: jamf_compliance_reporter.log.file_event_info.root_changed - type: boolean - ignore_failure: true - - convert: - field: json.file_event_info.unmount - target_field: jamf_compliance_reporter.log.file_event_info.unmount - type: boolean - ignore_failure: true - - convert: - field: json.file_event_info.user_dropped - target_field: jamf_compliance_reporter.log.file_event_info.user_dropped - type: boolean - ignore_failure: true diff --git a/packages/jamf_compliance_reporter/0.2.1/data_stream/log/elasticsearch/ingest_pipeline/pipeline_event.yml b/packages/jamf_compliance_reporter/0.2.1/data_stream/log/elasticsearch/ingest_pipeline/pipeline_event.yml deleted file mode 100755 index d0e84b970c..0000000000 --- a/packages/jamf_compliance_reporter/0.2.1/data_stream/log/elasticsearch/ingest_pipeline/pipeline_event.yml +++ /dev/null 
@@ -1,122 +0,0 @@
----
-description: Pipeline for Jamf Compliance Reporter event logs.
-processors:
- - set:
- field: event.kind
- value: event
- - set:
- field: jamf_compliance_reporter.log.dataset
- value: event
- - set:
- field: event.category
- value: [process]
- - set:
- field: host.os.type
- value: macos
- - set:
- field: event.type
- value: [info]
- if: '!["UNIFIED_LOG_EVENT","XPROTECT_EVENT_LOG"].contains(ctx.json.header.event_name)'
- - convert:
- field: json._event_score
- target_field: jamf_compliance_reporter.log.event_score
- type: long
- ignore_failure: true
- - rename:
- field: json.header.event_name
- target_field: event.action
- ignore_missing: true
- - lowercase:
- field: event.action
- ignore_missing: true
- - date:
- field: json.header.time_seconds_epoch
- if: ctx.json?.header?.time_seconds_epoch != 0
- ignore_failure: true
- formats:
- - UNIX
- - rename:
- field: json.host_info.host_name
- target_field: host.hostname
- ignore_missing: true
- - append:
- field: related.hosts
- value: '{{{host.hostname}}}'
- if: ctx.host?.hostname != null
- allow_duplicates: false
- ignore_failure: true
- - rename:
- field: json.host_info.host_uuid
- target_field: jamf_compliance_reporter.log.host_info.host.uuid
- ignore_missing: true
- - rename:
- field: json.host_info.osversion
- target_field: host.os.version
- ignore_missing: true
- - append:
- field: host.mac
- value: '{{{json.host_info.primary_mac_address}}}'
- if: ctx.json?.host_info?.primary_mac_address != null
- allow_duplicates: false
- ignore_failure: true
- - gsub:
- field: host.mac
- pattern: '[-:.]'
- replacement: '-'
- ignore_missing: true
- - uppercase:
- field: host.mac
- ignore_missing: true
- - rename:
- field: json.host_info.serial_number
- target_field: host.id
- ignore_missing: true
- - pipeline:
- name: '{{ IngestPipeline "pipeline_audio_video_device_event" }}'
- if: ctx.event?.action == 'audio_video_device_event'
- - pipeline:
- name: '{{ IngestPipeline "pipeline_audit_class_verification_event" }}'
- if: ctx.event?.action == 'audit_class_verification_event'
- - pipeline:
- name: '{{ IngestPipeline "pipeline_compliance_reporter_tamper_event_and_file_event_info" }}'
- if: '["compliance_reporter_tamper_event", "file_event"].contains(ctx.event?.action)'
- - pipeline:
- name: '{{ IngestPipeline "pipeline_gatekeeper_info_event" }}'
- if: ctx.event?.action == 'gatekeeper_info_event'
- - pipeline:
- name: '{{ IngestPipeline "pipeline_gatekeeper_manual_overrides" }}'
- if: ctx.event?.action == 'gatekeeper_manual_overrides'
- - pipeline:
- name: '{{ IngestPipeline "pipeline_gatekeeper_quarantine_log" }}'
- if: ctx.event?.action == 'gatekeeper_quarantine_log'
- - pipeline:
- name: '{{ IngestPipeline "pipeline_hardware_event" }}'
- if: ctx.event?.action == 'hardware_event'
- - pipeline:
- name: '{{ IngestPipeline "pipeline_license_info_event" }}'
- if: ctx.event?.action == 'license_info_event'
- - pipeline:
- name: '{{ IngestPipeline "pipeline_preference_list_event" }}'
- if: ctx.event?.action == 'preference_list_event'
- - pipeline:
- name: '{{ IngestPipeline "pipeline_print_event_information" }}'
- if: ctx.event?.action == 'print_event_information'
- - pipeline:
- name: '{{ IngestPipeline "pipeline_prohibited_app_blocked" }}'
- if: ctx.event?.action == 'prohibited_app_blocked'
- - pipeline:
- name: '{{ IngestPipeline "pipeline_signal_event" }}'
- if: ctx.event?.action == 'signal_event'
- - pipeline:
- name: '{{ IngestPipeline "pipeline_unified_log_event" }}'
- if: ctx.event?.action == 'unified_log_event'
- - pipeline:
- name: '{{ IngestPipeline "pipeline_xprotect_definitions_version_info" }}'
- if: ctx.event?.action == 'xprotect_definitions_version_info'
- - pipeline:
- name: '{{ IngestPipeline "pipeline_xprotect_event_log" }}'
- if: ctx.event?.action == 'xprotect_event_log'
-on_failure:
- - set:
- field: error.message
- value: '{{ _ingest.on_failure_message }}'
diff --git a/packages/jamf_compliance_reporter/0.2.1/data_stream/log/elasticsearch/ingest_pipeline/pipeline_exec_chain_child_object.yml b/packages/jamf_compliance_reporter/0.2.1/data_stream/log/elasticsearch/ingest_pipeline/pipeline_exec_chain_child_object.yml
deleted file mode 100755
index 1cb2fe2337..0000000000
--- a/packages/jamf_compliance_reporter/0.2.1/data_stream/log/elasticsearch/ingest_pipeline/pipeline_exec_chain_child_object.yml
+++ /dev/null
@@ -1,16 +0,0 @@
----
-description: Pipeline for Jamf Compliance Reporter exec_chain_child_object audit logs.
-processors:
- - rename:
- field: json.exec_chain_child.parent_path
- target_field: jamf_compliance_reporter.log.exec_chain_child.parent.path
- ignore_missing: true
- - convert:
- field: json.exec_chain_child.parent_pid
- target_field: process.parent.pid
- type: long
- ignore_failure: true
- - rename:
- field: json.exec_chain_child.parent_uuid
- target_field: jamf_compliance_reporter.log.exec_chain_child.parent.uuid
- ignore_missing: true
diff --git a/packages/jamf_compliance_reporter/0.2.1/data_stream/log/elasticsearch/ingest_pipeline/pipeline_gatekeeper_info_event.yml b/packages/jamf_compliance_reporter/0.2.1/data_stream/log/elasticsearch/ingest_pipeline/pipeline_gatekeeper_info_event.yml
deleted file mode 100755
index 4d8099ec26..0000000000
--- a/packages/jamf_compliance_reporter/0.2.1/data_stream/log/elasticsearch/ingest_pipeline/pipeline_gatekeeper_info_event.yml
+++ /dev/null
@@ -1,21 +0,0 @@
----
-description: Pipeline for Jamf Compliance Reporter gatekeeper info event logs.
-processors:
- - convert:
- field: json.event_attributes.assessments_enabled
- target_field: jamf_compliance_reporter.log.event_attributes.assessments_enabled
- type: long
- ignore_failure: true
- - convert:
- field: json.event_attributes.dev_id_enabled
- target_field: jamf_compliance_reporter.log.event_attributes.dev_id_enabled
- type: long
- ignore_failure: true
- - rename:
- field: json.event_attributes.opaque_version
- target_field: jamf_compliance_reporter.log.event_attributes.opaque_version
- ignore_missing: true
- - rename:
- field: json.event_attributes.version
- target_field: jamf_compliance_reporter.log.event_attributes.version
- ignore_missing: true
diff --git a/packages/jamf_compliance_reporter/0.2.1/data_stream/log/elasticsearch/ingest_pipeline/pipeline_gatekeeper_manual_overrides.yml b/packages/jamf_compliance_reporter/0.2.1/data_stream/log/elasticsearch/ingest_pipeline/pipeline_gatekeeper_manual_overrides.yml
deleted file mode 100755
index 5857e248d4..0000000000
--- a/packages/jamf_compliance_reporter/0.2.1/data_stream/log/elasticsearch/ingest_pipeline/pipeline_gatekeeper_manual_overrides.yml
+++ /dev/null
@@ -1,29 +0,0 @@
----
-description: Pipeline for Jamf Compliance Reporter gatekeeper manual overrides event logs.
-processors:
- - foreach:
- field: json.event_attributes.attributes
- processor:
- date:
- field: _ingest._value.ctime
- target_field: _ingest._value.ctime
- ignore_failure: true
- formats:
- - UNIX
- - foreach:
- field: json.event_attributes.attributes
- processor:
- date:
- field: _ingest._value.mtime
- target_field: _ingest._value.mtime
- ignore_failure: true
- formats:
- - UNIX
- - rename:
- field: json.event_attributes.attributes
- target_field: jamf_compliance_reporter.log.event_attributes.attributes
- ignore_missing: true
- - rename:
- field: json.event_attributes.path
- target_field: jamf_compliance_reporter.log.event_attributes.path
- ignore_missing: true
diff --git a/packages/jamf_compliance_reporter/0.2.1/data_stream/log/elasticsearch/ingest_pipeline/pipeline_gatekeeper_quarantine_log.yml b/packages/jamf_compliance_reporter/0.2.1/data_stream/log/elasticsearch/ingest_pipeline/pipeline_gatekeeper_quarantine_log.yml
deleted file mode 100755
index d46de09adf..0000000000
--- a/packages/jamf_compliance_reporter/0.2.1/data_stream/log/elasticsearch/ingest_pipeline/pipeline_gatekeeper_quarantine_log.yml
+++ /dev/null
@@ -1,61 +0,0 @@
----
-description: Pipeline for Jamf Compliance Reporter gatekeeper quarantine event logs.
-processors:
- - foreach:
- field: json.event_attributes.attributes
- processor:
- rename:
- field: _ingest._value.QuarantineAgentBundleIdentifier
- target_field: _ingest._value.quarantine.agent_bundle_identifier
- ignore_failure: true
- - foreach:
- field: json.event_attributes.attributes
- processor:
- rename:
- field: _ingest._value.QuarantineAgentName
- target_field: _ingest._value.quarantine.agent_name
- ignore_failure: true
- - foreach:
- field: json.event_attributes.attributes
- processor:
- rename:
- field: _ingest._value.QuarantineDataURLString
- target_field: _ingest._value.quarantine.data_url_string
- ignore_failure: true
- - foreach:
- field: json.event_attributes.attributes
- processor:
- rename:
- field: _ingest._value.QuarantineEventIdentifier
- target_field: _ingest._value.quarantine.event_identifier
- ignore_failure: true
- - foreach:
- field: json.event_attributes.attributes
- processor:
- rename:
- field: _ingest._value.QuarantineOriginURLString
- target_field: _ingest._value.quarantine.origin_url_string
- ignore_failure: true
- - foreach:
- field: json.event_attributes.attributes
- processor:
- date:
- field: _ingest._value.QuarantineTimeStamp
- target_field: _ingest._value.quarantine.timestamp
- ignore_failure: true
- formats:
- - UNIX
- - foreach:
- field: json.event_attributes.attributes
- processor:
- remove:
- field: _ingest._value.QuarantineTimeStamp
- ignore_failure: true
- - rename:
- field: json.event_attributes.attributes
- target_field: jamf_compliance_reporter.log.event_attributes.attributes
- ignore_missing: true
- - rename:
- field: json.event_attributes.path
- target_field: jamf_compliance_reporter.log.event_attributes.path
- ignore_missing: true
diff --git a/packages/jamf_compliance_reporter/0.2.1/data_stream/log/elasticsearch/ingest_pipeline/pipeline_hardware_event.yml b/packages/jamf_compliance_reporter/0.2.1/data_stream/log/elasticsearch/ingest_pipeline/pipeline_hardware_event.yml
deleted file mode 100755
index dce94ced8e..0000000000
--- a/packages/jamf_compliance_reporter/0.2.1/data_stream/log/elasticsearch/ingest_pipeline/pipeline_hardware_event.yml
+++ /dev/null
@@ -1,65 +0,0 @@
----
-description: Pipeline for Jamf Compliance Reporter hardware event logs.
-processors:
- - rename:
- field: json.hardware_event_info.device_attributes.IOCFPlugInTypes
- target_field: jamf_compliance_reporter.log.hardware_event_info.device_attributes.io.cf_plugin_types
- ignore_missing: true
- - rename:
- field: json.hardware_event_info.device_attributes.IOClassNameOverride
- target_field: jamf_compliance_reporter.log.hardware_event_info.device_attributes.io.class_name_override
- ignore_missing: true
- - convert:
- field: json.hardware_event_info.device_attributes.IOPowerManagement.CapabilityFlags
- target_field: jamf_compliance_reporter.log.hardware_event_info.device_attributes.io.power_management.capability_flags
- type: string
- ignore_failure: true
- - convert:
- field: json.hardware_event_info.device_attributes.IOPowerManagement.CurrentPowerState
- target_field: jamf_compliance_reporter.log.hardware_event_info.device_attributes.io.power_management.current_power_state
- type: long
- ignore_failure: true
- - convert:
- field: json.hardware_event_info.device_attributes.IOPowerManagement.DevicePowerState
- target_field: jamf_compliance_reporter.log.hardware_event_info.device_attributes.io.power_management.device_power_state
- type: long
- ignore_failure: true
- - convert:
- field: json.hardware_event_info.device_attributes.IOPowerManagement.DriverPowerState
- target_field: jamf_compliance_reporter.log.hardware_event_info.device_attributes.io.power_management.driver_power_state
- type: long
- ignore_failure: true
- - convert:
- field: json.hardware_event_info.device_attributes.IOPowerManagement.MaxPowerState
- target_field: jamf_compliance_reporter.log.hardware_event_info.device_attributes.io.power_management.max_power_state
- type: long
- ignore_failure: true
- - rename:
- field: json.hardware_event_info.device_attributes.Removable
- target_field: jamf_compliance_reporter.log.hardware_event_info.device_attributes.removable
- ignore_missing: true
- - rename:
- field: json.hardware_event_info.device_attributes.USB Product Name
- target_field: jamf_compliance_reporter.log.hardware_event_info.device_attributes.usb.product_name
- ignore_missing: true
- - rename:
- field: json.hardware_event_info.device_attributes.USB Vendor Name
- target_field: jamf_compliance_reporter.log.hardware_event_info.device_attributes.usb.vendor_name
- ignore_missing: true
- - convert:
- field: json.hardware_event_info.device_attributes.iSerialNumber
- target_field: jamf_compliance_reporter.log.hardware_event_info.device_attributes.iserial_number
- type: long
- ignore_failure: true
- - rename:
- field: json.hardware_event_info.device_class
- target_field: jamf_compliance_reporter.log.hardware_event_info.device.class
- ignore_missing: true
- - rename:
- field: json.hardware_event_info.device_name
- target_field: jamf_compliance_reporter.log.hardware_event_info.device.name
- ignore_missing: true
- - rename:
- field: json.hardware_event_info.device_status
- target_field: jamf_compliance_reporter.log.hardware_event_info.device.status
- ignore_missing: true
diff --git a/packages/jamf_compliance_reporter/0.2.1/data_stream/log/elasticsearch/ingest_pipeline/pipeline_identity_object.yml b/packages/jamf_compliance_reporter/0.2.1/data_stream/log/elasticsearch/ingest_pipeline/pipeline_identity_object.yml
deleted file mode 100755
index 0cc7f539ab..0000000000
--- a/packages/jamf_compliance_reporter/0.2.1/data_stream/log/elasticsearch/ingest_pipeline/pipeline_identity_object.yml
+++ /dev/null
@@ -1,36 +0,0 @@
----
-description: Pipeline for Jamf Compliance Reporter identity_object audit logs.
-processors:
- - rename:
- field: json.identity.cd_hash
- target_field: jamf_compliance_reporter.log.identity.cd_hash
- ignore_missing: true
- - append:
- field: related.hash
- value: '{{{jamf_compliance_reporter.log.identity.cd_hash}}}'
- if: ctx.jamf_compliance_reporter?.log?.identity?.cd_hash != null
- allow_duplicates: false
- ignore_failure: true
- - rename:
- field: json.identity.signer_id
- target_field: jamf_compliance_reporter.log.identity.signer.id
- ignore_missing: true
- - convert:
- field: json.identity.signer_id_truncated
- target_field: jamf_compliance_reporter.log.identity.signer.id_truncated
- type: string
- ignore_failure: true
- - convert:
- field: json.identity.signer_type
- target_field: jamf_compliance_reporter.log.identity.signer.type
- type: string
- ignore_failure: true
- - rename:
- field: json.identity.team_id
- target_field: jamf_compliance_reporter.log.identity.team.id
- ignore_missing: true
- - convert:
- field: json.identity.team_id_truncated
- target_field: jamf_compliance_reporter.log.identity.team.id_truncated
- type: string
- ignore_failure: true
diff --git a/packages/jamf_compliance_reporter/0.2.1/data_stream/log/elasticsearch/ingest_pipeline/pipeline_license_info_event.yml b/packages/jamf_compliance_reporter/0.2.1/data_stream/log/elasticsearch/ingest_pipeline/pipeline_license_info_event.yml
deleted file mode 100755
index 8df003bcbc..0000000000
--- a/packages/jamf_compliance_reporter/0.2.1/data_stream/log/elasticsearch/ingest_pipeline/pipeline_license_info_event.yml
+++ /dev/null
@@ -1,39 +0,0 @@
----
-description: Pipeline for Jamf Compliance Reporter license info event logs.
-processors:
- - rename:
- field: json.ComplianceReporter_license_info.email
- target_field: user.email
- ignore_missing: true
- - append:
- field: related.user
- value: '{{{user.email}}}'
- if: ctx.user?.email != null
- allow_duplicates: false
- ignore_failure: true
- - date:
- field: json.ComplianceReporter_license_info.expiration_date
- target_field: jamf_compliance_reporter.log.compliancereporter_license_info.expiration_date
- if: ctx.json?.compliancereporter_license_info?.expiration_date != 0
- ignore_failure: true
- formats:
- - dd/MM/yyyy
- - rename:
- field: json.ComplianceReporter_license_info.status
- target_field: jamf_compliance_reporter.log.compliancereporter_license_info.status
- ignore_missing: true
- - date:
- field: json.ComplianceReporter_license_info.time_seconds_epoch
- target_field: jamf_compliance_reporter.log.compliancereporter_license_info.time
- if: ctx.json?.compliancereporter_license_info?.time_seconds_epoch != '0'
- ignore_failure: true
- formats:
- - UNIX
- - rename:
- field: json.ComplianceReporter_license_info.type
- target_field: jamf_compliance_reporter.log.compliancereporter_license_info.type
- ignore_missing: true
- - rename:
- field: json.ComplianceReporter_license_info.version
- target_field: jamf_compliance_reporter.log.compliancereporter_license_info.version
- ignore_missing: true
diff --git a/packages/jamf_compliance_reporter/0.2.1/data_stream/log/elasticsearch/ingest_pipeline/pipeline_preference_list_event.yml b/packages/jamf_compliance_reporter/0.2.1/data_stream/log/elasticsearch/ingest_pipeline/pipeline_preference_list_event.yml
deleted file mode 100755
index 4cca6db043..0000000000
--- a/packages/jamf_compliance_reporter/0.2.1/data_stream/log/elasticsearch/ingest_pipeline/pipeline_preference_list_event.yml
+++ /dev/null
@@ -1,121 +0,0 @@
----
-description: Pipeline for Jamf Compliance Reporter preference list event logs.
-processors:
- - rename:
- field: json.event_attributes.AuditEventExcludedProcesses
- target_field: jamf_compliance_reporter.log.event_attributes.audit_event.excluded_processes
- ignore_missing: true
- - rename:
- field: json.event_attributes.AuditEventExcludedUsers
- target_field: jamf_compliance_reporter.log.event_attributes.audit_event.excluded_users
- ignore_missing: true
- - convert:
- field: json.event_attributes.AuditEventLogVerboseMessages
- target_field: jamf_compliance_reporter.log.event_attributes.audit_event_log_verbose_messages
- type: string
- ignore_failure: true
- - convert:
- field: json.event_attributes.AuditLevel
- target_field: jamf_compliance_reporter.log.event_attributes.audit_level
- type: long
- ignore_failure: true
- - rename:
- field: json.event_attributes.FileEventExclusionPaths
- target_field: jamf_compliance_reporter.log.event_attributes.file_event.exclusion_paths
- ignore_missing: true
- - rename:
- field: json.event_attributes.FileEventInclusionPaths
- target_field: jamf_compliance_reporter.log.event_attributes.file_event.inclusion_paths
- ignore_missing: true
- - convert:
- field: json.event_attributes.FileEventUseFuzzyMatch
- target_field: jamf_compliance_reporter.log.event_attributes.file_event.use_fuzzy_match
- type: long
- ignore_failure: true
- - rename:
- field: json.event_attributes.FileLicenseInfo.LicenseEmail
- target_field: user.email
- ignore_missing: true
- - append:
- field: related.user
- value: '{{{user.email}}}'
- if: ctx.user?.email != null
- allow_duplicates: false
- ignore_failure: true
- - date:
- field: json.event_attributes.FileLicenseInfo.LicenseExpirationDate
- target_field: jamf_compliance_reporter.log.event_attributes.file_license_info.license_expiration_date
- if: ctx.json?.event_attributes?.FileLicenseInfo?.LicenseExpirationDate != '0'
- ignore_failure: true
- formats:
- - dd/MM/yyyy
- - rename:
- field: json.event_attributes.FileLicenseInfo.LicenseKey
- target_field: jamf_compliance_reporter.log.event_attributes.file_license_info.license_key
- ignore_missing: true
- - rename:
- field: json.event_attributes.FileLicenseInfo.LicenseType
- target_field: jamf_compliance_reporter.log.event_attributes.file_license_info.license_type
- ignore_missing: true
- - rename:
- field: json.event_attributes.FileLicenseInfo.LicenseVersion
- target_field: jamf_compliance_reporter.log.event_attributes.file_license_info.license_version
- ignore_missing: true
- - rename:
- field: json.event_attributes.LogFileLocation
- target_field: jamf_compliance_reporter.log.event_attributes.log.file.location
- ignore_missing: true
- - convert:
- field: json.event_attributes.LogFileMaxNumberBackups
- target_field: jamf_compliance_reporter.log.event_attributes.log.file.max_number_backups
- type: long
- ignore_failure: true
- - convert:
- field: json.event_attributes.LogFileMaxSizeMegaBytes
- target_field: jamf_compliance_reporter.log.event_attributes.log.file.max_size_mega_bytes
- type: long
- ignore_failure: true
- - rename:
- field: json.event_attributes.LogFileOwnership
- target_field: jamf_compliance_reporter.log.event_attributes.log.file.ownership
- ignore_missing: true
- - rename:
- field: json.event_attributes.LogFilePermission
- target_field: jamf_compliance_reporter.log.event_attributes.log.file.permission
- ignore_missing: true
- - rename:
- field: json.event_attributes.LogRemoteEndpointEnabled
- target_field: jamf_compliance_reporter.log.event_attributes.log.remote_endpoint_enabled
- ignore_missing: true
- - rename:
- field: json.event_attributes.LogRemoteEndpointType
- target_field: jamf_compliance_reporter.log.event_attributes.log.remote_endpoint_type
- ignore_missing: true
- - rename:
- field: json.event_attributes.LogRemoteEndpointTypeAWSKinesis.AccessKeyId
- target_field: jamf_compliance_reporter.log.event_attributes.log.remote_endpoint_type_awskinesis.access_key_id
- ignore_missing: true
- - rename:
- field: json.event_attributes.LogRemoteEndpointTypeAWSKinesis.Region
- target_field: jamf_compliance_reporter.log.event_attributes.log.remote_endpoint_type_awskinesis.region
- ignore_missing: true
- - rename:
- field: json.event_attributes.LogRemoteEndpointTypeAWSKinesis.SecretKey
- target_field: jamf_compliance_reporter.log.event_attributes.log.remote_endpoint_type_awskinesis.secret_key
- ignore_missing: true
- - rename:
- field: json.event_attributes.LogRemoteEndpointTypeAWSKinesis.StreamName
- target_field: jamf_compliance_reporter.log.event_attributes.log.remote_endpoint_type_awskinesis.stream_name
- ignore_missing: true
- - rename:
- field: json.event_attributes.LogRemoteEndpointURL
- target_field: jamf_compliance_reporter.log.event_attributes.log.remote_endpoint_url
- ignore_missing: true
- - rename:
- field: json.event_attributes.UnifiedLogPredicates
- target_field: jamf_compliance_reporter.log.event_attributes.unified_log_predicates
- ignore_missing: true
- - rename:
- field: json.event_attributes.Version
- target_field: jamf_compliance_reporter.log.event_attributes.version
- ignore_missing: true
diff --git a/packages/jamf_compliance_reporter/0.2.1/data_stream/log/elasticsearch/ingest_pipeline/pipeline_print_event_information.yml b/packages/jamf_compliance_reporter/0.2.1/data_stream/log/elasticsearch/ingest_pipeline/pipeline_print_event_information.yml
deleted file mode 100755
index 0edf9b8b37..0000000000
--- a/packages/jamf_compliance_reporter/0.2.1/data_stream/log/elasticsearch/ingest_pipeline/pipeline_print_event_information.yml
+++ /dev/null
@@ -1,59 +0,0 @@
----
-description: Pipeline for Jamf Compliance Reporter print information event logs.
-processors:
- - date:
- field: json.event_attributes.job_completed_time
- target_field: jamf_compliance_reporter.log.event_attributes.job.completed_time
- if: ctx.json?.event_attributes?.job_completed_time != 0
- ignore_failure: true
- formats:
- - UNIX
- - date:
- field: json.event_attributes.job_creation_time
- target_field: jamf_compliance_reporter.log.event_attributes.job.creation_time
- if: ctx.json?.event_attributes?.job_creation_time != 0
- ignore_failure: true
- formats:
- - UNIX
- - rename:
- field: json.event_attributes.job_destination
- target_field: jamf_compliance_reporter.log.event_attributes.job.destination
- ignore_missing: true
- - rename:
- field: json.event_attributes.job_format
- target_field: jamf_compliance_reporter.log.event_attributes.job.format
- ignore_missing: true
- - convert:
- field: json.event_attributes.job_id
- target_field: jamf_compliance_reporter.log.event_attributes.job.id
- type: string
- ignore_failure: true
- - date:
- field: json.event_attributes.job_processing_time
- target_field: jamf_compliance_reporter.log.event_attributes.job.processing_time
- if: ctx.json?.event_attributes?.job_processing_time != 0
- ignore_failure: true
- formats:
- - UNIX
- - rename:
- field: json.event_attributes.job_size
- target_field: jamf_compliance_reporter.log.event_attributes.job.size
- ignore_missing: true
- - rename:
- field: json.event_attributes.job_state
- target_field: jamf_compliance_reporter.log.event_attributes.job.state
- ignore_missing: true
- - rename:
- field: json.event_attributes.job_title
- target_field: jamf_compliance_reporter.log.event_attributes.job.title
- ignore_missing: true
- - rename:
- field: json.event_attributes.job_user
- target_field: jamf_compliance_reporter.log.event_attributes.job.user
- ignore_missing: true
- - append:
- field: related.user
- value: '{{{jamf_compliance_reporter.log.event_attributes.job.user}}}'
- if: ctx.jamf_compliance_reporter?.log?.event_attributes?.job?.user != null
- allow_duplicates: false
- ignore_failure: true
diff --git a/packages/jamf_compliance_reporter/0.2.1/data_stream/log/elasticsearch/ingest_pipeline/pipeline_process_object.yml b/packages/jamf_compliance_reporter/0.2.1/data_stream/log/elasticsearch/ingest_pipeline/pipeline_process_object.yml
deleted file mode 100755
index c99628542d..0000000000
--- a/packages/jamf_compliance_reporter/0.2.1/data_stream/log/elasticsearch/ingest_pipeline/pipeline_process_object.yml
+++ /dev/null
@@ -1,120 +0,0 @@
----
-description: Pipeline for Jamf process_object audit logs.
-processors:
- - convert:
- field: json.process.audit_id
- target_field: jamf_compliance_reporter.log.process.pid
- type: long
- ignore_failure: true
- - convert:
- field: json.process.effective_group_id
- target_field: jamf_compliance_reporter.log.process.effective.group.id
- type: string
- ignore_failure: true
- - rename:
- field: json.process.effective_group_name
- target_field: jamf_compliance_reporter.log.process.effective.group.name
- ignore_missing: true
- - convert:
- field: json.process.effective_user_id
- target_field: jamf_compliance_reporter.log.process.effective.user.id
- type: string
- ignore_failure: true
- - append:
- field: user.effective.id
- value: '{{{json.process.effective_user_id}}}'
- if: ctx.json?.process?.effective_user_id != null
- allow_duplicates: false
- ignore_failure: true
- - append:
- field: user.effective.name
- value: '{{{json.process.effective_user_name}}}'
- if: ctx.json?.process?.effective_user_name != null
- allow_duplicates: false
- ignore_failure: true
- - rename:
- field: json.process.effective_user_name
- target_field: jamf_compliance_reporter.log.process.effective.user.name
- ignore_missing: true
- - append:
- field: related.user
- value: '{{{jamf_compliance_reporter.log.process.effective.user.name}}}'
- if: ctx.jamf_compliance_reporter?.log?.process?.effective?.user?.name != null
- allow_duplicates: false
- ignore_failure: true
- - convert:
- field: json.process.group_id
- target_field: jamf_compliance_reporter.log.process.group.id
- type: string
- ignore_failure: true
- - rename:
- field: json.process.group_name
- target_field: jamf_compliance_reporter.log.process.group.name
- ignore_missing: true
- - append:
- field: process.hash.sha1
- value: '{{{json.process.process_hash}}}'
- if: ctx.json?.process?.process_hash != null
- allow_duplicates: false
- ignore_failure: true
- - append:
- field: related.hash
- value: '{{{json.process.process_hash}}}'
- if: ctx.json?.process?.process_hash != null
- allow_duplicates: false
- ignore_failure: true
- - convert:
- field: json.process.process_id
- target_field: jamf_compliance_reporter.log.process.pid
- type: long
- ignore_failure: true
- - rename:
- field: json.process.process_name
- target_field: process.name
- ignore_missing: true
- - convert:
- field: json.process.session_id
- target_field: jamf_compliance_reporter.log.process.session.id
- type: string
- ignore_failure: true
- - convert:
- field: json.process.terminal_id.addr
- target_field: jamf_compliance_reporter.log.process.terminal_id.addr
- type: string
- ignore_failure: true
- - convert:
- field: json.process.terminal_id.ip_address
- target_field: jamf_compliance_reporter.log.process.terminal_id.ip_address
- type: ip
- ignore_failure: true
- - append:
- field: related.ip
- value: '{{{jamf_compliance_reporter.log.process.terminal_id.ip_address}}}'
- if: ctx.jamf_compliance_reporter?.log?.process?.terminal_id?.ip_address != null
- allow_duplicates: false
- ignore_failure: true
- - convert:
- field: json.process.terminal_id.port
- target_field: jamf_compliance_reporter.log.process.terminal_id.port
- type: long
- ignore_failure: true
- - convert:
- field: json.process.terminal_id.type
- target_field: jamf_compliance_reporter.log.process.terminal_id.type
- type: string
- ignore_failure: true
- - convert:
- field: json.process.user_id
- target_field: jamf_compliance_reporter.log.process.user.id
- type: string
- ignore_failure: true
- - rename:
- field: json.process.user_name
- target_field: jamf_compliance_reporter.log.process.user.name
- ignore_missing: true
- - append:
- field: related.user
- value: '{{{jamf_compliance_reporter.log.process.user.name}}}'
- if: ctx.jamf_compliance_reporter?.log?.process?.user?.name != null
- allow_duplicates: false
- ignore_failure: true
diff --git a/packages/jamf_compliance_reporter/0.2.1/data_stream/log/elasticsearch/ingest_pipeline/pipeline_prohibited_app_blocked.yml b/packages/jamf_compliance_reporter/0.2.1/data_stream/log/elasticsearch/ingest_pipeline/pipeline_prohibited_app_blocked.yml
deleted file mode 100755
index b527f550d9..0000000000
--- a/packages/jamf_compliance_reporter/0.2.1/data_stream/log/elasticsearch/ingest_pipeline/pipeline_prohibited_app_blocked.yml
+++ /dev/null
@@ -1,240 +0,0 @@ ---- -description: Pipeline for Jamf Compliance Reporter prohibited app blocked event logs. -processors: - - rename: - field: json.header.action - target_field: jamf_compliance_reporter.log.header.action - ignore_missing: true - - rename: - field: json.exec_args.args - target_field: json.args - ignore_missing: true - - rename: - field: json.exec_args.args_compiled - target_field: jamf_compliance_reporter.log.exec_args.args_compiled - ignore_missing: true - - rename: - field: json.exec_env.env.PATH - target_field: jamf_compliance_reporter.log.exec_env.env.path - ignore_missing: true - - rename: - field: json.exec_env.env.SHELL - target_field: jamf_compliance_reporter.log.exec_env.env.shell - ignore_missing: true - - rename: - field: json.exec_env.env.SSH_AUTH_SOCK - target_field: jamf_compliance_reporter.log.exec_env.env.ssh_auth_sock - ignore_missing: true - - rename: - field: json.exec_env.env.TMPDIR - target_field: jamf_compliance_reporter.log.exec_env.env.tmpdir - ignore_missing: true - - append: - field: user.name - value: '{{{json.exec_env.env.USER}}}' - if: ctx.json?.exec_env?.env?.USER != null - allow_duplicates: false - ignore_failure: true - - append: - field: related.user - value: '{{{json.exec_env.env.USER}}}' - if: ctx.json?.exec_env?.env?.USER != null - allow_duplicates: false - ignore_failure: true - - rename: - field: json.exec_env.env.XPC_FLAGS - target_field: jamf_compliance_reporter.log.exec_env.env.xpc.flags - ignore_missing: true - - rename: - field: json.exec_env.env.XPC_SERVICE_NAME - target_field: jamf_compliance_reporter.log.exec_env.env.xpc.service_name - ignore_missing: true - - rename: - field: json.exec_env.env_compiled - target_field: jamf_compliance_reporter.log.exec_env.env_compiled - ignore_missing: true - - rename: - field: json.identity.cd_hash - target_field: jamf_compliance_reporter.log.identity.cd_hash - ignore_missing: true - - append: - field: related.hash - value: 
'{{{jamf_compliance_reporter.log.identity.cd_hash}}}' - if: ctx.jamf_compliance_reporter?.log?.identity?.cd_hash != null - allow_duplicates: false - ignore_failure: true - - convert: - field: json.identity.signer_id - target_field: jamf_compliance_reporter.log.identity.signer.id - type: string - ignore_failure: true - - convert: - field: json.identity.signer_id_truncated - target_field: jamf_compliance_reporter.log.identity.signer.id_truncated - type: string - ignore_failure: true - - convert: - field: json.identity.signer_type - target_field: jamf_compliance_reporter.log.identity.signer.type - type: string - ignore_failure: true - - convert: - field: json.identity.team_id - target_field: jamf_compliance_reporter.log.identity.team.id - type: string - ignore_failure: true - - convert: - field: json.identity.team_id_truncated - target_field: jamf_compliance_reporter.log.identity.team.id_truncated - type: string - ignore_failure: true - - convert: - field: json.subject.audit_id - target_field: process.real_user.id - type: string - ignore_failure: true - - rename: - field: json.subject.audit_user_name - target_field: process.real_user.name - ignore_missing: true - - convert: - field: json.subject.effective_group_id - target_field: jamf_compliance_reporter.log.subject.effective.group.id - type: string - ignore_failure: true - - rename: - field: json.subject.effective_group_name - target_field: jamf_compliance_reporter.log.subject.effective.group.name - ignore_missing: true - - convert: - field: json.subject.effective_user_id - target_field: user.effective.id - type: string - ignore_failure: true - - set: - field: jamf_compliance_reporter.log.subject.effective.user.id - copy_from: user.effective.id - ignore_failure: true - - append: - field: user.name - value: '{{{json.subject.effective_user_name}}}' - if: ctx.json?.subject?.effective_user_name != null - allow_duplicates: false - ignore_failure: true - - append: - field: related.user - value: 
'{{{json.subject.effective_user_name}}}' - if: ctx.json?.subject?.effective_user_name != null - allow_duplicates: false - ignore_failure: true - - rename: - field: json.subject.effective_user_name - target_field: user.effective.name - ignore_missing: true - - set: - field: jamf_compliance_reporter.log.subject.effective.user.name - copy_from: user.effective.name - ignore_failure: true - - convert: - field: json.subject.group_id - target_field: user.group.id - type: string - ignore_failure: true - - rename: - field: json.subject.group_name - target_field: user.group.name - ignore_missing: true - - rename: - field: json.subject.process_hash - target_field: process.hash.sha1 - ignore_missing: true - - append: - field: related.hash - value: '{{{process.hash.sha1}}}' - if: ctx.process?.hash?.sha1 != null - allow_duplicates: false - ignore_failure: true - - convert: - field: json.subject.process_id - target_field: jamf_compliance_reporter.log.subject.process.pid - type: long - ignore_failure: true - - rename: - field: json.subject.process_information - target_field: jamf_compliance_reporter.log.subject.process.information - ignore_missing: true - - rename: - field: json.subject.process_name - target_field: process.name - ignore_missing: true - - convert: - field: json.subject.responsible_process_id - target_field: jamf_compliance_reporter.log.subject.responsible.process.id - type: string - ignore_failure: true - - rename: - field: json.subject.responsible_process_name - target_field: jamf_compliance_reporter.log.subject.responsible.process.name - ignore_missing: true - - convert: - field: json.subject.session_id - target_field: jamf_compliance_reporter.log.subject.session.id - type: string - ignore_failure: true - - convert: - field: json.subject.terminal_id.ip_address - target_field: json.subject.terminal_id.ip_address - type: ip - ignore_failure: true - - append: - field: host.ip - value: '{{{json.subject.terminal_id.ip_address}}}' - if: 
ctx.json?.subject?.terminal_id?.ip_address != null - allow_duplicates: false - ignore_failure: true - - append: - field: related.ip - value: '{{{json.subject.terminal_id.ip_address}}}' - if: ctx.json?.subject?.terminal_id?.ip_address != null - allow_duplicates: false - ignore_failure: true - - convert: - field: json.subject.terminal_id.port - target_field: jamf_compliance_reporter.log.subject.terminal_id.port - type: long - ignore_failure: true - - convert: - field: json.subject.terminal_id.type - target_field: jamf_compliance_reporter.log.subject.terminal_id.type - type: string - ignore_failure: true - - convert: - field: json.subject.user_id - target_field: user.id - type: string - ignore_failure: true - - append: - field: user.name - value: '{{{json.subject.user_name}}}' - if: ctx.json?.subject?.user_name != null - allow_duplicates: false - ignore_failure: true - - append: - field: related.user - value: '{{{json.subject.user_name}}}' - if: ctx.json?.subject?.user_name != null - allow_duplicates: false - ignore_failure: true - - rename: - field: json.texts - target_field: jamf_compliance_reporter.log.texts - ignore_missing: true - - script: - description: Convert Object into Array. - lang: painless - source: | - def args_list = new ArrayList(); - ctx.process.args = args_list; - for (Map.Entry m : ctx.json?.args.entrySet()) { - ctx.process?.args.add(m.getValue()); - } \ No newline at end of file diff --git a/packages/jamf_compliance_reporter/0.2.1/data_stream/log/elasticsearch/ingest_pipeline/pipeline_signal_event.yml b/packages/jamf_compliance_reporter/0.2.1/data_stream/log/elasticsearch/ingest_pipeline/pipeline_signal_event.yml deleted file mode 100755 index 0bbc62a0f3..0000000000 --- a/packages/jamf_compliance_reporter/0.2.1/data_stream/log/elasticsearch/ingest_pipeline/pipeline_signal_event.yml +++ /dev/null 
@@ -1,8 +0,0 @@
----
-description: Pipeline for Jamf Compliance Reporter signal event logs.
-processors:
- - convert:
- field: json.signal_event_info.signal
- target_field: jamf_compliance_reporter.log.signal_event_info.signal
- type: long
- ignore_failure: true
diff --git a/packages/jamf_compliance_reporter/0.2.1/data_stream/log/elasticsearch/ingest_pipeline/pipeline_unified_log_event.yml b/packages/jamf_compliance_reporter/0.2.1/data_stream/log/elasticsearch/ingest_pipeline/pipeline_unified_log_event.yml
deleted file mode 100755
index 9f44924f4e..0000000000
--- a/packages/jamf_compliance_reporter/0.2.1/data_stream/log/elasticsearch/ingest_pipeline/pipeline_unified_log_event.yml
+++ /dev/null
@@ -1,123 +0,0 @@ ---- -description: Pipeline for Jamf Compliance Reporter unified event logs. -processors: - - convert: - field: json.event_attributes.activityIdentifier - target_field: jamf_compliance_reporter.log.event_attributes.activity_identifier - type: string - ignore_failure: true - - foreach: - field: json.event_attributes.backtrace.frames - processor: - convert: - field: _ingest._value.imageOffset - target_field: _ingest._value.image_offset - type: long - ignore_failure: true - - foreach: - field: json.event_attributes.backtrace.frames - processor: - remove: - field: _ingest._value.imageOffset - ignore_failure: true - - foreach: - field: json.event_attributes.backtrace.frames - processor: - rename: - field: _ingest._value.imageUUID - target_field: _ingest._value.image_uuid - ignore_failure: true - - rename: - field: json.event_attributes.backtrace.frames - target_field: jamf_compliance_reporter.log.event_attributes.backtrace.frames - ignore_missing: true - - rename: - field: json.event_attributes.category - target_field: jamf_compliance_reporter.log.event_attributes.category - ignore_missing: true - - rename: - field: json.event_attributes.eventMessage - target_field: jamf_compliance_reporter.log.event_attributes.event.message - ignore_missing: true - - rename: - field: json.event_attributes.eventType - target_field: jamf_compliance_reporter.log.event_attributes.event.type - ignore_missing: true - - rename: - field: json.event_attributes.formatString - target_field: jamf_compliance_reporter.log.event_attributes.format_string - ignore_missing: true - - convert: - field: json.event_attributes.machTimestamp - target_field: jamf_compliance_reporter.log.event_attributes.mach_timestamp - type: string - ignore_failure: true - - append: - field: event.type - value: '{{{json.event_attributes.messageType}}}' - if: ctx.json?.event_attributes?.messageType != null - allow_duplicates: false - ignore_failure: true - - lowercase: - field: event.type - ignore_failure: 
true - - convert: - field: json.event_attributes.parentActivityIdentifier - target_field: jamf_compliance_reporter.log.event_attributes.parent_activity_identifier - type: string - ignore_failure: true - - convert: - field: json.event_attributes.processID - target_field: jamf_compliance_reporter.log.event_attributes.process.id - type: long - ignore_failure: true - - rename: - field: json.event_attributes.processImagePath - target_field: jamf_compliance_reporter.log.event_attributes.process.image.path - ignore_missing: true - - rename: - field: json.event_attributes.processImageUUID - target_field: jamf_compliance_reporter.log.event_attributes.process.image.uuid - ignore_missing: true - - rename: - field: json.event_attributes.senderImagePath - target_field: jamf_compliance_reporter.log.event_attributes.sender.image.path - ignore_missing: true - - rename: - field: json.event_attributes.senderImageUUID - target_field: jamf_compliance_reporter.log.event_attributes.sender.image.uuid - ignore_missing: true - - convert: - field: json.event_attributes.senderProgramCounter - target_field: jamf_compliance_reporter.log.event_attributes.sender.program_counter - type: long - ignore_failure: true - - rename: - field: json.event_attributes.source - target_field: jamf_compliance_reporter.log.event_attributes.source - ignore_missing: true - - rename: - field: json.event_attributes.subsystem - target_field: jamf_compliance_reporter.log.event_attributes.subsystem - ignore_missing: true - - convert: - field: json.event_attributes.threadID - target_field: jamf_compliance_reporter.log.event_attributes.thread_id - type: string - ignore_failure: true - - date: - field: json.event_attributes.timestamp - target_field: jamf_compliance_reporter.log.event_attributes.timestamp - if: ctx.json?.event_attributes?.timestamp != 0 - ignore_failure: true - formats: - - yyyy-MM-dd HH:mm:ss.SSSSSSZ - - rename: - field: json.event_attributes.timezoneName - target_field: 
jamf_compliance_reporter.log.event_attributes.timezone_name
- ignore_missing: true
- - convert:
- field: json.event_attributes.traceID
- target_field: jamf_compliance_reporter.log.event_attributes.trace_id
- type: string
- ignore_failure: true
diff --git a/packages/jamf_compliance_reporter/0.2.1/data_stream/log/elasticsearch/ingest_pipeline/pipeline_xprotect_definitions_version_info.yml b/packages/jamf_compliance_reporter/0.2.1/data_stream/log/elasticsearch/ingest_pipeline/pipeline_xprotect_definitions_version_info.yml
deleted file mode 100755
index fe995a9a19..0000000000
--- a/packages/jamf_compliance_reporter/0.2.1/data_stream/log/elasticsearch/ingest_pipeline/pipeline_xprotect_definitions_version_info.yml
+++ /dev/null
@@ -1,27 +0,0 @@
----
-description: Pipeline for Jamf Compliance Reporter xprotect definitions version info event logs.
-processors:
- - rename:
- field: json.event_attributes.BuildAliasOf
- target_field: jamf_compliance_reporter.log.event_attributes.build_alias_of
- ignore_missing: true
- - rename:
- field: json.event_attributes.BuildVersion
- target_field: jamf_compliance_reporter.log.event_attributes.build_version
- ignore_missing: true
- - rename:
- field: json.event_attributes.CFBundleShortVersionString
- target_field: jamf_compliance_reporter.log.event_attributes.cf_bundle_short_version_string
- ignore_missing: true
- - rename:
- field: json.event_attributes.CFBundleVersion
- target_field: jamf_compliance_reporter.log.event_attributes.cf_bundle_version
- ignore_missing: true
- - rename:
- field: json.event_attributes.ProjectName
- target_field: jamf_compliance_reporter.log.event_attributes.project_name
- ignore_missing: true
- - rename:
- field: json.event_attributes.SourceVersion
- target_field: jamf_compliance_reporter.log.event_attributes.source_version
- ignore_missing: true
diff --git a/packages/jamf_compliance_reporter/0.2.1/data_stream/log/elasticsearch/ingest_pipeline/pipeline_xprotect_event_log.yml b/packages/jamf_compliance_reporter/0.2.1/data_stream/log/elasticsearch/ingest_pipeline/pipeline_xprotect_event_log.yml
deleted file mode 100755
index 922d9e7a8b..0000000000
--- a/packages/jamf_compliance_reporter/0.2.1/data_stream/log/elasticsearch/ingest_pipeline/pipeline_xprotect_event_log.yml
+++ /dev/null
@@ -1,231 +0,0 @@ ---- -description: Pipeline for Jamf Compliance Reporter xprotect event logs. -processors: - - foreach: - field: json.event_attributes - processor: - append: - field: jamf_compliance_reporter.log.event_attributes.activity_identifier - value: '{{{_ingest._value.activityIdentifier}}}' - allow_duplicates: false - ignore_failure: true - - convert: - field: jamf_compliance_reporter.log.event_attributes.activity_identifier - target_field: jamf_compliance_reporter.log.event_attributes.activity_identifier - type: string - ignore_failure: true - - foreach: - field: json.event_attributes - processor: - foreach: - field: _ingest._value.backtrace.frames - processor: - append: - field: jamf_compliance_reporter.log.event_attributes.backtrace.frames.image_offset - value: '{{{_ingest._value.imageOffset}}}' - allow_duplicates: false - ignore_failure: true - - convert: - field: jamf_compliance_reporter.log.event_attributes.backtrace.frames.image_offset - target_field: jamf_compliance_reporter.log.event_attributes.backtrace.frames.image_offset - type: long - ignore_failure: true - - foreach: - field: json.event_attributes - processor: - foreach: - field: _ingest._value.backtrace.frames - processor: - append: - field: jamf_compliance_reporter.log.event_attributes.backtrace.frames.image_uuid - value: '{{{_ingest._value.imageUUID}}}' - allow_duplicates: false - ignore_failure: true - - foreach: - field: json.event_attributes - processor: - append: - field: jamf_compliance_reporter.log.event_attributes.category - value: '{{{_ingest._value.category}}}' - allow_duplicates: false - ignore_failure: true - - foreach: - field: json.event_attributes - processor: - append: - field: jamf_compliance_reporter.log.event_attributes.event.message - value: '{{{_ingest._value.eventMessage}}}' - allow_duplicates: false - ignore_failure: true - - foreach: - field: json.event_attributes - processor: - append: - field: jamf_compliance_reporter.log.event_attributes.event.type - value: 
'{{{_ingest._value.eventType}}}' - allow_duplicates: false - ignore_failure: true - - foreach: - field: json.event_attributes - processor: - append: - field: jamf_compliance_reporter.log.event_attributes.format_string - value: '{{{_ingest._value.formatString}}}' - allow_duplicates: false - ignore_failure: true - - foreach: - field: json.event_attributes - processor: - convert: - field: _ingest._value.machTimestamp - target_field: jamf_compliance_reporter.log.event_attributes.mach_timestamp - type: string - ignore_failure: true - - foreach: - field: json.event_attributes - processor: - append: - field: event.type - value: '{{{_ingest._value.messageType}}}' - allow_duplicates: false - ignore_failure: true - - lowercase: - field: event.type - ignore_failure: true - - foreach: - field: json.event_attributes - processor: - append: - field: jamf_compliance_reporter.log.event_attributes.parent_activity_identifier - value: '{{{_ingest._value.parentActivityIdentifier}}}' - allow_duplicates: false - ignore_failure: true - - convert: - field: jamf_compliance_reporter.log.event_attributes.parent_activity_identifier - target_field: jamf_compliance_reporter.log.event_attributes.parent_activity_identifier - type: string - ignore_failure: true - - foreach: - field: json.event_attributes - processor: - append: - field: jamf_compliance_reporter.log.event_attributes.process.id - value: '{{{_ingest._value.processID}}}' - allow_duplicates: false - ignore_failure: true - - convert: - field: jamf_compliance_reporter.log.event_attributes.process.id - target_field: jamf_compliance_reporter.log.event_attributes.process.id - type: long - ignore_failure: true - - foreach: - field: json.event_attributes - processor: - append: - field: jamf_compliance_reporter.log.event_attributes.process.image.path - value: '{{{_ingest._value.processImagePath}}}' - allow_duplicates: false - ignore_failure: true - - foreach: - field: json.event_attributes - processor: - append: - field: 
jamf_compliance_reporter.log.event_attributes.process.image.uuid - value: '{{{_ingest._value.processImageUUID}}}' - allow_duplicates: false - ignore_failure: true - - foreach: - field: json.event_attributes - processor: - append: - field: jamf_compliance_reporter.log.event_attributes.sender.image.path - value: '{{{_ingest._value.senderImagePath}}}' - allow_duplicates: false - ignore_failure: true - - foreach: - field: json.event_attributes - processor: - append: - field: jamf_compliance_reporter.log.event_attributes.sender.image.uuid - value: '{{{_ingest._value.senderImageUUID}}}' - allow_duplicates: false - ignore_failure: true - - foreach: - field: json.event_attributes - processor: - append: - field: jamf_compliance_reporter.log.event_attributes.sender.program_counter - value: '{{{_ingest._value.senderProgramCounter}}}' - allow_duplicates: false - ignore_failure: true - - convert: - field: jamf_compliance_reporter.log.event_attributes.sender.program_counter - target_field: jamf_compliance_reporter.log.event_attributes.sender.program_counter - type: long - ignore_failure: true - - foreach: - field: json.event_attributes - processor: - append: - field: jamf_compliance_reporter.log.event_attributes.source - value: '{{{_ingest._value.source}}}' - allow_duplicates: false - ignore_failure: true - - foreach: - field: json.event_attributes - processor: - append: - field: jamf_compliance_reporter.log.event_attributes.subsystem - value: '{{{_ingest._value.subsystem}}}' - allow_duplicates: false - ignore_failure: true - - foreach: - field: json.event_attributes - processor: - append: - field: jamf_compliance_reporter.log.event_attributes.thread_id - value: '{{{_ingest._value.threadID}}}' - allow_duplicates: false - ignore_failure: true - - convert: - field: jamf_compliance_reporter.log.event_attributes.thread_id - target_field: jamf_compliance_reporter.log.event_attributes.thread_id - type: string - ignore_failure: true - - foreach: - field: json.event_attributes - 
processor: - date: - field: _ingest._value.timestamp - target_field: jamf_compliance_reporter.log.event_attributes.timestamp - formats: - - yyyy-MM-dd HH:mm:ss.SSSSSSZ - - foreach: - field: json.event_attributes - processor: - append: - field: jamf_compliance_reporter.log.event_attributes.timezone_name - value: '{{{_ingest._value.timezone_name}}}' - allow_duplicates: false - ignore_failure: true - - foreach: - field: json.event_attributes - processor: - append: - field: jamf_compliance_reporter.log.event_attributes.timezoneName - value: '{{{_ingest._value.timezoneName}}}' - allow_duplicates: false - ignore_failure: true - - foreach: - field: json.event_attributes - processor: - append: - field: jamf_compliance_reporter.log.event_attributes.trace_id - value: '{{{_ingest._value.traceID}}}' - allow_duplicates: false - ignore_failure: true - - convert: - field: jamf_compliance_reporter.log.event_attributes.trace_id - target_field: jamf_compliance_reporter.log.event_attributes.trace_id - type: string - ignore_failure: true diff --git a/packages/jamf_compliance_reporter/0.2.1/data_stream/log/fields/agent.yml b/packages/jamf_compliance_reporter/0.2.1/data_stream/log/fields/agent.yml deleted file mode 100755 index 73e076a93b..0000000000 --- a/packages/jamf_compliance_reporter/0.2.1/data_stream/log/fields/agent.yml +++ /dev/null 
@@ -1,186 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization ID used to identify different entities in a multi-tenant environment. Examples: AWS account ID, Google Cloud ORG ID, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container ID. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host ID. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host IP addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - -- name: input.type - type: keyword - description: Input type -- name: log.offset - type: long - description: Log offset 
diff --git a/packages/jamf_compliance_reporter/0.2.1/data_stream/log/fields/base-fields.yml b/packages/jamf_compliance_reporter/0.2.1/data_stream/log/fields/base-fields.yml
deleted file mode 100755
index e2abf39bd5..0000000000
--- a/packages/jamf_compliance_reporter/0.2.1/data_stream/log/fields/base-fields.yml
+++ /dev/null
@@ -1,20 +0,0 @@
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: event.dataset
- type: constant_keyword
- description: Name of the dataset.
- value: jamf_compliance_reporter.log
-- name: event.module
- type: constant_keyword
- description: Event module.
- value: jamf_compliance_reporter
-- name: '@timestamp'
- type: date
- description: Event timestamp.
diff --git a/packages/jamf_compliance_reporter/0.2.1/data_stream/log/fields/ecs.yml b/packages/jamf_compliance_reporter/0.2.1/data_stream/log/fields/ecs.yml
deleted file mode 100755
index 079db8bc9f..0000000000
--- a/packages/jamf_compliance_reporter/0.2.1/data_stream/log/fields/ecs.yml
+++ /dev/null
@@ -1,187 +0,0 @@ -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: Error code describing the error. - name: error.code - type: keyword -- description: |- - The action captured by the event. - This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. - name: event.action - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. This will allow proper categorization of some events that fall in multiple categories. - name: event.category - normalize: - - array - type: keyword -- description: |- - Identification code for this event, if one exists. - Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. - name: event.code - type: keyword -- description: |- - event.created contains the date/time when the event was first read by an agent, or by your pipeline. - This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. - In most situations, these two timestamps will be slightly different. 
The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. - In case the two timestamps are identical, @timestamp should be used. - name: event.created - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: |- - Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. - This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. - doc_values: false - index: false - name: event.original - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. - `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. - Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. 
- Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. - Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. - name: event.outcome - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. - `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. This will allow proper categorization of some events that fall in multiple event types. - name: event.type - normalize: - - array - type: keyword -- description: SHA1 hash. - name: file.hash.sha1 - type: keyword -- description: Full path to the file, including the file name. It should include the drive letter, when appropriate. - multi_fields: - - name: text - type: match_only_text - name: file.path - type: keyword -- description: |- - Use the `os.type` field to categorize the operating system into one of the broad commercial families. - If the OS you're dealing with is not listed as an expected value, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. - name: host.os.type - type: keyword -- description: |- - Array of process arguments, starting with the absolute path to the executable. - May be filtered to protect sensitive information. - name: process.args - normalize: - - array - type: keyword -- description: |- - The exit code of the process, if this is a termination event. - The field should be absent if there is no exit code for the event (e.g. 
process start). - name: process.exit_code - type: long -- description: SHA1 hash. - name: process.hash.sha1 - type: keyword -- description: |- - Process name. - Sometimes called program name or similar. - multi_fields: - - name: text - type: match_only_text - name: process.name - type: keyword -- description: Process id. - name: process.pid - type: long -- description: Process id. - name: process.parent.pid - type: long -- description: Unique identifier for the group on the system/platform. - name: process.real_group.id - type: keyword -- description: Name of the group. - name: process.real_group.name - type: keyword -- description: Unique identifier of the user. - name: process.real_user.id - type: keyword -- description: Short name or login of the user. - multi_fields: - - name: text - type: match_only_text - name: process.real_user.name - type: keyword -- description: Unique identifier of the user. - name: process.user.id - type: keyword -- description: Short name or login of the user. - multi_fields: - - name: text - type: match_only_text - name: process.user.name - type: keyword -- description: All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). - name: related.hash - normalize: - - array - type: keyword -- description: All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. - name: related.hosts - normalize: - - array - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - normalize: - - array - type: ip -- description: IP address of the server (IPv4 or IPv6). - name: server.ip - type: ip -- description: Port of the server. - name: server.port - type: long -- description: All the user names or other user identifiers seen on the event. 
- name: related.user - normalize: - - array - type: keyword -- description: List of keywords used to tag each event. - name: tags - normalize: - - array - type: keyword -- description: Unique identifier of the user. - name: user.effective.id - type: keyword -- description: Short name or login of the user. - multi_fields: - - name: text - type: match_only_text - name: user.effective.name - type: keyword -- description: User email address. - name: user.email - type: keyword -- description: Unique identifier for the group on the system/platform. - name: user.group.id - type: keyword -- description: Name of the group. - name: user.group.name - type: keyword -- description: Unique identifier of the user. - name: user.id - type: keyword -- description: Short name or login of the user. - multi_fields: - - name: text - type: match_only_text - name: user.name - type: keyword diff --git a/packages/jamf_compliance_reporter/0.2.1/data_stream/log/fields/fields.yml b/packages/jamf_compliance_reporter/0.2.1/data_stream/log/fields/fields.yml deleted file mode 100755 index 97ac1504ef..0000000000 --- a/packages/jamf_compliance_reporter/0.2.1/data_stream/log/fields/fields.yml +++ /dev/null 
@@ -1,726 +0,0 @@ -- name: jamf_compliance_reporter.log - type: group - fields: - - name: app_metric_info - type: group - fields: - - name: cpu_percentage - type: double - - name: cpu_time_seconds - type: double - - name: interrupt_wakeups - type: long - - name: platform_idle_wakeups - type: long - - name: resident_memory_size - type: group - fields: - - name: mb - type: double - - name: virtual_memory_size - type: group - fields: - - name: mb - type: double - - name: arguments - type: group - fields: - - name: addr - type: keyword - - name: am_failure - type: keyword - - name: am_success - type: keyword - - name: authenticated - type: flattened - - name: child - type: group - fields: - - name: pid - type: long - - name: data - type: keyword - - name: detail - type: keyword - - name: domain - type: keyword - - name: fd - type: keyword - - name: flags - type: keyword - - name: flattened - type: flattened - - name: known_uid - type: keyword - - name: pid - type: long - - name: port - type: long - - name: priority - type: long - - name: process - type: keyword - - name: protocol - type: keyword - - name: request - type: keyword - - name: sflags - type: keyword - - name: signal - type: keyword - - name: target - type: group - fields: - - name: port - type: long - - name: task - type: group - fields: - - name: port - type: long - - name: type - type: keyword - - name: which - type: keyword - - name: who - type: keyword - - name: attributes - type: group - fields: - - name: device - type: keyword - - name: file - type: group - fields: - - name: access_mode - type: keyword - - name: system - type: group - fields: - - name: id - type: keyword - - name: node - type: group - fields: - - name: id - type: keyword - - name: owner - type: group - fields: - - name: group - type: group - fields: - - name: id - type: keyword - - name: name - type: keyword - - name: audio_video_device_info - type: group - fields: - - name: audio_device - type: group - fields: - - name: creator - 
type: keyword - - name: hog_mode - type: keyword - - name: id - type: keyword - - name: manufacturer - type: keyword - - name: running - type: long - - name: uuid - type: keyword - - name: device_status - type: keyword - - name: audit_class_verification_info - type: group - fields: - - name: contents - type: text - - name: os - type: group - fields: - - name: version - type: keyword - - name: restored_default - type: boolean - - name: status - type: keyword - - name: status_str - type: keyword - - name: compliancereporter_license_info - type: group - fields: - - name: expiration_date - type: date - - name: status - type: keyword - - name: time - type: date - - name: type - type: keyword - - name: version - type: keyword - - name: dataset - type: keyword - - name: event_attributes - type: group - fields: - - name: activity_identifier - type: keyword - - name: assessments_enabled - type: long - - name: attributes - type: group - fields: - - name: ctime - type: date - - name: mtime - type: date - - name: path - type: keyword - - name: quarantine - type: group - fields: - - name: agent_bundle_identifier - type: keyword - - name: agent_name - type: keyword - - name: data_url_string - type: keyword - - name: event_identifier - type: keyword - - name: origin_url_string - type: keyword - - name: timestamp - type: date - - name: requirement - type: keyword - - name: audit_event - type: group - fields: - - name: excluded_processes - type: keyword - - name: excluded_users - type: keyword - - name: audit_event_log_verbose_messages - type: keyword - - name: audit_level - type: long - - name: backtrace - type: group - fields: - - name: frames - type: group - fields: - - name: image_offset - type: long - - name: image_uuid - type: keyword - - name: build_alias_of - type: keyword - - name: build_version - type: keyword - - name: category - type: keyword - - name: cf_bundle_short_version_string - type: keyword - - name: cf_bundle_version - type: keyword - - name: dev_id_enabled - 
type: long - - name: event - type: group - fields: - - name: message - type: keyword - - name: type - type: keyword - - name: file_event - type: group - fields: - - name: exclusion_paths - type: keyword - - name: inclusion_paths - type: keyword - - name: use_fuzzy_match - type: long - - name: file_license_info - type: group - fields: - - name: license_expiration_date - type: date - - name: license_key - type: keyword - - name: license_type - type: keyword - - name: license_version - type: keyword - - name: format_string - type: keyword - - name: job - type: group - fields: - - name: completed_time - type: date - - name: creation_time - type: date - - name: destination - type: keyword - - name: format - type: keyword - - name: id - type: keyword - - name: processing_time - type: date - - name: size - type: keyword - - name: state - type: keyword - - name: title - type: keyword - - name: user - type: keyword - - name: log - type: group - fields: - - name: file - type: group - fields: - - name: location - type: keyword - - name: max_number_backups - type: long - - name: max_size_mega_bytes - type: long - - name: ownership - type: keyword - - name: permission - type: keyword - - name: remote_endpoint_enabled - type: long - - name: remote_endpoint_type - type: keyword - - name: remote_endpoint_type_awskinesis - type: group - fields: - - name: access_key_id - type: keyword - - name: region - type: keyword - - name: secret_key - type: keyword - - name: stream_name - type: keyword - - name: remote_endpoint_url - type: keyword - - name: mach_timestamp - type: keyword - - name: opaque_version - type: keyword - - name: parent_activity_identifier - type: keyword - - name: path - type: keyword - - name: process - type: group - fields: - - name: id - type: long - - name: image - type: group - fields: - - name: path - type: keyword - - name: uuid - type: keyword - - name: project_name - type: keyword - - name: sender - type: group - fields: - - name: id - type: long - - name: 
image - type: group - fields: - - name: path - type: keyword - - name: uuid - type: keyword - - name: program_counter - type: long - - name: source - type: keyword - - name: source_version - type: keyword - - name: subsystem - type: keyword - - name: timestamp - type: date - - name: timezone_name - type: keyword - - name: thread_id - type: keyword - - name: trace_id - type: keyword - - name: unified_log_predicates - type: keyword - - name: version - type: keyword - - name: event_score - type: long - - name: exec_args - type: group - fields: - - name: args - type: flattened - - name: args_compiled - type: keyword - - name: exec_chain_child - type: group - fields: - - name: parent - type: group - fields: - - name: path - type: text - - name: uuid - type: keyword - - name: exec_chain_parent - type: group - fields: - - name: uuid - type: keyword - - name: exec_env - type: group - fields: - - name: env - type: group - fields: - - name: arch - type: keyword - - name: compiled - type: keyword - - name: malwarebytes_group - type: keyword - - name: path - type: text - - name: shell - type: keyword - - name: ssh_auth_sock - type: keyword - - name: tmpdir - type: keyword - - name: xpc - type: group - fields: - - name: flags - type: keyword - - name: service_name - type: keyword - - name: env_compiled - type: keyword - - name: exit - type: group - fields: - - name: return - type: group - fields: - - name: value - type: long - - name: status - type: keyword - - name: file_event_info - type: group - fields: - - name: eventid_wrapped - type: boolean - - name: history_done - type: boolean - - name: item - type: group - fields: - - name: change_owner - type: boolean - - name: cloned - type: boolean - - name: created - type: boolean - - name: extended_attribute_modified - type: boolean - - name: finder_info_modified - type: boolean - - name: inode_metadata_modified - type: boolean - - name: is_directory - type: boolean - - name: is_file - type: boolean - - name: is_hard_link - type: 
boolean - - name: is_last_hard_link - type: boolean - - name: is_sym_link - type: boolean - - name: removed - type: boolean - - name: renamed - type: boolean - - name: updated - type: boolean - - name: kernel_dropped - type: boolean - - name: mount - type: boolean - - name: must_scan_sub_dir - type: boolean - - name: none - type: boolean - - name: own_event - type: boolean - - name: root_changed - type: boolean - - name: unmount - type: boolean - - name: user_dropped - type: boolean - - name: hardware_event_info - type: group - fields: - - name: device - type: group - fields: - - name: class - type: keyword - - name: name - type: keyword - - name: status - type: keyword - - name: device_attributes - type: group - fields: - - name: io - type: group - fields: - - name: cf_plugin_types - type: flattened - - name: class_name_override - type: keyword - - name: power_management - type: group - fields: - - name: capability_flags - type: keyword - - name: current_power_state - type: long - - name: device_power_state - type: long - - name: driver_power_state - type: long - - name: max_power_state - type: long - - name: iserial_number - type: long - - name: removable - type: keyword - - name: usb - type: group - fields: - - name: product_name - type: keyword - - name: vendor_name - type: keyword - - name: header - type: group - fields: - - name: action - type: keyword - - name: event_modifier - type: keyword - - name: time_milliseconds_offset - type: long - - name: version - type: keyword - - name: host_info - type: group - fields: - - name: host - type: group - fields: - - name: uuid - type: keyword - - name: identity - type: group - fields: - - name: cd_hash - type: keyword - - name: signer - type: group - fields: - - name: id - type: keyword - - name: id_truncated - type: keyword - - name: type - type: keyword - - name: team - type: group - fields: - - name: id - type: keyword - - name: id_truncated - type: keyword - - name: path - type: keyword - - name: process - type: 
group - fields: - - name: effective - type: group - fields: - - name: group - type: group - fields: - - name: id - type: keyword - - name: name - type: keyword - - name: user - type: group - fields: - - name: id - type: keyword - - name: name - type: keyword - - name: group - type: group - fields: - - name: id - type: keyword - - name: name - type: keyword - - name: pid - type: long - - name: name - type: keyword - - name: session - type: group - fields: - - name: id - type: keyword - - name: terminal_id - type: group - fields: - - name: addr - type: keyword - - name: ip_address - type: ip - - name: port - type: long - - name: type - type: keyword - - name: user - type: group - fields: - - name: id - type: keyword - - name: name - type: keyword - - name: return - type: group - fields: - - name: description - type: keyword - - name: signal_event_info - type: group - fields: - - name: signal - type: long - - name: socket - type: group - fields: - - name: inet - type: group - fields: - - name: addr - type: keyword - - name: family - type: keyword - - name: id - type: keyword - - name: unix - type: group - fields: - - name: family - type: keyword - - name: path - type: text - - name: subject - type: group - fields: - - name: audit - type: group - fields: - - name: id - type: keyword - - name: user - type: group - fields: - - name: name - type: keyword - - name: effective - type: group - fields: - - name: group - type: group - fields: - - name: id - type: keyword - - name: name - type: keyword - - name: user - type: group - fields: - - name: id - type: keyword - - name: name - type: keyword - - name: process - type: group - fields: - - name: name - type: keyword - - name: pid - type: long - - name: responsible - type: group - fields: - - name: process - type: group - fields: - - name: id - type: keyword - - name: name - type: keyword - - name: session - type: group - fields: - - name: id - type: keyword - - name: terminal_id - type: group - fields: - - name: addr - 
type: keyword - - name: port - type: long - - name: type - type: keyword - - name: texts - type: keyword -- name: log.source.address - type: keyword - description: Source address from which the log event was read / sent from. diff --git a/packages/jamf_compliance_reporter/0.2.1/data_stream/log/manifest.yml b/packages/jamf_compliance_reporter/0.2.1/data_stream/log/manifest.yml deleted file mode 100755 index f8449267b9..0000000000 --- a/packages/jamf_compliance_reporter/0.2.1/data_stream/log/manifest.yml +++ /dev/null 
@@ -1,142 +0,0 @@
-title: Jamf Compliance Reporter logs
-type: logs
-streams:
- - input: http_endpoint
- template_path: http_endpoint.yml.hbs
- title: Jamf Compliance Reporter logs
- description: Collect Jamf Compliance Reporter logs via HTTP Endpoint.
- vars:
- - name: listen_address
- type: text
- title: Listen Address
- description: The bind address to listen for http endpoint connections. Set to `0.0.0.0` to bind to all available interfaces.
- multi: false
- required: true
- show_user: true
- default: localhost
- - name: listen_port
- type: integer
- title: Listen Port
- description: The port number on which listener binds to.
- multi: false
- required: true
- show_user: true
- default: 9551
- - name: url
- type: text
- title: URL
- description: This options specific which URL path to accept requests on. Defaults to /.
- multi: false
- required: false
- show_user: false
- default: /
- - name: ssl
- type: yaml
- title: SSL Configuration
- description: i.e. certificate_authorities, supported_protocols, verification_mode etc.
- multi: false - required: false - show_user: false - default: | - #certificate_authorities: - # - | - # -----BEGIN CERTIFICATE----- - # MIIDCjCCAfKgAwIBAgITJ706Mu2wJlKckpIvkWxEHvEyijANBgkqhkiG9w0BAQsF - # ADAUMRIwEAYDVQQDDAlsb2NhbGhvc3QwIBcNMTkwNzIyMTkyOTA0WhgPMjExOTA2 - # MjgxOTI5MDRaMBQxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEB - # BQADggEPADCCAQoCggEBANce58Y/JykI58iyOXpxGfw0/gMvF0hUQAcUrSMxEO6n - # fZRA49b4OV4SwWmA3395uL2eB2NB8y8qdQ9muXUdPBWE4l9rMZ6gmfu90N5B5uEl - # 94NcfBfYOKi1fJQ9i7WKhTjlRkMCgBkWPkUokvBZFRt8RtF7zI77BSEorHGQCk9t - # /D7BS0GJyfVEhftbWcFEAG3VRcoMhF7kUzYwp+qESoriFRYLeDWv68ZOvG7eoWnP - # PsvZStEVEimjvK5NSESEQa9xWyJOmlOKXhkdymtcUd/nXnx6UTCFgnkgzSdTWV41 - # CI6B6aJ9svCTI2QuoIq2HxX/ix7OvW1huVmcyHVxyUECAwEAAaNTMFEwHQYDVR0O - # BBYEFPwN1OceFGm9v6ux8G+DZ3TUDYxqMB8GA1UdIwQYMBaAFPwN1OceFGm9v6ux - # 8G+DZ3TUDYxqMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAG5D - # 874A4YI7YUwOVsVAdbWtgp1d0zKcPRR+r2OdSbTAV5/gcS3jgBJ3i1BN34JuDVFw - # 3DeJSYT3nxy2Y56lLnxDeF8CUTUtVQx3CuGkRg1ouGAHpO/6OqOhwLLorEmxi7tA - # H2O8mtT0poX5AnOAhzVy7QW0D/k4WaoLyckM5hUa6RtvgvLxOwA0U+VGurCDoctu - # 8F4QOgTAWyh8EZIwaKCliFRSynDpv3JTUwtfZkxo6K6nce1RhCWFAsMvDZL8Dgc0 - # yvgJ38BRsFOtkRuAGSf6ZUwTO8JJRRIFnpUzXflAnGivK9M13D5GEQMmIl6U9Pvk - # sxSmbIUfc2SGJGCJD4I= - # -----END CERTIFICATE----- - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: false - default: - - forwarded - - jamf_compliance_reporter_log - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original`. - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: >- - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. 
See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
- - input: tcp
- template_path: tcp.yml.hbs
- title: Jamf Compliance Reporter logs
- description: Collect Jamf Compliance Reporter logs via TCP input.
- vars:
- - name: listen_address
- type: text
- title: Listen Address
- description: The bind address to listen for TCP connections. Set to `0.0.0.0` to bind to all available interfaces.
- multi: false
- required: true
- show_user: true
- default: localhost
- - name: listen_port
- type: integer
- title: Listen Port
- description: The TCP port number to listen on.
- multi: false
- required: true
- show_user: true
- default: 9552
- - name: ssl
- type: yaml
- title: SSL Configuration
- description: i.e. certificate, keys, supported_protocols, verification_mode etc. See [SSL](https://www.elastic.co/guide/en/beats/filebeat/current/configuration-ssl.html#ssl-server-config) for details.
- multi: false
- required: false
- show_user: false
- default: |
- #certificate: "/etc/server/cert.pem"
- #key: "/etc/server/key.pem"
- - name: tags
- type: text
- title: Tags
- multi: true
- required: true
- show_user: false
- default:
- - forwarded
- - jamf_compliance_reporter_log
- - name: preserve_original_event
- required: true
- show_user: true
- title: Preserve original event
- description: Preserves a raw copy of the original event, added to the field `event.original`.
- type: bool
- multi: false
- default: false
- - name: processors
- type: yaml
- title: Processors
- multi: false
- required: false
- show_user: false
- description: >-
- Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
diff --git a/packages/jamf_compliance_reporter/0.2.1/data_stream/log/sample_event.json b/packages/jamf_compliance_reporter/0.2.1/data_stream/log/sample_event.json
deleted file mode 100755
index 3cb55d3218..0000000000
--- a/packages/jamf_compliance_reporter/0.2.1/data_stream/log/sample_event.json
+++ /dev/null
@@ -1,133 +0,0 @@
-{
- "@timestamp": "2019-10-02T16:17:08.000Z",
- "agent": {
- "ephemeral_id": "248e5163-7fd7-4ec4-b24f-4fecc38a54e8",
- "hostname": "docker-fleet-agent",
- "id": "985a5119-d47f-4fe6-82fb-657252e78af0",
- "name": "docker-fleet-agent",
- "type": "filebeat",
- "version": "7.17.0"
- },
- "data_stream": {
- "dataset": "jamf_compliance_reporter.log",
- "namespace": "ep",
- "type": "logs"
- },
- "ecs": {
- "version": "8.2.0"
- },
- "elastic_agent": {
- "id": "985a5119-d47f-4fe6-82fb-657252e78af0",
- "snapshot": false,
- "version": "7.17.0"
- },
- "event": {
- "action": "preference_list_event",
- "agent_id_status": "verified",
- "category": [
- "process"
- ],
- "dataset": "jamf_compliance_reporter.log",
- "ingested": "2022-07-05T06:48:27Z",
- "kind": "event",
- "type": [
- "info"
- ]
- },
- "host": {
- "hostname": "macbook_pro",
- "id": "X03XX889XXX3",
- "mac": [
- "38-F9-E8-15-5A-82"
- ],
- "os": {
- "type": "macos",
- "version": "Version 10.14.6 (Build 18G95)"
- }
- },
- "input": {
- "type": "tcp"
- },
- "jamf_compliance_reporter": {
- "log": {
- "dataset": "event",
- "event_attributes": {
- "audit_event": {
- "excluded_processes": [
- "/usr/bin/log",
- "/usr/sbin/syslogd"
- ],
- "excluded_users": [
- "_spotlight",
- "_windowserver"
- ]
- },
- "audit_event_log_verbose_messages": "1",
- "audit_level": 3,
- "file_event": {
- "exclusion_paths": [
- "/Users/.*/Library/.*"
- ],
- "inclusion_paths": [
- "/Users/.*"
- ],
- "use_fuzzy_match": 0
- },
- "file_license_info": {
- "license_expiration_date": "2020-01-01T00:00:00.000Z",
- "license_key": "43cafc3da47e792939ea82c70...",
- "license_type": "Annual",
- "license_version": "1"
- },
- "log": {
- "file": {
- "location": "/var/log/JamfComplianceReporter.log",
- "max_number_backups": 10,
- "max_size_mega_bytes": 10,
- "ownership": "root:wheel",
- "permission": "640"
- },
- "remote_endpoint_enabled": 1,
- "remote_endpoint_type": "AWSKinesis",
- "remote_endpoint_type_awskinesis": {
- "access_key_id": "AKIAQFE...",
- "region": "us-east-1",
- "secret_key": "JAdcoRIo4zsPz...",
- "stream_name": "compliancereporter_testing"
- }
- },
- "unified_log_predicates": [
- "'(subsystem == \"com.example.networkstatistics\")'",
- "'(subsystem == \"com.apple.CryptoTokenKit\" AND category == \"AHP\")'"
- ],
- "version": "3.1b43"
- },
- "event_score": 0,
- "host_info": {
- "host": {
- "uuid": "3X6E4X3X-9285-4X7X-9X0X-X3X62XX379XX"
- }
- }
- }
- },
- "log": {
- "source": {
- "address": "172.27.0.5:39166"
- }
- },
- "related": {
- "hosts": [
- "macbook_pro"
- ],
- "user": [
- "dan@email.com"
- ]
- },
- "tags": [
- "forwarded",
- "jamf_compliance_reporter_log"
- ],
- "user": {
- "email": "dan@email.com"
- }
-}
\ No newline at end of file
diff --git a/packages/jamf_compliance_reporter/0.2.1/docs/README.md b/packages/jamf_compliance_reporter/0.2.1/docs/README.md
deleted file mode 100755
index 1bdc04b9e3..0000000000
--- a/packages/jamf_compliance_reporter/0.2.1/docs/README.md
+++ /dev/null
@@ -1,529 +0,0 @@
-# Jamf Compliance Reporter
-
-The Jamf Compliance Reporter integration collects and parses data received from [Jamf Compliance Reporter](https://docs.jamf.com/compliance-reporter/documentation/Compliance_Reporter_Overview.html) using a TLS or HTTP endpoint.
-
-Use the Jamf Compliance Reporter integration to collect logs from your machines.
-Then visualize that data in Kibana, create alerts to notify you if something goes wrong, and reference data when troubleshooting an issue.
-
-For example, if you wanted to monitor shell script commands performed by the root user, you could [configure Jamf to monitor those events](https://docs.jamf.com/compliance-reporter/documentation/Audit_Log_Levels_in_Compliance_Reporter.html) and then send them to Elastic for further investigation.
-
-## Data streams
-
-The Jamf Compliance Reporter integration collects one type of data stream: logs.
-
-**Logs** help you keep a record of events happening on computers using Jamf.
-The log data stream collected by the Jamf Compliance Reporter integration includes events that are related to security compliance requirements. See more details in the [Logs](#logs-reference).
-
-## Requirements
-
-You need Elasticsearch for storing and searching your data and Kibana for visualizing and managing it.
-You can use our hosted Elasticsearch Service on Elastic Cloud, which is recommended, or self-manage the Elastic Stack on your own hardware.
-
-Note: This package has been tested for Compliance Reporter against Jamf Pro version 10.39.0 and Jamf Compliance Reporter version 1.0.4.
-
-## Setup
-
-To use this integration, you will also need to:
-- Enable the integration in Elastic
-- Configure Jamf Compliance Reporter to send logs to the Elastic Agent
-
-### Enable the integration in Elastic
-
-For step-by-step instructions on how to set up an new integration in Elastic, see the
-[Getting started](https://www.elastic.co/guide/en/welcome-to-elastic/current/getting-started-observability.html) guide.
-When setting up the integration, you will choose to collect logs either via TLS or HTTP Endpoint.
-
-### Configure Jamf Compliance Reporter
-
-After validating settings, you can use a configuration profile in Jamf Pro to deploy certificates to endpoints in production.
-For more information on using configuration profiles in Jamf Pro, see [Creating a Configuration Profile](https://docs.jamf.com/compliance-reporter/documentation/Configuring_Compliance_Reporter_Properties_Using_Jamf_Pro.html).
-
-Then, follow _one_ of the below methods to collect logs from Jamf Compliance Reporter:
-
-**REST Endpoint Remote logging**:
-1. Read [Jamf's REST Endpoint Remote logging documentation](https://docs.jamf.com/compliance-reporter/documentation/REST_Endpoint_Remote_Logging.html).
-2. In your Jamf Configuration Profile, form the full URL with port using this format: `http[s]://{AGENT_ADDRESS}:{AGENT_PORT}/{URL}`.
-
-**TLS Remote Logging**:
-1. Read [Jamf's TLS Remote Logging documentation](https://docs.jamf.com/compliance-reporter/documentation/TLS_Remote_Logging.html).
-2. In your Jamf Configuration Profile, form the full URL with port using this format: `tls://{AGENT_ADDRESS}:{AGENT_PORT}`.
-
-**Configure the Jamf Compliance Reporter integration with REST Endpoint Remote logging for Rest Endpoint Input**:
-1. Enter values for "Listen Address", "Listen Port" and "URL" to form the endpoint URL. Make note of the **Endpoint URL** `http[s]://{AGENT_ADDRESS}:{AGENT_PORT}/{URL}`.
-
-**Configure the Jamf Compliance Reporter integration with TLS Remote Logging for TCP Input**:
-1. Enter values for "Listen Address" and "Listen Port" to form the TLS.
-
-## Logs reference
-
-### log
-
-- Default port for HTTP Endpoint: _9551_
-- Default port for TLS: _9552_
-
-This is the `log` data stream.
-
-An example event for `log` looks as following:
-
-```json
-{
- "@timestamp": "2019-10-02T16:17:08.000Z",
- "agent": {
- "ephemeral_id": "248e5163-7fd7-4ec4-b24f-4fecc38a54e8",
- "hostname": "docker-fleet-agent",
- "id": "985a5119-d47f-4fe6-82fb-657252e78af0",
- "name": "docker-fleet-agent",
- "type": "filebeat",
- "version": "7.17.0"
- },
- "data_stream": {
- "dataset": "jamf_compliance_reporter.log",
- "namespace": "ep",
- "type": "logs"
- },
- "ecs": {
- "version": "8.2.0"
- },
- "elastic_agent": {
- "id": "985a5119-d47f-4fe6-82fb-657252e78af0",
- "snapshot": false,
- "version": "7.17.0"
- },
- "event": {
- "action": "preference_list_event",
- "agent_id_status": "verified",
- "category": [
- "process"
- ],
- "dataset": "jamf_compliance_reporter.log",
- "ingested": "2022-07-05T06:48:27Z",
- "kind": "event",
- "type": [
- "info"
- ]
- },
- "host": {
- "hostname": "macbook_pro",
- "id": "X03XX889XXX3",
- "mac": [
- "38-F9-E8-15-5A-82"
- ],
- "os": {
- "type": "macos",
- "version": "Version 10.14.6 (Build 18G95)"
- }
- },
- "input": {
- "type": "tcp"
- },
- "jamf_compliance_reporter": {
- "log": {
- "dataset": "event",
- "event_attributes": {
- "audit_event": {
- "excluded_processes": [
- "/usr/bin/log",
- "/usr/sbin/syslogd"
- ],
- "excluded_users": [
- "_spotlight",
- "_windowserver"
- ]
- },
- "audit_event_log_verbose_messages": "1",
- "audit_level": 3,
- "file_event": {
- "exclusion_paths": [
- "/Users/.*/Library/.*"
- ],
- "inclusion_paths": [
- "/Users/.*"
- ],
- "use_fuzzy_match": 0
- },
- "file_license_info": {
- "license_expiration_date": "2020-01-01T00:00:00.000Z",
- "license_key": "43cafc3da47e792939ea82c70...",
- "license_type": "Annual",
- "license_version": "1"
- },
- "log": {
- "file": {
- "location": "/var/log/JamfComplianceReporter.log",
- "max_number_backups": 10,
- "max_size_mega_bytes": 10,
- "ownership": "root:wheel",
- "permission": "640"
- },
- "remote_endpoint_enabled": 1,
- "remote_endpoint_type": "AWSKinesis",
- "remote_endpoint_type_awskinesis": {
- "access_key_id": "AKIAQFE...",
- "region": "us-east-1",
- "secret_key": "JAdcoRIo4zsPz...",
- "stream_name": "compliancereporter_testing"
- }
- },
- "unified_log_predicates": [
- "'(subsystem == \"com.example.networkstatistics\")'",
- "'(subsystem == \"com.apple.CryptoTokenKit\" AND category == \"AHP\")'"
- ],
- "version": "3.1b43"
- },
- "event_score": 0,
- "host_info": {
- "host": {
- "uuid": "3X6E4X3X-9285-4X7X-9X0X-X3X62XX379XX"
- }
- }
- }
- },
- "log": {
- "source": {
- "address": "172.27.0.5:39166"
- }
- },
- "related": {
- "hosts": [
- "macbook_pro"
- ],
- "user": [
- "dan@email.com"
- ]
- },
- "tags": [
- "forwarded",
- "jamf_compliance_reporter_log"
- ],
- "user": {
- "email": "dan@email.com"
- }
-}
-```
-
-**Exported fields**
-
-| Field | Description | Type |
-|---|---|---|
-| @timestamp | Event timestamp. | date |
-| cloud.account.id | The cloud account or organization ID used to identify different entities in a multi-tenant environment. Examples: AWS account ID, Google Cloud ORG ID, or other unique identifier. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
-| container.id | Unique container ID. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
-| data_stream.dataset | Data stream dataset. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| error.code | Error code describing the error. | keyword |
-| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword |
-| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword |
-| event.code | Identification code for this event, if one exists. Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. | keyword |
-| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date |
-| event.dataset | Name of the dataset. | constant_keyword |
-| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword |
-| event.module | Event module. | constant_keyword |
-| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword |
-| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword |
-| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword |
-| file.hash.sha1 | SHA1 hash. | keyword |
-| file.path | Full path to the file, including the file name. It should include the drive letter, when appropriate. | keyword |
-| file.path.text | Multi-field of `file.path`. | match_only_text |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host ID. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host IP addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.type | Use the `os.type` field to categorize the operating system into one of the broad commercial families. If the OS you're dealing with is not listed as an expected value, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| input.type | Input type | keyword |
-| jamf_compliance_reporter.log.app_metric_info.cpu_percentage | | double |
-| jamf_compliance_reporter.log.app_metric_info.cpu_time_seconds | | double |
-| jamf_compliance_reporter.log.app_metric_info.interrupt_wakeups | | long |
-| jamf_compliance_reporter.log.app_metric_info.platform_idle_wakeups | | long |
-| jamf_compliance_reporter.log.app_metric_info.resident_memory_size.mb | | double |
-| jamf_compliance_reporter.log.app_metric_info.virtual_memory_size.mb | | double |
-| jamf_compliance_reporter.log.arguments.addr | | keyword |
-| jamf_compliance_reporter.log.arguments.am_failure | | keyword |
-| jamf_compliance_reporter.log.arguments.am_success | | keyword |
-| jamf_compliance_reporter.log.arguments.authenticated | | flattened |
-| jamf_compliance_reporter.log.arguments.child.pid | | long |
-| jamf_compliance_reporter.log.arguments.data | | keyword |
-| jamf_compliance_reporter.log.arguments.detail | | keyword |
-| jamf_compliance_reporter.log.arguments.domain | | keyword |
-| jamf_compliance_reporter.log.arguments.fd | | keyword |
-| jamf_compliance_reporter.log.arguments.flags | | keyword |
-| jamf_compliance_reporter.log.arguments.flattened | | flattened |
-| jamf_compliance_reporter.log.arguments.known_uid | | keyword |
-| jamf_compliance_reporter.log.arguments.pid | | long |
-| jamf_compliance_reporter.log.arguments.port | | long |
-| jamf_compliance_reporter.log.arguments.priority | | long |
-| jamf_compliance_reporter.log.arguments.process | | keyword |
-| jamf_compliance_reporter.log.arguments.protocol | | keyword |
-| jamf_compliance_reporter.log.arguments.request | | keyword |
-| jamf_compliance_reporter.log.arguments.sflags | | keyword |
-| jamf_compliance_reporter.log.arguments.signal | | keyword |
-| jamf_compliance_reporter.log.arguments.target.port | | long |
-| jamf_compliance_reporter.log.arguments.task.port | | long |
-| jamf_compliance_reporter.log.arguments.type | | keyword |
-| jamf_compliance_reporter.log.arguments.which | | keyword |
-| jamf_compliance_reporter.log.arguments.who | | keyword |
-| jamf_compliance_reporter.log.attributes.device | | keyword |
-| jamf_compliance_reporter.log.attributes.file.access_mode | | keyword |
-| jamf_compliance_reporter.log.attributes.file.system.id | | keyword |
-| jamf_compliance_reporter.log.attributes.node.id | | keyword |
-| jamf_compliance_reporter.log.attributes.owner.group.id | | keyword |
-| jamf_compliance_reporter.log.attributes.owner.group.name | | keyword |
-| jamf_compliance_reporter.log.audio_video_device_info.audio_device.creator | | keyword |
-| jamf_compliance_reporter.log.audio_video_device_info.audio_device.hog_mode | | keyword |
-| jamf_compliance_reporter.log.audio_video_device_info.audio_device.id | | keyword |
-| jamf_compliance_reporter.log.audio_video_device_info.audio_device.manufacturer | | keyword |
-| jamf_compliance_reporter.log.audio_video_device_info.audio_device.running | | long |
-| jamf_compliance_reporter.log.audio_video_device_info.audio_device.uuid | | keyword |
-| jamf_compliance_reporter.log.audio_video_device_info.device_status | | keyword |
-| jamf_compliance_reporter.log.audit_class_verification_info.contents | | text |
-| jamf_compliance_reporter.log.audit_class_verification_info.os.version | | keyword |
-| jamf_compliance_reporter.log.audit_class_verification_info.restored_default | | boolean |
-| jamf_compliance_reporter.log.audit_class_verification_info.status | | keyword |
-| jamf_compliance_reporter.log.audit_class_verification_info.status_str | | keyword |
-| jamf_compliance_reporter.log.compliancereporter_license_info.expiration_date | | date |
-| jamf_compliance_reporter.log.compliancereporter_license_info.status | | keyword |
-| jamf_compliance_reporter.log.compliancereporter_license_info.time | | date |
-| jamf_compliance_reporter.log.compliancereporter_license_info.type | | keyword |
-| jamf_compliance_reporter.log.compliancereporter_license_info.version | | keyword |
-| jamf_compliance_reporter.log.dataset | | keyword |
-| jamf_compliance_reporter.log.event_attributes.activity_identifier | | keyword |
-| jamf_compliance_reporter.log.event_attributes.assessments_enabled | | long |
-| jamf_compliance_reporter.log.event_attributes.attributes.ctime | | date |
-| jamf_compliance_reporter.log.event_attributes.attributes.mtime | | date |
-| jamf_compliance_reporter.log.event_attributes.attributes.path | | keyword |
-| jamf_compliance_reporter.log.event_attributes.attributes.quarantine.agent_bundle_identifier | | keyword |
-| jamf_compliance_reporter.log.event_attributes.attributes.quarantine.agent_name | | keyword |
-| jamf_compliance_reporter.log.event_attributes.attributes.quarantine.data_url_string | | keyword |
-| jamf_compliance_reporter.log.event_attributes.attributes.quarantine.event_identifier | | keyword |
-| jamf_compliance_reporter.log.event_attributes.attributes.quarantine.origin_url_string | | keyword |
-| jamf_compliance_reporter.log.event_attributes.attributes.quarantine.timestamp | | date |
-| jamf_compliance_reporter.log.event_attributes.attributes.requirement | | keyword |
-| jamf_compliance_reporter.log.event_attributes.audit_event.excluded_processes | | keyword |
-| jamf_compliance_reporter.log.event_attributes.audit_event.excluded_users | | keyword |
-| jamf_compliance_reporter.log.event_attributes.audit_event_log_verbose_messages | | keyword |
-| jamf_compliance_reporter.log.event_attributes.audit_level | | long |
-| jamf_compliance_reporter.log.event_attributes.backtrace.frames.image_offset | | long |
-| jamf_compliance_reporter.log.event_attributes.backtrace.frames.image_uuid | | keyword |
-| jamf_compliance_reporter.log.event_attributes.build_alias_of | | keyword |
-| jamf_compliance_reporter.log.event_attributes.build_version | | keyword |
-| jamf_compliance_reporter.log.event_attributes.category | | keyword |
-| jamf_compliance_reporter.log.event_attributes.cf_bundle_short_version_string | | keyword |
-| jamf_compliance_reporter.log.event_attributes.cf_bundle_version | | keyword |
-| jamf_compliance_reporter.log.event_attributes.dev_id_enabled | | long |
-| jamf_compliance_reporter.log.event_attributes.event.message | | keyword |
-| jamf_compliance_reporter.log.event_attributes.event.type | | keyword |
-| jamf_compliance_reporter.log.event_attributes.file_event.exclusion_paths | | keyword |
-| jamf_compliance_reporter.log.event_attributes.file_event.inclusion_paths | | keyword |
-| jamf_compliance_reporter.log.event_attributes.file_event.use_fuzzy_match | | long |
-| jamf_compliance_reporter.log.event_attributes.file_license_info.license_expiration_date | | date |
-| jamf_compliance_reporter.log.event_attributes.file_license_info.license_key | | keyword |
-| jamf_compliance_reporter.log.event_attributes.file_license_info.license_type | | keyword |
-| jamf_compliance_reporter.log.event_attributes.file_license_info.license_version | | keyword |
-| jamf_compliance_reporter.log.event_attributes.format_string | | keyword |
-| jamf_compliance_reporter.log.event_attributes.job.completed_time | | date |
-| jamf_compliance_reporter.log.event_attributes.job.creation_time | | date |
-| jamf_compliance_reporter.log.event_attributes.job.destination | | keyword |
-| jamf_compliance_reporter.log.event_attributes.job.format | | keyword |
-| jamf_compliance_reporter.log.event_attributes.job.id | | keyword |
-| jamf_compliance_reporter.log.event_attributes.job.processing_time | | date |
-| jamf_compliance_reporter.log.event_attributes.job.size | | keyword |
-| jamf_compliance_reporter.log.event_attributes.job.state | | keyword |
-| jamf_compliance_reporter.log.event_attributes.job.title | | keyword |
-| jamf_compliance_reporter.log.event_attributes.job.user | | keyword |
-| jamf_compliance_reporter.log.event_attributes.log.file.location | | keyword |
-| jamf_compliance_reporter.log.event_attributes.log.file.max_number_backups | | long |
-| jamf_compliance_reporter.log.event_attributes.log.file.max_size_mega_bytes | | long |
-| jamf_compliance_reporter.log.event_attributes.log.file.ownership | | keyword |
-| jamf_compliance_reporter.log.event_attributes.log.file.permission | | keyword |
-| jamf_compliance_reporter.log.event_attributes.log.remote_endpoint_enabled | | long |
-| jamf_compliance_reporter.log.event_attributes.log.remote_endpoint_type | | keyword |
-| jamf_compliance_reporter.log.event_attributes.log.remote_endpoint_type_awskinesis.access_key_id | | keyword |
-| jamf_compliance_reporter.log.event_attributes.log.remote_endpoint_type_awskinesis.region | | keyword |
-| jamf_compliance_reporter.log.event_attributes.log.remote_endpoint_type_awskinesis.secret_key | | keyword |
-| jamf_compliance_reporter.log.event_attributes.log.remote_endpoint_type_awskinesis.stream_name | | keyword |
-| jamf_compliance_reporter.log.event_attributes.log.remote_endpoint_url | | keyword |
-| jamf_compliance_reporter.log.event_attributes.mach_timestamp | | keyword |
-| jamf_compliance_reporter.log.event_attributes.opaque_version | | keyword |
-| jamf_compliance_reporter.log.event_attributes.parent_activity_identifier | | keyword |
-| jamf_compliance_reporter.log.event_attributes.path | | keyword |
-| jamf_compliance_reporter.log.event_attributes.process.id | | long |
-| jamf_compliance_reporter.log.event_attributes.process.image.path | | keyword |
-| jamf_compliance_reporter.log.event_attributes.process.image.uuid | | keyword |
-| jamf_compliance_reporter.log.event_attributes.project_name | | keyword |
-| jamf_compliance_reporter.log.event_attributes.sender.id | | long |
-| jamf_compliance_reporter.log.event_attributes.sender.image.path | | keyword |
-| jamf_compliance_reporter.log.event_attributes.sender.image.uuid | | keyword |
-| jamf_compliance_reporter.log.event_attributes.sender.program_counter | | long |
-| jamf_compliance_reporter.log.event_attributes.source | | keyword |
-| jamf_compliance_reporter.log.event_attributes.source_version | | keyword |
-| jamf_compliance_reporter.log.event_attributes.subsystem | | keyword |
-| jamf_compliance_reporter.log.event_attributes.thread_id | | keyword |
-| jamf_compliance_reporter.log.event_attributes.timestamp | | date |
-| jamf_compliance_reporter.log.event_attributes.timezone_name | | keyword |
-| jamf_compliance_reporter.log.event_attributes.trace_id | | keyword |
-| jamf_compliance_reporter.log.event_attributes.unified_log_predicates | | keyword |
-| jamf_compliance_reporter.log.event_attributes.version | | keyword |
-| jamf_compliance_reporter.log.event_score | | long |
-| jamf_compliance_reporter.log.exec_args.args | | flattened |
-| jamf_compliance_reporter.log.exec_args.args_compiled | | keyword |
-| jamf_compliance_reporter.log.exec_chain_child.parent.path | | text |
-| jamf_compliance_reporter.log.exec_chain_child.parent.uuid | | keyword |
-| jamf_compliance_reporter.log.exec_chain_parent.uuid | | keyword |
-| jamf_compliance_reporter.log.exec_env.env.arch | | keyword |
-| jamf_compliance_reporter.log.exec_env.env.compiled | | keyword |
-| jamf_compliance_reporter.log.exec_env.env.malwarebytes_group | | keyword |
-| jamf_compliance_reporter.log.exec_env.env.path | | text |
-| jamf_compliance_reporter.log.exec_env.env.shell | | keyword |
-| jamf_compliance_reporter.log.exec_env.env.ssh_auth_sock | | keyword |
-| jamf_compliance_reporter.log.exec_env.env.tmpdir | | keyword |
-| jamf_compliance_reporter.log.exec_env.env.xpc.flags | | keyword |
-| jamf_compliance_reporter.log.exec_env.env.xpc.service_name | | keyword |
-| jamf_compliance_reporter.log.exec_env.env_compiled | | keyword |
-| jamf_compliance_reporter.log.exit.return.value | | long |
-| jamf_compliance_reporter.log.exit.status | | keyword |
-| jamf_compliance_reporter.log.file_event_info.eventid_wrapped | | boolean |
-| jamf_compliance_reporter.log.file_event_info.history_done | | boolean |
-| jamf_compliance_reporter.log.file_event_info.item.change_owner | | boolean |
-| jamf_compliance_reporter.log.file_event_info.item.cloned | | boolean |
-| jamf_compliance_reporter.log.file_event_info.item.created | | boolean |
-| jamf_compliance_reporter.log.file_event_info.item.extended_attribute_modified | | boolean |
-| jamf_compliance_reporter.log.file_event_info.item.finder_info_modified | | boolean |
-| jamf_compliance_reporter.log.file_event_info.item.inode_metadata_modified | | boolean |
-| jamf_compliance_reporter.log.file_event_info.item.is_directory | | boolean |
-| jamf_compliance_reporter.log.file_event_info.item.is_file | | boolean |
-| jamf_compliance_reporter.log.file_event_info.item.is_hard_link | | boolean |
-| jamf_compliance_reporter.log.file_event_info.item.is_last_hard_link | | boolean |
-| jamf_compliance_reporter.log.file_event_info.item.is_sym_link | | boolean |
-| jamf_compliance_reporter.log.file_event_info.item.removed | | boolean |
-| jamf_compliance_reporter.log.file_event_info.item.renamed | | boolean |
-| jamf_compliance_reporter.log.file_event_info.item.updated | | boolean |
-| jamf_compliance_reporter.log.file_event_info.kernel_dropped | | boolean |
-| jamf_compliance_reporter.log.file_event_info.mount | | boolean |
-| jamf_compliance_reporter.log.file_event_info.must_scan_sub_dir | | boolean |
-| jamf_compliance_reporter.log.file_event_info.none | | boolean |
-| jamf_compliance_reporter.log.file_event_info.own_event | | boolean |
-| jamf_compliance_reporter.log.file_event_info.root_changed | | boolean |
-| jamf_compliance_reporter.log.file_event_info.unmount | | boolean |
-| jamf_compliance_reporter.log.file_event_info.user_dropped | | boolean |
-| jamf_compliance_reporter.log.hardware_event_info.device.class | | keyword |
-| jamf_compliance_reporter.log.hardware_event_info.device.name | | keyword |
-| jamf_compliance_reporter.log.hardware_event_info.device.status | | keyword |
-| jamf_compliance_reporter.log.hardware_event_info.device_attributes.io.cf_plugin_types | | flattened |
-| jamf_compliance_reporter.log.hardware_event_info.device_attributes.io.class_name_override | | keyword |
-| jamf_compliance_reporter.log.hardware_event_info.device_attributes.io.power_management.capability_flags | | keyword |
-| jamf_compliance_reporter.log.hardware_event_info.device_attributes.io.power_management.current_power_state | | long |
-| jamf_compliance_reporter.log.hardware_event_info.device_attributes.io.power_management.device_power_state | | long |
-| jamf_compliance_reporter.log.hardware_event_info.device_attributes.io.power_management.driver_power_state | | long |
-| jamf_compliance_reporter.log.hardware_event_info.device_attributes.io.power_management.max_power_state | | long |
-| jamf_compliance_reporter.log.hardware_event_info.device_attributes.iserial_number | | long |
-| jamf_compliance_reporter.log.hardware_event_info.device_attributes.removable | | keyword |
-| jamf_compliance_reporter.log.hardware_event_info.device_attributes.usb.product_name | | keyword |
-| jamf_compliance_reporter.log.hardware_event_info.device_attributes.usb.vendor_name | | keyword |
-| jamf_compliance_reporter.log.header.action | | keyword |
-| jamf_compliance_reporter.log.header.event_modifier | | keyword |
-| jamf_compliance_reporter.log.header.time_milliseconds_offset | | long |
-| jamf_compliance_reporter.log.header.version | | keyword |
-| jamf_compliance_reporter.log.host_info.host.uuid | | keyword |
-| jamf_compliance_reporter.log.identity.cd_hash | | keyword |
-| jamf_compliance_reporter.log.identity.signer.id | | keyword |
-| jamf_compliance_reporter.log.identity.signer.id_truncated | | keyword |
-| jamf_compliance_reporter.log.identity.signer.type | | keyword |
-| jamf_compliance_reporter.log.identity.team.id | | keyword |
-| jamf_compliance_reporter.log.identity.team.id_truncated | | keyword |
-| jamf_compliance_reporter.log.path | | keyword |
-| jamf_compliance_reporter.log.process.effective.group.id | | keyword |
-| jamf_compliance_reporter.log.process.effective.group.name | | keyword |
-| jamf_compliance_reporter.log.process.effective.user.id | | keyword |
-| jamf_compliance_reporter.log.process.effective.user.name | | keyword |
-| jamf_compliance_reporter.log.process.group.id | | keyword |
-| jamf_compliance_reporter.log.process.group.name | | keyword |
-| jamf_compliance_reporter.log.process.name | | keyword |
-| jamf_compliance_reporter.log.process.pid | | long |
-| jamf_compliance_reporter.log.process.session.id | | keyword |
-| jamf_compliance_reporter.log.process.terminal_id.addr | | keyword |
-| jamf_compliance_reporter.log.process.terminal_id.ip_address | | ip |
-| jamf_compliance_reporter.log.process.terminal_id.port | | long |
-| jamf_compliance_reporter.log.process.terminal_id.type | | keyword |
-| jamf_compliance_reporter.log.process.user.id | | keyword |
-| jamf_compliance_reporter.log.process.user.name | | keyword |
-| jamf_compliance_reporter.log.return.description | | keyword |
-| jamf_compliance_reporter.log.signal_event_info.signal | | long |
-| jamf_compliance_reporter.log.socket.inet.addr | | keyword |
-| jamf_compliance_reporter.log.socket.inet.family | | keyword |
-| jamf_compliance_reporter.log.socket.inet.id | | keyword |
-| jamf_compliance_reporter.log.socket.unix.family | | keyword |
-| jamf_compliance_reporter.log.socket.unix.path | | text |
-| jamf_compliance_reporter.log.subject.audit.id | | keyword |
-| jamf_compliance_reporter.log.subject.audit.user.name | | keyword |
-| jamf_compliance_reporter.log.subject.effective.group.id | | keyword |
-| jamf_compliance_reporter.log.subject.effective.group.name | | keyword |
-| jamf_compliance_reporter.log.subject.effective.user.id | | keyword |
-| jamf_compliance_reporter.log.subject.effective.user.name | | keyword |
-| jamf_compliance_reporter.log.subject.process.name | | keyword |
-| jamf_compliance_reporter.log.subject.process.pid | | long |
-| jamf_compliance_reporter.log.subject.responsible.process.id | | keyword |
-| jamf_compliance_reporter.log.subject.responsible.process.name | | keyword |
-| jamf_compliance_reporter.log.subject.session.id | | keyword |
-| jamf_compliance_reporter.log.subject.terminal_id.addr | | keyword |
-| jamf_compliance_reporter.log.subject.terminal_id.port | | long |
-| jamf_compliance_reporter.log.subject.terminal_id.type | | keyword |
-| jamf_compliance_reporter.log.texts | | keyword |
-| log.offset | Log offset | long |
-| log.source.address | Source address from which the log event was read / sent from. | keyword |
-| process.args | Array of process arguments, starting with the absolute path to the executable. May be filtered to protect sensitive information. | keyword |
-| process.exit_code | The exit code of the process, if this is a termination event. The field should be absent if there is no exit code for the event (e.g. process start). | long |
-| process.hash.sha1 | SHA1 hash. | keyword |
-| process.name | Process name. Sometimes called program name or similar. | keyword |
-| process.name.text | Multi-field of `process.name`. | match_only_text |
-| process.parent.pid | Process id. | long |
-| process.pid | Process id. | long |
-| process.real_group.id | Unique identifier for the group on the system/platform. | keyword |
-| process.real_group.name | Name of the group. | keyword |
-| process.real_user.id | Unique identifier of the user. | keyword |
-| process.real_user.name | Short name or login of the user. | keyword |
-| process.real_user.name.text | Multi-field of `process.real_user.name`. | match_only_text |
-| process.user.id | Unique identifier of the user. | keyword |
-| process.user.name | Short name or login of the user. | keyword |
-| process.user.name.text | Multi-field of `process.user.name`. | match_only_text |
-| related.hash | All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). | keyword |
-| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword |
-| related.ip | All of the IPs seen on your event. | ip |
-| related.user | All the user names or other user identifiers seen on the event. | keyword |
-| server.ip | IP address of the server (IPv4 or IPv6). | ip |
-| server.port | Port of the server. | long |
-| tags | List of keywords used to tag each event. | keyword |
-| user.effective.id | Unique identifier of the user. | keyword |
-| user.effective.name | Short name or login of the user. | keyword |
-| user.effective.name.text | Multi-field of `user.effective.name`. | match_only_text |
-| user.email | User email address. | keyword |
-| user.group.id | Unique identifier for the group on the system/platform. | keyword |
-| user.group.name | Name of the group. | keyword |
-| user.id | Unique identifier of the user. | keyword |
-| user.name | Short name or login of the user. | keyword |
-| user.name.text | Multi-field of `user.name`. | match_only_text |
-
diff --git a/packages/jamf_compliance_reporter/0.2.1/img/jamf-compliance-reporter-logo.svg b/packages/jamf_compliance_reporter/0.2.1/img/jamf-compliance-reporter-logo.svg
deleted file mode 100755
index 31b8cc74cc..0000000000
--- a/packages/jamf_compliance_reporter/0.2.1/img/jamf-compliance-reporter-logo.svg
+++ /dev/null
@@ -1,564 +0,0 @@
- - - - 
diff --git a/packages/jamf_compliance_reporter/0.2.1/img/jamf-compliance-reporter-screenshot.png b/packages/jamf_compliance_reporter/0.2.1/img/jamf-compliance-reporter-screenshot.png
deleted file mode 100755
index 522cc01e46..0000000000
Binary files a/packages/jamf_compliance_reporter/0.2.1/img/jamf-compliance-reporter-screenshot.png and /dev/null differ
diff --git a/packages/jamf_compliance_reporter/0.2.1/kibana/dashboard/jamf_compliance_reporter-8351fc80-b58c-11ec-a813-df29637f29df.json b/packages/jamf_compliance_reporter/0.2.1/kibana/dashboard/jamf_compliance_reporter-8351fc80-b58c-11ec-a813-df29637f29df.json
deleted file mode 100755
index 5516488b63..0000000000
--- a/packages/jamf_compliance_reporter/0.2.1/kibana/dashboard/jamf_compliance_reporter-8351fc80-b58c-11ec-a813-df29637f29df.json
+++ /dev/null
@@ -1,102 +0,0 @@ -{ - "attributes": { - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"jamf_compliance_reporter.log\\\" and jamf_compliance_reporter.log.dataset : \\\"audit\\\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"attributes\":{\"description\":null,\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-75d7a5a3-51eb-4651-919f-aa2e631f733a\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"75d7a5a3-51eb-4651-919f-aa2e631f733a\":{\"columnOrder\":[\"75ac55c5-4754-4e59-8a57-2a468d8071ab\",\"a4e53fa9-7ec8-4af9-816c-33b1cb90bb0f\"],\"columns\":{\"75ac55c5-4754-4e59-8a57-2a468d8071ab\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Return Description\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"a4e53fa9-7ec8-4af9-816c-33b1cb90bb0f\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"event.outcome\"},\"a4e53fa9-7ec8-4af9-816c-33b1cb90bb0f\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"jamf_compliance_reporter.log\\\" and jamf_compliance_reporter.log.dataset : 
\\\"audit\\\"\"},\"visualization\":{\"axisTitlesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"fittingFunction\":\"None\",\"gridlinesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"layers\":[{\"accessors\":[\"a4e53fa9-7ec8-4af9-816c-33b1cb90bb0f\"],\"layerId\":\"75d7a5a3-51eb-4651-919f-aa2e631f733a\",\"layerType\":\"data\",\"position\":\"top\",\"seriesType\":\"bar\",\"showGridlines\":false,\"xAccessor\":\"75ac55c5-4754-4e59-8a57-2a468d8071ab\"}],\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"preferredSeriesType\":\"bar\",\"tickLabelsVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"valueLabels\":\"hide\",\"yLeftExtent\":{\"mode\":\"full\"},\"yRightExtent\":{\"mode\":\"full\"}}},\"title\":\"Distribution of Audit Events by Return Description [Logs Jamf Compliance Reporter]\",\"type\":\"lens\",\"visualizationType\":\"lnsXY\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"31b29984-3ac9-42a8-a953-a9d3bd62ac7e\",\"w\":24,\"x\":0,\"y\":0},\"panelIndex\":\"31b29984-3ac9-42a8-a953-a9d3bd62ac7e\",\"title\":\"Distribution of Audit Events by Return Description [Logs Jamf Compliance Reporter]\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"description\":\"\",\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-a9476fe9-d7bc-4cf9-9974-39a2c4602cfd\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"a9476fe9-d7bc-4cf9-9974-39a2c4602cfd\":{\"columnOrder\":[\"7d2929e4-764e-45a0-8242-966ca8499b94\",\"9fa49f57-f6e3-4c76-b37b-1bc5d6bc72f8\"],\"columns\":{\"7d2929e4-764e-45a0-8242-966ca8499b94\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"OS 
Version\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"9fa49f57-f6e3-4c76-b37b-1bc5d6bc72f8\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"host.os.version\"},\"9fa49f57-f6e3-4c76-b37b-1bc5d6bc72f8\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"jamf_compliance_reporter.log\\\" and jamf_compliance_reporter.log.dataset : \\\"audit\\\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"7d2929e4-764e-45a0-8242-966ca8499b94\"],\"layerId\":\"a9476fe9-d7bc-4cf9-9974-39a2c4602cfd\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"9fa49f57-f6e3-4c76-b37b-1bc5d6bc72f8\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"pie\"}},\"title\":\"Distribution of Audit Events by Host OS Version [Logs Jamf Compliance Reporter]\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"e4990652-7cd9-495d-abef-683a370b7c76\",\"w\":24,\"x\":24,\"y\":0},\"panelIndex\":\"e4990652-7cd9-495d-abef-683a370b7c76\",\"title\":\"Distribution of Audit Events by Host OS Version [Logs Jamf Compliance 
Reporter]\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"description\":null,\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-21b86cfe-db52-415d-82ed-c8b87d2224ee\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"21b86cfe-db52-415d-82ed-c8b87d2224ee\":{\"columnOrder\":[\"9895c632-98d6-46e0-8925-c6abf0275b92\",\"fdab9592-e2b7-43a4-a25f-9276f145d710\"],\"columns\":{\"9895c632-98d6-46e0-8925-c6abf0275b92\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Host Name\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"fdab9592-e2b7-43a4-a25f-9276f145d710\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"host.hostname\"},\"fdab9592-e2b7-43a4-a25f-9276f145d710\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"jamf_compliance_reporter.log\\\" and jamf_compliance_reporter.log.dataset : \\\"audit\\\"\"},\"visualization\":{\"columns\":[{\"columnId\":\"9895c632-98d6-46e0-8925-c6abf0275b92\",\"isTransposed\":false},{\"columnId\":\"fdab9592-e2b7-43a4-a25f-9276f145d710\",\"isTransposed\":false}],\"layerId\":\"21b86cfe-db52-415d-82ed-c8b87d2224ee\",\"layerType\":\"data\"}},\"title\":\"Top 10 Host Name [Logs Jamf Compliance 
Reporter]\",\"type\":\"lens\",\"visualizationType\":\"lnsDatatable\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"413d94dd-512a-46cc-b635-38f52627cd67\",\"w\":24,\"x\":0,\"y\":15},\"panelIndex\":\"413d94dd-512a-46cc-b635-38f52627cd67\",\"title\":\"Top 10 Host Name [Logs Jamf Compliance Reporter]\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"description\":\"\",\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-602a9bc7-89cd-42de-91ef-3ae97c4d8c47\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"602a9bc7-89cd-42de-91ef-3ae97c4d8c47\":{\"columnOrder\":[\"1ecde91a-d905-4e8e-827f-a41af5b2e675\",\"baa8de65-deac-4cf8-99e8-470b82de1c19\"],\"columns\":{\"1ecde91a-d905-4e8e-827f-a41af5b2e675\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Event Name\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"baa8de65-deac-4cf8-99e8-470b82de1c19\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"event.action\"},\"baa8de65-deac-4cf8-99e8-470b82de1c19\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"jamf_compliance_reporter.log\\\" and jamf_compliance_reporter.log.dataset : 
\\\"audit\\\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"1ecde91a-d905-4e8e-827f-a41af5b2e675\"],\"layerId\":\"602a9bc7-89cd-42de-91ef-3ae97c4d8c47\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"baa8de65-deac-4cf8-99e8-470b82de1c19\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"pie\"}},\"title\":\"Distribution of Audit Events by Event Name [Logs Jamf Compliance Reporter]\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"3519cad4-7e76-4459-b44d-80623cabbcfb\",\"w\":24,\"x\":24,\"y\":15},\"panelIndex\":\"3519cad4-7e76-4459-b44d-80623cabbcfb\",\"title\":\"Distribution of Audit Events by Event Name [Logs Jamf Compliance Reporter]\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"description\":null,\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-0ac4d2d0-01d2-41ec-a398-f70992b9cdc5\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"0ac4d2d0-01d2-41ec-a398-f70992b9cdc5\":{\"columnOrder\":[\"44ed01c4-ebd8-4de7-9c6d-28c6bb7df5bb\",\"084ddf4f-db79-4ef2-be4c-78b11d1e4080\"],\"columns\":{\"084ddf4f-db79-4ef2-be4c-78b11d1e4080\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"44ed01c4-ebd8-4de7-9c6d-28c6bb7df5bb\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Group 
Name\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"084ddf4f-db79-4ef2-be4c-78b11d1e4080\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"user.group.name\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"jamf_compliance_reporter.log\\\" and jamf_compliance_reporter.log.dataset : \\\"audit\\\"\"},\"visualization\":{\"columns\":[{\"columnId\":\"44ed01c4-ebd8-4de7-9c6d-28c6bb7df5bb\"},{\"columnId\":\"084ddf4f-db79-4ef2-be4c-78b11d1e4080\"}],\"layerId\":\"0ac4d2d0-01d2-41ec-a398-f70992b9cdc5\",\"layerType\":\"data\"}},\"title\":\"Top 10 Group Name [Logs Jamf Compliance Reporter]\",\"type\":\"lens\",\"visualizationType\":\"lnsDatatable\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"186d3b1c-415b-43d7-9ad7-21238d2b07ef\",\"w\":24,\"x\":0,\"y\":30},\"panelIndex\":\"186d3b1c-415b-43d7-9ad7-21238d2b07ef\",\"title\":\"Top 10 Group Name [Logs Jamf Compliance Reporter]\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"description\":null,\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-3ecddbbb-2392-457a-ab8f-965a26f154db\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"3ecddbbb-2392-457a-ab8f-965a26f154db\":{\"columnOrder\":[\"1c55f9dd-2cfc-448e-a8e8-f97636dd50d5\",\"c84292dd-ae53-4acd-8f45-5611d8a60658\"],\"columns\":{\"1c55f9dd-2cfc-448e-a8e8-f97636dd50d5\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"User 
Name\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"c84292dd-ae53-4acd-8f45-5611d8a60658\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"user.name\"},\"c84292dd-ae53-4acd-8f45-5611d8a60658\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"jamf_compliance_reporter.log\\\" and jamf_compliance_reporter.log.dataset : \\\"audit\\\"\"},\"visualization\":{\"columns\":[{\"columnId\":\"1c55f9dd-2cfc-448e-a8e8-f97636dd50d5\"},{\"columnId\":\"c84292dd-ae53-4acd-8f45-5611d8a60658\"}],\"layerId\":\"3ecddbbb-2392-457a-ab8f-965a26f154db\",\"layerType\":\"data\"}},\"title\":\"Top 10 User Name [Logs Jamf Compliance Reporter]\",\"type\":\"lens\",\"visualizationType\":\"lnsDatatable\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"05f51b9b-ec7b-4834-99f7-68e797bc4fe2\",\"w\":24,\"x\":24,\"y\":30},\"panelIndex\":\"05f51b9b-ec7b-4834-99f7-68e797bc4fe2\",\"title\":\"Top 10 User Name [Logs Jamf Compliance Reporter] \",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"description\":null,\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-b3d2bd68-514b-486f-8741-933a0f0f1242\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"b3d2bd68-514b-486f-8741-933a0f0f1242\":{\"columnOrder\":[\"06926299-62c5-495d-aad8-4a0c516d08da\",\"f724de33-3912-484b-b76f-509e15b8b217\"],\"columns\":{\"06926299-62c5-495d-aad8-4a0c516d08da\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Process User 
Name\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"f724de33-3912-484b-b76f-509e15b8b217\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"process.user.name\"},\"f724de33-3912-484b-b76f-509e15b8b217\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"jamf_compliance_reporter.log\\\" and jamf_compliance_reporter.log.dataset : \\\"audit\\\"\"},\"visualization\":{\"columns\":[{\"columnId\":\"06926299-62c5-495d-aad8-4a0c516d08da\",\"isTransposed\":false},{\"columnId\":\"f724de33-3912-484b-b76f-509e15b8b217\",\"isTransposed\":false}],\"layerId\":\"b3d2bd68-514b-486f-8741-933a0f0f1242\",\"layerType\":\"data\"}},\"title\":\"Top 10 Process User Name for AUE_KILL and AUE_TASK Audit Events [Logs Jamf Compliance Reporter]\",\"type\":\"lens\",\"visualizationType\":\"lnsDatatable\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"d8a48988-c438-4031-b66b-297d6bbc3628\",\"w\":24,\"x\":0,\"y\":45},\"panelIndex\":\"d8a48988-c438-4031-b66b-297d6bbc3628\",\"title\":\"Top 10 Process User Name for AUE_KILL and AUE_TASK Audit Events [Logs Jamf Compliance 
Reporter]\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"description\":\"\",\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-54f391c9-12b8-4305-93dd-6710d4c2458d\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"54f391c9-12b8-4305-93dd-6710d4c2458d\":{\"columnOrder\":[\"7af571ef-1ae1-456a-92d5-eb4ed16f2d3f\",\"4111ec60-b9e0-4eee-8583-236d8da63e4f\"],\"columns\":{\"4111ec60-b9e0-4eee-8583-236d8da63e4f\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"7af571ef-1ae1-456a-92d5-eb4ed16f2d3f\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":true,\"label\":\"Event Score\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"4111ec60-b9e0-4eee-8583-236d8da63e4f\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"jamf_compliance_reporter.log.event_score\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"jamf_compliance_reporter.log\\\" and jamf_compliance_reporter.log.dataset : \\\"audit\\\"\"},\"visualization\":{\"columns\":[{\"alignment\":\"left\",\"columnId\":\"7af571ef-1ae1-456a-92d5-eb4ed16f2d3f\",\"isTransposed\":false},{\"columnId\":\"4111ec60-b9e0-4eee-8583-236d8da63e4f\",\"isTransposed\":false}],\"layerId\":\"54f391c9-12b8-4305-93dd-6710d4c2458d\",\"layerType\":\"data\"}},\"title\":\"Top 10 Event Score [Logs Jamf Compliance 
Reporter]\",\"type\":\"lens\",\"visualizationType\":\"lnsDatatable\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"83d65eb5-0d74-43ca-bbe9-ab5ec1aaec46\",\"w\":24,\"x\":24,\"y\":45},\"panelIndex\":\"83d65eb5-0d74-43ca-bbe9-ab5ec1aaec46\",\"title\":\"Top 10 Event Score [Logs Jamf Compliance Reporter]\",\"type\":\"lens\",\"version\":\"7.17.0\"}]", - "timeRestore": false, - "title": "[Logs Jamf Compliance Reporter] Audit", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "jamf_compliance_reporter-8351fc80-b58c-11ec-a813-df29637f29df", - "migrationVersion": { - "dashboard": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "31b29984-3ac9-42a8-a953-a9d3bd62ac7e:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "31b29984-3ac9-42a8-a953-a9d3bd62ac7e:indexpattern-datasource-layer-75d7a5a3-51eb-4651-919f-aa2e631f733a", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "e4990652-7cd9-495d-abef-683a370b7c76:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "e4990652-7cd9-495d-abef-683a370b7c76:indexpattern-datasource-layer-a9476fe9-d7bc-4cf9-9974-39a2c4602cfd", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "413d94dd-512a-46cc-b635-38f52627cd67:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "413d94dd-512a-46cc-b635-38f52627cd67:indexpattern-datasource-layer-21b86cfe-db52-415d-82ed-c8b87d2224ee", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "3519cad4-7e76-4459-b44d-80623cabbcfb:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "3519cad4-7e76-4459-b44d-80623cabbcfb:indexpattern-datasource-layer-602a9bc7-89cd-42de-91ef-3ae97c4d8c47", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": 
"186d3b1c-415b-43d7-9ad7-21238d2b07ef:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "186d3b1c-415b-43d7-9ad7-21238d2b07ef:indexpattern-datasource-layer-0ac4d2d0-01d2-41ec-a398-f70992b9cdc5", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "05f51b9b-ec7b-4834-99f7-68e797bc4fe2:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "05f51b9b-ec7b-4834-99f7-68e797bc4fe2:indexpattern-datasource-layer-3ecddbbb-2392-457a-ab8f-965a26f154db", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "d8a48988-c438-4031-b66b-297d6bbc3628:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "d8a48988-c438-4031-b66b-297d6bbc3628:indexpattern-datasource-layer-b3d2bd68-514b-486f-8741-933a0f0f1242", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "83d65eb5-0d74-43ca-bbe9-ab5ec1aaec46:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "83d65eb5-0d74-43ca-bbe9-ab5ec1aaec46:indexpattern-datasource-layer-54f391c9-12b8-4305-93dd-6710d4c2458d", - "type": "index-pattern" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/jamf_compliance_reporter/0.2.1/kibana/dashboard/jamf_compliance_reporter-dd0ea730-b557-11ec-a813-df29637f29df.json b/packages/jamf_compliance_reporter/0.2.1/kibana/dashboard/jamf_compliance_reporter-dd0ea730-b557-11ec-a813-df29637f29df.json deleted file mode 100755 index e1da5845d2..0000000000 --- a/packages/jamf_compliance_reporter/0.2.1/kibana/dashboard/jamf_compliance_reporter-dd0ea730-b557-11ec-a813-df29637f29df.json +++ /dev/null 
@@ -1,272 +0,0 @@ -{ - "attributes": { - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"jamf_compliance_reporter.log\\\" and jamf_compliance_reporter.log.dataset : \\\"event\\\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"attributes\":{\"description\":\"\",\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-dcd69ebb-72a3-4bc6-8a68-aca6570839c4\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"dcd69ebb-72a3-4bc6-8a68-aca6570839c4\":{\"columnOrder\":[\"24d71291-5bf6-4b24-8093-d41a22d03ccb\",\"218ddc14-154c-4fa9-bd43-d9206d2ec7f7\"],\"columns\":{\"218ddc14-154c-4fa9-bd43-d9206d2ec7f7\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"24d71291-5bf6-4b24-8093-d41a22d03ccb\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"OS Version\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"218ddc14-154c-4fa9-bd43-d9206d2ec7f7\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"host.os.version\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"jamf_compliance_reporter.log\\\" and jamf_compliance_reporter.log.dataset : 
\\\"event\\\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"24d71291-5bf6-4b24-8093-d41a22d03ccb\"],\"layerId\":\"dcd69ebb-72a3-4bc6-8a68-aca6570839c4\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"218ddc14-154c-4fa9-bd43-d9206d2ec7f7\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"pie\"}},\"title\":\"Distribution of Events by OS Version [Logs Jamf Compliance Reporter]\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"f28205e4-886e-4779-a8ea-db77dba9a68c\",\"w\":24,\"x\":0,\"y\":0},\"panelIndex\":\"f28205e4-886e-4779-a8ea-db77dba9a68c\",\"title\":\"Distribution of Events by OS Version [Logs Jamf Compliance Reporter]\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"description\":\"\",\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-7c7ea45e-c87f-4cb2-b9d6-89a48ce29ff1\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"7c7ea45e-c87f-4cb2-b9d6-89a48ce29ff1\":{\"columnOrder\":[\"0e74bed0-d28e-4e06-a2d5-82307342929f\",\"9679ae52-ab95-4f5d-b3ae-6fa541a740e2\"],\"columns\":{\"0e74bed0-d28e-4e06-a2d5-82307342929f\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Audio-Video Device 
Status\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"9679ae52-ab95-4f5d-b3ae-6fa541a740e2\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"jamf_compliance_reporter.log.audio_video_device_info.device_status\"},\"9679ae52-ab95-4f5d-b3ae-6fa541a740e2\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"jamf_compliance_reporter.log\\\" and jamf_compliance_reporter.log.dataset : \\\"event\\\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"0e74bed0-d28e-4e06-a2d5-82307342929f\"],\"layerId\":\"7c7ea45e-c87f-4cb2-b9d6-89a48ce29ff1\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"9679ae52-ab95-4f5d-b3ae-6fa541a740e2\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"pie\"}},\"title\":\"Distribution of Audio-Video Device Events by Device Status [Logs Jamf Compliance Reporter]\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"d6fd6b7c-d5ff-45ba-b34c-5e17f1d877e1\",\"w\":24,\"x\":24,\"y\":0},\"panelIndex\":\"d6fd6b7c-d5ff-45ba-b34c-5e17f1d877e1\",\"title\":\"Distribution of Audio-Video Device Events by Device Status [Logs Jamf Compliance 
Reporter]\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"description\":\"\",\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-21cb8b72-ef0b-4afc-8b9f-6a0c7cc17217\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"21cb8b72-ef0b-4afc-8b9f-6a0c7cc17217\":{\"columnOrder\":[\"0921b26e-7205-46b3-a34b-919c037be1e8\",\"f55e245c-4b5c-45be-a2c1-f25f1acdc0aa\"],\"columns\":{\"0921b26e-7205-46b3-a34b-919c037be1e8\":{\"customLabel\":true,\"dataType\":\"boolean\",\"isBucketed\":true,\"label\":\"Restored Default\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"f55e245c-4b5c-45be-a2c1-f25f1acdc0aa\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"jamf_compliance_reporter.log.audit_class_verification_info.restored_default\"},\"f55e245c-4b5c-45be-a2c1-f25f1acdc0aa\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"jamf_compliance_reporter.log\\\" and jamf_compliance_reporter.log.dataset : \\\"event\\\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"0921b26e-7205-46b3-a34b-919c037be1e8\"],\"layerId\":\"21cb8b72-ef0b-4afc-8b9f-6a0c7cc17217\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"f55e245c-4b5c-45be-a2c1-f25f1acdc0aa\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"pie\"}},\"title\":\"Distribution of Audit Class Verification Info Events by Restored Default [Logs Jamf Compliance 
Reporter]\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"d73f23b2-bd81-4c6f-86dd-bf792212a813\",\"w\":24,\"x\":0,\"y\":15},\"panelIndex\":\"d73f23b2-bd81-4c6f-86dd-bf792212a813\",\"title\":\"Distribution of Audit Class Verification Info Events by Restored Default [Logs Jamf Compliance Reporter]\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"description\":\"\",\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-7b72f6ca-f0b1-4c09-b1ff-11990af5c585\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"7b72f6ca-f0b1-4c09-b1ff-11990af5c585\":{\"columnOrder\":[\"b49b1b2a-c3cd-4bcf-88c2-4c4a356b72cf\",\"5bae7737-7914-41f8-bcfd-e67162193c46\"],\"columns\":{\"5bae7737-7914-41f8-bcfd-e67162193c46\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"b49b1b2a-c3cd-4bcf-88c2-4c4a356b72cf\":{\"customLabel\":true,\"dataType\":\"boolean\",\"isBucketed\":true,\"label\":\"Item Created\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"5bae7737-7914-41f8-bcfd-e67162193c46\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"jamf_compliance_reporter.log.file_event_info.item.created\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"jamf_compliance_reporter.log\\\" and jamf_compliance_reporter.log.dataset : 
\\\"event\\\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"b49b1b2a-c3cd-4bcf-88c2-4c4a356b72cf\"],\"layerId\":\"7b72f6ca-f0b1-4c09-b1ff-11990af5c585\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"5bae7737-7914-41f8-bcfd-e67162193c46\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"pie\"}},\"title\":\"Distribution of Events by Item Created [Logs Jamf Compliance Reporter]\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"18a9850d-21a1-45ea-85c3-a9c78f764f46\",\"w\":24,\"x\":24,\"y\":15},\"panelIndex\":\"18a9850d-21a1-45ea-85c3-a9c78f764f46\",\"title\":\"Distribution of Events by Item Created [Logs Jamf Compliance Reporter]\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"description\":\"\",\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-81b3e742-4ad8-4120-9b3b-a9893773795a\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"81b3e742-4ad8-4120-9b3b-a9893773795a\":{\"columnOrder\":[\"86771b4a-0cac-452c-b89e-0f8aa2c65c78\",\"20349cf6-37d1-4aaf-ba3d-f572e756e36d\"],\"columns\":{\"20349cf6-37d1-4aaf-ba3d-f572e756e36d\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"86771b4a-0cac-452c-b89e-0f8aa2c65c78\":{\"customLabel\":true,\"dataType\":\"boolean\",\"isBucketed\":true,\"label\":\"Item 
Removed\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"20349cf6-37d1-4aaf-ba3d-f572e756e36d\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"jamf_compliance_reporter.log.file_event_info.item.removed\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"jamf_compliance_reporter.log\\\" and jamf_compliance_reporter.log.dataset : \\\"event\\\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"86771b4a-0cac-452c-b89e-0f8aa2c65c78\"],\"layerId\":\"81b3e742-4ad8-4120-9b3b-a9893773795a\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"20349cf6-37d1-4aaf-ba3d-f572e756e36d\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"pie\"}},\"title\":\"Distribution of Events by Item Removed [Logs Jamf Compliance Reporter]\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"f990bb47-c91a-4c84-88c2-0ed775024099\",\"w\":24,\"x\":0,\"y\":30},\"panelIndex\":\"f990bb47-c91a-4c84-88c2-0ed775024099\",\"title\":\"Distribution of Events by Item Removed [Logs Jamf Compliance 
Reporter]\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"description\":\"\",\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-ad610b62-5183-4e71-86d4-52beca5327d7\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"ad610b62-5183-4e71-86d4-52beca5327d7\":{\"columnOrder\":[\"2f2be0d6-224d-4a5a-bcc2-d6b62913955b\",\"9608dee3-3f0b-4eaa-9af8-9b1d6ca38b38\"],\"columns\":{\"2f2be0d6-224d-4a5a-bcc2-d6b62913955b\":{\"customLabel\":true,\"dataType\":\"boolean\",\"isBucketed\":true,\"label\":\"Item is File\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"9608dee3-3f0b-4eaa-9af8-9b1d6ca38b38\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"jamf_compliance_reporter.log.file_event_info.item.is_file\"},\"9608dee3-3f0b-4eaa-9af8-9b1d6ca38b38\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"jamf_compliance_reporter.log\\\" and jamf_compliance_reporter.log.dataset : \\\"event\\\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"2f2be0d6-224d-4a5a-bcc2-d6b62913955b\"],\"layerId\":\"ad610b62-5183-4e71-86d4-52beca5327d7\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"9608dee3-3f0b-4eaa-9af8-9b1d6ca38b38\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"pie\"}},\"title\":\"Distribution of Events by Item is File [Logs Jamf Compliance 
Reporter]\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"c80a59ad-5830-4463-9978-642de750f3ff\",\"w\":24,\"x\":24,\"y\":30},\"panelIndex\":\"c80a59ad-5830-4463-9978-642de750f3ff\",\"title\":\"Distribution of Events by Item is File [Logs Jamf Compliance Reporter]\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"description\":\"\",\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-46eadc93-b435-41bd-8d5b-f31b5f6353e2\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"46eadc93-b435-41bd-8d5b-f31b5f6353e2\":{\"columnOrder\":[\"76bd9f5a-bbec-4a66-a070-df50aefd7bc4\",\"7ee52937-5505-4880-9489-4386bf2f5f43\"],\"columns\":{\"76bd9f5a-bbec-4a66-a070-df50aefd7bc4\":{\"customLabel\":true,\"dataType\":\"boolean\",\"isBucketed\":true,\"label\":\"Item is Directory\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"7ee52937-5505-4880-9489-4386bf2f5f43\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"jamf_compliance_reporter.log.file_event_info.item.is_directory\"},\"7ee52937-5505-4880-9489-4386bf2f5f43\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"jamf_compliance_reporter.log\\\" and jamf_compliance_reporter.log.dataset : 
\\\"event\\\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"76bd9f5a-bbec-4a66-a070-df50aefd7bc4\"],\"layerId\":\"46eadc93-b435-41bd-8d5b-f31b5f6353e2\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"7ee52937-5505-4880-9489-4386bf2f5f43\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"pie\"}},\"title\":\"Distribution of Events by Item is Directory [Logs Jamf Compliance Reporter]\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"2ba7af74-63e2-46b7-a37f-63415014804d\",\"w\":24,\"x\":0,\"y\":45},\"panelIndex\":\"2ba7af74-63e2-46b7-a37f-63415014804d\",\"title\":\"Distribution of Events by Item is Directory [Logs Jamf Compliance Reporter]\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"description\":\"\",\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-e218b2a3-f801-4263-b10c-0d0a5c871703\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"e218b2a3-f801-4263-b10c-0d0a5c871703\":{\"columnOrder\":[\"233cd86a-9b66-4ddc-a4e6-b4e0cb2a12b3\",\"2471e331-80ae-4d1c-befa-d5f5bf38c5fc\"],\"columns\":{\"233cd86a-9b66-4ddc-a4e6-b4e0cb2a12b3\":{\"customLabel\":true,\"dataType\":\"boolean\",\"isBucketed\":true,\"label\":\"User 
Dropped\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"2471e331-80ae-4d1c-befa-d5f5bf38c5fc\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"jamf_compliance_reporter.log.file_event_info.user_dropped\"},\"2471e331-80ae-4d1c-befa-d5f5bf38c5fc\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"jamf_compliance_reporter.log\\\" and jamf_compliance_reporter.log.dataset : \\\"event\\\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"233cd86a-9b66-4ddc-a4e6-b4e0cb2a12b3\"],\"layerId\":\"e218b2a3-f801-4263-b10c-0d0a5c871703\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"2471e331-80ae-4d1c-befa-d5f5bf38c5fc\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"pie\"}},\"title\":\"Distribution of Events by User Dropped [Logs Jamf Compliance Reporter]\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"c294926e-9b33-4805-8ef9-bd4bcc2634d1\",\"w\":24,\"x\":24,\"y\":45},\"panelIndex\":\"c294926e-9b33-4805-8ef9-bd4bcc2634d1\",\"title\":\"Distribution of Events by User Dropped [Logs Jamf Compliance 
Reporter]\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"description\":\"\",\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-a031233f-898d-4756-bf10-f33c73a72081\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"a031233f-898d-4756-bf10-f33c73a72081\":{\"columnOrder\":[\"78e02bc2-9a25-4182-b865-96e07cb92680\",\"1204835b-321c-416c-9f9b-898c1360199d\"],\"columns\":{\"1204835b-321c-416c-9f9b-898c1360199d\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"78e02bc2-9a25-4182-b865-96e07cb92680\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":true,\"label\":\"Device Power State\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"1204835b-321c-416c-9f9b-898c1360199d\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"jamf_compliance_reporter.log.hardware_event_info.device_attributes.io.power_management.device_power_state\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"jamf_compliance_reporter.log\\\" and jamf_compliance_reporter.log.dataset : 
\\\"event\\\"\"},\"visualization\":{\"axisTitlesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"fittingFunction\":\"None\",\"gridlinesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"layers\":[{\"accessors\":[\"1204835b-321c-416c-9f9b-898c1360199d\"],\"layerId\":\"a031233f-898d-4756-bf10-f33c73a72081\",\"layerType\":\"data\",\"position\":\"top\",\"seriesType\":\"bar\",\"showGridlines\":false,\"xAccessor\":\"78e02bc2-9a25-4182-b865-96e07cb92680\"}],\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"preferredSeriesType\":\"bar\",\"tickLabelsVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"valueLabels\":\"hide\",\"yLeftExtent\":{\"mode\":\"full\"},\"yRightExtent\":{\"mode\":\"full\"}}},\"title\":\"Distribution of Hardware Events by IO Power Management Device Power State [Logs Jamf Compliance Reporter]\",\"type\":\"lens\",\"visualizationType\":\"lnsXY\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"a2a956f4-162b-47db-908e-dd1027c6f00c\",\"w\":24,\"x\":0,\"y\":60},\"panelIndex\":\"a2a956f4-162b-47db-908e-dd1027c6f00c\",\"title\":\"Distribution of Hardware Events by IO Power Management Device Power State [Logs Jamf Compliance 
Reporter]\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"description\":\"\",\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-0ad21e03-f895-413e-a7e0-55a45a77146c\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"0ad21e03-f895-413e-a7e0-55a45a77146c\":{\"columnOrder\":[\"fa04e8b1-655f-4f3b-b7b7-501ddc9fc324\",\"a64a0339-f186-471d-9e43-a3b1559e89a7\"],\"columns\":{\"a64a0339-f186-471d-9e43-a3b1559e89a7\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"fa04e8b1-655f-4f3b-b7b7-501ddc9fc324\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Device Status\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"a64a0339-f186-471d-9e43-a3b1559e89a7\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"jamf_compliance_reporter.log.hardware_event_info.device.status\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"jamf_compliance_reporter.log\\\" and jamf_compliance_reporter.log.dataset : \\\"event\\\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"fa04e8b1-655f-4f3b-b7b7-501ddc9fc324\"],\"layerId\":\"0ad21e03-f895-413e-a7e0-55a45a77146c\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"a64a0339-f186-471d-9e43-a3b1559e89a7\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"pie\"}},\"title\":\"Distribution of Hardware Events by Device Status [Logs Jamf Compliance 
Reporter]\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"e2121f67-3794-4e56-a0f5-5bdd6fb1213b\",\"w\":24,\"x\":24,\"y\":60},\"panelIndex\":\"e2121f67-3794-4e56-a0f5-5bdd6fb1213b\",\"title\":\"Distribution of Hardware Events by Device Status [Logs Jamf Compliance Reporter]\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"description\":\"\",\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-d31c80d7-fb2d-4cd8-8aef-59543b605404\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"d31c80d7-fb2d-4cd8-8aef-59543b605404\":{\"columnOrder\":[\"c8fe4889-0293-4464-b8b4-c8f92c638cec\",\"42386a24-c912-46b5-8a86-27c1496123fc\"],\"columns\":{\"42386a24-c912-46b5-8a86-27c1496123fc\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"c8fe4889-0293-4464-b8b4-c8f92c638cec\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"License Status\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"42386a24-c912-46b5-8a86-27c1496123fc\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"jamf_compliance_reporter.log.compliancereporter_license_info.status\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"jamf_compliance_reporter.log\\\" and jamf_compliance_reporter.log.dataset : 
\\\"event\\\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"c8fe4889-0293-4464-b8b4-c8f92c638cec\"],\"layerId\":\"d31c80d7-fb2d-4cd8-8aef-59543b605404\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"42386a24-c912-46b5-8a86-27c1496123fc\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"pie\"}},\"title\":\"Distribution of License Info Events by License Status [Logs Jamf Compliance Reporter]\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"81f9f687-beb7-454d-8ed4-ea234a2c3272\",\"w\":16,\"x\":0,\"y\":75},\"panelIndex\":\"81f9f687-beb7-454d-8ed4-ea234a2c3272\",\"title\":\"Distribution of License Info Events by License Status [Logs Jamf Compliance Reporter]\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"description\":\"\",\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-795c6a4c-3830-4cb3-be63-b55780d773d7\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"795c6a4c-3830-4cb3-be63-b55780d773d7\":{\"columnOrder\":[\"985125ce-3b93-4b72-a077-0b3f200f0dbf\",\"357042c6-1675-414e-ba3e-6c74b1a6c740\"],\"columns\":{\"357042c6-1675-414e-ba3e-6c74b1a6c740\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"985125ce-3b93-4b72-a077-0b3f200f0dbf\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"License 
Type\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"357042c6-1675-414e-ba3e-6c74b1a6c740\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"jamf_compliance_reporter.log.compliancereporter_license_info.type\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"jamf_compliance_reporter.log\\\" and jamf_compliance_reporter.log.dataset : \\\"event\\\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"985125ce-3b93-4b72-a077-0b3f200f0dbf\"],\"layerId\":\"795c6a4c-3830-4cb3-be63-b55780d773d7\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"357042c6-1675-414e-ba3e-6c74b1a6c740\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"pie\"}},\"title\":\"Distribution of License Info Events by License Type [Logs Jamf Compliance Reporter]\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"51aeea4e-4bb1-4ce2-8738-dc582041496d\",\"w\":16,\"x\":16,\"y\":75},\"panelIndex\":\"51aeea4e-4bb1-4ce2-8738-dc582041496d\",\"title\":\"Distribution of License Info Events by License Type [Logs Jamf Compliance 
Reporter]\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"description\":\"\",\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-ae3e7f06-1bed-44cc-9880-7ff89d7743df\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"ae3e7f06-1bed-44cc-9880-7ff89d7743df\":{\"columnOrder\":[\"3968784a-d4fb-4b89-9abd-250a07b2266c\",\"d80ef2e1-cf94-4904-8ef7-207328f5a502\"],\"columns\":{\"3968784a-d4fb-4b89-9abd-250a07b2266c\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Header Action\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"d80ef2e1-cf94-4904-8ef7-207328f5a502\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"jamf_compliance_reporter.log.header.action\"},\"d80ef2e1-cf94-4904-8ef7-207328f5a502\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"jamf_compliance_reporter.log\\\" and jamf_compliance_reporter.log.dataset : \\\"event\\\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"3968784a-d4fb-4b89-9abd-250a07b2266c\"],\"layerId\":\"ae3e7f06-1bed-44cc-9880-7ff89d7743df\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"d80ef2e1-cf94-4904-8ef7-207328f5a502\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"pie\"}},\"title\":\"Distribution of Prohibited App Blocked Events by Header Action [Logs Jamf Compliance 
Reporter]\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"16a293c0-18f7-4ffb-b8f6-6e60afd5c4ac\",\"w\":16,\"x\":32,\"y\":75},\"panelIndex\":\"16a293c0-18f7-4ffb-b8f6-6e60afd5c4ac\",\"title\":\"Distribution of Prohibited App Blocked Events by Header Action [Logs Jamf Compliance Reporter]\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"description\":\"\",\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-19353d2e-e7a5-425f-85f3-b7333b0abf21\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"19353d2e-e7a5-425f-85f3-b7333b0abf21\":{\"columnOrder\":[\"4ffd24ec-c9ee-4d29-873b-896ef7c4096b\",\"219edb2a-c4b4-42ce-824c-6e3437097d35\"],\"columns\":{\"219edb2a-c4b4-42ce-824c-6e3437097d35\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"4ffd24ec-c9ee-4d29-873b-896ef7c4096b\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":true,\"label\":\"Audit Level\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"219edb2a-c4b4-42ce-824c-6e3437097d35\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"jamf_compliance_reporter.log.event_attributes.audit_level\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"jamf_compliance_reporter.log\\\" and jamf_compliance_reporter.log.dataset : 
\\\"event\\\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"4ffd24ec-c9ee-4d29-873b-896ef7c4096b\"],\"layerId\":\"19353d2e-e7a5-425f-85f3-b7333b0abf21\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"219edb2a-c4b4-42ce-824c-6e3437097d35\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"pie\"}},\"title\":\"Distribution of Preference List Events by Audit Level [Logs Jamf Compliance Reporter]\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"0379b610-4693-47f0-b86d-77fd3edee591\",\"w\":24,\"x\":0,\"y\":90},\"panelIndex\":\"0379b610-4693-47f0-b86d-77fd3edee591\",\"title\":\"Distribution of Preference List Events by Audit Level [Logs Jamf Compliance Reporter]\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"description\":\"\",\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-479ee952-5f14-4578-8a20-de63e17627c5\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"479ee952-5f14-4578-8a20-de63e17627c5\":{\"columnOrder\":[\"2bb4f93f-f448-467d-a12d-64aae556a412\",\"d66e72ff-55c4-4916-8540-9d594f1c383c\"],\"columns\":{\"2bb4f93f-f448-467d-a12d-64aae556a412\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"License 
Version\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"d66e72ff-55c4-4916-8540-9d594f1c383c\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"jamf_compliance_reporter.log.event_attributes.file_license_info.license_version\"},\"d66e72ff-55c4-4916-8540-9d594f1c383c\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"jamf_compliance_reporter.log\\\" and jamf_compliance_reporter.log.dataset : \\\"event\\\"\"},\"visualization\":{\"axisTitlesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"fittingFunction\":\"None\",\"gridlinesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"layers\":[{\"accessors\":[\"d66e72ff-55c4-4916-8540-9d594f1c383c\"],\"layerId\":\"479ee952-5f14-4578-8a20-de63e17627c5\",\"layerType\":\"data\",\"position\":\"top\",\"seriesType\":\"bar\",\"showGridlines\":false,\"xAccessor\":\"2bb4f93f-f448-467d-a12d-64aae556a412\"}],\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"preferredSeriesType\":\"bar\",\"tickLabelsVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"valueLabels\":\"hide\",\"yLeftExtent\":{\"mode\":\"full\"},\"yRightExtent\":{\"mode\":\"full\"}}},\"title\":\"Distribution of Preference List Events by License Version [Logs Jamf Compliance Reporter]\",\"type\":\"lens\",\"visualizationType\":\"lnsXY\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"03a41353-2e3c-4a6c-9593-2b9a0a5f0e1a\",\"w\":24,\"x\":24,\"y\":90},\"panelIndex\":\"03a41353-2e3c-4a6c-9593-2b9a0a5f0e1a\",\"title\":\"Distribution of Preference List Events by License Version [Logs Jamf 
Compliance Reporter]\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"description\":\"\",\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-b4273567-51c1-40d5-abd8-8e33f06e1dcd\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"b4273567-51c1-40d5-abd8-8e33f06e1dcd\":{\"columnOrder\":[\"c14d4d84-ff8e-4553-bf3e-75b0e5ca8005\",\"7de412b8-43e2-4c9a-8585-341239ee78aa\"],\"columns\":{\"7de412b8-43e2-4c9a-8585-341239ee78aa\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"c14d4d84-ff8e-4553-bf3e-75b0e5ca8005\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"License Type\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"7de412b8-43e2-4c9a-8585-341239ee78aa\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"jamf_compliance_reporter.log.event_attributes.file_license_info.license_type\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"jamf_compliance_reporter.log\\\" and jamf_compliance_reporter.log.dataset : 
\\\"event\\\"\"},\"visualization\":{\"axisTitlesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"fittingFunction\":\"None\",\"gridlinesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"layers\":[{\"accessors\":[\"7de412b8-43e2-4c9a-8585-341239ee78aa\"],\"layerId\":\"b4273567-51c1-40d5-abd8-8e33f06e1dcd\",\"layerType\":\"data\",\"position\":\"top\",\"seriesType\":\"bar\",\"showGridlines\":false,\"xAccessor\":\"c14d4d84-ff8e-4553-bf3e-75b0e5ca8005\"}],\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"preferredSeriesType\":\"bar\",\"tickLabelsVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"valueLabels\":\"hide\",\"yLeftExtent\":{\"mode\":\"full\"},\"yRightExtent\":{\"mode\":\"full\"}}},\"title\":\"Distribution of Preference List Events by License Type [Logs Jamf Compliance Reporter]\",\"type\":\"lens\",\"visualizationType\":\"lnsXY\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"d44ee3a0-59e0-46e1-85c8-c70c33353029\",\"w\":24,\"x\":0,\"y\":105},\"panelIndex\":\"d44ee3a0-59e0-46e1-85c8-c70c33353029\",\"title\":\"Distribution of Preference List Events by License Type [Logs Jamf Compliance Reporter]\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"description\":\"\",\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-e5f2943e-d6a7-4eb5-adf4-965ed238082c\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"e5f2943e-d6a7-4eb5-adf4-965ed238082c\":{\"columnOrder\":[\"1a74900b-aa29-4baa-a390-877af62b93b0\",\"87b7cdc9-a3fe-4b6a-aba5-8e59ae730fa4\"],\"columns\":{\"1a74900b-aa29-4baa-a390-877af62b93b0\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Job 
State\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"87b7cdc9-a3fe-4b6a-aba5-8e59ae730fa4\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"jamf_compliance_reporter.log.event_attributes.job.state\"},\"87b7cdc9-a3fe-4b6a-aba5-8e59ae730fa4\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"jamf_compliance_reporter.log\\\" and jamf_compliance_reporter.log.dataset : \\\"event\\\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"1a74900b-aa29-4baa-a390-877af62b93b0\"],\"layerId\":\"e5f2943e-d6a7-4eb5-adf4-965ed238082c\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"87b7cdc9-a3fe-4b6a-aba5-8e59ae730fa4\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"pie\"}},\"title\":\"Distribution of Print Events Information by Job State [Logs Jamf Compliance Reporter]\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"8d99b054-cbe9-43cb-9977-7367eb5085c3\",\"w\":24,\"x\":24,\"y\":105},\"panelIndex\":\"8d99b054-cbe9-43cb-9977-7367eb5085c3\",\"title\":\"Distribution of Print Events Information by Job State [Logs Jamf Compliance 
Reporter]\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"description\":\"\",\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-ad2d2003-f5ae-4aa9-a78e-680c8bcba23c\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"ad2d2003-f5ae-4aa9-a78e-680c8bcba23c\":{\"columnOrder\":[\"46af0cb1-1688-43ab-82e1-29e96748723f\",\"c517f15b-453c-4b92-89e8-b3677bd90b38\"],\"columns\":{\"46af0cb1-1688-43ab-82e1-29e96748723f\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Host Name\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"c517f15b-453c-4b92-89e8-b3677bd90b38\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"host.hostname\"},\"c517f15b-453c-4b92-89e8-b3677bd90b38\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"jamf_compliance_reporter.log\\\" and jamf_compliance_reporter.log.dataset : \\\"event\\\"\"},\"visualization\":{\"columns\":[{\"columnId\":\"46af0cb1-1688-43ab-82e1-29e96748723f\",\"isTransposed\":false},{\"columnId\":\"c517f15b-453c-4b92-89e8-b3677bd90b38\",\"isTransposed\":false}],\"layerId\":\"ad2d2003-f5ae-4aa9-a78e-680c8bcba23c\",\"layerType\":\"data\"}},\"title\":\"Top 10 Host Name [Logs Jamf Compliance 
Reporter]\",\"type\":\"lens\",\"visualizationType\":\"lnsDatatable\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"6f1b595d-131c-481b-a60b-8a32f6cf6042\",\"w\":24,\"x\":0,\"y\":120},\"panelIndex\":\"6f1b595d-131c-481b-a60b-8a32f6cf6042\",\"title\":\"Top 10 Host Name [Logs Jamf Compliance Reporter]\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"description\":\"\",\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-4b411163-e685-45c0-a1b0-756ce6d0a1eb\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"4b411163-e685-45c0-a1b0-756ce6d0a1eb\":{\"columnOrder\":[\"ff57ece0-cf0e-45ff-951e-5300793e2d33\",\"ff9b7388-67c0-44ba-a589-f21f5740cf2a\"],\"columns\":{\"ff57ece0-cf0e-45ff-951e-5300793e2d33\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Device Manufacturer\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"ff9b7388-67c0-44ba-a589-f21f5740cf2a\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"jamf_compliance_reporter.log.audio_video_device_info.audio_device.manufacturer\"},\"ff9b7388-67c0-44ba-a589-f21f5740cf2a\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"jamf_compliance_reporter.log\\\" and jamf_compliance_reporter.log.dataset : 
\\\"event\\\"\"},\"visualization\":{\"columns\":[{\"columnId\":\"ff57ece0-cf0e-45ff-951e-5300793e2d33\",\"isTransposed\":false},{\"columnId\":\"ff9b7388-67c0-44ba-a589-f21f5740cf2a\",\"isTransposed\":false}],\"layerId\":\"4b411163-e685-45c0-a1b0-756ce6d0a1eb\",\"layerType\":\"data\"}},\"title\":\"Top 10 Audio Device Manufacturer of Audio-Video Device Events [Logs Jamf Compliance Reporter]\",\"type\":\"lens\",\"visualizationType\":\"lnsDatatable\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"0bb50df3-d3d2-4f48-962a-0085fb070327\",\"w\":24,\"x\":24,\"y\":120},\"panelIndex\":\"0bb50df3-d3d2-4f48-962a-0085fb070327\",\"title\":\"Top 10 Audio Device Manufacturer of Audio-Video Device Events [Logs Jamf Compliance Reporter]\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"description\":\"\",\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-9784b039-9999-4347-bbe5-b6429a3bc2eb\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"9784b039-9999-4347-bbe5-b6429a3bc2eb\":{\"columnOrder\":[\"4386dfbe-42f1-4fc3-9712-7bd7b45a4189\",\"7fcb1371-7579-4125-b721-74f0e3f8303e\"],\"columns\":{\"4386dfbe-42f1-4fc3-9712-7bd7b45a4189\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"USB Vendor 
Name\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"7fcb1371-7579-4125-b721-74f0e3f8303e\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"jamf_compliance_reporter.log.hardware_event_info.device_attributes.usb.vendor_name\"},\"7fcb1371-7579-4125-b721-74f0e3f8303e\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"jamf_compliance_reporter.log\\\" and jamf_compliance_reporter.log.dataset : \\\"event\\\"\"},\"visualization\":{\"columns\":[{\"columnId\":\"4386dfbe-42f1-4fc3-9712-7bd7b45a4189\"},{\"columnId\":\"7fcb1371-7579-4125-b721-74f0e3f8303e\"}],\"layerId\":\"9784b039-9999-4347-bbe5-b6429a3bc2eb\",\"layerType\":\"data\"}},\"title\":\"Top 10 USB Vendor Name of Hardware Events [Logs Jamf Compliance Reporter]\",\"type\":\"lens\",\"visualizationType\":\"lnsDatatable\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"592418e3-3172-448b-915e-0d12808b46d7\",\"w\":24,\"x\":0,\"y\":135},\"panelIndex\":\"592418e3-3172-448b-915e-0d12808b46d7\",\"title\":\"Top 10 USB Vendor Name of Hardware Events [Logs Jamf Compliance 
Reporter]\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"description\":\"\",\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-f0047360-8ac5-42d2-b35f-fe490b61d3a7\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"f0047360-8ac5-42d2-b35f-fe490b61d3a7\":{\"columnOrder\":[\"c1044f5d-5db2-4c8f-9434-ff6e6dc9b8d7\",\"7bfeb0c8-c19d-4e30-afe3-9769f374a414\"],\"columns\":{\"7bfeb0c8-c19d-4e30-afe3-9769f374a414\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"c1044f5d-5db2-4c8f-9434-ff6e6dc9b8d7\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"USB Product Name\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"7bfeb0c8-c19d-4e30-afe3-9769f374a414\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"jamf_compliance_reporter.log.hardware_event_info.device_attributes.usb.product_name\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"jamf_compliance_reporter.log\\\" and jamf_compliance_reporter.log.dataset : \\\"event\\\"\"},\"visualization\":{\"columns\":[{\"columnId\":\"c1044f5d-5db2-4c8f-9434-ff6e6dc9b8d7\",\"isTransposed\":false},{\"columnId\":\"7bfeb0c8-c19d-4e30-afe3-9769f374a414\",\"isTransposed\":false}],\"layerId\":\"f0047360-8ac5-42d2-b35f-fe490b61d3a7\",\"layerType\":\"data\"}},\"title\":\"Top 10 USB Product Name of Hardware Events [Logs Jamf Compliance 
Reporter]\",\"type\":\"lens\",\"visualizationType\":\"lnsDatatable\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"e87863af-fbee-466c-a3e8-a5880304a82a\",\"w\":24,\"x\":24,\"y\":135},\"panelIndex\":\"e87863af-fbee-466c-a3e8-a5880304a82a\",\"title\":\"Top 10 USB Product Name of Hardware Events [Logs Jamf Compliance Reporter]\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"description\":\"\",\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-97ddbe50-1740-4998-b2ba-ff5e13a64e36\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"97ddbe50-1740-4998-b2ba-ff5e13a64e36\":{\"columnOrder\":[\"e3a1bfeb-104f-4dd9-9f71-8326afccd2c2\",\"ae33950f-9a79-42d1-b6fd-26dd2ff30310\"],\"columns\":{\"ae33950f-9a79-42d1-b6fd-26dd2ff30310\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"e3a1bfeb-104f-4dd9-9f71-8326afccd2c2\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Quarantine Agent Bundle Identifier\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"ae33950f-9a79-42d1-b6fd-26dd2ff30310\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"jamf_compliance_reporter.log.event_attributes.attributes.quarantine.agent_bundle_identifier\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"jamf_compliance_reporter.log\\\" and jamf_compliance_reporter.log.dataset : 
\\\"event\\\"\"},\"visualization\":{\"columns\":[{\"columnId\":\"e3a1bfeb-104f-4dd9-9f71-8326afccd2c2\"},{\"columnId\":\"ae33950f-9a79-42d1-b6fd-26dd2ff30310\"}],\"layerId\":\"97ddbe50-1740-4998-b2ba-ff5e13a64e36\",\"layerType\":\"data\"}},\"title\":\"Top 10 Quarantine Agent Bundle Identifier of Gatekeeper Quarantine Log Events [Logs Jamf Compliance Reporter]\",\"type\":\"lens\",\"visualizationType\":\"lnsDatatable\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"b274f4a7-d788-4ff4-81ea-aed7756fedf9\",\"w\":24,\"x\":0,\"y\":150},\"panelIndex\":\"b274f4a7-d788-4ff4-81ea-aed7756fedf9\",\"title\":\"Top 10 Quarantine Agent Bundle Identifier of Gatekeeper Quarantine Log Events [Logs Jamf Compliance Reporter]\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"description\":\"\",\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-6dba6e01-ce8c-4bb4-be06-6d9ee868f043\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"6dba6e01-ce8c-4bb4-be06-6d9ee868f043\":{\"columnOrder\":[\"3bd44a0a-8bda-4270-9239-b1da49129a14\",\"9117b9e9-9278-4b9a-90ff-70a7df73a138\"],\"columns\":{\"3bd44a0a-8bda-4270-9239-b1da49129a14\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Quarantine Agent 
Name\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"9117b9e9-9278-4b9a-90ff-70a7df73a138\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"jamf_compliance_reporter.log.event_attributes.attributes.quarantine.agent_name\"},\"9117b9e9-9278-4b9a-90ff-70a7df73a138\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"jamf_compliance_reporter.log\\\" and jamf_compliance_reporter.log.dataset : \\\"event\\\"\"},\"visualization\":{\"columns\":[{\"columnId\":\"3bd44a0a-8bda-4270-9239-b1da49129a14\"},{\"columnId\":\"9117b9e9-9278-4b9a-90ff-70a7df73a138\"}],\"layerId\":\"6dba6e01-ce8c-4bb4-be06-6d9ee868f043\",\"layerType\":\"data\"}},\"title\":\"Top 10 Quarantine Agent Name of Gatekeeper Quarantine Log Events [Logs Jamf Compliance Reporter]\",\"type\":\"lens\",\"visualizationType\":\"lnsDatatable\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"5049dc95-bcb6-4e0e-8919-422050d8a54c\",\"w\":24,\"x\":24,\"y\":150},\"panelIndex\":\"5049dc95-bcb6-4e0e-8919-422050d8a54c\",\"title\":\"Top 10 Quarantine Agent Name of Gatekeeper Quarantine Log Events [Logs Jamf Compliance 
Reporter]\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"description\":null,\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-7e99d2b3-a231-4553-a927-3553d056cc16\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"7e99d2b3-a231-4553-a927-3553d056cc16\":{\"columnOrder\":[\"a0bea5bf-3444-46db-b6f0-953d21c31e16\",\"1aa2131a-839f-4338-b98d-0b07e2879d99\"],\"columns\":{\"1aa2131a-839f-4338-b98d-0b07e2879d99\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"a0bea5bf-3444-46db-b6f0-953d21c31e16\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Device Class\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"1aa2131a-839f-4338-b98d-0b07e2879d99\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"jamf_compliance_reporter.log.hardware_event_info.device.class\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"jamf_compliance_reporter.log\\\" and jamf_compliance_reporter.log.dataset : \\\"event\\\"\"},\"visualization\":{\"columns\":[{\"columnId\":\"a0bea5bf-3444-46db-b6f0-953d21c31e16\"},{\"columnId\":\"1aa2131a-839f-4338-b98d-0b07e2879d99\"}],\"layerId\":\"7e99d2b3-a231-4553-a927-3553d056cc16\",\"layerType\":\"data\"}},\"title\":\"Top 10 Device Class of Hardware Events [Logs Jamf Compliance 
Reporter]\",\"type\":\"lens\",\"visualizationType\":\"lnsDatatable\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"b26730ed-d34f-4ebe-8739-d6fc5fc220fa\",\"w\":24,\"x\":0,\"y\":165},\"panelIndex\":\"b26730ed-d34f-4ebe-8739-d6fc5fc220fa\",\"title\":\"Top 10 Device Class of Hardware Events [Logs Jamf Compliance Reporter]\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"description\":\"\",\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-c8a0c482-513b-4fca-8b1e-198b6c35a7d7\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"c8a0c482-513b-4fca-8b1e-198b6c35a7d7\":{\"columnOrder\":[\"19746121-180d-4195-81e8-29df90d8ecba\",\"1c2e7075-3625-4789-8817-66df1a97af08\"],\"columns\":{\"19746121-180d-4195-81e8-29df90d8ecba\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Remote Endpoint Type AWSKinesis Region\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"1c2e7075-3625-4789-8817-66df1a97af08\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"jamf_compliance_reporter.log.event_attributes.log.remote_endpoint_type_awskinesis.region\"},\"1c2e7075-3625-4789-8817-66df1a97af08\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"jamf_compliance_reporter.log\\\" and jamf_compliance_reporter.log.dataset : 
\\\"event\\\"\"},\"visualization\":{\"columns\":[{\"columnId\":\"19746121-180d-4195-81e8-29df90d8ecba\"},{\"columnId\":\"1c2e7075-3625-4789-8817-66df1a97af08\"}],\"layerId\":\"c8a0c482-513b-4fca-8b1e-198b6c35a7d7\",\"layerType\":\"data\"}},\"title\":\"Top 10 Remote Endpoint Type by AWSKinesis Region of Preference List Events [Logs Jamf Compliance Reporter]\",\"type\":\"lens\",\"visualizationType\":\"lnsDatatable\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"bb689dd4-ecdd-4b67-a91e-289347474dc2\",\"w\":24,\"x\":24,\"y\":165},\"panelIndex\":\"bb689dd4-ecdd-4b67-a91e-289347474dc2\",\"title\":\"Top 10 Remote Endpoint Type by AWSKinesis Region of Preference List Events [Logs Jamf Compliance Reporter]\",\"type\":\"lens\",\"version\":\"7.17.0\"}]", - "timeRestore": false, - "title": "[Logs Jamf Compliance Reporter] Event", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "jamf_compliance_reporter-dd0ea730-b557-11ec-a813-df29637f29df", - "migrationVersion": { - "dashboard": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "f28205e4-886e-4779-a8ea-db77dba9a68c:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "f28205e4-886e-4779-a8ea-db77dba9a68c:indexpattern-datasource-layer-dcd69ebb-72a3-4bc6-8a68-aca6570839c4", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "d6fd6b7c-d5ff-45ba-b34c-5e17f1d877e1:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "d6fd6b7c-d5ff-45ba-b34c-5e17f1d877e1:indexpattern-datasource-layer-7c7ea45e-c87f-4cb2-b9d6-89a48ce29ff1", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "d73f23b2-bd81-4c6f-86dd-bf792212a813:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "d73f23b2-bd81-4c6f-86dd-bf792212a813:indexpattern-datasource-layer-21cb8b72-ef0b-4afc-8b9f-6a0c7cc17217", - "type": 
"index-pattern" - }, - { - "id": "logs-*", - "name": "18a9850d-21a1-45ea-85c3-a9c78f764f46:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "18a9850d-21a1-45ea-85c3-a9c78f764f46:indexpattern-datasource-layer-7b72f6ca-f0b1-4c09-b1ff-11990af5c585", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "f990bb47-c91a-4c84-88c2-0ed775024099:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "f990bb47-c91a-4c84-88c2-0ed775024099:indexpattern-datasource-layer-81b3e742-4ad8-4120-9b3b-a9893773795a", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "c80a59ad-5830-4463-9978-642de750f3ff:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "c80a59ad-5830-4463-9978-642de750f3ff:indexpattern-datasource-layer-ad610b62-5183-4e71-86d4-52beca5327d7", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "2ba7af74-63e2-46b7-a37f-63415014804d:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "2ba7af74-63e2-46b7-a37f-63415014804d:indexpattern-datasource-layer-46eadc93-b435-41bd-8d5b-f31b5f6353e2", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "c294926e-9b33-4805-8ef9-bd4bcc2634d1:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "c294926e-9b33-4805-8ef9-bd4bcc2634d1:indexpattern-datasource-layer-e218b2a3-f801-4263-b10c-0d0a5c871703", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "a2a956f4-162b-47db-908e-dd1027c6f00c:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "a2a956f4-162b-47db-908e-dd1027c6f00c:indexpattern-datasource-layer-a031233f-898d-4756-bf10-f33c73a72081", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": 
"e2121f67-3794-4e56-a0f5-5bdd6fb1213b:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "e2121f67-3794-4e56-a0f5-5bdd6fb1213b:indexpattern-datasource-layer-0ad21e03-f895-413e-a7e0-55a45a77146c", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "81f9f687-beb7-454d-8ed4-ea234a2c3272:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "81f9f687-beb7-454d-8ed4-ea234a2c3272:indexpattern-datasource-layer-d31c80d7-fb2d-4cd8-8aef-59543b605404", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "51aeea4e-4bb1-4ce2-8738-dc582041496d:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "51aeea4e-4bb1-4ce2-8738-dc582041496d:indexpattern-datasource-layer-795c6a4c-3830-4cb3-be63-b55780d773d7", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "16a293c0-18f7-4ffb-b8f6-6e60afd5c4ac:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "16a293c0-18f7-4ffb-b8f6-6e60afd5c4ac:indexpattern-datasource-layer-ae3e7f06-1bed-44cc-9880-7ff89d7743df", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "0379b610-4693-47f0-b86d-77fd3edee591:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "0379b610-4693-47f0-b86d-77fd3edee591:indexpattern-datasource-layer-19353d2e-e7a5-425f-85f3-b7333b0abf21", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "03a41353-2e3c-4a6c-9593-2b9a0a5f0e1a:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "03a41353-2e3c-4a6c-9593-2b9a0a5f0e1a:indexpattern-datasource-layer-479ee952-5f14-4578-8a20-de63e17627c5", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "d44ee3a0-59e0-46e1-85c8-c70c33353029:indexpattern-datasource-current-indexpattern", - 
"type": "index-pattern" - }, - { - "id": "logs-*", - "name": "d44ee3a0-59e0-46e1-85c8-c70c33353029:indexpattern-datasource-layer-b4273567-51c1-40d5-abd8-8e33f06e1dcd", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "8d99b054-cbe9-43cb-9977-7367eb5085c3:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "8d99b054-cbe9-43cb-9977-7367eb5085c3:indexpattern-datasource-layer-e5f2943e-d6a7-4eb5-adf4-965ed238082c", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "6f1b595d-131c-481b-a60b-8a32f6cf6042:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "6f1b595d-131c-481b-a60b-8a32f6cf6042:indexpattern-datasource-layer-ad2d2003-f5ae-4aa9-a78e-680c8bcba23c", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "0bb50df3-d3d2-4f48-962a-0085fb070327:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "0bb50df3-d3d2-4f48-962a-0085fb070327:indexpattern-datasource-layer-4b411163-e685-45c0-a1b0-756ce6d0a1eb", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "592418e3-3172-448b-915e-0d12808b46d7:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "592418e3-3172-448b-915e-0d12808b46d7:indexpattern-datasource-layer-9784b039-9999-4347-bbe5-b6429a3bc2eb", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "e87863af-fbee-466c-a3e8-a5880304a82a:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "e87863af-fbee-466c-a3e8-a5880304a82a:indexpattern-datasource-layer-f0047360-8ac5-42d2-b35f-fe490b61d3a7", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "b274f4a7-d788-4ff4-81ea-aed7756fedf9:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": 
"b274f4a7-d788-4ff4-81ea-aed7756fedf9:indexpattern-datasource-layer-97ddbe50-1740-4998-b2ba-ff5e13a64e36", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "5049dc95-bcb6-4e0e-8919-422050d8a54c:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "5049dc95-bcb6-4e0e-8919-422050d8a54c:indexpattern-datasource-layer-6dba6e01-ce8c-4bb4-be06-6d9ee868f043", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "b26730ed-d34f-4ebe-8739-d6fc5fc220fa:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "b26730ed-d34f-4ebe-8739-d6fc5fc220fa:indexpattern-datasource-layer-7e99d2b3-a231-4553-a927-3553d056cc16", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "bb689dd4-ecdd-4b67-a91e-289347474dc2:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "bb689dd4-ecdd-4b67-a91e-289347474dc2:indexpattern-datasource-layer-c8a0c482-513b-4fca-8b1e-198b6c35a7d7", - "type": "index-pattern" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/jamf_compliance_reporter/0.2.1/kibana/dashboard/jamf_compliance_reporter-dd28ec80-b584-11ec-a813-df29637f29df.json b/packages/jamf_compliance_reporter/0.2.1/kibana/dashboard/jamf_compliance_reporter-dd28ec80-b584-11ec-a813-df29637f29df.json deleted file mode 100755 index adf6c98c62..0000000000 --- a/packages/jamf_compliance_reporter/0.2.1/kibana/dashboard/jamf_compliance_reporter-dd28ec80-b584-11ec-a813-df29637f29df.json +++ /dev/null 
@@ -1,52 +0,0 @@
-{
- "attributes": {
- "description": "",
- "hits": 0,
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"jamf_compliance_reporter.log\\\" and jamf_compliance_reporter.log.dataset : \\\"app_metrics\\\"\"}}"
- },
- "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}",
- "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{},\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"jamf_compliance_reporter.log\\\" and jamf_compliance_reporter.log.dataset : \\\"app_metrics\\\"\"}}},\"description\":\"\",\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"drop_last_bucket\":0,\"id\":\"fa25f9df-c199-49e4-b929-cfcedeadcf54\",\"index_pattern\":\"logs-*\",\"interval\":\"\",\"isModelInvalid\":false,\"max_lines_legend\":1,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"ccb0ffc8-0599-411d-a5e9-7cc3908789ab\",\"label\":\"CPU Percentage\",\"line_width\":1,\"metrics\":[{\"field\":\"jamf_compliance_reporter.log.app_metric_info.cpu_percentage\",\"id\":\"a832b9ad-31a4-4800-a774-ff440e3293a6\",\"type\":\"avg\"}],\"override_index_pattern\":0,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"point_size\":1,\"separate_axis\":0,\"series_drop_last_bucket\":0,\"split_mode\":\"everything\",\"stacked\":\"none\",\"time_range_mode\":\"entire_time_range\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"time_range_mode\":\"entire_time_range\",\"tooltip_mode\":\"show_all\",\"truncate_legend\":1,\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"CPU Utilization Over Time [Logs Jamf Compliance 
Reporter]\",\"type\":\"metrics\",\"uiState\":{}}},\"gridData\":{\"h\":15,\"i\":\"4dd382d1-e84a-4351-bced-36a6625b3e8e\",\"w\":24,\"x\":0,\"y\":0},\"panelIndex\":\"4dd382d1-e84a-4351-bced-36a6625b3e8e\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"description\":\"\",\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-e3280c4e-9935-45c1-8716-c6be28f1b2bf\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"e3280c4e-9935-45c1-8716-c6be28f1b2bf\":{\"columnOrder\":[\"bc98875f-49d7-4a57-829e-5cb7ccb143d3\",\"d388bcb3-cead-43bb-b177-34082d218734\"],\"columns\":{\"bc98875f-49d7-4a57-829e-5cb7ccb143d3\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"OS Version\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"d388bcb3-cead-43bb-b177-34082d218734\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"host.os.version\"},\"d388bcb3-cead-43bb-b177-34082d218734\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"jamf_compliance_reporter.log\\\" and jamf_compliance_reporter.log.dataset : \\\"app_metrics\\\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"bc98875f-49d7-4a57-829e-5cb7ccb143d3\"],\"layerId\":\"e3280c4e-9935-45c1-8716-c6be28f1b2bf\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"d388bcb3-cead-43bb-b177-34082d218734\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"pie\"}},\"title\":\"Distribution of App Metrics 
Events by Host OS Version [Logs Jamf Compliance Reporter]\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"4a142331-39c2-428e-af3c-b693e89e68eb\",\"w\":24,\"x\":24,\"y\":0},\"panelIndex\":\"4a142331-39c2-428e-af3c-b693e89e68eb\",\"title\":\"Distribution of App Metrics Events by Host OS Version [Logs Jamf Compliance Reporter]\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-47994ee6-4086-45d0-9b05-3607e2aff799\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"47994ee6-4086-45d0-9b05-3607e2aff799\":{\"columnOrder\":[\"2075f97d-4358-41ce-a75b-e1e1d8284ce4\",\"00c36b12-671f-424b-9768-895bce4a69e3\"],\"columns\":{\"00c36b12-671f-424b-9768-895bce4a69e3\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"2075f97d-4358-41ce-a75b-e1e1d8284ce4\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Host Name\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"00c36b12-671f-424b-9768-895bce4a69e3\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"host.hostname\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"jamf_compliance_reporter.log\\\" and jamf_compliance_reporter.log.dataset : 
\\\"app_metrics\\\"\"},\"visualization\":{\"columns\":[{\"columnId\":\"2075f97d-4358-41ce-a75b-e1e1d8284ce4\",\"isTransposed\":false},{\"columnId\":\"00c36b12-671f-424b-9768-895bce4a69e3\",\"isTransposed\":false}],\"layerId\":\"47994ee6-4086-45d0-9b05-3607e2aff799\",\"layerType\":\"data\"}},\"title\":\"Top 10 Host Name [Logs Jamf Compliance Reporter]\",\"type\":\"lens\",\"visualizationType\":\"lnsDatatable\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"d2f744c1-549b-4f27-aa67-f5a7ddaa85af\",\"w\":24,\"x\":0,\"y\":15},\"panelIndex\":\"d2f744c1-549b-4f27-aa67-f5a7ddaa85af\",\"title\":\"Top 10 Host Name [Logs Jamf Compliance Reporter]\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"description\":\"\",\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-6aeac12b-c950-45ee-b62d-e16771eec500\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"6aeac12b-c950-45ee-b62d-e16771eec500\":{\"columnOrder\":[\"f88280b9-1eb1-42f2-abb7-aef75cf84910\",\"adc701b8-ea7d-496f-87e5-fba5e78766cf\"],\"columns\":{\"adc701b8-ea7d-496f-87e5-fba5e78766cf\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Maximum CPU Percentage \",\"operationType\":\"max\",\"scale\":\"ratio\",\"sourceField\":\"jamf_compliance_reporter.log.app_metric_info.cpu_percentage\"},\"f88280b9-1eb1-42f2-abb7-aef75cf84910\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Host 
Name\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"adc701b8-ea7d-496f-87e5-fba5e78766cf\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"host.hostname\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"jamf_compliance_reporter.log\\\" and jamf_compliance_reporter.log.dataset : \\\"app_metrics\\\"\"},\"visualization\":{\"columns\":[{\"columnId\":\"f88280b9-1eb1-42f2-abb7-aef75cf84910\",\"isTransposed\":false},{\"columnId\":\"adc701b8-ea7d-496f-87e5-fba5e78766cf\",\"isTransposed\":false}],\"layerId\":\"6aeac12b-c950-45ee-b62d-e16771eec500\",\"layerType\":\"data\"}},\"title\":\"Max CPU Utilization per Host [Logs Jamf Compliance Reporter]\",\"type\":\"lens\",\"visualizationType\":\"lnsDatatable\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"74afe262-2bf2-4ea8-966c-2c51b623f27d\",\"w\":24,\"x\":24,\"y\":15},\"panelIndex\":\"74afe262-2bf2-4ea8-966c-2c51b623f27d\",\"title\":\"Max CPU Utilization per Host [Logs Jamf Compliance Reporter]\",\"type\":\"lens\",\"version\":\"7.17.0\"}]", - "timeRestore": false, - "title": "[Logs Jamf Compliance Reporter] App Metrics", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "jamf_compliance_reporter-dd28ec80-b584-11ec-a813-df29637f29df", - "migrationVersion": { - "dashboard": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "4a142331-39c2-428e-af3c-b693e89e68eb:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "4a142331-39c2-428e-af3c-b693e89e68eb:indexpattern-datasource-layer-e3280c4e-9935-45c1-8716-c6be28f1b2bf", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "d2f744c1-549b-4f27-aa67-f5a7ddaa85af:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": 
"d2f744c1-549b-4f27-aa67-f5a7ddaa85af:indexpattern-datasource-layer-47994ee6-4086-45d0-9b05-3607e2aff799", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "74afe262-2bf2-4ea8-966c-2c51b623f27d:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "74afe262-2bf2-4ea8-966c-2c51b623f27d:indexpattern-datasource-layer-6aeac12b-c950-45ee-b62d-e16771eec500", - "type": "index-pattern" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/jamf_compliance_reporter/0.2.1/manifest.yml b/packages/jamf_compliance_reporter/0.2.1/manifest.yml deleted file mode 100755 index abca6d1074..0000000000 --- a/packages/jamf_compliance_reporter/0.2.1/manifest.yml +++ /dev/null @@ -1,35 +0,0 @@ -format_version: 1.0.0 -name: jamf_compliance_reporter -title: Jamf Compliance Reporter -version: 0.2.1 -license: basic -description: Collect logs from Jamf Compliance Reporter with Elastic Agent. -type: integration -categories: - - security -release: beta -conditions: - kibana.version: ^7.17.0 || ^8.0.0 -screenshots: - - src: /img/jamf-compliance-reporter-screenshot.png - title: Jamf Compliance Reporter Screenshot - size: 600x600 - type: image/png -icons: - - src: /img/jamf-compliance-reporter-logo.svg - title: Jamf Compliance Reporter Logo - size: 32x32 - type: image/svg+xml -policy_templates: - - name: Jamf Compliance Reporter - title: Jamf Compliance Reporter logs - description: Collect Jamf Compliance Reporter logs. - inputs: - - type: http_endpoint - title: Collect Jamf Compliance Reporter logs via HTTP Endpoint - description: Collecting Jamf Compliance Reporter logs. - - type: tcp - title: Collect Jamf Compliance Reporter logs via TCP - description: Collecting Jamf Compliance Reporter logs via TCP. -owner: - github: elastic/security-external-integrations 
diff --git a/packages/juniper_junos/0.4.2/LICENSE.txt b/packages/juniper_junos/0.4.2/LICENSE.txt
deleted file mode 100755
index 809108b857..0000000000
--- a/packages/juniper_junos/0.4.2/LICENSE.txt
+++ /dev/null
@@ -1,93 +0,0 @@ -Elastic License 2.0 - -URL: https://www.elastic.co/licensing/elastic-license - -## Acceptance - -By using the software, you agree to all of the terms and conditions below. - -## Copyright License - -The licensor grants you a non-exclusive, royalty-free, worldwide, -non-sublicensable, non-transferable license to use, copy, distribute, make -available, and prepare derivative works of the software, in each case subject to -the limitations and conditions below. - -## Limitations - -You may not provide the software to third parties as a hosted or managed -service, where the service provides users with access to any substantial set of -the features or functionality of the software. - -You may not move, change, disable, or circumvent the license key functionality -in the software, and you may not remove or obscure any functionality in the -software that is protected by the license key. - -You may not alter, remove, or obscure any licensing, copyright, or other notices -of the licensor in the software. Any use of the licensor’s trademarks is subject -to applicable law. - -## Patents - -The licensor grants you a license, under any patent claims the licensor can -license, or becomes able to license, to make, have made, use, sell, offer for -sale, import and have imported the software, in each case subject to the -limitations and conditions in this license. This license does not cover any -patent claims that you cause to be infringed by modifications or additions to -the software. If you or your company make any written claim that the software -infringes or contributes to infringement of any patent, your patent license for -the software granted under these terms ends immediately. If your company makes -such a claim, your patent license ends immediately for work on behalf of your -company. - -## Notices - -You must ensure that anyone who gets a copy of any part of the software from you -also gets a copy of these terms. 
- -If you modify the software, you must include in any modified copies of the -software prominent notices stating that you have modified the software. - -## No Other Rights - -These terms do not imply any licenses other than those expressly granted in -these terms. - -## Termination - -If you use the software in violation of these terms, such use is not licensed, -and your licenses will automatically terminate. If the licensor provides you -with a notice of your violation, and you cease all violation of this license no -later than 30 days after you receive that notice, your licenses will be -reinstated retroactively. However, if you violate these terms after such -reinstatement, any additional violation of these terms will cause your licenses -to terminate automatically and permanently. - -## No Liability - -*As far as the law allows, the software comes as is, without any warranty or -condition, and the licensor will not be liable to you for any damages arising -out of these terms or the use or nature of the software, under any kind of -legal claim.* - -## Definitions - -The **licensor** is the entity offering these terms, and the **software** is the -software the licensor makes available under these terms, including any portion -of it. - -**you** refers to the individual or entity agreeing to these terms. - -**your company** is any legal entity, sole proprietorship, or other kind of -organization that you work for, plus all organizations that have control over, -are under the control of, or are under common control with that -organization. **control** means ownership of substantially all the assets of an -entity, or the power to direct its management and policies by vote, contract, or -otherwise. Control can be direct or indirect. - -**your licenses** are all the licenses granted to you for the software under -these terms. - -**use** means anything you do with the software requiring one of your licenses. 
- -**trademark** means trademarks, service marks, and similar rights. diff --git a/packages/juniper_junos/0.4.2/changelog.yml b/packages/juniper_junos/0.4.2/changelog.yml deleted file mode 100755 index 6f1e621514..0000000000 --- a/packages/juniper_junos/0.4.2/changelog.yml +++ /dev/null @@ -1,51 +0,0 @@ -# newer versions go on top -- version: "0.4.2" - changes: - - description: Remove duplicate field. - type: bugfix - link: https://github.com/elastic/integrations/issues/4327 -- version: "0.4.1" - changes: - - description: Use ECS geo.location definition. - type: enhancement - link: https://github.com/elastic/integrations/issues/4227 -- version: "0.4.0" - changes: - - description: Update package to ECS 8.4.0 - type: enhancement - link: https://github.com/elastic/integrations/pull/3866 -- version: "0.3.0" - changes: - - description: Update package to ECS 8.3.0. - type: enhancement - link: https://github.com/elastic/integrations/pull/3353 -- version: "0.2.1" - changes: - - description: Added link to Jupiter Junos documentation - type: enhancement - link: https://github.com/elastic/integrations/pull/3133 -- version: "0.2.0" - changes: - - description: Update to ECS 8.2.0 - type: enhancement - link: https://github.com/elastic/integrations/pull/2779 -- version: "0.1.1" - changes: - - description: Add documentation for multi-fields - type: enhancement - link: https://github.com/elastic/integrations/pull/2916 -- version: "0.1.0" - changes: - - description: Update to ECS 8.0.0 - type: enhancement - link: https://github.com/elastic/integrations/pull/2589 -- version: "0.0.2" - changes: - - description: Regenerate test files using the new GeoIP database - type: bugfix - link: https://github.com/elastic/integrations/pull/2339 -- version: "0.0.1" - changes: - - description: Initial release of new package split from oroginal Juniper package - type: enhancement # can be one of: enhancement, bugfix, breaking-change - link: https://github.com/elastic/integrations/pull/2069 
diff --git a/packages/juniper_junos/0.4.2/data_stream/log/agent/stream/stream.yml.hbs b/packages/juniper_junos/0.4.2/data_stream/log/agent/stream/stream.yml.hbs
deleted file mode 100755
index 6f91e74ff3..0000000000
--- a/packages/juniper_junos/0.4.2/data_stream/log/agent/stream/stream.yml.hbs
+++ /dev/null
@@ -1,12572 +0,0 @@ -paths: -{{#each paths as |path i|}} - - {{path}} -{{/each}} -prospector.scanner.exclude_files: ['\.gz$'] -tags: -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#each tags as |tag i|}} - - {{tag}} -{{/each}} -fields_under_root: true -fields: - observer: - vendor: "Juniper" - product: "Junos" - type: "Routers" -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} -processors: -{{#if processors}} -{{processors}} -{{/if}} -- script: - lang: javascript - params: - ecs: true - rsa: {{rsa_fields}} - tz_offset: {{tz_offset}} - keep_raw: {{keep_raw_fields}} - debug: {{debug}} - source: | - // Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - // or more contributor license agreements. Licensed under the Elastic License; - // you may not use this file except in compliance with the Elastic License. - - /* jshint -W014,-W016,-W097,-W116 */ - - var processor = require("processor"); - var console = require("console"); - - var FLAG_FIELD = "log.flags"; - var FIELDS_OBJECT = "nwparser"; - var FIELDS_PREFIX = FIELDS_OBJECT + "."; - - var defaults = { - debug: false, - ecs: true, - rsa: false, - keep_raw: false, - tz_offset: "local", - strip_priority: true - }; - - var saved_flags = null; - var debug; - var map_ecs; - var map_rsa; - var keep_raw; - var device; - var tz_offset; - var strip_priority; - - // Register params from configuration. - function register(params) { - debug = params.debug !== undefined ? params.debug : defaults.debug; - map_ecs = params.ecs !== undefined ? params.ecs : defaults.ecs; - map_rsa = params.rsa !== undefined ? params.rsa : defaults.rsa; - keep_raw = params.keep_raw !== undefined ? params.keep_raw : defaults.keep_raw; - tz_offset = parse_tz_offset(params.tz_offset !== undefined? params.tz_offset : defaults.tz_offset); - strip_priority = params.strip_priority !== undefined? 
params.strip_priority : defaults.strip_priority; - device = new DeviceProcessor(); - } - - function parse_tz_offset(offset) { - var date; - var m; - switch(offset) { - // local uses the tz offset from the JS VM. - case "local": - date = new Date(); - // Reversing the sign as we the offset from UTC, not to UTC. - return parse_local_tz_offset(-date.getTimezoneOffset()); - // event uses the tz offset from event.timezone (add_locale processor). - case "event": - return offset; - // Otherwise a tz offset in the form "[+-][0-9]{4}" is required. - default: - m = offset.match(/^([+\-])([0-9]{2}):?([0-9]{2})?$/); - if (m === null || m.length !== 4) { - throw("bad timezone offset: '" + offset + "'. Must have the form +HH:MM"); - } - return m[1] + m[2] + ":" + (m[3]!==undefined? m[3] : "00"); - } - } - - function parse_local_tz_offset(minutes) { - var neg = minutes < 0; - minutes = Math.abs(minutes); - var min = minutes % 60; - var hours = Math.floor(minutes / 60); - var pad2digit = function(n) { - if (n < 10) { return "0" + n;} - return "" + n; - }; - return (neg? "-" : "+") + pad2digit(hours) + ":" + pad2digit(min); - } - - function process(evt) { - // Function register is only called by the processor when `params` are set - // in the processor config. - if (device === undefined) { - register(defaults); - } - return device.process(evt); - } - - function processor_chain(subprocessors) { - var builder = new processor.Chain(); - subprocessors.forEach(builder.Add); - return builder.Build().Run; - } - - function linear_select(subprocessors) { - return function (evt) { - var flags = evt.Get(FLAG_FIELD); - var i; - for (i = 0; i < subprocessors.length; i++) { - evt.Delete(FLAG_FIELD); - if (debug) console.warn("linear_select trying entry " + i); - subprocessors[i](evt); - // Dissect processor succeeded? 
- if (evt.Get(FLAG_FIELD) == null) break; - if (debug) console.warn("linear_select failed entry " + i); - } - if (flags !== null) { - evt.Put(FLAG_FIELD, flags); - } - if (debug) { - if (i < subprocessors.length) { - console.warn("linear_select matched entry " + i); - } else { - console.warn("linear_select didn't match"); - } - } - }; - } - - function conditional(opt) { - return function(evt) { - if (opt.if(evt)) { - opt.then(evt); - } else if (opt.else) { - opt.else(evt); - } - }; - } - - var strip_syslog_priority = (function() { - var isEnabled = function() { return strip_priority === true; }; - var fetchPRI = field("_pri"); - var fetchPayload = field("payload"); - var removePayload = remove(["payload"]); - var cleanup = remove(["_pri", "payload"]); - var onMatch = function(evt) { - var pri, priStr = fetchPRI(evt); - if (priStr != null - && 0 < priStr.length && priStr.length < 4 - && !isNaN((pri = Number(priStr))) - && 0 <= pri && pri < 192) { - var severity = pri & 7, - facility = pri >> 3; - setc("_severity", "" + severity)(evt); - setc("_facility", "" + facility)(evt); - // Replace message with priority stripped. - evt.Put("message", fetchPayload(evt)); - removePayload(evt); - } else { - // not a valid syslog PRI, cleanup. 
- cleanup(evt); - } - }; - return conditional({ - if: isEnabled, - then: cleanup_flags(match( - "STRIP_PRI", - "message", - "<%{_pri}>%{payload}", - onMatch - )) - }); - })(); - - function match(id, src, pattern, on_success) { - var dissect = new processor.Dissect({ - field: src, - tokenizer: pattern, - target_prefix: FIELDS_OBJECT, - ignore_failure: true, - overwrite_keys: true, - trim_values: "right" - }); - return function (evt) { - var msg = evt.Get(src); - dissect.Run(evt); - var failed = evt.Get(FLAG_FIELD) != null; - if (debug) { - if (failed) { - console.debug("dissect fail: " + id + " field:" + src); - } else { - console.debug("dissect OK: " + id + " field:" + src); - } - console.debug(" expr: <<" + pattern + ">>"); - console.debug(" input: <<" + msg + ">>"); - } - if (on_success != null && !failed) { - on_success(evt); - } - }; - } - - function match_copy(id, src, dst, on_success) { - dst = FIELDS_PREFIX + dst; - if (dst === FIELDS_PREFIX || dst === src) { - return function (evt) { - if (debug) { - console.debug("noop OK: " + id + " field:" + src); - console.debug(" input: <<" + evt.Get(src) + ">>"); - } - if (on_success != null) on_success(evt); - } - } - return function (evt) { - var msg = evt.Get(src); - evt.Put(dst, msg); - if (debug) { - console.debug("copy OK: " + id + " field:" + src); - console.debug(" target: '" + dst + "'"); - console.debug(" input: <<" + msg + ">>"); - } - if (on_success != null) on_success(evt); - } - } - - function cleanup_flags(processor) { - return function(evt) { - processor(evt); - evt.Delete(FLAG_FIELD); - }; - } - - function all_match(opts) { - return function (evt) { - var i; - for (i = 0; i < opts.processors.length; i++) { - evt.Delete(FLAG_FIELD); - opts.processors[i](evt); - // Dissect processor succeeded? 
- if (evt.Get(FLAG_FIELD) != null) { - if (debug) console.warn("all_match failure at " + i); - if (opts.on_failure != null) opts.on_failure(evt); - return; - } - if (debug) console.warn("all_match success at " + i); - } - if (opts.on_success != null) opts.on_success(evt); - }; - } - - function msgid_select(mapping) { - return function (evt) { - var msgid = evt.Get(FIELDS_PREFIX + "messageid"); - if (msgid == null) { - if (debug) console.warn("msgid_select: no messageid captured!"); - return; - } - var next = mapping[msgid]; - if (next === undefined) { - if (debug) console.warn("msgid_select: no mapping for messageid:" + msgid); - return; - } - if (debug) console.info("msgid_select: matched key=" + msgid); - return next(evt); - }; - } - - function msg(msg_id, match) { - return function (evt) { - match(evt); - if (evt.Get(FLAG_FIELD) == null) { - evt.Put(FIELDS_PREFIX + "msg_id1", msg_id); - } - }; - } - - var start; - - function save_flags(evt) { - saved_flags = evt.Get(FLAG_FIELD); - evt.Put("event.original", evt.Get("message")); - } - - function restore_flags(evt) { - if (saved_flags !== null) { - evt.Put(FLAG_FIELD, saved_flags); - } - evt.Delete("message"); - } - - function constant(value) { - return function (evt) { - return value; - }; - } - - function field(name) { - var fullname = FIELDS_PREFIX + name; - return function (evt) { - return evt.Get(fullname); - }; - } - - function STRCAT(args) { - var s = ""; - var i; - for (i = 0; i < args.length; i++) { - s += args[i]; - } - return s; - } - - // TODO: Implement - function DIRCHK(args) { - unimplemented("DIRCHK"); - } - - function strictToInt(str) { - return str * 1; - } - - function CALC(args) { - if (args.length !== 3) { - console.warn("skipped call to CALC with " + args.length + " arguments."); - return; - } - var a = strictToInt(args[0]); - var b = strictToInt(args[2]); - if (isNaN(a) || isNaN(b)) { - console.warn("failed evaluating CALC arguments a='" + args[0] + "' b='" + args[2] + "'."); - return; - } - 
var result; - switch (args[1]) { - case "+": - result = a + b; - break; - case "-": - result = a - b; - break; - case "*": - result = a * b; - break; - default: - // Only * and + seen in the parsers. - console.warn("unknown CALC operation '" + args[1] + "'."); - return; - } - // Always return a string - return result !== undefined ? "" + result : result; - } - - var quoteChars = "\"'`"; - function RMQ(args) { - if(args.length !== 1) { - console.warn("RMQ: only one argument expected"); - return; - } - var value = args[0].trim(); - var n = value.length; - var char; - return n > 1 - && (char=value.charAt(0)) === value.charAt(n-1) - && quoteChars.indexOf(char) !== -1? - value.substr(1, n-2) - : value; - } - - function call(opts) { - var args = new Array(opts.args.length); - return function (evt) { - for (var i = 0; i < opts.args.length; i++) - if ((args[i] = opts.args[i](evt)) == null) return; - var result = opts.fn(args); - if (result != null) { - evt.Put(opts.dest, result); - } - }; - } - - function nop(evt) { - } - - function appendErrorMsg(evt, msg) { - var value = evt.Get("error.message"); - if (value == null) { - value = [msg]; - } else if (msg instanceof Array) { - value.push(msg); - } else { - value = [value, msg]; - } - evt.Put("error.message", value); - } - - function unimplemented(name) { - appendErrorMsg("unimplemented feature: " + name); - } - - function lookup(opts) { - return function (evt) { - var key = opts.key(evt); - if (key == null) return; - var value = opts.map.keyvaluepairs[key]; - if (value === undefined) { - value = opts.map.default; - } - if (value !== undefined) { - evt.Put(opts.dest, value(evt)); - } - }; - } - - function set(fields) { - return new processor.AddFields({ - target: FIELDS_OBJECT, - fields: fields, - }); - } - - function setf(dst, src) { - return function (evt) { - var val = evt.Get(FIELDS_PREFIX + src); - if (val != null) evt.Put(FIELDS_PREFIX + dst, val); - }; - } - - function setc(dst, value) { - return function (evt) { - 
evt.Put(FIELDS_PREFIX + dst, value); - }; - } - - function set_field(opts) { - return function (evt) { - var val = opts.value(evt); - if (val != null) evt.Put(opts.dest, val); - }; - } - - function dump(label) { - return function (evt) { - console.log("Dump of event at " + label + ": " + JSON.stringify(evt, null, "\t")); - }; - } - - function date_time_join_args(evt, arglist) { - var str = ""; - for (var i = 0; i < arglist.length; i++) { - var fname = FIELDS_PREFIX + arglist[i]; - var val = evt.Get(fname); - if (val != null) { - if (str !== "") str += " "; - str += val; - } else { - if (debug) console.warn("in date_time: input arg " + fname + " is not set"); - } - } - return str; - } - - function to2Digit(num) { - return num? (num < 10? "0" + num : num) : "00"; - } - - // Make two-digit dates 00-69 interpreted as 2000-2069 - // and dates 70-99 translated to 1970-1999. - var twoDigitYearEpoch = 70; - var twoDigitYearCentury = 2000; - - // This is to accept dates up to 2 days in the future, only used when - // no year is specified in a date. 2 days should be enough to account for - // time differences between systems and different tz offsets. - var maxFutureDelta = 2*24*60*60*1000; - - // DateContainer stores date fields and then converts those fields into - // a Date. Necessary because building a Date using its set() methods gives - // different results depending on the order of components. - function DateContainer(tzOffset) { - this.offset = tzOffset === undefined? "Z" : tzOffset; - } - - DateContainer.prototype = { - setYear: function(v) {this.year = v;}, - setMonth: function(v) {this.month = v;}, - setDay: function(v) {this.day = v;}, - setHours: function(v) {this.hours = v;}, - setMinutes: function(v) {this.minutes = v;}, - setSeconds: function(v) {this.seconds = v;}, - - setUNIX: function(v) {this.unix = v;}, - - set2DigitYear: function(v) { - this.year = v < twoDigitYearEpoch? 
twoDigitYearCentury + v : twoDigitYearCentury + v - 100; - }, - - toDate: function() { - if (this.unix !== undefined) { - return new Date(this.unix * 1000); - } - if (this.day === undefined || this.month === undefined) { - // Can't make a date from this. - return undefined; - } - if (this.year === undefined) { - // A date without a year. Set current year, or previous year - // if date would be in the future. - var now = new Date(); - this.year = now.getFullYear(); - var date = this.toDate(); - if (date.getTime() - now.getTime() > maxFutureDelta) { - date.setFullYear(now.getFullYear() - 1); - } - return date; - } - var MM = to2Digit(this.month); - var DD = to2Digit(this.day); - var hh = to2Digit(this.hours); - var mm = to2Digit(this.minutes); - var ss = to2Digit(this.seconds); - return new Date(this.year + "-" + MM + "-" + DD + "T" + hh + ":" + mm + ":" + ss + this.offset); - } - } - - function date_time_try_pattern(fmt, str, tzOffset) { - var date = new DateContainer(tzOffset); - var pos = date_time_try_pattern_at_pos(fmt, str, 0, date); - return pos !== undefined? 
date.toDate() : undefined; - } - - function date_time_try_pattern_at_pos(fmt, str, pos, date) { - var len = str.length; - for (var proc = 0; pos !== undefined && pos < len && proc < fmt.length; proc++) { - pos = fmt[proc](str, pos, date); - } - return pos; - } - - function date_time(opts) { - return function (evt) { - var tzOffset = opts.tz || tz_offset; - if (tzOffset === "event") { - tzOffset = evt.Get("event.timezone"); - } - var str = date_time_join_args(evt, opts.args); - for (var i = 0; i < opts.fmts.length; i++) { - var date = date_time_try_pattern(opts.fmts[i], str, tzOffset); - if (date !== undefined) { - evt.Put(FIELDS_PREFIX + opts.dest, date); - return; - } - } - if (debug) console.warn("in date_time: id=" + opts.id + " FAILED: " + str); - }; - } - - var uA = 60 * 60 * 24; - var uD = 60 * 60 * 24; - var uF = 60 * 60; - var uG = 60 * 60 * 24 * 30; - var uH = 60 * 60; - var uI = 60 * 60; - var uJ = 60 * 60 * 24; - var uM = 60 * 60 * 24 * 30; - var uN = 60 * 60; - var uO = 1; - var uS = 1; - var uT = 60; - var uU = 60; - var uc = dc; - - function duration(opts) { - return function(evt) { - var str = date_time_join_args(evt, opts.args); - for (var i = 0; i < opts.fmts.length; i++) { - var seconds = duration_try_pattern(opts.fmts[i], str); - if (seconds !== undefined) { - evt.Put(FIELDS_PREFIX + opts.dest, seconds); - return; - } - } - if (debug) console.warn("in duration: id=" + opts.id + " (s) FAILED: " + str); - }; - } - - function duration_try_pattern(fmt, str) { - var secs = 0; - var pos = 0; - for (var i=0; i [ month_id , how many chars to skip if month in long form ] - "Jan": [0, 4], - "Feb": [1, 5], - "Mar": [2, 2], - "Apr": [3, 2], - "May": [4, 0], - "Jun": [5, 1], - "Jul": [6, 1], - "Aug": [7, 3], - "Sep": [8, 6], - "Oct": [9, 4], - "Nov": [10, 5], - "Dec": [11, 4], - "jan": [0, 4], - "feb": [1, 5], - "mar": [2, 2], - "apr": [3, 2], - "may": [4, 0], - "jun": [5, 1], - "jul": [6, 1], - "aug": [7, 3], - "sep": [8, 6], - "oct": [9, 4], - "nov": [10, 
5], - "dec": [11, 4], - }; - - // var dC = undefined; - var dR = dateMonthName(true); - var dB = dateMonthName(false); - var dM = dateFixedWidthNumber("M", 2, 1, 12, DateContainer.prototype.setMonth); - var dG = dateVariableWidthNumber("G", 1, 12, DateContainer.prototype.setMonth); - var dD = dateFixedWidthNumber("D", 2, 1, 31, DateContainer.prototype.setDay); - var dF = dateVariableWidthNumber("F", 1, 31, DateContainer.prototype.setDay); - var dH = dateFixedWidthNumber("H", 2, 0, 24, DateContainer.prototype.setHours); - var dI = dateVariableWidthNumber("I", 0, 24, DateContainer.prototype.setHours); // Accept hours >12 - var dN = dateVariableWidthNumber("N", 0, 24, DateContainer.prototype.setHours); - var dT = dateFixedWidthNumber("T", 2, 0, 59, DateContainer.prototype.setMinutes); - var dU = dateVariableWidthNumber("U", 0, 59, DateContainer.prototype.setMinutes); - var dP = parseAMPM; // AM|PM - var dQ = parseAMPM; // A.M.|P.M - var dS = dateFixedWidthNumber("S", 2, 0, 60, DateContainer.prototype.setSeconds); - var dO = dateVariableWidthNumber("O", 0, 60, DateContainer.prototype.setSeconds); - var dY = dateFixedWidthNumber("Y", 2, 0, 99, DateContainer.prototype.set2DigitYear); - var dW = dateFixedWidthNumber("W", 4, 1000, 9999, DateContainer.prototype.setYear); - var dZ = parseHMS; - var dX = dateVariableWidthNumber("X", 0, 0x10000000000, DateContainer.prototype.setUNIX); - - // parseAMPM parses "A.M", "AM", "P.M", "PM" from logs. - // Only works if this modifier appears after the hour has been read from logs - // which is always the case in the 300 devices. 
- function parseAMPM(str, pos, date) { - var n = str.length; - var start = skipws(str, pos); - if (start + 2 > n) return; - var head = str.substr(start, 2).toUpperCase(); - var isPM = false; - var skip = false; - switch (head) { - case "A.": - skip = true; - /* falls through */ - case "AM": - break; - case "P.": - skip = true; - /* falls through */ - case "PM": - isPM = true; - break; - default: - if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(head:" + head + ")"); - return; - } - pos = start + 2; - if (skip) { - if (pos+2 > n || str.substr(pos, 2).toUpperCase() !== "M.") { - if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(tail)"); - return; - } - pos += 2; - } - var hh = date.hours; - if (isPM) { - // Accept existing hour in 24h format. - if (hh < 12) hh += 12; - } else { - if (hh === 12) hh = 0; - } - date.setHours(hh); - return pos; - } - - function parseHMS(str, pos, date) { - return date_time_try_pattern_at_pos([dN, dc(":"), dU, dc(":"), dO], str, pos, date); - } - - function skipws(str, pos) { - for ( var n = str.length; - pos < n && str.charAt(pos) === " "; - pos++) - ; - return pos; - } - - function skipdigits(str, pos) { - var c; - for (var n = str.length; - pos < n && (c = str.charAt(pos)) >= "0" && c <= "9"; - pos++) - ; - return pos; - } - - function dSkip(str, pos, date) { - var chr; - for (;pos < str.length && (chr=str[pos])<'0' || chr>'9'; pos++) {} - return pos < str.length? 
pos : undefined; - } - - function dateVariableWidthNumber(fmtChar, min, max, setter) { - return function (str, pos, date) { - var start = skipws(str, pos); - pos = skipdigits(str, start); - var s = str.substr(start, pos - start); - var value = parseInt(s, 10); - if (value >= min && value <= max) { - setter.call(date, value); - return pos; - } - return; - }; - } - - function dateFixedWidthNumber(fmtChar, width, min, max, setter) { - return function (str, pos, date) { - pos = skipws(str, pos); - var n = str.length; - if (pos + width > n) return; - var s = str.substr(pos, width); - var value = parseInt(s, 10); - if (value >= min && value <= max) { - setter.call(date, value); - return pos + width; - } - return; - }; - } - - // Short month name (Jan..Dec). - function dateMonthName(long) { - return function (str, pos, date) { - pos = skipws(str, pos); - var n = str.length; - if (pos + 3 > n) return; - var mon = str.substr(pos, 3); - var idx = shortMonths[mon]; - if (idx === undefined) { - idx = shortMonths[mon.toLowerCase()]; - } - if (idx === undefined) { - //console.warn("parsing date_time: '" + mon + "' is not a valid short month (%B)"); - return; - } - date.setMonth(idx[0]+1); - return pos + 3 + (long ? 
idx[1] : 0); - }; - } - - function url_wrapper(dst, src, fn) { - return function(evt) { - var value = evt.Get(FIELDS_PREFIX + src), result; - if (value != null && (result = fn(value))!== undefined) { - evt.Put(FIELDS_PREFIX + dst, result); - } else { - console.debug(fn.name + " failed for '" + value + "'"); - } - }; - } - - // The following regular expression for parsing URLs from: - // https://github.com/wizard04wsu/URI_Parsing - // - // The MIT License (MIT) - // - // Copyright (c) 2014 Andrew Harrison - // - // Permission is hereby granted, free of charge, to any person obtaining a copy of - // this software and associated documentation files (the "Software"), to deal in - // the Software without restriction, including without limitation the rights to - // use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of - // the Software, and to permit persons to whom the Software is furnished to do so, - // subject to the following conditions: - // - // The above copyright notice and this permission notice shall be included in all - // copies or substantial portions of the Software. - // - // THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR - // IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS - // FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR - // COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER - // IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN - // CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 
- var uriRegExp = /^([a-z][a-z0-9+.\-]*):(?:\/\/((?:(?=((?:[a-z0-9\-._~!$&'()*+,;=:]|%[0-9A-F]{2})*))(\3)@)?(?=(\[[0-9A-F:.]{2,}\]|(?:[a-z0-9\-._~!$&'()*+,;=]|%[0-9A-F]{2})*))\5(?::(?=(\d*))\6)?)(\/(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\8)?|(\/?(?!\/)(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\10)?)(?:\?(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\11)?(?:#(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\12)?$/i; - - var uriScheme = 1; - var uriDomain = 5; - var uriPort = 6; - var uriPath = 7; - var uriPathAlt = 9; - var uriQuery = 11; - - function domain(dst, src) { - return url_wrapper(dst, src, extract_domain); - } - - function split_url(value) { - var m = value.match(uriRegExp); - if (m && m[uriDomain]) return m; - // Support input in the form "www.example.net/path", but not "/path". - m = ("null://" + value).match(uriRegExp); - if (m) return m; - } - - function extract_domain(value) { - var m = split_url(value); - if (m && m[uriDomain]) return m[uriDomain]; - } - - var extFromPage = /\.[^.]+$/; - function extract_ext(value) { - var page = extract_page(value); - if (page) { - var m = page.match(extFromPage); - if (m) return m[0]; - } - } - - function ext(dst, src) { - return url_wrapper(dst, src, extract_ext); - } - - function fqdn(dst, src) { - // TODO: fqdn and domain(eTLD+1) are currently the same. - return domain(dst, src); - } - - var pageFromPathRegExp = /\/([^\/]+)$/; - var pageName = 1; - - function extract_page(value) { - value = extract_path(value); - if (!value) return undefined; - var m = value.match(pageFromPathRegExp); - if (m) return m[pageName]; - } - - function page(dst, src) { - return url_wrapper(dst, src, extract_page); - } - - function extract_path(value) { - var m = split_url(value); - return m? m[uriPath] || m[uriPathAlt] : undefined; - } - - function path(dst, src) { - return url_wrapper(dst, src, extract_path); - } - - // Map common schemes to their default port. 
- // port has to be a string (will be converted at a later stage). - var schemePort = { - "ftp": "21", - "ssh": "22", - "http": "80", - "https": "443", - }; - - function extract_port(value) { - var m = split_url(value); - if (!m) return undefined; - if (m[uriPort]) return m[uriPort]; - if (m[uriScheme]) { - return schemePort[m[uriScheme]]; - } - } - - function port(dst, src) { - return url_wrapper(dst, src, extract_port); - } - - function extract_query(value) { - var m = split_url(value); - if (m && m[uriQuery]) return m[uriQuery]; - } - - function query(dst, src) { - return url_wrapper(dst, src, extract_query); - } - - function extract_root(value) { - var m = split_url(value); - if (m && m[uriDomain] && m[uriDomain]) { - var scheme = m[uriScheme] && m[uriScheme] !== "null"? - m[uriScheme] + "://" : ""; - var port = m[uriPort]? ":" + m[uriPort] : ""; - return scheme + m[uriDomain] + port; - } - } - - function root(dst, src) { - return url_wrapper(dst, src, extract_root); - } - - function tagval(id, src, cfg, keys, on_success) { - var fail = function(evt) { - evt.Put(FLAG_FIELD, "tagval_parsing_error"); - } - if (cfg.kv_separator.length !== 1) { - throw("Invalid TAGVALMAP ValueDelimiter (must have 1 character)"); - } - var quotes_len = cfg.open_quote.length > 0 && cfg.close_quote.length > 0? 
- cfg.open_quote.length + cfg.close_quote.length : 0; - var kv_regex = new RegExp('^([^' + cfg.kv_separator + ']*)*' + cfg.kv_separator + ' *(.*)*$'); - return function(evt) { - var msg = evt.Get(src); - if (msg === undefined) { - console.warn("tagval: input field is missing"); - return fail(evt); - } - var pairs = msg.split(cfg.pair_separator); - var i; - var success = false; - var prev = ""; - for (i=0; i 0 && - value.length >= cfg.open_quote.length + cfg.close_quote.length && - value.substr(0, cfg.open_quote.length) === cfg.open_quote && - value.substr(value.length - cfg.close_quote.length) === cfg.close_quote) { - value = value.substr(cfg.open_quote.length, value.length - quotes_len); - } - evt.Put(FIELDS_PREFIX + field, value); - success = true; - } - if (!success) { - return fail(evt); - } - if (on_success != null) { - on_success(evt); - } - } - } - - var ecs_mappings = { - "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]}, - "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]}, - "_severity": {convert: to_long, to:[{field: "log.syslog.severity.code", setter: fld_set}]}, - "action": {to:[{field: "event.action", setter: fld_prio, prio: 0}]}, - "administrator": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 4}]}, - "alias.ip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 3},{field: "related.ip", setter: fld_append}]}, - "alias.ipv6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 4},{field: "related.ip", setter: fld_append}]}, - "alias.mac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 1}]}, - "application": {to:[{field: "network.application", setter: fld_set}]}, - "bytes": {convert: to_long, to:[{field: "network.bytes", setter: fld_set}]}, - "c_domain": {to:[{field: "source.domain", setter: fld_prio, prio: 1}]}, - "c_logon_id": {to:[{field: "user.id", setter: fld_prio, prio: 2}]}, - 
"c_user_name": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 8}]}, - "c_username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 2}]}, - "cctld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 1}]}, - "child_pid": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 1}]}, - "child_pid_val": {to:[{field: "process.title", setter: fld_set}]}, - "child_process": {to:[{field: "process.name", setter: fld_prio, prio: 1}]}, - "city.dst": {to:[{field: "destination.geo.city_name", setter: fld_set}]}, - "city.src": {to:[{field: "source.geo.city_name", setter: fld_set}]}, - "daddr": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, - "daddr_v6": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, - "ddomain": {to:[{field: "destination.domain", setter: fld_prio, prio: 0}]}, - "devicehostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, - "devicehostmac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 0}]}, - "dhost": {to:[{field: "destination.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]}, - "dinterface": {to:[{field: "observer.egress.interface.name", setter: fld_set}]}, - "direction": {to:[{field: "network.direction", setter: fld_set}]}, - "directory": {to:[{field: "file.directory", setter: fld_set}]}, - "dmacaddr": {convert: to_mac, to:[{field: "destination.mac", setter: fld_set}]}, - "dns.responsetype": {to:[{field: "dns.answers.type", setter: fld_set}]}, - "dns.resptext": {to:[{field: "dns.answers.name", setter: fld_set}]}, - "dns_querytype": {to:[{field: "dns.question.type", setter: fld_set}]}, - "domain": {to:[{field: "server.domain", setter: fld_prio, prio: 0},{field: "related.hosts", setter: fld_append}]}, - 
"domain.dst": {to:[{field: "destination.domain", setter: fld_prio, prio: 1}]}, - "domain.src": {to:[{field: "source.domain", setter: fld_prio, prio: 2}]}, - "domain_id": {to:[{field: "user.domain", setter: fld_set}]}, - "domainname": {to:[{field: "server.domain", setter: fld_prio, prio: 1}]}, - "dport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 0}]}, - "dtransaddr": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, - "dtransport": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 0}]}, - "ec_outcome": {to:[{field: "event.outcome", setter: fld_ecs_outcome}]}, - "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]}, - "event_source": {to:[{field: "related.hosts", setter: fld_append}]}, - "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]}, - "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]}, - "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]}, - "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]}, - "filename": {to:[{field: "file.name", setter: fld_prio, prio: 0}]}, - "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]}, - "filepath": {to:[{field: "file.path", setter: fld_set}]}, - "filetype": {to:[{field: "file.type", setter: fld_set}]}, - "fqdn": {to:[{field: "related.hosts", setter: fld_append}]}, - "group": {to:[{field: "group.name", setter: fld_set}]}, - "groupid": {to:[{field: "group.id", setter: fld_set}]}, - "host": {to:[{field: "host.name", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]}, - "hostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, - "hostip_v6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, - "hostname": {to:[{field: 
"host.name", setter: fld_prio, prio: 0}]}, - "id": {to:[{field: "event.code", setter: fld_prio, prio: 0}]}, - "interface": {to:[{field: "network.interface.name", setter: fld_set}]}, - "ip.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, - "ip.trans.dst": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, - "ip.trans.src": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, - "ipv6.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, - "latdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lat", setter: fld_set}]}, - "latdec_src": {convert: to_double, to:[{field: "source.geo.location.lat", setter: fld_set}]}, - "location_city": {to:[{field: "geo.city_name", setter: fld_set}]}, - "location_country": {to:[{field: "geo.country_name", setter: fld_set}]}, - "location_desc": {to:[{field: "geo.name", setter: fld_set}]}, - "location_dst": {to:[{field: "destination.geo.country_name", setter: fld_set}]}, - "location_src": {to:[{field: "source.geo.country_name", setter: fld_set}]}, - "location_state": {to:[{field: "geo.region_name", setter: fld_set}]}, - "logon_id": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 5}]}, - "longdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lon", setter: fld_set}]}, - "longdec_src": {convert: to_double, to:[{field: "source.geo.location.lon", setter: fld_set}]}, - "macaddr": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 2}]}, - "messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]}, - "method": {to:[{field: "http.request.method", setter: fld_set}]}, - "msg": {to:[{field: "message", setter: fld_set}]}, - "orig_ip": {convert: to_ip, 
to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, - "owner": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 6}]}, - "packets": {convert: to_long, to:[{field: "network.packets", setter: fld_set}]}, - "parent_pid": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 0}]}, - "parent_pid_val": {to:[{field: "process.parent.title", setter: fld_set}]}, - "parent_process": {to:[{field: "process.parent.name", setter: fld_prio, prio: 0}]}, - "patient_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 1}]}, - "port.dst": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 1}]}, - "port.src": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 1}]}, - "port.trans.dst": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 1}]}, - "port.trans.src": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 1}]}, - "process": {to:[{field: "process.name", setter: fld_prio, prio: 0}]}, - "process_id": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 0}]}, - "process_id_src": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 1}]}, - "process_src": {to:[{field: "process.parent.name", setter: fld_prio, prio: 1}]}, - "product": {to:[{field: "observer.product", setter: fld_set}]}, - "protocol": {to:[{field: "network.protocol", setter: fld_set}]}, - "query": {to:[{field: "url.query", setter: fld_prio, prio: 2}]}, - "rbytes": {convert: to_long, to:[{field: "destination.bytes", setter: fld_set}]}, - "referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 1}]}, - "rulename": {to:[{field: "rule.name", setter: fld_set}]}, - "saddr": {convert: to_ip, to:[{field: "source.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, - "saddr_v6": {convert: to_ip, to:[{field: "source.ip", setter: 
fld_set},{field: "related.ip", setter: fld_append}]}, - "sbytes": {convert: to_long, to:[{field: "source.bytes", setter: fld_set}]}, - "sdomain": {to:[{field: "source.domain", setter: fld_prio, prio: 0}]}, - "service": {to:[{field: "service.name", setter: fld_prio, prio: 1}]}, - "service.name": {to:[{field: "service.name", setter: fld_prio, prio: 0}]}, - "service_account": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 7}]}, - "severity": {to:[{field: "log.level", setter: fld_set}]}, - "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]}, - "sinterface": {to:[{field: "observer.ingress.interface.name", setter: fld_set}]}, - "sld": {to:[{field: "url.registered_domain", setter: fld_set}]}, - "smacaddr": {convert: to_mac, to:[{field: "source.mac", setter: fld_set}]}, - "sport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 0}]}, - "stransaddr": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, - "stransport": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 0}]}, - "tcp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 2}]}, - "tcp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 2}]}, - "timezone": {to:[{field: "event.timezone", setter: fld_set}]}, - "tld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 0}]}, - "udp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 3}]}, - "udp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 3}]}, - "uid": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 3}]}, - "url": {to:[{field: "url.original", setter: fld_prio, prio: 1}]}, - "url_raw": {to:[{field: "url.original", setter: fld_prio, prio: 
0}]}, - "urldomain": {to:[{field: "url.domain", setter: fld_prio, prio: 0}]}, - "urlquery": {to:[{field: "url.query", setter: fld_prio, prio: 0}]}, - "user": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 0}]}, - "user.id": {to:[{field: "user.id", setter: fld_prio, prio: 1}]}, - "user_agent": {to:[{field: "user_agent.original", setter: fld_set}]}, - "user_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 0}]}, - "user_id": {to:[{field: "user.id", setter: fld_prio, prio: 0}]}, - "username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 1}]}, - "version": {to:[{field: "observer.version", setter: fld_set}]}, - "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]}, - "web_extension": {to:[{field: "file.extension", setter: fld_prio, prio: 0}]}, - "web_query": {to:[{field: "url.query", setter: fld_prio, prio: 1}]}, - "web_ref_domain": {to:[{field: "related.hosts", setter: fld_append}]}, - "web_referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 0}]}, - "web_root": {to:[{field: "url.path", setter: fld_set}]}, - "webpage": {to:[{field: "file.name", setter: fld_prio, prio: 1}]}, - }; - - var rsa_mappings = { - "access_point": {to:[{field: "rsa.wireless.access_point", setter: fld_set}]}, - "accesses": {to:[{field: "rsa.identity.accesses", setter: fld_set}]}, - "acl_id": {to:[{field: "rsa.misc.acl_id", setter: fld_set}]}, - "acl_op": {to:[{field: "rsa.misc.acl_op", setter: fld_set}]}, - "acl_pos": {to:[{field: "rsa.misc.acl_pos", setter: fld_set}]}, - "acl_table": {to:[{field: "rsa.misc.acl_table", setter: fld_set}]}, - "action": {to:[{field: "rsa.misc.action", setter: fld_append}]}, - "ad_computer_dst": {to:[{field: "rsa.network.ad_computer_dst", setter: fld_set}]}, - "addr": {to:[{field: "rsa.network.addr", setter: fld_set}]}, - "admin": {to:[{field: "rsa.misc.admin", setter: 
fld_set}]}, - "agent": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 0}]}, - "agent.id": {to:[{field: "rsa.misc.agent_id", setter: fld_set}]}, - "alarm_id": {to:[{field: "rsa.misc.alarm_id", setter: fld_set}]}, - "alarmname": {to:[{field: "rsa.misc.alarmname", setter: fld_set}]}, - "alert": {to:[{field: "rsa.threat.alert", setter: fld_set}]}, - "alert_id": {to:[{field: "rsa.misc.alert_id", setter: fld_set}]}, - "alias.host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "analysis.file": {to:[{field: "rsa.investigations.analysis_file", setter: fld_set}]}, - "analysis.service": {to:[{field: "rsa.investigations.analysis_service", setter: fld_set}]}, - "analysis.session": {to:[{field: "rsa.investigations.analysis_session", setter: fld_set}]}, - "app_id": {to:[{field: "rsa.misc.app_id", setter: fld_set}]}, - "attachment": {to:[{field: "rsa.file.attachment", setter: fld_set}]}, - "audit": {to:[{field: "rsa.misc.audit", setter: fld_set}]}, - "audit_class": {to:[{field: "rsa.internal.audit_class", setter: fld_set}]}, - "audit_object": {to:[{field: "rsa.misc.audit_object", setter: fld_set}]}, - "auditdata": {to:[{field: "rsa.misc.auditdata", setter: fld_set}]}, - "authmethod": {to:[{field: "rsa.identity.auth_method", setter: fld_set}]}, - "autorun_type": {to:[{field: "rsa.misc.autorun_type", setter: fld_set}]}, - "bcc": {to:[{field: "rsa.email.email", setter: fld_append}]}, - "benchmark": {to:[{field: "rsa.misc.benchmark", setter: fld_set}]}, - "binary": {to:[{field: "rsa.file.binary", setter: fld_set}]}, - "boc": {to:[{field: "rsa.investigations.boc", setter: fld_set}]}, - "bssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 1}]}, - "bypass": {to:[{field: "rsa.misc.bypass", setter: fld_set}]}, - "c_sid": {to:[{field: "rsa.identity.user_sid_src", setter: fld_set}]}, - "cache": {to:[{field: "rsa.misc.cache", setter: fld_set}]}, - "cache_hit": {to:[{field: "rsa.misc.cache_hit", setter: fld_set}]}, - "calling_from": {to:[{field: 
"rsa.misc.phone", setter: fld_prio, prio: 1}]}, - "calling_to": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 0}]}, - "category": {to:[{field: "rsa.misc.category", setter: fld_set}]}, - "cc": {to:[{field: "rsa.email.email", setter: fld_append}]}, - "cc.number": {convert: to_long, to:[{field: "rsa.misc.cc_number", setter: fld_set}]}, - "cefversion": {to:[{field: "rsa.misc.cefversion", setter: fld_set}]}, - "cert.serial": {to:[{field: "rsa.crypto.cert_serial", setter: fld_set}]}, - "cert_ca": {to:[{field: "rsa.crypto.cert_ca", setter: fld_set}]}, - "cert_checksum": {to:[{field: "rsa.crypto.cert_checksum", setter: fld_set}]}, - "cert_common": {to:[{field: "rsa.crypto.cert_common", setter: fld_set}]}, - "cert_error": {to:[{field: "rsa.crypto.cert_error", setter: fld_set}]}, - "cert_hostname": {to:[{field: "rsa.crypto.cert_host_name", setter: fld_set}]}, - "cert_hostname_cat": {to:[{field: "rsa.crypto.cert_host_cat", setter: fld_set}]}, - "cert_issuer": {to:[{field: "rsa.crypto.cert_issuer", setter: fld_set}]}, - "cert_keysize": {to:[{field: "rsa.crypto.cert_keysize", setter: fld_set}]}, - "cert_status": {to:[{field: "rsa.crypto.cert_status", setter: fld_set}]}, - "cert_subject": {to:[{field: "rsa.crypto.cert_subject", setter: fld_set}]}, - "cert_username": {to:[{field: "rsa.crypto.cert_username", setter: fld_set}]}, - "cfg.attr": {to:[{field: "rsa.misc.cfg_attr", setter: fld_set}]}, - "cfg.obj": {to:[{field: "rsa.misc.cfg_obj", setter: fld_set}]}, - "cfg.path": {to:[{field: "rsa.misc.cfg_path", setter: fld_set}]}, - "change_attribute": {to:[{field: "rsa.misc.change_attrib", setter: fld_set}]}, - "change_new": {to:[{field: "rsa.misc.change_new", setter: fld_set}]}, - "change_old": {to:[{field: "rsa.misc.change_old", setter: fld_set}]}, - "changes": {to:[{field: "rsa.misc.changes", setter: fld_set}]}, - "checksum": {to:[{field: "rsa.misc.checksum", setter: fld_set}]}, - "checksum.dst": {to:[{field: "rsa.misc.checksum_dst", setter: fld_set}]}, - "checksum.src": 
{to:[{field: "rsa.misc.checksum_src", setter: fld_set}]}, - "cid": {to:[{field: "rsa.internal.cid", setter: fld_set}]}, - "client": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 1}]}, - "client_ip": {to:[{field: "rsa.misc.client_ip", setter: fld_set}]}, - "clustermembers": {to:[{field: "rsa.misc.clustermembers", setter: fld_set}]}, - "cmd": {to:[{field: "rsa.misc.cmd", setter: fld_set}]}, - "cn_acttimeout": {to:[{field: "rsa.misc.cn_acttimeout", setter: fld_set}]}, - "cn_asn_dst": {to:[{field: "rsa.web.cn_asn_dst", setter: fld_set}]}, - "cn_asn_src": {to:[{field: "rsa.misc.cn_asn_src", setter: fld_set}]}, - "cn_bgpv4nxthop": {to:[{field: "rsa.misc.cn_bgpv4nxthop", setter: fld_set}]}, - "cn_ctr_dst_code": {to:[{field: "rsa.misc.cn_ctr_dst_code", setter: fld_set}]}, - "cn_dst_tos": {to:[{field: "rsa.misc.cn_dst_tos", setter: fld_set}]}, - "cn_dst_vlan": {to:[{field: "rsa.misc.cn_dst_vlan", setter: fld_set}]}, - "cn_engine_id": {to:[{field: "rsa.misc.cn_engine_id", setter: fld_set}]}, - "cn_engine_type": {to:[{field: "rsa.misc.cn_engine_type", setter: fld_set}]}, - "cn_f_switch": {to:[{field: "rsa.misc.cn_f_switch", setter: fld_set}]}, - "cn_flowsampid": {to:[{field: "rsa.misc.cn_flowsampid", setter: fld_set}]}, - "cn_flowsampintv": {to:[{field: "rsa.misc.cn_flowsampintv", setter: fld_set}]}, - "cn_flowsampmode": {to:[{field: "rsa.misc.cn_flowsampmode", setter: fld_set}]}, - "cn_inacttimeout": {to:[{field: "rsa.misc.cn_inacttimeout", setter: fld_set}]}, - "cn_inpermbyts": {to:[{field: "rsa.misc.cn_inpermbyts", setter: fld_set}]}, - "cn_inpermpckts": {to:[{field: "rsa.misc.cn_inpermpckts", setter: fld_set}]}, - "cn_invalid": {to:[{field: "rsa.misc.cn_invalid", setter: fld_set}]}, - "cn_ip_proto_ver": {to:[{field: "rsa.misc.cn_ip_proto_ver", setter: fld_set}]}, - "cn_ipv4_ident": {to:[{field: "rsa.misc.cn_ipv4_ident", setter: fld_set}]}, - "cn_l_switch": {to:[{field: "rsa.misc.cn_l_switch", setter: fld_set}]}, - "cn_log_did": {to:[{field: 
"rsa.misc.cn_log_did", setter: fld_set}]}, - "cn_log_rid": {to:[{field: "rsa.misc.cn_log_rid", setter: fld_set}]}, - "cn_max_ttl": {to:[{field: "rsa.misc.cn_max_ttl", setter: fld_set}]}, - "cn_maxpcktlen": {to:[{field: "rsa.misc.cn_maxpcktlen", setter: fld_set}]}, - "cn_min_ttl": {to:[{field: "rsa.misc.cn_min_ttl", setter: fld_set}]}, - "cn_minpcktlen": {to:[{field: "rsa.misc.cn_minpcktlen", setter: fld_set}]}, - "cn_mpls_lbl_1": {to:[{field: "rsa.misc.cn_mpls_lbl_1", setter: fld_set}]}, - "cn_mpls_lbl_10": {to:[{field: "rsa.misc.cn_mpls_lbl_10", setter: fld_set}]}, - "cn_mpls_lbl_2": {to:[{field: "rsa.misc.cn_mpls_lbl_2", setter: fld_set}]}, - "cn_mpls_lbl_3": {to:[{field: "rsa.misc.cn_mpls_lbl_3", setter: fld_set}]}, - "cn_mpls_lbl_4": {to:[{field: "rsa.misc.cn_mpls_lbl_4", setter: fld_set}]}, - "cn_mpls_lbl_5": {to:[{field: "rsa.misc.cn_mpls_lbl_5", setter: fld_set}]}, - "cn_mpls_lbl_6": {to:[{field: "rsa.misc.cn_mpls_lbl_6", setter: fld_set}]}, - "cn_mpls_lbl_7": {to:[{field: "rsa.misc.cn_mpls_lbl_7", setter: fld_set}]}, - "cn_mpls_lbl_8": {to:[{field: "rsa.misc.cn_mpls_lbl_8", setter: fld_set}]}, - "cn_mpls_lbl_9": {to:[{field: "rsa.misc.cn_mpls_lbl_9", setter: fld_set}]}, - "cn_mplstoplabel": {to:[{field: "rsa.misc.cn_mplstoplabel", setter: fld_set}]}, - "cn_mplstoplabip": {to:[{field: "rsa.misc.cn_mplstoplabip", setter: fld_set}]}, - "cn_mul_dst_byt": {to:[{field: "rsa.misc.cn_mul_dst_byt", setter: fld_set}]}, - "cn_mul_dst_pks": {to:[{field: "rsa.misc.cn_mul_dst_pks", setter: fld_set}]}, - "cn_muligmptype": {to:[{field: "rsa.misc.cn_muligmptype", setter: fld_set}]}, - "cn_rpackets": {to:[{field: "rsa.web.cn_rpackets", setter: fld_set}]}, - "cn_sampalgo": {to:[{field: "rsa.misc.cn_sampalgo", setter: fld_set}]}, - "cn_sampint": {to:[{field: "rsa.misc.cn_sampint", setter: fld_set}]}, - "cn_seqctr": {to:[{field: "rsa.misc.cn_seqctr", setter: fld_set}]}, - "cn_spackets": {to:[{field: "rsa.misc.cn_spackets", setter: fld_set}]}, - "cn_src_tos": {to:[{field: 
"rsa.misc.cn_src_tos", setter: fld_set}]}, - "cn_src_vlan": {to:[{field: "rsa.misc.cn_src_vlan", setter: fld_set}]}, - "cn_sysuptime": {to:[{field: "rsa.misc.cn_sysuptime", setter: fld_set}]}, - "cn_template_id": {to:[{field: "rsa.misc.cn_template_id", setter: fld_set}]}, - "cn_totbytsexp": {to:[{field: "rsa.misc.cn_totbytsexp", setter: fld_set}]}, - "cn_totflowexp": {to:[{field: "rsa.misc.cn_totflowexp", setter: fld_set}]}, - "cn_totpcktsexp": {to:[{field: "rsa.misc.cn_totpcktsexp", setter: fld_set}]}, - "cn_unixnanosecs": {to:[{field: "rsa.misc.cn_unixnanosecs", setter: fld_set}]}, - "cn_v6flowlabel": {to:[{field: "rsa.misc.cn_v6flowlabel", setter: fld_set}]}, - "cn_v6optheaders": {to:[{field: "rsa.misc.cn_v6optheaders", setter: fld_set}]}, - "code": {to:[{field: "rsa.misc.code", setter: fld_set}]}, - "command": {to:[{field: "rsa.misc.command", setter: fld_set}]}, - "comments": {to:[{field: "rsa.misc.comments", setter: fld_set}]}, - "comp_class": {to:[{field: "rsa.misc.comp_class", setter: fld_set}]}, - "comp_name": {to:[{field: "rsa.misc.comp_name", setter: fld_set}]}, - "comp_rbytes": {to:[{field: "rsa.misc.comp_rbytes", setter: fld_set}]}, - "comp_sbytes": {to:[{field: "rsa.misc.comp_sbytes", setter: fld_set}]}, - "component_version": {to:[{field: "rsa.misc.comp_version", setter: fld_set}]}, - "connection_id": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 1}]}, - "connectionid": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 0}]}, - "content": {to:[{field: "rsa.misc.content", setter: fld_set}]}, - "content_type": {to:[{field: "rsa.misc.content_type", setter: fld_set}]}, - "content_version": {to:[{field: "rsa.misc.content_version", setter: fld_set}]}, - "context": {to:[{field: "rsa.misc.context", setter: fld_set}]}, - "count": {to:[{field: "rsa.misc.count", setter: fld_set}]}, - "cpu": {convert: to_long, to:[{field: "rsa.misc.cpu", setter: fld_set}]}, - "cpu_data": {to:[{field: "rsa.misc.cpu_data", setter: fld_set}]}, - 
"criticality": {to:[{field: "rsa.misc.criticality", setter: fld_set}]}, - "cs_agency_dst": {to:[{field: "rsa.misc.cs_agency_dst", setter: fld_set}]}, - "cs_analyzedby": {to:[{field: "rsa.misc.cs_analyzedby", setter: fld_set}]}, - "cs_av_other": {to:[{field: "rsa.misc.cs_av_other", setter: fld_set}]}, - "cs_av_primary": {to:[{field: "rsa.misc.cs_av_primary", setter: fld_set}]}, - "cs_av_secondary": {to:[{field: "rsa.misc.cs_av_secondary", setter: fld_set}]}, - "cs_bgpv6nxthop": {to:[{field: "rsa.misc.cs_bgpv6nxthop", setter: fld_set}]}, - "cs_bit9status": {to:[{field: "rsa.misc.cs_bit9status", setter: fld_set}]}, - "cs_context": {to:[{field: "rsa.misc.cs_context", setter: fld_set}]}, - "cs_control": {to:[{field: "rsa.misc.cs_control", setter: fld_set}]}, - "cs_data": {to:[{field: "rsa.misc.cs_data", setter: fld_set}]}, - "cs_datecret": {to:[{field: "rsa.misc.cs_datecret", setter: fld_set}]}, - "cs_dst_tld": {to:[{field: "rsa.misc.cs_dst_tld", setter: fld_set}]}, - "cs_eth_dst_ven": {to:[{field: "rsa.misc.cs_eth_dst_ven", setter: fld_set}]}, - "cs_eth_src_ven": {to:[{field: "rsa.misc.cs_eth_src_ven", setter: fld_set}]}, - "cs_event_uuid": {to:[{field: "rsa.misc.cs_event_uuid", setter: fld_set}]}, - "cs_filetype": {to:[{field: "rsa.misc.cs_filetype", setter: fld_set}]}, - "cs_fld": {to:[{field: "rsa.misc.cs_fld", setter: fld_set}]}, - "cs_if_desc": {to:[{field: "rsa.misc.cs_if_desc", setter: fld_set}]}, - "cs_if_name": {to:[{field: "rsa.misc.cs_if_name", setter: fld_set}]}, - "cs_ip_next_hop": {to:[{field: "rsa.misc.cs_ip_next_hop", setter: fld_set}]}, - "cs_ipv4dstpre": {to:[{field: "rsa.misc.cs_ipv4dstpre", setter: fld_set}]}, - "cs_ipv4srcpre": {to:[{field: "rsa.misc.cs_ipv4srcpre", setter: fld_set}]}, - "cs_lifetime": {to:[{field: "rsa.misc.cs_lifetime", setter: fld_set}]}, - "cs_log_medium": {to:[{field: "rsa.misc.cs_log_medium", setter: fld_set}]}, - "cs_loginname": {to:[{field: "rsa.misc.cs_loginname", setter: fld_set}]}, - "cs_modulescore": {to:[{field: 
"rsa.misc.cs_modulescore", setter: fld_set}]}, - "cs_modulesign": {to:[{field: "rsa.misc.cs_modulesign", setter: fld_set}]}, - "cs_opswatresult": {to:[{field: "rsa.misc.cs_opswatresult", setter: fld_set}]}, - "cs_payload": {to:[{field: "rsa.misc.cs_payload", setter: fld_set}]}, - "cs_registrant": {to:[{field: "rsa.misc.cs_registrant", setter: fld_set}]}, - "cs_registrar": {to:[{field: "rsa.misc.cs_registrar", setter: fld_set}]}, - "cs_represult": {to:[{field: "rsa.misc.cs_represult", setter: fld_set}]}, - "cs_rpayload": {to:[{field: "rsa.misc.cs_rpayload", setter: fld_set}]}, - "cs_sampler_name": {to:[{field: "rsa.misc.cs_sampler_name", setter: fld_set}]}, - "cs_sourcemodule": {to:[{field: "rsa.misc.cs_sourcemodule", setter: fld_set}]}, - "cs_streams": {to:[{field: "rsa.misc.cs_streams", setter: fld_set}]}, - "cs_targetmodule": {to:[{field: "rsa.misc.cs_targetmodule", setter: fld_set}]}, - "cs_v6nxthop": {to:[{field: "rsa.misc.cs_v6nxthop", setter: fld_set}]}, - "cs_whois_server": {to:[{field: "rsa.misc.cs_whois_server", setter: fld_set}]}, - "cs_yararesult": {to:[{field: "rsa.misc.cs_yararesult", setter: fld_set}]}, - "cve": {to:[{field: "rsa.misc.cve", setter: fld_set}]}, - "d_certauth": {to:[{field: "rsa.crypto.d_certauth", setter: fld_set}]}, - "d_cipher": {to:[{field: "rsa.crypto.cipher_dst", setter: fld_set}]}, - "d_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_dst", setter: fld_set}]}, - "d_sslver": {to:[{field: "rsa.crypto.ssl_ver_dst", setter: fld_set}]}, - "data": {to:[{field: "rsa.internal.data", setter: fld_set}]}, - "data_type": {to:[{field: "rsa.misc.data_type", setter: fld_set}]}, - "date": {to:[{field: "rsa.time.date", setter: fld_set}]}, - "datetime": {to:[{field: "rsa.time.datetime", setter: fld_set}]}, - "day": {to:[{field: "rsa.time.day", setter: fld_set}]}, - "db_id": {to:[{field: "rsa.db.db_id", setter: fld_set}]}, - "db_name": {to:[{field: "rsa.db.database", setter: fld_set}]}, - "db_pid": {convert: to_long, to:[{field: 
"rsa.db.db_pid", setter: fld_set}]}, - "dclass_counter1": {convert: to_long, to:[{field: "rsa.counters.dclass_c1", setter: fld_set}]}, - "dclass_counter1_string": {to:[{field: "rsa.counters.dclass_c1_str", setter: fld_set}]}, - "dclass_counter2": {convert: to_long, to:[{field: "rsa.counters.dclass_c2", setter: fld_set}]}, - "dclass_counter2_string": {to:[{field: "rsa.counters.dclass_c2_str", setter: fld_set}]}, - "dclass_counter3": {convert: to_long, to:[{field: "rsa.counters.dclass_c3", setter: fld_set}]}, - "dclass_counter3_string": {to:[{field: "rsa.counters.dclass_c3_str", setter: fld_set}]}, - "dclass_ratio1": {to:[{field: "rsa.counters.dclass_r1", setter: fld_set}]}, - "dclass_ratio1_string": {to:[{field: "rsa.counters.dclass_r1_str", setter: fld_set}]}, - "dclass_ratio2": {to:[{field: "rsa.counters.dclass_r2", setter: fld_set}]}, - "dclass_ratio2_string": {to:[{field: "rsa.counters.dclass_r2_str", setter: fld_set}]}, - "dclass_ratio3": {to:[{field: "rsa.counters.dclass_r3", setter: fld_set}]}, - "dclass_ratio3_string": {to:[{field: "rsa.counters.dclass_r3_str", setter: fld_set}]}, - "dead": {convert: to_long, to:[{field: "rsa.internal.dead", setter: fld_set}]}, - "description": {to:[{field: "rsa.misc.description", setter: fld_set}]}, - "detail": {to:[{field: "rsa.misc.event_desc", setter: fld_set}]}, - "device": {to:[{field: "rsa.misc.device_name", setter: fld_set}]}, - "device.class": {to:[{field: "rsa.internal.device_class", setter: fld_set}]}, - "device.group": {to:[{field: "rsa.internal.device_group", setter: fld_set}]}, - "device.host": {to:[{field: "rsa.internal.device_host", setter: fld_set}]}, - "device.ip": {convert: to_ip, to:[{field: "rsa.internal.device_ip", setter: fld_set}]}, - "device.ipv6": {convert: to_ip, to:[{field: "rsa.internal.device_ipv6", setter: fld_set}]}, - "device.type": {to:[{field: "rsa.internal.device_type", setter: fld_set}]}, - "device.type.id": {convert: to_long, to:[{field: "rsa.internal.device_type_id", setter: fld_set}]}, 
- "devicehostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "devvendor": {to:[{field: "rsa.misc.devvendor", setter: fld_set}]}, - "dhost": {to:[{field: "rsa.network.host_dst", setter: fld_set}]}, - "did": {to:[{field: "rsa.internal.did", setter: fld_set}]}, - "dinterface": {to:[{field: "rsa.network.dinterface", setter: fld_set}]}, - "directory.dst": {to:[{field: "rsa.file.directory_dst", setter: fld_set}]}, - "directory.src": {to:[{field: "rsa.file.directory_src", setter: fld_set}]}, - "disk_volume": {to:[{field: "rsa.storage.disk_volume", setter: fld_set}]}, - "disposition": {to:[{field: "rsa.misc.disposition", setter: fld_set}]}, - "distance": {to:[{field: "rsa.misc.distance", setter: fld_set}]}, - "dmask": {to:[{field: "rsa.network.dmask", setter: fld_set}]}, - "dn": {to:[{field: "rsa.identity.dn", setter: fld_set}]}, - "dns_a_record": {to:[{field: "rsa.network.dns_a_record", setter: fld_set}]}, - "dns_cname_record": {to:[{field: "rsa.network.dns_cname_record", setter: fld_set}]}, - "dns_id": {to:[{field: "rsa.network.dns_id", setter: fld_set}]}, - "dns_opcode": {to:[{field: "rsa.network.dns_opcode", setter: fld_set}]}, - "dns_ptr_record": {to:[{field: "rsa.network.dns_ptr_record", setter: fld_set}]}, - "dns_resp": {to:[{field: "rsa.network.dns_resp", setter: fld_set}]}, - "dns_type": {to:[{field: "rsa.network.dns_type", setter: fld_set}]}, - "doc_number": {convert: to_long, to:[{field: "rsa.misc.doc_number", setter: fld_set}]}, - "domain": {to:[{field: "rsa.network.domain", setter: fld_set}]}, - "domain1": {to:[{field: "rsa.network.domain1", setter: fld_set}]}, - "dst_dn": {to:[{field: "rsa.identity.dn_dst", setter: fld_set}]}, - "dst_payload": {to:[{field: "rsa.misc.payload_dst", setter: fld_set}]}, - "dst_spi": {to:[{field: "rsa.misc.spi_dst", setter: fld_set}]}, - "dst_zone": {to:[{field: "rsa.network.zone_dst", setter: fld_set}]}, - "dstburb": {to:[{field: "rsa.misc.dstburb", setter: fld_set}]}, - "duration": {convert: to_double, 
to:[{field: "rsa.time.duration_time", setter: fld_set}]}, - "duration_string": {to:[{field: "rsa.time.duration_str", setter: fld_set}]}, - "ec_activity": {to:[{field: "rsa.investigations.ec_activity", setter: fld_set}]}, - "ec_outcome": {to:[{field: "rsa.investigations.ec_outcome", setter: fld_set}]}, - "ec_subject": {to:[{field: "rsa.investigations.ec_subject", setter: fld_set}]}, - "ec_theme": {to:[{field: "rsa.investigations.ec_theme", setter: fld_set}]}, - "edomain": {to:[{field: "rsa.misc.edomain", setter: fld_set}]}, - "edomaub": {to:[{field: "rsa.misc.edomaub", setter: fld_set}]}, - "effective_time": {convert: to_date, to:[{field: "rsa.time.effective_time", setter: fld_set}]}, - "ein.number": {convert: to_long, to:[{field: "rsa.misc.ein_number", setter: fld_set}]}, - "email": {to:[{field: "rsa.email.email", setter: fld_append}]}, - "encryption_type": {to:[{field: "rsa.crypto.crypto", setter: fld_set}]}, - "endtime": {convert: to_date, to:[{field: "rsa.time.endtime", setter: fld_set}]}, - "entropy.req": {convert: to_long, to:[{field: "rsa.internal.entropy_req", setter: fld_set}]}, - "entropy.res": {convert: to_long, to:[{field: "rsa.internal.entropy_res", setter: fld_set}]}, - "entry": {to:[{field: "rsa.internal.entry", setter: fld_set}]}, - "eoc": {to:[{field: "rsa.investigations.eoc", setter: fld_set}]}, - "error": {to:[{field: "rsa.misc.error", setter: fld_set}]}, - "eth_type": {convert: to_long, to:[{field: "rsa.network.eth_type", setter: fld_set}]}, - "euid": {to:[{field: "rsa.misc.euid", setter: fld_set}]}, - "event.cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 1}]}, - "event.cat.name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 1}]}, - "event_cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 0}]}, - "event_cat_name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 0}]}, - "event_category": {to:[{field: 
"rsa.misc.event_category", setter: fld_set}]}, - "event_computer": {to:[{field: "rsa.misc.event_computer", setter: fld_set}]}, - "event_counter": {convert: to_long, to:[{field: "rsa.counters.event_counter", setter: fld_set}]}, - "event_description": {to:[{field: "rsa.internal.event_desc", setter: fld_set}]}, - "event_id": {to:[{field: "rsa.misc.event_id", setter: fld_set}]}, - "event_log": {to:[{field: "rsa.misc.event_log", setter: fld_set}]}, - "event_name": {to:[{field: "rsa.internal.event_name", setter: fld_set}]}, - "event_queue_time": {convert: to_date, to:[{field: "rsa.time.event_queue_time", setter: fld_set}]}, - "event_source": {to:[{field: "rsa.misc.event_source", setter: fld_set}]}, - "event_state": {to:[{field: "rsa.misc.event_state", setter: fld_set}]}, - "event_time": {convert: to_date, to:[{field: "rsa.time.event_time", setter: fld_set}]}, - "event_time_str": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 1}]}, - "event_time_string": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 0}]}, - "event_type": {to:[{field: "rsa.misc.event_type", setter: fld_set}]}, - "event_user": {to:[{field: "rsa.misc.event_user", setter: fld_set}]}, - "eventtime": {to:[{field: "rsa.time.eventtime", setter: fld_set}]}, - "expected_val": {to:[{field: "rsa.misc.expected_val", setter: fld_set}]}, - "expiration_time": {convert: to_date, to:[{field: "rsa.time.expire_time", setter: fld_set}]}, - "expiration_time_string": {to:[{field: "rsa.time.expire_time_str", setter: fld_set}]}, - "facility": {to:[{field: "rsa.misc.facility", setter: fld_set}]}, - "facilityname": {to:[{field: "rsa.misc.facilityname", setter: fld_set}]}, - "faddr": {to:[{field: "rsa.network.faddr", setter: fld_set}]}, - "fcatnum": {to:[{field: "rsa.misc.fcatnum", setter: fld_set}]}, - "federated_idp": {to:[{field: "rsa.identity.federated_idp", setter: fld_set}]}, - "federated_sp": {to:[{field: "rsa.identity.federated_sp", setter: fld_set}]}, - "feed.category": {to:[{field: 
"rsa.internal.feed_category", setter: fld_set}]}, - "feed_desc": {to:[{field: "rsa.internal.feed_desc", setter: fld_set}]}, - "feed_name": {to:[{field: "rsa.internal.feed_name", setter: fld_set}]}, - "fhost": {to:[{field: "rsa.network.fhost", setter: fld_set}]}, - "file_entropy": {convert: to_double, to:[{field: "rsa.file.file_entropy", setter: fld_set}]}, - "file_vendor": {to:[{field: "rsa.file.file_vendor", setter: fld_set}]}, - "filename_dst": {to:[{field: "rsa.file.filename_dst", setter: fld_set}]}, - "filename_src": {to:[{field: "rsa.file.filename_src", setter: fld_set}]}, - "filename_tmp": {to:[{field: "rsa.file.filename_tmp", setter: fld_set}]}, - "filesystem": {to:[{field: "rsa.file.filesystem", setter: fld_set}]}, - "filter": {to:[{field: "rsa.misc.filter", setter: fld_set}]}, - "finterface": {to:[{field: "rsa.misc.finterface", setter: fld_set}]}, - "flags": {to:[{field: "rsa.misc.flags", setter: fld_set}]}, - "forensic_info": {to:[{field: "rsa.misc.forensic_info", setter: fld_set}]}, - "forward.ip": {convert: to_ip, to:[{field: "rsa.internal.forward_ip", setter: fld_set}]}, - "forward.ipv6": {convert: to_ip, to:[{field: "rsa.internal.forward_ipv6", setter: fld_set}]}, - "found": {to:[{field: "rsa.misc.found", setter: fld_set}]}, - "fport": {to:[{field: "rsa.network.fport", setter: fld_set}]}, - "fqdn": {to:[{field: "rsa.web.fqdn", setter: fld_set}]}, - "fresult": {convert: to_long, to:[{field: "rsa.misc.fresult", setter: fld_set}]}, - "from": {to:[{field: "rsa.email.email_src", setter: fld_set}]}, - "gaddr": {to:[{field: "rsa.misc.gaddr", setter: fld_set}]}, - "gateway": {to:[{field: "rsa.network.gateway", setter: fld_set}]}, - "gmtdate": {to:[{field: "rsa.time.gmtdate", setter: fld_set}]}, - "gmttime": {to:[{field: "rsa.time.gmttime", setter: fld_set}]}, - "group": {to:[{field: "rsa.misc.group", setter: fld_set}]}, - "group_object": {to:[{field: "rsa.misc.group_object", setter: fld_set}]}, - "groupid": {to:[{field: "rsa.misc.group_id", setter: 
fld_set}]}, - "h_code": {to:[{field: "rsa.internal.hcode", setter: fld_set}]}, - "hardware_id": {to:[{field: "rsa.misc.hardware_id", setter: fld_set}]}, - "header.id": {to:[{field: "rsa.internal.header_id", setter: fld_set}]}, - "host.orig": {to:[{field: "rsa.network.host_orig", setter: fld_set}]}, - "host.state": {to:[{field: "rsa.endpoint.host_state", setter: fld_set}]}, - "host.type": {to:[{field: "rsa.network.host_type", setter: fld_set}]}, - "host_role": {to:[{field: "rsa.identity.host_role", setter: fld_set}]}, - "hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "hostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "hour": {to:[{field: "rsa.time.hour", setter: fld_set}]}, - "https.insact": {to:[{field: "rsa.crypto.https_insact", setter: fld_set}]}, - "https.valid": {to:[{field: "rsa.crypto.https_valid", setter: fld_set}]}, - "icmpcode": {convert: to_long, to:[{field: "rsa.network.icmp_code", setter: fld_set}]}, - "icmptype": {convert: to_long, to:[{field: "rsa.network.icmp_type", setter: fld_set}]}, - "id": {to:[{field: "rsa.misc.reference_id", setter: fld_set}]}, - "id1": {to:[{field: "rsa.misc.reference_id1", setter: fld_set}]}, - "id2": {to:[{field: "rsa.misc.reference_id2", setter: fld_set}]}, - "id3": {to:[{field: "rsa.misc.id3", setter: fld_set}]}, - "ike": {to:[{field: "rsa.crypto.ike", setter: fld_set}]}, - "ike_cookie1": {to:[{field: "rsa.crypto.ike_cookie1", setter: fld_set}]}, - "ike_cookie2": {to:[{field: "rsa.crypto.ike_cookie2", setter: fld_set}]}, - "im_buddyid": {to:[{field: "rsa.misc.im_buddyid", setter: fld_set}]}, - "im_buddyname": {to:[{field: "rsa.misc.im_buddyname", setter: fld_set}]}, - "im_client": {to:[{field: "rsa.misc.im_client", setter: fld_set}]}, - "im_croomid": {to:[{field: "rsa.misc.im_croomid", setter: fld_set}]}, - "im_croomtype": {to:[{field: "rsa.misc.im_croomtype", setter: fld_set}]}, - "im_members": {to:[{field: "rsa.misc.im_members", setter: fld_set}]}, - "im_userid": 
{to:[{field: "rsa.misc.im_userid", setter: fld_set}]}, - "im_username": {to:[{field: "rsa.misc.im_username", setter: fld_set}]}, - "index": {to:[{field: "rsa.misc.index", setter: fld_set}]}, - "info": {to:[{field: "rsa.db.index", setter: fld_set}]}, - "inode": {convert: to_long, to:[{field: "rsa.internal.inode", setter: fld_set}]}, - "inout": {to:[{field: "rsa.misc.inout", setter: fld_set}]}, - "instance": {to:[{field: "rsa.db.instance", setter: fld_set}]}, - "interface": {to:[{field: "rsa.network.interface", setter: fld_set}]}, - "inv.category": {to:[{field: "rsa.investigations.inv_category", setter: fld_set}]}, - "inv.context": {to:[{field: "rsa.investigations.inv_context", setter: fld_set}]}, - "ioc": {to:[{field: "rsa.investigations.ioc", setter: fld_set}]}, - "ip_proto": {convert: to_long, to:[{field: "rsa.network.ip_proto", setter: fld_set}]}, - "ipkt": {to:[{field: "rsa.misc.ipkt", setter: fld_set}]}, - "ipscat": {to:[{field: "rsa.misc.ipscat", setter: fld_set}]}, - "ipspri": {to:[{field: "rsa.misc.ipspri", setter: fld_set}]}, - "jobname": {to:[{field: "rsa.misc.jobname", setter: fld_set}]}, - "jobnum": {to:[{field: "rsa.misc.job_num", setter: fld_set}]}, - "laddr": {to:[{field: "rsa.network.laddr", setter: fld_set}]}, - "language": {to:[{field: "rsa.misc.language", setter: fld_set}]}, - "latitude": {to:[{field: "rsa.misc.latitude", setter: fld_set}]}, - "lc.cid": {to:[{field: "rsa.internal.lc_cid", setter: fld_set}]}, - "lc.ctime": {convert: to_date, to:[{field: "rsa.internal.lc_ctime", setter: fld_set}]}, - "ldap": {to:[{field: "rsa.identity.ldap", setter: fld_set}]}, - "ldap.query": {to:[{field: "rsa.identity.ldap_query", setter: fld_set}]}, - "ldap.response": {to:[{field: "rsa.identity.ldap_response", setter: fld_set}]}, - "level": {convert: to_long, to:[{field: "rsa.internal.level", setter: fld_set}]}, - "lhost": {to:[{field: "rsa.network.lhost", setter: fld_set}]}, - "library": {to:[{field: "rsa.misc.library", setter: fld_set}]}, - "lifetime": 
{convert: to_long, to:[{field: "rsa.misc.lifetime", setter: fld_set}]}, - "linenum": {to:[{field: "rsa.misc.linenum", setter: fld_set}]}, - "link": {to:[{field: "rsa.misc.link", setter: fld_set}]}, - "linterface": {to:[{field: "rsa.network.linterface", setter: fld_set}]}, - "list_name": {to:[{field: "rsa.misc.list_name", setter: fld_set}]}, - "listnum": {to:[{field: "rsa.misc.listnum", setter: fld_set}]}, - "load_data": {to:[{field: "rsa.misc.load_data", setter: fld_set}]}, - "location_floor": {to:[{field: "rsa.misc.location_floor", setter: fld_set}]}, - "location_mark": {to:[{field: "rsa.misc.location_mark", setter: fld_set}]}, - "log_id": {to:[{field: "rsa.misc.log_id", setter: fld_set}]}, - "log_type": {to:[{field: "rsa.misc.log_type", setter: fld_set}]}, - "logid": {to:[{field: "rsa.misc.logid", setter: fld_set}]}, - "logip": {to:[{field: "rsa.misc.logip", setter: fld_set}]}, - "logname": {to:[{field: "rsa.misc.logname", setter: fld_set}]}, - "logon_type": {to:[{field: "rsa.identity.logon_type", setter: fld_set}]}, - "logon_type_desc": {to:[{field: "rsa.identity.logon_type_desc", setter: fld_set}]}, - "longitude": {to:[{field: "rsa.misc.longitude", setter: fld_set}]}, - "lport": {to:[{field: "rsa.misc.lport", setter: fld_set}]}, - "lread": {convert: to_long, to:[{field: "rsa.db.lread", setter: fld_set}]}, - "lun": {to:[{field: "rsa.storage.lun", setter: fld_set}]}, - "lwrite": {convert: to_long, to:[{field: "rsa.db.lwrite", setter: fld_set}]}, - "macaddr": {convert: to_mac, to:[{field: "rsa.network.eth_host", setter: fld_set}]}, - "mail_id": {to:[{field: "rsa.misc.mail_id", setter: fld_set}]}, - "mask": {to:[{field: "rsa.network.mask", setter: fld_set}]}, - "match": {to:[{field: "rsa.misc.match", setter: fld_set}]}, - "mbug_data": {to:[{field: "rsa.misc.mbug_data", setter: fld_set}]}, - "mcb.req": {convert: to_long, to:[{field: "rsa.internal.mcb_req", setter: fld_set}]}, - "mcb.res": {convert: to_long, to:[{field: "rsa.internal.mcb_res", setter: fld_set}]}, - 
"mcbc.req": {convert: to_long, to:[{field: "rsa.internal.mcbc_req", setter: fld_set}]}, - "mcbc.res": {convert: to_long, to:[{field: "rsa.internal.mcbc_res", setter: fld_set}]}, - "medium": {convert: to_long, to:[{field: "rsa.internal.medium", setter: fld_set}]}, - "message": {to:[{field: "rsa.internal.message", setter: fld_set}]}, - "message_body": {to:[{field: "rsa.misc.message_body", setter: fld_set}]}, - "messageid": {to:[{field: "rsa.internal.messageid", setter: fld_set}]}, - "min": {to:[{field: "rsa.time.min", setter: fld_set}]}, - "misc": {to:[{field: "rsa.misc.misc", setter: fld_set}]}, - "misc_name": {to:[{field: "rsa.misc.misc_name", setter: fld_set}]}, - "mode": {to:[{field: "rsa.misc.mode", setter: fld_set}]}, - "month": {to:[{field: "rsa.time.month", setter: fld_set}]}, - "msg": {to:[{field: "rsa.internal.msg", setter: fld_set}]}, - "msgIdPart1": {to:[{field: "rsa.misc.msgIdPart1", setter: fld_set}]}, - "msgIdPart2": {to:[{field: "rsa.misc.msgIdPart2", setter: fld_set}]}, - "msgIdPart3": {to:[{field: "rsa.misc.msgIdPart3", setter: fld_set}]}, - "msgIdPart4": {to:[{field: "rsa.misc.msgIdPart4", setter: fld_set}]}, - "msg_id": {to:[{field: "rsa.internal.msg_id", setter: fld_set}]}, - "msg_type": {to:[{field: "rsa.misc.msg_type", setter: fld_set}]}, - "msgid": {to:[{field: "rsa.misc.msgid", setter: fld_set}]}, - "name": {to:[{field: "rsa.misc.name", setter: fld_set}]}, - "netname": {to:[{field: "rsa.network.netname", setter: fld_set}]}, - "netsessid": {to:[{field: "rsa.misc.netsessid", setter: fld_set}]}, - "network_port": {convert: to_long, to:[{field: "rsa.network.network_port", setter: fld_set}]}, - "network_service": {to:[{field: "rsa.network.network_service", setter: fld_set}]}, - "node": {to:[{field: "rsa.misc.node", setter: fld_set}]}, - "nodename": {to:[{field: "rsa.internal.node_name", setter: fld_set}]}, - "ntype": {to:[{field: "rsa.misc.ntype", setter: fld_set}]}, - "num": {to:[{field: "rsa.misc.num", setter: fld_set}]}, - "number": 
{to:[{field: "rsa.misc.number", setter: fld_set}]}, - "number1": {to:[{field: "rsa.misc.number1", setter: fld_set}]}, - "number2": {to:[{field: "rsa.misc.number2", setter: fld_set}]}, - "nwe.callback_id": {to:[{field: "rsa.internal.nwe_callback_id", setter: fld_set}]}, - "nwwn": {to:[{field: "rsa.misc.nwwn", setter: fld_set}]}, - "obj_id": {to:[{field: "rsa.internal.obj_id", setter: fld_set}]}, - "obj_name": {to:[{field: "rsa.misc.obj_name", setter: fld_set}]}, - "obj_server": {to:[{field: "rsa.internal.obj_server", setter: fld_set}]}, - "obj_type": {to:[{field: "rsa.misc.obj_type", setter: fld_set}]}, - "obj_value": {to:[{field: "rsa.internal.obj_val", setter: fld_set}]}, - "object": {to:[{field: "rsa.misc.object", setter: fld_set}]}, - "observed_val": {to:[{field: "rsa.misc.observed_val", setter: fld_set}]}, - "operation": {to:[{field: "rsa.misc.operation", setter: fld_set}]}, - "operation_id": {to:[{field: "rsa.misc.operation_id", setter: fld_set}]}, - "opkt": {to:[{field: "rsa.misc.opkt", setter: fld_set}]}, - "org.dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 1}]}, - "org.src": {to:[{field: "rsa.physical.org_src", setter: fld_set}]}, - "org_dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 0}]}, - "orig_from": {to:[{field: "rsa.misc.orig_from", setter: fld_set}]}, - "origin": {to:[{field: "rsa.network.origin", setter: fld_set}]}, - "original_owner": {to:[{field: "rsa.identity.owner", setter: fld_set}]}, - "os": {to:[{field: "rsa.misc.OS", setter: fld_set}]}, - "owner_id": {to:[{field: "rsa.misc.owner_id", setter: fld_set}]}, - "p_action": {to:[{field: "rsa.misc.p_action", setter: fld_set}]}, - "p_date": {to:[{field: "rsa.time.p_date", setter: fld_set}]}, - "p_filter": {to:[{field: "rsa.misc.p_filter", setter: fld_set}]}, - "p_group_object": {to:[{field: "rsa.misc.p_group_object", setter: fld_set}]}, - "p_id": {to:[{field: "rsa.misc.p_id", setter: fld_set}]}, - "p_month": {to:[{field: "rsa.time.p_month", setter: fld_set}]}, 
- "p_msgid": {to:[{field: "rsa.misc.p_msgid", setter: fld_set}]}, - "p_msgid1": {to:[{field: "rsa.misc.p_msgid1", setter: fld_set}]}, - "p_msgid2": {to:[{field: "rsa.misc.p_msgid2", setter: fld_set}]}, - "p_result1": {to:[{field: "rsa.misc.p_result1", setter: fld_set}]}, - "p_time": {to:[{field: "rsa.time.p_time", setter: fld_set}]}, - "p_time1": {to:[{field: "rsa.time.p_time1", setter: fld_set}]}, - "p_time2": {to:[{field: "rsa.time.p_time2", setter: fld_set}]}, - "p_url": {to:[{field: "rsa.web.p_url", setter: fld_set}]}, - "p_user_agent": {to:[{field: "rsa.web.p_user_agent", setter: fld_set}]}, - "p_web_cookie": {to:[{field: "rsa.web.p_web_cookie", setter: fld_set}]}, - "p_web_method": {to:[{field: "rsa.web.p_web_method", setter: fld_set}]}, - "p_web_referer": {to:[{field: "rsa.web.p_web_referer", setter: fld_set}]}, - "p_year": {to:[{field: "rsa.time.p_year", setter: fld_set}]}, - "packet_length": {to:[{field: "rsa.network.packet_length", setter: fld_set}]}, - "paddr": {convert: to_ip, to:[{field: "rsa.network.paddr", setter: fld_set}]}, - "param": {to:[{field: "rsa.misc.param", setter: fld_set}]}, - "param.dst": {to:[{field: "rsa.misc.param_dst", setter: fld_set}]}, - "param.src": {to:[{field: "rsa.misc.param_src", setter: fld_set}]}, - "parent_node": {to:[{field: "rsa.misc.parent_node", setter: fld_set}]}, - "parse.error": {to:[{field: "rsa.internal.parse_error", setter: fld_set}]}, - "password": {to:[{field: "rsa.identity.password", setter: fld_set}]}, - "password_chg": {to:[{field: "rsa.misc.password_chg", setter: fld_set}]}, - "password_expire": {to:[{field: "rsa.misc.password_expire", setter: fld_set}]}, - "patient_fname": {to:[{field: "rsa.healthcare.patient_fname", setter: fld_set}]}, - "patient_id": {to:[{field: "rsa.healthcare.patient_id", setter: fld_set}]}, - "patient_lname": {to:[{field: "rsa.healthcare.patient_lname", setter: fld_set}]}, - "patient_mname": {to:[{field: "rsa.healthcare.patient_mname", setter: fld_set}]}, - "payload.req": {convert: 
to_long, to:[{field: "rsa.internal.payload_req", setter: fld_set}]}, - "payload.res": {convert: to_long, to:[{field: "rsa.internal.payload_res", setter: fld_set}]}, - "peer": {to:[{field: "rsa.crypto.peer", setter: fld_set}]}, - "peer_id": {to:[{field: "rsa.crypto.peer_id", setter: fld_set}]}, - "permgranted": {to:[{field: "rsa.misc.permgranted", setter: fld_set}]}, - "permissions": {to:[{field: "rsa.db.permissions", setter: fld_set}]}, - "permwanted": {to:[{field: "rsa.misc.permwanted", setter: fld_set}]}, - "pgid": {to:[{field: "rsa.misc.pgid", setter: fld_set}]}, - "phone_number": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 2}]}, - "phost": {to:[{field: "rsa.network.phost", setter: fld_set}]}, - "pid": {to:[{field: "rsa.misc.pid", setter: fld_set}]}, - "policy": {to:[{field: "rsa.misc.policy", setter: fld_set}]}, - "policyUUID": {to:[{field: "rsa.misc.policyUUID", setter: fld_set}]}, - "policy_id": {to:[{field: "rsa.misc.policy_id", setter: fld_set}]}, - "policy_value": {to:[{field: "rsa.misc.policy_value", setter: fld_set}]}, - "policy_waiver": {to:[{field: "rsa.misc.policy_waiver", setter: fld_set}]}, - "policyname": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 0}]}, - "pool_id": {to:[{field: "rsa.misc.pool_id", setter: fld_set}]}, - "pool_name": {to:[{field: "rsa.misc.pool_name", setter: fld_set}]}, - "port": {convert: to_long, to:[{field: "rsa.network.port", setter: fld_set}]}, - "portname": {to:[{field: "rsa.misc.port_name", setter: fld_set}]}, - "pread": {convert: to_long, to:[{field: "rsa.db.pread", setter: fld_set}]}, - "priority": {to:[{field: "rsa.misc.priority", setter: fld_set}]}, - "privilege": {to:[{field: "rsa.file.privilege", setter: fld_set}]}, - "process.vid.dst": {to:[{field: "rsa.internal.process_vid_dst", setter: fld_set}]}, - "process.vid.src": {to:[{field: "rsa.internal.process_vid_src", setter: fld_set}]}, - "process_id_val": {to:[{field: "rsa.misc.process_id_val", setter: fld_set}]}, - "processing_time": 
{to:[{field: "rsa.time.process_time", setter: fld_set}]}, - "profile": {to:[{field: "rsa.identity.profile", setter: fld_set}]}, - "prog_asp_num": {to:[{field: "rsa.misc.prog_asp_num", setter: fld_set}]}, - "program": {to:[{field: "rsa.misc.program", setter: fld_set}]}, - "protocol_detail": {to:[{field: "rsa.network.protocol_detail", setter: fld_set}]}, - "pwwn": {to:[{field: "rsa.storage.pwwn", setter: fld_set}]}, - "r_hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "real_data": {to:[{field: "rsa.misc.real_data", setter: fld_set}]}, - "realm": {to:[{field: "rsa.identity.realm", setter: fld_set}]}, - "reason": {to:[{field: "rsa.misc.reason", setter: fld_set}]}, - "rec_asp_device": {to:[{field: "rsa.misc.rec_asp_device", setter: fld_set}]}, - "rec_asp_num": {to:[{field: "rsa.misc.rec_asp_num", setter: fld_set}]}, - "rec_library": {to:[{field: "rsa.misc.rec_library", setter: fld_set}]}, - "recorded_time": {convert: to_date, to:[{field: "rsa.time.recorded_time", setter: fld_set}]}, - "recordnum": {to:[{field: "rsa.misc.recordnum", setter: fld_set}]}, - "registry.key": {to:[{field: "rsa.endpoint.registry_key", setter: fld_set}]}, - "registry.value": {to:[{field: "rsa.endpoint.registry_value", setter: fld_set}]}, - "remote_domain": {to:[{field: "rsa.web.remote_domain", setter: fld_set}]}, - "remote_domain_id": {to:[{field: "rsa.network.remote_domain_id", setter: fld_set}]}, - "reputation_num": {convert: to_double, to:[{field: "rsa.web.reputation_num", setter: fld_set}]}, - "resource": {to:[{field: "rsa.internal.resource", setter: fld_set}]}, - "resource_class": {to:[{field: "rsa.internal.resource_class", setter: fld_set}]}, - "result": {to:[{field: "rsa.misc.result", setter: fld_set}]}, - "result_code": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 1}]}, - "resultcode": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 0}]}, - "rid": {convert: to_long, to:[{field: "rsa.internal.rid", setter: fld_set}]}, - "risk": 
{to:[{field: "rsa.misc.risk", setter: fld_set}]}, - "risk_info": {to:[{field: "rsa.misc.risk_info", setter: fld_set}]}, - "risk_num": {convert: to_double, to:[{field: "rsa.misc.risk_num", setter: fld_set}]}, - "risk_num_comm": {convert: to_double, to:[{field: "rsa.misc.risk_num_comm", setter: fld_set}]}, - "risk_num_next": {convert: to_double, to:[{field: "rsa.misc.risk_num_next", setter: fld_set}]}, - "risk_num_sand": {convert: to_double, to:[{field: "rsa.misc.risk_num_sand", setter: fld_set}]}, - "risk_num_static": {convert: to_double, to:[{field: "rsa.misc.risk_num_static", setter: fld_set}]}, - "risk_suspicious": {to:[{field: "rsa.misc.risk_suspicious", setter: fld_set}]}, - "risk_warning": {to:[{field: "rsa.misc.risk_warning", setter: fld_set}]}, - "rpayload": {to:[{field: "rsa.network.rpayload", setter: fld_set}]}, - "ruid": {to:[{field: "rsa.misc.ruid", setter: fld_set}]}, - "rule": {to:[{field: "rsa.misc.rule", setter: fld_set}]}, - "rule_group": {to:[{field: "rsa.misc.rule_group", setter: fld_set}]}, - "rule_template": {to:[{field: "rsa.misc.rule_template", setter: fld_set}]}, - "rule_uid": {to:[{field: "rsa.misc.rule_uid", setter: fld_set}]}, - "rulename": {to:[{field: "rsa.misc.rule_name", setter: fld_set}]}, - "s_certauth": {to:[{field: "rsa.crypto.s_certauth", setter: fld_set}]}, - "s_cipher": {to:[{field: "rsa.crypto.cipher_src", setter: fld_set}]}, - "s_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_src", setter: fld_set}]}, - "s_context": {to:[{field: "rsa.misc.context_subject", setter: fld_set}]}, - "s_sslver": {to:[{field: "rsa.crypto.ssl_ver_src", setter: fld_set}]}, - "sburb": {to:[{field: "rsa.misc.sburb", setter: fld_set}]}, - "scheme": {to:[{field: "rsa.crypto.scheme", setter: fld_set}]}, - "sdomain_fld": {to:[{field: "rsa.misc.sdomain_fld", setter: fld_set}]}, - "search.text": {to:[{field: "rsa.misc.search_text", setter: fld_set}]}, - "sec": {to:[{field: "rsa.misc.sec", setter: fld_set}]}, - "second": {to:[{field: 
"rsa.misc.second", setter: fld_set}]}, - "sensor": {to:[{field: "rsa.misc.sensor", setter: fld_set}]}, - "sensorname": {to:[{field: "rsa.misc.sensorname", setter: fld_set}]}, - "seqnum": {to:[{field: "rsa.misc.seqnum", setter: fld_set}]}, - "serial_number": {to:[{field: "rsa.misc.serial_number", setter: fld_set}]}, - "service.account": {to:[{field: "rsa.identity.service_account", setter: fld_set}]}, - "session": {to:[{field: "rsa.misc.session", setter: fld_set}]}, - "session.split": {to:[{field: "rsa.internal.session_split", setter: fld_set}]}, - "sessionid": {to:[{field: "rsa.misc.log_session_id", setter: fld_set}]}, - "sessionid1": {to:[{field: "rsa.misc.log_session_id1", setter: fld_set}]}, - "sessiontype": {to:[{field: "rsa.misc.sessiontype", setter: fld_set}]}, - "severity": {to:[{field: "rsa.misc.severity", setter: fld_set}]}, - "sid": {to:[{field: "rsa.identity.user_sid_dst", setter: fld_set}]}, - "sig.name": {to:[{field: "rsa.misc.sig_name", setter: fld_set}]}, - "sigUUID": {to:[{field: "rsa.misc.sigUUID", setter: fld_set}]}, - "sigcat": {to:[{field: "rsa.misc.sigcat", setter: fld_set}]}, - "sigid": {convert: to_long, to:[{field: "rsa.misc.sig_id", setter: fld_set}]}, - "sigid1": {convert: to_long, to:[{field: "rsa.misc.sig_id1", setter: fld_set}]}, - "sigid_string": {to:[{field: "rsa.misc.sig_id_str", setter: fld_set}]}, - "signame": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 1}]}, - "sigtype": {to:[{field: "rsa.crypto.sig_type", setter: fld_set}]}, - "sinterface": {to:[{field: "rsa.network.sinterface", setter: fld_set}]}, - "site": {to:[{field: "rsa.internal.site", setter: fld_set}]}, - "size": {convert: to_long, to:[{field: "rsa.internal.size", setter: fld_set}]}, - "smask": {to:[{field: "rsa.network.smask", setter: fld_set}]}, - "snmp.oid": {to:[{field: "rsa.misc.snmp_oid", setter: fld_set}]}, - "snmp.value": {to:[{field: "rsa.misc.snmp_value", setter: fld_set}]}, - "sourcefile": {to:[{field: "rsa.internal.sourcefile", setter: 
fld_set}]}, - "space": {to:[{field: "rsa.misc.space", setter: fld_set}]}, - "space1": {to:[{field: "rsa.misc.space1", setter: fld_set}]}, - "spi": {to:[{field: "rsa.misc.spi", setter: fld_set}]}, - "sql": {to:[{field: "rsa.misc.sql", setter: fld_set}]}, - "src_dn": {to:[{field: "rsa.identity.dn_src", setter: fld_set}]}, - "src_payload": {to:[{field: "rsa.misc.payload_src", setter: fld_set}]}, - "src_spi": {to:[{field: "rsa.misc.spi_src", setter: fld_set}]}, - "src_zone": {to:[{field: "rsa.network.zone_src", setter: fld_set}]}, - "srcburb": {to:[{field: "rsa.misc.srcburb", setter: fld_set}]}, - "srcdom": {to:[{field: "rsa.misc.srcdom", setter: fld_set}]}, - "srcservice": {to:[{field: "rsa.misc.srcservice", setter: fld_set}]}, - "ssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 0}]}, - "stamp": {convert: to_date, to:[{field: "rsa.time.stamp", setter: fld_set}]}, - "starttime": {convert: to_date, to:[{field: "rsa.time.starttime", setter: fld_set}]}, - "state": {to:[{field: "rsa.misc.state", setter: fld_set}]}, - "statement": {to:[{field: "rsa.internal.statement", setter: fld_set}]}, - "status": {to:[{field: "rsa.misc.status", setter: fld_set}]}, - "status1": {to:[{field: "rsa.misc.status1", setter: fld_set}]}, - "streams": {convert: to_long, to:[{field: "rsa.misc.streams", setter: fld_set}]}, - "subcategory": {to:[{field: "rsa.misc.subcategory", setter: fld_set}]}, - "subject": {to:[{field: "rsa.email.subject", setter: fld_set}]}, - "svcno": {to:[{field: "rsa.misc.svcno", setter: fld_set}]}, - "system": {to:[{field: "rsa.misc.system", setter: fld_set}]}, - "t_context": {to:[{field: "rsa.misc.context_target", setter: fld_set}]}, - "task_name": {to:[{field: "rsa.file.task_name", setter: fld_set}]}, - "tbdstr1": {to:[{field: "rsa.misc.tbdstr1", setter: fld_set}]}, - "tbdstr2": {to:[{field: "rsa.misc.tbdstr2", setter: fld_set}]}, - "tbl_name": {to:[{field: "rsa.db.table_name", setter: fld_set}]}, - "tcp_flags": {convert: to_long, to:[{field: 
"rsa.misc.tcp_flags", setter: fld_set}]}, - "terminal": {to:[{field: "rsa.misc.terminal", setter: fld_set}]}, - "tgtdom": {to:[{field: "rsa.misc.tgtdom", setter: fld_set}]}, - "tgtdomain": {to:[{field: "rsa.misc.tgtdomain", setter: fld_set}]}, - "threat_name": {to:[{field: "rsa.threat.threat_category", setter: fld_set}]}, - "threat_source": {to:[{field: "rsa.threat.threat_source", setter: fld_set}]}, - "threat_val": {to:[{field: "rsa.threat.threat_desc", setter: fld_set}]}, - "threshold": {to:[{field: "rsa.misc.threshold", setter: fld_set}]}, - "time": {convert: to_date, to:[{field: "rsa.internal.time", setter: fld_set}]}, - "timestamp": {to:[{field: "rsa.time.timestamp", setter: fld_set}]}, - "timezone": {to:[{field: "rsa.time.timezone", setter: fld_set}]}, - "to": {to:[{field: "rsa.email.email_dst", setter: fld_set}]}, - "tos": {convert: to_long, to:[{field: "rsa.misc.tos", setter: fld_set}]}, - "trans_from": {to:[{field: "rsa.email.trans_from", setter: fld_set}]}, - "trans_id": {to:[{field: "rsa.db.transact_id", setter: fld_set}]}, - "trans_to": {to:[{field: "rsa.email.trans_to", setter: fld_set}]}, - "trigger_desc": {to:[{field: "rsa.misc.trigger_desc", setter: fld_set}]}, - "trigger_val": {to:[{field: "rsa.misc.trigger_val", setter: fld_set}]}, - "type": {to:[{field: "rsa.misc.type", setter: fld_set}]}, - "type1": {to:[{field: "rsa.misc.type1", setter: fld_set}]}, - "tzone": {to:[{field: "rsa.time.tzone", setter: fld_set}]}, - "ubc.req": {convert: to_long, to:[{field: "rsa.internal.ubc_req", setter: fld_set}]}, - "ubc.res": {convert: to_long, to:[{field: "rsa.internal.ubc_res", setter: fld_set}]}, - "udb_class": {to:[{field: "rsa.misc.udb_class", setter: fld_set}]}, - "url_fld": {to:[{field: "rsa.misc.url_fld", setter: fld_set}]}, - "urlpage": {to:[{field: "rsa.web.urlpage", setter: fld_set}]}, - "urlroot": {to:[{field: "rsa.web.urlroot", setter: fld_set}]}, - "user_address": {to:[{field: "rsa.email.email", setter: fld_append}]}, - "user_dept": {to:[{field: 
"rsa.identity.user_dept", setter: fld_set}]}, - "user_div": {to:[{field: "rsa.misc.user_div", setter: fld_set}]}, - "user_fname": {to:[{field: "rsa.identity.firstname", setter: fld_set}]}, - "user_lname": {to:[{field: "rsa.identity.lastname", setter: fld_set}]}, - "user_mname": {to:[{field: "rsa.identity.middlename", setter: fld_set}]}, - "user_org": {to:[{field: "rsa.identity.org", setter: fld_set}]}, - "user_role": {to:[{field: "rsa.identity.user_role", setter: fld_set}]}, - "userid": {to:[{field: "rsa.misc.userid", setter: fld_set}]}, - "username_fld": {to:[{field: "rsa.misc.username_fld", setter: fld_set}]}, - "utcstamp": {to:[{field: "rsa.misc.utcstamp", setter: fld_set}]}, - "v_instafname": {to:[{field: "rsa.misc.v_instafname", setter: fld_set}]}, - "vendor_event_cat": {to:[{field: "rsa.investigations.event_vcat", setter: fld_set}]}, - "version": {to:[{field: "rsa.misc.version", setter: fld_set}]}, - "vid": {to:[{field: "rsa.internal.msg_vid", setter: fld_set}]}, - "virt_data": {to:[{field: "rsa.misc.virt_data", setter: fld_set}]}, - "virusname": {to:[{field: "rsa.misc.virusname", setter: fld_set}]}, - "vlan": {convert: to_long, to:[{field: "rsa.network.vlan", setter: fld_set}]}, - "vlan.name": {to:[{field: "rsa.network.vlan_name", setter: fld_set}]}, - "vm_target": {to:[{field: "rsa.misc.vm_target", setter: fld_set}]}, - "vpnid": {to:[{field: "rsa.misc.vpnid", setter: fld_set}]}, - "vsys": {to:[{field: "rsa.misc.vsys", setter: fld_set}]}, - "vuln_ref": {to:[{field: "rsa.misc.vuln_ref", setter: fld_set}]}, - "web_cookie": {to:[{field: "rsa.web.web_cookie", setter: fld_set}]}, - "web_extension_tmp": {to:[{field: "rsa.web.web_extension_tmp", setter: fld_set}]}, - "web_host": {to:[{field: "rsa.web.alias_host", setter: fld_set}]}, - "web_method": {to:[{field: "rsa.misc.action", setter: fld_append}]}, - "web_page": {to:[{field: "rsa.web.web_page", setter: fld_set}]}, - "web_ref_domain": {to:[{field: "rsa.web.web_ref_domain", setter: fld_set}]}, - "web_ref_host": 
{to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "web_ref_page": {to:[{field: "rsa.web.web_ref_page", setter: fld_set}]}, - "web_ref_query": {to:[{field: "rsa.web.web_ref_query", setter: fld_set}]}, - "web_ref_root": {to:[{field: "rsa.web.web_ref_root", setter: fld_set}]}, - "wifi_channel": {convert: to_long, to:[{field: "rsa.wireless.wlan_channel", setter: fld_set}]}, - "wlan": {to:[{field: "rsa.wireless.wlan_name", setter: fld_set}]}, - "word": {to:[{field: "rsa.internal.word", setter: fld_set}]}, - "workspace_desc": {to:[{field: "rsa.misc.workspace", setter: fld_set}]}, - "workstation": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "year": {to:[{field: "rsa.time.year", setter: fld_set}]}, - "zone": {to:[{field: "rsa.network.zone", setter: fld_set}]}, - }; - - function to_date(value) { - switch (typeof (value)) { - case "object": - // This is a Date. But as it was obtained from evt.Get(), the VM - // doesn't see it as a JS Date anymore, thus value instanceof Date === false. - // Have to trust that any object here is a valid Date for Go. - return value; - case "string": - var asDate = new Date(value); - if (!isNaN(asDate)) return asDate; - } - } - - // ECMAScript 5.1 doesn't have Object.MAX_SAFE_INTEGER / Object.MIN_SAFE_INTEGER. - var maxSafeInt = Math.pow(2, 53) - 1; - var minSafeInt = -maxSafeInt; - - function to_long(value) { - var num = parseInt(value); - // Better not to index a number if it's not safe (above 53 bits). - return !isNaN(num) && minSafeInt <= num && num <= maxSafeInt ? 
num : undefined;
- }
-
- function to_ip(value) {
- if (value.indexOf(":") === -1)
- return to_ipv4(value);
- return to_ipv6(value);
- }
-
- var ipv4_regex = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/;
- var ipv6_hex_regex = /^[0-9A-Fa-f]{1,4}$/;
-
- function to_ipv4(value) {
- var result = ipv4_regex.exec(value);
- if (result == null || result.length !== 5) return;
- for (var i = 1; i < 5; i++) {
- var num = strictToInt(result[i]);
- if (isNaN(num) || num < 0 || num > 255) return;
- }
- return value;
- }
-
- function to_ipv6(value) {
- var sqEnd = value.indexOf("]");
- if (sqEnd > -1) {
- if (value.charAt(0) !== "[") return;
- value = value.substr(1, sqEnd - 1);
- }
- var zoneOffset = value.indexOf("%");
- if (zoneOffset > -1) {
- value = value.substr(0, zoneOffset);
- }
- var parts = value.split(":");
- if (parts == null || parts.length < 3 || parts.length > 8) return;
- var numEmpty = 0;
- var innerEmpty = 0;
- for (var i = 0; i < parts.length; i++) {
- if (parts[i].length === 0) {
- numEmpty++;
- if (i > 0 && i + 1 < parts.length) innerEmpty++;
- } else if (!parts[i].match(ipv6_hex_regex) &&
- // Accept an IPv6 with a valid IPv4 at the end.
- ((i + 1 < parts.length) || !to_ipv4(parts[i]))) {
- return;
- }
- }
- return innerEmpty === 0 && parts.length === 8 || innerEmpty === 1 ? value : undefined;
- }
-
- function to_double(value) {
- return parseFloat(value);
- }
-
- function to_mac(value) {
- // ES doesn't have a mac datatype so it's safe to ingest whatever was captured.
- return value;
- }
-
- function to_lowercase(value) {
- // to_lowercase is used against keyword fields, which can accept
- // any other type (numbers, dates).
- return typeof(value) === "string"?
value.toLowerCase() : value;
- }
-
- function fld_set(dst, value) {
- dst[this.field] = { v: value };
- }
-
- function fld_append(dst, value) {
- if (dst[this.field] === undefined) {
- dst[this.field] = { v: [value] };
- } else {
- var base = dst[this.field];
- if (base.v.indexOf(value)===-1) base.v.push(value);
- }
- }
-
- function fld_prio(dst, value) {
- if (dst[this.field] === undefined) {
- dst[this.field] = { v: value, prio: this.prio};
- } else if(this.prio < dst[this.field].prio) {
- dst[this.field].v = value;
- dst[this.field].prio = this.prio;
- }
- }
-
- var valid_ecs_outcome = {
- 'failure': true,
- 'success': true,
- 'unknown': true
- };
-
- function fld_ecs_outcome(dst, value) {
- value = value.toLowerCase();
- if (valid_ecs_outcome[value] === undefined) {
- value = 'unknown';
- }
- if (dst[this.field] === undefined) {
- dst[this.field] = { v: value };
- } else if (dst[this.field].v === 'unknown') {
- dst[this.field] = { v: value };
- }
- }
-
- function map_all(evt, targets, value) {
- for (var i = 0; i < targets.length; i++) {
- evt.Put(targets[i], value);
- }
- }
-
- function populate_fields(evt) {
- var base = evt.Get(FIELDS_OBJECT);
- if (base === null) return;
- alternate_datetime(evt);
- if (map_ecs) {
- do_populate(evt, base, ecs_mappings);
- }
- if (map_rsa) {
- do_populate(evt, base, rsa_mappings);
- }
- if (keep_raw) {
- evt.Put("rsa.raw", base);
- }
- evt.Delete(FIELDS_OBJECT);
- }
-
- var datetime_alt_components = [
- {field: "day", fmts: [[dF]]},
- {field: "year", fmts: [[dW]]},
- {field: "month", fmts: [[dB],[dG]]},
- {field: "date", fmts: [[dW,dSkip,dG,dSkip,dF],[dW,dSkip,dB,dSkip,dF],[dW,dSkip,dR,dSkip,dF]]},
- {field: "hour", fmts: [[dN]]},
- {field: "min", fmts: [[dU]]},
- {field: "secs", fmts: [[dO]]},
- {field: "time", fmts: [[dN, dSkip, dU, dSkip, dO]]},
- ];
-
- function alternate_datetime(evt) {
- if (evt.Get(FIELDS_PREFIX + "event_time") != null) {
- return;
- }
- var tzOffset = tz_offset;
- if (tzOffset === "event") {
-
tzOffset = evt.Get("event.timezone"); - } - var container = new DateContainer(tzOffset); - for (var i=0; i} %{day->} %{time->} %{p0}"); - - var dup2 = match("HEADER#3:0004/1_0", "nwparser.p0", "fpc0 %{p0}"); - - var dup3 = match("HEADER#3:0004/1_1", "nwparser.p0", "fpc1 %{p0}"); - - var dup4 = match("HEADER#3:0004/1_2", "nwparser.p0", "fpc2 %{p0}"); - - var dup5 = match("HEADER#3:0004/1_3", "nwparser.p0", "fpc3 %{p0}"); - - var dup6 = match("HEADER#3:0004/1_4", "nwparser.p0", "fpc4 %{p0}"); - - var dup7 = match("HEADER#3:0004/1_5", "nwparser.p0", "fpc5 %{p0}"); - - var dup8 = match("HEADER#3:0004/1_11", "nwparser.p0", "ssb %{p0}"); - - var dup9 = call({ - dest: "nwparser.payload", - fn: STRCAT, - args: [ - field("messageid"), - constant(": "), - field("p0"), - ], - }); - - var dup10 = call({ - dest: "nwparser.payload", - fn: STRCAT, - args: [ - field("messageid"), - constant(" "), - field("p0"), - ], - }); - - var dup11 = call({ - dest: "nwparser.payload", - fn: STRCAT, - args: [ - field("hfld2"), - constant(" "), - field("messageid"), - constant(": "), - field("p0"), - ], - }); - - var dup12 = call({ - dest: "nwparser.payload", - fn: STRCAT, - args: [ - field("hfld1"), - constant("["), - field("pid"), - constant("]: "), - field("messageid"), - constant(": "), - field("p0"), - ], - }); - - var dup13 = call({ - dest: "nwparser.payload", - fn: STRCAT, - args: [ - field("messageid"), - constant(" ["), - field("p0"), - ], - }); - - var dup14 = match("HEADER#15:0026.upd.a/1_0", "nwparser.p0", "RT_FLOW - %{p0}"); - - var dup15 = match("HEADER#15:0026.upd.a/1_1", "nwparser.p0", "junos-ssl-proxy - %{p0}"); - - var dup16 = match("HEADER#15:0026.upd.a/1_2", "nwparser.p0", "RT_APPQOS - %{p0}"); - - var dup17 = match("HEADER#15:0026.upd.a/1_3", "nwparser.p0", "%{hfld33->} - %{p0}"); - - var dup18 = match("HEADER#16:0026.upd.b/0", "message", "%{event_time->} %{hfld32->} %{hhostname->} %{p0}"); - - var dup19 = call({ - dest: "nwparser.payload", - fn: STRCAT, - args: [ - 
field("messageid"), - constant("["), - field("pid"), - constant("]: "), - field("p0"), - ], - }); - - var dup20 = setc("messageid","JUNOSROUTER_GENERIC"); - - var dup21 = setc("eventcategory","1605000000"); - - var dup22 = setf("msg","$MSG"); - - var dup23 = date_time({ - dest: "event_time", - args: ["month","day","time"], - fmts: [ - [dB,dF,dH,dc(":"),dU,dc(":"),dO], - ], - }); - - var dup24 = setf("hostname","hhost"); - - var dup25 = setc("event_description","AUDIT"); - - var dup26 = setc("event_description","CRON command"); - - var dup27 = setc("eventcategory","1801030000"); - - var dup28 = setc("eventcategory","1801020000"); - - var dup29 = setc("eventcategory","1605010000"); - - var dup30 = setc("eventcategory","1603000000"); - - var dup31 = setc("event_description","Process mode"); - - var dup32 = setc("event_description","NTP Server Unreachable"); - - var dup33 = setc("eventcategory","1401060000"); - - var dup34 = setc("ec_theme","Authentication"); - - var dup35 = setc("ec_subject","User"); - - var dup36 = setc("ec_activity","Logon"); - - var dup37 = setc("ec_outcome","Success"); - - var dup38 = setc("event_description","rpd proceeding"); - - var dup39 = match("MESSAGE#77:sshd:06/0", "nwparser.payload", "%{} %{p0}"); - - var dup40 = match("MESSAGE#77:sshd:06/1_0", "nwparser.p0", "%{process}[%{process_id}]: %{p0}"); - - var dup41 = match("MESSAGE#77:sshd:06/1_1", "nwparser.p0", "%{process}: %{p0}"); - - var dup42 = setc("eventcategory","1701010000"); - - var dup43 = setc("ec_outcome","Failure"); - - var dup44 = setc("eventcategory","1401030000"); - - var dup45 = match_copy("MESSAGE#72:Failed:05/1_2", "nwparser.p0", "p0"); - - var dup46 = setc("eventcategory","1803000000"); - - var dup47 = setc("event_type","VPN"); - - var dup48 = setc("eventcategory","1605020000"); - - var dup49 = setc("eventcategory","1602020000"); - - var dup50 = match("MESSAGE#114:ACCT_GETHOSTNAME_error/0", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{p0}"); - - var 
dup51 = setc("eventcategory","1603020000"); - - var dup52 = date_time({ - dest: "event_time", - args: ["hfld32"], - fmts: [ - [dW,dc("-"),dG,dc("-"),dF,dc("T"),dN,dc(":"),dU,dc(":"),dO], - ], - }); - - var dup53 = setc("ec_subject","NetworkComm"); - - var dup54 = setc("ec_activity","Create"); - - var dup55 = setc("ec_activity","Stop"); - - var dup56 = setc("event_description","Trap state change"); - - var dup57 = setc("event_description","peer NLRI mismatch"); - - var dup58 = setc("eventcategory","1605030000"); - - var dup59 = setc("eventcategory","1603010000"); - - var dup60 = setc("eventcategory","1606000000"); - - var dup61 = setf("hostname","hhostname"); - - var dup62 = date_time({ - dest: "event_time", - args: ["hfld6"], - fmts: [ - [dW,dc("-"),dG,dc("-"),dF,dc("T"),dN,dc(":"),dU,dc(":"),dO], - ], - }); - - var dup63 = setc("eventcategory","1401050200"); - - var dup64 = setc("event_description","Memory allocation failed during initialization for configuration load"); - - var dup65 = setc("event_description","unable to run in the background as a daemon"); - - var dup66 = setc("event_description","Another copy of this program is running"); - - var dup67 = setc("event_description","Unable to lock PID file"); - - var dup68 = setc("event_description","Unable to update process PID file"); - - var dup69 = setc("eventcategory","1301000000"); - - var dup70 = setc("event_description","Command stopped"); - - var dup71 = setc("event_description","Unable to create pipes for command"); - - var dup72 = setc("event_description","Command exited"); - - var dup73 = setc("eventcategory","1603050000"); - - var dup74 = setc("eventcategory","1801010000"); - - var dup75 = setc("event_description","Login failure"); - - var dup76 = match("MESSAGE#294:LOGIN_INFORMATION/3_0", "nwparser.p0", "User %{p0}"); - - var dup77 = match("MESSAGE#294:LOGIN_INFORMATION/3_1", "nwparser.p0", "user %{p0}"); - - var dup78 = setc("event_description","Unable to open file"); - - var dup79 = 
setc("event_description","SNMP index assigned changed"); - - var dup80 = setc("eventcategory","1302000000"); - - var dup81 = setc("eventcategory","1001020300"); - - var dup82 = setc("event_description","PFE FW SYSLOG_IP"); - - var dup83 = setc("event_description","process_mode"); - - var dup84 = setc("event_description","Logical interface collision"); - - var dup85 = setc("event_description","excessive runtime time during action of module"); - - var dup86 = setc("event_description","Reinitializing"); - - var dup87 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/0", "nwparser.payload", "%{event_type->} [junos@%{obj_name->} source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\"%{p0}"); - - var dup88 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/1_0", "nwparser.p0", " connection-tag=%{fld20->} service-name=\"%{p0}"); - - var dup89 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/1_1", "nwparser.p0", " service-name=\"%{p0}"); - - var dup90 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/3_0", "nwparser.p0", " nat-connection-tag=%{fld6->} src-nat-rule-type=%{fld20->} %{p0}"); - - var dup91 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/5_1", "nwparser.p0", "name=\"%{p0}"); - - var dup92 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/8", "nwparser.p0", "]%{}"); - - var dup93 = setc("eventcategory","1803010000"); - - var dup94 = setc("ec_activity","Deny"); - - var dup95 = match("MESSAGE#490:RT_FLOW_SESSION_DENY:03/0_0", "nwparser.payload", "%{process}: %{event_type}: session denied %{p0}"); - - var dup96 = match("MESSAGE#490:RT_FLOW_SESSION_DENY:03/0_1", "nwparser.payload", "%{event_type}: session denied %{p0}"); - - var dup97 = setc("event_description","session denied"); - - var dup98 = match("MESSAGE#492:RT_FLOW_SESSION_CLOSE:01/0", "nwparser.payload", "%{event_type->} [junos@%{obj_name->} reason=\"%{result}\" source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" 
destination-port=\"%{dport}\"%{p0}"); - - var dup99 = match("MESSAGE#492:RT_FLOW_SESSION_CLOSE:01/2", "nwparser.p0", "%{service}\" nat-source-address=\"%{hostip}\" nat-source-port=\"%{network_port}\" nat-destination-address=\"%{dtransaddr}\" nat-destination-port=\"%{dtransport}\"%{p0}"); - - var dup100 = match("MESSAGE#492:RT_FLOW_SESSION_CLOSE:01/4", "nwparser.p0", "%{}src-nat-rule-name=\"%{rulename}\" dst-nat-rule-%{p0}"); - - var dup101 = match("MESSAGE#492:RT_FLOW_SESSION_CLOSE:01/5_0", "nwparser.p0", "type=%{fld7->} dst-nat-rule-name=\"%{p0}"); - - var dup102 = match("MESSAGE#492:RT_FLOW_SESSION_CLOSE:01/6", "nwparser.p0", "\"%{rule_template->} protocol-id=\"%{protocol}\" policy-name=\"%{policyname}\" source-zone-name=\"%{src_zone}\" destination-zone-name=\"%{dst_zone}\" session-id-32=\"%{sessionid}\" packets-from-client=\"%{packets}\" bytes-from-client=\"%{rbytes}\" packets-from-server=\"%{dclass_counter1}\" bytes-from-server=\"%{sbytes}\" elapsed-time=\"%{duration}\"%{p0}"); - - var dup103 = match("MESSAGE#492:RT_FLOW_SESSION_CLOSE:01/7_0", "nwparser.p0", " application=\"%{fld6}\" nested-application=\"%{fld7}\" username=\"%{username}\" roles=\"%{fld15}\" packet-incoming-interface=\"%{dinterface}\" encrypted=%{fld16->} %{p0}"); - - var dup104 = setc("dclass_counter1_string","No.of packets from client"); - - var dup105 = setc("event_description","SNMPD AUTH FAILURE"); - - var dup106 = setc("event_description","send send-type (index1) failure"); - - var dup107 = setc("event_description","SNMP trap error"); - - var dup108 = setc("event_description","SNMP TRAP LINK DOWN"); - - var dup109 = setc("event_description","SNMP TRAP LINK UP"); - - var dup110 = setc("event_description","Login Failure"); - - var dup111 = match("MESSAGE#630:UI_CFG_AUDIT_OTHER:02/0", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' set: [%{action}] %{p0}"); - - var dup112 = match_copy("MESSAGE#630:UI_CFG_AUDIT_OTHER:02/1_1", "nwparser.p0", "space"); - - var 
dup113 = setc("eventcategory","1701020000"); - - var dup114 = match("MESSAGE#634:UI_CFG_AUDIT_SET:01/1_1", "nwparser.p0", "\u003c\u003c%{change_old}> %{p0}"); - - var dup115 = match("MESSAGE#634:UI_CFG_AUDIT_SET:01/2", "nwparser.p0", "-> \"%{change_new}\""); - - var dup116 = setc("event_description","User set command"); - - var dup117 = match("MESSAGE#637:UI_CFG_AUDIT_SET_SECRET:01/0", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' %{p0}"); - - var dup118 = match("MESSAGE#637:UI_CFG_AUDIT_SET_SECRET:01/1_0", "nwparser.p0", "set %{p0}"); - - var dup119 = match("MESSAGE#637:UI_CFG_AUDIT_SET_SECRET:01/1_1", "nwparser.p0", "replace %{p0}"); - - var dup120 = setc("event_description","User set groups to secret"); - - var dup121 = setc("event_description","UI CMDLINE READ LINE"); - - var dup122 = setc("event_description","User commit"); - - var dup123 = match("MESSAGE#675:UI_DAEMON_ACCEPT_FAILED/1_0", "nwparser.p0", "Network %{p0}"); - - var dup124 = match("MESSAGE#675:UI_DAEMON_ACCEPT_FAILED/1_1", "nwparser.p0", "Local %{p0}"); - - var dup125 = setc("eventcategory","1401070000"); - - var dup126 = setc("ec_activity","Logoff"); - - var dup127 = setc("event_description","Successful login"); - - var dup128 = setf("hostname","hostip"); - - var dup129 = setc("event_description","TACACS+ failure"); - - var dup130 = match("MESSAGE#755:node:05/0", "nwparser.payload", "%{hostname->} %{node->} %{p0}"); - - var dup131 = match("MESSAGE#755:node:05/1_0", "nwparser.p0", "partner%{p0}"); - - var dup132 = match("MESSAGE#755:node:05/1_1", "nwparser.p0", "actor%{p0}"); - - var dup133 = setc("eventcategory","1003010000"); - - var dup134 = setc("eventcategory","1901000000"); - - var dup135 = linear_select([ - dup14, - dup15, - dup16, - dup17, - ]); - - var dup136 = match("HEADER#15:0026.upd.a/2", "nwparser.p0", "%{messageid->} [%{p0}", processor_chain([ - dup13, - ])); - - var dup137 = linear_select([ - dup40, - dup41, - ]); - - var dup138 = 
match("MESSAGE#125:BFDD_TRAP_STATE_DOWN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: local discriminator: %{resultcode}, new state: %{result}", processor_chain([ - dup21, - dup22, - dup56, - dup23, - ])); - - var dup139 = match("MESSAGE#214:DCD_MALLOC_FAILED_INIT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Memory allocation failed during initialization for configuration load", processor_chain([ - dup51, - dup22, - dup64, - dup23, - ])); - - var dup140 = match("MESSAGE#225:ECCD_DAEMONIZE_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}, unable to run in the background as a daemon: %{result}", processor_chain([ - dup30, - dup22, - dup65, - dup23, - ])); - - var dup141 = match("MESSAGE#226:ECCD_DUPLICATE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Another copy of this program is running", processor_chain([ - dup30, - dup22, - dup66, - dup23, - ])); - - var dup142 = match("MESSAGE#232:ECCD_PID_FILE_LOCK", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to lock PID file: %{result}", processor_chain([ - dup30, - dup22, - dup67, - dup23, - ])); - - var dup143 = match("MESSAGE#233:ECCD_PID_FILE_UPDATE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to update process PID file: %{result}", processor_chain([ - dup30, - dup22, - dup68, - dup23, - ])); - - var dup144 = match("MESSAGE#272:LIBJNX_EXEC_PIPE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to create pipes for command '%{action}': %{result}", processor_chain([ - dup30, - dup22, - dup71, - dup23, - ])); - - var dup145 = linear_select([ - dup76, - dup77, - ]); - - var dup146 = match("MESSAGE#310:MIB2D_IFD_IFINDEX_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: SNMP index assigned to %{uid->} changed from %{dclass_counter1->} to %{result}", processor_chain([ - dup30, - dup22, - dup79, - dup23, - ])); - - var dup147 = 
match("MESSAGE#412:RPD_IFL_INDEXCOLLISION", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Logical interface collision -- %{result}, %{info}", processor_chain([ - dup30, - dup22, - dup84, - dup23, - ])); - - var dup148 = match("MESSAGE#466:RPD_SCHED_CALLBACK_LONGRUNTIME", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: excessive runtime time during action of module", processor_chain([ - dup30, - dup22, - dup85, - dup23, - ])); - - var dup149 = match("MESSAGE#482:RPD_TASK_REINIT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Reinitializing", processor_chain([ - dup21, - dup22, - dup86, - dup23, - ])); - - var dup150 = linear_select([ - dup88, - dup89, - ]); - - var dup151 = linear_select([ - dup90, - dup45, - ]); - - var dup152 = linear_select([ - dup95, - dup96, - ]); - - var dup153 = linear_select([ - dup101, - dup91, - ]); - - var dup154 = match("MESSAGE#498:RT_SCREEN_TCP", "nwparser.payload", "%{event_type->} [junos@%{obj_name->} attack-name=\"%{threat_name}\" source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" source-zone-name=\"%{src_zone}\" interface-name=\"%{interface}\" action=\"%{action}\"]", processor_chain([ - dup30, - dup22, - dup52, - ])); - - var dup155 = match("MESSAGE#527:SSL_PROXY_SSL_SESSION_ALLOW", "nwparser.payload", "%{event_type->} [junos@%{obj_name->} logical-system-name=\"%{hostname}\" session-id=\"%{sessionid}\" source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" nat-source-address=\"%{hostip}\" nat-source-port=\"%{network_port}\" nat-destination-address=\"%{dtransaddr}\" nat-destination-port=\"%{dtransport}\" profile-name=\"%{rulename}\" source-zone-name=\"%{src_zone}\" source-interface-name=\"%{sinterface}\" destination-zone-name=\"%{dst_zone}\" destination-interface-name=\"%{dinterface}\" message=\"%{info}\"]", processor_chain([ - dup27, - dup22, - 
dup52, - ])); - - var dup156 = linear_select([ - dup118, - dup119, - ]); - - var dup157 = linear_select([ - dup123, - dup124, - ]); - - var dup158 = match("MESSAGE#733:WEBFILTER_URL_PERMITTED", "nwparser.payload", "%{event_type->} [junos@%{fld21->} source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" name=\"%{info}\" error-message=\"%{result}\" profile-name=\"%{profile}\" object-name=\"%{obj_name}\" pathname=\"%{directory}\" username=\"%{username}\" roles=\"%{user_role}\"] WebFilter: ACTION=\"%{action}\" %{fld2}->%{fld3->} CATEGORY=\"%{category}\" REASON=\"%{fld4}\" PROFILE=\"%{fld6}\" URL=%{url->} OBJ=%{fld7->} USERNAME=%{fld8->} ROLES=%{fld9}", processor_chain([ - dup30, - dup22, - dup52, - ])); - - var dup159 = match_copy("MESSAGE#747:cli", "nwparser.payload", "fld12", processor_chain([ - dup48, - dup47, - dup23, - dup22, - ])); - - var hdr1 = match("HEADER#0:0001", "message", "%{month->} %{day->} %{time->} %{messageid}: restart %{p0}", processor_chain([ - setc("header_id","0001"), - call({ - dest: "nwparser.payload", - fn: STRCAT, - args: [ - field("messageid"), - constant(": restart "), - field("p0"), - ], - }), - ])); - - var hdr2 = match("HEADER#1:0002", "message", "%{month->} %{day->} %{time->} %{messageid->} message repeated %{p0}", processor_chain([ - setc("header_id","0002"), - call({ - dest: "nwparser.payload", - fn: STRCAT, - args: [ - field("messageid"), - constant(" message repeated "), - field("p0"), - ], - }), - ])); - - var hdr3 = match("HEADER#2:0003", "message", "%{month->} %{day->} %{time->} ssb %{messageid}(%{hfld1}): %{p0}", processor_chain([ - setc("header_id","0003"), - call({ - dest: "nwparser.payload", - fn: STRCAT, - args: [ - field("messageid"), - constant("("), - field("hfld1"), - constant("): "), - field("p0"), - ], - }), - ])); - - var part1 = match("HEADER#3:0004/1_6", "nwparser.p0", "fpc6 %{p0}"); - - var part2 = match("HEADER#3:0004/1_7", "nwparser.p0", "fpc7 %{p0}"); 
- - var part3 = match("HEADER#3:0004/1_8", "nwparser.p0", "fpc8 %{p0}"); - - var part4 = match("HEADER#3:0004/1_9", "nwparser.p0", "fpc9 %{p0}"); - - var part5 = match("HEADER#3:0004/1_10", "nwparser.p0", "cfeb %{p0}"); - - var select1 = linear_select([ - dup2, - dup3, - dup4, - dup5, - dup6, - dup7, - part1, - part2, - part3, - part4, - part5, - dup8, - ]); - - var part6 = match("HEADER#3:0004/2", "nwparser.p0", "%{} %{messageid}: %{p0}", processor_chain([ - dup9, - ])); - - var all1 = all_match({ - processors: [ - dup1, - select1, - part6, - ], - on_success: processor_chain([ - setc("header_id","0004"), - ]), - }); - - var select2 = linear_select([ - dup2, - dup3, - dup4, - dup5, - dup6, - dup7, - dup8, - ]); - - var part7 = match("HEADER#4:0005/2", "nwparser.p0", "%{} %{messageid->} %{p0}", processor_chain([ - dup10, - ])); - - var all2 = all_match({ - processors: [ - dup1, - select2, - part7, - ], - on_success: processor_chain([ - setc("header_id","0005"), - ]), - }); - - var hdr4 = match("HEADER#5:0007", "message", "%{month->} %{day->} %{time->} %{hfld1->} %{hhost}: %{hfld2}[%{hpid}]: %{messageid}: %{p0}", processor_chain([ - setc("header_id","0007"), - call({ - dest: "nwparser.payload", - fn: STRCAT, - args: [ - field("hfld2"), - constant("["), - field("hpid"), - constant("]: "), - field("messageid"), - constant(": "), - field("p0"), - ], - }), - ])); - - var hdr5 = match("HEADER#6:0008", "message", "%{month->} %{day->} %{time->} %{hfld1->} %{hhost}: %{messageid}[%{hpid}]: %{p0}", processor_chain([ - setc("header_id","0008"), - call({ - dest: "nwparser.payload", - fn: STRCAT, - args: [ - field("messageid"), - constant("["), - field("hpid"), - constant("]: "), - field("p0"), - ], - }), - ])); - - var hdr6 = match("HEADER#7:0009", "message", "%{month->} %{day->} %{time->} %{hfld1->} %{hhost}: %{hfld2->} IFP trace> %{messageid}: %{p0}", processor_chain([ - setc("header_id","0009"), - call({ - dest: "nwparser.payload", - fn: STRCAT, - args: [ - field("hfld2"), - 
constant(" IFP trace> "), - field("messageid"), - constant(": "), - field("p0"), - ], - }), - ])); - - var hdr7 = match("HEADER#8:0010", "message", "%{month->} %{day->} %{time->} %{hfld1->} %{hhost}: %{hfld2->} %{messageid}: %{p0}", processor_chain([ - setc("header_id","0010"), - dup11, - ])); - - var hdr8 = match("HEADER#9:0029", "message", "%{month->} %{day->} %{time->} %{hostip->} %{hfld1}[%{pid}]: %{messageid}: %{p0}", processor_chain([ - setc("header_id","0029"), - dup12, - ])); - - var hdr9 = match("HEADER#10:0015", "message", "%{month->} %{day->} %{time->} %{hfld1}[%{pid}]: %{messageid}: %{p0}", processor_chain([ - setc("header_id","0015"), - dup12, - ])); - - var hdr10 = match("HEADER#11:0011", "message", "%{month->} %{day->} %{time->} %{hfld2->} %{messageid}: %{p0}", processor_chain([ - setc("header_id","0011"), - dup11, - ])); - - var hdr11 = match("HEADER#12:0027", "message", "%{month->} %{day->} %{time->} %{hhostname->} RT_FLOW: %{messageid}: %{p0}", processor_chain([ - setc("header_id","0027"), - dup9, - ])); - - var hdr12 = match("HEADER#13:0012", "message", "%{month->} %{day->} %{time->} %{hfld1->} %{hhost}: %{messageid}: %{p0}", processor_chain([ - setc("header_id","0012"), - dup9, - ])); - - var hdr13 = match("HEADER#14:0013", "message", "%{month->} %{day->} %{time->} %{hfld1->} %{hfld32->} %{hhostname->} RT_FLOW - %{messageid->} [%{p0}", processor_chain([ - setc("header_id","0013"), - dup13, - ])); - - var hdr14 = match("HEADER#15:0026.upd.a/0", "message", "%{hfld1->} %{event_time->} %{hfld32->} %{hhostname->} %{p0}"); - - var all3 = all_match({ - processors: [ - hdr14, - dup135, - dup136, - ], - on_success: processor_chain([ - setc("header_id","0026.upd.a"), - ]), - }); - - var all4 = all_match({ - processors: [ - dup18, - dup135, - dup136, - ], - on_success: processor_chain([ - setc("header_id","0026.upd.b"), - ]), - }); - - var all5 = all_match({ - processors: [ - dup18, - dup135, - dup136, - ], - on_success: processor_chain([ - 
setc("header_id","0026"), - ]), - }); - - var hdr15 = match("HEADER#18:0014", "message", "%{month->} %{day->} %{time->} %{hfld1}[%{pid}]: %{messageid}[%{hpid}]: %{p0}", processor_chain([ - setc("header_id","0014"), - call({ - dest: "nwparser.payload", - fn: STRCAT, - args: [ - field("hfld1"), - constant("["), - field("pid"), - constant("]: "), - field("messageid"), - constant("["), - field("hpid"), - constant("]: "), - field("p0"), - ], - }), - ])); - - var hdr16 = match("HEADER#19:0016", "message", "%{month->} %{day->} %{time->} %{hfld1}: %{messageid}: %{p0}", processor_chain([ - setc("header_id","0016"), - call({ - dest: "nwparser.payload", - fn: STRCAT, - args: [ - field("hfld1"), - constant(": "), - field("messageid"), - constant(": "), - field("p0"), - ], - }), - ])); - - var hdr17 = match("HEADER#20:0017", "message", "%{month->} %{day->} %{time->} %{hfld1}[%{pid}]: %{messageid->} %{p0}", processor_chain([ - setc("header_id","0017"), - call({ - dest: "nwparser.payload", - fn: STRCAT, - args: [ - field("hfld1"), - constant("["), - field("pid"), - constant("]: "), - field("messageid"), - constant(" "), - field("p0"), - ], - }), - ])); - - var hdr18 = match("HEADER#21:0018", "message", "%{month->} %{day->} %{time->} %{hhost}: %{messageid}[%{pid}]: %{p0}", processor_chain([ - setc("header_id","0018"), - dup19, - ])); - - var hdr19 = match("HEADER#22:0028", "message", "%{month->} %{day->} %{time->} %{hhost->} %{messageid}[%{pid}]: %{p0}", processor_chain([ - setc("header_id","0028"), - dup19, - ])); - - var hdr20 = match("HEADER#23:0019", "message", "%{month->} %{day->} %{time->} %{hhost}: %{messageid}: %{p0}", processor_chain([ - setc("header_id","0019"), - dup9, - ])); - - var hdr21 = match("HEADER#24:0020", "message", "%{month->} %{day->} %{time->} %{messageid}[%{pid}]: %{p0}", processor_chain([ - setc("header_id","0020"), - dup19, - ])); - - var hdr22 = match("HEADER#25:0021", "message", "%{month->} %{day->} %{time->} /%{messageid}: %{p0}", processor_chain([ - 
setc("header_id","0021"), - dup9, - ])); - - var hdr23 = match("HEADER#26:0022", "message", "%{month->} %{day->} %{time->} %{messageid}: %{p0}", processor_chain([ - setc("header_id","0022"), - dup9, - ])); - - var hdr24 = match("HEADER#27:0023", "message", "%{month->} %{day->} %{time->} %{hfld1->} %{hhostname}: %{messageid}[%{pid}]: %{p0}", processor_chain([ - setc("header_id","0023"), - dup19, - ])); - - var hdr25 = match("HEADER#28:0024", "message", "%{month->} %{day->} %{time->} %{hfld1->} %{hhostname}: %{messageid}: %{p0}", processor_chain([ - setc("header_id","0024"), - dup9, - ])); - - var hdr26 = match("HEADER#29:0025", "message", "%{month->} %{day->} %{time->} %{hfld1->} %{hhostname}: %{hfld2->} %{messageid->} %{p0}", processor_chain([ - setc("header_id","0025"), - call({ - dest: "nwparser.payload", - fn: STRCAT, - args: [ - field("hfld2"), - constant(" "), - field("messageid"), - constant(" "), - field("p0"), - ], - }), - ])); - - var hdr27 = match("HEADER#30:0031", "message", "%{month->} %{day->} %{time->} %{hfld1->} %{hhostname}: %{messageid->} %{p0}", processor_chain([ - setc("header_id","0031"), - dup10, - ])); - - var hdr28 = match("HEADER#31:0032", "message", "%{month->} %{day->} %{time->} %{hostip->} (%{hfld1}) %{hfld2->} %{messageid}[%{pid}]: %{p0}", processor_chain([ - setc("header_id","0032"), - dup19, - ])); - - var hdr29 = match("HEADER#32:0033", "message", "%{month->} %{day->} %{time->} %{hfld1->} %{hhostname->} %{messageid}: %{p0}", processor_chain([ - setc("header_id","0033"), - call({ - dest: "nwparser.payload", - fn: STRCAT, - args: [ - field("hfld1"), - constant(" "), - field("hhostname"), - constant(" "), - field("messageid"), - constant(": "), - field("p0"), - ], - }), - ])); - - var hdr30 = match("HEADER#33:3336", "message", "%{month->} %{day->} %{time->} %{hhost->} %{process}[%{process_id}]: %{messageid}: %{payload}", processor_chain([ - setc("header_id","3336"), - ])); - - var hdr31 = match("HEADER#34:3339", "message", "%{month->} 
%{day->} %{time->} %{hhost->} %{process}[%{process_id}]: %{messageid->} %{payload}", processor_chain([ - setc("header_id","3339"), - ])); - - var hdr32 = match("HEADER#35:3337", "message", "%{month->} %{day->} %{time->} %{hhost->} %{messageid}: %{payload}", processor_chain([ - setc("header_id","3337"), - ])); - - var hdr33 = match("HEADER#36:3341", "message", "%{hfld1->} %{hfld6->} %{hhostname->} %{hfld2->} %{hfld3->} %{messageid->} %{p0}", processor_chain([ - setc("header_id","3341"), - call({ - dest: "nwparser.payload", - fn: STRCAT, - args: [ - field("hfld2"), - constant(" "), - field("hfld3"), - constant(" "), - field("messageid"), - constant(" "), - field("p0"), - ], - }), - ])); - - var hdr34 = match("HEADER#37:3338", "message", "%{month->} %{day->} %{time->} %{hhost->} %{messageid->} %{payload}", processor_chain([ - setc("header_id","3338"), - ])); - - var hdr35 = match("HEADER#38:3340/0", "message", "%{month->} %{day->} %{time->} %{hhost->} node%{hfld1}.fpc%{p0}", processor_chain([ - call({ - dest: "nwparser.payload", - fn: STRCAT, - args: [ - field("hhost"), - constant(" node"), - field("hfld1"), - constant(".fpc"), - field("p0"), - ], - }), - ])); - - var part8 = match("HEADER#38:3340/1_0", "nwparser.p0", "%{hfld2}.pic%{hfld3->} %{p0}"); - - var part9 = match("HEADER#38:3340/1_1", "nwparser.p0", "%{hfld2->} %{p0}"); - - var select3 = linear_select([ - part8, - part9, - ]); - - var part10 = match("HEADER#38:3340/2", "nwparser.p0", "%{} %{p0}"); - - var all6 = all_match({ - processors: [ - hdr35, - select3, - part10, - ], - on_success: processor_chain([ - setc("header_id","3340"), - setc("messageid","node"), - ]), - }); - - var hdr36 = match("HEADER#39:9997/0_0", "message", "mgd[%{p0}"); - - var hdr37 = match("HEADER#39:9997/0_1", "message", "rpd[%{p0}"); - - var hdr38 = match("HEADER#39:9997/0_2", "message", "dcd[%{p0}"); - - var select4 = linear_select([ - hdr36, - hdr37, - hdr38, - ]); - - var part11 = match("HEADER#39:9997/1", "nwparser.p0", 
"%{process_id}]:%{payload}"); - - var all7 = all_match({ - processors: [ - select4, - part11, - ], - on_success: processor_chain([ - setc("header_id","9997"), - dup20, - ]), - }); - - var hdr39 = match("HEADER#40:9995", "message", "%{month->} %{day->} %{time->} %{hhost->} %{hfld1->} %{hfld2->} %{messageid}[%{hfld3}]:%{p0}", processor_chain([ - setc("header_id","9995"), - call({ - dest: "nwparser.payload", - fn: STRCAT, - args: [ - field("messageid"), - constant("["), - field("hfld3"), - constant("]:"), - field("p0"), - ], - }), - ])); - - var hdr40 = match("HEADER#41:9994", "message", "%{month->} %{day->} %{time->} %{hfld2->} %{hfld1->} qsfp %{p0}", processor_chain([ - setc("header_id","9994"), - setc("messageid","qsfp"), - call({ - dest: "nwparser.payload", - fn: STRCAT, - args: [ - field("hfld2"), - constant(" "), - field("hfld1"), - constant(" qsfp "), - field("p0"), - ], - }), - ])); - - var hdr41 = match("HEADER#42:9999", "message", "%{month->} %{day->} %{time->} %{hhost->} %{process}[%{process_id}]: %{hevent_type}: %{p0}", processor_chain([ - setc("header_id","9999"), - dup20, - call({ - dest: "nwparser.payload", - fn: STRCAT, - args: [ - field("hevent_type"), - constant(": "), - field("p0"), - ], - }), - ])); - - var hdr42 = match("HEADER#43:9998", "message", "%{month->} %{day->} %{time->} %{hfld2->} %{process}: %{p0}", processor_chain([ - setc("header_id","9998"), - dup20, - call({ - dest: "nwparser.payload", - fn: STRCAT, - args: [ - field("hfld2"), - constant(" "), - field("process"), - constant(": "), - field("p0"), - ], - }), - ])); - - var select5 = linear_select([ - hdr1, - hdr2, - hdr3, - all1, - all2, - hdr4, - hdr5, - hdr6, - hdr7, - hdr8, - hdr9, - hdr10, - hdr11, - hdr12, - hdr13, - all3, - all4, - all5, - hdr15, - hdr16, - hdr17, - hdr18, - hdr19, - hdr20, - hdr21, - hdr22, - hdr23, - hdr24, - hdr25, - hdr26, - hdr27, - hdr28, - hdr29, - hdr30, - hdr31, - hdr32, - hdr33, - hdr34, - all6, - all7, - hdr39, - hdr40, - hdr41, - hdr42, - ]); - - var 
part12 = match("MESSAGE#0:/usr/sbin/sshd", "nwparser.payload", "%{process}[%{process_id}]: %{agent}[%{id}]: exit status %{result}", processor_chain([ - dup21, - dup22, - setc("event_description","sshd exit status"), - dup23, - ])); - - var msg1 = msg("/usr/sbin/sshd", part12); - - var part13 = match("MESSAGE#1:/usr/libexec/telnetd", "nwparser.payload", "%{process}[%{process_id}]: %{agent}[%{id}]: exit status %{result}", processor_chain([ - dup21, - dup22, - setc("event_description","telnetd exit status"), - dup23, - ])); - - var msg2 = msg("/usr/libexec/telnetd", part13); - - var part14 = match("MESSAGE#2:alarmd", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: License color=%{severity}, class=%{device}, reason=%{result}", processor_chain([ - dup21, - dup22, - setc("event_description","Alarm Set or Cleared"), - dup23, - ])); - - var msg3 = msg("alarmd", part14); - - var part15 = match("MESSAGE#3:bigd", "nwparser.payload", "%{process}: Node detected UP for %{node}", processor_chain([ - dup21, - dup22, - setc("event_description","Node detected UP"), - dup23, - ])); - - var msg4 = msg("bigd", part15); - - var part16 = match("MESSAGE#4:bigd:01", "nwparser.payload", "%{process}: Monitor template id is %{id}", processor_chain([ - dup21, - dup22, - setc("event_description","Monitor template id"), - dup23, - ])); - - var msg5 = msg("bigd:01", part16); - - var select6 = linear_select([ - msg4, - msg5, - ]); - - var part17 = match("MESSAGE#5:bigpipe", "nwparser.payload", "%{process}: Loading the configuration file %(unknown)", processor_chain([ - dup21, - dup22, - setc("event_description","Loading configuration file"), - dup23, - ])); - - var msg6 = msg("bigpipe", part17); - - var part18 = match("MESSAGE#6:bigpipe:01", "nwparser.payload", "%{process}: Begin config install operation %{action}", processor_chain([ - dup21, - dup22, - setc("event_description","Begin config install operation"), - dup23, - ])); - - var msg7 = msg("bigpipe:01", part18); - - var 
part19 = match("MESSAGE#7:bigpipe:02", "nwparser.payload", "%{process}: AUDIT -- Action %{action->} User: %{username}", processor_chain([ - dup21, - dup22, - setc("event_description","Audit"), - dup23, - ])); - - var msg8 = msg("bigpipe:02", part19); - - var select7 = linear_select([ - msg6, - msg7, - msg8, - ]); - - var part20 = match("MESSAGE#8:bigstart", "nwparser.payload", "%{process}: shutdown %{service}", processor_chain([ - dup21, - dup22, - setc("event_description","portal shutdown"), - dup23, - ])); - - var msg9 = msg("bigstart", part20); - - var part21 = match("MESSAGE#9:cgatool", "nwparser.payload", "%{process}: %{event_type}: generated address is %{result}", processor_chain([ - dup21, - dup22, - setc("event_description","cga address genration"), - dup23, - ])); - - var msg10 = msg("cgatool", part21); - - var part22 = match("MESSAGE#10:chassisd:01", "nwparser.payload", "%{process}[%{process_id}]:%{fld12}", processor_chain([ - dup21, - dup22, - dup23, - dup24, - ])); - - var msg11 = msg("chassisd:01", part22); - - var part23 = match("MESSAGE#11:checkd", "nwparser.payload", "%{process}: AUDIT -- Action %{action->} User: %{username}", processor_chain([ - dup21, - dup22, - dup25, - dup23, - ])); - - var msg12 = msg("checkd", part23); - - var part24 = match("MESSAGE#12:checkd:01", "nwparser.payload", "%{process}: exiting", processor_chain([ - dup21, - dup22, - setc("event_description","checkd exiting"), - dup23, - ])); - - var msg13 = msg("checkd:01", part24); - - var select8 = linear_select([ - msg12, - msg13, - ]); - - var part25 = match("MESSAGE#13:cosd", "nwparser.payload", "%{process}[%{process_id}]: link protection %{dclass_counter1->} for intf %{interface}", processor_chain([ - dup21, - dup22, - setc("event_description","link protection for interface"), - dup23, - ])); - - var msg14 = msg("cosd", part25); - - var part26 = match("MESSAGE#14:craftd", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}, %{result}", processor_chain([ - dup21, - 
dup22, - setc("event_description","License expiration warning"), - dup23, - ])); - - var msg15 = msg("craftd", part26); - - var part27 = match("MESSAGE#15:CRON/0", "nwparser.payload", "%{process}[%{process_id}]: (%{username}) %{p0}"); - - var part28 = match("MESSAGE#15:CRON/1_0", "nwparser.p0", "CMD (%{result})"); - - var part29 = match("MESSAGE#15:CRON/1_1", "nwparser.p0", "cmd='%{result}'"); - - var select9 = linear_select([ - part28, - part29, - ]); - - var all8 = all_match({ - processors: [ - part27, - select9, - ], - on_success: processor_chain([ - dup21, - dup22, - dup26, - dup23, - ]), - }); - - var msg16 = msg("CRON", all8); - - var part30 = match("MESSAGE#16:Cmerror/0_0", "nwparser.payload", "%{hostname->} %{node}Cmerror: Level%{level}count increment %{dclass_counter1->} %{fld1}"); - - var part31 = match_copy("MESSAGE#16:Cmerror/0_1", "nwparser.payload", "fld2"); - - var select10 = linear_select([ - part30, - part31, - ]); - - var all9 = all_match({ - processors: [ - select10, - ], - on_success: processor_chain([ - dup21, - dup23, - dup22, - ]), - }); - - var msg17 = msg("Cmerror", all9); - - var part32 = match("MESSAGE#17:cron", "nwparser.payload", "%{process}[%{process_id}]: (%{username}) %{action->} (%(unknown))", processor_chain([ - dup21, - dup22, - setc("event_description","cron RELOAD"), - dup23, - ])); - - var msg18 = msg("cron", part32); - - var part33 = match("MESSAGE#18:CROND", "nwparser.payload", "%{process}[%{process_id}]: (%{username}) CMD (%{action})", processor_chain([ - dup21, - dup22, - dup23, - dup24, - ])); - - var msg19 = msg("CROND", part33); - - var part34 = match("MESSAGE#20:CROND:02", "nwparser.payload", "%{process}[%{process_id}]: pam_unix(crond:session): session closed for user %{username}", processor_chain([ - dup27, - dup22, - dup23, - dup24, - ])); - - var msg20 = msg("CROND:02", part34); - - var select11 = linear_select([ - msg19, - msg20, - ]); - - var part35 = match("MESSAGE#19:crond:01", "nwparser.payload", 
"%{process}[%{process_id}]: pam_unix(crond:session): session opened for user %{username->} by (uid=%{uid})", processor_chain([ - dup28, - dup22, - dup23, - dup24, - ])); - - var msg21 = msg("crond:01", part35); - - var part36 = match("MESSAGE#21:dcd", "nwparser.payload", "%{process}[%{process_id}]: %{result->} Setting ignored, %{info}", processor_chain([ - dup21, - dup22, - setc("event_description","Setting ignored"), - dup23, - ])); - - var msg22 = msg("dcd", part36); - - var part37 = match("MESSAGE#22:EVENT/0", "nwparser.payload", "%{process}[%{process_id}]: EVENT %{event_type->} %{interface->} index %{resultcode->} %{p0}"); - - var part38 = match("MESSAGE#22:EVENT/1_0", "nwparser.p0", "%{saddr->} -> %{daddr->} \u003c\u003c%{p0}"); - - var part39 = match("MESSAGE#22:EVENT/1_1", "nwparser.p0", "\u003c\u003c%{p0}"); - - var select12 = linear_select([ - part38, - part39, - ]); - - var part40 = match("MESSAGE#22:EVENT/2", "nwparser.p0", ">%{result}"); - - var all10 = all_match({ - processors: [ - part37, - select12, - part40, - ], - on_success: processor_chain([ - dup21, - dup22, - setc("event_description","EVENT"), - dup23, - ]), - }); - - var msg23 = msg("EVENT", all10); - - var part41 = match("MESSAGE#23:ftpd", "nwparser.payload", "%{process}[%{process_id}]: connection from %{saddr->} (%{shost})", processor_chain([ - setc("eventcategory","1802000000"), - dup22, - setc("event_description","ftpd connection"), - dup23, - ])); - - var msg24 = msg("ftpd", part41); - - var part42 = match("MESSAGE#24:ha_rto_stats_handler", "nwparser.payload", "%{hostname->} %{node}ha_rto_stats_handler:%{fld12}", processor_chain([ - dup29, - dup23, - dup22, - ])); - - var msg25 = msg("ha_rto_stats_handler", part42); - - var part43 = match("MESSAGE#25:hostinit", "nwparser.payload", "%{process}: %{obj_name->} -- LDAP Connection not bound correctly. 
%{info}", processor_chain([ - dup21, - dup22, - setc("event_description","LDAP Connection not bound correctly"), - dup23, - ])); - - var msg26 = msg("hostinit", part43); - - var part44 = match("MESSAGE#26:ifinfo", "nwparser.payload", "%{process}: %{service}: PIC_INFO debug> Added entry - %{info}", processor_chain([ - dup21, - dup22, - setc("event_description","PIC_INFO debug - Added entry"), - dup23, - ])); - - var msg27 = msg("ifinfo", part44); - - var part45 = match("MESSAGE#27:ifinfo:01", "nwparser.payload", "%{process}: %{service}: PIC_INFO debug> Initializing spu listtype %{resultcode}", processor_chain([ - dup21, - dup22, - setc("event_description","PIC_INFO debug Initializing spu"), - dup23, - ])); - - var msg28 = msg("ifinfo:01", part45); - - var part46 = match("MESSAGE#28:ifinfo:02", "nwparser.payload", "%{process}: %{service}: PIC_INFO debug> %{info}", processor_chain([ - dup21, - dup22, - setc("event_description","PIC_INFO debug delete from list"), - dup23, - ])); - - var msg29 = msg("ifinfo:02", part46); - - var select13 = linear_select([ - msg27, - msg28, - msg29, - ]); - - var part47 = match("MESSAGE#29:ifp_ifl_anydown_change_event", "nwparser.payload", "%{node->} %{action}> %{process}: IFL anydown change event: \"%{event_type}\"", processor_chain([ - dup21, - dup22, - setc("event_description","IFL anydown change event"), - dup23, - ])); - - var msg30 = msg("ifp_ifl_anydown_change_event", part47); - - var part48 = match("MESSAGE#30:ifp_ifl_config_event", "nwparser.payload", "%{node->} %{action}> %{process}: IFL config: \"%(unknown)\"", processor_chain([ - dup21, - dup22, - setc("event_description","ifp ifl config_event"), - dup23, - ])); - - var msg31 = msg("ifp_ifl_config_event", part48); - - var part49 = match("MESSAGE#31:ifp_ifl_ext_chg", "nwparser.payload", "%{node->} %{process}: ifp ext piid %{parent_pid->} zone_id %{zone}", processor_chain([ - dup21, - dup22, - setc("event_description","ifp_ifl_ext_chg"), - dup23, - ])); - - var msg32 = 
msg("ifp_ifl_ext_chg", part49); - - var part50 = match("MESSAGE#32:inetd", "nwparser.payload", "%{process}[%{process_id}]: %{protocol->} from %{saddr->} exceeded counts/min (%{result})", processor_chain([ - dup30, - dup22, - setc("event_description","connection exceeded count limit"), - dup23, - ])); - - var msg33 = msg("inetd", part50); - - var part51 = match("MESSAGE#33:inetd:01", "nwparser.payload", "%{process}[%{process_id}]: %{agent}[%{id}]: exited, status %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","exited"), - dup23, - ])); - - var msg34 = msg("inetd:01", part51); - - var select14 = linear_select([ - msg33, - msg34, - ]); - - var part52 = match("MESSAGE#34:init:04", "nwparser.payload", "%{process}: %{event_type->} current_mode=%{protocol}, requested_mode=%{result}, cmd=%{action}", processor_chain([ - dup21, - dup22, - dup31, - dup23, - ])); - - var msg35 = msg("init:04", part52); - - var part53 = match("MESSAGE#35:init", "nwparser.payload", "%{process}: %{event_type->} mode=%{protocol->} cmd=%{action->} master_mode=%{result}", processor_chain([ - dup21, - dup22, - dup31, - dup23, - ])); - - var msg36 = msg("init", part53); - - var part54 = match("MESSAGE#36:init:01", "nwparser.payload", "%{process}: failure target for routing set to %{result}", processor_chain([ - dup21, - dup22, - setc("event_description","failure target for routing set"), - dup23, - ])); - - var msg37 = msg("init:01", part54); - - var part55 = match("MESSAGE#37:init:02", "nwparser.payload", "%{process}: ntp (PID %{child_pid}) started", processor_chain([ - dup21, - dup22, - setc("event_description","ntp started"), - dup23, - ])); - - var msg38 = msg("init:02", part55); - - var part56 = match("MESSAGE#38:init:03", "nwparser.payload", "%{process}: product mask %{info->} model %{dclass_counter1}", processor_chain([ - dup21, - dup22, - setc("event_description","product mask and model info"), - dup23, - ])); - - var msg39 = msg("init:03", part56); - - var select15 
= linear_select([ - msg35, - msg36, - msg37, - msg38, - msg39, - ]); - - var part57 = match("MESSAGE#39:ipc_msg_write", "nwparser.payload", "%{node->} %{process}: IPC message type: %{event_type}, subtype: %{resultcode->} exceeds MTU, mtu %{dclass_counter1}, length %{dclass_counter2}", processor_chain([ - dup30, - dup22, - setc("event_description","IPC message exceeds MTU"), - dup23, - ])); - - var msg40 = msg("ipc_msg_write", part57); - - var part58 = match("MESSAGE#40:connection_established", "nwparser.payload", "%{process}: %{service}: conn established: listener idx=%{dclass_counter1->} tnpaddr=%{dclass_counter2}", processor_chain([ - dup28, - dup22, - setc("event_description","listener connection established"), - dup23, - ])); - - var msg41 = msg("connection_established", part58); - - var part59 = match("MESSAGE#41:connection_dropped/0", "nwparser.payload", "%{process}: %{p0}"); - - var part60 = match("MESSAGE#41:connection_dropped/1_0", "nwparser.p0", "%{result}, connection dropped - src %{saddr}:%{sport->} dest %{daddr}:%{dport}"); - - var part61 = match("MESSAGE#41:connection_dropped/1_1", "nwparser.p0", "%{result}: conn dropped: listener idx=%{dclass_counter1->} tnpaddr=%{dclass_counter2}"); - - var select16 = linear_select([ - part60, - part61, - ]); - - var all11 = all_match({ - processors: [ - part59, - select16, - ], - on_success: processor_chain([ - dup27, - dup22, - setc("event_description","connection dropped"), - dup23, - ]), - }); - - var msg42 = msg("connection_dropped", all11); - - var part62 = match("MESSAGE#42:kernel", "nwparser.payload", "%{process}: %{interface}: Asserting SONET alarm(s) %{info}", processor_chain([ - dup21, - dup22, - setc("event_description","Asserting SONET alarm(s)"), - dup23, - ])); - - var msg43 = msg("kernel", part62); - - var part63 = match("MESSAGE#43:kernel:01", "nwparser.payload", "%{process}: %{interface->} down: %{result}.", processor_chain([ - dup21, - dup22, - setc("event_description","interface down"), - dup23, 
- ])); - - var msg44 = msg("kernel:01", part63); - - var part64 = match("MESSAGE#44:kernel:02", "nwparser.payload", "%{process}: %{interface}: loopback suspected; %{result}", processor_chain([ - dup21, - dup22, - setc("event_description","loopback suspected om interface"), - dup23, - ])); - - var msg45 = msg("kernel:02", part64); - - var part65 = match("MESSAGE#45:kernel:03", "nwparser.payload", "%{process}: %{service}: soreceive() error %{resultcode}", processor_chain([ - dup30, - dup22, - setc("event_description","soreceive error"), - dup23, - ])); - - var msg46 = msg("kernel:03", part65); - - var part66 = match("MESSAGE#46:kernel:04", "nwparser.payload", "%{process}: %{service->} !VALID(state 4)->%{result}", processor_chain([ - dup21, - dup22, - setc("event_description","pfe_peer_alloc state 4"), - dup23, - ])); - - var msg47 = msg("kernel:04", part66); - - var part67 = match("MESSAGE#47:kernel:05", "nwparser.payload", "%{fld1->} %{hostip->} (%{fld2}) %{fld3->} %{process}[%{process_id}]: NTP Server %{result}", processor_chain([ - dup21, - dup22, - dup32, - dup23, - ])); - - var msg48 = msg("kernel:05", part67); - - var part68 = match("MESSAGE#48:kernel:06", "nwparser.payload", "%{fld1->} %{hostip->} %{process}[%{process_id}]: NTP Server %{result}", processor_chain([ - dup21, - dup22, - dup32, - dup23, - ])); - - var msg49 = msg("kernel:06", part68); - - var select17 = linear_select([ - msg41, - msg42, - msg43, - msg44, - msg45, - msg46, - msg47, - msg48, - msg49, - ]); - - var part69 = match("MESSAGE#49:successful_login", "nwparser.payload", "%{process}: login from %{saddr->} on %{interface->} as %{username}", processor_chain([ - dup33, - dup34, - dup35, - dup36, - dup37, - dup22, - setc("event_description","successful user login"), - dup23, - ])); - - var msg50 = msg("successful_login", part69); - - var part70 = match("MESSAGE#50:login_attempt", "nwparser.payload", "%{process}: Login attempt for user %{username->} from host %{hostip}", processor_chain([ - 
dup33, - dup34, - dup35, - dup36, - dup22, - setc("event_description","user login attempt"), - dup23, - ])); - - var msg51 = msg("login_attempt", part70); - - var part71 = match("MESSAGE#51:login", "nwparser.payload", "%{process}: PAM module %{dclass_counter1->} returned: %{space}[%{resultcode}]%{result}", processor_chain([ - dup33, - dup34, - dup37, - dup22, - setc("event_description","PAM module return from login"), - dup23, - ])); - - var msg52 = msg("login", part71); - - var select18 = linear_select([ - msg50, - msg51, - msg52, - ]); - - var part72 = match("MESSAGE#52:lsys_ssam_handler", "nwparser.payload", "%{node->} %{process}: processing lsys root-logical-system %{info}", processor_chain([ - dup21, - dup22, - setc("event_description","processing lsys root-logical-system"), - dup23, - ])); - - var msg53 = msg("lsys_ssam_handler", part72); - - var part73 = match("MESSAGE#53:mcsn", "nwparser.payload", "%{process}[%{process_id}]: Removing mif from group [%{group}] %{space->} %{result}", processor_chain([ - dup21, - dup22, - setc("event_description","Removing mif from group"), - dup23, - ])); - - var msg54 = msg("mcsn", part73); - - var part74 = match("MESSAGE#54:mrvl_dfw_log_effuse_status", "nwparser.payload", "%{process}: Firewall rows could not be redirected on device %{device}.", processor_chain([ - dup30, - dup22, - setc("event_description","Firewall rows could not be redirected on device"), - dup23, - ])); - - var msg55 = msg("mrvl_dfw_log_effuse_status", part74); - - var part75 = match("MESSAGE#55:MRVL-L2", "nwparser.payload", "%{process}:%{action}(),%{process_id}:MFilter (%{filter}) already exists", processor_chain([ - dup30, - dup22, - setc("event_description","mfilter already exists for add"), - dup23, - ])); - - var msg56 = msg("MRVL-L2", part75); - - var part76 = match("MESSAGE#56:profile_ssam_handler", "nwparser.payload", "%{node->} %{process}: processing profile SP-root %{info}", processor_chain([ - dup21, - dup22, - 
setc("event_description","processing profile SP-root"), - dup23, - ])); - - var msg57 = msg("profile_ssam_handler", part76); - - var part77 = match("MESSAGE#57:pst_nat_binding_set_profile", "nwparser.payload", "%{node->} %{process}: %{event_source}: can't get resource bucket %{dclass_counter1}", processor_chain([ - dup30, - dup22, - setc("event_description","can't get resource bucket"), - dup23, - ])); - - var msg58 = msg("pst_nat_binding_set_profile", part77); - - var part78 = match("MESSAGE#58:task_reconfigure", "nwparser.payload", "%{process}[%{process_id}]: task_reconfigure %{action}", processor_chain([ - dup21, - dup22, - setc("event_description","reinitializing done"), - dup23, - ])); - - var msg59 = msg("task_reconfigure", part78); - - var part79 = match("MESSAGE#59:tnetd/0_0", "nwparser.payload", "%{process}[%{process_id}]:%{service}[%{fld1}]: exit status%{resultcode}"); - - var part80 = match_copy("MESSAGE#59:tnetd/0_1", "nwparser.payload", "fld3"); - - var select19 = linear_select([ - part79, - part80, - ]); - - var all12 = all_match({ - processors: [ - select19, - ], - on_success: processor_chain([ - dup21, - dup22, - dup23, - dup24, - ]), - }); - - var msg60 = msg("tnetd", all12); - - var part81 = match("MESSAGE#60:PFEMAN", "nwparser.payload", "%{process}: Session manager active", processor_chain([ - dup21, - dup22, - setc("event_description","Session manager active"), - dup23, - ])); - - var msg61 = msg("PFEMAN", part81); - - var part82 = match("MESSAGE#61:mgd", "nwparser.payload", "%{process}[%{process_id}]: Could not send message to %{service}", processor_chain([ - dup30, - dup22, - setc("event_description","Could not send message to service"), - dup23, - ])); - - var msg62 = msg("mgd", part82); - - var part83 = match("MESSAGE#62:Resolve", "nwparser.payload", "Resolve request came for an address matching on Wrong nh nh:%{result}, %{info}", processor_chain([ - dup21, - dup22, - setc("event_description","Resolve request came for an address matching on 
Wrong nh"), - dup23, - ])); - - var msg63 = msg("Resolve", part83); - - var part84 = match("MESSAGE#63:respawn", "nwparser.payload", "%{process}: %{service->} exited with status = %{resultcode}", processor_chain([ - dup21, - dup22, - setc("event_description","service exited with status"), - dup23, - ])); - - var msg64 = msg("respawn", part84); - - var part85 = match("MESSAGE#64:root", "nwparser.payload", "%{process}: %{node}: This system does not have 3-DNS or Link Controller enabled", processor_chain([ - dup30, - dup22, - setc("event_description","system does not have 3-DNS or Link Controller enabled"), - dup23, - ])); - - var msg65 = msg("root", part85); - - var part86 = match("MESSAGE#65:rpd", "nwparser.payload", "%{process}[%{process_id}]: Received %{result->} for intf device %{interface}; mc_ae_id %{dclass_counter1}, status %{resultcode}", processor_chain([ - dup21, - dup22, - setc("event_description","Received data for interface"), - dup23, - ])); - - var msg66 = msg("rpd", part86); - - var part87 = match("MESSAGE#66:rpd:01", "nwparser.payload", "%{process}[%{process_id}]: RSVP neighbor %{daddr->} up on interface %{interface}", processor_chain([ - dup21, - dup22, - setc("event_description","RSVP neighbor up on interface "), - dup23, - ])); - - var msg67 = msg("rpd:01", part87); - - var part88 = match("MESSAGE#67:rpd:02", "nwparser.payload", "%{process}[%{process_id}]: %{saddr->} (%{shost}): reseting pending active connection", processor_chain([ - dup21, - dup22, - setc("event_description","reseting pending active connection"), - dup23, - ])); - - var msg68 = msg("rpd:02", part88); - - var part89 = match("MESSAGE#68:rpd_proceeding", "nwparser.payload", "%{process}: proceeding. 
%{param}", processor_chain([ - dup21, - dup22, - dup38, - dup23, - ])); - - var msg69 = msg("rpd_proceeding", part89); - - var select20 = linear_select([ - msg66, - msg67, - msg68, - msg69, - ]); - - var part90 = match("MESSAGE#69:rshd", "nwparser.payload", "%{process}[%{process_id}]: %{username->} as root: cmd='%{action}'", processor_chain([ - dup21, - dup22, - setc("event_description","user issuing command as root"), - dup23, - ])); - - var msg70 = msg("rshd", part90); - - var part91 = match("MESSAGE#70:sfd", "nwparser.payload", "%{process}: Waiting on accept", processor_chain([ - dup21, - dup22, - setc("event_description","sfd waiting on accept"), - dup23, - ])); - - var msg71 = msg("sfd", part91); - - var part92 = match("MESSAGE#71:sshd", "nwparser.payload", "%{process}[%{process_id}]: Accepted password for %{username->} from %{saddr->} port %{sport->} %{protocol}", processor_chain([ - dup33, - dup34, - dup35, - dup36, - dup37, - dup22, - setc("event_description","Accepted password"), - dup23, - ])); - - var msg72 = msg("sshd", part92); - - var part93 = match("MESSAGE#73:sshd:02", "nwparser.payload", "%{process}[%{process_id}]: Received disconnect from %{shost}: %{fld1}: %{result}", processor_chain([ - dup27, - dup22, - setc("event_description","Received disconnect"), - dup23, - ])); - - var msg73 = msg("sshd:02", part93); - - var part94 = match("MESSAGE#74:sshd:03", "nwparser.payload", "%{process}[%{process_id}]: Did not receive identification string from %{saddr}", processor_chain([ - dup30, - dup22, - setc("result","no identification string"), - setc("event_description","Did not receive identification string from peer"), - dup23, - ])); - - var msg74 = msg("sshd:03", part94); - - var part95 = match("MESSAGE#75:sshd:04", "nwparser.payload", "%{process}[%{process_id}]: Could not write ident string to %{dhost}", processor_chain([ - dup30, - dup22, - setc("event_description","Could not write ident string"), - dup23, - ])); - - var msg75 = msg("sshd:04", part95); 
- - var part96 = match("MESSAGE#76:sshd:05", "nwparser.payload", "%{process}[%{process_id}]: subsystem request for netconf", processor_chain([ - dup21, - dup22, - setc("event_description","subsystem request for netconf"), - dup23, - ])); - - var msg76 = msg("sshd:05", part96); - - var part97 = match("MESSAGE#77:sshd:06/2", "nwparser.p0", "sendmsg to %{saddr}(%{shost}).%{sport}: %{info}"); - - var all13 = all_match({ - processors: [ - dup39, - dup137, - part97, - ], - on_success: processor_chain([ - dup29, - dup22, - setc("event_description","send message stats"), - dup23, - ]), - }); - - var msg77 = msg("sshd:06", all13); - - var part98 = match("MESSAGE#78:sshd:07/2", "nwparser.p0", "Added radius server %{saddr}(%{shost})"); - - var all14 = all_match({ - processors: [ - dup39, - dup137, - part98, - ], - on_success: processor_chain([ - dup42, - setc("ec_theme","Configuration"), - setc("ec_activity","Modify"), - dup37, - dup22, - setc("event_description","Added radius server"), - dup23, - ]), - }); - - var msg78 = msg("sshd:07", all14); - - var part99 = match("MESSAGE#79:sshd:08", "nwparser.payload", "%{process}[%{process_id}]: %{result}: %{space->} [%{resultcode}]authentication error", processor_chain([ - setc("eventcategory","1301020000"), - dup34, - dup43, - dup22, - setc("event_description","authentication error"), - dup23, - ])); - - var msg79 = msg("sshd:08", part99); - - var part100 = match("MESSAGE#80:sshd:09", "nwparser.payload", "%{process}[%{process_id}]: unrecognized attribute in %{policyname}: %{change_attribute}", processor_chain([ - dup30, - dup22, - setc("event_description","unrecognized attribute in policy"), - dup23, - ])); - - var msg80 = msg("sshd:09", part100); - - var part101 = match("MESSAGE#81:sshd:10", "nwparser.payload", "%{process}: PAM module %{dclass_counter1->} returned: %{space}[%{resultcode}]%{result}", processor_chain([ - dup44, - dup34, - dup43, - dup22, - setc("event_description","PAM module return from sshd"), - dup23, - ])); - - 
var msg81 = msg("sshd:10", part101); - - var part102 = match("MESSAGE#82:sshd:11", "nwparser.payload", "%{process}: PAM authentication chain returned: %{space}[%{resultcode}]%{result}", processor_chain([ - dup44, - dup34, - dup43, - dup22, - setc("event_description","PAM authentication chain return"), - dup23, - ])); - - var msg82 = msg("sshd:11", part102); - - var part103 = match("MESSAGE#83:sshd:12", "nwparser.payload", "%{process}: %{severity}: can't get client address: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","can't get client address"), - dup23, - ])); - - var msg83 = msg("sshd:12", part103); - - var part104 = match("MESSAGE#84:sshd:13", "nwparser.payload", "%{process}: auth server unresponsive", processor_chain([ - dup30, - dup22, - setc("event_description","auth server unresponsive"), - dup23, - ])); - - var msg84 = msg("sshd:13", part104); - - var part105 = match("MESSAGE#85:sshd:14", "nwparser.payload", "%{process}: %{service}: No valid RADIUS responses received", processor_chain([ - dup30, - dup22, - setc("event_description","No valid RADIUS responses received"), - dup23, - ])); - - var msg85 = msg("sshd:14", part105); - - var part106 = match("MESSAGE#86:sshd:15", "nwparser.payload", "%{process}: Moving to next server: %{saddr}(%{shost}).%{sport}", processor_chain([ - dup21, - dup22, - setc("event_description","Moving to next server"), - dup23, - ])); - - var msg86 = msg("sshd:15", part106); - - var part107 = match("MESSAGE#87:sshd:16", "nwparser.payload", "%{fld1->} sshd: SSHD_LOGIN_FAILED: Login failed for user '%{username}' from host '%{hostip}'.", processor_chain([ - dup44, - dup34, - dup43, - dup22, - setc("event_description","Login failed for user"), - dup23, - ])); - - var msg87 = msg("sshd:16", part107); - - var select21 = linear_select([ - msg72, - msg73, - msg74, - msg75, - msg76, - msg77, - msg78, - msg79, - msg80, - msg81, - msg82, - msg83, - msg84, - msg85, - msg86, - msg87, - ]); - - var part108 = 
match("MESSAGE#72:Failed:05/0", "nwparser.payload", "%{process}[%{process_id}]: Failed password for %{p0}"); - - var part109 = match("MESSAGE#72:Failed:05/1_0", "nwparser.p0", "illegal user %{p0}"); - - var part110 = match("MESSAGE#72:Failed:05/1_1", "nwparser.p0", "invalid user %{p0}"); - - var select22 = linear_select([ - part109, - part110, - dup45, - ]); - - var part111 = match("MESSAGE#72:Failed:05/2", "nwparser.p0", "%{username->} from %{saddr->} port %{sport->} %{protocol}"); - - var all15 = all_match({ - processors: [ - part108, - select22, - part111, - ], - on_success: processor_chain([ - dup44, - dup34, - dup35, - dup36, - dup43, - dup22, - setc("event_description","authentication failure"), - dup23, - ]), - }); - - var msg88 = msg("Failed:05", all15); - - var part112 = match("MESSAGE#746:Failed/0", "nwparser.payload", "%{hostname->} %{process}[%{process_id}]: Failed to resolve ipv%{p0}"); - - var part113 = match("MESSAGE#746:Failed/1_0", "nwparser.p0", "4%{p0}"); - - var part114 = match("MESSAGE#746:Failed/1_1", "nwparser.p0", "6%{p0}"); - - var select23 = linear_select([ - part113, - part114, - ]); - - var part115 = match("MESSAGE#746:Failed/2", "nwparser.p0", "%{}addresses for domain name %{sdomain}"); - - var all16 = all_match({ - processors: [ - part112, - select23, - part115, - ], - on_success: processor_chain([ - dup46, - dup47, - dup23, - dup22, - ]), - }); - - var msg89 = msg("Failed", all16); - - var part116 = match("MESSAGE#767:Failed:01", "nwparser.payload", "%{hostname->} %{process}[%{process_id}]: %{fld1}", processor_chain([ - dup46, - dup23, - dup22, - ])); - - var msg90 = msg("Failed:01", part116); - - var part117 = match("MESSAGE#768:Failed:02/0_0", "nwparser.payload", "%{fld1->} to create a route if table for Multiservice"); - - var part118 = match_copy("MESSAGE#768:Failed:02/0_1", "nwparser.payload", "fld10"); - - var select24 = linear_select([ - part117, - part118, - ]); - - var all17 = all_match({ - processors: [ - select24, - ], - 
on_success: processor_chain([ - dup46, - dup23, - dup22, - setf("hostname","hfld1"), - ]), - }); - - var msg91 = msg("Failed:02", all17); - - var select25 = linear_select([ - msg88, - msg89, - msg90, - msg91, - ]); - - var part119 = match("MESSAGE#88:syslogd", "nwparser.payload", "%{process}: restart", processor_chain([ - dup21, - dup22, - setc("event_description","syslog daemon restart"), - dup23, - ])); - - var msg92 = msg("syslogd", part119); - - var part120 = match("MESSAGE#89:ucd-snmp", "nwparser.payload", "%{process}[%{process_id}]: AUDIT -- Action %{action->} User: %{username}", processor_chain([ - dup21, - dup22, - dup25, - dup23, - ])); - - var msg93 = msg("ucd-snmp", part120); - - var part121 = match("MESSAGE#90:ucd-snmp:01", "nwparser.payload", "%{process}[%{process_id}]: Received TERM or STOP signal %{space->} %{result}.", processor_chain([ - dup21, - dup22, - setc("event_description","Received TERM or STOP signal"), - dup23, - ])); - - var msg94 = msg("ucd-snmp:01", part121); - - var select26 = linear_select([ - msg93, - msg94, - ]); - - var part122 = match("MESSAGE#91:usp_ipc_client_reconnect", "nwparser.payload", "%{node->} %{process}: failed to connect to the server: %{result->} (%{resultcode})", processor_chain([ - dup27, - dup22, - setc("event_description","failed to connect to the server"), - dup23, - ])); - - var msg95 = msg("usp_ipc_client_reconnect", part122); - - var part123 = match("MESSAGE#92:usp_trace_ipc_disconnect", "nwparser.payload", "%{node->} %{process}:Trace client disconnected. 
%{result}", processor_chain([ - dup27, - dup22, - setc("event_description","Trace client disconnected"), - dup23, - ])); - - var msg96 = msg("usp_trace_ipc_disconnect", part123); - - var part124 = match("MESSAGE#93:usp_trace_ipc_reconnect", "nwparser.payload", "%{node->} %{process}:USP trace client cannot reconnect to server", processor_chain([ - dup30, - dup22, - setc("event_description","USP trace client cannot reconnect to server"), - dup23, - ])); - - var msg97 = msg("usp_trace_ipc_reconnect", part124); - - var part125 = match("MESSAGE#94:uspinfo", "nwparser.payload", "%{process}: flow_print_session_summary_output received %{info}", processor_chain([ - dup21, - dup22, - setc("event_description","flow_print_session_summary_output received"), - dup23, - ])); - - var msg98 = msg("uspinfo", part125); - - var part126 = match("MESSAGE#95:Version", "nwparser.payload", "Version %{version->} by builder on %{event_time_string}", processor_chain([ - dup21, - dup22, - setc("event_description","Version build date"), - dup23, - ])); - - var msg99 = msg("Version", part126); - - var part127 = match("MESSAGE#96:xntpd", "nwparser.payload", "%{process}[%{process_id}]: frequency initialized %{result->} from %(unknown)", processor_chain([ - dup21, - dup22, - setc("event_description","frequency initialized from file"), - dup23, - ])); - - var msg100 = msg("xntpd", part127); - - var part128 = match("MESSAGE#97:xntpd:01", "nwparser.payload", "%{process}[%{process_id}]: ntpd %{version->} %{event_time_string->} (%{resultcode})", processor_chain([ - dup21, - dup22, - setc("event_description","nptd version build"), - dup23, - ])); - - var msg101 = msg("xntpd:01", part128); - - var part129 = match("MESSAGE#98:xntpd:02", "nwparser.payload", "%{process}: kernel time sync enabled %{result}", processor_chain([ - dup21, - dup22, - setc("event_description","kernel time sync enabled"), - dup23, - ])); - - var msg102 = msg("xntpd:02", part129); - - var part130 = match("MESSAGE#99:xntpd:03", 
"nwparser.payload", "%{process}[%{process_id}]: NTP Server %{result}", processor_chain([ - dup21, - dup22, - dup32, - dup23, - ])); - - var msg103 = msg("xntpd:03", part130); - - var select27 = linear_select([ - msg100, - msg101, - msg102, - msg103, - ]); - - var part131 = match("MESSAGE#100:last", "nwparser.payload", "last message repeated %{dclass_counter1->} times", processor_chain([ - dup21, - dup22, - setc("event_description","last message repeated"), - dup23, - ])); - - var msg104 = msg("last", part131); - - var part132 = match("MESSAGE#739:last:01", "nwparser.payload", "message repeated %{dclass_counter1->} times", processor_chain([ - dup48, - dup47, - dup23, - dup22, - dup24, - ])); - - var msg105 = msg("last:01", part132); - - var select28 = linear_select([ - msg104, - msg105, - ]); - - var part133 = match("MESSAGE#101:BCHIP", "nwparser.payload", "%{process->} %{device}: cannot write ucode mask reg", processor_chain([ - dup30, - dup22, - setc("event_description","cannot write ucode mask reg"), - dup23, - ])); - - var msg106 = msg("BCHIP", part133); - - var part134 = match("MESSAGE#102:CM", "nwparser.payload", "%{process}(%{fld1}): Slot %{device}: On-line", processor_chain([ - dup21, - dup22, - setc("event_description","Slot on-line"), - dup23, - ])); - - var msg107 = msg("CM", part134); - - var part135 = match("MESSAGE#103:COS", "nwparser.payload", "%{process}: Received FC->Q map, %{info}", processor_chain([ - dup21, - dup22, - setc("event_description","Received FC Q map"), - dup23, - ])); - - var msg108 = msg("COS", part135); - - var part136 = match("MESSAGE#104:COSFPC", "nwparser.payload", "%{process}: ifd %{resultcode}: %{result}", processor_chain([ - dup21, - dup22, - setc("event_description","ifd error"), - dup23, - ])); - - var msg109 = msg("COSFPC", part136); - - var part137 = match("MESSAGE#105:COSMAN", "nwparser.payload", "%{process}: %{service}: delete class_to_ifl table %{dclass_counter1}, ifl %{dclass_counter2}", processor_chain([ - dup21, - 
dup22, - setc("event_description","delete class to ifl link"), - dup23, - ])); - - var msg110 = msg("COSMAN", part137); - - var part138 = match("MESSAGE#106:RDP", "nwparser.payload", "%{process}: Keepalive timeout for rdp.(%{interface}).(%{device}) (%{result})", processor_chain([ - dup30, - dup22, - setc("event_description","Keepalive timeout"), - dup23, - ])); - - var msg111 = msg("RDP", part138); - - var part139 = match("MESSAGE#107:SNTPD", "nwparser.payload", "%{process}: Initial time of day set", processor_chain([ - dup30, - dup22, - setc("event_description","Initial time of day set"), - dup23, - ])); - - var msg112 = msg("SNTPD", part139); - - var part140 = match("MESSAGE#108:SSB", "nwparser.payload", "%{process}(%{fld1}): Slot %{device}, serial number S/N %{serial_number}.", processor_chain([ - dup21, - dup22, - setc("event_description","Slot serial number"), - dup23, - ])); - - var msg113 = msg("SSB", part140); - - var part141 = match("MESSAGE#109:ACCT_ACCOUNTING_FERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unexpected error %{result->} from file %(unknown)", processor_chain([ - dup30, - dup22, - setc("event_description","Unexpected error"), - dup23, - ])); - - var msg114 = msg("ACCT_ACCOUNTING_FERROR", part141); - - var part142 = match("MESSAGE#110:ACCT_ACCOUNTING_FOPEN_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Failed to open file %(unknown): %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Failed to open file"), - dup23, - ])); - - var msg115 = msg("ACCT_ACCOUNTING_FOPEN_ERROR", part142); - - var part143 = match("MESSAGE#111:ACCT_ACCOUNTING_SMALL_FILE_SIZE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: File %{filename->} size (%{dclass_counter1}) is smaller than record size (%{dclass_counter2})", processor_chain([ - dup49, - dup22, - setc("event_description","File size mismatch"), - dup23, - ])); - - var msg116 = msg("ACCT_ACCOUNTING_SMALL_FILE_SIZE", 
part143); - - var part144 = match("MESSAGE#112:ACCT_BAD_RECORD_FORMAT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Invalid statistics record: %{result}", processor_chain([ - dup49, - dup22, - setc("event_description","Invalid statistics record"), - dup23, - ])); - - var msg117 = msg("ACCT_BAD_RECORD_FORMAT", part144); - - var part145 = match("MESSAGE#113:ACCT_CU_RTSLIB_error", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{filename->} getting class usage statistics for interface %{interface}: %{result}", processor_chain([ - dup49, - dup22, - setc("event_description","Class usage statistics error for interface"), - dup23, - ])); - - var msg118 = msg("ACCT_CU_RTSLIB_error", part145); - - var part146 = match("MESSAGE#114:ACCT_GETHOSTNAME_error/1_0", "nwparser.p0", "Error %{resultcode->} trying %{p0}"); - - var part147 = match("MESSAGE#114:ACCT_GETHOSTNAME_error/1_1", "nwparser.p0", "trying %{p0}"); - - var select29 = linear_select([ - part146, - part147, - ]); - - var part148 = match("MESSAGE#114:ACCT_GETHOSTNAME_error/2", "nwparser.p0", "to get hostname%{}"); - - var all18 = all_match({ - processors: [ - dup50, - select29, - part148, - ], - on_success: processor_chain([ - dup49, - dup22, - setc("event_description","error trying to get hostname"), - dup23, - ]), - }); - - var msg119 = msg("ACCT_GETHOSTNAME_error", all18); - - var part149 = match("MESSAGE#115:ACCT_MALLOC_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Memory allocation failed while reallocating %{obj_name}", processor_chain([ - dup51, - dup22, - setc("event_description","Memory allocation failure"), - dup23, - ])); - - var msg120 = msg("ACCT_MALLOC_FAILURE", part149); - - var part150 = match("MESSAGE#116:ACCT_UNDEFINED_COUNTER_NAME", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{filename->} in accounting profile %{dclass_counter1->} is not defined in a firewall using this filter profile", processor_chain([ - dup30, - 
dup22, - setc("event_description","Accounting profile counter not defined in firewall"), - dup23, - ])); - - var msg121 = msg("ACCT_UNDEFINED_COUNTER_NAME", part150); - - var part151 = match("MESSAGE#117:ACCT_XFER_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type->} %{result}: %{disposition}", processor_chain([ - dup30, - dup22, - setc("event_description","ACCT_XFER_FAILED"), - dup23, - ])); - - var msg122 = msg("ACCT_XFER_FAILED", part151); - - var part152 = match("MESSAGE#118:ACCT_XFER_POPEN_FAIL", "nwparser.payload", "%{process}[%{process_id}]: %{event_type->} %{result}: in invoking command command to transfer file %(unknown)", processor_chain([ - dup30, - dup22, - setc("event_description","POPEN FAIL invoking command command to transfer file"), - dup23, - ])); - - var msg123 = msg("ACCT_XFER_POPEN_FAIL", part152); - - var part153 = match("MESSAGE#119:APPQOS_LOG_EVENT", "nwparser.payload", "%{event_type->} [junos@%{obj_name->} timestamp=\"%{result}\" message-type=\"%{info}\" source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" protocol-name=\"%{protocol}\" application-name=\"%{application}\" rule-set-name=\"%{rule_group}\" rule-name=\"%{rulename}\" action=\"%{action}\" argument=\"%{fld2}\" argument1=\"%{fld3}\"]", processor_chain([ - dup28, - dup22, - dup52, - ])); - - var msg124 = msg("APPQOS_LOG_EVENT", part153); - - var part154 = match("MESSAGE#120:APPTRACK_SESSION_CREATE", "nwparser.payload", "%{event_type}: AppTrack session created %{saddr}/%{sport}->%{daddr}/%{dport->} %{service->} %{protocol->} %{fld11->} %{hostip}/%{network_port}->%{dtransaddr}/%{dtransport->} %{rulename->} %{rule_template->} %{fld12->} %{policyname->} %{src_zone->} %{dst_zone->} %{sessionid->} %{username->} %{fld10}", processor_chain([ - dup28, - dup53, - dup54, - dup22, - setc("result","AppTrack session created"), - dup23, - ])); - - var msg125 = msg("APPTRACK_SESSION_CREATE", part154); - - var part155 
= match("MESSAGE#121:APPTRACK_SESSION_CLOSE", "nwparser.payload", "%{event_type->} [junos@%{obj_name->} reason=\"%{result}\" source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" service-name=\"%{service}\" nat-source-address=\"%{hostip}\" nat-source-port=\"%{network_port}\" nat-destination-address=\"%{dtransaddr}\" nat-destination-port=\"%{dtransport}\" src-nat-rule-name=\"%{rulename}\" dst-nat-rule-name=\"%{rule_template}\" protocol-id=\"%{protocol}\" policy-name=\"%{policyname}\" source-zone-name=\"%{src_zone}\" destination-zone-name=\"%{dst_zone}\" session-id-32=\"%{sessionid}\" packets-from-client=\"%{packets}\" bytes-from-client=\"%{rbytes}\" packets-from-server=\"%{dclass_counter1}\" bytes-from-server=\"%{sbytes}\" elapsed-time=\"%{duration}\"]", processor_chain([ - dup28, - dup53, - dup55, - dup22, - dup52, - ])); - - var msg126 = msg("APPTRACK_SESSION_CLOSE", part155); - - var part156 = match("MESSAGE#122:APPTRACK_SESSION_CLOSE:01", "nwparser.payload", "%{event_type}: %{result}: %{saddr}/%{sport}->%{daddr}/%{dport->} %{service->} %{protocol->} %{fld11->} %{hostip}/%{network_port}->%{dtransaddr}/%{dtransport->} %{rulename->} %{rule_template->} %{fld12->} %{policyname->} %{src_zone->} %{dst_zone->} %{sessionid->} %{packets}(%{rbytes}) %{dclass_counter1}(%{sbytes}) %{duration->} %{username->} %{fld10}", processor_chain([ - dup28, - dup53, - dup55, - dup22, - dup23, - ])); - - var msg127 = msg("APPTRACK_SESSION_CLOSE:01", part156); - - var select30 = linear_select([ - msg126, - msg127, - ]); - - var part157 = match("MESSAGE#123:APPTRACK_SESSION_VOL_UPDATE", "nwparser.payload", "%{event_type->} [junos@%{obj_name->} source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" service-name=\"%{service}\" nat-source-address=\"%{hostip}\" nat-source-port=\"%{network_port}\" nat-destination-address=\"%{dtransaddr}\" 
nat-destination-port=\"%{dtransport}\" src-nat-rule-name=\"%{rulename}\" dst-nat-rule-name=\"%{rule_template}\" protocol-id=\"%{protocol}\" policy-name=\"%{policyname}\" source-zone-name=\"%{src_zone}\" destination-zone-name=\"%{dst_zone}\" session-id-32=\"%{sessionid}\" packets-from-client=\"%{packets}\" bytes-from-client=\"%{rbytes}\" packets-from-server=\"%{dclass_counter1}\" bytes-from-server=\"%{sbytes}\" elapsed-time=\"%{duration}\"]", processor_chain([ - dup28, - dup53, - dup22, - dup52, - ])); - - var msg128 = msg("APPTRACK_SESSION_VOL_UPDATE", part157); - - var part158 = match("MESSAGE#124:APPTRACK_SESSION_VOL_UPDATE:01", "nwparser.payload", "%{event_type}: %{result}: %{saddr}/%{sport}->%{daddr}/%{dport->} %{service->} %{protocol->} %{fld11->} %{hostip}/%{network_port}->%{dtransaddr}/%{dtransport->} %{rulename->} %{rule_template->} %{fld12->} %{policyname->} %{src_zone->} %{dst_zone->} %{sessionid->} %{packets}(%{rbytes}) %{dclass_counter1}(%{sbytes}) %{duration->} %{username->} %{fld10}", processor_chain([ - dup28, - dup53, - dup22, - dup23, - ])); - - var msg129 = msg("APPTRACK_SESSION_VOL_UPDATE:01", part158); - - var select31 = linear_select([ - msg128, - msg129, - ]); - - var msg130 = msg("BFDD_TRAP_STATE_DOWN", dup138); - - var msg131 = msg("BFDD_TRAP_STATE_UP", dup138); - - var part159 = match("MESSAGE#127:bgp_connect_start", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: connect %{saddr->} (%{shost}): %{result}", processor_chain([ - dup21, - dup22, - setc("event_description","bgp connect error"), - dup23, - ])); - - var msg132 = msg("bgp_connect_start", part159); - - var part160 = match("MESSAGE#128:bgp_event", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: peer %{daddr->} (%{dhost}) old state %{change_old->} event %{action->} new state %{change_new}", processor_chain([ - dup21, - dup22, - setc("event_description","bgp peer state change"), - dup23, - ])); - - var msg133 = msg("bgp_event", part160); - - var part161 = 
match("MESSAGE#129:bgp_listen_accept", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Connection attempt from unconfigured neighbor: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Connection attempt from unconfigured neighbor"), - dup23, - ])); - - var msg134 = msg("bgp_listen_accept", part161); - - var part162 = match("MESSAGE#130:bgp_listen_reset", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}", processor_chain([ - dup21, - dup22, - setc("event_description","bgp reset"), - dup23, - ])); - - var msg135 = msg("bgp_listen_reset", part162); - - var part163 = match("MESSAGE#131:bgp_nexthop_sanity", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: peer %{daddr->} (%{dhost}) next hop %{saddr->} local, %{result}", processor_chain([ - dup21, - dup22, - setc("event_description","peer next hop local"), - dup23, - ])); - - var msg136 = msg("bgp_nexthop_sanity", part163); - - var part164 = match("MESSAGE#132:bgp_process_caps", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: NOTIFICATION sent to %{daddr->} (%{dhost}): code %{severity->} (%{action}) subcode %{version->} (%{result}) value %{disposition}", processor_chain([ - dup30, - dup22, - setc("event_description","code RED error NOTIFICATION sent"), - dup23, - ])); - - var msg137 = msg("bgp_process_caps", part164); - - var part165 = match("MESSAGE#133:bgp_process_caps:01", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: mismatch NLRI with %{hostip->} (%{hostname}): peer: %{daddr->} us: %{saddr}", processor_chain([ - dup30, - dup22, - dup57, - dup23, - ])); - - var msg138 = msg("bgp_process_caps:01", part165); - - var select32 = linear_select([ - msg137, - msg138, - ]); - - var part166 = match("MESSAGE#134:bgp_pp_recv", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: dropping %{daddr->} (%{dhost}), %{info->} (%{protocol})", processor_chain([ - dup30, - dup22, - setc("event_description","connection 
collision"), - setc("result","dropping connection to peer"), - dup23, - ])); - - var msg139 = msg("bgp_pp_recv", part166); - - var part167 = match("MESSAGE#135:bgp_pp_recv:01", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: peer %{daddr->} (%{dhost}): received unexpected EOF", processor_chain([ - dup30, - dup22, - setc("event_description","peer received unexpected EOF"), - dup23, - ])); - - var msg140 = msg("bgp_pp_recv:01", part167); - - var select33 = linear_select([ - msg139, - msg140, - ]); - - var part168 = match("MESSAGE#136:bgp_send", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: sending %{sbytes->} bytes to %{daddr->} (%{dhost}) blocked (%{disposition}): %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","bgp send blocked error"), - dup23, - ])); - - var msg141 = msg("bgp_send", part168); - - var part169 = match("MESSAGE#137:bgp_traffic_timeout", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: NOTIFICATION sent to %{daddr->} (%{dhost}): code %{resultcode->} (%{action}), Reason: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","bgp timeout NOTIFICATION sent"), - dup23, - ])); - - var msg142 = msg("bgp_traffic_timeout", part169); - - var part170 = match("MESSAGE#138:BOOTPD_ARG_ERR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Ignoring unknown option %{resultcode}", processor_chain([ - dup30, - dup22, - setc("event_description","boot argument error"), - dup23, - ])); - - var msg143 = msg("BOOTPD_ARG_ERR", part170); - - var part171 = match("MESSAGE#139:BOOTPD_BAD_ID", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unexpected ID %{resultcode}", processor_chain([ - dup30, - dup22, - setc("event_description","boot unexpected Id value"), - dup23, - ])); - - var msg144 = msg("BOOTPD_BAD_ID", part171); - - var part172 = match("MESSAGE#140:BOOTPD_BOOTSTRING", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Boot string: 
%(unknown)", processor_chain([ - dup21, - dup22, - setc("event_description","Invalid boot string"), - dup23, - ])); - - var msg145 = msg("BOOTPD_BOOTSTRING", part172); - - var part173 = match("MESSAGE#141:BOOTPD_CONFIG_ERR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Problems with configuration file '%(unknown)', %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","configuration file error"), - dup23, - ])); - - var msg146 = msg("BOOTPD_CONFIG_ERR", part173); - - var part174 = match("MESSAGE#142:BOOTPD_CONF_OPEN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to open configuration file '%(unknown)'", processor_chain([ - dup30, - dup22, - setc("event_description","Unable to open configuration file"), - dup23, - ])); - - var msg147 = msg("BOOTPD_CONF_OPEN", part174); - - var part175 = match("MESSAGE#143:BOOTPD_DUP_REV", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Duplicate revision: %{version}", processor_chain([ - dup30, - dup22, - setc("event_description","boot - Duplicate revision"), - dup23, - ])); - - var msg148 = msg("BOOTPD_DUP_REV", part175); - - var part176 = match("MESSAGE#144:BOOTPD_DUP_SLOT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Duplicate slot default: %{ssid}", processor_chain([ - dup30, - dup22, - setc("event_description","boot - duplicate slot"), - dup23, - ])); - - var msg149 = msg("BOOTPD_DUP_SLOT", part176); - - var part177 = match("MESSAGE#145:BOOTPD_MODEL_CHK", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unexpected ID %{id->} for model %{dclass_counter1}", processor_chain([ - dup30, - dup22, - setc("event_description","Unexpected ID for model"), - dup23, - ])); - - var msg150 = msg("BOOTPD_MODEL_CHK", part177); - - var part178 = match("MESSAGE#146:BOOTPD_MODEL_ERR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unsupported model %{dclass_counter1}, %{result}", processor_chain([ - dup30, - dup22, - 
setc("event_description","Unsupported model"), - dup23, - ])); - - var msg151 = msg("BOOTPD_MODEL_ERR", part178); - - var part179 = match("MESSAGE#147:BOOTPD_NEW_CONF", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: New configuration installed", processor_chain([ - dup21, - dup22, - setc("event_description","New configuration installed"), - dup23, - ])); - - var msg152 = msg("BOOTPD_NEW_CONF", part179); - - var part180 = match("MESSAGE#148:BOOTPD_NO_BOOTSTRING", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: No boot string found for type %(unknown)", processor_chain([ - dup30, - dup22, - setc("event_description","No boot string found"), - dup23, - ])); - - var msg153 = msg("BOOTPD_NO_BOOTSTRING", part180); - - var part181 = match("MESSAGE#149:BOOTPD_NO_CONFIG", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: No configuration file '%(unknown)', %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","No configuration file found"), - dup23, - ])); - - var msg154 = msg("BOOTPD_NO_CONFIG", part181); - - var part182 = match("MESSAGE#150:BOOTPD_PARSE_ERR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %(unknown): number parse errors on SIGHUP", processor_chain([ - dup30, - dup22, - setc("event_description","parse errors on SIGHUP"), - dup23, - ])); - - var msg155 = msg("BOOTPD_PARSE_ERR", part182); - - var part183 = match("MESSAGE#151:BOOTPD_REPARSE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Reparsing configuration file '%(unknown)'", processor_chain([ - dup21, - dup22, - setc("event_description","Reparsing configuration file"), - dup23, - ])); - - var msg156 = msg("BOOTPD_REPARSE", part183); - - var part184 = match("MESSAGE#152:BOOTPD_SELECT_ERR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: select: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","select error"), - dup23, - ])); - - var msg157 = 
msg("BOOTPD_SELECT_ERR", part184); - - var part185 = match("MESSAGE#153:BOOTPD_TIMEOUT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Timeout %{result->} unreasonable", processor_chain([ - dup30, - dup22, - setc("event_description","timeout unreasonable"), - dup23, - ])); - - var msg158 = msg("BOOTPD_TIMEOUT", part185); - - var part186 = match("MESSAGE#154:BOOTPD_VERSION", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Version: %{version->} built by builder on %{event_time_string}", processor_chain([ - dup21, - dup22, - setc("event_description","boot version built"), - dup23, - ])); - - var msg159 = msg("BOOTPD_VERSION", part186); - - var part187 = match("MESSAGE#155:CHASSISD", "nwparser.payload", "%{process}[%{process_id}]: %{event_type->} %{version->} built by builder on %{event_time_string}", processor_chain([ - dup58, - dup22, - setc("event_description","CHASSISD release built"), - dup23, - ])); - - var msg160 = msg("CHASSISD", part187); - - var part188 = match("MESSAGE#156:CHASSISD_ARGUMENT_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unknown option %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","CHASSISD Unknown option"), - dup23, - ])); - - var msg161 = msg("CHASSISD_ARGUMENT_ERROR", part188); - - var part189 = match("MESSAGE#157:CHASSISD_BLOWERS_SPEED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Fans and impellers are now running at normal speed", processor_chain([ - dup21, - dup22, - setc("event_description","Fans and impellers are now running at normal speed"), - dup23, - ])); - - var msg162 = msg("CHASSISD_BLOWERS_SPEED", part189); - - var part190 = match("MESSAGE#158:CHASSISD_BLOWERS_SPEED_FULL", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Fans and impellers being set to full speed [%{result}]", processor_chain([ - dup21, - dup22, - setc("event_description","Fans and impellers being set to full speed"), - dup23, - ])); - - var 
msg163 = msg("CHASSISD_BLOWERS_SPEED_FULL", part190); - - var part191 = match("MESSAGE#159:CHASSISD_CB_READ", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{result->} reading midplane ID EEPROM, %{dclass_counter1->} %{dclass_counter2}", processor_chain([ - dup21, - dup22, - setc("event_description","reading midplane ID EEPROM"), - dup23, - ])); - - var msg164 = msg("CHASSISD_CB_READ", part191); - - var part192 = match("MESSAGE#160:CHASSISD_COMMAND_ACK_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{device->} online ack code %{dclass_counter1->} - - %{result}, %{interface}", processor_chain([ - dup30, - dup22, - setc("event_description","CHASSISD COMMAND ACK ERROR"), - dup23, - ])); - - var msg165 = msg("CHASSISD_COMMAND_ACK_ERROR", part192); - - var part193 = match("MESSAGE#161:CHASSISD_COMMAND_ACK_SF_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{disposition->} - %{result}, code %{resultcode}, SFM %{dclass_counter1}, FPC %{dclass_counter2}", processor_chain([ - dup30, - dup22, - setc("event_description","CHASSISD COMMAND ACK SF ERROR"), - dup23, - ])); - - var msg166 = msg("CHASSISD_COMMAND_ACK_SF_ERROR", part193); - - var part194 = match("MESSAGE#162:CHASSISD_CONCAT_MODE_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Cannot set no-concatenated mode for FPC %{dclass_counter2->} PIC %{dclass_counter1}", processor_chain([ - dup30, - dup22, - setc("event_description","Cannot set no-concatenated mode for FPC"), - dup23, - ])); - - var msg167 = msg("CHASSISD_CONCAT_MODE_ERROR", part194); - - var part195 = match("MESSAGE#163:CHASSISD_CONFIG_INIT_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Problems with configuration file %(unknown); %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","CONFIG File Problem"), - dup23, - ])); - - var msg168 = msg("CHASSISD_CONFIG_INIT_ERROR", part195); - - var part196 = 
match("MESSAGE#164:CHASSISD_CONFIG_WARNING", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %(unknown): %{result}, FPC %{dclass_counter2->} %{resultcode}", processor_chain([ - dup30, - dup22, - setc("event_description","CHASSISD CONFIG WARNING"), - dup23, - ])); - - var msg169 = msg("CHASSISD_CONFIG_WARNING", part196); - - var part197 = match("MESSAGE#165:CHASSISD_EXISTS", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: chassisd already running; %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","chassisd already running"), - dup23, - ])); - - var msg170 = msg("CHASSISD_EXISTS", part197); - - var part198 = match("MESSAGE#166:CHASSISD_EXISTS_TERM_OTHER", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Killing existing chassisd and exiting", processor_chain([ - dup21, - dup22, - setc("event_description","Killing existing chassisd and exiting"), - dup23, - ])); - - var msg171 = msg("CHASSISD_EXISTS_TERM_OTHER", part198); - - var part199 = match("MESSAGE#167:CHASSISD_FILE_OPEN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: File open: %(unknown), error: %{resultcode->} - - %{dclass_counter1}", processor_chain([ - dup30, - dup22, - setc("event_description","file open error"), - dup23, - ])); - - var msg172 = msg("CHASSISD_FILE_OPEN", part199); - - var part200 = match("MESSAGE#168:CHASSISD_FILE_STAT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: File stat: %(unknown), error: %{resultcode->} - - %{dclass_counter1}", processor_chain([ - dup30, - dup22, - setc("event_description","CHASSISD file statistics error"), - dup23, - ])); - - var msg173 = msg("CHASSISD_FILE_STAT", part200); - - var part201 = match("MESSAGE#169:CHASSISD_FRU_EVENT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","CHASSISD received restart EVENT"), - dup23, - ])); - - var msg174 = 
msg("CHASSISD_FRU_EVENT", part201); - - var part202 = match("MESSAGE#170:CHASSISD_FRU_IPC_WRITE_ERROR_EXT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action->} FRU %(unknown)#%{resultcode}, %{result->} %{dclass_counter1}, %{dclass_counter2}", processor_chain([ - dup30, - dup22, - setc("event_description","CHASSISD restart WRITE_ERROR"), - dup23, - ])); - - var msg175 = msg("CHASSISD_FRU_IPC_WRITE_ERROR_EXT", part202); - - var part203 = match("MESSAGE#171:CHASSISD_FRU_STEP_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{filename->} %{resultcode->} at step %{dclass_counter1}", processor_chain([ - dup30, - dup22, - setc("event_description","CHASSISD FRU STEP ERROR"), - dup23, - ])); - - var msg176 = msg("CHASSISD_FRU_STEP_ERROR", part203); - - var part204 = match("MESSAGE#172:CHASSISD_GETTIMEOFDAY", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unexpected error from gettimeofday: %{resultcode->} - %{dclass_counter1}", processor_chain([ - dup30, - dup22, - setc("event_description","Unexpected error from gettimeofday"), - dup23, - ])); - - var msg177 = msg("CHASSISD_GETTIMEOFDAY", part204); - - var part205 = match("MESSAGE#173:CHASSISD_HOST_TEMP_READ", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{result->} reading host temperature sensor", processor_chain([ - dup21, - dup22, - setc("event_description","reading host temperature sensor"), - dup23, - ])); - - var msg178 = msg("CHASSISD_HOST_TEMP_READ", part205); - - var part206 = match("MESSAGE#174:CHASSISD_IFDEV_DETACH_ALL_PSEUDO", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}(%{disposition})", processor_chain([ - dup21, - dup22, - setc("event_description","detaching all pseudo devices"), - dup23, - ])); - - var msg179 = msg("CHASSISD_IFDEV_DETACH_ALL_PSEUDO", part206); - - var part207 = match("MESSAGE#175:CHASSISD_IFDEV_DETACH_FPC", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: 
%{service}(%{resultcode})", processor_chain([ - dup21, - dup22, - setc("event_description","CHASSISD IFDEV DETACH FPC"), - dup23, - ])); - - var msg180 = msg("CHASSISD_IFDEV_DETACH_FPC", part207); - - var part208 = match("MESSAGE#176:CHASSISD_IFDEV_DETACH_PIC", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}(%{resultcode})", processor_chain([ - dup21, - dup22, - setc("event_description","CHASSISD IFDEV DETACH PIC"), - dup23, - ])); - - var msg181 = msg("CHASSISD_IFDEV_DETACH_PIC", part208); - - var part209 = match("MESSAGE#177:CHASSISD_IFDEV_DETACH_PSEUDO", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}(%{disposition})", processor_chain([ - dup21, - dup22, - setc("event_description","CHASSISD IFDEV DETACH PSEUDO"), - dup23, - ])); - - var msg182 = msg("CHASSISD_IFDEV_DETACH_PSEUDO", part209); - - var part210 = match("MESSAGE#178:CHASSISD_IFDEV_DETACH_TLV_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","CHASSISD IFDEV DETACH TLV ERROR"), - dup23, - ])); - - var msg183 = msg("CHASSISD_IFDEV_DETACH_TLV_ERROR", part210); - - var part211 = match("MESSAGE#179:CHASSISD_IFDEV_GET_BY_INDEX_FAIL", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: rtslib_ifdm_get_by_index failed: %{resultcode->} - %{dclass_counter1}", processor_chain([ - dup30, - dup22, - setc("event_description","rtslib_ifdm_get_by_index failed"), - dup23, - ])); - - var msg184 = msg("CHASSISD_IFDEV_GET_BY_INDEX_FAIL", part211); - - var part212 = match("MESSAGE#180:CHASSISD_IPC_MSG_QFULL_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{result}: type = %{dclass_counter1}, subtype = %{dclass_counter2}", processor_chain([ - dup30, - dup22, - setc("event_description","Message Queue full"), - dup23, - ])); - - var msg185 = msg("CHASSISD_IPC_MSG_QFULL_ERROR", part212); - - var part213 = 
match("MESSAGE#181:CHASSISD_IPC_UNEXPECTED_RECV", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Received unexpected message from %{service}: type = %{dclass_counter1}, subtype = %{dclass_counter2}", processor_chain([ - dup30, - dup22, - setc("event_description","Received unexpected message"), - dup23, - ])); - - var msg186 = msg("CHASSISD_IPC_UNEXPECTED_RECV", part213); - - var part214 = match("MESSAGE#182:CHASSISD_IPC_WRITE_ERR_NO_PIPE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: FRU has no connection pipe %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","FRU has no connection pipe"), - dup23, - ])); - - var msg187 = msg("CHASSISD_IPC_WRITE_ERR_NO_PIPE", part214); - - var part215 = match("MESSAGE#183:CHASSISD_IPC_WRITE_ERR_NULL_ARGS", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: FRU has no connection arguments %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","FRU has no connection arguments"), - dup23, - ])); - - var msg188 = msg("CHASSISD_IPC_WRITE_ERR_NULL_ARGS", part215); - - var part216 = match("MESSAGE#184:CHASSISD_MAC_ADDRESS_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: chassisd MAC address allocation error", processor_chain([ - dup30, - dup22, - setc("event_description","chassisd MAC address allocation error"), - dup23, - ])); - - var msg189 = msg("CHASSISD_MAC_ADDRESS_ERROR", part216); - - var part217 = match("MESSAGE#185:CHASSISD_MAC_DEFAULT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Using default MAC address base", processor_chain([ - dup21, - dup22, - setc("event_description","Using default MAC address base"), - dup23, - ])); - - var msg190 = msg("CHASSISD_MAC_DEFAULT", part217); - - var part218 = match("MESSAGE#186:CHASSISD_MBUS_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service->} %{resultcode}: management bus failed sanity test", processor_chain([ - dup30, - dup22, - 
setc("event_description","management bus failed sanity test"), - dup23, - ])); - - var msg191 = msg("CHASSISD_MBUS_ERROR", part218); - - var part219 = match("MESSAGE#187:CHASSISD_PARSE_COMPLETE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Using new configuration", processor_chain([ - dup21, - dup22, - setc("event_description","Using new configuration"), - dup23, - ])); - - var msg192 = msg("CHASSISD_PARSE_COMPLETE", part219); - - var part220 = match("MESSAGE#188:CHASSISD_PARSE_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: %{resultcode->} %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","CHASSISD PARSE ERROR"), - dup23, - ])); - - var msg193 = msg("CHASSISD_PARSE_ERROR", part220); - - var part221 = match("MESSAGE#189:CHASSISD_PARSE_INIT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Parsing configuration file '%(unknown)'", processor_chain([ - dup21, - dup22, - setc("event_description","Parsing configuration file"), - dup23, - ])); - - var msg194 = msg("CHASSISD_PARSE_INIT", part221); - - var part222 = match("MESSAGE#190:CHASSISD_PIDFILE_OPEN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to open PID file '%(unknown)': %{result->} %{resultcode}", processor_chain([ - dup30, - dup22, - setc("event_description","Unable to open PID file"), - dup23, - ])); - - var msg195 = msg("CHASSISD_PIDFILE_OPEN", part222); - - var part223 = match("MESSAGE#191:CHASSISD_PIPE_WRITE_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Pipe error: %{resultcode}", processor_chain([ - dup30, - dup22, - setc("event_description","Pipe error"), - dup23, - ])); - - var msg196 = msg("CHASSISD_PIPE_WRITE_ERROR", part223); - - var part224 = match("MESSAGE#192:CHASSISD_POWER_CHECK", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{device->} %{dclass_counter1->} not powering up", processor_chain([ - dup59, - dup22, - 
setc("event_description","device not powering up"), - dup23, - ])); - - var msg197 = msg("CHASSISD_POWER_CHECK", part224); - - var part225 = match("MESSAGE#193:CHASSISD_RECONNECT_SUCCESSFUL", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Successfully reconnected on soft restart", processor_chain([ - dup21, - dup22, - setc("event_description","Successful reconnect on soft restart"), - dup23, - ])); - - var msg198 = msg("CHASSISD_RECONNECT_SUCCESSFUL", part225); - - var part226 = match("MESSAGE#194:CHASSISD_RELEASE_MASTERSHIP", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Release mastership notification", processor_chain([ - dup21, - dup22, - setc("event_description","Release mastership notification"), - dup23, - ])); - - var msg199 = msg("CHASSISD_RELEASE_MASTERSHIP", part226); - - var part227 = match("MESSAGE#195:CHASSISD_RE_INIT_INVALID_RE_SLOT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: re_init: re %{resultcode}, %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","re_init Invalid RE slot"), - dup23, - ])); - - var msg200 = msg("CHASSISD_RE_INIT_INVALID_RE_SLOT", part227); - - var part228 = match("MESSAGE#196:CHASSISD_ROOT_MOUNT_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to determine the mount point for root directory: %{resultcode}", processor_chain([ - dup30, - dup22, - setc("event_description","Unable to determine mount point for root directory"), - dup23, - ])); - - var msg201 = msg("CHASSISD_ROOT_MOUNT_ERROR", part228); - - var part229 = match("MESSAGE#197:CHASSISD_RTS_SEQ_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: ifmsg sequence gap %{resultcode->} - - %{dclass_counter1}", processor_chain([ - dup30, - dup22, - setc("event_description","ifmsg sequence gap"), - dup23, - ])); - - var msg202 = msg("CHASSISD_RTS_SEQ_ERROR", part229); - - var part230 = match("MESSAGE#198:CHASSISD_SBOARD_VERSION_MISMATCH", 
"nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Version mismatch: %{info}", processor_chain([ - setc("eventcategory","1603040000"), - dup22, - setc("event_description","Version mismatch"), - dup23, - ])); - - var msg203 = msg("CHASSISD_SBOARD_VERSION_MISMATCH", part230); - - var part231 = match("MESSAGE#199:CHASSISD_SERIAL_ID", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Serial ID read error: %{resultcode->} - - %{dclass_counter1}", processor_chain([ - dup30, - dup22, - setc("event_description","Serial ID read error"), - dup23, - ])); - - var msg204 = msg("CHASSISD_SERIAL_ID", part231); - - var part232 = match("MESSAGE#200:CHASSISD_SMB_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}: fpga download not complete: val %{resultcode}, %{dclass_counter1}", processor_chain([ - dup30, - dup22, - setc("event_description","fpga download not complete"), - dup23, - ])); - - var msg205 = msg("CHASSISD_SMB_ERROR", part232); - - var part233 = match("MESSAGE#201:CHASSISD_SNMP_TRAP6", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: SNMP trap generated: %{result->} (%{info})", processor_chain([ - dup58, - dup22, - setc("event_description","SNMP Trap6 generated"), - dup23, - ])); - - var msg206 = msg("CHASSISD_SNMP_TRAP6", part233); - - var part234 = match("MESSAGE#202:CHASSISD_SNMP_TRAP7", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: SNMP trap: %{result}: %{info}", processor_chain([ - dup30, - dup22, - setc("event_description","SNMP Trap7 generated"), - dup23, - ])); - - var msg207 = msg("CHASSISD_SNMP_TRAP7", part234); - - var part235 = match("MESSAGE#203:CHASSISD_SNMP_TRAP10", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: SNMP trap: %{result}: %{info}", processor_chain([ - dup21, - dup22, - setc("event_description","SNMP trap - FRU power on"), - dup23, - ])); - - var msg208 = msg("CHASSISD_SNMP_TRAP10", part235); - - var part236 = 
match("MESSAGE#204:CHASSISD_TERM_SIGNAL", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Received SIGTERM request, %{result}", processor_chain([ - dup60, - dup22, - setc("event_description","Received SIGTERM request"), - dup23, - ])); - - var msg209 = msg("CHASSISD_TERM_SIGNAL", part236); - - var part237 = match("MESSAGE#205:CHASSISD_TRACE_PIC_OFFLINE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Taking PIC offline - - FPC slot %{dclass_counter1}, PIC slot %{dclass_counter2}", processor_chain([ - dup21, - dup22, - setc("event_description","Taking PIC offline"), - dup23, - ])); - - var msg210 = msg("CHASSISD_TRACE_PIC_OFFLINE", part237); - - var part238 = match("MESSAGE#206:CHASSISD_UNEXPECTED_EXIT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service->} returned %{resultcode}: %{dclass_counter1}", processor_chain([ - dup30, - dup22, - setc("event_description","UNEXPECTED EXIT"), - dup23, - ])); - - var msg211 = msg("CHASSISD_UNEXPECTED_EXIT", part238); - - var part239 = match("MESSAGE#207:CHASSISD_UNSUPPORTED_MODEL", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Model %{dclass_counter1->} unsupported with this version of chassisd", processor_chain([ - dup59, - dup22, - setc("event_description","Model number unsupported with this version of chassisd"), - dup23, - ])); - - var msg212 = msg("CHASSISD_UNSUPPORTED_MODEL", part239); - - var part240 = match("MESSAGE#208:CHASSISD_VERSION_MISMATCH", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Version mismatch: %{info}", processor_chain([ - dup59, - dup22, - setc("event_description","Chassisd Version mismatch"), - dup23, - ])); - - var msg213 = msg("CHASSISD_VERSION_MISMATCH", part240); - - var part241 = match("MESSAGE#209:CHASSISD_HIGH_TEMP_CONDITION", "nwparser.payload", "%{process->} %{process_id->} %{event_type->} [junos@%{obj_name->} temperature=\"%{fld2}\" message=\"%{info}\"]", processor_chain([ - dup59, - dup22, - 
setc("event_description","CHASSISD HIGH TEMP CONDITION"), - dup61, - dup62, - ])); - - var msg214 = msg("CHASSISD_HIGH_TEMP_CONDITION", part241); - - var part242 = match("MESSAGE#210:clean_process", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: process %{agent->} RESTART mode %{event_state->} new master=%{obj_name->} old failover=%{change_old->} new failover = %{change_new}", processor_chain([ - dup21, - dup22, - setc("event_description","process RESTART mode"), - dup23, - ])); - - var msg215 = msg("clean_process", part242); - - var part243 = match("MESSAGE#211:CM_JAVA", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Chassis %{group->} Linklocal MAC:%{macaddr}", processor_chain([ - dup21, - dup22, - setc("event_description","Chassis Linklocal to MAC"), - dup23, - ])); - - var msg216 = msg("CM_JAVA", part243); - - var part244 = match("MESSAGE#212:DCD_AS_ROOT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Must be run as root", processor_chain([ - dup63, - dup22, - setc("event_description","DCD must be run as root"), - dup23, - ])); - - var msg217 = msg("DCD_AS_ROOT", part244); - - var part245 = match("MESSAGE#213:DCD_FILTER_LIB_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Filter library initialization failed", processor_chain([ - dup30, - dup22, - setc("event_description","Filter library initialization failed"), - dup23, - ])); - - var msg218 = msg("DCD_FILTER_LIB_ERROR", part245); - - var msg219 = msg("DCD_MALLOC_FAILED_INIT", dup139); - - var part246 = match("MESSAGE#215:DCD_PARSE_EMERGENCY", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: errors while parsing configuration file", processor_chain([ - dup30, - dup22, - setc("event_description","errors while parsing configuration file"), - dup23, - ])); - - var msg220 = msg("DCD_PARSE_EMERGENCY", part246); - - var part247 = match("MESSAGE#216:DCD_PARSE_FILTER_EMERGENCY", "nwparser.payload", 
"%{process}[%{process_id}]: %{event_type}: %{service}: errors while parsing filter index file", processor_chain([ - dup30, - dup22, - setc("event_description","errors while parsing filter index file"), - dup23, - ])); - - var msg221 = msg("DCD_PARSE_FILTER_EMERGENCY", part247); - - var part248 = match("MESSAGE#217:DCD_PARSE_MINI_EMERGENCY", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: errors while parsing configuration overlay", processor_chain([ - dup30, - dup22, - setc("event_description","errors while parsing configuration overlay"), - dup23, - ])); - - var msg222 = msg("DCD_PARSE_MINI_EMERGENCY", part248); - - var part249 = match("MESSAGE#218:DCD_PARSE_STATE_EMERGENCY", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: An unhandled state was encountered during interface parsing", processor_chain([ - dup30, - dup22, - setc("event_description","unhandled state was encountered during interface parsing"), - dup23, - ])); - - var msg223 = msg("DCD_PARSE_STATE_EMERGENCY", part249); - - var part250 = match("MESSAGE#219:DCD_POLICER_PARSE_EMERGENCY", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: errors while parsing policer indexfile", processor_chain([ - dup30, - dup22, - setc("event_description","errors while parsing policer indexfile"), - dup23, - ])); - - var msg224 = msg("DCD_POLICER_PARSE_EMERGENCY", part250); - - var part251 = match("MESSAGE#220:DCD_PULL_LOG_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Failed to pull file %{filename->} after %{dclass_counter1->} retries last error=%{resultcode}", processor_chain([ - dup30, - dup22, - setc("event_description","Failed to pull file"), - dup23, - ])); - - var msg225 = msg("DCD_PULL_LOG_FAILURE", part251); - - var part252 = match("MESSAGE#221:DFWD_ARGUMENT_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","DFWD ARGUMENT 
ERROR"), - dup23, - ])); - - var msg226 = msg("DFWD_ARGUMENT_ERROR", part252); - - var msg227 = msg("DFWD_MALLOC_FAILED_INIT", dup139); - - var part253 = match("MESSAGE#223:DFWD_PARSE_FILTER_EMERGENCY", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service->} encountered errors while parsing filter index file", processor_chain([ - dup30, - dup22, - setc("event_description","errors encountered while parsing filter index file"), - dup23, - ])); - - var msg228 = msg("DFWD_PARSE_FILTER_EMERGENCY", part253); - - var part254 = match("MESSAGE#224:DFWD_PARSE_STATE_EMERGENCY", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service->} encountered unhandled state while parsing interface", processor_chain([ - dup30, - dup22, - setc("event_description","encountered unhandled state while parsing interface"), - dup23, - ])); - - var msg229 = msg("DFWD_PARSE_STATE_EMERGENCY", part254); - - var msg230 = msg("ECCD_DAEMONIZE_FAILED", dup140); - - var msg231 = msg("ECCD_DUPLICATE", dup141); - - var part255 = match("MESSAGE#227:ECCD_LOOP_EXIT_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: MainLoop return value: %{disposition}, error: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","ECCD LOOP EXIT FAILURE"), - dup23, - ])); - - var msg232 = msg("ECCD_LOOP_EXIT_FAILURE", part255); - - var part256 = match("MESSAGE#228:ECCD_NOT_ROOT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Must be run as root", processor_chain([ - dup63, - dup22, - setc("event_description","ECCD Must be run as root"), - dup23, - ])); - - var msg233 = msg("ECCD_NOT_ROOT", part256); - - var part257 = match("MESSAGE#229:ECCD_PCI_FILE_OPEN_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: open() failed: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","ECCD PCI FILE OPEN FAILED"), - dup23, - ])); - - var msg234 = msg("ECCD_PCI_FILE_OPEN_FAILED", part257); - - var 
part258 = match("MESSAGE#230:ECCD_PCI_READ_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","PCI read failure"), - dup23, - ])); - - var msg235 = msg("ECCD_PCI_READ_FAILED", part258); - - var part259 = match("MESSAGE#231:ECCD_PCI_WRITE_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","PCI write failure"), - dup23, - ])); - - var msg236 = msg("ECCD_PCI_WRITE_FAILED", part259); - - var msg237 = msg("ECCD_PID_FILE_LOCK", dup142); - - var msg238 = msg("ECCD_PID_FILE_UPDATE", dup143); - - var part260 = match("MESSAGE#234:ECCD_TRACE_FILE_OPEN_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","ECCD TRACE FILE OPEN FAILURE"), - dup23, - ])); - - var msg239 = msg("ECCD_TRACE_FILE_OPEN_FAILED", part260); - - var part261 = match("MESSAGE#235:ECCD_usage", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{result}: %{info}", processor_chain([ - dup21, - dup22, - setc("event_description","ECCD Usage"), - dup23, - ])); - - var msg240 = msg("ECCD_usage", part261); - - var part262 = match("MESSAGE#236:EVENTD_AUDIT_SHOW", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User %{username->} viewed security audit log with arguments: %{param}", processor_chain([ - dup21, - dup22, - setc("event_description","User viewed security audit log with arguments"), - dup23, - ])); - - var msg241 = msg("EVENTD_AUDIT_SHOW", part262); - - var part263 = match("MESSAGE#237:FLOW_REASSEMBLE_SUCCEED", "nwparser.payload", "%{event_type}: Packet merged source %{saddr->} destination %{daddr->} ipid %{fld11->} succeed", processor_chain([ - dup21, - dup22, - dup23, - ])); - - var msg242 = msg("FLOW_REASSEMBLE_SUCCEED", part263); - - var part264 = 
match("MESSAGE#238:FSAD_CHANGE_FILE_OWNER", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to change owner of file `%(unknown)' to user %{username}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Unable to change owner of file"), - dup23, - ])); - - var msg243 = msg("FSAD_CHANGE_FILE_OWNER", part264); - - var part265 = match("MESSAGE#239:FSAD_CONFIG_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","FSAD CONFIG ERROR"), - dup23, - ])); - - var msg244 = msg("FSAD_CONFIG_ERROR", part265); - - var part266 = match("MESSAGE#240:FSAD_CONNTIMEDOUT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Connection timed out to the client (%{shost}, %{saddr}) having request type %{obj_type}", processor_chain([ - dup30, - dup22, - setc("event_description","Connection timed out to client"), - dup23, - ])); - - var msg245 = msg("FSAD_CONNTIMEDOUT", part266); - - var part267 = match("MESSAGE#241:FSAD_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: %{action}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","FSAD_FAILED"), - dup23, - ])); - - var msg246 = msg("FSAD_FAILED", part267); - - var part268 = match("MESSAGE#242:FSAD_FETCHTIMEDOUT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Fetch to server %{hostname->} for file `%(unknown)' timed out", processor_chain([ - dup30, - dup22, - setc("event_description","Fetch to server to get file timed out"), - dup23, - ])); - - var msg247 = msg("FSAD_FETCHTIMEDOUT", part268); - - var part269 = match("MESSAGE#243:FSAD_FILE_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: fn failed for file `%(unknown)' with error message %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","fn failed for file"), - dup23, - ])); - - var msg248 = 
msg("FSAD_FILE_FAILED", part269); - - var part270 = match("MESSAGE#244:FSAD_FILE_REMOVE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to remove file `%(unknown)': %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Unable to remove file"), - dup23, - ])); - - var msg249 = msg("FSAD_FILE_REMOVE", part270); - - var part271 = match("MESSAGE#245:FSAD_FILE_RENAME", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to rename file `%(unknown)' to `%{resultcode}': %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Unable to rename file"), - dup23, - ])); - - var msg250 = msg("FSAD_FILE_RENAME", part271); - - var part272 = match("MESSAGE#246:FSAD_FILE_STAT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service->} failed for file pathname %(unknown): %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","stat failed for file"), - dup23, - ])); - - var msg251 = msg("FSAD_FILE_STAT", part272); - - var part273 = match("MESSAGE#247:FSAD_FILE_SYNC", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to sync file %(unknown)': %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Unable to sync file"), - dup23, - ])); - - var msg252 = msg("FSAD_FILE_SYNC", part273); - - var part274 = match("MESSAGE#248:FSAD_MAXCONN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Upper limit reached in fsad for handling connections", processor_chain([ - dup30, - dup22, - setc("event_description","Upper limit reached in fsad"), - dup23, - ])); - - var msg253 = msg("FSAD_MAXCONN", part274); - - var part275 = match("MESSAGE#249:FSAD_MEMORYALLOC_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service->} failed in the function %{action->} (%{resultcode})", processor_chain([ - dup51, - dup22, - setc("event_description","FSAD MEMORYALLOC FAILED"), - dup23, - ])); - - var msg254 = 
msg("FSAD_MEMORYALLOC_FAILED", part275); - - var part276 = match("MESSAGE#250:FSAD_NOT_ROOT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Must be run as root", processor_chain([ - dup63, - dup22, - setc("event_description","FSAD must be run as root"), - dup23, - ])); - - var msg255 = msg("FSAD_NOT_ROOT", part276); - - var part277 = match("MESSAGE#251:FSAD_PARENT_DIRECTORY", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: invalid directory: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","invalid directory"), - dup23, - ])); - - var msg256 = msg("FSAD_PARENT_DIRECTORY", part277); - - var part278 = match("MESSAGE#252:FSAD_PATH_IS_DIRECTORY", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: File path cannot be a directory (%(unknown))", processor_chain([ - dup30, - dup22, - setc("event_description","File path cannot be a directory"), - dup23, - ])); - - var msg257 = msg("FSAD_PATH_IS_DIRECTORY", part278); - - var part279 = match("MESSAGE#253:FSAD_PATH_IS_SPECIAL", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Not a regular file (%(unknown))", processor_chain([ - dup30, - dup22, - setc("event_description","Not a regular file"), - dup23, - ])); - - var msg258 = msg("FSAD_PATH_IS_SPECIAL", part279); - - var part280 = match("MESSAGE#254:FSAD_RECVERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: fsad received error message from client having request type %{obj_type->} at (%{saddr}, %{sport})", processor_chain([ - dup30, - dup22, - setc("event_description","fsad received error message from client"), - dup23, - ])); - - var msg259 = msg("FSAD_RECVERROR", part280); - - var part281 = match("MESSAGE#255:FSAD_TERMINATED_CONNECTION", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Open file %(unknown)` closed due to %{result}", processor_chain([ - dup27, - dup22, - setc("event_description","FSAD TERMINATED CONNECTION"), - dup23, - ])); - - 
var msg260 = msg("FSAD_TERMINATED_CONNECTION", part281); - - var part282 = match("MESSAGE#256:FSAD_TERMINATING_SIGNAL", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Received terminating %{resultcode}; %{result}", processor_chain([ - dup21, - dup22, - setc("event_description","Received terminating signal"), - dup23, - ])); - - var msg261 = msg("FSAD_TERMINATING_SIGNAL", part282); - - var part283 = match("MESSAGE#257:FSAD_TRACEOPEN_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Open operation on trace file `%(unknown)' returned error %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Open operation on trace file failed"), - dup23, - ])); - - var msg262 = msg("FSAD_TRACEOPEN_FAILED", part283); - - var part284 = match("MESSAGE#258:FSAD_USAGE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Incorrect usage, %{info}", processor_chain([ - dup21, - dup22, - setc("event_description","Incorrect FSAD usage"), - dup23, - ])); - - var msg263 = msg("FSAD_USAGE", part284); - - var part285 = match("MESSAGE#259:GGSN_ALARM_TRAP_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: %{action}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","GGSN ALARM TRAP FAILED"), - dup23, - ])); - - var msg264 = msg("GGSN_ALARM_TRAP_FAILED", part285); - - var part286 = match("MESSAGE#260:GGSN_ALARM_TRAP_SEND", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: %{action}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","GGSN ALARM TRAP SEND FAILED"), - dup23, - ])); - - var msg265 = msg("GGSN_ALARM_TRAP_SEND", part286); - - var part287 = match("MESSAGE#261:GGSN_TRAP_SEND", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unknown trap request type %{obj_type}", processor_chain([ - dup30, - dup22, - setc("event_description","Unknown trap request type"), - dup23, - ])); - - var msg266 = 
msg("GGSN_TRAP_SEND", part287); - - var part288 = match("MESSAGE#262:JADE_AUTH_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Authorization failed: %{result}", processor_chain([ - dup69, - dup34, - setc("ec_subject","Service"), - dup43, - dup22, - setc("event_description","Authorization failed"), - dup23, - ])); - - var msg267 = msg("JADE_AUTH_ERROR", part288); - - var part289 = match("MESSAGE#263:JADE_EXEC_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: CLI %{resultcode->} %{action}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","JADE EXEC ERROR"), - dup23, - ])); - - var msg268 = msg("JADE_EXEC_ERROR", part289); - - var part290 = match("MESSAGE#264:JADE_NO_LOCAL_USER", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Local user %{username->} does not exist", processor_chain([ - dup30, - dup22, - setc("event_description","Local user does not exist"), - dup23, - ])); - - var msg269 = msg("JADE_NO_LOCAL_USER", part290); - - var part291 = match("MESSAGE#265:JADE_PAM_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","JADE PAM error"), - dup23, - ])); - - var msg270 = msg("JADE_PAM_ERROR", part291); - - var part292 = match("MESSAGE#266:JADE_PAM_NO_LOCAL_USER", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to get local username from PAM: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Unable to get local username from PAM"), - dup23, - ])); - - var msg271 = msg("JADE_PAM_NO_LOCAL_USER", part292); - - var part293 = match("MESSAGE#267:KERN_ARP_ADDR_CHANGE", "nwparser.payload", "%{process}: %{event_type}: arp info overwritten for %{saddr->} from %{smacaddr->} to %{dmacaddr}", processor_chain([ - dup30, - dup22, - setc("event_description","arp info overwritten"), - dup23, - ])); - - var msg272 = msg("KERN_ARP_ADDR_CHANGE", 
part293); - - var part294 = match("MESSAGE#268:KMD_PM_SA_ESTABLISHED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Local gateway: %{gateway}, Remote gateway: %{fld1}, Local ID:%{fld2}, Remote ID:%{fld3}, Direction:%{fld4}, SPI:%{fld5}", processor_chain([ - dup30, - dup22, - setc("event_description","security association has been established"), - dup23, - ])); - - var msg273 = msg("KMD_PM_SA_ESTABLISHED", part294); - - var part295 = match("MESSAGE#269:L2CPD_TASK_REINIT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Reinitialized", processor_chain([ - dup21, - dup22, - setc("event_description","Task Reinitialized"), - dup61, - dup23, - ])); - - var msg274 = msg("L2CPD_TASK_REINIT", part295); - - var part296 = match("MESSAGE#270:LIBJNX_EXEC_EXITED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Command stopped: PID %{child_pid}, signal='%{obj_type}' %{result}, command '%{action}'", processor_chain([ - dup21, - dup22, - dup70, - dup23, - ])); - - var msg275 = msg("LIBJNX_EXEC_EXITED", part296); - - var part297 = match("MESSAGE#271:LIBJNX_EXEC_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Child exec failed for command '%{action}': %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Child exec failed for command"), - dup23, - ])); - - var msg276 = msg("LIBJNX_EXEC_FAILED", part297); - - var msg277 = msg("LIBJNX_EXEC_PIPE", dup144); - - var part298 = match("MESSAGE#273:LIBJNX_EXEC_SIGNALED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Command received signal: PID %{child_pid}, signal %{result}, command '%{action}'", processor_chain([ - dup30, - dup22, - setc("event_description","Command received signal"), - dup23, - ])); - - var msg278 = msg("LIBJNX_EXEC_SIGNALED", part298); - - var part299 = match("MESSAGE#274:LIBJNX_EXEC_WEXIT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Command exited: PID %{child_pid}, status %{result}, command 
'%{action}'", processor_chain([ - dup21, - dup22, - dup72, - dup23, - ])); - - var msg279 = msg("LIBJNX_EXEC_WEXIT", part299); - - var part300 = match("MESSAGE#275:LIBJNX_FILE_COPY_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: copy_file_to_transfer_dir failed to copy from source to destination", processor_chain([ - dup73, - dup22, - setc("event_description","copy_file_to_transfer_dir failed to copy"), - dup23, - ])); - - var msg280 = msg("LIBJNX_FILE_COPY_FAILED", part300); - - var part301 = match("MESSAGE#276:LIBJNX_PRIV_LOWER_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to lower privilege level: %{result}", processor_chain([ - dup73, - dup22, - setc("event_description","Unable to lower privilege level"), - dup23, - ])); - - var msg281 = msg("LIBJNX_PRIV_LOWER_FAILED", part301); - - var part302 = match("MESSAGE#277:LIBJNX_PRIV_RAISE_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to raise privilege level: %{result}", processor_chain([ - dup73, - dup22, - setc("event_description","Unable to raise privilege level"), - dup23, - ])); - - var msg282 = msg("LIBJNX_PRIV_RAISE_FAILED", part302); - - var part303 = match("MESSAGE#278:LIBJNX_REPLICATE_RCP_EXEC_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}: %{result}", processor_chain([ - dup73, - dup22, - setc("event_description","rcp failed"), - dup23, - ])); - - var msg283 = msg("LIBJNX_REPLICATE_RCP_EXEC_FAILED", part303); - - var part304 = match("MESSAGE#279:LIBJNX_ROTATE_COMPRESS_EXEC_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{resultcode->} %{dclass_counter1->} -f %{action}: %{result}", processor_chain([ - dup73, - dup22, - setc("event_description","ROTATE COMPRESS EXEC FAILED"), - dup23, - ])); - - var msg284 = msg("LIBJNX_ROTATE_COMPRESS_EXEC_FAILED", part304); - - var part305 = match("MESSAGE#280:LIBSERVICED_CLIENT_CONNECTION", "nwparser.payload", 
"%{process}[%{process_id}]: %{event_type}: Client connection error: %{result}", processor_chain([ - dup74, - dup22, - setc("event_description","Client connection error"), - dup23, - ])); - - var msg285 = msg("LIBSERVICED_CLIENT_CONNECTION", part305); - - var part306 = match("MESSAGE#281:LIBSERVICED_OUTBOUND_REQUEST", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Outbound request failed for command [%{action}]: %{result}", processor_chain([ - dup73, - dup22, - setc("event_description","Outbound request failed for command"), - dup23, - ])); - - var msg286 = msg("LIBSERVICED_OUTBOUND_REQUEST", part306); - - var part307 = match("MESSAGE#282:LIBSERVICED_SNMP_LOST_CONNECTION", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Connection closed while receiving from client %{dclass_counter1}", processor_chain([ - dup27, - dup22, - setc("event_description","Connection closed while receiving from client"), - dup23, - ])); - - var msg287 = msg("LIBSERVICED_SNMP_LOST_CONNECTION", part307); - - var part308 = match("MESSAGE#283:LIBSERVICED_SOCKET_BIND", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{resultcode}: unable to bind socket %{ssid}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","unable to bind socket"), - dup23, - ])); - - var msg288 = msg("LIBSERVICED_SOCKET_BIND", part308); - - var part309 = match("MESSAGE#284:LIBSERVICED_SOCKET_PRIVATIZE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to attach socket %{ssid->} to management routing instance: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Unable to attach socket to management routing instance"), - dup23, - ])); - - var msg289 = msg("LIBSERVICED_SOCKET_PRIVATIZE", part309); - - var part310 = match("MESSAGE#285:LICENSE_EXPIRED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","LICENSE EXPIRED"), - 
dup23, - ])); - - var msg290 = msg("LICENSE_EXPIRED", part310); - - var part311 = match("MESSAGE#286:LICENSE_EXPIRED_KEY_DELETED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: License key \"%(unknown)\" has expired.", processor_chain([ - dup21, - dup22, - setc("event_description","License key has expired"), - dup23, - ])); - - var msg291 = msg("LICENSE_EXPIRED_KEY_DELETED", part311); - - var part312 = match("MESSAGE#287:LICENSE_NEARING_EXPIRY", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: License for feature %{disposition->} %{result}", processor_chain([ - dup21, - dup22, - setc("event_description","License key expiration soon"), - dup23, - ])); - - var msg292 = msg("LICENSE_NEARING_EXPIRY", part312); - - var part313 = match("MESSAGE#288:LOGIN_ABORTED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Client aborted login", processor_chain([ - dup30, - dup22, - setc("event_description","client aborted login"), - dup23, - ])); - - var msg293 = msg("LOGIN_ABORTED", part313); - - var part314 = match("MESSAGE#289:LOGIN_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Login failed for user %{username->} from host %{dhost}", processor_chain([ - dup44, - dup34, - dup35, - dup36, - dup43, - dup22, - dup75, - dup23, - ])); - - var msg294 = msg("LOGIN_FAILED", part314); - - var part315 = match("MESSAGE#290:LOGIN_FAILED_INCORRECT_PASSWORD", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Incorrect password for user %{username}", processor_chain([ - dup44, - dup34, - dup35, - dup36, - dup43, - dup22, - dup75, - setc("result","Incorrect password for user"), - dup23, - ])); - - var msg295 = msg("LOGIN_FAILED_INCORRECT_PASSWORD", part315); - - var part316 = match("MESSAGE#291:LOGIN_FAILED_SET_CONTEXT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Failed to set context for user %{username}", processor_chain([ - dup44, - dup34, - dup35, - dup36, - dup43, - dup22, - dup75, - 
setc("result","Failed to set context for user"), - dup23, - ])); - - var msg296 = msg("LOGIN_FAILED_SET_CONTEXT", part316); - - var part317 = match("MESSAGE#292:LOGIN_FAILED_SET_LOGIN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Failed to set login ID for user %{username}: %{dhost}", processor_chain([ - dup44, - dup34, - dup35, - dup36, - dup43, - dup22, - dup75, - setc("result","Failed to set login ID for user"), - dup23, - ])); - - var msg297 = msg("LOGIN_FAILED_SET_LOGIN", part317); - - var part318 = match("MESSAGE#293:LOGIN_HOSTNAME_UNRESOLVED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to resolve hostname %{dhost}: %{info}", processor_chain([ - dup44, - dup34, - dup35, - dup36, - dup43, - dup22, - dup75, - setc("result","Unable to resolve hostname"), - dup23, - ])); - - var msg298 = msg("LOGIN_HOSTNAME_UNRESOLVED", part318); - - var part319 = match("MESSAGE#294:LOGIN_INFORMATION/2", "nwparser.p0", "%{event_type}: %{p0}"); - - var part320 = match("MESSAGE#294:LOGIN_INFORMATION/4", "nwparser.p0", "%{username->} logged in from host %{dhost->} on %{p0}"); - - var part321 = match("MESSAGE#294:LOGIN_INFORMATION/5_0", "nwparser.p0", "device %{p0}"); - - var select34 = linear_select([ - part321, - dup45, - ]); - - var part322 = match("MESSAGE#294:LOGIN_INFORMATION/6", "nwparser.p0", "%{terminal}"); - - var all19 = all_match({ - processors: [ - dup39, - dup137, - part319, - dup145, - part320, - select34, - part322, - ], - on_success: processor_chain([ - dup33, - dup34, - dup35, - dup36, - dup37, - dup22, - setc("event_description","Successful Login"), - dup23, - ]), - }); - - var msg299 = msg("LOGIN_INFORMATION", all19); - - var part323 = match("MESSAGE#295:LOGIN_INVALID_LOCAL_USER", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: No entry in local password file for user %{username}", processor_chain([ - dup44, - dup34, - dup35, - dup36, - dup43, - dup22, - dup75, - setc("result","No entry in local password 
file for user"), - dup23, - ])); - - var msg300 = msg("LOGIN_INVALID_LOCAL_USER", part323); - - var part324 = match("MESSAGE#296:LOGIN_MALFORMED_USER", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Invalid username: %{username}", processor_chain([ - dup44, - dup34, - dup35, - dup36, - dup43, - dup22, - dup75, - setc("result","Invalid username"), - dup23, - ])); - - var msg301 = msg("LOGIN_MALFORMED_USER", part324); - - var part325 = match("MESSAGE#297:LOGIN_PAM_AUTHENTICATION_ERROR/1_0", "nwparser.p0", "PAM authentication error for user %{p0}"); - - var part326 = match("MESSAGE#297:LOGIN_PAM_AUTHENTICATION_ERROR/1_1", "nwparser.p0", "Failed password for user %{p0}"); - - var select35 = linear_select([ - part325, - part326, - ]); - - var part327 = match("MESSAGE#297:LOGIN_PAM_AUTHENTICATION_ERROR/2", "nwparser.p0", "%{username}"); - - var all20 = all_match({ - processors: [ - dup50, - select35, - part327, - ], - on_success: processor_chain([ - dup44, - dup34, - dup35, - dup36, - dup43, - dup22, - dup75, - setc("result","PAM authentication error for user"), - dup23, - ]), - }); - - var msg302 = msg("LOGIN_PAM_AUTHENTICATION_ERROR", all20); - - var part328 = match("MESSAGE#298:LOGIN_PAM_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Failure while authenticating user %{username}: %{dhost}", processor_chain([ - dup44, - dup34, - dup35, - dup36, - dup43, - dup22, - setc("event_description","PAM authentication failure"), - setc("result","Failure while authenticating user"), - dup23, - ])); - - var msg303 = msg("LOGIN_PAM_ERROR", part328); - - var part329 = match("MESSAGE#299:LOGIN_PAM_MAX_RETRIES", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Too many retries while authenticating user %{username}", processor_chain([ - dup44, - dup34, - dup35, - dup36, - dup43, - dup22, - dup75, - setc("result","Too many retries while authenticating user"), - dup23, - ])); - - var msg304 = msg("LOGIN_PAM_MAX_RETRIES", part329); - - 
var part330 = match("MESSAGE#300:LOGIN_PAM_NONLOCAL_USER", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User %{username->} authenticated but has no local login ID", processor_chain([ - dup44, - dup34, - dup35, - dup36, - dup43, - dup22, - dup75, - setc("result","User authenticated but has no local login ID"), - dup23, - ])); - - var msg305 = msg("LOGIN_PAM_NONLOCAL_USER", part330); - - var part331 = match("MESSAGE#301:LOGIN_PAM_STOP", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Failed to end PAM session: %{info}", processor_chain([ - setc("eventcategory","1303000000"), - dup34, - dup43, - dup22, - setc("event_description","Failed to end PAM session"), - dup23, - ])); - - var msg306 = msg("LOGIN_PAM_STOP", part331); - - var part332 = match("MESSAGE#302:LOGIN_PAM_USER_UNKNOWN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Attempt to authenticate unknown user %{username}", processor_chain([ - dup44, - dup34, - dup35, - dup36, - dup43, - dup22, - dup75, - setc("result","Attempt to authenticate unknown user"), - dup23, - ])); - - var msg307 = msg("LOGIN_PAM_USER_UNKNOWN", part332); - - var part333 = match("MESSAGE#303:LOGIN_PASSWORD_EXPIRED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Forcing change of expired password for user %{username}>", processor_chain([ - dup44, - dup34, - dup35, - dup36, - dup43, - dup22, - dup75, - setc("result","Forcing change of expired password for user"), - dup23, - ])); - - var msg308 = msg("LOGIN_PASSWORD_EXPIRED", part333); - - var part334 = match("MESSAGE#304:LOGIN_REFUSED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Login of user %{username->} from host %{shost->} on %{terminal->} was refused: %{info}", processor_chain([ - dup44, - dup34, - dup35, - dup36, - dup43, - dup22, - dup75, - setc("result","Login of user refused"), - dup23, - ])); - - var msg309 = msg("LOGIN_REFUSED", part334); - - var part335 = match("MESSAGE#305:LOGIN_ROOT", 
"nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User %{username->} logged in as root from host %{shost->} on %{terminal}", processor_chain([ - dup33, - dup34, - dup35, - dup36, - dup37, - dup22, - setc("event_description","successful login as root"), - setc("result","User logged in as root"), - dup23, - ])); - - var msg310 = msg("LOGIN_ROOT", part335); - - var part336 = match("MESSAGE#306:LOGIN_TIMED_OUT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Login attempt timed out after %{dclass_counter1->} seconds", processor_chain([ - dup44, - dup34, - dup36, - dup43, - dup22, - dup75, - setc("result","Login attempt timed out"), - dup23, - ])); - - var msg311 = msg("LOGIN_TIMED_OUT", part336); - - var part337 = match("MESSAGE#307:MIB2D_ATM_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","MIB2D ATM ERROR"), - dup23, - ])); - - var msg312 = msg("MIB2D_ATM_ERROR", part337); - - var part338 = match("MESSAGE#308:MIB2D_CONFIG_CHECK_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","CONFIG CHECK FAILED"), - dup23, - ])); - - var msg313 = msg("MIB2D_CONFIG_CHECK_FAILED", part338); - - var part339 = match("MESSAGE#309:MIB2D_FILE_OPEN_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to open file '%(unknown)': %{result}", processor_chain([ - dup30, - dup22, - dup78, - dup23, - ])); - - var msg314 = msg("MIB2D_FILE_OPEN_FAILURE", part339); - - var msg315 = msg("MIB2D_IFD_IFINDEX_FAILURE", dup146); - - var msg316 = msg("MIB2D_IFL_IFINDEX_FAILURE", dup146); - - var part340 = match("MESSAGE#312:MIB2D_INIT_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: mib2d initialization failure: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","mib2d initialization 
failure"), - dup23, - ])); - - var msg317 = msg("MIB2D_INIT_FAILURE", part340); - - var part341 = match("MESSAGE#313:MIB2D_KVM_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","MIB2D KVM FAILURE"), - dup23, - ])); - - var msg318 = msg("MIB2D_KVM_FAILURE", part341); - - var part342 = match("MESSAGE#314:MIB2D_RTSLIB_READ_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: failed in %{dclass_counter1->} %{dclass_counter2->} index (%{result})", processor_chain([ - dup30, - dup22, - setc("event_description","MIB2D RTSLIB READ FAILURE"), - dup23, - ])); - - var msg319 = msg("MIB2D_RTSLIB_READ_FAILURE", part342); - - var part343 = match("MESSAGE#315:MIB2D_RTSLIB_SEQ_MISMATCH", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: sequence mismatch (%{result}), %{action}", processor_chain([ - dup30, - dup22, - setc("event_description","RTSLIB sequence mismatch"), - dup23, - ])); - - var msg320 = msg("MIB2D_RTSLIB_SEQ_MISMATCH", part343); - - var part344 = match("MESSAGE#316:MIB2D_SYSCTL_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: %{action}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","MIB2D SYSCTL FAILURE"), - dup23, - ])); - - var msg321 = msg("MIB2D_SYSCTL_FAILURE", part344); - - var part345 = match("MESSAGE#317:MIB2D_TRAP_HEADER_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: trap_request_header failed", processor_chain([ - dup30, - dup22, - setc("event_description","trap_request_header failed"), - dup23, - ])); - - var msg322 = msg("MIB2D_TRAP_HEADER_FAILURE", part345); - - var part346 = match("MESSAGE#318:MIB2D_TRAP_SEND_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: %{action}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","MIB2D 
TRAP SEND FAILURE"), - dup23, - ])); - - var msg323 = msg("MIB2D_TRAP_SEND_FAILURE", part346); - - var part347 = match("MESSAGE#319:Multiuser", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: old requested_transition==%{change_new->} sighupped=%{result}", processor_chain([ - dup21, - dup22, - setc("event_description","user sighupped"), - dup23, - ])); - - var msg324 = msg("Multiuser", part347); - - var part348 = match("MESSAGE#320:NASD_AUTHENTICATION_CREATE_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to allocate authentication handle: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Unable to allocate authentication handle"), - dup23, - ])); - - var msg325 = msg("NASD_AUTHENTICATION_CREATE_FAILED", part348); - - var part349 = match("MESSAGE#321:NASD_CHAP_AUTHENTICATION_IN_PROGRESS", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{interface}: received %(unknown), authentication already in progress", processor_chain([ - dup80, - dup34, - dup43, - dup22, - setc("event_description","authentication already in progress"), - dup23, - ])); - - var msg326 = msg("NASD_CHAP_AUTHENTICATION_IN_PROGRESS", part349); - - var part350 = match("MESSAGE#322:NASD_CHAP_GETHOSTNAME_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{interface}: unable to obtain hostname for outgoing CHAP message: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","unable to obtain hostname for outgoing CHAP message"), - dup23, - ])); - - var msg327 = msg("NASD_CHAP_GETHOSTNAME_FAILED", part350); - - var part351 = match("MESSAGE#323:NASD_CHAP_INVALID_CHAP_IDENTIFIER", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{interface}: received %{filename->} expected CHAP ID: %{resultcode}", processor_chain([ - dup30, - dup22, - setc("event_description","CHAP INVALID_CHAP IDENTIFIER"), - dup23, - ])); - - var msg328 = msg("NASD_CHAP_INVALID_CHAP_IDENTIFIER", 
part351); - - var part352 = match("MESSAGE#324:NASD_CHAP_INVALID_OPCODE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{interface}.%{dclass_counter1}: invalid operation code received %(unknown), CHAP ID: %{resultcode}", processor_chain([ - dup30, - dup22, - setc("event_description","CHAP INVALID OPCODE"), - dup23, - ])); - - var msg329 = msg("NASD_CHAP_INVALID_OPCODE", part352); - - var part353 = match("MESSAGE#325:NASD_CHAP_LOCAL_NAME_UNAVAILABLE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to determine value for '%{username}' in outgoing CHAP packet", processor_chain([ - dup30, - dup22, - setc("event_description","Unable to determine value for username in outgoing CHAP packet"), - dup23, - ])); - - var msg330 = msg("NASD_CHAP_LOCAL_NAME_UNAVAILABLE", part353); - - var part354 = match("MESSAGE#326:NASD_CHAP_MESSAGE_UNEXPECTED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{interface}: received %(unknown)", processor_chain([ - dup30, - dup22, - setc("event_description","CHAP MESSAGE UNEXPECTED"), - dup23, - ])); - - var msg331 = msg("NASD_CHAP_MESSAGE_UNEXPECTED", part354); - - var part355 = match("MESSAGE#327:NASD_CHAP_REPLAY_ATTACK_DETECTED", "nwparser.payload", "%{process}[%{ssid}]: %{event_type}: %{interface}.%{dclass_counter1}: received %{filename->} %{result}.%{info}", processor_chain([ - dup81, - dup22, - setc("event_description","CHAP REPLAY ATTACK DETECTED"), - dup23, - ])); - - var msg332 = msg("NASD_CHAP_REPLAY_ATTACK_DETECTED", part355); - - var part356 = match("MESSAGE#328:NASD_CONFIG_GET_LAST_MODIFIED_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to determine last modified time of JUNOS configuration database: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Unable to determine last modified time of JUNOS configuration database"), - dup23, - ])); - - var msg333 = msg("NASD_CONFIG_GET_LAST_MODIFIED_FAILED", part356); - - var 
msg334 = msg("NASD_DAEMONIZE_FAILED", dup140); - - var part357 = match("MESSAGE#330:NASD_DB_ALLOC_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to allocate database object: %(unknown), %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Unable to allocate database object"), - dup23, - ])); - - var msg335 = msg("NASD_DB_ALLOC_FAILURE", part357); - - var part358 = match("MESSAGE#331:NASD_DB_TABLE_CREATE_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}: %(unknown), %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","DB TABLE CREATE FAILURE"), - dup23, - ])); - - var msg336 = msg("NASD_DB_TABLE_CREATE_FAILURE", part358); - - var msg337 = msg("NASD_DUPLICATE", dup141); - - var part359 = match("MESSAGE#333:NASD_EVLIB_CREATE_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action->} with: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","EVLIB CREATE FAILURE"), - dup23, - ])); - - var msg338 = msg("NASD_EVLIB_CREATE_FAILURE", part359); - - var part360 = match("MESSAGE#334:NASD_EVLIB_EXIT_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action->} value: %{result}, error: %{resultcode}", processor_chain([ - dup30, - dup22, - setc("event_description","EVLIB EXIT FAILURE"), - dup23, - ])); - - var msg339 = msg("NASD_EVLIB_EXIT_FAILURE", part360); - - var part361 = match("MESSAGE#335:NASD_LOCAL_CREATE_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to allocate LOCAL module handle: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Unable to allocate LOCAL module handle"), - dup23, - ])); - - var msg340 = msg("NASD_LOCAL_CREATE_FAILED", part361); - - var part362 = match("MESSAGE#336:NASD_NOT_ROOT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Must be run as root", processor_chain([ - dup63, - dup22, - 
setc("event_description","NASD must be run as root"), - dup23, - ])); - - var msg341 = msg("NASD_NOT_ROOT", part362); - - var msg342 = msg("NASD_PID_FILE_LOCK", dup142); - - var msg343 = msg("NASD_PID_FILE_UPDATE", dup143); - - var part363 = match("MESSAGE#339:NASD_POST_CONFIGURE_EVENT_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","POST CONFIGURE EVENT FAILED"), - dup23, - ])); - - var msg344 = msg("NASD_POST_CONFIGURE_EVENT_FAILED", part363); - - var part364 = match("MESSAGE#340:NASD_PPP_READ_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","PPP READ FAILURE"), - dup23, - ])); - - var msg345 = msg("NASD_PPP_READ_FAILURE", part364); - - var part365 = match("MESSAGE#341:NASD_PPP_SEND_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to send message: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Unable to send message"), - dup23, - ])); - - var msg346 = msg("NASD_PPP_SEND_FAILURE", part365); - - var part366 = match("MESSAGE#342:NASD_PPP_SEND_PARTIAL", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to send all of message: %{resultcode}", processor_chain([ - dup30, - dup22, - setc("event_description","Unable to send all of message"), - dup23, - ])); - - var msg347 = msg("NASD_PPP_SEND_PARTIAL", part366); - - var part367 = match("MESSAGE#343:NASD_PPP_UNRECOGNIZED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unrecognized authentication protocol: %{protocol}", processor_chain([ - dup30, - dup22, - setc("event_description","Unrecognized authentication protocol"), - dup23, - ])); - - var msg348 = msg("NASD_PPP_UNRECOGNIZED", part367); - - var part368 = match("MESSAGE#344:NASD_RADIUS_ALLOCATE_PASSWORD_FAILED", "nwparser.payload", 
"%{process}[%{process_id}]: %{event_type}: %{action->} when allocating password for RADIUS: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","RADIUS password allocation failure"), - dup23, - ])); - - var msg349 = msg("NASD_RADIUS_ALLOCATE_PASSWORD_FAILED", part368); - - var part369 = match("MESSAGE#345:NASD_RADIUS_CONFIG_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","RADIUS CONFIG FAILED"), - dup23, - ])); - - var msg350 = msg("NASD_RADIUS_CONFIG_FAILED", part369); - - var part370 = match("MESSAGE#346:NASD_RADIUS_CREATE_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to allocate RADIUS module handle: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Unable to allocate RADIUS module handle"), - dup23, - ])); - - var msg351 = msg("NASD_RADIUS_CREATE_FAILED", part370); - - var part371 = match("MESSAGE#347:NASD_RADIUS_CREATE_REQUEST_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","RADIUS CREATE REQUEST FAILED"), - dup23, - ])); - - var msg352 = msg("NASD_RADIUS_CREATE_REQUEST_FAILED", part371); - - var part372 = match("MESSAGE#348:NASD_RADIUS_GETHOSTNAME_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to obtain hostname for outgoing RADIUS message: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Unable to obtain hostname for outgoing RADIUS message"), - dup23, - ])); - - var msg353 = msg("NASD_RADIUS_GETHOSTNAME_FAILED", part372); - - var part373 = match("MESSAGE#349:NASD_RADIUS_MESSAGE_UNEXPECTED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unknown response from RADIUS server: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Unknown response from RADIUS server"), - 
dup23, - ])); - - var msg354 = msg("NASD_RADIUS_MESSAGE_UNEXPECTED", part373); - - var part374 = match("MESSAGE#350:NASD_RADIUS_OPEN_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","RADIUS OPEN FAILED"), - dup23, - ])); - - var msg355 = msg("NASD_RADIUS_OPEN_FAILED", part374); - - var part375 = match("MESSAGE#351:NASD_RADIUS_SELECT_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","RADIUS SELECT FAILED"), - dup23, - ])); - - var msg356 = msg("NASD_RADIUS_SELECT_FAILED", part375); - - var part376 = match("MESSAGE#352:NASD_RADIUS_SET_TIMER_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","RADIUS SET TIMER FAILED"), - dup23, - ])); - - var msg357 = msg("NASD_RADIUS_SET_TIMER_FAILED", part376); - - var part377 = match("MESSAGE#353:NASD_TRACE_FILE_OPEN_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","TRACE FILE OPEN FAILED"), - dup23, - ])); - - var msg358 = msg("NASD_TRACE_FILE_OPEN_FAILED", part377); - - var part378 = match("MESSAGE#354:NASD_usage", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{result}: %{info}", processor_chain([ - dup21, - dup22, - setc("event_description","NASD Usage"), - dup23, - ])); - - var msg359 = msg("NASD_usage", part378); - - var part379 = match("MESSAGE#355:NOTICE", "nwparser.payload", "%{agent}: %{event_type}:%{action}: %{event_description}: The %{result}", processor_chain([ - dup21, - dup22, - dup23, - ])); - - var msg360 = msg("NOTICE", part379); - - var part380 = match("MESSAGE#356:PFE_FW_SYSLOG_IP", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: FW: %{smacaddr->} 
%{fld10->} %{protocol->} %{saddr->} %{daddr->} %{sport->} %{dport->} (%{packets->} packets)", processor_chain([ - dup21, - dup22, - dup82, - dup23, - ])); - - var msg361 = msg("PFE_FW_SYSLOG_IP", part380); - - var part381 = match("MESSAGE#357:PFE_FW_SYSLOG_IP:01", "nwparser.payload", "%{hostip->} %{hostname->} %{event_type}: FW: %{smacaddr->} %{fld10->} %{protocol->} %{saddr->} %{daddr->} %{sport->} %{dport->} (%{packets->} packets)", processor_chain([ - dup21, - dup22, - dup82, - dup23, - ])); - - var msg362 = msg("PFE_FW_SYSLOG_IP:01", part381); - - var select36 = linear_select([ - msg361, - msg362, - ]); - - var part382 = match("MESSAGE#358:PFE_NH_RESOLVE_THROTTLED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Next-hop resolution requests from interface %{interface->} throttled", processor_chain([ - dup21, - dup22, - setc("event_description","Next-hop resolution requests throttled"), - dup23, - ])); - - var msg363 = msg("PFE_NH_RESOLVE_THROTTLED", part382); - - var part383 = match("MESSAGE#359:PING_TEST_COMPLETED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: pingCtlOwnerIndex = %{dclass_counter1}, pingCtlTestName = %{obj_name}", processor_chain([ - dup21, - dup22, - setc("event_description","PING TEST COMPLETED"), - dup23, - ])); - - var msg364 = msg("PING_TEST_COMPLETED", part383); - - var part384 = match("MESSAGE#360:PING_TEST_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: pingCtlOwnerIndex = %{dclass_counter1}, pingCtlTestName = %{obj_name}", processor_chain([ - dup21, - dup22, - setc("event_description","PING TEST FAILED"), - dup23, - ])); - - var msg365 = msg("PING_TEST_FAILED", part384); - - var part385 = match("MESSAGE#361:process_mode/2", "nwparser.p0", "%{p0}"); - - var part386 = match("MESSAGE#361:process_mode/3_0", "nwparser.p0", "%{event_type}: %{p0}"); - - var part387 = match("MESSAGE#361:process_mode/3_1", "nwparser.p0", "%{event_type->} %{p0}"); - - var select37 = linear_select([ - 
part386, - part387, - ]); - - var part388 = match("MESSAGE#361:process_mode/4", "nwparser.p0", "mode=%{protocol->} cmd=%{action->} master_mode=%{result}"); - - var all21 = all_match({ - processors: [ - dup39, - dup137, - part385, - select37, - part388, - ], - on_success: processor_chain([ - dup21, - dup22, - dup83, - dup23, - ]), - }); - - var msg366 = msg("process_mode", all21); - - var part389 = match("MESSAGE#362:process_mode:01", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: current_mode=%{protocol}, requested_mode=%{result}, cmd=%{action}", processor_chain([ - dup21, - dup22, - dup83, - dup23, - ])); - - var msg367 = msg("process_mode:01", part389); - - var select38 = linear_select([ - msg366, - msg367, - ]); - - var part390 = match("MESSAGE#363:PWC_EXIT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Process %{agent->} exiting with status %{result}", processor_chain([ - dup21, - dup22, - setc("event_description","process exit with status"), - dup23, - ])); - - var msg368 = msg("PWC_EXIT", part390); - - var part391 = match("MESSAGE#364:PWC_HOLD_RELEASE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Process %{agent->} released child %{child_pid->} from %{dclass_counter1->} state", processor_chain([ - dup21, - dup22, - setc("event_description","Process released child from state"), - dup23, - ])); - - var msg369 = msg("PWC_HOLD_RELEASE", part391); - - var part392 = match("MESSAGE#365:PWC_INVALID_RUNS_ARGUMENT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: %{result}, not %{resultcode}", processor_chain([ - dup21, - dup22, - setc("event_description","invalid runs argument"), - dup23, - ])); - - var msg370 = msg("PWC_INVALID_RUNS_ARGUMENT", part392); - - var part393 = match("MESSAGE#366:PWC_INVALID_TIMEOUT_ARGUMENT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","INVALID TIMEOUT 
ARGUMENT"), - dup23, - ])); - - var msg371 = msg("PWC_INVALID_TIMEOUT_ARGUMENT", part393); - - var part394 = match("MESSAGE#367:PWC_KILLED_BY_SIGNAL", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: pwc process %{agent->} received terminating signal", processor_chain([ - dup21, - dup22, - setc("event_description","pwc process received terminating signal"), - dup23, - ])); - - var msg372 = msg("PWC_KILLED_BY_SIGNAL", part394); - - var part395 = match("MESSAGE#368:PWC_KILL_EVENT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: pwc is sending %{resultcode->} to child %{child_pid}", processor_chain([ - dup30, - dup22, - setc("event_description","pwc is sending kill event to child"), - dup23, - ])); - - var msg373 = msg("PWC_KILL_EVENT", part395); - - var part396 = match("MESSAGE#369:PWC_KILL_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to kill process %{child_pid}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Unable to kill process"), - dup23, - ])); - - var msg374 = msg("PWC_KILL_FAILED", part396); - - var part397 = match("MESSAGE#370:PWC_KQUEUE_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: kevent failed: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","kevent failed"), - dup23, - ])); - - var msg375 = msg("PWC_KQUEUE_ERROR", part397); - - var part398 = match("MESSAGE#371:PWC_KQUEUE_INIT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to create kqueue: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Unable to create kqueue"), - dup23, - ])); - - var msg376 = msg("PWC_KQUEUE_INIT", part398); - - var part399 = match("MESSAGE#372:PWC_KQUEUE_REGISTER_FILTER", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Failed to register kqueue filter: %{agent->} for purpose: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Failed to register 
kqueue filter"), - dup23, - ])); - - var msg377 = msg("PWC_KQUEUE_REGISTER_FILTER", part399); - - var part400 = match("MESSAGE#373:PWC_LOCKFILE_BAD_FORMAT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: PID lock file has bad format: %{agent}", processor_chain([ - dup30, - dup22, - setc("event_description","PID lock file has bad format"), - dup23, - ])); - - var msg378 = msg("PWC_LOCKFILE_BAD_FORMAT", part400); - - var part401 = match("MESSAGE#374:PWC_LOCKFILE_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: PID lock file had error: %{agent}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","PID lock file error"), - dup23, - ])); - - var msg379 = msg("PWC_LOCKFILE_ERROR", part401); - - var part402 = match("MESSAGE#375:PWC_LOCKFILE_MISSING", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: PID lock file not found: %{agent}", processor_chain([ - dup30, - dup22, - setc("event_description","PID lock file not found"), - dup23, - ])); - - var msg380 = msg("PWC_LOCKFILE_MISSING", part402); - - var part403 = match("MESSAGE#376:PWC_LOCKFILE_NOT_LOCKED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: PID lock file not locked: %{agent}", processor_chain([ - dup30, - dup22, - setc("event_description","PID lock file not locked"), - dup23, - ])); - - var msg381 = msg("PWC_LOCKFILE_NOT_LOCKED", part403); - - var part404 = match("MESSAGE#377:PWC_NO_PROCESS", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: No process specified", processor_chain([ - dup30, - dup22, - setc("event_description","No process specified for PWC"), - dup23, - ])); - - var msg382 = msg("PWC_NO_PROCESS", part404); - - var part405 = match("MESSAGE#378:PWC_PROCESS_EXIT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: pwc process %{agent->} child %{child_pid->} exited with status %{result}", processor_chain([ - dup21, - dup22, - setc("event_description","pwc process exited with status"), - 
dup23, - ])); - - var msg383 = msg("PWC_PROCESS_EXIT", part405); - - var part406 = match("MESSAGE#379:PWC_PROCESS_FORCED_HOLD", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Process %{agent->} forcing hold down of child %{child_pid->} until signal", processor_chain([ - dup21, - dup22, - setc("event_description","Process forcing hold down of child until signalled"), - dup23, - ])); - - var msg384 = msg("PWC_PROCESS_FORCED_HOLD", part406); - - var part407 = match("MESSAGE#380:PWC_PROCESS_HOLD", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Process %{agent->} holding down child %{child_pid->} until signal", processor_chain([ - dup21, - dup22, - setc("event_description","Process holding down child until signalled"), - dup23, - ])); - - var msg385 = msg("PWC_PROCESS_HOLD", part407); - - var part408 = match("MESSAGE#381:PWC_PROCESS_HOLD_SKIPPED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Process %{agent->} will not down child %{child_pid->} because of %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Process not holding down child"), - dup23, - ])); - - var msg386 = msg("PWC_PROCESS_HOLD_SKIPPED", part408); - - var part409 = match("MESSAGE#382:PWC_PROCESS_OPEN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Failed to create child process with pidpopen: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Failed to create child process with pidpopen"), - dup23, - ])); - - var msg387 = msg("PWC_PROCESS_OPEN", part409); - - var part410 = match("MESSAGE#383:PWC_PROCESS_TIMED_HOLD", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Process %{agent->} holding down child %{child_pid->} %{result}", processor_chain([ - dup21, - dup22, - setc("event_description","Process holding down child"), - dup23, - ])); - - var msg388 = msg("PWC_PROCESS_TIMED_HOLD", part410); - - var part411 = match("MESSAGE#384:PWC_PROCESS_TIMEOUT", "nwparser.payload", 
"%{process}[%{process_id}]: %{event_type}: Child timed out %{result}", processor_chain([ - dup21, - dup22, - setc("event_description","Child process timed out"), - dup23, - ])); - - var msg389 = msg("PWC_PROCESS_TIMEOUT", part411); - - var part412 = match("MESSAGE#385:PWC_SIGNAL_INIT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: signal(%{agent}) failed: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","signal failure"), - dup23, - ])); - - var msg390 = msg("PWC_SIGNAL_INIT", part412); - - var part413 = match("MESSAGE#386:PWC_SOCKET_CONNECT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to connect socket to %{agent}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Unable to connect socket to service"), - dup23, - ])); - - var msg391 = msg("PWC_SOCKET_CONNECT", part413); - - var part414 = match("MESSAGE#387:PWC_SOCKET_CREATE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Failed to create socket: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Failed to create socket"), - dup23, - ])); - - var msg392 = msg("PWC_SOCKET_CREATE", part414); - - var part415 = match("MESSAGE#388:PWC_SOCKET_OPTION", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to set socket option %{agent}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Unable to set socket option"), - dup23, - ])); - - var msg393 = msg("PWC_SOCKET_OPTION", part415); - - var part416 = match("MESSAGE#389:PWC_STDOUT_WRITE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Write to stdout failed: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Write to stdout failed"), - dup23, - ])); - - var msg394 = msg("PWC_STDOUT_WRITE", part416); - - var part417 = match("MESSAGE#390:PWC_SYSTEM_CALL", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: %{result}", processor_chain([ - 
dup21, - dup22, - setc("event_description","PWC SYSTEM CALL"), - dup23, - ])); - - var msg395 = msg("PWC_SYSTEM_CALL", part417); - - var part418 = match("MESSAGE#391:PWC_UNKNOWN_KILL_OPTION", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unknown kill option [%{agent}]", processor_chain([ - dup30, - dup22, - setc("event_description","Unknown kill option"), - dup23, - ])); - - var msg396 = msg("PWC_UNKNOWN_KILL_OPTION", part418); - - var part419 = match("MESSAGE#392:RMOPD_ADDRESS_MULTICAST_INVALID", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Multicast address is not allowed", processor_chain([ - dup30, - dup22, - setc("event_description","Multicast address not allowed"), - dup23, - ])); - - var msg397 = msg("RMOPD_ADDRESS_MULTICAST_INVALID", part419); - - var part420 = match("MESSAGE#393:RMOPD_ADDRESS_SOURCE_INVALID", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Source address invalid: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","RMOPD ADDRESS SOURCE INVALID"), - dup23, - ])); - - var msg398 = msg("RMOPD_ADDRESS_SOURCE_INVALID", part420); - - var part421 = match("MESSAGE#394:RMOPD_ADDRESS_STRING_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to convert numeric address to string: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Unable to convert numeric address to string"), - dup23, - ])); - - var msg399 = msg("RMOPD_ADDRESS_STRING_FAILURE", part421); - - var part422 = match("MESSAGE#395:RMOPD_ADDRESS_TARGET_INVALID", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: rmop_util_set_address status message: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","rmop_util_set_address status message invalid"), - dup23, - ])); - - var msg400 = msg("RMOPD_ADDRESS_TARGET_INVALID", part422); - - var msg401 = msg("RMOPD_DUPLICATE", dup141); - - var part423 = 
match("MESSAGE#397:RMOPD_ICMP_ADDRESS_TYPE_UNSUPPORTED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Only IPv4 source address is supported", processor_chain([ - dup30, - dup22, - setc("event_description","Only IPv4 source address is supported"), - dup23, - ])); - - var msg402 = msg("RMOPD_ICMP_ADDRESS_TYPE_UNSUPPORTED", part423); - - var part424 = match("MESSAGE#398:RMOPD_ICMP_SENDMSG_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{fld1}: No route to host", processor_chain([ - dup30, - dup22, - setc("event_description","No route to host"), - dup23, - ])); - - var msg403 = msg("RMOPD_ICMP_SENDMSG_FAILURE", part424); - - var part425 = match("MESSAGE#399:RMOPD_IFINDEX_NOT_ACTIVE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: ifindex: %{interface}", processor_chain([ - dup30, - dup22, - setc("event_description","IFINDEX NOT ACTIVE"), - dup23, - ])); - - var msg404 = msg("RMOPD_IFINDEX_NOT_ACTIVE", part425); - - var part426 = match("MESSAGE#400:RMOPD_IFINDEX_NO_INFO", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: No information for %{interface}, message: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","IFINDEX NO INFO"), - dup23, - ])); - - var msg405 = msg("RMOPD_IFINDEX_NO_INFO", part426); - - var part427 = match("MESSAGE#401:RMOPD_IFNAME_NOT_ACTIVE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: ifname: %{interface}", processor_chain([ - dup30, - dup22, - setc("event_description","RMOPD IFNAME NOT ACTIVE"), - dup23, - ])); - - var msg406 = msg("RMOPD_IFNAME_NOT_ACTIVE", part427); - - var part428 = match("MESSAGE#402:RMOPD_IFNAME_NO_INFO", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: No information for %{interface}, message: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","IFNAME NO INFO"), - dup23, - ])); - - var msg407 = msg("RMOPD_IFNAME_NO_INFO", part428); - - var part429 = match("MESSAGE#403:RMOPD_NOT_ROOT", 
"nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Must be run as root", processor_chain([ - dup63, - dup22, - setc("event_description","RMOPD Must be run as root"), - dup23, - ])); - - var msg408 = msg("RMOPD_NOT_ROOT", part429); - - var part430 = match("MESSAGE#404:RMOPD_ROUTING_INSTANCE_NO_INFO", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: No information for routing instance %{agent}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","No information for routing instance"), - dup23, - ])); - - var msg409 = msg("RMOPD_ROUTING_INSTANCE_NO_INFO", part430); - - var part431 = match("MESSAGE#405:RMOPD_TRACEROUTE_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","TRACEROUTE ERROR"), - dup23, - ])); - - var msg410 = msg("RMOPD_TRACEROUTE_ERROR", part431); - - var part432 = match("MESSAGE#406:RMOPD_usage", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{result}: %{info}", processor_chain([ - dup21, - dup22, - setc("event_description","RMOPD usage"), - dup23, - ])); - - var msg411 = msg("RMOPD_usage", part432); - - var part433 = match("MESSAGE#407:RPD_ABORT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action->} version built by builder on %{dclass_counter1}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","RPD ABORT"), - dup23, - ])); - - var msg412 = msg("RPD_ABORT", part433); - - var part434 = match("MESSAGE#408:RPD_ACTIVE_TERMINATE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Exiting with active tasks: %{agent}", processor_chain([ - dup30, - dup22, - setc("event_description","RPD exiting with active tasks"), - dup23, - ])); - - var msg413 = msg("RPD_ACTIVE_TERMINATE", part434); - - var part435 = match("MESSAGE#409:RPD_ASSERT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Assertion failed %{resultcode}: file 
\"%(unknown)\", line %{dclass_counter1}", processor_chain([ - dup30, - dup22, - setc("event_description","RPD Assertion failed"), - dup23, - ])); - - var msg414 = msg("RPD_ASSERT", part435); - - var part436 = match("MESSAGE#410:RPD_ASSERT_SOFT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Soft assertion failed %{resultcode}: file \"%(unknown)\", line %{dclass_counter1}", processor_chain([ - dup30, - dup22, - setc("event_description","RPD Soft assertion failed"), - dup23, - ])); - - var msg415 = msg("RPD_ASSERT_SOFT", part436); - - var part437 = match("MESSAGE#411:RPD_EXIT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action->} version built by builder on %{dclass_counter1}", processor_chain([ - dup21, - dup22, - setc("event_description","RPD EXIT"), - dup23, - ])); - - var msg416 = msg("RPD_EXIT", part437); - - var msg417 = msg("RPD_IFL_INDEXCOLLISION", dup147); - - var msg418 = msg("RPD_IFL_NAMECOLLISION", dup147); - - var part438 = match("MESSAGE#414:RPD_ISIS_ADJDOWN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: IS-IS lost %{dclass_counter1->} adjacency to %{dclass_counter2->} on %{interface}, %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","IS-IS lost adjacency"), - dup23, - ])); - - var msg419 = msg("RPD_ISIS_ADJDOWN", part438); - - var part439 = match("MESSAGE#415:RPD_ISIS_ADJUP", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: IS-IS new %{dclass_counter1->} adjacency to %{dclass_counter2->} %{interface}", processor_chain([ - dup21, - dup22, - setc("event_description","IS-IS new adjacency"), - dup23, - ])); - - var msg420 = msg("RPD_ISIS_ADJUP", part439); - - var part440 = match("MESSAGE#416:RPD_ISIS_ADJUPNOIP", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: IS-IS new %{dclass_counter1->} adjacency to %{dclass_counter2->} %{interface->} without an address", processor_chain([ - dup30, - dup22, - setc("event_description","IS-IS new adjacency 
without an address"), - dup23, - ])); - - var msg421 = msg("RPD_ISIS_ADJUPNOIP", part440); - - var part441 = match("MESSAGE#417:RPD_ISIS_LSPCKSUM", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: IS-IS %{dclass_counter1->} LSP checksum error, interface %{interface}, LSP id %{id}, sequence %{dclass_counter2}, checksum %{resultcode}, lifetime %{fld2}", processor_chain([ - dup30, - dup22, - setc("event_description","IS-IS LSP checksum error on iterface"), - dup23, - ])); - - var msg422 = msg("RPD_ISIS_LSPCKSUM", part441); - - var part442 = match("MESSAGE#418:RPD_ISIS_OVERLOAD", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: IS-IS database overload", processor_chain([ - dup30, - dup22, - setc("event_description","IS-IS database overload"), - dup23, - ])); - - var msg423 = msg("RPD_ISIS_OVERLOAD", part442); - - var part443 = match("MESSAGE#419:RPD_KRT_AFUNSUPRT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{resultcode}: received %{agent->} message with unsupported address family %{dclass_counter1}", processor_chain([ - dup30, - dup22, - setc("event_description","message with unsupported address family received"), - dup23, - ])); - - var msg424 = msg("RPD_KRT_AFUNSUPRT", part443); - - var part444 = match("MESSAGE#420:RPD_KRT_CCC_IFL_MODIFY", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{result}, error", processor_chain([ - dup30, - dup22, - setc("event_description","RPD KRT CCC IFL MODIFY"), - dup23, - ])); - - var msg425 = msg("RPD_KRT_CCC_IFL_MODIFY", part444); - - var part445 = match("MESSAGE#421:RPD_KRT_DELETED_RTT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: received deleted routing table from the kernel for family %{dclass_counter1->} table ID %{dclass_counter2}", processor_chain([ - dup30, - dup22, - setc("event_description","received deleted routing table from kernel"), - dup23, - ])); - - var msg426 = msg("RPD_KRT_DELETED_RTT", part445); - - var part446 = 
match("MESSAGE#422:RPD_KRT_IFA_GENERATION", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: ifa generation mismatch -- %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","ifa generation mismatch"), - dup23, - ])); - - var msg427 = msg("RPD_KRT_IFA_GENERATION", part446); - - var part447 = match("MESSAGE#423:RPD_KRT_IFDCHANGE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent->} CHANGE for ifd %{interface->} failed, error \"%{result}\"", processor_chain([ - dup30, - dup22, - setc("event_description","CHANGE for ifd failed"), - dup23, - ])); - - var msg428 = msg("RPD_KRT_IFDCHANGE", part447); - - var part448 = match("MESSAGE#424:RPD_KRT_IFDEST_GET", "nwparser.payload", "%{process}[%{process_id}]: %{event_type->} SERVICE: %{service->} for ifd %{interface->} failed, error \"%{result}\"", processor_chain([ - dup30, - dup22, - setc("event_description","GET SERVICE failure on interface"), - dup23, - ])); - - var msg429 = msg("RPD_KRT_IFDEST_GET", part448); - - var part449 = match("MESSAGE#425:RPD_KRT_IFDGET", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent->} GET index for ifd interface failed, error \"%{result}\"", processor_chain([ - dup30, - dup22, - setc("event_description","GET index for ifd interface failed"), - dup23, - ])); - - var msg430 = msg("RPD_KRT_IFDGET", part449); - - var part450 = match("MESSAGE#426:RPD_KRT_IFD_GENERATION", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: ifd %{dclass_counter1->} generation mismatch -- %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","ifd generation mismatch"), - dup23, - ])); - - var msg431 = msg("RPD_KRT_IFD_GENERATION", part450); - - var part451 = match("MESSAGE#427:RPD_KRT_IFL_CELL_RELAY_MODE_INVALID", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: ifl : %{agent}, %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","KRT IFL CELL RELAY MODE INVALID"), - dup23, 
- ])); - - var msg432 = msg("RPD_KRT_IFL_CELL_RELAY_MODE_INVALID", part451); - - var part452 = match("MESSAGE#428:RPD_KRT_IFL_CELL_RELAY_MODE_UNSPECIFIED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: ifl : %{agent}, %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","KRT IFL CELL RELAY MODE UNSPECIFIED"), - dup23, - ])); - - var msg433 = msg("RPD_KRT_IFL_CELL_RELAY_MODE_UNSPECIFIED", part452); - - var part453 = match("MESSAGE#429:RPD_KRT_IFL_GENERATION", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: ifl %{interface->} generation mismatch -- %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","ifl generation mismatch"), - dup23, - ])); - - var msg434 = msg("RPD_KRT_IFL_GENERATION", part453); - - var part454 = match("MESSAGE#430:RPD_KRT_KERNEL_BAD_ROUTE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: lost %{interface->} %{dclass_counter1->} for route %{dclass_counter2}", processor_chain([ - dup30, - dup22, - setc("event_description","lost interface for route"), - dup23, - ])); - - var msg435 = msg("RPD_KRT_KERNEL_BAD_ROUTE", part454); - - var part455 = match("MESSAGE#431:RPD_KRT_NEXTHOP_OVERFLOW", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: number of next hops (%{dclass_counter1}) exceeded the maximum allowed (%{dclass_counter2}) -- %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","number of next hops exceeded the maximum"), - dup23, - ])); - - var msg436 = msg("RPD_KRT_NEXTHOP_OVERFLOW", part455); - - var part456 = match("MESSAGE#432:RPD_KRT_NOIFD", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: No device %{dclass_counter1->} for interface %{interface}", processor_chain([ - dup30, - dup22, - setc("event_description","No device for interface"), - dup23, - ])); - - var msg437 = msg("RPD_KRT_NOIFD", part456); - - var part457 = match("MESSAGE#433:RPD_KRT_UNKNOWN_RTT", "nwparser.payload", 
"%{process}[%{process_id}]: %{event_type}: %{agent}: received routing table message for unknown table with kernel ID %{dclass_counter1}", processor_chain([ - dup30, - dup22, - setc("event_description","received routing table message for unknown table"), - dup23, - ])); - - var msg438 = msg("RPD_KRT_UNKNOWN_RTT", part457); - - var part458 = match("MESSAGE#434:RPD_KRT_VERSION", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Routing socket version mismatch (%{info}) -- %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Routing socket version mismatch"), - dup23, - ])); - - var msg439 = msg("RPD_KRT_VERSION", part458); - - var part459 = match("MESSAGE#435:RPD_KRT_VERSIONNONE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Routing socket message type %{agent}'s version is not supported by kernel, %{info->} -- %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Routing socket message type not supported by kernel"), - dup23, - ])); - - var msg440 = msg("RPD_KRT_VERSIONNONE", part459); - - var part460 = match("MESSAGE#436:RPD_KRT_VERSIONOLD", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Routing socket message type %{agent}'s version is older than expected (%{info}) -- %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Routing socket message type version is older than expected"), - dup23, - ])); - - var msg441 = msg("RPD_KRT_VERSIONOLD", part460); - - var part461 = match("MESSAGE#437:RPD_LDP_INTF_BLOCKED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Duplicate session ID detected from %{daddr}, interface %{interface}, %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Duplicate session ID detected"), - dup23, - ])); - - var msg442 = msg("RPD_LDP_INTF_BLOCKED", part461); - - var part462 = match("MESSAGE#438:RPD_LDP_INTF_UNBLOCKED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: LDP interface 
%{interface->} is now %{result}", processor_chain([ - dup21, - dup22, - setc("event_description","LDP interface now unblocked"), - dup23, - ])); - - var msg443 = msg("RPD_LDP_INTF_UNBLOCKED", part462); - - var part463 = match("MESSAGE#439:RPD_LDP_NBRDOWN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: LDP neighbor %{daddr->} (%{interface}) is %{result}", processor_chain([ - setc("eventcategory","1603030000"), - dup22, - setc("event_description","LDP neighbor down"), - dup23, - ])); - - var msg444 = msg("RPD_LDP_NBRDOWN", part463); - - var part464 = match("MESSAGE#440:RPD_LDP_NBRUP", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: LDP neighbor %{daddr->} (%{interface}) is %{result}", processor_chain([ - dup21, - dup22, - setc("event_description","LDP neighbor up"), - dup23, - ])); - - var msg445 = msg("RPD_LDP_NBRUP", part464); - - var part465 = match("MESSAGE#441:RPD_LDP_SESSIONDOWN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: LDP session %{daddr->} is down, %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","LDP session down"), - dup23, - ])); - - var msg446 = msg("RPD_LDP_SESSIONDOWN", part465); - - var part466 = match("MESSAGE#442:RPD_LDP_SESSIONUP", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: LDP session %{daddr->} is up", processor_chain([ - dup21, - dup22, - setc("event_description","LDP session up"), - dup23, - ])); - - var msg447 = msg("RPD_LDP_SESSIONUP", part466); - - var part467 = match("MESSAGE#443:RPD_LOCK_FLOCKED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to obtain a lock on %{agent}, %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Unable to obtain a lock"), - dup23, - ])); - - var msg448 = msg("RPD_LOCK_FLOCKED", part467); - - var part468 = match("MESSAGE#444:RPD_LOCK_LOCKED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to obtain a lock on %{agent}, %{result}", 
processor_chain([ - dup30, - dup22, - setc("event_description","Unable to obtain service lock"), - dup23, - ])); - - var msg449 = msg("RPD_LOCK_LOCKED", part468); - - var part469 = match("MESSAGE#445:RPD_MPLS_LSP_CHANGE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: MPLS LSP %{interface->} %{result->} Route %{info}", processor_chain([ - dup21, - dup22, - setc("event_description","MPLS LSP CHANGE"), - dup23, - ])); - - var msg450 = msg("RPD_MPLS_LSP_CHANGE", part469); - - var part470 = match("MESSAGE#446:RPD_MPLS_LSP_DOWN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: MPLS LSP %{interface->} %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","MPLS LSP DOWN"), - dup23, - ])); - - var msg451 = msg("RPD_MPLS_LSP_DOWN", part470); - - var part471 = match("MESSAGE#447:RPD_MPLS_LSP_SWITCH", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: MPLS LSP %{interface->} %{result}, Route %{info}", processor_chain([ - dup21, - dup22, - setc("event_description","MPLS LSP SWITCH"), - dup23, - ])); - - var msg452 = msg("RPD_MPLS_LSP_SWITCH", part471); - - var part472 = match("MESSAGE#448:RPD_MPLS_LSP_UP", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: MPLS LSP %{interface->} %{result->} Route %{info}", processor_chain([ - dup21, - dup22, - setc("event_description","MPLS LSP UP"), - dup23, - ])); - - var msg453 = msg("RPD_MPLS_LSP_UP", part472); - - var part473 = match("MESSAGE#449:RPD_MSDP_PEER_DOWN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: MSDP peer %{group->} %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","MSDP PEER DOWN"), - dup23, - ])); - - var msg454 = msg("RPD_MSDP_PEER_DOWN", part473); - - var part474 = match("MESSAGE#450:RPD_MSDP_PEER_UP", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: MSDP peer %{group->} %{result}", processor_chain([ - dup21, - dup22, - setc("event_description","MSDP PEER UP"), - dup23, - ])); - - var 
msg455 = msg("RPD_MSDP_PEER_UP", part474); - - var part475 = match("MESSAGE#451:RPD_OSPF_NBRDOWN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: OSPF neighbor %{daddr->} (%{interface}) %{disposition->} due to %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","OSPF neighbor down"), - dup23, - ])); - - var msg456 = msg("RPD_OSPF_NBRDOWN", part475); - - var part476 = match("MESSAGE#452:RPD_OSPF_NBRUP", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: OSPF neighbor %{daddr->} (%{interface}) %{disposition->} due to %{result}", processor_chain([ - dup21, - dup22, - setc("event_description","OSPF neighbor up"), - dup23, - ])); - - var msg457 = msg("RPD_OSPF_NBRUP", part476); - - var part477 = match("MESSAGE#453:RPD_OS_MEMHIGH", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Using %{dclass_counter1->} KB of memory, %{info}", processor_chain([ - dup51, - dup22, - setc("event_description","OS MEMHIGH"), - dup23, - ])); - - var msg458 = msg("RPD_OS_MEMHIGH", part477); - - var part478 = match("MESSAGE#454:RPD_PIM_NBRDOWN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: PIM neighbor %{daddr->} timeout interface %{interface}", processor_chain([ - dup30, - dup22, - setc("event_description","PIM neighbor down"), - setc("result","timeout"), - dup23, - ])); - - var msg459 = msg("RPD_PIM_NBRDOWN", part478); - - var part479 = match("MESSAGE#455:RPD_PIM_NBRUP", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: PIM new neighbor %{daddr->} interface %{interface}", processor_chain([ - dup21, - dup22, - setc("event_description","PIM neighbor up"), - dup23, - ])); - - var msg460 = msg("RPD_PIM_NBRUP", part479); - - var part480 = match("MESSAGE#456:RPD_RDISC_CKSUM", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Bad checksum for router solicitation from %{saddr->} to %{daddr}", processor_chain([ - dup30, - dup22, - setc("event_description","Bad checksum for router 
solicitation"), - dup23, - ])); - - var msg461 = msg("RPD_RDISC_CKSUM", part480); - - var part481 = match("MESSAGE#457:RPD_RDISC_NOMULTI", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Ignoring interface %{dclass_counter1->} on %{interface->} -- %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Ignoring interface"), - dup23, - ])); - - var msg462 = msg("RPD_RDISC_NOMULTI", part481); - - var part482 = match("MESSAGE#458:RPD_RDISC_NORECVIF", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to locate interface for router solicitation from %{saddr->} to %{daddr}", processor_chain([ - dup30, - dup22, - setc("event_description","Unable to locate interface for router"), - dup23, - ])); - - var msg463 = msg("RPD_RDISC_NORECVIF", part482); - - var part483 = match("MESSAGE#459:RPD_RDISC_SOLICITADDR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Expected multicast (%{dclass_counter1}) for router solicitation from %{saddr->} to %{daddr}", processor_chain([ - dup30, - dup22, - setc("event_description","Expected multicast for router solicitation"), - dup23, - ])); - - var msg464 = msg("RPD_RDISC_SOLICITADDR", part483); - - var part484 = match("MESSAGE#460:RPD_RDISC_SOLICITICMP", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Nonzero ICMP code (%{resultcode}) for router solicitation from %{saddr->} to %{daddr}", processor_chain([ - dup30, - dup22, - setc("event_description","Nonzero ICMP code for router solicitation"), - dup23, - ])); - - var msg465 = msg("RPD_RDISC_SOLICITICMP", part484); - - var part485 = match("MESSAGE#461:RPD_RDISC_SOLICITLEN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Insufficient length (%{dclass_counter1}) for router solicitation from %{saddr->} to %{daddr}", processor_chain([ - dup30, - dup22, - setc("event_description","Insufficient length for router solicitation"), - dup23, - ])); - - var msg466 = msg("RPD_RDISC_SOLICITLEN", part485); - 
- var part486 = match("MESSAGE#462:RPD_RIP_AUTH", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Update with invalid authentication from %{saddr->} (%{interface})", processor_chain([ - dup30, - dup22, - setc("event_description","RIP update with invalid authentication"), - dup23, - ])); - - var msg467 = msg("RPD_RIP_AUTH", part486); - - var part487 = match("MESSAGE#463:RPD_RIP_JOIN_BROADCAST", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to get broadcast address %{interface}; %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","RIP - unable to get broadcast address"), - dup23, - ])); - - var msg468 = msg("RPD_RIP_JOIN_BROADCAST", part487); - - var part488 = match("MESSAGE#464:RPD_RIP_JOIN_MULTICAST", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to join multicast group %{interface}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","RIP - Unable to join multicast group"), - dup23, - ])); - - var msg469 = msg("RPD_RIP_JOIN_MULTICAST", part488); - - var part489 = match("MESSAGE#465:RPD_RT_IFUP", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: UP route for interface %{interface->} index %{dclass_counter1->} %{saddr}/%{dclass_counter2}", processor_chain([ - dup21, - dup22, - setc("event_description","RIP interface up"), - dup23, - ])); - - var msg470 = msg("RPD_RT_IFUP", part489); - - var msg471 = msg("RPD_SCHED_CALLBACK_LONGRUNTIME", dup148); - - var part490 = match("MESSAGE#467:RPD_SCHED_CUMULATIVE_LONGRUNTIME", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: excessive runtime (%{result}) after action of module", processor_chain([ - dup30, - dup22, - setc("event_description","excessive runtime after action of module"), - dup23, - ])); - - var msg472 = msg("RPD_SCHED_CUMULATIVE_LONGRUNTIME", part490); - - var msg473 = msg("RPD_SCHED_MODULE_LONGRUNTIME", dup148); - - var part491 = 
match("MESSAGE#469:RPD_SCHED_TASK_LONGRUNTIME", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent->} ran for %{dclass_counter1}(%{dclass_counter2})", processor_chain([ - dup30, - dup22, - setc("event_description","task extended runtime"), - dup23, - ])); - - var msg474 = msg("RPD_SCHED_TASK_LONGRUNTIME", part491); - - var part492 = match("MESSAGE#470:RPD_SIGNAL_TERMINATE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent->} termination signal received", processor_chain([ - dup30, - dup22, - setc("event_description","termination signal received for service"), - dup23, - ])); - - var msg475 = msg("RPD_SIGNAL_TERMINATE", part492); - - var part493 = match("MESSAGE#471:RPD_START", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Start %{dclass_counter1->} version version built %{dclass_counter2}", processor_chain([ - dup21, - dup22, - setc("event_description","version built"), - dup23, - ])); - - var msg476 = msg("RPD_START", part493); - - var part494 = match("MESSAGE#472:RPD_SYSTEM", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: detail: %{action}", processor_chain([ - dup21, - dup22, - setc("event_description","system command"), - dup23, - ])); - - var msg477 = msg("RPD_SYSTEM", part494); - - var part495 = match("MESSAGE#473:RPD_TASK_BEGIN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Commencing routing updates, version %{dclass_counter1}, built %{dclass_counter2->} by builder", processor_chain([ - dup21, - dup22, - setc("event_description","Commencing routing updates"), - dup23, - ])); - - var msg478 = msg("RPD_TASK_BEGIN", part495); - - var part496 = match("MESSAGE#474:RPD_TASK_CHILDKILLED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{dclass_counter2->} %{result}", processor_chain([ - dup21, - dup22, - setc("event_description","task killed by signal"), - dup23, - ])); - - var msg479 = msg("RPD_TASK_CHILDKILLED", part496); - - var part497 = 
match("MESSAGE#475:RPD_TASK_CHILDSTOPPED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{dclass_counter2->} %{result}", processor_chain([ - dup21, - dup22, - setc("event_description","task stopped by signal"), - dup23, - ])); - - var msg480 = msg("RPD_TASK_CHILDSTOPPED", part497); - - var part498 = match("MESSAGE#476:RPD_TASK_FORK", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to fork task: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Unable to fork task"), - dup23, - ])); - - var msg481 = msg("RPD_TASK_FORK", part498); - - var part499 = match("MESSAGE#477:RPD_TASK_GETWD", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: getwd: %{action}", processor_chain([ - dup21, - dup22, - setc("event_description","RPD TASK GETWD"), - dup23, - ])); - - var msg482 = msg("RPD_TASK_GETWD", part499); - - var part500 = match("MESSAGE#478:RPD_TASK_NOREINIT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Reinitialization not possible", processor_chain([ - dup30, - dup22, - setc("event_description","Reinitialization not possible"), - dup23, - ])); - - var msg483 = msg("RPD_TASK_NOREINIT", part500); - - var part501 = match("MESSAGE#479:RPD_TASK_PIDCLOSED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to close and remove %{agent}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Unable to close and remove task"), - dup23, - ])); - - var msg484 = msg("RPD_TASK_PIDCLOSED", part501); - - var part502 = match("MESSAGE#480:RPD_TASK_PIDFLOCK", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: flock(%{agent}, %{action}): %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","RPD TASK PIDFLOCK"), - dup23, - ])); - - var msg485 = msg("RPD_TASK_PIDFLOCK", part502); - - var part503 = match("MESSAGE#481:RPD_TASK_PIDWRITE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to write %{agent}: 
%{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Unable to write"), - dup23, - ])); - - var msg486 = msg("RPD_TASK_PIDWRITE", part503); - - var msg487 = msg("RPD_TASK_REINIT", dup149); - - var part504 = match("MESSAGE#483:RPD_TASK_SIGNALIGNORE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: sigaction(%{result}): %{resultcode}", processor_chain([ - dup21, - dup22, - setc("event_description","ignoring task signal"), - dup23, - ])); - - var msg488 = msg("RPD_TASK_SIGNALIGNORE", part504); - - var part505 = match("MESSAGE#484:RT_COS", "nwparser.payload", "%{process}: %{event_type}: COS IPC op %{dclass_counter1->} (%{agent}) failed, err %{resultcode->} (%{result})", processor_chain([ - dup30, - dup22, - setc("event_description","COS IPC op failed"), - dup23, - ])); - - var msg489 = msg("RT_COS", part505); - - var part506 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/2", "nwparser.p0", "%{fld5}\" nat-source-address=\"%{stransaddr}\" nat-source-port=\"%{stransport}\" nat-destination-address=\"%{dtransaddr}\" nat-destination-port=\"%{dtransport}\"%{p0}"); - - var part507 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/4", "nwparser.p0", "%{}src-nat-rule-name=\"%{fld10}\" dst-nat-rule-%{p0}"); - - var part508 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/5_0", "nwparser.p0", "type=%{fld21->} dst-nat-rule-name=\"%{p0}"); - - var select39 = linear_select([ - part508, - dup91, - ]); - - var part509 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/6", "nwparser.p0", "\"%{fld11->} protocol-id=\"%{protocol}\" policy-name=\"%{policyname}\" source-zone-name=\"%{src_zone}\" destination-zone-name=\"%{dst_zone}\" session-id-32=\"%{fld13}\" username=\"%{username}\" roles=\"%{fld15}\" packet-incoming-interface=\"%{dinterface}\"%{p0}"); - - var part510 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/7_0", "nwparser.p0", " application=\"%{fld6}\" nested-application=\"%{fld7}\" encrypted=%{fld8->} %{p0}"); - - var select40 = linear_select([ - 
part510, - dup45, - ]); - - var all22 = all_match({ - processors: [ - dup87, - dup150, - part506, - dup151, - part507, - select39, - part509, - select40, - dup92, - ], - on_success: processor_chain([ - dup28, - dup53, - dup54, - dup22, - dup52, - ]), - }); - - var msg490 = msg("RT_FLOW_SESSION_CREATE:02", all22); - - var part511 = match("MESSAGE#486:RT_FLOW_SESSION_CREATE/1_0", "nwparser.p0", " service-name=\"%{service}\" nat-source-address=\"%{stransaddr}\" nat-source-port=\"%{stransport}\" nat-destination-address=\"%{dtransaddr}\" nat-destination-port=\"%{dtransport}\" src-nat-rule-type=\"%{fld20}\" src-nat-rule-name=\"%{rulename}\" dst-nat-rule-type=\"%{fld10}\" dst-nat-rule-name=\"%{rule_template}\"%{p0}"); - - var select41 = linear_select([ - part511, - dup45, - ]); - - var part512 = match("MESSAGE#486:RT_FLOW_SESSION_CREATE/2", "nwparser.p0", "%{}protocol-id=\"%{protocol}\" policy-name=\"%{policyname}\"%{p0}"); - - var part513 = match("MESSAGE#486:RT_FLOW_SESSION_CREATE/3_0", "nwparser.p0", " source-zone-name=\"%{src_zone}\" destination-zone-name=\"%{dst_zone}\" session-id-32=\"%{sessionid}\" username=\"%{username}\" roles=\"%{fld50}\" packet-incoming-interface=\"%{dinterface}\" application=\"%{application}\" nested-application=\"%{fld7}\" encrypted=\"%{fld8}\"%{p0}"); - - var select42 = linear_select([ - part513, - dup45, - ]); - - var all23 = all_match({ - processors: [ - dup87, - select41, - part512, - select42, - dup92, - ], - on_success: processor_chain([ - dup28, - dup53, - dup54, - dup22, - dup52, - ]), - }); - - var msg491 = msg("RT_FLOW_SESSION_CREATE", all23); - - var part514 = match("MESSAGE#487:RT_FLOW_SESSION_CREATE:01/0_0", "nwparser.payload", "%{process}: %{event_type}: session created %{p0}"); - - var part515 = match("MESSAGE#487:RT_FLOW_SESSION_CREATE:01/0_1", "nwparser.payload", "%{event_type}: session created %{p0}"); - - var select43 = linear_select([ - part514, - part515, - ]); - - var part516 = 
match("MESSAGE#487:RT_FLOW_SESSION_CREATE:01/1", "nwparser.p0", "%{saddr}/%{sport}->%{daddr}/%{dport->} %{fld20->} %{hostip}/%{network_port}->%{dtransaddr}/%{dtransport->} %{p0}"); - - var part517 = match("MESSAGE#487:RT_FLOW_SESSION_CREATE:01/2_0", "nwparser.p0", "%{rulename->} %{rule_template->} %{fld12->} %{fld13->} %{fld14->} %{policyname->} %{src_zone->} %{dst_zone->} %{sessionid->} %{username}(%{fld10}) %{interface->} %{protocol->} %{fld15->} UNKNOWN UNKNOWN"); - - var part518 = match("MESSAGE#487:RT_FLOW_SESSION_CREATE:01/2_1", "nwparser.p0", "%{rulename->} %{rule_template->} %{fld12->} %{fld13->} %{fld14->} %{policyname->} %{src_zone->} %{dst_zone->} %{sessionid->} %{username}(%{fld10}) %{interface->} %{fld15}"); - - var part519 = match_copy("MESSAGE#487:RT_FLOW_SESSION_CREATE:01/2_2", "nwparser.p0", "info"); - - var select44 = linear_select([ - part517, - part518, - part519, - ]); - - var all24 = all_match({ - processors: [ - select43, - part516, - select44, - ], - on_success: processor_chain([ - dup28, - dup53, - dup54, - dup22, - setc("event_description","session created"), - dup23, - ]), - }); - - var msg492 = msg("RT_FLOW_SESSION_CREATE:01", all24); - - var select45 = linear_select([ - msg490, - msg491, - msg492, - ]); - - var part520 = match("MESSAGE#488:RT_FLOW_SESSION_DENY:02/2", "nwparser.p0", "%{fld5}\" protocol-id=\"%{protocol}\" icmp-type=\"%{obj_type}\" policy-name=\"%{policyname}\" source-zone-name=\"%{src_zone}\" destination-zone-name=\"%{dst_zone}\" application=\"%{fld6}\" nested-application=\"%{fld7}\" username=\"%{username}\" roles=\"%{user_role}\" packet-incoming-interface=\"%{dinterface}\"%{p0}"); - - var part521 = match("MESSAGE#488:RT_FLOW_SESSION_DENY:02/3_0", "nwparser.p0", " encrypted=\"%{fld16}\" reason=\"%{result}\" src-vrf-grp=\"%{fld99}\" dst-vrf-grp=\"%{fld98}\"%{p0}"); - - var part522 = match("MESSAGE#488:RT_FLOW_SESSION_DENY:02/3_1", "nwparser.p0", " encrypted=%{fld16->} reason=\"%{result}\"%{p0}"); - - var select46 = 
linear_select([ - part521, - part522, - dup45, - ]); - - var all25 = all_match({ - processors: [ - dup87, - dup150, - part520, - select46, - dup92, - ], - on_success: processor_chain([ - dup93, - dup53, - dup94, - dup22, - dup52, - ]), - }); - - var msg493 = msg("RT_FLOW_SESSION_DENY:02", all25); - - var part523 = match("MESSAGE#489:RT_FLOW_SESSION_DENY", "nwparser.payload", "%{event_type->} [junos@%{obj_name->} source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" protocol-id=\"%{protocol}\" icmp-type=\"%{obj_type}\" policy-name=\"%{policyname}\"]", processor_chain([ - dup93, - dup53, - dup94, - dup22, - dup52, - ])); - - var msg494 = msg("RT_FLOW_SESSION_DENY", part523); - - var part524 = match("MESSAGE#490:RT_FLOW_SESSION_DENY:03/1", "nwparser.p0", "%{saddr}/%{sport}->%{daddr}/%{dport->} %{fld20->} %{fld1->} %{result->} %{src_zone->} %{dst_zone->} HTTP %{info}"); - - var all26 = all_match({ - processors: [ - dup152, - part524, - ], - on_success: processor_chain([ - dup27, - dup53, - dup94, - dup22, - dup97, - dup23, - ]), - }); - - var msg495 = msg("RT_FLOW_SESSION_DENY:03", all26); - - var part525 = match("MESSAGE#491:RT_FLOW_SESSION_DENY:01/1", "nwparser.p0", "%{saddr}/%{sport}->%{daddr}/%{dport->} %{fld20->} %{fld1->} %{result->} %{src_zone->} %{dst_zone}"); - - var all27 = all_match({ - processors: [ - dup152, - part525, - ], - on_success: processor_chain([ - dup27, - dup53, - dup94, - dup22, - dup97, - dup23, - ]), - }); - - var msg496 = msg("RT_FLOW_SESSION_DENY:01", all27); - - var select47 = linear_select([ - msg493, - msg494, - msg495, - msg496, - ]); - - var select48 = linear_select([ - dup103, - dup45, - ]); - - var all28 = all_match({ - processors: [ - dup98, - dup150, - dup99, - dup151, - dup100, - dup153, - dup102, - select48, - dup92, - ], - on_success: processor_chain([ - dup27, - dup53, - dup55, - dup104, - dup22, - dup52, - ]), - }); - - var msg497 = msg("RT_FLOW_SESSION_CLOSE:01", 
all28); - - var part526 = match("MESSAGE#493:RT_FLOW_SESSION_CLOSE", "nwparser.payload", "%{event_type->} [junos@%{obj_name->} reason=\"%{result}\" source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" protocol-id=\"%{protocol}\" policy-name=\"%{policyname}\" inbound-packets=\"%{packets}\" inbound-bytes=\"%{rbytes}\" outbound-packets=\"%{dclass_counter1}\" outbound-bytes=\"%{sbytes}\" elapsed-time=\"%{duration}\"]", processor_chain([ - dup27, - dup53, - dup55, - dup22, - dup52, - ])); - - var msg498 = msg("RT_FLOW_SESSION_CLOSE", part526); - - var part527 = match("MESSAGE#494:RT_FLOW_SESSION_CLOSE:02/0_0", "nwparser.payload", "%{process}: %{event_type}: session closed %{p0}"); - - var part528 = match("MESSAGE#494:RT_FLOW_SESSION_CLOSE:02/0_1", "nwparser.payload", "%{event_type}: session closed %{p0}"); - - var select49 = linear_select([ - part527, - part528, - ]); - - var part529 = match("MESSAGE#494:RT_FLOW_SESSION_CLOSE:02/1", "nwparser.p0", "%{result}: %{saddr}/%{sport}->%{daddr}/%{dport->} %{fld20->} %{hostip}/%{network_port}->%{dtransaddr}/%{dtransport->} %{info}"); - - var all29 = all_match({ - processors: [ - select49, - part529, - ], - on_success: processor_chain([ - dup27, - dup53, - dup55, - dup22, - setc("event_description","session closed"), - dup23, - ]), - }); - - var msg499 = msg("RT_FLOW_SESSION_CLOSE:02", all29); - - var part530 = match("MESSAGE#495:RT_FLOW_SESSION_CLOSE:03/7_1", "nwparser.p0", " application=\"%{fld6}\" nested-application=\"%{fld7}\" username=\"%{username}\" roles=\"%{user_role}\" packet-incoming-interface=\"%{dinterface}\" %{p0}"); - - var select50 = linear_select([ - dup103, - part530, - dup45, - ]); - - var part531 = match("MESSAGE#495:RT_FLOW_SESSION_CLOSE:03/8", "nwparser.p0", "] session closed %{fld60}: %{fld51}/%{fld52}->%{fld53}/%{fld54->} %{fld55->} %{fld56}/%{fld57}->%{fld58}/%{fld59->} %{info}"); - - var all30 = all_match({ - processors: [ - dup98, - dup150, - 
dup99, - dup151, - dup100, - dup153, - dup102, - select50, - part531, - ], - on_success: processor_chain([ - dup27, - dup53, - dup55, - dup104, - dup22, - dup52, - dup61, - ]), - }); - - var msg500 = msg("RT_FLOW_SESSION_CLOSE:03", all30); - - var select51 = linear_select([ - msg497, - msg498, - msg499, - msg500, - ]); - - var part532 = match("MESSAGE#496:RT_SCREEN_IP", "nwparser.payload", "%{process}: %{event_type}: Fragmented traffic! source:%{saddr}, destination: %{daddr}, protocol-id: %{protocol}, zone name: %{zone}, interface name: %{interface}", processor_chain([ - dup30, - dup22, - setc("event_description","Fragmented traffic"), - dup23, - ])); - - var msg501 = msg("RT_SCREEN_IP", part532); - - var part533 = match("MESSAGE#497:RT_SCREEN_IP:01", "nwparser.payload", "%{event_type->} [junos@%{obj_name->} attack-name=\"%{threat_name}\" source-address=\"%{saddr}\" destination-address=\"%{daddr}\" protocol-id=\"%{protocol}\" source-zone-name=\"%{src_zone}\" interface-name=\"%{interface}\" action=\"%{action}\"]", processor_chain([ - dup30, - dup22, - dup52, - ])); - - var msg502 = msg("RT_SCREEN_IP:01", part533); - - var select52 = linear_select([ - msg501, - msg502, - ]); - - var msg503 = msg("RT_SCREEN_TCP", dup154); - - var part534 = match("MESSAGE#499:RT_SCREEN_SESSION_LIMIT", "nwparser.payload", "%{event_type->} [junos@%{obj_name->} attack-name=\"%{threat_name}\" message=\"%{info}\" ip-address=\"%{hostip}\" source-zone-name=\"%{src_zone}\" interface-name=\"%{interface}\" action=\"%{action}\"]", processor_chain([ - dup30, - dup22, - dup52, - ])); - - var msg504 = msg("RT_SCREEN_SESSION_LIMIT", part534); - - var msg505 = msg("RT_SCREEN_UDP", dup154); - - var part535 = match("MESSAGE#501:SERVICED_CLIENT_CONNECT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: attempt to connect to interface failed with error: %{result}", processor_chain([ - dup27, - dup22, - setc("event_description","attempt to connect to interface failed"), - dup23, - 
])); - - var msg506 = msg("SERVICED_CLIENT_CONNECT", part535); - - var part536 = match("MESSAGE#502:SERVICED_CLIENT_DISCONNECTED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: unexpected termination of connection to interface", processor_chain([ - dup27, - dup22, - setc("event_description","unexpected termination of connection"), - dup23, - ])); - - var msg507 = msg("SERVICED_CLIENT_DISCONNECTED", part536); - - var part537 = match("MESSAGE#503:SERVICED_CLIENT_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: client interface connection failure: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","client interface connection failure"), - dup23, - ])); - - var msg508 = msg("SERVICED_CLIENT_ERROR", part537); - - var part538 = match("MESSAGE#504:SERVICED_COMMAND_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: remote command execution failed with error: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","remote command execution failed"), - dup23, - ])); - - var msg509 = msg("SERVICED_COMMAND_FAILED", part538); - - var part539 = match("MESSAGE#505:SERVICED_COMMIT_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: client failed to commit configuration with error: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","client commit configuration failed"), - dup23, - ])); - - var msg510 = msg("SERVICED_COMMIT_FAILED", part539); - - var part540 = match("MESSAGE#506:SERVICED_CONFIGURATION_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: configuration process failed with error: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","configuration process failed"), - dup23, - ])); - - var msg511 = msg("SERVICED_CONFIGURATION_FAILED", part540); - - var part541 = match("MESSAGE#507:SERVICED_CONFIG_ERROR", "nwparser.payload", 
"%{process}[%{process_id}]: %{event_type}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","SERVICED CONFIG ERROR"), - dup23, - ])); - - var msg512 = msg("SERVICED_CONFIG_ERROR", part541); - - var part542 = match("MESSAGE#508:SERVICED_CONFIG_FILE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: %{dclass_counter2->} failed to read path with error: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","service failed to read path"), - dup23, - ])); - - var msg513 = msg("SERVICED_CONFIG_FILE", part542); - - var part543 = match("MESSAGE#509:SERVICED_CONNECTION_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","SERVICED CONNECTION ERROR"), - dup23, - ])); - - var msg514 = msg("SERVICED_CONNECTION_ERROR", part543); - - var part544 = match("MESSAGE#510:SERVICED_DISABLED_GGSN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: GGSN services disabled: object: %{result}", processor_chain([ - dup21, - dup22, - setc("event_description","GGSN services disabled"), - dup23, - ])); - - var msg515 = msg("SERVICED_DISABLED_GGSN", part544); - - var msg516 = msg("SERVICED_DUPLICATE", dup141); - - var part545 = match("MESSAGE#512:SERVICED_EVENT_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: event function %{dclass_counter2->} failed with error: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","event function failed"), - dup23, - ])); - - var msg517 = msg("SERVICED_EVENT_FAILED", part545); - - var part546 = match("MESSAGE#513:SERVICED_INIT_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: initialization failed with error: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","service initialization failed"), - dup23, - ])); - - var msg518 = msg("SERVICED_INIT_FAILED", part546); - - var 
part547 = match("MESSAGE#514:SERVICED_MALLOC_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: failed to allocate [%{dclass_counter2}] object [%{dclass_counter1->} bytes %{bytes}]: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","memory allocation failure"), - dup23, - ])); - - var msg519 = msg("SERVICED_MALLOC_FAILURE", part547); - - var part548 = match("MESSAGE#515:SERVICED_NETWORK_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: %{dclass_counter2->} had error: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","NETWORK FAILURE"), - dup23, - ])); - - var msg520 = msg("SERVICED_NETWORK_FAILURE", part548); - - var part549 = match("MESSAGE#516:SERVICED_NOT_ROOT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Must be run as root", processor_chain([ - dup63, - dup22, - setc("event_description","SERVICED must be run as root"), - dup23, - ])); - - var msg521 = msg("SERVICED_NOT_ROOT", part549); - - var msg522 = msg("SERVICED_PID_FILE_LOCK", dup142); - - var msg523 = msg("SERVICED_PID_FILE_UPDATE", dup143); - - var part550 = match("MESSAGE#519:SERVICED_RTSOCK_SEQUENCE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: routing socket sequence error, %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","routing socket sequence error"), - dup23, - ])); - - var msg524 = msg("SERVICED_RTSOCK_SEQUENCE", part550); - - var part551 = match("MESSAGE#520:SERVICED_SIGNAL_HANDLER", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: set up of signal name handler failed with error: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","set up of signal name handler failed"), - dup23, - ])); - - var msg525 = msg("SERVICED_SIGNAL_HANDLER", part551); - - var part552 = match("MESSAGE#521:SERVICED_SOCKET_CREATE", "nwparser.payload", "%{process}[%{process_id}]: 
%{event_type}: %{agent}: socket create failed with error: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","socket create failed with error"), - dup23, - ])); - - var msg526 = msg("SERVICED_SOCKET_CREATE", part552); - - var part553 = match("MESSAGE#522:SERVICED_SOCKET_IO", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: socket function %{dclass_counter2->} failed with error: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","socket function failed"), - dup23, - ])); - - var msg527 = msg("SERVICED_SOCKET_IO", part553); - - var part554 = match("MESSAGE#523:SERVICED_SOCKET_OPTION", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: unable to set socket option %{dclass_counter2}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","unable to set socket option"), - dup23, - ])); - - var msg528 = msg("SERVICED_SOCKET_OPTION", part554); - - var part555 = match("MESSAGE#524:SERVICED_STDLIB_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: %{dclass_counter2->} had error: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","STDLIB FAILURE"), - dup23, - ])); - - var msg529 = msg("SERVICED_STDLIB_FAILURE", part555); - - var part556 = match("MESSAGE#525:SERVICED_USAGE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Incorrect usage: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Incorrect service usage"), - dup23, - ])); - - var msg530 = msg("SERVICED_USAGE", part556); - - var part557 = match("MESSAGE#526:SERVICED_WORK_INCONSISTENCY", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: object has unexpected value %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","object has unexpected value"), - dup23, - ])); - - var msg531 = msg("SERVICED_WORK_INCONSISTENCY", part557); - - var msg532 = 
msg("SSL_PROXY_SSL_SESSION_ALLOW", dup155); - - var msg533 = msg("SSL_PROXY_SSL_SESSION_DROP", dup155); - - var msg534 = msg("SSL_PROXY_SESSION_IGNORE", dup155); - - var part558 = match("MESSAGE#530:SNMP_NS_LOG_INFO", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: NET-SNMP version %{version->} AgentX subagent connected", processor_chain([ - dup21, - dup22, - setc("event_description","AgentX subagent connected"), - dup61, - dup23, - ])); - - var msg535 = msg("SNMP_NS_LOG_INFO", part558); - - var part559 = match("MESSAGE#531:SNMP_SUBAGENT_IPC_REG_ROWS", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: ns_subagent_register_mibs: registering %{dclass_counter1->} rows", processor_chain([ - dup21, - dup22, - setc("event_description","ns_subagent registering rows"), - dup61, - dup23, - ])); - - var msg536 = msg("SNMP_SUBAGENT_IPC_REG_ROWS", part559); - - var part560 = match("MESSAGE#532:SNMPD_ACCESS_GROUP_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: %{result->} in %{dclass_counter1->} access group %{group}", processor_chain([ - dup30, - dup22, - setc("event_description","SNMPD ACCESS GROUP ERROR"), - dup23, - ])); - - var msg537 = msg("SNMPD_ACCESS_GROUP_ERROR", part560); - - var part561 = match("MESSAGE#533:SNMPD_AUTH_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: unauthorized SNMP community from %{daddr->} to unknown community name (%{pool_name})", processor_chain([ - dup30, - dup22, - dup105, - setc("result","unauthorized SNMP community to unknown community name"), - dup23, - ])); - - var msg538 = msg("SNMPD_AUTH_FAILURE", part561); - - var part562 = match("MESSAGE#534:SNMPD_AUTH_FAILURE:01", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: failed input interface authorization from %{daddr->} to unknown (%{pool_name})", processor_chain([ - dup30, - dup22, - dup105, - setc("result","failed input interface authorization to unknown"), - dup23, - 
])); - - var msg539 = msg("SNMPD_AUTH_FAILURE:01", part562); - - var part563 = match("MESSAGE#535:SNMPD_AUTH_FAILURE:02", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: unauthorized SNMP community from %{daddr->} to %{saddr->} (%{pool_name})", processor_chain([ - dup30, - dup22, - dup105, - setc("result","unauthorized SNMP community "), - dup23, - ])); - - var msg540 = msg("SNMPD_AUTH_FAILURE:02", part563); - - var part564 = match("MESSAGE#595:SNMPD_AUTH_FAILURE:03", "nwparser.payload", "%{process->} %{process_id->} %{event_type->} [junos@%{obj_name->} function-name=\"%{fld1}\" message=\"%{info}\" source-address=\"%{saddr}\" destination-address=\"%{daddr}\" index1=\"%{fld4}\"]", processor_chain([ - dup30, - dup22, - dup105, - dup61, - dup62, - ])); - - var msg541 = msg("SNMPD_AUTH_FAILURE:03", part564); - - var select53 = linear_select([ - msg538, - msg539, - msg540, - msg541, - ]); - - var part565 = match("MESSAGE#536:SNMPD_AUTH_PRIVILEGES_EXCEEDED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: %{saddr}: request exceeded community privileges", processor_chain([ - dup30, - dup22, - setc("event_description","SNMP request exceeded community privileges"), - dup23, - ])); - - var msg542 = msg("SNMPD_AUTH_PRIVILEGES_EXCEEDED", part565); - - var part566 = match("MESSAGE#537:SNMPD_AUTH_RESTRICTED_ADDRESS", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: request from address %{daddr->} not allowed", processor_chain([ - dup48, - dup22, - setc("event_description","SNMPD AUTH RESTRICTED ADDRESS"), - setc("result","request not allowed"), - dup23, - ])); - - var msg543 = msg("SNMPD_AUTH_RESTRICTED_ADDRESS", part566); - - var part567 = match("MESSAGE#538:SNMPD_AUTH_WRONG_PDU_TYPE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: %{saddr}: unauthorized SNMP PDU type: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","unauthorized SNMP PDU type"), - 
dup23, - ])); - - var msg544 = msg("SNMPD_AUTH_WRONG_PDU_TYPE", part567); - - var part568 = match("MESSAGE#539:SNMPD_CONFIG_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Configuration database has errors", processor_chain([ - dup30, - dup22, - setc("event_description","Configuration database has errors"), - dup23, - ])); - - var msg545 = msg("SNMPD_CONFIG_ERROR", part568); - - var part569 = match("MESSAGE#540:SNMPD_CONTEXT_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: %{result->} in %{dclass_counter1->} context %{dclass_counter2}", processor_chain([ - dup30, - dup22, - setc("event_description","SNMPD CONTEXT ERROR"), - dup23, - ])); - - var msg546 = msg("SNMPD_CONTEXT_ERROR", part569); - - var part570 = match("MESSAGE#541:SNMPD_ENGINE_FILE_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{dclass_counter2}: operation: %{dclass_counter1->} %{agent}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","SNMPD ENGINE FILE FAILURE"), - dup23, - ])); - - var msg547 = msg("SNMPD_ENGINE_FILE_FAILURE", part570); - - var part571 = match("MESSAGE#542:SNMPD_ENGINE_PROCESS_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: from-path: undecodable/unmatched subagent response", processor_chain([ - dup30, - dup22, - setc("event_description"," from-path - SNMP undecodable/unmatched subagent response"), - dup23, - ])); - - var msg548 = msg("SNMPD_ENGINE_PROCESS_ERROR", part571); - - var part572 = match("MESSAGE#543:SNMPD_FILE_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: fopen %{dclass_counter2}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","SNMPD FILE FAILURE"), - dup23, - ])); - - var msg549 = msg("SNMPD_FILE_FAILURE", part572); - - var part573 = match("MESSAGE#544:SNMPD_GROUP_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: %{result->} in 
%{dclass_counter1->} group: '%{group}' user '%{username}' model '%{version}'", processor_chain([ - dup30, - dup22, - setc("event_description","SNMPD GROUP ERROR"), - dup23, - ])); - - var msg550 = msg("SNMPD_GROUP_ERROR", part573); - - var part574 = match("MESSAGE#545:SNMPD_INIT_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: snmpd initialization failure: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","snmpd initialization failure"), - dup23, - ])); - - var msg551 = msg("SNMPD_INIT_FAILED", part574); - - var part575 = match("MESSAGE#546:SNMPD_LIBJUNIPER_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: system_default_inaddr: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","LIBJUNIPER FAILURE"), - dup23, - ])); - - var msg552 = msg("SNMPD_LIBJUNIPER_FAILURE", part575); - - var part576 = match("MESSAGE#547:SNMPD_LOOPBACK_ADDR_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","LOOPBACK ADDR ERROR"), - dup23, - ])); - - var msg553 = msg("SNMPD_LOOPBACK_ADDR_ERROR", part576); - - var part577 = match("MESSAGE#548:SNMPD_MEMORY_FREED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: called for freed - already freed", processor_chain([ - dup30, - dup22, - setc("event_description","duplicate memory free"), - dup23, - ])); - - var msg554 = msg("SNMPD_MEMORY_FREED", part577); - - var part578 = match("MESSAGE#549:SNMPD_RADIX_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: radix_add failed: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","radix_add failed"), - dup23, - ])); - - var msg555 = msg("SNMPD_RADIX_FAILURE", part578); - - var part579 = match("MESSAGE#550:SNMPD_RECEIVE_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: receive 
%{dclass_counter1->} failure: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","SNMPD RECEIVE FAILURE"), - dup23, - ])); - - var msg556 = msg("SNMPD_RECEIVE_FAILURE", part579); - - var part580 = match("MESSAGE#551:SNMPD_RMONFILE_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{dclass_counter2}: operation: %{dclass_counter1->} %{agent}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","RMONFILE FAILURE"), - dup23, - ])); - - var msg557 = msg("SNMPD_RMONFILE_FAILURE", part580); - - var part581 = match("MESSAGE#552:SNMPD_RMON_COOKIE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: Null cookie", processor_chain([ - dup30, - dup22, - setc("event_description","Null cookie"), - dup23, - ])); - - var msg558 = msg("SNMPD_RMON_COOKIE", part581); - - var part582 = match("MESSAGE#553:SNMPD_RMON_EVENTLOG", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: %{result}", processor_chain([ - dup21, - dup22, - setc("event_description","RMON EVENTLOG"), - dup23, - ])); - - var msg559 = msg("SNMPD_RMON_EVENTLOG", part582); - - var part583 = match("MESSAGE#554:SNMPD_RMON_IOERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: Received io error, %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Received io error"), - dup23, - ])); - - var msg560 = msg("SNMPD_RMON_IOERROR", part583); - - var part584 = match("MESSAGE#555:SNMPD_RMON_MIBERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: internal Get request error: description, %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","internal Get request error"), - dup23, - ])); - - var msg561 = msg("SNMPD_RMON_MIBERROR", part584); - - var part585 = match("MESSAGE#556:SNMPD_RTSLIB_ASYNC_EVENT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: sequence mismatch %{result}", processor_chain([ - 
dup30, - dup22, - setc("event_description","sequence mismatch"), - dup23, - ])); - - var msg562 = msg("SNMPD_RTSLIB_ASYNC_EVENT", part585); - - var part586 = match("MESSAGE#557:SNMPD_SEND_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: send send-type (index1) failure: %{result}", processor_chain([ - dup30, - dup22, - dup106, - dup23, - ])); - - var msg563 = msg("SNMPD_SEND_FAILURE", part586); - - var part587 = match("MESSAGE#558:SNMPD_SEND_FAILURE:01", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: send to (%{saddr}) failure: %{result}", processor_chain([ - dup30, - dup22, - dup106, - dup23, - ])); - - var msg564 = msg("SNMPD_SEND_FAILURE:01", part587); - - var select54 = linear_select([ - msg563, - msg564, - ]); - - var part588 = match("MESSAGE#559:SNMPD_SOCKET_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: socket failure: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","SNMPD SOCKET FAILURE"), - dup23, - ])); - - var msg565 = msg("SNMPD_SOCKET_FAILURE", part588); - - var part589 = match("MESSAGE#560:SNMPD_SUBAGENT_NO_BUFFERS", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: No buffers available for subagent (%{agent})", processor_chain([ - dup30, - dup22, - setc("event_description","No buffers available for subagent"), - dup23, - ])); - - var msg566 = msg("SNMPD_SUBAGENT_NO_BUFFERS", part589); - - var part590 = match("MESSAGE#561:SNMPD_SUBAGENT_SEND_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Send to subagent failed (%{agent}): %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Send to subagent failed"), - dup23, - ])); - - var msg567 = msg("SNMPD_SUBAGENT_SEND_FAILED", part590); - - var part591 = match("MESSAGE#562:SNMPD_SYSLIB_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: system function '%{dclass_counter1}' failed: %{result}", 
processor_chain([ - dup30, - dup22, - setc("event_description","system function failed"), - dup23, - ])); - - var msg568 = msg("SNMPD_SYSLIB_FAILURE", part591); - - var part592 = match("MESSAGE#563:SNMPD_THROTTLE_QUEUE_DRAINED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: cleared all throttled traps", processor_chain([ - dup21, - dup22, - setc("event_description","cleared all throttled traps"), - dup23, - ])); - - var msg569 = msg("SNMPD_THROTTLE_QUEUE_DRAINED", part592); - - var part593 = match("MESSAGE#564:SNMPD_TRAP_COLD_START", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: SNMP trap: cold start", processor_chain([ - dup21, - dup22, - setc("event_description","SNMP trap: cold start"), - dup23, - ])); - - var msg570 = msg("SNMPD_TRAP_COLD_START", part593); - - var part594 = match("MESSAGE#565:SNMPD_TRAP_GEN_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: SNMP trap error: %{resultcode->} (%{result})", processor_chain([ - dup30, - dup22, - dup107, - dup23, - ])); - - var msg571 = msg("SNMPD_TRAP_GEN_FAILURE", part594); - - var part595 = match("MESSAGE#566:SNMPD_TRAP_GEN_FAILURE2", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: SNMP trap error: %{dclass_counter2->} %{result}", processor_chain([ - dup30, - dup22, - dup107, - dup23, - ])); - - var msg572 = msg("SNMPD_TRAP_GEN_FAILURE2", part595); - - var part596 = match("MESSAGE#567:SNMPD_TRAP_INVALID_DATA", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: SNMP trap error: %{result->} (%{dclass_counter2}) received", processor_chain([ - dup30, - dup22, - setc("event_description","SNMPD TRAP INVALID DATA"), - dup23, - ])); - - var msg573 = msg("SNMPD_TRAP_INVALID_DATA", part596); - - var part597 = match("MESSAGE#568:SNMPD_TRAP_NOT_ENOUGH_VARBINDS", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: SNMP trap error: %{info->} (%{result})", processor_chain([ - 
dup30, - dup22, - setc("event_description","SNMPD TRAP ERROR"), - dup23, - ])); - - var msg574 = msg("SNMPD_TRAP_NOT_ENOUGH_VARBINDS", part597); - - var part598 = match("MESSAGE#569:SNMPD_TRAP_QUEUED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Adding trap to %{dclass_counter2->} to %{obj_name->} queue, %{dclass_counter1->} traps in queue", processor_chain([ - dup21, - dup22, - setc("event_description","Adding trap to queue"), - dup23, - ])); - - var msg575 = msg("SNMPD_TRAP_QUEUED", part598); - - var part599 = match("MESSAGE#570:SNMPD_TRAP_QUEUE_DRAINED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: traps queued to %{obj_name->} sent successfully", processor_chain([ - dup21, - dup22, - setc("event_description","traps queued - sent successfully"), - dup23, - ])); - - var msg576 = msg("SNMPD_TRAP_QUEUE_DRAINED", part599); - - var part600 = match("MESSAGE#571:SNMPD_TRAP_QUEUE_MAX_ATTEMPTS", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: after %{dclass_counter1->} attempts, deleting %{dclass_counter2->} traps queued to %{obj_name}", processor_chain([ - dup30, - dup22, - setc("event_description","SNMPD TRAP QUEUE MAX_ATTEMPTS - deleting some traps"), - dup23, - ])); - - var msg577 = msg("SNMPD_TRAP_QUEUE_MAX_ATTEMPTS", part600); - - var part601 = match("MESSAGE#572:SNMPD_TRAP_QUEUE_MAX_SIZE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: maximum queue size exceeded (%{dclass_counter1}), discarding trap to %{dclass_counter2->} from %{obj_name->} queue", processor_chain([ - dup21, - dup22, - setc("event_description","SNMP TRAP maximum queue size exceeded"), - dup23, - ])); - - var msg578 = msg("SNMPD_TRAP_QUEUE_MAX_SIZE", part601); - - var part602 = match("MESSAGE#573:SNMPD_TRAP_THROTTLED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: traps throttled after %{dclass_counter1->} traps", processor_chain([ - dup21, - dup22, - 
setc("event_description","SNMP traps throttled"), - dup23, - ])); - - var msg579 = msg("SNMPD_TRAP_THROTTLED", part602); - - var part603 = match("MESSAGE#574:SNMPD_TRAP_TYPE_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: unknown trap type requested (%{obj_type->} )", processor_chain([ - dup30, - dup22, - setc("event_description","unknown SNMP trap type requested"), - dup23, - ])); - - var msg580 = msg("SNMPD_TRAP_TYPE_ERROR", part603); - - var part604 = match("MESSAGE#575:SNMPD_TRAP_VARBIND_TYPE_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: SNMP trap error: expecting %{dclass_counter1->} varbind to be VT_NUMBER (%{resultcode->} )", processor_chain([ - dup30, - dup22, - setc("event_description","SNMPD TRAP VARBIND TYPE ERROR"), - dup23, - ])); - - var msg581 = msg("SNMPD_TRAP_VARBIND_TYPE_ERROR", part604); - - var part605 = match("MESSAGE#576:SNMPD_TRAP_VERSION_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: SNMP trap error: invalid version signature (%{result})", processor_chain([ - dup30, - dup22, - setc("event_description","SNMPD TRAP ERROR - invalid version signature"), - dup23, - ])); - - var msg582 = msg("SNMPD_TRAP_VERSION_ERROR", part605); - - var part606 = match("MESSAGE#577:SNMPD_TRAP_WARM_START", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: SNMP trap: warm start", processor_chain([ - dup21, - dup22, - setc("event_description","SNMPD TRAP WARM START"), - dup23, - ])); - - var msg583 = msg("SNMPD_TRAP_WARM_START", part606); - - var part607 = match("MESSAGE#578:SNMPD_USER_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: %{result->} in %{dclass_counter1->} user '%{username}' %{dclass_counter2}", processor_chain([ - dup30, - dup22, - setc("event_description","SNMPD USER ERROR"), - dup23, - ])); - - var msg584 = msg("SNMPD_USER_ERROR", part607); - - var part608 = match("MESSAGE#579:SNMPD_VIEW_DELETE", 
"nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: deleting view %{dclass_counter2->} %{result}", processor_chain([ - dup21, - dup22, - setc("event_description","SNMP deleting view"), - dup23, - ])); - - var msg585 = msg("SNMPD_VIEW_DELETE", part608); - - var part609 = match("MESSAGE#580:SNMPD_VIEW_INSTALL_DEFAULT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: %{result->} installing default %{dclass_counter1->} view %{dclass_counter2}", processor_chain([ - dup21, - dup22, - setc("event_description","installing default SNMP view"), - dup23, - ])); - - var msg586 = msg("SNMPD_VIEW_INSTALL_DEFAULT", part609); - - var part610 = match("MESSAGE#581:SNMPD_VIEW_OID_PARSE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: oid parsing failed for view %{dclass_counter2->} oid %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","oid parsing failed for SNMP view"), - dup23, - ])); - - var msg587 = msg("SNMPD_VIEW_OID_PARSE", part610); - - var part611 = match("MESSAGE#582:SNMP_GET_ERROR1", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent->} %{dclass_counter1->} failed for %{dclass_counter2->} : %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","SNMP_GET_ERROR 1"), - dup23, - ])); - - var msg588 = msg("SNMP_GET_ERROR1", part611); - - var part612 = match("MESSAGE#583:SNMP_GET_ERROR2", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent->} %{dclass_counter1->} failed for %{dclass_counter2->} : %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","SNMP GET ERROR 2"), - dup23, - ])); - - var msg589 = msg("SNMP_GET_ERROR2", part612); - - var part613 = match("MESSAGE#584:SNMP_GET_ERROR3", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent->} %{dclass_counter1->} failed for %{dclass_counter2->} : %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","SNMP GET ERROR 
3"), - dup23, - ])); - - var msg590 = msg("SNMP_GET_ERROR3", part613); - - var part614 = match("MESSAGE#585:SNMP_GET_ERROR4", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent->} %{dclass_counter1->} failed for %{dclass_counter2->} : %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","SNMP GET ERROR 4"), - dup23, - ])); - - var msg591 = msg("SNMP_GET_ERROR4", part614); - - var part615 = match("MESSAGE#586:SNMP_RTSLIB_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: rtslib-error: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","SNMP RTSLIB FAILURE"), - dup23, - ])); - - var msg592 = msg("SNMP_RTSLIB_FAILURE", part615); - - var part616 = match("MESSAGE#587:SNMP_TRAP_LINK_DOWN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: ifIndex %{dclass_counter1}, ifAdminStatus %{resultcode}, ifOperStatus %{result}, ifName %{interface}", processor_chain([ - dup30, - dup22, - dup108, - dup23, - ])); - - var msg593 = msg("SNMP_TRAP_LINK_DOWN", part616); - - var part617 = match("MESSAGE#596:SNMP_TRAP_LINK_DOWN:01", "nwparser.payload", "%{process->} %{process_id->} %{event_type->} [junos@%{obj_name->} snmp-interface-index=\"%{fld1}\" admin-status=\"%{fld3}\" operational-status=\"%{fld2}\" interface-name=\"%{interface}\"]", processor_chain([ - dup30, - dup22, - dup108, - dup61, - dup62, - ])); - - var msg594 = msg("SNMP_TRAP_LINK_DOWN:01", part617); - - var select55 = linear_select([ - msg593, - msg594, - ]); - - var part618 = match("MESSAGE#588:SNMP_TRAP_LINK_UP", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: ifIndex %{dclass_counter1}, ifAdminStatus %{resultcode}, ifOperStatus %{result}, ifName %{interface}", processor_chain([ - dup21, - dup22, - dup109, - dup23, - ])); - - var msg595 = msg("SNMP_TRAP_LINK_UP", part618); - - var part619 = match("MESSAGE#597:SNMP_TRAP_LINK_UP:01", "nwparser.payload", "%{process->} %{process_id->} %{event_type->} 
[junos@%{obj_name->} snmp-interface-index=\"%{fld1}\" admin-status=\"%{fld3}\" operational-status=\"%{event_state}\" interface-name=\"%{interface}\"]", processor_chain([ - dup21, - dup22, - dup109, - dup61, - dup62, - ])); - - var msg596 = msg("SNMP_TRAP_LINK_UP:01", part619); - - var select56 = linear_select([ - msg595, - msg596, - ]); - - var part620 = match("MESSAGE#589:SNMP_TRAP_PING_PROBE_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: pingCtlOwnerIndex = %{dclass_counter1}, pingCtlTestName = %{obj_name}", processor_chain([ - dup30, - dup22, - setc("event_description","SNMP TRAP PING PROBE FAILED"), - dup23, - ])); - - var msg597 = msg("SNMP_TRAP_PING_PROBE_FAILED", part620); - - var part621 = match("MESSAGE#590:SNMP_TRAP_PING_TEST_COMPLETED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: pingCtlOwnerIndex = %{dclass_counter1}, pingCtlTestName = %{obj_name}", processor_chain([ - dup21, - dup22, - setc("event_description","SNMP TRAP PING TEST COMPLETED"), - dup23, - ])); - - var msg598 = msg("SNMP_TRAP_PING_TEST_COMPLETED", part621); - - var part622 = match("MESSAGE#591:SNMP_TRAP_PING_TEST_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: pingCtlOwnerIndex = %{dclass_counter1}, pingCtlTestName = %{obj_name}", processor_chain([ - dup30, - dup22, - setc("event_description","SNMP TRAP PING TEST FAILED"), - dup23, - ])); - - var msg599 = msg("SNMP_TRAP_PING_TEST_FAILED", part622); - - var part623 = match("MESSAGE#592:SNMP_TRAP_TRACE_ROUTE_PATH_CHANGE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: traceRouteCtlOwnerIndex = %{dclass_counter1}, traceRouteCtlTestName = %{obj_name}", processor_chain([ - dup21, - dup22, - setc("event_description","SNMP TRAP TRACE ROUTE PATH CHANGE"), - dup23, - ])); - - var msg600 = msg("SNMP_TRAP_TRACE_ROUTE_PATH_CHANGE", part623); - - var part624 = match("MESSAGE#593:SNMP_TRAP_TRACE_ROUTE_TEST_COMPLETED", "nwparser.payload", "%{process}[%{process_id}]: 
%{event_type}: traceRouteCtlOwnerIndex = %{dclass_counter1}, traceRouteCtlTestName = %{obj_name}", processor_chain([ - dup21, - dup22, - setc("event_description","SNMP TRAP TRACE ROUTE TEST COMPLETED"), - dup23, - ])); - - var msg601 = msg("SNMP_TRAP_TRACE_ROUTE_TEST_COMPLETED", part624); - - var part625 = match("MESSAGE#594:SNMP_TRAP_TRACE_ROUTE_TEST_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: traceRouteCtlOwnerIndex = %{dclass_counter1}, traceRouteCtlTestName = %{obj_name}", processor_chain([ - dup30, - dup22, - setc("event_description","SNMP TRAP TRACE ROUTE TEST FAILED"), - dup23, - ])); - - var msg602 = msg("SNMP_TRAP_TRACE_ROUTE_TEST_FAILED", part625); - - var part626 = match("MESSAGE#598:SSHD_LOGIN_FAILED", "nwparser.payload", "%{process}: %{event_type}: Login failed for user '%{username}' from host '%{saddr}'", processor_chain([ - dup44, - dup34, - dup35, - dup36, - dup43, - dup22, - dup110, - dup23, - ])); - - var msg603 = msg("SSHD_LOGIN_FAILED", part626); - - var part627 = match("MESSAGE#599:SSHD_LOGIN_FAILED:01", "nwparser.payload", "%{event_type->} [junos@%{obj_name->} username=\"%{username}\" source-address=\"%{saddr}\"]", processor_chain([ - dup44, - dup34, - dup35, - dup36, - dup43, - dup22, - dup110, - dup61, - dup52, - setf("process","hfld33"), - ])); - - var msg604 = msg("SSHD_LOGIN_FAILED:01", part627); - - var select57 = linear_select([ - msg603, - msg604, - ]); - - var part628 = match("MESSAGE#600:task_connect", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: task %{agent->} addr %{daddr}+%{dport}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","task connect failure"), - dup23, - ])); - - var msg605 = msg("task_connect", part628); - - var msg606 = msg("TASK_TASK_REINIT", dup149); - - var part629 = match("MESSAGE#602:TFTPD_AF_ERR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unexpected address family %{dclass_counter2}", processor_chain([ - dup30, - dup22, 
- setc("event_description","Unexpected address family"), - dup23, - ])); - - var msg607 = msg("TFTPD_AF_ERR", part629); - - var part630 = match("MESSAGE#603:TFTPD_BIND_ERR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: bind: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","TFTPD BIND ERROR"), - dup23, - ])); - - var msg608 = msg("TFTPD_BIND_ERR", part630); - - var part631 = match("MESSAGE#604:TFTPD_CONNECT_ERR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: connect: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","TFTPD CONNECT ERROR"), - dup23, - ])); - - var msg609 = msg("TFTPD_CONNECT_ERR", part631); - - var part632 = match("MESSAGE#605:TFTPD_CONNECT_INFO", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: TFTP %{protocol->} from address %{daddr->} port %{dport->} file %(unknown)", processor_chain([ - dup21, - dup22, - setc("event_description","TFTPD CONNECT INFO"), - dup23, - ])); - - var msg610 = msg("TFTPD_CONNECT_INFO", part632); - - var part633 = match("MESSAGE#606:TFTPD_CREATE_ERR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: check_space %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","TFTPD CREATE ERROR"), - dup23, - ])); - - var msg611 = msg("TFTPD_CREATE_ERR", part633); - - var part634 = match("MESSAGE#607:TFTPD_FIO_ERR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","TFTPD FIO ERR"), - dup23, - ])); - - var msg612 = msg("TFTPD_FIO_ERR", part634); - - var part635 = match("MESSAGE#608:TFTPD_FORK_ERR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: fork: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","TFTPD FORK ERROR"), - dup23, - ])); - - var msg613 = msg("TFTPD_FORK_ERR", part635); - - var part636 = match("MESSAGE#609:TFTPD_NAK_ERR", "nwparser.payload", 
"%{process}[%{process_id}]: %{event_type}: nak error %{resultcode}, %{dclass_counter1}", processor_chain([ - dup30, - dup22, - setc("event_description","TFTPD NAK ERROR"), - dup23, - ])); - - var msg614 = msg("TFTPD_NAK_ERR", part636); - - var part637 = match("MESSAGE#610:TFTPD_OPEN_ERR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to open file '%(unknown)', error: %{result}", processor_chain([ - dup30, - dup22, - dup78, - dup23, - ])); - - var msg615 = msg("TFTPD_OPEN_ERR", part637); - - var part638 = match("MESSAGE#611:TFTPD_RECVCOMPLETE_INFO", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Received %{dclass_counter1->} blocks of %{dclass_counter2->} size for file '%(unknown)'", processor_chain([ - dup21, - dup22, - setc("event_description","TFTPD RECVCOMPLETE INFO"), - dup23, - ])); - - var msg616 = msg("TFTPD_RECVCOMPLETE_INFO", part638); - - var part639 = match("MESSAGE#612:TFTPD_RECVFROM_ERR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: recvfrom: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","TFTPD RECVFROM ERROR"), - dup23, - ])); - - var msg617 = msg("TFTPD_RECVFROM_ERR", part639); - - var part640 = match("MESSAGE#613:TFTPD_RECV_ERR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: recv: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","TFTPD RECV ERROR"), - dup23, - ])); - - var msg618 = msg("TFTPD_RECV_ERR", part640); - - var part641 = match("MESSAGE#614:TFTPD_SENDCOMPLETE_INFO", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Sent %{dclass_counter1->} blocks of %{dclass_counter2->} and %{info->} for file '%(unknown)'", processor_chain([ - dup21, - dup22, - setc("event_description","TFTPD SENDCOMPLETE INFO"), - dup23, - ])); - - var msg619 = msg("TFTPD_SENDCOMPLETE_INFO", part641); - - var part642 = match("MESSAGE#615:TFTPD_SEND_ERR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: send: 
%{result}", processor_chain([ - dup30, - dup22, - setc("event_description","TFTPD SEND ERROR"), - dup23, - ])); - - var msg620 = msg("TFTPD_SEND_ERR", part642); - - var part643 = match("MESSAGE#616:TFTPD_SOCKET_ERR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: socket: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","TFTPD SOCKET ERROR"), - dup23, - ])); - - var msg621 = msg("TFTPD_SOCKET_ERR", part643); - - var part644 = match("MESSAGE#617:TFTPD_STATFS_ERR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: statfs %{agent}, error: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","TFTPD STATFS ERROR"), - dup23, - ])); - - var msg622 = msg("TFTPD_STATFS_ERR", part644); - - var part645 = match("MESSAGE#618:TNP", "nwparser.payload", "%{process}: %{event_type}: adding neighbor %{dclass_counter1->} to interface %{interface}", processor_chain([ - dup21, - dup22, - setc("event_description","adding neighbor to interface"), - dup23, - ])); - - var msg623 = msg("TNP", part645); - - var part646 = match("MESSAGE#619:trace_on", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: tracing to %{fld33->} started", processor_chain([ - dup21, - dup22, - setc("event_description","tracing to file"), - dup23, - call({ - dest: "nwparser.filename", - fn: RMQ, - args: [ - field("fld33"), - ], - }), - ])); - - var msg624 = msg("trace_on", part646); - - var part647 = match("MESSAGE#620:trace_rotate", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: rotating %(unknown)", processor_chain([ - dup21, - dup22, - setc("event_description","trace rotating file"), - dup23, - ])); - - var msg625 = msg("trace_rotate", part647); - - var part648 = match("MESSAGE#621:transfer-file", "nwparser.payload", "%{process}: %{event_type}: Transferred %(unknown)", processor_chain([ - dup21, - dup22, - setc("event_description","transfered file"), - dup23, - ])); - - var msg626 = msg("transfer-file", 
part648); - - var part649 = match("MESSAGE#622:ttloop", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: peer died: %{result}: %{resultcode}", processor_chain([ - dup30, - dup22, - setc("event_description","ttloop - peer died"), - dup23, - ])); - - var msg627 = msg("ttloop", part649); - - var part650 = match("MESSAGE#623:UI_AUTH_EVENT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Authenticated user '%{username}' at permission level '%{privilege}'", processor_chain([ - dup80, - dup34, - dup35, - dup37, - dup22, - setc("event_description","Authenticated user"), - dup23, - ])); - - var msg628 = msg("UI_AUTH_EVENT", part650); - - var part651 = match("MESSAGE#624:UI_AUTH_INVALID_CHALLENGE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Received invalid authentication challenge for user '%{username}': response", processor_chain([ - dup30, - dup22, - setc("event_description","Received invalid authentication challenge for user response"), - dup23, - ])); - - var msg629 = msg("UI_AUTH_INVALID_CHALLENGE", part651); - - var part652 = match("MESSAGE#625:UI_BOOTTIME_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to fetch boot time: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Unable to fetch boot time"), - dup23, - ])); - - var msg630 = msg("UI_BOOTTIME_FAILED", part652); - - var part653 = match("MESSAGE#626:UI_CFG_AUDIT_NEW", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: user '%{username}' %{dclass_counter2->} path unknown", processor_chain([ - dup30, - dup22, - setc("event_description","user path unknown"), - dup23, - ])); - - var msg631 = msg("UI_CFG_AUDIT_NEW", part653); - - var part654 = match("MESSAGE#627:UI_CFG_AUDIT_NEW:01", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' insert: [edit-config config %{filename->} security policies %{policyname}] %{info}", processor_chain([ - dup42, - dup22, - 
setc("event_description"," user Inserted Security Policies in config"), - dup23, - ])); - - var msg632 = msg("UI_CFG_AUDIT_NEW:01", part654); - - var select58 = linear_select([ - msg631, - msg632, - ]); - - var part655 = match("MESSAGE#628:UI_CFG_AUDIT_OTHER", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' delete: [%(unknown)]", processor_chain([ - dup21, - dup22, - setc("event_description","User deleted file"), - setc("action","delete"), - dup23, - ])); - - var msg633 = msg("UI_CFG_AUDIT_OTHER", part655); - - var part656 = match("MESSAGE#629:UI_CFG_AUDIT_OTHER:01", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' rollback: %(unknown)", processor_chain([ - dup21, - dup22, - setc("event_description","User rollback file"), - dup23, - ])); - - var msg634 = msg("UI_CFG_AUDIT_OTHER:01", part656); - - var part657 = match("MESSAGE#630:UI_CFG_AUDIT_OTHER:02/1_0", "nwparser.p0", "\"%{info}\""); - - var select59 = linear_select([ - part657, - dup112, - ]); - - var all31 = all_match({ - processors: [ - dup111, - select59, - ], - on_success: processor_chain([ - dup21, - dup22, - setc("event_description","User set"), - dup23, - ]), - }); - - var msg635 = msg("UI_CFG_AUDIT_OTHER:02", all31); - - var part658 = match("MESSAGE#631:UI_CFG_AUDIT_OTHER:03", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' replace: [edit-config config %{filename->} applications %{info}]", processor_chain([ - dup21, - dup22, - setc("event_description","User config replace"), - setc("action","replace"), - dup23, - ])); - - var msg636 = msg("UI_CFG_AUDIT_OTHER:03", part658); - - var part659 = match("MESSAGE#632:UI_CFG_AUDIT_OTHER:04", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' deactivate: [groups %{info}]", processor_chain([ - setc("eventcategory","1701070000"), - dup22, - setc("event_description","User deactivating group(s)"), - setc("action","deactivate"), - 
dup23, - ])); - - var msg637 = msg("UI_CFG_AUDIT_OTHER:04", part659); - - var part660 = match("MESSAGE#633:UI_CFG_AUDIT_OTHER:05", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' update: %(unknown)", processor_chain([ - dup113, - dup22, - setc("event_description","User updates config file"), - setc("action","update"), - dup23, - ])); - - var msg638 = msg("UI_CFG_AUDIT_OTHER:05", part660); - - var select60 = linear_select([ - msg633, - msg634, - msg635, - msg636, - msg637, - msg638, - ]); - - var part661 = match("MESSAGE#634:UI_CFG_AUDIT_SET:01/1_0", "nwparser.p0", "\"%{change_old}\" %{p0}"); - - var select61 = linear_select([ - part661, - dup114, - ]); - - var all32 = all_match({ - processors: [ - dup111, - select61, - dup115, - ], - on_success: processor_chain([ - dup21, - dup22, - dup116, - dup23, - ]), - }); - - var msg639 = msg("UI_CFG_AUDIT_SET:01", all32); - - var part662 = match("MESSAGE#635:UI_CFG_AUDIT_SET:02/1_0", "nwparser.p0", "\"%{change_old->} %{p0}"); - - var select62 = linear_select([ - part662, - dup114, - ]); - - var all33 = all_match({ - processors: [ - dup111, - select62, - dup115, - ], - on_success: processor_chain([ - dup21, - dup22, - dup116, - dup23, - ]), - }); - - var msg640 = msg("UI_CFG_AUDIT_SET:02", all33); - - var part663 = match("MESSAGE#636:UI_CFG_AUDIT_SET", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' replace: [edit-config config %{filename->} applications %{info}] \u003c\u003c%{disposition}> -> \"%{agent}\"", processor_chain([ - dup21, - dup22, - setc("event_description","User replace config application(s)"), - dup23, - ])); - - var msg641 = msg("UI_CFG_AUDIT_SET", part663); - - var select63 = linear_select([ - msg639, - msg640, - msg641, - ]); - - var part664 = match("MESSAGE#637:UI_CFG_AUDIT_SET_SECRET:01/2", "nwparser.p0", ": [groups %{info->} secret]"); - - var all34 = all_match({ - processors: [ - dup117, - dup156, - part664, - ], - on_success: 
processor_chain([ - dup113, - dup22, - dup120, - dup23, - ]), - }); - - var msg642 = msg("UI_CFG_AUDIT_SET_SECRET:01", all34); - - var part665 = match("MESSAGE#638:UI_CFG_AUDIT_SET_SECRET:02/2", "nwparser.p0", ": [%{info}]"); - - var all35 = all_match({ - processors: [ - dup117, - dup156, - part665, - ], - on_success: processor_chain([ - dup113, - dup22, - dup120, - dup23, - ]), - }); - - var msg643 = msg("UI_CFG_AUDIT_SET_SECRET:02", all35); - - var part666 = match("MESSAGE#639:UI_CFG_AUDIT_SET_SECRET", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: user '%{username}' %{dclass_counter2->} %{directory}", processor_chain([ - dup21, - dup22, - setc("event_description","UI CFG AUDIT SET SECRET"), - dup23, - ])); - - var msg644 = msg("UI_CFG_AUDIT_SET_SECRET", part666); - - var select64 = linear_select([ - msg642, - msg643, - msg644, - ]); - - var part667 = match("MESSAGE#640:UI_CHILD_ARGS_EXCEEDED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Too many arguments for child process '%{agent}'", processor_chain([ - dup30, - dup22, - setc("event_description","Too many arguments for child process"), - dup23, - ])); - - var msg645 = msg("UI_CHILD_ARGS_EXCEEDED", part667); - - var part668 = match("MESSAGE#641:UI_CHILD_CHANGE_USER", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to switch to local user: %{username}", processor_chain([ - dup30, - dup22, - setc("event_description","Unable to switch to local user"), - dup23, - ])); - - var msg646 = msg("UI_CHILD_CHANGE_USER", part668); - - var part669 = match("MESSAGE#642:UI_CHILD_EXEC", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Child exec failed for command '%{action}': %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Child exec failed"), - dup23, - ])); - - var msg647 = msg("UI_CHILD_EXEC", part669); - - var part670 = match("MESSAGE#643:UI_CHILD_EXITED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Child 
exited: PID %{child_pid}, status %{result}, command '%{action}'", processor_chain([ - dup30, - dup22, - setc("event_description","Child exited"), - dup23, - ])); - - var msg648 = msg("UI_CHILD_EXITED", part670); - - var part671 = match("MESSAGE#644:UI_CHILD_FOPEN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to append to log '%(unknown)': %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Unable to append to log"), - dup23, - ])); - - var msg649 = msg("UI_CHILD_FOPEN", part671); - - var part672 = match("MESSAGE#645:UI_CHILD_PIPE_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to create pipe for command '%{action}': %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Unable to create pipe for command"), - dup23, - ])); - - var msg650 = msg("UI_CHILD_PIPE_FAILED", part672); - - var part673 = match("MESSAGE#646:UI_CHILD_SIGNALED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Child received signal: PID %{child_pid}, signal %{result}: %{resultcode}, command='%{action}'", processor_chain([ - dup21, - dup22, - dup61, - setc("event_description","Child received signal"), - dup23, - ])); - - var msg651 = msg("UI_CHILD_SIGNALED", part673); - - var part674 = match("MESSAGE#647:UI_CHILD_STOPPED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Child stopped: PID %{child_pid}, signal=%{resultcode->} command='%{action}')", processor_chain([ - dup21, - dup22, - setc("event_description","Child stopped"), - dup23, - ])); - - var msg652 = msg("UI_CHILD_STOPPED", part674); - - var part675 = match("MESSAGE#648:UI_CHILD_START", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Starting child '%{agent}'", processor_chain([ - dup21, - dup22, - setc("event_description","Starting child"), - dup23, - ])); - - var msg653 = msg("UI_CHILD_START", part675); - - var part676 = match("MESSAGE#649:UI_CHILD_STATUS", "nwparser.payload", 
"%{process}[%{process_id}]: %{event_type}: Cleanup child '%{agent}', PID %{child_pid}, status %{result}", processor_chain([ - dup21, - dup22, - setc("event_description","Cleanup child"), - dup23, - ])); - - var msg654 = msg("UI_CHILD_STATUS", part676); - - var part677 = match("MESSAGE#650:UI_CHILD_WAITPID", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: waitpid failed: PID %{child_pid}, rc %{dclass_counter2}, status %{resultcode}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","waitpid failed"), - dup23, - ])); - - var msg655 = msg("UI_CHILD_WAITPID", part677); - - var part678 = match("MESSAGE#651:UI_CLI_IDLE_TIMEOUT", "nwparser.payload", "%{event_type}: Idle timeout for user '%{username}' exceeded and %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Idle timeout for user exceeded"), - dup23, - ])); - - var msg656 = msg("UI_CLI_IDLE_TIMEOUT", part678); - - var part679 = match("MESSAGE#652:UI_CMDLINE_READ_LINE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}', command '%{action}'", processor_chain([ - dup21, - dup22, - dup121, - dup23, - ])); - - var msg657 = msg("UI_CMDLINE_READ_LINE", part679); - - var part680 = match("MESSAGE#653:UI_CMDSET_EXEC_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Command execution failed for '%{agent}': %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Command execution failed"), - dup23, - ])); - - var msg658 = msg("UI_CMDSET_EXEC_FAILED", part680); - - var part681 = match("MESSAGE#654:UI_CMDSET_FORK_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to fork command '%{agent}': %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Unable to fork command"), - dup23, - ])); - - var msg659 = msg("UI_CMDSET_FORK_FAILED", part681); - - var msg660 = msg("UI_CMDSET_PIPE_FAILED", dup144); - - var part682 = 
match("MESSAGE#656:UI_CMDSET_STOPPED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Command stopped: PID %{child_pid}, signal '%{resultcode}, command '%{action}'", processor_chain([ - dup30, - dup22, - dup70, - dup23, - ])); - - var msg661 = msg("UI_CMDSET_STOPPED", part682); - - var part683 = match("MESSAGE#657:UI_CMDSET_WEXITED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Command exited: PID %{child_pid}, status %{resultcode}, command '%{action}'", processor_chain([ - dup30, - dup22, - dup72, - dup23, - ])); - - var msg662 = msg("UI_CMDSET_WEXITED", part683); - - var part684 = match("MESSAGE#658:UI_CMD_AUTH_REGEX_INVALID", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Invalid '%{action}' command authorization regular expression '%{agent}': %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Invalid regexp command"), - dup23, - ])); - - var msg663 = msg("UI_CMD_AUTH_REGEX_INVALID", part684); - - var part685 = match("MESSAGE#659:UI_COMMIT/1_0", "nwparser.p0", "requested '%{action}' operation (comment:%{info})"); - - var part686 = match("MESSAGE#659:UI_COMMIT/1_1", "nwparser.p0", "performed %{action}"); - - var select65 = linear_select([ - part685, - part686, - ]); - - var all36 = all_match({ - processors: [ - dup117, - select65, - ], - on_success: processor_chain([ - dup21, - dup22, - dup122, - dup23, - ]), - }); - - var msg664 = msg("UI_COMMIT", all36); - - var part687 = match("MESSAGE#660:UI_COMMIT_AT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: user '%{username}' performed %{result}", processor_chain([ - dup21, - dup22, - dup122, - dup23, - ])); - - var msg665 = msg("UI_COMMIT_AT", part687); - - var part688 = match("MESSAGE#661:UI_COMMIT_AT_COMPLETED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: '%{agent}' was successful", processor_chain([ - dup21, - dup22, - setc("event_description","User commit successful"), - dup23, - ])); - - var msg666 = 
msg("UI_COMMIT_AT_COMPLETED", part688); - - var part689 = match("MESSAGE#662:UI_COMMIT_AT_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{result}, %{info}", processor_chain([ - dup30, - dup22, - setc("event_description","User commit failed"), - dup23, - ])); - - var msg667 = msg("UI_COMMIT_AT_FAILED", part689); - - var part690 = match("MESSAGE#663:UI_COMMIT_COMPRESS_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to compress file %(unknown)'", processor_chain([ - dup30, - dup22, - setc("event_description","Unable to compress file"), - dup23, - ])); - - var msg668 = msg("UI_COMMIT_COMPRESS_FAILED", part690); - - var part691 = match("MESSAGE#664:UI_COMMIT_CONFIRMED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: user '%{username}' performed '%{action}'", processor_chain([ - dup21, - dup22, - setc("event_description","UI COMMIT CONFIRMED"), - dup23, - ])); - - var msg669 = msg("UI_COMMIT_CONFIRMED", part691); - - var part692 = match("MESSAGE#665:UI_COMMIT_CONFIRMED_REMINDER/0", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: '%{action}' must be confirmed within %{p0}"); - - var part693 = match("MESSAGE#665:UI_COMMIT_CONFIRMED_REMINDER/1_0", "nwparser.p0", "minutes %{dclass_counter1}"); - - var part694 = match("MESSAGE#665:UI_COMMIT_CONFIRMED_REMINDER/1_1", "nwparser.p0", "%{dclass_counter1->} minutes"); - - var select66 = linear_select([ - part693, - part694, - ]); - - var all37 = all_match({ - processors: [ - part692, - select66, - ], - on_success: processor_chain([ - dup21, - dup22, - setc("event_description","COMMIT must be confirmed within # minutes"), - dup23, - ]), - }); - - var msg670 = msg("UI_COMMIT_CONFIRMED_REMINDER", all37); - - var part695 = match("MESSAGE#666:UI_COMMIT_CONFIRMED_TIMED/2", "nwparser.p0", "'%{username}' performed '%{action}'"); - - var all38 = all_match({ - processors: [ - dup50, - dup145, - part695, - ], - on_success: processor_chain([ - dup21, - 
dup22, - setc("event_description","user performed commit confirm"), - dup23, - ]), - }); - - var msg671 = msg("UI_COMMIT_CONFIRMED_TIMED", all38); - - var part696 = match("MESSAGE#667:UI_COMMIT_EMPTY_CONTAINER", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Skipped empty object %{result}", processor_chain([ - dup21, - dup22, - setc("event_description","Skipped empty object"), - dup23, - ])); - - var msg672 = msg("UI_COMMIT_EMPTY_CONTAINER", part696); - - var part697 = match("MESSAGE#668:UI_COMMIT_NOT_CONFIRMED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Commit was not confirmed; %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","COMMIT NOT CONFIRMED"), - dup23, - ])); - - var msg673 = msg("UI_COMMIT_NOT_CONFIRMED", part697); - - var part698 = match("MESSAGE#669:UI_COMMIT_PROGRESS/1_0", "nwparser.p0", "commit %{p0}"); - - var part699 = match("MESSAGE#669:UI_COMMIT_PROGRESS/1_1", "nwparser.p0", "Commit operation in progress %{p0}"); - - var select67 = linear_select([ - part698, - part699, - ]); - - var part700 = match("MESSAGE#669:UI_COMMIT_PROGRESS/2", "nwparser.p0", ": %{action}"); - - var all39 = all_match({ - processors: [ - dup50, - select67, - part700, - ], - on_success: processor_chain([ - dup21, - dup22, - setc("event_description","Commit operation in progress"), - dup23, - ]), - }); - - var msg674 = msg("UI_COMMIT_PROGRESS", all39); - - var part701 = match("MESSAGE#670:UI_COMMIT_QUIT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: user '%{username}' performed %{action}", processor_chain([ - dup21, - dup22, - setc("event_description","COMMIT QUIT"), - dup23, - ])); - - var msg675 = msg("UI_COMMIT_QUIT", part701); - - var part702 = match("MESSAGE#671:UI_COMMIT_ROLLBACK_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Automatic rollback failed", processor_chain([ - dup30, - dup22, - setc("event_description","Automatic rollback failed"), - dup23, - ])); - - var 
msg676 = msg("UI_COMMIT_ROLLBACK_FAILED", part702); - - var part703 = match("MESSAGE#672:UI_COMMIT_SYNC", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: user '%{username}' performed %{action}", processor_chain([ - dup21, - dup22, - setc("event_description","COMMIT SYNC"), - dup23, - ])); - - var msg677 = msg("UI_COMMIT_SYNC", part703); - - var part704 = match("MESSAGE#673:UI_COMMIT_SYNC_FORCE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: All logins to local configuration database were terminated because %{result}", processor_chain([ - dup21, - dup22, - setc("event_description","All logins to local configuration database were terminated"), - dup23, - ])); - - var msg678 = msg("UI_COMMIT_SYNC_FORCE", part704); - - var part705 = match("MESSAGE#674:UI_CONFIGURATION_ERROR/0", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Process: %{agent}, path: %{p0}"); - - var part706 = match("MESSAGE#674:UI_CONFIGURATION_ERROR/1_0", "nwparser.p0", "[%(unknown)], %{p0}"); - - var part707 = match("MESSAGE#674:UI_CONFIGURATION_ERROR/1_1", "nwparser.p0", "%(unknown), %{p0}"); - - var select68 = linear_select([ - part706, - part707, - ]); - - var part708 = match("MESSAGE#674:UI_CONFIGURATION_ERROR/2", "nwparser.p0", "statement: %{info->} %{p0}"); - - var part709 = match("MESSAGE#674:UI_CONFIGURATION_ERROR/3_0", "nwparser.p0", ", error: %{result->} "); - - var select69 = linear_select([ - part709, - dup112, - ]); - - var all40 = all_match({ - processors: [ - part705, - select68, - part708, - select69, - ], - on_success: processor_chain([ - dup30, - dup22, - setc("event_description","CONFIGURATION ERROR"), - dup23, - ]), - }); - - var msg679 = msg("UI_CONFIGURATION_ERROR", all40); - - var part710 = match("MESSAGE#675:UI_DAEMON_ACCEPT_FAILED/2", "nwparser.p0", "socket connection accept failed: %{result}"); - - var all41 = all_match({ - processors: [ - dup50, - dup157, - part710, - ], - on_success: processor_chain([ - dup30, - dup22, - 
setc("event_description","socket connection accept failed"), - dup23, - ]), - }); - - var msg680 = msg("UI_DAEMON_ACCEPT_FAILED", all41); - - var part711 = match("MESSAGE#676:UI_DAEMON_FORK_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to create session child: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Unable to create session child"), - dup23, - ])); - - var msg681 = msg("UI_DAEMON_FORK_FAILED", part711); - - var part712 = match("MESSAGE#677:UI_DAEMON_SELECT_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: select failed: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","DAEMON SELECT FAILED"), - dup23, - ])); - - var msg682 = msg("UI_DAEMON_SELECT_FAILED", part712); - - var part713 = match("MESSAGE#678:UI_DAEMON_SOCKET_FAILED/2", "nwparser.p0", "socket create failed: %{result}"); - - var all42 = all_match({ - processors: [ - dup50, - dup157, - part713, - ], - on_success: processor_chain([ - dup30, - dup22, - setc("event_description","socket create failed"), - dup23, - ]), - }); - - var msg683 = msg("UI_DAEMON_SOCKET_FAILED", all42); - - var part714 = match("MESSAGE#679:UI_DBASE_ACCESS_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to reaccess database file '%(unknown)', address %{interface}, size %{dclass_counter1}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Unable to reaccess database file"), - dup23, - ])); - - var msg684 = msg("UI_DBASE_ACCESS_FAILED", part714); - - var part715 = match("MESSAGE#680:UI_DBASE_CHECKOUT_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Database '%(unknown)' is out of data and needs to be rebuilt", processor_chain([ - dup30, - dup22, - setc("event_description","Database is out of data"), - dup23, - ])); - - var msg685 = msg("UI_DBASE_CHECKOUT_FAILED", part715); - - var part716 = match("MESSAGE#681:UI_DBASE_EXTEND_FAILED", 
"nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to extend database file '%(unknown)' to size %{dclass_counter1}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Unable to extend database file"), - dup23, - ])); - - var msg686 = msg("UI_DBASE_EXTEND_FAILED", part716); - - var part717 = match("MESSAGE#682:UI_DBASE_LOGIN_EVENT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' entering configuration mode", processor_chain([ - dup33, - dup34, - dup35, - dup36, - dup37, - dup22, - setc("event_description","User entering configuration mode"), - dup23, - ])); - - var msg687 = msg("UI_DBASE_LOGIN_EVENT", part717); - - var part718 = match("MESSAGE#683:UI_DBASE_LOGOUT_EVENT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' %{event_description}", processor_chain([ - dup125, - dup34, - dup35, - dup126, - dup37, - dup22, - setc("event_description","User exiting configuration mode"), - dup23, - ])); - - var msg688 = msg("UI_DBASE_LOGOUT_EVENT", part718); - - var part719 = match("MESSAGE#684:UI_DBASE_MISMATCH_EXTENT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Database header extent mismatch for file '%{agent}': expecting %{dclass_counter1}, got %{dclass_counter2}", processor_chain([ - dup30, - dup22, - setc("event_description","Database header extent mismatch"), - dup23, - ])); - - var msg689 = msg("UI_DBASE_MISMATCH_EXTENT", part719); - - var part720 = match("MESSAGE#685:UI_DBASE_MISMATCH_MAJOR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Database header major version number mismatch for file '%(unknown)': expecting %{dclass_counter1}, got %{dclass_counter2}", processor_chain([ - dup30, - dup22, - setc("event_description","Database header major version number mismatch"), - dup23, - ])); - - var msg690 = msg("UI_DBASE_MISMATCH_MAJOR", part720); - - var part721 = match("MESSAGE#686:UI_DBASE_MISMATCH_MINOR", 
"nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Database header minor version number mismatch for file '%(unknown)': expecting %{dclass_counter1}, got %{dclass_counter2}", processor_chain([ - dup30, - dup22, - setc("event_description","Database header minor version number mismatch"), - dup23, - ])); - - var msg691 = msg("UI_DBASE_MISMATCH_MINOR", part721); - - var part722 = match("MESSAGE#687:UI_DBASE_MISMATCH_SEQUENCE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Database header sequence numbers mismatch for file '%(unknown)'", processor_chain([ - dup30, - dup22, - setc("event_description","Database header sequence numbers mismatch"), - dup23, - ])); - - var msg692 = msg("UI_DBASE_MISMATCH_SEQUENCE", part722); - - var part723 = match("MESSAGE#688:UI_DBASE_MISMATCH_SIZE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Database header size mismatch for file '%(unknown)': expecting %{dclass_counter1}, got %{dclass_counter2}", processor_chain([ - dup30, - dup22, - setc("event_description","Database header size mismatch"), - dup23, - ])); - - var msg693 = msg("UI_DBASE_MISMATCH_SIZE", part723); - - var part724 = match("MESSAGE#689:UI_DBASE_OPEN_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Database open failed for file '%(unknown)': %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Database open failed"), - dup23, - ])); - - var msg694 = msg("UI_DBASE_OPEN_FAILED", part724); - - var part725 = match("MESSAGE#690:UI_DBASE_REBUILD_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User %{username->} Automatic rebuild of the database '%(unknown)' failed", processor_chain([ - dup30, - dup22, - setc("event_description","DBASE REBUILD FAILED"), - dup23, - ])); - - var msg695 = msg("UI_DBASE_REBUILD_FAILED", part725); - - var part726 = match("MESSAGE#691:UI_DBASE_REBUILD_SCHEMA_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: 
Automatic rebuild of the database failed", processor_chain([ - dup30, - dup22, - setc("event_description","Automatic rebuild of the database failed"), - dup23, - ])); - - var msg696 = msg("UI_DBASE_REBUILD_SCHEMA_FAILED", part726); - - var part727 = match("MESSAGE#692:UI_DBASE_REBUILD_STARTED/1_1", "nwparser.p0", "Automatic %{p0}"); - - var select70 = linear_select([ - dup76, - part727, - ]); - - var part728 = match("MESSAGE#692:UI_DBASE_REBUILD_STARTED/2", "nwparser.p0", "%{username->} rebuild/rollback of the database '%(unknown)' started"); - - var all43 = all_match({ - processors: [ - dup50, - select70, - part728, - ], - on_success: processor_chain([ - dup21, - dup22, - setc("event_description","DBASE REBUILD STARTED"), - dup23, - ]), - }); - - var msg697 = msg("UI_DBASE_REBUILD_STARTED", all43); - - var part729 = match("MESSAGE#693:UI_DBASE_RECREATE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: user '%{username}' attempting database re-creation", processor_chain([ - dup21, - dup22, - setc("event_description","user attempting database re-creation"), - dup23, - ])); - - var msg698 = msg("UI_DBASE_RECREATE", part729); - - var part730 = match("MESSAGE#694:UI_DBASE_REOPEN_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Reopen of the database failed", processor_chain([ - dup30, - dup22, - setc("event_description","Reopen of the database failed"), - dup23, - ])); - - var msg699 = msg("UI_DBASE_REOPEN_FAILED", part730); - - var part731 = match("MESSAGE#695:UI_DUPLICATE_UID", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Users %{username->} have the same UID %{uid}", processor_chain([ - dup30, - dup22, - setc("event_description","Users have the same UID"), - dup23, - ])); - - var msg700 = msg("UI_DUPLICATE_UID", part731); - - var part732 = match("MESSAGE#696:UI_JUNOSCRIPT_CMD", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' used JUNOScript client to run command '%{action}'", 
processor_chain([ - setc("eventcategory","1401050100"), - dup22, - setc("event_description","User used JUNOScript client to run command"), - dup23, - ])); - - var msg701 = msg("UI_JUNOSCRIPT_CMD", part732); - - var part733 = match("MESSAGE#697:UI_JUNOSCRIPT_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: JUNOScript error: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","JUNOScript error"), - dup23, - ])); - - var msg702 = msg("UI_JUNOSCRIPT_ERROR", part733); - - var part734 = match("MESSAGE#698:UI_LOAD_EVENT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' is performing a '%{action}'", processor_chain([ - dup21, - dup22, - setc("event_description","User command"), - dup23, - ])); - - var msg703 = msg("UI_LOAD_EVENT", part734); - - var part735 = match("MESSAGE#699:UI_LOAD_JUNOS_DEFAULT_FILE_EVENT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Loading the default config from %(unknown)", processor_chain([ - setc("eventcategory","1701040000"), - dup22, - setc("event_description","Loading default config from file"), - dup23, - ])); - - var msg704 = msg("UI_LOAD_JUNOS_DEFAULT_FILE_EVENT", part735); - - var part736 = match("MESSAGE#700:UI_LOGIN_EVENT:01", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' login, class '%{group}' [%{fld01}], %{info->} '%{saddr->} %{sport->} %{daddr->} %{dport}', client-mode '%{fld02}'", processor_chain([ - dup33, - dup34, - dup35, - dup36, - dup37, - dup22, - dup127, - dup128, - dup23, - ])); - - var msg705 = msg("UI_LOGIN_EVENT:01", part736); - - var part737 = match("MESSAGE#701:UI_LOGIN_EVENT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' login, class '%{group}' %{info}", processor_chain([ - dup33, - dup34, - dup35, - dup36, - dup37, - dup22, - dup127, - dup23, - ])); - - var msg706 = msg("UI_LOGIN_EVENT", part737); - - var select71 = linear_select([ - msg705, - 
msg706, - ]); - - var part738 = match("MESSAGE#702:UI_LOGOUT_EVENT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' logout", processor_chain([ - dup125, - dup34, - dup35, - dup126, - dup37, - dup22, - setc("event_description","User logout"), - dup23, - ])); - - var msg707 = msg("UI_LOGOUT_EVENT", part738); - - var part739 = match("MESSAGE#703:UI_LOST_CONN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Lost connection to daemon %{agent}", processor_chain([ - dup30, - dup22, - setc("event_description","Lost connection to daemon"), - dup23, - ])); - - var msg708 = msg("UI_LOST_CONN", part739); - - var part740 = match("MESSAGE#704:UI_MASTERSHIP_EVENT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action->} by '%{username}'", processor_chain([ - dup21, - dup22, - setc("event_description","MASTERSHIP EVENT"), - dup23, - ])); - - var msg709 = msg("UI_MASTERSHIP_EVENT", part740); - - var part741 = match("MESSAGE#705:UI_MGD_TERMINATE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Terminating operation: exit status %{resultcode}", processor_chain([ - dup21, - dup22, - setc("event_description","Terminating operation"), - dup23, - ])); - - var msg710 = msg("UI_MGD_TERMINATE", part741); - - var part742 = match("MESSAGE#706:UI_NETCONF_CMD", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' used NETCONF client to run command '%{action}'", processor_chain([ - dup29, - dup22, - setc("event_description","User used NETCONF client to run command"), - dup23, - ])); - - var msg711 = msg("UI_NETCONF_CMD", part742); - - var part743 = match("MESSAGE#707:UI_READ_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: read failed for peer %{hostname}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","read failed for peer"), - dup23, - ])); - - var msg712 = msg("UI_READ_FAILED", part743); - - var part744 = 
match("MESSAGE#708:UI_READ_TIMEOUT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Timeout on read of peer %{hostname}", processor_chain([ - dup30, - dup22, - setc("event_description","Timeout on read of peer"), - dup23, - ])); - - var msg713 = msg("UI_READ_TIMEOUT", part744); - - var part745 = match("MESSAGE#709:UI_REBOOT_EVENT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: System %{action->} by '%{username}'", processor_chain([ - dup60, - dup22, - setc("event_description","System reboot or halt"), - dup23, - ])); - - var msg714 = msg("UI_REBOOT_EVENT", part745); - - var part746 = match("MESSAGE#710:UI_RESTART_EVENT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: user '%{username}' restarting daemon %{service}", processor_chain([ - dup29, - dup22, - setc("event_description","user restarting daemon"), - dup23, - ])); - - var msg715 = msg("UI_RESTART_EVENT", part746); - - var part747 = match("MESSAGE#711:UI_SCHEMA_CHECKOUT_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Schema is out of date and %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Schema is out of date"), - dup23, - ])); - - var msg716 = msg("UI_SCHEMA_CHECKOUT_FAILED", part747); - - var part748 = match("MESSAGE#712:UI_SCHEMA_MISMATCH_MAJOR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Schema major version mismatch for package %{filename->} %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Schema major version mismatch"), - dup23, - ])); - - var msg717 = msg("UI_SCHEMA_MISMATCH_MAJOR", part748); - - var part749 = match("MESSAGE#713:UI_SCHEMA_MISMATCH_MINOR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Schema minor version mismatch for package %{filename->} %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Schema minor version mismatch"), - dup23, - ])); - - var msg718 = msg("UI_SCHEMA_MISMATCH_MINOR", part749); - 
- var part750 = match("MESSAGE#714:UI_SCHEMA_MISMATCH_SEQUENCE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Schema header sequence numbers mismatch for package %(unknown)", processor_chain([ - dup30, - dup22, - setc("event_description","Schema header sequence numbers mismatch"), - dup23, - ])); - - var msg719 = msg("UI_SCHEMA_MISMATCH_SEQUENCE", part750); - - var part751 = match("MESSAGE#715:UI_SCHEMA_SEQUENCE_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Schema sequence number mismatch", processor_chain([ - dup30, - dup22, - setc("event_description","Schema sequence number mismatch"), - dup23, - ])); - - var msg720 = msg("UI_SCHEMA_SEQUENCE_ERROR", part751); - - var part752 = match("MESSAGE#716:UI_SYNC_OTHER_RE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Configuration synchronization with remote Routing Engine %{result}", processor_chain([ - dup21, - dup22, - setc("event_description","Configuration synchronization with remote Routing Engine"), - dup23, - ])); - - var msg721 = msg("UI_SYNC_OTHER_RE", part752); - - var part753 = match("MESSAGE#717:UI_TACPLUS_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: TACACS+ failure: %{result}", processor_chain([ - dup30, - dup22, - dup129, - dup23, - ])); - - var msg722 = msg("UI_TACPLUS_ERROR", part753); - - var part754 = match("MESSAGE#718:UI_VERSION_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to fetch system version: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Unable to fetch system version"), - dup23, - ])); - - var msg723 = msg("UI_VERSION_FAILED", part754); - - var part755 = match("MESSAGE#719:UI_WRITE_RECONNECT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Re-establishing connection to peer %{hostname}", processor_chain([ - dup21, - dup22, - setc("event_description","Re-establishing connection to peer"), - dup23, - ])); - - var msg724 = 
msg("UI_WRITE_RECONNECT", part755); - - var part756 = match("MESSAGE#720:VRRPD_NEWMASTER_TRAP", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Interface %{interface->} (local addr: %{saddr}) is now master for %{username}", processor_chain([ - dup21, - dup22, - setc("event_description","Interface new master for User"), - dup23, - ])); - - var msg725 = msg("VRRPD_NEWMASTER_TRAP", part756); - - var part757 = match("MESSAGE#721:WEB_AUTH_FAIL", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to authenticate %{obj_name->} (username %{c_username})", processor_chain([ - dup69, - dup34, - dup35, - dup43, - dup22, - setc("event_description","Unable to authenticate client"), - dup23, - ])); - - var msg726 = msg("WEB_AUTH_FAIL", part757); - - var part758 = match("MESSAGE#722:WEB_AUTH_SUCCESS", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Authenticated %{agent->} client (username %{c_username})", processor_chain([ - dup80, - dup34, - dup35, - dup37, - dup22, - setc("event_description","Authenticated client"), - dup23, - ])); - - var msg727 = msg("WEB_AUTH_SUCCESS", part758); - - var part759 = match("MESSAGE#723:WEB_INTERFACE_UNAUTH", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Web services request received from unauthorized interface %{interface}", processor_chain([ - setc("eventcategory","1001030300"), - dup22, - setc("event_description","web request from unauthorized interface"), - dup23, - ])); - - var msg728 = msg("WEB_INTERFACE_UNAUTH", part759); - - var part760 = match("MESSAGE#724:WEB_READ", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to read from client: %{result}", processor_chain([ - dup74, - dup22, - setc("event_description","Unable to read from client"), - dup23, - ])); - - var msg729 = msg("WEB_READ", part760); - - var part761 = match("MESSAGE#725:WEBFILTER_REQUEST_NOT_CHECKED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Error encountered: 
%{result}, failed to check request %{url}", processor_chain([ - setc("eventcategory","1204020100"), - dup22, - setc("event_description","failed to check web request"), - dup23, - ])); - - var msg730 = msg("WEBFILTER_REQUEST_NOT_CHECKED", part761); - - var part762 = match("MESSAGE#726:FLOW_REASSEMBLE_FAIL", "nwparser.payload", "%{event_type->} [junos@%{obj_name->} source-address=\"%{saddr}\" destination-address=\"%{daddr}\" assembly-id=\"%{fld1}\"]", processor_chain([ - dup74, - dup53, - dup43, - dup22, - dup52, - ])); - - var msg731 = msg("FLOW_REASSEMBLE_FAIL", part762); - - var part763 = match("MESSAGE#727:eswd", "nwparser.payload", "%{process}[%{process_id}]: Bridge Address: add %{macaddr}", processor_chain([ - dup29, - dup22, - setc("event_description","Bridge Address"), - dup23, - ])); - - var msg732 = msg("eswd", part763); - - var part764 = match("MESSAGE#728:eswd:01", "nwparser.payload", "%{process}[%{process_id}]: %{info}: STP state for interface %{interface->} context id %{id->} changed from %{fld3}", processor_chain([ - dup29, - dup22, - setc("event_description","ESWD STP State Change Info"), - dup23, - ])); - - var msg733 = msg("eswd:01", part764); - - var select72 = linear_select([ - msg732, - msg733, - ]); - - var part765 = match("MESSAGE#729:/usr/sbin/cron", "nwparser.payload", "%{process}[%{process_id}]: (%{username}) CMD ( %{action})", processor_chain([ - dup29, - dup22, - dup26, - dup23, - ])); - - var msg734 = msg("/usr/sbin/cron", part765); - - var part766 = match("MESSAGE#730:chassism:02", "nwparser.payload", "%{process}[%{process_id}]: %{info}: ifd %{interface->} %{action}", processor_chain([ - dup29, - dup22, - setc("event_description","Link status change event"), - dup23, - ])); - - var msg735 = msg("chassism:02", part766); - - var part767 = match("MESSAGE#731:chassism:01", "nwparser.payload", "%{process}[%{process_id}]: %{info}: %{interface}, %{action}", processor_chain([ - dup29, - dup22, - setc("event_description","ifd process flaps"), - 
dup23, - ])); - - var msg736 = msg("chassism:01", part767); - - var part768 = match("MESSAGE#732:chassism", "nwparser.payload", "%{process}[%{process_id}]: %{info}: %{action}", processor_chain([ - dup29, - dup22, - setc("event_description","IFCM "), - dup23, - ])); - - var msg737 = msg("chassism", part768); - - var select73 = linear_select([ - msg735, - msg736, - msg737, - ]); - - var msg738 = msg("WEBFILTER_URL_PERMITTED", dup158); - - var part769 = match("MESSAGE#734:WEBFILTER_URL_PERMITTED:01", "nwparser.payload", "%{event_type->} [junos@%{fld21->} source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" name=\"%{info}\" error-message=\"%{result}\" profile-name=\"%{profile}\" object-name=\"%{obj_name}\" pathname=\"%{directory}\" username=\"%{username}\" roles=\"%{user_role}\"] WebFilter: ACTION=\"%{action}\" %{fld2}->%{fld3->} CATEGORY=\"%{category}\" REASON=\"%{fld4}\" PROFILE=\"%{fld6}\" URL=%{url->} OBJ=%{fld7}", processor_chain([ - dup30, - dup22, - dup52, - ])); - - var msg739 = msg("WEBFILTER_URL_PERMITTED:01", part769); - - var part770 = match("MESSAGE#735:WEBFILTER_URL_PERMITTED:03", "nwparser.payload", "%{event_type->} [junos@%{fld21->} source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" name=\"%{info}\" error-message=\"%{result}\" profile-name=\"%{profile}\" object-name=\"%{obj_name}\" pathname=\"%{directory}\" username=\"%{username}\" roles=\"%{user_role}\"] WebFilter: ACTION=\"%{action}\" %{fld2}->%{fld3->} CATEGORY=\"%{category}\" REASON=%{fld4}", processor_chain([ - dup30, - dup22, - dup52, - ])); - - var msg740 = msg("WEBFILTER_URL_PERMITTED:03", part770); - - var part771 = match("MESSAGE#736:WEBFILTER_URL_PERMITTED:02", "nwparser.payload", "%{event_type->} [junos@%{fld21->} source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" name=\"%{info}\" 
error-message=\"%{result}\" profile-name=\"%{profile}\" object-name=\"%{obj_name}\" pathname=%{url}", processor_chain([ - dup30, - dup22, - dup52, - ])); - - var msg741 = msg("WEBFILTER_URL_PERMITTED:02", part771); - - var select74 = linear_select([ - msg738, - msg739, - msg740, - msg741, - ]); - - var msg742 = msg("WEBFILTER_URL_BLOCKED", dup158); - - var part772 = match("MESSAGE#738:WEBFILTER_URL_BLOCKED:01", "nwparser.payload", "%{event_type->} [junos@%{fld21->} source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" name=\"%{info}\" error-message=\"%{result}\" profile-name=\"%{profile}\" object-name=\"%{obj_name}\" pathname=\"%{directory}\" username=\"%{username}\" roles=\"%{user_role}\"] WebFilter: ACTION=\"%{action}\" %{fld2}->%{fld3->} CATEGORY=\"%{category}\" REASON=\"%{fld4}\" PROFILE=\"%{fld6}\" URL=%{url}", processor_chain([ - dup30, - dup22, - dup52, - ])); - - var msg743 = msg("WEBFILTER_URL_BLOCKED:01", part772); - - var select75 = linear_select([ - msg742, - msg743, - ]); - - var part773 = match("MESSAGE#740:SECINTEL_NETWORK_CONNECT_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{id}: \u003c\u003c%{fld12}> Access url %{url->} on port %{network_port->} failed\u003c\u003c%{result}>.", processor_chain([ - dup46, - dup47, - dup23, - dup22, - dup128, - ])); - - var msg744 = msg("SECINTEL_NETWORK_CONNECT_FAILED", part773); - - var part774 = match("MESSAGE#741:AAMWD_NETWORK_CONNECT_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{id}: \u003c\u003c%{fld12}> Access host %{hostname->} on ip %{hostip->} port %{network_port->} %{result}.", processor_chain([ - dup46, - dup47, - dup23, - ])); - - var msg745 = msg("AAMWD_NETWORK_CONNECT_FAILED", part774); - - var part775 = match("MESSAGE#742:PKID_UNABLE_TO_GET_CRL", "nwparser.payload", "%{process}[%{process_id}]: %{id}: Failed to retrieve CRL from received file for %{node}", processor_chain([ - dup46, - dup47, - dup23, - dup22, - 
dup128, - ])); - - var msg746 = msg("PKID_UNABLE_TO_GET_CRL", part775); - - var part776 = match("MESSAGE#743:SECINTEL_ERROR_OTHERS", "nwparser.payload", "%{process}[%{process_id}]: %{id}: \u003c\u003c%{fld12}> %{result}", processor_chain([ - dup46, - dup47, - dup23, - dup22, - dup128, - ])); - - var msg747 = msg("SECINTEL_ERROR_OTHERS", part776); - - var part777 = match("MESSAGE#744:JSRPD_HA_CONTROL_LINK_UP", "nwparser.payload", "%{process}[%{process_id}]: %{id}: HA control link monitor status is marked up", processor_chain([ - dup48, - dup47, - dup23, - dup22, - dup128, - ])); - - var msg748 = msg("JSRPD_HA_CONTROL_LINK_UP", part777); - - var part778 = match("MESSAGE#745:LACPD_TIMEOUT", "nwparser.payload", "%{process}[%{process_id}]: LACPD_TIMEOUT: %{sinterface}: %{event_description}", processor_chain([ - dup46, - dup47, - dup23, - dup22, - dup128, - ])); - - var msg749 = msg("LACPD_TIMEOUT", part778); - - var msg750 = msg("cli", dup159); - - var msg751 = msg("pfed", dup159); - - var msg752 = msg("idpinfo", dup159); - - var msg753 = msg("kmd", dup159); - - var part779 = match("MESSAGE#751:node:01", "nwparser.payload", "%{hostname->} %{node->} Next-hop resolution requests from interface %{interface->} throttled", processor_chain([ - dup21, - dup23, - dup22, - ])); - - var msg754 = msg("node:01", part779); - - var part780 = match("MESSAGE#752:node:02", "nwparser.payload", "%{hostname->} %{node->} %{process}: Trying peer connection, status %{resultcode}, attempt %{fld1}", processor_chain([ - dup21, - dup23, - dup22, - ])); - - var msg755 = msg("node:02", part780); - - var part781 = match("MESSAGE#753:node:03", "nwparser.payload", "%{hostname->} %{node->} %{process}: trying master connection, status %{resultcode}, attempt %{fld1}", processor_chain([ - dup21, - dup23, - dup22, - ])); - - var msg756 = msg("node:03", part781); - - var part782 = match("MESSAGE#754:node:04", "nwparser.payload", "%{hostname->} %{node->} %{fld1->} key %{fld2->} %{fld3->} port priority 
%{fld6->} %{fld4->} port %{portname->} %{fld5->} state %{resultcode}", processor_chain([ - dup21, - dup23, - dup22, - ])); - - var msg757 = msg("node:04", part782); - - var select76 = linear_select([ - dup131, - dup132, - ]); - - var part783 = match("MESSAGE#755:node:05/2", "nwparser.p0", "%{}sys priority %{fld4->} %{p0}"); - - var select77 = linear_select([ - dup132, - dup131, - ]); - - var part784 = match("MESSAGE#755:node:05/4", "nwparser.p0", "%{}sys %{interface}"); - - var all44 = all_match({ - processors: [ - dup130, - select76, - part783, - select77, - part784, - ], - on_success: processor_chain([ - dup21, - dup23, - dup22, - ]), - }); - - var msg758 = msg("node:05", all44); - - var part785 = match("MESSAGE#756:node:06/1_0", "nwparser.p0", "dst mac %{dinterface}"); - - var part786 = match("MESSAGE#756:node:06/1_1", "nwparser.p0", "src mac %{sinterface->} ether type %{fld1}"); - - var select78 = linear_select([ - part785, - part786, - ]); - - var all45 = all_match({ - processors: [ - dup130, - select78, - ], - on_success: processor_chain([ - dup21, - dup23, - dup22, - ]), - }); - - var msg759 = msg("node:06", all45); - - var part787 = match("MESSAGE#757:node:07", "nwparser.payload", "%{hostname->} %{node->} %{process}: interface %{interface->} trigger reth_scan", processor_chain([ - dup21, - dup23, - dup22, - ])); - - var msg760 = msg("node:07", part787); - - var part788 = match("MESSAGE#758:node:08", "nwparser.payload", "%{hostname->} %{node->} %{process}: %{info}", processor_chain([ - dup21, - dup23, - dup22, - ])); - - var msg761 = msg("node:08", part788); - - var part789 = match("MESSAGE#759:node:09", "nwparser.payload", "%{hostname->} %{node->} %{fld1}", processor_chain([ - dup21, - dup23, - dup22, - ])); - - var msg762 = msg("node:09", part789); - - var select79 = linear_select([ - msg754, - msg755, - msg756, - msg757, - msg758, - msg759, - msg760, - msg761, - msg762, - ]); - - var part790 = match("MESSAGE#760:(FPC:01", "nwparser.payload", "%{fld1}) 
%{node->} kernel: %{event_type}: deleting active remote neighbor entry %{fld2->} from interface %{interface}.", processor_chain([ - dup21, - dup23, - dup22, - dup24, - ])); - - var msg763 = msg("(FPC:01", part790); - - var part791 = match("MESSAGE#761:(FPC:02", "nwparser.payload", "%{fld1}) %{node->} kernel: %{event_type->} deleting nb %{fld2->} on ifd %{interface->} for cid %{fld3->} from active neighbor table", processor_chain([ - dup21, - dup23, - dup22, - dup24, - ])); - - var msg764 = msg("(FPC:02", part791); - - var part792 = match("MESSAGE#762:(FPC:03/0", "nwparser.payload", "%{fld1}) %{node->} kernel: %{event_type}: M%{p0}"); - - var part793 = match("MESSAGE#762:(FPC:03/1_0", "nwparser.p0", "DOWN %{p0}"); - - var part794 = match("MESSAGE#762:(FPC:03/1_1", "nwparser.p0", "UP %{p0}"); - - var select80 = linear_select([ - part793, - part794, - ]); - - var part795 = match("MESSAGE#762:(FPC:03/2", "nwparser.p0", "received for interface %{interface}, member of %{fld4}"); - - var all46 = all_match({ - processors: [ - part792, - select80, - part795, - ], - on_success: processor_chain([ - dup21, - dup23, - dup22, - dup24, - ]), - }); - - var msg765 = msg("(FPC:03", all46); - - var part796 = match("MESSAGE#763:(FPC:04", "nwparser.payload", "%{fld1}) %{node->} kernel: %{event_type}: ifd=%{interface}, ifd flags=%{fld2}", processor_chain([ - dup21, - dup23, - dup22, - dup24, - ])); - - var msg766 = msg("(FPC:04", part796); - - var part797 = match("MESSAGE#764:(FPC:05", "nwparser.payload", "%{fld1}) %{node->} kernel: rdp keepalive expired, connection dropped - src %{fld3}:%{fld2->} dest %{fld4}:%{fld5}", processor_chain([ - dup21, - dup23, - dup22, - dup24, - ])); - - var msg767 = msg("(FPC:05", part797); - - var part798 = match("MESSAGE#765:(FPC", "nwparser.payload", "%{fld1}) %{node->} %{fld10}", processor_chain([ - dup21, - dup23, - dup22, - dup24, - ])); - - var msg768 = msg("(FPC", part798); - - var select81 = linear_select([ - msg763, - msg764, - msg765, - msg766, 
- msg767, - msg768, - ]); - - var part799 = match("MESSAGE#766:tnp.bootpd", "nwparser.payload", "%{process}[%{process_id}]:%{fld1}", processor_chain([ - dup48, - dup23, - dup22, - dup24, - ])); - - var msg769 = msg("tnp.bootpd", part799); - - var part800 = match("MESSAGE#769:AAMW_ACTION_LOG", "nwparser.payload", "%{event_type}[junos@%{fld32->} hostname=\"%{hostname}\" file-category=\"%{fld9}\" verdict-number=\"%{fld10}\" action=\"%{action}\" list-hit=\"%{fld19}\" source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" protocol-id=\"%{protocol}\" application=\"%{fld6}\" nested-application=\"%{fld7}\" policy-name=\"%{policyname}\" username=\"%{username}\" roles=\"%{user_role}\" session-id-32=\"%{sessionid}\" source-zone-name=\"%{src_zone}\" destination-zone-name=\"%{dst_zone}\" url=\"%{url}\"] %{fld27}", processor_chain([ - dup48, - dup52, - dup22, - dup61, - ])); - - var msg770 = msg("AAMW_ACTION_LOG", part800); - - var part801 = match("MESSAGE#770:AAMW_HOST_INFECTED_EVENT_LOG", "nwparser.payload", "%{event_type}[junos@%{fld32->} timestamp=\"%{fld30}\" tenant-id=\"%{fld1}\" client-ip-str=\"%{hostip}\" hostname=\"%{hostname}\" status=\"%{fld13}\" policy-name=\"%{policyname}\" verdict-number=\"%{fld15}\" state=\"%{fld16}\" reason=\"%{result}\" message=\"%{info}\" %{fld3}", processor_chain([ - dup133, - dup52, - dup22, - dup61, - ])); - - var msg771 = msg("AAMW_HOST_INFECTED_EVENT_LOG", part801); - - var part802 = match("MESSAGE#771:AAMW_MALWARE_EVENT_LOG", "nwparser.payload", "%{event_type}[junos@%{fld32->} timestamp=\"%{fld30}\" tenant-id=\"%{fld1}\" sample-sha256=\"%{checksum}\" client-ip-str=\"%{hostip}\" verdict-number=\"%{fld26}\" malware-info=\"%{threat_name}\" username=\"%{username}\" hostname=\"%{hostname}\" %{fld3}", processor_chain([ - dup133, - dup52, - dup22, - ])); - - var msg772 = msg("AAMW_MALWARE_EVENT_LOG", part802); - - var part803 = match("MESSAGE#772:IDP_ATTACK_LOG_EVENT", 
"nwparser.payload", "%{event_type}[junos@%{fld32->} epoch-time=\"%{fld1}\" message-type=\"%{info}\" source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" protocol-name=\"%{protocol}\" service-name=\"%{service}\" application-name=\"%{application}\" rule-name=\"%{fld5}\" rulebase-name=\"%{rulename}\" policy-name=\"%{policyname}\" export-id=\"%{fld6}\" repeat-count=\"%{fld7}\" action=\"%{action}\" threat-severity=\"%{severity}\" attack-name=\"%{threat_name}\" nat-source-address=\"%{hostip}\" nat-source-port=\"%{network_port}\" nat-destination-address=\"%{dtransaddr}\" nat-destination-port=\"%{dtransport}\" elapsed-time=%{fld8->} inbound-bytes=\"%{rbytes}\" outbound-bytes=\"%{sbytes}\" inbound-packets=\"%{packets}\" outbound-packets=\"%{dclass_counter1}\" source-zone-name=\"%{src_zone}\" source-interface-name=\"%{sinterface}\" destination-zone-name=\"%{dst_zone}\" destination-interface-name=\"%{dinterface}\" packet-log-id=\"%{fld9}\" alert=\"%{fld19}\" username=\"%{username}\" roles=\"%{fld15}\" message=\"%{fld28}\" %{fld3}", processor_chain([ - dup81, - dup52, - dup22, - dup61, - ])); - - var msg773 = msg("IDP_ATTACK_LOG_EVENT", part803); - - var part804 = match("MESSAGE#773:RT_SCREEN_ICMP", "nwparser.payload", "%{event_type}[junos@%{fld32->} attack-name=\"%{threat_name}\" source-address=\"%{saddr}\" destination-address=\"%{daddr}\" source-zone-name=\"%{src_zone}\" interface-name=\"%{interface}\" action=\"%{action}\"] %{fld23}", processor_chain([ - dup81, - dup52, - dup22, - dup61, - ])); - - var msg774 = msg("RT_SCREEN_ICMP", part804); - - var part805 = match("MESSAGE#774:SECINTEL_ACTION_LOG", "nwparser.payload", "%{event_type}[junos@%{fld32->} category=\"%{fld1}\" sub-category=\"%{fld2}\" action=\"%{action}\" action-detail=\"%{fld4}\" http-host=\"%{fld17}\" threat-severity=\"%{severity}\" source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" 
protocol-id=\"%{protocol}\" application=\"%{fld5}\" nested-application=\"%{fld6}\" feed-name=\"%{fld18}\" policy-name=\"%{policyname}\" profile-name=\"%{rulename}\" username=\"%{username}\" roles=\"%{user_role}\" session-id-32=\"%{sessionid}\" source-zone-name=\"%{src_zone}\" destination-zone-name=\"%{dst_zone}\"]%{fld10}", processor_chain([ - dup46, - dup52, - dup22, - dup61, - ])); - - var msg775 = msg("SECINTEL_ACTION_LOG", part805); - - var part806 = match("MESSAGE#775:qsfp/0", "nwparser.payload", "%{hostname->} %{fld2->} %{p0}"); - - var part807 = match("MESSAGE#775:qsfp/1_0", "nwparser.p0", "%{fld3->} %{process}: qsfp-%{p0}"); - - var part808 = match("MESSAGE#775:qsfp/1_1", "nwparser.p0", "qsfp-%{p0}"); - - var select82 = linear_select([ - part807, - part808, - ]); - - var part809 = match("MESSAGE#775:qsfp/2", "nwparser.p0", "%{}Chan# %{interface->} %{fld5}:%{event_description}"); - - var all47 = all_match({ - processors: [ - part806, - select82, - part809, - ], - on_success: processor_chain([ - dup21, - dup22, - dup23, - ]), - }); - - var msg776 = msg("qsfp", all47); - - var part810 = match("MESSAGE#776:JUNOSROUTER_GENERIC:03", "nwparser.payload", "%{event_type}: User '%{username}', command '%{action}'", processor_chain([ - dup21, - dup22, - dup121, - dup23, - ])); - - var msg777 = msg("JUNOSROUTER_GENERIC:03", part810); - - var part811 = match("MESSAGE#777:JUNOSROUTER_GENERIC:04", "nwparser.payload", "%{event_type}: User '%{username}' %{fld1}", processor_chain([ - dup125, - dup34, - dup35, - dup126, - dup37, - dup22, - setc("event_description","LOGOUT"), - dup23, - ])); - - var msg778 = msg("JUNOSROUTER_GENERIC:04", part811); - - var part812 = match("MESSAGE#778:JUNOSROUTER_GENERIC:05", "nwparser.payload", "%{event_type}: TACACS+ failure: %{result}", processor_chain([ - dup30, - dup22, - dup129, - dup23, - ])); - - var msg779 = msg("JUNOSROUTER_GENERIC:05", part812); - - var part813 = match("MESSAGE#779:JUNOSROUTER_GENERIC:06", "nwparser.payload", 
"%{event_type}: mismatch NLRI with %{hostip->} (%{hostname}): peer: %{daddr->} us: %{saddr}", processor_chain([ - dup30, - dup22, - dup57, - dup23, - ])); - - var msg780 = msg("JUNOSROUTER_GENERIC:06", part813); - - var part814 = match("MESSAGE#780:JUNOSROUTER_GENERIC:07", "nwparser.payload", "%{event_type}: NOTIFICATION sent to %{daddr->} (%{dhost}): code %{resultcode->} (%{action}), Reason: %{result}", processor_chain([ - dup21, - dup22, - dup38, - dup23, - ])); - - var msg781 = msg("JUNOSROUTER_GENERIC:07", part814); - - var part815 = match("MESSAGE#781:JUNOSROUTER_GENERIC:08/0", "nwparser.payload", "%{event_type}: NOTIFICATION received from %{daddr->} (%{dhost}): code %{resultcode->} (%{action})%{p0}"); - - var part816 = match("MESSAGE#781:JUNOSROUTER_GENERIC:08/1_0", "nwparser.p0", ", socket buffer sndcc: %{fld1->} rcvcc: %{fld2->} TCP state: %{event_state}, snd_una: %{fld3->} snd_nxt: %{fld4->} snd_wnd: %{fld5->} rcv_nxt: %{fld6->} rcv_adv: %{fld7}, hold timer %{fld8}"); - - var part817 = match_copy("MESSAGE#781:JUNOSROUTER_GENERIC:08/1_1", "nwparser.p0", ""); - - var select83 = linear_select([ - part816, - part817, - ]); - - var all48 = all_match({ - processors: [ - part815, - select83, - ], - on_success: processor_chain([ - dup21, - dup22, - dup38, - dup23, - ]), - }); - - var msg782 = msg("JUNOSROUTER_GENERIC:08", all48); - - var part818 = match("MESSAGE#782:JUNOSROUTER_GENERIC:09", "nwparser.payload", "%{event_type}: [edit interfaces%{interface}unit%{fld1}family inet address%{hostip}/%{network_port}] :%{event_description}:%{info}", processor_chain([ - dup21, - dup22, - dup23, - ])); - - var msg783 = msg("JUNOSROUTER_GENERIC:09", part818); - - var part819 = match("MESSAGE#783:JUNOSROUTER_GENERIC:01", "nwparser.payload", "%{event_type->} Interface Monitor failed %{fld1}", processor_chain([ - dup134, - dup23, - dup22, - setc("event_description","Interface Monitor failed "), - dup24, - ])); - - var msg784 = msg("JUNOSROUTER_GENERIC:01", part819); - - var 
part820 = match("MESSAGE#784:JUNOSROUTER_GENERIC:02", "nwparser.payload", "%{event_type->} Interface Monitor failure recovered %{fld1}", processor_chain([ - dup134, - dup23, - dup22, - setc("event_description","Interface Monitor failure recovered"), - dup24, - ])); - - var msg785 = msg("JUNOSROUTER_GENERIC:02", part820); - - var part821 = match("MESSAGE#785:JUNOSROUTER_GENERIC", "nwparser.payload", "%{event_type->} %{fld1}", processor_chain([ - dup134, - dup23, - dup22, - dup24, - ])); - - var msg786 = msg("JUNOSROUTER_GENERIC", part821); - - var select84 = linear_select([ - msg777, - msg778, - msg779, - msg780, - msg781, - msg782, - msg783, - msg784, - msg785, - msg786, - ]); - - var chain1 = processor_chain([ - select5, - msgid_select({ - "(FPC": select81, - "/usr/libexec/telnetd": msg2, - "/usr/sbin/cron": msg734, - "/usr/sbin/sshd": msg1, - "AAMWD_NETWORK_CONNECT_FAILED": msg745, - "AAMW_ACTION_LOG": msg770, - "AAMW_HOST_INFECTED_EVENT_LOG": msg771, - "AAMW_MALWARE_EVENT_LOG": msg772, - "ACCT_ACCOUNTING_FERROR": msg114, - "ACCT_ACCOUNTING_FOPEN_ERROR": msg115, - "ACCT_ACCOUNTING_SMALL_FILE_SIZE": msg116, - "ACCT_BAD_RECORD_FORMAT": msg117, - "ACCT_CU_RTSLIB_error": msg118, - "ACCT_GETHOSTNAME_error": msg119, - "ACCT_MALLOC_FAILURE": msg120, - "ACCT_UNDEFINED_COUNTER_NAME": msg121, - "ACCT_XFER_FAILED": msg122, - "ACCT_XFER_POPEN_FAIL": msg123, - "APPQOS_LOG_EVENT": msg124, - "APPTRACK_SESSION_CLOSE": select30, - "APPTRACK_SESSION_CREATE": msg125, - "APPTRACK_SESSION_VOL_UPDATE": select31, - "BCHIP": msg106, - "BFDD_TRAP_STATE_DOWN": msg130, - "BFDD_TRAP_STATE_UP": msg131, - "BOOTPD_ARG_ERR": msg143, - "BOOTPD_BAD_ID": msg144, - "BOOTPD_BOOTSTRING": msg145, - "BOOTPD_CONFIG_ERR": msg146, - "BOOTPD_CONF_OPEN": msg147, - "BOOTPD_DUP_REV": msg148, - "BOOTPD_DUP_SLOT": msg149, - "BOOTPD_MODEL_CHK": msg150, - "BOOTPD_MODEL_ERR": msg151, - "BOOTPD_NEW_CONF": msg152, - "BOOTPD_NO_BOOTSTRING": msg153, - "BOOTPD_NO_CONFIG": msg154, - "BOOTPD_PARSE_ERR": msg155, - 
"BOOTPD_REPARSE": msg156, - "BOOTPD_SELECT_ERR": msg157, - "BOOTPD_TIMEOUT": msg158, - "BOOTPD_VERSION": msg159, - "CHASSISD": msg160, - "CHASSISD_ARGUMENT_ERROR": msg161, - "CHASSISD_BLOWERS_SPEED": msg162, - "CHASSISD_BLOWERS_SPEED_FULL": msg163, - "CHASSISD_CB_READ": msg164, - "CHASSISD_COMMAND_ACK_ERROR": msg165, - "CHASSISD_COMMAND_ACK_SF_ERROR": msg166, - "CHASSISD_CONCAT_MODE_ERROR": msg167, - "CHASSISD_CONFIG_INIT_ERROR": msg168, - "CHASSISD_CONFIG_WARNING": msg169, - "CHASSISD_EXISTS": msg170, - "CHASSISD_EXISTS_TERM_OTHER": msg171, - "CHASSISD_FILE_OPEN": msg172, - "CHASSISD_FILE_STAT": msg173, - "CHASSISD_FRU_EVENT": msg174, - "CHASSISD_FRU_IPC_WRITE_ERROR_EXT": msg175, - "CHASSISD_FRU_STEP_ERROR": msg176, - "CHASSISD_GETTIMEOFDAY": msg177, - "CHASSISD_HIGH_TEMP_CONDITION": msg214, - "CHASSISD_HOST_TEMP_READ": msg178, - "CHASSISD_IFDEV_DETACH_ALL_PSEUDO": msg179, - "CHASSISD_IFDEV_DETACH_FPC": msg180, - "CHASSISD_IFDEV_DETACH_PIC": msg181, - "CHASSISD_IFDEV_DETACH_PSEUDO": msg182, - "CHASSISD_IFDEV_DETACH_TLV_ERROR": msg183, - "CHASSISD_IFDEV_GET_BY_INDEX_FAIL": msg184, - "CHASSISD_IPC_MSG_QFULL_ERROR": msg185, - "CHASSISD_IPC_UNEXPECTED_RECV": msg186, - "CHASSISD_IPC_WRITE_ERR_NO_PIPE": msg187, - "CHASSISD_IPC_WRITE_ERR_NULL_ARGS": msg188, - "CHASSISD_MAC_ADDRESS_ERROR": msg189, - "CHASSISD_MAC_DEFAULT": msg190, - "CHASSISD_MBUS_ERROR": msg191, - "CHASSISD_PARSE_COMPLETE": msg192, - "CHASSISD_PARSE_ERROR": msg193, - "CHASSISD_PARSE_INIT": msg194, - "CHASSISD_PIDFILE_OPEN": msg195, - "CHASSISD_PIPE_WRITE_ERROR": msg196, - "CHASSISD_POWER_CHECK": msg197, - "CHASSISD_RECONNECT_SUCCESSFUL": msg198, - "CHASSISD_RELEASE_MASTERSHIP": msg199, - "CHASSISD_RE_INIT_INVALID_RE_SLOT": msg200, - "CHASSISD_ROOT_MOUNT_ERROR": msg201, - "CHASSISD_RTS_SEQ_ERROR": msg202, - "CHASSISD_SBOARD_VERSION_MISMATCH": msg203, - "CHASSISD_SERIAL_ID": msg204, - "CHASSISD_SMB_ERROR": msg205, - "CHASSISD_SNMP_TRAP10": msg208, - "CHASSISD_SNMP_TRAP6": msg206, - "CHASSISD_SNMP_TRAP7": 
msg207, - "CHASSISD_TERM_SIGNAL": msg209, - "CHASSISD_TRACE_PIC_OFFLINE": msg210, - "CHASSISD_UNEXPECTED_EXIT": msg211, - "CHASSISD_UNSUPPORTED_MODEL": msg212, - "CHASSISD_VERSION_MISMATCH": msg213, - "CM": msg107, - "CM_JAVA": msg216, - "COS": msg108, - "COSFPC": msg109, - "COSMAN": msg110, - "CRON": msg16, - "CROND": select11, - "Cmerror": msg17, - "DCD_AS_ROOT": msg217, - "DCD_FILTER_LIB_ERROR": msg218, - "DCD_MALLOC_FAILED_INIT": msg219, - "DCD_PARSE_EMERGENCY": msg220, - "DCD_PARSE_FILTER_EMERGENCY": msg221, - "DCD_PARSE_MINI_EMERGENCY": msg222, - "DCD_PARSE_STATE_EMERGENCY": msg223, - "DCD_POLICER_PARSE_EMERGENCY": msg224, - "DCD_PULL_LOG_FAILURE": msg225, - "DFWD_ARGUMENT_ERROR": msg226, - "DFWD_MALLOC_FAILED_INIT": msg227, - "DFWD_PARSE_FILTER_EMERGENCY": msg228, - "DFWD_PARSE_STATE_EMERGENCY": msg229, - "ECCD_DAEMONIZE_FAILED": msg230, - "ECCD_DUPLICATE": msg231, - "ECCD_LOOP_EXIT_FAILURE": msg232, - "ECCD_NOT_ROOT": msg233, - "ECCD_PCI_FILE_OPEN_FAILED": msg234, - "ECCD_PCI_READ_FAILED": msg235, - "ECCD_PCI_WRITE_FAILED": msg236, - "ECCD_PID_FILE_LOCK": msg237, - "ECCD_PID_FILE_UPDATE": msg238, - "ECCD_TRACE_FILE_OPEN_FAILED": msg239, - "ECCD_usage": msg240, - "EVENT": msg23, - "EVENTD_AUDIT_SHOW": msg241, - "FLOW_REASSEMBLE_FAIL": msg731, - "FLOW_REASSEMBLE_SUCCEED": msg242, - "FSAD_CHANGE_FILE_OWNER": msg243, - "FSAD_CONFIG_ERROR": msg244, - "FSAD_CONNTIMEDOUT": msg245, - "FSAD_FAILED": msg246, - "FSAD_FETCHTIMEDOUT": msg247, - "FSAD_FILE_FAILED": msg248, - "FSAD_FILE_REMOVE": msg249, - "FSAD_FILE_RENAME": msg250, - "FSAD_FILE_STAT": msg251, - "FSAD_FILE_SYNC": msg252, - "FSAD_MAXCONN": msg253, - "FSAD_MEMORYALLOC_FAILED": msg254, - "FSAD_NOT_ROOT": msg255, - "FSAD_PARENT_DIRECTORY": msg256, - "FSAD_PATH_IS_DIRECTORY": msg257, - "FSAD_PATH_IS_SPECIAL": msg258, - "FSAD_RECVERROR": msg259, - "FSAD_TERMINATED_CONNECTION": msg260, - "FSAD_TERMINATING_SIGNAL": msg261, - "FSAD_TRACEOPEN_FAILED": msg262, - "FSAD_USAGE": msg263, - "Failed": select25, - 
"GGSN_ALARM_TRAP_FAILED": msg264, - "GGSN_ALARM_TRAP_SEND": msg265, - "GGSN_TRAP_SEND": msg266, - "IDP_ATTACK_LOG_EVENT": msg773, - "JADE_AUTH_ERROR": msg267, - "JADE_EXEC_ERROR": msg268, - "JADE_NO_LOCAL_USER": msg269, - "JADE_PAM_ERROR": msg270, - "JADE_PAM_NO_LOCAL_USER": msg271, - "JSRPD_HA_CONTROL_LINK_UP": msg748, - "JUNOSROUTER_GENERIC": select84, - "KERN_ARP_ADDR_CHANGE": msg272, - "KMD_PM_SA_ESTABLISHED": msg273, - "L2CPD_TASK_REINIT": msg274, - "LACPD_TIMEOUT": msg749, - "LIBJNX_EXEC_EXITED": msg275, - "LIBJNX_EXEC_FAILED": msg276, - "LIBJNX_EXEC_PIPE": msg277, - "LIBJNX_EXEC_SIGNALED": msg278, - "LIBJNX_EXEC_WEXIT": msg279, - "LIBJNX_FILE_COPY_FAILED": msg280, - "LIBJNX_PRIV_LOWER_FAILED": msg281, - "LIBJNX_PRIV_RAISE_FAILED": msg282, - "LIBJNX_REPLICATE_RCP_EXEC_FAILED": msg283, - "LIBJNX_ROTATE_COMPRESS_EXEC_FAILED": msg284, - "LIBSERVICED_CLIENT_CONNECTION": msg285, - "LIBSERVICED_OUTBOUND_REQUEST": msg286, - "LIBSERVICED_SNMP_LOST_CONNECTION": msg287, - "LIBSERVICED_SOCKET_BIND": msg288, - "LIBSERVICED_SOCKET_PRIVATIZE": msg289, - "LICENSE_EXPIRED": msg290, - "LICENSE_EXPIRED_KEY_DELETED": msg291, - "LICENSE_NEARING_EXPIRY": msg292, - "LOGIN_ABORTED": msg293, - "LOGIN_FAILED": msg294, - "LOGIN_FAILED_INCORRECT_PASSWORD": msg295, - "LOGIN_FAILED_SET_CONTEXT": msg296, - "LOGIN_FAILED_SET_LOGIN": msg297, - "LOGIN_HOSTNAME_UNRESOLVED": msg298, - "LOGIN_INFORMATION": msg299, - "LOGIN_INVALID_LOCAL_USER": msg300, - "LOGIN_MALFORMED_USER": msg301, - "LOGIN_PAM_AUTHENTICATION_ERROR": msg302, - "LOGIN_PAM_ERROR": msg303, - "LOGIN_PAM_MAX_RETRIES": msg304, - "LOGIN_PAM_NONLOCAL_USER": msg305, - "LOGIN_PAM_STOP": msg306, - "LOGIN_PAM_USER_UNKNOWN": msg307, - "LOGIN_PASSWORD_EXPIRED": msg308, - "LOGIN_REFUSED": msg309, - "LOGIN_ROOT": msg310, - "LOGIN_TIMED_OUT": msg311, - "MIB2D_ATM_ERROR": msg312, - "MIB2D_CONFIG_CHECK_FAILED": msg313, - "MIB2D_FILE_OPEN_FAILURE": msg314, - "MIB2D_IFD_IFINDEX_FAILURE": msg315, - "MIB2D_IFL_IFINDEX_FAILURE": msg316, - 
"MIB2D_INIT_FAILURE": msg317, - "MIB2D_KVM_FAILURE": msg318, - "MIB2D_RTSLIB_READ_FAILURE": msg319, - "MIB2D_RTSLIB_SEQ_MISMATCH": msg320, - "MIB2D_SYSCTL_FAILURE": msg321, - "MIB2D_TRAP_HEADER_FAILURE": msg322, - "MIB2D_TRAP_SEND_FAILURE": msg323, - "MRVL-L2": msg56, - "Multiuser": msg324, - "NASD_AUTHENTICATION_CREATE_FAILED": msg325, - "NASD_CHAP_AUTHENTICATION_IN_PROGRESS": msg326, - "NASD_CHAP_GETHOSTNAME_FAILED": msg327, - "NASD_CHAP_INVALID_CHAP_IDENTIFIER": msg328, - "NASD_CHAP_INVALID_OPCODE": msg329, - "NASD_CHAP_LOCAL_NAME_UNAVAILABLE": msg330, - "NASD_CHAP_MESSAGE_UNEXPECTED": msg331, - "NASD_CHAP_REPLAY_ATTACK_DETECTED": msg332, - "NASD_CONFIG_GET_LAST_MODIFIED_FAILED": msg333, - "NASD_DAEMONIZE_FAILED": msg334, - "NASD_DB_ALLOC_FAILURE": msg335, - "NASD_DB_TABLE_CREATE_FAILURE": msg336, - "NASD_DUPLICATE": msg337, - "NASD_EVLIB_CREATE_FAILURE": msg338, - "NASD_EVLIB_EXIT_FAILURE": msg339, - "NASD_LOCAL_CREATE_FAILED": msg340, - "NASD_NOT_ROOT": msg341, - "NASD_PID_FILE_LOCK": msg342, - "NASD_PID_FILE_UPDATE": msg343, - "NASD_POST_CONFIGURE_EVENT_FAILED": msg344, - "NASD_PPP_READ_FAILURE": msg345, - "NASD_PPP_SEND_FAILURE": msg346, - "NASD_PPP_SEND_PARTIAL": msg347, - "NASD_PPP_UNRECOGNIZED": msg348, - "NASD_RADIUS_ALLOCATE_PASSWORD_FAILED": msg349, - "NASD_RADIUS_CONFIG_FAILED": msg350, - "NASD_RADIUS_CREATE_FAILED": msg351, - "NASD_RADIUS_CREATE_REQUEST_FAILED": msg352, - "NASD_RADIUS_GETHOSTNAME_FAILED": msg353, - "NASD_RADIUS_MESSAGE_UNEXPECTED": msg354, - "NASD_RADIUS_OPEN_FAILED": msg355, - "NASD_RADIUS_SELECT_FAILED": msg356, - "NASD_RADIUS_SET_TIMER_FAILED": msg357, - "NASD_TRACE_FILE_OPEN_FAILED": msg358, - "NASD_usage": msg359, - "NOTICE": msg360, - "PFEMAN": msg61, - "PFE_FW_SYSLOG_IP": select36, - "PFE_NH_RESOLVE_THROTTLED": msg363, - "PING_TEST_COMPLETED": msg364, - "PING_TEST_FAILED": msg365, - "PKID_UNABLE_TO_GET_CRL": msg746, - "PWC_EXIT": msg368, - "PWC_HOLD_RELEASE": msg369, - "PWC_INVALID_RUNS_ARGUMENT": msg370, - 
"PWC_INVALID_TIMEOUT_ARGUMENT": msg371, - "PWC_KILLED_BY_SIGNAL": msg372, - "PWC_KILL_EVENT": msg373, - "PWC_KILL_FAILED": msg374, - "PWC_KQUEUE_ERROR": msg375, - "PWC_KQUEUE_INIT": msg376, - "PWC_KQUEUE_REGISTER_FILTER": msg377, - "PWC_LOCKFILE_BAD_FORMAT": msg378, - "PWC_LOCKFILE_ERROR": msg379, - "PWC_LOCKFILE_MISSING": msg380, - "PWC_LOCKFILE_NOT_LOCKED": msg381, - "PWC_NO_PROCESS": msg382, - "PWC_PROCESS_EXIT": msg383, - "PWC_PROCESS_FORCED_HOLD": msg384, - "PWC_PROCESS_HOLD": msg385, - "PWC_PROCESS_HOLD_SKIPPED": msg386, - "PWC_PROCESS_OPEN": msg387, - "PWC_PROCESS_TIMED_HOLD": msg388, - "PWC_PROCESS_TIMEOUT": msg389, - "PWC_SIGNAL_INIT": msg390, - "PWC_SOCKET_CONNECT": msg391, - "PWC_SOCKET_CREATE": msg392, - "PWC_SOCKET_OPTION": msg393, - "PWC_STDOUT_WRITE": msg394, - "PWC_SYSTEM_CALL": msg395, - "PWC_UNKNOWN_KILL_OPTION": msg396, - "RDP": msg111, - "RMOPD_ADDRESS_MULTICAST_INVALID": msg397, - "RMOPD_ADDRESS_SOURCE_INVALID": msg398, - "RMOPD_ADDRESS_STRING_FAILURE": msg399, - "RMOPD_ADDRESS_TARGET_INVALID": msg400, - "RMOPD_DUPLICATE": msg401, - "RMOPD_ICMP_ADDRESS_TYPE_UNSUPPORTED": msg402, - "RMOPD_ICMP_SENDMSG_FAILURE": msg403, - "RMOPD_IFINDEX_NOT_ACTIVE": msg404, - "RMOPD_IFINDEX_NO_INFO": msg405, - "RMOPD_IFNAME_NOT_ACTIVE": msg406, - "RMOPD_IFNAME_NO_INFO": msg407, - "RMOPD_NOT_ROOT": msg408, - "RMOPD_ROUTING_INSTANCE_NO_INFO": msg409, - "RMOPD_TRACEROUTE_ERROR": msg410, - "RMOPD_usage": msg411, - "RPD_ABORT": msg412, - "RPD_ACTIVE_TERMINATE": msg413, - "RPD_ASSERT": msg414, - "RPD_ASSERT_SOFT": msg415, - "RPD_EXIT": msg416, - "RPD_IFL_INDEXCOLLISION": msg417, - "RPD_IFL_NAMECOLLISION": msg418, - "RPD_ISIS_ADJDOWN": msg419, - "RPD_ISIS_ADJUP": msg420, - "RPD_ISIS_ADJUPNOIP": msg421, - "RPD_ISIS_LSPCKSUM": msg422, - "RPD_ISIS_OVERLOAD": msg423, - "RPD_KRT_AFUNSUPRT": msg424, - "RPD_KRT_CCC_IFL_MODIFY": msg425, - "RPD_KRT_DELETED_RTT": msg426, - "RPD_KRT_IFA_GENERATION": msg427, - "RPD_KRT_IFDCHANGE": msg428, - "RPD_KRT_IFDEST_GET": msg429, - 
"RPD_KRT_IFDGET": msg430, - "RPD_KRT_IFD_GENERATION": msg431, - "RPD_KRT_IFL_CELL_RELAY_MODE_INVALID": msg432, - "RPD_KRT_IFL_CELL_RELAY_MODE_UNSPECIFIED": msg433, - "RPD_KRT_IFL_GENERATION": msg434, - "RPD_KRT_KERNEL_BAD_ROUTE": msg435, - "RPD_KRT_NEXTHOP_OVERFLOW": msg436, - "RPD_KRT_NOIFD": msg437, - "RPD_KRT_UNKNOWN_RTT": msg438, - "RPD_KRT_VERSION": msg439, - "RPD_KRT_VERSIONNONE": msg440, - "RPD_KRT_VERSIONOLD": msg441, - "RPD_LDP_INTF_BLOCKED": msg442, - "RPD_LDP_INTF_UNBLOCKED": msg443, - "RPD_LDP_NBRDOWN": msg444, - "RPD_LDP_NBRUP": msg445, - "RPD_LDP_SESSIONDOWN": msg446, - "RPD_LDP_SESSIONUP": msg447, - "RPD_LOCK_FLOCKED": msg448, - "RPD_LOCK_LOCKED": msg449, - "RPD_MPLS_LSP_CHANGE": msg450, - "RPD_MPLS_LSP_DOWN": msg451, - "RPD_MPLS_LSP_SWITCH": msg452, - "RPD_MPLS_LSP_UP": msg453, - "RPD_MSDP_PEER_DOWN": msg454, - "RPD_MSDP_PEER_UP": msg455, - "RPD_OSPF_NBRDOWN": msg456, - "RPD_OSPF_NBRUP": msg457, - "RPD_OS_MEMHIGH": msg458, - "RPD_PIM_NBRDOWN": msg459, - "RPD_PIM_NBRUP": msg460, - "RPD_RDISC_CKSUM": msg461, - "RPD_RDISC_NOMULTI": msg462, - "RPD_RDISC_NORECVIF": msg463, - "RPD_RDISC_SOLICITADDR": msg464, - "RPD_RDISC_SOLICITICMP": msg465, - "RPD_RDISC_SOLICITLEN": msg466, - "RPD_RIP_AUTH": msg467, - "RPD_RIP_JOIN_BROADCAST": msg468, - "RPD_RIP_JOIN_MULTICAST": msg469, - "RPD_RT_IFUP": msg470, - "RPD_SCHED_CALLBACK_LONGRUNTIME": msg471, - "RPD_SCHED_CUMULATIVE_LONGRUNTIME": msg472, - "RPD_SCHED_MODULE_LONGRUNTIME": msg473, - "RPD_SCHED_TASK_LONGRUNTIME": msg474, - "RPD_SIGNAL_TERMINATE": msg475, - "RPD_START": msg476, - "RPD_SYSTEM": msg477, - "RPD_TASK_BEGIN": msg478, - "RPD_TASK_CHILDKILLED": msg479, - "RPD_TASK_CHILDSTOPPED": msg480, - "RPD_TASK_FORK": msg481, - "RPD_TASK_GETWD": msg482, - "RPD_TASK_NOREINIT": msg483, - "RPD_TASK_PIDCLOSED": msg484, - "RPD_TASK_PIDFLOCK": msg485, - "RPD_TASK_PIDWRITE": msg486, - "RPD_TASK_REINIT": msg487, - "RPD_TASK_SIGNALIGNORE": msg488, - "RT_COS": msg489, - "RT_FLOW_SESSION_CLOSE": select51, - 
"RT_FLOW_SESSION_CREATE": select45, - "RT_FLOW_SESSION_DENY": select47, - "RT_SCREEN_ICMP": msg774, - "RT_SCREEN_IP": select52, - "RT_SCREEN_SESSION_LIMIT": msg504, - "RT_SCREEN_TCP": msg503, - "RT_SCREEN_UDP": msg505, - "Resolve": msg63, - "SECINTEL_ACTION_LOG": msg775, - "SECINTEL_ERROR_OTHERS": msg747, - "SECINTEL_NETWORK_CONNECT_FAILED": msg744, - "SERVICED_CLIENT_CONNECT": msg506, - "SERVICED_CLIENT_DISCONNECTED": msg507, - "SERVICED_CLIENT_ERROR": msg508, - "SERVICED_COMMAND_FAILED": msg509, - "SERVICED_COMMIT_FAILED": msg510, - "SERVICED_CONFIGURATION_FAILED": msg511, - "SERVICED_CONFIG_ERROR": msg512, - "SERVICED_CONFIG_FILE": msg513, - "SERVICED_CONNECTION_ERROR": msg514, - "SERVICED_DISABLED_GGSN": msg515, - "SERVICED_DUPLICATE": msg516, - "SERVICED_EVENT_FAILED": msg517, - "SERVICED_INIT_FAILED": msg518, - "SERVICED_MALLOC_FAILURE": msg519, - "SERVICED_NETWORK_FAILURE": msg520, - "SERVICED_NOT_ROOT": msg521, - "SERVICED_PID_FILE_LOCK": msg522, - "SERVICED_PID_FILE_UPDATE": msg523, - "SERVICED_RTSOCK_SEQUENCE": msg524, - "SERVICED_SIGNAL_HANDLER": msg525, - "SERVICED_SOCKET_CREATE": msg526, - "SERVICED_SOCKET_IO": msg527, - "SERVICED_SOCKET_OPTION": msg528, - "SERVICED_STDLIB_FAILURE": msg529, - "SERVICED_USAGE": msg530, - "SERVICED_WORK_INCONSISTENCY": msg531, - "SNMPD_ACCESS_GROUP_ERROR": msg537, - "SNMPD_AUTH_FAILURE": select53, - "SNMPD_AUTH_PRIVILEGES_EXCEEDED": msg542, - "SNMPD_AUTH_RESTRICTED_ADDRESS": msg543, - "SNMPD_AUTH_WRONG_PDU_TYPE": msg544, - "SNMPD_CONFIG_ERROR": msg545, - "SNMPD_CONTEXT_ERROR": msg546, - "SNMPD_ENGINE_FILE_FAILURE": msg547, - "SNMPD_ENGINE_PROCESS_ERROR": msg548, - "SNMPD_FILE_FAILURE": msg549, - "SNMPD_GROUP_ERROR": msg550, - "SNMPD_INIT_FAILED": msg551, - "SNMPD_LIBJUNIPER_FAILURE": msg552, - "SNMPD_LOOPBACK_ADDR_ERROR": msg553, - "SNMPD_MEMORY_FREED": msg554, - "SNMPD_RADIX_FAILURE": msg555, - "SNMPD_RECEIVE_FAILURE": msg556, - "SNMPD_RMONFILE_FAILURE": msg557, - "SNMPD_RMON_COOKIE": msg558, - "SNMPD_RMON_EVENTLOG": 
msg559, - "SNMPD_RMON_IOERROR": msg560, - "SNMPD_RMON_MIBERROR": msg561, - "SNMPD_RTSLIB_ASYNC_EVENT": msg562, - "SNMPD_SEND_FAILURE": select54, - "SNMPD_SOCKET_FAILURE": msg565, - "SNMPD_SUBAGENT_NO_BUFFERS": msg566, - "SNMPD_SUBAGENT_SEND_FAILED": msg567, - "SNMPD_SYSLIB_FAILURE": msg568, - "SNMPD_THROTTLE_QUEUE_DRAINED": msg569, - "SNMPD_TRAP_COLD_START": msg570, - "SNMPD_TRAP_GEN_FAILURE": msg571, - "SNMPD_TRAP_GEN_FAILURE2": msg572, - "SNMPD_TRAP_INVALID_DATA": msg573, - "SNMPD_TRAP_NOT_ENOUGH_VARBINDS": msg574, - "SNMPD_TRAP_QUEUED": msg575, - "SNMPD_TRAP_QUEUE_DRAINED": msg576, - "SNMPD_TRAP_QUEUE_MAX_ATTEMPTS": msg577, - "SNMPD_TRAP_QUEUE_MAX_SIZE": msg578, - "SNMPD_TRAP_THROTTLED": msg579, - "SNMPD_TRAP_TYPE_ERROR": msg580, - "SNMPD_TRAP_VARBIND_TYPE_ERROR": msg581, - "SNMPD_TRAP_VERSION_ERROR": msg582, - "SNMPD_TRAP_WARM_START": msg583, - "SNMPD_USER_ERROR": msg584, - "SNMPD_VIEW_DELETE": msg585, - "SNMPD_VIEW_INSTALL_DEFAULT": msg586, - "SNMPD_VIEW_OID_PARSE": msg587, - "SNMP_GET_ERROR1": msg588, - "SNMP_GET_ERROR2": msg589, - "SNMP_GET_ERROR3": msg590, - "SNMP_GET_ERROR4": msg591, - "SNMP_NS_LOG_INFO": msg535, - "SNMP_RTSLIB_FAILURE": msg592, - "SNMP_SUBAGENT_IPC_REG_ROWS": msg536, - "SNMP_TRAP_LINK_DOWN": select55, - "SNMP_TRAP_LINK_UP": select56, - "SNMP_TRAP_PING_PROBE_FAILED": msg597, - "SNMP_TRAP_PING_TEST_COMPLETED": msg598, - "SNMP_TRAP_PING_TEST_FAILED": msg599, - "SNMP_TRAP_TRACE_ROUTE_PATH_CHANGE": msg600, - "SNMP_TRAP_TRACE_ROUTE_TEST_COMPLETED": msg601, - "SNMP_TRAP_TRACE_ROUTE_TEST_FAILED": msg602, - "SNTPD": msg112, - "SSB": msg113, - "SSHD_LOGIN_FAILED": select57, - "SSL_PROXY_SESSION_IGNORE": msg534, - "SSL_PROXY_SSL_SESSION_ALLOW": msg532, - "SSL_PROXY_SSL_SESSION_DROP": msg533, - "TASK_TASK_REINIT": msg606, - "TFTPD_AF_ERR": msg607, - "TFTPD_BIND_ERR": msg608, - "TFTPD_CONNECT_ERR": msg609, - "TFTPD_CONNECT_INFO": msg610, - "TFTPD_CREATE_ERR": msg611, - "TFTPD_FIO_ERR": msg612, - "TFTPD_FORK_ERR": msg613, - "TFTPD_NAK_ERR": msg614, - 
"TFTPD_OPEN_ERR": msg615, - "TFTPD_RECVCOMPLETE_INFO": msg616, - "TFTPD_RECVFROM_ERR": msg617, - "TFTPD_RECV_ERR": msg618, - "TFTPD_SENDCOMPLETE_INFO": msg619, - "TFTPD_SEND_ERR": msg620, - "TFTPD_SOCKET_ERR": msg621, - "TFTPD_STATFS_ERR": msg622, - "TNP": msg623, - "UI_AUTH_EVENT": msg628, - "UI_AUTH_INVALID_CHALLENGE": msg629, - "UI_BOOTTIME_FAILED": msg630, - "UI_CFG_AUDIT_NEW": select58, - "UI_CFG_AUDIT_OTHER": select60, - "UI_CFG_AUDIT_SET": select63, - "UI_CFG_AUDIT_SET_SECRET": select64, - "UI_CHILD_ARGS_EXCEEDED": msg645, - "UI_CHILD_CHANGE_USER": msg646, - "UI_CHILD_EXEC": msg647, - "UI_CHILD_EXITED": msg648, - "UI_CHILD_FOPEN": msg649, - "UI_CHILD_PIPE_FAILED": msg650, - "UI_CHILD_SIGNALED": msg651, - "UI_CHILD_START": msg653, - "UI_CHILD_STATUS": msg654, - "UI_CHILD_STOPPED": msg652, - "UI_CHILD_WAITPID": msg655, - "UI_CLI_IDLE_TIMEOUT": msg656, - "UI_CMDLINE_READ_LINE": msg657, - "UI_CMDSET_EXEC_FAILED": msg658, - "UI_CMDSET_FORK_FAILED": msg659, - "UI_CMDSET_PIPE_FAILED": msg660, - "UI_CMDSET_STOPPED": msg661, - "UI_CMDSET_WEXITED": msg662, - "UI_CMD_AUTH_REGEX_INVALID": msg663, - "UI_COMMIT": msg664, - "UI_COMMIT_AT": msg665, - "UI_COMMIT_AT_COMPLETED": msg666, - "UI_COMMIT_AT_FAILED": msg667, - "UI_COMMIT_COMPRESS_FAILED": msg668, - "UI_COMMIT_CONFIRMED": msg669, - "UI_COMMIT_CONFIRMED_REMINDER": msg670, - "UI_COMMIT_CONFIRMED_TIMED": msg671, - "UI_COMMIT_EMPTY_CONTAINER": msg672, - "UI_COMMIT_NOT_CONFIRMED": msg673, - "UI_COMMIT_PROGRESS": msg674, - "UI_COMMIT_QUIT": msg675, - "UI_COMMIT_ROLLBACK_FAILED": msg676, - "UI_COMMIT_SYNC": msg677, - "UI_COMMIT_SYNC_FORCE": msg678, - "UI_CONFIGURATION_ERROR": msg679, - "UI_DAEMON_ACCEPT_FAILED": msg680, - "UI_DAEMON_FORK_FAILED": msg681, - "UI_DAEMON_SELECT_FAILED": msg682, - "UI_DAEMON_SOCKET_FAILED": msg683, - "UI_DBASE_ACCESS_FAILED": msg684, - "UI_DBASE_CHECKOUT_FAILED": msg685, - "UI_DBASE_EXTEND_FAILED": msg686, - "UI_DBASE_LOGIN_EVENT": msg687, - "UI_DBASE_LOGOUT_EVENT": msg688, - 
"UI_DBASE_MISMATCH_EXTENT": msg689, - "UI_DBASE_MISMATCH_MAJOR": msg690, - "UI_DBASE_MISMATCH_MINOR": msg691, - "UI_DBASE_MISMATCH_SEQUENCE": msg692, - "UI_DBASE_MISMATCH_SIZE": msg693, - "UI_DBASE_OPEN_FAILED": msg694, - "UI_DBASE_REBUILD_FAILED": msg695, - "UI_DBASE_REBUILD_SCHEMA_FAILED": msg696, - "UI_DBASE_REBUILD_STARTED": msg697, - "UI_DBASE_RECREATE": msg698, - "UI_DBASE_REOPEN_FAILED": msg699, - "UI_DUPLICATE_UID": msg700, - "UI_JUNOSCRIPT_CMD": msg701, - "UI_JUNOSCRIPT_ERROR": msg702, - "UI_LOAD_EVENT": msg703, - "UI_LOAD_JUNOS_DEFAULT_FILE_EVENT": msg704, - "UI_LOGIN_EVENT": select71, - "UI_LOGOUT_EVENT": msg707, - "UI_LOST_CONN": msg708, - "UI_MASTERSHIP_EVENT": msg709, - "UI_MGD_TERMINATE": msg710, - "UI_NETCONF_CMD": msg711, - "UI_READ_FAILED": msg712, - "UI_READ_TIMEOUT": msg713, - "UI_REBOOT_EVENT": msg714, - "UI_RESTART_EVENT": msg715, - "UI_SCHEMA_CHECKOUT_FAILED": msg716, - "UI_SCHEMA_MISMATCH_MAJOR": msg717, - "UI_SCHEMA_MISMATCH_MINOR": msg718, - "UI_SCHEMA_MISMATCH_SEQUENCE": msg719, - "UI_SCHEMA_SEQUENCE_ERROR": msg720, - "UI_SYNC_OTHER_RE": msg721, - "UI_TACPLUS_ERROR": msg722, - "UI_VERSION_FAILED": msg723, - "UI_WRITE_RECONNECT": msg724, - "VRRPD_NEWMASTER_TRAP": msg725, - "Version": msg99, - "WEBFILTER_REQUEST_NOT_CHECKED": msg730, - "WEBFILTER_URL_BLOCKED": select75, - "WEBFILTER_URL_PERMITTED": select74, - "WEB_AUTH_FAIL": msg726, - "WEB_AUTH_SUCCESS": msg727, - "WEB_INTERFACE_UNAUTH": msg728, - "WEB_READ": msg729, - "alarmd": msg3, - "bgp_connect_start": msg132, - "bgp_event": msg133, - "bgp_listen_accept": msg134, - "bgp_listen_reset": msg135, - "bgp_nexthop_sanity": msg136, - "bgp_pp_recv": select33, - "bgp_process_caps": select32, - "bgp_send": msg141, - "bgp_traffic_timeout": msg142, - "bigd": select6, - "bigpipe": select7, - "bigstart": msg9, - "cgatool": msg10, - "chassisd": msg11, - "chassism": select73, - "checkd": select8, - "clean_process": msg215, - "cli": msg750, - "cosd": msg14, - "craftd": msg15, - "cron": msg18, - 
"crond": msg21, - "dcd": msg22, - "eswd": select72, - "ftpd": msg24, - "ha_rto_stats_handler": msg25, - "hostinit": msg26, - "idpinfo": msg752, - "ifinfo": select13, - "ifp_ifl_anydown_change_event": msg30, - "ifp_ifl_config_event": msg31, - "ifp_ifl_ext_chg": msg32, - "inetd": select14, - "init": select15, - "ipc_msg_write": msg40, - "kernel": select17, - "kmd": msg753, - "last": select28, - "login": select18, - "lsys_ssam_handler": msg53, - "mcsn": msg54, - "mgd": msg62, - "mrvl_dfw_log_effuse_status": msg55, - "node": select79, - "pfed": msg751, - "process_mode": select38, - "profile_ssam_handler": msg57, - "pst_nat_binding_set_profile": msg58, - "qsfp": msg776, - "respawn": msg64, - "root": msg65, - "rpd": select20, - "rshd": msg70, - "sfd": msg71, - "sshd": select21, - "syslogd": msg92, - "task_connect": msg605, - "task_reconfigure": msg59, - "tnetd": msg60, - "tnp.bootpd": msg769, - "trace_on": msg624, - "trace_rotate": msg625, - "transfer-file": msg626, - "ttloop": msg627, - "ucd-snmp": select26, - "usp_ipc_client_reconnect": msg95, - "usp_trace_ipc_disconnect": msg96, - "usp_trace_ipc_reconnect": msg97, - "uspinfo": msg98, - "xntpd": select27, - }), - ]); - - var hdr43 = match("HEADER#3:0004/0", "message", "%{month->} %{day->} %{time->} %{p0}"); - - var part822 = match("HEADER#3:0004/1_0", "nwparser.p0", "fpc0 %{p0}"); - - var part823 = match("HEADER#3:0004/1_1", "nwparser.p0", "fpc1 %{p0}"); - - var part824 = match("HEADER#3:0004/1_2", "nwparser.p0", "fpc2 %{p0}"); - - var part825 = match("HEADER#3:0004/1_3", "nwparser.p0", "fpc3 %{p0}"); - - var part826 = match("HEADER#3:0004/1_4", "nwparser.p0", "fpc4 %{p0}"); - - var part827 = match("HEADER#3:0004/1_5", "nwparser.p0", "fpc5 %{p0}"); - - var part828 = match("HEADER#3:0004/1_11", "nwparser.p0", "ssb %{p0}"); - - var part829 = match("HEADER#15:0026.upd.a/1_0", "nwparser.p0", "RT_FLOW - %{p0}"); - - var part830 = match("HEADER#15:0026.upd.a/1_1", "nwparser.p0", "junos-ssl-proxy - %{p0}"); - - var part831 = 
match("HEADER#15:0026.upd.a/1_2", "nwparser.p0", "RT_APPQOS - %{p0}"); - - var part832 = match("HEADER#15:0026.upd.a/1_3", "nwparser.p0", "%{hfld33->} - %{p0}"); - - var hdr44 = match("HEADER#16:0026.upd.b/0", "message", "%{event_time->} %{hfld32->} %{hhostname->} %{p0}"); - - var part833 = match("MESSAGE#77:sshd:06/0", "nwparser.payload", "%{} %{p0}"); - - var part834 = match("MESSAGE#77:sshd:06/1_0", "nwparser.p0", "%{process}[%{process_id}]: %{p0}"); - - var part835 = match("MESSAGE#77:sshd:06/1_1", "nwparser.p0", "%{process}: %{p0}"); - - var part836 = match_copy("MESSAGE#72:Failed:05/1_2", "nwparser.p0", "p0"); - - var part837 = match("MESSAGE#114:ACCT_GETHOSTNAME_error/0", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{p0}"); - - var part838 = match("MESSAGE#294:LOGIN_INFORMATION/3_0", "nwparser.p0", "User %{p0}"); - - var part839 = match("MESSAGE#294:LOGIN_INFORMATION/3_1", "nwparser.p0", "user %{p0}"); - - var part840 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/0", "nwparser.payload", "%{event_type->} [junos@%{obj_name->} source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\"%{p0}"); - - var part841 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/1_0", "nwparser.p0", " connection-tag=%{fld20->} service-name=\"%{p0}"); - - var part842 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/1_1", "nwparser.p0", " service-name=\"%{p0}"); - - var part843 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/3_0", "nwparser.p0", " nat-connection-tag=%{fld6->} src-nat-rule-type=%{fld20->} %{p0}"); - - var part844 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/5_1", "nwparser.p0", "name=\"%{p0}"); - - var part845 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/8", "nwparser.p0", "]%{}"); - - var part846 = match("MESSAGE#490:RT_FLOW_SESSION_DENY:03/0_0", "nwparser.payload", "%{process}: %{event_type}: session denied %{p0}"); - - var part847 = match("MESSAGE#490:RT_FLOW_SESSION_DENY:03/0_1", 
"nwparser.payload", "%{event_type}: session denied %{p0}"); - - var part848 = match("MESSAGE#492:RT_FLOW_SESSION_CLOSE:01/0", "nwparser.payload", "%{event_type->} [junos@%{obj_name->} reason=\"%{result}\" source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\"%{p0}"); - - var part849 = match("MESSAGE#492:RT_FLOW_SESSION_CLOSE:01/2", "nwparser.p0", "%{service}\" nat-source-address=\"%{hostip}\" nat-source-port=\"%{network_port}\" nat-destination-address=\"%{dtransaddr}\" nat-destination-port=\"%{dtransport}\"%{p0}"); - - var part850 = match("MESSAGE#492:RT_FLOW_SESSION_CLOSE:01/4", "nwparser.p0", "%{}src-nat-rule-name=\"%{rulename}\" dst-nat-rule-%{p0}"); - - var part851 = match("MESSAGE#492:RT_FLOW_SESSION_CLOSE:01/5_0", "nwparser.p0", "type=%{fld7->} dst-nat-rule-name=\"%{p0}"); - - var part852 = match("MESSAGE#492:RT_FLOW_SESSION_CLOSE:01/6", "nwparser.p0", "\"%{rule_template->} protocol-id=\"%{protocol}\" policy-name=\"%{policyname}\" source-zone-name=\"%{src_zone}\" destination-zone-name=\"%{dst_zone}\" session-id-32=\"%{sessionid}\" packets-from-client=\"%{packets}\" bytes-from-client=\"%{rbytes}\" packets-from-server=\"%{dclass_counter1}\" bytes-from-server=\"%{sbytes}\" elapsed-time=\"%{duration}\"%{p0}"); - - var part853 = match("MESSAGE#492:RT_FLOW_SESSION_CLOSE:01/7_0", "nwparser.p0", " application=\"%{fld6}\" nested-application=\"%{fld7}\" username=\"%{username}\" roles=\"%{fld15}\" packet-incoming-interface=\"%{dinterface}\" encrypted=%{fld16->} %{p0}"); - - var part854 = match("MESSAGE#630:UI_CFG_AUDIT_OTHER:02/0", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' set: [%{action}] %{p0}"); - - var part855 = match_copy("MESSAGE#630:UI_CFG_AUDIT_OTHER:02/1_1", "nwparser.p0", "space"); - - var part856 = match("MESSAGE#634:UI_CFG_AUDIT_SET:01/1_1", "nwparser.p0", "\u003c\u003c%{change_old}> %{p0}"); - - var part857 = match("MESSAGE#634:UI_CFG_AUDIT_SET:01/2", 
"nwparser.p0", "-> \"%{change_new}\""); - - var part858 = match("MESSAGE#637:UI_CFG_AUDIT_SET_SECRET:01/0", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' %{p0}"); - - var part859 = match("MESSAGE#637:UI_CFG_AUDIT_SET_SECRET:01/1_0", "nwparser.p0", "set %{p0}"); - - var part860 = match("MESSAGE#637:UI_CFG_AUDIT_SET_SECRET:01/1_1", "nwparser.p0", "replace %{p0}"); - - var part861 = match("MESSAGE#675:UI_DAEMON_ACCEPT_FAILED/1_0", "nwparser.p0", "Network %{p0}"); - - var part862 = match("MESSAGE#675:UI_DAEMON_ACCEPT_FAILED/1_1", "nwparser.p0", "Local %{p0}"); - - var part863 = match("MESSAGE#755:node:05/0", "nwparser.payload", "%{hostname->} %{node->} %{p0}"); - - var part864 = match("MESSAGE#755:node:05/1_0", "nwparser.p0", "partner%{p0}"); - - var part865 = match("MESSAGE#755:node:05/1_1", "nwparser.p0", "actor%{p0}"); - - var select85 = linear_select([ - dup14, - dup15, - dup16, - dup17, - ]); - - var part866 = match("HEADER#15:0026.upd.a/2", "nwparser.p0", "%{messageid->} [%{p0}", processor_chain([ - dup13, - ])); - - var select86 = linear_select([ - dup40, - dup41, - ]); - - var part867 = match("MESSAGE#125:BFDD_TRAP_STATE_DOWN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: local discriminator: %{resultcode}, new state: %{result}", processor_chain([ - dup21, - dup22, - dup56, - dup23, - ])); - - var part868 = match("MESSAGE#214:DCD_MALLOC_FAILED_INIT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Memory allocation failed during initialization for configuration load", processor_chain([ - dup51, - dup22, - dup64, - dup23, - ])); - - var part869 = match("MESSAGE#225:ECCD_DAEMONIZE_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}, unable to run in the background as a daemon: %{result}", processor_chain([ - dup30, - dup22, - dup65, - dup23, - ])); - - var part870 = match("MESSAGE#226:ECCD_DUPLICATE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: 
Another copy of this program is running", processor_chain([ - dup30, - dup22, - dup66, - dup23, - ])); - - var part871 = match("MESSAGE#232:ECCD_PID_FILE_LOCK", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to lock PID file: %{result}", processor_chain([ - dup30, - dup22, - dup67, - dup23, - ])); - - var part872 = match("MESSAGE#233:ECCD_PID_FILE_UPDATE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to update process PID file: %{result}", processor_chain([ - dup30, - dup22, - dup68, - dup23, - ])); - - var part873 = match("MESSAGE#272:LIBJNX_EXEC_PIPE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to create pipes for command '%{action}': %{result}", processor_chain([ - dup30, - dup22, - dup71, - dup23, - ])); - - var select87 = linear_select([ - dup76, - dup77, - ]); - - var part874 = match("MESSAGE#310:MIB2D_IFD_IFINDEX_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: SNMP index assigned to %{uid->} changed from %{dclass_counter1->} to %{result}", processor_chain([ - dup30, - dup22, - dup79, - dup23, - ])); - - var part875 = match("MESSAGE#412:RPD_IFL_INDEXCOLLISION", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Logical interface collision -- %{result}, %{info}", processor_chain([ - dup30, - dup22, - dup84, - dup23, - ])); - - var part876 = match("MESSAGE#466:RPD_SCHED_CALLBACK_LONGRUNTIME", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: excessive runtime time during action of module", processor_chain([ - dup30, - dup22, - dup85, - dup23, - ])); - - var part877 = match("MESSAGE#482:RPD_TASK_REINIT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Reinitializing", processor_chain([ - dup21, - dup22, - dup86, - dup23, - ])); - - var select88 = linear_select([ - dup88, - dup89, - ]); - - var select89 = linear_select([ - dup90, - dup45, - ]); - - var select90 = linear_select([ - dup95, - dup96, - ]); - - var 
select91 = linear_select([ - dup101, - dup91, - ]); - - var part878 = match("MESSAGE#498:RT_SCREEN_TCP", "nwparser.payload", "%{event_type->} [junos@%{obj_name->} attack-name=\"%{threat_name}\" source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" source-zone-name=\"%{src_zone}\" interface-name=\"%{interface}\" action=\"%{action}\"]", processor_chain([ - dup30, - dup22, - dup52, - ])); - - var part879 = match("MESSAGE#527:SSL_PROXY_SSL_SESSION_ALLOW", "nwparser.payload", "%{event_type->} [junos@%{obj_name->} logical-system-name=\"%{hostname}\" session-id=\"%{sessionid}\" source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" nat-source-address=\"%{hostip}\" nat-source-port=\"%{network_port}\" nat-destination-address=\"%{dtransaddr}\" nat-destination-port=\"%{dtransport}\" profile-name=\"%{rulename}\" source-zone-name=\"%{src_zone}\" source-interface-name=\"%{sinterface}\" destination-zone-name=\"%{dst_zone}\" destination-interface-name=\"%{dinterface}\" message=\"%{info}\"]", processor_chain([ - dup27, - dup22, - dup52, - ])); - - var select92 = linear_select([ - dup118, - dup119, - ]); - - var select93 = linear_select([ - dup123, - dup124, - ]); - - var part880 = match("MESSAGE#733:WEBFILTER_URL_PERMITTED", "nwparser.payload", "%{event_type->} [junos@%{fld21->} source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" name=\"%{info}\" error-message=\"%{result}\" profile-name=\"%{profile}\" object-name=\"%{obj_name}\" pathname=\"%{directory}\" username=\"%{username}\" roles=\"%{user_role}\"] WebFilter: ACTION=\"%{action}\" %{fld2}->%{fld3->} CATEGORY=\"%{category}\" REASON=\"%{fld4}\" PROFILE=\"%{fld6}\" URL=%{url->} OBJ=%{fld7->} USERNAME=%{fld8->} ROLES=%{fld9}", processor_chain([ - dup30, - dup22, - dup52, - ])); - - var part881 = match_copy("MESSAGE#747:cli", "nwparser.payload", 
"fld12", processor_chain([ - dup48, - dup47, - dup23, - dup22, - ])); - -- community_id: -- registered_domain: - ignore_missing: true - ignore_failure: true - field: dns.question.name - target_field: dns.question.registered_domain - target_subdomain_field: dns.question.subdomain - target_etld_field: dns.question.top_level_domain -- registered_domain: - ignore_missing: true - ignore_failure: true - field: client.domain - target_field: client.registered_domain - target_subdomain_field: client.subdomain - target_etld_field: client.top_level_domain -- registered_domain: - ignore_missing: true - ignore_failure: true - field: server.domain - target_field: server.registered_domain - target_subdomain_field: server.subdomain - target_etld_field: server.top_level_domain -- registered_domain: - ignore_missing: true - ignore_failure: true - field: destination.domain - target_field: destination.registered_domain - target_subdomain_field: destination.subdomain - target_etld_field: destination.top_level_domain -- registered_domain: - ignore_missing: true - ignore_failure: true - field: source.domain - target_field: source.registered_domain - target_subdomain_field: source.subdomain - target_etld_field: source.top_level_domain -- registered_domain: - ignore_missing: true - ignore_failure: true - field: url.domain - target_field: url.registered_domain - target_subdomain_field: url.subdomain - target_etld_field: url.top_level_domain -- add_locale: ~ diff --git a/packages/juniper_junos/0.4.2/data_stream/log/agent/stream/tcp.yml.hbs b/packages/juniper_junos/0.4.2/data_stream/log/agent/stream/tcp.yml.hbs deleted file mode 100755 index 1d71b4b9f8..0000000000 --- a/packages/juniper_junos/0.4.2/data_stream/log/agent/stream/tcp.yml.hbs +++ /dev/null 
@@ -1,12569 +0,0 @@ -tcp: -host: "{{tcp_host}}:{{tcp_port}}" -tags: -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#each tags as |tag i|}} - - {{tag}} -{{/each}} -fields_under_root: true -fields: - observer: - vendor: "Juniper" - product: "Junos" - type: "Routers" -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} -processors: -{{#if processors}} -{{processors}} -{{/if}} -- script: - lang: javascript - params: - ecs: true - rsa: {{rsa_fields}} - tz_offset: {{tz_offset}} - keep_raw: {{keep_raw_fields}} - debug: {{debug}} - source: | - // Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - // or more contributor license agreements. Licensed under the Elastic License; - // you may not use this file except in compliance with the Elastic License. - - /* jshint -W014,-W016,-W097,-W116 */ - - var processor = require("processor"); - var console = require("console"); - - var FLAG_FIELD = "log.flags"; - var FIELDS_OBJECT = "nwparser"; - var FIELDS_PREFIX = FIELDS_OBJECT + "."; - - var defaults = { - debug: false, - ecs: true, - rsa: false, - keep_raw: false, - tz_offset: "local", - strip_priority: true - }; - - var saved_flags = null; - var debug; - var map_ecs; - var map_rsa; - var keep_raw; - var device; - var tz_offset; - var strip_priority; - - // Register params from configuration. - function register(params) { - debug = params.debug !== undefined ? params.debug : defaults.debug; - map_ecs = params.ecs !== undefined ? params.ecs : defaults.ecs; - map_rsa = params.rsa !== undefined ? params.rsa : defaults.rsa; - keep_raw = params.keep_raw !== undefined ? params.keep_raw : defaults.keep_raw; - tz_offset = parse_tz_offset(params.tz_offset !== undefined? params.tz_offset : defaults.tz_offset); - strip_priority = params.strip_priority !== undefined? 
params.strip_priority : defaults.strip_priority; - device = new DeviceProcessor(); - } - - function parse_tz_offset(offset) { - var date; - var m; - switch(offset) { - // local uses the tz offset from the JS VM. - case "local": - date = new Date(); - // Reversing the sign as we the offset from UTC, not to UTC. - return parse_local_tz_offset(-date.getTimezoneOffset()); - // event uses the tz offset from event.timezone (add_locale processor). - case "event": - return offset; - // Otherwise a tz offset in the form "[+-][0-9]{4}" is required. - default: - m = offset.match(/^([+\-])([0-9]{2}):?([0-9]{2})?$/); - if (m === null || m.length !== 4) { - throw("bad timezone offset: '" + offset + "'. Must have the form +HH:MM"); - } - return m[1] + m[2] + ":" + (m[3]!==undefined? m[3] : "00"); - } - } - - function parse_local_tz_offset(minutes) { - var neg = minutes < 0; - minutes = Math.abs(minutes); - var min = minutes % 60; - var hours = Math.floor(minutes / 60); - var pad2digit = function(n) { - if (n < 10) { return "0" + n;} - return "" + n; - }; - return (neg? "-" : "+") + pad2digit(hours) + ":" + pad2digit(min); - } - - function process(evt) { - // Function register is only called by the processor when `params` are set - // in the processor config. - if (device === undefined) { - register(defaults); - } - return device.process(evt); - } - - function processor_chain(subprocessors) { - var builder = new processor.Chain(); - subprocessors.forEach(builder.Add); - return builder.Build().Run; - } - - function linear_select(subprocessors) { - return function (evt) { - var flags = evt.Get(FLAG_FIELD); - var i; - for (i = 0; i < subprocessors.length; i++) { - evt.Delete(FLAG_FIELD); - if (debug) console.warn("linear_select trying entry " + i); - subprocessors[i](evt); - // Dissect processor succeeded? 
- if (evt.Get(FLAG_FIELD) == null) break; - if (debug) console.warn("linear_select failed entry " + i); - } - if (flags !== null) { - evt.Put(FLAG_FIELD, flags); - } - if (debug) { - if (i < subprocessors.length) { - console.warn("linear_select matched entry " + i); - } else { - console.warn("linear_select didn't match"); - } - } - }; - } - - function conditional(opt) { - return function(evt) { - if (opt.if(evt)) { - opt.then(evt); - } else if (opt.else) { - opt.else(evt); - } - }; - } - - var strip_syslog_priority = (function() { - var isEnabled = function() { return strip_priority === true; }; - var fetchPRI = field("_pri"); - var fetchPayload = field("payload"); - var removePayload = remove(["payload"]); - var cleanup = remove(["_pri", "payload"]); - var onMatch = function(evt) { - var pri, priStr = fetchPRI(evt); - if (priStr != null - && 0 < priStr.length && priStr.length < 4 - && !isNaN((pri = Number(priStr))) - && 0 <= pri && pri < 192) { - var severity = pri & 7, - facility = pri >> 3; - setc("_severity", "" + severity)(evt); - setc("_facility", "" + facility)(evt); - // Replace message with priority stripped. - evt.Put("message", fetchPayload(evt)); - removePayload(evt); - } else { - // not a valid syslog PRI, cleanup. 
- cleanup(evt); - } - }; - return conditional({ - if: isEnabled, - then: cleanup_flags(match( - "STRIP_PRI", - "message", - "<%{_pri}>%{payload}", - onMatch - )) - }); - })(); - - function match(id, src, pattern, on_success) { - var dissect = new processor.Dissect({ - field: src, - tokenizer: pattern, - target_prefix: FIELDS_OBJECT, - ignore_failure: true, - overwrite_keys: true, - trim_values: "right" - }); - return function (evt) { - var msg = evt.Get(src); - dissect.Run(evt); - var failed = evt.Get(FLAG_FIELD) != null; - if (debug) { - if (failed) { - console.debug("dissect fail: " + id + " field:" + src); - } else { - console.debug("dissect OK: " + id + " field:" + src); - } - console.debug(" expr: <<" + pattern + ">>"); - console.debug(" input: <<" + msg + ">>"); - } - if (on_success != null && !failed) { - on_success(evt); - } - }; - } - - function match_copy(id, src, dst, on_success) { - dst = FIELDS_PREFIX + dst; - if (dst === FIELDS_PREFIX || dst === src) { - return function (evt) { - if (debug) { - console.debug("noop OK: " + id + " field:" + src); - console.debug(" input: <<" + evt.Get(src) + ">>"); - } - if (on_success != null) on_success(evt); - } - } - return function (evt) { - var msg = evt.Get(src); - evt.Put(dst, msg); - if (debug) { - console.debug("copy OK: " + id + " field:" + src); - console.debug(" target: '" + dst + "'"); - console.debug(" input: <<" + msg + ">>"); - } - if (on_success != null) on_success(evt); - } - } - - function cleanup_flags(processor) { - return function(evt) { - processor(evt); - evt.Delete(FLAG_FIELD); - }; - } - - function all_match(opts) { - return function (evt) { - var i; - for (i = 0; i < opts.processors.length; i++) { - evt.Delete(FLAG_FIELD); - opts.processors[i](evt); - // Dissect processor succeeded? 
- if (evt.Get(FLAG_FIELD) != null) { - if (debug) console.warn("all_match failure at " + i); - if (opts.on_failure != null) opts.on_failure(evt); - return; - } - if (debug) console.warn("all_match success at " + i); - } - if (opts.on_success != null) opts.on_success(evt); - }; - } - - function msgid_select(mapping) { - return function (evt) { - var msgid = evt.Get(FIELDS_PREFIX + "messageid"); - if (msgid == null) { - if (debug) console.warn("msgid_select: no messageid captured!"); - return; - } - var next = mapping[msgid]; - if (next === undefined) { - if (debug) console.warn("msgid_select: no mapping for messageid:" + msgid); - return; - } - if (debug) console.info("msgid_select: matched key=" + msgid); - return next(evt); - }; - } - - function msg(msg_id, match) { - return function (evt) { - match(evt); - if (evt.Get(FLAG_FIELD) == null) { - evt.Put(FIELDS_PREFIX + "msg_id1", msg_id); - } - }; - } - - var start; - - function save_flags(evt) { - saved_flags = evt.Get(FLAG_FIELD); - evt.Put("event.original", evt.Get("message")); - } - - function restore_flags(evt) { - if (saved_flags !== null) { - evt.Put(FLAG_FIELD, saved_flags); - } - evt.Delete("message"); - } - - function constant(value) { - return function (evt) { - return value; - }; - } - - function field(name) { - var fullname = FIELDS_PREFIX + name; - return function (evt) { - return evt.Get(fullname); - }; - } - - function STRCAT(args) { - var s = ""; - var i; - for (i = 0; i < args.length; i++) { - s += args[i]; - } - return s; - } - - // TODO: Implement - function DIRCHK(args) { - unimplemented("DIRCHK"); - } - - function strictToInt(str) { - return str * 1; - } - - function CALC(args) { - if (args.length !== 3) { - console.warn("skipped call to CALC with " + args.length + " arguments."); - return; - } - var a = strictToInt(args[0]); - var b = strictToInt(args[2]); - if (isNaN(a) || isNaN(b)) { - console.warn("failed evaluating CALC arguments a='" + args[0] + "' b='" + args[2] + "'."); - return; - } - 
var result; - switch (args[1]) { - case "+": - result = a + b; - break; - case "-": - result = a - b; - break; - case "*": - result = a * b; - break; - default: - // Only * and + seen in the parsers. - console.warn("unknown CALC operation '" + args[1] + "'."); - return; - } - // Always return a string - return result !== undefined ? "" + result : result; - } - - var quoteChars = "\"'`"; - function RMQ(args) { - if(args.length !== 1) { - console.warn("RMQ: only one argument expected"); - return; - } - var value = args[0].trim(); - var n = value.length; - var char; - return n > 1 - && (char=value.charAt(0)) === value.charAt(n-1) - && quoteChars.indexOf(char) !== -1? - value.substr(1, n-2) - : value; - } - - function call(opts) { - var args = new Array(opts.args.length); - return function (evt) { - for (var i = 0; i < opts.args.length; i++) - if ((args[i] = opts.args[i](evt)) == null) return; - var result = opts.fn(args); - if (result != null) { - evt.Put(opts.dest, result); - } - }; - } - - function nop(evt) { - } - - function appendErrorMsg(evt, msg) { - var value = evt.Get("error.message"); - if (value == null) { - value = [msg]; - } else if (msg instanceof Array) { - value.push(msg); - } else { - value = [value, msg]; - } - evt.Put("error.message", value); - } - - function unimplemented(name) { - appendErrorMsg("unimplemented feature: " + name); - } - - function lookup(opts) { - return function (evt) { - var key = opts.key(evt); - if (key == null) return; - var value = opts.map.keyvaluepairs[key]; - if (value === undefined) { - value = opts.map.default; - } - if (value !== undefined) { - evt.Put(opts.dest, value(evt)); - } - }; - } - - function set(fields) { - return new processor.AddFields({ - target: FIELDS_OBJECT, - fields: fields, - }); - } - - function setf(dst, src) { - return function (evt) { - var val = evt.Get(FIELDS_PREFIX + src); - if (val != null) evt.Put(FIELDS_PREFIX + dst, val); - }; - } - - function setc(dst, value) { - return function (evt) { - 
evt.Put(FIELDS_PREFIX + dst, value); - }; - } - - function set_field(opts) { - return function (evt) { - var val = opts.value(evt); - if (val != null) evt.Put(opts.dest, val); - }; - } - - function dump(label) { - return function (evt) { - console.log("Dump of event at " + label + ": " + JSON.stringify(evt, null, "\t")); - }; - } - - function date_time_join_args(evt, arglist) { - var str = ""; - for (var i = 0; i < arglist.length; i++) { - var fname = FIELDS_PREFIX + arglist[i]; - var val = evt.Get(fname); - if (val != null) { - if (str !== "") str += " "; - str += val; - } else { - if (debug) console.warn("in date_time: input arg " + fname + " is not set"); - } - } - return str; - } - - function to2Digit(num) { - return num? (num < 10? "0" + num : num) : "00"; - } - - // Make two-digit dates 00-69 interpreted as 2000-2069 - // and dates 70-99 translated to 1970-1999. - var twoDigitYearEpoch = 70; - var twoDigitYearCentury = 2000; - - // This is to accept dates up to 2 days in the future, only used when - // no year is specified in a date. 2 days should be enough to account for - // time differences between systems and different tz offsets. - var maxFutureDelta = 2*24*60*60*1000; - - // DateContainer stores date fields and then converts those fields into - // a Date. Necessary because building a Date using its set() methods gives - // different results depending on the order of components. - function DateContainer(tzOffset) { - this.offset = tzOffset === undefined? "Z" : tzOffset; - } - - DateContainer.prototype = { - setYear: function(v) {this.year = v;}, - setMonth: function(v) {this.month = v;}, - setDay: function(v) {this.day = v;}, - setHours: function(v) {this.hours = v;}, - setMinutes: function(v) {this.minutes = v;}, - setSeconds: function(v) {this.seconds = v;}, - - setUNIX: function(v) {this.unix = v;}, - - set2DigitYear: function(v) { - this.year = v < twoDigitYearEpoch? 
twoDigitYearCentury + v : twoDigitYearCentury + v - 100; - }, - - toDate: function() { - if (this.unix !== undefined) { - return new Date(this.unix * 1000); - } - if (this.day === undefined || this.month === undefined) { - // Can't make a date from this. - return undefined; - } - if (this.year === undefined) { - // A date without a year. Set current year, or previous year - // if date would be in the future. - var now = new Date(); - this.year = now.getFullYear(); - var date = this.toDate(); - if (date.getTime() - now.getTime() > maxFutureDelta) { - date.setFullYear(now.getFullYear() - 1); - } - return date; - } - var MM = to2Digit(this.month); - var DD = to2Digit(this.day); - var hh = to2Digit(this.hours); - var mm = to2Digit(this.minutes); - var ss = to2Digit(this.seconds); - return new Date(this.year + "-" + MM + "-" + DD + "T" + hh + ":" + mm + ":" + ss + this.offset); - } - } - - function date_time_try_pattern(fmt, str, tzOffset) { - var date = new DateContainer(tzOffset); - var pos = date_time_try_pattern_at_pos(fmt, str, 0, date); - return pos !== undefined? 
date.toDate() : undefined; - } - - function date_time_try_pattern_at_pos(fmt, str, pos, date) { - var len = str.length; - for (var proc = 0; pos !== undefined && pos < len && proc < fmt.length; proc++) { - pos = fmt[proc](str, pos, date); - } - return pos; - } - - function date_time(opts) { - return function (evt) { - var tzOffset = opts.tz || tz_offset; - if (tzOffset === "event") { - tzOffset = evt.Get("event.timezone"); - } - var str = date_time_join_args(evt, opts.args); - for (var i = 0; i < opts.fmts.length; i++) { - var date = date_time_try_pattern(opts.fmts[i], str, tzOffset); - if (date !== undefined) { - evt.Put(FIELDS_PREFIX + opts.dest, date); - return; - } - } - if (debug) console.warn("in date_time: id=" + opts.id + " FAILED: " + str); - }; - } - - var uA = 60 * 60 * 24; - var uD = 60 * 60 * 24; - var uF = 60 * 60; - var uG = 60 * 60 * 24 * 30; - var uH = 60 * 60; - var uI = 60 * 60; - var uJ = 60 * 60 * 24; - var uM = 60 * 60 * 24 * 30; - var uN = 60 * 60; - var uO = 1; - var uS = 1; - var uT = 60; - var uU = 60; - var uc = dc; - - function duration(opts) { - return function(evt) { - var str = date_time_join_args(evt, opts.args); - for (var i = 0; i < opts.fmts.length; i++) { - var seconds = duration_try_pattern(opts.fmts[i], str); - if (seconds !== undefined) { - evt.Put(FIELDS_PREFIX + opts.dest, seconds); - return; - } - } - if (debug) console.warn("in duration: id=" + opts.id + " (s) FAILED: " + str); - }; - } - - function duration_try_pattern(fmt, str) { - var secs = 0; - var pos = 0; - for (var i=0; i [ month_id , how many chars to skip if month in long form ] - "Jan": [0, 4], - "Feb": [1, 5], - "Mar": [2, 2], - "Apr": [3, 2], - "May": [4, 0], - "Jun": [5, 1], - "Jul": [6, 1], - "Aug": [7, 3], - "Sep": [8, 6], - "Oct": [9, 4], - "Nov": [10, 5], - "Dec": [11, 4], - "jan": [0, 4], - "feb": [1, 5], - "mar": [2, 2], - "apr": [3, 2], - "may": [4, 0], - "jun": [5, 1], - "jul": [6, 1], - "aug": [7, 3], - "sep": [8, 6], - "oct": [9, 4], - "nov": [10, 
5], - "dec": [11, 4], - }; - - // var dC = undefined; - var dR = dateMonthName(true); - var dB = dateMonthName(false); - var dM = dateFixedWidthNumber("M", 2, 1, 12, DateContainer.prototype.setMonth); - var dG = dateVariableWidthNumber("G", 1, 12, DateContainer.prototype.setMonth); - var dD = dateFixedWidthNumber("D", 2, 1, 31, DateContainer.prototype.setDay); - var dF = dateVariableWidthNumber("F", 1, 31, DateContainer.prototype.setDay); - var dH = dateFixedWidthNumber("H", 2, 0, 24, DateContainer.prototype.setHours); - var dI = dateVariableWidthNumber("I", 0, 24, DateContainer.prototype.setHours); // Accept hours >12 - var dN = dateVariableWidthNumber("N", 0, 24, DateContainer.prototype.setHours); - var dT = dateFixedWidthNumber("T", 2, 0, 59, DateContainer.prototype.setMinutes); - var dU = dateVariableWidthNumber("U", 0, 59, DateContainer.prototype.setMinutes); - var dP = parseAMPM; // AM|PM - var dQ = parseAMPM; // A.M.|P.M - var dS = dateFixedWidthNumber("S", 2, 0, 60, DateContainer.prototype.setSeconds); - var dO = dateVariableWidthNumber("O", 0, 60, DateContainer.prototype.setSeconds); - var dY = dateFixedWidthNumber("Y", 2, 0, 99, DateContainer.prototype.set2DigitYear); - var dW = dateFixedWidthNumber("W", 4, 1000, 9999, DateContainer.prototype.setYear); - var dZ = parseHMS; - var dX = dateVariableWidthNumber("X", 0, 0x10000000000, DateContainer.prototype.setUNIX); - - // parseAMPM parses "A.M", "AM", "P.M", "PM" from logs. - // Only works if this modifier appears after the hour has been read from logs - // which is always the case in the 300 devices. 
- function parseAMPM(str, pos, date) { - var n = str.length; - var start = skipws(str, pos); - if (start + 2 > n) return; - var head = str.substr(start, 2).toUpperCase(); - var isPM = false; - var skip = false; - switch (head) { - case "A.": - skip = true; - /* falls through */ - case "AM": - break; - case "P.": - skip = true; - /* falls through */ - case "PM": - isPM = true; - break; - default: - if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(head:" + head + ")"); - return; - } - pos = start + 2; - if (skip) { - if (pos+2 > n || str.substr(pos, 2).toUpperCase() !== "M.") { - if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(tail)"); - return; - } - pos += 2; - } - var hh = date.hours; - if (isPM) { - // Accept existing hour in 24h format. - if (hh < 12) hh += 12; - } else { - if (hh === 12) hh = 0; - } - date.setHours(hh); - return pos; - } - - function parseHMS(str, pos, date) { - return date_time_try_pattern_at_pos([dN, dc(":"), dU, dc(":"), dO], str, pos, date); - } - - function skipws(str, pos) { - for ( var n = str.length; - pos < n && str.charAt(pos) === " "; - pos++) - ; - return pos; - } - - function skipdigits(str, pos) { - var c; - for (var n = str.length; - pos < n && (c = str.charAt(pos)) >= "0" && c <= "9"; - pos++) - ; - return pos; - } - - function dSkip(str, pos, date) { - var chr; - for (;pos < str.length && (chr=str[pos])<'0' || chr>'9'; pos++) {} - return pos < str.length? 
pos : undefined; - } - - function dateVariableWidthNumber(fmtChar, min, max, setter) { - return function (str, pos, date) { - var start = skipws(str, pos); - pos = skipdigits(str, start); - var s = str.substr(start, pos - start); - var value = parseInt(s, 10); - if (value >= min && value <= max) { - setter.call(date, value); - return pos; - } - return; - }; - } - - function dateFixedWidthNumber(fmtChar, width, min, max, setter) { - return function (str, pos, date) { - pos = skipws(str, pos); - var n = str.length; - if (pos + width > n) return; - var s = str.substr(pos, width); - var value = parseInt(s, 10); - if (value >= min && value <= max) { - setter.call(date, value); - return pos + width; - } - return; - }; - } - - // Short month name (Jan..Dec). - function dateMonthName(long) { - return function (str, pos, date) { - pos = skipws(str, pos); - var n = str.length; - if (pos + 3 > n) return; - var mon = str.substr(pos, 3); - var idx = shortMonths[mon]; - if (idx === undefined) { - idx = shortMonths[mon.toLowerCase()]; - } - if (idx === undefined) { - //console.warn("parsing date_time: '" + mon + "' is not a valid short month (%B)"); - return; - } - date.setMonth(idx[0]+1); - return pos + 3 + (long ? 
idx[1] : 0); - }; - } - - function url_wrapper(dst, src, fn) { - return function(evt) { - var value = evt.Get(FIELDS_PREFIX + src), result; - if (value != null && (result = fn(value))!== undefined) { - evt.Put(FIELDS_PREFIX + dst, result); - } else { - console.debug(fn.name + " failed for '" + value + "'"); - } - }; - } - - // The following regular expression for parsing URLs from: - // https://github.com/wizard04wsu/URI_Parsing - // - // The MIT License (MIT) - // - // Copyright (c) 2014 Andrew Harrison - // - // Permission is hereby granted, free of charge, to any person obtaining a copy of - // this software and associated documentation files (the "Software"), to deal in - // the Software without restriction, including without limitation the rights to - // use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of - // the Software, and to permit persons to whom the Software is furnished to do so, - // subject to the following conditions: - // - // The above copyright notice and this permission notice shall be included in all - // copies or substantial portions of the Software. - // - // THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR - // IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS - // FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR - // COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER - // IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN - // CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 
- var uriRegExp = /^([a-z][a-z0-9+.\-]*):(?:\/\/((?:(?=((?:[a-z0-9\-._~!$&'()*+,;=:]|%[0-9A-F]{2})*))(\3)@)?(?=(\[[0-9A-F:.]{2,}\]|(?:[a-z0-9\-._~!$&'()*+,;=]|%[0-9A-F]{2})*))\5(?::(?=(\d*))\6)?)(\/(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\8)?|(\/?(?!\/)(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\10)?)(?:\?(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\11)?(?:#(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\12)?$/i; - - var uriScheme = 1; - var uriDomain = 5; - var uriPort = 6; - var uriPath = 7; - var uriPathAlt = 9; - var uriQuery = 11; - - function domain(dst, src) { - return url_wrapper(dst, src, extract_domain); - } - - function split_url(value) { - var m = value.match(uriRegExp); - if (m && m[uriDomain]) return m; - // Support input in the form "www.example.net/path", but not "/path". - m = ("null://" + value).match(uriRegExp); - if (m) return m; - } - - function extract_domain(value) { - var m = split_url(value); - if (m && m[uriDomain]) return m[uriDomain]; - } - - var extFromPage = /\.[^.]+$/; - function extract_ext(value) { - var page = extract_page(value); - if (page) { - var m = page.match(extFromPage); - if (m) return m[0]; - } - } - - function ext(dst, src) { - return url_wrapper(dst, src, extract_ext); - } - - function fqdn(dst, src) { - // TODO: fqdn and domain(eTLD+1) are currently the same. - return domain(dst, src); - } - - var pageFromPathRegExp = /\/([^\/]+)$/; - var pageName = 1; - - function extract_page(value) { - value = extract_path(value); - if (!value) return undefined; - var m = value.match(pageFromPathRegExp); - if (m) return m[pageName]; - } - - function page(dst, src) { - return url_wrapper(dst, src, extract_page); - } - - function extract_path(value) { - var m = split_url(value); - return m? m[uriPath] || m[uriPathAlt] : undefined; - } - - function path(dst, src) { - return url_wrapper(dst, src, extract_path); - } - - // Map common schemes to their default port. 
- // port has to be a string (will be converted at a later stage). - var schemePort = { - "ftp": "21", - "ssh": "22", - "http": "80", - "https": "443", - }; - - function extract_port(value) { - var m = split_url(value); - if (!m) return undefined; - if (m[uriPort]) return m[uriPort]; - if (m[uriScheme]) { - return schemePort[m[uriScheme]]; - } - } - - function port(dst, src) { - return url_wrapper(dst, src, extract_port); - } - - function extract_query(value) { - var m = split_url(value); - if (m && m[uriQuery]) return m[uriQuery]; - } - - function query(dst, src) { - return url_wrapper(dst, src, extract_query); - } - - function extract_root(value) { - var m = split_url(value); - if (m && m[uriDomain] && m[uriDomain]) { - var scheme = m[uriScheme] && m[uriScheme] !== "null"? - m[uriScheme] + "://" : ""; - var port = m[uriPort]? ":" + m[uriPort] : ""; - return scheme + m[uriDomain] + port; - } - } - - function root(dst, src) { - return url_wrapper(dst, src, extract_root); - } - - function tagval(id, src, cfg, keys, on_success) { - var fail = function(evt) { - evt.Put(FLAG_FIELD, "tagval_parsing_error"); - } - if (cfg.kv_separator.length !== 1) { - throw("Invalid TAGVALMAP ValueDelimiter (must have 1 character)"); - } - var quotes_len = cfg.open_quote.length > 0 && cfg.close_quote.length > 0? 
- cfg.open_quote.length + cfg.close_quote.length : 0; - var kv_regex = new RegExp('^([^' + cfg.kv_separator + ']*)*' + cfg.kv_separator + ' *(.*)*$'); - return function(evt) { - var msg = evt.Get(src); - if (msg === undefined) { - console.warn("tagval: input field is missing"); - return fail(evt); - } - var pairs = msg.split(cfg.pair_separator); - var i; - var success = false; - var prev = ""; - for (i=0; i 0 && - value.length >= cfg.open_quote.length + cfg.close_quote.length && - value.substr(0, cfg.open_quote.length) === cfg.open_quote && - value.substr(value.length - cfg.close_quote.length) === cfg.close_quote) { - value = value.substr(cfg.open_quote.length, value.length - quotes_len); - } - evt.Put(FIELDS_PREFIX + field, value); - success = true; - } - if (!success) { - return fail(evt); - } - if (on_success != null) { - on_success(evt); - } - } - } - - var ecs_mappings = { - "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]}, - "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]}, - "_severity": {convert: to_long, to:[{field: "log.syslog.severity.code", setter: fld_set}]}, - "action": {to:[{field: "event.action", setter: fld_prio, prio: 0}]}, - "administrator": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 4}]}, - "alias.ip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 3},{field: "related.ip", setter: fld_append}]}, - "alias.ipv6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 4},{field: "related.ip", setter: fld_append}]}, - "alias.mac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 1}]}, - "application": {to:[{field: "network.application", setter: fld_set}]}, - "bytes": {convert: to_long, to:[{field: "network.bytes", setter: fld_set}]}, - "c_domain": {to:[{field: "source.domain", setter: fld_prio, prio: 1}]}, - "c_logon_id": {to:[{field: "user.id", setter: fld_prio, prio: 2}]}, - 
"c_user_name": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 8}]}, - "c_username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 2}]}, - "cctld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 1}]}, - "child_pid": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 1}]}, - "child_pid_val": {to:[{field: "process.title", setter: fld_set}]}, - "child_process": {to:[{field: "process.name", setter: fld_prio, prio: 1}]}, - "city.dst": {to:[{field: "destination.geo.city_name", setter: fld_set}]}, - "city.src": {to:[{field: "source.geo.city_name", setter: fld_set}]}, - "daddr": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, - "daddr_v6": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, - "ddomain": {to:[{field: "destination.domain", setter: fld_prio, prio: 0}]}, - "devicehostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, - "devicehostmac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 0}]}, - "dhost": {to:[{field: "destination.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]}, - "dinterface": {to:[{field: "observer.egress.interface.name", setter: fld_set}]}, - "direction": {to:[{field: "network.direction", setter: fld_set}]}, - "directory": {to:[{field: "file.directory", setter: fld_set}]}, - "dmacaddr": {convert: to_mac, to:[{field: "destination.mac", setter: fld_set}]}, - "dns.responsetype": {to:[{field: "dns.answers.type", setter: fld_set}]}, - "dns.resptext": {to:[{field: "dns.answers.name", setter: fld_set}]}, - "dns_querytype": {to:[{field: "dns.question.type", setter: fld_set}]}, - "domain": {to:[{field: "server.domain", setter: fld_prio, prio: 0},{field: "related.hosts", setter: fld_append}]}, - 
"domain.dst": {to:[{field: "destination.domain", setter: fld_prio, prio: 1}]}, - "domain.src": {to:[{field: "source.domain", setter: fld_prio, prio: 2}]}, - "domain_id": {to:[{field: "user.domain", setter: fld_set}]}, - "domainname": {to:[{field: "server.domain", setter: fld_prio, prio: 1}]}, - "dport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 0}]}, - "dtransaddr": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, - "dtransport": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 0}]}, - "ec_outcome": {to:[{field: "event.outcome", setter: fld_ecs_outcome}]}, - "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]}, - "event_source": {to:[{field: "related.hosts", setter: fld_append}]}, - "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]}, - "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]}, - "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]}, - "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]}, - "filename": {to:[{field: "file.name", setter: fld_prio, prio: 0}]}, - "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]}, - "filepath": {to:[{field: "file.path", setter: fld_set}]}, - "filetype": {to:[{field: "file.type", setter: fld_set}]}, - "fqdn": {to:[{field: "related.hosts", setter: fld_append}]}, - "group": {to:[{field: "group.name", setter: fld_set}]}, - "groupid": {to:[{field: "group.id", setter: fld_set}]}, - "host": {to:[{field: "host.name", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]}, - "hostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, - "hostip_v6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, - "hostname": {to:[{field: 
"host.name", setter: fld_prio, prio: 0}]}, - "id": {to:[{field: "event.code", setter: fld_prio, prio: 0}]}, - "interface": {to:[{field: "network.interface.name", setter: fld_set}]}, - "ip.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, - "ip.trans.dst": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, - "ip.trans.src": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, - "ipv6.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, - "latdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lat", setter: fld_set}]}, - "latdec_src": {convert: to_double, to:[{field: "source.geo.location.lat", setter: fld_set}]}, - "location_city": {to:[{field: "geo.city_name", setter: fld_set}]}, - "location_country": {to:[{field: "geo.country_name", setter: fld_set}]}, - "location_desc": {to:[{field: "geo.name", setter: fld_set}]}, - "location_dst": {to:[{field: "destination.geo.country_name", setter: fld_set}]}, - "location_src": {to:[{field: "source.geo.country_name", setter: fld_set}]}, - "location_state": {to:[{field: "geo.region_name", setter: fld_set}]}, - "logon_id": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 5}]}, - "longdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lon", setter: fld_set}]}, - "longdec_src": {convert: to_double, to:[{field: "source.geo.location.lon", setter: fld_set}]}, - "macaddr": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 2}]}, - "messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]}, - "method": {to:[{field: "http.request.method", setter: fld_set}]}, - "msg": {to:[{field: "message", setter: fld_set}]}, - "orig_ip": {convert: to_ip, 
to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, - "owner": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 6}]}, - "packets": {convert: to_long, to:[{field: "network.packets", setter: fld_set}]}, - "parent_pid": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 0}]}, - "parent_pid_val": {to:[{field: "process.parent.title", setter: fld_set}]}, - "parent_process": {to:[{field: "process.parent.name", setter: fld_prio, prio: 0}]}, - "patient_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 1}]}, - "port.dst": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 1}]}, - "port.src": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 1}]}, - "port.trans.dst": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 1}]}, - "port.trans.src": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 1}]}, - "process": {to:[{field: "process.name", setter: fld_prio, prio: 0}]}, - "process_id": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 0}]}, - "process_id_src": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 1}]}, - "process_src": {to:[{field: "process.parent.name", setter: fld_prio, prio: 1}]}, - "product": {to:[{field: "observer.product", setter: fld_set}]}, - "protocol": {to:[{field: "network.protocol", setter: fld_set}]}, - "query": {to:[{field: "url.query", setter: fld_prio, prio: 2}]}, - "rbytes": {convert: to_long, to:[{field: "destination.bytes", setter: fld_set}]}, - "referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 1}]}, - "rulename": {to:[{field: "rule.name", setter: fld_set}]}, - "saddr": {convert: to_ip, to:[{field: "source.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, - "saddr_v6": {convert: to_ip, to:[{field: "source.ip", setter: 
fld_set},{field: "related.ip", setter: fld_append}]}, - "sbytes": {convert: to_long, to:[{field: "source.bytes", setter: fld_set}]}, - "sdomain": {to:[{field: "source.domain", setter: fld_prio, prio: 0}]}, - "service": {to:[{field: "service.name", setter: fld_prio, prio: 1}]}, - "service.name": {to:[{field: "service.name", setter: fld_prio, prio: 0}]}, - "service_account": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 7}]}, - "severity": {to:[{field: "log.level", setter: fld_set}]}, - "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]}, - "sinterface": {to:[{field: "observer.ingress.interface.name", setter: fld_set}]}, - "sld": {to:[{field: "url.registered_domain", setter: fld_set}]}, - "smacaddr": {convert: to_mac, to:[{field: "source.mac", setter: fld_set}]}, - "sport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 0}]}, - "stransaddr": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, - "stransport": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 0}]}, - "tcp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 2}]}, - "tcp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 2}]}, - "timezone": {to:[{field: "event.timezone", setter: fld_set}]}, - "tld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 0}]}, - "udp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 3}]}, - "udp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 3}]}, - "uid": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 3}]}, - "url": {to:[{field: "url.original", setter: fld_prio, prio: 1}]}, - "url_raw": {to:[{field: "url.original", setter: fld_prio, prio: 
0}]}, - "urldomain": {to:[{field: "url.domain", setter: fld_prio, prio: 0}]}, - "urlquery": {to:[{field: "url.query", setter: fld_prio, prio: 0}]}, - "user": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 0}]}, - "user.id": {to:[{field: "user.id", setter: fld_prio, prio: 1}]}, - "user_agent": {to:[{field: "user_agent.original", setter: fld_set}]}, - "user_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 0}]}, - "user_id": {to:[{field: "user.id", setter: fld_prio, prio: 0}]}, - "username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 1}]}, - "version": {to:[{field: "observer.version", setter: fld_set}]}, - "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]}, - "web_extension": {to:[{field: "file.extension", setter: fld_prio, prio: 0}]}, - "web_query": {to:[{field: "url.query", setter: fld_prio, prio: 1}]}, - "web_ref_domain": {to:[{field: "related.hosts", setter: fld_append}]}, - "web_referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 0}]}, - "web_root": {to:[{field: "url.path", setter: fld_set}]}, - "webpage": {to:[{field: "file.name", setter: fld_prio, prio: 1}]}, - }; - - var rsa_mappings = { - "access_point": {to:[{field: "rsa.wireless.access_point", setter: fld_set}]}, - "accesses": {to:[{field: "rsa.identity.accesses", setter: fld_set}]}, - "acl_id": {to:[{field: "rsa.misc.acl_id", setter: fld_set}]}, - "acl_op": {to:[{field: "rsa.misc.acl_op", setter: fld_set}]}, - "acl_pos": {to:[{field: "rsa.misc.acl_pos", setter: fld_set}]}, - "acl_table": {to:[{field: "rsa.misc.acl_table", setter: fld_set}]}, - "action": {to:[{field: "rsa.misc.action", setter: fld_append}]}, - "ad_computer_dst": {to:[{field: "rsa.network.ad_computer_dst", setter: fld_set}]}, - "addr": {to:[{field: "rsa.network.addr", setter: fld_set}]}, - "admin": {to:[{field: "rsa.misc.admin", setter: 
fld_set}]}, - "agent": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 0}]}, - "agent.id": {to:[{field: "rsa.misc.agent_id", setter: fld_set}]}, - "alarm_id": {to:[{field: "rsa.misc.alarm_id", setter: fld_set}]}, - "alarmname": {to:[{field: "rsa.misc.alarmname", setter: fld_set}]}, - "alert": {to:[{field: "rsa.threat.alert", setter: fld_set}]}, - "alert_id": {to:[{field: "rsa.misc.alert_id", setter: fld_set}]}, - "alias.host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "analysis.file": {to:[{field: "rsa.investigations.analysis_file", setter: fld_set}]}, - "analysis.service": {to:[{field: "rsa.investigations.analysis_service", setter: fld_set}]}, - "analysis.session": {to:[{field: "rsa.investigations.analysis_session", setter: fld_set}]}, - "app_id": {to:[{field: "rsa.misc.app_id", setter: fld_set}]}, - "attachment": {to:[{field: "rsa.file.attachment", setter: fld_set}]}, - "audit": {to:[{field: "rsa.misc.audit", setter: fld_set}]}, - "audit_class": {to:[{field: "rsa.internal.audit_class", setter: fld_set}]}, - "audit_object": {to:[{field: "rsa.misc.audit_object", setter: fld_set}]}, - "auditdata": {to:[{field: "rsa.misc.auditdata", setter: fld_set}]}, - "authmethod": {to:[{field: "rsa.identity.auth_method", setter: fld_set}]}, - "autorun_type": {to:[{field: "rsa.misc.autorun_type", setter: fld_set}]}, - "bcc": {to:[{field: "rsa.email.email", setter: fld_append}]}, - "benchmark": {to:[{field: "rsa.misc.benchmark", setter: fld_set}]}, - "binary": {to:[{field: "rsa.file.binary", setter: fld_set}]}, - "boc": {to:[{field: "rsa.investigations.boc", setter: fld_set}]}, - "bssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 1}]}, - "bypass": {to:[{field: "rsa.misc.bypass", setter: fld_set}]}, - "c_sid": {to:[{field: "rsa.identity.user_sid_src", setter: fld_set}]}, - "cache": {to:[{field: "rsa.misc.cache", setter: fld_set}]}, - "cache_hit": {to:[{field: "rsa.misc.cache_hit", setter: fld_set}]}, - "calling_from": {to:[{field: 
"rsa.misc.phone", setter: fld_prio, prio: 1}]}, - "calling_to": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 0}]}, - "category": {to:[{field: "rsa.misc.category", setter: fld_set}]}, - "cc": {to:[{field: "rsa.email.email", setter: fld_append}]}, - "cc.number": {convert: to_long, to:[{field: "rsa.misc.cc_number", setter: fld_set}]}, - "cefversion": {to:[{field: "rsa.misc.cefversion", setter: fld_set}]}, - "cert.serial": {to:[{field: "rsa.crypto.cert_serial", setter: fld_set}]}, - "cert_ca": {to:[{field: "rsa.crypto.cert_ca", setter: fld_set}]}, - "cert_checksum": {to:[{field: "rsa.crypto.cert_checksum", setter: fld_set}]}, - "cert_common": {to:[{field: "rsa.crypto.cert_common", setter: fld_set}]}, - "cert_error": {to:[{field: "rsa.crypto.cert_error", setter: fld_set}]}, - "cert_hostname": {to:[{field: "rsa.crypto.cert_host_name", setter: fld_set}]}, - "cert_hostname_cat": {to:[{field: "rsa.crypto.cert_host_cat", setter: fld_set}]}, - "cert_issuer": {to:[{field: "rsa.crypto.cert_issuer", setter: fld_set}]}, - "cert_keysize": {to:[{field: "rsa.crypto.cert_keysize", setter: fld_set}]}, - "cert_status": {to:[{field: "rsa.crypto.cert_status", setter: fld_set}]}, - "cert_subject": {to:[{field: "rsa.crypto.cert_subject", setter: fld_set}]}, - "cert_username": {to:[{field: "rsa.crypto.cert_username", setter: fld_set}]}, - "cfg.attr": {to:[{field: "rsa.misc.cfg_attr", setter: fld_set}]}, - "cfg.obj": {to:[{field: "rsa.misc.cfg_obj", setter: fld_set}]}, - "cfg.path": {to:[{field: "rsa.misc.cfg_path", setter: fld_set}]}, - "change_attribute": {to:[{field: "rsa.misc.change_attrib", setter: fld_set}]}, - "change_new": {to:[{field: "rsa.misc.change_new", setter: fld_set}]}, - "change_old": {to:[{field: "rsa.misc.change_old", setter: fld_set}]}, - "changes": {to:[{field: "rsa.misc.changes", setter: fld_set}]}, - "checksum": {to:[{field: "rsa.misc.checksum", setter: fld_set}]}, - "checksum.dst": {to:[{field: "rsa.misc.checksum_dst", setter: fld_set}]}, - "checksum.src": 
{to:[{field: "rsa.misc.checksum_src", setter: fld_set}]}, - "cid": {to:[{field: "rsa.internal.cid", setter: fld_set}]}, - "client": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 1}]}, - "client_ip": {to:[{field: "rsa.misc.client_ip", setter: fld_set}]}, - "clustermembers": {to:[{field: "rsa.misc.clustermembers", setter: fld_set}]}, - "cmd": {to:[{field: "rsa.misc.cmd", setter: fld_set}]}, - "cn_acttimeout": {to:[{field: "rsa.misc.cn_acttimeout", setter: fld_set}]}, - "cn_asn_dst": {to:[{field: "rsa.web.cn_asn_dst", setter: fld_set}]}, - "cn_asn_src": {to:[{field: "rsa.misc.cn_asn_src", setter: fld_set}]}, - "cn_bgpv4nxthop": {to:[{field: "rsa.misc.cn_bgpv4nxthop", setter: fld_set}]}, - "cn_ctr_dst_code": {to:[{field: "rsa.misc.cn_ctr_dst_code", setter: fld_set}]}, - "cn_dst_tos": {to:[{field: "rsa.misc.cn_dst_tos", setter: fld_set}]}, - "cn_dst_vlan": {to:[{field: "rsa.misc.cn_dst_vlan", setter: fld_set}]}, - "cn_engine_id": {to:[{field: "rsa.misc.cn_engine_id", setter: fld_set}]}, - "cn_engine_type": {to:[{field: "rsa.misc.cn_engine_type", setter: fld_set}]}, - "cn_f_switch": {to:[{field: "rsa.misc.cn_f_switch", setter: fld_set}]}, - "cn_flowsampid": {to:[{field: "rsa.misc.cn_flowsampid", setter: fld_set}]}, - "cn_flowsampintv": {to:[{field: "rsa.misc.cn_flowsampintv", setter: fld_set}]}, - "cn_flowsampmode": {to:[{field: "rsa.misc.cn_flowsampmode", setter: fld_set}]}, - "cn_inacttimeout": {to:[{field: "rsa.misc.cn_inacttimeout", setter: fld_set}]}, - "cn_inpermbyts": {to:[{field: "rsa.misc.cn_inpermbyts", setter: fld_set}]}, - "cn_inpermpckts": {to:[{field: "rsa.misc.cn_inpermpckts", setter: fld_set}]}, - "cn_invalid": {to:[{field: "rsa.misc.cn_invalid", setter: fld_set}]}, - "cn_ip_proto_ver": {to:[{field: "rsa.misc.cn_ip_proto_ver", setter: fld_set}]}, - "cn_ipv4_ident": {to:[{field: "rsa.misc.cn_ipv4_ident", setter: fld_set}]}, - "cn_l_switch": {to:[{field: "rsa.misc.cn_l_switch", setter: fld_set}]}, - "cn_log_did": {to:[{field: 
"rsa.misc.cn_log_did", setter: fld_set}]}, - "cn_log_rid": {to:[{field: "rsa.misc.cn_log_rid", setter: fld_set}]}, - "cn_max_ttl": {to:[{field: "rsa.misc.cn_max_ttl", setter: fld_set}]}, - "cn_maxpcktlen": {to:[{field: "rsa.misc.cn_maxpcktlen", setter: fld_set}]}, - "cn_min_ttl": {to:[{field: "rsa.misc.cn_min_ttl", setter: fld_set}]}, - "cn_minpcktlen": {to:[{field: "rsa.misc.cn_minpcktlen", setter: fld_set}]}, - "cn_mpls_lbl_1": {to:[{field: "rsa.misc.cn_mpls_lbl_1", setter: fld_set}]}, - "cn_mpls_lbl_10": {to:[{field: "rsa.misc.cn_mpls_lbl_10", setter: fld_set}]}, - "cn_mpls_lbl_2": {to:[{field: "rsa.misc.cn_mpls_lbl_2", setter: fld_set}]}, - "cn_mpls_lbl_3": {to:[{field: "rsa.misc.cn_mpls_lbl_3", setter: fld_set}]}, - "cn_mpls_lbl_4": {to:[{field: "rsa.misc.cn_mpls_lbl_4", setter: fld_set}]}, - "cn_mpls_lbl_5": {to:[{field: "rsa.misc.cn_mpls_lbl_5", setter: fld_set}]}, - "cn_mpls_lbl_6": {to:[{field: "rsa.misc.cn_mpls_lbl_6", setter: fld_set}]}, - "cn_mpls_lbl_7": {to:[{field: "rsa.misc.cn_mpls_lbl_7", setter: fld_set}]}, - "cn_mpls_lbl_8": {to:[{field: "rsa.misc.cn_mpls_lbl_8", setter: fld_set}]}, - "cn_mpls_lbl_9": {to:[{field: "rsa.misc.cn_mpls_lbl_9", setter: fld_set}]}, - "cn_mplstoplabel": {to:[{field: "rsa.misc.cn_mplstoplabel", setter: fld_set}]}, - "cn_mplstoplabip": {to:[{field: "rsa.misc.cn_mplstoplabip", setter: fld_set}]}, - "cn_mul_dst_byt": {to:[{field: "rsa.misc.cn_mul_dst_byt", setter: fld_set}]}, - "cn_mul_dst_pks": {to:[{field: "rsa.misc.cn_mul_dst_pks", setter: fld_set}]}, - "cn_muligmptype": {to:[{field: "rsa.misc.cn_muligmptype", setter: fld_set}]}, - "cn_rpackets": {to:[{field: "rsa.web.cn_rpackets", setter: fld_set}]}, - "cn_sampalgo": {to:[{field: "rsa.misc.cn_sampalgo", setter: fld_set}]}, - "cn_sampint": {to:[{field: "rsa.misc.cn_sampint", setter: fld_set}]}, - "cn_seqctr": {to:[{field: "rsa.misc.cn_seqctr", setter: fld_set}]}, - "cn_spackets": {to:[{field: "rsa.misc.cn_spackets", setter: fld_set}]}, - "cn_src_tos": {to:[{field: 
"rsa.misc.cn_src_tos", setter: fld_set}]}, - "cn_src_vlan": {to:[{field: "rsa.misc.cn_src_vlan", setter: fld_set}]}, - "cn_sysuptime": {to:[{field: "rsa.misc.cn_sysuptime", setter: fld_set}]}, - "cn_template_id": {to:[{field: "rsa.misc.cn_template_id", setter: fld_set}]}, - "cn_totbytsexp": {to:[{field: "rsa.misc.cn_totbytsexp", setter: fld_set}]}, - "cn_totflowexp": {to:[{field: "rsa.misc.cn_totflowexp", setter: fld_set}]}, - "cn_totpcktsexp": {to:[{field: "rsa.misc.cn_totpcktsexp", setter: fld_set}]}, - "cn_unixnanosecs": {to:[{field: "rsa.misc.cn_unixnanosecs", setter: fld_set}]}, - "cn_v6flowlabel": {to:[{field: "rsa.misc.cn_v6flowlabel", setter: fld_set}]}, - "cn_v6optheaders": {to:[{field: "rsa.misc.cn_v6optheaders", setter: fld_set}]}, - "code": {to:[{field: "rsa.misc.code", setter: fld_set}]}, - "command": {to:[{field: "rsa.misc.command", setter: fld_set}]}, - "comments": {to:[{field: "rsa.misc.comments", setter: fld_set}]}, - "comp_class": {to:[{field: "rsa.misc.comp_class", setter: fld_set}]}, - "comp_name": {to:[{field: "rsa.misc.comp_name", setter: fld_set}]}, - "comp_rbytes": {to:[{field: "rsa.misc.comp_rbytes", setter: fld_set}]}, - "comp_sbytes": {to:[{field: "rsa.misc.comp_sbytes", setter: fld_set}]}, - "component_version": {to:[{field: "rsa.misc.comp_version", setter: fld_set}]}, - "connection_id": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 1}]}, - "connectionid": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 0}]}, - "content": {to:[{field: "rsa.misc.content", setter: fld_set}]}, - "content_type": {to:[{field: "rsa.misc.content_type", setter: fld_set}]}, - "content_version": {to:[{field: "rsa.misc.content_version", setter: fld_set}]}, - "context": {to:[{field: "rsa.misc.context", setter: fld_set}]}, - "count": {to:[{field: "rsa.misc.count", setter: fld_set}]}, - "cpu": {convert: to_long, to:[{field: "rsa.misc.cpu", setter: fld_set}]}, - "cpu_data": {to:[{field: "rsa.misc.cpu_data", setter: fld_set}]}, - 
"criticality": {to:[{field: "rsa.misc.criticality", setter: fld_set}]}, - "cs_agency_dst": {to:[{field: "rsa.misc.cs_agency_dst", setter: fld_set}]}, - "cs_analyzedby": {to:[{field: "rsa.misc.cs_analyzedby", setter: fld_set}]}, - "cs_av_other": {to:[{field: "rsa.misc.cs_av_other", setter: fld_set}]}, - "cs_av_primary": {to:[{field: "rsa.misc.cs_av_primary", setter: fld_set}]}, - "cs_av_secondary": {to:[{field: "rsa.misc.cs_av_secondary", setter: fld_set}]}, - "cs_bgpv6nxthop": {to:[{field: "rsa.misc.cs_bgpv6nxthop", setter: fld_set}]}, - "cs_bit9status": {to:[{field: "rsa.misc.cs_bit9status", setter: fld_set}]}, - "cs_context": {to:[{field: "rsa.misc.cs_context", setter: fld_set}]}, - "cs_control": {to:[{field: "rsa.misc.cs_control", setter: fld_set}]}, - "cs_data": {to:[{field: "rsa.misc.cs_data", setter: fld_set}]}, - "cs_datecret": {to:[{field: "rsa.misc.cs_datecret", setter: fld_set}]}, - "cs_dst_tld": {to:[{field: "rsa.misc.cs_dst_tld", setter: fld_set}]}, - "cs_eth_dst_ven": {to:[{field: "rsa.misc.cs_eth_dst_ven", setter: fld_set}]}, - "cs_eth_src_ven": {to:[{field: "rsa.misc.cs_eth_src_ven", setter: fld_set}]}, - "cs_event_uuid": {to:[{field: "rsa.misc.cs_event_uuid", setter: fld_set}]}, - "cs_filetype": {to:[{field: "rsa.misc.cs_filetype", setter: fld_set}]}, - "cs_fld": {to:[{field: "rsa.misc.cs_fld", setter: fld_set}]}, - "cs_if_desc": {to:[{field: "rsa.misc.cs_if_desc", setter: fld_set}]}, - "cs_if_name": {to:[{field: "rsa.misc.cs_if_name", setter: fld_set}]}, - "cs_ip_next_hop": {to:[{field: "rsa.misc.cs_ip_next_hop", setter: fld_set}]}, - "cs_ipv4dstpre": {to:[{field: "rsa.misc.cs_ipv4dstpre", setter: fld_set}]}, - "cs_ipv4srcpre": {to:[{field: "rsa.misc.cs_ipv4srcpre", setter: fld_set}]}, - "cs_lifetime": {to:[{field: "rsa.misc.cs_lifetime", setter: fld_set}]}, - "cs_log_medium": {to:[{field: "rsa.misc.cs_log_medium", setter: fld_set}]}, - "cs_loginname": {to:[{field: "rsa.misc.cs_loginname", setter: fld_set}]}, - "cs_modulescore": {to:[{field: 
"rsa.misc.cs_modulescore", setter: fld_set}]}, - "cs_modulesign": {to:[{field: "rsa.misc.cs_modulesign", setter: fld_set}]}, - "cs_opswatresult": {to:[{field: "rsa.misc.cs_opswatresult", setter: fld_set}]}, - "cs_payload": {to:[{field: "rsa.misc.cs_payload", setter: fld_set}]}, - "cs_registrant": {to:[{field: "rsa.misc.cs_registrant", setter: fld_set}]}, - "cs_registrar": {to:[{field: "rsa.misc.cs_registrar", setter: fld_set}]}, - "cs_represult": {to:[{field: "rsa.misc.cs_represult", setter: fld_set}]}, - "cs_rpayload": {to:[{field: "rsa.misc.cs_rpayload", setter: fld_set}]}, - "cs_sampler_name": {to:[{field: "rsa.misc.cs_sampler_name", setter: fld_set}]}, - "cs_sourcemodule": {to:[{field: "rsa.misc.cs_sourcemodule", setter: fld_set}]}, - "cs_streams": {to:[{field: "rsa.misc.cs_streams", setter: fld_set}]}, - "cs_targetmodule": {to:[{field: "rsa.misc.cs_targetmodule", setter: fld_set}]}, - "cs_v6nxthop": {to:[{field: "rsa.misc.cs_v6nxthop", setter: fld_set}]}, - "cs_whois_server": {to:[{field: "rsa.misc.cs_whois_server", setter: fld_set}]}, - "cs_yararesult": {to:[{field: "rsa.misc.cs_yararesult", setter: fld_set}]}, - "cve": {to:[{field: "rsa.misc.cve", setter: fld_set}]}, - "d_certauth": {to:[{field: "rsa.crypto.d_certauth", setter: fld_set}]}, - "d_cipher": {to:[{field: "rsa.crypto.cipher_dst", setter: fld_set}]}, - "d_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_dst", setter: fld_set}]}, - "d_sslver": {to:[{field: "rsa.crypto.ssl_ver_dst", setter: fld_set}]}, - "data": {to:[{field: "rsa.internal.data", setter: fld_set}]}, - "data_type": {to:[{field: "rsa.misc.data_type", setter: fld_set}]}, - "date": {to:[{field: "rsa.time.date", setter: fld_set}]}, - "datetime": {to:[{field: "rsa.time.datetime", setter: fld_set}]}, - "day": {to:[{field: "rsa.time.day", setter: fld_set}]}, - "db_id": {to:[{field: "rsa.db.db_id", setter: fld_set}]}, - "db_name": {to:[{field: "rsa.db.database", setter: fld_set}]}, - "db_pid": {convert: to_long, to:[{field: 
"rsa.db.db_pid", setter: fld_set}]}, - "dclass_counter1": {convert: to_long, to:[{field: "rsa.counters.dclass_c1", setter: fld_set}]}, - "dclass_counter1_string": {to:[{field: "rsa.counters.dclass_c1_str", setter: fld_set}]}, - "dclass_counter2": {convert: to_long, to:[{field: "rsa.counters.dclass_c2", setter: fld_set}]}, - "dclass_counter2_string": {to:[{field: "rsa.counters.dclass_c2_str", setter: fld_set}]}, - "dclass_counter3": {convert: to_long, to:[{field: "rsa.counters.dclass_c3", setter: fld_set}]}, - "dclass_counter3_string": {to:[{field: "rsa.counters.dclass_c3_str", setter: fld_set}]}, - "dclass_ratio1": {to:[{field: "rsa.counters.dclass_r1", setter: fld_set}]}, - "dclass_ratio1_string": {to:[{field: "rsa.counters.dclass_r1_str", setter: fld_set}]}, - "dclass_ratio2": {to:[{field: "rsa.counters.dclass_r2", setter: fld_set}]}, - "dclass_ratio2_string": {to:[{field: "rsa.counters.dclass_r2_str", setter: fld_set}]}, - "dclass_ratio3": {to:[{field: "rsa.counters.dclass_r3", setter: fld_set}]}, - "dclass_ratio3_string": {to:[{field: "rsa.counters.dclass_r3_str", setter: fld_set}]}, - "dead": {convert: to_long, to:[{field: "rsa.internal.dead", setter: fld_set}]}, - "description": {to:[{field: "rsa.misc.description", setter: fld_set}]}, - "detail": {to:[{field: "rsa.misc.event_desc", setter: fld_set}]}, - "device": {to:[{field: "rsa.misc.device_name", setter: fld_set}]}, - "device.class": {to:[{field: "rsa.internal.device_class", setter: fld_set}]}, - "device.group": {to:[{field: "rsa.internal.device_group", setter: fld_set}]}, - "device.host": {to:[{field: "rsa.internal.device_host", setter: fld_set}]}, - "device.ip": {convert: to_ip, to:[{field: "rsa.internal.device_ip", setter: fld_set}]}, - "device.ipv6": {convert: to_ip, to:[{field: "rsa.internal.device_ipv6", setter: fld_set}]}, - "device.type": {to:[{field: "rsa.internal.device_type", setter: fld_set}]}, - "device.type.id": {convert: to_long, to:[{field: "rsa.internal.device_type_id", setter: fld_set}]}, 
- "devicehostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "devvendor": {to:[{field: "rsa.misc.devvendor", setter: fld_set}]}, - "dhost": {to:[{field: "rsa.network.host_dst", setter: fld_set}]}, - "did": {to:[{field: "rsa.internal.did", setter: fld_set}]}, - "dinterface": {to:[{field: "rsa.network.dinterface", setter: fld_set}]}, - "directory.dst": {to:[{field: "rsa.file.directory_dst", setter: fld_set}]}, - "directory.src": {to:[{field: "rsa.file.directory_src", setter: fld_set}]}, - "disk_volume": {to:[{field: "rsa.storage.disk_volume", setter: fld_set}]}, - "disposition": {to:[{field: "rsa.misc.disposition", setter: fld_set}]}, - "distance": {to:[{field: "rsa.misc.distance", setter: fld_set}]}, - "dmask": {to:[{field: "rsa.network.dmask", setter: fld_set}]}, - "dn": {to:[{field: "rsa.identity.dn", setter: fld_set}]}, - "dns_a_record": {to:[{field: "rsa.network.dns_a_record", setter: fld_set}]}, - "dns_cname_record": {to:[{field: "rsa.network.dns_cname_record", setter: fld_set}]}, - "dns_id": {to:[{field: "rsa.network.dns_id", setter: fld_set}]}, - "dns_opcode": {to:[{field: "rsa.network.dns_opcode", setter: fld_set}]}, - "dns_ptr_record": {to:[{field: "rsa.network.dns_ptr_record", setter: fld_set}]}, - "dns_resp": {to:[{field: "rsa.network.dns_resp", setter: fld_set}]}, - "dns_type": {to:[{field: "rsa.network.dns_type", setter: fld_set}]}, - "doc_number": {convert: to_long, to:[{field: "rsa.misc.doc_number", setter: fld_set}]}, - "domain": {to:[{field: "rsa.network.domain", setter: fld_set}]}, - "domain1": {to:[{field: "rsa.network.domain1", setter: fld_set}]}, - "dst_dn": {to:[{field: "rsa.identity.dn_dst", setter: fld_set}]}, - "dst_payload": {to:[{field: "rsa.misc.payload_dst", setter: fld_set}]}, - "dst_spi": {to:[{field: "rsa.misc.spi_dst", setter: fld_set}]}, - "dst_zone": {to:[{field: "rsa.network.zone_dst", setter: fld_set}]}, - "dstburb": {to:[{field: "rsa.misc.dstburb", setter: fld_set}]}, - "duration": {convert: to_double, 
to:[{field: "rsa.time.duration_time", setter: fld_set}]}, - "duration_string": {to:[{field: "rsa.time.duration_str", setter: fld_set}]}, - "ec_activity": {to:[{field: "rsa.investigations.ec_activity", setter: fld_set}]}, - "ec_outcome": {to:[{field: "rsa.investigations.ec_outcome", setter: fld_set}]}, - "ec_subject": {to:[{field: "rsa.investigations.ec_subject", setter: fld_set}]}, - "ec_theme": {to:[{field: "rsa.investigations.ec_theme", setter: fld_set}]}, - "edomain": {to:[{field: "rsa.misc.edomain", setter: fld_set}]}, - "edomaub": {to:[{field: "rsa.misc.edomaub", setter: fld_set}]}, - "effective_time": {convert: to_date, to:[{field: "rsa.time.effective_time", setter: fld_set}]}, - "ein.number": {convert: to_long, to:[{field: "rsa.misc.ein_number", setter: fld_set}]}, - "email": {to:[{field: "rsa.email.email", setter: fld_append}]}, - "encryption_type": {to:[{field: "rsa.crypto.crypto", setter: fld_set}]}, - "endtime": {convert: to_date, to:[{field: "rsa.time.endtime", setter: fld_set}]}, - "entropy.req": {convert: to_long, to:[{field: "rsa.internal.entropy_req", setter: fld_set}]}, - "entropy.res": {convert: to_long, to:[{field: "rsa.internal.entropy_res", setter: fld_set}]}, - "entry": {to:[{field: "rsa.internal.entry", setter: fld_set}]}, - "eoc": {to:[{field: "rsa.investigations.eoc", setter: fld_set}]}, - "error": {to:[{field: "rsa.misc.error", setter: fld_set}]}, - "eth_type": {convert: to_long, to:[{field: "rsa.network.eth_type", setter: fld_set}]}, - "euid": {to:[{field: "rsa.misc.euid", setter: fld_set}]}, - "event.cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 1}]}, - "event.cat.name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 1}]}, - "event_cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 0}]}, - "event_cat_name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 0}]}, - "event_category": {to:[{field: 
"rsa.misc.event_category", setter: fld_set}]}, - "event_computer": {to:[{field: "rsa.misc.event_computer", setter: fld_set}]}, - "event_counter": {convert: to_long, to:[{field: "rsa.counters.event_counter", setter: fld_set}]}, - "event_description": {to:[{field: "rsa.internal.event_desc", setter: fld_set}]}, - "event_id": {to:[{field: "rsa.misc.event_id", setter: fld_set}]}, - "event_log": {to:[{field: "rsa.misc.event_log", setter: fld_set}]}, - "event_name": {to:[{field: "rsa.internal.event_name", setter: fld_set}]}, - "event_queue_time": {convert: to_date, to:[{field: "rsa.time.event_queue_time", setter: fld_set}]}, - "event_source": {to:[{field: "rsa.misc.event_source", setter: fld_set}]}, - "event_state": {to:[{field: "rsa.misc.event_state", setter: fld_set}]}, - "event_time": {convert: to_date, to:[{field: "rsa.time.event_time", setter: fld_set}]}, - "event_time_str": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 1}]}, - "event_time_string": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 0}]}, - "event_type": {to:[{field: "rsa.misc.event_type", setter: fld_set}]}, - "event_user": {to:[{field: "rsa.misc.event_user", setter: fld_set}]}, - "eventtime": {to:[{field: "rsa.time.eventtime", setter: fld_set}]}, - "expected_val": {to:[{field: "rsa.misc.expected_val", setter: fld_set}]}, - "expiration_time": {convert: to_date, to:[{field: "rsa.time.expire_time", setter: fld_set}]}, - "expiration_time_string": {to:[{field: "rsa.time.expire_time_str", setter: fld_set}]}, - "facility": {to:[{field: "rsa.misc.facility", setter: fld_set}]}, - "facilityname": {to:[{field: "rsa.misc.facilityname", setter: fld_set}]}, - "faddr": {to:[{field: "rsa.network.faddr", setter: fld_set}]}, - "fcatnum": {to:[{field: "rsa.misc.fcatnum", setter: fld_set}]}, - "federated_idp": {to:[{field: "rsa.identity.federated_idp", setter: fld_set}]}, - "federated_sp": {to:[{field: "rsa.identity.federated_sp", setter: fld_set}]}, - "feed.category": {to:[{field: 
"rsa.internal.feed_category", setter: fld_set}]}, - "feed_desc": {to:[{field: "rsa.internal.feed_desc", setter: fld_set}]}, - "feed_name": {to:[{field: "rsa.internal.feed_name", setter: fld_set}]}, - "fhost": {to:[{field: "rsa.network.fhost", setter: fld_set}]}, - "file_entropy": {convert: to_double, to:[{field: "rsa.file.file_entropy", setter: fld_set}]}, - "file_vendor": {to:[{field: "rsa.file.file_vendor", setter: fld_set}]}, - "filename_dst": {to:[{field: "rsa.file.filename_dst", setter: fld_set}]}, - "filename_src": {to:[{field: "rsa.file.filename_src", setter: fld_set}]}, - "filename_tmp": {to:[{field: "rsa.file.filename_tmp", setter: fld_set}]}, - "filesystem": {to:[{field: "rsa.file.filesystem", setter: fld_set}]}, - "filter": {to:[{field: "rsa.misc.filter", setter: fld_set}]}, - "finterface": {to:[{field: "rsa.misc.finterface", setter: fld_set}]}, - "flags": {to:[{field: "rsa.misc.flags", setter: fld_set}]}, - "forensic_info": {to:[{field: "rsa.misc.forensic_info", setter: fld_set}]}, - "forward.ip": {convert: to_ip, to:[{field: "rsa.internal.forward_ip", setter: fld_set}]}, - "forward.ipv6": {convert: to_ip, to:[{field: "rsa.internal.forward_ipv6", setter: fld_set}]}, - "found": {to:[{field: "rsa.misc.found", setter: fld_set}]}, - "fport": {to:[{field: "rsa.network.fport", setter: fld_set}]}, - "fqdn": {to:[{field: "rsa.web.fqdn", setter: fld_set}]}, - "fresult": {convert: to_long, to:[{field: "rsa.misc.fresult", setter: fld_set}]}, - "from": {to:[{field: "rsa.email.email_src", setter: fld_set}]}, - "gaddr": {to:[{field: "rsa.misc.gaddr", setter: fld_set}]}, - "gateway": {to:[{field: "rsa.network.gateway", setter: fld_set}]}, - "gmtdate": {to:[{field: "rsa.time.gmtdate", setter: fld_set}]}, - "gmttime": {to:[{field: "rsa.time.gmttime", setter: fld_set}]}, - "group": {to:[{field: "rsa.misc.group", setter: fld_set}]}, - "group_object": {to:[{field: "rsa.misc.group_object", setter: fld_set}]}, - "groupid": {to:[{field: "rsa.misc.group_id", setter: 
fld_set}]}, - "h_code": {to:[{field: "rsa.internal.hcode", setter: fld_set}]}, - "hardware_id": {to:[{field: "rsa.misc.hardware_id", setter: fld_set}]}, - "header.id": {to:[{field: "rsa.internal.header_id", setter: fld_set}]}, - "host.orig": {to:[{field: "rsa.network.host_orig", setter: fld_set}]}, - "host.state": {to:[{field: "rsa.endpoint.host_state", setter: fld_set}]}, - "host.type": {to:[{field: "rsa.network.host_type", setter: fld_set}]}, - "host_role": {to:[{field: "rsa.identity.host_role", setter: fld_set}]}, - "hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "hostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "hour": {to:[{field: "rsa.time.hour", setter: fld_set}]}, - "https.insact": {to:[{field: "rsa.crypto.https_insact", setter: fld_set}]}, - "https.valid": {to:[{field: "rsa.crypto.https_valid", setter: fld_set}]}, - "icmpcode": {convert: to_long, to:[{field: "rsa.network.icmp_code", setter: fld_set}]}, - "icmptype": {convert: to_long, to:[{field: "rsa.network.icmp_type", setter: fld_set}]}, - "id": {to:[{field: "rsa.misc.reference_id", setter: fld_set}]}, - "id1": {to:[{field: "rsa.misc.reference_id1", setter: fld_set}]}, - "id2": {to:[{field: "rsa.misc.reference_id2", setter: fld_set}]}, - "id3": {to:[{field: "rsa.misc.id3", setter: fld_set}]}, - "ike": {to:[{field: "rsa.crypto.ike", setter: fld_set}]}, - "ike_cookie1": {to:[{field: "rsa.crypto.ike_cookie1", setter: fld_set}]}, - "ike_cookie2": {to:[{field: "rsa.crypto.ike_cookie2", setter: fld_set}]}, - "im_buddyid": {to:[{field: "rsa.misc.im_buddyid", setter: fld_set}]}, - "im_buddyname": {to:[{field: "rsa.misc.im_buddyname", setter: fld_set}]}, - "im_client": {to:[{field: "rsa.misc.im_client", setter: fld_set}]}, - "im_croomid": {to:[{field: "rsa.misc.im_croomid", setter: fld_set}]}, - "im_croomtype": {to:[{field: "rsa.misc.im_croomtype", setter: fld_set}]}, - "im_members": {to:[{field: "rsa.misc.im_members", setter: fld_set}]}, - "im_userid": 
{to:[{field: "rsa.misc.im_userid", setter: fld_set}]}, - "im_username": {to:[{field: "rsa.misc.im_username", setter: fld_set}]}, - "index": {to:[{field: "rsa.misc.index", setter: fld_set}]}, - "info": {to:[{field: "rsa.db.index", setter: fld_set}]}, - "inode": {convert: to_long, to:[{field: "rsa.internal.inode", setter: fld_set}]}, - "inout": {to:[{field: "rsa.misc.inout", setter: fld_set}]}, - "instance": {to:[{field: "rsa.db.instance", setter: fld_set}]}, - "interface": {to:[{field: "rsa.network.interface", setter: fld_set}]}, - "inv.category": {to:[{field: "rsa.investigations.inv_category", setter: fld_set}]}, - "inv.context": {to:[{field: "rsa.investigations.inv_context", setter: fld_set}]}, - "ioc": {to:[{field: "rsa.investigations.ioc", setter: fld_set}]}, - "ip_proto": {convert: to_long, to:[{field: "rsa.network.ip_proto", setter: fld_set}]}, - "ipkt": {to:[{field: "rsa.misc.ipkt", setter: fld_set}]}, - "ipscat": {to:[{field: "rsa.misc.ipscat", setter: fld_set}]}, - "ipspri": {to:[{field: "rsa.misc.ipspri", setter: fld_set}]}, - "jobname": {to:[{field: "rsa.misc.jobname", setter: fld_set}]}, - "jobnum": {to:[{field: "rsa.misc.job_num", setter: fld_set}]}, - "laddr": {to:[{field: "rsa.network.laddr", setter: fld_set}]}, - "language": {to:[{field: "rsa.misc.language", setter: fld_set}]}, - "latitude": {to:[{field: "rsa.misc.latitude", setter: fld_set}]}, - "lc.cid": {to:[{field: "rsa.internal.lc_cid", setter: fld_set}]}, - "lc.ctime": {convert: to_date, to:[{field: "rsa.internal.lc_ctime", setter: fld_set}]}, - "ldap": {to:[{field: "rsa.identity.ldap", setter: fld_set}]}, - "ldap.query": {to:[{field: "rsa.identity.ldap_query", setter: fld_set}]}, - "ldap.response": {to:[{field: "rsa.identity.ldap_response", setter: fld_set}]}, - "level": {convert: to_long, to:[{field: "rsa.internal.level", setter: fld_set}]}, - "lhost": {to:[{field: "rsa.network.lhost", setter: fld_set}]}, - "library": {to:[{field: "rsa.misc.library", setter: fld_set}]}, - "lifetime": 
{convert: to_long, to:[{field: "rsa.misc.lifetime", setter: fld_set}]}, - "linenum": {to:[{field: "rsa.misc.linenum", setter: fld_set}]}, - "link": {to:[{field: "rsa.misc.link", setter: fld_set}]}, - "linterface": {to:[{field: "rsa.network.linterface", setter: fld_set}]}, - "list_name": {to:[{field: "rsa.misc.list_name", setter: fld_set}]}, - "listnum": {to:[{field: "rsa.misc.listnum", setter: fld_set}]}, - "load_data": {to:[{field: "rsa.misc.load_data", setter: fld_set}]}, - "location_floor": {to:[{field: "rsa.misc.location_floor", setter: fld_set}]}, - "location_mark": {to:[{field: "rsa.misc.location_mark", setter: fld_set}]}, - "log_id": {to:[{field: "rsa.misc.log_id", setter: fld_set}]}, - "log_type": {to:[{field: "rsa.misc.log_type", setter: fld_set}]}, - "logid": {to:[{field: "rsa.misc.logid", setter: fld_set}]}, - "logip": {to:[{field: "rsa.misc.logip", setter: fld_set}]}, - "logname": {to:[{field: "rsa.misc.logname", setter: fld_set}]}, - "logon_type": {to:[{field: "rsa.identity.logon_type", setter: fld_set}]}, - "logon_type_desc": {to:[{field: "rsa.identity.logon_type_desc", setter: fld_set}]}, - "longitude": {to:[{field: "rsa.misc.longitude", setter: fld_set}]}, - "lport": {to:[{field: "rsa.misc.lport", setter: fld_set}]}, - "lread": {convert: to_long, to:[{field: "rsa.db.lread", setter: fld_set}]}, - "lun": {to:[{field: "rsa.storage.lun", setter: fld_set}]}, - "lwrite": {convert: to_long, to:[{field: "rsa.db.lwrite", setter: fld_set}]}, - "macaddr": {convert: to_mac, to:[{field: "rsa.network.eth_host", setter: fld_set}]}, - "mail_id": {to:[{field: "rsa.misc.mail_id", setter: fld_set}]}, - "mask": {to:[{field: "rsa.network.mask", setter: fld_set}]}, - "match": {to:[{field: "rsa.misc.match", setter: fld_set}]}, - "mbug_data": {to:[{field: "rsa.misc.mbug_data", setter: fld_set}]}, - "mcb.req": {convert: to_long, to:[{field: "rsa.internal.mcb_req", setter: fld_set}]}, - "mcb.res": {convert: to_long, to:[{field: "rsa.internal.mcb_res", setter: fld_set}]}, - 
"mcbc.req": {convert: to_long, to:[{field: "rsa.internal.mcbc_req", setter: fld_set}]}, - "mcbc.res": {convert: to_long, to:[{field: "rsa.internal.mcbc_res", setter: fld_set}]}, - "medium": {convert: to_long, to:[{field: "rsa.internal.medium", setter: fld_set}]}, - "message": {to:[{field: "rsa.internal.message", setter: fld_set}]}, - "message_body": {to:[{field: "rsa.misc.message_body", setter: fld_set}]}, - "messageid": {to:[{field: "rsa.internal.messageid", setter: fld_set}]}, - "min": {to:[{field: "rsa.time.min", setter: fld_set}]}, - "misc": {to:[{field: "rsa.misc.misc", setter: fld_set}]}, - "misc_name": {to:[{field: "rsa.misc.misc_name", setter: fld_set}]}, - "mode": {to:[{field: "rsa.misc.mode", setter: fld_set}]}, - "month": {to:[{field: "rsa.time.month", setter: fld_set}]}, - "msg": {to:[{field: "rsa.internal.msg", setter: fld_set}]}, - "msgIdPart1": {to:[{field: "rsa.misc.msgIdPart1", setter: fld_set}]}, - "msgIdPart2": {to:[{field: "rsa.misc.msgIdPart2", setter: fld_set}]}, - "msgIdPart3": {to:[{field: "rsa.misc.msgIdPart3", setter: fld_set}]}, - "msgIdPart4": {to:[{field: "rsa.misc.msgIdPart4", setter: fld_set}]}, - "msg_id": {to:[{field: "rsa.internal.msg_id", setter: fld_set}]}, - "msg_type": {to:[{field: "rsa.misc.msg_type", setter: fld_set}]}, - "msgid": {to:[{field: "rsa.misc.msgid", setter: fld_set}]}, - "name": {to:[{field: "rsa.misc.name", setter: fld_set}]}, - "netname": {to:[{field: "rsa.network.netname", setter: fld_set}]}, - "netsessid": {to:[{field: "rsa.misc.netsessid", setter: fld_set}]}, - "network_port": {convert: to_long, to:[{field: "rsa.network.network_port", setter: fld_set}]}, - "network_service": {to:[{field: "rsa.network.network_service", setter: fld_set}]}, - "node": {to:[{field: "rsa.misc.node", setter: fld_set}]}, - "nodename": {to:[{field: "rsa.internal.node_name", setter: fld_set}]}, - "ntype": {to:[{field: "rsa.misc.ntype", setter: fld_set}]}, - "num": {to:[{field: "rsa.misc.num", setter: fld_set}]}, - "number": 
{to:[{field: "rsa.misc.number", setter: fld_set}]}, - "number1": {to:[{field: "rsa.misc.number1", setter: fld_set}]}, - "number2": {to:[{field: "rsa.misc.number2", setter: fld_set}]}, - "nwe.callback_id": {to:[{field: "rsa.internal.nwe_callback_id", setter: fld_set}]}, - "nwwn": {to:[{field: "rsa.misc.nwwn", setter: fld_set}]}, - "obj_id": {to:[{field: "rsa.internal.obj_id", setter: fld_set}]}, - "obj_name": {to:[{field: "rsa.misc.obj_name", setter: fld_set}]}, - "obj_server": {to:[{field: "rsa.internal.obj_server", setter: fld_set}]}, - "obj_type": {to:[{field: "rsa.misc.obj_type", setter: fld_set}]}, - "obj_value": {to:[{field: "rsa.internal.obj_val", setter: fld_set}]}, - "object": {to:[{field: "rsa.misc.object", setter: fld_set}]}, - "observed_val": {to:[{field: "rsa.misc.observed_val", setter: fld_set}]}, - "operation": {to:[{field: "rsa.misc.operation", setter: fld_set}]}, - "operation_id": {to:[{field: "rsa.misc.operation_id", setter: fld_set}]}, - "opkt": {to:[{field: "rsa.misc.opkt", setter: fld_set}]}, - "org.dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 1}]}, - "org.src": {to:[{field: "rsa.physical.org_src", setter: fld_set}]}, - "org_dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 0}]}, - "orig_from": {to:[{field: "rsa.misc.orig_from", setter: fld_set}]}, - "origin": {to:[{field: "rsa.network.origin", setter: fld_set}]}, - "original_owner": {to:[{field: "rsa.identity.owner", setter: fld_set}]}, - "os": {to:[{field: "rsa.misc.OS", setter: fld_set}]}, - "owner_id": {to:[{field: "rsa.misc.owner_id", setter: fld_set}]}, - "p_action": {to:[{field: "rsa.misc.p_action", setter: fld_set}]}, - "p_date": {to:[{field: "rsa.time.p_date", setter: fld_set}]}, - "p_filter": {to:[{field: "rsa.misc.p_filter", setter: fld_set}]}, - "p_group_object": {to:[{field: "rsa.misc.p_group_object", setter: fld_set}]}, - "p_id": {to:[{field: "rsa.misc.p_id", setter: fld_set}]}, - "p_month": {to:[{field: "rsa.time.p_month", setter: fld_set}]}, 
- "p_msgid": {to:[{field: "rsa.misc.p_msgid", setter: fld_set}]}, - "p_msgid1": {to:[{field: "rsa.misc.p_msgid1", setter: fld_set}]}, - "p_msgid2": {to:[{field: "rsa.misc.p_msgid2", setter: fld_set}]}, - "p_result1": {to:[{field: "rsa.misc.p_result1", setter: fld_set}]}, - "p_time": {to:[{field: "rsa.time.p_time", setter: fld_set}]}, - "p_time1": {to:[{field: "rsa.time.p_time1", setter: fld_set}]}, - "p_time2": {to:[{field: "rsa.time.p_time2", setter: fld_set}]}, - "p_url": {to:[{field: "rsa.web.p_url", setter: fld_set}]}, - "p_user_agent": {to:[{field: "rsa.web.p_user_agent", setter: fld_set}]}, - "p_web_cookie": {to:[{field: "rsa.web.p_web_cookie", setter: fld_set}]}, - "p_web_method": {to:[{field: "rsa.web.p_web_method", setter: fld_set}]}, - "p_web_referer": {to:[{field: "rsa.web.p_web_referer", setter: fld_set}]}, - "p_year": {to:[{field: "rsa.time.p_year", setter: fld_set}]}, - "packet_length": {to:[{field: "rsa.network.packet_length", setter: fld_set}]}, - "paddr": {convert: to_ip, to:[{field: "rsa.network.paddr", setter: fld_set}]}, - "param": {to:[{field: "rsa.misc.param", setter: fld_set}]}, - "param.dst": {to:[{field: "rsa.misc.param_dst", setter: fld_set}]}, - "param.src": {to:[{field: "rsa.misc.param_src", setter: fld_set}]}, - "parent_node": {to:[{field: "rsa.misc.parent_node", setter: fld_set}]}, - "parse.error": {to:[{field: "rsa.internal.parse_error", setter: fld_set}]}, - "password": {to:[{field: "rsa.identity.password", setter: fld_set}]}, - "password_chg": {to:[{field: "rsa.misc.password_chg", setter: fld_set}]}, - "password_expire": {to:[{field: "rsa.misc.password_expire", setter: fld_set}]}, - "patient_fname": {to:[{field: "rsa.healthcare.patient_fname", setter: fld_set}]}, - "patient_id": {to:[{field: "rsa.healthcare.patient_id", setter: fld_set}]}, - "patient_lname": {to:[{field: "rsa.healthcare.patient_lname", setter: fld_set}]}, - "patient_mname": {to:[{field: "rsa.healthcare.patient_mname", setter: fld_set}]}, - "payload.req": {convert: 
to_long, to:[{field: "rsa.internal.payload_req", setter: fld_set}]}, - "payload.res": {convert: to_long, to:[{field: "rsa.internal.payload_res", setter: fld_set}]}, - "peer": {to:[{field: "rsa.crypto.peer", setter: fld_set}]}, - "peer_id": {to:[{field: "rsa.crypto.peer_id", setter: fld_set}]}, - "permgranted": {to:[{field: "rsa.misc.permgranted", setter: fld_set}]}, - "permissions": {to:[{field: "rsa.db.permissions", setter: fld_set}]}, - "permwanted": {to:[{field: "rsa.misc.permwanted", setter: fld_set}]}, - "pgid": {to:[{field: "rsa.misc.pgid", setter: fld_set}]}, - "phone_number": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 2}]}, - "phost": {to:[{field: "rsa.network.phost", setter: fld_set}]}, - "pid": {to:[{field: "rsa.misc.pid", setter: fld_set}]}, - "policy": {to:[{field: "rsa.misc.policy", setter: fld_set}]}, - "policyUUID": {to:[{field: "rsa.misc.policyUUID", setter: fld_set}]}, - "policy_id": {to:[{field: "rsa.misc.policy_id", setter: fld_set}]}, - "policy_value": {to:[{field: "rsa.misc.policy_value", setter: fld_set}]}, - "policy_waiver": {to:[{field: "rsa.misc.policy_waiver", setter: fld_set}]}, - "policyname": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 0}]}, - "pool_id": {to:[{field: "rsa.misc.pool_id", setter: fld_set}]}, - "pool_name": {to:[{field: "rsa.misc.pool_name", setter: fld_set}]}, - "port": {convert: to_long, to:[{field: "rsa.network.port", setter: fld_set}]}, - "portname": {to:[{field: "rsa.misc.port_name", setter: fld_set}]}, - "pread": {convert: to_long, to:[{field: "rsa.db.pread", setter: fld_set}]}, - "priority": {to:[{field: "rsa.misc.priority", setter: fld_set}]}, - "privilege": {to:[{field: "rsa.file.privilege", setter: fld_set}]}, - "process.vid.dst": {to:[{field: "rsa.internal.process_vid_dst", setter: fld_set}]}, - "process.vid.src": {to:[{field: "rsa.internal.process_vid_src", setter: fld_set}]}, - "process_id_val": {to:[{field: "rsa.misc.process_id_val", setter: fld_set}]}, - "processing_time": 
{to:[{field: "rsa.time.process_time", setter: fld_set}]}, - "profile": {to:[{field: "rsa.identity.profile", setter: fld_set}]}, - "prog_asp_num": {to:[{field: "rsa.misc.prog_asp_num", setter: fld_set}]}, - "program": {to:[{field: "rsa.misc.program", setter: fld_set}]}, - "protocol_detail": {to:[{field: "rsa.network.protocol_detail", setter: fld_set}]}, - "pwwn": {to:[{field: "rsa.storage.pwwn", setter: fld_set}]}, - "r_hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "real_data": {to:[{field: "rsa.misc.real_data", setter: fld_set}]}, - "realm": {to:[{field: "rsa.identity.realm", setter: fld_set}]}, - "reason": {to:[{field: "rsa.misc.reason", setter: fld_set}]}, - "rec_asp_device": {to:[{field: "rsa.misc.rec_asp_device", setter: fld_set}]}, - "rec_asp_num": {to:[{field: "rsa.misc.rec_asp_num", setter: fld_set}]}, - "rec_library": {to:[{field: "rsa.misc.rec_library", setter: fld_set}]}, - "recorded_time": {convert: to_date, to:[{field: "rsa.time.recorded_time", setter: fld_set}]}, - "recordnum": {to:[{field: "rsa.misc.recordnum", setter: fld_set}]}, - "registry.key": {to:[{field: "rsa.endpoint.registry_key", setter: fld_set}]}, - "registry.value": {to:[{field: "rsa.endpoint.registry_value", setter: fld_set}]}, - "remote_domain": {to:[{field: "rsa.web.remote_domain", setter: fld_set}]}, - "remote_domain_id": {to:[{field: "rsa.network.remote_domain_id", setter: fld_set}]}, - "reputation_num": {convert: to_double, to:[{field: "rsa.web.reputation_num", setter: fld_set}]}, - "resource": {to:[{field: "rsa.internal.resource", setter: fld_set}]}, - "resource_class": {to:[{field: "rsa.internal.resource_class", setter: fld_set}]}, - "result": {to:[{field: "rsa.misc.result", setter: fld_set}]}, - "result_code": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 1}]}, - "resultcode": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 0}]}, - "rid": {convert: to_long, to:[{field: "rsa.internal.rid", setter: fld_set}]}, - "risk": 
{to:[{field: "rsa.misc.risk", setter: fld_set}]}, - "risk_info": {to:[{field: "rsa.misc.risk_info", setter: fld_set}]}, - "risk_num": {convert: to_double, to:[{field: "rsa.misc.risk_num", setter: fld_set}]}, - "risk_num_comm": {convert: to_double, to:[{field: "rsa.misc.risk_num_comm", setter: fld_set}]}, - "risk_num_next": {convert: to_double, to:[{field: "rsa.misc.risk_num_next", setter: fld_set}]}, - "risk_num_sand": {convert: to_double, to:[{field: "rsa.misc.risk_num_sand", setter: fld_set}]}, - "risk_num_static": {convert: to_double, to:[{field: "rsa.misc.risk_num_static", setter: fld_set}]}, - "risk_suspicious": {to:[{field: "rsa.misc.risk_suspicious", setter: fld_set}]}, - "risk_warning": {to:[{field: "rsa.misc.risk_warning", setter: fld_set}]}, - "rpayload": {to:[{field: "rsa.network.rpayload", setter: fld_set}]}, - "ruid": {to:[{field: "rsa.misc.ruid", setter: fld_set}]}, - "rule": {to:[{field: "rsa.misc.rule", setter: fld_set}]}, - "rule_group": {to:[{field: "rsa.misc.rule_group", setter: fld_set}]}, - "rule_template": {to:[{field: "rsa.misc.rule_template", setter: fld_set}]}, - "rule_uid": {to:[{field: "rsa.misc.rule_uid", setter: fld_set}]}, - "rulename": {to:[{field: "rsa.misc.rule_name", setter: fld_set}]}, - "s_certauth": {to:[{field: "rsa.crypto.s_certauth", setter: fld_set}]}, - "s_cipher": {to:[{field: "rsa.crypto.cipher_src", setter: fld_set}]}, - "s_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_src", setter: fld_set}]}, - "s_context": {to:[{field: "rsa.misc.context_subject", setter: fld_set}]}, - "s_sslver": {to:[{field: "rsa.crypto.ssl_ver_src", setter: fld_set}]}, - "sburb": {to:[{field: "rsa.misc.sburb", setter: fld_set}]}, - "scheme": {to:[{field: "rsa.crypto.scheme", setter: fld_set}]}, - "sdomain_fld": {to:[{field: "rsa.misc.sdomain_fld", setter: fld_set}]}, - "search.text": {to:[{field: "rsa.misc.search_text", setter: fld_set}]}, - "sec": {to:[{field: "rsa.misc.sec", setter: fld_set}]}, - "second": {to:[{field: 
"rsa.misc.second", setter: fld_set}]}, - "sensor": {to:[{field: "rsa.misc.sensor", setter: fld_set}]}, - "sensorname": {to:[{field: "rsa.misc.sensorname", setter: fld_set}]}, - "seqnum": {to:[{field: "rsa.misc.seqnum", setter: fld_set}]}, - "serial_number": {to:[{field: "rsa.misc.serial_number", setter: fld_set}]}, - "service.account": {to:[{field: "rsa.identity.service_account", setter: fld_set}]}, - "session": {to:[{field: "rsa.misc.session", setter: fld_set}]}, - "session.split": {to:[{field: "rsa.internal.session_split", setter: fld_set}]}, - "sessionid": {to:[{field: "rsa.misc.log_session_id", setter: fld_set}]}, - "sessionid1": {to:[{field: "rsa.misc.log_session_id1", setter: fld_set}]}, - "sessiontype": {to:[{field: "rsa.misc.sessiontype", setter: fld_set}]}, - "severity": {to:[{field: "rsa.misc.severity", setter: fld_set}]}, - "sid": {to:[{field: "rsa.identity.user_sid_dst", setter: fld_set}]}, - "sig.name": {to:[{field: "rsa.misc.sig_name", setter: fld_set}]}, - "sigUUID": {to:[{field: "rsa.misc.sigUUID", setter: fld_set}]}, - "sigcat": {to:[{field: "rsa.misc.sigcat", setter: fld_set}]}, - "sigid": {convert: to_long, to:[{field: "rsa.misc.sig_id", setter: fld_set}]}, - "sigid1": {convert: to_long, to:[{field: "rsa.misc.sig_id1", setter: fld_set}]}, - "sigid_string": {to:[{field: "rsa.misc.sig_id_str", setter: fld_set}]}, - "signame": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 1}]}, - "sigtype": {to:[{field: "rsa.crypto.sig_type", setter: fld_set}]}, - "sinterface": {to:[{field: "rsa.network.sinterface", setter: fld_set}]}, - "site": {to:[{field: "rsa.internal.site", setter: fld_set}]}, - "size": {convert: to_long, to:[{field: "rsa.internal.size", setter: fld_set}]}, - "smask": {to:[{field: "rsa.network.smask", setter: fld_set}]}, - "snmp.oid": {to:[{field: "rsa.misc.snmp_oid", setter: fld_set}]}, - "snmp.value": {to:[{field: "rsa.misc.snmp_value", setter: fld_set}]}, - "sourcefile": {to:[{field: "rsa.internal.sourcefile", setter: 
fld_set}]}, - "space": {to:[{field: "rsa.misc.space", setter: fld_set}]}, - "space1": {to:[{field: "rsa.misc.space1", setter: fld_set}]}, - "spi": {to:[{field: "rsa.misc.spi", setter: fld_set}]}, - "sql": {to:[{field: "rsa.misc.sql", setter: fld_set}]}, - "src_dn": {to:[{field: "rsa.identity.dn_src", setter: fld_set}]}, - "src_payload": {to:[{field: "rsa.misc.payload_src", setter: fld_set}]}, - "src_spi": {to:[{field: "rsa.misc.spi_src", setter: fld_set}]}, - "src_zone": {to:[{field: "rsa.network.zone_src", setter: fld_set}]}, - "srcburb": {to:[{field: "rsa.misc.srcburb", setter: fld_set}]}, - "srcdom": {to:[{field: "rsa.misc.srcdom", setter: fld_set}]}, - "srcservice": {to:[{field: "rsa.misc.srcservice", setter: fld_set}]}, - "ssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 0}]}, - "stamp": {convert: to_date, to:[{field: "rsa.time.stamp", setter: fld_set}]}, - "starttime": {convert: to_date, to:[{field: "rsa.time.starttime", setter: fld_set}]}, - "state": {to:[{field: "rsa.misc.state", setter: fld_set}]}, - "statement": {to:[{field: "rsa.internal.statement", setter: fld_set}]}, - "status": {to:[{field: "rsa.misc.status", setter: fld_set}]}, - "status1": {to:[{field: "rsa.misc.status1", setter: fld_set}]}, - "streams": {convert: to_long, to:[{field: "rsa.misc.streams", setter: fld_set}]}, - "subcategory": {to:[{field: "rsa.misc.subcategory", setter: fld_set}]}, - "subject": {to:[{field: "rsa.email.subject", setter: fld_set}]}, - "svcno": {to:[{field: "rsa.misc.svcno", setter: fld_set}]}, - "system": {to:[{field: "rsa.misc.system", setter: fld_set}]}, - "t_context": {to:[{field: "rsa.misc.context_target", setter: fld_set}]}, - "task_name": {to:[{field: "rsa.file.task_name", setter: fld_set}]}, - "tbdstr1": {to:[{field: "rsa.misc.tbdstr1", setter: fld_set}]}, - "tbdstr2": {to:[{field: "rsa.misc.tbdstr2", setter: fld_set}]}, - "tbl_name": {to:[{field: "rsa.db.table_name", setter: fld_set}]}, - "tcp_flags": {convert: to_long, to:[{field: 
"rsa.misc.tcp_flags", setter: fld_set}]}, - "terminal": {to:[{field: "rsa.misc.terminal", setter: fld_set}]}, - "tgtdom": {to:[{field: "rsa.misc.tgtdom", setter: fld_set}]}, - "tgtdomain": {to:[{field: "rsa.misc.tgtdomain", setter: fld_set}]}, - "threat_name": {to:[{field: "rsa.threat.threat_category", setter: fld_set}]}, - "threat_source": {to:[{field: "rsa.threat.threat_source", setter: fld_set}]}, - "threat_val": {to:[{field: "rsa.threat.threat_desc", setter: fld_set}]}, - "threshold": {to:[{field: "rsa.misc.threshold", setter: fld_set}]}, - "time": {convert: to_date, to:[{field: "rsa.internal.time", setter: fld_set}]}, - "timestamp": {to:[{field: "rsa.time.timestamp", setter: fld_set}]}, - "timezone": {to:[{field: "rsa.time.timezone", setter: fld_set}]}, - "to": {to:[{field: "rsa.email.email_dst", setter: fld_set}]}, - "tos": {convert: to_long, to:[{field: "rsa.misc.tos", setter: fld_set}]}, - "trans_from": {to:[{field: "rsa.email.trans_from", setter: fld_set}]}, - "trans_id": {to:[{field: "rsa.db.transact_id", setter: fld_set}]}, - "trans_to": {to:[{field: "rsa.email.trans_to", setter: fld_set}]}, - "trigger_desc": {to:[{field: "rsa.misc.trigger_desc", setter: fld_set}]}, - "trigger_val": {to:[{field: "rsa.misc.trigger_val", setter: fld_set}]}, - "type": {to:[{field: "rsa.misc.type", setter: fld_set}]}, - "type1": {to:[{field: "rsa.misc.type1", setter: fld_set}]}, - "tzone": {to:[{field: "rsa.time.tzone", setter: fld_set}]}, - "ubc.req": {convert: to_long, to:[{field: "rsa.internal.ubc_req", setter: fld_set}]}, - "ubc.res": {convert: to_long, to:[{field: "rsa.internal.ubc_res", setter: fld_set}]}, - "udb_class": {to:[{field: "rsa.misc.udb_class", setter: fld_set}]}, - "url_fld": {to:[{field: "rsa.misc.url_fld", setter: fld_set}]}, - "urlpage": {to:[{field: "rsa.web.urlpage", setter: fld_set}]}, - "urlroot": {to:[{field: "rsa.web.urlroot", setter: fld_set}]}, - "user_address": {to:[{field: "rsa.email.email", setter: fld_append}]}, - "user_dept": {to:[{field: 
"rsa.identity.user_dept", setter: fld_set}]}, - "user_div": {to:[{field: "rsa.misc.user_div", setter: fld_set}]}, - "user_fname": {to:[{field: "rsa.identity.firstname", setter: fld_set}]}, - "user_lname": {to:[{field: "rsa.identity.lastname", setter: fld_set}]}, - "user_mname": {to:[{field: "rsa.identity.middlename", setter: fld_set}]}, - "user_org": {to:[{field: "rsa.identity.org", setter: fld_set}]}, - "user_role": {to:[{field: "rsa.identity.user_role", setter: fld_set}]}, - "userid": {to:[{field: "rsa.misc.userid", setter: fld_set}]}, - "username_fld": {to:[{field: "rsa.misc.username_fld", setter: fld_set}]}, - "utcstamp": {to:[{field: "rsa.misc.utcstamp", setter: fld_set}]}, - "v_instafname": {to:[{field: "rsa.misc.v_instafname", setter: fld_set}]}, - "vendor_event_cat": {to:[{field: "rsa.investigations.event_vcat", setter: fld_set}]}, - "version": {to:[{field: "rsa.misc.version", setter: fld_set}]}, - "vid": {to:[{field: "rsa.internal.msg_vid", setter: fld_set}]}, - "virt_data": {to:[{field: "rsa.misc.virt_data", setter: fld_set}]}, - "virusname": {to:[{field: "rsa.misc.virusname", setter: fld_set}]}, - "vlan": {convert: to_long, to:[{field: "rsa.network.vlan", setter: fld_set}]}, - "vlan.name": {to:[{field: "rsa.network.vlan_name", setter: fld_set}]}, - "vm_target": {to:[{field: "rsa.misc.vm_target", setter: fld_set}]}, - "vpnid": {to:[{field: "rsa.misc.vpnid", setter: fld_set}]}, - "vsys": {to:[{field: "rsa.misc.vsys", setter: fld_set}]}, - "vuln_ref": {to:[{field: "rsa.misc.vuln_ref", setter: fld_set}]}, - "web_cookie": {to:[{field: "rsa.web.web_cookie", setter: fld_set}]}, - "web_extension_tmp": {to:[{field: "rsa.web.web_extension_tmp", setter: fld_set}]}, - "web_host": {to:[{field: "rsa.web.alias_host", setter: fld_set}]}, - "web_method": {to:[{field: "rsa.misc.action", setter: fld_append}]}, - "web_page": {to:[{field: "rsa.web.web_page", setter: fld_set}]}, - "web_ref_domain": {to:[{field: "rsa.web.web_ref_domain", setter: fld_set}]}, - "web_ref_host": 
{to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "web_ref_page": {to:[{field: "rsa.web.web_ref_page", setter: fld_set}]}, - "web_ref_query": {to:[{field: "rsa.web.web_ref_query", setter: fld_set}]}, - "web_ref_root": {to:[{field: "rsa.web.web_ref_root", setter: fld_set}]}, - "wifi_channel": {convert: to_long, to:[{field: "rsa.wireless.wlan_channel", setter: fld_set}]}, - "wlan": {to:[{field: "rsa.wireless.wlan_name", setter: fld_set}]}, - "word": {to:[{field: "rsa.internal.word", setter: fld_set}]}, - "workspace_desc": {to:[{field: "rsa.misc.workspace", setter: fld_set}]}, - "workstation": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "year": {to:[{field: "rsa.time.year", setter: fld_set}]}, - "zone": {to:[{field: "rsa.network.zone", setter: fld_set}]}, - }; - - function to_date(value) { - switch (typeof (value)) { - case "object": - // This is a Date. But as it was obtained from evt.Get(), the VM - // doesn't see it as a JS Date anymore, thus value instanceof Date === false. - // Have to trust that any object here is a valid Date for Go. - return value; - case "string": - var asDate = new Date(value); - if (!isNaN(asDate)) return asDate; - } - } - - // ECMAScript 5.1 doesn't have Object.MAX_SAFE_INTEGER / Object.MIN_SAFE_INTEGER. - var maxSafeInt = Math.pow(2, 53) - 1; - var minSafeInt = -maxSafeInt; - - function to_long(value) { - var num = parseInt(value); - // Better not to index a number if it's not safe (above 53 bits). - return !isNaN(num) && minSafeInt <= num && num <= maxSafeInt ? 
num : undefined; - } - - function to_ip(value) { - if (value.indexOf(":") === -1) - return to_ipv4(value); - return to_ipv6(value); - } - - var ipv4_regex = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/; - var ipv6_hex_regex = /^[0-9A-Fa-f]{1,4}$/; - - function to_ipv4(value) { - var result = ipv4_regex.exec(value); - if (result == null || result.length !== 5) return; - for (var i = 1; i < 5; i++) { - var num = strictToInt(result[i]); - if (isNaN(num) || num < 0 || num > 255) return; - } - return value; - } - - function to_ipv6(value) { - var sqEnd = value.indexOf("]"); - if (sqEnd > -1) { - if (value.charAt(0) !== "[") return; - value = value.substr(1, sqEnd - 1); - } - var zoneOffset = value.indexOf("%"); - if (zoneOffset > -1) { - value = value.substr(0, zoneOffset); - } - var parts = value.split(":"); - if (parts == null || parts.length < 3 || parts.length > 8) return; - var numEmpty = 0; - var innerEmpty = 0; - for (var i = 0; i < parts.length; i++) { - if (parts[i].length === 0) { - numEmpty++; - if (i > 0 && i + 1 < parts.length) innerEmpty++; - } else if (!parts[i].match(ipv6_hex_regex) && - // Accept an IPv6 with a valid IPv4 at the end. - ((i + 1 < parts.length) || !to_ipv4(parts[i]))) { - return; - } - } - return innerEmpty === 0 && parts.length === 8 || innerEmpty === 1 ? value : undefined; - } - - function to_double(value) { - return parseFloat(value); - } - - function to_mac(value) { - // ES doesn't have a mac datatype so it's safe to ingest whatever was captured. - return value; - } - - function to_lowercase(value) { - // to_lowercase is used against keyword fields, which can accept - // any other type (numbers, dates). - return typeof(value) === "string"? 
value.toLowerCase() : value; - } - - function fld_set(dst, value) { - dst[this.field] = { v: value }; - } - - function fld_append(dst, value) { - if (dst[this.field] === undefined) { - dst[this.field] = { v: [value] }; - } else { - var base = dst[this.field]; - if (base.v.indexOf(value)===-1) base.v.push(value); - } - } - - function fld_prio(dst, value) { - if (dst[this.field] === undefined) { - dst[this.field] = { v: value, prio: this.prio}; - } else if(this.prio < dst[this.field].prio) { - dst[this.field].v = value; - dst[this.field].prio = this.prio; - } - } - - var valid_ecs_outcome = { - 'failure': true, - 'success': true, - 'unknown': true - }; - - function fld_ecs_outcome(dst, value) { - value = value.toLowerCase(); - if (valid_ecs_outcome[value] === undefined) { - value = 'unknown'; - } - if (dst[this.field] === undefined) { - dst[this.field] = { v: value }; - } else if (dst[this.field].v === 'unknown') { - dst[this.field] = { v: value }; - } - } - - function map_all(evt, targets, value) { - for (var i = 0; i < targets.length; i++) { - evt.Put(targets[i], value); - } - } - - function populate_fields(evt) { - var base = evt.Get(FIELDS_OBJECT); - if (base === null) return; - alternate_datetime(evt); - if (map_ecs) { - do_populate(evt, base, ecs_mappings); - } - if (map_rsa) { - do_populate(evt, base, rsa_mappings); - } - if (keep_raw) { - evt.Put("rsa.raw", base); - } - evt.Delete(FIELDS_OBJECT); - } - - var datetime_alt_components = [ - {field: "day", fmts: [[dF]]}, - {field: "year", fmts: [[dW]]}, - {field: "month", fmts: [[dB],[dG]]}, - {field: "date", fmts: [[dW,dSkip,dG,dSkip,dF],[dW,dSkip,dB,dSkip,dF],[dW,dSkip,dR,dSkip,dF]]}, - {field: "hour", fmts: [[dN]]}, - {field: "min", fmts: [[dU]]}, - {field: "secs", fmts: [[dO]]}, - {field: "time", fmts: [[dN, dSkip, dU, dSkip, dO]]}, - ]; - - function alternate_datetime(evt) { - if (evt.Get(FIELDS_PREFIX + "event_time") != null) { - return; - } - var tzOffset = tz_offset; - if (tzOffset === "event") { - 
tzOffset = evt.Get("event.timezone"); - } - var container = new DateContainer(tzOffset); - for (var i=0; i} %{day->} %{time->} %{p0}"); - - var dup2 = match("HEADER#3:0004/1_0", "nwparser.p0", "fpc0 %{p0}"); - - var dup3 = match("HEADER#3:0004/1_1", "nwparser.p0", "fpc1 %{p0}"); - - var dup4 = match("HEADER#3:0004/1_2", "nwparser.p0", "fpc2 %{p0}"); - - var dup5 = match("HEADER#3:0004/1_3", "nwparser.p0", "fpc3 %{p0}"); - - var dup6 = match("HEADER#3:0004/1_4", "nwparser.p0", "fpc4 %{p0}"); - - var dup7 = match("HEADER#3:0004/1_5", "nwparser.p0", "fpc5 %{p0}"); - - var dup8 = match("HEADER#3:0004/1_11", "nwparser.p0", "ssb %{p0}"); - - var dup9 = call({ - dest: "nwparser.payload", - fn: STRCAT, - args: [ - field("messageid"), - constant(": "), - field("p0"), - ], - }); - - var dup10 = call({ - dest: "nwparser.payload", - fn: STRCAT, - args: [ - field("messageid"), - constant(" "), - field("p0"), - ], - }); - - var dup11 = call({ - dest: "nwparser.payload", - fn: STRCAT, - args: [ - field("hfld2"), - constant(" "), - field("messageid"), - constant(": "), - field("p0"), - ], - }); - - var dup12 = call({ - dest: "nwparser.payload", - fn: STRCAT, - args: [ - field("hfld1"), - constant("["), - field("pid"), - constant("]: "), - field("messageid"), - constant(": "), - field("p0"), - ], - }); - - var dup13 = call({ - dest: "nwparser.payload", - fn: STRCAT, - args: [ - field("messageid"), - constant(" ["), - field("p0"), - ], - }); - - var dup14 = match("HEADER#15:0026.upd.a/1_0", "nwparser.p0", "RT_FLOW - %{p0}"); - - var dup15 = match("HEADER#15:0026.upd.a/1_1", "nwparser.p0", "junos-ssl-proxy - %{p0}"); - - var dup16 = match("HEADER#15:0026.upd.a/1_2", "nwparser.p0", "RT_APPQOS - %{p0}"); - - var dup17 = match("HEADER#15:0026.upd.a/1_3", "nwparser.p0", "%{hfld33->} - %{p0}"); - - var dup18 = match("HEADER#16:0026.upd.b/0", "message", "%{event_time->} %{hfld32->} %{hhostname->} %{p0}"); - - var dup19 = call({ - dest: "nwparser.payload", - fn: STRCAT, - args: [ - 
field("messageid"), - constant("["), - field("pid"), - constant("]: "), - field("p0"), - ], - }); - - var dup20 = setc("messageid","JUNOSROUTER_GENERIC"); - - var dup21 = setc("eventcategory","1605000000"); - - var dup22 = setf("msg","$MSG"); - - var dup23 = date_time({ - dest: "event_time", - args: ["month","day","time"], - fmts: [ - [dB,dF,dH,dc(":"),dU,dc(":"),dO], - ], - }); - - var dup24 = setf("hostname","hhost"); - - var dup25 = setc("event_description","AUDIT"); - - var dup26 = setc("event_description","CRON command"); - - var dup27 = setc("eventcategory","1801030000"); - - var dup28 = setc("eventcategory","1801020000"); - - var dup29 = setc("eventcategory","1605010000"); - - var dup30 = setc("eventcategory","1603000000"); - - var dup31 = setc("event_description","Process mode"); - - var dup32 = setc("event_description","NTP Server Unreachable"); - - var dup33 = setc("eventcategory","1401060000"); - - var dup34 = setc("ec_theme","Authentication"); - - var dup35 = setc("ec_subject","User"); - - var dup36 = setc("ec_activity","Logon"); - - var dup37 = setc("ec_outcome","Success"); - - var dup38 = setc("event_description","rpd proceeding"); - - var dup39 = match("MESSAGE#77:sshd:06/0", "nwparser.payload", "%{} %{p0}"); - - var dup40 = match("MESSAGE#77:sshd:06/1_0", "nwparser.p0", "%{process}[%{process_id}]: %{p0}"); - - var dup41 = match("MESSAGE#77:sshd:06/1_1", "nwparser.p0", "%{process}: %{p0}"); - - var dup42 = setc("eventcategory","1701010000"); - - var dup43 = setc("ec_outcome","Failure"); - - var dup44 = setc("eventcategory","1401030000"); - - var dup45 = match_copy("MESSAGE#72:Failed:05/1_2", "nwparser.p0", "p0"); - - var dup46 = setc("eventcategory","1803000000"); - - var dup47 = setc("event_type","VPN"); - - var dup48 = setc("eventcategory","1605020000"); - - var dup49 = setc("eventcategory","1602020000"); - - var dup50 = match("MESSAGE#114:ACCT_GETHOSTNAME_error/0", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{p0}"); - - var 
dup51 = setc("eventcategory","1603020000"); - - var dup52 = date_time({ - dest: "event_time", - args: ["hfld32"], - fmts: [ - [dW,dc("-"),dG,dc("-"),dF,dc("T"),dN,dc(":"),dU,dc(":"),dO], - ], - }); - - var dup53 = setc("ec_subject","NetworkComm"); - - var dup54 = setc("ec_activity","Create"); - - var dup55 = setc("ec_activity","Stop"); - - var dup56 = setc("event_description","Trap state change"); - - var dup57 = setc("event_description","peer NLRI mismatch"); - - var dup58 = setc("eventcategory","1605030000"); - - var dup59 = setc("eventcategory","1603010000"); - - var dup60 = setc("eventcategory","1606000000"); - - var dup61 = setf("hostname","hhostname"); - - var dup62 = date_time({ - dest: "event_time", - args: ["hfld6"], - fmts: [ - [dW,dc("-"),dG,dc("-"),dF,dc("T"),dN,dc(":"),dU,dc(":"),dO], - ], - }); - - var dup63 = setc("eventcategory","1401050200"); - - var dup64 = setc("event_description","Memory allocation failed during initialization for configuration load"); - - var dup65 = setc("event_description","unable to run in the background as a daemon"); - - var dup66 = setc("event_description","Another copy of this program is running"); - - var dup67 = setc("event_description","Unable to lock PID file"); - - var dup68 = setc("event_description","Unable to update process PID file"); - - var dup69 = setc("eventcategory","1301000000"); - - var dup70 = setc("event_description","Command stopped"); - - var dup71 = setc("event_description","Unable to create pipes for command"); - - var dup72 = setc("event_description","Command exited"); - - var dup73 = setc("eventcategory","1603050000"); - - var dup74 = setc("eventcategory","1801010000"); - - var dup75 = setc("event_description","Login failure"); - - var dup76 = match("MESSAGE#294:LOGIN_INFORMATION/3_0", "nwparser.p0", "User %{p0}"); - - var dup77 = match("MESSAGE#294:LOGIN_INFORMATION/3_1", "nwparser.p0", "user %{p0}"); - - var dup78 = setc("event_description","Unable to open file"); - - var dup79 = 
setc("event_description","SNMP index assigned changed"); - - var dup80 = setc("eventcategory","1302000000"); - - var dup81 = setc("eventcategory","1001020300"); - - var dup82 = setc("event_description","PFE FW SYSLOG_IP"); - - var dup83 = setc("event_description","process_mode"); - - var dup84 = setc("event_description","Logical interface collision"); - - var dup85 = setc("event_description","excessive runtime time during action of module"); - - var dup86 = setc("event_description","Reinitializing"); - - var dup87 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/0", "nwparser.payload", "%{event_type->} [junos@%{obj_name->} source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\"%{p0}"); - - var dup88 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/1_0", "nwparser.p0", " connection-tag=%{fld20->} service-name=\"%{p0}"); - - var dup89 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/1_1", "nwparser.p0", " service-name=\"%{p0}"); - - var dup90 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/3_0", "nwparser.p0", " nat-connection-tag=%{fld6->} src-nat-rule-type=%{fld20->} %{p0}"); - - var dup91 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/5_1", "nwparser.p0", "name=\"%{p0}"); - - var dup92 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/8", "nwparser.p0", "]%{}"); - - var dup93 = setc("eventcategory","1803010000"); - - var dup94 = setc("ec_activity","Deny"); - - var dup95 = match("MESSAGE#490:RT_FLOW_SESSION_DENY:03/0_0", "nwparser.payload", "%{process}: %{event_type}: session denied %{p0}"); - - var dup96 = match("MESSAGE#490:RT_FLOW_SESSION_DENY:03/0_1", "nwparser.payload", "%{event_type}: session denied %{p0}"); - - var dup97 = setc("event_description","session denied"); - - var dup98 = match("MESSAGE#492:RT_FLOW_SESSION_CLOSE:01/0", "nwparser.payload", "%{event_type->} [junos@%{obj_name->} reason=\"%{result}\" source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" 
destination-port=\"%{dport}\"%{p0}"); - - var dup99 = match("MESSAGE#492:RT_FLOW_SESSION_CLOSE:01/2", "nwparser.p0", "%{service}\" nat-source-address=\"%{hostip}\" nat-source-port=\"%{network_port}\" nat-destination-address=\"%{dtransaddr}\" nat-destination-port=\"%{dtransport}\"%{p0}"); - - var dup100 = match("MESSAGE#492:RT_FLOW_SESSION_CLOSE:01/4", "nwparser.p0", "%{}src-nat-rule-name=\"%{rulename}\" dst-nat-rule-%{p0}"); - - var dup101 = match("MESSAGE#492:RT_FLOW_SESSION_CLOSE:01/5_0", "nwparser.p0", "type=%{fld7->} dst-nat-rule-name=\"%{p0}"); - - var dup102 = match("MESSAGE#492:RT_FLOW_SESSION_CLOSE:01/6", "nwparser.p0", "\"%{rule_template->} protocol-id=\"%{protocol}\" policy-name=\"%{policyname}\" source-zone-name=\"%{src_zone}\" destination-zone-name=\"%{dst_zone}\" session-id-32=\"%{sessionid}\" packets-from-client=\"%{packets}\" bytes-from-client=\"%{rbytes}\" packets-from-server=\"%{dclass_counter1}\" bytes-from-server=\"%{sbytes}\" elapsed-time=\"%{duration}\"%{p0}"); - - var dup103 = match("MESSAGE#492:RT_FLOW_SESSION_CLOSE:01/7_0", "nwparser.p0", " application=\"%{fld6}\" nested-application=\"%{fld7}\" username=\"%{username}\" roles=\"%{fld15}\" packet-incoming-interface=\"%{dinterface}\" encrypted=%{fld16->} %{p0}"); - - var dup104 = setc("dclass_counter1_string","No.of packets from client"); - - var dup105 = setc("event_description","SNMPD AUTH FAILURE"); - - var dup106 = setc("event_description","send send-type (index1) failure"); - - var dup107 = setc("event_description","SNMP trap error"); - - var dup108 = setc("event_description","SNMP TRAP LINK DOWN"); - - var dup109 = setc("event_description","SNMP TRAP LINK UP"); - - var dup110 = setc("event_description","Login Failure"); - - var dup111 = match("MESSAGE#630:UI_CFG_AUDIT_OTHER:02/0", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' set: [%{action}] %{p0}"); - - var dup112 = match_copy("MESSAGE#630:UI_CFG_AUDIT_OTHER:02/1_1", "nwparser.p0", "space"); - - var 
dup113 = setc("eventcategory","1701020000"); - - var dup114 = match("MESSAGE#634:UI_CFG_AUDIT_SET:01/1_1", "nwparser.p0", "\u003c\u003c%{change_old}> %{p0}"); - - var dup115 = match("MESSAGE#634:UI_CFG_AUDIT_SET:01/2", "nwparser.p0", "-> \"%{change_new}\""); - - var dup116 = setc("event_description","User set command"); - - var dup117 = match("MESSAGE#637:UI_CFG_AUDIT_SET_SECRET:01/0", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' %{p0}"); - - var dup118 = match("MESSAGE#637:UI_CFG_AUDIT_SET_SECRET:01/1_0", "nwparser.p0", "set %{p0}"); - - var dup119 = match("MESSAGE#637:UI_CFG_AUDIT_SET_SECRET:01/1_1", "nwparser.p0", "replace %{p0}"); - - var dup120 = setc("event_description","User set groups to secret"); - - var dup121 = setc("event_description","UI CMDLINE READ LINE"); - - var dup122 = setc("event_description","User commit"); - - var dup123 = match("MESSAGE#675:UI_DAEMON_ACCEPT_FAILED/1_0", "nwparser.p0", "Network %{p0}"); - - var dup124 = match("MESSAGE#675:UI_DAEMON_ACCEPT_FAILED/1_1", "nwparser.p0", "Local %{p0}"); - - var dup125 = setc("eventcategory","1401070000"); - - var dup126 = setc("ec_activity","Logoff"); - - var dup127 = setc("event_description","Successful login"); - - var dup128 = setf("hostname","hostip"); - - var dup129 = setc("event_description","TACACS+ failure"); - - var dup130 = match("MESSAGE#755:node:05/0", "nwparser.payload", "%{hostname->} %{node->} %{p0}"); - - var dup131 = match("MESSAGE#755:node:05/1_0", "nwparser.p0", "partner%{p0}"); - - var dup132 = match("MESSAGE#755:node:05/1_1", "nwparser.p0", "actor%{p0}"); - - var dup133 = setc("eventcategory","1003010000"); - - var dup134 = setc("eventcategory","1901000000"); - - var dup135 = linear_select([ - dup14, - dup15, - dup16, - dup17, - ]); - - var dup136 = match("HEADER#15:0026.upd.a/2", "nwparser.p0", "%{messageid->} [%{p0}", processor_chain([ - dup13, - ])); - - var dup137 = linear_select([ - dup40, - dup41, - ]); - - var dup138 = 
match("MESSAGE#125:BFDD_TRAP_STATE_DOWN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: local discriminator: %{resultcode}, new state: %{result}", processor_chain([ - dup21, - dup22, - dup56, - dup23, - ])); - - var dup139 = match("MESSAGE#214:DCD_MALLOC_FAILED_INIT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Memory allocation failed during initialization for configuration load", processor_chain([ - dup51, - dup22, - dup64, - dup23, - ])); - - var dup140 = match("MESSAGE#225:ECCD_DAEMONIZE_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}, unable to run in the background as a daemon: %{result}", processor_chain([ - dup30, - dup22, - dup65, - dup23, - ])); - - var dup141 = match("MESSAGE#226:ECCD_DUPLICATE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Another copy of this program is running", processor_chain([ - dup30, - dup22, - dup66, - dup23, - ])); - - var dup142 = match("MESSAGE#232:ECCD_PID_FILE_LOCK", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to lock PID file: %{result}", processor_chain([ - dup30, - dup22, - dup67, - dup23, - ])); - - var dup143 = match("MESSAGE#233:ECCD_PID_FILE_UPDATE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to update process PID file: %{result}", processor_chain([ - dup30, - dup22, - dup68, - dup23, - ])); - - var dup144 = match("MESSAGE#272:LIBJNX_EXEC_PIPE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to create pipes for command '%{action}': %{result}", processor_chain([ - dup30, - dup22, - dup71, - dup23, - ])); - - var dup145 = linear_select([ - dup76, - dup77, - ]); - - var dup146 = match("MESSAGE#310:MIB2D_IFD_IFINDEX_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: SNMP index assigned to %{uid->} changed from %{dclass_counter1->} to %{result}", processor_chain([ - dup30, - dup22, - dup79, - dup23, - ])); - - var dup147 = 
match("MESSAGE#412:RPD_IFL_INDEXCOLLISION", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Logical interface collision -- %{result}, %{info}", processor_chain([ - dup30, - dup22, - dup84, - dup23, - ])); - - var dup148 = match("MESSAGE#466:RPD_SCHED_CALLBACK_LONGRUNTIME", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: excessive runtime time during action of module", processor_chain([ - dup30, - dup22, - dup85, - dup23, - ])); - - var dup149 = match("MESSAGE#482:RPD_TASK_REINIT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Reinitializing", processor_chain([ - dup21, - dup22, - dup86, - dup23, - ])); - - var dup150 = linear_select([ - dup88, - dup89, - ]); - - var dup151 = linear_select([ - dup90, - dup45, - ]); - - var dup152 = linear_select([ - dup95, - dup96, - ]); - - var dup153 = linear_select([ - dup101, - dup91, - ]); - - var dup154 = match("MESSAGE#498:RT_SCREEN_TCP", "nwparser.payload", "%{event_type->} [junos@%{obj_name->} attack-name=\"%{threat_name}\" source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" source-zone-name=\"%{src_zone}\" interface-name=\"%{interface}\" action=\"%{action}\"]", processor_chain([ - dup30, - dup22, - dup52, - ])); - - var dup155 = match("MESSAGE#527:SSL_PROXY_SSL_SESSION_ALLOW", "nwparser.payload", "%{event_type->} [junos@%{obj_name->} logical-system-name=\"%{hostname}\" session-id=\"%{sessionid}\" source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" nat-source-address=\"%{hostip}\" nat-source-port=\"%{network_port}\" nat-destination-address=\"%{dtransaddr}\" nat-destination-port=\"%{dtransport}\" profile-name=\"%{rulename}\" source-zone-name=\"%{src_zone}\" source-interface-name=\"%{sinterface}\" destination-zone-name=\"%{dst_zone}\" destination-interface-name=\"%{dinterface}\" message=\"%{info}\"]", processor_chain([ - dup27, - dup22, - 
dup52, - ])); - - var dup156 = linear_select([ - dup118, - dup119, - ]); - - var dup157 = linear_select([ - dup123, - dup124, - ]); - - var dup158 = match("MESSAGE#733:WEBFILTER_URL_PERMITTED", "nwparser.payload", "%{event_type->} [junos@%{fld21->} source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" name=\"%{info}\" error-message=\"%{result}\" profile-name=\"%{profile}\" object-name=\"%{obj_name}\" pathname=\"%{directory}\" username=\"%{username}\" roles=\"%{user_role}\"] WebFilter: ACTION=\"%{action}\" %{fld2}->%{fld3->} CATEGORY=\"%{category}\" REASON=\"%{fld4}\" PROFILE=\"%{fld6}\" URL=%{url->} OBJ=%{fld7->} USERNAME=%{fld8->} ROLES=%{fld9}", processor_chain([ - dup30, - dup22, - dup52, - ])); - - var dup159 = match_copy("MESSAGE#747:cli", "nwparser.payload", "fld12", processor_chain([ - dup48, - dup47, - dup23, - dup22, - ])); - - var hdr1 = match("HEADER#0:0001", "message", "%{month->} %{day->} %{time->} %{messageid}: restart %{p0}", processor_chain([ - setc("header_id","0001"), - call({ - dest: "nwparser.payload", - fn: STRCAT, - args: [ - field("messageid"), - constant(": restart "), - field("p0"), - ], - }), - ])); - - var hdr2 = match("HEADER#1:0002", "message", "%{month->} %{day->} %{time->} %{messageid->} message repeated %{p0}", processor_chain([ - setc("header_id","0002"), - call({ - dest: "nwparser.payload", - fn: STRCAT, - args: [ - field("messageid"), - constant(" message repeated "), - field("p0"), - ], - }), - ])); - - var hdr3 = match("HEADER#2:0003", "message", "%{month->} %{day->} %{time->} ssb %{messageid}(%{hfld1}): %{p0}", processor_chain([ - setc("header_id","0003"), - call({ - dest: "nwparser.payload", - fn: STRCAT, - args: [ - field("messageid"), - constant("("), - field("hfld1"), - constant("): "), - field("p0"), - ], - }), - ])); - - var part1 = match("HEADER#3:0004/1_6", "nwparser.p0", "fpc6 %{p0}"); - - var part2 = match("HEADER#3:0004/1_7", "nwparser.p0", "fpc7 %{p0}"); 
- - var part3 = match("HEADER#3:0004/1_8", "nwparser.p0", "fpc8 %{p0}"); - - var part4 = match("HEADER#3:0004/1_9", "nwparser.p0", "fpc9 %{p0}"); - - var part5 = match("HEADER#3:0004/1_10", "nwparser.p0", "cfeb %{p0}"); - - var select1 = linear_select([ - dup2, - dup3, - dup4, - dup5, - dup6, - dup7, - part1, - part2, - part3, - part4, - part5, - dup8, - ]); - - var part6 = match("HEADER#3:0004/2", "nwparser.p0", "%{} %{messageid}: %{p0}", processor_chain([ - dup9, - ])); - - var all1 = all_match({ - processors: [ - dup1, - select1, - part6, - ], - on_success: processor_chain([ - setc("header_id","0004"), - ]), - }); - - var select2 = linear_select([ - dup2, - dup3, - dup4, - dup5, - dup6, - dup7, - dup8, - ]); - - var part7 = match("HEADER#4:0005/2", "nwparser.p0", "%{} %{messageid->} %{p0}", processor_chain([ - dup10, - ])); - - var all2 = all_match({ - processors: [ - dup1, - select2, - part7, - ], - on_success: processor_chain([ - setc("header_id","0005"), - ]), - }); - - var hdr4 = match("HEADER#5:0007", "message", "%{month->} %{day->} %{time->} %{hfld1->} %{hhost}: %{hfld2}[%{hpid}]: %{messageid}: %{p0}", processor_chain([ - setc("header_id","0007"), - call({ - dest: "nwparser.payload", - fn: STRCAT, - args: [ - field("hfld2"), - constant("["), - field("hpid"), - constant("]: "), - field("messageid"), - constant(": "), - field("p0"), - ], - }), - ])); - - var hdr5 = match("HEADER#6:0008", "message", "%{month->} %{day->} %{time->} %{hfld1->} %{hhost}: %{messageid}[%{hpid}]: %{p0}", processor_chain([ - setc("header_id","0008"), - call({ - dest: "nwparser.payload", - fn: STRCAT, - args: [ - field("messageid"), - constant("["), - field("hpid"), - constant("]: "), - field("p0"), - ], - }), - ])); - - var hdr6 = match("HEADER#7:0009", "message", "%{month->} %{day->} %{time->} %{hfld1->} %{hhost}: %{hfld2->} IFP trace> %{messageid}: %{p0}", processor_chain([ - setc("header_id","0009"), - call({ - dest: "nwparser.payload", - fn: STRCAT, - args: [ - field("hfld2"), - 
constant(" IFP trace> "), - field("messageid"), - constant(": "), - field("p0"), - ], - }), - ])); - - var hdr7 = match("HEADER#8:0010", "message", "%{month->} %{day->} %{time->} %{hfld1->} %{hhost}: %{hfld2->} %{messageid}: %{p0}", processor_chain([ - setc("header_id","0010"), - dup11, - ])); - - var hdr8 = match("HEADER#9:0029", "message", "%{month->} %{day->} %{time->} %{hostip->} %{hfld1}[%{pid}]: %{messageid}: %{p0}", processor_chain([ - setc("header_id","0029"), - dup12, - ])); - - var hdr9 = match("HEADER#10:0015", "message", "%{month->} %{day->} %{time->} %{hfld1}[%{pid}]: %{messageid}: %{p0}", processor_chain([ - setc("header_id","0015"), - dup12, - ])); - - var hdr10 = match("HEADER#11:0011", "message", "%{month->} %{day->} %{time->} %{hfld2->} %{messageid}: %{p0}", processor_chain([ - setc("header_id","0011"), - dup11, - ])); - - var hdr11 = match("HEADER#12:0027", "message", "%{month->} %{day->} %{time->} %{hhostname->} RT_FLOW: %{messageid}: %{p0}", processor_chain([ - setc("header_id","0027"), - dup9, - ])); - - var hdr12 = match("HEADER#13:0012", "message", "%{month->} %{day->} %{time->} %{hfld1->} %{hhost}: %{messageid}: %{p0}", processor_chain([ - setc("header_id","0012"), - dup9, - ])); - - var hdr13 = match("HEADER#14:0013", "message", "%{month->} %{day->} %{time->} %{hfld1->} %{hfld32->} %{hhostname->} RT_FLOW - %{messageid->} [%{p0}", processor_chain([ - setc("header_id","0013"), - dup13, - ])); - - var hdr14 = match("HEADER#15:0026.upd.a/0", "message", "%{hfld1->} %{event_time->} %{hfld32->} %{hhostname->} %{p0}"); - - var all3 = all_match({ - processors: [ - hdr14, - dup135, - dup136, - ], - on_success: processor_chain([ - setc("header_id","0026.upd.a"), - ]), - }); - - var all4 = all_match({ - processors: [ - dup18, - dup135, - dup136, - ], - on_success: processor_chain([ - setc("header_id","0026.upd.b"), - ]), - }); - - var all5 = all_match({ - processors: [ - dup18, - dup135, - dup136, - ], - on_success: processor_chain([ - 
setc("header_id","0026"), - ]), - }); - - var hdr15 = match("HEADER#18:0014", "message", "%{month->} %{day->} %{time->} %{hfld1}[%{pid}]: %{messageid}[%{hpid}]: %{p0}", processor_chain([ - setc("header_id","0014"), - call({ - dest: "nwparser.payload", - fn: STRCAT, - args: [ - field("hfld1"), - constant("["), - field("pid"), - constant("]: "), - field("messageid"), - constant("["), - field("hpid"), - constant("]: "), - field("p0"), - ], - }), - ])); - - var hdr16 = match("HEADER#19:0016", "message", "%{month->} %{day->} %{time->} %{hfld1}: %{messageid}: %{p0}", processor_chain([ - setc("header_id","0016"), - call({ - dest: "nwparser.payload", - fn: STRCAT, - args: [ - field("hfld1"), - constant(": "), - field("messageid"), - constant(": "), - field("p0"), - ], - }), - ])); - - var hdr17 = match("HEADER#20:0017", "message", "%{month->} %{day->} %{time->} %{hfld1}[%{pid}]: %{messageid->} %{p0}", processor_chain([ - setc("header_id","0017"), - call({ - dest: "nwparser.payload", - fn: STRCAT, - args: [ - field("hfld1"), - constant("["), - field("pid"), - constant("]: "), - field("messageid"), - constant(" "), - field("p0"), - ], - }), - ])); - - var hdr18 = match("HEADER#21:0018", "message", "%{month->} %{day->} %{time->} %{hhost}: %{messageid}[%{pid}]: %{p0}", processor_chain([ - setc("header_id","0018"), - dup19, - ])); - - var hdr19 = match("HEADER#22:0028", "message", "%{month->} %{day->} %{time->} %{hhost->} %{messageid}[%{pid}]: %{p0}", processor_chain([ - setc("header_id","0028"), - dup19, - ])); - - var hdr20 = match("HEADER#23:0019", "message", "%{month->} %{day->} %{time->} %{hhost}: %{messageid}: %{p0}", processor_chain([ - setc("header_id","0019"), - dup9, - ])); - - var hdr21 = match("HEADER#24:0020", "message", "%{month->} %{day->} %{time->} %{messageid}[%{pid}]: %{p0}", processor_chain([ - setc("header_id","0020"), - dup19, - ])); - - var hdr22 = match("HEADER#25:0021", "message", "%{month->} %{day->} %{time->} /%{messageid}: %{p0}", processor_chain([ - 
setc("header_id","0021"), - dup9, - ])); - - var hdr23 = match("HEADER#26:0022", "message", "%{month->} %{day->} %{time->} %{messageid}: %{p0}", processor_chain([ - setc("header_id","0022"), - dup9, - ])); - - var hdr24 = match("HEADER#27:0023", "message", "%{month->} %{day->} %{time->} %{hfld1->} %{hhostname}: %{messageid}[%{pid}]: %{p0}", processor_chain([ - setc("header_id","0023"), - dup19, - ])); - - var hdr25 = match("HEADER#28:0024", "message", "%{month->} %{day->} %{time->} %{hfld1->} %{hhostname}: %{messageid}: %{p0}", processor_chain([ - setc("header_id","0024"), - dup9, - ])); - - var hdr26 = match("HEADER#29:0025", "message", "%{month->} %{day->} %{time->} %{hfld1->} %{hhostname}: %{hfld2->} %{messageid->} %{p0}", processor_chain([ - setc("header_id","0025"), - call({ - dest: "nwparser.payload", - fn: STRCAT, - args: [ - field("hfld2"), - constant(" "), - field("messageid"), - constant(" "), - field("p0"), - ], - }), - ])); - - var hdr27 = match("HEADER#30:0031", "message", "%{month->} %{day->} %{time->} %{hfld1->} %{hhostname}: %{messageid->} %{p0}", processor_chain([ - setc("header_id","0031"), - dup10, - ])); - - var hdr28 = match("HEADER#31:0032", "message", "%{month->} %{day->} %{time->} %{hostip->} (%{hfld1}) %{hfld2->} %{messageid}[%{pid}]: %{p0}", processor_chain([ - setc("header_id","0032"), - dup19, - ])); - - var hdr29 = match("HEADER#32:0033", "message", "%{month->} %{day->} %{time->} %{hfld1->} %{hhostname->} %{messageid}: %{p0}", processor_chain([ - setc("header_id","0033"), - call({ - dest: "nwparser.payload", - fn: STRCAT, - args: [ - field("hfld1"), - constant(" "), - field("hhostname"), - constant(" "), - field("messageid"), - constant(": "), - field("p0"), - ], - }), - ])); - - var hdr30 = match("HEADER#33:3336", "message", "%{month->} %{day->} %{time->} %{hhost->} %{process}[%{process_id}]: %{messageid}: %{payload}", processor_chain([ - setc("header_id","3336"), - ])); - - var hdr31 = match("HEADER#34:3339", "message", "%{month->} 
%{day->} %{time->} %{hhost->} %{process}[%{process_id}]: %{messageid->} %{payload}", processor_chain([ - setc("header_id","3339"), - ])); - - var hdr32 = match("HEADER#35:3337", "message", "%{month->} %{day->} %{time->} %{hhost->} %{messageid}: %{payload}", processor_chain([ - setc("header_id","3337"), - ])); - - var hdr33 = match("HEADER#36:3341", "message", "%{hfld1->} %{hfld6->} %{hhostname->} %{hfld2->} %{hfld3->} %{messageid->} %{p0}", processor_chain([ - setc("header_id","3341"), - call({ - dest: "nwparser.payload", - fn: STRCAT, - args: [ - field("hfld2"), - constant(" "), - field("hfld3"), - constant(" "), - field("messageid"), - constant(" "), - field("p0"), - ], - }), - ])); - - var hdr34 = match("HEADER#37:3338", "message", "%{month->} %{day->} %{time->} %{hhost->} %{messageid->} %{payload}", processor_chain([ - setc("header_id","3338"), - ])); - - var hdr35 = match("HEADER#38:3340/0", "message", "%{month->} %{day->} %{time->} %{hhost->} node%{hfld1}.fpc%{p0}", processor_chain([ - call({ - dest: "nwparser.payload", - fn: STRCAT, - args: [ - field("hhost"), - constant(" node"), - field("hfld1"), - constant(".fpc"), - field("p0"), - ], - }), - ])); - - var part8 = match("HEADER#38:3340/1_0", "nwparser.p0", "%{hfld2}.pic%{hfld3->} %{p0}"); - - var part9 = match("HEADER#38:3340/1_1", "nwparser.p0", "%{hfld2->} %{p0}"); - - var select3 = linear_select([ - part8, - part9, - ]); - - var part10 = match("HEADER#38:3340/2", "nwparser.p0", "%{} %{p0}"); - - var all6 = all_match({ - processors: [ - hdr35, - select3, - part10, - ], - on_success: processor_chain([ - setc("header_id","3340"), - setc("messageid","node"), - ]), - }); - - var hdr36 = match("HEADER#39:9997/0_0", "message", "mgd[%{p0}"); - - var hdr37 = match("HEADER#39:9997/0_1", "message", "rpd[%{p0}"); - - var hdr38 = match("HEADER#39:9997/0_2", "message", "dcd[%{p0}"); - - var select4 = linear_select([ - hdr36, - hdr37, - hdr38, - ]); - - var part11 = match("HEADER#39:9997/1", "nwparser.p0", 
"%{process_id}]:%{payload}"); - - var all7 = all_match({ - processors: [ - select4, - part11, - ], - on_success: processor_chain([ - setc("header_id","9997"), - dup20, - ]), - }); - - var hdr39 = match("HEADER#40:9995", "message", "%{month->} %{day->} %{time->} %{hhost->} %{hfld1->} %{hfld2->} %{messageid}[%{hfld3}]:%{p0}", processor_chain([ - setc("header_id","9995"), - call({ - dest: "nwparser.payload", - fn: STRCAT, - args: [ - field("messageid"), - constant("["), - field("hfld3"), - constant("]:"), - field("p0"), - ], - }), - ])); - - var hdr40 = match("HEADER#41:9994", "message", "%{month->} %{day->} %{time->} %{hfld2->} %{hfld1->} qsfp %{p0}", processor_chain([ - setc("header_id","9994"), - setc("messageid","qsfp"), - call({ - dest: "nwparser.payload", - fn: STRCAT, - args: [ - field("hfld2"), - constant(" "), - field("hfld1"), - constant(" qsfp "), - field("p0"), - ], - }), - ])); - - var hdr41 = match("HEADER#42:9999", "message", "%{month->} %{day->} %{time->} %{hhost->} %{process}[%{process_id}]: %{hevent_type}: %{p0}", processor_chain([ - setc("header_id","9999"), - dup20, - call({ - dest: "nwparser.payload", - fn: STRCAT, - args: [ - field("hevent_type"), - constant(": "), - field("p0"), - ], - }), - ])); - - var hdr42 = match("HEADER#43:9998", "message", "%{month->} %{day->} %{time->} %{hfld2->} %{process}: %{p0}", processor_chain([ - setc("header_id","9998"), - dup20, - call({ - dest: "nwparser.payload", - fn: STRCAT, - args: [ - field("hfld2"), - constant(" "), - field("process"), - constant(": "), - field("p0"), - ], - }), - ])); - - var select5 = linear_select([ - hdr1, - hdr2, - hdr3, - all1, - all2, - hdr4, - hdr5, - hdr6, - hdr7, - hdr8, - hdr9, - hdr10, - hdr11, - hdr12, - hdr13, - all3, - all4, - all5, - hdr15, - hdr16, - hdr17, - hdr18, - hdr19, - hdr20, - hdr21, - hdr22, - hdr23, - hdr24, - hdr25, - hdr26, - hdr27, - hdr28, - hdr29, - hdr30, - hdr31, - hdr32, - hdr33, - hdr34, - all6, - all7, - hdr39, - hdr40, - hdr41, - hdr42, - ]); - - var 
part12 = match("MESSAGE#0:/usr/sbin/sshd", "nwparser.payload", "%{process}[%{process_id}]: %{agent}[%{id}]: exit status %{result}", processor_chain([ - dup21, - dup22, - setc("event_description","sshd exit status"), - dup23, - ])); - - var msg1 = msg("/usr/sbin/sshd", part12); - - var part13 = match("MESSAGE#1:/usr/libexec/telnetd", "nwparser.payload", "%{process}[%{process_id}]: %{agent}[%{id}]: exit status %{result}", processor_chain([ - dup21, - dup22, - setc("event_description","telnetd exit status"), - dup23, - ])); - - var msg2 = msg("/usr/libexec/telnetd", part13); - - var part14 = match("MESSAGE#2:alarmd", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: License color=%{severity}, class=%{device}, reason=%{result}", processor_chain([ - dup21, - dup22, - setc("event_description","Alarm Set or Cleared"), - dup23, - ])); - - var msg3 = msg("alarmd", part14); - - var part15 = match("MESSAGE#3:bigd", "nwparser.payload", "%{process}: Node detected UP for %{node}", processor_chain([ - dup21, - dup22, - setc("event_description","Node detected UP"), - dup23, - ])); - - var msg4 = msg("bigd", part15); - - var part16 = match("MESSAGE#4:bigd:01", "nwparser.payload", "%{process}: Monitor template id is %{id}", processor_chain([ - dup21, - dup22, - setc("event_description","Monitor template id"), - dup23, - ])); - - var msg5 = msg("bigd:01", part16); - - var select6 = linear_select([ - msg4, - msg5, - ]); - - var part17 = match("MESSAGE#5:bigpipe", "nwparser.payload", "%{process}: Loading the configuration file %(unknown)", processor_chain([ - dup21, - dup22, - setc("event_description","Loading configuration file"), - dup23, - ])); - - var msg6 = msg("bigpipe", part17); - - var part18 = match("MESSAGE#6:bigpipe:01", "nwparser.payload", "%{process}: Begin config install operation %{action}", processor_chain([ - dup21, - dup22, - setc("event_description","Begin config install operation"), - dup23, - ])); - - var msg7 = msg("bigpipe:01", part18); - - var 
part19 = match("MESSAGE#7:bigpipe:02", "nwparser.payload", "%{process}: AUDIT -- Action %{action->} User: %{username}", processor_chain([ - dup21, - dup22, - setc("event_description","Audit"), - dup23, - ])); - - var msg8 = msg("bigpipe:02", part19); - - var select7 = linear_select([ - msg6, - msg7, - msg8, - ]); - - var part20 = match("MESSAGE#8:bigstart", "nwparser.payload", "%{process}: shutdown %{service}", processor_chain([ - dup21, - dup22, - setc("event_description","portal shutdown"), - dup23, - ])); - - var msg9 = msg("bigstart", part20); - - var part21 = match("MESSAGE#9:cgatool", "nwparser.payload", "%{process}: %{event_type}: generated address is %{result}", processor_chain([ - dup21, - dup22, - setc("event_description","cga address genration"), - dup23, - ])); - - var msg10 = msg("cgatool", part21); - - var part22 = match("MESSAGE#10:chassisd:01", "nwparser.payload", "%{process}[%{process_id}]:%{fld12}", processor_chain([ - dup21, - dup22, - dup23, - dup24, - ])); - - var msg11 = msg("chassisd:01", part22); - - var part23 = match("MESSAGE#11:checkd", "nwparser.payload", "%{process}: AUDIT -- Action %{action->} User: %{username}", processor_chain([ - dup21, - dup22, - dup25, - dup23, - ])); - - var msg12 = msg("checkd", part23); - - var part24 = match("MESSAGE#12:checkd:01", "nwparser.payload", "%{process}: exiting", processor_chain([ - dup21, - dup22, - setc("event_description","checkd exiting"), - dup23, - ])); - - var msg13 = msg("checkd:01", part24); - - var select8 = linear_select([ - msg12, - msg13, - ]); - - var part25 = match("MESSAGE#13:cosd", "nwparser.payload", "%{process}[%{process_id}]: link protection %{dclass_counter1->} for intf %{interface}", processor_chain([ - dup21, - dup22, - setc("event_description","link protection for interface"), - dup23, - ])); - - var msg14 = msg("cosd", part25); - - var part26 = match("MESSAGE#14:craftd", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}, %{result}", processor_chain([ - dup21, - 
dup22, - setc("event_description","License expiration warning"), - dup23, - ])); - - var msg15 = msg("craftd", part26); - - var part27 = match("MESSAGE#15:CRON/0", "nwparser.payload", "%{process}[%{process_id}]: (%{username}) %{p0}"); - - var part28 = match("MESSAGE#15:CRON/1_0", "nwparser.p0", "CMD (%{result})"); - - var part29 = match("MESSAGE#15:CRON/1_1", "nwparser.p0", "cmd='%{result}'"); - - var select9 = linear_select([ - part28, - part29, - ]); - - var all8 = all_match({ - processors: [ - part27, - select9, - ], - on_success: processor_chain([ - dup21, - dup22, - dup26, - dup23, - ]), - }); - - var msg16 = msg("CRON", all8); - - var part30 = match("MESSAGE#16:Cmerror/0_0", "nwparser.payload", "%{hostname->} %{node}Cmerror: Level%{level}count increment %{dclass_counter1->} %{fld1}"); - - var part31 = match_copy("MESSAGE#16:Cmerror/0_1", "nwparser.payload", "fld2"); - - var select10 = linear_select([ - part30, - part31, - ]); - - var all9 = all_match({ - processors: [ - select10, - ], - on_success: processor_chain([ - dup21, - dup23, - dup22, - ]), - }); - - var msg17 = msg("Cmerror", all9); - - var part32 = match("MESSAGE#17:cron", "nwparser.payload", "%{process}[%{process_id}]: (%{username}) %{action->} (%(unknown))", processor_chain([ - dup21, - dup22, - setc("event_description","cron RELOAD"), - dup23, - ])); - - var msg18 = msg("cron", part32); - - var part33 = match("MESSAGE#18:CROND", "nwparser.payload", "%{process}[%{process_id}]: (%{username}) CMD (%{action})", processor_chain([ - dup21, - dup22, - dup23, - dup24, - ])); - - var msg19 = msg("CROND", part33); - - var part34 = match("MESSAGE#20:CROND:02", "nwparser.payload", "%{process}[%{process_id}]: pam_unix(crond:session): session closed for user %{username}", processor_chain([ - dup27, - dup22, - dup23, - dup24, - ])); - - var msg20 = msg("CROND:02", part34); - - var select11 = linear_select([ - msg19, - msg20, - ]); - - var part35 = match("MESSAGE#19:crond:01", "nwparser.payload", 
"%{process}[%{process_id}]: pam_unix(crond:session): session opened for user %{username->} by (uid=%{uid})", processor_chain([
- dup28,
- dup22,
- dup23,
- dup24,
- ]));
-
- var msg21 = msg("crond:01", part35);
-
- var part36 = match("MESSAGE#21:dcd", "nwparser.payload", "%{process}[%{process_id}]: %{result->} Setting ignored, %{info}", processor_chain([
- dup21,
- dup22,
- setc("event_description","Setting ignored"),
- dup23,
- ]));
-
- var msg22 = msg("dcd", part36);
-
- var part37 = match("MESSAGE#22:EVENT/0", "nwparser.payload", "%{process}[%{process_id}]: EVENT %{event_type->} %{interface->} index %{resultcode->} %{p0}");
-
- var part38 = match("MESSAGE#22:EVENT/1_0", "nwparser.p0", "%{saddr->} -> %{daddr->} \u003c\u003c%{p0}");
-
- var part39 = match("MESSAGE#22:EVENT/1_1", "nwparser.p0", "\u003c\u003c%{p0}");
-
- var select12 = linear_select([
- part38,
- part39,
- ]);
-
- var part40 = match("MESSAGE#22:EVENT/2", "nwparser.p0", ">%{result}");
-
- var all10 = all_match({
- processors: [
- part37,
- select12,
- part40,
- ],
- on_success: processor_chain([
- dup21,
- dup22,
- setc("event_description","EVENT"),
- dup23,
- ]),
- });
-
- var msg23 = msg("EVENT", all10);
-
- var part41 = match("MESSAGE#23:ftpd", "nwparser.payload", "%{process}[%{process_id}]: connection from %{saddr->} (%{shost})", processor_chain([
- setc("eventcategory","1802000000"),
- dup22,
- setc("event_description","ftpd connection"),
- dup23,
- ]));
-
- var msg24 = msg("ftpd", part41);
-
- var part42 = match("MESSAGE#24:ha_rto_stats_handler", "nwparser.payload", "%{hostname->} %{node}ha_rto_stats_handler:%{fld12}", processor_chain([
- dup29,
- dup23,
- dup22,
- ]));
-
- var msg25 = msg("ha_rto_stats_handler", part42);
-
- var part43 = match("MESSAGE#25:hostinit", "nwparser.payload", "%{process}: %{obj_name->} -- LDAP Connection not bound correctly. %{info}", processor_chain([
- dup21,
- dup22,
- setc("event_description","LDAP Connection not bound correctly"),
- dup23,
- ]));
-
- var msg26 = msg("hostinit", part43);
-
- var part44 = match("MESSAGE#26:ifinfo", "nwparser.payload", "%{process}: %{service}: PIC_INFO debug> Added entry - %{info}", processor_chain([
- dup21,
- dup22,
- setc("event_description","PIC_INFO debug - Added entry"),
- dup23,
- ]));
-
- var msg27 = msg("ifinfo", part44);
-
- var part45 = match("MESSAGE#27:ifinfo:01", "nwparser.payload", "%{process}: %{service}: PIC_INFO debug> Initializing spu listtype %{resultcode}", processor_chain([
- dup21,
- dup22,
- setc("event_description","PIC_INFO debug Initializing spu"),
- dup23,
- ]));
-
- var msg28 = msg("ifinfo:01", part45);
-
- var part46 = match("MESSAGE#28:ifinfo:02", "nwparser.payload", "%{process}: %{service}: PIC_INFO debug> %{info}", processor_chain([
- dup21,
- dup22,
- setc("event_description","PIC_INFO debug delete from list"),
- dup23,
- ]));
-
- var msg29 = msg("ifinfo:02", part46);
-
- var select13 = linear_select([
- msg27,
- msg28,
- msg29,
- ]);
-
- var part47 = match("MESSAGE#29:ifp_ifl_anydown_change_event", "nwparser.payload", "%{node->} %{action}> %{process}: IFL anydown change event: \"%{event_type}\"", processor_chain([
- dup21,
- dup22,
- setc("event_description","IFL anydown change event"),
- dup23,
- ]));
-
- var msg30 = msg("ifp_ifl_anydown_change_event", part47);
-
- var part48 = match("MESSAGE#30:ifp_ifl_config_event", "nwparser.payload", "%{node->} %{action}> %{process}: IFL config: \"%(unknown)\"", processor_chain([
- dup21,
- dup22,
- setc("event_description","ifp ifl config_event"),
- dup23,
- ]));
-
- var msg31 = msg("ifp_ifl_config_event", part48);
-
- var part49 = match("MESSAGE#31:ifp_ifl_ext_chg", "nwparser.payload", "%{node->} %{process}: ifp ext piid %{parent_pid->} zone_id %{zone}", processor_chain([
- dup21,
- dup22,
- setc("event_description","ifp_ifl_ext_chg"),
- dup23,
- ]));
-
- var msg32 = msg("ifp_ifl_ext_chg", part49);
-
- var part50 = match("MESSAGE#32:inetd", "nwparser.payload", "%{process}[%{process_id}]: %{protocol->} from %{saddr->} exceeded counts/min (%{result})", processor_chain([
- dup30,
- dup22,
- setc("event_description","connection exceeded count limit"),
- dup23,
- ]));
-
- var msg33 = msg("inetd", part50);
-
- var part51 = match("MESSAGE#33:inetd:01", "nwparser.payload", "%{process}[%{process_id}]: %{agent}[%{id}]: exited, status %{result}", processor_chain([
- dup30,
- dup22,
- setc("event_description","exited"),
- dup23,
- ]));
-
- var msg34 = msg("inetd:01", part51);
-
- var select14 = linear_select([
- msg33,
- msg34,
- ]);
-
- var part52 = match("MESSAGE#34:init:04", "nwparser.payload", "%{process}: %{event_type->} current_mode=%{protocol}, requested_mode=%{result}, cmd=%{action}", processor_chain([
- dup21,
- dup22,
- dup31,
- dup23,
- ]));
-
- var msg35 = msg("init:04", part52);
-
- var part53 = match("MESSAGE#35:init", "nwparser.payload", "%{process}: %{event_type->} mode=%{protocol->} cmd=%{action->} master_mode=%{result}", processor_chain([
- dup21,
- dup22,
- dup31,
- dup23,
- ]));
-
- var msg36 = msg("init", part53);
-
- var part54 = match("MESSAGE#36:init:01", "nwparser.payload", "%{process}: failure target for routing set to %{result}", processor_chain([
- dup21,
- dup22,
- setc("event_description","failure target for routing set"),
- dup23,
- ]));
-
- var msg37 = msg("init:01", part54);
-
- var part55 = match("MESSAGE#37:init:02", "nwparser.payload", "%{process}: ntp (PID %{child_pid}) started", processor_chain([
- dup21,
- dup22,
- setc("event_description","ntp started"),
- dup23,
- ]));
-
- var msg38 = msg("init:02", part55);
-
- var part56 = match("MESSAGE#38:init:03", "nwparser.payload", "%{process}: product mask %{info->} model %{dclass_counter1}", processor_chain([
- dup21,
- dup22,
- setc("event_description","product mask and model info"),
- dup23,
- ]));
-
- var msg39 = msg("init:03", part56);
-
- var select15 = linear_select([
- msg35,
- msg36,
- msg37,
- msg38,
- msg39,
- ]);
-
- var part57 = match("MESSAGE#39:ipc_msg_write", "nwparser.payload", "%{node->} %{process}: IPC message type: %{event_type}, subtype: %{resultcode->} exceeds MTU, mtu %{dclass_counter1}, length %{dclass_counter2}", processor_chain([
- dup30,
- dup22,
- setc("event_description","IPC message exceeds MTU"),
- dup23,
- ]));
-
- var msg40 = msg("ipc_msg_write", part57);
-
- var part58 = match("MESSAGE#40:connection_established", "nwparser.payload", "%{process}: %{service}: conn established: listener idx=%{dclass_counter1->} tnpaddr=%{dclass_counter2}", processor_chain([
- dup28,
- dup22,
- setc("event_description","listener connection established"),
- dup23,
- ]));
-
- var msg41 = msg("connection_established", part58);
-
- var part59 = match("MESSAGE#41:connection_dropped/0", "nwparser.payload", "%{process}: %{p0}");
-
- var part60 = match("MESSAGE#41:connection_dropped/1_0", "nwparser.p0", "%{result}, connection dropped - src %{saddr}:%{sport->} dest %{daddr}:%{dport}");
-
- var part61 = match("MESSAGE#41:connection_dropped/1_1", "nwparser.p0", "%{result}: conn dropped: listener idx=%{dclass_counter1->} tnpaddr=%{dclass_counter2}");
-
- var select16 = linear_select([
- part60,
- part61,
- ]);
-
- var all11 = all_match({
- processors: [
- part59,
- select16,
- ],
- on_success: processor_chain([
- dup27,
- dup22,
- setc("event_description","connection dropped"),
- dup23,
- ]),
- });
-
- var msg42 = msg("connection_dropped", all11);
-
- var part62 = match("MESSAGE#42:kernel", "nwparser.payload", "%{process}: %{interface}: Asserting SONET alarm(s) %{info}", processor_chain([
- dup21,
- dup22,
- setc("event_description","Asserting SONET alarm(s)"),
- dup23,
- ]));
-
- var msg43 = msg("kernel", part62);
-
- var part63 = match("MESSAGE#43:kernel:01", "nwparser.payload", "%{process}: %{interface->} down: %{result}.", processor_chain([
- dup21,
- dup22,
- setc("event_description","interface down"),
- dup23,
- ]));
-
- var msg44 = msg("kernel:01", part63);
-
- var part64 = match("MESSAGE#44:kernel:02", "nwparser.payload", "%{process}: %{interface}: loopback suspected; %{result}", processor_chain([
- dup21,
- dup22,
- setc("event_description","loopback suspected om interface"),
- dup23,
- ]));
-
- var msg45 = msg("kernel:02", part64);
-
- var part65 = match("MESSAGE#45:kernel:03", "nwparser.payload", "%{process}: %{service}: soreceive() error %{resultcode}", processor_chain([
- dup30,
- dup22,
- setc("event_description","soreceive error"),
- dup23,
- ]));
-
- var msg46 = msg("kernel:03", part65);
-
- var part66 = match("MESSAGE#46:kernel:04", "nwparser.payload", "%{process}: %{service->} !VALID(state 4)->%{result}", processor_chain([
- dup21,
- dup22,
- setc("event_description","pfe_peer_alloc state 4"),
- dup23,
- ]));
-
- var msg47 = msg("kernel:04", part66);
-
- var part67 = match("MESSAGE#47:kernel:05", "nwparser.payload", "%{fld1->} %{hostip->} (%{fld2}) %{fld3->} %{process}[%{process_id}]: NTP Server %{result}", processor_chain([
- dup21,
- dup22,
- dup32,
- dup23,
- ]));
-
- var msg48 = msg("kernel:05", part67);
-
- var part68 = match("MESSAGE#48:kernel:06", "nwparser.payload", "%{fld1->} %{hostip->} %{process}[%{process_id}]: NTP Server %{result}", processor_chain([
- dup21,
- dup22,
- dup32,
- dup23,
- ]));
-
- var msg49 = msg("kernel:06", part68);
-
- var select17 = linear_select([
- msg41,
- msg42,
- msg43,
- msg44,
- msg45,
- msg46,
- msg47,
- msg48,
- msg49,
- ]);
-
- var part69 = match("MESSAGE#49:successful_login", "nwparser.payload", "%{process}: login from %{saddr->} on %{interface->} as %{username}", processor_chain([
- dup33,
- dup34,
- dup35,
- dup36,
- dup37,
- dup22,
- setc("event_description","successful user login"),
- dup23,
- ]));
-
- var msg50 = msg("successful_login", part69);
-
- var part70 = match("MESSAGE#50:login_attempt", "nwparser.payload", "%{process}: Login attempt for user %{username->} from host %{hostip}", processor_chain([
- dup33,
- dup34,
- dup35,
- dup36,
- dup22,
- setc("event_description","user login attempt"),
- dup23,
- ]));
-
- var msg51 = msg("login_attempt", part70);
-
- var part71 = match("MESSAGE#51:login", "nwparser.payload", "%{process}: PAM module %{dclass_counter1->} returned: %{space}[%{resultcode}]%{result}", processor_chain([
- dup33,
- dup34,
- dup37,
- dup22,
- setc("event_description","PAM module return from login"),
- dup23,
- ]));
-
- var msg52 = msg("login", part71);
-
- var select18 = linear_select([
- msg50,
- msg51,
- msg52,
- ]);
-
- var part72 = match("MESSAGE#52:lsys_ssam_handler", "nwparser.payload", "%{node->} %{process}: processing lsys root-logical-system %{info}", processor_chain([
- dup21,
- dup22,
- setc("event_description","processing lsys root-logical-system"),
- dup23,
- ]));
-
- var msg53 = msg("lsys_ssam_handler", part72);
-
- var part73 = match("MESSAGE#53:mcsn", "nwparser.payload", "%{process}[%{process_id}]: Removing mif from group [%{group}] %{space->} %{result}", processor_chain([
- dup21,
- dup22,
- setc("event_description","Removing mif from group"),
- dup23,
- ]));
-
- var msg54 = msg("mcsn", part73);
-
- var part74 = match("MESSAGE#54:mrvl_dfw_log_effuse_status", "nwparser.payload", "%{process}: Firewall rows could not be redirected on device %{device}.", processor_chain([
- dup30,
- dup22,
- setc("event_description","Firewall rows could not be redirected on device"),
- dup23,
- ]));
-
- var msg55 = msg("mrvl_dfw_log_effuse_status", part74);
-
- var part75 = match("MESSAGE#55:MRVL-L2", "nwparser.payload", "%{process}:%{action}(),%{process_id}:MFilter (%{filter}) already exists", processor_chain([
- dup30,
- dup22,
- setc("event_description","mfilter already exists for add"),
- dup23,
- ]));
-
- var msg56 = msg("MRVL-L2", part75);
-
- var part76 = match("MESSAGE#56:profile_ssam_handler", "nwparser.payload", "%{node->} %{process}: processing profile SP-root %{info}", processor_chain([
- dup21,
- dup22,
- setc("event_description","processing profile SP-root"),
- dup23,
- ]));
-
- var msg57 = msg("profile_ssam_handler", part76);
-
- var part77 = match("MESSAGE#57:pst_nat_binding_set_profile", "nwparser.payload", "%{node->} %{process}: %{event_source}: can't get resource bucket %{dclass_counter1}", processor_chain([
- dup30,
- dup22,
- setc("event_description","can't get resource bucket"),
- dup23,
- ]));
-
- var msg58 = msg("pst_nat_binding_set_profile", part77);
-
- var part78 = match("MESSAGE#58:task_reconfigure", "nwparser.payload", "%{process}[%{process_id}]: task_reconfigure %{action}", processor_chain([
- dup21,
- dup22,
- setc("event_description","reinitializing done"),
- dup23,
- ]));
-
- var msg59 = msg("task_reconfigure", part78);
-
- var part79 = match("MESSAGE#59:tnetd/0_0", "nwparser.payload", "%{process}[%{process_id}]:%{service}[%{fld1}]: exit status%{resultcode}");
-
- var part80 = match_copy("MESSAGE#59:tnetd/0_1", "nwparser.payload", "fld3");
-
- var select19 = linear_select([
- part79,
- part80,
- ]);
-
- var all12 = all_match({
- processors: [
- select19,
- ],
- on_success: processor_chain([
- dup21,
- dup22,
- dup23,
- dup24,
- ]),
- });
-
- var msg60 = msg("tnetd", all12);
-
- var part81 = match("MESSAGE#60:PFEMAN", "nwparser.payload", "%{process}: Session manager active", processor_chain([
- dup21,
- dup22,
- setc("event_description","Session manager active"),
- dup23,
- ]));
-
- var msg61 = msg("PFEMAN", part81);
-
- var part82 = match("MESSAGE#61:mgd", "nwparser.payload", "%{process}[%{process_id}]: Could not send message to %{service}", processor_chain([
- dup30,
- dup22,
- setc("event_description","Could not send message to service"),
- dup23,
- ]));
-
- var msg62 = msg("mgd", part82);
-
- var part83 = match("MESSAGE#62:Resolve", "nwparser.payload", "Resolve request came for an address matching on Wrong nh nh:%{result}, %{info}", processor_chain([
- dup21,
- dup22,
- setc("event_description","Resolve request came for an address matching on Wrong nh"),
- dup23,
- ]));
-
- var msg63 = msg("Resolve", part83);
-
- var part84 = match("MESSAGE#63:respawn", "nwparser.payload", "%{process}: %{service->} exited with status = %{resultcode}", processor_chain([
- dup21,
- dup22,
- setc("event_description","service exited with status"),
- dup23,
- ]));
-
- var msg64 = msg("respawn", part84);
-
- var part85 = match("MESSAGE#64:root", "nwparser.payload", "%{process}: %{node}: This system does not have 3-DNS or Link Controller enabled", processor_chain([
- dup30,
- dup22,
- setc("event_description","system does not have 3-DNS or Link Controller enabled"),
- dup23,
- ]));
-
- var msg65 = msg("root", part85);
-
- var part86 = match("MESSAGE#65:rpd", "nwparser.payload", "%{process}[%{process_id}]: Received %{result->} for intf device %{interface}; mc_ae_id %{dclass_counter1}, status %{resultcode}", processor_chain([
- dup21,
- dup22,
- setc("event_description","Received data for interface"),
- dup23,
- ]));
-
- var msg66 = msg("rpd", part86);
-
- var part87 = match("MESSAGE#66:rpd:01", "nwparser.payload", "%{process}[%{process_id}]: RSVP neighbor %{daddr->} up on interface %{interface}", processor_chain([
- dup21,
- dup22,
- setc("event_description","RSVP neighbor up on interface "),
- dup23,
- ]));
-
- var msg67 = msg("rpd:01", part87);
-
- var part88 = match("MESSAGE#67:rpd:02", "nwparser.payload", "%{process}[%{process_id}]: %{saddr->} (%{shost}): reseting pending active connection", processor_chain([
- dup21,
- dup22,
- setc("event_description","reseting pending active connection"),
- dup23,
- ]));
-
- var msg68 = msg("rpd:02", part88);
-
- var part89 = match("MESSAGE#68:rpd_proceeding", "nwparser.payload", "%{process}: proceeding. %{param}", processor_chain([
- dup21,
- dup22,
- dup38,
- dup23,
- ]));
-
- var msg69 = msg("rpd_proceeding", part89);
-
- var select20 = linear_select([
- msg66,
- msg67,
- msg68,
- msg69,
- ]);
-
- var part90 = match("MESSAGE#69:rshd", "nwparser.payload", "%{process}[%{process_id}]: %{username->} as root: cmd='%{action}'", processor_chain([
- dup21,
- dup22,
- setc("event_description","user issuing command as root"),
- dup23,
- ]));
-
- var msg70 = msg("rshd", part90);
-
- var part91 = match("MESSAGE#70:sfd", "nwparser.payload", "%{process}: Waiting on accept", processor_chain([
- dup21,
- dup22,
- setc("event_description","sfd waiting on accept"),
- dup23,
- ]));
-
- var msg71 = msg("sfd", part91);
-
- var part92 = match("MESSAGE#71:sshd", "nwparser.payload", "%{process}[%{process_id}]: Accepted password for %{username->} from %{saddr->} port %{sport->} %{protocol}", processor_chain([
- dup33,
- dup34,
- dup35,
- dup36,
- dup37,
- dup22,
- setc("event_description","Accepted password"),
- dup23,
- ]));
-
- var msg72 = msg("sshd", part92);
-
- var part93 = match("MESSAGE#73:sshd:02", "nwparser.payload", "%{process}[%{process_id}]: Received disconnect from %{shost}: %{fld1}: %{result}", processor_chain([
- dup27,
- dup22,
- setc("event_description","Received disconnect"),
- dup23,
- ]));
-
- var msg73 = msg("sshd:02", part93);
-
- var part94 = match("MESSAGE#74:sshd:03", "nwparser.payload", "%{process}[%{process_id}]: Did not receive identification string from %{saddr}", processor_chain([
- dup30,
- dup22,
- setc("result","no identification string"),
- setc("event_description","Did not receive identification string from peer"),
- dup23,
- ]));
-
- var msg74 = msg("sshd:03", part94);
-
- var part95 = match("MESSAGE#75:sshd:04", "nwparser.payload", "%{process}[%{process_id}]: Could not write ident string to %{dhost}", processor_chain([
- dup30,
- dup22,
- setc("event_description","Could not write ident string"),
- dup23,
- ]));
-
- var msg75 = msg("sshd:04", part95);
-
- var part96 = match("MESSAGE#76:sshd:05", "nwparser.payload", "%{process}[%{process_id}]: subsystem request for netconf", processor_chain([
- dup21,
- dup22,
- setc("event_description","subsystem request for netconf"),
- dup23,
- ]));
-
- var msg76 = msg("sshd:05", part96);
-
- var part97 = match("MESSAGE#77:sshd:06/2", "nwparser.p0", "sendmsg to %{saddr}(%{shost}).%{sport}: %{info}");
-
- var all13 = all_match({
- processors: [
- dup39,
- dup137,
- part97,
- ],
- on_success: processor_chain([
- dup29,
- dup22,
- setc("event_description","send message stats"),
- dup23,
- ]),
- });
-
- var msg77 = msg("sshd:06", all13);
-
- var part98 = match("MESSAGE#78:sshd:07/2", "nwparser.p0", "Added radius server %{saddr}(%{shost})");
-
- var all14 = all_match({
- processors: [
- dup39,
- dup137,
- part98,
- ],
- on_success: processor_chain([
- dup42,
- setc("ec_theme","Configuration"),
- setc("ec_activity","Modify"),
- dup37,
- dup22,
- setc("event_description","Added radius server"),
- dup23,
- ]),
- });
-
- var msg78 = msg("sshd:07", all14);
-
- var part99 = match("MESSAGE#79:sshd:08", "nwparser.payload", "%{process}[%{process_id}]: %{result}: %{space->} [%{resultcode}]authentication error", processor_chain([
- setc("eventcategory","1301020000"),
- dup34,
- dup43,
- dup22,
- setc("event_description","authentication error"),
- dup23,
- ]));
-
- var msg79 = msg("sshd:08", part99);
-
- var part100 = match("MESSAGE#80:sshd:09", "nwparser.payload", "%{process}[%{process_id}]: unrecognized attribute in %{policyname}: %{change_attribute}", processor_chain([
- dup30,
- dup22,
- setc("event_description","unrecognized attribute in policy"),
- dup23,
- ]));
-
- var msg80 = msg("sshd:09", part100);
-
- var part101 = match("MESSAGE#81:sshd:10", "nwparser.payload", "%{process}: PAM module %{dclass_counter1->} returned: %{space}[%{resultcode}]%{result}", processor_chain([
- dup44,
- dup34,
- dup43,
- dup22,
- setc("event_description","PAM module return from sshd"),
- dup23,
- ]));
-
- var msg81 = msg("sshd:10", part101);
-
- var part102 = match("MESSAGE#82:sshd:11", "nwparser.payload", "%{process}: PAM authentication chain returned: %{space}[%{resultcode}]%{result}", processor_chain([
- dup44,
- dup34,
- dup43,
- dup22,
- setc("event_description","PAM authentication chain return"),
- dup23,
- ]));
-
- var msg82 = msg("sshd:11", part102);
-
- var part103 = match("MESSAGE#83:sshd:12", "nwparser.payload", "%{process}: %{severity}: can't get client address: %{result}", processor_chain([
- dup30,
- dup22,
- setc("event_description","can't get client address"),
- dup23,
- ]));
-
- var msg83 = msg("sshd:12", part103);
-
- var part104 = match("MESSAGE#84:sshd:13", "nwparser.payload", "%{process}: auth server unresponsive", processor_chain([
- dup30,
- dup22,
- setc("event_description","auth server unresponsive"),
- dup23,
- ]));
-
- var msg84 = msg("sshd:13", part104);
-
- var part105 = match("MESSAGE#85:sshd:14", "nwparser.payload", "%{process}: %{service}: No valid RADIUS responses received", processor_chain([
- dup30,
- dup22,
- setc("event_description","No valid RADIUS responses received"),
- dup23,
- ]));
-
- var msg85 = msg("sshd:14", part105);
-
- var part106 = match("MESSAGE#86:sshd:15", "nwparser.payload", "%{process}: Moving to next server: %{saddr}(%{shost}).%{sport}", processor_chain([
- dup21,
- dup22,
- setc("event_description","Moving to next server"),
- dup23,
- ]));
-
- var msg86 = msg("sshd:15", part106);
-
- var part107 = match("MESSAGE#87:sshd:16", "nwparser.payload", "%{fld1->} sshd: SSHD_LOGIN_FAILED: Login failed for user '%{username}' from host '%{hostip}'.", processor_chain([
- dup44,
- dup34,
- dup43,
- dup22,
- setc("event_description","Login failed for user"),
- dup23,
- ]));
-
- var msg87 = msg("sshd:16", part107);
-
- var select21 = linear_select([
- msg72,
- msg73,
- msg74,
- msg75,
- msg76,
- msg77,
- msg78,
- msg79,
- msg80,
- msg81,
- msg82,
- msg83,
- msg84,
- msg85,
- msg86,
- msg87,
- ]);
-
- var part108 = match("MESSAGE#72:Failed:05/0", "nwparser.payload", "%{process}[%{process_id}]: Failed password for %{p0}");
-
- var part109 = match("MESSAGE#72:Failed:05/1_0", "nwparser.p0", "illegal user %{p0}");
-
- var part110 = match("MESSAGE#72:Failed:05/1_1", "nwparser.p0", "invalid user %{p0}");
-
- var select22 = linear_select([
- part109,
- part110,
- dup45,
- ]);
-
- var part111 = match("MESSAGE#72:Failed:05/2", "nwparser.p0", "%{username->} from %{saddr->} port %{sport->} %{protocol}");
-
- var all15 = all_match({
- processors: [
- part108,
- select22,
- part111,
- ],
- on_success: processor_chain([
- dup44,
- dup34,
- dup35,
- dup36,
- dup43,
- dup22,
- setc("event_description","authentication failure"),
- dup23,
- ]),
- });
-
- var msg88 = msg("Failed:05", all15);
-
- var part112 = match("MESSAGE#746:Failed/0", "nwparser.payload", "%{hostname->} %{process}[%{process_id}]: Failed to resolve ipv%{p0}");
-
- var part113 = match("MESSAGE#746:Failed/1_0", "nwparser.p0", "4%{p0}");
-
- var part114 = match("MESSAGE#746:Failed/1_1", "nwparser.p0", "6%{p0}");
-
- var select23 = linear_select([
- part113,
- part114,
- ]);
-
- var part115 = match("MESSAGE#746:Failed/2", "nwparser.p0", "%{}addresses for domain name %{sdomain}");
-
- var all16 = all_match({
- processors: [
- part112,
- select23,
- part115,
- ],
- on_success: processor_chain([
- dup46,
- dup47,
- dup23,
- dup22,
- ]),
- });
-
- var msg89 = msg("Failed", all16);
-
- var part116 = match("MESSAGE#767:Failed:01", "nwparser.payload", "%{hostname->} %{process}[%{process_id}]: %{fld1}", processor_chain([
- dup46,
- dup23,
- dup22,
- ]));
-
- var msg90 = msg("Failed:01", part116);
-
- var part117 = match("MESSAGE#768:Failed:02/0_0", "nwparser.payload", "%{fld1->} to create a route if table for Multiservice");
-
- var part118 = match_copy("MESSAGE#768:Failed:02/0_1", "nwparser.payload", "fld10");
-
- var select24 = linear_select([
- part117,
- part118,
- ]);
-
- var all17 = all_match({
- processors: [
- select24,
- ],
- on_success: processor_chain([
- dup46,
- dup23,
- dup22,
- setf("hostname","hfld1"),
- ]),
- });
-
- var msg91 = msg("Failed:02", all17);
-
- var select25 = linear_select([
- msg88,
- msg89,
- msg90,
- msg91,
- ]);
-
- var part119 = match("MESSAGE#88:syslogd", "nwparser.payload", "%{process}: restart", processor_chain([
- dup21,
- dup22,
- setc("event_description","syslog daemon restart"),
- dup23,
- ]));
-
- var msg92 = msg("syslogd", part119);
-
- var part120 = match("MESSAGE#89:ucd-snmp", "nwparser.payload", "%{process}[%{process_id}]: AUDIT -- Action %{action->} User: %{username}", processor_chain([
- dup21,
- dup22,
- dup25,
- dup23,
- ]));
-
- var msg93 = msg("ucd-snmp", part120);
-
- var part121 = match("MESSAGE#90:ucd-snmp:01", "nwparser.payload", "%{process}[%{process_id}]: Received TERM or STOP signal %{space->} %{result}.", processor_chain([
- dup21,
- dup22,
- setc("event_description","Received TERM or STOP signal"),
- dup23,
- ]));
-
- var msg94 = msg("ucd-snmp:01", part121);
-
- var select26 = linear_select([
- msg93,
- msg94,
- ]);
-
- var part122 = match("MESSAGE#91:usp_ipc_client_reconnect", "nwparser.payload", "%{node->} %{process}: failed to connect to the server: %{result->} (%{resultcode})", processor_chain([
- dup27,
- dup22,
- setc("event_description","failed to connect to the server"),
- dup23,
- ]));
-
- var msg95 = msg("usp_ipc_client_reconnect", part122);
-
- var part123 = match("MESSAGE#92:usp_trace_ipc_disconnect", "nwparser.payload", "%{node->} %{process}:Trace client disconnected. %{result}", processor_chain([
- dup27,
- dup22,
- setc("event_description","Trace client disconnected"),
- dup23,
- ]));
-
- var msg96 = msg("usp_trace_ipc_disconnect", part123);
-
- var part124 = match("MESSAGE#93:usp_trace_ipc_reconnect", "nwparser.payload", "%{node->} %{process}:USP trace client cannot reconnect to server", processor_chain([
- dup30,
- dup22,
- setc("event_description","USP trace client cannot reconnect to server"),
- dup23,
- ]));
-
- var msg97 = msg("usp_trace_ipc_reconnect", part124);
-
- var part125 = match("MESSAGE#94:uspinfo", "nwparser.payload", "%{process}: flow_print_session_summary_output received %{info}", processor_chain([
- dup21,
- dup22,
- setc("event_description","flow_print_session_summary_output received"),
- dup23,
- ]));
-
- var msg98 = msg("uspinfo", part125);
-
- var part126 = match("MESSAGE#95:Version", "nwparser.payload", "Version %{version->} by builder on %{event_time_string}", processor_chain([
- dup21,
- dup22,
- setc("event_description","Version build date"),
- dup23,
- ]));
-
- var msg99 = msg("Version", part126);
-
- var part127 = match("MESSAGE#96:xntpd", "nwparser.payload", "%{process}[%{process_id}]: frequency initialized %{result->} from %(unknown)", processor_chain([
- dup21,
- dup22,
- setc("event_description","frequency initialized from file"),
- dup23,
- ]));
-
- var msg100 = msg("xntpd", part127);
-
- var part128 = match("MESSAGE#97:xntpd:01", "nwparser.payload", "%{process}[%{process_id}]: ntpd %{version->} %{event_time_string->} (%{resultcode})", processor_chain([
- dup21,
- dup22,
- setc("event_description","nptd version build"),
- dup23,
- ]));
-
- var msg101 = msg("xntpd:01", part128);
-
- var part129 = match("MESSAGE#98:xntpd:02", "nwparser.payload", "%{process}: kernel time sync enabled %{result}", processor_chain([
- dup21,
- dup22,
- setc("event_description","kernel time sync enabled"),
- dup23,
- ]));
-
- var msg102 = msg("xntpd:02", part129);
-
- var part130 = match("MESSAGE#99:xntpd:03", "nwparser.payload", "%{process}[%{process_id}]: NTP Server %{result}", processor_chain([
- dup21,
- dup22,
- dup32,
- dup23,
- ]));
-
- var msg103 = msg("xntpd:03", part130);
-
- var select27 = linear_select([
- msg100,
- msg101,
- msg102,
- msg103,
- ]);
-
- var part131 = match("MESSAGE#100:last", "nwparser.payload", "last message repeated %{dclass_counter1->} times", processor_chain([
- dup21,
- dup22,
- setc("event_description","last message repeated"),
- dup23,
- ]));
-
- var msg104 = msg("last", part131);
-
- var part132 = match("MESSAGE#739:last:01", "nwparser.payload", "message repeated %{dclass_counter1->} times", processor_chain([
- dup48,
- dup47,
- dup23,
- dup22,
- dup24,
- ]));
-
- var msg105 = msg("last:01", part132);
-
- var select28 = linear_select([
- msg104,
- msg105,
- ]);
-
- var part133 = match("MESSAGE#101:BCHIP", "nwparser.payload", "%{process->} %{device}: cannot write ucode mask reg", processor_chain([
- dup30,
- dup22,
- setc("event_description","cannot write ucode mask reg"),
- dup23,
- ]));
-
- var msg106 = msg("BCHIP", part133);
-
- var part134 = match("MESSAGE#102:CM", "nwparser.payload", "%{process}(%{fld1}): Slot %{device}: On-line", processor_chain([
- dup21,
- dup22,
- setc("event_description","Slot on-line"),
- dup23,
- ]));
-
- var msg107 = msg("CM", part134);
-
- var part135 = match("MESSAGE#103:COS", "nwparser.payload", "%{process}: Received FC->Q map, %{info}", processor_chain([
- dup21,
- dup22,
- setc("event_description","Received FC Q map"),
- dup23,
- ]));
-
- var msg108 = msg("COS", part135);
-
- var part136 = match("MESSAGE#104:COSFPC", "nwparser.payload", "%{process}: ifd %{resultcode}: %{result}", processor_chain([
- dup21,
- dup22,
- setc("event_description","ifd error"),
- dup23,
- ]));
-
- var msg109 = msg("COSFPC", part136);
-
- var part137 = match("MESSAGE#105:COSMAN", "nwparser.payload", "%{process}: %{service}: delete class_to_ifl table %{dclass_counter1}, ifl %{dclass_counter2}", processor_chain([
- dup21,
- dup22,
- setc("event_description","delete class to ifl link"),
- dup23,
- ]));
-
- var msg110 = msg("COSMAN", part137);
-
- var part138 = match("MESSAGE#106:RDP", "nwparser.payload", "%{process}: Keepalive timeout for rdp.(%{interface}).(%{device}) (%{result})", processor_chain([
- dup30,
- dup22,
- setc("event_description","Keepalive timeout"),
- dup23,
- ]));
-
- var msg111 = msg("RDP", part138);
-
- var part139 = match("MESSAGE#107:SNTPD", "nwparser.payload", "%{process}: Initial time of day set", processor_chain([
- dup30,
- dup22,
- setc("event_description","Initial time of day set"),
- dup23,
- ]));
-
- var msg112 = msg("SNTPD", part139);
-
- var part140 = match("MESSAGE#108:SSB", "nwparser.payload", "%{process}(%{fld1}): Slot %{device}, serial number S/N %{serial_number}.", processor_chain([
- dup21,
- dup22,
- setc("event_description","Slot serial number"),
- dup23,
- ]));
-
- var msg113 = msg("SSB", part140);
-
- var part141 = match("MESSAGE#109:ACCT_ACCOUNTING_FERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unexpected error %{result->} from file %(unknown)", processor_chain([
- dup30,
- dup22,
- setc("event_description","Unexpected error"),
- dup23,
- ]));
-
- var msg114 = msg("ACCT_ACCOUNTING_FERROR", part141);
-
- var part142 = match("MESSAGE#110:ACCT_ACCOUNTING_FOPEN_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Failed to open file %(unknown): %{result}", processor_chain([
- dup30,
- dup22,
- setc("event_description","Failed to open file"),
- dup23,
- ]));
-
- var msg115 = msg("ACCT_ACCOUNTING_FOPEN_ERROR", part142);
-
- var part143 = match("MESSAGE#111:ACCT_ACCOUNTING_SMALL_FILE_SIZE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: File %{filename->} size (%{dclass_counter1}) is smaller than record size (%{dclass_counter2})", processor_chain([
- dup49,
- dup22,
- setc("event_description","File size mismatch"),
- dup23,
- ]));
-
- var msg116 = msg("ACCT_ACCOUNTING_SMALL_FILE_SIZE", part143);
-
- var part144 = match("MESSAGE#112:ACCT_BAD_RECORD_FORMAT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Invalid statistics record: %{result}", processor_chain([
- dup49,
- dup22,
- setc("event_description","Invalid statistics record"),
- dup23,
- ]));
-
- var msg117 = msg("ACCT_BAD_RECORD_FORMAT", part144);
-
- var part145 = match("MESSAGE#113:ACCT_CU_RTSLIB_error", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{filename->} getting class usage statistics for interface %{interface}: %{result}", processor_chain([
- dup49,
- dup22,
- setc("event_description","Class usage statistics error for interface"),
- dup23,
- ]));
-
- var msg118 = msg("ACCT_CU_RTSLIB_error", part145);
-
- var part146 = match("MESSAGE#114:ACCT_GETHOSTNAME_error/1_0", "nwparser.p0", "Error %{resultcode->} trying %{p0}");
-
- var part147 = match("MESSAGE#114:ACCT_GETHOSTNAME_error/1_1", "nwparser.p0", "trying %{p0}");
-
- var select29 = linear_select([
- part146,
- part147,
- ]);
-
- var part148 = match("MESSAGE#114:ACCT_GETHOSTNAME_error/2", "nwparser.p0", "to get hostname%{}");
-
- var all18 = all_match({
- processors: [
- dup50,
- select29,
- part148,
- ],
- on_success: processor_chain([
- dup49,
- dup22,
- setc("event_description","error trying to get hostname"),
- dup23,
- ]),
- });
-
- var msg119 = msg("ACCT_GETHOSTNAME_error", all18);
-
- var part149 = match("MESSAGE#115:ACCT_MALLOC_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Memory allocation failed while reallocating %{obj_name}", processor_chain([
- dup51,
- dup22,
- setc("event_description","Memory allocation failure"),
- dup23,
- ]));
-
- var msg120 = msg("ACCT_MALLOC_FAILURE", part149);
-
- var part150 = match("MESSAGE#116:ACCT_UNDEFINED_COUNTER_NAME", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{filename->} in accounting profile %{dclass_counter1->} is not defined in a firewall using this filter profile", processor_chain([
- dup30,
- dup22,
- setc("event_description","Accounting profile counter not defined in firewall"),
- dup23,
- ]));
-
- var msg121 = msg("ACCT_UNDEFINED_COUNTER_NAME", part150);
-
- var part151 = match("MESSAGE#117:ACCT_XFER_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type->} %{result}: %{disposition}", processor_chain([
- dup30,
- dup22,
- setc("event_description","ACCT_XFER_FAILED"),
- dup23,
- ]));
-
- var msg122 = msg("ACCT_XFER_FAILED", part151);
-
- var part152 = match("MESSAGE#118:ACCT_XFER_POPEN_FAIL", "nwparser.payload", "%{process}[%{process_id}]: %{event_type->} %{result}: in invoking command command to transfer file %(unknown)", processor_chain([
- dup30,
- dup22,
- setc("event_description","POPEN FAIL invoking command command to transfer file"),
- dup23,
- ]));
-
- var msg123 = msg("ACCT_XFER_POPEN_FAIL", part152);
-
- var part153 = match("MESSAGE#119:APPQOS_LOG_EVENT", "nwparser.payload", "%{event_type->} [junos@%{obj_name->} timestamp=\"%{result}\" message-type=\"%{info}\" source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" protocol-name=\"%{protocol}\" application-name=\"%{application}\" rule-set-name=\"%{rule_group}\" rule-name=\"%{rulename}\" action=\"%{action}\" argument=\"%{fld2}\" argument1=\"%{fld3}\"]", processor_chain([
- dup28,
- dup22,
- dup52,
- ]));
-
- var msg124 = msg("APPQOS_LOG_EVENT", part153);
-
- var part154 = match("MESSAGE#120:APPTRACK_SESSION_CREATE", "nwparser.payload", "%{event_type}: AppTrack session created %{saddr}/%{sport}->%{daddr}/%{dport->} %{service->} %{protocol->} %{fld11->} %{hostip}/%{network_port}->%{dtransaddr}/%{dtransport->} %{rulename->} %{rule_template->} %{fld12->} %{policyname->} %{src_zone->} %{dst_zone->} %{sessionid->} %{username->} %{fld10}", processor_chain([
- dup28,
- dup53,
- dup54,
- dup22,
- setc("result","AppTrack session created"),
- dup23,
- ]));
-
- var msg125 = msg("APPTRACK_SESSION_CREATE", part154);
-
- var part155 = match("MESSAGE#121:APPTRACK_SESSION_CLOSE", "nwparser.payload", "%{event_type->} [junos@%{obj_name->} reason=\"%{result}\" source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" service-name=\"%{service}\" nat-source-address=\"%{hostip}\" nat-source-port=\"%{network_port}\" nat-destination-address=\"%{dtransaddr}\" nat-destination-port=\"%{dtransport}\" src-nat-rule-name=\"%{rulename}\" dst-nat-rule-name=\"%{rule_template}\" protocol-id=\"%{protocol}\" policy-name=\"%{policyname}\" source-zone-name=\"%{src_zone}\" destination-zone-name=\"%{dst_zone}\" session-id-32=\"%{sessionid}\" packets-from-client=\"%{packets}\" bytes-from-client=\"%{rbytes}\" packets-from-server=\"%{dclass_counter1}\" bytes-from-server=\"%{sbytes}\" elapsed-time=\"%{duration}\"]", processor_chain([
- dup28,
- dup53,
- dup55,
- dup22,
- dup52,
- ]));
-
- var msg126 = msg("APPTRACK_SESSION_CLOSE", part155);
-
- var part156 = match("MESSAGE#122:APPTRACK_SESSION_CLOSE:01", "nwparser.payload", "%{event_type}: %{result}: %{saddr}/%{sport}->%{daddr}/%{dport->} %{service->} %{protocol->} %{fld11->} %{hostip}/%{network_port}->%{dtransaddr}/%{dtransport->} %{rulename->} %{rule_template->} %{fld12->} %{policyname->} %{src_zone->} %{dst_zone->} %{sessionid->} %{packets}(%{rbytes}) %{dclass_counter1}(%{sbytes}) %{duration->} %{username->} %{fld10}", processor_chain([
- dup28,
- dup53,
- dup55,
- dup22,
- dup23,
- ]));
-
- var msg127 = msg("APPTRACK_SESSION_CLOSE:01", part156);
-
- var select30 = linear_select([
- msg126,
- msg127,
- ]);
-
- var part157 = match("MESSAGE#123:APPTRACK_SESSION_VOL_UPDATE", "nwparser.payload", "%{event_type->} [junos@%{obj_name->} source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" service-name=\"%{service}\" nat-source-address=\"%{hostip}\" nat-source-port=\"%{network_port}\" nat-destination-address=\"%{dtransaddr}\" nat-destination-port=\"%{dtransport}\" src-nat-rule-name=\"%{rulename}\" dst-nat-rule-name=\"%{rule_template}\" protocol-id=\"%{protocol}\" policy-name=\"%{policyname}\" source-zone-name=\"%{src_zone}\" destination-zone-name=\"%{dst_zone}\" session-id-32=\"%{sessionid}\" packets-from-client=\"%{packets}\" bytes-from-client=\"%{rbytes}\" packets-from-server=\"%{dclass_counter1}\" bytes-from-server=\"%{sbytes}\" elapsed-time=\"%{duration}\"]", processor_chain([
- dup28,
- dup53,
- dup22,
- dup52,
- ]));
-
- var msg128 = msg("APPTRACK_SESSION_VOL_UPDATE", part157);
-
- var part158 = match("MESSAGE#124:APPTRACK_SESSION_VOL_UPDATE:01", "nwparser.payload", "%{event_type}: %{result}: %{saddr}/%{sport}->%{daddr}/%{dport->} %{service->} %{protocol->} %{fld11->} %{hostip}/%{network_port}->%{dtransaddr}/%{dtransport->} %{rulename->} %{rule_template->} %{fld12->} %{policyname->} %{src_zone->} %{dst_zone->} %{sessionid->} %{packets}(%{rbytes}) %{dclass_counter1}(%{sbytes}) %{duration->} %{username->} %{fld10}", processor_chain([
- dup28,
- dup53,
- dup22,
- dup23,
- ]));
-
- var msg129 = msg("APPTRACK_SESSION_VOL_UPDATE:01", part158);
-
- var select31 = linear_select([
- msg128,
- msg129,
- ]);
-
- var msg130 = msg("BFDD_TRAP_STATE_DOWN", dup138);
-
- var msg131 = msg("BFDD_TRAP_STATE_UP", dup138);
-
- var part159 = match("MESSAGE#127:bgp_connect_start", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: connect %{saddr->} (%{shost}): %{result}", processor_chain([
- dup21,
- dup22,
- setc("event_description","bgp connect error"),
- dup23,
- ]));
-
- var msg132 = msg("bgp_connect_start", part159);
-
- var part160 = match("MESSAGE#128:bgp_event", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: peer %{daddr->} (%{dhost}) old state %{change_old->} event %{action->} new state %{change_new}", processor_chain([
- dup21,
- dup22,
- setc("event_description","bgp peer state change"),
- dup23,
- ]));
-
- var msg133 = msg("bgp_event", part160);
-
- var part161 =
match("MESSAGE#129:bgp_listen_accept", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Connection attempt from unconfigured neighbor: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Connection attempt from unconfigured neighbor"), - dup23, - ])); - - var msg134 = msg("bgp_listen_accept", part161); - - var part162 = match("MESSAGE#130:bgp_listen_reset", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}", processor_chain([ - dup21, - dup22, - setc("event_description","bgp reset"), - dup23, - ])); - - var msg135 = msg("bgp_listen_reset", part162); - - var part163 = match("MESSAGE#131:bgp_nexthop_sanity", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: peer %{daddr->} (%{dhost}) next hop %{saddr->} local, %{result}", processor_chain([ - dup21, - dup22, - setc("event_description","peer next hop local"), - dup23, - ])); - - var msg136 = msg("bgp_nexthop_sanity", part163); - - var part164 = match("MESSAGE#132:bgp_process_caps", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: NOTIFICATION sent to %{daddr->} (%{dhost}): code %{severity->} (%{action}) subcode %{version->} (%{result}) value %{disposition}", processor_chain([ - dup30, - dup22, - setc("event_description","code RED error NOTIFICATION sent"), - dup23, - ])); - - var msg137 = msg("bgp_process_caps", part164); - - var part165 = match("MESSAGE#133:bgp_process_caps:01", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: mismatch NLRI with %{hostip->} (%{hostname}): peer: %{daddr->} us: %{saddr}", processor_chain([ - dup30, - dup22, - dup57, - dup23, - ])); - - var msg138 = msg("bgp_process_caps:01", part165); - - var select32 = linear_select([ - msg137, - msg138, - ]); - - var part166 = match("MESSAGE#134:bgp_pp_recv", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: dropping %{daddr->} (%{dhost}), %{info->} (%{protocol})", processor_chain([ - dup30, - dup22, - setc("event_description","connection 
collision"), - setc("result","dropping connection to peer"), - dup23, - ])); - - var msg139 = msg("bgp_pp_recv", part166); - - var part167 = match("MESSAGE#135:bgp_pp_recv:01", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: peer %{daddr->} (%{dhost}): received unexpected EOF", processor_chain([ - dup30, - dup22, - setc("event_description","peer received unexpected EOF"), - dup23, - ])); - - var msg140 = msg("bgp_pp_recv:01", part167); - - var select33 = linear_select([ - msg139, - msg140, - ]); - - var part168 = match("MESSAGE#136:bgp_send", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: sending %{sbytes->} bytes to %{daddr->} (%{dhost}) blocked (%{disposition}): %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","bgp send blocked error"), - dup23, - ])); - - var msg141 = msg("bgp_send", part168); - - var part169 = match("MESSAGE#137:bgp_traffic_timeout", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: NOTIFICATION sent to %{daddr->} (%{dhost}): code %{resultcode->} (%{action}), Reason: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","bgp timeout NOTIFICATION sent"), - dup23, - ])); - - var msg142 = msg("bgp_traffic_timeout", part169); - - var part170 = match("MESSAGE#138:BOOTPD_ARG_ERR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Ignoring unknown option %{resultcode}", processor_chain([ - dup30, - dup22, - setc("event_description","boot argument error"), - dup23, - ])); - - var msg143 = msg("BOOTPD_ARG_ERR", part170); - - var part171 = match("MESSAGE#139:BOOTPD_BAD_ID", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unexpected ID %{resultcode}", processor_chain([ - dup30, - dup22, - setc("event_description","boot unexpected Id value"), - dup23, - ])); - - var msg144 = msg("BOOTPD_BAD_ID", part171); - - var part172 = match("MESSAGE#140:BOOTPD_BOOTSTRING", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Boot string: 
%(unknown)", processor_chain([ - dup21, - dup22, - setc("event_description","Invalid boot string"), - dup23, - ])); - - var msg145 = msg("BOOTPD_BOOTSTRING", part172); - - var part173 = match("MESSAGE#141:BOOTPD_CONFIG_ERR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Problems with configuration file '%(unknown)', %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","configuration file error"), - dup23, - ])); - - var msg146 = msg("BOOTPD_CONFIG_ERR", part173); - - var part174 = match("MESSAGE#142:BOOTPD_CONF_OPEN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to open configuration file '%(unknown)'", processor_chain([ - dup30, - dup22, - setc("event_description","Unable to open configuration file"), - dup23, - ])); - - var msg147 = msg("BOOTPD_CONF_OPEN", part174); - - var part175 = match("MESSAGE#143:BOOTPD_DUP_REV", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Duplicate revision: %{version}", processor_chain([ - dup30, - dup22, - setc("event_description","boot - Duplicate revision"), - dup23, - ])); - - var msg148 = msg("BOOTPD_DUP_REV", part175); - - var part176 = match("MESSAGE#144:BOOTPD_DUP_SLOT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Duplicate slot default: %{ssid}", processor_chain([ - dup30, - dup22, - setc("event_description","boot - duplicate slot"), - dup23, - ])); - - var msg149 = msg("BOOTPD_DUP_SLOT", part176); - - var part177 = match("MESSAGE#145:BOOTPD_MODEL_CHK", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unexpected ID %{id->} for model %{dclass_counter1}", processor_chain([ - dup30, - dup22, - setc("event_description","Unexpected ID for model"), - dup23, - ])); - - var msg150 = msg("BOOTPD_MODEL_CHK", part177); - - var part178 = match("MESSAGE#146:BOOTPD_MODEL_ERR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unsupported model %{dclass_counter1}, %{result}", processor_chain([ - dup30, - dup22, - 
setc("event_description","Unsupported model"), - dup23, - ])); - - var msg151 = msg("BOOTPD_MODEL_ERR", part178); - - var part179 = match("MESSAGE#147:BOOTPD_NEW_CONF", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: New configuration installed", processor_chain([ - dup21, - dup22, - setc("event_description","New configuration installed"), - dup23, - ])); - - var msg152 = msg("BOOTPD_NEW_CONF", part179); - - var part180 = match("MESSAGE#148:BOOTPD_NO_BOOTSTRING", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: No boot string found for type %(unknown)", processor_chain([ - dup30, - dup22, - setc("event_description","No boot string found"), - dup23, - ])); - - var msg153 = msg("BOOTPD_NO_BOOTSTRING", part180); - - var part181 = match("MESSAGE#149:BOOTPD_NO_CONFIG", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: No configuration file '%(unknown)', %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","No configuration file found"), - dup23, - ])); - - var msg154 = msg("BOOTPD_NO_CONFIG", part181); - - var part182 = match("MESSAGE#150:BOOTPD_PARSE_ERR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %(unknown): number parse errors on SIGHUP", processor_chain([ - dup30, - dup22, - setc("event_description","parse errors on SIGHUP"), - dup23, - ])); - - var msg155 = msg("BOOTPD_PARSE_ERR", part182); - - var part183 = match("MESSAGE#151:BOOTPD_REPARSE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Reparsing configuration file '%(unknown)'", processor_chain([ - dup21, - dup22, - setc("event_description","Reparsing configuration file"), - dup23, - ])); - - var msg156 = msg("BOOTPD_REPARSE", part183); - - var part184 = match("MESSAGE#152:BOOTPD_SELECT_ERR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: select: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","select error"), - dup23, - ])); - - var msg157 = 
msg("BOOTPD_SELECT_ERR", part184); - - var part185 = match("MESSAGE#153:BOOTPD_TIMEOUT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Timeout %{result->} unreasonable", processor_chain([ - dup30, - dup22, - setc("event_description","timeout unreasonable"), - dup23, - ])); - - var msg158 = msg("BOOTPD_TIMEOUT", part185); - - var part186 = match("MESSAGE#154:BOOTPD_VERSION", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Version: %{version->} built by builder on %{event_time_string}", processor_chain([ - dup21, - dup22, - setc("event_description","boot version built"), - dup23, - ])); - - var msg159 = msg("BOOTPD_VERSION", part186); - - var part187 = match("MESSAGE#155:CHASSISD", "nwparser.payload", "%{process}[%{process_id}]: %{event_type->} %{version->} built by builder on %{event_time_string}", processor_chain([ - dup58, - dup22, - setc("event_description","CHASSISD release built"), - dup23, - ])); - - var msg160 = msg("CHASSISD", part187); - - var part188 = match("MESSAGE#156:CHASSISD_ARGUMENT_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unknown option %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","CHASSISD Unknown option"), - dup23, - ])); - - var msg161 = msg("CHASSISD_ARGUMENT_ERROR", part188); - - var part189 = match("MESSAGE#157:CHASSISD_BLOWERS_SPEED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Fans and impellers are now running at normal speed", processor_chain([ - dup21, - dup22, - setc("event_description","Fans and impellers are now running at normal speed"), - dup23, - ])); - - var msg162 = msg("CHASSISD_BLOWERS_SPEED", part189); - - var part190 = match("MESSAGE#158:CHASSISD_BLOWERS_SPEED_FULL", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Fans and impellers being set to full speed [%{result}]", processor_chain([ - dup21, - dup22, - setc("event_description","Fans and impellers being set to full speed"), - dup23, - ])); - - var 
msg163 = msg("CHASSISD_BLOWERS_SPEED_FULL", part190); - - var part191 = match("MESSAGE#159:CHASSISD_CB_READ", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{result->} reading midplane ID EEPROM, %{dclass_counter1->} %{dclass_counter2}", processor_chain([ - dup21, - dup22, - setc("event_description","reading midplane ID EEPROM"), - dup23, - ])); - - var msg164 = msg("CHASSISD_CB_READ", part191); - - var part192 = match("MESSAGE#160:CHASSISD_COMMAND_ACK_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{device->} online ack code %{dclass_counter1->} - - %{result}, %{interface}", processor_chain([ - dup30, - dup22, - setc("event_description","CHASSISD COMMAND ACK ERROR"), - dup23, - ])); - - var msg165 = msg("CHASSISD_COMMAND_ACK_ERROR", part192); - - var part193 = match("MESSAGE#161:CHASSISD_COMMAND_ACK_SF_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{disposition->} - %{result}, code %{resultcode}, SFM %{dclass_counter1}, FPC %{dclass_counter2}", processor_chain([ - dup30, - dup22, - setc("event_description","CHASSISD COMMAND ACK SF ERROR"), - dup23, - ])); - - var msg166 = msg("CHASSISD_COMMAND_ACK_SF_ERROR", part193); - - var part194 = match("MESSAGE#162:CHASSISD_CONCAT_MODE_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Cannot set no-concatenated mode for FPC %{dclass_counter2->} PIC %{dclass_counter1}", processor_chain([ - dup30, - dup22, - setc("event_description","Cannot set no-concatenated mode for FPC"), - dup23, - ])); - - var msg167 = msg("CHASSISD_CONCAT_MODE_ERROR", part194); - - var part195 = match("MESSAGE#163:CHASSISD_CONFIG_INIT_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Problems with configuration file %(unknown); %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","CONFIG File Problem"), - dup23, - ])); - - var msg168 = msg("CHASSISD_CONFIG_INIT_ERROR", part195); - - var part196 = 
match("MESSAGE#164:CHASSISD_CONFIG_WARNING", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %(unknown): %{result}, FPC %{dclass_counter2->} %{resultcode}", processor_chain([ - dup30, - dup22, - setc("event_description","CHASSISD CONFIG WARNING"), - dup23, - ])); - - var msg169 = msg("CHASSISD_CONFIG_WARNING", part196); - - var part197 = match("MESSAGE#165:CHASSISD_EXISTS", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: chassisd already running; %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","chassisd already running"), - dup23, - ])); - - var msg170 = msg("CHASSISD_EXISTS", part197); - - var part198 = match("MESSAGE#166:CHASSISD_EXISTS_TERM_OTHER", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Killing existing chassisd and exiting", processor_chain([ - dup21, - dup22, - setc("event_description","Killing existing chassisd and exiting"), - dup23, - ])); - - var msg171 = msg("CHASSISD_EXISTS_TERM_OTHER", part198); - - var part199 = match("MESSAGE#167:CHASSISD_FILE_OPEN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: File open: %(unknown), error: %{resultcode->} - - %{dclass_counter1}", processor_chain([ - dup30, - dup22, - setc("event_description","file open error"), - dup23, - ])); - - var msg172 = msg("CHASSISD_FILE_OPEN", part199); - - var part200 = match("MESSAGE#168:CHASSISD_FILE_STAT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: File stat: %(unknown), error: %{resultcode->} - - %{dclass_counter1}", processor_chain([ - dup30, - dup22, - setc("event_description","CHASSISD file statistics error"), - dup23, - ])); - - var msg173 = msg("CHASSISD_FILE_STAT", part200); - - var part201 = match("MESSAGE#169:CHASSISD_FRU_EVENT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","CHASSISD received restart EVENT"), - dup23, - ])); - - var msg174 = 
msg("CHASSISD_FRU_EVENT", part201); - - var part202 = match("MESSAGE#170:CHASSISD_FRU_IPC_WRITE_ERROR_EXT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action->} FRU %(unknown)#%{resultcode}, %{result->} %{dclass_counter1}, %{dclass_counter2}", processor_chain([ - dup30, - dup22, - setc("event_description","CHASSISD restart WRITE_ERROR"), - dup23, - ])); - - var msg175 = msg("CHASSISD_FRU_IPC_WRITE_ERROR_EXT", part202); - - var part203 = match("MESSAGE#171:CHASSISD_FRU_STEP_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{filename->} %{resultcode->} at step %{dclass_counter1}", processor_chain([ - dup30, - dup22, - setc("event_description","CHASSISD FRU STEP ERROR"), - dup23, - ])); - - var msg176 = msg("CHASSISD_FRU_STEP_ERROR", part203); - - var part204 = match("MESSAGE#172:CHASSISD_GETTIMEOFDAY", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unexpected error from gettimeofday: %{resultcode->} - %{dclass_counter1}", processor_chain([ - dup30, - dup22, - setc("event_description","Unexpected error from gettimeofday"), - dup23, - ])); - - var msg177 = msg("CHASSISD_GETTIMEOFDAY", part204); - - var part205 = match("MESSAGE#173:CHASSISD_HOST_TEMP_READ", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{result->} reading host temperature sensor", processor_chain([ - dup21, - dup22, - setc("event_description","reading host temperature sensor"), - dup23, - ])); - - var msg178 = msg("CHASSISD_HOST_TEMP_READ", part205); - - var part206 = match("MESSAGE#174:CHASSISD_IFDEV_DETACH_ALL_PSEUDO", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}(%{disposition})", processor_chain([ - dup21, - dup22, - setc("event_description","detaching all pseudo devices"), - dup23, - ])); - - var msg179 = msg("CHASSISD_IFDEV_DETACH_ALL_PSEUDO", part206); - - var part207 = match("MESSAGE#175:CHASSISD_IFDEV_DETACH_FPC", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: 
%{service}(%{resultcode})", processor_chain([ - dup21, - dup22, - setc("event_description","CHASSISD IFDEV DETACH FPC"), - dup23, - ])); - - var msg180 = msg("CHASSISD_IFDEV_DETACH_FPC", part207); - - var part208 = match("MESSAGE#176:CHASSISD_IFDEV_DETACH_PIC", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}(%{resultcode})", processor_chain([ - dup21, - dup22, - setc("event_description","CHASSISD IFDEV DETACH PIC"), - dup23, - ])); - - var msg181 = msg("CHASSISD_IFDEV_DETACH_PIC", part208); - - var part209 = match("MESSAGE#177:CHASSISD_IFDEV_DETACH_PSEUDO", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}(%{disposition})", processor_chain([ - dup21, - dup22, - setc("event_description","CHASSISD IFDEV DETACH PSEUDO"), - dup23, - ])); - - var msg182 = msg("CHASSISD_IFDEV_DETACH_PSEUDO", part209); - - var part210 = match("MESSAGE#178:CHASSISD_IFDEV_DETACH_TLV_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","CHASSISD IFDEV DETACH TLV ERROR"), - dup23, - ])); - - var msg183 = msg("CHASSISD_IFDEV_DETACH_TLV_ERROR", part210); - - var part211 = match("MESSAGE#179:CHASSISD_IFDEV_GET_BY_INDEX_FAIL", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: rtslib_ifdm_get_by_index failed: %{resultcode->} - %{dclass_counter1}", processor_chain([ - dup30, - dup22, - setc("event_description","rtslib_ifdm_get_by_index failed"), - dup23, - ])); - - var msg184 = msg("CHASSISD_IFDEV_GET_BY_INDEX_FAIL", part211); - - var part212 = match("MESSAGE#180:CHASSISD_IPC_MSG_QFULL_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{result}: type = %{dclass_counter1}, subtype = %{dclass_counter2}", processor_chain([ - dup30, - dup22, - setc("event_description","Message Queue full"), - dup23, - ])); - - var msg185 = msg("CHASSISD_IPC_MSG_QFULL_ERROR", part212); - - var part213 = 
match("MESSAGE#181:CHASSISD_IPC_UNEXPECTED_RECV", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Received unexpected message from %{service}: type = %{dclass_counter1}, subtype = %{dclass_counter2}", processor_chain([ - dup30, - dup22, - setc("event_description","Received unexpected message"), - dup23, - ])); - - var msg186 = msg("CHASSISD_IPC_UNEXPECTED_RECV", part213); - - var part214 = match("MESSAGE#182:CHASSISD_IPC_WRITE_ERR_NO_PIPE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: FRU has no connection pipe %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","FRU has no connection pipe"), - dup23, - ])); - - var msg187 = msg("CHASSISD_IPC_WRITE_ERR_NO_PIPE", part214); - - var part215 = match("MESSAGE#183:CHASSISD_IPC_WRITE_ERR_NULL_ARGS", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: FRU has no connection arguments %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","FRU has no connection arguments"), - dup23, - ])); - - var msg188 = msg("CHASSISD_IPC_WRITE_ERR_NULL_ARGS", part215); - - var part216 = match("MESSAGE#184:CHASSISD_MAC_ADDRESS_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: chassisd MAC address allocation error", processor_chain([ - dup30, - dup22, - setc("event_description","chassisd MAC address allocation error"), - dup23, - ])); - - var msg189 = msg("CHASSISD_MAC_ADDRESS_ERROR", part216); - - var part217 = match("MESSAGE#185:CHASSISD_MAC_DEFAULT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Using default MAC address base", processor_chain([ - dup21, - dup22, - setc("event_description","Using default MAC address base"), - dup23, - ])); - - var msg190 = msg("CHASSISD_MAC_DEFAULT", part217); - - var part218 = match("MESSAGE#186:CHASSISD_MBUS_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service->} %{resultcode}: management bus failed sanity test", processor_chain([ - dup30, - dup22, - 
setc("event_description","management bus failed sanity test"), - dup23, - ])); - - var msg191 = msg("CHASSISD_MBUS_ERROR", part218); - - var part219 = match("MESSAGE#187:CHASSISD_PARSE_COMPLETE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Using new configuration", processor_chain([ - dup21, - dup22, - setc("event_description","Using new configuration"), - dup23, - ])); - - var msg192 = msg("CHASSISD_PARSE_COMPLETE", part219); - - var part220 = match("MESSAGE#188:CHASSISD_PARSE_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: %{resultcode->} %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","CHASSISD PARSE ERROR"), - dup23, - ])); - - var msg193 = msg("CHASSISD_PARSE_ERROR", part220); - - var part221 = match("MESSAGE#189:CHASSISD_PARSE_INIT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Parsing configuration file '%(unknown)'", processor_chain([ - dup21, - dup22, - setc("event_description","Parsing configuration file"), - dup23, - ])); - - var msg194 = msg("CHASSISD_PARSE_INIT", part221); - - var part222 = match("MESSAGE#190:CHASSISD_PIDFILE_OPEN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to open PID file '%(unknown)': %{result->} %{resultcode}", processor_chain([ - dup30, - dup22, - setc("event_description","Unable to open PID file"), - dup23, - ])); - - var msg195 = msg("CHASSISD_PIDFILE_OPEN", part222); - - var part223 = match("MESSAGE#191:CHASSISD_PIPE_WRITE_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Pipe error: %{resultcode}", processor_chain([ - dup30, - dup22, - setc("event_description","Pipe error"), - dup23, - ])); - - var msg196 = msg("CHASSISD_PIPE_WRITE_ERROR", part223); - - var part224 = match("MESSAGE#192:CHASSISD_POWER_CHECK", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{device->} %{dclass_counter1->} not powering up", processor_chain([ - dup59, - dup22, - 
setc("event_description","device not powering up"), - dup23, - ])); - - var msg197 = msg("CHASSISD_POWER_CHECK", part224); - - var part225 = match("MESSAGE#193:CHASSISD_RECONNECT_SUCCESSFUL", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Successfully reconnected on soft restart", processor_chain([ - dup21, - dup22, - setc("event_description","Successful reconnect on soft restart"), - dup23, - ])); - - var msg198 = msg("CHASSISD_RECONNECT_SUCCESSFUL", part225); - - var part226 = match("MESSAGE#194:CHASSISD_RELEASE_MASTERSHIP", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Release mastership notification", processor_chain([ - dup21, - dup22, - setc("event_description","Release mastership notification"), - dup23, - ])); - - var msg199 = msg("CHASSISD_RELEASE_MASTERSHIP", part226); - - var part227 = match("MESSAGE#195:CHASSISD_RE_INIT_INVALID_RE_SLOT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: re_init: re %{resultcode}, %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","re_init Invalid RE slot"), - dup23, - ])); - - var msg200 = msg("CHASSISD_RE_INIT_INVALID_RE_SLOT", part227); - - var part228 = match("MESSAGE#196:CHASSISD_ROOT_MOUNT_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to determine the mount point for root directory: %{resultcode}", processor_chain([ - dup30, - dup22, - setc("event_description","Unable to determine mount point for root directory"), - dup23, - ])); - - var msg201 = msg("CHASSISD_ROOT_MOUNT_ERROR", part228); - - var part229 = match("MESSAGE#197:CHASSISD_RTS_SEQ_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: ifmsg sequence gap %{resultcode->} - - %{dclass_counter1}", processor_chain([ - dup30, - dup22, - setc("event_description","ifmsg sequence gap"), - dup23, - ])); - - var msg202 = msg("CHASSISD_RTS_SEQ_ERROR", part229); - - var part230 = match("MESSAGE#198:CHASSISD_SBOARD_VERSION_MISMATCH", 
"nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Version mismatch: %{info}", processor_chain([ - setc("eventcategory","1603040000"), - dup22, - setc("event_description","Version mismatch"), - dup23, - ])); - - var msg203 = msg("CHASSISD_SBOARD_VERSION_MISMATCH", part230); - - var part231 = match("MESSAGE#199:CHASSISD_SERIAL_ID", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Serial ID read error: %{resultcode->} - - %{dclass_counter1}", processor_chain([ - dup30, - dup22, - setc("event_description","Serial ID read error"), - dup23, - ])); - - var msg204 = msg("CHASSISD_SERIAL_ID", part231); - - var part232 = match("MESSAGE#200:CHASSISD_SMB_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}: fpga download not complete: val %{resultcode}, %{dclass_counter1}", processor_chain([ - dup30, - dup22, - setc("event_description","fpga download not complete"), - dup23, - ])); - - var msg205 = msg("CHASSISD_SMB_ERROR", part232); - - var part233 = match("MESSAGE#201:CHASSISD_SNMP_TRAP6", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: SNMP trap generated: %{result->} (%{info})", processor_chain([ - dup58, - dup22, - setc("event_description","SNMP Trap6 generated"), - dup23, - ])); - - var msg206 = msg("CHASSISD_SNMP_TRAP6", part233); - - var part234 = match("MESSAGE#202:CHASSISD_SNMP_TRAP7", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: SNMP trap: %{result}: %{info}", processor_chain([ - dup30, - dup22, - setc("event_description","SNMP Trap7 generated"), - dup23, - ])); - - var msg207 = msg("CHASSISD_SNMP_TRAP7", part234); - - var part235 = match("MESSAGE#203:CHASSISD_SNMP_TRAP10", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: SNMP trap: %{result}: %{info}", processor_chain([ - dup21, - dup22, - setc("event_description","SNMP trap - FRU power on"), - dup23, - ])); - - var msg208 = msg("CHASSISD_SNMP_TRAP10", part235); - - var part236 = 
match("MESSAGE#204:CHASSISD_TERM_SIGNAL", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Received SIGTERM request, %{result}", processor_chain([ - dup60, - dup22, - setc("event_description","Received SIGTERM request"), - dup23, - ])); - - var msg209 = msg("CHASSISD_TERM_SIGNAL", part236); - - var part237 = match("MESSAGE#205:CHASSISD_TRACE_PIC_OFFLINE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Taking PIC offline - - FPC slot %{dclass_counter1}, PIC slot %{dclass_counter2}", processor_chain([ - dup21, - dup22, - setc("event_description","Taking PIC offline"), - dup23, - ])); - - var msg210 = msg("CHASSISD_TRACE_PIC_OFFLINE", part237); - - var part238 = match("MESSAGE#206:CHASSISD_UNEXPECTED_EXIT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service->} returned %{resultcode}: %{dclass_counter1}", processor_chain([ - dup30, - dup22, - setc("event_description","UNEXPECTED EXIT"), - dup23, - ])); - - var msg211 = msg("CHASSISD_UNEXPECTED_EXIT", part238); - - var part239 = match("MESSAGE#207:CHASSISD_UNSUPPORTED_MODEL", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Model %{dclass_counter1->} unsupported with this version of chassisd", processor_chain([ - dup59, - dup22, - setc("event_description","Model number unsupported with this version of chassisd"), - dup23, - ])); - - var msg212 = msg("CHASSISD_UNSUPPORTED_MODEL", part239); - - var part240 = match("MESSAGE#208:CHASSISD_VERSION_MISMATCH", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Version mismatch: %{info}", processor_chain([ - dup59, - dup22, - setc("event_description","Chassisd Version mismatch"), - dup23, - ])); - - var msg213 = msg("CHASSISD_VERSION_MISMATCH", part240); - - var part241 = match("MESSAGE#209:CHASSISD_HIGH_TEMP_CONDITION", "nwparser.payload", "%{process->} %{process_id->} %{event_type->} [junos@%{obj_name->} temperature=\"%{fld2}\" message=\"%{info}\"]", processor_chain([ - dup59, - dup22, - 
setc("event_description","CHASSISD HIGH TEMP CONDITION"), - dup61, - dup62, - ])); - - var msg214 = msg("CHASSISD_HIGH_TEMP_CONDITION", part241); - - var part242 = match("MESSAGE#210:clean_process", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: process %{agent->} RESTART mode %{event_state->} new master=%{obj_name->} old failover=%{change_old->} new failover = %{change_new}", processor_chain([ - dup21, - dup22, - setc("event_description","process RESTART mode"), - dup23, - ])); - - var msg215 = msg("clean_process", part242); - - var part243 = match("MESSAGE#211:CM_JAVA", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Chassis %{group->} Linklocal MAC:%{macaddr}", processor_chain([ - dup21, - dup22, - setc("event_description","Chassis Linklocal to MAC"), - dup23, - ])); - - var msg216 = msg("CM_JAVA", part243); - - var part244 = match("MESSAGE#212:DCD_AS_ROOT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Must be run as root", processor_chain([ - dup63, - dup22, - setc("event_description","DCD must be run as root"), - dup23, - ])); - - var msg217 = msg("DCD_AS_ROOT", part244); - - var part245 = match("MESSAGE#213:DCD_FILTER_LIB_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Filter library initialization failed", processor_chain([ - dup30, - dup22, - setc("event_description","Filter library initialization failed"), - dup23, - ])); - - var msg218 = msg("DCD_FILTER_LIB_ERROR", part245); - - var msg219 = msg("DCD_MALLOC_FAILED_INIT", dup139); - - var part246 = match("MESSAGE#215:DCD_PARSE_EMERGENCY", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: errors while parsing configuration file", processor_chain([ - dup30, - dup22, - setc("event_description","errors while parsing configuration file"), - dup23, - ])); - - var msg220 = msg("DCD_PARSE_EMERGENCY", part246); - - var part247 = match("MESSAGE#216:DCD_PARSE_FILTER_EMERGENCY", "nwparser.payload", 
"%{process}[%{process_id}]: %{event_type}: %{service}: errors while parsing filter index file", processor_chain([ - dup30, - dup22, - setc("event_description","errors while parsing filter index file"), - dup23, - ])); - - var msg221 = msg("DCD_PARSE_FILTER_EMERGENCY", part247); - - var part248 = match("MESSAGE#217:DCD_PARSE_MINI_EMERGENCY", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: errors while parsing configuration overlay", processor_chain([ - dup30, - dup22, - setc("event_description","errors while parsing configuration overlay"), - dup23, - ])); - - var msg222 = msg("DCD_PARSE_MINI_EMERGENCY", part248); - - var part249 = match("MESSAGE#218:DCD_PARSE_STATE_EMERGENCY", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: An unhandled state was encountered during interface parsing", processor_chain([ - dup30, - dup22, - setc("event_description","unhandled state was encountered during interface parsing"), - dup23, - ])); - - var msg223 = msg("DCD_PARSE_STATE_EMERGENCY", part249); - - var part250 = match("MESSAGE#219:DCD_POLICER_PARSE_EMERGENCY", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: errors while parsing policer indexfile", processor_chain([ - dup30, - dup22, - setc("event_description","errors while parsing policer indexfile"), - dup23, - ])); - - var msg224 = msg("DCD_POLICER_PARSE_EMERGENCY", part250); - - var part251 = match("MESSAGE#220:DCD_PULL_LOG_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Failed to pull file %{filename->} after %{dclass_counter1->} retries last error=%{resultcode}", processor_chain([ - dup30, - dup22, - setc("event_description","Failed to pull file"), - dup23, - ])); - - var msg225 = msg("DCD_PULL_LOG_FAILURE", part251); - - var part252 = match("MESSAGE#221:DFWD_ARGUMENT_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","DFWD ARGUMENT 
ERROR"), - dup23, - ])); - - var msg226 = msg("DFWD_ARGUMENT_ERROR", part252); - - var msg227 = msg("DFWD_MALLOC_FAILED_INIT", dup139); - - var part253 = match("MESSAGE#223:DFWD_PARSE_FILTER_EMERGENCY", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service->} encountered errors while parsing filter index file", processor_chain([ - dup30, - dup22, - setc("event_description","errors encountered while parsing filter index file"), - dup23, - ])); - - var msg228 = msg("DFWD_PARSE_FILTER_EMERGENCY", part253); - - var part254 = match("MESSAGE#224:DFWD_PARSE_STATE_EMERGENCY", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service->} encountered unhandled state while parsing interface", processor_chain([ - dup30, - dup22, - setc("event_description","encountered unhandled state while parsing interface"), - dup23, - ])); - - var msg229 = msg("DFWD_PARSE_STATE_EMERGENCY", part254); - - var msg230 = msg("ECCD_DAEMONIZE_FAILED", dup140); - - var msg231 = msg("ECCD_DUPLICATE", dup141); - - var part255 = match("MESSAGE#227:ECCD_LOOP_EXIT_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: MainLoop return value: %{disposition}, error: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","ECCD LOOP EXIT FAILURE"), - dup23, - ])); - - var msg232 = msg("ECCD_LOOP_EXIT_FAILURE", part255); - - var part256 = match("MESSAGE#228:ECCD_NOT_ROOT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Must be run as root", processor_chain([ - dup63, - dup22, - setc("event_description","ECCD Must be run as root"), - dup23, - ])); - - var msg233 = msg("ECCD_NOT_ROOT", part256); - - var part257 = match("MESSAGE#229:ECCD_PCI_FILE_OPEN_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: open() failed: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","ECCD PCI FILE OPEN FAILED"), - dup23, - ])); - - var msg234 = msg("ECCD_PCI_FILE_OPEN_FAILED", part257); - - var 
part258 = match("MESSAGE#230:ECCD_PCI_READ_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","PCI read failure"), - dup23, - ])); - - var msg235 = msg("ECCD_PCI_READ_FAILED", part258); - - var part259 = match("MESSAGE#231:ECCD_PCI_WRITE_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","PCI write failure"), - dup23, - ])); - - var msg236 = msg("ECCD_PCI_WRITE_FAILED", part259); - - var msg237 = msg("ECCD_PID_FILE_LOCK", dup142); - - var msg238 = msg("ECCD_PID_FILE_UPDATE", dup143); - - var part260 = match("MESSAGE#234:ECCD_TRACE_FILE_OPEN_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","ECCD TRACE FILE OPEN FAILURE"), - dup23, - ])); - - var msg239 = msg("ECCD_TRACE_FILE_OPEN_FAILED", part260); - - var part261 = match("MESSAGE#235:ECCD_usage", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{result}: %{info}", processor_chain([ - dup21, - dup22, - setc("event_description","ECCD Usage"), - dup23, - ])); - - var msg240 = msg("ECCD_usage", part261); - - var part262 = match("MESSAGE#236:EVENTD_AUDIT_SHOW", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User %{username->} viewed security audit log with arguments: %{param}", processor_chain([ - dup21, - dup22, - setc("event_description","User viewed security audit log with arguments"), - dup23, - ])); - - var msg241 = msg("EVENTD_AUDIT_SHOW", part262); - - var part263 = match("MESSAGE#237:FLOW_REASSEMBLE_SUCCEED", "nwparser.payload", "%{event_type}: Packet merged source %{saddr->} destination %{daddr->} ipid %{fld11->} succeed", processor_chain([ - dup21, - dup22, - dup23, - ])); - - var msg242 = msg("FLOW_REASSEMBLE_SUCCEED", part263); - - var part264 = 
match("MESSAGE#238:FSAD_CHANGE_FILE_OWNER", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to change owner of file `%(unknown)' to user %{username}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Unable to change owner of file"), - dup23, - ])); - - var msg243 = msg("FSAD_CHANGE_FILE_OWNER", part264); - - var part265 = match("MESSAGE#239:FSAD_CONFIG_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","FSAD CONFIG ERROR"), - dup23, - ])); - - var msg244 = msg("FSAD_CONFIG_ERROR", part265); - - var part266 = match("MESSAGE#240:FSAD_CONNTIMEDOUT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Connection timed out to the client (%{shost}, %{saddr}) having request type %{obj_type}", processor_chain([ - dup30, - dup22, - setc("event_description","Connection timed out to client"), - dup23, - ])); - - var msg245 = msg("FSAD_CONNTIMEDOUT", part266); - - var part267 = match("MESSAGE#241:FSAD_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: %{action}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","FSAD_FAILED"), - dup23, - ])); - - var msg246 = msg("FSAD_FAILED", part267); - - var part268 = match("MESSAGE#242:FSAD_FETCHTIMEDOUT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Fetch to server %{hostname->} for file `%(unknown)' timed out", processor_chain([ - dup30, - dup22, - setc("event_description","Fetch to server to get file timed out"), - dup23, - ])); - - var msg247 = msg("FSAD_FETCHTIMEDOUT", part268); - - var part269 = match("MESSAGE#243:FSAD_FILE_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: fn failed for file `%(unknown)' with error message %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","fn failed for file"), - dup23, - ])); - - var msg248 = 
msg("FSAD_FILE_FAILED", part269); - - var part270 = match("MESSAGE#244:FSAD_FILE_REMOVE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to remove file `%(unknown)': %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Unable to remove file"), - dup23, - ])); - - var msg249 = msg("FSAD_FILE_REMOVE", part270); - - var part271 = match("MESSAGE#245:FSAD_FILE_RENAME", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to rename file `%(unknown)' to `%{resultcode}': %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Unable to rename file"), - dup23, - ])); - - var msg250 = msg("FSAD_FILE_RENAME", part271); - - var part272 = match("MESSAGE#246:FSAD_FILE_STAT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service->} failed for file pathname %(unknown): %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","stat failed for file"), - dup23, - ])); - - var msg251 = msg("FSAD_FILE_STAT", part272); - - var part273 = match("MESSAGE#247:FSAD_FILE_SYNC", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to sync file %(unknown)': %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Unable to sync file"), - dup23, - ])); - - var msg252 = msg("FSAD_FILE_SYNC", part273); - - var part274 = match("MESSAGE#248:FSAD_MAXCONN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Upper limit reached in fsad for handling connections", processor_chain([ - dup30, - dup22, - setc("event_description","Upper limit reached in fsad"), - dup23, - ])); - - var msg253 = msg("FSAD_MAXCONN", part274); - - var part275 = match("MESSAGE#249:FSAD_MEMORYALLOC_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service->} failed in the function %{action->} (%{resultcode})", processor_chain([ - dup51, - dup22, - setc("event_description","FSAD MEMORYALLOC FAILED"), - dup23, - ])); - - var msg254 = 
msg("FSAD_MEMORYALLOC_FAILED", part275); - - var part276 = match("MESSAGE#250:FSAD_NOT_ROOT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Must be run as root", processor_chain([ - dup63, - dup22, - setc("event_description","FSAD must be run as root"), - dup23, - ])); - - var msg255 = msg("FSAD_NOT_ROOT", part276); - - var part277 = match("MESSAGE#251:FSAD_PARENT_DIRECTORY", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: invalid directory: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","invalid directory"), - dup23, - ])); - - var msg256 = msg("FSAD_PARENT_DIRECTORY", part277); - - var part278 = match("MESSAGE#252:FSAD_PATH_IS_DIRECTORY", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: File path cannot be a directory (%(unknown))", processor_chain([ - dup30, - dup22, - setc("event_description","File path cannot be a directory"), - dup23, - ])); - - var msg257 = msg("FSAD_PATH_IS_DIRECTORY", part278); - - var part279 = match("MESSAGE#253:FSAD_PATH_IS_SPECIAL", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Not a regular file (%(unknown))", processor_chain([ - dup30, - dup22, - setc("event_description","Not a regular file"), - dup23, - ])); - - var msg258 = msg("FSAD_PATH_IS_SPECIAL", part279); - - var part280 = match("MESSAGE#254:FSAD_RECVERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: fsad received error message from client having request type %{obj_type->} at (%{saddr}, %{sport})", processor_chain([ - dup30, - dup22, - setc("event_description","fsad received error message from client"), - dup23, - ])); - - var msg259 = msg("FSAD_RECVERROR", part280); - - var part281 = match("MESSAGE#255:FSAD_TERMINATED_CONNECTION", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Open file %(unknown)` closed due to %{result}", processor_chain([ - dup27, - dup22, - setc("event_description","FSAD TERMINATED CONNECTION"), - dup23, - ])); - - 
var msg260 = msg("FSAD_TERMINATED_CONNECTION", part281); - - var part282 = match("MESSAGE#256:FSAD_TERMINATING_SIGNAL", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Received terminating %{resultcode}; %{result}", processor_chain([ - dup21, - dup22, - setc("event_description","Received terminating signal"), - dup23, - ])); - - var msg261 = msg("FSAD_TERMINATING_SIGNAL", part282); - - var part283 = match("MESSAGE#257:FSAD_TRACEOPEN_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Open operation on trace file `%(unknown)' returned error %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Open operation on trace file failed"), - dup23, - ])); - - var msg262 = msg("FSAD_TRACEOPEN_FAILED", part283); - - var part284 = match("MESSAGE#258:FSAD_USAGE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Incorrect usage, %{info}", processor_chain([ - dup21, - dup22, - setc("event_description","Incorrect FSAD usage"), - dup23, - ])); - - var msg263 = msg("FSAD_USAGE", part284); - - var part285 = match("MESSAGE#259:GGSN_ALARM_TRAP_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: %{action}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","GGSN ALARM TRAP FAILED"), - dup23, - ])); - - var msg264 = msg("GGSN_ALARM_TRAP_FAILED", part285); - - var part286 = match("MESSAGE#260:GGSN_ALARM_TRAP_SEND", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: %{action}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","GGSN ALARM TRAP SEND FAILED"), - dup23, - ])); - - var msg265 = msg("GGSN_ALARM_TRAP_SEND", part286); - - var part287 = match("MESSAGE#261:GGSN_TRAP_SEND", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unknown trap request type %{obj_type}", processor_chain([ - dup30, - dup22, - setc("event_description","Unknown trap request type"), - dup23, - ])); - - var msg266 = 
msg("GGSN_TRAP_SEND", part287); - - var part288 = match("MESSAGE#262:JADE_AUTH_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Authorization failed: %{result}", processor_chain([ - dup69, - dup34, - setc("ec_subject","Service"), - dup43, - dup22, - setc("event_description","Authorization failed"), - dup23, - ])); - - var msg267 = msg("JADE_AUTH_ERROR", part288); - - var part289 = match("MESSAGE#263:JADE_EXEC_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: CLI %{resultcode->} %{action}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","JADE EXEC ERROR"), - dup23, - ])); - - var msg268 = msg("JADE_EXEC_ERROR", part289); - - var part290 = match("MESSAGE#264:JADE_NO_LOCAL_USER", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Local user %{username->} does not exist", processor_chain([ - dup30, - dup22, - setc("event_description","Local user does not exist"), - dup23, - ])); - - var msg269 = msg("JADE_NO_LOCAL_USER", part290); - - var part291 = match("MESSAGE#265:JADE_PAM_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","JADE PAM error"), - dup23, - ])); - - var msg270 = msg("JADE_PAM_ERROR", part291); - - var part292 = match("MESSAGE#266:JADE_PAM_NO_LOCAL_USER", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to get local username from PAM: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Unable to get local username from PAM"), - dup23, - ])); - - var msg271 = msg("JADE_PAM_NO_LOCAL_USER", part292); - - var part293 = match("MESSAGE#267:KERN_ARP_ADDR_CHANGE", "nwparser.payload", "%{process}: %{event_type}: arp info overwritten for %{saddr->} from %{smacaddr->} to %{dmacaddr}", processor_chain([ - dup30, - dup22, - setc("event_description","arp info overwritten"), - dup23, - ])); - - var msg272 = msg("KERN_ARP_ADDR_CHANGE", 
part293); - - var part294 = match("MESSAGE#268:KMD_PM_SA_ESTABLISHED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Local gateway: %{gateway}, Remote gateway: %{fld1}, Local ID:%{fld2}, Remote ID:%{fld3}, Direction:%{fld4}, SPI:%{fld5}", processor_chain([ - dup30, - dup22, - setc("event_description","security association has been established"), - dup23, - ])); - - var msg273 = msg("KMD_PM_SA_ESTABLISHED", part294); - - var part295 = match("MESSAGE#269:L2CPD_TASK_REINIT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Reinitialized", processor_chain([ - dup21, - dup22, - setc("event_description","Task Reinitialized"), - dup61, - dup23, - ])); - - var msg274 = msg("L2CPD_TASK_REINIT", part295); - - var part296 = match("MESSAGE#270:LIBJNX_EXEC_EXITED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Command stopped: PID %{child_pid}, signal='%{obj_type}' %{result}, command '%{action}'", processor_chain([ - dup21, - dup22, - dup70, - dup23, - ])); - - var msg275 = msg("LIBJNX_EXEC_EXITED", part296); - - var part297 = match("MESSAGE#271:LIBJNX_EXEC_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Child exec failed for command '%{action}': %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Child exec failed for command"), - dup23, - ])); - - var msg276 = msg("LIBJNX_EXEC_FAILED", part297); - - var msg277 = msg("LIBJNX_EXEC_PIPE", dup144); - - var part298 = match("MESSAGE#273:LIBJNX_EXEC_SIGNALED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Command received signal: PID %{child_pid}, signal %{result}, command '%{action}'", processor_chain([ - dup30, - dup22, - setc("event_description","Command received signal"), - dup23, - ])); - - var msg278 = msg("LIBJNX_EXEC_SIGNALED", part298); - - var part299 = match("MESSAGE#274:LIBJNX_EXEC_WEXIT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Command exited: PID %{child_pid}, status %{result}, command 
'%{action}'", processor_chain([ - dup21, - dup22, - dup72, - dup23, - ])); - - var msg279 = msg("LIBJNX_EXEC_WEXIT", part299); - - var part300 = match("MESSAGE#275:LIBJNX_FILE_COPY_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: copy_file_to_transfer_dir failed to copy from source to destination", processor_chain([ - dup73, - dup22, - setc("event_description","copy_file_to_transfer_dir failed to copy"), - dup23, - ])); - - var msg280 = msg("LIBJNX_FILE_COPY_FAILED", part300); - - var part301 = match("MESSAGE#276:LIBJNX_PRIV_LOWER_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to lower privilege level: %{result}", processor_chain([ - dup73, - dup22, - setc("event_description","Unable to lower privilege level"), - dup23, - ])); - - var msg281 = msg("LIBJNX_PRIV_LOWER_FAILED", part301); - - var part302 = match("MESSAGE#277:LIBJNX_PRIV_RAISE_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to raise privilege level: %{result}", processor_chain([ - dup73, - dup22, - setc("event_description","Unable to raise privilege level"), - dup23, - ])); - - var msg282 = msg("LIBJNX_PRIV_RAISE_FAILED", part302); - - var part303 = match("MESSAGE#278:LIBJNX_REPLICATE_RCP_EXEC_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}: %{result}", processor_chain([ - dup73, - dup22, - setc("event_description","rcp failed"), - dup23, - ])); - - var msg283 = msg("LIBJNX_REPLICATE_RCP_EXEC_FAILED", part303); - - var part304 = match("MESSAGE#279:LIBJNX_ROTATE_COMPRESS_EXEC_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{resultcode->} %{dclass_counter1->} -f %{action}: %{result}", processor_chain([ - dup73, - dup22, - setc("event_description","ROTATE COMPRESS EXEC FAILED"), - dup23, - ])); - - var msg284 = msg("LIBJNX_ROTATE_COMPRESS_EXEC_FAILED", part304); - - var part305 = match("MESSAGE#280:LIBSERVICED_CLIENT_CONNECTION", "nwparser.payload", 
"%{process}[%{process_id}]: %{event_type}: Client connection error: %{result}", processor_chain([ - dup74, - dup22, - setc("event_description","Client connection error"), - dup23, - ])); - - var msg285 = msg("LIBSERVICED_CLIENT_CONNECTION", part305); - - var part306 = match("MESSAGE#281:LIBSERVICED_OUTBOUND_REQUEST", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Outbound request failed for command [%{action}]: %{result}", processor_chain([ - dup73, - dup22, - setc("event_description","Outbound request failed for command"), - dup23, - ])); - - var msg286 = msg("LIBSERVICED_OUTBOUND_REQUEST", part306); - - var part307 = match("MESSAGE#282:LIBSERVICED_SNMP_LOST_CONNECTION", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Connection closed while receiving from client %{dclass_counter1}", processor_chain([ - dup27, - dup22, - setc("event_description","Connection closed while receiving from client"), - dup23, - ])); - - var msg287 = msg("LIBSERVICED_SNMP_LOST_CONNECTION", part307); - - var part308 = match("MESSAGE#283:LIBSERVICED_SOCKET_BIND", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{resultcode}: unable to bind socket %{ssid}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","unable to bind socket"), - dup23, - ])); - - var msg288 = msg("LIBSERVICED_SOCKET_BIND", part308); - - var part309 = match("MESSAGE#284:LIBSERVICED_SOCKET_PRIVATIZE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to attach socket %{ssid->} to management routing instance: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Unable to attach socket to management routing instance"), - dup23, - ])); - - var msg289 = msg("LIBSERVICED_SOCKET_PRIVATIZE", part309); - - var part310 = match("MESSAGE#285:LICENSE_EXPIRED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","LICENSE EXPIRED"), - 
dup23, - ])); - - var msg290 = msg("LICENSE_EXPIRED", part310); - - var part311 = match("MESSAGE#286:LICENSE_EXPIRED_KEY_DELETED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: License key \"%(unknown)\" has expired.", processor_chain([ - dup21, - dup22, - setc("event_description","License key has expired"), - dup23, - ])); - - var msg291 = msg("LICENSE_EXPIRED_KEY_DELETED", part311); - - var part312 = match("MESSAGE#287:LICENSE_NEARING_EXPIRY", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: License for feature %{disposition->} %{result}", processor_chain([ - dup21, - dup22, - setc("event_description","License key expiration soon"), - dup23, - ])); - - var msg292 = msg("LICENSE_NEARING_EXPIRY", part312); - - var part313 = match("MESSAGE#288:LOGIN_ABORTED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Client aborted login", processor_chain([ - dup30, - dup22, - setc("event_description","client aborted login"), - dup23, - ])); - - var msg293 = msg("LOGIN_ABORTED", part313); - - var part314 = match("MESSAGE#289:LOGIN_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Login failed for user %{username->} from host %{dhost}", processor_chain([ - dup44, - dup34, - dup35, - dup36, - dup43, - dup22, - dup75, - dup23, - ])); - - var msg294 = msg("LOGIN_FAILED", part314); - - var part315 = match("MESSAGE#290:LOGIN_FAILED_INCORRECT_PASSWORD", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Incorrect password for user %{username}", processor_chain([ - dup44, - dup34, - dup35, - dup36, - dup43, - dup22, - dup75, - setc("result","Incorrect password for user"), - dup23, - ])); - - var msg295 = msg("LOGIN_FAILED_INCORRECT_PASSWORD", part315); - - var part316 = match("MESSAGE#291:LOGIN_FAILED_SET_CONTEXT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Failed to set context for user %{username}", processor_chain([ - dup44, - dup34, - dup35, - dup36, - dup43, - dup22, - dup75, - 
setc("result","Failed to set context for user"), - dup23, - ])); - - var msg296 = msg("LOGIN_FAILED_SET_CONTEXT", part316); - - var part317 = match("MESSAGE#292:LOGIN_FAILED_SET_LOGIN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Failed to set login ID for user %{username}: %{dhost}", processor_chain([ - dup44, - dup34, - dup35, - dup36, - dup43, - dup22, - dup75, - setc("result","Failed to set login ID for user"), - dup23, - ])); - - var msg297 = msg("LOGIN_FAILED_SET_LOGIN", part317); - - var part318 = match("MESSAGE#293:LOGIN_HOSTNAME_UNRESOLVED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to resolve hostname %{dhost}: %{info}", processor_chain([ - dup44, - dup34, - dup35, - dup36, - dup43, - dup22, - dup75, - setc("result","Unable to resolve hostname"), - dup23, - ])); - - var msg298 = msg("LOGIN_HOSTNAME_UNRESOLVED", part318); - - var part319 = match("MESSAGE#294:LOGIN_INFORMATION/2", "nwparser.p0", "%{event_type}: %{p0}"); - - var part320 = match("MESSAGE#294:LOGIN_INFORMATION/4", "nwparser.p0", "%{username->} logged in from host %{dhost->} on %{p0}"); - - var part321 = match("MESSAGE#294:LOGIN_INFORMATION/5_0", "nwparser.p0", "device %{p0}"); - - var select34 = linear_select([ - part321, - dup45, - ]); - - var part322 = match("MESSAGE#294:LOGIN_INFORMATION/6", "nwparser.p0", "%{terminal}"); - - var all19 = all_match({ - processors: [ - dup39, - dup137, - part319, - dup145, - part320, - select34, - part322, - ], - on_success: processor_chain([ - dup33, - dup34, - dup35, - dup36, - dup37, - dup22, - setc("event_description","Successful Login"), - dup23, - ]), - }); - - var msg299 = msg("LOGIN_INFORMATION", all19); - - var part323 = match("MESSAGE#295:LOGIN_INVALID_LOCAL_USER", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: No entry in local password file for user %{username}", processor_chain([ - dup44, - dup34, - dup35, - dup36, - dup43, - dup22, - dup75, - setc("result","No entry in local password 
file for user"), - dup23, - ])); - - var msg300 = msg("LOGIN_INVALID_LOCAL_USER", part323); - - var part324 = match("MESSAGE#296:LOGIN_MALFORMED_USER", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Invalid username: %{username}", processor_chain([ - dup44, - dup34, - dup35, - dup36, - dup43, - dup22, - dup75, - setc("result","Invalid username"), - dup23, - ])); - - var msg301 = msg("LOGIN_MALFORMED_USER", part324); - - var part325 = match("MESSAGE#297:LOGIN_PAM_AUTHENTICATION_ERROR/1_0", "nwparser.p0", "PAM authentication error for user %{p0}"); - - var part326 = match("MESSAGE#297:LOGIN_PAM_AUTHENTICATION_ERROR/1_1", "nwparser.p0", "Failed password for user %{p0}"); - - var select35 = linear_select([ - part325, - part326, - ]); - - var part327 = match("MESSAGE#297:LOGIN_PAM_AUTHENTICATION_ERROR/2", "nwparser.p0", "%{username}"); - - var all20 = all_match({ - processors: [ - dup50, - select35, - part327, - ], - on_success: processor_chain([ - dup44, - dup34, - dup35, - dup36, - dup43, - dup22, - dup75, - setc("result","PAM authentication error for user"), - dup23, - ]), - }); - - var msg302 = msg("LOGIN_PAM_AUTHENTICATION_ERROR", all20); - - var part328 = match("MESSAGE#298:LOGIN_PAM_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Failure while authenticating user %{username}: %{dhost}", processor_chain([ - dup44, - dup34, - dup35, - dup36, - dup43, - dup22, - setc("event_description","PAM authentication failure"), - setc("result","Failure while authenticating user"), - dup23, - ])); - - var msg303 = msg("LOGIN_PAM_ERROR", part328); - - var part329 = match("MESSAGE#299:LOGIN_PAM_MAX_RETRIES", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Too many retries while authenticating user %{username}", processor_chain([ - dup44, - dup34, - dup35, - dup36, - dup43, - dup22, - dup75, - setc("result","Too many retries while authenticating user"), - dup23, - ])); - - var msg304 = msg("LOGIN_PAM_MAX_RETRIES", part329); - - 
var part330 = match("MESSAGE#300:LOGIN_PAM_NONLOCAL_USER", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User %{username->} authenticated but has no local login ID", processor_chain([ - dup44, - dup34, - dup35, - dup36, - dup43, - dup22, - dup75, - setc("result","User authenticated but has no local login ID"), - dup23, - ])); - - var msg305 = msg("LOGIN_PAM_NONLOCAL_USER", part330); - - var part331 = match("MESSAGE#301:LOGIN_PAM_STOP", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Failed to end PAM session: %{info}", processor_chain([ - setc("eventcategory","1303000000"), - dup34, - dup43, - dup22, - setc("event_description","Failed to end PAM session"), - dup23, - ])); - - var msg306 = msg("LOGIN_PAM_STOP", part331); - - var part332 = match("MESSAGE#302:LOGIN_PAM_USER_UNKNOWN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Attempt to authenticate unknown user %{username}", processor_chain([ - dup44, - dup34, - dup35, - dup36, - dup43, - dup22, - dup75, - setc("result","Attempt to authenticate unknown user"), - dup23, - ])); - - var msg307 = msg("LOGIN_PAM_USER_UNKNOWN", part332); - - var part333 = match("MESSAGE#303:LOGIN_PASSWORD_EXPIRED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Forcing change of expired password for user %{username}>", processor_chain([ - dup44, - dup34, - dup35, - dup36, - dup43, - dup22, - dup75, - setc("result","Forcing change of expired password for user"), - dup23, - ])); - - var msg308 = msg("LOGIN_PASSWORD_EXPIRED", part333); - - var part334 = match("MESSAGE#304:LOGIN_REFUSED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Login of user %{username->} from host %{shost->} on %{terminal->} was refused: %{info}", processor_chain([ - dup44, - dup34, - dup35, - dup36, - dup43, - dup22, - dup75, - setc("result","Login of user refused"), - dup23, - ])); - - var msg309 = msg("LOGIN_REFUSED", part334); - - var part335 = match("MESSAGE#305:LOGIN_ROOT", 
"nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User %{username->} logged in as root from host %{shost->} on %{terminal}", processor_chain([ - dup33, - dup34, - dup35, - dup36, - dup37, - dup22, - setc("event_description","successful login as root"), - setc("result","User logged in as root"), - dup23, - ])); - - var msg310 = msg("LOGIN_ROOT", part335); - - var part336 = match("MESSAGE#306:LOGIN_TIMED_OUT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Login attempt timed out after %{dclass_counter1->} seconds", processor_chain([ - dup44, - dup34, - dup36, - dup43, - dup22, - dup75, - setc("result","Login attempt timed out"), - dup23, - ])); - - var msg311 = msg("LOGIN_TIMED_OUT", part336); - - var part337 = match("MESSAGE#307:MIB2D_ATM_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","MIB2D ATM ERROR"), - dup23, - ])); - - var msg312 = msg("MIB2D_ATM_ERROR", part337); - - var part338 = match("MESSAGE#308:MIB2D_CONFIG_CHECK_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","CONFIG CHECK FAILED"), - dup23, - ])); - - var msg313 = msg("MIB2D_CONFIG_CHECK_FAILED", part338); - - var part339 = match("MESSAGE#309:MIB2D_FILE_OPEN_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to open file '%(unknown)': %{result}", processor_chain([ - dup30, - dup22, - dup78, - dup23, - ])); - - var msg314 = msg("MIB2D_FILE_OPEN_FAILURE", part339); - - var msg315 = msg("MIB2D_IFD_IFINDEX_FAILURE", dup146); - - var msg316 = msg("MIB2D_IFL_IFINDEX_FAILURE", dup146); - - var part340 = match("MESSAGE#312:MIB2D_INIT_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: mib2d initialization failure: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","mib2d initialization 
failure"), - dup23, - ])); - - var msg317 = msg("MIB2D_INIT_FAILURE", part340); - - var part341 = match("MESSAGE#313:MIB2D_KVM_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","MIB2D KVM FAILURE"), - dup23, - ])); - - var msg318 = msg("MIB2D_KVM_FAILURE", part341); - - var part342 = match("MESSAGE#314:MIB2D_RTSLIB_READ_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: failed in %{dclass_counter1->} %{dclass_counter2->} index (%{result})", processor_chain([ - dup30, - dup22, - setc("event_description","MIB2D RTSLIB READ FAILURE"), - dup23, - ])); - - var msg319 = msg("MIB2D_RTSLIB_READ_FAILURE", part342); - - var part343 = match("MESSAGE#315:MIB2D_RTSLIB_SEQ_MISMATCH", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: sequence mismatch (%{result}), %{action}", processor_chain([ - dup30, - dup22, - setc("event_description","RTSLIB sequence mismatch"), - dup23, - ])); - - var msg320 = msg("MIB2D_RTSLIB_SEQ_MISMATCH", part343); - - var part344 = match("MESSAGE#316:MIB2D_SYSCTL_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: %{action}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","MIB2D SYSCTL FAILURE"), - dup23, - ])); - - var msg321 = msg("MIB2D_SYSCTL_FAILURE", part344); - - var part345 = match("MESSAGE#317:MIB2D_TRAP_HEADER_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: trap_request_header failed", processor_chain([ - dup30, - dup22, - setc("event_description","trap_request_header failed"), - dup23, - ])); - - var msg322 = msg("MIB2D_TRAP_HEADER_FAILURE", part345); - - var part346 = match("MESSAGE#318:MIB2D_TRAP_SEND_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: %{action}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","MIB2D 
TRAP SEND FAILURE"), - dup23, - ])); - - var msg323 = msg("MIB2D_TRAP_SEND_FAILURE", part346); - - var part347 = match("MESSAGE#319:Multiuser", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: old requested_transition==%{change_new->} sighupped=%{result}", processor_chain([ - dup21, - dup22, - setc("event_description","user sighupped"), - dup23, - ])); - - var msg324 = msg("Multiuser", part347); - - var part348 = match("MESSAGE#320:NASD_AUTHENTICATION_CREATE_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to allocate authentication handle: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Unable to allocate authentication handle"), - dup23, - ])); - - var msg325 = msg("NASD_AUTHENTICATION_CREATE_FAILED", part348); - - var part349 = match("MESSAGE#321:NASD_CHAP_AUTHENTICATION_IN_PROGRESS", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{interface}: received %(unknown), authentication already in progress", processor_chain([ - dup80, - dup34, - dup43, - dup22, - setc("event_description","authentication already in progress"), - dup23, - ])); - - var msg326 = msg("NASD_CHAP_AUTHENTICATION_IN_PROGRESS", part349); - - var part350 = match("MESSAGE#322:NASD_CHAP_GETHOSTNAME_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{interface}: unable to obtain hostname for outgoing CHAP message: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","unable to obtain hostname for outgoing CHAP message"), - dup23, - ])); - - var msg327 = msg("NASD_CHAP_GETHOSTNAME_FAILED", part350); - - var part351 = match("MESSAGE#323:NASD_CHAP_INVALID_CHAP_IDENTIFIER", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{interface}: received %{filename->} expected CHAP ID: %{resultcode}", processor_chain([ - dup30, - dup22, - setc("event_description","CHAP INVALID_CHAP IDENTIFIER"), - dup23, - ])); - - var msg328 = msg("NASD_CHAP_INVALID_CHAP_IDENTIFIER", 
part351); - - var part352 = match("MESSAGE#324:NASD_CHAP_INVALID_OPCODE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{interface}.%{dclass_counter1}: invalid operation code received %(unknown), CHAP ID: %{resultcode}", processor_chain([ - dup30, - dup22, - setc("event_description","CHAP INVALID OPCODE"), - dup23, - ])); - - var msg329 = msg("NASD_CHAP_INVALID_OPCODE", part352); - - var part353 = match("MESSAGE#325:NASD_CHAP_LOCAL_NAME_UNAVAILABLE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to determine value for '%{username}' in outgoing CHAP packet", processor_chain([ - dup30, - dup22, - setc("event_description","Unable to determine value for username in outgoing CHAP packet"), - dup23, - ])); - - var msg330 = msg("NASD_CHAP_LOCAL_NAME_UNAVAILABLE", part353); - - var part354 = match("MESSAGE#326:NASD_CHAP_MESSAGE_UNEXPECTED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{interface}: received %(unknown)", processor_chain([ - dup30, - dup22, - setc("event_description","CHAP MESSAGE UNEXPECTED"), - dup23, - ])); - - var msg331 = msg("NASD_CHAP_MESSAGE_UNEXPECTED", part354); - - var part355 = match("MESSAGE#327:NASD_CHAP_REPLAY_ATTACK_DETECTED", "nwparser.payload", "%{process}[%{ssid}]: %{event_type}: %{interface}.%{dclass_counter1}: received %{filename->} %{result}.%{info}", processor_chain([ - dup81, - dup22, - setc("event_description","CHAP REPLAY ATTACK DETECTED"), - dup23, - ])); - - var msg332 = msg("NASD_CHAP_REPLAY_ATTACK_DETECTED", part355); - - var part356 = match("MESSAGE#328:NASD_CONFIG_GET_LAST_MODIFIED_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to determine last modified time of JUNOS configuration database: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Unable to determine last modified time of JUNOS configuration database"), - dup23, - ])); - - var msg333 = msg("NASD_CONFIG_GET_LAST_MODIFIED_FAILED", part356); - - var 
msg334 = msg("NASD_DAEMONIZE_FAILED", dup140); - - var part357 = match("MESSAGE#330:NASD_DB_ALLOC_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to allocate database object: %(unknown), %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Unable to allocate database object"), - dup23, - ])); - - var msg335 = msg("NASD_DB_ALLOC_FAILURE", part357); - - var part358 = match("MESSAGE#331:NASD_DB_TABLE_CREATE_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}: %(unknown), %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","DB TABLE CREATE FAILURE"), - dup23, - ])); - - var msg336 = msg("NASD_DB_TABLE_CREATE_FAILURE", part358); - - var msg337 = msg("NASD_DUPLICATE", dup141); - - var part359 = match("MESSAGE#333:NASD_EVLIB_CREATE_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action->} with: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","EVLIB CREATE FAILURE"), - dup23, - ])); - - var msg338 = msg("NASD_EVLIB_CREATE_FAILURE", part359); - - var part360 = match("MESSAGE#334:NASD_EVLIB_EXIT_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action->} value: %{result}, error: %{resultcode}", processor_chain([ - dup30, - dup22, - setc("event_description","EVLIB EXIT FAILURE"), - dup23, - ])); - - var msg339 = msg("NASD_EVLIB_EXIT_FAILURE", part360); - - var part361 = match("MESSAGE#335:NASD_LOCAL_CREATE_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to allocate LOCAL module handle: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Unable to allocate LOCAL module handle"), - dup23, - ])); - - var msg340 = msg("NASD_LOCAL_CREATE_FAILED", part361); - - var part362 = match("MESSAGE#336:NASD_NOT_ROOT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Must be run as root", processor_chain([ - dup63, - dup22, - 
setc("event_description","NASD must be run as root"), - dup23, - ])); - - var msg341 = msg("NASD_NOT_ROOT", part362); - - var msg342 = msg("NASD_PID_FILE_LOCK", dup142); - - var msg343 = msg("NASD_PID_FILE_UPDATE", dup143); - - var part363 = match("MESSAGE#339:NASD_POST_CONFIGURE_EVENT_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","POST CONFIGURE EVENT FAILED"), - dup23, - ])); - - var msg344 = msg("NASD_POST_CONFIGURE_EVENT_FAILED", part363); - - var part364 = match("MESSAGE#340:NASD_PPP_READ_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","PPP READ FAILURE"), - dup23, - ])); - - var msg345 = msg("NASD_PPP_READ_FAILURE", part364); - - var part365 = match("MESSAGE#341:NASD_PPP_SEND_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to send message: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Unable to send message"), - dup23, - ])); - - var msg346 = msg("NASD_PPP_SEND_FAILURE", part365); - - var part366 = match("MESSAGE#342:NASD_PPP_SEND_PARTIAL", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to send all of message: %{resultcode}", processor_chain([ - dup30, - dup22, - setc("event_description","Unable to send all of message"), - dup23, - ])); - - var msg347 = msg("NASD_PPP_SEND_PARTIAL", part366); - - var part367 = match("MESSAGE#343:NASD_PPP_UNRECOGNIZED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unrecognized authentication protocol: %{protocol}", processor_chain([ - dup30, - dup22, - setc("event_description","Unrecognized authentication protocol"), - dup23, - ])); - - var msg348 = msg("NASD_PPP_UNRECOGNIZED", part367); - - var part368 = match("MESSAGE#344:NASD_RADIUS_ALLOCATE_PASSWORD_FAILED", "nwparser.payload", 
"%{process}[%{process_id}]: %{event_type}: %{action->} when allocating password for RADIUS: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","RADIUS password allocation failure"), - dup23, - ])); - - var msg349 = msg("NASD_RADIUS_ALLOCATE_PASSWORD_FAILED", part368); - - var part369 = match("MESSAGE#345:NASD_RADIUS_CONFIG_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","RADIUS CONFIG FAILED"), - dup23, - ])); - - var msg350 = msg("NASD_RADIUS_CONFIG_FAILED", part369); - - var part370 = match("MESSAGE#346:NASD_RADIUS_CREATE_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to allocate RADIUS module handle: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Unable to allocate RADIUS module handle"), - dup23, - ])); - - var msg351 = msg("NASD_RADIUS_CREATE_FAILED", part370); - - var part371 = match("MESSAGE#347:NASD_RADIUS_CREATE_REQUEST_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","RADIUS CREATE REQUEST FAILED"), - dup23, - ])); - - var msg352 = msg("NASD_RADIUS_CREATE_REQUEST_FAILED", part371); - - var part372 = match("MESSAGE#348:NASD_RADIUS_GETHOSTNAME_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to obtain hostname for outgoing RADIUS message: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Unable to obtain hostname for outgoing RADIUS message"), - dup23, - ])); - - var msg353 = msg("NASD_RADIUS_GETHOSTNAME_FAILED", part372); - - var part373 = match("MESSAGE#349:NASD_RADIUS_MESSAGE_UNEXPECTED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unknown response from RADIUS server: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Unknown response from RADIUS server"), - 
dup23, - ])); - - var msg354 = msg("NASD_RADIUS_MESSAGE_UNEXPECTED", part373); - - var part374 = match("MESSAGE#350:NASD_RADIUS_OPEN_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","RADIUS OPEN FAILED"), - dup23, - ])); - - var msg355 = msg("NASD_RADIUS_OPEN_FAILED", part374); - - var part375 = match("MESSAGE#351:NASD_RADIUS_SELECT_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","RADIUS SELECT FAILED"), - dup23, - ])); - - var msg356 = msg("NASD_RADIUS_SELECT_FAILED", part375); - - var part376 = match("MESSAGE#352:NASD_RADIUS_SET_TIMER_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","RADIUS SET TIMER FAILED"), - dup23, - ])); - - var msg357 = msg("NASD_RADIUS_SET_TIMER_FAILED", part376); - - var part377 = match("MESSAGE#353:NASD_TRACE_FILE_OPEN_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","TRACE FILE OPEN FAILED"), - dup23, - ])); - - var msg358 = msg("NASD_TRACE_FILE_OPEN_FAILED", part377); - - var part378 = match("MESSAGE#354:NASD_usage", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{result}: %{info}", processor_chain([ - dup21, - dup22, - setc("event_description","NASD Usage"), - dup23, - ])); - - var msg359 = msg("NASD_usage", part378); - - var part379 = match("MESSAGE#355:NOTICE", "nwparser.payload", "%{agent}: %{event_type}:%{action}: %{event_description}: The %{result}", processor_chain([ - dup21, - dup22, - dup23, - ])); - - var msg360 = msg("NOTICE", part379); - - var part380 = match("MESSAGE#356:PFE_FW_SYSLOG_IP", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: FW: %{smacaddr->} 
%{fld10->} %{protocol->} %{saddr->} %{daddr->} %{sport->} %{dport->} (%{packets->} packets)", processor_chain([ - dup21, - dup22, - dup82, - dup23, - ])); - - var msg361 = msg("PFE_FW_SYSLOG_IP", part380); - - var part381 = match("MESSAGE#357:PFE_FW_SYSLOG_IP:01", "nwparser.payload", "%{hostip->} %{hostname->} %{event_type}: FW: %{smacaddr->} %{fld10->} %{protocol->} %{saddr->} %{daddr->} %{sport->} %{dport->} (%{packets->} packets)", processor_chain([ - dup21, - dup22, - dup82, - dup23, - ])); - - var msg362 = msg("PFE_FW_SYSLOG_IP:01", part381); - - var select36 = linear_select([ - msg361, - msg362, - ]); - - var part382 = match("MESSAGE#358:PFE_NH_RESOLVE_THROTTLED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Next-hop resolution requests from interface %{interface->} throttled", processor_chain([ - dup21, - dup22, - setc("event_description","Next-hop resolution requests throttled"), - dup23, - ])); - - var msg363 = msg("PFE_NH_RESOLVE_THROTTLED", part382); - - var part383 = match("MESSAGE#359:PING_TEST_COMPLETED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: pingCtlOwnerIndex = %{dclass_counter1}, pingCtlTestName = %{obj_name}", processor_chain([ - dup21, - dup22, - setc("event_description","PING TEST COMPLETED"), - dup23, - ])); - - var msg364 = msg("PING_TEST_COMPLETED", part383); - - var part384 = match("MESSAGE#360:PING_TEST_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: pingCtlOwnerIndex = %{dclass_counter1}, pingCtlTestName = %{obj_name}", processor_chain([ - dup21, - dup22, - setc("event_description","PING TEST FAILED"), - dup23, - ])); - - var msg365 = msg("PING_TEST_FAILED", part384); - - var part385 = match("MESSAGE#361:process_mode/2", "nwparser.p0", "%{p0}"); - - var part386 = match("MESSAGE#361:process_mode/3_0", "nwparser.p0", "%{event_type}: %{p0}"); - - var part387 = match("MESSAGE#361:process_mode/3_1", "nwparser.p0", "%{event_type->} %{p0}"); - - var select37 = linear_select([ - 
part386, - part387, - ]); - - var part388 = match("MESSAGE#361:process_mode/4", "nwparser.p0", "mode=%{protocol->} cmd=%{action->} master_mode=%{result}"); - - var all21 = all_match({ - processors: [ - dup39, - dup137, - part385, - select37, - part388, - ], - on_success: processor_chain([ - dup21, - dup22, - dup83, - dup23, - ]), - }); - - var msg366 = msg("process_mode", all21); - - var part389 = match("MESSAGE#362:process_mode:01", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: current_mode=%{protocol}, requested_mode=%{result}, cmd=%{action}", processor_chain([ - dup21, - dup22, - dup83, - dup23, - ])); - - var msg367 = msg("process_mode:01", part389); - - var select38 = linear_select([ - msg366, - msg367, - ]); - - var part390 = match("MESSAGE#363:PWC_EXIT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Process %{agent->} exiting with status %{result}", processor_chain([ - dup21, - dup22, - setc("event_description","process exit with status"), - dup23, - ])); - - var msg368 = msg("PWC_EXIT", part390); - - var part391 = match("MESSAGE#364:PWC_HOLD_RELEASE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Process %{agent->} released child %{child_pid->} from %{dclass_counter1->} state", processor_chain([ - dup21, - dup22, - setc("event_description","Process released child from state"), - dup23, - ])); - - var msg369 = msg("PWC_HOLD_RELEASE", part391); - - var part392 = match("MESSAGE#365:PWC_INVALID_RUNS_ARGUMENT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: %{result}, not %{resultcode}", processor_chain([ - dup21, - dup22, - setc("event_description","invalid runs argument"), - dup23, - ])); - - var msg370 = msg("PWC_INVALID_RUNS_ARGUMENT", part392); - - var part393 = match("MESSAGE#366:PWC_INVALID_TIMEOUT_ARGUMENT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","INVALID TIMEOUT 
ARGUMENT"), - dup23, - ])); - - var msg371 = msg("PWC_INVALID_TIMEOUT_ARGUMENT", part393); - - var part394 = match("MESSAGE#367:PWC_KILLED_BY_SIGNAL", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: pwc process %{agent->} received terminating signal", processor_chain([ - dup21, - dup22, - setc("event_description","pwc process received terminating signal"), - dup23, - ])); - - var msg372 = msg("PWC_KILLED_BY_SIGNAL", part394); - - var part395 = match("MESSAGE#368:PWC_KILL_EVENT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: pwc is sending %{resultcode->} to child %{child_pid}", processor_chain([ - dup30, - dup22, - setc("event_description","pwc is sending kill event to child"), - dup23, - ])); - - var msg373 = msg("PWC_KILL_EVENT", part395); - - var part396 = match("MESSAGE#369:PWC_KILL_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to kill process %{child_pid}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Unable to kill process"), - dup23, - ])); - - var msg374 = msg("PWC_KILL_FAILED", part396); - - var part397 = match("MESSAGE#370:PWC_KQUEUE_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: kevent failed: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","kevent failed"), - dup23, - ])); - - var msg375 = msg("PWC_KQUEUE_ERROR", part397); - - var part398 = match("MESSAGE#371:PWC_KQUEUE_INIT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to create kqueue: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Unable to create kqueue"), - dup23, - ])); - - var msg376 = msg("PWC_KQUEUE_INIT", part398); - - var part399 = match("MESSAGE#372:PWC_KQUEUE_REGISTER_FILTER", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Failed to register kqueue filter: %{agent->} for purpose: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Failed to register 
kqueue filter"), - dup23, - ])); - - var msg377 = msg("PWC_KQUEUE_REGISTER_FILTER", part399); - - var part400 = match("MESSAGE#373:PWC_LOCKFILE_BAD_FORMAT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: PID lock file has bad format: %{agent}", processor_chain([ - dup30, - dup22, - setc("event_description","PID lock file has bad format"), - dup23, - ])); - - var msg378 = msg("PWC_LOCKFILE_BAD_FORMAT", part400); - - var part401 = match("MESSAGE#374:PWC_LOCKFILE_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: PID lock file had error: %{agent}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","PID lock file error"), - dup23, - ])); - - var msg379 = msg("PWC_LOCKFILE_ERROR", part401); - - var part402 = match("MESSAGE#375:PWC_LOCKFILE_MISSING", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: PID lock file not found: %{agent}", processor_chain([ - dup30, - dup22, - setc("event_description","PID lock file not found"), - dup23, - ])); - - var msg380 = msg("PWC_LOCKFILE_MISSING", part402); - - var part403 = match("MESSAGE#376:PWC_LOCKFILE_NOT_LOCKED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: PID lock file not locked: %{agent}", processor_chain([ - dup30, - dup22, - setc("event_description","PID lock file not locked"), - dup23, - ])); - - var msg381 = msg("PWC_LOCKFILE_NOT_LOCKED", part403); - - var part404 = match("MESSAGE#377:PWC_NO_PROCESS", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: No process specified", processor_chain([ - dup30, - dup22, - setc("event_description","No process specified for PWC"), - dup23, - ])); - - var msg382 = msg("PWC_NO_PROCESS", part404); - - var part405 = match("MESSAGE#378:PWC_PROCESS_EXIT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: pwc process %{agent->} child %{child_pid->} exited with status %{result}", processor_chain([ - dup21, - dup22, - setc("event_description","pwc process exited with status"), - 
dup23, - ])); - - var msg383 = msg("PWC_PROCESS_EXIT", part405); - - var part406 = match("MESSAGE#379:PWC_PROCESS_FORCED_HOLD", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Process %{agent->} forcing hold down of child %{child_pid->} until signal", processor_chain([ - dup21, - dup22, - setc("event_description","Process forcing hold down of child until signalled"), - dup23, - ])); - - var msg384 = msg("PWC_PROCESS_FORCED_HOLD", part406); - - var part407 = match("MESSAGE#380:PWC_PROCESS_HOLD", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Process %{agent->} holding down child %{child_pid->} until signal", processor_chain([ - dup21, - dup22, - setc("event_description","Process holding down child until signalled"), - dup23, - ])); - - var msg385 = msg("PWC_PROCESS_HOLD", part407); - - var part408 = match("MESSAGE#381:PWC_PROCESS_HOLD_SKIPPED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Process %{agent->} will not down child %{child_pid->} because of %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Process not holding down child"), - dup23, - ])); - - var msg386 = msg("PWC_PROCESS_HOLD_SKIPPED", part408); - - var part409 = match("MESSAGE#382:PWC_PROCESS_OPEN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Failed to create child process with pidpopen: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Failed to create child process with pidpopen"), - dup23, - ])); - - var msg387 = msg("PWC_PROCESS_OPEN", part409); - - var part410 = match("MESSAGE#383:PWC_PROCESS_TIMED_HOLD", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Process %{agent->} holding down child %{child_pid->} %{result}", processor_chain([ - dup21, - dup22, - setc("event_description","Process holding down child"), - dup23, - ])); - - var msg388 = msg("PWC_PROCESS_TIMED_HOLD", part410); - - var part411 = match("MESSAGE#384:PWC_PROCESS_TIMEOUT", "nwparser.payload", 
"%{process}[%{process_id}]: %{event_type}: Child timed out %{result}", processor_chain([ - dup21, - dup22, - setc("event_description","Child process timed out"), - dup23, - ])); - - var msg389 = msg("PWC_PROCESS_TIMEOUT", part411); - - var part412 = match("MESSAGE#385:PWC_SIGNAL_INIT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: signal(%{agent}) failed: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","signal failure"), - dup23, - ])); - - var msg390 = msg("PWC_SIGNAL_INIT", part412); - - var part413 = match("MESSAGE#386:PWC_SOCKET_CONNECT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to connect socket to %{agent}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Unable to connect socket to service"), - dup23, - ])); - - var msg391 = msg("PWC_SOCKET_CONNECT", part413); - - var part414 = match("MESSAGE#387:PWC_SOCKET_CREATE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Failed to create socket: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Failed to create socket"), - dup23, - ])); - - var msg392 = msg("PWC_SOCKET_CREATE", part414); - - var part415 = match("MESSAGE#388:PWC_SOCKET_OPTION", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to set socket option %{agent}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Unable to set socket option"), - dup23, - ])); - - var msg393 = msg("PWC_SOCKET_OPTION", part415); - - var part416 = match("MESSAGE#389:PWC_STDOUT_WRITE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Write to stdout failed: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Write to stdout failed"), - dup23, - ])); - - var msg394 = msg("PWC_STDOUT_WRITE", part416); - - var part417 = match("MESSAGE#390:PWC_SYSTEM_CALL", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: %{result}", processor_chain([ - 
dup21, - dup22, - setc("event_description","PWC SYSTEM CALL"), - dup23, - ])); - - var msg395 = msg("PWC_SYSTEM_CALL", part417); - - var part418 = match("MESSAGE#391:PWC_UNKNOWN_KILL_OPTION", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unknown kill option [%{agent}]", processor_chain([ - dup30, - dup22, - setc("event_description","Unknown kill option"), - dup23, - ])); - - var msg396 = msg("PWC_UNKNOWN_KILL_OPTION", part418); - - var part419 = match("MESSAGE#392:RMOPD_ADDRESS_MULTICAST_INVALID", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Multicast address is not allowed", processor_chain([ - dup30, - dup22, - setc("event_description","Multicast address not allowed"), - dup23, - ])); - - var msg397 = msg("RMOPD_ADDRESS_MULTICAST_INVALID", part419); - - var part420 = match("MESSAGE#393:RMOPD_ADDRESS_SOURCE_INVALID", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Source address invalid: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","RMOPD ADDRESS SOURCE INVALID"), - dup23, - ])); - - var msg398 = msg("RMOPD_ADDRESS_SOURCE_INVALID", part420); - - var part421 = match("MESSAGE#394:RMOPD_ADDRESS_STRING_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to convert numeric address to string: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Unable to convert numeric address to string"), - dup23, - ])); - - var msg399 = msg("RMOPD_ADDRESS_STRING_FAILURE", part421); - - var part422 = match("MESSAGE#395:RMOPD_ADDRESS_TARGET_INVALID", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: rmop_util_set_address status message: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","rmop_util_set_address status message invalid"), - dup23, - ])); - - var msg400 = msg("RMOPD_ADDRESS_TARGET_INVALID", part422); - - var msg401 = msg("RMOPD_DUPLICATE", dup141); - - var part423 = 
match("MESSAGE#397:RMOPD_ICMP_ADDRESS_TYPE_UNSUPPORTED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Only IPv4 source address is supported", processor_chain([ - dup30, - dup22, - setc("event_description","Only IPv4 source address is supported"), - dup23, - ])); - - var msg402 = msg("RMOPD_ICMP_ADDRESS_TYPE_UNSUPPORTED", part423); - - var part424 = match("MESSAGE#398:RMOPD_ICMP_SENDMSG_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{fld1}: No route to host", processor_chain([ - dup30, - dup22, - setc("event_description","No route to host"), - dup23, - ])); - - var msg403 = msg("RMOPD_ICMP_SENDMSG_FAILURE", part424); - - var part425 = match("MESSAGE#399:RMOPD_IFINDEX_NOT_ACTIVE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: ifindex: %{interface}", processor_chain([ - dup30, - dup22, - setc("event_description","IFINDEX NOT ACTIVE"), - dup23, - ])); - - var msg404 = msg("RMOPD_IFINDEX_NOT_ACTIVE", part425); - - var part426 = match("MESSAGE#400:RMOPD_IFINDEX_NO_INFO", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: No information for %{interface}, message: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","IFINDEX NO INFO"), - dup23, - ])); - - var msg405 = msg("RMOPD_IFINDEX_NO_INFO", part426); - - var part427 = match("MESSAGE#401:RMOPD_IFNAME_NOT_ACTIVE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: ifname: %{interface}", processor_chain([ - dup30, - dup22, - setc("event_description","RMOPD IFNAME NOT ACTIVE"), - dup23, - ])); - - var msg406 = msg("RMOPD_IFNAME_NOT_ACTIVE", part427); - - var part428 = match("MESSAGE#402:RMOPD_IFNAME_NO_INFO", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: No information for %{interface}, message: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","IFNAME NO INFO"), - dup23, - ])); - - var msg407 = msg("RMOPD_IFNAME_NO_INFO", part428); - - var part429 = match("MESSAGE#403:RMOPD_NOT_ROOT", 
"nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Must be run as root", processor_chain([ - dup63, - dup22, - setc("event_description","RMOPD Must be run as root"), - dup23, - ])); - - var msg408 = msg("RMOPD_NOT_ROOT", part429); - - var part430 = match("MESSAGE#404:RMOPD_ROUTING_INSTANCE_NO_INFO", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: No information for routing instance %{agent}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","No information for routing instance"), - dup23, - ])); - - var msg409 = msg("RMOPD_ROUTING_INSTANCE_NO_INFO", part430); - - var part431 = match("MESSAGE#405:RMOPD_TRACEROUTE_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","TRACEROUTE ERROR"), - dup23, - ])); - - var msg410 = msg("RMOPD_TRACEROUTE_ERROR", part431); - - var part432 = match("MESSAGE#406:RMOPD_usage", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{result}: %{info}", processor_chain([ - dup21, - dup22, - setc("event_description","RMOPD usage"), - dup23, - ])); - - var msg411 = msg("RMOPD_usage", part432); - - var part433 = match("MESSAGE#407:RPD_ABORT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action->} version built by builder on %{dclass_counter1}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","RPD ABORT"), - dup23, - ])); - - var msg412 = msg("RPD_ABORT", part433); - - var part434 = match("MESSAGE#408:RPD_ACTIVE_TERMINATE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Exiting with active tasks: %{agent}", processor_chain([ - dup30, - dup22, - setc("event_description","RPD exiting with active tasks"), - dup23, - ])); - - var msg413 = msg("RPD_ACTIVE_TERMINATE", part434); - - var part435 = match("MESSAGE#409:RPD_ASSERT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Assertion failed %{resultcode}: file 
\"%(unknown)\", line %{dclass_counter1}", processor_chain([ - dup30, - dup22, - setc("event_description","RPD Assertion failed"), - dup23, - ])); - - var msg414 = msg("RPD_ASSERT", part435); - - var part436 = match("MESSAGE#410:RPD_ASSERT_SOFT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Soft assertion failed %{resultcode}: file \"%(unknown)\", line %{dclass_counter1}", processor_chain([ - dup30, - dup22, - setc("event_description","RPD Soft assertion failed"), - dup23, - ])); - - var msg415 = msg("RPD_ASSERT_SOFT", part436); - - var part437 = match("MESSAGE#411:RPD_EXIT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action->} version built by builder on %{dclass_counter1}", processor_chain([ - dup21, - dup22, - setc("event_description","RPD EXIT"), - dup23, - ])); - - var msg416 = msg("RPD_EXIT", part437); - - var msg417 = msg("RPD_IFL_INDEXCOLLISION", dup147); - - var msg418 = msg("RPD_IFL_NAMECOLLISION", dup147); - - var part438 = match("MESSAGE#414:RPD_ISIS_ADJDOWN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: IS-IS lost %{dclass_counter1->} adjacency to %{dclass_counter2->} on %{interface}, %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","IS-IS lost adjacency"), - dup23, - ])); - - var msg419 = msg("RPD_ISIS_ADJDOWN", part438); - - var part439 = match("MESSAGE#415:RPD_ISIS_ADJUP", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: IS-IS new %{dclass_counter1->} adjacency to %{dclass_counter2->} %{interface}", processor_chain([ - dup21, - dup22, - setc("event_description","IS-IS new adjacency"), - dup23, - ])); - - var msg420 = msg("RPD_ISIS_ADJUP", part439); - - var part440 = match("MESSAGE#416:RPD_ISIS_ADJUPNOIP", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: IS-IS new %{dclass_counter1->} adjacency to %{dclass_counter2->} %{interface->} without an address", processor_chain([ - dup30, - dup22, - setc("event_description","IS-IS new adjacency 
without an address"), - dup23, - ])); - - var msg421 = msg("RPD_ISIS_ADJUPNOIP", part440); - - var part441 = match("MESSAGE#417:RPD_ISIS_LSPCKSUM", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: IS-IS %{dclass_counter1->} LSP checksum error, interface %{interface}, LSP id %{id}, sequence %{dclass_counter2}, checksum %{resultcode}, lifetime %{fld2}", processor_chain([ - dup30, - dup22, - setc("event_description","IS-IS LSP checksum error on iterface"), - dup23, - ])); - - var msg422 = msg("RPD_ISIS_LSPCKSUM", part441); - - var part442 = match("MESSAGE#418:RPD_ISIS_OVERLOAD", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: IS-IS database overload", processor_chain([ - dup30, - dup22, - setc("event_description","IS-IS database overload"), - dup23, - ])); - - var msg423 = msg("RPD_ISIS_OVERLOAD", part442); - - var part443 = match("MESSAGE#419:RPD_KRT_AFUNSUPRT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{resultcode}: received %{agent->} message with unsupported address family %{dclass_counter1}", processor_chain([ - dup30, - dup22, - setc("event_description","message with unsupported address family received"), - dup23, - ])); - - var msg424 = msg("RPD_KRT_AFUNSUPRT", part443); - - var part444 = match("MESSAGE#420:RPD_KRT_CCC_IFL_MODIFY", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{result}, error", processor_chain([ - dup30, - dup22, - setc("event_description","RPD KRT CCC IFL MODIFY"), - dup23, - ])); - - var msg425 = msg("RPD_KRT_CCC_IFL_MODIFY", part444); - - var part445 = match("MESSAGE#421:RPD_KRT_DELETED_RTT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: received deleted routing table from the kernel for family %{dclass_counter1->} table ID %{dclass_counter2}", processor_chain([ - dup30, - dup22, - setc("event_description","received deleted routing table from kernel"), - dup23, - ])); - - var msg426 = msg("RPD_KRT_DELETED_RTT", part445); - - var part446 = 
match("MESSAGE#422:RPD_KRT_IFA_GENERATION", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: ifa generation mismatch -- %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","ifa generation mismatch"), - dup23, - ])); - - var msg427 = msg("RPD_KRT_IFA_GENERATION", part446); - - var part447 = match("MESSAGE#423:RPD_KRT_IFDCHANGE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent->} CHANGE for ifd %{interface->} failed, error \"%{result}\"", processor_chain([ - dup30, - dup22, - setc("event_description","CHANGE for ifd failed"), - dup23, - ])); - - var msg428 = msg("RPD_KRT_IFDCHANGE", part447); - - var part448 = match("MESSAGE#424:RPD_KRT_IFDEST_GET", "nwparser.payload", "%{process}[%{process_id}]: %{event_type->} SERVICE: %{service->} for ifd %{interface->} failed, error \"%{result}\"", processor_chain([ - dup30, - dup22, - setc("event_description","GET SERVICE failure on interface"), - dup23, - ])); - - var msg429 = msg("RPD_KRT_IFDEST_GET", part448); - - var part449 = match("MESSAGE#425:RPD_KRT_IFDGET", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent->} GET index for ifd interface failed, error \"%{result}\"", processor_chain([ - dup30, - dup22, - setc("event_description","GET index for ifd interface failed"), - dup23, - ])); - - var msg430 = msg("RPD_KRT_IFDGET", part449); - - var part450 = match("MESSAGE#426:RPD_KRT_IFD_GENERATION", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: ifd %{dclass_counter1->} generation mismatch -- %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","ifd generation mismatch"), - dup23, - ])); - - var msg431 = msg("RPD_KRT_IFD_GENERATION", part450); - - var part451 = match("MESSAGE#427:RPD_KRT_IFL_CELL_RELAY_MODE_INVALID", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: ifl : %{agent}, %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","KRT IFL CELL RELAY MODE INVALID"), - dup23, 
- ])); - - var msg432 = msg("RPD_KRT_IFL_CELL_RELAY_MODE_INVALID", part451); - - var part452 = match("MESSAGE#428:RPD_KRT_IFL_CELL_RELAY_MODE_UNSPECIFIED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: ifl : %{agent}, %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","KRT IFL CELL RELAY MODE UNSPECIFIED"), - dup23, - ])); - - var msg433 = msg("RPD_KRT_IFL_CELL_RELAY_MODE_UNSPECIFIED", part452); - - var part453 = match("MESSAGE#429:RPD_KRT_IFL_GENERATION", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: ifl %{interface->} generation mismatch -- %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","ifl generation mismatch"), - dup23, - ])); - - var msg434 = msg("RPD_KRT_IFL_GENERATION", part453); - - var part454 = match("MESSAGE#430:RPD_KRT_KERNEL_BAD_ROUTE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: lost %{interface->} %{dclass_counter1->} for route %{dclass_counter2}", processor_chain([ - dup30, - dup22, - setc("event_description","lost interface for route"), - dup23, - ])); - - var msg435 = msg("RPD_KRT_KERNEL_BAD_ROUTE", part454); - - var part455 = match("MESSAGE#431:RPD_KRT_NEXTHOP_OVERFLOW", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: number of next hops (%{dclass_counter1}) exceeded the maximum allowed (%{dclass_counter2}) -- %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","number of next hops exceeded the maximum"), - dup23, - ])); - - var msg436 = msg("RPD_KRT_NEXTHOP_OVERFLOW", part455); - - var part456 = match("MESSAGE#432:RPD_KRT_NOIFD", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: No device %{dclass_counter1->} for interface %{interface}", processor_chain([ - dup30, - dup22, - setc("event_description","No device for interface"), - dup23, - ])); - - var msg437 = msg("RPD_KRT_NOIFD", part456); - - var part457 = match("MESSAGE#433:RPD_KRT_UNKNOWN_RTT", "nwparser.payload", 
"%{process}[%{process_id}]: %{event_type}: %{agent}: received routing table message for unknown table with kernel ID %{dclass_counter1}", processor_chain([ - dup30, - dup22, - setc("event_description","received routing table message for unknown table"), - dup23, - ])); - - var msg438 = msg("RPD_KRT_UNKNOWN_RTT", part457); - - var part458 = match("MESSAGE#434:RPD_KRT_VERSION", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Routing socket version mismatch (%{info}) -- %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Routing socket version mismatch"), - dup23, - ])); - - var msg439 = msg("RPD_KRT_VERSION", part458); - - var part459 = match("MESSAGE#435:RPD_KRT_VERSIONNONE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Routing socket message type %{agent}'s version is not supported by kernel, %{info->} -- %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Routing socket message type not supported by kernel"), - dup23, - ])); - - var msg440 = msg("RPD_KRT_VERSIONNONE", part459); - - var part460 = match("MESSAGE#436:RPD_KRT_VERSIONOLD", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Routing socket message type %{agent}'s version is older than expected (%{info}) -- %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Routing socket message type version is older than expected"), - dup23, - ])); - - var msg441 = msg("RPD_KRT_VERSIONOLD", part460); - - var part461 = match("MESSAGE#437:RPD_LDP_INTF_BLOCKED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Duplicate session ID detected from %{daddr}, interface %{interface}, %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Duplicate session ID detected"), - dup23, - ])); - - var msg442 = msg("RPD_LDP_INTF_BLOCKED", part461); - - var part462 = match("MESSAGE#438:RPD_LDP_INTF_UNBLOCKED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: LDP interface 
%{interface->} is now %{result}", processor_chain([ - dup21, - dup22, - setc("event_description","LDP interface now unblocked"), - dup23, - ])); - - var msg443 = msg("RPD_LDP_INTF_UNBLOCKED", part462); - - var part463 = match("MESSAGE#439:RPD_LDP_NBRDOWN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: LDP neighbor %{daddr->} (%{interface}) is %{result}", processor_chain([ - setc("eventcategory","1603030000"), - dup22, - setc("event_description","LDP neighbor down"), - dup23, - ])); - - var msg444 = msg("RPD_LDP_NBRDOWN", part463); - - var part464 = match("MESSAGE#440:RPD_LDP_NBRUP", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: LDP neighbor %{daddr->} (%{interface}) is %{result}", processor_chain([ - dup21, - dup22, - setc("event_description","LDP neighbor up"), - dup23, - ])); - - var msg445 = msg("RPD_LDP_NBRUP", part464); - - var part465 = match("MESSAGE#441:RPD_LDP_SESSIONDOWN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: LDP session %{daddr->} is down, %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","LDP session down"), - dup23, - ])); - - var msg446 = msg("RPD_LDP_SESSIONDOWN", part465); - - var part466 = match("MESSAGE#442:RPD_LDP_SESSIONUP", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: LDP session %{daddr->} is up", processor_chain([ - dup21, - dup22, - setc("event_description","LDP session up"), - dup23, - ])); - - var msg447 = msg("RPD_LDP_SESSIONUP", part466); - - var part467 = match("MESSAGE#443:RPD_LOCK_FLOCKED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to obtain a lock on %{agent}, %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Unable to obtain a lock"), - dup23, - ])); - - var msg448 = msg("RPD_LOCK_FLOCKED", part467); - - var part468 = match("MESSAGE#444:RPD_LOCK_LOCKED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to obtain a lock on %{agent}, %{result}", 
processor_chain([ - dup30, - dup22, - setc("event_description","Unable to obtain service lock"), - dup23, - ])); - - var msg449 = msg("RPD_LOCK_LOCKED", part468); - - var part469 = match("MESSAGE#445:RPD_MPLS_LSP_CHANGE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: MPLS LSP %{interface->} %{result->} Route %{info}", processor_chain([ - dup21, - dup22, - setc("event_description","MPLS LSP CHANGE"), - dup23, - ])); - - var msg450 = msg("RPD_MPLS_LSP_CHANGE", part469); - - var part470 = match("MESSAGE#446:RPD_MPLS_LSP_DOWN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: MPLS LSP %{interface->} %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","MPLS LSP DOWN"), - dup23, - ])); - - var msg451 = msg("RPD_MPLS_LSP_DOWN", part470); - - var part471 = match("MESSAGE#447:RPD_MPLS_LSP_SWITCH", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: MPLS LSP %{interface->} %{result}, Route %{info}", processor_chain([ - dup21, - dup22, - setc("event_description","MPLS LSP SWITCH"), - dup23, - ])); - - var msg452 = msg("RPD_MPLS_LSP_SWITCH", part471); - - var part472 = match("MESSAGE#448:RPD_MPLS_LSP_UP", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: MPLS LSP %{interface->} %{result->} Route %{info}", processor_chain([ - dup21, - dup22, - setc("event_description","MPLS LSP UP"), - dup23, - ])); - - var msg453 = msg("RPD_MPLS_LSP_UP", part472); - - var part473 = match("MESSAGE#449:RPD_MSDP_PEER_DOWN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: MSDP peer %{group->} %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","MSDP PEER DOWN"), - dup23, - ])); - - var msg454 = msg("RPD_MSDP_PEER_DOWN", part473); - - var part474 = match("MESSAGE#450:RPD_MSDP_PEER_UP", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: MSDP peer %{group->} %{result}", processor_chain([ - dup21, - dup22, - setc("event_description","MSDP PEER UP"), - dup23, - ])); - - var 
msg455 = msg("RPD_MSDP_PEER_UP", part474); - - var part475 = match("MESSAGE#451:RPD_OSPF_NBRDOWN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: OSPF neighbor %{daddr->} (%{interface}) %{disposition->} due to %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","OSPF neighbor down"), - dup23, - ])); - - var msg456 = msg("RPD_OSPF_NBRDOWN", part475); - - var part476 = match("MESSAGE#452:RPD_OSPF_NBRUP", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: OSPF neighbor %{daddr->} (%{interface}) %{disposition->} due to %{result}", processor_chain([ - dup21, - dup22, - setc("event_description","OSPF neighbor up"), - dup23, - ])); - - var msg457 = msg("RPD_OSPF_NBRUP", part476); - - var part477 = match("MESSAGE#453:RPD_OS_MEMHIGH", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Using %{dclass_counter1->} KB of memory, %{info}", processor_chain([ - dup51, - dup22, - setc("event_description","OS MEMHIGH"), - dup23, - ])); - - var msg458 = msg("RPD_OS_MEMHIGH", part477); - - var part478 = match("MESSAGE#454:RPD_PIM_NBRDOWN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: PIM neighbor %{daddr->} timeout interface %{interface}", processor_chain([ - dup30, - dup22, - setc("event_description","PIM neighbor down"), - setc("result","timeout"), - dup23, - ])); - - var msg459 = msg("RPD_PIM_NBRDOWN", part478); - - var part479 = match("MESSAGE#455:RPD_PIM_NBRUP", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: PIM new neighbor %{daddr->} interface %{interface}", processor_chain([ - dup21, - dup22, - setc("event_description","PIM neighbor up"), - dup23, - ])); - - var msg460 = msg("RPD_PIM_NBRUP", part479); - - var part480 = match("MESSAGE#456:RPD_RDISC_CKSUM", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Bad checksum for router solicitation from %{saddr->} to %{daddr}", processor_chain([ - dup30, - dup22, - setc("event_description","Bad checksum for router 
solicitation"), - dup23, - ])); - - var msg461 = msg("RPD_RDISC_CKSUM", part480); - - var part481 = match("MESSAGE#457:RPD_RDISC_NOMULTI", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Ignoring interface %{dclass_counter1->} on %{interface->} -- %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Ignoring interface"), - dup23, - ])); - - var msg462 = msg("RPD_RDISC_NOMULTI", part481); - - var part482 = match("MESSAGE#458:RPD_RDISC_NORECVIF", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to locate interface for router solicitation from %{saddr->} to %{daddr}", processor_chain([ - dup30, - dup22, - setc("event_description","Unable to locate interface for router"), - dup23, - ])); - - var msg463 = msg("RPD_RDISC_NORECVIF", part482); - - var part483 = match("MESSAGE#459:RPD_RDISC_SOLICITADDR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Expected multicast (%{dclass_counter1}) for router solicitation from %{saddr->} to %{daddr}", processor_chain([ - dup30, - dup22, - setc("event_description","Expected multicast for router solicitation"), - dup23, - ])); - - var msg464 = msg("RPD_RDISC_SOLICITADDR", part483); - - var part484 = match("MESSAGE#460:RPD_RDISC_SOLICITICMP", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Nonzero ICMP code (%{resultcode}) for router solicitation from %{saddr->} to %{daddr}", processor_chain([ - dup30, - dup22, - setc("event_description","Nonzero ICMP code for router solicitation"), - dup23, - ])); - - var msg465 = msg("RPD_RDISC_SOLICITICMP", part484); - - var part485 = match("MESSAGE#461:RPD_RDISC_SOLICITLEN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Insufficient length (%{dclass_counter1}) for router solicitation from %{saddr->} to %{daddr}", processor_chain([ - dup30, - dup22, - setc("event_description","Insufficient length for router solicitation"), - dup23, - ])); - - var msg466 = msg("RPD_RDISC_SOLICITLEN", part485); - 
- var part486 = match("MESSAGE#462:RPD_RIP_AUTH", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Update with invalid authentication from %{saddr->} (%{interface})", processor_chain([ - dup30, - dup22, - setc("event_description","RIP update with invalid authentication"), - dup23, - ])); - - var msg467 = msg("RPD_RIP_AUTH", part486); - - var part487 = match("MESSAGE#463:RPD_RIP_JOIN_BROADCAST", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to get broadcast address %{interface}; %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","RIP - unable to get broadcast address"), - dup23, - ])); - - var msg468 = msg("RPD_RIP_JOIN_BROADCAST", part487); - - var part488 = match("MESSAGE#464:RPD_RIP_JOIN_MULTICAST", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to join multicast group %{interface}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","RIP - Unable to join multicast group"), - dup23, - ])); - - var msg469 = msg("RPD_RIP_JOIN_MULTICAST", part488); - - var part489 = match("MESSAGE#465:RPD_RT_IFUP", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: UP route for interface %{interface->} index %{dclass_counter1->} %{saddr}/%{dclass_counter2}", processor_chain([ - dup21, - dup22, - setc("event_description","RIP interface up"), - dup23, - ])); - - var msg470 = msg("RPD_RT_IFUP", part489); - - var msg471 = msg("RPD_SCHED_CALLBACK_LONGRUNTIME", dup148); - - var part490 = match("MESSAGE#467:RPD_SCHED_CUMULATIVE_LONGRUNTIME", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: excessive runtime (%{result}) after action of module", processor_chain([ - dup30, - dup22, - setc("event_description","excessive runtime after action of module"), - dup23, - ])); - - var msg472 = msg("RPD_SCHED_CUMULATIVE_LONGRUNTIME", part490); - - var msg473 = msg("RPD_SCHED_MODULE_LONGRUNTIME", dup148); - - var part491 = 
match("MESSAGE#469:RPD_SCHED_TASK_LONGRUNTIME", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent->} ran for %{dclass_counter1}(%{dclass_counter2})", processor_chain([ - dup30, - dup22, - setc("event_description","task extended runtime"), - dup23, - ])); - - var msg474 = msg("RPD_SCHED_TASK_LONGRUNTIME", part491); - - var part492 = match("MESSAGE#470:RPD_SIGNAL_TERMINATE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent->} termination signal received", processor_chain([ - dup30, - dup22, - setc("event_description","termination signal received for service"), - dup23, - ])); - - var msg475 = msg("RPD_SIGNAL_TERMINATE", part492); - - var part493 = match("MESSAGE#471:RPD_START", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Start %{dclass_counter1->} version version built %{dclass_counter2}", processor_chain([ - dup21, - dup22, - setc("event_description","version built"), - dup23, - ])); - - var msg476 = msg("RPD_START", part493); - - var part494 = match("MESSAGE#472:RPD_SYSTEM", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: detail: %{action}", processor_chain([ - dup21, - dup22, - setc("event_description","system command"), - dup23, - ])); - - var msg477 = msg("RPD_SYSTEM", part494); - - var part495 = match("MESSAGE#473:RPD_TASK_BEGIN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Commencing routing updates, version %{dclass_counter1}, built %{dclass_counter2->} by builder", processor_chain([ - dup21, - dup22, - setc("event_description","Commencing routing updates"), - dup23, - ])); - - var msg478 = msg("RPD_TASK_BEGIN", part495); - - var part496 = match("MESSAGE#474:RPD_TASK_CHILDKILLED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{dclass_counter2->} %{result}", processor_chain([ - dup21, - dup22, - setc("event_description","task killed by signal"), - dup23, - ])); - - var msg479 = msg("RPD_TASK_CHILDKILLED", part496); - - var part497 = 
match("MESSAGE#475:RPD_TASK_CHILDSTOPPED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{dclass_counter2->} %{result}", processor_chain([ - dup21, - dup22, - setc("event_description","task stopped by signal"), - dup23, - ])); - - var msg480 = msg("RPD_TASK_CHILDSTOPPED", part497); - - var part498 = match("MESSAGE#476:RPD_TASK_FORK", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to fork task: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Unable to fork task"), - dup23, - ])); - - var msg481 = msg("RPD_TASK_FORK", part498); - - var part499 = match("MESSAGE#477:RPD_TASK_GETWD", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: getwd: %{action}", processor_chain([ - dup21, - dup22, - setc("event_description","RPD TASK GETWD"), - dup23, - ])); - - var msg482 = msg("RPD_TASK_GETWD", part499); - - var part500 = match("MESSAGE#478:RPD_TASK_NOREINIT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Reinitialization not possible", processor_chain([ - dup30, - dup22, - setc("event_description","Reinitialization not possible"), - dup23, - ])); - - var msg483 = msg("RPD_TASK_NOREINIT", part500); - - var part501 = match("MESSAGE#479:RPD_TASK_PIDCLOSED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to close and remove %{agent}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Unable to close and remove task"), - dup23, - ])); - - var msg484 = msg("RPD_TASK_PIDCLOSED", part501); - - var part502 = match("MESSAGE#480:RPD_TASK_PIDFLOCK", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: flock(%{agent}, %{action}): %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","RPD TASK PIDFLOCK"), - dup23, - ])); - - var msg485 = msg("RPD_TASK_PIDFLOCK", part502); - - var part503 = match("MESSAGE#481:RPD_TASK_PIDWRITE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to write %{agent}: 
%{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Unable to write"), - dup23, - ])); - - var msg486 = msg("RPD_TASK_PIDWRITE", part503); - - var msg487 = msg("RPD_TASK_REINIT", dup149); - - var part504 = match("MESSAGE#483:RPD_TASK_SIGNALIGNORE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: sigaction(%{result}): %{resultcode}", processor_chain([ - dup21, - dup22, - setc("event_description","ignoring task signal"), - dup23, - ])); - - var msg488 = msg("RPD_TASK_SIGNALIGNORE", part504); - - var part505 = match("MESSAGE#484:RT_COS", "nwparser.payload", "%{process}: %{event_type}: COS IPC op %{dclass_counter1->} (%{agent}) failed, err %{resultcode->} (%{result})", processor_chain([ - dup30, - dup22, - setc("event_description","COS IPC op failed"), - dup23, - ])); - - var msg489 = msg("RT_COS", part505); - - var part506 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/2", "nwparser.p0", "%{fld5}\" nat-source-address=\"%{stransaddr}\" nat-source-port=\"%{stransport}\" nat-destination-address=\"%{dtransaddr}\" nat-destination-port=\"%{dtransport}\"%{p0}"); - - var part507 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/4", "nwparser.p0", "%{}src-nat-rule-name=\"%{fld10}\" dst-nat-rule-%{p0}"); - - var part508 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/5_0", "nwparser.p0", "type=%{fld21->} dst-nat-rule-name=\"%{p0}"); - - var select39 = linear_select([ - part508, - dup91, - ]); - - var part509 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/6", "nwparser.p0", "\"%{fld11->} protocol-id=\"%{protocol}\" policy-name=\"%{policyname}\" source-zone-name=\"%{src_zone}\" destination-zone-name=\"%{dst_zone}\" session-id-32=\"%{fld13}\" username=\"%{username}\" roles=\"%{fld15}\" packet-incoming-interface=\"%{dinterface}\"%{p0}"); - - var part510 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/7_0", "nwparser.p0", " application=\"%{fld6}\" nested-application=\"%{fld7}\" encrypted=%{fld8->} %{p0}"); - - var select40 = linear_select([ - 
part510, - dup45, - ]); - - var all22 = all_match({ - processors: [ - dup87, - dup150, - part506, - dup151, - part507, - select39, - part509, - select40, - dup92, - ], - on_success: processor_chain([ - dup28, - dup53, - dup54, - dup22, - dup52, - ]), - }); - - var msg490 = msg("RT_FLOW_SESSION_CREATE:02", all22); - - var part511 = match("MESSAGE#486:RT_FLOW_SESSION_CREATE/1_0", "nwparser.p0", " service-name=\"%{service}\" nat-source-address=\"%{stransaddr}\" nat-source-port=\"%{stransport}\" nat-destination-address=\"%{dtransaddr}\" nat-destination-port=\"%{dtransport}\" src-nat-rule-type=\"%{fld20}\" src-nat-rule-name=\"%{rulename}\" dst-nat-rule-type=\"%{fld10}\" dst-nat-rule-name=\"%{rule_template}\"%{p0}"); - - var select41 = linear_select([ - part511, - dup45, - ]); - - var part512 = match("MESSAGE#486:RT_FLOW_SESSION_CREATE/2", "nwparser.p0", "%{}protocol-id=\"%{protocol}\" policy-name=\"%{policyname}\"%{p0}"); - - var part513 = match("MESSAGE#486:RT_FLOW_SESSION_CREATE/3_0", "nwparser.p0", " source-zone-name=\"%{src_zone}\" destination-zone-name=\"%{dst_zone}\" session-id-32=\"%{sessionid}\" username=\"%{username}\" roles=\"%{fld50}\" packet-incoming-interface=\"%{dinterface}\" application=\"%{application}\" nested-application=\"%{fld7}\" encrypted=\"%{fld8}\"%{p0}"); - - var select42 = linear_select([ - part513, - dup45, - ]); - - var all23 = all_match({ - processors: [ - dup87, - select41, - part512, - select42, - dup92, - ], - on_success: processor_chain([ - dup28, - dup53, - dup54, - dup22, - dup52, - ]), - }); - - var msg491 = msg("RT_FLOW_SESSION_CREATE", all23); - - var part514 = match("MESSAGE#487:RT_FLOW_SESSION_CREATE:01/0_0", "nwparser.payload", "%{process}: %{event_type}: session created %{p0}"); - - var part515 = match("MESSAGE#487:RT_FLOW_SESSION_CREATE:01/0_1", "nwparser.payload", "%{event_type}: session created %{p0}"); - - var select43 = linear_select([ - part514, - part515, - ]); - - var part516 = 
match("MESSAGE#487:RT_FLOW_SESSION_CREATE:01/1", "nwparser.p0", "%{saddr}/%{sport}->%{daddr}/%{dport->} %{fld20->} %{hostip}/%{network_port}->%{dtransaddr}/%{dtransport->} %{p0}"); - - var part517 = match("MESSAGE#487:RT_FLOW_SESSION_CREATE:01/2_0", "nwparser.p0", "%{rulename->} %{rule_template->} %{fld12->} %{fld13->} %{fld14->} %{policyname->} %{src_zone->} %{dst_zone->} %{sessionid->} %{username}(%{fld10}) %{interface->} %{protocol->} %{fld15->} UNKNOWN UNKNOWN"); - - var part518 = match("MESSAGE#487:RT_FLOW_SESSION_CREATE:01/2_1", "nwparser.p0", "%{rulename->} %{rule_template->} %{fld12->} %{fld13->} %{fld14->} %{policyname->} %{src_zone->} %{dst_zone->} %{sessionid->} %{username}(%{fld10}) %{interface->} %{fld15}"); - - var part519 = match_copy("MESSAGE#487:RT_FLOW_SESSION_CREATE:01/2_2", "nwparser.p0", "info"); - - var select44 = linear_select([ - part517, - part518, - part519, - ]); - - var all24 = all_match({ - processors: [ - select43, - part516, - select44, - ], - on_success: processor_chain([ - dup28, - dup53, - dup54, - dup22, - setc("event_description","session created"), - dup23, - ]), - }); - - var msg492 = msg("RT_FLOW_SESSION_CREATE:01", all24); - - var select45 = linear_select([ - msg490, - msg491, - msg492, - ]); - - var part520 = match("MESSAGE#488:RT_FLOW_SESSION_DENY:02/2", "nwparser.p0", "%{fld5}\" protocol-id=\"%{protocol}\" icmp-type=\"%{obj_type}\" policy-name=\"%{policyname}\" source-zone-name=\"%{src_zone}\" destination-zone-name=\"%{dst_zone}\" application=\"%{fld6}\" nested-application=\"%{fld7}\" username=\"%{username}\" roles=\"%{user_role}\" packet-incoming-interface=\"%{dinterface}\"%{p0}"); - - var part521 = match("MESSAGE#488:RT_FLOW_SESSION_DENY:02/3_0", "nwparser.p0", " encrypted=\"%{fld16}\" reason=\"%{result}\" src-vrf-grp=\"%{fld99}\" dst-vrf-grp=\"%{fld98}\"%{p0}"); - - var part522 = match("MESSAGE#488:RT_FLOW_SESSION_DENY:02/3_1", "nwparser.p0", " encrypted=%{fld16->} reason=\"%{result}\"%{p0}"); - - var select46 = 
linear_select([ - part521, - part522, - dup45, - ]); - - var all25 = all_match({ - processors: [ - dup87, - dup150, - part520, - select46, - dup92, - ], - on_success: processor_chain([ - dup93, - dup53, - dup94, - dup22, - dup52, - ]), - }); - - var msg493 = msg("RT_FLOW_SESSION_DENY:02", all25); - - var part523 = match("MESSAGE#489:RT_FLOW_SESSION_DENY", "nwparser.payload", "%{event_type->} [junos@%{obj_name->} source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" protocol-id=\"%{protocol}\" icmp-type=\"%{obj_type}\" policy-name=\"%{policyname}\"]", processor_chain([ - dup93, - dup53, - dup94, - dup22, - dup52, - ])); - - var msg494 = msg("RT_FLOW_SESSION_DENY", part523); - - var part524 = match("MESSAGE#490:RT_FLOW_SESSION_DENY:03/1", "nwparser.p0", "%{saddr}/%{sport}->%{daddr}/%{dport->} %{fld20->} %{fld1->} %{result->} %{src_zone->} %{dst_zone->} HTTP %{info}"); - - var all26 = all_match({ - processors: [ - dup152, - part524, - ], - on_success: processor_chain([ - dup27, - dup53, - dup94, - dup22, - dup97, - dup23, - ]), - }); - - var msg495 = msg("RT_FLOW_SESSION_DENY:03", all26); - - var part525 = match("MESSAGE#491:RT_FLOW_SESSION_DENY:01/1", "nwparser.p0", "%{saddr}/%{sport}->%{daddr}/%{dport->} %{fld20->} %{fld1->} %{result->} %{src_zone->} %{dst_zone}"); - - var all27 = all_match({ - processors: [ - dup152, - part525, - ], - on_success: processor_chain([ - dup27, - dup53, - dup94, - dup22, - dup97, - dup23, - ]), - }); - - var msg496 = msg("RT_FLOW_SESSION_DENY:01", all27); - - var select47 = linear_select([ - msg493, - msg494, - msg495, - msg496, - ]); - - var select48 = linear_select([ - dup103, - dup45, - ]); - - var all28 = all_match({ - processors: [ - dup98, - dup150, - dup99, - dup151, - dup100, - dup153, - dup102, - select48, - dup92, - ], - on_success: processor_chain([ - dup27, - dup53, - dup55, - dup104, - dup22, - dup52, - ]), - }); - - var msg497 = msg("RT_FLOW_SESSION_CLOSE:01", 
all28); - - var part526 = match("MESSAGE#493:RT_FLOW_SESSION_CLOSE", "nwparser.payload", "%{event_type->} [junos@%{obj_name->} reason=\"%{result}\" source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" protocol-id=\"%{protocol}\" policy-name=\"%{policyname}\" inbound-packets=\"%{packets}\" inbound-bytes=\"%{rbytes}\" outbound-packets=\"%{dclass_counter1}\" outbound-bytes=\"%{sbytes}\" elapsed-time=\"%{duration}\"]", processor_chain([ - dup27, - dup53, - dup55, - dup22, - dup52, - ])); - - var msg498 = msg("RT_FLOW_SESSION_CLOSE", part526); - - var part527 = match("MESSAGE#494:RT_FLOW_SESSION_CLOSE:02/0_0", "nwparser.payload", "%{process}: %{event_type}: session closed %{p0}"); - - var part528 = match("MESSAGE#494:RT_FLOW_SESSION_CLOSE:02/0_1", "nwparser.payload", "%{event_type}: session closed %{p0}"); - - var select49 = linear_select([ - part527, - part528, - ]); - - var part529 = match("MESSAGE#494:RT_FLOW_SESSION_CLOSE:02/1", "nwparser.p0", "%{result}: %{saddr}/%{sport}->%{daddr}/%{dport->} %{fld20->} %{hostip}/%{network_port}->%{dtransaddr}/%{dtransport->} %{info}"); - - var all29 = all_match({ - processors: [ - select49, - part529, - ], - on_success: processor_chain([ - dup27, - dup53, - dup55, - dup22, - setc("event_description","session closed"), - dup23, - ]), - }); - - var msg499 = msg("RT_FLOW_SESSION_CLOSE:02", all29); - - var part530 = match("MESSAGE#495:RT_FLOW_SESSION_CLOSE:03/7_1", "nwparser.p0", " application=\"%{fld6}\" nested-application=\"%{fld7}\" username=\"%{username}\" roles=\"%{user_role}\" packet-incoming-interface=\"%{dinterface}\" %{p0}"); - - var select50 = linear_select([ - dup103, - part530, - dup45, - ]); - - var part531 = match("MESSAGE#495:RT_FLOW_SESSION_CLOSE:03/8", "nwparser.p0", "] session closed %{fld60}: %{fld51}/%{fld52}->%{fld53}/%{fld54->} %{fld55->} %{fld56}/%{fld57}->%{fld58}/%{fld59->} %{info}"); - - var all30 = all_match({ - processors: [ - dup98, - dup150, - 
dup99, - dup151, - dup100, - dup153, - dup102, - select50, - part531, - ], - on_success: processor_chain([ - dup27, - dup53, - dup55, - dup104, - dup22, - dup52, - dup61, - ]), - }); - - var msg500 = msg("RT_FLOW_SESSION_CLOSE:03", all30); - - var select51 = linear_select([ - msg497, - msg498, - msg499, - msg500, - ]); - - var part532 = match("MESSAGE#496:RT_SCREEN_IP", "nwparser.payload", "%{process}: %{event_type}: Fragmented traffic! source:%{saddr}, destination: %{daddr}, protocol-id: %{protocol}, zone name: %{zone}, interface name: %{interface}", processor_chain([ - dup30, - dup22, - setc("event_description","Fragmented traffic"), - dup23, - ])); - - var msg501 = msg("RT_SCREEN_IP", part532); - - var part533 = match("MESSAGE#497:RT_SCREEN_IP:01", "nwparser.payload", "%{event_type->} [junos@%{obj_name->} attack-name=\"%{threat_name}\" source-address=\"%{saddr}\" destination-address=\"%{daddr}\" protocol-id=\"%{protocol}\" source-zone-name=\"%{src_zone}\" interface-name=\"%{interface}\" action=\"%{action}\"]", processor_chain([ - dup30, - dup22, - dup52, - ])); - - var msg502 = msg("RT_SCREEN_IP:01", part533); - - var select52 = linear_select([ - msg501, - msg502, - ]); - - var msg503 = msg("RT_SCREEN_TCP", dup154); - - var part534 = match("MESSAGE#499:RT_SCREEN_SESSION_LIMIT", "nwparser.payload", "%{event_type->} [junos@%{obj_name->} attack-name=\"%{threat_name}\" message=\"%{info}\" ip-address=\"%{hostip}\" source-zone-name=\"%{src_zone}\" interface-name=\"%{interface}\" action=\"%{action}\"]", processor_chain([ - dup30, - dup22, - dup52, - ])); - - var msg504 = msg("RT_SCREEN_SESSION_LIMIT", part534); - - var msg505 = msg("RT_SCREEN_UDP", dup154); - - var part535 = match("MESSAGE#501:SERVICED_CLIENT_CONNECT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: attempt to connect to interface failed with error: %{result}", processor_chain([ - dup27, - dup22, - setc("event_description","attempt to connect to interface failed"), - dup23, - 
])); - - var msg506 = msg("SERVICED_CLIENT_CONNECT", part535); - - var part536 = match("MESSAGE#502:SERVICED_CLIENT_DISCONNECTED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: unexpected termination of connection to interface", processor_chain([ - dup27, - dup22, - setc("event_description","unexpected termination of connection"), - dup23, - ])); - - var msg507 = msg("SERVICED_CLIENT_DISCONNECTED", part536); - - var part537 = match("MESSAGE#503:SERVICED_CLIENT_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: client interface connection failure: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","client interface connection failure"), - dup23, - ])); - - var msg508 = msg("SERVICED_CLIENT_ERROR", part537); - - var part538 = match("MESSAGE#504:SERVICED_COMMAND_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: remote command execution failed with error: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","remote command execution failed"), - dup23, - ])); - - var msg509 = msg("SERVICED_COMMAND_FAILED", part538); - - var part539 = match("MESSAGE#505:SERVICED_COMMIT_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: client failed to commit configuration with error: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","client commit configuration failed"), - dup23, - ])); - - var msg510 = msg("SERVICED_COMMIT_FAILED", part539); - - var part540 = match("MESSAGE#506:SERVICED_CONFIGURATION_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: configuration process failed with error: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","configuration process failed"), - dup23, - ])); - - var msg511 = msg("SERVICED_CONFIGURATION_FAILED", part540); - - var part541 = match("MESSAGE#507:SERVICED_CONFIG_ERROR", "nwparser.payload", 
"%{process}[%{process_id}]: %{event_type}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","SERVICED CONFIG ERROR"), - dup23, - ])); - - var msg512 = msg("SERVICED_CONFIG_ERROR", part541); - - var part542 = match("MESSAGE#508:SERVICED_CONFIG_FILE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: %{dclass_counter2->} failed to read path with error: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","service failed to read path"), - dup23, - ])); - - var msg513 = msg("SERVICED_CONFIG_FILE", part542); - - var part543 = match("MESSAGE#509:SERVICED_CONNECTION_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","SERVICED CONNECTION ERROR"), - dup23, - ])); - - var msg514 = msg("SERVICED_CONNECTION_ERROR", part543); - - var part544 = match("MESSAGE#510:SERVICED_DISABLED_GGSN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: GGSN services disabled: object: %{result}", processor_chain([ - dup21, - dup22, - setc("event_description","GGSN services disabled"), - dup23, - ])); - - var msg515 = msg("SERVICED_DISABLED_GGSN", part544); - - var msg516 = msg("SERVICED_DUPLICATE", dup141); - - var part545 = match("MESSAGE#512:SERVICED_EVENT_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: event function %{dclass_counter2->} failed with error: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","event function failed"), - dup23, - ])); - - var msg517 = msg("SERVICED_EVENT_FAILED", part545); - - var part546 = match("MESSAGE#513:SERVICED_INIT_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: initialization failed with error: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","service initialization failed"), - dup23, - ])); - - var msg518 = msg("SERVICED_INIT_FAILED", part546); - - var 
part547 = match("MESSAGE#514:SERVICED_MALLOC_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: failed to allocate [%{dclass_counter2}] object [%{dclass_counter1->} bytes %{bytes}]: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","memory allocation failure"), - dup23, - ])); - - var msg519 = msg("SERVICED_MALLOC_FAILURE", part547); - - var part548 = match("MESSAGE#515:SERVICED_NETWORK_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: %{dclass_counter2->} had error: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","NETWORK FAILURE"), - dup23, - ])); - - var msg520 = msg("SERVICED_NETWORK_FAILURE", part548); - - var part549 = match("MESSAGE#516:SERVICED_NOT_ROOT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Must be run as root", processor_chain([ - dup63, - dup22, - setc("event_description","SERVICED must be run as root"), - dup23, - ])); - - var msg521 = msg("SERVICED_NOT_ROOT", part549); - - var msg522 = msg("SERVICED_PID_FILE_LOCK", dup142); - - var msg523 = msg("SERVICED_PID_FILE_UPDATE", dup143); - - var part550 = match("MESSAGE#519:SERVICED_RTSOCK_SEQUENCE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: routing socket sequence error, %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","routing socket sequence error"), - dup23, - ])); - - var msg524 = msg("SERVICED_RTSOCK_SEQUENCE", part550); - - var part551 = match("MESSAGE#520:SERVICED_SIGNAL_HANDLER", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: set up of signal name handler failed with error: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","set up of signal name handler failed"), - dup23, - ])); - - var msg525 = msg("SERVICED_SIGNAL_HANDLER", part551); - - var part552 = match("MESSAGE#521:SERVICED_SOCKET_CREATE", "nwparser.payload", "%{process}[%{process_id}]: 
%{event_type}: %{agent}: socket create failed with error: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","socket create failed with error"), - dup23, - ])); - - var msg526 = msg("SERVICED_SOCKET_CREATE", part552); - - var part553 = match("MESSAGE#522:SERVICED_SOCKET_IO", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: socket function %{dclass_counter2->} failed with error: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","socket function failed"), - dup23, - ])); - - var msg527 = msg("SERVICED_SOCKET_IO", part553); - - var part554 = match("MESSAGE#523:SERVICED_SOCKET_OPTION", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: unable to set socket option %{dclass_counter2}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","unable to set socket option"), - dup23, - ])); - - var msg528 = msg("SERVICED_SOCKET_OPTION", part554); - - var part555 = match("MESSAGE#524:SERVICED_STDLIB_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: %{dclass_counter2->} had error: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","STDLIB FAILURE"), - dup23, - ])); - - var msg529 = msg("SERVICED_STDLIB_FAILURE", part555); - - var part556 = match("MESSAGE#525:SERVICED_USAGE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Incorrect usage: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Incorrect service usage"), - dup23, - ])); - - var msg530 = msg("SERVICED_USAGE", part556); - - var part557 = match("MESSAGE#526:SERVICED_WORK_INCONSISTENCY", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: object has unexpected value %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","object has unexpected value"), - dup23, - ])); - - var msg531 = msg("SERVICED_WORK_INCONSISTENCY", part557); - - var msg532 = 
msg("SSL_PROXY_SSL_SESSION_ALLOW", dup155); - - var msg533 = msg("SSL_PROXY_SSL_SESSION_DROP", dup155); - - var msg534 = msg("SSL_PROXY_SESSION_IGNORE", dup155); - - var part558 = match("MESSAGE#530:SNMP_NS_LOG_INFO", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: NET-SNMP version %{version->} AgentX subagent connected", processor_chain([ - dup21, - dup22, - setc("event_description","AgentX subagent connected"), - dup61, - dup23, - ])); - - var msg535 = msg("SNMP_NS_LOG_INFO", part558); - - var part559 = match("MESSAGE#531:SNMP_SUBAGENT_IPC_REG_ROWS", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: ns_subagent_register_mibs: registering %{dclass_counter1->} rows", processor_chain([ - dup21, - dup22, - setc("event_description","ns_subagent registering rows"), - dup61, - dup23, - ])); - - var msg536 = msg("SNMP_SUBAGENT_IPC_REG_ROWS", part559); - - var part560 = match("MESSAGE#532:SNMPD_ACCESS_GROUP_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: %{result->} in %{dclass_counter1->} access group %{group}", processor_chain([ - dup30, - dup22, - setc("event_description","SNMPD ACCESS GROUP ERROR"), - dup23, - ])); - - var msg537 = msg("SNMPD_ACCESS_GROUP_ERROR", part560); - - var part561 = match("MESSAGE#533:SNMPD_AUTH_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: unauthorized SNMP community from %{daddr->} to unknown community name (%{pool_name})", processor_chain([ - dup30, - dup22, - dup105, - setc("result","unauthorized SNMP community to unknown community name"), - dup23, - ])); - - var msg538 = msg("SNMPD_AUTH_FAILURE", part561); - - var part562 = match("MESSAGE#534:SNMPD_AUTH_FAILURE:01", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: failed input interface authorization from %{daddr->} to unknown (%{pool_name})", processor_chain([ - dup30, - dup22, - dup105, - setc("result","failed input interface authorization to unknown"), - dup23, - 
])); - - var msg539 = msg("SNMPD_AUTH_FAILURE:01", part562); - - var part563 = match("MESSAGE#535:SNMPD_AUTH_FAILURE:02", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: unauthorized SNMP community from %{daddr->} to %{saddr->} (%{pool_name})", processor_chain([ - dup30, - dup22, - dup105, - setc("result","unauthorized SNMP community "), - dup23, - ])); - - var msg540 = msg("SNMPD_AUTH_FAILURE:02", part563); - - var part564 = match("MESSAGE#595:SNMPD_AUTH_FAILURE:03", "nwparser.payload", "%{process->} %{process_id->} %{event_type->} [junos@%{obj_name->} function-name=\"%{fld1}\" message=\"%{info}\" source-address=\"%{saddr}\" destination-address=\"%{daddr}\" index1=\"%{fld4}\"]", processor_chain([ - dup30, - dup22, - dup105, - dup61, - dup62, - ])); - - var msg541 = msg("SNMPD_AUTH_FAILURE:03", part564); - - var select53 = linear_select([ - msg538, - msg539, - msg540, - msg541, - ]); - - var part565 = match("MESSAGE#536:SNMPD_AUTH_PRIVILEGES_EXCEEDED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: %{saddr}: request exceeded community privileges", processor_chain([ - dup30, - dup22, - setc("event_description","SNMP request exceeded community privileges"), - dup23, - ])); - - var msg542 = msg("SNMPD_AUTH_PRIVILEGES_EXCEEDED", part565); - - var part566 = match("MESSAGE#537:SNMPD_AUTH_RESTRICTED_ADDRESS", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: request from address %{daddr->} not allowed", processor_chain([ - dup48, - dup22, - setc("event_description","SNMPD AUTH RESTRICTED ADDRESS"), - setc("result","request not allowed"), - dup23, - ])); - - var msg543 = msg("SNMPD_AUTH_RESTRICTED_ADDRESS", part566); - - var part567 = match("MESSAGE#538:SNMPD_AUTH_WRONG_PDU_TYPE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: %{saddr}: unauthorized SNMP PDU type: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","unauthorized SNMP PDU type"), - 
dup23, - ])); - - var msg544 = msg("SNMPD_AUTH_WRONG_PDU_TYPE", part567); - - var part568 = match("MESSAGE#539:SNMPD_CONFIG_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Configuration database has errors", processor_chain([ - dup30, - dup22, - setc("event_description","Configuration database has errors"), - dup23, - ])); - - var msg545 = msg("SNMPD_CONFIG_ERROR", part568); - - var part569 = match("MESSAGE#540:SNMPD_CONTEXT_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: %{result->} in %{dclass_counter1->} context %{dclass_counter2}", processor_chain([ - dup30, - dup22, - setc("event_description","SNMPD CONTEXT ERROR"), - dup23, - ])); - - var msg546 = msg("SNMPD_CONTEXT_ERROR", part569); - - var part570 = match("MESSAGE#541:SNMPD_ENGINE_FILE_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{dclass_counter2}: operation: %{dclass_counter1->} %{agent}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","SNMPD ENGINE FILE FAILURE"), - dup23, - ])); - - var msg547 = msg("SNMPD_ENGINE_FILE_FAILURE", part570); - - var part571 = match("MESSAGE#542:SNMPD_ENGINE_PROCESS_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: from-path: undecodable/unmatched subagent response", processor_chain([ - dup30, - dup22, - setc("event_description"," from-path - SNMP undecodable/unmatched subagent response"), - dup23, - ])); - - var msg548 = msg("SNMPD_ENGINE_PROCESS_ERROR", part571); - - var part572 = match("MESSAGE#543:SNMPD_FILE_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: fopen %{dclass_counter2}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","SNMPD FILE FAILURE"), - dup23, - ])); - - var msg549 = msg("SNMPD_FILE_FAILURE", part572); - - var part573 = match("MESSAGE#544:SNMPD_GROUP_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: %{result->} in 
%{dclass_counter1->} group: '%{group}' user '%{username}' model '%{version}'", processor_chain([ - dup30, - dup22, - setc("event_description","SNMPD GROUP ERROR"), - dup23, - ])); - - var msg550 = msg("SNMPD_GROUP_ERROR", part573); - - var part574 = match("MESSAGE#545:SNMPD_INIT_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: snmpd initialization failure: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","snmpd initialization failure"), - dup23, - ])); - - var msg551 = msg("SNMPD_INIT_FAILED", part574); - - var part575 = match("MESSAGE#546:SNMPD_LIBJUNIPER_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: system_default_inaddr: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","LIBJUNIPER FAILURE"), - dup23, - ])); - - var msg552 = msg("SNMPD_LIBJUNIPER_FAILURE", part575); - - var part576 = match("MESSAGE#547:SNMPD_LOOPBACK_ADDR_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","LOOPBACK ADDR ERROR"), - dup23, - ])); - - var msg553 = msg("SNMPD_LOOPBACK_ADDR_ERROR", part576); - - var part577 = match("MESSAGE#548:SNMPD_MEMORY_FREED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: called for freed - already freed", processor_chain([ - dup30, - dup22, - setc("event_description","duplicate memory free"), - dup23, - ])); - - var msg554 = msg("SNMPD_MEMORY_FREED", part577); - - var part578 = match("MESSAGE#549:SNMPD_RADIX_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: radix_add failed: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","radix_add failed"), - dup23, - ])); - - var msg555 = msg("SNMPD_RADIX_FAILURE", part578); - - var part579 = match("MESSAGE#550:SNMPD_RECEIVE_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: receive 
%{dclass_counter1->} failure: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","SNMPD RECEIVE FAILURE"), - dup23, - ])); - - var msg556 = msg("SNMPD_RECEIVE_FAILURE", part579); - - var part580 = match("MESSAGE#551:SNMPD_RMONFILE_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{dclass_counter2}: operation: %{dclass_counter1->} %{agent}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","RMONFILE FAILURE"), - dup23, - ])); - - var msg557 = msg("SNMPD_RMONFILE_FAILURE", part580); - - var part581 = match("MESSAGE#552:SNMPD_RMON_COOKIE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: Null cookie", processor_chain([ - dup30, - dup22, - setc("event_description","Null cookie"), - dup23, - ])); - - var msg558 = msg("SNMPD_RMON_COOKIE", part581); - - var part582 = match("MESSAGE#553:SNMPD_RMON_EVENTLOG", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: %{result}", processor_chain([ - dup21, - dup22, - setc("event_description","RMON EVENTLOG"), - dup23, - ])); - - var msg559 = msg("SNMPD_RMON_EVENTLOG", part582); - - var part583 = match("MESSAGE#554:SNMPD_RMON_IOERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: Received io error, %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Received io error"), - dup23, - ])); - - var msg560 = msg("SNMPD_RMON_IOERROR", part583); - - var part584 = match("MESSAGE#555:SNMPD_RMON_MIBERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: internal Get request error: description, %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","internal Get request error"), - dup23, - ])); - - var msg561 = msg("SNMPD_RMON_MIBERROR", part584); - - var part585 = match("MESSAGE#556:SNMPD_RTSLIB_ASYNC_EVENT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: sequence mismatch %{result}", processor_chain([ - 
dup30, - dup22, - setc("event_description","sequence mismatch"), - dup23, - ])); - - var msg562 = msg("SNMPD_RTSLIB_ASYNC_EVENT", part585); - - var part586 = match("MESSAGE#557:SNMPD_SEND_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: send send-type (index1) failure: %{result}", processor_chain([ - dup30, - dup22, - dup106, - dup23, - ])); - - var msg563 = msg("SNMPD_SEND_FAILURE", part586); - - var part587 = match("MESSAGE#558:SNMPD_SEND_FAILURE:01", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: send to (%{saddr}) failure: %{result}", processor_chain([ - dup30, - dup22, - dup106, - dup23, - ])); - - var msg564 = msg("SNMPD_SEND_FAILURE:01", part587); - - var select54 = linear_select([ - msg563, - msg564, - ]); - - var part588 = match("MESSAGE#559:SNMPD_SOCKET_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: socket failure: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","SNMPD SOCKET FAILURE"), - dup23, - ])); - - var msg565 = msg("SNMPD_SOCKET_FAILURE", part588); - - var part589 = match("MESSAGE#560:SNMPD_SUBAGENT_NO_BUFFERS", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: No buffers available for subagent (%{agent})", processor_chain([ - dup30, - dup22, - setc("event_description","No buffers available for subagent"), - dup23, - ])); - - var msg566 = msg("SNMPD_SUBAGENT_NO_BUFFERS", part589); - - var part590 = match("MESSAGE#561:SNMPD_SUBAGENT_SEND_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Send to subagent failed (%{agent}): %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Send to subagent failed"), - dup23, - ])); - - var msg567 = msg("SNMPD_SUBAGENT_SEND_FAILED", part590); - - var part591 = match("MESSAGE#562:SNMPD_SYSLIB_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: system function '%{dclass_counter1}' failed: %{result}", 
processor_chain([ - dup30, - dup22, - setc("event_description","system function failed"), - dup23, - ])); - - var msg568 = msg("SNMPD_SYSLIB_FAILURE", part591); - - var part592 = match("MESSAGE#563:SNMPD_THROTTLE_QUEUE_DRAINED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: cleared all throttled traps", processor_chain([ - dup21, - dup22, - setc("event_description","cleared all throttled traps"), - dup23, - ])); - - var msg569 = msg("SNMPD_THROTTLE_QUEUE_DRAINED", part592); - - var part593 = match("MESSAGE#564:SNMPD_TRAP_COLD_START", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: SNMP trap: cold start", processor_chain([ - dup21, - dup22, - setc("event_description","SNMP trap: cold start"), - dup23, - ])); - - var msg570 = msg("SNMPD_TRAP_COLD_START", part593); - - var part594 = match("MESSAGE#565:SNMPD_TRAP_GEN_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: SNMP trap error: %{resultcode->} (%{result})", processor_chain([ - dup30, - dup22, - dup107, - dup23, - ])); - - var msg571 = msg("SNMPD_TRAP_GEN_FAILURE", part594); - - var part595 = match("MESSAGE#566:SNMPD_TRAP_GEN_FAILURE2", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: SNMP trap error: %{dclass_counter2->} %{result}", processor_chain([ - dup30, - dup22, - dup107, - dup23, - ])); - - var msg572 = msg("SNMPD_TRAP_GEN_FAILURE2", part595); - - var part596 = match("MESSAGE#567:SNMPD_TRAP_INVALID_DATA", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: SNMP trap error: %{result->} (%{dclass_counter2}) received", processor_chain([ - dup30, - dup22, - setc("event_description","SNMPD TRAP INVALID DATA"), - dup23, - ])); - - var msg573 = msg("SNMPD_TRAP_INVALID_DATA", part596); - - var part597 = match("MESSAGE#568:SNMPD_TRAP_NOT_ENOUGH_VARBINDS", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: SNMP trap error: %{info->} (%{result})", processor_chain([ - 
dup30, - dup22, - setc("event_description","SNMPD TRAP ERROR"), - dup23, - ])); - - var msg574 = msg("SNMPD_TRAP_NOT_ENOUGH_VARBINDS", part597); - - var part598 = match("MESSAGE#569:SNMPD_TRAP_QUEUED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Adding trap to %{dclass_counter2->} to %{obj_name->} queue, %{dclass_counter1->} traps in queue", processor_chain([ - dup21, - dup22, - setc("event_description","Adding trap to queue"), - dup23, - ])); - - var msg575 = msg("SNMPD_TRAP_QUEUED", part598); - - var part599 = match("MESSAGE#570:SNMPD_TRAP_QUEUE_DRAINED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: traps queued to %{obj_name->} sent successfully", processor_chain([ - dup21, - dup22, - setc("event_description","traps queued - sent successfully"), - dup23, - ])); - - var msg576 = msg("SNMPD_TRAP_QUEUE_DRAINED", part599); - - var part600 = match("MESSAGE#571:SNMPD_TRAP_QUEUE_MAX_ATTEMPTS", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: after %{dclass_counter1->} attempts, deleting %{dclass_counter2->} traps queued to %{obj_name}", processor_chain([ - dup30, - dup22, - setc("event_description","SNMPD TRAP QUEUE MAX_ATTEMPTS - deleting some traps"), - dup23, - ])); - - var msg577 = msg("SNMPD_TRAP_QUEUE_MAX_ATTEMPTS", part600); - - var part601 = match("MESSAGE#572:SNMPD_TRAP_QUEUE_MAX_SIZE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: maximum queue size exceeded (%{dclass_counter1}), discarding trap to %{dclass_counter2->} from %{obj_name->} queue", processor_chain([ - dup21, - dup22, - setc("event_description","SNMP TRAP maximum queue size exceeded"), - dup23, - ])); - - var msg578 = msg("SNMPD_TRAP_QUEUE_MAX_SIZE", part601); - - var part602 = match("MESSAGE#573:SNMPD_TRAP_THROTTLED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: traps throttled after %{dclass_counter1->} traps", processor_chain([ - dup21, - dup22, - 
setc("event_description","SNMP traps throttled"), - dup23, - ])); - - var msg579 = msg("SNMPD_TRAP_THROTTLED", part602); - - var part603 = match("MESSAGE#574:SNMPD_TRAP_TYPE_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: unknown trap type requested (%{obj_type->} )", processor_chain([ - dup30, - dup22, - setc("event_description","unknown SNMP trap type requested"), - dup23, - ])); - - var msg580 = msg("SNMPD_TRAP_TYPE_ERROR", part603); - - var part604 = match("MESSAGE#575:SNMPD_TRAP_VARBIND_TYPE_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: SNMP trap error: expecting %{dclass_counter1->} varbind to be VT_NUMBER (%{resultcode->} )", processor_chain([ - dup30, - dup22, - setc("event_description","SNMPD TRAP VARBIND TYPE ERROR"), - dup23, - ])); - - var msg581 = msg("SNMPD_TRAP_VARBIND_TYPE_ERROR", part604); - - var part605 = match("MESSAGE#576:SNMPD_TRAP_VERSION_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: SNMP trap error: invalid version signature (%{result})", processor_chain([ - dup30, - dup22, - setc("event_description","SNMPD TRAP ERROR - invalid version signature"), - dup23, - ])); - - var msg582 = msg("SNMPD_TRAP_VERSION_ERROR", part605); - - var part606 = match("MESSAGE#577:SNMPD_TRAP_WARM_START", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: SNMP trap: warm start", processor_chain([ - dup21, - dup22, - setc("event_description","SNMPD TRAP WARM START"), - dup23, - ])); - - var msg583 = msg("SNMPD_TRAP_WARM_START", part606); - - var part607 = match("MESSAGE#578:SNMPD_USER_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: %{result->} in %{dclass_counter1->} user '%{username}' %{dclass_counter2}", processor_chain([ - dup30, - dup22, - setc("event_description","SNMPD USER ERROR"), - dup23, - ])); - - var msg584 = msg("SNMPD_USER_ERROR", part607); - - var part608 = match("MESSAGE#579:SNMPD_VIEW_DELETE", 
"nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: deleting view %{dclass_counter2->} %{result}", processor_chain([ - dup21, - dup22, - setc("event_description","SNMP deleting view"), - dup23, - ])); - - var msg585 = msg("SNMPD_VIEW_DELETE", part608); - - var part609 = match("MESSAGE#580:SNMPD_VIEW_INSTALL_DEFAULT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: %{result->} installing default %{dclass_counter1->} view %{dclass_counter2}", processor_chain([ - dup21, - dup22, - setc("event_description","installing default SNMP view"), - dup23, - ])); - - var msg586 = msg("SNMPD_VIEW_INSTALL_DEFAULT", part609); - - var part610 = match("MESSAGE#581:SNMPD_VIEW_OID_PARSE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: oid parsing failed for view %{dclass_counter2->} oid %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","oid parsing failed for SNMP view"), - dup23, - ])); - - var msg587 = msg("SNMPD_VIEW_OID_PARSE", part610); - - var part611 = match("MESSAGE#582:SNMP_GET_ERROR1", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent->} %{dclass_counter1->} failed for %{dclass_counter2->} : %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","SNMP_GET_ERROR 1"), - dup23, - ])); - - var msg588 = msg("SNMP_GET_ERROR1", part611); - - var part612 = match("MESSAGE#583:SNMP_GET_ERROR2", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent->} %{dclass_counter1->} failed for %{dclass_counter2->} : %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","SNMP GET ERROR 2"), - dup23, - ])); - - var msg589 = msg("SNMP_GET_ERROR2", part612); - - var part613 = match("MESSAGE#584:SNMP_GET_ERROR3", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent->} %{dclass_counter1->} failed for %{dclass_counter2->} : %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","SNMP GET ERROR 
3"), - dup23, - ])); - - var msg590 = msg("SNMP_GET_ERROR3", part613); - - var part614 = match("MESSAGE#585:SNMP_GET_ERROR4", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent->} %{dclass_counter1->} failed for %{dclass_counter2->} : %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","SNMP GET ERROR 4"), - dup23, - ])); - - var msg591 = msg("SNMP_GET_ERROR4", part614); - - var part615 = match("MESSAGE#586:SNMP_RTSLIB_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: rtslib-error: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","SNMP RTSLIB FAILURE"), - dup23, - ])); - - var msg592 = msg("SNMP_RTSLIB_FAILURE", part615); - - var part616 = match("MESSAGE#587:SNMP_TRAP_LINK_DOWN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: ifIndex %{dclass_counter1}, ifAdminStatus %{resultcode}, ifOperStatus %{result}, ifName %{interface}", processor_chain([ - dup30, - dup22, - dup108, - dup23, - ])); - - var msg593 = msg("SNMP_TRAP_LINK_DOWN", part616); - - var part617 = match("MESSAGE#596:SNMP_TRAP_LINK_DOWN:01", "nwparser.payload", "%{process->} %{process_id->} %{event_type->} [junos@%{obj_name->} snmp-interface-index=\"%{fld1}\" admin-status=\"%{fld3}\" operational-status=\"%{fld2}\" interface-name=\"%{interface}\"]", processor_chain([ - dup30, - dup22, - dup108, - dup61, - dup62, - ])); - - var msg594 = msg("SNMP_TRAP_LINK_DOWN:01", part617); - - var select55 = linear_select([ - msg593, - msg594, - ]); - - var part618 = match("MESSAGE#588:SNMP_TRAP_LINK_UP", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: ifIndex %{dclass_counter1}, ifAdminStatus %{resultcode}, ifOperStatus %{result}, ifName %{interface}", processor_chain([ - dup21, - dup22, - dup109, - dup23, - ])); - - var msg595 = msg("SNMP_TRAP_LINK_UP", part618); - - var part619 = match("MESSAGE#597:SNMP_TRAP_LINK_UP:01", "nwparser.payload", "%{process->} %{process_id->} %{event_type->} 
[junos@%{obj_name->} snmp-interface-index=\"%{fld1}\" admin-status=\"%{fld3}\" operational-status=\"%{event_state}\" interface-name=\"%{interface}\"]", processor_chain([ - dup21, - dup22, - dup109, - dup61, - dup62, - ])); - - var msg596 = msg("SNMP_TRAP_LINK_UP:01", part619); - - var select56 = linear_select([ - msg595, - msg596, - ]); - - var part620 = match("MESSAGE#589:SNMP_TRAP_PING_PROBE_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: pingCtlOwnerIndex = %{dclass_counter1}, pingCtlTestName = %{obj_name}", processor_chain([ - dup30, - dup22, - setc("event_description","SNMP TRAP PING PROBE FAILED"), - dup23, - ])); - - var msg597 = msg("SNMP_TRAP_PING_PROBE_FAILED", part620); - - var part621 = match("MESSAGE#590:SNMP_TRAP_PING_TEST_COMPLETED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: pingCtlOwnerIndex = %{dclass_counter1}, pingCtlTestName = %{obj_name}", processor_chain([ - dup21, - dup22, - setc("event_description","SNMP TRAP PING TEST COMPLETED"), - dup23, - ])); - - var msg598 = msg("SNMP_TRAP_PING_TEST_COMPLETED", part621); - - var part622 = match("MESSAGE#591:SNMP_TRAP_PING_TEST_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: pingCtlOwnerIndex = %{dclass_counter1}, pingCtlTestName = %{obj_name}", processor_chain([ - dup30, - dup22, - setc("event_description","SNMP TRAP PING TEST FAILED"), - dup23, - ])); - - var msg599 = msg("SNMP_TRAP_PING_TEST_FAILED", part622); - - var part623 = match("MESSAGE#592:SNMP_TRAP_TRACE_ROUTE_PATH_CHANGE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: traceRouteCtlOwnerIndex = %{dclass_counter1}, traceRouteCtlTestName = %{obj_name}", processor_chain([ - dup21, - dup22, - setc("event_description","SNMP TRAP TRACE ROUTE PATH CHANGE"), - dup23, - ])); - - var msg600 = msg("SNMP_TRAP_TRACE_ROUTE_PATH_CHANGE", part623); - - var part624 = match("MESSAGE#593:SNMP_TRAP_TRACE_ROUTE_TEST_COMPLETED", "nwparser.payload", "%{process}[%{process_id}]: 
%{event_type}: traceRouteCtlOwnerIndex = %{dclass_counter1}, traceRouteCtlTestName = %{obj_name}", processor_chain([ - dup21, - dup22, - setc("event_description","SNMP TRAP TRACE ROUTE TEST COMPLETED"), - dup23, - ])); - - var msg601 = msg("SNMP_TRAP_TRACE_ROUTE_TEST_COMPLETED", part624); - - var part625 = match("MESSAGE#594:SNMP_TRAP_TRACE_ROUTE_TEST_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: traceRouteCtlOwnerIndex = %{dclass_counter1}, traceRouteCtlTestName = %{obj_name}", processor_chain([ - dup30, - dup22, - setc("event_description","SNMP TRAP TRACE ROUTE TEST FAILED"), - dup23, - ])); - - var msg602 = msg("SNMP_TRAP_TRACE_ROUTE_TEST_FAILED", part625); - - var part626 = match("MESSAGE#598:SSHD_LOGIN_FAILED", "nwparser.payload", "%{process}: %{event_type}: Login failed for user '%{username}' from host '%{saddr}'", processor_chain([ - dup44, - dup34, - dup35, - dup36, - dup43, - dup22, - dup110, - dup23, - ])); - - var msg603 = msg("SSHD_LOGIN_FAILED", part626); - - var part627 = match("MESSAGE#599:SSHD_LOGIN_FAILED:01", "nwparser.payload", "%{event_type->} [junos@%{obj_name->} username=\"%{username}\" source-address=\"%{saddr}\"]", processor_chain([ - dup44, - dup34, - dup35, - dup36, - dup43, - dup22, - dup110, - dup61, - dup52, - setf("process","hfld33"), - ])); - - var msg604 = msg("SSHD_LOGIN_FAILED:01", part627); - - var select57 = linear_select([ - msg603, - msg604, - ]); - - var part628 = match("MESSAGE#600:task_connect", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: task %{agent->} addr %{daddr}+%{dport}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","task connect failure"), - dup23, - ])); - - var msg605 = msg("task_connect", part628); - - var msg606 = msg("TASK_TASK_REINIT", dup149); - - var part629 = match("MESSAGE#602:TFTPD_AF_ERR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unexpected address family %{dclass_counter2}", processor_chain([ - dup30, - dup22, 
- setc("event_description","Unexpected address family"), - dup23, - ])); - - var msg607 = msg("TFTPD_AF_ERR", part629); - - var part630 = match("MESSAGE#603:TFTPD_BIND_ERR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: bind: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","TFTPD BIND ERROR"), - dup23, - ])); - - var msg608 = msg("TFTPD_BIND_ERR", part630); - - var part631 = match("MESSAGE#604:TFTPD_CONNECT_ERR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: connect: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","TFTPD CONNECT ERROR"), - dup23, - ])); - - var msg609 = msg("TFTPD_CONNECT_ERR", part631); - - var part632 = match("MESSAGE#605:TFTPD_CONNECT_INFO", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: TFTP %{protocol->} from address %{daddr->} port %{dport->} file %(unknown)", processor_chain([ - dup21, - dup22, - setc("event_description","TFTPD CONNECT INFO"), - dup23, - ])); - - var msg610 = msg("TFTPD_CONNECT_INFO", part632); - - var part633 = match("MESSAGE#606:TFTPD_CREATE_ERR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: check_space %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","TFTPD CREATE ERROR"), - dup23, - ])); - - var msg611 = msg("TFTPD_CREATE_ERR", part633); - - var part634 = match("MESSAGE#607:TFTPD_FIO_ERR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","TFTPD FIO ERR"), - dup23, - ])); - - var msg612 = msg("TFTPD_FIO_ERR", part634); - - var part635 = match("MESSAGE#608:TFTPD_FORK_ERR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: fork: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","TFTPD FORK ERROR"), - dup23, - ])); - - var msg613 = msg("TFTPD_FORK_ERR", part635); - - var part636 = match("MESSAGE#609:TFTPD_NAK_ERR", "nwparser.payload", 
"%{process}[%{process_id}]: %{event_type}: nak error %{resultcode}, %{dclass_counter1}", processor_chain([ - dup30, - dup22, - setc("event_description","TFTPD NAK ERROR"), - dup23, - ])); - - var msg614 = msg("TFTPD_NAK_ERR", part636); - - var part637 = match("MESSAGE#610:TFTPD_OPEN_ERR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to open file '%(unknown)', error: %{result}", processor_chain([ - dup30, - dup22, - dup78, - dup23, - ])); - - var msg615 = msg("TFTPD_OPEN_ERR", part637); - - var part638 = match("MESSAGE#611:TFTPD_RECVCOMPLETE_INFO", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Received %{dclass_counter1->} blocks of %{dclass_counter2->} size for file '%(unknown)'", processor_chain([ - dup21, - dup22, - setc("event_description","TFTPD RECVCOMPLETE INFO"), - dup23, - ])); - - var msg616 = msg("TFTPD_RECVCOMPLETE_INFO", part638); - - var part639 = match("MESSAGE#612:TFTPD_RECVFROM_ERR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: recvfrom: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","TFTPD RECVFROM ERROR"), - dup23, - ])); - - var msg617 = msg("TFTPD_RECVFROM_ERR", part639); - - var part640 = match("MESSAGE#613:TFTPD_RECV_ERR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: recv: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","TFTPD RECV ERROR"), - dup23, - ])); - - var msg618 = msg("TFTPD_RECV_ERR", part640); - - var part641 = match("MESSAGE#614:TFTPD_SENDCOMPLETE_INFO", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Sent %{dclass_counter1->} blocks of %{dclass_counter2->} and %{info->} for file '%(unknown)'", processor_chain([ - dup21, - dup22, - setc("event_description","TFTPD SENDCOMPLETE INFO"), - dup23, - ])); - - var msg619 = msg("TFTPD_SENDCOMPLETE_INFO", part641); - - var part642 = match("MESSAGE#615:TFTPD_SEND_ERR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: send: 
%{result}", processor_chain([ - dup30, - dup22, - setc("event_description","TFTPD SEND ERROR"), - dup23, - ])); - - var msg620 = msg("TFTPD_SEND_ERR", part642); - - var part643 = match("MESSAGE#616:TFTPD_SOCKET_ERR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: socket: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","TFTPD SOCKET ERROR"), - dup23, - ])); - - var msg621 = msg("TFTPD_SOCKET_ERR", part643); - - var part644 = match("MESSAGE#617:TFTPD_STATFS_ERR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: statfs %{agent}, error: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","TFTPD STATFS ERROR"), - dup23, - ])); - - var msg622 = msg("TFTPD_STATFS_ERR", part644); - - var part645 = match("MESSAGE#618:TNP", "nwparser.payload", "%{process}: %{event_type}: adding neighbor %{dclass_counter1->} to interface %{interface}", processor_chain([ - dup21, - dup22, - setc("event_description","adding neighbor to interface"), - dup23, - ])); - - var msg623 = msg("TNP", part645); - - var part646 = match("MESSAGE#619:trace_on", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: tracing to %{fld33->} started", processor_chain([ - dup21, - dup22, - setc("event_description","tracing to file"), - dup23, - call({ - dest: "nwparser.filename", - fn: RMQ, - args: [ - field("fld33"), - ], - }), - ])); - - var msg624 = msg("trace_on", part646); - - var part647 = match("MESSAGE#620:trace_rotate", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: rotating %(unknown)", processor_chain([ - dup21, - dup22, - setc("event_description","trace rotating file"), - dup23, - ])); - - var msg625 = msg("trace_rotate", part647); - - var part648 = match("MESSAGE#621:transfer-file", "nwparser.payload", "%{process}: %{event_type}: Transferred %(unknown)", processor_chain([ - dup21, - dup22, - setc("event_description","transfered file"), - dup23, - ])); - - var msg626 = msg("transfer-file", 
part648); - - var part649 = match("MESSAGE#622:ttloop", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: peer died: %{result}: %{resultcode}", processor_chain([ - dup30, - dup22, - setc("event_description","ttloop - peer died"), - dup23, - ])); - - var msg627 = msg("ttloop", part649); - - var part650 = match("MESSAGE#623:UI_AUTH_EVENT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Authenticated user '%{username}' at permission level '%{privilege}'", processor_chain([ - dup80, - dup34, - dup35, - dup37, - dup22, - setc("event_description","Authenticated user"), - dup23, - ])); - - var msg628 = msg("UI_AUTH_EVENT", part650); - - var part651 = match("MESSAGE#624:UI_AUTH_INVALID_CHALLENGE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Received invalid authentication challenge for user '%{username}': response", processor_chain([ - dup30, - dup22, - setc("event_description","Received invalid authentication challenge for user response"), - dup23, - ])); - - var msg629 = msg("UI_AUTH_INVALID_CHALLENGE", part651); - - var part652 = match("MESSAGE#625:UI_BOOTTIME_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to fetch boot time: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Unable to fetch boot time"), - dup23, - ])); - - var msg630 = msg("UI_BOOTTIME_FAILED", part652); - - var part653 = match("MESSAGE#626:UI_CFG_AUDIT_NEW", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: user '%{username}' %{dclass_counter2->} path unknown", processor_chain([ - dup30, - dup22, - setc("event_description","user path unknown"), - dup23, - ])); - - var msg631 = msg("UI_CFG_AUDIT_NEW", part653); - - var part654 = match("MESSAGE#627:UI_CFG_AUDIT_NEW:01", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' insert: [edit-config config %{filename->} security policies %{policyname}] %{info}", processor_chain([ - dup42, - dup22, - 
setc("event_description"," user Inserted Security Policies in config"), - dup23, - ])); - - var msg632 = msg("UI_CFG_AUDIT_NEW:01", part654); - - var select58 = linear_select([ - msg631, - msg632, - ]); - - var part655 = match("MESSAGE#628:UI_CFG_AUDIT_OTHER", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' delete: [%(unknown)]", processor_chain([ - dup21, - dup22, - setc("event_description","User deleted file"), - setc("action","delete"), - dup23, - ])); - - var msg633 = msg("UI_CFG_AUDIT_OTHER", part655); - - var part656 = match("MESSAGE#629:UI_CFG_AUDIT_OTHER:01", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' rollback: %(unknown)", processor_chain([ - dup21, - dup22, - setc("event_description","User rollback file"), - dup23, - ])); - - var msg634 = msg("UI_CFG_AUDIT_OTHER:01", part656); - - var part657 = match("MESSAGE#630:UI_CFG_AUDIT_OTHER:02/1_0", "nwparser.p0", "\"%{info}\""); - - var select59 = linear_select([ - part657, - dup112, - ]); - - var all31 = all_match({ - processors: [ - dup111, - select59, - ], - on_success: processor_chain([ - dup21, - dup22, - setc("event_description","User set"), - dup23, - ]), - }); - - var msg635 = msg("UI_CFG_AUDIT_OTHER:02", all31); - - var part658 = match("MESSAGE#631:UI_CFG_AUDIT_OTHER:03", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' replace: [edit-config config %{filename->} applications %{info}]", processor_chain([ - dup21, - dup22, - setc("event_description","User config replace"), - setc("action","replace"), - dup23, - ])); - - var msg636 = msg("UI_CFG_AUDIT_OTHER:03", part658); - - var part659 = match("MESSAGE#632:UI_CFG_AUDIT_OTHER:04", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' deactivate: [groups %{info}]", processor_chain([ - setc("eventcategory","1701070000"), - dup22, - setc("event_description","User deactivating group(s)"), - setc("action","deactivate"), - 
dup23, - ])); - - var msg637 = msg("UI_CFG_AUDIT_OTHER:04", part659); - - var part660 = match("MESSAGE#633:UI_CFG_AUDIT_OTHER:05", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' update: %(unknown)", processor_chain([ - dup113, - dup22, - setc("event_description","User updates config file"), - setc("action","update"), - dup23, - ])); - - var msg638 = msg("UI_CFG_AUDIT_OTHER:05", part660); - - var select60 = linear_select([ - msg633, - msg634, - msg635, - msg636, - msg637, - msg638, - ]); - - var part661 = match("MESSAGE#634:UI_CFG_AUDIT_SET:01/1_0", "nwparser.p0", "\"%{change_old}\" %{p0}"); - - var select61 = linear_select([ - part661, - dup114, - ]); - - var all32 = all_match({ - processors: [ - dup111, - select61, - dup115, - ], - on_success: processor_chain([ - dup21, - dup22, - dup116, - dup23, - ]), - }); - - var msg639 = msg("UI_CFG_AUDIT_SET:01", all32); - - var part662 = match("MESSAGE#635:UI_CFG_AUDIT_SET:02/1_0", "nwparser.p0", "\"%{change_old->} %{p0}"); - - var select62 = linear_select([ - part662, - dup114, - ]); - - var all33 = all_match({ - processors: [ - dup111, - select62, - dup115, - ], - on_success: processor_chain([ - dup21, - dup22, - dup116, - dup23, - ]), - }); - - var msg640 = msg("UI_CFG_AUDIT_SET:02", all33); - - var part663 = match("MESSAGE#636:UI_CFG_AUDIT_SET", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' replace: [edit-config config %{filename->} applications %{info}] \u003c\u003c%{disposition}> -> \"%{agent}\"", processor_chain([ - dup21, - dup22, - setc("event_description","User replace config application(s)"), - dup23, - ])); - - var msg641 = msg("UI_CFG_AUDIT_SET", part663); - - var select63 = linear_select([ - msg639, - msg640, - msg641, - ]); - - var part664 = match("MESSAGE#637:UI_CFG_AUDIT_SET_SECRET:01/2", "nwparser.p0", ": [groups %{info->} secret]"); - - var all34 = all_match({ - processors: [ - dup117, - dup156, - part664, - ], - on_success: 
processor_chain([ - dup113, - dup22, - dup120, - dup23, - ]), - }); - - var msg642 = msg("UI_CFG_AUDIT_SET_SECRET:01", all34); - - var part665 = match("MESSAGE#638:UI_CFG_AUDIT_SET_SECRET:02/2", "nwparser.p0", ": [%{info}]"); - - var all35 = all_match({ - processors: [ - dup117, - dup156, - part665, - ], - on_success: processor_chain([ - dup113, - dup22, - dup120, - dup23, - ]), - }); - - var msg643 = msg("UI_CFG_AUDIT_SET_SECRET:02", all35); - - var part666 = match("MESSAGE#639:UI_CFG_AUDIT_SET_SECRET", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: user '%{username}' %{dclass_counter2->} %{directory}", processor_chain([ - dup21, - dup22, - setc("event_description","UI CFG AUDIT SET SECRET"), - dup23, - ])); - - var msg644 = msg("UI_CFG_AUDIT_SET_SECRET", part666); - - var select64 = linear_select([ - msg642, - msg643, - msg644, - ]); - - var part667 = match("MESSAGE#640:UI_CHILD_ARGS_EXCEEDED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Too many arguments for child process '%{agent}'", processor_chain([ - dup30, - dup22, - setc("event_description","Too many arguments for child process"), - dup23, - ])); - - var msg645 = msg("UI_CHILD_ARGS_EXCEEDED", part667); - - var part668 = match("MESSAGE#641:UI_CHILD_CHANGE_USER", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to switch to local user: %{username}", processor_chain([ - dup30, - dup22, - setc("event_description","Unable to switch to local user"), - dup23, - ])); - - var msg646 = msg("UI_CHILD_CHANGE_USER", part668); - - var part669 = match("MESSAGE#642:UI_CHILD_EXEC", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Child exec failed for command '%{action}': %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Child exec failed"), - dup23, - ])); - - var msg647 = msg("UI_CHILD_EXEC", part669); - - var part670 = match("MESSAGE#643:UI_CHILD_EXITED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Child 
exited: PID %{child_pid}, status %{result}, command '%{action}'", processor_chain([ - dup30, - dup22, - setc("event_description","Child exited"), - dup23, - ])); - - var msg648 = msg("UI_CHILD_EXITED", part670); - - var part671 = match("MESSAGE#644:UI_CHILD_FOPEN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to append to log '%(unknown)': %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Unable to append to log"), - dup23, - ])); - - var msg649 = msg("UI_CHILD_FOPEN", part671); - - var part672 = match("MESSAGE#645:UI_CHILD_PIPE_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to create pipe for command '%{action}': %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Unable to create pipe for command"), - dup23, - ])); - - var msg650 = msg("UI_CHILD_PIPE_FAILED", part672); - - var part673 = match("MESSAGE#646:UI_CHILD_SIGNALED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Child received signal: PID %{child_pid}, signal %{result}: %{resultcode}, command='%{action}'", processor_chain([ - dup21, - dup22, - dup61, - setc("event_description","Child received signal"), - dup23, - ])); - - var msg651 = msg("UI_CHILD_SIGNALED", part673); - - var part674 = match("MESSAGE#647:UI_CHILD_STOPPED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Child stopped: PID %{child_pid}, signal=%{resultcode->} command='%{action}')", processor_chain([ - dup21, - dup22, - setc("event_description","Child stopped"), - dup23, - ])); - - var msg652 = msg("UI_CHILD_STOPPED", part674); - - var part675 = match("MESSAGE#648:UI_CHILD_START", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Starting child '%{agent}'", processor_chain([ - dup21, - dup22, - setc("event_description","Starting child"), - dup23, - ])); - - var msg653 = msg("UI_CHILD_START", part675); - - var part676 = match("MESSAGE#649:UI_CHILD_STATUS", "nwparser.payload", 
"%{process}[%{process_id}]: %{event_type}: Cleanup child '%{agent}', PID %{child_pid}, status %{result}", processor_chain([ - dup21, - dup22, - setc("event_description","Cleanup child"), - dup23, - ])); - - var msg654 = msg("UI_CHILD_STATUS", part676); - - var part677 = match("MESSAGE#650:UI_CHILD_WAITPID", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: waitpid failed: PID %{child_pid}, rc %{dclass_counter2}, status %{resultcode}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","waitpid failed"), - dup23, - ])); - - var msg655 = msg("UI_CHILD_WAITPID", part677); - - var part678 = match("MESSAGE#651:UI_CLI_IDLE_TIMEOUT", "nwparser.payload", "%{event_type}: Idle timeout for user '%{username}' exceeded and %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Idle timeout for user exceeded"), - dup23, - ])); - - var msg656 = msg("UI_CLI_IDLE_TIMEOUT", part678); - - var part679 = match("MESSAGE#652:UI_CMDLINE_READ_LINE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}', command '%{action}'", processor_chain([ - dup21, - dup22, - dup121, - dup23, - ])); - - var msg657 = msg("UI_CMDLINE_READ_LINE", part679); - - var part680 = match("MESSAGE#653:UI_CMDSET_EXEC_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Command execution failed for '%{agent}': %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Command execution failed"), - dup23, - ])); - - var msg658 = msg("UI_CMDSET_EXEC_FAILED", part680); - - var part681 = match("MESSAGE#654:UI_CMDSET_FORK_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to fork command '%{agent}': %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Unable to fork command"), - dup23, - ])); - - var msg659 = msg("UI_CMDSET_FORK_FAILED", part681); - - var msg660 = msg("UI_CMDSET_PIPE_FAILED", dup144); - - var part682 = 
match("MESSAGE#656:UI_CMDSET_STOPPED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Command stopped: PID %{child_pid}, signal '%{resultcode}, command '%{action}'", processor_chain([ - dup30, - dup22, - dup70, - dup23, - ])); - - var msg661 = msg("UI_CMDSET_STOPPED", part682); - - var part683 = match("MESSAGE#657:UI_CMDSET_WEXITED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Command exited: PID %{child_pid}, status %{resultcode}, command '%{action}'", processor_chain([ - dup30, - dup22, - dup72, - dup23, - ])); - - var msg662 = msg("UI_CMDSET_WEXITED", part683); - - var part684 = match("MESSAGE#658:UI_CMD_AUTH_REGEX_INVALID", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Invalid '%{action}' command authorization regular expression '%{agent}': %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Invalid regexp command"), - dup23, - ])); - - var msg663 = msg("UI_CMD_AUTH_REGEX_INVALID", part684); - - var part685 = match("MESSAGE#659:UI_COMMIT/1_0", "nwparser.p0", "requested '%{action}' operation (comment:%{info})"); - - var part686 = match("MESSAGE#659:UI_COMMIT/1_1", "nwparser.p0", "performed %{action}"); - - var select65 = linear_select([ - part685, - part686, - ]); - - var all36 = all_match({ - processors: [ - dup117, - select65, - ], - on_success: processor_chain([ - dup21, - dup22, - dup122, - dup23, - ]), - }); - - var msg664 = msg("UI_COMMIT", all36); - - var part687 = match("MESSAGE#660:UI_COMMIT_AT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: user '%{username}' performed %{result}", processor_chain([ - dup21, - dup22, - dup122, - dup23, - ])); - - var msg665 = msg("UI_COMMIT_AT", part687); - - var part688 = match("MESSAGE#661:UI_COMMIT_AT_COMPLETED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: '%{agent}' was successful", processor_chain([ - dup21, - dup22, - setc("event_description","User commit successful"), - dup23, - ])); - - var msg666 = 
msg("UI_COMMIT_AT_COMPLETED", part688); - - var part689 = match("MESSAGE#662:UI_COMMIT_AT_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{result}, %{info}", processor_chain([ - dup30, - dup22, - setc("event_description","User commit failed"), - dup23, - ])); - - var msg667 = msg("UI_COMMIT_AT_FAILED", part689); - - var part690 = match("MESSAGE#663:UI_COMMIT_COMPRESS_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to compress file %(unknown)'", processor_chain([ - dup30, - dup22, - setc("event_description","Unable to compress file"), - dup23, - ])); - - var msg668 = msg("UI_COMMIT_COMPRESS_FAILED", part690); - - var part691 = match("MESSAGE#664:UI_COMMIT_CONFIRMED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: user '%{username}' performed '%{action}'", processor_chain([ - dup21, - dup22, - setc("event_description","UI COMMIT CONFIRMED"), - dup23, - ])); - - var msg669 = msg("UI_COMMIT_CONFIRMED", part691); - - var part692 = match("MESSAGE#665:UI_COMMIT_CONFIRMED_REMINDER/0", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: '%{action}' must be confirmed within %{p0}"); - - var part693 = match("MESSAGE#665:UI_COMMIT_CONFIRMED_REMINDER/1_0", "nwparser.p0", "minutes %{dclass_counter1}"); - - var part694 = match("MESSAGE#665:UI_COMMIT_CONFIRMED_REMINDER/1_1", "nwparser.p0", "%{dclass_counter1->} minutes"); - - var select66 = linear_select([ - part693, - part694, - ]); - - var all37 = all_match({ - processors: [ - part692, - select66, - ], - on_success: processor_chain([ - dup21, - dup22, - setc("event_description","COMMIT must be confirmed within # minutes"), - dup23, - ]), - }); - - var msg670 = msg("UI_COMMIT_CONFIRMED_REMINDER", all37); - - var part695 = match("MESSAGE#666:UI_COMMIT_CONFIRMED_TIMED/2", "nwparser.p0", "'%{username}' performed '%{action}'"); - - var all38 = all_match({ - processors: [ - dup50, - dup145, - part695, - ], - on_success: processor_chain([ - dup21, - 
dup22, - setc("event_description","user performed commit confirm"), - dup23, - ]), - }); - - var msg671 = msg("UI_COMMIT_CONFIRMED_TIMED", all38); - - var part696 = match("MESSAGE#667:UI_COMMIT_EMPTY_CONTAINER", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Skipped empty object %{result}", processor_chain([ - dup21, - dup22, - setc("event_description","Skipped empty object"), - dup23, - ])); - - var msg672 = msg("UI_COMMIT_EMPTY_CONTAINER", part696); - - var part697 = match("MESSAGE#668:UI_COMMIT_NOT_CONFIRMED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Commit was not confirmed; %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","COMMIT NOT CONFIRMED"), - dup23, - ])); - - var msg673 = msg("UI_COMMIT_NOT_CONFIRMED", part697); - - var part698 = match("MESSAGE#669:UI_COMMIT_PROGRESS/1_0", "nwparser.p0", "commit %{p0}"); - - var part699 = match("MESSAGE#669:UI_COMMIT_PROGRESS/1_1", "nwparser.p0", "Commit operation in progress %{p0}"); - - var select67 = linear_select([ - part698, - part699, - ]); - - var part700 = match("MESSAGE#669:UI_COMMIT_PROGRESS/2", "nwparser.p0", ": %{action}"); - - var all39 = all_match({ - processors: [ - dup50, - select67, - part700, - ], - on_success: processor_chain([ - dup21, - dup22, - setc("event_description","Commit operation in progress"), - dup23, - ]), - }); - - var msg674 = msg("UI_COMMIT_PROGRESS", all39); - - var part701 = match("MESSAGE#670:UI_COMMIT_QUIT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: user '%{username}' performed %{action}", processor_chain([ - dup21, - dup22, - setc("event_description","COMMIT QUIT"), - dup23, - ])); - - var msg675 = msg("UI_COMMIT_QUIT", part701); - - var part702 = match("MESSAGE#671:UI_COMMIT_ROLLBACK_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Automatic rollback failed", processor_chain([ - dup30, - dup22, - setc("event_description","Automatic rollback failed"), - dup23, - ])); - - var 
msg676 = msg("UI_COMMIT_ROLLBACK_FAILED", part702); - - var part703 = match("MESSAGE#672:UI_COMMIT_SYNC", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: user '%{username}' performed %{action}", processor_chain([ - dup21, - dup22, - setc("event_description","COMMIT SYNC"), - dup23, - ])); - - var msg677 = msg("UI_COMMIT_SYNC", part703); - - var part704 = match("MESSAGE#673:UI_COMMIT_SYNC_FORCE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: All logins to local configuration database were terminated because %{result}", processor_chain([ - dup21, - dup22, - setc("event_description","All logins to local configuration database were terminated"), - dup23, - ])); - - var msg678 = msg("UI_COMMIT_SYNC_FORCE", part704); - - var part705 = match("MESSAGE#674:UI_CONFIGURATION_ERROR/0", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Process: %{agent}, path: %{p0}"); - - var part706 = match("MESSAGE#674:UI_CONFIGURATION_ERROR/1_0", "nwparser.p0", "[%(unknown)], %{p0}"); - - var part707 = match("MESSAGE#674:UI_CONFIGURATION_ERROR/1_1", "nwparser.p0", "%(unknown), %{p0}"); - - var select68 = linear_select([ - part706, - part707, - ]); - - var part708 = match("MESSAGE#674:UI_CONFIGURATION_ERROR/2", "nwparser.p0", "statement: %{info->} %{p0}"); - - var part709 = match("MESSAGE#674:UI_CONFIGURATION_ERROR/3_0", "nwparser.p0", ", error: %{result->} "); - - var select69 = linear_select([ - part709, - dup112, - ]); - - var all40 = all_match({ - processors: [ - part705, - select68, - part708, - select69, - ], - on_success: processor_chain([ - dup30, - dup22, - setc("event_description","CONFIGURATION ERROR"), - dup23, - ]), - }); - - var msg679 = msg("UI_CONFIGURATION_ERROR", all40); - - var part710 = match("MESSAGE#675:UI_DAEMON_ACCEPT_FAILED/2", "nwparser.p0", "socket connection accept failed: %{result}"); - - var all41 = all_match({ - processors: [ - dup50, - dup157, - part710, - ], - on_success: processor_chain([ - dup30, - dup22, - 
setc("event_description","socket connection accept failed"), - dup23, - ]), - }); - - var msg680 = msg("UI_DAEMON_ACCEPT_FAILED", all41); - - var part711 = match("MESSAGE#676:UI_DAEMON_FORK_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to create session child: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Unable to create session child"), - dup23, - ])); - - var msg681 = msg("UI_DAEMON_FORK_FAILED", part711); - - var part712 = match("MESSAGE#677:UI_DAEMON_SELECT_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: select failed: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","DAEMON SELECT FAILED"), - dup23, - ])); - - var msg682 = msg("UI_DAEMON_SELECT_FAILED", part712); - - var part713 = match("MESSAGE#678:UI_DAEMON_SOCKET_FAILED/2", "nwparser.p0", "socket create failed: %{result}"); - - var all42 = all_match({ - processors: [ - dup50, - dup157, - part713, - ], - on_success: processor_chain([ - dup30, - dup22, - setc("event_description","socket create failed"), - dup23, - ]), - }); - - var msg683 = msg("UI_DAEMON_SOCKET_FAILED", all42); - - var part714 = match("MESSAGE#679:UI_DBASE_ACCESS_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to reaccess database file '%(unknown)', address %{interface}, size %{dclass_counter1}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Unable to reaccess database file"), - dup23, - ])); - - var msg684 = msg("UI_DBASE_ACCESS_FAILED", part714); - - var part715 = match("MESSAGE#680:UI_DBASE_CHECKOUT_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Database '%(unknown)' is out of data and needs to be rebuilt", processor_chain([ - dup30, - dup22, - setc("event_description","Database is out of data"), - dup23, - ])); - - var msg685 = msg("UI_DBASE_CHECKOUT_FAILED", part715); - - var part716 = match("MESSAGE#681:UI_DBASE_EXTEND_FAILED", 
"nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to extend database file '%(unknown)' to size %{dclass_counter1}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Unable to extend database file"), - dup23, - ])); - - var msg686 = msg("UI_DBASE_EXTEND_FAILED", part716); - - var part717 = match("MESSAGE#682:UI_DBASE_LOGIN_EVENT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' entering configuration mode", processor_chain([ - dup33, - dup34, - dup35, - dup36, - dup37, - dup22, - setc("event_description","User entering configuration mode"), - dup23, - ])); - - var msg687 = msg("UI_DBASE_LOGIN_EVENT", part717); - - var part718 = match("MESSAGE#683:UI_DBASE_LOGOUT_EVENT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' %{event_description}", processor_chain([ - dup125, - dup34, - dup35, - dup126, - dup37, - dup22, - setc("event_description","User exiting configuration mode"), - dup23, - ])); - - var msg688 = msg("UI_DBASE_LOGOUT_EVENT", part718); - - var part719 = match("MESSAGE#684:UI_DBASE_MISMATCH_EXTENT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Database header extent mismatch for file '%{agent}': expecting %{dclass_counter1}, got %{dclass_counter2}", processor_chain([ - dup30, - dup22, - setc("event_description","Database header extent mismatch"), - dup23, - ])); - - var msg689 = msg("UI_DBASE_MISMATCH_EXTENT", part719); - - var part720 = match("MESSAGE#685:UI_DBASE_MISMATCH_MAJOR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Database header major version number mismatch for file '%(unknown)': expecting %{dclass_counter1}, got %{dclass_counter2}", processor_chain([ - dup30, - dup22, - setc("event_description","Database header major version number mismatch"), - dup23, - ])); - - var msg690 = msg("UI_DBASE_MISMATCH_MAJOR", part720); - - var part721 = match("MESSAGE#686:UI_DBASE_MISMATCH_MINOR", 
"nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Database header minor version number mismatch for file '%(unknown)': expecting %{dclass_counter1}, got %{dclass_counter2}", processor_chain([ - dup30, - dup22, - setc("event_description","Database header minor version number mismatch"), - dup23, - ])); - - var msg691 = msg("UI_DBASE_MISMATCH_MINOR", part721); - - var part722 = match("MESSAGE#687:UI_DBASE_MISMATCH_SEQUENCE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Database header sequence numbers mismatch for file '%(unknown)'", processor_chain([ - dup30, - dup22, - setc("event_description","Database header sequence numbers mismatch"), - dup23, - ])); - - var msg692 = msg("UI_DBASE_MISMATCH_SEQUENCE", part722); - - var part723 = match("MESSAGE#688:UI_DBASE_MISMATCH_SIZE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Database header size mismatch for file '%(unknown)': expecting %{dclass_counter1}, got %{dclass_counter2}", processor_chain([ - dup30, - dup22, - setc("event_description","Database header size mismatch"), - dup23, - ])); - - var msg693 = msg("UI_DBASE_MISMATCH_SIZE", part723); - - var part724 = match("MESSAGE#689:UI_DBASE_OPEN_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Database open failed for file '%(unknown)': %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Database open failed"), - dup23, - ])); - - var msg694 = msg("UI_DBASE_OPEN_FAILED", part724); - - var part725 = match("MESSAGE#690:UI_DBASE_REBUILD_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User %{username->} Automatic rebuild of the database '%(unknown)' failed", processor_chain([ - dup30, - dup22, - setc("event_description","DBASE REBUILD FAILED"), - dup23, - ])); - - var msg695 = msg("UI_DBASE_REBUILD_FAILED", part725); - - var part726 = match("MESSAGE#691:UI_DBASE_REBUILD_SCHEMA_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: 
Automatic rebuild of the database failed", processor_chain([ - dup30, - dup22, - setc("event_description","Automatic rebuild of the database failed"), - dup23, - ])); - - var msg696 = msg("UI_DBASE_REBUILD_SCHEMA_FAILED", part726); - - var part727 = match("MESSAGE#692:UI_DBASE_REBUILD_STARTED/1_1", "nwparser.p0", "Automatic %{p0}"); - - var select70 = linear_select([ - dup76, - part727, - ]); - - var part728 = match("MESSAGE#692:UI_DBASE_REBUILD_STARTED/2", "nwparser.p0", "%{username->} rebuild/rollback of the database '%(unknown)' started"); - - var all43 = all_match({ - processors: [ - dup50, - select70, - part728, - ], - on_success: processor_chain([ - dup21, - dup22, - setc("event_description","DBASE REBUILD STARTED"), - dup23, - ]), - }); - - var msg697 = msg("UI_DBASE_REBUILD_STARTED", all43); - - var part729 = match("MESSAGE#693:UI_DBASE_RECREATE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: user '%{username}' attempting database re-creation", processor_chain([ - dup21, - dup22, - setc("event_description","user attempting database re-creation"), - dup23, - ])); - - var msg698 = msg("UI_DBASE_RECREATE", part729); - - var part730 = match("MESSAGE#694:UI_DBASE_REOPEN_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Reopen of the database failed", processor_chain([ - dup30, - dup22, - setc("event_description","Reopen of the database failed"), - dup23, - ])); - - var msg699 = msg("UI_DBASE_REOPEN_FAILED", part730); - - var part731 = match("MESSAGE#695:UI_DUPLICATE_UID", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Users %{username->} have the same UID %{uid}", processor_chain([ - dup30, - dup22, - setc("event_description","Users have the same UID"), - dup23, - ])); - - var msg700 = msg("UI_DUPLICATE_UID", part731); - - var part732 = match("MESSAGE#696:UI_JUNOSCRIPT_CMD", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' used JUNOScript client to run command '%{action}'", 
processor_chain([ - setc("eventcategory","1401050100"), - dup22, - setc("event_description","User used JUNOScript client to run command"), - dup23, - ])); - - var msg701 = msg("UI_JUNOSCRIPT_CMD", part732); - - var part733 = match("MESSAGE#697:UI_JUNOSCRIPT_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: JUNOScript error: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","JUNOScript error"), - dup23, - ])); - - var msg702 = msg("UI_JUNOSCRIPT_ERROR", part733); - - var part734 = match("MESSAGE#698:UI_LOAD_EVENT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' is performing a '%{action}'", processor_chain([ - dup21, - dup22, - setc("event_description","User command"), - dup23, - ])); - - var msg703 = msg("UI_LOAD_EVENT", part734); - - var part735 = match("MESSAGE#699:UI_LOAD_JUNOS_DEFAULT_FILE_EVENT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Loading the default config from %(unknown)", processor_chain([ - setc("eventcategory","1701040000"), - dup22, - setc("event_description","Loading default config from file"), - dup23, - ])); - - var msg704 = msg("UI_LOAD_JUNOS_DEFAULT_FILE_EVENT", part735); - - var part736 = match("MESSAGE#700:UI_LOGIN_EVENT:01", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' login, class '%{group}' [%{fld01}], %{info->} '%{saddr->} %{sport->} %{daddr->} %{dport}', client-mode '%{fld02}'", processor_chain([ - dup33, - dup34, - dup35, - dup36, - dup37, - dup22, - dup127, - dup128, - dup23, - ])); - - var msg705 = msg("UI_LOGIN_EVENT:01", part736); - - var part737 = match("MESSAGE#701:UI_LOGIN_EVENT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' login, class '%{group}' %{info}", processor_chain([ - dup33, - dup34, - dup35, - dup36, - dup37, - dup22, - dup127, - dup23, - ])); - - var msg706 = msg("UI_LOGIN_EVENT", part737); - - var select71 = linear_select([ - msg705, - 
msg706, - ]); - - var part738 = match("MESSAGE#702:UI_LOGOUT_EVENT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' logout", processor_chain([ - dup125, - dup34, - dup35, - dup126, - dup37, - dup22, - setc("event_description","User logout"), - dup23, - ])); - - var msg707 = msg("UI_LOGOUT_EVENT", part738); - - var part739 = match("MESSAGE#703:UI_LOST_CONN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Lost connection to daemon %{agent}", processor_chain([ - dup30, - dup22, - setc("event_description","Lost connection to daemon"), - dup23, - ])); - - var msg708 = msg("UI_LOST_CONN", part739); - - var part740 = match("MESSAGE#704:UI_MASTERSHIP_EVENT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action->} by '%{username}'", processor_chain([ - dup21, - dup22, - setc("event_description","MASTERSHIP EVENT"), - dup23, - ])); - - var msg709 = msg("UI_MASTERSHIP_EVENT", part740); - - var part741 = match("MESSAGE#705:UI_MGD_TERMINATE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Terminating operation: exit status %{resultcode}", processor_chain([ - dup21, - dup22, - setc("event_description","Terminating operation"), - dup23, - ])); - - var msg710 = msg("UI_MGD_TERMINATE", part741); - - var part742 = match("MESSAGE#706:UI_NETCONF_CMD", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' used NETCONF client to run command '%{action}'", processor_chain([ - dup29, - dup22, - setc("event_description","User used NETCONF client to run command"), - dup23, - ])); - - var msg711 = msg("UI_NETCONF_CMD", part742); - - var part743 = match("MESSAGE#707:UI_READ_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: read failed for peer %{hostname}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","read failed for peer"), - dup23, - ])); - - var msg712 = msg("UI_READ_FAILED", part743); - - var part744 = 
match("MESSAGE#708:UI_READ_TIMEOUT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Timeout on read of peer %{hostname}", processor_chain([ - dup30, - dup22, - setc("event_description","Timeout on read of peer"), - dup23, - ])); - - var msg713 = msg("UI_READ_TIMEOUT", part744); - - var part745 = match("MESSAGE#709:UI_REBOOT_EVENT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: System %{action->} by '%{username}'", processor_chain([ - dup60, - dup22, - setc("event_description","System reboot or halt"), - dup23, - ])); - - var msg714 = msg("UI_REBOOT_EVENT", part745); - - var part746 = match("MESSAGE#710:UI_RESTART_EVENT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: user '%{username}' restarting daemon %{service}", processor_chain([ - dup29, - dup22, - setc("event_description","user restarting daemon"), - dup23, - ])); - - var msg715 = msg("UI_RESTART_EVENT", part746); - - var part747 = match("MESSAGE#711:UI_SCHEMA_CHECKOUT_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Schema is out of date and %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Schema is out of date"), - dup23, - ])); - - var msg716 = msg("UI_SCHEMA_CHECKOUT_FAILED", part747); - - var part748 = match("MESSAGE#712:UI_SCHEMA_MISMATCH_MAJOR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Schema major version mismatch for package %{filename->} %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Schema major version mismatch"), - dup23, - ])); - - var msg717 = msg("UI_SCHEMA_MISMATCH_MAJOR", part748); - - var part749 = match("MESSAGE#713:UI_SCHEMA_MISMATCH_MINOR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Schema minor version mismatch for package %{filename->} %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Schema minor version mismatch"), - dup23, - ])); - - var msg718 = msg("UI_SCHEMA_MISMATCH_MINOR", part749); - 
- var part750 = match("MESSAGE#714:UI_SCHEMA_MISMATCH_SEQUENCE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Schema header sequence numbers mismatch for package %(unknown)", processor_chain([ - dup30, - dup22, - setc("event_description","Schema header sequence numbers mismatch"), - dup23, - ])); - - var msg719 = msg("UI_SCHEMA_MISMATCH_SEQUENCE", part750); - - var part751 = match("MESSAGE#715:UI_SCHEMA_SEQUENCE_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Schema sequence number mismatch", processor_chain([ - dup30, - dup22, - setc("event_description","Schema sequence number mismatch"), - dup23, - ])); - - var msg720 = msg("UI_SCHEMA_SEQUENCE_ERROR", part751); - - var part752 = match("MESSAGE#716:UI_SYNC_OTHER_RE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Configuration synchronization with remote Routing Engine %{result}", processor_chain([ - dup21, - dup22, - setc("event_description","Configuration synchronization with remote Routing Engine"), - dup23, - ])); - - var msg721 = msg("UI_SYNC_OTHER_RE", part752); - - var part753 = match("MESSAGE#717:UI_TACPLUS_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: TACACS+ failure: %{result}", processor_chain([ - dup30, - dup22, - dup129, - dup23, - ])); - - var msg722 = msg("UI_TACPLUS_ERROR", part753); - - var part754 = match("MESSAGE#718:UI_VERSION_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to fetch system version: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Unable to fetch system version"), - dup23, - ])); - - var msg723 = msg("UI_VERSION_FAILED", part754); - - var part755 = match("MESSAGE#719:UI_WRITE_RECONNECT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Re-establishing connection to peer %{hostname}", processor_chain([ - dup21, - dup22, - setc("event_description","Re-establishing connection to peer"), - dup23, - ])); - - var msg724 = 
msg("UI_WRITE_RECONNECT", part755); - - var part756 = match("MESSAGE#720:VRRPD_NEWMASTER_TRAP", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Interface %{interface->} (local addr: %{saddr}) is now master for %{username}", processor_chain([ - dup21, - dup22, - setc("event_description","Interface new master for User"), - dup23, - ])); - - var msg725 = msg("VRRPD_NEWMASTER_TRAP", part756); - - var part757 = match("MESSAGE#721:WEB_AUTH_FAIL", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to authenticate %{obj_name->} (username %{c_username})", processor_chain([ - dup69, - dup34, - dup35, - dup43, - dup22, - setc("event_description","Unable to authenticate client"), - dup23, - ])); - - var msg726 = msg("WEB_AUTH_FAIL", part757); - - var part758 = match("MESSAGE#722:WEB_AUTH_SUCCESS", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Authenticated %{agent->} client (username %{c_username})", processor_chain([ - dup80, - dup34, - dup35, - dup37, - dup22, - setc("event_description","Authenticated client"), - dup23, - ])); - - var msg727 = msg("WEB_AUTH_SUCCESS", part758); - - var part759 = match("MESSAGE#723:WEB_INTERFACE_UNAUTH", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Web services request received from unauthorized interface %{interface}", processor_chain([ - setc("eventcategory","1001030300"), - dup22, - setc("event_description","web request from unauthorized interface"), - dup23, - ])); - - var msg728 = msg("WEB_INTERFACE_UNAUTH", part759); - - var part760 = match("MESSAGE#724:WEB_READ", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to read from client: %{result}", processor_chain([ - dup74, - dup22, - setc("event_description","Unable to read from client"), - dup23, - ])); - - var msg729 = msg("WEB_READ", part760); - - var part761 = match("MESSAGE#725:WEBFILTER_REQUEST_NOT_CHECKED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Error encountered: 
%{result}, failed to check request %{url}", processor_chain([ - setc("eventcategory","1204020100"), - dup22, - setc("event_description","failed to check web request"), - dup23, - ])); - - var msg730 = msg("WEBFILTER_REQUEST_NOT_CHECKED", part761); - - var part762 = match("MESSAGE#726:FLOW_REASSEMBLE_FAIL", "nwparser.payload", "%{event_type->} [junos@%{obj_name->} source-address=\"%{saddr}\" destination-address=\"%{daddr}\" assembly-id=\"%{fld1}\"]", processor_chain([ - dup74, - dup53, - dup43, - dup22, - dup52, - ])); - - var msg731 = msg("FLOW_REASSEMBLE_FAIL", part762); - - var part763 = match("MESSAGE#727:eswd", "nwparser.payload", "%{process}[%{process_id}]: Bridge Address: add %{macaddr}", processor_chain([ - dup29, - dup22, - setc("event_description","Bridge Address"), - dup23, - ])); - - var msg732 = msg("eswd", part763); - - var part764 = match("MESSAGE#728:eswd:01", "nwparser.payload", "%{process}[%{process_id}]: %{info}: STP state for interface %{interface->} context id %{id->} changed from %{fld3}", processor_chain([ - dup29, - dup22, - setc("event_description","ESWD STP State Change Info"), - dup23, - ])); - - var msg733 = msg("eswd:01", part764); - - var select72 = linear_select([ - msg732, - msg733, - ]); - - var part765 = match("MESSAGE#729:/usr/sbin/cron", "nwparser.payload", "%{process}[%{process_id}]: (%{username}) CMD ( %{action})", processor_chain([ - dup29, - dup22, - dup26, - dup23, - ])); - - var msg734 = msg("/usr/sbin/cron", part765); - - var part766 = match("MESSAGE#730:chassism:02", "nwparser.payload", "%{process}[%{process_id}]: %{info}: ifd %{interface->} %{action}", processor_chain([ - dup29, - dup22, - setc("event_description","Link status change event"), - dup23, - ])); - - var msg735 = msg("chassism:02", part766); - - var part767 = match("MESSAGE#731:chassism:01", "nwparser.payload", "%{process}[%{process_id}]: %{info}: %{interface}, %{action}", processor_chain([ - dup29, - dup22, - setc("event_description","ifd process flaps"), - 
dup23, - ])); - - var msg736 = msg("chassism:01", part767); - - var part768 = match("MESSAGE#732:chassism", "nwparser.payload", "%{process}[%{process_id}]: %{info}: %{action}", processor_chain([ - dup29, - dup22, - setc("event_description","IFCM "), - dup23, - ])); - - var msg737 = msg("chassism", part768); - - var select73 = linear_select([ - msg735, - msg736, - msg737, - ]); - - var msg738 = msg("WEBFILTER_URL_PERMITTED", dup158); - - var part769 = match("MESSAGE#734:WEBFILTER_URL_PERMITTED:01", "nwparser.payload", "%{event_type->} [junos@%{fld21->} source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" name=\"%{info}\" error-message=\"%{result}\" profile-name=\"%{profile}\" object-name=\"%{obj_name}\" pathname=\"%{directory}\" username=\"%{username}\" roles=\"%{user_role}\"] WebFilter: ACTION=\"%{action}\" %{fld2}->%{fld3->} CATEGORY=\"%{category}\" REASON=\"%{fld4}\" PROFILE=\"%{fld6}\" URL=%{url->} OBJ=%{fld7}", processor_chain([ - dup30, - dup22, - dup52, - ])); - - var msg739 = msg("WEBFILTER_URL_PERMITTED:01", part769); - - var part770 = match("MESSAGE#735:WEBFILTER_URL_PERMITTED:03", "nwparser.payload", "%{event_type->} [junos@%{fld21->} source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" name=\"%{info}\" error-message=\"%{result}\" profile-name=\"%{profile}\" object-name=\"%{obj_name}\" pathname=\"%{directory}\" username=\"%{username}\" roles=\"%{user_role}\"] WebFilter: ACTION=\"%{action}\" %{fld2}->%{fld3->} CATEGORY=\"%{category}\" REASON=%{fld4}", processor_chain([ - dup30, - dup22, - dup52, - ])); - - var msg740 = msg("WEBFILTER_URL_PERMITTED:03", part770); - - var part771 = match("MESSAGE#736:WEBFILTER_URL_PERMITTED:02", "nwparser.payload", "%{event_type->} [junos@%{fld21->} source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" name=\"%{info}\" 
error-message=\"%{result}\" profile-name=\"%{profile}\" object-name=\"%{obj_name}\" pathname=%{url}", processor_chain([ - dup30, - dup22, - dup52, - ])); - - var msg741 = msg("WEBFILTER_URL_PERMITTED:02", part771); - - var select74 = linear_select([ - msg738, - msg739, - msg740, - msg741, - ]); - - var msg742 = msg("WEBFILTER_URL_BLOCKED", dup158); - - var part772 = match("MESSAGE#738:WEBFILTER_URL_BLOCKED:01", "nwparser.payload", "%{event_type->} [junos@%{fld21->} source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" name=\"%{info}\" error-message=\"%{result}\" profile-name=\"%{profile}\" object-name=\"%{obj_name}\" pathname=\"%{directory}\" username=\"%{username}\" roles=\"%{user_role}\"] WebFilter: ACTION=\"%{action}\" %{fld2}->%{fld3->} CATEGORY=\"%{category}\" REASON=\"%{fld4}\" PROFILE=\"%{fld6}\" URL=%{url}", processor_chain([ - dup30, - dup22, - dup52, - ])); - - var msg743 = msg("WEBFILTER_URL_BLOCKED:01", part772); - - var select75 = linear_select([ - msg742, - msg743, - ]); - - var part773 = match("MESSAGE#740:SECINTEL_NETWORK_CONNECT_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{id}: \u003c\u003c%{fld12}> Access url %{url->} on port %{network_port->} failed\u003c\u003c%{result}>.", processor_chain([ - dup46, - dup47, - dup23, - dup22, - dup128, - ])); - - var msg744 = msg("SECINTEL_NETWORK_CONNECT_FAILED", part773); - - var part774 = match("MESSAGE#741:AAMWD_NETWORK_CONNECT_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{id}: \u003c\u003c%{fld12}> Access host %{hostname->} on ip %{hostip->} port %{network_port->} %{result}.", processor_chain([ - dup46, - dup47, - dup23, - ])); - - var msg745 = msg("AAMWD_NETWORK_CONNECT_FAILED", part774); - - var part775 = match("MESSAGE#742:PKID_UNABLE_TO_GET_CRL", "nwparser.payload", "%{process}[%{process_id}]: %{id}: Failed to retrieve CRL from received file for %{node}", processor_chain([ - dup46, - dup47, - dup23, - dup22, - 
dup128, - ])); - - var msg746 = msg("PKID_UNABLE_TO_GET_CRL", part775); - - var part776 = match("MESSAGE#743:SECINTEL_ERROR_OTHERS", "nwparser.payload", "%{process}[%{process_id}]: %{id}: \u003c\u003c%{fld12}> %{result}", processor_chain([ - dup46, - dup47, - dup23, - dup22, - dup128, - ])); - - var msg747 = msg("SECINTEL_ERROR_OTHERS", part776); - - var part777 = match("MESSAGE#744:JSRPD_HA_CONTROL_LINK_UP", "nwparser.payload", "%{process}[%{process_id}]: %{id}: HA control link monitor status is marked up", processor_chain([ - dup48, - dup47, - dup23, - dup22, - dup128, - ])); - - var msg748 = msg("JSRPD_HA_CONTROL_LINK_UP", part777); - - var part778 = match("MESSAGE#745:LACPD_TIMEOUT", "nwparser.payload", "%{process}[%{process_id}]: LACPD_TIMEOUT: %{sinterface}: %{event_description}", processor_chain([ - dup46, - dup47, - dup23, - dup22, - dup128, - ])); - - var msg749 = msg("LACPD_TIMEOUT", part778); - - var msg750 = msg("cli", dup159); - - var msg751 = msg("pfed", dup159); - - var msg752 = msg("idpinfo", dup159); - - var msg753 = msg("kmd", dup159); - - var part779 = match("MESSAGE#751:node:01", "nwparser.payload", "%{hostname->} %{node->} Next-hop resolution requests from interface %{interface->} throttled", processor_chain([ - dup21, - dup23, - dup22, - ])); - - var msg754 = msg("node:01", part779); - - var part780 = match("MESSAGE#752:node:02", "nwparser.payload", "%{hostname->} %{node->} %{process}: Trying peer connection, status %{resultcode}, attempt %{fld1}", processor_chain([ - dup21, - dup23, - dup22, - ])); - - var msg755 = msg("node:02", part780); - - var part781 = match("MESSAGE#753:node:03", "nwparser.payload", "%{hostname->} %{node->} %{process}: trying master connection, status %{resultcode}, attempt %{fld1}", processor_chain([ - dup21, - dup23, - dup22, - ])); - - var msg756 = msg("node:03", part781); - - var part782 = match("MESSAGE#754:node:04", "nwparser.payload", "%{hostname->} %{node->} %{fld1->} key %{fld2->} %{fld3->} port priority 
%{fld6->} %{fld4->} port %{portname->} %{fld5->} state %{resultcode}", processor_chain([ - dup21, - dup23, - dup22, - ])); - - var msg757 = msg("node:04", part782); - - var select76 = linear_select([ - dup131, - dup132, - ]); - - var part783 = match("MESSAGE#755:node:05/2", "nwparser.p0", "%{}sys priority %{fld4->} %{p0}"); - - var select77 = linear_select([ - dup132, - dup131, - ]); - - var part784 = match("MESSAGE#755:node:05/4", "nwparser.p0", "%{}sys %{interface}"); - - var all44 = all_match({ - processors: [ - dup130, - select76, - part783, - select77, - part784, - ], - on_success: processor_chain([ - dup21, - dup23, - dup22, - ]), - }); - - var msg758 = msg("node:05", all44); - - var part785 = match("MESSAGE#756:node:06/1_0", "nwparser.p0", "dst mac %{dinterface}"); - - var part786 = match("MESSAGE#756:node:06/1_1", "nwparser.p0", "src mac %{sinterface->} ether type %{fld1}"); - - var select78 = linear_select([ - part785, - part786, - ]); - - var all45 = all_match({ - processors: [ - dup130, - select78, - ], - on_success: processor_chain([ - dup21, - dup23, - dup22, - ]), - }); - - var msg759 = msg("node:06", all45); - - var part787 = match("MESSAGE#757:node:07", "nwparser.payload", "%{hostname->} %{node->} %{process}: interface %{interface->} trigger reth_scan", processor_chain([ - dup21, - dup23, - dup22, - ])); - - var msg760 = msg("node:07", part787); - - var part788 = match("MESSAGE#758:node:08", "nwparser.payload", "%{hostname->} %{node->} %{process}: %{info}", processor_chain([ - dup21, - dup23, - dup22, - ])); - - var msg761 = msg("node:08", part788); - - var part789 = match("MESSAGE#759:node:09", "nwparser.payload", "%{hostname->} %{node->} %{fld1}", processor_chain([ - dup21, - dup23, - dup22, - ])); - - var msg762 = msg("node:09", part789); - - var select79 = linear_select([ - msg754, - msg755, - msg756, - msg757, - msg758, - msg759, - msg760, - msg761, - msg762, - ]); - - var part790 = match("MESSAGE#760:(FPC:01", "nwparser.payload", "%{fld1}) 
%{node->} kernel: %{event_type}: deleting active remote neighbor entry %{fld2->} from interface %{interface}.", processor_chain([ - dup21, - dup23, - dup22, - dup24, - ])); - - var msg763 = msg("(FPC:01", part790); - - var part791 = match("MESSAGE#761:(FPC:02", "nwparser.payload", "%{fld1}) %{node->} kernel: %{event_type->} deleting nb %{fld2->} on ifd %{interface->} for cid %{fld3->} from active neighbor table", processor_chain([ - dup21, - dup23, - dup22, - dup24, - ])); - - var msg764 = msg("(FPC:02", part791); - - var part792 = match("MESSAGE#762:(FPC:03/0", "nwparser.payload", "%{fld1}) %{node->} kernel: %{event_type}: M%{p0}"); - - var part793 = match("MESSAGE#762:(FPC:03/1_0", "nwparser.p0", "DOWN %{p0}"); - - var part794 = match("MESSAGE#762:(FPC:03/1_1", "nwparser.p0", "UP %{p0}"); - - var select80 = linear_select([ - part793, - part794, - ]); - - var part795 = match("MESSAGE#762:(FPC:03/2", "nwparser.p0", "received for interface %{interface}, member of %{fld4}"); - - var all46 = all_match({ - processors: [ - part792, - select80, - part795, - ], - on_success: processor_chain([ - dup21, - dup23, - dup22, - dup24, - ]), - }); - - var msg765 = msg("(FPC:03", all46); - - var part796 = match("MESSAGE#763:(FPC:04", "nwparser.payload", "%{fld1}) %{node->} kernel: %{event_type}: ifd=%{interface}, ifd flags=%{fld2}", processor_chain([ - dup21, - dup23, - dup22, - dup24, - ])); - - var msg766 = msg("(FPC:04", part796); - - var part797 = match("MESSAGE#764:(FPC:05", "nwparser.payload", "%{fld1}) %{node->} kernel: rdp keepalive expired, connection dropped - src %{fld3}:%{fld2->} dest %{fld4}:%{fld5}", processor_chain([ - dup21, - dup23, - dup22, - dup24, - ])); - - var msg767 = msg("(FPC:05", part797); - - var part798 = match("MESSAGE#765:(FPC", "nwparser.payload", "%{fld1}) %{node->} %{fld10}", processor_chain([ - dup21, - dup23, - dup22, - dup24, - ])); - - var msg768 = msg("(FPC", part798); - - var select81 = linear_select([ - msg763, - msg764, - msg765, - msg766, 
- msg767, - msg768, - ]); - - var part799 = match("MESSAGE#766:tnp.bootpd", "nwparser.payload", "%{process}[%{process_id}]:%{fld1}", processor_chain([ - dup48, - dup23, - dup22, - dup24, - ])); - - var msg769 = msg("tnp.bootpd", part799); - - var part800 = match("MESSAGE#769:AAMW_ACTION_LOG", "nwparser.payload", "%{event_type}[junos@%{fld32->} hostname=\"%{hostname}\" file-category=\"%{fld9}\" verdict-number=\"%{fld10}\" action=\"%{action}\" list-hit=\"%{fld19}\" source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" protocol-id=\"%{protocol}\" application=\"%{fld6}\" nested-application=\"%{fld7}\" policy-name=\"%{policyname}\" username=\"%{username}\" roles=\"%{user_role}\" session-id-32=\"%{sessionid}\" source-zone-name=\"%{src_zone}\" destination-zone-name=\"%{dst_zone}\" url=\"%{url}\"] %{fld27}", processor_chain([ - dup48, - dup52, - dup22, - dup61, - ])); - - var msg770 = msg("AAMW_ACTION_LOG", part800); - - var part801 = match("MESSAGE#770:AAMW_HOST_INFECTED_EVENT_LOG", "nwparser.payload", "%{event_type}[junos@%{fld32->} timestamp=\"%{fld30}\" tenant-id=\"%{fld1}\" client-ip-str=\"%{hostip}\" hostname=\"%{hostname}\" status=\"%{fld13}\" policy-name=\"%{policyname}\" verdict-number=\"%{fld15}\" state=\"%{fld16}\" reason=\"%{result}\" message=\"%{info}\" %{fld3}", processor_chain([ - dup133, - dup52, - dup22, - dup61, - ])); - - var msg771 = msg("AAMW_HOST_INFECTED_EVENT_LOG", part801); - - var part802 = match("MESSAGE#771:AAMW_MALWARE_EVENT_LOG", "nwparser.payload", "%{event_type}[junos@%{fld32->} timestamp=\"%{fld30}\" tenant-id=\"%{fld1}\" sample-sha256=\"%{checksum}\" client-ip-str=\"%{hostip}\" verdict-number=\"%{fld26}\" malware-info=\"%{threat_name}\" username=\"%{username}\" hostname=\"%{hostname}\" %{fld3}", processor_chain([ - dup133, - dup52, - dup22, - ])); - - var msg772 = msg("AAMW_MALWARE_EVENT_LOG", part802); - - var part803 = match("MESSAGE#772:IDP_ATTACK_LOG_EVENT", 
"nwparser.payload", "%{event_type}[junos@%{fld32->} epoch-time=\"%{fld1}\" message-type=\"%{info}\" source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" protocol-name=\"%{protocol}\" service-name=\"%{service}\" application-name=\"%{application}\" rule-name=\"%{fld5}\" rulebase-name=\"%{rulename}\" policy-name=\"%{policyname}\" export-id=\"%{fld6}\" repeat-count=\"%{fld7}\" action=\"%{action}\" threat-severity=\"%{severity}\" attack-name=\"%{threat_name}\" nat-source-address=\"%{hostip}\" nat-source-port=\"%{network_port}\" nat-destination-address=\"%{dtransaddr}\" nat-destination-port=\"%{dtransport}\" elapsed-time=%{fld8->} inbound-bytes=\"%{rbytes}\" outbound-bytes=\"%{sbytes}\" inbound-packets=\"%{packets}\" outbound-packets=\"%{dclass_counter1}\" source-zone-name=\"%{src_zone}\" source-interface-name=\"%{sinterface}\" destination-zone-name=\"%{dst_zone}\" destination-interface-name=\"%{dinterface}\" packet-log-id=\"%{fld9}\" alert=\"%{fld19}\" username=\"%{username}\" roles=\"%{fld15}\" message=\"%{fld28}\" %{fld3}", processor_chain([ - dup81, - dup52, - dup22, - dup61, - ])); - - var msg773 = msg("IDP_ATTACK_LOG_EVENT", part803); - - var part804 = match("MESSAGE#773:RT_SCREEN_ICMP", "nwparser.payload", "%{event_type}[junos@%{fld32->} attack-name=\"%{threat_name}\" source-address=\"%{saddr}\" destination-address=\"%{daddr}\" source-zone-name=\"%{src_zone}\" interface-name=\"%{interface}\" action=\"%{action}\"] %{fld23}", processor_chain([ - dup81, - dup52, - dup22, - dup61, - ])); - - var msg774 = msg("RT_SCREEN_ICMP", part804); - - var part805 = match("MESSAGE#774:SECINTEL_ACTION_LOG", "nwparser.payload", "%{event_type}[junos@%{fld32->} category=\"%{fld1}\" sub-category=\"%{fld2}\" action=\"%{action}\" action-detail=\"%{fld4}\" http-host=\"%{fld17}\" threat-severity=\"%{severity}\" source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" 
protocol-id=\"%{protocol}\" application=\"%{fld5}\" nested-application=\"%{fld6}\" feed-name=\"%{fld18}\" policy-name=\"%{policyname}\" profile-name=\"%{rulename}\" username=\"%{username}\" roles=\"%{user_role}\" session-id-32=\"%{sessionid}\" source-zone-name=\"%{src_zone}\" destination-zone-name=\"%{dst_zone}\"]%{fld10}", processor_chain([ - dup46, - dup52, - dup22, - dup61, - ])); - - var msg775 = msg("SECINTEL_ACTION_LOG", part805); - - var part806 = match("MESSAGE#775:qsfp/0", "nwparser.payload", "%{hostname->} %{fld2->} %{p0}"); - - var part807 = match("MESSAGE#775:qsfp/1_0", "nwparser.p0", "%{fld3->} %{process}: qsfp-%{p0}"); - - var part808 = match("MESSAGE#775:qsfp/1_1", "nwparser.p0", "qsfp-%{p0}"); - - var select82 = linear_select([ - part807, - part808, - ]); - - var part809 = match("MESSAGE#775:qsfp/2", "nwparser.p0", "%{}Chan# %{interface->} %{fld5}:%{event_description}"); - - var all47 = all_match({ - processors: [ - part806, - select82, - part809, - ], - on_success: processor_chain([ - dup21, - dup22, - dup23, - ]), - }); - - var msg776 = msg("qsfp", all47); - - var part810 = match("MESSAGE#776:JUNOSROUTER_GENERIC:03", "nwparser.payload", "%{event_type}: User '%{username}', command '%{action}'", processor_chain([ - dup21, - dup22, - dup121, - dup23, - ])); - - var msg777 = msg("JUNOSROUTER_GENERIC:03", part810); - - var part811 = match("MESSAGE#777:JUNOSROUTER_GENERIC:04", "nwparser.payload", "%{event_type}: User '%{username}' %{fld1}", processor_chain([ - dup125, - dup34, - dup35, - dup126, - dup37, - dup22, - setc("event_description","LOGOUT"), - dup23, - ])); - - var msg778 = msg("JUNOSROUTER_GENERIC:04", part811); - - var part812 = match("MESSAGE#778:JUNOSROUTER_GENERIC:05", "nwparser.payload", "%{event_type}: TACACS+ failure: %{result}", processor_chain([ - dup30, - dup22, - dup129, - dup23, - ])); - - var msg779 = msg("JUNOSROUTER_GENERIC:05", part812); - - var part813 = match("MESSAGE#779:JUNOSROUTER_GENERIC:06", "nwparser.payload", 
"%{event_type}: mismatch NLRI with %{hostip->} (%{hostname}): peer: %{daddr->} us: %{saddr}", processor_chain([ - dup30, - dup22, - dup57, - dup23, - ])); - - var msg780 = msg("JUNOSROUTER_GENERIC:06", part813); - - var part814 = match("MESSAGE#780:JUNOSROUTER_GENERIC:07", "nwparser.payload", "%{event_type}: NOTIFICATION sent to %{daddr->} (%{dhost}): code %{resultcode->} (%{action}), Reason: %{result}", processor_chain([ - dup21, - dup22, - dup38, - dup23, - ])); - - var msg781 = msg("JUNOSROUTER_GENERIC:07", part814); - - var part815 = match("MESSAGE#781:JUNOSROUTER_GENERIC:08/0", "nwparser.payload", "%{event_type}: NOTIFICATION received from %{daddr->} (%{dhost}): code %{resultcode->} (%{action})%{p0}"); - - var part816 = match("MESSAGE#781:JUNOSROUTER_GENERIC:08/1_0", "nwparser.p0", ", socket buffer sndcc: %{fld1->} rcvcc: %{fld2->} TCP state: %{event_state}, snd_una: %{fld3->} snd_nxt: %{fld4->} snd_wnd: %{fld5->} rcv_nxt: %{fld6->} rcv_adv: %{fld7}, hold timer %{fld8}"); - - var part817 = match_copy("MESSAGE#781:JUNOSROUTER_GENERIC:08/1_1", "nwparser.p0", ""); - - var select83 = linear_select([ - part816, - part817, - ]); - - var all48 = all_match({ - processors: [ - part815, - select83, - ], - on_success: processor_chain([ - dup21, - dup22, - dup38, - dup23, - ]), - }); - - var msg782 = msg("JUNOSROUTER_GENERIC:08", all48); - - var part818 = match("MESSAGE#782:JUNOSROUTER_GENERIC:09", "nwparser.payload", "%{event_type}: [edit interfaces%{interface}unit%{fld1}family inet address%{hostip}/%{network_port}] :%{event_description}:%{info}", processor_chain([ - dup21, - dup22, - dup23, - ])); - - var msg783 = msg("JUNOSROUTER_GENERIC:09", part818); - - var part819 = match("MESSAGE#783:JUNOSROUTER_GENERIC:01", "nwparser.payload", "%{event_type->} Interface Monitor failed %{fld1}", processor_chain([ - dup134, - dup23, - dup22, - setc("event_description","Interface Monitor failed "), - dup24, - ])); - - var msg784 = msg("JUNOSROUTER_GENERIC:01", part819); - - var 
part820 = match("MESSAGE#784:JUNOSROUTER_GENERIC:02", "nwparser.payload", "%{event_type->} Interface Monitor failure recovered %{fld1}", processor_chain([ - dup134, - dup23, - dup22, - setc("event_description","Interface Monitor failure recovered"), - dup24, - ])); - - var msg785 = msg("JUNOSROUTER_GENERIC:02", part820); - - var part821 = match("MESSAGE#785:JUNOSROUTER_GENERIC", "nwparser.payload", "%{event_type->} %{fld1}", processor_chain([ - dup134, - dup23, - dup22, - dup24, - ])); - - var msg786 = msg("JUNOSROUTER_GENERIC", part821); - - var select84 = linear_select([ - msg777, - msg778, - msg779, - msg780, - msg781, - msg782, - msg783, - msg784, - msg785, - msg786, - ]); - - var chain1 = processor_chain([ - select5, - msgid_select({ - "(FPC": select81, - "/usr/libexec/telnetd": msg2, - "/usr/sbin/cron": msg734, - "/usr/sbin/sshd": msg1, - "AAMWD_NETWORK_CONNECT_FAILED": msg745, - "AAMW_ACTION_LOG": msg770, - "AAMW_HOST_INFECTED_EVENT_LOG": msg771, - "AAMW_MALWARE_EVENT_LOG": msg772, - "ACCT_ACCOUNTING_FERROR": msg114, - "ACCT_ACCOUNTING_FOPEN_ERROR": msg115, - "ACCT_ACCOUNTING_SMALL_FILE_SIZE": msg116, - "ACCT_BAD_RECORD_FORMAT": msg117, - "ACCT_CU_RTSLIB_error": msg118, - "ACCT_GETHOSTNAME_error": msg119, - "ACCT_MALLOC_FAILURE": msg120, - "ACCT_UNDEFINED_COUNTER_NAME": msg121, - "ACCT_XFER_FAILED": msg122, - "ACCT_XFER_POPEN_FAIL": msg123, - "APPQOS_LOG_EVENT": msg124, - "APPTRACK_SESSION_CLOSE": select30, - "APPTRACK_SESSION_CREATE": msg125, - "APPTRACK_SESSION_VOL_UPDATE": select31, - "BCHIP": msg106, - "BFDD_TRAP_STATE_DOWN": msg130, - "BFDD_TRAP_STATE_UP": msg131, - "BOOTPD_ARG_ERR": msg143, - "BOOTPD_BAD_ID": msg144, - "BOOTPD_BOOTSTRING": msg145, - "BOOTPD_CONFIG_ERR": msg146, - "BOOTPD_CONF_OPEN": msg147, - "BOOTPD_DUP_REV": msg148, - "BOOTPD_DUP_SLOT": msg149, - "BOOTPD_MODEL_CHK": msg150, - "BOOTPD_MODEL_ERR": msg151, - "BOOTPD_NEW_CONF": msg152, - "BOOTPD_NO_BOOTSTRING": msg153, - "BOOTPD_NO_CONFIG": msg154, - "BOOTPD_PARSE_ERR": msg155, - 
"BOOTPD_REPARSE": msg156, - "BOOTPD_SELECT_ERR": msg157, - "BOOTPD_TIMEOUT": msg158, - "BOOTPD_VERSION": msg159, - "CHASSISD": msg160, - "CHASSISD_ARGUMENT_ERROR": msg161, - "CHASSISD_BLOWERS_SPEED": msg162, - "CHASSISD_BLOWERS_SPEED_FULL": msg163, - "CHASSISD_CB_READ": msg164, - "CHASSISD_COMMAND_ACK_ERROR": msg165, - "CHASSISD_COMMAND_ACK_SF_ERROR": msg166, - "CHASSISD_CONCAT_MODE_ERROR": msg167, - "CHASSISD_CONFIG_INIT_ERROR": msg168, - "CHASSISD_CONFIG_WARNING": msg169, - "CHASSISD_EXISTS": msg170, - "CHASSISD_EXISTS_TERM_OTHER": msg171, - "CHASSISD_FILE_OPEN": msg172, - "CHASSISD_FILE_STAT": msg173, - "CHASSISD_FRU_EVENT": msg174, - "CHASSISD_FRU_IPC_WRITE_ERROR_EXT": msg175, - "CHASSISD_FRU_STEP_ERROR": msg176, - "CHASSISD_GETTIMEOFDAY": msg177, - "CHASSISD_HIGH_TEMP_CONDITION": msg214, - "CHASSISD_HOST_TEMP_READ": msg178, - "CHASSISD_IFDEV_DETACH_ALL_PSEUDO": msg179, - "CHASSISD_IFDEV_DETACH_FPC": msg180, - "CHASSISD_IFDEV_DETACH_PIC": msg181, - "CHASSISD_IFDEV_DETACH_PSEUDO": msg182, - "CHASSISD_IFDEV_DETACH_TLV_ERROR": msg183, - "CHASSISD_IFDEV_GET_BY_INDEX_FAIL": msg184, - "CHASSISD_IPC_MSG_QFULL_ERROR": msg185, - "CHASSISD_IPC_UNEXPECTED_RECV": msg186, - "CHASSISD_IPC_WRITE_ERR_NO_PIPE": msg187, - "CHASSISD_IPC_WRITE_ERR_NULL_ARGS": msg188, - "CHASSISD_MAC_ADDRESS_ERROR": msg189, - "CHASSISD_MAC_DEFAULT": msg190, - "CHASSISD_MBUS_ERROR": msg191, - "CHASSISD_PARSE_COMPLETE": msg192, - "CHASSISD_PARSE_ERROR": msg193, - "CHASSISD_PARSE_INIT": msg194, - "CHASSISD_PIDFILE_OPEN": msg195, - "CHASSISD_PIPE_WRITE_ERROR": msg196, - "CHASSISD_POWER_CHECK": msg197, - "CHASSISD_RECONNECT_SUCCESSFUL": msg198, - "CHASSISD_RELEASE_MASTERSHIP": msg199, - "CHASSISD_RE_INIT_INVALID_RE_SLOT": msg200, - "CHASSISD_ROOT_MOUNT_ERROR": msg201, - "CHASSISD_RTS_SEQ_ERROR": msg202, - "CHASSISD_SBOARD_VERSION_MISMATCH": msg203, - "CHASSISD_SERIAL_ID": msg204, - "CHASSISD_SMB_ERROR": msg205, - "CHASSISD_SNMP_TRAP10": msg208, - "CHASSISD_SNMP_TRAP6": msg206, - "CHASSISD_SNMP_TRAP7": 
msg207, - "CHASSISD_TERM_SIGNAL": msg209, - "CHASSISD_TRACE_PIC_OFFLINE": msg210, - "CHASSISD_UNEXPECTED_EXIT": msg211, - "CHASSISD_UNSUPPORTED_MODEL": msg212, - "CHASSISD_VERSION_MISMATCH": msg213, - "CM": msg107, - "CM_JAVA": msg216, - "COS": msg108, - "COSFPC": msg109, - "COSMAN": msg110, - "CRON": msg16, - "CROND": select11, - "Cmerror": msg17, - "DCD_AS_ROOT": msg217, - "DCD_FILTER_LIB_ERROR": msg218, - "DCD_MALLOC_FAILED_INIT": msg219, - "DCD_PARSE_EMERGENCY": msg220, - "DCD_PARSE_FILTER_EMERGENCY": msg221, - "DCD_PARSE_MINI_EMERGENCY": msg222, - "DCD_PARSE_STATE_EMERGENCY": msg223, - "DCD_POLICER_PARSE_EMERGENCY": msg224, - "DCD_PULL_LOG_FAILURE": msg225, - "DFWD_ARGUMENT_ERROR": msg226, - "DFWD_MALLOC_FAILED_INIT": msg227, - "DFWD_PARSE_FILTER_EMERGENCY": msg228, - "DFWD_PARSE_STATE_EMERGENCY": msg229, - "ECCD_DAEMONIZE_FAILED": msg230, - "ECCD_DUPLICATE": msg231, - "ECCD_LOOP_EXIT_FAILURE": msg232, - "ECCD_NOT_ROOT": msg233, - "ECCD_PCI_FILE_OPEN_FAILED": msg234, - "ECCD_PCI_READ_FAILED": msg235, - "ECCD_PCI_WRITE_FAILED": msg236, - "ECCD_PID_FILE_LOCK": msg237, - "ECCD_PID_FILE_UPDATE": msg238, - "ECCD_TRACE_FILE_OPEN_FAILED": msg239, - "ECCD_usage": msg240, - "EVENT": msg23, - "EVENTD_AUDIT_SHOW": msg241, - "FLOW_REASSEMBLE_FAIL": msg731, - "FLOW_REASSEMBLE_SUCCEED": msg242, - "FSAD_CHANGE_FILE_OWNER": msg243, - "FSAD_CONFIG_ERROR": msg244, - "FSAD_CONNTIMEDOUT": msg245, - "FSAD_FAILED": msg246, - "FSAD_FETCHTIMEDOUT": msg247, - "FSAD_FILE_FAILED": msg248, - "FSAD_FILE_REMOVE": msg249, - "FSAD_FILE_RENAME": msg250, - "FSAD_FILE_STAT": msg251, - "FSAD_FILE_SYNC": msg252, - "FSAD_MAXCONN": msg253, - "FSAD_MEMORYALLOC_FAILED": msg254, - "FSAD_NOT_ROOT": msg255, - "FSAD_PARENT_DIRECTORY": msg256, - "FSAD_PATH_IS_DIRECTORY": msg257, - "FSAD_PATH_IS_SPECIAL": msg258, - "FSAD_RECVERROR": msg259, - "FSAD_TERMINATED_CONNECTION": msg260, - "FSAD_TERMINATING_SIGNAL": msg261, - "FSAD_TRACEOPEN_FAILED": msg262, - "FSAD_USAGE": msg263, - "Failed": select25, - 
"GGSN_ALARM_TRAP_FAILED": msg264, - "GGSN_ALARM_TRAP_SEND": msg265, - "GGSN_TRAP_SEND": msg266, - "IDP_ATTACK_LOG_EVENT": msg773, - "JADE_AUTH_ERROR": msg267, - "JADE_EXEC_ERROR": msg268, - "JADE_NO_LOCAL_USER": msg269, - "JADE_PAM_ERROR": msg270, - "JADE_PAM_NO_LOCAL_USER": msg271, - "JSRPD_HA_CONTROL_LINK_UP": msg748, - "JUNOSROUTER_GENERIC": select84, - "KERN_ARP_ADDR_CHANGE": msg272, - "KMD_PM_SA_ESTABLISHED": msg273, - "L2CPD_TASK_REINIT": msg274, - "LACPD_TIMEOUT": msg749, - "LIBJNX_EXEC_EXITED": msg275, - "LIBJNX_EXEC_FAILED": msg276, - "LIBJNX_EXEC_PIPE": msg277, - "LIBJNX_EXEC_SIGNALED": msg278, - "LIBJNX_EXEC_WEXIT": msg279, - "LIBJNX_FILE_COPY_FAILED": msg280, - "LIBJNX_PRIV_LOWER_FAILED": msg281, - "LIBJNX_PRIV_RAISE_FAILED": msg282, - "LIBJNX_REPLICATE_RCP_EXEC_FAILED": msg283, - "LIBJNX_ROTATE_COMPRESS_EXEC_FAILED": msg284, - "LIBSERVICED_CLIENT_CONNECTION": msg285, - "LIBSERVICED_OUTBOUND_REQUEST": msg286, - "LIBSERVICED_SNMP_LOST_CONNECTION": msg287, - "LIBSERVICED_SOCKET_BIND": msg288, - "LIBSERVICED_SOCKET_PRIVATIZE": msg289, - "LICENSE_EXPIRED": msg290, - "LICENSE_EXPIRED_KEY_DELETED": msg291, - "LICENSE_NEARING_EXPIRY": msg292, - "LOGIN_ABORTED": msg293, - "LOGIN_FAILED": msg294, - "LOGIN_FAILED_INCORRECT_PASSWORD": msg295, - "LOGIN_FAILED_SET_CONTEXT": msg296, - "LOGIN_FAILED_SET_LOGIN": msg297, - "LOGIN_HOSTNAME_UNRESOLVED": msg298, - "LOGIN_INFORMATION": msg299, - "LOGIN_INVALID_LOCAL_USER": msg300, - "LOGIN_MALFORMED_USER": msg301, - "LOGIN_PAM_AUTHENTICATION_ERROR": msg302, - "LOGIN_PAM_ERROR": msg303, - "LOGIN_PAM_MAX_RETRIES": msg304, - "LOGIN_PAM_NONLOCAL_USER": msg305, - "LOGIN_PAM_STOP": msg306, - "LOGIN_PAM_USER_UNKNOWN": msg307, - "LOGIN_PASSWORD_EXPIRED": msg308, - "LOGIN_REFUSED": msg309, - "LOGIN_ROOT": msg310, - "LOGIN_TIMED_OUT": msg311, - "MIB2D_ATM_ERROR": msg312, - "MIB2D_CONFIG_CHECK_FAILED": msg313, - "MIB2D_FILE_OPEN_FAILURE": msg314, - "MIB2D_IFD_IFINDEX_FAILURE": msg315, - "MIB2D_IFL_IFINDEX_FAILURE": msg316, - 
"MIB2D_INIT_FAILURE": msg317, - "MIB2D_KVM_FAILURE": msg318, - "MIB2D_RTSLIB_READ_FAILURE": msg319, - "MIB2D_RTSLIB_SEQ_MISMATCH": msg320, - "MIB2D_SYSCTL_FAILURE": msg321, - "MIB2D_TRAP_HEADER_FAILURE": msg322, - "MIB2D_TRAP_SEND_FAILURE": msg323, - "MRVL-L2": msg56, - "Multiuser": msg324, - "NASD_AUTHENTICATION_CREATE_FAILED": msg325, - "NASD_CHAP_AUTHENTICATION_IN_PROGRESS": msg326, - "NASD_CHAP_GETHOSTNAME_FAILED": msg327, - "NASD_CHAP_INVALID_CHAP_IDENTIFIER": msg328, - "NASD_CHAP_INVALID_OPCODE": msg329, - "NASD_CHAP_LOCAL_NAME_UNAVAILABLE": msg330, - "NASD_CHAP_MESSAGE_UNEXPECTED": msg331, - "NASD_CHAP_REPLAY_ATTACK_DETECTED": msg332, - "NASD_CONFIG_GET_LAST_MODIFIED_FAILED": msg333, - "NASD_DAEMONIZE_FAILED": msg334, - "NASD_DB_ALLOC_FAILURE": msg335, - "NASD_DB_TABLE_CREATE_FAILURE": msg336, - "NASD_DUPLICATE": msg337, - "NASD_EVLIB_CREATE_FAILURE": msg338, - "NASD_EVLIB_EXIT_FAILURE": msg339, - "NASD_LOCAL_CREATE_FAILED": msg340, - "NASD_NOT_ROOT": msg341, - "NASD_PID_FILE_LOCK": msg342, - "NASD_PID_FILE_UPDATE": msg343, - "NASD_POST_CONFIGURE_EVENT_FAILED": msg344, - "NASD_PPP_READ_FAILURE": msg345, - "NASD_PPP_SEND_FAILURE": msg346, - "NASD_PPP_SEND_PARTIAL": msg347, - "NASD_PPP_UNRECOGNIZED": msg348, - "NASD_RADIUS_ALLOCATE_PASSWORD_FAILED": msg349, - "NASD_RADIUS_CONFIG_FAILED": msg350, - "NASD_RADIUS_CREATE_FAILED": msg351, - "NASD_RADIUS_CREATE_REQUEST_FAILED": msg352, - "NASD_RADIUS_GETHOSTNAME_FAILED": msg353, - "NASD_RADIUS_MESSAGE_UNEXPECTED": msg354, - "NASD_RADIUS_OPEN_FAILED": msg355, - "NASD_RADIUS_SELECT_FAILED": msg356, - "NASD_RADIUS_SET_TIMER_FAILED": msg357, - "NASD_TRACE_FILE_OPEN_FAILED": msg358, - "NASD_usage": msg359, - "NOTICE": msg360, - "PFEMAN": msg61, - "PFE_FW_SYSLOG_IP": select36, - "PFE_NH_RESOLVE_THROTTLED": msg363, - "PING_TEST_COMPLETED": msg364, - "PING_TEST_FAILED": msg365, - "PKID_UNABLE_TO_GET_CRL": msg746, - "PWC_EXIT": msg368, - "PWC_HOLD_RELEASE": msg369, - "PWC_INVALID_RUNS_ARGUMENT": msg370, - 
"PWC_INVALID_TIMEOUT_ARGUMENT": msg371, - "PWC_KILLED_BY_SIGNAL": msg372, - "PWC_KILL_EVENT": msg373, - "PWC_KILL_FAILED": msg374, - "PWC_KQUEUE_ERROR": msg375, - "PWC_KQUEUE_INIT": msg376, - "PWC_KQUEUE_REGISTER_FILTER": msg377, - "PWC_LOCKFILE_BAD_FORMAT": msg378, - "PWC_LOCKFILE_ERROR": msg379, - "PWC_LOCKFILE_MISSING": msg380, - "PWC_LOCKFILE_NOT_LOCKED": msg381, - "PWC_NO_PROCESS": msg382, - "PWC_PROCESS_EXIT": msg383, - "PWC_PROCESS_FORCED_HOLD": msg384, - "PWC_PROCESS_HOLD": msg385, - "PWC_PROCESS_HOLD_SKIPPED": msg386, - "PWC_PROCESS_OPEN": msg387, - "PWC_PROCESS_TIMED_HOLD": msg388, - "PWC_PROCESS_TIMEOUT": msg389, - "PWC_SIGNAL_INIT": msg390, - "PWC_SOCKET_CONNECT": msg391, - "PWC_SOCKET_CREATE": msg392, - "PWC_SOCKET_OPTION": msg393, - "PWC_STDOUT_WRITE": msg394, - "PWC_SYSTEM_CALL": msg395, - "PWC_UNKNOWN_KILL_OPTION": msg396, - "RDP": msg111, - "RMOPD_ADDRESS_MULTICAST_INVALID": msg397, - "RMOPD_ADDRESS_SOURCE_INVALID": msg398, - "RMOPD_ADDRESS_STRING_FAILURE": msg399, - "RMOPD_ADDRESS_TARGET_INVALID": msg400, - "RMOPD_DUPLICATE": msg401, - "RMOPD_ICMP_ADDRESS_TYPE_UNSUPPORTED": msg402, - "RMOPD_ICMP_SENDMSG_FAILURE": msg403, - "RMOPD_IFINDEX_NOT_ACTIVE": msg404, - "RMOPD_IFINDEX_NO_INFO": msg405, - "RMOPD_IFNAME_NOT_ACTIVE": msg406, - "RMOPD_IFNAME_NO_INFO": msg407, - "RMOPD_NOT_ROOT": msg408, - "RMOPD_ROUTING_INSTANCE_NO_INFO": msg409, - "RMOPD_TRACEROUTE_ERROR": msg410, - "RMOPD_usage": msg411, - "RPD_ABORT": msg412, - "RPD_ACTIVE_TERMINATE": msg413, - "RPD_ASSERT": msg414, - "RPD_ASSERT_SOFT": msg415, - "RPD_EXIT": msg416, - "RPD_IFL_INDEXCOLLISION": msg417, - "RPD_IFL_NAMECOLLISION": msg418, - "RPD_ISIS_ADJDOWN": msg419, - "RPD_ISIS_ADJUP": msg420, - "RPD_ISIS_ADJUPNOIP": msg421, - "RPD_ISIS_LSPCKSUM": msg422, - "RPD_ISIS_OVERLOAD": msg423, - "RPD_KRT_AFUNSUPRT": msg424, - "RPD_KRT_CCC_IFL_MODIFY": msg425, - "RPD_KRT_DELETED_RTT": msg426, - "RPD_KRT_IFA_GENERATION": msg427, - "RPD_KRT_IFDCHANGE": msg428, - "RPD_KRT_IFDEST_GET": msg429, - 
"RPD_KRT_IFDGET": msg430, - "RPD_KRT_IFD_GENERATION": msg431, - "RPD_KRT_IFL_CELL_RELAY_MODE_INVALID": msg432, - "RPD_KRT_IFL_CELL_RELAY_MODE_UNSPECIFIED": msg433, - "RPD_KRT_IFL_GENERATION": msg434, - "RPD_KRT_KERNEL_BAD_ROUTE": msg435, - "RPD_KRT_NEXTHOP_OVERFLOW": msg436, - "RPD_KRT_NOIFD": msg437, - "RPD_KRT_UNKNOWN_RTT": msg438, - "RPD_KRT_VERSION": msg439, - "RPD_KRT_VERSIONNONE": msg440, - "RPD_KRT_VERSIONOLD": msg441, - "RPD_LDP_INTF_BLOCKED": msg442, - "RPD_LDP_INTF_UNBLOCKED": msg443, - "RPD_LDP_NBRDOWN": msg444, - "RPD_LDP_NBRUP": msg445, - "RPD_LDP_SESSIONDOWN": msg446, - "RPD_LDP_SESSIONUP": msg447, - "RPD_LOCK_FLOCKED": msg448, - "RPD_LOCK_LOCKED": msg449, - "RPD_MPLS_LSP_CHANGE": msg450, - "RPD_MPLS_LSP_DOWN": msg451, - "RPD_MPLS_LSP_SWITCH": msg452, - "RPD_MPLS_LSP_UP": msg453, - "RPD_MSDP_PEER_DOWN": msg454, - "RPD_MSDP_PEER_UP": msg455, - "RPD_OSPF_NBRDOWN": msg456, - "RPD_OSPF_NBRUP": msg457, - "RPD_OS_MEMHIGH": msg458, - "RPD_PIM_NBRDOWN": msg459, - "RPD_PIM_NBRUP": msg460, - "RPD_RDISC_CKSUM": msg461, - "RPD_RDISC_NOMULTI": msg462, - "RPD_RDISC_NORECVIF": msg463, - "RPD_RDISC_SOLICITADDR": msg464, - "RPD_RDISC_SOLICITICMP": msg465, - "RPD_RDISC_SOLICITLEN": msg466, - "RPD_RIP_AUTH": msg467, - "RPD_RIP_JOIN_BROADCAST": msg468, - "RPD_RIP_JOIN_MULTICAST": msg469, - "RPD_RT_IFUP": msg470, - "RPD_SCHED_CALLBACK_LONGRUNTIME": msg471, - "RPD_SCHED_CUMULATIVE_LONGRUNTIME": msg472, - "RPD_SCHED_MODULE_LONGRUNTIME": msg473, - "RPD_SCHED_TASK_LONGRUNTIME": msg474, - "RPD_SIGNAL_TERMINATE": msg475, - "RPD_START": msg476, - "RPD_SYSTEM": msg477, - "RPD_TASK_BEGIN": msg478, - "RPD_TASK_CHILDKILLED": msg479, - "RPD_TASK_CHILDSTOPPED": msg480, - "RPD_TASK_FORK": msg481, - "RPD_TASK_GETWD": msg482, - "RPD_TASK_NOREINIT": msg483, - "RPD_TASK_PIDCLOSED": msg484, - "RPD_TASK_PIDFLOCK": msg485, - "RPD_TASK_PIDWRITE": msg486, - "RPD_TASK_REINIT": msg487, - "RPD_TASK_SIGNALIGNORE": msg488, - "RT_COS": msg489, - "RT_FLOW_SESSION_CLOSE": select51, - 
"RT_FLOW_SESSION_CREATE": select45, - "RT_FLOW_SESSION_DENY": select47, - "RT_SCREEN_ICMP": msg774, - "RT_SCREEN_IP": select52, - "RT_SCREEN_SESSION_LIMIT": msg504, - "RT_SCREEN_TCP": msg503, - "RT_SCREEN_UDP": msg505, - "Resolve": msg63, - "SECINTEL_ACTION_LOG": msg775, - "SECINTEL_ERROR_OTHERS": msg747, - "SECINTEL_NETWORK_CONNECT_FAILED": msg744, - "SERVICED_CLIENT_CONNECT": msg506, - "SERVICED_CLIENT_DISCONNECTED": msg507, - "SERVICED_CLIENT_ERROR": msg508, - "SERVICED_COMMAND_FAILED": msg509, - "SERVICED_COMMIT_FAILED": msg510, - "SERVICED_CONFIGURATION_FAILED": msg511, - "SERVICED_CONFIG_ERROR": msg512, - "SERVICED_CONFIG_FILE": msg513, - "SERVICED_CONNECTION_ERROR": msg514, - "SERVICED_DISABLED_GGSN": msg515, - "SERVICED_DUPLICATE": msg516, - "SERVICED_EVENT_FAILED": msg517, - "SERVICED_INIT_FAILED": msg518, - "SERVICED_MALLOC_FAILURE": msg519, - "SERVICED_NETWORK_FAILURE": msg520, - "SERVICED_NOT_ROOT": msg521, - "SERVICED_PID_FILE_LOCK": msg522, - "SERVICED_PID_FILE_UPDATE": msg523, - "SERVICED_RTSOCK_SEQUENCE": msg524, - "SERVICED_SIGNAL_HANDLER": msg525, - "SERVICED_SOCKET_CREATE": msg526, - "SERVICED_SOCKET_IO": msg527, - "SERVICED_SOCKET_OPTION": msg528, - "SERVICED_STDLIB_FAILURE": msg529, - "SERVICED_USAGE": msg530, - "SERVICED_WORK_INCONSISTENCY": msg531, - "SNMPD_ACCESS_GROUP_ERROR": msg537, - "SNMPD_AUTH_FAILURE": select53, - "SNMPD_AUTH_PRIVILEGES_EXCEEDED": msg542, - "SNMPD_AUTH_RESTRICTED_ADDRESS": msg543, - "SNMPD_AUTH_WRONG_PDU_TYPE": msg544, - "SNMPD_CONFIG_ERROR": msg545, - "SNMPD_CONTEXT_ERROR": msg546, - "SNMPD_ENGINE_FILE_FAILURE": msg547, - "SNMPD_ENGINE_PROCESS_ERROR": msg548, - "SNMPD_FILE_FAILURE": msg549, - "SNMPD_GROUP_ERROR": msg550, - "SNMPD_INIT_FAILED": msg551, - "SNMPD_LIBJUNIPER_FAILURE": msg552, - "SNMPD_LOOPBACK_ADDR_ERROR": msg553, - "SNMPD_MEMORY_FREED": msg554, - "SNMPD_RADIX_FAILURE": msg555, - "SNMPD_RECEIVE_FAILURE": msg556, - "SNMPD_RMONFILE_FAILURE": msg557, - "SNMPD_RMON_COOKIE": msg558, - "SNMPD_RMON_EVENTLOG": 
msg559, - "SNMPD_RMON_IOERROR": msg560, - "SNMPD_RMON_MIBERROR": msg561, - "SNMPD_RTSLIB_ASYNC_EVENT": msg562, - "SNMPD_SEND_FAILURE": select54, - "SNMPD_SOCKET_FAILURE": msg565, - "SNMPD_SUBAGENT_NO_BUFFERS": msg566, - "SNMPD_SUBAGENT_SEND_FAILED": msg567, - "SNMPD_SYSLIB_FAILURE": msg568, - "SNMPD_THROTTLE_QUEUE_DRAINED": msg569, - "SNMPD_TRAP_COLD_START": msg570, - "SNMPD_TRAP_GEN_FAILURE": msg571, - "SNMPD_TRAP_GEN_FAILURE2": msg572, - "SNMPD_TRAP_INVALID_DATA": msg573, - "SNMPD_TRAP_NOT_ENOUGH_VARBINDS": msg574, - "SNMPD_TRAP_QUEUED": msg575, - "SNMPD_TRAP_QUEUE_DRAINED": msg576, - "SNMPD_TRAP_QUEUE_MAX_ATTEMPTS": msg577, - "SNMPD_TRAP_QUEUE_MAX_SIZE": msg578, - "SNMPD_TRAP_THROTTLED": msg579, - "SNMPD_TRAP_TYPE_ERROR": msg580, - "SNMPD_TRAP_VARBIND_TYPE_ERROR": msg581, - "SNMPD_TRAP_VERSION_ERROR": msg582, - "SNMPD_TRAP_WARM_START": msg583, - "SNMPD_USER_ERROR": msg584, - "SNMPD_VIEW_DELETE": msg585, - "SNMPD_VIEW_INSTALL_DEFAULT": msg586, - "SNMPD_VIEW_OID_PARSE": msg587, - "SNMP_GET_ERROR1": msg588, - "SNMP_GET_ERROR2": msg589, - "SNMP_GET_ERROR3": msg590, - "SNMP_GET_ERROR4": msg591, - "SNMP_NS_LOG_INFO": msg535, - "SNMP_RTSLIB_FAILURE": msg592, - "SNMP_SUBAGENT_IPC_REG_ROWS": msg536, - "SNMP_TRAP_LINK_DOWN": select55, - "SNMP_TRAP_LINK_UP": select56, - "SNMP_TRAP_PING_PROBE_FAILED": msg597, - "SNMP_TRAP_PING_TEST_COMPLETED": msg598, - "SNMP_TRAP_PING_TEST_FAILED": msg599, - "SNMP_TRAP_TRACE_ROUTE_PATH_CHANGE": msg600, - "SNMP_TRAP_TRACE_ROUTE_TEST_COMPLETED": msg601, - "SNMP_TRAP_TRACE_ROUTE_TEST_FAILED": msg602, - "SNTPD": msg112, - "SSB": msg113, - "SSHD_LOGIN_FAILED": select57, - "SSL_PROXY_SESSION_IGNORE": msg534, - "SSL_PROXY_SSL_SESSION_ALLOW": msg532, - "SSL_PROXY_SSL_SESSION_DROP": msg533, - "TASK_TASK_REINIT": msg606, - "TFTPD_AF_ERR": msg607, - "TFTPD_BIND_ERR": msg608, - "TFTPD_CONNECT_ERR": msg609, - "TFTPD_CONNECT_INFO": msg610, - "TFTPD_CREATE_ERR": msg611, - "TFTPD_FIO_ERR": msg612, - "TFTPD_FORK_ERR": msg613, - "TFTPD_NAK_ERR": msg614, - 
"TFTPD_OPEN_ERR": msg615, - "TFTPD_RECVCOMPLETE_INFO": msg616, - "TFTPD_RECVFROM_ERR": msg617, - "TFTPD_RECV_ERR": msg618, - "TFTPD_SENDCOMPLETE_INFO": msg619, - "TFTPD_SEND_ERR": msg620, - "TFTPD_SOCKET_ERR": msg621, - "TFTPD_STATFS_ERR": msg622, - "TNP": msg623, - "UI_AUTH_EVENT": msg628, - "UI_AUTH_INVALID_CHALLENGE": msg629, - "UI_BOOTTIME_FAILED": msg630, - "UI_CFG_AUDIT_NEW": select58, - "UI_CFG_AUDIT_OTHER": select60, - "UI_CFG_AUDIT_SET": select63, - "UI_CFG_AUDIT_SET_SECRET": select64, - "UI_CHILD_ARGS_EXCEEDED": msg645, - "UI_CHILD_CHANGE_USER": msg646, - "UI_CHILD_EXEC": msg647, - "UI_CHILD_EXITED": msg648, - "UI_CHILD_FOPEN": msg649, - "UI_CHILD_PIPE_FAILED": msg650, - "UI_CHILD_SIGNALED": msg651, - "UI_CHILD_START": msg653, - "UI_CHILD_STATUS": msg654, - "UI_CHILD_STOPPED": msg652, - "UI_CHILD_WAITPID": msg655, - "UI_CLI_IDLE_TIMEOUT": msg656, - "UI_CMDLINE_READ_LINE": msg657, - "UI_CMDSET_EXEC_FAILED": msg658, - "UI_CMDSET_FORK_FAILED": msg659, - "UI_CMDSET_PIPE_FAILED": msg660, - "UI_CMDSET_STOPPED": msg661, - "UI_CMDSET_WEXITED": msg662, - "UI_CMD_AUTH_REGEX_INVALID": msg663, - "UI_COMMIT": msg664, - "UI_COMMIT_AT": msg665, - "UI_COMMIT_AT_COMPLETED": msg666, - "UI_COMMIT_AT_FAILED": msg667, - "UI_COMMIT_COMPRESS_FAILED": msg668, - "UI_COMMIT_CONFIRMED": msg669, - "UI_COMMIT_CONFIRMED_REMINDER": msg670, - "UI_COMMIT_CONFIRMED_TIMED": msg671, - "UI_COMMIT_EMPTY_CONTAINER": msg672, - "UI_COMMIT_NOT_CONFIRMED": msg673, - "UI_COMMIT_PROGRESS": msg674, - "UI_COMMIT_QUIT": msg675, - "UI_COMMIT_ROLLBACK_FAILED": msg676, - "UI_COMMIT_SYNC": msg677, - "UI_COMMIT_SYNC_FORCE": msg678, - "UI_CONFIGURATION_ERROR": msg679, - "UI_DAEMON_ACCEPT_FAILED": msg680, - "UI_DAEMON_FORK_FAILED": msg681, - "UI_DAEMON_SELECT_FAILED": msg682, - "UI_DAEMON_SOCKET_FAILED": msg683, - "UI_DBASE_ACCESS_FAILED": msg684, - "UI_DBASE_CHECKOUT_FAILED": msg685, - "UI_DBASE_EXTEND_FAILED": msg686, - "UI_DBASE_LOGIN_EVENT": msg687, - "UI_DBASE_LOGOUT_EVENT": msg688, - 
"UI_DBASE_MISMATCH_EXTENT": msg689, - "UI_DBASE_MISMATCH_MAJOR": msg690, - "UI_DBASE_MISMATCH_MINOR": msg691, - "UI_DBASE_MISMATCH_SEQUENCE": msg692, - "UI_DBASE_MISMATCH_SIZE": msg693, - "UI_DBASE_OPEN_FAILED": msg694, - "UI_DBASE_REBUILD_FAILED": msg695, - "UI_DBASE_REBUILD_SCHEMA_FAILED": msg696, - "UI_DBASE_REBUILD_STARTED": msg697, - "UI_DBASE_RECREATE": msg698, - "UI_DBASE_REOPEN_FAILED": msg699, - "UI_DUPLICATE_UID": msg700, - "UI_JUNOSCRIPT_CMD": msg701, - "UI_JUNOSCRIPT_ERROR": msg702, - "UI_LOAD_EVENT": msg703, - "UI_LOAD_JUNOS_DEFAULT_FILE_EVENT": msg704, - "UI_LOGIN_EVENT": select71, - "UI_LOGOUT_EVENT": msg707, - "UI_LOST_CONN": msg708, - "UI_MASTERSHIP_EVENT": msg709, - "UI_MGD_TERMINATE": msg710, - "UI_NETCONF_CMD": msg711, - "UI_READ_FAILED": msg712, - "UI_READ_TIMEOUT": msg713, - "UI_REBOOT_EVENT": msg714, - "UI_RESTART_EVENT": msg715, - "UI_SCHEMA_CHECKOUT_FAILED": msg716, - "UI_SCHEMA_MISMATCH_MAJOR": msg717, - "UI_SCHEMA_MISMATCH_MINOR": msg718, - "UI_SCHEMA_MISMATCH_SEQUENCE": msg719, - "UI_SCHEMA_SEQUENCE_ERROR": msg720, - "UI_SYNC_OTHER_RE": msg721, - "UI_TACPLUS_ERROR": msg722, - "UI_VERSION_FAILED": msg723, - "UI_WRITE_RECONNECT": msg724, - "VRRPD_NEWMASTER_TRAP": msg725, - "Version": msg99, - "WEBFILTER_REQUEST_NOT_CHECKED": msg730, - "WEBFILTER_URL_BLOCKED": select75, - "WEBFILTER_URL_PERMITTED": select74, - "WEB_AUTH_FAIL": msg726, - "WEB_AUTH_SUCCESS": msg727, - "WEB_INTERFACE_UNAUTH": msg728, - "WEB_READ": msg729, - "alarmd": msg3, - "bgp_connect_start": msg132, - "bgp_event": msg133, - "bgp_listen_accept": msg134, - "bgp_listen_reset": msg135, - "bgp_nexthop_sanity": msg136, - "bgp_pp_recv": select33, - "bgp_process_caps": select32, - "bgp_send": msg141, - "bgp_traffic_timeout": msg142, - "bigd": select6, - "bigpipe": select7, - "bigstart": msg9, - "cgatool": msg10, - "chassisd": msg11, - "chassism": select73, - "checkd": select8, - "clean_process": msg215, - "cli": msg750, - "cosd": msg14, - "craftd": msg15, - "cron": msg18, - 
"crond": msg21, - "dcd": msg22, - "eswd": select72, - "ftpd": msg24, - "ha_rto_stats_handler": msg25, - "hostinit": msg26, - "idpinfo": msg752, - "ifinfo": select13, - "ifp_ifl_anydown_change_event": msg30, - "ifp_ifl_config_event": msg31, - "ifp_ifl_ext_chg": msg32, - "inetd": select14, - "init": select15, - "ipc_msg_write": msg40, - "kernel": select17, - "kmd": msg753, - "last": select28, - "login": select18, - "lsys_ssam_handler": msg53, - "mcsn": msg54, - "mgd": msg62, - "mrvl_dfw_log_effuse_status": msg55, - "node": select79, - "pfed": msg751, - "process_mode": select38, - "profile_ssam_handler": msg57, - "pst_nat_binding_set_profile": msg58, - "qsfp": msg776, - "respawn": msg64, - "root": msg65, - "rpd": select20, - "rshd": msg70, - "sfd": msg71, - "sshd": select21, - "syslogd": msg92, - "task_connect": msg605, - "task_reconfigure": msg59, - "tnetd": msg60, - "tnp.bootpd": msg769, - "trace_on": msg624, - "trace_rotate": msg625, - "transfer-file": msg626, - "ttloop": msg627, - "ucd-snmp": select26, - "usp_ipc_client_reconnect": msg95, - "usp_trace_ipc_disconnect": msg96, - "usp_trace_ipc_reconnect": msg97, - "uspinfo": msg98, - "xntpd": select27, - }), - ]); - - var hdr43 = match("HEADER#3:0004/0", "message", "%{month->} %{day->} %{time->} %{p0}"); - - var part822 = match("HEADER#3:0004/1_0", "nwparser.p0", "fpc0 %{p0}"); - - var part823 = match("HEADER#3:0004/1_1", "nwparser.p0", "fpc1 %{p0}"); - - var part824 = match("HEADER#3:0004/1_2", "nwparser.p0", "fpc2 %{p0}"); - - var part825 = match("HEADER#3:0004/1_3", "nwparser.p0", "fpc3 %{p0}"); - - var part826 = match("HEADER#3:0004/1_4", "nwparser.p0", "fpc4 %{p0}"); - - var part827 = match("HEADER#3:0004/1_5", "nwparser.p0", "fpc5 %{p0}"); - - var part828 = match("HEADER#3:0004/1_11", "nwparser.p0", "ssb %{p0}"); - - var part829 = match("HEADER#15:0026.upd.a/1_0", "nwparser.p0", "RT_FLOW - %{p0}"); - - var part830 = match("HEADER#15:0026.upd.a/1_1", "nwparser.p0", "junos-ssl-proxy - %{p0}"); - - var part831 = 
match("HEADER#15:0026.upd.a/1_2", "nwparser.p0", "RT_APPQOS - %{p0}"); - - var part832 = match("HEADER#15:0026.upd.a/1_3", "nwparser.p0", "%{hfld33->} - %{p0}"); - - var hdr44 = match("HEADER#16:0026.upd.b/0", "message", "%{event_time->} %{hfld32->} %{hhostname->} %{p0}"); - - var part833 = match("MESSAGE#77:sshd:06/0", "nwparser.payload", "%{} %{p0}"); - - var part834 = match("MESSAGE#77:sshd:06/1_0", "nwparser.p0", "%{process}[%{process_id}]: %{p0}"); - - var part835 = match("MESSAGE#77:sshd:06/1_1", "nwparser.p0", "%{process}: %{p0}"); - - var part836 = match_copy("MESSAGE#72:Failed:05/1_2", "nwparser.p0", "p0"); - - var part837 = match("MESSAGE#114:ACCT_GETHOSTNAME_error/0", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{p0}"); - - var part838 = match("MESSAGE#294:LOGIN_INFORMATION/3_0", "nwparser.p0", "User %{p0}"); - - var part839 = match("MESSAGE#294:LOGIN_INFORMATION/3_1", "nwparser.p0", "user %{p0}"); - - var part840 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/0", "nwparser.payload", "%{event_type->} [junos@%{obj_name->} source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\"%{p0}"); - - var part841 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/1_0", "nwparser.p0", " connection-tag=%{fld20->} service-name=\"%{p0}"); - - var part842 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/1_1", "nwparser.p0", " service-name=\"%{p0}"); - - var part843 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/3_0", "nwparser.p0", " nat-connection-tag=%{fld6->} src-nat-rule-type=%{fld20->} %{p0}"); - - var part844 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/5_1", "nwparser.p0", "name=\"%{p0}"); - - var part845 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/8", "nwparser.p0", "]%{}"); - - var part846 = match("MESSAGE#490:RT_FLOW_SESSION_DENY:03/0_0", "nwparser.payload", "%{process}: %{event_type}: session denied %{p0}"); - - var part847 = match("MESSAGE#490:RT_FLOW_SESSION_DENY:03/0_1", 
"nwparser.payload", "%{event_type}: session denied %{p0}"); - - var part848 = match("MESSAGE#492:RT_FLOW_SESSION_CLOSE:01/0", "nwparser.payload", "%{event_type->} [junos@%{obj_name->} reason=\"%{result}\" source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\"%{p0}"); - - var part849 = match("MESSAGE#492:RT_FLOW_SESSION_CLOSE:01/2", "nwparser.p0", "%{service}\" nat-source-address=\"%{hostip}\" nat-source-port=\"%{network_port}\" nat-destination-address=\"%{dtransaddr}\" nat-destination-port=\"%{dtransport}\"%{p0}"); - - var part850 = match("MESSAGE#492:RT_FLOW_SESSION_CLOSE:01/4", "nwparser.p0", "%{}src-nat-rule-name=\"%{rulename}\" dst-nat-rule-%{p0}"); - - var part851 = match("MESSAGE#492:RT_FLOW_SESSION_CLOSE:01/5_0", "nwparser.p0", "type=%{fld7->} dst-nat-rule-name=\"%{p0}"); - - var part852 = match("MESSAGE#492:RT_FLOW_SESSION_CLOSE:01/6", "nwparser.p0", "\"%{rule_template->} protocol-id=\"%{protocol}\" policy-name=\"%{policyname}\" source-zone-name=\"%{src_zone}\" destination-zone-name=\"%{dst_zone}\" session-id-32=\"%{sessionid}\" packets-from-client=\"%{packets}\" bytes-from-client=\"%{rbytes}\" packets-from-server=\"%{dclass_counter1}\" bytes-from-server=\"%{sbytes}\" elapsed-time=\"%{duration}\"%{p0}"); - - var part853 = match("MESSAGE#492:RT_FLOW_SESSION_CLOSE:01/7_0", "nwparser.p0", " application=\"%{fld6}\" nested-application=\"%{fld7}\" username=\"%{username}\" roles=\"%{fld15}\" packet-incoming-interface=\"%{dinterface}\" encrypted=%{fld16->} %{p0}"); - - var part854 = match("MESSAGE#630:UI_CFG_AUDIT_OTHER:02/0", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' set: [%{action}] %{p0}"); - - var part855 = match_copy("MESSAGE#630:UI_CFG_AUDIT_OTHER:02/1_1", "nwparser.p0", "space"); - - var part856 = match("MESSAGE#634:UI_CFG_AUDIT_SET:01/1_1", "nwparser.p0", "\u003c\u003c%{change_old}> %{p0}"); - - var part857 = match("MESSAGE#634:UI_CFG_AUDIT_SET:01/2", 
"nwparser.p0", "-> \"%{change_new}\""); - - var part858 = match("MESSAGE#637:UI_CFG_AUDIT_SET_SECRET:01/0", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' %{p0}"); - - var part859 = match("MESSAGE#637:UI_CFG_AUDIT_SET_SECRET:01/1_0", "nwparser.p0", "set %{p0}"); - - var part860 = match("MESSAGE#637:UI_CFG_AUDIT_SET_SECRET:01/1_1", "nwparser.p0", "replace %{p0}"); - - var part861 = match("MESSAGE#675:UI_DAEMON_ACCEPT_FAILED/1_0", "nwparser.p0", "Network %{p0}"); - - var part862 = match("MESSAGE#675:UI_DAEMON_ACCEPT_FAILED/1_1", "nwparser.p0", "Local %{p0}"); - - var part863 = match("MESSAGE#755:node:05/0", "nwparser.payload", "%{hostname->} %{node->} %{p0}"); - - var part864 = match("MESSAGE#755:node:05/1_0", "nwparser.p0", "partner%{p0}"); - - var part865 = match("MESSAGE#755:node:05/1_1", "nwparser.p0", "actor%{p0}"); - - var select85 = linear_select([ - dup14, - dup15, - dup16, - dup17, - ]); - - var part866 = match("HEADER#15:0026.upd.a/2", "nwparser.p0", "%{messageid->} [%{p0}", processor_chain([ - dup13, - ])); - - var select86 = linear_select([ - dup40, - dup41, - ]); - - var part867 = match("MESSAGE#125:BFDD_TRAP_STATE_DOWN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: local discriminator: %{resultcode}, new state: %{result}", processor_chain([ - dup21, - dup22, - dup56, - dup23, - ])); - - var part868 = match("MESSAGE#214:DCD_MALLOC_FAILED_INIT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Memory allocation failed during initialization for configuration load", processor_chain([ - dup51, - dup22, - dup64, - dup23, - ])); - - var part869 = match("MESSAGE#225:ECCD_DAEMONIZE_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}, unable to run in the background as a daemon: %{result}", processor_chain([ - dup30, - dup22, - dup65, - dup23, - ])); - - var part870 = match("MESSAGE#226:ECCD_DUPLICATE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: 
Another copy of this program is running", processor_chain([ - dup30, - dup22, - dup66, - dup23, - ])); - - var part871 = match("MESSAGE#232:ECCD_PID_FILE_LOCK", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to lock PID file: %{result}", processor_chain([ - dup30, - dup22, - dup67, - dup23, - ])); - - var part872 = match("MESSAGE#233:ECCD_PID_FILE_UPDATE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to update process PID file: %{result}", processor_chain([ - dup30, - dup22, - dup68, - dup23, - ])); - - var part873 = match("MESSAGE#272:LIBJNX_EXEC_PIPE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to create pipes for command '%{action}': %{result}", processor_chain([ - dup30, - dup22, - dup71, - dup23, - ])); - - var select87 = linear_select([ - dup76, - dup77, - ]); - - var part874 = match("MESSAGE#310:MIB2D_IFD_IFINDEX_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: SNMP index assigned to %{uid->} changed from %{dclass_counter1->} to %{result}", processor_chain([ - dup30, - dup22, - dup79, - dup23, - ])); - - var part875 = match("MESSAGE#412:RPD_IFL_INDEXCOLLISION", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Logical interface collision -- %{result}, %{info}", processor_chain([ - dup30, - dup22, - dup84, - dup23, - ])); - - var part876 = match("MESSAGE#466:RPD_SCHED_CALLBACK_LONGRUNTIME", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: excessive runtime time during action of module", processor_chain([ - dup30, - dup22, - dup85, - dup23, - ])); - - var part877 = match("MESSAGE#482:RPD_TASK_REINIT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Reinitializing", processor_chain([ - dup21, - dup22, - dup86, - dup23, - ])); - - var select88 = linear_select([ - dup88, - dup89, - ]); - - var select89 = linear_select([ - dup90, - dup45, - ]); - - var select90 = linear_select([ - dup95, - dup96, - ]); - - var 
select91 = linear_select([ - dup101, - dup91, - ]); - - var part878 = match("MESSAGE#498:RT_SCREEN_TCP", "nwparser.payload", "%{event_type->} [junos@%{obj_name->} attack-name=\"%{threat_name}\" source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" source-zone-name=\"%{src_zone}\" interface-name=\"%{interface}\" action=\"%{action}\"]", processor_chain([ - dup30, - dup22, - dup52, - ])); - - var part879 = match("MESSAGE#527:SSL_PROXY_SSL_SESSION_ALLOW", "nwparser.payload", "%{event_type->} [junos@%{obj_name->} logical-system-name=\"%{hostname}\" session-id=\"%{sessionid}\" source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" nat-source-address=\"%{hostip}\" nat-source-port=\"%{network_port}\" nat-destination-address=\"%{dtransaddr}\" nat-destination-port=\"%{dtransport}\" profile-name=\"%{rulename}\" source-zone-name=\"%{src_zone}\" source-interface-name=\"%{sinterface}\" destination-zone-name=\"%{dst_zone}\" destination-interface-name=\"%{dinterface}\" message=\"%{info}\"]", processor_chain([ - dup27, - dup22, - dup52, - ])); - - var select92 = linear_select([ - dup118, - dup119, - ]); - - var select93 = linear_select([ - dup123, - dup124, - ]); - - var part880 = match("MESSAGE#733:WEBFILTER_URL_PERMITTED", "nwparser.payload", "%{event_type->} [junos@%{fld21->} source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" name=\"%{info}\" error-message=\"%{result}\" profile-name=\"%{profile}\" object-name=\"%{obj_name}\" pathname=\"%{directory}\" username=\"%{username}\" roles=\"%{user_role}\"] WebFilter: ACTION=\"%{action}\" %{fld2}->%{fld3->} CATEGORY=\"%{category}\" REASON=\"%{fld4}\" PROFILE=\"%{fld6}\" URL=%{url->} OBJ=%{fld7->} USERNAME=%{fld8->} ROLES=%{fld9}", processor_chain([ - dup30, - dup22, - dup52, - ])); - - var part881 = match_copy("MESSAGE#747:cli", "nwparser.payload", 
"fld12", processor_chain([ - dup48, - dup47, - dup23, - dup22, - ])); - -- community_id: -- registered_domain: - ignore_missing: true - ignore_failure: true - field: dns.question.name - target_field: dns.question.registered_domain - target_subdomain_field: dns.question.subdomain - target_etld_field: dns.question.top_level_domain -- registered_domain: - ignore_missing: true - ignore_failure: true - field: client.domain - target_field: client.registered_domain - target_subdomain_field: client.subdomain - target_etld_field: client.top_level_domain -- registered_domain: - ignore_missing: true - ignore_failure: true - field: server.domain - target_field: server.registered_domain - target_subdomain_field: server.subdomain - target_etld_field: server.top_level_domain -- registered_domain: - ignore_missing: true - ignore_failure: true - field: destination.domain - target_field: destination.registered_domain - target_subdomain_field: destination.subdomain - target_etld_field: destination.top_level_domain -- registered_domain: - ignore_missing: true - ignore_failure: true - field: source.domain - target_field: source.registered_domain - target_subdomain_field: source.subdomain - target_etld_field: source.top_level_domain -- registered_domain: - ignore_missing: true - ignore_failure: true - field: url.domain - target_field: url.registered_domain - target_subdomain_field: url.subdomain - target_etld_field: url.top_level_domain -- add_locale: ~ diff --git a/packages/juniper_junos/0.4.2/data_stream/log/agent/stream/udp.yml.hbs b/packages/juniper_junos/0.4.2/data_stream/log/agent/stream/udp.yml.hbs deleted file mode 100755 index 2abb5c1182..0000000000 --- a/packages/juniper_junos/0.4.2/data_stream/log/agent/stream/udp.yml.hbs +++ /dev/null 
@@ -1,12569 +0,0 @@ -udp: -host: "{{udp_host}}:{{udp_port}}" -tags: -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#each tags as |tag i|}} - - {{tag}} -{{/each}} -fields_under_root: true -fields: - observer: - vendor: "Juniper" - product: "Junos" - type: "Routers" -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} -processors: -{{#if processors}} -{{processors}} -{{/if}} -- script: - lang: javascript - params: - ecs: true - rsa: {{rsa_fields}} - tz_offset: {{tz_offset}} - keep_raw: {{keep_raw_fields}} - debug: {{debug}} - source: | - // Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - // or more contributor license agreements. Licensed under the Elastic License; - // you may not use this file except in compliance with the Elastic License. - - /* jshint -W014,-W016,-W097,-W116 */ - - var processor = require("processor"); - var console = require("console"); - - var FLAG_FIELD = "log.flags"; - var FIELDS_OBJECT = "nwparser"; - var FIELDS_PREFIX = FIELDS_OBJECT + "."; - - var defaults = { - debug: false, - ecs: true, - rsa: false, - keep_raw: false, - tz_offset: "local", - strip_priority: true - }; - - var saved_flags = null; - var debug; - var map_ecs; - var map_rsa; - var keep_raw; - var device; - var tz_offset; - var strip_priority; - - // Register params from configuration. - function register(params) { - debug = params.debug !== undefined ? params.debug : defaults.debug; - map_ecs = params.ecs !== undefined ? params.ecs : defaults.ecs; - map_rsa = params.rsa !== undefined ? params.rsa : defaults.rsa; - keep_raw = params.keep_raw !== undefined ? params.keep_raw : defaults.keep_raw; - tz_offset = parse_tz_offset(params.tz_offset !== undefined? params.tz_offset : defaults.tz_offset); - strip_priority = params.strip_priority !== undefined? 
params.strip_priority : defaults.strip_priority; - device = new DeviceProcessor(); - } - - function parse_tz_offset(offset) { - var date; - var m; - switch(offset) { - // local uses the tz offset from the JS VM. - case "local": - date = new Date(); - // Reversing the sign as we the offset from UTC, not to UTC. - return parse_local_tz_offset(-date.getTimezoneOffset()); - // event uses the tz offset from event.timezone (add_locale processor). - case "event": - return offset; - // Otherwise a tz offset in the form "[+-][0-9]{4}" is required. - default: - m = offset.match(/^([+\-])([0-9]{2}):?([0-9]{2})?$/); - if (m === null || m.length !== 4) { - throw("bad timezone offset: '" + offset + "'. Must have the form +HH:MM"); - } - return m[1] + m[2] + ":" + (m[3]!==undefined? m[3] : "00"); - } - } - - function parse_local_tz_offset(minutes) { - var neg = minutes < 0; - minutes = Math.abs(minutes); - var min = minutes % 60; - var hours = Math.floor(minutes / 60); - var pad2digit = function(n) { - if (n < 10) { return "0" + n;} - return "" + n; - }; - return (neg? "-" : "+") + pad2digit(hours) + ":" + pad2digit(min); - } - - function process(evt) { - // Function register is only called by the processor when `params` are set - // in the processor config. - if (device === undefined) { - register(defaults); - } - return device.process(evt); - } - - function processor_chain(subprocessors) { - var builder = new processor.Chain(); - subprocessors.forEach(builder.Add); - return builder.Build().Run; - } - - function linear_select(subprocessors) { - return function (evt) { - var flags = evt.Get(FLAG_FIELD); - var i; - for (i = 0; i < subprocessors.length; i++) { - evt.Delete(FLAG_FIELD); - if (debug) console.warn("linear_select trying entry " + i); - subprocessors[i](evt); - // Dissect processor succeeded? 
- if (evt.Get(FLAG_FIELD) == null) break; - if (debug) console.warn("linear_select failed entry " + i); - } - if (flags !== null) { - evt.Put(FLAG_FIELD, flags); - } - if (debug) { - if (i < subprocessors.length) { - console.warn("linear_select matched entry " + i); - } else { - console.warn("linear_select didn't match"); - } - } - }; - } - - function conditional(opt) { - return function(evt) { - if (opt.if(evt)) { - opt.then(evt); - } else if (opt.else) { - opt.else(evt); - } - }; - } - - var strip_syslog_priority = (function() { - var isEnabled = function() { return strip_priority === true; }; - var fetchPRI = field("_pri"); - var fetchPayload = field("payload"); - var removePayload = remove(["payload"]); - var cleanup = remove(["_pri", "payload"]); - var onMatch = function(evt) { - var pri, priStr = fetchPRI(evt); - if (priStr != null - && 0 < priStr.length && priStr.length < 4 - && !isNaN((pri = Number(priStr))) - && 0 <= pri && pri < 192) { - var severity = pri & 7, - facility = pri >> 3; - setc("_severity", "" + severity)(evt); - setc("_facility", "" + facility)(evt); - // Replace message with priority stripped. - evt.Put("message", fetchPayload(evt)); - removePayload(evt); - } else { - // not a valid syslog PRI, cleanup. 
- cleanup(evt); - } - }; - return conditional({ - if: isEnabled, - then: cleanup_flags(match( - "STRIP_PRI", - "message", - "<%{_pri}>%{payload}", - onMatch - )) - }); - })(); - - function match(id, src, pattern, on_success) { - var dissect = new processor.Dissect({ - field: src, - tokenizer: pattern, - target_prefix: FIELDS_OBJECT, - ignore_failure: true, - overwrite_keys: true, - trim_values: "right" - }); - return function (evt) { - var msg = evt.Get(src); - dissect.Run(evt); - var failed = evt.Get(FLAG_FIELD) != null; - if (debug) { - if (failed) { - console.debug("dissect fail: " + id + " field:" + src); - } else { - console.debug("dissect OK: " + id + " field:" + src); - } - console.debug(" expr: <<" + pattern + ">>"); - console.debug(" input: <<" + msg + ">>"); - } - if (on_success != null && !failed) { - on_success(evt); - } - }; - } - - function match_copy(id, src, dst, on_success) { - dst = FIELDS_PREFIX + dst; - if (dst === FIELDS_PREFIX || dst === src) { - return function (evt) { - if (debug) { - console.debug("noop OK: " + id + " field:" + src); - console.debug(" input: <<" + evt.Get(src) + ">>"); - } - if (on_success != null) on_success(evt); - } - } - return function (evt) { - var msg = evt.Get(src); - evt.Put(dst, msg); - if (debug) { - console.debug("copy OK: " + id + " field:" + src); - console.debug(" target: '" + dst + "'"); - console.debug(" input: <<" + msg + ">>"); - } - if (on_success != null) on_success(evt); - } - } - - function cleanup_flags(processor) { - return function(evt) { - processor(evt); - evt.Delete(FLAG_FIELD); - }; - } - - function all_match(opts) { - return function (evt) { - var i; - for (i = 0; i < opts.processors.length; i++) { - evt.Delete(FLAG_FIELD); - opts.processors[i](evt); - // Dissect processor succeeded? 
- if (evt.Get(FLAG_FIELD) != null) { - if (debug) console.warn("all_match failure at " + i); - if (opts.on_failure != null) opts.on_failure(evt); - return; - } - if (debug) console.warn("all_match success at " + i); - } - if (opts.on_success != null) opts.on_success(evt); - }; - } - - function msgid_select(mapping) { - return function (evt) { - var msgid = evt.Get(FIELDS_PREFIX + "messageid"); - if (msgid == null) { - if (debug) console.warn("msgid_select: no messageid captured!"); - return; - } - var next = mapping[msgid]; - if (next === undefined) { - if (debug) console.warn("msgid_select: no mapping for messageid:" + msgid); - return; - } - if (debug) console.info("msgid_select: matched key=" + msgid); - return next(evt); - }; - } - - function msg(msg_id, match) { - return function (evt) { - match(evt); - if (evt.Get(FLAG_FIELD) == null) { - evt.Put(FIELDS_PREFIX + "msg_id1", msg_id); - } - }; - } - - var start; - - function save_flags(evt) { - saved_flags = evt.Get(FLAG_FIELD); - evt.Put("event.original", evt.Get("message")); - } - - function restore_flags(evt) { - if (saved_flags !== null) { - evt.Put(FLAG_FIELD, saved_flags); - } - evt.Delete("message"); - } - - function constant(value) { - return function (evt) { - return value; - }; - } - - function field(name) { - var fullname = FIELDS_PREFIX + name; - return function (evt) { - return evt.Get(fullname); - }; - } - - function STRCAT(args) { - var s = ""; - var i; - for (i = 0; i < args.length; i++) { - s += args[i]; - } - return s; - } - - // TODO: Implement - function DIRCHK(args) { - unimplemented("DIRCHK"); - } - - function strictToInt(str) { - return str * 1; - } - - function CALC(args) { - if (args.length !== 3) { - console.warn("skipped call to CALC with " + args.length + " arguments."); - return; - } - var a = strictToInt(args[0]); - var b = strictToInt(args[2]); - if (isNaN(a) || isNaN(b)) { - console.warn("failed evaluating CALC arguments a='" + args[0] + "' b='" + args[2] + "'."); - return; - } - 
var result; - switch (args[1]) { - case "+": - result = a + b; - break; - case "-": - result = a - b; - break; - case "*": - result = a * b; - break; - default: - // Only * and + seen in the parsers. - console.warn("unknown CALC operation '" + args[1] + "'."); - return; - } - // Always return a string - return result !== undefined ? "" + result : result; - } - - var quoteChars = "\"'`"; - function RMQ(args) { - if(args.length !== 1) { - console.warn("RMQ: only one argument expected"); - return; - } - var value = args[0].trim(); - var n = value.length; - var char; - return n > 1 - && (char=value.charAt(0)) === value.charAt(n-1) - && quoteChars.indexOf(char) !== -1? - value.substr(1, n-2) - : value; - } - - function call(opts) { - var args = new Array(opts.args.length); - return function (evt) { - for (var i = 0; i < opts.args.length; i++) - if ((args[i] = opts.args[i](evt)) == null) return; - var result = opts.fn(args); - if (result != null) { - evt.Put(opts.dest, result); - } - }; - } - - function nop(evt) { - } - - function appendErrorMsg(evt, msg) { - var value = evt.Get("error.message"); - if (value == null) { - value = [msg]; - } else if (msg instanceof Array) { - value.push(msg); - } else { - value = [value, msg]; - } - evt.Put("error.message", value); - } - - function unimplemented(name) { - appendErrorMsg("unimplemented feature: " + name); - } - - function lookup(opts) { - return function (evt) { - var key = opts.key(evt); - if (key == null) return; - var value = opts.map.keyvaluepairs[key]; - if (value === undefined) { - value = opts.map.default; - } - if (value !== undefined) { - evt.Put(opts.dest, value(evt)); - } - }; - } - - function set(fields) { - return new processor.AddFields({ - target: FIELDS_OBJECT, - fields: fields, - }); - } - - function setf(dst, src) { - return function (evt) { - var val = evt.Get(FIELDS_PREFIX + src); - if (val != null) evt.Put(FIELDS_PREFIX + dst, val); - }; - } - - function setc(dst, value) { - return function (evt) { - 
evt.Put(FIELDS_PREFIX + dst, value); - }; - } - - function set_field(opts) { - return function (evt) { - var val = opts.value(evt); - if (val != null) evt.Put(opts.dest, val); - }; - } - - function dump(label) { - return function (evt) { - console.log("Dump of event at " + label + ": " + JSON.stringify(evt, null, "\t")); - }; - } - - function date_time_join_args(evt, arglist) { - var str = ""; - for (var i = 0; i < arglist.length; i++) { - var fname = FIELDS_PREFIX + arglist[i]; - var val = evt.Get(fname); - if (val != null) { - if (str !== "") str += " "; - str += val; - } else { - if (debug) console.warn("in date_time: input arg " + fname + " is not set"); - } - } - return str; - } - - function to2Digit(num) { - return num? (num < 10? "0" + num : num) : "00"; - } - - // Make two-digit dates 00-69 interpreted as 2000-2069 - // and dates 70-99 translated to 1970-1999. - var twoDigitYearEpoch = 70; - var twoDigitYearCentury = 2000; - - // This is to accept dates up to 2 days in the future, only used when - // no year is specified in a date. 2 days should be enough to account for - // time differences between systems and different tz offsets. - var maxFutureDelta = 2*24*60*60*1000; - - // DateContainer stores date fields and then converts those fields into - // a Date. Necessary because building a Date using its set() methods gives - // different results depending on the order of components. - function DateContainer(tzOffset) { - this.offset = tzOffset === undefined? "Z" : tzOffset; - } - - DateContainer.prototype = { - setYear: function(v) {this.year = v;}, - setMonth: function(v) {this.month = v;}, - setDay: function(v) {this.day = v;}, - setHours: function(v) {this.hours = v;}, - setMinutes: function(v) {this.minutes = v;}, - setSeconds: function(v) {this.seconds = v;}, - - setUNIX: function(v) {this.unix = v;}, - - set2DigitYear: function(v) { - this.year = v < twoDigitYearEpoch? 
twoDigitYearCentury + v : twoDigitYearCentury + v - 100; - }, - - toDate: function() { - if (this.unix !== undefined) { - return new Date(this.unix * 1000); - } - if (this.day === undefined || this.month === undefined) { - // Can't make a date from this. - return undefined; - } - if (this.year === undefined) { - // A date without a year. Set current year, or previous year - // if date would be in the future. - var now = new Date(); - this.year = now.getFullYear(); - var date = this.toDate(); - if (date.getTime() - now.getTime() > maxFutureDelta) { - date.setFullYear(now.getFullYear() - 1); - } - return date; - } - var MM = to2Digit(this.month); - var DD = to2Digit(this.day); - var hh = to2Digit(this.hours); - var mm = to2Digit(this.minutes); - var ss = to2Digit(this.seconds); - return new Date(this.year + "-" + MM + "-" + DD + "T" + hh + ":" + mm + ":" + ss + this.offset); - } - } - - function date_time_try_pattern(fmt, str, tzOffset) { - var date = new DateContainer(tzOffset); - var pos = date_time_try_pattern_at_pos(fmt, str, 0, date); - return pos !== undefined? 
date.toDate() : undefined; - } - - function date_time_try_pattern_at_pos(fmt, str, pos, date) { - var len = str.length; - for (var proc = 0; pos !== undefined && pos < len && proc < fmt.length; proc++) { - pos = fmt[proc](str, pos, date); - } - return pos; - } - - function date_time(opts) { - return function (evt) { - var tzOffset = opts.tz || tz_offset; - if (tzOffset === "event") { - tzOffset = evt.Get("event.timezone"); - } - var str = date_time_join_args(evt, opts.args); - for (var i = 0; i < opts.fmts.length; i++) { - var date = date_time_try_pattern(opts.fmts[i], str, tzOffset); - if (date !== undefined) { - evt.Put(FIELDS_PREFIX + opts.dest, date); - return; - } - } - if (debug) console.warn("in date_time: id=" + opts.id + " FAILED: " + str); - }; - } - - var uA = 60 * 60 * 24; - var uD = 60 * 60 * 24; - var uF = 60 * 60; - var uG = 60 * 60 * 24 * 30; - var uH = 60 * 60; - var uI = 60 * 60; - var uJ = 60 * 60 * 24; - var uM = 60 * 60 * 24 * 30; - var uN = 60 * 60; - var uO = 1; - var uS = 1; - var uT = 60; - var uU = 60; - var uc = dc; - - function duration(opts) { - return function(evt) { - var str = date_time_join_args(evt, opts.args); - for (var i = 0; i < opts.fmts.length; i++) { - var seconds = duration_try_pattern(opts.fmts[i], str); - if (seconds !== undefined) { - evt.Put(FIELDS_PREFIX + opts.dest, seconds); - return; - } - } - if (debug) console.warn("in duration: id=" + opts.id + " (s) FAILED: " + str); - }; - } - - function duration_try_pattern(fmt, str) { - var secs = 0; - var pos = 0; - for (var i=0; i [ month_id , how many chars to skip if month in long form ] - "Jan": [0, 4], - "Feb": [1, 5], - "Mar": [2, 2], - "Apr": [3, 2], - "May": [4, 0], - "Jun": [5, 1], - "Jul": [6, 1], - "Aug": [7, 3], - "Sep": [8, 6], - "Oct": [9, 4], - "Nov": [10, 5], - "Dec": [11, 4], - "jan": [0, 4], - "feb": [1, 5], - "mar": [2, 2], - "apr": [3, 2], - "may": [4, 0], - "jun": [5, 1], - "jul": [6, 1], - "aug": [7, 3], - "sep": [8, 6], - "oct": [9, 4], - "nov": [10, 
5], - "dec": [11, 4], - }; - - // var dC = undefined; - var dR = dateMonthName(true); - var dB = dateMonthName(false); - var dM = dateFixedWidthNumber("M", 2, 1, 12, DateContainer.prototype.setMonth); - var dG = dateVariableWidthNumber("G", 1, 12, DateContainer.prototype.setMonth); - var dD = dateFixedWidthNumber("D", 2, 1, 31, DateContainer.prototype.setDay); - var dF = dateVariableWidthNumber("F", 1, 31, DateContainer.prototype.setDay); - var dH = dateFixedWidthNumber("H", 2, 0, 24, DateContainer.prototype.setHours); - var dI = dateVariableWidthNumber("I", 0, 24, DateContainer.prototype.setHours); // Accept hours >12 - var dN = dateVariableWidthNumber("N", 0, 24, DateContainer.prototype.setHours); - var dT = dateFixedWidthNumber("T", 2, 0, 59, DateContainer.prototype.setMinutes); - var dU = dateVariableWidthNumber("U", 0, 59, DateContainer.prototype.setMinutes); - var dP = parseAMPM; // AM|PM - var dQ = parseAMPM; // A.M.|P.M - var dS = dateFixedWidthNumber("S", 2, 0, 60, DateContainer.prototype.setSeconds); - var dO = dateVariableWidthNumber("O", 0, 60, DateContainer.prototype.setSeconds); - var dY = dateFixedWidthNumber("Y", 2, 0, 99, DateContainer.prototype.set2DigitYear); - var dW = dateFixedWidthNumber("W", 4, 1000, 9999, DateContainer.prototype.setYear); - var dZ = parseHMS; - var dX = dateVariableWidthNumber("X", 0, 0x10000000000, DateContainer.prototype.setUNIX); - - // parseAMPM parses "A.M", "AM", "P.M", "PM" from logs. - // Only works if this modifier appears after the hour has been read from logs - // which is always the case in the 300 devices. 
- function parseAMPM(str, pos, date) { - var n = str.length; - var start = skipws(str, pos); - if (start + 2 > n) return; - var head = str.substr(start, 2).toUpperCase(); - var isPM = false; - var skip = false; - switch (head) { - case "A.": - skip = true; - /* falls through */ - case "AM": - break; - case "P.": - skip = true; - /* falls through */ - case "PM": - isPM = true; - break; - default: - if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(head:" + head + ")"); - return; - } - pos = start + 2; - if (skip) { - if (pos+2 > n || str.substr(pos, 2).toUpperCase() !== "M.") { - if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(tail)"); - return; - } - pos += 2; - } - var hh = date.hours; - if (isPM) { - // Accept existing hour in 24h format. - if (hh < 12) hh += 12; - } else { - if (hh === 12) hh = 0; - } - date.setHours(hh); - return pos; - } - - function parseHMS(str, pos, date) { - return date_time_try_pattern_at_pos([dN, dc(":"), dU, dc(":"), dO], str, pos, date); - } - - function skipws(str, pos) { - for ( var n = str.length; - pos < n && str.charAt(pos) === " "; - pos++) - ; - return pos; - } - - function skipdigits(str, pos) { - var c; - for (var n = str.length; - pos < n && (c = str.charAt(pos)) >= "0" && c <= "9"; - pos++) - ; - return pos; - } - - function dSkip(str, pos, date) { - var chr; - for (;pos < str.length && (chr=str[pos])<'0' || chr>'9'; pos++) {} - return pos < str.length? 
pos : undefined; - } - - function dateVariableWidthNumber(fmtChar, min, max, setter) { - return function (str, pos, date) { - var start = skipws(str, pos); - pos = skipdigits(str, start); - var s = str.substr(start, pos - start); - var value = parseInt(s, 10); - if (value >= min && value <= max) { - setter.call(date, value); - return pos; - } - return; - }; - } - - function dateFixedWidthNumber(fmtChar, width, min, max, setter) { - return function (str, pos, date) { - pos = skipws(str, pos); - var n = str.length; - if (pos + width > n) return; - var s = str.substr(pos, width); - var value = parseInt(s, 10); - if (value >= min && value <= max) { - setter.call(date, value); - return pos + width; - } - return; - }; - } - - // Short month name (Jan..Dec). - function dateMonthName(long) { - return function (str, pos, date) { - pos = skipws(str, pos); - var n = str.length; - if (pos + 3 > n) return; - var mon = str.substr(pos, 3); - var idx = shortMonths[mon]; - if (idx === undefined) { - idx = shortMonths[mon.toLowerCase()]; - } - if (idx === undefined) { - //console.warn("parsing date_time: '" + mon + "' is not a valid short month (%B)"); - return; - } - date.setMonth(idx[0]+1); - return pos + 3 + (long ? 
idx[1] : 0); - }; - } - - function url_wrapper(dst, src, fn) { - return function(evt) { - var value = evt.Get(FIELDS_PREFIX + src), result; - if (value != null && (result = fn(value))!== undefined) { - evt.Put(FIELDS_PREFIX + dst, result); - } else { - console.debug(fn.name + " failed for '" + value + "'"); - } - }; - } - - // The following regular expression for parsing URLs from: - // https://github.com/wizard04wsu/URI_Parsing - // - // The MIT License (MIT) - // - // Copyright (c) 2014 Andrew Harrison - // - // Permission is hereby granted, free of charge, to any person obtaining a copy of - // this software and associated documentation files (the "Software"), to deal in - // the Software without restriction, including without limitation the rights to - // use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of - // the Software, and to permit persons to whom the Software is furnished to do so, - // subject to the following conditions: - // - // The above copyright notice and this permission notice shall be included in all - // copies or substantial portions of the Software. - // - // THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR - // IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS - // FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR - // COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER - // IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN - // CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 
- var uriRegExp = /^([a-z][a-z0-9+.\-]*):(?:\/\/((?:(?=((?:[a-z0-9\-._~!$&'()*+,;=:]|%[0-9A-F]{2})*))(\3)@)?(?=(\[[0-9A-F:.]{2,}\]|(?:[a-z0-9\-._~!$&'()*+,;=]|%[0-9A-F]{2})*))\5(?::(?=(\d*))\6)?)(\/(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\8)?|(\/?(?!\/)(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\10)?)(?:\?(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\11)?(?:#(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\12)?$/i; - - var uriScheme = 1; - var uriDomain = 5; - var uriPort = 6; - var uriPath = 7; - var uriPathAlt = 9; - var uriQuery = 11; - - function domain(dst, src) { - return url_wrapper(dst, src, extract_domain); - } - - function split_url(value) { - var m = value.match(uriRegExp); - if (m && m[uriDomain]) return m; - // Support input in the form "www.example.net/path", but not "/path". - m = ("null://" + value).match(uriRegExp); - if (m) return m; - } - - function extract_domain(value) { - var m = split_url(value); - if (m && m[uriDomain]) return m[uriDomain]; - } - - var extFromPage = /\.[^.]+$/; - function extract_ext(value) { - var page = extract_page(value); - if (page) { - var m = page.match(extFromPage); - if (m) return m[0]; - } - } - - function ext(dst, src) { - return url_wrapper(dst, src, extract_ext); - } - - function fqdn(dst, src) { - // TODO: fqdn and domain(eTLD+1) are currently the same. - return domain(dst, src); - } - - var pageFromPathRegExp = /\/([^\/]+)$/; - var pageName = 1; - - function extract_page(value) { - value = extract_path(value); - if (!value) return undefined; - var m = value.match(pageFromPathRegExp); - if (m) return m[pageName]; - } - - function page(dst, src) { - return url_wrapper(dst, src, extract_page); - } - - function extract_path(value) { - var m = split_url(value); - return m? m[uriPath] || m[uriPathAlt] : undefined; - } - - function path(dst, src) { - return url_wrapper(dst, src, extract_path); - } - - // Map common schemes to their default port. 
- // port has to be a string (will be converted at a later stage). - var schemePort = { - "ftp": "21", - "ssh": "22", - "http": "80", - "https": "443", - }; - - function extract_port(value) { - var m = split_url(value); - if (!m) return undefined; - if (m[uriPort]) return m[uriPort]; - if (m[uriScheme]) { - return schemePort[m[uriScheme]]; - } - } - - function port(dst, src) { - return url_wrapper(dst, src, extract_port); - } - - function extract_query(value) { - var m = split_url(value); - if (m && m[uriQuery]) return m[uriQuery]; - } - - function query(dst, src) { - return url_wrapper(dst, src, extract_query); - } - - function extract_root(value) { - var m = split_url(value); - if (m && m[uriDomain] && m[uriDomain]) { - var scheme = m[uriScheme] && m[uriScheme] !== "null"? - m[uriScheme] + "://" : ""; - var port = m[uriPort]? ":" + m[uriPort] : ""; - return scheme + m[uriDomain] + port; - } - } - - function root(dst, src) { - return url_wrapper(dst, src, extract_root); - } - - function tagval(id, src, cfg, keys, on_success) { - var fail = function(evt) { - evt.Put(FLAG_FIELD, "tagval_parsing_error"); - } - if (cfg.kv_separator.length !== 1) { - throw("Invalid TAGVALMAP ValueDelimiter (must have 1 character)"); - } - var quotes_len = cfg.open_quote.length > 0 && cfg.close_quote.length > 0? 
- cfg.open_quote.length + cfg.close_quote.length : 0; - var kv_regex = new RegExp('^([^' + cfg.kv_separator + ']*)*' + cfg.kv_separator + ' *(.*)*$'); - return function(evt) { - var msg = evt.Get(src); - if (msg === undefined) { - console.warn("tagval: input field is missing"); - return fail(evt); - } - var pairs = msg.split(cfg.pair_separator); - var i; - var success = false; - var prev = ""; - for (i=0; i 0 && - value.length >= cfg.open_quote.length + cfg.close_quote.length && - value.substr(0, cfg.open_quote.length) === cfg.open_quote && - value.substr(value.length - cfg.close_quote.length) === cfg.close_quote) { - value = value.substr(cfg.open_quote.length, value.length - quotes_len); - } - evt.Put(FIELDS_PREFIX + field, value); - success = true; - } - if (!success) { - return fail(evt); - } - if (on_success != null) { - on_success(evt); - } - } - } - - var ecs_mappings = { - "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]}, - "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]}, - "_severity": {convert: to_long, to:[{field: "log.syslog.severity.code", setter: fld_set}]}, - "action": {to:[{field: "event.action", setter: fld_prio, prio: 0}]}, - "administrator": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 4}]}, - "alias.ip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 3},{field: "related.ip", setter: fld_append}]}, - "alias.ipv6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 4},{field: "related.ip", setter: fld_append}]}, - "alias.mac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 1}]}, - "application": {to:[{field: "network.application", setter: fld_set}]}, - "bytes": {convert: to_long, to:[{field: "network.bytes", setter: fld_set}]}, - "c_domain": {to:[{field: "source.domain", setter: fld_prio, prio: 1}]}, - "c_logon_id": {to:[{field: "user.id", setter: fld_prio, prio: 2}]}, - 
"c_user_name": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 8}]},
- "c_username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 2}]},
- "cctld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 1}]},
- "child_pid": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 1}]},
- "child_pid_val": {to:[{field: "process.title", setter: fld_set}]},
- "child_process": {to:[{field: "process.name", setter: fld_prio, prio: 1}]},
- "city.dst": {to:[{field: "destination.geo.city_name", setter: fld_set}]},
- "city.src": {to:[{field: "source.geo.city_name", setter: fld_set}]},
- "daddr": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]},
- "daddr_v6": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]},
- "ddomain": {to:[{field: "destination.domain", setter: fld_prio, prio: 0}]},
- "devicehostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]},
- "devicehostmac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 0}]},
- "dhost": {to:[{field: "destination.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]},
- "dinterface": {to:[{field: "observer.egress.interface.name", setter: fld_set}]},
- "direction": {to:[{field: "network.direction", setter: fld_set}]},
- "directory": {to:[{field: "file.directory", setter: fld_set}]},
- "dmacaddr": {convert: to_mac, to:[{field: "destination.mac", setter: fld_set}]},
- "dns.responsetype": {to:[{field: "dns.answers.type", setter: fld_set}]},
- "dns.resptext": {to:[{field: "dns.answers.name", setter: fld_set}]},
- "dns_querytype": {to:[{field: "dns.question.type", setter: fld_set}]},
- "domain": {to:[{field: "server.domain", setter: fld_prio, prio: 0},{field: "related.hosts", setter: fld_append}]},
- 
"domain.dst": {to:[{field: "destination.domain", setter: fld_prio, prio: 1}]},
- "domain.src": {to:[{field: "source.domain", setter: fld_prio, prio: 2}]},
- "domain_id": {to:[{field: "user.domain", setter: fld_set}]},
- "domainname": {to:[{field: "server.domain", setter: fld_prio, prio: 1}]},
- "dport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 0}]},
- "dtransaddr": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]},
- "dtransport": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 0}]},
- "ec_outcome": {to:[{field: "event.outcome", setter: fld_ecs_outcome}]},
- "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]},
- "event_source": {to:[{field: "related.hosts", setter: fld_append}]},
- "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]},
- "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]},
- "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]},
- "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]},
- "filename": {to:[{field: "file.name", setter: fld_prio, prio: 0}]},
- "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]},
- "filepath": {to:[{field: "file.path", setter: fld_set}]},
- "filetype": {to:[{field: "file.type", setter: fld_set}]},
- "fqdn": {to:[{field: "related.hosts", setter: fld_append}]},
- "group": {to:[{field: "group.name", setter: fld_set}]},
- "groupid": {to:[{field: "group.id", setter: fld_set}]},
- "host": {to:[{field: "host.name", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]},
- "hostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]},
- "hostip_v6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]},
- "hostname": {to:[{field: 
"host.name", setter: fld_prio, prio: 0}]},
- "id": {to:[{field: "event.code", setter: fld_prio, prio: 0}]},
- "interface": {to:[{field: "network.interface.name", setter: fld_set}]},
- "ip.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]},
- "ip.trans.dst": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]},
- "ip.trans.src": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]},
- "ipv6.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]},
- "latdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lat", setter: fld_set}]},
- "latdec_src": {convert: to_double, to:[{field: "source.geo.location.lat", setter: fld_set}]},
- "location_city": {to:[{field: "geo.city_name", setter: fld_set}]},
- "location_country": {to:[{field: "geo.country_name", setter: fld_set}]},
- "location_desc": {to:[{field: "geo.name", setter: fld_set}]},
- "location_dst": {to:[{field: "destination.geo.country_name", setter: fld_set}]},
- "location_src": {to:[{field: "source.geo.country_name", setter: fld_set}]},
- "location_state": {to:[{field: "geo.region_name", setter: fld_set}]},
- "logon_id": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 5}]},
- "longdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lon", setter: fld_set}]},
- "longdec_src": {convert: to_double, to:[{field: "source.geo.location.lon", setter: fld_set}]},
- "macaddr": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 2}]},
- "messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]},
- "method": {to:[{field: "http.request.method", setter: fld_set}]},
- "msg": {to:[{field: "message", setter: fld_set}]},
- "orig_ip": {convert: to_ip, 
to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]},
- "owner": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 6}]},
- "packets": {convert: to_long, to:[{field: "network.packets", setter: fld_set}]},
- "parent_pid": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 0}]},
- "parent_pid_val": {to:[{field: "process.parent.title", setter: fld_set}]},
- "parent_process": {to:[{field: "process.parent.name", setter: fld_prio, prio: 0}]},
- "patient_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 1}]},
- "port.dst": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 1}]},
- "port.src": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 1}]},
- "port.trans.dst": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 1}]},
- "port.trans.src": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 1}]},
- "process": {to:[{field: "process.name", setter: fld_prio, prio: 0}]},
- "process_id": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 0}]},
- "process_id_src": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 1}]},
- "process_src": {to:[{field: "process.parent.name", setter: fld_prio, prio: 1}]},
- "product": {to:[{field: "observer.product", setter: fld_set}]},
- "protocol": {to:[{field: "network.protocol", setter: fld_set}]},
- "query": {to:[{field: "url.query", setter: fld_prio, prio: 2}]},
- "rbytes": {convert: to_long, to:[{field: "destination.bytes", setter: fld_set}]},
- "referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 1}]},
- "rulename": {to:[{field: "rule.name", setter: fld_set}]},
- "saddr": {convert: to_ip, to:[{field: "source.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]},
- "saddr_v6": {convert: to_ip, to:[{field: "source.ip", setter: 
fld_set},{field: "related.ip", setter: fld_append}]},
- "sbytes": {convert: to_long, to:[{field: "source.bytes", setter: fld_set}]},
- "sdomain": {to:[{field: "source.domain", setter: fld_prio, prio: 0}]},
- "service": {to:[{field: "service.name", setter: fld_prio, prio: 1}]},
- "service.name": {to:[{field: "service.name", setter: fld_prio, prio: 0}]},
- "service_account": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 7}]},
- "severity": {to:[{field: "log.level", setter: fld_set}]},
- "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]},
- "sinterface": {to:[{field: "observer.ingress.interface.name", setter: fld_set}]},
- "sld": {to:[{field: "url.registered_domain", setter: fld_set}]},
- "smacaddr": {convert: to_mac, to:[{field: "source.mac", setter: fld_set}]},
- "sport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 0}]},
- "stransaddr": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]},
- "stransport": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 0}]},
- "tcp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 2}]},
- "tcp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 2}]},
- "timezone": {to:[{field: "event.timezone", setter: fld_set}]},
- "tld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 0}]},
- "udp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 3}]},
- "udp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 3}]},
- "uid": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 3}]},
- "url": {to:[{field: "url.original", setter: fld_prio, prio: 1}]},
- "url_raw": {to:[{field: "url.original", setter: fld_prio, prio: 
0}]},
- "urldomain": {to:[{field: "url.domain", setter: fld_prio, prio: 0}]},
- "urlquery": {to:[{field: "url.query", setter: fld_prio, prio: 0}]},
- "user": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 0}]},
- "user.id": {to:[{field: "user.id", setter: fld_prio, prio: 1}]},
- "user_agent": {to:[{field: "user_agent.original", setter: fld_set}]},
- "user_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 0}]},
- "user_id": {to:[{field: "user.id", setter: fld_prio, prio: 0}]},
- "username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 1}]},
- "version": {to:[{field: "observer.version", setter: fld_set}]},
- "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]},
- "web_extension": {to:[{field: "file.extension", setter: fld_prio, prio: 0}]},
- "web_query": {to:[{field: "url.query", setter: fld_prio, prio: 1}]},
- "web_ref_domain": {to:[{field: "related.hosts", setter: fld_append}]},
- "web_referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 0}]},
- "web_root": {to:[{field: "url.path", setter: fld_set}]},
- "webpage": {to:[{field: "file.name", setter: fld_prio, prio: 1}]},
- };
-
- var rsa_mappings = {
- "access_point": {to:[{field: "rsa.wireless.access_point", setter: fld_set}]},
- "accesses": {to:[{field: "rsa.identity.accesses", setter: fld_set}]},
- "acl_id": {to:[{field: "rsa.misc.acl_id", setter: fld_set}]},
- "acl_op": {to:[{field: "rsa.misc.acl_op", setter: fld_set}]},
- "acl_pos": {to:[{field: "rsa.misc.acl_pos", setter: fld_set}]},
- "acl_table": {to:[{field: "rsa.misc.acl_table", setter: fld_set}]},
- "action": {to:[{field: "rsa.misc.action", setter: fld_append}]},
- "ad_computer_dst": {to:[{field: "rsa.network.ad_computer_dst", setter: fld_set}]},
- "addr": {to:[{field: "rsa.network.addr", setter: fld_set}]},
- "admin": {to:[{field: "rsa.misc.admin", setter: 
fld_set}]}, - "agent": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 0}]}, - "agent.id": {to:[{field: "rsa.misc.agent_id", setter: fld_set}]}, - "alarm_id": {to:[{field: "rsa.misc.alarm_id", setter: fld_set}]}, - "alarmname": {to:[{field: "rsa.misc.alarmname", setter: fld_set}]}, - "alert": {to:[{field: "rsa.threat.alert", setter: fld_set}]}, - "alert_id": {to:[{field: "rsa.misc.alert_id", setter: fld_set}]}, - "alias.host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "analysis.file": {to:[{field: "rsa.investigations.analysis_file", setter: fld_set}]}, - "analysis.service": {to:[{field: "rsa.investigations.analysis_service", setter: fld_set}]}, - "analysis.session": {to:[{field: "rsa.investigations.analysis_session", setter: fld_set}]}, - "app_id": {to:[{field: "rsa.misc.app_id", setter: fld_set}]}, - "attachment": {to:[{field: "rsa.file.attachment", setter: fld_set}]}, - "audit": {to:[{field: "rsa.misc.audit", setter: fld_set}]}, - "audit_class": {to:[{field: "rsa.internal.audit_class", setter: fld_set}]}, - "audit_object": {to:[{field: "rsa.misc.audit_object", setter: fld_set}]}, - "auditdata": {to:[{field: "rsa.misc.auditdata", setter: fld_set}]}, - "authmethod": {to:[{field: "rsa.identity.auth_method", setter: fld_set}]}, - "autorun_type": {to:[{field: "rsa.misc.autorun_type", setter: fld_set}]}, - "bcc": {to:[{field: "rsa.email.email", setter: fld_append}]}, - "benchmark": {to:[{field: "rsa.misc.benchmark", setter: fld_set}]}, - "binary": {to:[{field: "rsa.file.binary", setter: fld_set}]}, - "boc": {to:[{field: "rsa.investigations.boc", setter: fld_set}]}, - "bssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 1}]}, - "bypass": {to:[{field: "rsa.misc.bypass", setter: fld_set}]}, - "c_sid": {to:[{field: "rsa.identity.user_sid_src", setter: fld_set}]}, - "cache": {to:[{field: "rsa.misc.cache", setter: fld_set}]}, - "cache_hit": {to:[{field: "rsa.misc.cache_hit", setter: fld_set}]}, - "calling_from": {to:[{field: 
"rsa.misc.phone", setter: fld_prio, prio: 1}]}, - "calling_to": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 0}]}, - "category": {to:[{field: "rsa.misc.category", setter: fld_set}]}, - "cc": {to:[{field: "rsa.email.email", setter: fld_append}]}, - "cc.number": {convert: to_long, to:[{field: "rsa.misc.cc_number", setter: fld_set}]}, - "cefversion": {to:[{field: "rsa.misc.cefversion", setter: fld_set}]}, - "cert.serial": {to:[{field: "rsa.crypto.cert_serial", setter: fld_set}]}, - "cert_ca": {to:[{field: "rsa.crypto.cert_ca", setter: fld_set}]}, - "cert_checksum": {to:[{field: "rsa.crypto.cert_checksum", setter: fld_set}]}, - "cert_common": {to:[{field: "rsa.crypto.cert_common", setter: fld_set}]}, - "cert_error": {to:[{field: "rsa.crypto.cert_error", setter: fld_set}]}, - "cert_hostname": {to:[{field: "rsa.crypto.cert_host_name", setter: fld_set}]}, - "cert_hostname_cat": {to:[{field: "rsa.crypto.cert_host_cat", setter: fld_set}]}, - "cert_issuer": {to:[{field: "rsa.crypto.cert_issuer", setter: fld_set}]}, - "cert_keysize": {to:[{field: "rsa.crypto.cert_keysize", setter: fld_set}]}, - "cert_status": {to:[{field: "rsa.crypto.cert_status", setter: fld_set}]}, - "cert_subject": {to:[{field: "rsa.crypto.cert_subject", setter: fld_set}]}, - "cert_username": {to:[{field: "rsa.crypto.cert_username", setter: fld_set}]}, - "cfg.attr": {to:[{field: "rsa.misc.cfg_attr", setter: fld_set}]}, - "cfg.obj": {to:[{field: "rsa.misc.cfg_obj", setter: fld_set}]}, - "cfg.path": {to:[{field: "rsa.misc.cfg_path", setter: fld_set}]}, - "change_attribute": {to:[{field: "rsa.misc.change_attrib", setter: fld_set}]}, - "change_new": {to:[{field: "rsa.misc.change_new", setter: fld_set}]}, - "change_old": {to:[{field: "rsa.misc.change_old", setter: fld_set}]}, - "changes": {to:[{field: "rsa.misc.changes", setter: fld_set}]}, - "checksum": {to:[{field: "rsa.misc.checksum", setter: fld_set}]}, - "checksum.dst": {to:[{field: "rsa.misc.checksum_dst", setter: fld_set}]}, - "checksum.src": 
{to:[{field: "rsa.misc.checksum_src", setter: fld_set}]}, - "cid": {to:[{field: "rsa.internal.cid", setter: fld_set}]}, - "client": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 1}]}, - "client_ip": {to:[{field: "rsa.misc.client_ip", setter: fld_set}]}, - "clustermembers": {to:[{field: "rsa.misc.clustermembers", setter: fld_set}]}, - "cmd": {to:[{field: "rsa.misc.cmd", setter: fld_set}]}, - "cn_acttimeout": {to:[{field: "rsa.misc.cn_acttimeout", setter: fld_set}]}, - "cn_asn_dst": {to:[{field: "rsa.web.cn_asn_dst", setter: fld_set}]}, - "cn_asn_src": {to:[{field: "rsa.misc.cn_asn_src", setter: fld_set}]}, - "cn_bgpv4nxthop": {to:[{field: "rsa.misc.cn_bgpv4nxthop", setter: fld_set}]}, - "cn_ctr_dst_code": {to:[{field: "rsa.misc.cn_ctr_dst_code", setter: fld_set}]}, - "cn_dst_tos": {to:[{field: "rsa.misc.cn_dst_tos", setter: fld_set}]}, - "cn_dst_vlan": {to:[{field: "rsa.misc.cn_dst_vlan", setter: fld_set}]}, - "cn_engine_id": {to:[{field: "rsa.misc.cn_engine_id", setter: fld_set}]}, - "cn_engine_type": {to:[{field: "rsa.misc.cn_engine_type", setter: fld_set}]}, - "cn_f_switch": {to:[{field: "rsa.misc.cn_f_switch", setter: fld_set}]}, - "cn_flowsampid": {to:[{field: "rsa.misc.cn_flowsampid", setter: fld_set}]}, - "cn_flowsampintv": {to:[{field: "rsa.misc.cn_flowsampintv", setter: fld_set}]}, - "cn_flowsampmode": {to:[{field: "rsa.misc.cn_flowsampmode", setter: fld_set}]}, - "cn_inacttimeout": {to:[{field: "rsa.misc.cn_inacttimeout", setter: fld_set}]}, - "cn_inpermbyts": {to:[{field: "rsa.misc.cn_inpermbyts", setter: fld_set}]}, - "cn_inpermpckts": {to:[{field: "rsa.misc.cn_inpermpckts", setter: fld_set}]}, - "cn_invalid": {to:[{field: "rsa.misc.cn_invalid", setter: fld_set}]}, - "cn_ip_proto_ver": {to:[{field: "rsa.misc.cn_ip_proto_ver", setter: fld_set}]}, - "cn_ipv4_ident": {to:[{field: "rsa.misc.cn_ipv4_ident", setter: fld_set}]}, - "cn_l_switch": {to:[{field: "rsa.misc.cn_l_switch", setter: fld_set}]}, - "cn_log_did": {to:[{field: 
"rsa.misc.cn_log_did", setter: fld_set}]}, - "cn_log_rid": {to:[{field: "rsa.misc.cn_log_rid", setter: fld_set}]}, - "cn_max_ttl": {to:[{field: "rsa.misc.cn_max_ttl", setter: fld_set}]}, - "cn_maxpcktlen": {to:[{field: "rsa.misc.cn_maxpcktlen", setter: fld_set}]}, - "cn_min_ttl": {to:[{field: "rsa.misc.cn_min_ttl", setter: fld_set}]}, - "cn_minpcktlen": {to:[{field: "rsa.misc.cn_minpcktlen", setter: fld_set}]}, - "cn_mpls_lbl_1": {to:[{field: "rsa.misc.cn_mpls_lbl_1", setter: fld_set}]}, - "cn_mpls_lbl_10": {to:[{field: "rsa.misc.cn_mpls_lbl_10", setter: fld_set}]}, - "cn_mpls_lbl_2": {to:[{field: "rsa.misc.cn_mpls_lbl_2", setter: fld_set}]}, - "cn_mpls_lbl_3": {to:[{field: "rsa.misc.cn_mpls_lbl_3", setter: fld_set}]}, - "cn_mpls_lbl_4": {to:[{field: "rsa.misc.cn_mpls_lbl_4", setter: fld_set}]}, - "cn_mpls_lbl_5": {to:[{field: "rsa.misc.cn_mpls_lbl_5", setter: fld_set}]}, - "cn_mpls_lbl_6": {to:[{field: "rsa.misc.cn_mpls_lbl_6", setter: fld_set}]}, - "cn_mpls_lbl_7": {to:[{field: "rsa.misc.cn_mpls_lbl_7", setter: fld_set}]}, - "cn_mpls_lbl_8": {to:[{field: "rsa.misc.cn_mpls_lbl_8", setter: fld_set}]}, - "cn_mpls_lbl_9": {to:[{field: "rsa.misc.cn_mpls_lbl_9", setter: fld_set}]}, - "cn_mplstoplabel": {to:[{field: "rsa.misc.cn_mplstoplabel", setter: fld_set}]}, - "cn_mplstoplabip": {to:[{field: "rsa.misc.cn_mplstoplabip", setter: fld_set}]}, - "cn_mul_dst_byt": {to:[{field: "rsa.misc.cn_mul_dst_byt", setter: fld_set}]}, - "cn_mul_dst_pks": {to:[{field: "rsa.misc.cn_mul_dst_pks", setter: fld_set}]}, - "cn_muligmptype": {to:[{field: "rsa.misc.cn_muligmptype", setter: fld_set}]}, - "cn_rpackets": {to:[{field: "rsa.web.cn_rpackets", setter: fld_set}]}, - "cn_sampalgo": {to:[{field: "rsa.misc.cn_sampalgo", setter: fld_set}]}, - "cn_sampint": {to:[{field: "rsa.misc.cn_sampint", setter: fld_set}]}, - "cn_seqctr": {to:[{field: "rsa.misc.cn_seqctr", setter: fld_set}]}, - "cn_spackets": {to:[{field: "rsa.misc.cn_spackets", setter: fld_set}]}, - "cn_src_tos": {to:[{field: 
"rsa.misc.cn_src_tos", setter: fld_set}]}, - "cn_src_vlan": {to:[{field: "rsa.misc.cn_src_vlan", setter: fld_set}]}, - "cn_sysuptime": {to:[{field: "rsa.misc.cn_sysuptime", setter: fld_set}]}, - "cn_template_id": {to:[{field: "rsa.misc.cn_template_id", setter: fld_set}]}, - "cn_totbytsexp": {to:[{field: "rsa.misc.cn_totbytsexp", setter: fld_set}]}, - "cn_totflowexp": {to:[{field: "rsa.misc.cn_totflowexp", setter: fld_set}]}, - "cn_totpcktsexp": {to:[{field: "rsa.misc.cn_totpcktsexp", setter: fld_set}]}, - "cn_unixnanosecs": {to:[{field: "rsa.misc.cn_unixnanosecs", setter: fld_set}]}, - "cn_v6flowlabel": {to:[{field: "rsa.misc.cn_v6flowlabel", setter: fld_set}]}, - "cn_v6optheaders": {to:[{field: "rsa.misc.cn_v6optheaders", setter: fld_set}]}, - "code": {to:[{field: "rsa.misc.code", setter: fld_set}]}, - "command": {to:[{field: "rsa.misc.command", setter: fld_set}]}, - "comments": {to:[{field: "rsa.misc.comments", setter: fld_set}]}, - "comp_class": {to:[{field: "rsa.misc.comp_class", setter: fld_set}]}, - "comp_name": {to:[{field: "rsa.misc.comp_name", setter: fld_set}]}, - "comp_rbytes": {to:[{field: "rsa.misc.comp_rbytes", setter: fld_set}]}, - "comp_sbytes": {to:[{field: "rsa.misc.comp_sbytes", setter: fld_set}]}, - "component_version": {to:[{field: "rsa.misc.comp_version", setter: fld_set}]}, - "connection_id": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 1}]}, - "connectionid": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 0}]}, - "content": {to:[{field: "rsa.misc.content", setter: fld_set}]}, - "content_type": {to:[{field: "rsa.misc.content_type", setter: fld_set}]}, - "content_version": {to:[{field: "rsa.misc.content_version", setter: fld_set}]}, - "context": {to:[{field: "rsa.misc.context", setter: fld_set}]}, - "count": {to:[{field: "rsa.misc.count", setter: fld_set}]}, - "cpu": {convert: to_long, to:[{field: "rsa.misc.cpu", setter: fld_set}]}, - "cpu_data": {to:[{field: "rsa.misc.cpu_data", setter: fld_set}]}, - 
"criticality": {to:[{field: "rsa.misc.criticality", setter: fld_set}]}, - "cs_agency_dst": {to:[{field: "rsa.misc.cs_agency_dst", setter: fld_set}]}, - "cs_analyzedby": {to:[{field: "rsa.misc.cs_analyzedby", setter: fld_set}]}, - "cs_av_other": {to:[{field: "rsa.misc.cs_av_other", setter: fld_set}]}, - "cs_av_primary": {to:[{field: "rsa.misc.cs_av_primary", setter: fld_set}]}, - "cs_av_secondary": {to:[{field: "rsa.misc.cs_av_secondary", setter: fld_set}]}, - "cs_bgpv6nxthop": {to:[{field: "rsa.misc.cs_bgpv6nxthop", setter: fld_set}]}, - "cs_bit9status": {to:[{field: "rsa.misc.cs_bit9status", setter: fld_set}]}, - "cs_context": {to:[{field: "rsa.misc.cs_context", setter: fld_set}]}, - "cs_control": {to:[{field: "rsa.misc.cs_control", setter: fld_set}]}, - "cs_data": {to:[{field: "rsa.misc.cs_data", setter: fld_set}]}, - "cs_datecret": {to:[{field: "rsa.misc.cs_datecret", setter: fld_set}]}, - "cs_dst_tld": {to:[{field: "rsa.misc.cs_dst_tld", setter: fld_set}]}, - "cs_eth_dst_ven": {to:[{field: "rsa.misc.cs_eth_dst_ven", setter: fld_set}]}, - "cs_eth_src_ven": {to:[{field: "rsa.misc.cs_eth_src_ven", setter: fld_set}]}, - "cs_event_uuid": {to:[{field: "rsa.misc.cs_event_uuid", setter: fld_set}]}, - "cs_filetype": {to:[{field: "rsa.misc.cs_filetype", setter: fld_set}]}, - "cs_fld": {to:[{field: "rsa.misc.cs_fld", setter: fld_set}]}, - "cs_if_desc": {to:[{field: "rsa.misc.cs_if_desc", setter: fld_set}]}, - "cs_if_name": {to:[{field: "rsa.misc.cs_if_name", setter: fld_set}]}, - "cs_ip_next_hop": {to:[{field: "rsa.misc.cs_ip_next_hop", setter: fld_set}]}, - "cs_ipv4dstpre": {to:[{field: "rsa.misc.cs_ipv4dstpre", setter: fld_set}]}, - "cs_ipv4srcpre": {to:[{field: "rsa.misc.cs_ipv4srcpre", setter: fld_set}]}, - "cs_lifetime": {to:[{field: "rsa.misc.cs_lifetime", setter: fld_set}]}, - "cs_log_medium": {to:[{field: "rsa.misc.cs_log_medium", setter: fld_set}]}, - "cs_loginname": {to:[{field: "rsa.misc.cs_loginname", setter: fld_set}]}, - "cs_modulescore": {to:[{field: 
"rsa.misc.cs_modulescore", setter: fld_set}]}, - "cs_modulesign": {to:[{field: "rsa.misc.cs_modulesign", setter: fld_set}]}, - "cs_opswatresult": {to:[{field: "rsa.misc.cs_opswatresult", setter: fld_set}]}, - "cs_payload": {to:[{field: "rsa.misc.cs_payload", setter: fld_set}]}, - "cs_registrant": {to:[{field: "rsa.misc.cs_registrant", setter: fld_set}]}, - "cs_registrar": {to:[{field: "rsa.misc.cs_registrar", setter: fld_set}]}, - "cs_represult": {to:[{field: "rsa.misc.cs_represult", setter: fld_set}]}, - "cs_rpayload": {to:[{field: "rsa.misc.cs_rpayload", setter: fld_set}]}, - "cs_sampler_name": {to:[{field: "rsa.misc.cs_sampler_name", setter: fld_set}]}, - "cs_sourcemodule": {to:[{field: "rsa.misc.cs_sourcemodule", setter: fld_set}]}, - "cs_streams": {to:[{field: "rsa.misc.cs_streams", setter: fld_set}]}, - "cs_targetmodule": {to:[{field: "rsa.misc.cs_targetmodule", setter: fld_set}]}, - "cs_v6nxthop": {to:[{field: "rsa.misc.cs_v6nxthop", setter: fld_set}]}, - "cs_whois_server": {to:[{field: "rsa.misc.cs_whois_server", setter: fld_set}]}, - "cs_yararesult": {to:[{field: "rsa.misc.cs_yararesult", setter: fld_set}]}, - "cve": {to:[{field: "rsa.misc.cve", setter: fld_set}]}, - "d_certauth": {to:[{field: "rsa.crypto.d_certauth", setter: fld_set}]}, - "d_cipher": {to:[{field: "rsa.crypto.cipher_dst", setter: fld_set}]}, - "d_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_dst", setter: fld_set}]}, - "d_sslver": {to:[{field: "rsa.crypto.ssl_ver_dst", setter: fld_set}]}, - "data": {to:[{field: "rsa.internal.data", setter: fld_set}]}, - "data_type": {to:[{field: "rsa.misc.data_type", setter: fld_set}]}, - "date": {to:[{field: "rsa.time.date", setter: fld_set}]}, - "datetime": {to:[{field: "rsa.time.datetime", setter: fld_set}]}, - "day": {to:[{field: "rsa.time.day", setter: fld_set}]}, - "db_id": {to:[{field: "rsa.db.db_id", setter: fld_set}]}, - "db_name": {to:[{field: "rsa.db.database", setter: fld_set}]}, - "db_pid": {convert: to_long, to:[{field: 
"rsa.db.db_pid", setter: fld_set}]}, - "dclass_counter1": {convert: to_long, to:[{field: "rsa.counters.dclass_c1", setter: fld_set}]}, - "dclass_counter1_string": {to:[{field: "rsa.counters.dclass_c1_str", setter: fld_set}]}, - "dclass_counter2": {convert: to_long, to:[{field: "rsa.counters.dclass_c2", setter: fld_set}]}, - "dclass_counter2_string": {to:[{field: "rsa.counters.dclass_c2_str", setter: fld_set}]}, - "dclass_counter3": {convert: to_long, to:[{field: "rsa.counters.dclass_c3", setter: fld_set}]}, - "dclass_counter3_string": {to:[{field: "rsa.counters.dclass_c3_str", setter: fld_set}]}, - "dclass_ratio1": {to:[{field: "rsa.counters.dclass_r1", setter: fld_set}]}, - "dclass_ratio1_string": {to:[{field: "rsa.counters.dclass_r1_str", setter: fld_set}]}, - "dclass_ratio2": {to:[{field: "rsa.counters.dclass_r2", setter: fld_set}]}, - "dclass_ratio2_string": {to:[{field: "rsa.counters.dclass_r2_str", setter: fld_set}]}, - "dclass_ratio3": {to:[{field: "rsa.counters.dclass_r3", setter: fld_set}]}, - "dclass_ratio3_string": {to:[{field: "rsa.counters.dclass_r3_str", setter: fld_set}]}, - "dead": {convert: to_long, to:[{field: "rsa.internal.dead", setter: fld_set}]}, - "description": {to:[{field: "rsa.misc.description", setter: fld_set}]}, - "detail": {to:[{field: "rsa.misc.event_desc", setter: fld_set}]}, - "device": {to:[{field: "rsa.misc.device_name", setter: fld_set}]}, - "device.class": {to:[{field: "rsa.internal.device_class", setter: fld_set}]}, - "device.group": {to:[{field: "rsa.internal.device_group", setter: fld_set}]}, - "device.host": {to:[{field: "rsa.internal.device_host", setter: fld_set}]}, - "device.ip": {convert: to_ip, to:[{field: "rsa.internal.device_ip", setter: fld_set}]}, - "device.ipv6": {convert: to_ip, to:[{field: "rsa.internal.device_ipv6", setter: fld_set}]}, - "device.type": {to:[{field: "rsa.internal.device_type", setter: fld_set}]}, - "device.type.id": {convert: to_long, to:[{field: "rsa.internal.device_type_id", setter: fld_set}]}, 
- "devicehostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "devvendor": {to:[{field: "rsa.misc.devvendor", setter: fld_set}]}, - "dhost": {to:[{field: "rsa.network.host_dst", setter: fld_set}]}, - "did": {to:[{field: "rsa.internal.did", setter: fld_set}]}, - "dinterface": {to:[{field: "rsa.network.dinterface", setter: fld_set}]}, - "directory.dst": {to:[{field: "rsa.file.directory_dst", setter: fld_set}]}, - "directory.src": {to:[{field: "rsa.file.directory_src", setter: fld_set}]}, - "disk_volume": {to:[{field: "rsa.storage.disk_volume", setter: fld_set}]}, - "disposition": {to:[{field: "rsa.misc.disposition", setter: fld_set}]}, - "distance": {to:[{field: "rsa.misc.distance", setter: fld_set}]}, - "dmask": {to:[{field: "rsa.network.dmask", setter: fld_set}]}, - "dn": {to:[{field: "rsa.identity.dn", setter: fld_set}]}, - "dns_a_record": {to:[{field: "rsa.network.dns_a_record", setter: fld_set}]}, - "dns_cname_record": {to:[{field: "rsa.network.dns_cname_record", setter: fld_set}]}, - "dns_id": {to:[{field: "rsa.network.dns_id", setter: fld_set}]}, - "dns_opcode": {to:[{field: "rsa.network.dns_opcode", setter: fld_set}]}, - "dns_ptr_record": {to:[{field: "rsa.network.dns_ptr_record", setter: fld_set}]}, - "dns_resp": {to:[{field: "rsa.network.dns_resp", setter: fld_set}]}, - "dns_type": {to:[{field: "rsa.network.dns_type", setter: fld_set}]}, - "doc_number": {convert: to_long, to:[{field: "rsa.misc.doc_number", setter: fld_set}]}, - "domain": {to:[{field: "rsa.network.domain", setter: fld_set}]}, - "domain1": {to:[{field: "rsa.network.domain1", setter: fld_set}]}, - "dst_dn": {to:[{field: "rsa.identity.dn_dst", setter: fld_set}]}, - "dst_payload": {to:[{field: "rsa.misc.payload_dst", setter: fld_set}]}, - "dst_spi": {to:[{field: "rsa.misc.spi_dst", setter: fld_set}]}, - "dst_zone": {to:[{field: "rsa.network.zone_dst", setter: fld_set}]}, - "dstburb": {to:[{field: "rsa.misc.dstburb", setter: fld_set}]}, - "duration": {convert: to_double, 
to:[{field: "rsa.time.duration_time", setter: fld_set}]}, - "duration_string": {to:[{field: "rsa.time.duration_str", setter: fld_set}]}, - "ec_activity": {to:[{field: "rsa.investigations.ec_activity", setter: fld_set}]}, - "ec_outcome": {to:[{field: "rsa.investigations.ec_outcome", setter: fld_set}]}, - "ec_subject": {to:[{field: "rsa.investigations.ec_subject", setter: fld_set}]}, - "ec_theme": {to:[{field: "rsa.investigations.ec_theme", setter: fld_set}]}, - "edomain": {to:[{field: "rsa.misc.edomain", setter: fld_set}]}, - "edomaub": {to:[{field: "rsa.misc.edomaub", setter: fld_set}]}, - "effective_time": {convert: to_date, to:[{field: "rsa.time.effective_time", setter: fld_set}]}, - "ein.number": {convert: to_long, to:[{field: "rsa.misc.ein_number", setter: fld_set}]}, - "email": {to:[{field: "rsa.email.email", setter: fld_append}]}, - "encryption_type": {to:[{field: "rsa.crypto.crypto", setter: fld_set}]}, - "endtime": {convert: to_date, to:[{field: "rsa.time.endtime", setter: fld_set}]}, - "entropy.req": {convert: to_long, to:[{field: "rsa.internal.entropy_req", setter: fld_set}]}, - "entropy.res": {convert: to_long, to:[{field: "rsa.internal.entropy_res", setter: fld_set}]}, - "entry": {to:[{field: "rsa.internal.entry", setter: fld_set}]}, - "eoc": {to:[{field: "rsa.investigations.eoc", setter: fld_set}]}, - "error": {to:[{field: "rsa.misc.error", setter: fld_set}]}, - "eth_type": {convert: to_long, to:[{field: "rsa.network.eth_type", setter: fld_set}]}, - "euid": {to:[{field: "rsa.misc.euid", setter: fld_set}]}, - "event.cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 1}]}, - "event.cat.name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 1}]}, - "event_cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 0}]}, - "event_cat_name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 0}]}, - "event_category": {to:[{field: 
"rsa.misc.event_category", setter: fld_set}]}, - "event_computer": {to:[{field: "rsa.misc.event_computer", setter: fld_set}]}, - "event_counter": {convert: to_long, to:[{field: "rsa.counters.event_counter", setter: fld_set}]}, - "event_description": {to:[{field: "rsa.internal.event_desc", setter: fld_set}]}, - "event_id": {to:[{field: "rsa.misc.event_id", setter: fld_set}]}, - "event_log": {to:[{field: "rsa.misc.event_log", setter: fld_set}]}, - "event_name": {to:[{field: "rsa.internal.event_name", setter: fld_set}]}, - "event_queue_time": {convert: to_date, to:[{field: "rsa.time.event_queue_time", setter: fld_set}]}, - "event_source": {to:[{field: "rsa.misc.event_source", setter: fld_set}]}, - "event_state": {to:[{field: "rsa.misc.event_state", setter: fld_set}]}, - "event_time": {convert: to_date, to:[{field: "rsa.time.event_time", setter: fld_set}]}, - "event_time_str": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 1}]}, - "event_time_string": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 0}]}, - "event_type": {to:[{field: "rsa.misc.event_type", setter: fld_set}]}, - "event_user": {to:[{field: "rsa.misc.event_user", setter: fld_set}]}, - "eventtime": {to:[{field: "rsa.time.eventtime", setter: fld_set}]}, - "expected_val": {to:[{field: "rsa.misc.expected_val", setter: fld_set}]}, - "expiration_time": {convert: to_date, to:[{field: "rsa.time.expire_time", setter: fld_set}]}, - "expiration_time_string": {to:[{field: "rsa.time.expire_time_str", setter: fld_set}]}, - "facility": {to:[{field: "rsa.misc.facility", setter: fld_set}]}, - "facilityname": {to:[{field: "rsa.misc.facilityname", setter: fld_set}]}, - "faddr": {to:[{field: "rsa.network.faddr", setter: fld_set}]}, - "fcatnum": {to:[{field: "rsa.misc.fcatnum", setter: fld_set}]}, - "federated_idp": {to:[{field: "rsa.identity.federated_idp", setter: fld_set}]}, - "federated_sp": {to:[{field: "rsa.identity.federated_sp", setter: fld_set}]}, - "feed.category": {to:[{field: 
"rsa.internal.feed_category", setter: fld_set}]}, - "feed_desc": {to:[{field: "rsa.internal.feed_desc", setter: fld_set}]}, - "feed_name": {to:[{field: "rsa.internal.feed_name", setter: fld_set}]}, - "fhost": {to:[{field: "rsa.network.fhost", setter: fld_set}]}, - "file_entropy": {convert: to_double, to:[{field: "rsa.file.file_entropy", setter: fld_set}]}, - "file_vendor": {to:[{field: "rsa.file.file_vendor", setter: fld_set}]}, - "filename_dst": {to:[{field: "rsa.file.filename_dst", setter: fld_set}]}, - "filename_src": {to:[{field: "rsa.file.filename_src", setter: fld_set}]}, - "filename_tmp": {to:[{field: "rsa.file.filename_tmp", setter: fld_set}]}, - "filesystem": {to:[{field: "rsa.file.filesystem", setter: fld_set}]}, - "filter": {to:[{field: "rsa.misc.filter", setter: fld_set}]}, - "finterface": {to:[{field: "rsa.misc.finterface", setter: fld_set}]}, - "flags": {to:[{field: "rsa.misc.flags", setter: fld_set}]}, - "forensic_info": {to:[{field: "rsa.misc.forensic_info", setter: fld_set}]}, - "forward.ip": {convert: to_ip, to:[{field: "rsa.internal.forward_ip", setter: fld_set}]}, - "forward.ipv6": {convert: to_ip, to:[{field: "rsa.internal.forward_ipv6", setter: fld_set}]}, - "found": {to:[{field: "rsa.misc.found", setter: fld_set}]}, - "fport": {to:[{field: "rsa.network.fport", setter: fld_set}]}, - "fqdn": {to:[{field: "rsa.web.fqdn", setter: fld_set}]}, - "fresult": {convert: to_long, to:[{field: "rsa.misc.fresult", setter: fld_set}]}, - "from": {to:[{field: "rsa.email.email_src", setter: fld_set}]}, - "gaddr": {to:[{field: "rsa.misc.gaddr", setter: fld_set}]}, - "gateway": {to:[{field: "rsa.network.gateway", setter: fld_set}]}, - "gmtdate": {to:[{field: "rsa.time.gmtdate", setter: fld_set}]}, - "gmttime": {to:[{field: "rsa.time.gmttime", setter: fld_set}]}, - "group": {to:[{field: "rsa.misc.group", setter: fld_set}]}, - "group_object": {to:[{field: "rsa.misc.group_object", setter: fld_set}]}, - "groupid": {to:[{field: "rsa.misc.group_id", setter: 
fld_set}]}, - "h_code": {to:[{field: "rsa.internal.hcode", setter: fld_set}]}, - "hardware_id": {to:[{field: "rsa.misc.hardware_id", setter: fld_set}]}, - "header.id": {to:[{field: "rsa.internal.header_id", setter: fld_set}]}, - "host.orig": {to:[{field: "rsa.network.host_orig", setter: fld_set}]}, - "host.state": {to:[{field: "rsa.endpoint.host_state", setter: fld_set}]}, - "host.type": {to:[{field: "rsa.network.host_type", setter: fld_set}]}, - "host_role": {to:[{field: "rsa.identity.host_role", setter: fld_set}]}, - "hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "hostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "hour": {to:[{field: "rsa.time.hour", setter: fld_set}]}, - "https.insact": {to:[{field: "rsa.crypto.https_insact", setter: fld_set}]}, - "https.valid": {to:[{field: "rsa.crypto.https_valid", setter: fld_set}]}, - "icmpcode": {convert: to_long, to:[{field: "rsa.network.icmp_code", setter: fld_set}]}, - "icmptype": {convert: to_long, to:[{field: "rsa.network.icmp_type", setter: fld_set}]}, - "id": {to:[{field: "rsa.misc.reference_id", setter: fld_set}]}, - "id1": {to:[{field: "rsa.misc.reference_id1", setter: fld_set}]}, - "id2": {to:[{field: "rsa.misc.reference_id2", setter: fld_set}]}, - "id3": {to:[{field: "rsa.misc.id3", setter: fld_set}]}, - "ike": {to:[{field: "rsa.crypto.ike", setter: fld_set}]}, - "ike_cookie1": {to:[{field: "rsa.crypto.ike_cookie1", setter: fld_set}]}, - "ike_cookie2": {to:[{field: "rsa.crypto.ike_cookie2", setter: fld_set}]}, - "im_buddyid": {to:[{field: "rsa.misc.im_buddyid", setter: fld_set}]}, - "im_buddyname": {to:[{field: "rsa.misc.im_buddyname", setter: fld_set}]}, - "im_client": {to:[{field: "rsa.misc.im_client", setter: fld_set}]}, - "im_croomid": {to:[{field: "rsa.misc.im_croomid", setter: fld_set}]}, - "im_croomtype": {to:[{field: "rsa.misc.im_croomtype", setter: fld_set}]}, - "im_members": {to:[{field: "rsa.misc.im_members", setter: fld_set}]}, - "im_userid": 
{to:[{field: "rsa.misc.im_userid", setter: fld_set}]}, - "im_username": {to:[{field: "rsa.misc.im_username", setter: fld_set}]}, - "index": {to:[{field: "rsa.misc.index", setter: fld_set}]}, - "info": {to:[{field: "rsa.db.index", setter: fld_set}]}, - "inode": {convert: to_long, to:[{field: "rsa.internal.inode", setter: fld_set}]}, - "inout": {to:[{field: "rsa.misc.inout", setter: fld_set}]}, - "instance": {to:[{field: "rsa.db.instance", setter: fld_set}]}, - "interface": {to:[{field: "rsa.network.interface", setter: fld_set}]}, - "inv.category": {to:[{field: "rsa.investigations.inv_category", setter: fld_set}]}, - "inv.context": {to:[{field: "rsa.investigations.inv_context", setter: fld_set}]}, - "ioc": {to:[{field: "rsa.investigations.ioc", setter: fld_set}]}, - "ip_proto": {convert: to_long, to:[{field: "rsa.network.ip_proto", setter: fld_set}]}, - "ipkt": {to:[{field: "rsa.misc.ipkt", setter: fld_set}]}, - "ipscat": {to:[{field: "rsa.misc.ipscat", setter: fld_set}]}, - "ipspri": {to:[{field: "rsa.misc.ipspri", setter: fld_set}]}, - "jobname": {to:[{field: "rsa.misc.jobname", setter: fld_set}]}, - "jobnum": {to:[{field: "rsa.misc.job_num", setter: fld_set}]}, - "laddr": {to:[{field: "rsa.network.laddr", setter: fld_set}]}, - "language": {to:[{field: "rsa.misc.language", setter: fld_set}]}, - "latitude": {to:[{field: "rsa.misc.latitude", setter: fld_set}]}, - "lc.cid": {to:[{field: "rsa.internal.lc_cid", setter: fld_set}]}, - "lc.ctime": {convert: to_date, to:[{field: "rsa.internal.lc_ctime", setter: fld_set}]}, - "ldap": {to:[{field: "rsa.identity.ldap", setter: fld_set}]}, - "ldap.query": {to:[{field: "rsa.identity.ldap_query", setter: fld_set}]}, - "ldap.response": {to:[{field: "rsa.identity.ldap_response", setter: fld_set}]}, - "level": {convert: to_long, to:[{field: "rsa.internal.level", setter: fld_set}]}, - "lhost": {to:[{field: "rsa.network.lhost", setter: fld_set}]}, - "library": {to:[{field: "rsa.misc.library", setter: fld_set}]}, - "lifetime": 
{convert: to_long, to:[{field: "rsa.misc.lifetime", setter: fld_set}]}, - "linenum": {to:[{field: "rsa.misc.linenum", setter: fld_set}]}, - "link": {to:[{field: "rsa.misc.link", setter: fld_set}]}, - "linterface": {to:[{field: "rsa.network.linterface", setter: fld_set}]}, - "list_name": {to:[{field: "rsa.misc.list_name", setter: fld_set}]}, - "listnum": {to:[{field: "rsa.misc.listnum", setter: fld_set}]}, - "load_data": {to:[{field: "rsa.misc.load_data", setter: fld_set}]}, - "location_floor": {to:[{field: "rsa.misc.location_floor", setter: fld_set}]}, - "location_mark": {to:[{field: "rsa.misc.location_mark", setter: fld_set}]}, - "log_id": {to:[{field: "rsa.misc.log_id", setter: fld_set}]}, - "log_type": {to:[{field: "rsa.misc.log_type", setter: fld_set}]}, - "logid": {to:[{field: "rsa.misc.logid", setter: fld_set}]}, - "logip": {to:[{field: "rsa.misc.logip", setter: fld_set}]}, - "logname": {to:[{field: "rsa.misc.logname", setter: fld_set}]}, - "logon_type": {to:[{field: "rsa.identity.logon_type", setter: fld_set}]}, - "logon_type_desc": {to:[{field: "rsa.identity.logon_type_desc", setter: fld_set}]}, - "longitude": {to:[{field: "rsa.misc.longitude", setter: fld_set}]}, - "lport": {to:[{field: "rsa.misc.lport", setter: fld_set}]}, - "lread": {convert: to_long, to:[{field: "rsa.db.lread", setter: fld_set}]}, - "lun": {to:[{field: "rsa.storage.lun", setter: fld_set}]}, - "lwrite": {convert: to_long, to:[{field: "rsa.db.lwrite", setter: fld_set}]}, - "macaddr": {convert: to_mac, to:[{field: "rsa.network.eth_host", setter: fld_set}]}, - "mail_id": {to:[{field: "rsa.misc.mail_id", setter: fld_set}]}, - "mask": {to:[{field: "rsa.network.mask", setter: fld_set}]}, - "match": {to:[{field: "rsa.misc.match", setter: fld_set}]}, - "mbug_data": {to:[{field: "rsa.misc.mbug_data", setter: fld_set}]}, - "mcb.req": {convert: to_long, to:[{field: "rsa.internal.mcb_req", setter: fld_set}]}, - "mcb.res": {convert: to_long, to:[{field: "rsa.internal.mcb_res", setter: fld_set}]}, - 
"mcbc.req": {convert: to_long, to:[{field: "rsa.internal.mcbc_req", setter: fld_set}]}, - "mcbc.res": {convert: to_long, to:[{field: "rsa.internal.mcbc_res", setter: fld_set}]}, - "medium": {convert: to_long, to:[{field: "rsa.internal.medium", setter: fld_set}]}, - "message": {to:[{field: "rsa.internal.message", setter: fld_set}]}, - "message_body": {to:[{field: "rsa.misc.message_body", setter: fld_set}]}, - "messageid": {to:[{field: "rsa.internal.messageid", setter: fld_set}]}, - "min": {to:[{field: "rsa.time.min", setter: fld_set}]}, - "misc": {to:[{field: "rsa.misc.misc", setter: fld_set}]}, - "misc_name": {to:[{field: "rsa.misc.misc_name", setter: fld_set}]}, - "mode": {to:[{field: "rsa.misc.mode", setter: fld_set}]}, - "month": {to:[{field: "rsa.time.month", setter: fld_set}]}, - "msg": {to:[{field: "rsa.internal.msg", setter: fld_set}]}, - "msgIdPart1": {to:[{field: "rsa.misc.msgIdPart1", setter: fld_set}]}, - "msgIdPart2": {to:[{field: "rsa.misc.msgIdPart2", setter: fld_set}]}, - "msgIdPart3": {to:[{field: "rsa.misc.msgIdPart3", setter: fld_set}]}, - "msgIdPart4": {to:[{field: "rsa.misc.msgIdPart4", setter: fld_set}]}, - "msg_id": {to:[{field: "rsa.internal.msg_id", setter: fld_set}]}, - "msg_type": {to:[{field: "rsa.misc.msg_type", setter: fld_set}]}, - "msgid": {to:[{field: "rsa.misc.msgid", setter: fld_set}]}, - "name": {to:[{field: "rsa.misc.name", setter: fld_set}]}, - "netname": {to:[{field: "rsa.network.netname", setter: fld_set}]}, - "netsessid": {to:[{field: "rsa.misc.netsessid", setter: fld_set}]}, - "network_port": {convert: to_long, to:[{field: "rsa.network.network_port", setter: fld_set}]}, - "network_service": {to:[{field: "rsa.network.network_service", setter: fld_set}]}, - "node": {to:[{field: "rsa.misc.node", setter: fld_set}]}, - "nodename": {to:[{field: "rsa.internal.node_name", setter: fld_set}]}, - "ntype": {to:[{field: "rsa.misc.ntype", setter: fld_set}]}, - "num": {to:[{field: "rsa.misc.num", setter: fld_set}]}, - "number": 
{to:[{field: "rsa.misc.number", setter: fld_set}]}, - "number1": {to:[{field: "rsa.misc.number1", setter: fld_set}]}, - "number2": {to:[{field: "rsa.misc.number2", setter: fld_set}]}, - "nwe.callback_id": {to:[{field: "rsa.internal.nwe_callback_id", setter: fld_set}]}, - "nwwn": {to:[{field: "rsa.misc.nwwn", setter: fld_set}]}, - "obj_id": {to:[{field: "rsa.internal.obj_id", setter: fld_set}]}, - "obj_name": {to:[{field: "rsa.misc.obj_name", setter: fld_set}]}, - "obj_server": {to:[{field: "rsa.internal.obj_server", setter: fld_set}]}, - "obj_type": {to:[{field: "rsa.misc.obj_type", setter: fld_set}]}, - "obj_value": {to:[{field: "rsa.internal.obj_val", setter: fld_set}]}, - "object": {to:[{field: "rsa.misc.object", setter: fld_set}]}, - "observed_val": {to:[{field: "rsa.misc.observed_val", setter: fld_set}]}, - "operation": {to:[{field: "rsa.misc.operation", setter: fld_set}]}, - "operation_id": {to:[{field: "rsa.misc.operation_id", setter: fld_set}]}, - "opkt": {to:[{field: "rsa.misc.opkt", setter: fld_set}]}, - "org.dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 1}]}, - "org.src": {to:[{field: "rsa.physical.org_src", setter: fld_set}]}, - "org_dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 0}]}, - "orig_from": {to:[{field: "rsa.misc.orig_from", setter: fld_set}]}, - "origin": {to:[{field: "rsa.network.origin", setter: fld_set}]}, - "original_owner": {to:[{field: "rsa.identity.owner", setter: fld_set}]}, - "os": {to:[{field: "rsa.misc.OS", setter: fld_set}]}, - "owner_id": {to:[{field: "rsa.misc.owner_id", setter: fld_set}]}, - "p_action": {to:[{field: "rsa.misc.p_action", setter: fld_set}]}, - "p_date": {to:[{field: "rsa.time.p_date", setter: fld_set}]}, - "p_filter": {to:[{field: "rsa.misc.p_filter", setter: fld_set}]}, - "p_group_object": {to:[{field: "rsa.misc.p_group_object", setter: fld_set}]}, - "p_id": {to:[{field: "rsa.misc.p_id", setter: fld_set}]}, - "p_month": {to:[{field: "rsa.time.p_month", setter: fld_set}]}, 
- "p_msgid": {to:[{field: "rsa.misc.p_msgid", setter: fld_set}]}, - "p_msgid1": {to:[{field: "rsa.misc.p_msgid1", setter: fld_set}]}, - "p_msgid2": {to:[{field: "rsa.misc.p_msgid2", setter: fld_set}]}, - "p_result1": {to:[{field: "rsa.misc.p_result1", setter: fld_set}]}, - "p_time": {to:[{field: "rsa.time.p_time", setter: fld_set}]}, - "p_time1": {to:[{field: "rsa.time.p_time1", setter: fld_set}]}, - "p_time2": {to:[{field: "rsa.time.p_time2", setter: fld_set}]}, - "p_url": {to:[{field: "rsa.web.p_url", setter: fld_set}]}, - "p_user_agent": {to:[{field: "rsa.web.p_user_agent", setter: fld_set}]}, - "p_web_cookie": {to:[{field: "rsa.web.p_web_cookie", setter: fld_set}]}, - "p_web_method": {to:[{field: "rsa.web.p_web_method", setter: fld_set}]}, - "p_web_referer": {to:[{field: "rsa.web.p_web_referer", setter: fld_set}]}, - "p_year": {to:[{field: "rsa.time.p_year", setter: fld_set}]}, - "packet_length": {to:[{field: "rsa.network.packet_length", setter: fld_set}]}, - "paddr": {convert: to_ip, to:[{field: "rsa.network.paddr", setter: fld_set}]}, - "param": {to:[{field: "rsa.misc.param", setter: fld_set}]}, - "param.dst": {to:[{field: "rsa.misc.param_dst", setter: fld_set}]}, - "param.src": {to:[{field: "rsa.misc.param_src", setter: fld_set}]}, - "parent_node": {to:[{field: "rsa.misc.parent_node", setter: fld_set}]}, - "parse.error": {to:[{field: "rsa.internal.parse_error", setter: fld_set}]}, - "password": {to:[{field: "rsa.identity.password", setter: fld_set}]}, - "password_chg": {to:[{field: "rsa.misc.password_chg", setter: fld_set}]}, - "password_expire": {to:[{field: "rsa.misc.password_expire", setter: fld_set}]}, - "patient_fname": {to:[{field: "rsa.healthcare.patient_fname", setter: fld_set}]}, - "patient_id": {to:[{field: "rsa.healthcare.patient_id", setter: fld_set}]}, - "patient_lname": {to:[{field: "rsa.healthcare.patient_lname", setter: fld_set}]}, - "patient_mname": {to:[{field: "rsa.healthcare.patient_mname", setter: fld_set}]}, - "payload.req": {convert: 
to_long, to:[{field: "rsa.internal.payload_req", setter: fld_set}]}, - "payload.res": {convert: to_long, to:[{field: "rsa.internal.payload_res", setter: fld_set}]}, - "peer": {to:[{field: "rsa.crypto.peer", setter: fld_set}]}, - "peer_id": {to:[{field: "rsa.crypto.peer_id", setter: fld_set}]}, - "permgranted": {to:[{field: "rsa.misc.permgranted", setter: fld_set}]}, - "permissions": {to:[{field: "rsa.db.permissions", setter: fld_set}]}, - "permwanted": {to:[{field: "rsa.misc.permwanted", setter: fld_set}]}, - "pgid": {to:[{field: "rsa.misc.pgid", setter: fld_set}]}, - "phone_number": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 2}]}, - "phost": {to:[{field: "rsa.network.phost", setter: fld_set}]}, - "pid": {to:[{field: "rsa.misc.pid", setter: fld_set}]}, - "policy": {to:[{field: "rsa.misc.policy", setter: fld_set}]}, - "policyUUID": {to:[{field: "rsa.misc.policyUUID", setter: fld_set}]}, - "policy_id": {to:[{field: "rsa.misc.policy_id", setter: fld_set}]}, - "policy_value": {to:[{field: "rsa.misc.policy_value", setter: fld_set}]}, - "policy_waiver": {to:[{field: "rsa.misc.policy_waiver", setter: fld_set}]}, - "policyname": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 0}]}, - "pool_id": {to:[{field: "rsa.misc.pool_id", setter: fld_set}]}, - "pool_name": {to:[{field: "rsa.misc.pool_name", setter: fld_set}]}, - "port": {convert: to_long, to:[{field: "rsa.network.port", setter: fld_set}]}, - "portname": {to:[{field: "rsa.misc.port_name", setter: fld_set}]}, - "pread": {convert: to_long, to:[{field: "rsa.db.pread", setter: fld_set}]}, - "priority": {to:[{field: "rsa.misc.priority", setter: fld_set}]}, - "privilege": {to:[{field: "rsa.file.privilege", setter: fld_set}]}, - "process.vid.dst": {to:[{field: "rsa.internal.process_vid_dst", setter: fld_set}]}, - "process.vid.src": {to:[{field: "rsa.internal.process_vid_src", setter: fld_set}]}, - "process_id_val": {to:[{field: "rsa.misc.process_id_val", setter: fld_set}]}, - "processing_time": 
{to:[{field: "rsa.time.process_time", setter: fld_set}]}, - "profile": {to:[{field: "rsa.identity.profile", setter: fld_set}]}, - "prog_asp_num": {to:[{field: "rsa.misc.prog_asp_num", setter: fld_set}]}, - "program": {to:[{field: "rsa.misc.program", setter: fld_set}]}, - "protocol_detail": {to:[{field: "rsa.network.protocol_detail", setter: fld_set}]}, - "pwwn": {to:[{field: "rsa.storage.pwwn", setter: fld_set}]}, - "r_hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "real_data": {to:[{field: "rsa.misc.real_data", setter: fld_set}]}, - "realm": {to:[{field: "rsa.identity.realm", setter: fld_set}]}, - "reason": {to:[{field: "rsa.misc.reason", setter: fld_set}]}, - "rec_asp_device": {to:[{field: "rsa.misc.rec_asp_device", setter: fld_set}]}, - "rec_asp_num": {to:[{field: "rsa.misc.rec_asp_num", setter: fld_set}]}, - "rec_library": {to:[{field: "rsa.misc.rec_library", setter: fld_set}]}, - "recorded_time": {convert: to_date, to:[{field: "rsa.time.recorded_time", setter: fld_set}]}, - "recordnum": {to:[{field: "rsa.misc.recordnum", setter: fld_set}]}, - "registry.key": {to:[{field: "rsa.endpoint.registry_key", setter: fld_set}]}, - "registry.value": {to:[{field: "rsa.endpoint.registry_value", setter: fld_set}]}, - "remote_domain": {to:[{field: "rsa.web.remote_domain", setter: fld_set}]}, - "remote_domain_id": {to:[{field: "rsa.network.remote_domain_id", setter: fld_set}]}, - "reputation_num": {convert: to_double, to:[{field: "rsa.web.reputation_num", setter: fld_set}]}, - "resource": {to:[{field: "rsa.internal.resource", setter: fld_set}]}, - "resource_class": {to:[{field: "rsa.internal.resource_class", setter: fld_set}]}, - "result": {to:[{field: "rsa.misc.result", setter: fld_set}]}, - "result_code": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 1}]}, - "resultcode": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 0}]}, - "rid": {convert: to_long, to:[{field: "rsa.internal.rid", setter: fld_set}]}, - "risk": 
{to:[{field: "rsa.misc.risk", setter: fld_set}]}, - "risk_info": {to:[{field: "rsa.misc.risk_info", setter: fld_set}]}, - "risk_num": {convert: to_double, to:[{field: "rsa.misc.risk_num", setter: fld_set}]}, - "risk_num_comm": {convert: to_double, to:[{field: "rsa.misc.risk_num_comm", setter: fld_set}]}, - "risk_num_next": {convert: to_double, to:[{field: "rsa.misc.risk_num_next", setter: fld_set}]}, - "risk_num_sand": {convert: to_double, to:[{field: "rsa.misc.risk_num_sand", setter: fld_set}]}, - "risk_num_static": {convert: to_double, to:[{field: "rsa.misc.risk_num_static", setter: fld_set}]}, - "risk_suspicious": {to:[{field: "rsa.misc.risk_suspicious", setter: fld_set}]}, - "risk_warning": {to:[{field: "rsa.misc.risk_warning", setter: fld_set}]}, - "rpayload": {to:[{field: "rsa.network.rpayload", setter: fld_set}]}, - "ruid": {to:[{field: "rsa.misc.ruid", setter: fld_set}]}, - "rule": {to:[{field: "rsa.misc.rule", setter: fld_set}]}, - "rule_group": {to:[{field: "rsa.misc.rule_group", setter: fld_set}]}, - "rule_template": {to:[{field: "rsa.misc.rule_template", setter: fld_set}]}, - "rule_uid": {to:[{field: "rsa.misc.rule_uid", setter: fld_set}]}, - "rulename": {to:[{field: "rsa.misc.rule_name", setter: fld_set}]}, - "s_certauth": {to:[{field: "rsa.crypto.s_certauth", setter: fld_set}]}, - "s_cipher": {to:[{field: "rsa.crypto.cipher_src", setter: fld_set}]}, - "s_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_src", setter: fld_set}]}, - "s_context": {to:[{field: "rsa.misc.context_subject", setter: fld_set}]}, - "s_sslver": {to:[{field: "rsa.crypto.ssl_ver_src", setter: fld_set}]}, - "sburb": {to:[{field: "rsa.misc.sburb", setter: fld_set}]}, - "scheme": {to:[{field: "rsa.crypto.scheme", setter: fld_set}]}, - "sdomain_fld": {to:[{field: "rsa.misc.sdomain_fld", setter: fld_set}]}, - "search.text": {to:[{field: "rsa.misc.search_text", setter: fld_set}]}, - "sec": {to:[{field: "rsa.misc.sec", setter: fld_set}]}, - "second": {to:[{field: 
"rsa.misc.second", setter: fld_set}]}, - "sensor": {to:[{field: "rsa.misc.sensor", setter: fld_set}]}, - "sensorname": {to:[{field: "rsa.misc.sensorname", setter: fld_set}]}, - "seqnum": {to:[{field: "rsa.misc.seqnum", setter: fld_set}]}, - "serial_number": {to:[{field: "rsa.misc.serial_number", setter: fld_set}]}, - "service.account": {to:[{field: "rsa.identity.service_account", setter: fld_set}]}, - "session": {to:[{field: "rsa.misc.session", setter: fld_set}]}, - "session.split": {to:[{field: "rsa.internal.session_split", setter: fld_set}]}, - "sessionid": {to:[{field: "rsa.misc.log_session_id", setter: fld_set}]}, - "sessionid1": {to:[{field: "rsa.misc.log_session_id1", setter: fld_set}]}, - "sessiontype": {to:[{field: "rsa.misc.sessiontype", setter: fld_set}]}, - "severity": {to:[{field: "rsa.misc.severity", setter: fld_set}]}, - "sid": {to:[{field: "rsa.identity.user_sid_dst", setter: fld_set}]}, - "sig.name": {to:[{field: "rsa.misc.sig_name", setter: fld_set}]}, - "sigUUID": {to:[{field: "rsa.misc.sigUUID", setter: fld_set}]}, - "sigcat": {to:[{field: "rsa.misc.sigcat", setter: fld_set}]}, - "sigid": {convert: to_long, to:[{field: "rsa.misc.sig_id", setter: fld_set}]}, - "sigid1": {convert: to_long, to:[{field: "rsa.misc.sig_id1", setter: fld_set}]}, - "sigid_string": {to:[{field: "rsa.misc.sig_id_str", setter: fld_set}]}, - "signame": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 1}]}, - "sigtype": {to:[{field: "rsa.crypto.sig_type", setter: fld_set}]}, - "sinterface": {to:[{field: "rsa.network.sinterface", setter: fld_set}]}, - "site": {to:[{field: "rsa.internal.site", setter: fld_set}]}, - "size": {convert: to_long, to:[{field: "rsa.internal.size", setter: fld_set}]}, - "smask": {to:[{field: "rsa.network.smask", setter: fld_set}]}, - "snmp.oid": {to:[{field: "rsa.misc.snmp_oid", setter: fld_set}]}, - "snmp.value": {to:[{field: "rsa.misc.snmp_value", setter: fld_set}]}, - "sourcefile": {to:[{field: "rsa.internal.sourcefile", setter: 
fld_set}]}, - "space": {to:[{field: "rsa.misc.space", setter: fld_set}]}, - "space1": {to:[{field: "rsa.misc.space1", setter: fld_set}]}, - "spi": {to:[{field: "rsa.misc.spi", setter: fld_set}]}, - "sql": {to:[{field: "rsa.misc.sql", setter: fld_set}]}, - "src_dn": {to:[{field: "rsa.identity.dn_src", setter: fld_set}]}, - "src_payload": {to:[{field: "rsa.misc.payload_src", setter: fld_set}]}, - "src_spi": {to:[{field: "rsa.misc.spi_src", setter: fld_set}]}, - "src_zone": {to:[{field: "rsa.network.zone_src", setter: fld_set}]}, - "srcburb": {to:[{field: "rsa.misc.srcburb", setter: fld_set}]}, - "srcdom": {to:[{field: "rsa.misc.srcdom", setter: fld_set}]}, - "srcservice": {to:[{field: "rsa.misc.srcservice", setter: fld_set}]}, - "ssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 0}]}, - "stamp": {convert: to_date, to:[{field: "rsa.time.stamp", setter: fld_set}]}, - "starttime": {convert: to_date, to:[{field: "rsa.time.starttime", setter: fld_set}]}, - "state": {to:[{field: "rsa.misc.state", setter: fld_set}]}, - "statement": {to:[{field: "rsa.internal.statement", setter: fld_set}]}, - "status": {to:[{field: "rsa.misc.status", setter: fld_set}]}, - "status1": {to:[{field: "rsa.misc.status1", setter: fld_set}]}, - "streams": {convert: to_long, to:[{field: "rsa.misc.streams", setter: fld_set}]}, - "subcategory": {to:[{field: "rsa.misc.subcategory", setter: fld_set}]}, - "subject": {to:[{field: "rsa.email.subject", setter: fld_set}]}, - "svcno": {to:[{field: "rsa.misc.svcno", setter: fld_set}]}, - "system": {to:[{field: "rsa.misc.system", setter: fld_set}]}, - "t_context": {to:[{field: "rsa.misc.context_target", setter: fld_set}]}, - "task_name": {to:[{field: "rsa.file.task_name", setter: fld_set}]}, - "tbdstr1": {to:[{field: "rsa.misc.tbdstr1", setter: fld_set}]}, - "tbdstr2": {to:[{field: "rsa.misc.tbdstr2", setter: fld_set}]}, - "tbl_name": {to:[{field: "rsa.db.table_name", setter: fld_set}]}, - "tcp_flags": {convert: to_long, to:[{field: 
"rsa.misc.tcp_flags", setter: fld_set}]}, - "terminal": {to:[{field: "rsa.misc.terminal", setter: fld_set}]}, - "tgtdom": {to:[{field: "rsa.misc.tgtdom", setter: fld_set}]}, - "tgtdomain": {to:[{field: "rsa.misc.tgtdomain", setter: fld_set}]}, - "threat_name": {to:[{field: "rsa.threat.threat_category", setter: fld_set}]}, - "threat_source": {to:[{field: "rsa.threat.threat_source", setter: fld_set}]}, - "threat_val": {to:[{field: "rsa.threat.threat_desc", setter: fld_set}]}, - "threshold": {to:[{field: "rsa.misc.threshold", setter: fld_set}]}, - "time": {convert: to_date, to:[{field: "rsa.internal.time", setter: fld_set}]}, - "timestamp": {to:[{field: "rsa.time.timestamp", setter: fld_set}]}, - "timezone": {to:[{field: "rsa.time.timezone", setter: fld_set}]}, - "to": {to:[{field: "rsa.email.email_dst", setter: fld_set}]}, - "tos": {convert: to_long, to:[{field: "rsa.misc.tos", setter: fld_set}]}, - "trans_from": {to:[{field: "rsa.email.trans_from", setter: fld_set}]}, - "trans_id": {to:[{field: "rsa.db.transact_id", setter: fld_set}]}, - "trans_to": {to:[{field: "rsa.email.trans_to", setter: fld_set}]}, - "trigger_desc": {to:[{field: "rsa.misc.trigger_desc", setter: fld_set}]}, - "trigger_val": {to:[{field: "rsa.misc.trigger_val", setter: fld_set}]}, - "type": {to:[{field: "rsa.misc.type", setter: fld_set}]}, - "type1": {to:[{field: "rsa.misc.type1", setter: fld_set}]}, - "tzone": {to:[{field: "rsa.time.tzone", setter: fld_set}]}, - "ubc.req": {convert: to_long, to:[{field: "rsa.internal.ubc_req", setter: fld_set}]}, - "ubc.res": {convert: to_long, to:[{field: "rsa.internal.ubc_res", setter: fld_set}]}, - "udb_class": {to:[{field: "rsa.misc.udb_class", setter: fld_set}]}, - "url_fld": {to:[{field: "rsa.misc.url_fld", setter: fld_set}]}, - "urlpage": {to:[{field: "rsa.web.urlpage", setter: fld_set}]}, - "urlroot": {to:[{field: "rsa.web.urlroot", setter: fld_set}]}, - "user_address": {to:[{field: "rsa.email.email", setter: fld_append}]}, - "user_dept": {to:[{field: 
"rsa.identity.user_dept", setter: fld_set}]}, - "user_div": {to:[{field: "rsa.misc.user_div", setter: fld_set}]}, - "user_fname": {to:[{field: "rsa.identity.firstname", setter: fld_set}]}, - "user_lname": {to:[{field: "rsa.identity.lastname", setter: fld_set}]}, - "user_mname": {to:[{field: "rsa.identity.middlename", setter: fld_set}]}, - "user_org": {to:[{field: "rsa.identity.org", setter: fld_set}]}, - "user_role": {to:[{field: "rsa.identity.user_role", setter: fld_set}]}, - "userid": {to:[{field: "rsa.misc.userid", setter: fld_set}]}, - "username_fld": {to:[{field: "rsa.misc.username_fld", setter: fld_set}]}, - "utcstamp": {to:[{field: "rsa.misc.utcstamp", setter: fld_set}]}, - "v_instafname": {to:[{field: "rsa.misc.v_instafname", setter: fld_set}]}, - "vendor_event_cat": {to:[{field: "rsa.investigations.event_vcat", setter: fld_set}]}, - "version": {to:[{field: "rsa.misc.version", setter: fld_set}]}, - "vid": {to:[{field: "rsa.internal.msg_vid", setter: fld_set}]}, - "virt_data": {to:[{field: "rsa.misc.virt_data", setter: fld_set}]}, - "virusname": {to:[{field: "rsa.misc.virusname", setter: fld_set}]}, - "vlan": {convert: to_long, to:[{field: "rsa.network.vlan", setter: fld_set}]}, - "vlan.name": {to:[{field: "rsa.network.vlan_name", setter: fld_set}]}, - "vm_target": {to:[{field: "rsa.misc.vm_target", setter: fld_set}]}, - "vpnid": {to:[{field: "rsa.misc.vpnid", setter: fld_set}]}, - "vsys": {to:[{field: "rsa.misc.vsys", setter: fld_set}]}, - "vuln_ref": {to:[{field: "rsa.misc.vuln_ref", setter: fld_set}]}, - "web_cookie": {to:[{field: "rsa.web.web_cookie", setter: fld_set}]}, - "web_extension_tmp": {to:[{field: "rsa.web.web_extension_tmp", setter: fld_set}]}, - "web_host": {to:[{field: "rsa.web.alias_host", setter: fld_set}]}, - "web_method": {to:[{field: "rsa.misc.action", setter: fld_append}]}, - "web_page": {to:[{field: "rsa.web.web_page", setter: fld_set}]}, - "web_ref_domain": {to:[{field: "rsa.web.web_ref_domain", setter: fld_set}]}, - "web_ref_host": 
{to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "web_ref_page": {to:[{field: "rsa.web.web_ref_page", setter: fld_set}]}, - "web_ref_query": {to:[{field: "rsa.web.web_ref_query", setter: fld_set}]}, - "web_ref_root": {to:[{field: "rsa.web.web_ref_root", setter: fld_set}]}, - "wifi_channel": {convert: to_long, to:[{field: "rsa.wireless.wlan_channel", setter: fld_set}]}, - "wlan": {to:[{field: "rsa.wireless.wlan_name", setter: fld_set}]}, - "word": {to:[{field: "rsa.internal.word", setter: fld_set}]}, - "workspace_desc": {to:[{field: "rsa.misc.workspace", setter: fld_set}]}, - "workstation": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "year": {to:[{field: "rsa.time.year", setter: fld_set}]}, - "zone": {to:[{field: "rsa.network.zone", setter: fld_set}]}, - }; - - function to_date(value) { - switch (typeof (value)) { - case "object": - // This is a Date. But as it was obtained from evt.Get(), the VM - // doesn't see it as a JS Date anymore, thus value instanceof Date === false. - // Have to trust that any object here is a valid Date for Go. - return value; - case "string": - var asDate = new Date(value); - if (!isNaN(asDate)) return asDate; - } - } - - // ECMAScript 5.1 doesn't have Object.MAX_SAFE_INTEGER / Object.MIN_SAFE_INTEGER. - var maxSafeInt = Math.pow(2, 53) - 1; - var minSafeInt = -maxSafeInt; - - function to_long(value) { - var num = parseInt(value); - // Better not to index a number if it's not safe (above 53 bits). - return !isNaN(num) && minSafeInt <= num && num <= maxSafeInt ? 
num : undefined; - } - - function to_ip(value) { - if (value.indexOf(":") === -1) - return to_ipv4(value); - return to_ipv6(value); - } - - var ipv4_regex = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/; - var ipv6_hex_regex = /^[0-9A-Fa-f]{1,4}$/; - - function to_ipv4(value) { - var result = ipv4_regex.exec(value); - if (result == null || result.length !== 5) return; - for (var i = 1; i < 5; i++) { - var num = strictToInt(result[i]); - if (isNaN(num) || num < 0 || num > 255) return; - } - return value; - } - - function to_ipv6(value) { - var sqEnd = value.indexOf("]"); - if (sqEnd > -1) { - if (value.charAt(0) !== "[") return; - value = value.substr(1, sqEnd - 1); - } - var zoneOffset = value.indexOf("%"); - if (zoneOffset > -1) { - value = value.substr(0, zoneOffset); - } - var parts = value.split(":"); - if (parts == null || parts.length < 3 || parts.length > 8) return; - var numEmpty = 0; - var innerEmpty = 0; - for (var i = 0; i < parts.length; i++) { - if (parts[i].length === 0) { - numEmpty++; - if (i > 0 && i + 1 < parts.length) innerEmpty++; - } else if (!parts[i].match(ipv6_hex_regex) && - // Accept an IPv6 with a valid IPv4 at the end. - ((i + 1 < parts.length) || !to_ipv4(parts[i]))) { - return; - } - } - return innerEmpty === 0 && parts.length === 8 || innerEmpty === 1 ? value : undefined; - } - - function to_double(value) { - return parseFloat(value); - } - - function to_mac(value) { - // ES doesn't have a mac datatype so it's safe to ingest whatever was captured. - return value; - } - - function to_lowercase(value) { - // to_lowercase is used against keyword fields, which can accept - // any other type (numbers, dates). - return typeof(value) === "string"? 
value.toLowerCase() : value; - } - - function fld_set(dst, value) { - dst[this.field] = { v: value }; - } - - function fld_append(dst, value) { - if (dst[this.field] === undefined) { - dst[this.field] = { v: [value] }; - } else { - var base = dst[this.field]; - if (base.v.indexOf(value)===-1) base.v.push(value); - } - } - - function fld_prio(dst, value) { - if (dst[this.field] === undefined) { - dst[this.field] = { v: value, prio: this.prio}; - } else if(this.prio < dst[this.field].prio) { - dst[this.field].v = value; - dst[this.field].prio = this.prio; - } - } - - var valid_ecs_outcome = { - 'failure': true, - 'success': true, - 'unknown': true - }; - - function fld_ecs_outcome(dst, value) { - value = value.toLowerCase(); - if (valid_ecs_outcome[value] === undefined) { - value = 'unknown'; - } - if (dst[this.field] === undefined) { - dst[this.field] = { v: value }; - } else if (dst[this.field].v === 'unknown') { - dst[this.field] = { v: value }; - } - } - - function map_all(evt, targets, value) { - for (var i = 0; i < targets.length; i++) { - evt.Put(targets[i], value); - } - } - - function populate_fields(evt) { - var base = evt.Get(FIELDS_OBJECT); - if (base === null) return; - alternate_datetime(evt); - if (map_ecs) { - do_populate(evt, base, ecs_mappings); - } - if (map_rsa) { - do_populate(evt, base, rsa_mappings); - } - if (keep_raw) { - evt.Put("rsa.raw", base); - } - evt.Delete(FIELDS_OBJECT); - } - - var datetime_alt_components = [ - {field: "day", fmts: [[dF]]}, - {field: "year", fmts: [[dW]]}, - {field: "month", fmts: [[dB],[dG]]}, - {field: "date", fmts: [[dW,dSkip,dG,dSkip,dF],[dW,dSkip,dB,dSkip,dF],[dW,dSkip,dR,dSkip,dF]]}, - {field: "hour", fmts: [[dN]]}, - {field: "min", fmts: [[dU]]}, - {field: "secs", fmts: [[dO]]}, - {field: "time", fmts: [[dN, dSkip, dU, dSkip, dO]]}, - ]; - - function alternate_datetime(evt) { - if (evt.Get(FIELDS_PREFIX + "event_time") != null) { - return; - } - var tzOffset = tz_offset; - if (tzOffset === "event") { - 
tzOffset = evt.Get("event.timezone"); - } - var container = new DateContainer(tzOffset); - for (var i=0; i} %{day->} %{time->} %{p0}"); - - var dup2 = match("HEADER#3:0004/1_0", "nwparser.p0", "fpc0 %{p0}"); - - var dup3 = match("HEADER#3:0004/1_1", "nwparser.p0", "fpc1 %{p0}"); - - var dup4 = match("HEADER#3:0004/1_2", "nwparser.p0", "fpc2 %{p0}"); - - var dup5 = match("HEADER#3:0004/1_3", "nwparser.p0", "fpc3 %{p0}"); - - var dup6 = match("HEADER#3:0004/1_4", "nwparser.p0", "fpc4 %{p0}"); - - var dup7 = match("HEADER#3:0004/1_5", "nwparser.p0", "fpc5 %{p0}"); - - var dup8 = match("HEADER#3:0004/1_11", "nwparser.p0", "ssb %{p0}"); - - var dup9 = call({ - dest: "nwparser.payload", - fn: STRCAT, - args: [ - field("messageid"), - constant(": "), - field("p0"), - ], - }); - - var dup10 = call({ - dest: "nwparser.payload", - fn: STRCAT, - args: [ - field("messageid"), - constant(" "), - field("p0"), - ], - }); - - var dup11 = call({ - dest: "nwparser.payload", - fn: STRCAT, - args: [ - field("hfld2"), - constant(" "), - field("messageid"), - constant(": "), - field("p0"), - ], - }); - - var dup12 = call({ - dest: "nwparser.payload", - fn: STRCAT, - args: [ - field("hfld1"), - constant("["), - field("pid"), - constant("]: "), - field("messageid"), - constant(": "), - field("p0"), - ], - }); - - var dup13 = call({ - dest: "nwparser.payload", - fn: STRCAT, - args: [ - field("messageid"), - constant(" ["), - field("p0"), - ], - }); - - var dup14 = match("HEADER#15:0026.upd.a/1_0", "nwparser.p0", "RT_FLOW - %{p0}"); - - var dup15 = match("HEADER#15:0026.upd.a/1_1", "nwparser.p0", "junos-ssl-proxy - %{p0}"); - - var dup16 = match("HEADER#15:0026.upd.a/1_2", "nwparser.p0", "RT_APPQOS - %{p0}"); - - var dup17 = match("HEADER#15:0026.upd.a/1_3", "nwparser.p0", "%{hfld33->} - %{p0}"); - - var dup18 = match("HEADER#16:0026.upd.b/0", "message", "%{event_time->} %{hfld32->} %{hhostname->} %{p0}"); - - var dup19 = call({ - dest: "nwparser.payload", - fn: STRCAT, - args: [ - 
field("messageid"), - constant("["), - field("pid"), - constant("]: "), - field("p0"), - ], - }); - - var dup20 = setc("messageid","JUNOSROUTER_GENERIC"); - - var dup21 = setc("eventcategory","1605000000"); - - var dup22 = setf("msg","$MSG"); - - var dup23 = date_time({ - dest: "event_time", - args: ["month","day","time"], - fmts: [ - [dB,dF,dH,dc(":"),dU,dc(":"),dO], - ], - }); - - var dup24 = setf("hostname","hhost"); - - var dup25 = setc("event_description","AUDIT"); - - var dup26 = setc("event_description","CRON command"); - - var dup27 = setc("eventcategory","1801030000"); - - var dup28 = setc("eventcategory","1801020000"); - - var dup29 = setc("eventcategory","1605010000"); - - var dup30 = setc("eventcategory","1603000000"); - - var dup31 = setc("event_description","Process mode"); - - var dup32 = setc("event_description","NTP Server Unreachable"); - - var dup33 = setc("eventcategory","1401060000"); - - var dup34 = setc("ec_theme","Authentication"); - - var dup35 = setc("ec_subject","User"); - - var dup36 = setc("ec_activity","Logon"); - - var dup37 = setc("ec_outcome","Success"); - - var dup38 = setc("event_description","rpd proceeding"); - - var dup39 = match("MESSAGE#77:sshd:06/0", "nwparser.payload", "%{} %{p0}"); - - var dup40 = match("MESSAGE#77:sshd:06/1_0", "nwparser.p0", "%{process}[%{process_id}]: %{p0}"); - - var dup41 = match("MESSAGE#77:sshd:06/1_1", "nwparser.p0", "%{process}: %{p0}"); - - var dup42 = setc("eventcategory","1701010000"); - - var dup43 = setc("ec_outcome","Failure"); - - var dup44 = setc("eventcategory","1401030000"); - - var dup45 = match_copy("MESSAGE#72:Failed:05/1_2", "nwparser.p0", "p0"); - - var dup46 = setc("eventcategory","1803000000"); - - var dup47 = setc("event_type","VPN"); - - var dup48 = setc("eventcategory","1605020000"); - - var dup49 = setc("eventcategory","1602020000"); - - var dup50 = match("MESSAGE#114:ACCT_GETHOSTNAME_error/0", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{p0}"); - - var 
dup51 = setc("eventcategory","1603020000"); - - var dup52 = date_time({ - dest: "event_time", - args: ["hfld32"], - fmts: [ - [dW,dc("-"),dG,dc("-"),dF,dc("T"),dN,dc(":"),dU,dc(":"),dO], - ], - }); - - var dup53 = setc("ec_subject","NetworkComm"); - - var dup54 = setc("ec_activity","Create"); - - var dup55 = setc("ec_activity","Stop"); - - var dup56 = setc("event_description","Trap state change"); - - var dup57 = setc("event_description","peer NLRI mismatch"); - - var dup58 = setc("eventcategory","1605030000"); - - var dup59 = setc("eventcategory","1603010000"); - - var dup60 = setc("eventcategory","1606000000"); - - var dup61 = setf("hostname","hhostname"); - - var dup62 = date_time({ - dest: "event_time", - args: ["hfld6"], - fmts: [ - [dW,dc("-"),dG,dc("-"),dF,dc("T"),dN,dc(":"),dU,dc(":"),dO], - ], - }); - - var dup63 = setc("eventcategory","1401050200"); - - var dup64 = setc("event_description","Memory allocation failed during initialization for configuration load"); - - var dup65 = setc("event_description","unable to run in the background as a daemon"); - - var dup66 = setc("event_description","Another copy of this program is running"); - - var dup67 = setc("event_description","Unable to lock PID file"); - - var dup68 = setc("event_description","Unable to update process PID file"); - - var dup69 = setc("eventcategory","1301000000"); - - var dup70 = setc("event_description","Command stopped"); - - var dup71 = setc("event_description","Unable to create pipes for command"); - - var dup72 = setc("event_description","Command exited"); - - var dup73 = setc("eventcategory","1603050000"); - - var dup74 = setc("eventcategory","1801010000"); - - var dup75 = setc("event_description","Login failure"); - - var dup76 = match("MESSAGE#294:LOGIN_INFORMATION/3_0", "nwparser.p0", "User %{p0}"); - - var dup77 = match("MESSAGE#294:LOGIN_INFORMATION/3_1", "nwparser.p0", "user %{p0}"); - - var dup78 = setc("event_description","Unable to open file"); - - var dup79 = 
setc("event_description","SNMP index assigned changed"); - - var dup80 = setc("eventcategory","1302000000"); - - var dup81 = setc("eventcategory","1001020300"); - - var dup82 = setc("event_description","PFE FW SYSLOG_IP"); - - var dup83 = setc("event_description","process_mode"); - - var dup84 = setc("event_description","Logical interface collision"); - - var dup85 = setc("event_description","excessive runtime time during action of module"); - - var dup86 = setc("event_description","Reinitializing"); - - var dup87 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/0", "nwparser.payload", "%{event_type->} [junos@%{obj_name->} source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\"%{p0}"); - - var dup88 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/1_0", "nwparser.p0", " connection-tag=%{fld20->} service-name=\"%{p0}"); - - var dup89 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/1_1", "nwparser.p0", " service-name=\"%{p0}"); - - var dup90 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/3_0", "nwparser.p0", " nat-connection-tag=%{fld6->} src-nat-rule-type=%{fld20->} %{p0}"); - - var dup91 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/5_1", "nwparser.p0", "name=\"%{p0}"); - - var dup92 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/8", "nwparser.p0", "]%{}"); - - var dup93 = setc("eventcategory","1803010000"); - - var dup94 = setc("ec_activity","Deny"); - - var dup95 = match("MESSAGE#490:RT_FLOW_SESSION_DENY:03/0_0", "nwparser.payload", "%{process}: %{event_type}: session denied %{p0}"); - - var dup96 = match("MESSAGE#490:RT_FLOW_SESSION_DENY:03/0_1", "nwparser.payload", "%{event_type}: session denied %{p0}"); - - var dup97 = setc("event_description","session denied"); - - var dup98 = match("MESSAGE#492:RT_FLOW_SESSION_CLOSE:01/0", "nwparser.payload", "%{event_type->} [junos@%{obj_name->} reason=\"%{result}\" source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" 
destination-port=\"%{dport}\"%{p0}"); - - var dup99 = match("MESSAGE#492:RT_FLOW_SESSION_CLOSE:01/2", "nwparser.p0", "%{service}\" nat-source-address=\"%{hostip}\" nat-source-port=\"%{network_port}\" nat-destination-address=\"%{dtransaddr}\" nat-destination-port=\"%{dtransport}\"%{p0}"); - - var dup100 = match("MESSAGE#492:RT_FLOW_SESSION_CLOSE:01/4", "nwparser.p0", "%{}src-nat-rule-name=\"%{rulename}\" dst-nat-rule-%{p0}"); - - var dup101 = match("MESSAGE#492:RT_FLOW_SESSION_CLOSE:01/5_0", "nwparser.p0", "type=%{fld7->} dst-nat-rule-name=\"%{p0}"); - - var dup102 = match("MESSAGE#492:RT_FLOW_SESSION_CLOSE:01/6", "nwparser.p0", "\"%{rule_template->} protocol-id=\"%{protocol}\" policy-name=\"%{policyname}\" source-zone-name=\"%{src_zone}\" destination-zone-name=\"%{dst_zone}\" session-id-32=\"%{sessionid}\" packets-from-client=\"%{packets}\" bytes-from-client=\"%{rbytes}\" packets-from-server=\"%{dclass_counter1}\" bytes-from-server=\"%{sbytes}\" elapsed-time=\"%{duration}\"%{p0}"); - - var dup103 = match("MESSAGE#492:RT_FLOW_SESSION_CLOSE:01/7_0", "nwparser.p0", " application=\"%{fld6}\" nested-application=\"%{fld7}\" username=\"%{username}\" roles=\"%{fld15}\" packet-incoming-interface=\"%{dinterface}\" encrypted=%{fld16->} %{p0}"); - - var dup104 = setc("dclass_counter1_string","No.of packets from client"); - - var dup105 = setc("event_description","SNMPD AUTH FAILURE"); - - var dup106 = setc("event_description","send send-type (index1) failure"); - - var dup107 = setc("event_description","SNMP trap error"); - - var dup108 = setc("event_description","SNMP TRAP LINK DOWN"); - - var dup109 = setc("event_description","SNMP TRAP LINK UP"); - - var dup110 = setc("event_description","Login Failure"); - - var dup111 = match("MESSAGE#630:UI_CFG_AUDIT_OTHER:02/0", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' set: [%{action}] %{p0}"); - - var dup112 = match_copy("MESSAGE#630:UI_CFG_AUDIT_OTHER:02/1_1", "nwparser.p0", "space"); - - var 
dup113 = setc("eventcategory","1701020000"); - - var dup114 = match("MESSAGE#634:UI_CFG_AUDIT_SET:01/1_1", "nwparser.p0", "\u003c\u003c%{change_old}> %{p0}"); - - var dup115 = match("MESSAGE#634:UI_CFG_AUDIT_SET:01/2", "nwparser.p0", "-> \"%{change_new}\""); - - var dup116 = setc("event_description","User set command"); - - var dup117 = match("MESSAGE#637:UI_CFG_AUDIT_SET_SECRET:01/0", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' %{p0}"); - - var dup118 = match("MESSAGE#637:UI_CFG_AUDIT_SET_SECRET:01/1_0", "nwparser.p0", "set %{p0}"); - - var dup119 = match("MESSAGE#637:UI_CFG_AUDIT_SET_SECRET:01/1_1", "nwparser.p0", "replace %{p0}"); - - var dup120 = setc("event_description","User set groups to secret"); - - var dup121 = setc("event_description","UI CMDLINE READ LINE"); - - var dup122 = setc("event_description","User commit"); - - var dup123 = match("MESSAGE#675:UI_DAEMON_ACCEPT_FAILED/1_0", "nwparser.p0", "Network %{p0}"); - - var dup124 = match("MESSAGE#675:UI_DAEMON_ACCEPT_FAILED/1_1", "nwparser.p0", "Local %{p0}"); - - var dup125 = setc("eventcategory","1401070000"); - - var dup126 = setc("ec_activity","Logoff"); - - var dup127 = setc("event_description","Successful login"); - - var dup128 = setf("hostname","hostip"); - - var dup129 = setc("event_description","TACACS+ failure"); - - var dup130 = match("MESSAGE#755:node:05/0", "nwparser.payload", "%{hostname->} %{node->} %{p0}"); - - var dup131 = match("MESSAGE#755:node:05/1_0", "nwparser.p0", "partner%{p0}"); - - var dup132 = match("MESSAGE#755:node:05/1_1", "nwparser.p0", "actor%{p0}"); - - var dup133 = setc("eventcategory","1003010000"); - - var dup134 = setc("eventcategory","1901000000"); - - var dup135 = linear_select([ - dup14, - dup15, - dup16, - dup17, - ]); - - var dup136 = match("HEADER#15:0026.upd.a/2", "nwparser.p0", "%{messageid->} [%{p0}", processor_chain([ - dup13, - ])); - - var dup137 = linear_select([ - dup40, - dup41, - ]); - - var dup138 = 
match("MESSAGE#125:BFDD_TRAP_STATE_DOWN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: local discriminator: %{resultcode}, new state: %{result}", processor_chain([ - dup21, - dup22, - dup56, - dup23, - ])); - - var dup139 = match("MESSAGE#214:DCD_MALLOC_FAILED_INIT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Memory allocation failed during initialization for configuration load", processor_chain([ - dup51, - dup22, - dup64, - dup23, - ])); - - var dup140 = match("MESSAGE#225:ECCD_DAEMONIZE_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}, unable to run in the background as a daemon: %{result}", processor_chain([ - dup30, - dup22, - dup65, - dup23, - ])); - - var dup141 = match("MESSAGE#226:ECCD_DUPLICATE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Another copy of this program is running", processor_chain([ - dup30, - dup22, - dup66, - dup23, - ])); - - var dup142 = match("MESSAGE#232:ECCD_PID_FILE_LOCK", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to lock PID file: %{result}", processor_chain([ - dup30, - dup22, - dup67, - dup23, - ])); - - var dup143 = match("MESSAGE#233:ECCD_PID_FILE_UPDATE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to update process PID file: %{result}", processor_chain([ - dup30, - dup22, - dup68, - dup23, - ])); - - var dup144 = match("MESSAGE#272:LIBJNX_EXEC_PIPE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to create pipes for command '%{action}': %{result}", processor_chain([ - dup30, - dup22, - dup71, - dup23, - ])); - - var dup145 = linear_select([ - dup76, - dup77, - ]); - - var dup146 = match("MESSAGE#310:MIB2D_IFD_IFINDEX_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: SNMP index assigned to %{uid->} changed from %{dclass_counter1->} to %{result}", processor_chain([ - dup30, - dup22, - dup79, - dup23, - ])); - - var dup147 = 
match("MESSAGE#412:RPD_IFL_INDEXCOLLISION", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Logical interface collision -- %{result}, %{info}", processor_chain([ - dup30, - dup22, - dup84, - dup23, - ])); - - var dup148 = match("MESSAGE#466:RPD_SCHED_CALLBACK_LONGRUNTIME", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: excessive runtime time during action of module", processor_chain([ - dup30, - dup22, - dup85, - dup23, - ])); - - var dup149 = match("MESSAGE#482:RPD_TASK_REINIT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Reinitializing", processor_chain([ - dup21, - dup22, - dup86, - dup23, - ])); - - var dup150 = linear_select([ - dup88, - dup89, - ]); - - var dup151 = linear_select([ - dup90, - dup45, - ]); - - var dup152 = linear_select([ - dup95, - dup96, - ]); - - var dup153 = linear_select([ - dup101, - dup91, - ]); - - var dup154 = match("MESSAGE#498:RT_SCREEN_TCP", "nwparser.payload", "%{event_type->} [junos@%{obj_name->} attack-name=\"%{threat_name}\" source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" source-zone-name=\"%{src_zone}\" interface-name=\"%{interface}\" action=\"%{action}\"]", processor_chain([ - dup30, - dup22, - dup52, - ])); - - var dup155 = match("MESSAGE#527:SSL_PROXY_SSL_SESSION_ALLOW", "nwparser.payload", "%{event_type->} [junos@%{obj_name->} logical-system-name=\"%{hostname}\" session-id=\"%{sessionid}\" source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" nat-source-address=\"%{hostip}\" nat-source-port=\"%{network_port}\" nat-destination-address=\"%{dtransaddr}\" nat-destination-port=\"%{dtransport}\" profile-name=\"%{rulename}\" source-zone-name=\"%{src_zone}\" source-interface-name=\"%{sinterface}\" destination-zone-name=\"%{dst_zone}\" destination-interface-name=\"%{dinterface}\" message=\"%{info}\"]", processor_chain([ - dup27, - dup22, - 
dup52, - ])); - - var dup156 = linear_select([ - dup118, - dup119, - ]); - - var dup157 = linear_select([ - dup123, - dup124, - ]); - - var dup158 = match("MESSAGE#733:WEBFILTER_URL_PERMITTED", "nwparser.payload", "%{event_type->} [junos@%{fld21->} source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" name=\"%{info}\" error-message=\"%{result}\" profile-name=\"%{profile}\" object-name=\"%{obj_name}\" pathname=\"%{directory}\" username=\"%{username}\" roles=\"%{user_role}\"] WebFilter: ACTION=\"%{action}\" %{fld2}->%{fld3->} CATEGORY=\"%{category}\" REASON=\"%{fld4}\" PROFILE=\"%{fld6}\" URL=%{url->} OBJ=%{fld7->} USERNAME=%{fld8->} ROLES=%{fld9}", processor_chain([ - dup30, - dup22, - dup52, - ])); - - var dup159 = match_copy("MESSAGE#747:cli", "nwparser.payload", "fld12", processor_chain([ - dup48, - dup47, - dup23, - dup22, - ])); - - var hdr1 = match("HEADER#0:0001", "message", "%{month->} %{day->} %{time->} %{messageid}: restart %{p0}", processor_chain([ - setc("header_id","0001"), - call({ - dest: "nwparser.payload", - fn: STRCAT, - args: [ - field("messageid"), - constant(": restart "), - field("p0"), - ], - }), - ])); - - var hdr2 = match("HEADER#1:0002", "message", "%{month->} %{day->} %{time->} %{messageid->} message repeated %{p0}", processor_chain([ - setc("header_id","0002"), - call({ - dest: "nwparser.payload", - fn: STRCAT, - args: [ - field("messageid"), - constant(" message repeated "), - field("p0"), - ], - }), - ])); - - var hdr3 = match("HEADER#2:0003", "message", "%{month->} %{day->} %{time->} ssb %{messageid}(%{hfld1}): %{p0}", processor_chain([ - setc("header_id","0003"), - call({ - dest: "nwparser.payload", - fn: STRCAT, - args: [ - field("messageid"), - constant("("), - field("hfld1"), - constant("): "), - field("p0"), - ], - }), - ])); - - var part1 = match("HEADER#3:0004/1_6", "nwparser.p0", "fpc6 %{p0}"); - - var part2 = match("HEADER#3:0004/1_7", "nwparser.p0", "fpc7 %{p0}"); 
- - var part3 = match("HEADER#3:0004/1_8", "nwparser.p0", "fpc8 %{p0}"); - - var part4 = match("HEADER#3:0004/1_9", "nwparser.p0", "fpc9 %{p0}"); - - var part5 = match("HEADER#3:0004/1_10", "nwparser.p0", "cfeb %{p0}"); - - var select1 = linear_select([ - dup2, - dup3, - dup4, - dup5, - dup6, - dup7, - part1, - part2, - part3, - part4, - part5, - dup8, - ]); - - var part6 = match("HEADER#3:0004/2", "nwparser.p0", "%{} %{messageid}: %{p0}", processor_chain([ - dup9, - ])); - - var all1 = all_match({ - processors: [ - dup1, - select1, - part6, - ], - on_success: processor_chain([ - setc("header_id","0004"), - ]), - }); - - var select2 = linear_select([ - dup2, - dup3, - dup4, - dup5, - dup6, - dup7, - dup8, - ]); - - var part7 = match("HEADER#4:0005/2", "nwparser.p0", "%{} %{messageid->} %{p0}", processor_chain([ - dup10, - ])); - - var all2 = all_match({ - processors: [ - dup1, - select2, - part7, - ], - on_success: processor_chain([ - setc("header_id","0005"), - ]), - }); - - var hdr4 = match("HEADER#5:0007", "message", "%{month->} %{day->} %{time->} %{hfld1->} %{hhost}: %{hfld2}[%{hpid}]: %{messageid}: %{p0}", processor_chain([ - setc("header_id","0007"), - call({ - dest: "nwparser.payload", - fn: STRCAT, - args: [ - field("hfld2"), - constant("["), - field("hpid"), - constant("]: "), - field("messageid"), - constant(": "), - field("p0"), - ], - }), - ])); - - var hdr5 = match("HEADER#6:0008", "message", "%{month->} %{day->} %{time->} %{hfld1->} %{hhost}: %{messageid}[%{hpid}]: %{p0}", processor_chain([ - setc("header_id","0008"), - call({ - dest: "nwparser.payload", - fn: STRCAT, - args: [ - field("messageid"), - constant("["), - field("hpid"), - constant("]: "), - field("p0"), - ], - }), - ])); - - var hdr6 = match("HEADER#7:0009", "message", "%{month->} %{day->} %{time->} %{hfld1->} %{hhost}: %{hfld2->} IFP trace> %{messageid}: %{p0}", processor_chain([ - setc("header_id","0009"), - call({ - dest: "nwparser.payload", - fn: STRCAT, - args: [ - field("hfld2"), - 
constant(" IFP trace> "), - field("messageid"), - constant(": "), - field("p0"), - ], - }), - ])); - - var hdr7 = match("HEADER#8:0010", "message", "%{month->} %{day->} %{time->} %{hfld1->} %{hhost}: %{hfld2->} %{messageid}: %{p0}", processor_chain([ - setc("header_id","0010"), - dup11, - ])); - - var hdr8 = match("HEADER#9:0029", "message", "%{month->} %{day->} %{time->} %{hostip->} %{hfld1}[%{pid}]: %{messageid}: %{p0}", processor_chain([ - setc("header_id","0029"), - dup12, - ])); - - var hdr9 = match("HEADER#10:0015", "message", "%{month->} %{day->} %{time->} %{hfld1}[%{pid}]: %{messageid}: %{p0}", processor_chain([ - setc("header_id","0015"), - dup12, - ])); - - var hdr10 = match("HEADER#11:0011", "message", "%{month->} %{day->} %{time->} %{hfld2->} %{messageid}: %{p0}", processor_chain([ - setc("header_id","0011"), - dup11, - ])); - - var hdr11 = match("HEADER#12:0027", "message", "%{month->} %{day->} %{time->} %{hhostname->} RT_FLOW: %{messageid}: %{p0}", processor_chain([ - setc("header_id","0027"), - dup9, - ])); - - var hdr12 = match("HEADER#13:0012", "message", "%{month->} %{day->} %{time->} %{hfld1->} %{hhost}: %{messageid}: %{p0}", processor_chain([ - setc("header_id","0012"), - dup9, - ])); - - var hdr13 = match("HEADER#14:0013", "message", "%{month->} %{day->} %{time->} %{hfld1->} %{hfld32->} %{hhostname->} RT_FLOW - %{messageid->} [%{p0}", processor_chain([ - setc("header_id","0013"), - dup13, - ])); - - var hdr14 = match("HEADER#15:0026.upd.a/0", "message", "%{hfld1->} %{event_time->} %{hfld32->} %{hhostname->} %{p0}"); - - var all3 = all_match({ - processors: [ - hdr14, - dup135, - dup136, - ], - on_success: processor_chain([ - setc("header_id","0026.upd.a"), - ]), - }); - - var all4 = all_match({ - processors: [ - dup18, - dup135, - dup136, - ], - on_success: processor_chain([ - setc("header_id","0026.upd.b"), - ]), - }); - - var all5 = all_match({ - processors: [ - dup18, - dup135, - dup136, - ], - on_success: processor_chain([ - 
setc("header_id","0026"), - ]), - }); - - var hdr15 = match("HEADER#18:0014", "message", "%{month->} %{day->} %{time->} %{hfld1}[%{pid}]: %{messageid}[%{hpid}]: %{p0}", processor_chain([ - setc("header_id","0014"), - call({ - dest: "nwparser.payload", - fn: STRCAT, - args: [ - field("hfld1"), - constant("["), - field("pid"), - constant("]: "), - field("messageid"), - constant("["), - field("hpid"), - constant("]: "), - field("p0"), - ], - }), - ])); - - var hdr16 = match("HEADER#19:0016", "message", "%{month->} %{day->} %{time->} %{hfld1}: %{messageid}: %{p0}", processor_chain([ - setc("header_id","0016"), - call({ - dest: "nwparser.payload", - fn: STRCAT, - args: [ - field("hfld1"), - constant(": "), - field("messageid"), - constant(": "), - field("p0"), - ], - }), - ])); - - var hdr17 = match("HEADER#20:0017", "message", "%{month->} %{day->} %{time->} %{hfld1}[%{pid}]: %{messageid->} %{p0}", processor_chain([ - setc("header_id","0017"), - call({ - dest: "nwparser.payload", - fn: STRCAT, - args: [ - field("hfld1"), - constant("["), - field("pid"), - constant("]: "), - field("messageid"), - constant(" "), - field("p0"), - ], - }), - ])); - - var hdr18 = match("HEADER#21:0018", "message", "%{month->} %{day->} %{time->} %{hhost}: %{messageid}[%{pid}]: %{p0}", processor_chain([ - setc("header_id","0018"), - dup19, - ])); - - var hdr19 = match("HEADER#22:0028", "message", "%{month->} %{day->} %{time->} %{hhost->} %{messageid}[%{pid}]: %{p0}", processor_chain([ - setc("header_id","0028"), - dup19, - ])); - - var hdr20 = match("HEADER#23:0019", "message", "%{month->} %{day->} %{time->} %{hhost}: %{messageid}: %{p0}", processor_chain([ - setc("header_id","0019"), - dup9, - ])); - - var hdr21 = match("HEADER#24:0020", "message", "%{month->} %{day->} %{time->} %{messageid}[%{pid}]: %{p0}", processor_chain([ - setc("header_id","0020"), - dup19, - ])); - - var hdr22 = match("HEADER#25:0021", "message", "%{month->} %{day->} %{time->} /%{messageid}: %{p0}", processor_chain([ - 
setc("header_id","0021"), - dup9, - ])); - - var hdr23 = match("HEADER#26:0022", "message", "%{month->} %{day->} %{time->} %{messageid}: %{p0}", processor_chain([ - setc("header_id","0022"), - dup9, - ])); - - var hdr24 = match("HEADER#27:0023", "message", "%{month->} %{day->} %{time->} %{hfld1->} %{hhostname}: %{messageid}[%{pid}]: %{p0}", processor_chain([ - setc("header_id","0023"), - dup19, - ])); - - var hdr25 = match("HEADER#28:0024", "message", "%{month->} %{day->} %{time->} %{hfld1->} %{hhostname}: %{messageid}: %{p0}", processor_chain([ - setc("header_id","0024"), - dup9, - ])); - - var hdr26 = match("HEADER#29:0025", "message", "%{month->} %{day->} %{time->} %{hfld1->} %{hhostname}: %{hfld2->} %{messageid->} %{p0}", processor_chain([ - setc("header_id","0025"), - call({ - dest: "nwparser.payload", - fn: STRCAT, - args: [ - field("hfld2"), - constant(" "), - field("messageid"), - constant(" "), - field("p0"), - ], - }), - ])); - - var hdr27 = match("HEADER#30:0031", "message", "%{month->} %{day->} %{time->} %{hfld1->} %{hhostname}: %{messageid->} %{p0}", processor_chain([ - setc("header_id","0031"), - dup10, - ])); - - var hdr28 = match("HEADER#31:0032", "message", "%{month->} %{day->} %{time->} %{hostip->} (%{hfld1}) %{hfld2->} %{messageid}[%{pid}]: %{p0}", processor_chain([ - setc("header_id","0032"), - dup19, - ])); - - var hdr29 = match("HEADER#32:0033", "message", "%{month->} %{day->} %{time->} %{hfld1->} %{hhostname->} %{messageid}: %{p0}", processor_chain([ - setc("header_id","0033"), - call({ - dest: "nwparser.payload", - fn: STRCAT, - args: [ - field("hfld1"), - constant(" "), - field("hhostname"), - constant(" "), - field("messageid"), - constant(": "), - field("p0"), - ], - }), - ])); - - var hdr30 = match("HEADER#33:3336", "message", "%{month->} %{day->} %{time->} %{hhost->} %{process}[%{process_id}]: %{messageid}: %{payload}", processor_chain([ - setc("header_id","3336"), - ])); - - var hdr31 = match("HEADER#34:3339", "message", "%{month->} 
%{day->} %{time->} %{hhost->} %{process}[%{process_id}]: %{messageid->} %{payload}", processor_chain([ - setc("header_id","3339"), - ])); - - var hdr32 = match("HEADER#35:3337", "message", "%{month->} %{day->} %{time->} %{hhost->} %{messageid}: %{payload}", processor_chain([ - setc("header_id","3337"), - ])); - - var hdr33 = match("HEADER#36:3341", "message", "%{hfld1->} %{hfld6->} %{hhostname->} %{hfld2->} %{hfld3->} %{messageid->} %{p0}", processor_chain([ - setc("header_id","3341"), - call({ - dest: "nwparser.payload", - fn: STRCAT, - args: [ - field("hfld2"), - constant(" "), - field("hfld3"), - constant(" "), - field("messageid"), - constant(" "), - field("p0"), - ], - }), - ])); - - var hdr34 = match("HEADER#37:3338", "message", "%{month->} %{day->} %{time->} %{hhost->} %{messageid->} %{payload}", processor_chain([ - setc("header_id","3338"), - ])); - - var hdr35 = match("HEADER#38:3340/0", "message", "%{month->} %{day->} %{time->} %{hhost->} node%{hfld1}.fpc%{p0}", processor_chain([ - call({ - dest: "nwparser.payload", - fn: STRCAT, - args: [ - field("hhost"), - constant(" node"), - field("hfld1"), - constant(".fpc"), - field("p0"), - ], - }), - ])); - - var part8 = match("HEADER#38:3340/1_0", "nwparser.p0", "%{hfld2}.pic%{hfld3->} %{p0}"); - - var part9 = match("HEADER#38:3340/1_1", "nwparser.p0", "%{hfld2->} %{p0}"); - - var select3 = linear_select([ - part8, - part9, - ]); - - var part10 = match("HEADER#38:3340/2", "nwparser.p0", "%{} %{p0}"); - - var all6 = all_match({ - processors: [ - hdr35, - select3, - part10, - ], - on_success: processor_chain([ - setc("header_id","3340"), - setc("messageid","node"), - ]), - }); - - var hdr36 = match("HEADER#39:9997/0_0", "message", "mgd[%{p0}"); - - var hdr37 = match("HEADER#39:9997/0_1", "message", "rpd[%{p0}"); - - var hdr38 = match("HEADER#39:9997/0_2", "message", "dcd[%{p0}"); - - var select4 = linear_select([ - hdr36, - hdr37, - hdr38, - ]); - - var part11 = match("HEADER#39:9997/1", "nwparser.p0", 
"%{process_id}]:%{payload}"); - - var all7 = all_match({ - processors: [ - select4, - part11, - ], - on_success: processor_chain([ - setc("header_id","9997"), - dup20, - ]), - }); - - var hdr39 = match("HEADER#40:9995", "message", "%{month->} %{day->} %{time->} %{hhost->} %{hfld1->} %{hfld2->} %{messageid}[%{hfld3}]:%{p0}", processor_chain([ - setc("header_id","9995"), - call({ - dest: "nwparser.payload", - fn: STRCAT, - args: [ - field("messageid"), - constant("["), - field("hfld3"), - constant("]:"), - field("p0"), - ], - }), - ])); - - var hdr40 = match("HEADER#41:9994", "message", "%{month->} %{day->} %{time->} %{hfld2->} %{hfld1->} qsfp %{p0}", processor_chain([ - setc("header_id","9994"), - setc("messageid","qsfp"), - call({ - dest: "nwparser.payload", - fn: STRCAT, - args: [ - field("hfld2"), - constant(" "), - field("hfld1"), - constant(" qsfp "), - field("p0"), - ], - }), - ])); - - var hdr41 = match("HEADER#42:9999", "message", "%{month->} %{day->} %{time->} %{hhost->} %{process}[%{process_id}]: %{hevent_type}: %{p0}", processor_chain([ - setc("header_id","9999"), - dup20, - call({ - dest: "nwparser.payload", - fn: STRCAT, - args: [ - field("hevent_type"), - constant(": "), - field("p0"), - ], - }), - ])); - - var hdr42 = match("HEADER#43:9998", "message", "%{month->} %{day->} %{time->} %{hfld2->} %{process}: %{p0}", processor_chain([ - setc("header_id","9998"), - dup20, - call({ - dest: "nwparser.payload", - fn: STRCAT, - args: [ - field("hfld2"), - constant(" "), - field("process"), - constant(": "), - field("p0"), - ], - }), - ])); - - var select5 = linear_select([ - hdr1, - hdr2, - hdr3, - all1, - all2, - hdr4, - hdr5, - hdr6, - hdr7, - hdr8, - hdr9, - hdr10, - hdr11, - hdr12, - hdr13, - all3, - all4, - all5, - hdr15, - hdr16, - hdr17, - hdr18, - hdr19, - hdr20, - hdr21, - hdr22, - hdr23, - hdr24, - hdr25, - hdr26, - hdr27, - hdr28, - hdr29, - hdr30, - hdr31, - hdr32, - hdr33, - hdr34, - all6, - all7, - hdr39, - hdr40, - hdr41, - hdr42, - ]); - - var 
part12 = match("MESSAGE#0:/usr/sbin/sshd", "nwparser.payload", "%{process}[%{process_id}]: %{agent}[%{id}]: exit status %{result}", processor_chain([ - dup21, - dup22, - setc("event_description","sshd exit status"), - dup23, - ])); - - var msg1 = msg("/usr/sbin/sshd", part12); - - var part13 = match("MESSAGE#1:/usr/libexec/telnetd", "nwparser.payload", "%{process}[%{process_id}]: %{agent}[%{id}]: exit status %{result}", processor_chain([ - dup21, - dup22, - setc("event_description","telnetd exit status"), - dup23, - ])); - - var msg2 = msg("/usr/libexec/telnetd", part13); - - var part14 = match("MESSAGE#2:alarmd", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: License color=%{severity}, class=%{device}, reason=%{result}", processor_chain([ - dup21, - dup22, - setc("event_description","Alarm Set or Cleared"), - dup23, - ])); - - var msg3 = msg("alarmd", part14); - - var part15 = match("MESSAGE#3:bigd", "nwparser.payload", "%{process}: Node detected UP for %{node}", processor_chain([ - dup21, - dup22, - setc("event_description","Node detected UP"), - dup23, - ])); - - var msg4 = msg("bigd", part15); - - var part16 = match("MESSAGE#4:bigd:01", "nwparser.payload", "%{process}: Monitor template id is %{id}", processor_chain([ - dup21, - dup22, - setc("event_description","Monitor template id"), - dup23, - ])); - - var msg5 = msg("bigd:01", part16); - - var select6 = linear_select([ - msg4, - msg5, - ]); - - var part17 = match("MESSAGE#5:bigpipe", "nwparser.payload", "%{process}: Loading the configuration file %(unknown)", processor_chain([ - dup21, - dup22, - setc("event_description","Loading configuration file"), - dup23, - ])); - - var msg6 = msg("bigpipe", part17); - - var part18 = match("MESSAGE#6:bigpipe:01", "nwparser.payload", "%{process}: Begin config install operation %{action}", processor_chain([ - dup21, - dup22, - setc("event_description","Begin config install operation"), - dup23, - ])); - - var msg7 = msg("bigpipe:01", part18); - - var 
part19 = match("MESSAGE#7:bigpipe:02", "nwparser.payload", "%{process}: AUDIT -- Action %{action->} User: %{username}", processor_chain([ - dup21, - dup22, - setc("event_description","Audit"), - dup23, - ])); - - var msg8 = msg("bigpipe:02", part19); - - var select7 = linear_select([ - msg6, - msg7, - msg8, - ]); - - var part20 = match("MESSAGE#8:bigstart", "nwparser.payload", "%{process}: shutdown %{service}", processor_chain([ - dup21, - dup22, - setc("event_description","portal shutdown"), - dup23, - ])); - - var msg9 = msg("bigstart", part20); - - var part21 = match("MESSAGE#9:cgatool", "nwparser.payload", "%{process}: %{event_type}: generated address is %{result}", processor_chain([ - dup21, - dup22, - setc("event_description","cga address genration"), - dup23, - ])); - - var msg10 = msg("cgatool", part21); - - var part22 = match("MESSAGE#10:chassisd:01", "nwparser.payload", "%{process}[%{process_id}]:%{fld12}", processor_chain([ - dup21, - dup22, - dup23, - dup24, - ])); - - var msg11 = msg("chassisd:01", part22); - - var part23 = match("MESSAGE#11:checkd", "nwparser.payload", "%{process}: AUDIT -- Action %{action->} User: %{username}", processor_chain([ - dup21, - dup22, - dup25, - dup23, - ])); - - var msg12 = msg("checkd", part23); - - var part24 = match("MESSAGE#12:checkd:01", "nwparser.payload", "%{process}: exiting", processor_chain([ - dup21, - dup22, - setc("event_description","checkd exiting"), - dup23, - ])); - - var msg13 = msg("checkd:01", part24); - - var select8 = linear_select([ - msg12, - msg13, - ]); - - var part25 = match("MESSAGE#13:cosd", "nwparser.payload", "%{process}[%{process_id}]: link protection %{dclass_counter1->} for intf %{interface}", processor_chain([ - dup21, - dup22, - setc("event_description","link protection for interface"), - dup23, - ])); - - var msg14 = msg("cosd", part25); - - var part26 = match("MESSAGE#14:craftd", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}, %{result}", processor_chain([ - dup21, - 
dup22, - setc("event_description","License expiration warning"), - dup23, - ])); - - var msg15 = msg("craftd", part26); - - var part27 = match("MESSAGE#15:CRON/0", "nwparser.payload", "%{process}[%{process_id}]: (%{username}) %{p0}"); - - var part28 = match("MESSAGE#15:CRON/1_0", "nwparser.p0", "CMD (%{result})"); - - var part29 = match("MESSAGE#15:CRON/1_1", "nwparser.p0", "cmd='%{result}'"); - - var select9 = linear_select([ - part28, - part29, - ]); - - var all8 = all_match({ - processors: [ - part27, - select9, - ], - on_success: processor_chain([ - dup21, - dup22, - dup26, - dup23, - ]), - }); - - var msg16 = msg("CRON", all8); - - var part30 = match("MESSAGE#16:Cmerror/0_0", "nwparser.payload", "%{hostname->} %{node}Cmerror: Level%{level}count increment %{dclass_counter1->} %{fld1}"); - - var part31 = match_copy("MESSAGE#16:Cmerror/0_1", "nwparser.payload", "fld2"); - - var select10 = linear_select([ - part30, - part31, - ]); - - var all9 = all_match({ - processors: [ - select10, - ], - on_success: processor_chain([ - dup21, - dup23, - dup22, - ]), - }); - - var msg17 = msg("Cmerror", all9); - - var part32 = match("MESSAGE#17:cron", "nwparser.payload", "%{process}[%{process_id}]: (%{username}) %{action->} (%(unknown))", processor_chain([ - dup21, - dup22, - setc("event_description","cron RELOAD"), - dup23, - ])); - - var msg18 = msg("cron", part32); - - var part33 = match("MESSAGE#18:CROND", "nwparser.payload", "%{process}[%{process_id}]: (%{username}) CMD (%{action})", processor_chain([ - dup21, - dup22, - dup23, - dup24, - ])); - - var msg19 = msg("CROND", part33); - - var part34 = match("MESSAGE#20:CROND:02", "nwparser.payload", "%{process}[%{process_id}]: pam_unix(crond:session): session closed for user %{username}", processor_chain([ - dup27, - dup22, - dup23, - dup24, - ])); - - var msg20 = msg("CROND:02", part34); - - var select11 = linear_select([ - msg19, - msg20, - ]); - - var part35 = match("MESSAGE#19:crond:01", "nwparser.payload", 
"%{process}[%{process_id}]: pam_unix(crond:session): session opened for user %{username->} by (uid=%{uid})", processor_chain([ - dup28, - dup22, - dup23, - dup24, - ])); - - var msg21 = msg("crond:01", part35); - - var part36 = match("MESSAGE#21:dcd", "nwparser.payload", "%{process}[%{process_id}]: %{result->} Setting ignored, %{info}", processor_chain([ - dup21, - dup22, - setc("event_description","Setting ignored"), - dup23, - ])); - - var msg22 = msg("dcd", part36); - - var part37 = match("MESSAGE#22:EVENT/0", "nwparser.payload", "%{process}[%{process_id}]: EVENT %{event_type->} %{interface->} index %{resultcode->} %{p0}"); - - var part38 = match("MESSAGE#22:EVENT/1_0", "nwparser.p0", "%{saddr->} -> %{daddr->} \u003c\u003c%{p0}"); - - var part39 = match("MESSAGE#22:EVENT/1_1", "nwparser.p0", "\u003c\u003c%{p0}"); - - var select12 = linear_select([ - part38, - part39, - ]); - - var part40 = match("MESSAGE#22:EVENT/2", "nwparser.p0", ">%{result}"); - - var all10 = all_match({ - processors: [ - part37, - select12, - part40, - ], - on_success: processor_chain([ - dup21, - dup22, - setc("event_description","EVENT"), - dup23, - ]), - }); - - var msg23 = msg("EVENT", all10); - - var part41 = match("MESSAGE#23:ftpd", "nwparser.payload", "%{process}[%{process_id}]: connection from %{saddr->} (%{shost})", processor_chain([ - setc("eventcategory","1802000000"), - dup22, - setc("event_description","ftpd connection"), - dup23, - ])); - - var msg24 = msg("ftpd", part41); - - var part42 = match("MESSAGE#24:ha_rto_stats_handler", "nwparser.payload", "%{hostname->} %{node}ha_rto_stats_handler:%{fld12}", processor_chain([ - dup29, - dup23, - dup22, - ])); - - var msg25 = msg("ha_rto_stats_handler", part42); - - var part43 = match("MESSAGE#25:hostinit", "nwparser.payload", "%{process}: %{obj_name->} -- LDAP Connection not bound correctly. 
%{info}", processor_chain([ - dup21, - dup22, - setc("event_description","LDAP Connection not bound correctly"), - dup23, - ])); - - var msg26 = msg("hostinit", part43); - - var part44 = match("MESSAGE#26:ifinfo", "nwparser.payload", "%{process}: %{service}: PIC_INFO debug> Added entry - %{info}", processor_chain([ - dup21, - dup22, - setc("event_description","PIC_INFO debug - Added entry"), - dup23, - ])); - - var msg27 = msg("ifinfo", part44); - - var part45 = match("MESSAGE#27:ifinfo:01", "nwparser.payload", "%{process}: %{service}: PIC_INFO debug> Initializing spu listtype %{resultcode}", processor_chain([ - dup21, - dup22, - setc("event_description","PIC_INFO debug Initializing spu"), - dup23, - ])); - - var msg28 = msg("ifinfo:01", part45); - - var part46 = match("MESSAGE#28:ifinfo:02", "nwparser.payload", "%{process}: %{service}: PIC_INFO debug> %{info}", processor_chain([ - dup21, - dup22, - setc("event_description","PIC_INFO debug delete from list"), - dup23, - ])); - - var msg29 = msg("ifinfo:02", part46); - - var select13 = linear_select([ - msg27, - msg28, - msg29, - ]); - - var part47 = match("MESSAGE#29:ifp_ifl_anydown_change_event", "nwparser.payload", "%{node->} %{action}> %{process}: IFL anydown change event: \"%{event_type}\"", processor_chain([ - dup21, - dup22, - setc("event_description","IFL anydown change event"), - dup23, - ])); - - var msg30 = msg("ifp_ifl_anydown_change_event", part47); - - var part48 = match("MESSAGE#30:ifp_ifl_config_event", "nwparser.payload", "%{node->} %{action}> %{process}: IFL config: \"%(unknown)\"", processor_chain([ - dup21, - dup22, - setc("event_description","ifp ifl config_event"), - dup23, - ])); - - var msg31 = msg("ifp_ifl_config_event", part48); - - var part49 = match("MESSAGE#31:ifp_ifl_ext_chg", "nwparser.payload", "%{node->} %{process}: ifp ext piid %{parent_pid->} zone_id %{zone}", processor_chain([ - dup21, - dup22, - setc("event_description","ifp_ifl_ext_chg"), - dup23, - ])); - - var msg32 = 
msg("ifp_ifl_ext_chg", part49); - - var part50 = match("MESSAGE#32:inetd", "nwparser.payload", "%{process}[%{process_id}]: %{protocol->} from %{saddr->} exceeded counts/min (%{result})", processor_chain([ - dup30, - dup22, - setc("event_description","connection exceeded count limit"), - dup23, - ])); - - var msg33 = msg("inetd", part50); - - var part51 = match("MESSAGE#33:inetd:01", "nwparser.payload", "%{process}[%{process_id}]: %{agent}[%{id}]: exited, status %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","exited"), - dup23, - ])); - - var msg34 = msg("inetd:01", part51); - - var select14 = linear_select([ - msg33, - msg34, - ]); - - var part52 = match("MESSAGE#34:init:04", "nwparser.payload", "%{process}: %{event_type->} current_mode=%{protocol}, requested_mode=%{result}, cmd=%{action}", processor_chain([ - dup21, - dup22, - dup31, - dup23, - ])); - - var msg35 = msg("init:04", part52); - - var part53 = match("MESSAGE#35:init", "nwparser.payload", "%{process}: %{event_type->} mode=%{protocol->} cmd=%{action->} master_mode=%{result}", processor_chain([ - dup21, - dup22, - dup31, - dup23, - ])); - - var msg36 = msg("init", part53); - - var part54 = match("MESSAGE#36:init:01", "nwparser.payload", "%{process}: failure target for routing set to %{result}", processor_chain([ - dup21, - dup22, - setc("event_description","failure target for routing set"), - dup23, - ])); - - var msg37 = msg("init:01", part54); - - var part55 = match("MESSAGE#37:init:02", "nwparser.payload", "%{process}: ntp (PID %{child_pid}) started", processor_chain([ - dup21, - dup22, - setc("event_description","ntp started"), - dup23, - ])); - - var msg38 = msg("init:02", part55); - - var part56 = match("MESSAGE#38:init:03", "nwparser.payload", "%{process}: product mask %{info->} model %{dclass_counter1}", processor_chain([ - dup21, - dup22, - setc("event_description","product mask and model info"), - dup23, - ])); - - var msg39 = msg("init:03", part56); - - var select15 
= linear_select([ - msg35, - msg36, - msg37, - msg38, - msg39, - ]); - - var part57 = match("MESSAGE#39:ipc_msg_write", "nwparser.payload", "%{node->} %{process}: IPC message type: %{event_type}, subtype: %{resultcode->} exceeds MTU, mtu %{dclass_counter1}, length %{dclass_counter2}", processor_chain([ - dup30, - dup22, - setc("event_description","IPC message exceeds MTU"), - dup23, - ])); - - var msg40 = msg("ipc_msg_write", part57); - - var part58 = match("MESSAGE#40:connection_established", "nwparser.payload", "%{process}: %{service}: conn established: listener idx=%{dclass_counter1->} tnpaddr=%{dclass_counter2}", processor_chain([ - dup28, - dup22, - setc("event_description","listener connection established"), - dup23, - ])); - - var msg41 = msg("connection_established", part58); - - var part59 = match("MESSAGE#41:connection_dropped/0", "nwparser.payload", "%{process}: %{p0}"); - - var part60 = match("MESSAGE#41:connection_dropped/1_0", "nwparser.p0", "%{result}, connection dropped - src %{saddr}:%{sport->} dest %{daddr}:%{dport}"); - - var part61 = match("MESSAGE#41:connection_dropped/1_1", "nwparser.p0", "%{result}: conn dropped: listener idx=%{dclass_counter1->} tnpaddr=%{dclass_counter2}"); - - var select16 = linear_select([ - part60, - part61, - ]); - - var all11 = all_match({ - processors: [ - part59, - select16, - ], - on_success: processor_chain([ - dup27, - dup22, - setc("event_description","connection dropped"), - dup23, - ]), - }); - - var msg42 = msg("connection_dropped", all11); - - var part62 = match("MESSAGE#42:kernel", "nwparser.payload", "%{process}: %{interface}: Asserting SONET alarm(s) %{info}", processor_chain([ - dup21, - dup22, - setc("event_description","Asserting SONET alarm(s)"), - dup23, - ])); - - var msg43 = msg("kernel", part62); - - var part63 = match("MESSAGE#43:kernel:01", "nwparser.payload", "%{process}: %{interface->} down: %{result}.", processor_chain([ - dup21, - dup22, - setc("event_description","interface down"), - dup23, 
- ])); - - var msg44 = msg("kernel:01", part63); - - var part64 = match("MESSAGE#44:kernel:02", "nwparser.payload", "%{process}: %{interface}: loopback suspected; %{result}", processor_chain([ - dup21, - dup22, - setc("event_description","loopback suspected om interface"), - dup23, - ])); - - var msg45 = msg("kernel:02", part64); - - var part65 = match("MESSAGE#45:kernel:03", "nwparser.payload", "%{process}: %{service}: soreceive() error %{resultcode}", processor_chain([ - dup30, - dup22, - setc("event_description","soreceive error"), - dup23, - ])); - - var msg46 = msg("kernel:03", part65); - - var part66 = match("MESSAGE#46:kernel:04", "nwparser.payload", "%{process}: %{service->} !VALID(state 4)->%{result}", processor_chain([ - dup21, - dup22, - setc("event_description","pfe_peer_alloc state 4"), - dup23, - ])); - - var msg47 = msg("kernel:04", part66); - - var part67 = match("MESSAGE#47:kernel:05", "nwparser.payload", "%{fld1->} %{hostip->} (%{fld2}) %{fld3->} %{process}[%{process_id}]: NTP Server %{result}", processor_chain([ - dup21, - dup22, - dup32, - dup23, - ])); - - var msg48 = msg("kernel:05", part67); - - var part68 = match("MESSAGE#48:kernel:06", "nwparser.payload", "%{fld1->} %{hostip->} %{process}[%{process_id}]: NTP Server %{result}", processor_chain([ - dup21, - dup22, - dup32, - dup23, - ])); - - var msg49 = msg("kernel:06", part68); - - var select17 = linear_select([ - msg41, - msg42, - msg43, - msg44, - msg45, - msg46, - msg47, - msg48, - msg49, - ]); - - var part69 = match("MESSAGE#49:successful_login", "nwparser.payload", "%{process}: login from %{saddr->} on %{interface->} as %{username}", processor_chain([ - dup33, - dup34, - dup35, - dup36, - dup37, - dup22, - setc("event_description","successful user login"), - dup23, - ])); - - var msg50 = msg("successful_login", part69); - - var part70 = match("MESSAGE#50:login_attempt", "nwparser.payload", "%{process}: Login attempt for user %{username->} from host %{hostip}", processor_chain([ - 
dup33, - dup34, - dup35, - dup36, - dup22, - setc("event_description","user login attempt"), - dup23, - ])); - - var msg51 = msg("login_attempt", part70); - - var part71 = match("MESSAGE#51:login", "nwparser.payload", "%{process}: PAM module %{dclass_counter1->} returned: %{space}[%{resultcode}]%{result}", processor_chain([ - dup33, - dup34, - dup37, - dup22, - setc("event_description","PAM module return from login"), - dup23, - ])); - - var msg52 = msg("login", part71); - - var select18 = linear_select([ - msg50, - msg51, - msg52, - ]); - - var part72 = match("MESSAGE#52:lsys_ssam_handler", "nwparser.payload", "%{node->} %{process}: processing lsys root-logical-system %{info}", processor_chain([ - dup21, - dup22, - setc("event_description","processing lsys root-logical-system"), - dup23, - ])); - - var msg53 = msg("lsys_ssam_handler", part72); - - var part73 = match("MESSAGE#53:mcsn", "nwparser.payload", "%{process}[%{process_id}]: Removing mif from group [%{group}] %{space->} %{result}", processor_chain([ - dup21, - dup22, - setc("event_description","Removing mif from group"), - dup23, - ])); - - var msg54 = msg("mcsn", part73); - - var part74 = match("MESSAGE#54:mrvl_dfw_log_effuse_status", "nwparser.payload", "%{process}: Firewall rows could not be redirected on device %{device}.", processor_chain([ - dup30, - dup22, - setc("event_description","Firewall rows could not be redirected on device"), - dup23, - ])); - - var msg55 = msg("mrvl_dfw_log_effuse_status", part74); - - var part75 = match("MESSAGE#55:MRVL-L2", "nwparser.payload", "%{process}:%{action}(),%{process_id}:MFilter (%{filter}) already exists", processor_chain([ - dup30, - dup22, - setc("event_description","mfilter already exists for add"), - dup23, - ])); - - var msg56 = msg("MRVL-L2", part75); - - var part76 = match("MESSAGE#56:profile_ssam_handler", "nwparser.payload", "%{node->} %{process}: processing profile SP-root %{info}", processor_chain([ - dup21, - dup22, - 
setc("event_description","processing profile SP-root"), - dup23, - ])); - - var msg57 = msg("profile_ssam_handler", part76); - - var part77 = match("MESSAGE#57:pst_nat_binding_set_profile", "nwparser.payload", "%{node->} %{process}: %{event_source}: can't get resource bucket %{dclass_counter1}", processor_chain([ - dup30, - dup22, - setc("event_description","can't get resource bucket"), - dup23, - ])); - - var msg58 = msg("pst_nat_binding_set_profile", part77); - - var part78 = match("MESSAGE#58:task_reconfigure", "nwparser.payload", "%{process}[%{process_id}]: task_reconfigure %{action}", processor_chain([ - dup21, - dup22, - setc("event_description","reinitializing done"), - dup23, - ])); - - var msg59 = msg("task_reconfigure", part78); - - var part79 = match("MESSAGE#59:tnetd/0_0", "nwparser.payload", "%{process}[%{process_id}]:%{service}[%{fld1}]: exit status%{resultcode}"); - - var part80 = match_copy("MESSAGE#59:tnetd/0_1", "nwparser.payload", "fld3"); - - var select19 = linear_select([ - part79, - part80, - ]); - - var all12 = all_match({ - processors: [ - select19, - ], - on_success: processor_chain([ - dup21, - dup22, - dup23, - dup24, - ]), - }); - - var msg60 = msg("tnetd", all12); - - var part81 = match("MESSAGE#60:PFEMAN", "nwparser.payload", "%{process}: Session manager active", processor_chain([ - dup21, - dup22, - setc("event_description","Session manager active"), - dup23, - ])); - - var msg61 = msg("PFEMAN", part81); - - var part82 = match("MESSAGE#61:mgd", "nwparser.payload", "%{process}[%{process_id}]: Could not send message to %{service}", processor_chain([ - dup30, - dup22, - setc("event_description","Could not send message to service"), - dup23, - ])); - - var msg62 = msg("mgd", part82); - - var part83 = match("MESSAGE#62:Resolve", "nwparser.payload", "Resolve request came for an address matching on Wrong nh nh:%{result}, %{info}", processor_chain([ - dup21, - dup22, - setc("event_description","Resolve request came for an address matching on 
Wrong nh"), - dup23, - ])); - - var msg63 = msg("Resolve", part83); - - var part84 = match("MESSAGE#63:respawn", "nwparser.payload", "%{process}: %{service->} exited with status = %{resultcode}", processor_chain([ - dup21, - dup22, - setc("event_description","service exited with status"), - dup23, - ])); - - var msg64 = msg("respawn", part84); - - var part85 = match("MESSAGE#64:root", "nwparser.payload", "%{process}: %{node}: This system does not have 3-DNS or Link Controller enabled", processor_chain([ - dup30, - dup22, - setc("event_description","system does not have 3-DNS or Link Controller enabled"), - dup23, - ])); - - var msg65 = msg("root", part85); - - var part86 = match("MESSAGE#65:rpd", "nwparser.payload", "%{process}[%{process_id}]: Received %{result->} for intf device %{interface}; mc_ae_id %{dclass_counter1}, status %{resultcode}", processor_chain([ - dup21, - dup22, - setc("event_description","Received data for interface"), - dup23, - ])); - - var msg66 = msg("rpd", part86); - - var part87 = match("MESSAGE#66:rpd:01", "nwparser.payload", "%{process}[%{process_id}]: RSVP neighbor %{daddr->} up on interface %{interface}", processor_chain([ - dup21, - dup22, - setc("event_description","RSVP neighbor up on interface "), - dup23, - ])); - - var msg67 = msg("rpd:01", part87); - - var part88 = match("MESSAGE#67:rpd:02", "nwparser.payload", "%{process}[%{process_id}]: %{saddr->} (%{shost}): reseting pending active connection", processor_chain([ - dup21, - dup22, - setc("event_description","reseting pending active connection"), - dup23, - ])); - - var msg68 = msg("rpd:02", part88); - - var part89 = match("MESSAGE#68:rpd_proceeding", "nwparser.payload", "%{process}: proceeding. 
%{param}", processor_chain([ - dup21, - dup22, - dup38, - dup23, - ])); - - var msg69 = msg("rpd_proceeding", part89); - - var select20 = linear_select([ - msg66, - msg67, - msg68, - msg69, - ]); - - var part90 = match("MESSAGE#69:rshd", "nwparser.payload", "%{process}[%{process_id}]: %{username->} as root: cmd='%{action}'", processor_chain([ - dup21, - dup22, - setc("event_description","user issuing command as root"), - dup23, - ])); - - var msg70 = msg("rshd", part90); - - var part91 = match("MESSAGE#70:sfd", "nwparser.payload", "%{process}: Waiting on accept", processor_chain([ - dup21, - dup22, - setc("event_description","sfd waiting on accept"), - dup23, - ])); - - var msg71 = msg("sfd", part91); - - var part92 = match("MESSAGE#71:sshd", "nwparser.payload", "%{process}[%{process_id}]: Accepted password for %{username->} from %{saddr->} port %{sport->} %{protocol}", processor_chain([ - dup33, - dup34, - dup35, - dup36, - dup37, - dup22, - setc("event_description","Accepted password"), - dup23, - ])); - - var msg72 = msg("sshd", part92); - - var part93 = match("MESSAGE#73:sshd:02", "nwparser.payload", "%{process}[%{process_id}]: Received disconnect from %{shost}: %{fld1}: %{result}", processor_chain([ - dup27, - dup22, - setc("event_description","Received disconnect"), - dup23, - ])); - - var msg73 = msg("sshd:02", part93); - - var part94 = match("MESSAGE#74:sshd:03", "nwparser.payload", "%{process}[%{process_id}]: Did not receive identification string from %{saddr}", processor_chain([ - dup30, - dup22, - setc("result","no identification string"), - setc("event_description","Did not receive identification string from peer"), - dup23, - ])); - - var msg74 = msg("sshd:03", part94); - - var part95 = match("MESSAGE#75:sshd:04", "nwparser.payload", "%{process}[%{process_id}]: Could not write ident string to %{dhost}", processor_chain([ - dup30, - dup22, - setc("event_description","Could not write ident string"), - dup23, - ])); - - var msg75 = msg("sshd:04", part95); 
- - var part96 = match("MESSAGE#76:sshd:05", "nwparser.payload", "%{process}[%{process_id}]: subsystem request for netconf", processor_chain([ - dup21, - dup22, - setc("event_description","subsystem request for netconf"), - dup23, - ])); - - var msg76 = msg("sshd:05", part96); - - var part97 = match("MESSAGE#77:sshd:06/2", "nwparser.p0", "sendmsg to %{saddr}(%{shost}).%{sport}: %{info}"); - - var all13 = all_match({ - processors: [ - dup39, - dup137, - part97, - ], - on_success: processor_chain([ - dup29, - dup22, - setc("event_description","send message stats"), - dup23, - ]), - }); - - var msg77 = msg("sshd:06", all13); - - var part98 = match("MESSAGE#78:sshd:07/2", "nwparser.p0", "Added radius server %{saddr}(%{shost})"); - - var all14 = all_match({ - processors: [ - dup39, - dup137, - part98, - ], - on_success: processor_chain([ - dup42, - setc("ec_theme","Configuration"), - setc("ec_activity","Modify"), - dup37, - dup22, - setc("event_description","Added radius server"), - dup23, - ]), - }); - - var msg78 = msg("sshd:07", all14); - - var part99 = match("MESSAGE#79:sshd:08", "nwparser.payload", "%{process}[%{process_id}]: %{result}: %{space->} [%{resultcode}]authentication error", processor_chain([ - setc("eventcategory","1301020000"), - dup34, - dup43, - dup22, - setc("event_description","authentication error"), - dup23, - ])); - - var msg79 = msg("sshd:08", part99); - - var part100 = match("MESSAGE#80:sshd:09", "nwparser.payload", "%{process}[%{process_id}]: unrecognized attribute in %{policyname}: %{change_attribute}", processor_chain([ - dup30, - dup22, - setc("event_description","unrecognized attribute in policy"), - dup23, - ])); - - var msg80 = msg("sshd:09", part100); - - var part101 = match("MESSAGE#81:sshd:10", "nwparser.payload", "%{process}: PAM module %{dclass_counter1->} returned: %{space}[%{resultcode}]%{result}", processor_chain([ - dup44, - dup34, - dup43, - dup22, - setc("event_description","PAM module return from sshd"), - dup23, - ])); - - 
var msg81 = msg("sshd:10", part101); - - var part102 = match("MESSAGE#82:sshd:11", "nwparser.payload", "%{process}: PAM authentication chain returned: %{space}[%{resultcode}]%{result}", processor_chain([ - dup44, - dup34, - dup43, - dup22, - setc("event_description","PAM authentication chain return"), - dup23, - ])); - - var msg82 = msg("sshd:11", part102); - - var part103 = match("MESSAGE#83:sshd:12", "nwparser.payload", "%{process}: %{severity}: can't get client address: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","can't get client address"), - dup23, - ])); - - var msg83 = msg("sshd:12", part103); - - var part104 = match("MESSAGE#84:sshd:13", "nwparser.payload", "%{process}: auth server unresponsive", processor_chain([ - dup30, - dup22, - setc("event_description","auth server unresponsive"), - dup23, - ])); - - var msg84 = msg("sshd:13", part104); - - var part105 = match("MESSAGE#85:sshd:14", "nwparser.payload", "%{process}: %{service}: No valid RADIUS responses received", processor_chain([ - dup30, - dup22, - setc("event_description","No valid RADIUS responses received"), - dup23, - ])); - - var msg85 = msg("sshd:14", part105); - - var part106 = match("MESSAGE#86:sshd:15", "nwparser.payload", "%{process}: Moving to next server: %{saddr}(%{shost}).%{sport}", processor_chain([ - dup21, - dup22, - setc("event_description","Moving to next server"), - dup23, - ])); - - var msg86 = msg("sshd:15", part106); - - var part107 = match("MESSAGE#87:sshd:16", "nwparser.payload", "%{fld1->} sshd: SSHD_LOGIN_FAILED: Login failed for user '%{username}' from host '%{hostip}'.", processor_chain([ - dup44, - dup34, - dup43, - dup22, - setc("event_description","Login failed for user"), - dup23, - ])); - - var msg87 = msg("sshd:16", part107); - - var select21 = linear_select([ - msg72, - msg73, - msg74, - msg75, - msg76, - msg77, - msg78, - msg79, - msg80, - msg81, - msg82, - msg83, - msg84, - msg85, - msg86, - msg87, - ]); - - var part108 = 
match("MESSAGE#72:Failed:05/0", "nwparser.payload", "%{process}[%{process_id}]: Failed password for %{p0}"); - - var part109 = match("MESSAGE#72:Failed:05/1_0", "nwparser.p0", "illegal user %{p0}"); - - var part110 = match("MESSAGE#72:Failed:05/1_1", "nwparser.p0", "invalid user %{p0}"); - - var select22 = linear_select([ - part109, - part110, - dup45, - ]); - - var part111 = match("MESSAGE#72:Failed:05/2", "nwparser.p0", "%{username->} from %{saddr->} port %{sport->} %{protocol}"); - - var all15 = all_match({ - processors: [ - part108, - select22, - part111, - ], - on_success: processor_chain([ - dup44, - dup34, - dup35, - dup36, - dup43, - dup22, - setc("event_description","authentication failure"), - dup23, - ]), - }); - - var msg88 = msg("Failed:05", all15); - - var part112 = match("MESSAGE#746:Failed/0", "nwparser.payload", "%{hostname->} %{process}[%{process_id}]: Failed to resolve ipv%{p0}"); - - var part113 = match("MESSAGE#746:Failed/1_0", "nwparser.p0", "4%{p0}"); - - var part114 = match("MESSAGE#746:Failed/1_1", "nwparser.p0", "6%{p0}"); - - var select23 = linear_select([ - part113, - part114, - ]); - - var part115 = match("MESSAGE#746:Failed/2", "nwparser.p0", "%{}addresses for domain name %{sdomain}"); - - var all16 = all_match({ - processors: [ - part112, - select23, - part115, - ], - on_success: processor_chain([ - dup46, - dup47, - dup23, - dup22, - ]), - }); - - var msg89 = msg("Failed", all16); - - var part116 = match("MESSAGE#767:Failed:01", "nwparser.payload", "%{hostname->} %{process}[%{process_id}]: %{fld1}", processor_chain([ - dup46, - dup23, - dup22, - ])); - - var msg90 = msg("Failed:01", part116); - - var part117 = match("MESSAGE#768:Failed:02/0_0", "nwparser.payload", "%{fld1->} to create a route if table for Multiservice"); - - var part118 = match_copy("MESSAGE#768:Failed:02/0_1", "nwparser.payload", "fld10"); - - var select24 = linear_select([ - part117, - part118, - ]); - - var all17 = all_match({ - processors: [ - select24, - ], - 
on_success: processor_chain([ - dup46, - dup23, - dup22, - setf("hostname","hfld1"), - ]), - }); - - var msg91 = msg("Failed:02", all17); - - var select25 = linear_select([ - msg88, - msg89, - msg90, - msg91, - ]); - - var part119 = match("MESSAGE#88:syslogd", "nwparser.payload", "%{process}: restart", processor_chain([ - dup21, - dup22, - setc("event_description","syslog daemon restart"), - dup23, - ])); - - var msg92 = msg("syslogd", part119); - - var part120 = match("MESSAGE#89:ucd-snmp", "nwparser.payload", "%{process}[%{process_id}]: AUDIT -- Action %{action->} User: %{username}", processor_chain([ - dup21, - dup22, - dup25, - dup23, - ])); - - var msg93 = msg("ucd-snmp", part120); - - var part121 = match("MESSAGE#90:ucd-snmp:01", "nwparser.payload", "%{process}[%{process_id}]: Received TERM or STOP signal %{space->} %{result}.", processor_chain([ - dup21, - dup22, - setc("event_description","Received TERM or STOP signal"), - dup23, - ])); - - var msg94 = msg("ucd-snmp:01", part121); - - var select26 = linear_select([ - msg93, - msg94, - ]); - - var part122 = match("MESSAGE#91:usp_ipc_client_reconnect", "nwparser.payload", "%{node->} %{process}: failed to connect to the server: %{result->} (%{resultcode})", processor_chain([ - dup27, - dup22, - setc("event_description","failed to connect to the server"), - dup23, - ])); - - var msg95 = msg("usp_ipc_client_reconnect", part122); - - var part123 = match("MESSAGE#92:usp_trace_ipc_disconnect", "nwparser.payload", "%{node->} %{process}:Trace client disconnected. 
%{result}", processor_chain([ - dup27, - dup22, - setc("event_description","Trace client disconnected"), - dup23, - ])); - - var msg96 = msg("usp_trace_ipc_disconnect", part123); - - var part124 = match("MESSAGE#93:usp_trace_ipc_reconnect", "nwparser.payload", "%{node->} %{process}:USP trace client cannot reconnect to server", processor_chain([ - dup30, - dup22, - setc("event_description","USP trace client cannot reconnect to server"), - dup23, - ])); - - var msg97 = msg("usp_trace_ipc_reconnect", part124); - - var part125 = match("MESSAGE#94:uspinfo", "nwparser.payload", "%{process}: flow_print_session_summary_output received %{info}", processor_chain([ - dup21, - dup22, - setc("event_description","flow_print_session_summary_output received"), - dup23, - ])); - - var msg98 = msg("uspinfo", part125); - - var part126 = match("MESSAGE#95:Version", "nwparser.payload", "Version %{version->} by builder on %{event_time_string}", processor_chain([ - dup21, - dup22, - setc("event_description","Version build date"), - dup23, - ])); - - var msg99 = msg("Version", part126); - - var part127 = match("MESSAGE#96:xntpd", "nwparser.payload", "%{process}[%{process_id}]: frequency initialized %{result->} from %(unknown)", processor_chain([ - dup21, - dup22, - setc("event_description","frequency initialized from file"), - dup23, - ])); - - var msg100 = msg("xntpd", part127); - - var part128 = match("MESSAGE#97:xntpd:01", "nwparser.payload", "%{process}[%{process_id}]: ntpd %{version->} %{event_time_string->} (%{resultcode})", processor_chain([ - dup21, - dup22, - setc("event_description","nptd version build"), - dup23, - ])); - - var msg101 = msg("xntpd:01", part128); - - var part129 = match("MESSAGE#98:xntpd:02", "nwparser.payload", "%{process}: kernel time sync enabled %{result}", processor_chain([ - dup21, - dup22, - setc("event_description","kernel time sync enabled"), - dup23, - ])); - - var msg102 = msg("xntpd:02", part129); - - var part130 = match("MESSAGE#99:xntpd:03", 
"nwparser.payload", "%{process}[%{process_id}]: NTP Server %{result}", processor_chain([ - dup21, - dup22, - dup32, - dup23, - ])); - - var msg103 = msg("xntpd:03", part130); - - var select27 = linear_select([ - msg100, - msg101, - msg102, - msg103, - ]); - - var part131 = match("MESSAGE#100:last", "nwparser.payload", "last message repeated %{dclass_counter1->} times", processor_chain([ - dup21, - dup22, - setc("event_description","last message repeated"), - dup23, - ])); - - var msg104 = msg("last", part131); - - var part132 = match("MESSAGE#739:last:01", "nwparser.payload", "message repeated %{dclass_counter1->} times", processor_chain([ - dup48, - dup47, - dup23, - dup22, - dup24, - ])); - - var msg105 = msg("last:01", part132); - - var select28 = linear_select([ - msg104, - msg105, - ]); - - var part133 = match("MESSAGE#101:BCHIP", "nwparser.payload", "%{process->} %{device}: cannot write ucode mask reg", processor_chain([ - dup30, - dup22, - setc("event_description","cannot write ucode mask reg"), - dup23, - ])); - - var msg106 = msg("BCHIP", part133); - - var part134 = match("MESSAGE#102:CM", "nwparser.payload", "%{process}(%{fld1}): Slot %{device}: On-line", processor_chain([ - dup21, - dup22, - setc("event_description","Slot on-line"), - dup23, - ])); - - var msg107 = msg("CM", part134); - - var part135 = match("MESSAGE#103:COS", "nwparser.payload", "%{process}: Received FC->Q map, %{info}", processor_chain([ - dup21, - dup22, - setc("event_description","Received FC Q map"), - dup23, - ])); - - var msg108 = msg("COS", part135); - - var part136 = match("MESSAGE#104:COSFPC", "nwparser.payload", "%{process}: ifd %{resultcode}: %{result}", processor_chain([ - dup21, - dup22, - setc("event_description","ifd error"), - dup23, - ])); - - var msg109 = msg("COSFPC", part136); - - var part137 = match("MESSAGE#105:COSMAN", "nwparser.payload", "%{process}: %{service}: delete class_to_ifl table %{dclass_counter1}, ifl %{dclass_counter2}", processor_chain([ - dup21, - 
dup22, - setc("event_description","delete class to ifl link"), - dup23, - ])); - - var msg110 = msg("COSMAN", part137); - - var part138 = match("MESSAGE#106:RDP", "nwparser.payload", "%{process}: Keepalive timeout for rdp.(%{interface}).(%{device}) (%{result})", processor_chain([ - dup30, - dup22, - setc("event_description","Keepalive timeout"), - dup23, - ])); - - var msg111 = msg("RDP", part138); - - var part139 = match("MESSAGE#107:SNTPD", "nwparser.payload", "%{process}: Initial time of day set", processor_chain([ - dup30, - dup22, - setc("event_description","Initial time of day set"), - dup23, - ])); - - var msg112 = msg("SNTPD", part139); - - var part140 = match("MESSAGE#108:SSB", "nwparser.payload", "%{process}(%{fld1}): Slot %{device}, serial number S/N %{serial_number}.", processor_chain([ - dup21, - dup22, - setc("event_description","Slot serial number"), - dup23, - ])); - - var msg113 = msg("SSB", part140); - - var part141 = match("MESSAGE#109:ACCT_ACCOUNTING_FERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unexpected error %{result->} from file %(unknown)", processor_chain([ - dup30, - dup22, - setc("event_description","Unexpected error"), - dup23, - ])); - - var msg114 = msg("ACCT_ACCOUNTING_FERROR", part141); - - var part142 = match("MESSAGE#110:ACCT_ACCOUNTING_FOPEN_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Failed to open file %(unknown): %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Failed to open file"), - dup23, - ])); - - var msg115 = msg("ACCT_ACCOUNTING_FOPEN_ERROR", part142); - - var part143 = match("MESSAGE#111:ACCT_ACCOUNTING_SMALL_FILE_SIZE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: File %{filename->} size (%{dclass_counter1}) is smaller than record size (%{dclass_counter2})", processor_chain([ - dup49, - dup22, - setc("event_description","File size mismatch"), - dup23, - ])); - - var msg116 = msg("ACCT_ACCOUNTING_SMALL_FILE_SIZE", 
part143); - - var part144 = match("MESSAGE#112:ACCT_BAD_RECORD_FORMAT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Invalid statistics record: %{result}", processor_chain([ - dup49, - dup22, - setc("event_description","Invalid statistics record"), - dup23, - ])); - - var msg117 = msg("ACCT_BAD_RECORD_FORMAT", part144); - - var part145 = match("MESSAGE#113:ACCT_CU_RTSLIB_error", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{filename->} getting class usage statistics for interface %{interface}: %{result}", processor_chain([ - dup49, - dup22, - setc("event_description","Class usage statistics error for interface"), - dup23, - ])); - - var msg118 = msg("ACCT_CU_RTSLIB_error", part145); - - var part146 = match("MESSAGE#114:ACCT_GETHOSTNAME_error/1_0", "nwparser.p0", "Error %{resultcode->} trying %{p0}"); - - var part147 = match("MESSAGE#114:ACCT_GETHOSTNAME_error/1_1", "nwparser.p0", "trying %{p0}"); - - var select29 = linear_select([ - part146, - part147, - ]); - - var part148 = match("MESSAGE#114:ACCT_GETHOSTNAME_error/2", "nwparser.p0", "to get hostname%{}"); - - var all18 = all_match({ - processors: [ - dup50, - select29, - part148, - ], - on_success: processor_chain([ - dup49, - dup22, - setc("event_description","error trying to get hostname"), - dup23, - ]), - }); - - var msg119 = msg("ACCT_GETHOSTNAME_error", all18); - - var part149 = match("MESSAGE#115:ACCT_MALLOC_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Memory allocation failed while reallocating %{obj_name}", processor_chain([ - dup51, - dup22, - setc("event_description","Memory allocation failure"), - dup23, - ])); - - var msg120 = msg("ACCT_MALLOC_FAILURE", part149); - - var part150 = match("MESSAGE#116:ACCT_UNDEFINED_COUNTER_NAME", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{filename->} in accounting profile %{dclass_counter1->} is not defined in a firewall using this filter profile", processor_chain([ - dup30, - 
dup22, - setc("event_description","Accounting profile counter not defined in firewall"), - dup23, - ])); - - var msg121 = msg("ACCT_UNDEFINED_COUNTER_NAME", part150); - - var part151 = match("MESSAGE#117:ACCT_XFER_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type->} %{result}: %{disposition}", processor_chain([ - dup30, - dup22, - setc("event_description","ACCT_XFER_FAILED"), - dup23, - ])); - - var msg122 = msg("ACCT_XFER_FAILED", part151); - - var part152 = match("MESSAGE#118:ACCT_XFER_POPEN_FAIL", "nwparser.payload", "%{process}[%{process_id}]: %{event_type->} %{result}: in invoking command command to transfer file %(unknown)", processor_chain([ - dup30, - dup22, - setc("event_description","POPEN FAIL invoking command command to transfer file"), - dup23, - ])); - - var msg123 = msg("ACCT_XFER_POPEN_FAIL", part152); - - var part153 = match("MESSAGE#119:APPQOS_LOG_EVENT", "nwparser.payload", "%{event_type->} [junos@%{obj_name->} timestamp=\"%{result}\" message-type=\"%{info}\" source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" protocol-name=\"%{protocol}\" application-name=\"%{application}\" rule-set-name=\"%{rule_group}\" rule-name=\"%{rulename}\" action=\"%{action}\" argument=\"%{fld2}\" argument1=\"%{fld3}\"]", processor_chain([ - dup28, - dup22, - dup52, - ])); - - var msg124 = msg("APPQOS_LOG_EVENT", part153); - - var part154 = match("MESSAGE#120:APPTRACK_SESSION_CREATE", "nwparser.payload", "%{event_type}: AppTrack session created %{saddr}/%{sport}->%{daddr}/%{dport->} %{service->} %{protocol->} %{fld11->} %{hostip}/%{network_port}->%{dtransaddr}/%{dtransport->} %{rulename->} %{rule_template->} %{fld12->} %{policyname->} %{src_zone->} %{dst_zone->} %{sessionid->} %{username->} %{fld10}", processor_chain([ - dup28, - dup53, - dup54, - dup22, - setc("result","AppTrack session created"), - dup23, - ])); - - var msg125 = msg("APPTRACK_SESSION_CREATE", part154); - - var part155 
= match("MESSAGE#121:APPTRACK_SESSION_CLOSE", "nwparser.payload", "%{event_type->} [junos@%{obj_name->} reason=\"%{result}\" source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" service-name=\"%{service}\" nat-source-address=\"%{hostip}\" nat-source-port=\"%{network_port}\" nat-destination-address=\"%{dtransaddr}\" nat-destination-port=\"%{dtransport}\" src-nat-rule-name=\"%{rulename}\" dst-nat-rule-name=\"%{rule_template}\" protocol-id=\"%{protocol}\" policy-name=\"%{policyname}\" source-zone-name=\"%{src_zone}\" destination-zone-name=\"%{dst_zone}\" session-id-32=\"%{sessionid}\" packets-from-client=\"%{packets}\" bytes-from-client=\"%{rbytes}\" packets-from-server=\"%{dclass_counter1}\" bytes-from-server=\"%{sbytes}\" elapsed-time=\"%{duration}\"]", processor_chain([ - dup28, - dup53, - dup55, - dup22, - dup52, - ])); - - var msg126 = msg("APPTRACK_SESSION_CLOSE", part155); - - var part156 = match("MESSAGE#122:APPTRACK_SESSION_CLOSE:01", "nwparser.payload", "%{event_type}: %{result}: %{saddr}/%{sport}->%{daddr}/%{dport->} %{service->} %{protocol->} %{fld11->} %{hostip}/%{network_port}->%{dtransaddr}/%{dtransport->} %{rulename->} %{rule_template->} %{fld12->} %{policyname->} %{src_zone->} %{dst_zone->} %{sessionid->} %{packets}(%{rbytes}) %{dclass_counter1}(%{sbytes}) %{duration->} %{username->} %{fld10}", processor_chain([ - dup28, - dup53, - dup55, - dup22, - dup23, - ])); - - var msg127 = msg("APPTRACK_SESSION_CLOSE:01", part156); - - var select30 = linear_select([ - msg126, - msg127, - ]); - - var part157 = match("MESSAGE#123:APPTRACK_SESSION_VOL_UPDATE", "nwparser.payload", "%{event_type->} [junos@%{obj_name->} source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" service-name=\"%{service}\" nat-source-address=\"%{hostip}\" nat-source-port=\"%{network_port}\" nat-destination-address=\"%{dtransaddr}\" 
nat-destination-port=\"%{dtransport}\" src-nat-rule-name=\"%{rulename}\" dst-nat-rule-name=\"%{rule_template}\" protocol-id=\"%{protocol}\" policy-name=\"%{policyname}\" source-zone-name=\"%{src_zone}\" destination-zone-name=\"%{dst_zone}\" session-id-32=\"%{sessionid}\" packets-from-client=\"%{packets}\" bytes-from-client=\"%{rbytes}\" packets-from-server=\"%{dclass_counter1}\" bytes-from-server=\"%{sbytes}\" elapsed-time=\"%{duration}\"]", processor_chain([ - dup28, - dup53, - dup22, - dup52, - ])); - - var msg128 = msg("APPTRACK_SESSION_VOL_UPDATE", part157); - - var part158 = match("MESSAGE#124:APPTRACK_SESSION_VOL_UPDATE:01", "nwparser.payload", "%{event_type}: %{result}: %{saddr}/%{sport}->%{daddr}/%{dport->} %{service->} %{protocol->} %{fld11->} %{hostip}/%{network_port}->%{dtransaddr}/%{dtransport->} %{rulename->} %{rule_template->} %{fld12->} %{policyname->} %{src_zone->} %{dst_zone->} %{sessionid->} %{packets}(%{rbytes}) %{dclass_counter1}(%{sbytes}) %{duration->} %{username->} %{fld10}", processor_chain([ - dup28, - dup53, - dup22, - dup23, - ])); - - var msg129 = msg("APPTRACK_SESSION_VOL_UPDATE:01", part158); - - var select31 = linear_select([ - msg128, - msg129, - ]); - - var msg130 = msg("BFDD_TRAP_STATE_DOWN", dup138); - - var msg131 = msg("BFDD_TRAP_STATE_UP", dup138); - - var part159 = match("MESSAGE#127:bgp_connect_start", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: connect %{saddr->} (%{shost}): %{result}", processor_chain([ - dup21, - dup22, - setc("event_description","bgp connect error"), - dup23, - ])); - - var msg132 = msg("bgp_connect_start", part159); - - var part160 = match("MESSAGE#128:bgp_event", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: peer %{daddr->} (%{dhost}) old state %{change_old->} event %{action->} new state %{change_new}", processor_chain([ - dup21, - dup22, - setc("event_description","bgp peer state change"), - dup23, - ])); - - var msg133 = msg("bgp_event", part160); - - var part161 = 
match("MESSAGE#129:bgp_listen_accept", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Connection attempt from unconfigured neighbor: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Connection attempt from unconfigured neighbor"), - dup23, - ])); - - var msg134 = msg("bgp_listen_accept", part161); - - var part162 = match("MESSAGE#130:bgp_listen_reset", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}", processor_chain([ - dup21, - dup22, - setc("event_description","bgp reset"), - dup23, - ])); - - var msg135 = msg("bgp_listen_reset", part162); - - var part163 = match("MESSAGE#131:bgp_nexthop_sanity", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: peer %{daddr->} (%{dhost}) next hop %{saddr->} local, %{result}", processor_chain([ - dup21, - dup22, - setc("event_description","peer next hop local"), - dup23, - ])); - - var msg136 = msg("bgp_nexthop_sanity", part163); - - var part164 = match("MESSAGE#132:bgp_process_caps", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: NOTIFICATION sent to %{daddr->} (%{dhost}): code %{severity->} (%{action}) subcode %{version->} (%{result}) value %{disposition}", processor_chain([ - dup30, - dup22, - setc("event_description","code RED error NOTIFICATION sent"), - dup23, - ])); - - var msg137 = msg("bgp_process_caps", part164); - - var part165 = match("MESSAGE#133:bgp_process_caps:01", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: mismatch NLRI with %{hostip->} (%{hostname}): peer: %{daddr->} us: %{saddr}", processor_chain([ - dup30, - dup22, - dup57, - dup23, - ])); - - var msg138 = msg("bgp_process_caps:01", part165); - - var select32 = linear_select([ - msg137, - msg138, - ]); - - var part166 = match("MESSAGE#134:bgp_pp_recv", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: dropping %{daddr->} (%{dhost}), %{info->} (%{protocol})", processor_chain([ - dup30, - dup22, - setc("event_description","connection 
collision"), - setc("result","dropping connection to peer"), - dup23, - ])); - - var msg139 = msg("bgp_pp_recv", part166); - - var part167 = match("MESSAGE#135:bgp_pp_recv:01", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: peer %{daddr->} (%{dhost}): received unexpected EOF", processor_chain([ - dup30, - dup22, - setc("event_description","peer received unexpected EOF"), - dup23, - ])); - - var msg140 = msg("bgp_pp_recv:01", part167); - - var select33 = linear_select([ - msg139, - msg140, - ]); - - var part168 = match("MESSAGE#136:bgp_send", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: sending %{sbytes->} bytes to %{daddr->} (%{dhost}) blocked (%{disposition}): %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","bgp send blocked error"), - dup23, - ])); - - var msg141 = msg("bgp_send", part168); - - var part169 = match("MESSAGE#137:bgp_traffic_timeout", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: NOTIFICATION sent to %{daddr->} (%{dhost}): code %{resultcode->} (%{action}), Reason: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","bgp timeout NOTIFICATION sent"), - dup23, - ])); - - var msg142 = msg("bgp_traffic_timeout", part169); - - var part170 = match("MESSAGE#138:BOOTPD_ARG_ERR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Ignoring unknown option %{resultcode}", processor_chain([ - dup30, - dup22, - setc("event_description","boot argument error"), - dup23, - ])); - - var msg143 = msg("BOOTPD_ARG_ERR", part170); - - var part171 = match("MESSAGE#139:BOOTPD_BAD_ID", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unexpected ID %{resultcode}", processor_chain([ - dup30, - dup22, - setc("event_description","boot unexpected Id value"), - dup23, - ])); - - var msg144 = msg("BOOTPD_BAD_ID", part171); - - var part172 = match("MESSAGE#140:BOOTPD_BOOTSTRING", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Boot string: 
%(unknown)", processor_chain([ - dup21, - dup22, - setc("event_description","Invalid boot string"), - dup23, - ])); - - var msg145 = msg("BOOTPD_BOOTSTRING", part172); - - var part173 = match("MESSAGE#141:BOOTPD_CONFIG_ERR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Problems with configuration file '%(unknown)', %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","configuration file error"), - dup23, - ])); - - var msg146 = msg("BOOTPD_CONFIG_ERR", part173); - - var part174 = match("MESSAGE#142:BOOTPD_CONF_OPEN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to open configuration file '%(unknown)'", processor_chain([ - dup30, - dup22, - setc("event_description","Unable to open configuration file"), - dup23, - ])); - - var msg147 = msg("BOOTPD_CONF_OPEN", part174); - - var part175 = match("MESSAGE#143:BOOTPD_DUP_REV", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Duplicate revision: %{version}", processor_chain([ - dup30, - dup22, - setc("event_description","boot - Duplicate revision"), - dup23, - ])); - - var msg148 = msg("BOOTPD_DUP_REV", part175); - - var part176 = match("MESSAGE#144:BOOTPD_DUP_SLOT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Duplicate slot default: %{ssid}", processor_chain([ - dup30, - dup22, - setc("event_description","boot - duplicate slot"), - dup23, - ])); - - var msg149 = msg("BOOTPD_DUP_SLOT", part176); - - var part177 = match("MESSAGE#145:BOOTPD_MODEL_CHK", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unexpected ID %{id->} for model %{dclass_counter1}", processor_chain([ - dup30, - dup22, - setc("event_description","Unexpected ID for model"), - dup23, - ])); - - var msg150 = msg("BOOTPD_MODEL_CHK", part177); - - var part178 = match("MESSAGE#146:BOOTPD_MODEL_ERR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unsupported model %{dclass_counter1}, %{result}", processor_chain([ - dup30, - dup22, - 
setc("event_description","Unsupported model"), - dup23, - ])); - - var msg151 = msg("BOOTPD_MODEL_ERR", part178); - - var part179 = match("MESSAGE#147:BOOTPD_NEW_CONF", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: New configuration installed", processor_chain([ - dup21, - dup22, - setc("event_description","New configuration installed"), - dup23, - ])); - - var msg152 = msg("BOOTPD_NEW_CONF", part179); - - var part180 = match("MESSAGE#148:BOOTPD_NO_BOOTSTRING", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: No boot string found for type %(unknown)", processor_chain([ - dup30, - dup22, - setc("event_description","No boot string found"), - dup23, - ])); - - var msg153 = msg("BOOTPD_NO_BOOTSTRING", part180); - - var part181 = match("MESSAGE#149:BOOTPD_NO_CONFIG", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: No configuration file '%(unknown)', %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","No configuration file found"), - dup23, - ])); - - var msg154 = msg("BOOTPD_NO_CONFIG", part181); - - var part182 = match("MESSAGE#150:BOOTPD_PARSE_ERR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %(unknown): number parse errors on SIGHUP", processor_chain([ - dup30, - dup22, - setc("event_description","parse errors on SIGHUP"), - dup23, - ])); - - var msg155 = msg("BOOTPD_PARSE_ERR", part182); - - var part183 = match("MESSAGE#151:BOOTPD_REPARSE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Reparsing configuration file '%(unknown)'", processor_chain([ - dup21, - dup22, - setc("event_description","Reparsing configuration file"), - dup23, - ])); - - var msg156 = msg("BOOTPD_REPARSE", part183); - - var part184 = match("MESSAGE#152:BOOTPD_SELECT_ERR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: select: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","select error"), - dup23, - ])); - - var msg157 = 
msg("BOOTPD_SELECT_ERR", part184); - - var part185 = match("MESSAGE#153:BOOTPD_TIMEOUT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Timeout %{result->} unreasonable", processor_chain([ - dup30, - dup22, - setc("event_description","timeout unreasonable"), - dup23, - ])); - - var msg158 = msg("BOOTPD_TIMEOUT", part185); - - var part186 = match("MESSAGE#154:BOOTPD_VERSION", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Version: %{version->} built by builder on %{event_time_string}", processor_chain([ - dup21, - dup22, - setc("event_description","boot version built"), - dup23, - ])); - - var msg159 = msg("BOOTPD_VERSION", part186); - - var part187 = match("MESSAGE#155:CHASSISD", "nwparser.payload", "%{process}[%{process_id}]: %{event_type->} %{version->} built by builder on %{event_time_string}", processor_chain([ - dup58, - dup22, - setc("event_description","CHASSISD release built"), - dup23, - ])); - - var msg160 = msg("CHASSISD", part187); - - var part188 = match("MESSAGE#156:CHASSISD_ARGUMENT_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unknown option %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","CHASSISD Unknown option"), - dup23, - ])); - - var msg161 = msg("CHASSISD_ARGUMENT_ERROR", part188); - - var part189 = match("MESSAGE#157:CHASSISD_BLOWERS_SPEED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Fans and impellers are now running at normal speed", processor_chain([ - dup21, - dup22, - setc("event_description","Fans and impellers are now running at normal speed"), - dup23, - ])); - - var msg162 = msg("CHASSISD_BLOWERS_SPEED", part189); - - var part190 = match("MESSAGE#158:CHASSISD_BLOWERS_SPEED_FULL", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Fans and impellers being set to full speed [%{result}]", processor_chain([ - dup21, - dup22, - setc("event_description","Fans and impellers being set to full speed"), - dup23, - ])); - - var 
msg163 = msg("CHASSISD_BLOWERS_SPEED_FULL", part190); - - var part191 = match("MESSAGE#159:CHASSISD_CB_READ", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{result->} reading midplane ID EEPROM, %{dclass_counter1->} %{dclass_counter2}", processor_chain([ - dup21, - dup22, - setc("event_description","reading midplane ID EEPROM"), - dup23, - ])); - - var msg164 = msg("CHASSISD_CB_READ", part191); - - var part192 = match("MESSAGE#160:CHASSISD_COMMAND_ACK_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{device->} online ack code %{dclass_counter1->} - - %{result}, %{interface}", processor_chain([ - dup30, - dup22, - setc("event_description","CHASSISD COMMAND ACK ERROR"), - dup23, - ])); - - var msg165 = msg("CHASSISD_COMMAND_ACK_ERROR", part192); - - var part193 = match("MESSAGE#161:CHASSISD_COMMAND_ACK_SF_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{disposition->} - %{result}, code %{resultcode}, SFM %{dclass_counter1}, FPC %{dclass_counter2}", processor_chain([ - dup30, - dup22, - setc("event_description","CHASSISD COMMAND ACK SF ERROR"), - dup23, - ])); - - var msg166 = msg("CHASSISD_COMMAND_ACK_SF_ERROR", part193); - - var part194 = match("MESSAGE#162:CHASSISD_CONCAT_MODE_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Cannot set no-concatenated mode for FPC %{dclass_counter2->} PIC %{dclass_counter1}", processor_chain([ - dup30, - dup22, - setc("event_description","Cannot set no-concatenated mode for FPC"), - dup23, - ])); - - var msg167 = msg("CHASSISD_CONCAT_MODE_ERROR", part194); - - var part195 = match("MESSAGE#163:CHASSISD_CONFIG_INIT_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Problems with configuration file %(unknown); %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","CONFIG File Problem"), - dup23, - ])); - - var msg168 = msg("CHASSISD_CONFIG_INIT_ERROR", part195); - - var part196 = 
match("MESSAGE#164:CHASSISD_CONFIG_WARNING", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %(unknown): %{result}, FPC %{dclass_counter2->} %{resultcode}", processor_chain([ - dup30, - dup22, - setc("event_description","CHASSISD CONFIG WARNING"), - dup23, - ])); - - var msg169 = msg("CHASSISD_CONFIG_WARNING", part196); - - var part197 = match("MESSAGE#165:CHASSISD_EXISTS", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: chassisd already running; %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","chassisd already running"), - dup23, - ])); - - var msg170 = msg("CHASSISD_EXISTS", part197); - - var part198 = match("MESSAGE#166:CHASSISD_EXISTS_TERM_OTHER", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Killing existing chassisd and exiting", processor_chain([ - dup21, - dup22, - setc("event_description","Killing existing chassisd and exiting"), - dup23, - ])); - - var msg171 = msg("CHASSISD_EXISTS_TERM_OTHER", part198); - - var part199 = match("MESSAGE#167:CHASSISD_FILE_OPEN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: File open: %(unknown), error: %{resultcode->} - - %{dclass_counter1}", processor_chain([ - dup30, - dup22, - setc("event_description","file open error"), - dup23, - ])); - - var msg172 = msg("CHASSISD_FILE_OPEN", part199); - - var part200 = match("MESSAGE#168:CHASSISD_FILE_STAT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: File stat: %(unknown), error: %{resultcode->} - - %{dclass_counter1}", processor_chain([ - dup30, - dup22, - setc("event_description","CHASSISD file statistics error"), - dup23, - ])); - - var msg173 = msg("CHASSISD_FILE_STAT", part200); - - var part201 = match("MESSAGE#169:CHASSISD_FRU_EVENT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","CHASSISD received restart EVENT"), - dup23, - ])); - - var msg174 = 
msg("CHASSISD_FRU_EVENT", part201); - - var part202 = match("MESSAGE#170:CHASSISD_FRU_IPC_WRITE_ERROR_EXT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action->} FRU %(unknown)#%{resultcode}, %{result->} %{dclass_counter1}, %{dclass_counter2}", processor_chain([ - dup30, - dup22, - setc("event_description","CHASSISD restart WRITE_ERROR"), - dup23, - ])); - - var msg175 = msg("CHASSISD_FRU_IPC_WRITE_ERROR_EXT", part202); - - var part203 = match("MESSAGE#171:CHASSISD_FRU_STEP_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{filename->} %{resultcode->} at step %{dclass_counter1}", processor_chain([ - dup30, - dup22, - setc("event_description","CHASSISD FRU STEP ERROR"), - dup23, - ])); - - var msg176 = msg("CHASSISD_FRU_STEP_ERROR", part203); - - var part204 = match("MESSAGE#172:CHASSISD_GETTIMEOFDAY", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unexpected error from gettimeofday: %{resultcode->} - %{dclass_counter1}", processor_chain([ - dup30, - dup22, - setc("event_description","Unexpected error from gettimeofday"), - dup23, - ])); - - var msg177 = msg("CHASSISD_GETTIMEOFDAY", part204); - - var part205 = match("MESSAGE#173:CHASSISD_HOST_TEMP_READ", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{result->} reading host temperature sensor", processor_chain([ - dup21, - dup22, - setc("event_description","reading host temperature sensor"), - dup23, - ])); - - var msg178 = msg("CHASSISD_HOST_TEMP_READ", part205); - - var part206 = match("MESSAGE#174:CHASSISD_IFDEV_DETACH_ALL_PSEUDO", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}(%{disposition})", processor_chain([ - dup21, - dup22, - setc("event_description","detaching all pseudo devices"), - dup23, - ])); - - var msg179 = msg("CHASSISD_IFDEV_DETACH_ALL_PSEUDO", part206); - - var part207 = match("MESSAGE#175:CHASSISD_IFDEV_DETACH_FPC", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: 
%{service}(%{resultcode})", processor_chain([ - dup21, - dup22, - setc("event_description","CHASSISD IFDEV DETACH FPC"), - dup23, - ])); - - var msg180 = msg("CHASSISD_IFDEV_DETACH_FPC", part207); - - var part208 = match("MESSAGE#176:CHASSISD_IFDEV_DETACH_PIC", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}(%{resultcode})", processor_chain([ - dup21, - dup22, - setc("event_description","CHASSISD IFDEV DETACH PIC"), - dup23, - ])); - - var msg181 = msg("CHASSISD_IFDEV_DETACH_PIC", part208); - - var part209 = match("MESSAGE#177:CHASSISD_IFDEV_DETACH_PSEUDO", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}(%{disposition})", processor_chain([ - dup21, - dup22, - setc("event_description","CHASSISD IFDEV DETACH PSEUDO"), - dup23, - ])); - - var msg182 = msg("CHASSISD_IFDEV_DETACH_PSEUDO", part209); - - var part210 = match("MESSAGE#178:CHASSISD_IFDEV_DETACH_TLV_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","CHASSISD IFDEV DETACH TLV ERROR"), - dup23, - ])); - - var msg183 = msg("CHASSISD_IFDEV_DETACH_TLV_ERROR", part210); - - var part211 = match("MESSAGE#179:CHASSISD_IFDEV_GET_BY_INDEX_FAIL", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: rtslib_ifdm_get_by_index failed: %{resultcode->} - %{dclass_counter1}", processor_chain([ - dup30, - dup22, - setc("event_description","rtslib_ifdm_get_by_index failed"), - dup23, - ])); - - var msg184 = msg("CHASSISD_IFDEV_GET_BY_INDEX_FAIL", part211); - - var part212 = match("MESSAGE#180:CHASSISD_IPC_MSG_QFULL_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{result}: type = %{dclass_counter1}, subtype = %{dclass_counter2}", processor_chain([ - dup30, - dup22, - setc("event_description","Message Queue full"), - dup23, - ])); - - var msg185 = msg("CHASSISD_IPC_MSG_QFULL_ERROR", part212); - - var part213 = 
match("MESSAGE#181:CHASSISD_IPC_UNEXPECTED_RECV", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Received unexpected message from %{service}: type = %{dclass_counter1}, subtype = %{dclass_counter2}", processor_chain([ - dup30, - dup22, - setc("event_description","Received unexpected message"), - dup23, - ])); - - var msg186 = msg("CHASSISD_IPC_UNEXPECTED_RECV", part213); - - var part214 = match("MESSAGE#182:CHASSISD_IPC_WRITE_ERR_NO_PIPE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: FRU has no connection pipe %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","FRU has no connection pipe"), - dup23, - ])); - - var msg187 = msg("CHASSISD_IPC_WRITE_ERR_NO_PIPE", part214); - - var part215 = match("MESSAGE#183:CHASSISD_IPC_WRITE_ERR_NULL_ARGS", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: FRU has no connection arguments %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","FRU has no connection arguments"), - dup23, - ])); - - var msg188 = msg("CHASSISD_IPC_WRITE_ERR_NULL_ARGS", part215); - - var part216 = match("MESSAGE#184:CHASSISD_MAC_ADDRESS_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: chassisd MAC address allocation error", processor_chain([ - dup30, - dup22, - setc("event_description","chassisd MAC address allocation error"), - dup23, - ])); - - var msg189 = msg("CHASSISD_MAC_ADDRESS_ERROR", part216); - - var part217 = match("MESSAGE#185:CHASSISD_MAC_DEFAULT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Using default MAC address base", processor_chain([ - dup21, - dup22, - setc("event_description","Using default MAC address base"), - dup23, - ])); - - var msg190 = msg("CHASSISD_MAC_DEFAULT", part217); - - var part218 = match("MESSAGE#186:CHASSISD_MBUS_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service->} %{resultcode}: management bus failed sanity test", processor_chain([ - dup30, - dup22, - 
setc("event_description","management bus failed sanity test"), - dup23, - ])); - - var msg191 = msg("CHASSISD_MBUS_ERROR", part218); - - var part219 = match("MESSAGE#187:CHASSISD_PARSE_COMPLETE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Using new configuration", processor_chain([ - dup21, - dup22, - setc("event_description","Using new configuration"), - dup23, - ])); - - var msg192 = msg("CHASSISD_PARSE_COMPLETE", part219); - - var part220 = match("MESSAGE#188:CHASSISD_PARSE_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: %{resultcode->} %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","CHASSISD PARSE ERROR"), - dup23, - ])); - - var msg193 = msg("CHASSISD_PARSE_ERROR", part220); - - var part221 = match("MESSAGE#189:CHASSISD_PARSE_INIT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Parsing configuration file '%(unknown)'", processor_chain([ - dup21, - dup22, - setc("event_description","Parsing configuration file"), - dup23, - ])); - - var msg194 = msg("CHASSISD_PARSE_INIT", part221); - - var part222 = match("MESSAGE#190:CHASSISD_PIDFILE_OPEN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to open PID file '%(unknown)': %{result->} %{resultcode}", processor_chain([ - dup30, - dup22, - setc("event_description","Unable to open PID file"), - dup23, - ])); - - var msg195 = msg("CHASSISD_PIDFILE_OPEN", part222); - - var part223 = match("MESSAGE#191:CHASSISD_PIPE_WRITE_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Pipe error: %{resultcode}", processor_chain([ - dup30, - dup22, - setc("event_description","Pipe error"), - dup23, - ])); - - var msg196 = msg("CHASSISD_PIPE_WRITE_ERROR", part223); - - var part224 = match("MESSAGE#192:CHASSISD_POWER_CHECK", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{device->} %{dclass_counter1->} not powering up", processor_chain([ - dup59, - dup22, - 
setc("event_description","device not powering up"), - dup23, - ])); - - var msg197 = msg("CHASSISD_POWER_CHECK", part224); - - var part225 = match("MESSAGE#193:CHASSISD_RECONNECT_SUCCESSFUL", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Successfully reconnected on soft restart", processor_chain([ - dup21, - dup22, - setc("event_description","Successful reconnect on soft restart"), - dup23, - ])); - - var msg198 = msg("CHASSISD_RECONNECT_SUCCESSFUL", part225); - - var part226 = match("MESSAGE#194:CHASSISD_RELEASE_MASTERSHIP", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Release mastership notification", processor_chain([ - dup21, - dup22, - setc("event_description","Release mastership notification"), - dup23, - ])); - - var msg199 = msg("CHASSISD_RELEASE_MASTERSHIP", part226); - - var part227 = match("MESSAGE#195:CHASSISD_RE_INIT_INVALID_RE_SLOT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: re_init: re %{resultcode}, %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","re_init Invalid RE slot"), - dup23, - ])); - - var msg200 = msg("CHASSISD_RE_INIT_INVALID_RE_SLOT", part227); - - var part228 = match("MESSAGE#196:CHASSISD_ROOT_MOUNT_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to determine the mount point for root directory: %{resultcode}", processor_chain([ - dup30, - dup22, - setc("event_description","Unable to determine mount point for root directory"), - dup23, - ])); - - var msg201 = msg("CHASSISD_ROOT_MOUNT_ERROR", part228); - - var part229 = match("MESSAGE#197:CHASSISD_RTS_SEQ_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: ifmsg sequence gap %{resultcode->} - - %{dclass_counter1}", processor_chain([ - dup30, - dup22, - setc("event_description","ifmsg sequence gap"), - dup23, - ])); - - var msg202 = msg("CHASSISD_RTS_SEQ_ERROR", part229); - - var part230 = match("MESSAGE#198:CHASSISD_SBOARD_VERSION_MISMATCH", 
"nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Version mismatch: %{info}", processor_chain([ - setc("eventcategory","1603040000"), - dup22, - setc("event_description","Version mismatch"), - dup23, - ])); - - var msg203 = msg("CHASSISD_SBOARD_VERSION_MISMATCH", part230); - - var part231 = match("MESSAGE#199:CHASSISD_SERIAL_ID", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Serial ID read error: %{resultcode->} - - %{dclass_counter1}", processor_chain([ - dup30, - dup22, - setc("event_description","Serial ID read error"), - dup23, - ])); - - var msg204 = msg("CHASSISD_SERIAL_ID", part231); - - var part232 = match("MESSAGE#200:CHASSISD_SMB_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}: fpga download not complete: val %{resultcode}, %{dclass_counter1}", processor_chain([ - dup30, - dup22, - setc("event_description","fpga download not complete"), - dup23, - ])); - - var msg205 = msg("CHASSISD_SMB_ERROR", part232); - - var part233 = match("MESSAGE#201:CHASSISD_SNMP_TRAP6", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: SNMP trap generated: %{result->} (%{info})", processor_chain([ - dup58, - dup22, - setc("event_description","SNMP Trap6 generated"), - dup23, - ])); - - var msg206 = msg("CHASSISD_SNMP_TRAP6", part233); - - var part234 = match("MESSAGE#202:CHASSISD_SNMP_TRAP7", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: SNMP trap: %{result}: %{info}", processor_chain([ - dup30, - dup22, - setc("event_description","SNMP Trap7 generated"), - dup23, - ])); - - var msg207 = msg("CHASSISD_SNMP_TRAP7", part234); - - var part235 = match("MESSAGE#203:CHASSISD_SNMP_TRAP10", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: SNMP trap: %{result}: %{info}", processor_chain([ - dup21, - dup22, - setc("event_description","SNMP trap - FRU power on"), - dup23, - ])); - - var msg208 = msg("CHASSISD_SNMP_TRAP10", part235); - - var part236 = 
match("MESSAGE#204:CHASSISD_TERM_SIGNAL", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Received SIGTERM request, %{result}", processor_chain([ - dup60, - dup22, - setc("event_description","Received SIGTERM request"), - dup23, - ])); - - var msg209 = msg("CHASSISD_TERM_SIGNAL", part236); - - var part237 = match("MESSAGE#205:CHASSISD_TRACE_PIC_OFFLINE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Taking PIC offline - - FPC slot %{dclass_counter1}, PIC slot %{dclass_counter2}", processor_chain([ - dup21, - dup22, - setc("event_description","Taking PIC offline"), - dup23, - ])); - - var msg210 = msg("CHASSISD_TRACE_PIC_OFFLINE", part237); - - var part238 = match("MESSAGE#206:CHASSISD_UNEXPECTED_EXIT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service->} returned %{resultcode}: %{dclass_counter1}", processor_chain([ - dup30, - dup22, - setc("event_description","UNEXPECTED EXIT"), - dup23, - ])); - - var msg211 = msg("CHASSISD_UNEXPECTED_EXIT", part238); - - var part239 = match("MESSAGE#207:CHASSISD_UNSUPPORTED_MODEL", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Model %{dclass_counter1->} unsupported with this version of chassisd", processor_chain([ - dup59, - dup22, - setc("event_description","Model number unsupported with this version of chassisd"), - dup23, - ])); - - var msg212 = msg("CHASSISD_UNSUPPORTED_MODEL", part239); - - var part240 = match("MESSAGE#208:CHASSISD_VERSION_MISMATCH", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Version mismatch: %{info}", processor_chain([ - dup59, - dup22, - setc("event_description","Chassisd Version mismatch"), - dup23, - ])); - - var msg213 = msg("CHASSISD_VERSION_MISMATCH", part240); - - var part241 = match("MESSAGE#209:CHASSISD_HIGH_TEMP_CONDITION", "nwparser.payload", "%{process->} %{process_id->} %{event_type->} [junos@%{obj_name->} temperature=\"%{fld2}\" message=\"%{info}\"]", processor_chain([ - dup59, - dup22, - 
setc("event_description","CHASSISD HIGH TEMP CONDITION"), - dup61, - dup62, - ])); - - var msg214 = msg("CHASSISD_HIGH_TEMP_CONDITION", part241); - - var part242 = match("MESSAGE#210:clean_process", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: process %{agent->} RESTART mode %{event_state->} new master=%{obj_name->} old failover=%{change_old->} new failover = %{change_new}", processor_chain([ - dup21, - dup22, - setc("event_description","process RESTART mode"), - dup23, - ])); - - var msg215 = msg("clean_process", part242); - - var part243 = match("MESSAGE#211:CM_JAVA", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Chassis %{group->} Linklocal MAC:%{macaddr}", processor_chain([ - dup21, - dup22, - setc("event_description","Chassis Linklocal to MAC"), - dup23, - ])); - - var msg216 = msg("CM_JAVA", part243); - - var part244 = match("MESSAGE#212:DCD_AS_ROOT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Must be run as root", processor_chain([ - dup63, - dup22, - setc("event_description","DCD must be run as root"), - dup23, - ])); - - var msg217 = msg("DCD_AS_ROOT", part244); - - var part245 = match("MESSAGE#213:DCD_FILTER_LIB_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Filter library initialization failed", processor_chain([ - dup30, - dup22, - setc("event_description","Filter library initialization failed"), - dup23, - ])); - - var msg218 = msg("DCD_FILTER_LIB_ERROR", part245); - - var msg219 = msg("DCD_MALLOC_FAILED_INIT", dup139); - - var part246 = match("MESSAGE#215:DCD_PARSE_EMERGENCY", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: errors while parsing configuration file", processor_chain([ - dup30, - dup22, - setc("event_description","errors while parsing configuration file"), - dup23, - ])); - - var msg220 = msg("DCD_PARSE_EMERGENCY", part246); - - var part247 = match("MESSAGE#216:DCD_PARSE_FILTER_EMERGENCY", "nwparser.payload", 
"%{process}[%{process_id}]: %{event_type}: %{service}: errors while parsing filter index file", processor_chain([ - dup30, - dup22, - setc("event_description","errors while parsing filter index file"), - dup23, - ])); - - var msg221 = msg("DCD_PARSE_FILTER_EMERGENCY", part247); - - var part248 = match("MESSAGE#217:DCD_PARSE_MINI_EMERGENCY", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: errors while parsing configuration overlay", processor_chain([ - dup30, - dup22, - setc("event_description","errors while parsing configuration overlay"), - dup23, - ])); - - var msg222 = msg("DCD_PARSE_MINI_EMERGENCY", part248); - - var part249 = match("MESSAGE#218:DCD_PARSE_STATE_EMERGENCY", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: An unhandled state was encountered during interface parsing", processor_chain([ - dup30, - dup22, - setc("event_description","unhandled state was encountered during interface parsing"), - dup23, - ])); - - var msg223 = msg("DCD_PARSE_STATE_EMERGENCY", part249); - - var part250 = match("MESSAGE#219:DCD_POLICER_PARSE_EMERGENCY", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: errors while parsing policer indexfile", processor_chain([ - dup30, - dup22, - setc("event_description","errors while parsing policer indexfile"), - dup23, - ])); - - var msg224 = msg("DCD_POLICER_PARSE_EMERGENCY", part250); - - var part251 = match("MESSAGE#220:DCD_PULL_LOG_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Failed to pull file %{filename->} after %{dclass_counter1->} retries last error=%{resultcode}", processor_chain([ - dup30, - dup22, - setc("event_description","Failed to pull file"), - dup23, - ])); - - var msg225 = msg("DCD_PULL_LOG_FAILURE", part251); - - var part252 = match("MESSAGE#221:DFWD_ARGUMENT_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","DFWD ARGUMENT 
ERROR"), - dup23, - ])); - - var msg226 = msg("DFWD_ARGUMENT_ERROR", part252); - - var msg227 = msg("DFWD_MALLOC_FAILED_INIT", dup139); - - var part253 = match("MESSAGE#223:DFWD_PARSE_FILTER_EMERGENCY", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service->} encountered errors while parsing filter index file", processor_chain([ - dup30, - dup22, - setc("event_description","errors encountered while parsing filter index file"), - dup23, - ])); - - var msg228 = msg("DFWD_PARSE_FILTER_EMERGENCY", part253); - - var part254 = match("MESSAGE#224:DFWD_PARSE_STATE_EMERGENCY", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service->} encountered unhandled state while parsing interface", processor_chain([ - dup30, - dup22, - setc("event_description","encountered unhandled state while parsing interface"), - dup23, - ])); - - var msg229 = msg("DFWD_PARSE_STATE_EMERGENCY", part254); - - var msg230 = msg("ECCD_DAEMONIZE_FAILED", dup140); - - var msg231 = msg("ECCD_DUPLICATE", dup141); - - var part255 = match("MESSAGE#227:ECCD_LOOP_EXIT_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: MainLoop return value: %{disposition}, error: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","ECCD LOOP EXIT FAILURE"), - dup23, - ])); - - var msg232 = msg("ECCD_LOOP_EXIT_FAILURE", part255); - - var part256 = match("MESSAGE#228:ECCD_NOT_ROOT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Must be run as root", processor_chain([ - dup63, - dup22, - setc("event_description","ECCD Must be run as root"), - dup23, - ])); - - var msg233 = msg("ECCD_NOT_ROOT", part256); - - var part257 = match("MESSAGE#229:ECCD_PCI_FILE_OPEN_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: open() failed: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","ECCD PCI FILE OPEN FAILED"), - dup23, - ])); - - var msg234 = msg("ECCD_PCI_FILE_OPEN_FAILED", part257); - - var 
part258 = match("MESSAGE#230:ECCD_PCI_READ_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","PCI read failure"), - dup23, - ])); - - var msg235 = msg("ECCD_PCI_READ_FAILED", part258); - - var part259 = match("MESSAGE#231:ECCD_PCI_WRITE_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","PCI write failure"), - dup23, - ])); - - var msg236 = msg("ECCD_PCI_WRITE_FAILED", part259); - - var msg237 = msg("ECCD_PID_FILE_LOCK", dup142); - - var msg238 = msg("ECCD_PID_FILE_UPDATE", dup143); - - var part260 = match("MESSAGE#234:ECCD_TRACE_FILE_OPEN_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","ECCD TRACE FILE OPEN FAILURE"), - dup23, - ])); - - var msg239 = msg("ECCD_TRACE_FILE_OPEN_FAILED", part260); - - var part261 = match("MESSAGE#235:ECCD_usage", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{result}: %{info}", processor_chain([ - dup21, - dup22, - setc("event_description","ECCD Usage"), - dup23, - ])); - - var msg240 = msg("ECCD_usage", part261); - - var part262 = match("MESSAGE#236:EVENTD_AUDIT_SHOW", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User %{username->} viewed security audit log with arguments: %{param}", processor_chain([ - dup21, - dup22, - setc("event_description","User viewed security audit log with arguments"), - dup23, - ])); - - var msg241 = msg("EVENTD_AUDIT_SHOW", part262); - - var part263 = match("MESSAGE#237:FLOW_REASSEMBLE_SUCCEED", "nwparser.payload", "%{event_type}: Packet merged source %{saddr->} destination %{daddr->} ipid %{fld11->} succeed", processor_chain([ - dup21, - dup22, - dup23, - ])); - - var msg242 = msg("FLOW_REASSEMBLE_SUCCEED", part263); - - var part264 = 
match("MESSAGE#238:FSAD_CHANGE_FILE_OWNER", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to change owner of file `%(unknown)' to user %{username}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Unable to change owner of file"), - dup23, - ])); - - var msg243 = msg("FSAD_CHANGE_FILE_OWNER", part264); - - var part265 = match("MESSAGE#239:FSAD_CONFIG_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","FSAD CONFIG ERROR"), - dup23, - ])); - - var msg244 = msg("FSAD_CONFIG_ERROR", part265); - - var part266 = match("MESSAGE#240:FSAD_CONNTIMEDOUT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Connection timed out to the client (%{shost}, %{saddr}) having request type %{obj_type}", processor_chain([ - dup30, - dup22, - setc("event_description","Connection timed out to client"), - dup23, - ])); - - var msg245 = msg("FSAD_CONNTIMEDOUT", part266); - - var part267 = match("MESSAGE#241:FSAD_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: %{action}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","FSAD_FAILED"), - dup23, - ])); - - var msg246 = msg("FSAD_FAILED", part267); - - var part268 = match("MESSAGE#242:FSAD_FETCHTIMEDOUT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Fetch to server %{hostname->} for file `%(unknown)' timed out", processor_chain([ - dup30, - dup22, - setc("event_description","Fetch to server to get file timed out"), - dup23, - ])); - - var msg247 = msg("FSAD_FETCHTIMEDOUT", part268); - - var part269 = match("MESSAGE#243:FSAD_FILE_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: fn failed for file `%(unknown)' with error message %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","fn failed for file"), - dup23, - ])); - - var msg248 = 
msg("FSAD_FILE_FAILED", part269); - - var part270 = match("MESSAGE#244:FSAD_FILE_REMOVE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to remove file `%(unknown)': %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Unable to remove file"), - dup23, - ])); - - var msg249 = msg("FSAD_FILE_REMOVE", part270); - - var part271 = match("MESSAGE#245:FSAD_FILE_RENAME", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to rename file `%(unknown)' to `%{resultcode}': %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Unable to rename file"), - dup23, - ])); - - var msg250 = msg("FSAD_FILE_RENAME", part271); - - var part272 = match("MESSAGE#246:FSAD_FILE_STAT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service->} failed for file pathname %(unknown): %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","stat failed for file"), - dup23, - ])); - - var msg251 = msg("FSAD_FILE_STAT", part272); - - var part273 = match("MESSAGE#247:FSAD_FILE_SYNC", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to sync file %(unknown)': %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Unable to sync file"), - dup23, - ])); - - var msg252 = msg("FSAD_FILE_SYNC", part273); - - var part274 = match("MESSAGE#248:FSAD_MAXCONN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Upper limit reached in fsad for handling connections", processor_chain([ - dup30, - dup22, - setc("event_description","Upper limit reached in fsad"), - dup23, - ])); - - var msg253 = msg("FSAD_MAXCONN", part274); - - var part275 = match("MESSAGE#249:FSAD_MEMORYALLOC_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service->} failed in the function %{action->} (%{resultcode})", processor_chain([ - dup51, - dup22, - setc("event_description","FSAD MEMORYALLOC FAILED"), - dup23, - ])); - - var msg254 = 
msg("FSAD_MEMORYALLOC_FAILED", part275); - - var part276 = match("MESSAGE#250:FSAD_NOT_ROOT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Must be run as root", processor_chain([ - dup63, - dup22, - setc("event_description","FSAD must be run as root"), - dup23, - ])); - - var msg255 = msg("FSAD_NOT_ROOT", part276); - - var part277 = match("MESSAGE#251:FSAD_PARENT_DIRECTORY", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: invalid directory: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","invalid directory"), - dup23, - ])); - - var msg256 = msg("FSAD_PARENT_DIRECTORY", part277); - - var part278 = match("MESSAGE#252:FSAD_PATH_IS_DIRECTORY", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: File path cannot be a directory (%(unknown))", processor_chain([ - dup30, - dup22, - setc("event_description","File path cannot be a directory"), - dup23, - ])); - - var msg257 = msg("FSAD_PATH_IS_DIRECTORY", part278); - - var part279 = match("MESSAGE#253:FSAD_PATH_IS_SPECIAL", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Not a regular file (%(unknown))", processor_chain([ - dup30, - dup22, - setc("event_description","Not a regular file"), - dup23, - ])); - - var msg258 = msg("FSAD_PATH_IS_SPECIAL", part279); - - var part280 = match("MESSAGE#254:FSAD_RECVERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: fsad received error message from client having request type %{obj_type->} at (%{saddr}, %{sport})", processor_chain([ - dup30, - dup22, - setc("event_description","fsad received error message from client"), - dup23, - ])); - - var msg259 = msg("FSAD_RECVERROR", part280); - - var part281 = match("MESSAGE#255:FSAD_TERMINATED_CONNECTION", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Open file %(unknown)` closed due to %{result}", processor_chain([ - dup27, - dup22, - setc("event_description","FSAD TERMINATED CONNECTION"), - dup23, - ])); - - 
var msg260 = msg("FSAD_TERMINATED_CONNECTION", part281); - - var part282 = match("MESSAGE#256:FSAD_TERMINATING_SIGNAL", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Received terminating %{resultcode}; %{result}", processor_chain([ - dup21, - dup22, - setc("event_description","Received terminating signal"), - dup23, - ])); - - var msg261 = msg("FSAD_TERMINATING_SIGNAL", part282); - - var part283 = match("MESSAGE#257:FSAD_TRACEOPEN_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Open operation on trace file `%(unknown)' returned error %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Open operation on trace file failed"), - dup23, - ])); - - var msg262 = msg("FSAD_TRACEOPEN_FAILED", part283); - - var part284 = match("MESSAGE#258:FSAD_USAGE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Incorrect usage, %{info}", processor_chain([ - dup21, - dup22, - setc("event_description","Incorrect FSAD usage"), - dup23, - ])); - - var msg263 = msg("FSAD_USAGE", part284); - - var part285 = match("MESSAGE#259:GGSN_ALARM_TRAP_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: %{action}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","GGSN ALARM TRAP FAILED"), - dup23, - ])); - - var msg264 = msg("GGSN_ALARM_TRAP_FAILED", part285); - - var part286 = match("MESSAGE#260:GGSN_ALARM_TRAP_SEND", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: %{action}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","GGSN ALARM TRAP SEND FAILED"), - dup23, - ])); - - var msg265 = msg("GGSN_ALARM_TRAP_SEND", part286); - - var part287 = match("MESSAGE#261:GGSN_TRAP_SEND", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unknown trap request type %{obj_type}", processor_chain([ - dup30, - dup22, - setc("event_description","Unknown trap request type"), - dup23, - ])); - - var msg266 = 
msg("GGSN_TRAP_SEND", part287); - - var part288 = match("MESSAGE#262:JADE_AUTH_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Authorization failed: %{result}", processor_chain([ - dup69, - dup34, - setc("ec_subject","Service"), - dup43, - dup22, - setc("event_description","Authorization failed"), - dup23, - ])); - - var msg267 = msg("JADE_AUTH_ERROR", part288); - - var part289 = match("MESSAGE#263:JADE_EXEC_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: CLI %{resultcode->} %{action}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","JADE EXEC ERROR"), - dup23, - ])); - - var msg268 = msg("JADE_EXEC_ERROR", part289); - - var part290 = match("MESSAGE#264:JADE_NO_LOCAL_USER", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Local user %{username->} does not exist", processor_chain([ - dup30, - dup22, - setc("event_description","Local user does not exist"), - dup23, - ])); - - var msg269 = msg("JADE_NO_LOCAL_USER", part290); - - var part291 = match("MESSAGE#265:JADE_PAM_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","JADE PAM error"), - dup23, - ])); - - var msg270 = msg("JADE_PAM_ERROR", part291); - - var part292 = match("MESSAGE#266:JADE_PAM_NO_LOCAL_USER", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to get local username from PAM: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Unable to get local username from PAM"), - dup23, - ])); - - var msg271 = msg("JADE_PAM_NO_LOCAL_USER", part292); - - var part293 = match("MESSAGE#267:KERN_ARP_ADDR_CHANGE", "nwparser.payload", "%{process}: %{event_type}: arp info overwritten for %{saddr->} from %{smacaddr->} to %{dmacaddr}", processor_chain([ - dup30, - dup22, - setc("event_description","arp info overwritten"), - dup23, - ])); - - var msg272 = msg("KERN_ARP_ADDR_CHANGE", 
part293); - - var part294 = match("MESSAGE#268:KMD_PM_SA_ESTABLISHED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Local gateway: %{gateway}, Remote gateway: %{fld1}, Local ID:%{fld2}, Remote ID:%{fld3}, Direction:%{fld4}, SPI:%{fld5}", processor_chain([ - dup30, - dup22, - setc("event_description","security association has been established"), - dup23, - ])); - - var msg273 = msg("KMD_PM_SA_ESTABLISHED", part294); - - var part295 = match("MESSAGE#269:L2CPD_TASK_REINIT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Reinitialized", processor_chain([ - dup21, - dup22, - setc("event_description","Task Reinitialized"), - dup61, - dup23, - ])); - - var msg274 = msg("L2CPD_TASK_REINIT", part295); - - var part296 = match("MESSAGE#270:LIBJNX_EXEC_EXITED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Command stopped: PID %{child_pid}, signal='%{obj_type}' %{result}, command '%{action}'", processor_chain([ - dup21, - dup22, - dup70, - dup23, - ])); - - var msg275 = msg("LIBJNX_EXEC_EXITED", part296); - - var part297 = match("MESSAGE#271:LIBJNX_EXEC_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Child exec failed for command '%{action}': %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Child exec failed for command"), - dup23, - ])); - - var msg276 = msg("LIBJNX_EXEC_FAILED", part297); - - var msg277 = msg("LIBJNX_EXEC_PIPE", dup144); - - var part298 = match("MESSAGE#273:LIBJNX_EXEC_SIGNALED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Command received signal: PID %{child_pid}, signal %{result}, command '%{action}'", processor_chain([ - dup30, - dup22, - setc("event_description","Command received signal"), - dup23, - ])); - - var msg278 = msg("LIBJNX_EXEC_SIGNALED", part298); - - var part299 = match("MESSAGE#274:LIBJNX_EXEC_WEXIT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Command exited: PID %{child_pid}, status %{result}, command 
'%{action}'", processor_chain([ - dup21, - dup22, - dup72, - dup23, - ])); - - var msg279 = msg("LIBJNX_EXEC_WEXIT", part299); - - var part300 = match("MESSAGE#275:LIBJNX_FILE_COPY_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: copy_file_to_transfer_dir failed to copy from source to destination", processor_chain([ - dup73, - dup22, - setc("event_description","copy_file_to_transfer_dir failed to copy"), - dup23, - ])); - - var msg280 = msg("LIBJNX_FILE_COPY_FAILED", part300); - - var part301 = match("MESSAGE#276:LIBJNX_PRIV_LOWER_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to lower privilege level: %{result}", processor_chain([ - dup73, - dup22, - setc("event_description","Unable to lower privilege level"), - dup23, - ])); - - var msg281 = msg("LIBJNX_PRIV_LOWER_FAILED", part301); - - var part302 = match("MESSAGE#277:LIBJNX_PRIV_RAISE_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to raise privilege level: %{result}", processor_chain([ - dup73, - dup22, - setc("event_description","Unable to raise privilege level"), - dup23, - ])); - - var msg282 = msg("LIBJNX_PRIV_RAISE_FAILED", part302); - - var part303 = match("MESSAGE#278:LIBJNX_REPLICATE_RCP_EXEC_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}: %{result}", processor_chain([ - dup73, - dup22, - setc("event_description","rcp failed"), - dup23, - ])); - - var msg283 = msg("LIBJNX_REPLICATE_RCP_EXEC_FAILED", part303); - - var part304 = match("MESSAGE#279:LIBJNX_ROTATE_COMPRESS_EXEC_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{resultcode->} %{dclass_counter1->} -f %{action}: %{result}", processor_chain([ - dup73, - dup22, - setc("event_description","ROTATE COMPRESS EXEC FAILED"), - dup23, - ])); - - var msg284 = msg("LIBJNX_ROTATE_COMPRESS_EXEC_FAILED", part304); - - var part305 = match("MESSAGE#280:LIBSERVICED_CLIENT_CONNECTION", "nwparser.payload", 
"%{process}[%{process_id}]: %{event_type}: Client connection error: %{result}", processor_chain([ - dup74, - dup22, - setc("event_description","Client connection error"), - dup23, - ])); - - var msg285 = msg("LIBSERVICED_CLIENT_CONNECTION", part305); - - var part306 = match("MESSAGE#281:LIBSERVICED_OUTBOUND_REQUEST", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Outbound request failed for command [%{action}]: %{result}", processor_chain([ - dup73, - dup22, - setc("event_description","Outbound request failed for command"), - dup23, - ])); - - var msg286 = msg("LIBSERVICED_OUTBOUND_REQUEST", part306); - - var part307 = match("MESSAGE#282:LIBSERVICED_SNMP_LOST_CONNECTION", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Connection closed while receiving from client %{dclass_counter1}", processor_chain([ - dup27, - dup22, - setc("event_description","Connection closed while receiving from client"), - dup23, - ])); - - var msg287 = msg("LIBSERVICED_SNMP_LOST_CONNECTION", part307); - - var part308 = match("MESSAGE#283:LIBSERVICED_SOCKET_BIND", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{resultcode}: unable to bind socket %{ssid}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","unable to bind socket"), - dup23, - ])); - - var msg288 = msg("LIBSERVICED_SOCKET_BIND", part308); - - var part309 = match("MESSAGE#284:LIBSERVICED_SOCKET_PRIVATIZE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to attach socket %{ssid->} to management routing instance: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Unable to attach socket to management routing instance"), - dup23, - ])); - - var msg289 = msg("LIBSERVICED_SOCKET_PRIVATIZE", part309); - - var part310 = match("MESSAGE#285:LICENSE_EXPIRED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","LICENSE EXPIRED"), - 
dup23, - ])); - - var msg290 = msg("LICENSE_EXPIRED", part310); - - var part311 = match("MESSAGE#286:LICENSE_EXPIRED_KEY_DELETED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: License key \"%(unknown)\" has expired.", processor_chain([ - dup21, - dup22, - setc("event_description","License key has expired"), - dup23, - ])); - - var msg291 = msg("LICENSE_EXPIRED_KEY_DELETED", part311); - - var part312 = match("MESSAGE#287:LICENSE_NEARING_EXPIRY", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: License for feature %{disposition->} %{result}", processor_chain([ - dup21, - dup22, - setc("event_description","License key expiration soon"), - dup23, - ])); - - var msg292 = msg("LICENSE_NEARING_EXPIRY", part312); - - var part313 = match("MESSAGE#288:LOGIN_ABORTED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Client aborted login", processor_chain([ - dup30, - dup22, - setc("event_description","client aborted login"), - dup23, - ])); - - var msg293 = msg("LOGIN_ABORTED", part313); - - var part314 = match("MESSAGE#289:LOGIN_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Login failed for user %{username->} from host %{dhost}", processor_chain([ - dup44, - dup34, - dup35, - dup36, - dup43, - dup22, - dup75, - dup23, - ])); - - var msg294 = msg("LOGIN_FAILED", part314); - - var part315 = match("MESSAGE#290:LOGIN_FAILED_INCORRECT_PASSWORD", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Incorrect password for user %{username}", processor_chain([ - dup44, - dup34, - dup35, - dup36, - dup43, - dup22, - dup75, - setc("result","Incorrect password for user"), - dup23, - ])); - - var msg295 = msg("LOGIN_FAILED_INCORRECT_PASSWORD", part315); - - var part316 = match("MESSAGE#291:LOGIN_FAILED_SET_CONTEXT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Failed to set context for user %{username}", processor_chain([ - dup44, - dup34, - dup35, - dup36, - dup43, - dup22, - dup75, - 
setc("result","Failed to set context for user"), - dup23, - ])); - - var msg296 = msg("LOGIN_FAILED_SET_CONTEXT", part316); - - var part317 = match("MESSAGE#292:LOGIN_FAILED_SET_LOGIN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Failed to set login ID for user %{username}: %{dhost}", processor_chain([ - dup44, - dup34, - dup35, - dup36, - dup43, - dup22, - dup75, - setc("result","Failed to set login ID for user"), - dup23, - ])); - - var msg297 = msg("LOGIN_FAILED_SET_LOGIN", part317); - - var part318 = match("MESSAGE#293:LOGIN_HOSTNAME_UNRESOLVED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to resolve hostname %{dhost}: %{info}", processor_chain([ - dup44, - dup34, - dup35, - dup36, - dup43, - dup22, - dup75, - setc("result","Unable to resolve hostname"), - dup23, - ])); - - var msg298 = msg("LOGIN_HOSTNAME_UNRESOLVED", part318); - - var part319 = match("MESSAGE#294:LOGIN_INFORMATION/2", "nwparser.p0", "%{event_type}: %{p0}"); - - var part320 = match("MESSAGE#294:LOGIN_INFORMATION/4", "nwparser.p0", "%{username->} logged in from host %{dhost->} on %{p0}"); - - var part321 = match("MESSAGE#294:LOGIN_INFORMATION/5_0", "nwparser.p0", "device %{p0}"); - - var select34 = linear_select([ - part321, - dup45, - ]); - - var part322 = match("MESSAGE#294:LOGIN_INFORMATION/6", "nwparser.p0", "%{terminal}"); - - var all19 = all_match({ - processors: [ - dup39, - dup137, - part319, - dup145, - part320, - select34, - part322, - ], - on_success: processor_chain([ - dup33, - dup34, - dup35, - dup36, - dup37, - dup22, - setc("event_description","Successful Login"), - dup23, - ]), - }); - - var msg299 = msg("LOGIN_INFORMATION", all19); - - var part323 = match("MESSAGE#295:LOGIN_INVALID_LOCAL_USER", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: No entry in local password file for user %{username}", processor_chain([ - dup44, - dup34, - dup35, - dup36, - dup43, - dup22, - dup75, - setc("result","No entry in local password 
file for user"), - dup23, - ])); - - var msg300 = msg("LOGIN_INVALID_LOCAL_USER", part323); - - var part324 = match("MESSAGE#296:LOGIN_MALFORMED_USER", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Invalid username: %{username}", processor_chain([ - dup44, - dup34, - dup35, - dup36, - dup43, - dup22, - dup75, - setc("result","Invalid username"), - dup23, - ])); - - var msg301 = msg("LOGIN_MALFORMED_USER", part324); - - var part325 = match("MESSAGE#297:LOGIN_PAM_AUTHENTICATION_ERROR/1_0", "nwparser.p0", "PAM authentication error for user %{p0}"); - - var part326 = match("MESSAGE#297:LOGIN_PAM_AUTHENTICATION_ERROR/1_1", "nwparser.p0", "Failed password for user %{p0}"); - - var select35 = linear_select([ - part325, - part326, - ]); - - var part327 = match("MESSAGE#297:LOGIN_PAM_AUTHENTICATION_ERROR/2", "nwparser.p0", "%{username}"); - - var all20 = all_match({ - processors: [ - dup50, - select35, - part327, - ], - on_success: processor_chain([ - dup44, - dup34, - dup35, - dup36, - dup43, - dup22, - dup75, - setc("result","PAM authentication error for user"), - dup23, - ]), - }); - - var msg302 = msg("LOGIN_PAM_AUTHENTICATION_ERROR", all20); - - var part328 = match("MESSAGE#298:LOGIN_PAM_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Failure while authenticating user %{username}: %{dhost}", processor_chain([ - dup44, - dup34, - dup35, - dup36, - dup43, - dup22, - setc("event_description","PAM authentication failure"), - setc("result","Failure while authenticating user"), - dup23, - ])); - - var msg303 = msg("LOGIN_PAM_ERROR", part328); - - var part329 = match("MESSAGE#299:LOGIN_PAM_MAX_RETRIES", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Too many retries while authenticating user %{username}", processor_chain([ - dup44, - dup34, - dup35, - dup36, - dup43, - dup22, - dup75, - setc("result","Too many retries while authenticating user"), - dup23, - ])); - - var msg304 = msg("LOGIN_PAM_MAX_RETRIES", part329); - - 
var part330 = match("MESSAGE#300:LOGIN_PAM_NONLOCAL_USER", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User %{username->} authenticated but has no local login ID", processor_chain([ - dup44, - dup34, - dup35, - dup36, - dup43, - dup22, - dup75, - setc("result","User authenticated but has no local login ID"), - dup23, - ])); - - var msg305 = msg("LOGIN_PAM_NONLOCAL_USER", part330); - - var part331 = match("MESSAGE#301:LOGIN_PAM_STOP", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Failed to end PAM session: %{info}", processor_chain([ - setc("eventcategory","1303000000"), - dup34, - dup43, - dup22, - setc("event_description","Failed to end PAM session"), - dup23, - ])); - - var msg306 = msg("LOGIN_PAM_STOP", part331); - - var part332 = match("MESSAGE#302:LOGIN_PAM_USER_UNKNOWN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Attempt to authenticate unknown user %{username}", processor_chain([ - dup44, - dup34, - dup35, - dup36, - dup43, - dup22, - dup75, - setc("result","Attempt to authenticate unknown user"), - dup23, - ])); - - var msg307 = msg("LOGIN_PAM_USER_UNKNOWN", part332); - - var part333 = match("MESSAGE#303:LOGIN_PASSWORD_EXPIRED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Forcing change of expired password for user %{username}>", processor_chain([ - dup44, - dup34, - dup35, - dup36, - dup43, - dup22, - dup75, - setc("result","Forcing change of expired password for user"), - dup23, - ])); - - var msg308 = msg("LOGIN_PASSWORD_EXPIRED", part333); - - var part334 = match("MESSAGE#304:LOGIN_REFUSED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Login of user %{username->} from host %{shost->} on %{terminal->} was refused: %{info}", processor_chain([ - dup44, - dup34, - dup35, - dup36, - dup43, - dup22, - dup75, - setc("result","Login of user refused"), - dup23, - ])); - - var msg309 = msg("LOGIN_REFUSED", part334); - - var part335 = match("MESSAGE#305:LOGIN_ROOT", 
"nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User %{username->} logged in as root from host %{shost->} on %{terminal}", processor_chain([ - dup33, - dup34, - dup35, - dup36, - dup37, - dup22, - setc("event_description","successful login as root"), - setc("result","User logged in as root"), - dup23, - ])); - - var msg310 = msg("LOGIN_ROOT", part335); - - var part336 = match("MESSAGE#306:LOGIN_TIMED_OUT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Login attempt timed out after %{dclass_counter1->} seconds", processor_chain([ - dup44, - dup34, - dup36, - dup43, - dup22, - dup75, - setc("result","Login attempt timed out"), - dup23, - ])); - - var msg311 = msg("LOGIN_TIMED_OUT", part336); - - var part337 = match("MESSAGE#307:MIB2D_ATM_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","MIB2D ATM ERROR"), - dup23, - ])); - - var msg312 = msg("MIB2D_ATM_ERROR", part337); - - var part338 = match("MESSAGE#308:MIB2D_CONFIG_CHECK_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","CONFIG CHECK FAILED"), - dup23, - ])); - - var msg313 = msg("MIB2D_CONFIG_CHECK_FAILED", part338); - - var part339 = match("MESSAGE#309:MIB2D_FILE_OPEN_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to open file '%(unknown)': %{result}", processor_chain([ - dup30, - dup22, - dup78, - dup23, - ])); - - var msg314 = msg("MIB2D_FILE_OPEN_FAILURE", part339); - - var msg315 = msg("MIB2D_IFD_IFINDEX_FAILURE", dup146); - - var msg316 = msg("MIB2D_IFL_IFINDEX_FAILURE", dup146); - - var part340 = match("MESSAGE#312:MIB2D_INIT_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: mib2d initialization failure: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","mib2d initialization 
failure"), - dup23, - ])); - - var msg317 = msg("MIB2D_INIT_FAILURE", part340); - - var part341 = match("MESSAGE#313:MIB2D_KVM_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","MIB2D KVM FAILURE"), - dup23, - ])); - - var msg318 = msg("MIB2D_KVM_FAILURE", part341); - - var part342 = match("MESSAGE#314:MIB2D_RTSLIB_READ_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: failed in %{dclass_counter1->} %{dclass_counter2->} index (%{result})", processor_chain([ - dup30, - dup22, - setc("event_description","MIB2D RTSLIB READ FAILURE"), - dup23, - ])); - - var msg319 = msg("MIB2D_RTSLIB_READ_FAILURE", part342); - - var part343 = match("MESSAGE#315:MIB2D_RTSLIB_SEQ_MISMATCH", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: sequence mismatch (%{result}), %{action}", processor_chain([ - dup30, - dup22, - setc("event_description","RTSLIB sequence mismatch"), - dup23, - ])); - - var msg320 = msg("MIB2D_RTSLIB_SEQ_MISMATCH", part343); - - var part344 = match("MESSAGE#316:MIB2D_SYSCTL_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: %{action}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","MIB2D SYSCTL FAILURE"), - dup23, - ])); - - var msg321 = msg("MIB2D_SYSCTL_FAILURE", part344); - - var part345 = match("MESSAGE#317:MIB2D_TRAP_HEADER_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: trap_request_header failed", processor_chain([ - dup30, - dup22, - setc("event_description","trap_request_header failed"), - dup23, - ])); - - var msg322 = msg("MIB2D_TRAP_HEADER_FAILURE", part345); - - var part346 = match("MESSAGE#318:MIB2D_TRAP_SEND_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: %{action}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","MIB2D 
TRAP SEND FAILURE"), - dup23, - ])); - - var msg323 = msg("MIB2D_TRAP_SEND_FAILURE", part346); - - var part347 = match("MESSAGE#319:Multiuser", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: old requested_transition==%{change_new->} sighupped=%{result}", processor_chain([ - dup21, - dup22, - setc("event_description","user sighupped"), - dup23, - ])); - - var msg324 = msg("Multiuser", part347); - - var part348 = match("MESSAGE#320:NASD_AUTHENTICATION_CREATE_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to allocate authentication handle: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Unable to allocate authentication handle"), - dup23, - ])); - - var msg325 = msg("NASD_AUTHENTICATION_CREATE_FAILED", part348); - - var part349 = match("MESSAGE#321:NASD_CHAP_AUTHENTICATION_IN_PROGRESS", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{interface}: received %(unknown), authentication already in progress", processor_chain([ - dup80, - dup34, - dup43, - dup22, - setc("event_description","authentication already in progress"), - dup23, - ])); - - var msg326 = msg("NASD_CHAP_AUTHENTICATION_IN_PROGRESS", part349); - - var part350 = match("MESSAGE#322:NASD_CHAP_GETHOSTNAME_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{interface}: unable to obtain hostname for outgoing CHAP message: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","unable to obtain hostname for outgoing CHAP message"), - dup23, - ])); - - var msg327 = msg("NASD_CHAP_GETHOSTNAME_FAILED", part350); - - var part351 = match("MESSAGE#323:NASD_CHAP_INVALID_CHAP_IDENTIFIER", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{interface}: received %{filename->} expected CHAP ID: %{resultcode}", processor_chain([ - dup30, - dup22, - setc("event_description","CHAP INVALID_CHAP IDENTIFIER"), - dup23, - ])); - - var msg328 = msg("NASD_CHAP_INVALID_CHAP_IDENTIFIER", 
part351); - - var part352 = match("MESSAGE#324:NASD_CHAP_INVALID_OPCODE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{interface}.%{dclass_counter1}: invalid operation code received %(unknown), CHAP ID: %{resultcode}", processor_chain([ - dup30, - dup22, - setc("event_description","CHAP INVALID OPCODE"), - dup23, - ])); - - var msg329 = msg("NASD_CHAP_INVALID_OPCODE", part352); - - var part353 = match("MESSAGE#325:NASD_CHAP_LOCAL_NAME_UNAVAILABLE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to determine value for '%{username}' in outgoing CHAP packet", processor_chain([ - dup30, - dup22, - setc("event_description","Unable to determine value for username in outgoing CHAP packet"), - dup23, - ])); - - var msg330 = msg("NASD_CHAP_LOCAL_NAME_UNAVAILABLE", part353); - - var part354 = match("MESSAGE#326:NASD_CHAP_MESSAGE_UNEXPECTED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{interface}: received %(unknown)", processor_chain([ - dup30, - dup22, - setc("event_description","CHAP MESSAGE UNEXPECTED"), - dup23, - ])); - - var msg331 = msg("NASD_CHAP_MESSAGE_UNEXPECTED", part354); - - var part355 = match("MESSAGE#327:NASD_CHAP_REPLAY_ATTACK_DETECTED", "nwparser.payload", "%{process}[%{ssid}]: %{event_type}: %{interface}.%{dclass_counter1}: received %{filename->} %{result}.%{info}", processor_chain([ - dup81, - dup22, - setc("event_description","CHAP REPLAY ATTACK DETECTED"), - dup23, - ])); - - var msg332 = msg("NASD_CHAP_REPLAY_ATTACK_DETECTED", part355); - - var part356 = match("MESSAGE#328:NASD_CONFIG_GET_LAST_MODIFIED_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to determine last modified time of JUNOS configuration database: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Unable to determine last modified time of JUNOS configuration database"), - dup23, - ])); - - var msg333 = msg("NASD_CONFIG_GET_LAST_MODIFIED_FAILED", part356); - - var 
msg334 = msg("NASD_DAEMONIZE_FAILED", dup140); - - var part357 = match("MESSAGE#330:NASD_DB_ALLOC_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to allocate database object: %(unknown), %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Unable to allocate database object"), - dup23, - ])); - - var msg335 = msg("NASD_DB_ALLOC_FAILURE", part357); - - var part358 = match("MESSAGE#331:NASD_DB_TABLE_CREATE_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}: %(unknown), %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","DB TABLE CREATE FAILURE"), - dup23, - ])); - - var msg336 = msg("NASD_DB_TABLE_CREATE_FAILURE", part358); - - var msg337 = msg("NASD_DUPLICATE", dup141); - - var part359 = match("MESSAGE#333:NASD_EVLIB_CREATE_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action->} with: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","EVLIB CREATE FAILURE"), - dup23, - ])); - - var msg338 = msg("NASD_EVLIB_CREATE_FAILURE", part359); - - var part360 = match("MESSAGE#334:NASD_EVLIB_EXIT_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action->} value: %{result}, error: %{resultcode}", processor_chain([ - dup30, - dup22, - setc("event_description","EVLIB EXIT FAILURE"), - dup23, - ])); - - var msg339 = msg("NASD_EVLIB_EXIT_FAILURE", part360); - - var part361 = match("MESSAGE#335:NASD_LOCAL_CREATE_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to allocate LOCAL module handle: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Unable to allocate LOCAL module handle"), - dup23, - ])); - - var msg340 = msg("NASD_LOCAL_CREATE_FAILED", part361); - - var part362 = match("MESSAGE#336:NASD_NOT_ROOT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Must be run as root", processor_chain([ - dup63, - dup22, - 
setc("event_description","NASD must be run as root"), - dup23, - ])); - - var msg341 = msg("NASD_NOT_ROOT", part362); - - var msg342 = msg("NASD_PID_FILE_LOCK", dup142); - - var msg343 = msg("NASD_PID_FILE_UPDATE", dup143); - - var part363 = match("MESSAGE#339:NASD_POST_CONFIGURE_EVENT_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","POST CONFIGURE EVENT FAILED"), - dup23, - ])); - - var msg344 = msg("NASD_POST_CONFIGURE_EVENT_FAILED", part363); - - var part364 = match("MESSAGE#340:NASD_PPP_READ_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","PPP READ FAILURE"), - dup23, - ])); - - var msg345 = msg("NASD_PPP_READ_FAILURE", part364); - - var part365 = match("MESSAGE#341:NASD_PPP_SEND_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to send message: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Unable to send message"), - dup23, - ])); - - var msg346 = msg("NASD_PPP_SEND_FAILURE", part365); - - var part366 = match("MESSAGE#342:NASD_PPP_SEND_PARTIAL", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to send all of message: %{resultcode}", processor_chain([ - dup30, - dup22, - setc("event_description","Unable to send all of message"), - dup23, - ])); - - var msg347 = msg("NASD_PPP_SEND_PARTIAL", part366); - - var part367 = match("MESSAGE#343:NASD_PPP_UNRECOGNIZED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unrecognized authentication protocol: %{protocol}", processor_chain([ - dup30, - dup22, - setc("event_description","Unrecognized authentication protocol"), - dup23, - ])); - - var msg348 = msg("NASD_PPP_UNRECOGNIZED", part367); - - var part368 = match("MESSAGE#344:NASD_RADIUS_ALLOCATE_PASSWORD_FAILED", "nwparser.payload", 
"%{process}[%{process_id}]: %{event_type}: %{action->} when allocating password for RADIUS: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","RADIUS password allocation failure"), - dup23, - ])); - - var msg349 = msg("NASD_RADIUS_ALLOCATE_PASSWORD_FAILED", part368); - - var part369 = match("MESSAGE#345:NASD_RADIUS_CONFIG_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","RADIUS CONFIG FAILED"), - dup23, - ])); - - var msg350 = msg("NASD_RADIUS_CONFIG_FAILED", part369); - - var part370 = match("MESSAGE#346:NASD_RADIUS_CREATE_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to allocate RADIUS module handle: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Unable to allocate RADIUS module handle"), - dup23, - ])); - - var msg351 = msg("NASD_RADIUS_CREATE_FAILED", part370); - - var part371 = match("MESSAGE#347:NASD_RADIUS_CREATE_REQUEST_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","RADIUS CREATE REQUEST FAILED"), - dup23, - ])); - - var msg352 = msg("NASD_RADIUS_CREATE_REQUEST_FAILED", part371); - - var part372 = match("MESSAGE#348:NASD_RADIUS_GETHOSTNAME_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to obtain hostname for outgoing RADIUS message: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Unable to obtain hostname for outgoing RADIUS message"), - dup23, - ])); - - var msg353 = msg("NASD_RADIUS_GETHOSTNAME_FAILED", part372); - - var part373 = match("MESSAGE#349:NASD_RADIUS_MESSAGE_UNEXPECTED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unknown response from RADIUS server: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Unknown response from RADIUS server"), - 
dup23, - ])); - - var msg354 = msg("NASD_RADIUS_MESSAGE_UNEXPECTED", part373); - - var part374 = match("MESSAGE#350:NASD_RADIUS_OPEN_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","RADIUS OPEN FAILED"), - dup23, - ])); - - var msg355 = msg("NASD_RADIUS_OPEN_FAILED", part374); - - var part375 = match("MESSAGE#351:NASD_RADIUS_SELECT_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","RADIUS SELECT FAILED"), - dup23, - ])); - - var msg356 = msg("NASD_RADIUS_SELECT_FAILED", part375); - - var part376 = match("MESSAGE#352:NASD_RADIUS_SET_TIMER_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","RADIUS SET TIMER FAILED"), - dup23, - ])); - - var msg357 = msg("NASD_RADIUS_SET_TIMER_FAILED", part376); - - var part377 = match("MESSAGE#353:NASD_TRACE_FILE_OPEN_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","TRACE FILE OPEN FAILED"), - dup23, - ])); - - var msg358 = msg("NASD_TRACE_FILE_OPEN_FAILED", part377); - - var part378 = match("MESSAGE#354:NASD_usage", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{result}: %{info}", processor_chain([ - dup21, - dup22, - setc("event_description","NASD Usage"), - dup23, - ])); - - var msg359 = msg("NASD_usage", part378); - - var part379 = match("MESSAGE#355:NOTICE", "nwparser.payload", "%{agent}: %{event_type}:%{action}: %{event_description}: The %{result}", processor_chain([ - dup21, - dup22, - dup23, - ])); - - var msg360 = msg("NOTICE", part379); - - var part380 = match("MESSAGE#356:PFE_FW_SYSLOG_IP", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: FW: %{smacaddr->} 
%{fld10->} %{protocol->} %{saddr->} %{daddr->} %{sport->} %{dport->} (%{packets->} packets)", processor_chain([ - dup21, - dup22, - dup82, - dup23, - ])); - - var msg361 = msg("PFE_FW_SYSLOG_IP", part380); - - var part381 = match("MESSAGE#357:PFE_FW_SYSLOG_IP:01", "nwparser.payload", "%{hostip->} %{hostname->} %{event_type}: FW: %{smacaddr->} %{fld10->} %{protocol->} %{saddr->} %{daddr->} %{sport->} %{dport->} (%{packets->} packets)", processor_chain([ - dup21, - dup22, - dup82, - dup23, - ])); - - var msg362 = msg("PFE_FW_SYSLOG_IP:01", part381); - - var select36 = linear_select([ - msg361, - msg362, - ]); - - var part382 = match("MESSAGE#358:PFE_NH_RESOLVE_THROTTLED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Next-hop resolution requests from interface %{interface->} throttled", processor_chain([ - dup21, - dup22, - setc("event_description","Next-hop resolution requests throttled"), - dup23, - ])); - - var msg363 = msg("PFE_NH_RESOLVE_THROTTLED", part382); - - var part383 = match("MESSAGE#359:PING_TEST_COMPLETED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: pingCtlOwnerIndex = %{dclass_counter1}, pingCtlTestName = %{obj_name}", processor_chain([ - dup21, - dup22, - setc("event_description","PING TEST COMPLETED"), - dup23, - ])); - - var msg364 = msg("PING_TEST_COMPLETED", part383); - - var part384 = match("MESSAGE#360:PING_TEST_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: pingCtlOwnerIndex = %{dclass_counter1}, pingCtlTestName = %{obj_name}", processor_chain([ - dup21, - dup22, - setc("event_description","PING TEST FAILED"), - dup23, - ])); - - var msg365 = msg("PING_TEST_FAILED", part384); - - var part385 = match("MESSAGE#361:process_mode/2", "nwparser.p0", "%{p0}"); - - var part386 = match("MESSAGE#361:process_mode/3_0", "nwparser.p0", "%{event_type}: %{p0}"); - - var part387 = match("MESSAGE#361:process_mode/3_1", "nwparser.p0", "%{event_type->} %{p0}"); - - var select37 = linear_select([ - 
part386, - part387, - ]); - - var part388 = match("MESSAGE#361:process_mode/4", "nwparser.p0", "mode=%{protocol->} cmd=%{action->} master_mode=%{result}"); - - var all21 = all_match({ - processors: [ - dup39, - dup137, - part385, - select37, - part388, - ], - on_success: processor_chain([ - dup21, - dup22, - dup83, - dup23, - ]), - }); - - var msg366 = msg("process_mode", all21); - - var part389 = match("MESSAGE#362:process_mode:01", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: current_mode=%{protocol}, requested_mode=%{result}, cmd=%{action}", processor_chain([ - dup21, - dup22, - dup83, - dup23, - ])); - - var msg367 = msg("process_mode:01", part389); - - var select38 = linear_select([ - msg366, - msg367, - ]); - - var part390 = match("MESSAGE#363:PWC_EXIT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Process %{agent->} exiting with status %{result}", processor_chain([ - dup21, - dup22, - setc("event_description","process exit with status"), - dup23, - ])); - - var msg368 = msg("PWC_EXIT", part390); - - var part391 = match("MESSAGE#364:PWC_HOLD_RELEASE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Process %{agent->} released child %{child_pid->} from %{dclass_counter1->} state", processor_chain([ - dup21, - dup22, - setc("event_description","Process released child from state"), - dup23, - ])); - - var msg369 = msg("PWC_HOLD_RELEASE", part391); - - var part392 = match("MESSAGE#365:PWC_INVALID_RUNS_ARGUMENT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: %{result}, not %{resultcode}", processor_chain([ - dup21, - dup22, - setc("event_description","invalid runs argument"), - dup23, - ])); - - var msg370 = msg("PWC_INVALID_RUNS_ARGUMENT", part392); - - var part393 = match("MESSAGE#366:PWC_INVALID_TIMEOUT_ARGUMENT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","INVALID TIMEOUT 
ARGUMENT"), - dup23, - ])); - - var msg371 = msg("PWC_INVALID_TIMEOUT_ARGUMENT", part393); - - var part394 = match("MESSAGE#367:PWC_KILLED_BY_SIGNAL", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: pwc process %{agent->} received terminating signal", processor_chain([ - dup21, - dup22, - setc("event_description","pwc process received terminating signal"), - dup23, - ])); - - var msg372 = msg("PWC_KILLED_BY_SIGNAL", part394); - - var part395 = match("MESSAGE#368:PWC_KILL_EVENT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: pwc is sending %{resultcode->} to child %{child_pid}", processor_chain([ - dup30, - dup22, - setc("event_description","pwc is sending kill event to child"), - dup23, - ])); - - var msg373 = msg("PWC_KILL_EVENT", part395); - - var part396 = match("MESSAGE#369:PWC_KILL_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to kill process %{child_pid}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Unable to kill process"), - dup23, - ])); - - var msg374 = msg("PWC_KILL_FAILED", part396); - - var part397 = match("MESSAGE#370:PWC_KQUEUE_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: kevent failed: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","kevent failed"), - dup23, - ])); - - var msg375 = msg("PWC_KQUEUE_ERROR", part397); - - var part398 = match("MESSAGE#371:PWC_KQUEUE_INIT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to create kqueue: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Unable to create kqueue"), - dup23, - ])); - - var msg376 = msg("PWC_KQUEUE_INIT", part398); - - var part399 = match("MESSAGE#372:PWC_KQUEUE_REGISTER_FILTER", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Failed to register kqueue filter: %{agent->} for purpose: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Failed to register 
kqueue filter"), - dup23, - ])); - - var msg377 = msg("PWC_KQUEUE_REGISTER_FILTER", part399); - - var part400 = match("MESSAGE#373:PWC_LOCKFILE_BAD_FORMAT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: PID lock file has bad format: %{agent}", processor_chain([ - dup30, - dup22, - setc("event_description","PID lock file has bad format"), - dup23, - ])); - - var msg378 = msg("PWC_LOCKFILE_BAD_FORMAT", part400); - - var part401 = match("MESSAGE#374:PWC_LOCKFILE_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: PID lock file had error: %{agent}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","PID lock file error"), - dup23, - ])); - - var msg379 = msg("PWC_LOCKFILE_ERROR", part401); - - var part402 = match("MESSAGE#375:PWC_LOCKFILE_MISSING", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: PID lock file not found: %{agent}", processor_chain([ - dup30, - dup22, - setc("event_description","PID lock file not found"), - dup23, - ])); - - var msg380 = msg("PWC_LOCKFILE_MISSING", part402); - - var part403 = match("MESSAGE#376:PWC_LOCKFILE_NOT_LOCKED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: PID lock file not locked: %{agent}", processor_chain([ - dup30, - dup22, - setc("event_description","PID lock file not locked"), - dup23, - ])); - - var msg381 = msg("PWC_LOCKFILE_NOT_LOCKED", part403); - - var part404 = match("MESSAGE#377:PWC_NO_PROCESS", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: No process specified", processor_chain([ - dup30, - dup22, - setc("event_description","No process specified for PWC"), - dup23, - ])); - - var msg382 = msg("PWC_NO_PROCESS", part404); - - var part405 = match("MESSAGE#378:PWC_PROCESS_EXIT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: pwc process %{agent->} child %{child_pid->} exited with status %{result}", processor_chain([ - dup21, - dup22, - setc("event_description","pwc process exited with status"), - 
dup23, - ])); - - var msg383 = msg("PWC_PROCESS_EXIT", part405); - - var part406 = match("MESSAGE#379:PWC_PROCESS_FORCED_HOLD", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Process %{agent->} forcing hold down of child %{child_pid->} until signal", processor_chain([ - dup21, - dup22, - setc("event_description","Process forcing hold down of child until signalled"), - dup23, - ])); - - var msg384 = msg("PWC_PROCESS_FORCED_HOLD", part406); - - var part407 = match("MESSAGE#380:PWC_PROCESS_HOLD", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Process %{agent->} holding down child %{child_pid->} until signal", processor_chain([ - dup21, - dup22, - setc("event_description","Process holding down child until signalled"), - dup23, - ])); - - var msg385 = msg("PWC_PROCESS_HOLD", part407); - - var part408 = match("MESSAGE#381:PWC_PROCESS_HOLD_SKIPPED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Process %{agent->} will not down child %{child_pid->} because of %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Process not holding down child"), - dup23, - ])); - - var msg386 = msg("PWC_PROCESS_HOLD_SKIPPED", part408); - - var part409 = match("MESSAGE#382:PWC_PROCESS_OPEN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Failed to create child process with pidpopen: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Failed to create child process with pidpopen"), - dup23, - ])); - - var msg387 = msg("PWC_PROCESS_OPEN", part409); - - var part410 = match("MESSAGE#383:PWC_PROCESS_TIMED_HOLD", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Process %{agent->} holding down child %{child_pid->} %{result}", processor_chain([ - dup21, - dup22, - setc("event_description","Process holding down child"), - dup23, - ])); - - var msg388 = msg("PWC_PROCESS_TIMED_HOLD", part410); - - var part411 = match("MESSAGE#384:PWC_PROCESS_TIMEOUT", "nwparser.payload", 
"%{process}[%{process_id}]: %{event_type}: Child timed out %{result}", processor_chain([ - dup21, - dup22, - setc("event_description","Child process timed out"), - dup23, - ])); - - var msg389 = msg("PWC_PROCESS_TIMEOUT", part411); - - var part412 = match("MESSAGE#385:PWC_SIGNAL_INIT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: signal(%{agent}) failed: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","signal failure"), - dup23, - ])); - - var msg390 = msg("PWC_SIGNAL_INIT", part412); - - var part413 = match("MESSAGE#386:PWC_SOCKET_CONNECT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to connect socket to %{agent}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Unable to connect socket to service"), - dup23, - ])); - - var msg391 = msg("PWC_SOCKET_CONNECT", part413); - - var part414 = match("MESSAGE#387:PWC_SOCKET_CREATE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Failed to create socket: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Failed to create socket"), - dup23, - ])); - - var msg392 = msg("PWC_SOCKET_CREATE", part414); - - var part415 = match("MESSAGE#388:PWC_SOCKET_OPTION", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to set socket option %{agent}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Unable to set socket option"), - dup23, - ])); - - var msg393 = msg("PWC_SOCKET_OPTION", part415); - - var part416 = match("MESSAGE#389:PWC_STDOUT_WRITE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Write to stdout failed: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Write to stdout failed"), - dup23, - ])); - - var msg394 = msg("PWC_STDOUT_WRITE", part416); - - var part417 = match("MESSAGE#390:PWC_SYSTEM_CALL", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: %{result}", processor_chain([ - 
dup21, - dup22, - setc("event_description","PWC SYSTEM CALL"), - dup23, - ])); - - var msg395 = msg("PWC_SYSTEM_CALL", part417); - - var part418 = match("MESSAGE#391:PWC_UNKNOWN_KILL_OPTION", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unknown kill option [%{agent}]", processor_chain([ - dup30, - dup22, - setc("event_description","Unknown kill option"), - dup23, - ])); - - var msg396 = msg("PWC_UNKNOWN_KILL_OPTION", part418); - - var part419 = match("MESSAGE#392:RMOPD_ADDRESS_MULTICAST_INVALID", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Multicast address is not allowed", processor_chain([ - dup30, - dup22, - setc("event_description","Multicast address not allowed"), - dup23, - ])); - - var msg397 = msg("RMOPD_ADDRESS_MULTICAST_INVALID", part419); - - var part420 = match("MESSAGE#393:RMOPD_ADDRESS_SOURCE_INVALID", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Source address invalid: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","RMOPD ADDRESS SOURCE INVALID"), - dup23, - ])); - - var msg398 = msg("RMOPD_ADDRESS_SOURCE_INVALID", part420); - - var part421 = match("MESSAGE#394:RMOPD_ADDRESS_STRING_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to convert numeric address to string: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Unable to convert numeric address to string"), - dup23, - ])); - - var msg399 = msg("RMOPD_ADDRESS_STRING_FAILURE", part421); - - var part422 = match("MESSAGE#395:RMOPD_ADDRESS_TARGET_INVALID", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: rmop_util_set_address status message: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","rmop_util_set_address status message invalid"), - dup23, - ])); - - var msg400 = msg("RMOPD_ADDRESS_TARGET_INVALID", part422); - - var msg401 = msg("RMOPD_DUPLICATE", dup141); - - var part423 = 
match("MESSAGE#397:RMOPD_ICMP_ADDRESS_TYPE_UNSUPPORTED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Only IPv4 source address is supported", processor_chain([ - dup30, - dup22, - setc("event_description","Only IPv4 source address is supported"), - dup23, - ])); - - var msg402 = msg("RMOPD_ICMP_ADDRESS_TYPE_UNSUPPORTED", part423); - - var part424 = match("MESSAGE#398:RMOPD_ICMP_SENDMSG_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{fld1}: No route to host", processor_chain([ - dup30, - dup22, - setc("event_description","No route to host"), - dup23, - ])); - - var msg403 = msg("RMOPD_ICMP_SENDMSG_FAILURE", part424); - - var part425 = match("MESSAGE#399:RMOPD_IFINDEX_NOT_ACTIVE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: ifindex: %{interface}", processor_chain([ - dup30, - dup22, - setc("event_description","IFINDEX NOT ACTIVE"), - dup23, - ])); - - var msg404 = msg("RMOPD_IFINDEX_NOT_ACTIVE", part425); - - var part426 = match("MESSAGE#400:RMOPD_IFINDEX_NO_INFO", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: No information for %{interface}, message: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","IFINDEX NO INFO"), - dup23, - ])); - - var msg405 = msg("RMOPD_IFINDEX_NO_INFO", part426); - - var part427 = match("MESSAGE#401:RMOPD_IFNAME_NOT_ACTIVE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: ifname: %{interface}", processor_chain([ - dup30, - dup22, - setc("event_description","RMOPD IFNAME NOT ACTIVE"), - dup23, - ])); - - var msg406 = msg("RMOPD_IFNAME_NOT_ACTIVE", part427); - - var part428 = match("MESSAGE#402:RMOPD_IFNAME_NO_INFO", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: No information for %{interface}, message: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","IFNAME NO INFO"), - dup23, - ])); - - var msg407 = msg("RMOPD_IFNAME_NO_INFO", part428); - - var part429 = match("MESSAGE#403:RMOPD_NOT_ROOT", 
"nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Must be run as root", processor_chain([ - dup63, - dup22, - setc("event_description","RMOPD Must be run as root"), - dup23, - ])); - - var msg408 = msg("RMOPD_NOT_ROOT", part429); - - var part430 = match("MESSAGE#404:RMOPD_ROUTING_INSTANCE_NO_INFO", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: No information for routing instance %{agent}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","No information for routing instance"), - dup23, - ])); - - var msg409 = msg("RMOPD_ROUTING_INSTANCE_NO_INFO", part430); - - var part431 = match("MESSAGE#405:RMOPD_TRACEROUTE_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","TRACEROUTE ERROR"), - dup23, - ])); - - var msg410 = msg("RMOPD_TRACEROUTE_ERROR", part431); - - var part432 = match("MESSAGE#406:RMOPD_usage", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{result}: %{info}", processor_chain([ - dup21, - dup22, - setc("event_description","RMOPD usage"), - dup23, - ])); - - var msg411 = msg("RMOPD_usage", part432); - - var part433 = match("MESSAGE#407:RPD_ABORT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action->} version built by builder on %{dclass_counter1}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","RPD ABORT"), - dup23, - ])); - - var msg412 = msg("RPD_ABORT", part433); - - var part434 = match("MESSAGE#408:RPD_ACTIVE_TERMINATE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Exiting with active tasks: %{agent}", processor_chain([ - dup30, - dup22, - setc("event_description","RPD exiting with active tasks"), - dup23, - ])); - - var msg413 = msg("RPD_ACTIVE_TERMINATE", part434); - - var part435 = match("MESSAGE#409:RPD_ASSERT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Assertion failed %{resultcode}: file 
\"%(unknown)\", line %{dclass_counter1}", processor_chain([ - dup30, - dup22, - setc("event_description","RPD Assertion failed"), - dup23, - ])); - - var msg414 = msg("RPD_ASSERT", part435); - - var part436 = match("MESSAGE#410:RPD_ASSERT_SOFT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Soft assertion failed %{resultcode}: file \"%(unknown)\", line %{dclass_counter1}", processor_chain([ - dup30, - dup22, - setc("event_description","RPD Soft assertion failed"), - dup23, - ])); - - var msg415 = msg("RPD_ASSERT_SOFT", part436); - - var part437 = match("MESSAGE#411:RPD_EXIT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action->} version built by builder on %{dclass_counter1}", processor_chain([ - dup21, - dup22, - setc("event_description","RPD EXIT"), - dup23, - ])); - - var msg416 = msg("RPD_EXIT", part437); - - var msg417 = msg("RPD_IFL_INDEXCOLLISION", dup147); - - var msg418 = msg("RPD_IFL_NAMECOLLISION", dup147); - - var part438 = match("MESSAGE#414:RPD_ISIS_ADJDOWN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: IS-IS lost %{dclass_counter1->} adjacency to %{dclass_counter2->} on %{interface}, %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","IS-IS lost adjacency"), - dup23, - ])); - - var msg419 = msg("RPD_ISIS_ADJDOWN", part438); - - var part439 = match("MESSAGE#415:RPD_ISIS_ADJUP", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: IS-IS new %{dclass_counter1->} adjacency to %{dclass_counter2->} %{interface}", processor_chain([ - dup21, - dup22, - setc("event_description","IS-IS new adjacency"), - dup23, - ])); - - var msg420 = msg("RPD_ISIS_ADJUP", part439); - - var part440 = match("MESSAGE#416:RPD_ISIS_ADJUPNOIP", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: IS-IS new %{dclass_counter1->} adjacency to %{dclass_counter2->} %{interface->} without an address", processor_chain([ - dup30, - dup22, - setc("event_description","IS-IS new adjacency 
without an address"), - dup23, - ])); - - var msg421 = msg("RPD_ISIS_ADJUPNOIP", part440); - - var part441 = match("MESSAGE#417:RPD_ISIS_LSPCKSUM", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: IS-IS %{dclass_counter1->} LSP checksum error, interface %{interface}, LSP id %{id}, sequence %{dclass_counter2}, checksum %{resultcode}, lifetime %{fld2}", processor_chain([ - dup30, - dup22, - setc("event_description","IS-IS LSP checksum error on iterface"), - dup23, - ])); - - var msg422 = msg("RPD_ISIS_LSPCKSUM", part441); - - var part442 = match("MESSAGE#418:RPD_ISIS_OVERLOAD", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: IS-IS database overload", processor_chain([ - dup30, - dup22, - setc("event_description","IS-IS database overload"), - dup23, - ])); - - var msg423 = msg("RPD_ISIS_OVERLOAD", part442); - - var part443 = match("MESSAGE#419:RPD_KRT_AFUNSUPRT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{resultcode}: received %{agent->} message with unsupported address family %{dclass_counter1}", processor_chain([ - dup30, - dup22, - setc("event_description","message with unsupported address family received"), - dup23, - ])); - - var msg424 = msg("RPD_KRT_AFUNSUPRT", part443); - - var part444 = match("MESSAGE#420:RPD_KRT_CCC_IFL_MODIFY", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{result}, error", processor_chain([ - dup30, - dup22, - setc("event_description","RPD KRT CCC IFL MODIFY"), - dup23, - ])); - - var msg425 = msg("RPD_KRT_CCC_IFL_MODIFY", part444); - - var part445 = match("MESSAGE#421:RPD_KRT_DELETED_RTT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: received deleted routing table from the kernel for family %{dclass_counter1->} table ID %{dclass_counter2}", processor_chain([ - dup30, - dup22, - setc("event_description","received deleted routing table from kernel"), - dup23, - ])); - - var msg426 = msg("RPD_KRT_DELETED_RTT", part445); - - var part446 = 
match("MESSAGE#422:RPD_KRT_IFA_GENERATION", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: ifa generation mismatch -- %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","ifa generation mismatch"), - dup23, - ])); - - var msg427 = msg("RPD_KRT_IFA_GENERATION", part446); - - var part447 = match("MESSAGE#423:RPD_KRT_IFDCHANGE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent->} CHANGE for ifd %{interface->} failed, error \"%{result}\"", processor_chain([ - dup30, - dup22, - setc("event_description","CHANGE for ifd failed"), - dup23, - ])); - - var msg428 = msg("RPD_KRT_IFDCHANGE", part447); - - var part448 = match("MESSAGE#424:RPD_KRT_IFDEST_GET", "nwparser.payload", "%{process}[%{process_id}]: %{event_type->} SERVICE: %{service->} for ifd %{interface->} failed, error \"%{result}\"", processor_chain([ - dup30, - dup22, - setc("event_description","GET SERVICE failure on interface"), - dup23, - ])); - - var msg429 = msg("RPD_KRT_IFDEST_GET", part448); - - var part449 = match("MESSAGE#425:RPD_KRT_IFDGET", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent->} GET index for ifd interface failed, error \"%{result}\"", processor_chain([ - dup30, - dup22, - setc("event_description","GET index for ifd interface failed"), - dup23, - ])); - - var msg430 = msg("RPD_KRT_IFDGET", part449); - - var part450 = match("MESSAGE#426:RPD_KRT_IFD_GENERATION", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: ifd %{dclass_counter1->} generation mismatch -- %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","ifd generation mismatch"), - dup23, - ])); - - var msg431 = msg("RPD_KRT_IFD_GENERATION", part450); - - var part451 = match("MESSAGE#427:RPD_KRT_IFL_CELL_RELAY_MODE_INVALID", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: ifl : %{agent}, %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","KRT IFL CELL RELAY MODE INVALID"), - dup23, 
- ])); - - var msg432 = msg("RPD_KRT_IFL_CELL_RELAY_MODE_INVALID", part451); - - var part452 = match("MESSAGE#428:RPD_KRT_IFL_CELL_RELAY_MODE_UNSPECIFIED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: ifl : %{agent}, %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","KRT IFL CELL RELAY MODE UNSPECIFIED"), - dup23, - ])); - - var msg433 = msg("RPD_KRT_IFL_CELL_RELAY_MODE_UNSPECIFIED", part452); - - var part453 = match("MESSAGE#429:RPD_KRT_IFL_GENERATION", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: ifl %{interface->} generation mismatch -- %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","ifl generation mismatch"), - dup23, - ])); - - var msg434 = msg("RPD_KRT_IFL_GENERATION", part453); - - var part454 = match("MESSAGE#430:RPD_KRT_KERNEL_BAD_ROUTE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: lost %{interface->} %{dclass_counter1->} for route %{dclass_counter2}", processor_chain([ - dup30, - dup22, - setc("event_description","lost interface for route"), - dup23, - ])); - - var msg435 = msg("RPD_KRT_KERNEL_BAD_ROUTE", part454); - - var part455 = match("MESSAGE#431:RPD_KRT_NEXTHOP_OVERFLOW", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: number of next hops (%{dclass_counter1}) exceeded the maximum allowed (%{dclass_counter2}) -- %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","number of next hops exceeded the maximum"), - dup23, - ])); - - var msg436 = msg("RPD_KRT_NEXTHOP_OVERFLOW", part455); - - var part456 = match("MESSAGE#432:RPD_KRT_NOIFD", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: No device %{dclass_counter1->} for interface %{interface}", processor_chain([ - dup30, - dup22, - setc("event_description","No device for interface"), - dup23, - ])); - - var msg437 = msg("RPD_KRT_NOIFD", part456); - - var part457 = match("MESSAGE#433:RPD_KRT_UNKNOWN_RTT", "nwparser.payload", 
"%{process}[%{process_id}]: %{event_type}: %{agent}: received routing table message for unknown table with kernel ID %{dclass_counter1}", processor_chain([ - dup30, - dup22, - setc("event_description","received routing table message for unknown table"), - dup23, - ])); - - var msg438 = msg("RPD_KRT_UNKNOWN_RTT", part457); - - var part458 = match("MESSAGE#434:RPD_KRT_VERSION", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Routing socket version mismatch (%{info}) -- %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Routing socket version mismatch"), - dup23, - ])); - - var msg439 = msg("RPD_KRT_VERSION", part458); - - var part459 = match("MESSAGE#435:RPD_KRT_VERSIONNONE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Routing socket message type %{agent}'s version is not supported by kernel, %{info->} -- %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Routing socket message type not supported by kernel"), - dup23, - ])); - - var msg440 = msg("RPD_KRT_VERSIONNONE", part459); - - var part460 = match("MESSAGE#436:RPD_KRT_VERSIONOLD", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Routing socket message type %{agent}'s version is older than expected (%{info}) -- %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Routing socket message type version is older than expected"), - dup23, - ])); - - var msg441 = msg("RPD_KRT_VERSIONOLD", part460); - - var part461 = match("MESSAGE#437:RPD_LDP_INTF_BLOCKED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Duplicate session ID detected from %{daddr}, interface %{interface}, %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Duplicate session ID detected"), - dup23, - ])); - - var msg442 = msg("RPD_LDP_INTF_BLOCKED", part461); - - var part462 = match("MESSAGE#438:RPD_LDP_INTF_UNBLOCKED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: LDP interface 
%{interface->} is now %{result}", processor_chain([ - dup21, - dup22, - setc("event_description","LDP interface now unblocked"), - dup23, - ])); - - var msg443 = msg("RPD_LDP_INTF_UNBLOCKED", part462); - - var part463 = match("MESSAGE#439:RPD_LDP_NBRDOWN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: LDP neighbor %{daddr->} (%{interface}) is %{result}", processor_chain([ - setc("eventcategory","1603030000"), - dup22, - setc("event_description","LDP neighbor down"), - dup23, - ])); - - var msg444 = msg("RPD_LDP_NBRDOWN", part463); - - var part464 = match("MESSAGE#440:RPD_LDP_NBRUP", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: LDP neighbor %{daddr->} (%{interface}) is %{result}", processor_chain([ - dup21, - dup22, - setc("event_description","LDP neighbor up"), - dup23, - ])); - - var msg445 = msg("RPD_LDP_NBRUP", part464); - - var part465 = match("MESSAGE#441:RPD_LDP_SESSIONDOWN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: LDP session %{daddr->} is down, %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","LDP session down"), - dup23, - ])); - - var msg446 = msg("RPD_LDP_SESSIONDOWN", part465); - - var part466 = match("MESSAGE#442:RPD_LDP_SESSIONUP", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: LDP session %{daddr->} is up", processor_chain([ - dup21, - dup22, - setc("event_description","LDP session up"), - dup23, - ])); - - var msg447 = msg("RPD_LDP_SESSIONUP", part466); - - var part467 = match("MESSAGE#443:RPD_LOCK_FLOCKED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to obtain a lock on %{agent}, %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Unable to obtain a lock"), - dup23, - ])); - - var msg448 = msg("RPD_LOCK_FLOCKED", part467); - - var part468 = match("MESSAGE#444:RPD_LOCK_LOCKED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to obtain a lock on %{agent}, %{result}", 
processor_chain([ - dup30, - dup22, - setc("event_description","Unable to obtain service lock"), - dup23, - ])); - - var msg449 = msg("RPD_LOCK_LOCKED", part468); - - var part469 = match("MESSAGE#445:RPD_MPLS_LSP_CHANGE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: MPLS LSP %{interface->} %{result->} Route %{info}", processor_chain([ - dup21, - dup22, - setc("event_description","MPLS LSP CHANGE"), - dup23, - ])); - - var msg450 = msg("RPD_MPLS_LSP_CHANGE", part469); - - var part470 = match("MESSAGE#446:RPD_MPLS_LSP_DOWN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: MPLS LSP %{interface->} %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","MPLS LSP DOWN"), - dup23, - ])); - - var msg451 = msg("RPD_MPLS_LSP_DOWN", part470); - - var part471 = match("MESSAGE#447:RPD_MPLS_LSP_SWITCH", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: MPLS LSP %{interface->} %{result}, Route %{info}", processor_chain([ - dup21, - dup22, - setc("event_description","MPLS LSP SWITCH"), - dup23, - ])); - - var msg452 = msg("RPD_MPLS_LSP_SWITCH", part471); - - var part472 = match("MESSAGE#448:RPD_MPLS_LSP_UP", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: MPLS LSP %{interface->} %{result->} Route %{info}", processor_chain([ - dup21, - dup22, - setc("event_description","MPLS LSP UP"), - dup23, - ])); - - var msg453 = msg("RPD_MPLS_LSP_UP", part472); - - var part473 = match("MESSAGE#449:RPD_MSDP_PEER_DOWN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: MSDP peer %{group->} %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","MSDP PEER DOWN"), - dup23, - ])); - - var msg454 = msg("RPD_MSDP_PEER_DOWN", part473); - - var part474 = match("MESSAGE#450:RPD_MSDP_PEER_UP", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: MSDP peer %{group->} %{result}", processor_chain([ - dup21, - dup22, - setc("event_description","MSDP PEER UP"), - dup23, - ])); - - var 
msg455 = msg("RPD_MSDP_PEER_UP", part474); - - var part475 = match("MESSAGE#451:RPD_OSPF_NBRDOWN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: OSPF neighbor %{daddr->} (%{interface}) %{disposition->} due to %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","OSPF neighbor down"), - dup23, - ])); - - var msg456 = msg("RPD_OSPF_NBRDOWN", part475); - - var part476 = match("MESSAGE#452:RPD_OSPF_NBRUP", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: OSPF neighbor %{daddr->} (%{interface}) %{disposition->} due to %{result}", processor_chain([ - dup21, - dup22, - setc("event_description","OSPF neighbor up"), - dup23, - ])); - - var msg457 = msg("RPD_OSPF_NBRUP", part476); - - var part477 = match("MESSAGE#453:RPD_OS_MEMHIGH", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Using %{dclass_counter1->} KB of memory, %{info}", processor_chain([ - dup51, - dup22, - setc("event_description","OS MEMHIGH"), - dup23, - ])); - - var msg458 = msg("RPD_OS_MEMHIGH", part477); - - var part478 = match("MESSAGE#454:RPD_PIM_NBRDOWN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: PIM neighbor %{daddr->} timeout interface %{interface}", processor_chain([ - dup30, - dup22, - setc("event_description","PIM neighbor down"), - setc("result","timeout"), - dup23, - ])); - - var msg459 = msg("RPD_PIM_NBRDOWN", part478); - - var part479 = match("MESSAGE#455:RPD_PIM_NBRUP", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: PIM new neighbor %{daddr->} interface %{interface}", processor_chain([ - dup21, - dup22, - setc("event_description","PIM neighbor up"), - dup23, - ])); - - var msg460 = msg("RPD_PIM_NBRUP", part479); - - var part480 = match("MESSAGE#456:RPD_RDISC_CKSUM", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Bad checksum for router solicitation from %{saddr->} to %{daddr}", processor_chain([ - dup30, - dup22, - setc("event_description","Bad checksum for router 
solicitation"), - dup23, - ])); - - var msg461 = msg("RPD_RDISC_CKSUM", part480); - - var part481 = match("MESSAGE#457:RPD_RDISC_NOMULTI", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Ignoring interface %{dclass_counter1->} on %{interface->} -- %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Ignoring interface"), - dup23, - ])); - - var msg462 = msg("RPD_RDISC_NOMULTI", part481); - - var part482 = match("MESSAGE#458:RPD_RDISC_NORECVIF", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to locate interface for router solicitation from %{saddr->} to %{daddr}", processor_chain([ - dup30, - dup22, - setc("event_description","Unable to locate interface for router"), - dup23, - ])); - - var msg463 = msg("RPD_RDISC_NORECVIF", part482); - - var part483 = match("MESSAGE#459:RPD_RDISC_SOLICITADDR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Expected multicast (%{dclass_counter1}) for router solicitation from %{saddr->} to %{daddr}", processor_chain([ - dup30, - dup22, - setc("event_description","Expected multicast for router solicitation"), - dup23, - ])); - - var msg464 = msg("RPD_RDISC_SOLICITADDR", part483); - - var part484 = match("MESSAGE#460:RPD_RDISC_SOLICITICMP", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Nonzero ICMP code (%{resultcode}) for router solicitation from %{saddr->} to %{daddr}", processor_chain([ - dup30, - dup22, - setc("event_description","Nonzero ICMP code for router solicitation"), - dup23, - ])); - - var msg465 = msg("RPD_RDISC_SOLICITICMP", part484); - - var part485 = match("MESSAGE#461:RPD_RDISC_SOLICITLEN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Insufficient length (%{dclass_counter1}) for router solicitation from %{saddr->} to %{daddr}", processor_chain([ - dup30, - dup22, - setc("event_description","Insufficient length for router solicitation"), - dup23, - ])); - - var msg466 = msg("RPD_RDISC_SOLICITLEN", part485); - 
- var part486 = match("MESSAGE#462:RPD_RIP_AUTH", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Update with invalid authentication from %{saddr->} (%{interface})", processor_chain([ - dup30, - dup22, - setc("event_description","RIP update with invalid authentication"), - dup23, - ])); - - var msg467 = msg("RPD_RIP_AUTH", part486); - - var part487 = match("MESSAGE#463:RPD_RIP_JOIN_BROADCAST", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to get broadcast address %{interface}; %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","RIP - unable to get broadcast address"), - dup23, - ])); - - var msg468 = msg("RPD_RIP_JOIN_BROADCAST", part487); - - var part488 = match("MESSAGE#464:RPD_RIP_JOIN_MULTICAST", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to join multicast group %{interface}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","RIP - Unable to join multicast group"), - dup23, - ])); - - var msg469 = msg("RPD_RIP_JOIN_MULTICAST", part488); - - var part489 = match("MESSAGE#465:RPD_RT_IFUP", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: UP route for interface %{interface->} index %{dclass_counter1->} %{saddr}/%{dclass_counter2}", processor_chain([ - dup21, - dup22, - setc("event_description","RIP interface up"), - dup23, - ])); - - var msg470 = msg("RPD_RT_IFUP", part489); - - var msg471 = msg("RPD_SCHED_CALLBACK_LONGRUNTIME", dup148); - - var part490 = match("MESSAGE#467:RPD_SCHED_CUMULATIVE_LONGRUNTIME", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: excessive runtime (%{result}) after action of module", processor_chain([ - dup30, - dup22, - setc("event_description","excessive runtime after action of module"), - dup23, - ])); - - var msg472 = msg("RPD_SCHED_CUMULATIVE_LONGRUNTIME", part490); - - var msg473 = msg("RPD_SCHED_MODULE_LONGRUNTIME", dup148); - - var part491 = 
match("MESSAGE#469:RPD_SCHED_TASK_LONGRUNTIME", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent->} ran for %{dclass_counter1}(%{dclass_counter2})", processor_chain([ - dup30, - dup22, - setc("event_description","task extended runtime"), - dup23, - ])); - - var msg474 = msg("RPD_SCHED_TASK_LONGRUNTIME", part491); - - var part492 = match("MESSAGE#470:RPD_SIGNAL_TERMINATE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent->} termination signal received", processor_chain([ - dup30, - dup22, - setc("event_description","termination signal received for service"), - dup23, - ])); - - var msg475 = msg("RPD_SIGNAL_TERMINATE", part492); - - var part493 = match("MESSAGE#471:RPD_START", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Start %{dclass_counter1->} version version built %{dclass_counter2}", processor_chain([ - dup21, - dup22, - setc("event_description","version built"), - dup23, - ])); - - var msg476 = msg("RPD_START", part493); - - var part494 = match("MESSAGE#472:RPD_SYSTEM", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: detail: %{action}", processor_chain([ - dup21, - dup22, - setc("event_description","system command"), - dup23, - ])); - - var msg477 = msg("RPD_SYSTEM", part494); - - var part495 = match("MESSAGE#473:RPD_TASK_BEGIN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Commencing routing updates, version %{dclass_counter1}, built %{dclass_counter2->} by builder", processor_chain([ - dup21, - dup22, - setc("event_description","Commencing routing updates"), - dup23, - ])); - - var msg478 = msg("RPD_TASK_BEGIN", part495); - - var part496 = match("MESSAGE#474:RPD_TASK_CHILDKILLED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{dclass_counter2->} %{result}", processor_chain([ - dup21, - dup22, - setc("event_description","task killed by signal"), - dup23, - ])); - - var msg479 = msg("RPD_TASK_CHILDKILLED", part496); - - var part497 = 
match("MESSAGE#475:RPD_TASK_CHILDSTOPPED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{dclass_counter2->} %{result}", processor_chain([ - dup21, - dup22, - setc("event_description","task stopped by signal"), - dup23, - ])); - - var msg480 = msg("RPD_TASK_CHILDSTOPPED", part497); - - var part498 = match("MESSAGE#476:RPD_TASK_FORK", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to fork task: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Unable to fork task"), - dup23, - ])); - - var msg481 = msg("RPD_TASK_FORK", part498); - - var part499 = match("MESSAGE#477:RPD_TASK_GETWD", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: getwd: %{action}", processor_chain([ - dup21, - dup22, - setc("event_description","RPD TASK GETWD"), - dup23, - ])); - - var msg482 = msg("RPD_TASK_GETWD", part499); - - var part500 = match("MESSAGE#478:RPD_TASK_NOREINIT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Reinitialization not possible", processor_chain([ - dup30, - dup22, - setc("event_description","Reinitialization not possible"), - dup23, - ])); - - var msg483 = msg("RPD_TASK_NOREINIT", part500); - - var part501 = match("MESSAGE#479:RPD_TASK_PIDCLOSED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to close and remove %{agent}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Unable to close and remove task"), - dup23, - ])); - - var msg484 = msg("RPD_TASK_PIDCLOSED", part501); - - var part502 = match("MESSAGE#480:RPD_TASK_PIDFLOCK", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: flock(%{agent}, %{action}): %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","RPD TASK PIDFLOCK"), - dup23, - ])); - - var msg485 = msg("RPD_TASK_PIDFLOCK", part502); - - var part503 = match("MESSAGE#481:RPD_TASK_PIDWRITE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to write %{agent}: 
%{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Unable to write"), - dup23, - ])); - - var msg486 = msg("RPD_TASK_PIDWRITE", part503); - - var msg487 = msg("RPD_TASK_REINIT", dup149); - - var part504 = match("MESSAGE#483:RPD_TASK_SIGNALIGNORE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: sigaction(%{result}): %{resultcode}", processor_chain([ - dup21, - dup22, - setc("event_description","ignoring task signal"), - dup23, - ])); - - var msg488 = msg("RPD_TASK_SIGNALIGNORE", part504); - - var part505 = match("MESSAGE#484:RT_COS", "nwparser.payload", "%{process}: %{event_type}: COS IPC op %{dclass_counter1->} (%{agent}) failed, err %{resultcode->} (%{result})", processor_chain([ - dup30, - dup22, - setc("event_description","COS IPC op failed"), - dup23, - ])); - - var msg489 = msg("RT_COS", part505); - - var part506 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/2", "nwparser.p0", "%{fld5}\" nat-source-address=\"%{stransaddr}\" nat-source-port=\"%{stransport}\" nat-destination-address=\"%{dtransaddr}\" nat-destination-port=\"%{dtransport}\"%{p0}"); - - var part507 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/4", "nwparser.p0", "%{}src-nat-rule-name=\"%{fld10}\" dst-nat-rule-%{p0}"); - - var part508 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/5_0", "nwparser.p0", "type=%{fld21->} dst-nat-rule-name=\"%{p0}"); - - var select39 = linear_select([ - part508, - dup91, - ]); - - var part509 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/6", "nwparser.p0", "\"%{fld11->} protocol-id=\"%{protocol}\" policy-name=\"%{policyname}\" source-zone-name=\"%{src_zone}\" destination-zone-name=\"%{dst_zone}\" session-id-32=\"%{fld13}\" username=\"%{username}\" roles=\"%{fld15}\" packet-incoming-interface=\"%{dinterface}\"%{p0}"); - - var part510 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/7_0", "nwparser.p0", " application=\"%{fld6}\" nested-application=\"%{fld7}\" encrypted=%{fld8->} %{p0}"); - - var select40 = linear_select([ - 
part510, - dup45, - ]); - - var all22 = all_match({ - processors: [ - dup87, - dup150, - part506, - dup151, - part507, - select39, - part509, - select40, - dup92, - ], - on_success: processor_chain([ - dup28, - dup53, - dup54, - dup22, - dup52, - ]), - }); - - var msg490 = msg("RT_FLOW_SESSION_CREATE:02", all22); - - var part511 = match("MESSAGE#486:RT_FLOW_SESSION_CREATE/1_0", "nwparser.p0", " service-name=\"%{service}\" nat-source-address=\"%{stransaddr}\" nat-source-port=\"%{stransport}\" nat-destination-address=\"%{dtransaddr}\" nat-destination-port=\"%{dtransport}\" src-nat-rule-type=\"%{fld20}\" src-nat-rule-name=\"%{rulename}\" dst-nat-rule-type=\"%{fld10}\" dst-nat-rule-name=\"%{rule_template}\"%{p0}"); - - var select41 = linear_select([ - part511, - dup45, - ]); - - var part512 = match("MESSAGE#486:RT_FLOW_SESSION_CREATE/2", "nwparser.p0", "%{}protocol-id=\"%{protocol}\" policy-name=\"%{policyname}\"%{p0}"); - - var part513 = match("MESSAGE#486:RT_FLOW_SESSION_CREATE/3_0", "nwparser.p0", " source-zone-name=\"%{src_zone}\" destination-zone-name=\"%{dst_zone}\" session-id-32=\"%{sessionid}\" username=\"%{username}\" roles=\"%{fld50}\" packet-incoming-interface=\"%{dinterface}\" application=\"%{application}\" nested-application=\"%{fld7}\" encrypted=\"%{fld8}\"%{p0}"); - - var select42 = linear_select([ - part513, - dup45, - ]); - - var all23 = all_match({ - processors: [ - dup87, - select41, - part512, - select42, - dup92, - ], - on_success: processor_chain([ - dup28, - dup53, - dup54, - dup22, - dup52, - ]), - }); - - var msg491 = msg("RT_FLOW_SESSION_CREATE", all23); - - var part514 = match("MESSAGE#487:RT_FLOW_SESSION_CREATE:01/0_0", "nwparser.payload", "%{process}: %{event_type}: session created %{p0}"); - - var part515 = match("MESSAGE#487:RT_FLOW_SESSION_CREATE:01/0_1", "nwparser.payload", "%{event_type}: session created %{p0}"); - - var select43 = linear_select([ - part514, - part515, - ]); - - var part516 = 
match("MESSAGE#487:RT_FLOW_SESSION_CREATE:01/1", "nwparser.p0", "%{saddr}/%{sport}->%{daddr}/%{dport->} %{fld20->} %{hostip}/%{network_port}->%{dtransaddr}/%{dtransport->} %{p0}"); - - var part517 = match("MESSAGE#487:RT_FLOW_SESSION_CREATE:01/2_0", "nwparser.p0", "%{rulename->} %{rule_template->} %{fld12->} %{fld13->} %{fld14->} %{policyname->} %{src_zone->} %{dst_zone->} %{sessionid->} %{username}(%{fld10}) %{interface->} %{protocol->} %{fld15->} UNKNOWN UNKNOWN"); - - var part518 = match("MESSAGE#487:RT_FLOW_SESSION_CREATE:01/2_1", "nwparser.p0", "%{rulename->} %{rule_template->} %{fld12->} %{fld13->} %{fld14->} %{policyname->} %{src_zone->} %{dst_zone->} %{sessionid->} %{username}(%{fld10}) %{interface->} %{fld15}"); - - var part519 = match_copy("MESSAGE#487:RT_FLOW_SESSION_CREATE:01/2_2", "nwparser.p0", "info"); - - var select44 = linear_select([ - part517, - part518, - part519, - ]); - - var all24 = all_match({ - processors: [ - select43, - part516, - select44, - ], - on_success: processor_chain([ - dup28, - dup53, - dup54, - dup22, - setc("event_description","session created"), - dup23, - ]), - }); - - var msg492 = msg("RT_FLOW_SESSION_CREATE:01", all24); - - var select45 = linear_select([ - msg490, - msg491, - msg492, - ]); - - var part520 = match("MESSAGE#488:RT_FLOW_SESSION_DENY:02/2", "nwparser.p0", "%{fld5}\" protocol-id=\"%{protocol}\" icmp-type=\"%{obj_type}\" policy-name=\"%{policyname}\" source-zone-name=\"%{src_zone}\" destination-zone-name=\"%{dst_zone}\" application=\"%{fld6}\" nested-application=\"%{fld7}\" username=\"%{username}\" roles=\"%{user_role}\" packet-incoming-interface=\"%{dinterface}\"%{p0}"); - - var part521 = match("MESSAGE#488:RT_FLOW_SESSION_DENY:02/3_0", "nwparser.p0", " encrypted=\"%{fld16}\" reason=\"%{result}\" src-vrf-grp=\"%{fld99}\" dst-vrf-grp=\"%{fld98}\"%{p0}"); - - var part522 = match("MESSAGE#488:RT_FLOW_SESSION_DENY:02/3_1", "nwparser.p0", " encrypted=%{fld16->} reason=\"%{result}\"%{p0}"); - - var select46 = 
linear_select([ - part521, - part522, - dup45, - ]); - - var all25 = all_match({ - processors: [ - dup87, - dup150, - part520, - select46, - dup92, - ], - on_success: processor_chain([ - dup93, - dup53, - dup94, - dup22, - dup52, - ]), - }); - - var msg493 = msg("RT_FLOW_SESSION_DENY:02", all25); - - var part523 = match("MESSAGE#489:RT_FLOW_SESSION_DENY", "nwparser.payload", "%{event_type->} [junos@%{obj_name->} source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" protocol-id=\"%{protocol}\" icmp-type=\"%{obj_type}\" policy-name=\"%{policyname}\"]", processor_chain([ - dup93, - dup53, - dup94, - dup22, - dup52, - ])); - - var msg494 = msg("RT_FLOW_SESSION_DENY", part523); - - var part524 = match("MESSAGE#490:RT_FLOW_SESSION_DENY:03/1", "nwparser.p0", "%{saddr}/%{sport}->%{daddr}/%{dport->} %{fld20->} %{fld1->} %{result->} %{src_zone->} %{dst_zone->} HTTP %{info}"); - - var all26 = all_match({ - processors: [ - dup152, - part524, - ], - on_success: processor_chain([ - dup27, - dup53, - dup94, - dup22, - dup97, - dup23, - ]), - }); - - var msg495 = msg("RT_FLOW_SESSION_DENY:03", all26); - - var part525 = match("MESSAGE#491:RT_FLOW_SESSION_DENY:01/1", "nwparser.p0", "%{saddr}/%{sport}->%{daddr}/%{dport->} %{fld20->} %{fld1->} %{result->} %{src_zone->} %{dst_zone}"); - - var all27 = all_match({ - processors: [ - dup152, - part525, - ], - on_success: processor_chain([ - dup27, - dup53, - dup94, - dup22, - dup97, - dup23, - ]), - }); - - var msg496 = msg("RT_FLOW_SESSION_DENY:01", all27); - - var select47 = linear_select([ - msg493, - msg494, - msg495, - msg496, - ]); - - var select48 = linear_select([ - dup103, - dup45, - ]); - - var all28 = all_match({ - processors: [ - dup98, - dup150, - dup99, - dup151, - dup100, - dup153, - dup102, - select48, - dup92, - ], - on_success: processor_chain([ - dup27, - dup53, - dup55, - dup104, - dup22, - dup52, - ]), - }); - - var msg497 = msg("RT_FLOW_SESSION_CLOSE:01", 
all28); - - var part526 = match("MESSAGE#493:RT_FLOW_SESSION_CLOSE", "nwparser.payload", "%{event_type->} [junos@%{obj_name->} reason=\"%{result}\" source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" protocol-id=\"%{protocol}\" policy-name=\"%{policyname}\" inbound-packets=\"%{packets}\" inbound-bytes=\"%{rbytes}\" outbound-packets=\"%{dclass_counter1}\" outbound-bytes=\"%{sbytes}\" elapsed-time=\"%{duration}\"]", processor_chain([ - dup27, - dup53, - dup55, - dup22, - dup52, - ])); - - var msg498 = msg("RT_FLOW_SESSION_CLOSE", part526); - - var part527 = match("MESSAGE#494:RT_FLOW_SESSION_CLOSE:02/0_0", "nwparser.payload", "%{process}: %{event_type}: session closed %{p0}"); - - var part528 = match("MESSAGE#494:RT_FLOW_SESSION_CLOSE:02/0_1", "nwparser.payload", "%{event_type}: session closed %{p0}"); - - var select49 = linear_select([ - part527, - part528, - ]); - - var part529 = match("MESSAGE#494:RT_FLOW_SESSION_CLOSE:02/1", "nwparser.p0", "%{result}: %{saddr}/%{sport}->%{daddr}/%{dport->} %{fld20->} %{hostip}/%{network_port}->%{dtransaddr}/%{dtransport->} %{info}"); - - var all29 = all_match({ - processors: [ - select49, - part529, - ], - on_success: processor_chain([ - dup27, - dup53, - dup55, - dup22, - setc("event_description","session closed"), - dup23, - ]), - }); - - var msg499 = msg("RT_FLOW_SESSION_CLOSE:02", all29); - - var part530 = match("MESSAGE#495:RT_FLOW_SESSION_CLOSE:03/7_1", "nwparser.p0", " application=\"%{fld6}\" nested-application=\"%{fld7}\" username=\"%{username}\" roles=\"%{user_role}\" packet-incoming-interface=\"%{dinterface}\" %{p0}"); - - var select50 = linear_select([ - dup103, - part530, - dup45, - ]); - - var part531 = match("MESSAGE#495:RT_FLOW_SESSION_CLOSE:03/8", "nwparser.p0", "] session closed %{fld60}: %{fld51}/%{fld52}->%{fld53}/%{fld54->} %{fld55->} %{fld56}/%{fld57}->%{fld58}/%{fld59->} %{info}"); - - var all30 = all_match({ - processors: [ - dup98, - dup150, - 
dup99, - dup151, - dup100, - dup153, - dup102, - select50, - part531, - ], - on_success: processor_chain([ - dup27, - dup53, - dup55, - dup104, - dup22, - dup52, - dup61, - ]), - }); - - var msg500 = msg("RT_FLOW_SESSION_CLOSE:03", all30); - - var select51 = linear_select([ - msg497, - msg498, - msg499, - msg500, - ]); - - var part532 = match("MESSAGE#496:RT_SCREEN_IP", "nwparser.payload", "%{process}: %{event_type}: Fragmented traffic! source:%{saddr}, destination: %{daddr}, protocol-id: %{protocol}, zone name: %{zone}, interface name: %{interface}", processor_chain([ - dup30, - dup22, - setc("event_description","Fragmented traffic"), - dup23, - ])); - - var msg501 = msg("RT_SCREEN_IP", part532); - - var part533 = match("MESSAGE#497:RT_SCREEN_IP:01", "nwparser.payload", "%{event_type->} [junos@%{obj_name->} attack-name=\"%{threat_name}\" source-address=\"%{saddr}\" destination-address=\"%{daddr}\" protocol-id=\"%{protocol}\" source-zone-name=\"%{src_zone}\" interface-name=\"%{interface}\" action=\"%{action}\"]", processor_chain([ - dup30, - dup22, - dup52, - ])); - - var msg502 = msg("RT_SCREEN_IP:01", part533); - - var select52 = linear_select([ - msg501, - msg502, - ]); - - var msg503 = msg("RT_SCREEN_TCP", dup154); - - var part534 = match("MESSAGE#499:RT_SCREEN_SESSION_LIMIT", "nwparser.payload", "%{event_type->} [junos@%{obj_name->} attack-name=\"%{threat_name}\" message=\"%{info}\" ip-address=\"%{hostip}\" source-zone-name=\"%{src_zone}\" interface-name=\"%{interface}\" action=\"%{action}\"]", processor_chain([ - dup30, - dup22, - dup52, - ])); - - var msg504 = msg("RT_SCREEN_SESSION_LIMIT", part534); - - var msg505 = msg("RT_SCREEN_UDP", dup154); - - var part535 = match("MESSAGE#501:SERVICED_CLIENT_CONNECT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: attempt to connect to interface failed with error: %{result}", processor_chain([ - dup27, - dup22, - setc("event_description","attempt to connect to interface failed"), - dup23, - 
])); - - var msg506 = msg("SERVICED_CLIENT_CONNECT", part535); - - var part536 = match("MESSAGE#502:SERVICED_CLIENT_DISCONNECTED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: unexpected termination of connection to interface", processor_chain([ - dup27, - dup22, - setc("event_description","unexpected termination of connection"), - dup23, - ])); - - var msg507 = msg("SERVICED_CLIENT_DISCONNECTED", part536); - - var part537 = match("MESSAGE#503:SERVICED_CLIENT_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: client interface connection failure: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","client interface connection failure"), - dup23, - ])); - - var msg508 = msg("SERVICED_CLIENT_ERROR", part537); - - var part538 = match("MESSAGE#504:SERVICED_COMMAND_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: remote command execution failed with error: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","remote command execution failed"), - dup23, - ])); - - var msg509 = msg("SERVICED_COMMAND_FAILED", part538); - - var part539 = match("MESSAGE#505:SERVICED_COMMIT_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: client failed to commit configuration with error: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","client commit configuration failed"), - dup23, - ])); - - var msg510 = msg("SERVICED_COMMIT_FAILED", part539); - - var part540 = match("MESSAGE#506:SERVICED_CONFIGURATION_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: configuration process failed with error: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","configuration process failed"), - dup23, - ])); - - var msg511 = msg("SERVICED_CONFIGURATION_FAILED", part540); - - var part541 = match("MESSAGE#507:SERVICED_CONFIG_ERROR", "nwparser.payload", 
"%{process}[%{process_id}]: %{event_type}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","SERVICED CONFIG ERROR"), - dup23, - ])); - - var msg512 = msg("SERVICED_CONFIG_ERROR", part541); - - var part542 = match("MESSAGE#508:SERVICED_CONFIG_FILE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: %{dclass_counter2->} failed to read path with error: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","service failed to read path"), - dup23, - ])); - - var msg513 = msg("SERVICED_CONFIG_FILE", part542); - - var part543 = match("MESSAGE#509:SERVICED_CONNECTION_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","SERVICED CONNECTION ERROR"), - dup23, - ])); - - var msg514 = msg("SERVICED_CONNECTION_ERROR", part543); - - var part544 = match("MESSAGE#510:SERVICED_DISABLED_GGSN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: GGSN services disabled: object: %{result}", processor_chain([ - dup21, - dup22, - setc("event_description","GGSN services disabled"), - dup23, - ])); - - var msg515 = msg("SERVICED_DISABLED_GGSN", part544); - - var msg516 = msg("SERVICED_DUPLICATE", dup141); - - var part545 = match("MESSAGE#512:SERVICED_EVENT_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: event function %{dclass_counter2->} failed with error: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","event function failed"), - dup23, - ])); - - var msg517 = msg("SERVICED_EVENT_FAILED", part545); - - var part546 = match("MESSAGE#513:SERVICED_INIT_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: initialization failed with error: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","service initialization failed"), - dup23, - ])); - - var msg518 = msg("SERVICED_INIT_FAILED", part546); - - var 
part547 = match("MESSAGE#514:SERVICED_MALLOC_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: failed to allocate [%{dclass_counter2}] object [%{dclass_counter1->} bytes %{bytes}]: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","memory allocation failure"), - dup23, - ])); - - var msg519 = msg("SERVICED_MALLOC_FAILURE", part547); - - var part548 = match("MESSAGE#515:SERVICED_NETWORK_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: %{dclass_counter2->} had error: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","NETWORK FAILURE"), - dup23, - ])); - - var msg520 = msg("SERVICED_NETWORK_FAILURE", part548); - - var part549 = match("MESSAGE#516:SERVICED_NOT_ROOT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Must be run as root", processor_chain([ - dup63, - dup22, - setc("event_description","SERVICED must be run as root"), - dup23, - ])); - - var msg521 = msg("SERVICED_NOT_ROOT", part549); - - var msg522 = msg("SERVICED_PID_FILE_LOCK", dup142); - - var msg523 = msg("SERVICED_PID_FILE_UPDATE", dup143); - - var part550 = match("MESSAGE#519:SERVICED_RTSOCK_SEQUENCE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: routing socket sequence error, %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","routing socket sequence error"), - dup23, - ])); - - var msg524 = msg("SERVICED_RTSOCK_SEQUENCE", part550); - - var part551 = match("MESSAGE#520:SERVICED_SIGNAL_HANDLER", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: set up of signal name handler failed with error: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","set up of signal name handler failed"), - dup23, - ])); - - var msg525 = msg("SERVICED_SIGNAL_HANDLER", part551); - - var part552 = match("MESSAGE#521:SERVICED_SOCKET_CREATE", "nwparser.payload", "%{process}[%{process_id}]: 
%{event_type}: %{agent}: socket create failed with error: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","socket create failed with error"), - dup23, - ])); - - var msg526 = msg("SERVICED_SOCKET_CREATE", part552); - - var part553 = match("MESSAGE#522:SERVICED_SOCKET_IO", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: socket function %{dclass_counter2->} failed with error: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","socket function failed"), - dup23, - ])); - - var msg527 = msg("SERVICED_SOCKET_IO", part553); - - var part554 = match("MESSAGE#523:SERVICED_SOCKET_OPTION", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: unable to set socket option %{dclass_counter2}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","unable to set socket option"), - dup23, - ])); - - var msg528 = msg("SERVICED_SOCKET_OPTION", part554); - - var part555 = match("MESSAGE#524:SERVICED_STDLIB_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: %{dclass_counter2->} had error: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","STDLIB FAILURE"), - dup23, - ])); - - var msg529 = msg("SERVICED_STDLIB_FAILURE", part555); - - var part556 = match("MESSAGE#525:SERVICED_USAGE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Incorrect usage: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Incorrect service usage"), - dup23, - ])); - - var msg530 = msg("SERVICED_USAGE", part556); - - var part557 = match("MESSAGE#526:SERVICED_WORK_INCONSISTENCY", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: object has unexpected value %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","object has unexpected value"), - dup23, - ])); - - var msg531 = msg("SERVICED_WORK_INCONSISTENCY", part557); - - var msg532 = 
msg("SSL_PROXY_SSL_SESSION_ALLOW", dup155); - - var msg533 = msg("SSL_PROXY_SSL_SESSION_DROP", dup155); - - var msg534 = msg("SSL_PROXY_SESSION_IGNORE", dup155); - - var part558 = match("MESSAGE#530:SNMP_NS_LOG_INFO", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: NET-SNMP version %{version->} AgentX subagent connected", processor_chain([ - dup21, - dup22, - setc("event_description","AgentX subagent connected"), - dup61, - dup23, - ])); - - var msg535 = msg("SNMP_NS_LOG_INFO", part558); - - var part559 = match("MESSAGE#531:SNMP_SUBAGENT_IPC_REG_ROWS", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: ns_subagent_register_mibs: registering %{dclass_counter1->} rows", processor_chain([ - dup21, - dup22, - setc("event_description","ns_subagent registering rows"), - dup61, - dup23, - ])); - - var msg536 = msg("SNMP_SUBAGENT_IPC_REG_ROWS", part559); - - var part560 = match("MESSAGE#532:SNMPD_ACCESS_GROUP_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: %{result->} in %{dclass_counter1->} access group %{group}", processor_chain([ - dup30, - dup22, - setc("event_description","SNMPD ACCESS GROUP ERROR"), - dup23, - ])); - - var msg537 = msg("SNMPD_ACCESS_GROUP_ERROR", part560); - - var part561 = match("MESSAGE#533:SNMPD_AUTH_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: unauthorized SNMP community from %{daddr->} to unknown community name (%{pool_name})", processor_chain([ - dup30, - dup22, - dup105, - setc("result","unauthorized SNMP community to unknown community name"), - dup23, - ])); - - var msg538 = msg("SNMPD_AUTH_FAILURE", part561); - - var part562 = match("MESSAGE#534:SNMPD_AUTH_FAILURE:01", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: failed input interface authorization from %{daddr->} to unknown (%{pool_name})", processor_chain([ - dup30, - dup22, - dup105, - setc("result","failed input interface authorization to unknown"), - dup23, - 
])); - - var msg539 = msg("SNMPD_AUTH_FAILURE:01", part562); - - var part563 = match("MESSAGE#535:SNMPD_AUTH_FAILURE:02", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: unauthorized SNMP community from %{daddr->} to %{saddr->} (%{pool_name})", processor_chain([ - dup30, - dup22, - dup105, - setc("result","unauthorized SNMP community "), - dup23, - ])); - - var msg540 = msg("SNMPD_AUTH_FAILURE:02", part563); - - var part564 = match("MESSAGE#595:SNMPD_AUTH_FAILURE:03", "nwparser.payload", "%{process->} %{process_id->} %{event_type->} [junos@%{obj_name->} function-name=\"%{fld1}\" message=\"%{info}\" source-address=\"%{saddr}\" destination-address=\"%{daddr}\" index1=\"%{fld4}\"]", processor_chain([ - dup30, - dup22, - dup105, - dup61, - dup62, - ])); - - var msg541 = msg("SNMPD_AUTH_FAILURE:03", part564); - - var select53 = linear_select([ - msg538, - msg539, - msg540, - msg541, - ]); - - var part565 = match("MESSAGE#536:SNMPD_AUTH_PRIVILEGES_EXCEEDED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: %{saddr}: request exceeded community privileges", processor_chain([ - dup30, - dup22, - setc("event_description","SNMP request exceeded community privileges"), - dup23, - ])); - - var msg542 = msg("SNMPD_AUTH_PRIVILEGES_EXCEEDED", part565); - - var part566 = match("MESSAGE#537:SNMPD_AUTH_RESTRICTED_ADDRESS", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: request from address %{daddr->} not allowed", processor_chain([ - dup48, - dup22, - setc("event_description","SNMPD AUTH RESTRICTED ADDRESS"), - setc("result","request not allowed"), - dup23, - ])); - - var msg543 = msg("SNMPD_AUTH_RESTRICTED_ADDRESS", part566); - - var part567 = match("MESSAGE#538:SNMPD_AUTH_WRONG_PDU_TYPE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: %{saddr}: unauthorized SNMP PDU type: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","unauthorized SNMP PDU type"), - 
dup23, - ])); - - var msg544 = msg("SNMPD_AUTH_WRONG_PDU_TYPE", part567); - - var part568 = match("MESSAGE#539:SNMPD_CONFIG_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Configuration database has errors", processor_chain([ - dup30, - dup22, - setc("event_description","Configuration database has errors"), - dup23, - ])); - - var msg545 = msg("SNMPD_CONFIG_ERROR", part568); - - var part569 = match("MESSAGE#540:SNMPD_CONTEXT_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: %{result->} in %{dclass_counter1->} context %{dclass_counter2}", processor_chain([ - dup30, - dup22, - setc("event_description","SNMPD CONTEXT ERROR"), - dup23, - ])); - - var msg546 = msg("SNMPD_CONTEXT_ERROR", part569); - - var part570 = match("MESSAGE#541:SNMPD_ENGINE_FILE_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{dclass_counter2}: operation: %{dclass_counter1->} %{agent}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","SNMPD ENGINE FILE FAILURE"), - dup23, - ])); - - var msg547 = msg("SNMPD_ENGINE_FILE_FAILURE", part570); - - var part571 = match("MESSAGE#542:SNMPD_ENGINE_PROCESS_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: from-path: undecodable/unmatched subagent response", processor_chain([ - dup30, - dup22, - setc("event_description"," from-path - SNMP undecodable/unmatched subagent response"), - dup23, - ])); - - var msg548 = msg("SNMPD_ENGINE_PROCESS_ERROR", part571); - - var part572 = match("MESSAGE#543:SNMPD_FILE_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: fopen %{dclass_counter2}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","SNMPD FILE FAILURE"), - dup23, - ])); - - var msg549 = msg("SNMPD_FILE_FAILURE", part572); - - var part573 = match("MESSAGE#544:SNMPD_GROUP_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: %{result->} in 
%{dclass_counter1->} group: '%{group}' user '%{username}' model '%{version}'", processor_chain([ - dup30, - dup22, - setc("event_description","SNMPD GROUP ERROR"), - dup23, - ])); - - var msg550 = msg("SNMPD_GROUP_ERROR", part573); - - var part574 = match("MESSAGE#545:SNMPD_INIT_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: snmpd initialization failure: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","snmpd initialization failure"), - dup23, - ])); - - var msg551 = msg("SNMPD_INIT_FAILED", part574); - - var part575 = match("MESSAGE#546:SNMPD_LIBJUNIPER_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: system_default_inaddr: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","LIBJUNIPER FAILURE"), - dup23, - ])); - - var msg552 = msg("SNMPD_LIBJUNIPER_FAILURE", part575); - - var part576 = match("MESSAGE#547:SNMPD_LOOPBACK_ADDR_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","LOOPBACK ADDR ERROR"), - dup23, - ])); - - var msg553 = msg("SNMPD_LOOPBACK_ADDR_ERROR", part576); - - var part577 = match("MESSAGE#548:SNMPD_MEMORY_FREED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: called for freed - already freed", processor_chain([ - dup30, - dup22, - setc("event_description","duplicate memory free"), - dup23, - ])); - - var msg554 = msg("SNMPD_MEMORY_FREED", part577); - - var part578 = match("MESSAGE#549:SNMPD_RADIX_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: radix_add failed: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","radix_add failed"), - dup23, - ])); - - var msg555 = msg("SNMPD_RADIX_FAILURE", part578); - - var part579 = match("MESSAGE#550:SNMPD_RECEIVE_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: receive 
%{dclass_counter1->} failure: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","SNMPD RECEIVE FAILURE"), - dup23, - ])); - - var msg556 = msg("SNMPD_RECEIVE_FAILURE", part579); - - var part580 = match("MESSAGE#551:SNMPD_RMONFILE_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{dclass_counter2}: operation: %{dclass_counter1->} %{agent}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","RMONFILE FAILURE"), - dup23, - ])); - - var msg557 = msg("SNMPD_RMONFILE_FAILURE", part580); - - var part581 = match("MESSAGE#552:SNMPD_RMON_COOKIE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: Null cookie", processor_chain([ - dup30, - dup22, - setc("event_description","Null cookie"), - dup23, - ])); - - var msg558 = msg("SNMPD_RMON_COOKIE", part581); - - var part582 = match("MESSAGE#553:SNMPD_RMON_EVENTLOG", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: %{result}", processor_chain([ - dup21, - dup22, - setc("event_description","RMON EVENTLOG"), - dup23, - ])); - - var msg559 = msg("SNMPD_RMON_EVENTLOG", part582); - - var part583 = match("MESSAGE#554:SNMPD_RMON_IOERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: Received io error, %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Received io error"), - dup23, - ])); - - var msg560 = msg("SNMPD_RMON_IOERROR", part583); - - var part584 = match("MESSAGE#555:SNMPD_RMON_MIBERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: internal Get request error: description, %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","internal Get request error"), - dup23, - ])); - - var msg561 = msg("SNMPD_RMON_MIBERROR", part584); - - var part585 = match("MESSAGE#556:SNMPD_RTSLIB_ASYNC_EVENT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: sequence mismatch %{result}", processor_chain([ - 
dup30, - dup22, - setc("event_description","sequence mismatch"), - dup23, - ])); - - var msg562 = msg("SNMPD_RTSLIB_ASYNC_EVENT", part585); - - var part586 = match("MESSAGE#557:SNMPD_SEND_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: send send-type (index1) failure: %{result}", processor_chain([ - dup30, - dup22, - dup106, - dup23, - ])); - - var msg563 = msg("SNMPD_SEND_FAILURE", part586); - - var part587 = match("MESSAGE#558:SNMPD_SEND_FAILURE:01", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: send to (%{saddr}) failure: %{result}", processor_chain([ - dup30, - dup22, - dup106, - dup23, - ])); - - var msg564 = msg("SNMPD_SEND_FAILURE:01", part587); - - var select54 = linear_select([ - msg563, - msg564, - ]); - - var part588 = match("MESSAGE#559:SNMPD_SOCKET_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: socket failure: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","SNMPD SOCKET FAILURE"), - dup23, - ])); - - var msg565 = msg("SNMPD_SOCKET_FAILURE", part588); - - var part589 = match("MESSAGE#560:SNMPD_SUBAGENT_NO_BUFFERS", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: No buffers available for subagent (%{agent})", processor_chain([ - dup30, - dup22, - setc("event_description","No buffers available for subagent"), - dup23, - ])); - - var msg566 = msg("SNMPD_SUBAGENT_NO_BUFFERS", part589); - - var part590 = match("MESSAGE#561:SNMPD_SUBAGENT_SEND_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Send to subagent failed (%{agent}): %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Send to subagent failed"), - dup23, - ])); - - var msg567 = msg("SNMPD_SUBAGENT_SEND_FAILED", part590); - - var part591 = match("MESSAGE#562:SNMPD_SYSLIB_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: system function '%{dclass_counter1}' failed: %{result}", 
processor_chain([ - dup30, - dup22, - setc("event_description","system function failed"), - dup23, - ])); - - var msg568 = msg("SNMPD_SYSLIB_FAILURE", part591); - - var part592 = match("MESSAGE#563:SNMPD_THROTTLE_QUEUE_DRAINED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: cleared all throttled traps", processor_chain([ - dup21, - dup22, - setc("event_description","cleared all throttled traps"), - dup23, - ])); - - var msg569 = msg("SNMPD_THROTTLE_QUEUE_DRAINED", part592); - - var part593 = match("MESSAGE#564:SNMPD_TRAP_COLD_START", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: SNMP trap: cold start", processor_chain([ - dup21, - dup22, - setc("event_description","SNMP trap: cold start"), - dup23, - ])); - - var msg570 = msg("SNMPD_TRAP_COLD_START", part593); - - var part594 = match("MESSAGE#565:SNMPD_TRAP_GEN_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: SNMP trap error: %{resultcode->} (%{result})", processor_chain([ - dup30, - dup22, - dup107, - dup23, - ])); - - var msg571 = msg("SNMPD_TRAP_GEN_FAILURE", part594); - - var part595 = match("MESSAGE#566:SNMPD_TRAP_GEN_FAILURE2", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: SNMP trap error: %{dclass_counter2->} %{result}", processor_chain([ - dup30, - dup22, - dup107, - dup23, - ])); - - var msg572 = msg("SNMPD_TRAP_GEN_FAILURE2", part595); - - var part596 = match("MESSAGE#567:SNMPD_TRAP_INVALID_DATA", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: SNMP trap error: %{result->} (%{dclass_counter2}) received", processor_chain([ - dup30, - dup22, - setc("event_description","SNMPD TRAP INVALID DATA"), - dup23, - ])); - - var msg573 = msg("SNMPD_TRAP_INVALID_DATA", part596); - - var part597 = match("MESSAGE#568:SNMPD_TRAP_NOT_ENOUGH_VARBINDS", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: SNMP trap error: %{info->} (%{result})", processor_chain([ - 
dup30, - dup22, - setc("event_description","SNMPD TRAP ERROR"), - dup23, - ])); - - var msg574 = msg("SNMPD_TRAP_NOT_ENOUGH_VARBINDS", part597); - - var part598 = match("MESSAGE#569:SNMPD_TRAP_QUEUED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Adding trap to %{dclass_counter2->} to %{obj_name->} queue, %{dclass_counter1->} traps in queue", processor_chain([ - dup21, - dup22, - setc("event_description","Adding trap to queue"), - dup23, - ])); - - var msg575 = msg("SNMPD_TRAP_QUEUED", part598); - - var part599 = match("MESSAGE#570:SNMPD_TRAP_QUEUE_DRAINED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: traps queued to %{obj_name->} sent successfully", processor_chain([ - dup21, - dup22, - setc("event_description","traps queued - sent successfully"), - dup23, - ])); - - var msg576 = msg("SNMPD_TRAP_QUEUE_DRAINED", part599); - - var part600 = match("MESSAGE#571:SNMPD_TRAP_QUEUE_MAX_ATTEMPTS", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: after %{dclass_counter1->} attempts, deleting %{dclass_counter2->} traps queued to %{obj_name}", processor_chain([ - dup30, - dup22, - setc("event_description","SNMPD TRAP QUEUE MAX_ATTEMPTS - deleting some traps"), - dup23, - ])); - - var msg577 = msg("SNMPD_TRAP_QUEUE_MAX_ATTEMPTS", part600); - - var part601 = match("MESSAGE#572:SNMPD_TRAP_QUEUE_MAX_SIZE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: maximum queue size exceeded (%{dclass_counter1}), discarding trap to %{dclass_counter2->} from %{obj_name->} queue", processor_chain([ - dup21, - dup22, - setc("event_description","SNMP TRAP maximum queue size exceeded"), - dup23, - ])); - - var msg578 = msg("SNMPD_TRAP_QUEUE_MAX_SIZE", part601); - - var part602 = match("MESSAGE#573:SNMPD_TRAP_THROTTLED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: traps throttled after %{dclass_counter1->} traps", processor_chain([ - dup21, - dup22, - 
setc("event_description","SNMP traps throttled"), - dup23, - ])); - - var msg579 = msg("SNMPD_TRAP_THROTTLED", part602); - - var part603 = match("MESSAGE#574:SNMPD_TRAP_TYPE_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: unknown trap type requested (%{obj_type->} )", processor_chain([ - dup30, - dup22, - setc("event_description","unknown SNMP trap type requested"), - dup23, - ])); - - var msg580 = msg("SNMPD_TRAP_TYPE_ERROR", part603); - - var part604 = match("MESSAGE#575:SNMPD_TRAP_VARBIND_TYPE_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: SNMP trap error: expecting %{dclass_counter1->} varbind to be VT_NUMBER (%{resultcode->} )", processor_chain([ - dup30, - dup22, - setc("event_description","SNMPD TRAP VARBIND TYPE ERROR"), - dup23, - ])); - - var msg581 = msg("SNMPD_TRAP_VARBIND_TYPE_ERROR", part604); - - var part605 = match("MESSAGE#576:SNMPD_TRAP_VERSION_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: SNMP trap error: invalid version signature (%{result})", processor_chain([ - dup30, - dup22, - setc("event_description","SNMPD TRAP ERROR - invalid version signature"), - dup23, - ])); - - var msg582 = msg("SNMPD_TRAP_VERSION_ERROR", part605); - - var part606 = match("MESSAGE#577:SNMPD_TRAP_WARM_START", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: SNMP trap: warm start", processor_chain([ - dup21, - dup22, - setc("event_description","SNMPD TRAP WARM START"), - dup23, - ])); - - var msg583 = msg("SNMPD_TRAP_WARM_START", part606); - - var part607 = match("MESSAGE#578:SNMPD_USER_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: %{result->} in %{dclass_counter1->} user '%{username}' %{dclass_counter2}", processor_chain([ - dup30, - dup22, - setc("event_description","SNMPD USER ERROR"), - dup23, - ])); - - var msg584 = msg("SNMPD_USER_ERROR", part607); - - var part608 = match("MESSAGE#579:SNMPD_VIEW_DELETE", 
"nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: deleting view %{dclass_counter2->} %{result}", processor_chain([ - dup21, - dup22, - setc("event_description","SNMP deleting view"), - dup23, - ])); - - var msg585 = msg("SNMPD_VIEW_DELETE", part608); - - var part609 = match("MESSAGE#580:SNMPD_VIEW_INSTALL_DEFAULT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: %{result->} installing default %{dclass_counter1->} view %{dclass_counter2}", processor_chain([ - dup21, - dup22, - setc("event_description","installing default SNMP view"), - dup23, - ])); - - var msg586 = msg("SNMPD_VIEW_INSTALL_DEFAULT", part609); - - var part610 = match("MESSAGE#581:SNMPD_VIEW_OID_PARSE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: oid parsing failed for view %{dclass_counter2->} oid %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","oid parsing failed for SNMP view"), - dup23, - ])); - - var msg587 = msg("SNMPD_VIEW_OID_PARSE", part610); - - var part611 = match("MESSAGE#582:SNMP_GET_ERROR1", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent->} %{dclass_counter1->} failed for %{dclass_counter2->} : %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","SNMP_GET_ERROR 1"), - dup23, - ])); - - var msg588 = msg("SNMP_GET_ERROR1", part611); - - var part612 = match("MESSAGE#583:SNMP_GET_ERROR2", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent->} %{dclass_counter1->} failed for %{dclass_counter2->} : %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","SNMP GET ERROR 2"), - dup23, - ])); - - var msg589 = msg("SNMP_GET_ERROR2", part612); - - var part613 = match("MESSAGE#584:SNMP_GET_ERROR3", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent->} %{dclass_counter1->} failed for %{dclass_counter2->} : %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","SNMP GET ERROR 
3"), - dup23, - ])); - - var msg590 = msg("SNMP_GET_ERROR3", part613); - - var part614 = match("MESSAGE#585:SNMP_GET_ERROR4", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent->} %{dclass_counter1->} failed for %{dclass_counter2->} : %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","SNMP GET ERROR 4"), - dup23, - ])); - - var msg591 = msg("SNMP_GET_ERROR4", part614); - - var part615 = match("MESSAGE#586:SNMP_RTSLIB_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: rtslib-error: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","SNMP RTSLIB FAILURE"), - dup23, - ])); - - var msg592 = msg("SNMP_RTSLIB_FAILURE", part615); - - var part616 = match("MESSAGE#587:SNMP_TRAP_LINK_DOWN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: ifIndex %{dclass_counter1}, ifAdminStatus %{resultcode}, ifOperStatus %{result}, ifName %{interface}", processor_chain([ - dup30, - dup22, - dup108, - dup23, - ])); - - var msg593 = msg("SNMP_TRAP_LINK_DOWN", part616); - - var part617 = match("MESSAGE#596:SNMP_TRAP_LINK_DOWN:01", "nwparser.payload", "%{process->} %{process_id->} %{event_type->} [junos@%{obj_name->} snmp-interface-index=\"%{fld1}\" admin-status=\"%{fld3}\" operational-status=\"%{fld2}\" interface-name=\"%{interface}\"]", processor_chain([ - dup30, - dup22, - dup108, - dup61, - dup62, - ])); - - var msg594 = msg("SNMP_TRAP_LINK_DOWN:01", part617); - - var select55 = linear_select([ - msg593, - msg594, - ]); - - var part618 = match("MESSAGE#588:SNMP_TRAP_LINK_UP", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: ifIndex %{dclass_counter1}, ifAdminStatus %{resultcode}, ifOperStatus %{result}, ifName %{interface}", processor_chain([ - dup21, - dup22, - dup109, - dup23, - ])); - - var msg595 = msg("SNMP_TRAP_LINK_UP", part618); - - var part619 = match("MESSAGE#597:SNMP_TRAP_LINK_UP:01", "nwparser.payload", "%{process->} %{process_id->} %{event_type->} 
[junos@%{obj_name->} snmp-interface-index=\"%{fld1}\" admin-status=\"%{fld3}\" operational-status=\"%{event_state}\" interface-name=\"%{interface}\"]", processor_chain([ - dup21, - dup22, - dup109, - dup61, - dup62, - ])); - - var msg596 = msg("SNMP_TRAP_LINK_UP:01", part619); - - var select56 = linear_select([ - msg595, - msg596, - ]); - - var part620 = match("MESSAGE#589:SNMP_TRAP_PING_PROBE_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: pingCtlOwnerIndex = %{dclass_counter1}, pingCtlTestName = %{obj_name}", processor_chain([ - dup30, - dup22, - setc("event_description","SNMP TRAP PING PROBE FAILED"), - dup23, - ])); - - var msg597 = msg("SNMP_TRAP_PING_PROBE_FAILED", part620); - - var part621 = match("MESSAGE#590:SNMP_TRAP_PING_TEST_COMPLETED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: pingCtlOwnerIndex = %{dclass_counter1}, pingCtlTestName = %{obj_name}", processor_chain([ - dup21, - dup22, - setc("event_description","SNMP TRAP PING TEST COMPLETED"), - dup23, - ])); - - var msg598 = msg("SNMP_TRAP_PING_TEST_COMPLETED", part621); - - var part622 = match("MESSAGE#591:SNMP_TRAP_PING_TEST_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: pingCtlOwnerIndex = %{dclass_counter1}, pingCtlTestName = %{obj_name}", processor_chain([ - dup30, - dup22, - setc("event_description","SNMP TRAP PING TEST FAILED"), - dup23, - ])); - - var msg599 = msg("SNMP_TRAP_PING_TEST_FAILED", part622); - - var part623 = match("MESSAGE#592:SNMP_TRAP_TRACE_ROUTE_PATH_CHANGE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: traceRouteCtlOwnerIndex = %{dclass_counter1}, traceRouteCtlTestName = %{obj_name}", processor_chain([ - dup21, - dup22, - setc("event_description","SNMP TRAP TRACE ROUTE PATH CHANGE"), - dup23, - ])); - - var msg600 = msg("SNMP_TRAP_TRACE_ROUTE_PATH_CHANGE", part623); - - var part624 = match("MESSAGE#593:SNMP_TRAP_TRACE_ROUTE_TEST_COMPLETED", "nwparser.payload", "%{process}[%{process_id}]: 
%{event_type}: traceRouteCtlOwnerIndex = %{dclass_counter1}, traceRouteCtlTestName = %{obj_name}", processor_chain([ - dup21, - dup22, - setc("event_description","SNMP TRAP TRACE ROUTE TEST COMPLETED"), - dup23, - ])); - - var msg601 = msg("SNMP_TRAP_TRACE_ROUTE_TEST_COMPLETED", part624); - - var part625 = match("MESSAGE#594:SNMP_TRAP_TRACE_ROUTE_TEST_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: traceRouteCtlOwnerIndex = %{dclass_counter1}, traceRouteCtlTestName = %{obj_name}", processor_chain([ - dup30, - dup22, - setc("event_description","SNMP TRAP TRACE ROUTE TEST FAILED"), - dup23, - ])); - - var msg602 = msg("SNMP_TRAP_TRACE_ROUTE_TEST_FAILED", part625); - - var part626 = match("MESSAGE#598:SSHD_LOGIN_FAILED", "nwparser.payload", "%{process}: %{event_type}: Login failed for user '%{username}' from host '%{saddr}'", processor_chain([ - dup44, - dup34, - dup35, - dup36, - dup43, - dup22, - dup110, - dup23, - ])); - - var msg603 = msg("SSHD_LOGIN_FAILED", part626); - - var part627 = match("MESSAGE#599:SSHD_LOGIN_FAILED:01", "nwparser.payload", "%{event_type->} [junos@%{obj_name->} username=\"%{username}\" source-address=\"%{saddr}\"]", processor_chain([ - dup44, - dup34, - dup35, - dup36, - dup43, - dup22, - dup110, - dup61, - dup52, - setf("process","hfld33"), - ])); - - var msg604 = msg("SSHD_LOGIN_FAILED:01", part627); - - var select57 = linear_select([ - msg603, - msg604, - ]); - - var part628 = match("MESSAGE#600:task_connect", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: task %{agent->} addr %{daddr}+%{dport}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","task connect failure"), - dup23, - ])); - - var msg605 = msg("task_connect", part628); - - var msg606 = msg("TASK_TASK_REINIT", dup149); - - var part629 = match("MESSAGE#602:TFTPD_AF_ERR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unexpected address family %{dclass_counter2}", processor_chain([ - dup30, - dup22, 
- setc("event_description","Unexpected address family"), - dup23, - ])); - - var msg607 = msg("TFTPD_AF_ERR", part629); - - var part630 = match("MESSAGE#603:TFTPD_BIND_ERR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: bind: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","TFTPD BIND ERROR"), - dup23, - ])); - - var msg608 = msg("TFTPD_BIND_ERR", part630); - - var part631 = match("MESSAGE#604:TFTPD_CONNECT_ERR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: connect: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","TFTPD CONNECT ERROR"), - dup23, - ])); - - var msg609 = msg("TFTPD_CONNECT_ERR", part631); - - var part632 = match("MESSAGE#605:TFTPD_CONNECT_INFO", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: TFTP %{protocol->} from address %{daddr->} port %{dport->} file %(unknown)", processor_chain([ - dup21, - dup22, - setc("event_description","TFTPD CONNECT INFO"), - dup23, - ])); - - var msg610 = msg("TFTPD_CONNECT_INFO", part632); - - var part633 = match("MESSAGE#606:TFTPD_CREATE_ERR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: check_space %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","TFTPD CREATE ERROR"), - dup23, - ])); - - var msg611 = msg("TFTPD_CREATE_ERR", part633); - - var part634 = match("MESSAGE#607:TFTPD_FIO_ERR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","TFTPD FIO ERR"), - dup23, - ])); - - var msg612 = msg("TFTPD_FIO_ERR", part634); - - var part635 = match("MESSAGE#608:TFTPD_FORK_ERR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: fork: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","TFTPD FORK ERROR"), - dup23, - ])); - - var msg613 = msg("TFTPD_FORK_ERR", part635); - - var part636 = match("MESSAGE#609:TFTPD_NAK_ERR", "nwparser.payload", 
"%{process}[%{process_id}]: %{event_type}: nak error %{resultcode}, %{dclass_counter1}", processor_chain([ - dup30, - dup22, - setc("event_description","TFTPD NAK ERROR"), - dup23, - ])); - - var msg614 = msg("TFTPD_NAK_ERR", part636); - - var part637 = match("MESSAGE#610:TFTPD_OPEN_ERR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to open file '%(unknown)', error: %{result}", processor_chain([ - dup30, - dup22, - dup78, - dup23, - ])); - - var msg615 = msg("TFTPD_OPEN_ERR", part637); - - var part638 = match("MESSAGE#611:TFTPD_RECVCOMPLETE_INFO", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Received %{dclass_counter1->} blocks of %{dclass_counter2->} size for file '%(unknown)'", processor_chain([ - dup21, - dup22, - setc("event_description","TFTPD RECVCOMPLETE INFO"), - dup23, - ])); - - var msg616 = msg("TFTPD_RECVCOMPLETE_INFO", part638); - - var part639 = match("MESSAGE#612:TFTPD_RECVFROM_ERR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: recvfrom: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","TFTPD RECVFROM ERROR"), - dup23, - ])); - - var msg617 = msg("TFTPD_RECVFROM_ERR", part639); - - var part640 = match("MESSAGE#613:TFTPD_RECV_ERR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: recv: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","TFTPD RECV ERROR"), - dup23, - ])); - - var msg618 = msg("TFTPD_RECV_ERR", part640); - - var part641 = match("MESSAGE#614:TFTPD_SENDCOMPLETE_INFO", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Sent %{dclass_counter1->} blocks of %{dclass_counter2->} and %{info->} for file '%(unknown)'", processor_chain([ - dup21, - dup22, - setc("event_description","TFTPD SENDCOMPLETE INFO"), - dup23, - ])); - - var msg619 = msg("TFTPD_SENDCOMPLETE_INFO", part641); - - var part642 = match("MESSAGE#615:TFTPD_SEND_ERR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: send: 
%{result}", processor_chain([ - dup30, - dup22, - setc("event_description","TFTPD SEND ERROR"), - dup23, - ])); - - var msg620 = msg("TFTPD_SEND_ERR", part642); - - var part643 = match("MESSAGE#616:TFTPD_SOCKET_ERR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: socket: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","TFTPD SOCKET ERROR"), - dup23, - ])); - - var msg621 = msg("TFTPD_SOCKET_ERR", part643); - - var part644 = match("MESSAGE#617:TFTPD_STATFS_ERR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: statfs %{agent}, error: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","TFTPD STATFS ERROR"), - dup23, - ])); - - var msg622 = msg("TFTPD_STATFS_ERR", part644); - - var part645 = match("MESSAGE#618:TNP", "nwparser.payload", "%{process}: %{event_type}: adding neighbor %{dclass_counter1->} to interface %{interface}", processor_chain([ - dup21, - dup22, - setc("event_description","adding neighbor to interface"), - dup23, - ])); - - var msg623 = msg("TNP", part645); - - var part646 = match("MESSAGE#619:trace_on", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: tracing to %{fld33->} started", processor_chain([ - dup21, - dup22, - setc("event_description","tracing to file"), - dup23, - call({ - dest: "nwparser.filename", - fn: RMQ, - args: [ - field("fld33"), - ], - }), - ])); - - var msg624 = msg("trace_on", part646); - - var part647 = match("MESSAGE#620:trace_rotate", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: rotating %(unknown)", processor_chain([ - dup21, - dup22, - setc("event_description","trace rotating file"), - dup23, - ])); - - var msg625 = msg("trace_rotate", part647); - - var part648 = match("MESSAGE#621:transfer-file", "nwparser.payload", "%{process}: %{event_type}: Transferred %(unknown)", processor_chain([ - dup21, - dup22, - setc("event_description","transfered file"), - dup23, - ])); - - var msg626 = msg("transfer-file", 
part648); - - var part649 = match("MESSAGE#622:ttloop", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: peer died: %{result}: %{resultcode}", processor_chain([ - dup30, - dup22, - setc("event_description","ttloop - peer died"), - dup23, - ])); - - var msg627 = msg("ttloop", part649); - - var part650 = match("MESSAGE#623:UI_AUTH_EVENT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Authenticated user '%{username}' at permission level '%{privilege}'", processor_chain([ - dup80, - dup34, - dup35, - dup37, - dup22, - setc("event_description","Authenticated user"), - dup23, - ])); - - var msg628 = msg("UI_AUTH_EVENT", part650); - - var part651 = match("MESSAGE#624:UI_AUTH_INVALID_CHALLENGE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Received invalid authentication challenge for user '%{username}': response", processor_chain([ - dup30, - dup22, - setc("event_description","Received invalid authentication challenge for user response"), - dup23, - ])); - - var msg629 = msg("UI_AUTH_INVALID_CHALLENGE", part651); - - var part652 = match("MESSAGE#625:UI_BOOTTIME_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to fetch boot time: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Unable to fetch boot time"), - dup23, - ])); - - var msg630 = msg("UI_BOOTTIME_FAILED", part652); - - var part653 = match("MESSAGE#626:UI_CFG_AUDIT_NEW", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: user '%{username}' %{dclass_counter2->} path unknown", processor_chain([ - dup30, - dup22, - setc("event_description","user path unknown"), - dup23, - ])); - - var msg631 = msg("UI_CFG_AUDIT_NEW", part653); - - var part654 = match("MESSAGE#627:UI_CFG_AUDIT_NEW:01", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' insert: [edit-config config %{filename->} security policies %{policyname}] %{info}", processor_chain([ - dup42, - dup22, - 
setc("event_description"," user Inserted Security Policies in config"), - dup23, - ])); - - var msg632 = msg("UI_CFG_AUDIT_NEW:01", part654); - - var select58 = linear_select([ - msg631, - msg632, - ]); - - var part655 = match("MESSAGE#628:UI_CFG_AUDIT_OTHER", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' delete: [%(unknown)]", processor_chain([ - dup21, - dup22, - setc("event_description","User deleted file"), - setc("action","delete"), - dup23, - ])); - - var msg633 = msg("UI_CFG_AUDIT_OTHER", part655); - - var part656 = match("MESSAGE#629:UI_CFG_AUDIT_OTHER:01", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' rollback: %(unknown)", processor_chain([ - dup21, - dup22, - setc("event_description","User rollback file"), - dup23, - ])); - - var msg634 = msg("UI_CFG_AUDIT_OTHER:01", part656); - - var part657 = match("MESSAGE#630:UI_CFG_AUDIT_OTHER:02/1_0", "nwparser.p0", "\"%{info}\""); - - var select59 = linear_select([ - part657, - dup112, - ]); - - var all31 = all_match({ - processors: [ - dup111, - select59, - ], - on_success: processor_chain([ - dup21, - dup22, - setc("event_description","User set"), - dup23, - ]), - }); - - var msg635 = msg("UI_CFG_AUDIT_OTHER:02", all31); - - var part658 = match("MESSAGE#631:UI_CFG_AUDIT_OTHER:03", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' replace: [edit-config config %{filename->} applications %{info}]", processor_chain([ - dup21, - dup22, - setc("event_description","User config replace"), - setc("action","replace"), - dup23, - ])); - - var msg636 = msg("UI_CFG_AUDIT_OTHER:03", part658); - - var part659 = match("MESSAGE#632:UI_CFG_AUDIT_OTHER:04", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' deactivate: [groups %{info}]", processor_chain([ - setc("eventcategory","1701070000"), - dup22, - setc("event_description","User deactivating group(s)"), - setc("action","deactivate"), - 
dup23, - ])); - - var msg637 = msg("UI_CFG_AUDIT_OTHER:04", part659); - - var part660 = match("MESSAGE#633:UI_CFG_AUDIT_OTHER:05", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' update: %(unknown)", processor_chain([ - dup113, - dup22, - setc("event_description","User updates config file"), - setc("action","update"), - dup23, - ])); - - var msg638 = msg("UI_CFG_AUDIT_OTHER:05", part660); - - var select60 = linear_select([ - msg633, - msg634, - msg635, - msg636, - msg637, - msg638, - ]); - - var part661 = match("MESSAGE#634:UI_CFG_AUDIT_SET:01/1_0", "nwparser.p0", "\"%{change_old}\" %{p0}"); - - var select61 = linear_select([ - part661, - dup114, - ]); - - var all32 = all_match({ - processors: [ - dup111, - select61, - dup115, - ], - on_success: processor_chain([ - dup21, - dup22, - dup116, - dup23, - ]), - }); - - var msg639 = msg("UI_CFG_AUDIT_SET:01", all32); - - var part662 = match("MESSAGE#635:UI_CFG_AUDIT_SET:02/1_0", "nwparser.p0", "\"%{change_old->} %{p0}"); - - var select62 = linear_select([ - part662, - dup114, - ]); - - var all33 = all_match({ - processors: [ - dup111, - select62, - dup115, - ], - on_success: processor_chain([ - dup21, - dup22, - dup116, - dup23, - ]), - }); - - var msg640 = msg("UI_CFG_AUDIT_SET:02", all33); - - var part663 = match("MESSAGE#636:UI_CFG_AUDIT_SET", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' replace: [edit-config config %{filename->} applications %{info}] \u003c\u003c%{disposition}> -> \"%{agent}\"", processor_chain([ - dup21, - dup22, - setc("event_description","User replace config application(s)"), - dup23, - ])); - - var msg641 = msg("UI_CFG_AUDIT_SET", part663); - - var select63 = linear_select([ - msg639, - msg640, - msg641, - ]); - - var part664 = match("MESSAGE#637:UI_CFG_AUDIT_SET_SECRET:01/2", "nwparser.p0", ": [groups %{info->} secret]"); - - var all34 = all_match({ - processors: [ - dup117, - dup156, - part664, - ], - on_success: 
processor_chain([ - dup113, - dup22, - dup120, - dup23, - ]), - }); - - var msg642 = msg("UI_CFG_AUDIT_SET_SECRET:01", all34); - - var part665 = match("MESSAGE#638:UI_CFG_AUDIT_SET_SECRET:02/2", "nwparser.p0", ": [%{info}]"); - - var all35 = all_match({ - processors: [ - dup117, - dup156, - part665, - ], - on_success: processor_chain([ - dup113, - dup22, - dup120, - dup23, - ]), - }); - - var msg643 = msg("UI_CFG_AUDIT_SET_SECRET:02", all35); - - var part666 = match("MESSAGE#639:UI_CFG_AUDIT_SET_SECRET", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: user '%{username}' %{dclass_counter2->} %{directory}", processor_chain([ - dup21, - dup22, - setc("event_description","UI CFG AUDIT SET SECRET"), - dup23, - ])); - - var msg644 = msg("UI_CFG_AUDIT_SET_SECRET", part666); - - var select64 = linear_select([ - msg642, - msg643, - msg644, - ]); - - var part667 = match("MESSAGE#640:UI_CHILD_ARGS_EXCEEDED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Too many arguments for child process '%{agent}'", processor_chain([ - dup30, - dup22, - setc("event_description","Too many arguments for child process"), - dup23, - ])); - - var msg645 = msg("UI_CHILD_ARGS_EXCEEDED", part667); - - var part668 = match("MESSAGE#641:UI_CHILD_CHANGE_USER", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to switch to local user: %{username}", processor_chain([ - dup30, - dup22, - setc("event_description","Unable to switch to local user"), - dup23, - ])); - - var msg646 = msg("UI_CHILD_CHANGE_USER", part668); - - var part669 = match("MESSAGE#642:UI_CHILD_EXEC", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Child exec failed for command '%{action}': %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Child exec failed"), - dup23, - ])); - - var msg647 = msg("UI_CHILD_EXEC", part669); - - var part670 = match("MESSAGE#643:UI_CHILD_EXITED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Child 
exited: PID %{child_pid}, status %{result}, command '%{action}'", processor_chain([ - dup30, - dup22, - setc("event_description","Child exited"), - dup23, - ])); - - var msg648 = msg("UI_CHILD_EXITED", part670); - - var part671 = match("MESSAGE#644:UI_CHILD_FOPEN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to append to log '%(unknown)': %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Unable to append to log"), - dup23, - ])); - - var msg649 = msg("UI_CHILD_FOPEN", part671); - - var part672 = match("MESSAGE#645:UI_CHILD_PIPE_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to create pipe for command '%{action}': %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Unable to create pipe for command"), - dup23, - ])); - - var msg650 = msg("UI_CHILD_PIPE_FAILED", part672); - - var part673 = match("MESSAGE#646:UI_CHILD_SIGNALED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Child received signal: PID %{child_pid}, signal %{result}: %{resultcode}, command='%{action}'", processor_chain([ - dup21, - dup22, - dup61, - setc("event_description","Child received signal"), - dup23, - ])); - - var msg651 = msg("UI_CHILD_SIGNALED", part673); - - var part674 = match("MESSAGE#647:UI_CHILD_STOPPED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Child stopped: PID %{child_pid}, signal=%{resultcode->} command='%{action}')", processor_chain([ - dup21, - dup22, - setc("event_description","Child stopped"), - dup23, - ])); - - var msg652 = msg("UI_CHILD_STOPPED", part674); - - var part675 = match("MESSAGE#648:UI_CHILD_START", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Starting child '%{agent}'", processor_chain([ - dup21, - dup22, - setc("event_description","Starting child"), - dup23, - ])); - - var msg653 = msg("UI_CHILD_START", part675); - - var part676 = match("MESSAGE#649:UI_CHILD_STATUS", "nwparser.payload", 
"%{process}[%{process_id}]: %{event_type}: Cleanup child '%{agent}', PID %{child_pid}, status %{result}", processor_chain([ - dup21, - dup22, - setc("event_description","Cleanup child"), - dup23, - ])); - - var msg654 = msg("UI_CHILD_STATUS", part676); - - var part677 = match("MESSAGE#650:UI_CHILD_WAITPID", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: waitpid failed: PID %{child_pid}, rc %{dclass_counter2}, status %{resultcode}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","waitpid failed"), - dup23, - ])); - - var msg655 = msg("UI_CHILD_WAITPID", part677); - - var part678 = match("MESSAGE#651:UI_CLI_IDLE_TIMEOUT", "nwparser.payload", "%{event_type}: Idle timeout for user '%{username}' exceeded and %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Idle timeout for user exceeded"), - dup23, - ])); - - var msg656 = msg("UI_CLI_IDLE_TIMEOUT", part678); - - var part679 = match("MESSAGE#652:UI_CMDLINE_READ_LINE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}', command '%{action}'", processor_chain([ - dup21, - dup22, - dup121, - dup23, - ])); - - var msg657 = msg("UI_CMDLINE_READ_LINE", part679); - - var part680 = match("MESSAGE#653:UI_CMDSET_EXEC_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Command execution failed for '%{agent}': %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Command execution failed"), - dup23, - ])); - - var msg658 = msg("UI_CMDSET_EXEC_FAILED", part680); - - var part681 = match("MESSAGE#654:UI_CMDSET_FORK_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to fork command '%{agent}': %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Unable to fork command"), - dup23, - ])); - - var msg659 = msg("UI_CMDSET_FORK_FAILED", part681); - - var msg660 = msg("UI_CMDSET_PIPE_FAILED", dup144); - - var part682 = 
match("MESSAGE#656:UI_CMDSET_STOPPED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Command stopped: PID %{child_pid}, signal '%{resultcode}, command '%{action}'", processor_chain([ - dup30, - dup22, - dup70, - dup23, - ])); - - var msg661 = msg("UI_CMDSET_STOPPED", part682); - - var part683 = match("MESSAGE#657:UI_CMDSET_WEXITED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Command exited: PID %{child_pid}, status %{resultcode}, command '%{action}'", processor_chain([ - dup30, - dup22, - dup72, - dup23, - ])); - - var msg662 = msg("UI_CMDSET_WEXITED", part683); - - var part684 = match("MESSAGE#658:UI_CMD_AUTH_REGEX_INVALID", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Invalid '%{action}' command authorization regular expression '%{agent}': %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Invalid regexp command"), - dup23, - ])); - - var msg663 = msg("UI_CMD_AUTH_REGEX_INVALID", part684); - - var part685 = match("MESSAGE#659:UI_COMMIT/1_0", "nwparser.p0", "requested '%{action}' operation (comment:%{info})"); - - var part686 = match("MESSAGE#659:UI_COMMIT/1_1", "nwparser.p0", "performed %{action}"); - - var select65 = linear_select([ - part685, - part686, - ]); - - var all36 = all_match({ - processors: [ - dup117, - select65, - ], - on_success: processor_chain([ - dup21, - dup22, - dup122, - dup23, - ]), - }); - - var msg664 = msg("UI_COMMIT", all36); - - var part687 = match("MESSAGE#660:UI_COMMIT_AT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: user '%{username}' performed %{result}", processor_chain([ - dup21, - dup22, - dup122, - dup23, - ])); - - var msg665 = msg("UI_COMMIT_AT", part687); - - var part688 = match("MESSAGE#661:UI_COMMIT_AT_COMPLETED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: '%{agent}' was successful", processor_chain([ - dup21, - dup22, - setc("event_description","User commit successful"), - dup23, - ])); - - var msg666 = 
msg("UI_COMMIT_AT_COMPLETED", part688); - - var part689 = match("MESSAGE#662:UI_COMMIT_AT_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{result}, %{info}", processor_chain([ - dup30, - dup22, - setc("event_description","User commit failed"), - dup23, - ])); - - var msg667 = msg("UI_COMMIT_AT_FAILED", part689); - - var part690 = match("MESSAGE#663:UI_COMMIT_COMPRESS_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to compress file %(unknown)'", processor_chain([ - dup30, - dup22, - setc("event_description","Unable to compress file"), - dup23, - ])); - - var msg668 = msg("UI_COMMIT_COMPRESS_FAILED", part690); - - var part691 = match("MESSAGE#664:UI_COMMIT_CONFIRMED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: user '%{username}' performed '%{action}'", processor_chain([ - dup21, - dup22, - setc("event_description","UI COMMIT CONFIRMED"), - dup23, - ])); - - var msg669 = msg("UI_COMMIT_CONFIRMED", part691); - - var part692 = match("MESSAGE#665:UI_COMMIT_CONFIRMED_REMINDER/0", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: '%{action}' must be confirmed within %{p0}"); - - var part693 = match("MESSAGE#665:UI_COMMIT_CONFIRMED_REMINDER/1_0", "nwparser.p0", "minutes %{dclass_counter1}"); - - var part694 = match("MESSAGE#665:UI_COMMIT_CONFIRMED_REMINDER/1_1", "nwparser.p0", "%{dclass_counter1->} minutes"); - - var select66 = linear_select([ - part693, - part694, - ]); - - var all37 = all_match({ - processors: [ - part692, - select66, - ], - on_success: processor_chain([ - dup21, - dup22, - setc("event_description","COMMIT must be confirmed within # minutes"), - dup23, - ]), - }); - - var msg670 = msg("UI_COMMIT_CONFIRMED_REMINDER", all37); - - var part695 = match("MESSAGE#666:UI_COMMIT_CONFIRMED_TIMED/2", "nwparser.p0", "'%{username}' performed '%{action}'"); - - var all38 = all_match({ - processors: [ - dup50, - dup145, - part695, - ], - on_success: processor_chain([ - dup21, - 
dup22, - setc("event_description","user performed commit confirm"), - dup23, - ]), - }); - - var msg671 = msg("UI_COMMIT_CONFIRMED_TIMED", all38); - - var part696 = match("MESSAGE#667:UI_COMMIT_EMPTY_CONTAINER", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Skipped empty object %{result}", processor_chain([ - dup21, - dup22, - setc("event_description","Skipped empty object"), - dup23, - ])); - - var msg672 = msg("UI_COMMIT_EMPTY_CONTAINER", part696); - - var part697 = match("MESSAGE#668:UI_COMMIT_NOT_CONFIRMED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Commit was not confirmed; %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","COMMIT NOT CONFIRMED"), - dup23, - ])); - - var msg673 = msg("UI_COMMIT_NOT_CONFIRMED", part697); - - var part698 = match("MESSAGE#669:UI_COMMIT_PROGRESS/1_0", "nwparser.p0", "commit %{p0}"); - - var part699 = match("MESSAGE#669:UI_COMMIT_PROGRESS/1_1", "nwparser.p0", "Commit operation in progress %{p0}"); - - var select67 = linear_select([ - part698, - part699, - ]); - - var part700 = match("MESSAGE#669:UI_COMMIT_PROGRESS/2", "nwparser.p0", ": %{action}"); - - var all39 = all_match({ - processors: [ - dup50, - select67, - part700, - ], - on_success: processor_chain([ - dup21, - dup22, - setc("event_description","Commit operation in progress"), - dup23, - ]), - }); - - var msg674 = msg("UI_COMMIT_PROGRESS", all39); - - var part701 = match("MESSAGE#670:UI_COMMIT_QUIT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: user '%{username}' performed %{action}", processor_chain([ - dup21, - dup22, - setc("event_description","COMMIT QUIT"), - dup23, - ])); - - var msg675 = msg("UI_COMMIT_QUIT", part701); - - var part702 = match("MESSAGE#671:UI_COMMIT_ROLLBACK_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Automatic rollback failed", processor_chain([ - dup30, - dup22, - setc("event_description","Automatic rollback failed"), - dup23, - ])); - - var 
msg676 = msg("UI_COMMIT_ROLLBACK_FAILED", part702); - - var part703 = match("MESSAGE#672:UI_COMMIT_SYNC", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: user '%{username}' performed %{action}", processor_chain([ - dup21, - dup22, - setc("event_description","COMMIT SYNC"), - dup23, - ])); - - var msg677 = msg("UI_COMMIT_SYNC", part703); - - var part704 = match("MESSAGE#673:UI_COMMIT_SYNC_FORCE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: All logins to local configuration database were terminated because %{result}", processor_chain([ - dup21, - dup22, - setc("event_description","All logins to local configuration database were terminated"), - dup23, - ])); - - var msg678 = msg("UI_COMMIT_SYNC_FORCE", part704); - - var part705 = match("MESSAGE#674:UI_CONFIGURATION_ERROR/0", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Process: %{agent}, path: %{p0}"); - - var part706 = match("MESSAGE#674:UI_CONFIGURATION_ERROR/1_0", "nwparser.p0", "[%(unknown)], %{p0}"); - - var part707 = match("MESSAGE#674:UI_CONFIGURATION_ERROR/1_1", "nwparser.p0", "%(unknown), %{p0}"); - - var select68 = linear_select([ - part706, - part707, - ]); - - var part708 = match("MESSAGE#674:UI_CONFIGURATION_ERROR/2", "nwparser.p0", "statement: %{info->} %{p0}"); - - var part709 = match("MESSAGE#674:UI_CONFIGURATION_ERROR/3_0", "nwparser.p0", ", error: %{result->} "); - - var select69 = linear_select([ - part709, - dup112, - ]); - - var all40 = all_match({ - processors: [ - part705, - select68, - part708, - select69, - ], - on_success: processor_chain([ - dup30, - dup22, - setc("event_description","CONFIGURATION ERROR"), - dup23, - ]), - }); - - var msg679 = msg("UI_CONFIGURATION_ERROR", all40); - - var part710 = match("MESSAGE#675:UI_DAEMON_ACCEPT_FAILED/2", "nwparser.p0", "socket connection accept failed: %{result}"); - - var all41 = all_match({ - processors: [ - dup50, - dup157, - part710, - ], - on_success: processor_chain([ - dup30, - dup22, - 
setc("event_description","socket connection accept failed"), - dup23, - ]), - }); - - var msg680 = msg("UI_DAEMON_ACCEPT_FAILED", all41); - - var part711 = match("MESSAGE#676:UI_DAEMON_FORK_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to create session child: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Unable to create session child"), - dup23, - ])); - - var msg681 = msg("UI_DAEMON_FORK_FAILED", part711); - - var part712 = match("MESSAGE#677:UI_DAEMON_SELECT_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: select failed: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","DAEMON SELECT FAILED"), - dup23, - ])); - - var msg682 = msg("UI_DAEMON_SELECT_FAILED", part712); - - var part713 = match("MESSAGE#678:UI_DAEMON_SOCKET_FAILED/2", "nwparser.p0", "socket create failed: %{result}"); - - var all42 = all_match({ - processors: [ - dup50, - dup157, - part713, - ], - on_success: processor_chain([ - dup30, - dup22, - setc("event_description","socket create failed"), - dup23, - ]), - }); - - var msg683 = msg("UI_DAEMON_SOCKET_FAILED", all42); - - var part714 = match("MESSAGE#679:UI_DBASE_ACCESS_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to reaccess database file '%(unknown)', address %{interface}, size %{dclass_counter1}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Unable to reaccess database file"), - dup23, - ])); - - var msg684 = msg("UI_DBASE_ACCESS_FAILED", part714); - - var part715 = match("MESSAGE#680:UI_DBASE_CHECKOUT_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Database '%(unknown)' is out of data and needs to be rebuilt", processor_chain([ - dup30, - dup22, - setc("event_description","Database is out of data"), - dup23, - ])); - - var msg685 = msg("UI_DBASE_CHECKOUT_FAILED", part715); - - var part716 = match("MESSAGE#681:UI_DBASE_EXTEND_FAILED", 
"nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to extend database file '%(unknown)' to size %{dclass_counter1}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Unable to extend database file"), - dup23, - ])); - - var msg686 = msg("UI_DBASE_EXTEND_FAILED", part716); - - var part717 = match("MESSAGE#682:UI_DBASE_LOGIN_EVENT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' entering configuration mode", processor_chain([ - dup33, - dup34, - dup35, - dup36, - dup37, - dup22, - setc("event_description","User entering configuration mode"), - dup23, - ])); - - var msg687 = msg("UI_DBASE_LOGIN_EVENT", part717); - - var part718 = match("MESSAGE#683:UI_DBASE_LOGOUT_EVENT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' %{event_description}", processor_chain([ - dup125, - dup34, - dup35, - dup126, - dup37, - dup22, - setc("event_description","User exiting configuration mode"), - dup23, - ])); - - var msg688 = msg("UI_DBASE_LOGOUT_EVENT", part718); - - var part719 = match("MESSAGE#684:UI_DBASE_MISMATCH_EXTENT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Database header extent mismatch for file '%{agent}': expecting %{dclass_counter1}, got %{dclass_counter2}", processor_chain([ - dup30, - dup22, - setc("event_description","Database header extent mismatch"), - dup23, - ])); - - var msg689 = msg("UI_DBASE_MISMATCH_EXTENT", part719); - - var part720 = match("MESSAGE#685:UI_DBASE_MISMATCH_MAJOR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Database header major version number mismatch for file '%(unknown)': expecting %{dclass_counter1}, got %{dclass_counter2}", processor_chain([ - dup30, - dup22, - setc("event_description","Database header major version number mismatch"), - dup23, - ])); - - var msg690 = msg("UI_DBASE_MISMATCH_MAJOR", part720); - - var part721 = match("MESSAGE#686:UI_DBASE_MISMATCH_MINOR", 
"nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Database header minor version number mismatch for file '%(unknown)': expecting %{dclass_counter1}, got %{dclass_counter2}", processor_chain([ - dup30, - dup22, - setc("event_description","Database header minor version number mismatch"), - dup23, - ])); - - var msg691 = msg("UI_DBASE_MISMATCH_MINOR", part721); - - var part722 = match("MESSAGE#687:UI_DBASE_MISMATCH_SEQUENCE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Database header sequence numbers mismatch for file '%(unknown)'", processor_chain([ - dup30, - dup22, - setc("event_description","Database header sequence numbers mismatch"), - dup23, - ])); - - var msg692 = msg("UI_DBASE_MISMATCH_SEQUENCE", part722); - - var part723 = match("MESSAGE#688:UI_DBASE_MISMATCH_SIZE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Database header size mismatch for file '%(unknown)': expecting %{dclass_counter1}, got %{dclass_counter2}", processor_chain([ - dup30, - dup22, - setc("event_description","Database header size mismatch"), - dup23, - ])); - - var msg693 = msg("UI_DBASE_MISMATCH_SIZE", part723); - - var part724 = match("MESSAGE#689:UI_DBASE_OPEN_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Database open failed for file '%(unknown)': %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Database open failed"), - dup23, - ])); - - var msg694 = msg("UI_DBASE_OPEN_FAILED", part724); - - var part725 = match("MESSAGE#690:UI_DBASE_REBUILD_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User %{username->} Automatic rebuild of the database '%(unknown)' failed", processor_chain([ - dup30, - dup22, - setc("event_description","DBASE REBUILD FAILED"), - dup23, - ])); - - var msg695 = msg("UI_DBASE_REBUILD_FAILED", part725); - - var part726 = match("MESSAGE#691:UI_DBASE_REBUILD_SCHEMA_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: 
Automatic rebuild of the database failed", processor_chain([ - dup30, - dup22, - setc("event_description","Automatic rebuild of the database failed"), - dup23, - ])); - - var msg696 = msg("UI_DBASE_REBUILD_SCHEMA_FAILED", part726); - - var part727 = match("MESSAGE#692:UI_DBASE_REBUILD_STARTED/1_1", "nwparser.p0", "Automatic %{p0}"); - - var select70 = linear_select([ - dup76, - part727, - ]); - - var part728 = match("MESSAGE#692:UI_DBASE_REBUILD_STARTED/2", "nwparser.p0", "%{username->} rebuild/rollback of the database '%(unknown)' started"); - - var all43 = all_match({ - processors: [ - dup50, - select70, - part728, - ], - on_success: processor_chain([ - dup21, - dup22, - setc("event_description","DBASE REBUILD STARTED"), - dup23, - ]), - }); - - var msg697 = msg("UI_DBASE_REBUILD_STARTED", all43); - - var part729 = match("MESSAGE#693:UI_DBASE_RECREATE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: user '%{username}' attempting database re-creation", processor_chain([ - dup21, - dup22, - setc("event_description","user attempting database re-creation"), - dup23, - ])); - - var msg698 = msg("UI_DBASE_RECREATE", part729); - - var part730 = match("MESSAGE#694:UI_DBASE_REOPEN_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Reopen of the database failed", processor_chain([ - dup30, - dup22, - setc("event_description","Reopen of the database failed"), - dup23, - ])); - - var msg699 = msg("UI_DBASE_REOPEN_FAILED", part730); - - var part731 = match("MESSAGE#695:UI_DUPLICATE_UID", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Users %{username->} have the same UID %{uid}", processor_chain([ - dup30, - dup22, - setc("event_description","Users have the same UID"), - dup23, - ])); - - var msg700 = msg("UI_DUPLICATE_UID", part731); - - var part732 = match("MESSAGE#696:UI_JUNOSCRIPT_CMD", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' used JUNOScript client to run command '%{action}'", 
processor_chain([ - setc("eventcategory","1401050100"), - dup22, - setc("event_description","User used JUNOScript client to run command"), - dup23, - ])); - - var msg701 = msg("UI_JUNOSCRIPT_CMD", part732); - - var part733 = match("MESSAGE#697:UI_JUNOSCRIPT_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: JUNOScript error: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","JUNOScript error"), - dup23, - ])); - - var msg702 = msg("UI_JUNOSCRIPT_ERROR", part733); - - var part734 = match("MESSAGE#698:UI_LOAD_EVENT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' is performing a '%{action}'", processor_chain([ - dup21, - dup22, - setc("event_description","User command"), - dup23, - ])); - - var msg703 = msg("UI_LOAD_EVENT", part734); - - var part735 = match("MESSAGE#699:UI_LOAD_JUNOS_DEFAULT_FILE_EVENT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Loading the default config from %(unknown)", processor_chain([ - setc("eventcategory","1701040000"), - dup22, - setc("event_description","Loading default config from file"), - dup23, - ])); - - var msg704 = msg("UI_LOAD_JUNOS_DEFAULT_FILE_EVENT", part735); - - var part736 = match("MESSAGE#700:UI_LOGIN_EVENT:01", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' login, class '%{group}' [%{fld01}], %{info->} '%{saddr->} %{sport->} %{daddr->} %{dport}', client-mode '%{fld02}'", processor_chain([ - dup33, - dup34, - dup35, - dup36, - dup37, - dup22, - dup127, - dup128, - dup23, - ])); - - var msg705 = msg("UI_LOGIN_EVENT:01", part736); - - var part737 = match("MESSAGE#701:UI_LOGIN_EVENT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' login, class '%{group}' %{info}", processor_chain([ - dup33, - dup34, - dup35, - dup36, - dup37, - dup22, - dup127, - dup23, - ])); - - var msg706 = msg("UI_LOGIN_EVENT", part737); - - var select71 = linear_select([ - msg705, - 
msg706, - ]); - - var part738 = match("MESSAGE#702:UI_LOGOUT_EVENT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' logout", processor_chain([ - dup125, - dup34, - dup35, - dup126, - dup37, - dup22, - setc("event_description","User logout"), - dup23, - ])); - - var msg707 = msg("UI_LOGOUT_EVENT", part738); - - var part739 = match("MESSAGE#703:UI_LOST_CONN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Lost connection to daemon %{agent}", processor_chain([ - dup30, - dup22, - setc("event_description","Lost connection to daemon"), - dup23, - ])); - - var msg708 = msg("UI_LOST_CONN", part739); - - var part740 = match("MESSAGE#704:UI_MASTERSHIP_EVENT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action->} by '%{username}'", processor_chain([ - dup21, - dup22, - setc("event_description","MASTERSHIP EVENT"), - dup23, - ])); - - var msg709 = msg("UI_MASTERSHIP_EVENT", part740); - - var part741 = match("MESSAGE#705:UI_MGD_TERMINATE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Terminating operation: exit status %{resultcode}", processor_chain([ - dup21, - dup22, - setc("event_description","Terminating operation"), - dup23, - ])); - - var msg710 = msg("UI_MGD_TERMINATE", part741); - - var part742 = match("MESSAGE#706:UI_NETCONF_CMD", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' used NETCONF client to run command '%{action}'", processor_chain([ - dup29, - dup22, - setc("event_description","User used NETCONF client to run command"), - dup23, - ])); - - var msg711 = msg("UI_NETCONF_CMD", part742); - - var part743 = match("MESSAGE#707:UI_READ_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: read failed for peer %{hostname}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","read failed for peer"), - dup23, - ])); - - var msg712 = msg("UI_READ_FAILED", part743); - - var part744 = 
match("MESSAGE#708:UI_READ_TIMEOUT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Timeout on read of peer %{hostname}", processor_chain([ - dup30, - dup22, - setc("event_description","Timeout on read of peer"), - dup23, - ])); - - var msg713 = msg("UI_READ_TIMEOUT", part744); - - var part745 = match("MESSAGE#709:UI_REBOOT_EVENT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: System %{action->} by '%{username}'", processor_chain([ - dup60, - dup22, - setc("event_description","System reboot or halt"), - dup23, - ])); - - var msg714 = msg("UI_REBOOT_EVENT", part745); - - var part746 = match("MESSAGE#710:UI_RESTART_EVENT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: user '%{username}' restarting daemon %{service}", processor_chain([ - dup29, - dup22, - setc("event_description","user restarting daemon"), - dup23, - ])); - - var msg715 = msg("UI_RESTART_EVENT", part746); - - var part747 = match("MESSAGE#711:UI_SCHEMA_CHECKOUT_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Schema is out of date and %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Schema is out of date"), - dup23, - ])); - - var msg716 = msg("UI_SCHEMA_CHECKOUT_FAILED", part747); - - var part748 = match("MESSAGE#712:UI_SCHEMA_MISMATCH_MAJOR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Schema major version mismatch for package %{filename->} %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Schema major version mismatch"), - dup23, - ])); - - var msg717 = msg("UI_SCHEMA_MISMATCH_MAJOR", part748); - - var part749 = match("MESSAGE#713:UI_SCHEMA_MISMATCH_MINOR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Schema minor version mismatch for package %{filename->} %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Schema minor version mismatch"), - dup23, - ])); - - var msg718 = msg("UI_SCHEMA_MISMATCH_MINOR", part749); - 
- var part750 = match("MESSAGE#714:UI_SCHEMA_MISMATCH_SEQUENCE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Schema header sequence numbers mismatch for package %(unknown)", processor_chain([ - dup30, - dup22, - setc("event_description","Schema header sequence numbers mismatch"), - dup23, - ])); - - var msg719 = msg("UI_SCHEMA_MISMATCH_SEQUENCE", part750); - - var part751 = match("MESSAGE#715:UI_SCHEMA_SEQUENCE_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Schema sequence number mismatch", processor_chain([ - dup30, - dup22, - setc("event_description","Schema sequence number mismatch"), - dup23, - ])); - - var msg720 = msg("UI_SCHEMA_SEQUENCE_ERROR", part751); - - var part752 = match("MESSAGE#716:UI_SYNC_OTHER_RE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Configuration synchronization with remote Routing Engine %{result}", processor_chain([ - dup21, - dup22, - setc("event_description","Configuration synchronization with remote Routing Engine"), - dup23, - ])); - - var msg721 = msg("UI_SYNC_OTHER_RE", part752); - - var part753 = match("MESSAGE#717:UI_TACPLUS_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: TACACS+ failure: %{result}", processor_chain([ - dup30, - dup22, - dup129, - dup23, - ])); - - var msg722 = msg("UI_TACPLUS_ERROR", part753); - - var part754 = match("MESSAGE#718:UI_VERSION_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to fetch system version: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Unable to fetch system version"), - dup23, - ])); - - var msg723 = msg("UI_VERSION_FAILED", part754); - - var part755 = match("MESSAGE#719:UI_WRITE_RECONNECT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Re-establishing connection to peer %{hostname}", processor_chain([ - dup21, - dup22, - setc("event_description","Re-establishing connection to peer"), - dup23, - ])); - - var msg724 = 
msg("UI_WRITE_RECONNECT", part755); - - var part756 = match("MESSAGE#720:VRRPD_NEWMASTER_TRAP", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Interface %{interface->} (local addr: %{saddr}) is now master for %{username}", processor_chain([ - dup21, - dup22, - setc("event_description","Interface new master for User"), - dup23, - ])); - - var msg725 = msg("VRRPD_NEWMASTER_TRAP", part756); - - var part757 = match("MESSAGE#721:WEB_AUTH_FAIL", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to authenticate %{obj_name->} (username %{c_username})", processor_chain([ - dup69, - dup34, - dup35, - dup43, - dup22, - setc("event_description","Unable to authenticate client"), - dup23, - ])); - - var msg726 = msg("WEB_AUTH_FAIL", part757); - - var part758 = match("MESSAGE#722:WEB_AUTH_SUCCESS", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Authenticated %{agent->} client (username %{c_username})", processor_chain([ - dup80, - dup34, - dup35, - dup37, - dup22, - setc("event_description","Authenticated client"), - dup23, - ])); - - var msg727 = msg("WEB_AUTH_SUCCESS", part758); - - var part759 = match("MESSAGE#723:WEB_INTERFACE_UNAUTH", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Web services request received from unauthorized interface %{interface}", processor_chain([ - setc("eventcategory","1001030300"), - dup22, - setc("event_description","web request from unauthorized interface"), - dup23, - ])); - - var msg728 = msg("WEB_INTERFACE_UNAUTH", part759); - - var part760 = match("MESSAGE#724:WEB_READ", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to read from client: %{result}", processor_chain([ - dup74, - dup22, - setc("event_description","Unable to read from client"), - dup23, - ])); - - var msg729 = msg("WEB_READ", part760); - - var part761 = match("MESSAGE#725:WEBFILTER_REQUEST_NOT_CHECKED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Error encountered: 
%{result}, failed to check request %{url}", processor_chain([ - setc("eventcategory","1204020100"), - dup22, - setc("event_description","failed to check web request"), - dup23, - ])); - - var msg730 = msg("WEBFILTER_REQUEST_NOT_CHECKED", part761); - - var part762 = match("MESSAGE#726:FLOW_REASSEMBLE_FAIL", "nwparser.payload", "%{event_type->} [junos@%{obj_name->} source-address=\"%{saddr}\" destination-address=\"%{daddr}\" assembly-id=\"%{fld1}\"]", processor_chain([ - dup74, - dup53, - dup43, - dup22, - dup52, - ])); - - var msg731 = msg("FLOW_REASSEMBLE_FAIL", part762); - - var part763 = match("MESSAGE#727:eswd", "nwparser.payload", "%{process}[%{process_id}]: Bridge Address: add %{macaddr}", processor_chain([ - dup29, - dup22, - setc("event_description","Bridge Address"), - dup23, - ])); - - var msg732 = msg("eswd", part763); - - var part764 = match("MESSAGE#728:eswd:01", "nwparser.payload", "%{process}[%{process_id}]: %{info}: STP state for interface %{interface->} context id %{id->} changed from %{fld3}", processor_chain([ - dup29, - dup22, - setc("event_description","ESWD STP State Change Info"), - dup23, - ])); - - var msg733 = msg("eswd:01", part764); - - var select72 = linear_select([ - msg732, - msg733, - ]); - - var part765 = match("MESSAGE#729:/usr/sbin/cron", "nwparser.payload", "%{process}[%{process_id}]: (%{username}) CMD ( %{action})", processor_chain([ - dup29, - dup22, - dup26, - dup23, - ])); - - var msg734 = msg("/usr/sbin/cron", part765); - - var part766 = match("MESSAGE#730:chassism:02", "nwparser.payload", "%{process}[%{process_id}]: %{info}: ifd %{interface->} %{action}", processor_chain([ - dup29, - dup22, - setc("event_description","Link status change event"), - dup23, - ])); - - var msg735 = msg("chassism:02", part766); - - var part767 = match("MESSAGE#731:chassism:01", "nwparser.payload", "%{process}[%{process_id}]: %{info}: %{interface}, %{action}", processor_chain([ - dup29, - dup22, - setc("event_description","ifd process flaps"), - 
dup23, - ])); - - var msg736 = msg("chassism:01", part767); - - var part768 = match("MESSAGE#732:chassism", "nwparser.payload", "%{process}[%{process_id}]: %{info}: %{action}", processor_chain([ - dup29, - dup22, - setc("event_description","IFCM "), - dup23, - ])); - - var msg737 = msg("chassism", part768); - - var select73 = linear_select([ - msg735, - msg736, - msg737, - ]); - - var msg738 = msg("WEBFILTER_URL_PERMITTED", dup158); - - var part769 = match("MESSAGE#734:WEBFILTER_URL_PERMITTED:01", "nwparser.payload", "%{event_type->} [junos@%{fld21->} source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" name=\"%{info}\" error-message=\"%{result}\" profile-name=\"%{profile}\" object-name=\"%{obj_name}\" pathname=\"%{directory}\" username=\"%{username}\" roles=\"%{user_role}\"] WebFilter: ACTION=\"%{action}\" %{fld2}->%{fld3->} CATEGORY=\"%{category}\" REASON=\"%{fld4}\" PROFILE=\"%{fld6}\" URL=%{url->} OBJ=%{fld7}", processor_chain([ - dup30, - dup22, - dup52, - ])); - - var msg739 = msg("WEBFILTER_URL_PERMITTED:01", part769); - - var part770 = match("MESSAGE#735:WEBFILTER_URL_PERMITTED:03", "nwparser.payload", "%{event_type->} [junos@%{fld21->} source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" name=\"%{info}\" error-message=\"%{result}\" profile-name=\"%{profile}\" object-name=\"%{obj_name}\" pathname=\"%{directory}\" username=\"%{username}\" roles=\"%{user_role}\"] WebFilter: ACTION=\"%{action}\" %{fld2}->%{fld3->} CATEGORY=\"%{category}\" REASON=%{fld4}", processor_chain([ - dup30, - dup22, - dup52, - ])); - - var msg740 = msg("WEBFILTER_URL_PERMITTED:03", part770); - - var part771 = match("MESSAGE#736:WEBFILTER_URL_PERMITTED:02", "nwparser.payload", "%{event_type->} [junos@%{fld21->} source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" name=\"%{info}\" 
error-message=\"%{result}\" profile-name=\"%{profile}\" object-name=\"%{obj_name}\" pathname=%{url}", processor_chain([ - dup30, - dup22, - dup52, - ])); - - var msg741 = msg("WEBFILTER_URL_PERMITTED:02", part771); - - var select74 = linear_select([ - msg738, - msg739, - msg740, - msg741, - ]); - - var msg742 = msg("WEBFILTER_URL_BLOCKED", dup158); - - var part772 = match("MESSAGE#738:WEBFILTER_URL_BLOCKED:01", "nwparser.payload", "%{event_type->} [junos@%{fld21->} source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" name=\"%{info}\" error-message=\"%{result}\" profile-name=\"%{profile}\" object-name=\"%{obj_name}\" pathname=\"%{directory}\" username=\"%{username}\" roles=\"%{user_role}\"] WebFilter: ACTION=\"%{action}\" %{fld2}->%{fld3->} CATEGORY=\"%{category}\" REASON=\"%{fld4}\" PROFILE=\"%{fld6}\" URL=%{url}", processor_chain([ - dup30, - dup22, - dup52, - ])); - - var msg743 = msg("WEBFILTER_URL_BLOCKED:01", part772); - - var select75 = linear_select([ - msg742, - msg743, - ]); - - var part773 = match("MESSAGE#740:SECINTEL_NETWORK_CONNECT_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{id}: \u003c\u003c%{fld12}> Access url %{url->} on port %{network_port->} failed\u003c\u003c%{result}>.", processor_chain([ - dup46, - dup47, - dup23, - dup22, - dup128, - ])); - - var msg744 = msg("SECINTEL_NETWORK_CONNECT_FAILED", part773); - - var part774 = match("MESSAGE#741:AAMWD_NETWORK_CONNECT_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{id}: \u003c\u003c%{fld12}> Access host %{hostname->} on ip %{hostip->} port %{network_port->} %{result}.", processor_chain([ - dup46, - dup47, - dup23, - ])); - - var msg745 = msg("AAMWD_NETWORK_CONNECT_FAILED", part774); - - var part775 = match("MESSAGE#742:PKID_UNABLE_TO_GET_CRL", "nwparser.payload", "%{process}[%{process_id}]: %{id}: Failed to retrieve CRL from received file for %{node}", processor_chain([ - dup46, - dup47, - dup23, - dup22, - 
dup128, - ])); - - var msg746 = msg("PKID_UNABLE_TO_GET_CRL", part775); - - var part776 = match("MESSAGE#743:SECINTEL_ERROR_OTHERS", "nwparser.payload", "%{process}[%{process_id}]: %{id}: \u003c\u003c%{fld12}> %{result}", processor_chain([ - dup46, - dup47, - dup23, - dup22, - dup128, - ])); - - var msg747 = msg("SECINTEL_ERROR_OTHERS", part776); - - var part777 = match("MESSAGE#744:JSRPD_HA_CONTROL_LINK_UP", "nwparser.payload", "%{process}[%{process_id}]: %{id}: HA control link monitor status is marked up", processor_chain([ - dup48, - dup47, - dup23, - dup22, - dup128, - ])); - - var msg748 = msg("JSRPD_HA_CONTROL_LINK_UP", part777); - - var part778 = match("MESSAGE#745:LACPD_TIMEOUT", "nwparser.payload", "%{process}[%{process_id}]: LACPD_TIMEOUT: %{sinterface}: %{event_description}", processor_chain([ - dup46, - dup47, - dup23, - dup22, - dup128, - ])); - - var msg749 = msg("LACPD_TIMEOUT", part778); - - var msg750 = msg("cli", dup159); - - var msg751 = msg("pfed", dup159); - - var msg752 = msg("idpinfo", dup159); - - var msg753 = msg("kmd", dup159); - - var part779 = match("MESSAGE#751:node:01", "nwparser.payload", "%{hostname->} %{node->} Next-hop resolution requests from interface %{interface->} throttled", processor_chain([ - dup21, - dup23, - dup22, - ])); - - var msg754 = msg("node:01", part779); - - var part780 = match("MESSAGE#752:node:02", "nwparser.payload", "%{hostname->} %{node->} %{process}: Trying peer connection, status %{resultcode}, attempt %{fld1}", processor_chain([ - dup21, - dup23, - dup22, - ])); - - var msg755 = msg("node:02", part780); - - var part781 = match("MESSAGE#753:node:03", "nwparser.payload", "%{hostname->} %{node->} %{process}: trying master connection, status %{resultcode}, attempt %{fld1}", processor_chain([ - dup21, - dup23, - dup22, - ])); - - var msg756 = msg("node:03", part781); - - var part782 = match("MESSAGE#754:node:04", "nwparser.payload", "%{hostname->} %{node->} %{fld1->} key %{fld2->} %{fld3->} port priority 
%{fld6->} %{fld4->} port %{portname->} %{fld5->} state %{resultcode}", processor_chain([ - dup21, - dup23, - dup22, - ])); - - var msg757 = msg("node:04", part782); - - var select76 = linear_select([ - dup131, - dup132, - ]); - - var part783 = match("MESSAGE#755:node:05/2", "nwparser.p0", "%{}sys priority %{fld4->} %{p0}"); - - var select77 = linear_select([ - dup132, - dup131, - ]); - - var part784 = match("MESSAGE#755:node:05/4", "nwparser.p0", "%{}sys %{interface}"); - - var all44 = all_match({ - processors: [ - dup130, - select76, - part783, - select77, - part784, - ], - on_success: processor_chain([ - dup21, - dup23, - dup22, - ]), - }); - - var msg758 = msg("node:05", all44); - - var part785 = match("MESSAGE#756:node:06/1_0", "nwparser.p0", "dst mac %{dinterface}"); - - var part786 = match("MESSAGE#756:node:06/1_1", "nwparser.p0", "src mac %{sinterface->} ether type %{fld1}"); - - var select78 = linear_select([ - part785, - part786, - ]); - - var all45 = all_match({ - processors: [ - dup130, - select78, - ], - on_success: processor_chain([ - dup21, - dup23, - dup22, - ]), - }); - - var msg759 = msg("node:06", all45); - - var part787 = match("MESSAGE#757:node:07", "nwparser.payload", "%{hostname->} %{node->} %{process}: interface %{interface->} trigger reth_scan", processor_chain([ - dup21, - dup23, - dup22, - ])); - - var msg760 = msg("node:07", part787); - - var part788 = match("MESSAGE#758:node:08", "nwparser.payload", "%{hostname->} %{node->} %{process}: %{info}", processor_chain([ - dup21, - dup23, - dup22, - ])); - - var msg761 = msg("node:08", part788); - - var part789 = match("MESSAGE#759:node:09", "nwparser.payload", "%{hostname->} %{node->} %{fld1}", processor_chain([ - dup21, - dup23, - dup22, - ])); - - var msg762 = msg("node:09", part789); - - var select79 = linear_select([ - msg754, - msg755, - msg756, - msg757, - msg758, - msg759, - msg760, - msg761, - msg762, - ]); - - var part790 = match("MESSAGE#760:(FPC:01", "nwparser.payload", "%{fld1}) 
%{node->} kernel: %{event_type}: deleting active remote neighbor entry %{fld2->} from interface %{interface}.", processor_chain([ - dup21, - dup23, - dup22, - dup24, - ])); - - var msg763 = msg("(FPC:01", part790); - - var part791 = match("MESSAGE#761:(FPC:02", "nwparser.payload", "%{fld1}) %{node->} kernel: %{event_type->} deleting nb %{fld2->} on ifd %{interface->} for cid %{fld3->} from active neighbor table", processor_chain([ - dup21, - dup23, - dup22, - dup24, - ])); - - var msg764 = msg("(FPC:02", part791); - - var part792 = match("MESSAGE#762:(FPC:03/0", "nwparser.payload", "%{fld1}) %{node->} kernel: %{event_type}: M%{p0}"); - - var part793 = match("MESSAGE#762:(FPC:03/1_0", "nwparser.p0", "DOWN %{p0}"); - - var part794 = match("MESSAGE#762:(FPC:03/1_1", "nwparser.p0", "UP %{p0}"); - - var select80 = linear_select([ - part793, - part794, - ]); - - var part795 = match("MESSAGE#762:(FPC:03/2", "nwparser.p0", "received for interface %{interface}, member of %{fld4}"); - - var all46 = all_match({ - processors: [ - part792, - select80, - part795, - ], - on_success: processor_chain([ - dup21, - dup23, - dup22, - dup24, - ]), - }); - - var msg765 = msg("(FPC:03", all46); - - var part796 = match("MESSAGE#763:(FPC:04", "nwparser.payload", "%{fld1}) %{node->} kernel: %{event_type}: ifd=%{interface}, ifd flags=%{fld2}", processor_chain([ - dup21, - dup23, - dup22, - dup24, - ])); - - var msg766 = msg("(FPC:04", part796); - - var part797 = match("MESSAGE#764:(FPC:05", "nwparser.payload", "%{fld1}) %{node->} kernel: rdp keepalive expired, connection dropped - src %{fld3}:%{fld2->} dest %{fld4}:%{fld5}", processor_chain([ - dup21, - dup23, - dup22, - dup24, - ])); - - var msg767 = msg("(FPC:05", part797); - - var part798 = match("MESSAGE#765:(FPC", "nwparser.payload", "%{fld1}) %{node->} %{fld10}", processor_chain([ - dup21, - dup23, - dup22, - dup24, - ])); - - var msg768 = msg("(FPC", part798); - - var select81 = linear_select([ - msg763, - msg764, - msg765, - msg766, 
- msg767, - msg768, - ]); - - var part799 = match("MESSAGE#766:tnp.bootpd", "nwparser.payload", "%{process}[%{process_id}]:%{fld1}", processor_chain([ - dup48, - dup23, - dup22, - dup24, - ])); - - var msg769 = msg("tnp.bootpd", part799); - - var part800 = match("MESSAGE#769:AAMW_ACTION_LOG", "nwparser.payload", "%{event_type}[junos@%{fld32->} hostname=\"%{hostname}\" file-category=\"%{fld9}\" verdict-number=\"%{fld10}\" action=\"%{action}\" list-hit=\"%{fld19}\" source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" protocol-id=\"%{protocol}\" application=\"%{fld6}\" nested-application=\"%{fld7}\" policy-name=\"%{policyname}\" username=\"%{username}\" roles=\"%{user_role}\" session-id-32=\"%{sessionid}\" source-zone-name=\"%{src_zone}\" destination-zone-name=\"%{dst_zone}\" url=\"%{url}\"] %{fld27}", processor_chain([ - dup48, - dup52, - dup22, - dup61, - ])); - - var msg770 = msg("AAMW_ACTION_LOG", part800); - - var part801 = match("MESSAGE#770:AAMW_HOST_INFECTED_EVENT_LOG", "nwparser.payload", "%{event_type}[junos@%{fld32->} timestamp=\"%{fld30}\" tenant-id=\"%{fld1}\" client-ip-str=\"%{hostip}\" hostname=\"%{hostname}\" status=\"%{fld13}\" policy-name=\"%{policyname}\" verdict-number=\"%{fld15}\" state=\"%{fld16}\" reason=\"%{result}\" message=\"%{info}\" %{fld3}", processor_chain([ - dup133, - dup52, - dup22, - dup61, - ])); - - var msg771 = msg("AAMW_HOST_INFECTED_EVENT_LOG", part801); - - var part802 = match("MESSAGE#771:AAMW_MALWARE_EVENT_LOG", "nwparser.payload", "%{event_type}[junos@%{fld32->} timestamp=\"%{fld30}\" tenant-id=\"%{fld1}\" sample-sha256=\"%{checksum}\" client-ip-str=\"%{hostip}\" verdict-number=\"%{fld26}\" malware-info=\"%{threat_name}\" username=\"%{username}\" hostname=\"%{hostname}\" %{fld3}", processor_chain([ - dup133, - dup52, - dup22, - ])); - - var msg772 = msg("AAMW_MALWARE_EVENT_LOG", part802); - - var part803 = match("MESSAGE#772:IDP_ATTACK_LOG_EVENT", 
"nwparser.payload", "%{event_type}[junos@%{fld32->} epoch-time=\"%{fld1}\" message-type=\"%{info}\" source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" protocol-name=\"%{protocol}\" service-name=\"%{service}\" application-name=\"%{application}\" rule-name=\"%{fld5}\" rulebase-name=\"%{rulename}\" policy-name=\"%{policyname}\" export-id=\"%{fld6}\" repeat-count=\"%{fld7}\" action=\"%{action}\" threat-severity=\"%{severity}\" attack-name=\"%{threat_name}\" nat-source-address=\"%{hostip}\" nat-source-port=\"%{network_port}\" nat-destination-address=\"%{dtransaddr}\" nat-destination-port=\"%{dtransport}\" elapsed-time=%{fld8->} inbound-bytes=\"%{rbytes}\" outbound-bytes=\"%{sbytes}\" inbound-packets=\"%{packets}\" outbound-packets=\"%{dclass_counter1}\" source-zone-name=\"%{src_zone}\" source-interface-name=\"%{sinterface}\" destination-zone-name=\"%{dst_zone}\" destination-interface-name=\"%{dinterface}\" packet-log-id=\"%{fld9}\" alert=\"%{fld19}\" username=\"%{username}\" roles=\"%{fld15}\" message=\"%{fld28}\" %{fld3}", processor_chain([ - dup81, - dup52, - dup22, - dup61, - ])); - - var msg773 = msg("IDP_ATTACK_LOG_EVENT", part803); - - var part804 = match("MESSAGE#773:RT_SCREEN_ICMP", "nwparser.payload", "%{event_type}[junos@%{fld32->} attack-name=\"%{threat_name}\" source-address=\"%{saddr}\" destination-address=\"%{daddr}\" source-zone-name=\"%{src_zone}\" interface-name=\"%{interface}\" action=\"%{action}\"] %{fld23}", processor_chain([ - dup81, - dup52, - dup22, - dup61, - ])); - - var msg774 = msg("RT_SCREEN_ICMP", part804); - - var part805 = match("MESSAGE#774:SECINTEL_ACTION_LOG", "nwparser.payload", "%{event_type}[junos@%{fld32->} category=\"%{fld1}\" sub-category=\"%{fld2}\" action=\"%{action}\" action-detail=\"%{fld4}\" http-host=\"%{fld17}\" threat-severity=\"%{severity}\" source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" 
protocol-id=\"%{protocol}\" application=\"%{fld5}\" nested-application=\"%{fld6}\" feed-name=\"%{fld18}\" policy-name=\"%{policyname}\" profile-name=\"%{rulename}\" username=\"%{username}\" roles=\"%{user_role}\" session-id-32=\"%{sessionid}\" source-zone-name=\"%{src_zone}\" destination-zone-name=\"%{dst_zone}\"]%{fld10}", processor_chain([ - dup46, - dup52, - dup22, - dup61, - ])); - - var msg775 = msg("SECINTEL_ACTION_LOG", part805); - - var part806 = match("MESSAGE#775:qsfp/0", "nwparser.payload", "%{hostname->} %{fld2->} %{p0}"); - - var part807 = match("MESSAGE#775:qsfp/1_0", "nwparser.p0", "%{fld3->} %{process}: qsfp-%{p0}"); - - var part808 = match("MESSAGE#775:qsfp/1_1", "nwparser.p0", "qsfp-%{p0}"); - - var select82 = linear_select([ - part807, - part808, - ]); - - var part809 = match("MESSAGE#775:qsfp/2", "nwparser.p0", "%{}Chan# %{interface->} %{fld5}:%{event_description}"); - - var all47 = all_match({ - processors: [ - part806, - select82, - part809, - ], - on_success: processor_chain([ - dup21, - dup22, - dup23, - ]), - }); - - var msg776 = msg("qsfp", all47); - - var part810 = match("MESSAGE#776:JUNOSROUTER_GENERIC:03", "nwparser.payload", "%{event_type}: User '%{username}', command '%{action}'", processor_chain([ - dup21, - dup22, - dup121, - dup23, - ])); - - var msg777 = msg("JUNOSROUTER_GENERIC:03", part810); - - var part811 = match("MESSAGE#777:JUNOSROUTER_GENERIC:04", "nwparser.payload", "%{event_type}: User '%{username}' %{fld1}", processor_chain([ - dup125, - dup34, - dup35, - dup126, - dup37, - dup22, - setc("event_description","LOGOUT"), - dup23, - ])); - - var msg778 = msg("JUNOSROUTER_GENERIC:04", part811); - - var part812 = match("MESSAGE#778:JUNOSROUTER_GENERIC:05", "nwparser.payload", "%{event_type}: TACACS+ failure: %{result}", processor_chain([ - dup30, - dup22, - dup129, - dup23, - ])); - - var msg779 = msg("JUNOSROUTER_GENERIC:05", part812); - - var part813 = match("MESSAGE#779:JUNOSROUTER_GENERIC:06", "nwparser.payload", 
"%{event_type}: mismatch NLRI with %{hostip->} (%{hostname}): peer: %{daddr->} us: %{saddr}", processor_chain([ - dup30, - dup22, - dup57, - dup23, - ])); - - var msg780 = msg("JUNOSROUTER_GENERIC:06", part813); - - var part814 = match("MESSAGE#780:JUNOSROUTER_GENERIC:07", "nwparser.payload", "%{event_type}: NOTIFICATION sent to %{daddr->} (%{dhost}): code %{resultcode->} (%{action}), Reason: %{result}", processor_chain([ - dup21, - dup22, - dup38, - dup23, - ])); - - var msg781 = msg("JUNOSROUTER_GENERIC:07", part814); - - var part815 = match("MESSAGE#781:JUNOSROUTER_GENERIC:08/0", "nwparser.payload", "%{event_type}: NOTIFICATION received from %{daddr->} (%{dhost}): code %{resultcode->} (%{action})%{p0}"); - - var part816 = match("MESSAGE#781:JUNOSROUTER_GENERIC:08/1_0", "nwparser.p0", ", socket buffer sndcc: %{fld1->} rcvcc: %{fld2->} TCP state: %{event_state}, snd_una: %{fld3->} snd_nxt: %{fld4->} snd_wnd: %{fld5->} rcv_nxt: %{fld6->} rcv_adv: %{fld7}, hold timer %{fld8}"); - - var part817 = match_copy("MESSAGE#781:JUNOSROUTER_GENERIC:08/1_1", "nwparser.p0", ""); - - var select83 = linear_select([ - part816, - part817, - ]); - - var all48 = all_match({ - processors: [ - part815, - select83, - ], - on_success: processor_chain([ - dup21, - dup22, - dup38, - dup23, - ]), - }); - - var msg782 = msg("JUNOSROUTER_GENERIC:08", all48); - - var part818 = match("MESSAGE#782:JUNOSROUTER_GENERIC:09", "nwparser.payload", "%{event_type}: [edit interfaces%{interface}unit%{fld1}family inet address%{hostip}/%{network_port}] :%{event_description}:%{info}", processor_chain([ - dup21, - dup22, - dup23, - ])); - - var msg783 = msg("JUNOSROUTER_GENERIC:09", part818); - - var part819 = match("MESSAGE#783:JUNOSROUTER_GENERIC:01", "nwparser.payload", "%{event_type->} Interface Monitor failed %{fld1}", processor_chain([ - dup134, - dup23, - dup22, - setc("event_description","Interface Monitor failed "), - dup24, - ])); - - var msg784 = msg("JUNOSROUTER_GENERIC:01", part819); - - var 
part820 = match("MESSAGE#784:JUNOSROUTER_GENERIC:02", "nwparser.payload", "%{event_type->} Interface Monitor failure recovered %{fld1}", processor_chain([ - dup134, - dup23, - dup22, - setc("event_description","Interface Monitor failure recovered"), - dup24, - ])); - - var msg785 = msg("JUNOSROUTER_GENERIC:02", part820); - - var part821 = match("MESSAGE#785:JUNOSROUTER_GENERIC", "nwparser.payload", "%{event_type->} %{fld1}", processor_chain([ - dup134, - dup23, - dup22, - dup24, - ])); - - var msg786 = msg("JUNOSROUTER_GENERIC", part821); - - var select84 = linear_select([ - msg777, - msg778, - msg779, - msg780, - msg781, - msg782, - msg783, - msg784, - msg785, - msg786, - ]); - - var chain1 = processor_chain([ - select5, - msgid_select({ - "(FPC": select81, - "/usr/libexec/telnetd": msg2, - "/usr/sbin/cron": msg734, - "/usr/sbin/sshd": msg1, - "AAMWD_NETWORK_CONNECT_FAILED": msg745, - "AAMW_ACTION_LOG": msg770, - "AAMW_HOST_INFECTED_EVENT_LOG": msg771, - "AAMW_MALWARE_EVENT_LOG": msg772, - "ACCT_ACCOUNTING_FERROR": msg114, - "ACCT_ACCOUNTING_FOPEN_ERROR": msg115, - "ACCT_ACCOUNTING_SMALL_FILE_SIZE": msg116, - "ACCT_BAD_RECORD_FORMAT": msg117, - "ACCT_CU_RTSLIB_error": msg118, - "ACCT_GETHOSTNAME_error": msg119, - "ACCT_MALLOC_FAILURE": msg120, - "ACCT_UNDEFINED_COUNTER_NAME": msg121, - "ACCT_XFER_FAILED": msg122, - "ACCT_XFER_POPEN_FAIL": msg123, - "APPQOS_LOG_EVENT": msg124, - "APPTRACK_SESSION_CLOSE": select30, - "APPTRACK_SESSION_CREATE": msg125, - "APPTRACK_SESSION_VOL_UPDATE": select31, - "BCHIP": msg106, - "BFDD_TRAP_STATE_DOWN": msg130, - "BFDD_TRAP_STATE_UP": msg131, - "BOOTPD_ARG_ERR": msg143, - "BOOTPD_BAD_ID": msg144, - "BOOTPD_BOOTSTRING": msg145, - "BOOTPD_CONFIG_ERR": msg146, - "BOOTPD_CONF_OPEN": msg147, - "BOOTPD_DUP_REV": msg148, - "BOOTPD_DUP_SLOT": msg149, - "BOOTPD_MODEL_CHK": msg150, - "BOOTPD_MODEL_ERR": msg151, - "BOOTPD_NEW_CONF": msg152, - "BOOTPD_NO_BOOTSTRING": msg153, - "BOOTPD_NO_CONFIG": msg154, - "BOOTPD_PARSE_ERR": msg155, - 
"BOOTPD_REPARSE": msg156, - "BOOTPD_SELECT_ERR": msg157, - "BOOTPD_TIMEOUT": msg158, - "BOOTPD_VERSION": msg159, - "CHASSISD": msg160, - "CHASSISD_ARGUMENT_ERROR": msg161, - "CHASSISD_BLOWERS_SPEED": msg162, - "CHASSISD_BLOWERS_SPEED_FULL": msg163, - "CHASSISD_CB_READ": msg164, - "CHASSISD_COMMAND_ACK_ERROR": msg165, - "CHASSISD_COMMAND_ACK_SF_ERROR": msg166, - "CHASSISD_CONCAT_MODE_ERROR": msg167, - "CHASSISD_CONFIG_INIT_ERROR": msg168, - "CHASSISD_CONFIG_WARNING": msg169, - "CHASSISD_EXISTS": msg170, - "CHASSISD_EXISTS_TERM_OTHER": msg171, - "CHASSISD_FILE_OPEN": msg172, - "CHASSISD_FILE_STAT": msg173, - "CHASSISD_FRU_EVENT": msg174, - "CHASSISD_FRU_IPC_WRITE_ERROR_EXT": msg175, - "CHASSISD_FRU_STEP_ERROR": msg176, - "CHASSISD_GETTIMEOFDAY": msg177, - "CHASSISD_HIGH_TEMP_CONDITION": msg214, - "CHASSISD_HOST_TEMP_READ": msg178, - "CHASSISD_IFDEV_DETACH_ALL_PSEUDO": msg179, - "CHASSISD_IFDEV_DETACH_FPC": msg180, - "CHASSISD_IFDEV_DETACH_PIC": msg181, - "CHASSISD_IFDEV_DETACH_PSEUDO": msg182, - "CHASSISD_IFDEV_DETACH_TLV_ERROR": msg183, - "CHASSISD_IFDEV_GET_BY_INDEX_FAIL": msg184, - "CHASSISD_IPC_MSG_QFULL_ERROR": msg185, - "CHASSISD_IPC_UNEXPECTED_RECV": msg186, - "CHASSISD_IPC_WRITE_ERR_NO_PIPE": msg187, - "CHASSISD_IPC_WRITE_ERR_NULL_ARGS": msg188, - "CHASSISD_MAC_ADDRESS_ERROR": msg189, - "CHASSISD_MAC_DEFAULT": msg190, - "CHASSISD_MBUS_ERROR": msg191, - "CHASSISD_PARSE_COMPLETE": msg192, - "CHASSISD_PARSE_ERROR": msg193, - "CHASSISD_PARSE_INIT": msg194, - "CHASSISD_PIDFILE_OPEN": msg195, - "CHASSISD_PIPE_WRITE_ERROR": msg196, - "CHASSISD_POWER_CHECK": msg197, - "CHASSISD_RECONNECT_SUCCESSFUL": msg198, - "CHASSISD_RELEASE_MASTERSHIP": msg199, - "CHASSISD_RE_INIT_INVALID_RE_SLOT": msg200, - "CHASSISD_ROOT_MOUNT_ERROR": msg201, - "CHASSISD_RTS_SEQ_ERROR": msg202, - "CHASSISD_SBOARD_VERSION_MISMATCH": msg203, - "CHASSISD_SERIAL_ID": msg204, - "CHASSISD_SMB_ERROR": msg205, - "CHASSISD_SNMP_TRAP10": msg208, - "CHASSISD_SNMP_TRAP6": msg206, - "CHASSISD_SNMP_TRAP7": 
msg207, - "CHASSISD_TERM_SIGNAL": msg209, - "CHASSISD_TRACE_PIC_OFFLINE": msg210, - "CHASSISD_UNEXPECTED_EXIT": msg211, - "CHASSISD_UNSUPPORTED_MODEL": msg212, - "CHASSISD_VERSION_MISMATCH": msg213, - "CM": msg107, - "CM_JAVA": msg216, - "COS": msg108, - "COSFPC": msg109, - "COSMAN": msg110, - "CRON": msg16, - "CROND": select11, - "Cmerror": msg17, - "DCD_AS_ROOT": msg217, - "DCD_FILTER_LIB_ERROR": msg218, - "DCD_MALLOC_FAILED_INIT": msg219, - "DCD_PARSE_EMERGENCY": msg220, - "DCD_PARSE_FILTER_EMERGENCY": msg221, - "DCD_PARSE_MINI_EMERGENCY": msg222, - "DCD_PARSE_STATE_EMERGENCY": msg223, - "DCD_POLICER_PARSE_EMERGENCY": msg224, - "DCD_PULL_LOG_FAILURE": msg225, - "DFWD_ARGUMENT_ERROR": msg226, - "DFWD_MALLOC_FAILED_INIT": msg227, - "DFWD_PARSE_FILTER_EMERGENCY": msg228, - "DFWD_PARSE_STATE_EMERGENCY": msg229, - "ECCD_DAEMONIZE_FAILED": msg230, - "ECCD_DUPLICATE": msg231, - "ECCD_LOOP_EXIT_FAILURE": msg232, - "ECCD_NOT_ROOT": msg233, - "ECCD_PCI_FILE_OPEN_FAILED": msg234, - "ECCD_PCI_READ_FAILED": msg235, - "ECCD_PCI_WRITE_FAILED": msg236, - "ECCD_PID_FILE_LOCK": msg237, - "ECCD_PID_FILE_UPDATE": msg238, - "ECCD_TRACE_FILE_OPEN_FAILED": msg239, - "ECCD_usage": msg240, - "EVENT": msg23, - "EVENTD_AUDIT_SHOW": msg241, - "FLOW_REASSEMBLE_FAIL": msg731, - "FLOW_REASSEMBLE_SUCCEED": msg242, - "FSAD_CHANGE_FILE_OWNER": msg243, - "FSAD_CONFIG_ERROR": msg244, - "FSAD_CONNTIMEDOUT": msg245, - "FSAD_FAILED": msg246, - "FSAD_FETCHTIMEDOUT": msg247, - "FSAD_FILE_FAILED": msg248, - "FSAD_FILE_REMOVE": msg249, - "FSAD_FILE_RENAME": msg250, - "FSAD_FILE_STAT": msg251, - "FSAD_FILE_SYNC": msg252, - "FSAD_MAXCONN": msg253, - "FSAD_MEMORYALLOC_FAILED": msg254, - "FSAD_NOT_ROOT": msg255, - "FSAD_PARENT_DIRECTORY": msg256, - "FSAD_PATH_IS_DIRECTORY": msg257, - "FSAD_PATH_IS_SPECIAL": msg258, - "FSAD_RECVERROR": msg259, - "FSAD_TERMINATED_CONNECTION": msg260, - "FSAD_TERMINATING_SIGNAL": msg261, - "FSAD_TRACEOPEN_FAILED": msg262, - "FSAD_USAGE": msg263, - "Failed": select25, - 
"GGSN_ALARM_TRAP_FAILED": msg264, - "GGSN_ALARM_TRAP_SEND": msg265, - "GGSN_TRAP_SEND": msg266, - "IDP_ATTACK_LOG_EVENT": msg773, - "JADE_AUTH_ERROR": msg267, - "JADE_EXEC_ERROR": msg268, - "JADE_NO_LOCAL_USER": msg269, - "JADE_PAM_ERROR": msg270, - "JADE_PAM_NO_LOCAL_USER": msg271, - "JSRPD_HA_CONTROL_LINK_UP": msg748, - "JUNOSROUTER_GENERIC": select84, - "KERN_ARP_ADDR_CHANGE": msg272, - "KMD_PM_SA_ESTABLISHED": msg273, - "L2CPD_TASK_REINIT": msg274, - "LACPD_TIMEOUT": msg749, - "LIBJNX_EXEC_EXITED": msg275, - "LIBJNX_EXEC_FAILED": msg276, - "LIBJNX_EXEC_PIPE": msg277, - "LIBJNX_EXEC_SIGNALED": msg278, - "LIBJNX_EXEC_WEXIT": msg279, - "LIBJNX_FILE_COPY_FAILED": msg280, - "LIBJNX_PRIV_LOWER_FAILED": msg281, - "LIBJNX_PRIV_RAISE_FAILED": msg282, - "LIBJNX_REPLICATE_RCP_EXEC_FAILED": msg283, - "LIBJNX_ROTATE_COMPRESS_EXEC_FAILED": msg284, - "LIBSERVICED_CLIENT_CONNECTION": msg285, - "LIBSERVICED_OUTBOUND_REQUEST": msg286, - "LIBSERVICED_SNMP_LOST_CONNECTION": msg287, - "LIBSERVICED_SOCKET_BIND": msg288, - "LIBSERVICED_SOCKET_PRIVATIZE": msg289, - "LICENSE_EXPIRED": msg290, - "LICENSE_EXPIRED_KEY_DELETED": msg291, - "LICENSE_NEARING_EXPIRY": msg292, - "LOGIN_ABORTED": msg293, - "LOGIN_FAILED": msg294, - "LOGIN_FAILED_INCORRECT_PASSWORD": msg295, - "LOGIN_FAILED_SET_CONTEXT": msg296, - "LOGIN_FAILED_SET_LOGIN": msg297, - "LOGIN_HOSTNAME_UNRESOLVED": msg298, - "LOGIN_INFORMATION": msg299, - "LOGIN_INVALID_LOCAL_USER": msg300, - "LOGIN_MALFORMED_USER": msg301, - "LOGIN_PAM_AUTHENTICATION_ERROR": msg302, - "LOGIN_PAM_ERROR": msg303, - "LOGIN_PAM_MAX_RETRIES": msg304, - "LOGIN_PAM_NONLOCAL_USER": msg305, - "LOGIN_PAM_STOP": msg306, - "LOGIN_PAM_USER_UNKNOWN": msg307, - "LOGIN_PASSWORD_EXPIRED": msg308, - "LOGIN_REFUSED": msg309, - "LOGIN_ROOT": msg310, - "LOGIN_TIMED_OUT": msg311, - "MIB2D_ATM_ERROR": msg312, - "MIB2D_CONFIG_CHECK_FAILED": msg313, - "MIB2D_FILE_OPEN_FAILURE": msg314, - "MIB2D_IFD_IFINDEX_FAILURE": msg315, - "MIB2D_IFL_IFINDEX_FAILURE": msg316, - 
"MIB2D_INIT_FAILURE": msg317, - "MIB2D_KVM_FAILURE": msg318, - "MIB2D_RTSLIB_READ_FAILURE": msg319, - "MIB2D_RTSLIB_SEQ_MISMATCH": msg320, - "MIB2D_SYSCTL_FAILURE": msg321, - "MIB2D_TRAP_HEADER_FAILURE": msg322, - "MIB2D_TRAP_SEND_FAILURE": msg323, - "MRVL-L2": msg56, - "Multiuser": msg324, - "NASD_AUTHENTICATION_CREATE_FAILED": msg325, - "NASD_CHAP_AUTHENTICATION_IN_PROGRESS": msg326, - "NASD_CHAP_GETHOSTNAME_FAILED": msg327, - "NASD_CHAP_INVALID_CHAP_IDENTIFIER": msg328, - "NASD_CHAP_INVALID_OPCODE": msg329, - "NASD_CHAP_LOCAL_NAME_UNAVAILABLE": msg330, - "NASD_CHAP_MESSAGE_UNEXPECTED": msg331, - "NASD_CHAP_REPLAY_ATTACK_DETECTED": msg332, - "NASD_CONFIG_GET_LAST_MODIFIED_FAILED": msg333, - "NASD_DAEMONIZE_FAILED": msg334, - "NASD_DB_ALLOC_FAILURE": msg335, - "NASD_DB_TABLE_CREATE_FAILURE": msg336, - "NASD_DUPLICATE": msg337, - "NASD_EVLIB_CREATE_FAILURE": msg338, - "NASD_EVLIB_EXIT_FAILURE": msg339, - "NASD_LOCAL_CREATE_FAILED": msg340, - "NASD_NOT_ROOT": msg341, - "NASD_PID_FILE_LOCK": msg342, - "NASD_PID_FILE_UPDATE": msg343, - "NASD_POST_CONFIGURE_EVENT_FAILED": msg344, - "NASD_PPP_READ_FAILURE": msg345, - "NASD_PPP_SEND_FAILURE": msg346, - "NASD_PPP_SEND_PARTIAL": msg347, - "NASD_PPP_UNRECOGNIZED": msg348, - "NASD_RADIUS_ALLOCATE_PASSWORD_FAILED": msg349, - "NASD_RADIUS_CONFIG_FAILED": msg350, - "NASD_RADIUS_CREATE_FAILED": msg351, - "NASD_RADIUS_CREATE_REQUEST_FAILED": msg352, - "NASD_RADIUS_GETHOSTNAME_FAILED": msg353, - "NASD_RADIUS_MESSAGE_UNEXPECTED": msg354, - "NASD_RADIUS_OPEN_FAILED": msg355, - "NASD_RADIUS_SELECT_FAILED": msg356, - "NASD_RADIUS_SET_TIMER_FAILED": msg357, - "NASD_TRACE_FILE_OPEN_FAILED": msg358, - "NASD_usage": msg359, - "NOTICE": msg360, - "PFEMAN": msg61, - "PFE_FW_SYSLOG_IP": select36, - "PFE_NH_RESOLVE_THROTTLED": msg363, - "PING_TEST_COMPLETED": msg364, - "PING_TEST_FAILED": msg365, - "PKID_UNABLE_TO_GET_CRL": msg746, - "PWC_EXIT": msg368, - "PWC_HOLD_RELEASE": msg369, - "PWC_INVALID_RUNS_ARGUMENT": msg370, - 
"PWC_INVALID_TIMEOUT_ARGUMENT": msg371, - "PWC_KILLED_BY_SIGNAL": msg372, - "PWC_KILL_EVENT": msg373, - "PWC_KILL_FAILED": msg374, - "PWC_KQUEUE_ERROR": msg375, - "PWC_KQUEUE_INIT": msg376, - "PWC_KQUEUE_REGISTER_FILTER": msg377, - "PWC_LOCKFILE_BAD_FORMAT": msg378, - "PWC_LOCKFILE_ERROR": msg379, - "PWC_LOCKFILE_MISSING": msg380, - "PWC_LOCKFILE_NOT_LOCKED": msg381, - "PWC_NO_PROCESS": msg382, - "PWC_PROCESS_EXIT": msg383, - "PWC_PROCESS_FORCED_HOLD": msg384, - "PWC_PROCESS_HOLD": msg385, - "PWC_PROCESS_HOLD_SKIPPED": msg386, - "PWC_PROCESS_OPEN": msg387, - "PWC_PROCESS_TIMED_HOLD": msg388, - "PWC_PROCESS_TIMEOUT": msg389, - "PWC_SIGNAL_INIT": msg390, - "PWC_SOCKET_CONNECT": msg391, - "PWC_SOCKET_CREATE": msg392, - "PWC_SOCKET_OPTION": msg393, - "PWC_STDOUT_WRITE": msg394, - "PWC_SYSTEM_CALL": msg395, - "PWC_UNKNOWN_KILL_OPTION": msg396, - "RDP": msg111, - "RMOPD_ADDRESS_MULTICAST_INVALID": msg397, - "RMOPD_ADDRESS_SOURCE_INVALID": msg398, - "RMOPD_ADDRESS_STRING_FAILURE": msg399, - "RMOPD_ADDRESS_TARGET_INVALID": msg400, - "RMOPD_DUPLICATE": msg401, - "RMOPD_ICMP_ADDRESS_TYPE_UNSUPPORTED": msg402, - "RMOPD_ICMP_SENDMSG_FAILURE": msg403, - "RMOPD_IFINDEX_NOT_ACTIVE": msg404, - "RMOPD_IFINDEX_NO_INFO": msg405, - "RMOPD_IFNAME_NOT_ACTIVE": msg406, - "RMOPD_IFNAME_NO_INFO": msg407, - "RMOPD_NOT_ROOT": msg408, - "RMOPD_ROUTING_INSTANCE_NO_INFO": msg409, - "RMOPD_TRACEROUTE_ERROR": msg410, - "RMOPD_usage": msg411, - "RPD_ABORT": msg412, - "RPD_ACTIVE_TERMINATE": msg413, - "RPD_ASSERT": msg414, - "RPD_ASSERT_SOFT": msg415, - "RPD_EXIT": msg416, - "RPD_IFL_INDEXCOLLISION": msg417, - "RPD_IFL_NAMECOLLISION": msg418, - "RPD_ISIS_ADJDOWN": msg419, - "RPD_ISIS_ADJUP": msg420, - "RPD_ISIS_ADJUPNOIP": msg421, - "RPD_ISIS_LSPCKSUM": msg422, - "RPD_ISIS_OVERLOAD": msg423, - "RPD_KRT_AFUNSUPRT": msg424, - "RPD_KRT_CCC_IFL_MODIFY": msg425, - "RPD_KRT_DELETED_RTT": msg426, - "RPD_KRT_IFA_GENERATION": msg427, - "RPD_KRT_IFDCHANGE": msg428, - "RPD_KRT_IFDEST_GET": msg429, - 
"RPD_KRT_IFDGET": msg430, - "RPD_KRT_IFD_GENERATION": msg431, - "RPD_KRT_IFL_CELL_RELAY_MODE_INVALID": msg432, - "RPD_KRT_IFL_CELL_RELAY_MODE_UNSPECIFIED": msg433, - "RPD_KRT_IFL_GENERATION": msg434, - "RPD_KRT_KERNEL_BAD_ROUTE": msg435, - "RPD_KRT_NEXTHOP_OVERFLOW": msg436, - "RPD_KRT_NOIFD": msg437, - "RPD_KRT_UNKNOWN_RTT": msg438, - "RPD_KRT_VERSION": msg439, - "RPD_KRT_VERSIONNONE": msg440, - "RPD_KRT_VERSIONOLD": msg441, - "RPD_LDP_INTF_BLOCKED": msg442, - "RPD_LDP_INTF_UNBLOCKED": msg443, - "RPD_LDP_NBRDOWN": msg444, - "RPD_LDP_NBRUP": msg445, - "RPD_LDP_SESSIONDOWN": msg446, - "RPD_LDP_SESSIONUP": msg447, - "RPD_LOCK_FLOCKED": msg448, - "RPD_LOCK_LOCKED": msg449, - "RPD_MPLS_LSP_CHANGE": msg450, - "RPD_MPLS_LSP_DOWN": msg451, - "RPD_MPLS_LSP_SWITCH": msg452, - "RPD_MPLS_LSP_UP": msg453, - "RPD_MSDP_PEER_DOWN": msg454, - "RPD_MSDP_PEER_UP": msg455, - "RPD_OSPF_NBRDOWN": msg456, - "RPD_OSPF_NBRUP": msg457, - "RPD_OS_MEMHIGH": msg458, - "RPD_PIM_NBRDOWN": msg459, - "RPD_PIM_NBRUP": msg460, - "RPD_RDISC_CKSUM": msg461, - "RPD_RDISC_NOMULTI": msg462, - "RPD_RDISC_NORECVIF": msg463, - "RPD_RDISC_SOLICITADDR": msg464, - "RPD_RDISC_SOLICITICMP": msg465, - "RPD_RDISC_SOLICITLEN": msg466, - "RPD_RIP_AUTH": msg467, - "RPD_RIP_JOIN_BROADCAST": msg468, - "RPD_RIP_JOIN_MULTICAST": msg469, - "RPD_RT_IFUP": msg470, - "RPD_SCHED_CALLBACK_LONGRUNTIME": msg471, - "RPD_SCHED_CUMULATIVE_LONGRUNTIME": msg472, - "RPD_SCHED_MODULE_LONGRUNTIME": msg473, - "RPD_SCHED_TASK_LONGRUNTIME": msg474, - "RPD_SIGNAL_TERMINATE": msg475, - "RPD_START": msg476, - "RPD_SYSTEM": msg477, - "RPD_TASK_BEGIN": msg478, - "RPD_TASK_CHILDKILLED": msg479, - "RPD_TASK_CHILDSTOPPED": msg480, - "RPD_TASK_FORK": msg481, - "RPD_TASK_GETWD": msg482, - "RPD_TASK_NOREINIT": msg483, - "RPD_TASK_PIDCLOSED": msg484, - "RPD_TASK_PIDFLOCK": msg485, - "RPD_TASK_PIDWRITE": msg486, - "RPD_TASK_REINIT": msg487, - "RPD_TASK_SIGNALIGNORE": msg488, - "RT_COS": msg489, - "RT_FLOW_SESSION_CLOSE": select51, - 
"RT_FLOW_SESSION_CREATE": select45, - "RT_FLOW_SESSION_DENY": select47, - "RT_SCREEN_ICMP": msg774, - "RT_SCREEN_IP": select52, - "RT_SCREEN_SESSION_LIMIT": msg504, - "RT_SCREEN_TCP": msg503, - "RT_SCREEN_UDP": msg505, - "Resolve": msg63, - "SECINTEL_ACTION_LOG": msg775, - "SECINTEL_ERROR_OTHERS": msg747, - "SECINTEL_NETWORK_CONNECT_FAILED": msg744, - "SERVICED_CLIENT_CONNECT": msg506, - "SERVICED_CLIENT_DISCONNECTED": msg507, - "SERVICED_CLIENT_ERROR": msg508, - "SERVICED_COMMAND_FAILED": msg509, - "SERVICED_COMMIT_FAILED": msg510, - "SERVICED_CONFIGURATION_FAILED": msg511, - "SERVICED_CONFIG_ERROR": msg512, - "SERVICED_CONFIG_FILE": msg513, - "SERVICED_CONNECTION_ERROR": msg514, - "SERVICED_DISABLED_GGSN": msg515, - "SERVICED_DUPLICATE": msg516, - "SERVICED_EVENT_FAILED": msg517, - "SERVICED_INIT_FAILED": msg518, - "SERVICED_MALLOC_FAILURE": msg519, - "SERVICED_NETWORK_FAILURE": msg520, - "SERVICED_NOT_ROOT": msg521, - "SERVICED_PID_FILE_LOCK": msg522, - "SERVICED_PID_FILE_UPDATE": msg523, - "SERVICED_RTSOCK_SEQUENCE": msg524, - "SERVICED_SIGNAL_HANDLER": msg525, - "SERVICED_SOCKET_CREATE": msg526, - "SERVICED_SOCKET_IO": msg527, - "SERVICED_SOCKET_OPTION": msg528, - "SERVICED_STDLIB_FAILURE": msg529, - "SERVICED_USAGE": msg530, - "SERVICED_WORK_INCONSISTENCY": msg531, - "SNMPD_ACCESS_GROUP_ERROR": msg537, - "SNMPD_AUTH_FAILURE": select53, - "SNMPD_AUTH_PRIVILEGES_EXCEEDED": msg542, - "SNMPD_AUTH_RESTRICTED_ADDRESS": msg543, - "SNMPD_AUTH_WRONG_PDU_TYPE": msg544, - "SNMPD_CONFIG_ERROR": msg545, - "SNMPD_CONTEXT_ERROR": msg546, - "SNMPD_ENGINE_FILE_FAILURE": msg547, - "SNMPD_ENGINE_PROCESS_ERROR": msg548, - "SNMPD_FILE_FAILURE": msg549, - "SNMPD_GROUP_ERROR": msg550, - "SNMPD_INIT_FAILED": msg551, - "SNMPD_LIBJUNIPER_FAILURE": msg552, - "SNMPD_LOOPBACK_ADDR_ERROR": msg553, - "SNMPD_MEMORY_FREED": msg554, - "SNMPD_RADIX_FAILURE": msg555, - "SNMPD_RECEIVE_FAILURE": msg556, - "SNMPD_RMONFILE_FAILURE": msg557, - "SNMPD_RMON_COOKIE": msg558, - "SNMPD_RMON_EVENTLOG": 
msg559, - "SNMPD_RMON_IOERROR": msg560, - "SNMPD_RMON_MIBERROR": msg561, - "SNMPD_RTSLIB_ASYNC_EVENT": msg562, - "SNMPD_SEND_FAILURE": select54, - "SNMPD_SOCKET_FAILURE": msg565, - "SNMPD_SUBAGENT_NO_BUFFERS": msg566, - "SNMPD_SUBAGENT_SEND_FAILED": msg567, - "SNMPD_SYSLIB_FAILURE": msg568, - "SNMPD_THROTTLE_QUEUE_DRAINED": msg569, - "SNMPD_TRAP_COLD_START": msg570, - "SNMPD_TRAP_GEN_FAILURE": msg571, - "SNMPD_TRAP_GEN_FAILURE2": msg572, - "SNMPD_TRAP_INVALID_DATA": msg573, - "SNMPD_TRAP_NOT_ENOUGH_VARBINDS": msg574, - "SNMPD_TRAP_QUEUED": msg575, - "SNMPD_TRAP_QUEUE_DRAINED": msg576, - "SNMPD_TRAP_QUEUE_MAX_ATTEMPTS": msg577, - "SNMPD_TRAP_QUEUE_MAX_SIZE": msg578, - "SNMPD_TRAP_THROTTLED": msg579, - "SNMPD_TRAP_TYPE_ERROR": msg580, - "SNMPD_TRAP_VARBIND_TYPE_ERROR": msg581, - "SNMPD_TRAP_VERSION_ERROR": msg582, - "SNMPD_TRAP_WARM_START": msg583, - "SNMPD_USER_ERROR": msg584, - "SNMPD_VIEW_DELETE": msg585, - "SNMPD_VIEW_INSTALL_DEFAULT": msg586, - "SNMPD_VIEW_OID_PARSE": msg587, - "SNMP_GET_ERROR1": msg588, - "SNMP_GET_ERROR2": msg589, - "SNMP_GET_ERROR3": msg590, - "SNMP_GET_ERROR4": msg591, - "SNMP_NS_LOG_INFO": msg535, - "SNMP_RTSLIB_FAILURE": msg592, - "SNMP_SUBAGENT_IPC_REG_ROWS": msg536, - "SNMP_TRAP_LINK_DOWN": select55, - "SNMP_TRAP_LINK_UP": select56, - "SNMP_TRAP_PING_PROBE_FAILED": msg597, - "SNMP_TRAP_PING_TEST_COMPLETED": msg598, - "SNMP_TRAP_PING_TEST_FAILED": msg599, - "SNMP_TRAP_TRACE_ROUTE_PATH_CHANGE": msg600, - "SNMP_TRAP_TRACE_ROUTE_TEST_COMPLETED": msg601, - "SNMP_TRAP_TRACE_ROUTE_TEST_FAILED": msg602, - "SNTPD": msg112, - "SSB": msg113, - "SSHD_LOGIN_FAILED": select57, - "SSL_PROXY_SESSION_IGNORE": msg534, - "SSL_PROXY_SSL_SESSION_ALLOW": msg532, - "SSL_PROXY_SSL_SESSION_DROP": msg533, - "TASK_TASK_REINIT": msg606, - "TFTPD_AF_ERR": msg607, - "TFTPD_BIND_ERR": msg608, - "TFTPD_CONNECT_ERR": msg609, - "TFTPD_CONNECT_INFO": msg610, - "TFTPD_CREATE_ERR": msg611, - "TFTPD_FIO_ERR": msg612, - "TFTPD_FORK_ERR": msg613, - "TFTPD_NAK_ERR": msg614, - 
"TFTPD_OPEN_ERR": msg615, - "TFTPD_RECVCOMPLETE_INFO": msg616, - "TFTPD_RECVFROM_ERR": msg617, - "TFTPD_RECV_ERR": msg618, - "TFTPD_SENDCOMPLETE_INFO": msg619, - "TFTPD_SEND_ERR": msg620, - "TFTPD_SOCKET_ERR": msg621, - "TFTPD_STATFS_ERR": msg622, - "TNP": msg623, - "UI_AUTH_EVENT": msg628, - "UI_AUTH_INVALID_CHALLENGE": msg629, - "UI_BOOTTIME_FAILED": msg630, - "UI_CFG_AUDIT_NEW": select58, - "UI_CFG_AUDIT_OTHER": select60, - "UI_CFG_AUDIT_SET": select63, - "UI_CFG_AUDIT_SET_SECRET": select64, - "UI_CHILD_ARGS_EXCEEDED": msg645, - "UI_CHILD_CHANGE_USER": msg646, - "UI_CHILD_EXEC": msg647, - "UI_CHILD_EXITED": msg648, - "UI_CHILD_FOPEN": msg649, - "UI_CHILD_PIPE_FAILED": msg650, - "UI_CHILD_SIGNALED": msg651, - "UI_CHILD_START": msg653, - "UI_CHILD_STATUS": msg654, - "UI_CHILD_STOPPED": msg652, - "UI_CHILD_WAITPID": msg655, - "UI_CLI_IDLE_TIMEOUT": msg656, - "UI_CMDLINE_READ_LINE": msg657, - "UI_CMDSET_EXEC_FAILED": msg658, - "UI_CMDSET_FORK_FAILED": msg659, - "UI_CMDSET_PIPE_FAILED": msg660, - "UI_CMDSET_STOPPED": msg661, - "UI_CMDSET_WEXITED": msg662, - "UI_CMD_AUTH_REGEX_INVALID": msg663, - "UI_COMMIT": msg664, - "UI_COMMIT_AT": msg665, - "UI_COMMIT_AT_COMPLETED": msg666, - "UI_COMMIT_AT_FAILED": msg667, - "UI_COMMIT_COMPRESS_FAILED": msg668, - "UI_COMMIT_CONFIRMED": msg669, - "UI_COMMIT_CONFIRMED_REMINDER": msg670, - "UI_COMMIT_CONFIRMED_TIMED": msg671, - "UI_COMMIT_EMPTY_CONTAINER": msg672, - "UI_COMMIT_NOT_CONFIRMED": msg673, - "UI_COMMIT_PROGRESS": msg674, - "UI_COMMIT_QUIT": msg675, - "UI_COMMIT_ROLLBACK_FAILED": msg676, - "UI_COMMIT_SYNC": msg677, - "UI_COMMIT_SYNC_FORCE": msg678, - "UI_CONFIGURATION_ERROR": msg679, - "UI_DAEMON_ACCEPT_FAILED": msg680, - "UI_DAEMON_FORK_FAILED": msg681, - "UI_DAEMON_SELECT_FAILED": msg682, - "UI_DAEMON_SOCKET_FAILED": msg683, - "UI_DBASE_ACCESS_FAILED": msg684, - "UI_DBASE_CHECKOUT_FAILED": msg685, - "UI_DBASE_EXTEND_FAILED": msg686, - "UI_DBASE_LOGIN_EVENT": msg687, - "UI_DBASE_LOGOUT_EVENT": msg688, - 
"UI_DBASE_MISMATCH_EXTENT": msg689, - "UI_DBASE_MISMATCH_MAJOR": msg690, - "UI_DBASE_MISMATCH_MINOR": msg691, - "UI_DBASE_MISMATCH_SEQUENCE": msg692, - "UI_DBASE_MISMATCH_SIZE": msg693, - "UI_DBASE_OPEN_FAILED": msg694, - "UI_DBASE_REBUILD_FAILED": msg695, - "UI_DBASE_REBUILD_SCHEMA_FAILED": msg696, - "UI_DBASE_REBUILD_STARTED": msg697, - "UI_DBASE_RECREATE": msg698, - "UI_DBASE_REOPEN_FAILED": msg699, - "UI_DUPLICATE_UID": msg700, - "UI_JUNOSCRIPT_CMD": msg701, - "UI_JUNOSCRIPT_ERROR": msg702, - "UI_LOAD_EVENT": msg703, - "UI_LOAD_JUNOS_DEFAULT_FILE_EVENT": msg704, - "UI_LOGIN_EVENT": select71, - "UI_LOGOUT_EVENT": msg707, - "UI_LOST_CONN": msg708, - "UI_MASTERSHIP_EVENT": msg709, - "UI_MGD_TERMINATE": msg710, - "UI_NETCONF_CMD": msg711, - "UI_READ_FAILED": msg712, - "UI_READ_TIMEOUT": msg713, - "UI_REBOOT_EVENT": msg714, - "UI_RESTART_EVENT": msg715, - "UI_SCHEMA_CHECKOUT_FAILED": msg716, - "UI_SCHEMA_MISMATCH_MAJOR": msg717, - "UI_SCHEMA_MISMATCH_MINOR": msg718, - "UI_SCHEMA_MISMATCH_SEQUENCE": msg719, - "UI_SCHEMA_SEQUENCE_ERROR": msg720, - "UI_SYNC_OTHER_RE": msg721, - "UI_TACPLUS_ERROR": msg722, - "UI_VERSION_FAILED": msg723, - "UI_WRITE_RECONNECT": msg724, - "VRRPD_NEWMASTER_TRAP": msg725, - "Version": msg99, - "WEBFILTER_REQUEST_NOT_CHECKED": msg730, - "WEBFILTER_URL_BLOCKED": select75, - "WEBFILTER_URL_PERMITTED": select74, - "WEB_AUTH_FAIL": msg726, - "WEB_AUTH_SUCCESS": msg727, - "WEB_INTERFACE_UNAUTH": msg728, - "WEB_READ": msg729, - "alarmd": msg3, - "bgp_connect_start": msg132, - "bgp_event": msg133, - "bgp_listen_accept": msg134, - "bgp_listen_reset": msg135, - "bgp_nexthop_sanity": msg136, - "bgp_pp_recv": select33, - "bgp_process_caps": select32, - "bgp_send": msg141, - "bgp_traffic_timeout": msg142, - "bigd": select6, - "bigpipe": select7, - "bigstart": msg9, - "cgatool": msg10, - "chassisd": msg11, - "chassism": select73, - "checkd": select8, - "clean_process": msg215, - "cli": msg750, - "cosd": msg14, - "craftd": msg15, - "cron": msg18, - 
"crond": msg21, - "dcd": msg22, - "eswd": select72, - "ftpd": msg24, - "ha_rto_stats_handler": msg25, - "hostinit": msg26, - "idpinfo": msg752, - "ifinfo": select13, - "ifp_ifl_anydown_change_event": msg30, - "ifp_ifl_config_event": msg31, - "ifp_ifl_ext_chg": msg32, - "inetd": select14, - "init": select15, - "ipc_msg_write": msg40, - "kernel": select17, - "kmd": msg753, - "last": select28, - "login": select18, - "lsys_ssam_handler": msg53, - "mcsn": msg54, - "mgd": msg62, - "mrvl_dfw_log_effuse_status": msg55, - "node": select79, - "pfed": msg751, - "process_mode": select38, - "profile_ssam_handler": msg57, - "pst_nat_binding_set_profile": msg58, - "qsfp": msg776, - "respawn": msg64, - "root": msg65, - "rpd": select20, - "rshd": msg70, - "sfd": msg71, - "sshd": select21, - "syslogd": msg92, - "task_connect": msg605, - "task_reconfigure": msg59, - "tnetd": msg60, - "tnp.bootpd": msg769, - "trace_on": msg624, - "trace_rotate": msg625, - "transfer-file": msg626, - "ttloop": msg627, - "ucd-snmp": select26, - "usp_ipc_client_reconnect": msg95, - "usp_trace_ipc_disconnect": msg96, - "usp_trace_ipc_reconnect": msg97, - "uspinfo": msg98, - "xntpd": select27, - }), - ]); - - var hdr43 = match("HEADER#3:0004/0", "message", "%{month->} %{day->} %{time->} %{p0}"); - - var part822 = match("HEADER#3:0004/1_0", "nwparser.p0", "fpc0 %{p0}"); - - var part823 = match("HEADER#3:0004/1_1", "nwparser.p0", "fpc1 %{p0}"); - - var part824 = match("HEADER#3:0004/1_2", "nwparser.p0", "fpc2 %{p0}"); - - var part825 = match("HEADER#3:0004/1_3", "nwparser.p0", "fpc3 %{p0}"); - - var part826 = match("HEADER#3:0004/1_4", "nwparser.p0", "fpc4 %{p0}"); - - var part827 = match("HEADER#3:0004/1_5", "nwparser.p0", "fpc5 %{p0}"); - - var part828 = match("HEADER#3:0004/1_11", "nwparser.p0", "ssb %{p0}"); - - var part829 = match("HEADER#15:0026.upd.a/1_0", "nwparser.p0", "RT_FLOW - %{p0}"); - - var part830 = match("HEADER#15:0026.upd.a/1_1", "nwparser.p0", "junos-ssl-proxy - %{p0}"); - - var part831 = 
match("HEADER#15:0026.upd.a/1_2", "nwparser.p0", "RT_APPQOS - %{p0}"); - - var part832 = match("HEADER#15:0026.upd.a/1_3", "nwparser.p0", "%{hfld33->} - %{p0}"); - - var hdr44 = match("HEADER#16:0026.upd.b/0", "message", "%{event_time->} %{hfld32->} %{hhostname->} %{p0}"); - - var part833 = match("MESSAGE#77:sshd:06/0", "nwparser.payload", "%{} %{p0}"); - - var part834 = match("MESSAGE#77:sshd:06/1_0", "nwparser.p0", "%{process}[%{process_id}]: %{p0}"); - - var part835 = match("MESSAGE#77:sshd:06/1_1", "nwparser.p0", "%{process}: %{p0}"); - - var part836 = match_copy("MESSAGE#72:Failed:05/1_2", "nwparser.p0", "p0"); - - var part837 = match("MESSAGE#114:ACCT_GETHOSTNAME_error/0", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{p0}"); - - var part838 = match("MESSAGE#294:LOGIN_INFORMATION/3_0", "nwparser.p0", "User %{p0}"); - - var part839 = match("MESSAGE#294:LOGIN_INFORMATION/3_1", "nwparser.p0", "user %{p0}"); - - var part840 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/0", "nwparser.payload", "%{event_type->} [junos@%{obj_name->} source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\"%{p0}"); - - var part841 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/1_0", "nwparser.p0", " connection-tag=%{fld20->} service-name=\"%{p0}"); - - var part842 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/1_1", "nwparser.p0", " service-name=\"%{p0}"); - - var part843 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/3_0", "nwparser.p0", " nat-connection-tag=%{fld6->} src-nat-rule-type=%{fld20->} %{p0}"); - - var part844 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/5_1", "nwparser.p0", "name=\"%{p0}"); - - var part845 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/8", "nwparser.p0", "]%{}"); - - var part846 = match("MESSAGE#490:RT_FLOW_SESSION_DENY:03/0_0", "nwparser.payload", "%{process}: %{event_type}: session denied %{p0}"); - - var part847 = match("MESSAGE#490:RT_FLOW_SESSION_DENY:03/0_1", 
"nwparser.payload", "%{event_type}: session denied %{p0}"); - - var part848 = match("MESSAGE#492:RT_FLOW_SESSION_CLOSE:01/0", "nwparser.payload", "%{event_type->} [junos@%{obj_name->} reason=\"%{result}\" source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\"%{p0}"); - - var part849 = match("MESSAGE#492:RT_FLOW_SESSION_CLOSE:01/2", "nwparser.p0", "%{service}\" nat-source-address=\"%{hostip}\" nat-source-port=\"%{network_port}\" nat-destination-address=\"%{dtransaddr}\" nat-destination-port=\"%{dtransport}\"%{p0}"); - - var part850 = match("MESSAGE#492:RT_FLOW_SESSION_CLOSE:01/4", "nwparser.p0", "%{}src-nat-rule-name=\"%{rulename}\" dst-nat-rule-%{p0}"); - - var part851 = match("MESSAGE#492:RT_FLOW_SESSION_CLOSE:01/5_0", "nwparser.p0", "type=%{fld7->} dst-nat-rule-name=\"%{p0}"); - - var part852 = match("MESSAGE#492:RT_FLOW_SESSION_CLOSE:01/6", "nwparser.p0", "\"%{rule_template->} protocol-id=\"%{protocol}\" policy-name=\"%{policyname}\" source-zone-name=\"%{src_zone}\" destination-zone-name=\"%{dst_zone}\" session-id-32=\"%{sessionid}\" packets-from-client=\"%{packets}\" bytes-from-client=\"%{rbytes}\" packets-from-server=\"%{dclass_counter1}\" bytes-from-server=\"%{sbytes}\" elapsed-time=\"%{duration}\"%{p0}"); - - var part853 = match("MESSAGE#492:RT_FLOW_SESSION_CLOSE:01/7_0", "nwparser.p0", " application=\"%{fld6}\" nested-application=\"%{fld7}\" username=\"%{username}\" roles=\"%{fld15}\" packet-incoming-interface=\"%{dinterface}\" encrypted=%{fld16->} %{p0}"); - - var part854 = match("MESSAGE#630:UI_CFG_AUDIT_OTHER:02/0", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' set: [%{action}] %{p0}"); - - var part855 = match_copy("MESSAGE#630:UI_CFG_AUDIT_OTHER:02/1_1", "nwparser.p0", "space"); - - var part856 = match("MESSAGE#634:UI_CFG_AUDIT_SET:01/1_1", "nwparser.p0", "\u003c\u003c%{change_old}> %{p0}"); - - var part857 = match("MESSAGE#634:UI_CFG_AUDIT_SET:01/2", 
"nwparser.p0", "-> \"%{change_new}\""); - - var part858 = match("MESSAGE#637:UI_CFG_AUDIT_SET_SECRET:01/0", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' %{p0}"); - - var part859 = match("MESSAGE#637:UI_CFG_AUDIT_SET_SECRET:01/1_0", "nwparser.p0", "set %{p0}"); - - var part860 = match("MESSAGE#637:UI_CFG_AUDIT_SET_SECRET:01/1_1", "nwparser.p0", "replace %{p0}"); - - var part861 = match("MESSAGE#675:UI_DAEMON_ACCEPT_FAILED/1_0", "nwparser.p0", "Network %{p0}"); - - var part862 = match("MESSAGE#675:UI_DAEMON_ACCEPT_FAILED/1_1", "nwparser.p0", "Local %{p0}"); - - var part863 = match("MESSAGE#755:node:05/0", "nwparser.payload", "%{hostname->} %{node->} %{p0}"); - - var part864 = match("MESSAGE#755:node:05/1_0", "nwparser.p0", "partner%{p0}"); - - var part865 = match("MESSAGE#755:node:05/1_1", "nwparser.p0", "actor%{p0}"); - - var select85 = linear_select([ - dup14, - dup15, - dup16, - dup17, - ]); - - var part866 = match("HEADER#15:0026.upd.a/2", "nwparser.p0", "%{messageid->} [%{p0}", processor_chain([ - dup13, - ])); - - var select86 = linear_select([ - dup40, - dup41, - ]); - - var part867 = match("MESSAGE#125:BFDD_TRAP_STATE_DOWN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: local discriminator: %{resultcode}, new state: %{result}", processor_chain([ - dup21, - dup22, - dup56, - dup23, - ])); - - var part868 = match("MESSAGE#214:DCD_MALLOC_FAILED_INIT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Memory allocation failed during initialization for configuration load", processor_chain([ - dup51, - dup22, - dup64, - dup23, - ])); - - var part869 = match("MESSAGE#225:ECCD_DAEMONIZE_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}, unable to run in the background as a daemon: %{result}", processor_chain([ - dup30, - dup22, - dup65, - dup23, - ])); - - var part870 = match("MESSAGE#226:ECCD_DUPLICATE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: 
Another copy of this program is running", processor_chain([ - dup30, - dup22, - dup66, - dup23, - ])); - - var part871 = match("MESSAGE#232:ECCD_PID_FILE_LOCK", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to lock PID file: %{result}", processor_chain([ - dup30, - dup22, - dup67, - dup23, - ])); - - var part872 = match("MESSAGE#233:ECCD_PID_FILE_UPDATE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to update process PID file: %{result}", processor_chain([ - dup30, - dup22, - dup68, - dup23, - ])); - - var part873 = match("MESSAGE#272:LIBJNX_EXEC_PIPE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to create pipes for command '%{action}': %{result}", processor_chain([ - dup30, - dup22, - dup71, - dup23, - ])); - - var select87 = linear_select([ - dup76, - dup77, - ]); - - var part874 = match("MESSAGE#310:MIB2D_IFD_IFINDEX_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: SNMP index assigned to %{uid->} changed from %{dclass_counter1->} to %{result}", processor_chain([ - dup30, - dup22, - dup79, - dup23, - ])); - - var part875 = match("MESSAGE#412:RPD_IFL_INDEXCOLLISION", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Logical interface collision -- %{result}, %{info}", processor_chain([ - dup30, - dup22, - dup84, - dup23, - ])); - - var part876 = match("MESSAGE#466:RPD_SCHED_CALLBACK_LONGRUNTIME", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: excessive runtime time during action of module", processor_chain([ - dup30, - dup22, - dup85, - dup23, - ])); - - var part877 = match("MESSAGE#482:RPD_TASK_REINIT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Reinitializing", processor_chain([ - dup21, - dup22, - dup86, - dup23, - ])); - - var select88 = linear_select([ - dup88, - dup89, - ]); - - var select89 = linear_select([ - dup90, - dup45, - ]); - - var select90 = linear_select([ - dup95, - dup96, - ]); - - var 
select91 = linear_select([ - dup101, - dup91, - ]); - - var part878 = match("MESSAGE#498:RT_SCREEN_TCP", "nwparser.payload", "%{event_type->} [junos@%{obj_name->} attack-name=\"%{threat_name}\" source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" source-zone-name=\"%{src_zone}\" interface-name=\"%{interface}\" action=\"%{action}\"]", processor_chain([ - dup30, - dup22, - dup52, - ])); - - var part879 = match("MESSAGE#527:SSL_PROXY_SSL_SESSION_ALLOW", "nwparser.payload", "%{event_type->} [junos@%{obj_name->} logical-system-name=\"%{hostname}\" session-id=\"%{sessionid}\" source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" nat-source-address=\"%{hostip}\" nat-source-port=\"%{network_port}\" nat-destination-address=\"%{dtransaddr}\" nat-destination-port=\"%{dtransport}\" profile-name=\"%{rulename}\" source-zone-name=\"%{src_zone}\" source-interface-name=\"%{sinterface}\" destination-zone-name=\"%{dst_zone}\" destination-interface-name=\"%{dinterface}\" message=\"%{info}\"]", processor_chain([ - dup27, - dup22, - dup52, - ])); - - var select92 = linear_select([ - dup118, - dup119, - ]); - - var select93 = linear_select([ - dup123, - dup124, - ]); - - var part880 = match("MESSAGE#733:WEBFILTER_URL_PERMITTED", "nwparser.payload", "%{event_type->} [junos@%{fld21->} source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" name=\"%{info}\" error-message=\"%{result}\" profile-name=\"%{profile}\" object-name=\"%{obj_name}\" pathname=\"%{directory}\" username=\"%{username}\" roles=\"%{user_role}\"] WebFilter: ACTION=\"%{action}\" %{fld2}->%{fld3->} CATEGORY=\"%{category}\" REASON=\"%{fld4}\" PROFILE=\"%{fld6}\" URL=%{url->} OBJ=%{fld7->} USERNAME=%{fld8->} ROLES=%{fld9}", processor_chain([ - dup30, - dup22, - dup52, - ])); - - var part881 = match_copy("MESSAGE#747:cli", "nwparser.payload", 
"fld12", processor_chain([ - dup48, - dup47, - dup23, - dup22, - ])); - -- community_id: -- registered_domain: - ignore_missing: true - ignore_failure: true - field: dns.question.name - target_field: dns.question.registered_domain - target_subdomain_field: dns.question.subdomain - target_etld_field: dns.question.top_level_domain -- registered_domain: - ignore_missing: true - ignore_failure: true - field: client.domain - target_field: client.registered_domain - target_subdomain_field: client.subdomain - target_etld_field: client.top_level_domain -- registered_domain: - ignore_missing: true - ignore_failure: true - field: server.domain - target_field: server.registered_domain - target_subdomain_field: server.subdomain - target_etld_field: server.top_level_domain -- registered_domain: - ignore_missing: true - ignore_failure: true - field: destination.domain - target_field: destination.registered_domain - target_subdomain_field: destination.subdomain - target_etld_field: destination.top_level_domain -- registered_domain: - ignore_missing: true - ignore_failure: true - field: source.domain - target_field: source.registered_domain - target_subdomain_field: source.subdomain - target_etld_field: source.top_level_domain -- registered_domain: - ignore_missing: true - ignore_failure: true - field: url.domain - target_field: url.registered_domain - target_subdomain_field: url.subdomain - target_etld_field: url.top_level_domain -- add_locale: ~ diff --git a/packages/juniper_junos/0.4.2/data_stream/log/elasticsearch/ingest_pipeline/default.yml b/packages/juniper_junos/0.4.2/data_stream/log/elasticsearch/ingest_pipeline/default.yml deleted file mode 100755 index 62c896785b..0000000000 --- a/packages/juniper_junos/0.4.2/data_stream/log/elasticsearch/ingest_pipeline/default.yml +++ /dev/null 
@@ -1,67 +0,0 @@ ---- -description: Pipeline for Juniper JUNOS - -processors: - - set: - field: ecs.version - value: '8.4.0' - # User agent - - user_agent: - field: user_agent.original - ignore_missing: true - # IP Geolocation Lookup - - geoip: - field: source.ip - target_field: source.geo - ignore_missing: true - - geoip: - field: destination.ip - target_field: destination.geo - ignore_missing: true - # IP Autonomous System (AS) Lookup - - geoip: - database_file: GeoLite2-ASN.mmdb - field: source.ip - target_field: source.as - properties: - - asn - - organization_name - ignore_missing: true - - geoip: - database_file: GeoLite2-ASN.mmdb - field: destination.ip - target_field: destination.as - properties: - - asn - - organization_name - ignore_missing: true - - rename: - field: source.as.asn - target_field: source.as.number - ignore_missing: true - - rename: - field: source.as.organization_name - target_field: source.as.organization.name - ignore_missing: true - - rename: - field: destination.as.asn - target_field: destination.as.number - ignore_missing: true - - rename: - field: destination.as.organization_name - target_field: destination.as.organization.name - ignore_missing: true - - append: - field: related.hosts - value: '{{host.name}}' - allow_duplicates: false - if: ctx.host?.name != null && ctx.host?.name != '' - - remove: - field: event.original - if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" - ignore_failure: true - ignore_missing: true -on_failure: - - append: - field: error.message - value: "{{ _ingest.on_failure_message }}" diff --git a/packages/juniper_junos/0.4.2/data_stream/log/fields/agent.yml b/packages/juniper_junos/0.4.2/data_stream/log/fields/agent.yml deleted file mode 100755 index 38bb8dcec5..0000000000 --- a/packages/juniper_junos/0.4.2/data_stream/log/fields/agent.yml +++ /dev/null 
@@ -1,175 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). 
- example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - diff --git a/packages/juniper_junos/0.4.2/data_stream/log/fields/base-fields.yml b/packages/juniper_junos/0.4.2/data_stream/log/fields/base-fields.yml deleted file mode 100755 index 9def860af3..0000000000 --- a/packages/juniper_junos/0.4.2/data_stream/log/fields/base-fields.yml +++ /dev/null 
@@ -1,43 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: event.module - type: constant_keyword - description: Event module - value: juniper_junos -- name: event.dataset - type: constant_keyword - description: Event dataset - value: juniper_junos.log -- name: container.id - description: Unique container id. - ignore_above: 1024 - type: keyword -- name: input.type - description: Type of Filebeat input. - type: keyword -- name: log.file.path - description: Full path to the log file this event came from. - example: /var/log/fun-times.log - ignore_above: 1024 - type: keyword -- name: log.source.address - description: Source address from which the log event was read / sent from. - type: keyword -- name: log.flags - description: Flags for the log file. - type: keyword -- name: log.offset - description: Offset of the entry in the log file. - type: long -- name: tags - description: List of keywords used to tag each event. - example: '["production", "env2"]' - ignore_above: 1024 - type: keyword diff --git a/packages/juniper_junos/0.4.2/data_stream/log/fields/ecs.yml b/packages/juniper_junos/0.4.2/data_stream/log/fields/ecs.yml deleted file mode 100755 index f7e5c95752..0000000000 --- a/packages/juniper_junos/0.4.2/data_stream/log/fields/ecs.yml +++ /dev/null 
@@ -1,547 +0,0 @@
-- description: |-
- Date/time when the event originated.
- This is the date/time extracted from the event, typically representing when the event was generated by the source.
- If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline.
- Required field for all events.
- name: '@timestamp'
- type: date
-- description: |-
- The domain name of the client system.
- This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment.
- name: client.domain
- type: keyword
-- description: |-
- The highest registered client domain, stripped of the subdomain.
- For example, the registered domain for "foo.example.com" is "example.com".
- This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk".
- name: client.registered_domain
- type: keyword
-- description: |-
- The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain.
- For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period.
- name: client.subdomain
- type: keyword
-- description: |-
- The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com".
- This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org).
Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk".
- name: client.top_level_domain
- type: keyword
-- description: |-
- Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field.
- Then it should be duplicated to `.ip` or `.domain`, depending on which one it is.
- name: destination.address
- type: keyword
-- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet.
- name: destination.as.number
- type: long
-- description: Organization name.
- multi_fields:
- - name: text
- type: match_only_text
- name: destination.as.organization.name
- type: keyword
-- description: Bytes sent from the destination to the source.
- name: destination.bytes
- type: long
-- description: |-
- The domain name of the destination system.
- This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment.
- name: destination.domain
- type: keyword
-- description: City name.
- name: destination.geo.city_name
- type: keyword
-- description: Country name.
- name: destination.geo.country_name
- type: keyword
-- description: Longitude and latitude.
- name: destination.geo.location
- type: geo_point
-- description: IP address of the destination (IPv4 or IPv6).
- name: destination.ip
- type: ip
-- description: |-
- MAC address of the destination.
- The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen.
- name: destination.mac
- pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$
- type: keyword
-- description: |-
- Translated ip of destination based NAT sessions (e.g. internet to private DMZ)
- Typically used with load balancers, firewalls, or routers.
- name: destination.nat.ip
- type: ip
-- description: |-
- Port the source session is translated to by NAT Device.
- Typically used with load balancers, firewalls, or routers.
- name: destination.nat.port
- type: long
-- description: Port of the destination.
- name: destination.port
- type: long
-- description: |-
- The highest registered destination domain, stripped of the subdomain.
- For example, the registered domain for "foo.example.com" is "example.com".
- This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk".
- name: destination.registered_domain
- type: keyword
-- description: |-
- The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain.
- For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period.
- name: destination.subdomain
- type: keyword
-- description: |-
- The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com".
- This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk".
- name: destination.top_level_domain
- type: keyword
-- description: |-
- The domain name to which this resource record pertains.
- If a chain of CNAME is being resolved, each answer's `name` should be the one that corresponds with the answer's `data`. It should not simply be the original `question.name` repeated.
- name: dns.answers.name
- type: keyword
-- description: The type of data contained in this resource record.
- name: dns.answers.type
- type: keyword
-- description: |-
- The highest registered domain, stripped of the subdomain.
- For example, the registered domain for "foo.example.com" is "example.com".
- This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk".
- name: dns.question.registered_domain
- type: keyword
-- description: |-
- The subdomain is all of the labels under the registered_domain.
- If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period.
- name: dns.question.subdomain
- type: keyword
-- description: |-
- The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com".
- This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk".
- name: dns.question.top_level_domain
- type: keyword
-- description: The type of record being queried.
- name: dns.question.type
- type: keyword
-- description: |-
- ECS version this event conforms to. `ecs.version` is a required field and must exist in all events.
- When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events.
- name: ecs.version
- type: keyword
-- description: Error message.
- name: error.message
- type: match_only_text
-- description: |-
- The action captured by the event.
- This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer.
- name: event.action
- type: keyword
-- description: |-
- Identification code for this event, if one exists.
- Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID.
- name: event.code
- type: keyword
-- description: |-
- Timestamp when an event arrived in the central data store.
- This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event.
- In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`.
- name: event.ingested
- type: date
-- description: |-
- Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex.
- This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`.
- doc_values: false
- index: false
- name: event.original
- type: keyword
-- description: |-
- This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy.
- `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event.
- Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective.
- Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer.
- Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense.
- name: event.outcome
- type: keyword
-- description: |-
- This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise.
- Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00").
- name: event.timezone
- type: keyword
-- description: |-
- Array of file attributes.
- Attributes names will vary by platform. Here's a non-exhaustive list of values that are expected in this field: archive, compressed, directory, encrypted, execute, hidden, read, readonly, system, write.
- name: file.attributes
- normalize:
- - array
- type: keyword
-- description: Directory where the file is located. It should include the drive letter, when appropriate.
- name: file.directory
- type: keyword
-- description: |-
- File extension, excluding the leading dot.
- Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz").
- name: file.extension
- type: keyword
-- description: Name of the file including the extension, without the directory.
- name: file.name
- type: keyword
-- description: Full path to the file, including the file name. It should include the drive letter, when appropriate.
- multi_fields:
- - name: text
- type: match_only_text
- name: file.path
- type: keyword
-- description: |-
- File size in bytes.
- Only relevant when `file.type` is "file".
- name: file.size
- type: long
-- description: File type (file, dir, or symlink).
- name: file.type
- type: keyword
-- description: City name.
- name: geo.city_name
- type: keyword
-- description: Country name.
- name: geo.country_name
- type: keyword
-- description: |-
- User-defined description of a location, at the level of granularity they care about.
- Could be the name of their data centers, the floor number, if this describes a local physical entity, city names.
- Not typically used in automated geolocation.
- name: geo.name
- type: keyword
-- description: Region name.
- name: geo.region_name
- type: keyword
-- description: Unique identifier for the group on the system/platform.
- name: group.id
- type: keyword
-- description: Name of the group.
- name: group.name
- type: keyword
-- description: |-
- Hostname of the host.
- It normally contains what the `hostname` command returns on the host machine.
- name: host.hostname
- type: keyword
-- description: Host ip addresses.
- name: host.ip
- normalize:
- - array
- type: ip
-- description: |-
- Host MAC addresses.
- The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen.
- name: host.mac
- normalize:
- - array
- pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$
- type: keyword
-- description: |-
- Name of the host.
- It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.
- name: host.name
- type: keyword
-- description: |-
- HTTP request method.
- The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field.
- name: http.request.method
- type: keyword
-- description: Referrer for this HTTP request.
- name: http.request.referrer
- type: keyword
-- description: |-
- Original log level of the log event.
- If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity).
- Some examples are `warn`, `err`, `i`, `informational`.
- name: log.level
- type: keyword
-- description: |-
- The Syslog numeric facility of the log event, if available.
- According to RFCs 5424 and 3164, this value should be an integer between 0 and 23.
- name: log.syslog.facility.code
- type: long
-- description: |-
- Syslog numeric priority of the event, if available.
- According to RFCs 5424 and 3164, the priority is 8 * facility + severity. This number is therefore expected to contain a value between 0 and 191.
- name: log.syslog.priority
- type: long
-- description: |-
- The Syslog numeric severity of the log event, if available.
- If the event source publishing via Syslog provides a different numeric severity value (e.g. firewall, IDS), your source's numeric severity should go to `event.severity`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `event.severity`.
- name: log.syslog.severity.code
- type: long
-- description: |-
- For log events the message field contains the log message, optimized for viewing in a log viewer.
- For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event.
- If multiple messages exist, they can be combined into one message.
- name: message
- type: match_only_text
-- description: |-
- When a specific application or service is identified from network connection details (source/dest IPs, ports, certificates, or wire format), this field captures the application's or service's name.
- For example, the original event identifies the network connection being from a specific web service in a `https` network connection, like `facebook` or `twitter`.
- The field value must be normalized to lowercase for querying.
- name: network.application
- type: keyword
-- description: |-
- Total bytes transferred in both directions.
- If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum.
- name: network.bytes
- type: long
-- description: |-
- Direction of the network traffic.
- When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress".
- When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external".
- Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers.
- name: network.direction
- type: keyword
-- description: Host IP address when the source IP address is the proxy.
- name: network.forwarded_ip
- type: ip
-- description: |-
- Total packets transferred in both directions.
- If `source.packets` and `destination.packets` are known, `network.packets` is their sum.
- name: network.packets
- type: long
-- description: |-
- In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`.
- The field value must be normalized to lowercase for querying.
- name: network.protocol
- type: keyword
-- description: Interface name as reported by the system.
- name: observer.egress.interface.name
- type: keyword
-- description: Interface name as reported by the system.
- name: observer.ingress.interface.name
- type: keyword
-- description: The product name of the observer.
- name: observer.product
- type: keyword
-- description: |-
- The type of the observer the data is coming from.
- There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`.
- name: observer.type
- type: keyword
-- description: Vendor name of the observer.
- name: observer.vendor
- type: keyword
-- description: Observer version.
- name: observer.version
- type: keyword
-- description: |-
- Process name.
- Sometimes called program name or similar.
- multi_fields:
- - name: text
- type: match_only_text
- name: process.name
- type: keyword
-- description: |-
- Process name.
- Sometimes called program name or similar.
- multi_fields:
- - name: text
- type: match_only_text
- name: process.parent.name
- type: keyword
-- description: |-
- Process title.
- The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened.
- multi_fields:
- - name: text
- type: match_only_text
- name: process.parent.title
- type: keyword
-- description: Process id.
- name: process.pid
- type: long
-- description: Process id.
- name: process.parent.pid
- type: long
-- description: |-
- Process title.
- The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened.
- multi_fields:
- - name: text
- type: match_only_text
- name: process.title
- type: keyword
-- description: All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases.
- name: related.hosts
- normalize:
- - array
- type: keyword
-- description: All of the IPs seen on your event.
- name: related.ip
- normalize:
- - array
- type: ip
-- description: All the user names or other user identifiers seen on the event.
- name: related.user
- normalize:
- - array
- type: keyword
-- description: The name of the rule or signature generating the event.
- name: rule.name
- type: keyword
-- description: |-
- The domain name of the server system.
- This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment.
- name: server.domain
- type: keyword
-- description: |-
- The highest registered server domain, stripped of the subdomain.
- For example, the registered domain for "foo.example.com" is "example.com".
- This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk".
- name: server.registered_domain
- type: keyword
-- description: |-
- The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain.
- For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period.
- name: server.subdomain
- type: keyword
-- description: |-
- The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com".
- This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org).
Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk".
- name: server.top_level_domain
- type: keyword
-- description: |-
- Name of the service data is collected from.
- The name of the service is normally user given. This allows for distributed services that run on multiple hosts to correlate the related instances based on the name.
- In the case of Elasticsearch the `service.name` could contain the cluster name. For Beats the `service.name` is by default a copy of the `service.type` field if no name is specified.
- name: service.name
- type: keyword
-- description: |-
- Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field.
- Then it should be duplicated to `.ip` or `.domain`, depending on which one it is.
- name: source.address
- type: keyword
-- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet.
- name: source.as.number
- type: long
-- description: Organization name.
- multi_fields:
- - name: text
- type: match_only_text
- name: source.as.organization.name
- type: keyword
-- description: Bytes sent from the source to the destination.
- name: source.bytes
- type: long
-- description: |-
- The domain name of the source system.
- This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment.
- name: source.domain
- type: keyword
-- description: City name.
- name: source.geo.city_name
- type: keyword
-- description: Country name.
- name: source.geo.country_name
- type: keyword
-- description: Longitude and latitude.
- name: source.geo.location
- type: geo_point
-- description: IP address of the source (IPv4 or IPv6).
- name: source.ip
- type: ip
-- description: |-
- MAC address of the source.
- The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen.
- name: source.mac
- pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$
- type: keyword
-- description: |-
- Translated ip of source based NAT sessions (e.g. internal client to internet)
- Typically connections traversing load balancers, firewalls, or routers.
- name: source.nat.ip
- type: ip
-- description: |-
- Translated port of source based NAT sessions. (e.g. internal client to internet)
- Typically used with load balancers, firewalls, or routers.
- name: source.nat.port
- type: long
-- description: Port of the source.
- name: source.port
- type: long
-- description: |-
- The highest registered source domain, stripped of the subdomain.
- For example, the registered domain for "foo.example.com" is "example.com".
- This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk".
- name: source.registered_domain
- type: keyword
-- description: |-
- The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain.
- For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period.
- name: source.subdomain
- type: keyword
-- description: |-
- The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com".
- This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk".
- name: source.top_level_domain
- type: keyword
-- description: List of keywords used to tag each event.
- name: tags
- normalize:
- - array
- type: keyword
-- description: |-
- Domain of the url, such as "www.elastic.co".
- In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field.
- If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field.
- name: url.domain
- type: keyword
-- description: |-
- Unmodified original url as seen in the event source.
- Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path.
- This field is meant to represent the URL as it was observed, complete or not.
- multi_fields:
- - name: text
- type: match_only_text
- name: url.original
- type: wildcard
-- description: Path of the request, such as "/search".
- name: url.path
- type: wildcard
-- description: |-
- The query field describes the query string of the request, such as "q=elasticsearch".
- The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases.
- name: url.query
- type: keyword
-- description: |-
- The highest registered url domain, stripped of the subdomain.
- For example, the registered domain for "foo.example.com" is "example.com".
- This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk".
- name: url.registered_domain
- type: keyword
-- description: |-
- The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com".
- This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk".
- name: url.top_level_domain
- type: keyword
-- description: |-
- Name of the directory the user is a member of.
- For example, an LDAP or Active Directory domain name.
- name: user.domain
- type: keyword
-- description: User's full name, if available.
- multi_fields:
- - name: text
- type: match_only_text
- name: user.full_name
- type: keyword
-- description: Unique identifier of the user.
- name: user.id
- type: keyword
-- description: Short name or login of the user.
- multi_fields:
- - name: text
- type: match_only_text
- name: user.name
- type: keyword
-- description: Unparsed user_agent string.
- multi_fields:
- - name: text
- type: match_only_text
- name: user_agent.original
- type: keyword
diff --git a/packages/juniper_junos/0.4.2/data_stream/log/fields/fields.yml b/packages/juniper_junos/0.4.2/data_stream/log/fields/fields.yml
deleted file mode 100755
index ea69cd79e3..0000000000
--- a/packages/juniper_junos/0.4.2/data_stream/log/fields/fields.yml
+++ /dev/null
@@ -1,1754 +0,0 @@ -- name: rsa - type: group - fields: - - name: internal - type: group - fields: - - name: msg - type: keyword - description: This key is used to capture the raw message that comes into the Log Decoder - - name: messageid - type: keyword - - name: event_desc - type: keyword - - name: message - type: keyword - description: This key captures the contents of instant messages - - name: time - type: date - description: This is the time at which a session hits a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. - - name: level - type: long - description: Deprecated key defined only in table map. - - name: msg_id - type: keyword - description: This is the Message ID1 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: msg_vid - type: keyword - description: This is the Message ID2 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: data - type: keyword - description: Deprecated key defined only in table map. - - name: obj_server - type: keyword - description: Deprecated key defined only in table map. - - name: obj_val - type: keyword - description: Deprecated key defined only in table map. - - name: resource - type: keyword - description: Deprecated key defined only in table map. - - name: obj_id - type: keyword - description: Deprecated key defined only in table map. - - name: statement - type: keyword - description: Deprecated key defined only in table map. - - name: audit_class - type: keyword - description: Deprecated key defined only in table map. 
- - name: entry - type: keyword - description: Deprecated key defined only in table map. - - name: hcode - type: keyword - description: Deprecated key defined only in table map. - - name: inode - type: long - description: Deprecated key defined only in table map. - - name: resource_class - type: keyword - description: Deprecated key defined only in table map. - - name: dead - type: long - description: Deprecated key defined only in table map. - - name: feed_desc - type: keyword - description: This is used to capture the description of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: feed_name - type: keyword - description: This is used to capture the name of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: cid - type: keyword - description: This is the unique identifier used to identify a NetWitness Concentrator. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: device_class - type: keyword - description: This is the Classification of the Log Event Source under a predefined fixed set of Event Source Classifications. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: device_group - type: keyword - description: This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: device_host - type: keyword - description: This is the Hostname of the log Event Source sending the logs to NetWitness. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: device_ip - type: ip - description: This is the IPv4 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: device_ipv6 - type: ip - description: This is the IPv6 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: device_type - type: keyword - description: This is the name of the log parser which parsed a given session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: device_type_id - type: long - description: Deprecated key defined only in table map. - - name: did - type: keyword - description: This is the unique identifier used to identify a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: entropy_req - type: long - description: This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration - - name: entropy_res - type: long - description: This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration - - name: event_name - type: keyword - description: Deprecated key defined only in table map. - - name: feed_category - type: keyword - description: This is used to capture the category of the feed. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: forward_ip - type: ip - description: This key should be used to capture the IPV4 address of a relay system which forwarded the events from the original system to NetWitness. - - name: forward_ipv6 - type: ip - description: This key is used to capture the IPV6 address of a relay system which forwarded the events from the original system to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: header_id - type: keyword - description: This is the Header ID value that identifies the exact log parser header definition that parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: lc_cid - type: keyword - description: This is a unique Identifier of a Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: lc_ctime - type: date - description: This is the time at which a log is collected in a NetWitness Log Collector. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: mcb_req - type: long - description: This key is only used by the Entropy Parser, the most common byte request is simply which byte for each side (0 thru 255) was seen the most - - name: mcb_res - type: long - description: This key is only used by the Entropy Parser, the most common byte response is simply which byte for each side (0 thru 255) was seen the most - - name: mcbc_req - type: long - description: This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams - - name: mcbc_res - type: long - description: This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams - - name: medium - type: long - description: "This key is used to identify if it’s a log/packet session or Layer 2 Encapsulation Type. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. 32 = log, 33 = correlation session, < 32 is packet session" - - name: node_name - type: keyword - description: Deprecated key defined only in table map. - - name: nwe_callback_id - type: keyword - description: This key denotes that event is endpoint related - - name: parse_error - type: keyword - description: This is a special key that stores any Meta key validation error found while parsing a log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: payload_req - type: long - description: This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. 
However, in order to keep - - name: payload_res - type: long - description: This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep - - name: process_vid_dst - type: keyword - description: Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the target process. - - name: process_vid_src - type: keyword - description: Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the source process. - - name: rid - type: long - description: This is a special ID of the Remote Session created by NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: session_split - type: keyword - description: This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: site - type: keyword - description: Deprecated key defined only in table map. - - name: size - type: long - description: This is the size of the session as seen by the NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: sourcefile - type: keyword - description: This is the name of the log file or PCAPs that can be imported into NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: ubc_req - type: long - description: This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 
256 would mean all byte values of 0 thru 255 were seen at least once - - name: ubc_res - type: long - description: This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once - - name: word - type: keyword - description: This is used by the Word Parsing technology to capture the first 5 character of every word in an unparsed log - - name: time - type: group - fields: - - name: event_time - type: date - description: This key is used to capture the time mentioned in a raw session that represents the actual time an event occured in a standard normalized form - - name: duration_time - type: double - description: This key is used to capture the normalized duration/lifetime in seconds. - - name: event_time_str - type: keyword - description: This key is used to capture the incomplete time mentioned in a session as a string - - name: starttime - type: date - description: This key is used to capture the Start time mentioned in a session in a standard form - - name: month - type: keyword - - name: day - type: keyword - - name: endtime - type: date - description: This key is used to capture the End time mentioned in a session in a standard form - - name: timezone - type: keyword - description: This key is used to capture the timezone of the Event Time - - name: duration_str - type: keyword - description: A text string version of the duration - - name: date - type: keyword - - name: year - type: keyword - - name: recorded_time - type: date - description: The event time as recorded by the system the event is collected from. The usage scenario is a multi-tier application where the management layer of the system records it's own timestamp at the time of collection from its child nodes. Must be in timestamp format. 
- - name: datetime - type: keyword - - name: effective_time - type: date - description: This key is the effective time referenced by an individual event in a Standard Timestamp format - - name: expire_time - type: date - description: This key is the timestamp that explicitly refers to an expiration. - - name: process_time - type: keyword - description: Deprecated, use duration.time - - name: hour - type: keyword - - name: min - type: keyword - - name: timestamp - type: keyword - - name: event_queue_time - type: date - description: This key is the Time that the event was queued. - - name: p_time1 - type: keyword - - name: tzone - type: keyword - - name: eventtime - type: keyword - - name: gmtdate - type: keyword - - name: gmttime - type: keyword - - name: p_date - type: keyword - - name: p_month - type: keyword - - name: p_time - type: keyword - - name: p_time2 - type: keyword - - name: p_year - type: keyword - - name: expire_time_str - type: keyword - description: This key is used to capture incomplete timestamp that explicitly refers to an expiration. - - name: stamp - type: date - description: Deprecated key defined only in table map. - - name: misc - type: group - fields: - - name: action - type: keyword - - name: result - type: keyword - description: This key is used to capture the outcome/result string value of an action in a session. - - name: severity - type: keyword - description: This key is used to capture the severity given the session - - name: event_type - type: keyword - description: This key captures the event category type as specified by the event source. - - name: reference_id - type: keyword - description: This key is used to capture an event id from the session directly - - name: version - type: keyword - description: This key captures Version of the application or OS which is generating the event. - - name: disposition - type: keyword - description: This key captures the The end state of an action. 
- - name: result_code - type: keyword - description: This key is used to capture the outcome/result numeric value of an action in a session - - name: category - type: keyword - description: This key is used to capture the category of an event given by the vendor in the session - - name: obj_name - type: keyword - description: This is used to capture name of object - - name: obj_type - type: keyword - description: This is used to capture type of object - - name: event_source - type: keyword - description: "This key captures Source of the event that’s not a hostname" - - name: log_session_id - type: keyword - description: This key is used to capture a sessionid from the session directly - - name: group - type: keyword - description: This key captures the Group Name value - - name: policy_name - type: keyword - description: This key is used to capture the Policy Name only. - - name: rule_name - type: keyword - description: This key captures the Rule Name - - name: context - type: keyword - description: This key captures Information which adds additional context to the event. - - name: change_new - type: keyword - description: "This key is used to capture the new values of the attribute that’s changing in a session" - - name: space - type: keyword - - name: client - type: keyword - description: This key is used to capture only the name of the client application requesting resources of the server. See the user.agent meta key for capture of the specific user agent identifier or browser identification string. - - name: msgIdPart1 - type: keyword - - name: msgIdPart2 - type: keyword - - name: change_old - type: keyword - description: "This key is used to capture the old value of the attribute that’s changing in a session" - - name: operation_id - type: keyword - description: An alert number or operation number. The values should be unique and non-repeating. 
- - name: event_state - type: keyword - description: This key captures the current state of the object/item referenced within the event. Describing an on-going event. - - name: group_object - type: keyword - description: This key captures a collection/grouping of entities. Specific usage - - name: node - type: keyword - description: Common use case is the node name within a cluster. The cluster name is reflected by the host name. - - name: rule - type: keyword - description: This key captures the Rule number - - name: device_name - type: keyword - description: 'This is used to capture name of the Device associated with the node Like: a physical disk, printer, etc' - - name: param - type: keyword - description: This key is the parameters passed as part of a command or application, etc. - - name: change_attrib - type: keyword - description: "This key is used to capture the name of the attribute that’s changing in a session" - - name: event_computer - type: keyword - description: This key is a windows only concept, where this key is used to capture fully qualified domain name in a windows log. - - name: reference_id1 - type: keyword - description: This key is for Linked ID to be used as an addition to "reference.id" - - name: event_log - type: keyword - description: This key captures the Name of the event log - - name: OS - type: keyword - description: This key captures the Name of the Operating System - - name: terminal - type: keyword - description: This key captures the Terminal Names only - - name: msgIdPart3 - type: keyword - - name: filter - type: keyword - description: This key captures Filter used to reduce result set - - name: serial_number - type: keyword - description: This key is the Serial number associated with a physical asset. - - name: checksum - type: keyword - description: This key is used to capture the checksum or hash of the entity such as a file or process. 
Checksum should be used over checksum.src or checksum.dst when it is unclear whether the entity is a source or target of an action. - - name: event_user - type: keyword - description: This key is a windows only concept, where this key is used to capture combination of domain name and username in a windows log. - - name: virusname - type: keyword - description: This key captures the name of the virus - - name: content_type - type: keyword - description: This key is used to capture Content Type only. - - name: group_id - type: keyword - description: This key captures Group ID Number (related to the group name) - - name: policy_id - type: keyword - description: This key is used to capture the Policy ID only, this should be a numeric value, use policy.name otherwise - - name: vsys - type: keyword - description: This key captures Virtual System Name - - name: connection_id - type: keyword - description: This key captures the Connection ID - - name: reference_id2 - type: keyword - description: This key is for the 2nd Linked ID. Can be either linked to "reference.id" or "reference.id1" value but should not be used unless the other two variables are in play. - - name: sensor - type: keyword - description: This key captures Name of the sensor. Typically used in IDS/IPS based devices - - name: sig_id - type: long - description: This key captures IDS/IPS Int Signature ID - - name: port_name - type: keyword - description: 'This key is used for Physical or logical port connection but does NOT include a network port. (Example: Printer port name).' - - name: rule_group - type: keyword - description: This key captures the Rule group name - - name: risk_num - type: double - description: This key captures a Numeric Risk value - - name: trigger_val - type: keyword - description: This key captures the Value of the trigger or threshold condition. 
- - name: log_session_id1 - type: keyword - description: This key is used to capture a Linked (Related) Session ID from the session directly - - name: comp_version - type: keyword - description: This key captures the Version level of a sub-component of a product. - - name: content_version - type: keyword - description: This key captures Version level of a signature or database content. - - name: hardware_id - type: keyword - description: This key is used to capture unique identifier for a device or system (NOT a Mac address) - - name: risk - type: keyword - description: This key captures the non-numeric risk value - - name: event_id - type: keyword - - name: reason - type: keyword - - name: status - type: keyword - - name: mail_id - type: keyword - description: This key is used to capture the mailbox id/name - - name: rule_uid - type: keyword - description: This key is the Unique Identifier for a rule. - - name: trigger_desc - type: keyword - description: This key captures the Description of the trigger or threshold condition. - - name: inout - type: keyword - - name: p_msgid - type: keyword - - name: data_type - type: keyword - - name: msgIdPart4 - type: keyword - - name: error - type: keyword - description: This key captures All non successful Error codes or responses - - name: index - type: keyword - - name: listnum - type: keyword - description: This key is used to capture listname or listnumber, primarily for collecting access-list - - name: ntype - type: keyword - - name: observed_val - type: keyword - description: This key captures the Value observed (from the perspective of the device generating the log). - - name: policy_value - type: keyword - description: This key captures the contents of the policy. 
This contains details about the policy - - name: pool_name - type: keyword - description: This key captures the name of a resource pool - - name: rule_template - type: keyword - description: A default set of parameters which are overlayed onto a rule (or rulename) which efffectively constitutes a template - - name: count - type: keyword - - name: number - type: keyword - - name: sigcat - type: keyword - - name: type - type: keyword - - name: comments - type: keyword - description: Comment information provided in the log message - - name: doc_number - type: long - description: This key captures File Identification number - - name: expected_val - type: keyword - description: This key captures the Value expected (from the perspective of the device generating the log). - - name: job_num - type: keyword - description: This key captures the Job Number - - name: spi_dst - type: keyword - description: Destination SPI Index - - name: spi_src - type: keyword - description: Source SPI Index - - name: code - type: keyword - - name: agent_id - type: keyword - description: This key is used to capture agent id - - name: message_body - type: keyword - description: This key captures the The contents of the message body. - - name: phone - type: keyword - - name: sig_id_str - type: keyword - description: This key captures a string object of the sigid variable. - - name: cmd - type: keyword - - name: misc - type: keyword - - name: name - type: keyword - - name: cpu - type: long - description: This key is the CPU time used in the execution of the event being recorded. - - name: event_desc - type: keyword - description: This key is used to capture a description of an event available directly or inferred - - name: sig_id1 - type: long - description: This key captures IDS/IPS Int Signature ID. 
This must be linked to the sig.id - - name: im_buddyid - type: keyword - - name: im_client - type: keyword - - name: im_userid - type: keyword - - name: pid - type: keyword - - name: priority - type: keyword - - name: context_subject - type: keyword - description: This key is to be used in an audit context where the subject is the object being identified - - name: context_target - type: keyword - - name: cve - type: keyword - description: This key captures CVE (Common Vulnerabilities and Exposures) - an identifier for known information security vulnerabilities. - - name: fcatnum - type: keyword - description: This key captures Filter Category Number. Legacy Usage - - name: library - type: keyword - description: This key is used to capture library information in mainframe devices - - name: parent_node - type: keyword - description: This key captures the Parent Node Name. Must be related to node variable. - - name: risk_info - type: keyword - description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - - name: tcp_flags - type: long - description: This key is captures the TCP flags set in any packet of session - - name: tos - type: long - description: This key describes the type of service - - name: vm_target - type: keyword - description: VMWare Target **VMWARE** only varaible. 
- - name: workspace - type: keyword - description: This key captures Workspace Description - - name: command - type: keyword - - name: event_category - type: keyword - - name: facilityname - type: keyword - - name: forensic_info - type: keyword - - name: jobname - type: keyword - - name: mode - type: keyword - - name: policy - type: keyword - - name: policy_waiver - type: keyword - - name: second - type: keyword - - name: space1 - type: keyword - - name: subcategory - type: keyword - - name: tbdstr2 - type: keyword - - name: alert_id - type: keyword - description: Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - - name: checksum_dst - type: keyword - description: This key is used to capture the checksum or hash of the the target entity such as a process or file. - - name: checksum_src - type: keyword - description: This key is used to capture the checksum or hash of the source entity such as a file or process. - - name: fresult - type: long - description: This key captures the Filter Result - - name: payload_dst - type: keyword - description: This key is used to capture destination payload - - name: payload_src - type: keyword - description: This key is used to capture source payload - - name: pool_id - type: keyword - description: This key captures the identifier (typically numeric field) of a resource pool - - name: process_id_val - type: keyword - description: This key is a failure key for Process ID when it is not an integer value - - name: risk_num_comm - type: double - description: This key captures Risk Number Community - - name: risk_num_next - type: double - description: This key captures Risk Number NextGen - - name: risk_num_sand - type: double - description: This key captures Risk Number SandBox - - name: risk_num_static - type: double - description: This key captures Risk Number Static - - name: risk_suspicious - type: keyword - description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - - name: risk_warning - 
type: keyword - description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - - name: snmp_oid - type: keyword - description: SNMP Object Identifier - - name: sql - type: keyword - description: This key captures the SQL query - - name: vuln_ref - type: keyword - description: This key captures the Vulnerability Reference details - - name: acl_id - type: keyword - - name: acl_op - type: keyword - - name: acl_pos - type: keyword - - name: acl_table - type: keyword - - name: admin - type: keyword - - name: alarm_id - type: keyword - - name: alarmname - type: keyword - - name: app_id - type: keyword - - name: audit - type: keyword - - name: audit_object - type: keyword - - name: auditdata - type: keyword - - name: benchmark - type: keyword - - name: bypass - type: keyword - - name: cache - type: keyword - - name: cache_hit - type: keyword - - name: cefversion - type: keyword - - name: cfg_attr - type: keyword - - name: cfg_obj - type: keyword - - name: cfg_path - type: keyword - - name: changes - type: keyword - - name: client_ip - type: keyword - - name: clustermembers - type: keyword - - name: cn_acttimeout - type: keyword - - name: cn_asn_src - type: keyword - - name: cn_bgpv4nxthop - type: keyword - - name: cn_ctr_dst_code - type: keyword - - name: cn_dst_tos - type: keyword - - name: cn_dst_vlan - type: keyword - - name: cn_engine_id - type: keyword - - name: cn_engine_type - type: keyword - - name: cn_f_switch - type: keyword - - name: cn_flowsampid - type: keyword - - name: cn_flowsampintv - type: keyword - - name: cn_flowsampmode - type: keyword - - name: cn_inacttimeout - type: keyword - - name: cn_inpermbyts - type: keyword - - name: cn_inpermpckts - type: keyword - - name: cn_invalid - type: keyword - - name: cn_ip_proto_ver - type: keyword - - name: cn_ipv4_ident - type: keyword - - name: cn_l_switch - type: keyword - - name: cn_log_did - type: keyword - - name: cn_log_rid - type: keyword - - name: cn_max_ttl - type: keyword - - name: 
cn_maxpcktlen - type: keyword - - name: cn_min_ttl - type: keyword - - name: cn_minpcktlen - type: keyword - - name: cn_mpls_lbl_1 - type: keyword - - name: cn_mpls_lbl_10 - type: keyword - - name: cn_mpls_lbl_2 - type: keyword - - name: cn_mpls_lbl_3 - type: keyword - - name: cn_mpls_lbl_4 - type: keyword - - name: cn_mpls_lbl_5 - type: keyword - - name: cn_mpls_lbl_6 - type: keyword - - name: cn_mpls_lbl_7 - type: keyword - - name: cn_mpls_lbl_8 - type: keyword - - name: cn_mpls_lbl_9 - type: keyword - - name: cn_mplstoplabel - type: keyword - - name: cn_mplstoplabip - type: keyword - - name: cn_mul_dst_byt - type: keyword - - name: cn_mul_dst_pks - type: keyword - - name: cn_muligmptype - type: keyword - - name: cn_sampalgo - type: keyword - - name: cn_sampint - type: keyword - - name: cn_seqctr - type: keyword - - name: cn_spackets - type: keyword - - name: cn_src_tos - type: keyword - - name: cn_src_vlan - type: keyword - - name: cn_sysuptime - type: keyword - - name: cn_template_id - type: keyword - - name: cn_totbytsexp - type: keyword - - name: cn_totflowexp - type: keyword - - name: cn_totpcktsexp - type: keyword - - name: cn_unixnanosecs - type: keyword - - name: cn_v6flowlabel - type: keyword - - name: cn_v6optheaders - type: keyword - - name: comp_class - type: keyword - - name: comp_name - type: keyword - - name: comp_rbytes - type: keyword - - name: comp_sbytes - type: keyword - - name: cpu_data - type: keyword - - name: criticality - type: keyword - - name: cs_agency_dst - type: keyword - - name: cs_analyzedby - type: keyword - - name: cs_av_other - type: keyword - - name: cs_av_primary - type: keyword - - name: cs_av_secondary - type: keyword - - name: cs_bgpv6nxthop - type: keyword - - name: cs_bit9status - type: keyword - - name: cs_context - type: keyword - - name: cs_control - type: keyword - - name: cs_data - type: keyword - - name: cs_datecret - type: keyword - - name: cs_dst_tld - type: keyword - - name: cs_eth_dst_ven - type: keyword - - 
name: cs_eth_src_ven - type: keyword - - name: cs_event_uuid - type: keyword - - name: cs_filetype - type: keyword - - name: cs_fld - type: keyword - - name: cs_if_desc - type: keyword - - name: cs_if_name - type: keyword - - name: cs_ip_next_hop - type: keyword - - name: cs_ipv4dstpre - type: keyword - - name: cs_ipv4srcpre - type: keyword - - name: cs_lifetime - type: keyword - - name: cs_log_medium - type: keyword - - name: cs_loginname - type: keyword - - name: cs_modulescore - type: keyword - - name: cs_modulesign - type: keyword - - name: cs_opswatresult - type: keyword - - name: cs_payload - type: keyword - - name: cs_registrant - type: keyword - - name: cs_registrar - type: keyword - - name: cs_represult - type: keyword - - name: cs_rpayload - type: keyword - - name: cs_sampler_name - type: keyword - - name: cs_sourcemodule - type: keyword - - name: cs_streams - type: keyword - - name: cs_targetmodule - type: keyword - - name: cs_v6nxthop - type: keyword - - name: cs_whois_server - type: keyword - - name: cs_yararesult - type: keyword - - name: description - type: keyword - - name: devvendor - type: keyword - - name: distance - type: keyword - - name: dstburb - type: keyword - - name: edomain - type: keyword - - name: edomaub - type: keyword - - name: euid - type: keyword - - name: facility - type: keyword - - name: finterface - type: keyword - - name: flags - type: keyword - - name: gaddr - type: keyword - - name: id3 - type: keyword - - name: im_buddyname - type: keyword - - name: im_croomid - type: keyword - - name: im_croomtype - type: keyword - - name: im_members - type: keyword - - name: im_username - type: keyword - - name: ipkt - type: keyword - - name: ipscat - type: keyword - - name: ipspri - type: keyword - - name: latitude - type: keyword - - name: linenum - type: keyword - - name: list_name - type: keyword - - name: load_data - type: keyword - - name: location_floor - type: keyword - - name: location_mark - type: keyword - - name: log_id - 
type: keyword - - name: log_type - type: keyword - - name: logid - type: keyword - - name: logip - type: keyword - - name: logname - type: keyword - - name: longitude - type: keyword - - name: lport - type: keyword - - name: mbug_data - type: keyword - - name: misc_name - type: keyword - - name: msg_type - type: keyword - - name: msgid - type: keyword - - name: netsessid - type: keyword - - name: num - type: keyword - - name: number1 - type: keyword - - name: number2 - type: keyword - - name: nwwn - type: keyword - - name: object - type: keyword - - name: operation - type: keyword - - name: opkt - type: keyword - - name: orig_from - type: keyword - - name: owner_id - type: keyword - - name: p_action - type: keyword - - name: p_filter - type: keyword - - name: p_group_object - type: keyword - - name: p_id - type: keyword - - name: p_msgid1 - type: keyword - - name: p_msgid2 - type: keyword - - name: p_result1 - type: keyword - - name: password_chg - type: keyword - - name: password_expire - type: keyword - - name: permgranted - type: keyword - - name: permwanted - type: keyword - - name: pgid - type: keyword - - name: policyUUID - type: keyword - - name: prog_asp_num - type: keyword - - name: program - type: keyword - - name: real_data - type: keyword - - name: rec_asp_device - type: keyword - - name: rec_asp_num - type: keyword - - name: rec_library - type: keyword - - name: recordnum - type: keyword - - name: ruid - type: keyword - - name: sburb - type: keyword - - name: sdomain_fld - type: keyword - - name: sec - type: keyword - - name: sensorname - type: keyword - - name: seqnum - type: keyword - - name: session - type: keyword - - name: sessiontype - type: keyword - - name: sigUUID - type: keyword - - name: spi - type: keyword - - name: srcburb - type: keyword - - name: srcdom - type: keyword - - name: srcservice - type: keyword - - name: state - type: keyword - - name: status1 - type: keyword - - name: svcno - type: keyword - - name: system - type: keyword - - 
name: tbdstr1 - type: keyword - - name: tgtdom - type: keyword - - name: tgtdomain - type: keyword - - name: threshold - type: keyword - - name: type1 - type: keyword - - name: udb_class - type: keyword - - name: url_fld - type: keyword - - name: user_div - type: keyword - - name: userid - type: keyword - - name: username_fld - type: keyword - - name: utcstamp - type: keyword - - name: v_instafname - type: keyword - - name: virt_data - type: keyword - - name: vpnid - type: keyword - - name: autorun_type - type: keyword - description: This is used to capture Auto Run type - - name: cc_number - type: long - description: Valid Credit Card Numbers only - - name: content - type: keyword - description: This key captures the content type from protocol headers - - name: ein_number - type: long - description: Employee Identification Numbers only - - name: found - type: keyword - description: This is used to capture the results of regex match - - name: language - type: keyword - description: This is used to capture list of languages the client support and what it prefers - - name: lifetime - type: long - description: This key is used to capture the session lifetime in seconds. - - name: link - type: keyword - description: This key is used to link the sessions together. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: match - type: keyword - description: This key is for regex match name from search.ini - - name: param_dst - type: keyword - description: This key captures the command line/launch argument of the target process or file - - name: param_src - type: keyword - description: This key captures source parameter - - name: search_text - type: keyword - description: This key captures the Search Text used - - name: sig_name - type: keyword - description: This key is used to capture the Signature Name only. 
- - name: snmp_value - type: keyword - description: SNMP set request value - - name: streams - type: long - description: This key captures number of streams in session - - name: db - type: group - fields: - - name: index - type: keyword - description: This key captures IndexID of the index. - - name: instance - type: keyword - description: This key is used to capture the database server instance name - - name: database - type: keyword - description: This key is used to capture the name of a database or an instance as seen in a session - - name: transact_id - type: keyword - description: This key captures the SQL transantion ID of the current session - - name: permissions - type: keyword - description: This key captures permission or privilege level assigned to a resource. - - name: table_name - type: keyword - description: This key is used to capture the table name - - name: db_id - type: keyword - description: This key is used to capture the unique identifier for a database - - name: db_pid - type: long - description: This key captures the process id of a connection with database server - - name: lread - type: long - description: This key is used for the number of logical reads - - name: lwrite - type: long - description: This key is used for the number of logical writes - - name: pread - type: long - description: This key is used for the number of physical writes - - name: network - type: group - fields: - - name: alias_host - type: keyword - description: This key should be used when the source or destination context of a hostname is not clear.Also it captures the Device Hostname. Any Hostname that isnt ad.computer. 
- - name: domain - type: keyword - - name: host_dst - type: keyword - description: "This key should only be used when it’s a Destination Hostname" - - name: network_service - type: keyword - description: This is used to capture layer 7 protocols/service names - - name: interface - type: keyword - description: This key should be used when the source or destination context of an interface is not clear - - name: network_port - type: long - description: 'Deprecated, use port. NOTE: There is a type discrepancy as currently used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!)' - - name: eth_host - type: keyword - description: Deprecated, use alias.mac - - name: sinterface - type: keyword - description: "This key should only be used when it’s a Source Interface" - - name: dinterface - type: keyword - description: "This key should only be used when it’s a Destination Interface" - - name: vlan - type: long - description: This key should only be used to capture the ID of the Virtual LAN - - name: zone_src - type: keyword - description: "This key should only be used when it’s a Source Zone." - - name: zone - type: keyword - description: This key should be used when the source or destination context of a Zone is not clear - - name: zone_dst - type: keyword - description: "This key should only be used when it’s a Destination Zone." - - name: gateway - type: keyword - description: This key is used to capture the IP Address of the gateway - - name: icmp_type - type: long - description: This key is used to capture the ICMP type only - - name: mask - type: keyword - description: This key is used to capture the device network IPmask. 
- - name: icmp_code - type: long - description: This key is used to capture the ICMP code only - - name: protocol_detail - type: keyword - description: This key should be used to capture additional protocol information - - name: dmask - type: keyword - description: This key is used for Destionation Device network mask - - name: port - type: long - description: This key should only be used to capture a Network Port when the directionality is not clear - - name: smask - type: keyword - description: This key is used for capturing source Network Mask - - name: netname - type: keyword - description: This key is used to capture the network name associated with an IP range. This is configured by the end user. - - name: paddr - type: ip - description: Deprecated - - name: faddr - type: keyword - - name: lhost - type: keyword - - name: origin - type: keyword - - name: remote_domain_id - type: keyword - - name: addr - type: keyword - - name: dns_a_record - type: keyword - - name: dns_ptr_record - type: keyword - - name: fhost - type: keyword - - name: fport - type: keyword - - name: laddr - type: keyword - - name: linterface - type: keyword - - name: phost - type: keyword - - name: ad_computer_dst - type: keyword - description: Deprecated, use host.dst - - name: eth_type - type: long - description: This key is used to capture Ethernet Type, Used for Layer 3 Protocols Only - - name: ip_proto - type: long - description: This key should be used to capture the Protocol number, all the protocol nubers are converted into string in UI - - name: dns_cname_record - type: keyword - - name: dns_id - type: keyword - - name: dns_opcode - type: keyword - - name: dns_resp - type: keyword - - name: dns_type - type: keyword - - name: domain1 - type: keyword - - name: host_type - type: keyword - - name: packet_length - type: keyword - - name: host_orig - type: keyword - description: This is used to capture the original hostname in case of a Forwarding Agent or a Proxy in between. 
- - name: rpayload - type: keyword - description: This key is used to capture the total number of payload bytes seen in the retransmitted packets. - - name: vlan_name - type: keyword - description: This key should only be used to capture the name of the Virtual LAN - - name: investigations - type: group - fields: - - name: ec_activity - type: keyword - description: This key captures the particular event activity(Ex:Logoff) - - name: ec_theme - type: keyword - description: This key captures the Theme of a particular Event(Ex:Authentication) - - name: ec_subject - type: keyword - description: This key captures the Subject of a particular Event(Ex:User) - - name: ec_outcome - type: keyword - description: This key captures the outcome of a particular Event(Ex:Success) - - name: event_cat - type: long - description: This key captures the Event category number - - name: event_cat_name - type: keyword - description: This key captures the event category name corresponding to the event cat code - - name: event_vcat - type: keyword - description: This is a vendor supplied category. This should be used in situations where the vendor has adopted their own event_category taxonomy. - - name: analysis_file - type: keyword - description: This is used to capture all indicators used in a File Analysis. This key should be used to capture an analysis of a file - - name: analysis_service - type: keyword - description: This is used to capture all indicators used in a Service Analysis. This key should be used to capture an analysis of a service - - name: analysis_session - type: keyword - description: This is used to capture all indicators used for a Session Analysis. 
This key should be used to capture an analysis of a session - - name: boc - type: keyword - description: This is used to capture behaviour of compromise - - name: eoc - type: keyword - description: This is used to capture Enablers of Compromise - - name: inv_category - type: keyword - description: This used to capture investigation category - - name: inv_context - type: keyword - description: This used to capture investigation context - - name: ioc - type: keyword - description: This is key capture indicator of compromise - - name: counters - type: group - fields: - - name: dclass_c1 - type: long - description: This is a generic counter key that should be used with the label dclass.c1.str only - - name: dclass_c2 - type: long - description: This is a generic counter key that should be used with the label dclass.c2.str only - - name: event_counter - type: long - description: This is used to capture the number of times an event repeated - - name: dclass_r1 - type: keyword - description: This is a generic ratio key that should be used with the label dclass.r1.str only - - name: dclass_c3 - type: long - description: This is a generic counter key that should be used with the label dclass.c3.str only - - name: dclass_c1_str - type: keyword - description: This is a generic counter string key that should be used with the label dclass.c1 only - - name: dclass_c2_str - type: keyword - description: This is a generic counter string key that should be used with the label dclass.c2 only - - name: dclass_r1_str - type: keyword - description: This is a generic ratio string key that should be used with the label dclass.r1 only - - name: dclass_r2 - type: keyword - description: This is a generic ratio key that should be used with the label dclass.r2.str only - - name: dclass_c3_str - type: keyword - description: This is a generic counter string key that should be used with the label dclass.c3 only - - name: dclass_r3 - type: keyword - description: This is a generic ratio key that 
should be used with the label dclass.r3.str only - - name: dclass_r2_str - type: keyword - description: This is a generic ratio string key that should be used with the label dclass.r2 only - - name: dclass_r3_str - type: keyword - description: This is a generic ratio string key that should be used with the label dclass.r3 only - - name: identity - type: group - fields: - - name: auth_method - type: keyword - description: This key is used to capture authentication methods used only - - name: user_role - type: keyword - description: This key is used to capture the Role of a user only - - name: dn - type: keyword - description: X.500 (LDAP) Distinguished Name - - name: logon_type - type: keyword - description: This key is used to capture the type of logon method used. - - name: profile - type: keyword - description: This key is used to capture the user profile - - name: accesses - type: keyword - description: This key is used to capture actual privileges used in accessing an object - - name: realm - type: keyword - description: Radius realm or similar grouping of accounts - - name: user_sid_dst - type: keyword - description: This key captures Destination User Session ID - - name: dn_src - type: keyword - description: An X.500 (LDAP) Distinguished name that is used in a context that indicates a Source dn - - name: org - type: keyword - description: This key captures the User organization - - name: dn_dst - type: keyword - description: An X.500 (LDAP) Distinguished name that used in a context that indicates a Destination dn - - name: firstname - type: keyword - description: This key is for First Names only, this is used for Healthcare predominantly to capture Patients information - - name: lastname - type: keyword - description: This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information - - name: user_dept - type: keyword - description: User's Department Names only - - name: user_sid_src - type: keyword - description: This 
key captures Source User Session ID - - name: federated_sp - type: keyword - description: This key is the Federated Service Provider. This is the application requesting authentication. - - name: federated_idp - type: keyword - description: This key is the federated Identity Provider. This is the server providing the authentication. - - name: logon_type_desc - type: keyword - description: This key is used to capture the textual description of an integer logon type as stored in the meta key 'logon.type'. - - name: middlename - type: keyword - description: This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information - - name: password - type: keyword - description: This key is for Passwords seen in any session, plain text or encrypted - - name: host_role - type: keyword - description: This key should only be used to capture the role of a Host Machine - - name: ldap - type: keyword - description: "This key is for Uninterpreted LDAP values. Ldap Values that don’t have a clear query or response context" - - name: ldap_query - type: keyword - description: This key is the Search criteria from an LDAP search - - name: ldap_response - type: keyword - description: This key is to capture Results from an LDAP search - - name: owner - type: keyword - description: This is used to capture username the process or service is running as, the author of the task - - name: service_account - type: keyword - description: This key is a windows specific key, used for capturing name of the account a service (referenced in the event) is running under. 
Legacy Usage - - name: email - type: group - fields: - - name: email_dst - type: keyword - description: This key is used to capture the Destination email address only, when the destination context is not clear use email - - name: email_src - type: keyword - description: This key is used to capture the source email address only, when the source context is not clear use email - - name: subject - type: keyword - description: This key is used to capture the subject string from an Email only. - - name: email - type: keyword - description: This key is used to capture a generic email address where the source or destination context is not clear - - name: trans_from - type: keyword - description: Deprecated key defined only in table map. - - name: trans_to - type: keyword - description: Deprecated key defined only in table map. - - name: file - type: group - fields: - - name: privilege - type: keyword - description: Deprecated, use permissions - - name: attachment - type: keyword - description: This key captures the attachment file name - - name: filesystem - type: keyword - - name: binary - type: keyword - description: Deprecated key defined only in table map. 
- - name: filename_dst - type: keyword - description: This is used to capture name of the file targeted by the action - - name: filename_src - type: keyword - description: This is used to capture name of the parent filename, the file which performed the action - - name: filename_tmp - type: keyword - - name: directory_dst - type: keyword - description: This key is used to capture the directory of the target process or file - - name: directory_src - type: keyword - description: This key is used to capture the directory of the source process or file - - name: file_entropy - type: double - description: This is used to capture entropy vale of a file - - name: file_vendor - type: keyword - description: This is used to capture Company name of file located in version_info - - name: task_name - type: keyword - description: This is used to capture name of the task - - name: web - type: group - fields: - - name: fqdn - type: keyword - description: Fully Qualified Domain Names - - name: web_cookie - type: keyword - description: This key is used to capture the Web cookies specifically. - - name: alias_host - type: keyword - - name: reputation_num - type: double - description: Reputation Number of an entity. 
Typically used for Web Domains - - name: web_ref_domain - type: keyword - description: Web referer's domain - - name: web_ref_query - type: keyword - description: This key captures Web referer's query portion of the URL - - name: remote_domain - type: keyword - - name: web_ref_page - type: keyword - description: This key captures Web referer's page information - - name: web_ref_root - type: keyword - description: Web referer's root URL path - - name: cn_asn_dst - type: keyword - - name: cn_rpackets - type: keyword - - name: urlpage - type: keyword - - name: urlroot - type: keyword - - name: p_url - type: keyword - - name: p_user_agent - type: keyword - - name: p_web_cookie - type: keyword - - name: p_web_method - type: keyword - - name: p_web_referer - type: keyword - - name: web_extension_tmp - type: keyword - - name: web_page - type: keyword - - name: threat - type: group - fields: - - name: threat_category - type: keyword - description: This key captures Threat Name/Threat Category/Categorization of alert - - name: threat_desc - type: keyword - description: This key is used to capture the threat description from the session directly or inferred - - name: alert - type: keyword - description: This key is used to capture name of the alert - - name: threat_source - type: keyword - description: This key is used to capture source of the threat - - name: crypto - type: group - fields: - - name: crypto - type: keyword - description: This key is used to capture the Encryption Type or Encryption Key only - - name: cipher_src - type: keyword - description: This key is for Source (Client) Cipher - - name: cert_subject - type: keyword - description: This key is used to capture the Certificate organization only - - name: peer - type: keyword - description: This key is for Encryption peer's IP Address - - name: cipher_size_src - type: long - description: This key captures Source (Client) Cipher Size - - name: ike - type: keyword - description: IKE negotiation phase. 
- - name: scheme - type: keyword - description: This key captures the Encryption scheme used - - name: peer_id - type: keyword - description: "This key is for Encryption peer’s identity" - - name: sig_type - type: keyword - description: This key captures the Signature Type - - name: cert_issuer - type: keyword - - name: cert_host_name - type: keyword - description: Deprecated key defined only in table map. - - name: cert_error - type: keyword - description: This key captures the Certificate Error String - - name: cipher_dst - type: keyword - description: This key is for Destination (Server) Cipher - - name: cipher_size_dst - type: long - description: This key captures Destination (Server) Cipher Size - - name: ssl_ver_src - type: keyword - description: Deprecated, use version - - name: d_certauth - type: keyword - - name: s_certauth - type: keyword - - name: ike_cookie1 - type: keyword - description: "ID of the negotiation — sent for ISAKMP Phase One" - - name: ike_cookie2 - type: keyword - description: "ID of the negotiation — sent for ISAKMP Phase Two" - - name: cert_checksum - type: keyword - - name: cert_host_cat - type: keyword - description: This key is used for the hostname category value of a certificate - - name: cert_serial - type: keyword - description: This key is used to capture the Certificate serial number only - - name: cert_status - type: keyword - description: This key captures Certificate validation status - - name: ssl_ver_dst - type: keyword - description: Deprecated, use version - - name: cert_keysize - type: keyword - - name: cert_username - type: keyword - - name: https_insact - type: keyword - - name: https_valid - type: keyword - - name: cert_ca - type: keyword - description: This key is used to capture the Certificate signing authority only - - name: cert_common - type: keyword - description: This key is used to capture the Certificate common name only - - name: wireless - type: group - fields: - - name: wlan_ssid - type: keyword - 
description: This key is used to capture the ssid of a Wireless Session - - name: access_point - type: keyword - description: This key is used to capture the access point name. - - name: wlan_channel - type: long - description: This is used to capture the channel names - - name: wlan_name - type: keyword - description: This key captures either WLAN number/name - - name: storage - type: group - fields: - - name: disk_volume - type: keyword - description: A unique name assigned to logical units (volumes) within a physical disk - - name: lun - type: keyword - description: Logical Unit Number.This key is a very useful concept in Storage. - - name: pwwn - type: keyword - description: This uniquely identifies a port on a HBA. - - name: physical - type: group - fields: - - name: org_dst - type: keyword - description: This is used to capture the destination organization based on the GEOPIP Maxmind database. - - name: org_src - type: keyword - description: This is used to capture the source organization based on the GEOPIP Maxmind database. 
- - name: healthcare
- type: group
- fields:
- - name: patient_fname
- type: keyword
- description: This key is for First Names only, this is used for Healthcare predominantly to capture Patients information
- - name: patient_id
- type: keyword
- description: This key captures the unique ID for a patient
- - name: patient_lname
- type: keyword
- description: This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information
- - name: patient_mname
- type: keyword
- description: This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information
- - name: endpoint
- type: group
- fields:
- - name: host_state
- type: keyword
- description: This key is used to capture the current state of the machine, such as blacklisted, infected, firewall disabled and so on
- - name: registry_key
- type: keyword
- description: This key captures the path to the registry key
- - name: registry_value
- type: keyword
- description: This key captures values or decorators used within a registry entry
-- name: dns.question.domain
- type: keyword
- ignore_above: 1024
- description: Server domain.
-- name: network.interface.name
- type: keyword
diff --git a/packages/juniper_junos/0.4.2/data_stream/log/manifest.yml b/packages/juniper_junos/0.4.2/data_stream/log/manifest.yml
deleted file mode 100755
index 43a7a807a9..0000000000
--- a/packages/juniper_junos/0.4.2/data_stream/log/manifest.yml
+++ /dev/null
@@ -1,204 +0,0 @@
-title: Juniper JUNOS logs
-release: experimental
-type: logs
-streams:
- - input: udp
- title: Juniper JUNOS logs
- description: Collect Juniper JUNOS logs
- template_path: udp.yml.hbs
- vars:
- - name: tags
- type: text
- title: Tags
- multi: true
- required: true
- show_user: false
- default:
- - juniper-junos
- - forwarded
- - name: udp_host
- type: text
- title: UDP host to listen on
- multi: false
- required: true
- show_user: true
- default: localhost
- - name: udp_port
- type: integer
- title: UDP port to listen on
- multi: false
- required: true
- show_user: true
- default: 9512
- - name: tz_offset
- type: text
- title: Timezone offset (+HH:mm format)
- required: false
- show_user: true
- default: "local"
- - name: rsa_fields
- type: bool
- title: Add non-ECS fields
- required: false
- show_user: true
- default: true
- - name: keep_raw_fields
- type: bool
- title: Keep raw parser fields
- required: false
- show_user: false
- default: false
- - name: debug
- type: bool
- title: Enable debug logging
- required: false
- show_user: false
- default: false
- - name: preserve_original_event
- required: true
- show_user: true
- title: Preserve original event
- description: Preserves a raw copy of the original event, added to the field `event.original`
- type: bool
- multi: false
- default: false
- - name: processors
- type: yaml
- title: Processors
- multi: false
- required: false
- show_user: false
- description: >
- Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
-
- - input: tcp
- title: Juniper JUNOS logs
- description: Collect Juniper JUNOS logs
- template_path: tcp.yml.hbs
- vars:
- - name: tags
- type: text
- title: Tags
- multi: true
- required: true
- show_user: false
- default:
- - juniper-junos
- - forwarded
- - name: tcp_host
- type: text
- title: TCP host to listen on
- multi: false
- required: true
- show_user: true
- default: localhost
- - name: tcp_port
- type: integer
- title: TCP port to listen on
- multi: false
- required: true
- show_user: true
- default: 9512
- - name: tz_offset
- type: text
- title: Timezone offset (+HH:mm format)
- required: false
- show_user: true
- default: "local"
- - name: rsa_fields
- type: bool
- title: Add non-ECS fields
- required: false
- show_user: true
- default: true
- - name: keep_raw_fields
- type: bool
- title: Keep raw parser fields
- required: false
- show_user: false
- default: false
- - name: debug
- type: bool
- title: Enable debug logging
- required: false
- show_user: false
- default: false
- - name: preserve_original_event
- required: true
- show_user: true
- title: Preserve original event
- description: Preserves a raw copy of the original event, added to the field `event.original`
- type: bool
- multi: false
- default: false
- - name: processors
- type: yaml
- title: Processors
- multi: false
- required: false
- show_user: false
- description: >
- Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
-
- - input: filestream
- enabled: false
- title: Juniper JUNOS logs
- description: Collect Juniper JUNOS logs from file
- vars:
- - name: paths
- type: text
- title: Paths
- multi: true
- required: true
- show_user: true
- default:
- - /var/log/juniper-junos.log
- - name: tags
- type: text
- title: Tags
- multi: true
- required: true
- show_user: false
- default:
- - juniper-junos
- - forwarded
- - name: tz_offset
- type: text
- title: Timezone offset (+HH:mm format)
- required: false
- show_user: true
- default: "local"
- - name: rsa_fields
- type: bool
- title: Add non-ECS fields
- required: false
- show_user: true
- default: true
- - name: keep_raw_fields
- type: bool
- title: Keep raw parser fields
- required: false
- show_user: false
- default: false
- - name: debug
- type: bool
- title: Enable debug logging
- required: false
- show_user: false
- default: false
- - name: preserve_original_event
- required: true
- show_user: true
- title: Preserve original event
- description: Preserves a raw copy of the original event, added to the field `event.original`
- type: bool
- multi: false
- default: false
- - name: processors
- type: yaml
- title: Processors
- multi: false
- required: false
- show_user: false
- description: >-
- Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
diff --git a/packages/juniper_junos/0.4.2/data_stream/log/sample_event.json b/packages/juniper_junos/0.4.2/data_stream/log/sample_event.json
deleted file mode 100755
index e37da3517d..0000000000
--- a/packages/juniper_junos/0.4.2/data_stream/log/sample_event.json
+++ /dev/null
@@ -1,73 +0,0 @@
-{
- "@timestamp": "2021-01-29T06:09:59.000Z",
- "agent": {
- "ephemeral_id": "6a56393e-9900-4580-9cd7-a2468e6398de",
- "id": "4e3f135a-d5f9-40b6-ae01-2c834ecbead0",
- "name": "docker-fleet-agent",
- "type": "filebeat",
- "version": "8.0.0"
- },
- "data_stream": {
- "dataset": "juniper_junos.log",
- "namespace": "ep",
- "type": "logs"
- },
- "ecs": {
- "version": "8.3.0"
- },
- "elastic_agent": {
- "id": "4e3f135a-d5f9-40b6-ae01-2c834ecbead0",
- "snapshot": true,
- "version": "8.0.0"
- },
- "event": {
- "action": "RPD_SCHED_TASK_LONGRUNTIME",
- "agent_id_status": "verified",
- "code": "RPD_SCHED_TASK_LONGRUNTIME",
- "dataset": "juniper_junos.log",
- "ingested": "2022-01-25T12:44:44Z",
- "timezone": "+00:00"
- },
- "input": {
- "type": "udp"
- },
- "log": {
- "source": {
- "address": "172.30.0.4:36281"
- }
- },
- "message": "task extended runtime",
- "observer": {
- "product": "Junos",
- "type": "Routers",
- "vendor": "Juniper"
- },
- "process": {
- "name": "ceroinBC.exe",
- "pid": 6713
- },
- "rsa": {
- "counters": {
- "dclass_c1": 7309,
- "dclass_c2": 5049
- },
- "internal": {
- "event_desc": "task extended runtime",
- "messageid": "RPD_SCHED_TASK_LONGRUNTIME"
- },
- "misc": {
- "client": ": exe",
- "event_type": "RPD_SCHED_TASK_LONGRUNTIME",
- "pid": "6713"
- },
- "time": {
- "day": "29",
- "event_time": "2021-01-29T06:09:59.000Z",
- "month": "Jan"
- }
- },
- "tags": [
- "juniper-junos",
- "forwarded"
- ]
-}
\ No newline at end of file
diff --git a/packages/juniper_junos/0.4.2/docs/README.md b/packages/juniper_junos/0.4.2/docs/README.md
deleted file mode 100755
index 35e66eba67..0000000000
--- a/packages/juniper_junos/0.4.2/docs/README.md
+++ /dev/null
@@ -1,925 +0,0 @@ -# Juniper JunOS integration - -This is an integration for ingesting logs from [Juniper JunOS](https://www.juniper.net/documentation/product/us/en/junos-os). For more information on sending syslog messages from JunOS to a remote destination such as a file / syslog host, see: [Directing System Log Messages to a Remote Machine or the Other Routing Engine](https://www.juniper.net/documentation/us/en/software/junos/network-mgmt/topics/topic-map/directing-system-log-messages-to-a-remote-destination.html). - -### Log - -The `log` dataset collects Juniper JunOS logs. - -An example event for `log` looks as following: - -```json -{ - "@timestamp": "2021-01-29T06:09:59.000Z", - "agent": { - "ephemeral_id": "6a56393e-9900-4580-9cd7-a2468e6398de", - "id": "4e3f135a-d5f9-40b6-ae01-2c834ecbead0", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "8.0.0" - }, - "data_stream": { - "dataset": "juniper_junos.log", - "namespace": "ep", - "type": "logs" - }, - "ecs": { - "version": "8.3.0" - }, - "elastic_agent": { - "id": "4e3f135a-d5f9-40b6-ae01-2c834ecbead0", - "snapshot": true, - "version": "8.0.0" - }, - "event": { - "action": "RPD_SCHED_TASK_LONGRUNTIME", - "agent_id_status": "verified", - "code": "RPD_SCHED_TASK_LONGRUNTIME", - "dataset": "juniper_junos.log", - "ingested": "2022-01-25T12:44:44Z", - "timezone": "+00:00" - }, - "input": { - "type": "udp" - }, - "log": { - "source": { - "address": "172.30.0.4:36281" - } - }, - "message": "task extended runtime", - "observer": { - "product": "Junos", - "type": "Routers", - "vendor": "Juniper" - }, - "process": { - "name": "ceroinBC.exe", - "pid": 6713 - }, - "rsa": { - "counters": { - "dclass_c1": 7309, - "dclass_c2": 5049 - }, - "internal": { - "event_desc": "task extended runtime", - "messageid": "RPD_SCHED_TASK_LONGRUNTIME" - }, - "misc": { - "client": ": exe", - "event_type": "RPD_SCHED_TASK_LONGRUNTIME", - "pid": "6713" - }, - "time": { - "day": "29", - "event_time": 
"2021-01-29T06:09:59.000Z", - "month": "Jan" - } - }, - "tags": [ - "juniper-junos", - "forwarded" - ] -} -``` - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. | date | -| client.domain | The domain name of the client system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | -| client.registered_domain | The highest registered client domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | -| client.subdomain | The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword | -| client.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". 
This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| destination.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. 
| long | -| destination.as.organization.name | Organization name. | keyword | -| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. | match_only_text | -| destination.bytes | Bytes sent from the destination to the source. | long | -| destination.domain | The domain name of the destination system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | -| destination.geo.city_name | City name. | keyword | -| destination.geo.country_name | Country name. | keyword | -| destination.geo.location | Longitude and latitude. | geo_point | -| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | -| destination.mac | MAC address of the destination. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | -| destination.nat.ip | Translated ip of destination based NAT sessions (e.g. internet to private DMZ) Typically used with load balancers, firewalls, or routers. | ip | -| destination.nat.port | Port the source session is translated to by NAT Device. Typically used with load balancers, firewalls, or routers. | long | -| destination.port | Port of the destination. | long | -| destination.registered_domain | The highest registered destination domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". 
| keyword | -| destination.subdomain | The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword | -| destination.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | -| dns.answers.name | The domain name to which this resource record pertains. If a chain of CNAME is being resolved, each answer's `name` should be the one that corresponds with the answer's `data`. It should not simply be the original `question.name` repeated. | keyword | -| dns.answers.type | The type of data contained in this resource record. | keyword | -| dns.question.domain | Server domain. | keyword | -| dns.question.registered_domain | The highest registered domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | -| dns.question.subdomain | The subdomain is all of the labels under the registered_domain. 
If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword | -| dns.question.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | -| dns.question.type | The type of record being queried. | keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| error.message | Error message. | match_only_text | -| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword | -| event.code | Identification code for this event, if one exists. Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. | keyword | -| event.dataset | Event dataset | constant_keyword | -| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. 
In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | -| event.module | Event module | constant_keyword | -| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | -| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | -| event.timezone | This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). | keyword | -| file.attributes | Array of file attributes. Attributes names will vary by platform. 
Here's a non-exhaustive list of values that are expected in this field: archive, compressed, directory, encrypted, execute, hidden, read, readonly, system, write. | keyword | -| file.directory | Directory where the file is located. It should include the drive letter, when appropriate. | keyword | -| file.extension | File extension, excluding the leading dot. Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword | -| file.name | Name of the file including the extension, without the directory. | keyword | -| file.path | Full path to the file, including the file name. It should include the drive letter, when appropriate. | keyword | -| file.path.text | Multi-field of `file.path`. | match_only_text | -| file.size | File size in bytes. Only relevant when `file.type` is "file". | long | -| file.type | File type (file, dir, or symlink). | keyword | -| geo.city_name | City name. | keyword | -| geo.country_name | Country name. | keyword | -| geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | -| geo.region_name | Region name. | keyword | -| group.id | Unique identifier for the group on the system/platform. | keyword | -| group.name | Name of the group. | keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. 
| keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host MAC addresses. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| http.request.method | HTTP request method. The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field. | keyword | -| http.request.referrer | Referrer for this HTTP request. | keyword | -| input.type | Type of Filebeat input. | keyword | -| log.file.path | Full path to the log file this event came from. | keyword | -| log.flags | Flags for the log file. 
| keyword | -| log.level | Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). Some examples are `warn`, `err`, `i`, `informational`. | keyword | -| log.offset | Offset of the entry in the log file. | long | -| log.source.address | Source address from which the log event was read / sent from. | keyword | -| log.syslog.facility.code | The Syslog numeric facility of the log event, if available. According to RFCs 5424 and 3164, this value should be an integer between 0 and 23. | long | -| log.syslog.priority | Syslog numeric priority of the event, if available. According to RFCs 5424 and 3164, the priority is 8 \* facility + severity. This number is therefore expected to contain a value between 0 and 191. | long | -| log.syslog.severity.code | The Syslog numeric severity of the log event, if available. If the event source publishing via Syslog provides a different numeric severity value (e.g. firewall, IDS), your source's numeric severity should go to `event.severity`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `event.severity`. | long | -| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | -| network.application | When a specific application or service is identified from network connection details (source/dest IPs, ports, certificates, or wire format), this field captures the application's or service's name. 
For example, the original event identifies the network connection being from a specific web service in a `https` network connection, like `facebook` or `twitter`. The field value must be normalized to lowercase for querying. | keyword | -| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long | -| network.direction | Direction of the network traffic. When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword | -| network.forwarded_ip | Host IP address when the source IP address is the proxy. | ip | -| network.interface.name | | keyword | -| network.packets | Total packets transferred in both directions. If `source.packets` and `destination.packets` are known, `network.packets` is their sum. | long | -| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword | -| observer.egress.interface.name | Interface name as reported by the system. | keyword | -| observer.ingress.interface.name | Interface name as reported by the system. | keyword | -| observer.product | The product name of the observer. | keyword | -| observer.type | The type of the observer the data is coming from. There is no predefined list of observer types. 
Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. | keyword | -| observer.vendor | Vendor name of the observer. | keyword | -| observer.version | Observer version. | keyword | -| process.name | Process name. Sometimes called program name or similar. | keyword | -| process.name.text | Multi-field of `process.name`. | match_only_text | -| process.parent.name | Process name. Sometimes called program name or similar. | keyword | -| process.parent.name.text | Multi-field of `process.parent.name`. | match_only_text | -| process.parent.pid | Process id. | long | -| process.parent.title | Process title. The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. | keyword | -| process.parent.title.text | Multi-field of `process.parent.title`. | match_only_text | -| process.pid | Process id. | long | -| process.title | Process title. The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. | keyword | -| process.title.text | Multi-field of `process.title`. | match_only_text | -| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| related.user | All the user names or other user identifiers seen on the event. 
| keyword | -| rsa.counters.dclass_c1 | This is a generic counter key that should be used with the label dclass.c1.str only | long | -| rsa.counters.dclass_c1_str | This is a generic counter string key that should be used with the label dclass.c1 only | keyword | -| rsa.counters.dclass_c2 | This is a generic counter key that should be used with the label dclass.c2.str only | long | -| rsa.counters.dclass_c2_str | This is a generic counter string key that should be used with the label dclass.c2 only | keyword | -| rsa.counters.dclass_c3 | This is a generic counter key that should be used with the label dclass.c3.str only | long | -| rsa.counters.dclass_c3_str | This is a generic counter string key that should be used with the label dclass.c3 only | keyword | -| rsa.counters.dclass_r1 | This is a generic ratio key that should be used with the label dclass.r1.str only | keyword | -| rsa.counters.dclass_r1_str | This is a generic ratio string key that should be used with the label dclass.r1 only | keyword | -| rsa.counters.dclass_r2 | This is a generic ratio key that should be used with the label dclass.r2.str only | keyword | -| rsa.counters.dclass_r2_str | This is a generic ratio string key that should be used with the label dclass.r2 only | keyword | -| rsa.counters.dclass_r3 | This is a generic ratio key that should be used with the label dclass.r3.str only | keyword | -| rsa.counters.dclass_r3_str | This is a generic ratio string key that should be used with the label dclass.r3 only | keyword | -| rsa.counters.event_counter | This is used to capture the number of times an event repeated | long | -| rsa.crypto.cert_ca | This key is used to capture the Certificate signing authority only | keyword | -| rsa.crypto.cert_checksum | | keyword | -| rsa.crypto.cert_common | This key is used to capture the Certificate common name only | keyword | -| rsa.crypto.cert_error | This key captures the Certificate Error String | keyword | -| rsa.crypto.cert_host_cat | This key is 
used for the hostname category value of a certificate | keyword | -| rsa.crypto.cert_host_name | Deprecated key defined only in table map. | keyword | -| rsa.crypto.cert_issuer | | keyword | -| rsa.crypto.cert_keysize | | keyword | -| rsa.crypto.cert_serial | This key is used to capture the Certificate serial number only | keyword | -| rsa.crypto.cert_status | This key captures Certificate validation status | keyword | -| rsa.crypto.cert_subject | This key is used to capture the Certificate organization only | keyword | -| rsa.crypto.cert_username | | keyword | -| rsa.crypto.cipher_dst | This key is for Destination (Server) Cipher | keyword | -| rsa.crypto.cipher_size_dst | This key captures Destination (Server) Cipher Size | long | -| rsa.crypto.cipher_size_src | This key captures Source (Client) Cipher Size | long | -| rsa.crypto.cipher_src | This key is for Source (Client) Cipher | keyword | -| rsa.crypto.crypto | This key is used to capture the Encryption Type or Encryption Key only | keyword | -| rsa.crypto.d_certauth | | keyword | -| rsa.crypto.https_insact | | keyword | -| rsa.crypto.https_valid | | keyword | -| rsa.crypto.ike | IKE negotiation phase. 
| keyword | -| rsa.crypto.ike_cookie1 | ID of the negotiation — sent for ISAKMP Phase One | keyword | -| rsa.crypto.ike_cookie2 | ID of the negotiation — sent for ISAKMP Phase Two | keyword | -| rsa.crypto.peer | This key is for Encryption peer's IP Address | keyword | -| rsa.crypto.peer_id | This key is for Encryption peer’s identity | keyword | -| rsa.crypto.s_certauth | | keyword | -| rsa.crypto.scheme | This key captures the Encryption scheme used | keyword | -| rsa.crypto.sig_type | This key captures the Signature Type | keyword | -| rsa.crypto.ssl_ver_dst | Deprecated, use version | keyword | -| rsa.crypto.ssl_ver_src | Deprecated, use version | keyword | -| rsa.db.database | This key is used to capture the name of a database or an instance as seen in a session | keyword | -| rsa.db.db_id | This key is used to capture the unique identifier for a database | keyword | -| rsa.db.db_pid | This key captures the process id of a connection with database server | long | -| rsa.db.index | This key captures IndexID of the index. | keyword | -| rsa.db.instance | This key is used to capture the database server instance name | keyword | -| rsa.db.lread | This key is used for the number of logical reads | long | -| rsa.db.lwrite | This key is used for the number of logical writes | long | -| rsa.db.permissions | This key captures permission or privilege level assigned to a resource. 
| keyword | -| rsa.db.pread | This key is used for the number of physical writes | long | -| rsa.db.table_name | This key is used to capture the table name | keyword | -| rsa.db.transact_id | This key captures the SQL transantion ID of the current session | keyword | -| rsa.email.email | This key is used to capture a generic email address where the source or destination context is not clear | keyword | -| rsa.email.email_dst | This key is used to capture the Destination email address only, when the destination context is not clear use email | keyword | -| rsa.email.email_src | This key is used to capture the source email address only, when the source context is not clear use email | keyword | -| rsa.email.subject | This key is used to capture the subject string from an Email only. | keyword | -| rsa.email.trans_from | Deprecated key defined only in table map. | keyword | -| rsa.email.trans_to | Deprecated key defined only in table map. | keyword | -| rsa.endpoint.host_state | This key is used to capture the current state of the machine, such as \blacklisted\, \infected\, \firewall disabled\ and so on | keyword | -| rsa.endpoint.registry_key | This key captures the path to the registry key | keyword | -| rsa.endpoint.registry_value | This key captures values or decorators used within a registry entry | keyword | -| rsa.file.attachment | This key captures the attachment file name | keyword | -| rsa.file.binary | Deprecated key defined only in table map. 
| keyword | -| rsa.file.directory_dst | \This key is used to capture the directory of the target process or file\ | keyword | -| rsa.file.directory_src | This key is used to capture the directory of the source process or file | keyword | -| rsa.file.file_entropy | This is used to capture entropy vale of a file | double | -| rsa.file.file_vendor | This is used to capture Company name of file located in version_info | keyword | -| rsa.file.filename_dst | This is used to capture name of the file targeted by the action | keyword | -| rsa.file.filename_src | This is used to capture name of the parent filename, the file which performed the action | keyword | -| rsa.file.filename_tmp | | keyword | -| rsa.file.filesystem | | keyword | -| rsa.file.privilege | Deprecated, use permissions | keyword | -| rsa.file.task_name | This is used to capture name of the task | keyword | -| rsa.healthcare.patient_fname | This key is for First Names only, this is used for Healthcare predominantly to capture Patients information | keyword | -| rsa.healthcare.patient_id | This key captures the unique ID for a patient | keyword | -| rsa.healthcare.patient_lname | This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information | keyword | -| rsa.healthcare.patient_mname | This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information | keyword | -| rsa.identity.accesses | This key is used to capture actual privileges used in accessing an object | keyword | -| rsa.identity.auth_method | This key is used to capture authentication methods used only | keyword | -| rsa.identity.dn | X.500 (LDAP) Distinguished Name | keyword | -| rsa.identity.dn_dst | An X.500 (LDAP) Distinguished name that used in a context that indicates a Destination dn | keyword | -| rsa.identity.dn_src | An X.500 (LDAP) Distinguished name that is used in a context that indicates a Source dn | keyword | -| rsa.identity.federated_idp | This 
key is the federated Identity Provider. This is the server providing the authentication. | keyword | -| rsa.identity.federated_sp | This key is the Federated Service Provider. This is the application requesting authentication. | keyword | -| rsa.identity.firstname | This key is for First Names only, this is used for Healthcare predominantly to capture Patients information | keyword | -| rsa.identity.host_role | This key should only be used to capture the role of a Host Machine | keyword | -| rsa.identity.lastname | This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information | keyword | -| rsa.identity.ldap | This key is for Uninterpreted LDAP values. Ldap Values that don’t have a clear query or response context | keyword | -| rsa.identity.ldap_query | This key is the Search criteria from an LDAP search | keyword | -| rsa.identity.ldap_response | This key is to capture Results from an LDAP search | keyword | -| rsa.identity.logon_type | This key is used to capture the type of logon method used. | keyword | -| rsa.identity.logon_type_desc | This key is used to capture the textual description of an integer logon type as stored in the meta key 'logon.type'. 
| keyword | -| rsa.identity.middlename | This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information | keyword | -| rsa.identity.org | This key captures the User organization | keyword | -| rsa.identity.owner | This is used to capture username the process or service is running as, the author of the task | keyword | -| rsa.identity.password | This key is for Passwords seen in any session, plain text or encrypted | keyword | -| rsa.identity.profile | This key is used to capture the user profile | keyword | -| rsa.identity.realm | Radius realm or similar grouping of accounts | keyword | -| rsa.identity.service_account | This key is a windows specific key, used for capturing name of the account a service (referenced in the event) is running under. Legacy Usage | keyword | -| rsa.identity.user_dept | User's Department Names only | keyword | -| rsa.identity.user_role | This key is used to capture the Role of a user only | keyword | -| rsa.identity.user_sid_dst | This key captures Destination User Session ID | keyword | -| rsa.identity.user_sid_src | This key captures Source User Session ID | keyword | -| rsa.internal.audit_class | Deprecated key defined only in table map. | keyword | -| rsa.internal.cid | This is the unique identifier used to identify a NetWitness Concentrator. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | -| rsa.internal.data | Deprecated key defined only in table map. | keyword | -| rsa.internal.dead | Deprecated key defined only in table map. | long | -| rsa.internal.device_class | This is the Classification of the Log Event Source under a predefined fixed set of Event Source Classifications. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | -| rsa.internal.device_group | This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | -| rsa.internal.device_host | This is the Hostname of the log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | -| rsa.internal.device_ip | This is the IPv4 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | ip | -| rsa.internal.device_ipv6 | This is the IPv6 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | ip | -| rsa.internal.device_type | This is the name of the log parser which parsed a given session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | -| rsa.internal.device_type_id | Deprecated key defined only in table map. | long | -| rsa.internal.did | This is the unique identifier used to identify a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | -| rsa.internal.entropy_req | This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration | long | -| rsa.internal.entropy_res | This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration | long | -| rsa.internal.entry | Deprecated key defined only in table map. 
| keyword | -| rsa.internal.event_desc | | keyword | -| rsa.internal.event_name | Deprecated key defined only in table map. | keyword | -| rsa.internal.feed_category | This is used to capture the category of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | -| rsa.internal.feed_desc | This is used to capture the description of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | -| rsa.internal.feed_name | This is used to capture the name of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | -| rsa.internal.forward_ip | This key should be used to capture the IPV4 address of a relay system which forwarded the events from the original system to NetWitness. | ip | -| rsa.internal.forward_ipv6 | This key is used to capture the IPV6 address of a relay system which forwarded the events from the original system to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | ip | -| rsa.internal.hcode | Deprecated key defined only in table map. | keyword | -| rsa.internal.header_id | This is the Header ID value that identifies the exact log parser header definition that parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | -| rsa.internal.inode | Deprecated key defined only in table map. | long | -| rsa.internal.lc_cid | This is a unique Identifier of a Log Collector. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | -| rsa.internal.lc_ctime | This is the time at which a log is collected in a NetWitness Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | date | -| rsa.internal.level | Deprecated key defined only in table map. | long | -| rsa.internal.mcb_req | This key is only used by the Entropy Parser, the most common byte request is simply which byte for each side (0 thru 255) was seen the most | long | -| rsa.internal.mcb_res | This key is only used by the Entropy Parser, the most common byte response is simply which byte for each side (0 thru 255) was seen the most | long | -| rsa.internal.mcbc_req | This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams | long | -| rsa.internal.mcbc_res | This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams | long | -| rsa.internal.medium | This key is used to identify if it’s a log/packet session or Layer 2 Encapsulation Type. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. 32 = log, 33 = correlation session, < 32 is packet session | long | -| rsa.internal.message | This key captures the contents of instant messages | keyword | -| rsa.internal.messageid | | keyword | -| rsa.internal.msg | This key is used to capture the raw message that comes into the Log Decoder | keyword | -| rsa.internal.msg_id | This is the Message ID1 value that identifies the exact log parser definition which parses a particular log session. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | -| rsa.internal.msg_vid | This is the Message ID2 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | -| rsa.internal.node_name | Deprecated key defined only in table map. | keyword | -| rsa.internal.nwe_callback_id | This key denotes that event is endpoint related | keyword | -| rsa.internal.obj_id | Deprecated key defined only in table map. | keyword | -| rsa.internal.obj_server | Deprecated key defined only in table map. | keyword | -| rsa.internal.obj_val | Deprecated key defined only in table map. | keyword | -| rsa.internal.parse_error | This is a special key that stores any Meta key validation error found while parsing a log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | -| rsa.internal.payload_req | This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep | long | -| rsa.internal.payload_res | This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep | long | -| rsa.internal.process_vid_dst | Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the target process. | keyword | -| rsa.internal.process_vid_src | Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the source process. | keyword | -| rsa.internal.resource | Deprecated key defined only in table map. 
| keyword | -| rsa.internal.resource_class | Deprecated key defined only in table map. | keyword | -| rsa.internal.rid | This is a special ID of the Remote Session created by NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | long | -| rsa.internal.session_split | This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | -| rsa.internal.site | Deprecated key defined only in table map. | keyword | -| rsa.internal.size | This is the size of the session as seen by the NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | long | -| rsa.internal.sourcefile | This is the name of the log file or PCAPs that can be imported into NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | -| rsa.internal.statement | Deprecated key defined only in table map. | keyword | -| rsa.internal.time | This is the time at which a session hits a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. | date | -| rsa.internal.ubc_req | This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once | long | -| rsa.internal.ubc_res | This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 
256 would mean all byte values of 0 thru 255 were seen at least once | long | -| rsa.internal.word | This is used by the Word Parsing technology to capture the first 5 character of every word in an unparsed log | keyword | -| rsa.investigations.analysis_file | This is used to capture all indicators used in a File Analysis. This key should be used to capture an analysis of a file | keyword | -| rsa.investigations.analysis_service | This is used to capture all indicators used in a Service Analysis. This key should be used to capture an analysis of a service | keyword | -| rsa.investigations.analysis_session | This is used to capture all indicators used for a Session Analysis. This key should be used to capture an analysis of a session | keyword | -| rsa.investigations.boc | This is used to capture behaviour of compromise | keyword | -| rsa.investigations.ec_activity | This key captures the particular event activity(Ex:Logoff) | keyword | -| rsa.investigations.ec_outcome | This key captures the outcome of a particular Event(Ex:Success) | keyword | -| rsa.investigations.ec_subject | This key captures the Subject of a particular Event(Ex:User) | keyword | -| rsa.investigations.ec_theme | This key captures the Theme of a particular Event(Ex:Authentication) | keyword | -| rsa.investigations.eoc | This is used to capture Enablers of Compromise | keyword | -| rsa.investigations.event_cat | This key captures the Event category number | long | -| rsa.investigations.event_cat_name | This key captures the event category name corresponding to the event cat code | keyword | -| rsa.investigations.event_vcat | This is a vendor supplied category. This should be used in situations where the vendor has adopted their own event_category taxonomy. 
| keyword | -| rsa.investigations.inv_category | This used to capture investigation category | keyword | -| rsa.investigations.inv_context | This used to capture investigation context | keyword | -| rsa.investigations.ioc | This is key capture indicator of compromise | keyword | -| rsa.misc.OS | This key captures the Name of the Operating System | keyword | -| rsa.misc.acl_id | | keyword | -| rsa.misc.acl_op | | keyword | -| rsa.misc.acl_pos | | keyword | -| rsa.misc.acl_table | | keyword | -| rsa.misc.action | | keyword | -| rsa.misc.admin | | keyword | -| rsa.misc.agent_id | This key is used to capture agent id | keyword | -| rsa.misc.alarm_id | | keyword | -| rsa.misc.alarmname | | keyword | -| rsa.misc.alert_id | Deprecated, New Hunting Model (inv.\*, ioc, boc, eoc, analysis.\*) | keyword | -| rsa.misc.app_id | | keyword | -| rsa.misc.audit | | keyword | -| rsa.misc.audit_object | | keyword | -| rsa.misc.auditdata | | keyword | -| rsa.misc.autorun_type | This is used to capture Auto Run type | keyword | -| rsa.misc.benchmark | | keyword | -| rsa.misc.bypass | | keyword | -| rsa.misc.cache | | keyword | -| rsa.misc.cache_hit | | keyword | -| rsa.misc.category | This key is used to capture the category of an event given by the vendor in the session | keyword | -| rsa.misc.cc_number | Valid Credit Card Numbers only | long | -| rsa.misc.cefversion | | keyword | -| rsa.misc.cfg_attr | | keyword | -| rsa.misc.cfg_obj | | keyword | -| rsa.misc.cfg_path | | keyword | -| rsa.misc.change_attrib | This key is used to capture the name of the attribute that’s changing in a session | keyword | -| rsa.misc.change_new | This key is used to capture the new values of the attribute that’s changing in a session | keyword | -| rsa.misc.change_old | This key is used to capture the old value of the attribute that’s changing in a session | keyword | -| rsa.misc.changes | | keyword | -| rsa.misc.checksum | This key is used to capture the checksum or hash of the entity such as a file or 
process. Checksum should be used over checksum.src or checksum.dst when it is unclear whether the entity is a source or target of an action. | keyword | -| rsa.misc.checksum_dst | This key is used to capture the checksum or hash of the the target entity such as a process or file. | keyword | -| rsa.misc.checksum_src | This key is used to capture the checksum or hash of the source entity such as a file or process. | keyword | -| rsa.misc.client | This key is used to capture only the name of the client application requesting resources of the server. See the user.agent meta key for capture of the specific user agent identifier or browser identification string. | keyword | -| rsa.misc.client_ip | | keyword | -| rsa.misc.clustermembers | | keyword | -| rsa.misc.cmd | | keyword | -| rsa.misc.cn_acttimeout | | keyword | -| rsa.misc.cn_asn_src | | keyword | -| rsa.misc.cn_bgpv4nxthop | | keyword | -| rsa.misc.cn_ctr_dst_code | | keyword | -| rsa.misc.cn_dst_tos | | keyword | -| rsa.misc.cn_dst_vlan | | keyword | -| rsa.misc.cn_engine_id | | keyword | -| rsa.misc.cn_engine_type | | keyword | -| rsa.misc.cn_f_switch | | keyword | -| rsa.misc.cn_flowsampid | | keyword | -| rsa.misc.cn_flowsampintv | | keyword | -| rsa.misc.cn_flowsampmode | | keyword | -| rsa.misc.cn_inacttimeout | | keyword | -| rsa.misc.cn_inpermbyts | | keyword | -| rsa.misc.cn_inpermpckts | | keyword | -| rsa.misc.cn_invalid | | keyword | -| rsa.misc.cn_ip_proto_ver | | keyword | -| rsa.misc.cn_ipv4_ident | | keyword | -| rsa.misc.cn_l_switch | | keyword | -| rsa.misc.cn_log_did | | keyword | -| rsa.misc.cn_log_rid | | keyword | -| rsa.misc.cn_max_ttl | | keyword | -| rsa.misc.cn_maxpcktlen | | keyword | -| rsa.misc.cn_min_ttl | | keyword | -| rsa.misc.cn_minpcktlen | | keyword | -| rsa.misc.cn_mpls_lbl_1 | | keyword | -| rsa.misc.cn_mpls_lbl_10 | | keyword | -| rsa.misc.cn_mpls_lbl_2 | | keyword | -| rsa.misc.cn_mpls_lbl_3 | | keyword | -| rsa.misc.cn_mpls_lbl_4 | | keyword | -| rsa.misc.cn_mpls_lbl_5 | 
| keyword | -| rsa.misc.cn_mpls_lbl_6 | | keyword | -| rsa.misc.cn_mpls_lbl_7 | | keyword | -| rsa.misc.cn_mpls_lbl_8 | | keyword | -| rsa.misc.cn_mpls_lbl_9 | | keyword | -| rsa.misc.cn_mplstoplabel | | keyword | -| rsa.misc.cn_mplstoplabip | | keyword | -| rsa.misc.cn_mul_dst_byt | | keyword | -| rsa.misc.cn_mul_dst_pks | | keyword | -| rsa.misc.cn_muligmptype | | keyword | -| rsa.misc.cn_sampalgo | | keyword | -| rsa.misc.cn_sampint | | keyword | -| rsa.misc.cn_seqctr | | keyword | -| rsa.misc.cn_spackets | | keyword | -| rsa.misc.cn_src_tos | | keyword | -| rsa.misc.cn_src_vlan | | keyword | -| rsa.misc.cn_sysuptime | | keyword | -| rsa.misc.cn_template_id | | keyword | -| rsa.misc.cn_totbytsexp | | keyword | -| rsa.misc.cn_totflowexp | | keyword | -| rsa.misc.cn_totpcktsexp | | keyword | -| rsa.misc.cn_unixnanosecs | | keyword | -| rsa.misc.cn_v6flowlabel | | keyword | -| rsa.misc.cn_v6optheaders | | keyword | -| rsa.misc.code | | keyword | -| rsa.misc.command | | keyword | -| rsa.misc.comments | Comment information provided in the log message | keyword | -| rsa.misc.comp_class | | keyword | -| rsa.misc.comp_name | | keyword | -| rsa.misc.comp_rbytes | | keyword | -| rsa.misc.comp_sbytes | | keyword | -| rsa.misc.comp_version | This key captures the Version level of a sub-component of a product. | keyword | -| rsa.misc.connection_id | This key captures the Connection ID | keyword | -| rsa.misc.content | This key captures the content type from protocol headers | keyword | -| rsa.misc.content_type | This key is used to capture Content Type only. | keyword | -| rsa.misc.content_version | This key captures Version level of a signature or database content. | keyword | -| rsa.misc.context | This key captures Information which adds additional context to the event. 
| keyword | -| rsa.misc.context_subject | This key is to be used in an audit context where the subject is the object being identified | keyword | -| rsa.misc.context_target | | keyword | -| rsa.misc.count | | keyword | -| rsa.misc.cpu | This key is the CPU time used in the execution of the event being recorded. | long | -| rsa.misc.cpu_data | | keyword | -| rsa.misc.criticality | | keyword | -| rsa.misc.cs_agency_dst | | keyword | -| rsa.misc.cs_analyzedby | | keyword | -| rsa.misc.cs_av_other | | keyword | -| rsa.misc.cs_av_primary | | keyword | -| rsa.misc.cs_av_secondary | | keyword | -| rsa.misc.cs_bgpv6nxthop | | keyword | -| rsa.misc.cs_bit9status | | keyword | -| rsa.misc.cs_context | | keyword | -| rsa.misc.cs_control | | keyword | -| rsa.misc.cs_data | | keyword | -| rsa.misc.cs_datecret | | keyword | -| rsa.misc.cs_dst_tld | | keyword | -| rsa.misc.cs_eth_dst_ven | | keyword | -| rsa.misc.cs_eth_src_ven | | keyword | -| rsa.misc.cs_event_uuid | | keyword | -| rsa.misc.cs_filetype | | keyword | -| rsa.misc.cs_fld | | keyword | -| rsa.misc.cs_if_desc | | keyword | -| rsa.misc.cs_if_name | | keyword | -| rsa.misc.cs_ip_next_hop | | keyword | -| rsa.misc.cs_ipv4dstpre | | keyword | -| rsa.misc.cs_ipv4srcpre | | keyword | -| rsa.misc.cs_lifetime | | keyword | -| rsa.misc.cs_log_medium | | keyword | -| rsa.misc.cs_loginname | | keyword | -| rsa.misc.cs_modulescore | | keyword | -| rsa.misc.cs_modulesign | | keyword | -| rsa.misc.cs_opswatresult | | keyword | -| rsa.misc.cs_payload | | keyword | -| rsa.misc.cs_registrant | | keyword | -| rsa.misc.cs_registrar | | keyword | -| rsa.misc.cs_represult | | keyword | -| rsa.misc.cs_rpayload | | keyword | -| rsa.misc.cs_sampler_name | | keyword | -| rsa.misc.cs_sourcemodule | | keyword | -| rsa.misc.cs_streams | | keyword | -| rsa.misc.cs_targetmodule | | keyword | -| rsa.misc.cs_v6nxthop | | keyword | -| rsa.misc.cs_whois_server | | keyword | -| rsa.misc.cs_yararesult | | keyword | -| rsa.misc.cve | This key captures 
CVE (Common Vulnerabilities and Exposures) - an identifier for known information security vulnerabilities. | keyword | -| rsa.misc.data_type | | keyword | -| rsa.misc.description | | keyword | -| rsa.misc.device_name | This is used to capture name of the Device associated with the node Like: a physical disk, printer, etc | keyword | -| rsa.misc.devvendor | | keyword | -| rsa.misc.disposition | This key captures the The end state of an action. | keyword | -| rsa.misc.distance | | keyword | -| rsa.misc.doc_number | This key captures File Identification number | long | -| rsa.misc.dstburb | | keyword | -| rsa.misc.edomain | | keyword | -| rsa.misc.edomaub | | keyword | -| rsa.misc.ein_number | Employee Identification Numbers only | long | -| rsa.misc.error | This key captures All non successful Error codes or responses | keyword | -| rsa.misc.euid | | keyword | -| rsa.misc.event_category | | keyword | -| rsa.misc.event_computer | This key is a windows only concept, where this key is used to capture fully qualified domain name in a windows log. | keyword | -| rsa.misc.event_desc | This key is used to capture a description of an event available directly or inferred | keyword | -| rsa.misc.event_id | | keyword | -| rsa.misc.event_log | This key captures the Name of the event log | keyword | -| rsa.misc.event_source | This key captures Source of the event that’s not a hostname | keyword | -| rsa.misc.event_state | This key captures the current state of the object/item referenced within the event. Describing an on-going event. | keyword | -| rsa.misc.event_type | This key captures the event category type as specified by the event source. | keyword | -| rsa.misc.event_user | This key is a windows only concept, where this key is used to capture combination of domain name and username in a windows log. | keyword | -| rsa.misc.expected_val | This key captures the Value expected (from the perspective of the device generating the log). 
| keyword | -| rsa.misc.facility | | keyword | -| rsa.misc.facilityname | | keyword | -| rsa.misc.fcatnum | This key captures Filter Category Number. Legacy Usage | keyword | -| rsa.misc.filter | This key captures Filter used to reduce result set | keyword | -| rsa.misc.finterface | | keyword | -| rsa.misc.flags | | keyword | -| rsa.misc.forensic_info | | keyword | -| rsa.misc.found | This is used to capture the results of regex match | keyword | -| rsa.misc.fresult | This key captures the Filter Result | long | -| rsa.misc.gaddr | | keyword | -| rsa.misc.group | This key captures the Group Name value | keyword | -| rsa.misc.group_id | This key captures Group ID Number (related to the group name) | keyword | -| rsa.misc.group_object | This key captures a collection/grouping of entities. Specific usage | keyword | -| rsa.misc.hardware_id | This key is used to capture unique identifier for a device or system (NOT a Mac address) | keyword | -| rsa.misc.id3 | | keyword | -| rsa.misc.im_buddyid | | keyword | -| rsa.misc.im_buddyname | | keyword | -| rsa.misc.im_client | | keyword | -| rsa.misc.im_croomid | | keyword | -| rsa.misc.im_croomtype | | keyword | -| rsa.misc.im_members | | keyword | -| rsa.misc.im_userid | | keyword | -| rsa.misc.im_username | | keyword | -| rsa.misc.index | | keyword | -| rsa.misc.inout | | keyword | -| rsa.misc.ipkt | | keyword | -| rsa.misc.ipscat | | keyword | -| rsa.misc.ipspri | | keyword | -| rsa.misc.job_num | This key captures the Job Number | keyword | -| rsa.misc.jobname | | keyword | -| rsa.misc.language | This is used to capture list of languages the client support and what it prefers | keyword | -| rsa.misc.latitude | | keyword | -| rsa.misc.library | This key is used to capture library information in mainframe devices | keyword | -| rsa.misc.lifetime | This key is used to capture the session lifetime in seconds. | long | -| rsa.misc.linenum | | keyword | -| rsa.misc.link | This key is used to link the sessions together. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | -| rsa.misc.list_name | | keyword | -| rsa.misc.listnum | This key is used to capture listname or listnumber, primarily for collecting access-list | keyword | -| rsa.misc.load_data | | keyword | -| rsa.misc.location_floor | | keyword | -| rsa.misc.location_mark | | keyword | -| rsa.misc.log_id | | keyword | -| rsa.misc.log_session_id | This key is used to capture a sessionid from the session directly | keyword | -| rsa.misc.log_session_id1 | This key is used to capture a Linked (Related) Session ID from the session directly | keyword | -| rsa.misc.log_type | | keyword | -| rsa.misc.logid | | keyword | -| rsa.misc.logip | | keyword | -| rsa.misc.logname | | keyword | -| rsa.misc.longitude | | keyword | -| rsa.misc.lport | | keyword | -| rsa.misc.mail_id | This key is used to capture the mailbox id/name | keyword | -| rsa.misc.match | This key is for regex match name from search.ini | keyword | -| rsa.misc.mbug_data | | keyword | -| rsa.misc.message_body | This key captures the The contents of the message body. | keyword | -| rsa.misc.misc | | keyword | -| rsa.misc.misc_name | | keyword | -| rsa.misc.mode | | keyword | -| rsa.misc.msgIdPart1 | | keyword | -| rsa.misc.msgIdPart2 | | keyword | -| rsa.misc.msgIdPart3 | | keyword | -| rsa.misc.msgIdPart4 | | keyword | -| rsa.misc.msg_type | | keyword | -| rsa.misc.msgid | | keyword | -| rsa.misc.name | | keyword | -| rsa.misc.netsessid | | keyword | -| rsa.misc.node | Common use case is the node name within a cluster. The cluster name is reflected by the host name. 
| keyword | -| rsa.misc.ntype | | keyword | -| rsa.misc.num | | keyword | -| rsa.misc.number | | keyword | -| rsa.misc.number1 | | keyword | -| rsa.misc.number2 | | keyword | -| rsa.misc.nwwn | | keyword | -| rsa.misc.obj_name | This is used to capture name of object | keyword | -| rsa.misc.obj_type | This is used to capture type of object | keyword | -| rsa.misc.object | | keyword | -| rsa.misc.observed_val | This key captures the Value observed (from the perspective of the device generating the log). | keyword | -| rsa.misc.operation | | keyword | -| rsa.misc.operation_id | An alert number or operation number. The values should be unique and non-repeating. | keyword | -| rsa.misc.opkt | | keyword | -| rsa.misc.orig_from | | keyword | -| rsa.misc.owner_id | | keyword | -| rsa.misc.p_action | | keyword | -| rsa.misc.p_filter | | keyword | -| rsa.misc.p_group_object | | keyword | -| rsa.misc.p_id | | keyword | -| rsa.misc.p_msgid | | keyword | -| rsa.misc.p_msgid1 | | keyword | -| rsa.misc.p_msgid2 | | keyword | -| rsa.misc.p_result1 | | keyword | -| rsa.misc.param | This key is the parameters passed as part of a command or application, etc. | keyword | -| rsa.misc.param_dst | This key captures the command line/launch argument of the target process or file | keyword | -| rsa.misc.param_src | This key captures source parameter | keyword | -| rsa.misc.parent_node | This key captures the Parent Node Name. Must be related to node variable. 
| keyword | -| rsa.misc.password_chg | | keyword | -| rsa.misc.password_expire | | keyword | -| rsa.misc.payload_dst | This key is used to capture destination payload | keyword | -| rsa.misc.payload_src | This key is used to capture source payload | keyword | -| rsa.misc.permgranted | | keyword | -| rsa.misc.permwanted | | keyword | -| rsa.misc.pgid | | keyword | -| rsa.misc.phone | | keyword | -| rsa.misc.pid | | keyword | -| rsa.misc.policy | | keyword | -| rsa.misc.policyUUID | | keyword | -| rsa.misc.policy_id | This key is used to capture the Policy ID only, this should be a numeric value, use policy.name otherwise | keyword | -| rsa.misc.policy_name | This key is used to capture the Policy Name only. | keyword | -| rsa.misc.policy_value | This key captures the contents of the policy. This contains details about the policy | keyword | -| rsa.misc.policy_waiver | | keyword | -| rsa.misc.pool_id | This key captures the identifier (typically numeric field) of a resource pool | keyword | -| rsa.misc.pool_name | This key captures the name of a resource pool | keyword | -| rsa.misc.port_name | This key is used for Physical or logical port connection but does NOT include a network port. (Example: Printer port name). | keyword | -| rsa.misc.priority | | keyword | -| rsa.misc.process_id_val | This key is a failure key for Process ID when it is not an integer value | keyword | -| rsa.misc.prog_asp_num | | keyword | -| rsa.misc.program | | keyword | -| rsa.misc.real_data | | keyword | -| rsa.misc.reason | | keyword | -| rsa.misc.rec_asp_device | | keyword | -| rsa.misc.rec_asp_num | | keyword | -| rsa.misc.rec_library | | keyword | -| rsa.misc.recordnum | | keyword | -| rsa.misc.reference_id | This key is used to capture an event id from the session directly | keyword | -| rsa.misc.reference_id1 | This key is for Linked ID to be used as an addition to "reference.id" | keyword | -| rsa.misc.reference_id2 | This key is for the 2nd Linked ID. 
Can be either linked to "reference.id" or "reference.id1" value but should not be used unless the other two variables are in play. | keyword | -| rsa.misc.result | This key is used to capture the outcome/result string value of an action in a session. | keyword | -| rsa.misc.result_code | This key is used to capture the outcome/result numeric value of an action in a session | keyword | -| rsa.misc.risk | This key captures the non-numeric risk value | keyword | -| rsa.misc.risk_info | Deprecated, use New Hunting Model (inv.\*, ioc, boc, eoc, analysis.\*) | keyword | -| rsa.misc.risk_num | This key captures a Numeric Risk value | double | -| rsa.misc.risk_num_comm | This key captures Risk Number Community | double | -| rsa.misc.risk_num_next | This key captures Risk Number NextGen | double | -| rsa.misc.risk_num_sand | This key captures Risk Number SandBox | double | -| rsa.misc.risk_num_static | This key captures Risk Number Static | double | -| rsa.misc.risk_suspicious | Deprecated, use New Hunting Model (inv.\*, ioc, boc, eoc, analysis.\*) | keyword | -| rsa.misc.risk_warning | Deprecated, use New Hunting Model (inv.\*, ioc, boc, eoc, analysis.\*) | keyword | -| rsa.misc.ruid | | keyword | -| rsa.misc.rule | This key captures the Rule number | keyword | -| rsa.misc.rule_group | This key captures the Rule group name | keyword | -| rsa.misc.rule_name | This key captures the Rule Name | keyword | -| rsa.misc.rule_template | A default set of parameters which are overlayed onto a rule (or rulename) which efffectively constitutes a template | keyword | -| rsa.misc.rule_uid | This key is the Unique Identifier for a rule. | keyword | -| rsa.misc.sburb | | keyword | -| rsa.misc.sdomain_fld | | keyword | -| rsa.misc.search_text | This key captures the Search Text used | keyword | -| rsa.misc.sec | | keyword | -| rsa.misc.second | | keyword | -| rsa.misc.sensor | This key captures Name of the sensor. 
Typically used in IDS/IPS based devices | keyword | -| rsa.misc.sensorname | | keyword | -| rsa.misc.seqnum | | keyword | -| rsa.misc.serial_number | This key is the Serial number associated with a physical asset. | keyword | -| rsa.misc.session | | keyword | -| rsa.misc.sessiontype | | keyword | -| rsa.misc.severity | This key is used to capture the severity given the session | keyword | -| rsa.misc.sigUUID | | keyword | -| rsa.misc.sig_id | This key captures IDS/IPS Int Signature ID | long | -| rsa.misc.sig_id1 | This key captures IDS/IPS Int Signature ID. This must be linked to the sig.id | long | -| rsa.misc.sig_id_str | This key captures a string object of the sigid variable. | keyword | -| rsa.misc.sig_name | This key is used to capture the Signature Name only. | keyword | -| rsa.misc.sigcat | | keyword | -| rsa.misc.snmp_oid | SNMP Object Identifier | keyword | -| rsa.misc.snmp_value | SNMP set request value | keyword | -| rsa.misc.space | | keyword | -| rsa.misc.space1 | | keyword | -| rsa.misc.spi | | keyword | -| rsa.misc.spi_dst | Destination SPI Index | keyword | -| rsa.misc.spi_src | Source SPI Index | keyword | -| rsa.misc.sql | This key captures the SQL query | keyword | -| rsa.misc.srcburb | | keyword | -| rsa.misc.srcdom | | keyword | -| rsa.misc.srcservice | | keyword | -| rsa.misc.state | | keyword | -| rsa.misc.status | | keyword | -| rsa.misc.status1 | | keyword | -| rsa.misc.streams | This key captures number of streams in session | long | -| rsa.misc.subcategory | | keyword | -| rsa.misc.svcno | | keyword | -| rsa.misc.system | | keyword | -| rsa.misc.tbdstr1 | | keyword | -| rsa.misc.tbdstr2 | | keyword | -| rsa.misc.tcp_flags | This key is captures the TCP flags set in any packet of session | long | -| rsa.misc.terminal | This key captures the Terminal Names only | keyword | -| rsa.misc.tgtdom | | keyword | -| rsa.misc.tgtdomain | | keyword | -| rsa.misc.threshold | | keyword | -| rsa.misc.tos | This key describes the type of service | long 
| -| rsa.misc.trigger_desc | This key captures the Description of the trigger or threshold condition. | keyword | -| rsa.misc.trigger_val | This key captures the Value of the trigger or threshold condition. | keyword | -| rsa.misc.type | | keyword | -| rsa.misc.type1 | | keyword | -| rsa.misc.udb_class | | keyword | -| rsa.misc.url_fld | | keyword | -| rsa.misc.user_div | | keyword | -| rsa.misc.userid | | keyword | -| rsa.misc.username_fld | | keyword | -| rsa.misc.utcstamp | | keyword | -| rsa.misc.v_instafname | | keyword | -| rsa.misc.version | This key captures Version of the application or OS which is generating the event. | keyword | -| rsa.misc.virt_data | | keyword | -| rsa.misc.virusname | This key captures the name of the virus | keyword | -| rsa.misc.vm_target | VMWare Target \*\*VMWARE\*\* only varaible. | keyword | -| rsa.misc.vpnid | | keyword | -| rsa.misc.vsys | This key captures Virtual System Name | keyword | -| rsa.misc.vuln_ref | This key captures the Vulnerability Reference details | keyword | -| rsa.misc.workspace | This key captures Workspace Description | keyword | -| rsa.network.ad_computer_dst | Deprecated, use host.dst | keyword | -| rsa.network.addr | | keyword | -| rsa.network.alias_host | This key should be used when the source or destination context of a hostname is not clear.Also it captures the Device Hostname. Any Hostname that isnt ad.computer. 
| keyword | -| rsa.network.dinterface | This key should only be used when it’s a Destination Interface | keyword | -| rsa.network.dmask | This key is used for Destionation Device network mask | keyword | -| rsa.network.dns_a_record | | keyword | -| rsa.network.dns_cname_record | | keyword | -| rsa.network.dns_id | | keyword | -| rsa.network.dns_opcode | | keyword | -| rsa.network.dns_ptr_record | | keyword | -| rsa.network.dns_resp | | keyword | -| rsa.network.dns_type | | keyword | -| rsa.network.domain | | keyword | -| rsa.network.domain1 | | keyword | -| rsa.network.eth_host | Deprecated, use alias.mac | keyword | -| rsa.network.eth_type | This key is used to capture Ethernet Type, Used for Layer 3 Protocols Only | long | -| rsa.network.faddr | | keyword | -| rsa.network.fhost | | keyword | -| rsa.network.fport | | keyword | -| rsa.network.gateway | This key is used to capture the IP Address of the gateway | keyword | -| rsa.network.host_dst | This key should only be used when it’s a Destination Hostname | keyword | -| rsa.network.host_orig | This is used to capture the original hostname in case of a Forwarding Agent or a Proxy in between. | keyword | -| rsa.network.host_type | | keyword | -| rsa.network.icmp_code | This key is used to capture the ICMP code only | long | -| rsa.network.icmp_type | This key is used to capture the ICMP type only | long | -| rsa.network.interface | This key should be used when the source or destination context of an interface is not clear | keyword | -| rsa.network.ip_proto | This key should be used to capture the Protocol number, all the protocol nubers are converted into string in UI | long | -| rsa.network.laddr | | keyword | -| rsa.network.lhost | | keyword | -| rsa.network.linterface | | keyword | -| rsa.network.mask | This key is used to capture the device network IPmask. | keyword | -| rsa.network.netname | This key is used to capture the network name associated with an IP range. This is configured by the end user. 
| keyword | -| rsa.network.network_port | Deprecated, use port. NOTE: There is a type discrepancy as currently used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!) | long | -| rsa.network.network_service | This is used to capture layer 7 protocols/service names | keyword | -| rsa.network.origin | | keyword | -| rsa.network.packet_length | | keyword | -| rsa.network.paddr | Deprecated | ip | -| rsa.network.phost | | keyword | -| rsa.network.port | This key should only be used to capture a Network Port when the directionality is not clear | long | -| rsa.network.protocol_detail | This key should be used to capture additional protocol information | keyword | -| rsa.network.remote_domain_id | | keyword | -| rsa.network.rpayload | This key is used to capture the total number of payload bytes seen in the retransmitted packets. | keyword | -| rsa.network.sinterface | This key should only be used when it’s a Source Interface | keyword | -| rsa.network.smask | This key is used for capturing source Network Mask | keyword | -| rsa.network.vlan | This key should only be used to capture the ID of the Virtual LAN | long | -| rsa.network.vlan_name | This key should only be used to capture the name of the Virtual LAN | keyword | -| rsa.network.zone | This key should be used when the source or destination context of a Zone is not clear | keyword | -| rsa.network.zone_dst | This key should only be used when it’s a Destination Zone. | keyword | -| rsa.network.zone_src | This key should only be used when it’s a Source Zone. | keyword | -| rsa.physical.org_dst | This is used to capture the destination organization based on the GEOPIP Maxmind database. | keyword | -| rsa.physical.org_src | This is used to capture the source organization based on the GEOPIP Maxmind database. 
| keyword | -| rsa.storage.disk_volume | A unique name assigned to logical units (volumes) within a physical disk | keyword | -| rsa.storage.lun | Logical Unit Number.This key is a very useful concept in Storage. | keyword | -| rsa.storage.pwwn | This uniquely identifies a port on a HBA. | keyword | -| rsa.threat.alert | This key is used to capture name of the alert | keyword | -| rsa.threat.threat_category | This key captures Threat Name/Threat Category/Categorization of alert | keyword | -| rsa.threat.threat_desc | This key is used to capture the threat description from the session directly or inferred | keyword | -| rsa.threat.threat_source | This key is used to capture source of the threat | keyword | -| rsa.time.date | | keyword | -| rsa.time.datetime | | keyword | -| rsa.time.day | | keyword | -| rsa.time.duration_str | A text string version of the duration | keyword | -| rsa.time.duration_time | This key is used to capture the normalized duration/lifetime in seconds. | double | -| rsa.time.effective_time | This key is the effective time referenced by an individual event in a Standard Timestamp format | date | -| rsa.time.endtime | This key is used to capture the End time mentioned in a session in a standard form | date | -| rsa.time.event_queue_time | This key is the Time that the event was queued. | date | -| rsa.time.event_time | This key is used to capture the time mentioned in a raw session that represents the actual time an event occured in a standard normalized form | date | -| rsa.time.event_time_str | This key is used to capture the incomplete time mentioned in a session as a string | keyword | -| rsa.time.eventtime | | keyword | -| rsa.time.expire_time | This key is the timestamp that explicitly refers to an expiration. | date | -| rsa.time.expire_time_str | This key is used to capture incomplete timestamp that explicitly refers to an expiration. 
| keyword | -| rsa.time.gmtdate | | keyword | -| rsa.time.gmttime | | keyword | -| rsa.time.hour | | keyword | -| rsa.time.min | | keyword | -| rsa.time.month | | keyword | -| rsa.time.p_date | | keyword | -| rsa.time.p_month | | keyword | -| rsa.time.p_time | | keyword | -| rsa.time.p_time1 | | keyword | -| rsa.time.p_time2 | | keyword | -| rsa.time.p_year | | keyword | -| rsa.time.process_time | Deprecated, use duration.time | keyword | -| rsa.time.recorded_time | The event time as recorded by the system the event is collected from. The usage scenario is a multi-tier application where the management layer of the system records it's own timestamp at the time of collection from its child nodes. Must be in timestamp format. | date | -| rsa.time.stamp | Deprecated key defined only in table map. | date | -| rsa.time.starttime | This key is used to capture the Start time mentioned in a session in a standard form | date | -| rsa.time.timestamp | | keyword | -| rsa.time.timezone | This key is used to capture the timezone of the Event Time | keyword | -| rsa.time.tzone | | keyword | -| rsa.time.year | | keyword | -| rsa.web.alias_host | | keyword | -| rsa.web.cn_asn_dst | | keyword | -| rsa.web.cn_rpackets | | keyword | -| rsa.web.fqdn | Fully Qualified Domain Names | keyword | -| rsa.web.p_url | | keyword | -| rsa.web.p_user_agent | | keyword | -| rsa.web.p_web_cookie | | keyword | -| rsa.web.p_web_method | | keyword | -| rsa.web.p_web_referer | | keyword | -| rsa.web.remote_domain | | keyword | -| rsa.web.reputation_num | Reputation Number of an entity. Typically used for Web Domains | double | -| rsa.web.urlpage | | keyword | -| rsa.web.urlroot | | keyword | -| rsa.web.web_cookie | This key is used to capture the Web cookies specifically. 
| keyword | -| rsa.web.web_extension_tmp | | keyword | -| rsa.web.web_page | | keyword | -| rsa.web.web_ref_domain | Web referer's domain | keyword | -| rsa.web.web_ref_page | This key captures Web referer's page information | keyword | -| rsa.web.web_ref_query | This key captures Web referer's query portion of the URL | keyword | -| rsa.web.web_ref_root | Web referer's root URL path | keyword | -| rsa.wireless.access_point | This key is used to capture the access point name. | keyword | -| rsa.wireless.wlan_channel | This is used to capture the channel names | long | -| rsa.wireless.wlan_name | This key captures either WLAN number/name | keyword | -| rsa.wireless.wlan_ssid | This key is used to capture the ssid of a Wireless Session | keyword | -| rule.name | The name of the rule or signature generating the event. | keyword | -| server.domain | The domain name of the server system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | -| server.registered_domain | The highest registered server domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | -| server.subdomain | The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". 
If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword | -| server.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | -| service.name | Name of the service data is collected from. The name of the service is normally user given. This allows for distributed services that run on multiple hosts to correlate the related instances based on the name. In the case of Elasticsearch the `service.name` could contain the cluster name. For Beats the `service.name` is by default a copy of the `service.type` field if no name is specified. | keyword | -| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| source.as.organization.name | Organization name. | keyword | -| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text | -| source.bytes | Bytes sent from the source to the destination. | long | -| source.domain | The domain name of the source system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | -| source.geo.city_name | City name. 
| keyword | -| source.geo.country_name | Country name. | keyword | -| source.geo.location | Longitude and latitude. | geo_point | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| source.mac | MAC address of the source. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | -| source.nat.ip | Translated ip of source based NAT sessions (e.g. internal client to internet) Typically connections traversing load balancers, firewalls, or routers. | ip | -| source.nat.port | Translated port of source based NAT sessions. (e.g. internal client to internet) Typically used with load balancers, firewalls, or routers. | long | -| source.port | Port of the source. | long | -| source.registered_domain | The highest registered source domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | -| source.subdomain | The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword | -| source.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. 
For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | -| tags | List of keywords used to tag each event. | keyword | -| url.domain | Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. | keyword | -| url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | wildcard | -| url.original.text | Multi-field of `url.original`. | match_only_text | -| url.path | Path of the request, such as "/search". | wildcard | -| url.query | The query field describes the query string of the request, such as "q=elasticsearch". The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. | keyword | -| url.registered_domain | The highest registered url domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". 
| keyword | -| url.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | -| user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword | -| user.full_name | User's full name, if available. | keyword | -| user.full_name.text | Multi-field of `user.full_name`. | match_only_text | -| user.id | Unique identifier of the user. | keyword | -| user.name | Short name or login of the user. | keyword | -| user.name.text | Multi-field of `user.name`. | match_only_text | -| user_agent.original | Unparsed user_agent string. | keyword | -| user_agent.original.text | Multi-field of `user_agent.original`. | match_only_text | diff --git a/packages/juniper_junos/0.4.2/img/logo.svg b/packages/juniper_junos/0.4.2/img/logo.svg deleted file mode 100755 index 8802414a5a..0000000000 --- a/packages/juniper_junos/0.4.2/img/logo.svg +++ /dev/null @@ -1,72 +0,0 @@ - -image/svg+xml \ No newline at end of file diff --git a/packages/juniper_junos/0.4.2/manifest.yml b/packages/juniper_junos/0.4.2/manifest.yml deleted file mode 100755 index 5c42b41dd6..0000000000 --- a/packages/juniper_junos/0.4.2/manifest.yml +++ /dev/null 
@@ -1,32 +0,0 @@ -format_version: 1.0.0 -name: juniper_junos -title: Juniper JunOS -version: "0.4.2" -description: Collect logs from Juniper JunOS with Elastic Agent. -categories: ["network", "security"] -release: experimental -license: basic -type: integration -conditions: - kibana.version: "^8.0.0" -policy_templates: - - name: juniper - title: Juniper JunOS logs - description: Collect Juniper JunOS logs from syslog or a file. - inputs: - - type: udp - title: Collect logs from Juniper JunOS via UDP - description: Collecting syslog from Juniper JunOS via UDP. - - type: tcp - title: Collect logs from Juniper JunOS via TCP - description: Collecting syslog from Juniper JunOS via TCP. - - type: filestream - title: Collect logs from Juniper JunOS via file - description: Collecting syslog from Juniper JunOS via file. -icons: - - src: /img/logo.svg - title: Juniper logo - size: 32x32 - type: image/svg+xml -owner: - github: elastic/security-external-integrations diff --git a/packages/juniper_netscreen/0.4.1/LICENSE.txt b/packages/juniper_netscreen/0.4.1/LICENSE.txt deleted file mode 100755 index 809108b857..0000000000 --- a/packages/juniper_netscreen/0.4.1/LICENSE.txt +++ /dev/null 
@@ -1,93 +0,0 @@ -Elastic License 2.0 - -URL: https://www.elastic.co/licensing/elastic-license - -## Acceptance - -By using the software, you agree to all of the terms and conditions below. - -## Copyright License - -The licensor grants you a non-exclusive, royalty-free, worldwide, -non-sublicensable, non-transferable license to use, copy, distribute, make -available, and prepare derivative works of the software, in each case subject to -the limitations and conditions below. - -## Limitations - -You may not provide the software to third parties as a hosted or managed -service, where the service provides users with access to any substantial set of -the features or functionality of the software. - -You may not move, change, disable, or circumvent the license key functionality -in the software, and you may not remove or obscure any functionality in the -software that is protected by the license key. - -You may not alter, remove, or obscure any licensing, copyright, or other notices -of the licensor in the software. Any use of the licensor’s trademarks is subject -to applicable law. - -## Patents - -The licensor grants you a license, under any patent claims the licensor can -license, or becomes able to license, to make, have made, use, sell, offer for -sale, import and have imported the software, in each case subject to the -limitations and conditions in this license. This license does not cover any -patent claims that you cause to be infringed by modifications or additions to -the software. If you or your company make any written claim that the software -infringes or contributes to infringement of any patent, your patent license for -the software granted under these terms ends immediately. If your company makes -such a claim, your patent license ends immediately for work on behalf of your -company. - -## Notices - -You must ensure that anyone who gets a copy of any part of the software from you -also gets a copy of these terms. 
- -If you modify the software, you must include in any modified copies of the -software prominent notices stating that you have modified the software. - -## No Other Rights - -These terms do not imply any licenses other than those expressly granted in -these terms. - -## Termination - -If you use the software in violation of these terms, such use is not licensed, -and your licenses will automatically terminate. If the licensor provides you -with a notice of your violation, and you cease all violation of this license no -later than 30 days after you receive that notice, your licenses will be -reinstated retroactively. However, if you violate these terms after such -reinstatement, any additional violation of these terms will cause your licenses -to terminate automatically and permanently. - -## No Liability - -*As far as the law allows, the software comes as is, without any warranty or -condition, and the licensor will not be liable to you for any damages arising -out of these terms or the use or nature of the software, under any kind of -legal claim.* - -## Definitions - -The **licensor** is the entity offering these terms, and the **software** is the -software the licensor makes available under these terms, including any portion -of it. - -**you** refers to the individual or entity agreeing to these terms. - -**your company** is any legal entity, sole proprietorship, or other kind of -organization that you work for, plus all organizations that have control over, -are under the control of, or are under common control with that -organization. **control** means ownership of substantially all the assets of an -entity, or the power to direct its management and policies by vote, contract, or -otherwise. Control can be direct or indirect. - -**your licenses** are all the licenses granted to you for the software under -these terms. - -**use** means anything you do with the software requiring one of your licenses. 
- -**trademark** means trademarks, service marks, and similar rights. diff --git a/packages/juniper_netscreen/0.4.1/changelog.yml b/packages/juniper_netscreen/0.4.1/changelog.yml deleted file mode 100755 index 192ec0ed7c..0000000000 --- a/packages/juniper_netscreen/0.4.1/changelog.yml +++ /dev/null @@ -1,46 +0,0 @@ -# newer versions go on top -- version: "0.4.1" - changes: - - description: Use ECS geo.location definition. - type: enhancement - link: https://github.com/elastic/integrations/issues/4227 -- version: "0.4.0" - changes: - - description: Update package to ECS 8.4.0 - type: enhancement - link: https://github.com/elastic/integrations/pull/3867 -- version: "0.3.1" - changes: - - description: Add documentation link to juniper documentation - type: enhancement - link: https://github.com/elastic/integrations/pull/3134 -- version: "0.3.0" - changes: - - description: Update package to ECS 8.3.0. - type: enhancement - link: https://github.com/elastic/integrations/pull/3353 -- version: "0.2.0" - changes: - - description: Update to ECS 8.2.0 - type: enhancement - link: https://github.com/elastic/integrations/pull/2779 -- version: "0.1.1" - changes: - - description: Add documentation for multi-fields - type: enhancement - link: https://github.com/elastic/integrations/pull/2916 -- version: "0.1.0" - changes: - - description: Update to ECS 8.0.0 - type: enhancement - link: https://github.com/elastic/integrations/pull/2590 -- version: "0.0.2" - changes: - - description: Regenerate test files using the new GeoIP database - type: bugfix - link: https://github.com/elastic/integrations/pull/2339 -- version: "0.0.1" - changes: - - description: Initial release of new package split from oroginal Juniper package - type: enhancement # can be one of: enhancement, bugfix, breaking-change - link: https://github.com/elastic/integrations/pull/2070 
diff --git a/packages/juniper_netscreen/0.4.1/data_stream/log/agent/stream/logfile.yml.hbs b/packages/juniper_netscreen/0.4.1/data_stream/log/agent/stream/logfile.yml.hbs deleted file mode 100755 index 36eb610dff..0000000000 --- a/packages/juniper_netscreen/0.4.1/data_stream/log/agent/stream/logfile.yml.hbs +++ /dev/null 
@@ -1,26357 +0,0 @@ -paths: -{{#each paths as |path i|}} - - {{path}} -{{/each}} -prospector.scanner.exclude_files: ['\.gz$'] -tags: -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#each tags as |tag i|}} - - {{tag}} -{{/each}} -fields_under_root: true -fields: - observer: - vendor: "Juniper" - product: "Netscreen" - type: "Firewall" -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} -processors: -{{#if processors}} -{{processors}} -{{/if}} -- script: - lang: javascript - params: - ecs: true - rsa: {{rsa_fields}} - tz_offset: {{tz_offset}} - keep_raw: {{keep_raw_fields}} - debug: {{debug}} - source: | - // Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - // or more contributor license agreements. Licensed under the Elastic License; - // you may not use this file except in compliance with the Elastic License. - - /* jshint -W014,-W016,-W097,-W116 */ - - var processor = require("processor"); - var console = require("console"); - - var FLAG_FIELD = "log.flags"; - var FIELDS_OBJECT = "nwparser"; - var FIELDS_PREFIX = FIELDS_OBJECT + "."; - - var defaults = { - debug: false, - ecs: true, - rsa: false, - keep_raw: false, - tz_offset: "local", - strip_priority: true - }; - - var saved_flags = null; - var debug; - var map_ecs; - var map_rsa; - var keep_raw; - var device; - var tz_offset; - var strip_priority; - - // Register params from configuration. - function register(params) { - debug = params.debug !== undefined ? params.debug : defaults.debug; - map_ecs = params.ecs !== undefined ? params.ecs : defaults.ecs; - map_rsa = params.rsa !== undefined ? params.rsa : defaults.rsa; - keep_raw = params.keep_raw !== undefined ? params.keep_raw : defaults.keep_raw; - tz_offset = parse_tz_offset(params.tz_offset !== undefined? params.tz_offset : defaults.tz_offset); - strip_priority = params.strip_priority !== undefined? 
params.strip_priority : defaults.strip_priority; - device = new DeviceProcessor(); - } - - function parse_tz_offset(offset) { - var date; - var m; - switch(offset) { - // local uses the tz offset from the JS VM. - case "local": - date = new Date(); - // Reversing the sign as we the offset from UTC, not to UTC. - return parse_local_tz_offset(-date.getTimezoneOffset()); - // event uses the tz offset from event.timezone (add_locale processor). - case "event": - return offset; - // Otherwise a tz offset in the form "[+-][0-9]{4}" is required. - default: - m = offset.match(/^([+\-])([0-9]{2}):?([0-9]{2})?$/); - if (m === null || m.length !== 4) { - throw("bad timezone offset: '" + offset + "'. Must have the form +HH:MM"); - } - return m[1] + m[2] + ":" + (m[3]!==undefined? m[3] : "00"); - } - } - - function parse_local_tz_offset(minutes) { - var neg = minutes < 0; - minutes = Math.abs(minutes); - var min = minutes % 60; - var hours = Math.floor(minutes / 60); - var pad2digit = function(n) { - if (n < 10) { return "0" + n;} - return "" + n; - }; - return (neg? "-" : "+") + pad2digit(hours) + ":" + pad2digit(min); - } - - function process(evt) { - // Function register is only called by the processor when `params` are set - // in the processor config. - if (device === undefined) { - register(defaults); - } - return device.process(evt); - } - - function processor_chain(subprocessors) { - var builder = new processor.Chain(); - subprocessors.forEach(builder.Add); - return builder.Build().Run; - } - - function linear_select(subprocessors) { - return function (evt) { - var flags = evt.Get(FLAG_FIELD); - var i; - for (i = 0; i < subprocessors.length; i++) { - evt.Delete(FLAG_FIELD); - if (debug) console.warn("linear_select trying entry " + i); - subprocessors[i](evt); - // Dissect processor succeeded? 
- if (evt.Get(FLAG_FIELD) == null) break; - if (debug) console.warn("linear_select failed entry " + i); - } - if (flags !== null) { - evt.Put(FLAG_FIELD, flags); - } - if (debug) { - if (i < subprocessors.length) { - console.warn("linear_select matched entry " + i); - } else { - console.warn("linear_select didn't match"); - } - } - }; - } - - function conditional(opt) { - return function(evt) { - if (opt.if(evt)) { - opt.then(evt); - } else if (opt.else) { - opt.else(evt); - } - }; - } - - var strip_syslog_priority = (function() { - var isEnabled = function() { return strip_priority === true; }; - var fetchPRI = field("_pri"); - var fetchPayload = field("payload"); - var removePayload = remove(["payload"]); - var cleanup = remove(["_pri", "payload"]); - var onMatch = function(evt) { - var pri, priStr = fetchPRI(evt); - if (priStr != null - && 0 < priStr.length && priStr.length < 4 - && !isNaN((pri = Number(priStr))) - && 0 <= pri && pri < 192) { - var severity = pri & 7, - facility = pri >> 3; - setc("_severity", "" + severity)(evt); - setc("_facility", "" + facility)(evt); - // Replace message with priority stripped. - evt.Put("message", fetchPayload(evt)); - removePayload(evt); - } else { - // not a valid syslog PRI, cleanup. 
- cleanup(evt); - } - }; - return conditional({ - if: isEnabled, - then: cleanup_flags(match( - "STRIP_PRI", - "message", - "<%{_pri}>%{payload}", - onMatch - )) - }); - })(); - - function match(id, src, pattern, on_success) { - var dissect = new processor.Dissect({ - field: src, - tokenizer: pattern, - target_prefix: FIELDS_OBJECT, - ignore_failure: true, - overwrite_keys: true, - trim_values: "right" - }); - return function (evt) { - var msg = evt.Get(src); - dissect.Run(evt); - var failed = evt.Get(FLAG_FIELD) != null; - if (debug) { - if (failed) { - console.debug("dissect fail: " + id + " field:" + src); - } else { - console.debug("dissect OK: " + id + " field:" + src); - } - console.debug(" expr: <<" + pattern + ">>"); - console.debug(" input: <<" + msg + ">>"); - } - if (on_success != null && !failed) { - on_success(evt); - } - }; - } - - function match_copy(id, src, dst, on_success) { - dst = FIELDS_PREFIX + dst; - if (dst === FIELDS_PREFIX || dst === src) { - return function (evt) { - if (debug) { - console.debug("noop OK: " + id + " field:" + src); - console.debug(" input: <<" + evt.Get(src) + ">>"); - } - if (on_success != null) on_success(evt); - } - } - return function (evt) { - var msg = evt.Get(src); - evt.Put(dst, msg); - if (debug) { - console.debug("copy OK: " + id + " field:" + src); - console.debug(" target: '" + dst + "'"); - console.debug(" input: <<" + msg + ">>"); - } - if (on_success != null) on_success(evt); - } - } - - function cleanup_flags(processor) { - return function(evt) { - processor(evt); - evt.Delete(FLAG_FIELD); - }; - } - - function all_match(opts) { - return function (evt) { - var i; - for (i = 0; i < opts.processors.length; i++) { - evt.Delete(FLAG_FIELD); - opts.processors[i](evt); - // Dissect processor succeeded? 
- if (evt.Get(FLAG_FIELD) != null) { - if (debug) console.warn("all_match failure at " + i); - if (opts.on_failure != null) opts.on_failure(evt); - return; - } - if (debug) console.warn("all_match success at " + i); - } - if (opts.on_success != null) opts.on_success(evt); - }; - } - - function msgid_select(mapping) { - return function (evt) { - var msgid = evt.Get(FIELDS_PREFIX + "messageid"); - if (msgid == null) { - if (debug) console.warn("msgid_select: no messageid captured!"); - return; - } - var next = mapping[msgid]; - if (next === undefined) { - if (debug) console.warn("msgid_select: no mapping for messageid:" + msgid); - return; - } - if (debug) console.info("msgid_select: matched key=" + msgid); - return next(evt); - }; - } - - function msg(msg_id, match) { - return function (evt) { - match(evt); - if (evt.Get(FLAG_FIELD) == null) { - evt.Put(FIELDS_PREFIX + "msg_id1", msg_id); - } - }; - } - - var start; - - function save_flags(evt) { - saved_flags = evt.Get(FLAG_FIELD); - evt.Put("event.original", evt.Get("message")); - } - - function restore_flags(evt) { - if (saved_flags !== null) { - evt.Put(FLAG_FIELD, saved_flags); - } - evt.Delete("message"); - } - - function constant(value) { - return function (evt) { - return value; - }; - } - - function field(name) { - var fullname = FIELDS_PREFIX + name; - return function (evt) { - return evt.Get(fullname); - }; - } - - function STRCAT(args) { - var s = ""; - var i; - for (i = 0; i < args.length; i++) { - s += args[i]; - } - return s; - } - - // TODO: Implement - function DIRCHK(args) { - unimplemented("DIRCHK"); - } - - function strictToInt(str) { - return str * 1; - } - - function CALC(args) { - if (args.length !== 3) { - console.warn("skipped call to CALC with " + args.length + " arguments."); - return; - } - var a = strictToInt(args[0]); - var b = strictToInt(args[2]); - if (isNaN(a) || isNaN(b)) { - console.warn("failed evaluating CALC arguments a='" + args[0] + "' b='" + args[2] + "'."); - return; - } - 
var result; - switch (args[1]) { - case "+": - result = a + b; - break; - case "-": - result = a - b; - break; - case "*": - result = a * b; - break; - default: - // Only * and + seen in the parsers. - console.warn("unknown CALC operation '" + args[1] + "'."); - return; - } - // Always return a string - return result !== undefined ? "" + result : result; - } - - var quoteChars = "\"'`"; - function RMQ(args) { - if(args.length !== 1) { - console.warn("RMQ: only one argument expected"); - return; - } - var value = args[0].trim(); - var n = value.length; - var char; - return n > 1 - && (char=value.charAt(0)) === value.charAt(n-1) - && quoteChars.indexOf(char) !== -1? - value.substr(1, n-2) - : value; - } - - function call(opts) { - var args = new Array(opts.args.length); - return function (evt) { - for (var i = 0; i < opts.args.length; i++) - if ((args[i] = opts.args[i](evt)) == null) return; - var result = opts.fn(args); - if (result != null) { - evt.Put(opts.dest, result); - } - }; - } - - function nop(evt) { - } - - function appendErrorMsg(evt, msg) { - var value = evt.Get("error.message"); - if (value == null) { - value = [msg]; - } else if (msg instanceof Array) { - value.push(msg); - } else { - value = [value, msg]; - } - evt.Put("error.message", value); - } - - function unimplemented(name) { - appendErrorMsg("unimplemented feature: " + name); - } - - function lookup(opts) { - return function (evt) { - var key = opts.key(evt); - if (key == null) return; - var value = opts.map.keyvaluepairs[key]; - if (value === undefined) { - value = opts.map.default; - } - if (value !== undefined) { - evt.Put(opts.dest, value(evt)); - } - }; - } - - function set(fields) { - return new processor.AddFields({ - target: FIELDS_OBJECT, - fields: fields, - }); - } - - function setf(dst, src) { - return function (evt) { - var val = evt.Get(FIELDS_PREFIX + src); - if (val != null) evt.Put(FIELDS_PREFIX + dst, val); - }; - } - - function setc(dst, value) { - return function (evt) { - 
evt.Put(FIELDS_PREFIX + dst, value); - }; - } - - function set_field(opts) { - return function (evt) { - var val = opts.value(evt); - if (val != null) evt.Put(opts.dest, val); - }; - } - - function dump(label) { - return function (evt) { - console.log("Dump of event at " + label + ": " + JSON.stringify(evt, null, "\t")); - }; - } - - function date_time_join_args(evt, arglist) { - var str = ""; - for (var i = 0; i < arglist.length; i++) { - var fname = FIELDS_PREFIX + arglist[i]; - var val = evt.Get(fname); - if (val != null) { - if (str !== "") str += " "; - str += val; - } else { - if (debug) console.warn("in date_time: input arg " + fname + " is not set"); - } - } - return str; - } - - function to2Digit(num) { - return num? (num < 10? "0" + num : num) : "00"; - } - - // Make two-digit dates 00-69 interpreted as 2000-2069 - // and dates 70-99 translated to 1970-1999. - var twoDigitYearEpoch = 70; - var twoDigitYearCentury = 2000; - - // This is to accept dates up to 2 days in the future, only used when - // no year is specified in a date. 2 days should be enough to account for - // time differences between systems and different tz offsets. - var maxFutureDelta = 2*24*60*60*1000; - - // DateContainer stores date fields and then converts those fields into - // a Date. Necessary because building a Date using its set() methods gives - // different results depending on the order of components. - function DateContainer(tzOffset) { - this.offset = tzOffset === undefined? "Z" : tzOffset; - } - - DateContainer.prototype = { - setYear: function(v) {this.year = v;}, - setMonth: function(v) {this.month = v;}, - setDay: function(v) {this.day = v;}, - setHours: function(v) {this.hours = v;}, - setMinutes: function(v) {this.minutes = v;}, - setSeconds: function(v) {this.seconds = v;}, - - setUNIX: function(v) {this.unix = v;}, - - set2DigitYear: function(v) { - this.year = v < twoDigitYearEpoch? 
twoDigitYearCentury + v : twoDigitYearCentury + v - 100; - }, - - toDate: function() { - if (this.unix !== undefined) { - return new Date(this.unix * 1000); - } - if (this.day === undefined || this.month === undefined) { - // Can't make a date from this. - return undefined; - } - if (this.year === undefined) { - // A date without a year. Set current year, or previous year - // if date would be in the future. - var now = new Date(); - this.year = now.getFullYear(); - var date = this.toDate(); - if (date.getTime() - now.getTime() > maxFutureDelta) { - date.setFullYear(now.getFullYear() - 1); - } - return date; - } - var MM = to2Digit(this.month); - var DD = to2Digit(this.day); - var hh = to2Digit(this.hours); - var mm = to2Digit(this.minutes); - var ss = to2Digit(this.seconds); - return new Date(this.year + "-" + MM + "-" + DD + "T" + hh + ":" + mm + ":" + ss + this.offset); - } - } - - function date_time_try_pattern(fmt, str, tzOffset) { - var date = new DateContainer(tzOffset); - var pos = date_time_try_pattern_at_pos(fmt, str, 0, date); - return pos !== undefined? 
date.toDate() : undefined; - } - - function date_time_try_pattern_at_pos(fmt, str, pos, date) { - var len = str.length; - for (var proc = 0; pos !== undefined && pos < len && proc < fmt.length; proc++) { - pos = fmt[proc](str, pos, date); - } - return pos; - } - - function date_time(opts) { - return function (evt) { - var tzOffset = opts.tz || tz_offset; - if (tzOffset === "event") { - tzOffset = evt.Get("event.timezone"); - } - var str = date_time_join_args(evt, opts.args); - for (var i = 0; i < opts.fmts.length; i++) { - var date = date_time_try_pattern(opts.fmts[i], str, tzOffset); - if (date !== undefined) { - evt.Put(FIELDS_PREFIX + opts.dest, date); - return; - } - } - if (debug) console.warn("in date_time: id=" + opts.id + " FAILED: " + str); - }; - } - - var uA = 60 * 60 * 24; - var uD = 60 * 60 * 24; - var uF = 60 * 60; - var uG = 60 * 60 * 24 * 30; - var uH = 60 * 60; - var uI = 60 * 60; - var uJ = 60 * 60 * 24; - var uM = 60 * 60 * 24 * 30; - var uN = 60 * 60; - var uO = 1; - var uS = 1; - var uT = 60; - var uU = 60; - var uc = dc; - - function duration(opts) { - return function(evt) { - var str = date_time_join_args(evt, opts.args); - for (var i = 0; i < opts.fmts.length; i++) { - var seconds = duration_try_pattern(opts.fmts[i], str); - if (seconds !== undefined) { - evt.Put(FIELDS_PREFIX + opts.dest, seconds); - return; - } - } - if (debug) console.warn("in duration: id=" + opts.id + " (s) FAILED: " + str); - }; - } - - function duration_try_pattern(fmt, str) { - var secs = 0; - var pos = 0; - for (var i=0; i [ month_id , how many chars to skip if month in long form ] - "Jan": [0, 4], - "Feb": [1, 5], - "Mar": [2, 2], - "Apr": [3, 2], - "May": [4, 0], - "Jun": [5, 1], - "Jul": [6, 1], - "Aug": [7, 3], - "Sep": [8, 6], - "Oct": [9, 4], - "Nov": [10, 5], - "Dec": [11, 4], - "jan": [0, 4], - "feb": [1, 5], - "mar": [2, 2], - "apr": [3, 2], - "may": [4, 0], - "jun": [5, 1], - "jul": [6, 1], - "aug": [7, 3], - "sep": [8, 6], - "oct": [9, 4], - "nov": [10, 
5], - "dec": [11, 4], - }; - - // var dC = undefined; - var dR = dateMonthName(true); - var dB = dateMonthName(false); - var dM = dateFixedWidthNumber("M", 2, 1, 12, DateContainer.prototype.setMonth); - var dG = dateVariableWidthNumber("G", 1, 12, DateContainer.prototype.setMonth); - var dD = dateFixedWidthNumber("D", 2, 1, 31, DateContainer.prototype.setDay); - var dF = dateVariableWidthNumber("F", 1, 31, DateContainer.prototype.setDay); - var dH = dateFixedWidthNumber("H", 2, 0, 24, DateContainer.prototype.setHours); - var dI = dateVariableWidthNumber("I", 0, 24, DateContainer.prototype.setHours); // Accept hours >12 - var dN = dateVariableWidthNumber("N", 0, 24, DateContainer.prototype.setHours); - var dT = dateFixedWidthNumber("T", 2, 0, 59, DateContainer.prototype.setMinutes); - var dU = dateVariableWidthNumber("U", 0, 59, DateContainer.prototype.setMinutes); - var dP = parseAMPM; // AM|PM - var dQ = parseAMPM; // A.M.|P.M - var dS = dateFixedWidthNumber("S", 2, 0, 60, DateContainer.prototype.setSeconds); - var dO = dateVariableWidthNumber("O", 0, 60, DateContainer.prototype.setSeconds); - var dY = dateFixedWidthNumber("Y", 2, 0, 99, DateContainer.prototype.set2DigitYear); - var dW = dateFixedWidthNumber("W", 4, 1000, 9999, DateContainer.prototype.setYear); - var dZ = parseHMS; - var dX = dateVariableWidthNumber("X", 0, 0x10000000000, DateContainer.prototype.setUNIX); - - // parseAMPM parses "A.M", "AM", "P.M", "PM" from logs. - // Only works if this modifier appears after the hour has been read from logs - // which is always the case in the 300 devices. 
- function parseAMPM(str, pos, date) { - var n = str.length; - var start = skipws(str, pos); - if (start + 2 > n) return; - var head = str.substr(start, 2).toUpperCase(); - var isPM = false; - var skip = false; - switch (head) { - case "A.": - skip = true; - /* falls through */ - case "AM": - break; - case "P.": - skip = true; - /* falls through */ - case "PM": - isPM = true; - break; - default: - if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(head:" + head + ")"); - return; - } - pos = start + 2; - if (skip) { - if (pos+2 > n || str.substr(pos, 2).toUpperCase() !== "M.") { - if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(tail)"); - return; - } - pos += 2; - } - var hh = date.hours; - if (isPM) { - // Accept existing hour in 24h format. - if (hh < 12) hh += 12; - } else { - if (hh === 12) hh = 0; - } - date.setHours(hh); - return pos; - } - - function parseHMS(str, pos, date) { - return date_time_try_pattern_at_pos([dN, dc(":"), dU, dc(":"), dO], str, pos, date); - } - - function skipws(str, pos) { - for ( var n = str.length; - pos < n && str.charAt(pos) === " "; - pos++) - ; - return pos; - } - - function skipdigits(str, pos) { - var c; - for (var n = str.length; - pos < n && (c = str.charAt(pos)) >= "0" && c <= "9"; - pos++) - ; - return pos; - } - - function dSkip(str, pos, date) { - var chr; - for (;pos < str.length && (chr=str[pos])<'0' || chr>'9'; pos++) {} - return pos < str.length? 
pos : undefined; - } - - function dateVariableWidthNumber(fmtChar, min, max, setter) { - return function (str, pos, date) { - var start = skipws(str, pos); - pos = skipdigits(str, start); - var s = str.substr(start, pos - start); - var value = parseInt(s, 10); - if (value >= min && value <= max) { - setter.call(date, value); - return pos; - } - return; - }; - } - - function dateFixedWidthNumber(fmtChar, width, min, max, setter) { - return function (str, pos, date) { - pos = skipws(str, pos); - var n = str.length; - if (pos + width > n) return; - var s = str.substr(pos, width); - var value = parseInt(s, 10); - if (value >= min && value <= max) { - setter.call(date, value); - return pos + width; - } - return; - }; - } - - // Short month name (Jan..Dec). - function dateMonthName(long) { - return function (str, pos, date) { - pos = skipws(str, pos); - var n = str.length; - if (pos + 3 > n) return; - var mon = str.substr(pos, 3); - var idx = shortMonths[mon]; - if (idx === undefined) { - idx = shortMonths[mon.toLowerCase()]; - } - if (idx === undefined) { - //console.warn("parsing date_time: '" + mon + "' is not a valid short month (%B)"); - return; - } - date.setMonth(idx[0]+1); - return pos + 3 + (long ? 
idx[1] : 0); - }; - } - - function url_wrapper(dst, src, fn) { - return function(evt) { - var value = evt.Get(FIELDS_PREFIX + src), result; - if (value != null && (result = fn(value))!== undefined) { - evt.Put(FIELDS_PREFIX + dst, result); - } else { - console.debug(fn.name + " failed for '" + value + "'"); - } - }; - } - - // The following regular expression for parsing URLs from: - // https://github.com/wizard04wsu/URI_Parsing - // - // The MIT License (MIT) - // - // Copyright (c) 2014 Andrew Harrison - // - // Permission is hereby granted, free of charge, to any person obtaining a copy of - // this software and associated documentation files (the "Software"), to deal in - // the Software without restriction, including without limitation the rights to - // use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of - // the Software, and to permit persons to whom the Software is furnished to do so, - // subject to the following conditions: - // - // The above copyright notice and this permission notice shall be included in all - // copies or substantial portions of the Software. - // - // THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR - // IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS - // FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR - // COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER - // IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN - // CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 
- var uriRegExp = /^([a-z][a-z0-9+.\-]*):(?:\/\/((?:(?=((?:[a-z0-9\-._~!$&'()*+,;=:]|%[0-9A-F]{2})*))(\3)@)?(?=(\[[0-9A-F:.]{2,}\]|(?:[a-z0-9\-._~!$&'()*+,;=]|%[0-9A-F]{2})*))\5(?::(?=(\d*))\6)?)(\/(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\8)?|(\/?(?!\/)(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\10)?)(?:\?(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\11)?(?:#(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\12)?$/i; - - var uriScheme = 1; - var uriDomain = 5; - var uriPort = 6; - var uriPath = 7; - var uriPathAlt = 9; - var uriQuery = 11; - - function domain(dst, src) { - return url_wrapper(dst, src, extract_domain); - } - - function split_url(value) { - var m = value.match(uriRegExp); - if (m && m[uriDomain]) return m; - // Support input in the form "www.example.net/path", but not "/path". - m = ("null://" + value).match(uriRegExp); - if (m) return m; - } - - function extract_domain(value) { - var m = split_url(value); - if (m && m[uriDomain]) return m[uriDomain]; - } - - var extFromPage = /\.[^.]+$/; - function extract_ext(value) { - var page = extract_page(value); - if (page) { - var m = page.match(extFromPage); - if (m) return m[0]; - } - } - - function ext(dst, src) { - return url_wrapper(dst, src, extract_ext); - } - - function fqdn(dst, src) { - // TODO: fqdn and domain(eTLD+1) are currently the same. - return domain(dst, src); - } - - var pageFromPathRegExp = /\/([^\/]+)$/; - var pageName = 1; - - function extract_page(value) { - value = extract_path(value); - if (!value) return undefined; - var m = value.match(pageFromPathRegExp); - if (m) return m[pageName]; - } - - function page(dst, src) { - return url_wrapper(dst, src, extract_page); - } - - function extract_path(value) { - var m = split_url(value); - return m? m[uriPath] || m[uriPathAlt] : undefined; - } - - function path(dst, src) { - return url_wrapper(dst, src, extract_path); - } - - // Map common schemes to their default port. 
- // port has to be a string (will be converted at a later stage). - var schemePort = { - "ftp": "21", - "ssh": "22", - "http": "80", - "https": "443", - }; - - function extract_port(value) { - var m = split_url(value); - if (!m) return undefined; - if (m[uriPort]) return m[uriPort]; - if (m[uriScheme]) { - return schemePort[m[uriScheme]]; - } - } - - function port(dst, src) { - return url_wrapper(dst, src, extract_port); - } - - function extract_query(value) { - var m = split_url(value); - if (m && m[uriQuery]) return m[uriQuery]; - } - - function query(dst, src) { - return url_wrapper(dst, src, extract_query); - } - - function extract_root(value) { - var m = split_url(value); - if (m && m[uriDomain] && m[uriDomain]) { - var scheme = m[uriScheme] && m[uriScheme] !== "null"? - m[uriScheme] + "://" : ""; - var port = m[uriPort]? ":" + m[uriPort] : ""; - return scheme + m[uriDomain] + port; - } - } - - function root(dst, src) { - return url_wrapper(dst, src, extract_root); - } - - function tagval(id, src, cfg, keys, on_success) { - var fail = function(evt) { - evt.Put(FLAG_FIELD, "tagval_parsing_error"); - } - if (cfg.kv_separator.length !== 1) { - throw("Invalid TAGVALMAP ValueDelimiter (must have 1 character)"); - } - var quotes_len = cfg.open_quote.length > 0 && cfg.close_quote.length > 0? 
- cfg.open_quote.length + cfg.close_quote.length : 0; - var kv_regex = new RegExp('^([^' + cfg.kv_separator + ']*)*' + cfg.kv_separator + ' *(.*)*$'); - return function(evt) { - var msg = evt.Get(src); - if (msg === undefined) { - console.warn("tagval: input field is missing"); - return fail(evt); - } - var pairs = msg.split(cfg.pair_separator); - var i; - var success = false; - var prev = ""; - for (i=0; i 0 && - value.length >= cfg.open_quote.length + cfg.close_quote.length && - value.substr(0, cfg.open_quote.length) === cfg.open_quote && - value.substr(value.length - cfg.close_quote.length) === cfg.close_quote) { - value = value.substr(cfg.open_quote.length, value.length - quotes_len); - } - evt.Put(FIELDS_PREFIX + field, value); - success = true; - } - if (!success) { - return fail(evt); - } - if (on_success != null) { - on_success(evt); - } - } - } - - var ecs_mappings = { - "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]}, - "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]}, - "_severity": {convert: to_long, to:[{field: "log.syslog.severity.code", setter: fld_set}]}, - "action": {to:[{field: "event.action", setter: fld_prio, prio: 0}]}, - "administrator": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 4}]}, - "alias.ip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 3},{field: "related.ip", setter: fld_append}]}, - "alias.ipv6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 4},{field: "related.ip", setter: fld_append}]}, - "alias.mac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 1}]}, - "application": {to:[{field: "network.application", setter: fld_set}]}, - "bytes": {convert: to_long, to:[{field: "network.bytes", setter: fld_set}]}, - "c_domain": {to:[{field: "source.domain", setter: fld_prio, prio: 1}]}, - "c_logon_id": {to:[{field: "user.id", setter: fld_prio, prio: 2}]}, - 
"c_user_name": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 8}]}, - "c_username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 2}]}, - "cctld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 1}]}, - "child_pid": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 1}]}, - "child_pid_val": {to:[{field: "process.title", setter: fld_set}]}, - "child_process": {to:[{field: "process.name", setter: fld_prio, prio: 1}]}, - "city.dst": {to:[{field: "destination.geo.city_name", setter: fld_set}]}, - "city.src": {to:[{field: "source.geo.city_name", setter: fld_set}]}, - "daddr": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, - "daddr_v6": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, - "ddomain": {to:[{field: "destination.domain", setter: fld_prio, prio: 0}]}, - "devicehostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, - "devicehostmac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 0}]}, - "dhost": {to:[{field: "destination.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]}, - "dinterface": {to:[{field: "observer.egress.interface.name", setter: fld_set}]}, - "direction": {to:[{field: "network.direction", setter: fld_set}]}, - "directory": {to:[{field: "file.directory", setter: fld_set}]}, - "dmacaddr": {convert: to_mac, to:[{field: "destination.mac", setter: fld_set}]}, - "dns.responsetype": {to:[{field: "dns.answers.type", setter: fld_set}]}, - "dns.resptext": {to:[{field: "dns.answers.name", setter: fld_set}]}, - "dns_querytype": {to:[{field: "dns.question.type", setter: fld_set}]}, - "domain": {to:[{field: "server.domain", setter: fld_prio, prio: 0},{field: "related.hosts", setter: fld_append}]}, - 
"domain.dst": {to:[{field: "destination.domain", setter: fld_prio, prio: 1}]}, - "domain.src": {to:[{field: "source.domain", setter: fld_prio, prio: 2}]}, - "domain_id": {to:[{field: "user.domain", setter: fld_set}]}, - "domainname": {to:[{field: "server.domain", setter: fld_prio, prio: 1}]}, - "dport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 0}]}, - "dtransaddr": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, - "dtransport": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 0}]}, - "ec_outcome": {to:[{field: "event.outcome", setter: fld_ecs_outcome}]}, - "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]}, - "event_source": {to:[{field: "related.hosts", setter: fld_append}]}, - "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]}, - "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]}, - "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]}, - "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]}, - "filename": {to:[{field: "file.name", setter: fld_prio, prio: 0}]}, - "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]}, - "filepath": {to:[{field: "file.path", setter: fld_set}]}, - "filetype": {to:[{field: "file.type", setter: fld_set}]}, - "fqdn": {to:[{field: "related.hosts", setter: fld_append}]}, - "group": {to:[{field: "group.name", setter: fld_set}]}, - "groupid": {to:[{field: "group.id", setter: fld_set}]}, - "host": {to:[{field: "host.name", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]}, - "hostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, - "hostip_v6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, - "hostname": {to:[{field: 
"host.name", setter: fld_prio, prio: 0}]}, - "id": {to:[{field: "event.code", setter: fld_prio, prio: 0}]}, - "interface": {to:[{field: "network.interface.name", setter: fld_set}]}, - "ip.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, - "ip.trans.dst": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, - "ip.trans.src": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, - "ipv6.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, - "latdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lat", setter: fld_set}]}, - "latdec_src": {convert: to_double, to:[{field: "source.geo.location.lat", setter: fld_set}]}, - "location_city": {to:[{field: "geo.city_name", setter: fld_set}]}, - "location_country": {to:[{field: "geo.country_name", setter: fld_set}]}, - "location_desc": {to:[{field: "geo.name", setter: fld_set}]}, - "location_dst": {to:[{field: "destination.geo.country_name", setter: fld_set}]}, - "location_src": {to:[{field: "source.geo.country_name", setter: fld_set}]}, - "location_state": {to:[{field: "geo.region_name", setter: fld_set}]}, - "logon_id": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 5}]}, - "longdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lon", setter: fld_set}]}, - "longdec_src": {convert: to_double, to:[{field: "source.geo.location.lon", setter: fld_set}]}, - "macaddr": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 2}]}, - "messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]}, - "method": {to:[{field: "http.request.method", setter: fld_set}]}, - "msg": {to:[{field: "message", setter: fld_set}]}, - "orig_ip": {convert: to_ip, 
to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, - "owner": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 6}]}, - "packets": {convert: to_long, to:[{field: "network.packets", setter: fld_set}]}, - "parent_pid": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 0}]}, - "parent_pid_val": {to:[{field: "process.parent.title", setter: fld_set}]}, - "parent_process": {to:[{field: "process.parent.name", setter: fld_prio, prio: 0}]}, - "patient_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 1}]}, - "port.dst": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 1}]}, - "port.src": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 1}]}, - "port.trans.dst": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 1}]}, - "port.trans.src": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 1}]}, - "process": {to:[{field: "process.name", setter: fld_prio, prio: 0}]}, - "process_id": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 0}]}, - "process_id_src": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 1}]}, - "process_src": {to:[{field: "process.parent.name", setter: fld_prio, prio: 1}]}, - "product": {to:[{field: "observer.product", setter: fld_set}]}, - "protocol": {to:[{field: "network.protocol", setter: fld_set}]}, - "query": {to:[{field: "url.query", setter: fld_prio, prio: 2}]}, - "rbytes": {convert: to_long, to:[{field: "destination.bytes", setter: fld_set}]}, - "referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 1}]}, - "rulename": {to:[{field: "rule.name", setter: fld_set}]}, - "saddr": {convert: to_ip, to:[{field: "source.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, - "saddr_v6": {convert: to_ip, to:[{field: "source.ip", setter: 
fld_set},{field: "related.ip", setter: fld_append}]}, - "sbytes": {convert: to_long, to:[{field: "source.bytes", setter: fld_set}]}, - "sdomain": {to:[{field: "source.domain", setter: fld_prio, prio: 0}]}, - "service": {to:[{field: "service.name", setter: fld_prio, prio: 1}]}, - "service.name": {to:[{field: "service.name", setter: fld_prio, prio: 0}]}, - "service_account": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 7}]}, - "severity": {to:[{field: "log.level", setter: fld_set}]}, - "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]}, - "sinterface": {to:[{field: "observer.ingress.interface.name", setter: fld_set}]}, - "sld": {to:[{field: "url.registered_domain", setter: fld_set}]}, - "smacaddr": {convert: to_mac, to:[{field: "source.mac", setter: fld_set}]}, - "sport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 0}]}, - "stransaddr": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, - "stransport": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 0}]}, - "tcp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 2}]}, - "tcp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 2}]}, - "timezone": {to:[{field: "event.timezone", setter: fld_set}]}, - "tld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 0}]}, - "udp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 3}]}, - "udp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 3}]}, - "uid": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 3}]}, - "url": {to:[{field: "url.original", setter: fld_prio, prio: 1}]}, - "url_raw": {to:[{field: "url.original", setter: fld_prio, prio: 
0}]},
- "urldomain": {to:[{field: "url.domain", setter: fld_prio, prio: 0}]},
- "urlquery": {to:[{field: "url.query", setter: fld_prio, prio: 0}]},
- "user": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 0}]},
- "user.id": {to:[{field: "user.id", setter: fld_prio, prio: 1}]},
- "user_agent": {to:[{field: "user_agent.original", setter: fld_set}]},
- "user_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 0}]},
- "user_id": {to:[{field: "user.id", setter: fld_prio, prio: 0}]},
- "username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 1}]},
- "version": {to:[{field: "observer.version", setter: fld_set}]},
- "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]},
- "web_extension": {to:[{field: "file.extension", setter: fld_prio, prio: 0}]},
- "web_query": {to:[{field: "url.query", setter: fld_prio, prio: 1}]},
- "web_ref_domain": {to:[{field: "related.hosts", setter: fld_append}]},
- "web_referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 0}]},
- "web_root": {to:[{field: "url.path", setter: fld_set}]},
- "webpage": {to:[{field: "file.name", setter: fld_prio, prio: 1}]},
- };
-
- var rsa_mappings = {
- "access_point": {to:[{field: "rsa.wireless.access_point", setter: fld_set}]},
- "accesses": {to:[{field: "rsa.identity.accesses", setter: fld_set}]},
- "acl_id": {to:[{field: "rsa.misc.acl_id", setter: fld_set}]},
- "acl_op": {to:[{field: "rsa.misc.acl_op", setter: fld_set}]},
- "acl_pos": {to:[{field: "rsa.misc.acl_pos", setter: fld_set}]},
- "acl_table": {to:[{field: "rsa.misc.acl_table", setter: fld_set}]},
- "action": {to:[{field: "rsa.misc.action", setter: fld_append}]},
- "ad_computer_dst": {to:[{field: "rsa.network.ad_computer_dst", setter: fld_set}]},
- "addr": {to:[{field: "rsa.network.addr", setter: fld_set}]},
- "admin": {to:[{field: "rsa.misc.admin", setter: fld_set}]},
- "agent": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 0}]},
- "agent.id": {to:[{field: "rsa.misc.agent_id", setter: fld_set}]},
- "alarm_id": {to:[{field: "rsa.misc.alarm_id", setter: fld_set}]},
- "alarmname": {to:[{field: "rsa.misc.alarmname", setter: fld_set}]},
- "alert": {to:[{field: "rsa.threat.alert", setter: fld_set}]},
- "alert_id": {to:[{field: "rsa.misc.alert_id", setter: fld_set}]},
- "alias.host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
- "analysis.file": {to:[{field: "rsa.investigations.analysis_file", setter: fld_set}]},
- "analysis.service": {to:[{field: "rsa.investigations.analysis_service", setter: fld_set}]},
- "analysis.session": {to:[{field: "rsa.investigations.analysis_session", setter: fld_set}]},
- "app_id": {to:[{field: "rsa.misc.app_id", setter: fld_set}]},
- "attachment": {to:[{field: "rsa.file.attachment", setter: fld_set}]},
- "audit": {to:[{field: "rsa.misc.audit", setter: fld_set}]},
- "audit_class": {to:[{field: "rsa.internal.audit_class", setter: fld_set}]},
- "audit_object": {to:[{field: "rsa.misc.audit_object", setter: fld_set}]},
- "auditdata": {to:[{field: "rsa.misc.auditdata", setter: fld_set}]},
- "authmethod": {to:[{field: "rsa.identity.auth_method", setter: fld_set}]},
- "autorun_type": {to:[{field: "rsa.misc.autorun_type", setter: fld_set}]},
- "bcc": {to:[{field: "rsa.email.email", setter: fld_append}]},
- "benchmark": {to:[{field: "rsa.misc.benchmark", setter: fld_set}]},
- "binary": {to:[{field: "rsa.file.binary", setter: fld_set}]},
- "boc": {to:[{field: "rsa.investigations.boc", setter: fld_set}]},
- "bssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 1}]},
- "bypass": {to:[{field: "rsa.misc.bypass", setter: fld_set}]},
- "c_sid": {to:[{field: "rsa.identity.user_sid_src", setter: fld_set}]},
- "cache": {to:[{field: "rsa.misc.cache", setter: fld_set}]},
- "cache_hit": {to:[{field: "rsa.misc.cache_hit", setter: fld_set}]},
- "calling_from": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 1}]},
- "calling_to": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 0}]},
- "category": {to:[{field: "rsa.misc.category", setter: fld_set}]},
- "cc": {to:[{field: "rsa.email.email", setter: fld_append}]},
- "cc.number": {convert: to_long, to:[{field: "rsa.misc.cc_number", setter: fld_set}]},
- "cefversion": {to:[{field: "rsa.misc.cefversion", setter: fld_set}]},
- "cert.serial": {to:[{field: "rsa.crypto.cert_serial", setter: fld_set}]},
- "cert_ca": {to:[{field: "rsa.crypto.cert_ca", setter: fld_set}]},
- "cert_checksum": {to:[{field: "rsa.crypto.cert_checksum", setter: fld_set}]},
- "cert_common": {to:[{field: "rsa.crypto.cert_common", setter: fld_set}]},
- "cert_error": {to:[{field: "rsa.crypto.cert_error", setter: fld_set}]},
- "cert_hostname": {to:[{field: "rsa.crypto.cert_host_name", setter: fld_set}]},
- "cert_hostname_cat": {to:[{field: "rsa.crypto.cert_host_cat", setter: fld_set}]},
- "cert_issuer": {to:[{field: "rsa.crypto.cert_issuer", setter: fld_set}]},
- "cert_keysize": {to:[{field: "rsa.crypto.cert_keysize", setter: fld_set}]},
- "cert_status": {to:[{field: "rsa.crypto.cert_status", setter: fld_set}]},
- "cert_subject": {to:[{field: "rsa.crypto.cert_subject", setter: fld_set}]},
- "cert_username": {to:[{field: "rsa.crypto.cert_username", setter: fld_set}]},
- "cfg.attr": {to:[{field: "rsa.misc.cfg_attr", setter: fld_set}]},
- "cfg.obj": {to:[{field: "rsa.misc.cfg_obj", setter: fld_set}]},
- "cfg.path": {to:[{field: "rsa.misc.cfg_path", setter: fld_set}]},
- "change_attribute": {to:[{field: "rsa.misc.change_attrib", setter: fld_set}]},
- "change_new": {to:[{field: "rsa.misc.change_new", setter: fld_set}]},
- "change_old": {to:[{field: "rsa.misc.change_old", setter: fld_set}]},
- "changes": {to:[{field: "rsa.misc.changes", setter: fld_set}]},
- "checksum": {to:[{field: "rsa.misc.checksum", setter: fld_set}]},
- "checksum.dst": {to:[{field: "rsa.misc.checksum_dst", setter: fld_set}]},
- "checksum.src": {to:[{field: "rsa.misc.checksum_src", setter: fld_set}]},
- "cid": {to:[{field: "rsa.internal.cid", setter: fld_set}]},
- "client": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 1}]},
- "client_ip": {to:[{field: "rsa.misc.client_ip", setter: fld_set}]},
- "clustermembers": {to:[{field: "rsa.misc.clustermembers", setter: fld_set}]},
- "cmd": {to:[{field: "rsa.misc.cmd", setter: fld_set}]},
- "cn_acttimeout": {to:[{field: "rsa.misc.cn_acttimeout", setter: fld_set}]},
- "cn_asn_dst": {to:[{field: "rsa.web.cn_asn_dst", setter: fld_set}]},
- "cn_asn_src": {to:[{field: "rsa.misc.cn_asn_src", setter: fld_set}]},
- "cn_bgpv4nxthop": {to:[{field: "rsa.misc.cn_bgpv4nxthop", setter: fld_set}]},
- "cn_ctr_dst_code": {to:[{field: "rsa.misc.cn_ctr_dst_code", setter: fld_set}]},
- "cn_dst_tos": {to:[{field: "rsa.misc.cn_dst_tos", setter: fld_set}]},
- "cn_dst_vlan": {to:[{field: "rsa.misc.cn_dst_vlan", setter: fld_set}]},
- "cn_engine_id": {to:[{field: "rsa.misc.cn_engine_id", setter: fld_set}]},
- "cn_engine_type": {to:[{field: "rsa.misc.cn_engine_type", setter: fld_set}]},
- "cn_f_switch": {to:[{field: "rsa.misc.cn_f_switch", setter: fld_set}]},
- "cn_flowsampid": {to:[{field: "rsa.misc.cn_flowsampid", setter: fld_set}]},
- "cn_flowsampintv": {to:[{field: "rsa.misc.cn_flowsampintv", setter: fld_set}]},
- "cn_flowsampmode": {to:[{field: "rsa.misc.cn_flowsampmode", setter: fld_set}]},
- "cn_inacttimeout": {to:[{field: "rsa.misc.cn_inacttimeout", setter: fld_set}]},
- "cn_inpermbyts": {to:[{field: "rsa.misc.cn_inpermbyts", setter: fld_set}]},
- "cn_inpermpckts": {to:[{field: "rsa.misc.cn_inpermpckts", setter: fld_set}]},
- "cn_invalid": {to:[{field: "rsa.misc.cn_invalid", setter: fld_set}]},
- "cn_ip_proto_ver": {to:[{field: "rsa.misc.cn_ip_proto_ver", setter: fld_set}]},
- "cn_ipv4_ident": {to:[{field: "rsa.misc.cn_ipv4_ident", setter: fld_set}]},
- "cn_l_switch": {to:[{field: "rsa.misc.cn_l_switch", setter: fld_set}]},
- "cn_log_did": {to:[{field: "rsa.misc.cn_log_did", setter: fld_set}]},
- "cn_log_rid": {to:[{field: "rsa.misc.cn_log_rid", setter: fld_set}]},
- "cn_max_ttl": {to:[{field: "rsa.misc.cn_max_ttl", setter: fld_set}]},
- "cn_maxpcktlen": {to:[{field: "rsa.misc.cn_maxpcktlen", setter: fld_set}]},
- "cn_min_ttl": {to:[{field: "rsa.misc.cn_min_ttl", setter: fld_set}]},
- "cn_minpcktlen": {to:[{field: "rsa.misc.cn_minpcktlen", setter: fld_set}]},
- "cn_mpls_lbl_1": {to:[{field: "rsa.misc.cn_mpls_lbl_1", setter: fld_set}]},
- "cn_mpls_lbl_10": {to:[{field: "rsa.misc.cn_mpls_lbl_10", setter: fld_set}]},
- "cn_mpls_lbl_2": {to:[{field: "rsa.misc.cn_mpls_lbl_2", setter: fld_set}]},
- "cn_mpls_lbl_3": {to:[{field: "rsa.misc.cn_mpls_lbl_3", setter: fld_set}]},
- "cn_mpls_lbl_4": {to:[{field: "rsa.misc.cn_mpls_lbl_4", setter: fld_set}]},
- "cn_mpls_lbl_5": {to:[{field: "rsa.misc.cn_mpls_lbl_5", setter: fld_set}]},
- "cn_mpls_lbl_6": {to:[{field: "rsa.misc.cn_mpls_lbl_6", setter: fld_set}]},
- "cn_mpls_lbl_7": {to:[{field: "rsa.misc.cn_mpls_lbl_7", setter: fld_set}]},
- "cn_mpls_lbl_8": {to:[{field: "rsa.misc.cn_mpls_lbl_8", setter: fld_set}]},
- "cn_mpls_lbl_9": {to:[{field: "rsa.misc.cn_mpls_lbl_9", setter: fld_set}]},
- "cn_mplstoplabel": {to:[{field: "rsa.misc.cn_mplstoplabel", setter: fld_set}]},
- "cn_mplstoplabip": {to:[{field: "rsa.misc.cn_mplstoplabip", setter: fld_set}]},
- "cn_mul_dst_byt": {to:[{field: "rsa.misc.cn_mul_dst_byt", setter: fld_set}]},
- "cn_mul_dst_pks": {to:[{field: "rsa.misc.cn_mul_dst_pks", setter: fld_set}]},
- "cn_muligmptype": {to:[{field: "rsa.misc.cn_muligmptype", setter: fld_set}]},
- "cn_rpackets": {to:[{field: "rsa.web.cn_rpackets", setter: fld_set}]},
- "cn_sampalgo": {to:[{field: "rsa.misc.cn_sampalgo", setter: fld_set}]},
- "cn_sampint": {to:[{field: "rsa.misc.cn_sampint", setter: fld_set}]},
- "cn_seqctr": {to:[{field: "rsa.misc.cn_seqctr", setter: fld_set}]},
- "cn_spackets": {to:[{field: "rsa.misc.cn_spackets", setter: fld_set}]},
- "cn_src_tos": {to:[{field: "rsa.misc.cn_src_tos", setter: fld_set}]},
- "cn_src_vlan": {to:[{field: "rsa.misc.cn_src_vlan", setter: fld_set}]},
- "cn_sysuptime": {to:[{field: "rsa.misc.cn_sysuptime", setter: fld_set}]},
- "cn_template_id": {to:[{field: "rsa.misc.cn_template_id", setter: fld_set}]},
- "cn_totbytsexp": {to:[{field: "rsa.misc.cn_totbytsexp", setter: fld_set}]},
- "cn_totflowexp": {to:[{field: "rsa.misc.cn_totflowexp", setter: fld_set}]},
- "cn_totpcktsexp": {to:[{field: "rsa.misc.cn_totpcktsexp", setter: fld_set}]},
- "cn_unixnanosecs": {to:[{field: "rsa.misc.cn_unixnanosecs", setter: fld_set}]},
- "cn_v6flowlabel": {to:[{field: "rsa.misc.cn_v6flowlabel", setter: fld_set}]},
- "cn_v6optheaders": {to:[{field: "rsa.misc.cn_v6optheaders", setter: fld_set}]},
- "code": {to:[{field: "rsa.misc.code", setter: fld_set}]},
- "command": {to:[{field: "rsa.misc.command", setter: fld_set}]},
- "comments": {to:[{field: "rsa.misc.comments", setter: fld_set}]},
- "comp_class": {to:[{field: "rsa.misc.comp_class", setter: fld_set}]},
- "comp_name": {to:[{field: "rsa.misc.comp_name", setter: fld_set}]},
- "comp_rbytes": {to:[{field: "rsa.misc.comp_rbytes", setter: fld_set}]},
- "comp_sbytes": {to:[{field: "rsa.misc.comp_sbytes", setter: fld_set}]},
- "component_version": {to:[{field: "rsa.misc.comp_version", setter: fld_set}]},
- "connection_id": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 1}]},
- "connectionid": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 0}]},
- "content": {to:[{field: "rsa.misc.content", setter: fld_set}]},
- "content_type": {to:[{field: "rsa.misc.content_type", setter: fld_set}]},
- "content_version": {to:[{field: "rsa.misc.content_version", setter: fld_set}]},
- "context": {to:[{field: "rsa.misc.context", setter: fld_set}]},
- "count": {to:[{field: "rsa.misc.count", setter: fld_set}]},
- "cpu": {convert: to_long, to:[{field: "rsa.misc.cpu", setter: fld_set}]},
- "cpu_data": {to:[{field: "rsa.misc.cpu_data", setter: fld_set}]},
- "criticality": {to:[{field: "rsa.misc.criticality", setter: fld_set}]},
- "cs_agency_dst": {to:[{field: "rsa.misc.cs_agency_dst", setter: fld_set}]},
- "cs_analyzedby": {to:[{field: "rsa.misc.cs_analyzedby", setter: fld_set}]},
- "cs_av_other": {to:[{field: "rsa.misc.cs_av_other", setter: fld_set}]},
- "cs_av_primary": {to:[{field: "rsa.misc.cs_av_primary", setter: fld_set}]},
- "cs_av_secondary": {to:[{field: "rsa.misc.cs_av_secondary", setter: fld_set}]},
- "cs_bgpv6nxthop": {to:[{field: "rsa.misc.cs_bgpv6nxthop", setter: fld_set}]},
- "cs_bit9status": {to:[{field: "rsa.misc.cs_bit9status", setter: fld_set}]},
- "cs_context": {to:[{field: "rsa.misc.cs_context", setter: fld_set}]},
- "cs_control": {to:[{field: "rsa.misc.cs_control", setter: fld_set}]},
- "cs_data": {to:[{field: "rsa.misc.cs_data", setter: fld_set}]},
- "cs_datecret": {to:[{field: "rsa.misc.cs_datecret", setter: fld_set}]},
- "cs_dst_tld": {to:[{field: "rsa.misc.cs_dst_tld", setter: fld_set}]},
- "cs_eth_dst_ven": {to:[{field: "rsa.misc.cs_eth_dst_ven", setter: fld_set}]},
- "cs_eth_src_ven": {to:[{field: "rsa.misc.cs_eth_src_ven", setter: fld_set}]},
- "cs_event_uuid": {to:[{field: "rsa.misc.cs_event_uuid", setter: fld_set}]},
- "cs_filetype": {to:[{field: "rsa.misc.cs_filetype", setter: fld_set}]},
- "cs_fld": {to:[{field: "rsa.misc.cs_fld", setter: fld_set}]},
- "cs_if_desc": {to:[{field: "rsa.misc.cs_if_desc", setter: fld_set}]},
- "cs_if_name": {to:[{field: "rsa.misc.cs_if_name", setter: fld_set}]},
- "cs_ip_next_hop": {to:[{field: "rsa.misc.cs_ip_next_hop", setter: fld_set}]},
- "cs_ipv4dstpre": {to:[{field: "rsa.misc.cs_ipv4dstpre", setter: fld_set}]},
- "cs_ipv4srcpre": {to:[{field: "rsa.misc.cs_ipv4srcpre", setter: fld_set}]},
- "cs_lifetime": {to:[{field: "rsa.misc.cs_lifetime", setter: fld_set}]},
- "cs_log_medium": {to:[{field: "rsa.misc.cs_log_medium", setter: fld_set}]},
- "cs_loginname": {to:[{field: "rsa.misc.cs_loginname", setter: fld_set}]},
- "cs_modulescore": {to:[{field: "rsa.misc.cs_modulescore", setter: fld_set}]},
- "cs_modulesign": {to:[{field: "rsa.misc.cs_modulesign", setter: fld_set}]},
- "cs_opswatresult": {to:[{field: "rsa.misc.cs_opswatresult", setter: fld_set}]},
- "cs_payload": {to:[{field: "rsa.misc.cs_payload", setter: fld_set}]},
- "cs_registrant": {to:[{field: "rsa.misc.cs_registrant", setter: fld_set}]},
- "cs_registrar": {to:[{field: "rsa.misc.cs_registrar", setter: fld_set}]},
- "cs_represult": {to:[{field: "rsa.misc.cs_represult", setter: fld_set}]},
- "cs_rpayload": {to:[{field: "rsa.misc.cs_rpayload", setter: fld_set}]},
- "cs_sampler_name": {to:[{field: "rsa.misc.cs_sampler_name", setter: fld_set}]},
- "cs_sourcemodule": {to:[{field: "rsa.misc.cs_sourcemodule", setter: fld_set}]},
- "cs_streams": {to:[{field: "rsa.misc.cs_streams", setter: fld_set}]},
- "cs_targetmodule": {to:[{field: "rsa.misc.cs_targetmodule", setter: fld_set}]},
- "cs_v6nxthop": {to:[{field: "rsa.misc.cs_v6nxthop", setter: fld_set}]},
- "cs_whois_server": {to:[{field: "rsa.misc.cs_whois_server", setter: fld_set}]},
- "cs_yararesult": {to:[{field: "rsa.misc.cs_yararesult", setter: fld_set}]},
- "cve": {to:[{field: "rsa.misc.cve", setter: fld_set}]},
- "d_certauth": {to:[{field: "rsa.crypto.d_certauth", setter: fld_set}]},
- "d_cipher": {to:[{field: "rsa.crypto.cipher_dst", setter: fld_set}]},
- "d_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_dst", setter: fld_set}]},
- "d_sslver": {to:[{field: "rsa.crypto.ssl_ver_dst", setter: fld_set}]},
- "data": {to:[{field: "rsa.internal.data", setter: fld_set}]},
- "data_type": {to:[{field: "rsa.misc.data_type", setter: fld_set}]},
- "date": {to:[{field: "rsa.time.date", setter: fld_set}]},
- "datetime": {to:[{field: "rsa.time.datetime", setter: fld_set}]},
- "day": {to:[{field: "rsa.time.day", setter: fld_set}]},
- "db_id": {to:[{field: "rsa.db.db_id", setter: fld_set}]},
- "db_name": {to:[{field: "rsa.db.database", setter: fld_set}]},
- "db_pid": {convert: to_long, to:[{field: "rsa.db.db_pid", setter: fld_set}]},
- "dclass_counter1": {convert: to_long, to:[{field: "rsa.counters.dclass_c1", setter: fld_set}]},
- "dclass_counter1_string": {to:[{field: "rsa.counters.dclass_c1_str", setter: fld_set}]},
- "dclass_counter2": {convert: to_long, to:[{field: "rsa.counters.dclass_c2", setter: fld_set}]},
- "dclass_counter2_string": {to:[{field: "rsa.counters.dclass_c2_str", setter: fld_set}]},
- "dclass_counter3": {convert: to_long, to:[{field: "rsa.counters.dclass_c3", setter: fld_set}]},
- "dclass_counter3_string": {to:[{field: "rsa.counters.dclass_c3_str", setter: fld_set}]},
- "dclass_ratio1": {to:[{field: "rsa.counters.dclass_r1", setter: fld_set}]},
- "dclass_ratio1_string": {to:[{field: "rsa.counters.dclass_r1_str", setter: fld_set}]},
- "dclass_ratio2": {to:[{field: "rsa.counters.dclass_r2", setter: fld_set}]},
- "dclass_ratio2_string": {to:[{field: "rsa.counters.dclass_r2_str", setter: fld_set}]},
- "dclass_ratio3": {to:[{field: "rsa.counters.dclass_r3", setter: fld_set}]},
- "dclass_ratio3_string": {to:[{field: "rsa.counters.dclass_r3_str", setter: fld_set}]},
- "dead": {convert: to_long, to:[{field: "rsa.internal.dead", setter: fld_set}]},
- "description": {to:[{field: "rsa.misc.description", setter: fld_set}]},
- "detail": {to:[{field: "rsa.misc.event_desc", setter: fld_set}]},
- "device": {to:[{field: "rsa.misc.device_name", setter: fld_set}]},
- "device.class": {to:[{field: "rsa.internal.device_class", setter: fld_set}]},
- "device.group": {to:[{field: "rsa.internal.device_group", setter: fld_set}]},
- "device.host": {to:[{field: "rsa.internal.device_host", setter: fld_set}]},
- "device.ip": {convert: to_ip, to:[{field: "rsa.internal.device_ip", setter: fld_set}]},
- "device.ipv6": {convert: to_ip, to:[{field: "rsa.internal.device_ipv6", setter: fld_set}]},
- "device.type": {to:[{field: "rsa.internal.device_type", setter: fld_set}]},
- "device.type.id": {convert: to_long, to:[{field: "rsa.internal.device_type_id", setter: fld_set}]},
- "devicehostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
- "devvendor": {to:[{field: "rsa.misc.devvendor", setter: fld_set}]},
- "dhost": {to:[{field: "rsa.network.host_dst", setter: fld_set}]},
- "did": {to:[{field: "rsa.internal.did", setter: fld_set}]},
- "dinterface": {to:[{field: "rsa.network.dinterface", setter: fld_set}]},
- "directory.dst": {to:[{field: "rsa.file.directory_dst", setter: fld_set}]},
- "directory.src": {to:[{field: "rsa.file.directory_src", setter: fld_set}]},
- "disk_volume": {to:[{field: "rsa.storage.disk_volume", setter: fld_set}]},
- "disposition": {to:[{field: "rsa.misc.disposition", setter: fld_set}]},
- "distance": {to:[{field: "rsa.misc.distance", setter: fld_set}]},
- "dmask": {to:[{field: "rsa.network.dmask", setter: fld_set}]},
- "dn": {to:[{field: "rsa.identity.dn", setter: fld_set}]},
- "dns_a_record": {to:[{field: "rsa.network.dns_a_record", setter: fld_set}]},
- "dns_cname_record": {to:[{field: "rsa.network.dns_cname_record", setter: fld_set}]},
- "dns_id": {to:[{field: "rsa.network.dns_id", setter: fld_set}]},
- "dns_opcode": {to:[{field: "rsa.network.dns_opcode", setter: fld_set}]},
- "dns_ptr_record": {to:[{field: "rsa.network.dns_ptr_record", setter: fld_set}]},
- "dns_resp": {to:[{field: "rsa.network.dns_resp", setter: fld_set}]},
- "dns_type": {to:[{field: "rsa.network.dns_type", setter: fld_set}]},
- "doc_number": {convert: to_long, to:[{field: "rsa.misc.doc_number", setter: fld_set}]},
- "domain": {to:[{field: "rsa.network.domain", setter: fld_set}]},
- "domain1": {to:[{field: "rsa.network.domain1", setter: fld_set}]},
- "dst_dn": {to:[{field: "rsa.identity.dn_dst", setter: fld_set}]},
- "dst_payload": {to:[{field: "rsa.misc.payload_dst", setter: fld_set}]},
- "dst_spi": {to:[{field: "rsa.misc.spi_dst", setter: fld_set}]},
- "dst_zone": {to:[{field: "rsa.network.zone_dst", setter: fld_set}]},
- "dstburb": {to:[{field: "rsa.misc.dstburb", setter: fld_set}]},
- "duration": {convert: to_double, to:[{field: "rsa.time.duration_time", setter: fld_set}]},
- "duration_string": {to:[{field: "rsa.time.duration_str", setter: fld_set}]},
- "ec_activity": {to:[{field: "rsa.investigations.ec_activity", setter: fld_set}]},
- "ec_outcome": {to:[{field: "rsa.investigations.ec_outcome", setter: fld_set}]},
- "ec_subject": {to:[{field: "rsa.investigations.ec_subject", setter: fld_set}]},
- "ec_theme": {to:[{field: "rsa.investigations.ec_theme", setter: fld_set}]},
- "edomain": {to:[{field: "rsa.misc.edomain", setter: fld_set}]},
- "edomaub": {to:[{field: "rsa.misc.edomaub", setter: fld_set}]},
- "effective_time": {convert: to_date, to:[{field: "rsa.time.effective_time", setter: fld_set}]},
- "ein.number": {convert: to_long, to:[{field: "rsa.misc.ein_number", setter: fld_set}]},
- "email": {to:[{field: "rsa.email.email", setter: fld_append}]},
- "encryption_type": {to:[{field: "rsa.crypto.crypto", setter: fld_set}]},
- "endtime": {convert: to_date, to:[{field: "rsa.time.endtime", setter: fld_set}]},
- "entropy.req": {convert: to_long, to:[{field: "rsa.internal.entropy_req", setter: fld_set}]},
- "entropy.res": {convert: to_long, to:[{field: "rsa.internal.entropy_res", setter: fld_set}]},
- "entry": {to:[{field: "rsa.internal.entry", setter: fld_set}]},
- "eoc": {to:[{field: "rsa.investigations.eoc", setter: fld_set}]},
- "error": {to:[{field: "rsa.misc.error", setter: fld_set}]},
- "eth_type": {convert: to_long, to:[{field: "rsa.network.eth_type", setter: fld_set}]},
- "euid": {to:[{field: "rsa.misc.euid", setter: fld_set}]},
- "event.cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 1}]},
- "event.cat.name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 1}]},
- "event_cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 0}]},
- "event_cat_name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 0}]},
- "event_category": {to:[{field: "rsa.misc.event_category", setter: fld_set}]},
- "event_computer": {to:[{field: "rsa.misc.event_computer", setter: fld_set}]},
- "event_counter": {convert: to_long, to:[{field: "rsa.counters.event_counter", setter: fld_set}]},
- "event_description": {to:[{field: "rsa.internal.event_desc", setter: fld_set}]},
- "event_id": {to:[{field: "rsa.misc.event_id", setter: fld_set}]},
- "event_log": {to:[{field: "rsa.misc.event_log", setter: fld_set}]},
- "event_name": {to:[{field: "rsa.internal.event_name", setter: fld_set}]},
- "event_queue_time": {convert: to_date, to:[{field: "rsa.time.event_queue_time", setter: fld_set}]},
- "event_source": {to:[{field: "rsa.misc.event_source", setter: fld_set}]},
- "event_state": {to:[{field: "rsa.misc.event_state", setter: fld_set}]},
- "event_time": {convert: to_date, to:[{field: "rsa.time.event_time", setter: fld_set}]},
- "event_time_str": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 1}]},
- "event_time_string": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 0}]},
- "event_type": {to:[{field: "rsa.misc.event_type", setter: fld_set}]},
- "event_user": {to:[{field: "rsa.misc.event_user", setter: fld_set}]},
- "eventtime": {to:[{field: "rsa.time.eventtime", setter: fld_set}]},
- "expected_val": {to:[{field: "rsa.misc.expected_val", setter: fld_set}]},
- "expiration_time": {convert: to_date, to:[{field: "rsa.time.expire_time", setter: fld_set}]},
- "expiration_time_string": {to:[{field: "rsa.time.expire_time_str", setter: fld_set}]},
- "facility": {to:[{field: "rsa.misc.facility", setter: fld_set}]},
- "facilityname": {to:[{field: "rsa.misc.facilityname", setter: fld_set}]},
- "faddr": {to:[{field: "rsa.network.faddr", setter: fld_set}]},
- "fcatnum": {to:[{field: "rsa.misc.fcatnum", setter: fld_set}]},
- "federated_idp": {to:[{field: "rsa.identity.federated_idp", setter: fld_set}]},
- "federated_sp": {to:[{field: "rsa.identity.federated_sp", setter: fld_set}]},
- "feed.category": {to:[{field: "rsa.internal.feed_category", setter: fld_set}]},
- "feed_desc": {to:[{field: "rsa.internal.feed_desc", setter: fld_set}]},
- "feed_name": {to:[{field: "rsa.internal.feed_name", setter: fld_set}]},
- "fhost": {to:[{field: "rsa.network.fhost", setter: fld_set}]},
- "file_entropy": {convert: to_double, to:[{field: "rsa.file.file_entropy", setter: fld_set}]},
- "file_vendor": {to:[{field: "rsa.file.file_vendor", setter: fld_set}]},
- "filename_dst": {to:[{field: "rsa.file.filename_dst", setter: fld_set}]},
- "filename_src": {to:[{field: "rsa.file.filename_src", setter: fld_set}]},
- "filename_tmp": {to:[{field: "rsa.file.filename_tmp", setter: fld_set}]},
- "filesystem": {to:[{field: "rsa.file.filesystem", setter: fld_set}]},
- "filter": {to:[{field: "rsa.misc.filter", setter: fld_set}]},
- "finterface": {to:[{field: "rsa.misc.finterface", setter: fld_set}]},
- "flags": {to:[{field: "rsa.misc.flags", setter: fld_set}]},
- "forensic_info": {to:[{field: "rsa.misc.forensic_info", setter: fld_set}]},
- "forward.ip": {convert: to_ip, to:[{field: "rsa.internal.forward_ip", setter: fld_set}]},
- "forward.ipv6": {convert: to_ip, to:[{field: "rsa.internal.forward_ipv6", setter: fld_set}]},
- "found": {to:[{field: "rsa.misc.found", setter: fld_set}]},
- "fport": {to:[{field: "rsa.network.fport", setter: fld_set}]},
- "fqdn": {to:[{field: "rsa.web.fqdn", setter: fld_set}]},
- "fresult": {convert: to_long, to:[{field: "rsa.misc.fresult", setter: fld_set}]},
- "from": {to:[{field: "rsa.email.email_src", setter: fld_set}]},
- "gaddr": {to:[{field: "rsa.misc.gaddr", setter: fld_set}]},
- "gateway": {to:[{field: "rsa.network.gateway", setter: fld_set}]},
- "gmtdate": {to:[{field: "rsa.time.gmtdate", setter: fld_set}]},
- "gmttime": {to:[{field: "rsa.time.gmttime", setter: fld_set}]},
- "group": {to:[{field: "rsa.misc.group", setter: fld_set}]},
- "group_object": {to:[{field: "rsa.misc.group_object", setter: fld_set}]},
- "groupid": {to:[{field: "rsa.misc.group_id", setter: fld_set}]},
- "h_code": {to:[{field: "rsa.internal.hcode", setter: fld_set}]},
- "hardware_id": {to:[{field: "rsa.misc.hardware_id", setter: fld_set}]},
- "header.id": {to:[{field: "rsa.internal.header_id", setter: fld_set}]},
- "host.orig": {to:[{field: "rsa.network.host_orig", setter: fld_set}]},
- "host.state": {to:[{field: "rsa.endpoint.host_state", setter: fld_set}]},
- "host.type": {to:[{field: "rsa.network.host_type", setter: fld_set}]},
- "host_role": {to:[{field: "rsa.identity.host_role", setter: fld_set}]},
- "hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
- "hostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
- "hour": {to:[{field: "rsa.time.hour", setter: fld_set}]},
- "https.insact": {to:[{field: "rsa.crypto.https_insact", setter: fld_set}]},
- "https.valid": {to:[{field: "rsa.crypto.https_valid", setter: fld_set}]},
- "icmpcode": {convert: to_long, to:[{field: "rsa.network.icmp_code", setter: fld_set}]},
- "icmptype": {convert: to_long, to:[{field: "rsa.network.icmp_type", setter: fld_set}]},
- "id": {to:[{field: "rsa.misc.reference_id", setter: fld_set}]},
- "id1": {to:[{field: "rsa.misc.reference_id1", setter: fld_set}]},
- "id2": {to:[{field: "rsa.misc.reference_id2", setter: fld_set}]},
- "id3": {to:[{field: "rsa.misc.id3", setter: fld_set}]},
- "ike": {to:[{field: "rsa.crypto.ike", setter: fld_set}]},
- "ike_cookie1": {to:[{field: "rsa.crypto.ike_cookie1", setter: fld_set}]},
- "ike_cookie2": {to:[{field: "rsa.crypto.ike_cookie2", setter: fld_set}]},
- "im_buddyid": {to:[{field: "rsa.misc.im_buddyid", setter: fld_set}]},
- "im_buddyname": {to:[{field: "rsa.misc.im_buddyname", setter: fld_set}]},
- "im_client": {to:[{field: "rsa.misc.im_client", setter: fld_set}]},
- "im_croomid": {to:[{field: "rsa.misc.im_croomid", setter: fld_set}]},
- "im_croomtype": {to:[{field: "rsa.misc.im_croomtype", setter: fld_set}]},
- "im_members": {to:[{field: "rsa.misc.im_members", setter: fld_set}]},
- "im_userid": {to:[{field: "rsa.misc.im_userid", setter: fld_set}]},
- "im_username": {to:[{field: "rsa.misc.im_username", setter: fld_set}]},
- "index": {to:[{field: "rsa.misc.index", setter: fld_set}]},
- "info": {to:[{field: "rsa.db.index", setter: fld_set}]},
- "inode": {convert: to_long, to:[{field: "rsa.internal.inode", setter: fld_set}]},
- "inout": {to:[{field: "rsa.misc.inout", setter: fld_set}]},
- "instance": {to:[{field: "rsa.db.instance", setter: fld_set}]},
- "interface": {to:[{field: "rsa.network.interface", setter: fld_set}]},
- "inv.category": {to:[{field: "rsa.investigations.inv_category", setter: fld_set}]},
- "inv.context": {to:[{field: "rsa.investigations.inv_context", setter: fld_set}]},
- "ioc": {to:[{field: "rsa.investigations.ioc", setter: fld_set}]},
- "ip_proto": {convert: to_long, to:[{field: "rsa.network.ip_proto", setter: fld_set}]},
- "ipkt": {to:[{field: "rsa.misc.ipkt", setter: fld_set}]},
- "ipscat": {to:[{field: "rsa.misc.ipscat", setter: fld_set}]},
- "ipspri": {to:[{field: "rsa.misc.ipspri", setter: fld_set}]},
- "jobname": {to:[{field: "rsa.misc.jobname", setter: fld_set}]},
- "jobnum": {to:[{field: "rsa.misc.job_num", setter: fld_set}]},
- "laddr": {to:[{field: "rsa.network.laddr", setter: fld_set}]},
- "language": {to:[{field: "rsa.misc.language", setter: fld_set}]},
- "latitude": {to:[{field: "rsa.misc.latitude", setter: fld_set}]},
- "lc.cid": {to:[{field: "rsa.internal.lc_cid", setter: fld_set}]},
- "lc.ctime": {convert: to_date, to:[{field: "rsa.internal.lc_ctime", setter: fld_set}]},
- "ldap": {to:[{field: "rsa.identity.ldap", setter: fld_set}]},
- "ldap.query": {to:[{field: "rsa.identity.ldap_query", setter: fld_set}]},
- "ldap.response": {to:[{field: "rsa.identity.ldap_response", setter: fld_set}]},
- "level": {convert: to_long, to:[{field: "rsa.internal.level", setter: fld_set}]},
- "lhost": {to:[{field: "rsa.network.lhost", setter: fld_set}]},
- "library": {to:[{field: "rsa.misc.library", setter: fld_set}]},
- "lifetime": {convert: to_long, to:[{field: "rsa.misc.lifetime", setter: fld_set}]},
- "linenum": {to:[{field: "rsa.misc.linenum", setter: fld_set}]},
- "link": {to:[{field: "rsa.misc.link", setter: fld_set}]},
- "linterface": {to:[{field: "rsa.network.linterface", setter: fld_set}]},
- "list_name": {to:[{field: "rsa.misc.list_name", setter: fld_set}]},
- "listnum": {to:[{field: "rsa.misc.listnum", setter: fld_set}]},
- "load_data": {to:[{field: "rsa.misc.load_data", setter: fld_set}]},
- "location_floor": {to:[{field: "rsa.misc.location_floor", setter: fld_set}]},
- "location_mark": {to:[{field: "rsa.misc.location_mark", setter: fld_set}]},
- "log_id": {to:[{field: "rsa.misc.log_id", setter: fld_set}]},
- "log_type": {to:[{field: "rsa.misc.log_type", setter: fld_set}]},
- "logid": {to:[{field: "rsa.misc.logid", setter: fld_set}]},
- "logip": {to:[{field: "rsa.misc.logip", setter: fld_set}]},
- "logname": {to:[{field: "rsa.misc.logname", setter: fld_set}]},
- "logon_type": {to:[{field: "rsa.identity.logon_type", setter: fld_set}]},
- "logon_type_desc": {to:[{field: "rsa.identity.logon_type_desc", setter: fld_set}]},
- "longitude": {to:[{field: "rsa.misc.longitude", setter: fld_set}]},
- "lport": {to:[{field: "rsa.misc.lport", setter: fld_set}]},
- "lread": {convert: to_long, to:[{field: "rsa.db.lread", setter: fld_set}]},
- "lun": {to:[{field: "rsa.storage.lun", setter: fld_set}]},
- "lwrite": {convert: to_long, to:[{field: "rsa.db.lwrite", setter: fld_set}]},
- "macaddr": {convert: to_mac, to:[{field: "rsa.network.eth_host", setter: fld_set}]},
- "mail_id": {to:[{field: "rsa.misc.mail_id", setter: fld_set}]},
- "mask": {to:[{field: "rsa.network.mask", setter: fld_set}]},
- "match": {to:[{field: "rsa.misc.match", setter: fld_set}]},
- "mbug_data": {to:[{field: "rsa.misc.mbug_data", setter: fld_set}]},
- "mcb.req": {convert: to_long, to:[{field: "rsa.internal.mcb_req", setter: fld_set}]},
- "mcb.res": {convert: to_long, to:[{field: "rsa.internal.mcb_res", setter: fld_set}]},
- "mcbc.req": {convert: to_long, to:[{field: "rsa.internal.mcbc_req", setter: fld_set}]},
- "mcbc.res": {convert: to_long, to:[{field: "rsa.internal.mcbc_res", setter: fld_set}]},
- "medium": {convert: to_long, to:[{field: "rsa.internal.medium", setter: fld_set}]},
- "message": {to:[{field: "rsa.internal.message", setter: fld_set}]},
- "message_body": {to:[{field: "rsa.misc.message_body", setter: fld_set}]},
- "messageid": {to:[{field: "rsa.internal.messageid", setter: fld_set}]},
- "min": {to:[{field: "rsa.time.min", setter: fld_set}]},
- "misc": {to:[{field: "rsa.misc.misc", setter: fld_set}]},
- "misc_name": {to:[{field: "rsa.misc.misc_name", setter: fld_set}]},
- "mode": {to:[{field: "rsa.misc.mode", setter: fld_set}]},
- "month": {to:[{field: "rsa.time.month", setter: fld_set}]},
- "msg": {to:[{field: "rsa.internal.msg", setter: fld_set}]},
- "msgIdPart1": {to:[{field: "rsa.misc.msgIdPart1", setter: fld_set}]},
- "msgIdPart2": {to:[{field: "rsa.misc.msgIdPart2", setter: fld_set}]},
- "msgIdPart3": {to:[{field: "rsa.misc.msgIdPart3", setter: fld_set}]},
- "msgIdPart4": {to:[{field: "rsa.misc.msgIdPart4", setter: fld_set}]},
- "msg_id": {to:[{field: "rsa.internal.msg_id", setter: fld_set}]},
- "msg_type": {to:[{field: "rsa.misc.msg_type", setter: fld_set}]},
- "msgid": {to:[{field: "rsa.misc.msgid", setter: fld_set}]},
- "name": {to:[{field: "rsa.misc.name", setter: fld_set}]},
- "netname": {to:[{field: "rsa.network.netname", setter: fld_set}]},
- "netsessid": {to:[{field: "rsa.misc.netsessid", setter: fld_set}]},
- "network_port": {convert: to_long, to:[{field: "rsa.network.network_port", setter: fld_set}]},
- "network_service": {to:[{field: "rsa.network.network_service", setter: fld_set}]},
- "node": {to:[{field: "rsa.misc.node", setter: fld_set}]},
- "nodename": {to:[{field: "rsa.internal.node_name", setter: fld_set}]},
- "ntype": {to:[{field: "rsa.misc.ntype", setter: fld_set}]},
- "num": {to:[{field: "rsa.misc.num", setter: fld_set}]},
- "number": {to:[{field: "rsa.misc.number", setter: fld_set}]},
- "number1": {to:[{field: "rsa.misc.number1", setter: fld_set}]},
- "number2": {to:[{field: "rsa.misc.number2", setter: fld_set}]},
- "nwe.callback_id": {to:[{field: "rsa.internal.nwe_callback_id", setter: fld_set}]},
- "nwwn": {to:[{field: "rsa.misc.nwwn", setter: fld_set}]},
- "obj_id": {to:[{field: "rsa.internal.obj_id", setter: fld_set}]},
- "obj_name": {to:[{field: "rsa.misc.obj_name", setter: fld_set}]},
- "obj_server": {to:[{field: "rsa.internal.obj_server", setter: fld_set}]},
- "obj_type": {to:[{field: "rsa.misc.obj_type", setter: fld_set}]},
- "obj_value": {to:[{field: "rsa.internal.obj_val", setter: fld_set}]},
- "object": {to:[{field: "rsa.misc.object", setter: fld_set}]},
- "observed_val": {to:[{field: "rsa.misc.observed_val", setter: fld_set}]},
- "operation": {to:[{field: "rsa.misc.operation", setter: fld_set}]},
- "operation_id": {to:[{field: "rsa.misc.operation_id", setter: fld_set}]},
- "opkt": {to:[{field: "rsa.misc.opkt", setter: fld_set}]},
- "org.dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 1}]},
- "org.src": {to:[{field: "rsa.physical.org_src", setter: fld_set}]},
- "org_dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 0}]},
- "orig_from": {to:[{field: "rsa.misc.orig_from", setter: fld_set}]},
- "origin": {to:[{field: "rsa.network.origin", setter: fld_set}]},
- "original_owner": {to:[{field: "rsa.identity.owner", setter: fld_set}]},
- "os": {to:[{field: "rsa.misc.OS", setter: fld_set}]},
- "owner_id": {to:[{field: "rsa.misc.owner_id", setter: fld_set}]},
- "p_action": {to:[{field: "rsa.misc.p_action", setter: fld_set}]},
- "p_date": {to:[{field: "rsa.time.p_date", setter: fld_set}]},
- "p_filter": {to:[{field: "rsa.misc.p_filter", setter: fld_set}]},
- "p_group_object": {to:[{field: "rsa.misc.p_group_object", setter: fld_set}]},
- "p_id": {to:[{field: "rsa.misc.p_id", setter: fld_set}]},
- "p_month": {to:[{field: "rsa.time.p_month", setter: fld_set}]},
- "p_msgid": {to:[{field: "rsa.misc.p_msgid", setter: fld_set}]},
- "p_msgid1": {to:[{field: "rsa.misc.p_msgid1", setter: fld_set}]},
- "p_msgid2": {to:[{field: "rsa.misc.p_msgid2", setter: fld_set}]},
- "p_result1": {to:[{field: "rsa.misc.p_result1", setter: fld_set}]},
- "p_time": {to:[{field: "rsa.time.p_time", setter: fld_set}]},
- "p_time1": {to:[{field: "rsa.time.p_time1", setter: fld_set}]},
- "p_time2": {to:[{field: "rsa.time.p_time2", setter: fld_set}]},
- "p_url": {to:[{field: "rsa.web.p_url", setter: fld_set}]},
- "p_user_agent": {to:[{field: "rsa.web.p_user_agent", setter: fld_set}]},
- "p_web_cookie": {to:[{field: "rsa.web.p_web_cookie", setter: fld_set}]},
- "p_web_method": {to:[{field: "rsa.web.p_web_method", setter: fld_set}]},
- "p_web_referer": {to:[{field: "rsa.web.p_web_referer", setter: fld_set}]},
- "p_year": {to:[{field: "rsa.time.p_year", setter: fld_set}]},
- "packet_length": {to:[{field: "rsa.network.packet_length", setter: fld_set}]},
- "paddr": {convert: to_ip, to:[{field: "rsa.network.paddr", setter: fld_set}]},
- "param": {to:[{field: "rsa.misc.param", setter: fld_set}]},
- "param.dst": {to:[{field: "rsa.misc.param_dst", setter: fld_set}]},
- "param.src": {to:[{field: "rsa.misc.param_src", setter: fld_set}]},
- "parent_node": {to:[{field: "rsa.misc.parent_node", setter: fld_set}]},
- "parse.error": {to:[{field: "rsa.internal.parse_error", setter: fld_set}]},
- "password": {to:[{field: "rsa.identity.password", setter: fld_set}]},
- "password_chg": {to:[{field: "rsa.misc.password_chg", setter: fld_set}]},
- "password_expire": {to:[{field: "rsa.misc.password_expire", setter: fld_set}]},
- "patient_fname": {to:[{field: "rsa.healthcare.patient_fname", setter: fld_set}]},
- "patient_id": {to:[{field: "rsa.healthcare.patient_id", setter: fld_set}]},
- "patient_lname": {to:[{field: "rsa.healthcare.patient_lname", setter: fld_set}]},
- "patient_mname": {to:[{field: "rsa.healthcare.patient_mname", setter: fld_set}]},
- "payload.req": {convert: to_long, to:[{field: "rsa.internal.payload_req", setter: fld_set}]},
- "payload.res": {convert: to_long, to:[{field: "rsa.internal.payload_res", setter: fld_set}]},
- "peer": {to:[{field: "rsa.crypto.peer", setter: fld_set}]},
- "peer_id": {to:[{field: "rsa.crypto.peer_id", setter: fld_set}]},
- "permgranted": {to:[{field: "rsa.misc.permgranted", setter: fld_set}]},
- "permissions": {to:[{field: "rsa.db.permissions", setter: fld_set}]},
- "permwanted": {to:[{field: "rsa.misc.permwanted", setter: fld_set}]},
- "pgid": {to:[{field: "rsa.misc.pgid", setter: fld_set}]},
- "phone_number": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 2}]},
- "phost": {to:[{field: "rsa.network.phost", setter: fld_set}]},
- "pid": {to:[{field: "rsa.misc.pid", setter: fld_set}]},
- "policy": {to:[{field: "rsa.misc.policy", setter: fld_set}]},
- "policyUUID": {to:[{field: "rsa.misc.policyUUID", setter: fld_set}]},
- "policy_id": {to:[{field: "rsa.misc.policy_id", setter: fld_set}]},
- "policy_value": {to:[{field: "rsa.misc.policy_value", setter: fld_set}]},
- "policy_waiver": {to:[{field: "rsa.misc.policy_waiver", setter: fld_set}]},
- "policyname": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 0}]},
- "pool_id": {to:[{field: "rsa.misc.pool_id", setter: fld_set}]},
- "pool_name": {to:[{field: "rsa.misc.pool_name", setter: fld_set}]},
- "port": {convert: to_long, to:[{field: "rsa.network.port", setter: fld_set}]},
- "portname": {to:[{field: "rsa.misc.port_name", setter: fld_set}]},
- "pread": {convert: to_long, to:[{field: "rsa.db.pread", setter: fld_set}]},
- "priority": {to:[{field: "rsa.misc.priority", setter: fld_set}]},
- "privilege": {to:[{field: "rsa.file.privilege", setter: fld_set}]},
- "process.vid.dst": {to:[{field: "rsa.internal.process_vid_dst", setter: fld_set}]},
- "process.vid.src": {to:[{field: "rsa.internal.process_vid_src", setter: fld_set}]},
- "process_id_val": {to:[{field: "rsa.misc.process_id_val", setter: fld_set}]},
- "processing_time": {to:[{field: "rsa.time.process_time", setter: fld_set}]},
- "profile": {to:[{field: "rsa.identity.profile", setter: fld_set}]},
- "prog_asp_num": {to:[{field: "rsa.misc.prog_asp_num", setter: fld_set}]},
- "program": {to:[{field: "rsa.misc.program", setter: fld_set}]},
- "protocol_detail": {to:[{field: "rsa.network.protocol_detail", setter: fld_set}]},
- "pwwn": {to:[{field: "rsa.storage.pwwn", setter: fld_set}]},
- "r_hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
- "real_data": {to:[{field: "rsa.misc.real_data", setter: fld_set}]},
- "realm": {to:[{field: "rsa.identity.realm", setter: fld_set}]},
- "reason": {to:[{field: "rsa.misc.reason", setter: fld_set}]},
- "rec_asp_device": {to:[{field: "rsa.misc.rec_asp_device", setter: fld_set}]},
- "rec_asp_num": {to:[{field: "rsa.misc.rec_asp_num", setter: fld_set}]},
- "rec_library": {to:[{field: "rsa.misc.rec_library", setter: fld_set}]},
- "recorded_time": {convert: to_date, to:[{field: "rsa.time.recorded_time", setter: fld_set}]},
- "recordnum": {to:[{field: "rsa.misc.recordnum", setter: fld_set}]},
- "registry.key": {to:[{field: "rsa.endpoint.registry_key", setter: fld_set}]},
- "registry.value": {to:[{field: "rsa.endpoint.registry_value", setter: fld_set}]},
- "remote_domain": {to:[{field: "rsa.web.remote_domain", setter: fld_set}]},
- "remote_domain_id": {to:[{field: "rsa.network.remote_domain_id", setter: fld_set}]},
- "reputation_num": {convert: to_double, to:[{field: "rsa.web.reputation_num", setter: fld_set}]},
- "resource": {to:[{field: "rsa.internal.resource", setter: fld_set}]},
- "resource_class": {to:[{field: "rsa.internal.resource_class", setter: fld_set}]},
- "result": {to:[{field: "rsa.misc.result", setter: fld_set}]},
- "result_code": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 1}]},
- "resultcode": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 0}]},
- "rid": {convert: to_long, to:[{field: "rsa.internal.rid", setter: fld_set}]},
- "risk": 
{to:[{field: "rsa.misc.risk", setter: fld_set}]}, - "risk_info": {to:[{field: "rsa.misc.risk_info", setter: fld_set}]}, - "risk_num": {convert: to_double, to:[{field: "rsa.misc.risk_num", setter: fld_set}]}, - "risk_num_comm": {convert: to_double, to:[{field: "rsa.misc.risk_num_comm", setter: fld_set}]}, - "risk_num_next": {convert: to_double, to:[{field: "rsa.misc.risk_num_next", setter: fld_set}]}, - "risk_num_sand": {convert: to_double, to:[{field: "rsa.misc.risk_num_sand", setter: fld_set}]}, - "risk_num_static": {convert: to_double, to:[{field: "rsa.misc.risk_num_static", setter: fld_set}]}, - "risk_suspicious": {to:[{field: "rsa.misc.risk_suspicious", setter: fld_set}]}, - "risk_warning": {to:[{field: "rsa.misc.risk_warning", setter: fld_set}]}, - "rpayload": {to:[{field: "rsa.network.rpayload", setter: fld_set}]}, - "ruid": {to:[{field: "rsa.misc.ruid", setter: fld_set}]}, - "rule": {to:[{field: "rsa.misc.rule", setter: fld_set}]}, - "rule_group": {to:[{field: "rsa.misc.rule_group", setter: fld_set}]}, - "rule_template": {to:[{field: "rsa.misc.rule_template", setter: fld_set}]}, - "rule_uid": {to:[{field: "rsa.misc.rule_uid", setter: fld_set}]}, - "rulename": {to:[{field: "rsa.misc.rule_name", setter: fld_set}]}, - "s_certauth": {to:[{field: "rsa.crypto.s_certauth", setter: fld_set}]}, - "s_cipher": {to:[{field: "rsa.crypto.cipher_src", setter: fld_set}]}, - "s_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_src", setter: fld_set}]}, - "s_context": {to:[{field: "rsa.misc.context_subject", setter: fld_set}]}, - "s_sslver": {to:[{field: "rsa.crypto.ssl_ver_src", setter: fld_set}]}, - "sburb": {to:[{field: "rsa.misc.sburb", setter: fld_set}]}, - "scheme": {to:[{field: "rsa.crypto.scheme", setter: fld_set}]}, - "sdomain_fld": {to:[{field: "rsa.misc.sdomain_fld", setter: fld_set}]}, - "search.text": {to:[{field: "rsa.misc.search_text", setter: fld_set}]}, - "sec": {to:[{field: "rsa.misc.sec", setter: fld_set}]}, - "second": {to:[{field: 
"rsa.misc.second", setter: fld_set}]}, - "sensor": {to:[{field: "rsa.misc.sensor", setter: fld_set}]}, - "sensorname": {to:[{field: "rsa.misc.sensorname", setter: fld_set}]}, - "seqnum": {to:[{field: "rsa.misc.seqnum", setter: fld_set}]}, - "serial_number": {to:[{field: "rsa.misc.serial_number", setter: fld_set}]}, - "service.account": {to:[{field: "rsa.identity.service_account", setter: fld_set}]}, - "session": {to:[{field: "rsa.misc.session", setter: fld_set}]}, - "session.split": {to:[{field: "rsa.internal.session_split", setter: fld_set}]}, - "sessionid": {to:[{field: "rsa.misc.log_session_id", setter: fld_set}]}, - "sessionid1": {to:[{field: "rsa.misc.log_session_id1", setter: fld_set}]}, - "sessiontype": {to:[{field: "rsa.misc.sessiontype", setter: fld_set}]}, - "severity": {to:[{field: "rsa.misc.severity", setter: fld_set}]}, - "sid": {to:[{field: "rsa.identity.user_sid_dst", setter: fld_set}]}, - "sig.name": {to:[{field: "rsa.misc.sig_name", setter: fld_set}]}, - "sigUUID": {to:[{field: "rsa.misc.sigUUID", setter: fld_set}]}, - "sigcat": {to:[{field: "rsa.misc.sigcat", setter: fld_set}]}, - "sigid": {convert: to_long, to:[{field: "rsa.misc.sig_id", setter: fld_set}]}, - "sigid1": {convert: to_long, to:[{field: "rsa.misc.sig_id1", setter: fld_set}]}, - "sigid_string": {to:[{field: "rsa.misc.sig_id_str", setter: fld_set}]}, - "signame": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 1}]}, - "sigtype": {to:[{field: "rsa.crypto.sig_type", setter: fld_set}]}, - "sinterface": {to:[{field: "rsa.network.sinterface", setter: fld_set}]}, - "site": {to:[{field: "rsa.internal.site", setter: fld_set}]}, - "size": {convert: to_long, to:[{field: "rsa.internal.size", setter: fld_set}]}, - "smask": {to:[{field: "rsa.network.smask", setter: fld_set}]}, - "snmp.oid": {to:[{field: "rsa.misc.snmp_oid", setter: fld_set}]}, - "snmp.value": {to:[{field: "rsa.misc.snmp_value", setter: fld_set}]}, - "sourcefile": {to:[{field: "rsa.internal.sourcefile", setter: 
fld_set}]}, - "space": {to:[{field: "rsa.misc.space", setter: fld_set}]}, - "space1": {to:[{field: "rsa.misc.space1", setter: fld_set}]}, - "spi": {to:[{field: "rsa.misc.spi", setter: fld_set}]}, - "sql": {to:[{field: "rsa.misc.sql", setter: fld_set}]}, - "src_dn": {to:[{field: "rsa.identity.dn_src", setter: fld_set}]}, - "src_payload": {to:[{field: "rsa.misc.payload_src", setter: fld_set}]}, - "src_spi": {to:[{field: "rsa.misc.spi_src", setter: fld_set}]}, - "src_zone": {to:[{field: "rsa.network.zone_src", setter: fld_set}]}, - "srcburb": {to:[{field: "rsa.misc.srcburb", setter: fld_set}]}, - "srcdom": {to:[{field: "rsa.misc.srcdom", setter: fld_set}]}, - "srcservice": {to:[{field: "rsa.misc.srcservice", setter: fld_set}]}, - "ssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 0}]}, - "stamp": {convert: to_date, to:[{field: "rsa.time.stamp", setter: fld_set}]}, - "starttime": {convert: to_date, to:[{field: "rsa.time.starttime", setter: fld_set}]}, - "state": {to:[{field: "rsa.misc.state", setter: fld_set}]}, - "statement": {to:[{field: "rsa.internal.statement", setter: fld_set}]}, - "status": {to:[{field: "rsa.misc.status", setter: fld_set}]}, - "status1": {to:[{field: "rsa.misc.status1", setter: fld_set}]}, - "streams": {convert: to_long, to:[{field: "rsa.misc.streams", setter: fld_set}]}, - "subcategory": {to:[{field: "rsa.misc.subcategory", setter: fld_set}]}, - "subject": {to:[{field: "rsa.email.subject", setter: fld_set}]}, - "svcno": {to:[{field: "rsa.misc.svcno", setter: fld_set}]}, - "system": {to:[{field: "rsa.misc.system", setter: fld_set}]}, - "t_context": {to:[{field: "rsa.misc.context_target", setter: fld_set}]}, - "task_name": {to:[{field: "rsa.file.task_name", setter: fld_set}]}, - "tbdstr1": {to:[{field: "rsa.misc.tbdstr1", setter: fld_set}]}, - "tbdstr2": {to:[{field: "rsa.misc.tbdstr2", setter: fld_set}]}, - "tbl_name": {to:[{field: "rsa.db.table_name", setter: fld_set}]}, - "tcp_flags": {convert: to_long, to:[{field: 
"rsa.misc.tcp_flags", setter: fld_set}]}, - "terminal": {to:[{field: "rsa.misc.terminal", setter: fld_set}]}, - "tgtdom": {to:[{field: "rsa.misc.tgtdom", setter: fld_set}]}, - "tgtdomain": {to:[{field: "rsa.misc.tgtdomain", setter: fld_set}]}, - "threat_name": {to:[{field: "rsa.threat.threat_category", setter: fld_set}]}, - "threat_source": {to:[{field: "rsa.threat.threat_source", setter: fld_set}]}, - "threat_val": {to:[{field: "rsa.threat.threat_desc", setter: fld_set}]}, - "threshold": {to:[{field: "rsa.misc.threshold", setter: fld_set}]}, - "time": {convert: to_date, to:[{field: "rsa.internal.time", setter: fld_set}]}, - "timestamp": {to:[{field: "rsa.time.timestamp", setter: fld_set}]}, - "timezone": {to:[{field: "rsa.time.timezone", setter: fld_set}]}, - "to": {to:[{field: "rsa.email.email_dst", setter: fld_set}]}, - "tos": {convert: to_long, to:[{field: "rsa.misc.tos", setter: fld_set}]}, - "trans_from": {to:[{field: "rsa.email.trans_from", setter: fld_set}]}, - "trans_id": {to:[{field: "rsa.db.transact_id", setter: fld_set}]}, - "trans_to": {to:[{field: "rsa.email.trans_to", setter: fld_set}]}, - "trigger_desc": {to:[{field: "rsa.misc.trigger_desc", setter: fld_set}]}, - "trigger_val": {to:[{field: "rsa.misc.trigger_val", setter: fld_set}]}, - "type": {to:[{field: "rsa.misc.type", setter: fld_set}]}, - "type1": {to:[{field: "rsa.misc.type1", setter: fld_set}]}, - "tzone": {to:[{field: "rsa.time.tzone", setter: fld_set}]}, - "ubc.req": {convert: to_long, to:[{field: "rsa.internal.ubc_req", setter: fld_set}]}, - "ubc.res": {convert: to_long, to:[{field: "rsa.internal.ubc_res", setter: fld_set}]}, - "udb_class": {to:[{field: "rsa.misc.udb_class", setter: fld_set}]}, - "url_fld": {to:[{field: "rsa.misc.url_fld", setter: fld_set}]}, - "urlpage": {to:[{field: "rsa.web.urlpage", setter: fld_set}]}, - "urlroot": {to:[{field: "rsa.web.urlroot", setter: fld_set}]}, - "user_address": {to:[{field: "rsa.email.email", setter: fld_append}]}, - "user_dept": {to:[{field: 
"rsa.identity.user_dept", setter: fld_set}]}, - "user_div": {to:[{field: "rsa.misc.user_div", setter: fld_set}]}, - "user_fname": {to:[{field: "rsa.identity.firstname", setter: fld_set}]}, - "user_lname": {to:[{field: "rsa.identity.lastname", setter: fld_set}]}, - "user_mname": {to:[{field: "rsa.identity.middlename", setter: fld_set}]}, - "user_org": {to:[{field: "rsa.identity.org", setter: fld_set}]}, - "user_role": {to:[{field: "rsa.identity.user_role", setter: fld_set}]}, - "userid": {to:[{field: "rsa.misc.userid", setter: fld_set}]}, - "username_fld": {to:[{field: "rsa.misc.username_fld", setter: fld_set}]}, - "utcstamp": {to:[{field: "rsa.misc.utcstamp", setter: fld_set}]}, - "v_instafname": {to:[{field: "rsa.misc.v_instafname", setter: fld_set}]}, - "vendor_event_cat": {to:[{field: "rsa.investigations.event_vcat", setter: fld_set}]}, - "version": {to:[{field: "rsa.misc.version", setter: fld_set}]}, - "vid": {to:[{field: "rsa.internal.msg_vid", setter: fld_set}]}, - "virt_data": {to:[{field: "rsa.misc.virt_data", setter: fld_set}]}, - "virusname": {to:[{field: "rsa.misc.virusname", setter: fld_set}]}, - "vlan": {convert: to_long, to:[{field: "rsa.network.vlan", setter: fld_set}]}, - "vlan.name": {to:[{field: "rsa.network.vlan_name", setter: fld_set}]}, - "vm_target": {to:[{field: "rsa.misc.vm_target", setter: fld_set}]}, - "vpnid": {to:[{field: "rsa.misc.vpnid", setter: fld_set}]}, - "vsys": {to:[{field: "rsa.misc.vsys", setter: fld_set}]}, - "vuln_ref": {to:[{field: "rsa.misc.vuln_ref", setter: fld_set}]}, - "web_cookie": {to:[{field: "rsa.web.web_cookie", setter: fld_set}]}, - "web_extension_tmp": {to:[{field: "rsa.web.web_extension_tmp", setter: fld_set}]}, - "web_host": {to:[{field: "rsa.web.alias_host", setter: fld_set}]}, - "web_method": {to:[{field: "rsa.misc.action", setter: fld_append}]}, - "web_page": {to:[{field: "rsa.web.web_page", setter: fld_set}]}, - "web_ref_domain": {to:[{field: "rsa.web.web_ref_domain", setter: fld_set}]}, - "web_ref_host": 
{to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "web_ref_page": {to:[{field: "rsa.web.web_ref_page", setter: fld_set}]}, - "web_ref_query": {to:[{field: "rsa.web.web_ref_query", setter: fld_set}]}, - "web_ref_root": {to:[{field: "rsa.web.web_ref_root", setter: fld_set}]}, - "wifi_channel": {convert: to_long, to:[{field: "rsa.wireless.wlan_channel", setter: fld_set}]}, - "wlan": {to:[{field: "rsa.wireless.wlan_name", setter: fld_set}]}, - "word": {to:[{field: "rsa.internal.word", setter: fld_set}]}, - "workspace_desc": {to:[{field: "rsa.misc.workspace", setter: fld_set}]}, - "workstation": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "year": {to:[{field: "rsa.time.year", setter: fld_set}]}, - "zone": {to:[{field: "rsa.network.zone", setter: fld_set}]}, - }; - - function to_date(value) { - switch (typeof (value)) { - case "object": - // This is a Date. But as it was obtained from evt.Get(), the VM - // doesn't see it as a JS Date anymore, thus value instanceof Date === false. - // Have to trust that any object here is a valid Date for Go. - return value; - case "string": - var asDate = new Date(value); - if (!isNaN(asDate)) return asDate; - } - } - - // ECMAScript 5.1 doesn't have Object.MAX_SAFE_INTEGER / Object.MIN_SAFE_INTEGER. - var maxSafeInt = Math.pow(2, 53) - 1; - var minSafeInt = -maxSafeInt; - - function to_long(value) { - var num = parseInt(value); - // Better not to index a number if it's not safe (above 53 bits). - return !isNaN(num) && minSafeInt <= num && num <= maxSafeInt ? 
num : undefined; - } - - function to_ip(value) { - if (value.indexOf(":") === -1) - return to_ipv4(value); - return to_ipv6(value); - } - - var ipv4_regex = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/; - var ipv6_hex_regex = /^[0-9A-Fa-f]{1,4}$/; - - function to_ipv4(value) { - var result = ipv4_regex.exec(value); - if (result == null || result.length !== 5) return; - for (var i = 1; i < 5; i++) { - var num = strictToInt(result[i]); - if (isNaN(num) || num < 0 || num > 255) return; - } - return value; - } - - function to_ipv6(value) { - var sqEnd = value.indexOf("]"); - if (sqEnd > -1) { - if (value.charAt(0) !== "[") return; - value = value.substr(1, sqEnd - 1); - } - var zoneOffset = value.indexOf("%"); - if (zoneOffset > -1) { - value = value.substr(0, zoneOffset); - } - var parts = value.split(":"); - if (parts == null || parts.length < 3 || parts.length > 8) return; - var numEmpty = 0; - var innerEmpty = 0; - for (var i = 0; i < parts.length; i++) { - if (parts[i].length === 0) { - numEmpty++; - if (i > 0 && i + 1 < parts.length) innerEmpty++; - } else if (!parts[i].match(ipv6_hex_regex) && - // Accept an IPv6 with a valid IPv4 at the end. - ((i + 1 < parts.length) || !to_ipv4(parts[i]))) { - return; - } - } - return innerEmpty === 0 && parts.length === 8 || innerEmpty === 1 ? value : undefined; - } - - function to_double(value) { - return parseFloat(value); - } - - function to_mac(value) { - // ES doesn't have a mac datatype so it's safe to ingest whatever was captured. - return value; - } - - function to_lowercase(value) { - // to_lowercase is used against keyword fields, which can accept - // any other type (numbers, dates). - return typeof(value) === "string"? 
value.toLowerCase() : value; - } - - function fld_set(dst, value) { - dst[this.field] = { v: value }; - } - - function fld_append(dst, value) { - if (dst[this.field] === undefined) { - dst[this.field] = { v: [value] }; - } else { - var base = dst[this.field]; - if (base.v.indexOf(value)===-1) base.v.push(value); - } - } - - function fld_prio(dst, value) { - if (dst[this.field] === undefined) { - dst[this.field] = { v: value, prio: this.prio}; - } else if(this.prio < dst[this.field].prio) { - dst[this.field].v = value; - dst[this.field].prio = this.prio; - } - } - - var valid_ecs_outcome = { - 'failure': true, - 'success': true, - 'unknown': true - }; - - function fld_ecs_outcome(dst, value) { - value = value.toLowerCase(); - if (valid_ecs_outcome[value] === undefined) { - value = 'unknown'; - } - if (dst[this.field] === undefined) { - dst[this.field] = { v: value }; - } else if (dst[this.field].v === 'unknown') { - dst[this.field] = { v: value }; - } - } - - function map_all(evt, targets, value) { - for (var i = 0; i < targets.length; i++) { - evt.Put(targets[i], value); - } - } - - function populate_fields(evt) { - var base = evt.Get(FIELDS_OBJECT); - if (base === null) return; - alternate_datetime(evt); - if (map_ecs) { - do_populate(evt, base, ecs_mappings); - } - if (map_rsa) { - do_populate(evt, base, rsa_mappings); - } - if (keep_raw) { - evt.Put("rsa.raw", base); - } - evt.Delete(FIELDS_OBJECT); - } - - var datetime_alt_components = [ - {field: "day", fmts: [[dF]]}, - {field: "year", fmts: [[dW]]}, - {field: "month", fmts: [[dB],[dG]]}, - {field: "date", fmts: [[dW,dSkip,dG,dSkip,dF],[dW,dSkip,dB,dSkip,dF],[dW,dSkip,dR,dSkip,dF]]}, - {field: "hour", fmts: [[dN]]}, - {field: "min", fmts: [[dU]]}, - {field: "secs", fmts: [[dO]]}, - {field: "time", fmts: [[dN, dSkip, dU, dSkip, dO]]}, - ]; - - function alternate_datetime(evt) { - if (evt.Get(FIELDS_PREFIX + "event_time") != null) { - return; - } - var tzOffset = tz_offset; - if (tzOffset === "event") { - 
tzOffset = evt.Get("event.timezone"); - } - var container = new DateContainer(tzOffset); - for (var i=0; i} for %{p0}"); - - var dup7 = match("MESSAGE#2:00001:02/1_1", "nwparser.p0", "domain address %{domain->} in zone %{p0}"); - - var dup8 = match("MESSAGE#4:00001:04/3_0", "nwparser.p0", " (%{fld1})"); - - var dup9 = date_time({ - dest: "event_time", - args: ["fld1"], - fmts: [ - [dW,dc("-"),dG,dc("-"),dF,dH,dc(":"),dU,dc(":"),dO], - ], - }); - - var dup10 = match("MESSAGE#5:00001:05/1_0", "nwparser.p0", "(%{fld1})"); - - var dup11 = match_copy("MESSAGE#5:00001:05/1_1", "nwparser.p0", "fld1"); - - var dup12 = match("MESSAGE#8:00001:08/0", "nwparser.payload", "Address %{p0}"); - - var dup13 = match("MESSAGE#8:00001:08/1_0", "nwparser.p0", "MIP(%{interface}) %{p0}"); - - var dup14 = match("MESSAGE#8:00001:08/1_1", "nwparser.p0", "%{group_object->} %{p0}"); - - var dup15 = match("MESSAGE#8:00001:08/3_0", "nwparser.p0", "admin %{p0}"); - - var dup16 = match_copy("MESSAGE#8:00001:08/3_1", "nwparser.p0", "p0"); - - var dup17 = setc("eventcategory","1502000000"); - - var dup18 = setc("eventcategory","1703000000"); - - var dup19 = setc("eventcategory","1603000000"); - - var dup20 = match("MESSAGE#25:00002:20/1_1", "nwparser.p0", "from host %{saddr->} "); - - var dup21 = match_copy("MESSAGE#25:00002:20/1_2", "nwparser.p0", ""); - - var dup22 = setc("eventcategory","1502050000"); - - var dup23 = match("MESSAGE#26:00002:21/1", "nwparser.p0", "%{p0}"); - - var dup24 = match("MESSAGE#26:00002:21/2_0", "nwparser.p0", "password %{p0}"); - - var dup25 = match("MESSAGE#26:00002:21/2_1", "nwparser.p0", "name %{p0}"); - - var dup26 = match_copy("MESSAGE#27:00002:22/1_2", "nwparser.p0", "administrator"); - - var dup27 = setc("eventcategory","1801010000"); - - var dup28 = setc("eventcategory","1401060000"); - - var dup29 = setc("ec_subject","User"); - - var dup30 = setc("ec_activity","Logon"); - - var dup31 = setc("ec_theme","Authentication"); - - var dup32 = 
setc("ec_outcome","Success"); - - var dup33 = setc("eventcategory","1401070000"); - - var dup34 = setc("ec_activity","Logoff"); - - var dup35 = setc("eventcategory","1303000000"); - - var dup36 = match_copy("MESSAGE#42:00002:38/1_1", "nwparser.p0", "disposition"); - - var dup37 = setc("eventcategory","1402020200"); - - var dup38 = setc("ec_theme","UserGroup"); - - var dup39 = setc("ec_outcome","Error"); - - var dup40 = match("MESSAGE#46:00002:42/1_1", "nwparser.p0", "via %{p0}"); - - var dup41 = match("MESSAGE#46:00002:42/4", "nwparser.p0", "%{fld1})"); - - var dup42 = setc("eventcategory","1402020300"); - - var dup43 = setc("ec_activity","Modify"); - - var dup44 = setc("eventcategory","1605000000"); - - var dup45 = match("MESSAGE#52:00002:48/3_1", "nwparser.p0", "%{logon_type->} from host %{saddr->} to %{daddr}:%{dport}. (%{p0}"); - - var dup46 = match("MESSAGE#53:00002:52/3_0", "nwparser.p0", "admin %{administrator->} via %{p0}"); - - var dup47 = match("MESSAGE#53:00002:52/3_2", "nwparser.p0", "%{username->} via %{p0}"); - - var dup48 = match("MESSAGE#53:00002:52/4_0", "nwparser.p0", "NSRP Peer . (%{p0}"); - - var dup49 = match("MESSAGE#55:00002:54/2", "nwparser.p0", ". 
(%{fld1})"); - - var dup50 = setc("eventcategory","1701020000"); - - var dup51 = setc("ec_theme","Configuration"); - - var dup52 = match("MESSAGE#56:00002/1_1", "nwparser.p0", "changed%{p0}"); - - var dup53 = setc("eventcategory","1301000000"); - - var dup54 = setc("ec_outcome","Failure"); - - var dup55 = match("MESSAGE#61:00003:05/0", "nwparser.payload", "The %{p0}"); - - var dup56 = match("MESSAGE#66:00004:04/1_0", "nwparser.p0", "interface%{p0}"); - - var dup57 = match("MESSAGE#66:00004:04/1_1", "nwparser.p0", "Interface%{p0}"); - - var dup58 = setc("eventcategory","1001000000"); - - var dup59 = setc("dclass_counter1_string","Number of times the attack occurred"); - - var dup60 = call({ - dest: "nwparser.inout", - fn: DIRCHK, - args: [ - field("$OUT"), - field("saddr"), - field("daddr"), - ], - }); - - var dup61 = call({ - dest: "nwparser.inout", - fn: DIRCHK, - args: [ - field("$OUT"), - field("saddr"), - field("daddr"), - field("sport"), - field("dport"), - ], - }); - - var dup62 = setc("eventcategory","1608010000"); - - var dup63 = match("MESSAGE#76:00004:14/0", "nwparser.payload", "DNS entries have been %{p0}"); - - var dup64 = match("MESSAGE#79:00004:17/0", "nwparser.payload", "%{signame->} From %{saddr->} to %{daddr}, proto %{protocol->} (zone %{p0}"); - - var dup65 = match("MESSAGE#79:00004:17/1_0", "nwparser.p0", "%{zone}, %{p0}"); - - var dup66 = match("MESSAGE#79:00004:17/1_1", "nwparser.p0", "%{zone->} %{p0}"); - - var dup67 = match("MESSAGE#79:00004:17/2", "nwparser.p0", "int %{interface}).%{space}Occurred %{dclass_counter1->} times. 
(%{fld1})"); - - var dup68 = match("MESSAGE#83:00005:03/1_0", "nwparser.p0", "%{dport},%{p0}"); - - var dup69 = match("MESSAGE#83:00005:03/1_1", "nwparser.p0", "%{dport->} %{p0}"); - - var dup70 = match("MESSAGE#83:00005:03/2", "nwparser.p0", "%{space}using protocol %{p0}"); - - var dup71 = match("MESSAGE#83:00005:03/3_0", "nwparser.p0", "%{protocol},%{p0}"); - - var dup72 = match("MESSAGE#83:00005:03/3_1", "nwparser.p0", "%{protocol->} %{p0}"); - - var dup73 = match("MESSAGE#83:00005:03/5_1", "nwparser.p0", ". %{p0}"); - - var dup74 = match("MESSAGE#86:00005:06/0_0", "nwparser.payload", "%{fld2}: SYN %{p0}"); - - var dup75 = match("MESSAGE#86:00005:06/0_1", "nwparser.payload", "SYN %{p0}"); - - var dup76 = match("MESSAGE#87:00005:07/1_2", "nwparser.p0", "timeout value %{p0}"); - - var dup77 = match("MESSAGE#88:00005:08/2_0", "nwparser.p0", "destination %{p0}"); - - var dup78 = match("MESSAGE#88:00005:08/2_1", "nwparser.p0", "source %{p0}"); - - var dup79 = match("MESSAGE#97:00005:17/0", "nwparser.payload", "A %{p0}"); - - var dup80 = match("MESSAGE#98:00005:18/0", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to %{daddr}:%{dport}, proto %{protocol->} (zone %{zone->} %{p0}"); - - var dup81 = match("MESSAGE#98:00005:18/1_0", "nwparser.p0", ", int %{p0}"); - - var dup82 = match("MESSAGE#98:00005:18/1_1", "nwparser.p0", "int %{p0}"); - - var dup83 = match("MESSAGE#98:00005:18/2", "nwparser.p0", "%{interface}).%{space}Occurred %{dclass_counter1->} times. 
(%{fld1})"); - - var dup84 = setc("eventcategory","1002020000"); - - var dup85 = setc("eventcategory","1002000000"); - - var dup86 = setc("eventcategory","1603110000"); - - var dup87 = match("MESSAGE#111:00007:04/0", "nwparser.payload", "HA %{p0}"); - - var dup88 = match("MESSAGE#111:00007:04/1_0", "nwparser.p0", "encryption %{p0}"); - - var dup89 = match("MESSAGE#111:00007:04/1_1", "nwparser.p0", "authentication %{p0}"); - - var dup90 = match("MESSAGE#111:00007:04/3_1", "nwparser.p0", "key %{p0}"); - - var dup91 = setc("eventcategory","1613040200"); - - var dup92 = match("MESSAGE#118:00007:11/1_0", "nwparser.p0", "disabled%{}"); - - var dup93 = match("MESSAGE#118:00007:11/1_1", "nwparser.p0", "set to %{trigger_val}"); - - var dup94 = match("MESSAGE#127:00007:21/1_0", "nwparser.p0", "up%{}"); - - var dup95 = match("MESSAGE#127:00007:21/1_1", "nwparser.p0", "down%{}"); - - var dup96 = match("MESSAGE#139:00007:33/2_1", "nwparser.p0", " %{p0}"); - - var dup97 = setc("eventcategory","1613050200"); - - var dup98 = match("MESSAGE#143:00007:37/1_0", "nwparser.p0", "set%{}"); - - var dup99 = match("MESSAGE#143:00007:37/1_1", "nwparser.p0", "unset%{}"); - - var dup100 = match("MESSAGE#144:00007:38/1_0", "nwparser.p0", "undefined %{p0}"); - - var dup101 = match("MESSAGE#144:00007:38/1_1", "nwparser.p0", "set %{p0}"); - - var dup102 = match("MESSAGE#144:00007:38/1_2", "nwparser.p0", "active %{p0}"); - - var dup103 = match("MESSAGE#144:00007:38/2", "nwparser.p0", "to %{p0}"); - - var dup104 = match("MESSAGE#157:00007:51/1_0", "nwparser.p0", "created %{p0}"); - - var dup105 = match("MESSAGE#157:00007:51/3_0", "nwparser.p0", ", %{p0}"); - - var dup106 = match("MESSAGE#157:00007:51/5_0", "nwparser.p0", "is %{p0}"); - - var dup107 = match("MESSAGE#157:00007:51/5_1", "nwparser.p0", "was %{p0}"); - - var dup108 = match("MESSAGE#157:00007:51/6", "nwparser.p0", "%{fld2}"); - - var dup109 = match("MESSAGE#163:00007:57/1_0", "nwparser.p0", "threshold %{p0}"); - - var dup110 = 
match("MESSAGE#163:00007:57/1_1", "nwparser.p0", "interval %{p0}"); - - var dup111 = match("MESSAGE#163:00007:57/3_0", "nwparser.p0", "of %{p0}"); - - var dup112 = match("MESSAGE#163:00007:57/3_1", "nwparser.p0", "that %{p0}"); - - var dup113 = match("MESSAGE#170:00007:64/0_0", "nwparser.payload", "Zone %{p0}"); - - var dup114 = match("MESSAGE#170:00007:64/0_1", "nwparser.payload", "Interface %{p0}"); - - var dup115 = match("MESSAGE#172:00007:66/2_1", "nwparser.p0", "n %{p0}"); - - var dup116 = match("MESSAGE#174:00007:68/4", "nwparser.p0", ".%{}"); - - var dup117 = setc("eventcategory","1603090000"); - - var dup118 = match("MESSAGE#195:00009:06/1", "nwparser.p0", "for %{p0}"); - - var dup119 = match("MESSAGE#195:00009:06/2_0", "nwparser.p0", "the %{p0}"); - - var dup120 = match("MESSAGE#195:00009:06/4_0", "nwparser.p0", "removed %{p0}"); - - var dup121 = setc("eventcategory","1603030000"); - - var dup122 = match("MESSAGE#202:00009:14/2_0", "nwparser.p0", "interface %{p0}"); - - var dup123 = match("MESSAGE#202:00009:14/2_1", "nwparser.p0", "the interface %{p0}"); - - var dup124 = match_copy("MESSAGE#202:00009:14/4_1", "nwparser.p0", "interface"); - - var dup125 = match("MESSAGE#203:00009:15/1_1", "nwparser.p0", "s %{p0}"); - - var dup126 = match("MESSAGE#203:00009:15/2", "nwparser.p0", "on interface %{interface->} %{p0}"); - - var dup127 = match("MESSAGE#203:00009:15/3_0", "nwparser.p0", "has been %{p0}"); - - var dup128 = match("MESSAGE#203:00009:15/4", "nwparser.p0", "%{disposition}."); - - var dup129 = match("MESSAGE#204:00009:16/3_0", "nwparser.p0", "removed from %{p0}"); - - var dup130 = match("MESSAGE#204:00009:16/3_1", "nwparser.p0", "added to %{p0}"); - - var dup131 = match("MESSAGE#210:00009:21/2", "nwparser.p0", "%{interface}). Occurred %{dclass_counter1->} times. 
(%{fld1})"); - - var dup132 = match("MESSAGE#219:00010:03/0", "nwparser.payload", "%{signame->} From %{saddr->} to %{daddr}, proto %{protocol->} (zone %{zone->} %{p0}"); - - var dup133 = match("MESSAGE#224:00011:04/1_1", "nwparser.p0", "Interface %{p0}"); - - var dup134 = match("MESSAGE#233:00011:14/1_0", "nwparser.p0", "set to %{fld2}"); - - var dup135 = match("MESSAGE#237:00011:18/4_1", "nwparser.p0", "gateway %{p0}"); - - var dup136 = match("MESSAGE#238:00011:19/6", "nwparser.p0", "%{} %{disposition}"); - - var dup137 = match("MESSAGE#274:00015:02/1_1", "nwparser.p0", "port number %{p0}"); - - var dup138 = match("MESSAGE#274:00015:02/2", "nwparser.p0", "has been %{disposition}"); - - var dup139 = match("MESSAGE#276:00015:04/1_0", "nwparser.p0", "IP %{p0}"); - - var dup140 = match("MESSAGE#276:00015:04/1_1", "nwparser.p0", "port %{p0}"); - - var dup141 = setc("eventcategory","1702030000"); - - var dup142 = match("MESSAGE#284:00015:12/3_0", "nwparser.p0", "up %{p0}"); - - var dup143 = match("MESSAGE#284:00015:12/3_1", "nwparser.p0", "down %{p0}"); - - var dup144 = setc("eventcategory","1601000000"); - - var dup145 = match("MESSAGE#294:00015:22/2_0", "nwparser.p0", "(%{fld1}) "); - - var dup146 = date_time({ - dest: "event_time", - args: ["fld2"], - fmts: [ - [dW,dc("-"),dG,dc("-"),dF,dH,dc(":"),dU,dc(":"),dO], - ], - }); - - var dup147 = setc("eventcategory","1103000000"); - - var dup148 = setc("ec_subject","NetworkComm"); - - var dup149 = setc("ec_activity","Scan"); - - var dup150 = setc("ec_theme","TEV"); - - var dup151 = setc("eventcategory","1103010000"); - - var dup152 = match("MESSAGE#317:00017:01/2_0", "nwparser.p0", ": %{p0}"); - - var dup153 = match("MESSAGE#320:00017:04/0", "nwparser.payload", "IP %{p0}"); - - var dup154 = match("MESSAGE#320:00017:04/1_0", "nwparser.p0", "address pool %{p0}"); - - var dup155 = match("MESSAGE#320:00017:04/1_1", "nwparser.p0", "pool %{p0}"); - - var dup156 = match("MESSAGE#326:00017:10/1_0", "nwparser.p0", "enabled 
%{p0}"); - - var dup157 = match("MESSAGE#326:00017:10/1_1", "nwparser.p0", "disabled %{p0}"); - - var dup158 = match("MESSAGE#332:00017:15/1_0", "nwparser.p0", "AH %{p0}"); - - var dup159 = match("MESSAGE#332:00017:15/1_1", "nwparser.p0", "ESP %{p0}"); - - var dup160 = match("MESSAGE#354:00018:11/0", "nwparser.payload", "%{} %{p0}"); - - var dup161 = match("MESSAGE#356:00018:32/0_0", "nwparser.payload", "Source%{p0}"); - - var dup162 = match("MESSAGE#356:00018:32/0_1", "nwparser.payload", "Destination%{p0}"); - - var dup163 = match("MESSAGE#356:00018:32/2_0", "nwparser.p0", "from %{p0}"); - - var dup164 = match("MESSAGE#356:00018:32/3", "nwparser.p0", "policy ID %{policy_id->} by admin %{administrator->} via NSRP Peer . (%{fld1})"); - - var dup165 = match("MESSAGE#375:00019:01/0", "nwparser.payload", "Attempt to enable %{p0}"); - - var dup166 = match("MESSAGE#375:00019:01/1_0", "nwparser.p0", "traffic logging via syslog %{p0}"); - - var dup167 = match("MESSAGE#375:00019:01/1_1", "nwparser.p0", "syslog %{p0}"); - - var dup168 = match("MESSAGE#378:00019:04/0", "nwparser.payload", "Syslog %{p0}"); - - var dup169 = match("MESSAGE#378:00019:04/1_0", "nwparser.p0", "host %{p0}"); - - var dup170 = match("MESSAGE#378:00019:04/3_1", "nwparser.p0", "domain name %{p0}"); - - var dup171 = match("MESSAGE#378:00019:04/4", "nwparser.p0", "has been changed to %{fld2}"); - - var dup172 = match("MESSAGE#380:00019:06/1_0", "nwparser.p0", "security facility %{p0}"); - - var dup173 = match("MESSAGE#380:00019:06/1_1", "nwparser.p0", "facility %{p0}"); - - var dup174 = match("MESSAGE#380:00019:06/3_0", "nwparser.p0", "local0%{}"); - - var dup175 = match("MESSAGE#380:00019:06/3_1", "nwparser.p0", "local1%{}"); - - var dup176 = match("MESSAGE#380:00019:06/3_2", "nwparser.p0", "local2%{}"); - - var dup177 = match("MESSAGE#380:00019:06/3_3", "nwparser.p0", "local3%{}"); - - var dup178 = match("MESSAGE#380:00019:06/3_4", "nwparser.p0", "local4%{}"); - - var dup179 = 
match("MESSAGE#380:00019:06/3_5", "nwparser.p0", "local5%{}"); - - var dup180 = match("MESSAGE#380:00019:06/3_6", "nwparser.p0", "local6%{}"); - - var dup181 = match("MESSAGE#380:00019:06/3_7", "nwparser.p0", "local7%{}"); - - var dup182 = match("MESSAGE#380:00019:06/3_8", "nwparser.p0", "auth/sec%{}"); - - var dup183 = match("MESSAGE#384:00019:10/0", "nwparser.payload", "%{fld2->} %{p0}"); - - var dup184 = setc("eventcategory","1603020000"); - - var dup185 = setc("eventcategory","1803000000"); - - var dup186 = match("MESSAGE#405:00022/0", "nwparser.payload", "All %{p0}"); - - var dup187 = setc("eventcategory","1603010000"); - - var dup188 = setc("eventcategory","1603100000"); - - var dup189 = match("MESSAGE#414:00022:09/1_0", "nwparser.p0", "primary %{p0}"); - - var dup190 = match("MESSAGE#414:00022:09/1_1", "nwparser.p0", "secondary %{p0}"); - - var dup191 = match("MESSAGE#414:00022:09/3_0", "nwparser.p0", "t %{p0}"); - - var dup192 = match("MESSAGE#414:00022:09/3_1", "nwparser.p0", "w %{p0}"); - - var dup193 = match("MESSAGE#423:00024/1", "nwparser.p0", "server %{p0}"); - - var dup194 = match("MESSAGE#426:00024:03/1_0", "nwparser.p0", "has %{p0}"); - - var dup195 = match("MESSAGE#434:00026:01/0", "nwparser.payload", "SCS%{p0}"); - - var dup196 = match("MESSAGE#434:00026:01/3_0", "nwparser.p0", "bound to %{p0}"); - - var dup197 = match("MESSAGE#434:00026:01/3_1", "nwparser.p0", "unbound from %{p0}"); - - var dup198 = setc("eventcategory","1801030000"); - - var dup199 = setc("eventcategory","1302010200"); - - var dup200 = match("MESSAGE#441:00026:08/1_1", "nwparser.p0", "PKA RSA %{p0}"); - - var dup201 = match("MESSAGE#443:00026:10/3_1", "nwparser.p0", "unbind %{p0}"); - - var dup202 = match("MESSAGE#443:00026:10/4", "nwparser.p0", "PKA key %{p0}"); - - var dup203 = setc("eventcategory","1304000000"); - - var dup204 = match("MESSAGE#446:00027/0", "nwparser.payload", "Multiple login failures %{p0}"); - - var dup205 = match("MESSAGE#446:00027/1_0", "nwparser.p0", 
"occurred for %{p0}"); - - var dup206 = setc("eventcategory","1401030000"); - - var dup207 = match("MESSAGE#451:00027:05/5_0", "nwparser.p0", "aborted%{}"); - - var dup208 = match("MESSAGE#451:00027:05/5_1", "nwparser.p0", "performed%{}"); - - var dup209 = setc("eventcategory","1605020000"); - - var dup210 = match("MESSAGE#466:00029:03/0", "nwparser.payload", "IP pool of DHCP server on %{p0}"); - - var dup211 = setc("ec_subject","Certificate"); - - var dup212 = match("MESSAGE#492:00030:17/1_0", "nwparser.p0", "certificate %{p0}"); - - var dup213 = match("MESSAGE#492:00030:17/1_1", "nwparser.p0", "CRL %{p0}"); - - var dup214 = match("MESSAGE#493:00030:40/1_0", "nwparser.p0", "auto %{p0}"); - - var dup215 = match("MESSAGE#508:00030:55/1_0", "nwparser.p0", "RSA %{p0}"); - - var dup216 = match("MESSAGE#508:00030:55/1_1", "nwparser.p0", "DSA %{p0}"); - - var dup217 = match("MESSAGE#508:00030:55/2", "nwparser.p0", "key pair.%{}"); - - var dup218 = setc("ec_subject","CryptoKey"); - - var dup219 = setc("ec_subject","Configuration"); - - var dup220 = setc("ec_activity","Request"); - - var dup221 = match("MESSAGE#539:00030:86/0", "nwparser.payload", "FIPS test for %{p0}"); - - var dup222 = match("MESSAGE#539:00030:86/1_0", "nwparser.p0", "ECDSA %{p0}"); - - var dup223 = setc("eventcategory","1612000000"); - - var dup224 = match("MESSAGE#543:00031:02/1_0", "nwparser.p0", "yes %{p0}"); - - var dup225 = match("MESSAGE#543:00031:02/1_1", "nwparser.p0", "no %{p0}"); - - var dup226 = match("MESSAGE#545:00031:04/1_1", "nwparser.p0", "location %{p0}"); - - var dup227 = match("MESSAGE#548:00031:05/2", "nwparser.p0", "%{} %{interface}"); - - var dup228 = match("MESSAGE#549:00031:06/0", "nwparser.payload", "arp re%{p0}"); - - var dup229 = match("MESSAGE#549:00031:06/1_1", "nwparser.p0", "q %{p0}"); - - var dup230 = match("MESSAGE#549:00031:06/1_2", "nwparser.p0", "ply %{p0}"); - - var dup231 = match("MESSAGE#549:00031:06/9_0", "nwparser.p0", "%{interface->} (%{fld1})"); - - var dup232 
= setc("eventcategory","1201000000"); - - var dup233 = match("MESSAGE#561:00033/0_0", "nwparser.payload", "Global PRO %{p0}"); - - var dup234 = match("MESSAGE#561:00033/0_1", "nwparser.payload", "%{fld3->} %{p0}"); - - var dup235 = match("MESSAGE#569:00033:08/0", "nwparser.payload", "NACN Policy Manager %{p0}"); - - var dup236 = match("MESSAGE#569:00033:08/1_0", "nwparser.p0", "1 %{p0}"); - - var dup237 = match("MESSAGE#569:00033:08/1_1", "nwparser.p0", "2 %{p0}"); - - var dup238 = match("MESSAGE#571:00033:10/3_1", "nwparser.p0", "unset %{p0}"); - - var dup239 = match("MESSAGE#581:00033:21/0", "nwparser.payload", "%{signame}! From %{saddr}:%{sport->} to %{daddr}:%{dport}, proto %{protocol->} (zone %{zone->} %{p0}"); - - var dup240 = setc("eventcategory","1401000000"); - - var dup241 = match("MESSAGE#586:00034:01/2_1", "nwparser.p0", "SSH %{p0}"); - - var dup242 = match("MESSAGE#588:00034:03/0_0", "nwparser.payload", "SCS: NetScreen %{p0}"); - - var dup243 = match("MESSAGE#588:00034:03/0_1", "nwparser.payload", "NetScreen %{p0}"); - - var dup244 = match("MESSAGE#595:00034:10/0", "nwparser.payload", "S%{p0}"); - - var dup245 = match("MESSAGE#595:00034:10/1_0", "nwparser.p0", "CS: SSH%{p0}"); - - var dup246 = match("MESSAGE#595:00034:10/1_1", "nwparser.p0", "SH%{p0}"); - - var dup247 = match("MESSAGE#596:00034:12/3_0", "nwparser.p0", "the root system %{p0}"); - - var dup248 = match("MESSAGE#596:00034:12/3_1", "nwparser.p0", "vsys %{fld2->} %{p0}"); - - var dup249 = match("MESSAGE#599:00034:18/1_0", "nwparser.p0", "CS: SSH %{p0}"); - - var dup250 = match("MESSAGE#599:00034:18/1_1", "nwparser.p0", "SH %{p0}"); - - var dup251 = match("MESSAGE#630:00035:06/1_0", "nwparser.p0", "a %{p0}"); - - var dup252 = match("MESSAGE#630:00035:06/1_1", "nwparser.p0", "ert %{p0}"); - - var dup253 = match("MESSAGE#633:00035:09/0", "nwparser.payload", "SSL %{p0}"); - - var dup254 = setc("eventcategory","1608000000"); - - var dup255 = match("MESSAGE#644:00037:01/1_0", "nwparser.p0", "id: 
%{p0}"); - - var dup256 = match("MESSAGE#644:00037:01/1_1", "nwparser.p0", "ID %{p0}"); - - var dup257 = match("MESSAGE#659:00044/1_0", "nwparser.p0", "permit %{p0}"); - - var dup258 = match("MESSAGE#675:00055/0", "nwparser.payload", "IGMP %{p0}"); - - var dup259 = match("MESSAGE#677:00055:02/0", "nwparser.payload", "IGMP will %{p0}"); - - var dup260 = match("MESSAGE#677:00055:02/1_0", "nwparser.p0", "not do %{p0}"); - - var dup261 = match("MESSAGE#677:00055:02/1_1", "nwparser.p0", "do %{p0}"); - - var dup262 = match("MESSAGE#689:00059/1_1", "nwparser.p0", "shut down %{p0}"); - - var dup263 = match("MESSAGE#707:00070/0", "nwparser.payload", "NSRP: %{p0}"); - - var dup264 = match("MESSAGE#707:00070/1_0", "nwparser.p0", "Unit %{p0}"); - - var dup265 = match("MESSAGE#707:00070/1_1", "nwparser.p0", "local unit= %{p0}"); - - var dup266 = match("MESSAGE#707:00070/2", "nwparser.p0", "%{fld2->} of VSD group %{group->} %{info}"); - - var dup267 = match("MESSAGE#708:00070:01/0", "nwparser.payload", "The local device %{fld2->} in the Virtual Sec%{p0}"); - - var dup268 = match("MESSAGE#708:00070:01/1_0", "nwparser.p0", "ruity%{p0}"); - - var dup269 = match("MESSAGE#708:00070:01/1_1", "nwparser.p0", "urity%{p0}"); - - var dup270 = match("MESSAGE#713:00072:01/2", "nwparser.p0", "%{}Device group %{group->} changed state"); - - var dup271 = match("MESSAGE#717:00075/2", "nwparser.p0", "%{fld2->} of VSD group %{group->} %{info}"); - - var dup272 = setc("eventcategory","1805010000"); - - var dup273 = setc("eventcategory","1805000000"); - - var dup274 = date_time({ - dest: "starttime", - args: ["fld2"], - fmts: [ - [dW,dc("-"),dG,dc("-"),dF,dH,dc(":"),dU,dc(":"),dO], - ], - }); - - var dup275 = call({ - dest: "nwparser.bytes", - fn: CALC, - args: [ - field("sbytes"), - constant("+"), - field("rbytes"), - ], - }); - - var dup276 = setc("action","Deny"); - - var dup277 = setc("disposition","Deny"); - - var dup278 = setc("direction","outgoing"); - - var dup279 = call({ - dest: 
"nwparser.inout", - fn: DIRCHK, - args: [ - field("$IN"), - field("saddr"), - field("daddr"), - field("sport"), - field("dport"), - ], - }); - - var dup280 = setc("direction","incoming"); - - var dup281 = setc("eventcategory","1801000000"); - - var dup282 = setf("action","disposition"); - - var dup283 = match("MESSAGE#748:00257:19/0", "nwparser.payload", "start_time=%{p0}"); - - var dup284 = match("MESSAGE#748:00257:19/1_0", "nwparser.p0", "\\\"%{fld2}\\\"%{p0}"); - - var dup285 = match("MESSAGE#748:00257:19/1_1", "nwparser.p0", " \"%{fld2}\" %{p0}"); - - var dup286 = match_copy("MESSAGE#756:00257:10/1_1", "nwparser.p0", "daddr"); - - var dup287 = match("MESSAGE#760:00259/0_0", "nwparser.payload", "Admin %{p0}"); - - var dup288 = match("MESSAGE#760:00259/0_1", "nwparser.payload", "Vsys admin %{p0}"); - - var dup289 = match("MESSAGE#760:00259/2_1", "nwparser.p0", "Telnet %{p0}"); - - var dup290 = setc("eventcategory","1401050200"); - - var dup291 = call({ - dest: "nwparser.inout", - fn: DIRCHK, - args: [ - field("$IN"), - field("daddr"), - field("saddr"), - ], - }); - - var dup292 = call({ - dest: "nwparser.inout", - fn: DIRCHK, - args: [ - field("$IN"), - field("daddr"), - field("saddr"), - field("dport"), - field("sport"), - ], - }); - - var dup293 = match("MESSAGE#777:00406/2", "nwparser.p0", "%{interface}). Occurred %{dclass_counter1->} times."); - - var dup294 = match("MESSAGE#790:00423/2", "nwparser.p0", "%{interface}).%{space}Occurred %{dclass_counter1->} times."); - - var dup295 = match("MESSAGE#793:00430/2", "nwparser.p0", "%{interface}).%{space}Occurred %{dclass_counter1->} times.%{p0}"); - - var dup296 = match("MESSAGE#795:00431/0", "nwparser.payload", "%{obj_type->} %{disposition}! From %{saddr}:%{sport->} to %{daddr}:%{dport}, proto %{protocol->} (zone %{zone->} %{p0}"); - - var dup297 = setc("eventcategory","1204000000"); - - var dup298 = match("MESSAGE#797:00433/0", "nwparser.payload", "%{signame->} %{disposition}! 
From %{saddr}:%{sport->} to %{daddr}:%{dport}, proto %{protocol->} (zone %{zone->} %{p0}"); - - var dup299 = match("MESSAGE#804:00437:01/0", "nwparser.payload", "%{signame}! From %{saddr}:%{sport->} to %{daddr}:%{dport}, proto %{protocol->} (zone %{p0}"); - - var dup300 = match("MESSAGE#817:00511:01/1_0", "nwparser.p0", "%{administrator->} (%{fld1})"); - - var dup301 = setc("eventcategory","1801020000"); - - var dup302 = setc("disposition","failed"); - - var dup303 = match("MESSAGE#835:00515:04/2_1", "nwparser.p0", "ut %{p0}"); - - var dup304 = match("MESSAGE#835:00515:04/4_0", "nwparser.p0", "%{logon_type->} from %{saddr}:%{sport}"); - - var dup305 = match("MESSAGE#837:00515:05/1_0", "nwparser.p0", "user %{p0}"); - - var dup306 = match("MESSAGE#837:00515:05/5_0", "nwparser.p0", "the %{logon_type}"); - - var dup307 = match("MESSAGE#869:00519:01/1_0", "nwparser.p0", "WebAuth user %{p0}"); - - var dup308 = match("MESSAGE#876:00520:02/1_1", "nwparser.p0", "backup1 %{p0}"); - - var dup309 = match("MESSAGE#876:00520:02/1_2", "nwparser.p0", "backup2 %{p0}"); - - var dup310 = match("MESSAGE#890:00524:13/1_0", "nwparser.p0", ",%{p0}"); - - var dup311 = match("MESSAGE#901:00527/1_0", "nwparser.p0", "assigned %{p0}"); - - var dup312 = match("MESSAGE#901:00527/3_0", "nwparser.p0", "assigned to %{p0}"); - - var dup313 = setc("eventcategory","1803020000"); - - var dup314 = setc("eventcategory","1613030000"); - - var dup315 = match("MESSAGE#927:00528:15/1_0", "nwparser.p0", "'%{administrator}' %{p0}"); - - var dup316 = match("MESSAGE#930:00528:18/0", "nwparser.payload", "SSH: P%{p0}"); - - var dup317 = match("MESSAGE#930:00528:18/1_0", "nwparser.p0", "KA %{p0}"); - - var dup318 = match("MESSAGE#930:00528:18/1_1", "nwparser.p0", "assword %{p0}"); - - var dup319 = match("MESSAGE#930:00528:18/3_0", "nwparser.p0", "\\'%{administrator}\\' %{p0}"); - - var dup320 = match("MESSAGE#930:00528:18/4", "nwparser.p0", "at host %{saddr}"); - - var dup321 = match("MESSAGE#932:00528:19/0", 
"nwparser.payload", "%{}S%{p0}"); - - var dup322 = match("MESSAGE#932:00528:19/1_0", "nwparser.p0", "CS %{p0}"); - - var dup323 = setc("event_description","Cannot connect to NSM server"); - - var dup324 = setc("eventcategory","1603040000"); - - var dup325 = match("MESSAGE#1060:00553/2", "nwparser.p0", "from server.ini file.%{}"); - - var dup326 = match("MESSAGE#1064:00553:04/1_0", "nwparser.p0", "pattern %{p0}"); - - var dup327 = match("MESSAGE#1064:00553:04/1_1", "nwparser.p0", "server.ini %{p0}"); - - var dup328 = match("MESSAGE#1068:00553:08/2", "nwparser.p0", "file.%{}"); - - var dup329 = match("MESSAGE#1087:00554:04/1_1", "nwparser.p0", "AV pattern %{p0}"); - - var dup330 = match("MESSAGE#1116:00556:14/1_0", "nwparser.p0", "added into %{p0}"); - - var dup331 = match("MESSAGE#1157:00767:11/1_0", "nwparser.p0", "loader %{p0}"); - - var dup332 = call({ - dest: "nwparser.inout", - fn: DIRCHK, - args: [ - field("$OUT"), - field("daddr"), - field("saddr"), - field("dport"), - field("sport"), - ], - }); - - var dup333 = linear_select([ - dup10, - dup11, - ]); - - var dup334 = match("MESSAGE#7:00001:07", "nwparser.payload", "Policy ID=%{policy_id->} Rate=%{fld2->} exceeds threshold", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var dup335 = linear_select([ - dup13, - dup14, - ]); - - var dup336 = linear_select([ - dup15, - dup16, - ]); - - var dup337 = linear_select([ - dup56, - dup57, - ]); - - var dup338 = linear_select([ - dup65, - dup66, - ]); - - var dup339 = linear_select([ - dup68, - dup69, - ]); - - var dup340 = linear_select([ - dup71, - dup72, - ]); - - var dup341 = match("MESSAGE#84:00005:04", "nwparser.payload", "%{signame->} from %{saddr}/%{sport->} to %{daddr}/%{dport->} protocol %{protocol->} (%{interface})", processor_chain([ - dup58, - dup2, - dup3, - dup4, - dup5, - dup61, - ])); - - var dup342 = linear_select([ - dup74, - dup75, - ]); - - var dup343 = linear_select([ - dup81, - dup82, - ]); - - var dup344 = linear_select([ - 
dup24, - dup90, - ]); - - var dup345 = linear_select([ - dup94, - dup95, - ]); - - var dup346 = linear_select([ - dup98, - dup99, - ]); - - var dup347 = linear_select([ - dup100, - dup101, - dup102, - ]); - - var dup348 = linear_select([ - dup113, - dup114, - ]); - - var dup349 = linear_select([ - dup111, - dup16, - ]); - - var dup350 = linear_select([ - dup127, - dup107, - ]); - - var dup351 = linear_select([ - dup8, - dup21, - ]); - - var dup352 = linear_select([ - dup122, - dup133, - ]); - - var dup353 = linear_select([ - dup142, - dup143, - ]); - - var dup354 = linear_select([ - dup145, - dup21, - ]); - - var dup355 = linear_select([ - dup127, - dup106, - ]); - - var dup356 = linear_select([ - dup152, - dup96, - ]); - - var dup357 = linear_select([ - dup154, - dup155, - ]); - - var dup358 = linear_select([ - dup156, - dup157, - ]); - - var dup359 = linear_select([ - dup99, - dup134, - ]); - - var dup360 = linear_select([ - dup158, - dup159, - ]); - - var dup361 = linear_select([ - dup161, - dup162, - ]); - - var dup362 = linear_select([ - dup163, - dup103, - ]); - - var dup363 = linear_select([ - dup162, - dup161, - ]); - - var dup364 = linear_select([ - dup46, - dup47, - ]); - - var dup365 = linear_select([ - dup166, - dup167, - ]); - - var dup366 = linear_select([ - dup172, - dup173, - ]); - - var dup367 = linear_select([ - dup174, - dup175, - dup176, - dup177, - dup178, - dup179, - dup180, - dup181, - dup182, - ]); - - var dup368 = linear_select([ - dup49, - dup21, - ]); - - var dup369 = linear_select([ - dup189, - dup190, - ]); - - var dup370 = linear_select([ - dup96, - dup152, - ]); - - var dup371 = linear_select([ - dup196, - dup197, - ]); - - var dup372 = linear_select([ - dup24, - dup200, - ]); - - var dup373 = linear_select([ - dup103, - dup163, - ]); - - var dup374 = linear_select([ - dup205, - dup118, - ]); - - var dup375 = match("MESSAGE#477:00030:02", "nwparser.payload", "%{change_attribute->} has been changed from %{change_old->} to 
%{change_new}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var dup376 = linear_select([ - dup212, - dup213, - ]); - - var dup377 = linear_select([ - dup215, - dup216, - ]); - - var dup378 = linear_select([ - dup222, - dup215, - ]); - - var dup379 = linear_select([ - dup224, - dup225, - ]); - - var dup380 = linear_select([ - dup231, - dup124, - ]); - - var dup381 = linear_select([ - dup229, - dup230, - ]); - - var dup382 = linear_select([ - dup233, - dup234, - ]); - - var dup383 = linear_select([ - dup236, - dup237, - ]); - - var dup384 = linear_select([ - dup242, - dup243, - ]); - - var dup385 = linear_select([ - dup245, - dup246, - ]); - - var dup386 = linear_select([ - dup247, - dup248, - ]); - - var dup387 = linear_select([ - dup249, - dup250, - ]); - - var dup388 = linear_select([ - dup251, - dup252, - ]); - - var dup389 = linear_select([ - dup260, - dup261, - ]); - - var dup390 = linear_select([ - dup264, - dup265, - ]); - - var dup391 = linear_select([ - dup268, - dup269, - ]); - - var dup392 = match("MESSAGE#716:00074", "nwparser.payload", "The local device %{fld2->} in the Virtual Security Device group %{group->} %{info}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var dup393 = linear_select([ - dup284, - dup285, - ]); - - var dup394 = linear_select([ - dup287, - dup288, - ]); - - var dup395 = match("MESSAGE#799:00435", "nwparser.payload", "%{signame->} From %{saddr->} to %{daddr}, using protocol %{protocol}, and arriving at interface %{dinterface->} in zone %{dst_zone}.%{space}The attack occurred %{dclass_counter1->} times.", processor_chain([ - dup58, - dup2, - dup59, - dup4, - dup5, - dup3, - dup60, - ])); - - var dup396 = match("MESSAGE#814:00442", "nwparser.payload", "%{signame->} From %{saddr->} to zone %{zone}, proto %{protocol->} (int %{interface}). Occurred %{dclass_counter1->} times. 
(%{fld1})", processor_chain([ - dup58, - dup4, - dup59, - dup5, - dup9, - dup2, - dup3, - dup60, - ])); - - var dup397 = linear_select([ - dup300, - dup26, - ]); - - var dup398 = linear_select([ - dup115, - dup303, - ]); - - var dup399 = linear_select([ - dup125, - dup96, - ]); - - var dup400 = linear_select([ - dup189, - dup308, - dup309, - ]); - - var dup401 = linear_select([ - dup310, - dup16, - ]); - - var dup402 = linear_select([ - dup317, - dup318, - ]); - - var dup403 = linear_select([ - dup319, - dup315, - ]); - - var dup404 = linear_select([ - dup322, - dup250, - ]); - - var dup405 = linear_select([ - dup327, - dup329, - ]); - - var dup406 = linear_select([ - dup330, - dup129, - ]); - - var dup407 = match("MESSAGE#1196:01269:01", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} direction=%{direction->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} icmp type=%{icmptype}", processor_chain([ - dup281, - dup2, - dup4, - dup5, - dup274, - dup3, - dup275, - dup60, - dup282, - ])); - - var dup408 = match("MESSAGE#1197:01269:02", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=Deny sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} icmp type=%{icmptype}", processor_chain([ - dup185, - dup2, - dup4, - dup5, - dup274, - dup3, - dup275, - dup276, - dup277, - dup60, - ])); - - var dup409 = match("MESSAGE#1198:01269:03", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} icmp type=%{icmptype}", processor_chain([ - dup281, - dup2, - dup4, - dup5, - dup274, - dup3, - dup275, - dup60, - 
dup282, - ])); - - var dup410 = match("MESSAGE#1203:23184", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} (%{fld3}) proto=%{protocol->} direction=%{direction->} action=Deny sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport}", processor_chain([ - dup185, - dup2, - dup4, - dup5, - dup274, - dup3, - dup275, - dup276, - dup277, - dup61, - ])); - - var dup411 = all_match({ - processors: [ - dup263, - dup390, - dup266, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var dup412 = all_match({ - processors: [ - dup267, - dup391, - dup270, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var dup413 = all_match({ - processors: [ - dup80, - dup343, - dup293, - ], - on_success: processor_chain([ - dup58, - dup2, - dup59, - dup3, - dup4, - dup5, - dup61, - ]), - }); - - var dup414 = all_match({ - processors: [ - dup296, - dup343, - dup131, - ], - on_success: processor_chain([ - dup297, - dup2, - dup3, - dup9, - dup59, - dup4, - dup5, - dup61, - ]), - }); - - var dup415 = all_match({ - processors: [ - dup298, - dup343, - dup131, - ], - on_success: processor_chain([ - dup297, - dup2, - dup3, - dup9, - dup59, - dup4, - dup5, - dup61, - ]), - }); - - var hdr1 = match("HEADER#0:0001", "message", "%{hfld1}: NetScreen device_id=%{hfld2->} [No Name]system-%{hseverity}-%{messageid}(%{hfld3}): %{payload}", processor_chain([ - setc("header_id","0001"), - ])); - - var hdr2 = match("HEADER#1:0003", "message", "%{hfld1}: NetScreen device_id=%{hfld2->} [%{hvsys}]system-%{hseverity}-%{messageid}(%{hfld3}): %{payload}", processor_chain([ - setc("header_id","0003"), - ])); - - var hdr3 = match("HEADER#2:0004", "message", "%{hfld1}: NetScreen device_id=%{hfld2->} system-%{hseverity}-%{messageid}(%{hfld3}): %{payload}", processor_chain([ - setc("header_id","0004"), - ])); - - var hdr4 = 
match("HEADER#3:0002/0", "message", "%{hfld1}: NetScreen device_id=%{hfld2->} %{p0}"); - - var part1 = match("HEADER#3:0002/1_0", "nwparser.p0", "[No Name]system%{p0}"); - - var part2 = match("HEADER#3:0002/1_1", "nwparser.p0", "[%{hvsys}]system%{p0}"); - - var part3 = match("HEADER#3:0002/1_2", "nwparser.p0", "system%{p0}"); - - var select1 = linear_select([ - part1, - part2, - part3, - ]); - - var part4 = match("HEADER#3:0002/2", "nwparser.p0", "-%{hseverity}-%{messageid}: %{payload}"); - - var all1 = all_match({ - processors: [ - hdr4, - select1, - part4, - ], - on_success: processor_chain([ - setc("header_id","0002"), - ]), - }); - - var select2 = linear_select([ - hdr1, - hdr2, - hdr3, - all1, - ]); - - var part5 = match("MESSAGE#0:00001", "nwparser.payload", "%{zone->} address %{interface->} with ip address %{hostip->} has been %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1 = msg("00001", part5); - - var part6 = match("MESSAGE#1:00001:01", "nwparser.payload", "%{zone->} address %{interface->} with domain name %{domain->} has been %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg2 = msg("00001:01", part6); - - var part7 = match("MESSAGE#2:00001:02/1_0", "nwparser.p0", "ip address %{hostip->} in zone %{p0}"); - - var select3 = linear_select([ - part7, - dup7, - ]); - - var part8 = match("MESSAGE#2:00001:02/2", "nwparser.p0", "%{zone->} has been %{disposition}"); - - var all2 = all_match({ - processors: [ - dup6, - select3, - part8, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg3 = msg("00001:02", all2); - - var part9 = match("MESSAGE#3:00001:03", "nwparser.payload", "arp entry %{hostip->} interface changed!", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg4 = msg("00001:03", part9); - - var part10 = match("MESSAGE#4:00001:04/1_0", "nwparser.p0", "IP address %{hostip->} in zone %{p0}"); - - 
var select4 = linear_select([ - part10, - dup7, - ]); - - var part11 = match("MESSAGE#4:00001:04/2", "nwparser.p0", "%{zone->} has been %{disposition->} by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport->} session%{p0}"); - - var part12 = match("MESSAGE#4:00001:04/3_1", "nwparser.p0", ".%{fld1}"); - - var select5 = linear_select([ - dup8, - part12, - ]); - - var all3 = all_match({ - processors: [ - dup6, - select4, - part11, - select5, - ], - on_success: processor_chain([ - dup1, - dup9, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg5 = msg("00001:04", all3); - - var part13 = match("MESSAGE#5:00001:05/0", "nwparser.payload", "%{fld2}: Address %{group_object->} for ip address %{hostip->} in zone %{zone->} has been %{disposition->} from host %{saddr->} session %{p0}"); - - var all4 = all_match({ - processors: [ - part13, - dup333, - ], - on_success: processor_chain([ - dup1, - dup9, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg6 = msg("00001:05", all4); - - var part14 = match("MESSAGE#6:00001:06", "nwparser.payload", "Address group %{group_object->} %{info}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg7 = msg("00001:06", part14); - - var msg8 = msg("00001:07", dup334); - - var part15 = match("MESSAGE#8:00001:08/2", "nwparser.p0", "for IP address %{hostip}/%{mask->} in zone %{zone->} has been %{disposition->} by %{p0}"); - - var part16 = match("MESSAGE#8:00001:08/4", "nwparser.p0", "%{} %{username}via NSRP Peer session. (%{fld1})"); - - var all5 = all_match({ - processors: [ - dup12, - dup335, - part15, - dup336, - part16, - ], - on_success: processor_chain([ - dup1, - dup9, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg9 = msg("00001:08", all5); - - var part17 = match("MESSAGE#9:00001:09/2", "nwparser.p0", "for IP address %{hostip}/%{mask->} in zone %{zone->} has been %{disposition->} by %{username->} via %{logon_type->} from host %{saddr}:%{sport->} session. 
(%{fld1})"); - - var all6 = all_match({ - processors: [ - dup12, - dup335, - part17, - ], - on_success: processor_chain([ - dup1, - dup9, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg10 = msg("00001:09", all6); - - var select6 = linear_select([ - msg1, - msg2, - msg3, - msg4, - msg5, - msg6, - msg7, - msg8, - msg9, - msg10, - ]); - - var part18 = match("MESSAGE#10:00002:03", "nwparser.payload", "Admin user %{administrator->} has been %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg11 = msg("00002:03", part18); - - var part19 = match("MESSAGE#11:00002:04", "nwparser.payload", "E-mail address %{user_address->} has been %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg12 = msg("00002:04", part19); - - var part20 = match("MESSAGE#12:00002:05", "nwparser.payload", "E-mail notification has been %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg13 = msg("00002:05", part20); - - var part21 = match("MESSAGE#13:00002:06", "nwparser.payload", "Inclusion of traffic logs with e-mail notification of event alarms has been %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg14 = msg("00002:06", part21); - - var part22 = match("MESSAGE#14:00002:07", "nwparser.payload", "LCD display has been %{action->} and the LCD control keys have been %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg15 = msg("00002:07", part22); - - var part23 = match("MESSAGE#15:00002:55", "nwparser.payload", "HTTP component blocking for %{fld2->} is %{disposition->} on zone %{zone->} by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport}. 
(%{fld1})", processor_chain([ - dup1, - dup2, - dup4, - dup5, - dup9, - ])); - - var msg16 = msg("00002:55", part23); - - var part24 = match("MESSAGE#16:00002:08", "nwparser.payload", "LCD display has been %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg17 = msg("00002:08", part24); - - var part25 = match("MESSAGE#17:00002:09", "nwparser.payload", "LCD control keys have been %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg18 = msg("00002:09", part25); - - var part26 = match("MESSAGE#18:00002:10", "nwparser.payload", "Mail server %{hostip->} has been %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg19 = msg("00002:10", part26); - - var part27 = match("MESSAGE#19:00002:11", "nwparser.payload", "Management restriction for %{hostip->} %{fld2->} has been %{disposition}", processor_chain([ - dup17, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg20 = msg("00002:11", part27); - - var part28 = match("MESSAGE#20:00002:12", "nwparser.payload", "%{change_attribute->} has been restored from %{change_old->} to default port %{change_new}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg21 = msg("00002:12", part28); - - var part29 = match("MESSAGE#21:00002:15", "nwparser.payload", "System configuration has been %{disposition}", processor_chain([ - dup18, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg22 = msg("00002:15", part29); - - var msg23 = msg("00002:17", dup334); - - var part30 = match("MESSAGE#23:00002:18/0", "nwparser.payload", "Unexpected error from e%{p0}"); - - var part31 = match("MESSAGE#23:00002:18/1_0", "nwparser.p0", "-mail %{p0}"); - - var part32 = match("MESSAGE#23:00002:18/1_1", "nwparser.p0", "mail %{p0}"); - - var select7 = linear_select([ - part31, - part32, - ]); - - var part33 = match("MESSAGE#23:00002:18/2", "nwparser.p0", "server(%{fld2}):"); - - var all7 = all_match({ - processors: [ - 
part30, - select7, - part33, - ], - on_success: processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg24 = msg("00002:18", all7); - - var part34 = match("MESSAGE#24:00002:19", "nwparser.payload", "Web Admin %{change_attribute->} value has been changed from %{change_old->} to %{change_new}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg25 = msg("00002:19", part34); - - var part35 = match("MESSAGE#25:00002:20/0", "nwparser.payload", "Root admin password restriction of minimum %{fld2->} characters has been %{disposition->} by admin %{administrator->} %{p0}"); - - var part36 = match("MESSAGE#25:00002:20/1_0", "nwparser.p0", "from Console %{}"); - - var select8 = linear_select([ - part36, - dup20, - dup21, - ]); - - var all8 = all_match({ - processors: [ - part35, - select8, - ], - on_success: processor_chain([ - dup22, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg26 = msg("00002:20", all8); - - var part37 = match("MESSAGE#26:00002:21/0_0", "nwparser.payload", "Root admin %{p0}"); - - var part38 = match("MESSAGE#26:00002:21/0_1", "nwparser.payload", "%{fld2->} admin %{p0}"); - - var select9 = linear_select([ - part37, - part38, - ]); - - var select10 = linear_select([ - dup24, - dup25, - ]); - - var part39 = match("MESSAGE#26:00002:21/3", "nwparser.p0", "has been changed by admin %{administrator}"); - - var all9 = all_match({ - processors: [ - select9, - dup23, - select10, - part39, - ], - on_success: processor_chain([ - dup22, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg27 = msg("00002:21", all9); - - var part40 = match("MESSAGE#27:00002:22/0", "nwparser.payload", "%{change_attribute->} from %{protocol->} before administrative session disconnects has been changed from %{change_old->} to %{change_new->} by admin %{p0}"); - - var part41 = match("MESSAGE#27:00002:22/1_0", "nwparser.p0", "%{administrator->} from Console"); - - var part42 = match("MESSAGE#27:00002:22/1_1", "nwparser.p0", 
"%{administrator->} from host %{saddr}"); - - var select11 = linear_select([ - part41, - part42, - dup26, - ]); - - var all10 = all_match({ - processors: [ - part40, - select11, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg28 = msg("00002:22", all10); - - var part43 = match("MESSAGE#28:00002:23/0", "nwparser.payload", "Root admin access restriction through console only has been %{disposition->} by admin %{administrator->} %{p0}"); - - var part44 = match("MESSAGE#28:00002:23/1_1", "nwparser.p0", "from Console%{}"); - - var select12 = linear_select([ - dup20, - part44, - dup21, - ]); - - var all11 = all_match({ - processors: [ - part43, - select12, - ], - on_success: processor_chain([ - dup22, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg29 = msg("00002:23", all11); - - var part45 = match("MESSAGE#29:00002:24/0", "nwparser.payload", "Admin access restriction of %{protocol->} administration through tunnel only has been %{disposition->} by admin %{administrator->} from %{p0}"); - - var part46 = match("MESSAGE#29:00002:24/1_0", "nwparser.p0", "host %{saddr}"); - - var part47 = match("MESSAGE#29:00002:24/1_1", "nwparser.p0", "Console%{}"); - - var select13 = linear_select([ - part46, - part47, - ]); - - var all12 = all_match({ - processors: [ - part45, - select13, - ], - on_success: processor_chain([ - dup22, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg30 = msg("00002:24", all12); - - var part48 = match("MESSAGE#30:00002:25", "nwparser.payload", "Admin AUTH: Local instance of an %{change_attribute->} has been changed from %{change_old->} to %{change_new}", processor_chain([ - setc("eventcategory","1402000000"), - dup2, - dup3, - dup4, - dup5, - ])); - - var msg31 = msg("00002:25", part48); - - var part49 = match("MESSAGE#31:00002:26", "nwparser.payload", "Cannot connect to e-mail server %{hostip}.", processor_chain([ - dup27, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg32 = msg("00002:26", 
part49); - - var part50 = match("MESSAGE#32:00002:27", "nwparser.payload", "Mail server is not configured.%{}", processor_chain([ - dup18, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg33 = msg("00002:27", part50); - - var part51 = match("MESSAGE#33:00002:28", "nwparser.payload", "Mail recipients were not configured.%{}", processor_chain([ - dup18, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg34 = msg("00002:28", part51); - - var part52 = match("MESSAGE#34:00002:29", "nwparser.payload", "Single use password restriction for read-write administrators has been %{disposition->} by admin %{administrator}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg35 = msg("00002:29", part52); - - var part53 = match("MESSAGE#35:00002:30", "nwparser.payload", "Admin user \"%{administrator}\" logged in for %{logon_type}(%{network_service}) management (port %{network_port}) from %{saddr}:%{sport}", processor_chain([ - dup28, - dup29, - dup30, - dup31, - dup32, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg36 = msg("00002:30", part53); - - var part54 = match("MESSAGE#36:00002:41", "nwparser.payload", "Admin user \"%{administrator}\" logged out for %{logon_type}(%{network_service}) management (port %{network_port}) from %{saddr}:%{sport}", processor_chain([ - dup33, - dup29, - dup34, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg37 = msg("00002:41", part54); - - var part55 = match("MESSAGE#37:00002:31", "nwparser.payload", "Admin user \"%{administrator}\" login attempt for %{logon_type->} %{space->} (%{network_service}) management (port %{network_port}) from %{saddr}:%{sport->} %{disposition}", processor_chain([ - dup35, - dup29, - dup30, - dup31, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg38 = msg("00002:31", part55); - - var part56 = match("MESSAGE#38:00002:32/0_0", "nwparser.payload", "E-mail notification %{p0}"); - - var part57 = match("MESSAGE#38:00002:32/0_1", "nwparser.payload", "Transparent virutal %{p0}"); - - var select14 = 
linear_select([ - part56, - part57, - ]); - - var part58 = match("MESSAGE#38:00002:32/1", "nwparser.p0", "wire mode has been %{disposition}"); - - var all13 = all_match({ - processors: [ - select14, - part58, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg39 = msg("00002:32", all13); - - var part59 = match("MESSAGE#39:00002:35", "nwparser.payload", "Malicious URL %{url->} has been %{disposition->} for zone %{zone}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg40 = msg("00002:35", part59); - - var part60 = match("MESSAGE#40:00002:36/0", "nwparser.payload", "Bypass%{p0}"); - - var part61 = match("MESSAGE#40:00002:36/1_0", "nwparser.p0", "-others-IPSec %{p0}"); - - var part62 = match("MESSAGE#40:00002:36/1_1", "nwparser.p0", " non-IP traffic %{p0}"); - - var select15 = linear_select([ - part61, - part62, - ]); - - var part63 = match("MESSAGE#40:00002:36/2", "nwparser.p0", "option has been %{disposition}"); - - var all14 = all_match({ - processors: [ - part60, - select15, - part63, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg41 = msg("00002:36", all14); - - var part64 = match("MESSAGE#41:00002:37/0", "nwparser.payload", "Logging of %{p0}"); - - var part65 = match("MESSAGE#41:00002:37/1_0", "nwparser.p0", "dropped %{p0}"); - - var part66 = match("MESSAGE#41:00002:37/1_1", "nwparser.p0", "IKE %{p0}"); - - var part67 = match("MESSAGE#41:00002:37/1_2", "nwparser.p0", "SNMP %{p0}"); - - var part68 = match("MESSAGE#41:00002:37/1_3", "nwparser.p0", "ICMP %{p0}"); - - var select16 = linear_select([ - part65, - part66, - part67, - part68, - ]); - - var part69 = match("MESSAGE#41:00002:37/2", "nwparser.p0", "traffic to self has been %{disposition}"); - - var all15 = all_match({ - processors: [ - part64, - select16, - part69, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg42 = 
msg("00002:37", all15); - - var part70 = match("MESSAGE#42:00002:38/0", "nwparser.payload", "Logging of dropped traffic to self (excluding multicast) has been %{p0}"); - - var part71 = match("MESSAGE#42:00002:38/1_0", "nwparser.p0", "%{disposition->} on %{zone}"); - - var select17 = linear_select([ - part71, - dup36, - ]); - - var all16 = all_match({ - processors: [ - part70, - select17, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg43 = msg("00002:38", all16); - - var part72 = match("MESSAGE#43:00002:39", "nwparser.payload", "Traffic shaping is %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg44 = msg("00002:39", part72); - - var part73 = match("MESSAGE#44:00002:40", "nwparser.payload", "Admin account created for '%{username}' by %{administrator->} via %{logon_type->} from host %{saddr->} (%{fld1})", processor_chain([ - dup37, - dup29, - setc("ec_activity","Create"), - dup38, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg45 = msg("00002:40", part73); - - var part74 = match("MESSAGE#45:00002:44", "nwparser.payload", "ADMIN AUTH: Privilege requested for unknown user %{username}. 
Possible HA syncronization problem.", processor_chain([ - dup35, - dup31, - dup39, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg46 = msg("00002:44", part74); - - var part75 = match("MESSAGE#46:00002:42/0", "nwparser.payload", "%{change_attribute->} for account '%{change_old}' has been %{disposition->} to '%{change_new}' %{p0}"); - - var part76 = match("MESSAGE#46:00002:42/1_0", "nwparser.p0", "by %{administrator->} via %{p0}"); - - var select18 = linear_select([ - part76, - dup40, - ]); - - var part77 = match("MESSAGE#46:00002:42/2", "nwparser.p0", "%{logon_type->} from host %{p0}"); - - var part78 = match("MESSAGE#46:00002:42/3_0", "nwparser.p0", "%{saddr->} to %{daddr}:%{dport->} (%{p0}"); - - var part79 = match("MESSAGE#46:00002:42/3_1", "nwparser.p0", "%{saddr}:%{sport->} (%{p0}"); - - var select19 = linear_select([ - part78, - part79, - ]); - - var all17 = all_match({ - processors: [ - part75, - select18, - part77, - select19, - dup41, - ], - on_success: processor_chain([ - dup42, - dup43, - dup38, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg47 = msg("00002:42", all17); - - var part80 = match("MESSAGE#47:00002:43/0", "nwparser.payload", "Admin account %{disposition->} for %{p0}"); - - var part81 = match("MESSAGE#47:00002:43/1_0", "nwparser.p0", "'%{username}'%{p0}"); - - var part82 = match("MESSAGE#47:00002:43/1_1", "nwparser.p0", "\"%{username}\"%{p0}"); - - var select20 = linear_select([ - part81, - part82, - ]); - - var part83 = match("MESSAGE#47:00002:43/2", "nwparser.p0", "%{}by %{administrator->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport->} (%{fld1})"); - - var all18 = all_match({ - processors: [ - part80, - select20, - part83, - ], - on_success: processor_chain([ - dup42, - dup29, - dup43, - dup38, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg48 = msg("00002:43", all18); - - var part84 = match("MESSAGE#48:00002:50", "nwparser.payload", "Admin account %{disposition->} for \"%{username}\" by 
%{administrator->} via %{logon_type->} from host %{saddr}:%{sport->} (%{fld1})", processor_chain([ - dup42, - dup29, - dup43, - dup38, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg49 = msg("00002:50", part84); - - var part85 = match("MESSAGE#49:00002:51", "nwparser.payload", "Admin account %{disposition->} for \"%{username}\" by %{administrator->} %{fld2->} via %{logon_type->} (%{fld1})", processor_chain([ - dup42, - dup29, - dup43, - dup38, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg50 = msg("00002:51", part85); - - var part86 = match("MESSAGE#50:00002:45", "nwparser.payload", "Extraneous exit is issued by %{username->} via %{logon_type->} from host %{saddr}:%{sport->} (%{fld1})", processor_chain([ - dup44, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg51 = msg("00002:45", part86); - - var part87 = match("MESSAGE#51:00002:47/0_0", "nwparser.payload", "Ping of Death attack protection %{p0}"); - - var part88 = match("MESSAGE#51:00002:47/0_1", "nwparser.payload", "Src Route IP option filtering %{p0}"); - - var part89 = match("MESSAGE#51:00002:47/0_2", "nwparser.payload", "Teardrop attack protection %{p0}"); - - var part90 = match("MESSAGE#51:00002:47/0_3", "nwparser.payload", "Land attack protection %{p0}"); - - var part91 = match("MESSAGE#51:00002:47/0_4", "nwparser.payload", "SYN flood protection %{p0}"); - - var select21 = linear_select([ - part87, - part88, - part89, - part90, - part91, - ]); - - var part92 = match("MESSAGE#51:00002:47/1", "nwparser.p0", "is %{disposition->} on zone %{zone->} by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport}. 
(%{fld1})"); - - var all19 = all_match({ - processors: [ - select21, - part92, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg52 = msg("00002:47", all19); - - var part93 = match("MESSAGE#52:00002:48/0", "nwparser.payload", "Dropping pkts if not %{p0}"); - - var part94 = match("MESSAGE#52:00002:48/1_0", "nwparser.p0", "exactly same with incoming if %{p0}"); - - var part95 = match("MESSAGE#52:00002:48/1_1", "nwparser.p0", "in route table %{p0}"); - - var select22 = linear_select([ - part94, - part95, - ]); - - var part96 = match("MESSAGE#52:00002:48/2", "nwparser.p0", "(IP spoof protection) is %{disposition->} on zone %{zone->} by %{username->} via %{p0}"); - - var part97 = match("MESSAGE#52:00002:48/3_0", "nwparser.p0", "NSRP Peer. (%{p0}"); - - var select23 = linear_select([ - part97, - dup45, - ]); - - var all20 = all_match({ - processors: [ - part93, - select22, - part96, - select23, - dup41, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg53 = msg("00002:48", all20); - - var part98 = match("MESSAGE#53:00002:52/0", "nwparser.payload", "%{signame->} %{p0}"); - - var part99 = match("MESSAGE#53:00002:52/1_0", "nwparser.p0", "protection%{p0}"); - - var part100 = match("MESSAGE#53:00002:52/1_1", "nwparser.p0", "limiting%{p0}"); - - var part101 = match("MESSAGE#53:00002:52/1_2", "nwparser.p0", "detection%{p0}"); - - var part102 = match("MESSAGE#53:00002:52/1_3", "nwparser.p0", "filtering %{p0}"); - - var select24 = linear_select([ - part99, - part100, - part101, - part102, - ]); - - var part103 = match("MESSAGE#53:00002:52/2", "nwparser.p0", "%{}is %{disposition->} on zone %{zone->} by %{p0}"); - - var part104 = match("MESSAGE#53:00002:52/3_1", "nwparser.p0", "admin via %{p0}"); - - var select25 = linear_select([ - dup46, - part104, - dup47, - ]); - - var select26 = linear_select([ - dup48, - dup45, - ]); - - var all21 = all_match({ - processors: [ - 
part98, - select24, - part103, - select25, - select26, - dup41, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg54 = msg("00002:52", all21); - - var part105 = match("MESSAGE#54:00002:53", "nwparser.payload", "Admin password for account \"%{username}\" has been %{disposition->} by %{administrator->} via %{logon_type->} (%{fld1})", processor_chain([ - dup42, - dup43, - dup38, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg55 = msg("00002:53", part105); - - var part106 = match("MESSAGE#55:00002:54/0", "nwparser.payload", "Traffic shaping clearing DSCP selector is turned O%{p0}"); - - var part107 = match("MESSAGE#55:00002:54/1_0", "nwparser.p0", "FF%{p0}"); - - var part108 = match("MESSAGE#55:00002:54/1_1", "nwparser.p0", "N%{p0}"); - - var select27 = linear_select([ - part107, - part108, - ]); - - var all22 = all_match({ - processors: [ - part106, - select27, - dup49, - ], - on_success: processor_chain([ - dup50, - dup43, - dup51, - dup2, - dup3, - dup4, - dup5, - dup9, - ]), - }); - - var msg56 = msg("00002:54", all22); - - var part109 = match("MESSAGE#56:00002/0", "nwparser.payload", "%{change_attribute->} %{p0}"); - - var part110 = match("MESSAGE#56:00002/1_0", "nwparser.p0", "has been changed%{p0}"); - - var select28 = linear_select([ - part110, - dup52, - ]); - - var part111 = match("MESSAGE#56:00002/2", "nwparser.p0", "%{}from %{change_old->} to %{change_new}"); - - var all23 = all_match({ - processors: [ - part109, - select28, - part111, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg57 = msg("00002", all23); - - var part112 = match("MESSAGE#1215:00002:56", "nwparser.payload", "Admin user \"%{administrator}\" login attempt for %{logon_type}(%{network_service}) management (port %{network_port}) from %{saddr}:%{sport->} failed. 
(%{fld1})", processor_chain([ - dup53, - dup9, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg58 = msg("00002:56", part112); - - var select29 = linear_select([ - msg11, - msg12, - msg13, - msg14, - msg15, - msg16, - msg17, - msg18, - msg19, - msg20, - msg21, - msg22, - msg23, - msg24, - msg25, - msg26, - msg27, - msg28, - msg29, - msg30, - msg31, - msg32, - msg33, - msg34, - msg35, - msg36, - msg37, - msg38, - msg39, - msg40, - msg41, - msg42, - msg43, - msg44, - msg45, - msg46, - msg47, - msg48, - msg49, - msg50, - msg51, - msg52, - msg53, - msg54, - msg55, - msg56, - msg57, - msg58, - ]); - - var part113 = match("MESSAGE#57:00003", "nwparser.payload", "Multiple authentication failures have been detected! From %{saddr}:%{sport->} to %{daddr}:%{dport->} using protocol %{protocol->} on interface %{interface}", processor_chain([ - dup53, - dup31, - dup54, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg59 = msg("00003", part113); - - var part114 = match("MESSAGE#58:00003:01", "nwparser.payload", "Multiple authentication failures have been detected!%{}", processor_chain([ - dup53, - dup31, - dup54, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg60 = msg("00003:01", part114); - - var part115 = match("MESSAGE#59:00003:02", "nwparser.payload", "The console debug buffer has been %{disposition}", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg61 = msg("00003:02", part115); - - var part116 = match("MESSAGE#60:00003:03", "nwparser.payload", "%{change_attribute->} changed from %{change_old->} to %{change_new}.", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg62 = msg("00003:03", part116); - - var part117 = match("MESSAGE#61:00003:05/1_0", "nwparser.p0", "serial%{p0}"); - - var part118 = match("MESSAGE#61:00003:05/1_1", "nwparser.p0", "local%{p0}"); - - var select30 = linear_select([ - part117, - part118, - ]); - - var part119 = match("MESSAGE#61:00003:05/2", "nwparser.p0", "%{}console has been 
%{disposition->} by admin %{administrator}."); - - var all24 = all_match({ - processors: [ - dup55, - select30, - part119, - ], - on_success: processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg63 = msg("00003:05", all24); - - var select31 = linear_select([ - msg59, - msg60, - msg61, - msg62, - msg63, - ]); - - var part120 = match("MESSAGE#62:00004", "nwparser.payload", "%{info}DNS server IP has been changed", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg64 = msg("00004", part120); - - var part121 = match("MESSAGE#63:00004:01", "nwparser.payload", "DNS cache table has been %{disposition}", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg65 = msg("00004:01", part121); - - var part122 = match("MESSAGE#64:00004:02", "nwparser.payload", "Daily DNS lookup has been %{disposition}", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg66 = msg("00004:02", part122); - - var part123 = match("MESSAGE#65:00004:03", "nwparser.payload", "Daily DNS lookup time has been %{disposition}", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg67 = msg("00004:03", part123); - - var part124 = match("MESSAGE#66:00004:04/0", "nwparser.payload", "%{signame->} has been detected! 
From %{saddr->} to %{daddr->} using protocol %{protocol->} on %{p0}"); - - var part125 = match("MESSAGE#66:00004:04/2", "nwparser.p0", "%{} %{interface->} %{space}The attack occurred %{dclass_counter1->} times"); - - var all25 = all_match({ - processors: [ - part124, - dup337, - part125, - ], - on_success: processor_chain([ - dup58, - dup2, - dup4, - dup5, - dup59, - dup3, - dup60, - ]), - }); - - var msg68 = msg("00004:04", all25); - - var part126 = match("MESSAGE#67:00004:05", "nwparser.payload", "%{signame->} from %{saddr}/%{sport->} to %{daddr}/%{dport->} protocol %{protocol}", processor_chain([ - dup58, - dup2, - dup4, - dup5, - dup3, - dup61, - ])); - - var msg69 = msg("00004:05", part126); - - var part127 = match("MESSAGE#68:00004:06", "nwparser.payload", "DNS lookup time has been changed to start at %{fld2}:%{fld3->} with an interval of %{fld4}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg70 = msg("00004:06", part127); - - var part128 = match("MESSAGE#69:00004:07", "nwparser.payload", "DNS cache table entries have been refreshed as result of external event.%{}", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg71 = msg("00004:07", part128); - - var part129 = match("MESSAGE#70:00004:08", "nwparser.payload", "DNS Proxy module has been %{disposition}.", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg72 = msg("00004:08", part129); - - var part130 = match("MESSAGE#71:00004:09", "nwparser.payload", "DNS Proxy module has more concurrent client requests than allowed.%{}", processor_chain([ - dup62, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg73 = msg("00004:09", part130); - - var part131 = match("MESSAGE#72:00004:10", "nwparser.payload", "DNS Proxy server select table entries exceeded maximum limit.%{}", processor_chain([ - dup62, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg74 = msg("00004:10", part131); - - var part132 = match("MESSAGE#73:00004:11", 
"nwparser.payload", "Proxy server select table added with domain %{domain}, interface %{interface}, primary-ip %{fld2}, secondary-ip %{fld3}, tertiary-ip %{fld4}, failover %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg75 = msg("00004:11", part132); - - var part133 = match("MESSAGE#74:00004:12", "nwparser.payload", "DNS Proxy server select table entry %{disposition->} with domain %{domain}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg76 = msg("00004:12", part133); - - var part134 = match("MESSAGE#75:00004:13", "nwparser.payload", "DDNS server %{domain->} returned incorrect ip %{fld2}, local-ip should be %{fld3}", processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg77 = msg("00004:13", part134); - - var part135 = match("MESSAGE#76:00004:14/1_0", "nwparser.p0", "automatically refreshed %{p0}"); - - var part136 = match("MESSAGE#76:00004:14/1_1", "nwparser.p0", "refreshed by HA %{p0}"); - - var select32 = linear_select([ - part135, - part136, - ]); - - var all26 = all_match({ - processors: [ - dup63, - select32, - dup49, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg78 = msg("00004:14", all26); - - var part137 = match("MESSAGE#77:00004:15", "nwparser.payload", "DNS entries have been refreshed as result of DNS server address change. (%{fld1})", processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg79 = msg("00004:15", part137); - - var part138 = match("MESSAGE#78:00004:16", "nwparser.payload", "DNS entries have been manually refreshed. 
(%{fld1})", processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg80 = msg("00004:16", part138); - - var all27 = all_match({ - processors: [ - dup64, - dup338, - dup67, - ], - on_success: processor_chain([ - dup58, - dup2, - dup4, - dup59, - dup9, - dup5, - dup3, - dup60, - ]), - }); - - var msg81 = msg("00004:17", all27); - - var select33 = linear_select([ - msg64, - msg65, - msg66, - msg67, - msg68, - msg69, - msg70, - msg71, - msg72, - msg73, - msg74, - msg75, - msg76, - msg77, - msg78, - msg79, - msg80, - msg81, - ]); - - var part139 = match("MESSAGE#80:00005", "nwparser.payload", "%{signame->} alarm threshold from the same source has been changed to %{trigger_val}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg82 = msg("00005", part139); - - var part140 = match("MESSAGE#81:00005:01", "nwparser.payload", "Logging of %{fld2->} traffic to self has been %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg83 = msg("00005:01", part140); - - var part141 = match("MESSAGE#82:00005:02", "nwparser.payload", "SYN flood %{fld2->} has been changed to %{fld3}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg84 = msg("00005:02", part141); - - var part142 = match("MESSAGE#83:00005:03/0", "nwparser.payload", "%{signame->} has been detected! From %{saddr}:%{sport->} to %{daddr}:%{p0}"); - - var part143 = match("MESSAGE#83:00005:03/4", "nwparser.p0", "%{fld99}interface %{interface->} %{p0}"); - - var part144 = match("MESSAGE#83:00005:03/5_0", "nwparser.p0", "in zone %{zone}. 
%{p0}"); - - var select34 = linear_select([ - part144, - dup73, - ]); - - var part145 = match("MESSAGE#83:00005:03/6", "nwparser.p0", "%{space}The attack occurred %{dclass_counter1->} times"); - - var all28 = all_match({ - processors: [ - part142, - dup339, - dup70, - dup340, - part143, - select34, - part145, - ], - on_success: processor_chain([ - dup58, - dup2, - dup3, - dup4, - dup5, - dup59, - dup61, - ]), - }); - - var msg85 = msg("00005:03", all28); - - var msg86 = msg("00005:04", dup341); - - var part146 = match("MESSAGE#85:00005:05", "nwparser.payload", "SYN flood drop pak in %{fld2->} mode when receiving unknown dst mac has been %{disposition->} on %{zone}.", processor_chain([ - setc("eventcategory","1001020100"), - dup2, - dup3, - dup4, - dup5, - ])); - - var msg87 = msg("00005:05", part146); - - var part147 = match("MESSAGE#86:00005:06/1", "nwparser.p0", "flood timeout has been set to %{trigger_val->} on %{zone}."); - - var all29 = all_match({ - processors: [ - dup342, - part147, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg88 = msg("00005:06", all29); - - var part148 = match("MESSAGE#87:00005:07/0", "nwparser.payload", "SYN flood %{p0}"); - - var part149 = match("MESSAGE#87:00005:07/1_0", "nwparser.p0", "alarm threshold %{p0}"); - - var part150 = match("MESSAGE#87:00005:07/1_1", "nwparser.p0", "packet queue size %{p0}"); - - var part151 = match("MESSAGE#87:00005:07/1_3", "nwparser.p0", "attack threshold %{p0}"); - - var part152 = match("MESSAGE#87:00005:07/1_4", "nwparser.p0", "same source IP threshold %{p0}"); - - var select35 = linear_select([ - part149, - part150, - dup76, - part151, - part152, - ]); - - var part153 = match("MESSAGE#87:00005:07/2", "nwparser.p0", "is set to %{trigger_val}."); - - var all30 = all_match({ - processors: [ - part148, - select35, - part153, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg89 = msg("00005:07", all30); - 
- var part154 = match("MESSAGE#88:00005:08/1", "nwparser.p0", "flood same %{p0}"); - - var select36 = linear_select([ - dup77, - dup78, - ]); - - var part155 = match("MESSAGE#88:00005:08/3", "nwparser.p0", "ip threshold has been set to %{trigger_val->} on %{zone}."); - - var all31 = all_match({ - processors: [ - dup342, - part154, - select36, - part155, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg90 = msg("00005:08", all31); - - var part156 = match("MESSAGE#89:00005:09", "nwparser.payload", "Screen service %{service->} is %{disposition->} on interface %{interface}.", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg91 = msg("00005:09", part156); - - var part157 = match("MESSAGE#90:00005:10", "nwparser.payload", "Screen service %{service->} is %{disposition->} on %{zone}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg92 = msg("00005:10", part157); - - var part158 = match("MESSAGE#91:00005:11/0", "nwparser.payload", "The SYN flood %{p0}"); - - var part159 = match("MESSAGE#91:00005:11/1_0", "nwparser.p0", "alarm threshold%{}"); - - var part160 = match("MESSAGE#91:00005:11/1_1", "nwparser.p0", "packet queue size%{}"); - - var part161 = match("MESSAGE#91:00005:11/1_2", "nwparser.p0", "timeout value%{}"); - - var part162 = match("MESSAGE#91:00005:11/1_3", "nwparser.p0", "attack threshold%{}"); - - var part163 = match("MESSAGE#91:00005:11/1_4", "nwparser.p0", "same source IP%{}"); - - var select37 = linear_select([ - part159, - part160, - part161, - part162, - part163, - ]); - - var all32 = all_match({ - processors: [ - part158, - select37, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg93 = msg("00005:11", all32); - - var part164 = match("MESSAGE#92:00005:12", "nwparser.payload", "The SYN-ACK-ACK proxy threshold value has been set to %{trigger_val->} on %{interface}.", processor_chain([ - dup1, - dup2, - 
dup3, - dup4, - dup5, - ])); - - var msg94 = msg("00005:12", part164); - - var part165 = match("MESSAGE#93:00005:13", "nwparser.payload", "The session limit threshold has been set to %{trigger_val->} on %{zone}.", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg95 = msg("00005:13", part165); - - var part166 = match("MESSAGE#94:00005:14", "nwparser.payload", "syn proxy drop packet with unknown mac!%{}", processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg96 = msg("00005:14", part166); - - var part167 = match("MESSAGE#95:00005:15", "nwparser.payload", "%{signame->} alarm threshold has been changed to %{trigger_val}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg97 = msg("00005:15", part167); - - var part168 = match("MESSAGE#96:00005:16", "nwparser.payload", "%{signame->} threshold has been set to %{trigger_val->} on %{zone}.", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg98 = msg("00005:16", part168); - - var part169 = match("MESSAGE#97:00005:17/1_0", "nwparser.p0", "destination-based %{p0}"); - - var part170 = match("MESSAGE#97:00005:17/1_1", "nwparser.p0", "source-based %{p0}"); - - var select38 = linear_select([ - part169, - part170, - ]); - - var part171 = match("MESSAGE#97:00005:17/2", "nwparser.p0", "session-limit threshold has been set at %{trigger_val->} in zone %{zone}."); - - var all33 = all_match({ - processors: [ - dup79, - select38, - part171, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg99 = msg("00005:17", all33); - - var all34 = all_match({ - processors: [ - dup80, - dup343, - dup83, - ], - on_success: processor_chain([ - dup84, - dup2, - dup59, - dup9, - dup3, - dup4, - dup5, - dup61, - ]), - }); - - var msg100 = msg("00005:18", all34); - - var part172 = match("MESSAGE#99:00005:19", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to %{daddr}:%{dport}, using protocol 
%{protocol}, and arriving at interface %{dinterface->} in zone %{dst_zone}.The attack occurred %{dclass_counter1->} times.", processor_chain([ - dup84, - dup2, - dup3, - dup4, - dup5, - dup59, - dup61, - ])); - - var msg101 = msg("00005:19", part172); - - var part173 = match("MESSAGE#100:00005:20", "nwparser.payload", "%{signame->} From %{saddr->} to %{daddr}, proto %{protocol->} (zone %{zone->} int %{interface}).%{space->} Occurred %{fld2->} times. (%{fld1})\u003c\u003c%{fld6}>", processor_chain([ - dup84, - dup9, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg102 = msg("00005:20", part173); - - var select39 = linear_select([ - msg82, - msg83, - msg84, - msg85, - msg86, - msg87, - msg88, - msg89, - msg90, - msg91, - msg92, - msg93, - msg94, - msg95, - msg96, - msg97, - msg98, - msg99, - msg100, - msg101, - msg102, - ]); - - var part174 = match("MESSAGE#101:00006", "nwparser.payload", "%{signame->} has been detected! From %{saddr}:%{sport->} to %{daddr}:%{dport->} using protocol %{protocol->} on interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([ - dup85, - dup2, - dup3, - dup4, - dup59, - dup5, - dup61, - ])); - - var msg103 = msg("00006", part174); - - var part175 = match("MESSAGE#102:00006:01", "nwparser.payload", "Hostname set to \"%{hostname}\"", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg104 = msg("00006:01", part175); - - var part176 = match("MESSAGE#103:00006:02", "nwparser.payload", "Domain set to %{domain}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg105 = msg("00006:02", part176); - - var part177 = match("MESSAGE#104:00006:03", "nwparser.payload", "An optional ScreenOS feature has been activated via a software key.%{}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg106 = msg("00006:03", part177); - - var part178 = match("MESSAGE#105:00006:04/0", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to 
%{daddr}:%{dport}, proto %{protocol->} (zone %{p0}"); - - var all35 = all_match({ - processors: [ - part178, - dup338, - dup67, - ], - on_success: processor_chain([ - dup84, - dup2, - dup59, - dup9, - dup3, - dup4, - dup5, - dup61, - ]), - }); - - var msg107 = msg("00006:04", all35); - - var all36 = all_match({ - processors: [ - dup64, - dup338, - dup67, - ], - on_success: processor_chain([ - dup84, - dup2, - dup59, - dup9, - dup3, - dup4, - dup5, - dup60, - ]), - }); - - var msg108 = msg("00006:05", all36); - - var select40 = linear_select([ - msg103, - msg104, - msg105, - msg106, - msg107, - msg108, - ]); - - var part179 = match("MESSAGE#107:00007", "nwparser.payload", "HA cluster ID has been changed to %{fld2}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg109 = msg("00007", part179); - - var part180 = match("MESSAGE#108:00007:01", "nwparser.payload", "%{change_attribute->} of the local NetScreen device has changed from %{change_old->} to %{change_new}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg110 = msg("00007:01", part180); - - var part181 = match("MESSAGE#109:00007:02/0", "nwparser.payload", "HA state of the local device has changed to backup because a device with a %{p0}"); - - var part182 = match("MESSAGE#109:00007:02/1_0", "nwparser.p0", "higher priority has been detected%{}"); - - var part183 = match("MESSAGE#109:00007:02/1_1", "nwparser.p0", "lower MAC value has been detected%{}"); - - var select41 = linear_select([ - part182, - part183, - ]); - - var all37 = all_match({ - processors: [ - part181, - select41, - ], - on_success: processor_chain([ - dup86, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg111 = msg("00007:02", all37); - - var part184 = match("MESSAGE#110:00007:03", "nwparser.payload", "HA state of the local device has changed to init because IP tracking has failed%{}", processor_chain([ - dup86, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg112 = msg("00007:03", 
part184); - - var select42 = linear_select([ - dup88, - dup89, - ]); - - var part185 = match("MESSAGE#111:00007:04/4", "nwparser.p0", "has been changed%{}"); - - var all38 = all_match({ - processors: [ - dup87, - select42, - dup23, - dup344, - part185, - ], - on_success: processor_chain([ - dup91, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg113 = msg("00007:04", all38); - - var part186 = match("MESSAGE#112:00007:05", "nwparser.payload", "HA: Local NetScreen device has been elected backup because a master already exists%{}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg114 = msg("00007:05", part186); - - var part187 = match("MESSAGE#113:00007:06", "nwparser.payload", "HA: Local NetScreen device has been elected backup because its MAC value is higher than those of other devices in the cluster%{}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg115 = msg("00007:06", part187); - - var part188 = match("MESSAGE#114:00007:07", "nwparser.payload", "HA: Local NetScreen device has been elected backup because its priority value is higher than those of other devices in the cluster%{}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg116 = msg("00007:07", part188); - - var part189 = match("MESSAGE#115:00007:08", "nwparser.payload", "HA: Local device has been elected master because no other master exists%{}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg117 = msg("00007:08", part189); - - var part190 = match("MESSAGE#116:00007:09", "nwparser.payload", "HA: Local device priority has been changed to %{fld2}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg118 = msg("00007:09", part190); - - var part191 = match("MESSAGE#117:00007:10", "nwparser.payload", "HA: Previous master has promoted the local NetScreen device to master%{}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg119 = msg("00007:10", 
part191); - - var part192 = match("MESSAGE#118:00007:11/0", "nwparser.payload", "IP tracking device failover threshold has been %{p0}"); - - var select43 = linear_select([ - dup92, - dup93, - ]); - - var all39 = all_match({ - processors: [ - part192, - select43, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg120 = msg("00007:11", all39); - - var part193 = match("MESSAGE#119:00007:12", "nwparser.payload", "IP tracking has been %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg121 = msg("00007:12", part193); - - var part194 = match("MESSAGE#120:00007:13", "nwparser.payload", "IP tracking to %{hostip->} with interval %{fld2->} threshold %{trigger_val->} weight %{fld4->} interface %{interface->} method %{fld5->} has been %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg122 = msg("00007:13", part194); - - var part195 = match("MESSAGE#121:00007:14", "nwparser.payload", "%{signame->} From %{saddr->} to %{daddr->} using protocol %{protocol->} on zone %{zone->} interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([ - dup85, - dup2, - dup3, - dup4, - dup59, - dup5, - dup60, - ])); - - var msg123 = msg("00007:14", part195); - - var part196 = match("MESSAGE#122:00007:15", "nwparser.payload", "Primary HA interface has been changed to %{interface}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg124 = msg("00007:15", part196); - - var part197 = match("MESSAGE#123:00007:16", "nwparser.payload", "Reporting of HA configuration and status changes to NetScreen-Global Manager has been %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg125 = msg("00007:16", part197); - - var part198 = match("MESSAGE#124:00007:17", "nwparser.payload", "Tracked IP %{hostip->} has been %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - 
dup5, - ])); - - var msg126 = msg("00007:17", part198); - - var part199 = match("MESSAGE#125:00007:18/0", "nwparser.payload", "Tracked IP %{hostip->} options have been changed from int %{fld2->} thr %{fld3->} wgt %{fld4->} inf %{fld5->} %{p0}"); - - var part200 = match("MESSAGE#125:00007:18/1_0", "nwparser.p0", "ping %{p0}"); - - var part201 = match("MESSAGE#125:00007:18/1_1", "nwparser.p0", "ARP %{p0}"); - - var select44 = linear_select([ - part200, - part201, - ]); - - var part202 = match("MESSAGE#125:00007:18/2", "nwparser.p0", "to %{fld6->} %{p0}"); - - var part203 = match("MESSAGE#125:00007:18/3_0", "nwparser.p0", "ping%{}"); - - var part204 = match("MESSAGE#125:00007:18/3_1", "nwparser.p0", "ARP%{}"); - - var select45 = linear_select([ - part203, - part204, - ]); - - var all40 = all_match({ - processors: [ - part199, - select44, - part202, - select45, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg127 = msg("00007:18", all40); - - var part205 = match("MESSAGE#126:00007:20", "nwparser.payload", "Change %{change_attribute->} path from %{change_old->} to %{change_new}.", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg128 = msg("00007:20", part205); - - var part206 = match("MESSAGE#127:00007:21/0", "nwparser.payload", "HA Slave is %{p0}"); - - var all41 = all_match({ - processors: [ - part206, - dup345, - ], - on_success: processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg129 = msg("00007:21", all41); - - var part207 = match("MESSAGE#128:00007:22", "nwparser.payload", "HA change group id to %{groupid}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg130 = msg("00007:22", part207); - - var part208 = match("MESSAGE#129:00007:23", "nwparser.payload", "HA change priority to %{fld2}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg131 = msg("00007:23", part208); - - var part209 = 
match("MESSAGE#130:00007:24", "nwparser.payload", "HA change state to init%{}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg132 = msg("00007:24", part209); - - var part210 = match("MESSAGE#131:00007:25", "nwparser.payload", "HA: Change state to initial state.%{}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg133 = msg("00007:25", part210); - - var part211 = match("MESSAGE#132:00007:26/0", "nwparser.payload", "HA: Change state to slave for %{p0}"); - - var part212 = match("MESSAGE#132:00007:26/1_0", "nwparser.p0", "tracking ip failed%{}"); - - var part213 = match("MESSAGE#132:00007:26/1_1", "nwparser.p0", "linkdown%{}"); - - var select46 = linear_select([ - part212, - part213, - ]); - - var all42 = all_match({ - processors: [ - part211, - select46, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg134 = msg("00007:26", all42); - - var part214 = match("MESSAGE#133:00007:27", "nwparser.payload", "HA: Change to master command issued from original master to change state%{}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg135 = msg("00007:27", part214); - - var part215 = match("MESSAGE#134:00007:28", "nwparser.payload", "HA: Elected master no other master%{}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg136 = msg("00007:28", part215); - - var part216 = match("MESSAGE#135:00007:29/0", "nwparser.payload", "HA: Elected slave %{p0}"); - - var part217 = match("MESSAGE#135:00007:29/1_0", "nwparser.p0", "lower priority%{}"); - - var part218 = match("MESSAGE#135:00007:29/1_1", "nwparser.p0", "MAC value is larger%{}"); - - var part219 = match("MESSAGE#135:00007:29/1_2", "nwparser.p0", "master already exists%{}"); - - var part220 = match("MESSAGE#135:00007:29/1_3", "nwparser.p0", "detect new master with higher priority%{}"); - - var part221 = match("MESSAGE#135:00007:29/1_4", "nwparser.p0", "detect new master 
with smaller MAC value%{}"); - - var select47 = linear_select([ - part217, - part218, - part219, - part220, - part221, - ]); - - var all43 = all_match({ - processors: [ - part216, - select47, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg137 = msg("00007:29", all43); - - var part222 = match("MESSAGE#136:00007:30", "nwparser.payload", "HA: Promoted master command issued from original master to change state%{}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg138 = msg("00007:30", part222); - - var part223 = match("MESSAGE#137:00007:31/0", "nwparser.payload", "HA: ha link %{p0}"); - - var all44 = all_match({ - processors: [ - part223, - dup345, - ], - on_success: processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg139 = msg("00007:31", all44); - - var part224 = match("MESSAGE#138:00007:32/0", "nwparser.payload", "NSRP %{fld2->} %{p0}"); - - var select48 = linear_select([ - dup89, - dup88, - ]); - - var part225 = match("MESSAGE#138:00007:32/4", "nwparser.p0", "changed.%{}"); - - var all45 = all_match({ - processors: [ - part224, - select48, - dup23, - dup344, - part225, - ], - on_success: processor_chain([ - dup91, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg140 = msg("00007:32", all45); - - var part226 = match("MESSAGE#139:00007:33/0_0", "nwparser.payload", "NSRP: VSD %{p0}"); - - var part227 = match("MESSAGE#139:00007:33/0_1", "nwparser.payload", "Virtual Security Device group %{p0}"); - - var select49 = linear_select([ - part226, - part227, - ]); - - var part228 = match("MESSAGE#139:00007:33/1", "nwparser.p0", "%{fld2->} change%{p0}"); - - var part229 = match("MESSAGE#139:00007:33/2_0", "nwparser.p0", "d %{p0}"); - - var select50 = linear_select([ - part229, - dup96, - ]); - - var part230 = match("MESSAGE#139:00007:33/3", "nwparser.p0", "to %{fld3->} mode."); - - var all46 = all_match({ - processors: [ - select49, - part228, - select50, - 
part230, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg141 = msg("00007:33", all46); - - var part231 = match("MESSAGE#140:00007:34", "nwparser.payload", "NSRP: message %{fld2->} dropped: invalid encryption password.", processor_chain([ - dup97, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg142 = msg("00007:34", part231); - - var part232 = match("MESSAGE#141:00007:35", "nwparser.payload", "NSRP: nsrp interface change to %{interface}.", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg143 = msg("00007:35", part232); - - var part233 = match("MESSAGE#142:00007:36", "nwparser.payload", "RTO mirror group id=%{groupid->} direction= %{direction->} local unit=%{fld3->} duplicate from unit=%{fld4}", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg144 = msg("00007:36", part233); - - var part234 = match("MESSAGE#143:00007:37/0", "nwparser.payload", "RTO mirror group id=%{groupid->} direction= %{direction->} is %{p0}"); - - var all47 = all_match({ - processors: [ - part234, - dup346, - ], - on_success: processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg145 = msg("00007:37", all47); - - var part235 = match("MESSAGE#144:00007:38/0", "nwparser.payload", "RTO mirror group id=%{groupid->} direction= %{direction->} peer=%{fld3->} from %{p0}"); - - var part236 = match("MESSAGE#144:00007:38/4", "nwparser.p0", "state %{p0}"); - - var part237 = match("MESSAGE#144:00007:38/5_0", "nwparser.p0", "missed heartbeat%{}"); - - var part238 = match("MESSAGE#144:00007:38/5_1", "nwparser.p0", "group detached%{}"); - - var select51 = linear_select([ - part237, - part238, - ]); - - var all48 = all_match({ - processors: [ - part235, - dup347, - dup103, - dup347, - part236, - select51, - ], - on_success: processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg146 = msg("00007:38", all48); - - var part239 = 
match("MESSAGE#145:00007:39/0", "nwparser.payload", "RTO mirror group id=%{groupid->} is %{p0}"); - - var all49 = all_match({ - processors: [ - part239, - dup346, - ], - on_success: processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg147 = msg("00007:39", all49); - - var part240 = match("MESSAGE#146:00007:40", "nwparser.payload", "Remove pathname %{fld2->} (ifnum=%{fld3}) as secondary HA path", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg148 = msg("00007:40", part240); - - var part241 = match("MESSAGE#147:00007:41", "nwparser.payload", "Session sync ended by unit=%{fld2}", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg149 = msg("00007:41", part241); - - var part242 = match("MESSAGE#148:00007:42", "nwparser.payload", "Set secondary HA path to %{fld2->} (ifnum=%{fld3})", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg150 = msg("00007:42", part242); - - var part243 = match("MESSAGE#149:00007:43", "nwparser.payload", "VSD %{change_attribute->} changed from %{change_old->} to %{change_new}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg151 = msg("00007:43", part243); - - var part244 = match("MESSAGE#150:00007:44", "nwparser.payload", "vsd group id=%{groupid->} is %{disposition->} total number=%{fld3}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg152 = msg("00007:44", part244); - - var part245 = match("MESSAGE#151:00007:45", "nwparser.payload", "vsd group %{group->} local unit %{change_attribute->} changed from %{change_old->} to %{change_new}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg153 = msg("00007:45", part245); - - var part246 = match("MESSAGE#152:00007:46", "nwparser.payload", "%{signame->} has been detected! 
From %{saddr->} to %{daddr->} using protocol %{protocol->} on interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([ - dup85, - dup2, - dup3, - dup4, - dup59, - dup5, - dup60, - ])); - - var msg154 = msg("00007:46", part246); - - var part247 = match("MESSAGE#153:00007:47", "nwparser.payload", "The HA channel changed to interface %{interface}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg155 = msg("00007:47", part247); - - var part248 = match("MESSAGE#154:00007:48", "nwparser.payload", "Message %{fld2->} was dropped because it contained an invalid encryption password.", processor_chain([ - dup97, - dup2, - dup3, - dup4, - setc("disposition","dropped"), - setc("result","Invalid encryption Password"), - ])); - - var msg156 = msg("00007:48", part248); - - var part249 = match("MESSAGE#155:00007:49", "nwparser.payload", "The %{change_attribute->} of all Virtual Security Device groups changed from %{change_old->} to %{change_new}", processor_chain([ - setc("eventcategory","1604000000"), - dup2, - dup3, - dup4, - dup5, - ])); - - var msg157 = msg("00007:49", part249); - - var part250 = match("MESSAGE#156:00007:50/0", "nwparser.payload", "Device %{fld2->} %{p0}"); - - var part251 = match("MESSAGE#156:00007:50/1_0", "nwparser.p0", "has joined %{p0}"); - - var part252 = match("MESSAGE#156:00007:50/1_1", "nwparser.p0", "quit current %{p0}"); - - var select52 = linear_select([ - part251, - part252, - ]); - - var part253 = match("MESSAGE#156:00007:50/2", "nwparser.p0", "NSRP cluster %{fld3}"); - - var all50 = all_match({ - processors: [ - part250, - select52, - part253, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg158 = msg("00007:50", all50); - - var part254 = match("MESSAGE#157:00007:51/0", "nwparser.payload", "Virtual Security Device group %{group->} was %{p0}"); - - var part255 = match("MESSAGE#157:00007:51/1_1", "nwparser.p0", "deleted %{p0}"); - 
- var select53 = linear_select([ - dup104, - part255, - ]); - - var select54 = linear_select([ - dup105, - dup73, - ]); - - var part256 = match("MESSAGE#157:00007:51/4", "nwparser.p0", "The total number of members in the group %{p0}"); - - var select55 = linear_select([ - dup106, - dup107, - ]); - - var all51 = all_match({ - processors: [ - part254, - select53, - dup23, - select54, - part256, - select55, - dup108, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg159 = msg("00007:51", all51); - - var part257 = match("MESSAGE#158:00007:52", "nwparser.payload", "Virtual Security Device group %{group->} %{change_attribute->} changed from %{change_old->} to %{change_new}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg160 = msg("00007:52", part257); - - var part258 = match("MESSAGE#159:00007:53", "nwparser.payload", "The secondary HA path of the devices was set to interface %{interface->} with ifnum %{fld2}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg161 = msg("00007:53", part258); - - var part259 = match("MESSAGE#160:00007:54", "nwparser.payload", "The %{change_attribute->} of the devices changed from %{change_old->} to %{change_new}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg162 = msg("00007:54", part259); - - var part260 = match("MESSAGE#161:00007:55", "nwparser.payload", "The interface %{interface->} with ifnum %{fld2->} was removed from the secondary HA path of the devices.", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg163 = msg("00007:55", part260); - - var part261 = match("MESSAGE#162:00007:56", "nwparser.payload", "The probe that detects the status of High Availability link %{fld2->} was %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg164 = msg("00007:56", part261); - - var select56 = linear_select([ - dup109, - dup110, - ]); - - var 
select57 = linear_select([ - dup111, - dup112, - ]); - - var part262 = match("MESSAGE#163:00007:57/4", "nwparser.p0", "the probe detecting the status of High Availability link %{fld2->} was set to %{fld3}"); - - var all52 = all_match({ - processors: [ - dup55, - select56, - dup23, - select57, - part262, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg165 = msg("00007:57", all52); - - var part263 = match("MESSAGE#164:00007:58", "nwparser.payload", "A request by device %{fld2->} for session synchronization(s) was accepted.", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg166 = msg("00007:58", part263); - - var part264 = match("MESSAGE#165:00007:59", "nwparser.payload", "The current session synchronization by device %{fld2->} completed.", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg167 = msg("00007:59", part264); - - var part265 = match("MESSAGE#166:00007:60", "nwparser.payload", "Run Time Object mirror group %{group->} direction was set to %{direction}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg168 = msg("00007:60", part265); - - var part266 = match("MESSAGE#167:00007:61", "nwparser.payload", "Run Time Object mirror group %{group->} was set.", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg169 = msg("00007:61", part266); - - var part267 = match("MESSAGE#168:00007:62", "nwparser.payload", "Run Time Object mirror group %{group->} with direction %{direction->} was unset.", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg170 = msg("00007:62", part267); - - var part268 = match("MESSAGE#169:00007:63", "nwparser.payload", "RTO mirror group %{group->} was unset.", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg171 = msg("00007:63", part268); - - var part269 = match("MESSAGE#170:00007:64/1", "nwparser.p0", "%{fld2->} was removed from the 
monitoring list %{p0}"); - - var part270 = match("MESSAGE#170:00007:64/3", "nwparser.p0", "%{fld3}"); - - var all53 = all_match({ - processors: [ - dup348, - part269, - dup349, - part270, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg172 = msg("00007:64", all53); - - var part271 = match("MESSAGE#171:00007:65/1", "nwparser.p0", "%{fld2->} with weight %{fld3->} was added%{p0}"); - - var part272 = match("MESSAGE#171:00007:65/2_0", "nwparser.p0", " to or updated on %{p0}"); - - var part273 = match("MESSAGE#171:00007:65/2_1", "nwparser.p0", "/updated to %{p0}"); - - var select58 = linear_select([ - part272, - part273, - ]); - - var part274 = match("MESSAGE#171:00007:65/3", "nwparser.p0", "the monitoring list %{p0}"); - - var part275 = match("MESSAGE#171:00007:65/5", "nwparser.p0", "%{fld4}"); - - var all54 = all_match({ - processors: [ - dup348, - part271, - select58, - part274, - dup349, - part275, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg173 = msg("00007:65", all54); - - var part276 = match("MESSAGE#172:00007:66/0_0", "nwparser.payload", "The monitoring %{p0}"); - - var part277 = match("MESSAGE#172:00007:66/0_1", "nwparser.payload", "Monitoring %{p0}"); - - var select59 = linear_select([ - part276, - part277, - ]); - - var part278 = match("MESSAGE#172:00007:66/1", "nwparser.p0", "threshold was modified to %{trigger_val->} o%{p0}"); - - var part279 = match("MESSAGE#172:00007:66/2_0", "nwparser.p0", "f %{p0}"); - - var select60 = linear_select([ - part279, - dup115, - ]); - - var all55 = all_match({ - processors: [ - select59, - part278, - select60, - dup108, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg174 = msg("00007:66", all55); - - var part280 = match("MESSAGE#173:00007:67", "nwparser.payload", "NSRP data forwarding %{disposition}.", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - 
- var msg175 = msg("00007:67", part280); - - var part281 = match("MESSAGE#174:00007:68/0", "nwparser.payload", "NSRP b%{p0}"); - - var part282 = match("MESSAGE#174:00007:68/1_0", "nwparser.p0", "lack %{p0}"); - - var part283 = match("MESSAGE#174:00007:68/1_1", "nwparser.p0", "ack %{p0}"); - - var select61 = linear_select([ - part282, - part283, - ]); - - var part284 = match("MESSAGE#174:00007:68/2", "nwparser.p0", "hole prevention %{disposition}. Master(s) of Virtual Security Device groups %{p0}"); - - var part285 = match("MESSAGE#174:00007:68/3_0", "nwparser.p0", "may not exist %{p0}"); - - var part286 = match("MESSAGE#174:00007:68/3_1", "nwparser.p0", "always exists %{p0}"); - - var select62 = linear_select([ - part285, - part286, - ]); - - var all56 = all_match({ - processors: [ - part281, - select61, - part284, - select62, - dup116, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg176 = msg("00007:68", all56); - - var part287 = match("MESSAGE#175:00007:69", "nwparser.payload", "NSRP Run Time Object synchronization between devices was %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg177 = msg("00007:69", part287); - - var part288 = match("MESSAGE#176:00007:70", "nwparser.payload", "The NSRP encryption key was changed.%{}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg178 = msg("00007:70", part288); - - var part289 = match("MESSAGE#177:00007:71", "nwparser.payload", "NSRP transparent Active-Active mode was %{disposition}.", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg179 = msg("00007:71", part289); - - var part290 = match("MESSAGE#178:00007:72", "nwparser.payload", "NSRP: nsrp link probe enable on %{interface}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg180 = msg("00007:72", part290); - - var select63 = linear_select([ - msg109, - msg110, - msg111, - msg112, - msg113, - 
msg114, - msg115, - msg116, - msg117, - msg118, - msg119, - msg120, - msg121, - msg122, - msg123, - msg124, - msg125, - msg126, - msg127, - msg128, - msg129, - msg130, - msg131, - msg132, - msg133, - msg134, - msg135, - msg136, - msg137, - msg138, - msg139, - msg140, - msg141, - msg142, - msg143, - msg144, - msg145, - msg146, - msg147, - msg148, - msg149, - msg150, - msg151, - msg152, - msg153, - msg154, - msg155, - msg156, - msg157, - msg158, - msg159, - msg160, - msg161, - msg162, - msg163, - msg164, - msg165, - msg166, - msg167, - msg168, - msg169, - msg170, - msg171, - msg172, - msg173, - msg174, - msg175, - msg176, - msg177, - msg178, - msg179, - msg180, - ]); - - var part291 = match("MESSAGE#179:00008", "nwparser.payload", "%{signame->} has been detected! From %{saddr}:%{sport->} to %{daddr}:%{dport->} using protocol %{protocol->} on interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([ - dup58, - dup2, - dup3, - dup4, - dup59, - dup5, - dup61, - ])); - - var msg181 = msg("00008", part291); - - var msg182 = msg("00008:01", dup341); - - var part292 = match("MESSAGE#181:00008:02", "nwparser.payload", "NTP settings have been changed%{}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg183 = msg("00008:02", part292); - - var part293 = match("MESSAGE#182:00008:03", "nwparser.payload", "The system clock has been updated through NTP%{}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg184 = msg("00008:03", part293); - - var part294 = match("MESSAGE#183:00008:04/0", "nwparser.payload", "System clock %{p0}"); - - var part295 = match("MESSAGE#183:00008:04/1_0", "nwparser.p0", "configurations have been%{p0}"); - - var part296 = match("MESSAGE#183:00008:04/1_1", "nwparser.p0", "was%{p0}"); - - var part297 = match("MESSAGE#183:00008:04/1_2", "nwparser.p0", "is%{p0}"); - - var select64 = linear_select([ - part295, - part296, - part297, - ]); - - var part298 = 
match("MESSAGE#183:00008:04/2", "nwparser.p0", "%{}changed%{p0}"); - - var part299 = match("MESSAGE#183:00008:04/3_0", "nwparser.p0", " by admin %{administrator}"); - - var part300 = match("MESSAGE#183:00008:04/3_1", "nwparser.p0", " by %{username->} (%{fld1})"); - - var part301 = match("MESSAGE#183:00008:04/3_2", "nwparser.p0", " by %{username}"); - - var part302 = match("MESSAGE#183:00008:04/3_3", "nwparser.p0", " manually.%{}"); - - var part303 = match("MESSAGE#183:00008:04/3_4", "nwparser.p0", " manually%{}"); - - var select65 = linear_select([ - part299, - part300, - part301, - part302, - part303, - dup21, - ]); - - var all57 = all_match({ - processors: [ - part294, - select64, - part298, - select65, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - dup9, - ]), - }); - - var msg185 = msg("00008:04", all57); - - var part304 = match("MESSAGE#184:00008:05", "nwparser.payload", "failed to get clock through NTP%{}", processor_chain([ - dup117, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg186 = msg("00008:05", part304); - - var part305 = match("MESSAGE#185:00008:06", "nwparser.payload", "%{signame->} has been detected! From %{saddr}:%{sport->} to %{daddr}:%{dport}, using protocol %{protocol}, and arriving at interface %{dinterface->} in zone %{dst_zone}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([ - dup58, - dup2, - dup3, - dup4, - dup5, - dup59, - dup61, - ])); - - var msg187 = msg("00008:06", part305); - - var part306 = match("MESSAGE#186:00008:07", "nwparser.payload", "%{signame->} has been detected! 
From %{saddr->} to %{daddr}, using protocol %{protocol}, and arriving at interface %{dinterface->} in zone %{dst_zone}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([ - dup58, - dup2, - dup3, - dup4, - dup5, - dup59, - dup60, - ])); - - var msg188 = msg("00008:07", part306); - - var part307 = match("MESSAGE#187:00008:08", "nwparser.payload", "%{signame->} From %{saddr->} to %{daddr}, using protocol %{protocol}, on zone %{zone->} interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times.", processor_chain([ - dup58, - dup2, - dup3, - dup4, - dup5, - dup59, - dup60, - ])); - - var msg189 = msg("00008:08", part307); - - var part308 = match("MESSAGE#188:00008:09", "nwparser.payload", "system clock is changed manually%{}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg190 = msg("00008:09", part308); - - var part309 = match("MESSAGE#189:00008:10/0", "nwparser.payload", "%{signame->} From %{saddr->} to %{daddr}, proto %{protocol}(zone %{p0}"); - - var all58 = all_match({ - processors: [ - part309, - dup338, - dup67, - ], - on_success: processor_chain([ - dup58, - dup2, - dup59, - dup3, - dup4, - dup5, - dup9, - dup60, - ]), - }); - - var msg191 = msg("00008:10", all58); - - var select66 = linear_select([ - msg181, - msg182, - msg183, - msg184, - msg185, - msg186, - msg187, - msg188, - msg189, - msg190, - msg191, - ]); - - var part310 = match("MESSAGE#190:00009", "nwparser.payload", "802.1Q VLAN trunking for the interface %{interface->} has been %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg192 = msg("00009", part310); - - var part311 = match("MESSAGE#191:00009:01", "nwparser.payload", "802.1Q VLAN tag %{fld1->} has been %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg193 = msg("00009:01", part311); - - var part312 = match("MESSAGE#192:00009:02", "nwparser.payload", "DHCP on the interface %{interface->} has 
been %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg194 = msg("00009:02", part312); - - var part313 = match("MESSAGE#193:00009:03", "nwparser.payload", "%{change_attribute->} for interface %{interface->} has been changed from %{change_old->} to %{change_new}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg195 = msg("00009:03", part313); - - var part314 = match("MESSAGE#194:00009:05", "nwparser.payload", "%{signame->} has been detected! From %{saddr}:%{sport->} to %{daddr}:%{dport->} using protocol %{protocol->} on interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([ - dup58, - dup2, - dup3, - dup59, - dup4, - dup5, - dup61, - ])); - - var msg196 = msg("00009:05", part314); - - var part315 = match("MESSAGE#195:00009:06/0_0", "nwparser.payload", "%{fld2}: The 802.1Q tag %{p0}"); - - var part316 = match("MESSAGE#195:00009:06/0_1", "nwparser.payload", "The 802.1Q tag %{p0}"); - - var select67 = linear_select([ - part315, - part316, - ]); - - var select68 = linear_select([ - dup119, - dup16, - ]); - - var part317 = match("MESSAGE#195:00009:06/3", "nwparser.p0", "interface %{interface->} has been %{p0}"); - - var part318 = match("MESSAGE#195:00009:06/4_1", "nwparser.p0", "changed to %{p0}"); - - var select69 = linear_select([ - dup120, - part318, - ]); - - var part319 = match("MESSAGE#195:00009:06/6_0", "nwparser.p0", "%{info->} from host %{saddr}"); - - var part320 = match_copy("MESSAGE#195:00009:06/6_1", "nwparser.p0", "info"); - - var select70 = linear_select([ - part319, - part320, - ]); - - var all59 = all_match({ - processors: [ - select67, - dup118, - select68, - part317, - select69, - dup23, - select70, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg197 = msg("00009:06", all59); - - var part321 = match("MESSAGE#196:00009:07/0", "nwparser.payload", "Maximum bandwidth %{fld2->} on %{p0}"); - - 
var part322 = match("MESSAGE#196:00009:07/2", "nwparser.p0", "%{} %{interface->} is less than t%{p0}"); - - var part323 = match("MESSAGE#196:00009:07/3_0", "nwparser.p0", "he total %{p0}"); - - var part324 = match("MESSAGE#196:00009:07/3_1", "nwparser.p0", "otal %{p0}"); - - var select71 = linear_select([ - part323, - part324, - ]); - - var part325 = match("MESSAGE#196:00009:07/4", "nwparser.p0", "guaranteed bandwidth %{fld3}"); - - var all60 = all_match({ - processors: [ - part321, - dup337, - part322, - select71, - part325, - ], - on_success: processor_chain([ - dup121, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg198 = msg("00009:07", all60); - - var part326 = match("MESSAGE#197:00009:09", "nwparser.payload", "The configured bandwidth setting on the interface %{interface->} has been changed to %{fld2}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg199 = msg("00009:09", part326); - - var part327 = match("MESSAGE#198:00009:10/0", "nwparser.payload", "The operational mode for the interface %{interface->} has been changed to %{p0}"); - - var part328 = match("MESSAGE#198:00009:10/1_0", "nwparser.p0", "Route%{}"); - - var part329 = match("MESSAGE#198:00009:10/1_1", "nwparser.p0", "NAT%{}"); - - var select72 = linear_select([ - part328, - part329, - ]); - - var all61 = all_match({ - processors: [ - part327, - select72, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg200 = msg("00009:10", all61); - - var part330 = match("MESSAGE#199:00009:11/0_0", "nwparser.payload", "%{fld1}: VLAN %{p0}"); - - var part331 = match("MESSAGE#199:00009:11/0_1", "nwparser.payload", "VLAN %{p0}"); - - var select73 = linear_select([ - part330, - part331, - ]); - - var part332 = match("MESSAGE#199:00009:11/1", "nwparser.p0", "tag %{fld2->} has been %{disposition}"); - - var all62 = all_match({ - processors: [ - select73, - part332, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - 
dup5, - ]), - }); - - var msg201 = msg("00009:11", all62); - - var part333 = match("MESSAGE#200:00009:12", "nwparser.payload", "DHCP client has been %{disposition->} on interface %{interface}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg202 = msg("00009:12", part333); - - var part334 = match("MESSAGE#201:00009:13", "nwparser.payload", "DHCP relay agent settings on %{interface->} have been %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg203 = msg("00009:13", part334); - - var part335 = match("MESSAGE#202:00009:14/0_0", "nwparser.payload", "Global-PRO has been %{p0}"); - - var part336 = match("MESSAGE#202:00009:14/0_1", "nwparser.payload", "Global PRO has been %{p0}"); - - var part337 = match("MESSAGE#202:00009:14/0_2", "nwparser.payload", "DNS proxy was %{p0}"); - - var select74 = linear_select([ - part335, - part336, - part337, - ]); - - var part338 = match("MESSAGE#202:00009:14/1", "nwparser.p0", "%{disposition->} on %{p0}"); - - var select75 = linear_select([ - dup122, - dup123, - ]); - - var part339 = match("MESSAGE#202:00009:14/4_0", "nwparser.p0", "%{interface->} (%{fld2})"); - - var select76 = linear_select([ - part339, - dup124, - ]); - - var all63 = all_match({ - processors: [ - select74, - part338, - select75, - dup23, - select76, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg204 = msg("00009:14", all63); - - var part340 = match("MESSAGE#203:00009:15/0", "nwparser.payload", "Route between secondary IP%{p0}"); - - var part341 = match("MESSAGE#203:00009:15/1_0", "nwparser.p0", " addresses %{p0}"); - - var select77 = linear_select([ - part341, - dup125, - ]); - - var all64 = all_match({ - processors: [ - part340, - select77, - dup126, - dup350, - dup128, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg205 = msg("00009:15", all64); - - var part342 = 
match("MESSAGE#204:00009:16/0", "nwparser.payload", "Secondary IP address %{hostip}/%{mask->} %{p0}"); - - var part343 = match("MESSAGE#204:00009:16/3_2", "nwparser.p0", "deleted from %{p0}"); - - var select78 = linear_select([ - dup129, - dup130, - part343, - ]); - - var part344 = match("MESSAGE#204:00009:16/4", "nwparser.p0", "interface %{interface}."); - - var all65 = all_match({ - processors: [ - part342, - dup350, - dup23, - select78, - part344, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg206 = msg("00009:16", all65); - - var part345 = match("MESSAGE#205:00009:17/0", "nwparser.payload", "Secondary IP address %{p0}"); - - var part346 = match("MESSAGE#205:00009:17/1_0", "nwparser.p0", "%{hostip}/%{mask->} was added to interface %{p0}"); - - var part347 = match("MESSAGE#205:00009:17/1_1", "nwparser.p0", "%{hostip->} was added to interface %{p0}"); - - var select79 = linear_select([ - part346, - part347, - ]); - - var part348 = match("MESSAGE#205:00009:17/2", "nwparser.p0", "%{interface}."); - - var all66 = all_match({ - processors: [ - part345, - select79, - part348, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg207 = msg("00009:17", all66); - - var part349 = match("MESSAGE#206:00009:18", "nwparser.payload", "The configured bandwidth on the interface %{interface->} has been changed to %{fld2}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg208 = msg("00009:18", part349); - - var part350 = match("MESSAGE#207:00009:19", "nwparser.payload", "interface %{interface->} with IP %{hostip->} %{fld2->} has been %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg209 = msg("00009:19", part350); - - var part351 = match("MESSAGE#208:00009:27", "nwparser.payload", "interface %{interface->} has been %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg210 = 
msg("00009:27", part351); - - var part352 = match("MESSAGE#209:00009:20/0_0", "nwparser.payload", "%{fld2}: %{service->} has been %{p0}"); - - var part353 = match("MESSAGE#209:00009:20/0_1", "nwparser.payload", "%{service->} has been %{p0}"); - - var select80 = linear_select([ - part352, - part353, - ]); - - var part354 = match("MESSAGE#209:00009:20/1", "nwparser.p0", "%{disposition->} on interface %{interface->} %{p0}"); - - var part355 = match("MESSAGE#209:00009:20/2_0", "nwparser.p0", "by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport}"); - - var part356 = match("MESSAGE#209:00009:20/2_1", "nwparser.p0", "by %{username->} via %{logon_type->} from host %{saddr}:%{sport}"); - - var part357 = match("MESSAGE#209:00009:20/2_2", "nwparser.p0", "by %{username->} via %{logon_type->} from host %{saddr}"); - - var part358 = match("MESSAGE#209:00009:20/2_3", "nwparser.p0", "from host %{saddr->} (%{fld1})"); - - var select81 = linear_select([ - part355, - part356, - part357, - part358, - ]); - - var all67 = all_match({ - processors: [ - select80, - part354, - select81, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg211 = msg("00009:20", all67); - - var part359 = match("MESSAGE#210:00009:21/0", "nwparser.payload", "Source Route IP option! 
From %{saddr->} to %{daddr}, proto %{protocol->} (zone %{zone->} %{p0}"); - - var all68 = all_match({ - processors: [ - part359, - dup343, - dup131, - ], - on_success: processor_chain([ - dup58, - dup2, - dup59, - dup3, - dup4, - dup5, - dup9, - dup60, - ]), - }); - - var msg212 = msg("00009:21", all68); - - var part360 = match("MESSAGE#211:00009:22", "nwparser.payload", "MTU for interface %{interface->} has been changed to %{fld2->} (%{fld1})", processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg213 = msg("00009:22", part360); - - var part361 = match("MESSAGE#212:00009:23", "nwparser.payload", "Secondary IP address %{hostip->} has been added to interface %{interface->} (%{fld1})", processor_chain([ - dup44, - dup2, - dup9, - dup3, - dup4, - dup5, - ])); - - var msg214 = msg("00009:23", part361); - - var part362 = match("MESSAGE#213:00009:24/0", "nwparser.payload", "Web has been enabled on interface %{interface->} by admin %{administrator->} via %{p0}"); - - var part363 = match("MESSAGE#213:00009:24/1_0", "nwparser.p0", "%{logon_type->} %{space}(%{p0}"); - - var part364 = match("MESSAGE#213:00009:24/1_1", "nwparser.p0", "%{logon_type}. (%{p0}"); - - var select82 = linear_select([ - part363, - part364, - ]); - - var part365 = match("MESSAGE#213:00009:24/2", "nwparser.p0", ")%{fld1}"); - - var all69 = all_match({ - processors: [ - part362, - select82, - part365, - ], - on_success: processor_chain([ - dup1, - dup2, - dup9, - dup3, - dup4, - dup5, - ]), - }); - - var msg215 = msg("00009:24", all69); - - var part366 = match("MESSAGE#214:00009:25", "nwparser.payload", "Web has been enabled on interface %{interface->} by %{username->} via %{logon_type}. 
(%{fld1})", processor_chain([ - dup1, - dup2, - dup9, - dup3, - dup4, - dup5, - ])); - - var msg216 = msg("00009:25", part366); - - var part367 = match("MESSAGE#215:00009:26/0", "nwparser.payload", "%{protocol->} has been %{disposition->} on interface %{interface->} by %{username->} via NSRP Peer . %{p0}"); - - var all70 = all_match({ - processors: [ - part367, - dup333, - ], - on_success: processor_chain([ - dup1, - dup2, - dup9, - dup3, - dup4, - dup5, - ]), - }); - - var msg217 = msg("00009:26", all70); - - var select83 = linear_select([ - msg192, - msg193, - msg194, - msg195, - msg196, - msg197, - msg198, - msg199, - msg200, - msg201, - msg202, - msg203, - msg204, - msg205, - msg206, - msg207, - msg208, - msg209, - msg210, - msg211, - msg212, - msg213, - msg214, - msg215, - msg216, - msg217, - ]); - - var part368 = match("MESSAGE#216:00010/0", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to %{daddr}:%{dport->} %{p0}"); - - var part369 = match("MESSAGE#216:00010/1_0", "nwparser.p0", "using protocol %{p0}"); - - var part370 = match("MESSAGE#216:00010/1_1", "nwparser.p0", "proto %{p0}"); - - var select84 = linear_select([ - part369, - part370, - ]); - - var part371 = match("MESSAGE#216:00010/2", "nwparser.p0", "%{protocol->} %{p0}"); - - var part372 = match("MESSAGE#216:00010/3_0", "nwparser.p0", "( zone %{zone}, int %{interface}) %{p0}"); - - var part373 = match("MESSAGE#216:00010/3_1", "nwparser.p0", "zone %{zone->} int %{interface}) %{p0}"); - - var select85 = linear_select([ - part372, - part373, - dup126, - ]); - - var part374 = match("MESSAGE#216:00010/4", "nwparser.p0", ".%{space}The attack occurred %{dclass_counter1->} times%{p0}"); - - var all71 = all_match({ - processors: [ - part368, - select84, - part371, - select85, - part374, - dup351, - ], - on_success: processor_chain([ - dup58, - dup2, - dup4, - dup59, - dup5, - dup9, - dup3, - dup61, - ]), - }); - - var msg218 = msg("00010", all71); - - var part375 = match("MESSAGE#217:00010:01", 
"nwparser.payload", "MIP %{hostip}/%{fld2->} has been %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg219 = msg("00010:01", part375); - - var part376 = match("MESSAGE#218:00010:02", "nwparser.payload", "Mapped IP %{hostip->} %{fld2->} has been %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg220 = msg("00010:02", part376); - - var all72 = all_match({ - processors: [ - dup132, - dup343, - dup83, - ], - on_success: processor_chain([ - dup58, - dup2, - dup59, - dup4, - dup5, - dup9, - dup3, - dup60, - ]), - }); - - var msg221 = msg("00010:03", all72); - - var select86 = linear_select([ - msg218, - msg219, - msg220, - msg221, - ]); - - var part377 = match("MESSAGE#220:00011", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to %{daddr}:%{dport->} using protocol %{protocol->} on interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([ - dup58, - dup2, - dup3, - dup59, - dup4, - dup5, - dup61, - ])); - - var msg222 = msg("00011", part377); - - var part378 = match("MESSAGE#221:00011:01/0", "nwparser.payload", "Route to %{daddr}/%{fld2->} [ %{p0}"); - - var select87 = linear_select([ - dup57, - dup56, - ]); - - var part379 = match("MESSAGE#221:00011:01/2", "nwparser.p0", "%{} %{interface->} gateway %{fld3->} ] has been %{disposition}"); - - var all73 = all_match({ - processors: [ - part378, - select87, - part379, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg223 = msg("00011:01", all73); - - var part380 = match("MESSAGE#222:00011:02", "nwparser.payload", "%{signame->} from %{saddr->} to %{daddr->} protocol %{protocol->} (%{fld2})", processor_chain([ - dup58, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg224 = msg("00011:02", part380); - - var part381 = match("MESSAGE#223:00011:03/0", "nwparser.payload", "An %{p0}"); - - var part382 = match("MESSAGE#223:00011:03/1_0", 
"nwparser.p0", "import %{p0}"); - - var part383 = match("MESSAGE#223:00011:03/1_1", "nwparser.p0", "export %{p0}"); - - var select88 = linear_select([ - part382, - part383, - ]); - - var part384 = match("MESSAGE#223:00011:03/2", "nwparser.p0", "rule in virtual router %{node->} to virtual router %{fld4->} with %{p0}"); - - var part385 = match("MESSAGE#223:00011:03/3_0", "nwparser.p0", "route-map %{fld3->} and protocol %{protocol->} has been %{p0}"); - - var part386 = match("MESSAGE#223:00011:03/3_1", "nwparser.p0", "IP-prefix %{hostip}/%{interface->} has been %{p0}"); - - var select89 = linear_select([ - part385, - part386, - ]); - - var all74 = all_match({ - processors: [ - part381, - select88, - part384, - select89, - dup36, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg225 = msg("00011:03", all74); - - var part387 = match("MESSAGE#224:00011:04/0", "nwparser.payload", "A route in virtual router %{node->} that has IP address %{hostip}/%{fld2->} through %{p0}"); - - var part388 = match("MESSAGE#224:00011:04/2", "nwparser.p0", "%{interface->} and gateway %{fld3->} with metric %{fld4->} has been %{disposition}"); - - var all75 = all_match({ - processors: [ - part387, - dup352, - part388, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg226 = msg("00011:04", all75); - - var part389 = match("MESSAGE#225:00011:05/1_0", "nwparser.p0", "sharable virtual router using name%{p0}"); - - var part390 = match("MESSAGE#225:00011:05/1_1", "nwparser.p0", "virtual router with name%{p0}"); - - var select90 = linear_select([ - part389, - part390, - ]); - - var part391 = match("MESSAGE#225:00011:05/2", "nwparser.p0", "%{} %{node->} and id %{fld2->} has been %{disposition}"); - - var all76 = all_match({ - processors: [ - dup79, - select90, - part391, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg227 = msg("00011:05", all76); - - 
var part392 = match("MESSAGE#226:00011:07", "nwparser.payload", "%{signame->} From %{saddr->} to %{daddr->} using protocol %{protocol->} on interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([ - dup58, - dup2, - dup4, - dup5, - dup59, - dup3, - dup60, - ])); - - var msg228 = msg("00011:07", part392); - - var part393 = match("MESSAGE#227:00011:08", "nwparser.payload", "Route(s) in virtual router %{node->} with an IP address %{hostip->} and gateway %{fld2->} has been %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg229 = msg("00011:08", part393); - - var part394 = match("MESSAGE#228:00011:09", "nwparser.payload", "The auto-route-export feature in virtual router %{node->} has been %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg230 = msg("00011:09", part394); - - var part395 = match("MESSAGE#229:00011:10", "nwparser.payload", "The maximum number of routes that can be created in virtual router %{node->} is %{fld2}", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg231 = msg("00011:10", part395); - - var part396 = match("MESSAGE#230:00011:11", "nwparser.payload", "The maximum routes limit in virtual router %{node->} has been %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg232 = msg("00011:11", part396); - - var part397 = match("MESSAGE#231:00011:12", "nwparser.payload", "The router-id of virtual router %{node->} used by OSPF BGP routing instances id has been uninitialized", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg233 = msg("00011:12", part397); - - var part398 = match("MESSAGE#232:00011:13", "nwparser.payload", "The router-id that can be used by OSPF BGP routing instances in virtual router %{node->} has been set to %{fld2}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg234 = msg("00011:13", part398); 
- - var part399 = match("MESSAGE#233:00011:14/0", "nwparser.payload", "The routing preference for protocol %{protocol->} in virtual router %{node->} has been %{p0}"); - - var part400 = match("MESSAGE#233:00011:14/1_1", "nwparser.p0", "reset%{}"); - - var select91 = linear_select([ - dup134, - part400, - ]); - - var all77 = all_match({ - processors: [ - part399, - select91, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg235 = msg("00011:14", all77); - - var part401 = match("MESSAGE#234:00011:15", "nwparser.payload", "The system default-route in virtual router %{node->} has been %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg236 = msg("00011:15", part401); - - var part402 = match("MESSAGE#235:00011:16", "nwparser.payload", "The system default-route through virtual router %{node->} has been added in virtual router %{fld2}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg237 = msg("00011:16", part402); - - var part403 = match("MESSAGE#236:00011:17/0", "nwparser.payload", "The virtual router %{node->} has been made %{p0}"); - - var part404 = match("MESSAGE#236:00011:17/1_0", "nwparser.p0", "sharable%{}"); - - var part405 = match("MESSAGE#236:00011:17/1_1", "nwparser.p0", "unsharable%{}"); - - var part406 = match("MESSAGE#236:00011:17/1_2", "nwparser.p0", "default virtual router for virtual system %{fld2}"); - - var select92 = linear_select([ - part404, - part405, - part406, - ]); - - var all78 = all_match({ - processors: [ - part403, - select92, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg238 = msg("00011:17", all78); - - var part407 = match("MESSAGE#237:00011:18/0_0", "nwparser.payload", "Source route(s) %{p0}"); - - var part408 = match("MESSAGE#237:00011:18/0_1", "nwparser.payload", "A source route %{p0}"); - - var select93 = linear_select([ - part407, - part408, - ]); - - var part409 = 
match("MESSAGE#237:00011:18/1", "nwparser.p0", "in virtual router %{node->} %{p0}"); - - var part410 = match("MESSAGE#237:00011:18/2_0", "nwparser.p0", "with route addresses of %{p0}"); - - var part411 = match("MESSAGE#237:00011:18/2_1", "nwparser.p0", "that has IP address %{p0}"); - - var select94 = linear_select([ - part410, - part411, - ]); - - var part412 = match("MESSAGE#237:00011:18/3", "nwparser.p0", "%{hostip}/%{fld2->} through interface %{interface->} and %{p0}"); - - var part413 = match("MESSAGE#237:00011:18/4_0", "nwparser.p0", "a default gateway address %{p0}"); - - var select95 = linear_select([ - part413, - dup135, - ]); - - var part414 = match("MESSAGE#237:00011:18/5", "nwparser.p0", "%{fld3->} with metric %{fld4->} %{p0}"); - - var all79 = all_match({ - processors: [ - select93, - part409, - select94, - part412, - select95, - part414, - dup350, - dup128, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg239 = msg("00011:18", all79); - - var part415 = match("MESSAGE#238:00011:19/0", "nwparser.payload", "Source Route(s) in virtual router %{node->} with %{p0}"); - - var part416 = match("MESSAGE#238:00011:19/1_0", "nwparser.p0", "route addresses of %{p0}"); - - var part417 = match("MESSAGE#238:00011:19/1_1", "nwparser.p0", "an IP address %{p0}"); - - var select96 = linear_select([ - part416, - part417, - ]); - - var part418 = match("MESSAGE#238:00011:19/2", "nwparser.p0", "%{hostip}/%{fld3->} and %{p0}"); - - var part419 = match("MESSAGE#238:00011:19/3_0", "nwparser.p0", "a default gateway address of %{p0}"); - - var select97 = linear_select([ - part419, - dup135, - ]); - - var part420 = match("MESSAGE#238:00011:19/4", "nwparser.p0", "%{fld4->} %{p0}"); - - var part421 = match("MESSAGE#238:00011:19/5_1", "nwparser.p0", "has been%{p0}"); - - var select98 = linear_select([ - dup107, - part421, - ]); - - var all80 = all_match({ - processors: [ - part415, - select96, - part418, - select97, - part420, - 
select98, - dup136, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg240 = msg("00011:19", all80); - - var part422 = match("MESSAGE#239:00011:20/0_0", "nwparser.payload", "%{fld2}: A %{p0}"); - - var select99 = linear_select([ - part422, - dup79, - ]); - - var part423 = match("MESSAGE#239:00011:20/1", "nwparser.p0", "route has been created in virtual router \"%{node}\"%{space}with an IP address %{hostip->} and next-hop as virtual router \"%{fld3}\""); - - var all81 = all_match({ - processors: [ - select99, - part423, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg241 = msg("00011:20", all81); - - var part424 = match("MESSAGE#240:00011:21", "nwparser.payload", "SIBR route(s) in virtual router %{node->} for interface %{interface->} with an IP address %{hostip->} and gateway %{fld2->} has been %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg242 = msg("00011:21", part424); - - var part425 = match("MESSAGE#241:00011:22", "nwparser.payload", "SIBR route in virtual router %{node->} for interface %{interface->} that has IP address %{hostip->} through interface %{fld3->} and gateway %{fld4->} with metric %{fld5->} was %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg243 = msg("00011:22", part425); - - var all82 = all_match({ - processors: [ - dup132, - dup343, - dup131, - ], - on_success: processor_chain([ - dup58, - dup2, - dup59, - dup9, - dup3, - dup4, - dup5, - call({ - dest: "nwparser.inout", - fn: DIRCHK, - args: [ - field("$IN"), - field("saddr"), - field("daddr"), - ], - }), - ]), - }); - - var msg244 = msg("00011:23", all82); - - var part426 = match("MESSAGE#243:00011:24", "nwparser.payload", "Route in virtual router \"%{node}\" that has IP address %{hostip->} through interface %{interface->} and gateway %{fld2->} with metric %{fld3->} %{disposition}. 
(%{fld1})", processor_chain([ - dup44, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg245 = msg("00011:24", part426); - - var part427 = match("MESSAGE#244:00011:25", "nwparser.payload", "Route(s) in virtual router \"%{node}\" with an IP address %{hostip}/%{fld2->} and gateway %{fld3->} %{disposition}. (%{fld1})", processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg246 = msg("00011:25", part427); - - var part428 = match("MESSAGE#245:00011:26", "nwparser.payload", "Route in virtual router \"%{node}\" with IP address %{hostip}/%{fld2->} and next-hop as virtual router \"%{fld3}\" created. (%{fld1})", processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg247 = msg("00011:26", part428); - - var select100 = linear_select([ - msg222, - msg223, - msg224, - msg225, - msg226, - msg227, - msg228, - msg229, - msg230, - msg231, - msg232, - msg233, - msg234, - msg235, - msg236, - msg237, - msg238, - msg239, - msg240, - msg241, - msg242, - msg243, - msg244, - msg245, - msg246, - msg247, - ]); - - var part429 = match("MESSAGE#246:00012:02", "nwparser.payload", "Service group %{group->} comments have been %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg248 = msg("00012:02", part429); - - var part430 = match("MESSAGE#247:00012:03", "nwparser.payload", "Service group %{change_old->} %{change_attribute->} has been changed to %{change_new}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg249 = msg("00012:03", part430); - - var part431 = match("MESSAGE#248:00012:04", "nwparser.payload", "%{fld2->} Service group %{group->} has %{disposition->} member %{username->} from host %{saddr}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg250 = msg("00012:04", part431); - - var part432 = match("MESSAGE#249:00012:05", "nwparser.payload", "%{signame->} from %{saddr}/%{sport->} to %{daddr}/%{dport->} protocol %{protocol->} 
(%{fld2}) (%{fld3})", processor_chain([ - dup58, - dup2, - dup3, - dup4, - dup5, - dup61, - ])); - - var msg251 = msg("00012:05", part432); - - var part433 = match("MESSAGE#250:00012:06", "nwparser.payload", "%{signame->} has been detected! From %{saddr}:%{sport->} to %{daddr}:%{dport->} using protocol %{protocol->} on interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([ - dup58, - dup2, - dup3, - dup4, - dup5, - dup59, - dup61, - ])); - - var msg252 = msg("00012:06", part433); - - var part434 = match("MESSAGE#251:00012:07", "nwparser.payload", "%{signame->} has been detected! From %{saddr}:%{sport->} to %{daddr}:%{dport}, using protocol %{protocol}, and arriving at interface %{dinterface->} in zone %{dst_zone}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([ - dup58, - dup2, - dup3, - dup4, - dup5, - dup61, - dup59, - ])); - - var msg253 = msg("00012:07", part434); - - var part435 = match("MESSAGE#252:00012:08", "nwparser.payload", "%{fld2}: Service %{service->} has been %{disposition->} from host %{saddr->} (%{fld1})", processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg254 = msg("00012:08", part435); - - var all83 = all_match({ - processors: [ - dup80, - dup343, - dup83, - ], - on_success: processor_chain([ - dup58, - dup2, - dup59, - dup9, - dup3, - dup4, - dup5, - dup61, - ]), - }); - - var msg255 = msg("00012:09", all83); - - var all84 = all_match({ - processors: [ - dup132, - dup343, - dup83, - ], - on_success: processor_chain([ - dup58, - dup2, - dup9, - dup59, - dup3, - dup4, - dup5, - dup60, - ]), - }); - - var msg256 = msg("00012:10", all84); - - var part436 = match("MESSAGE#255:00012:11", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to %{daddr}:%{dport}, using protocol %{protocol}, on zone %{zone->} interface %{interface}.The attack occurred %{dclass_counter1->} times. 
(%{fld1})", processor_chain([ - dup58, - dup2, - dup3, - dup4, - dup59, - dup5, - dup9, - dup61, - ])); - - var msg257 = msg("00012:11", part436); - - var part437 = match("MESSAGE#256:00012:12", "nwparser.payload", "%{signame->} from %{saddr}/%{sport->} to %{daddr}/%{dport->} protocol %{protocol->} (%{zone}) %{info->} (%{fld1})", processor_chain([ - dup58, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg258 = msg("00012:12", part437); - - var part438 = match("MESSAGE#257:00012", "nwparser.payload", "Service group %{group->} has been %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg259 = msg("00012", part438); - - var part439 = match("MESSAGE#258:00012:01", "nwparser.payload", "Service %{service->} has been %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg260 = msg("00012:01", part439); - - var select101 = linear_select([ - msg248, - msg249, - msg250, - msg251, - msg252, - msg253, - msg254, - msg255, - msg256, - msg257, - msg258, - msg259, - msg260, - ]); - - var part440 = match("MESSAGE#259:00013", "nwparser.payload", "Global Manager error in decoding bytes has been detected%{}", processor_chain([ - dup86, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg261 = msg("00013", part440); - - var part441 = match("MESSAGE#260:00013:01", "nwparser.payload", "Intruder has attempted to connect to the NetScreen-Global Manager port! 
From %{saddr}:%{sport->} to %{daddr}:%{dport->} using protocol %{protocol->} at interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([ - dup58, - dup2, - dup3, - dup59, - dup4, - dup5, - dup61, - setc("signame","An Attempt to connect to NetScreen-Global Manager Port."), - ])); - - var msg262 = msg("00013:01", part441); - - var part442 = match("MESSAGE#261:00013:02", "nwparser.payload", "URL Filtering %{fld2->} has been changed to %{fld3}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg263 = msg("00013:02", part442); - - var part443 = match("MESSAGE#262:00013:03", "nwparser.payload", "Web Filtering has been %{disposition->} (%{fld1})", processor_chain([ - dup50, - dup43, - dup51, - dup2, - dup4, - dup5, - dup9, - ])); - - var msg264 = msg("00013:03", part443); - - var select102 = linear_select([ - msg261, - msg262, - msg263, - msg264, - ]); - - var part444 = match("MESSAGE#263:00014", "nwparser.payload", "%{change_attribute->} in minutes has changed from %{change_old->} to %{change_new}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg265 = msg("00014", part444); - - var part445 = match("MESSAGE#264:00014:01/0", "nwparser.payload", "The group member %{username->} has been %{disposition->} %{p0}"); - - var part446 = match("MESSAGE#264:00014:01/1_0", "nwparser.p0", "to a group%{}"); - - var part447 = match("MESSAGE#264:00014:01/1_1", "nwparser.p0", "from a group%{}"); - - var select103 = linear_select([ - part446, - part447, - ]); - - var all85 = all_match({ - processors: [ - part445, - select103, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg266 = msg("00014:01", all85); - - var part448 = match("MESSAGE#265:00014:02", "nwparser.payload", "The user group %{group->} has been %{disposition->} by %{username}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg267 = msg("00014:02", part448); - 
- var part449 = match("MESSAGE#266:00014:03", "nwparser.payload", "The user %{username->} has been %{disposition->} by %{administrator}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg268 = msg("00014:03", part449); - - var part450 = match("MESSAGE#267:00014:04", "nwparser.payload", "Communication error with %{hostname->} server { %{hostip->} }: SrvErr (%{fld2}), SockErr (%{fld3}), Valid (%{fld4}),Connected (%{fld5})", processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg269 = msg("00014:04", part450); - - var part451 = match("MESSAGE#268:00014:05", "nwparser.payload", "System clock configurations have been %{disposition->} by admin %{administrator}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg270 = msg("00014:05", part451); - - var part452 = match("MESSAGE#269:00014:06", "nwparser.payload", "System clock is %{disposition->} manually.", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg271 = msg("00014:06", part452); - - var part453 = match("MESSAGE#270:00014:07", "nwparser.payload", "System up time is %{disposition->} by %{fld2}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg272 = msg("00014:07", part453); - - var part454 = match("MESSAGE#271:00014:08", "nwparser.payload", "Communication error with %{hostname->} server[%{hostip}]: SrvErr(%{fld2}),SockErr(%{fld3}),Valid(%{fld4}),Connected(%{fld5}) (%{fld1})", processor_chain([ - dup27, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg273 = msg("00014:08", part454); - - var select104 = linear_select([ - msg265, - msg266, - msg267, - msg268, - msg269, - msg270, - msg271, - msg272, - msg273, - ]); - - var part455 = match("MESSAGE#272:00015", "nwparser.payload", "Authentication type has been changed to %{authmethod}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg274 = msg("00015", part455); - - var part456 = match("MESSAGE#273:00015:01", 
"nwparser.payload", "IP tracking to %{daddr->} has %{disposition}", processor_chain([ - dup86, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg275 = msg("00015:01", part456); - - var part457 = match("MESSAGE#274:00015:02/0", "nwparser.payload", "LDAP %{p0}"); - - var part458 = match("MESSAGE#274:00015:02/1_0", "nwparser.p0", "server name %{p0}"); - - var part459 = match("MESSAGE#274:00015:02/1_2", "nwparser.p0", "distinguished name %{p0}"); - - var part460 = match("MESSAGE#274:00015:02/1_3", "nwparser.p0", "common name %{p0}"); - - var select105 = linear_select([ - part458, - dup137, - part459, - part460, - ]); - - var all86 = all_match({ - processors: [ - part457, - select105, - dup138, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg276 = msg("00015:02", all86); - - var part461 = match("MESSAGE#275:00015:03", "nwparser.payload", "Primary HA link has gone down. Local NetScreen device has begun using the secondary HA link%{}", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg277 = msg("00015:03", part461); - - var part462 = match("MESSAGE#276:00015:04/0", "nwparser.payload", "RADIUS server %{p0}"); - - var part463 = match("MESSAGE#276:00015:04/1_2", "nwparser.p0", "secret %{p0}"); - - var select106 = linear_select([ - dup139, - dup140, - part463, - ]); - - var all87 = all_match({ - processors: [ - part462, - select106, - dup138, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg278 = msg("00015:04", all87); - - var part464 = match("MESSAGE#277:00015:05/0", "nwparser.payload", "SecurID %{p0}"); - - var part465 = match("MESSAGE#277:00015:05/1_0", "nwparser.p0", "authentication port %{p0}"); - - var part466 = match("MESSAGE#277:00015:05/1_1", "nwparser.p0", "duress mode %{p0}"); - - var part467 = match("MESSAGE#277:00015:05/1_3", "nwparser.p0", "number of retries value %{p0}"); - - var select107 = linear_select([ - part465, - part466, - 
dup76, - part467, - ]); - - var all88 = all_match({ - processors: [ - part464, - select107, - dup138, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg279 = msg("00015:05", all88); - - var part468 = match("MESSAGE#278:00015:06/0_0", "nwparser.payload", "Master %{p0}"); - - var part469 = match("MESSAGE#278:00015:06/0_1", "nwparser.payload", "Backup %{p0}"); - - var select108 = linear_select([ - part468, - part469, - ]); - - var part470 = match("MESSAGE#278:00015:06/1", "nwparser.p0", "SecurID server IP address has been %{disposition}"); - - var all89 = all_match({ - processors: [ - select108, - part470, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg280 = msg("00015:06", all89); - - var part471 = match("MESSAGE#279:00015:07", "nwparser.payload", "HA change from slave to master%{}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg281 = msg("00015:07", part471); - - var part472 = match("MESSAGE#280:00015:08", "nwparser.payload", "inconsistent configuration between master and slave%{}", processor_chain([ - dup141, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg282 = msg("00015:08", part472); - - var part473 = match("MESSAGE#281:00015:09/0_0", "nwparser.payload", "configuration %{p0}"); - - var part474 = match("MESSAGE#281:00015:09/0_1", "nwparser.payload", "Configuration %{p0}"); - - var select109 = linear_select([ - part473, - part474, - ]); - - var part475 = match("MESSAGE#281:00015:09/1", "nwparser.p0", "out of sync between local unit and remote unit%{}"); - - var all90 = all_match({ - processors: [ - select109, - part475, - ], - on_success: processor_chain([ - dup141, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg283 = msg("00015:09", all90); - - var part476 = match("MESSAGE#282:00015:10", "nwparser.payload", "HA control channel change to %{interface}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - 
var msg284 = msg("00015:10", part476); - - var part477 = match("MESSAGE#283:00015:11", "nwparser.payload", "HA data channel change to %{interface}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg285 = msg("00015:11", part477); - - var part478 = match("MESSAGE#284:00015:12/1_0", "nwparser.p0", "control %{p0}"); - - var part479 = match("MESSAGE#284:00015:12/1_1", "nwparser.p0", "data %{p0}"); - - var select110 = linear_select([ - part478, - part479, - ]); - - var part480 = match("MESSAGE#284:00015:12/2", "nwparser.p0", "channel moved from link %{p0}"); - - var part481 = match("MESSAGE#284:00015:12/6", "nwparser.p0", "(%{interface})"); - - var all91 = all_match({ - processors: [ - dup87, - select110, - part480, - dup353, - dup103, - dup353, - part481, - ], - on_success: processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg286 = msg("00015:12", all91); - - var part482 = match("MESSAGE#285:00015:13", "nwparser.payload", "HA: Slave is down%{}", processor_chain([ - dup144, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg287 = msg("00015:13", part482); - - var part483 = match("MESSAGE#286:00015:14/0", "nwparser.payload", "NSRP link %{p0}"); - - var all92 = all_match({ - processors: [ - part483, - dup353, - dup116, - ], - on_success: processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg288 = msg("00015:14", all92); - - var part484 = match("MESSAGE#287:00015:15", "nwparser.payload", "no HA %{fld2->} channel available (%{fld3->} used by other channel)", processor_chain([ - dup117, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg289 = msg("00015:15", part484); - - var part485 = match("MESSAGE#288:00015:16", "nwparser.payload", "The NSRP configuration is out of synchronization between the local device and the peer device.%{}", processor_chain([ - dup18, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg290 = msg("00015:16", part485); - - var part486 = match("MESSAGE#289:00015:17", 
"nwparser.payload", "NSRP %{change_attribute->} %{change_old->} changed to link channel %{change_new}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg291 = msg("00015:17", part486); - - var part487 = match("MESSAGE#290:00015:18", "nwparser.payload", "RTO mirror group %{group->} with direction %{direction->} on peer device %{fld2->} changed from %{fld3->} to %{fld4->} state.", processor_chain([ - dup121, - dup2, - dup3, - dup4, - dup5, - setc("change_attribute","RTO mirror group"), - ])); - - var msg292 = msg("00015:18", part487); - - var part488 = match("MESSAGE#291:00015:19", "nwparser.payload", "RTO mirror group %{group->} with direction %{direction->} on local device %{fld2}, detected a duplicate direction on the peer device %{fld3}", processor_chain([ - dup18, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg293 = msg("00015:19", part488); - - var part489 = match("MESSAGE#292:00015:20", "nwparser.payload", "RTO mirror group %{group->} with direction %{direction->} changed on the local device from %{fld2->} to up state, it had peer device %{fld3}", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg294 = msg("00015:20", part489); - - var part490 = match("MESSAGE#293:00015:21/0", "nwparser.payload", "Peer device %{fld2->} %{p0}"); - - var part491 = match("MESSAGE#293:00015:21/1_0", "nwparser.p0", "disappeared %{p0}"); - - var part492 = match("MESSAGE#293:00015:21/1_1", "nwparser.p0", "was discovered %{p0}"); - - var select111 = linear_select([ - part491, - part492, - ]); - - var all93 = all_match({ - processors: [ - part490, - select111, - dup116, - ], - on_success: processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg295 = msg("00015:21", all93); - - var part493 = match("MESSAGE#294:00015:22/0_0", "nwparser.payload", "The local %{p0}"); - - var part494 = match("MESSAGE#294:00015:22/0_1", "nwparser.payload", "The peer %{p0}"); - - var part495 = match("MESSAGE#294:00015:22/0_2", 
"nwparser.payload", "Peer %{p0}"); - - var select112 = linear_select([ - part493, - part494, - part495, - ]); - - var part496 = match("MESSAGE#294:00015:22/1", "nwparser.p0", "device %{fld2->} in the Virtual Security Device group %{group->} changed %{change_attribute->} from %{change_old->} to %{change_new->} %{p0}"); - - var all94 = all_match({ - processors: [ - select112, - part496, - dup354, - ], - on_success: processor_chain([ - dup44, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg296 = msg("00015:22", all94); - - var part497 = match("MESSAGE#295:00015:23", "nwparser.payload", "WebAuth is set to %{fld2}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg297 = msg("00015:23", part497); - - var part498 = match("MESSAGE#296:00015:24", "nwparser.payload", "Default firewall authentication server has been changed to %{hostname}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg298 = msg("00015:24", part498); - - var part499 = match("MESSAGE#297:00015:25", "nwparser.payload", "Admin user %{administrator->} attempted to verify the encrypted password %{fld2}. Verification was successful", processor_chain([ - setc("eventcategory","1613050100"), - dup2, - dup3, - dup4, - dup5, - ])); - - var msg299 = msg("00015:25", part499); - - var part500 = match("MESSAGE#298:00015:29", "nwparser.payload", "Admin user %{administrator->} attempted to verify the encrypted password %{fld2}. 
Verification failed", processor_chain([ - dup97, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg300 = msg("00015:29", part500); - - var part501 = match("MESSAGE#299:00015:26/0", "nwparser.payload", "unit %{fld2->} just dis%{p0}"); - - var part502 = match("MESSAGE#299:00015:26/1_0", "nwparser.p0", "appeared%{}"); - - var part503 = match("MESSAGE#299:00015:26/1_1", "nwparser.p0", "covered%{}"); - - var select113 = linear_select([ - part502, - part503, - ]); - - var all95 = all_match({ - processors: [ - part501, - select113, - ], - on_success: processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg301 = msg("00015:26", all95); - - var part504 = match("MESSAGE#300:00015:33", "nwparser.payload", "NSRP: HA data channel change to %{interface}. (%{fld2})", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - dup146, - ])); - - var msg302 = msg("00015:33", part504); - - var part505 = match("MESSAGE#301:00015:27", "nwparser.payload", "NSRP: %{fld2}", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg303 = msg("00015:27", part505); - - var part506 = match("MESSAGE#302:00015:28", "nwparser.payload", "Auth server %{hostname->} RADIUS retry timeout has been set to default of %{fld2}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg304 = msg("00015:28", part506); - - var part507 = match("MESSAGE#303:00015:30/0", "nwparser.payload", "Number of RADIUS retries for auth server %{hostname->} %{p0}"); - - var part508 = match("MESSAGE#303:00015:30/2", "nwparser.p0", "set to %{fld2->} (%{fld1})"); - - var all96 = all_match({ - processors: [ - part507, - dup355, - part508, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg305 = msg("00015:30", all96); - - var part509 = match("MESSAGE#304:00015:31", "nwparser.payload", "Forced timeout for Auth server %{hostname->} is unset to its default value, %{info->} (%{fld1})", processor_chain([ - 
dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg306 = msg("00015:31", part509); - - var part510 = match("MESSAGE#305:00015:32", "nwparser.payload", "Accounting port of server RADIUS is set to %{network_port}. (%{fld1})", processor_chain([ - dup50, - dup43, - dup51, - dup2, - dup4, - dup5, - dup9, - ])); - - var msg307 = msg("00015:32", part510); - - var select114 = linear_select([ - msg274, - msg275, - msg276, - msg277, - msg278, - msg279, - msg280, - msg281, - msg282, - msg283, - msg284, - msg285, - msg286, - msg287, - msg288, - msg289, - msg290, - msg291, - msg292, - msg293, - msg294, - msg295, - msg296, - msg297, - msg298, - msg299, - msg300, - msg301, - msg302, - msg303, - msg304, - msg305, - msg306, - msg307, - ]); - - var part511 = match("MESSAGE#306:00016", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to %{daddr->} using protocol %{protocol->} on interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([ - dup147, - dup148, - dup149, - dup150, - dup2, - dup3, - dup59, - dup4, - dup5, - dup61, - ])); - - var msg308 = msg("00016", part511); - - var part512 = match("MESSAGE#307:00016:01", "nwparser.payload", "Address VIP (%{fld2}) for %{fld3->} has been %{disposition}.", processor_chain([ - dup1, - dup148, - dup149, - dup150, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg309 = msg("00016:01", part512); - - var part513 = match("MESSAGE#308:00016:02", "nwparser.payload", "VIP (%{fld2}) has been %{disposition}", processor_chain([ - dup1, - dup148, - dup149, - dup150, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg310 = msg("00016:02", part513); - - var part514 = match("MESSAGE#309:00016:03", "nwparser.payload", "%{signame->} from %{saddr}/%{sport->} to %{daddr}/%{dport->} protocol %{protocol->} (%{fld2})", processor_chain([ - dup147, - dup148, - dup149, - dup150, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg311 = msg("00016:03", part514); - - var part515 = 
match("MESSAGE#310:00016:05", "nwparser.payload", "VIP multi-port was %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg312 = msg("00016:05", part515); - - var part516 = match("MESSAGE#311:00016:06", "nwparser.payload", "%{signame->} has been detected! From %{saddr}:%{sport->} to %{daddr}:%{dport}, using protocol %{protocol}, and arriving at interface %{dinterface->} in zone %{dst_zone}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([ - dup147, - dup148, - dup149, - dup150, - dup2, - dup3, - dup59, - dup4, - dup5, - dup61, - ])); - - var msg313 = msg("00016:06", part516); - - var part517 = match("MESSAGE#312:00016:07/0", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to %{daddr}:%{dport}, proto %{protocol->} ( zone %{p0}"); - - var all97 = all_match({ - processors: [ - part517, - dup338, - dup67, - ], - on_success: processor_chain([ - dup147, - dup148, - dup149, - dup150, - dup2, - dup9, - dup59, - dup3, - dup4, - dup5, - dup61, - ]), - }); - - var msg314 = msg("00016:07", all97); - - var part518 = match("MESSAGE#313:00016:08", "nwparser.payload", "VIP (%{fld2}:%{fld3->} HTTP %{fld4}) Modify by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport->} (%{fld1})", processor_chain([ - setc("eventcategory","1001020305"), - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg315 = msg("00016:08", part518); - - var part519 = match("MESSAGE#314:00016:09", "nwparser.payload", "VIP (%{fld2}:%{fld3->} HTTP %{fld4}) New by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport->} (%{fld1})", processor_chain([ - setc("eventcategory","1001030305"), - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg316 = msg("00016:09", part519); - - var select115 = linear_select([ - msg308, - msg309, - msg310, - msg311, - msg312, - msg313, - msg314, - msg315, - msg316, - ]); - - var part520 = match("MESSAGE#315:00017", "nwparser.payload", "%{signame->} From 
%{saddr}:%{sport->} using protocol %{protocol->} on interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([ - dup151, - dup2, - dup3, - dup59, - dup4, - dup5, - ])); - - var msg317 = msg("00017", part520); - - var part521 = match("MESSAGE#316:00017:23/0", "nwparser.payload", "Gateway %{fld2->} at %{fld3->} in %{fld5->} mode with ID %{p0}"); - - var part522 = match("MESSAGE#316:00017:23/1_0", "nwparser.p0", "[%{fld4}] %{p0}"); - - var part523 = match("MESSAGE#316:00017:23/1_1", "nwparser.p0", "%{fld4->} %{p0}"); - - var select116 = linear_select([ - part522, - part523, - ]); - - var part524 = match("MESSAGE#316:00017:23/2", "nwparser.p0", "has been %{disposition->} by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport->} %{fld}"); - - var all98 = all_match({ - processors: [ - part521, - select116, - part524, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg318 = msg("00017:23", all98); - - var part525 = match("MESSAGE#317:00017:01/0_0", "nwparser.payload", "%{fld1}: Gateway %{p0}"); - - var part526 = match("MESSAGE#317:00017:01/0_1", "nwparser.payload", "Gateway %{p0}"); - - var select117 = linear_select([ - part525, - part526, - ]); - - var part527 = match("MESSAGE#317:00017:01/1", "nwparser.p0", "%{fld2->} at %{fld3->} in %{fld5->} mode with ID%{p0}"); - - var part528 = match("MESSAGE#317:00017:01/3", "nwparser.p0", "%{fld4->} has been %{disposition}"); - - var all99 = all_match({ - processors: [ - select117, - part527, - dup356, - part528, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg319 = msg("00017:01", all99); - - var part529 = match("MESSAGE#318:00017:02", "nwparser.payload", "IKE %{hostip}: Gateway settings have been %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg320 = msg("00017:02", part529); - - var part530 = match("MESSAGE#319:00017:03", 
"nwparser.payload", "IKE key %{fld2->} has been %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg321 = msg("00017:03", part530); - - var part531 = match("MESSAGE#320:00017:04/2", "nwparser.p0", "%{group_object->} with range %{fld2->} has been %{disposition}"); - - var all100 = all_match({ - processors: [ - dup153, - dup357, - part531, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg322 = msg("00017:04", all100); - - var part532 = match("MESSAGE#321:00017:05", "nwparser.payload", "IPSec NAT-T for VPN %{group->} has been %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg323 = msg("00017:05", part532); - - var part533 = match("MESSAGE#322:00017:06/0", "nwparser.payload", "The DF-BIT for VPN %{group->} has been set to %{p0}"); - - var part534 = match("MESSAGE#322:00017:06/1_0", "nwparser.p0", "clear %{p0}"); - - var part535 = match("MESSAGE#322:00017:06/1_2", "nwparser.p0", "copy %{p0}"); - - var select118 = linear_select([ - part534, - dup101, - part535, - ]); - - var all101 = all_match({ - processors: [ - part533, - select118, - dup116, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg324 = msg("00017:06", all101); - - var part536 = match("MESSAGE#323:00017:07/0", "nwparser.payload", "The DF-BIT for VPN %{group->} has been %{p0}"); - - var part537 = match("MESSAGE#323:00017:07/1_0", "nwparser.p0", "clear%{}"); - - var part538 = match("MESSAGE#323:00017:07/1_1", "nwparser.p0", "cleared%{}"); - - var part539 = match("MESSAGE#323:00017:07/1_3", "nwparser.p0", "copy%{}"); - - var part540 = match("MESSAGE#323:00017:07/1_4", "nwparser.p0", "copied%{}"); - - var select119 = linear_select([ - part537, - part538, - dup98, - part539, - part540, - ]); - - var all102 = all_match({ - processors: [ - part536, - select119, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - 
dup5, - ]), - }); - - var msg325 = msg("00017:07", all102); - - var part541 = match("MESSAGE#324:00017:08", "nwparser.payload", "VPN %{group->} with gateway %{fld2->} and SPI %{fld3}/%{fld4->} has been %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg326 = msg("00017:08", part541); - - var part542 = match("MESSAGE#325:00017:09/0_0", "nwparser.payload", "%{fld1}: VPN %{p0}"); - - var part543 = match("MESSAGE#325:00017:09/0_1", "nwparser.payload", "VPN %{p0}"); - - var select120 = linear_select([ - part542, - part543, - ]); - - var part544 = match("MESSAGE#325:00017:09/1", "nwparser.p0", "%{group->} with gateway %{fld2->} %{p0}"); - - var part545 = match("MESSAGE#325:00017:09/2_0", "nwparser.p0", "no-rekey %{p0}"); - - var part546 = match("MESSAGE#325:00017:09/2_1", "nwparser.p0", "rekey, %{p0}"); - - var part547 = match("MESSAGE#325:00017:09/2_2", "nwparser.p0", "rekey %{p0}"); - - var select121 = linear_select([ - part545, - part546, - part547, - ]); - - var part548 = match("MESSAGE#325:00017:09/3", "nwparser.p0", "and p2-proposal %{fld3->} has been %{p0}"); - - var part549 = match("MESSAGE#325:00017:09/4_0", "nwparser.p0", "%{disposition->} from peer unit"); - - var part550 = match("MESSAGE#325:00017:09/4_1", "nwparser.p0", "%{disposition->} from host %{saddr}"); - - var select122 = linear_select([ - part549, - part550, - dup36, - ]); - - var all103 = all_match({ - processors: [ - select120, - part544, - select121, - part548, - select122, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg327 = msg("00017:09", all103); - - var part551 = match("MESSAGE#326:00017:10/0", "nwparser.payload", "VPN monitoring for VPN %{group->} has been %{disposition}. 
Src IF %{sinterface->} dst IP %{daddr->} with rekeying %{p0}"); - - var all104 = all_match({ - processors: [ - part551, - dup358, - dup116, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg328 = msg("00017:10", all104); - - var part552 = match("MESSAGE#327:00017:11", "nwparser.payload", "VPN monitoring for VPN %{group->} has been %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg329 = msg("00017:11", part552); - - var part553 = match("MESSAGE#328:00017:12/0", "nwparser.payload", "VPN monitoring %{p0}"); - - var part554 = match("MESSAGE#328:00017:12/1_2", "nwparser.p0", "frequency %{p0}"); - - var select123 = linear_select([ - dup109, - dup110, - part554, - ]); - - var all105 = all_match({ - processors: [ - part553, - select123, - dup127, - dup359, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg330 = msg("00017:12", all105); - - var part555 = match("MESSAGE#329:00017:26", "nwparser.payload", "VPN %{group->} with gateway %{fld2->} and P2 proposal %{fld3->} has been added by %{username->} via %{logon_type->} from host %{saddr}:%{sport}. (%{fld1})", processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg331 = msg("00017:26", part555); - - var part556 = match("MESSAGE#330:00017:13", "nwparser.payload", "No IP pool has been assigned. You cannot allocate an IP address.%{}", processor_chain([ - dup18, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg332 = msg("00017:13", part556); - - var part557 = match("MESSAGE#331:00017:14", "nwparser.payload", "P1 proposal %{fld2->} with %{protocol_detail}, DH group %{group}, ESP %{encryption_type}, auth %{authmethod}, and lifetime %{fld3->} has been %{disposition->} by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport}. 
(%{fld1})", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup9, - dup5, - ])); - - var msg333 = msg("00017:14", part557); - - var part558 = match("MESSAGE#332:00017:15/0", "nwparser.payload", "P2 proposal %{fld2->} with DH group %{group->} %{p0}"); - - var part559 = match("MESSAGE#332:00017:15/2", "nwparser.p0", "%{encryption_type->} auth %{authmethod->} and lifetime (%{fld3}) (%{fld4}) has been %{disposition}."); - - var all106 = all_match({ - processors: [ - part558, - dup360, - part559, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg334 = msg("00017:15", all106); - - var part560 = match("MESSAGE#333:00017:31/0", "nwparser.payload", "P1 proposal %{fld2->} with %{protocol_detail->} DH group %{group->} %{p0}"); - - var part561 = match("MESSAGE#333:00017:31/2", "nwparser.p0", "%{encryption_type->} auth %{authmethod->} and lifetime %{fld3->} has been %{disposition}."); - - var all107 = all_match({ - processors: [ - part560, - dup360, - part561, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg335 = msg("00017:31", all107); - - var part562 = match("MESSAGE#334:00017:16/0", "nwparser.payload", "vpnmonitor interval is %{p0}"); - - var all108 = all_match({ - processors: [ - part562, - dup359, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg336 = msg("00017:16", all108); - - var part563 = match("MESSAGE#335:00017:17/0", "nwparser.payload", "vpnmonitor threshold is %{p0}"); - - var select124 = linear_select([ - dup99, - dup93, - ]); - - var all109 = all_match({ - processors: [ - part563, - select124, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg337 = msg("00017:17", all109); - - var part564 = match("MESSAGE#336:00017:18/2", "nwparser.p0", "%{group_object->} with range %{fld2->} was %{disposition}"); - - var all110 = all_match({ - processors: [ - dup153, - 
dup357, - part564, - ], - on_success: processor_chain([ - dup50, - dup43, - dup51, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg338 = msg("00017:18", all110); - - var part565 = match("MESSAGE#337:00017:19/0", "nwparser.payload", "%{signame->} From %{saddr->} to %{daddr}, using protocol %{protocol}, and arriving at %{p0}"); - - var part566 = match("MESSAGE#337:00017:19/2", "nwparser.p0", "%{} %{dinterface->} in zone %{dst_zone}.%{space}The attack occurred %{dclass_counter1->} times"); - - var all111 = all_match({ - processors: [ - part565, - dup337, - part566, - ], - on_success: processor_chain([ - dup151, - dup2, - dup3, - dup59, - dup4, - dup5, - ]), - }); - - var msg339 = msg("00017:19", all111); - - var all112 = all_match({ - processors: [ - dup64, - dup338, - dup67, - ], - on_success: processor_chain([ - dup151, - dup2, - dup9, - dup59, - dup3, - dup4, - dup5, - ]), - }); - - var msg340 = msg("00017:20", all112); - - var part567 = match("MESSAGE#339:00017:21", "nwparser.payload", "%{signame->} From %{saddr->} to %{daddr}, using protocol %{protocol}, on zone %{zone->} interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([ - dup151, - dup2, - dup3, - dup59, - dup4, - dup5, - ])); - - var msg341 = msg("00017:21", part567); - - var part568 = match("MESSAGE#340:00017:22", "nwparser.payload", "VPN %{group->} with gateway %{fld2->} and P2 proposal %{fld3->} has been %{disposition->} by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport->} (%{fld1})", processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg342 = msg("00017:22", part568); - - var part569 = match("MESSAGE#341:00017:24", "nwparser.payload", "VPN \"%{group}\" has been bound to tunnel interface %{interface}. 
(%{fld1})", processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg343 = msg("00017:24", part569); - - var part570 = match("MESSAGE#342:00017:25", "nwparser.payload", "VPN %{group->} with gateway %{fld2->} and P2 proposal standard has been added by admin %{administrator->} via NSRP Peer (%{fld1})", processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg344 = msg("00017:25", part570); - - var part571 = match("MESSAGE#343:00017:28", "nwparser.payload", "P2 proposal %{fld2->} with DH group %{group}, ESP, enc %{encryption_type}, auth %{authmethod}, and lifetime %{fld3->} has been %{disposition->} by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport}. (%{fld1})", processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg345 = msg("00017:28", part571); - - var part572 = match("MESSAGE#344:00017:29", "nwparser.payload", "L2TP \"%{fld2}\", all-L2TP-users secret \"%{fld3}\" keepalive %{fld4->} has been %{disposition->} by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport}. 
(%{fld1})", processor_chain([ - dup1, - dup2, - dup4, - dup5, - dup9, - ])); - - var msg346 = msg("00017:29", part572); - - var select125 = linear_select([ - msg317, - msg318, - msg319, - msg320, - msg321, - msg322, - msg323, - msg324, - msg325, - msg326, - msg327, - msg328, - msg329, - msg330, - msg331, - msg332, - msg333, - msg334, - msg335, - msg336, - msg337, - msg338, - msg339, - msg340, - msg341, - msg342, - msg343, - msg344, - msg345, - msg346, - ]); - - var part573 = match("MESSAGE#345:00018", "nwparser.payload", "Positions of policies %{fld2->} and %{fld3->} have been exchanged", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg347 = msg("00018", part573); - - var part574 = match("MESSAGE#346:00018:01", "nwparser.payload", "Deny Policy Alarm%{}", processor_chain([ - setc("eventcategory","1502010000"), - dup2, - dup4, - dup5, - dup3, - ])); - - var msg348 = msg("00018:01", part574); - - var part575 = match("MESSAGE#347:00018:02", "nwparser.payload", "Device%{quote}s %{change_attribute->} has been changed from %{change_old->} to %{change_new->} by admin %{administrator}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg349 = msg("00018:02", part575); - - var part576 = match("MESSAGE#348:00018:04", "nwparser.payload", "%{fld2->} Policy (%{policy_id}, %{info->} ) was %{disposition->} from host %{saddr->} by admin %{administrator->} (%{fld1})", processor_chain([ - dup17, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg350 = msg("00018:04", part576); - - var part577 = match("MESSAGE#349:00018:16", "nwparser.payload", "%{fld2->} Policy (%{policy_id}, %{info->} ) was %{disposition->} by admin %{administrator->} via NSRP Peer", processor_chain([ - dup17, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg351 = msg("00018:16", part577); - - var part578 = match("MESSAGE#350:00018:06/0", "nwparser.payload", "%{fld2->} Policy %{policy_id->} has been moved %{p0}"); - - var part579 = 
match("MESSAGE#350:00018:06/1_0", "nwparser.p0", "before %{p0}"); - - var part580 = match("MESSAGE#350:00018:06/1_1", "nwparser.p0", "after %{p0}"); - - var select126 = linear_select([ - part579, - part580, - ]); - - var part581 = match("MESSAGE#350:00018:06/2", "nwparser.p0", "%{fld3->} by admin %{administrator}"); - - var all113 = all_match({ - processors: [ - part578, - select126, - part581, - ], - on_success: processor_chain([ - dup17, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg352 = msg("00018:06", all113); - - var part582 = match("MESSAGE#351:00018:08", "nwparser.payload", "Policy %{policy_id->} application was modified to %{disposition->} by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport->} (%{fld1})", processor_chain([ - dup17, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg353 = msg("00018:08", part582); - - var part583 = match("MESSAGE#352:00018:09", "nwparser.payload", "Policy (%{policy_id}, %{info}) was %{disposition->} by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport->} (%{fld1})", processor_chain([ - dup17, - dup3, - dup2, - dup9, - dup4, - dup5, - ])); - - var msg354 = msg("00018:09", part583); - - var part584 = match("MESSAGE#353:00018:10/0", "nwparser.payload", "Policy (%{policy_id}, %{info}) was %{p0}"); - - var part585 = match("MESSAGE#353:00018:10/1_0", "nwparser.p0", "%{disposition->} from peer unit by %{p0}"); - - var part586 = match("MESSAGE#353:00018:10/1_1", "nwparser.p0", "%{disposition->} by %{p0}"); - - var select127 = linear_select([ - part585, - part586, - ]); - - var part587 = match("MESSAGE#353:00018:10/2", "nwparser.p0", "%{username->} via %{interface->} from host %{saddr->} (%{fld1})"); - - var all114 = all_match({ - processors: [ - part584, - select127, - part587, - ], - on_success: processor_chain([ - dup17, - dup3, - dup2, - dup9, - dup4, - dup5, - ]), - }); - - var msg355 = msg("00018:10", all114); - - var part588 = match("MESSAGE#354:00018:11/1_0", 
"nwparser.p0", "Service %{service->} was %{p0}"); - - var part589 = match("MESSAGE#354:00018:11/1_1", "nwparser.p0", "Attack group %{signame->} was %{p0}"); - - var select128 = linear_select([ - part588, - part589, - ]); - - var part590 = match("MESSAGE#354:00018:11/2", "nwparser.p0", "%{disposition->} to policy ID %{policy_id->} by %{username->} via %{logon_type->} from host %{saddr->} %{p0}"); - - var part591 = match("MESSAGE#354:00018:11/3_0", "nwparser.p0", "to %{daddr}:%{dport}. %{p0}"); - - var select129 = linear_select([ - part591, - dup16, - ]); - - var all115 = all_match({ - processors: [ - dup160, - select128, - part590, - select129, - dup10, - ], - on_success: processor_chain([ - dup17, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg356 = msg("00018:11", all115); - - var part592 = match("MESSAGE#355:00018:12/0", "nwparser.payload", "In policy %{policy_id}, the %{p0}"); - - var part593 = match("MESSAGE#355:00018:12/1_0", "nwparser.p0", "application %{p0}"); - - var part594 = match("MESSAGE#355:00018:12/1_1", "nwparser.p0", "attack severity %{p0}"); - - var part595 = match("MESSAGE#355:00018:12/1_2", "nwparser.p0", "DI attack component %{p0}"); - - var select130 = linear_select([ - part593, - part594, - part595, - ]); - - var part596 = match("MESSAGE#355:00018:12/2", "nwparser.p0", "was modified by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport->} (%{fld1})"); - - var all116 = all_match({ - processors: [ - part592, - select130, - part596, - ], - on_success: processor_chain([ - dup17, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg357 = msg("00018:12", all116); - - var part597 = match("MESSAGE#356:00018:32/1", "nwparser.p0", "%{}address %{dhost}(%{daddr}) was %{disposition->} %{p0}"); - - var all117 = all_match({ - processors: [ - dup361, - part597, - dup362, - dup164, - ], - on_success: processor_chain([ - dup17, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg358 = msg("00018:32", 
all117); - - var part598 = match("MESSAGE#357:00018:22/1", "nwparser.p0", "%{}address %{dhost->} was %{disposition->} %{p0}"); - - var all118 = all_match({ - processors: [ - dup361, - part598, - dup362, - dup164, - ], - on_success: processor_chain([ - dup17, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg359 = msg("00018:22", all118); - - var part599 = match("MESSAGE#358:00018:15/0", "nwparser.payload", "%{agent->} was %{disposition->} from policy %{policy_id->} %{p0}"); - - var select131 = linear_select([ - dup78, - dup77, - ]); - - var part600 = match("MESSAGE#358:00018:15/2", "nwparser.p0", "address by admin %{administrator->} via NSRP Peer"); - - var all119 = all_match({ - processors: [ - part599, - select131, - part600, - ], - on_success: processor_chain([ - dup17, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg360 = msg("00018:15", all119); - - var part601 = match("MESSAGE#359:00018:14/0", "nwparser.payload", "%{agent->} was %{disposition->} %{p0}"); - - var part602 = match("MESSAGE#359:00018:14/1_0", "nwparser.p0", "to%{p0}"); - - var part603 = match("MESSAGE#359:00018:14/1_1", "nwparser.p0", "from%{p0}"); - - var select132 = linear_select([ - part602, - part603, - ]); - - var part604 = match("MESSAGE#359:00018:14/2", "nwparser.p0", "%{}policy %{policy_id->} %{p0}"); - - var part605 = match("MESSAGE#359:00018:14/3_0", "nwparser.p0", "service %{p0}"); - - var part606 = match("MESSAGE#359:00018:14/3_1", "nwparser.p0", "source address %{p0}"); - - var part607 = match("MESSAGE#359:00018:14/3_2", "nwparser.p0", "destination address %{p0}"); - - var select133 = linear_select([ - part605, - part606, - part607, - ]); - - var part608 = match("MESSAGE#359:00018:14/4", "nwparser.p0", "by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport->} (%{fld1})"); - - var all120 = all_match({ - processors: [ - part601, - select132, - part604, - select133, - part608, - ], - on_success: processor_chain([ - dup17, - dup2, - dup3, - 
dup9, - dup4, - dup5, - ]), - }); - - var msg361 = msg("00018:14", all120); - - var part609 = match("MESSAGE#360:00018:29", "nwparser.payload", "Service %{service->} was %{disposition->} to policy ID %{policy_id->} by admin %{administrator->} via NSRP Peer . (%{fld1})", processor_chain([ - dup17, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg362 = msg("00018:29", part609); - - var part610 = match("MESSAGE#361:00018:07", "nwparser.payload", "%{agent->} was added to policy %{policy_id->} %{rule_group->} by admin %{administrator->} via NSRP Peer %{space->} (%{fld1})", processor_chain([ - dup17, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg363 = msg("00018:07", part610); - - var part611 = match("MESSAGE#362:00018:18", "nwparser.payload", "Service %{service->} was %{disposition->} to policy ID %{policy_id->} by %{username->} via %{logon_type->} to %{daddr}:%{dport->} (%{fld1})", processor_chain([ - dup17, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg364 = msg("00018:18", part611); - - var part612 = match("MESSAGE#363:00018:17", "nwparser.payload", "AntiSpam ns-profile was %{disposition->} from policy ID %{policy_id->} by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport}. 
(%{fld1})", processor_chain([ - dup17, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg365 = msg("00018:17", part612); - - var part613 = match("MESSAGE#364:00018:19", "nwparser.payload", "Source address Info %{info->} was %{disposition->} to policy ID %{policy_id->} by %{username->} via %{logon_type->} to %{daddr}:%{dport->} (%{fld1})", processor_chain([ - dup17, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg366 = msg("00018:19", part613); - - var part614 = match("MESSAGE#365:00018:23/0_0", "nwparser.payload", "Destination %{p0}"); - - var part615 = match("MESSAGE#365:00018:23/0_1", "nwparser.payload", "Source %{p0}"); - - var select134 = linear_select([ - part614, - part615, - ]); - - var part616 = match("MESSAGE#365:00018:23/1", "nwparser.p0", "address %{info->} was added to policy ID %{policy_id->} by %{username->} via %{logon_type->} %{p0}"); - - var part617 = match("MESSAGE#365:00018:23/2_0", "nwparser.p0", "from host %{p0}"); - - var select135 = linear_select([ - part617, - dup103, - ]); - - var part618 = match("MESSAGE#365:00018:23/4_0", "nwparser.p0", "%{saddr->} to %{daddr->} %{p0}"); - - var part619 = match("MESSAGE#365:00018:23/4_1", "nwparser.p0", "%{daddr->} %{p0}"); - - var select136 = linear_select([ - part618, - part619, - ]); - - var part620 = match("MESSAGE#365:00018:23/5", "nwparser.p0", "%{dport}:(%{fld1})"); - - var all121 = all_match({ - processors: [ - select134, - part616, - select135, - dup23, - select136, - part620, - ], - on_success: processor_chain([ - dup17, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg367 = msg("00018:23", all121); - - var part621 = match("MESSAGE#366:00018:21", "nwparser.payload", "Service %{service->} was deleted from policy ID %{policy_id->} by %{username->} via %{logon_type->} from host %{saddr}:%{sport}. 
(%{fld1})", processor_chain([ - dup17, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg368 = msg("00018:21", part621); - - var part622 = match("MESSAGE#367:00018:24", "nwparser.payload", "Policy (%{policyname}) was %{disposition->} by %{username->} via %{logon_type->} to %{daddr}:%{dport->} (%{fld1})", processor_chain([ - dup17, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg369 = msg("00018:24", part622); - - var part623 = match("MESSAGE#368:00018:25/1", "nwparser.p0", "%{}address %{info->} was added to policy ID %{policy_id->} by %{username->} via %{logon_type->} from host %{saddr}. (%{fld1})"); - - var all122 = all_match({ - processors: [ - dup363, - part623, - ], - on_success: processor_chain([ - dup17, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg370 = msg("00018:25", all122); - - var part624 = match("MESSAGE#369:00018:30/1", "nwparser.p0", "%{}address %{info->} was deleted from policy ID %{policy_id->} by %{username->} via %{logon_type->} from host %{saddr}. (%{fld1})"); - - var all123 = all_match({ - processors: [ - dup363, - part624, - ], - on_success: processor_chain([ - dup17, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg371 = msg("00018:30", all123); - - var part625 = match("MESSAGE#370:00018:26/0", "nwparser.payload", "In policy %{policy_id}, the application was modified to %{disposition->} by %{p0}"); - - var part626 = match("MESSAGE#370:00018:26/2_1", "nwparser.p0", "%{logon_type->} from host %{saddr}. (%{p0}"); - - var select137 = linear_select([ - dup48, - part626, - ]); - - var all124 = all_match({ - processors: [ - part625, - dup364, - select137, - dup41, - ], - on_success: processor_chain([ - dup17, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg372 = msg("00018:26", all124); - - var part627 = match("MESSAGE#371:00018:27", "nwparser.payload", "In policy %{policy_id}, the DI attack component was modified by %{username->} via %{logon_type->} from host %{saddr}:%{sport}. 
(%{fld1})", processor_chain([ - dup17, - dup2, - dup4, - dup5, - dup9, - ])); - - var msg373 = msg("00018:27", part627); - - var part628 = match("MESSAGE#372:00018:28", "nwparser.payload", "In policy %{policyname}, the DI attack component was modified by admin %{administrator->} via %{logon_type}. (%{fld1})", processor_chain([ - dup17, - dup2, - dup4, - dup5, - dup9, - setc("info","the DI attack component was modified"), - ])); - - var msg374 = msg("00018:28", part628); - - var part629 = match("MESSAGE#373:00018:03", "nwparser.payload", "Policy (%{policy_id}, %{info}) was %{disposition}", processor_chain([ - dup17, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg375 = msg("00018:03", part629); - - var part630 = match("MESSAGE#1213:00018:31", "nwparser.payload", "In policy %{policy_id}, the option %{fld2->} was %{disposition}. (%{fld1})", processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg376 = msg("00018:31", part630); - - var select138 = linear_select([ - msg347, - msg348, - msg349, - msg350, - msg351, - msg352, - msg353, - msg354, - msg355, - msg356, - msg357, - msg358, - msg359, - msg360, - msg361, - msg362, - msg363, - msg364, - msg365, - msg366, - msg367, - msg368, - msg369, - msg370, - msg371, - msg372, - msg373, - msg374, - msg375, - msg376, - ]); - - var part631 = match("MESSAGE#374:00019", "nwparser.payload", "Attempt to enable WebTrends has %{disposition->} because WebTrends settings have not yet been configured", processor_chain([ - dup18, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg377 = msg("00019", part631); - - var part632 = match("MESSAGE#375:00019:01/2", "nwparser.p0", "has %{disposition->} because syslog settings have not yet been configured"); - - var all125 = all_match({ - processors: [ - dup165, - dup365, - part632, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg378 = msg("00019:01", all125); - - var part633 = match("MESSAGE#376:00019:02/0", 
"nwparser.payload", "Socket cannot be assigned for %{p0}"); - - var part634 = match("MESSAGE#376:00019:02/1_0", "nwparser.p0", "WebTrends%{}"); - - var part635 = match("MESSAGE#376:00019:02/1_1", "nwparser.p0", "syslog%{}"); - - var select139 = linear_select([ - part634, - part635, - ]); - - var all126 = all_match({ - processors: [ - part633, - select139, - ], - on_success: processor_chain([ - dup18, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg379 = msg("00019:02", all126); - - var part636 = match("MESSAGE#377:00019:03", "nwparser.payload", "Syslog VPN encryption has been %{disposition}", processor_chain([ - dup91, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg380 = msg("00019:03", part636); - - var select140 = linear_select([ - dup169, - dup78, - ]); - - var select141 = linear_select([ - dup139, - dup170, - dup137, - dup122, - ]); - - var all127 = all_match({ - processors: [ - dup168, - select140, - dup23, - select141, - dup171, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg381 = msg("00019:04", all127); - - var part637 = match("MESSAGE#379:00019:05/0", "nwparser.payload", "Syslog message level has been changed to %{p0}"); - - var part638 = match("MESSAGE#379:00019:05/1_0", "nwparser.p0", "debug%{}"); - - var part639 = match("MESSAGE#379:00019:05/1_1", "nwparser.p0", "information%{}"); - - var part640 = match("MESSAGE#379:00019:05/1_2", "nwparser.p0", "notification%{}"); - - var part641 = match("MESSAGE#379:00019:05/1_3", "nwparser.p0", "warning%{}"); - - var part642 = match("MESSAGE#379:00019:05/1_4", "nwparser.p0", "error%{}"); - - var part643 = match("MESSAGE#379:00019:05/1_5", "nwparser.p0", "critical%{}"); - - var part644 = match("MESSAGE#379:00019:05/1_6", "nwparser.p0", "alert%{}"); - - var part645 = match("MESSAGE#379:00019:05/1_7", "nwparser.p0", "emergency%{}"); - - var select142 = linear_select([ - part638, - part639, - part640, - part641, - part642, - part643, - part644, - part645, - 
]); - - var all128 = all_match({ - processors: [ - part637, - select142, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg382 = msg("00019:05", all128); - - var part646 = match("MESSAGE#380:00019:06/2", "nwparser.p0", "has been changed to %{p0}"); - - var all129 = all_match({ - processors: [ - dup168, - dup366, - part646, - dup367, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg383 = msg("00019:06", all129); - - var part647 = match("MESSAGE#381:00019:07", "nwparser.payload", "WebTrends VPN encryption has been %{disposition}", processor_chain([ - dup91, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg384 = msg("00019:07", part647); - - var part648 = match("MESSAGE#382:00019:08", "nwparser.payload", "WebTrends has been %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg385 = msg("00019:08", part648); - - var part649 = match("MESSAGE#383:00019:09/0", "nwparser.payload", "WebTrends host %{p0}"); - - var select143 = linear_select([ - dup139, - dup170, - dup137, - ]); - - var all130 = all_match({ - processors: [ - part649, - select143, - dup171, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg386 = msg("00019:09", all130); - - var part650 = match("MESSAGE#384:00019:10/1_0", "nwparser.p0", "Traffic logging via syslog %{p0}"); - - var part651 = match("MESSAGE#384:00019:10/1_1", "nwparser.p0", "Syslog %{p0}"); - - var select144 = linear_select([ - part650, - part651, - ]); - - var all131 = all_match({ - processors: [ - dup183, - select144, - dup138, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg387 = msg("00019:10", all131); - - var part652 = match("MESSAGE#385:00019:11/2", "nwparser.p0", "has %{disposition->} because there is no syslog server defined"); - - var all132 = all_match({ - processors: [ - dup165, - dup365, - 
part652, - ], - on_success: processor_chain([ - dup18, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg388 = msg("00019:11", all132); - - var part653 = match("MESSAGE#386:00019:12", "nwparser.payload", "Removing all syslog servers%{}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg389 = msg("00019:12", part653); - - var part654 = match("MESSAGE#387:00019:13/0", "nwparser.payload", "Syslog server %{hostip->} %{p0}"); - - var select145 = linear_select([ - dup107, - dup106, - ]); - - var part655 = match("MESSAGE#387:00019:13/2", "nwparser.p0", "%{disposition}"); - - var all133 = all_match({ - processors: [ - part654, - select145, - part655, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg390 = msg("00019:13", all133); - - var part656 = match("MESSAGE#388:00019:14/2", "nwparser.p0", "for %{hostip->} has been changed to %{p0}"); - - var all134 = all_match({ - processors: [ - dup168, - dup366, - part656, - dup367, - ], - on_success: processor_chain([ - dup50, - dup43, - dup51, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg391 = msg("00019:14", all134); - - var part657 = match("MESSAGE#389:00019:15", "nwparser.payload", "Syslog cannot connect to the TCP server %{hostip}; the connection is closed.", processor_chain([ - dup27, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg392 = msg("00019:15", part657); - - var part658 = match("MESSAGE#390:00019:16", "nwparser.payload", "All syslog servers were removed.%{}", processor_chain([ - setc("eventcategory","1701030000"), - setc("ec_activity","Delete"), - dup51, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg393 = msg("00019:16", part658); - - var part659 = match("MESSAGE#391:00019:17", "nwparser.payload", "Syslog server %{hostip->} host port number has been changed to %{network_port->} %{fld5}", processor_chain([ - dup50, - dup43, - dup51, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg394 = msg("00019:17", part659); - - var 
part660 = match("MESSAGE#392:00019:18/0", "nwparser.payload", "Traffic logging %{p0}"); - - var part661 = match("MESSAGE#392:00019:18/1_0", "nwparser.p0", "via syslog %{p0}"); - - var part662 = match("MESSAGE#392:00019:18/1_1", "nwparser.p0", "for syslog server %{hostip->} %{p0}"); - - var select146 = linear_select([ - part661, - part662, - ]); - - var all135 = all_match({ - processors: [ - part660, - select146, - dup138, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg395 = msg("00019:18", all135); - - var part663 = match("MESSAGE#393:00019:19", "nwparser.payload", "Transport protocol for syslog server %{hostip->} was changed to udp", processor_chain([ - dup50, - dup43, - dup51, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg396 = msg("00019:19", part663); - - var part664 = match("MESSAGE#394:00019:20", "nwparser.payload", "The traffic/IDP syslog is enabled on backup device by netscreen via web from host %{saddr->} to %{daddr}:%{dport}. 
(%{fld1})", processor_chain([ - dup50, - dup43, - dup51, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg397 = msg("00019:20", part664); - - var select147 = linear_select([ - msg377, - msg378, - msg379, - msg380, - msg381, - msg382, - msg383, - msg384, - msg385, - msg386, - msg387, - msg388, - msg389, - msg390, - msg391, - msg392, - msg393, - msg394, - msg395, - msg396, - msg397, - ]); - - var part665 = match("MESSAGE#395:00020", "nwparser.payload", "Schedule %{fld2->} has been %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg398 = msg("00020", part665); - - var part666 = match("MESSAGE#396:00020:01/0", "nwparser.payload", "System memory is low %{p0}"); - - var part667 = match("MESSAGE#396:00020:01/1_1", "nwparser.p0", "( %{p0}"); - - var select148 = linear_select([ - dup152, - part667, - ]); - - var part668 = match("MESSAGE#396:00020:01/2", "nwparser.p0", "%{fld2->} bytes allocated out of %{p0}"); - - var part669 = match("MESSAGE#396:00020:01/3_0", "nwparser.p0", "total %{fld3->} bytes"); - - var part670 = match("MESSAGE#396:00020:01/3_1", "nwparser.p0", "%{fld4->} bytes total"); - - var select149 = linear_select([ - part669, - part670, - ]); - - var all136 = all_match({ - processors: [ - part666, - select148, - part668, - select149, - ], - on_success: processor_chain([ - dup184, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg399 = msg("00020:01", all136); - - var part671 = match("MESSAGE#397:00020:02", "nwparser.payload", "System memory is low (%{fld2->} allocated out of %{fld3->} ) %{fld4->} times in %{fld5}", processor_chain([ - dup184, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg400 = msg("00020:02", part671); - - var select150 = linear_select([ - msg398, - msg399, - msg400, - ]); - - var part672 = match("MESSAGE#398:00021", "nwparser.payload", "DIP %{fld2->} has been %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg401 = msg("00021", part672); - - var 
part673 = match("MESSAGE#399:00021:01", "nwparser.payload", "IP pool %{fld2->} with range %{info->} has been %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg402 = msg("00021:01", part673); - - var part674 = match("MESSAGE#400:00021:02", "nwparser.payload", "DNS server is not configured%{}", processor_chain([ - dup18, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg403 = msg("00021:02", part674); - - var part675 = match("MESSAGE#401:00021:03", "nwparser.payload", "Connection refused by the DNS server%{}", processor_chain([ - dup185, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg404 = msg("00021:03", part675); - - var part676 = match("MESSAGE#402:00021:04", "nwparser.payload", "Unknown DNS error%{}", processor_chain([ - dup117, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg405 = msg("00021:04", part676); - - var part677 = match("MESSAGE#403:00021:05", "nwparser.payload", "DIP port-translatation stickiness was %{disposition->} by %{username->} via %{logon_type->} from host %{saddr->} (%{fld1})", processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg406 = msg("00021:05", part677); - - var part678 = match("MESSAGE#404:00021:06", "nwparser.payload", "DIP port-translation stickiness was %{disposition->} by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport->} (%{fld1})", processor_chain([ - dup1, - dup2, - dup4, - dup5, - dup9, - setc("info","DIP port-translation stickiness was modified"), - ])); - - var msg407 = msg("00021:06", part678); - - var select151 = linear_select([ - msg401, - msg402, - msg403, - msg404, - msg405, - msg406, - msg407, - ]); - - var part679 = match("MESSAGE#405:00022/1_0", "nwparser.p0", "power supplies %{p0}"); - - var part680 = match("MESSAGE#405:00022/1_1", "nwparser.p0", "fans %{p0}"); - - var select152 = linear_select([ - part679, - part680, - ]); - - var part681 = match("MESSAGE#405:00022/2", "nwparser.p0", "are %{fld2->} functioning 
properly"); - - var all137 = all_match({ - processors: [ - dup186, - select152, - part681, - ], - on_success: processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg408 = msg("00022", all137); - - var part682 = match("MESSAGE#406:00022:01/0_0", "nwparser.payload", "At least one power supply %{p0}"); - - var part683 = match("MESSAGE#406:00022:01/0_1", "nwparser.payload", "The power supply %{fld2->} %{p0}"); - - var part684 = match("MESSAGE#406:00022:01/0_2", "nwparser.payload", "At least one fan %{p0}"); - - var select153 = linear_select([ - part682, - part683, - part684, - ]); - - var part685 = match("MESSAGE#406:00022:01/1", "nwparser.p0", "is not functioning properly%{p0}"); - - var all138 = all_match({ - processors: [ - select153, - part685, - dup368, - ], - on_success: processor_chain([ - dup187, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg409 = msg("00022:01", all138); - - var part686 = match("MESSAGE#407:00022:02", "nwparser.payload", "Global Manager VPN management tunnel has been %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg410 = msg("00022:02", part686); - - var part687 = match("MESSAGE#408:00022:03", "nwparser.payload", "Global Manager domain name has been defined as %{domain}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg411 = msg("00022:03", part687); - - var part688 = match("MESSAGE#409:00022:04/0", "nwparser.payload", "Reporting of the %{p0}"); - - var part689 = match("MESSAGE#409:00022:04/1_0", "nwparser.p0", "network activities %{p0}"); - - var part690 = match("MESSAGE#409:00022:04/1_1", "nwparser.p0", "device resources %{p0}"); - - var part691 = match("MESSAGE#409:00022:04/1_2", "nwparser.p0", "event logs %{p0}"); - - var part692 = match("MESSAGE#409:00022:04/1_3", "nwparser.p0", "summary logs %{p0}"); - - var select154 = linear_select([ - part689, - part690, - part691, - part692, - ]); - - var part693 = 
match("MESSAGE#409:00022:04/2", "nwparser.p0", "to Global Manager has been %{disposition}"); - - var all139 = all_match({ - processors: [ - part688, - select154, - part693, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg412 = msg("00022:04", all139); - - var part694 = match("MESSAGE#410:00022:05", "nwparser.payload", "Global Manager has been %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg413 = msg("00022:05", part694); - - var part695 = match("MESSAGE#411:00022:06/0", "nwparser.payload", "Global Manager %{p0}"); - - var part696 = match("MESSAGE#411:00022:06/1_0", "nwparser.p0", "report %{p0}"); - - var part697 = match("MESSAGE#411:00022:06/1_1", "nwparser.p0", "listen %{p0}"); - - var select155 = linear_select([ - part696, - part697, - ]); - - var part698 = match("MESSAGE#411:00022:06/2", "nwparser.p0", "port has been set to %{interface}"); - - var all140 = all_match({ - processors: [ - part695, - select155, - part698, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg414 = msg("00022:06", all140); - - var part699 = match("MESSAGE#412:00022:07", "nwparser.payload", "The Global Manager keep-alive value has been changed to %{fld2}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg415 = msg("00022:07", part699); - - var part700 = match("MESSAGE#413:00022:08/0_0", "nwparser.payload", "System temperature %{p0}"); - - var part701 = match("MESSAGE#413:00022:08/0_1", "nwparser.payload", "System's temperature: %{p0}"); - - var part702 = match("MESSAGE#413:00022:08/0_2", "nwparser.payload", "The system temperature %{p0}"); - - var select156 = linear_select([ - part700, - part701, - part702, - ]); - - var part703 = match("MESSAGE#413:00022:08/1", "nwparser.p0", "(%{fld2->} C%{p0}"); - - var part704 = match("MESSAGE#413:00022:08/2_0", "nwparser.p0", "entigrade, %{p0}"); - - var select157 = 
linear_select([ - part704, - dup96, - ]); - - var part705 = match("MESSAGE#413:00022:08/3", "nwparser.p0", "%{fld3->} F%{p0}"); - - var part706 = match("MESSAGE#413:00022:08/4_0", "nwparser.p0", "ahrenheit %{p0}"); - - var select158 = linear_select([ - part706, - dup96, - ]); - - var part707 = match("MESSAGE#413:00022:08/5", "nwparser.p0", ") is too high%{}"); - - var all141 = all_match({ - processors: [ - select156, - part703, - select157, - part705, - select158, - part707, - ], - on_success: processor_chain([ - dup188, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg416 = msg("00022:08", all141); - - var part708 = match("MESSAGE#414:00022:09/2", "nwparser.p0", "power supply is no%{p0}"); - - var select159 = linear_select([ - dup191, - dup192, - ]); - - var part709 = match("MESSAGE#414:00022:09/4", "nwparser.p0", "functioning properly%{}"); - - var all142 = all_match({ - processors: [ - dup55, - dup369, - part708, - select159, - part709, - ], - on_success: processor_chain([ - dup188, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg417 = msg("00022:09", all142); - - var part710 = match("MESSAGE#415:00022:10/0", "nwparser.payload", "The NetScreen device was unable to upgrade the file system%{p0}"); - - var part711 = match("MESSAGE#415:00022:10/1_0", "nwparser.p0", " due to an internal conflict%{}"); - - var part712 = match("MESSAGE#415:00022:10/1_1", "nwparser.p0", ", but the old file system is intact%{}"); - - var select160 = linear_select([ - part711, - part712, - ]); - - var all143 = all_match({ - processors: [ - part710, - select160, - ], - on_success: processor_chain([ - dup18, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg418 = msg("00022:10", all143); - - var part713 = match("MESSAGE#416:00022:11/0", "nwparser.payload", "The NetScreen device was unable to upgrade %{p0}"); - - var part714 = match("MESSAGE#416:00022:11/1_0", "nwparser.p0", "due to an internal conflict%{}"); - - var part715 = match("MESSAGE#416:00022:11/1_1", 
"nwparser.p0", "the loader, but the loader is intact%{}"); - - var select161 = linear_select([ - part714, - part715, - ]); - - var all144 = all_match({ - processors: [ - part713, - select161, - ], - on_success: processor_chain([ - dup18, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg419 = msg("00022:11", all144); - - var part716 = match("MESSAGE#417:00022:12/0", "nwparser.payload", "Battery is no%{p0}"); - - var select162 = linear_select([ - dup192, - dup191, - ]); - - var part717 = match("MESSAGE#417:00022:12/2", "nwparser.p0", "functioning properly.%{}"); - - var all145 = all_match({ - processors: [ - part716, - select162, - part717, - ], - on_success: processor_chain([ - dup188, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg420 = msg("00022:12", all145); - - var part718 = match("MESSAGE#418:00022:13", "nwparser.payload", "System's temperature (%{fld2->} Centigrade, %{fld3->} Fahrenheit) is OK now.", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg421 = msg("00022:13", part718); - - var part719 = match("MESSAGE#419:00022:14", "nwparser.payload", "The power supply %{fld2->} is functioning properly. 
(%{fld1})", processor_chain([ - dup44, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg422 = msg("00022:14", part719); - - var select163 = linear_select([ - msg408, - msg409, - msg410, - msg411, - msg412, - msg413, - msg414, - msg415, - msg416, - msg417, - msg418, - msg419, - msg420, - msg421, - msg422, - ]); - - var part720 = match("MESSAGE#420:00023", "nwparser.payload", "VIP server %{hostip->} is not responding", processor_chain([ - dup187, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg423 = msg("00023", part720); - - var part721 = match("MESSAGE#421:00023:01", "nwparser.payload", "VIP/load balance server %{hostip->} cannot be contacted", processor_chain([ - dup187, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg424 = msg("00023:01", part721); - - var part722 = match("MESSAGE#422:00023:02", "nwparser.payload", "VIP server %{hostip->} cannot be contacted", processor_chain([ - dup187, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg425 = msg("00023:02", part722); - - var select164 = linear_select([ - msg423, - msg424, - msg425, - ]); - - var part723 = match("MESSAGE#423:00024/0_0", "nwparser.payload", "The DHCP %{p0}"); - - var part724 = match("MESSAGE#423:00024/0_1", "nwparser.payload", " DHCP %{p0}"); - - var select165 = linear_select([ - part723, - part724, - ]); - - var part725 = match("MESSAGE#423:00024/2_0", "nwparser.p0", "IP address pool has %{p0}"); - - var part726 = match("MESSAGE#423:00024/2_1", "nwparser.p0", "options have been %{p0}"); - - var select166 = linear_select([ - part725, - part726, - ]); - - var all146 = all_match({ - processors: [ - select165, - dup193, - select166, - dup52, - dup368, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg426 = msg("00024", all146); - - var part727 = match("MESSAGE#424:00024:01/0_0", "nwparser.payload", "Traffic log %{p0}"); - - var part728 = match("MESSAGE#424:00024:01/0_1", "nwparser.payload", "Alarm log %{p0}"); - - var part729 = 
match("MESSAGE#424:00024:01/0_2", "nwparser.payload", "Event log %{p0}"); - - var part730 = match("MESSAGE#424:00024:01/0_3", "nwparser.payload", "Self log %{p0}"); - - var part731 = match("MESSAGE#424:00024:01/0_4", "nwparser.payload", "Asset Recovery log %{p0}"); - - var select167 = linear_select([ - part727, - part728, - part729, - part730, - part731, - ]); - - var part732 = match("MESSAGE#424:00024:01/1", "nwparser.p0", "has overflowed%{}"); - - var all147 = all_match({ - processors: [ - select167, - part732, - ], - on_success: processor_chain([ - dup117, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg427 = msg("00024:01", all147); - - var part733 = match("MESSAGE#425:00024:02/0", "nwparser.payload", "DHCP relay agent settings on %{fld2->} %{p0}"); - - var part734 = match("MESSAGE#425:00024:02/1_0", "nwparser.p0", "are %{p0}"); - - var part735 = match("MESSAGE#425:00024:02/1_1", "nwparser.p0", "have been %{p0}"); - - var select168 = linear_select([ - part734, - part735, - ]); - - var part736 = match("MESSAGE#425:00024:02/2", "nwparser.p0", "%{disposition->} (%{fld1})"); - - var all148 = all_match({ - processors: [ - part733, - select168, - part736, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg428 = msg("00024:02", all148); - - var part737 = match("MESSAGE#426:00024:03/0", "nwparser.payload", "DHCP server IP address pool %{p0}"); - - var select169 = linear_select([ - dup194, - dup106, - ]); - - var part738 = match("MESSAGE#426:00024:03/2", "nwparser.p0", "changed. 
(%{fld1})"); - - var all149 = all_match({ - processors: [ - part737, - select169, - part738, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg429 = msg("00024:03", all149); - - var select170 = linear_select([ - msg426, - msg427, - msg428, - msg429, - ]); - - var part739 = match("MESSAGE#427:00025", "nwparser.payload", "The DHCP server IP address pool has changed%{}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg430 = msg("00025", part739); - - var part740 = match("MESSAGE#428:00025:01", "nwparser.payload", "PKI: The current device %{disposition->} to save the certificate authority configuration.", processor_chain([ - dup86, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg431 = msg("00025:01", part740); - - var part741 = match("MESSAGE#429:00025:02", "nwparser.payload", "%{disposition->} to send the X509 request file via e-mail", processor_chain([ - dup86, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg432 = msg("00025:02", part741); - - var part742 = match("MESSAGE#430:00025:03", "nwparser.payload", "%{disposition->} to save the CA configuration", processor_chain([ - dup86, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg433 = msg("00025:03", part742); - - var part743 = match("MESSAGE#431:00025:04", "nwparser.payload", "Cannot load more X509 certificates. The %{result}", processor_chain([ - dup86, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg434 = msg("00025:04", part743); - - var select171 = linear_select([ - msg430, - msg431, - msg432, - msg433, - msg434, - ]); - - var part744 = match("MESSAGE#432:00026", "nwparser.payload", "%{signame->} have been detected! 
From %{saddr}:%{sport->} to %{daddr}:%{dport->} using protocol %{protocol->} on interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([ - dup58, - dup2, - dup3, - dup59, - dup4, - dup5, - dup61, - ])); - - var msg435 = msg("00026", part744); - - var part745 = match("MESSAGE#433:00026:13", "nwparser.payload", "%{signame->} have been detected! From %{saddr}:%{sport->} to %{daddr}:%{dport}, using protocol %{protocol}, on interface %{interface}", processor_chain([ - dup58, - dup2, - dup3, - dup4, - dup5, - dup61, - ])); - - var msg436 = msg("00026:13", part745); - - var part746 = match("MESSAGE#434:00026:01/2", "nwparser.p0", "PKA key has been %{p0}"); - - var part747 = match("MESSAGE#434:00026:01/4", "nwparser.p0", "admin user %{administrator}. (Key ID = %{fld2})"); - - var all150 = all_match({ - processors: [ - dup195, - dup370, - part746, - dup371, - part747, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg437 = msg("00026:01", all150); - - var part748 = match("MESSAGE#435:00026:02/1_0", "nwparser.p0", ": SCS %{p0}"); - - var select172 = linear_select([ - part748, - dup96, - ]); - - var part749 = match("MESSAGE#435:00026:02/2", "nwparser.p0", "has been %{disposition->} for %{p0}"); - - var part750 = match("MESSAGE#435:00026:02/3_0", "nwparser.p0", "root system %{p0}"); - - var part751 = match("MESSAGE#435:00026:02/3_1", "nwparser.p0", "%{interface->} %{p0}"); - - var select173 = linear_select([ - part750, - part751, - ]); - - var all151 = all_match({ - processors: [ - dup195, - select172, - part749, - select173, - dup116, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg438 = msg("00026:02", all151); - - var part752 = match("MESSAGE#436:00026:03/2", "nwparser.p0", "%{change_attribute->} has been changed from %{change_old->} to %{change_new}"); - - var all152 = all_match({ - processors: [ - dup195, - dup370, - part752, - ], 
- on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg439 = msg("00026:03", all152); - - var part753 = match("MESSAGE#437:00026:04", "nwparser.payload", "SCS: Connection has been terminated for admin user %{administrator->} at %{hostip}:%{network_port}", processor_chain([ - dup198, - dup2, - dup4, - dup5, - dup3, - ])); - - var msg440 = msg("00026:04", part753); - - var part754 = match("MESSAGE#438:00026:05", "nwparser.payload", "SCS: Host client has requested NO cipher from %{interface}", processor_chain([ - dup198, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg441 = msg("00026:05", part754); - - var part755 = match("MESSAGE#439:00026:06", "nwparser.payload", "SCS: SSH user %{username->} has been authenticated using PKA RSA from %{saddr}:%{sport}. (key-ID=%{fld2}", processor_chain([ - dup199, - dup29, - dup30, - dup31, - dup32, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg442 = msg("00026:06", part755); - - var part756 = match("MESSAGE#440:00026:07", "nwparser.payload", "SCS: SSH user %{username->} has been authenticated using password from %{saddr}:%{sport}.", processor_chain([ - dup199, - dup29, - dup30, - dup31, - dup32, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg443 = msg("00026:07", part756); - - var part757 = match("MESSAGE#441:00026:08/0", "nwparser.payload", "SSH user %{username->} has been authenticated using %{p0}"); - - var part758 = match("MESSAGE#441:00026:08/2", "nwparser.p0", "from %{saddr}:%{sport->} [ with key ID %{fld2->} ]"); - - var all153 = all_match({ - processors: [ - part757, - dup372, - part758, - ], - on_success: processor_chain([ - dup199, - dup29, - dup30, - dup31, - dup32, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg444 = msg("00026:08", all153); - - var part759 = match("MESSAGE#442:00026:09", "nwparser.payload", "IPSec tunnel on int %{interface->} with tunnel ID %{fld2->} received a packet with a bad SPI.", processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - 
])); - - var msg445 = msg("00026:09", part759); - - var part760 = match("MESSAGE#443:00026:10/0", "nwparser.payload", "SSH: %{p0}"); - - var part761 = match("MESSAGE#443:00026:10/1_0", "nwparser.p0", "Failed %{p0}"); - - var part762 = match("MESSAGE#443:00026:10/1_1", "nwparser.p0", "Attempt %{p0}"); - - var select174 = linear_select([ - part761, - part762, - ]); - - var part763 = match("MESSAGE#443:00026:10/3_0", "nwparser.p0", "bind duplicate %{p0}"); - - var select175 = linear_select([ - part763, - dup201, - ]); - - var part764 = match("MESSAGE#443:00026:10/6", "nwparser.p0", "admin user '%{administrator}' (Key ID %{fld2})"); - - var all154 = all_match({ - processors: [ - part760, - select174, - dup103, - select175, - dup202, - dup373, - part764, - ], - on_success: processor_chain([ - dup203, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg446 = msg("00026:10", all154); - - var part765 = match("MESSAGE#444:00026:11", "nwparser.payload", "SSH: Maximum number of PKA keys (%{fld2}) has been bound to user '%{username}' Key not bound. (Key ID %{fld3})", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg447 = msg("00026:11", part765); - - var part766 = match("MESSAGE#445:00026:12", "nwparser.payload", "IKE %{fld2}: Missing heartbeats have exceeded the threshold. 
All Phase 1 and 2 SAs have been removed", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg448 = msg("00026:12", part766); - - var select176 = linear_select([ - msg435, - msg436, - msg437, - msg438, - msg439, - msg440, - msg441, - msg442, - msg443, - msg444, - msg445, - msg446, - msg447, - msg448, - ]); - - var part767 = match("MESSAGE#446:00027/2", "nwparser.p0", "user %{username->} from %{p0}"); - - var part768 = match("MESSAGE#446:00027/3_0", "nwparser.p0", "IP address %{saddr}:%{sport}"); - - var part769 = match("MESSAGE#446:00027/3_1", "nwparser.p0", "%{saddr}:%{sport}"); - - var part770 = match("MESSAGE#446:00027/3_2", "nwparser.p0", "console%{}"); - - var select177 = linear_select([ - part768, - part769, - part770, - ]); - - var all155 = all_match({ - processors: [ - dup204, - dup374, - part767, - select177, - ], - on_success: processor_chain([ - dup206, - dup30, - dup31, - dup54, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg449 = msg("00027", all155); - - var part771 = match("MESSAGE#447:00027:01", "nwparser.payload", "%{change_attribute->} has been restored from %{change_old->} to default port %{change_new}. %{info}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg450 = msg("00027:01", part771); - - var part772 = match("MESSAGE#448:00027:02", "nwparser.payload", "%{change_attribute->} has been restored from %{change_old->} to %{change_new}. %{info}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg451 = msg("00027:02", part772); - - var part773 = match("MESSAGE#449:00027:03", "nwparser.payload", "%{change_attribute->} has been changed from %{change_old->} to port %{change_new}. 
%{info}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg452 = msg("00027:03", part773); - - var part774 = match("MESSAGE#450:00027:04", "nwparser.payload", "%{change_attribute->} has been changed from %{change_old->} to port %{change_new}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg453 = msg("00027:04", part774); - - var part775 = match("MESSAGE#451:00027:05/0", "nwparser.payload", "ScreenOS %{version->} %{p0}"); - - var part776 = match("MESSAGE#451:00027:05/1_0", "nwparser.p0", "Serial %{p0}"); - - var part777 = match("MESSAGE#451:00027:05/1_1", "nwparser.p0", "serial %{p0}"); - - var select178 = linear_select([ - part776, - part777, - ]); - - var part778 = match("MESSAGE#451:00027:05/2", "nwparser.p0", "# %{fld2}: Asset recovery %{p0}"); - - var part779 = match("MESSAGE#451:00027:05/3_0", "nwparser.p0", "performed %{p0}"); - - var select179 = linear_select([ - part779, - dup127, - ]); - - var select180 = linear_select([ - dup207, - dup208, - ]); - - var all156 = all_match({ - processors: [ - part775, - select178, - part778, - select179, - dup23, - select180, - ], - on_success: processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg454 = msg("00027:05", all156); - - var part780 = match("MESSAGE#452:00027:06/0", "nwparser.payload", "Device Reset (Asset Recovery) has been %{p0}"); - - var select181 = linear_select([ - dup208, - dup207, - ]); - - var all157 = all_match({ - processors: [ - part780, - select181, - ], - on_success: processor_chain([ - setc("eventcategory","1606000000"), - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg455 = msg("00027:06", all157); - - var part781 = match("MESSAGE#453:00027:07", "nwparser.payload", "%{change_attribute->} has been changed from %{change_old->} to %{change_new}. 
%{info}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg456 = msg("00027:07", part781); - - var part782 = match("MESSAGE#454:00027:08", "nwparser.payload", "System configuration has been erased%{}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg457 = msg("00027:08", part782); - - var part783 = match("MESSAGE#455:00027:09", "nwparser.payload", "License key %{fld2->} is due to expire in %{fld3}.", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg458 = msg("00027:09", part783); - - var part784 = match("MESSAGE#456:00027:10", "nwparser.payload", "License key %{fld2->} has expired.", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg459 = msg("00027:10", part784); - - var part785 = match("MESSAGE#457:00027:11", "nwparser.payload", "License key %{fld2->} expired after 30-day grace period.", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg460 = msg("00027:11", part785); - - var part786 = match("MESSAGE#458:00027:12/0", "nwparser.payload", "Request to retrieve license key failed to reach %{p0}"); - - var part787 = match("MESSAGE#458:00027:12/1_0", "nwparser.p0", "the server %{p0}"); - - var select182 = linear_select([ - part787, - dup193, - ]); - - var part788 = match("MESSAGE#458:00027:12/2", "nwparser.p0", "by %{fld2}. 
Server url: %{url}"); - - var all158 = all_match({ - processors: [ - part786, - select182, - part788, - ], - on_success: processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg461 = msg("00027:12", all158); - - var part789 = match("MESSAGE#459:00027:13/2", "nwparser.p0", "user %{username}"); - - var all159 = all_match({ - processors: [ - dup204, - dup374, - part789, - ], - on_success: processor_chain([ - dup206, - dup30, - dup31, - dup54, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg462 = msg("00027:13", all159); - - var part790 = match("MESSAGE#460:00027:14/0", "nwparser.payload", "Configuration Erasure Process %{p0}"); - - var part791 = match("MESSAGE#460:00027:14/1_0", "nwparser.p0", "has been initiated %{p0}"); - - var part792 = match("MESSAGE#460:00027:14/1_1", "nwparser.p0", "aborted %{p0}"); - - var select183 = linear_select([ - part791, - part792, - ]); - - var part793 = match("MESSAGE#460:00027:14/2", "nwparser.p0", ".%{space}(%{fld1})"); - - var all160 = all_match({ - processors: [ - part790, - select183, - part793, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg463 = msg("00027:14", all160); - - var part794 = match("MESSAGE#461:00027:15", "nwparser.payload", "Waiting for 2nd confirmation. 
(%{fld1})", processor_chain([ - dup44, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg464 = msg("00027:15", part794); - - var part795 = match("MESSAGE#1220:00027:16", "nwparser.payload", "Admin %{fld3->} policy id %{policy_id->} name \"%{fld2->} has been re-enabled by NetScreen system after being locked due to excessive failed login attempts (%{fld1})", processor_chain([ - dup44, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg465 = msg("00027:16", part795); - - var part796 = match("MESSAGE#1225:00027:17", "nwparser.payload", "Admin %{username->} is locked and will be unlocked after %{duration->} minutes (%{fld1})", processor_chain([ - dup44, - dup2, - dup4, - dup5, - dup9, - ])); - - var msg466 = msg("00027:17", part796); - - var part797 = match("MESSAGE#1226:00027:18", "nwparser.payload", "Login attempt by admin %{username->} from %{saddr->} is refused as this account is locked (%{fld1})", processor_chain([ - dup44, - dup2, - dup4, - dup5, - dup9, - ])); - - var msg467 = msg("00027:18", part797); - - var part798 = match("MESSAGE#1227:00027:19", "nwparser.payload", "Admin %{username->} has been re-enabled by NetScreen system after being locked due to excessive failed login attempts (%{fld1})", processor_chain([ - dup44, - dup2, - dup4, - dup5, - dup9, - ])); - - var msg468 = msg("00027:19", part798); - - var select184 = linear_select([ - msg449, - msg450, - msg451, - msg452, - msg453, - msg454, - msg455, - msg456, - msg457, - msg458, - msg459, - msg460, - msg461, - msg462, - msg463, - msg464, - msg465, - msg466, - msg467, - msg468, - ]); - - var part799 = match("MESSAGE#462:00028/0_0", "nwparser.payload", "An Intruder%{p0}"); - - var part800 = match("MESSAGE#462:00028/0_1", "nwparser.payload", "Intruder%{p0}"); - - var part801 = match("MESSAGE#462:00028/0_2", "nwparser.payload", "An intruter%{p0}"); - - var select185 = linear_select([ - part799, - part800, - part801, - ]); - - var part802 = match("MESSAGE#462:00028/1", "nwparser.p0", "%{}has 
attempted to connect to the NetScreen-Global PRO port! From %{saddr}:%{sport->} to %{daddr}:%{dport->} using protocol %{protocol->} at interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times"); - - var all161 = all_match({ - processors: [ - select185, - part802, - ], - on_success: processor_chain([ - dup58, - dup2, - dup59, - dup3, - dup4, - dup5, - dup61, - setc("signame","Attempt to Connect to the NetScreen-Global Port"), - ]), - }); - - var msg469 = msg("00028", all161); - - var part803 = match("MESSAGE#463:00029", "nwparser.payload", "DNS has been refreshed%{}", processor_chain([ - dup209, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg470 = msg("00029", part803); - - var part804 = match("MESSAGE#464:00029:01", "nwparser.payload", "DHCP file write: out of memory.%{}", processor_chain([ - dup184, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg471 = msg("00029:01", part804); - - var part805 = match("MESSAGE#465:00029:02/0", "nwparser.payload", "The DHCP process cannot open file %{fld2->} to %{p0}"); - - var part806 = match("MESSAGE#465:00029:02/1_0", "nwparser.p0", "read %{p0}"); - - var part807 = match("MESSAGE#465:00029:02/1_1", "nwparser.p0", "write %{p0}"); - - var select186 = linear_select([ - part806, - part807, - ]); - - var part808 = match("MESSAGE#465:00029:02/2", "nwparser.p0", "data.%{}"); - - var all162 = all_match({ - processors: [ - part805, - select186, - part808, - ], - on_success: processor_chain([ - dup117, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg472 = msg("00029:02", all162); - - var part809 = match("MESSAGE#466:00029:03/2", "nwparser.p0", "%{} %{interface->} is full. 
Unable to %{p0}"); - - var part810 = match("MESSAGE#466:00029:03/3_0", "nwparser.p0", "commit %{p0}"); - - var part811 = match("MESSAGE#466:00029:03/3_1", "nwparser.p0", "offer %{p0}"); - - var select187 = linear_select([ - part810, - part811, - ]); - - var part812 = match("MESSAGE#466:00029:03/4", "nwparser.p0", "IP address to client at %{fld2}"); - - var all163 = all_match({ - processors: [ - dup210, - dup337, - part809, - select187, - part812, - ], - on_success: processor_chain([ - dup117, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg473 = msg("00029:03", all163); - - var part813 = match("MESSAGE#467:00029:04", "nwparser.payload", "DHCP server set to OFF on %{interface->} (another server found on %{hostip}).", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg474 = msg("00029:04", part813); - - var select188 = linear_select([ - msg470, - msg471, - msg472, - msg473, - msg474, - ]); - - var part814 = match("MESSAGE#468:00030", "nwparser.payload", "CA configuration is invalid%{}", processor_chain([ - dup18, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg475 = msg("00030", part814); - - var part815 = match("MESSAGE#469:00030:01/0", "nwparser.payload", "DSS checking of CRLs has been changed from %{p0}"); - - var part816 = match("MESSAGE#469:00030:01/1_0", "nwparser.p0", "0 to 1%{}"); - - var part817 = match("MESSAGE#469:00030:01/1_1", "nwparser.p0", "1 to 0%{}"); - - var select189 = linear_select([ - part816, - part817, - ]); - - var all164 = all_match({ - processors: [ - part815, - select189, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg476 = msg("00030:01", all164); - - var part818 = match("MESSAGE#470:00030:05", "nwparser.payload", "For the X509 certificate %{change_attribute->} has been changed from %{change_old->} to %{change_new}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg477 = msg("00030:05", part818); - - var part819 = 
match("MESSAGE#471:00030:06", "nwparser.payload", "In the X509 certificate request the %{fld2->} field has been changed from %{fld3}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg478 = msg("00030:06", part819); - - var part820 = match("MESSAGE#472:00030:07", "nwparser.payload", "RA X509 certificate cannot be loaded%{}", processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg479 = msg("00030:07", part820); - - var part821 = match("MESSAGE#473:00030:10", "nwparser.payload", "Self-signed X509 certificate cannot be generated%{}", processor_chain([ - dup86, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg480 = msg("00030:10", part821); - - var part822 = match("MESSAGE#474:00030:12", "nwparser.payload", "The public key for ScreenOS image has successfully been updated%{}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg481 = msg("00030:12", part822); - - var part823 = match("MESSAGE#475:00030:13/0", "nwparser.payload", "The public key used for ScreenOS image authentication cannot be %{p0}"); - - var part824 = match("MESSAGE#475:00030:13/1_0", "nwparser.p0", "decoded%{}"); - - var part825 = match("MESSAGE#475:00030:13/1_1", "nwparser.p0", "loaded%{}"); - - var select190 = linear_select([ - part824, - part825, - ]); - - var all165 = all_match({ - processors: [ - part823, - select190, - ], - on_success: processor_chain([ - dup35, - dup31, - dup39, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg482 = msg("00030:13", all165); - - var part826 = match("MESSAGE#476:00030:14/1_0", "nwparser.p0", "CA IDENT %{p0}"); - - var part827 = match("MESSAGE#476:00030:14/1_1", "nwparser.p0", "Challenge password %{p0}"); - - var part828 = match("MESSAGE#476:00030:14/1_2", "nwparser.p0", "CA CGI URL %{p0}"); - - var part829 = match("MESSAGE#476:00030:14/1_3", "nwparser.p0", "RA CGI URL %{p0}"); - - var select191 = linear_select([ - part826, - part827, - part828, - part829, - ]); - - var part830 = 
match("MESSAGE#476:00030:14/2", "nwparser.p0", "for SCEP %{p0}"); - - var part831 = match("MESSAGE#476:00030:14/3_0", "nwparser.p0", "requests %{p0}"); - - var select192 = linear_select([ - part831, - dup16, - ]); - - var part832 = match("MESSAGE#476:00030:14/4", "nwparser.p0", "has been changed from %{change_old->} to %{change_new}"); - - var all166 = all_match({ - processors: [ - dup55, - select191, - part830, - select192, - part832, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg483 = msg("00030:14", all166); - - var msg484 = msg("00030:02", dup375); - - var part833 = match("MESSAGE#478:00030:15", "nwparser.payload", "X509 certificate for ScreenOS image authentication is invalid%{}", processor_chain([ - dup35, - dup211, - dup31, - dup39, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg485 = msg("00030:15", part833); - - var part834 = match("MESSAGE#479:00030:16", "nwparser.payload", "X509 certificate has been deleted%{}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg486 = msg("00030:16", part834); - - var part835 = match("MESSAGE#480:00030:18", "nwparser.payload", "PKI CRL: no revoke info accept per config DN %{interface}.", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg487 = msg("00030:18", part835); - - var part836 = match("MESSAGE#481:00030:19/0", "nwparser.payload", "PKI: A configurable item %{change_attribute->} %{p0}"); - - var part837 = match("MESSAGE#481:00030:19/1_0", "nwparser.p0", "mode %{p0}"); - - var part838 = match("MESSAGE#481:00030:19/1_1", "nwparser.p0", "field%{p0}"); - - var select193 = linear_select([ - part837, - part838, - ]); - - var part839 = match("MESSAGE#481:00030:19/2", "nwparser.p0", "%{}has changed from %{change_old->} to %{change_new}"); - - var all167 = all_match({ - processors: [ - part836, - select193, - part839, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var 
msg488 = msg("00030:19", all167); - - var part840 = match("MESSAGE#482:00030:30", "nwparser.payload", "PKI: NSRP cold sync start for total of %{fld2->} items.", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg489 = msg("00030:30", part840); - - var part841 = match("MESSAGE#483:00030:31", "nwparser.payload", "PKI: NSRP sync received cold sync item %{fld2->} out of order expect %{fld3->} of %{fld4}.", processor_chain([ - dup86, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg490 = msg("00030:31", part841); - - var part842 = match("MESSAGE#484:00030:32", "nwparser.payload", "PKI: NSRP sync received cold sync item %{fld2->} without first item.", processor_chain([ - dup86, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg491 = msg("00030:32", part842); - - var part843 = match("MESSAGE#485:00030:33", "nwparser.payload", "PKI: NSRP sync received normal item during cold sync.%{}", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg492 = msg("00030:33", part843); - - var part844 = match("MESSAGE#486:00030:34", "nwparser.payload", "PKI: The CRL %{policy_id->} is deleted.", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg493 = msg("00030:34", part844); - - var part845 = match("MESSAGE#487:00030:35", "nwparser.payload", "PKI: The NSRP high availability synchronization %{fld2->} failed.", processor_chain([ - dup86, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg494 = msg("00030:35", part845); - - var part846 = match("MESSAGE#488:00030:36", "nwparser.payload", "PKI: The %{change_attribute->} has changed from %{change_old->} to %{change_new}.", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg495 = msg("00030:36", part846); - - var part847 = match("MESSAGE#489:00030:37", "nwparser.payload", "PKI: The X.509 certificate for the ScreenOS image authentication is invalid.%{}", processor_chain([ - dup35, - dup211, - dup31, - dup39, - dup2, - dup3, - dup4, - dup5, - ])); - 
- var msg496 = msg("00030:37", part847); - - var part848 = match("MESSAGE#490:00030:38", "nwparser.payload", "PKI: The X.509 local certificate cannot be sync to vsd member.%{}", processor_chain([ - dup35, - dup211, - dup31, - dup39, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg497 = msg("00030:38", part848); - - var part849 = match("MESSAGE#491:00030:39/0", "nwparser.payload", "PKI: The X.509 certificate %{p0}"); - - var part850 = match("MESSAGE#491:00030:39/1_0", "nwparser.p0", "revocation list %{p0}"); - - var select194 = linear_select([ - part850, - dup16, - ]); - - var part851 = match("MESSAGE#491:00030:39/2", "nwparser.p0", "cannot be loaded during NSRP synchronization.%{}"); - - var all168 = all_match({ - processors: [ - part849, - select194, - part851, - ], - on_success: processor_chain([ - dup35, - dup211, - dup31, - dup39, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg498 = msg("00030:39", all168); - - var part852 = match("MESSAGE#492:00030:17/0", "nwparser.payload", "X509 %{p0}"); - - var part853 = match("MESSAGE#492:00030:17/2", "nwparser.p0", "cannot be loaded%{}"); - - var all169 = all_match({ - processors: [ - part852, - dup376, - part853, - ], - on_success: processor_chain([ - dup35, - dup211, - dup31, - dup39, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg499 = msg("00030:17", all169); - - var part854 = match("MESSAGE#493:00030:40/0", "nwparser.payload", "PKI: The certificate %{fld2->} will expire %{p0}"); - - var part855 = match("MESSAGE#493:00030:40/1_1", "nwparser.p0", "please %{p0}"); - - var select195 = linear_select([ - dup214, - part855, - ]); - - var part856 = match("MESSAGE#493:00030:40/2", "nwparser.p0", "renew.%{}"); - - var all170 = all_match({ - processors: [ - part854, - select195, - part856, - ], - on_success: processor_chain([ - dup35, - dup211, - dup31, - dup39, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg500 = msg("00030:40", all170); - - var part857 = match("MESSAGE#494:00030:41", 
"nwparser.payload", "PKI: The certificate revocation list has expired issued by certificate authority %{fld2}.", processor_chain([ - dup35, - dup211, - dup31, - dup39, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg501 = msg("00030:41", part857); - - var part858 = match("MESSAGE#495:00030:42", "nwparser.payload", "PKI: The configuration content of certificate authority %{fld2->} is not valid.", processor_chain([ - dup35, - dup211, - dup31, - dup39, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg502 = msg("00030:42", part858); - - var part859 = match("MESSAGE#496:00030:43", "nwparser.payload", "PKI: The device cannot allocate this object id number %{fld2}.", processor_chain([ - dup35, - dup211, - dup31, - dup39, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg503 = msg("00030:43", part859); - - var part860 = match("MESSAGE#497:00030:44", "nwparser.payload", "PKI: The device cannot extract the X.509 certificate revocation list [ (CRL) ].%{}", processor_chain([ - dup35, - dup211, - dup31, - dup39, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg504 = msg("00030:44", part860); - - var part861 = match("MESSAGE#498:00030:45", "nwparser.payload", "PKI: The device cannot find the PKI object %{fld2->} during cold sync.", processor_chain([ - dup35, - dup211, - dup31, - dup39, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg505 = msg("00030:45", part861); - - var part862 = match("MESSAGE#499:00030:46", "nwparser.payload", "PKI: The device cannot load X.509 certificate onto the device certificate %{fld2}.", processor_chain([ - dup35, - dup211, - dup31, - dup39, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg506 = msg("00030:46", part862); - - var part863 = match("MESSAGE#500:00030:47", "nwparser.payload", "PKI: The device cannot load a certificate pending SCEP completion.%{}", processor_chain([ - dup35, - dup211, - dup31, - dup39, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg507 = msg("00030:47", part863); - - var part864 = match("MESSAGE#501:00030:48", 
"nwparser.payload", "PKI: The device cannot load an X.509 certificate revocation list (CRL).%{}", processor_chain([ - dup35, - dup211, - dup31, - dup39, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg508 = msg("00030:48", part864); - - var part865 = match("MESSAGE#502:00030:49", "nwparser.payload", "PKI: The device cannot load the CA certificate received through SCEP.%{}", processor_chain([ - dup35, - dup211, - dup31, - dup39, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg509 = msg("00030:49", part865); - - var part866 = match("MESSAGE#503:00030:50", "nwparser.payload", "PKI: The device cannot load the X.509 certificate revocation list (CRL) from the file.%{}", processor_chain([ - dup35, - dup211, - dup31, - dup39, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg510 = msg("00030:50", part866); - - var part867 = match("MESSAGE#504:00030:51", "nwparser.payload", "PKI: The device cannot load the X.509 local certificate received through SCEP.%{}", processor_chain([ - dup35, - dup211, - dup31, - dup39, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg511 = msg("00030:51", part867); - - var part868 = match("MESSAGE#505:00030:52", "nwparser.payload", "PKI: The device cannot load the X.509 %{product->} during boot.", processor_chain([ - dup35, - dup211, - dup31, - dup39, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg512 = msg("00030:52", part868); - - var part869 = match("MESSAGE#506:00030:53", "nwparser.payload", "PKI: The device cannot load the X.509 certificate file.%{}", processor_chain([ - dup35, - dup211, - dup31, - dup39, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg513 = msg("00030:53", part869); - - var part870 = match("MESSAGE#507:00030:54", "nwparser.payload", "PKI: The device completed the coldsync of the PKI object at %{fld2->} attempt.", processor_chain([ - dup44, - dup211, - dup31, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg514 = msg("00030:54", part870); - - var part871 = match("MESSAGE#508:00030:55/0", "nwparser.payload", "PKI: 
The device could not generate %{p0}"); - - var all171 = all_match({ - processors: [ - part871, - dup377, - dup217, - ], - on_success: processor_chain([ - dup35, - dup211, - dup31, - dup39, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg515 = msg("00030:55", all171); - - var part872 = match("MESSAGE#509:00030:56", "nwparser.payload", "PKI: The device detected an invalid RSA key.%{}", processor_chain([ - dup35, - dup211, - dup31, - dup39, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg516 = msg("00030:56", part872); - - var part873 = match("MESSAGE#510:00030:57", "nwparser.payload", "PKI: The device detected an invalid digital signature algorithm (DSA) key.%{}", processor_chain([ - dup35, - dup218, - dup31, - dup39, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg517 = msg("00030:57", part873); - - var part874 = match("MESSAGE#511:00030:58", "nwparser.payload", "PKI: The device failed to coldsync the PKI object at %{fld2->} attempt.", processor_chain([ - dup86, - dup218, - dup31, - dup54, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg518 = msg("00030:58", part874); - - var part875 = match("MESSAGE#512:00030:59", "nwparser.payload", "PKI: The device failed to decode the public key of the image%{quote}s signer certificate.", processor_chain([ - dup35, - dup218, - dup31, - dup54, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg519 = msg("00030:59", part875); - - var part876 = match("MESSAGE#513:00030:60", "nwparser.payload", "PKI: The device failed to install the RSA key.%{}", processor_chain([ - dup35, - dup218, - dup31, - dup54, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg520 = msg("00030:60", part876); - - var part877 = match("MESSAGE#514:00030:61", "nwparser.payload", "PKI: The device failed to retrieve the pending certificate %{fld2}.", processor_chain([ - dup35, - dup211, - dup31, - dup54, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg521 = msg("00030:61", part877); - - var part878 = match("MESSAGE#515:00030:62", "nwparser.payload", 
"PKI: The device failed to save the certificate authority related configuration.%{}", processor_chain([ - dup35, - dup211, - dup31, - dup54, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg522 = msg("00030:62", part878); - - var part879 = match("MESSAGE#516:00030:63", "nwparser.payload", "PKI: The device failed to store the authority configuration.%{}", processor_chain([ - dup18, - dup219, - dup51, - dup54, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg523 = msg("00030:63", part879); - - var part880 = match("MESSAGE#517:00030:64", "nwparser.payload", "PKI: The device failed to synchronize new DSA/RSA key pair to NSRP peer.%{}", processor_chain([ - dup18, - dup218, - dup51, - dup54, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg524 = msg("00030:64", part880); - - var part881 = match("MESSAGE#518:00030:65", "nwparser.payload", "PKI: The device failed to synchronize DSA/RSA key pair to NSRP peer.%{}", processor_chain([ - dup18, - dup218, - dup51, - dup54, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg525 = msg("00030:65", part881); - - var part882 = match("MESSAGE#519:00030:66", "nwparser.payload", "PKI: The device has detected an invalid X.509 object attribute %{fld2}.", processor_chain([ - dup35, - dup211, - dup31, - dup39, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg526 = msg("00030:66", part882); - - var part883 = match("MESSAGE#520:00030:67", "nwparser.payload", "PKI: The device has detected invalid X.509 object content.%{}", processor_chain([ - dup35, - dup211, - dup31, - dup39, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg527 = msg("00030:67", part883); - - var part884 = match("MESSAGE#521:00030:68", "nwparser.payload", "PKI: The device has failed to load an invalid X.509 object.%{}", processor_chain([ - dup35, - dup211, - dup31, - dup39, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg528 = msg("00030:68", part884); - - var part885 = match("MESSAGE#522:00030:69", "nwparser.payload", "PKI: The device is loading the version 0 PKI 
data.%{}", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg529 = msg("00030:69", part885); - - var part886 = match("MESSAGE#523:00030:70/0", "nwparser.payload", "PKI: The device successfully generated a new %{p0}"); - - var all172 = all_match({ - processors: [ - part886, - dup377, - dup217, - ], - on_success: processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg530 = msg("00030:70", all172); - - var part887 = match("MESSAGE#524:00030:71", "nwparser.payload", "PKI: The public key of image%{quote}s signer has been loaded successfully, for future image authentication.", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg531 = msg("00030:71", part887); - - var part888 = match("MESSAGE#525:00030:72", "nwparser.payload", "PKI: The signature of the image%{quote}s signer certificate cannot be verified.", processor_chain([ - dup35, - dup211, - dup31, - dup39, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg532 = msg("00030:72", part888); - - var part889 = match("MESSAGE#526:00030:73/0", "nwparser.payload", "PKI: The %{p0}"); - - var part890 = match("MESSAGE#526:00030:73/1_0", "nwparser.p0", "file name %{p0}"); - - var part891 = match("MESSAGE#526:00030:73/1_1", "nwparser.p0", "friendly name of a certificate %{p0}"); - - var part892 = match("MESSAGE#526:00030:73/1_2", "nwparser.p0", "vsys name %{p0}"); - - var select196 = linear_select([ - part890, - part891, - part892, - ]); - - var part893 = match("MESSAGE#526:00030:73/2", "nwparser.p0", "is too long %{fld2->} to do NSRP synchronization allowed %{fld3}."); - - var all173 = all_match({ - processors: [ - part889, - select196, - part893, - ], - on_success: processor_chain([ - dup35, - dup211, - dup31, - dup39, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg533 = msg("00030:73", all173); - - var part894 = match("MESSAGE#527:00030:74", "nwparser.payload", "PKI: Upgrade from earlier version save to file.%{}", processor_chain([ - dup44, 
- dup2, - dup3, - dup4, - dup5, - ])); - - var msg534 = msg("00030:74", part894); - - var part895 = match("MESSAGE#528:00030:75", "nwparser.payload", "PKI: X.509 certificate has been deleted distinguished name %{username}.", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg535 = msg("00030:75", part895); - - var part896 = match("MESSAGE#529:00030:76/0", "nwparser.payload", "PKI: X.509 %{p0}"); - - var part897 = match("MESSAGE#529:00030:76/2", "nwparser.p0", "file has been loaded successfully filename %{fld2}."); - - var all174 = all_match({ - processors: [ - part896, - dup376, - part897, - ], - on_success: processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg536 = msg("00030:76", all174); - - var part898 = match("MESSAGE#530:00030:77", "nwparser.payload", "PKI: failed to install DSA key.%{}", processor_chain([ - dup18, - dup218, - dup51, - dup54, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg537 = msg("00030:77", part898); - - var part899 = match("MESSAGE#531:00030:78", "nwparser.payload", "PKI: no FQDN available when requesting certificate.%{}", processor_chain([ - dup35, - dup211, - dup220, - dup31, - dup39, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg538 = msg("00030:78", part899); - - var part900 = match("MESSAGE#532:00030:79", "nwparser.payload", "PKI: no cert revocation check per config DN %{username}.", processor_chain([ - dup35, - dup211, - dup220, - dup31, - dup39, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg539 = msg("00030:79", part900); - - var part901 = match("MESSAGE#533:00030:80", "nwparser.payload", "PKI: no nsrp sync for pre 2.5 objects.%{}", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg540 = msg("00030:80", part901); - - var part902 = match("MESSAGE#534:00030:81", "nwparser.payload", "X509 certificate with subject name %{fld2->} is deleted.", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg541 = msg("00030:81", 
part902); - - var part903 = match("MESSAGE#535:00030:82", "nwparser.payload", "create new authcfg for CA %{fld2}", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg542 = msg("00030:82", part903); - - var part904 = match("MESSAGE#536:00030:83", "nwparser.payload", "loadCert: Cannot acquire authcfg for this CA cert %{fld2}.", processor_chain([ - dup35, - dup211, - dup31, - dup39, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg543 = msg("00030:83", part904); - - var part905 = match("MESSAGE#537:00030:84", "nwparser.payload", "upgrade to 4.0 copy authcfg from global.%{}", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg544 = msg("00030:84", part905); - - var part906 = match("MESSAGE#538:00030:85", "nwparser.payload", "System CPU utilization is high (%{fld2->} alarm threshold: %{trigger_val}) %{info}", processor_chain([ - setc("eventcategory","1603080000"), - dup2, - dup3, - dup4, - dup5, - ])); - - var msg545 = msg("00030:85", part906); - - var part907 = match("MESSAGE#539:00030:86/2", "nwparser.p0", "Pair-wise invoked by started after key generation. (%{fld1})"); - - var all175 = all_match({ - processors: [ - dup221, - dup378, - part907, - ], - on_success: processor_chain([ - dup223, - dup2, - dup4, - dup5, - dup9, - ]), - }); - - var msg546 = msg("00030:86", all175); - - var part908 = match("MESSAGE#1214:00030:87", "nwparser.payload", "SYSTEM CPU utilization is high (%{fld2->} > %{fld3->} ) %{fld4->} times in %{fld5->} minute (%{fld1})\u003c\u003c%{fld6}>", processor_chain([ - dup209, - dup2, - dup3, - dup4, - dup5, - dup9, - ])); - - var msg547 = msg("00030:87", part908); - - var part909 = match("MESSAGE#1217:00030:88/2", "nwparser.p0", "Pair-wise invoked by passed. 
(%{fld1})\u003c\u003c%{fld6}>"); - - var all176 = all_match({ - processors: [ - dup221, - dup378, - part909, - ], - on_success: processor_chain([ - dup223, - dup2, - dup4, - dup5, - dup9, - ]), - }); - - var msg548 = msg("00030:88", all176); - - var select197 = linear_select([ - msg475, - msg476, - msg477, - msg478, - msg479, - msg480, - msg481, - msg482, - msg483, - msg484, - msg485, - msg486, - msg487, - msg488, - msg489, - msg490, - msg491, - msg492, - msg493, - msg494, - msg495, - msg496, - msg497, - msg498, - msg499, - msg500, - msg501, - msg502, - msg503, - msg504, - msg505, - msg506, - msg507, - msg508, - msg509, - msg510, - msg511, - msg512, - msg513, - msg514, - msg515, - msg516, - msg517, - msg518, - msg519, - msg520, - msg521, - msg522, - msg523, - msg524, - msg525, - msg526, - msg527, - msg528, - msg529, - msg530, - msg531, - msg532, - msg533, - msg534, - msg535, - msg536, - msg537, - msg538, - msg539, - msg540, - msg541, - msg542, - msg543, - msg544, - msg545, - msg546, - msg547, - msg548, - ]); - - var part910 = match("MESSAGE#540:00031:13", "nwparser.payload", "ARP detected IP conflict: IP address %{hostip->} changed from %{sinterface->} to interface %{dinterface->} (%{fld1})", processor_chain([ - dup121, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg549 = msg("00031:13", part910); - - var part911 = match("MESSAGE#541:00031", "nwparser.payload", "SNMP AuthenTraps have been %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg550 = msg("00031", part911); - - var part912 = match("MESSAGE#542:00031:01", "nwparser.payload", "SNMP VPN has been %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg551 = msg("00031:01", part912); - - var part913 = match("MESSAGE#543:00031:02/0", "nwparser.payload", "SNMP community %{fld2->} attributes-write access %{p0}"); - - var part914 = match("MESSAGE#543:00031:02/2", "nwparser.p0", "; receive traps %{p0}"); - - var part915 = 
match("MESSAGE#543:00031:02/4", "nwparser.p0", "; receive traffic alarms %{p0}"); - - var part916 = match("MESSAGE#543:00031:02/6", "nwparser.p0", "-have been modified%{}"); - - var all177 = all_match({ - processors: [ - part913, - dup379, - part914, - dup379, - part915, - dup379, - part916, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg552 = msg("00031:02", all177); - - var part917 = match("MESSAGE#544:00031:03/0", "nwparser.payload", "%{fld2->} SNMP host %{hostip->} has been %{p0}"); - - var select198 = linear_select([ - dup130, - dup129, - ]); - - var part918 = match("MESSAGE#544:00031:03/2", "nwparser.p0", "SNMP community %{fld3}"); - - var all178 = all_match({ - processors: [ - part917, - select198, - part918, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg553 = msg("00031:03", all178); - - var part919 = match("MESSAGE#545:00031:04/0", "nwparser.payload", "SNMP %{p0}"); - - var part920 = match("MESSAGE#545:00031:04/1_0", "nwparser.p0", "contact %{p0}"); - - var select199 = linear_select([ - part920, - dup226, - ]); - - var part921 = match("MESSAGE#545:00031:04/2", "nwparser.p0", "description has been modified%{}"); - - var all179 = all_match({ - processors: [ - part919, - select199, - part921, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg554 = msg("00031:04", all179); - - var part922 = match("MESSAGE#546:00031:11/0", "nwparser.payload", "SNMP system %{p0}"); - - var select200 = linear_select([ - dup226, - dup25, - ]); - - var part923 = match("MESSAGE#546:00031:11/2", "nwparser.p0", "has been changed to %{fld2}. 
(%{fld1})"); - - var all180 = all_match({ - processors: [ - part922, - select200, - part923, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg555 = msg("00031:11", all180); - - var part924 = match("MESSAGE#547:00031:08/0", "nwparser.payload", "%{fld2}: SNMP community name \"%{fld3}\" %{p0}"); - - var part925 = match("MESSAGE#547:00031:08/1_0", "nwparser.p0", "attributes -- %{p0}"); - - var part926 = match("MESSAGE#547:00031:08/1_1", "nwparser.p0", "-- %{p0}"); - - var select201 = linear_select([ - part925, - part926, - ]); - - var part927 = match("MESSAGE#547:00031:08/2", "nwparser.p0", "write access, %{p0}"); - - var part928 = match("MESSAGE#547:00031:08/4", "nwparser.p0", "; receive traps, %{p0}"); - - var part929 = match("MESSAGE#547:00031:08/6", "nwparser.p0", "; receive traffic alarms, %{p0}"); - - var part930 = match("MESSAGE#547:00031:08/8", "nwparser.p0", "-%{p0}"); - - var part931 = match("MESSAGE#547:00031:08/9_0", "nwparser.p0", "- %{p0}"); - - var select202 = linear_select([ - part931, - dup96, - ]); - - var part932 = match("MESSAGE#547:00031:08/10", "nwparser.p0", "have been modified%{}"); - - var all181 = all_match({ - processors: [ - part924, - select201, - part927, - dup379, - part928, - dup379, - part929, - dup379, - part930, - select202, - part932, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg556 = msg("00031:08", all181); - - var part933 = match("MESSAGE#548:00031:05/0", "nwparser.payload", "Detect IP conflict (%{fld2}) on %{p0}"); - - var all182 = all_match({ - processors: [ - part933, - dup337, - dup227, - ], - on_success: processor_chain([ - dup121, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg557 = msg("00031:05", all182); - - var part934 = match("MESSAGE#549:00031:06/1_0", "nwparser.p0", "q, %{p0}"); - - var select203 = linear_select([ - part934, - dup229, - dup230, - ]); - - var part935 = 
match("MESSAGE#549:00031:06/2", "nwparser.p0", "detect IP conflict ( %{hostip->} )%{p0}"); - - var select204 = linear_select([ - dup105, - dup96, - ]); - - var part936 = match("MESSAGE#549:00031:06/4", "nwparser.p0", "mac%{p0}"); - - var part937 = match("MESSAGE#549:00031:06/6", "nwparser.p0", "%{macaddr->} on %{p0}"); - - var all183 = all_match({ - processors: [ - dup228, - select203, - part935, - select204, - part936, - dup356, - part937, - dup352, - dup23, - dup380, - ], - on_success: processor_chain([ - dup121, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg558 = msg("00031:06", all183); - - var part938 = match("MESSAGE#550:00031:07/2", "nwparser.p0", "detects a duplicate virtual security device group master IP address %{hostip}, MAC address %{macaddr->} on %{p0}"); - - var all184 = all_match({ - processors: [ - dup228, - dup381, - part938, - dup337, - dup227, - ], - on_success: processor_chain([ - dup121, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg559 = msg("00031:07", all184); - - var part939 = match("MESSAGE#551:00031:09/2", "nwparser.p0", "detected an IP conflict (IP %{hostip}, MAC %{macaddr}) on interface %{p0}"); - - var all185 = all_match({ - processors: [ - dup228, - dup381, - part939, - dup380, - ], - on_success: processor_chain([ - dup121, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg560 = msg("00031:09", all185); - - var part940 = match("MESSAGE#552:00031:10", "nwparser.payload", "%{fld2}: SNMP community \"%{fld3}\" has been moved. (%{fld1})", processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg561 = msg("00031:10", part940); - - var part941 = match("MESSAGE#553:00031:12", "nwparser.payload", "%{fld2->} system contact has been changed to %{fld3}. 
(%{fld1})", processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg562 = msg("00031:12", part941); - - var select205 = linear_select([ - msg549, - msg550, - msg551, - msg552, - msg553, - msg554, - msg555, - msg556, - msg557, - msg558, - msg559, - msg560, - msg561, - msg562, - ]); - - var part942 = match("MESSAGE#554:00032", "nwparser.payload", "%{signame->} has been detected and blocked! From %{saddr}:%{sport->} to %{daddr}:%{dport->} using protocol %{protocol->} on interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([ - dup232, - dup2, - dup3, - dup59, - dup4, - dup5, - dup61, - ])); - - var msg563 = msg("00032", part942); - - var part943 = match("MESSAGE#555:00032:01", "nwparser.payload", "%{signame->} has been detected and blocked! From %{saddr}:%{sport->} to %{daddr}:%{dport->} using protocol %{protocol->} on interface %{interface}", processor_chain([ - dup232, - dup2, - dup3, - dup4, - dup5, - dup61, - ])); - - var msg564 = msg("00032:01", part943); - - var part944 = match("MESSAGE#556:00032:03/0", "nwparser.payload", "Vsys %{fld2->} has been %{p0}"); - - var part945 = match("MESSAGE#556:00032:03/1_0", "nwparser.p0", "changed to %{fld3}"); - - var part946 = match("MESSAGE#556:00032:03/1_1", "nwparser.p0", "created%{}"); - - var part947 = match("MESSAGE#556:00032:03/1_2", "nwparser.p0", "deleted%{}"); - - var part948 = match("MESSAGE#556:00032:03/1_3", "nwparser.p0", "removed%{}"); - - var select206 = linear_select([ - part945, - part946, - part947, - part948, - ]); - - var all186 = all_match({ - processors: [ - part944, - select206, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg565 = msg("00032:03", all186); - - var part949 = match("MESSAGE#557:00032:04", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to %{daddr}:%{dport->} using protocol %{protocol->} on interface %{interface}.%{space}The attack occurred 
%{dclass_counter1->} times", processor_chain([ - dup232, - dup2, - dup3, - dup4, - dup59, - dup5, - dup61, - ])); - - var msg566 = msg("00032:04", part949); - - var part950 = match("MESSAGE#558:00032:05", "nwparser.payload", "%{change_attribute->} for vsys %{fld2->} has been changed from %{change_old->} to %{change_new}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg567 = msg("00032:05", part950); - - var msg568 = msg("00032:02", dup375); - - var select207 = linear_select([ - msg563, - msg564, - msg565, - msg566, - msg567, - msg568, - ]); - - var part951 = match("MESSAGE#560:00033:25", "nwparser.payload", "NSM has been %{disposition}. (%{fld1})", processor_chain([ - dup44, - dup2, - dup3, - dup9, - dup4, - dup5, - setc("agent","NSM"), - ])); - - var msg569 = msg("00033:25", part951); - - var part952 = match("MESSAGE#561:00033/1", "nwparser.p0", "timeout value has been %{p0}"); - - var part953 = match("MESSAGE#561:00033/2_1", "nwparser.p0", "returned%{p0}"); - - var select208 = linear_select([ - dup52, - part953, - ]); - - var part954 = match("MESSAGE#561:00033/3", "nwparser.p0", "%{}to %{fld2}"); - - var all187 = all_match({ - processors: [ - dup382, - part952, - select208, - part954, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg570 = msg("00033", all187); - - var part955 = match("MESSAGE#562:00033:03/1_0", "nwparser.p0", "Global PRO %{p0}"); - - var part956 = match("MESSAGE#562:00033:03/1_1", "nwparser.p0", "%{fld3->} %{p0}"); - - var select209 = linear_select([ - part955, - part956, - ]); - - var part957 = match("MESSAGE#562:00033:03/4", "nwparser.p0", "host has been set to %{fld4}"); - - var all188 = all_match({ - processors: [ - dup160, - select209, - dup23, - dup369, - part957, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg571 = msg("00033:03", all188); - - var part958 = match("MESSAGE#563:00033:02/3", "nwparser.p0", "host 
has been %{disposition}"); - - var all189 = all_match({ - processors: [ - dup382, - dup23, - dup369, - part958, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg572 = msg("00033:02", all189); - - var part959 = match("MESSAGE#564:00033:04", "nwparser.payload", "Reporting of %{fld2->} to %{fld3->} has been %{disposition}.", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg573 = msg("00033:04", part959); - - var part960 = match("MESSAGE#565:00033:05", "nwparser.payload", "Global PRO has been %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg574 = msg("00033:05", part960); - - var part961 = match("MESSAGE#566:00033:06", "nwparser.payload", "%{signame}! From %{saddr}:%{sport->} to %{daddr}:%{dport->} using protocol %{protocol->} and arriving at interface %{interface}. The attack occurred %{dclass_counter1->} times", processor_chain([ - dup27, - dup2, - dup3, - dup59, - dup4, - dup5, - dup61, - ])); - - var msg575 = msg("00033:06", part961); - - var part962 = match("MESSAGE#567:00033:01", "nwparser.payload", "%{signame}! From %{saddr}:%{sport->} to %{daddr}:%{dport->} using protocol %{protocol->} and arriving at interface %{interface}. 
The threshold was exceeded %{dclass_counter1->} times", processor_chain([ - dup27, - dup2, - dup3, - setc("dclass_counter1_string","Number of times the threshold was exceeded"), - dup4, - dup5, - dup61, - ])); - - var msg576 = msg("00033:01", part962); - - var part963 = match("MESSAGE#568:00033:07", "nwparser.payload", "User-defined service %{service->} has been %{disposition->} from %{fld2->} distribution", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg577 = msg("00033:07", part963); - - var part964 = match("MESSAGE#569:00033:08/2", "nwparser.p0", "?s CA certificate field has not been specified.%{}"); - - var all190 = all_match({ - processors: [ - dup235, - dup383, - part964, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg578 = msg("00033:08", all190); - - var part965 = match("MESSAGE#570:00033:09/2", "nwparser.p0", "?s Cert-Subject field has not been specified.%{}"); - - var all191 = all_match({ - processors: [ - dup235, - dup383, - part965, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg579 = msg("00033:09", all191); - - var part966 = match("MESSAGE#571:00033:10/2", "nwparser.p0", "?s host field has been %{p0}"); - - var part967 = match("MESSAGE#571:00033:10/3_0", "nwparser.p0", "set to %{fld2->} %{p0}"); - - var select210 = linear_select([ - part967, - dup238, - ]); - - var all192 = all_match({ - processors: [ - dup235, - dup383, - part966, - select210, - dup116, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg580 = msg("00033:10", all192); - - var part968 = match("MESSAGE#572:00033:11/2", "nwparser.p0", "?s outgoing interface used to report NACN to Policy Manager %{p0}"); - - var part969 = match("MESSAGE#572:00033:11/4", "nwparser.p0", "has not been specified.%{}"); - - var all193 = all_match({ - processors: [ - dup235, - dup383, - part968, - dup383, - part969, - ], - 
on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg581 = msg("00033:11", all193); - - var part970 = match("MESSAGE#573:00033:12/2", "nwparser.p0", "?s password field has been %{p0}"); - - var select211 = linear_select([ - dup101, - dup238, - ]); - - var all194 = all_match({ - processors: [ - dup235, - dup383, - part970, - select211, - dup116, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg582 = msg("00033:12", all194); - - var part971 = match("MESSAGE#574:00033:13/2", "nwparser.p0", "?s policy-domain field has been %{p0}"); - - var part972 = match("MESSAGE#574:00033:13/3_0", "nwparser.p0", "unset .%{}"); - - var part973 = match("MESSAGE#574:00033:13/3_1", "nwparser.p0", "set to %{domain}."); - - var select212 = linear_select([ - part972, - part973, - ]); - - var all195 = all_match({ - processors: [ - dup235, - dup383, - part971, - select212, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg583 = msg("00033:13", all195); - - var part974 = match("MESSAGE#575:00033:14/2", "nwparser.p0", "?s CA certificate field has been set to %{fld2}."); - - var all196 = all_match({ - processors: [ - dup235, - dup383, - part974, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg584 = msg("00033:14", all196); - - var part975 = match("MESSAGE#576:00033:15/2", "nwparser.p0", "?s Cert-Subject field has been set to %{fld2}."); - - var all197 = all_match({ - processors: [ - dup235, - dup383, - part975, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg585 = msg("00033:15", all197); - - var part976 = match("MESSAGE#577:00033:16/2", "nwparser.p0", "?s outgoing-interface field has been set to %{interface}."); - - var all198 = all_match({ - processors: [ - dup235, - dup383, - part976, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, 
- dup5, - ]), - }); - - var msg586 = msg("00033:16", all198); - - var part977 = match("MESSAGE#578:00033:17/2", "nwparser.p0", "?s port field has been %{p0}"); - - var part978 = match("MESSAGE#578:00033:17/3_0", "nwparser.p0", "set to %{network_port->} %{p0}"); - - var part979 = match("MESSAGE#578:00033:17/3_1", "nwparser.p0", "reset to the default value %{p0}"); - - var select213 = linear_select([ - part978, - part979, - ]); - - var all199 = all_match({ - processors: [ - dup235, - dup383, - part977, - select213, - dup116, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg587 = msg("00033:17", all199); - - var part980 = match("MESSAGE#579:00033:19/0", "nwparser.payload", "%{signame}! From %{saddr}:%{sport->} to %{daddr}:%{p0}"); - - var part981 = match("MESSAGE#579:00033:19/4", "nwparser.p0", "%{fld99}arriving at interface %{dinterface->} in zone %{dst_zone}.%{space}The attack occurred %{dclass_counter1->} time."); - - var all200 = all_match({ - processors: [ - part980, - dup339, - dup70, - dup340, - part981, - ], - on_success: processor_chain([ - dup27, - dup2, - dup4, - dup5, - dup3, - dup59, - dup61, - ]), - }); - - var msg588 = msg("00033:19", all200); - - var part982 = match("MESSAGE#580:00033:20", "nwparser.payload", "%{signame}! From %{saddr->} to %{daddr}, using protocol %{protocol}, and arriving at interface %{dinterface->} in zone %{dst_zone}.%{space}The attack occurred %{dclass_counter1->} time.", processor_chain([ - dup27, - dup2, - dup4, - dup5, - dup3, - dup59, - dup60, - ])); - - var msg589 = msg("00033:20", part982); - - var all201 = all_match({ - processors: [ - dup239, - dup343, - dup83, - ], - on_success: processor_chain([ - dup27, - dup2, - dup9, - dup59, - dup3, - dup4, - dup5, - dup61, - ]), - }); - - var msg590 = msg("00033:21", all201); - - var part983 = match("MESSAGE#582:00033:22/0", "nwparser.payload", "%{signame}! 
From %{saddr->} to %{daddr}, proto %{protocol->} (zone %{zone->} %{p0}"); - - var all202 = all_match({ - processors: [ - part983, - dup343, - dup83, - ], - on_success: processor_chain([ - dup27, - dup2, - dup9, - dup59, - dup3, - dup4, - dup5, - dup60, - ]), - }); - - var msg591 = msg("00033:22", all202); - - var part984 = match("MESSAGE#583:00033:23", "nwparser.payload", "NSM primary server with name %{hostname->} was set: addr %{hostip}, port %{network_port}. (%{fld1})", processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg592 = msg("00033:23", part984); - - var part985 = match("MESSAGE#584:00033:24", "nwparser.payload", "session threshold From %{saddr}:%{sport->} to %{daddr}:%{dport}, using protocol %{protocol}, on zone %{zone->} interface %{interface}.%{info}. (%{fld1})", processor_chain([ - setc("eventcategory","1001030500"), - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg593 = msg("00033:24", part985); - - var select214 = linear_select([ - msg569, - msg570, - msg571, - msg572, - msg573, - msg574, - msg575, - msg576, - msg577, - msg578, - msg579, - msg580, - msg581, - msg582, - msg583, - msg584, - msg585, - msg586, - msg587, - msg588, - msg589, - msg590, - msg591, - msg592, - msg593, - ]); - - var part986 = match("MESSAGE#585:00034/0_0", "nwparser.payload", "SCS: Failed %{p0}"); - - var part987 = match("MESSAGE#585:00034/0_1", "nwparser.payload", "Failed %{p0}"); - - var select215 = linear_select([ - part986, - part987, - ]); - - var part988 = match("MESSAGE#585:00034/2_0", "nwparser.p0", "bind %{p0}"); - - var part989 = match("MESSAGE#585:00034/2_2", "nwparser.p0", "retrieve %{p0}"); - - var select216 = linear_select([ - part988, - dup201, - part989, - ]); - - var select217 = linear_select([ - dup196, - dup103, - dup163, - ]); - - var part990 = match("MESSAGE#585:00034/5", "nwparser.p0", "SSH user %{username}. 
(Key ID=%{fld2})"); - - var all203 = all_match({ - processors: [ - select215, - dup103, - select216, - dup202, - select217, - part990, - ], - on_success: processor_chain([ - dup240, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg594 = msg("00034", all203); - - var part991 = match("MESSAGE#586:00034:01/0_0", "nwparser.payload", "SCS: Incompatible %{p0}"); - - var part992 = match("MESSAGE#586:00034:01/0_1", "nwparser.payload", "Incompatible %{p0}"); - - var select218 = linear_select([ - part991, - part992, - ]); - - var part993 = match("MESSAGE#586:00034:01/1", "nwparser.p0", "SSH version %{version->} has been received from %{p0}"); - - var part994 = match("MESSAGE#586:00034:01/2_0", "nwparser.p0", "the SSH %{p0}"); - - var select219 = linear_select([ - part994, - dup241, - ]); - - var part995 = match("MESSAGE#586:00034:01/3", "nwparser.p0", "client at %{saddr}:%{sport}"); - - var all204 = all_match({ - processors: [ - select218, - part993, - select219, - part995, - ], - on_success: processor_chain([ - dup240, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg595 = msg("00034:01", all204); - - var part996 = match("MESSAGE#587:00034:02", "nwparser.payload", "Maximum number of SCS sessions %{fld2->} has been reached. Connection request from SSH user %{username->} at %{saddr}:%{sport->} has been %{disposition}", processor_chain([ - dup240, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg596 = msg("00034:02", part996); - - var part997 = match("MESSAGE#588:00034:03/1", "nwparser.p0", "device failed to authenticate the SSH client at %{saddr}:%{sport}"); - - var all205 = all_match({ - processors: [ - dup384, - part997, - ], - on_success: processor_chain([ - dup240, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg597 = msg("00034:03", all205); - - var part998 = match("MESSAGE#589:00034:04", "nwparser.payload", "SCS: NetScreen device failed to generate a PKA RSA challenge for SSH user %{username->} at %{saddr}:%{sport}. 
(Key ID=%{fld2})", processor_chain([ - dup240, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg598 = msg("00034:04", part998); - - var part999 = match("MESSAGE#590:00034:05", "nwparser.payload", "NetScreen device failed to generate a PKA RSA challenge for SSH user %{username}. (Key ID=%{fld2})", processor_chain([ - dup240, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg599 = msg("00034:05", part999); - - var part1000 = match("MESSAGE#591:00034:06/1", "nwparser.p0", "device failed to %{p0}"); - - var part1001 = match("MESSAGE#591:00034:06/2_0", "nwparser.p0", "identify itself %{p0}"); - - var part1002 = match("MESSAGE#591:00034:06/2_1", "nwparser.p0", "send the identification string %{p0}"); - - var select220 = linear_select([ - part1001, - part1002, - ]); - - var part1003 = match("MESSAGE#591:00034:06/3", "nwparser.p0", "to the SSH client at %{saddr}:%{sport}"); - - var all206 = all_match({ - processors: [ - dup384, - part1000, - select220, - part1003, - ], - on_success: processor_chain([ - dup240, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg600 = msg("00034:06", all206); - - var part1004 = match("MESSAGE#592:00034:07", "nwparser.payload", "SCS connection has been terminated for admin user %{username->} at %{saddr}:%{sport}", processor_chain([ - dup240, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg601 = msg("00034:07", part1004); - - var part1005 = match("MESSAGE#593:00034:08", "nwparser.payload", "SCS: SCS has been %{disposition->} for %{username->} with %{fld2->} existing PKA keys already bound to %{fld3->} SSH users.", processor_chain([ - dup240, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg602 = msg("00034:08", part1005); - - var part1006 = match("MESSAGE#594:00034:09", "nwparser.payload", "SCS has been %{disposition->} for %{username->} with %{fld2->} PKA keys already bound to %{fld3->} SSH users", processor_chain([ - dup240, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg603 = msg("00034:09", part1006); - - var part1007 = 
match("MESSAGE#595:00034:10/2", "nwparser.p0", "%{}client at %{saddr->} has attempted to make an SCS connection to %{p0}"); - - var part1008 = match("MESSAGE#595:00034:10/4", "nwparser.p0", "%{interface->} %{p0}"); - - var part1009 = match("MESSAGE#595:00034:10/5_0", "nwparser.p0", "with%{p0}"); - - var part1010 = match("MESSAGE#595:00034:10/5_1", "nwparser.p0", "at%{p0}"); - - var select221 = linear_select([ - part1009, - part1010, - ]); - - var part1011 = match("MESSAGE#595:00034:10/6", "nwparser.p0", "%{}IP %{hostip->} but %{disposition->} because %{result}"); - - var all207 = all_match({ - processors: [ - dup244, - dup385, - part1007, - dup352, - part1008, - select221, - part1011, - ], - on_success: processor_chain([ - dup240, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg604 = msg("00034:10", all207); - - var part1012 = match("MESSAGE#596:00034:12/2", "nwparser.p0", "%{}client at %{saddr}:%{sport->} has attempted to make an SCS connection to %{p0}"); - - var part1013 = match("MESSAGE#596:00034:12/4", "nwparser.p0", "but %{disposition->} because %{result}"); - - var all208 = all_match({ - processors: [ - dup244, - dup385, - part1012, - dup386, - part1013, - ], - on_success: processor_chain([ - dup240, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg605 = msg("00034:12", all208); - - var part1014 = match("MESSAGE#597:00034:11/2", "nwparser.p0", "%{}client at %{saddr}:%{sport->} has %{disposition->} to make an SCS connection to %{p0}"); - - var part1015 = match("MESSAGE#597:00034:11/4", "nwparser.p0", "because %{result}"); - - var all209 = all_match({ - processors: [ - dup244, - dup385, - part1014, - dup386, - part1015, - ], - on_success: processor_chain([ - dup240, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg606 = msg("00034:11", all209); - - var part1016 = match("MESSAGE#598:00034:15", "nwparser.payload", "SSH client at %{saddr}:%{sport->} has %{disposition->} to make an SCS connection because %{result}", processor_chain([ - dup240, - 
dup2, - dup3, - dup4, - dup5, - ])); - - var msg607 = msg("00034:15", part1016); - - var part1017 = match("MESSAGE#599:00034:18/2", "nwparser.p0", "user %{username->} at %{saddr}:%{sport->} cannot log in via SCS to %{service->} using the shared %{interface->} interface because %{result}"); - - var all210 = all_match({ - processors: [ - dup244, - dup387, - part1017, - ], - on_success: processor_chain([ - dup240, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg608 = msg("00034:18", all210); - - var part1018 = match("MESSAGE#600:00034:20/2", "nwparser.p0", "user %{username->} at %{saddr}:%{sport->} has %{disposition->} the PKA RSA challenge"); - - var all211 = all_match({ - processors: [ - dup244, - dup387, - part1018, - ], - on_success: processor_chain([ - dup240, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg609 = msg("00034:20", all211); - - var part1019 = match("MESSAGE#601:00034:21/2", "nwparser.p0", "user %{username->} at %{saddr}:%{sport->} has requested %{p0}"); - - var part1020 = match("MESSAGE#601:00034:21/4", "nwparser.p0", "authentication which is not %{p0}"); - - var part1021 = match("MESSAGE#601:00034:21/5_0", "nwparser.p0", "supported %{p0}"); - - var select222 = linear_select([ - part1021, - dup156, - ]); - - var part1022 = match("MESSAGE#601:00034:21/6", "nwparser.p0", "for that %{p0}"); - - var part1023 = match("MESSAGE#601:00034:21/7_0", "nwparser.p0", "client%{}"); - - var part1024 = match("MESSAGE#601:00034:21/7_1", "nwparser.p0", "user%{}"); - - var select223 = linear_select([ - part1023, - part1024, - ]); - - var all212 = all_match({ - processors: [ - dup244, - dup387, - part1019, - dup372, - part1020, - select222, - part1022, - select223, - ], - on_success: processor_chain([ - dup240, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg610 = msg("00034:21", all212); - - var part1025 = match("MESSAGE#602:00034:22", "nwparser.payload", "SSH user %{username->} at %{saddr}:%{sport->} has unsuccessfully attempted to log in via SCS 
to vsys %{fld2->} using the shared untrusted interface", processor_chain([ - dup240, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg611 = msg("00034:22", part1025); - - var part1026 = match("MESSAGE#603:00034:23/1_0", "nwparser.p0", "SCS: Unable %{p0}"); - - var part1027 = match("MESSAGE#603:00034:23/1_1", "nwparser.p0", "Unable %{p0}"); - - var select224 = linear_select([ - part1026, - part1027, - ]); - - var part1028 = match("MESSAGE#603:00034:23/2", "nwparser.p0", "to validate cookie from the SSH client at %{saddr}:%{sport}"); - - var all213 = all_match({ - processors: [ - dup160, - select224, - part1028, - ], - on_success: processor_chain([ - dup240, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg612 = msg("00034:23", all213); - - var part1029 = match("MESSAGE#604:00034:24", "nwparser.payload", "AC %{username->} is advertising URL %{fld2}", processor_chain([ - dup240, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg613 = msg("00034:24", part1029); - - var part1030 = match("MESSAGE#605:00034:25", "nwparser.payload", "Message from AC %{username}: %{fld2}", processor_chain([ - dup240, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg614 = msg("00034:25", part1030); - - var part1031 = match("MESSAGE#606:00034:26", "nwparser.payload", "PPPoE Settings changed%{}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg615 = msg("00034:26", part1031); - - var part1032 = match("MESSAGE#607:00034:27", "nwparser.payload", "PPPoE is %{disposition->} on %{interface->} interface", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg616 = msg("00034:27", part1032); - - var part1033 = match("MESSAGE#608:00034:28", "nwparser.payload", "PPPoE%{quote}s session closed by AC", processor_chain([ - dup209, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg617 = msg("00034:28", part1033); - - var part1034 = match("MESSAGE#609:00034:29", "nwparser.payload", "SCS: Disabled for %{username}. 
Attempted connection %{disposition->} from %{saddr}:%{sport}", processor_chain([ - dup240, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg618 = msg("00034:29", part1034); - - var part1035 = match("MESSAGE#610:00034:30", "nwparser.payload", "SCS: %{disposition->} to remove PKA key removed.", processor_chain([ - dup240, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg619 = msg("00034:30", part1035); - - var part1036 = match("MESSAGE#611:00034:31", "nwparser.payload", "SCS: %{disposition->} to retrieve host key", processor_chain([ - dup240, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg620 = msg("00034:31", part1036); - - var part1037 = match("MESSAGE#612:00034:32", "nwparser.payload", "SCS: %{disposition->} to send identification string to client host at %{saddr}:%{sport}.", processor_chain([ - dup240, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg621 = msg("00034:32", part1037); - - var part1038 = match("MESSAGE#613:00034:33", "nwparser.payload", "SCS: Max %{fld2->} sessions reached unabel to accept connection : %{saddr}:%{sport}", processor_chain([ - dup240, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg622 = msg("00034:33", part1038); - - var part1039 = match("MESSAGE#614:00034:34", "nwparser.payload", "SCS: Maximum number for SCS sessions %{fld2->} has been reached. 
Connection request from SSH user at %{saddr}:%{sport->} has been %{disposition}.", processor_chain([ - dup240, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg623 = msg("00034:34", part1039); - - var part1040 = match("MESSAGE#615:00034:35", "nwparser.payload", "SCS: SSH user %{username->} at %{saddr}:%{sport->} has unsuccessfully attempted to log in via SCS to %{service->} using the shared untrusted interface because SCS is disabled on that interface.", processor_chain([ - dup240, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg624 = msg("00034:35", part1040); - - var part1041 = match("MESSAGE#616:00034:36", "nwparser.payload", "SCS: Unsupported cipher type %{fld2->} requested from: %{saddr}:%{sport}", processor_chain([ - dup240, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg625 = msg("00034:36", part1041); - - var part1042 = match("MESSAGE#617:00034:37", "nwparser.payload", "The Point-to-Point Protocol over Ethernet (PPPoE) protocol settings changed%{}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg626 = msg("00034:37", part1042); - - var part1043 = match("MESSAGE#618:00034:38", "nwparser.payload", "SSH: %{disposition->} to retreive PKA key bound to SSH user %{username->} (Key ID %{fld2})", processor_chain([ - dup240, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg627 = msg("00034:38", part1043); - - var part1044 = match("MESSAGE#619:00034:39", "nwparser.payload", "SSH: Error processing packet from host %{saddr->} (Code %{fld2})", processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg628 = msg("00034:39", part1044); - - var part1045 = match("MESSAGE#620:00034:40", "nwparser.payload", "SSH: Device failed to send initialization string to client at %{saddr}", processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg629 = msg("00034:40", part1045); - - var part1046 = match("MESSAGE#621:00034:41/0", "nwparser.payload", "SCP: Admin user '%{administrator}' attempted to transfer file 
%{p0}"); - - var part1047 = match("MESSAGE#621:00034:41/2", "nwparser.p0", "the device with insufficient privilege.%{}"); - - var all214 = all_match({ - processors: [ - part1046, - dup373, - part1047, - ], - on_success: processor_chain([ - dup240, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg630 = msg("00034:41", all214); - - var part1048 = match("MESSAGE#622:00034:42", "nwparser.payload", "SSH: Maximum number of SSH sessions (%{fld2}) exceeded. Connection request from SSH user %{username->} at %{saddr->} denied.", processor_chain([ - dup240, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg631 = msg("00034:42", part1048); - - var part1049 = match("MESSAGE#623:00034:43", "nwparser.payload", "Ethernet driver ran out of rx bd (port %{network_port})", processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg632 = msg("00034:43", part1049); - - var part1050 = match("MESSAGE#1224:00034:44", "nwparser.payload", "Potential replay attack detected on SSH connection initiated from %{saddr}:%{sport->} (%{fld1})", processor_chain([ - dup44, - dup2, - dup4, - dup5, - dup9, - ])); - - var msg633 = msg("00034:44", part1050); - - var select225 = linear_select([ - msg594, - msg595, - msg596, - msg597, - msg598, - msg599, - msg600, - msg601, - msg602, - msg603, - msg604, - msg605, - msg606, - msg607, - msg608, - msg609, - msg610, - msg611, - msg612, - msg613, - msg614, - msg615, - msg616, - msg617, - msg618, - msg619, - msg620, - msg621, - msg622, - msg623, - msg624, - msg625, - msg626, - msg627, - msg628, - msg629, - msg630, - msg631, - msg632, - msg633, - ]); - - var part1051 = match("MESSAGE#624:00035", "nwparser.payload", "PKI Verify Error: %{resultcode}:%{result}", processor_chain([ - dup117, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg634 = msg("00035", part1051); - - var part1052 = match("MESSAGE#625:00035:01", "nwparser.payload", "SSL - Error MessageID in incoming mail - %{fld2}", processor_chain([ - dup117, - dup2, - dup3, - dup4, - 
dup5, - ])); - - var msg635 = msg("00035:01", part1052); - - var part1053 = match("MESSAGE#626:00035:02", "nwparser.payload", "SSL - cipher type %{fld2->} is not allowed in export or firewall only system", processor_chain([ - dup117, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg636 = msg("00035:02", part1053); - - var part1054 = match("MESSAGE#627:00035:03", "nwparser.payload", "SSL CA changed%{}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg637 = msg("00035:03", part1054); - - var part1055 = match("MESSAGE#628:00035:04/0", "nwparser.payload", "SSL Error when retrieve local c%{p0}"); - - var part1056 = match("MESSAGE#628:00035:04/1_0", "nwparser.p0", "a(verify) %{p0}"); - - var part1057 = match("MESSAGE#628:00035:04/1_1", "nwparser.p0", "ert(verify) %{p0}"); - - var part1058 = match("MESSAGE#628:00035:04/1_2", "nwparser.p0", "ert(all) %{p0}"); - - var select226 = linear_select([ - part1056, - part1057, - part1058, - ]); - - var part1059 = match("MESSAGE#628:00035:04/2", "nwparser.p0", ": %{fld2}"); - - var all215 = all_match({ - processors: [ - part1055, - select226, - part1059, - ], - on_success: processor_chain([ - dup117, - dup2, - dup4, - dup5, - dup3, - ]), - }); - - var msg638 = msg("00035:04", all215); - - var part1060 = match("MESSAGE#629:00035:05", "nwparser.payload", "SSL No ssl context. 
Not ready for connections.%{}", processor_chain([ - dup117, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg639 = msg("00035:05", part1060); - - var part1061 = match("MESSAGE#630:00035:06/0", "nwparser.payload", "SSL c%{p0}"); - - var part1062 = match("MESSAGE#630:00035:06/2", "nwparser.p0", "changed to none%{}"); - - var all216 = all_match({ - processors: [ - part1061, - dup388, - part1062, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg640 = msg("00035:06", all216); - - var part1063 = match("MESSAGE#631:00035:07", "nwparser.payload", "SSL cert subject mismatch: %{fld2->} recieved %{fld3->} is expected", processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg641 = msg("00035:07", part1063); - - var part1064 = match("MESSAGE#632:00035:08", "nwparser.payload", "SSL certificate changed%{}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg642 = msg("00035:08", part1064); - - var part1065 = match("MESSAGE#633:00035:09/1_0", "nwparser.p0", "enabled%{}"); - - var select227 = linear_select([ - part1065, - dup92, - ]); - - var all217 = all_match({ - processors: [ - dup253, - select227, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg643 = msg("00035:09", all217); - - var part1066 = match("MESSAGE#634:00035:10/0", "nwparser.payload", "SSL memory allocation fails in process_c%{p0}"); - - var part1067 = match("MESSAGE#634:00035:10/1_0", "nwparser.p0", "a()%{}"); - - var part1068 = match("MESSAGE#634:00035:10/1_1", "nwparser.p0", "ert()%{}"); - - var select228 = linear_select([ - part1067, - part1068, - ]); - - var all218 = all_match({ - processors: [ - part1066, - select228, - ], - on_success: processor_chain([ - dup184, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg644 = msg("00035:10", all218); - - var part1069 = match("MESSAGE#635:00035:11/0", "nwparser.payload", "SSL no ssl c%{p0}"); - - var part1070 = 
match("MESSAGE#635:00035:11/1_0", "nwparser.p0", "a%{}"); - - var part1071 = match("MESSAGE#635:00035:11/1_1", "nwparser.p0", "ert%{}"); - - var select229 = linear_select([ - part1070, - part1071, - ]); - - var all219 = all_match({ - processors: [ - part1069, - select229, - ], - on_success: processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg645 = msg("00035:11", all219); - - var part1072 = match("MESSAGE#636:00035:12/0", "nwparser.payload", "SSL set c%{p0}"); - - var part1073 = match("MESSAGE#636:00035:12/2", "nwparser.p0", "id is invalid %{fld2}"); - - var all220 = all_match({ - processors: [ - part1072, - dup388, - part1073, - ], - on_success: processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg646 = msg("00035:12", all220); - - var part1074 = match("MESSAGE#637:00035:13/1_1", "nwparser.p0", "verify %{p0}"); - - var select230 = linear_select([ - dup101, - part1074, - ]); - - var part1075 = match("MESSAGE#637:00035:13/2", "nwparser.p0", "cert failed. 
Key type is not RSA%{}"); - - var all221 = all_match({ - processors: [ - dup253, - select230, - part1075, - ], - on_success: processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg647 = msg("00035:13", all221); - - var part1076 = match("MESSAGE#638:00035:14", "nwparser.payload", "SSL ssl context init failed%{}", processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg648 = msg("00035:14", part1076); - - var part1077 = match("MESSAGE#639:00035:15/0", "nwparser.payload", "%{change_attribute->} has been changed %{p0}"); - - var part1078 = match("MESSAGE#639:00035:15/1_0", "nwparser.p0", "from %{change_old->} to %{change_new}"); - - var part1079 = match("MESSAGE#639:00035:15/1_1", "nwparser.p0", "to %{fld2}"); - - var select231 = linear_select([ - part1078, - part1079, - ]); - - var all222 = all_match({ - processors: [ - part1077, - select231, - ], - on_success: processor_chain([ - dup184, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg649 = msg("00035:15", all222); - - var part1080 = match("MESSAGE#640:00035:16", "nwparser.payload", "web SSL certificate changed to by %{username->} via web from host %{saddr->} to %{daddr}:%{dport->} %{fld5}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg650 = msg("00035:16", part1080); - - var select232 = linear_select([ - msg634, - msg635, - msg636, - msg637, - msg638, - msg639, - msg640, - msg641, - msg642, - msg643, - msg644, - msg645, - msg646, - msg647, - msg648, - msg649, - msg650, - ]); - - var part1081 = match("MESSAGE#641:00036", "nwparser.payload", "An optional ScreenOS feature has been activated via a software key%{}", processor_chain([ - dup209, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg651 = msg("00036", part1081); - - var part1082 = match("MESSAGE#642:00036:01/0", "nwparser.payload", "%{fld2->} license keys were updated successfully by %{p0}"); - - var part1083 = match("MESSAGE#642:00036:01/1_1", "nwparser.p0", "manual %{p0}"); 
- - var select233 = linear_select([ - dup214, - part1083, - ]); - - var part1084 = match("MESSAGE#642:00036:01/2", "nwparser.p0", "retrieval%{}"); - - var all223 = all_match({ - processors: [ - part1082, - select233, - part1084, - ], - on_success: processor_chain([ - dup254, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg652 = msg("00036:01", all223); - - var select234 = linear_select([ - msg651, - msg652, - ]); - - var part1085 = match("MESSAGE#643:00037/0", "nwparser.payload", "Intra-zone block for zone %{zone->} was set to o%{p0}"); - - var part1086 = match("MESSAGE#643:00037/1_0", "nwparser.p0", "n%{}"); - - var part1087 = match("MESSAGE#643:00037/1_1", "nwparser.p0", "ff%{}"); - - var select235 = linear_select([ - part1086, - part1087, - ]); - - var all224 = all_match({ - processors: [ - part1085, - select235, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg653 = msg("00037", all224); - - var part1088 = match("MESSAGE#644:00037:01/0", "nwparser.payload", "New zone %{zone->} ( %{p0}"); - - var select236 = linear_select([ - dup255, - dup256, - ]); - - var part1089 = match("MESSAGE#644:00037:01/2", "nwparser.p0", "%{fld2}) was created.%{p0}"); - - var all225 = all_match({ - processors: [ - part1088, - select236, - part1089, - dup351, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg654 = msg("00037:01", all225); - - var part1090 = match("MESSAGE#645:00037:02", "nwparser.payload", "Tunnel zone %{src_zone->} was bound to out zone %{dst_zone}.", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg655 = msg("00037:02", part1090); - - var part1091 = match("MESSAGE#646:00037:03/1_0", "nwparser.p0", "was was %{p0}"); - - var part1092 = match("MESSAGE#646:00037:03/1_1", "nwparser.p0", "%{zone->} was %{p0}"); - - var select237 = linear_select([ - part1091, - part1092, - ]); - - var part1093 = match("MESSAGE#646:00037:03/3", 
"nwparser.p0", "virtual router %{p0}"); - - var part1094 = match("MESSAGE#646:00037:03/4_0", "nwparser.p0", "%{node->} (%{fld1})"); - - var part1095 = match("MESSAGE#646:00037:03/4_1", "nwparser.p0", "%{node}."); - - var select238 = linear_select([ - part1094, - part1095, - ]); - - var all226 = all_match({ - processors: [ - dup113, - select237, - dup371, - part1093, - select238, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg656 = msg("00037:03", all226); - - var part1096 = match("MESSAGE#647:00037:04", "nwparser.payload", "Zone %{zone->} was changed to non-shared.", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg657 = msg("00037:04", part1096); - - var part1097 = match("MESSAGE#648:00037:05/0", "nwparser.payload", "Zone %{zone->} ( %{p0}"); - - var select239 = linear_select([ - dup256, - dup255, - ]); - - var part1098 = match("MESSAGE#648:00037:05/2", "nwparser.p0", "%{fld2}) was deleted. %{p0}"); - - var part1099 = match_copy("MESSAGE#648:00037:05/3_1", "nwparser.p0", "space"); - - var select240 = linear_select([ - dup10, - part1099, - ]); - - var all227 = all_match({ - processors: [ - part1097, - select239, - part1098, - select240, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg658 = msg("00037:05", all227); - - var part1100 = match("MESSAGE#649:00037:06", "nwparser.payload", "IP/TCP reassembly for ALG was %{disposition->} on zone %{zone}.", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg659 = msg("00037:06", part1100); - - var select241 = linear_select([ - msg653, - msg654, - msg655, - msg656, - msg657, - msg658, - msg659, - ]); - - var part1101 = match("MESSAGE#650:00038/0", "nwparser.payload", "OSPF routing instance in vrouter %{p0}"); - - var part1102 = match("MESSAGE#650:00038/1_0", "nwparser.p0", "%{node->} is %{p0}"); - - var part1103 = match("MESSAGE#650:00038/1_1", 
"nwparser.p0", "%{node->} %{p0}"); - - var select242 = linear_select([ - part1102, - part1103, - ]); - - var all228 = all_match({ - processors: [ - part1101, - select242, - dup36, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg660 = msg("00038", all228); - - var part1104 = match("MESSAGE#651:00039", "nwparser.payload", "BGP instance name created for vr %{node}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg661 = msg("00039", part1104); - - var part1105 = match("MESSAGE#652:00040/0_0", "nwparser.payload", "Low watermark%{p0}"); - - var part1106 = match("MESSAGE#652:00040/0_1", "nwparser.payload", "High watermark%{p0}"); - - var select243 = linear_select([ - part1105, - part1106, - ]); - - var part1107 = match("MESSAGE#652:00040/1", "nwparser.p0", "%{}for early aging has been changed to the default %{fld2}"); - - var all229 = all_match({ - processors: [ - select243, - part1107, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg662 = msg("00040", all229); - - var part1108 = match("MESSAGE#653:00040:01", "nwparser.payload", "VPN '%{group}' from %{daddr->} is %{disposition->} (%{fld1})", processor_chain([ - dup44, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg663 = msg("00040:01", part1108); - - var select244 = linear_select([ - msg662, - msg663, - ]); - - var part1109 = match("MESSAGE#654:00041", "nwparser.payload", "A route-map name in virtual router %{node->} has been removed", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg664 = msg("00041", part1109); - - var part1110 = match("MESSAGE#655:00041:01", "nwparser.payload", "VPN '%{group}' from %{daddr->} is %{disposition->} (%{fld1})", processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg665 = msg("00041:01", part1110); - - var select245 = linear_select([ - msg664, - msg665, - ]); - - var part1111 = 
match("MESSAGE#656:00042", "nwparser.payload", "Replay packet detected on IPSec tunnel on %{interface->} with tunnel ID %{fld2}! From %{saddr->} to %{daddr}/%{dport}, %{info->} (%{fld1})", processor_chain([ - dup58, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg666 = msg("00042", part1111); - - var part1112 = match("MESSAGE#657:00042:01", "nwparser.payload", "%{signame->} From %{saddr->} to %{daddr}, using protocol %{protocol}, and arriving at interface %{dinterface->} in zone %{dst_zone}.The attack occurred %{dclass_counter1->} times. (%{fld1})", processor_chain([ - dup58, - dup2, - dup3, - dup59, - dup9, - dup4, - dup5, - dup60, - ])); - - var msg667 = msg("00042:01", part1112); - - var select246 = linear_select([ - msg666, - msg667, - ]); - - var part1113 = match("MESSAGE#658:00043", "nwparser.payload", "Receive StopCCN_msg, remove l2tp tunnel (%{fld2}-%{fld3}), Result code %{resultcode->} (%{result}). (%{fld1})", processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg668 = msg("00043", part1113); - - var part1114 = match("MESSAGE#659:00044/0", "nwparser.payload", "access list %{listnum->} sequence number %{fld3->} %{p0}"); - - var part1115 = match("MESSAGE#659:00044/1_1", "nwparser.p0", "deny %{p0}"); - - var select247 = linear_select([ - dup257, - part1115, - ]); - - var part1116 = match("MESSAGE#659:00044/2", "nwparser.p0", "ip %{hostip}/%{mask->} %{disposition->} in vrouter %{node}"); - - var all230 = all_match({ - processors: [ - part1114, - select247, - part1116, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg669 = msg("00044", all230); - - var part1117 = match("MESSAGE#660:00044:01", "nwparser.payload", "access list %{listnum->} %{disposition->} in vrouter %{node}.", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg670 = msg("00044:01", part1117); - - var select248 = linear_select([ - msg669, - msg670, - ]); - - var part1118 = 
match("MESSAGE#661:00045", "nwparser.payload", "RIP instance in virtual router %{node->} was %{disposition}.", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg671 = msg("00045", part1118); - - var part1119 = match("MESSAGE#662:00047/1_0", "nwparser.p0", "remove %{p0}"); - - var part1120 = match("MESSAGE#662:00047/1_1", "nwparser.p0", "add %{p0}"); - - var select249 = linear_select([ - part1119, - part1120, - ]); - - var part1121 = match("MESSAGE#662:00047/2", "nwparser.p0", "multicast policy from %{src_zone->} %{fld4->} to %{dst_zone->} %{fld3->} (%{fld1})"); - - var all231 = all_match({ - processors: [ - dup183, - select249, - part1121, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg672 = msg("00047", all231); - - var part1122 = match("MESSAGE#663:00048/0", "nwparser.payload", "Access list entry %{listnum->} with %{p0}"); - - var part1123 = match("MESSAGE#663:00048/1_0", "nwparser.p0", "a sequence %{p0}"); - - var part1124 = match("MESSAGE#663:00048/1_1", "nwparser.p0", "sequence %{p0}"); - - var select250 = linear_select([ - part1123, - part1124, - ]); - - var part1125 = match("MESSAGE#663:00048/2", "nwparser.p0", "number %{fld2->} %{p0}"); - - var part1126 = match("MESSAGE#663:00048/3_0", "nwparser.p0", "with an action of %{p0}"); - - var select251 = linear_select([ - part1126, - dup112, - ]); - - var part1127 = match("MESSAGE#663:00048/5_0", "nwparser.p0", "with an IP %{p0}"); - - var select252 = linear_select([ - part1127, - dup139, - ]); - - var part1128 = match("MESSAGE#663:00048/6", "nwparser.p0", "address %{p0}"); - - var part1129 = match("MESSAGE#663:00048/7_0", "nwparser.p0", "and subnetwork mask of %{p0}"); - - var select253 = linear_select([ - part1129, - dup16, - ]); - - var part1130 = match("MESSAGE#663:00048/8", "nwparser.p0", "%{} %{fld3}was %{p0}"); - - var part1131 = match("MESSAGE#663:00048/9_0", "nwparser.p0", "created on %{p0}"); - - var select254 = 
linear_select([ - part1131, - dup129, - ]); - - var part1132 = match("MESSAGE#663:00048/10", "nwparser.p0", "virtual router %{node->} (%{fld1})"); - - var all232 = all_match({ - processors: [ - part1122, - select250, - part1125, - select251, - dup257, - select252, - part1128, - select253, - part1130, - select254, - part1132, - ], - on_success: processor_chain([ - setc("eventcategory","1501000000"), - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg673 = msg("00048", all232); - - var part1133 = match("MESSAGE#664:00048:01/0", "nwparser.payload", "Route %{p0}"); - - var part1134 = match("MESSAGE#664:00048:01/1_0", "nwparser.p0", "map entry %{p0}"); - - var part1135 = match("MESSAGE#664:00048:01/1_1", "nwparser.p0", "entry %{p0}"); - - var select255 = linear_select([ - part1134, - part1135, - ]); - - var part1136 = match("MESSAGE#664:00048:01/2", "nwparser.p0", "with sequence number %{fld2->} in route map binck-ospf%{p0}"); - - var part1137 = match("MESSAGE#664:00048:01/3_0", "nwparser.p0", " in %{p0}"); - - var select256 = linear_select([ - part1137, - dup105, - ]); - - var part1138 = match("MESSAGE#664:00048:01/4", "nwparser.p0", "virtual router %{node->} was %{disposition->} (%{fld1})"); - - var all233 = all_match({ - processors: [ - part1133, - select255, - part1136, - select256, - part1138, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg674 = msg("00048:01", all233); - - var part1139 = match("MESSAGE#665:00048:02", "nwparser.payload", "%{space}set match interface %{interface->} (%{fld1})", processor_chain([ - dup209, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg675 = msg("00048:02", part1139); - - var select257 = linear_select([ - msg673, - msg674, - msg675, - ]); - - var part1140 = match("MESSAGE#666:00049", "nwparser.payload", "Route-lookup preference changed to %{fld8->} (%{fld2}) => %{fld3->} (%{fld4}) => %{fld5->} (%{fld6}) in virtual router (%{node})", processor_chain([ - 
dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg676 = msg("00049", part1140); - - var part1141 = match("MESSAGE#667:00049:01", "nwparser.payload", "SIBR routing %{disposition->} in virtual router %{node}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg677 = msg("00049:01", part1141); - - var part1142 = match("MESSAGE#668:00049:02", "nwparser.payload", "A virtual router with name %{node->} and ID %{fld2->} has been removed", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg678 = msg("00049:02", part1142); - - var part1143 = match("MESSAGE#669:00049:03", "nwparser.payload", "The router-id of virtual router \"%{node}\" used by OSPF, BGP routing instances id has been uninitialized. (%{fld1})", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg679 = msg("00049:03", part1143); - - var part1144 = match("MESSAGE#670:00049:04", "nwparser.payload", "The system default-route through virtual router \"%{node}\" has been added in virtual router \"%{fld4}\" (%{fld1})", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg680 = msg("00049:04", part1144); - - var part1145 = match("MESSAGE#671:00049:05", "nwparser.payload", "Subnetwork conflict checking for interfaces in virtual router (%{node}) has been enabled. 
(%{fld1})", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg681 = msg("00049:05", part1145); - - var select258 = linear_select([ - msg676, - msg677, - msg678, - msg679, - msg680, - msg681, - ]); - - var part1146 = match("MESSAGE#672:00050", "nwparser.payload", "Track IP enabled (%{fld1})", processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg682 = msg("00050", part1146); - - var part1147 = match("MESSAGE#673:00051", "nwparser.payload", "Session utilization has reached %{fld2}, which is %{fld3->} of the system capacity!", processor_chain([ - dup117, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg683 = msg("00051", part1147); - - var part1148 = match("MESSAGE#674:00052", "nwparser.payload", "AV: Suspicious client %{saddr}:%{sport}->%{daddr}:%{dport->} used %{fld2->} percent of AV resources, which exceeded the max of %{fld3->} percent.", processor_chain([ - dup117, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg684 = msg("00052", part1148); - - var part1149 = match("MESSAGE#675:00055/1_1", "nwparser.p0", "router %{p0}"); - - var select259 = linear_select([ - dup169, - part1149, - ]); - - var part1150 = match("MESSAGE#675:00055/2", "nwparser.p0", "instance was %{disposition->} on interface %{interface}."); - - var all234 = all_match({ - processors: [ - dup258, - select259, - part1150, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg685 = msg("00055", all234); - - var part1151 = match("MESSAGE#676:00055:01/1_0", "nwparser.p0", "proxy %{p0}"); - - var part1152 = match("MESSAGE#676:00055:01/1_1", "nwparser.p0", "function %{p0}"); - - var select260 = linear_select([ - part1151, - part1152, - ]); - - var part1153 = match("MESSAGE#676:00055:01/2", "nwparser.p0", "was %{disposition->} on interface %{interface}."); - - var all235 = all_match({ - processors: [ - dup258, - select260, - part1153, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, 
- dup5, - ]), - }); - - var msg686 = msg("00055:01", all235); - - var part1154 = match("MESSAGE#677:00055:02/2", "nwparser.p0", "same subnet check on interface %{interface}."); - - var all236 = all_match({ - processors: [ - dup259, - dup389, - part1154, - ], - on_success: processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg687 = msg("00055:02", all236); - - var part1155 = match("MESSAGE#678:00055:03/2", "nwparser.p0", "router alert IP option check on interface %{interface}."); - - var all237 = all_match({ - processors: [ - dup259, - dup389, - part1155, - ], - on_success: processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg688 = msg("00055:03", all237); - - var part1156 = match("MESSAGE#679:00055:04", "nwparser.payload", "IGMP version was changed to %{version->} on interface %{interface}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg689 = msg("00055:04", part1156); - - var part1157 = match("MESSAGE#680:00055:05/0", "nwparser.payload", "IGMP query %{p0}"); - - var part1158 = match("MESSAGE#680:00055:05/1_1", "nwparser.p0", "max response time %{p0}"); - - var select261 = linear_select([ - dup110, - part1158, - ]); - - var part1159 = match("MESSAGE#680:00055:05/2", "nwparser.p0", "was changed to %{fld2->} on interface %{interface}"); - - var all238 = all_match({ - processors: [ - part1157, - select261, - part1159, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg690 = msg("00055:05", all238); - - var part1160 = match("MESSAGE#681:00055:06/0", "nwparser.payload", "IGMP l%{p0}"); - - var part1161 = match("MESSAGE#681:00055:06/1_0", "nwparser.p0", "eave %{p0}"); - - var part1162 = match("MESSAGE#681:00055:06/1_1", "nwparser.p0", "ast member query %{p0}"); - - var select262 = linear_select([ - part1161, - part1162, - ]); - - var part1163 = match("MESSAGE#681:00055:06/2", "nwparser.p0", "interval was changed to %{fld2->} on interface 
%{interface}."); - - var all239 = all_match({ - processors: [ - part1160, - select262, - part1163, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg691 = msg("00055:06", all239); - - var part1164 = match("MESSAGE#682:00055:07/1_0", "nwparser.p0", "routers %{p0}"); - - var part1165 = match("MESSAGE#682:00055:07/1_1", "nwparser.p0", "hosts %{p0}"); - - var part1166 = match("MESSAGE#682:00055:07/1_2", "nwparser.p0", "groups %{p0}"); - - var select263 = linear_select([ - part1164, - part1165, - part1166, - ]); - - var part1167 = match("MESSAGE#682:00055:07/2", "nwparser.p0", "accept list ID was changed to %{fld2->} on interface %{interface}."); - - var all240 = all_match({ - processors: [ - dup258, - select263, - part1167, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg692 = msg("00055:07", all240); - - var part1168 = match("MESSAGE#683:00055:08/1_0", "nwparser.p0", "all groups %{p0}"); - - var part1169 = match("MESSAGE#683:00055:08/1_1", "nwparser.p0", "group %{p0}"); - - var select264 = linear_select([ - part1168, - part1169, - ]); - - var part1170 = match("MESSAGE#683:00055:08/2", "nwparser.p0", "%{group->} static flag was %{disposition->} on interface %{interface}."); - - var all241 = all_match({ - processors: [ - dup258, - select264, - part1170, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg693 = msg("00055:08", all241); - - var part1171 = match("MESSAGE#684:00055:09", "nwparser.payload", "IGMP static group %{group->} was added on interface %{interface}", processor_chain([ - dup209, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg694 = msg("00055:09", part1171); - - var part1172 = match("MESSAGE#685:00055:10", "nwparser.payload", "IGMP proxy always is %{disposition->} on interface %{interface}.", processor_chain([ - dup209, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg695 = msg("00055:10", part1172); - 
- var select265 = linear_select([ - msg685, - msg686, - msg687, - msg688, - msg689, - msg690, - msg691, - msg692, - msg693, - msg694, - msg695, - ]); - - var part1173 = match("MESSAGE#686:00056", "nwparser.payload", "Remove multicast policy from %{src_zone->} %{saddr->} to %{dst_zone->} %{daddr}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg696 = msg("00056", part1173); - - var part1174 = match("MESSAGE#687:00057", "nwparser.payload", "%{fld2}: static multicast route src=%{saddr}, grp=%{group->} input ifp = %{sinterface->} output ifp = %{dinterface->} added", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg697 = msg("00057", part1174); - - var part1175 = match("MESSAGE#688:00058", "nwparser.payload", "PIMSM protocol configured on interface %{interface}", processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg698 = msg("00058", part1175); - - var part1176 = match("MESSAGE#689:00059/0", "nwparser.payload", "DDNS module is %{p0}"); - - var part1177 = match("MESSAGE#689:00059/1_0", "nwparser.p0", "initialized %{p0}"); - - var select266 = linear_select([ - part1177, - dup262, - dup157, - dup156, - ]); - - var all242 = all_match({ - processors: [ - part1176, - select266, - dup116, - ], - on_success: processor_chain([ - dup209, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg699 = msg("00059", all242); - - var part1178 = match("MESSAGE#690:00059:02/0", "nwparser.payload", "DDNS entry with id %{fld2->} is configured with server type \"%{fld3}\" name \"%{hostname}\" refresh-interval %{fld5->} hours minimum update interval %{fld6->} minutes with %{p0}"); - - var part1179 = match("MESSAGE#690:00059:02/1_0", "nwparser.p0", "secure %{p0}"); - - var part1180 = match("MESSAGE#690:00059:02/1_1", "nwparser.p0", "clear-text %{p0}"); - - var select267 = linear_select([ - part1179, - part1180, - ]); - - var part1181 = match("MESSAGE#690:00059:02/2", "nwparser.p0", "secure connection.%{}"); - - var 
all243 = all_match({ - processors: [ - part1178, - select267, - part1181, - ], - on_success: processor_chain([ - dup209, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg700 = msg("00059:02", all243); - - var part1182 = match("MESSAGE#691:00059:03", "nwparser.payload", "DDNS entry with id %{fld2->} is configured with user name \"%{username}\" agent \"%{fld3}\"", processor_chain([ - dup209, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg701 = msg("00059:03", part1182); - - var part1183 = match("MESSAGE#692:00059:04", "nwparser.payload", "DDNS entry with id %{fld2->} is configured with interface \"%{interface}\" host-name \"%{hostname}\"", processor_chain([ - dup209, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg702 = msg("00059:04", part1183); - - var part1184 = match("MESSAGE#693:00059:05/0_0", "nwparser.payload", "Hostname %{p0}"); - - var part1185 = match("MESSAGE#693:00059:05/0_1", "nwparser.payload", "Source interface %{p0}"); - - var part1186 = match("MESSAGE#693:00059:05/0_2", "nwparser.payload", "Username and password %{p0}"); - - var part1187 = match("MESSAGE#693:00059:05/0_3", "nwparser.payload", "Server %{p0}"); - - var select268 = linear_select([ - part1184, - part1185, - part1186, - part1187, - ]); - - var part1188 = match("MESSAGE#693:00059:05/1", "nwparser.p0", "of DDNS entry with id %{fld2->} is cleared."); - - var all244 = all_match({ - processors: [ - select268, - part1188, - ], - on_success: processor_chain([ - dup209, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg703 = msg("00059:05", all244); - - var part1189 = match("MESSAGE#694:00059:06", "nwparser.payload", "Agent of DDNS entry with id %{fld2->} is reset to its default value.", processor_chain([ - dup209, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg704 = msg("00059:06", part1189); - - var part1190 = match("MESSAGE#695:00059:07", "nwparser.payload", "Updates for DDNS entry with id %{fld2->} are set to be sent in secure (%{protocol}) mode.", processor_chain([ - 
dup209, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg705 = msg("00059:07", part1190); - - var part1191 = match("MESSAGE#696:00059:08/0_0", "nwparser.payload", "Refresh %{p0}"); - - var part1192 = match("MESSAGE#696:00059:08/0_1", "nwparser.payload", "Minimum update %{p0}"); - - var select269 = linear_select([ - part1191, - part1192, - ]); - - var part1193 = match("MESSAGE#696:00059:08/1", "nwparser.p0", "interval of DDNS entry with id %{fld2->} is set to default value (%{fld3})."); - - var all245 = all_match({ - processors: [ - select269, - part1193, - ], - on_success: processor_chain([ - dup209, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg706 = msg("00059:08", all245); - - var part1194 = match("MESSAGE#697:00059:09/1_0", "nwparser.p0", "No-Change %{p0}"); - - var part1195 = match("MESSAGE#697:00059:09/1_1", "nwparser.p0", "Error %{p0}"); - - var select270 = linear_select([ - part1194, - part1195, - ]); - - var part1196 = match("MESSAGE#697:00059:09/2", "nwparser.p0", "response received for DDNS entry update for id %{fld2->} user \"%{username}\" domain \"%{domain}\" server type \" d%{p0}"); - - var part1197 = match("MESSAGE#697:00059:09/3_1", "nwparser.p0", "yndns %{p0}"); - - var select271 = linear_select([ - dup261, - part1197, - ]); - - var part1198 = match("MESSAGE#697:00059:09/4", "nwparser.p0", "\", server name \"%{hostname}\""); - - var all246 = all_match({ - processors: [ - dup160, - select270, - part1196, - select271, - part1198, - ], - on_success: processor_chain([ - dup209, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg707 = msg("00059:09", all246); - - var part1199 = match("MESSAGE#698:00059:01", "nwparser.payload", "DDNS entry with id %{fld2->} is %{disposition}.", processor_chain([ - dup209, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg708 = msg("00059:01", part1199); - - var select272 = linear_select([ - msg699, - msg700, - msg701, - msg702, - msg703, - msg704, - msg705, - msg706, - msg707, - msg708, - ]); - - var 
part1200 = match("MESSAGE#699:00062:01", "nwparser.payload", "Track IP IP address %{hostip->} failed. (%{event_time_string})", processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - setc("event_description","Track IP failed"), - ])); - - var msg709 = msg("00062:01", part1200); - - var part1201 = match("MESSAGE#700:00062:02", "nwparser.payload", "Track IP failure reached threshold. (%{event_time_string})", processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - setc("event_description","Track IP failure reached threshold"), - ])); - - var msg710 = msg("00062:02", part1201); - - var part1202 = match("MESSAGE#701:00062:03", "nwparser.payload", "Track IP IP address %{hostip->} succeeded. (%{event_time_string})", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - setc("event_description","Track IP succeeded"), - ])); - - var msg711 = msg("00062:03", part1202); - - var part1203 = match("MESSAGE#702:00062", "nwparser.payload", "HA linkdown%{}", processor_chain([ - dup86, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg712 = msg("00062", part1203); - - var select273 = linear_select([ - msg709, - msg710, - msg711, - msg712, - ]); - - var part1204 = match("MESSAGE#703:00063", "nwparser.payload", "nsrp track-ip ip %{hostip->} %{disposition}!", processor_chain([ - dup86, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg713 = msg("00063", part1204); - - var part1205 = match("MESSAGE#704:00064", "nwparser.payload", "Can not create track-ip list%{}", processor_chain([ - dup86, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg714 = msg("00064", part1205); - - var part1206 = match("MESSAGE#705:00064:01", "nwparser.payload", "track ip fail reaches threshold system may fail over!%{}", processor_chain([ - dup86, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg715 = msg("00064:01", part1206); - - var part1207 = match("MESSAGE#706:00064:02", "nwparser.payload", "Anti-Spam is detached from policy ID %{policy_id}. 
(%{fld1})", processor_chain([ - dup17, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg716 = msg("00064:02", part1207); - - var select274 = linear_select([ - msg714, - msg715, - msg716, - ]); - - var msg717 = msg("00070", dup411); - - var part1208 = match("MESSAGE#708:00070:01/2", "nwparser.p0", "%{}Device group %{group->} changed state from %{fld3->} to %{p0}"); - - var part1209 = match("MESSAGE#708:00070:01/3_0", "nwparser.p0", "Init%{}"); - - var part1210 = match("MESSAGE#708:00070:01/3_1", "nwparser.p0", "init. (%{fld1})"); - - var select275 = linear_select([ - part1209, - part1210, - ]); - - var all247 = all_match({ - processors: [ - dup267, - dup391, - part1208, - select275, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg718 = msg("00070:01", all247); - - var part1211 = match("MESSAGE#709:00070:02", "nwparser.payload", "NSRP: nsrp control channel change to %{interface}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg719 = msg("00070:02", part1211); - - var select276 = linear_select([ - msg717, - msg718, - msg719, - ]); - - var msg720 = msg("00071", dup411); - - var part1212 = match("MESSAGE#711:00071:01", "nwparser.payload", "The local device %{fld1->} in the Virtual Security Device group %{group->} changed state", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg721 = msg("00071:01", part1212); - - var select277 = linear_select([ - msg720, - msg721, - ]); - - var msg722 = msg("00072", dup411); - - var msg723 = msg("00072:01", dup412); - - var select278 = linear_select([ - msg722, - msg723, - ]); - - var msg724 = msg("00073", dup411); - - var msg725 = msg("00073:01", dup412); - - var select279 = linear_select([ - msg724, - msg725, - ]); - - var msg726 = msg("00074", dup392); - - var all248 = all_match({ - processors: [ - dup263, - dup390, - dup271, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - 
}); - - var msg727 = msg("00075", all248); - - var part1213 = match("MESSAGE#718:00075:02", "nwparser.payload", "The local device %{hardware_id->} in the Virtual Security Device group %{group->} changed state from %{event_state->} to inoperable. (%{fld1})", processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - setc("event_description","local device in the Virtual Security Device group changed state to inoperable"), - ])); - - var msg728 = msg("00075:02", part1213); - - var part1214 = match("MESSAGE#719:00075:01", "nwparser.payload", "The local device %{hardware_id->} in the Virtual Security Device group %{group->} %{info}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg729 = msg("00075:01", part1214); - - var select280 = linear_select([ - msg727, - msg728, - msg729, - ]); - - var msg730 = msg("00076", dup392); - - var part1215 = match("MESSAGE#721:00076:01/2", "nwparser.p0", "%{fld2->} of VSD group %{group->} send 2nd path request to unit=%{fld3}"); - - var all249 = all_match({ - processors: [ - dup263, - dup390, - part1215, - ], - on_success: processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg731 = msg("00076:01", all249); - - var select281 = linear_select([ - msg730, - msg731, - ]); - - var part1216 = match("MESSAGE#722:00077", "nwparser.payload", "HA link disconnect. 
Begin to use second path of HA%{}", processor_chain([ - dup144, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg732 = msg("00077", part1216); - - var all250 = all_match({ - processors: [ - dup263, - dup390, - dup271, - ], - on_success: processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg733 = msg("00077:01", all250); - - var part1217 = match("MESSAGE#724:00077:02", "nwparser.payload", "The local device %{fld2->} in the Virtual Security Device group %{group}", processor_chain([ - setc("eventcategory","1607000000"), - dup2, - dup3, - dup4, - dup5, - ])); - - var msg734 = msg("00077:02", part1217); - - var select282 = linear_select([ - msg732, - msg733, - msg734, - ]); - - var part1218 = match("MESSAGE#725:00084", "nwparser.payload", "RTSYNC: NSRP route synchronization is %{disposition}", processor_chain([ - dup272, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg735 = msg("00084", part1218); - - var part1219 = match("MESSAGE#726:00090/0_0", "nwparser.payload", "Failover %{p0}"); - - var part1220 = match("MESSAGE#726:00090/0_1", "nwparser.payload", "Recovery %{p0}"); - - var select283 = linear_select([ - part1219, - part1220, - ]); - - var part1221 = match("MESSAGE#726:00090/3", "nwparser.p0", "untrust interface occurred.%{}"); - - var all251 = all_match({ - processors: [ - select283, - dup103, - dup369, - part1221, - ], - on_success: processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg736 = msg("00090", all251); - - var part1222 = match("MESSAGE#727:00200", "nwparser.payload", "A new route cannot be added to the device because the maximum number of system route entries %{fld2->} has been exceeded", processor_chain([ - dup117, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg737 = msg("00200", part1222); - - var part1223 = match("MESSAGE#728:00201", "nwparser.payload", "A route %{hostip}/%{fld2->} cannot be added to the virtual router %{node->} because the number of route entries in the virtual router 
exceeds the maximum number of routes %{fld3->} allowed", processor_chain([ - dup117, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg738 = msg("00201", part1223); - - var part1224 = match("MESSAGE#729:00202", "nwparser.payload", "%{fld2->} hello-packet flood from neighbor (ip = %{hostip->} router-id = %{fld3}) on interface %{interface->} packet is dropped", processor_chain([ - dup272, - dup2, - dup4, - dup5, - dup3, - ])); - - var msg739 = msg("00202", part1224); - - var part1225 = match("MESSAGE#730:00203", "nwparser.payload", "%{fld2->} lsa flood on interface %{interface->} has dropped a packet.", processor_chain([ - dup272, - dup2, - dup4, - dup5, - dup3, - ])); - - var msg740 = msg("00203", part1225); - - var part1226 = match("MESSAGE#731:00206/0", "nwparser.payload", "The total number of redistributed routes into %{p0}"); - - var part1227 = match("MESSAGE#731:00206/1_0", "nwparser.p0", "BGP %{p0}"); - - var part1228 = match("MESSAGE#731:00206/1_1", "nwparser.p0", "OSPF %{p0}"); - - var select284 = linear_select([ - part1227, - part1228, - ]); - - var part1229 = match("MESSAGE#731:00206/2", "nwparser.p0", "in vrouter %{node->} exceeded system limit (%{fld2})"); - - var all252 = all_match({ - processors: [ - part1226, - select284, - part1229, - ], - on_success: processor_chain([ - dup272, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg741 = msg("00206", all252); - - var part1230 = match("MESSAGE#732:00206:01/0", "nwparser.payload", "LSA flood in OSPF with router-id %{fld2->} on %{p0}"); - - var part1231 = match("MESSAGE#732:00206:01/2", "nwparser.p0", "%{interface->} forced the interface to drop a packet."); - - var all253 = all_match({ - processors: [ - part1230, - dup352, - part1231, - ], - on_success: processor_chain([ - dup273, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg742 = msg("00206:01", all253); - - var part1232 = match("MESSAGE#733:00206:02/0", "nwparser.payload", "OSPF instance with router-id %{fld3->} received a Hello packet 
flood from neighbor (IP address %{hostip}, router ID %{fld2}) on %{p0}"); - - var part1233 = match("MESSAGE#733:00206:02/2", "nwparser.p0", "%{interface->} forcing the interface to drop the packet."); - - var all254 = all_match({ - processors: [ - part1232, - dup352, - part1233, - ], - on_success: processor_chain([ - dup273, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg743 = msg("00206:02", all254); - - var part1234 = match("MESSAGE#734:00206:03", "nwparser.payload", "Link State Advertisement Id %{fld2}, router ID %{fld3}, type %{fld4->} cannot be deleted from the real-time database in area %{fld5}", processor_chain([ - dup273, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg744 = msg("00206:03", part1234); - - var part1235 = match("MESSAGE#735:00206:04", "nwparser.payload", "Reject second OSPF neighbor (%{fld2}) on interface (%{interface}) since it_s configured as point-to-point interface", processor_chain([ - dup273, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg745 = msg("00206:04", part1235); - - var select285 = linear_select([ - msg741, - msg742, - msg743, - msg744, - msg745, - ]); - - var part1236 = match("MESSAGE#736:00207", "nwparser.payload", "System wide RIP route limit exceeded, RIP route dropped.%{}", processor_chain([ - dup273, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg746 = msg("00207", part1236); - - var part1237 = match("MESSAGE#737:00207:01", "nwparser.payload", "%{fld2->} RIP routes dropped from last system wide RIP route limit exceed.", processor_chain([ - dup273, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg747 = msg("00207:01", part1237); - - var part1238 = match("MESSAGE#738:00207:02", "nwparser.payload", "RIP database size limit exceeded for %{fld2}, RIP route dropped.", processor_chain([ - dup273, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg748 = msg("00207:02", part1238); - - var part1239 = match("MESSAGE#739:00207:03", "nwparser.payload", "%{fld2->} RIP routes dropped from the last database size exceed in 
vr %{fld3}.", processor_chain([ - dup273, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg749 = msg("00207:03", part1239); - - var select286 = linear_select([ - msg746, - msg747, - msg748, - msg749, - ]); - - var part1240 = match("MESSAGE#740:00257", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} direction=outgoing action=Deny sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport->} translated ip=%{stransaddr->} port=%{stransport}", processor_chain([ - dup185, - dup2, - dup4, - dup5, - dup3, - dup274, - dup275, - dup61, - dup276, - dup277, - dup278, - ])); - - var msg750 = msg("00257", part1240); - - var part1241 = match("MESSAGE#741:00257:14", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} direction=incoming action=Deny sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport->} translated ip=%{dtransaddr->} port=%{dtransport}", processor_chain([ - dup185, - dup2, - dup4, - dup5, - dup3, - dup274, - dup275, - dup279, - dup276, - dup277, - dup280, - ])); - - var msg751 = msg("00257:14", part1241); - - var part1242 = match("MESSAGE#742:00257:01", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} direction=outgoing action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport->} translated ip=%{stransaddr->} port=%{stransport}", processor_chain([ - dup281, - dup2, - dup4, - dup5, - dup3, - dup274, - dup275, - dup61, - dup282, - dup278, - ])); - - var msg752 = msg("00257:01", part1242); - - var part1243 = match("MESSAGE#743:00257:15", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} 
direction=incoming action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport->} translated ip=%{dtransaddr->} port=%{dtransport}", processor_chain([ - dup281, - dup2, - dup4, - dup5, - dup3, - dup274, - dup275, - dup279, - dup282, - dup280, - ])); - - var msg753 = msg("00257:15", part1243); - - var part1244 = match("MESSAGE#744:00257:02", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} direction=%{direction->} action=Deny sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport}", processor_chain([ - dup185, - dup2, - dup4, - dup5, - dup3, - dup274, - dup275, - dup61, - dup276, - dup277, - ])); - - var msg754 = msg("00257:02", part1244); - - var part1245 = match("MESSAGE#745:00257:03", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} direction=%{direction->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport}", processor_chain([ - dup281, - dup2, - dup4, - dup5, - dup3, - dup274, - dup275, - dup61, - dup282, - ])); - - var msg755 = msg("00257:03", part1245); - - var part1246 = match("MESSAGE#746:00257:04", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=Deny sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport->} src-xlated ip=%{stransaddr->} port=%{stransport}", processor_chain([ - dup185, - dup2, - dup4, - dup5, - dup3, - dup274, - dup275, - dup61, - dup276, - dup277, - ])); - - var msg756 = msg("00257:04", part1246); - - var part1247 = match("MESSAGE#747:00257:05", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} 
policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport->} src-xlated ip=%{stransaddr->} port=%{stransport->} dst-xlated ip=%{dtransaddr->} port=%{dtransport->} session_id=%{sessionid->} reason=%{result}", processor_chain([ - dup281, - dup2, - dup4, - dup5, - dup3, - dup274, - dup275, - dup61, - dup282, - ])); - - var msg757 = msg("00257:05", part1247); - - var part1248 = match("MESSAGE#748:00257:19/2", "nwparser.p0", "%{}duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} icmp type=%{icmptype->} icmp code=%{icmpcode->} src-xlated ip=%{stransaddr->} dst-xlated ip=%{dtransaddr->} session_id=%{sessionid->} reason=%{result}"); - - var all255 = all_match({ - processors: [ - dup283, - dup393, - part1248, - ], - on_success: processor_chain([ - dup281, - dup2, - dup4, - dup5, - dup3, - dup274, - dup275, - dup60, - dup282, - ]), - }); - - var msg758 = msg("00257:19", all255); - - var part1249 = match("MESSAGE#749:00257:16/2", "nwparser.p0", "%{}duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} icmp type=%{icmptype->} src-xlated ip=%{stransaddr->} dst-xlated ip=%{dtransaddr->} session_id=%{sessionid}"); - - var all256 = all_match({ - processors: [ - dup283, - dup393, - part1249, - ], - on_success: processor_chain([ - dup281, - dup2, - dup4, - dup5, - dup3, - dup274, - dup275, - dup60, - dup282, - ]), - }); - - var msg759 = msg("00257:16", all256); - - var part1250 = match("MESSAGE#750:00257:17/2", "nwparser.p0", "%{}duration=%{duration->} 
policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport->} src-xlated ip=%{stransaddr->} port=%{stransport->} dst-xlated ip=%{dtransaddr->} port=%{dtransport->} session_id=%{sessionid}"); - - var all257 = all_match({ - processors: [ - dup283, - dup393, - part1250, - ], - on_success: processor_chain([ - dup281, - dup2, - dup4, - dup5, - dup3, - dup274, - dup275, - dup61, - dup282, - ]), - }); - - var msg760 = msg("00257:17", all257); - - var part1251 = match("MESSAGE#751:00257:18/2", "nwparser.p0", "%{}duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport->} src-xlated ip=%{stransaddr->} port=%{stransport->} session_id=%{sessionid}"); - - var all258 = all_match({ - processors: [ - dup283, - dup393, - part1251, - ], - on_success: processor_chain([ - dup281, - dup2, - dup4, - dup5, - dup3, - dup274, - dup275, - dup61, - dup282, - ]), - }); - - var msg761 = msg("00257:18", all258); - - var part1252 = match("MESSAGE#752:00257:06/0", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=Deny sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{p0}"); - - var part1253 = match("MESSAGE#752:00257:06/1_0", "nwparser.p0", "%{dport->} session_id=%{sessionid}"); - - var part1254 = match_copy("MESSAGE#752:00257:06/1_1", "nwparser.p0", "dport"); - - var select287 = linear_select([ - part1253, - part1254, - ]); - - var all259 = all_match({ - processors: [ - part1252, - select287, - ], - on_success: processor_chain([ - dup185, - 
dup2, - dup4, - dup5, - dup3, - dup274, - dup275, - dup61, - dup276, - dup277, - ]), - }); - - var msg762 = msg("00257:06", all259); - - var part1255 = match("MESSAGE#753:00257:07", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport}", processor_chain([ - dup281, - dup2, - dup4, - dup5, - dup3, - dup274, - dup275, - dup61, - dup282, - ])); - - var msg763 = msg("00257:07", part1255); - - var part1256 = match("MESSAGE#754:00257:08", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=Deny sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} tcp=%{icmptype}", processor_chain([ - dup185, - dup2, - dup4, - dup5, - dup3, - dup274, - dup275, - dup60, - dup276, - dup277, - ])); - - var msg764 = msg("00257:08", part1256); - - var part1257 = match("MESSAGE#755:00257:09/0", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} icmp type=%{p0}"); - - var part1258 = match("MESSAGE#755:00257:09/1_0", "nwparser.p0", "%{icmptype->} icmp code=%{icmpcode->} session_id=%{sessionid->} reason=%{result}"); - - var part1259 = match("MESSAGE#755:00257:09/1_1", "nwparser.p0", "%{icmptype->} session_id=%{sessionid}"); - - var part1260 = match_copy("MESSAGE#755:00257:09/1_2", "nwparser.p0", "icmptype"); - - var select288 = linear_select([ - part1258, - part1259, - part1260, - ]); - - var all260 = all_match({ - processors: [ - part1257, - select288, - ], - on_success: processor_chain([ - 
dup281, - dup2, - dup4, - dup5, - dup3, - dup274, - dup275, - dup60, - dup282, - ]), - }); - - var msg765 = msg("00257:09", all260); - - var part1261 = match("MESSAGE#756:00257:10/0", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=Deny sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{p0}"); - - var part1262 = match("MESSAGE#756:00257:10/1_0", "nwparser.p0", "%{daddr->} session_id=%{sessionid}"); - - var select289 = linear_select([ - part1262, - dup286, - ]); - - var all261 = all_match({ - processors: [ - part1261, - select289, - ], - on_success: processor_chain([ - dup185, - dup2, - dup4, - dup5, - dup3, - dup274, - dup275, - dup60, - dup276, - dup277, - ]), - }); - - var msg766 = msg("00257:10", all261); - - var part1263 = match("MESSAGE#757:00257:11/0", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{p0}"); - - var part1264 = match("MESSAGE#757:00257:11/1_0", "nwparser.p0", "%{daddr->} session_id=%{sessionid->} reason=%{result}"); - - var select290 = linear_select([ - part1264, - dup286, - ]); - - var all262 = all_match({ - processors: [ - part1263, - select290, - ], - on_success: processor_chain([ - dup281, - dup2, - dup4, - dup5, - dup3, - dup274, - dup275, - dup60, - dup282, - ]), - }); - - var msg767 = msg("00257:11", all262); - - var part1265 = match("MESSAGE#758:00257:12", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} type=%{fld3}", processor_chain([ - dup281, - dup2, - dup4, - dup5, - dup3, - dup274, - 
dup275, - dup60, - dup282, - ])); - - var msg768 = msg("00257:12", part1265); - - var part1266 = match("MESSAGE#759:00257:13", "nwparser.payload", "start_time=\"%{fld2}", processor_chain([ - dup281, - dup2, - dup3, - dup274, - dup4, - dup5, - ])); - - var msg769 = msg("00257:13", part1266); - - var select291 = linear_select([ - msg750, - msg751, - msg752, - msg753, - msg754, - msg755, - msg756, - msg757, - msg758, - msg759, - msg760, - msg761, - msg762, - msg763, - msg764, - msg765, - msg766, - msg767, - msg768, - msg769, - ]); - - var part1267 = match("MESSAGE#760:00259/1", "nwparser.p0", "user %{username->} has logged on via %{p0}"); - - var part1268 = match("MESSAGE#760:00259/2_0", "nwparser.p0", "the console %{p0}"); - - var select292 = linear_select([ - part1268, - dup289, - dup241, - ]); - - var part1269 = match("MESSAGE#760:00259/3", "nwparser.p0", "from %{saddr}:%{sport}"); - - var all263 = all_match({ - processors: [ - dup394, - part1267, - select292, - part1269, - ], - on_success: processor_chain([ - dup28, - dup29, - dup30, - dup31, - dup32, - dup2, - dup4, - dup5, - dup3, - ]), - }); - - var msg770 = msg("00259", all263); - - var part1270 = match("MESSAGE#761:00259:07/1", "nwparser.p0", "user %{administrator->} has logged out via %{logon_type->} from %{saddr}:%{sport}"); - - var all264 = all_match({ - processors: [ - dup394, - part1270, - ], - on_success: processor_chain([ - dup33, - dup29, - dup34, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg771 = msg("00259:07", all264); - - var part1271 = match("MESSAGE#762:00259:01", "nwparser.payload", "Management session via %{logon_type->} from %{saddr}:%{sport->} for [vsys] admin %{administrator->} has timed out", processor_chain([ - dup290, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg772 = msg("00259:01", part1271); - - var part1272 = match("MESSAGE#763:00259:02", "nwparser.payload", "Management session via %{logon_type->} for [ vsys ] admin %{administrator->} has timed out", processor_chain([ 
- dup290, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg773 = msg("00259:02", part1272); - - var part1273 = match("MESSAGE#764:00259:03", "nwparser.payload", "Login attempt to system by admin %{administrator->} via the %{logon_type->} has failed", processor_chain([ - dup206, - dup29, - dup30, - dup31, - dup54, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg774 = msg("00259:03", part1273); - - var part1274 = match("MESSAGE#765:00259:04", "nwparser.payload", "Login attempt to system by admin %{administrator->} via %{logon_type->} from %{saddr}:%{sport->} has failed", processor_chain([ - dup206, - dup29, - dup30, - dup31, - dup54, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg775 = msg("00259:04", part1274); - - var part1275 = match("MESSAGE#766:00259:05/0", "nwparser.payload", "Admin user %{administrator->} has been forced to log out of the %{p0}"); - - var part1276 = match("MESSAGE#766:00259:05/1_2", "nwparser.p0", "Web %{p0}"); - - var select293 = linear_select([ - dup241, - dup289, - part1276, - ]); - - var part1277 = match("MESSAGE#766:00259:05/2", "nwparser.p0", "session on host %{daddr}:%{dport}"); - - var all265 = all_match({ - processors: [ - part1275, - select293, - part1277, - ], - on_success: processor_chain([ - dup290, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg776 = msg("00259:05", all265); - - var part1278 = match("MESSAGE#767:00259:06", "nwparser.payload", "Admin user %{administrator->} has been forced to log out of the serial console session.", processor_chain([ - dup290, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg777 = msg("00259:06", part1278); - - var select294 = linear_select([ - msg770, - msg771, - msg772, - msg773, - msg774, - msg775, - msg776, - msg777, - ]); - - var part1279 = match("MESSAGE#768:00262", "nwparser.payload", "Admin user %{administrator->} has been rejected via the %{logon_type->} server at %{hostip}", processor_chain([ - dup290, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg778 = msg("00262", 
part1279); - - var part1280 = match("MESSAGE#769:00263", "nwparser.payload", "Admin user %{administrator->} has been accepted via the %{logon_type->} server at %{hostip}", processor_chain([ - setc("eventcategory","1401050100"), - dup2, - dup3, - dup4, - dup5, - ])); - - var msg779 = msg("00263", part1280); - - var part1281 = match("MESSAGE#770:00400/0_0", "nwparser.payload", "ActiveX control %{p0}"); - - var part1282 = match("MESSAGE#770:00400/0_1", "nwparser.payload", "JAVA applet %{p0}"); - - var part1283 = match("MESSAGE#770:00400/0_2", "nwparser.payload", "EXE file %{p0}"); - - var part1284 = match("MESSAGE#770:00400/0_3", "nwparser.payload", "ZIP file %{p0}"); - - var select295 = linear_select([ - part1281, - part1282, - part1283, - part1284, - ]); - - var part1285 = match("MESSAGE#770:00400/1", "nwparser.p0", "has been detected! From %{saddr}:%{sport->} to %{daddr}:%{dport->} using protocol %{protocol->} and arriving at interface %{dinterface->} in zone %{dst_zone}. %{info}"); - - var all266 = all_match({ - processors: [ - select295, - part1285, - ], - on_success: processor_chain([ - setc("eventcategory","1003000000"), - dup2, - dup4, - dup5, - dup3, - dup61, - ]), - }); - - var msg780 = msg("00400", all266); - - var part1286 = match("MESSAGE#771:00401", "nwparser.payload", "%{signame}! From %{saddr->} to %{daddr}, proto %{protocol->} (zone %{zone}, int %{interface}). %{info}", processor_chain([ - dup85, - dup2, - dup4, - dup5, - dup3, - dup291, - ])); - - var msg781 = msg("00401", part1286); - - var part1287 = match("MESSAGE#772:00402", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to %{daddr}:%{dport}, proto %{protocol->} (zone %{zone}, int %{interface}). 
%{info}", processor_chain([ - dup85, - dup2, - dup4, - dup5, - dup3, - dup292, - ])); - - var msg782 = msg("00402", part1287); - - var part1288 = match("MESSAGE#773:00402:01/0", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to %{daddr}:%{dport}, using protocol %{protocol}, and arriving at %{p0}"); - - var part1289 = match("MESSAGE#773:00402:01/2", "nwparser.p0", "%{} %{interface->} in zone %{zone}. %{info}"); - - var all267 = all_match({ - processors: [ - part1288, - dup337, - part1289, - ], - on_success: processor_chain([ - dup85, - dup2, - dup4, - dup5, - dup3, - dup292, - ]), - }); - - var msg783 = msg("00402:01", all267); - - var select296 = linear_select([ - msg782, - msg783, - ]); - - var part1290 = match("MESSAGE#774:00403", "nwparser.payload", "%{signame}! From %{saddr}:%{sport->} to %{daddr}:%{dport}, proto %{protocol->} (zone %{zone}, int %{interface}). %{info}", processor_chain([ - dup85, - dup2, - dup4, - dup5, - dup3, - dup291, - ])); - - var msg784 = msg("00403", part1290); - - var part1291 = match("MESSAGE#775:00404", "nwparser.payload", "%{signame}! From %{saddr}:%{sport->} to %{daddr}:%{dport}, proto %{protocol->} (zone %{zone}, int %{interface}). %{info}", processor_chain([ - dup147, - dup148, - dup149, - dup150, - dup2, - dup4, - dup5, - dup3, - dup292, - ])); - - var msg785 = msg("00404", part1291); - - var part1292 = match("MESSAGE#776:00405", "nwparser.payload", "%{signame}! From %{saddr->} to %{daddr}, proto %{protocol->} (zone %{zone}, int %{interface}). 
%{info}", processor_chain([ - dup147, - dup2, - dup4, - dup5, - dup3, - dup291, - ])); - - var msg786 = msg("00405", part1292); - - var msg787 = msg("00406", dup413); - - var msg788 = msg("00407", dup413); - - var msg789 = msg("00408", dup413); - - var all268 = all_match({ - processors: [ - dup132, - dup343, - dup293, - ], - on_success: processor_chain([ - dup58, - dup2, - dup59, - dup3, - dup4, - dup5, - dup60, - ]), - }); - - var msg790 = msg("00409", all268); - - var msg791 = msg("00410", dup413); - - var part1293 = match("MESSAGE#782:00410:01", "nwparser.payload", "%{signame->} From %{saddr->} to %{daddr}, using protocol %{protocol}, and arriving at interface %{dinterface->} in zone %{dst_zone}.%{space}The attack occurred %{dclass_counter1->} times.", processor_chain([ - dup58, - dup2, - dup3, - dup59, - dup4, - dup5, - dup60, - ])); - - var msg792 = msg("00410:01", part1293); - - var select297 = linear_select([ - msg791, - msg792, - ]); - - var part1294 = match("MESSAGE#783:00411/0", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to %{daddr}:%{dport}, proto TCP (zone %{zone->} %{p0}"); - - var all269 = all_match({ - processors: [ - part1294, - dup343, - dup293, - ], - on_success: processor_chain([ - dup58, - dup2, - dup59, - dup3, - dup4, - dup5, - dup61, - ]), - }); - - var msg793 = msg("00411", all269); - - var part1295 = match("MESSAGE#784:00413/0", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to %{daddr}:%{dport->} using protocol %{protocol->} and arriving at %{p0}"); - - var part1296 = match("MESSAGE#784:00413/2", "nwparser.p0", "%{} %{interface}.%{space}The attack occurred %{dclass_counter1->} times"); - - var all270 = all_match({ - processors: [ - part1295, - dup337, - part1296, - ], - on_success: processor_chain([ - dup58, - dup2, - dup59, - dup3, - dup4, - dup5, - dup61, - ]), - }); - - var msg794 = msg("00413", all270); - - var part1297 = match("MESSAGE#785:00413:01/0", "nwparser.payload", "%{signame->} From 
%{saddr}:%{sport->} to %{daddr}:%{dport}, proto %{protocol}(zone %{group->} %{p0}"); - - var all271 = all_match({ - processors: [ - part1297, - dup343, - dup83, - ], - on_success: processor_chain([ - dup58, - dup2, - dup59, - dup3, - dup4, - dup5, - dup9, - dup61, - ]), - }); - - var msg795 = msg("00413:01", all271); - - var part1298 = match("MESSAGE#786:00413:02", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to %{daddr}:%{dport}, using protocol %{protocol}, on zone %{zone->} interface %{interface}.The attack occurred %{dclass_counter1->} times. (%{fld1})", processor_chain([ - dup58, - dup2, - dup3, - dup4, - dup59, - dup5, - dup9, - ])); - - var msg796 = msg("00413:02", part1298); - - var select298 = linear_select([ - msg794, - msg795, - msg796, - ]); - - var part1299 = match("MESSAGE#787:00414", "nwparser.payload", "%{signame->} From %{saddr->} to %{daddr}, proto %{protocol->} (zone %{zone}, int %{interface}). Occurred %{dclass_counter1->} times. (%{fld1})", processor_chain([ - dup58, - dup2, - dup59, - dup3, - dup4, - dup5, - dup9, - ])); - - var msg797 = msg("00414", part1299); - - var part1300 = match("MESSAGE#788:00414:01", "nwparser.payload", "%{signame->} From %{saddr->} to %{daddr}, using protocol %{protocol}, on zone %{zone->} interface %{interface}.The attack occurred %{dclass_counter1->} times. 
(%{fld1})", processor_chain([ - dup58, - dup2, - dup3, - dup59, - dup4, - dup5, - dup9, - ])); - - var msg798 = msg("00414:01", part1300); - - var select299 = linear_select([ - msg797, - msg798, - ]); - - var part1301 = match("MESSAGE#789:00415", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to %{daddr}:%{dport->} using protocol %{protocol->} and arriving at interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([ - dup58, - dup2, - dup59, - dup3, - dup4, - dup5, - dup61, - ])); - - var msg799 = msg("00415", part1301); - - var all272 = all_match({ - processors: [ - dup132, - dup343, - dup294, - ], - on_success: processor_chain([ - dup58, - dup2, - dup59, - dup3, - dup4, - dup5, - dup60, - ]), - }); - - var msg800 = msg("00423", all272); - - var all273 = all_match({ - processors: [ - dup80, - dup343, - dup83, - ], - on_success: processor_chain([ - dup58, - dup2, - dup3, - dup9, - dup59, - dup4, - dup5, - dup60, - ]), - }); - - var msg801 = msg("00429", all273); - - var all274 = all_match({ - processors: [ - dup132, - dup343, - dup83, - ], - on_success: processor_chain([ - dup58, - dup2, - dup3, - dup9, - dup59, - dup4, - dup5, - dup60, - ]), - }); - - var msg802 = msg("00429:01", all274); - - var select300 = linear_select([ - msg801, - msg802, - ]); - - var all275 = all_match({ - processors: [ - dup80, - dup343, - dup295, - dup351, - ], - on_success: processor_chain([ - dup85, - dup2, - dup59, - dup3, - dup9, - dup4, - dup5, - dup61, - ]), - }); - - var msg803 = msg("00430", all275); - - var all276 = all_match({ - processors: [ - dup132, - dup343, - dup295, - dup351, - ], - on_success: processor_chain([ - dup85, - dup2, - dup59, - dup3, - dup9, - dup4, - dup5, - dup60, - ]), - }); - - var msg804 = msg("00430:01", all276); - - var select301 = linear_select([ - msg803, - msg804, - ]); - - var msg805 = msg("00431", dup414); - - var msg806 = msg("00432", dup414); - - var msg807 = msg("00433", dup415); - - var msg808 
= msg("00434", dup415); - - var msg809 = msg("00435", dup395); - - var all277 = all_match({ - processors: [ - dup132, - dup343, - dup294, - ], - on_success: processor_chain([ - dup58, - dup2, - dup4, - dup59, - dup5, - dup3, - dup60, - ]), - }); - - var msg810 = msg("00435:01", all277); - - var select302 = linear_select([ - msg809, - msg810, - ]); - - var msg811 = msg("00436", dup395); - - var all278 = all_match({ - processors: [ - dup64, - dup338, - dup67, - ], - on_success: processor_chain([ - dup58, - dup2, - dup59, - dup9, - dup4, - dup5, - dup3, - dup60, - ]), - }); - - var msg812 = msg("00436:01", all278); - - var select303 = linear_select([ - msg811, - msg812, - ]); - - var part1302 = match("MESSAGE#803:00437", "nwparser.payload", "%{signame->} has been detected! From %{saddr}:%{sport->} to %{daddr}:%{dport}, using protocol %{protocol}, and arriving at interface %{dinterface->} in zone %{dst_zone}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([ - dup58, - dup2, - dup59, - dup3, - dup4, - dup5, - dup61, - ])); - - var msg813 = msg("00437", part1302); - - var all279 = all_match({ - processors: [ - dup299, - dup338, - dup67, - ], - on_success: processor_chain([ - dup58, - dup2, - dup59, - dup3, - dup4, - dup5, - dup61, - dup9, - ]), - }); - - var msg814 = msg("00437:01", all279); - - var part1303 = match("MESSAGE#805:00437:02", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to %{daddr}:%{dport}, using protocol %{protocol}, on zone %{zone->} interface %{interface}.The attack occurred %{dclass_counter1->} times. (%{fld1})", processor_chain([ - dup58, - dup2, - dup59, - dup3, - dup4, - dup5, - dup61, - dup9, - ])); - - var msg815 = msg("00437:02", part1303); - - var select304 = linear_select([ - msg813, - msg814, - msg815, - ]); - - var part1304 = match("MESSAGE#806:00438", "nwparser.payload", "%{signame->} has been detected! 
From %{saddr}:%{sport->} to %{daddr}:%{dport->} using protocol %{protocol->} and arriving at interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([ - dup58, - dup2, - dup59, - dup3, - dup4, - dup5, - dup61, - ])); - - var msg816 = msg("00438", part1304); - - var part1305 = match("MESSAGE#807:00438:01", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to %{daddr}:%{dport}, using protocol %{protocol}, on zone %{zone->} interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times.", processor_chain([ - dup58, - dup2, - dup59, - dup3, - dup4, - dup5, - dup61, - ])); - - var msg817 = msg("00438:01", part1305); - - var all280 = all_match({ - processors: [ - dup299, - dup338, - dup67, - ], - on_success: processor_chain([ - dup58, - dup2, - dup59, - dup3, - dup4, - dup5, - dup9, - dup61, - ]), - }); - - var msg818 = msg("00438:02", all280); - - var select305 = linear_select([ - msg816, - msg817, - msg818, - ]); - - var part1306 = match("MESSAGE#809:00440", "nwparser.payload", "%{signame->} has been detected! From %{saddr->} to %{daddr}, using protocol %{protocol}, and arriving at interface %{dinterface->} in zone %{dst_zone}.%{space}The attack occurred %{dclass_counter1->} times. (%{fld1})", processor_chain([ - dup58, - dup2, - dup59, - dup3, - dup4, - dup5, - dup9, - dup60, - ])); - - var msg819 = msg("00440", part1306); - - var part1307 = match("MESSAGE#810:00440:02", "nwparser.payload", "%{signame->} has been detected! 
From %{saddr}:%{sport->} to %{daddr}:%{dport}, using protocol %{protocol}, and arriving at interface %{dinterface->} in zone %{dst_zone}.%{space}The attack occurred %{dclass_counter1->} times.", processor_chain([ - dup58, - dup2, - dup59, - dup4, - dup5, - dup3, - dup61, - ])); - - var msg820 = msg("00440:02", part1307); - - var all281 = all_match({ - processors: [ - dup239, - dup343, - dup83, - ], - on_success: processor_chain([ - dup58, - dup2, - dup59, - dup4, - dup5, - dup3, - dup9, - dup61, - ]), - }); - - var msg821 = msg("00440:01", all281); - - var part1308 = match("MESSAGE#812:00440:03/0", "nwparser.payload", "Fragmented traffic! From %{saddr->} to %{daddr}, proto %{protocol->} (zone %{group->} %{p0}"); - - var all282 = all_match({ - processors: [ - part1308, - dup343, - dup83, - ], - on_success: processor_chain([ - dup58, - dup2, - dup59, - dup4, - dup5, - dup3, - dup9, - dup60, - ]), - }); - - var msg822 = msg("00440:03", all282); - - var select306 = linear_select([ - msg819, - msg820, - msg821, - msg822, - ]); - - var part1309 = match("MESSAGE#813:00441", "nwparser.payload", "%{signame->} id=%{fld2}! From %{saddr->} to %{daddr}, proto %{protocol->} (zone %{zone}). Occurred %{dclass_counter1->} times. 
(%{fld1})", processor_chain([ - dup58, - dup4, - dup59, - dup5, - dup9, - dup2, - dup3, - dup60, - ])); - - var msg823 = msg("00441", part1309); - - var msg824 = msg("00442", dup396); - - var msg825 = msg("00443", dup396); - - var part1310 = match("MESSAGE#816:00511", "nwparser.payload", "admin %{administrator->} issued command %{fld2->} to redirect output.", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg826 = msg("00511", part1310); - - var part1311 = match("MESSAGE#817:00511:01/0", "nwparser.payload", "All System Config saved by admin %{p0}"); - - var all283 = all_match({ - processors: [ - part1311, - dup397, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg827 = msg("00511:01", all283); - - var part1312 = match("MESSAGE#818:00511:02", "nwparser.payload", "All logged events or alarms are cleared by admin %{administrator}.", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg828 = msg("00511:02", part1312); - - var part1313 = match("MESSAGE#819:00511:03/0", "nwparser.payload", "Get new software from flash to slot (file: %{fld2}) by admin %{p0}"); - - var all284 = all_match({ - processors: [ - part1313, - dup397, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg829 = msg("00511:03", all284); - - var part1314 = match("MESSAGE#820:00511:04/0", "nwparser.payload", "Get new software from %{hostip->} (file: %{fld2}) to slot (file: %{fld3}) by admin %{p0}"); - - var all285 = all_match({ - processors: [ - part1314, - dup397, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg830 = msg("00511:04", all285); - - var part1315 = match("MESSAGE#821:00511:05/0", "nwparser.payload", "Get new software to %{hostip->} (file: %{fld2}) by admin %{p0}"); - - var all286 = all_match({ - processors: [ - part1315, - dup397, - ], - on_success: processor_chain([ - 
dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg831 = msg("00511:05", all286); - - var part1316 = match("MESSAGE#822:00511:06/0", "nwparser.payload", "Log setting is modified by admin %{p0}"); - - var all287 = all_match({ - processors: [ - part1316, - dup397, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg832 = msg("00511:06", all287); - - var part1317 = match("MESSAGE#823:00511:07/0", "nwparser.payload", "Save configuration to %{hostip->} (file: %{fld2}) by admin %{p0}"); - - var all288 = all_match({ - processors: [ - part1317, - dup397, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg833 = msg("00511:07", all288); - - var part1318 = match("MESSAGE#824:00511:08/0", "nwparser.payload", "Save new software from slot (file: %{fld2}) to flash by admin %{p0}"); - - var all289 = all_match({ - processors: [ - part1318, - dup397, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg834 = msg("00511:08", all289); - - var part1319 = match("MESSAGE#825:00511:09/0", "nwparser.payload", "Save new software from %{hostip->} (file: %{result}) to flash by admin %{p0}"); - - var all290 = all_match({ - processors: [ - part1319, - dup397, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg835 = msg("00511:09", all290); - - var part1320 = match("MESSAGE#826:00511:10/0", "nwparser.payload", "System Config from flash to slot - %{fld2->} by admin %{p0}"); - - var all291 = all_match({ - processors: [ - part1320, - dup397, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg836 = msg("00511:10", all291); - - var part1321 = match("MESSAGE#827:00511:11/0", "nwparser.payload", "System Config load from %{hostip->} (file %{fld2}) to slot - %{fld3->} by admin %{p0}"); - - var all292 = 
all_match({ - processors: [ - part1321, - dup397, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg837 = msg("00511:11", all292); - - var part1322 = match("MESSAGE#828:00511:12/0", "nwparser.payload", "System Config load from %{hostip->} (file %{fld2}) by admin %{p0}"); - - var all293 = all_match({ - processors: [ - part1322, - dup397, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg838 = msg("00511:12", all293); - - var part1323 = match("MESSAGE#829:00511:13/0", "nwparser.payload", "The system configuration was loaded from the slot by admin %{p0}"); - - var all294 = all_match({ - processors: [ - part1323, - dup397, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg839 = msg("00511:13", all294); - - var part1324 = match("MESSAGE#830:00511:14", "nwparser.payload", "FIPS: Attempt to set RADIUS shared secret with invalid length %{fld2}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg840 = msg("00511:14", part1324); - - var select307 = linear_select([ - msg826, - msg827, - msg828, - msg829, - msg830, - msg831, - msg832, - msg833, - msg834, - msg835, - msg836, - msg837, - msg838, - msg839, - msg840, - ]); - - var part1325 = match("MESSAGE#831:00513/0", "nwparser.payload", "The physical state of %{p0}"); - - var part1326 = match("MESSAGE#831:00513/1_1", "nwparser.p0", "the Interface %{p0}"); - - var select308 = linear_select([ - dup123, - part1326, - dup122, - ]); - - var part1327 = match("MESSAGE#831:00513/2", "nwparser.p0", "%{interface->} has changed to %{p0}"); - - var part1328 = match("MESSAGE#831:00513/3_0", "nwparser.p0", "%{result}. 
(%{fld1})"); - - var part1329 = match_copy("MESSAGE#831:00513/3_1", "nwparser.p0", "result"); - - var select309 = linear_select([ - part1328, - part1329, - ]); - - var all295 = all_match({ - processors: [ - part1325, - select308, - part1327, - select309, - ], - on_success: processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - dup9, - ]), - }); - - var msg841 = msg("00513", all295); - - var part1330 = match("MESSAGE#832:00515/0_0", "nwparser.payload", "Vsys Admin %{p0}"); - - var select310 = linear_select([ - part1330, - dup287, - ]); - - var part1331 = match("MESSAGE#832:00515/1", "nwparser.p0", "%{administrator->} has logged on via the %{logon_type->} ( HTTP%{p0}"); - - var part1332 = match("MESSAGE#832:00515/2_1", "nwparser.p0", "S%{p0}"); - - var select311 = linear_select([ - dup96, - part1332, - ]); - - var part1333 = match("MESSAGE#832:00515/3", "nwparser.p0", "%{}) to port %{interface->} from %{saddr}:%{sport}"); - - var all296 = all_match({ - processors: [ - select310, - part1331, - select311, - part1333, - ], - on_success: processor_chain([ - dup301, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg842 = msg("00515", all296); - - var part1334 = match("MESSAGE#833:00515:01/0", "nwparser.payload", "Login attempt to system by admin %{administrator->} via %{p0}"); - - var part1335 = match("MESSAGE#833:00515:01/1_0", "nwparser.p0", "the %{logon_type->} has failed %{p0}"); - - var part1336 = match("MESSAGE#833:00515:01/1_1", "nwparser.p0", "%{logon_type->} from %{saddr}:%{sport->} has failed %{p0}"); - - var select312 = linear_select([ - part1335, - part1336, - ]); - - var part1337 = match_copy("MESSAGE#833:00515:01/2", "nwparser.p0", "fld2"); - - var all297 = all_match({ - processors: [ - part1334, - select312, - part1337, - ], - on_success: processor_chain([ - dup206, - dup29, - dup30, - dup31, - dup54, - dup2, - dup4, - dup5, - dup302, - dup3, - ]), - }); - - var msg843 = msg("00515:01", all297); - - var part1338 = match("MESSAGE#834:00515:02/0", 
"nwparser.payload", "Management session via %{p0}"); - - var part1339 = match("MESSAGE#834:00515:02/1_0", "nwparser.p0", "the %{logon_type->} for %{p0}"); - - var part1340 = match("MESSAGE#834:00515:02/1_1", "nwparser.p0", "%{logon_type->} from %{saddr}:%{sport->} for %{p0}"); - - var select313 = linear_select([ - part1339, - part1340, - ]); - - var part1341 = match("MESSAGE#834:00515:02/2_0", "nwparser.p0", "[vsys] admin %{p0}"); - - var part1342 = match("MESSAGE#834:00515:02/2_1", "nwparser.p0", "vsys admin %{p0}"); - - var select314 = linear_select([ - part1341, - part1342, - dup15, - ]); - - var part1343 = match("MESSAGE#834:00515:02/3", "nwparser.p0", "%{administrator->} has timed out"); - - var all298 = all_match({ - processors: [ - part1338, - select313, - select314, - part1343, - ], - on_success: processor_chain([ - dup27, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg844 = msg("00515:02", all298); - - var part1344 = match("MESSAGE#835:00515:04/0_0", "nwparser.payload", "[Vsys] %{p0}"); - - var part1345 = match("MESSAGE#835:00515:04/0_1", "nwparser.payload", "Vsys %{p0}"); - - var select315 = linear_select([ - part1344, - part1345, - ]); - - var part1346 = match("MESSAGE#835:00515:04/1", "nwparser.p0", "Admin %{administrator->} has logged o%{p0}"); - - var part1347 = match_copy("MESSAGE#835:00515:04/4_1", "nwparser.p0", "logon_type"); - - var select316 = linear_select([ - dup304, - part1347, - ]); - - var all299 = all_match({ - processors: [ - select315, - part1346, - dup398, - dup40, - select316, - ], - on_success: processor_chain([ - dup240, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg845 = msg("00515:04", all299); - - var part1348 = match("MESSAGE#836:00515:06", "nwparser.payload", "Admin User %{administrator->} has logged on via %{logon_type->} from %{saddr}:%{sport}", processor_chain([ - dup240, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg846 = msg("00515:06", part1348); - - var part1349 = match("MESSAGE#837:00515:05/0", 
"nwparser.payload", "%{}Admin %{p0}"); - - var select317 = linear_select([ - dup305, - dup16, - ]); - - var part1350 = match("MESSAGE#837:00515:05/2", "nwparser.p0", "%{administrator->} has logged o%{p0}"); - - var part1351 = match("MESSAGE#837:00515:05/5_1", "nwparser.p0", "%{logon_type->} from %{saddr}:%{sport->} (%{fld2})"); - - var select318 = linear_select([ - dup306, - part1351, - dup304, - ]); - - var all300 = all_match({ - processors: [ - part1349, - select317, - part1350, - dup398, - dup40, - select318, - ], - on_success: processor_chain([ - dup240, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg847 = msg("00515:05", all300); - - var part1352 = match("MESSAGE#838:00515:07", "nwparser.payload", "Admin user %{administrator->} login attempt for %{logon_type}(http) management (port %{network_port}) from %{saddr}:%{sport->} %{disposition}", processor_chain([ - dup240, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg848 = msg("00515:07", part1352); - - var part1353 = match("MESSAGE#839:00515:08/0", "nwparser.payload", "%{fld2->} Admin User \"%{administrator}\" logged in for %{logon_type}(http%{p0}"); - - var part1354 = match("MESSAGE#839:00515:08/1_0", "nwparser.p0", ") %{p0}"); - - var part1355 = match("MESSAGE#839:00515:08/1_1", "nwparser.p0", "s) %{p0}"); - - var select319 = linear_select([ - part1354, - part1355, - ]); - - var part1356 = match("MESSAGE#839:00515:08/2", "nwparser.p0", "management (port %{network_port}) from %{saddr}:%{sport}"); - - var all301 = all_match({ - processors: [ - part1353, - select319, - part1356, - ], - on_success: processor_chain([ - dup240, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg849 = msg("00515:08", all301); - - var part1357 = match("MESSAGE#840:00515:09", "nwparser.payload", "User %{username->} telnet management session from (%{saddr}:%{sport}) timed out", processor_chain([ - dup240, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg850 = msg("00515:09", part1357); - - var part1358 = 
match("MESSAGE#841:00515:10", "nwparser.payload", "User %{username->} logged out of telnet session from %{saddr}:%{sport}", processor_chain([ - dup240, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg851 = msg("00515:10", part1358); - - var part1359 = match("MESSAGE#842:00515:11", "nwparser.payload", "The session limit threshold has been set to %{trigger_val->} on zone %{zone}.", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg852 = msg("00515:11", part1359); - - var part1360 = match("MESSAGE#843:00515:12/0", "nwparser.payload", "[ Vsys ] Admin User \"%{administrator}\" logged in for Web( http%{p0}"); - - var part1361 = match("MESSAGE#843:00515:12/2", "nwparser.p0", ") management (port %{network_port})"); - - var all302 = all_match({ - processors: [ - part1360, - dup399, - part1361, - ], - on_success: processor_chain([ - dup240, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg853 = msg("00515:12", all302); - - var select320 = linear_select([ - dup288, - dup287, - ]); - - var part1362 = match("MESSAGE#844:00515:13/1", "nwparser.p0", "user %{administrator->} has logged o%{p0}"); - - var select321 = linear_select([ - dup306, - dup304, - ]); - - var all303 = all_match({ - processors: [ - select320, - part1362, - dup398, - dup40, - select321, - ], - on_success: processor_chain([ - dup240, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg854 = msg("00515:13", all303); - - var part1363 = match("MESSAGE#845:00515:14/0_0", "nwparser.payload", "Admin user %{administrator->} has been forced to log o%{p0}"); - - var part1364 = match("MESSAGE#845:00515:14/0_1", "nwparser.payload", "%{username->} %{fld1->} has been forced to log o%{p0}"); - - var select322 = linear_select([ - part1363, - part1364, - ]); - - var part1365 = match("MESSAGE#845:00515:14/2", "nwparser.p0", "of the %{p0}"); - - var part1366 = match("MESSAGE#845:00515:14/3_0", "nwparser.p0", "serial %{logon_type->} session."); - - var part1367 = 
match("MESSAGE#845:00515:14/3_1", "nwparser.p0", "%{logon_type->} session on host %{hostip}:%{network_port->} (%{event_time})"); - - var part1368 = match("MESSAGE#845:00515:14/3_2", "nwparser.p0", "%{logon_type->} session on host %{hostip}:%{network_port}"); - - var select323 = linear_select([ - part1366, - part1367, - part1368, - ]); - - var all304 = all_match({ - processors: [ - select322, - dup398, - part1365, - select323, - ], - on_success: processor_chain([ - dup240, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg855 = msg("00515:14", all304); - - var part1369 = match("MESSAGE#846:00515:15/0", "nwparser.payload", "%{fld2}: Admin User %{administrator->} has logged o%{p0}"); - - var part1370 = match("MESSAGE#846:00515:15/3_0", "nwparser.p0", "the %{logon_type->} (%{p0}"); - - var part1371 = match("MESSAGE#846:00515:15/3_1", "nwparser.p0", "%{logon_type->} from %{saddr}:%{sport->} (%{p0}"); - - var select324 = linear_select([ - part1370, - part1371, - ]); - - var all305 = all_match({ - processors: [ - part1369, - dup398, - dup40, - select324, - dup41, - ], - on_success: processor_chain([ - dup240, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg856 = msg("00515:15", all305); - - var part1372 = match("MESSAGE#847:00515:16/0_0", "nwparser.payload", "%{fld2}: Admin %{p0}"); - - var select325 = linear_select([ - part1372, - dup287, - ]); - - var part1373 = match("MESSAGE#847:00515:16/1", "nwparser.p0", "user %{administrator->} attempt access to %{url->} illegal from %{logon_type}( http%{p0}"); - - var part1374 = match("MESSAGE#847:00515:16/3", "nwparser.p0", ") management (port %{network_port}) from %{saddr}:%{sport}. 
(%{fld1})"); - - var all306 = all_match({ - processors: [ - select325, - part1373, - dup399, - part1374, - ], - on_success: processor_chain([ - dup240, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg857 = msg("00515:16", all306); - - var part1375 = match("MESSAGE#848:00515:17/0", "nwparser.payload", "Admin user \"%{administrator}\" logged out for %{logon_type}(%{p0}"); - - var part1376 = match("MESSAGE#848:00515:17/1_0", "nwparser.p0", "https %{p0}"); - - var part1377 = match("MESSAGE#848:00515:17/1_1", "nwparser.p0", " http %{p0}"); - - var select326 = linear_select([ - part1376, - part1377, - ]); - - var part1378 = match("MESSAGE#848:00515:17/2", "nwparser.p0", ") management (port %{network_port}) from %{saddr}:%{sport}"); - - var all307 = all_match({ - processors: [ - part1375, - select326, - part1378, - ], - on_success: processor_chain([ - dup240, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg858 = msg("00515:17", all307); - - var part1379 = match("MESSAGE#849:00515:18", "nwparser.payload", "Admin user %{administrator->} login attempt for %{logon_type}(https) management (port %{network_port}) from %{saddr}:%{sport->} %{disposition}. (%{fld1})", processor_chain([ - dup240, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg859 = msg("00515:18", part1379); - - var part1380 = match("MESSAGE#850:00515:19/0", "nwparser.payload", "Vsys admin user %{administrator->} logged on via %{p0}"); - - var part1381 = match("MESSAGE#850:00515:19/1_0", "nwparser.p0", "%{logon_type->} from remote IP address %{saddr->} using port %{sport}. (%{p0}"); - - var part1382 = match("MESSAGE#850:00515:19/1_1", "nwparser.p0", "the console. 
(%{p0}"); - - var select327 = linear_select([ - part1381, - part1382, - ]); - - var all308 = all_match({ - processors: [ - part1380, - select327, - dup41, - ], - on_success: processor_chain([ - dup240, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg860 = msg("00515:19", all308); - - var part1383 = match("MESSAGE#851:00515:20", "nwparser.payload", "netscreen: Management session via SCS from %{saddr}:%{sport->} for admin netscreen has timed out (%{fld1})", processor_chain([ - dup240, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg861 = msg("00515:20", part1383); - - var select328 = linear_select([ - msg842, - msg843, - msg844, - msg845, - msg846, - msg847, - msg848, - msg849, - msg850, - msg851, - msg852, - msg853, - msg854, - msg855, - msg856, - msg857, - msg858, - msg859, - msg860, - msg861, - ]); - - var part1384 = match("MESSAGE#852:00518", "nwparser.payload", "Admin user %{administrator->} %{fld1}at %{saddr->} has been %{disposition->} via the %{logon_type->} server at %{hostip}", processor_chain([ - dup281, - dup2, - dup4, - dup5, - dup3, - ])); - - var msg862 = msg("00518", part1384); - - var part1385 = match("MESSAGE#853:00518:17", "nwparser.payload", "Admin user %{administrator->} has been %{disposition->} via the %{logon_type->} server at %{hostip}", processor_chain([ - dup281, - dup2, - dup4, - dup5, - dup3, - ])); - - var msg863 = msg("00518:17", part1385); - - var part1386 = match("MESSAGE#854:00518:01", "nwparser.payload", "Local authentication for WebAuth user %{username->} was %{disposition}", processor_chain([ - dup281, - dup2, - dup4, - dup5, - dup3, - ])); - - var msg864 = msg("00518:01", part1386); - - var part1387 = match("MESSAGE#855:00518:02", "nwparser.payload", "Local authentication for user %{username->} was %{disposition}", processor_chain([ - dup281, - dup2, - dup4, - dup5, - dup3, - ])); - - var msg865 = msg("00518:02", part1387); - - var part1388 = match("MESSAGE#856:00518:03", "nwparser.payload", "User 
%{username->} at %{saddr->} must enter \"Next Code\" for SecurID %{hostip}", processor_chain([ - dup203, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg866 = msg("00518:03", part1388); - - var part1389 = match("MESSAGE#857:00518:04", "nwparser.payload", "WebAuth user %{username->} at %{saddr->} has been %{disposition->} via the %{logon_type->} server at %{hostip}", processor_chain([ - dup203, - dup2, - dup4, - dup5, - dup3, - ])); - - var msg867 = msg("00518:04", part1389); - - var part1390 = match("MESSAGE#858:00518:05", "nwparser.payload", "User %{username->} at %{saddr->} has been challenged via the %{authmethod->} server at %{hostip->} (Rejected since challenge is not supported for %{logon_type})", processor_chain([ - dup203, - dup2, - dup4, - dup5, - dup3, - ])); - - var msg868 = msg("00518:05", part1390); - - var part1391 = match("MESSAGE#859:00518:06", "nwparser.payload", "Error in authentication for WebAuth user %{username}", processor_chain([ - dup35, - dup29, - dup31, - dup54, - dup2, - dup4, - dup5, - dup3, - ])); - - var msg869 = msg("00518:06", part1391); - - var part1392 = match("MESSAGE#860:00518:07/0", "nwparser.payload", "Authentication for user %{username->} was denied (long %{p0}"); - - var part1393 = match("MESSAGE#860:00518:07/1_1", "nwparser.p0", "username %{p0}"); - - var select329 = linear_select([ - dup24, - part1393, - ]); - - var part1394 = match("MESSAGE#860:00518:07/2", "nwparser.p0", ")%{}"); - - var all309 = all_match({ - processors: [ - part1392, - select329, - part1394, - ], - on_success: processor_chain([ - dup53, - dup29, - dup31, - dup54, - dup2, - dup4, - dup5, - dup3, - ]), - }); - - var msg870 = msg("00518:07", all309); - - var part1395 = match("MESSAGE#861:00518:08", "nwparser.payload", "User %{username->} at %{saddr->} %{authmethod->} authentication attempt has timed out", processor_chain([ - dup35, - dup29, - dup31, - dup39, - dup2, - dup4, - dup5, - dup3, - ])); - - var msg871 = msg("00518:08", part1395); - - var 
part1396 = match("MESSAGE#862:00518:09", "nwparser.payload", "User %{username->} at %{saddr->} has been %{disposition->} via the %{logon_type->} server at %{hostip}", processor_chain([ - dup203, - dup2, - dup4, - dup5, - dup3, - ])); - - var msg872 = msg("00518:09", part1396); - - var part1397 = match("MESSAGE#863:00518:10", "nwparser.payload", "Admin user \"%{administrator}\" login attempt for %{logon_type->} (%{network_service}) management (port %{network_port}) from %{saddr}:%{sport->} failed due to %{result}. (%{fld1})", processor_chain([ - dup206, - dup29, - dup30, - dup31, - dup54, - dup2, - dup4, - dup9, - dup5, - dup3, - dup302, - ])); - - var msg873 = msg("00518:10", part1397); - - var part1398 = match("MESSAGE#864:00518:11/0", "nwparser.payload", "ADM: Local admin authentication failed for login name %{p0}"); - - var part1399 = match("MESSAGE#864:00518:11/1_0", "nwparser.p0", "'%{username}': %{p0}"); - - var part1400 = match("MESSAGE#864:00518:11/1_1", "nwparser.p0", "%{username}: %{p0}"); - - var select330 = linear_select([ - part1399, - part1400, - ]); - - var part1401 = match("MESSAGE#864:00518:11/2", "nwparser.p0", "%{result->} (%{fld1})"); - - var all310 = all_match({ - processors: [ - part1398, - select330, - part1401, - ], - on_success: processor_chain([ - dup206, - dup29, - dup30, - dup31, - dup54, - dup2, - dup9, - dup4, - dup5, - dup3, - ]), - }); - - var msg874 = msg("00518:11", all310); - - var part1402 = match("MESSAGE#865:00518:12", "nwparser.payload", "Admin user \"%{administrator}\" login attempt for %{logon_type}(%{network_service}) management (port %{network_port}) from %{saddr}:%{sport->} %{disposition}. (%{fld1})", processor_chain([ - dup240, - dup2, - dup4, - dup9, - dup5, - dup3, - ])); - - var msg875 = msg("00518:12", part1402); - - var part1403 = match("MESSAGE#866:00518:13", "nwparser.payload", "User %{username->} at %{saddr->} is rejected by the Radius server at %{hostip}. 
(%{fld1})", processor_chain([ - dup290, - dup2, - dup3, - dup4, - dup9, - dup5, - ])); - - var msg876 = msg("00518:13", part1403); - - var part1404 = match("MESSAGE#867:00518:14", "nwparser.payload", "%{fld2}: Admin user has been rejected via the Radius server at %{hostip->} (%{fld1})", processor_chain([ - dup290, - dup2, - dup4, - dup5, - dup9, - ])); - - var msg877 = msg("00518:14", part1404); - - var select331 = linear_select([ - msg862, - msg863, - msg864, - msg865, - msg866, - msg867, - msg868, - msg869, - msg870, - msg871, - msg872, - msg873, - msg874, - msg875, - msg876, - msg877, - ]); - - var part1405 = match("MESSAGE#868:00519/0", "nwparser.payload", "Admin user %{administrator->} %{p0}"); - - var part1406 = match("MESSAGE#868:00519/1_1", "nwparser.p0", "of group %{group->} at %{saddr->} has %{p0}"); - - var part1407 = match("MESSAGE#868:00519/1_2", "nwparser.p0", "%{group->} at %{saddr->} has %{p0}"); - - var select332 = linear_select([ - dup194, - part1406, - part1407, - ]); - - var part1408 = match("MESSAGE#868:00519/2", "nwparser.p0", "been %{disposition->} via the %{logon_type->} server %{p0}"); - - var part1409 = match("MESSAGE#868:00519/3_0", "nwparser.p0", "at %{p0}"); - - var select333 = linear_select([ - part1409, - dup16, - ]); - - var part1410 = match("MESSAGE#868:00519/4", "nwparser.p0", "%{hostip}"); - - var all311 = all_match({ - processors: [ - part1405, - select332, - part1408, - select333, - part1410, - ], - on_success: processor_chain([ - dup203, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg878 = msg("00519", all311); - - var part1411 = match("MESSAGE#869:00519:01/0", "nwparser.payload", "Local authentication for %{p0}"); - - var select334 = linear_select([ - dup307, - dup305, - ]); - - var part1412 = match("MESSAGE#869:00519:01/2", "nwparser.p0", "%{username->} was %{disposition}"); - - var all312 = all_match({ - processors: [ - part1411, - select334, - part1412, - ], - on_success: processor_chain([ - dup203, - dup2, - dup3, 
- dup4, - dup5, - ]), - }); - - var msg879 = msg("00519:01", all312); - - var part1413 = match("MESSAGE#870:00519:02/1_1", "nwparser.p0", "User %{p0}"); - - var select335 = linear_select([ - dup307, - part1413, - ]); - - var part1414 = match("MESSAGE#870:00519:02/2", "nwparser.p0", "%{username->} at %{saddr->} has been %{disposition->} via the %{logon_type->} server at %{hostip}"); - - var all313 = all_match({ - processors: [ - dup160, - select335, - part1414, - ], - on_success: processor_chain([ - dup203, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg880 = msg("00519:02", all313); - - var part1415 = match("MESSAGE#871:00519:03", "nwparser.payload", "Admin user \"%{administrator}\" logged in for %{logon_type}(%{network_service}) management (port %{network_port}) from %{saddr}:%{sport->} %{fld4}", processor_chain([ - dup240, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg881 = msg("00519:03", part1415); - - var part1416 = match("MESSAGE#872:00519:04", "nwparser.payload", "ADM: Local admin authentication successful for login name %{username->} (%{fld1})", processor_chain([ - dup240, - dup2, - dup4, - dup5, - dup9, - ])); - - var msg882 = msg("00519:04", part1416); - - var part1417 = match("MESSAGE#873:00519:05", "nwparser.payload", "%{fld2}Admin user %{administrator->} has been accepted via the Radius server at %{hostip}(%{fld1})", processor_chain([ - dup240, - dup2, - dup4, - dup5, - dup9, - ])); - - var msg883 = msg("00519:05", part1417); - - var select336 = linear_select([ - msg878, - msg879, - msg880, - msg881, - msg882, - msg883, - ]); - - var part1418 = match("MESSAGE#874:00520", "nwparser.payload", "%{hostname->} user authentication attempt has timed out", processor_chain([ - dup35, - dup31, - dup39, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg884 = msg("00520", part1418); - - var part1419 = match("MESSAGE#875:00520:01/0", "nwparser.payload", "User %{username->} at %{hostip->} %{p0}"); - - var part1420 = match("MESSAGE#875:00520:01/1_0", 
"nwparser.p0", "RADIUS %{p0}"); - - var part1421 = match("MESSAGE#875:00520:01/1_1", "nwparser.p0", "SecurID %{p0}"); - - var part1422 = match("MESSAGE#875:00520:01/1_2", "nwparser.p0", "LDAP %{p0}"); - - var part1423 = match("MESSAGE#875:00520:01/1_3", "nwparser.p0", "Local %{p0}"); - - var select337 = linear_select([ - part1420, - part1421, - part1422, - part1423, - ]); - - var part1424 = match("MESSAGE#875:00520:01/2", "nwparser.p0", "authentication attempt has timed out%{}"); - - var all314 = all_match({ - processors: [ - part1419, - select337, - part1424, - ], - on_success: processor_chain([ - dup35, - dup31, - dup39, - dup2, - dup4, - dup5, - dup3, - ]), - }); - - var msg885 = msg("00520:01", all314); - - var part1425 = match("MESSAGE#876:00520:02/0", "nwparser.payload", "Trying %{p0}"); - - var part1426 = match("MESSAGE#876:00520:02/2", "nwparser.p0", "server %{fld2}"); - - var all315 = all_match({ - processors: [ - part1425, - dup400, - part1426, - ], - on_success: processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg886 = msg("00520:02", all315); - - var part1427 = match("MESSAGE#877:00520:03/1_0", "nwparser.p0", "Primary %{p0}"); - - var part1428 = match("MESSAGE#877:00520:03/1_1", "nwparser.p0", "Backup1 %{p0}"); - - var part1429 = match("MESSAGE#877:00520:03/1_2", "nwparser.p0", "Backup2 %{p0}"); - - var select338 = linear_select([ - part1427, - part1428, - part1429, - ]); - - var part1430 = match("MESSAGE#877:00520:03/2", "nwparser.p0", "%{fld2}, %{p0}"); - - var part1431 = match("MESSAGE#877:00520:03/4", "nwparser.p0", "%{fld3}, and %{p0}"); - - var part1432 = match("MESSAGE#877:00520:03/6", "nwparser.p0", "%{fld4->} servers failed"); - - var all316 = all_match({ - processors: [ - dup160, - select338, - part1430, - dup400, - part1431, - dup400, - part1432, - ], - on_success: processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg887 = msg("00520:03", all316); - - var part1433 = 
match("MESSAGE#878:00520:04", "nwparser.payload", "Trying %{fld2->} Server %{hostip->} (%{fld1})", processor_chain([ - dup44, - dup2, - dup4, - dup5, - dup9, - ])); - - var msg888 = msg("00520:04", part1433); - - var part1434 = match("MESSAGE#1221:00520:05", "nwparser.payload", "Active Server Switchover: New requests for %{fld31->} server will try %{fld32->} from now on. (%{fld1})", processor_chain([ - dup44, - dup2, - dup4, - dup5, - dup9, - ])); - - var msg889 = msg("00520:05", part1434); - - var select339 = linear_select([ - msg884, - msg885, - msg886, - msg887, - msg888, - msg889, - ]); - - var part1435 = match("MESSAGE#879:00521", "nwparser.payload", "Can't connect to E-mail server %{hostip}", processor_chain([ - dup27, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg890 = msg("00521", part1435); - - var part1436 = match("MESSAGE#880:00522", "nwparser.payload", "HA link state has %{fld2}", processor_chain([ - dup117, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg891 = msg("00522", part1436); - - var part1437 = match("MESSAGE#881:00523", "nwparser.payload", "URL filtering received an error from %{fld2->} (error %{resultcode}).", processor_chain([ - dup232, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg892 = msg("00523", part1437); - - var part1438 = match("MESSAGE#882:00524", "nwparser.payload", "NetScreen device at %{hostip}:%{network_port->} has responded successfully to SNMP request from %{saddr}:%{sport}", processor_chain([ - dup209, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg893 = msg("00524", part1438); - - var part1439 = match("MESSAGE#883:00524:02", "nwparser.payload", "SNMP request from an unknown SNMP community public at %{hostip}:%{network_port->} has been received. 
(%{fld1})", processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg894 = msg("00524:02", part1439); - - var part1440 = match("MESSAGE#884:00524:03", "nwparser.payload", "SNMP: NetScreen device has responded successfully to the SNMP request from %{saddr}:%{sport}. (%{fld1})", processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg895 = msg("00524:03", part1440); - - var part1441 = match("MESSAGE#885:00524:04", "nwparser.payload", "SNMP request from an unknown SNMP community admin at %{hostip}:%{network_port->} has been received. (%{fld1})", processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg896 = msg("00524:04", part1441); - - var part1442 = match("MESSAGE#886:00524:05", "nwparser.payload", "SNMP request from an unknown SNMP community %{fld2->} at %{hostip}:%{network_port->} has been received. (%{fld1})", processor_chain([ - dup18, - dup2, - dup4, - dup5, - dup9, - ])); - - var msg897 = msg("00524:05", part1442); - - var part1443 = match("MESSAGE#887:00524:06", "nwparser.payload", "SNMP request has been received from an unknown host in SNMP community %{fld2->} at %{hostip}:%{network_port}. (%{fld1})", processor_chain([ - dup18, - dup2, - dup4, - dup5, - dup9, - ])); - - var msg898 = msg("00524:06", part1443); - - var part1444 = match("MESSAGE#888:00524:12", "nwparser.payload", "SNMP request from an unknown SNMP community %{fld2->} at %{saddr}:%{sport->} to %{daddr}:%{dport->} has been received", processor_chain([ - dup18, - dup2, - dup4, - dup5, - ])); - - var msg899 = msg("00524:12", part1444); - - var part1445 = match("MESSAGE#889:00524:14", "nwparser.payload", "SNMP request from %{saddr}:%{sport->} has been received, but the SNMP version type is incorrect. 
(%{fld1})", processor_chain([ - dup19, - dup2, - dup4, - setc("result","the SNMP version type is incorrect"), - dup5, - dup9, - ])); - - var msg900 = msg("00524:14", part1445); - - var part1446 = match("MESSAGE#890:00524:13/0", "nwparser.payload", "SNMP request has been received%{p0}"); - - var part1447 = match("MESSAGE#890:00524:13/2", "nwparser.p0", "%{}but %{result}"); - - var all317 = all_match({ - processors: [ - part1446, - dup401, - part1447, - ], - on_success: processor_chain([ - dup18, - dup2, - dup4, - dup5, - ]), - }); - - var msg901 = msg("00524:13", all317); - - var part1448 = match("MESSAGE#891:00524:07", "nwparser.payload", "Response to SNMP request from %{saddr}:%{sport->} to %{daddr}:%{dport->} has %{disposition->} due to %{result}", processor_chain([ - dup18, - dup2, - dup4, - dup5, - ])); - - var msg902 = msg("00524:07", part1448); - - var part1449 = match("MESSAGE#892:00524:08", "nwparser.payload", "SNMP community %{fld2->} cannot be added because %{result}", processor_chain([ - dup18, - dup2, - dup4, - dup5, - ])); - - var msg903 = msg("00524:08", part1449); - - var part1450 = match("MESSAGE#893:00524:09", "nwparser.payload", "SNMP host %{hostip->} cannot be added to community %{fld2->} because of %{result}", processor_chain([ - dup18, - dup2, - dup4, - dup5, - ])); - - var msg904 = msg("00524:09", part1450); - - var part1451 = match("MESSAGE#894:00524:10", "nwparser.payload", "SNMP host %{hostip->} cannot be added because %{result}", processor_chain([ - dup18, - dup2, - dup4, - dup5, - ])); - - var msg905 = msg("00524:10", part1451); - - var part1452 = match("MESSAGE#895:00524:11", "nwparser.payload", "SNMP host %{hostip->} cannot be removed from community %{fld2->} because %{result}", processor_chain([ - dup18, - dup2, - dup4, - dup5, - ])); - - var msg906 = msg("00524:11", part1452); - - var part1453 = match("MESSAGE#1222:00524:16", "nwparser.payload", "SNMP user/community %{fld34->} doesn't exist. 
(%{fld1})", processor_chain([ - dup44, - dup2, - dup4, - dup5, - dup9, - ])); - - var msg907 = msg("00524:16", part1453); - - var select340 = linear_select([ - msg893, - msg894, - msg895, - msg896, - msg897, - msg898, - msg899, - msg900, - msg901, - msg902, - msg903, - msg904, - msg905, - msg906, - msg907, - ]); - - var part1454 = match("MESSAGE#896:00525", "nwparser.payload", "The new PIN for user %{username->} at %{hostip->} has been %{disposition->} by SecurID %{fld2}", processor_chain([ - dup203, - setc("ec_subject","Password"), - dup38, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg908 = msg("00525", part1454); - - var part1455 = match("MESSAGE#897:00525:01", "nwparser.payload", "User %{username->} at %{hostip->} has selected a system-generated PIN for authentication with SecurID %{fld2}", processor_chain([ - dup203, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg909 = msg("00525:01", part1455); - - var part1456 = match("MESSAGE#898:00525:02", "nwparser.payload", "User %{username->} at %{hostip->} must enter the \"new PIN\" for SecurID %{fld2}", processor_chain([ - dup203, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg910 = msg("00525:02", part1456); - - var part1457 = match("MESSAGE#899:00525:03", "nwparser.payload", "User %{username->} at %{hostip->} must make a \"New PIN\" choice for SecurID %{fld2}", processor_chain([ - dup203, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg911 = msg("00525:03", part1457); - - var select341 = linear_select([ - msg908, - msg909, - msg910, - msg911, - ]); - - var part1458 = match("MESSAGE#900:00526", "nwparser.payload", "The user limit has been exceeded and %{hostip->} cannot be added", processor_chain([ - dup37, - dup219, - dup38, - dup39, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg912 = msg("00526", part1458); - - var part1459 = match("MESSAGE#901:00527/0", "nwparser.payload", "A DHCP-%{p0}"); - - var part1460 = match("MESSAGE#901:00527/1_1", "nwparser.p0", " assigned %{p0}"); - - var select342 = 
linear_select([ - dup311, - part1460, - ]); - - var part1461 = match("MESSAGE#901:00527/2", "nwparser.p0", "IP address %{hostip->} has been %{p0}"); - - var part1462 = match("MESSAGE#901:00527/3_1", "nwparser.p0", "freed from %{p0}"); - - var part1463 = match("MESSAGE#901:00527/3_2", "nwparser.p0", "freed %{p0}"); - - var select343 = linear_select([ - dup312, - part1462, - part1463, - ]); - - var all318 = all_match({ - processors: [ - part1459, - select342, - part1461, - select343, - dup108, - ], - on_success: processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg913 = msg("00527", all318); - - var part1464 = match("MESSAGE#902:00527:01", "nwparser.payload", "A DHCP-assigned IP address has been manually released%{}", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg914 = msg("00527:01", part1464); - - var part1465 = match("MESSAGE#903:00527:02/0", "nwparser.payload", "DHCP server has %{p0}"); - - var part1466 = match("MESSAGE#903:00527:02/1_1", "nwparser.p0", "released %{p0}"); - - var part1467 = match("MESSAGE#903:00527:02/1_2", "nwparser.p0", "assigned or released %{p0}"); - - var select344 = linear_select([ - dup311, - part1466, - part1467, - ]); - - var part1468 = match("MESSAGE#903:00527:02/2", "nwparser.p0", "an IP address%{}"); - - var all319 = all_match({ - processors: [ - part1465, - select344, - part1468, - ], - on_success: processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg915 = msg("00527:02", all319); - - var part1469 = match("MESSAGE#904:00527:03", "nwparser.payload", "MAC address %{macaddr->} has detected an IP conflict and has declined address %{hostip}", processor_chain([ - dup272, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg916 = msg("00527:03", part1469); - - var part1470 = match("MESSAGE#905:00527:04", "nwparser.payload", "One or more DHCP-assigned IP addresses have been manually released.%{}", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - 
])); - - var msg917 = msg("00527:04", part1470); - - var part1471 = match("MESSAGE#906:00527:05/2", "nwparser.p0", "%{} %{interface->} is more than %{fld2->} allocated."); - - var all320 = all_match({ - processors: [ - dup210, - dup337, - part1471, - ], - on_success: processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg918 = msg("00527:05", all320); - - var part1472 = match("MESSAGE#907:00527:06/0", "nwparser.payload", "IP address %{hostip->} %{p0}"); - - var select345 = linear_select([ - dup106, - dup127, - ]); - - var part1473 = match("MESSAGE#907:00527:06/3_1", "nwparser.p0", "released from %{p0}"); - - var select346 = linear_select([ - dup312, - part1473, - ]); - - var part1474 = match("MESSAGE#907:00527:06/4", "nwparser.p0", "%{fld2->} (%{fld1})"); - - var all321 = all_match({ - processors: [ - part1472, - select345, - dup23, - select346, - part1474, - ], - on_success: processor_chain([ - dup44, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg919 = msg("00527:06", all321); - - var part1475 = match("MESSAGE#908:00527:07", "nwparser.payload", "One or more IP addresses have expired. 
(%{fld1})", processor_chain([ - dup44, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg920 = msg("00527:07", part1475); - - var part1476 = match("MESSAGE#909:00527:08", "nwparser.payload", "DHCP server on interface %{interface->} received %{protocol_detail->} from %{smacaddr->} requesting out-of-scope IP address %{hostip}/%{mask->} (%{fld1})", processor_chain([ - dup44, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg921 = msg("00527:08", part1476); - - var part1477 = match("MESSAGE#910:00527:09/0", "nwparser.payload", "MAC address %{macaddr->} has %{disposition->} %{p0}"); - - var part1478 = match("MESSAGE#910:00527:09/1_0", "nwparser.p0", "address %{hostip->} (%{p0}"); - - var part1479 = match("MESSAGE#910:00527:09/1_1", "nwparser.p0", "%{hostip->} (%{p0}"); - - var select347 = linear_select([ - part1478, - part1479, - ]); - - var all322 = all_match({ - processors: [ - part1477, - select347, - dup41, - ], - on_success: processor_chain([ - dup272, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg922 = msg("00527:09", all322); - - var part1480 = match("MESSAGE#911:00527:10", "nwparser.payload", "One or more IP addresses are expired. 
(%{fld1})", processor_chain([ - dup44, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg923 = msg("00527:10", part1480); - - var select348 = linear_select([ - msg913, - msg914, - msg915, - msg916, - msg917, - msg918, - msg919, - msg920, - msg921, - msg922, - msg923, - ]); - - var part1481 = match("MESSAGE#912:00528", "nwparser.payload", "SCS: User '%{username}' authenticated using password :", processor_chain([ - setc("eventcategory","1302010000"), - dup29, - dup31, - dup32, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg924 = msg("00528", part1481); - - var part1482 = match("MESSAGE#913:00528:01", "nwparser.payload", "SCS: Connection terminated for user %{username->} from", processor_chain([ - dup203, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg925 = msg("00528:01", part1482); - - var part1483 = match("MESSAGE#914:00528:02", "nwparser.payload", "SCS: Disabled for all root/vsys on device. Client host attempting connection to interface '%{interface}' with address %{hostip->} from %{saddr}", processor_chain([ - dup203, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg926 = msg("00528:02", part1483); - - var part1484 = match("MESSAGE#915:00528:03", "nwparser.payload", "SSH: NetScreen device %{disposition->} to identify itself to the SSH client at %{hostip}", processor_chain([ - dup203, - dup2, - dup4, - dup5, - dup3, - ])); - - var msg927 = msg("00528:03", part1484); - - var part1485 = match("MESSAGE#916:00528:04", "nwparser.payload", "SSH: Incompatible SSH version string has been received from SSH client at %{hostip}", processor_chain([ - dup203, - dup2, - dup4, - dup5, - dup3, - ])); - - var msg928 = msg("00528:04", part1485); - - var part1486 = match("MESSAGE#917:00528:05", "nwparser.payload", "SSH: %{disposition->} to send identification string to client host at %{hostip}", processor_chain([ - dup203, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg929 = msg("00528:05", part1486); - - var part1487 = match("MESSAGE#918:00528:06", 
"nwparser.payload", "SSH: Client at %{saddr->} attempted to connect with invalid version string.", processor_chain([ - dup313, - dup2, - dup3, - dup4, - dup5, - setc("result","invalid version string"), - ])); - - var msg930 = msg("00528:06", part1487); - - var part1488 = match("MESSAGE#919:00528:07/0", "nwparser.payload", "SSH: %{disposition->} to negotiate %{p0}"); - - var part1489 = match("MESSAGE#919:00528:07/1_1", "nwparser.p0", "MAC %{p0}"); - - var part1490 = match("MESSAGE#919:00528:07/1_2", "nwparser.p0", "key exchange %{p0}"); - - var part1491 = match("MESSAGE#919:00528:07/1_3", "nwparser.p0", "host key %{p0}"); - - var select349 = linear_select([ - dup88, - part1489, - part1490, - part1491, - ]); - - var part1492 = match("MESSAGE#919:00528:07/2", "nwparser.p0", "algorithm with host %{hostip}"); - - var all323 = all_match({ - processors: [ - part1488, - select349, - part1492, - ], - on_success: processor_chain([ - dup314, - dup2, - dup4, - dup5, - dup3, - ]), - }); - - var msg931 = msg("00528:07", all323); - - var part1493 = match("MESSAGE#920:00528:08", "nwparser.payload", "SSH: Unsupported cipher type %{fld2->} requested from %{saddr}", processor_chain([ - dup314, - dup2, - dup4, - dup5, - dup3, - ])); - - var msg932 = msg("00528:08", part1493); - - var part1494 = match("MESSAGE#921:00528:09", "nwparser.payload", "SSH: Host client has requested NO cipher from %{saddr}", processor_chain([ - dup314, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg933 = msg("00528:09", part1494); - - var part1495 = match("MESSAGE#922:00528:10", "nwparser.payload", "SSH: Disabled for '%{vsys}'. 
Attempted connection %{disposition->} from %{saddr}:%{sport}", processor_chain([ - dup281, - dup2, - dup4, - dup5, - dup3, - ])); - - var msg934 = msg("00528:10", part1495); - - var part1496 = match("MESSAGE#923:00528:11", "nwparser.payload", "SSH: Disabled for %{fld2->} Attempted connection %{disposition->} from %{saddr}:%{sport}", processor_chain([ - dup281, - dup2, - dup4, - dup5, - dup3, - ])); - - var msg935 = msg("00528:11", part1496); - - var part1497 = match("MESSAGE#924:00528:12", "nwparser.payload", "SSH: SSH user %{username->} at %{saddr->} tried unsuccessfully to log in to %{vsys->} using the shared untrusted interface. SSH disabled on that interface.", processor_chain([ - dup281, - dup2, - dup4, - dup5, - dup3, - setc("disposition","disabled"), - ])); - - var msg936 = msg("00528:12", part1497); - - var part1498 = match("MESSAGE#925:00528:13/0", "nwparser.payload", "SSH: SSH client at %{saddr->} tried unsuccessfully to %{p0}"); - - var part1499 = match("MESSAGE#925:00528:13/1_0", "nwparser.p0", "make %{p0}"); - - var part1500 = match("MESSAGE#925:00528:13/1_1", "nwparser.p0", "establish %{p0}"); - - var select350 = linear_select([ - part1499, - part1500, - ]); - - var part1501 = match("MESSAGE#925:00528:13/2", "nwparser.p0", "an SSH connection to %{p0}"); - - var part1502 = match("MESSAGE#925:00528:13/4", "nwparser.p0", "%{} %{interface->} with IP %{hostip->} SSH %{p0}"); - - var part1503 = match("MESSAGE#925:00528:13/5_0", "nwparser.p0", "not enabled %{p0}"); - - var select351 = linear_select([ - part1503, - dup157, - ]); - - var part1504 = match("MESSAGE#925:00528:13/6", "nwparser.p0", "on that interface.%{}"); - - var all324 = all_match({ - processors: [ - part1498, - select350, - part1501, - dup337, - part1502, - select351, - part1504, - ], - on_success: processor_chain([ - dup281, - dup2, - dup4, - dup5, - dup3, - ]), - }); - - var msg937 = msg("00528:13", all324); - - var part1505 = match("MESSAGE#926:00528:14", "nwparser.payload", "SSH: SSH 
client %{saddr->} unsuccessfully attempted to make an SSH connection to %{vsys->} SSH was not completely initialized for that system.", processor_chain([ - dup281, - dup2, - dup4, - dup5, - dup3, - ])); - - var msg938 = msg("00528:14", part1505); - - var part1506 = match("MESSAGE#927:00528:15/0", "nwparser.payload", "SSH: Admin user %{p0}"); - - var part1507 = match("MESSAGE#927:00528:15/1_1", "nwparser.p0", "%{administrator->} %{p0}"); - - var select352 = linear_select([ - dup315, - part1507, - ]); - - var part1508 = match("MESSAGE#927:00528:15/2", "nwparser.p0", "at host %{saddr->} requested unsupported %{p0}"); - - var part1509 = match("MESSAGE#927:00528:15/3_0", "nwparser.p0", "PKA algorithm %{p0}"); - - var part1510 = match("MESSAGE#927:00528:15/3_1", "nwparser.p0", "authentication method %{p0}"); - - var select353 = linear_select([ - part1509, - part1510, - ]); - - var all325 = all_match({ - processors: [ - part1506, - select352, - part1508, - select353, - dup108, - ], - on_success: processor_chain([ - dup281, - dup2, - dup4, - dup5, - dup3, - ]), - }); - - var msg939 = msg("00528:15", all325); - - var part1511 = match("MESSAGE#928:00528:16", "nwparser.payload", "SCP: Admin '%{administrator}' at host %{saddr->} executed invalid scp command: '%{fld2}'", processor_chain([ - dup281, - dup2, - dup4, - dup5, - dup3, - ])); - - var msg940 = msg("00528:16", part1511); - - var part1512 = match("MESSAGE#929:00528:17", "nwparser.payload", "SCP: Disabled for '%{username}'. 
Attempted file transfer failed from host %{saddr}", processor_chain([ - dup281, - dup2, - dup4, - dup5, - dup3, - ])); - - var msg941 = msg("00528:17", part1512); - - var part1513 = match("MESSAGE#930:00528:18/2", "nwparser.p0", "authentication successful for admin user %{p0}"); - - var all326 = all_match({ - processors: [ - dup316, - dup402, - part1513, - dup403, - dup320, - ], - on_success: processor_chain([ - dup281, - dup2, - dup4, - dup5, - dup3, - setc("disposition","successful"), - setc("event_description","authentication successful for admin user"), - ]), - }); - - var msg942 = msg("00528:18", all326); - - var part1514 = match("MESSAGE#931:00528:26/2", "nwparser.p0", "authentication failed for admin user %{p0}"); - - var all327 = all_match({ - processors: [ - dup316, - dup402, - part1514, - dup403, - dup320, - ], - on_success: processor_chain([ - dup206, - dup29, - dup31, - dup54, - dup2, - dup4, - dup5, - dup302, - dup3, - setc("event_description","authentication failed for admin user"), - ]), - }); - - var msg943 = msg("00528:26", all327); - - var part1515 = match("MESSAGE#932:00528:19/2", "nwparser.p0", ": SSH user %{username->} has been %{disposition->} using password from %{saddr}:%{sport}"); - - var all328 = all_match({ - processors: [ - dup321, - dup404, - part1515, - ], - on_success: processor_chain([ - dup281, - dup2, - dup4, - dup5, - dup3, - ]), - }); - - var msg944 = msg("00528:19", all328); - - var part1516 = match("MESSAGE#933:00528:20/2", "nwparser.p0", ": Connection has been %{disposition->} for admin user %{administrator->} at %{saddr}:%{sport}"); - - var all329 = all_match({ - processors: [ - dup321, - dup404, - part1516, - ], - on_success: processor_chain([ - dup281, - dup2, - dup4, - dup5, - dup3, - ]), - }); - - var msg945 = msg("00528:20", all329); - - var part1517 = match("MESSAGE#934:00528:21", "nwparser.payload", "SCS: SSH user %{username->} at %{saddr}:%{sport->} has requested PKA RSA authentication, which is not supported for that 
client.", processor_chain([ - dup281, - dup2, - dup4, - dup5, - dup3, - ])); - - var msg946 = msg("00528:21", part1517); - - var part1518 = match("MESSAGE#935:00528:22/0", "nwparser.payload", "SCS: SSH client at %{saddr->} has attempted to make an SCS connection to %{p0}"); - - var part1519 = match("MESSAGE#935:00528:22/2", "nwparser.p0", "%{} %{interface->} with IP %{hostip->} but %{disposition->} because SCS is not enabled for that interface."); - - var all330 = all_match({ - processors: [ - part1518, - dup337, - part1519, - ], - on_success: processor_chain([ - dup281, - dup2, - dup4, - dup5, - dup3, - setc("result","SCS is not enabled for that interface"), - ]), - }); - - var msg947 = msg("00528:22", all330); - - var part1520 = match("MESSAGE#936:00528:23", "nwparser.payload", "SCS: SSH client at %{saddr}:%{sport->} has %{disposition->} to make an SCS connection to vsys %{vsys->} because SCS cannot generate the host and server keys before timing out.", processor_chain([ - dup281, - dup2, - dup4, - dup5, - dup3, - setc("result","SCS cannot generate the host and server keys before timing out"), - ])); - - var msg948 = msg("00528:23", part1520); - - var part1521 = match("MESSAGE#937:00528:24", "nwparser.payload", "SSH: %{change_attribute->} has been changed from %{change_old->} to %{change_new}", processor_chain([ - dup281, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg949 = msg("00528:24", part1521); - - var part1522 = match("MESSAGE#938:00528:25/0", "nwparser.payload", "SSH: Admin %{p0}"); - - var part1523 = match("MESSAGE#938:00528:25/2", "nwparser.p0", "at host %{saddr->} attempted to be authenticated with no authentication methods enabled."); - - var all331 = all_match({ - processors: [ - part1522, - dup403, - part1523, - ], - on_success: processor_chain([ - dup281, - dup2, - dup4, - dup5, - dup3, - ]), - }); - - var msg950 = msg("00528:25", all331); - - var select354 = linear_select([ - msg924, - msg925, - msg926, - msg927, - msg928, - msg929, - msg930, - 
msg931, - msg932, - msg933, - msg934, - msg935, - msg936, - msg937, - msg938, - msg939, - msg940, - msg941, - msg942, - msg943, - msg944, - msg945, - msg946, - msg947, - msg948, - msg949, - msg950, - ]); - - var part1524 = match("MESSAGE#939:00529/1_0", "nwparser.p0", "manually %{p0}"); - - var part1525 = match("MESSAGE#939:00529/1_1", "nwparser.p0", "automatically %{p0}"); - - var select355 = linear_select([ - part1524, - part1525, - ]); - - var part1526 = match("MESSAGE#939:00529/2", "nwparser.p0", "refreshed%{}"); - - var all332 = all_match({ - processors: [ - dup63, - select355, - part1526, - ], - on_success: processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg951 = msg("00529", all332); - - var part1527 = match("MESSAGE#940:00529:01/0", "nwparser.payload", "DNS entries have been refreshed by %{p0}"); - - var part1528 = match("MESSAGE#940:00529:01/1_0", "nwparser.p0", "state change%{}"); - - var part1529 = match("MESSAGE#940:00529:01/1_1", "nwparser.p0", "HA%{}"); - - var select356 = linear_select([ - part1528, - part1529, - ]); - - var all333 = all_match({ - processors: [ - part1527, - select356, - ], - on_success: processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg952 = msg("00529:01", all333); - - var select357 = linear_select([ - msg951, - msg952, - ]); - - var part1530 = match("MESSAGE#941:00530", "nwparser.payload", "An IP conflict has been detected and the DHCP client has declined address %{hostip}", processor_chain([ - dup272, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg953 = msg("00530", part1530); - - var part1531 = match("MESSAGE#942:00530:01/0", "nwparser.payload", "DHCP client IP %{hostip->} for the %{p0}"); - - var part1532 = match("MESSAGE#942:00530:01/2", "nwparser.p0", "%{} %{interface->} has been manually released"); - - var all334 = all_match({ - processors: [ - part1531, - dup337, - part1532, - ], - on_success: processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ]), 
- }); - - var msg954 = msg("00530:01", all334); - - var part1533 = match("MESSAGE#943:00530:02", "nwparser.payload", "DHCP client is unable to get an IP address for the %{interface->} interface", processor_chain([ - dup18, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg955 = msg("00530:02", part1533); - - var part1534 = match("MESSAGE#944:00530:03", "nwparser.payload", "DHCP client lease for %{hostip->} has expired", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg956 = msg("00530:03", part1534); - - var part1535 = match("MESSAGE#945:00530:04", "nwparser.payload", "DHCP server %{hostip->} has assigned the untrust Interface %{interface->} with lease %{fld2}.", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg957 = msg("00530:04", part1535); - - var part1536 = match("MESSAGE#946:00530:05", "nwparser.payload", "DHCP server %{hostip->} has assigned the %{interface->} interface %{fld2->} with lease %{fld3}", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg958 = msg("00530:05", part1536); - - var part1537 = match("MESSAGE#947:00530:06", "nwparser.payload", "DHCP client is unable to get IP address for the untrust interface.%{}", processor_chain([ - dup18, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg959 = msg("00530:06", part1537); - - var select358 = linear_select([ - msg953, - msg954, - msg955, - msg956, - msg957, - msg958, - msg959, - ]); - - var part1538 = match("MESSAGE#948:00531/0", "nwparser.payload", "System clock configurations have been changed by admin %{p0}"); - - var all335 = all_match({ - processors: [ - part1538, - dup397, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg960 = msg("00531", all335); - - var part1539 = match("MESSAGE#949:00531:01", "nwparser.payload", "failed to get clock through NTP%{}", processor_chain([ - dup86, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg961 = msg("00531:01", 
part1539); - - var part1540 = match("MESSAGE#950:00531:02", "nwparser.payload", "The system clock has been updated through NTP.%{}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg962 = msg("00531:02", part1540); - - var part1541 = match("MESSAGE#951:00531:03/0", "nwparser.payload", "The system clock was updated from %{type->} NTP server type %{hostname->} with a%{p0}"); - - var part1542 = match("MESSAGE#951:00531:03/1_0", "nwparser.p0", " ms %{p0}"); - - var select359 = linear_select([ - part1542, - dup115, - ]); - - var part1543 = match("MESSAGE#951:00531:03/2", "nwparser.p0", "adjustment of %{fld3}. Authentication was %{fld4}. Update mode was %{p0}"); - - var part1544 = match("MESSAGE#951:00531:03/3_0", "nwparser.p0", "%{fld5}(%{fld2})"); - - var part1545 = match_copy("MESSAGE#951:00531:03/3_1", "nwparser.p0", "fld5"); - - var select360 = linear_select([ - part1544, - part1545, - ]); - - var all336 = all_match({ - processors: [ - part1541, - select359, - part1543, - select360, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - dup146, - ]), - }); - - var msg963 = msg("00531:03", all336); - - var part1546 = match("MESSAGE#952:00531:04/0", "nwparser.payload", "The NetScreen device is attempting to contact the %{p0}"); - - var part1547 = match("MESSAGE#952:00531:04/1_0", "nwparser.p0", "primary backup %{p0}"); - - var part1548 = match("MESSAGE#952:00531:04/1_1", "nwparser.p0", "secondary backup %{p0}"); - - var select361 = linear_select([ - part1547, - part1548, - dup189, - ]); - - var part1549 = match("MESSAGE#952:00531:04/2", "nwparser.p0", "NTP server %{hostname}"); - - var all337 = all_match({ - processors: [ - part1546, - select361, - part1549, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg964 = msg("00531:04", all337); - - var part1550 = match("MESSAGE#953:00531:05", "nwparser.payload", "No NTP server could be contacted. 
(%{fld1})", processor_chain([ - dup86, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg965 = msg("00531:05", part1550); - - var part1551 = match("MESSAGE#954:00531:06", "nwparser.payload", "Network Time Protocol adjustment of %{fld2->} from NTP server %{hostname->} exceeds the allowed adjustment of %{fld3}. (%{fld1})", processor_chain([ - dup86, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg966 = msg("00531:06", part1551); - - var part1552 = match("MESSAGE#955:00531:07", "nwparser.payload", "No acceptable time could be obtained from any NTP server. (%{fld1})", processor_chain([ - dup86, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg967 = msg("00531:07", part1552); - - var part1553 = match("MESSAGE#956:00531:08", "nwparser.payload", "Administrator %{administrator->} changed the %{change_attribute->} from %{change_old->} to %{change_new->} (by %{fld3->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport}) (%{fld1})", processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg968 = msg("00531:08", part1553); - - var part1554 = match("MESSAGE#957:00531:09", "nwparser.payload", "Network Time Protocol settings changed. 
(%{fld1})", processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg969 = msg("00531:09", part1554); - - var part1555 = match("MESSAGE#958:00531:10", "nwparser.payload", "NTP server is %{disposition->} on interface %{interface->} (%{fld1})", processor_chain([ - dup86, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg970 = msg("00531:10", part1555); - - var part1556 = match("MESSAGE#959:00531:11", "nwparser.payload", "The system clock will be changed from %{change_old->} to %{change_new->} received from primary NTP server %{hostip->} (%{fld1})", processor_chain([ - dup44, - dup2, - dup3, - dup9, - dup4, - dup5, - setc("event_description","system clock changed based on receive from primary NTP server"), - ])); - - var msg971 = msg("00531:11", part1556); - - var part1557 = match("MESSAGE#1223:00531:12", "nwparser.payload", "%{fld35->} NTP server %{saddr->} could not be contacted. (%{fld1})", processor_chain([ - dup44, - dup2, - dup4, - dup5, - dup9, - ])); - - var msg972 = msg("00531:12", part1557); - - var select362 = linear_select([ - msg960, - msg961, - msg962, - msg963, - msg964, - msg965, - msg966, - msg967, - msg968, - msg969, - msg970, - msg971, - msg972, - ]); - - var part1558 = match("MESSAGE#960:00533", "nwparser.payload", "VIP server %{hostip->} is now responding", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg973 = msg("00533", part1558); - - var part1559 = match("MESSAGE#961:00534", "nwparser.payload", "%{fld2->} has been cleared", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg974 = msg("00534", part1559); - - var part1560 = match("MESSAGE#962:00535", "nwparser.payload", "Cannot find the CA certificate with distinguished name %{fld2}", processor_chain([ - dup314, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg975 = msg("00535", part1560); - - var part1561 = match("MESSAGE#963:00535:01", "nwparser.payload", "Distinguished name %{dn->} in the X509 
certificate request is %{disposition}", processor_chain([ - dup314, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg976 = msg("00535:01", part1561); - - var part1562 = match("MESSAGE#964:00535:02", "nwparser.payload", "Local certificate with distinguished name %{dn->} is %{disposition}", processor_chain([ - dup314, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg977 = msg("00535:02", part1562); - - var part1563 = match("MESSAGE#965:00535:03", "nwparser.payload", "PKCS #7 data cannot be decapsulated%{}", processor_chain([ - dup314, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg978 = msg("00535:03", part1563); - - var part1564 = match("MESSAGE#966:00535:04", "nwparser.payload", "SCEP_FAILURE message has been received from the CA%{}", processor_chain([ - dup314, - dup2, - dup3, - dup4, - dup5, - setc("result","SCEP_FAILURE message"), - ])); - - var msg979 = msg("00535:04", part1564); - - var part1565 = match("MESSAGE#967:00535:05", "nwparser.payload", "PKI error message has been received: %{result}", processor_chain([ - dup314, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg980 = msg("00535:05", part1565); - - var part1566 = match("MESSAGE#968:00535:06", "nwparser.payload", "PKI: Saved CA configuration (CA cert subject name %{dn}). (%{event_time_string})", processor_chain([ - dup314, - dup2, - dup3, - dup4, - dup5, - setc("event_description","Saved CA configuration - cert subject name"), - ])); - - var msg981 = msg("00535:06", part1566); - - var select363 = linear_select([ - msg975, - msg976, - msg977, - msg978, - msg979, - msg980, - msg981, - ]); - - var part1567 = match("MESSAGE#969:00536:49/0", "nwparser.payload", "IKE %{hostip->} %{p0}"); - - var part1568 = match("MESSAGE#969:00536:49/1_0", "nwparser.p0", "Phase 2 msg ID %{sessionid}: %{disposition}. %{p0}"); - - var part1569 = match("MESSAGE#969:00536:49/1_1", "nwparser.p0", "Phase 1: %{disposition->} %{p0}"); - - var part1570 = match("MESSAGE#969:00536:49/1_2", "nwparser.p0", "phase 2:%{disposition}. 
%{p0}"); - - var part1571 = match("MESSAGE#969:00536:49/1_3", "nwparser.p0", "phase 1:%{disposition}. %{p0}"); - - var select364 = linear_select([ - part1568, - part1569, - part1570, - part1571, - ]); - - var all338 = all_match({ - processors: [ - part1567, - select364, - dup10, - ], - on_success: processor_chain([ - dup44, - dup2, - dup9, - dup3, - dup4, - dup5, - ]), - }); - - var msg982 = msg("00536:49", all338); - - var part1572 = match("MESSAGE#970:00536", "nwparser.payload", "UDP packets have been received from %{saddr}/%{sport->} at interface %{interface->} at %{daddr}/%{dport}", processor_chain([ - dup44, - dup2, - dup4, - dup5, - dup3, - dup61, - ])); - - var msg983 = msg("00536", part1572); - - var part1573 = match("MESSAGE#971:00536:01", "nwparser.payload", "Attempt to set tunnel (%{fld2}) without IP address at both end points! Check outgoing interface.", processor_chain([ - dup18, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg984 = msg("00536:01", part1573); - - var part1574 = match("MESSAGE#972:00536:02", "nwparser.payload", "Gateway %{fld2->} at %{hostip->} in %{fld4->} mode with ID: %{fld3->} has been %{disposition}.", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg985 = msg("00536:02", part1574); - - var part1575 = match("MESSAGE#973:00536:03", "nwparser.payload", "IKE gateway %{fld2->} has been %{disposition}. 
%{info}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg986 = msg("00536:03", part1575); - - var part1576 = match("MESSAGE#974:00536:04", "nwparser.payload", "VPN monitoring for VPN %{group->} has deactivated the SA with ID %{fld2}.", processor_chain([ - setc("eventcategory","1801010100"), - dup2, - dup3, - dup4, - dup5, - ])); - - var msg987 = msg("00536:04", part1576); - - var part1577 = match("MESSAGE#975:00536:05", "nwparser.payload", "VPN ID number cannot be assigned%{}", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg988 = msg("00536:05", part1577); - - var part1578 = match("MESSAGE#976:00536:06", "nwparser.payload", "Local gateway IP address has changed to %{fld2}. VPNs cannot terminate at an interface with IP %{hostip}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg989 = msg("00536:06", part1578); - - var part1579 = match("MESSAGE#977:00536:07", "nwparser.payload", "Local gateway IP address has changed from %{change_old->} to another setting", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg990 = msg("00536:07", part1579); - - var part1580 = match("MESSAGE#978:00536:08", "nwparser.payload", "IKE %{hostip}: Sent initial contact notification message", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg991 = msg("00536:08", part1580); - - var part1581 = match("MESSAGE#979:00536:09", "nwparser.payload", "IKE %{hostip}: Sent initial contact notification", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg992 = msg("00536:09", part1581); - - var part1582 = match("MESSAGE#980:00536:10", "nwparser.payload", "IKE %{hostip}: Responded to a packet with a bad SPI after rebooting", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg993 = msg("00536:10", part1582); - - var part1583 = match("MESSAGE#981:00536:11", "nwparser.payload", "IKE %{hostip}: Removed Phase 2 SAs after 
receiving a notification message", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg994 = msg("00536:11", part1583); - - var part1584 = match("MESSAGE#982:00536:12", "nwparser.payload", "IKE %{hostip}: Rejected first Phase 1 packet from an unrecognized source", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg995 = msg("00536:12", part1584); - - var part1585 = match("MESSAGE#983:00536:13", "nwparser.payload", "IKE %{hostip}: Rejected an initial Phase 1 packet from an unrecognized peer gateway", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg996 = msg("00536:13", part1585); - - var part1586 = match("MESSAGE#984:00536:14/0", "nwparser.payload", "IKE %{hostip}: Received initial contact notification and removed Phase %{p0}"); - - var part1587 = match("MESSAGE#984:00536:14/2", "nwparser.p0", "SAs%{}"); - - var all339 = all_match({ - processors: [ - part1586, - dup383, - part1587, - ], - on_success: processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg997 = msg("00536:14", all339); - - var part1588 = match("MESSAGE#985:00536:50", "nwparser.payload", "IKE %{hostip}: Received a notification message for %{disposition}. 
(%{fld1})", processor_chain([ - dup44, - dup2, - dup9, - dup3, - dup4, - dup5, - ])); - - var msg998 = msg("00536:50", part1588); - - var part1589 = match("MESSAGE#986:00536:15", "nwparser.payload", "IKE %{hostip}: Received incorrect ID payload: IP address %{fld2->} instead of IP address %{fld3}", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg999 = msg("00536:15", part1589); - - var part1590 = match("MESSAGE#987:00536:16", "nwparser.payload", "IKE %{hostip}: Phase 2 negotiation request is already in the task list", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1000 = msg("00536:16", part1590); - - var part1591 = match("MESSAGE#988:00536:17", "nwparser.payload", "IKE %{hostip}: Heartbeats have been lost %{fld2->} times", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1001 = msg("00536:17", part1591); - - var part1592 = match("MESSAGE#989:00536:18", "nwparser.payload", "IKE %{hostip}: Dropped peer packet because no policy uses the peer configuration", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1002 = msg("00536:18", part1592); - - var part1593 = match("MESSAGE#990:00536:19", "nwparser.payload", "IKE %{hostip}: Dropped packet because remote gateway OK is not used in any VPN tunnel configurations", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1003 = msg("00536:19", part1593); - - var part1594 = match("MESSAGE#991:00536:20", "nwparser.payload", "IKE %{hostip}: Added the initial contact task to the task list", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1004 = msg("00536:20", part1594); - - var part1595 = match("MESSAGE#992:00536:21", "nwparser.payload", "IKE %{hostip}: Added Phase 2 session tasks to the task list", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1005 = msg("00536:21", part1595); - - var part1596 = match("MESSAGE#993:00536:22", 
"nwparser.payload", "IKE %{hostip->} Phase 1 : %{disposition->} proposals from peer. Negotiations failed", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - setc("result","Negotiations failed"), - ])); - - var msg1006 = msg("00536:22", part1596); - - var part1597 = match("MESSAGE#994:00536:23", "nwparser.payload", "IKE %{hostip->} Phase 1 : Aborted negotiations because the time limit has elapsed", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - setc("result","The time limit has elapsed"), - setc("disposition","Aborted"), - ])); - - var msg1007 = msg("00536:23", part1597); - - var part1598 = match("MESSAGE#995:00536:24", "nwparser.payload", "IKE %{hostip->} Phase 2: Received a message but did not check a policy because id-mode is set to IP or policy-checking is disabled", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1008 = msg("00536:24", part1598); - - var part1599 = match("MESSAGE#996:00536:25", "nwparser.payload", "IKE %{hostip->} Phase 2: Received DH group %{fld2->} instead of expected group %{fld3->} for PFS", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1009 = msg("00536:25", part1599); - - var part1600 = match("MESSAGE#997:00536:26", "nwparser.payload", "IKE %{hostip->} Phase 2: No policy exists for the proxy ID received: local ID %{fld2->} remote ID %{fld3}", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1010 = msg("00536:26", part1600); - - var part1601 = match("MESSAGE#998:00536:27", "nwparser.payload", "IKE %{hostip->} Phase 1: RSA private key is needed to sign packets", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1011 = msg("00536:27", part1601); - - var part1602 = match("MESSAGE#999:00536:28", "nwparser.payload", "IKE %{hostip->} Phase 1: Aggressive mode negotiations have %{disposition}", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1012 = msg("00536:28", part1602); - - 
var part1603 = match("MESSAGE#1000:00536:29", "nwparser.payload", "IKE %{hostip->} Phase 1: Vendor ID payload indicates that the peer does not support NAT-T", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1013 = msg("00536:29", part1603); - - var part1604 = match("MESSAGE#1001:00536:30", "nwparser.payload", "IKE %{hostip->} Phase 1: Retransmission limit has been reached", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1014 = msg("00536:30", part1604); - - var part1605 = match("MESSAGE#1002:00536:31", "nwparser.payload", "IKE %{hostip->} Phase 1: Received an invalid RSA signature", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1015 = msg("00536:31", part1605); - - var part1606 = match("MESSAGE#1003:00536:32", "nwparser.payload", "IKE %{hostip->} Phase 1: Received an incorrect public key authentication method", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1016 = msg("00536:32", part1606); - - var part1607 = match("MESSAGE#1004:00536:33", "nwparser.payload", "IKE %{hostip->} Phase 1: No private key exists to sign packets", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1017 = msg("00536:33", part1607); - - var part1608 = match("MESSAGE#1005:00536:34", "nwparser.payload", "IKE %{hostip->} Phase 1: Main mode packet has arrived with ID type IP address but no user configuration was found for that ID", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1018 = msg("00536:34", part1608); - - var part1609 = match("MESSAGE#1006:00536:35", "nwparser.payload", "IKE %{hostip->} Phase 1: IKE initiator has detected NAT in front of the local device", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1019 = msg("00536:35", part1609); - - var part1610 = match("MESSAGE#1007:00536:36/0", "nwparser.payload", "IKE %{hostip->} Phase 1: Discarded a second initial packet%{p0}"); - - var 
part1611 = match("MESSAGE#1007:00536:36/2", "nwparser.p0", "%{}which arrived within %{fld2->} after the first"); - - var all340 = all_match({ - processors: [ - part1610, - dup401, - part1611, - ], - on_success: processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg1020 = msg("00536:36", all340); - - var part1612 = match("MESSAGE#1008:00536:37", "nwparser.payload", "IKE %{hostip->} Phase 1: Completed Aggressive mode negotiations with a %{fld2->} lifetime", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1021 = msg("00536:37", part1612); - - var part1613 = match("MESSAGE#1009:00536:38", "nwparser.payload", "IKE %{hostip->} Phase 1: Certificate received has a subject name that does not match the ID payload", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1022 = msg("00536:38", part1613); - - var part1614 = match("MESSAGE#1010:00536:39", "nwparser.payload", "IKE %{hostip->} Phase 1: Certificate received has a different IP address %{fld2->} than expected", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1023 = msg("00536:39", part1614); - - var part1615 = match("MESSAGE#1011:00536:40", "nwparser.payload", "IKE %{hostip->} Phase 1: Cannot use a preshared key because the peer%{quote}s gateway has a dynamic IP address and negotiations are in Main mode", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1024 = msg("00536:40", part1615); - - var part1616 = match("MESSAGE#1012:00536:47", "nwparser.payload", "IKE %{hostip->} Phase 1: Initiated negotiations in Aggressive mode", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1025 = msg("00536:47", part1616); - - var part1617 = match("MESSAGE#1013:00536:41", "nwparser.payload", "IKE %{hostip->} Phase 1: Cannot verify RSA signature", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1026 = msg("00536:41", part1617); - - var part1618 = 
match("MESSAGE#1014:00536:42", "nwparser.payload", "IKE %{hostip->} Phase 1: Initiated Main mode negotiations", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1027 = msg("00536:42", part1618); - - var part1619 = match("MESSAGE#1015:00536:43", "nwparser.payload", "IKE %{hostip->} Phase 2: Initiated negotiations", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1028 = msg("00536:43", part1619); - - var part1620 = match("MESSAGE#1016:00536:44", "nwparser.payload", "IKE %{hostip}: Changed heartbeat interval to %{fld2}", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1029 = msg("00536:44", part1620); - - var part1621 = match("MESSAGE#1017:00536:45", "nwparser.payload", "IKE %{hostip}: Heartbeats have been %{disposition->} because %{result}", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1030 = msg("00536:45", part1621); - - var part1622 = match("MESSAGE#1018:00536:48", "nwparser.payload", "Received an IKE packet on %{interface->} from %{saddr}:%{sport->} to %{daddr}:%{dport}/%{fld1}. Cookies: %{ike_cookie1}, %{ike_cookie2}. 
(%{event_time_string})", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - setc("event_description","Received an IKE packet on interface"), - ])); - - var msg1031 = msg("00536:48", part1622); - - var part1623 = match("MESSAGE#1019:00536:46", "nwparser.payload", "IKE %{hostip}: Received a bad SPI", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1032 = msg("00536:46", part1623); - - var select365 = linear_select([ - msg982, - msg983, - msg984, - msg985, - msg986, - msg987, - msg988, - msg989, - msg990, - msg991, - msg992, - msg993, - msg994, - msg995, - msg996, - msg997, - msg998, - msg999, - msg1000, - msg1001, - msg1002, - msg1003, - msg1004, - msg1005, - msg1006, - msg1007, - msg1008, - msg1009, - msg1010, - msg1011, - msg1012, - msg1013, - msg1014, - msg1015, - msg1016, - msg1017, - msg1018, - msg1019, - msg1020, - msg1021, - msg1022, - msg1023, - msg1024, - msg1025, - msg1026, - msg1027, - msg1028, - msg1029, - msg1030, - msg1031, - msg1032, - ]); - - var part1624 = match("MESSAGE#1020:00537", "nwparser.payload", "PPPoE %{disposition->} to establish a session: %{info}", processor_chain([ - dup18, - dup2, - dup4, - dup5, - dup3, - ])); - - var msg1033 = msg("00537", part1624); - - var part1625 = match("MESSAGE#1021:00537:01", "nwparser.payload", "PPPoE session shuts down: %{result}", processor_chain([ - dup18, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1034 = msg("00537:01", part1625); - - var part1626 = match("MESSAGE#1022:00537:02", "nwparser.payload", "The Point-to-Point over Ethernet (PPPoE) connection failed to establish a session: %{result}", processor_chain([ - dup18, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1035 = msg("00537:02", part1626); - - var part1627 = match("MESSAGE#1023:00537:03", "nwparser.payload", "PPPoE session has successfully established%{}", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1036 = msg("00537:03", part1627); - - var select366 = 
linear_select([ - msg1033, - msg1034, - msg1035, - msg1036, - ]); - - var part1628 = match("MESSAGE#1024:00538/0", "nwparser.payload", "NACN failed to register to Policy Manager %{fld2->} because %{p0}"); - - var select367 = linear_select([ - dup111, - dup119, - ]); - - var part1629 = match("MESSAGE#1024:00538/2", "nwparser.p0", "%{result}"); - - var all341 = all_match({ - processors: [ - part1628, - select367, - part1629, - ], - on_success: processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg1037 = msg("00538", all341); - - var part1630 = match("MESSAGE#1025:00538:01", "nwparser.payload", "NACN successfully registered to Policy Manager %{fld2}.", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1038 = msg("00538:01", part1630); - - var part1631 = match("MESSAGE#1026:00538:02", "nwparser.payload", "The NACN protocol has started for Policy Manager %{fld2->} on hostname %{hostname->} IP address %{hostip->} port %{network_port}.", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1039 = msg("00538:02", part1631); - - var part1632 = match("MESSAGE#1027:00538:03", "nwparser.payload", "Cannot connect to NSM Server at %{hostip->} (%{fld2->} connect attempt(s)) %{fld3}", processor_chain([ - dup19, - dup2, - dup4, - dup5, - dup3, - ])); - - var msg1040 = msg("00538:03", part1632); - - var part1633 = match("MESSAGE#1028:00538:04", "nwparser.payload", "Device is not known to Global PRO data collector at %{hostip}", processor_chain([ - dup27, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1041 = msg("00538:04", part1633); - - var part1634 = match("MESSAGE#1029:00538:05/0", "nwparser.payload", "Lost %{p0}"); - - var part1635 = match("MESSAGE#1029:00538:05/1_0", "nwparser.p0", "socket connection%{p0}"); - - var part1636 = match("MESSAGE#1029:00538:05/1_1", "nwparser.p0", "connection%{p0}"); - - var select368 = linear_select([ - part1635, - part1636, - ]); - - var part1637 = 
match("MESSAGE#1029:00538:05/2", "nwparser.p0", "%{}to Global PRO data collector at %{hostip}"); - - var all342 = all_match({ - processors: [ - part1634, - select368, - part1637, - ], - on_success: processor_chain([ - dup27, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg1042 = msg("00538:05", all342); - - var part1638 = match("MESSAGE#1030:00538:06/0", "nwparser.payload", "Device has connected to the Global PRO%{p0}"); - - var part1639 = match("MESSAGE#1030:00538:06/1_0", "nwparser.p0", " %{fld2->} primary data collector at %{p0}"); - - var part1640 = match("MESSAGE#1030:00538:06/1_1", "nwparser.p0", " primary data collector at %{p0}"); - - var select369 = linear_select([ - part1639, - part1640, - ]); - - var part1641 = match_copy("MESSAGE#1030:00538:06/2", "nwparser.p0", "hostip"); - - var all343 = all_match({ - processors: [ - part1638, - select369, - part1641, - ], - on_success: processor_chain([ - dup27, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg1043 = msg("00538:06", all343); - - var part1642 = match("MESSAGE#1031:00538:07/0", "nwparser.payload", "Connection to Global PRO data collector at %{hostip->} has%{p0}"); - - var part1643 = match("MESSAGE#1031:00538:07/1_0", "nwparser.p0", " been%{p0}"); - - var select370 = linear_select([ - part1643, - dup16, - ]); - - var all344 = all_match({ - processors: [ - part1642, - select370, - dup136, - ], - on_success: processor_chain([ - dup27, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg1044 = msg("00538:07", all344); - - var part1644 = match("MESSAGE#1032:00538:08", "nwparser.payload", "Cannot connect to Global PRO data collector at %{hostip}", processor_chain([ - dup27, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1045 = msg("00538:08", part1644); - - var part1645 = match("MESSAGE#1033:00538:09", "nwparser.payload", "NSM: Connected to NSM server at %{hostip->} (%{info}) (%{fld1})", processor_chain([ - dup301, - dup2, - dup3, - dup9, - dup4, - dup5, - 
setc("event_description","Connected to NSM server"), - ])); - - var msg1046 = msg("00538:09", part1645); - - var part1646 = match("MESSAGE#1034:00538:10/0", "nwparser.payload", "NSM: Connection to NSM server at %{hostip->} is down. Reason: %{resultcode}, %{result->} (%{p0}"); - - var part1647 = match("MESSAGE#1034:00538:10/1_0", "nwparser.p0", "%{info}) (%{fld1})"); - - var select371 = linear_select([ - part1647, - dup41, - ]); - - var all345 = all_match({ - processors: [ - part1646, - select371, - ], - on_success: processor_chain([ - dup198, - dup2, - dup3, - dup9, - dup4, - dup5, - setc("event_description","Connection to NSM server is down"), - ]), - }); - - var msg1047 = msg("00538:10", all345); - - var part1648 = match("MESSAGE#1035:00538:11", "nwparser.payload", "NSM: Cannot connect to NSM server at %{hostip}. Reason: %{resultcode}, %{result->} (%{info}) (%{fld2->} connect attempt(s)) (%{fld1})", processor_chain([ - dup198, - dup2, - dup3, - dup9, - dup4, - dup5, - dup323, - ])); - - var msg1048 = msg("00538:11", part1648); - - var part1649 = match("MESSAGE#1036:00538:12", "nwparser.payload", "NSM: Cannot connect to NSM server at %{hostip}. 
Reason: %{resultcode}, %{result->} (%{info}) (%{fld1})", processor_chain([ - dup198, - dup2, - dup3, - dup9, - dup4, - dup5, - dup323, - ])); - - var msg1049 = msg("00538:12", part1649); - - var part1650 = match("MESSAGE#1037:00538:13", "nwparser.payload", "NSM: Sent 2B message (%{fld1})", processor_chain([ - dup44, - dup2, - dup3, - dup9, - dup4, - dup5, - setc("event_description","Sent 2B message"), - ])); - - var msg1050 = msg("00538:13", part1650); - - var select372 = linear_select([ - msg1037, - msg1038, - msg1039, - msg1040, - msg1041, - msg1042, - msg1043, - msg1044, - msg1045, - msg1046, - msg1047, - msg1048, - msg1049, - msg1050, - ]); - - var part1651 = match("MESSAGE#1038:00539", "nwparser.payload", "No IP address in L2TP IP pool for user %{username}", processor_chain([ - dup117, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1051 = msg("00539", part1651); - - var part1652 = match("MESSAGE#1039:00539:01", "nwparser.payload", "No L2TP IP pool for user %{username}", processor_chain([ - dup117, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1052 = msg("00539:01", part1652); - - var part1653 = match("MESSAGE#1040:00539:02", "nwparser.payload", "Cannot allocate IP addr from Pool %{group_object->} for user %{username}", processor_chain([ - dup117, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1053 = msg("00539:02", part1653); - - var part1654 = match("MESSAGE#1041:00539:03", "nwparser.payload", "Dialup HDLC PPP failed to establish a session: %{fld2}.", processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1054 = msg("00539:03", part1654); - - var part1655 = match("MESSAGE#1042:00539:04", "nwparser.payload", "Dialup HDLC PPP session has successfully established.%{}", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1055 = msg("00539:04", part1655); - - var part1656 = match("MESSAGE#1043:00539:05", "nwparser.payload", "No IP Pool has been assigned. 
You cannot allocate an IP address%{}", processor_chain([ - dup18, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1056 = msg("00539:05", part1656); - - var part1657 = match("MESSAGE#1044:00539:06", "nwparser.payload", "PPP settings changed.%{}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1057 = msg("00539:06", part1657); - - var select373 = linear_select([ - msg1051, - msg1052, - msg1053, - msg1054, - msg1055, - msg1056, - msg1057, - ]); - - var part1658 = match("MESSAGE#1045:00541", "nwparser.payload", "ScreenOS %{fld2->} serial # %{serial_number}: Asset recovery has been %{disposition}", processor_chain([ - dup324, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1058 = msg("00541", part1658); - - var part1659 = match("MESSAGE#1216:00541:01", "nwparser.payload", "Neighbor router ID - %{fld2->} IP address - %{hostip->} changed its state to %{change_new}. (%{fld1})", processor_chain([ - dup273, - dup9, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1059 = msg("00541:01", part1659); - - var part1660 = match("MESSAGE#1218:00541:02", "nwparser.payload", "The system killed OSPF neighbor because the current router could not see itself in the hello packet. Neighbor changed state from %{change_old->} to %{change_new->} state, (neighbor router-id 1%{fld2}, ip-address %{hostip}). (%{fld1})", processor_chain([ - dup273, - dup9, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1060 = msg("00541:02", part1660); - - var part1661 = match("MESSAGE#1219:00541:03/0", "nwparser.payload", "LSA in following area aged out: LSA area ID %{fld3}, LSA ID %{fld4}, router ID %{fld2}, type %{fld7->} in OSPF. 
(%{fld1})%{p0}"); - - var part1662 = match("MESSAGE#1219:00541:03/1_0", "nwparser.p0", "\u003c\u003c%{fld16}>"); - - var select374 = linear_select([ - part1662, - dup21, - ]); - - var all346 = all_match({ - processors: [ - part1661, - select374, - ], - on_success: processor_chain([ - dup44, - dup9, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg1061 = msg("00541:03", all346); - - var select375 = linear_select([ - msg1058, - msg1059, - msg1060, - msg1061, - ]); - - var part1663 = match("MESSAGE#1046:00542", "nwparser.payload", "BGP of vr: %{node}, prefix adding: %{fld2}, ribin overflow %{fld3->} times (max rib-in %{fld4})", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1062 = msg("00542", part1663); - - var part1664 = match("MESSAGE#1047:00543/0", "nwparser.payload", "Access for %{p0}"); - - var part1665 = match("MESSAGE#1047:00543/1_0", "nwparser.p0", "WebAuth firewall %{p0}"); - - var part1666 = match("MESSAGE#1047:00543/1_1", "nwparser.p0", "firewall %{p0}"); - - var select376 = linear_select([ - part1665, - part1666, - ]); - - var part1667 = match("MESSAGE#1047:00543/2", "nwparser.p0", "user %{username->} %{space}at %{hostip->} (accepted at %{fld2->} for duration %{duration->} via the %{logon_type}) %{p0}"); - - var part1668 = match("MESSAGE#1047:00543/3_0", "nwparser.p0", "by policy id %{policy_id->} is %{p0}"); - - var select377 = linear_select([ - part1668, - dup106, - ]); - - var part1669 = match("MESSAGE#1047:00543/4", "nwparser.p0", "now over (%{fld1})"); - - var all347 = all_match({ - processors: [ - part1664, - select376, - part1667, - select377, - part1669, - ], - on_success: processor_chain([ - dup281, - dup2, - dup4, - dup5, - dup9, - dup3, - ]), - }); - - var msg1063 = msg("00543", all347); - - var part1670 = match("MESSAGE#1048:00544", "nwparser.payload", "User %{username->} [ of group %{group->} ] at %{hostip->} has been challenged by the RADIUS server at %{daddr}", processor_chain([ - dup281, - dup2, - dup4, - 
dup5, - dup3, - dup60, - setc("action","RADIUS server challenge"), - ])); - - var msg1064 = msg("00544", part1670); - - var part1671 = match("MESSAGE#1049:00546", "nwparser.payload", "delete-route-> trust-vr: %{fld2}", processor_chain([ - dup281, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1065 = msg("00546", part1671); - - var part1672 = match("MESSAGE#1050:00547", "nwparser.payload", "AV: Content from %{saddr}:%{sport}->%{daddr}:%{dport->} was not scanned because max content size was exceeded.", processor_chain([ - dup44, - dup2, - dup4, - dup5, - dup3, - dup61, - ])); - - var msg1066 = msg("00547", part1672); - - var part1673 = match("MESSAGE#1051:00547:01", "nwparser.payload", "AV: Content from %{saddr}:%{sport}->%{daddr}:%{dport->} was not scanned due to a scan engine error or constraint.", processor_chain([ - dup44, - dup2, - dup4, - dup5, - dup3, - dup61, - ])); - - var msg1067 = msg("00547:01", part1673); - - var part1674 = match("MESSAGE#1052:00547:02", "nwparser.payload", "AV object scan-mgr data has been %{disposition}.", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1068 = msg("00547:02", part1674); - - var part1675 = match("MESSAGE#1053:00547:03/0", "nwparser.payload", "AV: Content from %{location_desc}, http url: %{url}, is passed %{p0}"); - - var part1676 = match("MESSAGE#1053:00547:03/1_0", "nwparser.p0", "due to %{p0}"); - - var part1677 = match("MESSAGE#1053:00547:03/1_1", "nwparser.p0", "because %{p0}"); - - var select378 = linear_select([ - part1676, - part1677, - ]); - - var part1678 = match("MESSAGE#1053:00547:03/2", "nwparser.p0", "%{result}. 
(%{event_time_string})"); - - var all348 = all_match({ - processors: [ - part1675, - select378, - part1678, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - setc("event_description","Content is bypassed for connection"), - ]), - }); - - var msg1069 = msg("00547:03", all348); - - var select379 = linear_select([ - msg1066, - msg1067, - msg1068, - msg1069, - ]); - - var part1679 = match("MESSAGE#1054:00549", "nwparser.payload", "add-route-> untrust-vr: %{fld2}", processor_chain([ - dup281, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1070 = msg("00549", part1679); - - var part1680 = match("MESSAGE#1055:00551", "nwparser.payload", "Error %{resultcode->} occurred during configlet file processing.", processor_chain([ - dup18, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1071 = msg("00551", part1680); - - var part1681 = match("MESSAGE#1056:00551:01", "nwparser.payload", "Error %{resultcode->} occurred, causing failure to establish secure management with Management System.", processor_chain([ - dup86, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1072 = msg("00551:01", part1681); - - var part1682 = match("MESSAGE#1057:00551:02/0", "nwparser.payload", "Configlet file %{p0}"); - - var part1683 = match("MESSAGE#1057:00551:02/1_0", "nwparser.p0", "decryption %{p0}"); - - var select380 = linear_select([ - part1683, - dup89, - ]); - - var all349 = all_match({ - processors: [ - part1682, - select380, - dup128, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg1073 = msg("00551:02", all349); - - var part1684 = match("MESSAGE#1058:00551:03", "nwparser.payload", "Rapid Deployment cannot start because gateway has undergone configuration changes. 
(%{fld1})", processor_chain([ - dup18, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg1074 = msg("00551:03", part1684); - - var part1685 = match("MESSAGE#1059:00551:04", "nwparser.payload", "Secure management established successfully with remote server. (%{fld1})", processor_chain([ - dup44, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg1075 = msg("00551:04", part1685); - - var select381 = linear_select([ - msg1071, - msg1072, - msg1073, - msg1074, - msg1075, - ]); - - var part1686 = match("MESSAGE#1060:00553/0", "nwparser.payload", "SCAN-MGR: Failed to get %{p0}"); - - var part1687 = match("MESSAGE#1060:00553/1_0", "nwparser.p0", "AltServer %{p0}"); - - var part1688 = match("MESSAGE#1060:00553/1_1", "nwparser.p0", "Version %{p0}"); - - var part1689 = match("MESSAGE#1060:00553/1_2", "nwparser.p0", "Path_GateLockCE %{p0}"); - - var select382 = linear_select([ - part1687, - part1688, - part1689, - ]); - - var all350 = all_match({ - processors: [ - part1686, - select382, - dup325, - ], - on_success: processor_chain([ - dup18, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg1076 = msg("00553", all350); - - var part1690 = match("MESSAGE#1061:00553:01", "nwparser.payload", "SCAN-MGR: Zero pattern size from server.ini.%{}", processor_chain([ - dup18, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1077 = msg("00553:01", part1690); - - var part1691 = match("MESSAGE#1062:00553:02", "nwparser.payload", "SCAN-MGR: Pattern size from server.ini is too large: %{bytes->} (bytes).", processor_chain([ - dup18, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1078 = msg("00553:02", part1691); - - var part1692 = match("MESSAGE#1063:00553:03", "nwparser.payload", "SCAN-MGR: Pattern URL from server.ini is too long: %{fld2}; max is %{fld3}.", processor_chain([ - dup18, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1079 = msg("00553:03", part1692); - - var part1693 = match("MESSAGE#1064:00553:04/0", "nwparser.payload", "SCAN-MGR: Failed to retrieve 
%{p0}"); - - var select383 = linear_select([ - dup326, - dup327, - ]); - - var part1694 = match("MESSAGE#1064:00553:04/2", "nwparser.p0", "file: %{fld2}; http status code: %{resultcode}."); - - var all351 = all_match({ - processors: [ - part1693, - select383, - part1694, - ], - on_success: processor_chain([ - dup18, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg1080 = msg("00553:04", all351); - - var part1695 = match("MESSAGE#1065:00553:05", "nwparser.payload", "SCAN-MGR: Failed to write pattern into a RAM file.%{}", processor_chain([ - dup18, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1081 = msg("00553:05", part1695); - - var part1696 = match("MESSAGE#1066:00553:06", "nwparser.payload", "SCAN-MGR: Check Pattern File failed: code from VSAPI: %{resultcode}", processor_chain([ - dup18, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1082 = msg("00553:06", part1696); - - var part1697 = match("MESSAGE#1067:00553:07", "nwparser.payload", "SCAN-MGR: Failed to write pattern into flash.%{}", processor_chain([ - dup18, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1083 = msg("00553:07", part1697); - - var part1698 = match("MESSAGE#1068:00553:08/0", "nwparser.payload", "SCAN-MGR: Internal error while setting up for retrieving %{p0}"); - - var select384 = linear_select([ - dup327, - dup326, - ]); - - var all352 = all_match({ - processors: [ - part1698, - select384, - dup328, - ], - on_success: processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg1084 = msg("00553:08", all352); - - var part1699 = match("MESSAGE#1069:00553:09", "nwparser.payload", "SCAN-MGR: %{fld2->} %{disposition}: Err: %{resultcode}.", processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1085 = msg("00553:09", part1699); - - var part1700 = match("MESSAGE#1070:00553:10", "nwparser.payload", "SCAN-MGR: TMIntCPVSInit %{disposition->} due to %{result}", processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1086 = 
msg("00553:10", part1700); - - var part1701 = match("MESSAGE#1071:00553:11", "nwparser.payload", "SCAN-MGR: Attempted Pattern Creation Date(%{fld2}) is after AV Key Expiration date(%{fld3}).", processor_chain([ - dup18, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1087 = msg("00553:11", part1701); - - var part1702 = match("MESSAGE#1072:00553:12", "nwparser.payload", "SCAN-MGR: TMIntSetDecompressLayer %{disposition}: Layer: %{fld2}, Err: %{resultcode}.", processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1088 = msg("00553:12", part1702); - - var part1703 = match("MESSAGE#1073:00553:13", "nwparser.payload", "SCAN-MGR: TMIntSetExtractFileSizeLimit %{disposition}: Limit: %{fld2}, Err: %{resultcode}.", processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1089 = msg("00553:13", part1703); - - var part1704 = match("MESSAGE#1074:00553:14", "nwparser.payload", "SCAN-MGR: TMIntScanFile %{disposition}: ret: %{fld2}; cpapiErrCode: %{resultcode}.", processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1090 = msg("00553:14", part1704); - - var part1705 = match("MESSAGE#1075:00553:15", "nwparser.payload", "SCAN-MGR: VSAPI resource usage error. 
Left usage: %{fld2}.", processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1091 = msg("00553:15", part1705); - - var part1706 = match("MESSAGE#1076:00553:16", "nwparser.payload", "SCAN-MGR: Set decompress layer to %{fld2}.", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1092 = msg("00553:16", part1706); - - var part1707 = match("MESSAGE#1077:00553:17", "nwparser.payload", "SCAN-MGR: Set maximum content size to %{fld2}.", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1093 = msg("00553:17", part1707); - - var part1708 = match("MESSAGE#1078:00553:18", "nwparser.payload", "SCAN-MGR: Set maximum number of concurrent messages to %{fld2}.", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1094 = msg("00553:18", part1708); - - var part1709 = match("MESSAGE#1079:00553:19", "nwparser.payload", "SCAN-MGR: Set drop if maximum number of concurrent messages exceeds max to %{fld2}.", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1095 = msg("00553:19", part1709); - - var part1710 = match("MESSAGE#1080:00553:20", "nwparser.payload", "SCAN-MGR: Set Pattern URL to %{fld2}; update interval is %{fld3}.", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1096 = msg("00553:20", part1710); - - var part1711 = match("MESSAGE#1081:00553:21", "nwparser.payload", "SCAN-MGR: Unset Pattern URL; Pattern will not be updated automatically.%{}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1097 = msg("00553:21", part1711); - - var part1712 = match("MESSAGE#1082:00553:22", "nwparser.payload", "SCAN-MGR: New pattern updated: version: %{version}, size: %{bytes->} (bytes).", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1098 = msg("00553:22", part1712); - - var select385 = linear_select([ - msg1076, - msg1077, - msg1078, - msg1079, - msg1080, - msg1081, - msg1082, - msg1083, - 
msg1084, - msg1085, - msg1086, - msg1087, - msg1088, - msg1089, - msg1090, - msg1091, - msg1092, - msg1093, - msg1094, - msg1095, - msg1096, - msg1097, - msg1098, - ]); - - var part1713 = match("MESSAGE#1083:00554/0", "nwparser.payload", "SCAN-MGR: Cannot get %{p0}"); - - var part1714 = match("MESSAGE#1083:00554/1_0", "nwparser.p0", "AltServer info %{p0}"); - - var part1715 = match("MESSAGE#1083:00554/1_1", "nwparser.p0", "Version number %{p0}"); - - var part1716 = match("MESSAGE#1083:00554/1_2", "nwparser.p0", "Path_GateLockCE info %{p0}"); - - var select386 = linear_select([ - part1714, - part1715, - part1716, - ]); - - var all353 = all_match({ - processors: [ - part1713, - select386, - dup325, - ], - on_success: processor_chain([ - dup144, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg1099 = msg("00554", all353); - - var part1717 = match("MESSAGE#1084:00554:01", "nwparser.payload", "SCAN-MGR: Per server.ini file, the AV pattern file size is zero.%{}", processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1100 = msg("00554:01", part1717); - - var part1718 = match("MESSAGE#1085:00554:02", "nwparser.payload", "SCAN-MGR: AV pattern file size is too large (%{bytes->} bytes).", processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1101 = msg("00554:02", part1718); - - var part1719 = match("MESSAGE#1086:00554:03", "nwparser.payload", "SCAN-MGR: Alternate AV pattern file server URL is too long: %{bytes->} bytes. Max: %{fld2->} bytes.", processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1102 = msg("00554:03", part1719); - - var part1720 = match("MESSAGE#1087:00554:04/0", "nwparser.payload", "SCAN-MGR: Cannot retrieve %{p0}"); - - var part1721 = match("MESSAGE#1087:00554:04/2", "nwparser.p0", "file from %{hostip}:%{network_port}. 
HTTP status code: %{fld2}."); - - var all354 = all_match({ - processors: [ - part1720, - dup405, - part1721, - ], - on_success: processor_chain([ - dup144, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg1103 = msg("00554:04", all354); - - var part1722 = match("MESSAGE#1088:00554:05/0", "nwparser.payload", "SCAN-MGR: Cannot write AV pattern file to %{p0}"); - - var part1723 = match("MESSAGE#1088:00554:05/1_0", "nwparser.p0", "RAM %{p0}"); - - var part1724 = match("MESSAGE#1088:00554:05/1_1", "nwparser.p0", "flash %{p0}"); - - var select387 = linear_select([ - part1723, - part1724, - ]); - - var all355 = all_match({ - processors: [ - part1722, - select387, - dup116, - ], - on_success: processor_chain([ - dup144, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg1104 = msg("00554:05", all355); - - var part1725 = match("MESSAGE#1089:00554:06", "nwparser.payload", "SCAN-MGR: Cannot check AV pattern file. VSAPI code: %{fld2}", processor_chain([ - dup144, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1105 = msg("00554:06", part1725); - - var part1726 = match("MESSAGE#1090:00554:07/0", "nwparser.payload", "SCAN-MGR: Internal error occurred while retrieving %{p0}"); - - var all356 = all_match({ - processors: [ - part1726, - dup405, - dup328, - ], - on_success: processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg1106 = msg("00554:07", all356); - - var part1727 = match("MESSAGE#1091:00554:08/0", "nwparser.payload", "SCAN-MGR: Internal error occurred when calling this function: %{fld2}. 
%{fld3->} %{p0}"); - - var part1728 = match("MESSAGE#1091:00554:08/1_0", "nwparser.p0", "Error: %{resultcode->} %{p0}"); - - var part1729 = match("MESSAGE#1091:00554:08/1_1", "nwparser.p0", "Returned a NULL VSC handler %{p0}"); - - var part1730 = match("MESSAGE#1091:00554:08/1_2", "nwparser.p0", "cpapiErrCode: %{resultcode->} %{p0}"); - - var select388 = linear_select([ - part1728, - part1729, - part1730, - ]); - - var all357 = all_match({ - processors: [ - part1727, - select388, - dup116, - ], - on_success: processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg1107 = msg("00554:08", all357); - - var part1731 = match("MESSAGE#1092:00554:09", "nwparser.payload", "SCAN-MGR: Number of decompression layers has been set to %{fld2}.", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1108 = msg("00554:09", part1731); - - var part1732 = match("MESSAGE#1093:00554:10", "nwparser.payload", "SCAN-MGR: Maximum content size has been set to %{fld2->} KB.", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1109 = msg("00554:10", part1732); - - var part1733 = match("MESSAGE#1094:00554:11", "nwparser.payload", "SCAN-MGR: Maximum number of concurrent messages has been set to %{fld2}.", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1110 = msg("00554:11", part1733); - - var part1734 = match("MESSAGE#1095:00554:12/0", "nwparser.payload", "SCAN-MGR: Fail mode has been set to %{p0}"); - - var part1735 = match("MESSAGE#1095:00554:12/1_0", "nwparser.p0", "drop %{p0}"); - - var part1736 = match("MESSAGE#1095:00554:12/1_1", "nwparser.p0", "pass %{p0}"); - - var select389 = linear_select([ - part1735, - part1736, - ]); - - var part1737 = match("MESSAGE#1095:00554:12/2", "nwparser.p0", "unexamined traffic if %{p0}"); - - var part1738 = match("MESSAGE#1095:00554:12/3_0", "nwparser.p0", "content size %{p0}"); - - var part1739 = match("MESSAGE#1095:00554:12/3_1", "nwparser.p0", "number of 
concurrent messages %{p0}"); - - var select390 = linear_select([ - part1738, - part1739, - ]); - - var part1740 = match("MESSAGE#1095:00554:12/4", "nwparser.p0", "exceeds max.%{}"); - - var all358 = all_match({ - processors: [ - part1734, - select389, - part1737, - select390, - part1740, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg1111 = msg("00554:12", all358); - - var part1741 = match("MESSAGE#1096:00554:13", "nwparser.payload", "SCAN-MGR: URL for AV pattern update server has been set to %{fld2}, and the update interval to %{fld3->} minutes.", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1112 = msg("00554:13", part1741); - - var part1742 = match("MESSAGE#1097:00554:14", "nwparser.payload", "SCAN-MGR: URL for AV pattern update server has been unset, and the update interval returned to its default.%{}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1113 = msg("00554:14", part1742); - - var part1743 = match("MESSAGE#1098:00554:15", "nwparser.payload", "SCAN-MGR: New AV pattern file has been updated. Version: %{version}; size: %{bytes->} bytes.", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1114 = msg("00554:15", part1743); - - var part1744 = match("MESSAGE#1099:00554:16", "nwparser.payload", "SCAN-MGR: AV client has exceeded its resource allotment. Remaining available resources: %{fld2}.", processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1115 = msg("00554:16", part1744); - - var part1745 = match("MESSAGE#1100:00554:17", "nwparser.payload", "SCAN-MGR: Attempted to load AV pattern file created %{fld2->} after the AV subscription expired. 
(Exp: %{fld3})", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1116 = msg("00554:17", part1745); - - var select391 = linear_select([ - msg1099, - msg1100, - msg1101, - msg1102, - msg1103, - msg1104, - msg1105, - msg1106, - msg1107, - msg1108, - msg1109, - msg1110, - msg1111, - msg1112, - msg1113, - msg1114, - msg1115, - msg1116, - ]); - - var part1746 = match("MESSAGE#1101:00555", "nwparser.payload", "Vrouter %{node->} PIMSM cannot process non-multicast address %{hostip}", processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1117 = msg("00555", part1746); - - var part1747 = match("MESSAGE#1102:00556", "nwparser.payload", "UF-MGR: Failed to process a request. Reason: %{result}", processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1118 = msg("00556", part1747); - - var part1748 = match("MESSAGE#1103:00556:01", "nwparser.payload", "UF-MGR: Failed to abort a transaction. Reason: %{result}", processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1119 = msg("00556:01", part1748); - - var part1749 = match("MESSAGE#1104:00556:02/0", "nwparser.payload", "UF-MGR: UF %{p0}"); - - var part1750 = match("MESSAGE#1104:00556:02/1_0", "nwparser.p0", "K%{p0}"); - - var part1751 = match("MESSAGE#1104:00556:02/1_1", "nwparser.p0", "k%{p0}"); - - var select392 = linear_select([ - part1750, - part1751, - ]); - - var part1752 = match("MESSAGE#1104:00556:02/2", "nwparser.p0", "ey %{p0}"); - - var part1753 = match("MESSAGE#1104:00556:02/3_0", "nwparser.p0", "Expired%{p0}"); - - var part1754 = match("MESSAGE#1104:00556:02/3_1", "nwparser.p0", "expired%{p0}"); - - var select393 = linear_select([ - part1753, - part1754, - ]); - - var part1755 = match("MESSAGE#1104:00556:02/4", "nwparser.p0", "%{}(expiration date: %{fld2}; current date: %{fld3})."); - - var all359 = all_match({ - processors: [ - part1749, - select392, - part1752, - select393, - part1755, - ], - on_success: processor_chain([ - 
dup254, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg1120 = msg("00556:02", all359); - - var part1756 = match("MESSAGE#1105:00556:03/0", "nwparser.payload", "UF-MGR: Failed to %{p0}"); - - var part1757 = match("MESSAGE#1105:00556:03/1_0", "nwparser.p0", "enable %{p0}"); - - var part1758 = match("MESSAGE#1105:00556:03/1_1", "nwparser.p0", "disable %{p0}"); - - var select394 = linear_select([ - part1757, - part1758, - ]); - - var part1759 = match("MESSAGE#1105:00556:03/2", "nwparser.p0", "cache.%{}"); - - var all360 = all_match({ - processors: [ - part1756, - select394, - part1759, - ], - on_success: processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg1121 = msg("00556:03", all360); - - var part1760 = match("MESSAGE#1106:00556:04", "nwparser.payload", "UF-MGR: Internal Error: %{resultcode}", processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1122 = msg("00556:04", part1760); - - var part1761 = match("MESSAGE#1107:00556:05", "nwparser.payload", "UF-MGR: Cache size changed to %{fld2}(K).", processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1123 = msg("00556:05", part1761); - - var part1762 = match("MESSAGE#1108:00556:06", "nwparser.payload", "UF-MGR: Cache timeout changes to %{fld2->} (hours).", processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1124 = msg("00556:06", part1762); - - var part1763 = match("MESSAGE#1109:00556:07", "nwparser.payload", "UF-MGR: Category update interval changed to %{fld2->} (weeks).", processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1125 = msg("00556:07", part1763); - - var part1764 = match("MESSAGE#1110:00556:08/0", "nwparser.payload", "UF-MGR: Cache %{p0}"); - - var all361 = all_match({ - processors: [ - part1764, - dup358, - dup116, - ], - on_success: processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg1126 = msg("00556:08", all361); - - var part1765 = 
match("MESSAGE#1111:00556:09", "nwparser.payload", "UF-MGR: URL BLOCKED: ip_addr (%{fld2}) -> ip_addr (%{fld3}), %{fld4->} action: %{disposition}, category: %{fld5}, reason %{result}", processor_chain([ - dup232, - dup2, - dup3, - dup4, - dup5, - dup282, - ])); - - var msg1127 = msg("00556:09", part1765); - - var part1766 = match("MESSAGE#1112:00556:10", "nwparser.payload", "UF-MGR: URL FILTER ERR: ip_addr (%{fld2}) -> ip_addr (%{fld3}), host: %{fld5->} page: %{fld4->} code: %{resultcode->} reason: %{result}.", processor_chain([ - dup232, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1128 = msg("00556:10", part1766); - - var part1767 = match("MESSAGE#1113:00556:11", "nwparser.payload", "UF-MGR: Primary CPA server changed to %{fld2}", processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1129 = msg("00556:11", part1767); - - var part1768 = match("MESSAGE#1114:00556:12/0", "nwparser.payload", "UF-MGR: %{fld2->} CPA server %{p0}"); - - var select395 = linear_select([ - dup140, - dup169, - ]); - - var part1769 = match("MESSAGE#1114:00556:12/2", "nwparser.p0", "changed to %{fld3}."); - - var all362 = all_match({ - processors: [ - part1768, - select395, - part1769, - ], - on_success: processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg1130 = msg("00556:12", all362); - - var part1770 = match("MESSAGE#1115:00556:13", "nwparser.payload", "UF-MGR: SurfControl URL filtering %{disposition}.", processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1131 = msg("00556:13", part1770); - - var part1771 = match("MESSAGE#1116:00556:14/0", "nwparser.payload", "UF-MGR: The url %{url->} was %{p0}"); - - var part1772 = match("MESSAGE#1116:00556:14/2", "nwparser.p0", "category %{fld2}."); - - var all363 = all_match({ - processors: [ - part1771, - dup406, - part1772, - ], - on_success: processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg1132 = msg("00556:14", all363); - - var 
part1773 = match("MESSAGE#1117:00556:15/0", "nwparser.payload", "UF-MGR: The category %{fld2->} was %{p0}"); - - var part1774 = match("MESSAGE#1117:00556:15/2", "nwparser.p0", "profile %{fld3->} with action %{disposition}."); - - var all364 = all_match({ - processors: [ - part1773, - dup406, - part1774, - ], - on_success: processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - dup282, - ]), - }); - - var msg1133 = msg("00556:15", all364); - - var part1775 = match("MESSAGE#1118:00556:16/0", "nwparser.payload", "UF-MGR: The %{p0}"); - - var part1776 = match("MESSAGE#1118:00556:16/1_0", "nwparser.p0", "profile %{p0}"); - - var part1777 = match("MESSAGE#1118:00556:16/1_1", "nwparser.p0", "category %{p0}"); - - var select396 = linear_select([ - part1776, - part1777, - ]); - - var part1778 = match("MESSAGE#1118:00556:16/2", "nwparser.p0", "%{fld2->} was %{p0}"); - - var select397 = linear_select([ - dup104, - dup120, - ]); - - var all365 = all_match({ - processors: [ - part1775, - select396, - part1778, - select397, - dup116, - ], - on_success: processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg1134 = msg("00556:16", all365); - - var part1779 = match("MESSAGE#1119:00556:17/0", "nwparser.payload", "UF-MGR: The category %{fld2->} was set in profile %{profile->} as the %{p0}"); - - var part1780 = match("MESSAGE#1119:00556:17/1_0", "nwparser.p0", "black %{p0}"); - - var part1781 = match("MESSAGE#1119:00556:17/1_1", "nwparser.p0", "white %{p0}"); - - var select398 = linear_select([ - part1780, - part1781, - ]); - - var part1782 = match("MESSAGE#1119:00556:17/2", "nwparser.p0", "list.%{}"); - - var all366 = all_match({ - processors: [ - part1779, - select398, - part1782, - ], - on_success: processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg1135 = msg("00556:17", all366); - - var part1783 = match("MESSAGE#1120:00556:18/0", "nwparser.payload", "UF-MGR: The action for %{fld2->} in profile %{profile->} was %{p0}"); 
- - var part1784 = match("MESSAGE#1120:00556:18/1_1", "nwparser.p0", "changed %{p0}"); - - var select399 = linear_select([ - dup101, - part1784, - ]); - - var part1785 = match("MESSAGE#1120:00556:18/2", "nwparser.p0", "to %{fld3}."); - - var all367 = all_match({ - processors: [ - part1783, - select399, - part1785, - ], - on_success: processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg1136 = msg("00556:18", all367); - - var part1786 = match("MESSAGE#1121:00556:20/0", "nwparser.payload", "UF-MGR: The category list from the CPA server %{p0}"); - - var part1787 = match("MESSAGE#1121:00556:20/2", "nwparser.p0", "updated on%{p0}"); - - var select400 = linear_select([ - dup103, - dup96, - ]); - - var part1788 = match("MESSAGE#1121:00556:20/4", "nwparser.p0", "the device.%{}"); - - var all368 = all_match({ - processors: [ - part1786, - dup355, - part1787, - select400, - part1788, - ], - on_success: processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg1137 = msg("00556:20", all368); - - var part1789 = match("MESSAGE#1122:00556:21", "nwparser.payload", "UF-MGR: URL BLOCKED: %{saddr}(%{sport})->%{daddr}(%{dport}), %{fld2->} action: %{disposition}, category: %{category}, reason: %{result->} (%{fld1})", processor_chain([ - dup232, - dup2, - dup3, - dup9, - dup4, - dup5, - dup282, - ])); - - var msg1138 = msg("00556:21", part1789); - - var part1790 = match("MESSAGE#1123:00556:22", "nwparser.payload", "UF-MGR: URL BLOCKED: %{saddr}(%{sport})->%{daddr}(%{dport}), %{fld2->} (%{fld1})", processor_chain([ - dup232, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg1139 = msg("00556:22", part1790); - - var select401 = linear_select([ - msg1118, - msg1119, - msg1120, - msg1121, - msg1122, - msg1123, - msg1124, - msg1125, - msg1126, - msg1127, - msg1128, - msg1129, - msg1130, - msg1131, - msg1132, - msg1133, - msg1134, - msg1135, - msg1136, - msg1137, - msg1138, - msg1139, - ]); - - var part1791 = 
match("MESSAGE#1124:00572", "nwparser.payload", "PPP LCP on interface %{interface->} is %{fld2}. (%{fld1})", processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg1140 = msg("00572", part1791); - - var part1792 = match("MESSAGE#1125:00572:01", "nwparser.payload", "PPP authentication state on interface %{interface}: %{result}. (%{fld1})", processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg1141 = msg("00572:01", part1792); - - var part1793 = match("MESSAGE#1126:00572:03", "nwparser.payload", "PPP on interface %{interface->} is %{disposition->} by receiving Terminate-Request. (%{fld1})", processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg1142 = msg("00572:03", part1793); - - var select402 = linear_select([ - msg1140, - msg1141, - msg1142, - ]); - - var part1794 = match("MESSAGE#1127:00615", "nwparser.payload", "PBR policy \"%{policyname}\" rebuilding lookup tree for virtual router \"%{node}\". (%{fld1})", processor_chain([ - dup44, - dup2, - dup4, - dup5, - dup9, - ])); - - var msg1143 = msg("00615", part1794); - - var part1795 = match("MESSAGE#1128:00615:01", "nwparser.payload", "PBR policy \"%{policyname}\" lookup tree rebuilt successfully in virtual router \"%{node}\". (%{fld1})", processor_chain([ - dup44, - dup2, - dup4, - dup5, - dup9, - ])); - - var msg1144 = msg("00615:01", part1795); - - var select403 = linear_select([ - msg1143, - msg1144, - ]); - - var part1796 = match("MESSAGE#1129:00601", "nwparser.payload", "%{signame->} attack! From %{saddr}:%{sport->} to %{daddr}:%{dport}, proto %{protocol}, through policy %{policyname}. Occurred %{dclass_counter1->} times. 
(%{fld1})", processor_chain([ - dup58, - dup2, - dup59, - dup3, - dup9, - dup4, - dup5, - dup61, - ])); - - var msg1145 = msg("00601", part1796); - - var part1797 = match("MESSAGE#1130:00601:01", "nwparser.payload", "%{signame->} has been detected from %{saddr}/%{sport->} to %{daddr}/%{dport->} through policy %{policyname->} %{dclass_counter1->} times. (%{fld1})", processor_chain([ - dup58, - dup2, - dup59, - dup3, - dup9, - dup4, - dup5, - dup61, - ])); - - var msg1146 = msg("00601:01", part1797); - - var part1798 = match("MESSAGE#1131:00601:18", "nwparser.payload", "Error in initializing multicast.%{}", processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1147 = msg("00601:18", part1798); - - var select404 = linear_select([ - msg1145, - msg1146, - msg1147, - ]); - - var part1799 = match("MESSAGE#1132:00602", "nwparser.payload", "PIMSM Error in initializing interface state change%{}", processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1148 = msg("00602", part1799); - - var part1800 = match("MESSAGE#1133:00612/0", "nwparser.payload", "Switch event: the status of ethernet port %{fld2->} changed to link %{p0}"); - - var part1801 = match("MESSAGE#1133:00612/2", "nwparser.p0", ", duplex %{p0}"); - - var part1802 = match("MESSAGE#1133:00612/3_0", "nwparser.p0", "full %{p0}"); - - var part1803 = match("MESSAGE#1133:00612/3_1", "nwparser.p0", "half %{p0}"); - - var select405 = linear_select([ - part1802, - part1803, - ]); - - var part1804 = match("MESSAGE#1133:00612/4", "nwparser.p0", ", speed 10%{p0}"); - - var part1805 = match("MESSAGE#1133:00612/5_0", "nwparser.p0", "0 %{p0}"); - - var select406 = linear_select([ - part1805, - dup96, - ]); - - var part1806 = match("MESSAGE#1133:00612/6", "nwparser.p0", "M. 
(%{fld1})"); - - var all369 = all_match({ - processors: [ - part1800, - dup353, - part1801, - select405, - part1804, - select406, - part1806, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg1149 = msg("00612", all369); - - var part1807 = match("MESSAGE#1134:00620", "nwparser.payload", "RTSYNC: Event posted to send all the DRP routes to backup device. (%{fld1})", processor_chain([ - dup272, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg1150 = msg("00620", part1807); - - var part1808 = match("MESSAGE#1135:00620:01/0", "nwparser.payload", "RTSYNC: %{p0}"); - - var part1809 = match("MESSAGE#1135:00620:01/1_0", "nwparser.p0", "Serviced%{p0}"); - - var part1810 = match("MESSAGE#1135:00620:01/1_1", "nwparser.p0", "Recieved%{p0}"); - - var select407 = linear_select([ - part1809, - part1810, - ]); - - var part1811 = match("MESSAGE#1135:00620:01/2", "nwparser.p0", "%{}coldstart request for route synchronization from NSRP peer. (%{fld1})"); - - var all370 = all_match({ - processors: [ - part1808, - select407, - part1811, - ], - on_success: processor_chain([ - dup272, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg1151 = msg("00620:01", all370); - - var part1812 = match("MESSAGE#1136:00620:02", "nwparser.payload", "RTSYNC: Started timer to purge all the DRP backup routes - %{fld2->} (%{fld1})", processor_chain([ - dup272, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg1152 = msg("00620:02", part1812); - - var part1813 = match("MESSAGE#1137:00620:03", "nwparser.payload", "RTSYNC: Event posted to purge backup routes in all vrouters. (%{fld1})", processor_chain([ - dup272, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg1153 = msg("00620:03", part1813); - - var part1814 = match("MESSAGE#1138:00620:04", "nwparser.payload", "RTSYNC: Timer to purge the DRP backup routes is stopped. 
(%{fld1})", processor_chain([ - dup272, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg1154 = msg("00620:04", part1814); - - var select408 = linear_select([ - msg1150, - msg1151, - msg1152, - msg1153, - msg1154, - ]); - - var part1815 = match("MESSAGE#1139:00622", "nwparser.payload", "NHRP : NHRP instance in virtual router %{node->} is created. (%{fld1})", processor_chain([ - dup273, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg1155 = msg("00622", part1815); - - var part1816 = match("MESSAGE#1140:00625/0", "nwparser.payload", "Session (id %{sessionid->} src-ip %{saddr->} dst-ip %{daddr->} dst port %{dport}) route is %{p0}"); - - var part1817 = match("MESSAGE#1140:00625/1_0", "nwparser.p0", "invalid%{p0}"); - - var part1818 = match("MESSAGE#1140:00625/1_1", "nwparser.p0", "valid%{p0}"); - - var select409 = linear_select([ - part1817, - part1818, - ]); - - var all371 = all_match({ - processors: [ - part1816, - select409, - dup49, - ], - on_success: processor_chain([ - dup273, - dup2, - dup4, - dup5, - dup9, - ]), - }); - - var msg1156 = msg("00625", all371); - - var part1819 = match("MESSAGE#1141:00628/0", "nwparser.payload", "audit log queue %{p0}"); - - var part1820 = match("MESSAGE#1141:00628/1_0", "nwparser.p0", "Traffic Log %{p0}"); - - var part1821 = match("MESSAGE#1141:00628/1_1", "nwparser.p0", "Event Alarm Log %{p0}"); - - var part1822 = match("MESSAGE#1141:00628/1_2", "nwparser.p0", "Event Log %{p0}"); - - var select410 = linear_select([ - part1820, - part1821, - part1822, - ]); - - var part1823 = match("MESSAGE#1141:00628/2", "nwparser.p0", "is overwritten (%{fld1})"); - - var all372 = all_match({ - processors: [ - part1819, - select410, - part1823, - ], - on_success: processor_chain([ - dup223, - dup2, - dup4, - dup5, - dup9, - ]), - }); - - var msg1157 = msg("00628", all372); - - var part1824 = match("MESSAGE#1142:00767:50", "nwparser.payload", "Log setting was modified to %{disposition->} %{fld2->} level by admin 
%{administrator->} (%{fld1})", processor_chain([ - dup1, - dup2, - dup4, - dup5, - dup9, - dup282, - ])); - - var msg1158 = msg("00767:50", part1824); - - var part1825 = match("MESSAGE#1143:00767:51", "nwparser.payload", "Attack CS:Man in Middle is created by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport->} by admin %{administrator->} (%{fld1})", processor_chain([ - dup58, - dup2, - dup4, - dup5, - dup9, - ])); - - var msg1159 = msg("00767:51", part1825); - - var part1826 = match("MESSAGE#1144:00767:52", "nwparser.payload", "Attack group %{group->} is created by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport->} by admin %{administrator->} (%{fld1})", processor_chain([ - dup58, - dup2, - dup4, - dup5, - dup9, - ])); - - var msg1160 = msg("00767:52", part1826); - - var part1827 = match("MESSAGE#1145:00767:53", "nwparser.payload", "Attack CS:Man in Middle is added to attack group %{group->} by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport->} by admin %{administrator->} (%{fld1})", processor_chain([ - dup58, - dup2, - dup4, - dup5, - dup9, - ])); - - var msg1161 = msg("00767:53", part1827); - - var part1828 = match("MESSAGE#1146:00767", "nwparser.payload", "Cannot contact the SecurID server%{}", processor_chain([ - dup27, - setc("ec_theme","Communication"), - dup39, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1162 = msg("00767", part1828); - - var part1829 = match("MESSAGE#1147:00767:01/0", "nwparser.payload", "System auto-config of file %{fld2->} from TFTP server %{hostip->} has %{p0}"); - - var part1830 = match("MESSAGE#1147:00767:01/1_0", "nwparser.p0", "been loaded successfully%{}"); - - var part1831 = match("MESSAGE#1147:00767:01/1_1", "nwparser.p0", "failed%{}"); - - var select411 = linear_select([ - part1830, - part1831, - ]); - - var all373 = all_match({ - processors: [ - part1829, - select411, - ], - on_success: processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, 
- ]), - }); - - var msg1163 = msg("00767:01", all373); - - var part1832 = match("MESSAGE#1148:00767:02", "nwparser.payload", "netscreen: System Config saved from host %{saddr}", processor_chain([ - setc("eventcategory","1702000000"), - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1164 = msg("00767:02", part1832); - - var part1833 = match("MESSAGE#1149:00767:03", "nwparser.payload", "System Config saved to filename %(unknown)", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1165 = msg("00767:03", part1833); - - var part1834 = match("MESSAGE#1150:00767:04", "nwparser.payload", "System is operational.%{}", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1166 = msg("00767:04", part1834); - - var part1835 = match("MESSAGE#1151:00767:05", "nwparser.payload", "The device cannot contact the SecurID server%{}", processor_chain([ - dup27, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1167 = msg("00767:05", part1835); - - var part1836 = match("MESSAGE#1152:00767:06", "nwparser.payload", "The device cannot send data to the SecurID server%{}", processor_chain([ - dup27, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1168 = msg("00767:06", part1836); - - var part1837 = match("MESSAGE#1153:00767:07", "nwparser.payload", "The system configuration was saved from peer unit by admin%{}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1169 = msg("00767:07", part1837); - - var part1838 = match("MESSAGE#1154:00767:08/0", "nwparser.payload", "The system configuration was saved by admin %{p0}"); - - var all374 = all_match({ - processors: [ - part1838, - dup397, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg1170 = msg("00767:08", all374); - - var part1839 = match("MESSAGE#1155:00767:09/0", "nwparser.payload", "traffic shaping is turned O%{p0}"); - - var part1840 = match("MESSAGE#1155:00767:09/1_0", "nwparser.p0", "N%{}"); - - var 
part1841 = match("MESSAGE#1155:00767:09/1_1", "nwparser.p0", "FF%{}"); - - var select412 = linear_select([ - part1840, - part1841, - ]); - - var all375 = all_match({ - processors: [ - part1839, - select412, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg1171 = msg("00767:09", all375); - - var part1842 = match("MESSAGE#1156:00767:10/0", "nwparser.payload", "The system configuration was saved from host %{saddr->} by admin %{p0}"); - - var all376 = all_match({ - processors: [ - part1842, - dup397, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg1172 = msg("00767:10", all376); - - var part1843 = match("MESSAGE#1157:00767:11/0", "nwparser.payload", "Fatal error. The NetScreen device was unable to upgrade the %{p0}"); - - var part1844 = match("MESSAGE#1157:00767:11/1_1", "nwparser.p0", "file system %{p0}"); - - var select413 = linear_select([ - dup331, - part1844, - ]); - - var part1845 = match("MESSAGE#1157:00767:11/2", "nwparser.p0", ", and the %{p0}"); - - var part1846 = match("MESSAGE#1157:00767:11/3_1", "nwparser.p0", "old file system %{p0}"); - - var select414 = linear_select([ - dup331, - part1846, - ]); - - var part1847 = match("MESSAGE#1157:00767:11/4", "nwparser.p0", "is damaged.%{}"); - - var all377 = all_match({ - processors: [ - part1843, - select413, - part1845, - select414, - part1847, - ], - on_success: processor_chain([ - dup18, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg1173 = msg("00767:11", all377); - - var part1848 = match("MESSAGE#1158:00767:12", "nwparser.payload", "System configuration saved by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport->} by %{fld2->} (%{fld1})", processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg1174 = msg("00767:12", part1848); - - var part1849 = match("MESSAGE#1159:00767:13/0", "nwparser.payload", "%{fld2}Environment variable %{fld3->} is 
changed to %{fld4->} by admin %{p0}"); - - var all378 = all_match({ - processors: [ - part1849, - dup397, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg1175 = msg("00767:13", all378); - - var part1850 = match("MESSAGE#1160:00767:14/0", "nwparser.payload", "System was %{p0}"); - - var part1851 = match("MESSAGE#1160:00767:14/1_0", "nwparser.p0", "reset %{p0}"); - - var select415 = linear_select([ - part1851, - dup262, - ]); - - var part1852 = match("MESSAGE#1160:00767:14/2", "nwparser.p0", "at %{fld2->} by %{p0}"); - - var part1853 = match("MESSAGE#1160:00767:14/3_0", "nwparser.p0", "admin %{administrator}"); - - var part1854 = match_copy("MESSAGE#1160:00767:14/3_1", "nwparser.p0", "username"); - - var select416 = linear_select([ - part1853, - part1854, - ]); - - var all379 = all_match({ - processors: [ - part1850, - select415, - part1852, - select416, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg1176 = msg("00767:14", all379); - - var part1855 = match("MESSAGE#1161:00767:15/1_0", "nwparser.p0", "System %{p0}"); - - var part1856 = match("MESSAGE#1161:00767:15/1_1", "nwparser.p0", "Event %{p0}"); - - var part1857 = match("MESSAGE#1161:00767:15/1_2", "nwparser.p0", "Traffic %{p0}"); - - var select417 = linear_select([ - part1855, - part1856, - part1857, - ]); - - var part1858 = match("MESSAGE#1161:00767:15/2", "nwparser.p0", "log was reviewed by %{p0}"); - - var part1859 = match("MESSAGE#1161:00767:15/4", "nwparser.p0", "%{} %{username}."); - - var all380 = all_match({ - processors: [ - dup183, - select417, - part1858, - dup336, - part1859, - ], - on_success: processor_chain([ - dup223, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg1177 = msg("00767:15", all380); - - var part1860 = match("MESSAGE#1162:00767:16", "nwparser.payload", "%{fld2->} Admin %{administrator->} issued command %{info->} to redirect output.", processor_chain([ - dup1, - 
dup2, - dup3, - dup4, - dup5, - ])); - - var msg1178 = msg("00767:16", part1860); - - var part1861 = match("MESSAGE#1163:00767:17/0", "nwparser.payload", "%{fld2->} Save new software from %{fld3->} to flash by admin %{p0}"); - - var all381 = all_match({ - processors: [ - part1861, - dup397, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg1179 = msg("00767:17", all381); - - var part1862 = match("MESSAGE#1164:00767:18", "nwparser.payload", "Attack database version %{version->} has been %{fld2->} saved to flash.", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1180 = msg("00767:18", part1862); - - var part1863 = match("MESSAGE#1165:00767:19", "nwparser.payload", "Attack database version %{version->} was rejected because the authentication check failed.", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1181 = msg("00767:19", part1863); - - var part1864 = match("MESSAGE#1166:00767:20", "nwparser.payload", "The dictionary file version of the RADIUS server %{hostname->} does not match %{fld2}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1182 = msg("00767:20", part1864); - - var part1865 = match("MESSAGE#1167:00767:21", "nwparser.payload", "Session (%{fld2->} %{fld3}, %{fld4}) cleared %{fld5}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1183 = msg("00767:21", part1865); - - var part1866 = match("MESSAGE#1168:00767:22/0", "nwparser.payload", "The system configuration was not saved %{p0}"); - - var part1867 = match("MESSAGE#1168:00767:22/1_0", "nwparser.p0", "%{fld2->} by admin %{administrator->} via NSRP Peer %{p0}"); - - var part1868 = match("MESSAGE#1168:00767:22/1_1", "nwparser.p0", "%{fld2->} %{p0}"); - - var select418 = linear_select([ - part1867, - part1868, - ]); - - var part1869 = match("MESSAGE#1168:00767:22/2", "nwparser.p0", "by administrator %{fld3}. 
%{p0}"); - - var part1870 = match("MESSAGE#1168:00767:22/3_0", "nwparser.p0", "It was locked %{p0}"); - - var part1871 = match("MESSAGE#1168:00767:22/3_1", "nwparser.p0", "Locked %{p0}"); - - var select419 = linear_select([ - part1870, - part1871, - ]); - - var part1872 = match("MESSAGE#1168:00767:22/4", "nwparser.p0", "by administrator %{fld4->} %{p0}"); - - var all382 = all_match({ - processors: [ - part1866, - select418, - part1869, - select419, - part1872, - dup354, - ], - on_success: processor_chain([ - dup50, - dup43, - dup51, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg1184 = msg("00767:22", all382); - - var part1873 = match("MESSAGE#1169:00767:23", "nwparser.payload", "Save new software from slot filename %{filename->} to flash memory by administrator %{administrator}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1185 = msg("00767:23", part1873); - - var part1874 = match("MESSAGE#1170:00767:25/0", "nwparser.payload", "System configuration saved by %{username->} via %{logon_type->} from %{p0}"); - - var select420 = linear_select([ - dup169, - dup16, - ]); - - var part1875 = match("MESSAGE#1170:00767:25/3_0", "nwparser.p0", "%{saddr}:%{sport->} by %{p0}"); - - var part1876 = match("MESSAGE#1170:00767:25/3_1", "nwparser.p0", "%{saddr->} by %{p0}"); - - var select421 = linear_select([ - part1875, - part1876, - ]); - - var all383 = all_match({ - processors: [ - part1874, - select420, - dup23, - select421, - dup108, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg1186 = msg("00767:25", all383); - - var part1877 = match("MESSAGE#1171:00767:26/0", "nwparser.payload", "Lock configuration %{p0}"); - - var part1878 = match("MESSAGE#1171:00767:26/1_0", "nwparser.p0", "started%{p0}"); - - var part1879 = match("MESSAGE#1171:00767:26/1_1", "nwparser.p0", "ended%{p0}"); - - var select422 = linear_select([ - part1878, - part1879, - ]); - - var part1880 = 
match("MESSAGE#1171:00767:26/2", "nwparser.p0", "%{}by task %{p0}"); - - var part1881 = match("MESSAGE#1171:00767:26/3_0", "nwparser.p0", "%{fld3}, with a timeout value of %{fld2}"); - - var part1882 = match("MESSAGE#1171:00767:26/3_1", "nwparser.p0", "%{fld2->} (%{fld1})"); - - var select423 = linear_select([ - part1881, - part1882, - ]); - - var all384 = all_match({ - processors: [ - part1877, - select422, - part1880, - select423, - ], - on_success: processor_chain([ - dup50, - dup43, - dup51, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg1187 = msg("00767:26", all384); - - var part1883 = match("MESSAGE#1172:00767:27/0", "nwparser.payload", "Environment variable %{fld2->} changed to %{p0}"); - - var part1884 = match("MESSAGE#1172:00767:27/1_0", "nwparser.p0", "%{fld3->} by %{username->} (%{fld1})"); - - var part1885 = match_copy("MESSAGE#1172:00767:27/1_1", "nwparser.p0", "fld3"); - - var select424 = linear_select([ - part1884, - part1885, - ]); - - var all385 = all_match({ - processors: [ - part1883, - select424, - ], - on_success: processor_chain([ - dup223, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg1188 = msg("00767:27", all385); - - var part1886 = match("MESSAGE#1173:00767:28", "nwparser.payload", "The system configuration was loaded from IP address %{hostip->} under filename %{filename->} by administrator by admin %{administrator->} (%{fld1})", processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg1189 = msg("00767:28", part1886); - - var part1887 = match("MESSAGE#1174:00767:29", "nwparser.payload", "Save configuration to IP address %{hostip->} under filename %{filename->} by administrator by admin %{administrator->} (%{fld1})", processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg1190 = msg("00767:29", part1887); - - var part1888 = match("MESSAGE#1175:00767:30", "nwparser.payload", "%{fld2}: The system configuration was saved from host %{saddr->} by admin 
%{administrator->} (%{fld1})", processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg1191 = msg("00767:30", part1888); - - var part1889 = match("MESSAGE#1176:00767:31/1_0", "nwparser.p0", "logged events or alarms %{p0}"); - - var part1890 = match("MESSAGE#1176:00767:31/1_1", "nwparser.p0", "traffic logs %{p0}"); - - var select425 = linear_select([ - part1889, - part1890, - ]); - - var part1891 = match("MESSAGE#1176:00767:31/2", "nwparser.p0", "were cleared by admin %{p0}"); - - var all386 = all_match({ - processors: [ - dup186, - select425, - part1891, - dup397, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg1192 = msg("00767:31", all386); - - var part1892 = match("MESSAGE#1177:00767:32/0", "nwparser.payload", "SIP parser error %{p0}"); - - var part1893 = match("MESSAGE#1177:00767:32/1_0", "nwparser.p0", "SIP-field%{p0}"); - - var part1894 = match("MESSAGE#1177:00767:32/1_1", "nwparser.p0", "Message%{p0}"); - - var select426 = linear_select([ - part1893, - part1894, - ]); - - var part1895 = match("MESSAGE#1177:00767:32/2", "nwparser.p0", ": %{result}(%{fld1})"); - - var all387 = all_match({ - processors: [ - part1892, - select426, - part1895, - ], - on_success: processor_chain([ - dup27, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg1193 = msg("00767:32", all387); - - var part1896 = match("MESSAGE#1178:00767:33", "nwparser.payload", "Daylight Saving Time has started. 
(%{fld1})", processor_chain([ - dup44, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg1194 = msg("00767:33", part1896); - - var part1897 = match("MESSAGE#1179:00767:34", "nwparser.payload", "NetScreen devices do not support multiple IP addresses %{hostip->} or ports %{network_port->} in SIP headers RESPONSE (%{fld1})", processor_chain([ - dup313, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg1195 = msg("00767:34", part1897); - - var part1898 = match("MESSAGE#1180:00767:35", "nwparser.payload", "Environment variable %{fld2->} set to %{fld3->} (%{fld1})", processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg1196 = msg("00767:35", part1898); - - var part1899 = match("MESSAGE#1181:00767:36", "nwparser.payload", "System configuration saved from %{fld2->} by %{username->} (%{fld1})", processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg1197 = msg("00767:36", part1899); - - var part1900 = match("MESSAGE#1182:00767:37", "nwparser.payload", "Trial keys are available to download to enable advanced features. %{space->} To find out, please visit %{url->} (%{fld1})", processor_chain([ - dup254, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg1198 = msg("00767:37", part1900); - - var part1901 = match("MESSAGE#1183:00767:38", "nwparser.payload", "Log buffer was full and remaining messages were sent to external destination. %{fld2->} packets were dropped. 
(%{fld1})", processor_chain([ - setc("eventcategory","1602000000"), - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg1199 = msg("00767:38", part1901); - - var part1902 = match("MESSAGE#1184:00767:39/0", "nwparser.payload", "Cannot %{p0}"); - - var part1903 = match("MESSAGE#1184:00767:39/1_0", "nwparser.p0", "download %{p0}"); - - var part1904 = match("MESSAGE#1184:00767:39/1_1", "nwparser.p0", "parse %{p0}"); - - var select427 = linear_select([ - part1903, - part1904, - ]); - - var part1905 = match("MESSAGE#1184:00767:39/2", "nwparser.p0", "attack database %{p0}"); - - var part1906 = match("MESSAGE#1184:00767:39/3_0", "nwparser.p0", "from %{url->} (%{result}). %{p0}"); - - var part1907 = match("MESSAGE#1184:00767:39/3_1", "nwparser.p0", "%{fld2->} %{p0}"); - - var select428 = linear_select([ - part1906, - part1907, - ]); - - var all388 = all_match({ - processors: [ - part1902, - select427, - part1905, - select428, - dup10, - ], - on_success: processor_chain([ - dup324, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg1200 = msg("00767:39", all388); - - var part1908 = match("MESSAGE#1185:00767:40", "nwparser.payload", "Deep Inspection update key is %{disposition}. (%{fld1})", processor_chain([ - dup62, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg1201 = msg("00767:40", part1908); - - var part1909 = match("MESSAGE#1186:00767:42", "nwparser.payload", "System configuration saved by %{username->} via %{logon_type->} to %{daddr}:%{dport->} by %{fld2->} (%{fld1})", processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg1202 = msg("00767:42", part1909); - - var part1910 = match("MESSAGE#1187:00767:43", "nwparser.payload", "Daylight Saving Time ended. 
(%{fld1})", processor_chain([ - dup44, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg1203 = msg("00767:43", part1910); - - var part1911 = match("MESSAGE#1188:00767:44", "nwparser.payload", "New GMT zone ahead or behind by %{fld2->} (%{fld1})", processor_chain([ - dup44, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg1204 = msg("00767:44", part1911); - - var part1912 = match("MESSAGE#1189:00767:45", "nwparser.payload", "Attack database version %{version->} is saved to flash. (%{fld1})", processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg1205 = msg("00767:45", part1912); - - var part1913 = match("MESSAGE#1190:00767:46", "nwparser.payload", "System configuration saved by netscreen via %{logon_type->} by netscreen. (%{fld1})", processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg1206 = msg("00767:46", part1913); - - var part1914 = match("MESSAGE#1191:00767:47", "nwparser.payload", "User %{username->} belongs to a different group in the RADIUS server than that allowed in the device. (%{fld1})", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - dup9, - ])); - - var msg1207 = msg("00767:47", part1914); - - var part1915 = match("MESSAGE#1192:00767:24/0", "nwparser.payload", "System configuration saved by %{p0}"); - - var part1916 = match("MESSAGE#1192:00767:24/2", "nwparser.p0", "%{logon_type->} by %{fld2->} (%{fld1})"); - - var all389 = all_match({ - processors: [ - part1915, - dup364, - part1916, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg1208 = msg("00767:24", all389); - - var part1917 = match("MESSAGE#1193:00767:48", "nwparser.payload", "HA: Synchronization file(s) hidden file end with c sent to backup device in cluster. 
(%{fld1})", processor_chain([ - dup272, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg1209 = msg("00767:48", part1917); - - var part1918 = match("MESSAGE#1194:00767:49/0", "nwparser.payload", "%{fld2->} turn o%{p0}"); - - var part1919 = match("MESSAGE#1194:00767:49/1_0", "nwparser.p0", "n%{p0}"); - - var part1920 = match("MESSAGE#1194:00767:49/1_1", "nwparser.p0", "ff%{p0}"); - - var select429 = linear_select([ - part1919, - part1920, - ]); - - var part1921 = match("MESSAGE#1194:00767:49/2", "nwparser.p0", "%{}debug switch for %{fld3->} (%{fld1})"); - - var all390 = all_match({ - processors: [ - part1918, - select429, - part1921, - ], - on_success: processor_chain([ - dup1, - dup2, - dup4, - dup5, - dup9, - ]), - }); - - var msg1210 = msg("00767:49", all390); - - var select430 = linear_select([ - msg1158, - msg1159, - msg1160, - msg1161, - msg1162, - msg1163, - msg1164, - msg1165, - msg1166, - msg1167, - msg1168, - msg1169, - msg1170, - msg1171, - msg1172, - msg1173, - msg1174, - msg1175, - msg1176, - msg1177, - msg1178, - msg1179, - msg1180, - msg1181, - msg1182, - msg1183, - msg1184, - msg1185, - msg1186, - msg1187, - msg1188, - msg1189, - msg1190, - msg1191, - msg1192, - msg1193, - msg1194, - msg1195, - msg1196, - msg1197, - msg1198, - msg1199, - msg1200, - msg1201, - msg1202, - msg1203, - msg1204, - msg1205, - msg1206, - msg1207, - msg1208, - msg1209, - msg1210, - ]); - - var part1922 = match("MESSAGE#1195:01269", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} direction=%{direction->} action=Deny sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} icmp type=%{icmptype}", processor_chain([ - dup185, - dup2, - dup4, - dup5, - dup274, - dup277, - dup3, - dup275, - dup60, - ])); - - var msg1211 = msg("01269", part1922); - - var msg1212 = msg("01269:01", dup407); - - var msg1213 = msg("01269:02", dup408); - - var msg1214 = msg("01269:03", dup409); - - var 
select431 = linear_select([ - msg1211, - msg1212, - msg1213, - msg1214, - ]); - - var part1923 = match("MESSAGE#1199:17852", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} direction=%{direction->} action=Deny sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport}", processor_chain([ - dup185, - dup2, - dup4, - dup5, - dup274, - dup3, - dup276, - dup277, - dup275, - dup332, - ])); - - var msg1215 = msg("17852", part1923); - - var part1924 = match("MESSAGE#1200:17852:01", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} direction=%{direction->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport}", processor_chain([ - dup281, - dup2, - dup4, - dup5, - dup274, - dup3, - dup275, - dup332, - dup282, - ])); - - var msg1216 = msg("17852:01", part1924); - - var part1925 = match("MESSAGE#1201:17852:02", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=Deny sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport}", processor_chain([ - dup185, - dup2, - dup4, - dup5, - dup274, - dup3, - dup275, - dup276, - dup277, - dup61, - ])); - - var msg1217 = msg("17852:02", part1925); - - var part1926 = match("MESSAGE#1202:17852:03", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport}", processor_chain([ - dup281, - dup2, - dup4, - dup5, - dup274, - dup3, - dup275, - dup332, 
- dup282, - ])); - - var msg1218 = msg("17852:03", part1926); - - var select432 = linear_select([ - msg1215, - msg1216, - msg1217, - msg1218, - ]); - - var msg1219 = msg("23184", dup410); - - var part1927 = match("MESSAGE#1204:23184:01", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} (%{fld3}) proto=%{protocol->} direction=%{direction->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport}", processor_chain([ - dup281, - dup2, - dup4, - dup5, - dup274, - dup3, - dup275, - dup61, - dup282, - ])); - - var msg1220 = msg("23184:01", part1927); - - var part1928 = match("MESSAGE#1205:23184:02", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} (%{fld3}) proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=Deny sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport}", processor_chain([ - dup185, - dup2, - dup4, - dup5, - dup274, - dup3, - dup276, - dup277, - dup275, - dup61, - ])); - - var msg1221 = msg("23184:02", part1928); - - var part1929 = match("MESSAGE#1206:23184:03", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} (%{fld3}) proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport}", processor_chain([ - dup281, - dup2, - dup4, - dup5, - dup274, - dup3, - dup275, - dup332, - dup282, - ])); - - var msg1222 = msg("23184:03", part1929); - - var select433 = linear_select([ - msg1219, - msg1220, - msg1221, - msg1222, - ]); - - var msg1223 = msg("27052", dup410); - - var part1930 = match("MESSAGE#1208:27052:01", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} 
service=%{service->} (%{fld3}) proto=%{protocol}direction=%{direction->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport}", processor_chain([ - dup281, - dup2, - dup4, - dup5, - dup274, - dup3, - dup275, - dup61, - dup282, - ])); - - var msg1224 = msg("27052:01", part1930); - - var select434 = linear_select([ - msg1223, - msg1224, - ]); - - var part1931 = match("MESSAGE#1209:39568", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} direction=%{direction->} action=Deny sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} icmp type=%{icmptype}", processor_chain([ - dup185, - dup2, - dup4, - dup277, - dup5, - dup274, - dup3, - dup275, - dup276, - dup60, - ])); - - var msg1225 = msg("39568", part1931); - - var msg1226 = msg("39568:01", dup407); - - var msg1227 = msg("39568:02", dup408); - - var msg1228 = msg("39568:03", dup409); - - var select435 = linear_select([ - msg1225, - msg1226, - msg1227, - msg1228, - ]); - - var chain1 = processor_chain([ - select2, - msgid_select({ - "00001": select6, - "00002": select29, - "00003": select31, - "00004": select33, - "00005": select39, - "00006": select40, - "00007": select63, - "00008": select66, - "00009": select83, - "00010": select86, - "00011": select100, - "00012": select101, - "00013": select102, - "00014": select104, - "00015": select114, - "00016": select115, - "00017": select125, - "00018": select138, - "00019": select147, - "00020": select150, - "00021": select151, - "00022": select163, - "00023": select164, - "00024": select170, - "00025": select171, - "00026": select176, - "00027": select184, - "00028": msg469, - "00029": select188, - "00030": select197, - "00031": select205, - "00032": select207, - "00033": select214, - "00034": select225, - "00035": select232, - "00036": select234, - "00037": select241, - "00038": msg660, - "00039": msg661, - 
"00040": select244, - "00041": select245, - "00042": select246, - "00043": msg668, - "00044": select248, - "00045": msg671, - "00047": msg672, - "00048": select257, - "00049": select258, - "00050": msg682, - "00051": msg683, - "00052": msg684, - "00055": select265, - "00056": msg696, - "00057": msg697, - "00058": msg698, - "00059": select272, - "00062": select273, - "00063": msg713, - "00064": select274, - "00070": select276, - "00071": select277, - "00072": select278, - "00073": select279, - "00074": msg726, - "00075": select280, - "00076": select281, - "00077": select282, - "00084": msg735, - "00090": msg736, - "00200": msg737, - "00201": msg738, - "00202": msg739, - "00203": msg740, - "00206": select285, - "00207": select286, - "00257": select291, - "00259": select294, - "00262": msg778, - "00263": msg779, - "00400": msg780, - "00401": msg781, - "00402": select296, - "00403": msg784, - "00404": msg785, - "00405": msg786, - "00406": msg787, - "00407": msg788, - "00408": msg789, - "00409": msg790, - "00410": select297, - "00411": msg793, - "00413": select298, - "00414": select299, - "00415": msg799, - "00423": msg800, - "00429": select300, - "00430": select301, - "00431": msg805, - "00432": msg806, - "00433": msg807, - "00434": msg808, - "00435": select302, - "00436": select303, - "00437": select304, - "00438": select305, - "00440": select306, - "00441": msg823, - "00442": msg824, - "00443": msg825, - "00511": select307, - "00513": msg841, - "00515": select328, - "00518": select331, - "00519": select336, - "00520": select339, - "00521": msg890, - "00522": msg891, - "00523": msg892, - "00524": select340, - "00525": select341, - "00526": msg912, - "00527": select348, - "00528": select354, - "00529": select357, - "00530": select358, - "00531": select362, - "00533": msg973, - "00534": msg974, - "00535": select363, - "00536": select365, - "00537": select366, - "00538": select372, - "00539": select373, - "00541": select375, - "00542": msg1062, - "00543": msg1063, - 
"00544": msg1064, - "00546": msg1065, - "00547": select379, - "00549": msg1070, - "00551": select381, - "00553": select385, - "00554": select391, - "00555": msg1117, - "00556": select401, - "00572": select402, - "00601": select404, - "00602": msg1148, - "00612": msg1149, - "00615": select403, - "00620": select408, - "00622": msg1155, - "00625": msg1156, - "00628": msg1157, - "00767": select430, - "01269": select431, - "17852": select432, - "23184": select433, - "27052": select434, - "39568": select435, - }), - ]); - - var part1932 = match("MESSAGE#2:00001:02/0", "nwparser.payload", "Address %{group_object->} for %{p0}"); - - var part1933 = match("MESSAGE#2:00001:02/1_1", "nwparser.p0", "domain address %{domain->} in zone %{p0}"); - - var part1934 = match("MESSAGE#4:00001:04/3_0", "nwparser.p0", " (%{fld1})"); - - var part1935 = match("MESSAGE#5:00001:05/1_0", "nwparser.p0", "(%{fld1})"); - - var part1936 = match_copy("MESSAGE#5:00001:05/1_1", "nwparser.p0", "fld1"); - - var part1937 = match("MESSAGE#8:00001:08/0", "nwparser.payload", "Address %{p0}"); - - var part1938 = match("MESSAGE#8:00001:08/1_0", "nwparser.p0", "MIP(%{interface}) %{p0}"); - - var part1939 = match("MESSAGE#8:00001:08/1_1", "nwparser.p0", "%{group_object->} %{p0}"); - - var part1940 = match("MESSAGE#8:00001:08/3_0", "nwparser.p0", "admin %{p0}"); - - var part1941 = match_copy("MESSAGE#8:00001:08/3_1", "nwparser.p0", "p0"); - - var part1942 = match("MESSAGE#25:00002:20/1_1", "nwparser.p0", "from host %{saddr->} "); - - var part1943 = match_copy("MESSAGE#25:00002:20/1_2", "nwparser.p0", ""); - - var part1944 = match("MESSAGE#26:00002:21/1", "nwparser.p0", "%{p0}"); - - var part1945 = match("MESSAGE#26:00002:21/2_0", "nwparser.p0", "password %{p0}"); - - var part1946 = match("MESSAGE#26:00002:21/2_1", "nwparser.p0", "name %{p0}"); - - var part1947 = match_copy("MESSAGE#27:00002:22/1_2", "nwparser.p0", "administrator"); - - var part1948 = match_copy("MESSAGE#42:00002:38/1_1", "nwparser.p0", 
"disposition"); - - var part1949 = match("MESSAGE#46:00002:42/1_1", "nwparser.p0", "via %{p0}"); - - var part1950 = match("MESSAGE#46:00002:42/4", "nwparser.p0", "%{fld1})"); - - var part1951 = match("MESSAGE#52:00002:48/3_1", "nwparser.p0", "%{logon_type->} from host %{saddr->} to %{daddr}:%{dport}. (%{p0}"); - - var part1952 = match("MESSAGE#53:00002:52/3_0", "nwparser.p0", "admin %{administrator->} via %{p0}"); - - var part1953 = match("MESSAGE#53:00002:52/3_2", "nwparser.p0", "%{username->} via %{p0}"); - - var part1954 = match("MESSAGE#53:00002:52/4_0", "nwparser.p0", "NSRP Peer . (%{p0}"); - - var part1955 = match("MESSAGE#55:00002:54/2", "nwparser.p0", ". (%{fld1})"); - - var part1956 = match("MESSAGE#56:00002/1_1", "nwparser.p0", "changed%{p0}"); - - var part1957 = match("MESSAGE#61:00003:05/0", "nwparser.payload", "The %{p0}"); - - var part1958 = match("MESSAGE#66:00004:04/1_0", "nwparser.p0", "interface%{p0}"); - - var part1959 = match("MESSAGE#66:00004:04/1_1", "nwparser.p0", "Interface%{p0}"); - - var part1960 = match("MESSAGE#76:00004:14/0", "nwparser.payload", "DNS entries have been %{p0}"); - - var part1961 = match("MESSAGE#79:00004:17/0", "nwparser.payload", "%{signame->} From %{saddr->} to %{daddr}, proto %{protocol->} (zone %{p0}"); - - var part1962 = match("MESSAGE#79:00004:17/1_0", "nwparser.p0", "%{zone}, %{p0}"); - - var part1963 = match("MESSAGE#79:00004:17/1_1", "nwparser.p0", "%{zone->} %{p0}"); - - var part1964 = match("MESSAGE#79:00004:17/2", "nwparser.p0", "int %{interface}).%{space}Occurred %{dclass_counter1->} times. 
(%{fld1})"); - - var part1965 = match("MESSAGE#83:00005:03/1_0", "nwparser.p0", "%{dport},%{p0}"); - - var part1966 = match("MESSAGE#83:00005:03/1_1", "nwparser.p0", "%{dport->} %{p0}"); - - var part1967 = match("MESSAGE#83:00005:03/2", "nwparser.p0", "%{space}using protocol %{p0}"); - - var part1968 = match("MESSAGE#83:00005:03/3_0", "nwparser.p0", "%{protocol},%{p0}"); - - var part1969 = match("MESSAGE#83:00005:03/3_1", "nwparser.p0", "%{protocol->} %{p0}"); - - var part1970 = match("MESSAGE#83:00005:03/5_1", "nwparser.p0", ". %{p0}"); - - var part1971 = match("MESSAGE#86:00005:06/0_0", "nwparser.payload", "%{fld2}: SYN %{p0}"); - - var part1972 = match("MESSAGE#86:00005:06/0_1", "nwparser.payload", "SYN %{p0}"); - - var part1973 = match("MESSAGE#87:00005:07/1_2", "nwparser.p0", "timeout value %{p0}"); - - var part1974 = match("MESSAGE#88:00005:08/2_0", "nwparser.p0", "destination %{p0}"); - - var part1975 = match("MESSAGE#88:00005:08/2_1", "nwparser.p0", "source %{p0}"); - - var part1976 = match("MESSAGE#97:00005:17/0", "nwparser.payload", "A %{p0}"); - - var part1977 = match("MESSAGE#98:00005:18/0", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to %{daddr}:%{dport}, proto %{protocol->} (zone %{zone->} %{p0}"); - - var part1978 = match("MESSAGE#98:00005:18/1_0", "nwparser.p0", ", int %{p0}"); - - var part1979 = match("MESSAGE#98:00005:18/1_1", "nwparser.p0", "int %{p0}"); - - var part1980 = match("MESSAGE#98:00005:18/2", "nwparser.p0", "%{interface}).%{space}Occurred %{dclass_counter1->} times. 
(%{fld1})"); - - var part1981 = match("MESSAGE#111:00007:04/0", "nwparser.payload", "HA %{p0}"); - - var part1982 = match("MESSAGE#111:00007:04/1_0", "nwparser.p0", "encryption %{p0}"); - - var part1983 = match("MESSAGE#111:00007:04/1_1", "nwparser.p0", "authentication %{p0}"); - - var part1984 = match("MESSAGE#111:00007:04/3_1", "nwparser.p0", "key %{p0}"); - - var part1985 = match("MESSAGE#118:00007:11/1_0", "nwparser.p0", "disabled%{}"); - - var part1986 = match("MESSAGE#118:00007:11/1_1", "nwparser.p0", "set to %{trigger_val}"); - - var part1987 = match("MESSAGE#127:00007:21/1_0", "nwparser.p0", "up%{}"); - - var part1988 = match("MESSAGE#127:00007:21/1_1", "nwparser.p0", "down%{}"); - - var part1989 = match("MESSAGE#139:00007:33/2_1", "nwparser.p0", " %{p0}"); - - var part1990 = match("MESSAGE#143:00007:37/1_0", "nwparser.p0", "set%{}"); - - var part1991 = match("MESSAGE#143:00007:37/1_1", "nwparser.p0", "unset%{}"); - - var part1992 = match("MESSAGE#144:00007:38/1_0", "nwparser.p0", "undefined %{p0}"); - - var part1993 = match("MESSAGE#144:00007:38/1_1", "nwparser.p0", "set %{p0}"); - - var part1994 = match("MESSAGE#144:00007:38/1_2", "nwparser.p0", "active %{p0}"); - - var part1995 = match("MESSAGE#144:00007:38/2", "nwparser.p0", "to %{p0}"); - - var part1996 = match("MESSAGE#157:00007:51/1_0", "nwparser.p0", "created %{p0}"); - - var part1997 = match("MESSAGE#157:00007:51/3_0", "nwparser.p0", ", %{p0}"); - - var part1998 = match("MESSAGE#157:00007:51/5_0", "nwparser.p0", "is %{p0}"); - - var part1999 = match("MESSAGE#157:00007:51/5_1", "nwparser.p0", "was %{p0}"); - - var part2000 = match("MESSAGE#157:00007:51/6", "nwparser.p0", "%{fld2}"); - - var part2001 = match("MESSAGE#163:00007:57/1_0", "nwparser.p0", "threshold %{p0}"); - - var part2002 = match("MESSAGE#163:00007:57/1_1", "nwparser.p0", "interval %{p0}"); - - var part2003 = match("MESSAGE#163:00007:57/3_0", "nwparser.p0", "of %{p0}"); - - var part2004 = match("MESSAGE#163:00007:57/3_1", 
"nwparser.p0", "that %{p0}"); - - var part2005 = match("MESSAGE#170:00007:64/0_0", "nwparser.payload", "Zone %{p0}"); - - var part2006 = match("MESSAGE#170:00007:64/0_1", "nwparser.payload", "Interface %{p0}"); - - var part2007 = match("MESSAGE#172:00007:66/2_1", "nwparser.p0", "n %{p0}"); - - var part2008 = match("MESSAGE#174:00007:68/4", "nwparser.p0", ".%{}"); - - var part2009 = match("MESSAGE#195:00009:06/1", "nwparser.p0", "for %{p0}"); - - var part2010 = match("MESSAGE#195:00009:06/2_0", "nwparser.p0", "the %{p0}"); - - var part2011 = match("MESSAGE#195:00009:06/4_0", "nwparser.p0", "removed %{p0}"); - - var part2012 = match("MESSAGE#202:00009:14/2_0", "nwparser.p0", "interface %{p0}"); - - var part2013 = match("MESSAGE#202:00009:14/2_1", "nwparser.p0", "the interface %{p0}"); - - var part2014 = match_copy("MESSAGE#202:00009:14/4_1", "nwparser.p0", "interface"); - - var part2015 = match("MESSAGE#203:00009:15/1_1", "nwparser.p0", "s %{p0}"); - - var part2016 = match("MESSAGE#203:00009:15/2", "nwparser.p0", "on interface %{interface->} %{p0}"); - - var part2017 = match("MESSAGE#203:00009:15/3_0", "nwparser.p0", "has been %{p0}"); - - var part2018 = match("MESSAGE#203:00009:15/4", "nwparser.p0", "%{disposition}."); - - var part2019 = match("MESSAGE#204:00009:16/3_0", "nwparser.p0", "removed from %{p0}"); - - var part2020 = match("MESSAGE#204:00009:16/3_1", "nwparser.p0", "added to %{p0}"); - - var part2021 = match("MESSAGE#210:00009:21/2", "nwparser.p0", "%{interface}). Occurred %{dclass_counter1->} times. 
(%{fld1})"); - - var part2022 = match("MESSAGE#219:00010:03/0", "nwparser.payload", "%{signame->} From %{saddr->} to %{daddr}, proto %{protocol->} (zone %{zone->} %{p0}"); - - var part2023 = match("MESSAGE#224:00011:04/1_1", "nwparser.p0", "Interface %{p0}"); - - var part2024 = match("MESSAGE#233:00011:14/1_0", "nwparser.p0", "set to %{fld2}"); - - var part2025 = match("MESSAGE#237:00011:18/4_1", "nwparser.p0", "gateway %{p0}"); - - var part2026 = match("MESSAGE#238:00011:19/6", "nwparser.p0", "%{} %{disposition}"); - - var part2027 = match("MESSAGE#274:00015:02/1_1", "nwparser.p0", "port number %{p0}"); - - var part2028 = match("MESSAGE#274:00015:02/2", "nwparser.p0", "has been %{disposition}"); - - var part2029 = match("MESSAGE#276:00015:04/1_0", "nwparser.p0", "IP %{p0}"); - - var part2030 = match("MESSAGE#276:00015:04/1_1", "nwparser.p0", "port %{p0}"); - - var part2031 = match("MESSAGE#284:00015:12/3_0", "nwparser.p0", "up %{p0}"); - - var part2032 = match("MESSAGE#284:00015:12/3_1", "nwparser.p0", "down %{p0}"); - - var part2033 = match("MESSAGE#294:00015:22/2_0", "nwparser.p0", "(%{fld1}) "); - - var part2034 = match("MESSAGE#317:00017:01/2_0", "nwparser.p0", ": %{p0}"); - - var part2035 = match("MESSAGE#320:00017:04/0", "nwparser.payload", "IP %{p0}"); - - var part2036 = match("MESSAGE#320:00017:04/1_0", "nwparser.p0", "address pool %{p0}"); - - var part2037 = match("MESSAGE#320:00017:04/1_1", "nwparser.p0", "pool %{p0}"); - - var part2038 = match("MESSAGE#326:00017:10/1_0", "nwparser.p0", "enabled %{p0}"); - - var part2039 = match("MESSAGE#326:00017:10/1_1", "nwparser.p0", "disabled %{p0}"); - - var part2040 = match("MESSAGE#332:00017:15/1_0", "nwparser.p0", "AH %{p0}"); - - var part2041 = match("MESSAGE#332:00017:15/1_1", "nwparser.p0", "ESP %{p0}"); - - var part2042 = match("MESSAGE#354:00018:11/0", "nwparser.payload", "%{} %{p0}"); - - var part2043 = match("MESSAGE#356:00018:32/0_0", "nwparser.payload", "Source%{p0}"); - - var part2044 = 
match("MESSAGE#356:00018:32/0_1", "nwparser.payload", "Destination%{p0}"); - - var part2045 = match("MESSAGE#356:00018:32/2_0", "nwparser.p0", "from %{p0}"); - - var part2046 = match("MESSAGE#356:00018:32/3", "nwparser.p0", "policy ID %{policy_id->} by admin %{administrator->} via NSRP Peer . (%{fld1})"); - - var part2047 = match("MESSAGE#375:00019:01/0", "nwparser.payload", "Attempt to enable %{p0}"); - - var part2048 = match("MESSAGE#375:00019:01/1_0", "nwparser.p0", "traffic logging via syslog %{p0}"); - - var part2049 = match("MESSAGE#375:00019:01/1_1", "nwparser.p0", "syslog %{p0}"); - - var part2050 = match("MESSAGE#378:00019:04/0", "nwparser.payload", "Syslog %{p0}"); - - var part2051 = match("MESSAGE#378:00019:04/1_0", "nwparser.p0", "host %{p0}"); - - var part2052 = match("MESSAGE#378:00019:04/3_1", "nwparser.p0", "domain name %{p0}"); - - var part2053 = match("MESSAGE#378:00019:04/4", "nwparser.p0", "has been changed to %{fld2}"); - - var part2054 = match("MESSAGE#380:00019:06/1_0", "nwparser.p0", "security facility %{p0}"); - - var part2055 = match("MESSAGE#380:00019:06/1_1", "nwparser.p0", "facility %{p0}"); - - var part2056 = match("MESSAGE#380:00019:06/3_0", "nwparser.p0", "local0%{}"); - - var part2057 = match("MESSAGE#380:00019:06/3_1", "nwparser.p0", "local1%{}"); - - var part2058 = match("MESSAGE#380:00019:06/3_2", "nwparser.p0", "local2%{}"); - - var part2059 = match("MESSAGE#380:00019:06/3_3", "nwparser.p0", "local3%{}"); - - var part2060 = match("MESSAGE#380:00019:06/3_4", "nwparser.p0", "local4%{}"); - - var part2061 = match("MESSAGE#380:00019:06/3_5", "nwparser.p0", "local5%{}"); - - var part2062 = match("MESSAGE#380:00019:06/3_6", "nwparser.p0", "local6%{}"); - - var part2063 = match("MESSAGE#380:00019:06/3_7", "nwparser.p0", "local7%{}"); - - var part2064 = match("MESSAGE#380:00019:06/3_8", "nwparser.p0", "auth/sec%{}"); - - var part2065 = match("MESSAGE#384:00019:10/0", "nwparser.payload", "%{fld2->} %{p0}"); - - var part2066 = 
match("MESSAGE#405:00022/0", "nwparser.payload", "All %{p0}"); - - var part2067 = match("MESSAGE#414:00022:09/1_0", "nwparser.p0", "primary %{p0}"); - - var part2068 = match("MESSAGE#414:00022:09/1_1", "nwparser.p0", "secondary %{p0}"); - - var part2069 = match("MESSAGE#414:00022:09/3_0", "nwparser.p0", "t %{p0}"); - - var part2070 = match("MESSAGE#414:00022:09/3_1", "nwparser.p0", "w %{p0}"); - - var part2071 = match("MESSAGE#423:00024/1", "nwparser.p0", "server %{p0}"); - - var part2072 = match("MESSAGE#426:00024:03/1_0", "nwparser.p0", "has %{p0}"); - - var part2073 = match("MESSAGE#434:00026:01/0", "nwparser.payload", "SCS%{p0}"); - - var part2074 = match("MESSAGE#434:00026:01/3_0", "nwparser.p0", "bound to %{p0}"); - - var part2075 = match("MESSAGE#434:00026:01/3_1", "nwparser.p0", "unbound from %{p0}"); - - var part2076 = match("MESSAGE#441:00026:08/1_1", "nwparser.p0", "PKA RSA %{p0}"); - - var part2077 = match("MESSAGE#443:00026:10/3_1", "nwparser.p0", "unbind %{p0}"); - - var part2078 = match("MESSAGE#443:00026:10/4", "nwparser.p0", "PKA key %{p0}"); - - var part2079 = match("MESSAGE#446:00027/0", "nwparser.payload", "Multiple login failures %{p0}"); - - var part2080 = match("MESSAGE#446:00027/1_0", "nwparser.p0", "occurred for %{p0}"); - - var part2081 = match("MESSAGE#451:00027:05/5_0", "nwparser.p0", "aborted%{}"); - - var part2082 = match("MESSAGE#451:00027:05/5_1", "nwparser.p0", "performed%{}"); - - var part2083 = match("MESSAGE#466:00029:03/0", "nwparser.payload", "IP pool of DHCP server on %{p0}"); - - var part2084 = match("MESSAGE#492:00030:17/1_0", "nwparser.p0", "certificate %{p0}"); - - var part2085 = match("MESSAGE#492:00030:17/1_1", "nwparser.p0", "CRL %{p0}"); - - var part2086 = match("MESSAGE#493:00030:40/1_0", "nwparser.p0", "auto %{p0}"); - - var part2087 = match("MESSAGE#508:00030:55/1_0", "nwparser.p0", "RSA %{p0}"); - - var part2088 = match("MESSAGE#508:00030:55/1_1", "nwparser.p0", "DSA %{p0}"); - - var part2089 = 
match("MESSAGE#508:00030:55/2", "nwparser.p0", "key pair.%{}"); - - var part2090 = match("MESSAGE#539:00030:86/0", "nwparser.payload", "FIPS test for %{p0}"); - - var part2091 = match("MESSAGE#539:00030:86/1_0", "nwparser.p0", "ECDSA %{p0}"); - - var part2092 = match("MESSAGE#543:00031:02/1_0", "nwparser.p0", "yes %{p0}"); - - var part2093 = match("MESSAGE#543:00031:02/1_1", "nwparser.p0", "no %{p0}"); - - var part2094 = match("MESSAGE#545:00031:04/1_1", "nwparser.p0", "location %{p0}"); - - var part2095 = match("MESSAGE#548:00031:05/2", "nwparser.p0", "%{} %{interface}"); - - var part2096 = match("MESSAGE#549:00031:06/0", "nwparser.payload", "arp re%{p0}"); - - var part2097 = match("MESSAGE#549:00031:06/1_1", "nwparser.p0", "q %{p0}"); - - var part2098 = match("MESSAGE#549:00031:06/1_2", "nwparser.p0", "ply %{p0}"); - - var part2099 = match("MESSAGE#549:00031:06/9_0", "nwparser.p0", "%{interface->} (%{fld1})"); - - var part2100 = match("MESSAGE#561:00033/0_0", "nwparser.payload", "Global PRO %{p0}"); - - var part2101 = match("MESSAGE#561:00033/0_1", "nwparser.payload", "%{fld3->} %{p0}"); - - var part2102 = match("MESSAGE#569:00033:08/0", "nwparser.payload", "NACN Policy Manager %{p0}"); - - var part2103 = match("MESSAGE#569:00033:08/1_0", "nwparser.p0", "1 %{p0}"); - - var part2104 = match("MESSAGE#569:00033:08/1_1", "nwparser.p0", "2 %{p0}"); - - var part2105 = match("MESSAGE#571:00033:10/3_1", "nwparser.p0", "unset %{p0}"); - - var part2106 = match("MESSAGE#581:00033:21/0", "nwparser.payload", "%{signame}! 
From %{saddr}:%{sport->} to %{daddr}:%{dport}, proto %{protocol->} (zone %{zone->} %{p0}"); - - var part2107 = match("MESSAGE#586:00034:01/2_1", "nwparser.p0", "SSH %{p0}"); - - var part2108 = match("MESSAGE#588:00034:03/0_0", "nwparser.payload", "SCS: NetScreen %{p0}"); - - var part2109 = match("MESSAGE#588:00034:03/0_1", "nwparser.payload", "NetScreen %{p0}"); - - var part2110 = match("MESSAGE#595:00034:10/0", "nwparser.payload", "S%{p0}"); - - var part2111 = match("MESSAGE#595:00034:10/1_0", "nwparser.p0", "CS: SSH%{p0}"); - - var part2112 = match("MESSAGE#595:00034:10/1_1", "nwparser.p0", "SH%{p0}"); - - var part2113 = match("MESSAGE#596:00034:12/3_0", "nwparser.p0", "the root system %{p0}"); - - var part2114 = match("MESSAGE#596:00034:12/3_1", "nwparser.p0", "vsys %{fld2->} %{p0}"); - - var part2115 = match("MESSAGE#599:00034:18/1_0", "nwparser.p0", "CS: SSH %{p0}"); - - var part2116 = match("MESSAGE#599:00034:18/1_1", "nwparser.p0", "SH %{p0}"); - - var part2117 = match("MESSAGE#630:00035:06/1_0", "nwparser.p0", "a %{p0}"); - - var part2118 = match("MESSAGE#630:00035:06/1_1", "nwparser.p0", "ert %{p0}"); - - var part2119 = match("MESSAGE#633:00035:09/0", "nwparser.payload", "SSL %{p0}"); - - var part2120 = match("MESSAGE#644:00037:01/1_0", "nwparser.p0", "id: %{p0}"); - - var part2121 = match("MESSAGE#644:00037:01/1_1", "nwparser.p0", "ID %{p0}"); - - var part2122 = match("MESSAGE#659:00044/1_0", "nwparser.p0", "permit %{p0}"); - - var part2123 = match("MESSAGE#675:00055/0", "nwparser.payload", "IGMP %{p0}"); - - var part2124 = match("MESSAGE#677:00055:02/0", "nwparser.payload", "IGMP will %{p0}"); - - var part2125 = match("MESSAGE#677:00055:02/1_0", "nwparser.p0", "not do %{p0}"); - - var part2126 = match("MESSAGE#677:00055:02/1_1", "nwparser.p0", "do %{p0}"); - - var part2127 = match("MESSAGE#689:00059/1_1", "nwparser.p0", "shut down %{p0}"); - - var part2128 = match("MESSAGE#707:00070/0", "nwparser.payload", "NSRP: %{p0}"); - - var part2129 = 
match("MESSAGE#707:00070/1_0", "nwparser.p0", "Unit %{p0}"); - - var part2130 = match("MESSAGE#707:00070/1_1", "nwparser.p0", "local unit= %{p0}"); - - var part2131 = match("MESSAGE#707:00070/2", "nwparser.p0", "%{fld2->} of VSD group %{group->} %{info}"); - - var part2132 = match("MESSAGE#708:00070:01/0", "nwparser.payload", "The local device %{fld2->} in the Virtual Sec%{p0}"); - - var part2133 = match("MESSAGE#708:00070:01/1_0", "nwparser.p0", "ruity%{p0}"); - - var part2134 = match("MESSAGE#708:00070:01/1_1", "nwparser.p0", "urity%{p0}"); - - var part2135 = match("MESSAGE#713:00072:01/2", "nwparser.p0", "%{}Device group %{group->} changed state"); - - var part2136 = match("MESSAGE#717:00075/2", "nwparser.p0", "%{fld2->} of VSD group %{group->} %{info}"); - - var part2137 = match("MESSAGE#748:00257:19/0", "nwparser.payload", "start_time=%{p0}"); - - var part2138 = match("MESSAGE#748:00257:19/1_0", "nwparser.p0", "\\\"%{fld2}\\\"%{p0}"); - - var part2139 = match("MESSAGE#748:00257:19/1_1", "nwparser.p0", " \"%{fld2}\" %{p0}"); - - var part2140 = match_copy("MESSAGE#756:00257:10/1_1", "nwparser.p0", "daddr"); - - var part2141 = match("MESSAGE#760:00259/0_0", "nwparser.payload", "Admin %{p0}"); - - var part2142 = match("MESSAGE#760:00259/0_1", "nwparser.payload", "Vsys admin %{p0}"); - - var part2143 = match("MESSAGE#760:00259/2_1", "nwparser.p0", "Telnet %{p0}"); - - var part2144 = match("MESSAGE#777:00406/2", "nwparser.p0", "%{interface}). Occurred %{dclass_counter1->} times."); - - var part2145 = match("MESSAGE#790:00423/2", "nwparser.p0", "%{interface}).%{space}Occurred %{dclass_counter1->} times."); - - var part2146 = match("MESSAGE#793:00430/2", "nwparser.p0", "%{interface}).%{space}Occurred %{dclass_counter1->} times.%{p0}"); - - var part2147 = match("MESSAGE#795:00431/0", "nwparser.payload", "%{obj_type->} %{disposition}! 
From %{saddr}:%{sport->} to %{daddr}:%{dport}, proto %{protocol->} (zone %{zone->} %{p0}"); - - var part2148 = match("MESSAGE#797:00433/0", "nwparser.payload", "%{signame->} %{disposition}! From %{saddr}:%{sport->} to %{daddr}:%{dport}, proto %{protocol->} (zone %{zone->} %{p0}"); - - var part2149 = match("MESSAGE#804:00437:01/0", "nwparser.payload", "%{signame}! From %{saddr}:%{sport->} to %{daddr}:%{dport}, proto %{protocol->} (zone %{p0}"); - - var part2150 = match("MESSAGE#817:00511:01/1_0", "nwparser.p0", "%{administrator->} (%{fld1})"); - - var part2151 = match("MESSAGE#835:00515:04/2_1", "nwparser.p0", "ut %{p0}"); - - var part2152 = match("MESSAGE#835:00515:04/4_0", "nwparser.p0", "%{logon_type->} from %{saddr}:%{sport}"); - - var part2153 = match("MESSAGE#837:00515:05/1_0", "nwparser.p0", "user %{p0}"); - - var part2154 = match("MESSAGE#837:00515:05/5_0", "nwparser.p0", "the %{logon_type}"); - - var part2155 = match("MESSAGE#869:00519:01/1_0", "nwparser.p0", "WebAuth user %{p0}"); - - var part2156 = match("MESSAGE#876:00520:02/1_1", "nwparser.p0", "backup1 %{p0}"); - - var part2157 = match("MESSAGE#876:00520:02/1_2", "nwparser.p0", "backup2 %{p0}"); - - var part2158 = match("MESSAGE#890:00524:13/1_0", "nwparser.p0", ",%{p0}"); - - var part2159 = match("MESSAGE#901:00527/1_0", "nwparser.p0", "assigned %{p0}"); - - var part2160 = match("MESSAGE#901:00527/3_0", "nwparser.p0", "assigned to %{p0}"); - - var part2161 = match("MESSAGE#927:00528:15/1_0", "nwparser.p0", "'%{administrator}' %{p0}"); - - var part2162 = match("MESSAGE#930:00528:18/0", "nwparser.payload", "SSH: P%{p0}"); - - var part2163 = match("MESSAGE#930:00528:18/1_0", "nwparser.p0", "KA %{p0}"); - - var part2164 = match("MESSAGE#930:00528:18/1_1", "nwparser.p0", "assword %{p0}"); - - var part2165 = match("MESSAGE#930:00528:18/3_0", "nwparser.p0", "\\'%{administrator}\\' %{p0}"); - - var part2166 = match("MESSAGE#930:00528:18/4", "nwparser.p0", "at host %{saddr}"); - - var part2167 = 
match("MESSAGE#932:00528:19/0", "nwparser.payload", "%{}S%{p0}"); - - var part2168 = match("MESSAGE#932:00528:19/1_0", "nwparser.p0", "CS %{p0}"); - - var part2169 = match("MESSAGE#1060:00553/2", "nwparser.p0", "from server.ini file.%{}"); - - var part2170 = match("MESSAGE#1064:00553:04/1_0", "nwparser.p0", "pattern %{p0}"); - - var part2171 = match("MESSAGE#1064:00553:04/1_1", "nwparser.p0", "server.ini %{p0}"); - - var part2172 = match("MESSAGE#1068:00553:08/2", "nwparser.p0", "file.%{}"); - - var part2173 = match("MESSAGE#1087:00554:04/1_1", "nwparser.p0", "AV pattern %{p0}"); - - var part2174 = match("MESSAGE#1116:00556:14/1_0", "nwparser.p0", "added into %{p0}"); - - var part2175 = match("MESSAGE#1157:00767:11/1_0", "nwparser.p0", "loader %{p0}"); - - var select436 = linear_select([ - dup10, - dup11, - ]); - - var part2176 = match("MESSAGE#7:00001:07", "nwparser.payload", "Policy ID=%{policy_id->} Rate=%{fld2->} exceeds threshold", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var select437 = linear_select([ - dup13, - dup14, - ]); - - var select438 = linear_select([ - dup15, - dup16, - ]); - - var select439 = linear_select([ - dup56, - dup57, - ]); - - var select440 = linear_select([ - dup65, - dup66, - ]); - - var select441 = linear_select([ - dup68, - dup69, - ]); - - var select442 = linear_select([ - dup71, - dup72, - ]); - - var part2177 = match("MESSAGE#84:00005:04", "nwparser.payload", "%{signame->} from %{saddr}/%{sport->} to %{daddr}/%{dport->} protocol %{protocol->} (%{interface})", processor_chain([ - dup58, - dup2, - dup3, - dup4, - dup5, - dup61, - ])); - - var select443 = linear_select([ - dup74, - dup75, - ]); - - var select444 = linear_select([ - dup81, - dup82, - ]); - - var select445 = linear_select([ - dup24, - dup90, - ]); - - var select446 = linear_select([ - dup94, - dup95, - ]); - - var select447 = linear_select([ - dup98, - dup99, - ]); - - var select448 = linear_select([ - dup100, - dup101, - dup102, - ]); - - 
var select449 = linear_select([ - dup113, - dup114, - ]); - - var select450 = linear_select([ - dup111, - dup16, - ]); - - var select451 = linear_select([ - dup127, - dup107, - ]); - - var select452 = linear_select([ - dup8, - dup21, - ]); - - var select453 = linear_select([ - dup122, - dup133, - ]); - - var select454 = linear_select([ - dup142, - dup143, - ]); - - var select455 = linear_select([ - dup145, - dup21, - ]); - - var select456 = linear_select([ - dup127, - dup106, - ]); - - var select457 = linear_select([ - dup152, - dup96, - ]); - - var select458 = linear_select([ - dup154, - dup155, - ]); - - var select459 = linear_select([ - dup156, - dup157, - ]); - - var select460 = linear_select([ - dup99, - dup134, - ]); - - var select461 = linear_select([ - dup158, - dup159, - ]); - - var select462 = linear_select([ - dup161, - dup162, - ]); - - var select463 = linear_select([ - dup163, - dup103, - ]); - - var select464 = linear_select([ - dup162, - dup161, - ]); - - var select465 = linear_select([ - dup46, - dup47, - ]); - - var select466 = linear_select([ - dup166, - dup167, - ]); - - var select467 = linear_select([ - dup172, - dup173, - ]); - - var select468 = linear_select([ - dup174, - dup175, - dup176, - dup177, - dup178, - dup179, - dup180, - dup181, - dup182, - ]); - - var select469 = linear_select([ - dup49, - dup21, - ]); - - var select470 = linear_select([ - dup189, - dup190, - ]); - - var select471 = linear_select([ - dup96, - dup152, - ]); - - var select472 = linear_select([ - dup196, - dup197, - ]); - - var select473 = linear_select([ - dup24, - dup200, - ]); - - var select474 = linear_select([ - dup103, - dup163, - ]); - - var select475 = linear_select([ - dup205, - dup118, - ]); - - var part2178 = match("MESSAGE#477:00030:02", "nwparser.payload", "%{change_attribute->} has been changed from %{change_old->} to %{change_new}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var select476 = linear_select([ - dup212, - dup213, - 
]); - - var select477 = linear_select([ - dup215, - dup216, - ]); - - var select478 = linear_select([ - dup222, - dup215, - ]); - - var select479 = linear_select([ - dup224, - dup225, - ]); - - var select480 = linear_select([ - dup231, - dup124, - ]); - - var select481 = linear_select([ - dup229, - dup230, - ]); - - var select482 = linear_select([ - dup233, - dup234, - ]); - - var select483 = linear_select([ - dup236, - dup237, - ]); - - var select484 = linear_select([ - dup242, - dup243, - ]); - - var select485 = linear_select([ - dup245, - dup246, - ]); - - var select486 = linear_select([ - dup247, - dup248, - ]); - - var select487 = linear_select([ - dup249, - dup250, - ]); - - var select488 = linear_select([ - dup251, - dup252, - ]); - - var select489 = linear_select([ - dup260, - dup261, - ]); - - var select490 = linear_select([ - dup264, - dup265, - ]); - - var select491 = linear_select([ - dup268, - dup269, - ]); - - var part2179 = match("MESSAGE#716:00074", "nwparser.payload", "The local device %{fld2->} in the Virtual Security Device group %{group->} %{info}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var select492 = linear_select([ - dup284, - dup285, - ]); - - var select493 = linear_select([ - dup287, - dup288, - ]); - - var part2180 = match("MESSAGE#799:00435", "nwparser.payload", "%{signame->} From %{saddr->} to %{daddr}, using protocol %{protocol}, and arriving at interface %{dinterface->} in zone %{dst_zone}.%{space}The attack occurred %{dclass_counter1->} times.", processor_chain([ - dup58, - dup2, - dup59, - dup4, - dup5, - dup3, - dup60, - ])); - - var part2181 = match("MESSAGE#814:00442", "nwparser.payload", "%{signame->} From %{saddr->} to zone %{zone}, proto %{protocol->} (int %{interface}). Occurred %{dclass_counter1->} times. 
(%{fld1})", processor_chain([ - dup58, - dup4, - dup59, - dup5, - dup9, - dup2, - dup3, - dup60, - ])); - - var select494 = linear_select([ - dup300, - dup26, - ]); - - var select495 = linear_select([ - dup115, - dup303, - ]); - - var select496 = linear_select([ - dup125, - dup96, - ]); - - var select497 = linear_select([ - dup189, - dup308, - dup309, - ]); - - var select498 = linear_select([ - dup310, - dup16, - ]); - - var select499 = linear_select([ - dup317, - dup318, - ]); - - var select500 = linear_select([ - dup319, - dup315, - ]); - - var select501 = linear_select([ - dup322, - dup250, - ]); - - var select502 = linear_select([ - dup327, - dup329, - ]); - - var select503 = linear_select([ - dup330, - dup129, - ]); - - var part2182 = match("MESSAGE#1196:01269:01", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} direction=%{direction->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} icmp type=%{icmptype}", processor_chain([ - dup281, - dup2, - dup4, - dup5, - dup274, - dup3, - dup275, - dup60, - dup282, - ])); - - var part2183 = match("MESSAGE#1197:01269:02", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=Deny sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} icmp type=%{icmptype}", processor_chain([ - dup185, - dup2, - dup4, - dup5, - dup274, - dup3, - dup275, - dup276, - dup277, - dup60, - ])); - - var part2184 = match("MESSAGE#1198:01269:03", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} icmp type=%{icmptype}", processor_chain([ - dup281, - dup2, - dup4, - dup5, - 
dup274, - dup3, - dup275, - dup60, - dup282, - ])); - - var part2185 = match("MESSAGE#1203:23184", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} (%{fld3}) proto=%{protocol->} direction=%{direction->} action=Deny sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport}", processor_chain([ - dup185, - dup2, - dup4, - dup5, - dup274, - dup3, - dup275, - dup276, - dup277, - dup61, - ])); - - var all391 = all_match({ - processors: [ - dup263, - dup390, - dup266, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var all392 = all_match({ - processors: [ - dup267, - dup391, - dup270, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var all393 = all_match({ - processors: [ - dup80, - dup343, - dup293, - ], - on_success: processor_chain([ - dup58, - dup2, - dup59, - dup3, - dup4, - dup5, - dup61, - ]), - }); - - var all394 = all_match({ - processors: [ - dup296, - dup343, - dup131, - ], - on_success: processor_chain([ - dup297, - dup2, - dup3, - dup9, - dup59, - dup4, - dup5, - dup61, - ]), - }); - - var all395 = all_match({ - processors: [ - dup298, - dup343, - dup131, - ], - on_success: processor_chain([ - dup297, - dup2, - dup3, - dup9, - dup59, - dup4, - dup5, - dup61, - ]), - }); - -- community_id: -- registered_domain: - ignore_missing: true - ignore_failure: true - field: dns.question.name - target_field: dns.question.registered_domain - target_subdomain_field: dns.question.subdomain - target_etld_field: dns.question.top_level_domain -- registered_domain: - ignore_missing: true - ignore_failure: true - field: client.domain - target_field: client.registered_domain - target_subdomain_field: client.subdomain - target_etld_field: client.top_level_domain -- registered_domain: - ignore_missing: true - ignore_failure: true - field: server.domain - target_field: 
server.registered_domain
- target_subdomain_field: server.subdomain
- target_etld_field: server.top_level_domain
-- registered_domain:
- ignore_missing: true
- ignore_failure: true
- field: destination.domain
- target_field: destination.registered_domain
- target_subdomain_field: destination.subdomain
- target_etld_field: destination.top_level_domain
-- registered_domain:
- ignore_missing: true
- ignore_failure: true
- field: source.domain
- target_field: source.registered_domain
- target_subdomain_field: source.subdomain
- target_etld_field: source.top_level_domain
-- registered_domain:
- ignore_missing: true
- ignore_failure: true
- field: url.domain
- target_field: url.registered_domain
- target_subdomain_field: url.subdomain
- target_etld_field: url.top_level_domain
-- add_locale: ~
diff --git a/packages/juniper_netscreen/0.4.1/data_stream/log/agent/stream/tcp.yml.hbs b/packages/juniper_netscreen/0.4.1/data_stream/log/agent/stream/tcp.yml.hbs
deleted file mode 100755
index 0a6ba053fa..0000000000
--- a/packages/juniper_netscreen/0.4.1/data_stream/log/agent/stream/tcp.yml.hbs
+++ /dev/null
@@ -1,26354 +0,0 @@
-tcp:
-host: "{{tcp_host}}:{{tcp_port}}"
-tags:
-{{#if preserve_original_event}}
- - preserve_original_event
-{{/if}}
-{{#each tags as |tag i|}}
- - {{tag}}
-{{/each}}
-fields_under_root: true
-fields:
- observer:
- vendor: "Juniper"
- product: "Netscreen"
- type: "Firewall"
-{{#contains "forwarded" tags}}
-publisher_pipeline.disable_host: true
-{{/contains}}
-processors:
-{{#if processors}}
-{{processors}}
-{{/if}}
-- script:
- lang: javascript
- params:
- ecs: true
- rsa: {{rsa_fields}}
- tz_offset: {{tz_offset}}
- keep_raw: {{keep_raw_fields}}
- debug: {{debug}}
- source: |
- // Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
- // or more contributor license agreements. Licensed under the Elastic License;
- // you may not use this file except in compliance with the Elastic License.
-
- /* jshint -W014,-W016,-W097,-W116 */
-
- var processor = require("processor");
- var console = require("console");
-
- var FLAG_FIELD = "log.flags";
- var FIELDS_OBJECT = "nwparser";
- var FIELDS_PREFIX = FIELDS_OBJECT + ".";
-
- var defaults = {
- debug: false,
- ecs: true,
- rsa: false,
- keep_raw: false,
- tz_offset: "local",
- strip_priority: true
- };
-
- var saved_flags = null;
- var debug;
- var map_ecs;
- var map_rsa;
- var keep_raw;
- var device;
- var tz_offset;
- var strip_priority;
-
- // Register params from configuration.
- function register(params) {
- debug = params.debug !== undefined ? params.debug : defaults.debug;
- map_ecs = params.ecs !== undefined ? params.ecs : defaults.ecs;
- map_rsa = params.rsa !== undefined ? params.rsa : defaults.rsa;
- keep_raw = params.keep_raw !== undefined ? params.keep_raw : defaults.keep_raw;
- tz_offset = parse_tz_offset(params.tz_offset !== undefined? params.tz_offset : defaults.tz_offset);
- strip_priority = params.strip_priority !== undefined?
params.strip_priority : defaults.strip_priority;
- device = new DeviceProcessor();
- }
-
- function parse_tz_offset(offset) {
- var date;
- var m;
- switch(offset) {
- // local uses the tz offset from the JS VM.
- case "local":
- date = new Date();
- // Reversing the sign as we the offset from UTC, not to UTC.
- return parse_local_tz_offset(-date.getTimezoneOffset());
- // event uses the tz offset from event.timezone (add_locale processor).
- case "event":
- return offset;
- // Otherwise a tz offset in the form "[+-][0-9]{4}" is required.
- default:
- m = offset.match(/^([+\-])([0-9]{2}):?([0-9]{2})?$/);
- if (m === null || m.length !== 4) {
- throw("bad timezone offset: '" + offset + "'. Must have the form +HH:MM");
- }
- return m[1] + m[2] + ":" + (m[3]!==undefined? m[3] : "00");
- }
- }
-
- function parse_local_tz_offset(minutes) {
- var neg = minutes < 0;
- minutes = Math.abs(minutes);
- var min = minutes % 60;
- var hours = Math.floor(minutes / 60);
- var pad2digit = function(n) {
- if (n < 10) { return "0" + n;}
- return "" + n;
- };
- return (neg? "-" : "+") + pad2digit(hours) + ":" + pad2digit(min);
- }
-
- function process(evt) {
- // Function register is only called by the processor when `params` are set
- // in the processor config.
- if (device === undefined) {
- register(defaults);
- }
- return device.process(evt);
- }
-
- function processor_chain(subprocessors) {
- var builder = new processor.Chain();
- subprocessors.forEach(builder.Add);
- return builder.Build().Run;
- }
-
- function linear_select(subprocessors) {
- return function (evt) {
- var flags = evt.Get(FLAG_FIELD);
- var i;
- for (i = 0; i < subprocessors.length; i++) {
- evt.Delete(FLAG_FIELD);
- if (debug) console.warn("linear_select trying entry " + i);
- subprocessors[i](evt);
- // Dissect processor succeeded?
- if (evt.Get(FLAG_FIELD) == null) break;
- if (debug) console.warn("linear_select failed entry " + i);
- }
- if (flags !== null) {
- evt.Put(FLAG_FIELD, flags);
- }
- if (debug) {
- if (i < subprocessors.length) {
- console.warn("linear_select matched entry " + i);
- } else {
- console.warn("linear_select didn't match");
- }
- }
- };
- }
-
- function conditional(opt) {
- return function(evt) {
- if (opt.if(evt)) {
- opt.then(evt);
- } else if (opt.else) {
- opt.else(evt);
- }
- };
- }
-
- var strip_syslog_priority = (function() {
- var isEnabled = function() { return strip_priority === true; };
- var fetchPRI = field("_pri");
- var fetchPayload = field("payload");
- var removePayload = remove(["payload"]);
- var cleanup = remove(["_pri", "payload"]);
- var onMatch = function(evt) {
- var pri, priStr = fetchPRI(evt);
- if (priStr != null
- && 0 < priStr.length && priStr.length < 4
- && !isNaN((pri = Number(priStr)))
- && 0 <= pri && pri < 192) {
- var severity = pri & 7,
- facility = pri >> 3;
- setc("_severity", "" + severity)(evt);
- setc("_facility", "" + facility)(evt);
- // Replace message with priority stripped.
- evt.Put("message", fetchPayload(evt));
- removePayload(evt);
- } else {
- // not a valid syslog PRI, cleanup.
- cleanup(evt);
- }
- };
- return conditional({
- if: isEnabled,
- then: cleanup_flags(match(
- "STRIP_PRI",
- "message",
- "<%{_pri}>%{payload}",
- onMatch
- ))
- });
- })();
-
- function match(id, src, pattern, on_success) {
- var dissect = new processor.Dissect({
- field: src,
- tokenizer: pattern,
- target_prefix: FIELDS_OBJECT,
- ignore_failure: true,
- overwrite_keys: true,
- trim_values: "right"
- });
- return function (evt) {
- var msg = evt.Get(src);
- dissect.Run(evt);
- var failed = evt.Get(FLAG_FIELD) != null;
- if (debug) {
- if (failed) {
- console.debug("dissect fail: " + id + " field:" + src);
- } else {
- console.debug("dissect OK: " + id + " field:" + src);
- }
- console.debug(" expr: <<" + pattern + ">>");
- console.debug(" input: <<" + msg + ">>");
- }
- if (on_success != null && !failed) {
- on_success(evt);
- }
- };
- }
-
- function match_copy(id, src, dst, on_success) {
- dst = FIELDS_PREFIX + dst;
- if (dst === FIELDS_PREFIX || dst === src) {
- return function (evt) {
- if (debug) {
- console.debug("noop OK: " + id + " field:" + src);
- console.debug(" input: <<" + evt.Get(src) + ">>");
- }
- if (on_success != null) on_success(evt);
- }
- }
- return function (evt) {
- var msg = evt.Get(src);
- evt.Put(dst, msg);
- if (debug) {
- console.debug("copy OK: " + id + " field:" + src);
- console.debug(" target: '" + dst + "'");
- console.debug(" input: <<" + msg + ">>");
- }
- if (on_success != null) on_success(evt);
- }
- }
-
- function cleanup_flags(processor) {
- return function(evt) {
- processor(evt);
- evt.Delete(FLAG_FIELD);
- };
- }
-
- function all_match(opts) {
- return function (evt) {
- var i;
- for (i = 0; i < opts.processors.length; i++) {
- evt.Delete(FLAG_FIELD);
- opts.processors[i](evt);
- // Dissect processor succeeded?
- if (evt.Get(FLAG_FIELD) != null) {
- if (debug) console.warn("all_match failure at " + i);
- if (opts.on_failure != null) opts.on_failure(evt);
- return;
- }
- if (debug) console.warn("all_match success at " + i);
- }
- if (opts.on_success != null) opts.on_success(evt);
- };
- }
-
- function msgid_select(mapping) {
- return function (evt) {
- var msgid = evt.Get(FIELDS_PREFIX + "messageid");
- if (msgid == null) {
- if (debug) console.warn("msgid_select: no messageid captured!");
- return;
- }
- var next = mapping[msgid];
- if (next === undefined) {
- if (debug) console.warn("msgid_select: no mapping for messageid:" + msgid);
- return;
- }
- if (debug) console.info("msgid_select: matched key=" + msgid);
- return next(evt);
- };
- }
-
- function msg(msg_id, match) {
- return function (evt) {
- match(evt);
- if (evt.Get(FLAG_FIELD) == null) {
- evt.Put(FIELDS_PREFIX + "msg_id1", msg_id);
- }
- };
- }
-
- var start;
-
- function save_flags(evt) {
- saved_flags = evt.Get(FLAG_FIELD);
- evt.Put("event.original", evt.Get("message"));
- }
-
- function restore_flags(evt) {
- if (saved_flags !== null) {
- evt.Put(FLAG_FIELD, saved_flags);
- }
- evt.Delete("message");
- }
-
- function constant(value) {
- return function (evt) {
- return value;
- };
- }
-
- function field(name) {
- var fullname = FIELDS_PREFIX + name;
- return function (evt) {
- return evt.Get(fullname);
- };
- }
-
- function STRCAT(args) {
- var s = "";
- var i;
- for (i = 0; i < args.length; i++) {
- s += args[i];
- }
- return s;
- }
-
- // TODO: Implement
- function DIRCHK(args) {
- unimplemented("DIRCHK");
- }
-
- function strictToInt(str) {
- return str * 1;
- }
-
- function CALC(args) {
- if (args.length !== 3) {
- console.warn("skipped call to CALC with " + args.length + " arguments.");
- return;
- }
- var a = strictToInt(args[0]);
- var b = strictToInt(args[2]);
- if (isNaN(a) || isNaN(b)) {
- console.warn("failed evaluating CALC arguments a='" + args[0] + "' b='" + args[2] + "'.");
- return;
- }
-
var result;
- switch (args[1]) {
- case "+":
- result = a + b;
- break;
- case "-":
- result = a - b;
- break;
- case "*":
- result = a * b;
- break;
- default:
- // Only * and + seen in the parsers.
- console.warn("unknown CALC operation '" + args[1] + "'.");
- return;
- }
- // Always return a string
- return result !== undefined ? "" + result : result;
- }
-
- var quoteChars = "\"'`";
- function RMQ(args) {
- if(args.length !== 1) {
- console.warn("RMQ: only one argument expected");
- return;
- }
- var value = args[0].trim();
- var n = value.length;
- var char;
- return n > 1
- && (char=value.charAt(0)) === value.charAt(n-1)
- && quoteChars.indexOf(char) !== -1?
- value.substr(1, n-2)
- : value;
- }
-
- function call(opts) {
- var args = new Array(opts.args.length);
- return function (evt) {
- for (var i = 0; i < opts.args.length; i++)
- if ((args[i] = opts.args[i](evt)) == null) return;
- var result = opts.fn(args);
- if (result != null) {
- evt.Put(opts.dest, result);
- }
- };
- }
-
- function nop(evt) {
- }
-
- function appendErrorMsg(evt, msg) {
- var value = evt.Get("error.message");
- if (value == null) {
- value = [msg];
- } else if (msg instanceof Array) {
- value.push(msg);
- } else {
- value = [value, msg];
- }
- evt.Put("error.message", value);
- }
-
- function unimplemented(name) {
- appendErrorMsg("unimplemented feature: " + name);
- }
-
- function lookup(opts) {
- return function (evt) {
- var key = opts.key(evt);
- if (key == null) return;
- var value = opts.map.keyvaluepairs[key];
- if (value === undefined) {
- value = opts.map.default;
- }
- if (value !== undefined) {
- evt.Put(opts.dest, value(evt));
- }
- };
- }
-
- function set(fields) {
- return new processor.AddFields({
- target: FIELDS_OBJECT,
- fields: fields,
- });
- }
-
- function setf(dst, src) {
- return function (evt) {
- var val = evt.Get(FIELDS_PREFIX + src);
- if (val != null) evt.Put(FIELDS_PREFIX + dst, val);
- };
- }
-
- function setc(dst, value) {
- return function (evt) {
-
evt.Put(FIELDS_PREFIX + dst, value);
- };
- }
-
- function set_field(opts) {
- return function (evt) {
- var val = opts.value(evt);
- if (val != null) evt.Put(opts.dest, val);
- };
- }
-
- function dump(label) {
- return function (evt) {
- console.log("Dump of event at " + label + ": " + JSON.stringify(evt, null, "\t"));
- };
- }
-
- function date_time_join_args(evt, arglist) {
- var str = "";
- for (var i = 0; i < arglist.length; i++) {
- var fname = FIELDS_PREFIX + arglist[i];
- var val = evt.Get(fname);
- if (val != null) {
- if (str !== "") str += " ";
- str += val;
- } else {
- if (debug) console.warn("in date_time: input arg " + fname + " is not set");
- }
- }
- return str;
- }
-
- function to2Digit(num) {
- return num? (num < 10? "0" + num : num) : "00";
- }
-
- // Make two-digit dates 00-69 interpreted as 2000-2069
- // and dates 70-99 translated to 1970-1999.
- var twoDigitYearEpoch = 70;
- var twoDigitYearCentury = 2000;
-
- // This is to accept dates up to 2 days in the future, only used when
- // no year is specified in a date. 2 days should be enough to account for
- // time differences between systems and different tz offsets.
- var maxFutureDelta = 2*24*60*60*1000;
-
- // DateContainer stores date fields and then converts those fields into
- // a Date. Necessary because building a Date using its set() methods gives
- // different results depending on the order of components.
- function DateContainer(tzOffset) {
- this.offset = tzOffset === undefined? "Z" : tzOffset;
- }
-
- DateContainer.prototype = {
- setYear: function(v) {this.year = v;},
- setMonth: function(v) {this.month = v;},
- setDay: function(v) {this.day = v;},
- setHours: function(v) {this.hours = v;},
- setMinutes: function(v) {this.minutes = v;},
- setSeconds: function(v) {this.seconds = v;},
-
- setUNIX: function(v) {this.unix = v;},
-
- set2DigitYear: function(v) {
- this.year = v < twoDigitYearEpoch?
twoDigitYearCentury + v : twoDigitYearCentury + v - 100;
- },
-
- toDate: function() {
- if (this.unix !== undefined) {
- return new Date(this.unix * 1000);
- }
- if (this.day === undefined || this.month === undefined) {
- // Can't make a date from this.
- return undefined;
- }
- if (this.year === undefined) {
- // A date without a year. Set current year, or previous year
- // if date would be in the future.
- var now = new Date();
- this.year = now.getFullYear();
- var date = this.toDate();
- if (date.getTime() - now.getTime() > maxFutureDelta) {
- date.setFullYear(now.getFullYear() - 1);
- }
- return date;
- }
- var MM = to2Digit(this.month);
- var DD = to2Digit(this.day);
- var hh = to2Digit(this.hours);
- var mm = to2Digit(this.minutes);
- var ss = to2Digit(this.seconds);
- return new Date(this.year + "-" + MM + "-" + DD + "T" + hh + ":" + mm + ":" + ss + this.offset);
- }
- }
-
- function date_time_try_pattern(fmt, str, tzOffset) {
- var date = new DateContainer(tzOffset);
- var pos = date_time_try_pattern_at_pos(fmt, str, 0, date);
- return pos !== undefined?
date.toDate() : undefined; - } - - function date_time_try_pattern_at_pos(fmt, str, pos, date) { - var len = str.length; - for (var proc = 0; pos !== undefined && pos < len && proc < fmt.length; proc++) { - pos = fmt[proc](str, pos, date); - } - return pos; - } - - function date_time(opts) { - return function (evt) { - var tzOffset = opts.tz || tz_offset; - if (tzOffset === "event") { - tzOffset = evt.Get("event.timezone"); - } - var str = date_time_join_args(evt, opts.args); - for (var i = 0; i < opts.fmts.length; i++) { - var date = date_time_try_pattern(opts.fmts[i], str, tzOffset); - if (date !== undefined) { - evt.Put(FIELDS_PREFIX + opts.dest, date); - return; - } - } - if (debug) console.warn("in date_time: id=" + opts.id + " FAILED: " + str); - }; - } - - var uA = 60 * 60 * 24; - var uD = 60 * 60 * 24; - var uF = 60 * 60; - var uG = 60 * 60 * 24 * 30; - var uH = 60 * 60; - var uI = 60 * 60; - var uJ = 60 * 60 * 24; - var uM = 60 * 60 * 24 * 30; - var uN = 60 * 60; - var uO = 1; - var uS = 1; - var uT = 60; - var uU = 60; - var uc = dc; - - function duration(opts) { - return function(evt) { - var str = date_time_join_args(evt, opts.args); - for (var i = 0; i < opts.fmts.length; i++) { - var seconds = duration_try_pattern(opts.fmts[i], str); - if (seconds !== undefined) { - evt.Put(FIELDS_PREFIX + opts.dest, seconds); - return; - } - } - if (debug) console.warn("in duration: id=" + opts.id + " (s) FAILED: " + str); - }; - } - - function duration_try_pattern(fmt, str) { - var secs = 0; - var pos = 0; - for (var i=0; i [ month_id , how many chars to skip if month in long form ] - "Jan": [0, 4], - "Feb": [1, 5], - "Mar": [2, 2], - "Apr": [3, 2], - "May": [4, 0], - "Jun": [5, 1], - "Jul": [6, 1], - "Aug": [7, 3], - "Sep": [8, 6], - "Oct": [9, 4], - "Nov": [10, 5], - "Dec": [11, 4], - "jan": [0, 4], - "feb": [1, 5], - "mar": [2, 2], - "apr": [3, 2], - "may": [4, 0], - "jun": [5, 1], - "jul": [6, 1], - "aug": [7, 3], - "sep": [8, 6], - "oct": [9, 4], - "nov": [10, 
5], - "dec": [11, 4], - }; - - // var dC = undefined; - var dR = dateMonthName(true); - var dB = dateMonthName(false); - var dM = dateFixedWidthNumber("M", 2, 1, 12, DateContainer.prototype.setMonth); - var dG = dateVariableWidthNumber("G", 1, 12, DateContainer.prototype.setMonth); - var dD = dateFixedWidthNumber("D", 2, 1, 31, DateContainer.prototype.setDay); - var dF = dateVariableWidthNumber("F", 1, 31, DateContainer.prototype.setDay); - var dH = dateFixedWidthNumber("H", 2, 0, 24, DateContainer.prototype.setHours); - var dI = dateVariableWidthNumber("I", 0, 24, DateContainer.prototype.setHours); // Accept hours >12 - var dN = dateVariableWidthNumber("N", 0, 24, DateContainer.prototype.setHours); - var dT = dateFixedWidthNumber("T", 2, 0, 59, DateContainer.prototype.setMinutes); - var dU = dateVariableWidthNumber("U", 0, 59, DateContainer.prototype.setMinutes); - var dP = parseAMPM; // AM|PM - var dQ = parseAMPM; // A.M.|P.M - var dS = dateFixedWidthNumber("S", 2, 0, 60, DateContainer.prototype.setSeconds); - var dO = dateVariableWidthNumber("O", 0, 60, DateContainer.prototype.setSeconds); - var dY = dateFixedWidthNumber("Y", 2, 0, 99, DateContainer.prototype.set2DigitYear); - var dW = dateFixedWidthNumber("W", 4, 1000, 9999, DateContainer.prototype.setYear); - var dZ = parseHMS; - var dX = dateVariableWidthNumber("X", 0, 0x10000000000, DateContainer.prototype.setUNIX); - - // parseAMPM parses "A.M", "AM", "P.M", "PM" from logs. - // Only works if this modifier appears after the hour has been read from logs - // which is always the case in the 300 devices. 
- function parseAMPM(str, pos, date) { - var n = str.length; - var start = skipws(str, pos); - if (start + 2 > n) return; - var head = str.substr(start, 2).toUpperCase(); - var isPM = false; - var skip = false; - switch (head) { - case "A.": - skip = true; - /* falls through */ - case "AM": - break; - case "P.": - skip = true; - /* falls through */ - case "PM": - isPM = true; - break; - default: - if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(head:" + head + ")"); - return; - } - pos = start + 2; - if (skip) { - if (pos+2 > n || str.substr(pos, 2).toUpperCase() !== "M.") { - if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(tail)"); - return; - } - pos += 2; - } - var hh = date.hours; - if (isPM) { - // Accept existing hour in 24h format. - if (hh < 12) hh += 12; - } else { - if (hh === 12) hh = 0; - } - date.setHours(hh); - return pos; - } - - function parseHMS(str, pos, date) { - return date_time_try_pattern_at_pos([dN, dc(":"), dU, dc(":"), dO], str, pos, date); - } - - function skipws(str, pos) { - for ( var n = str.length; - pos < n && str.charAt(pos) === " "; - pos++) - ; - return pos; - } - - function skipdigits(str, pos) { - var c; - for (var n = str.length; - pos < n && (c = str.charAt(pos)) >= "0" && c <= "9"; - pos++) - ; - return pos; - } - - function dSkip(str, pos, date) { - var chr; - for (;pos < str.length && (chr=str[pos])<'0' || chr>'9'; pos++) {} - return pos < str.length? 
pos : undefined; - } - - function dateVariableWidthNumber(fmtChar, min, max, setter) { - return function (str, pos, date) { - var start = skipws(str, pos); - pos = skipdigits(str, start); - var s = str.substr(start, pos - start); - var value = parseInt(s, 10); - if (value >= min && value <= max) { - setter.call(date, value); - return pos; - } - return; - }; - } - - function dateFixedWidthNumber(fmtChar, width, min, max, setter) { - return function (str, pos, date) { - pos = skipws(str, pos); - var n = str.length; - if (pos + width > n) return; - var s = str.substr(pos, width); - var value = parseInt(s, 10); - if (value >= min && value <= max) { - setter.call(date, value); - return pos + width; - } - return; - }; - } - - // Short month name (Jan..Dec). - function dateMonthName(long) { - return function (str, pos, date) { - pos = skipws(str, pos); - var n = str.length; - if (pos + 3 > n) return; - var mon = str.substr(pos, 3); - var idx = shortMonths[mon]; - if (idx === undefined) { - idx = shortMonths[mon.toLowerCase()]; - } - if (idx === undefined) { - //console.warn("parsing date_time: '" + mon + "' is not a valid short month (%B)"); - return; - } - date.setMonth(idx[0]+1); - return pos + 3 + (long ? 
idx[1] : 0); - }; - } - - function url_wrapper(dst, src, fn) { - return function(evt) { - var value = evt.Get(FIELDS_PREFIX + src), result; - if (value != null && (result = fn(value))!== undefined) { - evt.Put(FIELDS_PREFIX + dst, result); - } else { - console.debug(fn.name + " failed for '" + value + "'"); - } - }; - } - - // The following regular expression for parsing URLs from: - // https://github.com/wizard04wsu/URI_Parsing - // - // The MIT License (MIT) - // - // Copyright (c) 2014 Andrew Harrison - // - // Permission is hereby granted, free of charge, to any person obtaining a copy of - // this software and associated documentation files (the "Software"), to deal in - // the Software without restriction, including without limitation the rights to - // use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of - // the Software, and to permit persons to whom the Software is furnished to do so, - // subject to the following conditions: - // - // The above copyright notice and this permission notice shall be included in all - // copies or substantial portions of the Software. - // - // THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR - // IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS - // FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR - // COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER - // IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN - // CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 
- var uriRegExp = /^([a-z][a-z0-9+.\-]*):(?:\/\/((?:(?=((?:[a-z0-9\-._~!$&'()*+,;=:]|%[0-9A-F]{2})*))(\3)@)?(?=(\[[0-9A-F:.]{2,}\]|(?:[a-z0-9\-._~!$&'()*+,;=]|%[0-9A-F]{2})*))\5(?::(?=(\d*))\6)?)(\/(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\8)?|(\/?(?!\/)(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\10)?)(?:\?(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\11)?(?:#(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\12)?$/i; - - var uriScheme = 1; - var uriDomain = 5; - var uriPort = 6; - var uriPath = 7; - var uriPathAlt = 9; - var uriQuery = 11; - - function domain(dst, src) { - return url_wrapper(dst, src, extract_domain); - } - - function split_url(value) { - var m = value.match(uriRegExp); - if (m && m[uriDomain]) return m; - // Support input in the form "www.example.net/path", but not "/path". - m = ("null://" + value).match(uriRegExp); - if (m) return m; - } - - function extract_domain(value) { - var m = split_url(value); - if (m && m[uriDomain]) return m[uriDomain]; - } - - var extFromPage = /\.[^.]+$/; - function extract_ext(value) { - var page = extract_page(value); - if (page) { - var m = page.match(extFromPage); - if (m) return m[0]; - } - } - - function ext(dst, src) { - return url_wrapper(dst, src, extract_ext); - } - - function fqdn(dst, src) { - // TODO: fqdn and domain(eTLD+1) are currently the same. - return domain(dst, src); - } - - var pageFromPathRegExp = /\/([^\/]+)$/; - var pageName = 1; - - function extract_page(value) { - value = extract_path(value); - if (!value) return undefined; - var m = value.match(pageFromPathRegExp); - if (m) return m[pageName]; - } - - function page(dst, src) { - return url_wrapper(dst, src, extract_page); - } - - function extract_path(value) { - var m = split_url(value); - return m? m[uriPath] || m[uriPathAlt] : undefined; - } - - function path(dst, src) { - return url_wrapper(dst, src, extract_path); - } - - // Map common schemes to their default port. 
- // port has to be a string (will be converted at a later stage).
- var schemePort = {
- "ftp": "21",
- "ssh": "22",
- "http": "80",
- "https": "443",
- };
-
- function extract_port(value) {
- var m = split_url(value);
- if (!m) return undefined;
- if (m[uriPort]) return m[uriPort];
- if (m[uriScheme]) {
- return schemePort[m[uriScheme]];
- }
- }
-
- function port(dst, src) {
- return url_wrapper(dst, src, extract_port);
- }
-
- function extract_query(value) {
- var m = split_url(value);
- if (m && m[uriQuery]) return m[uriQuery];
- }
-
- function query(dst, src) {
- return url_wrapper(dst, src, extract_query);
- }
-
- function extract_root(value) {
- var m = split_url(value);
- if (m && m[uriDomain] && m[uriDomain]) {
- var scheme = m[uriScheme] && m[uriScheme] !== "null"?
- m[uriScheme] + "://" : "";
- var port = m[uriPort]? ":" + m[uriPort] : "";
- return scheme + m[uriDomain] + port;
- }
- }
-
- function root(dst, src) {
- return url_wrapper(dst, src, extract_root);
- }
-
- function tagval(id, src, cfg, keys, on_success) {
- var fail = function(evt) {
- evt.Put(FLAG_FIELD, "tagval_parsing_error");
- }
- if (cfg.kv_separator.length !== 1) {
- throw("Invalid TAGVALMAP ValueDelimiter (must have 1 character)");
- }
- var quotes_len = cfg.open_quote.length > 0 && cfg.close_quote.length > 0?
- cfg.open_quote.length + cfg.close_quote.length : 0; - var kv_regex = new RegExp('^([^' + cfg.kv_separator + ']*)*' + cfg.kv_separator + ' *(.*)*$'); - return function(evt) { - var msg = evt.Get(src); - if (msg === undefined) { - console.warn("tagval: input field is missing"); - return fail(evt); - } - var pairs = msg.split(cfg.pair_separator); - var i; - var success = false; - var prev = ""; - for (i=0; i 0 && - value.length >= cfg.open_quote.length + cfg.close_quote.length && - value.substr(0, cfg.open_quote.length) === cfg.open_quote && - value.substr(value.length - cfg.close_quote.length) === cfg.close_quote) { - value = value.substr(cfg.open_quote.length, value.length - quotes_len); - } - evt.Put(FIELDS_PREFIX + field, value); - success = true; - } - if (!success) { - return fail(evt); - } - if (on_success != null) { - on_success(evt); - } - } - } - - var ecs_mappings = { - "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]}, - "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]}, - "_severity": {convert: to_long, to:[{field: "log.syslog.severity.code", setter: fld_set}]}, - "action": {to:[{field: "event.action", setter: fld_prio, prio: 0}]}, - "administrator": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 4}]}, - "alias.ip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 3},{field: "related.ip", setter: fld_append}]}, - "alias.ipv6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 4},{field: "related.ip", setter: fld_append}]}, - "alias.mac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 1}]}, - "application": {to:[{field: "network.application", setter: fld_set}]}, - "bytes": {convert: to_long, to:[{field: "network.bytes", setter: fld_set}]}, - "c_domain": {to:[{field: "source.domain", setter: fld_prio, prio: 1}]}, - "c_logon_id": {to:[{field: "user.id", setter: fld_prio, prio: 2}]}, - 
"c_user_name": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 8}]}, - "c_username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 2}]}, - "cctld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 1}]}, - "child_pid": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 1}]}, - "child_pid_val": {to:[{field: "process.title", setter: fld_set}]}, - "child_process": {to:[{field: "process.name", setter: fld_prio, prio: 1}]}, - "city.dst": {to:[{field: "destination.geo.city_name", setter: fld_set}]}, - "city.src": {to:[{field: "source.geo.city_name", setter: fld_set}]}, - "daddr": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, - "daddr_v6": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, - "ddomain": {to:[{field: "destination.domain", setter: fld_prio, prio: 0}]}, - "devicehostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, - "devicehostmac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 0}]}, - "dhost": {to:[{field: "destination.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]}, - "dinterface": {to:[{field: "observer.egress.interface.name", setter: fld_set}]}, - "direction": {to:[{field: "network.direction", setter: fld_set}]}, - "directory": {to:[{field: "file.directory", setter: fld_set}]}, - "dmacaddr": {convert: to_mac, to:[{field: "destination.mac", setter: fld_set}]}, - "dns.responsetype": {to:[{field: "dns.answers.type", setter: fld_set}]}, - "dns.resptext": {to:[{field: "dns.answers.name", setter: fld_set}]}, - "dns_querytype": {to:[{field: "dns.question.type", setter: fld_set}]}, - "domain": {to:[{field: "server.domain", setter: fld_prio, prio: 0},{field: "related.hosts", setter: fld_append}]}, - 
"domain.dst": {to:[{field: "destination.domain", setter: fld_prio, prio: 1}]}, - "domain.src": {to:[{field: "source.domain", setter: fld_prio, prio: 2}]}, - "domain_id": {to:[{field: "user.domain", setter: fld_set}]}, - "domainname": {to:[{field: "server.domain", setter: fld_prio, prio: 1}]}, - "dport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 0}]}, - "dtransaddr": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, - "dtransport": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 0}]}, - "ec_outcome": {to:[{field: "event.outcome", setter: fld_ecs_outcome}]}, - "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]}, - "event_source": {to:[{field: "related.hosts", setter: fld_append}]}, - "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]}, - "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]}, - "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]}, - "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]}, - "filename": {to:[{field: "file.name", setter: fld_prio, prio: 0}]}, - "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]}, - "filepath": {to:[{field: "file.path", setter: fld_set}]}, - "filetype": {to:[{field: "file.type", setter: fld_set}]}, - "fqdn": {to:[{field: "related.hosts", setter: fld_append}]}, - "group": {to:[{field: "group.name", setter: fld_set}]}, - "groupid": {to:[{field: "group.id", setter: fld_set}]}, - "host": {to:[{field: "host.name", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]}, - "hostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, - "hostip_v6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, - "hostname": {to:[{field: 
"host.name", setter: fld_prio, prio: 0}]}, - "id": {to:[{field: "event.code", setter: fld_prio, prio: 0}]}, - "interface": {to:[{field: "network.interface.name", setter: fld_set}]}, - "ip.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, - "ip.trans.dst": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, - "ip.trans.src": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, - "ipv6.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, - "latdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lat", setter: fld_set}]}, - "latdec_src": {convert: to_double, to:[{field: "source.geo.location.lat", setter: fld_set}]}, - "location_city": {to:[{field: "geo.city_name", setter: fld_set}]}, - "location_country": {to:[{field: "geo.country_name", setter: fld_set}]}, - "location_desc": {to:[{field: "geo.name", setter: fld_set}]}, - "location_dst": {to:[{field: "destination.geo.country_name", setter: fld_set}]}, - "location_src": {to:[{field: "source.geo.country_name", setter: fld_set}]}, - "location_state": {to:[{field: "geo.region_name", setter: fld_set}]}, - "logon_id": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 5}]}, - "longdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lon", setter: fld_set}]}, - "longdec_src": {convert: to_double, to:[{field: "source.geo.location.lon", setter: fld_set}]}, - "macaddr": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 2}]}, - "messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]}, - "method": {to:[{field: "http.request.method", setter: fld_set}]}, - "msg": {to:[{field: "message", setter: fld_set}]}, - "orig_ip": {convert: to_ip, 
to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, - "owner": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 6}]}, - "packets": {convert: to_long, to:[{field: "network.packets", setter: fld_set}]}, - "parent_pid": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 0}]}, - "parent_pid_val": {to:[{field: "process.parent.title", setter: fld_set}]}, - "parent_process": {to:[{field: "process.parent.name", setter: fld_prio, prio: 0}]}, - "patient_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 1}]}, - "port.dst": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 1}]}, - "port.src": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 1}]}, - "port.trans.dst": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 1}]}, - "port.trans.src": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 1}]}, - "process": {to:[{field: "process.name", setter: fld_prio, prio: 0}]}, - "process_id": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 0}]}, - "process_id_src": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 1}]}, - "process_src": {to:[{field: "process.parent.name", setter: fld_prio, prio: 1}]}, - "product": {to:[{field: "observer.product", setter: fld_set}]}, - "protocol": {to:[{field: "network.protocol", setter: fld_set}]}, - "query": {to:[{field: "url.query", setter: fld_prio, prio: 2}]}, - "rbytes": {convert: to_long, to:[{field: "destination.bytes", setter: fld_set}]}, - "referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 1}]}, - "rulename": {to:[{field: "rule.name", setter: fld_set}]}, - "saddr": {convert: to_ip, to:[{field: "source.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, - "saddr_v6": {convert: to_ip, to:[{field: "source.ip", setter: 
fld_set},{field: "related.ip", setter: fld_append}]}, - "sbytes": {convert: to_long, to:[{field: "source.bytes", setter: fld_set}]}, - "sdomain": {to:[{field: "source.domain", setter: fld_prio, prio: 0}]}, - "service": {to:[{field: "service.name", setter: fld_prio, prio: 1}]}, - "service.name": {to:[{field: "service.name", setter: fld_prio, prio: 0}]}, - "service_account": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 7}]}, - "severity": {to:[{field: "log.level", setter: fld_set}]}, - "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]}, - "sinterface": {to:[{field: "observer.ingress.interface.name", setter: fld_set}]}, - "sld": {to:[{field: "url.registered_domain", setter: fld_set}]}, - "smacaddr": {convert: to_mac, to:[{field: "source.mac", setter: fld_set}]}, - "sport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 0}]}, - "stransaddr": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, - "stransport": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 0}]}, - "tcp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 2}]}, - "tcp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 2}]}, - "timezone": {to:[{field: "event.timezone", setter: fld_set}]}, - "tld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 0}]}, - "udp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 3}]}, - "udp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 3}]}, - "uid": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 3}]}, - "url": {to:[{field: "url.original", setter: fld_prio, prio: 1}]}, - "url_raw": {to:[{field: "url.original", setter: fld_prio, prio: 
0}]}, - "urldomain": {to:[{field: "url.domain", setter: fld_prio, prio: 0}]}, - "urlquery": {to:[{field: "url.query", setter: fld_prio, prio: 0}]}, - "user": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 0}]}, - "user.id": {to:[{field: "user.id", setter: fld_prio, prio: 1}]}, - "user_agent": {to:[{field: "user_agent.original", setter: fld_set}]}, - "user_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 0}]}, - "user_id": {to:[{field: "user.id", setter: fld_prio, prio: 0}]}, - "username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 1}]}, - "version": {to:[{field: "observer.version", setter: fld_set}]}, - "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]}, - "web_extension": {to:[{field: "file.extension", setter: fld_prio, prio: 0}]}, - "web_query": {to:[{field: "url.query", setter: fld_prio, prio: 1}]}, - "web_ref_domain": {to:[{field: "related.hosts", setter: fld_append}]}, - "web_referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 0}]}, - "web_root": {to:[{field: "url.path", setter: fld_set}]}, - "webpage": {to:[{field: "file.name", setter: fld_prio, prio: 1}]}, - }; - - var rsa_mappings = { - "access_point": {to:[{field: "rsa.wireless.access_point", setter: fld_set}]}, - "accesses": {to:[{field: "rsa.identity.accesses", setter: fld_set}]}, - "acl_id": {to:[{field: "rsa.misc.acl_id", setter: fld_set}]}, - "acl_op": {to:[{field: "rsa.misc.acl_op", setter: fld_set}]}, - "acl_pos": {to:[{field: "rsa.misc.acl_pos", setter: fld_set}]}, - "acl_table": {to:[{field: "rsa.misc.acl_table", setter: fld_set}]}, - "action": {to:[{field: "rsa.misc.action", setter: fld_append}]}, - "ad_computer_dst": {to:[{field: "rsa.network.ad_computer_dst", setter: fld_set}]}, - "addr": {to:[{field: "rsa.network.addr", setter: fld_set}]}, - "admin": {to:[{field: "rsa.misc.admin", setter: 
fld_set}]}, - "agent": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 0}]}, - "agent.id": {to:[{field: "rsa.misc.agent_id", setter: fld_set}]}, - "alarm_id": {to:[{field: "rsa.misc.alarm_id", setter: fld_set}]}, - "alarmname": {to:[{field: "rsa.misc.alarmname", setter: fld_set}]}, - "alert": {to:[{field: "rsa.threat.alert", setter: fld_set}]}, - "alert_id": {to:[{field: "rsa.misc.alert_id", setter: fld_set}]}, - "alias.host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "analysis.file": {to:[{field: "rsa.investigations.analysis_file", setter: fld_set}]}, - "analysis.service": {to:[{field: "rsa.investigations.analysis_service", setter: fld_set}]}, - "analysis.session": {to:[{field: "rsa.investigations.analysis_session", setter: fld_set}]}, - "app_id": {to:[{field: "rsa.misc.app_id", setter: fld_set}]}, - "attachment": {to:[{field: "rsa.file.attachment", setter: fld_set}]}, - "audit": {to:[{field: "rsa.misc.audit", setter: fld_set}]}, - "audit_class": {to:[{field: "rsa.internal.audit_class", setter: fld_set}]}, - "audit_object": {to:[{field: "rsa.misc.audit_object", setter: fld_set}]}, - "auditdata": {to:[{field: "rsa.misc.auditdata", setter: fld_set}]}, - "authmethod": {to:[{field: "rsa.identity.auth_method", setter: fld_set}]}, - "autorun_type": {to:[{field: "rsa.misc.autorun_type", setter: fld_set}]}, - "bcc": {to:[{field: "rsa.email.email", setter: fld_append}]}, - "benchmark": {to:[{field: "rsa.misc.benchmark", setter: fld_set}]}, - "binary": {to:[{field: "rsa.file.binary", setter: fld_set}]}, - "boc": {to:[{field: "rsa.investigations.boc", setter: fld_set}]}, - "bssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 1}]}, - "bypass": {to:[{field: "rsa.misc.bypass", setter: fld_set}]}, - "c_sid": {to:[{field: "rsa.identity.user_sid_src", setter: fld_set}]}, - "cache": {to:[{field: "rsa.misc.cache", setter: fld_set}]}, - "cache_hit": {to:[{field: "rsa.misc.cache_hit", setter: fld_set}]}, - "calling_from": {to:[{field: 
"rsa.misc.phone", setter: fld_prio, prio: 1}]}, - "calling_to": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 0}]}, - "category": {to:[{field: "rsa.misc.category", setter: fld_set}]}, - "cc": {to:[{field: "rsa.email.email", setter: fld_append}]}, - "cc.number": {convert: to_long, to:[{field: "rsa.misc.cc_number", setter: fld_set}]}, - "cefversion": {to:[{field: "rsa.misc.cefversion", setter: fld_set}]}, - "cert.serial": {to:[{field: "rsa.crypto.cert_serial", setter: fld_set}]}, - "cert_ca": {to:[{field: "rsa.crypto.cert_ca", setter: fld_set}]}, - "cert_checksum": {to:[{field: "rsa.crypto.cert_checksum", setter: fld_set}]}, - "cert_common": {to:[{field: "rsa.crypto.cert_common", setter: fld_set}]}, - "cert_error": {to:[{field: "rsa.crypto.cert_error", setter: fld_set}]}, - "cert_hostname": {to:[{field: "rsa.crypto.cert_host_name", setter: fld_set}]}, - "cert_hostname_cat": {to:[{field: "rsa.crypto.cert_host_cat", setter: fld_set}]}, - "cert_issuer": {to:[{field: "rsa.crypto.cert_issuer", setter: fld_set}]}, - "cert_keysize": {to:[{field: "rsa.crypto.cert_keysize", setter: fld_set}]}, - "cert_status": {to:[{field: "rsa.crypto.cert_status", setter: fld_set}]}, - "cert_subject": {to:[{field: "rsa.crypto.cert_subject", setter: fld_set}]}, - "cert_username": {to:[{field: "rsa.crypto.cert_username", setter: fld_set}]}, - "cfg.attr": {to:[{field: "rsa.misc.cfg_attr", setter: fld_set}]}, - "cfg.obj": {to:[{field: "rsa.misc.cfg_obj", setter: fld_set}]}, - "cfg.path": {to:[{field: "rsa.misc.cfg_path", setter: fld_set}]}, - "change_attribute": {to:[{field: "rsa.misc.change_attrib", setter: fld_set}]}, - "change_new": {to:[{field: "rsa.misc.change_new", setter: fld_set}]}, - "change_old": {to:[{field: "rsa.misc.change_old", setter: fld_set}]}, - "changes": {to:[{field: "rsa.misc.changes", setter: fld_set}]}, - "checksum": {to:[{field: "rsa.misc.checksum", setter: fld_set}]}, - "checksum.dst": {to:[{field: "rsa.misc.checksum_dst", setter: fld_set}]}, - "checksum.src": 
{to:[{field: "rsa.misc.checksum_src", setter: fld_set}]}, - "cid": {to:[{field: "rsa.internal.cid", setter: fld_set}]}, - "client": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 1}]}, - "client_ip": {to:[{field: "rsa.misc.client_ip", setter: fld_set}]}, - "clustermembers": {to:[{field: "rsa.misc.clustermembers", setter: fld_set}]}, - "cmd": {to:[{field: "rsa.misc.cmd", setter: fld_set}]}, - "cn_acttimeout": {to:[{field: "rsa.misc.cn_acttimeout", setter: fld_set}]}, - "cn_asn_dst": {to:[{field: "rsa.web.cn_asn_dst", setter: fld_set}]}, - "cn_asn_src": {to:[{field: "rsa.misc.cn_asn_src", setter: fld_set}]}, - "cn_bgpv4nxthop": {to:[{field: "rsa.misc.cn_bgpv4nxthop", setter: fld_set}]}, - "cn_ctr_dst_code": {to:[{field: "rsa.misc.cn_ctr_dst_code", setter: fld_set}]}, - "cn_dst_tos": {to:[{field: "rsa.misc.cn_dst_tos", setter: fld_set}]}, - "cn_dst_vlan": {to:[{field: "rsa.misc.cn_dst_vlan", setter: fld_set}]}, - "cn_engine_id": {to:[{field: "rsa.misc.cn_engine_id", setter: fld_set}]}, - "cn_engine_type": {to:[{field: "rsa.misc.cn_engine_type", setter: fld_set}]}, - "cn_f_switch": {to:[{field: "rsa.misc.cn_f_switch", setter: fld_set}]}, - "cn_flowsampid": {to:[{field: "rsa.misc.cn_flowsampid", setter: fld_set}]}, - "cn_flowsampintv": {to:[{field: "rsa.misc.cn_flowsampintv", setter: fld_set}]}, - "cn_flowsampmode": {to:[{field: "rsa.misc.cn_flowsampmode", setter: fld_set}]}, - "cn_inacttimeout": {to:[{field: "rsa.misc.cn_inacttimeout", setter: fld_set}]}, - "cn_inpermbyts": {to:[{field: "rsa.misc.cn_inpermbyts", setter: fld_set}]}, - "cn_inpermpckts": {to:[{field: "rsa.misc.cn_inpermpckts", setter: fld_set}]}, - "cn_invalid": {to:[{field: "rsa.misc.cn_invalid", setter: fld_set}]}, - "cn_ip_proto_ver": {to:[{field: "rsa.misc.cn_ip_proto_ver", setter: fld_set}]}, - "cn_ipv4_ident": {to:[{field: "rsa.misc.cn_ipv4_ident", setter: fld_set}]}, - "cn_l_switch": {to:[{field: "rsa.misc.cn_l_switch", setter: fld_set}]}, - "cn_log_did": {to:[{field: 
"rsa.misc.cn_log_did", setter: fld_set}]}, - "cn_log_rid": {to:[{field: "rsa.misc.cn_log_rid", setter: fld_set}]}, - "cn_max_ttl": {to:[{field: "rsa.misc.cn_max_ttl", setter: fld_set}]}, - "cn_maxpcktlen": {to:[{field: "rsa.misc.cn_maxpcktlen", setter: fld_set}]}, - "cn_min_ttl": {to:[{field: "rsa.misc.cn_min_ttl", setter: fld_set}]}, - "cn_minpcktlen": {to:[{field: "rsa.misc.cn_minpcktlen", setter: fld_set}]}, - "cn_mpls_lbl_1": {to:[{field: "rsa.misc.cn_mpls_lbl_1", setter: fld_set}]}, - "cn_mpls_lbl_10": {to:[{field: "rsa.misc.cn_mpls_lbl_10", setter: fld_set}]}, - "cn_mpls_lbl_2": {to:[{field: "rsa.misc.cn_mpls_lbl_2", setter: fld_set}]}, - "cn_mpls_lbl_3": {to:[{field: "rsa.misc.cn_mpls_lbl_3", setter: fld_set}]}, - "cn_mpls_lbl_4": {to:[{field: "rsa.misc.cn_mpls_lbl_4", setter: fld_set}]}, - "cn_mpls_lbl_5": {to:[{field: "rsa.misc.cn_mpls_lbl_5", setter: fld_set}]}, - "cn_mpls_lbl_6": {to:[{field: "rsa.misc.cn_mpls_lbl_6", setter: fld_set}]}, - "cn_mpls_lbl_7": {to:[{field: "rsa.misc.cn_mpls_lbl_7", setter: fld_set}]}, - "cn_mpls_lbl_8": {to:[{field: "rsa.misc.cn_mpls_lbl_8", setter: fld_set}]}, - "cn_mpls_lbl_9": {to:[{field: "rsa.misc.cn_mpls_lbl_9", setter: fld_set}]}, - "cn_mplstoplabel": {to:[{field: "rsa.misc.cn_mplstoplabel", setter: fld_set}]}, - "cn_mplstoplabip": {to:[{field: "rsa.misc.cn_mplstoplabip", setter: fld_set}]}, - "cn_mul_dst_byt": {to:[{field: "rsa.misc.cn_mul_dst_byt", setter: fld_set}]}, - "cn_mul_dst_pks": {to:[{field: "rsa.misc.cn_mul_dst_pks", setter: fld_set}]}, - "cn_muligmptype": {to:[{field: "rsa.misc.cn_muligmptype", setter: fld_set}]}, - "cn_rpackets": {to:[{field: "rsa.web.cn_rpackets", setter: fld_set}]}, - "cn_sampalgo": {to:[{field: "rsa.misc.cn_sampalgo", setter: fld_set}]}, - "cn_sampint": {to:[{field: "rsa.misc.cn_sampint", setter: fld_set}]}, - "cn_seqctr": {to:[{field: "rsa.misc.cn_seqctr", setter: fld_set}]}, - "cn_spackets": {to:[{field: "rsa.misc.cn_spackets", setter: fld_set}]}, - "cn_src_tos": {to:[{field: 
"rsa.misc.cn_src_tos", setter: fld_set}]}, - "cn_src_vlan": {to:[{field: "rsa.misc.cn_src_vlan", setter: fld_set}]}, - "cn_sysuptime": {to:[{field: "rsa.misc.cn_sysuptime", setter: fld_set}]}, - "cn_template_id": {to:[{field: "rsa.misc.cn_template_id", setter: fld_set}]}, - "cn_totbytsexp": {to:[{field: "rsa.misc.cn_totbytsexp", setter: fld_set}]}, - "cn_totflowexp": {to:[{field: "rsa.misc.cn_totflowexp", setter: fld_set}]}, - "cn_totpcktsexp": {to:[{field: "rsa.misc.cn_totpcktsexp", setter: fld_set}]}, - "cn_unixnanosecs": {to:[{field: "rsa.misc.cn_unixnanosecs", setter: fld_set}]}, - "cn_v6flowlabel": {to:[{field: "rsa.misc.cn_v6flowlabel", setter: fld_set}]}, - "cn_v6optheaders": {to:[{field: "rsa.misc.cn_v6optheaders", setter: fld_set}]}, - "code": {to:[{field: "rsa.misc.code", setter: fld_set}]}, - "command": {to:[{field: "rsa.misc.command", setter: fld_set}]}, - "comments": {to:[{field: "rsa.misc.comments", setter: fld_set}]}, - "comp_class": {to:[{field: "rsa.misc.comp_class", setter: fld_set}]}, - "comp_name": {to:[{field: "rsa.misc.comp_name", setter: fld_set}]}, - "comp_rbytes": {to:[{field: "rsa.misc.comp_rbytes", setter: fld_set}]}, - "comp_sbytes": {to:[{field: "rsa.misc.comp_sbytes", setter: fld_set}]}, - "component_version": {to:[{field: "rsa.misc.comp_version", setter: fld_set}]}, - "connection_id": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 1}]}, - "connectionid": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 0}]}, - "content": {to:[{field: "rsa.misc.content", setter: fld_set}]}, - "content_type": {to:[{field: "rsa.misc.content_type", setter: fld_set}]}, - "content_version": {to:[{field: "rsa.misc.content_version", setter: fld_set}]}, - "context": {to:[{field: "rsa.misc.context", setter: fld_set}]}, - "count": {to:[{field: "rsa.misc.count", setter: fld_set}]}, - "cpu": {convert: to_long, to:[{field: "rsa.misc.cpu", setter: fld_set}]}, - "cpu_data": {to:[{field: "rsa.misc.cpu_data", setter: fld_set}]}, - 
"criticality": {to:[{field: "rsa.misc.criticality", setter: fld_set}]}, - "cs_agency_dst": {to:[{field: "rsa.misc.cs_agency_dst", setter: fld_set}]}, - "cs_analyzedby": {to:[{field: "rsa.misc.cs_analyzedby", setter: fld_set}]}, - "cs_av_other": {to:[{field: "rsa.misc.cs_av_other", setter: fld_set}]}, - "cs_av_primary": {to:[{field: "rsa.misc.cs_av_primary", setter: fld_set}]}, - "cs_av_secondary": {to:[{field: "rsa.misc.cs_av_secondary", setter: fld_set}]}, - "cs_bgpv6nxthop": {to:[{field: "rsa.misc.cs_bgpv6nxthop", setter: fld_set}]}, - "cs_bit9status": {to:[{field: "rsa.misc.cs_bit9status", setter: fld_set}]}, - "cs_context": {to:[{field: "rsa.misc.cs_context", setter: fld_set}]}, - "cs_control": {to:[{field: "rsa.misc.cs_control", setter: fld_set}]}, - "cs_data": {to:[{field: "rsa.misc.cs_data", setter: fld_set}]}, - "cs_datecret": {to:[{field: "rsa.misc.cs_datecret", setter: fld_set}]}, - "cs_dst_tld": {to:[{field: "rsa.misc.cs_dst_tld", setter: fld_set}]}, - "cs_eth_dst_ven": {to:[{field: "rsa.misc.cs_eth_dst_ven", setter: fld_set}]}, - "cs_eth_src_ven": {to:[{field: "rsa.misc.cs_eth_src_ven", setter: fld_set}]}, - "cs_event_uuid": {to:[{field: "rsa.misc.cs_event_uuid", setter: fld_set}]}, - "cs_filetype": {to:[{field: "rsa.misc.cs_filetype", setter: fld_set}]}, - "cs_fld": {to:[{field: "rsa.misc.cs_fld", setter: fld_set}]}, - "cs_if_desc": {to:[{field: "rsa.misc.cs_if_desc", setter: fld_set}]}, - "cs_if_name": {to:[{field: "rsa.misc.cs_if_name", setter: fld_set}]}, - "cs_ip_next_hop": {to:[{field: "rsa.misc.cs_ip_next_hop", setter: fld_set}]}, - "cs_ipv4dstpre": {to:[{field: "rsa.misc.cs_ipv4dstpre", setter: fld_set}]}, - "cs_ipv4srcpre": {to:[{field: "rsa.misc.cs_ipv4srcpre", setter: fld_set}]}, - "cs_lifetime": {to:[{field: "rsa.misc.cs_lifetime", setter: fld_set}]}, - "cs_log_medium": {to:[{field: "rsa.misc.cs_log_medium", setter: fld_set}]}, - "cs_loginname": {to:[{field: "rsa.misc.cs_loginname", setter: fld_set}]}, - "cs_modulescore": {to:[{field: 
"rsa.misc.cs_modulescore", setter: fld_set}]}, - "cs_modulesign": {to:[{field: "rsa.misc.cs_modulesign", setter: fld_set}]}, - "cs_opswatresult": {to:[{field: "rsa.misc.cs_opswatresult", setter: fld_set}]}, - "cs_payload": {to:[{field: "rsa.misc.cs_payload", setter: fld_set}]}, - "cs_registrant": {to:[{field: "rsa.misc.cs_registrant", setter: fld_set}]}, - "cs_registrar": {to:[{field: "rsa.misc.cs_registrar", setter: fld_set}]}, - "cs_represult": {to:[{field: "rsa.misc.cs_represult", setter: fld_set}]}, - "cs_rpayload": {to:[{field: "rsa.misc.cs_rpayload", setter: fld_set}]}, - "cs_sampler_name": {to:[{field: "rsa.misc.cs_sampler_name", setter: fld_set}]}, - "cs_sourcemodule": {to:[{field: "rsa.misc.cs_sourcemodule", setter: fld_set}]}, - "cs_streams": {to:[{field: "rsa.misc.cs_streams", setter: fld_set}]}, - "cs_targetmodule": {to:[{field: "rsa.misc.cs_targetmodule", setter: fld_set}]}, - "cs_v6nxthop": {to:[{field: "rsa.misc.cs_v6nxthop", setter: fld_set}]}, - "cs_whois_server": {to:[{field: "rsa.misc.cs_whois_server", setter: fld_set}]}, - "cs_yararesult": {to:[{field: "rsa.misc.cs_yararesult", setter: fld_set}]}, - "cve": {to:[{field: "rsa.misc.cve", setter: fld_set}]}, - "d_certauth": {to:[{field: "rsa.crypto.d_certauth", setter: fld_set}]}, - "d_cipher": {to:[{field: "rsa.crypto.cipher_dst", setter: fld_set}]}, - "d_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_dst", setter: fld_set}]}, - "d_sslver": {to:[{field: "rsa.crypto.ssl_ver_dst", setter: fld_set}]}, - "data": {to:[{field: "rsa.internal.data", setter: fld_set}]}, - "data_type": {to:[{field: "rsa.misc.data_type", setter: fld_set}]}, - "date": {to:[{field: "rsa.time.date", setter: fld_set}]}, - "datetime": {to:[{field: "rsa.time.datetime", setter: fld_set}]}, - "day": {to:[{field: "rsa.time.day", setter: fld_set}]}, - "db_id": {to:[{field: "rsa.db.db_id", setter: fld_set}]}, - "db_name": {to:[{field: "rsa.db.database", setter: fld_set}]}, - "db_pid": {convert: to_long, to:[{field: 
"rsa.db.db_pid", setter: fld_set}]}, - "dclass_counter1": {convert: to_long, to:[{field: "rsa.counters.dclass_c1", setter: fld_set}]}, - "dclass_counter1_string": {to:[{field: "rsa.counters.dclass_c1_str", setter: fld_set}]}, - "dclass_counter2": {convert: to_long, to:[{field: "rsa.counters.dclass_c2", setter: fld_set}]}, - "dclass_counter2_string": {to:[{field: "rsa.counters.dclass_c2_str", setter: fld_set}]}, - "dclass_counter3": {convert: to_long, to:[{field: "rsa.counters.dclass_c3", setter: fld_set}]}, - "dclass_counter3_string": {to:[{field: "rsa.counters.dclass_c3_str", setter: fld_set}]}, - "dclass_ratio1": {to:[{field: "rsa.counters.dclass_r1", setter: fld_set}]}, - "dclass_ratio1_string": {to:[{field: "rsa.counters.dclass_r1_str", setter: fld_set}]}, - "dclass_ratio2": {to:[{field: "rsa.counters.dclass_r2", setter: fld_set}]}, - "dclass_ratio2_string": {to:[{field: "rsa.counters.dclass_r2_str", setter: fld_set}]}, - "dclass_ratio3": {to:[{field: "rsa.counters.dclass_r3", setter: fld_set}]}, - "dclass_ratio3_string": {to:[{field: "rsa.counters.dclass_r3_str", setter: fld_set}]}, - "dead": {convert: to_long, to:[{field: "rsa.internal.dead", setter: fld_set}]}, - "description": {to:[{field: "rsa.misc.description", setter: fld_set}]}, - "detail": {to:[{field: "rsa.misc.event_desc", setter: fld_set}]}, - "device": {to:[{field: "rsa.misc.device_name", setter: fld_set}]}, - "device.class": {to:[{field: "rsa.internal.device_class", setter: fld_set}]}, - "device.group": {to:[{field: "rsa.internal.device_group", setter: fld_set}]}, - "device.host": {to:[{field: "rsa.internal.device_host", setter: fld_set}]}, - "device.ip": {convert: to_ip, to:[{field: "rsa.internal.device_ip", setter: fld_set}]}, - "device.ipv6": {convert: to_ip, to:[{field: "rsa.internal.device_ipv6", setter: fld_set}]}, - "device.type": {to:[{field: "rsa.internal.device_type", setter: fld_set}]}, - "device.type.id": {convert: to_long, to:[{field: "rsa.internal.device_type_id", setter: fld_set}]}, 
- "devicehostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "devvendor": {to:[{field: "rsa.misc.devvendor", setter: fld_set}]}, - "dhost": {to:[{field: "rsa.network.host_dst", setter: fld_set}]}, - "did": {to:[{field: "rsa.internal.did", setter: fld_set}]}, - "dinterface": {to:[{field: "rsa.network.dinterface", setter: fld_set}]}, - "directory.dst": {to:[{field: "rsa.file.directory_dst", setter: fld_set}]}, - "directory.src": {to:[{field: "rsa.file.directory_src", setter: fld_set}]}, - "disk_volume": {to:[{field: "rsa.storage.disk_volume", setter: fld_set}]}, - "disposition": {to:[{field: "rsa.misc.disposition", setter: fld_set}]}, - "distance": {to:[{field: "rsa.misc.distance", setter: fld_set}]}, - "dmask": {to:[{field: "rsa.network.dmask", setter: fld_set}]}, - "dn": {to:[{field: "rsa.identity.dn", setter: fld_set}]}, - "dns_a_record": {to:[{field: "rsa.network.dns_a_record", setter: fld_set}]}, - "dns_cname_record": {to:[{field: "rsa.network.dns_cname_record", setter: fld_set}]}, - "dns_id": {to:[{field: "rsa.network.dns_id", setter: fld_set}]}, - "dns_opcode": {to:[{field: "rsa.network.dns_opcode", setter: fld_set}]}, - "dns_ptr_record": {to:[{field: "rsa.network.dns_ptr_record", setter: fld_set}]}, - "dns_resp": {to:[{field: "rsa.network.dns_resp", setter: fld_set}]}, - "dns_type": {to:[{field: "rsa.network.dns_type", setter: fld_set}]}, - "doc_number": {convert: to_long, to:[{field: "rsa.misc.doc_number", setter: fld_set}]}, - "domain": {to:[{field: "rsa.network.domain", setter: fld_set}]}, - "domain1": {to:[{field: "rsa.network.domain1", setter: fld_set}]}, - "dst_dn": {to:[{field: "rsa.identity.dn_dst", setter: fld_set}]}, - "dst_payload": {to:[{field: "rsa.misc.payload_dst", setter: fld_set}]}, - "dst_spi": {to:[{field: "rsa.misc.spi_dst", setter: fld_set}]}, - "dst_zone": {to:[{field: "rsa.network.zone_dst", setter: fld_set}]}, - "dstburb": {to:[{field: "rsa.misc.dstburb", setter: fld_set}]}, - "duration": {convert: to_double, 
to:[{field: "rsa.time.duration_time", setter: fld_set}]}, - "duration_string": {to:[{field: "rsa.time.duration_str", setter: fld_set}]}, - "ec_activity": {to:[{field: "rsa.investigations.ec_activity", setter: fld_set}]}, - "ec_outcome": {to:[{field: "rsa.investigations.ec_outcome", setter: fld_set}]}, - "ec_subject": {to:[{field: "rsa.investigations.ec_subject", setter: fld_set}]}, - "ec_theme": {to:[{field: "rsa.investigations.ec_theme", setter: fld_set}]}, - "edomain": {to:[{field: "rsa.misc.edomain", setter: fld_set}]}, - "edomaub": {to:[{field: "rsa.misc.edomaub", setter: fld_set}]}, - "effective_time": {convert: to_date, to:[{field: "rsa.time.effective_time", setter: fld_set}]}, - "ein.number": {convert: to_long, to:[{field: "rsa.misc.ein_number", setter: fld_set}]}, - "email": {to:[{field: "rsa.email.email", setter: fld_append}]}, - "encryption_type": {to:[{field: "rsa.crypto.crypto", setter: fld_set}]}, - "endtime": {convert: to_date, to:[{field: "rsa.time.endtime", setter: fld_set}]}, - "entropy.req": {convert: to_long, to:[{field: "rsa.internal.entropy_req", setter: fld_set}]}, - "entropy.res": {convert: to_long, to:[{field: "rsa.internal.entropy_res", setter: fld_set}]}, - "entry": {to:[{field: "rsa.internal.entry", setter: fld_set}]}, - "eoc": {to:[{field: "rsa.investigations.eoc", setter: fld_set}]}, - "error": {to:[{field: "rsa.misc.error", setter: fld_set}]}, - "eth_type": {convert: to_long, to:[{field: "rsa.network.eth_type", setter: fld_set}]}, - "euid": {to:[{field: "rsa.misc.euid", setter: fld_set}]}, - "event.cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 1}]}, - "event.cat.name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 1}]}, - "event_cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 0}]}, - "event_cat_name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 0}]}, - "event_category": {to:[{field: 
"rsa.misc.event_category", setter: fld_set}]}, - "event_computer": {to:[{field: "rsa.misc.event_computer", setter: fld_set}]}, - "event_counter": {convert: to_long, to:[{field: "rsa.counters.event_counter", setter: fld_set}]}, - "event_description": {to:[{field: "rsa.internal.event_desc", setter: fld_set}]}, - "event_id": {to:[{field: "rsa.misc.event_id", setter: fld_set}]}, - "event_log": {to:[{field: "rsa.misc.event_log", setter: fld_set}]}, - "event_name": {to:[{field: "rsa.internal.event_name", setter: fld_set}]}, - "event_queue_time": {convert: to_date, to:[{field: "rsa.time.event_queue_time", setter: fld_set}]}, - "event_source": {to:[{field: "rsa.misc.event_source", setter: fld_set}]}, - "event_state": {to:[{field: "rsa.misc.event_state", setter: fld_set}]}, - "event_time": {convert: to_date, to:[{field: "rsa.time.event_time", setter: fld_set}]}, - "event_time_str": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 1}]}, - "event_time_string": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 0}]}, - "event_type": {to:[{field: "rsa.misc.event_type", setter: fld_set}]}, - "event_user": {to:[{field: "rsa.misc.event_user", setter: fld_set}]}, - "eventtime": {to:[{field: "rsa.time.eventtime", setter: fld_set}]}, - "expected_val": {to:[{field: "rsa.misc.expected_val", setter: fld_set}]}, - "expiration_time": {convert: to_date, to:[{field: "rsa.time.expire_time", setter: fld_set}]}, - "expiration_time_string": {to:[{field: "rsa.time.expire_time_str", setter: fld_set}]}, - "facility": {to:[{field: "rsa.misc.facility", setter: fld_set}]}, - "facilityname": {to:[{field: "rsa.misc.facilityname", setter: fld_set}]}, - "faddr": {to:[{field: "rsa.network.faddr", setter: fld_set}]}, - "fcatnum": {to:[{field: "rsa.misc.fcatnum", setter: fld_set}]}, - "federated_idp": {to:[{field: "rsa.identity.federated_idp", setter: fld_set}]}, - "federated_sp": {to:[{field: "rsa.identity.federated_sp", setter: fld_set}]}, - "feed.category": {to:[{field: 
"rsa.internal.feed_category", setter: fld_set}]}, - "feed_desc": {to:[{field: "rsa.internal.feed_desc", setter: fld_set}]}, - "feed_name": {to:[{field: "rsa.internal.feed_name", setter: fld_set}]}, - "fhost": {to:[{field: "rsa.network.fhost", setter: fld_set}]}, - "file_entropy": {convert: to_double, to:[{field: "rsa.file.file_entropy", setter: fld_set}]}, - "file_vendor": {to:[{field: "rsa.file.file_vendor", setter: fld_set}]}, - "filename_dst": {to:[{field: "rsa.file.filename_dst", setter: fld_set}]}, - "filename_src": {to:[{field: "rsa.file.filename_src", setter: fld_set}]}, - "filename_tmp": {to:[{field: "rsa.file.filename_tmp", setter: fld_set}]}, - "filesystem": {to:[{field: "rsa.file.filesystem", setter: fld_set}]}, - "filter": {to:[{field: "rsa.misc.filter", setter: fld_set}]}, - "finterface": {to:[{field: "rsa.misc.finterface", setter: fld_set}]}, - "flags": {to:[{field: "rsa.misc.flags", setter: fld_set}]}, - "forensic_info": {to:[{field: "rsa.misc.forensic_info", setter: fld_set}]}, - "forward.ip": {convert: to_ip, to:[{field: "rsa.internal.forward_ip", setter: fld_set}]}, - "forward.ipv6": {convert: to_ip, to:[{field: "rsa.internal.forward_ipv6", setter: fld_set}]}, - "found": {to:[{field: "rsa.misc.found", setter: fld_set}]}, - "fport": {to:[{field: "rsa.network.fport", setter: fld_set}]}, - "fqdn": {to:[{field: "rsa.web.fqdn", setter: fld_set}]}, - "fresult": {convert: to_long, to:[{field: "rsa.misc.fresult", setter: fld_set}]}, - "from": {to:[{field: "rsa.email.email_src", setter: fld_set}]}, - "gaddr": {to:[{field: "rsa.misc.gaddr", setter: fld_set}]}, - "gateway": {to:[{field: "rsa.network.gateway", setter: fld_set}]}, - "gmtdate": {to:[{field: "rsa.time.gmtdate", setter: fld_set}]}, - "gmttime": {to:[{field: "rsa.time.gmttime", setter: fld_set}]}, - "group": {to:[{field: "rsa.misc.group", setter: fld_set}]}, - "group_object": {to:[{field: "rsa.misc.group_object", setter: fld_set}]}, - "groupid": {to:[{field: "rsa.misc.group_id", setter: 
fld_set}]}, - "h_code": {to:[{field: "rsa.internal.hcode", setter: fld_set}]}, - "hardware_id": {to:[{field: "rsa.misc.hardware_id", setter: fld_set}]}, - "header.id": {to:[{field: "rsa.internal.header_id", setter: fld_set}]}, - "host.orig": {to:[{field: "rsa.network.host_orig", setter: fld_set}]}, - "host.state": {to:[{field: "rsa.endpoint.host_state", setter: fld_set}]}, - "host.type": {to:[{field: "rsa.network.host_type", setter: fld_set}]}, - "host_role": {to:[{field: "rsa.identity.host_role", setter: fld_set}]}, - "hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "hostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "hour": {to:[{field: "rsa.time.hour", setter: fld_set}]}, - "https.insact": {to:[{field: "rsa.crypto.https_insact", setter: fld_set}]}, - "https.valid": {to:[{field: "rsa.crypto.https_valid", setter: fld_set}]}, - "icmpcode": {convert: to_long, to:[{field: "rsa.network.icmp_code", setter: fld_set}]}, - "icmptype": {convert: to_long, to:[{field: "rsa.network.icmp_type", setter: fld_set}]}, - "id": {to:[{field: "rsa.misc.reference_id", setter: fld_set}]}, - "id1": {to:[{field: "rsa.misc.reference_id1", setter: fld_set}]}, - "id2": {to:[{field: "rsa.misc.reference_id2", setter: fld_set}]}, - "id3": {to:[{field: "rsa.misc.id3", setter: fld_set}]}, - "ike": {to:[{field: "rsa.crypto.ike", setter: fld_set}]}, - "ike_cookie1": {to:[{field: "rsa.crypto.ike_cookie1", setter: fld_set}]}, - "ike_cookie2": {to:[{field: "rsa.crypto.ike_cookie2", setter: fld_set}]}, - "im_buddyid": {to:[{field: "rsa.misc.im_buddyid", setter: fld_set}]}, - "im_buddyname": {to:[{field: "rsa.misc.im_buddyname", setter: fld_set}]}, - "im_client": {to:[{field: "rsa.misc.im_client", setter: fld_set}]}, - "im_croomid": {to:[{field: "rsa.misc.im_croomid", setter: fld_set}]}, - "im_croomtype": {to:[{field: "rsa.misc.im_croomtype", setter: fld_set}]}, - "im_members": {to:[{field: "rsa.misc.im_members", setter: fld_set}]}, - "im_userid": 
{to:[{field: "rsa.misc.im_userid", setter: fld_set}]}, - "im_username": {to:[{field: "rsa.misc.im_username", setter: fld_set}]}, - "index": {to:[{field: "rsa.misc.index", setter: fld_set}]}, - "info": {to:[{field: "rsa.db.index", setter: fld_set}]}, - "inode": {convert: to_long, to:[{field: "rsa.internal.inode", setter: fld_set}]}, - "inout": {to:[{field: "rsa.misc.inout", setter: fld_set}]}, - "instance": {to:[{field: "rsa.db.instance", setter: fld_set}]}, - "interface": {to:[{field: "rsa.network.interface", setter: fld_set}]}, - "inv.category": {to:[{field: "rsa.investigations.inv_category", setter: fld_set}]}, - "inv.context": {to:[{field: "rsa.investigations.inv_context", setter: fld_set}]}, - "ioc": {to:[{field: "rsa.investigations.ioc", setter: fld_set}]}, - "ip_proto": {convert: to_long, to:[{field: "rsa.network.ip_proto", setter: fld_set}]}, - "ipkt": {to:[{field: "rsa.misc.ipkt", setter: fld_set}]}, - "ipscat": {to:[{field: "rsa.misc.ipscat", setter: fld_set}]}, - "ipspri": {to:[{field: "rsa.misc.ipspri", setter: fld_set}]}, - "jobname": {to:[{field: "rsa.misc.jobname", setter: fld_set}]}, - "jobnum": {to:[{field: "rsa.misc.job_num", setter: fld_set}]}, - "laddr": {to:[{field: "rsa.network.laddr", setter: fld_set}]}, - "language": {to:[{field: "rsa.misc.language", setter: fld_set}]}, - "latitude": {to:[{field: "rsa.misc.latitude", setter: fld_set}]}, - "lc.cid": {to:[{field: "rsa.internal.lc_cid", setter: fld_set}]}, - "lc.ctime": {convert: to_date, to:[{field: "rsa.internal.lc_ctime", setter: fld_set}]}, - "ldap": {to:[{field: "rsa.identity.ldap", setter: fld_set}]}, - "ldap.query": {to:[{field: "rsa.identity.ldap_query", setter: fld_set}]}, - "ldap.response": {to:[{field: "rsa.identity.ldap_response", setter: fld_set}]}, - "level": {convert: to_long, to:[{field: "rsa.internal.level", setter: fld_set}]}, - "lhost": {to:[{field: "rsa.network.lhost", setter: fld_set}]}, - "library": {to:[{field: "rsa.misc.library", setter: fld_set}]}, - "lifetime": 
{convert: to_long, to:[{field: "rsa.misc.lifetime", setter: fld_set}]}, - "linenum": {to:[{field: "rsa.misc.linenum", setter: fld_set}]}, - "link": {to:[{field: "rsa.misc.link", setter: fld_set}]}, - "linterface": {to:[{field: "rsa.network.linterface", setter: fld_set}]}, - "list_name": {to:[{field: "rsa.misc.list_name", setter: fld_set}]}, - "listnum": {to:[{field: "rsa.misc.listnum", setter: fld_set}]}, - "load_data": {to:[{field: "rsa.misc.load_data", setter: fld_set}]}, - "location_floor": {to:[{field: "rsa.misc.location_floor", setter: fld_set}]}, - "location_mark": {to:[{field: "rsa.misc.location_mark", setter: fld_set}]}, - "log_id": {to:[{field: "rsa.misc.log_id", setter: fld_set}]}, - "log_type": {to:[{field: "rsa.misc.log_type", setter: fld_set}]}, - "logid": {to:[{field: "rsa.misc.logid", setter: fld_set}]}, - "logip": {to:[{field: "rsa.misc.logip", setter: fld_set}]}, - "logname": {to:[{field: "rsa.misc.logname", setter: fld_set}]}, - "logon_type": {to:[{field: "rsa.identity.logon_type", setter: fld_set}]}, - "logon_type_desc": {to:[{field: "rsa.identity.logon_type_desc", setter: fld_set}]}, - "longitude": {to:[{field: "rsa.misc.longitude", setter: fld_set}]}, - "lport": {to:[{field: "rsa.misc.lport", setter: fld_set}]}, - "lread": {convert: to_long, to:[{field: "rsa.db.lread", setter: fld_set}]}, - "lun": {to:[{field: "rsa.storage.lun", setter: fld_set}]}, - "lwrite": {convert: to_long, to:[{field: "rsa.db.lwrite", setter: fld_set}]}, - "macaddr": {convert: to_mac, to:[{field: "rsa.network.eth_host", setter: fld_set}]}, - "mail_id": {to:[{field: "rsa.misc.mail_id", setter: fld_set}]}, - "mask": {to:[{field: "rsa.network.mask", setter: fld_set}]}, - "match": {to:[{field: "rsa.misc.match", setter: fld_set}]}, - "mbug_data": {to:[{field: "rsa.misc.mbug_data", setter: fld_set}]}, - "mcb.req": {convert: to_long, to:[{field: "rsa.internal.mcb_req", setter: fld_set}]}, - "mcb.res": {convert: to_long, to:[{field: "rsa.internal.mcb_res", setter: fld_set}]}, - 
"mcbc.req": {convert: to_long, to:[{field: "rsa.internal.mcbc_req", setter: fld_set}]}, - "mcbc.res": {convert: to_long, to:[{field: "rsa.internal.mcbc_res", setter: fld_set}]}, - "medium": {convert: to_long, to:[{field: "rsa.internal.medium", setter: fld_set}]}, - "message": {to:[{field: "rsa.internal.message", setter: fld_set}]}, - "message_body": {to:[{field: "rsa.misc.message_body", setter: fld_set}]}, - "messageid": {to:[{field: "rsa.internal.messageid", setter: fld_set}]}, - "min": {to:[{field: "rsa.time.min", setter: fld_set}]}, - "misc": {to:[{field: "rsa.misc.misc", setter: fld_set}]}, - "misc_name": {to:[{field: "rsa.misc.misc_name", setter: fld_set}]}, - "mode": {to:[{field: "rsa.misc.mode", setter: fld_set}]}, - "month": {to:[{field: "rsa.time.month", setter: fld_set}]}, - "msg": {to:[{field: "rsa.internal.msg", setter: fld_set}]}, - "msgIdPart1": {to:[{field: "rsa.misc.msgIdPart1", setter: fld_set}]}, - "msgIdPart2": {to:[{field: "rsa.misc.msgIdPart2", setter: fld_set}]}, - "msgIdPart3": {to:[{field: "rsa.misc.msgIdPart3", setter: fld_set}]}, - "msgIdPart4": {to:[{field: "rsa.misc.msgIdPart4", setter: fld_set}]}, - "msg_id": {to:[{field: "rsa.internal.msg_id", setter: fld_set}]}, - "msg_type": {to:[{field: "rsa.misc.msg_type", setter: fld_set}]}, - "msgid": {to:[{field: "rsa.misc.msgid", setter: fld_set}]}, - "name": {to:[{field: "rsa.misc.name", setter: fld_set}]}, - "netname": {to:[{field: "rsa.network.netname", setter: fld_set}]}, - "netsessid": {to:[{field: "rsa.misc.netsessid", setter: fld_set}]}, - "network_port": {convert: to_long, to:[{field: "rsa.network.network_port", setter: fld_set}]}, - "network_service": {to:[{field: "rsa.network.network_service", setter: fld_set}]}, - "node": {to:[{field: "rsa.misc.node", setter: fld_set}]}, - "nodename": {to:[{field: "rsa.internal.node_name", setter: fld_set}]}, - "ntype": {to:[{field: "rsa.misc.ntype", setter: fld_set}]}, - "num": {to:[{field: "rsa.misc.num", setter: fld_set}]}, - "number": 
{to:[{field: "rsa.misc.number", setter: fld_set}]}, - "number1": {to:[{field: "rsa.misc.number1", setter: fld_set}]}, - "number2": {to:[{field: "rsa.misc.number2", setter: fld_set}]}, - "nwe.callback_id": {to:[{field: "rsa.internal.nwe_callback_id", setter: fld_set}]}, - "nwwn": {to:[{field: "rsa.misc.nwwn", setter: fld_set}]}, - "obj_id": {to:[{field: "rsa.internal.obj_id", setter: fld_set}]}, - "obj_name": {to:[{field: "rsa.misc.obj_name", setter: fld_set}]}, - "obj_server": {to:[{field: "rsa.internal.obj_server", setter: fld_set}]}, - "obj_type": {to:[{field: "rsa.misc.obj_type", setter: fld_set}]}, - "obj_value": {to:[{field: "rsa.internal.obj_val", setter: fld_set}]}, - "object": {to:[{field: "rsa.misc.object", setter: fld_set}]}, - "observed_val": {to:[{field: "rsa.misc.observed_val", setter: fld_set}]}, - "operation": {to:[{field: "rsa.misc.operation", setter: fld_set}]}, - "operation_id": {to:[{field: "rsa.misc.operation_id", setter: fld_set}]}, - "opkt": {to:[{field: "rsa.misc.opkt", setter: fld_set}]}, - "org.dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 1}]}, - "org.src": {to:[{field: "rsa.physical.org_src", setter: fld_set}]}, - "org_dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 0}]}, - "orig_from": {to:[{field: "rsa.misc.orig_from", setter: fld_set}]}, - "origin": {to:[{field: "rsa.network.origin", setter: fld_set}]}, - "original_owner": {to:[{field: "rsa.identity.owner", setter: fld_set}]}, - "os": {to:[{field: "rsa.misc.OS", setter: fld_set}]}, - "owner_id": {to:[{field: "rsa.misc.owner_id", setter: fld_set}]}, - "p_action": {to:[{field: "rsa.misc.p_action", setter: fld_set}]}, - "p_date": {to:[{field: "rsa.time.p_date", setter: fld_set}]}, - "p_filter": {to:[{field: "rsa.misc.p_filter", setter: fld_set}]}, - "p_group_object": {to:[{field: "rsa.misc.p_group_object", setter: fld_set}]}, - "p_id": {to:[{field: "rsa.misc.p_id", setter: fld_set}]}, - "p_month": {to:[{field: "rsa.time.p_month", setter: fld_set}]}, 
- "p_msgid": {to:[{field: "rsa.misc.p_msgid", setter: fld_set}]}, - "p_msgid1": {to:[{field: "rsa.misc.p_msgid1", setter: fld_set}]}, - "p_msgid2": {to:[{field: "rsa.misc.p_msgid2", setter: fld_set}]}, - "p_result1": {to:[{field: "rsa.misc.p_result1", setter: fld_set}]}, - "p_time": {to:[{field: "rsa.time.p_time", setter: fld_set}]}, - "p_time1": {to:[{field: "rsa.time.p_time1", setter: fld_set}]}, - "p_time2": {to:[{field: "rsa.time.p_time2", setter: fld_set}]}, - "p_url": {to:[{field: "rsa.web.p_url", setter: fld_set}]}, - "p_user_agent": {to:[{field: "rsa.web.p_user_agent", setter: fld_set}]}, - "p_web_cookie": {to:[{field: "rsa.web.p_web_cookie", setter: fld_set}]}, - "p_web_method": {to:[{field: "rsa.web.p_web_method", setter: fld_set}]}, - "p_web_referer": {to:[{field: "rsa.web.p_web_referer", setter: fld_set}]}, - "p_year": {to:[{field: "rsa.time.p_year", setter: fld_set}]}, - "packet_length": {to:[{field: "rsa.network.packet_length", setter: fld_set}]}, - "paddr": {convert: to_ip, to:[{field: "rsa.network.paddr", setter: fld_set}]}, - "param": {to:[{field: "rsa.misc.param", setter: fld_set}]}, - "param.dst": {to:[{field: "rsa.misc.param_dst", setter: fld_set}]}, - "param.src": {to:[{field: "rsa.misc.param_src", setter: fld_set}]}, - "parent_node": {to:[{field: "rsa.misc.parent_node", setter: fld_set}]}, - "parse.error": {to:[{field: "rsa.internal.parse_error", setter: fld_set}]}, - "password": {to:[{field: "rsa.identity.password", setter: fld_set}]}, - "password_chg": {to:[{field: "rsa.misc.password_chg", setter: fld_set}]}, - "password_expire": {to:[{field: "rsa.misc.password_expire", setter: fld_set}]}, - "patient_fname": {to:[{field: "rsa.healthcare.patient_fname", setter: fld_set}]}, - "patient_id": {to:[{field: "rsa.healthcare.patient_id", setter: fld_set}]}, - "patient_lname": {to:[{field: "rsa.healthcare.patient_lname", setter: fld_set}]}, - "patient_mname": {to:[{field: "rsa.healthcare.patient_mname", setter: fld_set}]}, - "payload.req": {convert: 
to_long, to:[{field: "rsa.internal.payload_req", setter: fld_set}]}, - "payload.res": {convert: to_long, to:[{field: "rsa.internal.payload_res", setter: fld_set}]}, - "peer": {to:[{field: "rsa.crypto.peer", setter: fld_set}]}, - "peer_id": {to:[{field: "rsa.crypto.peer_id", setter: fld_set}]}, - "permgranted": {to:[{field: "rsa.misc.permgranted", setter: fld_set}]}, - "permissions": {to:[{field: "rsa.db.permissions", setter: fld_set}]}, - "permwanted": {to:[{field: "rsa.misc.permwanted", setter: fld_set}]}, - "pgid": {to:[{field: "rsa.misc.pgid", setter: fld_set}]}, - "phone_number": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 2}]}, - "phost": {to:[{field: "rsa.network.phost", setter: fld_set}]}, - "pid": {to:[{field: "rsa.misc.pid", setter: fld_set}]}, - "policy": {to:[{field: "rsa.misc.policy", setter: fld_set}]}, - "policyUUID": {to:[{field: "rsa.misc.policyUUID", setter: fld_set}]}, - "policy_id": {to:[{field: "rsa.misc.policy_id", setter: fld_set}]}, - "policy_value": {to:[{field: "rsa.misc.policy_value", setter: fld_set}]}, - "policy_waiver": {to:[{field: "rsa.misc.policy_waiver", setter: fld_set}]}, - "policyname": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 0}]}, - "pool_id": {to:[{field: "rsa.misc.pool_id", setter: fld_set}]}, - "pool_name": {to:[{field: "rsa.misc.pool_name", setter: fld_set}]}, - "port": {convert: to_long, to:[{field: "rsa.network.port", setter: fld_set}]}, - "portname": {to:[{field: "rsa.misc.port_name", setter: fld_set}]}, - "pread": {convert: to_long, to:[{field: "rsa.db.pread", setter: fld_set}]}, - "priority": {to:[{field: "rsa.misc.priority", setter: fld_set}]}, - "privilege": {to:[{field: "rsa.file.privilege", setter: fld_set}]}, - "process.vid.dst": {to:[{field: "rsa.internal.process_vid_dst", setter: fld_set}]}, - "process.vid.src": {to:[{field: "rsa.internal.process_vid_src", setter: fld_set}]}, - "process_id_val": {to:[{field: "rsa.misc.process_id_val", setter: fld_set}]}, - "processing_time": 
{to:[{field: "rsa.time.process_time", setter: fld_set}]}, - "profile": {to:[{field: "rsa.identity.profile", setter: fld_set}]}, - "prog_asp_num": {to:[{field: "rsa.misc.prog_asp_num", setter: fld_set}]}, - "program": {to:[{field: "rsa.misc.program", setter: fld_set}]}, - "protocol_detail": {to:[{field: "rsa.network.protocol_detail", setter: fld_set}]}, - "pwwn": {to:[{field: "rsa.storage.pwwn", setter: fld_set}]}, - "r_hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "real_data": {to:[{field: "rsa.misc.real_data", setter: fld_set}]}, - "realm": {to:[{field: "rsa.identity.realm", setter: fld_set}]}, - "reason": {to:[{field: "rsa.misc.reason", setter: fld_set}]}, - "rec_asp_device": {to:[{field: "rsa.misc.rec_asp_device", setter: fld_set}]}, - "rec_asp_num": {to:[{field: "rsa.misc.rec_asp_num", setter: fld_set}]}, - "rec_library": {to:[{field: "rsa.misc.rec_library", setter: fld_set}]}, - "recorded_time": {convert: to_date, to:[{field: "rsa.time.recorded_time", setter: fld_set}]}, - "recordnum": {to:[{field: "rsa.misc.recordnum", setter: fld_set}]}, - "registry.key": {to:[{field: "rsa.endpoint.registry_key", setter: fld_set}]}, - "registry.value": {to:[{field: "rsa.endpoint.registry_value", setter: fld_set}]}, - "remote_domain": {to:[{field: "rsa.web.remote_domain", setter: fld_set}]}, - "remote_domain_id": {to:[{field: "rsa.network.remote_domain_id", setter: fld_set}]}, - "reputation_num": {convert: to_double, to:[{field: "rsa.web.reputation_num", setter: fld_set}]}, - "resource": {to:[{field: "rsa.internal.resource", setter: fld_set}]}, - "resource_class": {to:[{field: "rsa.internal.resource_class", setter: fld_set}]}, - "result": {to:[{field: "rsa.misc.result", setter: fld_set}]}, - "result_code": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 1}]}, - "resultcode": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 0}]}, - "rid": {convert: to_long, to:[{field: "rsa.internal.rid", setter: fld_set}]}, - "risk": 
{to:[{field: "rsa.misc.risk", setter: fld_set}]}, - "risk_info": {to:[{field: "rsa.misc.risk_info", setter: fld_set}]}, - "risk_num": {convert: to_double, to:[{field: "rsa.misc.risk_num", setter: fld_set}]}, - "risk_num_comm": {convert: to_double, to:[{field: "rsa.misc.risk_num_comm", setter: fld_set}]}, - "risk_num_next": {convert: to_double, to:[{field: "rsa.misc.risk_num_next", setter: fld_set}]}, - "risk_num_sand": {convert: to_double, to:[{field: "rsa.misc.risk_num_sand", setter: fld_set}]}, - "risk_num_static": {convert: to_double, to:[{field: "rsa.misc.risk_num_static", setter: fld_set}]}, - "risk_suspicious": {to:[{field: "rsa.misc.risk_suspicious", setter: fld_set}]}, - "risk_warning": {to:[{field: "rsa.misc.risk_warning", setter: fld_set}]}, - "rpayload": {to:[{field: "rsa.network.rpayload", setter: fld_set}]}, - "ruid": {to:[{field: "rsa.misc.ruid", setter: fld_set}]}, - "rule": {to:[{field: "rsa.misc.rule", setter: fld_set}]}, - "rule_group": {to:[{field: "rsa.misc.rule_group", setter: fld_set}]}, - "rule_template": {to:[{field: "rsa.misc.rule_template", setter: fld_set}]}, - "rule_uid": {to:[{field: "rsa.misc.rule_uid", setter: fld_set}]}, - "rulename": {to:[{field: "rsa.misc.rule_name", setter: fld_set}]}, - "s_certauth": {to:[{field: "rsa.crypto.s_certauth", setter: fld_set}]}, - "s_cipher": {to:[{field: "rsa.crypto.cipher_src", setter: fld_set}]}, - "s_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_src", setter: fld_set}]}, - "s_context": {to:[{field: "rsa.misc.context_subject", setter: fld_set}]}, - "s_sslver": {to:[{field: "rsa.crypto.ssl_ver_src", setter: fld_set}]}, - "sburb": {to:[{field: "rsa.misc.sburb", setter: fld_set}]}, - "scheme": {to:[{field: "rsa.crypto.scheme", setter: fld_set}]}, - "sdomain_fld": {to:[{field: "rsa.misc.sdomain_fld", setter: fld_set}]}, - "search.text": {to:[{field: "rsa.misc.search_text", setter: fld_set}]}, - "sec": {to:[{field: "rsa.misc.sec", setter: fld_set}]}, - "second": {to:[{field: 
"rsa.misc.second", setter: fld_set}]}, - "sensor": {to:[{field: "rsa.misc.sensor", setter: fld_set}]}, - "sensorname": {to:[{field: "rsa.misc.sensorname", setter: fld_set}]}, - "seqnum": {to:[{field: "rsa.misc.seqnum", setter: fld_set}]}, - "serial_number": {to:[{field: "rsa.misc.serial_number", setter: fld_set}]}, - "service.account": {to:[{field: "rsa.identity.service_account", setter: fld_set}]}, - "session": {to:[{field: "rsa.misc.session", setter: fld_set}]}, - "session.split": {to:[{field: "rsa.internal.session_split", setter: fld_set}]}, - "sessionid": {to:[{field: "rsa.misc.log_session_id", setter: fld_set}]}, - "sessionid1": {to:[{field: "rsa.misc.log_session_id1", setter: fld_set}]}, - "sessiontype": {to:[{field: "rsa.misc.sessiontype", setter: fld_set}]}, - "severity": {to:[{field: "rsa.misc.severity", setter: fld_set}]}, - "sid": {to:[{field: "rsa.identity.user_sid_dst", setter: fld_set}]}, - "sig.name": {to:[{field: "rsa.misc.sig_name", setter: fld_set}]}, - "sigUUID": {to:[{field: "rsa.misc.sigUUID", setter: fld_set}]}, - "sigcat": {to:[{field: "rsa.misc.sigcat", setter: fld_set}]}, - "sigid": {convert: to_long, to:[{field: "rsa.misc.sig_id", setter: fld_set}]}, - "sigid1": {convert: to_long, to:[{field: "rsa.misc.sig_id1", setter: fld_set}]}, - "sigid_string": {to:[{field: "rsa.misc.sig_id_str", setter: fld_set}]}, - "signame": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 1}]}, - "sigtype": {to:[{field: "rsa.crypto.sig_type", setter: fld_set}]}, - "sinterface": {to:[{field: "rsa.network.sinterface", setter: fld_set}]}, - "site": {to:[{field: "rsa.internal.site", setter: fld_set}]}, - "size": {convert: to_long, to:[{field: "rsa.internal.size", setter: fld_set}]}, - "smask": {to:[{field: "rsa.network.smask", setter: fld_set}]}, - "snmp.oid": {to:[{field: "rsa.misc.snmp_oid", setter: fld_set}]}, - "snmp.value": {to:[{field: "rsa.misc.snmp_value", setter: fld_set}]}, - "sourcefile": {to:[{field: "rsa.internal.sourcefile", setter: 
fld_set}]}, - "space": {to:[{field: "rsa.misc.space", setter: fld_set}]}, - "space1": {to:[{field: "rsa.misc.space1", setter: fld_set}]}, - "spi": {to:[{field: "rsa.misc.spi", setter: fld_set}]}, - "sql": {to:[{field: "rsa.misc.sql", setter: fld_set}]}, - "src_dn": {to:[{field: "rsa.identity.dn_src", setter: fld_set}]}, - "src_payload": {to:[{field: "rsa.misc.payload_src", setter: fld_set}]}, - "src_spi": {to:[{field: "rsa.misc.spi_src", setter: fld_set}]}, - "src_zone": {to:[{field: "rsa.network.zone_src", setter: fld_set}]}, - "srcburb": {to:[{field: "rsa.misc.srcburb", setter: fld_set}]}, - "srcdom": {to:[{field: "rsa.misc.srcdom", setter: fld_set}]}, - "srcservice": {to:[{field: "rsa.misc.srcservice", setter: fld_set}]}, - "ssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 0}]}, - "stamp": {convert: to_date, to:[{field: "rsa.time.stamp", setter: fld_set}]}, - "starttime": {convert: to_date, to:[{field: "rsa.time.starttime", setter: fld_set}]}, - "state": {to:[{field: "rsa.misc.state", setter: fld_set}]}, - "statement": {to:[{field: "rsa.internal.statement", setter: fld_set}]}, - "status": {to:[{field: "rsa.misc.status", setter: fld_set}]}, - "status1": {to:[{field: "rsa.misc.status1", setter: fld_set}]}, - "streams": {convert: to_long, to:[{field: "rsa.misc.streams", setter: fld_set}]}, - "subcategory": {to:[{field: "rsa.misc.subcategory", setter: fld_set}]}, - "subject": {to:[{field: "rsa.email.subject", setter: fld_set}]}, - "svcno": {to:[{field: "rsa.misc.svcno", setter: fld_set}]}, - "system": {to:[{field: "rsa.misc.system", setter: fld_set}]}, - "t_context": {to:[{field: "rsa.misc.context_target", setter: fld_set}]}, - "task_name": {to:[{field: "rsa.file.task_name", setter: fld_set}]}, - "tbdstr1": {to:[{field: "rsa.misc.tbdstr1", setter: fld_set}]}, - "tbdstr2": {to:[{field: "rsa.misc.tbdstr2", setter: fld_set}]}, - "tbl_name": {to:[{field: "rsa.db.table_name", setter: fld_set}]}, - "tcp_flags": {convert: to_long, to:[{field: 
"rsa.misc.tcp_flags", setter: fld_set}]}, - "terminal": {to:[{field: "rsa.misc.terminal", setter: fld_set}]}, - "tgtdom": {to:[{field: "rsa.misc.tgtdom", setter: fld_set}]}, - "tgtdomain": {to:[{field: "rsa.misc.tgtdomain", setter: fld_set}]}, - "threat_name": {to:[{field: "rsa.threat.threat_category", setter: fld_set}]}, - "threat_source": {to:[{field: "rsa.threat.threat_source", setter: fld_set}]}, - "threat_val": {to:[{field: "rsa.threat.threat_desc", setter: fld_set}]}, - "threshold": {to:[{field: "rsa.misc.threshold", setter: fld_set}]}, - "time": {convert: to_date, to:[{field: "rsa.internal.time", setter: fld_set}]}, - "timestamp": {to:[{field: "rsa.time.timestamp", setter: fld_set}]}, - "timezone": {to:[{field: "rsa.time.timezone", setter: fld_set}]}, - "to": {to:[{field: "rsa.email.email_dst", setter: fld_set}]}, - "tos": {convert: to_long, to:[{field: "rsa.misc.tos", setter: fld_set}]}, - "trans_from": {to:[{field: "rsa.email.trans_from", setter: fld_set}]}, - "trans_id": {to:[{field: "rsa.db.transact_id", setter: fld_set}]}, - "trans_to": {to:[{field: "rsa.email.trans_to", setter: fld_set}]}, - "trigger_desc": {to:[{field: "rsa.misc.trigger_desc", setter: fld_set}]}, - "trigger_val": {to:[{field: "rsa.misc.trigger_val", setter: fld_set}]}, - "type": {to:[{field: "rsa.misc.type", setter: fld_set}]}, - "type1": {to:[{field: "rsa.misc.type1", setter: fld_set}]}, - "tzone": {to:[{field: "rsa.time.tzone", setter: fld_set}]}, - "ubc.req": {convert: to_long, to:[{field: "rsa.internal.ubc_req", setter: fld_set}]}, - "ubc.res": {convert: to_long, to:[{field: "rsa.internal.ubc_res", setter: fld_set}]}, - "udb_class": {to:[{field: "rsa.misc.udb_class", setter: fld_set}]}, - "url_fld": {to:[{field: "rsa.misc.url_fld", setter: fld_set}]}, - "urlpage": {to:[{field: "rsa.web.urlpage", setter: fld_set}]}, - "urlroot": {to:[{field: "rsa.web.urlroot", setter: fld_set}]}, - "user_address": {to:[{field: "rsa.email.email", setter: fld_append}]}, - "user_dept": {to:[{field: 
"rsa.identity.user_dept", setter: fld_set}]}, - "user_div": {to:[{field: "rsa.misc.user_div", setter: fld_set}]}, - "user_fname": {to:[{field: "rsa.identity.firstname", setter: fld_set}]}, - "user_lname": {to:[{field: "rsa.identity.lastname", setter: fld_set}]}, - "user_mname": {to:[{field: "rsa.identity.middlename", setter: fld_set}]}, - "user_org": {to:[{field: "rsa.identity.org", setter: fld_set}]}, - "user_role": {to:[{field: "rsa.identity.user_role", setter: fld_set}]}, - "userid": {to:[{field: "rsa.misc.userid", setter: fld_set}]}, - "username_fld": {to:[{field: "rsa.misc.username_fld", setter: fld_set}]}, - "utcstamp": {to:[{field: "rsa.misc.utcstamp", setter: fld_set}]}, - "v_instafname": {to:[{field: "rsa.misc.v_instafname", setter: fld_set}]}, - "vendor_event_cat": {to:[{field: "rsa.investigations.event_vcat", setter: fld_set}]}, - "version": {to:[{field: "rsa.misc.version", setter: fld_set}]}, - "vid": {to:[{field: "rsa.internal.msg_vid", setter: fld_set}]}, - "virt_data": {to:[{field: "rsa.misc.virt_data", setter: fld_set}]}, - "virusname": {to:[{field: "rsa.misc.virusname", setter: fld_set}]}, - "vlan": {convert: to_long, to:[{field: "rsa.network.vlan", setter: fld_set}]}, - "vlan.name": {to:[{field: "rsa.network.vlan_name", setter: fld_set}]}, - "vm_target": {to:[{field: "rsa.misc.vm_target", setter: fld_set}]}, - "vpnid": {to:[{field: "rsa.misc.vpnid", setter: fld_set}]}, - "vsys": {to:[{field: "rsa.misc.vsys", setter: fld_set}]}, - "vuln_ref": {to:[{field: "rsa.misc.vuln_ref", setter: fld_set}]}, - "web_cookie": {to:[{field: "rsa.web.web_cookie", setter: fld_set}]}, - "web_extension_tmp": {to:[{field: "rsa.web.web_extension_tmp", setter: fld_set}]}, - "web_host": {to:[{field: "rsa.web.alias_host", setter: fld_set}]}, - "web_method": {to:[{field: "rsa.misc.action", setter: fld_append}]}, - "web_page": {to:[{field: "rsa.web.web_page", setter: fld_set}]}, - "web_ref_domain": {to:[{field: "rsa.web.web_ref_domain", setter: fld_set}]}, - "web_ref_host": 
{to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "web_ref_page": {to:[{field: "rsa.web.web_ref_page", setter: fld_set}]}, - "web_ref_query": {to:[{field: "rsa.web.web_ref_query", setter: fld_set}]}, - "web_ref_root": {to:[{field: "rsa.web.web_ref_root", setter: fld_set}]}, - "wifi_channel": {convert: to_long, to:[{field: "rsa.wireless.wlan_channel", setter: fld_set}]}, - "wlan": {to:[{field: "rsa.wireless.wlan_name", setter: fld_set}]}, - "word": {to:[{field: "rsa.internal.word", setter: fld_set}]}, - "workspace_desc": {to:[{field: "rsa.misc.workspace", setter: fld_set}]}, - "workstation": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "year": {to:[{field: "rsa.time.year", setter: fld_set}]}, - "zone": {to:[{field: "rsa.network.zone", setter: fld_set}]}, - }; - - function to_date(value) { - switch (typeof (value)) { - case "object": - // This is a Date. But as it was obtained from evt.Get(), the VM - // doesn't see it as a JS Date anymore, thus value instanceof Date === false. - // Have to trust that any object here is a valid Date for Go. - return value; - case "string": - var asDate = new Date(value); - if (!isNaN(asDate)) return asDate; - } - } - - // ECMAScript 5.1 doesn't have Object.MAX_SAFE_INTEGER / Object.MIN_SAFE_INTEGER. - var maxSafeInt = Math.pow(2, 53) - 1; - var minSafeInt = -maxSafeInt; - - function to_long(value) { - var num = parseInt(value); - // Better not to index a number if it's not safe (above 53 bits). - return !isNaN(num) && minSafeInt <= num && num <= maxSafeInt ? 
num : undefined; - } - - function to_ip(value) { - if (value.indexOf(":") === -1) - return to_ipv4(value); - return to_ipv6(value); - } - - var ipv4_regex = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/; - var ipv6_hex_regex = /^[0-9A-Fa-f]{1,4}$/; - - function to_ipv4(value) { - var result = ipv4_regex.exec(value); - if (result == null || result.length !== 5) return; - for (var i = 1; i < 5; i++) { - var num = strictToInt(result[i]); - if (isNaN(num) || num < 0 || num > 255) return; - } - return value; - } - - function to_ipv6(value) { - var sqEnd = value.indexOf("]"); - if (sqEnd > -1) { - if (value.charAt(0) !== "[") return; - value = value.substr(1, sqEnd - 1); - } - var zoneOffset = value.indexOf("%"); - if (zoneOffset > -1) { - value = value.substr(0, zoneOffset); - } - var parts = value.split(":"); - if (parts == null || parts.length < 3 || parts.length > 8) return; - var numEmpty = 0; - var innerEmpty = 0; - for (var i = 0; i < parts.length; i++) { - if (parts[i].length === 0) { - numEmpty++; - if (i > 0 && i + 1 < parts.length) innerEmpty++; - } else if (!parts[i].match(ipv6_hex_regex) && - // Accept an IPv6 with a valid IPv4 at the end. - ((i + 1 < parts.length) || !to_ipv4(parts[i]))) { - return; - } - } - return innerEmpty === 0 && parts.length === 8 || innerEmpty === 1 ? value : undefined; - } - - function to_double(value) { - return parseFloat(value); - } - - function to_mac(value) { - // ES doesn't have a mac datatype so it's safe to ingest whatever was captured. - return value; - } - - function to_lowercase(value) { - // to_lowercase is used against keyword fields, which can accept - // any other type (numbers, dates). - return typeof(value) === "string"? 
value.toLowerCase() : value; - } - - function fld_set(dst, value) { - dst[this.field] = { v: value }; - } - - function fld_append(dst, value) { - if (dst[this.field] === undefined) { - dst[this.field] = { v: [value] }; - } else { - var base = dst[this.field]; - if (base.v.indexOf(value)===-1) base.v.push(value); - } - } - - function fld_prio(dst, value) { - if (dst[this.field] === undefined) { - dst[this.field] = { v: value, prio: this.prio}; - } else if(this.prio < dst[this.field].prio) { - dst[this.field].v = value; - dst[this.field].prio = this.prio; - } - } - - var valid_ecs_outcome = { - 'failure': true, - 'success': true, - 'unknown': true - }; - - function fld_ecs_outcome(dst, value) { - value = value.toLowerCase(); - if (valid_ecs_outcome[value] === undefined) { - value = 'unknown'; - } - if (dst[this.field] === undefined) { - dst[this.field] = { v: value }; - } else if (dst[this.field].v === 'unknown') { - dst[this.field] = { v: value }; - } - } - - function map_all(evt, targets, value) { - for (var i = 0; i < targets.length; i++) { - evt.Put(targets[i], value); - } - } - - function populate_fields(evt) { - var base = evt.Get(FIELDS_OBJECT); - if (base === null) return; - alternate_datetime(evt); - if (map_ecs) { - do_populate(evt, base, ecs_mappings); - } - if (map_rsa) { - do_populate(evt, base, rsa_mappings); - } - if (keep_raw) { - evt.Put("rsa.raw", base); - } - evt.Delete(FIELDS_OBJECT); - } - - var datetime_alt_components = [ - {field: "day", fmts: [[dF]]}, - {field: "year", fmts: [[dW]]}, - {field: "month", fmts: [[dB],[dG]]}, - {field: "date", fmts: [[dW,dSkip,dG,dSkip,dF],[dW,dSkip,dB,dSkip,dF],[dW,dSkip,dR,dSkip,dF]]}, - {field: "hour", fmts: [[dN]]}, - {field: "min", fmts: [[dU]]}, - {field: "secs", fmts: [[dO]]}, - {field: "time", fmts: [[dN, dSkip, dU, dSkip, dO]]}, - ]; - - function alternate_datetime(evt) { - if (evt.Get(FIELDS_PREFIX + "event_time") != null) { - return; - } - var tzOffset = tz_offset; - if (tzOffset === "event") { - 
tzOffset = evt.Get("event.timezone"); - } - var container = new DateContainer(tzOffset); - for (var i=0; i} for %{p0}"); - - var dup7 = match("MESSAGE#2:00001:02/1_1", "nwparser.p0", "domain address %{domain->} in zone %{p0}"); - - var dup8 = match("MESSAGE#4:00001:04/3_0", "nwparser.p0", " (%{fld1})"); - - var dup9 = date_time({ - dest: "event_time", - args: ["fld1"], - fmts: [ - [dW,dc("-"),dG,dc("-"),dF,dH,dc(":"),dU,dc(":"),dO], - ], - }); - - var dup10 = match("MESSAGE#5:00001:05/1_0", "nwparser.p0", "(%{fld1})"); - - var dup11 = match_copy("MESSAGE#5:00001:05/1_1", "nwparser.p0", "fld1"); - - var dup12 = match("MESSAGE#8:00001:08/0", "nwparser.payload", "Address %{p0}"); - - var dup13 = match("MESSAGE#8:00001:08/1_0", "nwparser.p0", "MIP(%{interface}) %{p0}"); - - var dup14 = match("MESSAGE#8:00001:08/1_1", "nwparser.p0", "%{group_object->} %{p0}"); - - var dup15 = match("MESSAGE#8:00001:08/3_0", "nwparser.p0", "admin %{p0}"); - - var dup16 = match_copy("MESSAGE#8:00001:08/3_1", "nwparser.p0", "p0"); - - var dup17 = setc("eventcategory","1502000000"); - - var dup18 = setc("eventcategory","1703000000"); - - var dup19 = setc("eventcategory","1603000000"); - - var dup20 = match("MESSAGE#25:00002:20/1_1", "nwparser.p0", "from host %{saddr->} "); - - var dup21 = match_copy("MESSAGE#25:00002:20/1_2", "nwparser.p0", ""); - - var dup22 = setc("eventcategory","1502050000"); - - var dup23 = match("MESSAGE#26:00002:21/1", "nwparser.p0", "%{p0}"); - - var dup24 = match("MESSAGE#26:00002:21/2_0", "nwparser.p0", "password %{p0}"); - - var dup25 = match("MESSAGE#26:00002:21/2_1", "nwparser.p0", "name %{p0}"); - - var dup26 = match_copy("MESSAGE#27:00002:22/1_2", "nwparser.p0", "administrator"); - - var dup27 = setc("eventcategory","1801010000"); - - var dup28 = setc("eventcategory","1401060000"); - - var dup29 = setc("ec_subject","User"); - - var dup30 = setc("ec_activity","Logon"); - - var dup31 = setc("ec_theme","Authentication"); - - var dup32 = 
setc("ec_outcome","Success"); - - var dup33 = setc("eventcategory","1401070000"); - - var dup34 = setc("ec_activity","Logoff"); - - var dup35 = setc("eventcategory","1303000000"); - - var dup36 = match_copy("MESSAGE#42:00002:38/1_1", "nwparser.p0", "disposition"); - - var dup37 = setc("eventcategory","1402020200"); - - var dup38 = setc("ec_theme","UserGroup"); - - var dup39 = setc("ec_outcome","Error"); - - var dup40 = match("MESSAGE#46:00002:42/1_1", "nwparser.p0", "via %{p0}"); - - var dup41 = match("MESSAGE#46:00002:42/4", "nwparser.p0", "%{fld1})"); - - var dup42 = setc("eventcategory","1402020300"); - - var dup43 = setc("ec_activity","Modify"); - - var dup44 = setc("eventcategory","1605000000"); - - var dup45 = match("MESSAGE#52:00002:48/3_1", "nwparser.p0", "%{logon_type->} from host %{saddr->} to %{daddr}:%{dport}. (%{p0}"); - - var dup46 = match("MESSAGE#53:00002:52/3_0", "nwparser.p0", "admin %{administrator->} via %{p0}"); - - var dup47 = match("MESSAGE#53:00002:52/3_2", "nwparser.p0", "%{username->} via %{p0}"); - - var dup48 = match("MESSAGE#53:00002:52/4_0", "nwparser.p0", "NSRP Peer . (%{p0}"); - - var dup49 = match("MESSAGE#55:00002:54/2", "nwparser.p0", ". 
(%{fld1})"); - - var dup50 = setc("eventcategory","1701020000"); - - var dup51 = setc("ec_theme","Configuration"); - - var dup52 = match("MESSAGE#56:00002/1_1", "nwparser.p0", "changed%{p0}"); - - var dup53 = setc("eventcategory","1301000000"); - - var dup54 = setc("ec_outcome","Failure"); - - var dup55 = match("MESSAGE#61:00003:05/0", "nwparser.payload", "The %{p0}"); - - var dup56 = match("MESSAGE#66:00004:04/1_0", "nwparser.p0", "interface%{p0}"); - - var dup57 = match("MESSAGE#66:00004:04/1_1", "nwparser.p0", "Interface%{p0}"); - - var dup58 = setc("eventcategory","1001000000"); - - var dup59 = setc("dclass_counter1_string","Number of times the attack occurred"); - - var dup60 = call({ - dest: "nwparser.inout", - fn: DIRCHK, - args: [ - field("$OUT"), - field("saddr"), - field("daddr"), - ], - }); - - var dup61 = call({ - dest: "nwparser.inout", - fn: DIRCHK, - args: [ - field("$OUT"), - field("saddr"), - field("daddr"), - field("sport"), - field("dport"), - ], - }); - - var dup62 = setc("eventcategory","1608010000"); - - var dup63 = match("MESSAGE#76:00004:14/0", "nwparser.payload", "DNS entries have been %{p0}"); - - var dup64 = match("MESSAGE#79:00004:17/0", "nwparser.payload", "%{signame->} From %{saddr->} to %{daddr}, proto %{protocol->} (zone %{p0}"); - - var dup65 = match("MESSAGE#79:00004:17/1_0", "nwparser.p0", "%{zone}, %{p0}"); - - var dup66 = match("MESSAGE#79:00004:17/1_1", "nwparser.p0", "%{zone->} %{p0}"); - - var dup67 = match("MESSAGE#79:00004:17/2", "nwparser.p0", "int %{interface}).%{space}Occurred %{dclass_counter1->} times. 
(%{fld1})"); - - var dup68 = match("MESSAGE#83:00005:03/1_0", "nwparser.p0", "%{dport},%{p0}"); - - var dup69 = match("MESSAGE#83:00005:03/1_1", "nwparser.p0", "%{dport->} %{p0}"); - - var dup70 = match("MESSAGE#83:00005:03/2", "nwparser.p0", "%{space}using protocol %{p0}"); - - var dup71 = match("MESSAGE#83:00005:03/3_0", "nwparser.p0", "%{protocol},%{p0}"); - - var dup72 = match("MESSAGE#83:00005:03/3_1", "nwparser.p0", "%{protocol->} %{p0}"); - - var dup73 = match("MESSAGE#83:00005:03/5_1", "nwparser.p0", ". %{p0}"); - - var dup74 = match("MESSAGE#86:00005:06/0_0", "nwparser.payload", "%{fld2}: SYN %{p0}"); - - var dup75 = match("MESSAGE#86:00005:06/0_1", "nwparser.payload", "SYN %{p0}"); - - var dup76 = match("MESSAGE#87:00005:07/1_2", "nwparser.p0", "timeout value %{p0}"); - - var dup77 = match("MESSAGE#88:00005:08/2_0", "nwparser.p0", "destination %{p0}"); - - var dup78 = match("MESSAGE#88:00005:08/2_1", "nwparser.p0", "source %{p0}"); - - var dup79 = match("MESSAGE#97:00005:17/0", "nwparser.payload", "A %{p0}"); - - var dup80 = match("MESSAGE#98:00005:18/0", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to %{daddr}:%{dport}, proto %{protocol->} (zone %{zone->} %{p0}"); - - var dup81 = match("MESSAGE#98:00005:18/1_0", "nwparser.p0", ", int %{p0}"); - - var dup82 = match("MESSAGE#98:00005:18/1_1", "nwparser.p0", "int %{p0}"); - - var dup83 = match("MESSAGE#98:00005:18/2", "nwparser.p0", "%{interface}).%{space}Occurred %{dclass_counter1->} times. 
(%{fld1})"); - - var dup84 = setc("eventcategory","1002020000"); - - var dup85 = setc("eventcategory","1002000000"); - - var dup86 = setc("eventcategory","1603110000"); - - var dup87 = match("MESSAGE#111:00007:04/0", "nwparser.payload", "HA %{p0}"); - - var dup88 = match("MESSAGE#111:00007:04/1_0", "nwparser.p0", "encryption %{p0}"); - - var dup89 = match("MESSAGE#111:00007:04/1_1", "nwparser.p0", "authentication %{p0}"); - - var dup90 = match("MESSAGE#111:00007:04/3_1", "nwparser.p0", "key %{p0}"); - - var dup91 = setc("eventcategory","1613040200"); - - var dup92 = match("MESSAGE#118:00007:11/1_0", "nwparser.p0", "disabled%{}"); - - var dup93 = match("MESSAGE#118:00007:11/1_1", "nwparser.p0", "set to %{trigger_val}"); - - var dup94 = match("MESSAGE#127:00007:21/1_0", "nwparser.p0", "up%{}"); - - var dup95 = match("MESSAGE#127:00007:21/1_1", "nwparser.p0", "down%{}"); - - var dup96 = match("MESSAGE#139:00007:33/2_1", "nwparser.p0", " %{p0}"); - - var dup97 = setc("eventcategory","1613050200"); - - var dup98 = match("MESSAGE#143:00007:37/1_0", "nwparser.p0", "set%{}"); - - var dup99 = match("MESSAGE#143:00007:37/1_1", "nwparser.p0", "unset%{}"); - - var dup100 = match("MESSAGE#144:00007:38/1_0", "nwparser.p0", "undefined %{p0}"); - - var dup101 = match("MESSAGE#144:00007:38/1_1", "nwparser.p0", "set %{p0}"); - - var dup102 = match("MESSAGE#144:00007:38/1_2", "nwparser.p0", "active %{p0}"); - - var dup103 = match("MESSAGE#144:00007:38/2", "nwparser.p0", "to %{p0}"); - - var dup104 = match("MESSAGE#157:00007:51/1_0", "nwparser.p0", "created %{p0}"); - - var dup105 = match("MESSAGE#157:00007:51/3_0", "nwparser.p0", ", %{p0}"); - - var dup106 = match("MESSAGE#157:00007:51/5_0", "nwparser.p0", "is %{p0}"); - - var dup107 = match("MESSAGE#157:00007:51/5_1", "nwparser.p0", "was %{p0}"); - - var dup108 = match("MESSAGE#157:00007:51/6", "nwparser.p0", "%{fld2}"); - - var dup109 = match("MESSAGE#163:00007:57/1_0", "nwparser.p0", "threshold %{p0}"); - - var dup110 = 
match("MESSAGE#163:00007:57/1_1", "nwparser.p0", "interval %{p0}"); - - var dup111 = match("MESSAGE#163:00007:57/3_0", "nwparser.p0", "of %{p0}"); - - var dup112 = match("MESSAGE#163:00007:57/3_1", "nwparser.p0", "that %{p0}"); - - var dup113 = match("MESSAGE#170:00007:64/0_0", "nwparser.payload", "Zone %{p0}"); - - var dup114 = match("MESSAGE#170:00007:64/0_1", "nwparser.payload", "Interface %{p0}"); - - var dup115 = match("MESSAGE#172:00007:66/2_1", "nwparser.p0", "n %{p0}"); - - var dup116 = match("MESSAGE#174:00007:68/4", "nwparser.p0", ".%{}"); - - var dup117 = setc("eventcategory","1603090000"); - - var dup118 = match("MESSAGE#195:00009:06/1", "nwparser.p0", "for %{p0}"); - - var dup119 = match("MESSAGE#195:00009:06/2_0", "nwparser.p0", "the %{p0}"); - - var dup120 = match("MESSAGE#195:00009:06/4_0", "nwparser.p0", "removed %{p0}"); - - var dup121 = setc("eventcategory","1603030000"); - - var dup122 = match("MESSAGE#202:00009:14/2_0", "nwparser.p0", "interface %{p0}"); - - var dup123 = match("MESSAGE#202:00009:14/2_1", "nwparser.p0", "the interface %{p0}"); - - var dup124 = match_copy("MESSAGE#202:00009:14/4_1", "nwparser.p0", "interface"); - - var dup125 = match("MESSAGE#203:00009:15/1_1", "nwparser.p0", "s %{p0}"); - - var dup126 = match("MESSAGE#203:00009:15/2", "nwparser.p0", "on interface %{interface->} %{p0}"); - - var dup127 = match("MESSAGE#203:00009:15/3_0", "nwparser.p0", "has been %{p0}"); - - var dup128 = match("MESSAGE#203:00009:15/4", "nwparser.p0", "%{disposition}."); - - var dup129 = match("MESSAGE#204:00009:16/3_0", "nwparser.p0", "removed from %{p0}"); - - var dup130 = match("MESSAGE#204:00009:16/3_1", "nwparser.p0", "added to %{p0}"); - - var dup131 = match("MESSAGE#210:00009:21/2", "nwparser.p0", "%{interface}). Occurred %{dclass_counter1->} times. 
(%{fld1})"); - - var dup132 = match("MESSAGE#219:00010:03/0", "nwparser.payload", "%{signame->} From %{saddr->} to %{daddr}, proto %{protocol->} (zone %{zone->} %{p0}"); - - var dup133 = match("MESSAGE#224:00011:04/1_1", "nwparser.p0", "Interface %{p0}"); - - var dup134 = match("MESSAGE#233:00011:14/1_0", "nwparser.p0", "set to %{fld2}"); - - var dup135 = match("MESSAGE#237:00011:18/4_1", "nwparser.p0", "gateway %{p0}"); - - var dup136 = match("MESSAGE#238:00011:19/6", "nwparser.p0", "%{} %{disposition}"); - - var dup137 = match("MESSAGE#274:00015:02/1_1", "nwparser.p0", "port number %{p0}"); - - var dup138 = match("MESSAGE#274:00015:02/2", "nwparser.p0", "has been %{disposition}"); - - var dup139 = match("MESSAGE#276:00015:04/1_0", "nwparser.p0", "IP %{p0}"); - - var dup140 = match("MESSAGE#276:00015:04/1_1", "nwparser.p0", "port %{p0}"); - - var dup141 = setc("eventcategory","1702030000"); - - var dup142 = match("MESSAGE#284:00015:12/3_0", "nwparser.p0", "up %{p0}"); - - var dup143 = match("MESSAGE#284:00015:12/3_1", "nwparser.p0", "down %{p0}"); - - var dup144 = setc("eventcategory","1601000000"); - - var dup145 = match("MESSAGE#294:00015:22/2_0", "nwparser.p0", "(%{fld1}) "); - - var dup146 = date_time({ - dest: "event_time", - args: ["fld2"], - fmts: [ - [dW,dc("-"),dG,dc("-"),dF,dH,dc(":"),dU,dc(":"),dO], - ], - }); - - var dup147 = setc("eventcategory","1103000000"); - - var dup148 = setc("ec_subject","NetworkComm"); - - var dup149 = setc("ec_activity","Scan"); - - var dup150 = setc("ec_theme","TEV"); - - var dup151 = setc("eventcategory","1103010000"); - - var dup152 = match("MESSAGE#317:00017:01/2_0", "nwparser.p0", ": %{p0}"); - - var dup153 = match("MESSAGE#320:00017:04/0", "nwparser.payload", "IP %{p0}"); - - var dup154 = match("MESSAGE#320:00017:04/1_0", "nwparser.p0", "address pool %{p0}"); - - var dup155 = match("MESSAGE#320:00017:04/1_1", "nwparser.p0", "pool %{p0}"); - - var dup156 = match("MESSAGE#326:00017:10/1_0", "nwparser.p0", "enabled 
%{p0}"); - - var dup157 = match("MESSAGE#326:00017:10/1_1", "nwparser.p0", "disabled %{p0}"); - - var dup158 = match("MESSAGE#332:00017:15/1_0", "nwparser.p0", "AH %{p0}"); - - var dup159 = match("MESSAGE#332:00017:15/1_1", "nwparser.p0", "ESP %{p0}"); - - var dup160 = match("MESSAGE#354:00018:11/0", "nwparser.payload", "%{} %{p0}"); - - var dup161 = match("MESSAGE#356:00018:32/0_0", "nwparser.payload", "Source%{p0}"); - - var dup162 = match("MESSAGE#356:00018:32/0_1", "nwparser.payload", "Destination%{p0}"); - - var dup163 = match("MESSAGE#356:00018:32/2_0", "nwparser.p0", "from %{p0}"); - - var dup164 = match("MESSAGE#356:00018:32/3", "nwparser.p0", "policy ID %{policy_id->} by admin %{administrator->} via NSRP Peer . (%{fld1})"); - - var dup165 = match("MESSAGE#375:00019:01/0", "nwparser.payload", "Attempt to enable %{p0}"); - - var dup166 = match("MESSAGE#375:00019:01/1_0", "nwparser.p0", "traffic logging via syslog %{p0}"); - - var dup167 = match("MESSAGE#375:00019:01/1_1", "nwparser.p0", "syslog %{p0}"); - - var dup168 = match("MESSAGE#378:00019:04/0", "nwparser.payload", "Syslog %{p0}"); - - var dup169 = match("MESSAGE#378:00019:04/1_0", "nwparser.p0", "host %{p0}"); - - var dup170 = match("MESSAGE#378:00019:04/3_1", "nwparser.p0", "domain name %{p0}"); - - var dup171 = match("MESSAGE#378:00019:04/4", "nwparser.p0", "has been changed to %{fld2}"); - - var dup172 = match("MESSAGE#380:00019:06/1_0", "nwparser.p0", "security facility %{p0}"); - - var dup173 = match("MESSAGE#380:00019:06/1_1", "nwparser.p0", "facility %{p0}"); - - var dup174 = match("MESSAGE#380:00019:06/3_0", "nwparser.p0", "local0%{}"); - - var dup175 = match("MESSAGE#380:00019:06/3_1", "nwparser.p0", "local1%{}"); - - var dup176 = match("MESSAGE#380:00019:06/3_2", "nwparser.p0", "local2%{}"); - - var dup177 = match("MESSAGE#380:00019:06/3_3", "nwparser.p0", "local3%{}"); - - var dup178 = match("MESSAGE#380:00019:06/3_4", "nwparser.p0", "local4%{}"); - - var dup179 = 
match("MESSAGE#380:00019:06/3_5", "nwparser.p0", "local5%{}"); - - var dup180 = match("MESSAGE#380:00019:06/3_6", "nwparser.p0", "local6%{}"); - - var dup181 = match("MESSAGE#380:00019:06/3_7", "nwparser.p0", "local7%{}"); - - var dup182 = match("MESSAGE#380:00019:06/3_8", "nwparser.p0", "auth/sec%{}"); - - var dup183 = match("MESSAGE#384:00019:10/0", "nwparser.payload", "%{fld2->} %{p0}"); - - var dup184 = setc("eventcategory","1603020000"); - - var dup185 = setc("eventcategory","1803000000"); - - var dup186 = match("MESSAGE#405:00022/0", "nwparser.payload", "All %{p0}"); - - var dup187 = setc("eventcategory","1603010000"); - - var dup188 = setc("eventcategory","1603100000"); - - var dup189 = match("MESSAGE#414:00022:09/1_0", "nwparser.p0", "primary %{p0}"); - - var dup190 = match("MESSAGE#414:00022:09/1_1", "nwparser.p0", "secondary %{p0}"); - - var dup191 = match("MESSAGE#414:00022:09/3_0", "nwparser.p0", "t %{p0}"); - - var dup192 = match("MESSAGE#414:00022:09/3_1", "nwparser.p0", "w %{p0}"); - - var dup193 = match("MESSAGE#423:00024/1", "nwparser.p0", "server %{p0}"); - - var dup194 = match("MESSAGE#426:00024:03/1_0", "nwparser.p0", "has %{p0}"); - - var dup195 = match("MESSAGE#434:00026:01/0", "nwparser.payload", "SCS%{p0}"); - - var dup196 = match("MESSAGE#434:00026:01/3_0", "nwparser.p0", "bound to %{p0}"); - - var dup197 = match("MESSAGE#434:00026:01/3_1", "nwparser.p0", "unbound from %{p0}"); - - var dup198 = setc("eventcategory","1801030000"); - - var dup199 = setc("eventcategory","1302010200"); - - var dup200 = match("MESSAGE#441:00026:08/1_1", "nwparser.p0", "PKA RSA %{p0}"); - - var dup201 = match("MESSAGE#443:00026:10/3_1", "nwparser.p0", "unbind %{p0}"); - - var dup202 = match("MESSAGE#443:00026:10/4", "nwparser.p0", "PKA key %{p0}"); - - var dup203 = setc("eventcategory","1304000000"); - - var dup204 = match("MESSAGE#446:00027/0", "nwparser.payload", "Multiple login failures %{p0}"); - - var dup205 = match("MESSAGE#446:00027/1_0", "nwparser.p0", 
"occurred for %{p0}"); - - var dup206 = setc("eventcategory","1401030000"); - - var dup207 = match("MESSAGE#451:00027:05/5_0", "nwparser.p0", "aborted%{}"); - - var dup208 = match("MESSAGE#451:00027:05/5_1", "nwparser.p0", "performed%{}"); - - var dup209 = setc("eventcategory","1605020000"); - - var dup210 = match("MESSAGE#466:00029:03/0", "nwparser.payload", "IP pool of DHCP server on %{p0}"); - - var dup211 = setc("ec_subject","Certificate"); - - var dup212 = match("MESSAGE#492:00030:17/1_0", "nwparser.p0", "certificate %{p0}"); - - var dup213 = match("MESSAGE#492:00030:17/1_1", "nwparser.p0", "CRL %{p0}"); - - var dup214 = match("MESSAGE#493:00030:40/1_0", "nwparser.p0", "auto %{p0}"); - - var dup215 = match("MESSAGE#508:00030:55/1_0", "nwparser.p0", "RSA %{p0}"); - - var dup216 = match("MESSAGE#508:00030:55/1_1", "nwparser.p0", "DSA %{p0}"); - - var dup217 = match("MESSAGE#508:00030:55/2", "nwparser.p0", "key pair.%{}"); - - var dup218 = setc("ec_subject","CryptoKey"); - - var dup219 = setc("ec_subject","Configuration"); - - var dup220 = setc("ec_activity","Request"); - - var dup221 = match("MESSAGE#539:00030:86/0", "nwparser.payload", "FIPS test for %{p0}"); - - var dup222 = match("MESSAGE#539:00030:86/1_0", "nwparser.p0", "ECDSA %{p0}"); - - var dup223 = setc("eventcategory","1612000000"); - - var dup224 = match("MESSAGE#543:00031:02/1_0", "nwparser.p0", "yes %{p0}"); - - var dup225 = match("MESSAGE#543:00031:02/1_1", "nwparser.p0", "no %{p0}"); - - var dup226 = match("MESSAGE#545:00031:04/1_1", "nwparser.p0", "location %{p0}"); - - var dup227 = match("MESSAGE#548:00031:05/2", "nwparser.p0", "%{} %{interface}"); - - var dup228 = match("MESSAGE#549:00031:06/0", "nwparser.payload", "arp re%{p0}"); - - var dup229 = match("MESSAGE#549:00031:06/1_1", "nwparser.p0", "q %{p0}"); - - var dup230 = match("MESSAGE#549:00031:06/1_2", "nwparser.p0", "ply %{p0}"); - - var dup231 = match("MESSAGE#549:00031:06/9_0", "nwparser.p0", "%{interface->} (%{fld1})"); - - var dup232 
= setc("eventcategory","1201000000"); - - var dup233 = match("MESSAGE#561:00033/0_0", "nwparser.payload", "Global PRO %{p0}"); - - var dup234 = match("MESSAGE#561:00033/0_1", "nwparser.payload", "%{fld3->} %{p0}"); - - var dup235 = match("MESSAGE#569:00033:08/0", "nwparser.payload", "NACN Policy Manager %{p0}"); - - var dup236 = match("MESSAGE#569:00033:08/1_0", "nwparser.p0", "1 %{p0}"); - - var dup237 = match("MESSAGE#569:00033:08/1_1", "nwparser.p0", "2 %{p0}"); - - var dup238 = match("MESSAGE#571:00033:10/3_1", "nwparser.p0", "unset %{p0}"); - - var dup239 = match("MESSAGE#581:00033:21/0", "nwparser.payload", "%{signame}! From %{saddr}:%{sport->} to %{daddr}:%{dport}, proto %{protocol->} (zone %{zone->} %{p0}"); - - var dup240 = setc("eventcategory","1401000000"); - - var dup241 = match("MESSAGE#586:00034:01/2_1", "nwparser.p0", "SSH %{p0}"); - - var dup242 = match("MESSAGE#588:00034:03/0_0", "nwparser.payload", "SCS: NetScreen %{p0}"); - - var dup243 = match("MESSAGE#588:00034:03/0_1", "nwparser.payload", "NetScreen %{p0}"); - - var dup244 = match("MESSAGE#595:00034:10/0", "nwparser.payload", "S%{p0}"); - - var dup245 = match("MESSAGE#595:00034:10/1_0", "nwparser.p0", "CS: SSH%{p0}"); - - var dup246 = match("MESSAGE#595:00034:10/1_1", "nwparser.p0", "SH%{p0}"); - - var dup247 = match("MESSAGE#596:00034:12/3_0", "nwparser.p0", "the root system %{p0}"); - - var dup248 = match("MESSAGE#596:00034:12/3_1", "nwparser.p0", "vsys %{fld2->} %{p0}"); - - var dup249 = match("MESSAGE#599:00034:18/1_0", "nwparser.p0", "CS: SSH %{p0}"); - - var dup250 = match("MESSAGE#599:00034:18/1_1", "nwparser.p0", "SH %{p0}"); - - var dup251 = match("MESSAGE#630:00035:06/1_0", "nwparser.p0", "a %{p0}"); - - var dup252 = match("MESSAGE#630:00035:06/1_1", "nwparser.p0", "ert %{p0}"); - - var dup253 = match("MESSAGE#633:00035:09/0", "nwparser.payload", "SSL %{p0}"); - - var dup254 = setc("eventcategory","1608000000"); - - var dup255 = match("MESSAGE#644:00037:01/1_0", "nwparser.p0", "id: 
%{p0}"); - - var dup256 = match("MESSAGE#644:00037:01/1_1", "nwparser.p0", "ID %{p0}"); - - var dup257 = match("MESSAGE#659:00044/1_0", "nwparser.p0", "permit %{p0}"); - - var dup258 = match("MESSAGE#675:00055/0", "nwparser.payload", "IGMP %{p0}"); - - var dup259 = match("MESSAGE#677:00055:02/0", "nwparser.payload", "IGMP will %{p0}"); - - var dup260 = match("MESSAGE#677:00055:02/1_0", "nwparser.p0", "not do %{p0}"); - - var dup261 = match("MESSAGE#677:00055:02/1_1", "nwparser.p0", "do %{p0}"); - - var dup262 = match("MESSAGE#689:00059/1_1", "nwparser.p0", "shut down %{p0}"); - - var dup263 = match("MESSAGE#707:00070/0", "nwparser.payload", "NSRP: %{p0}"); - - var dup264 = match("MESSAGE#707:00070/1_0", "nwparser.p0", "Unit %{p0}"); - - var dup265 = match("MESSAGE#707:00070/1_1", "nwparser.p0", "local unit= %{p0}"); - - var dup266 = match("MESSAGE#707:00070/2", "nwparser.p0", "%{fld2->} of VSD group %{group->} %{info}"); - - var dup267 = match("MESSAGE#708:00070:01/0", "nwparser.payload", "The local device %{fld2->} in the Virtual Sec%{p0}"); - - var dup268 = match("MESSAGE#708:00070:01/1_0", "nwparser.p0", "ruity%{p0}"); - - var dup269 = match("MESSAGE#708:00070:01/1_1", "nwparser.p0", "urity%{p0}"); - - var dup270 = match("MESSAGE#713:00072:01/2", "nwparser.p0", "%{}Device group %{group->} changed state"); - - var dup271 = match("MESSAGE#717:00075/2", "nwparser.p0", "%{fld2->} of VSD group %{group->} %{info}"); - - var dup272 = setc("eventcategory","1805010000"); - - var dup273 = setc("eventcategory","1805000000"); - - var dup274 = date_time({ - dest: "starttime", - args: ["fld2"], - fmts: [ - [dW,dc("-"),dG,dc("-"),dF,dH,dc(":"),dU,dc(":"),dO], - ], - }); - - var dup275 = call({ - dest: "nwparser.bytes", - fn: CALC, - args: [ - field("sbytes"), - constant("+"), - field("rbytes"), - ], - }); - - var dup276 = setc("action","Deny"); - - var dup277 = setc("disposition","Deny"); - - var dup278 = setc("direction","outgoing"); - - var dup279 = call({ - dest: 
"nwparser.inout", - fn: DIRCHK, - args: [ - field("$IN"), - field("saddr"), - field("daddr"), - field("sport"), - field("dport"), - ], - }); - - var dup280 = setc("direction","incoming"); - - var dup281 = setc("eventcategory","1801000000"); - - var dup282 = setf("action","disposition"); - - var dup283 = match("MESSAGE#748:00257:19/0", "nwparser.payload", "start_time=%{p0}"); - - var dup284 = match("MESSAGE#748:00257:19/1_0", "nwparser.p0", "\\\"%{fld2}\\\"%{p0}"); - - var dup285 = match("MESSAGE#748:00257:19/1_1", "nwparser.p0", " \"%{fld2}\" %{p0}"); - - var dup286 = match_copy("MESSAGE#756:00257:10/1_1", "nwparser.p0", "daddr"); - - var dup287 = match("MESSAGE#760:00259/0_0", "nwparser.payload", "Admin %{p0}"); - - var dup288 = match("MESSAGE#760:00259/0_1", "nwparser.payload", "Vsys admin %{p0}"); - - var dup289 = match("MESSAGE#760:00259/2_1", "nwparser.p0", "Telnet %{p0}"); - - var dup290 = setc("eventcategory","1401050200"); - - var dup291 = call({ - dest: "nwparser.inout", - fn: DIRCHK, - args: [ - field("$IN"), - field("daddr"), - field("saddr"), - ], - }); - - var dup292 = call({ - dest: "nwparser.inout", - fn: DIRCHK, - args: [ - field("$IN"), - field("daddr"), - field("saddr"), - field("dport"), - field("sport"), - ], - }); - - var dup293 = match("MESSAGE#777:00406/2", "nwparser.p0", "%{interface}). Occurred %{dclass_counter1->} times."); - - var dup294 = match("MESSAGE#790:00423/2", "nwparser.p0", "%{interface}).%{space}Occurred %{dclass_counter1->} times."); - - var dup295 = match("MESSAGE#793:00430/2", "nwparser.p0", "%{interface}).%{space}Occurred %{dclass_counter1->} times.%{p0}"); - - var dup296 = match("MESSAGE#795:00431/0", "nwparser.payload", "%{obj_type->} %{disposition}! From %{saddr}:%{sport->} to %{daddr}:%{dport}, proto %{protocol->} (zone %{zone->} %{p0}"); - - var dup297 = setc("eventcategory","1204000000"); - - var dup298 = match("MESSAGE#797:00433/0", "nwparser.payload", "%{signame->} %{disposition}! 
From %{saddr}:%{sport->} to %{daddr}:%{dport}, proto %{protocol->} (zone %{zone->} %{p0}"); - - var dup299 = match("MESSAGE#804:00437:01/0", "nwparser.payload", "%{signame}! From %{saddr}:%{sport->} to %{daddr}:%{dport}, proto %{protocol->} (zone %{p0}"); - - var dup300 = match("MESSAGE#817:00511:01/1_0", "nwparser.p0", "%{administrator->} (%{fld1})"); - - var dup301 = setc("eventcategory","1801020000"); - - var dup302 = setc("disposition","failed"); - - var dup303 = match("MESSAGE#835:00515:04/2_1", "nwparser.p0", "ut %{p0}"); - - var dup304 = match("MESSAGE#835:00515:04/4_0", "nwparser.p0", "%{logon_type->} from %{saddr}:%{sport}"); - - var dup305 = match("MESSAGE#837:00515:05/1_0", "nwparser.p0", "user %{p0}"); - - var dup306 = match("MESSAGE#837:00515:05/5_0", "nwparser.p0", "the %{logon_type}"); - - var dup307 = match("MESSAGE#869:00519:01/1_0", "nwparser.p0", "WebAuth user %{p0}"); - - var dup308 = match("MESSAGE#876:00520:02/1_1", "nwparser.p0", "backup1 %{p0}"); - - var dup309 = match("MESSAGE#876:00520:02/1_2", "nwparser.p0", "backup2 %{p0}"); - - var dup310 = match("MESSAGE#890:00524:13/1_0", "nwparser.p0", ",%{p0}"); - - var dup311 = match("MESSAGE#901:00527/1_0", "nwparser.p0", "assigned %{p0}"); - - var dup312 = match("MESSAGE#901:00527/3_0", "nwparser.p0", "assigned to %{p0}"); - - var dup313 = setc("eventcategory","1803020000"); - - var dup314 = setc("eventcategory","1613030000"); - - var dup315 = match("MESSAGE#927:00528:15/1_0", "nwparser.p0", "'%{administrator}' %{p0}"); - - var dup316 = match("MESSAGE#930:00528:18/0", "nwparser.payload", "SSH: P%{p0}"); - - var dup317 = match("MESSAGE#930:00528:18/1_0", "nwparser.p0", "KA %{p0}"); - - var dup318 = match("MESSAGE#930:00528:18/1_1", "nwparser.p0", "assword %{p0}"); - - var dup319 = match("MESSAGE#930:00528:18/3_0", "nwparser.p0", "\\'%{administrator}\\' %{p0}"); - - var dup320 = match("MESSAGE#930:00528:18/4", "nwparser.p0", "at host %{saddr}"); - - var dup321 = match("MESSAGE#932:00528:19/0", 
"nwparser.payload", "%{}S%{p0}"); - - var dup322 = match("MESSAGE#932:00528:19/1_0", "nwparser.p0", "CS %{p0}"); - - var dup323 = setc("event_description","Cannot connect to NSM server"); - - var dup324 = setc("eventcategory","1603040000"); - - var dup325 = match("MESSAGE#1060:00553/2", "nwparser.p0", "from server.ini file.%{}"); - - var dup326 = match("MESSAGE#1064:00553:04/1_0", "nwparser.p0", "pattern %{p0}"); - - var dup327 = match("MESSAGE#1064:00553:04/1_1", "nwparser.p0", "server.ini %{p0}"); - - var dup328 = match("MESSAGE#1068:00553:08/2", "nwparser.p0", "file.%{}"); - - var dup329 = match("MESSAGE#1087:00554:04/1_1", "nwparser.p0", "AV pattern %{p0}"); - - var dup330 = match("MESSAGE#1116:00556:14/1_0", "nwparser.p0", "added into %{p0}"); - - var dup331 = match("MESSAGE#1157:00767:11/1_0", "nwparser.p0", "loader %{p0}"); - - var dup332 = call({ - dest: "nwparser.inout", - fn: DIRCHK, - args: [ - field("$OUT"), - field("daddr"), - field("saddr"), - field("dport"), - field("sport"), - ], - }); - - var dup333 = linear_select([ - dup10, - dup11, - ]); - - var dup334 = match("MESSAGE#7:00001:07", "nwparser.payload", "Policy ID=%{policy_id->} Rate=%{fld2->} exceeds threshold", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var dup335 = linear_select([ - dup13, - dup14, - ]); - - var dup336 = linear_select([ - dup15, - dup16, - ]); - - var dup337 = linear_select([ - dup56, - dup57, - ]); - - var dup338 = linear_select([ - dup65, - dup66, - ]); - - var dup339 = linear_select([ - dup68, - dup69, - ]); - - var dup340 = linear_select([ - dup71, - dup72, - ]); - - var dup341 = match("MESSAGE#84:00005:04", "nwparser.payload", "%{signame->} from %{saddr}/%{sport->} to %{daddr}/%{dport->} protocol %{protocol->} (%{interface})", processor_chain([ - dup58, - dup2, - dup3, - dup4, - dup5, - dup61, - ])); - - var dup342 = linear_select([ - dup74, - dup75, - ]); - - var dup343 = linear_select([ - dup81, - dup82, - ]); - - var dup344 = linear_select([ - 
dup24, - dup90, - ]); - - var dup345 = linear_select([ - dup94, - dup95, - ]); - - var dup346 = linear_select([ - dup98, - dup99, - ]); - - var dup347 = linear_select([ - dup100, - dup101, - dup102, - ]); - - var dup348 = linear_select([ - dup113, - dup114, - ]); - - var dup349 = linear_select([ - dup111, - dup16, - ]); - - var dup350 = linear_select([ - dup127, - dup107, - ]); - - var dup351 = linear_select([ - dup8, - dup21, - ]); - - var dup352 = linear_select([ - dup122, - dup133, - ]); - - var dup353 = linear_select([ - dup142, - dup143, - ]); - - var dup354 = linear_select([ - dup145, - dup21, - ]); - - var dup355 = linear_select([ - dup127, - dup106, - ]); - - var dup356 = linear_select([ - dup152, - dup96, - ]); - - var dup357 = linear_select([ - dup154, - dup155, - ]); - - var dup358 = linear_select([ - dup156, - dup157, - ]); - - var dup359 = linear_select([ - dup99, - dup134, - ]); - - var dup360 = linear_select([ - dup158, - dup159, - ]); - - var dup361 = linear_select([ - dup161, - dup162, - ]); - - var dup362 = linear_select([ - dup163, - dup103, - ]); - - var dup363 = linear_select([ - dup162, - dup161, - ]); - - var dup364 = linear_select([ - dup46, - dup47, - ]); - - var dup365 = linear_select([ - dup166, - dup167, - ]); - - var dup366 = linear_select([ - dup172, - dup173, - ]); - - var dup367 = linear_select([ - dup174, - dup175, - dup176, - dup177, - dup178, - dup179, - dup180, - dup181, - dup182, - ]); - - var dup368 = linear_select([ - dup49, - dup21, - ]); - - var dup369 = linear_select([ - dup189, - dup190, - ]); - - var dup370 = linear_select([ - dup96, - dup152, - ]); - - var dup371 = linear_select([ - dup196, - dup197, - ]); - - var dup372 = linear_select([ - dup24, - dup200, - ]); - - var dup373 = linear_select([ - dup103, - dup163, - ]); - - var dup374 = linear_select([ - dup205, - dup118, - ]); - - var dup375 = match("MESSAGE#477:00030:02", "nwparser.payload", "%{change_attribute->} has been changed from %{change_old->} to 
%{change_new}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var dup376 = linear_select([ - dup212, - dup213, - ]); - - var dup377 = linear_select([ - dup215, - dup216, - ]); - - var dup378 = linear_select([ - dup222, - dup215, - ]); - - var dup379 = linear_select([ - dup224, - dup225, - ]); - - var dup380 = linear_select([ - dup231, - dup124, - ]); - - var dup381 = linear_select([ - dup229, - dup230, - ]); - - var dup382 = linear_select([ - dup233, - dup234, - ]); - - var dup383 = linear_select([ - dup236, - dup237, - ]); - - var dup384 = linear_select([ - dup242, - dup243, - ]); - - var dup385 = linear_select([ - dup245, - dup246, - ]); - - var dup386 = linear_select([ - dup247, - dup248, - ]); - - var dup387 = linear_select([ - dup249, - dup250, - ]); - - var dup388 = linear_select([ - dup251, - dup252, - ]); - - var dup389 = linear_select([ - dup260, - dup261, - ]); - - var dup390 = linear_select([ - dup264, - dup265, - ]); - - var dup391 = linear_select([ - dup268, - dup269, - ]); - - var dup392 = match("MESSAGE#716:00074", "nwparser.payload", "The local device %{fld2->} in the Virtual Security Device group %{group->} %{info}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var dup393 = linear_select([ - dup284, - dup285, - ]); - - var dup394 = linear_select([ - dup287, - dup288, - ]); - - var dup395 = match("MESSAGE#799:00435", "nwparser.payload", "%{signame->} From %{saddr->} to %{daddr}, using protocol %{protocol}, and arriving at interface %{dinterface->} in zone %{dst_zone}.%{space}The attack occurred %{dclass_counter1->} times.", processor_chain([ - dup58, - dup2, - dup59, - dup4, - dup5, - dup3, - dup60, - ])); - - var dup396 = match("MESSAGE#814:00442", "nwparser.payload", "%{signame->} From %{saddr->} to zone %{zone}, proto %{protocol->} (int %{interface}). Occurred %{dclass_counter1->} times. 
(%{fld1})", processor_chain([ - dup58, - dup4, - dup59, - dup5, - dup9, - dup2, - dup3, - dup60, - ])); - - var dup397 = linear_select([ - dup300, - dup26, - ]); - - var dup398 = linear_select([ - dup115, - dup303, - ]); - - var dup399 = linear_select([ - dup125, - dup96, - ]); - - var dup400 = linear_select([ - dup189, - dup308, - dup309, - ]); - - var dup401 = linear_select([ - dup310, - dup16, - ]); - - var dup402 = linear_select([ - dup317, - dup318, - ]); - - var dup403 = linear_select([ - dup319, - dup315, - ]); - - var dup404 = linear_select([ - dup322, - dup250, - ]); - - var dup405 = linear_select([ - dup327, - dup329, - ]); - - var dup406 = linear_select([ - dup330, - dup129, - ]); - - var dup407 = match("MESSAGE#1196:01269:01", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} direction=%{direction->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} icmp type=%{icmptype}", processor_chain([ - dup281, - dup2, - dup4, - dup5, - dup274, - dup3, - dup275, - dup60, - dup282, - ])); - - var dup408 = match("MESSAGE#1197:01269:02", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=Deny sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} icmp type=%{icmptype}", processor_chain([ - dup185, - dup2, - dup4, - dup5, - dup274, - dup3, - dup275, - dup276, - dup277, - dup60, - ])); - - var dup409 = match("MESSAGE#1198:01269:03", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} icmp type=%{icmptype}", processor_chain([ - dup281, - dup2, - dup4, - dup5, - dup274, - dup3, - dup275, - dup60, - 
dup282, - ])); - - var dup410 = match("MESSAGE#1203:23184", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} (%{fld3}) proto=%{protocol->} direction=%{direction->} action=Deny sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport}", processor_chain([ - dup185, - dup2, - dup4, - dup5, - dup274, - dup3, - dup275, - dup276, - dup277, - dup61, - ])); - - var dup411 = all_match({ - processors: [ - dup263, - dup390, - dup266, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var dup412 = all_match({ - processors: [ - dup267, - dup391, - dup270, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var dup413 = all_match({ - processors: [ - dup80, - dup343, - dup293, - ], - on_success: processor_chain([ - dup58, - dup2, - dup59, - dup3, - dup4, - dup5, - dup61, - ]), - }); - - var dup414 = all_match({ - processors: [ - dup296, - dup343, - dup131, - ], - on_success: processor_chain([ - dup297, - dup2, - dup3, - dup9, - dup59, - dup4, - dup5, - dup61, - ]), - }); - - var dup415 = all_match({ - processors: [ - dup298, - dup343, - dup131, - ], - on_success: processor_chain([ - dup297, - dup2, - dup3, - dup9, - dup59, - dup4, - dup5, - dup61, - ]), - }); - - var hdr1 = match("HEADER#0:0001", "message", "%{hfld1}: NetScreen device_id=%{hfld2->} [No Name]system-%{hseverity}-%{messageid}(%{hfld3}): %{payload}", processor_chain([ - setc("header_id","0001"), - ])); - - var hdr2 = match("HEADER#1:0003", "message", "%{hfld1}: NetScreen device_id=%{hfld2->} [%{hvsys}]system-%{hseverity}-%{messageid}(%{hfld3}): %{payload}", processor_chain([ - setc("header_id","0003"), - ])); - - var hdr3 = match("HEADER#2:0004", "message", "%{hfld1}: NetScreen device_id=%{hfld2->} system-%{hseverity}-%{messageid}(%{hfld3}): %{payload}", processor_chain([ - setc("header_id","0004"), - ])); - - var hdr4 = 
match("HEADER#3:0002/0", "message", "%{hfld1}: NetScreen device_id=%{hfld2->} %{p0}"); - - var part1 = match("HEADER#3:0002/1_0", "nwparser.p0", "[No Name]system%{p0}"); - - var part2 = match("HEADER#3:0002/1_1", "nwparser.p0", "[%{hvsys}]system%{p0}"); - - var part3 = match("HEADER#3:0002/1_2", "nwparser.p0", "system%{p0}"); - - var select1 = linear_select([ - part1, - part2, - part3, - ]); - - var part4 = match("HEADER#3:0002/2", "nwparser.p0", "-%{hseverity}-%{messageid}: %{payload}"); - - var all1 = all_match({ - processors: [ - hdr4, - select1, - part4, - ], - on_success: processor_chain([ - setc("header_id","0002"), - ]), - }); - - var select2 = linear_select([ - hdr1, - hdr2, - hdr3, - all1, - ]); - - var part5 = match("MESSAGE#0:00001", "nwparser.payload", "%{zone->} address %{interface->} with ip address %{hostip->} has been %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1 = msg("00001", part5); - - var part6 = match("MESSAGE#1:00001:01", "nwparser.payload", "%{zone->} address %{interface->} with domain name %{domain->} has been %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg2 = msg("00001:01", part6); - - var part7 = match("MESSAGE#2:00001:02/1_0", "nwparser.p0", "ip address %{hostip->} in zone %{p0}"); - - var select3 = linear_select([ - part7, - dup7, - ]); - - var part8 = match("MESSAGE#2:00001:02/2", "nwparser.p0", "%{zone->} has been %{disposition}"); - - var all2 = all_match({ - processors: [ - dup6, - select3, - part8, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg3 = msg("00001:02", all2); - - var part9 = match("MESSAGE#3:00001:03", "nwparser.payload", "arp entry %{hostip->} interface changed!", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg4 = msg("00001:03", part9); - - var part10 = match("MESSAGE#4:00001:04/1_0", "nwparser.p0", "IP address %{hostip->} in zone %{p0}"); - - 
var select4 = linear_select([ - part10, - dup7, - ]); - - var part11 = match("MESSAGE#4:00001:04/2", "nwparser.p0", "%{zone->} has been %{disposition->} by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport->} session%{p0}"); - - var part12 = match("MESSAGE#4:00001:04/3_1", "nwparser.p0", ".%{fld1}"); - - var select5 = linear_select([ - dup8, - part12, - ]); - - var all3 = all_match({ - processors: [ - dup6, - select4, - part11, - select5, - ], - on_success: processor_chain([ - dup1, - dup9, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg5 = msg("00001:04", all3); - - var part13 = match("MESSAGE#5:00001:05/0", "nwparser.payload", "%{fld2}: Address %{group_object->} for ip address %{hostip->} in zone %{zone->} has been %{disposition->} from host %{saddr->} session %{p0}"); - - var all4 = all_match({ - processors: [ - part13, - dup333, - ], - on_success: processor_chain([ - dup1, - dup9, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg6 = msg("00001:05", all4); - - var part14 = match("MESSAGE#6:00001:06", "nwparser.payload", "Address group %{group_object->} %{info}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg7 = msg("00001:06", part14); - - var msg8 = msg("00001:07", dup334); - - var part15 = match("MESSAGE#8:00001:08/2", "nwparser.p0", "for IP address %{hostip}/%{mask->} in zone %{zone->} has been %{disposition->} by %{p0}"); - - var part16 = match("MESSAGE#8:00001:08/4", "nwparser.p0", "%{} %{username}via NSRP Peer session. (%{fld1})"); - - var all5 = all_match({ - processors: [ - dup12, - dup335, - part15, - dup336, - part16, - ], - on_success: processor_chain([ - dup1, - dup9, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg9 = msg("00001:08", all5); - - var part17 = match("MESSAGE#9:00001:09/2", "nwparser.p0", "for IP address %{hostip}/%{mask->} in zone %{zone->} has been %{disposition->} by %{username->} via %{logon_type->} from host %{saddr}:%{sport->} session. 
(%{fld1})"); - - var all6 = all_match({ - processors: [ - dup12, - dup335, - part17, - ], - on_success: processor_chain([ - dup1, - dup9, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg10 = msg("00001:09", all6); - - var select6 = linear_select([ - msg1, - msg2, - msg3, - msg4, - msg5, - msg6, - msg7, - msg8, - msg9, - msg10, - ]); - - var part18 = match("MESSAGE#10:00002:03", "nwparser.payload", "Admin user %{administrator->} has been %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg11 = msg("00002:03", part18); - - var part19 = match("MESSAGE#11:00002:04", "nwparser.payload", "E-mail address %{user_address->} has been %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg12 = msg("00002:04", part19); - - var part20 = match("MESSAGE#12:00002:05", "nwparser.payload", "E-mail notification has been %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg13 = msg("00002:05", part20); - - var part21 = match("MESSAGE#13:00002:06", "nwparser.payload", "Inclusion of traffic logs with e-mail notification of event alarms has been %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg14 = msg("00002:06", part21); - - var part22 = match("MESSAGE#14:00002:07", "nwparser.payload", "LCD display has been %{action->} and the LCD control keys have been %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg15 = msg("00002:07", part22); - - var part23 = match("MESSAGE#15:00002:55", "nwparser.payload", "HTTP component blocking for %{fld2->} is %{disposition->} on zone %{zone->} by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport}. 
(%{fld1})", processor_chain([ - dup1, - dup2, - dup4, - dup5, - dup9, - ])); - - var msg16 = msg("00002:55", part23); - - var part24 = match("MESSAGE#16:00002:08", "nwparser.payload", "LCD display has been %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg17 = msg("00002:08", part24); - - var part25 = match("MESSAGE#17:00002:09", "nwparser.payload", "LCD control keys have been %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg18 = msg("00002:09", part25); - - var part26 = match("MESSAGE#18:00002:10", "nwparser.payload", "Mail server %{hostip->} has been %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg19 = msg("00002:10", part26); - - var part27 = match("MESSAGE#19:00002:11", "nwparser.payload", "Management restriction for %{hostip->} %{fld2->} has been %{disposition}", processor_chain([ - dup17, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg20 = msg("00002:11", part27); - - var part28 = match("MESSAGE#20:00002:12", "nwparser.payload", "%{change_attribute->} has been restored from %{change_old->} to default port %{change_new}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg21 = msg("00002:12", part28); - - var part29 = match("MESSAGE#21:00002:15", "nwparser.payload", "System configuration has been %{disposition}", processor_chain([ - dup18, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg22 = msg("00002:15", part29); - - var msg23 = msg("00002:17", dup334); - - var part30 = match("MESSAGE#23:00002:18/0", "nwparser.payload", "Unexpected error from e%{p0}"); - - var part31 = match("MESSAGE#23:00002:18/1_0", "nwparser.p0", "-mail %{p0}"); - - var part32 = match("MESSAGE#23:00002:18/1_1", "nwparser.p0", "mail %{p0}"); - - var select7 = linear_select([ - part31, - part32, - ]); - - var part33 = match("MESSAGE#23:00002:18/2", "nwparser.p0", "server(%{fld2}):"); - - var all7 = all_match({ - processors: [ - 
part30, - select7, - part33, - ], - on_success: processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg24 = msg("00002:18", all7); - - var part34 = match("MESSAGE#24:00002:19", "nwparser.payload", "Web Admin %{change_attribute->} value has been changed from %{change_old->} to %{change_new}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg25 = msg("00002:19", part34); - - var part35 = match("MESSAGE#25:00002:20/0", "nwparser.payload", "Root admin password restriction of minimum %{fld2->} characters has been %{disposition->} by admin %{administrator->} %{p0}"); - - var part36 = match("MESSAGE#25:00002:20/1_0", "nwparser.p0", "from Console %{}"); - - var select8 = linear_select([ - part36, - dup20, - dup21, - ]); - - var all8 = all_match({ - processors: [ - part35, - select8, - ], - on_success: processor_chain([ - dup22, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg26 = msg("00002:20", all8); - - var part37 = match("MESSAGE#26:00002:21/0_0", "nwparser.payload", "Root admin %{p0}"); - - var part38 = match("MESSAGE#26:00002:21/0_1", "nwparser.payload", "%{fld2->} admin %{p0}"); - - var select9 = linear_select([ - part37, - part38, - ]); - - var select10 = linear_select([ - dup24, - dup25, - ]); - - var part39 = match("MESSAGE#26:00002:21/3", "nwparser.p0", "has been changed by admin %{administrator}"); - - var all9 = all_match({ - processors: [ - select9, - dup23, - select10, - part39, - ], - on_success: processor_chain([ - dup22, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg27 = msg("00002:21", all9); - - var part40 = match("MESSAGE#27:00002:22/0", "nwparser.payload", "%{change_attribute->} from %{protocol->} before administrative session disconnects has been changed from %{change_old->} to %{change_new->} by admin %{p0}"); - - var part41 = match("MESSAGE#27:00002:22/1_0", "nwparser.p0", "%{administrator->} from Console"); - - var part42 = match("MESSAGE#27:00002:22/1_1", "nwparser.p0", 
"%{administrator->} from host %{saddr}"); - - var select11 = linear_select([ - part41, - part42, - dup26, - ]); - - var all10 = all_match({ - processors: [ - part40, - select11, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg28 = msg("00002:22", all10); - - var part43 = match("MESSAGE#28:00002:23/0", "nwparser.payload", "Root admin access restriction through console only has been %{disposition->} by admin %{administrator->} %{p0}"); - - var part44 = match("MESSAGE#28:00002:23/1_1", "nwparser.p0", "from Console%{}"); - - var select12 = linear_select([ - dup20, - part44, - dup21, - ]); - - var all11 = all_match({ - processors: [ - part43, - select12, - ], - on_success: processor_chain([ - dup22, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg29 = msg("00002:23", all11); - - var part45 = match("MESSAGE#29:00002:24/0", "nwparser.payload", "Admin access restriction of %{protocol->} administration through tunnel only has been %{disposition->} by admin %{administrator->} from %{p0}"); - - var part46 = match("MESSAGE#29:00002:24/1_0", "nwparser.p0", "host %{saddr}"); - - var part47 = match("MESSAGE#29:00002:24/1_1", "nwparser.p0", "Console%{}"); - - var select13 = linear_select([ - part46, - part47, - ]); - - var all12 = all_match({ - processors: [ - part45, - select13, - ], - on_success: processor_chain([ - dup22, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg30 = msg("00002:24", all12); - - var part48 = match("MESSAGE#30:00002:25", "nwparser.payload", "Admin AUTH: Local instance of an %{change_attribute->} has been changed from %{change_old->} to %{change_new}", processor_chain([ - setc("eventcategory","1402000000"), - dup2, - dup3, - dup4, - dup5, - ])); - - var msg31 = msg("00002:25", part48); - - var part49 = match("MESSAGE#31:00002:26", "nwparser.payload", "Cannot connect to e-mail server %{hostip}.", processor_chain([ - dup27, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg32 = msg("00002:26", 
part49); - - var part50 = match("MESSAGE#32:00002:27", "nwparser.payload", "Mail server is not configured.%{}", processor_chain([ - dup18, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg33 = msg("00002:27", part50); - - var part51 = match("MESSAGE#33:00002:28", "nwparser.payload", "Mail recipients were not configured.%{}", processor_chain([ - dup18, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg34 = msg("00002:28", part51); - - var part52 = match("MESSAGE#34:00002:29", "nwparser.payload", "Single use password restriction for read-write administrators has been %{disposition->} by admin %{administrator}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg35 = msg("00002:29", part52); - - var part53 = match("MESSAGE#35:00002:30", "nwparser.payload", "Admin user \"%{administrator}\" logged in for %{logon_type}(%{network_service}) management (port %{network_port}) from %{saddr}:%{sport}", processor_chain([ - dup28, - dup29, - dup30, - dup31, - dup32, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg36 = msg("00002:30", part53); - - var part54 = match("MESSAGE#36:00002:41", "nwparser.payload", "Admin user \"%{administrator}\" logged out for %{logon_type}(%{network_service}) management (port %{network_port}) from %{saddr}:%{sport}", processor_chain([ - dup33, - dup29, - dup34, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg37 = msg("00002:41", part54); - - var part55 = match("MESSAGE#37:00002:31", "nwparser.payload", "Admin user \"%{administrator}\" login attempt for %{logon_type->} %{space->} (%{network_service}) management (port %{network_port}) from %{saddr}:%{sport->} %{disposition}", processor_chain([ - dup35, - dup29, - dup30, - dup31, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg38 = msg("00002:31", part55); - - var part56 = match("MESSAGE#38:00002:32/0_0", "nwparser.payload", "E-mail notification %{p0}"); - - var part57 = match("MESSAGE#38:00002:32/0_1", "nwparser.payload", "Transparent virutal %{p0}"); - - var select14 = 
linear_select([ - part56, - part57, - ]); - - var part58 = match("MESSAGE#38:00002:32/1", "nwparser.p0", "wire mode has been %{disposition}"); - - var all13 = all_match({ - processors: [ - select14, - part58, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg39 = msg("00002:32", all13); - - var part59 = match("MESSAGE#39:00002:35", "nwparser.payload", "Malicious URL %{url->} has been %{disposition->} for zone %{zone}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg40 = msg("00002:35", part59); - - var part60 = match("MESSAGE#40:00002:36/0", "nwparser.payload", "Bypass%{p0}"); - - var part61 = match("MESSAGE#40:00002:36/1_0", "nwparser.p0", "-others-IPSec %{p0}"); - - var part62 = match("MESSAGE#40:00002:36/1_1", "nwparser.p0", " non-IP traffic %{p0}"); - - var select15 = linear_select([ - part61, - part62, - ]); - - var part63 = match("MESSAGE#40:00002:36/2", "nwparser.p0", "option has been %{disposition}"); - - var all14 = all_match({ - processors: [ - part60, - select15, - part63, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg41 = msg("00002:36", all14); - - var part64 = match("MESSAGE#41:00002:37/0", "nwparser.payload", "Logging of %{p0}"); - - var part65 = match("MESSAGE#41:00002:37/1_0", "nwparser.p0", "dropped %{p0}"); - - var part66 = match("MESSAGE#41:00002:37/1_1", "nwparser.p0", "IKE %{p0}"); - - var part67 = match("MESSAGE#41:00002:37/1_2", "nwparser.p0", "SNMP %{p0}"); - - var part68 = match("MESSAGE#41:00002:37/1_3", "nwparser.p0", "ICMP %{p0}"); - - var select16 = linear_select([ - part65, - part66, - part67, - part68, - ]); - - var part69 = match("MESSAGE#41:00002:37/2", "nwparser.p0", "traffic to self has been %{disposition}"); - - var all15 = all_match({ - processors: [ - part64, - select16, - part69, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg42 = 
msg("00002:37", all15); - - var part70 = match("MESSAGE#42:00002:38/0", "nwparser.payload", "Logging of dropped traffic to self (excluding multicast) has been %{p0}"); - - var part71 = match("MESSAGE#42:00002:38/1_0", "nwparser.p0", "%{disposition->} on %{zone}"); - - var select17 = linear_select([ - part71, - dup36, - ]); - - var all16 = all_match({ - processors: [ - part70, - select17, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg43 = msg("00002:38", all16); - - var part72 = match("MESSAGE#43:00002:39", "nwparser.payload", "Traffic shaping is %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg44 = msg("00002:39", part72); - - var part73 = match("MESSAGE#44:00002:40", "nwparser.payload", "Admin account created for '%{username}' by %{administrator->} via %{logon_type->} from host %{saddr->} (%{fld1})", processor_chain([ - dup37, - dup29, - setc("ec_activity","Create"), - dup38, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg45 = msg("00002:40", part73); - - var part74 = match("MESSAGE#45:00002:44", "nwparser.payload", "ADMIN AUTH: Privilege requested for unknown user %{username}. 
Possible HA syncronization problem.", processor_chain([ - dup35, - dup31, - dup39, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg46 = msg("00002:44", part74); - - var part75 = match("MESSAGE#46:00002:42/0", "nwparser.payload", "%{change_attribute->} for account '%{change_old}' has been %{disposition->} to '%{change_new}' %{p0}"); - - var part76 = match("MESSAGE#46:00002:42/1_0", "nwparser.p0", "by %{administrator->} via %{p0}"); - - var select18 = linear_select([ - part76, - dup40, - ]); - - var part77 = match("MESSAGE#46:00002:42/2", "nwparser.p0", "%{logon_type->} from host %{p0}"); - - var part78 = match("MESSAGE#46:00002:42/3_0", "nwparser.p0", "%{saddr->} to %{daddr}:%{dport->} (%{p0}"); - - var part79 = match("MESSAGE#46:00002:42/3_1", "nwparser.p0", "%{saddr}:%{sport->} (%{p0}"); - - var select19 = linear_select([ - part78, - part79, - ]); - - var all17 = all_match({ - processors: [ - part75, - select18, - part77, - select19, - dup41, - ], - on_success: processor_chain([ - dup42, - dup43, - dup38, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg47 = msg("00002:42", all17); - - var part80 = match("MESSAGE#47:00002:43/0", "nwparser.payload", "Admin account %{disposition->} for %{p0}"); - - var part81 = match("MESSAGE#47:00002:43/1_0", "nwparser.p0", "'%{username}'%{p0}"); - - var part82 = match("MESSAGE#47:00002:43/1_1", "nwparser.p0", "\"%{username}\"%{p0}"); - - var select20 = linear_select([ - part81, - part82, - ]); - - var part83 = match("MESSAGE#47:00002:43/2", "nwparser.p0", "%{}by %{administrator->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport->} (%{fld1})"); - - var all18 = all_match({ - processors: [ - part80, - select20, - part83, - ], - on_success: processor_chain([ - dup42, - dup29, - dup43, - dup38, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg48 = msg("00002:43", all18); - - var part84 = match("MESSAGE#48:00002:50", "nwparser.payload", "Admin account %{disposition->} for \"%{username}\" by 
%{administrator->} via %{logon_type->} from host %{saddr}:%{sport->} (%{fld1})", processor_chain([ - dup42, - dup29, - dup43, - dup38, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg49 = msg("00002:50", part84); - - var part85 = match("MESSAGE#49:00002:51", "nwparser.payload", "Admin account %{disposition->} for \"%{username}\" by %{administrator->} %{fld2->} via %{logon_type->} (%{fld1})", processor_chain([ - dup42, - dup29, - dup43, - dup38, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg50 = msg("00002:51", part85); - - var part86 = match("MESSAGE#50:00002:45", "nwparser.payload", "Extraneous exit is issued by %{username->} via %{logon_type->} from host %{saddr}:%{sport->} (%{fld1})", processor_chain([ - dup44, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg51 = msg("00002:45", part86); - - var part87 = match("MESSAGE#51:00002:47/0_0", "nwparser.payload", "Ping of Death attack protection %{p0}"); - - var part88 = match("MESSAGE#51:00002:47/0_1", "nwparser.payload", "Src Route IP option filtering %{p0}"); - - var part89 = match("MESSAGE#51:00002:47/0_2", "nwparser.payload", "Teardrop attack protection %{p0}"); - - var part90 = match("MESSAGE#51:00002:47/0_3", "nwparser.payload", "Land attack protection %{p0}"); - - var part91 = match("MESSAGE#51:00002:47/0_4", "nwparser.payload", "SYN flood protection %{p0}"); - - var select21 = linear_select([ - part87, - part88, - part89, - part90, - part91, - ]); - - var part92 = match("MESSAGE#51:00002:47/1", "nwparser.p0", "is %{disposition->} on zone %{zone->} by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport}. 
(%{fld1})"); - - var all19 = all_match({ - processors: [ - select21, - part92, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg52 = msg("00002:47", all19); - - var part93 = match("MESSAGE#52:00002:48/0", "nwparser.payload", "Dropping pkts if not %{p0}"); - - var part94 = match("MESSAGE#52:00002:48/1_0", "nwparser.p0", "exactly same with incoming if %{p0}"); - - var part95 = match("MESSAGE#52:00002:48/1_1", "nwparser.p0", "in route table %{p0}"); - - var select22 = linear_select([ - part94, - part95, - ]); - - var part96 = match("MESSAGE#52:00002:48/2", "nwparser.p0", "(IP spoof protection) is %{disposition->} on zone %{zone->} by %{username->} via %{p0}"); - - var part97 = match("MESSAGE#52:00002:48/3_0", "nwparser.p0", "NSRP Peer. (%{p0}"); - - var select23 = linear_select([ - part97, - dup45, - ]); - - var all20 = all_match({ - processors: [ - part93, - select22, - part96, - select23, - dup41, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg53 = msg("00002:48", all20); - - var part98 = match("MESSAGE#53:00002:52/0", "nwparser.payload", "%{signame->} %{p0}"); - - var part99 = match("MESSAGE#53:00002:52/1_0", "nwparser.p0", "protection%{p0}"); - - var part100 = match("MESSAGE#53:00002:52/1_1", "nwparser.p0", "limiting%{p0}"); - - var part101 = match("MESSAGE#53:00002:52/1_2", "nwparser.p0", "detection%{p0}"); - - var part102 = match("MESSAGE#53:00002:52/1_3", "nwparser.p0", "filtering %{p0}"); - - var select24 = linear_select([ - part99, - part100, - part101, - part102, - ]); - - var part103 = match("MESSAGE#53:00002:52/2", "nwparser.p0", "%{}is %{disposition->} on zone %{zone->} by %{p0}"); - - var part104 = match("MESSAGE#53:00002:52/3_1", "nwparser.p0", "admin via %{p0}"); - - var select25 = linear_select([ - dup46, - part104, - dup47, - ]); - - var select26 = linear_select([ - dup48, - dup45, - ]); - - var all21 = all_match({ - processors: [ - 
part98, - select24, - part103, - select25, - select26, - dup41, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg54 = msg("00002:52", all21); - - var part105 = match("MESSAGE#54:00002:53", "nwparser.payload", "Admin password for account \"%{username}\" has been %{disposition->} by %{administrator->} via %{logon_type->} (%{fld1})", processor_chain([ - dup42, - dup43, - dup38, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg55 = msg("00002:53", part105); - - var part106 = match("MESSAGE#55:00002:54/0", "nwparser.payload", "Traffic shaping clearing DSCP selector is turned O%{p0}"); - - var part107 = match("MESSAGE#55:00002:54/1_0", "nwparser.p0", "FF%{p0}"); - - var part108 = match("MESSAGE#55:00002:54/1_1", "nwparser.p0", "N%{p0}"); - - var select27 = linear_select([ - part107, - part108, - ]); - - var all22 = all_match({ - processors: [ - part106, - select27, - dup49, - ], - on_success: processor_chain([ - dup50, - dup43, - dup51, - dup2, - dup3, - dup4, - dup5, - dup9, - ]), - }); - - var msg56 = msg("00002:54", all22); - - var part109 = match("MESSAGE#56:00002/0", "nwparser.payload", "%{change_attribute->} %{p0}"); - - var part110 = match("MESSAGE#56:00002/1_0", "nwparser.p0", "has been changed%{p0}"); - - var select28 = linear_select([ - part110, - dup52, - ]); - - var part111 = match("MESSAGE#56:00002/2", "nwparser.p0", "%{}from %{change_old->} to %{change_new}"); - - var all23 = all_match({ - processors: [ - part109, - select28, - part111, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg57 = msg("00002", all23); - - var part112 = match("MESSAGE#1215:00002:56", "nwparser.payload", "Admin user \"%{administrator}\" login attempt for %{logon_type}(%{network_service}) management (port %{network_port}) from %{saddr}:%{sport->} failed. 
(%{fld1})", processor_chain([ - dup53, - dup9, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg58 = msg("00002:56", part112); - - var select29 = linear_select([ - msg11, - msg12, - msg13, - msg14, - msg15, - msg16, - msg17, - msg18, - msg19, - msg20, - msg21, - msg22, - msg23, - msg24, - msg25, - msg26, - msg27, - msg28, - msg29, - msg30, - msg31, - msg32, - msg33, - msg34, - msg35, - msg36, - msg37, - msg38, - msg39, - msg40, - msg41, - msg42, - msg43, - msg44, - msg45, - msg46, - msg47, - msg48, - msg49, - msg50, - msg51, - msg52, - msg53, - msg54, - msg55, - msg56, - msg57, - msg58, - ]); - - var part113 = match("MESSAGE#57:00003", "nwparser.payload", "Multiple authentication failures have been detected! From %{saddr}:%{sport->} to %{daddr}:%{dport->} using protocol %{protocol->} on interface %{interface}", processor_chain([ - dup53, - dup31, - dup54, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg59 = msg("00003", part113); - - var part114 = match("MESSAGE#58:00003:01", "nwparser.payload", "Multiple authentication failures have been detected!%{}", processor_chain([ - dup53, - dup31, - dup54, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg60 = msg("00003:01", part114); - - var part115 = match("MESSAGE#59:00003:02", "nwparser.payload", "The console debug buffer has been %{disposition}", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg61 = msg("00003:02", part115); - - var part116 = match("MESSAGE#60:00003:03", "nwparser.payload", "%{change_attribute->} changed from %{change_old->} to %{change_new}.", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg62 = msg("00003:03", part116); - - var part117 = match("MESSAGE#61:00003:05/1_0", "nwparser.p0", "serial%{p0}"); - - var part118 = match("MESSAGE#61:00003:05/1_1", "nwparser.p0", "local%{p0}"); - - var select30 = linear_select([ - part117, - part118, - ]); - - var part119 = match("MESSAGE#61:00003:05/2", "nwparser.p0", "%{}console has been 
%{disposition->} by admin %{administrator}."); - - var all24 = all_match({ - processors: [ - dup55, - select30, - part119, - ], - on_success: processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg63 = msg("00003:05", all24); - - var select31 = linear_select([ - msg59, - msg60, - msg61, - msg62, - msg63, - ]); - - var part120 = match("MESSAGE#62:00004", "nwparser.payload", "%{info}DNS server IP has been changed", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg64 = msg("00004", part120); - - var part121 = match("MESSAGE#63:00004:01", "nwparser.payload", "DNS cache table has been %{disposition}", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg65 = msg("00004:01", part121); - - var part122 = match("MESSAGE#64:00004:02", "nwparser.payload", "Daily DNS lookup has been %{disposition}", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg66 = msg("00004:02", part122); - - var part123 = match("MESSAGE#65:00004:03", "nwparser.payload", "Daily DNS lookup time has been %{disposition}", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg67 = msg("00004:03", part123); - - var part124 = match("MESSAGE#66:00004:04/0", "nwparser.payload", "%{signame->} has been detected! 
From %{saddr->} to %{daddr->} using protocol %{protocol->} on %{p0}"); - - var part125 = match("MESSAGE#66:00004:04/2", "nwparser.p0", "%{} %{interface->} %{space}The attack occurred %{dclass_counter1->} times"); - - var all25 = all_match({ - processors: [ - part124, - dup337, - part125, - ], - on_success: processor_chain([ - dup58, - dup2, - dup4, - dup5, - dup59, - dup3, - dup60, - ]), - }); - - var msg68 = msg("00004:04", all25); - - var part126 = match("MESSAGE#67:00004:05", "nwparser.payload", "%{signame->} from %{saddr}/%{sport->} to %{daddr}/%{dport->} protocol %{protocol}", processor_chain([ - dup58, - dup2, - dup4, - dup5, - dup3, - dup61, - ])); - - var msg69 = msg("00004:05", part126); - - var part127 = match("MESSAGE#68:00004:06", "nwparser.payload", "DNS lookup time has been changed to start at %{fld2}:%{fld3->} with an interval of %{fld4}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg70 = msg("00004:06", part127); - - var part128 = match("MESSAGE#69:00004:07", "nwparser.payload", "DNS cache table entries have been refreshed as result of external event.%{}", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg71 = msg("00004:07", part128); - - var part129 = match("MESSAGE#70:00004:08", "nwparser.payload", "DNS Proxy module has been %{disposition}.", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg72 = msg("00004:08", part129); - - var part130 = match("MESSAGE#71:00004:09", "nwparser.payload", "DNS Proxy module has more concurrent client requests than allowed.%{}", processor_chain([ - dup62, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg73 = msg("00004:09", part130); - - var part131 = match("MESSAGE#72:00004:10", "nwparser.payload", "DNS Proxy server select table entries exceeded maximum limit.%{}", processor_chain([ - dup62, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg74 = msg("00004:10", part131); - - var part132 = match("MESSAGE#73:00004:11", 
"nwparser.payload", "Proxy server select table added with domain %{domain}, interface %{interface}, primary-ip %{fld2}, secondary-ip %{fld3}, tertiary-ip %{fld4}, failover %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg75 = msg("00004:11", part132); - - var part133 = match("MESSAGE#74:00004:12", "nwparser.payload", "DNS Proxy server select table entry %{disposition->} with domain %{domain}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg76 = msg("00004:12", part133); - - var part134 = match("MESSAGE#75:00004:13", "nwparser.payload", "DDNS server %{domain->} returned incorrect ip %{fld2}, local-ip should be %{fld3}", processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg77 = msg("00004:13", part134); - - var part135 = match("MESSAGE#76:00004:14/1_0", "nwparser.p0", "automatically refreshed %{p0}"); - - var part136 = match("MESSAGE#76:00004:14/1_1", "nwparser.p0", "refreshed by HA %{p0}"); - - var select32 = linear_select([ - part135, - part136, - ]); - - var all26 = all_match({ - processors: [ - dup63, - select32, - dup49, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg78 = msg("00004:14", all26); - - var part137 = match("MESSAGE#77:00004:15", "nwparser.payload", "DNS entries have been refreshed as result of DNS server address change. (%{fld1})", processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg79 = msg("00004:15", part137); - - var part138 = match("MESSAGE#78:00004:16", "nwparser.payload", "DNS entries have been manually refreshed. 
(%{fld1})", processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg80 = msg("00004:16", part138); - - var all27 = all_match({ - processors: [ - dup64, - dup338, - dup67, - ], - on_success: processor_chain([ - dup58, - dup2, - dup4, - dup59, - dup9, - dup5, - dup3, - dup60, - ]), - }); - - var msg81 = msg("00004:17", all27); - - var select33 = linear_select([ - msg64, - msg65, - msg66, - msg67, - msg68, - msg69, - msg70, - msg71, - msg72, - msg73, - msg74, - msg75, - msg76, - msg77, - msg78, - msg79, - msg80, - msg81, - ]); - - var part139 = match("MESSAGE#80:00005", "nwparser.payload", "%{signame->} alarm threshold from the same source has been changed to %{trigger_val}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg82 = msg("00005", part139); - - var part140 = match("MESSAGE#81:00005:01", "nwparser.payload", "Logging of %{fld2->} traffic to self has been %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg83 = msg("00005:01", part140); - - var part141 = match("MESSAGE#82:00005:02", "nwparser.payload", "SYN flood %{fld2->} has been changed to %{fld3}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg84 = msg("00005:02", part141); - - var part142 = match("MESSAGE#83:00005:03/0", "nwparser.payload", "%{signame->} has been detected! From %{saddr}:%{sport->} to %{daddr}:%{p0}"); - - var part143 = match("MESSAGE#83:00005:03/4", "nwparser.p0", "%{fld99}interface %{interface->} %{p0}"); - - var part144 = match("MESSAGE#83:00005:03/5_0", "nwparser.p0", "in zone %{zone}. 
%{p0}"); - - var select34 = linear_select([ - part144, - dup73, - ]); - - var part145 = match("MESSAGE#83:00005:03/6", "nwparser.p0", "%{space}The attack occurred %{dclass_counter1->} times"); - - var all28 = all_match({ - processors: [ - part142, - dup339, - dup70, - dup340, - part143, - select34, - part145, - ], - on_success: processor_chain([ - dup58, - dup2, - dup3, - dup4, - dup5, - dup59, - dup61, - ]), - }); - - var msg85 = msg("00005:03", all28); - - var msg86 = msg("00005:04", dup341); - - var part146 = match("MESSAGE#85:00005:05", "nwparser.payload", "SYN flood drop pak in %{fld2->} mode when receiving unknown dst mac has been %{disposition->} on %{zone}.", processor_chain([ - setc("eventcategory","1001020100"), - dup2, - dup3, - dup4, - dup5, - ])); - - var msg87 = msg("00005:05", part146); - - var part147 = match("MESSAGE#86:00005:06/1", "nwparser.p0", "flood timeout has been set to %{trigger_val->} on %{zone}."); - - var all29 = all_match({ - processors: [ - dup342, - part147, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg88 = msg("00005:06", all29); - - var part148 = match("MESSAGE#87:00005:07/0", "nwparser.payload", "SYN flood %{p0}"); - - var part149 = match("MESSAGE#87:00005:07/1_0", "nwparser.p0", "alarm threshold %{p0}"); - - var part150 = match("MESSAGE#87:00005:07/1_1", "nwparser.p0", "packet queue size %{p0}"); - - var part151 = match("MESSAGE#87:00005:07/1_3", "nwparser.p0", "attack threshold %{p0}"); - - var part152 = match("MESSAGE#87:00005:07/1_4", "nwparser.p0", "same source IP threshold %{p0}"); - - var select35 = linear_select([ - part149, - part150, - dup76, - part151, - part152, - ]); - - var part153 = match("MESSAGE#87:00005:07/2", "nwparser.p0", "is set to %{trigger_val}."); - - var all30 = all_match({ - processors: [ - part148, - select35, - part153, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg89 = msg("00005:07", all30); - 
- var part154 = match("MESSAGE#88:00005:08/1", "nwparser.p0", "flood same %{p0}"); - - var select36 = linear_select([ - dup77, - dup78, - ]); - - var part155 = match("MESSAGE#88:00005:08/3", "nwparser.p0", "ip threshold has been set to %{trigger_val->} on %{zone}."); - - var all31 = all_match({ - processors: [ - dup342, - part154, - select36, - part155, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg90 = msg("00005:08", all31); - - var part156 = match("MESSAGE#89:00005:09", "nwparser.payload", "Screen service %{service->} is %{disposition->} on interface %{interface}.", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg91 = msg("00005:09", part156); - - var part157 = match("MESSAGE#90:00005:10", "nwparser.payload", "Screen service %{service->} is %{disposition->} on %{zone}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg92 = msg("00005:10", part157); - - var part158 = match("MESSAGE#91:00005:11/0", "nwparser.payload", "The SYN flood %{p0}"); - - var part159 = match("MESSAGE#91:00005:11/1_0", "nwparser.p0", "alarm threshold%{}"); - - var part160 = match("MESSAGE#91:00005:11/1_1", "nwparser.p0", "packet queue size%{}"); - - var part161 = match("MESSAGE#91:00005:11/1_2", "nwparser.p0", "timeout value%{}"); - - var part162 = match("MESSAGE#91:00005:11/1_3", "nwparser.p0", "attack threshold%{}"); - - var part163 = match("MESSAGE#91:00005:11/1_4", "nwparser.p0", "same source IP%{}"); - - var select37 = linear_select([ - part159, - part160, - part161, - part162, - part163, - ]); - - var all32 = all_match({ - processors: [ - part158, - select37, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg93 = msg("00005:11", all32); - - var part164 = match("MESSAGE#92:00005:12", "nwparser.payload", "The SYN-ACK-ACK proxy threshold value has been set to %{trigger_val->} on %{interface}.", processor_chain([ - dup1, - dup2, - 
dup3, - dup4, - dup5, - ])); - - var msg94 = msg("00005:12", part164); - - var part165 = match("MESSAGE#93:00005:13", "nwparser.payload", "The session limit threshold has been set to %{trigger_val->} on %{zone}.", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg95 = msg("00005:13", part165); - - var part166 = match("MESSAGE#94:00005:14", "nwparser.payload", "syn proxy drop packet with unknown mac!%{}", processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg96 = msg("00005:14", part166); - - var part167 = match("MESSAGE#95:00005:15", "nwparser.payload", "%{signame->} alarm threshold has been changed to %{trigger_val}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg97 = msg("00005:15", part167); - - var part168 = match("MESSAGE#96:00005:16", "nwparser.payload", "%{signame->} threshold has been set to %{trigger_val->} on %{zone}.", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg98 = msg("00005:16", part168); - - var part169 = match("MESSAGE#97:00005:17/1_0", "nwparser.p0", "destination-based %{p0}"); - - var part170 = match("MESSAGE#97:00005:17/1_1", "nwparser.p0", "source-based %{p0}"); - - var select38 = linear_select([ - part169, - part170, - ]); - - var part171 = match("MESSAGE#97:00005:17/2", "nwparser.p0", "session-limit threshold has been set at %{trigger_val->} in zone %{zone}."); - - var all33 = all_match({ - processors: [ - dup79, - select38, - part171, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg99 = msg("00005:17", all33); - - var all34 = all_match({ - processors: [ - dup80, - dup343, - dup83, - ], - on_success: processor_chain([ - dup84, - dup2, - dup59, - dup9, - dup3, - dup4, - dup5, - dup61, - ]), - }); - - var msg100 = msg("00005:18", all34); - - var part172 = match("MESSAGE#99:00005:19", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to %{daddr}:%{dport}, using protocol 
%{protocol}, and arriving at interface %{dinterface->} in zone %{dst_zone}.The attack occurred %{dclass_counter1->} times.", processor_chain([ - dup84, - dup2, - dup3, - dup4, - dup5, - dup59, - dup61, - ])); - - var msg101 = msg("00005:19", part172); - - var part173 = match("MESSAGE#100:00005:20", "nwparser.payload", "%{signame->} From %{saddr->} to %{daddr}, proto %{protocol->} (zone %{zone->} int %{interface}).%{space->} Occurred %{fld2->} times. (%{fld1})\u003c\u003c%{fld6}>", processor_chain([ - dup84, - dup9, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg102 = msg("00005:20", part173); - - var select39 = linear_select([ - msg82, - msg83, - msg84, - msg85, - msg86, - msg87, - msg88, - msg89, - msg90, - msg91, - msg92, - msg93, - msg94, - msg95, - msg96, - msg97, - msg98, - msg99, - msg100, - msg101, - msg102, - ]); - - var part174 = match("MESSAGE#101:00006", "nwparser.payload", "%{signame->} has been detected! From %{saddr}:%{sport->} to %{daddr}:%{dport->} using protocol %{protocol->} on interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([ - dup85, - dup2, - dup3, - dup4, - dup59, - dup5, - dup61, - ])); - - var msg103 = msg("00006", part174); - - var part175 = match("MESSAGE#102:00006:01", "nwparser.payload", "Hostname set to \"%{hostname}\"", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg104 = msg("00006:01", part175); - - var part176 = match("MESSAGE#103:00006:02", "nwparser.payload", "Domain set to %{domain}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg105 = msg("00006:02", part176); - - var part177 = match("MESSAGE#104:00006:03", "nwparser.payload", "An optional ScreenOS feature has been activated via a software key.%{}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg106 = msg("00006:03", part177); - - var part178 = match("MESSAGE#105:00006:04/0", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to 
%{daddr}:%{dport}, proto %{protocol->} (zone %{p0}"); - - var all35 = all_match({ - processors: [ - part178, - dup338, - dup67, - ], - on_success: processor_chain([ - dup84, - dup2, - dup59, - dup9, - dup3, - dup4, - dup5, - dup61, - ]), - }); - - var msg107 = msg("00006:04", all35); - - var all36 = all_match({ - processors: [ - dup64, - dup338, - dup67, - ], - on_success: processor_chain([ - dup84, - dup2, - dup59, - dup9, - dup3, - dup4, - dup5, - dup60, - ]), - }); - - var msg108 = msg("00006:05", all36); - - var select40 = linear_select([ - msg103, - msg104, - msg105, - msg106, - msg107, - msg108, - ]); - - var part179 = match("MESSAGE#107:00007", "nwparser.payload", "HA cluster ID has been changed to %{fld2}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg109 = msg("00007", part179); - - var part180 = match("MESSAGE#108:00007:01", "nwparser.payload", "%{change_attribute->} of the local NetScreen device has changed from %{change_old->} to %{change_new}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg110 = msg("00007:01", part180); - - var part181 = match("MESSAGE#109:00007:02/0", "nwparser.payload", "HA state of the local device has changed to backup because a device with a %{p0}"); - - var part182 = match("MESSAGE#109:00007:02/1_0", "nwparser.p0", "higher priority has been detected%{}"); - - var part183 = match("MESSAGE#109:00007:02/1_1", "nwparser.p0", "lower MAC value has been detected%{}"); - - var select41 = linear_select([ - part182, - part183, - ]); - - var all37 = all_match({ - processors: [ - part181, - select41, - ], - on_success: processor_chain([ - dup86, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg111 = msg("00007:02", all37); - - var part184 = match("MESSAGE#110:00007:03", "nwparser.payload", "HA state of the local device has changed to init because IP tracking has failed%{}", processor_chain([ - dup86, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg112 = msg("00007:03", 
part184); - - var select42 = linear_select([ - dup88, - dup89, - ]); - - var part185 = match("MESSAGE#111:00007:04/4", "nwparser.p0", "has been changed%{}"); - - var all38 = all_match({ - processors: [ - dup87, - select42, - dup23, - dup344, - part185, - ], - on_success: processor_chain([ - dup91, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg113 = msg("00007:04", all38); - - var part186 = match("MESSAGE#112:00007:05", "nwparser.payload", "HA: Local NetScreen device has been elected backup because a master already exists%{}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg114 = msg("00007:05", part186); - - var part187 = match("MESSAGE#113:00007:06", "nwparser.payload", "HA: Local NetScreen device has been elected backup because its MAC value is higher than those of other devices in the cluster%{}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg115 = msg("00007:06", part187); - - var part188 = match("MESSAGE#114:00007:07", "nwparser.payload", "HA: Local NetScreen device has been elected backup because its priority value is higher than those of other devices in the cluster%{}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg116 = msg("00007:07", part188); - - var part189 = match("MESSAGE#115:00007:08", "nwparser.payload", "HA: Local device has been elected master because no other master exists%{}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg117 = msg("00007:08", part189); - - var part190 = match("MESSAGE#116:00007:09", "nwparser.payload", "HA: Local device priority has been changed to %{fld2}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg118 = msg("00007:09", part190); - - var part191 = match("MESSAGE#117:00007:10", "nwparser.payload", "HA: Previous master has promoted the local NetScreen device to master%{}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg119 = msg("00007:10", 
part191); - - var part192 = match("MESSAGE#118:00007:11/0", "nwparser.payload", "IP tracking device failover threshold has been %{p0}"); - - var select43 = linear_select([ - dup92, - dup93, - ]); - - var all39 = all_match({ - processors: [ - part192, - select43, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg120 = msg("00007:11", all39); - - var part193 = match("MESSAGE#119:00007:12", "nwparser.payload", "IP tracking has been %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg121 = msg("00007:12", part193); - - var part194 = match("MESSAGE#120:00007:13", "nwparser.payload", "IP tracking to %{hostip->} with interval %{fld2->} threshold %{trigger_val->} weight %{fld4->} interface %{interface->} method %{fld5->} has been %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg122 = msg("00007:13", part194); - - var part195 = match("MESSAGE#121:00007:14", "nwparser.payload", "%{signame->} From %{saddr->} to %{daddr->} using protocol %{protocol->} on zone %{zone->} interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([ - dup85, - dup2, - dup3, - dup4, - dup59, - dup5, - dup60, - ])); - - var msg123 = msg("00007:14", part195); - - var part196 = match("MESSAGE#122:00007:15", "nwparser.payload", "Primary HA interface has been changed to %{interface}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg124 = msg("00007:15", part196); - - var part197 = match("MESSAGE#123:00007:16", "nwparser.payload", "Reporting of HA configuration and status changes to NetScreen-Global Manager has been %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg125 = msg("00007:16", part197); - - var part198 = match("MESSAGE#124:00007:17", "nwparser.payload", "Tracked IP %{hostip->} has been %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - 
dup5, - ])); - - var msg126 = msg("00007:17", part198); - - var part199 = match("MESSAGE#125:00007:18/0", "nwparser.payload", "Tracked IP %{hostip->} options have been changed from int %{fld2->} thr %{fld3->} wgt %{fld4->} inf %{fld5->} %{p0}"); - - var part200 = match("MESSAGE#125:00007:18/1_0", "nwparser.p0", "ping %{p0}"); - - var part201 = match("MESSAGE#125:00007:18/1_1", "nwparser.p0", "ARP %{p0}"); - - var select44 = linear_select([ - part200, - part201, - ]); - - var part202 = match("MESSAGE#125:00007:18/2", "nwparser.p0", "to %{fld6->} %{p0}"); - - var part203 = match("MESSAGE#125:00007:18/3_0", "nwparser.p0", "ping%{}"); - - var part204 = match("MESSAGE#125:00007:18/3_1", "nwparser.p0", "ARP%{}"); - - var select45 = linear_select([ - part203, - part204, - ]); - - var all40 = all_match({ - processors: [ - part199, - select44, - part202, - select45, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg127 = msg("00007:18", all40); - - var part205 = match("MESSAGE#126:00007:20", "nwparser.payload", "Change %{change_attribute->} path from %{change_old->} to %{change_new}.", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg128 = msg("00007:20", part205); - - var part206 = match("MESSAGE#127:00007:21/0", "nwparser.payload", "HA Slave is %{p0}"); - - var all41 = all_match({ - processors: [ - part206, - dup345, - ], - on_success: processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg129 = msg("00007:21", all41); - - var part207 = match("MESSAGE#128:00007:22", "nwparser.payload", "HA change group id to %{groupid}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg130 = msg("00007:22", part207); - - var part208 = match("MESSAGE#129:00007:23", "nwparser.payload", "HA change priority to %{fld2}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg131 = msg("00007:23", part208); - - var part209 = 
match("MESSAGE#130:00007:24", "nwparser.payload", "HA change state to init%{}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg132 = msg("00007:24", part209); - - var part210 = match("MESSAGE#131:00007:25", "nwparser.payload", "HA: Change state to initial state.%{}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg133 = msg("00007:25", part210); - - var part211 = match("MESSAGE#132:00007:26/0", "nwparser.payload", "HA: Change state to slave for %{p0}"); - - var part212 = match("MESSAGE#132:00007:26/1_0", "nwparser.p0", "tracking ip failed%{}"); - - var part213 = match("MESSAGE#132:00007:26/1_1", "nwparser.p0", "linkdown%{}"); - - var select46 = linear_select([ - part212, - part213, - ]); - - var all42 = all_match({ - processors: [ - part211, - select46, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg134 = msg("00007:26", all42); - - var part214 = match("MESSAGE#133:00007:27", "nwparser.payload", "HA: Change to master command issued from original master to change state%{}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg135 = msg("00007:27", part214); - - var part215 = match("MESSAGE#134:00007:28", "nwparser.payload", "HA: Elected master no other master%{}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg136 = msg("00007:28", part215); - - var part216 = match("MESSAGE#135:00007:29/0", "nwparser.payload", "HA: Elected slave %{p0}"); - - var part217 = match("MESSAGE#135:00007:29/1_0", "nwparser.p0", "lower priority%{}"); - - var part218 = match("MESSAGE#135:00007:29/1_1", "nwparser.p0", "MAC value is larger%{}"); - - var part219 = match("MESSAGE#135:00007:29/1_2", "nwparser.p0", "master already exists%{}"); - - var part220 = match("MESSAGE#135:00007:29/1_3", "nwparser.p0", "detect new master with higher priority%{}"); - - var part221 = match("MESSAGE#135:00007:29/1_4", "nwparser.p0", "detect new master 
with smaller MAC value%{}"); - - var select47 = linear_select([ - part217, - part218, - part219, - part220, - part221, - ]); - - var all43 = all_match({ - processors: [ - part216, - select47, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg137 = msg("00007:29", all43); - - var part222 = match("MESSAGE#136:00007:30", "nwparser.payload", "HA: Promoted master command issued from original master to change state%{}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg138 = msg("00007:30", part222); - - var part223 = match("MESSAGE#137:00007:31/0", "nwparser.payload", "HA: ha link %{p0}"); - - var all44 = all_match({ - processors: [ - part223, - dup345, - ], - on_success: processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg139 = msg("00007:31", all44); - - var part224 = match("MESSAGE#138:00007:32/0", "nwparser.payload", "NSRP %{fld2->} %{p0}"); - - var select48 = linear_select([ - dup89, - dup88, - ]); - - var part225 = match("MESSAGE#138:00007:32/4", "nwparser.p0", "changed.%{}"); - - var all45 = all_match({ - processors: [ - part224, - select48, - dup23, - dup344, - part225, - ], - on_success: processor_chain([ - dup91, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg140 = msg("00007:32", all45); - - var part226 = match("MESSAGE#139:00007:33/0_0", "nwparser.payload", "NSRP: VSD %{p0}"); - - var part227 = match("MESSAGE#139:00007:33/0_1", "nwparser.payload", "Virtual Security Device group %{p0}"); - - var select49 = linear_select([ - part226, - part227, - ]); - - var part228 = match("MESSAGE#139:00007:33/1", "nwparser.p0", "%{fld2->} change%{p0}"); - - var part229 = match("MESSAGE#139:00007:33/2_0", "nwparser.p0", "d %{p0}"); - - var select50 = linear_select([ - part229, - dup96, - ]); - - var part230 = match("MESSAGE#139:00007:33/3", "nwparser.p0", "to %{fld3->} mode."); - - var all46 = all_match({ - processors: [ - select49, - part228, - select50, - 
part230, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg141 = msg("00007:33", all46); - - var part231 = match("MESSAGE#140:00007:34", "nwparser.payload", "NSRP: message %{fld2->} dropped: invalid encryption password.", processor_chain([ - dup97, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg142 = msg("00007:34", part231); - - var part232 = match("MESSAGE#141:00007:35", "nwparser.payload", "NSRP: nsrp interface change to %{interface}.", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg143 = msg("00007:35", part232); - - var part233 = match("MESSAGE#142:00007:36", "nwparser.payload", "RTO mirror group id=%{groupid->} direction= %{direction->} local unit=%{fld3->} duplicate from unit=%{fld4}", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg144 = msg("00007:36", part233); - - var part234 = match("MESSAGE#143:00007:37/0", "nwparser.payload", "RTO mirror group id=%{groupid->} direction= %{direction->} is %{p0}"); - - var all47 = all_match({ - processors: [ - part234, - dup346, - ], - on_success: processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg145 = msg("00007:37", all47); - - var part235 = match("MESSAGE#144:00007:38/0", "nwparser.payload", "RTO mirror group id=%{groupid->} direction= %{direction->} peer=%{fld3->} from %{p0}"); - - var part236 = match("MESSAGE#144:00007:38/4", "nwparser.p0", "state %{p0}"); - - var part237 = match("MESSAGE#144:00007:38/5_0", "nwparser.p0", "missed heartbeat%{}"); - - var part238 = match("MESSAGE#144:00007:38/5_1", "nwparser.p0", "group detached%{}"); - - var select51 = linear_select([ - part237, - part238, - ]); - - var all48 = all_match({ - processors: [ - part235, - dup347, - dup103, - dup347, - part236, - select51, - ], - on_success: processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg146 = msg("00007:38", all48); - - var part239 = 
match("MESSAGE#145:00007:39/0", "nwparser.payload", "RTO mirror group id=%{groupid->} is %{p0}"); - - var all49 = all_match({ - processors: [ - part239, - dup346, - ], - on_success: processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg147 = msg("00007:39", all49); - - var part240 = match("MESSAGE#146:00007:40", "nwparser.payload", "Remove pathname %{fld2->} (ifnum=%{fld3}) as secondary HA path", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg148 = msg("00007:40", part240); - - var part241 = match("MESSAGE#147:00007:41", "nwparser.payload", "Session sync ended by unit=%{fld2}", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg149 = msg("00007:41", part241); - - var part242 = match("MESSAGE#148:00007:42", "nwparser.payload", "Set secondary HA path to %{fld2->} (ifnum=%{fld3})", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg150 = msg("00007:42", part242); - - var part243 = match("MESSAGE#149:00007:43", "nwparser.payload", "VSD %{change_attribute->} changed from %{change_old->} to %{change_new}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg151 = msg("00007:43", part243); - - var part244 = match("MESSAGE#150:00007:44", "nwparser.payload", "vsd group id=%{groupid->} is %{disposition->} total number=%{fld3}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg152 = msg("00007:44", part244); - - var part245 = match("MESSAGE#151:00007:45", "nwparser.payload", "vsd group %{group->} local unit %{change_attribute->} changed from %{change_old->} to %{change_new}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg153 = msg("00007:45", part245); - - var part246 = match("MESSAGE#152:00007:46", "nwparser.payload", "%{signame->} has been detected! 
From %{saddr->} to %{daddr->} using protocol %{protocol->} on interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([ - dup85, - dup2, - dup3, - dup4, - dup59, - dup5, - dup60, - ])); - - var msg154 = msg("00007:46", part246); - - var part247 = match("MESSAGE#153:00007:47", "nwparser.payload", "The HA channel changed to interface %{interface}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg155 = msg("00007:47", part247); - - var part248 = match("MESSAGE#154:00007:48", "nwparser.payload", "Message %{fld2->} was dropped because it contained an invalid encryption password.", processor_chain([ - dup97, - dup2, - dup3, - dup4, - setc("disposition","dropped"), - setc("result","Invalid encryption Password"), - ])); - - var msg156 = msg("00007:48", part248); - - var part249 = match("MESSAGE#155:00007:49", "nwparser.payload", "The %{change_attribute->} of all Virtual Security Device groups changed from %{change_old->} to %{change_new}", processor_chain([ - setc("eventcategory","1604000000"), - dup2, - dup3, - dup4, - dup5, - ])); - - var msg157 = msg("00007:49", part249); - - var part250 = match("MESSAGE#156:00007:50/0", "nwparser.payload", "Device %{fld2->} %{p0}"); - - var part251 = match("MESSAGE#156:00007:50/1_0", "nwparser.p0", "has joined %{p0}"); - - var part252 = match("MESSAGE#156:00007:50/1_1", "nwparser.p0", "quit current %{p0}"); - - var select52 = linear_select([ - part251, - part252, - ]); - - var part253 = match("MESSAGE#156:00007:50/2", "nwparser.p0", "NSRP cluster %{fld3}"); - - var all50 = all_match({ - processors: [ - part250, - select52, - part253, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg158 = msg("00007:50", all50); - - var part254 = match("MESSAGE#157:00007:51/0", "nwparser.payload", "Virtual Security Device group %{group->} was %{p0}"); - - var part255 = match("MESSAGE#157:00007:51/1_1", "nwparser.p0", "deleted %{p0}"); - 
- var select53 = linear_select([ - dup104, - part255, - ]); - - var select54 = linear_select([ - dup105, - dup73, - ]); - - var part256 = match("MESSAGE#157:00007:51/4", "nwparser.p0", "The total number of members in the group %{p0}"); - - var select55 = linear_select([ - dup106, - dup107, - ]); - - var all51 = all_match({ - processors: [ - part254, - select53, - dup23, - select54, - part256, - select55, - dup108, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg159 = msg("00007:51", all51); - - var part257 = match("MESSAGE#158:00007:52", "nwparser.payload", "Virtual Security Device group %{group->} %{change_attribute->} changed from %{change_old->} to %{change_new}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg160 = msg("00007:52", part257); - - var part258 = match("MESSAGE#159:00007:53", "nwparser.payload", "The secondary HA path of the devices was set to interface %{interface->} with ifnum %{fld2}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg161 = msg("00007:53", part258); - - var part259 = match("MESSAGE#160:00007:54", "nwparser.payload", "The %{change_attribute->} of the devices changed from %{change_old->} to %{change_new}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg162 = msg("00007:54", part259); - - var part260 = match("MESSAGE#161:00007:55", "nwparser.payload", "The interface %{interface->} with ifnum %{fld2->} was removed from the secondary HA path of the devices.", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg163 = msg("00007:55", part260); - - var part261 = match("MESSAGE#162:00007:56", "nwparser.payload", "The probe that detects the status of High Availability link %{fld2->} was %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg164 = msg("00007:56", part261); - - var select56 = linear_select([ - dup109, - dup110, - ]); - - var 
select57 = linear_select([ - dup111, - dup112, - ]); - - var part262 = match("MESSAGE#163:00007:57/4", "nwparser.p0", "the probe detecting the status of High Availability link %{fld2->} was set to %{fld3}"); - - var all52 = all_match({ - processors: [ - dup55, - select56, - dup23, - select57, - part262, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg165 = msg("00007:57", all52); - - var part263 = match("MESSAGE#164:00007:58", "nwparser.payload", "A request by device %{fld2->} for session synchronization(s) was accepted.", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg166 = msg("00007:58", part263); - - var part264 = match("MESSAGE#165:00007:59", "nwparser.payload", "The current session synchronization by device %{fld2->} completed.", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg167 = msg("00007:59", part264); - - var part265 = match("MESSAGE#166:00007:60", "nwparser.payload", "Run Time Object mirror group %{group->} direction was set to %{direction}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg168 = msg("00007:60", part265); - - var part266 = match("MESSAGE#167:00007:61", "nwparser.payload", "Run Time Object mirror group %{group->} was set.", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg169 = msg("00007:61", part266); - - var part267 = match("MESSAGE#168:00007:62", "nwparser.payload", "Run Time Object mirror group %{group->} with direction %{direction->} was unset.", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg170 = msg("00007:62", part267); - - var part268 = match("MESSAGE#169:00007:63", "nwparser.payload", "RTO mirror group %{group->} was unset.", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg171 = msg("00007:63", part268); - - var part269 = match("MESSAGE#170:00007:64/1", "nwparser.p0", "%{fld2->} was removed from the 
monitoring list %{p0}"); - - var part270 = match("MESSAGE#170:00007:64/3", "nwparser.p0", "%{fld3}"); - - var all53 = all_match({ - processors: [ - dup348, - part269, - dup349, - part270, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg172 = msg("00007:64", all53); - - var part271 = match("MESSAGE#171:00007:65/1", "nwparser.p0", "%{fld2->} with weight %{fld3->} was added%{p0}"); - - var part272 = match("MESSAGE#171:00007:65/2_0", "nwparser.p0", " to or updated on %{p0}"); - - var part273 = match("MESSAGE#171:00007:65/2_1", "nwparser.p0", "/updated to %{p0}"); - - var select58 = linear_select([ - part272, - part273, - ]); - - var part274 = match("MESSAGE#171:00007:65/3", "nwparser.p0", "the monitoring list %{p0}"); - - var part275 = match("MESSAGE#171:00007:65/5", "nwparser.p0", "%{fld4}"); - - var all54 = all_match({ - processors: [ - dup348, - part271, - select58, - part274, - dup349, - part275, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg173 = msg("00007:65", all54); - - var part276 = match("MESSAGE#172:00007:66/0_0", "nwparser.payload", "The monitoring %{p0}"); - - var part277 = match("MESSAGE#172:00007:66/0_1", "nwparser.payload", "Monitoring %{p0}"); - - var select59 = linear_select([ - part276, - part277, - ]); - - var part278 = match("MESSAGE#172:00007:66/1", "nwparser.p0", "threshold was modified to %{trigger_val->} o%{p0}"); - - var part279 = match("MESSAGE#172:00007:66/2_0", "nwparser.p0", "f %{p0}"); - - var select60 = linear_select([ - part279, - dup115, - ]); - - var all55 = all_match({ - processors: [ - select59, - part278, - select60, - dup108, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg174 = msg("00007:66", all55); - - var part280 = match("MESSAGE#173:00007:67", "nwparser.payload", "NSRP data forwarding %{disposition}.", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - 
- var msg175 = msg("00007:67", part280); - - var part281 = match("MESSAGE#174:00007:68/0", "nwparser.payload", "NSRP b%{p0}"); - - var part282 = match("MESSAGE#174:00007:68/1_0", "nwparser.p0", "lack %{p0}"); - - var part283 = match("MESSAGE#174:00007:68/1_1", "nwparser.p0", "ack %{p0}"); - - var select61 = linear_select([ - part282, - part283, - ]); - - var part284 = match("MESSAGE#174:00007:68/2", "nwparser.p0", "hole prevention %{disposition}. Master(s) of Virtual Security Device groups %{p0}"); - - var part285 = match("MESSAGE#174:00007:68/3_0", "nwparser.p0", "may not exist %{p0}"); - - var part286 = match("MESSAGE#174:00007:68/3_1", "nwparser.p0", "always exists %{p0}"); - - var select62 = linear_select([ - part285, - part286, - ]); - - var all56 = all_match({ - processors: [ - part281, - select61, - part284, - select62, - dup116, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg176 = msg("00007:68", all56); - - var part287 = match("MESSAGE#175:00007:69", "nwparser.payload", "NSRP Run Time Object synchronization between devices was %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg177 = msg("00007:69", part287); - - var part288 = match("MESSAGE#176:00007:70", "nwparser.payload", "The NSRP encryption key was changed.%{}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg178 = msg("00007:70", part288); - - var part289 = match("MESSAGE#177:00007:71", "nwparser.payload", "NSRP transparent Active-Active mode was %{disposition}.", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg179 = msg("00007:71", part289); - - var part290 = match("MESSAGE#178:00007:72", "nwparser.payload", "NSRP: nsrp link probe enable on %{interface}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg180 = msg("00007:72", part290); - - var select63 = linear_select([ - msg109, - msg110, - msg111, - msg112, - msg113, - 
msg114, - msg115, - msg116, - msg117, - msg118, - msg119, - msg120, - msg121, - msg122, - msg123, - msg124, - msg125, - msg126, - msg127, - msg128, - msg129, - msg130, - msg131, - msg132, - msg133, - msg134, - msg135, - msg136, - msg137, - msg138, - msg139, - msg140, - msg141, - msg142, - msg143, - msg144, - msg145, - msg146, - msg147, - msg148, - msg149, - msg150, - msg151, - msg152, - msg153, - msg154, - msg155, - msg156, - msg157, - msg158, - msg159, - msg160, - msg161, - msg162, - msg163, - msg164, - msg165, - msg166, - msg167, - msg168, - msg169, - msg170, - msg171, - msg172, - msg173, - msg174, - msg175, - msg176, - msg177, - msg178, - msg179, - msg180, - ]); - - var part291 = match("MESSAGE#179:00008", "nwparser.payload", "%{signame->} has been detected! From %{saddr}:%{sport->} to %{daddr}:%{dport->} using protocol %{protocol->} on interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([ - dup58, - dup2, - dup3, - dup4, - dup59, - dup5, - dup61, - ])); - - var msg181 = msg("00008", part291); - - var msg182 = msg("00008:01", dup341); - - var part292 = match("MESSAGE#181:00008:02", "nwparser.payload", "NTP settings have been changed%{}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg183 = msg("00008:02", part292); - - var part293 = match("MESSAGE#182:00008:03", "nwparser.payload", "The system clock has been updated through NTP%{}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg184 = msg("00008:03", part293); - - var part294 = match("MESSAGE#183:00008:04/0", "nwparser.payload", "System clock %{p0}"); - - var part295 = match("MESSAGE#183:00008:04/1_0", "nwparser.p0", "configurations have been%{p0}"); - - var part296 = match("MESSAGE#183:00008:04/1_1", "nwparser.p0", "was%{p0}"); - - var part297 = match("MESSAGE#183:00008:04/1_2", "nwparser.p0", "is%{p0}"); - - var select64 = linear_select([ - part295, - part296, - part297, - ]); - - var part298 = 
match("MESSAGE#183:00008:04/2", "nwparser.p0", "%{}changed%{p0}"); - - var part299 = match("MESSAGE#183:00008:04/3_0", "nwparser.p0", " by admin %{administrator}"); - - var part300 = match("MESSAGE#183:00008:04/3_1", "nwparser.p0", " by %{username->} (%{fld1})"); - - var part301 = match("MESSAGE#183:00008:04/3_2", "nwparser.p0", " by %{username}"); - - var part302 = match("MESSAGE#183:00008:04/3_3", "nwparser.p0", " manually.%{}"); - - var part303 = match("MESSAGE#183:00008:04/3_4", "nwparser.p0", " manually%{}"); - - var select65 = linear_select([ - part299, - part300, - part301, - part302, - part303, - dup21, - ]); - - var all57 = all_match({ - processors: [ - part294, - select64, - part298, - select65, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - dup9, - ]), - }); - - var msg185 = msg("00008:04", all57); - - var part304 = match("MESSAGE#184:00008:05", "nwparser.payload", "failed to get clock through NTP%{}", processor_chain([ - dup117, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg186 = msg("00008:05", part304); - - var part305 = match("MESSAGE#185:00008:06", "nwparser.payload", "%{signame->} has been detected! From %{saddr}:%{sport->} to %{daddr}:%{dport}, using protocol %{protocol}, and arriving at interface %{dinterface->} in zone %{dst_zone}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([ - dup58, - dup2, - dup3, - dup4, - dup5, - dup59, - dup61, - ])); - - var msg187 = msg("00008:06", part305); - - var part306 = match("MESSAGE#186:00008:07", "nwparser.payload", "%{signame->} has been detected! 
From %{saddr->} to %{daddr}, using protocol %{protocol}, and arriving at interface %{dinterface->} in zone %{dst_zone}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([ - dup58, - dup2, - dup3, - dup4, - dup5, - dup59, - dup60, - ])); - - var msg188 = msg("00008:07", part306); - - var part307 = match("MESSAGE#187:00008:08", "nwparser.payload", "%{signame->} From %{saddr->} to %{daddr}, using protocol %{protocol}, on zone %{zone->} interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times.", processor_chain([ - dup58, - dup2, - dup3, - dup4, - dup5, - dup59, - dup60, - ])); - - var msg189 = msg("00008:08", part307); - - var part308 = match("MESSAGE#188:00008:09", "nwparser.payload", "system clock is changed manually%{}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg190 = msg("00008:09", part308); - - var part309 = match("MESSAGE#189:00008:10/0", "nwparser.payload", "%{signame->} From %{saddr->} to %{daddr}, proto %{protocol}(zone %{p0}"); - - var all58 = all_match({ - processors: [ - part309, - dup338, - dup67, - ], - on_success: processor_chain([ - dup58, - dup2, - dup59, - dup3, - dup4, - dup5, - dup9, - dup60, - ]), - }); - - var msg191 = msg("00008:10", all58); - - var select66 = linear_select([ - msg181, - msg182, - msg183, - msg184, - msg185, - msg186, - msg187, - msg188, - msg189, - msg190, - msg191, - ]); - - var part310 = match("MESSAGE#190:00009", "nwparser.payload", "802.1Q VLAN trunking for the interface %{interface->} has been %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg192 = msg("00009", part310); - - var part311 = match("MESSAGE#191:00009:01", "nwparser.payload", "802.1Q VLAN tag %{fld1->} has been %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg193 = msg("00009:01", part311); - - var part312 = match("MESSAGE#192:00009:02", "nwparser.payload", "DHCP on the interface %{interface->} has 
been %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg194 = msg("00009:02", part312); - - var part313 = match("MESSAGE#193:00009:03", "nwparser.payload", "%{change_attribute->} for interface %{interface->} has been changed from %{change_old->} to %{change_new}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg195 = msg("00009:03", part313); - - var part314 = match("MESSAGE#194:00009:05", "nwparser.payload", "%{signame->} has been detected! From %{saddr}:%{sport->} to %{daddr}:%{dport->} using protocol %{protocol->} on interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([ - dup58, - dup2, - dup3, - dup59, - dup4, - dup5, - dup61, - ])); - - var msg196 = msg("00009:05", part314); - - var part315 = match("MESSAGE#195:00009:06/0_0", "nwparser.payload", "%{fld2}: The 802.1Q tag %{p0}"); - - var part316 = match("MESSAGE#195:00009:06/0_1", "nwparser.payload", "The 802.1Q tag %{p0}"); - - var select67 = linear_select([ - part315, - part316, - ]); - - var select68 = linear_select([ - dup119, - dup16, - ]); - - var part317 = match("MESSAGE#195:00009:06/3", "nwparser.p0", "interface %{interface->} has been %{p0}"); - - var part318 = match("MESSAGE#195:00009:06/4_1", "nwparser.p0", "changed to %{p0}"); - - var select69 = linear_select([ - dup120, - part318, - ]); - - var part319 = match("MESSAGE#195:00009:06/6_0", "nwparser.p0", "%{info->} from host %{saddr}"); - - var part320 = match_copy("MESSAGE#195:00009:06/6_1", "nwparser.p0", "info"); - - var select70 = linear_select([ - part319, - part320, - ]); - - var all59 = all_match({ - processors: [ - select67, - dup118, - select68, - part317, - select69, - dup23, - select70, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg197 = msg("00009:06", all59); - - var part321 = match("MESSAGE#196:00009:07/0", "nwparser.payload", "Maximum bandwidth %{fld2->} on %{p0}"); - - 
var part322 = match("MESSAGE#196:00009:07/2", "nwparser.p0", "%{} %{interface->} is less than t%{p0}"); - - var part323 = match("MESSAGE#196:00009:07/3_0", "nwparser.p0", "he total %{p0}"); - - var part324 = match("MESSAGE#196:00009:07/3_1", "nwparser.p0", "otal %{p0}"); - - var select71 = linear_select([ - part323, - part324, - ]); - - var part325 = match("MESSAGE#196:00009:07/4", "nwparser.p0", "guaranteed bandwidth %{fld3}"); - - var all60 = all_match({ - processors: [ - part321, - dup337, - part322, - select71, - part325, - ], - on_success: processor_chain([ - dup121, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg198 = msg("00009:07", all60); - - var part326 = match("MESSAGE#197:00009:09", "nwparser.payload", "The configured bandwidth setting on the interface %{interface->} has been changed to %{fld2}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg199 = msg("00009:09", part326); - - var part327 = match("MESSAGE#198:00009:10/0", "nwparser.payload", "The operational mode for the interface %{interface->} has been changed to %{p0}"); - - var part328 = match("MESSAGE#198:00009:10/1_0", "nwparser.p0", "Route%{}"); - - var part329 = match("MESSAGE#198:00009:10/1_1", "nwparser.p0", "NAT%{}"); - - var select72 = linear_select([ - part328, - part329, - ]); - - var all61 = all_match({ - processors: [ - part327, - select72, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg200 = msg("00009:10", all61); - - var part330 = match("MESSAGE#199:00009:11/0_0", "nwparser.payload", "%{fld1}: VLAN %{p0}"); - - var part331 = match("MESSAGE#199:00009:11/0_1", "nwparser.payload", "VLAN %{p0}"); - - var select73 = linear_select([ - part330, - part331, - ]); - - var part332 = match("MESSAGE#199:00009:11/1", "nwparser.p0", "tag %{fld2->} has been %{disposition}"); - - var all62 = all_match({ - processors: [ - select73, - part332, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - 
dup5, - ]), - }); - - var msg201 = msg("00009:11", all62); - - var part333 = match("MESSAGE#200:00009:12", "nwparser.payload", "DHCP client has been %{disposition->} on interface %{interface}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg202 = msg("00009:12", part333); - - var part334 = match("MESSAGE#201:00009:13", "nwparser.payload", "DHCP relay agent settings on %{interface->} have been %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg203 = msg("00009:13", part334); - - var part335 = match("MESSAGE#202:00009:14/0_0", "nwparser.payload", "Global-PRO has been %{p0}"); - - var part336 = match("MESSAGE#202:00009:14/0_1", "nwparser.payload", "Global PRO has been %{p0}"); - - var part337 = match("MESSAGE#202:00009:14/0_2", "nwparser.payload", "DNS proxy was %{p0}"); - - var select74 = linear_select([ - part335, - part336, - part337, - ]); - - var part338 = match("MESSAGE#202:00009:14/1", "nwparser.p0", "%{disposition->} on %{p0}"); - - var select75 = linear_select([ - dup122, - dup123, - ]); - - var part339 = match("MESSAGE#202:00009:14/4_0", "nwparser.p0", "%{interface->} (%{fld2})"); - - var select76 = linear_select([ - part339, - dup124, - ]); - - var all63 = all_match({ - processors: [ - select74, - part338, - select75, - dup23, - select76, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg204 = msg("00009:14", all63); - - var part340 = match("MESSAGE#203:00009:15/0", "nwparser.payload", "Route between secondary IP%{p0}"); - - var part341 = match("MESSAGE#203:00009:15/1_0", "nwparser.p0", " addresses %{p0}"); - - var select77 = linear_select([ - part341, - dup125, - ]); - - var all64 = all_match({ - processors: [ - part340, - select77, - dup126, - dup350, - dup128, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg205 = msg("00009:15", all64); - - var part342 = 
match("MESSAGE#204:00009:16/0", "nwparser.payload", "Secondary IP address %{hostip}/%{mask->} %{p0}"); - - var part343 = match("MESSAGE#204:00009:16/3_2", "nwparser.p0", "deleted from %{p0}"); - - var select78 = linear_select([ - dup129, - dup130, - part343, - ]); - - var part344 = match("MESSAGE#204:00009:16/4", "nwparser.p0", "interface %{interface}."); - - var all65 = all_match({ - processors: [ - part342, - dup350, - dup23, - select78, - part344, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg206 = msg("00009:16", all65); - - var part345 = match("MESSAGE#205:00009:17/0", "nwparser.payload", "Secondary IP address %{p0}"); - - var part346 = match("MESSAGE#205:00009:17/1_0", "nwparser.p0", "%{hostip}/%{mask->} was added to interface %{p0}"); - - var part347 = match("MESSAGE#205:00009:17/1_1", "nwparser.p0", "%{hostip->} was added to interface %{p0}"); - - var select79 = linear_select([ - part346, - part347, - ]); - - var part348 = match("MESSAGE#205:00009:17/2", "nwparser.p0", "%{interface}."); - - var all66 = all_match({ - processors: [ - part345, - select79, - part348, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg207 = msg("00009:17", all66); - - var part349 = match("MESSAGE#206:00009:18", "nwparser.payload", "The configured bandwidth on the interface %{interface->} has been changed to %{fld2}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg208 = msg("00009:18", part349); - - var part350 = match("MESSAGE#207:00009:19", "nwparser.payload", "interface %{interface->} with IP %{hostip->} %{fld2->} has been %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg209 = msg("00009:19", part350); - - var part351 = match("MESSAGE#208:00009:27", "nwparser.payload", "interface %{interface->} has been %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg210 = 
msg("00009:27", part351); - - var part352 = match("MESSAGE#209:00009:20/0_0", "nwparser.payload", "%{fld2}: %{service->} has been %{p0}"); - - var part353 = match("MESSAGE#209:00009:20/0_1", "nwparser.payload", "%{service->} has been %{p0}"); - - var select80 = linear_select([ - part352, - part353, - ]); - - var part354 = match("MESSAGE#209:00009:20/1", "nwparser.p0", "%{disposition->} on interface %{interface->} %{p0}"); - - var part355 = match("MESSAGE#209:00009:20/2_0", "nwparser.p0", "by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport}"); - - var part356 = match("MESSAGE#209:00009:20/2_1", "nwparser.p0", "by %{username->} via %{logon_type->} from host %{saddr}:%{sport}"); - - var part357 = match("MESSAGE#209:00009:20/2_2", "nwparser.p0", "by %{username->} via %{logon_type->} from host %{saddr}"); - - var part358 = match("MESSAGE#209:00009:20/2_3", "nwparser.p0", "from host %{saddr->} (%{fld1})"); - - var select81 = linear_select([ - part355, - part356, - part357, - part358, - ]); - - var all67 = all_match({ - processors: [ - select80, - part354, - select81, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg211 = msg("00009:20", all67); - - var part359 = match("MESSAGE#210:00009:21/0", "nwparser.payload", "Source Route IP option! 
From %{saddr->} to %{daddr}, proto %{protocol->} (zone %{zone->} %{p0}"); - - var all68 = all_match({ - processors: [ - part359, - dup343, - dup131, - ], - on_success: processor_chain([ - dup58, - dup2, - dup59, - dup3, - dup4, - dup5, - dup9, - dup60, - ]), - }); - - var msg212 = msg("00009:21", all68); - - var part360 = match("MESSAGE#211:00009:22", "nwparser.payload", "MTU for interface %{interface->} has been changed to %{fld2->} (%{fld1})", processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg213 = msg("00009:22", part360); - - var part361 = match("MESSAGE#212:00009:23", "nwparser.payload", "Secondary IP address %{hostip->} has been added to interface %{interface->} (%{fld1})", processor_chain([ - dup44, - dup2, - dup9, - dup3, - dup4, - dup5, - ])); - - var msg214 = msg("00009:23", part361); - - var part362 = match("MESSAGE#213:00009:24/0", "nwparser.payload", "Web has been enabled on interface %{interface->} by admin %{administrator->} via %{p0}"); - - var part363 = match("MESSAGE#213:00009:24/1_0", "nwparser.p0", "%{logon_type->} %{space}(%{p0}"); - - var part364 = match("MESSAGE#213:00009:24/1_1", "nwparser.p0", "%{logon_type}. (%{p0}"); - - var select82 = linear_select([ - part363, - part364, - ]); - - var part365 = match("MESSAGE#213:00009:24/2", "nwparser.p0", ")%{fld1}"); - - var all69 = all_match({ - processors: [ - part362, - select82, - part365, - ], - on_success: processor_chain([ - dup1, - dup2, - dup9, - dup3, - dup4, - dup5, - ]), - }); - - var msg215 = msg("00009:24", all69); - - var part366 = match("MESSAGE#214:00009:25", "nwparser.payload", "Web has been enabled on interface %{interface->} by %{username->} via %{logon_type}. 
(%{fld1})", processor_chain([ - dup1, - dup2, - dup9, - dup3, - dup4, - dup5, - ])); - - var msg216 = msg("00009:25", part366); - - var part367 = match("MESSAGE#215:00009:26/0", "nwparser.payload", "%{protocol->} has been %{disposition->} on interface %{interface->} by %{username->} via NSRP Peer . %{p0}"); - - var all70 = all_match({ - processors: [ - part367, - dup333, - ], - on_success: processor_chain([ - dup1, - dup2, - dup9, - dup3, - dup4, - dup5, - ]), - }); - - var msg217 = msg("00009:26", all70); - - var select83 = linear_select([ - msg192, - msg193, - msg194, - msg195, - msg196, - msg197, - msg198, - msg199, - msg200, - msg201, - msg202, - msg203, - msg204, - msg205, - msg206, - msg207, - msg208, - msg209, - msg210, - msg211, - msg212, - msg213, - msg214, - msg215, - msg216, - msg217, - ]); - - var part368 = match("MESSAGE#216:00010/0", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to %{daddr}:%{dport->} %{p0}"); - - var part369 = match("MESSAGE#216:00010/1_0", "nwparser.p0", "using protocol %{p0}"); - - var part370 = match("MESSAGE#216:00010/1_1", "nwparser.p0", "proto %{p0}"); - - var select84 = linear_select([ - part369, - part370, - ]); - - var part371 = match("MESSAGE#216:00010/2", "nwparser.p0", "%{protocol->} %{p0}"); - - var part372 = match("MESSAGE#216:00010/3_0", "nwparser.p0", "( zone %{zone}, int %{interface}) %{p0}"); - - var part373 = match("MESSAGE#216:00010/3_1", "nwparser.p0", "zone %{zone->} int %{interface}) %{p0}"); - - var select85 = linear_select([ - part372, - part373, - dup126, - ]); - - var part374 = match("MESSAGE#216:00010/4", "nwparser.p0", ".%{space}The attack occurred %{dclass_counter1->} times%{p0}"); - - var all71 = all_match({ - processors: [ - part368, - select84, - part371, - select85, - part374, - dup351, - ], - on_success: processor_chain([ - dup58, - dup2, - dup4, - dup59, - dup5, - dup9, - dup3, - dup61, - ]), - }); - - var msg218 = msg("00010", all71); - - var part375 = match("MESSAGE#217:00010:01", 
"nwparser.payload", "MIP %{hostip}/%{fld2->} has been %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg219 = msg("00010:01", part375); - - var part376 = match("MESSAGE#218:00010:02", "nwparser.payload", "Mapped IP %{hostip->} %{fld2->} has been %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg220 = msg("00010:02", part376); - - var all72 = all_match({ - processors: [ - dup132, - dup343, - dup83, - ], - on_success: processor_chain([ - dup58, - dup2, - dup59, - dup4, - dup5, - dup9, - dup3, - dup60, - ]), - }); - - var msg221 = msg("00010:03", all72); - - var select86 = linear_select([ - msg218, - msg219, - msg220, - msg221, - ]); - - var part377 = match("MESSAGE#220:00011", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to %{daddr}:%{dport->} using protocol %{protocol->} on interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([ - dup58, - dup2, - dup3, - dup59, - dup4, - dup5, - dup61, - ])); - - var msg222 = msg("00011", part377); - - var part378 = match("MESSAGE#221:00011:01/0", "nwparser.payload", "Route to %{daddr}/%{fld2->} [ %{p0}"); - - var select87 = linear_select([ - dup57, - dup56, - ]); - - var part379 = match("MESSAGE#221:00011:01/2", "nwparser.p0", "%{} %{interface->} gateway %{fld3->} ] has been %{disposition}"); - - var all73 = all_match({ - processors: [ - part378, - select87, - part379, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg223 = msg("00011:01", all73); - - var part380 = match("MESSAGE#222:00011:02", "nwparser.payload", "%{signame->} from %{saddr->} to %{daddr->} protocol %{protocol->} (%{fld2})", processor_chain([ - dup58, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg224 = msg("00011:02", part380); - - var part381 = match("MESSAGE#223:00011:03/0", "nwparser.payload", "An %{p0}"); - - var part382 = match("MESSAGE#223:00011:03/1_0", 
"nwparser.p0", "import %{p0}"); - - var part383 = match("MESSAGE#223:00011:03/1_1", "nwparser.p0", "export %{p0}"); - - var select88 = linear_select([ - part382, - part383, - ]); - - var part384 = match("MESSAGE#223:00011:03/2", "nwparser.p0", "rule in virtual router %{node->} to virtual router %{fld4->} with %{p0}"); - - var part385 = match("MESSAGE#223:00011:03/3_0", "nwparser.p0", "route-map %{fld3->} and protocol %{protocol->} has been %{p0}"); - - var part386 = match("MESSAGE#223:00011:03/3_1", "nwparser.p0", "IP-prefix %{hostip}/%{interface->} has been %{p0}"); - - var select89 = linear_select([ - part385, - part386, - ]); - - var all74 = all_match({ - processors: [ - part381, - select88, - part384, - select89, - dup36, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg225 = msg("00011:03", all74); - - var part387 = match("MESSAGE#224:00011:04/0", "nwparser.payload", "A route in virtual router %{node->} that has IP address %{hostip}/%{fld2->} through %{p0}"); - - var part388 = match("MESSAGE#224:00011:04/2", "nwparser.p0", "%{interface->} and gateway %{fld3->} with metric %{fld4->} has been %{disposition}"); - - var all75 = all_match({ - processors: [ - part387, - dup352, - part388, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg226 = msg("00011:04", all75); - - var part389 = match("MESSAGE#225:00011:05/1_0", "nwparser.p0", "sharable virtual router using name%{p0}"); - - var part390 = match("MESSAGE#225:00011:05/1_1", "nwparser.p0", "virtual router with name%{p0}"); - - var select90 = linear_select([ - part389, - part390, - ]); - - var part391 = match("MESSAGE#225:00011:05/2", "nwparser.p0", "%{} %{node->} and id %{fld2->} has been %{disposition}"); - - var all76 = all_match({ - processors: [ - dup79, - select90, - part391, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg227 = msg("00011:05", all76); - - 
var part392 = match("MESSAGE#226:00011:07", "nwparser.payload", "%{signame->} From %{saddr->} to %{daddr->} using protocol %{protocol->} on interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([ - dup58, - dup2, - dup4, - dup5, - dup59, - dup3, - dup60, - ])); - - var msg228 = msg("00011:07", part392); - - var part393 = match("MESSAGE#227:00011:08", "nwparser.payload", "Route(s) in virtual router %{node->} with an IP address %{hostip->} and gateway %{fld2->} has been %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg229 = msg("00011:08", part393); - - var part394 = match("MESSAGE#228:00011:09", "nwparser.payload", "The auto-route-export feature in virtual router %{node->} has been %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg230 = msg("00011:09", part394); - - var part395 = match("MESSAGE#229:00011:10", "nwparser.payload", "The maximum number of routes that can be created in virtual router %{node->} is %{fld2}", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg231 = msg("00011:10", part395); - - var part396 = match("MESSAGE#230:00011:11", "nwparser.payload", "The maximum routes limit in virtual router %{node->} has been %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg232 = msg("00011:11", part396); - - var part397 = match("MESSAGE#231:00011:12", "nwparser.payload", "The router-id of virtual router %{node->} used by OSPF BGP routing instances id has been uninitialized", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg233 = msg("00011:12", part397); - - var part398 = match("MESSAGE#232:00011:13", "nwparser.payload", "The router-id that can be used by OSPF BGP routing instances in virtual router %{node->} has been set to %{fld2}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg234 = msg("00011:13", part398); 
- - var part399 = match("MESSAGE#233:00011:14/0", "nwparser.payload", "The routing preference for protocol %{protocol->} in virtual router %{node->} has been %{p0}"); - - var part400 = match("MESSAGE#233:00011:14/1_1", "nwparser.p0", "reset%{}"); - - var select91 = linear_select([ - dup134, - part400, - ]); - - var all77 = all_match({ - processors: [ - part399, - select91, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg235 = msg("00011:14", all77); - - var part401 = match("MESSAGE#234:00011:15", "nwparser.payload", "The system default-route in virtual router %{node->} has been %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg236 = msg("00011:15", part401); - - var part402 = match("MESSAGE#235:00011:16", "nwparser.payload", "The system default-route through virtual router %{node->} has been added in virtual router %{fld2}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg237 = msg("00011:16", part402); - - var part403 = match("MESSAGE#236:00011:17/0", "nwparser.payload", "The virtual router %{node->} has been made %{p0}"); - - var part404 = match("MESSAGE#236:00011:17/1_0", "nwparser.p0", "sharable%{}"); - - var part405 = match("MESSAGE#236:00011:17/1_1", "nwparser.p0", "unsharable%{}"); - - var part406 = match("MESSAGE#236:00011:17/1_2", "nwparser.p0", "default virtual router for virtual system %{fld2}"); - - var select92 = linear_select([ - part404, - part405, - part406, - ]); - - var all78 = all_match({ - processors: [ - part403, - select92, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg238 = msg("00011:17", all78); - - var part407 = match("MESSAGE#237:00011:18/0_0", "nwparser.payload", "Source route(s) %{p0}"); - - var part408 = match("MESSAGE#237:00011:18/0_1", "nwparser.payload", "A source route %{p0}"); - - var select93 = linear_select([ - part407, - part408, - ]); - - var part409 = 
match("MESSAGE#237:00011:18/1", "nwparser.p0", "in virtual router %{node->} %{p0}"); - - var part410 = match("MESSAGE#237:00011:18/2_0", "nwparser.p0", "with route addresses of %{p0}"); - - var part411 = match("MESSAGE#237:00011:18/2_1", "nwparser.p0", "that has IP address %{p0}"); - - var select94 = linear_select([ - part410, - part411, - ]); - - var part412 = match("MESSAGE#237:00011:18/3", "nwparser.p0", "%{hostip}/%{fld2->} through interface %{interface->} and %{p0}"); - - var part413 = match("MESSAGE#237:00011:18/4_0", "nwparser.p0", "a default gateway address %{p0}"); - - var select95 = linear_select([ - part413, - dup135, - ]); - - var part414 = match("MESSAGE#237:00011:18/5", "nwparser.p0", "%{fld3->} with metric %{fld4->} %{p0}"); - - var all79 = all_match({ - processors: [ - select93, - part409, - select94, - part412, - select95, - part414, - dup350, - dup128, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg239 = msg("00011:18", all79); - - var part415 = match("MESSAGE#238:00011:19/0", "nwparser.payload", "Source Route(s) in virtual router %{node->} with %{p0}"); - - var part416 = match("MESSAGE#238:00011:19/1_0", "nwparser.p0", "route addresses of %{p0}"); - - var part417 = match("MESSAGE#238:00011:19/1_1", "nwparser.p0", "an IP address %{p0}"); - - var select96 = linear_select([ - part416, - part417, - ]); - - var part418 = match("MESSAGE#238:00011:19/2", "nwparser.p0", "%{hostip}/%{fld3->} and %{p0}"); - - var part419 = match("MESSAGE#238:00011:19/3_0", "nwparser.p0", "a default gateway address of %{p0}"); - - var select97 = linear_select([ - part419, - dup135, - ]); - - var part420 = match("MESSAGE#238:00011:19/4", "nwparser.p0", "%{fld4->} %{p0}"); - - var part421 = match("MESSAGE#238:00011:19/5_1", "nwparser.p0", "has been%{p0}"); - - var select98 = linear_select([ - dup107, - part421, - ]); - - var all80 = all_match({ - processors: [ - part415, - select96, - part418, - select97, - part420, - 
select98, - dup136, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg240 = msg("00011:19", all80); - - var part422 = match("MESSAGE#239:00011:20/0_0", "nwparser.payload", "%{fld2}: A %{p0}"); - - var select99 = linear_select([ - part422, - dup79, - ]); - - var part423 = match("MESSAGE#239:00011:20/1", "nwparser.p0", "route has been created in virtual router \"%{node}\"%{space}with an IP address %{hostip->} and next-hop as virtual router \"%{fld3}\""); - - var all81 = all_match({ - processors: [ - select99, - part423, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg241 = msg("00011:20", all81); - - var part424 = match("MESSAGE#240:00011:21", "nwparser.payload", "SIBR route(s) in virtual router %{node->} for interface %{interface->} with an IP address %{hostip->} and gateway %{fld2->} has been %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg242 = msg("00011:21", part424); - - var part425 = match("MESSAGE#241:00011:22", "nwparser.payload", "SIBR route in virtual router %{node->} for interface %{interface->} that has IP address %{hostip->} through interface %{fld3->} and gateway %{fld4->} with metric %{fld5->} was %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg243 = msg("00011:22", part425); - - var all82 = all_match({ - processors: [ - dup132, - dup343, - dup131, - ], - on_success: processor_chain([ - dup58, - dup2, - dup59, - dup9, - dup3, - dup4, - dup5, - call({ - dest: "nwparser.inout", - fn: DIRCHK, - args: [ - field("$IN"), - field("saddr"), - field("daddr"), - ], - }), - ]), - }); - - var msg244 = msg("00011:23", all82); - - var part426 = match("MESSAGE#243:00011:24", "nwparser.payload", "Route in virtual router \"%{node}\" that has IP address %{hostip->} through interface %{interface->} and gateway %{fld2->} with metric %{fld3->} %{disposition}. 
(%{fld1})", processor_chain([ - dup44, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg245 = msg("00011:24", part426); - - var part427 = match("MESSAGE#244:00011:25", "nwparser.payload", "Route(s) in virtual router \"%{node}\" with an IP address %{hostip}/%{fld2->} and gateway %{fld3->} %{disposition}. (%{fld1})", processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg246 = msg("00011:25", part427); - - var part428 = match("MESSAGE#245:00011:26", "nwparser.payload", "Route in virtual router \"%{node}\" with IP address %{hostip}/%{fld2->} and next-hop as virtual router \"%{fld3}\" created. (%{fld1})", processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg247 = msg("00011:26", part428); - - var select100 = linear_select([ - msg222, - msg223, - msg224, - msg225, - msg226, - msg227, - msg228, - msg229, - msg230, - msg231, - msg232, - msg233, - msg234, - msg235, - msg236, - msg237, - msg238, - msg239, - msg240, - msg241, - msg242, - msg243, - msg244, - msg245, - msg246, - msg247, - ]); - - var part429 = match("MESSAGE#246:00012:02", "nwparser.payload", "Service group %{group->} comments have been %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg248 = msg("00012:02", part429); - - var part430 = match("MESSAGE#247:00012:03", "nwparser.payload", "Service group %{change_old->} %{change_attribute->} has been changed to %{change_new}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg249 = msg("00012:03", part430); - - var part431 = match("MESSAGE#248:00012:04", "nwparser.payload", "%{fld2->} Service group %{group->} has %{disposition->} member %{username->} from host %{saddr}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg250 = msg("00012:04", part431); - - var part432 = match("MESSAGE#249:00012:05", "nwparser.payload", "%{signame->} from %{saddr}/%{sport->} to %{daddr}/%{dport->} protocol %{protocol->} 
(%{fld2}) (%{fld3})", processor_chain([ - dup58, - dup2, - dup3, - dup4, - dup5, - dup61, - ])); - - var msg251 = msg("00012:05", part432); - - var part433 = match("MESSAGE#250:00012:06", "nwparser.payload", "%{signame->} has been detected! From %{saddr}:%{sport->} to %{daddr}:%{dport->} using protocol %{protocol->} on interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([ - dup58, - dup2, - dup3, - dup4, - dup5, - dup59, - dup61, - ])); - - var msg252 = msg("00012:06", part433); - - var part434 = match("MESSAGE#251:00012:07", "nwparser.payload", "%{signame->} has been detected! From %{saddr}:%{sport->} to %{daddr}:%{dport}, using protocol %{protocol}, and arriving at interface %{dinterface->} in zone %{dst_zone}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([ - dup58, - dup2, - dup3, - dup4, - dup5, - dup61, - dup59, - ])); - - var msg253 = msg("00012:07", part434); - - var part435 = match("MESSAGE#252:00012:08", "nwparser.payload", "%{fld2}: Service %{service->} has been %{disposition->} from host %{saddr->} (%{fld1})", processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg254 = msg("00012:08", part435); - - var all83 = all_match({ - processors: [ - dup80, - dup343, - dup83, - ], - on_success: processor_chain([ - dup58, - dup2, - dup59, - dup9, - dup3, - dup4, - dup5, - dup61, - ]), - }); - - var msg255 = msg("00012:09", all83); - - var all84 = all_match({ - processors: [ - dup132, - dup343, - dup83, - ], - on_success: processor_chain([ - dup58, - dup2, - dup9, - dup59, - dup3, - dup4, - dup5, - dup60, - ]), - }); - - var msg256 = msg("00012:10", all84); - - var part436 = match("MESSAGE#255:00012:11", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to %{daddr}:%{dport}, using protocol %{protocol}, on zone %{zone->} interface %{interface}.The attack occurred %{dclass_counter1->} times. 
(%{fld1})", processor_chain([ - dup58, - dup2, - dup3, - dup4, - dup59, - dup5, - dup9, - dup61, - ])); - - var msg257 = msg("00012:11", part436); - - var part437 = match("MESSAGE#256:00012:12", "nwparser.payload", "%{signame->} from %{saddr}/%{sport->} to %{daddr}/%{dport->} protocol %{protocol->} (%{zone}) %{info->} (%{fld1})", processor_chain([ - dup58, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg258 = msg("00012:12", part437); - - var part438 = match("MESSAGE#257:00012", "nwparser.payload", "Service group %{group->} has been %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg259 = msg("00012", part438); - - var part439 = match("MESSAGE#258:00012:01", "nwparser.payload", "Service %{service->} has been %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg260 = msg("00012:01", part439); - - var select101 = linear_select([ - msg248, - msg249, - msg250, - msg251, - msg252, - msg253, - msg254, - msg255, - msg256, - msg257, - msg258, - msg259, - msg260, - ]); - - var part440 = match("MESSAGE#259:00013", "nwparser.payload", "Global Manager error in decoding bytes has been detected%{}", processor_chain([ - dup86, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg261 = msg("00013", part440); - - var part441 = match("MESSAGE#260:00013:01", "nwparser.payload", "Intruder has attempted to connect to the NetScreen-Global Manager port! 
From %{saddr}:%{sport->} to %{daddr}:%{dport->} using protocol %{protocol->} at interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([ - dup58, - dup2, - dup3, - dup59, - dup4, - dup5, - dup61, - setc("signame","An Attempt to connect to NetScreen-Global Manager Port."), - ])); - - var msg262 = msg("00013:01", part441); - - var part442 = match("MESSAGE#261:00013:02", "nwparser.payload", "URL Filtering %{fld2->} has been changed to %{fld3}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg263 = msg("00013:02", part442); - - var part443 = match("MESSAGE#262:00013:03", "nwparser.payload", "Web Filtering has been %{disposition->} (%{fld1})", processor_chain([ - dup50, - dup43, - dup51, - dup2, - dup4, - dup5, - dup9, - ])); - - var msg264 = msg("00013:03", part443); - - var select102 = linear_select([ - msg261, - msg262, - msg263, - msg264, - ]); - - var part444 = match("MESSAGE#263:00014", "nwparser.payload", "%{change_attribute->} in minutes has changed from %{change_old->} to %{change_new}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg265 = msg("00014", part444); - - var part445 = match("MESSAGE#264:00014:01/0", "nwparser.payload", "The group member %{username->} has been %{disposition->} %{p0}"); - - var part446 = match("MESSAGE#264:00014:01/1_0", "nwparser.p0", "to a group%{}"); - - var part447 = match("MESSAGE#264:00014:01/1_1", "nwparser.p0", "from a group%{}"); - - var select103 = linear_select([ - part446, - part447, - ]); - - var all85 = all_match({ - processors: [ - part445, - select103, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg266 = msg("00014:01", all85); - - var part448 = match("MESSAGE#265:00014:02", "nwparser.payload", "The user group %{group->} has been %{disposition->} by %{username}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg267 = msg("00014:02", part448); - 
- var part449 = match("MESSAGE#266:00014:03", "nwparser.payload", "The user %{username->} has been %{disposition->} by %{administrator}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg268 = msg("00014:03", part449); - - var part450 = match("MESSAGE#267:00014:04", "nwparser.payload", "Communication error with %{hostname->} server { %{hostip->} }: SrvErr (%{fld2}), SockErr (%{fld3}), Valid (%{fld4}),Connected (%{fld5})", processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg269 = msg("00014:04", part450); - - var part451 = match("MESSAGE#268:00014:05", "nwparser.payload", "System clock configurations have been %{disposition->} by admin %{administrator}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg270 = msg("00014:05", part451); - - var part452 = match("MESSAGE#269:00014:06", "nwparser.payload", "System clock is %{disposition->} manually.", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg271 = msg("00014:06", part452); - - var part453 = match("MESSAGE#270:00014:07", "nwparser.payload", "System up time is %{disposition->} by %{fld2}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg272 = msg("00014:07", part453); - - var part454 = match("MESSAGE#271:00014:08", "nwparser.payload", "Communication error with %{hostname->} server[%{hostip}]: SrvErr(%{fld2}),SockErr(%{fld3}),Valid(%{fld4}),Connected(%{fld5}) (%{fld1})", processor_chain([ - dup27, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg273 = msg("00014:08", part454); - - var select104 = linear_select([ - msg265, - msg266, - msg267, - msg268, - msg269, - msg270, - msg271, - msg272, - msg273, - ]); - - var part455 = match("MESSAGE#272:00015", "nwparser.payload", "Authentication type has been changed to %{authmethod}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg274 = msg("00015", part455); - - var part456 = match("MESSAGE#273:00015:01", 
"nwparser.payload", "IP tracking to %{daddr->} has %{disposition}", processor_chain([ - dup86, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg275 = msg("00015:01", part456); - - var part457 = match("MESSAGE#274:00015:02/0", "nwparser.payload", "LDAP %{p0}"); - - var part458 = match("MESSAGE#274:00015:02/1_0", "nwparser.p0", "server name %{p0}"); - - var part459 = match("MESSAGE#274:00015:02/1_2", "nwparser.p0", "distinguished name %{p0}"); - - var part460 = match("MESSAGE#274:00015:02/1_3", "nwparser.p0", "common name %{p0}"); - - var select105 = linear_select([ - part458, - dup137, - part459, - part460, - ]); - - var all86 = all_match({ - processors: [ - part457, - select105, - dup138, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg276 = msg("00015:02", all86); - - var part461 = match("MESSAGE#275:00015:03", "nwparser.payload", "Primary HA link has gone down. Local NetScreen device has begun using the secondary HA link%{}", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg277 = msg("00015:03", part461); - - var part462 = match("MESSAGE#276:00015:04/0", "nwparser.payload", "RADIUS server %{p0}"); - - var part463 = match("MESSAGE#276:00015:04/1_2", "nwparser.p0", "secret %{p0}"); - - var select106 = linear_select([ - dup139, - dup140, - part463, - ]); - - var all87 = all_match({ - processors: [ - part462, - select106, - dup138, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg278 = msg("00015:04", all87); - - var part464 = match("MESSAGE#277:00015:05/0", "nwparser.payload", "SecurID %{p0}"); - - var part465 = match("MESSAGE#277:00015:05/1_0", "nwparser.p0", "authentication port %{p0}"); - - var part466 = match("MESSAGE#277:00015:05/1_1", "nwparser.p0", "duress mode %{p0}"); - - var part467 = match("MESSAGE#277:00015:05/1_3", "nwparser.p0", "number of retries value %{p0}"); - - var select107 = linear_select([ - part465, - part466, - 
dup76, - part467, - ]); - - var all88 = all_match({ - processors: [ - part464, - select107, - dup138, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg279 = msg("00015:05", all88); - - var part468 = match("MESSAGE#278:00015:06/0_0", "nwparser.payload", "Master %{p0}"); - - var part469 = match("MESSAGE#278:00015:06/0_1", "nwparser.payload", "Backup %{p0}"); - - var select108 = linear_select([ - part468, - part469, - ]); - - var part470 = match("MESSAGE#278:00015:06/1", "nwparser.p0", "SecurID server IP address has been %{disposition}"); - - var all89 = all_match({ - processors: [ - select108, - part470, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg280 = msg("00015:06", all89); - - var part471 = match("MESSAGE#279:00015:07", "nwparser.payload", "HA change from slave to master%{}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg281 = msg("00015:07", part471); - - var part472 = match("MESSAGE#280:00015:08", "nwparser.payload", "inconsistent configuration between master and slave%{}", processor_chain([ - dup141, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg282 = msg("00015:08", part472); - - var part473 = match("MESSAGE#281:00015:09/0_0", "nwparser.payload", "configuration %{p0}"); - - var part474 = match("MESSAGE#281:00015:09/0_1", "nwparser.payload", "Configuration %{p0}"); - - var select109 = linear_select([ - part473, - part474, - ]); - - var part475 = match("MESSAGE#281:00015:09/1", "nwparser.p0", "out of sync between local unit and remote unit%{}"); - - var all90 = all_match({ - processors: [ - select109, - part475, - ], - on_success: processor_chain([ - dup141, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg283 = msg("00015:09", all90); - - var part476 = match("MESSAGE#282:00015:10", "nwparser.payload", "HA control channel change to %{interface}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - 
var msg284 = msg("00015:10", part476); - - var part477 = match("MESSAGE#283:00015:11", "nwparser.payload", "HA data channel change to %{interface}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg285 = msg("00015:11", part477); - - var part478 = match("MESSAGE#284:00015:12/1_0", "nwparser.p0", "control %{p0}"); - - var part479 = match("MESSAGE#284:00015:12/1_1", "nwparser.p0", "data %{p0}"); - - var select110 = linear_select([ - part478, - part479, - ]); - - var part480 = match("MESSAGE#284:00015:12/2", "nwparser.p0", "channel moved from link %{p0}"); - - var part481 = match("MESSAGE#284:00015:12/6", "nwparser.p0", "(%{interface})"); - - var all91 = all_match({ - processors: [ - dup87, - select110, - part480, - dup353, - dup103, - dup353, - part481, - ], - on_success: processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg286 = msg("00015:12", all91); - - var part482 = match("MESSAGE#285:00015:13", "nwparser.payload", "HA: Slave is down%{}", processor_chain([ - dup144, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg287 = msg("00015:13", part482); - - var part483 = match("MESSAGE#286:00015:14/0", "nwparser.payload", "NSRP link %{p0}"); - - var all92 = all_match({ - processors: [ - part483, - dup353, - dup116, - ], - on_success: processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg288 = msg("00015:14", all92); - - var part484 = match("MESSAGE#287:00015:15", "nwparser.payload", "no HA %{fld2->} channel available (%{fld3->} used by other channel)", processor_chain([ - dup117, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg289 = msg("00015:15", part484); - - var part485 = match("MESSAGE#288:00015:16", "nwparser.payload", "The NSRP configuration is out of synchronization between the local device and the peer device.%{}", processor_chain([ - dup18, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg290 = msg("00015:16", part485); - - var part486 = match("MESSAGE#289:00015:17", 
"nwparser.payload", "NSRP %{change_attribute->} %{change_old->} changed to link channel %{change_new}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg291 = msg("00015:17", part486); - - var part487 = match("MESSAGE#290:00015:18", "nwparser.payload", "RTO mirror group %{group->} with direction %{direction->} on peer device %{fld2->} changed from %{fld3->} to %{fld4->} state.", processor_chain([ - dup121, - dup2, - dup3, - dup4, - dup5, - setc("change_attribute","RTO mirror group"), - ])); - - var msg292 = msg("00015:18", part487); - - var part488 = match("MESSAGE#291:00015:19", "nwparser.payload", "RTO mirror group %{group->} with direction %{direction->} on local device %{fld2}, detected a duplicate direction on the peer device %{fld3}", processor_chain([ - dup18, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg293 = msg("00015:19", part488); - - var part489 = match("MESSAGE#292:00015:20", "nwparser.payload", "RTO mirror group %{group->} with direction %{direction->} changed on the local device from %{fld2->} to up state, it had peer device %{fld3}", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg294 = msg("00015:20", part489); - - var part490 = match("MESSAGE#293:00015:21/0", "nwparser.payload", "Peer device %{fld2->} %{p0}"); - - var part491 = match("MESSAGE#293:00015:21/1_0", "nwparser.p0", "disappeared %{p0}"); - - var part492 = match("MESSAGE#293:00015:21/1_1", "nwparser.p0", "was discovered %{p0}"); - - var select111 = linear_select([ - part491, - part492, - ]); - - var all93 = all_match({ - processors: [ - part490, - select111, - dup116, - ], - on_success: processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg295 = msg("00015:21", all93); - - var part493 = match("MESSAGE#294:00015:22/0_0", "nwparser.payload", "The local %{p0}"); - - var part494 = match("MESSAGE#294:00015:22/0_1", "nwparser.payload", "The peer %{p0}"); - - var part495 = match("MESSAGE#294:00015:22/0_2", 
"nwparser.payload", "Peer %{p0}"); - - var select112 = linear_select([ - part493, - part494, - part495, - ]); - - var part496 = match("MESSAGE#294:00015:22/1", "nwparser.p0", "device %{fld2->} in the Virtual Security Device group %{group->} changed %{change_attribute->} from %{change_old->} to %{change_new->} %{p0}"); - - var all94 = all_match({ - processors: [ - select112, - part496, - dup354, - ], - on_success: processor_chain([ - dup44, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg296 = msg("00015:22", all94); - - var part497 = match("MESSAGE#295:00015:23", "nwparser.payload", "WebAuth is set to %{fld2}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg297 = msg("00015:23", part497); - - var part498 = match("MESSAGE#296:00015:24", "nwparser.payload", "Default firewall authentication server has been changed to %{hostname}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg298 = msg("00015:24", part498); - - var part499 = match("MESSAGE#297:00015:25", "nwparser.payload", "Admin user %{administrator->} attempted to verify the encrypted password %{fld2}. Verification was successful", processor_chain([ - setc("eventcategory","1613050100"), - dup2, - dup3, - dup4, - dup5, - ])); - - var msg299 = msg("00015:25", part499); - - var part500 = match("MESSAGE#298:00015:29", "nwparser.payload", "Admin user %{administrator->} attempted to verify the encrypted password %{fld2}. 
Verification failed", processor_chain([ - dup97, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg300 = msg("00015:29", part500); - - var part501 = match("MESSAGE#299:00015:26/0", "nwparser.payload", "unit %{fld2->} just dis%{p0}"); - - var part502 = match("MESSAGE#299:00015:26/1_0", "nwparser.p0", "appeared%{}"); - - var part503 = match("MESSAGE#299:00015:26/1_1", "nwparser.p0", "covered%{}"); - - var select113 = linear_select([ - part502, - part503, - ]); - - var all95 = all_match({ - processors: [ - part501, - select113, - ], - on_success: processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg301 = msg("00015:26", all95); - - var part504 = match("MESSAGE#300:00015:33", "nwparser.payload", "NSRP: HA data channel change to %{interface}. (%{fld2})", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - dup146, - ])); - - var msg302 = msg("00015:33", part504); - - var part505 = match("MESSAGE#301:00015:27", "nwparser.payload", "NSRP: %{fld2}", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg303 = msg("00015:27", part505); - - var part506 = match("MESSAGE#302:00015:28", "nwparser.payload", "Auth server %{hostname->} RADIUS retry timeout has been set to default of %{fld2}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg304 = msg("00015:28", part506); - - var part507 = match("MESSAGE#303:00015:30/0", "nwparser.payload", "Number of RADIUS retries for auth server %{hostname->} %{p0}"); - - var part508 = match("MESSAGE#303:00015:30/2", "nwparser.p0", "set to %{fld2->} (%{fld1})"); - - var all96 = all_match({ - processors: [ - part507, - dup355, - part508, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg305 = msg("00015:30", all96); - - var part509 = match("MESSAGE#304:00015:31", "nwparser.payload", "Forced timeout for Auth server %{hostname->} is unset to its default value, %{info->} (%{fld1})", processor_chain([ - 
dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg306 = msg("00015:31", part509); - - var part510 = match("MESSAGE#305:00015:32", "nwparser.payload", "Accounting port of server RADIUS is set to %{network_port}. (%{fld1})", processor_chain([ - dup50, - dup43, - dup51, - dup2, - dup4, - dup5, - dup9, - ])); - - var msg307 = msg("00015:32", part510); - - var select114 = linear_select([ - msg274, - msg275, - msg276, - msg277, - msg278, - msg279, - msg280, - msg281, - msg282, - msg283, - msg284, - msg285, - msg286, - msg287, - msg288, - msg289, - msg290, - msg291, - msg292, - msg293, - msg294, - msg295, - msg296, - msg297, - msg298, - msg299, - msg300, - msg301, - msg302, - msg303, - msg304, - msg305, - msg306, - msg307, - ]); - - var part511 = match("MESSAGE#306:00016", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to %{daddr->} using protocol %{protocol->} on interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([ - dup147, - dup148, - dup149, - dup150, - dup2, - dup3, - dup59, - dup4, - dup5, - dup61, - ])); - - var msg308 = msg("00016", part511); - - var part512 = match("MESSAGE#307:00016:01", "nwparser.payload", "Address VIP (%{fld2}) for %{fld3->} has been %{disposition}.", processor_chain([ - dup1, - dup148, - dup149, - dup150, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg309 = msg("00016:01", part512); - - var part513 = match("MESSAGE#308:00016:02", "nwparser.payload", "VIP (%{fld2}) has been %{disposition}", processor_chain([ - dup1, - dup148, - dup149, - dup150, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg310 = msg("00016:02", part513); - - var part514 = match("MESSAGE#309:00016:03", "nwparser.payload", "%{signame->} from %{saddr}/%{sport->} to %{daddr}/%{dport->} protocol %{protocol->} (%{fld2})", processor_chain([ - dup147, - dup148, - dup149, - dup150, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg311 = msg("00016:03", part514); - - var part515 = 
match("MESSAGE#310:00016:05", "nwparser.payload", "VIP multi-port was %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg312 = msg("00016:05", part515); - - var part516 = match("MESSAGE#311:00016:06", "nwparser.payload", "%{signame->} has been detected! From %{saddr}:%{sport->} to %{daddr}:%{dport}, using protocol %{protocol}, and arriving at interface %{dinterface->} in zone %{dst_zone}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([ - dup147, - dup148, - dup149, - dup150, - dup2, - dup3, - dup59, - dup4, - dup5, - dup61, - ])); - - var msg313 = msg("00016:06", part516); - - var part517 = match("MESSAGE#312:00016:07/0", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to %{daddr}:%{dport}, proto %{protocol->} ( zone %{p0}"); - - var all97 = all_match({ - processors: [ - part517, - dup338, - dup67, - ], - on_success: processor_chain([ - dup147, - dup148, - dup149, - dup150, - dup2, - dup9, - dup59, - dup3, - dup4, - dup5, - dup61, - ]), - }); - - var msg314 = msg("00016:07", all97); - - var part518 = match("MESSAGE#313:00016:08", "nwparser.payload", "VIP (%{fld2}:%{fld3->} HTTP %{fld4}) Modify by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport->} (%{fld1})", processor_chain([ - setc("eventcategory","1001020305"), - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg315 = msg("00016:08", part518); - - var part519 = match("MESSAGE#314:00016:09", "nwparser.payload", "VIP (%{fld2}:%{fld3->} HTTP %{fld4}) New by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport->} (%{fld1})", processor_chain([ - setc("eventcategory","1001030305"), - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg316 = msg("00016:09", part519); - - var select115 = linear_select([ - msg308, - msg309, - msg310, - msg311, - msg312, - msg313, - msg314, - msg315, - msg316, - ]); - - var part520 = match("MESSAGE#315:00017", "nwparser.payload", "%{signame->} From 
%{saddr}:%{sport->} using protocol %{protocol->} on interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([ - dup151, - dup2, - dup3, - dup59, - dup4, - dup5, - ])); - - var msg317 = msg("00017", part520); - - var part521 = match("MESSAGE#316:00017:23/0", "nwparser.payload", "Gateway %{fld2->} at %{fld3->} in %{fld5->} mode with ID %{p0}"); - - var part522 = match("MESSAGE#316:00017:23/1_0", "nwparser.p0", "[%{fld4}] %{p0}"); - - var part523 = match("MESSAGE#316:00017:23/1_1", "nwparser.p0", "%{fld4->} %{p0}"); - - var select116 = linear_select([ - part522, - part523, - ]); - - var part524 = match("MESSAGE#316:00017:23/2", "nwparser.p0", "has been %{disposition->} by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport->} %{fld}"); - - var all98 = all_match({ - processors: [ - part521, - select116, - part524, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg318 = msg("00017:23", all98); - - var part525 = match("MESSAGE#317:00017:01/0_0", "nwparser.payload", "%{fld1}: Gateway %{p0}"); - - var part526 = match("MESSAGE#317:00017:01/0_1", "nwparser.payload", "Gateway %{p0}"); - - var select117 = linear_select([ - part525, - part526, - ]); - - var part527 = match("MESSAGE#317:00017:01/1", "nwparser.p0", "%{fld2->} at %{fld3->} in %{fld5->} mode with ID%{p0}"); - - var part528 = match("MESSAGE#317:00017:01/3", "nwparser.p0", "%{fld4->} has been %{disposition}"); - - var all99 = all_match({ - processors: [ - select117, - part527, - dup356, - part528, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg319 = msg("00017:01", all99); - - var part529 = match("MESSAGE#318:00017:02", "nwparser.payload", "IKE %{hostip}: Gateway settings have been %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg320 = msg("00017:02", part529); - - var part530 = match("MESSAGE#319:00017:03", 
"nwparser.payload", "IKE key %{fld2->} has been %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg321 = msg("00017:03", part530); - - var part531 = match("MESSAGE#320:00017:04/2", "nwparser.p0", "%{group_object->} with range %{fld2->} has been %{disposition}"); - - var all100 = all_match({ - processors: [ - dup153, - dup357, - part531, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg322 = msg("00017:04", all100); - - var part532 = match("MESSAGE#321:00017:05", "nwparser.payload", "IPSec NAT-T for VPN %{group->} has been %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg323 = msg("00017:05", part532); - - var part533 = match("MESSAGE#322:00017:06/0", "nwparser.payload", "The DF-BIT for VPN %{group->} has been set to %{p0}"); - - var part534 = match("MESSAGE#322:00017:06/1_0", "nwparser.p0", "clear %{p0}"); - - var part535 = match("MESSAGE#322:00017:06/1_2", "nwparser.p0", "copy %{p0}"); - - var select118 = linear_select([ - part534, - dup101, - part535, - ]); - - var all101 = all_match({ - processors: [ - part533, - select118, - dup116, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg324 = msg("00017:06", all101); - - var part536 = match("MESSAGE#323:00017:07/0", "nwparser.payload", "The DF-BIT for VPN %{group->} has been %{p0}"); - - var part537 = match("MESSAGE#323:00017:07/1_0", "nwparser.p0", "clear%{}"); - - var part538 = match("MESSAGE#323:00017:07/1_1", "nwparser.p0", "cleared%{}"); - - var part539 = match("MESSAGE#323:00017:07/1_3", "nwparser.p0", "copy%{}"); - - var part540 = match("MESSAGE#323:00017:07/1_4", "nwparser.p0", "copied%{}"); - - var select119 = linear_select([ - part537, - part538, - dup98, - part539, - part540, - ]); - - var all102 = all_match({ - processors: [ - part536, - select119, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - 
dup5, - ]), - }); - - var msg325 = msg("00017:07", all102); - - var part541 = match("MESSAGE#324:00017:08", "nwparser.payload", "VPN %{group->} with gateway %{fld2->} and SPI %{fld3}/%{fld4->} has been %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg326 = msg("00017:08", part541); - - var part542 = match("MESSAGE#325:00017:09/0_0", "nwparser.payload", "%{fld1}: VPN %{p0}"); - - var part543 = match("MESSAGE#325:00017:09/0_1", "nwparser.payload", "VPN %{p0}"); - - var select120 = linear_select([ - part542, - part543, - ]); - - var part544 = match("MESSAGE#325:00017:09/1", "nwparser.p0", "%{group->} with gateway %{fld2->} %{p0}"); - - var part545 = match("MESSAGE#325:00017:09/2_0", "nwparser.p0", "no-rekey %{p0}"); - - var part546 = match("MESSAGE#325:00017:09/2_1", "nwparser.p0", "rekey, %{p0}"); - - var part547 = match("MESSAGE#325:00017:09/2_2", "nwparser.p0", "rekey %{p0}"); - - var select121 = linear_select([ - part545, - part546, - part547, - ]); - - var part548 = match("MESSAGE#325:00017:09/3", "nwparser.p0", "and p2-proposal %{fld3->} has been %{p0}"); - - var part549 = match("MESSAGE#325:00017:09/4_0", "nwparser.p0", "%{disposition->} from peer unit"); - - var part550 = match("MESSAGE#325:00017:09/4_1", "nwparser.p0", "%{disposition->} from host %{saddr}"); - - var select122 = linear_select([ - part549, - part550, - dup36, - ]); - - var all103 = all_match({ - processors: [ - select120, - part544, - select121, - part548, - select122, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg327 = msg("00017:09", all103); - - var part551 = match("MESSAGE#326:00017:10/0", "nwparser.payload", "VPN monitoring for VPN %{group->} has been %{disposition}. 
Src IF %{sinterface->} dst IP %{daddr->} with rekeying %{p0}"); - - var all104 = all_match({ - processors: [ - part551, - dup358, - dup116, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg328 = msg("00017:10", all104); - - var part552 = match("MESSAGE#327:00017:11", "nwparser.payload", "VPN monitoring for VPN %{group->} has been %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg329 = msg("00017:11", part552); - - var part553 = match("MESSAGE#328:00017:12/0", "nwparser.payload", "VPN monitoring %{p0}"); - - var part554 = match("MESSAGE#328:00017:12/1_2", "nwparser.p0", "frequency %{p0}"); - - var select123 = linear_select([ - dup109, - dup110, - part554, - ]); - - var all105 = all_match({ - processors: [ - part553, - select123, - dup127, - dup359, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg330 = msg("00017:12", all105); - - var part555 = match("MESSAGE#329:00017:26", "nwparser.payload", "VPN %{group->} with gateway %{fld2->} and P2 proposal %{fld3->} has been added by %{username->} via %{logon_type->} from host %{saddr}:%{sport}. (%{fld1})", processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg331 = msg("00017:26", part555); - - var part556 = match("MESSAGE#330:00017:13", "nwparser.payload", "No IP pool has been assigned. You cannot allocate an IP address.%{}", processor_chain([ - dup18, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg332 = msg("00017:13", part556); - - var part557 = match("MESSAGE#331:00017:14", "nwparser.payload", "P1 proposal %{fld2->} with %{protocol_detail}, DH group %{group}, ESP %{encryption_type}, auth %{authmethod}, and lifetime %{fld3->} has been %{disposition->} by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport}. 
(%{fld1})", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup9, - dup5, - ])); - - var msg333 = msg("00017:14", part557); - - var part558 = match("MESSAGE#332:00017:15/0", "nwparser.payload", "P2 proposal %{fld2->} with DH group %{group->} %{p0}"); - - var part559 = match("MESSAGE#332:00017:15/2", "nwparser.p0", "%{encryption_type->} auth %{authmethod->} and lifetime (%{fld3}) (%{fld4}) has been %{disposition}."); - - var all106 = all_match({ - processors: [ - part558, - dup360, - part559, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg334 = msg("00017:15", all106); - - var part560 = match("MESSAGE#333:00017:31/0", "nwparser.payload", "P1 proposal %{fld2->} with %{protocol_detail->} DH group %{group->} %{p0}"); - - var part561 = match("MESSAGE#333:00017:31/2", "nwparser.p0", "%{encryption_type->} auth %{authmethod->} and lifetime %{fld3->} has been %{disposition}."); - - var all107 = all_match({ - processors: [ - part560, - dup360, - part561, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg335 = msg("00017:31", all107); - - var part562 = match("MESSAGE#334:00017:16/0", "nwparser.payload", "vpnmonitor interval is %{p0}"); - - var all108 = all_match({ - processors: [ - part562, - dup359, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg336 = msg("00017:16", all108); - - var part563 = match("MESSAGE#335:00017:17/0", "nwparser.payload", "vpnmonitor threshold is %{p0}"); - - var select124 = linear_select([ - dup99, - dup93, - ]); - - var all109 = all_match({ - processors: [ - part563, - select124, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg337 = msg("00017:17", all109); - - var part564 = match("MESSAGE#336:00017:18/2", "nwparser.p0", "%{group_object->} with range %{fld2->} was %{disposition}"); - - var all110 = all_match({ - processors: [ - dup153, - 
dup357, - part564, - ], - on_success: processor_chain([ - dup50, - dup43, - dup51, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg338 = msg("00017:18", all110); - - var part565 = match("MESSAGE#337:00017:19/0", "nwparser.payload", "%{signame->} From %{saddr->} to %{daddr}, using protocol %{protocol}, and arriving at %{p0}"); - - var part566 = match("MESSAGE#337:00017:19/2", "nwparser.p0", "%{} %{dinterface->} in zone %{dst_zone}.%{space}The attack occurred %{dclass_counter1->} times"); - - var all111 = all_match({ - processors: [ - part565, - dup337, - part566, - ], - on_success: processor_chain([ - dup151, - dup2, - dup3, - dup59, - dup4, - dup5, - ]), - }); - - var msg339 = msg("00017:19", all111); - - var all112 = all_match({ - processors: [ - dup64, - dup338, - dup67, - ], - on_success: processor_chain([ - dup151, - dup2, - dup9, - dup59, - dup3, - dup4, - dup5, - ]), - }); - - var msg340 = msg("00017:20", all112); - - var part567 = match("MESSAGE#339:00017:21", "nwparser.payload", "%{signame->} From %{saddr->} to %{daddr}, using protocol %{protocol}, on zone %{zone->} interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([ - dup151, - dup2, - dup3, - dup59, - dup4, - dup5, - ])); - - var msg341 = msg("00017:21", part567); - - var part568 = match("MESSAGE#340:00017:22", "nwparser.payload", "VPN %{group->} with gateway %{fld2->} and P2 proposal %{fld3->} has been %{disposition->} by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport->} (%{fld1})", processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg342 = msg("00017:22", part568); - - var part569 = match("MESSAGE#341:00017:24", "nwparser.payload", "VPN \"%{group}\" has been bound to tunnel interface %{interface}. 
(%{fld1})", processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg343 = msg("00017:24", part569); - - var part570 = match("MESSAGE#342:00017:25", "nwparser.payload", "VPN %{group->} with gateway %{fld2->} and P2 proposal standard has been added by admin %{administrator->} via NSRP Peer (%{fld1})", processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg344 = msg("00017:25", part570); - - var part571 = match("MESSAGE#343:00017:28", "nwparser.payload", "P2 proposal %{fld2->} with DH group %{group}, ESP, enc %{encryption_type}, auth %{authmethod}, and lifetime %{fld3->} has been %{disposition->} by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport}. (%{fld1})", processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg345 = msg("00017:28", part571); - - var part572 = match("MESSAGE#344:00017:29", "nwparser.payload", "L2TP \"%{fld2}\", all-L2TP-users secret \"%{fld3}\" keepalive %{fld4->} has been %{disposition->} by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport}. 
(%{fld1})", processor_chain([ - dup1, - dup2, - dup4, - dup5, - dup9, - ])); - - var msg346 = msg("00017:29", part572); - - var select125 = linear_select([ - msg317, - msg318, - msg319, - msg320, - msg321, - msg322, - msg323, - msg324, - msg325, - msg326, - msg327, - msg328, - msg329, - msg330, - msg331, - msg332, - msg333, - msg334, - msg335, - msg336, - msg337, - msg338, - msg339, - msg340, - msg341, - msg342, - msg343, - msg344, - msg345, - msg346, - ]); - - var part573 = match("MESSAGE#345:00018", "nwparser.payload", "Positions of policies %{fld2->} and %{fld3->} have been exchanged", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg347 = msg("00018", part573); - - var part574 = match("MESSAGE#346:00018:01", "nwparser.payload", "Deny Policy Alarm%{}", processor_chain([ - setc("eventcategory","1502010000"), - dup2, - dup4, - dup5, - dup3, - ])); - - var msg348 = msg("00018:01", part574); - - var part575 = match("MESSAGE#347:00018:02", "nwparser.payload", "Device%{quote}s %{change_attribute->} has been changed from %{change_old->} to %{change_new->} by admin %{administrator}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg349 = msg("00018:02", part575); - - var part576 = match("MESSAGE#348:00018:04", "nwparser.payload", "%{fld2->} Policy (%{policy_id}, %{info->} ) was %{disposition->} from host %{saddr->} by admin %{administrator->} (%{fld1})", processor_chain([ - dup17, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg350 = msg("00018:04", part576); - - var part577 = match("MESSAGE#349:00018:16", "nwparser.payload", "%{fld2->} Policy (%{policy_id}, %{info->} ) was %{disposition->} by admin %{administrator->} via NSRP Peer", processor_chain([ - dup17, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg351 = msg("00018:16", part577); - - var part578 = match("MESSAGE#350:00018:06/0", "nwparser.payload", "%{fld2->} Policy %{policy_id->} has been moved %{p0}"); - - var part579 = 
match("MESSAGE#350:00018:06/1_0", "nwparser.p0", "before %{p0}"); - - var part580 = match("MESSAGE#350:00018:06/1_1", "nwparser.p0", "after %{p0}"); - - var select126 = linear_select([ - part579, - part580, - ]); - - var part581 = match("MESSAGE#350:00018:06/2", "nwparser.p0", "%{fld3->} by admin %{administrator}"); - - var all113 = all_match({ - processors: [ - part578, - select126, - part581, - ], - on_success: processor_chain([ - dup17, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg352 = msg("00018:06", all113); - - var part582 = match("MESSAGE#351:00018:08", "nwparser.payload", "Policy %{policy_id->} application was modified to %{disposition->} by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport->} (%{fld1})", processor_chain([ - dup17, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg353 = msg("00018:08", part582); - - var part583 = match("MESSAGE#352:00018:09", "nwparser.payload", "Policy (%{policy_id}, %{info}) was %{disposition->} by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport->} (%{fld1})", processor_chain([ - dup17, - dup3, - dup2, - dup9, - dup4, - dup5, - ])); - - var msg354 = msg("00018:09", part583); - - var part584 = match("MESSAGE#353:00018:10/0", "nwparser.payload", "Policy (%{policy_id}, %{info}) was %{p0}"); - - var part585 = match("MESSAGE#353:00018:10/1_0", "nwparser.p0", "%{disposition->} from peer unit by %{p0}"); - - var part586 = match("MESSAGE#353:00018:10/1_1", "nwparser.p0", "%{disposition->} by %{p0}"); - - var select127 = linear_select([ - part585, - part586, - ]); - - var part587 = match("MESSAGE#353:00018:10/2", "nwparser.p0", "%{username->} via %{interface->} from host %{saddr->} (%{fld1})"); - - var all114 = all_match({ - processors: [ - part584, - select127, - part587, - ], - on_success: processor_chain([ - dup17, - dup3, - dup2, - dup9, - dup4, - dup5, - ]), - }); - - var msg355 = msg("00018:10", all114); - - var part588 = match("MESSAGE#354:00018:11/1_0", 
"nwparser.p0", "Service %{service->} was %{p0}"); - - var part589 = match("MESSAGE#354:00018:11/1_1", "nwparser.p0", "Attack group %{signame->} was %{p0}"); - - var select128 = linear_select([ - part588, - part589, - ]); - - var part590 = match("MESSAGE#354:00018:11/2", "nwparser.p0", "%{disposition->} to policy ID %{policy_id->} by %{username->} via %{logon_type->} from host %{saddr->} %{p0}"); - - var part591 = match("MESSAGE#354:00018:11/3_0", "nwparser.p0", "to %{daddr}:%{dport}. %{p0}"); - - var select129 = linear_select([ - part591, - dup16, - ]); - - var all115 = all_match({ - processors: [ - dup160, - select128, - part590, - select129, - dup10, - ], - on_success: processor_chain([ - dup17, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg356 = msg("00018:11", all115); - - var part592 = match("MESSAGE#355:00018:12/0", "nwparser.payload", "In policy %{policy_id}, the %{p0}"); - - var part593 = match("MESSAGE#355:00018:12/1_0", "nwparser.p0", "application %{p0}"); - - var part594 = match("MESSAGE#355:00018:12/1_1", "nwparser.p0", "attack severity %{p0}"); - - var part595 = match("MESSAGE#355:00018:12/1_2", "nwparser.p0", "DI attack component %{p0}"); - - var select130 = linear_select([ - part593, - part594, - part595, - ]); - - var part596 = match("MESSAGE#355:00018:12/2", "nwparser.p0", "was modified by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport->} (%{fld1})"); - - var all116 = all_match({ - processors: [ - part592, - select130, - part596, - ], - on_success: processor_chain([ - dup17, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg357 = msg("00018:12", all116); - - var part597 = match("MESSAGE#356:00018:32/1", "nwparser.p0", "%{}address %{dhost}(%{daddr}) was %{disposition->} %{p0}"); - - var all117 = all_match({ - processors: [ - dup361, - part597, - dup362, - dup164, - ], - on_success: processor_chain([ - dup17, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg358 = msg("00018:32", 
all117); - - var part598 = match("MESSAGE#357:00018:22/1", "nwparser.p0", "%{}address %{dhost->} was %{disposition->} %{p0}"); - - var all118 = all_match({ - processors: [ - dup361, - part598, - dup362, - dup164, - ], - on_success: processor_chain([ - dup17, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg359 = msg("00018:22", all118); - - var part599 = match("MESSAGE#358:00018:15/0", "nwparser.payload", "%{agent->} was %{disposition->} from policy %{policy_id->} %{p0}"); - - var select131 = linear_select([ - dup78, - dup77, - ]); - - var part600 = match("MESSAGE#358:00018:15/2", "nwparser.p0", "address by admin %{administrator->} via NSRP Peer"); - - var all119 = all_match({ - processors: [ - part599, - select131, - part600, - ], - on_success: processor_chain([ - dup17, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg360 = msg("00018:15", all119); - - var part601 = match("MESSAGE#359:00018:14/0", "nwparser.payload", "%{agent->} was %{disposition->} %{p0}"); - - var part602 = match("MESSAGE#359:00018:14/1_0", "nwparser.p0", "to%{p0}"); - - var part603 = match("MESSAGE#359:00018:14/1_1", "nwparser.p0", "from%{p0}"); - - var select132 = linear_select([ - part602, - part603, - ]); - - var part604 = match("MESSAGE#359:00018:14/2", "nwparser.p0", "%{}policy %{policy_id->} %{p0}"); - - var part605 = match("MESSAGE#359:00018:14/3_0", "nwparser.p0", "service %{p0}"); - - var part606 = match("MESSAGE#359:00018:14/3_1", "nwparser.p0", "source address %{p0}"); - - var part607 = match("MESSAGE#359:00018:14/3_2", "nwparser.p0", "destination address %{p0}"); - - var select133 = linear_select([ - part605, - part606, - part607, - ]); - - var part608 = match("MESSAGE#359:00018:14/4", "nwparser.p0", "by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport->} (%{fld1})"); - - var all120 = all_match({ - processors: [ - part601, - select132, - part604, - select133, - part608, - ], - on_success: processor_chain([ - dup17, - dup2, - dup3, - 
dup9, - dup4, - dup5, - ]), - }); - - var msg361 = msg("00018:14", all120); - - var part609 = match("MESSAGE#360:00018:29", "nwparser.payload", "Service %{service->} was %{disposition->} to policy ID %{policy_id->} by admin %{administrator->} via NSRP Peer . (%{fld1})", processor_chain([ - dup17, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg362 = msg("00018:29", part609); - - var part610 = match("MESSAGE#361:00018:07", "nwparser.payload", "%{agent->} was added to policy %{policy_id->} %{rule_group->} by admin %{administrator->} via NSRP Peer %{space->} (%{fld1})", processor_chain([ - dup17, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg363 = msg("00018:07", part610); - - var part611 = match("MESSAGE#362:00018:18", "nwparser.payload", "Service %{service->} was %{disposition->} to policy ID %{policy_id->} by %{username->} via %{logon_type->} to %{daddr}:%{dport->} (%{fld1})", processor_chain([ - dup17, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg364 = msg("00018:18", part611); - - var part612 = match("MESSAGE#363:00018:17", "nwparser.payload", "AntiSpam ns-profile was %{disposition->} from policy ID %{policy_id->} by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport}. 
(%{fld1})", processor_chain([ - dup17, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg365 = msg("00018:17", part612); - - var part613 = match("MESSAGE#364:00018:19", "nwparser.payload", "Source address Info %{info->} was %{disposition->} to policy ID %{policy_id->} by %{username->} via %{logon_type->} to %{daddr}:%{dport->} (%{fld1})", processor_chain([ - dup17, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg366 = msg("00018:19", part613); - - var part614 = match("MESSAGE#365:00018:23/0_0", "nwparser.payload", "Destination %{p0}"); - - var part615 = match("MESSAGE#365:00018:23/0_1", "nwparser.payload", "Source %{p0}"); - - var select134 = linear_select([ - part614, - part615, - ]); - - var part616 = match("MESSAGE#365:00018:23/1", "nwparser.p0", "address %{info->} was added to policy ID %{policy_id->} by %{username->} via %{logon_type->} %{p0}"); - - var part617 = match("MESSAGE#365:00018:23/2_0", "nwparser.p0", "from host %{p0}"); - - var select135 = linear_select([ - part617, - dup103, - ]); - - var part618 = match("MESSAGE#365:00018:23/4_0", "nwparser.p0", "%{saddr->} to %{daddr->} %{p0}"); - - var part619 = match("MESSAGE#365:00018:23/4_1", "nwparser.p0", "%{daddr->} %{p0}"); - - var select136 = linear_select([ - part618, - part619, - ]); - - var part620 = match("MESSAGE#365:00018:23/5", "nwparser.p0", "%{dport}:(%{fld1})"); - - var all121 = all_match({ - processors: [ - select134, - part616, - select135, - dup23, - select136, - part620, - ], - on_success: processor_chain([ - dup17, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg367 = msg("00018:23", all121); - - var part621 = match("MESSAGE#366:00018:21", "nwparser.payload", "Service %{service->} was deleted from policy ID %{policy_id->} by %{username->} via %{logon_type->} from host %{saddr}:%{sport}. 
(%{fld1})", processor_chain([ - dup17, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg368 = msg("00018:21", part621); - - var part622 = match("MESSAGE#367:00018:24", "nwparser.payload", "Policy (%{policyname}) was %{disposition->} by %{username->} via %{logon_type->} to %{daddr}:%{dport->} (%{fld1})", processor_chain([ - dup17, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg369 = msg("00018:24", part622); - - var part623 = match("MESSAGE#368:00018:25/1", "nwparser.p0", "%{}address %{info->} was added to policy ID %{policy_id->} by %{username->} via %{logon_type->} from host %{saddr}. (%{fld1})"); - - var all122 = all_match({ - processors: [ - dup363, - part623, - ], - on_success: processor_chain([ - dup17, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg370 = msg("00018:25", all122); - - var part624 = match("MESSAGE#369:00018:30/1", "nwparser.p0", "%{}address %{info->} was deleted from policy ID %{policy_id->} by %{username->} via %{logon_type->} from host %{saddr}. (%{fld1})"); - - var all123 = all_match({ - processors: [ - dup363, - part624, - ], - on_success: processor_chain([ - dup17, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg371 = msg("00018:30", all123); - - var part625 = match("MESSAGE#370:00018:26/0", "nwparser.payload", "In policy %{policy_id}, the application was modified to %{disposition->} by %{p0}"); - - var part626 = match("MESSAGE#370:00018:26/2_1", "nwparser.p0", "%{logon_type->} from host %{saddr}. (%{p0}"); - - var select137 = linear_select([ - dup48, - part626, - ]); - - var all124 = all_match({ - processors: [ - part625, - dup364, - select137, - dup41, - ], - on_success: processor_chain([ - dup17, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg372 = msg("00018:26", all124); - - var part627 = match("MESSAGE#371:00018:27", "nwparser.payload", "In policy %{policy_id}, the DI attack component was modified by %{username->} via %{logon_type->} from host %{saddr}:%{sport}. 
(%{fld1})", processor_chain([ - dup17, - dup2, - dup4, - dup5, - dup9, - ])); - - var msg373 = msg("00018:27", part627); - - var part628 = match("MESSAGE#372:00018:28", "nwparser.payload", "In policy %{policyname}, the DI attack component was modified by admin %{administrator->} via %{logon_type}. (%{fld1})", processor_chain([ - dup17, - dup2, - dup4, - dup5, - dup9, - setc("info","the DI attack component was modified"), - ])); - - var msg374 = msg("00018:28", part628); - - var part629 = match("MESSAGE#373:00018:03", "nwparser.payload", "Policy (%{policy_id}, %{info}) was %{disposition}", processor_chain([ - dup17, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg375 = msg("00018:03", part629); - - var part630 = match("MESSAGE#1213:00018:31", "nwparser.payload", "In policy %{policy_id}, the option %{fld2->} was %{disposition}. (%{fld1})", processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg376 = msg("00018:31", part630); - - var select138 = linear_select([ - msg347, - msg348, - msg349, - msg350, - msg351, - msg352, - msg353, - msg354, - msg355, - msg356, - msg357, - msg358, - msg359, - msg360, - msg361, - msg362, - msg363, - msg364, - msg365, - msg366, - msg367, - msg368, - msg369, - msg370, - msg371, - msg372, - msg373, - msg374, - msg375, - msg376, - ]); - - var part631 = match("MESSAGE#374:00019", "nwparser.payload", "Attempt to enable WebTrends has %{disposition->} because WebTrends settings have not yet been configured", processor_chain([ - dup18, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg377 = msg("00019", part631); - - var part632 = match("MESSAGE#375:00019:01/2", "nwparser.p0", "has %{disposition->} because syslog settings have not yet been configured"); - - var all125 = all_match({ - processors: [ - dup165, - dup365, - part632, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg378 = msg("00019:01", all125); - - var part633 = match("MESSAGE#376:00019:02/0", 
"nwparser.payload", "Socket cannot be assigned for %{p0}"); - - var part634 = match("MESSAGE#376:00019:02/1_0", "nwparser.p0", "WebTrends%{}"); - - var part635 = match("MESSAGE#376:00019:02/1_1", "nwparser.p0", "syslog%{}"); - - var select139 = linear_select([ - part634, - part635, - ]); - - var all126 = all_match({ - processors: [ - part633, - select139, - ], - on_success: processor_chain([ - dup18, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg379 = msg("00019:02", all126); - - var part636 = match("MESSAGE#377:00019:03", "nwparser.payload", "Syslog VPN encryption has been %{disposition}", processor_chain([ - dup91, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg380 = msg("00019:03", part636); - - var select140 = linear_select([ - dup169, - dup78, - ]); - - var select141 = linear_select([ - dup139, - dup170, - dup137, - dup122, - ]); - - var all127 = all_match({ - processors: [ - dup168, - select140, - dup23, - select141, - dup171, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg381 = msg("00019:04", all127); - - var part637 = match("MESSAGE#379:00019:05/0", "nwparser.payload", "Syslog message level has been changed to %{p0}"); - - var part638 = match("MESSAGE#379:00019:05/1_0", "nwparser.p0", "debug%{}"); - - var part639 = match("MESSAGE#379:00019:05/1_1", "nwparser.p0", "information%{}"); - - var part640 = match("MESSAGE#379:00019:05/1_2", "nwparser.p0", "notification%{}"); - - var part641 = match("MESSAGE#379:00019:05/1_3", "nwparser.p0", "warning%{}"); - - var part642 = match("MESSAGE#379:00019:05/1_4", "nwparser.p0", "error%{}"); - - var part643 = match("MESSAGE#379:00019:05/1_5", "nwparser.p0", "critical%{}"); - - var part644 = match("MESSAGE#379:00019:05/1_6", "nwparser.p0", "alert%{}"); - - var part645 = match("MESSAGE#379:00019:05/1_7", "nwparser.p0", "emergency%{}"); - - var select142 = linear_select([ - part638, - part639, - part640, - part641, - part642, - part643, - part644, - part645, - 
]); - - var all128 = all_match({ - processors: [ - part637, - select142, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg382 = msg("00019:05", all128); - - var part646 = match("MESSAGE#380:00019:06/2", "nwparser.p0", "has been changed to %{p0}"); - - var all129 = all_match({ - processors: [ - dup168, - dup366, - part646, - dup367, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg383 = msg("00019:06", all129); - - var part647 = match("MESSAGE#381:00019:07", "nwparser.payload", "WebTrends VPN encryption has been %{disposition}", processor_chain([ - dup91, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg384 = msg("00019:07", part647); - - var part648 = match("MESSAGE#382:00019:08", "nwparser.payload", "WebTrends has been %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg385 = msg("00019:08", part648); - - var part649 = match("MESSAGE#383:00019:09/0", "nwparser.payload", "WebTrends host %{p0}"); - - var select143 = linear_select([ - dup139, - dup170, - dup137, - ]); - - var all130 = all_match({ - processors: [ - part649, - select143, - dup171, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg386 = msg("00019:09", all130); - - var part650 = match("MESSAGE#384:00019:10/1_0", "nwparser.p0", "Traffic logging via syslog %{p0}"); - - var part651 = match("MESSAGE#384:00019:10/1_1", "nwparser.p0", "Syslog %{p0}"); - - var select144 = linear_select([ - part650, - part651, - ]); - - var all131 = all_match({ - processors: [ - dup183, - select144, - dup138, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg387 = msg("00019:10", all131); - - var part652 = match("MESSAGE#385:00019:11/2", "nwparser.p0", "has %{disposition->} because there is no syslog server defined"); - - var all132 = all_match({ - processors: [ - dup165, - dup365, - 
part652, - ], - on_success: processor_chain([ - dup18, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg388 = msg("00019:11", all132); - - var part653 = match("MESSAGE#386:00019:12", "nwparser.payload", "Removing all syslog servers%{}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg389 = msg("00019:12", part653); - - var part654 = match("MESSAGE#387:00019:13/0", "nwparser.payload", "Syslog server %{hostip->} %{p0}"); - - var select145 = linear_select([ - dup107, - dup106, - ]); - - var part655 = match("MESSAGE#387:00019:13/2", "nwparser.p0", "%{disposition}"); - - var all133 = all_match({ - processors: [ - part654, - select145, - part655, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg390 = msg("00019:13", all133); - - var part656 = match("MESSAGE#388:00019:14/2", "nwparser.p0", "for %{hostip->} has been changed to %{p0}"); - - var all134 = all_match({ - processors: [ - dup168, - dup366, - part656, - dup367, - ], - on_success: processor_chain([ - dup50, - dup43, - dup51, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg391 = msg("00019:14", all134); - - var part657 = match("MESSAGE#389:00019:15", "nwparser.payload", "Syslog cannot connect to the TCP server %{hostip}; the connection is closed.", processor_chain([ - dup27, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg392 = msg("00019:15", part657); - - var part658 = match("MESSAGE#390:00019:16", "nwparser.payload", "All syslog servers were removed.%{}", processor_chain([ - setc("eventcategory","1701030000"), - setc("ec_activity","Delete"), - dup51, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg393 = msg("00019:16", part658); - - var part659 = match("MESSAGE#391:00019:17", "nwparser.payload", "Syslog server %{hostip->} host port number has been changed to %{network_port->} %{fld5}", processor_chain([ - dup50, - dup43, - dup51, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg394 = msg("00019:17", part659); - - var 
part660 = match("MESSAGE#392:00019:18/0", "nwparser.payload", "Traffic logging %{p0}"); - - var part661 = match("MESSAGE#392:00019:18/1_0", "nwparser.p0", "via syslog %{p0}"); - - var part662 = match("MESSAGE#392:00019:18/1_1", "nwparser.p0", "for syslog server %{hostip->} %{p0}"); - - var select146 = linear_select([ - part661, - part662, - ]); - - var all135 = all_match({ - processors: [ - part660, - select146, - dup138, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg395 = msg("00019:18", all135); - - var part663 = match("MESSAGE#393:00019:19", "nwparser.payload", "Transport protocol for syslog server %{hostip->} was changed to udp", processor_chain([ - dup50, - dup43, - dup51, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg396 = msg("00019:19", part663); - - var part664 = match("MESSAGE#394:00019:20", "nwparser.payload", "The traffic/IDP syslog is enabled on backup device by netscreen via web from host %{saddr->} to %{daddr}:%{dport}. 
(%{fld1})", processor_chain([ - dup50, - dup43, - dup51, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg397 = msg("00019:20", part664); - - var select147 = linear_select([ - msg377, - msg378, - msg379, - msg380, - msg381, - msg382, - msg383, - msg384, - msg385, - msg386, - msg387, - msg388, - msg389, - msg390, - msg391, - msg392, - msg393, - msg394, - msg395, - msg396, - msg397, - ]); - - var part665 = match("MESSAGE#395:00020", "nwparser.payload", "Schedule %{fld2->} has been %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg398 = msg("00020", part665); - - var part666 = match("MESSAGE#396:00020:01/0", "nwparser.payload", "System memory is low %{p0}"); - - var part667 = match("MESSAGE#396:00020:01/1_1", "nwparser.p0", "( %{p0}"); - - var select148 = linear_select([ - dup152, - part667, - ]); - - var part668 = match("MESSAGE#396:00020:01/2", "nwparser.p0", "%{fld2->} bytes allocated out of %{p0}"); - - var part669 = match("MESSAGE#396:00020:01/3_0", "nwparser.p0", "total %{fld3->} bytes"); - - var part670 = match("MESSAGE#396:00020:01/3_1", "nwparser.p0", "%{fld4->} bytes total"); - - var select149 = linear_select([ - part669, - part670, - ]); - - var all136 = all_match({ - processors: [ - part666, - select148, - part668, - select149, - ], - on_success: processor_chain([ - dup184, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg399 = msg("00020:01", all136); - - var part671 = match("MESSAGE#397:00020:02", "nwparser.payload", "System memory is low (%{fld2->} allocated out of %{fld3->} ) %{fld4->} times in %{fld5}", processor_chain([ - dup184, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg400 = msg("00020:02", part671); - - var select150 = linear_select([ - msg398, - msg399, - msg400, - ]); - - var part672 = match("MESSAGE#398:00021", "nwparser.payload", "DIP %{fld2->} has been %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg401 = msg("00021", part672); - - var 
part673 = match("MESSAGE#399:00021:01", "nwparser.payload", "IP pool %{fld2->} with range %{info->} has been %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg402 = msg("00021:01", part673); - - var part674 = match("MESSAGE#400:00021:02", "nwparser.payload", "DNS server is not configured%{}", processor_chain([ - dup18, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg403 = msg("00021:02", part674); - - var part675 = match("MESSAGE#401:00021:03", "nwparser.payload", "Connection refused by the DNS server%{}", processor_chain([ - dup185, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg404 = msg("00021:03", part675); - - var part676 = match("MESSAGE#402:00021:04", "nwparser.payload", "Unknown DNS error%{}", processor_chain([ - dup117, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg405 = msg("00021:04", part676); - - var part677 = match("MESSAGE#403:00021:05", "nwparser.payload", "DIP port-translatation stickiness was %{disposition->} by %{username->} via %{logon_type->} from host %{saddr->} (%{fld1})", processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg406 = msg("00021:05", part677); - - var part678 = match("MESSAGE#404:00021:06", "nwparser.payload", "DIP port-translation stickiness was %{disposition->} by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport->} (%{fld1})", processor_chain([ - dup1, - dup2, - dup4, - dup5, - dup9, - setc("info","DIP port-translation stickiness was modified"), - ])); - - var msg407 = msg("00021:06", part678); - - var select151 = linear_select([ - msg401, - msg402, - msg403, - msg404, - msg405, - msg406, - msg407, - ]); - - var part679 = match("MESSAGE#405:00022/1_0", "nwparser.p0", "power supplies %{p0}"); - - var part680 = match("MESSAGE#405:00022/1_1", "nwparser.p0", "fans %{p0}"); - - var select152 = linear_select([ - part679, - part680, - ]); - - var part681 = match("MESSAGE#405:00022/2", "nwparser.p0", "are %{fld2->} functioning 
properly"); - - var all137 = all_match({ - processors: [ - dup186, - select152, - part681, - ], - on_success: processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg408 = msg("00022", all137); - - var part682 = match("MESSAGE#406:00022:01/0_0", "nwparser.payload", "At least one power supply %{p0}"); - - var part683 = match("MESSAGE#406:00022:01/0_1", "nwparser.payload", "The power supply %{fld2->} %{p0}"); - - var part684 = match("MESSAGE#406:00022:01/0_2", "nwparser.payload", "At least one fan %{p0}"); - - var select153 = linear_select([ - part682, - part683, - part684, - ]); - - var part685 = match("MESSAGE#406:00022:01/1", "nwparser.p0", "is not functioning properly%{p0}"); - - var all138 = all_match({ - processors: [ - select153, - part685, - dup368, - ], - on_success: processor_chain([ - dup187, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg409 = msg("00022:01", all138); - - var part686 = match("MESSAGE#407:00022:02", "nwparser.payload", "Global Manager VPN management tunnel has been %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg410 = msg("00022:02", part686); - - var part687 = match("MESSAGE#408:00022:03", "nwparser.payload", "Global Manager domain name has been defined as %{domain}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg411 = msg("00022:03", part687); - - var part688 = match("MESSAGE#409:00022:04/0", "nwparser.payload", "Reporting of the %{p0}"); - - var part689 = match("MESSAGE#409:00022:04/1_0", "nwparser.p0", "network activities %{p0}"); - - var part690 = match("MESSAGE#409:00022:04/1_1", "nwparser.p0", "device resources %{p0}"); - - var part691 = match("MESSAGE#409:00022:04/1_2", "nwparser.p0", "event logs %{p0}"); - - var part692 = match("MESSAGE#409:00022:04/1_3", "nwparser.p0", "summary logs %{p0}"); - - var select154 = linear_select([ - part689, - part690, - part691, - part692, - ]); - - var part693 = 
match("MESSAGE#409:00022:04/2", "nwparser.p0", "to Global Manager has been %{disposition}"); - - var all139 = all_match({ - processors: [ - part688, - select154, - part693, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg412 = msg("00022:04", all139); - - var part694 = match("MESSAGE#410:00022:05", "nwparser.payload", "Global Manager has been %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg413 = msg("00022:05", part694); - - var part695 = match("MESSAGE#411:00022:06/0", "nwparser.payload", "Global Manager %{p0}"); - - var part696 = match("MESSAGE#411:00022:06/1_0", "nwparser.p0", "report %{p0}"); - - var part697 = match("MESSAGE#411:00022:06/1_1", "nwparser.p0", "listen %{p0}"); - - var select155 = linear_select([ - part696, - part697, - ]); - - var part698 = match("MESSAGE#411:00022:06/2", "nwparser.p0", "port has been set to %{interface}"); - - var all140 = all_match({ - processors: [ - part695, - select155, - part698, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg414 = msg("00022:06", all140); - - var part699 = match("MESSAGE#412:00022:07", "nwparser.payload", "The Global Manager keep-alive value has been changed to %{fld2}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg415 = msg("00022:07", part699); - - var part700 = match("MESSAGE#413:00022:08/0_0", "nwparser.payload", "System temperature %{p0}"); - - var part701 = match("MESSAGE#413:00022:08/0_1", "nwparser.payload", "System's temperature: %{p0}"); - - var part702 = match("MESSAGE#413:00022:08/0_2", "nwparser.payload", "The system temperature %{p0}"); - - var select156 = linear_select([ - part700, - part701, - part702, - ]); - - var part703 = match("MESSAGE#413:00022:08/1", "nwparser.p0", "(%{fld2->} C%{p0}"); - - var part704 = match("MESSAGE#413:00022:08/2_0", "nwparser.p0", "entigrade, %{p0}"); - - var select157 = 
linear_select([ - part704, - dup96, - ]); - - var part705 = match("MESSAGE#413:00022:08/3", "nwparser.p0", "%{fld3->} F%{p0}"); - - var part706 = match("MESSAGE#413:00022:08/4_0", "nwparser.p0", "ahrenheit %{p0}"); - - var select158 = linear_select([ - part706, - dup96, - ]); - - var part707 = match("MESSAGE#413:00022:08/5", "nwparser.p0", ") is too high%{}"); - - var all141 = all_match({ - processors: [ - select156, - part703, - select157, - part705, - select158, - part707, - ], - on_success: processor_chain([ - dup188, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg416 = msg("00022:08", all141); - - var part708 = match("MESSAGE#414:00022:09/2", "nwparser.p0", "power supply is no%{p0}"); - - var select159 = linear_select([ - dup191, - dup192, - ]); - - var part709 = match("MESSAGE#414:00022:09/4", "nwparser.p0", "functioning properly%{}"); - - var all142 = all_match({ - processors: [ - dup55, - dup369, - part708, - select159, - part709, - ], - on_success: processor_chain([ - dup188, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg417 = msg("00022:09", all142); - - var part710 = match("MESSAGE#415:00022:10/0", "nwparser.payload", "The NetScreen device was unable to upgrade the file system%{p0}"); - - var part711 = match("MESSAGE#415:00022:10/1_0", "nwparser.p0", " due to an internal conflict%{}"); - - var part712 = match("MESSAGE#415:00022:10/1_1", "nwparser.p0", ", but the old file system is intact%{}"); - - var select160 = linear_select([ - part711, - part712, - ]); - - var all143 = all_match({ - processors: [ - part710, - select160, - ], - on_success: processor_chain([ - dup18, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg418 = msg("00022:10", all143); - - var part713 = match("MESSAGE#416:00022:11/0", "nwparser.payload", "The NetScreen device was unable to upgrade %{p0}"); - - var part714 = match("MESSAGE#416:00022:11/1_0", "nwparser.p0", "due to an internal conflict%{}"); - - var part715 = match("MESSAGE#416:00022:11/1_1", 
"nwparser.p0", "the loader, but the loader is intact%{}"); - - var select161 = linear_select([ - part714, - part715, - ]); - - var all144 = all_match({ - processors: [ - part713, - select161, - ], - on_success: processor_chain([ - dup18, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg419 = msg("00022:11", all144); - - var part716 = match("MESSAGE#417:00022:12/0", "nwparser.payload", "Battery is no%{p0}"); - - var select162 = linear_select([ - dup192, - dup191, - ]); - - var part717 = match("MESSAGE#417:00022:12/2", "nwparser.p0", "functioning properly.%{}"); - - var all145 = all_match({ - processors: [ - part716, - select162, - part717, - ], - on_success: processor_chain([ - dup188, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg420 = msg("00022:12", all145); - - var part718 = match("MESSAGE#418:00022:13", "nwparser.payload", "System's temperature (%{fld2->} Centigrade, %{fld3->} Fahrenheit) is OK now.", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg421 = msg("00022:13", part718); - - var part719 = match("MESSAGE#419:00022:14", "nwparser.payload", "The power supply %{fld2->} is functioning properly. 
(%{fld1})", processor_chain([ - dup44, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg422 = msg("00022:14", part719); - - var select163 = linear_select([ - msg408, - msg409, - msg410, - msg411, - msg412, - msg413, - msg414, - msg415, - msg416, - msg417, - msg418, - msg419, - msg420, - msg421, - msg422, - ]); - - var part720 = match("MESSAGE#420:00023", "nwparser.payload", "VIP server %{hostip->} is not responding", processor_chain([ - dup187, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg423 = msg("00023", part720); - - var part721 = match("MESSAGE#421:00023:01", "nwparser.payload", "VIP/load balance server %{hostip->} cannot be contacted", processor_chain([ - dup187, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg424 = msg("00023:01", part721); - - var part722 = match("MESSAGE#422:00023:02", "nwparser.payload", "VIP server %{hostip->} cannot be contacted", processor_chain([ - dup187, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg425 = msg("00023:02", part722); - - var select164 = linear_select([ - msg423, - msg424, - msg425, - ]); - - var part723 = match("MESSAGE#423:00024/0_0", "nwparser.payload", "The DHCP %{p0}"); - - var part724 = match("MESSAGE#423:00024/0_1", "nwparser.payload", " DHCP %{p0}"); - - var select165 = linear_select([ - part723, - part724, - ]); - - var part725 = match("MESSAGE#423:00024/2_0", "nwparser.p0", "IP address pool has %{p0}"); - - var part726 = match("MESSAGE#423:00024/2_1", "nwparser.p0", "options have been %{p0}"); - - var select166 = linear_select([ - part725, - part726, - ]); - - var all146 = all_match({ - processors: [ - select165, - dup193, - select166, - dup52, - dup368, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg426 = msg("00024", all146); - - var part727 = match("MESSAGE#424:00024:01/0_0", "nwparser.payload", "Traffic log %{p0}"); - - var part728 = match("MESSAGE#424:00024:01/0_1", "nwparser.payload", "Alarm log %{p0}"); - - var part729 = 
match("MESSAGE#424:00024:01/0_2", "nwparser.payload", "Event log %{p0}"); - - var part730 = match("MESSAGE#424:00024:01/0_3", "nwparser.payload", "Self log %{p0}"); - - var part731 = match("MESSAGE#424:00024:01/0_4", "nwparser.payload", "Asset Recovery log %{p0}"); - - var select167 = linear_select([ - part727, - part728, - part729, - part730, - part731, - ]); - - var part732 = match("MESSAGE#424:00024:01/1", "nwparser.p0", "has overflowed%{}"); - - var all147 = all_match({ - processors: [ - select167, - part732, - ], - on_success: processor_chain([ - dup117, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg427 = msg("00024:01", all147); - - var part733 = match("MESSAGE#425:00024:02/0", "nwparser.payload", "DHCP relay agent settings on %{fld2->} %{p0}"); - - var part734 = match("MESSAGE#425:00024:02/1_0", "nwparser.p0", "are %{p0}"); - - var part735 = match("MESSAGE#425:00024:02/1_1", "nwparser.p0", "have been %{p0}"); - - var select168 = linear_select([ - part734, - part735, - ]); - - var part736 = match("MESSAGE#425:00024:02/2", "nwparser.p0", "%{disposition->} (%{fld1})"); - - var all148 = all_match({ - processors: [ - part733, - select168, - part736, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg428 = msg("00024:02", all148); - - var part737 = match("MESSAGE#426:00024:03/0", "nwparser.payload", "DHCP server IP address pool %{p0}"); - - var select169 = linear_select([ - dup194, - dup106, - ]); - - var part738 = match("MESSAGE#426:00024:03/2", "nwparser.p0", "changed. 
(%{fld1})"); - - var all149 = all_match({ - processors: [ - part737, - select169, - part738, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg429 = msg("00024:03", all149); - - var select170 = linear_select([ - msg426, - msg427, - msg428, - msg429, - ]); - - var part739 = match("MESSAGE#427:00025", "nwparser.payload", "The DHCP server IP address pool has changed%{}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg430 = msg("00025", part739); - - var part740 = match("MESSAGE#428:00025:01", "nwparser.payload", "PKI: The current device %{disposition->} to save the certificate authority configuration.", processor_chain([ - dup86, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg431 = msg("00025:01", part740); - - var part741 = match("MESSAGE#429:00025:02", "nwparser.payload", "%{disposition->} to send the X509 request file via e-mail", processor_chain([ - dup86, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg432 = msg("00025:02", part741); - - var part742 = match("MESSAGE#430:00025:03", "nwparser.payload", "%{disposition->} to save the CA configuration", processor_chain([ - dup86, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg433 = msg("00025:03", part742); - - var part743 = match("MESSAGE#431:00025:04", "nwparser.payload", "Cannot load more X509 certificates. The %{result}", processor_chain([ - dup86, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg434 = msg("00025:04", part743); - - var select171 = linear_select([ - msg430, - msg431, - msg432, - msg433, - msg434, - ]); - - var part744 = match("MESSAGE#432:00026", "nwparser.payload", "%{signame->} have been detected! 
From %{saddr}:%{sport->} to %{daddr}:%{dport->} using protocol %{protocol->} on interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([ - dup58, - dup2, - dup3, - dup59, - dup4, - dup5, - dup61, - ])); - - var msg435 = msg("00026", part744); - - var part745 = match("MESSAGE#433:00026:13", "nwparser.payload", "%{signame->} have been detected! From %{saddr}:%{sport->} to %{daddr}:%{dport}, using protocol %{protocol}, on interface %{interface}", processor_chain([ - dup58, - dup2, - dup3, - dup4, - dup5, - dup61, - ])); - - var msg436 = msg("00026:13", part745); - - var part746 = match("MESSAGE#434:00026:01/2", "nwparser.p0", "PKA key has been %{p0}"); - - var part747 = match("MESSAGE#434:00026:01/4", "nwparser.p0", "admin user %{administrator}. (Key ID = %{fld2})"); - - var all150 = all_match({ - processors: [ - dup195, - dup370, - part746, - dup371, - part747, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg437 = msg("00026:01", all150); - - var part748 = match("MESSAGE#435:00026:02/1_0", "nwparser.p0", ": SCS %{p0}"); - - var select172 = linear_select([ - part748, - dup96, - ]); - - var part749 = match("MESSAGE#435:00026:02/2", "nwparser.p0", "has been %{disposition->} for %{p0}"); - - var part750 = match("MESSAGE#435:00026:02/3_0", "nwparser.p0", "root system %{p0}"); - - var part751 = match("MESSAGE#435:00026:02/3_1", "nwparser.p0", "%{interface->} %{p0}"); - - var select173 = linear_select([ - part750, - part751, - ]); - - var all151 = all_match({ - processors: [ - dup195, - select172, - part749, - select173, - dup116, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg438 = msg("00026:02", all151); - - var part752 = match("MESSAGE#436:00026:03/2", "nwparser.p0", "%{change_attribute->} has been changed from %{change_old->} to %{change_new}"); - - var all152 = all_match({ - processors: [ - dup195, - dup370, - part752, - ], 
- on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg439 = msg("00026:03", all152); - - var part753 = match("MESSAGE#437:00026:04", "nwparser.payload", "SCS: Connection has been terminated for admin user %{administrator->} at %{hostip}:%{network_port}", processor_chain([ - dup198, - dup2, - dup4, - dup5, - dup3, - ])); - - var msg440 = msg("00026:04", part753); - - var part754 = match("MESSAGE#438:00026:05", "nwparser.payload", "SCS: Host client has requested NO cipher from %{interface}", processor_chain([ - dup198, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg441 = msg("00026:05", part754); - - var part755 = match("MESSAGE#439:00026:06", "nwparser.payload", "SCS: SSH user %{username->} has been authenticated using PKA RSA from %{saddr}:%{sport}. (key-ID=%{fld2}", processor_chain([ - dup199, - dup29, - dup30, - dup31, - dup32, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg442 = msg("00026:06", part755); - - var part756 = match("MESSAGE#440:00026:07", "nwparser.payload", "SCS: SSH user %{username->} has been authenticated using password from %{saddr}:%{sport}.", processor_chain([ - dup199, - dup29, - dup30, - dup31, - dup32, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg443 = msg("00026:07", part756); - - var part757 = match("MESSAGE#441:00026:08/0", "nwparser.payload", "SSH user %{username->} has been authenticated using %{p0}"); - - var part758 = match("MESSAGE#441:00026:08/2", "nwparser.p0", "from %{saddr}:%{sport->} [ with key ID %{fld2->} ]"); - - var all153 = all_match({ - processors: [ - part757, - dup372, - part758, - ], - on_success: processor_chain([ - dup199, - dup29, - dup30, - dup31, - dup32, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg444 = msg("00026:08", all153); - - var part759 = match("MESSAGE#442:00026:09", "nwparser.payload", "IPSec tunnel on int %{interface->} with tunnel ID %{fld2->} received a packet with a bad SPI.", processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - 
])); - - var msg445 = msg("00026:09", part759); - - var part760 = match("MESSAGE#443:00026:10/0", "nwparser.payload", "SSH: %{p0}"); - - var part761 = match("MESSAGE#443:00026:10/1_0", "nwparser.p0", "Failed %{p0}"); - - var part762 = match("MESSAGE#443:00026:10/1_1", "nwparser.p0", "Attempt %{p0}"); - - var select174 = linear_select([ - part761, - part762, - ]); - - var part763 = match("MESSAGE#443:00026:10/3_0", "nwparser.p0", "bind duplicate %{p0}"); - - var select175 = linear_select([ - part763, - dup201, - ]); - - var part764 = match("MESSAGE#443:00026:10/6", "nwparser.p0", "admin user '%{administrator}' (Key ID %{fld2})"); - - var all154 = all_match({ - processors: [ - part760, - select174, - dup103, - select175, - dup202, - dup373, - part764, - ], - on_success: processor_chain([ - dup203, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg446 = msg("00026:10", all154); - - var part765 = match("MESSAGE#444:00026:11", "nwparser.payload", "SSH: Maximum number of PKA keys (%{fld2}) has been bound to user '%{username}' Key not bound. (Key ID %{fld3})", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg447 = msg("00026:11", part765); - - var part766 = match("MESSAGE#445:00026:12", "nwparser.payload", "IKE %{fld2}: Missing heartbeats have exceeded the threshold. 
All Phase 1 and 2 SAs have been removed", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg448 = msg("00026:12", part766); - - var select176 = linear_select([ - msg435, - msg436, - msg437, - msg438, - msg439, - msg440, - msg441, - msg442, - msg443, - msg444, - msg445, - msg446, - msg447, - msg448, - ]); - - var part767 = match("MESSAGE#446:00027/2", "nwparser.p0", "user %{username->} from %{p0}"); - - var part768 = match("MESSAGE#446:00027/3_0", "nwparser.p0", "IP address %{saddr}:%{sport}"); - - var part769 = match("MESSAGE#446:00027/3_1", "nwparser.p0", "%{saddr}:%{sport}"); - - var part770 = match("MESSAGE#446:00027/3_2", "nwparser.p0", "console%{}"); - - var select177 = linear_select([ - part768, - part769, - part770, - ]); - - var all155 = all_match({ - processors: [ - dup204, - dup374, - part767, - select177, - ], - on_success: processor_chain([ - dup206, - dup30, - dup31, - dup54, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg449 = msg("00027", all155); - - var part771 = match("MESSAGE#447:00027:01", "nwparser.payload", "%{change_attribute->} has been restored from %{change_old->} to default port %{change_new}. %{info}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg450 = msg("00027:01", part771); - - var part772 = match("MESSAGE#448:00027:02", "nwparser.payload", "%{change_attribute->} has been restored from %{change_old->} to %{change_new}. %{info}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg451 = msg("00027:02", part772); - - var part773 = match("MESSAGE#449:00027:03", "nwparser.payload", "%{change_attribute->} has been changed from %{change_old->} to port %{change_new}. 
%{info}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg452 = msg("00027:03", part773); - - var part774 = match("MESSAGE#450:00027:04", "nwparser.payload", "%{change_attribute->} has been changed from %{change_old->} to port %{change_new}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg453 = msg("00027:04", part774); - - var part775 = match("MESSAGE#451:00027:05/0", "nwparser.payload", "ScreenOS %{version->} %{p0}"); - - var part776 = match("MESSAGE#451:00027:05/1_0", "nwparser.p0", "Serial %{p0}"); - - var part777 = match("MESSAGE#451:00027:05/1_1", "nwparser.p0", "serial %{p0}"); - - var select178 = linear_select([ - part776, - part777, - ]); - - var part778 = match("MESSAGE#451:00027:05/2", "nwparser.p0", "# %{fld2}: Asset recovery %{p0}"); - - var part779 = match("MESSAGE#451:00027:05/3_0", "nwparser.p0", "performed %{p0}"); - - var select179 = linear_select([ - part779, - dup127, - ]); - - var select180 = linear_select([ - dup207, - dup208, - ]); - - var all156 = all_match({ - processors: [ - part775, - select178, - part778, - select179, - dup23, - select180, - ], - on_success: processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg454 = msg("00027:05", all156); - - var part780 = match("MESSAGE#452:00027:06/0", "nwparser.payload", "Device Reset (Asset Recovery) has been %{p0}"); - - var select181 = linear_select([ - dup208, - dup207, - ]); - - var all157 = all_match({ - processors: [ - part780, - select181, - ], - on_success: processor_chain([ - setc("eventcategory","1606000000"), - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg455 = msg("00027:06", all157); - - var part781 = match("MESSAGE#453:00027:07", "nwparser.payload", "%{change_attribute->} has been changed from %{change_old->} to %{change_new}. 
%{info}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg456 = msg("00027:07", part781); - - var part782 = match("MESSAGE#454:00027:08", "nwparser.payload", "System configuration has been erased%{}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg457 = msg("00027:08", part782); - - var part783 = match("MESSAGE#455:00027:09", "nwparser.payload", "License key %{fld2->} is due to expire in %{fld3}.", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg458 = msg("00027:09", part783); - - var part784 = match("MESSAGE#456:00027:10", "nwparser.payload", "License key %{fld2->} has expired.", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg459 = msg("00027:10", part784); - - var part785 = match("MESSAGE#457:00027:11", "nwparser.payload", "License key %{fld2->} expired after 30-day grace period.", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg460 = msg("00027:11", part785); - - var part786 = match("MESSAGE#458:00027:12/0", "nwparser.payload", "Request to retrieve license key failed to reach %{p0}"); - - var part787 = match("MESSAGE#458:00027:12/1_0", "nwparser.p0", "the server %{p0}"); - - var select182 = linear_select([ - part787, - dup193, - ]); - - var part788 = match("MESSAGE#458:00027:12/2", "nwparser.p0", "by %{fld2}. 
Server url: %{url}"); - - var all158 = all_match({ - processors: [ - part786, - select182, - part788, - ], - on_success: processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg461 = msg("00027:12", all158); - - var part789 = match("MESSAGE#459:00027:13/2", "nwparser.p0", "user %{username}"); - - var all159 = all_match({ - processors: [ - dup204, - dup374, - part789, - ], - on_success: processor_chain([ - dup206, - dup30, - dup31, - dup54, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg462 = msg("00027:13", all159); - - var part790 = match("MESSAGE#460:00027:14/0", "nwparser.payload", "Configuration Erasure Process %{p0}"); - - var part791 = match("MESSAGE#460:00027:14/1_0", "nwparser.p0", "has been initiated %{p0}"); - - var part792 = match("MESSAGE#460:00027:14/1_1", "nwparser.p0", "aborted %{p0}"); - - var select183 = linear_select([ - part791, - part792, - ]); - - var part793 = match("MESSAGE#460:00027:14/2", "nwparser.p0", ".%{space}(%{fld1})"); - - var all160 = all_match({ - processors: [ - part790, - select183, - part793, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg463 = msg("00027:14", all160); - - var part794 = match("MESSAGE#461:00027:15", "nwparser.payload", "Waiting for 2nd confirmation. 
(%{fld1})", processor_chain([ - dup44, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg464 = msg("00027:15", part794); - - var part795 = match("MESSAGE#1220:00027:16", "nwparser.payload", "Admin %{fld3->} policy id %{policy_id->} name \"%{fld2->} has been re-enabled by NetScreen system after being locked due to excessive failed login attempts (%{fld1})", processor_chain([ - dup44, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg465 = msg("00027:16", part795); - - var part796 = match("MESSAGE#1225:00027:17", "nwparser.payload", "Admin %{username->} is locked and will be unlocked after %{duration->} minutes (%{fld1})", processor_chain([ - dup44, - dup2, - dup4, - dup5, - dup9, - ])); - - var msg466 = msg("00027:17", part796); - - var part797 = match("MESSAGE#1226:00027:18", "nwparser.payload", "Login attempt by admin %{username->} from %{saddr->} is refused as this account is locked (%{fld1})", processor_chain([ - dup44, - dup2, - dup4, - dup5, - dup9, - ])); - - var msg467 = msg("00027:18", part797); - - var part798 = match("MESSAGE#1227:00027:19", "nwparser.payload", "Admin %{username->} has been re-enabled by NetScreen system after being locked due to excessive failed login attempts (%{fld1})", processor_chain([ - dup44, - dup2, - dup4, - dup5, - dup9, - ])); - - var msg468 = msg("00027:19", part798); - - var select184 = linear_select([ - msg449, - msg450, - msg451, - msg452, - msg453, - msg454, - msg455, - msg456, - msg457, - msg458, - msg459, - msg460, - msg461, - msg462, - msg463, - msg464, - msg465, - msg466, - msg467, - msg468, - ]); - - var part799 = match("MESSAGE#462:00028/0_0", "nwparser.payload", "An Intruder%{p0}"); - - var part800 = match("MESSAGE#462:00028/0_1", "nwparser.payload", "Intruder%{p0}"); - - var part801 = match("MESSAGE#462:00028/0_2", "nwparser.payload", "An intruter%{p0}"); - - var select185 = linear_select([ - part799, - part800, - part801, - ]); - - var part802 = match("MESSAGE#462:00028/1", "nwparser.p0", "%{}has 
attempted to connect to the NetScreen-Global PRO port! From %{saddr}:%{sport->} to %{daddr}:%{dport->} using protocol %{protocol->} at interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times"); - - var all161 = all_match({ - processors: [ - select185, - part802, - ], - on_success: processor_chain([ - dup58, - dup2, - dup59, - dup3, - dup4, - dup5, - dup61, - setc("signame","Attempt to Connect to the NetScreen-Global Port"), - ]), - }); - - var msg469 = msg("00028", all161); - - var part803 = match("MESSAGE#463:00029", "nwparser.payload", "DNS has been refreshed%{}", processor_chain([ - dup209, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg470 = msg("00029", part803); - - var part804 = match("MESSAGE#464:00029:01", "nwparser.payload", "DHCP file write: out of memory.%{}", processor_chain([ - dup184, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg471 = msg("00029:01", part804); - - var part805 = match("MESSAGE#465:00029:02/0", "nwparser.payload", "The DHCP process cannot open file %{fld2->} to %{p0}"); - - var part806 = match("MESSAGE#465:00029:02/1_0", "nwparser.p0", "read %{p0}"); - - var part807 = match("MESSAGE#465:00029:02/1_1", "nwparser.p0", "write %{p0}"); - - var select186 = linear_select([ - part806, - part807, - ]); - - var part808 = match("MESSAGE#465:00029:02/2", "nwparser.p0", "data.%{}"); - - var all162 = all_match({ - processors: [ - part805, - select186, - part808, - ], - on_success: processor_chain([ - dup117, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg472 = msg("00029:02", all162); - - var part809 = match("MESSAGE#466:00029:03/2", "nwparser.p0", "%{} %{interface->} is full. 
Unable to %{p0}"); - - var part810 = match("MESSAGE#466:00029:03/3_0", "nwparser.p0", "commit %{p0}"); - - var part811 = match("MESSAGE#466:00029:03/3_1", "nwparser.p0", "offer %{p0}"); - - var select187 = linear_select([ - part810, - part811, - ]); - - var part812 = match("MESSAGE#466:00029:03/4", "nwparser.p0", "IP address to client at %{fld2}"); - - var all163 = all_match({ - processors: [ - dup210, - dup337, - part809, - select187, - part812, - ], - on_success: processor_chain([ - dup117, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg473 = msg("00029:03", all163); - - var part813 = match("MESSAGE#467:00029:04", "nwparser.payload", "DHCP server set to OFF on %{interface->} (another server found on %{hostip}).", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg474 = msg("00029:04", part813); - - var select188 = linear_select([ - msg470, - msg471, - msg472, - msg473, - msg474, - ]); - - var part814 = match("MESSAGE#468:00030", "nwparser.payload", "CA configuration is invalid%{}", processor_chain([ - dup18, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg475 = msg("00030", part814); - - var part815 = match("MESSAGE#469:00030:01/0", "nwparser.payload", "DSS checking of CRLs has been changed from %{p0}"); - - var part816 = match("MESSAGE#469:00030:01/1_0", "nwparser.p0", "0 to 1%{}"); - - var part817 = match("MESSAGE#469:00030:01/1_1", "nwparser.p0", "1 to 0%{}"); - - var select189 = linear_select([ - part816, - part817, - ]); - - var all164 = all_match({ - processors: [ - part815, - select189, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg476 = msg("00030:01", all164); - - var part818 = match("MESSAGE#470:00030:05", "nwparser.payload", "For the X509 certificate %{change_attribute->} has been changed from %{change_old->} to %{change_new}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg477 = msg("00030:05", part818); - - var part819 = 
match("MESSAGE#471:00030:06", "nwparser.payload", "In the X509 certificate request the %{fld2->} field has been changed from %{fld3}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg478 = msg("00030:06", part819); - - var part820 = match("MESSAGE#472:00030:07", "nwparser.payload", "RA X509 certificate cannot be loaded%{}", processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg479 = msg("00030:07", part820); - - var part821 = match("MESSAGE#473:00030:10", "nwparser.payload", "Self-signed X509 certificate cannot be generated%{}", processor_chain([ - dup86, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg480 = msg("00030:10", part821); - - var part822 = match("MESSAGE#474:00030:12", "nwparser.payload", "The public key for ScreenOS image has successfully been updated%{}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg481 = msg("00030:12", part822); - - var part823 = match("MESSAGE#475:00030:13/0", "nwparser.payload", "The public key used for ScreenOS image authentication cannot be %{p0}"); - - var part824 = match("MESSAGE#475:00030:13/1_0", "nwparser.p0", "decoded%{}"); - - var part825 = match("MESSAGE#475:00030:13/1_1", "nwparser.p0", "loaded%{}"); - - var select190 = linear_select([ - part824, - part825, - ]); - - var all165 = all_match({ - processors: [ - part823, - select190, - ], - on_success: processor_chain([ - dup35, - dup31, - dup39, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg482 = msg("00030:13", all165); - - var part826 = match("MESSAGE#476:00030:14/1_0", "nwparser.p0", "CA IDENT %{p0}"); - - var part827 = match("MESSAGE#476:00030:14/1_1", "nwparser.p0", "Challenge password %{p0}"); - - var part828 = match("MESSAGE#476:00030:14/1_2", "nwparser.p0", "CA CGI URL %{p0}"); - - var part829 = match("MESSAGE#476:00030:14/1_3", "nwparser.p0", "RA CGI URL %{p0}"); - - var select191 = linear_select([ - part826, - part827, - part828, - part829, - ]); - - var part830 = 
match("MESSAGE#476:00030:14/2", "nwparser.p0", "for SCEP %{p0}"); - - var part831 = match("MESSAGE#476:00030:14/3_0", "nwparser.p0", "requests %{p0}"); - - var select192 = linear_select([ - part831, - dup16, - ]); - - var part832 = match("MESSAGE#476:00030:14/4", "nwparser.p0", "has been changed from %{change_old->} to %{change_new}"); - - var all166 = all_match({ - processors: [ - dup55, - select191, - part830, - select192, - part832, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg483 = msg("00030:14", all166); - - var msg484 = msg("00030:02", dup375); - - var part833 = match("MESSAGE#478:00030:15", "nwparser.payload", "X509 certificate for ScreenOS image authentication is invalid%{}", processor_chain([ - dup35, - dup211, - dup31, - dup39, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg485 = msg("00030:15", part833); - - var part834 = match("MESSAGE#479:00030:16", "nwparser.payload", "X509 certificate has been deleted%{}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg486 = msg("00030:16", part834); - - var part835 = match("MESSAGE#480:00030:18", "nwparser.payload", "PKI CRL: no revoke info accept per config DN %{interface}.", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg487 = msg("00030:18", part835); - - var part836 = match("MESSAGE#481:00030:19/0", "nwparser.payload", "PKI: A configurable item %{change_attribute->} %{p0}"); - - var part837 = match("MESSAGE#481:00030:19/1_0", "nwparser.p0", "mode %{p0}"); - - var part838 = match("MESSAGE#481:00030:19/1_1", "nwparser.p0", "field%{p0}"); - - var select193 = linear_select([ - part837, - part838, - ]); - - var part839 = match("MESSAGE#481:00030:19/2", "nwparser.p0", "%{}has changed from %{change_old->} to %{change_new}"); - - var all167 = all_match({ - processors: [ - part836, - select193, - part839, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var 
msg488 = msg("00030:19", all167); - - var part840 = match("MESSAGE#482:00030:30", "nwparser.payload", "PKI: NSRP cold sync start for total of %{fld2->} items.", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg489 = msg("00030:30", part840); - - var part841 = match("MESSAGE#483:00030:31", "nwparser.payload", "PKI: NSRP sync received cold sync item %{fld2->} out of order expect %{fld3->} of %{fld4}.", processor_chain([ - dup86, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg490 = msg("00030:31", part841); - - var part842 = match("MESSAGE#484:00030:32", "nwparser.payload", "PKI: NSRP sync received cold sync item %{fld2->} without first item.", processor_chain([ - dup86, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg491 = msg("00030:32", part842); - - var part843 = match("MESSAGE#485:00030:33", "nwparser.payload", "PKI: NSRP sync received normal item during cold sync.%{}", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg492 = msg("00030:33", part843); - - var part844 = match("MESSAGE#486:00030:34", "nwparser.payload", "PKI: The CRL %{policy_id->} is deleted.", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg493 = msg("00030:34", part844); - - var part845 = match("MESSAGE#487:00030:35", "nwparser.payload", "PKI: The NSRP high availability synchronization %{fld2->} failed.", processor_chain([ - dup86, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg494 = msg("00030:35", part845); - - var part846 = match("MESSAGE#488:00030:36", "nwparser.payload", "PKI: The %{change_attribute->} has changed from %{change_old->} to %{change_new}.", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg495 = msg("00030:36", part846); - - var part847 = match("MESSAGE#489:00030:37", "nwparser.payload", "PKI: The X.509 certificate for the ScreenOS image authentication is invalid.%{}", processor_chain([ - dup35, - dup211, - dup31, - dup39, - dup2, - dup3, - dup4, - dup5, - ])); - 
- var msg496 = msg("00030:37", part847); - - var part848 = match("MESSAGE#490:00030:38", "nwparser.payload", "PKI: The X.509 local certificate cannot be sync to vsd member.%{}", processor_chain([ - dup35, - dup211, - dup31, - dup39, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg497 = msg("00030:38", part848); - - var part849 = match("MESSAGE#491:00030:39/0", "nwparser.payload", "PKI: The X.509 certificate %{p0}"); - - var part850 = match("MESSAGE#491:00030:39/1_0", "nwparser.p0", "revocation list %{p0}"); - - var select194 = linear_select([ - part850, - dup16, - ]); - - var part851 = match("MESSAGE#491:00030:39/2", "nwparser.p0", "cannot be loaded during NSRP synchronization.%{}"); - - var all168 = all_match({ - processors: [ - part849, - select194, - part851, - ], - on_success: processor_chain([ - dup35, - dup211, - dup31, - dup39, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg498 = msg("00030:39", all168); - - var part852 = match("MESSAGE#492:00030:17/0", "nwparser.payload", "X509 %{p0}"); - - var part853 = match("MESSAGE#492:00030:17/2", "nwparser.p0", "cannot be loaded%{}"); - - var all169 = all_match({ - processors: [ - part852, - dup376, - part853, - ], - on_success: processor_chain([ - dup35, - dup211, - dup31, - dup39, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg499 = msg("00030:17", all169); - - var part854 = match("MESSAGE#493:00030:40/0", "nwparser.payload", "PKI: The certificate %{fld2->} will expire %{p0}"); - - var part855 = match("MESSAGE#493:00030:40/1_1", "nwparser.p0", "please %{p0}"); - - var select195 = linear_select([ - dup214, - part855, - ]); - - var part856 = match("MESSAGE#493:00030:40/2", "nwparser.p0", "renew.%{}"); - - var all170 = all_match({ - processors: [ - part854, - select195, - part856, - ], - on_success: processor_chain([ - dup35, - dup211, - dup31, - dup39, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg500 = msg("00030:40", all170); - - var part857 = match("MESSAGE#494:00030:41", 
"nwparser.payload", "PKI: The certificate revocation list has expired issued by certificate authority %{fld2}.", processor_chain([ - dup35, - dup211, - dup31, - dup39, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg501 = msg("00030:41", part857); - - var part858 = match("MESSAGE#495:00030:42", "nwparser.payload", "PKI: The configuration content of certificate authority %{fld2->} is not valid.", processor_chain([ - dup35, - dup211, - dup31, - dup39, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg502 = msg("00030:42", part858); - - var part859 = match("MESSAGE#496:00030:43", "nwparser.payload", "PKI: The device cannot allocate this object id number %{fld2}.", processor_chain([ - dup35, - dup211, - dup31, - dup39, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg503 = msg("00030:43", part859); - - var part860 = match("MESSAGE#497:00030:44", "nwparser.payload", "PKI: The device cannot extract the X.509 certificate revocation list [ (CRL) ].%{}", processor_chain([ - dup35, - dup211, - dup31, - dup39, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg504 = msg("00030:44", part860); - - var part861 = match("MESSAGE#498:00030:45", "nwparser.payload", "PKI: The device cannot find the PKI object %{fld2->} during cold sync.", processor_chain([ - dup35, - dup211, - dup31, - dup39, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg505 = msg("00030:45", part861); - - var part862 = match("MESSAGE#499:00030:46", "nwparser.payload", "PKI: The device cannot load X.509 certificate onto the device certificate %{fld2}.", processor_chain([ - dup35, - dup211, - dup31, - dup39, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg506 = msg("00030:46", part862); - - var part863 = match("MESSAGE#500:00030:47", "nwparser.payload", "PKI: The device cannot load a certificate pending SCEP completion.%{}", processor_chain([ - dup35, - dup211, - dup31, - dup39, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg507 = msg("00030:47", part863); - - var part864 = match("MESSAGE#501:00030:48", 
"nwparser.payload", "PKI: The device cannot load an X.509 certificate revocation list (CRL).%{}", processor_chain([ - dup35, - dup211, - dup31, - dup39, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg508 = msg("00030:48", part864); - - var part865 = match("MESSAGE#502:00030:49", "nwparser.payload", "PKI: The device cannot load the CA certificate received through SCEP.%{}", processor_chain([ - dup35, - dup211, - dup31, - dup39, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg509 = msg("00030:49", part865); - - var part866 = match("MESSAGE#503:00030:50", "nwparser.payload", "PKI: The device cannot load the X.509 certificate revocation list (CRL) from the file.%{}", processor_chain([ - dup35, - dup211, - dup31, - dup39, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg510 = msg("00030:50", part866); - - var part867 = match("MESSAGE#504:00030:51", "nwparser.payload", "PKI: The device cannot load the X.509 local certificate received through SCEP.%{}", processor_chain([ - dup35, - dup211, - dup31, - dup39, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg511 = msg("00030:51", part867); - - var part868 = match("MESSAGE#505:00030:52", "nwparser.payload", "PKI: The device cannot load the X.509 %{product->} during boot.", processor_chain([ - dup35, - dup211, - dup31, - dup39, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg512 = msg("00030:52", part868); - - var part869 = match("MESSAGE#506:00030:53", "nwparser.payload", "PKI: The device cannot load the X.509 certificate file.%{}", processor_chain([ - dup35, - dup211, - dup31, - dup39, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg513 = msg("00030:53", part869); - - var part870 = match("MESSAGE#507:00030:54", "nwparser.payload", "PKI: The device completed the coldsync of the PKI object at %{fld2->} attempt.", processor_chain([ - dup44, - dup211, - dup31, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg514 = msg("00030:54", part870); - - var part871 = match("MESSAGE#508:00030:55/0", "nwparser.payload", "PKI: 
The device could not generate %{p0}"); - - var all171 = all_match({ - processors: [ - part871, - dup377, - dup217, - ], - on_success: processor_chain([ - dup35, - dup211, - dup31, - dup39, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg515 = msg("00030:55", all171); - - var part872 = match("MESSAGE#509:00030:56", "nwparser.payload", "PKI: The device detected an invalid RSA key.%{}", processor_chain([ - dup35, - dup211, - dup31, - dup39, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg516 = msg("00030:56", part872); - - var part873 = match("MESSAGE#510:00030:57", "nwparser.payload", "PKI: The device detected an invalid digital signature algorithm (DSA) key.%{}", processor_chain([ - dup35, - dup218, - dup31, - dup39, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg517 = msg("00030:57", part873); - - var part874 = match("MESSAGE#511:00030:58", "nwparser.payload", "PKI: The device failed to coldsync the PKI object at %{fld2->} attempt.", processor_chain([ - dup86, - dup218, - dup31, - dup54, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg518 = msg("00030:58", part874); - - var part875 = match("MESSAGE#512:00030:59", "nwparser.payload", "PKI: The device failed to decode the public key of the image%{quote}s signer certificate.", processor_chain([ - dup35, - dup218, - dup31, - dup54, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg519 = msg("00030:59", part875); - - var part876 = match("MESSAGE#513:00030:60", "nwparser.payload", "PKI: The device failed to install the RSA key.%{}", processor_chain([ - dup35, - dup218, - dup31, - dup54, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg520 = msg("00030:60", part876); - - var part877 = match("MESSAGE#514:00030:61", "nwparser.payload", "PKI: The device failed to retrieve the pending certificate %{fld2}.", processor_chain([ - dup35, - dup211, - dup31, - dup54, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg521 = msg("00030:61", part877); - - var part878 = match("MESSAGE#515:00030:62", "nwparser.payload", 
"PKI: The device failed to save the certificate authority related configuration.%{}", processor_chain([ - dup35, - dup211, - dup31, - dup54, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg522 = msg("00030:62", part878); - - var part879 = match("MESSAGE#516:00030:63", "nwparser.payload", "PKI: The device failed to store the authority configuration.%{}", processor_chain([ - dup18, - dup219, - dup51, - dup54, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg523 = msg("00030:63", part879); - - var part880 = match("MESSAGE#517:00030:64", "nwparser.payload", "PKI: The device failed to synchronize new DSA/RSA key pair to NSRP peer.%{}", processor_chain([ - dup18, - dup218, - dup51, - dup54, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg524 = msg("00030:64", part880); - - var part881 = match("MESSAGE#518:00030:65", "nwparser.payload", "PKI: The device failed to synchronize DSA/RSA key pair to NSRP peer.%{}", processor_chain([ - dup18, - dup218, - dup51, - dup54, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg525 = msg("00030:65", part881); - - var part882 = match("MESSAGE#519:00030:66", "nwparser.payload", "PKI: The device has detected an invalid X.509 object attribute %{fld2}.", processor_chain([ - dup35, - dup211, - dup31, - dup39, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg526 = msg("00030:66", part882); - - var part883 = match("MESSAGE#520:00030:67", "nwparser.payload", "PKI: The device has detected invalid X.509 object content.%{}", processor_chain([ - dup35, - dup211, - dup31, - dup39, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg527 = msg("00030:67", part883); - - var part884 = match("MESSAGE#521:00030:68", "nwparser.payload", "PKI: The device has failed to load an invalid X.509 object.%{}", processor_chain([ - dup35, - dup211, - dup31, - dup39, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg528 = msg("00030:68", part884); - - var part885 = match("MESSAGE#522:00030:69", "nwparser.payload", "PKI: The device is loading the version 0 PKI 
data.%{}", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg529 = msg("00030:69", part885); - - var part886 = match("MESSAGE#523:00030:70/0", "nwparser.payload", "PKI: The device successfully generated a new %{p0}"); - - var all172 = all_match({ - processors: [ - part886, - dup377, - dup217, - ], - on_success: processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg530 = msg("00030:70", all172); - - var part887 = match("MESSAGE#524:00030:71", "nwparser.payload", "PKI: The public key of image%{quote}s signer has been loaded successfully, for future image authentication.", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg531 = msg("00030:71", part887); - - var part888 = match("MESSAGE#525:00030:72", "nwparser.payload", "PKI: The signature of the image%{quote}s signer certificate cannot be verified.", processor_chain([ - dup35, - dup211, - dup31, - dup39, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg532 = msg("00030:72", part888); - - var part889 = match("MESSAGE#526:00030:73/0", "nwparser.payload", "PKI: The %{p0}"); - - var part890 = match("MESSAGE#526:00030:73/1_0", "nwparser.p0", "file name %{p0}"); - - var part891 = match("MESSAGE#526:00030:73/1_1", "nwparser.p0", "friendly name of a certificate %{p0}"); - - var part892 = match("MESSAGE#526:00030:73/1_2", "nwparser.p0", "vsys name %{p0}"); - - var select196 = linear_select([ - part890, - part891, - part892, - ]); - - var part893 = match("MESSAGE#526:00030:73/2", "nwparser.p0", "is too long %{fld2->} to do NSRP synchronization allowed %{fld3}."); - - var all173 = all_match({ - processors: [ - part889, - select196, - part893, - ], - on_success: processor_chain([ - dup35, - dup211, - dup31, - dup39, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg533 = msg("00030:73", all173); - - var part894 = match("MESSAGE#527:00030:74", "nwparser.payload", "PKI: Upgrade from earlier version save to file.%{}", processor_chain([ - dup44, 
- dup2, - dup3, - dup4, - dup5, - ])); - - var msg534 = msg("00030:74", part894); - - var part895 = match("MESSAGE#528:00030:75", "nwparser.payload", "PKI: X.509 certificate has been deleted distinguished name %{username}.", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg535 = msg("00030:75", part895); - - var part896 = match("MESSAGE#529:00030:76/0", "nwparser.payload", "PKI: X.509 %{p0}"); - - var part897 = match("MESSAGE#529:00030:76/2", "nwparser.p0", "file has been loaded successfully filename %{fld2}."); - - var all174 = all_match({ - processors: [ - part896, - dup376, - part897, - ], - on_success: processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg536 = msg("00030:76", all174); - - var part898 = match("MESSAGE#530:00030:77", "nwparser.payload", "PKI: failed to install DSA key.%{}", processor_chain([ - dup18, - dup218, - dup51, - dup54, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg537 = msg("00030:77", part898); - - var part899 = match("MESSAGE#531:00030:78", "nwparser.payload", "PKI: no FQDN available when requesting certificate.%{}", processor_chain([ - dup35, - dup211, - dup220, - dup31, - dup39, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg538 = msg("00030:78", part899); - - var part900 = match("MESSAGE#532:00030:79", "nwparser.payload", "PKI: no cert revocation check per config DN %{username}.", processor_chain([ - dup35, - dup211, - dup220, - dup31, - dup39, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg539 = msg("00030:79", part900); - - var part901 = match("MESSAGE#533:00030:80", "nwparser.payload", "PKI: no nsrp sync for pre 2.5 objects.%{}", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg540 = msg("00030:80", part901); - - var part902 = match("MESSAGE#534:00030:81", "nwparser.payload", "X509 certificate with subject name %{fld2->} is deleted.", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg541 = msg("00030:81", 
part902); - - var part903 = match("MESSAGE#535:00030:82", "nwparser.payload", "create new authcfg for CA %{fld2}", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg542 = msg("00030:82", part903); - - var part904 = match("MESSAGE#536:00030:83", "nwparser.payload", "loadCert: Cannot acquire authcfg for this CA cert %{fld2}.", processor_chain([ - dup35, - dup211, - dup31, - dup39, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg543 = msg("00030:83", part904); - - var part905 = match("MESSAGE#537:00030:84", "nwparser.payload", "upgrade to 4.0 copy authcfg from global.%{}", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg544 = msg("00030:84", part905); - - var part906 = match("MESSAGE#538:00030:85", "nwparser.payload", "System CPU utilization is high (%{fld2->} alarm threshold: %{trigger_val}) %{info}", processor_chain([ - setc("eventcategory","1603080000"), - dup2, - dup3, - dup4, - dup5, - ])); - - var msg545 = msg("00030:85", part906); - - var part907 = match("MESSAGE#539:00030:86/2", "nwparser.p0", "Pair-wise invoked by started after key generation. (%{fld1})"); - - var all175 = all_match({ - processors: [ - dup221, - dup378, - part907, - ], - on_success: processor_chain([ - dup223, - dup2, - dup4, - dup5, - dup9, - ]), - }); - - var msg546 = msg("00030:86", all175); - - var part908 = match("MESSAGE#1214:00030:87", "nwparser.payload", "SYSTEM CPU utilization is high (%{fld2->} > %{fld3->} ) %{fld4->} times in %{fld5->} minute (%{fld1})\u003c\u003c%{fld6}>", processor_chain([ - dup209, - dup2, - dup3, - dup4, - dup5, - dup9, - ])); - - var msg547 = msg("00030:87", part908); - - var part909 = match("MESSAGE#1217:00030:88/2", "nwparser.p0", "Pair-wise invoked by passed. 
(%{fld1})\u003c\u003c%{fld6}>"); - - var all176 = all_match({ - processors: [ - dup221, - dup378, - part909, - ], - on_success: processor_chain([ - dup223, - dup2, - dup4, - dup5, - dup9, - ]), - }); - - var msg548 = msg("00030:88", all176); - - var select197 = linear_select([ - msg475, - msg476, - msg477, - msg478, - msg479, - msg480, - msg481, - msg482, - msg483, - msg484, - msg485, - msg486, - msg487, - msg488, - msg489, - msg490, - msg491, - msg492, - msg493, - msg494, - msg495, - msg496, - msg497, - msg498, - msg499, - msg500, - msg501, - msg502, - msg503, - msg504, - msg505, - msg506, - msg507, - msg508, - msg509, - msg510, - msg511, - msg512, - msg513, - msg514, - msg515, - msg516, - msg517, - msg518, - msg519, - msg520, - msg521, - msg522, - msg523, - msg524, - msg525, - msg526, - msg527, - msg528, - msg529, - msg530, - msg531, - msg532, - msg533, - msg534, - msg535, - msg536, - msg537, - msg538, - msg539, - msg540, - msg541, - msg542, - msg543, - msg544, - msg545, - msg546, - msg547, - msg548, - ]); - - var part910 = match("MESSAGE#540:00031:13", "nwparser.payload", "ARP detected IP conflict: IP address %{hostip->} changed from %{sinterface->} to interface %{dinterface->} (%{fld1})", processor_chain([ - dup121, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg549 = msg("00031:13", part910); - - var part911 = match("MESSAGE#541:00031", "nwparser.payload", "SNMP AuthenTraps have been %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg550 = msg("00031", part911); - - var part912 = match("MESSAGE#542:00031:01", "nwparser.payload", "SNMP VPN has been %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg551 = msg("00031:01", part912); - - var part913 = match("MESSAGE#543:00031:02/0", "nwparser.payload", "SNMP community %{fld2->} attributes-write access %{p0}"); - - var part914 = match("MESSAGE#543:00031:02/2", "nwparser.p0", "; receive traps %{p0}"); - - var part915 = 
match("MESSAGE#543:00031:02/4", "nwparser.p0", "; receive traffic alarms %{p0}"); - - var part916 = match("MESSAGE#543:00031:02/6", "nwparser.p0", "-have been modified%{}"); - - var all177 = all_match({ - processors: [ - part913, - dup379, - part914, - dup379, - part915, - dup379, - part916, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg552 = msg("00031:02", all177); - - var part917 = match("MESSAGE#544:00031:03/0", "nwparser.payload", "%{fld2->} SNMP host %{hostip->} has been %{p0}"); - - var select198 = linear_select([ - dup130, - dup129, - ]); - - var part918 = match("MESSAGE#544:00031:03/2", "nwparser.p0", "SNMP community %{fld3}"); - - var all178 = all_match({ - processors: [ - part917, - select198, - part918, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg553 = msg("00031:03", all178); - - var part919 = match("MESSAGE#545:00031:04/0", "nwparser.payload", "SNMP %{p0}"); - - var part920 = match("MESSAGE#545:00031:04/1_0", "nwparser.p0", "contact %{p0}"); - - var select199 = linear_select([ - part920, - dup226, - ]); - - var part921 = match("MESSAGE#545:00031:04/2", "nwparser.p0", "description has been modified%{}"); - - var all179 = all_match({ - processors: [ - part919, - select199, - part921, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg554 = msg("00031:04", all179); - - var part922 = match("MESSAGE#546:00031:11/0", "nwparser.payload", "SNMP system %{p0}"); - - var select200 = linear_select([ - dup226, - dup25, - ]); - - var part923 = match("MESSAGE#546:00031:11/2", "nwparser.p0", "has been changed to %{fld2}. 
(%{fld1})"); - - var all180 = all_match({ - processors: [ - part922, - select200, - part923, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg555 = msg("00031:11", all180); - - var part924 = match("MESSAGE#547:00031:08/0", "nwparser.payload", "%{fld2}: SNMP community name \"%{fld3}\" %{p0}"); - - var part925 = match("MESSAGE#547:00031:08/1_0", "nwparser.p0", "attributes -- %{p0}"); - - var part926 = match("MESSAGE#547:00031:08/1_1", "nwparser.p0", "-- %{p0}"); - - var select201 = linear_select([ - part925, - part926, - ]); - - var part927 = match("MESSAGE#547:00031:08/2", "nwparser.p0", "write access, %{p0}"); - - var part928 = match("MESSAGE#547:00031:08/4", "nwparser.p0", "; receive traps, %{p0}"); - - var part929 = match("MESSAGE#547:00031:08/6", "nwparser.p0", "; receive traffic alarms, %{p0}"); - - var part930 = match("MESSAGE#547:00031:08/8", "nwparser.p0", "-%{p0}"); - - var part931 = match("MESSAGE#547:00031:08/9_0", "nwparser.p0", "- %{p0}"); - - var select202 = linear_select([ - part931, - dup96, - ]); - - var part932 = match("MESSAGE#547:00031:08/10", "nwparser.p0", "have been modified%{}"); - - var all181 = all_match({ - processors: [ - part924, - select201, - part927, - dup379, - part928, - dup379, - part929, - dup379, - part930, - select202, - part932, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg556 = msg("00031:08", all181); - - var part933 = match("MESSAGE#548:00031:05/0", "nwparser.payload", "Detect IP conflict (%{fld2}) on %{p0}"); - - var all182 = all_match({ - processors: [ - part933, - dup337, - dup227, - ], - on_success: processor_chain([ - dup121, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg557 = msg("00031:05", all182); - - var part934 = match("MESSAGE#549:00031:06/1_0", "nwparser.p0", "q, %{p0}"); - - var select203 = linear_select([ - part934, - dup229, - dup230, - ]); - - var part935 = 
match("MESSAGE#549:00031:06/2", "nwparser.p0", "detect IP conflict ( %{hostip->} )%{p0}"); - - var select204 = linear_select([ - dup105, - dup96, - ]); - - var part936 = match("MESSAGE#549:00031:06/4", "nwparser.p0", "mac%{p0}"); - - var part937 = match("MESSAGE#549:00031:06/6", "nwparser.p0", "%{macaddr->} on %{p0}"); - - var all183 = all_match({ - processors: [ - dup228, - select203, - part935, - select204, - part936, - dup356, - part937, - dup352, - dup23, - dup380, - ], - on_success: processor_chain([ - dup121, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg558 = msg("00031:06", all183); - - var part938 = match("MESSAGE#550:00031:07/2", "nwparser.p0", "detects a duplicate virtual security device group master IP address %{hostip}, MAC address %{macaddr->} on %{p0}"); - - var all184 = all_match({ - processors: [ - dup228, - dup381, - part938, - dup337, - dup227, - ], - on_success: processor_chain([ - dup121, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg559 = msg("00031:07", all184); - - var part939 = match("MESSAGE#551:00031:09/2", "nwparser.p0", "detected an IP conflict (IP %{hostip}, MAC %{macaddr}) on interface %{p0}"); - - var all185 = all_match({ - processors: [ - dup228, - dup381, - part939, - dup380, - ], - on_success: processor_chain([ - dup121, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg560 = msg("00031:09", all185); - - var part940 = match("MESSAGE#552:00031:10", "nwparser.payload", "%{fld2}: SNMP community \"%{fld3}\" has been moved. (%{fld1})", processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg561 = msg("00031:10", part940); - - var part941 = match("MESSAGE#553:00031:12", "nwparser.payload", "%{fld2->} system contact has been changed to %{fld3}. 
(%{fld1})", processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg562 = msg("00031:12", part941); - - var select205 = linear_select([ - msg549, - msg550, - msg551, - msg552, - msg553, - msg554, - msg555, - msg556, - msg557, - msg558, - msg559, - msg560, - msg561, - msg562, - ]); - - var part942 = match("MESSAGE#554:00032", "nwparser.payload", "%{signame->} has been detected and blocked! From %{saddr}:%{sport->} to %{daddr}:%{dport->} using protocol %{protocol->} on interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([ - dup232, - dup2, - dup3, - dup59, - dup4, - dup5, - dup61, - ])); - - var msg563 = msg("00032", part942); - - var part943 = match("MESSAGE#555:00032:01", "nwparser.payload", "%{signame->} has been detected and blocked! From %{saddr}:%{sport->} to %{daddr}:%{dport->} using protocol %{protocol->} on interface %{interface}", processor_chain([ - dup232, - dup2, - dup3, - dup4, - dup5, - dup61, - ])); - - var msg564 = msg("00032:01", part943); - - var part944 = match("MESSAGE#556:00032:03/0", "nwparser.payload", "Vsys %{fld2->} has been %{p0}"); - - var part945 = match("MESSAGE#556:00032:03/1_0", "nwparser.p0", "changed to %{fld3}"); - - var part946 = match("MESSAGE#556:00032:03/1_1", "nwparser.p0", "created%{}"); - - var part947 = match("MESSAGE#556:00032:03/1_2", "nwparser.p0", "deleted%{}"); - - var part948 = match("MESSAGE#556:00032:03/1_3", "nwparser.p0", "removed%{}"); - - var select206 = linear_select([ - part945, - part946, - part947, - part948, - ]); - - var all186 = all_match({ - processors: [ - part944, - select206, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg565 = msg("00032:03", all186); - - var part949 = match("MESSAGE#557:00032:04", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to %{daddr}:%{dport->} using protocol %{protocol->} on interface %{interface}.%{space}The attack occurred 
%{dclass_counter1->} times", processor_chain([ - dup232, - dup2, - dup3, - dup4, - dup59, - dup5, - dup61, - ])); - - var msg566 = msg("00032:04", part949); - - var part950 = match("MESSAGE#558:00032:05", "nwparser.payload", "%{change_attribute->} for vsys %{fld2->} has been changed from %{change_old->} to %{change_new}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg567 = msg("00032:05", part950); - - var msg568 = msg("00032:02", dup375); - - var select207 = linear_select([ - msg563, - msg564, - msg565, - msg566, - msg567, - msg568, - ]); - - var part951 = match("MESSAGE#560:00033:25", "nwparser.payload", "NSM has been %{disposition}. (%{fld1})", processor_chain([ - dup44, - dup2, - dup3, - dup9, - dup4, - dup5, - setc("agent","NSM"), - ])); - - var msg569 = msg("00033:25", part951); - - var part952 = match("MESSAGE#561:00033/1", "nwparser.p0", "timeout value has been %{p0}"); - - var part953 = match("MESSAGE#561:00033/2_1", "nwparser.p0", "returned%{p0}"); - - var select208 = linear_select([ - dup52, - part953, - ]); - - var part954 = match("MESSAGE#561:00033/3", "nwparser.p0", "%{}to %{fld2}"); - - var all187 = all_match({ - processors: [ - dup382, - part952, - select208, - part954, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg570 = msg("00033", all187); - - var part955 = match("MESSAGE#562:00033:03/1_0", "nwparser.p0", "Global PRO %{p0}"); - - var part956 = match("MESSAGE#562:00033:03/1_1", "nwparser.p0", "%{fld3->} %{p0}"); - - var select209 = linear_select([ - part955, - part956, - ]); - - var part957 = match("MESSAGE#562:00033:03/4", "nwparser.p0", "host has been set to %{fld4}"); - - var all188 = all_match({ - processors: [ - dup160, - select209, - dup23, - dup369, - part957, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg571 = msg("00033:03", all188); - - var part958 = match("MESSAGE#563:00033:02/3", "nwparser.p0", "host 
has been %{disposition}"); - - var all189 = all_match({ - processors: [ - dup382, - dup23, - dup369, - part958, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg572 = msg("00033:02", all189); - - var part959 = match("MESSAGE#564:00033:04", "nwparser.payload", "Reporting of %{fld2->} to %{fld3->} has been %{disposition}.", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg573 = msg("00033:04", part959); - - var part960 = match("MESSAGE#565:00033:05", "nwparser.payload", "Global PRO has been %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg574 = msg("00033:05", part960); - - var part961 = match("MESSAGE#566:00033:06", "nwparser.payload", "%{signame}! From %{saddr}:%{sport->} to %{daddr}:%{dport->} using protocol %{protocol->} and arriving at interface %{interface}. The attack occurred %{dclass_counter1->} times", processor_chain([ - dup27, - dup2, - dup3, - dup59, - dup4, - dup5, - dup61, - ])); - - var msg575 = msg("00033:06", part961); - - var part962 = match("MESSAGE#567:00033:01", "nwparser.payload", "%{signame}! From %{saddr}:%{sport->} to %{daddr}:%{dport->} using protocol %{protocol->} and arriving at interface %{interface}. 
The threshold was exceeded %{dclass_counter1->} times", processor_chain([ - dup27, - dup2, - dup3, - setc("dclass_counter1_string","Number of times the threshold was exceeded"), - dup4, - dup5, - dup61, - ])); - - var msg576 = msg("00033:01", part962); - - var part963 = match("MESSAGE#568:00033:07", "nwparser.payload", "User-defined service %{service->} has been %{disposition->} from %{fld2->} distribution", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg577 = msg("00033:07", part963); - - var part964 = match("MESSAGE#569:00033:08/2", "nwparser.p0", "?s CA certificate field has not been specified.%{}"); - - var all190 = all_match({ - processors: [ - dup235, - dup383, - part964, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg578 = msg("00033:08", all190); - - var part965 = match("MESSAGE#570:00033:09/2", "nwparser.p0", "?s Cert-Subject field has not been specified.%{}"); - - var all191 = all_match({ - processors: [ - dup235, - dup383, - part965, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg579 = msg("00033:09", all191); - - var part966 = match("MESSAGE#571:00033:10/2", "nwparser.p0", "?s host field has been %{p0}"); - - var part967 = match("MESSAGE#571:00033:10/3_0", "nwparser.p0", "set to %{fld2->} %{p0}"); - - var select210 = linear_select([ - part967, - dup238, - ]); - - var all192 = all_match({ - processors: [ - dup235, - dup383, - part966, - select210, - dup116, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg580 = msg("00033:10", all192); - - var part968 = match("MESSAGE#572:00033:11/2", "nwparser.p0", "?s outgoing interface used to report NACN to Policy Manager %{p0}"); - - var part969 = match("MESSAGE#572:00033:11/4", "nwparser.p0", "has not been specified.%{}"); - - var all193 = all_match({ - processors: [ - dup235, - dup383, - part968, - dup383, - part969, - ], - 
on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg581 = msg("00033:11", all193); - - var part970 = match("MESSAGE#573:00033:12/2", "nwparser.p0", "?s password field has been %{p0}"); - - var select211 = linear_select([ - dup101, - dup238, - ]); - - var all194 = all_match({ - processors: [ - dup235, - dup383, - part970, - select211, - dup116, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg582 = msg("00033:12", all194); - - var part971 = match("MESSAGE#574:00033:13/2", "nwparser.p0", "?s policy-domain field has been %{p0}"); - - var part972 = match("MESSAGE#574:00033:13/3_0", "nwparser.p0", "unset .%{}"); - - var part973 = match("MESSAGE#574:00033:13/3_1", "nwparser.p0", "set to %{domain}."); - - var select212 = linear_select([ - part972, - part973, - ]); - - var all195 = all_match({ - processors: [ - dup235, - dup383, - part971, - select212, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg583 = msg("00033:13", all195); - - var part974 = match("MESSAGE#575:00033:14/2", "nwparser.p0", "?s CA certificate field has been set to %{fld2}."); - - var all196 = all_match({ - processors: [ - dup235, - dup383, - part974, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg584 = msg("00033:14", all196); - - var part975 = match("MESSAGE#576:00033:15/2", "nwparser.p0", "?s Cert-Subject field has been set to %{fld2}."); - - var all197 = all_match({ - processors: [ - dup235, - dup383, - part975, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg585 = msg("00033:15", all197); - - var part976 = match("MESSAGE#577:00033:16/2", "nwparser.p0", "?s outgoing-interface field has been set to %{interface}."); - - var all198 = all_match({ - processors: [ - dup235, - dup383, - part976, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, 
- dup5, - ]), - }); - - var msg586 = msg("00033:16", all198); - - var part977 = match("MESSAGE#578:00033:17/2", "nwparser.p0", "?s port field has been %{p0}"); - - var part978 = match("MESSAGE#578:00033:17/3_0", "nwparser.p0", "set to %{network_port->} %{p0}"); - - var part979 = match("MESSAGE#578:00033:17/3_1", "nwparser.p0", "reset to the default value %{p0}"); - - var select213 = linear_select([ - part978, - part979, - ]); - - var all199 = all_match({ - processors: [ - dup235, - dup383, - part977, - select213, - dup116, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg587 = msg("00033:17", all199); - - var part980 = match("MESSAGE#579:00033:19/0", "nwparser.payload", "%{signame}! From %{saddr}:%{sport->} to %{daddr}:%{p0}"); - - var part981 = match("MESSAGE#579:00033:19/4", "nwparser.p0", "%{fld99}arriving at interface %{dinterface->} in zone %{dst_zone}.%{space}The attack occurred %{dclass_counter1->} time."); - - var all200 = all_match({ - processors: [ - part980, - dup339, - dup70, - dup340, - part981, - ], - on_success: processor_chain([ - dup27, - dup2, - dup4, - dup5, - dup3, - dup59, - dup61, - ]), - }); - - var msg588 = msg("00033:19", all200); - - var part982 = match("MESSAGE#580:00033:20", "nwparser.payload", "%{signame}! From %{saddr->} to %{daddr}, using protocol %{protocol}, and arriving at interface %{dinterface->} in zone %{dst_zone}.%{space}The attack occurred %{dclass_counter1->} time.", processor_chain([ - dup27, - dup2, - dup4, - dup5, - dup3, - dup59, - dup60, - ])); - - var msg589 = msg("00033:20", part982); - - var all201 = all_match({ - processors: [ - dup239, - dup343, - dup83, - ], - on_success: processor_chain([ - dup27, - dup2, - dup9, - dup59, - dup3, - dup4, - dup5, - dup61, - ]), - }); - - var msg590 = msg("00033:21", all201); - - var part983 = match("MESSAGE#582:00033:22/0", "nwparser.payload", "%{signame}! 
From %{saddr->} to %{daddr}, proto %{protocol->} (zone %{zone->} %{p0}"); - - var all202 = all_match({ - processors: [ - part983, - dup343, - dup83, - ], - on_success: processor_chain([ - dup27, - dup2, - dup9, - dup59, - dup3, - dup4, - dup5, - dup60, - ]), - }); - - var msg591 = msg("00033:22", all202); - - var part984 = match("MESSAGE#583:00033:23", "nwparser.payload", "NSM primary server with name %{hostname->} was set: addr %{hostip}, port %{network_port}. (%{fld1})", processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg592 = msg("00033:23", part984); - - var part985 = match("MESSAGE#584:00033:24", "nwparser.payload", "session threshold From %{saddr}:%{sport->} to %{daddr}:%{dport}, using protocol %{protocol}, on zone %{zone->} interface %{interface}.%{info}. (%{fld1})", processor_chain([ - setc("eventcategory","1001030500"), - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg593 = msg("00033:24", part985); - - var select214 = linear_select([ - msg569, - msg570, - msg571, - msg572, - msg573, - msg574, - msg575, - msg576, - msg577, - msg578, - msg579, - msg580, - msg581, - msg582, - msg583, - msg584, - msg585, - msg586, - msg587, - msg588, - msg589, - msg590, - msg591, - msg592, - msg593, - ]); - - var part986 = match("MESSAGE#585:00034/0_0", "nwparser.payload", "SCS: Failed %{p0}"); - - var part987 = match("MESSAGE#585:00034/0_1", "nwparser.payload", "Failed %{p0}"); - - var select215 = linear_select([ - part986, - part987, - ]); - - var part988 = match("MESSAGE#585:00034/2_0", "nwparser.p0", "bind %{p0}"); - - var part989 = match("MESSAGE#585:00034/2_2", "nwparser.p0", "retrieve %{p0}"); - - var select216 = linear_select([ - part988, - dup201, - part989, - ]); - - var select217 = linear_select([ - dup196, - dup103, - dup163, - ]); - - var part990 = match("MESSAGE#585:00034/5", "nwparser.p0", "SSH user %{username}. 
(Key ID=%{fld2})"); - - var all203 = all_match({ - processors: [ - select215, - dup103, - select216, - dup202, - select217, - part990, - ], - on_success: processor_chain([ - dup240, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg594 = msg("00034", all203); - - var part991 = match("MESSAGE#586:00034:01/0_0", "nwparser.payload", "SCS: Incompatible %{p0}"); - - var part992 = match("MESSAGE#586:00034:01/0_1", "nwparser.payload", "Incompatible %{p0}"); - - var select218 = linear_select([ - part991, - part992, - ]); - - var part993 = match("MESSAGE#586:00034:01/1", "nwparser.p0", "SSH version %{version->} has been received from %{p0}"); - - var part994 = match("MESSAGE#586:00034:01/2_0", "nwparser.p0", "the SSH %{p0}"); - - var select219 = linear_select([ - part994, - dup241, - ]); - - var part995 = match("MESSAGE#586:00034:01/3", "nwparser.p0", "client at %{saddr}:%{sport}"); - - var all204 = all_match({ - processors: [ - select218, - part993, - select219, - part995, - ], - on_success: processor_chain([ - dup240, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg595 = msg("00034:01", all204); - - var part996 = match("MESSAGE#587:00034:02", "nwparser.payload", "Maximum number of SCS sessions %{fld2->} has been reached. Connection request from SSH user %{username->} at %{saddr}:%{sport->} has been %{disposition}", processor_chain([ - dup240, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg596 = msg("00034:02", part996); - - var part997 = match("MESSAGE#588:00034:03/1", "nwparser.p0", "device failed to authenticate the SSH client at %{saddr}:%{sport}"); - - var all205 = all_match({ - processors: [ - dup384, - part997, - ], - on_success: processor_chain([ - dup240, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg597 = msg("00034:03", all205); - - var part998 = match("MESSAGE#589:00034:04", "nwparser.payload", "SCS: NetScreen device failed to generate a PKA RSA challenge for SSH user %{username->} at %{saddr}:%{sport}. 
(Key ID=%{fld2})", processor_chain([ - dup240, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg598 = msg("00034:04", part998); - - var part999 = match("MESSAGE#590:00034:05", "nwparser.payload", "NetScreen device failed to generate a PKA RSA challenge for SSH user %{username}. (Key ID=%{fld2})", processor_chain([ - dup240, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg599 = msg("00034:05", part999); - - var part1000 = match("MESSAGE#591:00034:06/1", "nwparser.p0", "device failed to %{p0}"); - - var part1001 = match("MESSAGE#591:00034:06/2_0", "nwparser.p0", "identify itself %{p0}"); - - var part1002 = match("MESSAGE#591:00034:06/2_1", "nwparser.p0", "send the identification string %{p0}"); - - var select220 = linear_select([ - part1001, - part1002, - ]); - - var part1003 = match("MESSAGE#591:00034:06/3", "nwparser.p0", "to the SSH client at %{saddr}:%{sport}"); - - var all206 = all_match({ - processors: [ - dup384, - part1000, - select220, - part1003, - ], - on_success: processor_chain([ - dup240, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg600 = msg("00034:06", all206); - - var part1004 = match("MESSAGE#592:00034:07", "nwparser.payload", "SCS connection has been terminated for admin user %{username->} at %{saddr}:%{sport}", processor_chain([ - dup240, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg601 = msg("00034:07", part1004); - - var part1005 = match("MESSAGE#593:00034:08", "nwparser.payload", "SCS: SCS has been %{disposition->} for %{username->} with %{fld2->} existing PKA keys already bound to %{fld3->} SSH users.", processor_chain([ - dup240, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg602 = msg("00034:08", part1005); - - var part1006 = match("MESSAGE#594:00034:09", "nwparser.payload", "SCS has been %{disposition->} for %{username->} with %{fld2->} PKA keys already bound to %{fld3->} SSH users", processor_chain([ - dup240, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg603 = msg("00034:09", part1006); - - var part1007 = 
match("MESSAGE#595:00034:10/2", "nwparser.p0", "%{}client at %{saddr->} has attempted to make an SCS connection to %{p0}"); - - var part1008 = match("MESSAGE#595:00034:10/4", "nwparser.p0", "%{interface->} %{p0}"); - - var part1009 = match("MESSAGE#595:00034:10/5_0", "nwparser.p0", "with%{p0}"); - - var part1010 = match("MESSAGE#595:00034:10/5_1", "nwparser.p0", "at%{p0}"); - - var select221 = linear_select([ - part1009, - part1010, - ]); - - var part1011 = match("MESSAGE#595:00034:10/6", "nwparser.p0", "%{}IP %{hostip->} but %{disposition->} because %{result}"); - - var all207 = all_match({ - processors: [ - dup244, - dup385, - part1007, - dup352, - part1008, - select221, - part1011, - ], - on_success: processor_chain([ - dup240, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg604 = msg("00034:10", all207); - - var part1012 = match("MESSAGE#596:00034:12/2", "nwparser.p0", "%{}client at %{saddr}:%{sport->} has attempted to make an SCS connection to %{p0}"); - - var part1013 = match("MESSAGE#596:00034:12/4", "nwparser.p0", "but %{disposition->} because %{result}"); - - var all208 = all_match({ - processors: [ - dup244, - dup385, - part1012, - dup386, - part1013, - ], - on_success: processor_chain([ - dup240, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg605 = msg("00034:12", all208); - - var part1014 = match("MESSAGE#597:00034:11/2", "nwparser.p0", "%{}client at %{saddr}:%{sport->} has %{disposition->} to make an SCS connection to %{p0}"); - - var part1015 = match("MESSAGE#597:00034:11/4", "nwparser.p0", "because %{result}"); - - var all209 = all_match({ - processors: [ - dup244, - dup385, - part1014, - dup386, - part1015, - ], - on_success: processor_chain([ - dup240, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg606 = msg("00034:11", all209); - - var part1016 = match("MESSAGE#598:00034:15", "nwparser.payload", "SSH client at %{saddr}:%{sport->} has %{disposition->} to make an SCS connection because %{result}", processor_chain([ - dup240, - 
dup2, - dup3, - dup4, - dup5, - ])); - - var msg607 = msg("00034:15", part1016); - - var part1017 = match("MESSAGE#599:00034:18/2", "nwparser.p0", "user %{username->} at %{saddr}:%{sport->} cannot log in via SCS to %{service->} using the shared %{interface->} interface because %{result}"); - - var all210 = all_match({ - processors: [ - dup244, - dup387, - part1017, - ], - on_success: processor_chain([ - dup240, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg608 = msg("00034:18", all210); - - var part1018 = match("MESSAGE#600:00034:20/2", "nwparser.p0", "user %{username->} at %{saddr}:%{sport->} has %{disposition->} the PKA RSA challenge"); - - var all211 = all_match({ - processors: [ - dup244, - dup387, - part1018, - ], - on_success: processor_chain([ - dup240, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg609 = msg("00034:20", all211); - - var part1019 = match("MESSAGE#601:00034:21/2", "nwparser.p0", "user %{username->} at %{saddr}:%{sport->} has requested %{p0}"); - - var part1020 = match("MESSAGE#601:00034:21/4", "nwparser.p0", "authentication which is not %{p0}"); - - var part1021 = match("MESSAGE#601:00034:21/5_0", "nwparser.p0", "supported %{p0}"); - - var select222 = linear_select([ - part1021, - dup156, - ]); - - var part1022 = match("MESSAGE#601:00034:21/6", "nwparser.p0", "for that %{p0}"); - - var part1023 = match("MESSAGE#601:00034:21/7_0", "nwparser.p0", "client%{}"); - - var part1024 = match("MESSAGE#601:00034:21/7_1", "nwparser.p0", "user%{}"); - - var select223 = linear_select([ - part1023, - part1024, - ]); - - var all212 = all_match({ - processors: [ - dup244, - dup387, - part1019, - dup372, - part1020, - select222, - part1022, - select223, - ], - on_success: processor_chain([ - dup240, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg610 = msg("00034:21", all212); - - var part1025 = match("MESSAGE#602:00034:22", "nwparser.payload", "SSH user %{username->} at %{saddr}:%{sport->} has unsuccessfully attempted to log in via SCS 
to vsys %{fld2->} using the shared untrusted interface", processor_chain([ - dup240, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg611 = msg("00034:22", part1025); - - var part1026 = match("MESSAGE#603:00034:23/1_0", "nwparser.p0", "SCS: Unable %{p0}"); - - var part1027 = match("MESSAGE#603:00034:23/1_1", "nwparser.p0", "Unable %{p0}"); - - var select224 = linear_select([ - part1026, - part1027, - ]); - - var part1028 = match("MESSAGE#603:00034:23/2", "nwparser.p0", "to validate cookie from the SSH client at %{saddr}:%{sport}"); - - var all213 = all_match({ - processors: [ - dup160, - select224, - part1028, - ], - on_success: processor_chain([ - dup240, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg612 = msg("00034:23", all213); - - var part1029 = match("MESSAGE#604:00034:24", "nwparser.payload", "AC %{username->} is advertising URL %{fld2}", processor_chain([ - dup240, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg613 = msg("00034:24", part1029); - - var part1030 = match("MESSAGE#605:00034:25", "nwparser.payload", "Message from AC %{username}: %{fld2}", processor_chain([ - dup240, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg614 = msg("00034:25", part1030); - - var part1031 = match("MESSAGE#606:00034:26", "nwparser.payload", "PPPoE Settings changed%{}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg615 = msg("00034:26", part1031); - - var part1032 = match("MESSAGE#607:00034:27", "nwparser.payload", "PPPoE is %{disposition->} on %{interface->} interface", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg616 = msg("00034:27", part1032); - - var part1033 = match("MESSAGE#608:00034:28", "nwparser.payload", "PPPoE%{quote}s session closed by AC", processor_chain([ - dup209, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg617 = msg("00034:28", part1033); - - var part1034 = match("MESSAGE#609:00034:29", "nwparser.payload", "SCS: Disabled for %{username}. 
Attempted connection %{disposition->} from %{saddr}:%{sport}", processor_chain([ - dup240, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg618 = msg("00034:29", part1034); - - var part1035 = match("MESSAGE#610:00034:30", "nwparser.payload", "SCS: %{disposition->} to remove PKA key removed.", processor_chain([ - dup240, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg619 = msg("00034:30", part1035); - - var part1036 = match("MESSAGE#611:00034:31", "nwparser.payload", "SCS: %{disposition->} to retrieve host key", processor_chain([ - dup240, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg620 = msg("00034:31", part1036); - - var part1037 = match("MESSAGE#612:00034:32", "nwparser.payload", "SCS: %{disposition->} to send identification string to client host at %{saddr}:%{sport}.", processor_chain([ - dup240, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg621 = msg("00034:32", part1037); - - var part1038 = match("MESSAGE#613:00034:33", "nwparser.payload", "SCS: Max %{fld2->} sessions reached unabel to accept connection : %{saddr}:%{sport}", processor_chain([ - dup240, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg622 = msg("00034:33", part1038); - - var part1039 = match("MESSAGE#614:00034:34", "nwparser.payload", "SCS: Maximum number for SCS sessions %{fld2->} has been reached. 
Connection request from SSH user at %{saddr}:%{sport->} has been %{disposition}.", processor_chain([ - dup240, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg623 = msg("00034:34", part1039); - - var part1040 = match("MESSAGE#615:00034:35", "nwparser.payload", "SCS: SSH user %{username->} at %{saddr}:%{sport->} has unsuccessfully attempted to log in via SCS to %{service->} using the shared untrusted interface because SCS is disabled on that interface.", processor_chain([ - dup240, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg624 = msg("00034:35", part1040); - - var part1041 = match("MESSAGE#616:00034:36", "nwparser.payload", "SCS: Unsupported cipher type %{fld2->} requested from: %{saddr}:%{sport}", processor_chain([ - dup240, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg625 = msg("00034:36", part1041); - - var part1042 = match("MESSAGE#617:00034:37", "nwparser.payload", "The Point-to-Point Protocol over Ethernet (PPPoE) protocol settings changed%{}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg626 = msg("00034:37", part1042); - - var part1043 = match("MESSAGE#618:00034:38", "nwparser.payload", "SSH: %{disposition->} to retreive PKA key bound to SSH user %{username->} (Key ID %{fld2})", processor_chain([ - dup240, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg627 = msg("00034:38", part1043); - - var part1044 = match("MESSAGE#619:00034:39", "nwparser.payload", "SSH: Error processing packet from host %{saddr->} (Code %{fld2})", processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg628 = msg("00034:39", part1044); - - var part1045 = match("MESSAGE#620:00034:40", "nwparser.payload", "SSH: Device failed to send initialization string to client at %{saddr}", processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg629 = msg("00034:40", part1045); - - var part1046 = match("MESSAGE#621:00034:41/0", "nwparser.payload", "SCP: Admin user '%{administrator}' attempted to transfer file 
%{p0}"); - - var part1047 = match("MESSAGE#621:00034:41/2", "nwparser.p0", "the device with insufficient privilege.%{}"); - - var all214 = all_match({ - processors: [ - part1046, - dup373, - part1047, - ], - on_success: processor_chain([ - dup240, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg630 = msg("00034:41", all214); - - var part1048 = match("MESSAGE#622:00034:42", "nwparser.payload", "SSH: Maximum number of SSH sessions (%{fld2}) exceeded. Connection request from SSH user %{username->} at %{saddr->} denied.", processor_chain([ - dup240, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg631 = msg("00034:42", part1048); - - var part1049 = match("MESSAGE#623:00034:43", "nwparser.payload", "Ethernet driver ran out of rx bd (port %{network_port})", processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg632 = msg("00034:43", part1049); - - var part1050 = match("MESSAGE#1224:00034:44", "nwparser.payload", "Potential replay attack detected on SSH connection initiated from %{saddr}:%{sport->} (%{fld1})", processor_chain([ - dup44, - dup2, - dup4, - dup5, - dup9, - ])); - - var msg633 = msg("00034:44", part1050); - - var select225 = linear_select([ - msg594, - msg595, - msg596, - msg597, - msg598, - msg599, - msg600, - msg601, - msg602, - msg603, - msg604, - msg605, - msg606, - msg607, - msg608, - msg609, - msg610, - msg611, - msg612, - msg613, - msg614, - msg615, - msg616, - msg617, - msg618, - msg619, - msg620, - msg621, - msg622, - msg623, - msg624, - msg625, - msg626, - msg627, - msg628, - msg629, - msg630, - msg631, - msg632, - msg633, - ]); - - var part1051 = match("MESSAGE#624:00035", "nwparser.payload", "PKI Verify Error: %{resultcode}:%{result}", processor_chain([ - dup117, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg634 = msg("00035", part1051); - - var part1052 = match("MESSAGE#625:00035:01", "nwparser.payload", "SSL - Error MessageID in incoming mail - %{fld2}", processor_chain([ - dup117, - dup2, - dup3, - dup4, - 
dup5, - ])); - - var msg635 = msg("00035:01", part1052); - - var part1053 = match("MESSAGE#626:00035:02", "nwparser.payload", "SSL - cipher type %{fld2->} is not allowed in export or firewall only system", processor_chain([ - dup117, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg636 = msg("00035:02", part1053); - - var part1054 = match("MESSAGE#627:00035:03", "nwparser.payload", "SSL CA changed%{}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg637 = msg("00035:03", part1054); - - var part1055 = match("MESSAGE#628:00035:04/0", "nwparser.payload", "SSL Error when retrieve local c%{p0}"); - - var part1056 = match("MESSAGE#628:00035:04/1_0", "nwparser.p0", "a(verify) %{p0}"); - - var part1057 = match("MESSAGE#628:00035:04/1_1", "nwparser.p0", "ert(verify) %{p0}"); - - var part1058 = match("MESSAGE#628:00035:04/1_2", "nwparser.p0", "ert(all) %{p0}"); - - var select226 = linear_select([ - part1056, - part1057, - part1058, - ]); - - var part1059 = match("MESSAGE#628:00035:04/2", "nwparser.p0", ": %{fld2}"); - - var all215 = all_match({ - processors: [ - part1055, - select226, - part1059, - ], - on_success: processor_chain([ - dup117, - dup2, - dup4, - dup5, - dup3, - ]), - }); - - var msg638 = msg("00035:04", all215); - - var part1060 = match("MESSAGE#629:00035:05", "nwparser.payload", "SSL No ssl context. 
Not ready for connections.%{}", processor_chain([ - dup117, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg639 = msg("00035:05", part1060); - - var part1061 = match("MESSAGE#630:00035:06/0", "nwparser.payload", "SSL c%{p0}"); - - var part1062 = match("MESSAGE#630:00035:06/2", "nwparser.p0", "changed to none%{}"); - - var all216 = all_match({ - processors: [ - part1061, - dup388, - part1062, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg640 = msg("00035:06", all216); - - var part1063 = match("MESSAGE#631:00035:07", "nwparser.payload", "SSL cert subject mismatch: %{fld2->} recieved %{fld3->} is expected", processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg641 = msg("00035:07", part1063); - - var part1064 = match("MESSAGE#632:00035:08", "nwparser.payload", "SSL certificate changed%{}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg642 = msg("00035:08", part1064); - - var part1065 = match("MESSAGE#633:00035:09/1_0", "nwparser.p0", "enabled%{}"); - - var select227 = linear_select([ - part1065, - dup92, - ]); - - var all217 = all_match({ - processors: [ - dup253, - select227, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg643 = msg("00035:09", all217); - - var part1066 = match("MESSAGE#634:00035:10/0", "nwparser.payload", "SSL memory allocation fails in process_c%{p0}"); - - var part1067 = match("MESSAGE#634:00035:10/1_0", "nwparser.p0", "a()%{}"); - - var part1068 = match("MESSAGE#634:00035:10/1_1", "nwparser.p0", "ert()%{}"); - - var select228 = linear_select([ - part1067, - part1068, - ]); - - var all218 = all_match({ - processors: [ - part1066, - select228, - ], - on_success: processor_chain([ - dup184, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg644 = msg("00035:10", all218); - - var part1069 = match("MESSAGE#635:00035:11/0", "nwparser.payload", "SSL no ssl c%{p0}"); - - var part1070 = 
match("MESSAGE#635:00035:11/1_0", "nwparser.p0", "a%{}"); - - var part1071 = match("MESSAGE#635:00035:11/1_1", "nwparser.p0", "ert%{}"); - - var select229 = linear_select([ - part1070, - part1071, - ]); - - var all219 = all_match({ - processors: [ - part1069, - select229, - ], - on_success: processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg645 = msg("00035:11", all219); - - var part1072 = match("MESSAGE#636:00035:12/0", "nwparser.payload", "SSL set c%{p0}"); - - var part1073 = match("MESSAGE#636:00035:12/2", "nwparser.p0", "id is invalid %{fld2}"); - - var all220 = all_match({ - processors: [ - part1072, - dup388, - part1073, - ], - on_success: processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg646 = msg("00035:12", all220); - - var part1074 = match("MESSAGE#637:00035:13/1_1", "nwparser.p0", "verify %{p0}"); - - var select230 = linear_select([ - dup101, - part1074, - ]); - - var part1075 = match("MESSAGE#637:00035:13/2", "nwparser.p0", "cert failed. 
Key type is not RSA%{}"); - - var all221 = all_match({ - processors: [ - dup253, - select230, - part1075, - ], - on_success: processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg647 = msg("00035:13", all221); - - var part1076 = match("MESSAGE#638:00035:14", "nwparser.payload", "SSL ssl context init failed%{}", processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg648 = msg("00035:14", part1076); - - var part1077 = match("MESSAGE#639:00035:15/0", "nwparser.payload", "%{change_attribute->} has been changed %{p0}"); - - var part1078 = match("MESSAGE#639:00035:15/1_0", "nwparser.p0", "from %{change_old->} to %{change_new}"); - - var part1079 = match("MESSAGE#639:00035:15/1_1", "nwparser.p0", "to %{fld2}"); - - var select231 = linear_select([ - part1078, - part1079, - ]); - - var all222 = all_match({ - processors: [ - part1077, - select231, - ], - on_success: processor_chain([ - dup184, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg649 = msg("00035:15", all222); - - var part1080 = match("MESSAGE#640:00035:16", "nwparser.payload", "web SSL certificate changed to by %{username->} via web from host %{saddr->} to %{daddr}:%{dport->} %{fld5}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg650 = msg("00035:16", part1080); - - var select232 = linear_select([ - msg634, - msg635, - msg636, - msg637, - msg638, - msg639, - msg640, - msg641, - msg642, - msg643, - msg644, - msg645, - msg646, - msg647, - msg648, - msg649, - msg650, - ]); - - var part1081 = match("MESSAGE#641:00036", "nwparser.payload", "An optional ScreenOS feature has been activated via a software key%{}", processor_chain([ - dup209, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg651 = msg("00036", part1081); - - var part1082 = match("MESSAGE#642:00036:01/0", "nwparser.payload", "%{fld2->} license keys were updated successfully by %{p0}"); - - var part1083 = match("MESSAGE#642:00036:01/1_1", "nwparser.p0", "manual %{p0}"); 
- - var select233 = linear_select([ - dup214, - part1083, - ]); - - var part1084 = match("MESSAGE#642:00036:01/2", "nwparser.p0", "retrieval%{}"); - - var all223 = all_match({ - processors: [ - part1082, - select233, - part1084, - ], - on_success: processor_chain([ - dup254, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg652 = msg("00036:01", all223); - - var select234 = linear_select([ - msg651, - msg652, - ]); - - var part1085 = match("MESSAGE#643:00037/0", "nwparser.payload", "Intra-zone block for zone %{zone->} was set to o%{p0}"); - - var part1086 = match("MESSAGE#643:00037/1_0", "nwparser.p0", "n%{}"); - - var part1087 = match("MESSAGE#643:00037/1_1", "nwparser.p0", "ff%{}"); - - var select235 = linear_select([ - part1086, - part1087, - ]); - - var all224 = all_match({ - processors: [ - part1085, - select235, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg653 = msg("00037", all224); - - var part1088 = match("MESSAGE#644:00037:01/0", "nwparser.payload", "New zone %{zone->} ( %{p0}"); - - var select236 = linear_select([ - dup255, - dup256, - ]); - - var part1089 = match("MESSAGE#644:00037:01/2", "nwparser.p0", "%{fld2}) was created.%{p0}"); - - var all225 = all_match({ - processors: [ - part1088, - select236, - part1089, - dup351, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg654 = msg("00037:01", all225); - - var part1090 = match("MESSAGE#645:00037:02", "nwparser.payload", "Tunnel zone %{src_zone->} was bound to out zone %{dst_zone}.", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg655 = msg("00037:02", part1090); - - var part1091 = match("MESSAGE#646:00037:03/1_0", "nwparser.p0", "was was %{p0}"); - - var part1092 = match("MESSAGE#646:00037:03/1_1", "nwparser.p0", "%{zone->} was %{p0}"); - - var select237 = linear_select([ - part1091, - part1092, - ]); - - var part1093 = match("MESSAGE#646:00037:03/3", 
"nwparser.p0", "virtual router %{p0}"); - - var part1094 = match("MESSAGE#646:00037:03/4_0", "nwparser.p0", "%{node->} (%{fld1})"); - - var part1095 = match("MESSAGE#646:00037:03/4_1", "nwparser.p0", "%{node}."); - - var select238 = linear_select([ - part1094, - part1095, - ]); - - var all226 = all_match({ - processors: [ - dup113, - select237, - dup371, - part1093, - select238, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg656 = msg("00037:03", all226); - - var part1096 = match("MESSAGE#647:00037:04", "nwparser.payload", "Zone %{zone->} was changed to non-shared.", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg657 = msg("00037:04", part1096); - - var part1097 = match("MESSAGE#648:00037:05/0", "nwparser.payload", "Zone %{zone->} ( %{p0}"); - - var select239 = linear_select([ - dup256, - dup255, - ]); - - var part1098 = match("MESSAGE#648:00037:05/2", "nwparser.p0", "%{fld2}) was deleted. %{p0}"); - - var part1099 = match_copy("MESSAGE#648:00037:05/3_1", "nwparser.p0", "space"); - - var select240 = linear_select([ - dup10, - part1099, - ]); - - var all227 = all_match({ - processors: [ - part1097, - select239, - part1098, - select240, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg658 = msg("00037:05", all227); - - var part1100 = match("MESSAGE#649:00037:06", "nwparser.payload", "IP/TCP reassembly for ALG was %{disposition->} on zone %{zone}.", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg659 = msg("00037:06", part1100); - - var select241 = linear_select([ - msg653, - msg654, - msg655, - msg656, - msg657, - msg658, - msg659, - ]); - - var part1101 = match("MESSAGE#650:00038/0", "nwparser.payload", "OSPF routing instance in vrouter %{p0}"); - - var part1102 = match("MESSAGE#650:00038/1_0", "nwparser.p0", "%{node->} is %{p0}"); - - var part1103 = match("MESSAGE#650:00038/1_1", 
"nwparser.p0", "%{node->} %{p0}"); - - var select242 = linear_select([ - part1102, - part1103, - ]); - - var all228 = all_match({ - processors: [ - part1101, - select242, - dup36, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg660 = msg("00038", all228); - - var part1104 = match("MESSAGE#651:00039", "nwparser.payload", "BGP instance name created for vr %{node}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg661 = msg("00039", part1104); - - var part1105 = match("MESSAGE#652:00040/0_0", "nwparser.payload", "Low watermark%{p0}"); - - var part1106 = match("MESSAGE#652:00040/0_1", "nwparser.payload", "High watermark%{p0}"); - - var select243 = linear_select([ - part1105, - part1106, - ]); - - var part1107 = match("MESSAGE#652:00040/1", "nwparser.p0", "%{}for early aging has been changed to the default %{fld2}"); - - var all229 = all_match({ - processors: [ - select243, - part1107, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg662 = msg("00040", all229); - - var part1108 = match("MESSAGE#653:00040:01", "nwparser.payload", "VPN '%{group}' from %{daddr->} is %{disposition->} (%{fld1})", processor_chain([ - dup44, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg663 = msg("00040:01", part1108); - - var select244 = linear_select([ - msg662, - msg663, - ]); - - var part1109 = match("MESSAGE#654:00041", "nwparser.payload", "A route-map name in virtual router %{node->} has been removed", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg664 = msg("00041", part1109); - - var part1110 = match("MESSAGE#655:00041:01", "nwparser.payload", "VPN '%{group}' from %{daddr->} is %{disposition->} (%{fld1})", processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg665 = msg("00041:01", part1110); - - var select245 = linear_select([ - msg664, - msg665, - ]); - - var part1111 = 
match("MESSAGE#656:00042", "nwparser.payload", "Replay packet detected on IPSec tunnel on %{interface->} with tunnel ID %{fld2}! From %{saddr->} to %{daddr}/%{dport}, %{info->} (%{fld1})", processor_chain([ - dup58, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg666 = msg("00042", part1111); - - var part1112 = match("MESSAGE#657:00042:01", "nwparser.payload", "%{signame->} From %{saddr->} to %{daddr}, using protocol %{protocol}, and arriving at interface %{dinterface->} in zone %{dst_zone}.The attack occurred %{dclass_counter1->} times. (%{fld1})", processor_chain([ - dup58, - dup2, - dup3, - dup59, - dup9, - dup4, - dup5, - dup60, - ])); - - var msg667 = msg("00042:01", part1112); - - var select246 = linear_select([ - msg666, - msg667, - ]); - - var part1113 = match("MESSAGE#658:00043", "nwparser.payload", "Receive StopCCN_msg, remove l2tp tunnel (%{fld2}-%{fld3}), Result code %{resultcode->} (%{result}). (%{fld1})", processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg668 = msg("00043", part1113); - - var part1114 = match("MESSAGE#659:00044/0", "nwparser.payload", "access list %{listnum->} sequence number %{fld3->} %{p0}"); - - var part1115 = match("MESSAGE#659:00044/1_1", "nwparser.p0", "deny %{p0}"); - - var select247 = linear_select([ - dup257, - part1115, - ]); - - var part1116 = match("MESSAGE#659:00044/2", "nwparser.p0", "ip %{hostip}/%{mask->} %{disposition->} in vrouter %{node}"); - - var all230 = all_match({ - processors: [ - part1114, - select247, - part1116, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg669 = msg("00044", all230); - - var part1117 = match("MESSAGE#660:00044:01", "nwparser.payload", "access list %{listnum->} %{disposition->} in vrouter %{node}.", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg670 = msg("00044:01", part1117); - - var select248 = linear_select([ - msg669, - msg670, - ]); - - var part1118 = 
match("MESSAGE#661:00045", "nwparser.payload", "RIP instance in virtual router %{node->} was %{disposition}.", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg671 = msg("00045", part1118); - - var part1119 = match("MESSAGE#662:00047/1_0", "nwparser.p0", "remove %{p0}"); - - var part1120 = match("MESSAGE#662:00047/1_1", "nwparser.p0", "add %{p0}"); - - var select249 = linear_select([ - part1119, - part1120, - ]); - - var part1121 = match("MESSAGE#662:00047/2", "nwparser.p0", "multicast policy from %{src_zone->} %{fld4->} to %{dst_zone->} %{fld3->} (%{fld1})"); - - var all231 = all_match({ - processors: [ - dup183, - select249, - part1121, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg672 = msg("00047", all231); - - var part1122 = match("MESSAGE#663:00048/0", "nwparser.payload", "Access list entry %{listnum->} with %{p0}"); - - var part1123 = match("MESSAGE#663:00048/1_0", "nwparser.p0", "a sequence %{p0}"); - - var part1124 = match("MESSAGE#663:00048/1_1", "nwparser.p0", "sequence %{p0}"); - - var select250 = linear_select([ - part1123, - part1124, - ]); - - var part1125 = match("MESSAGE#663:00048/2", "nwparser.p0", "number %{fld2->} %{p0}"); - - var part1126 = match("MESSAGE#663:00048/3_0", "nwparser.p0", "with an action of %{p0}"); - - var select251 = linear_select([ - part1126, - dup112, - ]); - - var part1127 = match("MESSAGE#663:00048/5_0", "nwparser.p0", "with an IP %{p0}"); - - var select252 = linear_select([ - part1127, - dup139, - ]); - - var part1128 = match("MESSAGE#663:00048/6", "nwparser.p0", "address %{p0}"); - - var part1129 = match("MESSAGE#663:00048/7_0", "nwparser.p0", "and subnetwork mask of %{p0}"); - - var select253 = linear_select([ - part1129, - dup16, - ]); - - var part1130 = match("MESSAGE#663:00048/8", "nwparser.p0", "%{} %{fld3}was %{p0}"); - - var part1131 = match("MESSAGE#663:00048/9_0", "nwparser.p0", "created on %{p0}"); - - var select254 = 
linear_select([ - part1131, - dup129, - ]); - - var part1132 = match("MESSAGE#663:00048/10", "nwparser.p0", "virtual router %{node->} (%{fld1})"); - - var all232 = all_match({ - processors: [ - part1122, - select250, - part1125, - select251, - dup257, - select252, - part1128, - select253, - part1130, - select254, - part1132, - ], - on_success: processor_chain([ - setc("eventcategory","1501000000"), - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg673 = msg("00048", all232); - - var part1133 = match("MESSAGE#664:00048:01/0", "nwparser.payload", "Route %{p0}"); - - var part1134 = match("MESSAGE#664:00048:01/1_0", "nwparser.p0", "map entry %{p0}"); - - var part1135 = match("MESSAGE#664:00048:01/1_1", "nwparser.p0", "entry %{p0}"); - - var select255 = linear_select([ - part1134, - part1135, - ]); - - var part1136 = match("MESSAGE#664:00048:01/2", "nwparser.p0", "with sequence number %{fld2->} in route map binck-ospf%{p0}"); - - var part1137 = match("MESSAGE#664:00048:01/3_0", "nwparser.p0", " in %{p0}"); - - var select256 = linear_select([ - part1137, - dup105, - ]); - - var part1138 = match("MESSAGE#664:00048:01/4", "nwparser.p0", "virtual router %{node->} was %{disposition->} (%{fld1})"); - - var all233 = all_match({ - processors: [ - part1133, - select255, - part1136, - select256, - part1138, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg674 = msg("00048:01", all233); - - var part1139 = match("MESSAGE#665:00048:02", "nwparser.payload", "%{space}set match interface %{interface->} (%{fld1})", processor_chain([ - dup209, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg675 = msg("00048:02", part1139); - - var select257 = linear_select([ - msg673, - msg674, - msg675, - ]); - - var part1140 = match("MESSAGE#666:00049", "nwparser.payload", "Route-lookup preference changed to %{fld8->} (%{fld2}) => %{fld3->} (%{fld4}) => %{fld5->} (%{fld6}) in virtual router (%{node})", processor_chain([ - 
dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg676 = msg("00049", part1140); - - var part1141 = match("MESSAGE#667:00049:01", "nwparser.payload", "SIBR routing %{disposition->} in virtual router %{node}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg677 = msg("00049:01", part1141); - - var part1142 = match("MESSAGE#668:00049:02", "nwparser.payload", "A virtual router with name %{node->} and ID %{fld2->} has been removed", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg678 = msg("00049:02", part1142); - - var part1143 = match("MESSAGE#669:00049:03", "nwparser.payload", "The router-id of virtual router \"%{node}\" used by OSPF, BGP routing instances id has been uninitialized. (%{fld1})", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg679 = msg("00049:03", part1143); - - var part1144 = match("MESSAGE#670:00049:04", "nwparser.payload", "The system default-route through virtual router \"%{node}\" has been added in virtual router \"%{fld4}\" (%{fld1})", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg680 = msg("00049:04", part1144); - - var part1145 = match("MESSAGE#671:00049:05", "nwparser.payload", "Subnetwork conflict checking for interfaces in virtual router (%{node}) has been enabled. 
(%{fld1})", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg681 = msg("00049:05", part1145); - - var select258 = linear_select([ - msg676, - msg677, - msg678, - msg679, - msg680, - msg681, - ]); - - var part1146 = match("MESSAGE#672:00050", "nwparser.payload", "Track IP enabled (%{fld1})", processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg682 = msg("00050", part1146); - - var part1147 = match("MESSAGE#673:00051", "nwparser.payload", "Session utilization has reached %{fld2}, which is %{fld3->} of the system capacity!", processor_chain([ - dup117, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg683 = msg("00051", part1147); - - var part1148 = match("MESSAGE#674:00052", "nwparser.payload", "AV: Suspicious client %{saddr}:%{sport}->%{daddr}:%{dport->} used %{fld2->} percent of AV resources, which exceeded the max of %{fld3->} percent.", processor_chain([ - dup117, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg684 = msg("00052", part1148); - - var part1149 = match("MESSAGE#675:00055/1_1", "nwparser.p0", "router %{p0}"); - - var select259 = linear_select([ - dup169, - part1149, - ]); - - var part1150 = match("MESSAGE#675:00055/2", "nwparser.p0", "instance was %{disposition->} on interface %{interface}."); - - var all234 = all_match({ - processors: [ - dup258, - select259, - part1150, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg685 = msg("00055", all234); - - var part1151 = match("MESSAGE#676:00055:01/1_0", "nwparser.p0", "proxy %{p0}"); - - var part1152 = match("MESSAGE#676:00055:01/1_1", "nwparser.p0", "function %{p0}"); - - var select260 = linear_select([ - part1151, - part1152, - ]); - - var part1153 = match("MESSAGE#676:00055:01/2", "nwparser.p0", "was %{disposition->} on interface %{interface}."); - - var all235 = all_match({ - processors: [ - dup258, - select260, - part1153, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, 
- dup5, - ]), - }); - - var msg686 = msg("00055:01", all235); - - var part1154 = match("MESSAGE#677:00055:02/2", "nwparser.p0", "same subnet check on interface %{interface}."); - - var all236 = all_match({ - processors: [ - dup259, - dup389, - part1154, - ], - on_success: processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg687 = msg("00055:02", all236); - - var part1155 = match("MESSAGE#678:00055:03/2", "nwparser.p0", "router alert IP option check on interface %{interface}."); - - var all237 = all_match({ - processors: [ - dup259, - dup389, - part1155, - ], - on_success: processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg688 = msg("00055:03", all237); - - var part1156 = match("MESSAGE#679:00055:04", "nwparser.payload", "IGMP version was changed to %{version->} on interface %{interface}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg689 = msg("00055:04", part1156); - - var part1157 = match("MESSAGE#680:00055:05/0", "nwparser.payload", "IGMP query %{p0}"); - - var part1158 = match("MESSAGE#680:00055:05/1_1", "nwparser.p0", "max response time %{p0}"); - - var select261 = linear_select([ - dup110, - part1158, - ]); - - var part1159 = match("MESSAGE#680:00055:05/2", "nwparser.p0", "was changed to %{fld2->} on interface %{interface}"); - - var all238 = all_match({ - processors: [ - part1157, - select261, - part1159, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg690 = msg("00055:05", all238); - - var part1160 = match("MESSAGE#681:00055:06/0", "nwparser.payload", "IGMP l%{p0}"); - - var part1161 = match("MESSAGE#681:00055:06/1_0", "nwparser.p0", "eave %{p0}"); - - var part1162 = match("MESSAGE#681:00055:06/1_1", "nwparser.p0", "ast member query %{p0}"); - - var select262 = linear_select([ - part1161, - part1162, - ]); - - var part1163 = match("MESSAGE#681:00055:06/2", "nwparser.p0", "interval was changed to %{fld2->} on interface 
%{interface}."); - - var all239 = all_match({ - processors: [ - part1160, - select262, - part1163, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg691 = msg("00055:06", all239); - - var part1164 = match("MESSAGE#682:00055:07/1_0", "nwparser.p0", "routers %{p0}"); - - var part1165 = match("MESSAGE#682:00055:07/1_1", "nwparser.p0", "hosts %{p0}"); - - var part1166 = match("MESSAGE#682:00055:07/1_2", "nwparser.p0", "groups %{p0}"); - - var select263 = linear_select([ - part1164, - part1165, - part1166, - ]); - - var part1167 = match("MESSAGE#682:00055:07/2", "nwparser.p0", "accept list ID was changed to %{fld2->} on interface %{interface}."); - - var all240 = all_match({ - processors: [ - dup258, - select263, - part1167, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg692 = msg("00055:07", all240); - - var part1168 = match("MESSAGE#683:00055:08/1_0", "nwparser.p0", "all groups %{p0}"); - - var part1169 = match("MESSAGE#683:00055:08/1_1", "nwparser.p0", "group %{p0}"); - - var select264 = linear_select([ - part1168, - part1169, - ]); - - var part1170 = match("MESSAGE#683:00055:08/2", "nwparser.p0", "%{group->} static flag was %{disposition->} on interface %{interface}."); - - var all241 = all_match({ - processors: [ - dup258, - select264, - part1170, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg693 = msg("00055:08", all241); - - var part1171 = match("MESSAGE#684:00055:09", "nwparser.payload", "IGMP static group %{group->} was added on interface %{interface}", processor_chain([ - dup209, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg694 = msg("00055:09", part1171); - - var part1172 = match("MESSAGE#685:00055:10", "nwparser.payload", "IGMP proxy always is %{disposition->} on interface %{interface}.", processor_chain([ - dup209, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg695 = msg("00055:10", part1172); - 
- var select265 = linear_select([ - msg685, - msg686, - msg687, - msg688, - msg689, - msg690, - msg691, - msg692, - msg693, - msg694, - msg695, - ]); - - var part1173 = match("MESSAGE#686:00056", "nwparser.payload", "Remove multicast policy from %{src_zone->} %{saddr->} to %{dst_zone->} %{daddr}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg696 = msg("00056", part1173); - - var part1174 = match("MESSAGE#687:00057", "nwparser.payload", "%{fld2}: static multicast route src=%{saddr}, grp=%{group->} input ifp = %{sinterface->} output ifp = %{dinterface->} added", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg697 = msg("00057", part1174); - - var part1175 = match("MESSAGE#688:00058", "nwparser.payload", "PIMSM protocol configured on interface %{interface}", processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg698 = msg("00058", part1175); - - var part1176 = match("MESSAGE#689:00059/0", "nwparser.payload", "DDNS module is %{p0}"); - - var part1177 = match("MESSAGE#689:00059/1_0", "nwparser.p0", "initialized %{p0}"); - - var select266 = linear_select([ - part1177, - dup262, - dup157, - dup156, - ]); - - var all242 = all_match({ - processors: [ - part1176, - select266, - dup116, - ], - on_success: processor_chain([ - dup209, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg699 = msg("00059", all242); - - var part1178 = match("MESSAGE#690:00059:02/0", "nwparser.payload", "DDNS entry with id %{fld2->} is configured with server type \"%{fld3}\" name \"%{hostname}\" refresh-interval %{fld5->} hours minimum update interval %{fld6->} minutes with %{p0}"); - - var part1179 = match("MESSAGE#690:00059:02/1_0", "nwparser.p0", "secure %{p0}"); - - var part1180 = match("MESSAGE#690:00059:02/1_1", "nwparser.p0", "clear-text %{p0}"); - - var select267 = linear_select([ - part1179, - part1180, - ]); - - var part1181 = match("MESSAGE#690:00059:02/2", "nwparser.p0", "secure connection.%{}"); - - var 
all243 = all_match({ - processors: [ - part1178, - select267, - part1181, - ], - on_success: processor_chain([ - dup209, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg700 = msg("00059:02", all243); - - var part1182 = match("MESSAGE#691:00059:03", "nwparser.payload", "DDNS entry with id %{fld2->} is configured with user name \"%{username}\" agent \"%{fld3}\"", processor_chain([ - dup209, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg701 = msg("00059:03", part1182); - - var part1183 = match("MESSAGE#692:00059:04", "nwparser.payload", "DDNS entry with id %{fld2->} is configured with interface \"%{interface}\" host-name \"%{hostname}\"", processor_chain([ - dup209, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg702 = msg("00059:04", part1183); - - var part1184 = match("MESSAGE#693:00059:05/0_0", "nwparser.payload", "Hostname %{p0}"); - - var part1185 = match("MESSAGE#693:00059:05/0_1", "nwparser.payload", "Source interface %{p0}"); - - var part1186 = match("MESSAGE#693:00059:05/0_2", "nwparser.payload", "Username and password %{p0}"); - - var part1187 = match("MESSAGE#693:00059:05/0_3", "nwparser.payload", "Server %{p0}"); - - var select268 = linear_select([ - part1184, - part1185, - part1186, - part1187, - ]); - - var part1188 = match("MESSAGE#693:00059:05/1", "nwparser.p0", "of DDNS entry with id %{fld2->} is cleared."); - - var all244 = all_match({ - processors: [ - select268, - part1188, - ], - on_success: processor_chain([ - dup209, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg703 = msg("00059:05", all244); - - var part1189 = match("MESSAGE#694:00059:06", "nwparser.payload", "Agent of DDNS entry with id %{fld2->} is reset to its default value.", processor_chain([ - dup209, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg704 = msg("00059:06", part1189); - - var part1190 = match("MESSAGE#695:00059:07", "nwparser.payload", "Updates for DDNS entry with id %{fld2->} are set to be sent in secure (%{protocol}) mode.", processor_chain([ - 
dup209, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg705 = msg("00059:07", part1190); - - var part1191 = match("MESSAGE#696:00059:08/0_0", "nwparser.payload", "Refresh %{p0}"); - - var part1192 = match("MESSAGE#696:00059:08/0_1", "nwparser.payload", "Minimum update %{p0}"); - - var select269 = linear_select([ - part1191, - part1192, - ]); - - var part1193 = match("MESSAGE#696:00059:08/1", "nwparser.p0", "interval of DDNS entry with id %{fld2->} is set to default value (%{fld3})."); - - var all245 = all_match({ - processors: [ - select269, - part1193, - ], - on_success: processor_chain([ - dup209, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg706 = msg("00059:08", all245); - - var part1194 = match("MESSAGE#697:00059:09/1_0", "nwparser.p0", "No-Change %{p0}"); - - var part1195 = match("MESSAGE#697:00059:09/1_1", "nwparser.p0", "Error %{p0}"); - - var select270 = linear_select([ - part1194, - part1195, - ]); - - var part1196 = match("MESSAGE#697:00059:09/2", "nwparser.p0", "response received for DDNS entry update for id %{fld2->} user \"%{username}\" domain \"%{domain}\" server type \" d%{p0}"); - - var part1197 = match("MESSAGE#697:00059:09/3_1", "nwparser.p0", "yndns %{p0}"); - - var select271 = linear_select([ - dup261, - part1197, - ]); - - var part1198 = match("MESSAGE#697:00059:09/4", "nwparser.p0", "\", server name \"%{hostname}\""); - - var all246 = all_match({ - processors: [ - dup160, - select270, - part1196, - select271, - part1198, - ], - on_success: processor_chain([ - dup209, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg707 = msg("00059:09", all246); - - var part1199 = match("MESSAGE#698:00059:01", "nwparser.payload", "DDNS entry with id %{fld2->} is %{disposition}.", processor_chain([ - dup209, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg708 = msg("00059:01", part1199); - - var select272 = linear_select([ - msg699, - msg700, - msg701, - msg702, - msg703, - msg704, - msg705, - msg706, - msg707, - msg708, - ]); - - var 
part1200 = match("MESSAGE#699:00062:01", "nwparser.payload", "Track IP IP address %{hostip->} failed. (%{event_time_string})", processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - setc("event_description","Track IP failed"), - ])); - - var msg709 = msg("00062:01", part1200); - - var part1201 = match("MESSAGE#700:00062:02", "nwparser.payload", "Track IP failure reached threshold. (%{event_time_string})", processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - setc("event_description","Track IP failure reached threshold"), - ])); - - var msg710 = msg("00062:02", part1201); - - var part1202 = match("MESSAGE#701:00062:03", "nwparser.payload", "Track IP IP address %{hostip->} succeeded. (%{event_time_string})", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - setc("event_description","Track IP succeeded"), - ])); - - var msg711 = msg("00062:03", part1202); - - var part1203 = match("MESSAGE#702:00062", "nwparser.payload", "HA linkdown%{}", processor_chain([ - dup86, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg712 = msg("00062", part1203); - - var select273 = linear_select([ - msg709, - msg710, - msg711, - msg712, - ]); - - var part1204 = match("MESSAGE#703:00063", "nwparser.payload", "nsrp track-ip ip %{hostip->} %{disposition}!", processor_chain([ - dup86, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg713 = msg("00063", part1204); - - var part1205 = match("MESSAGE#704:00064", "nwparser.payload", "Can not create track-ip list%{}", processor_chain([ - dup86, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg714 = msg("00064", part1205); - - var part1206 = match("MESSAGE#705:00064:01", "nwparser.payload", "track ip fail reaches threshold system may fail over!%{}", processor_chain([ - dup86, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg715 = msg("00064:01", part1206); - - var part1207 = match("MESSAGE#706:00064:02", "nwparser.payload", "Anti-Spam is detached from policy ID %{policy_id}. 
(%{fld1})", processor_chain([ - dup17, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg716 = msg("00064:02", part1207); - - var select274 = linear_select([ - msg714, - msg715, - msg716, - ]); - - var msg717 = msg("00070", dup411); - - var part1208 = match("MESSAGE#708:00070:01/2", "nwparser.p0", "%{}Device group %{group->} changed state from %{fld3->} to %{p0}"); - - var part1209 = match("MESSAGE#708:00070:01/3_0", "nwparser.p0", "Init%{}"); - - var part1210 = match("MESSAGE#708:00070:01/3_1", "nwparser.p0", "init. (%{fld1})"); - - var select275 = linear_select([ - part1209, - part1210, - ]); - - var all247 = all_match({ - processors: [ - dup267, - dup391, - part1208, - select275, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg718 = msg("00070:01", all247); - - var part1211 = match("MESSAGE#709:00070:02", "nwparser.payload", "NSRP: nsrp control channel change to %{interface}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg719 = msg("00070:02", part1211); - - var select276 = linear_select([ - msg717, - msg718, - msg719, - ]); - - var msg720 = msg("00071", dup411); - - var part1212 = match("MESSAGE#711:00071:01", "nwparser.payload", "The local device %{fld1->} in the Virtual Security Device group %{group->} changed state", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg721 = msg("00071:01", part1212); - - var select277 = linear_select([ - msg720, - msg721, - ]); - - var msg722 = msg("00072", dup411); - - var msg723 = msg("00072:01", dup412); - - var select278 = linear_select([ - msg722, - msg723, - ]); - - var msg724 = msg("00073", dup411); - - var msg725 = msg("00073:01", dup412); - - var select279 = linear_select([ - msg724, - msg725, - ]); - - var msg726 = msg("00074", dup392); - - var all248 = all_match({ - processors: [ - dup263, - dup390, - dup271, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - 
}); - - var msg727 = msg("00075", all248); - - var part1213 = match("MESSAGE#718:00075:02", "nwparser.payload", "The local device %{hardware_id->} in the Virtual Security Device group %{group->} changed state from %{event_state->} to inoperable. (%{fld1})", processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - setc("event_description","local device in the Virtual Security Device group changed state to inoperable"), - ])); - - var msg728 = msg("00075:02", part1213); - - var part1214 = match("MESSAGE#719:00075:01", "nwparser.payload", "The local device %{hardware_id->} in the Virtual Security Device group %{group->} %{info}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg729 = msg("00075:01", part1214); - - var select280 = linear_select([ - msg727, - msg728, - msg729, - ]); - - var msg730 = msg("00076", dup392); - - var part1215 = match("MESSAGE#721:00076:01/2", "nwparser.p0", "%{fld2->} of VSD group %{group->} send 2nd path request to unit=%{fld3}"); - - var all249 = all_match({ - processors: [ - dup263, - dup390, - part1215, - ], - on_success: processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg731 = msg("00076:01", all249); - - var select281 = linear_select([ - msg730, - msg731, - ]); - - var part1216 = match("MESSAGE#722:00077", "nwparser.payload", "HA link disconnect. 
Begin to use second path of HA%{}", processor_chain([ - dup144, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg732 = msg("00077", part1216); - - var all250 = all_match({ - processors: [ - dup263, - dup390, - dup271, - ], - on_success: processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg733 = msg("00077:01", all250); - - var part1217 = match("MESSAGE#724:00077:02", "nwparser.payload", "The local device %{fld2->} in the Virtual Security Device group %{group}", processor_chain([ - setc("eventcategory","1607000000"), - dup2, - dup3, - dup4, - dup5, - ])); - - var msg734 = msg("00077:02", part1217); - - var select282 = linear_select([ - msg732, - msg733, - msg734, - ]); - - var part1218 = match("MESSAGE#725:00084", "nwparser.payload", "RTSYNC: NSRP route synchronization is %{disposition}", processor_chain([ - dup272, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg735 = msg("00084", part1218); - - var part1219 = match("MESSAGE#726:00090/0_0", "nwparser.payload", "Failover %{p0}"); - - var part1220 = match("MESSAGE#726:00090/0_1", "nwparser.payload", "Recovery %{p0}"); - - var select283 = linear_select([ - part1219, - part1220, - ]); - - var part1221 = match("MESSAGE#726:00090/3", "nwparser.p0", "untrust interface occurred.%{}"); - - var all251 = all_match({ - processors: [ - select283, - dup103, - dup369, - part1221, - ], - on_success: processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg736 = msg("00090", all251); - - var part1222 = match("MESSAGE#727:00200", "nwparser.payload", "A new route cannot be added to the device because the maximum number of system route entries %{fld2->} has been exceeded", processor_chain([ - dup117, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg737 = msg("00200", part1222); - - var part1223 = match("MESSAGE#728:00201", "nwparser.payload", "A route %{hostip}/%{fld2->} cannot be added to the virtual router %{node->} because the number of route entries in the virtual router 
exceeds the maximum number of routes %{fld3->} allowed", processor_chain([ - dup117, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg738 = msg("00201", part1223); - - var part1224 = match("MESSAGE#729:00202", "nwparser.payload", "%{fld2->} hello-packet flood from neighbor (ip = %{hostip->} router-id = %{fld3}) on interface %{interface->} packet is dropped", processor_chain([ - dup272, - dup2, - dup4, - dup5, - dup3, - ])); - - var msg739 = msg("00202", part1224); - - var part1225 = match("MESSAGE#730:00203", "nwparser.payload", "%{fld2->} lsa flood on interface %{interface->} has dropped a packet.", processor_chain([ - dup272, - dup2, - dup4, - dup5, - dup3, - ])); - - var msg740 = msg("00203", part1225); - - var part1226 = match("MESSAGE#731:00206/0", "nwparser.payload", "The total number of redistributed routes into %{p0}"); - - var part1227 = match("MESSAGE#731:00206/1_0", "nwparser.p0", "BGP %{p0}"); - - var part1228 = match("MESSAGE#731:00206/1_1", "nwparser.p0", "OSPF %{p0}"); - - var select284 = linear_select([ - part1227, - part1228, - ]); - - var part1229 = match("MESSAGE#731:00206/2", "nwparser.p0", "in vrouter %{node->} exceeded system limit (%{fld2})"); - - var all252 = all_match({ - processors: [ - part1226, - select284, - part1229, - ], - on_success: processor_chain([ - dup272, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg741 = msg("00206", all252); - - var part1230 = match("MESSAGE#732:00206:01/0", "nwparser.payload", "LSA flood in OSPF with router-id %{fld2->} on %{p0}"); - - var part1231 = match("MESSAGE#732:00206:01/2", "nwparser.p0", "%{interface->} forced the interface to drop a packet."); - - var all253 = all_match({ - processors: [ - part1230, - dup352, - part1231, - ], - on_success: processor_chain([ - dup273, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg742 = msg("00206:01", all253); - - var part1232 = match("MESSAGE#733:00206:02/0", "nwparser.payload", "OSPF instance with router-id %{fld3->} received a Hello packet 
flood from neighbor (IP address %{hostip}, router ID %{fld2}) on %{p0}"); - - var part1233 = match("MESSAGE#733:00206:02/2", "nwparser.p0", "%{interface->} forcing the interface to drop the packet."); - - var all254 = all_match({ - processors: [ - part1232, - dup352, - part1233, - ], - on_success: processor_chain([ - dup273, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg743 = msg("00206:02", all254); - - var part1234 = match("MESSAGE#734:00206:03", "nwparser.payload", "Link State Advertisement Id %{fld2}, router ID %{fld3}, type %{fld4->} cannot be deleted from the real-time database in area %{fld5}", processor_chain([ - dup273, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg744 = msg("00206:03", part1234); - - var part1235 = match("MESSAGE#735:00206:04", "nwparser.payload", "Reject second OSPF neighbor (%{fld2}) on interface (%{interface}) since it_s configured as point-to-point interface", processor_chain([ - dup273, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg745 = msg("00206:04", part1235); - - var select285 = linear_select([ - msg741, - msg742, - msg743, - msg744, - msg745, - ]); - - var part1236 = match("MESSAGE#736:00207", "nwparser.payload", "System wide RIP route limit exceeded, RIP route dropped.%{}", processor_chain([ - dup273, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg746 = msg("00207", part1236); - - var part1237 = match("MESSAGE#737:00207:01", "nwparser.payload", "%{fld2->} RIP routes dropped from last system wide RIP route limit exceed.", processor_chain([ - dup273, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg747 = msg("00207:01", part1237); - - var part1238 = match("MESSAGE#738:00207:02", "nwparser.payload", "RIP database size limit exceeded for %{fld2}, RIP route dropped.", processor_chain([ - dup273, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg748 = msg("00207:02", part1238); - - var part1239 = match("MESSAGE#739:00207:03", "nwparser.payload", "%{fld2->} RIP routes dropped from the last database size exceed in 
vr %{fld3}.", processor_chain([ - dup273, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg749 = msg("00207:03", part1239); - - var select286 = linear_select([ - msg746, - msg747, - msg748, - msg749, - ]); - - var part1240 = match("MESSAGE#740:00257", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} direction=outgoing action=Deny sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport->} translated ip=%{stransaddr->} port=%{stransport}", processor_chain([ - dup185, - dup2, - dup4, - dup5, - dup3, - dup274, - dup275, - dup61, - dup276, - dup277, - dup278, - ])); - - var msg750 = msg("00257", part1240); - - var part1241 = match("MESSAGE#741:00257:14", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} direction=incoming action=Deny sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport->} translated ip=%{dtransaddr->} port=%{dtransport}", processor_chain([ - dup185, - dup2, - dup4, - dup5, - dup3, - dup274, - dup275, - dup279, - dup276, - dup277, - dup280, - ])); - - var msg751 = msg("00257:14", part1241); - - var part1242 = match("MESSAGE#742:00257:01", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} direction=outgoing action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport->} translated ip=%{stransaddr->} port=%{stransport}", processor_chain([ - dup281, - dup2, - dup4, - dup5, - dup3, - dup274, - dup275, - dup61, - dup282, - dup278, - ])); - - var msg752 = msg("00257:01", part1242); - - var part1243 = match("MESSAGE#743:00257:15", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} 
direction=incoming action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport->} translated ip=%{dtransaddr->} port=%{dtransport}", processor_chain([ - dup281, - dup2, - dup4, - dup5, - dup3, - dup274, - dup275, - dup279, - dup282, - dup280, - ])); - - var msg753 = msg("00257:15", part1243); - - var part1244 = match("MESSAGE#744:00257:02", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} direction=%{direction->} action=Deny sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport}", processor_chain([ - dup185, - dup2, - dup4, - dup5, - dup3, - dup274, - dup275, - dup61, - dup276, - dup277, - ])); - - var msg754 = msg("00257:02", part1244); - - var part1245 = match("MESSAGE#745:00257:03", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} direction=%{direction->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport}", processor_chain([ - dup281, - dup2, - dup4, - dup5, - dup3, - dup274, - dup275, - dup61, - dup282, - ])); - - var msg755 = msg("00257:03", part1245); - - var part1246 = match("MESSAGE#746:00257:04", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=Deny sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport->} src-xlated ip=%{stransaddr->} port=%{stransport}", processor_chain([ - dup185, - dup2, - dup4, - dup5, - dup3, - dup274, - dup275, - dup61, - dup276, - dup277, - ])); - - var msg756 = msg("00257:04", part1246); - - var part1247 = match("MESSAGE#747:00257:05", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} 
policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport->} src-xlated ip=%{stransaddr->} port=%{stransport->} dst-xlated ip=%{dtransaddr->} port=%{dtransport->} session_id=%{sessionid->} reason=%{result}", processor_chain([ - dup281, - dup2, - dup4, - dup5, - dup3, - dup274, - dup275, - dup61, - dup282, - ])); - - var msg757 = msg("00257:05", part1247); - - var part1248 = match("MESSAGE#748:00257:19/2", "nwparser.p0", "%{}duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} icmp type=%{icmptype->} icmp code=%{icmpcode->} src-xlated ip=%{stransaddr->} dst-xlated ip=%{dtransaddr->} session_id=%{sessionid->} reason=%{result}"); - - var all255 = all_match({ - processors: [ - dup283, - dup393, - part1248, - ], - on_success: processor_chain([ - dup281, - dup2, - dup4, - dup5, - dup3, - dup274, - dup275, - dup60, - dup282, - ]), - }); - - var msg758 = msg("00257:19", all255); - - var part1249 = match("MESSAGE#749:00257:16/2", "nwparser.p0", "%{}duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} icmp type=%{icmptype->} src-xlated ip=%{stransaddr->} dst-xlated ip=%{dtransaddr->} session_id=%{sessionid}"); - - var all256 = all_match({ - processors: [ - dup283, - dup393, - part1249, - ], - on_success: processor_chain([ - dup281, - dup2, - dup4, - dup5, - dup3, - dup274, - dup275, - dup60, - dup282, - ]), - }); - - var msg759 = msg("00257:16", all256); - - var part1250 = match("MESSAGE#750:00257:17/2", "nwparser.p0", "%{}duration=%{duration->} 
policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport->} src-xlated ip=%{stransaddr->} port=%{stransport->} dst-xlated ip=%{dtransaddr->} port=%{dtransport->} session_id=%{sessionid}"); - - var all257 = all_match({ - processors: [ - dup283, - dup393, - part1250, - ], - on_success: processor_chain([ - dup281, - dup2, - dup4, - dup5, - dup3, - dup274, - dup275, - dup61, - dup282, - ]), - }); - - var msg760 = msg("00257:17", all257); - - var part1251 = match("MESSAGE#751:00257:18/2", "nwparser.p0", "%{}duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport->} src-xlated ip=%{stransaddr->} port=%{stransport->} session_id=%{sessionid}"); - - var all258 = all_match({ - processors: [ - dup283, - dup393, - part1251, - ], - on_success: processor_chain([ - dup281, - dup2, - dup4, - dup5, - dup3, - dup274, - dup275, - dup61, - dup282, - ]), - }); - - var msg761 = msg("00257:18", all258); - - var part1252 = match("MESSAGE#752:00257:06/0", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=Deny sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{p0}"); - - var part1253 = match("MESSAGE#752:00257:06/1_0", "nwparser.p0", "%{dport->} session_id=%{sessionid}"); - - var part1254 = match_copy("MESSAGE#752:00257:06/1_1", "nwparser.p0", "dport"); - - var select287 = linear_select([ - part1253, - part1254, - ]); - - var all259 = all_match({ - processors: [ - part1252, - select287, - ], - on_success: processor_chain([ - dup185, - 
dup2, - dup4, - dup5, - dup3, - dup274, - dup275, - dup61, - dup276, - dup277, - ]), - }); - - var msg762 = msg("00257:06", all259); - - var part1255 = match("MESSAGE#753:00257:07", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport}", processor_chain([ - dup281, - dup2, - dup4, - dup5, - dup3, - dup274, - dup275, - dup61, - dup282, - ])); - - var msg763 = msg("00257:07", part1255); - - var part1256 = match("MESSAGE#754:00257:08", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=Deny sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} tcp=%{icmptype}", processor_chain([ - dup185, - dup2, - dup4, - dup5, - dup3, - dup274, - dup275, - dup60, - dup276, - dup277, - ])); - - var msg764 = msg("00257:08", part1256); - - var part1257 = match("MESSAGE#755:00257:09/0", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} icmp type=%{p0}"); - - var part1258 = match("MESSAGE#755:00257:09/1_0", "nwparser.p0", "%{icmptype->} icmp code=%{icmpcode->} session_id=%{sessionid->} reason=%{result}"); - - var part1259 = match("MESSAGE#755:00257:09/1_1", "nwparser.p0", "%{icmptype->} session_id=%{sessionid}"); - - var part1260 = match_copy("MESSAGE#755:00257:09/1_2", "nwparser.p0", "icmptype"); - - var select288 = linear_select([ - part1258, - part1259, - part1260, - ]); - - var all260 = all_match({ - processors: [ - part1257, - select288, - ], - on_success: processor_chain([ - 
dup281, - dup2, - dup4, - dup5, - dup3, - dup274, - dup275, - dup60, - dup282, - ]), - }); - - var msg765 = msg("00257:09", all260); - - var part1261 = match("MESSAGE#756:00257:10/0", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=Deny sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{p0}"); - - var part1262 = match("MESSAGE#756:00257:10/1_0", "nwparser.p0", "%{daddr->} session_id=%{sessionid}"); - - var select289 = linear_select([ - part1262, - dup286, - ]); - - var all261 = all_match({ - processors: [ - part1261, - select289, - ], - on_success: processor_chain([ - dup185, - dup2, - dup4, - dup5, - dup3, - dup274, - dup275, - dup60, - dup276, - dup277, - ]), - }); - - var msg766 = msg("00257:10", all261); - - var part1263 = match("MESSAGE#757:00257:11/0", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{p0}"); - - var part1264 = match("MESSAGE#757:00257:11/1_0", "nwparser.p0", "%{daddr->} session_id=%{sessionid->} reason=%{result}"); - - var select290 = linear_select([ - part1264, - dup286, - ]); - - var all262 = all_match({ - processors: [ - part1263, - select290, - ], - on_success: processor_chain([ - dup281, - dup2, - dup4, - dup5, - dup3, - dup274, - dup275, - dup60, - dup282, - ]), - }); - - var msg767 = msg("00257:11", all262); - - var part1265 = match("MESSAGE#758:00257:12", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} type=%{fld3}", processor_chain([ - dup281, - dup2, - dup4, - dup5, - dup3, - dup274, - 
dup275, - dup60, - dup282, - ])); - - var msg768 = msg("00257:12", part1265); - - var part1266 = match("MESSAGE#759:00257:13", "nwparser.payload", "start_time=\"%{fld2}", processor_chain([ - dup281, - dup2, - dup3, - dup274, - dup4, - dup5, - ])); - - var msg769 = msg("00257:13", part1266); - - var select291 = linear_select([ - msg750, - msg751, - msg752, - msg753, - msg754, - msg755, - msg756, - msg757, - msg758, - msg759, - msg760, - msg761, - msg762, - msg763, - msg764, - msg765, - msg766, - msg767, - msg768, - msg769, - ]); - - var part1267 = match("MESSAGE#760:00259/1", "nwparser.p0", "user %{username->} has logged on via %{p0}"); - - var part1268 = match("MESSAGE#760:00259/2_0", "nwparser.p0", "the console %{p0}"); - - var select292 = linear_select([ - part1268, - dup289, - dup241, - ]); - - var part1269 = match("MESSAGE#760:00259/3", "nwparser.p0", "from %{saddr}:%{sport}"); - - var all263 = all_match({ - processors: [ - dup394, - part1267, - select292, - part1269, - ], - on_success: processor_chain([ - dup28, - dup29, - dup30, - dup31, - dup32, - dup2, - dup4, - dup5, - dup3, - ]), - }); - - var msg770 = msg("00259", all263); - - var part1270 = match("MESSAGE#761:00259:07/1", "nwparser.p0", "user %{administrator->} has logged out via %{logon_type->} from %{saddr}:%{sport}"); - - var all264 = all_match({ - processors: [ - dup394, - part1270, - ], - on_success: processor_chain([ - dup33, - dup29, - dup34, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg771 = msg("00259:07", all264); - - var part1271 = match("MESSAGE#762:00259:01", "nwparser.payload", "Management session via %{logon_type->} from %{saddr}:%{sport->} for [vsys] admin %{administrator->} has timed out", processor_chain([ - dup290, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg772 = msg("00259:01", part1271); - - var part1272 = match("MESSAGE#763:00259:02", "nwparser.payload", "Management session via %{logon_type->} for [ vsys ] admin %{administrator->} has timed out", processor_chain([ 
- dup290, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg773 = msg("00259:02", part1272); - - var part1273 = match("MESSAGE#764:00259:03", "nwparser.payload", "Login attempt to system by admin %{administrator->} via the %{logon_type->} has failed", processor_chain([ - dup206, - dup29, - dup30, - dup31, - dup54, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg774 = msg("00259:03", part1273); - - var part1274 = match("MESSAGE#765:00259:04", "nwparser.payload", "Login attempt to system by admin %{administrator->} via %{logon_type->} from %{saddr}:%{sport->} has failed", processor_chain([ - dup206, - dup29, - dup30, - dup31, - dup54, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg775 = msg("00259:04", part1274); - - var part1275 = match("MESSAGE#766:00259:05/0", "nwparser.payload", "Admin user %{administrator->} has been forced to log out of the %{p0}"); - - var part1276 = match("MESSAGE#766:00259:05/1_2", "nwparser.p0", "Web %{p0}"); - - var select293 = linear_select([ - dup241, - dup289, - part1276, - ]); - - var part1277 = match("MESSAGE#766:00259:05/2", "nwparser.p0", "session on host %{daddr}:%{dport}"); - - var all265 = all_match({ - processors: [ - part1275, - select293, - part1277, - ], - on_success: processor_chain([ - dup290, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg776 = msg("00259:05", all265); - - var part1278 = match("MESSAGE#767:00259:06", "nwparser.payload", "Admin user %{administrator->} has been forced to log out of the serial console session.", processor_chain([ - dup290, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg777 = msg("00259:06", part1278); - - var select294 = linear_select([ - msg770, - msg771, - msg772, - msg773, - msg774, - msg775, - msg776, - msg777, - ]); - - var part1279 = match("MESSAGE#768:00262", "nwparser.payload", "Admin user %{administrator->} has been rejected via the %{logon_type->} server at %{hostip}", processor_chain([ - dup290, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg778 = msg("00262", 
part1279); - - var part1280 = match("MESSAGE#769:00263", "nwparser.payload", "Admin user %{administrator->} has been accepted via the %{logon_type->} server at %{hostip}", processor_chain([ - setc("eventcategory","1401050100"), - dup2, - dup3, - dup4, - dup5, - ])); - - var msg779 = msg("00263", part1280); - - var part1281 = match("MESSAGE#770:00400/0_0", "nwparser.payload", "ActiveX control %{p0}"); - - var part1282 = match("MESSAGE#770:00400/0_1", "nwparser.payload", "JAVA applet %{p0}"); - - var part1283 = match("MESSAGE#770:00400/0_2", "nwparser.payload", "EXE file %{p0}"); - - var part1284 = match("MESSAGE#770:00400/0_3", "nwparser.payload", "ZIP file %{p0}"); - - var select295 = linear_select([ - part1281, - part1282, - part1283, - part1284, - ]); - - var part1285 = match("MESSAGE#770:00400/1", "nwparser.p0", "has been detected! From %{saddr}:%{sport->} to %{daddr}:%{dport->} using protocol %{protocol->} and arriving at interface %{dinterface->} in zone %{dst_zone}. %{info}"); - - var all266 = all_match({ - processors: [ - select295, - part1285, - ], - on_success: processor_chain([ - setc("eventcategory","1003000000"), - dup2, - dup4, - dup5, - dup3, - dup61, - ]), - }); - - var msg780 = msg("00400", all266); - - var part1286 = match("MESSAGE#771:00401", "nwparser.payload", "%{signame}! From %{saddr->} to %{daddr}, proto %{protocol->} (zone %{zone}, int %{interface}). %{info}", processor_chain([ - dup85, - dup2, - dup4, - dup5, - dup3, - dup291, - ])); - - var msg781 = msg("00401", part1286); - - var part1287 = match("MESSAGE#772:00402", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to %{daddr}:%{dport}, proto %{protocol->} (zone %{zone}, int %{interface}). 
%{info}", processor_chain([ - dup85, - dup2, - dup4, - dup5, - dup3, - dup292, - ])); - - var msg782 = msg("00402", part1287); - - var part1288 = match("MESSAGE#773:00402:01/0", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to %{daddr}:%{dport}, using protocol %{protocol}, and arriving at %{p0}"); - - var part1289 = match("MESSAGE#773:00402:01/2", "nwparser.p0", "%{} %{interface->} in zone %{zone}. %{info}"); - - var all267 = all_match({ - processors: [ - part1288, - dup337, - part1289, - ], - on_success: processor_chain([ - dup85, - dup2, - dup4, - dup5, - dup3, - dup292, - ]), - }); - - var msg783 = msg("00402:01", all267); - - var select296 = linear_select([ - msg782, - msg783, - ]); - - var part1290 = match("MESSAGE#774:00403", "nwparser.payload", "%{signame}! From %{saddr}:%{sport->} to %{daddr}:%{dport}, proto %{protocol->} (zone %{zone}, int %{interface}). %{info}", processor_chain([ - dup85, - dup2, - dup4, - dup5, - dup3, - dup291, - ])); - - var msg784 = msg("00403", part1290); - - var part1291 = match("MESSAGE#775:00404", "nwparser.payload", "%{signame}! From %{saddr}:%{sport->} to %{daddr}:%{dport}, proto %{protocol->} (zone %{zone}, int %{interface}). %{info}", processor_chain([ - dup147, - dup148, - dup149, - dup150, - dup2, - dup4, - dup5, - dup3, - dup292, - ])); - - var msg785 = msg("00404", part1291); - - var part1292 = match("MESSAGE#776:00405", "nwparser.payload", "%{signame}! From %{saddr->} to %{daddr}, proto %{protocol->} (zone %{zone}, int %{interface}). 
%{info}", processor_chain([ - dup147, - dup2, - dup4, - dup5, - dup3, - dup291, - ])); - - var msg786 = msg("00405", part1292); - - var msg787 = msg("00406", dup413); - - var msg788 = msg("00407", dup413); - - var msg789 = msg("00408", dup413); - - var all268 = all_match({ - processors: [ - dup132, - dup343, - dup293, - ], - on_success: processor_chain([ - dup58, - dup2, - dup59, - dup3, - dup4, - dup5, - dup60, - ]), - }); - - var msg790 = msg("00409", all268); - - var msg791 = msg("00410", dup413); - - var part1293 = match("MESSAGE#782:00410:01", "nwparser.payload", "%{signame->} From %{saddr->} to %{daddr}, using protocol %{protocol}, and arriving at interface %{dinterface->} in zone %{dst_zone}.%{space}The attack occurred %{dclass_counter1->} times.", processor_chain([ - dup58, - dup2, - dup3, - dup59, - dup4, - dup5, - dup60, - ])); - - var msg792 = msg("00410:01", part1293); - - var select297 = linear_select([ - msg791, - msg792, - ]); - - var part1294 = match("MESSAGE#783:00411/0", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to %{daddr}:%{dport}, proto TCP (zone %{zone->} %{p0}"); - - var all269 = all_match({ - processors: [ - part1294, - dup343, - dup293, - ], - on_success: processor_chain([ - dup58, - dup2, - dup59, - dup3, - dup4, - dup5, - dup61, - ]), - }); - - var msg793 = msg("00411", all269); - - var part1295 = match("MESSAGE#784:00413/0", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to %{daddr}:%{dport->} using protocol %{protocol->} and arriving at %{p0}"); - - var part1296 = match("MESSAGE#784:00413/2", "nwparser.p0", "%{} %{interface}.%{space}The attack occurred %{dclass_counter1->} times"); - - var all270 = all_match({ - processors: [ - part1295, - dup337, - part1296, - ], - on_success: processor_chain([ - dup58, - dup2, - dup59, - dup3, - dup4, - dup5, - dup61, - ]), - }); - - var msg794 = msg("00413", all270); - - var part1297 = match("MESSAGE#785:00413:01/0", "nwparser.payload", "%{signame->} From 
%{saddr}:%{sport->} to %{daddr}:%{dport}, proto %{protocol}(zone %{group->} %{p0}"); - - var all271 = all_match({ - processors: [ - part1297, - dup343, - dup83, - ], - on_success: processor_chain([ - dup58, - dup2, - dup59, - dup3, - dup4, - dup5, - dup9, - dup61, - ]), - }); - - var msg795 = msg("00413:01", all271); - - var part1298 = match("MESSAGE#786:00413:02", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to %{daddr}:%{dport}, using protocol %{protocol}, on zone %{zone->} interface %{interface}.The attack occurred %{dclass_counter1->} times. (%{fld1})", processor_chain([ - dup58, - dup2, - dup3, - dup4, - dup59, - dup5, - dup9, - ])); - - var msg796 = msg("00413:02", part1298); - - var select298 = linear_select([ - msg794, - msg795, - msg796, - ]); - - var part1299 = match("MESSAGE#787:00414", "nwparser.payload", "%{signame->} From %{saddr->} to %{daddr}, proto %{protocol->} (zone %{zone}, int %{interface}). Occurred %{dclass_counter1->} times. (%{fld1})", processor_chain([ - dup58, - dup2, - dup59, - dup3, - dup4, - dup5, - dup9, - ])); - - var msg797 = msg("00414", part1299); - - var part1300 = match("MESSAGE#788:00414:01", "nwparser.payload", "%{signame->} From %{saddr->} to %{daddr}, using protocol %{protocol}, on zone %{zone->} interface %{interface}.The attack occurred %{dclass_counter1->} times. 
(%{fld1})", processor_chain([ - dup58, - dup2, - dup3, - dup59, - dup4, - dup5, - dup9, - ])); - - var msg798 = msg("00414:01", part1300); - - var select299 = linear_select([ - msg797, - msg798, - ]); - - var part1301 = match("MESSAGE#789:00415", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to %{daddr}:%{dport->} using protocol %{protocol->} and arriving at interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([ - dup58, - dup2, - dup59, - dup3, - dup4, - dup5, - dup61, - ])); - - var msg799 = msg("00415", part1301); - - var all272 = all_match({ - processors: [ - dup132, - dup343, - dup294, - ], - on_success: processor_chain([ - dup58, - dup2, - dup59, - dup3, - dup4, - dup5, - dup60, - ]), - }); - - var msg800 = msg("00423", all272); - - var all273 = all_match({ - processors: [ - dup80, - dup343, - dup83, - ], - on_success: processor_chain([ - dup58, - dup2, - dup3, - dup9, - dup59, - dup4, - dup5, - dup60, - ]), - }); - - var msg801 = msg("00429", all273); - - var all274 = all_match({ - processors: [ - dup132, - dup343, - dup83, - ], - on_success: processor_chain([ - dup58, - dup2, - dup3, - dup9, - dup59, - dup4, - dup5, - dup60, - ]), - }); - - var msg802 = msg("00429:01", all274); - - var select300 = linear_select([ - msg801, - msg802, - ]); - - var all275 = all_match({ - processors: [ - dup80, - dup343, - dup295, - dup351, - ], - on_success: processor_chain([ - dup85, - dup2, - dup59, - dup3, - dup9, - dup4, - dup5, - dup61, - ]), - }); - - var msg803 = msg("00430", all275); - - var all276 = all_match({ - processors: [ - dup132, - dup343, - dup295, - dup351, - ], - on_success: processor_chain([ - dup85, - dup2, - dup59, - dup3, - dup9, - dup4, - dup5, - dup60, - ]), - }); - - var msg804 = msg("00430:01", all276); - - var select301 = linear_select([ - msg803, - msg804, - ]); - - var msg805 = msg("00431", dup414); - - var msg806 = msg("00432", dup414); - - var msg807 = msg("00433", dup415); - - var msg808 
= msg("00434", dup415); - - var msg809 = msg("00435", dup395); - - var all277 = all_match({ - processors: [ - dup132, - dup343, - dup294, - ], - on_success: processor_chain([ - dup58, - dup2, - dup4, - dup59, - dup5, - dup3, - dup60, - ]), - }); - - var msg810 = msg("00435:01", all277); - - var select302 = linear_select([ - msg809, - msg810, - ]); - - var msg811 = msg("00436", dup395); - - var all278 = all_match({ - processors: [ - dup64, - dup338, - dup67, - ], - on_success: processor_chain([ - dup58, - dup2, - dup59, - dup9, - dup4, - dup5, - dup3, - dup60, - ]), - }); - - var msg812 = msg("00436:01", all278); - - var select303 = linear_select([ - msg811, - msg812, - ]); - - var part1302 = match("MESSAGE#803:00437", "nwparser.payload", "%{signame->} has been detected! From %{saddr}:%{sport->} to %{daddr}:%{dport}, using protocol %{protocol}, and arriving at interface %{dinterface->} in zone %{dst_zone}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([ - dup58, - dup2, - dup59, - dup3, - dup4, - dup5, - dup61, - ])); - - var msg813 = msg("00437", part1302); - - var all279 = all_match({ - processors: [ - dup299, - dup338, - dup67, - ], - on_success: processor_chain([ - dup58, - dup2, - dup59, - dup3, - dup4, - dup5, - dup61, - dup9, - ]), - }); - - var msg814 = msg("00437:01", all279); - - var part1303 = match("MESSAGE#805:00437:02", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to %{daddr}:%{dport}, using protocol %{protocol}, on zone %{zone->} interface %{interface}.The attack occurred %{dclass_counter1->} times. (%{fld1})", processor_chain([ - dup58, - dup2, - dup59, - dup3, - dup4, - dup5, - dup61, - dup9, - ])); - - var msg815 = msg("00437:02", part1303); - - var select304 = linear_select([ - msg813, - msg814, - msg815, - ]); - - var part1304 = match("MESSAGE#806:00438", "nwparser.payload", "%{signame->} has been detected! 
From %{saddr}:%{sport->} to %{daddr}:%{dport->} using protocol %{protocol->} and arriving at interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([ - dup58, - dup2, - dup59, - dup3, - dup4, - dup5, - dup61, - ])); - - var msg816 = msg("00438", part1304); - - var part1305 = match("MESSAGE#807:00438:01", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to %{daddr}:%{dport}, using protocol %{protocol}, on zone %{zone->} interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times.", processor_chain([ - dup58, - dup2, - dup59, - dup3, - dup4, - dup5, - dup61, - ])); - - var msg817 = msg("00438:01", part1305); - - var all280 = all_match({ - processors: [ - dup299, - dup338, - dup67, - ], - on_success: processor_chain([ - dup58, - dup2, - dup59, - dup3, - dup4, - dup5, - dup9, - dup61, - ]), - }); - - var msg818 = msg("00438:02", all280); - - var select305 = linear_select([ - msg816, - msg817, - msg818, - ]); - - var part1306 = match("MESSAGE#809:00440", "nwparser.payload", "%{signame->} has been detected! From %{saddr->} to %{daddr}, using protocol %{protocol}, and arriving at interface %{dinterface->} in zone %{dst_zone}.%{space}The attack occurred %{dclass_counter1->} times. (%{fld1})", processor_chain([ - dup58, - dup2, - dup59, - dup3, - dup4, - dup5, - dup9, - dup60, - ])); - - var msg819 = msg("00440", part1306); - - var part1307 = match("MESSAGE#810:00440:02", "nwparser.payload", "%{signame->} has been detected! 
From %{saddr}:%{sport->} to %{daddr}:%{dport}, using protocol %{protocol}, and arriving at interface %{dinterface->} in zone %{dst_zone}.%{space}The attack occurred %{dclass_counter1->} times.", processor_chain([ - dup58, - dup2, - dup59, - dup4, - dup5, - dup3, - dup61, - ])); - - var msg820 = msg("00440:02", part1307); - - var all281 = all_match({ - processors: [ - dup239, - dup343, - dup83, - ], - on_success: processor_chain([ - dup58, - dup2, - dup59, - dup4, - dup5, - dup3, - dup9, - dup61, - ]), - }); - - var msg821 = msg("00440:01", all281); - - var part1308 = match("MESSAGE#812:00440:03/0", "nwparser.payload", "Fragmented traffic! From %{saddr->} to %{daddr}, proto %{protocol->} (zone %{group->} %{p0}"); - - var all282 = all_match({ - processors: [ - part1308, - dup343, - dup83, - ], - on_success: processor_chain([ - dup58, - dup2, - dup59, - dup4, - dup5, - dup3, - dup9, - dup60, - ]), - }); - - var msg822 = msg("00440:03", all282); - - var select306 = linear_select([ - msg819, - msg820, - msg821, - msg822, - ]); - - var part1309 = match("MESSAGE#813:00441", "nwparser.payload", "%{signame->} id=%{fld2}! From %{saddr->} to %{daddr}, proto %{protocol->} (zone %{zone}). Occurred %{dclass_counter1->} times. 
(%{fld1})", processor_chain([ - dup58, - dup4, - dup59, - dup5, - dup9, - dup2, - dup3, - dup60, - ])); - - var msg823 = msg("00441", part1309); - - var msg824 = msg("00442", dup396); - - var msg825 = msg("00443", dup396); - - var part1310 = match("MESSAGE#816:00511", "nwparser.payload", "admin %{administrator->} issued command %{fld2->} to redirect output.", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg826 = msg("00511", part1310); - - var part1311 = match("MESSAGE#817:00511:01/0", "nwparser.payload", "All System Config saved by admin %{p0}"); - - var all283 = all_match({ - processors: [ - part1311, - dup397, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg827 = msg("00511:01", all283); - - var part1312 = match("MESSAGE#818:00511:02", "nwparser.payload", "All logged events or alarms are cleared by admin %{administrator}.", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg828 = msg("00511:02", part1312); - - var part1313 = match("MESSAGE#819:00511:03/0", "nwparser.payload", "Get new software from flash to slot (file: %{fld2}) by admin %{p0}"); - - var all284 = all_match({ - processors: [ - part1313, - dup397, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg829 = msg("00511:03", all284); - - var part1314 = match("MESSAGE#820:00511:04/0", "nwparser.payload", "Get new software from %{hostip->} (file: %{fld2}) to slot (file: %{fld3}) by admin %{p0}"); - - var all285 = all_match({ - processors: [ - part1314, - dup397, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg830 = msg("00511:04", all285); - - var part1315 = match("MESSAGE#821:00511:05/0", "nwparser.payload", "Get new software to %{hostip->} (file: %{fld2}) by admin %{p0}"); - - var all286 = all_match({ - processors: [ - part1315, - dup397, - ], - on_success: processor_chain([ - 
dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg831 = msg("00511:05", all286); - - var part1316 = match("MESSAGE#822:00511:06/0", "nwparser.payload", "Log setting is modified by admin %{p0}"); - - var all287 = all_match({ - processors: [ - part1316, - dup397, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg832 = msg("00511:06", all287); - - var part1317 = match("MESSAGE#823:00511:07/0", "nwparser.payload", "Save configuration to %{hostip->} (file: %{fld2}) by admin %{p0}"); - - var all288 = all_match({ - processors: [ - part1317, - dup397, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg833 = msg("00511:07", all288); - - var part1318 = match("MESSAGE#824:00511:08/0", "nwparser.payload", "Save new software from slot (file: %{fld2}) to flash by admin %{p0}"); - - var all289 = all_match({ - processors: [ - part1318, - dup397, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg834 = msg("00511:08", all289); - - var part1319 = match("MESSAGE#825:00511:09/0", "nwparser.payload", "Save new software from %{hostip->} (file: %{result}) to flash by admin %{p0}"); - - var all290 = all_match({ - processors: [ - part1319, - dup397, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg835 = msg("00511:09", all290); - - var part1320 = match("MESSAGE#826:00511:10/0", "nwparser.payload", "System Config from flash to slot - %{fld2->} by admin %{p0}"); - - var all291 = all_match({ - processors: [ - part1320, - dup397, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg836 = msg("00511:10", all291); - - var part1321 = match("MESSAGE#827:00511:11/0", "nwparser.payload", "System Config load from %{hostip->} (file %{fld2}) to slot - %{fld3->} by admin %{p0}"); - - var all292 = 
all_match({ - processors: [ - part1321, - dup397, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg837 = msg("00511:11", all292); - - var part1322 = match("MESSAGE#828:00511:12/0", "nwparser.payload", "System Config load from %{hostip->} (file %{fld2}) by admin %{p0}"); - - var all293 = all_match({ - processors: [ - part1322, - dup397, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg838 = msg("00511:12", all293); - - var part1323 = match("MESSAGE#829:00511:13/0", "nwparser.payload", "The system configuration was loaded from the slot by admin %{p0}"); - - var all294 = all_match({ - processors: [ - part1323, - dup397, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg839 = msg("00511:13", all294); - - var part1324 = match("MESSAGE#830:00511:14", "nwparser.payload", "FIPS: Attempt to set RADIUS shared secret with invalid length %{fld2}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg840 = msg("00511:14", part1324); - - var select307 = linear_select([ - msg826, - msg827, - msg828, - msg829, - msg830, - msg831, - msg832, - msg833, - msg834, - msg835, - msg836, - msg837, - msg838, - msg839, - msg840, - ]); - - var part1325 = match("MESSAGE#831:00513/0", "nwparser.payload", "The physical state of %{p0}"); - - var part1326 = match("MESSAGE#831:00513/1_1", "nwparser.p0", "the Interface %{p0}"); - - var select308 = linear_select([ - dup123, - part1326, - dup122, - ]); - - var part1327 = match("MESSAGE#831:00513/2", "nwparser.p0", "%{interface->} has changed to %{p0}"); - - var part1328 = match("MESSAGE#831:00513/3_0", "nwparser.p0", "%{result}. 
(%{fld1})"); - - var part1329 = match_copy("MESSAGE#831:00513/3_1", "nwparser.p0", "result"); - - var select309 = linear_select([ - part1328, - part1329, - ]); - - var all295 = all_match({ - processors: [ - part1325, - select308, - part1327, - select309, - ], - on_success: processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - dup9, - ]), - }); - - var msg841 = msg("00513", all295); - - var part1330 = match("MESSAGE#832:00515/0_0", "nwparser.payload", "Vsys Admin %{p0}"); - - var select310 = linear_select([ - part1330, - dup287, - ]); - - var part1331 = match("MESSAGE#832:00515/1", "nwparser.p0", "%{administrator->} has logged on via the %{logon_type->} ( HTTP%{p0}"); - - var part1332 = match("MESSAGE#832:00515/2_1", "nwparser.p0", "S%{p0}"); - - var select311 = linear_select([ - dup96, - part1332, - ]); - - var part1333 = match("MESSAGE#832:00515/3", "nwparser.p0", "%{}) to port %{interface->} from %{saddr}:%{sport}"); - - var all296 = all_match({ - processors: [ - select310, - part1331, - select311, - part1333, - ], - on_success: processor_chain([ - dup301, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg842 = msg("00515", all296); - - var part1334 = match("MESSAGE#833:00515:01/0", "nwparser.payload", "Login attempt to system by admin %{administrator->} via %{p0}"); - - var part1335 = match("MESSAGE#833:00515:01/1_0", "nwparser.p0", "the %{logon_type->} has failed %{p0}"); - - var part1336 = match("MESSAGE#833:00515:01/1_1", "nwparser.p0", "%{logon_type->} from %{saddr}:%{sport->} has failed %{p0}"); - - var select312 = linear_select([ - part1335, - part1336, - ]); - - var part1337 = match_copy("MESSAGE#833:00515:01/2", "nwparser.p0", "fld2"); - - var all297 = all_match({ - processors: [ - part1334, - select312, - part1337, - ], - on_success: processor_chain([ - dup206, - dup29, - dup30, - dup31, - dup54, - dup2, - dup4, - dup5, - dup302, - dup3, - ]), - }); - - var msg843 = msg("00515:01", all297); - - var part1338 = match("MESSAGE#834:00515:02/0", 
"nwparser.payload", "Management session via %{p0}"); - - var part1339 = match("MESSAGE#834:00515:02/1_0", "nwparser.p0", "the %{logon_type->} for %{p0}"); - - var part1340 = match("MESSAGE#834:00515:02/1_1", "nwparser.p0", "%{logon_type->} from %{saddr}:%{sport->} for %{p0}"); - - var select313 = linear_select([ - part1339, - part1340, - ]); - - var part1341 = match("MESSAGE#834:00515:02/2_0", "nwparser.p0", "[vsys] admin %{p0}"); - - var part1342 = match("MESSAGE#834:00515:02/2_1", "nwparser.p0", "vsys admin %{p0}"); - - var select314 = linear_select([ - part1341, - part1342, - dup15, - ]); - - var part1343 = match("MESSAGE#834:00515:02/3", "nwparser.p0", "%{administrator->} has timed out"); - - var all298 = all_match({ - processors: [ - part1338, - select313, - select314, - part1343, - ], - on_success: processor_chain([ - dup27, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg844 = msg("00515:02", all298); - - var part1344 = match("MESSAGE#835:00515:04/0_0", "nwparser.payload", "[Vsys] %{p0}"); - - var part1345 = match("MESSAGE#835:00515:04/0_1", "nwparser.payload", "Vsys %{p0}"); - - var select315 = linear_select([ - part1344, - part1345, - ]); - - var part1346 = match("MESSAGE#835:00515:04/1", "nwparser.p0", "Admin %{administrator->} has logged o%{p0}"); - - var part1347 = match_copy("MESSAGE#835:00515:04/4_1", "nwparser.p0", "logon_type"); - - var select316 = linear_select([ - dup304, - part1347, - ]); - - var all299 = all_match({ - processors: [ - select315, - part1346, - dup398, - dup40, - select316, - ], - on_success: processor_chain([ - dup240, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg845 = msg("00515:04", all299); - - var part1348 = match("MESSAGE#836:00515:06", "nwparser.payload", "Admin User %{administrator->} has logged on via %{logon_type->} from %{saddr}:%{sport}", processor_chain([ - dup240, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg846 = msg("00515:06", part1348); - - var part1349 = match("MESSAGE#837:00515:05/0", 
"nwparser.payload", "%{}Admin %{p0}"); - - var select317 = linear_select([ - dup305, - dup16, - ]); - - var part1350 = match("MESSAGE#837:00515:05/2", "nwparser.p0", "%{administrator->} has logged o%{p0}"); - - var part1351 = match("MESSAGE#837:00515:05/5_1", "nwparser.p0", "%{logon_type->} from %{saddr}:%{sport->} (%{fld2})"); - - var select318 = linear_select([ - dup306, - part1351, - dup304, - ]); - - var all300 = all_match({ - processors: [ - part1349, - select317, - part1350, - dup398, - dup40, - select318, - ], - on_success: processor_chain([ - dup240, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg847 = msg("00515:05", all300); - - var part1352 = match("MESSAGE#838:00515:07", "nwparser.payload", "Admin user %{administrator->} login attempt for %{logon_type}(http) management (port %{network_port}) from %{saddr}:%{sport->} %{disposition}", processor_chain([ - dup240, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg848 = msg("00515:07", part1352); - - var part1353 = match("MESSAGE#839:00515:08/0", "nwparser.payload", "%{fld2->} Admin User \"%{administrator}\" logged in for %{logon_type}(http%{p0}"); - - var part1354 = match("MESSAGE#839:00515:08/1_0", "nwparser.p0", ") %{p0}"); - - var part1355 = match("MESSAGE#839:00515:08/1_1", "nwparser.p0", "s) %{p0}"); - - var select319 = linear_select([ - part1354, - part1355, - ]); - - var part1356 = match("MESSAGE#839:00515:08/2", "nwparser.p0", "management (port %{network_port}) from %{saddr}:%{sport}"); - - var all301 = all_match({ - processors: [ - part1353, - select319, - part1356, - ], - on_success: processor_chain([ - dup240, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg849 = msg("00515:08", all301); - - var part1357 = match("MESSAGE#840:00515:09", "nwparser.payload", "User %{username->} telnet management session from (%{saddr}:%{sport}) timed out", processor_chain([ - dup240, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg850 = msg("00515:09", part1357); - - var part1358 = 
match("MESSAGE#841:00515:10", "nwparser.payload", "User %{username->} logged out of telnet session from %{saddr}:%{sport}", processor_chain([ - dup240, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg851 = msg("00515:10", part1358); - - var part1359 = match("MESSAGE#842:00515:11", "nwparser.payload", "The session limit threshold has been set to %{trigger_val->} on zone %{zone}.", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg852 = msg("00515:11", part1359); - - var part1360 = match("MESSAGE#843:00515:12/0", "nwparser.payload", "[ Vsys ] Admin User \"%{administrator}\" logged in for Web( http%{p0}"); - - var part1361 = match("MESSAGE#843:00515:12/2", "nwparser.p0", ") management (port %{network_port})"); - - var all302 = all_match({ - processors: [ - part1360, - dup399, - part1361, - ], - on_success: processor_chain([ - dup240, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg853 = msg("00515:12", all302); - - var select320 = linear_select([ - dup288, - dup287, - ]); - - var part1362 = match("MESSAGE#844:00515:13/1", "nwparser.p0", "user %{administrator->} has logged o%{p0}"); - - var select321 = linear_select([ - dup306, - dup304, - ]); - - var all303 = all_match({ - processors: [ - select320, - part1362, - dup398, - dup40, - select321, - ], - on_success: processor_chain([ - dup240, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg854 = msg("00515:13", all303); - - var part1363 = match("MESSAGE#845:00515:14/0_0", "nwparser.payload", "Admin user %{administrator->} has been forced to log o%{p0}"); - - var part1364 = match("MESSAGE#845:00515:14/0_1", "nwparser.payload", "%{username->} %{fld1->} has been forced to log o%{p0}"); - - var select322 = linear_select([ - part1363, - part1364, - ]); - - var part1365 = match("MESSAGE#845:00515:14/2", "nwparser.p0", "of the %{p0}"); - - var part1366 = match("MESSAGE#845:00515:14/3_0", "nwparser.p0", "serial %{logon_type->} session."); - - var part1367 = 
match("MESSAGE#845:00515:14/3_1", "nwparser.p0", "%{logon_type->} session on host %{hostip}:%{network_port->} (%{event_time})"); - - var part1368 = match("MESSAGE#845:00515:14/3_2", "nwparser.p0", "%{logon_type->} session on host %{hostip}:%{network_port}"); - - var select323 = linear_select([ - part1366, - part1367, - part1368, - ]); - - var all304 = all_match({ - processors: [ - select322, - dup398, - part1365, - select323, - ], - on_success: processor_chain([ - dup240, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg855 = msg("00515:14", all304); - - var part1369 = match("MESSAGE#846:00515:15/0", "nwparser.payload", "%{fld2}: Admin User %{administrator->} has logged o%{p0}"); - - var part1370 = match("MESSAGE#846:00515:15/3_0", "nwparser.p0", "the %{logon_type->} (%{p0}"); - - var part1371 = match("MESSAGE#846:00515:15/3_1", "nwparser.p0", "%{logon_type->} from %{saddr}:%{sport->} (%{p0}"); - - var select324 = linear_select([ - part1370, - part1371, - ]); - - var all305 = all_match({ - processors: [ - part1369, - dup398, - dup40, - select324, - dup41, - ], - on_success: processor_chain([ - dup240, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg856 = msg("00515:15", all305); - - var part1372 = match("MESSAGE#847:00515:16/0_0", "nwparser.payload", "%{fld2}: Admin %{p0}"); - - var select325 = linear_select([ - part1372, - dup287, - ]); - - var part1373 = match("MESSAGE#847:00515:16/1", "nwparser.p0", "user %{administrator->} attempt access to %{url->} illegal from %{logon_type}( http%{p0}"); - - var part1374 = match("MESSAGE#847:00515:16/3", "nwparser.p0", ") management (port %{network_port}) from %{saddr}:%{sport}. 
(%{fld1})"); - - var all306 = all_match({ - processors: [ - select325, - part1373, - dup399, - part1374, - ], - on_success: processor_chain([ - dup240, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg857 = msg("00515:16", all306); - - var part1375 = match("MESSAGE#848:00515:17/0", "nwparser.payload", "Admin user \"%{administrator}\" logged out for %{logon_type}(%{p0}"); - - var part1376 = match("MESSAGE#848:00515:17/1_0", "nwparser.p0", "https %{p0}"); - - var part1377 = match("MESSAGE#848:00515:17/1_1", "nwparser.p0", " http %{p0}"); - - var select326 = linear_select([ - part1376, - part1377, - ]); - - var part1378 = match("MESSAGE#848:00515:17/2", "nwparser.p0", ") management (port %{network_port}) from %{saddr}:%{sport}"); - - var all307 = all_match({ - processors: [ - part1375, - select326, - part1378, - ], - on_success: processor_chain([ - dup240, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg858 = msg("00515:17", all307); - - var part1379 = match("MESSAGE#849:00515:18", "nwparser.payload", "Admin user %{administrator->} login attempt for %{logon_type}(https) management (port %{network_port}) from %{saddr}:%{sport->} %{disposition}. (%{fld1})", processor_chain([ - dup240, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg859 = msg("00515:18", part1379); - - var part1380 = match("MESSAGE#850:00515:19/0", "nwparser.payload", "Vsys admin user %{administrator->} logged on via %{p0}"); - - var part1381 = match("MESSAGE#850:00515:19/1_0", "nwparser.p0", "%{logon_type->} from remote IP address %{saddr->} using port %{sport}. (%{p0}"); - - var part1382 = match("MESSAGE#850:00515:19/1_1", "nwparser.p0", "the console. 
(%{p0}"); - - var select327 = linear_select([ - part1381, - part1382, - ]); - - var all308 = all_match({ - processors: [ - part1380, - select327, - dup41, - ], - on_success: processor_chain([ - dup240, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg860 = msg("00515:19", all308); - - var part1383 = match("MESSAGE#851:00515:20", "nwparser.payload", "netscreen: Management session via SCS from %{saddr}:%{sport->} for admin netscreen has timed out (%{fld1})", processor_chain([ - dup240, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg861 = msg("00515:20", part1383); - - var select328 = linear_select([ - msg842, - msg843, - msg844, - msg845, - msg846, - msg847, - msg848, - msg849, - msg850, - msg851, - msg852, - msg853, - msg854, - msg855, - msg856, - msg857, - msg858, - msg859, - msg860, - msg861, - ]); - - var part1384 = match("MESSAGE#852:00518", "nwparser.payload", "Admin user %{administrator->} %{fld1}at %{saddr->} has been %{disposition->} via the %{logon_type->} server at %{hostip}", processor_chain([ - dup281, - dup2, - dup4, - dup5, - dup3, - ])); - - var msg862 = msg("00518", part1384); - - var part1385 = match("MESSAGE#853:00518:17", "nwparser.payload", "Admin user %{administrator->} has been %{disposition->} via the %{logon_type->} server at %{hostip}", processor_chain([ - dup281, - dup2, - dup4, - dup5, - dup3, - ])); - - var msg863 = msg("00518:17", part1385); - - var part1386 = match("MESSAGE#854:00518:01", "nwparser.payload", "Local authentication for WebAuth user %{username->} was %{disposition}", processor_chain([ - dup281, - dup2, - dup4, - dup5, - dup3, - ])); - - var msg864 = msg("00518:01", part1386); - - var part1387 = match("MESSAGE#855:00518:02", "nwparser.payload", "Local authentication for user %{username->} was %{disposition}", processor_chain([ - dup281, - dup2, - dup4, - dup5, - dup3, - ])); - - var msg865 = msg("00518:02", part1387); - - var part1388 = match("MESSAGE#856:00518:03", "nwparser.payload", "User 
%{username->} at %{saddr->} must enter \"Next Code\" for SecurID %{hostip}", processor_chain([ - dup203, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg866 = msg("00518:03", part1388); - - var part1389 = match("MESSAGE#857:00518:04", "nwparser.payload", "WebAuth user %{username->} at %{saddr->} has been %{disposition->} via the %{logon_type->} server at %{hostip}", processor_chain([ - dup203, - dup2, - dup4, - dup5, - dup3, - ])); - - var msg867 = msg("00518:04", part1389); - - var part1390 = match("MESSAGE#858:00518:05", "nwparser.payload", "User %{username->} at %{saddr->} has been challenged via the %{authmethod->} server at %{hostip->} (Rejected since challenge is not supported for %{logon_type})", processor_chain([ - dup203, - dup2, - dup4, - dup5, - dup3, - ])); - - var msg868 = msg("00518:05", part1390); - - var part1391 = match("MESSAGE#859:00518:06", "nwparser.payload", "Error in authentication for WebAuth user %{username}", processor_chain([ - dup35, - dup29, - dup31, - dup54, - dup2, - dup4, - dup5, - dup3, - ])); - - var msg869 = msg("00518:06", part1391); - - var part1392 = match("MESSAGE#860:00518:07/0", "nwparser.payload", "Authentication for user %{username->} was denied (long %{p0}"); - - var part1393 = match("MESSAGE#860:00518:07/1_1", "nwparser.p0", "username %{p0}"); - - var select329 = linear_select([ - dup24, - part1393, - ]); - - var part1394 = match("MESSAGE#860:00518:07/2", "nwparser.p0", ")%{}"); - - var all309 = all_match({ - processors: [ - part1392, - select329, - part1394, - ], - on_success: processor_chain([ - dup53, - dup29, - dup31, - dup54, - dup2, - dup4, - dup5, - dup3, - ]), - }); - - var msg870 = msg("00518:07", all309); - - var part1395 = match("MESSAGE#861:00518:08", "nwparser.payload", "User %{username->} at %{saddr->} %{authmethod->} authentication attempt has timed out", processor_chain([ - dup35, - dup29, - dup31, - dup39, - dup2, - dup4, - dup5, - dup3, - ])); - - var msg871 = msg("00518:08", part1395); - - var 
part1396 = match("MESSAGE#862:00518:09", "nwparser.payload", "User %{username->} at %{saddr->} has been %{disposition->} via the %{logon_type->} server at %{hostip}", processor_chain([ - dup203, - dup2, - dup4, - dup5, - dup3, - ])); - - var msg872 = msg("00518:09", part1396); - - var part1397 = match("MESSAGE#863:00518:10", "nwparser.payload", "Admin user \"%{administrator}\" login attempt for %{logon_type->} (%{network_service}) management (port %{network_port}) from %{saddr}:%{sport->} failed due to %{result}. (%{fld1})", processor_chain([ - dup206, - dup29, - dup30, - dup31, - dup54, - dup2, - dup4, - dup9, - dup5, - dup3, - dup302, - ])); - - var msg873 = msg("00518:10", part1397); - - var part1398 = match("MESSAGE#864:00518:11/0", "nwparser.payload", "ADM: Local admin authentication failed for login name %{p0}"); - - var part1399 = match("MESSAGE#864:00518:11/1_0", "nwparser.p0", "'%{username}': %{p0}"); - - var part1400 = match("MESSAGE#864:00518:11/1_1", "nwparser.p0", "%{username}: %{p0}"); - - var select330 = linear_select([ - part1399, - part1400, - ]); - - var part1401 = match("MESSAGE#864:00518:11/2", "nwparser.p0", "%{result->} (%{fld1})"); - - var all310 = all_match({ - processors: [ - part1398, - select330, - part1401, - ], - on_success: processor_chain([ - dup206, - dup29, - dup30, - dup31, - dup54, - dup2, - dup9, - dup4, - dup5, - dup3, - ]), - }); - - var msg874 = msg("00518:11", all310); - - var part1402 = match("MESSAGE#865:00518:12", "nwparser.payload", "Admin user \"%{administrator}\" login attempt for %{logon_type}(%{network_service}) management (port %{network_port}) from %{saddr}:%{sport->} %{disposition}. (%{fld1})", processor_chain([ - dup240, - dup2, - dup4, - dup9, - dup5, - dup3, - ])); - - var msg875 = msg("00518:12", part1402); - - var part1403 = match("MESSAGE#866:00518:13", "nwparser.payload", "User %{username->} at %{saddr->} is rejected by the Radius server at %{hostip}. 
(%{fld1})", processor_chain([ - dup290, - dup2, - dup3, - dup4, - dup9, - dup5, - ])); - - var msg876 = msg("00518:13", part1403); - - var part1404 = match("MESSAGE#867:00518:14", "nwparser.payload", "%{fld2}: Admin user has been rejected via the Radius server at %{hostip->} (%{fld1})", processor_chain([ - dup290, - dup2, - dup4, - dup5, - dup9, - ])); - - var msg877 = msg("00518:14", part1404); - - var select331 = linear_select([ - msg862, - msg863, - msg864, - msg865, - msg866, - msg867, - msg868, - msg869, - msg870, - msg871, - msg872, - msg873, - msg874, - msg875, - msg876, - msg877, - ]); - - var part1405 = match("MESSAGE#868:00519/0", "nwparser.payload", "Admin user %{administrator->} %{p0}"); - - var part1406 = match("MESSAGE#868:00519/1_1", "nwparser.p0", "of group %{group->} at %{saddr->} has %{p0}"); - - var part1407 = match("MESSAGE#868:00519/1_2", "nwparser.p0", "%{group->} at %{saddr->} has %{p0}"); - - var select332 = linear_select([ - dup194, - part1406, - part1407, - ]); - - var part1408 = match("MESSAGE#868:00519/2", "nwparser.p0", "been %{disposition->} via the %{logon_type->} server %{p0}"); - - var part1409 = match("MESSAGE#868:00519/3_0", "nwparser.p0", "at %{p0}"); - - var select333 = linear_select([ - part1409, - dup16, - ]); - - var part1410 = match("MESSAGE#868:00519/4", "nwparser.p0", "%{hostip}"); - - var all311 = all_match({ - processors: [ - part1405, - select332, - part1408, - select333, - part1410, - ], - on_success: processor_chain([ - dup203, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg878 = msg("00519", all311); - - var part1411 = match("MESSAGE#869:00519:01/0", "nwparser.payload", "Local authentication for %{p0}"); - - var select334 = linear_select([ - dup307, - dup305, - ]); - - var part1412 = match("MESSAGE#869:00519:01/2", "nwparser.p0", "%{username->} was %{disposition}"); - - var all312 = all_match({ - processors: [ - part1411, - select334, - part1412, - ], - on_success: processor_chain([ - dup203, - dup2, - dup3, 
- dup4, - dup5, - ]), - }); - - var msg879 = msg("00519:01", all312); - - var part1413 = match("MESSAGE#870:00519:02/1_1", "nwparser.p0", "User %{p0}"); - - var select335 = linear_select([ - dup307, - part1413, - ]); - - var part1414 = match("MESSAGE#870:00519:02/2", "nwparser.p0", "%{username->} at %{saddr->} has been %{disposition->} via the %{logon_type->} server at %{hostip}"); - - var all313 = all_match({ - processors: [ - dup160, - select335, - part1414, - ], - on_success: processor_chain([ - dup203, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg880 = msg("00519:02", all313); - - var part1415 = match("MESSAGE#871:00519:03", "nwparser.payload", "Admin user \"%{administrator}\" logged in for %{logon_type}(%{network_service}) management (port %{network_port}) from %{saddr}:%{sport->} %{fld4}", processor_chain([ - dup240, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg881 = msg("00519:03", part1415); - - var part1416 = match("MESSAGE#872:00519:04", "nwparser.payload", "ADM: Local admin authentication successful for login name %{username->} (%{fld1})", processor_chain([ - dup240, - dup2, - dup4, - dup5, - dup9, - ])); - - var msg882 = msg("00519:04", part1416); - - var part1417 = match("MESSAGE#873:00519:05", "nwparser.payload", "%{fld2}Admin user %{administrator->} has been accepted via the Radius server at %{hostip}(%{fld1})", processor_chain([ - dup240, - dup2, - dup4, - dup5, - dup9, - ])); - - var msg883 = msg("00519:05", part1417); - - var select336 = linear_select([ - msg878, - msg879, - msg880, - msg881, - msg882, - msg883, - ]); - - var part1418 = match("MESSAGE#874:00520", "nwparser.payload", "%{hostname->} user authentication attempt has timed out", processor_chain([ - dup35, - dup31, - dup39, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg884 = msg("00520", part1418); - - var part1419 = match("MESSAGE#875:00520:01/0", "nwparser.payload", "User %{username->} at %{hostip->} %{p0}"); - - var part1420 = match("MESSAGE#875:00520:01/1_0", 
"nwparser.p0", "RADIUS %{p0}"); - - var part1421 = match("MESSAGE#875:00520:01/1_1", "nwparser.p0", "SecurID %{p0}"); - - var part1422 = match("MESSAGE#875:00520:01/1_2", "nwparser.p0", "LDAP %{p0}"); - - var part1423 = match("MESSAGE#875:00520:01/1_3", "nwparser.p0", "Local %{p0}"); - - var select337 = linear_select([ - part1420, - part1421, - part1422, - part1423, - ]); - - var part1424 = match("MESSAGE#875:00520:01/2", "nwparser.p0", "authentication attempt has timed out%{}"); - - var all314 = all_match({ - processors: [ - part1419, - select337, - part1424, - ], - on_success: processor_chain([ - dup35, - dup31, - dup39, - dup2, - dup4, - dup5, - dup3, - ]), - }); - - var msg885 = msg("00520:01", all314); - - var part1425 = match("MESSAGE#876:00520:02/0", "nwparser.payload", "Trying %{p0}"); - - var part1426 = match("MESSAGE#876:00520:02/2", "nwparser.p0", "server %{fld2}"); - - var all315 = all_match({ - processors: [ - part1425, - dup400, - part1426, - ], - on_success: processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg886 = msg("00520:02", all315); - - var part1427 = match("MESSAGE#877:00520:03/1_0", "nwparser.p0", "Primary %{p0}"); - - var part1428 = match("MESSAGE#877:00520:03/1_1", "nwparser.p0", "Backup1 %{p0}"); - - var part1429 = match("MESSAGE#877:00520:03/1_2", "nwparser.p0", "Backup2 %{p0}"); - - var select338 = linear_select([ - part1427, - part1428, - part1429, - ]); - - var part1430 = match("MESSAGE#877:00520:03/2", "nwparser.p0", "%{fld2}, %{p0}"); - - var part1431 = match("MESSAGE#877:00520:03/4", "nwparser.p0", "%{fld3}, and %{p0}"); - - var part1432 = match("MESSAGE#877:00520:03/6", "nwparser.p0", "%{fld4->} servers failed"); - - var all316 = all_match({ - processors: [ - dup160, - select338, - part1430, - dup400, - part1431, - dup400, - part1432, - ], - on_success: processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg887 = msg("00520:03", all316); - - var part1433 = 
match("MESSAGE#878:00520:04", "nwparser.payload", "Trying %{fld2->} Server %{hostip->} (%{fld1})", processor_chain([ - dup44, - dup2, - dup4, - dup5, - dup9, - ])); - - var msg888 = msg("00520:04", part1433); - - var part1434 = match("MESSAGE#1221:00520:05", "nwparser.payload", "Active Server Switchover: New requests for %{fld31->} server will try %{fld32->} from now on. (%{fld1})", processor_chain([ - dup44, - dup2, - dup4, - dup5, - dup9, - ])); - - var msg889 = msg("00520:05", part1434); - - var select339 = linear_select([ - msg884, - msg885, - msg886, - msg887, - msg888, - msg889, - ]); - - var part1435 = match("MESSAGE#879:00521", "nwparser.payload", "Can't connect to E-mail server %{hostip}", processor_chain([ - dup27, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg890 = msg("00521", part1435); - - var part1436 = match("MESSAGE#880:00522", "nwparser.payload", "HA link state has %{fld2}", processor_chain([ - dup117, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg891 = msg("00522", part1436); - - var part1437 = match("MESSAGE#881:00523", "nwparser.payload", "URL filtering received an error from %{fld2->} (error %{resultcode}).", processor_chain([ - dup232, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg892 = msg("00523", part1437); - - var part1438 = match("MESSAGE#882:00524", "nwparser.payload", "NetScreen device at %{hostip}:%{network_port->} has responded successfully to SNMP request from %{saddr}:%{sport}", processor_chain([ - dup209, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg893 = msg("00524", part1438); - - var part1439 = match("MESSAGE#883:00524:02", "nwparser.payload", "SNMP request from an unknown SNMP community public at %{hostip}:%{network_port->} has been received. 
(%{fld1})", processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg894 = msg("00524:02", part1439); - - var part1440 = match("MESSAGE#884:00524:03", "nwparser.payload", "SNMP: NetScreen device has responded successfully to the SNMP request from %{saddr}:%{sport}. (%{fld1})", processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg895 = msg("00524:03", part1440); - - var part1441 = match("MESSAGE#885:00524:04", "nwparser.payload", "SNMP request from an unknown SNMP community admin at %{hostip}:%{network_port->} has been received. (%{fld1})", processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg896 = msg("00524:04", part1441); - - var part1442 = match("MESSAGE#886:00524:05", "nwparser.payload", "SNMP request from an unknown SNMP community %{fld2->} at %{hostip}:%{network_port->} has been received. (%{fld1})", processor_chain([ - dup18, - dup2, - dup4, - dup5, - dup9, - ])); - - var msg897 = msg("00524:05", part1442); - - var part1443 = match("MESSAGE#887:00524:06", "nwparser.payload", "SNMP request has been received from an unknown host in SNMP community %{fld2->} at %{hostip}:%{network_port}. (%{fld1})", processor_chain([ - dup18, - dup2, - dup4, - dup5, - dup9, - ])); - - var msg898 = msg("00524:06", part1443); - - var part1444 = match("MESSAGE#888:00524:12", "nwparser.payload", "SNMP request from an unknown SNMP community %{fld2->} at %{saddr}:%{sport->} to %{daddr}:%{dport->} has been received", processor_chain([ - dup18, - dup2, - dup4, - dup5, - ])); - - var msg899 = msg("00524:12", part1444); - - var part1445 = match("MESSAGE#889:00524:14", "nwparser.payload", "SNMP request from %{saddr}:%{sport->} has been received, but the SNMP version type is incorrect. 
(%{fld1})", processor_chain([ - dup19, - dup2, - dup4, - setc("result","the SNMP version type is incorrect"), - dup5, - dup9, - ])); - - var msg900 = msg("00524:14", part1445); - - var part1446 = match("MESSAGE#890:00524:13/0", "nwparser.payload", "SNMP request has been received%{p0}"); - - var part1447 = match("MESSAGE#890:00524:13/2", "nwparser.p0", "%{}but %{result}"); - - var all317 = all_match({ - processors: [ - part1446, - dup401, - part1447, - ], - on_success: processor_chain([ - dup18, - dup2, - dup4, - dup5, - ]), - }); - - var msg901 = msg("00524:13", all317); - - var part1448 = match("MESSAGE#891:00524:07", "nwparser.payload", "Response to SNMP request from %{saddr}:%{sport->} to %{daddr}:%{dport->} has %{disposition->} due to %{result}", processor_chain([ - dup18, - dup2, - dup4, - dup5, - ])); - - var msg902 = msg("00524:07", part1448); - - var part1449 = match("MESSAGE#892:00524:08", "nwparser.payload", "SNMP community %{fld2->} cannot be added because %{result}", processor_chain([ - dup18, - dup2, - dup4, - dup5, - ])); - - var msg903 = msg("00524:08", part1449); - - var part1450 = match("MESSAGE#893:00524:09", "nwparser.payload", "SNMP host %{hostip->} cannot be added to community %{fld2->} because of %{result}", processor_chain([ - dup18, - dup2, - dup4, - dup5, - ])); - - var msg904 = msg("00524:09", part1450); - - var part1451 = match("MESSAGE#894:00524:10", "nwparser.payload", "SNMP host %{hostip->} cannot be added because %{result}", processor_chain([ - dup18, - dup2, - dup4, - dup5, - ])); - - var msg905 = msg("00524:10", part1451); - - var part1452 = match("MESSAGE#895:00524:11", "nwparser.payload", "SNMP host %{hostip->} cannot be removed from community %{fld2->} because %{result}", processor_chain([ - dup18, - dup2, - dup4, - dup5, - ])); - - var msg906 = msg("00524:11", part1452); - - var part1453 = match("MESSAGE#1222:00524:16", "nwparser.payload", "SNMP user/community %{fld34->} doesn't exist. 
(%{fld1})", processor_chain([ - dup44, - dup2, - dup4, - dup5, - dup9, - ])); - - var msg907 = msg("00524:16", part1453); - - var select340 = linear_select([ - msg893, - msg894, - msg895, - msg896, - msg897, - msg898, - msg899, - msg900, - msg901, - msg902, - msg903, - msg904, - msg905, - msg906, - msg907, - ]); - - var part1454 = match("MESSAGE#896:00525", "nwparser.payload", "The new PIN for user %{username->} at %{hostip->} has been %{disposition->} by SecurID %{fld2}", processor_chain([ - dup203, - setc("ec_subject","Password"), - dup38, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg908 = msg("00525", part1454); - - var part1455 = match("MESSAGE#897:00525:01", "nwparser.payload", "User %{username->} at %{hostip->} has selected a system-generated PIN for authentication with SecurID %{fld2}", processor_chain([ - dup203, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg909 = msg("00525:01", part1455); - - var part1456 = match("MESSAGE#898:00525:02", "nwparser.payload", "User %{username->} at %{hostip->} must enter the \"new PIN\" for SecurID %{fld2}", processor_chain([ - dup203, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg910 = msg("00525:02", part1456); - - var part1457 = match("MESSAGE#899:00525:03", "nwparser.payload", "User %{username->} at %{hostip->} must make a \"New PIN\" choice for SecurID %{fld2}", processor_chain([ - dup203, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg911 = msg("00525:03", part1457); - - var select341 = linear_select([ - msg908, - msg909, - msg910, - msg911, - ]); - - var part1458 = match("MESSAGE#900:00526", "nwparser.payload", "The user limit has been exceeded and %{hostip->} cannot be added", processor_chain([ - dup37, - dup219, - dup38, - dup39, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg912 = msg("00526", part1458); - - var part1459 = match("MESSAGE#901:00527/0", "nwparser.payload", "A DHCP-%{p0}"); - - var part1460 = match("MESSAGE#901:00527/1_1", "nwparser.p0", " assigned %{p0}"); - - var select342 = 
linear_select([ - dup311, - part1460, - ]); - - var part1461 = match("MESSAGE#901:00527/2", "nwparser.p0", "IP address %{hostip->} has been %{p0}"); - - var part1462 = match("MESSAGE#901:00527/3_1", "nwparser.p0", "freed from %{p0}"); - - var part1463 = match("MESSAGE#901:00527/3_2", "nwparser.p0", "freed %{p0}"); - - var select343 = linear_select([ - dup312, - part1462, - part1463, - ]); - - var all318 = all_match({ - processors: [ - part1459, - select342, - part1461, - select343, - dup108, - ], - on_success: processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg913 = msg("00527", all318); - - var part1464 = match("MESSAGE#902:00527:01", "nwparser.payload", "A DHCP-assigned IP address has been manually released%{}", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg914 = msg("00527:01", part1464); - - var part1465 = match("MESSAGE#903:00527:02/0", "nwparser.payload", "DHCP server has %{p0}"); - - var part1466 = match("MESSAGE#903:00527:02/1_1", "nwparser.p0", "released %{p0}"); - - var part1467 = match("MESSAGE#903:00527:02/1_2", "nwparser.p0", "assigned or released %{p0}"); - - var select344 = linear_select([ - dup311, - part1466, - part1467, - ]); - - var part1468 = match("MESSAGE#903:00527:02/2", "nwparser.p0", "an IP address%{}"); - - var all319 = all_match({ - processors: [ - part1465, - select344, - part1468, - ], - on_success: processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg915 = msg("00527:02", all319); - - var part1469 = match("MESSAGE#904:00527:03", "nwparser.payload", "MAC address %{macaddr->} has detected an IP conflict and has declined address %{hostip}", processor_chain([ - dup272, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg916 = msg("00527:03", part1469); - - var part1470 = match("MESSAGE#905:00527:04", "nwparser.payload", "One or more DHCP-assigned IP addresses have been manually released.%{}", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - 
])); - - var msg917 = msg("00527:04", part1470); - - var part1471 = match("MESSAGE#906:00527:05/2", "nwparser.p0", "%{} %{interface->} is more than %{fld2->} allocated."); - - var all320 = all_match({ - processors: [ - dup210, - dup337, - part1471, - ], - on_success: processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg918 = msg("00527:05", all320); - - var part1472 = match("MESSAGE#907:00527:06/0", "nwparser.payload", "IP address %{hostip->} %{p0}"); - - var select345 = linear_select([ - dup106, - dup127, - ]); - - var part1473 = match("MESSAGE#907:00527:06/3_1", "nwparser.p0", "released from %{p0}"); - - var select346 = linear_select([ - dup312, - part1473, - ]); - - var part1474 = match("MESSAGE#907:00527:06/4", "nwparser.p0", "%{fld2->} (%{fld1})"); - - var all321 = all_match({ - processors: [ - part1472, - select345, - dup23, - select346, - part1474, - ], - on_success: processor_chain([ - dup44, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg919 = msg("00527:06", all321); - - var part1475 = match("MESSAGE#908:00527:07", "nwparser.payload", "One or more IP addresses have expired. 
(%{fld1})", processor_chain([ - dup44, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg920 = msg("00527:07", part1475); - - var part1476 = match("MESSAGE#909:00527:08", "nwparser.payload", "DHCP server on interface %{interface->} received %{protocol_detail->} from %{smacaddr->} requesting out-of-scope IP address %{hostip}/%{mask->} (%{fld1})", processor_chain([ - dup44, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg921 = msg("00527:08", part1476); - - var part1477 = match("MESSAGE#910:00527:09/0", "nwparser.payload", "MAC address %{macaddr->} has %{disposition->} %{p0}"); - - var part1478 = match("MESSAGE#910:00527:09/1_0", "nwparser.p0", "address %{hostip->} (%{p0}"); - - var part1479 = match("MESSAGE#910:00527:09/1_1", "nwparser.p0", "%{hostip->} (%{p0}"); - - var select347 = linear_select([ - part1478, - part1479, - ]); - - var all322 = all_match({ - processors: [ - part1477, - select347, - dup41, - ], - on_success: processor_chain([ - dup272, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg922 = msg("00527:09", all322); - - var part1480 = match("MESSAGE#911:00527:10", "nwparser.payload", "One or more IP addresses are expired. 
(%{fld1})", processor_chain([ - dup44, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg923 = msg("00527:10", part1480); - - var select348 = linear_select([ - msg913, - msg914, - msg915, - msg916, - msg917, - msg918, - msg919, - msg920, - msg921, - msg922, - msg923, - ]); - - var part1481 = match("MESSAGE#912:00528", "nwparser.payload", "SCS: User '%{username}' authenticated using password :", processor_chain([ - setc("eventcategory","1302010000"), - dup29, - dup31, - dup32, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg924 = msg("00528", part1481); - - var part1482 = match("MESSAGE#913:00528:01", "nwparser.payload", "SCS: Connection terminated for user %{username->} from", processor_chain([ - dup203, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg925 = msg("00528:01", part1482); - - var part1483 = match("MESSAGE#914:00528:02", "nwparser.payload", "SCS: Disabled for all root/vsys on device. Client host attempting connection to interface '%{interface}' with address %{hostip->} from %{saddr}", processor_chain([ - dup203, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg926 = msg("00528:02", part1483); - - var part1484 = match("MESSAGE#915:00528:03", "nwparser.payload", "SSH: NetScreen device %{disposition->} to identify itself to the SSH client at %{hostip}", processor_chain([ - dup203, - dup2, - dup4, - dup5, - dup3, - ])); - - var msg927 = msg("00528:03", part1484); - - var part1485 = match("MESSAGE#916:00528:04", "nwparser.payload", "SSH: Incompatible SSH version string has been received from SSH client at %{hostip}", processor_chain([ - dup203, - dup2, - dup4, - dup5, - dup3, - ])); - - var msg928 = msg("00528:04", part1485); - - var part1486 = match("MESSAGE#917:00528:05", "nwparser.payload", "SSH: %{disposition->} to send identification string to client host at %{hostip}", processor_chain([ - dup203, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg929 = msg("00528:05", part1486); - - var part1487 = match("MESSAGE#918:00528:06", 
"nwparser.payload", "SSH: Client at %{saddr->} attempted to connect with invalid version string.", processor_chain([ - dup313, - dup2, - dup3, - dup4, - dup5, - setc("result","invalid version string"), - ])); - - var msg930 = msg("00528:06", part1487); - - var part1488 = match("MESSAGE#919:00528:07/0", "nwparser.payload", "SSH: %{disposition->} to negotiate %{p0}"); - - var part1489 = match("MESSAGE#919:00528:07/1_1", "nwparser.p0", "MAC %{p0}"); - - var part1490 = match("MESSAGE#919:00528:07/1_2", "nwparser.p0", "key exchange %{p0}"); - - var part1491 = match("MESSAGE#919:00528:07/1_3", "nwparser.p0", "host key %{p0}"); - - var select349 = linear_select([ - dup88, - part1489, - part1490, - part1491, - ]); - - var part1492 = match("MESSAGE#919:00528:07/2", "nwparser.p0", "algorithm with host %{hostip}"); - - var all323 = all_match({ - processors: [ - part1488, - select349, - part1492, - ], - on_success: processor_chain([ - dup314, - dup2, - dup4, - dup5, - dup3, - ]), - }); - - var msg931 = msg("00528:07", all323); - - var part1493 = match("MESSAGE#920:00528:08", "nwparser.payload", "SSH: Unsupported cipher type %{fld2->} requested from %{saddr}", processor_chain([ - dup314, - dup2, - dup4, - dup5, - dup3, - ])); - - var msg932 = msg("00528:08", part1493); - - var part1494 = match("MESSAGE#921:00528:09", "nwparser.payload", "SSH: Host client has requested NO cipher from %{saddr}", processor_chain([ - dup314, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg933 = msg("00528:09", part1494); - - var part1495 = match("MESSAGE#922:00528:10", "nwparser.payload", "SSH: Disabled for '%{vsys}'. 
Attempted connection %{disposition->} from %{saddr}:%{sport}", processor_chain([ - dup281, - dup2, - dup4, - dup5, - dup3, - ])); - - var msg934 = msg("00528:10", part1495); - - var part1496 = match("MESSAGE#923:00528:11", "nwparser.payload", "SSH: Disabled for %{fld2->} Attempted connection %{disposition->} from %{saddr}:%{sport}", processor_chain([ - dup281, - dup2, - dup4, - dup5, - dup3, - ])); - - var msg935 = msg("00528:11", part1496); - - var part1497 = match("MESSAGE#924:00528:12", "nwparser.payload", "SSH: SSH user %{username->} at %{saddr->} tried unsuccessfully to log in to %{vsys->} using the shared untrusted interface. SSH disabled on that interface.", processor_chain([ - dup281, - dup2, - dup4, - dup5, - dup3, - setc("disposition","disabled"), - ])); - - var msg936 = msg("00528:12", part1497); - - var part1498 = match("MESSAGE#925:00528:13/0", "nwparser.payload", "SSH: SSH client at %{saddr->} tried unsuccessfully to %{p0}"); - - var part1499 = match("MESSAGE#925:00528:13/1_0", "nwparser.p0", "make %{p0}"); - - var part1500 = match("MESSAGE#925:00528:13/1_1", "nwparser.p0", "establish %{p0}"); - - var select350 = linear_select([ - part1499, - part1500, - ]); - - var part1501 = match("MESSAGE#925:00528:13/2", "nwparser.p0", "an SSH connection to %{p0}"); - - var part1502 = match("MESSAGE#925:00528:13/4", "nwparser.p0", "%{} %{interface->} with IP %{hostip->} SSH %{p0}"); - - var part1503 = match("MESSAGE#925:00528:13/5_0", "nwparser.p0", "not enabled %{p0}"); - - var select351 = linear_select([ - part1503, - dup157, - ]); - - var part1504 = match("MESSAGE#925:00528:13/6", "nwparser.p0", "on that interface.%{}"); - - var all324 = all_match({ - processors: [ - part1498, - select350, - part1501, - dup337, - part1502, - select351, - part1504, - ], - on_success: processor_chain([ - dup281, - dup2, - dup4, - dup5, - dup3, - ]), - }); - - var msg937 = msg("00528:13", all324); - - var part1505 = match("MESSAGE#926:00528:14", "nwparser.payload", "SSH: SSH 
client %{saddr->} unsuccessfully attempted to make an SSH connection to %{vsys->} SSH was not completely initialized for that system.", processor_chain([ - dup281, - dup2, - dup4, - dup5, - dup3, - ])); - - var msg938 = msg("00528:14", part1505); - - var part1506 = match("MESSAGE#927:00528:15/0", "nwparser.payload", "SSH: Admin user %{p0}"); - - var part1507 = match("MESSAGE#927:00528:15/1_1", "nwparser.p0", "%{administrator->} %{p0}"); - - var select352 = linear_select([ - dup315, - part1507, - ]); - - var part1508 = match("MESSAGE#927:00528:15/2", "nwparser.p0", "at host %{saddr->} requested unsupported %{p0}"); - - var part1509 = match("MESSAGE#927:00528:15/3_0", "nwparser.p0", "PKA algorithm %{p0}"); - - var part1510 = match("MESSAGE#927:00528:15/3_1", "nwparser.p0", "authentication method %{p0}"); - - var select353 = linear_select([ - part1509, - part1510, - ]); - - var all325 = all_match({ - processors: [ - part1506, - select352, - part1508, - select353, - dup108, - ], - on_success: processor_chain([ - dup281, - dup2, - dup4, - dup5, - dup3, - ]), - }); - - var msg939 = msg("00528:15", all325); - - var part1511 = match("MESSAGE#928:00528:16", "nwparser.payload", "SCP: Admin '%{administrator}' at host %{saddr->} executed invalid scp command: '%{fld2}'", processor_chain([ - dup281, - dup2, - dup4, - dup5, - dup3, - ])); - - var msg940 = msg("00528:16", part1511); - - var part1512 = match("MESSAGE#929:00528:17", "nwparser.payload", "SCP: Disabled for '%{username}'. 
Attempted file transfer failed from host %{saddr}", processor_chain([ - dup281, - dup2, - dup4, - dup5, - dup3, - ])); - - var msg941 = msg("00528:17", part1512); - - var part1513 = match("MESSAGE#930:00528:18/2", "nwparser.p0", "authentication successful for admin user %{p0}"); - - var all326 = all_match({ - processors: [ - dup316, - dup402, - part1513, - dup403, - dup320, - ], - on_success: processor_chain([ - dup281, - dup2, - dup4, - dup5, - dup3, - setc("disposition","successful"), - setc("event_description","authentication successful for admin user"), - ]), - }); - - var msg942 = msg("00528:18", all326); - - var part1514 = match("MESSAGE#931:00528:26/2", "nwparser.p0", "authentication failed for admin user %{p0}"); - - var all327 = all_match({ - processors: [ - dup316, - dup402, - part1514, - dup403, - dup320, - ], - on_success: processor_chain([ - dup206, - dup29, - dup31, - dup54, - dup2, - dup4, - dup5, - dup302, - dup3, - setc("event_description","authentication failed for admin user"), - ]), - }); - - var msg943 = msg("00528:26", all327); - - var part1515 = match("MESSAGE#932:00528:19/2", "nwparser.p0", ": SSH user %{username->} has been %{disposition->} using password from %{saddr}:%{sport}"); - - var all328 = all_match({ - processors: [ - dup321, - dup404, - part1515, - ], - on_success: processor_chain([ - dup281, - dup2, - dup4, - dup5, - dup3, - ]), - }); - - var msg944 = msg("00528:19", all328); - - var part1516 = match("MESSAGE#933:00528:20/2", "nwparser.p0", ": Connection has been %{disposition->} for admin user %{administrator->} at %{saddr}:%{sport}"); - - var all329 = all_match({ - processors: [ - dup321, - dup404, - part1516, - ], - on_success: processor_chain([ - dup281, - dup2, - dup4, - dup5, - dup3, - ]), - }); - - var msg945 = msg("00528:20", all329); - - var part1517 = match("MESSAGE#934:00528:21", "nwparser.payload", "SCS: SSH user %{username->} at %{saddr}:%{sport->} has requested PKA RSA authentication, which is not supported for that 
client.", processor_chain([ - dup281, - dup2, - dup4, - dup5, - dup3, - ])); - - var msg946 = msg("00528:21", part1517); - - var part1518 = match("MESSAGE#935:00528:22/0", "nwparser.payload", "SCS: SSH client at %{saddr->} has attempted to make an SCS connection to %{p0}"); - - var part1519 = match("MESSAGE#935:00528:22/2", "nwparser.p0", "%{} %{interface->} with IP %{hostip->} but %{disposition->} because SCS is not enabled for that interface."); - - var all330 = all_match({ - processors: [ - part1518, - dup337, - part1519, - ], - on_success: processor_chain([ - dup281, - dup2, - dup4, - dup5, - dup3, - setc("result","SCS is not enabled for that interface"), - ]), - }); - - var msg947 = msg("00528:22", all330); - - var part1520 = match("MESSAGE#936:00528:23", "nwparser.payload", "SCS: SSH client at %{saddr}:%{sport->} has %{disposition->} to make an SCS connection to vsys %{vsys->} because SCS cannot generate the host and server keys before timing out.", processor_chain([ - dup281, - dup2, - dup4, - dup5, - dup3, - setc("result","SCS cannot generate the host and server keys before timing out"), - ])); - - var msg948 = msg("00528:23", part1520); - - var part1521 = match("MESSAGE#937:00528:24", "nwparser.payload", "SSH: %{change_attribute->} has been changed from %{change_old->} to %{change_new}", processor_chain([ - dup281, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg949 = msg("00528:24", part1521); - - var part1522 = match("MESSAGE#938:00528:25/0", "nwparser.payload", "SSH: Admin %{p0}"); - - var part1523 = match("MESSAGE#938:00528:25/2", "nwparser.p0", "at host %{saddr->} attempted to be authenticated with no authentication methods enabled."); - - var all331 = all_match({ - processors: [ - part1522, - dup403, - part1523, - ], - on_success: processor_chain([ - dup281, - dup2, - dup4, - dup5, - dup3, - ]), - }); - - var msg950 = msg("00528:25", all331); - - var select354 = linear_select([ - msg924, - msg925, - msg926, - msg927, - msg928, - msg929, - msg930, - 
msg931, - msg932, - msg933, - msg934, - msg935, - msg936, - msg937, - msg938, - msg939, - msg940, - msg941, - msg942, - msg943, - msg944, - msg945, - msg946, - msg947, - msg948, - msg949, - msg950, - ]); - - var part1524 = match("MESSAGE#939:00529/1_0", "nwparser.p0", "manually %{p0}"); - - var part1525 = match("MESSAGE#939:00529/1_1", "nwparser.p0", "automatically %{p0}"); - - var select355 = linear_select([ - part1524, - part1525, - ]); - - var part1526 = match("MESSAGE#939:00529/2", "nwparser.p0", "refreshed%{}"); - - var all332 = all_match({ - processors: [ - dup63, - select355, - part1526, - ], - on_success: processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg951 = msg("00529", all332); - - var part1527 = match("MESSAGE#940:00529:01/0", "nwparser.payload", "DNS entries have been refreshed by %{p0}"); - - var part1528 = match("MESSAGE#940:00529:01/1_0", "nwparser.p0", "state change%{}"); - - var part1529 = match("MESSAGE#940:00529:01/1_1", "nwparser.p0", "HA%{}"); - - var select356 = linear_select([ - part1528, - part1529, - ]); - - var all333 = all_match({ - processors: [ - part1527, - select356, - ], - on_success: processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg952 = msg("00529:01", all333); - - var select357 = linear_select([ - msg951, - msg952, - ]); - - var part1530 = match("MESSAGE#941:00530", "nwparser.payload", "An IP conflict has been detected and the DHCP client has declined address %{hostip}", processor_chain([ - dup272, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg953 = msg("00530", part1530); - - var part1531 = match("MESSAGE#942:00530:01/0", "nwparser.payload", "DHCP client IP %{hostip->} for the %{p0}"); - - var part1532 = match("MESSAGE#942:00530:01/2", "nwparser.p0", "%{} %{interface->} has been manually released"); - - var all334 = all_match({ - processors: [ - part1531, - dup337, - part1532, - ], - on_success: processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ]), 
- }); - - var msg954 = msg("00530:01", all334); - - var part1533 = match("MESSAGE#943:00530:02", "nwparser.payload", "DHCP client is unable to get an IP address for the %{interface->} interface", processor_chain([ - dup18, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg955 = msg("00530:02", part1533); - - var part1534 = match("MESSAGE#944:00530:03", "nwparser.payload", "DHCP client lease for %{hostip->} has expired", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg956 = msg("00530:03", part1534); - - var part1535 = match("MESSAGE#945:00530:04", "nwparser.payload", "DHCP server %{hostip->} has assigned the untrust Interface %{interface->} with lease %{fld2}.", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg957 = msg("00530:04", part1535); - - var part1536 = match("MESSAGE#946:00530:05", "nwparser.payload", "DHCP server %{hostip->} has assigned the %{interface->} interface %{fld2->} with lease %{fld3}", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg958 = msg("00530:05", part1536); - - var part1537 = match("MESSAGE#947:00530:06", "nwparser.payload", "DHCP client is unable to get IP address for the untrust interface.%{}", processor_chain([ - dup18, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg959 = msg("00530:06", part1537); - - var select358 = linear_select([ - msg953, - msg954, - msg955, - msg956, - msg957, - msg958, - msg959, - ]); - - var part1538 = match("MESSAGE#948:00531/0", "nwparser.payload", "System clock configurations have been changed by admin %{p0}"); - - var all335 = all_match({ - processors: [ - part1538, - dup397, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg960 = msg("00531", all335); - - var part1539 = match("MESSAGE#949:00531:01", "nwparser.payload", "failed to get clock through NTP%{}", processor_chain([ - dup86, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg961 = msg("00531:01", 
part1539); - - var part1540 = match("MESSAGE#950:00531:02", "nwparser.payload", "The system clock has been updated through NTP.%{}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg962 = msg("00531:02", part1540); - - var part1541 = match("MESSAGE#951:00531:03/0", "nwparser.payload", "The system clock was updated from %{type->} NTP server type %{hostname->} with a%{p0}"); - - var part1542 = match("MESSAGE#951:00531:03/1_0", "nwparser.p0", " ms %{p0}"); - - var select359 = linear_select([ - part1542, - dup115, - ]); - - var part1543 = match("MESSAGE#951:00531:03/2", "nwparser.p0", "adjustment of %{fld3}. Authentication was %{fld4}. Update mode was %{p0}"); - - var part1544 = match("MESSAGE#951:00531:03/3_0", "nwparser.p0", "%{fld5}(%{fld2})"); - - var part1545 = match_copy("MESSAGE#951:00531:03/3_1", "nwparser.p0", "fld5"); - - var select360 = linear_select([ - part1544, - part1545, - ]); - - var all336 = all_match({ - processors: [ - part1541, - select359, - part1543, - select360, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - dup146, - ]), - }); - - var msg963 = msg("00531:03", all336); - - var part1546 = match("MESSAGE#952:00531:04/0", "nwparser.payload", "The NetScreen device is attempting to contact the %{p0}"); - - var part1547 = match("MESSAGE#952:00531:04/1_0", "nwparser.p0", "primary backup %{p0}"); - - var part1548 = match("MESSAGE#952:00531:04/1_1", "nwparser.p0", "secondary backup %{p0}"); - - var select361 = linear_select([ - part1547, - part1548, - dup189, - ]); - - var part1549 = match("MESSAGE#952:00531:04/2", "nwparser.p0", "NTP server %{hostname}"); - - var all337 = all_match({ - processors: [ - part1546, - select361, - part1549, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg964 = msg("00531:04", all337); - - var part1550 = match("MESSAGE#953:00531:05", "nwparser.payload", "No NTP server could be contacted. 
(%{fld1})", processor_chain([ - dup86, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg965 = msg("00531:05", part1550); - - var part1551 = match("MESSAGE#954:00531:06", "nwparser.payload", "Network Time Protocol adjustment of %{fld2->} from NTP server %{hostname->} exceeds the allowed adjustment of %{fld3}. (%{fld1})", processor_chain([ - dup86, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg966 = msg("00531:06", part1551); - - var part1552 = match("MESSAGE#955:00531:07", "nwparser.payload", "No acceptable time could be obtained from any NTP server. (%{fld1})", processor_chain([ - dup86, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg967 = msg("00531:07", part1552); - - var part1553 = match("MESSAGE#956:00531:08", "nwparser.payload", "Administrator %{administrator->} changed the %{change_attribute->} from %{change_old->} to %{change_new->} (by %{fld3->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport}) (%{fld1})", processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg968 = msg("00531:08", part1553); - - var part1554 = match("MESSAGE#957:00531:09", "nwparser.payload", "Network Time Protocol settings changed. 
(%{fld1})", processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg969 = msg("00531:09", part1554); - - var part1555 = match("MESSAGE#958:00531:10", "nwparser.payload", "NTP server is %{disposition->} on interface %{interface->} (%{fld1})", processor_chain([ - dup86, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg970 = msg("00531:10", part1555); - - var part1556 = match("MESSAGE#959:00531:11", "nwparser.payload", "The system clock will be changed from %{change_old->} to %{change_new->} received from primary NTP server %{hostip->} (%{fld1})", processor_chain([ - dup44, - dup2, - dup3, - dup9, - dup4, - dup5, - setc("event_description","system clock changed based on receive from primary NTP server"), - ])); - - var msg971 = msg("00531:11", part1556); - - var part1557 = match("MESSAGE#1223:00531:12", "nwparser.payload", "%{fld35->} NTP server %{saddr->} could not be contacted. (%{fld1})", processor_chain([ - dup44, - dup2, - dup4, - dup5, - dup9, - ])); - - var msg972 = msg("00531:12", part1557); - - var select362 = linear_select([ - msg960, - msg961, - msg962, - msg963, - msg964, - msg965, - msg966, - msg967, - msg968, - msg969, - msg970, - msg971, - msg972, - ]); - - var part1558 = match("MESSAGE#960:00533", "nwparser.payload", "VIP server %{hostip->} is now responding", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg973 = msg("00533", part1558); - - var part1559 = match("MESSAGE#961:00534", "nwparser.payload", "%{fld2->} has been cleared", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg974 = msg("00534", part1559); - - var part1560 = match("MESSAGE#962:00535", "nwparser.payload", "Cannot find the CA certificate with distinguished name %{fld2}", processor_chain([ - dup314, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg975 = msg("00535", part1560); - - var part1561 = match("MESSAGE#963:00535:01", "nwparser.payload", "Distinguished name %{dn->} in the X509 
certificate request is %{disposition}", processor_chain([ - dup314, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg976 = msg("00535:01", part1561); - - var part1562 = match("MESSAGE#964:00535:02", "nwparser.payload", "Local certificate with distinguished name %{dn->} is %{disposition}", processor_chain([ - dup314, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg977 = msg("00535:02", part1562); - - var part1563 = match("MESSAGE#965:00535:03", "nwparser.payload", "PKCS #7 data cannot be decapsulated%{}", processor_chain([ - dup314, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg978 = msg("00535:03", part1563); - - var part1564 = match("MESSAGE#966:00535:04", "nwparser.payload", "SCEP_FAILURE message has been received from the CA%{}", processor_chain([ - dup314, - dup2, - dup3, - dup4, - dup5, - setc("result","SCEP_FAILURE message"), - ])); - - var msg979 = msg("00535:04", part1564); - - var part1565 = match("MESSAGE#967:00535:05", "nwparser.payload", "PKI error message has been received: %{result}", processor_chain([ - dup314, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg980 = msg("00535:05", part1565); - - var part1566 = match("MESSAGE#968:00535:06", "nwparser.payload", "PKI: Saved CA configuration (CA cert subject name %{dn}). (%{event_time_string})", processor_chain([ - dup314, - dup2, - dup3, - dup4, - dup5, - setc("event_description","Saved CA configuration - cert subject name"), - ])); - - var msg981 = msg("00535:06", part1566); - - var select363 = linear_select([ - msg975, - msg976, - msg977, - msg978, - msg979, - msg980, - msg981, - ]); - - var part1567 = match("MESSAGE#969:00536:49/0", "nwparser.payload", "IKE %{hostip->} %{p0}"); - - var part1568 = match("MESSAGE#969:00536:49/1_0", "nwparser.p0", "Phase 2 msg ID %{sessionid}: %{disposition}. %{p0}"); - - var part1569 = match("MESSAGE#969:00536:49/1_1", "nwparser.p0", "Phase 1: %{disposition->} %{p0}"); - - var part1570 = match("MESSAGE#969:00536:49/1_2", "nwparser.p0", "phase 2:%{disposition}. 
%{p0}"); - - var part1571 = match("MESSAGE#969:00536:49/1_3", "nwparser.p0", "phase 1:%{disposition}. %{p0}"); - - var select364 = linear_select([ - part1568, - part1569, - part1570, - part1571, - ]); - - var all338 = all_match({ - processors: [ - part1567, - select364, - dup10, - ], - on_success: processor_chain([ - dup44, - dup2, - dup9, - dup3, - dup4, - dup5, - ]), - }); - - var msg982 = msg("00536:49", all338); - - var part1572 = match("MESSAGE#970:00536", "nwparser.payload", "UDP packets have been received from %{saddr}/%{sport->} at interface %{interface->} at %{daddr}/%{dport}", processor_chain([ - dup44, - dup2, - dup4, - dup5, - dup3, - dup61, - ])); - - var msg983 = msg("00536", part1572); - - var part1573 = match("MESSAGE#971:00536:01", "nwparser.payload", "Attempt to set tunnel (%{fld2}) without IP address at both end points! Check outgoing interface.", processor_chain([ - dup18, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg984 = msg("00536:01", part1573); - - var part1574 = match("MESSAGE#972:00536:02", "nwparser.payload", "Gateway %{fld2->} at %{hostip->} in %{fld4->} mode with ID: %{fld3->} has been %{disposition}.", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg985 = msg("00536:02", part1574); - - var part1575 = match("MESSAGE#973:00536:03", "nwparser.payload", "IKE gateway %{fld2->} has been %{disposition}. 
%{info}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg986 = msg("00536:03", part1575); - - var part1576 = match("MESSAGE#974:00536:04", "nwparser.payload", "VPN monitoring for VPN %{group->} has deactivated the SA with ID %{fld2}.", processor_chain([ - setc("eventcategory","1801010100"), - dup2, - dup3, - dup4, - dup5, - ])); - - var msg987 = msg("00536:04", part1576); - - var part1577 = match("MESSAGE#975:00536:05", "nwparser.payload", "VPN ID number cannot be assigned%{}", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg988 = msg("00536:05", part1577); - - var part1578 = match("MESSAGE#976:00536:06", "nwparser.payload", "Local gateway IP address has changed to %{fld2}. VPNs cannot terminate at an interface with IP %{hostip}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg989 = msg("00536:06", part1578); - - var part1579 = match("MESSAGE#977:00536:07", "nwparser.payload", "Local gateway IP address has changed from %{change_old->} to another setting", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg990 = msg("00536:07", part1579); - - var part1580 = match("MESSAGE#978:00536:08", "nwparser.payload", "IKE %{hostip}: Sent initial contact notification message", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg991 = msg("00536:08", part1580); - - var part1581 = match("MESSAGE#979:00536:09", "nwparser.payload", "IKE %{hostip}: Sent initial contact notification", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg992 = msg("00536:09", part1581); - - var part1582 = match("MESSAGE#980:00536:10", "nwparser.payload", "IKE %{hostip}: Responded to a packet with a bad SPI after rebooting", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg993 = msg("00536:10", part1582); - - var part1583 = match("MESSAGE#981:00536:11", "nwparser.payload", "IKE %{hostip}: Removed Phase 2 SAs after 
receiving a notification message", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg994 = msg("00536:11", part1583); - - var part1584 = match("MESSAGE#982:00536:12", "nwparser.payload", "IKE %{hostip}: Rejected first Phase 1 packet from an unrecognized source", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg995 = msg("00536:12", part1584); - - var part1585 = match("MESSAGE#983:00536:13", "nwparser.payload", "IKE %{hostip}: Rejected an initial Phase 1 packet from an unrecognized peer gateway", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg996 = msg("00536:13", part1585); - - var part1586 = match("MESSAGE#984:00536:14/0", "nwparser.payload", "IKE %{hostip}: Received initial contact notification and removed Phase %{p0}"); - - var part1587 = match("MESSAGE#984:00536:14/2", "nwparser.p0", "SAs%{}"); - - var all339 = all_match({ - processors: [ - part1586, - dup383, - part1587, - ], - on_success: processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg997 = msg("00536:14", all339); - - var part1588 = match("MESSAGE#985:00536:50", "nwparser.payload", "IKE %{hostip}: Received a notification message for %{disposition}. 
(%{fld1})", processor_chain([ - dup44, - dup2, - dup9, - dup3, - dup4, - dup5, - ])); - - var msg998 = msg("00536:50", part1588); - - var part1589 = match("MESSAGE#986:00536:15", "nwparser.payload", "IKE %{hostip}: Received incorrect ID payload: IP address %{fld2->} instead of IP address %{fld3}", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg999 = msg("00536:15", part1589); - - var part1590 = match("MESSAGE#987:00536:16", "nwparser.payload", "IKE %{hostip}: Phase 2 negotiation request is already in the task list", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1000 = msg("00536:16", part1590); - - var part1591 = match("MESSAGE#988:00536:17", "nwparser.payload", "IKE %{hostip}: Heartbeats have been lost %{fld2->} times", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1001 = msg("00536:17", part1591); - - var part1592 = match("MESSAGE#989:00536:18", "nwparser.payload", "IKE %{hostip}: Dropped peer packet because no policy uses the peer configuration", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1002 = msg("00536:18", part1592); - - var part1593 = match("MESSAGE#990:00536:19", "nwparser.payload", "IKE %{hostip}: Dropped packet because remote gateway OK is not used in any VPN tunnel configurations", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1003 = msg("00536:19", part1593); - - var part1594 = match("MESSAGE#991:00536:20", "nwparser.payload", "IKE %{hostip}: Added the initial contact task to the task list", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1004 = msg("00536:20", part1594); - - var part1595 = match("MESSAGE#992:00536:21", "nwparser.payload", "IKE %{hostip}: Added Phase 2 session tasks to the task list", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1005 = msg("00536:21", part1595); - - var part1596 = match("MESSAGE#993:00536:22", 
"nwparser.payload", "IKE %{hostip->} Phase 1 : %{disposition->} proposals from peer. Negotiations failed", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - setc("result","Negotiations failed"), - ])); - - var msg1006 = msg("00536:22", part1596); - - var part1597 = match("MESSAGE#994:00536:23", "nwparser.payload", "IKE %{hostip->} Phase 1 : Aborted negotiations because the time limit has elapsed", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - setc("result","The time limit has elapsed"), - setc("disposition","Aborted"), - ])); - - var msg1007 = msg("00536:23", part1597); - - var part1598 = match("MESSAGE#995:00536:24", "nwparser.payload", "IKE %{hostip->} Phase 2: Received a message but did not check a policy because id-mode is set to IP or policy-checking is disabled", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1008 = msg("00536:24", part1598); - - var part1599 = match("MESSAGE#996:00536:25", "nwparser.payload", "IKE %{hostip->} Phase 2: Received DH group %{fld2->} instead of expected group %{fld3->} for PFS", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1009 = msg("00536:25", part1599); - - var part1600 = match("MESSAGE#997:00536:26", "nwparser.payload", "IKE %{hostip->} Phase 2: No policy exists for the proxy ID received: local ID %{fld2->} remote ID %{fld3}", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1010 = msg("00536:26", part1600); - - var part1601 = match("MESSAGE#998:00536:27", "nwparser.payload", "IKE %{hostip->} Phase 1: RSA private key is needed to sign packets", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1011 = msg("00536:27", part1601); - - var part1602 = match("MESSAGE#999:00536:28", "nwparser.payload", "IKE %{hostip->} Phase 1: Aggressive mode negotiations have %{disposition}", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1012 = msg("00536:28", part1602); - - 
var part1603 = match("MESSAGE#1000:00536:29", "nwparser.payload", "IKE %{hostip->} Phase 1: Vendor ID payload indicates that the peer does not support NAT-T", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1013 = msg("00536:29", part1603); - - var part1604 = match("MESSAGE#1001:00536:30", "nwparser.payload", "IKE %{hostip->} Phase 1: Retransmission limit has been reached", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1014 = msg("00536:30", part1604); - - var part1605 = match("MESSAGE#1002:00536:31", "nwparser.payload", "IKE %{hostip->} Phase 1: Received an invalid RSA signature", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1015 = msg("00536:31", part1605); - - var part1606 = match("MESSAGE#1003:00536:32", "nwparser.payload", "IKE %{hostip->} Phase 1: Received an incorrect public key authentication method", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1016 = msg("00536:32", part1606); - - var part1607 = match("MESSAGE#1004:00536:33", "nwparser.payload", "IKE %{hostip->} Phase 1: No private key exists to sign packets", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1017 = msg("00536:33", part1607); - - var part1608 = match("MESSAGE#1005:00536:34", "nwparser.payload", "IKE %{hostip->} Phase 1: Main mode packet has arrived with ID type IP address but no user configuration was found for that ID", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1018 = msg("00536:34", part1608); - - var part1609 = match("MESSAGE#1006:00536:35", "nwparser.payload", "IKE %{hostip->} Phase 1: IKE initiator has detected NAT in front of the local device", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1019 = msg("00536:35", part1609); - - var part1610 = match("MESSAGE#1007:00536:36/0", "nwparser.payload", "IKE %{hostip->} Phase 1: Discarded a second initial packet%{p0}"); - - var 
part1611 = match("MESSAGE#1007:00536:36/2", "nwparser.p0", "%{}which arrived within %{fld2->} after the first"); - - var all340 = all_match({ - processors: [ - part1610, - dup401, - part1611, - ], - on_success: processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg1020 = msg("00536:36", all340); - - var part1612 = match("MESSAGE#1008:00536:37", "nwparser.payload", "IKE %{hostip->} Phase 1: Completed Aggressive mode negotiations with a %{fld2->} lifetime", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1021 = msg("00536:37", part1612); - - var part1613 = match("MESSAGE#1009:00536:38", "nwparser.payload", "IKE %{hostip->} Phase 1: Certificate received has a subject name that does not match the ID payload", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1022 = msg("00536:38", part1613); - - var part1614 = match("MESSAGE#1010:00536:39", "nwparser.payload", "IKE %{hostip->} Phase 1: Certificate received has a different IP address %{fld2->} than expected", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1023 = msg("00536:39", part1614); - - var part1615 = match("MESSAGE#1011:00536:40", "nwparser.payload", "IKE %{hostip->} Phase 1: Cannot use a preshared key because the peer%{quote}s gateway has a dynamic IP address and negotiations are in Main mode", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1024 = msg("00536:40", part1615); - - var part1616 = match("MESSAGE#1012:00536:47", "nwparser.payload", "IKE %{hostip->} Phase 1: Initiated negotiations in Aggressive mode", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1025 = msg("00536:47", part1616); - - var part1617 = match("MESSAGE#1013:00536:41", "nwparser.payload", "IKE %{hostip->} Phase 1: Cannot verify RSA signature", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1026 = msg("00536:41", part1617); - - var part1618 = 
match("MESSAGE#1014:00536:42", "nwparser.payload", "IKE %{hostip->} Phase 1: Initiated Main mode negotiations", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1027 = msg("00536:42", part1618); - - var part1619 = match("MESSAGE#1015:00536:43", "nwparser.payload", "IKE %{hostip->} Phase 2: Initiated negotiations", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1028 = msg("00536:43", part1619); - - var part1620 = match("MESSAGE#1016:00536:44", "nwparser.payload", "IKE %{hostip}: Changed heartbeat interval to %{fld2}", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1029 = msg("00536:44", part1620); - - var part1621 = match("MESSAGE#1017:00536:45", "nwparser.payload", "IKE %{hostip}: Heartbeats have been %{disposition->} because %{result}", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1030 = msg("00536:45", part1621); - - var part1622 = match("MESSAGE#1018:00536:48", "nwparser.payload", "Received an IKE packet on %{interface->} from %{saddr}:%{sport->} to %{daddr}:%{dport}/%{fld1}. Cookies: %{ike_cookie1}, %{ike_cookie2}. 
(%{event_time_string})", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - setc("event_description","Received an IKE packet on interface"), - ])); - - var msg1031 = msg("00536:48", part1622); - - var part1623 = match("MESSAGE#1019:00536:46", "nwparser.payload", "IKE %{hostip}: Received a bad SPI", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1032 = msg("00536:46", part1623); - - var select365 = linear_select([ - msg982, - msg983, - msg984, - msg985, - msg986, - msg987, - msg988, - msg989, - msg990, - msg991, - msg992, - msg993, - msg994, - msg995, - msg996, - msg997, - msg998, - msg999, - msg1000, - msg1001, - msg1002, - msg1003, - msg1004, - msg1005, - msg1006, - msg1007, - msg1008, - msg1009, - msg1010, - msg1011, - msg1012, - msg1013, - msg1014, - msg1015, - msg1016, - msg1017, - msg1018, - msg1019, - msg1020, - msg1021, - msg1022, - msg1023, - msg1024, - msg1025, - msg1026, - msg1027, - msg1028, - msg1029, - msg1030, - msg1031, - msg1032, - ]); - - var part1624 = match("MESSAGE#1020:00537", "nwparser.payload", "PPPoE %{disposition->} to establish a session: %{info}", processor_chain([ - dup18, - dup2, - dup4, - dup5, - dup3, - ])); - - var msg1033 = msg("00537", part1624); - - var part1625 = match("MESSAGE#1021:00537:01", "nwparser.payload", "PPPoE session shuts down: %{result}", processor_chain([ - dup18, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1034 = msg("00537:01", part1625); - - var part1626 = match("MESSAGE#1022:00537:02", "nwparser.payload", "The Point-to-Point over Ethernet (PPPoE) connection failed to establish a session: %{result}", processor_chain([ - dup18, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1035 = msg("00537:02", part1626); - - var part1627 = match("MESSAGE#1023:00537:03", "nwparser.payload", "PPPoE session has successfully established%{}", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1036 = msg("00537:03", part1627); - - var select366 = 
linear_select([ - msg1033, - msg1034, - msg1035, - msg1036, - ]); - - var part1628 = match("MESSAGE#1024:00538/0", "nwparser.payload", "NACN failed to register to Policy Manager %{fld2->} because %{p0}"); - - var select367 = linear_select([ - dup111, - dup119, - ]); - - var part1629 = match("MESSAGE#1024:00538/2", "nwparser.p0", "%{result}"); - - var all341 = all_match({ - processors: [ - part1628, - select367, - part1629, - ], - on_success: processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg1037 = msg("00538", all341); - - var part1630 = match("MESSAGE#1025:00538:01", "nwparser.payload", "NACN successfully registered to Policy Manager %{fld2}.", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1038 = msg("00538:01", part1630); - - var part1631 = match("MESSAGE#1026:00538:02", "nwparser.payload", "The NACN protocol has started for Policy Manager %{fld2->} on hostname %{hostname->} IP address %{hostip->} port %{network_port}.", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1039 = msg("00538:02", part1631); - - var part1632 = match("MESSAGE#1027:00538:03", "nwparser.payload", "Cannot connect to NSM Server at %{hostip->} (%{fld2->} connect attempt(s)) %{fld3}", processor_chain([ - dup19, - dup2, - dup4, - dup5, - dup3, - ])); - - var msg1040 = msg("00538:03", part1632); - - var part1633 = match("MESSAGE#1028:00538:04", "nwparser.payload", "Device is not known to Global PRO data collector at %{hostip}", processor_chain([ - dup27, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1041 = msg("00538:04", part1633); - - var part1634 = match("MESSAGE#1029:00538:05/0", "nwparser.payload", "Lost %{p0}"); - - var part1635 = match("MESSAGE#1029:00538:05/1_0", "nwparser.p0", "socket connection%{p0}"); - - var part1636 = match("MESSAGE#1029:00538:05/1_1", "nwparser.p0", "connection%{p0}"); - - var select368 = linear_select([ - part1635, - part1636, - ]); - - var part1637 = 
match("MESSAGE#1029:00538:05/2", "nwparser.p0", "%{}to Global PRO data collector at %{hostip}"); - - var all342 = all_match({ - processors: [ - part1634, - select368, - part1637, - ], - on_success: processor_chain([ - dup27, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg1042 = msg("00538:05", all342); - - var part1638 = match("MESSAGE#1030:00538:06/0", "nwparser.payload", "Device has connected to the Global PRO%{p0}"); - - var part1639 = match("MESSAGE#1030:00538:06/1_0", "nwparser.p0", " %{fld2->} primary data collector at %{p0}"); - - var part1640 = match("MESSAGE#1030:00538:06/1_1", "nwparser.p0", " primary data collector at %{p0}"); - - var select369 = linear_select([ - part1639, - part1640, - ]); - - var part1641 = match_copy("MESSAGE#1030:00538:06/2", "nwparser.p0", "hostip"); - - var all343 = all_match({ - processors: [ - part1638, - select369, - part1641, - ], - on_success: processor_chain([ - dup27, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg1043 = msg("00538:06", all343); - - var part1642 = match("MESSAGE#1031:00538:07/0", "nwparser.payload", "Connection to Global PRO data collector at %{hostip->} has%{p0}"); - - var part1643 = match("MESSAGE#1031:00538:07/1_0", "nwparser.p0", " been%{p0}"); - - var select370 = linear_select([ - part1643, - dup16, - ]); - - var all344 = all_match({ - processors: [ - part1642, - select370, - dup136, - ], - on_success: processor_chain([ - dup27, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg1044 = msg("00538:07", all344); - - var part1644 = match("MESSAGE#1032:00538:08", "nwparser.payload", "Cannot connect to Global PRO data collector at %{hostip}", processor_chain([ - dup27, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1045 = msg("00538:08", part1644); - - var part1645 = match("MESSAGE#1033:00538:09", "nwparser.payload", "NSM: Connected to NSM server at %{hostip->} (%{info}) (%{fld1})", processor_chain([ - dup301, - dup2, - dup3, - dup9, - dup4, - dup5, - 
setc("event_description","Connected to NSM server"), - ])); - - var msg1046 = msg("00538:09", part1645); - - var part1646 = match("MESSAGE#1034:00538:10/0", "nwparser.payload", "NSM: Connection to NSM server at %{hostip->} is down. Reason: %{resultcode}, %{result->} (%{p0}"); - - var part1647 = match("MESSAGE#1034:00538:10/1_0", "nwparser.p0", "%{info}) (%{fld1})"); - - var select371 = linear_select([ - part1647, - dup41, - ]); - - var all345 = all_match({ - processors: [ - part1646, - select371, - ], - on_success: processor_chain([ - dup198, - dup2, - dup3, - dup9, - dup4, - dup5, - setc("event_description","Connection to NSM server is down"), - ]), - }); - - var msg1047 = msg("00538:10", all345); - - var part1648 = match("MESSAGE#1035:00538:11", "nwparser.payload", "NSM: Cannot connect to NSM server at %{hostip}. Reason: %{resultcode}, %{result->} (%{info}) (%{fld2->} connect attempt(s)) (%{fld1})", processor_chain([ - dup198, - dup2, - dup3, - dup9, - dup4, - dup5, - dup323, - ])); - - var msg1048 = msg("00538:11", part1648); - - var part1649 = match("MESSAGE#1036:00538:12", "nwparser.payload", "NSM: Cannot connect to NSM server at %{hostip}. 
Reason: %{resultcode}, %{result->} (%{info}) (%{fld1})", processor_chain([ - dup198, - dup2, - dup3, - dup9, - dup4, - dup5, - dup323, - ])); - - var msg1049 = msg("00538:12", part1649); - - var part1650 = match("MESSAGE#1037:00538:13", "nwparser.payload", "NSM: Sent 2B message (%{fld1})", processor_chain([ - dup44, - dup2, - dup3, - dup9, - dup4, - dup5, - setc("event_description","Sent 2B message"), - ])); - - var msg1050 = msg("00538:13", part1650); - - var select372 = linear_select([ - msg1037, - msg1038, - msg1039, - msg1040, - msg1041, - msg1042, - msg1043, - msg1044, - msg1045, - msg1046, - msg1047, - msg1048, - msg1049, - msg1050, - ]); - - var part1651 = match("MESSAGE#1038:00539", "nwparser.payload", "No IP address in L2TP IP pool for user %{username}", processor_chain([ - dup117, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1051 = msg("00539", part1651); - - var part1652 = match("MESSAGE#1039:00539:01", "nwparser.payload", "No L2TP IP pool for user %{username}", processor_chain([ - dup117, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1052 = msg("00539:01", part1652); - - var part1653 = match("MESSAGE#1040:00539:02", "nwparser.payload", "Cannot allocate IP addr from Pool %{group_object->} for user %{username}", processor_chain([ - dup117, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1053 = msg("00539:02", part1653); - - var part1654 = match("MESSAGE#1041:00539:03", "nwparser.payload", "Dialup HDLC PPP failed to establish a session: %{fld2}.", processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1054 = msg("00539:03", part1654); - - var part1655 = match("MESSAGE#1042:00539:04", "nwparser.payload", "Dialup HDLC PPP session has successfully established.%{}", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1055 = msg("00539:04", part1655); - - var part1656 = match("MESSAGE#1043:00539:05", "nwparser.payload", "No IP Pool has been assigned. 
You cannot allocate an IP address%{}", processor_chain([ - dup18, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1056 = msg("00539:05", part1656); - - var part1657 = match("MESSAGE#1044:00539:06", "nwparser.payload", "PPP settings changed.%{}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1057 = msg("00539:06", part1657); - - var select373 = linear_select([ - msg1051, - msg1052, - msg1053, - msg1054, - msg1055, - msg1056, - msg1057, - ]); - - var part1658 = match("MESSAGE#1045:00541", "nwparser.payload", "ScreenOS %{fld2->} serial # %{serial_number}: Asset recovery has been %{disposition}", processor_chain([ - dup324, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1058 = msg("00541", part1658); - - var part1659 = match("MESSAGE#1216:00541:01", "nwparser.payload", "Neighbor router ID - %{fld2->} IP address - %{hostip->} changed its state to %{change_new}. (%{fld1})", processor_chain([ - dup273, - dup9, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1059 = msg("00541:01", part1659); - - var part1660 = match("MESSAGE#1218:00541:02", "nwparser.payload", "The system killed OSPF neighbor because the current router could not see itself in the hello packet. Neighbor changed state from %{change_old->} to %{change_new->} state, (neighbor router-id 1%{fld2}, ip-address %{hostip}). (%{fld1})", processor_chain([ - dup273, - dup9, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1060 = msg("00541:02", part1660); - - var part1661 = match("MESSAGE#1219:00541:03/0", "nwparser.payload", "LSA in following area aged out: LSA area ID %{fld3}, LSA ID %{fld4}, router ID %{fld2}, type %{fld7->} in OSPF. 
(%{fld1})%{p0}"); - - var part1662 = match("MESSAGE#1219:00541:03/1_0", "nwparser.p0", "\u003c\u003c%{fld16}>"); - - var select374 = linear_select([ - part1662, - dup21, - ]); - - var all346 = all_match({ - processors: [ - part1661, - select374, - ], - on_success: processor_chain([ - dup44, - dup9, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg1061 = msg("00541:03", all346); - - var select375 = linear_select([ - msg1058, - msg1059, - msg1060, - msg1061, - ]); - - var part1663 = match("MESSAGE#1046:00542", "nwparser.payload", "BGP of vr: %{node}, prefix adding: %{fld2}, ribin overflow %{fld3->} times (max rib-in %{fld4})", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1062 = msg("00542", part1663); - - var part1664 = match("MESSAGE#1047:00543/0", "nwparser.payload", "Access for %{p0}"); - - var part1665 = match("MESSAGE#1047:00543/1_0", "nwparser.p0", "WebAuth firewall %{p0}"); - - var part1666 = match("MESSAGE#1047:00543/1_1", "nwparser.p0", "firewall %{p0}"); - - var select376 = linear_select([ - part1665, - part1666, - ]); - - var part1667 = match("MESSAGE#1047:00543/2", "nwparser.p0", "user %{username->} %{space}at %{hostip->} (accepted at %{fld2->} for duration %{duration->} via the %{logon_type}) %{p0}"); - - var part1668 = match("MESSAGE#1047:00543/3_0", "nwparser.p0", "by policy id %{policy_id->} is %{p0}"); - - var select377 = linear_select([ - part1668, - dup106, - ]); - - var part1669 = match("MESSAGE#1047:00543/4", "nwparser.p0", "now over (%{fld1})"); - - var all347 = all_match({ - processors: [ - part1664, - select376, - part1667, - select377, - part1669, - ], - on_success: processor_chain([ - dup281, - dup2, - dup4, - dup5, - dup9, - dup3, - ]), - }); - - var msg1063 = msg("00543", all347); - - var part1670 = match("MESSAGE#1048:00544", "nwparser.payload", "User %{username->} [ of group %{group->} ] at %{hostip->} has been challenged by the RADIUS server at %{daddr}", processor_chain([ - dup281, - dup2, - dup4, - 
dup5, - dup3, - dup60, - setc("action","RADIUS server challenge"), - ])); - - var msg1064 = msg("00544", part1670); - - var part1671 = match("MESSAGE#1049:00546", "nwparser.payload", "delete-route-> trust-vr: %{fld2}", processor_chain([ - dup281, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1065 = msg("00546", part1671); - - var part1672 = match("MESSAGE#1050:00547", "nwparser.payload", "AV: Content from %{saddr}:%{sport}->%{daddr}:%{dport->} was not scanned because max content size was exceeded.", processor_chain([ - dup44, - dup2, - dup4, - dup5, - dup3, - dup61, - ])); - - var msg1066 = msg("00547", part1672); - - var part1673 = match("MESSAGE#1051:00547:01", "nwparser.payload", "AV: Content from %{saddr}:%{sport}->%{daddr}:%{dport->} was not scanned due to a scan engine error or constraint.", processor_chain([ - dup44, - dup2, - dup4, - dup5, - dup3, - dup61, - ])); - - var msg1067 = msg("00547:01", part1673); - - var part1674 = match("MESSAGE#1052:00547:02", "nwparser.payload", "AV object scan-mgr data has been %{disposition}.", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1068 = msg("00547:02", part1674); - - var part1675 = match("MESSAGE#1053:00547:03/0", "nwparser.payload", "AV: Content from %{location_desc}, http url: %{url}, is passed %{p0}"); - - var part1676 = match("MESSAGE#1053:00547:03/1_0", "nwparser.p0", "due to %{p0}"); - - var part1677 = match("MESSAGE#1053:00547:03/1_1", "nwparser.p0", "because %{p0}"); - - var select378 = linear_select([ - part1676, - part1677, - ]); - - var part1678 = match("MESSAGE#1053:00547:03/2", "nwparser.p0", "%{result}. 
(%{event_time_string})"); - - var all348 = all_match({ - processors: [ - part1675, - select378, - part1678, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - setc("event_description","Content is bypassed for connection"), - ]), - }); - - var msg1069 = msg("00547:03", all348); - - var select379 = linear_select([ - msg1066, - msg1067, - msg1068, - msg1069, - ]); - - var part1679 = match("MESSAGE#1054:00549", "nwparser.payload", "add-route-> untrust-vr: %{fld2}", processor_chain([ - dup281, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1070 = msg("00549", part1679); - - var part1680 = match("MESSAGE#1055:00551", "nwparser.payload", "Error %{resultcode->} occurred during configlet file processing.", processor_chain([ - dup18, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1071 = msg("00551", part1680); - - var part1681 = match("MESSAGE#1056:00551:01", "nwparser.payload", "Error %{resultcode->} occurred, causing failure to establish secure management with Management System.", processor_chain([ - dup86, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1072 = msg("00551:01", part1681); - - var part1682 = match("MESSAGE#1057:00551:02/0", "nwparser.payload", "Configlet file %{p0}"); - - var part1683 = match("MESSAGE#1057:00551:02/1_0", "nwparser.p0", "decryption %{p0}"); - - var select380 = linear_select([ - part1683, - dup89, - ]); - - var all349 = all_match({ - processors: [ - part1682, - select380, - dup128, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg1073 = msg("00551:02", all349); - - var part1684 = match("MESSAGE#1058:00551:03", "nwparser.payload", "Rapid Deployment cannot start because gateway has undergone configuration changes. 
(%{fld1})", processor_chain([ - dup18, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg1074 = msg("00551:03", part1684); - - var part1685 = match("MESSAGE#1059:00551:04", "nwparser.payload", "Secure management established successfully with remote server. (%{fld1})", processor_chain([ - dup44, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg1075 = msg("00551:04", part1685); - - var select381 = linear_select([ - msg1071, - msg1072, - msg1073, - msg1074, - msg1075, - ]); - - var part1686 = match("MESSAGE#1060:00553/0", "nwparser.payload", "SCAN-MGR: Failed to get %{p0}"); - - var part1687 = match("MESSAGE#1060:00553/1_0", "nwparser.p0", "AltServer %{p0}"); - - var part1688 = match("MESSAGE#1060:00553/1_1", "nwparser.p0", "Version %{p0}"); - - var part1689 = match("MESSAGE#1060:00553/1_2", "nwparser.p0", "Path_GateLockCE %{p0}"); - - var select382 = linear_select([ - part1687, - part1688, - part1689, - ]); - - var all350 = all_match({ - processors: [ - part1686, - select382, - dup325, - ], - on_success: processor_chain([ - dup18, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg1076 = msg("00553", all350); - - var part1690 = match("MESSAGE#1061:00553:01", "nwparser.payload", "SCAN-MGR: Zero pattern size from server.ini.%{}", processor_chain([ - dup18, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1077 = msg("00553:01", part1690); - - var part1691 = match("MESSAGE#1062:00553:02", "nwparser.payload", "SCAN-MGR: Pattern size from server.ini is too large: %{bytes->} (bytes).", processor_chain([ - dup18, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1078 = msg("00553:02", part1691); - - var part1692 = match("MESSAGE#1063:00553:03", "nwparser.payload", "SCAN-MGR: Pattern URL from server.ini is too long: %{fld2}; max is %{fld3}.", processor_chain([ - dup18, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1079 = msg("00553:03", part1692); - - var part1693 = match("MESSAGE#1064:00553:04/0", "nwparser.payload", "SCAN-MGR: Failed to retrieve 
%{p0}"); - - var select383 = linear_select([ - dup326, - dup327, - ]); - - var part1694 = match("MESSAGE#1064:00553:04/2", "nwparser.p0", "file: %{fld2}; http status code: %{resultcode}."); - - var all351 = all_match({ - processors: [ - part1693, - select383, - part1694, - ], - on_success: processor_chain([ - dup18, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg1080 = msg("00553:04", all351); - - var part1695 = match("MESSAGE#1065:00553:05", "nwparser.payload", "SCAN-MGR: Failed to write pattern into a RAM file.%{}", processor_chain([ - dup18, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1081 = msg("00553:05", part1695); - - var part1696 = match("MESSAGE#1066:00553:06", "nwparser.payload", "SCAN-MGR: Check Pattern File failed: code from VSAPI: %{resultcode}", processor_chain([ - dup18, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1082 = msg("00553:06", part1696); - - var part1697 = match("MESSAGE#1067:00553:07", "nwparser.payload", "SCAN-MGR: Failed to write pattern into flash.%{}", processor_chain([ - dup18, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1083 = msg("00553:07", part1697); - - var part1698 = match("MESSAGE#1068:00553:08/0", "nwparser.payload", "SCAN-MGR: Internal error while setting up for retrieving %{p0}"); - - var select384 = linear_select([ - dup327, - dup326, - ]); - - var all352 = all_match({ - processors: [ - part1698, - select384, - dup328, - ], - on_success: processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg1084 = msg("00553:08", all352); - - var part1699 = match("MESSAGE#1069:00553:09", "nwparser.payload", "SCAN-MGR: %{fld2->} %{disposition}: Err: %{resultcode}.", processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1085 = msg("00553:09", part1699); - - var part1700 = match("MESSAGE#1070:00553:10", "nwparser.payload", "SCAN-MGR: TMIntCPVSInit %{disposition->} due to %{result}", processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1086 = 
msg("00553:10", part1700); - - var part1701 = match("MESSAGE#1071:00553:11", "nwparser.payload", "SCAN-MGR: Attempted Pattern Creation Date(%{fld2}) is after AV Key Expiration date(%{fld3}).", processor_chain([ - dup18, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1087 = msg("00553:11", part1701); - - var part1702 = match("MESSAGE#1072:00553:12", "nwparser.payload", "SCAN-MGR: TMIntSetDecompressLayer %{disposition}: Layer: %{fld2}, Err: %{resultcode}.", processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1088 = msg("00553:12", part1702); - - var part1703 = match("MESSAGE#1073:00553:13", "nwparser.payload", "SCAN-MGR: TMIntSetExtractFileSizeLimit %{disposition}: Limit: %{fld2}, Err: %{resultcode}.", processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1089 = msg("00553:13", part1703); - - var part1704 = match("MESSAGE#1074:00553:14", "nwparser.payload", "SCAN-MGR: TMIntScanFile %{disposition}: ret: %{fld2}; cpapiErrCode: %{resultcode}.", processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1090 = msg("00553:14", part1704); - - var part1705 = match("MESSAGE#1075:00553:15", "nwparser.payload", "SCAN-MGR: VSAPI resource usage error. 
Left usage: %{fld2}.", processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1091 = msg("00553:15", part1705); - - var part1706 = match("MESSAGE#1076:00553:16", "nwparser.payload", "SCAN-MGR: Set decompress layer to %{fld2}.", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1092 = msg("00553:16", part1706); - - var part1707 = match("MESSAGE#1077:00553:17", "nwparser.payload", "SCAN-MGR: Set maximum content size to %{fld2}.", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1093 = msg("00553:17", part1707); - - var part1708 = match("MESSAGE#1078:00553:18", "nwparser.payload", "SCAN-MGR: Set maximum number of concurrent messages to %{fld2}.", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1094 = msg("00553:18", part1708); - - var part1709 = match("MESSAGE#1079:00553:19", "nwparser.payload", "SCAN-MGR: Set drop if maximum number of concurrent messages exceeds max to %{fld2}.", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1095 = msg("00553:19", part1709); - - var part1710 = match("MESSAGE#1080:00553:20", "nwparser.payload", "SCAN-MGR: Set Pattern URL to %{fld2}; update interval is %{fld3}.", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1096 = msg("00553:20", part1710); - - var part1711 = match("MESSAGE#1081:00553:21", "nwparser.payload", "SCAN-MGR: Unset Pattern URL; Pattern will not be updated automatically.%{}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1097 = msg("00553:21", part1711); - - var part1712 = match("MESSAGE#1082:00553:22", "nwparser.payload", "SCAN-MGR: New pattern updated: version: %{version}, size: %{bytes->} (bytes).", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1098 = msg("00553:22", part1712); - - var select385 = linear_select([ - msg1076, - msg1077, - msg1078, - msg1079, - msg1080, - msg1081, - msg1082, - msg1083, - 
msg1084, - msg1085, - msg1086, - msg1087, - msg1088, - msg1089, - msg1090, - msg1091, - msg1092, - msg1093, - msg1094, - msg1095, - msg1096, - msg1097, - msg1098, - ]); - - var part1713 = match("MESSAGE#1083:00554/0", "nwparser.payload", "SCAN-MGR: Cannot get %{p0}"); - - var part1714 = match("MESSAGE#1083:00554/1_0", "nwparser.p0", "AltServer info %{p0}"); - - var part1715 = match("MESSAGE#1083:00554/1_1", "nwparser.p0", "Version number %{p0}"); - - var part1716 = match("MESSAGE#1083:00554/1_2", "nwparser.p0", "Path_GateLockCE info %{p0}"); - - var select386 = linear_select([ - part1714, - part1715, - part1716, - ]); - - var all353 = all_match({ - processors: [ - part1713, - select386, - dup325, - ], - on_success: processor_chain([ - dup144, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg1099 = msg("00554", all353); - - var part1717 = match("MESSAGE#1084:00554:01", "nwparser.payload", "SCAN-MGR: Per server.ini file, the AV pattern file size is zero.%{}", processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1100 = msg("00554:01", part1717); - - var part1718 = match("MESSAGE#1085:00554:02", "nwparser.payload", "SCAN-MGR: AV pattern file size is too large (%{bytes->} bytes).", processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1101 = msg("00554:02", part1718); - - var part1719 = match("MESSAGE#1086:00554:03", "nwparser.payload", "SCAN-MGR: Alternate AV pattern file server URL is too long: %{bytes->} bytes. Max: %{fld2->} bytes.", processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1102 = msg("00554:03", part1719); - - var part1720 = match("MESSAGE#1087:00554:04/0", "nwparser.payload", "SCAN-MGR: Cannot retrieve %{p0}"); - - var part1721 = match("MESSAGE#1087:00554:04/2", "nwparser.p0", "file from %{hostip}:%{network_port}. 
HTTP status code: %{fld2}."); - - var all354 = all_match({ - processors: [ - part1720, - dup405, - part1721, - ], - on_success: processor_chain([ - dup144, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg1103 = msg("00554:04", all354); - - var part1722 = match("MESSAGE#1088:00554:05/0", "nwparser.payload", "SCAN-MGR: Cannot write AV pattern file to %{p0}"); - - var part1723 = match("MESSAGE#1088:00554:05/1_0", "nwparser.p0", "RAM %{p0}"); - - var part1724 = match("MESSAGE#1088:00554:05/1_1", "nwparser.p0", "flash %{p0}"); - - var select387 = linear_select([ - part1723, - part1724, - ]); - - var all355 = all_match({ - processors: [ - part1722, - select387, - dup116, - ], - on_success: processor_chain([ - dup144, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg1104 = msg("00554:05", all355); - - var part1725 = match("MESSAGE#1089:00554:06", "nwparser.payload", "SCAN-MGR: Cannot check AV pattern file. VSAPI code: %{fld2}", processor_chain([ - dup144, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1105 = msg("00554:06", part1725); - - var part1726 = match("MESSAGE#1090:00554:07/0", "nwparser.payload", "SCAN-MGR: Internal error occurred while retrieving %{p0}"); - - var all356 = all_match({ - processors: [ - part1726, - dup405, - dup328, - ], - on_success: processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg1106 = msg("00554:07", all356); - - var part1727 = match("MESSAGE#1091:00554:08/0", "nwparser.payload", "SCAN-MGR: Internal error occurred when calling this function: %{fld2}. 
%{fld3->} %{p0}"); - - var part1728 = match("MESSAGE#1091:00554:08/1_0", "nwparser.p0", "Error: %{resultcode->} %{p0}"); - - var part1729 = match("MESSAGE#1091:00554:08/1_1", "nwparser.p0", "Returned a NULL VSC handler %{p0}"); - - var part1730 = match("MESSAGE#1091:00554:08/1_2", "nwparser.p0", "cpapiErrCode: %{resultcode->} %{p0}"); - - var select388 = linear_select([ - part1728, - part1729, - part1730, - ]); - - var all357 = all_match({ - processors: [ - part1727, - select388, - dup116, - ], - on_success: processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg1107 = msg("00554:08", all357); - - var part1731 = match("MESSAGE#1092:00554:09", "nwparser.payload", "SCAN-MGR: Number of decompression layers has been set to %{fld2}.", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1108 = msg("00554:09", part1731); - - var part1732 = match("MESSAGE#1093:00554:10", "nwparser.payload", "SCAN-MGR: Maximum content size has been set to %{fld2->} KB.", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1109 = msg("00554:10", part1732); - - var part1733 = match("MESSAGE#1094:00554:11", "nwparser.payload", "SCAN-MGR: Maximum number of concurrent messages has been set to %{fld2}.", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1110 = msg("00554:11", part1733); - - var part1734 = match("MESSAGE#1095:00554:12/0", "nwparser.payload", "SCAN-MGR: Fail mode has been set to %{p0}"); - - var part1735 = match("MESSAGE#1095:00554:12/1_0", "nwparser.p0", "drop %{p0}"); - - var part1736 = match("MESSAGE#1095:00554:12/1_1", "nwparser.p0", "pass %{p0}"); - - var select389 = linear_select([ - part1735, - part1736, - ]); - - var part1737 = match("MESSAGE#1095:00554:12/2", "nwparser.p0", "unexamined traffic if %{p0}"); - - var part1738 = match("MESSAGE#1095:00554:12/3_0", "nwparser.p0", "content size %{p0}"); - - var part1739 = match("MESSAGE#1095:00554:12/3_1", "nwparser.p0", "number of 
concurrent messages %{p0}"); - - var select390 = linear_select([ - part1738, - part1739, - ]); - - var part1740 = match("MESSAGE#1095:00554:12/4", "nwparser.p0", "exceeds max.%{}"); - - var all358 = all_match({ - processors: [ - part1734, - select389, - part1737, - select390, - part1740, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg1111 = msg("00554:12", all358); - - var part1741 = match("MESSAGE#1096:00554:13", "nwparser.payload", "SCAN-MGR: URL for AV pattern update server has been set to %{fld2}, and the update interval to %{fld3->} minutes.", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1112 = msg("00554:13", part1741); - - var part1742 = match("MESSAGE#1097:00554:14", "nwparser.payload", "SCAN-MGR: URL for AV pattern update server has been unset, and the update interval returned to its default.%{}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1113 = msg("00554:14", part1742); - - var part1743 = match("MESSAGE#1098:00554:15", "nwparser.payload", "SCAN-MGR: New AV pattern file has been updated. Version: %{version}; size: %{bytes->} bytes.", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1114 = msg("00554:15", part1743); - - var part1744 = match("MESSAGE#1099:00554:16", "nwparser.payload", "SCAN-MGR: AV client has exceeded its resource allotment. Remaining available resources: %{fld2}.", processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1115 = msg("00554:16", part1744); - - var part1745 = match("MESSAGE#1100:00554:17", "nwparser.payload", "SCAN-MGR: Attempted to load AV pattern file created %{fld2->} after the AV subscription expired. 
(Exp: %{fld3})", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1116 = msg("00554:17", part1745); - - var select391 = linear_select([ - msg1099, - msg1100, - msg1101, - msg1102, - msg1103, - msg1104, - msg1105, - msg1106, - msg1107, - msg1108, - msg1109, - msg1110, - msg1111, - msg1112, - msg1113, - msg1114, - msg1115, - msg1116, - ]); - - var part1746 = match("MESSAGE#1101:00555", "nwparser.payload", "Vrouter %{node->} PIMSM cannot process non-multicast address %{hostip}", processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1117 = msg("00555", part1746); - - var part1747 = match("MESSAGE#1102:00556", "nwparser.payload", "UF-MGR: Failed to process a request. Reason: %{result}", processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1118 = msg("00556", part1747); - - var part1748 = match("MESSAGE#1103:00556:01", "nwparser.payload", "UF-MGR: Failed to abort a transaction. Reason: %{result}", processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1119 = msg("00556:01", part1748); - - var part1749 = match("MESSAGE#1104:00556:02/0", "nwparser.payload", "UF-MGR: UF %{p0}"); - - var part1750 = match("MESSAGE#1104:00556:02/1_0", "nwparser.p0", "K%{p0}"); - - var part1751 = match("MESSAGE#1104:00556:02/1_1", "nwparser.p0", "k%{p0}"); - - var select392 = linear_select([ - part1750, - part1751, - ]); - - var part1752 = match("MESSAGE#1104:00556:02/2", "nwparser.p0", "ey %{p0}"); - - var part1753 = match("MESSAGE#1104:00556:02/3_0", "nwparser.p0", "Expired%{p0}"); - - var part1754 = match("MESSAGE#1104:00556:02/3_1", "nwparser.p0", "expired%{p0}"); - - var select393 = linear_select([ - part1753, - part1754, - ]); - - var part1755 = match("MESSAGE#1104:00556:02/4", "nwparser.p0", "%{}(expiration date: %{fld2}; current date: %{fld3})."); - - var all359 = all_match({ - processors: [ - part1749, - select392, - part1752, - select393, - part1755, - ], - on_success: processor_chain([ - 
dup254, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg1120 = msg("00556:02", all359); - - var part1756 = match("MESSAGE#1105:00556:03/0", "nwparser.payload", "UF-MGR: Failed to %{p0}"); - - var part1757 = match("MESSAGE#1105:00556:03/1_0", "nwparser.p0", "enable %{p0}"); - - var part1758 = match("MESSAGE#1105:00556:03/1_1", "nwparser.p0", "disable %{p0}"); - - var select394 = linear_select([ - part1757, - part1758, - ]); - - var part1759 = match("MESSAGE#1105:00556:03/2", "nwparser.p0", "cache.%{}"); - - var all360 = all_match({ - processors: [ - part1756, - select394, - part1759, - ], - on_success: processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg1121 = msg("00556:03", all360); - - var part1760 = match("MESSAGE#1106:00556:04", "nwparser.payload", "UF-MGR: Internal Error: %{resultcode}", processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1122 = msg("00556:04", part1760); - - var part1761 = match("MESSAGE#1107:00556:05", "nwparser.payload", "UF-MGR: Cache size changed to %{fld2}(K).", processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1123 = msg("00556:05", part1761); - - var part1762 = match("MESSAGE#1108:00556:06", "nwparser.payload", "UF-MGR: Cache timeout changes to %{fld2->} (hours).", processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1124 = msg("00556:06", part1762); - - var part1763 = match("MESSAGE#1109:00556:07", "nwparser.payload", "UF-MGR: Category update interval changed to %{fld2->} (weeks).", processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1125 = msg("00556:07", part1763); - - var part1764 = match("MESSAGE#1110:00556:08/0", "nwparser.payload", "UF-MGR: Cache %{p0}"); - - var all361 = all_match({ - processors: [ - part1764, - dup358, - dup116, - ], - on_success: processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg1126 = msg("00556:08", all361); - - var part1765 = 
match("MESSAGE#1111:00556:09", "nwparser.payload", "UF-MGR: URL BLOCKED: ip_addr (%{fld2}) -> ip_addr (%{fld3}), %{fld4->} action: %{disposition}, category: %{fld5}, reason %{result}", processor_chain([ - dup232, - dup2, - dup3, - dup4, - dup5, - dup282, - ])); - - var msg1127 = msg("00556:09", part1765); - - var part1766 = match("MESSAGE#1112:00556:10", "nwparser.payload", "UF-MGR: URL FILTER ERR: ip_addr (%{fld2}) -> ip_addr (%{fld3}), host: %{fld5->} page: %{fld4->} code: %{resultcode->} reason: %{result}.", processor_chain([ - dup232, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1128 = msg("00556:10", part1766); - - var part1767 = match("MESSAGE#1113:00556:11", "nwparser.payload", "UF-MGR: Primary CPA server changed to %{fld2}", processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1129 = msg("00556:11", part1767); - - var part1768 = match("MESSAGE#1114:00556:12/0", "nwparser.payload", "UF-MGR: %{fld2->} CPA server %{p0}"); - - var select395 = linear_select([ - dup140, - dup169, - ]); - - var part1769 = match("MESSAGE#1114:00556:12/2", "nwparser.p0", "changed to %{fld3}."); - - var all362 = all_match({ - processors: [ - part1768, - select395, - part1769, - ], - on_success: processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg1130 = msg("00556:12", all362); - - var part1770 = match("MESSAGE#1115:00556:13", "nwparser.payload", "UF-MGR: SurfControl URL filtering %{disposition}.", processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1131 = msg("00556:13", part1770); - - var part1771 = match("MESSAGE#1116:00556:14/0", "nwparser.payload", "UF-MGR: The url %{url->} was %{p0}"); - - var part1772 = match("MESSAGE#1116:00556:14/2", "nwparser.p0", "category %{fld2}."); - - var all363 = all_match({ - processors: [ - part1771, - dup406, - part1772, - ], - on_success: processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg1132 = msg("00556:14", all363); - - var 
part1773 = match("MESSAGE#1117:00556:15/0", "nwparser.payload", "UF-MGR: The category %{fld2->} was %{p0}"); - - var part1774 = match("MESSAGE#1117:00556:15/2", "nwparser.p0", "profile %{fld3->} with action %{disposition}."); - - var all364 = all_match({ - processors: [ - part1773, - dup406, - part1774, - ], - on_success: processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - dup282, - ]), - }); - - var msg1133 = msg("00556:15", all364); - - var part1775 = match("MESSAGE#1118:00556:16/0", "nwparser.payload", "UF-MGR: The %{p0}"); - - var part1776 = match("MESSAGE#1118:00556:16/1_0", "nwparser.p0", "profile %{p0}"); - - var part1777 = match("MESSAGE#1118:00556:16/1_1", "nwparser.p0", "category %{p0}"); - - var select396 = linear_select([ - part1776, - part1777, - ]); - - var part1778 = match("MESSAGE#1118:00556:16/2", "nwparser.p0", "%{fld2->} was %{p0}"); - - var select397 = linear_select([ - dup104, - dup120, - ]); - - var all365 = all_match({ - processors: [ - part1775, - select396, - part1778, - select397, - dup116, - ], - on_success: processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg1134 = msg("00556:16", all365); - - var part1779 = match("MESSAGE#1119:00556:17/0", "nwparser.payload", "UF-MGR: The category %{fld2->} was set in profile %{profile->} as the %{p0}"); - - var part1780 = match("MESSAGE#1119:00556:17/1_0", "nwparser.p0", "black %{p0}"); - - var part1781 = match("MESSAGE#1119:00556:17/1_1", "nwparser.p0", "white %{p0}"); - - var select398 = linear_select([ - part1780, - part1781, - ]); - - var part1782 = match("MESSAGE#1119:00556:17/2", "nwparser.p0", "list.%{}"); - - var all366 = all_match({ - processors: [ - part1779, - select398, - part1782, - ], - on_success: processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg1135 = msg("00556:17", all366); - - var part1783 = match("MESSAGE#1120:00556:18/0", "nwparser.payload", "UF-MGR: The action for %{fld2->} in profile %{profile->} was %{p0}"); 
- - var part1784 = match("MESSAGE#1120:00556:18/1_1", "nwparser.p0", "changed %{p0}"); - - var select399 = linear_select([ - dup101, - part1784, - ]); - - var part1785 = match("MESSAGE#1120:00556:18/2", "nwparser.p0", "to %{fld3}."); - - var all367 = all_match({ - processors: [ - part1783, - select399, - part1785, - ], - on_success: processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg1136 = msg("00556:18", all367); - - var part1786 = match("MESSAGE#1121:00556:20/0", "nwparser.payload", "UF-MGR: The category list from the CPA server %{p0}"); - - var part1787 = match("MESSAGE#1121:00556:20/2", "nwparser.p0", "updated on%{p0}"); - - var select400 = linear_select([ - dup103, - dup96, - ]); - - var part1788 = match("MESSAGE#1121:00556:20/4", "nwparser.p0", "the device.%{}"); - - var all368 = all_match({ - processors: [ - part1786, - dup355, - part1787, - select400, - part1788, - ], - on_success: processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg1137 = msg("00556:20", all368); - - var part1789 = match("MESSAGE#1122:00556:21", "nwparser.payload", "UF-MGR: URL BLOCKED: %{saddr}(%{sport})->%{daddr}(%{dport}), %{fld2->} action: %{disposition}, category: %{category}, reason: %{result->} (%{fld1})", processor_chain([ - dup232, - dup2, - dup3, - dup9, - dup4, - dup5, - dup282, - ])); - - var msg1138 = msg("00556:21", part1789); - - var part1790 = match("MESSAGE#1123:00556:22", "nwparser.payload", "UF-MGR: URL BLOCKED: %{saddr}(%{sport})->%{daddr}(%{dport}), %{fld2->} (%{fld1})", processor_chain([ - dup232, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg1139 = msg("00556:22", part1790); - - var select401 = linear_select([ - msg1118, - msg1119, - msg1120, - msg1121, - msg1122, - msg1123, - msg1124, - msg1125, - msg1126, - msg1127, - msg1128, - msg1129, - msg1130, - msg1131, - msg1132, - msg1133, - msg1134, - msg1135, - msg1136, - msg1137, - msg1138, - msg1139, - ]); - - var part1791 = 
match("MESSAGE#1124:00572", "nwparser.payload", "PPP LCP on interface %{interface->} is %{fld2}. (%{fld1})", processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg1140 = msg("00572", part1791); - - var part1792 = match("MESSAGE#1125:00572:01", "nwparser.payload", "PPP authentication state on interface %{interface}: %{result}. (%{fld1})", processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg1141 = msg("00572:01", part1792); - - var part1793 = match("MESSAGE#1126:00572:03", "nwparser.payload", "PPP on interface %{interface->} is %{disposition->} by receiving Terminate-Request. (%{fld1})", processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg1142 = msg("00572:03", part1793); - - var select402 = linear_select([ - msg1140, - msg1141, - msg1142, - ]); - - var part1794 = match("MESSAGE#1127:00615", "nwparser.payload", "PBR policy \"%{policyname}\" rebuilding lookup tree for virtual router \"%{node}\". (%{fld1})", processor_chain([ - dup44, - dup2, - dup4, - dup5, - dup9, - ])); - - var msg1143 = msg("00615", part1794); - - var part1795 = match("MESSAGE#1128:00615:01", "nwparser.payload", "PBR policy \"%{policyname}\" lookup tree rebuilt successfully in virtual router \"%{node}\". (%{fld1})", processor_chain([ - dup44, - dup2, - dup4, - dup5, - dup9, - ])); - - var msg1144 = msg("00615:01", part1795); - - var select403 = linear_select([ - msg1143, - msg1144, - ]); - - var part1796 = match("MESSAGE#1129:00601", "nwparser.payload", "%{signame->} attack! From %{saddr}:%{sport->} to %{daddr}:%{dport}, proto %{protocol}, through policy %{policyname}. Occurred %{dclass_counter1->} times. 
(%{fld1})", processor_chain([ - dup58, - dup2, - dup59, - dup3, - dup9, - dup4, - dup5, - dup61, - ])); - - var msg1145 = msg("00601", part1796); - - var part1797 = match("MESSAGE#1130:00601:01", "nwparser.payload", "%{signame->} has been detected from %{saddr}/%{sport->} to %{daddr}/%{dport->} through policy %{policyname->} %{dclass_counter1->} times. (%{fld1})", processor_chain([ - dup58, - dup2, - dup59, - dup3, - dup9, - dup4, - dup5, - dup61, - ])); - - var msg1146 = msg("00601:01", part1797); - - var part1798 = match("MESSAGE#1131:00601:18", "nwparser.payload", "Error in initializing multicast.%{}", processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1147 = msg("00601:18", part1798); - - var select404 = linear_select([ - msg1145, - msg1146, - msg1147, - ]); - - var part1799 = match("MESSAGE#1132:00602", "nwparser.payload", "PIMSM Error in initializing interface state change%{}", processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1148 = msg("00602", part1799); - - var part1800 = match("MESSAGE#1133:00612/0", "nwparser.payload", "Switch event: the status of ethernet port %{fld2->} changed to link %{p0}"); - - var part1801 = match("MESSAGE#1133:00612/2", "nwparser.p0", ", duplex %{p0}"); - - var part1802 = match("MESSAGE#1133:00612/3_0", "nwparser.p0", "full %{p0}"); - - var part1803 = match("MESSAGE#1133:00612/3_1", "nwparser.p0", "half %{p0}"); - - var select405 = linear_select([ - part1802, - part1803, - ]); - - var part1804 = match("MESSAGE#1133:00612/4", "nwparser.p0", ", speed 10%{p0}"); - - var part1805 = match("MESSAGE#1133:00612/5_0", "nwparser.p0", "0 %{p0}"); - - var select406 = linear_select([ - part1805, - dup96, - ]); - - var part1806 = match("MESSAGE#1133:00612/6", "nwparser.p0", "M. 
(%{fld1})"); - - var all369 = all_match({ - processors: [ - part1800, - dup353, - part1801, - select405, - part1804, - select406, - part1806, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg1149 = msg("00612", all369); - - var part1807 = match("MESSAGE#1134:00620", "nwparser.payload", "RTSYNC: Event posted to send all the DRP routes to backup device. (%{fld1})", processor_chain([ - dup272, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg1150 = msg("00620", part1807); - - var part1808 = match("MESSAGE#1135:00620:01/0", "nwparser.payload", "RTSYNC: %{p0}"); - - var part1809 = match("MESSAGE#1135:00620:01/1_0", "nwparser.p0", "Serviced%{p0}"); - - var part1810 = match("MESSAGE#1135:00620:01/1_1", "nwparser.p0", "Recieved%{p0}"); - - var select407 = linear_select([ - part1809, - part1810, - ]); - - var part1811 = match("MESSAGE#1135:00620:01/2", "nwparser.p0", "%{}coldstart request for route synchronization from NSRP peer. (%{fld1})"); - - var all370 = all_match({ - processors: [ - part1808, - select407, - part1811, - ], - on_success: processor_chain([ - dup272, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg1151 = msg("00620:01", all370); - - var part1812 = match("MESSAGE#1136:00620:02", "nwparser.payload", "RTSYNC: Started timer to purge all the DRP backup routes - %{fld2->} (%{fld1})", processor_chain([ - dup272, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg1152 = msg("00620:02", part1812); - - var part1813 = match("MESSAGE#1137:00620:03", "nwparser.payload", "RTSYNC: Event posted to purge backup routes in all vrouters. (%{fld1})", processor_chain([ - dup272, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg1153 = msg("00620:03", part1813); - - var part1814 = match("MESSAGE#1138:00620:04", "nwparser.payload", "RTSYNC: Timer to purge the DRP backup routes is stopped. 
(%{fld1})", processor_chain([ - dup272, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg1154 = msg("00620:04", part1814); - - var select408 = linear_select([ - msg1150, - msg1151, - msg1152, - msg1153, - msg1154, - ]); - - var part1815 = match("MESSAGE#1139:00622", "nwparser.payload", "NHRP : NHRP instance in virtual router %{node->} is created. (%{fld1})", processor_chain([ - dup273, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg1155 = msg("00622", part1815); - - var part1816 = match("MESSAGE#1140:00625/0", "nwparser.payload", "Session (id %{sessionid->} src-ip %{saddr->} dst-ip %{daddr->} dst port %{dport}) route is %{p0}"); - - var part1817 = match("MESSAGE#1140:00625/1_0", "nwparser.p0", "invalid%{p0}"); - - var part1818 = match("MESSAGE#1140:00625/1_1", "nwparser.p0", "valid%{p0}"); - - var select409 = linear_select([ - part1817, - part1818, - ]); - - var all371 = all_match({ - processors: [ - part1816, - select409, - dup49, - ], - on_success: processor_chain([ - dup273, - dup2, - dup4, - dup5, - dup9, - ]), - }); - - var msg1156 = msg("00625", all371); - - var part1819 = match("MESSAGE#1141:00628/0", "nwparser.payload", "audit log queue %{p0}"); - - var part1820 = match("MESSAGE#1141:00628/1_0", "nwparser.p0", "Traffic Log %{p0}"); - - var part1821 = match("MESSAGE#1141:00628/1_1", "nwparser.p0", "Event Alarm Log %{p0}"); - - var part1822 = match("MESSAGE#1141:00628/1_2", "nwparser.p0", "Event Log %{p0}"); - - var select410 = linear_select([ - part1820, - part1821, - part1822, - ]); - - var part1823 = match("MESSAGE#1141:00628/2", "nwparser.p0", "is overwritten (%{fld1})"); - - var all372 = all_match({ - processors: [ - part1819, - select410, - part1823, - ], - on_success: processor_chain([ - dup223, - dup2, - dup4, - dup5, - dup9, - ]), - }); - - var msg1157 = msg("00628", all372); - - var part1824 = match("MESSAGE#1142:00767:50", "nwparser.payload", "Log setting was modified to %{disposition->} %{fld2->} level by admin 
%{administrator->} (%{fld1})", processor_chain([ - dup1, - dup2, - dup4, - dup5, - dup9, - dup282, - ])); - - var msg1158 = msg("00767:50", part1824); - - var part1825 = match("MESSAGE#1143:00767:51", "nwparser.payload", "Attack CS:Man in Middle is created by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport->} by admin %{administrator->} (%{fld1})", processor_chain([ - dup58, - dup2, - dup4, - dup5, - dup9, - ])); - - var msg1159 = msg("00767:51", part1825); - - var part1826 = match("MESSAGE#1144:00767:52", "nwparser.payload", "Attack group %{group->} is created by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport->} by admin %{administrator->} (%{fld1})", processor_chain([ - dup58, - dup2, - dup4, - dup5, - dup9, - ])); - - var msg1160 = msg("00767:52", part1826); - - var part1827 = match("MESSAGE#1145:00767:53", "nwparser.payload", "Attack CS:Man in Middle is added to attack group %{group->} by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport->} by admin %{administrator->} (%{fld1})", processor_chain([ - dup58, - dup2, - dup4, - dup5, - dup9, - ])); - - var msg1161 = msg("00767:53", part1827); - - var part1828 = match("MESSAGE#1146:00767", "nwparser.payload", "Cannot contact the SecurID server%{}", processor_chain([ - dup27, - setc("ec_theme","Communication"), - dup39, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1162 = msg("00767", part1828); - - var part1829 = match("MESSAGE#1147:00767:01/0", "nwparser.payload", "System auto-config of file %{fld2->} from TFTP server %{hostip->} has %{p0}"); - - var part1830 = match("MESSAGE#1147:00767:01/1_0", "nwparser.p0", "been loaded successfully%{}"); - - var part1831 = match("MESSAGE#1147:00767:01/1_1", "nwparser.p0", "failed%{}"); - - var select411 = linear_select([ - part1830, - part1831, - ]); - - var all373 = all_match({ - processors: [ - part1829, - select411, - ], - on_success: processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, 
- ]), - }); - - var msg1163 = msg("00767:01", all373); - - var part1832 = match("MESSAGE#1148:00767:02", "nwparser.payload", "netscreen: System Config saved from host %{saddr}", processor_chain([ - setc("eventcategory","1702000000"), - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1164 = msg("00767:02", part1832); - - var part1833 = match("MESSAGE#1149:00767:03", "nwparser.payload", "System Config saved to filename %(unknown)", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1165 = msg("00767:03", part1833); - - var part1834 = match("MESSAGE#1150:00767:04", "nwparser.payload", "System is operational.%{}", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1166 = msg("00767:04", part1834); - - var part1835 = match("MESSAGE#1151:00767:05", "nwparser.payload", "The device cannot contact the SecurID server%{}", processor_chain([ - dup27, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1167 = msg("00767:05", part1835); - - var part1836 = match("MESSAGE#1152:00767:06", "nwparser.payload", "The device cannot send data to the SecurID server%{}", processor_chain([ - dup27, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1168 = msg("00767:06", part1836); - - var part1837 = match("MESSAGE#1153:00767:07", "nwparser.payload", "The system configuration was saved from peer unit by admin%{}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1169 = msg("00767:07", part1837); - - var part1838 = match("MESSAGE#1154:00767:08/0", "nwparser.payload", "The system configuration was saved by admin %{p0}"); - - var all374 = all_match({ - processors: [ - part1838, - dup397, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg1170 = msg("00767:08", all374); - - var part1839 = match("MESSAGE#1155:00767:09/0", "nwparser.payload", "traffic shaping is turned O%{p0}"); - - var part1840 = match("MESSAGE#1155:00767:09/1_0", "nwparser.p0", "N%{}"); - - var 
part1841 = match("MESSAGE#1155:00767:09/1_1", "nwparser.p0", "FF%{}"); - - var select412 = linear_select([ - part1840, - part1841, - ]); - - var all375 = all_match({ - processors: [ - part1839, - select412, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg1171 = msg("00767:09", all375); - - var part1842 = match("MESSAGE#1156:00767:10/0", "nwparser.payload", "The system configuration was saved from host %{saddr->} by admin %{p0}"); - - var all376 = all_match({ - processors: [ - part1842, - dup397, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg1172 = msg("00767:10", all376); - - var part1843 = match("MESSAGE#1157:00767:11/0", "nwparser.payload", "Fatal error. The NetScreen device was unable to upgrade the %{p0}"); - - var part1844 = match("MESSAGE#1157:00767:11/1_1", "nwparser.p0", "file system %{p0}"); - - var select413 = linear_select([ - dup331, - part1844, - ]); - - var part1845 = match("MESSAGE#1157:00767:11/2", "nwparser.p0", ", and the %{p0}"); - - var part1846 = match("MESSAGE#1157:00767:11/3_1", "nwparser.p0", "old file system %{p0}"); - - var select414 = linear_select([ - dup331, - part1846, - ]); - - var part1847 = match("MESSAGE#1157:00767:11/4", "nwparser.p0", "is damaged.%{}"); - - var all377 = all_match({ - processors: [ - part1843, - select413, - part1845, - select414, - part1847, - ], - on_success: processor_chain([ - dup18, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg1173 = msg("00767:11", all377); - - var part1848 = match("MESSAGE#1158:00767:12", "nwparser.payload", "System configuration saved by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport->} by %{fld2->} (%{fld1})", processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg1174 = msg("00767:12", part1848); - - var part1849 = match("MESSAGE#1159:00767:13/0", "nwparser.payload", "%{fld2}Environment variable %{fld3->} is 
changed to %{fld4->} by admin %{p0}"); - - var all378 = all_match({ - processors: [ - part1849, - dup397, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg1175 = msg("00767:13", all378); - - var part1850 = match("MESSAGE#1160:00767:14/0", "nwparser.payload", "System was %{p0}"); - - var part1851 = match("MESSAGE#1160:00767:14/1_0", "nwparser.p0", "reset %{p0}"); - - var select415 = linear_select([ - part1851, - dup262, - ]); - - var part1852 = match("MESSAGE#1160:00767:14/2", "nwparser.p0", "at %{fld2->} by %{p0}"); - - var part1853 = match("MESSAGE#1160:00767:14/3_0", "nwparser.p0", "admin %{administrator}"); - - var part1854 = match_copy("MESSAGE#1160:00767:14/3_1", "nwparser.p0", "username"); - - var select416 = linear_select([ - part1853, - part1854, - ]); - - var all379 = all_match({ - processors: [ - part1850, - select415, - part1852, - select416, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg1176 = msg("00767:14", all379); - - var part1855 = match("MESSAGE#1161:00767:15/1_0", "nwparser.p0", "System %{p0}"); - - var part1856 = match("MESSAGE#1161:00767:15/1_1", "nwparser.p0", "Event %{p0}"); - - var part1857 = match("MESSAGE#1161:00767:15/1_2", "nwparser.p0", "Traffic %{p0}"); - - var select417 = linear_select([ - part1855, - part1856, - part1857, - ]); - - var part1858 = match("MESSAGE#1161:00767:15/2", "nwparser.p0", "log was reviewed by %{p0}"); - - var part1859 = match("MESSAGE#1161:00767:15/4", "nwparser.p0", "%{} %{username}."); - - var all380 = all_match({ - processors: [ - dup183, - select417, - part1858, - dup336, - part1859, - ], - on_success: processor_chain([ - dup223, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg1177 = msg("00767:15", all380); - - var part1860 = match("MESSAGE#1162:00767:16", "nwparser.payload", "%{fld2->} Admin %{administrator->} issued command %{info->} to redirect output.", processor_chain([ - dup1, - 
dup2, - dup3, - dup4, - dup5, - ])); - - var msg1178 = msg("00767:16", part1860); - - var part1861 = match("MESSAGE#1163:00767:17/0", "nwparser.payload", "%{fld2->} Save new software from %{fld3->} to flash by admin %{p0}"); - - var all381 = all_match({ - processors: [ - part1861, - dup397, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg1179 = msg("00767:17", all381); - - var part1862 = match("MESSAGE#1164:00767:18", "nwparser.payload", "Attack database version %{version->} has been %{fld2->} saved to flash.", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1180 = msg("00767:18", part1862); - - var part1863 = match("MESSAGE#1165:00767:19", "nwparser.payload", "Attack database version %{version->} was rejected because the authentication check failed.", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1181 = msg("00767:19", part1863); - - var part1864 = match("MESSAGE#1166:00767:20", "nwparser.payload", "The dictionary file version of the RADIUS server %{hostname->} does not match %{fld2}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1182 = msg("00767:20", part1864); - - var part1865 = match("MESSAGE#1167:00767:21", "nwparser.payload", "Session (%{fld2->} %{fld3}, %{fld4}) cleared %{fld5}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1183 = msg("00767:21", part1865); - - var part1866 = match("MESSAGE#1168:00767:22/0", "nwparser.payload", "The system configuration was not saved %{p0}"); - - var part1867 = match("MESSAGE#1168:00767:22/1_0", "nwparser.p0", "%{fld2->} by admin %{administrator->} via NSRP Peer %{p0}"); - - var part1868 = match("MESSAGE#1168:00767:22/1_1", "nwparser.p0", "%{fld2->} %{p0}"); - - var select418 = linear_select([ - part1867, - part1868, - ]); - - var part1869 = match("MESSAGE#1168:00767:22/2", "nwparser.p0", "by administrator %{fld3}. 
%{p0}"); - - var part1870 = match("MESSAGE#1168:00767:22/3_0", "nwparser.p0", "It was locked %{p0}"); - - var part1871 = match("MESSAGE#1168:00767:22/3_1", "nwparser.p0", "Locked %{p0}"); - - var select419 = linear_select([ - part1870, - part1871, - ]); - - var part1872 = match("MESSAGE#1168:00767:22/4", "nwparser.p0", "by administrator %{fld4->} %{p0}"); - - var all382 = all_match({ - processors: [ - part1866, - select418, - part1869, - select419, - part1872, - dup354, - ], - on_success: processor_chain([ - dup50, - dup43, - dup51, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg1184 = msg("00767:22", all382); - - var part1873 = match("MESSAGE#1169:00767:23", "nwparser.payload", "Save new software from slot filename %{filename->} to flash memory by administrator %{administrator}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1185 = msg("00767:23", part1873); - - var part1874 = match("MESSAGE#1170:00767:25/0", "nwparser.payload", "System configuration saved by %{username->} via %{logon_type->} from %{p0}"); - - var select420 = linear_select([ - dup169, - dup16, - ]); - - var part1875 = match("MESSAGE#1170:00767:25/3_0", "nwparser.p0", "%{saddr}:%{sport->} by %{p0}"); - - var part1876 = match("MESSAGE#1170:00767:25/3_1", "nwparser.p0", "%{saddr->} by %{p0}"); - - var select421 = linear_select([ - part1875, - part1876, - ]); - - var all383 = all_match({ - processors: [ - part1874, - select420, - dup23, - select421, - dup108, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg1186 = msg("00767:25", all383); - - var part1877 = match("MESSAGE#1171:00767:26/0", "nwparser.payload", "Lock configuration %{p0}"); - - var part1878 = match("MESSAGE#1171:00767:26/1_0", "nwparser.p0", "started%{p0}"); - - var part1879 = match("MESSAGE#1171:00767:26/1_1", "nwparser.p0", "ended%{p0}"); - - var select422 = linear_select([ - part1878, - part1879, - ]); - - var part1880 = 
match("MESSAGE#1171:00767:26/2", "nwparser.p0", "%{}by task %{p0}"); - - var part1881 = match("MESSAGE#1171:00767:26/3_0", "nwparser.p0", "%{fld3}, with a timeout value of %{fld2}"); - - var part1882 = match("MESSAGE#1171:00767:26/3_1", "nwparser.p0", "%{fld2->} (%{fld1})"); - - var select423 = linear_select([ - part1881, - part1882, - ]); - - var all384 = all_match({ - processors: [ - part1877, - select422, - part1880, - select423, - ], - on_success: processor_chain([ - dup50, - dup43, - dup51, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg1187 = msg("00767:26", all384); - - var part1883 = match("MESSAGE#1172:00767:27/0", "nwparser.payload", "Environment variable %{fld2->} changed to %{p0}"); - - var part1884 = match("MESSAGE#1172:00767:27/1_0", "nwparser.p0", "%{fld3->} by %{username->} (%{fld1})"); - - var part1885 = match_copy("MESSAGE#1172:00767:27/1_1", "nwparser.p0", "fld3"); - - var select424 = linear_select([ - part1884, - part1885, - ]); - - var all385 = all_match({ - processors: [ - part1883, - select424, - ], - on_success: processor_chain([ - dup223, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg1188 = msg("00767:27", all385); - - var part1886 = match("MESSAGE#1173:00767:28", "nwparser.payload", "The system configuration was loaded from IP address %{hostip->} under filename %{filename->} by administrator by admin %{administrator->} (%{fld1})", processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg1189 = msg("00767:28", part1886); - - var part1887 = match("MESSAGE#1174:00767:29", "nwparser.payload", "Save configuration to IP address %{hostip->} under filename %{filename->} by administrator by admin %{administrator->} (%{fld1})", processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg1190 = msg("00767:29", part1887); - - var part1888 = match("MESSAGE#1175:00767:30", "nwparser.payload", "%{fld2}: The system configuration was saved from host %{saddr->} by admin 
%{administrator->} (%{fld1})", processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg1191 = msg("00767:30", part1888); - - var part1889 = match("MESSAGE#1176:00767:31/1_0", "nwparser.p0", "logged events or alarms %{p0}"); - - var part1890 = match("MESSAGE#1176:00767:31/1_1", "nwparser.p0", "traffic logs %{p0}"); - - var select425 = linear_select([ - part1889, - part1890, - ]); - - var part1891 = match("MESSAGE#1176:00767:31/2", "nwparser.p0", "were cleared by admin %{p0}"); - - var all386 = all_match({ - processors: [ - dup186, - select425, - part1891, - dup397, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg1192 = msg("00767:31", all386); - - var part1892 = match("MESSAGE#1177:00767:32/0", "nwparser.payload", "SIP parser error %{p0}"); - - var part1893 = match("MESSAGE#1177:00767:32/1_0", "nwparser.p0", "SIP-field%{p0}"); - - var part1894 = match("MESSAGE#1177:00767:32/1_1", "nwparser.p0", "Message%{p0}"); - - var select426 = linear_select([ - part1893, - part1894, - ]); - - var part1895 = match("MESSAGE#1177:00767:32/2", "nwparser.p0", ": %{result}(%{fld1})"); - - var all387 = all_match({ - processors: [ - part1892, - select426, - part1895, - ], - on_success: processor_chain([ - dup27, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg1193 = msg("00767:32", all387); - - var part1896 = match("MESSAGE#1178:00767:33", "nwparser.payload", "Daylight Saving Time has started. 
(%{fld1})", processor_chain([ - dup44, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg1194 = msg("00767:33", part1896); - - var part1897 = match("MESSAGE#1179:00767:34", "nwparser.payload", "NetScreen devices do not support multiple IP addresses %{hostip->} or ports %{network_port->} in SIP headers RESPONSE (%{fld1})", processor_chain([ - dup313, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg1195 = msg("00767:34", part1897); - - var part1898 = match("MESSAGE#1180:00767:35", "nwparser.payload", "Environment variable %{fld2->} set to %{fld3->} (%{fld1})", processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg1196 = msg("00767:35", part1898); - - var part1899 = match("MESSAGE#1181:00767:36", "nwparser.payload", "System configuration saved from %{fld2->} by %{username->} (%{fld1})", processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg1197 = msg("00767:36", part1899); - - var part1900 = match("MESSAGE#1182:00767:37", "nwparser.payload", "Trial keys are available to download to enable advanced features. %{space->} To find out, please visit %{url->} (%{fld1})", processor_chain([ - dup254, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg1198 = msg("00767:37", part1900); - - var part1901 = match("MESSAGE#1183:00767:38", "nwparser.payload", "Log buffer was full and remaining messages were sent to external destination. %{fld2->} packets were dropped. 
(%{fld1})", processor_chain([ - setc("eventcategory","1602000000"), - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg1199 = msg("00767:38", part1901); - - var part1902 = match("MESSAGE#1184:00767:39/0", "nwparser.payload", "Cannot %{p0}"); - - var part1903 = match("MESSAGE#1184:00767:39/1_0", "nwparser.p0", "download %{p0}"); - - var part1904 = match("MESSAGE#1184:00767:39/1_1", "nwparser.p0", "parse %{p0}"); - - var select427 = linear_select([ - part1903, - part1904, - ]); - - var part1905 = match("MESSAGE#1184:00767:39/2", "nwparser.p0", "attack database %{p0}"); - - var part1906 = match("MESSAGE#1184:00767:39/3_0", "nwparser.p0", "from %{url->} (%{result}). %{p0}"); - - var part1907 = match("MESSAGE#1184:00767:39/3_1", "nwparser.p0", "%{fld2->} %{p0}"); - - var select428 = linear_select([ - part1906, - part1907, - ]); - - var all388 = all_match({ - processors: [ - part1902, - select427, - part1905, - select428, - dup10, - ], - on_success: processor_chain([ - dup324, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg1200 = msg("00767:39", all388); - - var part1908 = match("MESSAGE#1185:00767:40", "nwparser.payload", "Deep Inspection update key is %{disposition}. (%{fld1})", processor_chain([ - dup62, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg1201 = msg("00767:40", part1908); - - var part1909 = match("MESSAGE#1186:00767:42", "nwparser.payload", "System configuration saved by %{username->} via %{logon_type->} to %{daddr}:%{dport->} by %{fld2->} (%{fld1})", processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg1202 = msg("00767:42", part1909); - - var part1910 = match("MESSAGE#1187:00767:43", "nwparser.payload", "Daylight Saving Time ended. 
(%{fld1})", processor_chain([ - dup44, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg1203 = msg("00767:43", part1910); - - var part1911 = match("MESSAGE#1188:00767:44", "nwparser.payload", "New GMT zone ahead or behind by %{fld2->} (%{fld1})", processor_chain([ - dup44, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg1204 = msg("00767:44", part1911); - - var part1912 = match("MESSAGE#1189:00767:45", "nwparser.payload", "Attack database version %{version->} is saved to flash. (%{fld1})", processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg1205 = msg("00767:45", part1912); - - var part1913 = match("MESSAGE#1190:00767:46", "nwparser.payload", "System configuration saved by netscreen via %{logon_type->} by netscreen. (%{fld1})", processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg1206 = msg("00767:46", part1913); - - var part1914 = match("MESSAGE#1191:00767:47", "nwparser.payload", "User %{username->} belongs to a different group in the RADIUS server than that allowed in the device. (%{fld1})", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - dup9, - ])); - - var msg1207 = msg("00767:47", part1914); - - var part1915 = match("MESSAGE#1192:00767:24/0", "nwparser.payload", "System configuration saved by %{p0}"); - - var part1916 = match("MESSAGE#1192:00767:24/2", "nwparser.p0", "%{logon_type->} by %{fld2->} (%{fld1})"); - - var all389 = all_match({ - processors: [ - part1915, - dup364, - part1916, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg1208 = msg("00767:24", all389); - - var part1917 = match("MESSAGE#1193:00767:48", "nwparser.payload", "HA: Synchronization file(s) hidden file end with c sent to backup device in cluster. 
(%{fld1})", processor_chain([ - dup272, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg1209 = msg("00767:48", part1917); - - var part1918 = match("MESSAGE#1194:00767:49/0", "nwparser.payload", "%{fld2->} turn o%{p0}"); - - var part1919 = match("MESSAGE#1194:00767:49/1_0", "nwparser.p0", "n%{p0}"); - - var part1920 = match("MESSAGE#1194:00767:49/1_1", "nwparser.p0", "ff%{p0}"); - - var select429 = linear_select([ - part1919, - part1920, - ]); - - var part1921 = match("MESSAGE#1194:00767:49/2", "nwparser.p0", "%{}debug switch for %{fld3->} (%{fld1})"); - - var all390 = all_match({ - processors: [ - part1918, - select429, - part1921, - ], - on_success: processor_chain([ - dup1, - dup2, - dup4, - dup5, - dup9, - ]), - }); - - var msg1210 = msg("00767:49", all390); - - var select430 = linear_select([ - msg1158, - msg1159, - msg1160, - msg1161, - msg1162, - msg1163, - msg1164, - msg1165, - msg1166, - msg1167, - msg1168, - msg1169, - msg1170, - msg1171, - msg1172, - msg1173, - msg1174, - msg1175, - msg1176, - msg1177, - msg1178, - msg1179, - msg1180, - msg1181, - msg1182, - msg1183, - msg1184, - msg1185, - msg1186, - msg1187, - msg1188, - msg1189, - msg1190, - msg1191, - msg1192, - msg1193, - msg1194, - msg1195, - msg1196, - msg1197, - msg1198, - msg1199, - msg1200, - msg1201, - msg1202, - msg1203, - msg1204, - msg1205, - msg1206, - msg1207, - msg1208, - msg1209, - msg1210, - ]); - - var part1922 = match("MESSAGE#1195:01269", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} direction=%{direction->} action=Deny sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} icmp type=%{icmptype}", processor_chain([ - dup185, - dup2, - dup4, - dup5, - dup274, - dup277, - dup3, - dup275, - dup60, - ])); - - var msg1211 = msg("01269", part1922); - - var msg1212 = msg("01269:01", dup407); - - var msg1213 = msg("01269:02", dup408); - - var msg1214 = msg("01269:03", dup409); - - var 
select431 = linear_select([ - msg1211, - msg1212, - msg1213, - msg1214, - ]); - - var part1923 = match("MESSAGE#1199:17852", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} direction=%{direction->} action=Deny sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport}", processor_chain([ - dup185, - dup2, - dup4, - dup5, - dup274, - dup3, - dup276, - dup277, - dup275, - dup332, - ])); - - var msg1215 = msg("17852", part1923); - - var part1924 = match("MESSAGE#1200:17852:01", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} direction=%{direction->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport}", processor_chain([ - dup281, - dup2, - dup4, - dup5, - dup274, - dup3, - dup275, - dup332, - dup282, - ])); - - var msg1216 = msg("17852:01", part1924); - - var part1925 = match("MESSAGE#1201:17852:02", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=Deny sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport}", processor_chain([ - dup185, - dup2, - dup4, - dup5, - dup274, - dup3, - dup275, - dup276, - dup277, - dup61, - ])); - - var msg1217 = msg("17852:02", part1925); - - var part1926 = match("MESSAGE#1202:17852:03", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport}", processor_chain([ - dup281, - dup2, - dup4, - dup5, - dup274, - dup3, - dup275, - dup332, 
- dup282, - ])); - - var msg1218 = msg("17852:03", part1926); - - var select432 = linear_select([ - msg1215, - msg1216, - msg1217, - msg1218, - ]); - - var msg1219 = msg("23184", dup410); - - var part1927 = match("MESSAGE#1204:23184:01", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} (%{fld3}) proto=%{protocol->} direction=%{direction->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport}", processor_chain([ - dup281, - dup2, - dup4, - dup5, - dup274, - dup3, - dup275, - dup61, - dup282, - ])); - - var msg1220 = msg("23184:01", part1927); - - var part1928 = match("MESSAGE#1205:23184:02", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} (%{fld3}) proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=Deny sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport}", processor_chain([ - dup185, - dup2, - dup4, - dup5, - dup274, - dup3, - dup276, - dup277, - dup275, - dup61, - ])); - - var msg1221 = msg("23184:02", part1928); - - var part1929 = match("MESSAGE#1206:23184:03", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} (%{fld3}) proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport}", processor_chain([ - dup281, - dup2, - dup4, - dup5, - dup274, - dup3, - dup275, - dup332, - dup282, - ])); - - var msg1222 = msg("23184:03", part1929); - - var select433 = linear_select([ - msg1219, - msg1220, - msg1221, - msg1222, - ]); - - var msg1223 = msg("27052", dup410); - - var part1930 = match("MESSAGE#1208:27052:01", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} 
service=%{service->} (%{fld3}) proto=%{protocol}direction=%{direction->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport}", processor_chain([ - dup281, - dup2, - dup4, - dup5, - dup274, - dup3, - dup275, - dup61, - dup282, - ])); - - var msg1224 = msg("27052:01", part1930); - - var select434 = linear_select([ - msg1223, - msg1224, - ]); - - var part1931 = match("MESSAGE#1209:39568", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} direction=%{direction->} action=Deny sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} icmp type=%{icmptype}", processor_chain([ - dup185, - dup2, - dup4, - dup277, - dup5, - dup274, - dup3, - dup275, - dup276, - dup60, - ])); - - var msg1225 = msg("39568", part1931); - - var msg1226 = msg("39568:01", dup407); - - var msg1227 = msg("39568:02", dup408); - - var msg1228 = msg("39568:03", dup409); - - var select435 = linear_select([ - msg1225, - msg1226, - msg1227, - msg1228, - ]); - - var chain1 = processor_chain([ - select2, - msgid_select({ - "00001": select6, - "00002": select29, - "00003": select31, - "00004": select33, - "00005": select39, - "00006": select40, - "00007": select63, - "00008": select66, - "00009": select83, - "00010": select86, - "00011": select100, - "00012": select101, - "00013": select102, - "00014": select104, - "00015": select114, - "00016": select115, - "00017": select125, - "00018": select138, - "00019": select147, - "00020": select150, - "00021": select151, - "00022": select163, - "00023": select164, - "00024": select170, - "00025": select171, - "00026": select176, - "00027": select184, - "00028": msg469, - "00029": select188, - "00030": select197, - "00031": select205, - "00032": select207, - "00033": select214, - "00034": select225, - "00035": select232, - "00036": select234, - "00037": select241, - "00038": msg660, - "00039": msg661, - 
"00040": select244, - "00041": select245, - "00042": select246, - "00043": msg668, - "00044": select248, - "00045": msg671, - "00047": msg672, - "00048": select257, - "00049": select258, - "00050": msg682, - "00051": msg683, - "00052": msg684, - "00055": select265, - "00056": msg696, - "00057": msg697, - "00058": msg698, - "00059": select272, - "00062": select273, - "00063": msg713, - "00064": select274, - "00070": select276, - "00071": select277, - "00072": select278, - "00073": select279, - "00074": msg726, - "00075": select280, - "00076": select281, - "00077": select282, - "00084": msg735, - "00090": msg736, - "00200": msg737, - "00201": msg738, - "00202": msg739, - "00203": msg740, - "00206": select285, - "00207": select286, - "00257": select291, - "00259": select294, - "00262": msg778, - "00263": msg779, - "00400": msg780, - "00401": msg781, - "00402": select296, - "00403": msg784, - "00404": msg785, - "00405": msg786, - "00406": msg787, - "00407": msg788, - "00408": msg789, - "00409": msg790, - "00410": select297, - "00411": msg793, - "00413": select298, - "00414": select299, - "00415": msg799, - "00423": msg800, - "00429": select300, - "00430": select301, - "00431": msg805, - "00432": msg806, - "00433": msg807, - "00434": msg808, - "00435": select302, - "00436": select303, - "00437": select304, - "00438": select305, - "00440": select306, - "00441": msg823, - "00442": msg824, - "00443": msg825, - "00511": select307, - "00513": msg841, - "00515": select328, - "00518": select331, - "00519": select336, - "00520": select339, - "00521": msg890, - "00522": msg891, - "00523": msg892, - "00524": select340, - "00525": select341, - "00526": msg912, - "00527": select348, - "00528": select354, - "00529": select357, - "00530": select358, - "00531": select362, - "00533": msg973, - "00534": msg974, - "00535": select363, - "00536": select365, - "00537": select366, - "00538": select372, - "00539": select373, - "00541": select375, - "00542": msg1062, - "00543": msg1063, - 
"00544": msg1064, - "00546": msg1065, - "00547": select379, - "00549": msg1070, - "00551": select381, - "00553": select385, - "00554": select391, - "00555": msg1117, - "00556": select401, - "00572": select402, - "00601": select404, - "00602": msg1148, - "00612": msg1149, - "00615": select403, - "00620": select408, - "00622": msg1155, - "00625": msg1156, - "00628": msg1157, - "00767": select430, - "01269": select431, - "17852": select432, - "23184": select433, - "27052": select434, - "39568": select435, - }), - ]); - - var part1932 = match("MESSAGE#2:00001:02/0", "nwparser.payload", "Address %{group_object->} for %{p0}"); - - var part1933 = match("MESSAGE#2:00001:02/1_1", "nwparser.p0", "domain address %{domain->} in zone %{p0}"); - - var part1934 = match("MESSAGE#4:00001:04/3_0", "nwparser.p0", " (%{fld1})"); - - var part1935 = match("MESSAGE#5:00001:05/1_0", "nwparser.p0", "(%{fld1})"); - - var part1936 = match_copy("MESSAGE#5:00001:05/1_1", "nwparser.p0", "fld1"); - - var part1937 = match("MESSAGE#8:00001:08/0", "nwparser.payload", "Address %{p0}"); - - var part1938 = match("MESSAGE#8:00001:08/1_0", "nwparser.p0", "MIP(%{interface}) %{p0}"); - - var part1939 = match("MESSAGE#8:00001:08/1_1", "nwparser.p0", "%{group_object->} %{p0}"); - - var part1940 = match("MESSAGE#8:00001:08/3_0", "nwparser.p0", "admin %{p0}"); - - var part1941 = match_copy("MESSAGE#8:00001:08/3_1", "nwparser.p0", "p0"); - - var part1942 = match("MESSAGE#25:00002:20/1_1", "nwparser.p0", "from host %{saddr->} "); - - var part1943 = match_copy("MESSAGE#25:00002:20/1_2", "nwparser.p0", ""); - - var part1944 = match("MESSAGE#26:00002:21/1", "nwparser.p0", "%{p0}"); - - var part1945 = match("MESSAGE#26:00002:21/2_0", "nwparser.p0", "password %{p0}"); - - var part1946 = match("MESSAGE#26:00002:21/2_1", "nwparser.p0", "name %{p0}"); - - var part1947 = match_copy("MESSAGE#27:00002:22/1_2", "nwparser.p0", "administrator"); - - var part1948 = match_copy("MESSAGE#42:00002:38/1_1", "nwparser.p0", 
"disposition"); - - var part1949 = match("MESSAGE#46:00002:42/1_1", "nwparser.p0", "via %{p0}"); - - var part1950 = match("MESSAGE#46:00002:42/4", "nwparser.p0", "%{fld1})"); - - var part1951 = match("MESSAGE#52:00002:48/3_1", "nwparser.p0", "%{logon_type->} from host %{saddr->} to %{daddr}:%{dport}. (%{p0}"); - - var part1952 = match("MESSAGE#53:00002:52/3_0", "nwparser.p0", "admin %{administrator->} via %{p0}"); - - var part1953 = match("MESSAGE#53:00002:52/3_2", "nwparser.p0", "%{username->} via %{p0}"); - - var part1954 = match("MESSAGE#53:00002:52/4_0", "nwparser.p0", "NSRP Peer . (%{p0}"); - - var part1955 = match("MESSAGE#55:00002:54/2", "nwparser.p0", ". (%{fld1})"); - - var part1956 = match("MESSAGE#56:00002/1_1", "nwparser.p0", "changed%{p0}"); - - var part1957 = match("MESSAGE#61:00003:05/0", "nwparser.payload", "The %{p0}"); - - var part1958 = match("MESSAGE#66:00004:04/1_0", "nwparser.p0", "interface%{p0}"); - - var part1959 = match("MESSAGE#66:00004:04/1_1", "nwparser.p0", "Interface%{p0}"); - - var part1960 = match("MESSAGE#76:00004:14/0", "nwparser.payload", "DNS entries have been %{p0}"); - - var part1961 = match("MESSAGE#79:00004:17/0", "nwparser.payload", "%{signame->} From %{saddr->} to %{daddr}, proto %{protocol->} (zone %{p0}"); - - var part1962 = match("MESSAGE#79:00004:17/1_0", "nwparser.p0", "%{zone}, %{p0}"); - - var part1963 = match("MESSAGE#79:00004:17/1_1", "nwparser.p0", "%{zone->} %{p0}"); - - var part1964 = match("MESSAGE#79:00004:17/2", "nwparser.p0", "int %{interface}).%{space}Occurred %{dclass_counter1->} times. 
(%{fld1})"); - - var part1965 = match("MESSAGE#83:00005:03/1_0", "nwparser.p0", "%{dport},%{p0}"); - - var part1966 = match("MESSAGE#83:00005:03/1_1", "nwparser.p0", "%{dport->} %{p0}"); - - var part1967 = match("MESSAGE#83:00005:03/2", "nwparser.p0", "%{space}using protocol %{p0}"); - - var part1968 = match("MESSAGE#83:00005:03/3_0", "nwparser.p0", "%{protocol},%{p0}"); - - var part1969 = match("MESSAGE#83:00005:03/3_1", "nwparser.p0", "%{protocol->} %{p0}"); - - var part1970 = match("MESSAGE#83:00005:03/5_1", "nwparser.p0", ". %{p0}"); - - var part1971 = match("MESSAGE#86:00005:06/0_0", "nwparser.payload", "%{fld2}: SYN %{p0}"); - - var part1972 = match("MESSAGE#86:00005:06/0_1", "nwparser.payload", "SYN %{p0}"); - - var part1973 = match("MESSAGE#87:00005:07/1_2", "nwparser.p0", "timeout value %{p0}"); - - var part1974 = match("MESSAGE#88:00005:08/2_0", "nwparser.p0", "destination %{p0}"); - - var part1975 = match("MESSAGE#88:00005:08/2_1", "nwparser.p0", "source %{p0}"); - - var part1976 = match("MESSAGE#97:00005:17/0", "nwparser.payload", "A %{p0}"); - - var part1977 = match("MESSAGE#98:00005:18/0", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to %{daddr}:%{dport}, proto %{protocol->} (zone %{zone->} %{p0}"); - - var part1978 = match("MESSAGE#98:00005:18/1_0", "nwparser.p0", ", int %{p0}"); - - var part1979 = match("MESSAGE#98:00005:18/1_1", "nwparser.p0", "int %{p0}"); - - var part1980 = match("MESSAGE#98:00005:18/2", "nwparser.p0", "%{interface}).%{space}Occurred %{dclass_counter1->} times. 
(%{fld1})"); - - var part1981 = match("MESSAGE#111:00007:04/0", "nwparser.payload", "HA %{p0}"); - - var part1982 = match("MESSAGE#111:00007:04/1_0", "nwparser.p0", "encryption %{p0}"); - - var part1983 = match("MESSAGE#111:00007:04/1_1", "nwparser.p0", "authentication %{p0}"); - - var part1984 = match("MESSAGE#111:00007:04/3_1", "nwparser.p0", "key %{p0}"); - - var part1985 = match("MESSAGE#118:00007:11/1_0", "nwparser.p0", "disabled%{}"); - - var part1986 = match("MESSAGE#118:00007:11/1_1", "nwparser.p0", "set to %{trigger_val}"); - - var part1987 = match("MESSAGE#127:00007:21/1_0", "nwparser.p0", "up%{}"); - - var part1988 = match("MESSAGE#127:00007:21/1_1", "nwparser.p0", "down%{}"); - - var part1989 = match("MESSAGE#139:00007:33/2_1", "nwparser.p0", " %{p0}"); - - var part1990 = match("MESSAGE#143:00007:37/1_0", "nwparser.p0", "set%{}"); - - var part1991 = match("MESSAGE#143:00007:37/1_1", "nwparser.p0", "unset%{}"); - - var part1992 = match("MESSAGE#144:00007:38/1_0", "nwparser.p0", "undefined %{p0}"); - - var part1993 = match("MESSAGE#144:00007:38/1_1", "nwparser.p0", "set %{p0}"); - - var part1994 = match("MESSAGE#144:00007:38/1_2", "nwparser.p0", "active %{p0}"); - - var part1995 = match("MESSAGE#144:00007:38/2", "nwparser.p0", "to %{p0}"); - - var part1996 = match("MESSAGE#157:00007:51/1_0", "nwparser.p0", "created %{p0}"); - - var part1997 = match("MESSAGE#157:00007:51/3_0", "nwparser.p0", ", %{p0}"); - - var part1998 = match("MESSAGE#157:00007:51/5_0", "nwparser.p0", "is %{p0}"); - - var part1999 = match("MESSAGE#157:00007:51/5_1", "nwparser.p0", "was %{p0}"); - - var part2000 = match("MESSAGE#157:00007:51/6", "nwparser.p0", "%{fld2}"); - - var part2001 = match("MESSAGE#163:00007:57/1_0", "nwparser.p0", "threshold %{p0}"); - - var part2002 = match("MESSAGE#163:00007:57/1_1", "nwparser.p0", "interval %{p0}"); - - var part2003 = match("MESSAGE#163:00007:57/3_0", "nwparser.p0", "of %{p0}"); - - var part2004 = match("MESSAGE#163:00007:57/3_1", 
"nwparser.p0", "that %{p0}"); - - var part2005 = match("MESSAGE#170:00007:64/0_0", "nwparser.payload", "Zone %{p0}"); - - var part2006 = match("MESSAGE#170:00007:64/0_1", "nwparser.payload", "Interface %{p0}"); - - var part2007 = match("MESSAGE#172:00007:66/2_1", "nwparser.p0", "n %{p0}"); - - var part2008 = match("MESSAGE#174:00007:68/4", "nwparser.p0", ".%{}"); - - var part2009 = match("MESSAGE#195:00009:06/1", "nwparser.p0", "for %{p0}"); - - var part2010 = match("MESSAGE#195:00009:06/2_0", "nwparser.p0", "the %{p0}"); - - var part2011 = match("MESSAGE#195:00009:06/4_0", "nwparser.p0", "removed %{p0}"); - - var part2012 = match("MESSAGE#202:00009:14/2_0", "nwparser.p0", "interface %{p0}"); - - var part2013 = match("MESSAGE#202:00009:14/2_1", "nwparser.p0", "the interface %{p0}"); - - var part2014 = match_copy("MESSAGE#202:00009:14/4_1", "nwparser.p0", "interface"); - - var part2015 = match("MESSAGE#203:00009:15/1_1", "nwparser.p0", "s %{p0}"); - - var part2016 = match("MESSAGE#203:00009:15/2", "nwparser.p0", "on interface %{interface->} %{p0}"); - - var part2017 = match("MESSAGE#203:00009:15/3_0", "nwparser.p0", "has been %{p0}"); - - var part2018 = match("MESSAGE#203:00009:15/4", "nwparser.p0", "%{disposition}."); - - var part2019 = match("MESSAGE#204:00009:16/3_0", "nwparser.p0", "removed from %{p0}"); - - var part2020 = match("MESSAGE#204:00009:16/3_1", "nwparser.p0", "added to %{p0}"); - - var part2021 = match("MESSAGE#210:00009:21/2", "nwparser.p0", "%{interface}). Occurred %{dclass_counter1->} times. 
(%{fld1})"); - - var part2022 = match("MESSAGE#219:00010:03/0", "nwparser.payload", "%{signame->} From %{saddr->} to %{daddr}, proto %{protocol->} (zone %{zone->} %{p0}"); - - var part2023 = match("MESSAGE#224:00011:04/1_1", "nwparser.p0", "Interface %{p0}"); - - var part2024 = match("MESSAGE#233:00011:14/1_0", "nwparser.p0", "set to %{fld2}"); - - var part2025 = match("MESSAGE#237:00011:18/4_1", "nwparser.p0", "gateway %{p0}"); - - var part2026 = match("MESSAGE#238:00011:19/6", "nwparser.p0", "%{} %{disposition}"); - - var part2027 = match("MESSAGE#274:00015:02/1_1", "nwparser.p0", "port number %{p0}"); - - var part2028 = match("MESSAGE#274:00015:02/2", "nwparser.p0", "has been %{disposition}"); - - var part2029 = match("MESSAGE#276:00015:04/1_0", "nwparser.p0", "IP %{p0}"); - - var part2030 = match("MESSAGE#276:00015:04/1_1", "nwparser.p0", "port %{p0}"); - - var part2031 = match("MESSAGE#284:00015:12/3_0", "nwparser.p0", "up %{p0}"); - - var part2032 = match("MESSAGE#284:00015:12/3_1", "nwparser.p0", "down %{p0}"); - - var part2033 = match("MESSAGE#294:00015:22/2_0", "nwparser.p0", "(%{fld1}) "); - - var part2034 = match("MESSAGE#317:00017:01/2_0", "nwparser.p0", ": %{p0}"); - - var part2035 = match("MESSAGE#320:00017:04/0", "nwparser.payload", "IP %{p0}"); - - var part2036 = match("MESSAGE#320:00017:04/1_0", "nwparser.p0", "address pool %{p0}"); - - var part2037 = match("MESSAGE#320:00017:04/1_1", "nwparser.p0", "pool %{p0}"); - - var part2038 = match("MESSAGE#326:00017:10/1_0", "nwparser.p0", "enabled %{p0}"); - - var part2039 = match("MESSAGE#326:00017:10/1_1", "nwparser.p0", "disabled %{p0}"); - - var part2040 = match("MESSAGE#332:00017:15/1_0", "nwparser.p0", "AH %{p0}"); - - var part2041 = match("MESSAGE#332:00017:15/1_1", "nwparser.p0", "ESP %{p0}"); - - var part2042 = match("MESSAGE#354:00018:11/0", "nwparser.payload", "%{} %{p0}"); - - var part2043 = match("MESSAGE#356:00018:32/0_0", "nwparser.payload", "Source%{p0}"); - - var part2044 = 
match("MESSAGE#356:00018:32/0_1", "nwparser.payload", "Destination%{p0}"); - - var part2045 = match("MESSAGE#356:00018:32/2_0", "nwparser.p0", "from %{p0}"); - - var part2046 = match("MESSAGE#356:00018:32/3", "nwparser.p0", "policy ID %{policy_id->} by admin %{administrator->} via NSRP Peer . (%{fld1})"); - - var part2047 = match("MESSAGE#375:00019:01/0", "nwparser.payload", "Attempt to enable %{p0}"); - - var part2048 = match("MESSAGE#375:00019:01/1_0", "nwparser.p0", "traffic logging via syslog %{p0}"); - - var part2049 = match("MESSAGE#375:00019:01/1_1", "nwparser.p0", "syslog %{p0}"); - - var part2050 = match("MESSAGE#378:00019:04/0", "nwparser.payload", "Syslog %{p0}"); - - var part2051 = match("MESSAGE#378:00019:04/1_0", "nwparser.p0", "host %{p0}"); - - var part2052 = match("MESSAGE#378:00019:04/3_1", "nwparser.p0", "domain name %{p0}"); - - var part2053 = match("MESSAGE#378:00019:04/4", "nwparser.p0", "has been changed to %{fld2}"); - - var part2054 = match("MESSAGE#380:00019:06/1_0", "nwparser.p0", "security facility %{p0}"); - - var part2055 = match("MESSAGE#380:00019:06/1_1", "nwparser.p0", "facility %{p0}"); - - var part2056 = match("MESSAGE#380:00019:06/3_0", "nwparser.p0", "local0%{}"); - - var part2057 = match("MESSAGE#380:00019:06/3_1", "nwparser.p0", "local1%{}"); - - var part2058 = match("MESSAGE#380:00019:06/3_2", "nwparser.p0", "local2%{}"); - - var part2059 = match("MESSAGE#380:00019:06/3_3", "nwparser.p0", "local3%{}"); - - var part2060 = match("MESSAGE#380:00019:06/3_4", "nwparser.p0", "local4%{}"); - - var part2061 = match("MESSAGE#380:00019:06/3_5", "nwparser.p0", "local5%{}"); - - var part2062 = match("MESSAGE#380:00019:06/3_6", "nwparser.p0", "local6%{}"); - - var part2063 = match("MESSAGE#380:00019:06/3_7", "nwparser.p0", "local7%{}"); - - var part2064 = match("MESSAGE#380:00019:06/3_8", "nwparser.p0", "auth/sec%{}"); - - var part2065 = match("MESSAGE#384:00019:10/0", "nwparser.payload", "%{fld2->} %{p0}"); - - var part2066 = 
match("MESSAGE#405:00022/0", "nwparser.payload", "All %{p0}"); - - var part2067 = match("MESSAGE#414:00022:09/1_0", "nwparser.p0", "primary %{p0}"); - - var part2068 = match("MESSAGE#414:00022:09/1_1", "nwparser.p0", "secondary %{p0}"); - - var part2069 = match("MESSAGE#414:00022:09/3_0", "nwparser.p0", "t %{p0}"); - - var part2070 = match("MESSAGE#414:00022:09/3_1", "nwparser.p0", "w %{p0}"); - - var part2071 = match("MESSAGE#423:00024/1", "nwparser.p0", "server %{p0}"); - - var part2072 = match("MESSAGE#426:00024:03/1_0", "nwparser.p0", "has %{p0}"); - - var part2073 = match("MESSAGE#434:00026:01/0", "nwparser.payload", "SCS%{p0}"); - - var part2074 = match("MESSAGE#434:00026:01/3_0", "nwparser.p0", "bound to %{p0}"); - - var part2075 = match("MESSAGE#434:00026:01/3_1", "nwparser.p0", "unbound from %{p0}"); - - var part2076 = match("MESSAGE#441:00026:08/1_1", "nwparser.p0", "PKA RSA %{p0}"); - - var part2077 = match("MESSAGE#443:00026:10/3_1", "nwparser.p0", "unbind %{p0}"); - - var part2078 = match("MESSAGE#443:00026:10/4", "nwparser.p0", "PKA key %{p0}"); - - var part2079 = match("MESSAGE#446:00027/0", "nwparser.payload", "Multiple login failures %{p0}"); - - var part2080 = match("MESSAGE#446:00027/1_0", "nwparser.p0", "occurred for %{p0}"); - - var part2081 = match("MESSAGE#451:00027:05/5_0", "nwparser.p0", "aborted%{}"); - - var part2082 = match("MESSAGE#451:00027:05/5_1", "nwparser.p0", "performed%{}"); - - var part2083 = match("MESSAGE#466:00029:03/0", "nwparser.payload", "IP pool of DHCP server on %{p0}"); - - var part2084 = match("MESSAGE#492:00030:17/1_0", "nwparser.p0", "certificate %{p0}"); - - var part2085 = match("MESSAGE#492:00030:17/1_1", "nwparser.p0", "CRL %{p0}"); - - var part2086 = match("MESSAGE#493:00030:40/1_0", "nwparser.p0", "auto %{p0}"); - - var part2087 = match("MESSAGE#508:00030:55/1_0", "nwparser.p0", "RSA %{p0}"); - - var part2088 = match("MESSAGE#508:00030:55/1_1", "nwparser.p0", "DSA %{p0}"); - - var part2089 = 
match("MESSAGE#508:00030:55/2", "nwparser.p0", "key pair.%{}"); - - var part2090 = match("MESSAGE#539:00030:86/0", "nwparser.payload", "FIPS test for %{p0}"); - - var part2091 = match("MESSAGE#539:00030:86/1_0", "nwparser.p0", "ECDSA %{p0}"); - - var part2092 = match("MESSAGE#543:00031:02/1_0", "nwparser.p0", "yes %{p0}"); - - var part2093 = match("MESSAGE#543:00031:02/1_1", "nwparser.p0", "no %{p0}"); - - var part2094 = match("MESSAGE#545:00031:04/1_1", "nwparser.p0", "location %{p0}"); - - var part2095 = match("MESSAGE#548:00031:05/2", "nwparser.p0", "%{} %{interface}"); - - var part2096 = match("MESSAGE#549:00031:06/0", "nwparser.payload", "arp re%{p0}"); - - var part2097 = match("MESSAGE#549:00031:06/1_1", "nwparser.p0", "q %{p0}"); - - var part2098 = match("MESSAGE#549:00031:06/1_2", "nwparser.p0", "ply %{p0}"); - - var part2099 = match("MESSAGE#549:00031:06/9_0", "nwparser.p0", "%{interface->} (%{fld1})"); - - var part2100 = match("MESSAGE#561:00033/0_0", "nwparser.payload", "Global PRO %{p0}"); - - var part2101 = match("MESSAGE#561:00033/0_1", "nwparser.payload", "%{fld3->} %{p0}"); - - var part2102 = match("MESSAGE#569:00033:08/0", "nwparser.payload", "NACN Policy Manager %{p0}"); - - var part2103 = match("MESSAGE#569:00033:08/1_0", "nwparser.p0", "1 %{p0}"); - - var part2104 = match("MESSAGE#569:00033:08/1_1", "nwparser.p0", "2 %{p0}"); - - var part2105 = match("MESSAGE#571:00033:10/3_1", "nwparser.p0", "unset %{p0}"); - - var part2106 = match("MESSAGE#581:00033:21/0", "nwparser.payload", "%{signame}! 
From %{saddr}:%{sport->} to %{daddr}:%{dport}, proto %{protocol->} (zone %{zone->} %{p0}"); - - var part2107 = match("MESSAGE#586:00034:01/2_1", "nwparser.p0", "SSH %{p0}"); - - var part2108 = match("MESSAGE#588:00034:03/0_0", "nwparser.payload", "SCS: NetScreen %{p0}"); - - var part2109 = match("MESSAGE#588:00034:03/0_1", "nwparser.payload", "NetScreen %{p0}"); - - var part2110 = match("MESSAGE#595:00034:10/0", "nwparser.payload", "S%{p0}"); - - var part2111 = match("MESSAGE#595:00034:10/1_0", "nwparser.p0", "CS: SSH%{p0}"); - - var part2112 = match("MESSAGE#595:00034:10/1_1", "nwparser.p0", "SH%{p0}"); - - var part2113 = match("MESSAGE#596:00034:12/3_0", "nwparser.p0", "the root system %{p0}"); - - var part2114 = match("MESSAGE#596:00034:12/3_1", "nwparser.p0", "vsys %{fld2->} %{p0}"); - - var part2115 = match("MESSAGE#599:00034:18/1_0", "nwparser.p0", "CS: SSH %{p0}"); - - var part2116 = match("MESSAGE#599:00034:18/1_1", "nwparser.p0", "SH %{p0}"); - - var part2117 = match("MESSAGE#630:00035:06/1_0", "nwparser.p0", "a %{p0}"); - - var part2118 = match("MESSAGE#630:00035:06/1_1", "nwparser.p0", "ert %{p0}"); - - var part2119 = match("MESSAGE#633:00035:09/0", "nwparser.payload", "SSL %{p0}"); - - var part2120 = match("MESSAGE#644:00037:01/1_0", "nwparser.p0", "id: %{p0}"); - - var part2121 = match("MESSAGE#644:00037:01/1_1", "nwparser.p0", "ID %{p0}"); - - var part2122 = match("MESSAGE#659:00044/1_0", "nwparser.p0", "permit %{p0}"); - - var part2123 = match("MESSAGE#675:00055/0", "nwparser.payload", "IGMP %{p0}"); - - var part2124 = match("MESSAGE#677:00055:02/0", "nwparser.payload", "IGMP will %{p0}"); - - var part2125 = match("MESSAGE#677:00055:02/1_0", "nwparser.p0", "not do %{p0}"); - - var part2126 = match("MESSAGE#677:00055:02/1_1", "nwparser.p0", "do %{p0}"); - - var part2127 = match("MESSAGE#689:00059/1_1", "nwparser.p0", "shut down %{p0}"); - - var part2128 = match("MESSAGE#707:00070/0", "nwparser.payload", "NSRP: %{p0}"); - - var part2129 = 
match("MESSAGE#707:00070/1_0", "nwparser.p0", "Unit %{p0}"); - - var part2130 = match("MESSAGE#707:00070/1_1", "nwparser.p0", "local unit= %{p0}"); - - var part2131 = match("MESSAGE#707:00070/2", "nwparser.p0", "%{fld2->} of VSD group %{group->} %{info}"); - - var part2132 = match("MESSAGE#708:00070:01/0", "nwparser.payload", "The local device %{fld2->} in the Virtual Sec%{p0}"); - - var part2133 = match("MESSAGE#708:00070:01/1_0", "nwparser.p0", "ruity%{p0}"); - - var part2134 = match("MESSAGE#708:00070:01/1_1", "nwparser.p0", "urity%{p0}"); - - var part2135 = match("MESSAGE#713:00072:01/2", "nwparser.p0", "%{}Device group %{group->} changed state"); - - var part2136 = match("MESSAGE#717:00075/2", "nwparser.p0", "%{fld2->} of VSD group %{group->} %{info}"); - - var part2137 = match("MESSAGE#748:00257:19/0", "nwparser.payload", "start_time=%{p0}"); - - var part2138 = match("MESSAGE#748:00257:19/1_0", "nwparser.p0", "\\\"%{fld2}\\\"%{p0}"); - - var part2139 = match("MESSAGE#748:00257:19/1_1", "nwparser.p0", " \"%{fld2}\" %{p0}"); - - var part2140 = match_copy("MESSAGE#756:00257:10/1_1", "nwparser.p0", "daddr"); - - var part2141 = match("MESSAGE#760:00259/0_0", "nwparser.payload", "Admin %{p0}"); - - var part2142 = match("MESSAGE#760:00259/0_1", "nwparser.payload", "Vsys admin %{p0}"); - - var part2143 = match("MESSAGE#760:00259/2_1", "nwparser.p0", "Telnet %{p0}"); - - var part2144 = match("MESSAGE#777:00406/2", "nwparser.p0", "%{interface}). Occurred %{dclass_counter1->} times."); - - var part2145 = match("MESSAGE#790:00423/2", "nwparser.p0", "%{interface}).%{space}Occurred %{dclass_counter1->} times."); - - var part2146 = match("MESSAGE#793:00430/2", "nwparser.p0", "%{interface}).%{space}Occurred %{dclass_counter1->} times.%{p0}"); - - var part2147 = match("MESSAGE#795:00431/0", "nwparser.payload", "%{obj_type->} %{disposition}! 
From %{saddr}:%{sport->} to %{daddr}:%{dport}, proto %{protocol->} (zone %{zone->} %{p0}"); - - var part2148 = match("MESSAGE#797:00433/0", "nwparser.payload", "%{signame->} %{disposition}! From %{saddr}:%{sport->} to %{daddr}:%{dport}, proto %{protocol->} (zone %{zone->} %{p0}"); - - var part2149 = match("MESSAGE#804:00437:01/0", "nwparser.payload", "%{signame}! From %{saddr}:%{sport->} to %{daddr}:%{dport}, proto %{protocol->} (zone %{p0}"); - - var part2150 = match("MESSAGE#817:00511:01/1_0", "nwparser.p0", "%{administrator->} (%{fld1})"); - - var part2151 = match("MESSAGE#835:00515:04/2_1", "nwparser.p0", "ut %{p0}"); - - var part2152 = match("MESSAGE#835:00515:04/4_0", "nwparser.p0", "%{logon_type->} from %{saddr}:%{sport}"); - - var part2153 = match("MESSAGE#837:00515:05/1_0", "nwparser.p0", "user %{p0}"); - - var part2154 = match("MESSAGE#837:00515:05/5_0", "nwparser.p0", "the %{logon_type}"); - - var part2155 = match("MESSAGE#869:00519:01/1_0", "nwparser.p0", "WebAuth user %{p0}"); - - var part2156 = match("MESSAGE#876:00520:02/1_1", "nwparser.p0", "backup1 %{p0}"); - - var part2157 = match("MESSAGE#876:00520:02/1_2", "nwparser.p0", "backup2 %{p0}"); - - var part2158 = match("MESSAGE#890:00524:13/1_0", "nwparser.p0", ",%{p0}"); - - var part2159 = match("MESSAGE#901:00527/1_0", "nwparser.p0", "assigned %{p0}"); - - var part2160 = match("MESSAGE#901:00527/3_0", "nwparser.p0", "assigned to %{p0}"); - - var part2161 = match("MESSAGE#927:00528:15/1_0", "nwparser.p0", "'%{administrator}' %{p0}"); - - var part2162 = match("MESSAGE#930:00528:18/0", "nwparser.payload", "SSH: P%{p0}"); - - var part2163 = match("MESSAGE#930:00528:18/1_0", "nwparser.p0", "KA %{p0}"); - - var part2164 = match("MESSAGE#930:00528:18/1_1", "nwparser.p0", "assword %{p0}"); - - var part2165 = match("MESSAGE#930:00528:18/3_0", "nwparser.p0", "\\'%{administrator}\\' %{p0}"); - - var part2166 = match("MESSAGE#930:00528:18/4", "nwparser.p0", "at host %{saddr}"); - - var part2167 = 
match("MESSAGE#932:00528:19/0", "nwparser.payload", "%{}S%{p0}"); - - var part2168 = match("MESSAGE#932:00528:19/1_0", "nwparser.p0", "CS %{p0}"); - - var part2169 = match("MESSAGE#1060:00553/2", "nwparser.p0", "from server.ini file.%{}"); - - var part2170 = match("MESSAGE#1064:00553:04/1_0", "nwparser.p0", "pattern %{p0}"); - - var part2171 = match("MESSAGE#1064:00553:04/1_1", "nwparser.p0", "server.ini %{p0}"); - - var part2172 = match("MESSAGE#1068:00553:08/2", "nwparser.p0", "file.%{}"); - - var part2173 = match("MESSAGE#1087:00554:04/1_1", "nwparser.p0", "AV pattern %{p0}"); - - var part2174 = match("MESSAGE#1116:00556:14/1_0", "nwparser.p0", "added into %{p0}"); - - var part2175 = match("MESSAGE#1157:00767:11/1_0", "nwparser.p0", "loader %{p0}"); - - var select436 = linear_select([ - dup10, - dup11, - ]); - - var part2176 = match("MESSAGE#7:00001:07", "nwparser.payload", "Policy ID=%{policy_id->} Rate=%{fld2->} exceeds threshold", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var select437 = linear_select([ - dup13, - dup14, - ]); - - var select438 = linear_select([ - dup15, - dup16, - ]); - - var select439 = linear_select([ - dup56, - dup57, - ]); - - var select440 = linear_select([ - dup65, - dup66, - ]); - - var select441 = linear_select([ - dup68, - dup69, - ]); - - var select442 = linear_select([ - dup71, - dup72, - ]); - - var part2177 = match("MESSAGE#84:00005:04", "nwparser.payload", "%{signame->} from %{saddr}/%{sport->} to %{daddr}/%{dport->} protocol %{protocol->} (%{interface})", processor_chain([ - dup58, - dup2, - dup3, - dup4, - dup5, - dup61, - ])); - - var select443 = linear_select([ - dup74, - dup75, - ]); - - var select444 = linear_select([ - dup81, - dup82, - ]); - - var select445 = linear_select([ - dup24, - dup90, - ]); - - var select446 = linear_select([ - dup94, - dup95, - ]); - - var select447 = linear_select([ - dup98, - dup99, - ]); - - var select448 = linear_select([ - dup100, - dup101, - dup102, - ]); - - 
var select449 = linear_select([ - dup113, - dup114, - ]); - - var select450 = linear_select([ - dup111, - dup16, - ]); - - var select451 = linear_select([ - dup127, - dup107, - ]); - - var select452 = linear_select([ - dup8, - dup21, - ]); - - var select453 = linear_select([ - dup122, - dup133, - ]); - - var select454 = linear_select([ - dup142, - dup143, - ]); - - var select455 = linear_select([ - dup145, - dup21, - ]); - - var select456 = linear_select([ - dup127, - dup106, - ]); - - var select457 = linear_select([ - dup152, - dup96, - ]); - - var select458 = linear_select([ - dup154, - dup155, - ]); - - var select459 = linear_select([ - dup156, - dup157, - ]); - - var select460 = linear_select([ - dup99, - dup134, - ]); - - var select461 = linear_select([ - dup158, - dup159, - ]); - - var select462 = linear_select([ - dup161, - dup162, - ]); - - var select463 = linear_select([ - dup163, - dup103, - ]); - - var select464 = linear_select([ - dup162, - dup161, - ]); - - var select465 = linear_select([ - dup46, - dup47, - ]); - - var select466 = linear_select([ - dup166, - dup167, - ]); - - var select467 = linear_select([ - dup172, - dup173, - ]); - - var select468 = linear_select([ - dup174, - dup175, - dup176, - dup177, - dup178, - dup179, - dup180, - dup181, - dup182, - ]); - - var select469 = linear_select([ - dup49, - dup21, - ]); - - var select470 = linear_select([ - dup189, - dup190, - ]); - - var select471 = linear_select([ - dup96, - dup152, - ]); - - var select472 = linear_select([ - dup196, - dup197, - ]); - - var select473 = linear_select([ - dup24, - dup200, - ]); - - var select474 = linear_select([ - dup103, - dup163, - ]); - - var select475 = linear_select([ - dup205, - dup118, - ]); - - var part2178 = match("MESSAGE#477:00030:02", "nwparser.payload", "%{change_attribute->} has been changed from %{change_old->} to %{change_new}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var select476 = linear_select([ - dup212, - dup213, - 
]); - - var select477 = linear_select([ - dup215, - dup216, - ]); - - var select478 = linear_select([ - dup222, - dup215, - ]); - - var select479 = linear_select([ - dup224, - dup225, - ]); - - var select480 = linear_select([ - dup231, - dup124, - ]); - - var select481 = linear_select([ - dup229, - dup230, - ]); - - var select482 = linear_select([ - dup233, - dup234, - ]); - - var select483 = linear_select([ - dup236, - dup237, - ]); - - var select484 = linear_select([ - dup242, - dup243, - ]); - - var select485 = linear_select([ - dup245, - dup246, - ]); - - var select486 = linear_select([ - dup247, - dup248, - ]); - - var select487 = linear_select([ - dup249, - dup250, - ]); - - var select488 = linear_select([ - dup251, - dup252, - ]); - - var select489 = linear_select([ - dup260, - dup261, - ]); - - var select490 = linear_select([ - dup264, - dup265, - ]); - - var select491 = linear_select([ - dup268, - dup269, - ]); - - var part2179 = match("MESSAGE#716:00074", "nwparser.payload", "The local device %{fld2->} in the Virtual Security Device group %{group->} %{info}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var select492 = linear_select([ - dup284, - dup285, - ]); - - var select493 = linear_select([ - dup287, - dup288, - ]); - - var part2180 = match("MESSAGE#799:00435", "nwparser.payload", "%{signame->} From %{saddr->} to %{daddr}, using protocol %{protocol}, and arriving at interface %{dinterface->} in zone %{dst_zone}.%{space}The attack occurred %{dclass_counter1->} times.", processor_chain([ - dup58, - dup2, - dup59, - dup4, - dup5, - dup3, - dup60, - ])); - - var part2181 = match("MESSAGE#814:00442", "nwparser.payload", "%{signame->} From %{saddr->} to zone %{zone}, proto %{protocol->} (int %{interface}). Occurred %{dclass_counter1->} times. 
(%{fld1})", processor_chain([ - dup58, - dup4, - dup59, - dup5, - dup9, - dup2, - dup3, - dup60, - ])); - - var select494 = linear_select([ - dup300, - dup26, - ]); - - var select495 = linear_select([ - dup115, - dup303, - ]); - - var select496 = linear_select([ - dup125, - dup96, - ]); - - var select497 = linear_select([ - dup189, - dup308, - dup309, - ]); - - var select498 = linear_select([ - dup310, - dup16, - ]); - - var select499 = linear_select([ - dup317, - dup318, - ]); - - var select500 = linear_select([ - dup319, - dup315, - ]); - - var select501 = linear_select([ - dup322, - dup250, - ]); - - var select502 = linear_select([ - dup327, - dup329, - ]); - - var select503 = linear_select([ - dup330, - dup129, - ]); - - var part2182 = match("MESSAGE#1196:01269:01", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} direction=%{direction->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} icmp type=%{icmptype}", processor_chain([ - dup281, - dup2, - dup4, - dup5, - dup274, - dup3, - dup275, - dup60, - dup282, - ])); - - var part2183 = match("MESSAGE#1197:01269:02", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=Deny sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} icmp type=%{icmptype}", processor_chain([ - dup185, - dup2, - dup4, - dup5, - dup274, - dup3, - dup275, - dup276, - dup277, - dup60, - ])); - - var part2184 = match("MESSAGE#1198:01269:03", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} icmp type=%{icmptype}", processor_chain([ - dup281, - dup2, - dup4, - dup5, - 
dup274, - dup3, - dup275, - dup60, - dup282, - ])); - - var part2185 = match("MESSAGE#1203:23184", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} (%{fld3}) proto=%{protocol->} direction=%{direction->} action=Deny sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport}", processor_chain([ - dup185, - dup2, - dup4, - dup5, - dup274, - dup3, - dup275, - dup276, - dup277, - dup61, - ])); - - var all391 = all_match({ - processors: [ - dup263, - dup390, - dup266, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var all392 = all_match({ - processors: [ - dup267, - dup391, - dup270, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var all393 = all_match({ - processors: [ - dup80, - dup343, - dup293, - ], - on_success: processor_chain([ - dup58, - dup2, - dup59, - dup3, - dup4, - dup5, - dup61, - ]), - }); - - var all394 = all_match({ - processors: [ - dup296, - dup343, - dup131, - ], - on_success: processor_chain([ - dup297, - dup2, - dup3, - dup9, - dup59, - dup4, - dup5, - dup61, - ]), - }); - - var all395 = all_match({ - processors: [ - dup298, - dup343, - dup131, - ], - on_success: processor_chain([ - dup297, - dup2, - dup3, - dup9, - dup59, - dup4, - dup5, - dup61, - ]), - }); - -- community_id: -- registered_domain: - ignore_missing: true - ignore_failure: true - field: dns.question.name - target_field: dns.question.registered_domain - target_subdomain_field: dns.question.subdomain - target_etld_field: dns.question.top_level_domain -- registered_domain: - ignore_missing: true - ignore_failure: true - field: client.domain - target_field: client.registered_domain - target_subdomain_field: client.subdomain - target_etld_field: client.top_level_domain -- registered_domain: - ignore_missing: true - ignore_failure: true - field: server.domain - target_field: 
server.registered_domain - target_subdomain_field: server.subdomain - target_etld_field: server.top_level_domain -- registered_domain: - ignore_missing: true - ignore_failure: true - field: destination.domain - target_field: destination.registered_domain - target_subdomain_field: destination.subdomain - target_etld_field: destination.top_level_domain -- registered_domain: - ignore_missing: true - ignore_failure: true - field: source.domain - target_field: source.registered_domain - target_subdomain_field: source.subdomain - target_etld_field: source.top_level_domain -- registered_domain: - ignore_missing: true - ignore_failure: true - field: url.domain - target_field: url.registered_domain - target_subdomain_field: url.subdomain - target_etld_field: url.top_level_domain -- add_locale: ~ diff --git a/packages/juniper_netscreen/0.4.1/data_stream/log/agent/stream/udp.yml.hbs b/packages/juniper_netscreen/0.4.1/data_stream/log/agent/stream/udp.yml.hbs deleted file mode 100755 index 63a0c266a8..0000000000 --- a/packages/juniper_netscreen/0.4.1/data_stream/log/agent/stream/udp.yml.hbs +++ /dev/null 
@@ -1,26354 +0,0 @@ -udp: -host: "{{udp_host}}:{{udp_port}}" -tags: -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#each tags as |tag i|}} - - {{tag}} -{{/each}} -fields_under_root: true -fields: - observer: - vendor: "Juniper" - product: "Netscreen" - type: "Firewall" -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} -processors: -{{#if processors}} -{{processors}} -{{/if}} -- script: - lang: javascript - params: - ecs: true - rsa: {{rsa_fields}} - tz_offset: {{tz_offset}} - keep_raw: {{keep_raw_fields}} - debug: {{debug}} - source: | - // Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - // or more contributor license agreements. Licensed under the Elastic License; - // you may not use this file except in compliance with the Elastic License. - - /* jshint -W014,-W016,-W097,-W116 */ - - var processor = require("processor"); - var console = require("console"); - - var FLAG_FIELD = "log.flags"; - var FIELDS_OBJECT = "nwparser"; - var FIELDS_PREFIX = FIELDS_OBJECT + "."; - - var defaults = { - debug: false, - ecs: true, - rsa: false, - keep_raw: false, - tz_offset: "local", - strip_priority: true - }; - - var saved_flags = null; - var debug; - var map_ecs; - var map_rsa; - var keep_raw; - var device; - var tz_offset; - var strip_priority; - - // Register params from configuration. - function register(params) { - debug = params.debug !== undefined ? params.debug : defaults.debug; - map_ecs = params.ecs !== undefined ? params.ecs : defaults.ecs; - map_rsa = params.rsa !== undefined ? params.rsa : defaults.rsa; - keep_raw = params.keep_raw !== undefined ? params.keep_raw : defaults.keep_raw; - tz_offset = parse_tz_offset(params.tz_offset !== undefined? params.tz_offset : defaults.tz_offset); - strip_priority = params.strip_priority !== undefined? 
params.strip_priority : defaults.strip_priority; - device = new DeviceProcessor(); - } - - function parse_tz_offset(offset) { - var date; - var m; - switch(offset) { - // local uses the tz offset from the JS VM. - case "local": - date = new Date(); - // Reversing the sign as we the offset from UTC, not to UTC. - return parse_local_tz_offset(-date.getTimezoneOffset()); - // event uses the tz offset from event.timezone (add_locale processor). - case "event": - return offset; - // Otherwise a tz offset in the form "[+-][0-9]{4}" is required. - default: - m = offset.match(/^([+\-])([0-9]{2}):?([0-9]{2})?$/); - if (m === null || m.length !== 4) { - throw("bad timezone offset: '" + offset + "'. Must have the form +HH:MM"); - } - return m[1] + m[2] + ":" + (m[3]!==undefined? m[3] : "00"); - } - } - - function parse_local_tz_offset(minutes) { - var neg = minutes < 0; - minutes = Math.abs(minutes); - var min = minutes % 60; - var hours = Math.floor(minutes / 60); - var pad2digit = function(n) { - if (n < 10) { return "0" + n;} - return "" + n; - }; - return (neg? "-" : "+") + pad2digit(hours) + ":" + pad2digit(min); - } - - function process(evt) { - // Function register is only called by the processor when `params` are set - // in the processor config. - if (device === undefined) { - register(defaults); - } - return device.process(evt); - } - - function processor_chain(subprocessors) { - var builder = new processor.Chain(); - subprocessors.forEach(builder.Add); - return builder.Build().Run; - } - - function linear_select(subprocessors) { - return function (evt) { - var flags = evt.Get(FLAG_FIELD); - var i; - for (i = 0; i < subprocessors.length; i++) { - evt.Delete(FLAG_FIELD); - if (debug) console.warn("linear_select trying entry " + i); - subprocessors[i](evt); - // Dissect processor succeeded? 
- if (evt.Get(FLAG_FIELD) == null) break; - if (debug) console.warn("linear_select failed entry " + i); - } - if (flags !== null) { - evt.Put(FLAG_FIELD, flags); - } - if (debug) { - if (i < subprocessors.length) { - console.warn("linear_select matched entry " + i); - } else { - console.warn("linear_select didn't match"); - } - } - }; - } - - function conditional(opt) { - return function(evt) { - if (opt.if(evt)) { - opt.then(evt); - } else if (opt.else) { - opt.else(evt); - } - }; - } - - var strip_syslog_priority = (function() { - var isEnabled = function() { return strip_priority === true; }; - var fetchPRI = field("_pri"); - var fetchPayload = field("payload"); - var removePayload = remove(["payload"]); - var cleanup = remove(["_pri", "payload"]); - var onMatch = function(evt) { - var pri, priStr = fetchPRI(evt); - if (priStr != null - && 0 < priStr.length && priStr.length < 4 - && !isNaN((pri = Number(priStr))) - && 0 <= pri && pri < 192) { - var severity = pri & 7, - facility = pri >> 3; - setc("_severity", "" + severity)(evt); - setc("_facility", "" + facility)(evt); - // Replace message with priority stripped. - evt.Put("message", fetchPayload(evt)); - removePayload(evt); - } else { - // not a valid syslog PRI, cleanup. 
- cleanup(evt); - } - }; - return conditional({ - if: isEnabled, - then: cleanup_flags(match( - "STRIP_PRI", - "message", - "<%{_pri}>%{payload}", - onMatch - )) - }); - })(); - - function match(id, src, pattern, on_success) { - var dissect = new processor.Dissect({ - field: src, - tokenizer: pattern, - target_prefix: FIELDS_OBJECT, - ignore_failure: true, - overwrite_keys: true, - trim_values: "right" - }); - return function (evt) { - var msg = evt.Get(src); - dissect.Run(evt); - var failed = evt.Get(FLAG_FIELD) != null; - if (debug) { - if (failed) { - console.debug("dissect fail: " + id + " field:" + src); - } else { - console.debug("dissect OK: " + id + " field:" + src); - } - console.debug(" expr: <<" + pattern + ">>"); - console.debug(" input: <<" + msg + ">>"); - } - if (on_success != null && !failed) { - on_success(evt); - } - }; - } - - function match_copy(id, src, dst, on_success) { - dst = FIELDS_PREFIX + dst; - if (dst === FIELDS_PREFIX || dst === src) { - return function (evt) { - if (debug) { - console.debug("noop OK: " + id + " field:" + src); - console.debug(" input: <<" + evt.Get(src) + ">>"); - } - if (on_success != null) on_success(evt); - } - } - return function (evt) { - var msg = evt.Get(src); - evt.Put(dst, msg); - if (debug) { - console.debug("copy OK: " + id + " field:" + src); - console.debug(" target: '" + dst + "'"); - console.debug(" input: <<" + msg + ">>"); - } - if (on_success != null) on_success(evt); - } - } - - function cleanup_flags(processor) { - return function(evt) { - processor(evt); - evt.Delete(FLAG_FIELD); - }; - } - - function all_match(opts) { - return function (evt) { - var i; - for (i = 0; i < opts.processors.length; i++) { - evt.Delete(FLAG_FIELD); - opts.processors[i](evt); - // Dissect processor succeeded? 
- if (evt.Get(FLAG_FIELD) != null) { - if (debug) console.warn("all_match failure at " + i); - if (opts.on_failure != null) opts.on_failure(evt); - return; - } - if (debug) console.warn("all_match success at " + i); - } - if (opts.on_success != null) opts.on_success(evt); - }; - } - - function msgid_select(mapping) { - return function (evt) { - var msgid = evt.Get(FIELDS_PREFIX + "messageid"); - if (msgid == null) { - if (debug) console.warn("msgid_select: no messageid captured!"); - return; - } - var next = mapping[msgid]; - if (next === undefined) { - if (debug) console.warn("msgid_select: no mapping for messageid:" + msgid); - return; - } - if (debug) console.info("msgid_select: matched key=" + msgid); - return next(evt); - }; - } - - function msg(msg_id, match) { - return function (evt) { - match(evt); - if (evt.Get(FLAG_FIELD) == null) { - evt.Put(FIELDS_PREFIX + "msg_id1", msg_id); - } - }; - } - - var start; - - function save_flags(evt) { - saved_flags = evt.Get(FLAG_FIELD); - evt.Put("event.original", evt.Get("message")); - } - - function restore_flags(evt) { - if (saved_flags !== null) { - evt.Put(FLAG_FIELD, saved_flags); - } - evt.Delete("message"); - } - - function constant(value) { - return function (evt) { - return value; - }; - } - - function field(name) { - var fullname = FIELDS_PREFIX + name; - return function (evt) { - return evt.Get(fullname); - }; - } - - function STRCAT(args) { - var s = ""; - var i; - for (i = 0; i < args.length; i++) { - s += args[i]; - } - return s; - } - - // TODO: Implement - function DIRCHK(args) { - unimplemented("DIRCHK"); - } - - function strictToInt(str) { - return str * 1; - } - - function CALC(args) { - if (args.length !== 3) { - console.warn("skipped call to CALC with " + args.length + " arguments."); - return; - } - var a = strictToInt(args[0]); - var b = strictToInt(args[2]); - if (isNaN(a) || isNaN(b)) { - console.warn("failed evaluating CALC arguments a='" + args[0] + "' b='" + args[2] + "'."); - return; - } - 
var result; - switch (args[1]) { - case "+": - result = a + b; - break; - case "-": - result = a - b; - break; - case "*": - result = a * b; - break; - default: - // Only * and + seen in the parsers. - console.warn("unknown CALC operation '" + args[1] + "'."); - return; - } - // Always return a string - return result !== undefined ? "" + result : result; - } - - var quoteChars = "\"'`"; - function RMQ(args) { - if(args.length !== 1) { - console.warn("RMQ: only one argument expected"); - return; - } - var value = args[0].trim(); - var n = value.length; - var char; - return n > 1 - && (char=value.charAt(0)) === value.charAt(n-1) - && quoteChars.indexOf(char) !== -1? - value.substr(1, n-2) - : value; - } - - function call(opts) { - var args = new Array(opts.args.length); - return function (evt) { - for (var i = 0; i < opts.args.length; i++) - if ((args[i] = opts.args[i](evt)) == null) return; - var result = opts.fn(args); - if (result != null) { - evt.Put(opts.dest, result); - } - }; - } - - function nop(evt) { - } - - function appendErrorMsg(evt, msg) { - var value = evt.Get("error.message"); - if (value == null) { - value = [msg]; - } else if (msg instanceof Array) { - value.push(msg); - } else { - value = [value, msg]; - } - evt.Put("error.message", value); - } - - function unimplemented(name) { - appendErrorMsg("unimplemented feature: " + name); - } - - function lookup(opts) { - return function (evt) { - var key = opts.key(evt); - if (key == null) return; - var value = opts.map.keyvaluepairs[key]; - if (value === undefined) { - value = opts.map.default; - } - if (value !== undefined) { - evt.Put(opts.dest, value(evt)); - } - }; - } - - function set(fields) { - return new processor.AddFields({ - target: FIELDS_OBJECT, - fields: fields, - }); - } - - function setf(dst, src) { - return function (evt) { - var val = evt.Get(FIELDS_PREFIX + src); - if (val != null) evt.Put(FIELDS_PREFIX + dst, val); - }; - } - - function setc(dst, value) { - return function (evt) { - 
evt.Put(FIELDS_PREFIX + dst, value); - }; - } - - function set_field(opts) { - return function (evt) { - var val = opts.value(evt); - if (val != null) evt.Put(opts.dest, val); - }; - } - - function dump(label) { - return function (evt) { - console.log("Dump of event at " + label + ": " + JSON.stringify(evt, null, "\t")); - }; - } - - function date_time_join_args(evt, arglist) { - var str = ""; - for (var i = 0; i < arglist.length; i++) { - var fname = FIELDS_PREFIX + arglist[i]; - var val = evt.Get(fname); - if (val != null) { - if (str !== "") str += " "; - str += val; - } else { - if (debug) console.warn("in date_time: input arg " + fname + " is not set"); - } - } - return str; - } - - function to2Digit(num) { - return num? (num < 10? "0" + num : num) : "00"; - } - - // Make two-digit dates 00-69 interpreted as 2000-2069 - // and dates 70-99 translated to 1970-1999. - var twoDigitYearEpoch = 70; - var twoDigitYearCentury = 2000; - - // This is to accept dates up to 2 days in the future, only used when - // no year is specified in a date. 2 days should be enough to account for - // time differences between systems and different tz offsets. - var maxFutureDelta = 2*24*60*60*1000; - - // DateContainer stores date fields and then converts those fields into - // a Date. Necessary because building a Date using its set() methods gives - // different results depending on the order of components. - function DateContainer(tzOffset) { - this.offset = tzOffset === undefined? "Z" : tzOffset; - } - - DateContainer.prototype = { - setYear: function(v) {this.year = v;}, - setMonth: function(v) {this.month = v;}, - setDay: function(v) {this.day = v;}, - setHours: function(v) {this.hours = v;}, - setMinutes: function(v) {this.minutes = v;}, - setSeconds: function(v) {this.seconds = v;}, - - setUNIX: function(v) {this.unix = v;}, - - set2DigitYear: function(v) { - this.year = v < twoDigitYearEpoch? 
twoDigitYearCentury + v : twoDigitYearCentury + v - 100; - }, - - toDate: function() { - if (this.unix !== undefined) { - return new Date(this.unix * 1000); - } - if (this.day === undefined || this.month === undefined) { - // Can't make a date from this. - return undefined; - } - if (this.year === undefined) { - // A date without a year. Set current year, or previous year - // if date would be in the future. - var now = new Date(); - this.year = now.getFullYear(); - var date = this.toDate(); - if (date.getTime() - now.getTime() > maxFutureDelta) { - date.setFullYear(now.getFullYear() - 1); - } - return date; - } - var MM = to2Digit(this.month); - var DD = to2Digit(this.day); - var hh = to2Digit(this.hours); - var mm = to2Digit(this.minutes); - var ss = to2Digit(this.seconds); - return new Date(this.year + "-" + MM + "-" + DD + "T" + hh + ":" + mm + ":" + ss + this.offset); - } - } - - function date_time_try_pattern(fmt, str, tzOffset) { - var date = new DateContainer(tzOffset); - var pos = date_time_try_pattern_at_pos(fmt, str, 0, date); - return pos !== undefined? 
date.toDate() : undefined; - } - - function date_time_try_pattern_at_pos(fmt, str, pos, date) { - var len = str.length; - for (var proc = 0; pos !== undefined && pos < len && proc < fmt.length; proc++) { - pos = fmt[proc](str, pos, date); - } - return pos; - } - - function date_time(opts) { - return function (evt) { - var tzOffset = opts.tz || tz_offset; - if (tzOffset === "event") { - tzOffset = evt.Get("event.timezone"); - } - var str = date_time_join_args(evt, opts.args); - for (var i = 0; i < opts.fmts.length; i++) { - var date = date_time_try_pattern(opts.fmts[i], str, tzOffset); - if (date !== undefined) { - evt.Put(FIELDS_PREFIX + opts.dest, date); - return; - } - } - if (debug) console.warn("in date_time: id=" + opts.id + " FAILED: " + str); - }; - } - - var uA = 60 * 60 * 24; - var uD = 60 * 60 * 24; - var uF = 60 * 60; - var uG = 60 * 60 * 24 * 30; - var uH = 60 * 60; - var uI = 60 * 60; - var uJ = 60 * 60 * 24; - var uM = 60 * 60 * 24 * 30; - var uN = 60 * 60; - var uO = 1; - var uS = 1; - var uT = 60; - var uU = 60; - var uc = dc; - - function duration(opts) { - return function(evt) { - var str = date_time_join_args(evt, opts.args); - for (var i = 0; i < opts.fmts.length; i++) { - var seconds = duration_try_pattern(opts.fmts[i], str); - if (seconds !== undefined) { - evt.Put(FIELDS_PREFIX + opts.dest, seconds); - return; - } - } - if (debug) console.warn("in duration: id=" + opts.id + " (s) FAILED: " + str); - }; - } - - function duration_try_pattern(fmt, str) { - var secs = 0; - var pos = 0; - for (var i=0; i [ month_id , how many chars to skip if month in long form ] - "Jan": [0, 4], - "Feb": [1, 5], - "Mar": [2, 2], - "Apr": [3, 2], - "May": [4, 0], - "Jun": [5, 1], - "Jul": [6, 1], - "Aug": [7, 3], - "Sep": [8, 6], - "Oct": [9, 4], - "Nov": [10, 5], - "Dec": [11, 4], - "jan": [0, 4], - "feb": [1, 5], - "mar": [2, 2], - "apr": [3, 2], - "may": [4, 0], - "jun": [5, 1], - "jul": [6, 1], - "aug": [7, 3], - "sep": [8, 6], - "oct": [9, 4], - "nov": [10, 
5], - "dec": [11, 4], - }; - - // var dC = undefined; - var dR = dateMonthName(true); - var dB = dateMonthName(false); - var dM = dateFixedWidthNumber("M", 2, 1, 12, DateContainer.prototype.setMonth); - var dG = dateVariableWidthNumber("G", 1, 12, DateContainer.prototype.setMonth); - var dD = dateFixedWidthNumber("D", 2, 1, 31, DateContainer.prototype.setDay); - var dF = dateVariableWidthNumber("F", 1, 31, DateContainer.prototype.setDay); - var dH = dateFixedWidthNumber("H", 2, 0, 24, DateContainer.prototype.setHours); - var dI = dateVariableWidthNumber("I", 0, 24, DateContainer.prototype.setHours); // Accept hours >12 - var dN = dateVariableWidthNumber("N", 0, 24, DateContainer.prototype.setHours); - var dT = dateFixedWidthNumber("T", 2, 0, 59, DateContainer.prototype.setMinutes); - var dU = dateVariableWidthNumber("U", 0, 59, DateContainer.prototype.setMinutes); - var dP = parseAMPM; // AM|PM - var dQ = parseAMPM; // A.M.|P.M - var dS = dateFixedWidthNumber("S", 2, 0, 60, DateContainer.prototype.setSeconds); - var dO = dateVariableWidthNumber("O", 0, 60, DateContainer.prototype.setSeconds); - var dY = dateFixedWidthNumber("Y", 2, 0, 99, DateContainer.prototype.set2DigitYear); - var dW = dateFixedWidthNumber("W", 4, 1000, 9999, DateContainer.prototype.setYear); - var dZ = parseHMS; - var dX = dateVariableWidthNumber("X", 0, 0x10000000000, DateContainer.prototype.setUNIX); - - // parseAMPM parses "A.M", "AM", "P.M", "PM" from logs. - // Only works if this modifier appears after the hour has been read from logs - // which is always the case in the 300 devices. 
- function parseAMPM(str, pos, date) { - var n = str.length; - var start = skipws(str, pos); - if (start + 2 > n) return; - var head = str.substr(start, 2).toUpperCase(); - var isPM = false; - var skip = false; - switch (head) { - case "A.": - skip = true; - /* falls through */ - case "AM": - break; - case "P.": - skip = true; - /* falls through */ - case "PM": - isPM = true; - break; - default: - if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(head:" + head + ")"); - return; - } - pos = start + 2; - if (skip) { - if (pos+2 > n || str.substr(pos, 2).toUpperCase() !== "M.") { - if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(tail)"); - return; - } - pos += 2; - } - var hh = date.hours; - if (isPM) { - // Accept existing hour in 24h format. - if (hh < 12) hh += 12; - } else { - if (hh === 12) hh = 0; - } - date.setHours(hh); - return pos; - } - - function parseHMS(str, pos, date) { - return date_time_try_pattern_at_pos([dN, dc(":"), dU, dc(":"), dO], str, pos, date); - } - - function skipws(str, pos) { - for ( var n = str.length; - pos < n && str.charAt(pos) === " "; - pos++) - ; - return pos; - } - - function skipdigits(str, pos) { - var c; - for (var n = str.length; - pos < n && (c = str.charAt(pos)) >= "0" && c <= "9"; - pos++) - ; - return pos; - } - - function dSkip(str, pos, date) { - var chr; - for (;pos < str.length && (chr=str[pos])<'0' || chr>'9'; pos++) {} - return pos < str.length? 
pos : undefined; - } - - function dateVariableWidthNumber(fmtChar, min, max, setter) { - return function (str, pos, date) { - var start = skipws(str, pos); - pos = skipdigits(str, start); - var s = str.substr(start, pos - start); - var value = parseInt(s, 10); - if (value >= min && value <= max) { - setter.call(date, value); - return pos; - } - return; - }; - } - - function dateFixedWidthNumber(fmtChar, width, min, max, setter) { - return function (str, pos, date) { - pos = skipws(str, pos); - var n = str.length; - if (pos + width > n) return; - var s = str.substr(pos, width); - var value = parseInt(s, 10); - if (value >= min && value <= max) { - setter.call(date, value); - return pos + width; - } - return; - }; - } - - // Short month name (Jan..Dec). - function dateMonthName(long) { - return function (str, pos, date) { - pos = skipws(str, pos); - var n = str.length; - if (pos + 3 > n) return; - var mon = str.substr(pos, 3); - var idx = shortMonths[mon]; - if (idx === undefined) { - idx = shortMonths[mon.toLowerCase()]; - } - if (idx === undefined) { - //console.warn("parsing date_time: '" + mon + "' is not a valid short month (%B)"); - return; - } - date.setMonth(idx[0]+1); - return pos + 3 + (long ? 
idx[1] : 0); - }; - } - - function url_wrapper(dst, src, fn) { - return function(evt) { - var value = evt.Get(FIELDS_PREFIX + src), result; - if (value != null && (result = fn(value))!== undefined) { - evt.Put(FIELDS_PREFIX + dst, result); - } else { - console.debug(fn.name + " failed for '" + value + "'"); - } - }; - } - - // The following regular expression for parsing URLs from: - // https://github.com/wizard04wsu/URI_Parsing - // - // The MIT License (MIT) - // - // Copyright (c) 2014 Andrew Harrison - // - // Permission is hereby granted, free of charge, to any person obtaining a copy of - // this software and associated documentation files (the "Software"), to deal in - // the Software without restriction, including without limitation the rights to - // use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of - // the Software, and to permit persons to whom the Software is furnished to do so, - // subject to the following conditions: - // - // The above copyright notice and this permission notice shall be included in all - // copies or substantial portions of the Software. - // - // THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR - // IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS - // FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR - // COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER - // IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN - // CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 
- var uriRegExp = /^([a-z][a-z0-9+.\-]*):(?:\/\/((?:(?=((?:[a-z0-9\-._~!$&'()*+,;=:]|%[0-9A-F]{2})*))(\3)@)?(?=(\[[0-9A-F:.]{2,}\]|(?:[a-z0-9\-._~!$&'()*+,;=]|%[0-9A-F]{2})*))\5(?::(?=(\d*))\6)?)(\/(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\8)?|(\/?(?!\/)(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\10)?)(?:\?(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\11)?(?:#(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\12)?$/i; - - var uriScheme = 1; - var uriDomain = 5; - var uriPort = 6; - var uriPath = 7; - var uriPathAlt = 9; - var uriQuery = 11; - - function domain(dst, src) { - return url_wrapper(dst, src, extract_domain); - } - - function split_url(value) { - var m = value.match(uriRegExp); - if (m && m[uriDomain]) return m; - // Support input in the form "www.example.net/path", but not "/path". - m = ("null://" + value).match(uriRegExp); - if (m) return m; - } - - function extract_domain(value) { - var m = split_url(value); - if (m && m[uriDomain]) return m[uriDomain]; - } - - var extFromPage = /\.[^.]+$/; - function extract_ext(value) { - var page = extract_page(value); - if (page) { - var m = page.match(extFromPage); - if (m) return m[0]; - } - } - - function ext(dst, src) { - return url_wrapper(dst, src, extract_ext); - } - - function fqdn(dst, src) { - // TODO: fqdn and domain(eTLD+1) are currently the same. - return domain(dst, src); - } - - var pageFromPathRegExp = /\/([^\/]+)$/; - var pageName = 1; - - function extract_page(value) { - value = extract_path(value); - if (!value) return undefined; - var m = value.match(pageFromPathRegExp); - if (m) return m[pageName]; - } - - function page(dst, src) { - return url_wrapper(dst, src, extract_page); - } - - function extract_path(value) { - var m = split_url(value); - return m? m[uriPath] || m[uriPathAlt] : undefined; - } - - function path(dst, src) { - return url_wrapper(dst, src, extract_path); - } - - // Map common schemes to their default port. 
- // port has to be a string (will be converted at a later stage). - var schemePort = { - "ftp": "21", - "ssh": "22", - "http": "80", - "https": "443", - }; - - function extract_port(value) { - var m = split_url(value); - if (!m) return undefined; - if (m[uriPort]) return m[uriPort]; - if (m[uriScheme]) { - return schemePort[m[uriScheme]]; - } - } - - function port(dst, src) { - return url_wrapper(dst, src, extract_port); - } - - function extract_query(value) { - var m = split_url(value); - if (m && m[uriQuery]) return m[uriQuery]; - } - - function query(dst, src) { - return url_wrapper(dst, src, extract_query); - } - - function extract_root(value) { - var m = split_url(value); - if (m && m[uriDomain] && m[uriDomain]) { - var scheme = m[uriScheme] && m[uriScheme] !== "null"? - m[uriScheme] + "://" : ""; - var port = m[uriPort]? ":" + m[uriPort] : ""; - return scheme + m[uriDomain] + port; - } - } - - function root(dst, src) { - return url_wrapper(dst, src, extract_root); - } - - function tagval(id, src, cfg, keys, on_success) { - var fail = function(evt) { - evt.Put(FLAG_FIELD, "tagval_parsing_error"); - } - if (cfg.kv_separator.length !== 1) { - throw("Invalid TAGVALMAP ValueDelimiter (must have 1 character)"); - } - var quotes_len = cfg.open_quote.length > 0 && cfg.close_quote.length > 0? 
- cfg.open_quote.length + cfg.close_quote.length : 0; - var kv_regex = new RegExp('^([^' + cfg.kv_separator + ']*)*' + cfg.kv_separator + ' *(.*)*$'); - return function(evt) { - var msg = evt.Get(src); - if (msg === undefined) { - console.warn("tagval: input field is missing"); - return fail(evt); - } - var pairs = msg.split(cfg.pair_separator); - var i; - var success = false; - var prev = ""; - for (i=0; i 0 && - value.length >= cfg.open_quote.length + cfg.close_quote.length && - value.substr(0, cfg.open_quote.length) === cfg.open_quote && - value.substr(value.length - cfg.close_quote.length) === cfg.close_quote) { - value = value.substr(cfg.open_quote.length, value.length - quotes_len); - } - evt.Put(FIELDS_PREFIX + field, value); - success = true; - } - if (!success) { - return fail(evt); - } - if (on_success != null) { - on_success(evt); - } - } - } - - var ecs_mappings = { - "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]}, - "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]}, - "_severity": {convert: to_long, to:[{field: "log.syslog.severity.code", setter: fld_set}]}, - "action": {to:[{field: "event.action", setter: fld_prio, prio: 0}]}, - "administrator": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 4}]}, - "alias.ip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 3},{field: "related.ip", setter: fld_append}]}, - "alias.ipv6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 4},{field: "related.ip", setter: fld_append}]}, - "alias.mac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 1}]}, - "application": {to:[{field: "network.application", setter: fld_set}]}, - "bytes": {convert: to_long, to:[{field: "network.bytes", setter: fld_set}]}, - "c_domain": {to:[{field: "source.domain", setter: fld_prio, prio: 1}]}, - "c_logon_id": {to:[{field: "user.id", setter: fld_prio, prio: 2}]}, - 
"c_user_name": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 8}]}, - "c_username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 2}]}, - "cctld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 1}]}, - "child_pid": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 1}]}, - "child_pid_val": {to:[{field: "process.title", setter: fld_set}]}, - "child_process": {to:[{field: "process.name", setter: fld_prio, prio: 1}]}, - "city.dst": {to:[{field: "destination.geo.city_name", setter: fld_set}]}, - "city.src": {to:[{field: "source.geo.city_name", setter: fld_set}]}, - "daddr": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, - "daddr_v6": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, - "ddomain": {to:[{field: "destination.domain", setter: fld_prio, prio: 0}]}, - "devicehostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, - "devicehostmac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 0}]}, - "dhost": {to:[{field: "destination.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]}, - "dinterface": {to:[{field: "observer.egress.interface.name", setter: fld_set}]}, - "direction": {to:[{field: "network.direction", setter: fld_set}]}, - "directory": {to:[{field: "file.directory", setter: fld_set}]}, - "dmacaddr": {convert: to_mac, to:[{field: "destination.mac", setter: fld_set}]}, - "dns.responsetype": {to:[{field: "dns.answers.type", setter: fld_set}]}, - "dns.resptext": {to:[{field: "dns.answers.name", setter: fld_set}]}, - "dns_querytype": {to:[{field: "dns.question.type", setter: fld_set}]}, - "domain": {to:[{field: "server.domain", setter: fld_prio, prio: 0},{field: "related.hosts", setter: fld_append}]}, - 
"domain.dst": {to:[{field: "destination.domain", setter: fld_prio, prio: 1}]}, - "domain.src": {to:[{field: "source.domain", setter: fld_prio, prio: 2}]}, - "domain_id": {to:[{field: "user.domain", setter: fld_set}]}, - "domainname": {to:[{field: "server.domain", setter: fld_prio, prio: 1}]}, - "dport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 0}]}, - "dtransaddr": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, - "dtransport": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 0}]}, - "ec_outcome": {to:[{field: "event.outcome", setter: fld_ecs_outcome}]}, - "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]}, - "event_source": {to:[{field: "related.hosts", setter: fld_append}]}, - "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]}, - "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]}, - "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]}, - "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]}, - "filename": {to:[{field: "file.name", setter: fld_prio, prio: 0}]}, - "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]}, - "filepath": {to:[{field: "file.path", setter: fld_set}]}, - "filetype": {to:[{field: "file.type", setter: fld_set}]}, - "fqdn": {to:[{field: "related.hosts", setter: fld_append}]}, - "group": {to:[{field: "group.name", setter: fld_set}]}, - "groupid": {to:[{field: "group.id", setter: fld_set}]}, - "host": {to:[{field: "host.name", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]}, - "hostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, - "hostip_v6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, - "hostname": {to:[{field: 
"host.name", setter: fld_prio, prio: 0}]}, - "id": {to:[{field: "event.code", setter: fld_prio, prio: 0}]}, - "interface": {to:[{field: "network.interface.name", setter: fld_set}]}, - "ip.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, - "ip.trans.dst": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, - "ip.trans.src": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, - "ipv6.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, - "latdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lat", setter: fld_set}]}, - "latdec_src": {convert: to_double, to:[{field: "source.geo.location.lat", setter: fld_set}]}, - "location_city": {to:[{field: "geo.city_name", setter: fld_set}]}, - "location_country": {to:[{field: "geo.country_name", setter: fld_set}]}, - "location_desc": {to:[{field: "geo.name", setter: fld_set}]}, - "location_dst": {to:[{field: "destination.geo.country_name", setter: fld_set}]}, - "location_src": {to:[{field: "source.geo.country_name", setter: fld_set}]}, - "location_state": {to:[{field: "geo.region_name", setter: fld_set}]}, - "logon_id": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 5}]}, - "longdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lon", setter: fld_set}]}, - "longdec_src": {convert: to_double, to:[{field: "source.geo.location.lon", setter: fld_set}]}, - "macaddr": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 2}]}, - "messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]}, - "method": {to:[{field: "http.request.method", setter: fld_set}]}, - "msg": {to:[{field: "message", setter: fld_set}]}, - "orig_ip": {convert: to_ip, 
to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, - "owner": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 6}]}, - "packets": {convert: to_long, to:[{field: "network.packets", setter: fld_set}]}, - "parent_pid": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 0}]}, - "parent_pid_val": {to:[{field: "process.parent.title", setter: fld_set}]}, - "parent_process": {to:[{field: "process.parent.name", setter: fld_prio, prio: 0}]}, - "patient_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 1}]}, - "port.dst": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 1}]}, - "port.src": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 1}]}, - "port.trans.dst": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 1}]}, - "port.trans.src": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 1}]}, - "process": {to:[{field: "process.name", setter: fld_prio, prio: 0}]}, - "process_id": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 0}]}, - "process_id_src": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 1}]}, - "process_src": {to:[{field: "process.parent.name", setter: fld_prio, prio: 1}]}, - "product": {to:[{field: "observer.product", setter: fld_set}]}, - "protocol": {to:[{field: "network.protocol", setter: fld_set}]}, - "query": {to:[{field: "url.query", setter: fld_prio, prio: 2}]}, - "rbytes": {convert: to_long, to:[{field: "destination.bytes", setter: fld_set}]}, - "referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 1}]}, - "rulename": {to:[{field: "rule.name", setter: fld_set}]}, - "saddr": {convert: to_ip, to:[{field: "source.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, - "saddr_v6": {convert: to_ip, to:[{field: "source.ip", setter: 
fld_set},{field: "related.ip", setter: fld_append}]}, - "sbytes": {convert: to_long, to:[{field: "source.bytes", setter: fld_set}]}, - "sdomain": {to:[{field: "source.domain", setter: fld_prio, prio: 0}]}, - "service": {to:[{field: "service.name", setter: fld_prio, prio: 1}]}, - "service.name": {to:[{field: "service.name", setter: fld_prio, prio: 0}]}, - "service_account": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 7}]}, - "severity": {to:[{field: "log.level", setter: fld_set}]}, - "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]}, - "sinterface": {to:[{field: "observer.ingress.interface.name", setter: fld_set}]}, - "sld": {to:[{field: "url.registered_domain", setter: fld_set}]}, - "smacaddr": {convert: to_mac, to:[{field: "source.mac", setter: fld_set}]}, - "sport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 0}]}, - "stransaddr": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, - "stransport": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 0}]}, - "tcp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 2}]}, - "tcp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 2}]}, - "timezone": {to:[{field: "event.timezone", setter: fld_set}]}, - "tld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 0}]}, - "udp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 3}]}, - "udp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 3}]}, - "uid": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 3}]}, - "url": {to:[{field: "url.original", setter: fld_prio, prio: 1}]}, - "url_raw": {to:[{field: "url.original", setter: fld_prio, prio: 
0}]}, - "urldomain": {to:[{field: "url.domain", setter: fld_prio, prio: 0}]}, - "urlquery": {to:[{field: "url.query", setter: fld_prio, prio: 0}]}, - "user": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 0}]}, - "user.id": {to:[{field: "user.id", setter: fld_prio, prio: 1}]}, - "user_agent": {to:[{field: "user_agent.original", setter: fld_set}]}, - "user_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 0}]}, - "user_id": {to:[{field: "user.id", setter: fld_prio, prio: 0}]}, - "username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 1}]}, - "version": {to:[{field: "observer.version", setter: fld_set}]}, - "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]}, - "web_extension": {to:[{field: "file.extension", setter: fld_prio, prio: 0}]}, - "web_query": {to:[{field: "url.query", setter: fld_prio, prio: 1}]}, - "web_ref_domain": {to:[{field: "related.hosts", setter: fld_append}]}, - "web_referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 0}]}, - "web_root": {to:[{field: "url.path", setter: fld_set}]}, - "webpage": {to:[{field: "file.name", setter: fld_prio, prio: 1}]}, - }; - - var rsa_mappings = { - "access_point": {to:[{field: "rsa.wireless.access_point", setter: fld_set}]}, - "accesses": {to:[{field: "rsa.identity.accesses", setter: fld_set}]}, - "acl_id": {to:[{field: "rsa.misc.acl_id", setter: fld_set}]}, - "acl_op": {to:[{field: "rsa.misc.acl_op", setter: fld_set}]}, - "acl_pos": {to:[{field: "rsa.misc.acl_pos", setter: fld_set}]}, - "acl_table": {to:[{field: "rsa.misc.acl_table", setter: fld_set}]}, - "action": {to:[{field: "rsa.misc.action", setter: fld_append}]}, - "ad_computer_dst": {to:[{field: "rsa.network.ad_computer_dst", setter: fld_set}]}, - "addr": {to:[{field: "rsa.network.addr", setter: fld_set}]}, - "admin": {to:[{field: "rsa.misc.admin", setter: 
fld_set}]}, - "agent": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 0}]}, - "agent.id": {to:[{field: "rsa.misc.agent_id", setter: fld_set}]}, - "alarm_id": {to:[{field: "rsa.misc.alarm_id", setter: fld_set}]}, - "alarmname": {to:[{field: "rsa.misc.alarmname", setter: fld_set}]}, - "alert": {to:[{field: "rsa.threat.alert", setter: fld_set}]}, - "alert_id": {to:[{field: "rsa.misc.alert_id", setter: fld_set}]}, - "alias.host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "analysis.file": {to:[{field: "rsa.investigations.analysis_file", setter: fld_set}]}, - "analysis.service": {to:[{field: "rsa.investigations.analysis_service", setter: fld_set}]}, - "analysis.session": {to:[{field: "rsa.investigations.analysis_session", setter: fld_set}]}, - "app_id": {to:[{field: "rsa.misc.app_id", setter: fld_set}]}, - "attachment": {to:[{field: "rsa.file.attachment", setter: fld_set}]}, - "audit": {to:[{field: "rsa.misc.audit", setter: fld_set}]}, - "audit_class": {to:[{field: "rsa.internal.audit_class", setter: fld_set}]}, - "audit_object": {to:[{field: "rsa.misc.audit_object", setter: fld_set}]}, - "auditdata": {to:[{field: "rsa.misc.auditdata", setter: fld_set}]}, - "authmethod": {to:[{field: "rsa.identity.auth_method", setter: fld_set}]}, - "autorun_type": {to:[{field: "rsa.misc.autorun_type", setter: fld_set}]}, - "bcc": {to:[{field: "rsa.email.email", setter: fld_append}]}, - "benchmark": {to:[{field: "rsa.misc.benchmark", setter: fld_set}]}, - "binary": {to:[{field: "rsa.file.binary", setter: fld_set}]}, - "boc": {to:[{field: "rsa.investigations.boc", setter: fld_set}]}, - "bssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 1}]}, - "bypass": {to:[{field: "rsa.misc.bypass", setter: fld_set}]}, - "c_sid": {to:[{field: "rsa.identity.user_sid_src", setter: fld_set}]}, - "cache": {to:[{field: "rsa.misc.cache", setter: fld_set}]}, - "cache_hit": {to:[{field: "rsa.misc.cache_hit", setter: fld_set}]}, - "calling_from": {to:[{field: 
"rsa.misc.phone", setter: fld_prio, prio: 1}]}, - "calling_to": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 0}]}, - "category": {to:[{field: "rsa.misc.category", setter: fld_set}]}, - "cc": {to:[{field: "rsa.email.email", setter: fld_append}]}, - "cc.number": {convert: to_long, to:[{field: "rsa.misc.cc_number", setter: fld_set}]}, - "cefversion": {to:[{field: "rsa.misc.cefversion", setter: fld_set}]}, - "cert.serial": {to:[{field: "rsa.crypto.cert_serial", setter: fld_set}]}, - "cert_ca": {to:[{field: "rsa.crypto.cert_ca", setter: fld_set}]}, - "cert_checksum": {to:[{field: "rsa.crypto.cert_checksum", setter: fld_set}]}, - "cert_common": {to:[{field: "rsa.crypto.cert_common", setter: fld_set}]}, - "cert_error": {to:[{field: "rsa.crypto.cert_error", setter: fld_set}]}, - "cert_hostname": {to:[{field: "rsa.crypto.cert_host_name", setter: fld_set}]}, - "cert_hostname_cat": {to:[{field: "rsa.crypto.cert_host_cat", setter: fld_set}]}, - "cert_issuer": {to:[{field: "rsa.crypto.cert_issuer", setter: fld_set}]}, - "cert_keysize": {to:[{field: "rsa.crypto.cert_keysize", setter: fld_set}]}, - "cert_status": {to:[{field: "rsa.crypto.cert_status", setter: fld_set}]}, - "cert_subject": {to:[{field: "rsa.crypto.cert_subject", setter: fld_set}]}, - "cert_username": {to:[{field: "rsa.crypto.cert_username", setter: fld_set}]}, - "cfg.attr": {to:[{field: "rsa.misc.cfg_attr", setter: fld_set}]}, - "cfg.obj": {to:[{field: "rsa.misc.cfg_obj", setter: fld_set}]}, - "cfg.path": {to:[{field: "rsa.misc.cfg_path", setter: fld_set}]}, - "change_attribute": {to:[{field: "rsa.misc.change_attrib", setter: fld_set}]}, - "change_new": {to:[{field: "rsa.misc.change_new", setter: fld_set}]}, - "change_old": {to:[{field: "rsa.misc.change_old", setter: fld_set}]}, - "changes": {to:[{field: "rsa.misc.changes", setter: fld_set}]}, - "checksum": {to:[{field: "rsa.misc.checksum", setter: fld_set}]}, - "checksum.dst": {to:[{field: "rsa.misc.checksum_dst", setter: fld_set}]}, - "checksum.src": 
{to:[{field: "rsa.misc.checksum_src", setter: fld_set}]}, - "cid": {to:[{field: "rsa.internal.cid", setter: fld_set}]}, - "client": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 1}]}, - "client_ip": {to:[{field: "rsa.misc.client_ip", setter: fld_set}]}, - "clustermembers": {to:[{field: "rsa.misc.clustermembers", setter: fld_set}]}, - "cmd": {to:[{field: "rsa.misc.cmd", setter: fld_set}]}, - "cn_acttimeout": {to:[{field: "rsa.misc.cn_acttimeout", setter: fld_set}]}, - "cn_asn_dst": {to:[{field: "rsa.web.cn_asn_dst", setter: fld_set}]}, - "cn_asn_src": {to:[{field: "rsa.misc.cn_asn_src", setter: fld_set}]}, - "cn_bgpv4nxthop": {to:[{field: "rsa.misc.cn_bgpv4nxthop", setter: fld_set}]}, - "cn_ctr_dst_code": {to:[{field: "rsa.misc.cn_ctr_dst_code", setter: fld_set}]}, - "cn_dst_tos": {to:[{field: "rsa.misc.cn_dst_tos", setter: fld_set}]}, - "cn_dst_vlan": {to:[{field: "rsa.misc.cn_dst_vlan", setter: fld_set}]}, - "cn_engine_id": {to:[{field: "rsa.misc.cn_engine_id", setter: fld_set}]}, - "cn_engine_type": {to:[{field: "rsa.misc.cn_engine_type", setter: fld_set}]}, - "cn_f_switch": {to:[{field: "rsa.misc.cn_f_switch", setter: fld_set}]}, - "cn_flowsampid": {to:[{field: "rsa.misc.cn_flowsampid", setter: fld_set}]}, - "cn_flowsampintv": {to:[{field: "rsa.misc.cn_flowsampintv", setter: fld_set}]}, - "cn_flowsampmode": {to:[{field: "rsa.misc.cn_flowsampmode", setter: fld_set}]}, - "cn_inacttimeout": {to:[{field: "rsa.misc.cn_inacttimeout", setter: fld_set}]}, - "cn_inpermbyts": {to:[{field: "rsa.misc.cn_inpermbyts", setter: fld_set}]}, - "cn_inpermpckts": {to:[{field: "rsa.misc.cn_inpermpckts", setter: fld_set}]}, - "cn_invalid": {to:[{field: "rsa.misc.cn_invalid", setter: fld_set}]}, - "cn_ip_proto_ver": {to:[{field: "rsa.misc.cn_ip_proto_ver", setter: fld_set}]}, - "cn_ipv4_ident": {to:[{field: "rsa.misc.cn_ipv4_ident", setter: fld_set}]}, - "cn_l_switch": {to:[{field: "rsa.misc.cn_l_switch", setter: fld_set}]}, - "cn_log_did": {to:[{field: 
"rsa.misc.cn_log_did", setter: fld_set}]}, - "cn_log_rid": {to:[{field: "rsa.misc.cn_log_rid", setter: fld_set}]}, - "cn_max_ttl": {to:[{field: "rsa.misc.cn_max_ttl", setter: fld_set}]}, - "cn_maxpcktlen": {to:[{field: "rsa.misc.cn_maxpcktlen", setter: fld_set}]}, - "cn_min_ttl": {to:[{field: "rsa.misc.cn_min_ttl", setter: fld_set}]}, - "cn_minpcktlen": {to:[{field: "rsa.misc.cn_minpcktlen", setter: fld_set}]}, - "cn_mpls_lbl_1": {to:[{field: "rsa.misc.cn_mpls_lbl_1", setter: fld_set}]}, - "cn_mpls_lbl_10": {to:[{field: "rsa.misc.cn_mpls_lbl_10", setter: fld_set}]}, - "cn_mpls_lbl_2": {to:[{field: "rsa.misc.cn_mpls_lbl_2", setter: fld_set}]}, - "cn_mpls_lbl_3": {to:[{field: "rsa.misc.cn_mpls_lbl_3", setter: fld_set}]}, - "cn_mpls_lbl_4": {to:[{field: "rsa.misc.cn_mpls_lbl_4", setter: fld_set}]}, - "cn_mpls_lbl_5": {to:[{field: "rsa.misc.cn_mpls_lbl_5", setter: fld_set}]}, - "cn_mpls_lbl_6": {to:[{field: "rsa.misc.cn_mpls_lbl_6", setter: fld_set}]}, - "cn_mpls_lbl_7": {to:[{field: "rsa.misc.cn_mpls_lbl_7", setter: fld_set}]}, - "cn_mpls_lbl_8": {to:[{field: "rsa.misc.cn_mpls_lbl_8", setter: fld_set}]}, - "cn_mpls_lbl_9": {to:[{field: "rsa.misc.cn_mpls_lbl_9", setter: fld_set}]}, - "cn_mplstoplabel": {to:[{field: "rsa.misc.cn_mplstoplabel", setter: fld_set}]}, - "cn_mplstoplabip": {to:[{field: "rsa.misc.cn_mplstoplabip", setter: fld_set}]}, - "cn_mul_dst_byt": {to:[{field: "rsa.misc.cn_mul_dst_byt", setter: fld_set}]}, - "cn_mul_dst_pks": {to:[{field: "rsa.misc.cn_mul_dst_pks", setter: fld_set}]}, - "cn_muligmptype": {to:[{field: "rsa.misc.cn_muligmptype", setter: fld_set}]}, - "cn_rpackets": {to:[{field: "rsa.web.cn_rpackets", setter: fld_set}]}, - "cn_sampalgo": {to:[{field: "rsa.misc.cn_sampalgo", setter: fld_set}]}, - "cn_sampint": {to:[{field: "rsa.misc.cn_sampint", setter: fld_set}]}, - "cn_seqctr": {to:[{field: "rsa.misc.cn_seqctr", setter: fld_set}]}, - "cn_spackets": {to:[{field: "rsa.misc.cn_spackets", setter: fld_set}]}, - "cn_src_tos": {to:[{field: 
"rsa.misc.cn_src_tos", setter: fld_set}]}, - "cn_src_vlan": {to:[{field: "rsa.misc.cn_src_vlan", setter: fld_set}]}, - "cn_sysuptime": {to:[{field: "rsa.misc.cn_sysuptime", setter: fld_set}]}, - "cn_template_id": {to:[{field: "rsa.misc.cn_template_id", setter: fld_set}]}, - "cn_totbytsexp": {to:[{field: "rsa.misc.cn_totbytsexp", setter: fld_set}]}, - "cn_totflowexp": {to:[{field: "rsa.misc.cn_totflowexp", setter: fld_set}]}, - "cn_totpcktsexp": {to:[{field: "rsa.misc.cn_totpcktsexp", setter: fld_set}]}, - "cn_unixnanosecs": {to:[{field: "rsa.misc.cn_unixnanosecs", setter: fld_set}]}, - "cn_v6flowlabel": {to:[{field: "rsa.misc.cn_v6flowlabel", setter: fld_set}]}, - "cn_v6optheaders": {to:[{field: "rsa.misc.cn_v6optheaders", setter: fld_set}]}, - "code": {to:[{field: "rsa.misc.code", setter: fld_set}]}, - "command": {to:[{field: "rsa.misc.command", setter: fld_set}]}, - "comments": {to:[{field: "rsa.misc.comments", setter: fld_set}]}, - "comp_class": {to:[{field: "rsa.misc.comp_class", setter: fld_set}]}, - "comp_name": {to:[{field: "rsa.misc.comp_name", setter: fld_set}]}, - "comp_rbytes": {to:[{field: "rsa.misc.comp_rbytes", setter: fld_set}]}, - "comp_sbytes": {to:[{field: "rsa.misc.comp_sbytes", setter: fld_set}]}, - "component_version": {to:[{field: "rsa.misc.comp_version", setter: fld_set}]}, - "connection_id": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 1}]}, - "connectionid": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 0}]}, - "content": {to:[{field: "rsa.misc.content", setter: fld_set}]}, - "content_type": {to:[{field: "rsa.misc.content_type", setter: fld_set}]}, - "content_version": {to:[{field: "rsa.misc.content_version", setter: fld_set}]}, - "context": {to:[{field: "rsa.misc.context", setter: fld_set}]}, - "count": {to:[{field: "rsa.misc.count", setter: fld_set}]}, - "cpu": {convert: to_long, to:[{field: "rsa.misc.cpu", setter: fld_set}]}, - "cpu_data": {to:[{field: "rsa.misc.cpu_data", setter: fld_set}]}, - 
"criticality": {to:[{field: "rsa.misc.criticality", setter: fld_set}]}, - "cs_agency_dst": {to:[{field: "rsa.misc.cs_agency_dst", setter: fld_set}]}, - "cs_analyzedby": {to:[{field: "rsa.misc.cs_analyzedby", setter: fld_set}]}, - "cs_av_other": {to:[{field: "rsa.misc.cs_av_other", setter: fld_set}]}, - "cs_av_primary": {to:[{field: "rsa.misc.cs_av_primary", setter: fld_set}]}, - "cs_av_secondary": {to:[{field: "rsa.misc.cs_av_secondary", setter: fld_set}]}, - "cs_bgpv6nxthop": {to:[{field: "rsa.misc.cs_bgpv6nxthop", setter: fld_set}]}, - "cs_bit9status": {to:[{field: "rsa.misc.cs_bit9status", setter: fld_set}]}, - "cs_context": {to:[{field: "rsa.misc.cs_context", setter: fld_set}]}, - "cs_control": {to:[{field: "rsa.misc.cs_control", setter: fld_set}]}, - "cs_data": {to:[{field: "rsa.misc.cs_data", setter: fld_set}]}, - "cs_datecret": {to:[{field: "rsa.misc.cs_datecret", setter: fld_set}]}, - "cs_dst_tld": {to:[{field: "rsa.misc.cs_dst_tld", setter: fld_set}]}, - "cs_eth_dst_ven": {to:[{field: "rsa.misc.cs_eth_dst_ven", setter: fld_set}]}, - "cs_eth_src_ven": {to:[{field: "rsa.misc.cs_eth_src_ven", setter: fld_set}]}, - "cs_event_uuid": {to:[{field: "rsa.misc.cs_event_uuid", setter: fld_set}]}, - "cs_filetype": {to:[{field: "rsa.misc.cs_filetype", setter: fld_set}]}, - "cs_fld": {to:[{field: "rsa.misc.cs_fld", setter: fld_set}]}, - "cs_if_desc": {to:[{field: "rsa.misc.cs_if_desc", setter: fld_set}]}, - "cs_if_name": {to:[{field: "rsa.misc.cs_if_name", setter: fld_set}]}, - "cs_ip_next_hop": {to:[{field: "rsa.misc.cs_ip_next_hop", setter: fld_set}]}, - "cs_ipv4dstpre": {to:[{field: "rsa.misc.cs_ipv4dstpre", setter: fld_set}]}, - "cs_ipv4srcpre": {to:[{field: "rsa.misc.cs_ipv4srcpre", setter: fld_set}]}, - "cs_lifetime": {to:[{field: "rsa.misc.cs_lifetime", setter: fld_set}]}, - "cs_log_medium": {to:[{field: "rsa.misc.cs_log_medium", setter: fld_set}]}, - "cs_loginname": {to:[{field: "rsa.misc.cs_loginname", setter: fld_set}]}, - "cs_modulescore": {to:[{field: 
"rsa.misc.cs_modulescore", setter: fld_set}]}, - "cs_modulesign": {to:[{field: "rsa.misc.cs_modulesign", setter: fld_set}]}, - "cs_opswatresult": {to:[{field: "rsa.misc.cs_opswatresult", setter: fld_set}]}, - "cs_payload": {to:[{field: "rsa.misc.cs_payload", setter: fld_set}]}, - "cs_registrant": {to:[{field: "rsa.misc.cs_registrant", setter: fld_set}]}, - "cs_registrar": {to:[{field: "rsa.misc.cs_registrar", setter: fld_set}]}, - "cs_represult": {to:[{field: "rsa.misc.cs_represult", setter: fld_set}]}, - "cs_rpayload": {to:[{field: "rsa.misc.cs_rpayload", setter: fld_set}]}, - "cs_sampler_name": {to:[{field: "rsa.misc.cs_sampler_name", setter: fld_set}]}, - "cs_sourcemodule": {to:[{field: "rsa.misc.cs_sourcemodule", setter: fld_set}]}, - "cs_streams": {to:[{field: "rsa.misc.cs_streams", setter: fld_set}]}, - "cs_targetmodule": {to:[{field: "rsa.misc.cs_targetmodule", setter: fld_set}]}, - "cs_v6nxthop": {to:[{field: "rsa.misc.cs_v6nxthop", setter: fld_set}]}, - "cs_whois_server": {to:[{field: "rsa.misc.cs_whois_server", setter: fld_set}]}, - "cs_yararesult": {to:[{field: "rsa.misc.cs_yararesult", setter: fld_set}]}, - "cve": {to:[{field: "rsa.misc.cve", setter: fld_set}]}, - "d_certauth": {to:[{field: "rsa.crypto.d_certauth", setter: fld_set}]}, - "d_cipher": {to:[{field: "rsa.crypto.cipher_dst", setter: fld_set}]}, - "d_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_dst", setter: fld_set}]}, - "d_sslver": {to:[{field: "rsa.crypto.ssl_ver_dst", setter: fld_set}]}, - "data": {to:[{field: "rsa.internal.data", setter: fld_set}]}, - "data_type": {to:[{field: "rsa.misc.data_type", setter: fld_set}]}, - "date": {to:[{field: "rsa.time.date", setter: fld_set}]}, - "datetime": {to:[{field: "rsa.time.datetime", setter: fld_set}]}, - "day": {to:[{field: "rsa.time.day", setter: fld_set}]}, - "db_id": {to:[{field: "rsa.db.db_id", setter: fld_set}]}, - "db_name": {to:[{field: "rsa.db.database", setter: fld_set}]}, - "db_pid": {convert: to_long, to:[{field: 
"rsa.db.db_pid", setter: fld_set}]}, - "dclass_counter1": {convert: to_long, to:[{field: "rsa.counters.dclass_c1", setter: fld_set}]}, - "dclass_counter1_string": {to:[{field: "rsa.counters.dclass_c1_str", setter: fld_set}]}, - "dclass_counter2": {convert: to_long, to:[{field: "rsa.counters.dclass_c2", setter: fld_set}]}, - "dclass_counter2_string": {to:[{field: "rsa.counters.dclass_c2_str", setter: fld_set}]}, - "dclass_counter3": {convert: to_long, to:[{field: "rsa.counters.dclass_c3", setter: fld_set}]}, - "dclass_counter3_string": {to:[{field: "rsa.counters.dclass_c3_str", setter: fld_set}]}, - "dclass_ratio1": {to:[{field: "rsa.counters.dclass_r1", setter: fld_set}]}, - "dclass_ratio1_string": {to:[{field: "rsa.counters.dclass_r1_str", setter: fld_set}]}, - "dclass_ratio2": {to:[{field: "rsa.counters.dclass_r2", setter: fld_set}]}, - "dclass_ratio2_string": {to:[{field: "rsa.counters.dclass_r2_str", setter: fld_set}]}, - "dclass_ratio3": {to:[{field: "rsa.counters.dclass_r3", setter: fld_set}]}, - "dclass_ratio3_string": {to:[{field: "rsa.counters.dclass_r3_str", setter: fld_set}]}, - "dead": {convert: to_long, to:[{field: "rsa.internal.dead", setter: fld_set}]}, - "description": {to:[{field: "rsa.misc.description", setter: fld_set}]}, - "detail": {to:[{field: "rsa.misc.event_desc", setter: fld_set}]}, - "device": {to:[{field: "rsa.misc.device_name", setter: fld_set}]}, - "device.class": {to:[{field: "rsa.internal.device_class", setter: fld_set}]}, - "device.group": {to:[{field: "rsa.internal.device_group", setter: fld_set}]}, - "device.host": {to:[{field: "rsa.internal.device_host", setter: fld_set}]}, - "device.ip": {convert: to_ip, to:[{field: "rsa.internal.device_ip", setter: fld_set}]}, - "device.ipv6": {convert: to_ip, to:[{field: "rsa.internal.device_ipv6", setter: fld_set}]}, - "device.type": {to:[{field: "rsa.internal.device_type", setter: fld_set}]}, - "device.type.id": {convert: to_long, to:[{field: "rsa.internal.device_type_id", setter: fld_set}]}, 
- "devicehostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "devvendor": {to:[{field: "rsa.misc.devvendor", setter: fld_set}]}, - "dhost": {to:[{field: "rsa.network.host_dst", setter: fld_set}]}, - "did": {to:[{field: "rsa.internal.did", setter: fld_set}]}, - "dinterface": {to:[{field: "rsa.network.dinterface", setter: fld_set}]}, - "directory.dst": {to:[{field: "rsa.file.directory_dst", setter: fld_set}]}, - "directory.src": {to:[{field: "rsa.file.directory_src", setter: fld_set}]}, - "disk_volume": {to:[{field: "rsa.storage.disk_volume", setter: fld_set}]}, - "disposition": {to:[{field: "rsa.misc.disposition", setter: fld_set}]}, - "distance": {to:[{field: "rsa.misc.distance", setter: fld_set}]}, - "dmask": {to:[{field: "rsa.network.dmask", setter: fld_set}]}, - "dn": {to:[{field: "rsa.identity.dn", setter: fld_set}]}, - "dns_a_record": {to:[{field: "rsa.network.dns_a_record", setter: fld_set}]}, - "dns_cname_record": {to:[{field: "rsa.network.dns_cname_record", setter: fld_set}]}, - "dns_id": {to:[{field: "rsa.network.dns_id", setter: fld_set}]}, - "dns_opcode": {to:[{field: "rsa.network.dns_opcode", setter: fld_set}]}, - "dns_ptr_record": {to:[{field: "rsa.network.dns_ptr_record", setter: fld_set}]}, - "dns_resp": {to:[{field: "rsa.network.dns_resp", setter: fld_set}]}, - "dns_type": {to:[{field: "rsa.network.dns_type", setter: fld_set}]}, - "doc_number": {convert: to_long, to:[{field: "rsa.misc.doc_number", setter: fld_set}]}, - "domain": {to:[{field: "rsa.network.domain", setter: fld_set}]}, - "domain1": {to:[{field: "rsa.network.domain1", setter: fld_set}]}, - "dst_dn": {to:[{field: "rsa.identity.dn_dst", setter: fld_set}]}, - "dst_payload": {to:[{field: "rsa.misc.payload_dst", setter: fld_set}]}, - "dst_spi": {to:[{field: "rsa.misc.spi_dst", setter: fld_set}]}, - "dst_zone": {to:[{field: "rsa.network.zone_dst", setter: fld_set}]}, - "dstburb": {to:[{field: "rsa.misc.dstburb", setter: fld_set}]}, - "duration": {convert: to_double, 
to:[{field: "rsa.time.duration_time", setter: fld_set}]}, - "duration_string": {to:[{field: "rsa.time.duration_str", setter: fld_set}]}, - "ec_activity": {to:[{field: "rsa.investigations.ec_activity", setter: fld_set}]}, - "ec_outcome": {to:[{field: "rsa.investigations.ec_outcome", setter: fld_set}]}, - "ec_subject": {to:[{field: "rsa.investigations.ec_subject", setter: fld_set}]}, - "ec_theme": {to:[{field: "rsa.investigations.ec_theme", setter: fld_set}]}, - "edomain": {to:[{field: "rsa.misc.edomain", setter: fld_set}]}, - "edomaub": {to:[{field: "rsa.misc.edomaub", setter: fld_set}]}, - "effective_time": {convert: to_date, to:[{field: "rsa.time.effective_time", setter: fld_set}]}, - "ein.number": {convert: to_long, to:[{field: "rsa.misc.ein_number", setter: fld_set}]}, - "email": {to:[{field: "rsa.email.email", setter: fld_append}]}, - "encryption_type": {to:[{field: "rsa.crypto.crypto", setter: fld_set}]}, - "endtime": {convert: to_date, to:[{field: "rsa.time.endtime", setter: fld_set}]}, - "entropy.req": {convert: to_long, to:[{field: "rsa.internal.entropy_req", setter: fld_set}]}, - "entropy.res": {convert: to_long, to:[{field: "rsa.internal.entropy_res", setter: fld_set}]}, - "entry": {to:[{field: "rsa.internal.entry", setter: fld_set}]}, - "eoc": {to:[{field: "rsa.investigations.eoc", setter: fld_set}]}, - "error": {to:[{field: "rsa.misc.error", setter: fld_set}]}, - "eth_type": {convert: to_long, to:[{field: "rsa.network.eth_type", setter: fld_set}]}, - "euid": {to:[{field: "rsa.misc.euid", setter: fld_set}]}, - "event.cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 1}]}, - "event.cat.name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 1}]}, - "event_cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 0}]}, - "event_cat_name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 0}]}, - "event_category": {to:[{field: 
"rsa.misc.event_category", setter: fld_set}]}, - "event_computer": {to:[{field: "rsa.misc.event_computer", setter: fld_set}]}, - "event_counter": {convert: to_long, to:[{field: "rsa.counters.event_counter", setter: fld_set}]}, - "event_description": {to:[{field: "rsa.internal.event_desc", setter: fld_set}]}, - "event_id": {to:[{field: "rsa.misc.event_id", setter: fld_set}]}, - "event_log": {to:[{field: "rsa.misc.event_log", setter: fld_set}]}, - "event_name": {to:[{field: "rsa.internal.event_name", setter: fld_set}]}, - "event_queue_time": {convert: to_date, to:[{field: "rsa.time.event_queue_time", setter: fld_set}]}, - "event_source": {to:[{field: "rsa.misc.event_source", setter: fld_set}]}, - "event_state": {to:[{field: "rsa.misc.event_state", setter: fld_set}]}, - "event_time": {convert: to_date, to:[{field: "rsa.time.event_time", setter: fld_set}]}, - "event_time_str": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 1}]}, - "event_time_string": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 0}]}, - "event_type": {to:[{field: "rsa.misc.event_type", setter: fld_set}]}, - "event_user": {to:[{field: "rsa.misc.event_user", setter: fld_set}]}, - "eventtime": {to:[{field: "rsa.time.eventtime", setter: fld_set}]}, - "expected_val": {to:[{field: "rsa.misc.expected_val", setter: fld_set}]}, - "expiration_time": {convert: to_date, to:[{field: "rsa.time.expire_time", setter: fld_set}]}, - "expiration_time_string": {to:[{field: "rsa.time.expire_time_str", setter: fld_set}]}, - "facility": {to:[{field: "rsa.misc.facility", setter: fld_set}]}, - "facilityname": {to:[{field: "rsa.misc.facilityname", setter: fld_set}]}, - "faddr": {to:[{field: "rsa.network.faddr", setter: fld_set}]}, - "fcatnum": {to:[{field: "rsa.misc.fcatnum", setter: fld_set}]}, - "federated_idp": {to:[{field: "rsa.identity.federated_idp", setter: fld_set}]}, - "federated_sp": {to:[{field: "rsa.identity.federated_sp", setter: fld_set}]}, - "feed.category": {to:[{field: 
"rsa.internal.feed_category", setter: fld_set}]}, - "feed_desc": {to:[{field: "rsa.internal.feed_desc", setter: fld_set}]}, - "feed_name": {to:[{field: "rsa.internal.feed_name", setter: fld_set}]}, - "fhost": {to:[{field: "rsa.network.fhost", setter: fld_set}]}, - "file_entropy": {convert: to_double, to:[{field: "rsa.file.file_entropy", setter: fld_set}]}, - "file_vendor": {to:[{field: "rsa.file.file_vendor", setter: fld_set}]}, - "filename_dst": {to:[{field: "rsa.file.filename_dst", setter: fld_set}]}, - "filename_src": {to:[{field: "rsa.file.filename_src", setter: fld_set}]}, - "filename_tmp": {to:[{field: "rsa.file.filename_tmp", setter: fld_set}]}, - "filesystem": {to:[{field: "rsa.file.filesystem", setter: fld_set}]}, - "filter": {to:[{field: "rsa.misc.filter", setter: fld_set}]}, - "finterface": {to:[{field: "rsa.misc.finterface", setter: fld_set}]}, - "flags": {to:[{field: "rsa.misc.flags", setter: fld_set}]}, - "forensic_info": {to:[{field: "rsa.misc.forensic_info", setter: fld_set}]}, - "forward.ip": {convert: to_ip, to:[{field: "rsa.internal.forward_ip", setter: fld_set}]}, - "forward.ipv6": {convert: to_ip, to:[{field: "rsa.internal.forward_ipv6", setter: fld_set}]}, - "found": {to:[{field: "rsa.misc.found", setter: fld_set}]}, - "fport": {to:[{field: "rsa.network.fport", setter: fld_set}]}, - "fqdn": {to:[{field: "rsa.web.fqdn", setter: fld_set}]}, - "fresult": {convert: to_long, to:[{field: "rsa.misc.fresult", setter: fld_set}]}, - "from": {to:[{field: "rsa.email.email_src", setter: fld_set}]}, - "gaddr": {to:[{field: "rsa.misc.gaddr", setter: fld_set}]}, - "gateway": {to:[{field: "rsa.network.gateway", setter: fld_set}]}, - "gmtdate": {to:[{field: "rsa.time.gmtdate", setter: fld_set}]}, - "gmttime": {to:[{field: "rsa.time.gmttime", setter: fld_set}]}, - "group": {to:[{field: "rsa.misc.group", setter: fld_set}]}, - "group_object": {to:[{field: "rsa.misc.group_object", setter: fld_set}]}, - "groupid": {to:[{field: "rsa.misc.group_id", setter: 
fld_set}]}, - "h_code": {to:[{field: "rsa.internal.hcode", setter: fld_set}]}, - "hardware_id": {to:[{field: "rsa.misc.hardware_id", setter: fld_set}]}, - "header.id": {to:[{field: "rsa.internal.header_id", setter: fld_set}]}, - "host.orig": {to:[{field: "rsa.network.host_orig", setter: fld_set}]}, - "host.state": {to:[{field: "rsa.endpoint.host_state", setter: fld_set}]}, - "host.type": {to:[{field: "rsa.network.host_type", setter: fld_set}]}, - "host_role": {to:[{field: "rsa.identity.host_role", setter: fld_set}]}, - "hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "hostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "hour": {to:[{field: "rsa.time.hour", setter: fld_set}]}, - "https.insact": {to:[{field: "rsa.crypto.https_insact", setter: fld_set}]}, - "https.valid": {to:[{field: "rsa.crypto.https_valid", setter: fld_set}]}, - "icmpcode": {convert: to_long, to:[{field: "rsa.network.icmp_code", setter: fld_set}]}, - "icmptype": {convert: to_long, to:[{field: "rsa.network.icmp_type", setter: fld_set}]}, - "id": {to:[{field: "rsa.misc.reference_id", setter: fld_set}]}, - "id1": {to:[{field: "rsa.misc.reference_id1", setter: fld_set}]}, - "id2": {to:[{field: "rsa.misc.reference_id2", setter: fld_set}]}, - "id3": {to:[{field: "rsa.misc.id3", setter: fld_set}]}, - "ike": {to:[{field: "rsa.crypto.ike", setter: fld_set}]}, - "ike_cookie1": {to:[{field: "rsa.crypto.ike_cookie1", setter: fld_set}]}, - "ike_cookie2": {to:[{field: "rsa.crypto.ike_cookie2", setter: fld_set}]}, - "im_buddyid": {to:[{field: "rsa.misc.im_buddyid", setter: fld_set}]}, - "im_buddyname": {to:[{field: "rsa.misc.im_buddyname", setter: fld_set}]}, - "im_client": {to:[{field: "rsa.misc.im_client", setter: fld_set}]}, - "im_croomid": {to:[{field: "rsa.misc.im_croomid", setter: fld_set}]}, - "im_croomtype": {to:[{field: "rsa.misc.im_croomtype", setter: fld_set}]}, - "im_members": {to:[{field: "rsa.misc.im_members", setter: fld_set}]}, - "im_userid": 
{to:[{field: "rsa.misc.im_userid", setter: fld_set}]}, - "im_username": {to:[{field: "rsa.misc.im_username", setter: fld_set}]}, - "index": {to:[{field: "rsa.misc.index", setter: fld_set}]}, - "info": {to:[{field: "rsa.db.index", setter: fld_set}]}, - "inode": {convert: to_long, to:[{field: "rsa.internal.inode", setter: fld_set}]}, - "inout": {to:[{field: "rsa.misc.inout", setter: fld_set}]}, - "instance": {to:[{field: "rsa.db.instance", setter: fld_set}]}, - "interface": {to:[{field: "rsa.network.interface", setter: fld_set}]}, - "inv.category": {to:[{field: "rsa.investigations.inv_category", setter: fld_set}]}, - "inv.context": {to:[{field: "rsa.investigations.inv_context", setter: fld_set}]}, - "ioc": {to:[{field: "rsa.investigations.ioc", setter: fld_set}]}, - "ip_proto": {convert: to_long, to:[{field: "rsa.network.ip_proto", setter: fld_set}]}, - "ipkt": {to:[{field: "rsa.misc.ipkt", setter: fld_set}]}, - "ipscat": {to:[{field: "rsa.misc.ipscat", setter: fld_set}]}, - "ipspri": {to:[{field: "rsa.misc.ipspri", setter: fld_set}]}, - "jobname": {to:[{field: "rsa.misc.jobname", setter: fld_set}]}, - "jobnum": {to:[{field: "rsa.misc.job_num", setter: fld_set}]}, - "laddr": {to:[{field: "rsa.network.laddr", setter: fld_set}]}, - "language": {to:[{field: "rsa.misc.language", setter: fld_set}]}, - "latitude": {to:[{field: "rsa.misc.latitude", setter: fld_set}]}, - "lc.cid": {to:[{field: "rsa.internal.lc_cid", setter: fld_set}]}, - "lc.ctime": {convert: to_date, to:[{field: "rsa.internal.lc_ctime", setter: fld_set}]}, - "ldap": {to:[{field: "rsa.identity.ldap", setter: fld_set}]}, - "ldap.query": {to:[{field: "rsa.identity.ldap_query", setter: fld_set}]}, - "ldap.response": {to:[{field: "rsa.identity.ldap_response", setter: fld_set}]}, - "level": {convert: to_long, to:[{field: "rsa.internal.level", setter: fld_set}]}, - "lhost": {to:[{field: "rsa.network.lhost", setter: fld_set}]}, - "library": {to:[{field: "rsa.misc.library", setter: fld_set}]}, - "lifetime": 
{convert: to_long, to:[{field: "rsa.misc.lifetime", setter: fld_set}]}, - "linenum": {to:[{field: "rsa.misc.linenum", setter: fld_set}]}, - "link": {to:[{field: "rsa.misc.link", setter: fld_set}]}, - "linterface": {to:[{field: "rsa.network.linterface", setter: fld_set}]}, - "list_name": {to:[{field: "rsa.misc.list_name", setter: fld_set}]}, - "listnum": {to:[{field: "rsa.misc.listnum", setter: fld_set}]}, - "load_data": {to:[{field: "rsa.misc.load_data", setter: fld_set}]}, - "location_floor": {to:[{field: "rsa.misc.location_floor", setter: fld_set}]}, - "location_mark": {to:[{field: "rsa.misc.location_mark", setter: fld_set}]}, - "log_id": {to:[{field: "rsa.misc.log_id", setter: fld_set}]}, - "log_type": {to:[{field: "rsa.misc.log_type", setter: fld_set}]}, - "logid": {to:[{field: "rsa.misc.logid", setter: fld_set}]}, - "logip": {to:[{field: "rsa.misc.logip", setter: fld_set}]}, - "logname": {to:[{field: "rsa.misc.logname", setter: fld_set}]}, - "logon_type": {to:[{field: "rsa.identity.logon_type", setter: fld_set}]}, - "logon_type_desc": {to:[{field: "rsa.identity.logon_type_desc", setter: fld_set}]}, - "longitude": {to:[{field: "rsa.misc.longitude", setter: fld_set}]}, - "lport": {to:[{field: "rsa.misc.lport", setter: fld_set}]}, - "lread": {convert: to_long, to:[{field: "rsa.db.lread", setter: fld_set}]}, - "lun": {to:[{field: "rsa.storage.lun", setter: fld_set}]}, - "lwrite": {convert: to_long, to:[{field: "rsa.db.lwrite", setter: fld_set}]}, - "macaddr": {convert: to_mac, to:[{field: "rsa.network.eth_host", setter: fld_set}]}, - "mail_id": {to:[{field: "rsa.misc.mail_id", setter: fld_set}]}, - "mask": {to:[{field: "rsa.network.mask", setter: fld_set}]}, - "match": {to:[{field: "rsa.misc.match", setter: fld_set}]}, - "mbug_data": {to:[{field: "rsa.misc.mbug_data", setter: fld_set}]}, - "mcb.req": {convert: to_long, to:[{field: "rsa.internal.mcb_req", setter: fld_set}]}, - "mcb.res": {convert: to_long, to:[{field: "rsa.internal.mcb_res", setter: fld_set}]}, - 
"mcbc.req": {convert: to_long, to:[{field: "rsa.internal.mcbc_req", setter: fld_set}]}, - "mcbc.res": {convert: to_long, to:[{field: "rsa.internal.mcbc_res", setter: fld_set}]}, - "medium": {convert: to_long, to:[{field: "rsa.internal.medium", setter: fld_set}]}, - "message": {to:[{field: "rsa.internal.message", setter: fld_set}]}, - "message_body": {to:[{field: "rsa.misc.message_body", setter: fld_set}]}, - "messageid": {to:[{field: "rsa.internal.messageid", setter: fld_set}]}, - "min": {to:[{field: "rsa.time.min", setter: fld_set}]}, - "misc": {to:[{field: "rsa.misc.misc", setter: fld_set}]}, - "misc_name": {to:[{field: "rsa.misc.misc_name", setter: fld_set}]}, - "mode": {to:[{field: "rsa.misc.mode", setter: fld_set}]}, - "month": {to:[{field: "rsa.time.month", setter: fld_set}]}, - "msg": {to:[{field: "rsa.internal.msg", setter: fld_set}]}, - "msgIdPart1": {to:[{field: "rsa.misc.msgIdPart1", setter: fld_set}]}, - "msgIdPart2": {to:[{field: "rsa.misc.msgIdPart2", setter: fld_set}]}, - "msgIdPart3": {to:[{field: "rsa.misc.msgIdPart3", setter: fld_set}]}, - "msgIdPart4": {to:[{field: "rsa.misc.msgIdPart4", setter: fld_set}]}, - "msg_id": {to:[{field: "rsa.internal.msg_id", setter: fld_set}]}, - "msg_type": {to:[{field: "rsa.misc.msg_type", setter: fld_set}]}, - "msgid": {to:[{field: "rsa.misc.msgid", setter: fld_set}]}, - "name": {to:[{field: "rsa.misc.name", setter: fld_set}]}, - "netname": {to:[{field: "rsa.network.netname", setter: fld_set}]}, - "netsessid": {to:[{field: "rsa.misc.netsessid", setter: fld_set}]}, - "network_port": {convert: to_long, to:[{field: "rsa.network.network_port", setter: fld_set}]}, - "network_service": {to:[{field: "rsa.network.network_service", setter: fld_set}]}, - "node": {to:[{field: "rsa.misc.node", setter: fld_set}]}, - "nodename": {to:[{field: "rsa.internal.node_name", setter: fld_set}]}, - "ntype": {to:[{field: "rsa.misc.ntype", setter: fld_set}]}, - "num": {to:[{field: "rsa.misc.num", setter: fld_set}]}, - "number": 
{to:[{field: "rsa.misc.number", setter: fld_set}]}, - "number1": {to:[{field: "rsa.misc.number1", setter: fld_set}]}, - "number2": {to:[{field: "rsa.misc.number2", setter: fld_set}]}, - "nwe.callback_id": {to:[{field: "rsa.internal.nwe_callback_id", setter: fld_set}]}, - "nwwn": {to:[{field: "rsa.misc.nwwn", setter: fld_set}]}, - "obj_id": {to:[{field: "rsa.internal.obj_id", setter: fld_set}]}, - "obj_name": {to:[{field: "rsa.misc.obj_name", setter: fld_set}]}, - "obj_server": {to:[{field: "rsa.internal.obj_server", setter: fld_set}]}, - "obj_type": {to:[{field: "rsa.misc.obj_type", setter: fld_set}]}, - "obj_value": {to:[{field: "rsa.internal.obj_val", setter: fld_set}]}, - "object": {to:[{field: "rsa.misc.object", setter: fld_set}]}, - "observed_val": {to:[{field: "rsa.misc.observed_val", setter: fld_set}]}, - "operation": {to:[{field: "rsa.misc.operation", setter: fld_set}]}, - "operation_id": {to:[{field: "rsa.misc.operation_id", setter: fld_set}]}, - "opkt": {to:[{field: "rsa.misc.opkt", setter: fld_set}]}, - "org.dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 1}]}, - "org.src": {to:[{field: "rsa.physical.org_src", setter: fld_set}]}, - "org_dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 0}]}, - "orig_from": {to:[{field: "rsa.misc.orig_from", setter: fld_set}]}, - "origin": {to:[{field: "rsa.network.origin", setter: fld_set}]}, - "original_owner": {to:[{field: "rsa.identity.owner", setter: fld_set}]}, - "os": {to:[{field: "rsa.misc.OS", setter: fld_set}]}, - "owner_id": {to:[{field: "rsa.misc.owner_id", setter: fld_set}]}, - "p_action": {to:[{field: "rsa.misc.p_action", setter: fld_set}]}, - "p_date": {to:[{field: "rsa.time.p_date", setter: fld_set}]}, - "p_filter": {to:[{field: "rsa.misc.p_filter", setter: fld_set}]}, - "p_group_object": {to:[{field: "rsa.misc.p_group_object", setter: fld_set}]}, - "p_id": {to:[{field: "rsa.misc.p_id", setter: fld_set}]}, - "p_month": {to:[{field: "rsa.time.p_month", setter: fld_set}]}, 
- "p_msgid": {to:[{field: "rsa.misc.p_msgid", setter: fld_set}]}, - "p_msgid1": {to:[{field: "rsa.misc.p_msgid1", setter: fld_set}]}, - "p_msgid2": {to:[{field: "rsa.misc.p_msgid2", setter: fld_set}]}, - "p_result1": {to:[{field: "rsa.misc.p_result1", setter: fld_set}]}, - "p_time": {to:[{field: "rsa.time.p_time", setter: fld_set}]}, - "p_time1": {to:[{field: "rsa.time.p_time1", setter: fld_set}]}, - "p_time2": {to:[{field: "rsa.time.p_time2", setter: fld_set}]}, - "p_url": {to:[{field: "rsa.web.p_url", setter: fld_set}]}, - "p_user_agent": {to:[{field: "rsa.web.p_user_agent", setter: fld_set}]}, - "p_web_cookie": {to:[{field: "rsa.web.p_web_cookie", setter: fld_set}]}, - "p_web_method": {to:[{field: "rsa.web.p_web_method", setter: fld_set}]}, - "p_web_referer": {to:[{field: "rsa.web.p_web_referer", setter: fld_set}]}, - "p_year": {to:[{field: "rsa.time.p_year", setter: fld_set}]}, - "packet_length": {to:[{field: "rsa.network.packet_length", setter: fld_set}]}, - "paddr": {convert: to_ip, to:[{field: "rsa.network.paddr", setter: fld_set}]}, - "param": {to:[{field: "rsa.misc.param", setter: fld_set}]}, - "param.dst": {to:[{field: "rsa.misc.param_dst", setter: fld_set}]}, - "param.src": {to:[{field: "rsa.misc.param_src", setter: fld_set}]}, - "parent_node": {to:[{field: "rsa.misc.parent_node", setter: fld_set}]}, - "parse.error": {to:[{field: "rsa.internal.parse_error", setter: fld_set}]}, - "password": {to:[{field: "rsa.identity.password", setter: fld_set}]}, - "password_chg": {to:[{field: "rsa.misc.password_chg", setter: fld_set}]}, - "password_expire": {to:[{field: "rsa.misc.password_expire", setter: fld_set}]}, - "patient_fname": {to:[{field: "rsa.healthcare.patient_fname", setter: fld_set}]}, - "patient_id": {to:[{field: "rsa.healthcare.patient_id", setter: fld_set}]}, - "patient_lname": {to:[{field: "rsa.healthcare.patient_lname", setter: fld_set}]}, - "patient_mname": {to:[{field: "rsa.healthcare.patient_mname", setter: fld_set}]}, - "payload.req": {convert: 
to_long, to:[{field: "rsa.internal.payload_req", setter: fld_set}]}, - "payload.res": {convert: to_long, to:[{field: "rsa.internal.payload_res", setter: fld_set}]}, - "peer": {to:[{field: "rsa.crypto.peer", setter: fld_set}]}, - "peer_id": {to:[{field: "rsa.crypto.peer_id", setter: fld_set}]}, - "permgranted": {to:[{field: "rsa.misc.permgranted", setter: fld_set}]}, - "permissions": {to:[{field: "rsa.db.permissions", setter: fld_set}]}, - "permwanted": {to:[{field: "rsa.misc.permwanted", setter: fld_set}]}, - "pgid": {to:[{field: "rsa.misc.pgid", setter: fld_set}]}, - "phone_number": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 2}]}, - "phost": {to:[{field: "rsa.network.phost", setter: fld_set}]}, - "pid": {to:[{field: "rsa.misc.pid", setter: fld_set}]}, - "policy": {to:[{field: "rsa.misc.policy", setter: fld_set}]}, - "policyUUID": {to:[{field: "rsa.misc.policyUUID", setter: fld_set}]}, - "policy_id": {to:[{field: "rsa.misc.policy_id", setter: fld_set}]}, - "policy_value": {to:[{field: "rsa.misc.policy_value", setter: fld_set}]}, - "policy_waiver": {to:[{field: "rsa.misc.policy_waiver", setter: fld_set}]}, - "policyname": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 0}]}, - "pool_id": {to:[{field: "rsa.misc.pool_id", setter: fld_set}]}, - "pool_name": {to:[{field: "rsa.misc.pool_name", setter: fld_set}]}, - "port": {convert: to_long, to:[{field: "rsa.network.port", setter: fld_set}]}, - "portname": {to:[{field: "rsa.misc.port_name", setter: fld_set}]}, - "pread": {convert: to_long, to:[{field: "rsa.db.pread", setter: fld_set}]}, - "priority": {to:[{field: "rsa.misc.priority", setter: fld_set}]}, - "privilege": {to:[{field: "rsa.file.privilege", setter: fld_set}]}, - "process.vid.dst": {to:[{field: "rsa.internal.process_vid_dst", setter: fld_set}]}, - "process.vid.src": {to:[{field: "rsa.internal.process_vid_src", setter: fld_set}]}, - "process_id_val": {to:[{field: "rsa.misc.process_id_val", setter: fld_set}]}, - "processing_time": 
{to:[{field: "rsa.time.process_time", setter: fld_set}]}, - "profile": {to:[{field: "rsa.identity.profile", setter: fld_set}]}, - "prog_asp_num": {to:[{field: "rsa.misc.prog_asp_num", setter: fld_set}]}, - "program": {to:[{field: "rsa.misc.program", setter: fld_set}]}, - "protocol_detail": {to:[{field: "rsa.network.protocol_detail", setter: fld_set}]}, - "pwwn": {to:[{field: "rsa.storage.pwwn", setter: fld_set}]}, - "r_hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "real_data": {to:[{field: "rsa.misc.real_data", setter: fld_set}]}, - "realm": {to:[{field: "rsa.identity.realm", setter: fld_set}]}, - "reason": {to:[{field: "rsa.misc.reason", setter: fld_set}]}, - "rec_asp_device": {to:[{field: "rsa.misc.rec_asp_device", setter: fld_set}]}, - "rec_asp_num": {to:[{field: "rsa.misc.rec_asp_num", setter: fld_set}]}, - "rec_library": {to:[{field: "rsa.misc.rec_library", setter: fld_set}]}, - "recorded_time": {convert: to_date, to:[{field: "rsa.time.recorded_time", setter: fld_set}]}, - "recordnum": {to:[{field: "rsa.misc.recordnum", setter: fld_set}]}, - "registry.key": {to:[{field: "rsa.endpoint.registry_key", setter: fld_set}]}, - "registry.value": {to:[{field: "rsa.endpoint.registry_value", setter: fld_set}]}, - "remote_domain": {to:[{field: "rsa.web.remote_domain", setter: fld_set}]}, - "remote_domain_id": {to:[{field: "rsa.network.remote_domain_id", setter: fld_set}]}, - "reputation_num": {convert: to_double, to:[{field: "rsa.web.reputation_num", setter: fld_set}]}, - "resource": {to:[{field: "rsa.internal.resource", setter: fld_set}]}, - "resource_class": {to:[{field: "rsa.internal.resource_class", setter: fld_set}]}, - "result": {to:[{field: "rsa.misc.result", setter: fld_set}]}, - "result_code": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 1}]}, - "resultcode": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 0}]}, - "rid": {convert: to_long, to:[{field: "rsa.internal.rid", setter: fld_set}]}, - "risk": 
{to:[{field: "rsa.misc.risk", setter: fld_set}]}, - "risk_info": {to:[{field: "rsa.misc.risk_info", setter: fld_set}]}, - "risk_num": {convert: to_double, to:[{field: "rsa.misc.risk_num", setter: fld_set}]}, - "risk_num_comm": {convert: to_double, to:[{field: "rsa.misc.risk_num_comm", setter: fld_set}]}, - "risk_num_next": {convert: to_double, to:[{field: "rsa.misc.risk_num_next", setter: fld_set}]}, - "risk_num_sand": {convert: to_double, to:[{field: "rsa.misc.risk_num_sand", setter: fld_set}]}, - "risk_num_static": {convert: to_double, to:[{field: "rsa.misc.risk_num_static", setter: fld_set}]}, - "risk_suspicious": {to:[{field: "rsa.misc.risk_suspicious", setter: fld_set}]}, - "risk_warning": {to:[{field: "rsa.misc.risk_warning", setter: fld_set}]}, - "rpayload": {to:[{field: "rsa.network.rpayload", setter: fld_set}]}, - "ruid": {to:[{field: "rsa.misc.ruid", setter: fld_set}]}, - "rule": {to:[{field: "rsa.misc.rule", setter: fld_set}]}, - "rule_group": {to:[{field: "rsa.misc.rule_group", setter: fld_set}]}, - "rule_template": {to:[{field: "rsa.misc.rule_template", setter: fld_set}]}, - "rule_uid": {to:[{field: "rsa.misc.rule_uid", setter: fld_set}]}, - "rulename": {to:[{field: "rsa.misc.rule_name", setter: fld_set}]}, - "s_certauth": {to:[{field: "rsa.crypto.s_certauth", setter: fld_set}]}, - "s_cipher": {to:[{field: "rsa.crypto.cipher_src", setter: fld_set}]}, - "s_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_src", setter: fld_set}]}, - "s_context": {to:[{field: "rsa.misc.context_subject", setter: fld_set}]}, - "s_sslver": {to:[{field: "rsa.crypto.ssl_ver_src", setter: fld_set}]}, - "sburb": {to:[{field: "rsa.misc.sburb", setter: fld_set}]}, - "scheme": {to:[{field: "rsa.crypto.scheme", setter: fld_set}]}, - "sdomain_fld": {to:[{field: "rsa.misc.sdomain_fld", setter: fld_set}]}, - "search.text": {to:[{field: "rsa.misc.search_text", setter: fld_set}]}, - "sec": {to:[{field: "rsa.misc.sec", setter: fld_set}]}, - "second": {to:[{field: 
"rsa.misc.second", setter: fld_set}]}, - "sensor": {to:[{field: "rsa.misc.sensor", setter: fld_set}]}, - "sensorname": {to:[{field: "rsa.misc.sensorname", setter: fld_set}]}, - "seqnum": {to:[{field: "rsa.misc.seqnum", setter: fld_set}]}, - "serial_number": {to:[{field: "rsa.misc.serial_number", setter: fld_set}]}, - "service.account": {to:[{field: "rsa.identity.service_account", setter: fld_set}]}, - "session": {to:[{field: "rsa.misc.session", setter: fld_set}]}, - "session.split": {to:[{field: "rsa.internal.session_split", setter: fld_set}]}, - "sessionid": {to:[{field: "rsa.misc.log_session_id", setter: fld_set}]}, - "sessionid1": {to:[{field: "rsa.misc.log_session_id1", setter: fld_set}]}, - "sessiontype": {to:[{field: "rsa.misc.sessiontype", setter: fld_set}]}, - "severity": {to:[{field: "rsa.misc.severity", setter: fld_set}]}, - "sid": {to:[{field: "rsa.identity.user_sid_dst", setter: fld_set}]}, - "sig.name": {to:[{field: "rsa.misc.sig_name", setter: fld_set}]}, - "sigUUID": {to:[{field: "rsa.misc.sigUUID", setter: fld_set}]}, - "sigcat": {to:[{field: "rsa.misc.sigcat", setter: fld_set}]}, - "sigid": {convert: to_long, to:[{field: "rsa.misc.sig_id", setter: fld_set}]}, - "sigid1": {convert: to_long, to:[{field: "rsa.misc.sig_id1", setter: fld_set}]}, - "sigid_string": {to:[{field: "rsa.misc.sig_id_str", setter: fld_set}]}, - "signame": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 1}]}, - "sigtype": {to:[{field: "rsa.crypto.sig_type", setter: fld_set}]}, - "sinterface": {to:[{field: "rsa.network.sinterface", setter: fld_set}]}, - "site": {to:[{field: "rsa.internal.site", setter: fld_set}]}, - "size": {convert: to_long, to:[{field: "rsa.internal.size", setter: fld_set}]}, - "smask": {to:[{field: "rsa.network.smask", setter: fld_set}]}, - "snmp.oid": {to:[{field: "rsa.misc.snmp_oid", setter: fld_set}]}, - "snmp.value": {to:[{field: "rsa.misc.snmp_value", setter: fld_set}]}, - "sourcefile": {to:[{field: "rsa.internal.sourcefile", setter: 
fld_set}]}, - "space": {to:[{field: "rsa.misc.space", setter: fld_set}]}, - "space1": {to:[{field: "rsa.misc.space1", setter: fld_set}]}, - "spi": {to:[{field: "rsa.misc.spi", setter: fld_set}]}, - "sql": {to:[{field: "rsa.misc.sql", setter: fld_set}]}, - "src_dn": {to:[{field: "rsa.identity.dn_src", setter: fld_set}]}, - "src_payload": {to:[{field: "rsa.misc.payload_src", setter: fld_set}]}, - "src_spi": {to:[{field: "rsa.misc.spi_src", setter: fld_set}]}, - "src_zone": {to:[{field: "rsa.network.zone_src", setter: fld_set}]}, - "srcburb": {to:[{field: "rsa.misc.srcburb", setter: fld_set}]}, - "srcdom": {to:[{field: "rsa.misc.srcdom", setter: fld_set}]}, - "srcservice": {to:[{field: "rsa.misc.srcservice", setter: fld_set}]}, - "ssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 0}]}, - "stamp": {convert: to_date, to:[{field: "rsa.time.stamp", setter: fld_set}]}, - "starttime": {convert: to_date, to:[{field: "rsa.time.starttime", setter: fld_set}]}, - "state": {to:[{field: "rsa.misc.state", setter: fld_set}]}, - "statement": {to:[{field: "rsa.internal.statement", setter: fld_set}]}, - "status": {to:[{field: "rsa.misc.status", setter: fld_set}]}, - "status1": {to:[{field: "rsa.misc.status1", setter: fld_set}]}, - "streams": {convert: to_long, to:[{field: "rsa.misc.streams", setter: fld_set}]}, - "subcategory": {to:[{field: "rsa.misc.subcategory", setter: fld_set}]}, - "subject": {to:[{field: "rsa.email.subject", setter: fld_set}]}, - "svcno": {to:[{field: "rsa.misc.svcno", setter: fld_set}]}, - "system": {to:[{field: "rsa.misc.system", setter: fld_set}]}, - "t_context": {to:[{field: "rsa.misc.context_target", setter: fld_set}]}, - "task_name": {to:[{field: "rsa.file.task_name", setter: fld_set}]}, - "tbdstr1": {to:[{field: "rsa.misc.tbdstr1", setter: fld_set}]}, - "tbdstr2": {to:[{field: "rsa.misc.tbdstr2", setter: fld_set}]}, - "tbl_name": {to:[{field: "rsa.db.table_name", setter: fld_set}]}, - "tcp_flags": {convert: to_long, to:[{field: 
"rsa.misc.tcp_flags", setter: fld_set}]}, - "terminal": {to:[{field: "rsa.misc.terminal", setter: fld_set}]}, - "tgtdom": {to:[{field: "rsa.misc.tgtdom", setter: fld_set}]}, - "tgtdomain": {to:[{field: "rsa.misc.tgtdomain", setter: fld_set}]}, - "threat_name": {to:[{field: "rsa.threat.threat_category", setter: fld_set}]}, - "threat_source": {to:[{field: "rsa.threat.threat_source", setter: fld_set}]}, - "threat_val": {to:[{field: "rsa.threat.threat_desc", setter: fld_set}]}, - "threshold": {to:[{field: "rsa.misc.threshold", setter: fld_set}]}, - "time": {convert: to_date, to:[{field: "rsa.internal.time", setter: fld_set}]}, - "timestamp": {to:[{field: "rsa.time.timestamp", setter: fld_set}]}, - "timezone": {to:[{field: "rsa.time.timezone", setter: fld_set}]}, - "to": {to:[{field: "rsa.email.email_dst", setter: fld_set}]}, - "tos": {convert: to_long, to:[{field: "rsa.misc.tos", setter: fld_set}]}, - "trans_from": {to:[{field: "rsa.email.trans_from", setter: fld_set}]}, - "trans_id": {to:[{field: "rsa.db.transact_id", setter: fld_set}]}, - "trans_to": {to:[{field: "rsa.email.trans_to", setter: fld_set}]}, - "trigger_desc": {to:[{field: "rsa.misc.trigger_desc", setter: fld_set}]}, - "trigger_val": {to:[{field: "rsa.misc.trigger_val", setter: fld_set}]}, - "type": {to:[{field: "rsa.misc.type", setter: fld_set}]}, - "type1": {to:[{field: "rsa.misc.type1", setter: fld_set}]}, - "tzone": {to:[{field: "rsa.time.tzone", setter: fld_set}]}, - "ubc.req": {convert: to_long, to:[{field: "rsa.internal.ubc_req", setter: fld_set}]}, - "ubc.res": {convert: to_long, to:[{field: "rsa.internal.ubc_res", setter: fld_set}]}, - "udb_class": {to:[{field: "rsa.misc.udb_class", setter: fld_set}]}, - "url_fld": {to:[{field: "rsa.misc.url_fld", setter: fld_set}]}, - "urlpage": {to:[{field: "rsa.web.urlpage", setter: fld_set}]}, - "urlroot": {to:[{field: "rsa.web.urlroot", setter: fld_set}]}, - "user_address": {to:[{field: "rsa.email.email", setter: fld_append}]}, - "user_dept": {to:[{field: 
"rsa.identity.user_dept", setter: fld_set}]}, - "user_div": {to:[{field: "rsa.misc.user_div", setter: fld_set}]}, - "user_fname": {to:[{field: "rsa.identity.firstname", setter: fld_set}]}, - "user_lname": {to:[{field: "rsa.identity.lastname", setter: fld_set}]}, - "user_mname": {to:[{field: "rsa.identity.middlename", setter: fld_set}]}, - "user_org": {to:[{field: "rsa.identity.org", setter: fld_set}]}, - "user_role": {to:[{field: "rsa.identity.user_role", setter: fld_set}]}, - "userid": {to:[{field: "rsa.misc.userid", setter: fld_set}]}, - "username_fld": {to:[{field: "rsa.misc.username_fld", setter: fld_set}]}, - "utcstamp": {to:[{field: "rsa.misc.utcstamp", setter: fld_set}]}, - "v_instafname": {to:[{field: "rsa.misc.v_instafname", setter: fld_set}]}, - "vendor_event_cat": {to:[{field: "rsa.investigations.event_vcat", setter: fld_set}]}, - "version": {to:[{field: "rsa.misc.version", setter: fld_set}]}, - "vid": {to:[{field: "rsa.internal.msg_vid", setter: fld_set}]}, - "virt_data": {to:[{field: "rsa.misc.virt_data", setter: fld_set}]}, - "virusname": {to:[{field: "rsa.misc.virusname", setter: fld_set}]}, - "vlan": {convert: to_long, to:[{field: "rsa.network.vlan", setter: fld_set}]}, - "vlan.name": {to:[{field: "rsa.network.vlan_name", setter: fld_set}]}, - "vm_target": {to:[{field: "rsa.misc.vm_target", setter: fld_set}]}, - "vpnid": {to:[{field: "rsa.misc.vpnid", setter: fld_set}]}, - "vsys": {to:[{field: "rsa.misc.vsys", setter: fld_set}]}, - "vuln_ref": {to:[{field: "rsa.misc.vuln_ref", setter: fld_set}]}, - "web_cookie": {to:[{field: "rsa.web.web_cookie", setter: fld_set}]}, - "web_extension_tmp": {to:[{field: "rsa.web.web_extension_tmp", setter: fld_set}]}, - "web_host": {to:[{field: "rsa.web.alias_host", setter: fld_set}]}, - "web_method": {to:[{field: "rsa.misc.action", setter: fld_append}]}, - "web_page": {to:[{field: "rsa.web.web_page", setter: fld_set}]}, - "web_ref_domain": {to:[{field: "rsa.web.web_ref_domain", setter: fld_set}]}, - "web_ref_host": 
{to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "web_ref_page": {to:[{field: "rsa.web.web_ref_page", setter: fld_set}]}, - "web_ref_query": {to:[{field: "rsa.web.web_ref_query", setter: fld_set}]}, - "web_ref_root": {to:[{field: "rsa.web.web_ref_root", setter: fld_set}]}, - "wifi_channel": {convert: to_long, to:[{field: "rsa.wireless.wlan_channel", setter: fld_set}]}, - "wlan": {to:[{field: "rsa.wireless.wlan_name", setter: fld_set}]}, - "word": {to:[{field: "rsa.internal.word", setter: fld_set}]}, - "workspace_desc": {to:[{field: "rsa.misc.workspace", setter: fld_set}]}, - "workstation": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "year": {to:[{field: "rsa.time.year", setter: fld_set}]}, - "zone": {to:[{field: "rsa.network.zone", setter: fld_set}]}, - }; - - function to_date(value) { - switch (typeof (value)) { - case "object": - // This is a Date. But as it was obtained from evt.Get(), the VM - // doesn't see it as a JS Date anymore, thus value instanceof Date === false. - // Have to trust that any object here is a valid Date for Go. - return value; - case "string": - var asDate = new Date(value); - if (!isNaN(asDate)) return asDate; - } - } - - // ECMAScript 5.1 doesn't have Object.MAX_SAFE_INTEGER / Object.MIN_SAFE_INTEGER. - var maxSafeInt = Math.pow(2, 53) - 1; - var minSafeInt = -maxSafeInt; - - function to_long(value) { - var num = parseInt(value); - // Better not to index a number if it's not safe (above 53 bits). - return !isNaN(num) && minSafeInt <= num && num <= maxSafeInt ? 
num : undefined; - } - - function to_ip(value) { - if (value.indexOf(":") === -1) - return to_ipv4(value); - return to_ipv6(value); - } - - var ipv4_regex = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/; - var ipv6_hex_regex = /^[0-9A-Fa-f]{1,4}$/; - - function to_ipv4(value) { - var result = ipv4_regex.exec(value); - if (result == null || result.length !== 5) return; - for (var i = 1; i < 5; i++) { - var num = strictToInt(result[i]); - if (isNaN(num) || num < 0 || num > 255) return; - } - return value; - } - - function to_ipv6(value) { - var sqEnd = value.indexOf("]"); - if (sqEnd > -1) { - if (value.charAt(0) !== "[") return; - value = value.substr(1, sqEnd - 1); - } - var zoneOffset = value.indexOf("%"); - if (zoneOffset > -1) { - value = value.substr(0, zoneOffset); - } - var parts = value.split(":"); - if (parts == null || parts.length < 3 || parts.length > 8) return; - var numEmpty = 0; - var innerEmpty = 0; - for (var i = 0; i < parts.length; i++) { - if (parts[i].length === 0) { - numEmpty++; - if (i > 0 && i + 1 < parts.length) innerEmpty++; - } else if (!parts[i].match(ipv6_hex_regex) && - // Accept an IPv6 with a valid IPv4 at the end. - ((i + 1 < parts.length) || !to_ipv4(parts[i]))) { - return; - } - } - return innerEmpty === 0 && parts.length === 8 || innerEmpty === 1 ? value : undefined; - } - - function to_double(value) { - return parseFloat(value); - } - - function to_mac(value) { - // ES doesn't have a mac datatype so it's safe to ingest whatever was captured. - return value; - } - - function to_lowercase(value) { - // to_lowercase is used against keyword fields, which can accept - // any other type (numbers, dates). - return typeof(value) === "string"? 
value.toLowerCase() : value; - } - - function fld_set(dst, value) { - dst[this.field] = { v: value }; - } - - function fld_append(dst, value) { - if (dst[this.field] === undefined) { - dst[this.field] = { v: [value] }; - } else { - var base = dst[this.field]; - if (base.v.indexOf(value)===-1) base.v.push(value); - } - } - - function fld_prio(dst, value) { - if (dst[this.field] === undefined) { - dst[this.field] = { v: value, prio: this.prio}; - } else if(this.prio < dst[this.field].prio) { - dst[this.field].v = value; - dst[this.field].prio = this.prio; - } - } - - var valid_ecs_outcome = { - 'failure': true, - 'success': true, - 'unknown': true - }; - - function fld_ecs_outcome(dst, value) { - value = value.toLowerCase(); - if (valid_ecs_outcome[value] === undefined) { - value = 'unknown'; - } - if (dst[this.field] === undefined) { - dst[this.field] = { v: value }; - } else if (dst[this.field].v === 'unknown') { - dst[this.field] = { v: value }; - } - } - - function map_all(evt, targets, value) { - for (var i = 0; i < targets.length; i++) { - evt.Put(targets[i], value); - } - } - - function populate_fields(evt) { - var base = evt.Get(FIELDS_OBJECT); - if (base === null) return; - alternate_datetime(evt); - if (map_ecs) { - do_populate(evt, base, ecs_mappings); - } - if (map_rsa) { - do_populate(evt, base, rsa_mappings); - } - if (keep_raw) { - evt.Put("rsa.raw", base); - } - evt.Delete(FIELDS_OBJECT); - } - - var datetime_alt_components = [ - {field: "day", fmts: [[dF]]}, - {field: "year", fmts: [[dW]]}, - {field: "month", fmts: [[dB],[dG]]}, - {field: "date", fmts: [[dW,dSkip,dG,dSkip,dF],[dW,dSkip,dB,dSkip,dF],[dW,dSkip,dR,dSkip,dF]]}, - {field: "hour", fmts: [[dN]]}, - {field: "min", fmts: [[dU]]}, - {field: "secs", fmts: [[dO]]}, - {field: "time", fmts: [[dN, dSkip, dU, dSkip, dO]]}, - ]; - - function alternate_datetime(evt) { - if (evt.Get(FIELDS_PREFIX + "event_time") != null) { - return; - } - var tzOffset = tz_offset; - if (tzOffset === "event") { - 
tzOffset = evt.Get("event.timezone"); - } - var container = new DateContainer(tzOffset); - for (var i=0; i} for %{p0}"); - - var dup7 = match("MESSAGE#2:00001:02/1_1", "nwparser.p0", "domain address %{domain->} in zone %{p0}"); - - var dup8 = match("MESSAGE#4:00001:04/3_0", "nwparser.p0", " (%{fld1})"); - - var dup9 = date_time({ - dest: "event_time", - args: ["fld1"], - fmts: [ - [dW,dc("-"),dG,dc("-"),dF,dH,dc(":"),dU,dc(":"),dO], - ], - }); - - var dup10 = match("MESSAGE#5:00001:05/1_0", "nwparser.p0", "(%{fld1})"); - - var dup11 = match_copy("MESSAGE#5:00001:05/1_1", "nwparser.p0", "fld1"); - - var dup12 = match("MESSAGE#8:00001:08/0", "nwparser.payload", "Address %{p0}"); - - var dup13 = match("MESSAGE#8:00001:08/1_0", "nwparser.p0", "MIP(%{interface}) %{p0}"); - - var dup14 = match("MESSAGE#8:00001:08/1_1", "nwparser.p0", "%{group_object->} %{p0}"); - - var dup15 = match("MESSAGE#8:00001:08/3_0", "nwparser.p0", "admin %{p0}"); - - var dup16 = match_copy("MESSAGE#8:00001:08/3_1", "nwparser.p0", "p0"); - - var dup17 = setc("eventcategory","1502000000"); - - var dup18 = setc("eventcategory","1703000000"); - - var dup19 = setc("eventcategory","1603000000"); - - var dup20 = match("MESSAGE#25:00002:20/1_1", "nwparser.p0", "from host %{saddr->} "); - - var dup21 = match_copy("MESSAGE#25:00002:20/1_2", "nwparser.p0", ""); - - var dup22 = setc("eventcategory","1502050000"); - - var dup23 = match("MESSAGE#26:00002:21/1", "nwparser.p0", "%{p0}"); - - var dup24 = match("MESSAGE#26:00002:21/2_0", "nwparser.p0", "password %{p0}"); - - var dup25 = match("MESSAGE#26:00002:21/2_1", "nwparser.p0", "name %{p0}"); - - var dup26 = match_copy("MESSAGE#27:00002:22/1_2", "nwparser.p0", "administrator"); - - var dup27 = setc("eventcategory","1801010000"); - - var dup28 = setc("eventcategory","1401060000"); - - var dup29 = setc("ec_subject","User"); - - var dup30 = setc("ec_activity","Logon"); - - var dup31 = setc("ec_theme","Authentication"); - - var dup32 = 
setc("ec_outcome","Success"); - - var dup33 = setc("eventcategory","1401070000"); - - var dup34 = setc("ec_activity","Logoff"); - - var dup35 = setc("eventcategory","1303000000"); - - var dup36 = match_copy("MESSAGE#42:00002:38/1_1", "nwparser.p0", "disposition"); - - var dup37 = setc("eventcategory","1402020200"); - - var dup38 = setc("ec_theme","UserGroup"); - - var dup39 = setc("ec_outcome","Error"); - - var dup40 = match("MESSAGE#46:00002:42/1_1", "nwparser.p0", "via %{p0}"); - - var dup41 = match("MESSAGE#46:00002:42/4", "nwparser.p0", "%{fld1})"); - - var dup42 = setc("eventcategory","1402020300"); - - var dup43 = setc("ec_activity","Modify"); - - var dup44 = setc("eventcategory","1605000000"); - - var dup45 = match("MESSAGE#52:00002:48/3_1", "nwparser.p0", "%{logon_type->} from host %{saddr->} to %{daddr}:%{dport}. (%{p0}"); - - var dup46 = match("MESSAGE#53:00002:52/3_0", "nwparser.p0", "admin %{administrator->} via %{p0}"); - - var dup47 = match("MESSAGE#53:00002:52/3_2", "nwparser.p0", "%{username->} via %{p0}"); - - var dup48 = match("MESSAGE#53:00002:52/4_0", "nwparser.p0", "NSRP Peer . (%{p0}"); - - var dup49 = match("MESSAGE#55:00002:54/2", "nwparser.p0", ". 
(%{fld1})"); - - var dup50 = setc("eventcategory","1701020000"); - - var dup51 = setc("ec_theme","Configuration"); - - var dup52 = match("MESSAGE#56:00002/1_1", "nwparser.p0", "changed%{p0}"); - - var dup53 = setc("eventcategory","1301000000"); - - var dup54 = setc("ec_outcome","Failure"); - - var dup55 = match("MESSAGE#61:00003:05/0", "nwparser.payload", "The %{p0}"); - - var dup56 = match("MESSAGE#66:00004:04/1_0", "nwparser.p0", "interface%{p0}"); - - var dup57 = match("MESSAGE#66:00004:04/1_1", "nwparser.p0", "Interface%{p0}"); - - var dup58 = setc("eventcategory","1001000000"); - - var dup59 = setc("dclass_counter1_string","Number of times the attack occurred"); - - var dup60 = call({ - dest: "nwparser.inout", - fn: DIRCHK, - args: [ - field("$OUT"), - field("saddr"), - field("daddr"), - ], - }); - - var dup61 = call({ - dest: "nwparser.inout", - fn: DIRCHK, - args: [ - field("$OUT"), - field("saddr"), - field("daddr"), - field("sport"), - field("dport"), - ], - }); - - var dup62 = setc("eventcategory","1608010000"); - - var dup63 = match("MESSAGE#76:00004:14/0", "nwparser.payload", "DNS entries have been %{p0}"); - - var dup64 = match("MESSAGE#79:00004:17/0", "nwparser.payload", "%{signame->} From %{saddr->} to %{daddr}, proto %{protocol->} (zone %{p0}"); - - var dup65 = match("MESSAGE#79:00004:17/1_0", "nwparser.p0", "%{zone}, %{p0}"); - - var dup66 = match("MESSAGE#79:00004:17/1_1", "nwparser.p0", "%{zone->} %{p0}"); - - var dup67 = match("MESSAGE#79:00004:17/2", "nwparser.p0", "int %{interface}).%{space}Occurred %{dclass_counter1->} times. 
(%{fld1})"); - - var dup68 = match("MESSAGE#83:00005:03/1_0", "nwparser.p0", "%{dport},%{p0}"); - - var dup69 = match("MESSAGE#83:00005:03/1_1", "nwparser.p0", "%{dport->} %{p0}"); - - var dup70 = match("MESSAGE#83:00005:03/2", "nwparser.p0", "%{space}using protocol %{p0}"); - - var dup71 = match("MESSAGE#83:00005:03/3_0", "nwparser.p0", "%{protocol},%{p0}"); - - var dup72 = match("MESSAGE#83:00005:03/3_1", "nwparser.p0", "%{protocol->} %{p0}"); - - var dup73 = match("MESSAGE#83:00005:03/5_1", "nwparser.p0", ". %{p0}"); - - var dup74 = match("MESSAGE#86:00005:06/0_0", "nwparser.payload", "%{fld2}: SYN %{p0}"); - - var dup75 = match("MESSAGE#86:00005:06/0_1", "nwparser.payload", "SYN %{p0}"); - - var dup76 = match("MESSAGE#87:00005:07/1_2", "nwparser.p0", "timeout value %{p0}"); - - var dup77 = match("MESSAGE#88:00005:08/2_0", "nwparser.p0", "destination %{p0}"); - - var dup78 = match("MESSAGE#88:00005:08/2_1", "nwparser.p0", "source %{p0}"); - - var dup79 = match("MESSAGE#97:00005:17/0", "nwparser.payload", "A %{p0}"); - - var dup80 = match("MESSAGE#98:00005:18/0", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to %{daddr}:%{dport}, proto %{protocol->} (zone %{zone->} %{p0}"); - - var dup81 = match("MESSAGE#98:00005:18/1_0", "nwparser.p0", ", int %{p0}"); - - var dup82 = match("MESSAGE#98:00005:18/1_1", "nwparser.p0", "int %{p0}"); - - var dup83 = match("MESSAGE#98:00005:18/2", "nwparser.p0", "%{interface}).%{space}Occurred %{dclass_counter1->} times. 
(%{fld1})"); - - var dup84 = setc("eventcategory","1002020000"); - - var dup85 = setc("eventcategory","1002000000"); - - var dup86 = setc("eventcategory","1603110000"); - - var dup87 = match("MESSAGE#111:00007:04/0", "nwparser.payload", "HA %{p0}"); - - var dup88 = match("MESSAGE#111:00007:04/1_0", "nwparser.p0", "encryption %{p0}"); - - var dup89 = match("MESSAGE#111:00007:04/1_1", "nwparser.p0", "authentication %{p0}"); - - var dup90 = match("MESSAGE#111:00007:04/3_1", "nwparser.p0", "key %{p0}"); - - var dup91 = setc("eventcategory","1613040200"); - - var dup92 = match("MESSAGE#118:00007:11/1_0", "nwparser.p0", "disabled%{}"); - - var dup93 = match("MESSAGE#118:00007:11/1_1", "nwparser.p0", "set to %{trigger_val}"); - - var dup94 = match("MESSAGE#127:00007:21/1_0", "nwparser.p0", "up%{}"); - - var dup95 = match("MESSAGE#127:00007:21/1_1", "nwparser.p0", "down%{}"); - - var dup96 = match("MESSAGE#139:00007:33/2_1", "nwparser.p0", " %{p0}"); - - var dup97 = setc("eventcategory","1613050200"); - - var dup98 = match("MESSAGE#143:00007:37/1_0", "nwparser.p0", "set%{}"); - - var dup99 = match("MESSAGE#143:00007:37/1_1", "nwparser.p0", "unset%{}"); - - var dup100 = match("MESSAGE#144:00007:38/1_0", "nwparser.p0", "undefined %{p0}"); - - var dup101 = match("MESSAGE#144:00007:38/1_1", "nwparser.p0", "set %{p0}"); - - var dup102 = match("MESSAGE#144:00007:38/1_2", "nwparser.p0", "active %{p0}"); - - var dup103 = match("MESSAGE#144:00007:38/2", "nwparser.p0", "to %{p0}"); - - var dup104 = match("MESSAGE#157:00007:51/1_0", "nwparser.p0", "created %{p0}"); - - var dup105 = match("MESSAGE#157:00007:51/3_0", "nwparser.p0", ", %{p0}"); - - var dup106 = match("MESSAGE#157:00007:51/5_0", "nwparser.p0", "is %{p0}"); - - var dup107 = match("MESSAGE#157:00007:51/5_1", "nwparser.p0", "was %{p0}"); - - var dup108 = match("MESSAGE#157:00007:51/6", "nwparser.p0", "%{fld2}"); - - var dup109 = match("MESSAGE#163:00007:57/1_0", "nwparser.p0", "threshold %{p0}"); - - var dup110 = 
match("MESSAGE#163:00007:57/1_1", "nwparser.p0", "interval %{p0}"); - - var dup111 = match("MESSAGE#163:00007:57/3_0", "nwparser.p0", "of %{p0}"); - - var dup112 = match("MESSAGE#163:00007:57/3_1", "nwparser.p0", "that %{p0}"); - - var dup113 = match("MESSAGE#170:00007:64/0_0", "nwparser.payload", "Zone %{p0}"); - - var dup114 = match("MESSAGE#170:00007:64/0_1", "nwparser.payload", "Interface %{p0}"); - - var dup115 = match("MESSAGE#172:00007:66/2_1", "nwparser.p0", "n %{p0}"); - - var dup116 = match("MESSAGE#174:00007:68/4", "nwparser.p0", ".%{}"); - - var dup117 = setc("eventcategory","1603090000"); - - var dup118 = match("MESSAGE#195:00009:06/1", "nwparser.p0", "for %{p0}"); - - var dup119 = match("MESSAGE#195:00009:06/2_0", "nwparser.p0", "the %{p0}"); - - var dup120 = match("MESSAGE#195:00009:06/4_0", "nwparser.p0", "removed %{p0}"); - - var dup121 = setc("eventcategory","1603030000"); - - var dup122 = match("MESSAGE#202:00009:14/2_0", "nwparser.p0", "interface %{p0}"); - - var dup123 = match("MESSAGE#202:00009:14/2_1", "nwparser.p0", "the interface %{p0}"); - - var dup124 = match_copy("MESSAGE#202:00009:14/4_1", "nwparser.p0", "interface"); - - var dup125 = match("MESSAGE#203:00009:15/1_1", "nwparser.p0", "s %{p0}"); - - var dup126 = match("MESSAGE#203:00009:15/2", "nwparser.p0", "on interface %{interface->} %{p0}"); - - var dup127 = match("MESSAGE#203:00009:15/3_0", "nwparser.p0", "has been %{p0}"); - - var dup128 = match("MESSAGE#203:00009:15/4", "nwparser.p0", "%{disposition}."); - - var dup129 = match("MESSAGE#204:00009:16/3_0", "nwparser.p0", "removed from %{p0}"); - - var dup130 = match("MESSAGE#204:00009:16/3_1", "nwparser.p0", "added to %{p0}"); - - var dup131 = match("MESSAGE#210:00009:21/2", "nwparser.p0", "%{interface}). Occurred %{dclass_counter1->} times. 
(%{fld1})"); - - var dup132 = match("MESSAGE#219:00010:03/0", "nwparser.payload", "%{signame->} From %{saddr->} to %{daddr}, proto %{protocol->} (zone %{zone->} %{p0}"); - - var dup133 = match("MESSAGE#224:00011:04/1_1", "nwparser.p0", "Interface %{p0}"); - - var dup134 = match("MESSAGE#233:00011:14/1_0", "nwparser.p0", "set to %{fld2}"); - - var dup135 = match("MESSAGE#237:00011:18/4_1", "nwparser.p0", "gateway %{p0}"); - - var dup136 = match("MESSAGE#238:00011:19/6", "nwparser.p0", "%{} %{disposition}"); - - var dup137 = match("MESSAGE#274:00015:02/1_1", "nwparser.p0", "port number %{p0}"); - - var dup138 = match("MESSAGE#274:00015:02/2", "nwparser.p0", "has been %{disposition}"); - - var dup139 = match("MESSAGE#276:00015:04/1_0", "nwparser.p0", "IP %{p0}"); - - var dup140 = match("MESSAGE#276:00015:04/1_1", "nwparser.p0", "port %{p0}"); - - var dup141 = setc("eventcategory","1702030000"); - - var dup142 = match("MESSAGE#284:00015:12/3_0", "nwparser.p0", "up %{p0}"); - - var dup143 = match("MESSAGE#284:00015:12/3_1", "nwparser.p0", "down %{p0}"); - - var dup144 = setc("eventcategory","1601000000"); - - var dup145 = match("MESSAGE#294:00015:22/2_0", "nwparser.p0", "(%{fld1}) "); - - var dup146 = date_time({ - dest: "event_time", - args: ["fld2"], - fmts: [ - [dW,dc("-"),dG,dc("-"),dF,dH,dc(":"),dU,dc(":"),dO], - ], - }); - - var dup147 = setc("eventcategory","1103000000"); - - var dup148 = setc("ec_subject","NetworkComm"); - - var dup149 = setc("ec_activity","Scan"); - - var dup150 = setc("ec_theme","TEV"); - - var dup151 = setc("eventcategory","1103010000"); - - var dup152 = match("MESSAGE#317:00017:01/2_0", "nwparser.p0", ": %{p0}"); - - var dup153 = match("MESSAGE#320:00017:04/0", "nwparser.payload", "IP %{p0}"); - - var dup154 = match("MESSAGE#320:00017:04/1_0", "nwparser.p0", "address pool %{p0}"); - - var dup155 = match("MESSAGE#320:00017:04/1_1", "nwparser.p0", "pool %{p0}"); - - var dup156 = match("MESSAGE#326:00017:10/1_0", "nwparser.p0", "enabled 
%{p0}"); - - var dup157 = match("MESSAGE#326:00017:10/1_1", "nwparser.p0", "disabled %{p0}"); - - var dup158 = match("MESSAGE#332:00017:15/1_0", "nwparser.p0", "AH %{p0}"); - - var dup159 = match("MESSAGE#332:00017:15/1_1", "nwparser.p0", "ESP %{p0}"); - - var dup160 = match("MESSAGE#354:00018:11/0", "nwparser.payload", "%{} %{p0}"); - - var dup161 = match("MESSAGE#356:00018:32/0_0", "nwparser.payload", "Source%{p0}"); - - var dup162 = match("MESSAGE#356:00018:32/0_1", "nwparser.payload", "Destination%{p0}"); - - var dup163 = match("MESSAGE#356:00018:32/2_0", "nwparser.p0", "from %{p0}"); - - var dup164 = match("MESSAGE#356:00018:32/3", "nwparser.p0", "policy ID %{policy_id->} by admin %{administrator->} via NSRP Peer . (%{fld1})"); - - var dup165 = match("MESSAGE#375:00019:01/0", "nwparser.payload", "Attempt to enable %{p0}"); - - var dup166 = match("MESSAGE#375:00019:01/1_0", "nwparser.p0", "traffic logging via syslog %{p0}"); - - var dup167 = match("MESSAGE#375:00019:01/1_1", "nwparser.p0", "syslog %{p0}"); - - var dup168 = match("MESSAGE#378:00019:04/0", "nwparser.payload", "Syslog %{p0}"); - - var dup169 = match("MESSAGE#378:00019:04/1_0", "nwparser.p0", "host %{p0}"); - - var dup170 = match("MESSAGE#378:00019:04/3_1", "nwparser.p0", "domain name %{p0}"); - - var dup171 = match("MESSAGE#378:00019:04/4", "nwparser.p0", "has been changed to %{fld2}"); - - var dup172 = match("MESSAGE#380:00019:06/1_0", "nwparser.p0", "security facility %{p0}"); - - var dup173 = match("MESSAGE#380:00019:06/1_1", "nwparser.p0", "facility %{p0}"); - - var dup174 = match("MESSAGE#380:00019:06/3_0", "nwparser.p0", "local0%{}"); - - var dup175 = match("MESSAGE#380:00019:06/3_1", "nwparser.p0", "local1%{}"); - - var dup176 = match("MESSAGE#380:00019:06/3_2", "nwparser.p0", "local2%{}"); - - var dup177 = match("MESSAGE#380:00019:06/3_3", "nwparser.p0", "local3%{}"); - - var dup178 = match("MESSAGE#380:00019:06/3_4", "nwparser.p0", "local4%{}"); - - var dup179 = 
match("MESSAGE#380:00019:06/3_5", "nwparser.p0", "local5%{}"); - - var dup180 = match("MESSAGE#380:00019:06/3_6", "nwparser.p0", "local6%{}"); - - var dup181 = match("MESSAGE#380:00019:06/3_7", "nwparser.p0", "local7%{}"); - - var dup182 = match("MESSAGE#380:00019:06/3_8", "nwparser.p0", "auth/sec%{}"); - - var dup183 = match("MESSAGE#384:00019:10/0", "nwparser.payload", "%{fld2->} %{p0}"); - - var dup184 = setc("eventcategory","1603020000"); - - var dup185 = setc("eventcategory","1803000000"); - - var dup186 = match("MESSAGE#405:00022/0", "nwparser.payload", "All %{p0}"); - - var dup187 = setc("eventcategory","1603010000"); - - var dup188 = setc("eventcategory","1603100000"); - - var dup189 = match("MESSAGE#414:00022:09/1_0", "nwparser.p0", "primary %{p0}"); - - var dup190 = match("MESSAGE#414:00022:09/1_1", "nwparser.p0", "secondary %{p0}"); - - var dup191 = match("MESSAGE#414:00022:09/3_0", "nwparser.p0", "t %{p0}"); - - var dup192 = match("MESSAGE#414:00022:09/3_1", "nwparser.p0", "w %{p0}"); - - var dup193 = match("MESSAGE#423:00024/1", "nwparser.p0", "server %{p0}"); - - var dup194 = match("MESSAGE#426:00024:03/1_0", "nwparser.p0", "has %{p0}"); - - var dup195 = match("MESSAGE#434:00026:01/0", "nwparser.payload", "SCS%{p0}"); - - var dup196 = match("MESSAGE#434:00026:01/3_0", "nwparser.p0", "bound to %{p0}"); - - var dup197 = match("MESSAGE#434:00026:01/3_1", "nwparser.p0", "unbound from %{p0}"); - - var dup198 = setc("eventcategory","1801030000"); - - var dup199 = setc("eventcategory","1302010200"); - - var dup200 = match("MESSAGE#441:00026:08/1_1", "nwparser.p0", "PKA RSA %{p0}"); - - var dup201 = match("MESSAGE#443:00026:10/3_1", "nwparser.p0", "unbind %{p0}"); - - var dup202 = match("MESSAGE#443:00026:10/4", "nwparser.p0", "PKA key %{p0}"); - - var dup203 = setc("eventcategory","1304000000"); - - var dup204 = match("MESSAGE#446:00027/0", "nwparser.payload", "Multiple login failures %{p0}"); - - var dup205 = match("MESSAGE#446:00027/1_0", "nwparser.p0", 
"occurred for %{p0}"); - - var dup206 = setc("eventcategory","1401030000"); - - var dup207 = match("MESSAGE#451:00027:05/5_0", "nwparser.p0", "aborted%{}"); - - var dup208 = match("MESSAGE#451:00027:05/5_1", "nwparser.p0", "performed%{}"); - - var dup209 = setc("eventcategory","1605020000"); - - var dup210 = match("MESSAGE#466:00029:03/0", "nwparser.payload", "IP pool of DHCP server on %{p0}"); - - var dup211 = setc("ec_subject","Certificate"); - - var dup212 = match("MESSAGE#492:00030:17/1_0", "nwparser.p0", "certificate %{p0}"); - - var dup213 = match("MESSAGE#492:00030:17/1_1", "nwparser.p0", "CRL %{p0}"); - - var dup214 = match("MESSAGE#493:00030:40/1_0", "nwparser.p0", "auto %{p0}"); - - var dup215 = match("MESSAGE#508:00030:55/1_0", "nwparser.p0", "RSA %{p0}"); - - var dup216 = match("MESSAGE#508:00030:55/1_1", "nwparser.p0", "DSA %{p0}"); - - var dup217 = match("MESSAGE#508:00030:55/2", "nwparser.p0", "key pair.%{}"); - - var dup218 = setc("ec_subject","CryptoKey"); - - var dup219 = setc("ec_subject","Configuration"); - - var dup220 = setc("ec_activity","Request"); - - var dup221 = match("MESSAGE#539:00030:86/0", "nwparser.payload", "FIPS test for %{p0}"); - - var dup222 = match("MESSAGE#539:00030:86/1_0", "nwparser.p0", "ECDSA %{p0}"); - - var dup223 = setc("eventcategory","1612000000"); - - var dup224 = match("MESSAGE#543:00031:02/1_0", "nwparser.p0", "yes %{p0}"); - - var dup225 = match("MESSAGE#543:00031:02/1_1", "nwparser.p0", "no %{p0}"); - - var dup226 = match("MESSAGE#545:00031:04/1_1", "nwparser.p0", "location %{p0}"); - - var dup227 = match("MESSAGE#548:00031:05/2", "nwparser.p0", "%{} %{interface}"); - - var dup228 = match("MESSAGE#549:00031:06/0", "nwparser.payload", "arp re%{p0}"); - - var dup229 = match("MESSAGE#549:00031:06/1_1", "nwparser.p0", "q %{p0}"); - - var dup230 = match("MESSAGE#549:00031:06/1_2", "nwparser.p0", "ply %{p0}"); - - var dup231 = match("MESSAGE#549:00031:06/9_0", "nwparser.p0", "%{interface->} (%{fld1})"); - - var dup232 
= setc("eventcategory","1201000000"); - - var dup233 = match("MESSAGE#561:00033/0_0", "nwparser.payload", "Global PRO %{p0}"); - - var dup234 = match("MESSAGE#561:00033/0_1", "nwparser.payload", "%{fld3->} %{p0}"); - - var dup235 = match("MESSAGE#569:00033:08/0", "nwparser.payload", "NACN Policy Manager %{p0}"); - - var dup236 = match("MESSAGE#569:00033:08/1_0", "nwparser.p0", "1 %{p0}"); - - var dup237 = match("MESSAGE#569:00033:08/1_1", "nwparser.p0", "2 %{p0}"); - - var dup238 = match("MESSAGE#571:00033:10/3_1", "nwparser.p0", "unset %{p0}"); - - var dup239 = match("MESSAGE#581:00033:21/0", "nwparser.payload", "%{signame}! From %{saddr}:%{sport->} to %{daddr}:%{dport}, proto %{protocol->} (zone %{zone->} %{p0}"); - - var dup240 = setc("eventcategory","1401000000"); - - var dup241 = match("MESSAGE#586:00034:01/2_1", "nwparser.p0", "SSH %{p0}"); - - var dup242 = match("MESSAGE#588:00034:03/0_0", "nwparser.payload", "SCS: NetScreen %{p0}"); - - var dup243 = match("MESSAGE#588:00034:03/0_1", "nwparser.payload", "NetScreen %{p0}"); - - var dup244 = match("MESSAGE#595:00034:10/0", "nwparser.payload", "S%{p0}"); - - var dup245 = match("MESSAGE#595:00034:10/1_0", "nwparser.p0", "CS: SSH%{p0}"); - - var dup246 = match("MESSAGE#595:00034:10/1_1", "nwparser.p0", "SH%{p0}"); - - var dup247 = match("MESSAGE#596:00034:12/3_0", "nwparser.p0", "the root system %{p0}"); - - var dup248 = match("MESSAGE#596:00034:12/3_1", "nwparser.p0", "vsys %{fld2->} %{p0}"); - - var dup249 = match("MESSAGE#599:00034:18/1_0", "nwparser.p0", "CS: SSH %{p0}"); - - var dup250 = match("MESSAGE#599:00034:18/1_1", "nwparser.p0", "SH %{p0}"); - - var dup251 = match("MESSAGE#630:00035:06/1_0", "nwparser.p0", "a %{p0}"); - - var dup252 = match("MESSAGE#630:00035:06/1_1", "nwparser.p0", "ert %{p0}"); - - var dup253 = match("MESSAGE#633:00035:09/0", "nwparser.payload", "SSL %{p0}"); - - var dup254 = setc("eventcategory","1608000000"); - - var dup255 = match("MESSAGE#644:00037:01/1_0", "nwparser.p0", "id: 
%{p0}"); - - var dup256 = match("MESSAGE#644:00037:01/1_1", "nwparser.p0", "ID %{p0}"); - - var dup257 = match("MESSAGE#659:00044/1_0", "nwparser.p0", "permit %{p0}"); - - var dup258 = match("MESSAGE#675:00055/0", "nwparser.payload", "IGMP %{p0}"); - - var dup259 = match("MESSAGE#677:00055:02/0", "nwparser.payload", "IGMP will %{p0}"); - - var dup260 = match("MESSAGE#677:00055:02/1_0", "nwparser.p0", "not do %{p0}"); - - var dup261 = match("MESSAGE#677:00055:02/1_1", "nwparser.p0", "do %{p0}"); - - var dup262 = match("MESSAGE#689:00059/1_1", "nwparser.p0", "shut down %{p0}"); - - var dup263 = match("MESSAGE#707:00070/0", "nwparser.payload", "NSRP: %{p0}"); - - var dup264 = match("MESSAGE#707:00070/1_0", "nwparser.p0", "Unit %{p0}"); - - var dup265 = match("MESSAGE#707:00070/1_1", "nwparser.p0", "local unit= %{p0}"); - - var dup266 = match("MESSAGE#707:00070/2", "nwparser.p0", "%{fld2->} of VSD group %{group->} %{info}"); - - var dup267 = match("MESSAGE#708:00070:01/0", "nwparser.payload", "The local device %{fld2->} in the Virtual Sec%{p0}"); - - var dup268 = match("MESSAGE#708:00070:01/1_0", "nwparser.p0", "ruity%{p0}"); - - var dup269 = match("MESSAGE#708:00070:01/1_1", "nwparser.p0", "urity%{p0}"); - - var dup270 = match("MESSAGE#713:00072:01/2", "nwparser.p0", "%{}Device group %{group->} changed state"); - - var dup271 = match("MESSAGE#717:00075/2", "nwparser.p0", "%{fld2->} of VSD group %{group->} %{info}"); - - var dup272 = setc("eventcategory","1805010000"); - - var dup273 = setc("eventcategory","1805000000"); - - var dup274 = date_time({ - dest: "starttime", - args: ["fld2"], - fmts: [ - [dW,dc("-"),dG,dc("-"),dF,dH,dc(":"),dU,dc(":"),dO], - ], - }); - - var dup275 = call({ - dest: "nwparser.bytes", - fn: CALC, - args: [ - field("sbytes"), - constant("+"), - field("rbytes"), - ], - }); - - var dup276 = setc("action","Deny"); - - var dup277 = setc("disposition","Deny"); - - var dup278 = setc("direction","outgoing"); - - var dup279 = call({ - dest: 
"nwparser.inout", - fn: DIRCHK, - args: [ - field("$IN"), - field("saddr"), - field("daddr"), - field("sport"), - field("dport"), - ], - }); - - var dup280 = setc("direction","incoming"); - - var dup281 = setc("eventcategory","1801000000"); - - var dup282 = setf("action","disposition"); - - var dup283 = match("MESSAGE#748:00257:19/0", "nwparser.payload", "start_time=%{p0}"); - - var dup284 = match("MESSAGE#748:00257:19/1_0", "nwparser.p0", "\\\"%{fld2}\\\"%{p0}"); - - var dup285 = match("MESSAGE#748:00257:19/1_1", "nwparser.p0", " \"%{fld2}\" %{p0}"); - - var dup286 = match_copy("MESSAGE#756:00257:10/1_1", "nwparser.p0", "daddr"); - - var dup287 = match("MESSAGE#760:00259/0_0", "nwparser.payload", "Admin %{p0}"); - - var dup288 = match("MESSAGE#760:00259/0_1", "nwparser.payload", "Vsys admin %{p0}"); - - var dup289 = match("MESSAGE#760:00259/2_1", "nwparser.p0", "Telnet %{p0}"); - - var dup290 = setc("eventcategory","1401050200"); - - var dup291 = call({ - dest: "nwparser.inout", - fn: DIRCHK, - args: [ - field("$IN"), - field("daddr"), - field("saddr"), - ], - }); - - var dup292 = call({ - dest: "nwparser.inout", - fn: DIRCHK, - args: [ - field("$IN"), - field("daddr"), - field("saddr"), - field("dport"), - field("sport"), - ], - }); - - var dup293 = match("MESSAGE#777:00406/2", "nwparser.p0", "%{interface}). Occurred %{dclass_counter1->} times."); - - var dup294 = match("MESSAGE#790:00423/2", "nwparser.p0", "%{interface}).%{space}Occurred %{dclass_counter1->} times."); - - var dup295 = match("MESSAGE#793:00430/2", "nwparser.p0", "%{interface}).%{space}Occurred %{dclass_counter1->} times.%{p0}"); - - var dup296 = match("MESSAGE#795:00431/0", "nwparser.payload", "%{obj_type->} %{disposition}! From %{saddr}:%{sport->} to %{daddr}:%{dport}, proto %{protocol->} (zone %{zone->} %{p0}"); - - var dup297 = setc("eventcategory","1204000000"); - - var dup298 = match("MESSAGE#797:00433/0", "nwparser.payload", "%{signame->} %{disposition}! 
From %{saddr}:%{sport->} to %{daddr}:%{dport}, proto %{protocol->} (zone %{zone->} %{p0}"); - - var dup299 = match("MESSAGE#804:00437:01/0", "nwparser.payload", "%{signame}! From %{saddr}:%{sport->} to %{daddr}:%{dport}, proto %{protocol->} (zone %{p0}"); - - var dup300 = match("MESSAGE#817:00511:01/1_0", "nwparser.p0", "%{administrator->} (%{fld1})"); - - var dup301 = setc("eventcategory","1801020000"); - - var dup302 = setc("disposition","failed"); - - var dup303 = match("MESSAGE#835:00515:04/2_1", "nwparser.p0", "ut %{p0}"); - - var dup304 = match("MESSAGE#835:00515:04/4_0", "nwparser.p0", "%{logon_type->} from %{saddr}:%{sport}"); - - var dup305 = match("MESSAGE#837:00515:05/1_0", "nwparser.p0", "user %{p0}"); - - var dup306 = match("MESSAGE#837:00515:05/5_0", "nwparser.p0", "the %{logon_type}"); - - var dup307 = match("MESSAGE#869:00519:01/1_0", "nwparser.p0", "WebAuth user %{p0}"); - - var dup308 = match("MESSAGE#876:00520:02/1_1", "nwparser.p0", "backup1 %{p0}"); - - var dup309 = match("MESSAGE#876:00520:02/1_2", "nwparser.p0", "backup2 %{p0}"); - - var dup310 = match("MESSAGE#890:00524:13/1_0", "nwparser.p0", ",%{p0}"); - - var dup311 = match("MESSAGE#901:00527/1_0", "nwparser.p0", "assigned %{p0}"); - - var dup312 = match("MESSAGE#901:00527/3_0", "nwparser.p0", "assigned to %{p0}"); - - var dup313 = setc("eventcategory","1803020000"); - - var dup314 = setc("eventcategory","1613030000"); - - var dup315 = match("MESSAGE#927:00528:15/1_0", "nwparser.p0", "'%{administrator}' %{p0}"); - - var dup316 = match("MESSAGE#930:00528:18/0", "nwparser.payload", "SSH: P%{p0}"); - - var dup317 = match("MESSAGE#930:00528:18/1_0", "nwparser.p0", "KA %{p0}"); - - var dup318 = match("MESSAGE#930:00528:18/1_1", "nwparser.p0", "assword %{p0}"); - - var dup319 = match("MESSAGE#930:00528:18/3_0", "nwparser.p0", "\\'%{administrator}\\' %{p0}"); - - var dup320 = match("MESSAGE#930:00528:18/4", "nwparser.p0", "at host %{saddr}"); - - var dup321 = match("MESSAGE#932:00528:19/0", 
"nwparser.payload", "%{}S%{p0}"); - - var dup322 = match("MESSAGE#932:00528:19/1_0", "nwparser.p0", "CS %{p0}"); - - var dup323 = setc("event_description","Cannot connect to NSM server"); - - var dup324 = setc("eventcategory","1603040000"); - - var dup325 = match("MESSAGE#1060:00553/2", "nwparser.p0", "from server.ini file.%{}"); - - var dup326 = match("MESSAGE#1064:00553:04/1_0", "nwparser.p0", "pattern %{p0}"); - - var dup327 = match("MESSAGE#1064:00553:04/1_1", "nwparser.p0", "server.ini %{p0}"); - - var dup328 = match("MESSAGE#1068:00553:08/2", "nwparser.p0", "file.%{}"); - - var dup329 = match("MESSAGE#1087:00554:04/1_1", "nwparser.p0", "AV pattern %{p0}"); - - var dup330 = match("MESSAGE#1116:00556:14/1_0", "nwparser.p0", "added into %{p0}"); - - var dup331 = match("MESSAGE#1157:00767:11/1_0", "nwparser.p0", "loader %{p0}"); - - var dup332 = call({ - dest: "nwparser.inout", - fn: DIRCHK, - args: [ - field("$OUT"), - field("daddr"), - field("saddr"), - field("dport"), - field("sport"), - ], - }); - - var dup333 = linear_select([ - dup10, - dup11, - ]); - - var dup334 = match("MESSAGE#7:00001:07", "nwparser.payload", "Policy ID=%{policy_id->} Rate=%{fld2->} exceeds threshold", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var dup335 = linear_select([ - dup13, - dup14, - ]); - - var dup336 = linear_select([ - dup15, - dup16, - ]); - - var dup337 = linear_select([ - dup56, - dup57, - ]); - - var dup338 = linear_select([ - dup65, - dup66, - ]); - - var dup339 = linear_select([ - dup68, - dup69, - ]); - - var dup340 = linear_select([ - dup71, - dup72, - ]); - - var dup341 = match("MESSAGE#84:00005:04", "nwparser.payload", "%{signame->} from %{saddr}/%{sport->} to %{daddr}/%{dport->} protocol %{protocol->} (%{interface})", processor_chain([ - dup58, - dup2, - dup3, - dup4, - dup5, - dup61, - ])); - - var dup342 = linear_select([ - dup74, - dup75, - ]); - - var dup343 = linear_select([ - dup81, - dup82, - ]); - - var dup344 = linear_select([ - 
dup24, - dup90, - ]); - - var dup345 = linear_select([ - dup94, - dup95, - ]); - - var dup346 = linear_select([ - dup98, - dup99, - ]); - - var dup347 = linear_select([ - dup100, - dup101, - dup102, - ]); - - var dup348 = linear_select([ - dup113, - dup114, - ]); - - var dup349 = linear_select([ - dup111, - dup16, - ]); - - var dup350 = linear_select([ - dup127, - dup107, - ]); - - var dup351 = linear_select([ - dup8, - dup21, - ]); - - var dup352 = linear_select([ - dup122, - dup133, - ]); - - var dup353 = linear_select([ - dup142, - dup143, - ]); - - var dup354 = linear_select([ - dup145, - dup21, - ]); - - var dup355 = linear_select([ - dup127, - dup106, - ]); - - var dup356 = linear_select([ - dup152, - dup96, - ]); - - var dup357 = linear_select([ - dup154, - dup155, - ]); - - var dup358 = linear_select([ - dup156, - dup157, - ]); - - var dup359 = linear_select([ - dup99, - dup134, - ]); - - var dup360 = linear_select([ - dup158, - dup159, - ]); - - var dup361 = linear_select([ - dup161, - dup162, - ]); - - var dup362 = linear_select([ - dup163, - dup103, - ]); - - var dup363 = linear_select([ - dup162, - dup161, - ]); - - var dup364 = linear_select([ - dup46, - dup47, - ]); - - var dup365 = linear_select([ - dup166, - dup167, - ]); - - var dup366 = linear_select([ - dup172, - dup173, - ]); - - var dup367 = linear_select([ - dup174, - dup175, - dup176, - dup177, - dup178, - dup179, - dup180, - dup181, - dup182, - ]); - - var dup368 = linear_select([ - dup49, - dup21, - ]); - - var dup369 = linear_select([ - dup189, - dup190, - ]); - - var dup370 = linear_select([ - dup96, - dup152, - ]); - - var dup371 = linear_select([ - dup196, - dup197, - ]); - - var dup372 = linear_select([ - dup24, - dup200, - ]); - - var dup373 = linear_select([ - dup103, - dup163, - ]); - - var dup374 = linear_select([ - dup205, - dup118, - ]); - - var dup375 = match("MESSAGE#477:00030:02", "nwparser.payload", "%{change_attribute->} has been changed from %{change_old->} to 
%{change_new}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var dup376 = linear_select([ - dup212, - dup213, - ]); - - var dup377 = linear_select([ - dup215, - dup216, - ]); - - var dup378 = linear_select([ - dup222, - dup215, - ]); - - var dup379 = linear_select([ - dup224, - dup225, - ]); - - var dup380 = linear_select([ - dup231, - dup124, - ]); - - var dup381 = linear_select([ - dup229, - dup230, - ]); - - var dup382 = linear_select([ - dup233, - dup234, - ]); - - var dup383 = linear_select([ - dup236, - dup237, - ]); - - var dup384 = linear_select([ - dup242, - dup243, - ]); - - var dup385 = linear_select([ - dup245, - dup246, - ]); - - var dup386 = linear_select([ - dup247, - dup248, - ]); - - var dup387 = linear_select([ - dup249, - dup250, - ]); - - var dup388 = linear_select([ - dup251, - dup252, - ]); - - var dup389 = linear_select([ - dup260, - dup261, - ]); - - var dup390 = linear_select([ - dup264, - dup265, - ]); - - var dup391 = linear_select([ - dup268, - dup269, - ]); - - var dup392 = match("MESSAGE#716:00074", "nwparser.payload", "The local device %{fld2->} in the Virtual Security Device group %{group->} %{info}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var dup393 = linear_select([ - dup284, - dup285, - ]); - - var dup394 = linear_select([ - dup287, - dup288, - ]); - - var dup395 = match("MESSAGE#799:00435", "nwparser.payload", "%{signame->} From %{saddr->} to %{daddr}, using protocol %{protocol}, and arriving at interface %{dinterface->} in zone %{dst_zone}.%{space}The attack occurred %{dclass_counter1->} times.", processor_chain([ - dup58, - dup2, - dup59, - dup4, - dup5, - dup3, - dup60, - ])); - - var dup396 = match("MESSAGE#814:00442", "nwparser.payload", "%{signame->} From %{saddr->} to zone %{zone}, proto %{protocol->} (int %{interface}). Occurred %{dclass_counter1->} times. 
(%{fld1})", processor_chain([ - dup58, - dup4, - dup59, - dup5, - dup9, - dup2, - dup3, - dup60, - ])); - - var dup397 = linear_select([ - dup300, - dup26, - ]); - - var dup398 = linear_select([ - dup115, - dup303, - ]); - - var dup399 = linear_select([ - dup125, - dup96, - ]); - - var dup400 = linear_select([ - dup189, - dup308, - dup309, - ]); - - var dup401 = linear_select([ - dup310, - dup16, - ]); - - var dup402 = linear_select([ - dup317, - dup318, - ]); - - var dup403 = linear_select([ - dup319, - dup315, - ]); - - var dup404 = linear_select([ - dup322, - dup250, - ]); - - var dup405 = linear_select([ - dup327, - dup329, - ]); - - var dup406 = linear_select([ - dup330, - dup129, - ]); - - var dup407 = match("MESSAGE#1196:01269:01", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} direction=%{direction->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} icmp type=%{icmptype}", processor_chain([ - dup281, - dup2, - dup4, - dup5, - dup274, - dup3, - dup275, - dup60, - dup282, - ])); - - var dup408 = match("MESSAGE#1197:01269:02", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=Deny sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} icmp type=%{icmptype}", processor_chain([ - dup185, - dup2, - dup4, - dup5, - dup274, - dup3, - dup275, - dup276, - dup277, - dup60, - ])); - - var dup409 = match("MESSAGE#1198:01269:03", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} icmp type=%{icmptype}", processor_chain([ - dup281, - dup2, - dup4, - dup5, - dup274, - dup3, - dup275, - dup60, - 
dup282, - ])); - - var dup410 = match("MESSAGE#1203:23184", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} (%{fld3}) proto=%{protocol->} direction=%{direction->} action=Deny sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport}", processor_chain([ - dup185, - dup2, - dup4, - dup5, - dup274, - dup3, - dup275, - dup276, - dup277, - dup61, - ])); - - var dup411 = all_match({ - processors: [ - dup263, - dup390, - dup266, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var dup412 = all_match({ - processors: [ - dup267, - dup391, - dup270, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var dup413 = all_match({ - processors: [ - dup80, - dup343, - dup293, - ], - on_success: processor_chain([ - dup58, - dup2, - dup59, - dup3, - dup4, - dup5, - dup61, - ]), - }); - - var dup414 = all_match({ - processors: [ - dup296, - dup343, - dup131, - ], - on_success: processor_chain([ - dup297, - dup2, - dup3, - dup9, - dup59, - dup4, - dup5, - dup61, - ]), - }); - - var dup415 = all_match({ - processors: [ - dup298, - dup343, - dup131, - ], - on_success: processor_chain([ - dup297, - dup2, - dup3, - dup9, - dup59, - dup4, - dup5, - dup61, - ]), - }); - - var hdr1 = match("HEADER#0:0001", "message", "%{hfld1}: NetScreen device_id=%{hfld2->} [No Name]system-%{hseverity}-%{messageid}(%{hfld3}): %{payload}", processor_chain([ - setc("header_id","0001"), - ])); - - var hdr2 = match("HEADER#1:0003", "message", "%{hfld1}: NetScreen device_id=%{hfld2->} [%{hvsys}]system-%{hseverity}-%{messageid}(%{hfld3}): %{payload}", processor_chain([ - setc("header_id","0003"), - ])); - - var hdr3 = match("HEADER#2:0004", "message", "%{hfld1}: NetScreen device_id=%{hfld2->} system-%{hseverity}-%{messageid}(%{hfld3}): %{payload}", processor_chain([ - setc("header_id","0004"), - ])); - - var hdr4 = 
match("HEADER#3:0002/0", "message", "%{hfld1}: NetScreen device_id=%{hfld2->} %{p0}"); - - var part1 = match("HEADER#3:0002/1_0", "nwparser.p0", "[No Name]system%{p0}"); - - var part2 = match("HEADER#3:0002/1_1", "nwparser.p0", "[%{hvsys}]system%{p0}"); - - var part3 = match("HEADER#3:0002/1_2", "nwparser.p0", "system%{p0}"); - - var select1 = linear_select([ - part1, - part2, - part3, - ]); - - var part4 = match("HEADER#3:0002/2", "nwparser.p0", "-%{hseverity}-%{messageid}: %{payload}"); - - var all1 = all_match({ - processors: [ - hdr4, - select1, - part4, - ], - on_success: processor_chain([ - setc("header_id","0002"), - ]), - }); - - var select2 = linear_select([ - hdr1, - hdr2, - hdr3, - all1, - ]); - - var part5 = match("MESSAGE#0:00001", "nwparser.payload", "%{zone->} address %{interface->} with ip address %{hostip->} has been %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1 = msg("00001", part5); - - var part6 = match("MESSAGE#1:00001:01", "nwparser.payload", "%{zone->} address %{interface->} with domain name %{domain->} has been %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg2 = msg("00001:01", part6); - - var part7 = match("MESSAGE#2:00001:02/1_0", "nwparser.p0", "ip address %{hostip->} in zone %{p0}"); - - var select3 = linear_select([ - part7, - dup7, - ]); - - var part8 = match("MESSAGE#2:00001:02/2", "nwparser.p0", "%{zone->} has been %{disposition}"); - - var all2 = all_match({ - processors: [ - dup6, - select3, - part8, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg3 = msg("00001:02", all2); - - var part9 = match("MESSAGE#3:00001:03", "nwparser.payload", "arp entry %{hostip->} interface changed!", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg4 = msg("00001:03", part9); - - var part10 = match("MESSAGE#4:00001:04/1_0", "nwparser.p0", "IP address %{hostip->} in zone %{p0}"); - - 
var select4 = linear_select([ - part10, - dup7, - ]); - - var part11 = match("MESSAGE#4:00001:04/2", "nwparser.p0", "%{zone->} has been %{disposition->} by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport->} session%{p0}"); - - var part12 = match("MESSAGE#4:00001:04/3_1", "nwparser.p0", ".%{fld1}"); - - var select5 = linear_select([ - dup8, - part12, - ]); - - var all3 = all_match({ - processors: [ - dup6, - select4, - part11, - select5, - ], - on_success: processor_chain([ - dup1, - dup9, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg5 = msg("00001:04", all3); - - var part13 = match("MESSAGE#5:00001:05/0", "nwparser.payload", "%{fld2}: Address %{group_object->} for ip address %{hostip->} in zone %{zone->} has been %{disposition->} from host %{saddr->} session %{p0}"); - - var all4 = all_match({ - processors: [ - part13, - dup333, - ], - on_success: processor_chain([ - dup1, - dup9, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg6 = msg("00001:05", all4); - - var part14 = match("MESSAGE#6:00001:06", "nwparser.payload", "Address group %{group_object->} %{info}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg7 = msg("00001:06", part14); - - var msg8 = msg("00001:07", dup334); - - var part15 = match("MESSAGE#8:00001:08/2", "nwparser.p0", "for IP address %{hostip}/%{mask->} in zone %{zone->} has been %{disposition->} by %{p0}"); - - var part16 = match("MESSAGE#8:00001:08/4", "nwparser.p0", "%{} %{username}via NSRP Peer session. (%{fld1})"); - - var all5 = all_match({ - processors: [ - dup12, - dup335, - part15, - dup336, - part16, - ], - on_success: processor_chain([ - dup1, - dup9, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg9 = msg("00001:08", all5); - - var part17 = match("MESSAGE#9:00001:09/2", "nwparser.p0", "for IP address %{hostip}/%{mask->} in zone %{zone->} has been %{disposition->} by %{username->} via %{logon_type->} from host %{saddr}:%{sport->} session. 
(%{fld1})"); - - var all6 = all_match({ - processors: [ - dup12, - dup335, - part17, - ], - on_success: processor_chain([ - dup1, - dup9, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg10 = msg("00001:09", all6); - - var select6 = linear_select([ - msg1, - msg2, - msg3, - msg4, - msg5, - msg6, - msg7, - msg8, - msg9, - msg10, - ]); - - var part18 = match("MESSAGE#10:00002:03", "nwparser.payload", "Admin user %{administrator->} has been %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg11 = msg("00002:03", part18); - - var part19 = match("MESSAGE#11:00002:04", "nwparser.payload", "E-mail address %{user_address->} has been %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg12 = msg("00002:04", part19); - - var part20 = match("MESSAGE#12:00002:05", "nwparser.payload", "E-mail notification has been %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg13 = msg("00002:05", part20); - - var part21 = match("MESSAGE#13:00002:06", "nwparser.payload", "Inclusion of traffic logs with e-mail notification of event alarms has been %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg14 = msg("00002:06", part21); - - var part22 = match("MESSAGE#14:00002:07", "nwparser.payload", "LCD display has been %{action->} and the LCD control keys have been %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg15 = msg("00002:07", part22); - - var part23 = match("MESSAGE#15:00002:55", "nwparser.payload", "HTTP component blocking for %{fld2->} is %{disposition->} on zone %{zone->} by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport}. 
(%{fld1})", processor_chain([ - dup1, - dup2, - dup4, - dup5, - dup9, - ])); - - var msg16 = msg("00002:55", part23); - - var part24 = match("MESSAGE#16:00002:08", "nwparser.payload", "LCD display has been %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg17 = msg("00002:08", part24); - - var part25 = match("MESSAGE#17:00002:09", "nwparser.payload", "LCD control keys have been %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg18 = msg("00002:09", part25); - - var part26 = match("MESSAGE#18:00002:10", "nwparser.payload", "Mail server %{hostip->} has been %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg19 = msg("00002:10", part26); - - var part27 = match("MESSAGE#19:00002:11", "nwparser.payload", "Management restriction for %{hostip->} %{fld2->} has been %{disposition}", processor_chain([ - dup17, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg20 = msg("00002:11", part27); - - var part28 = match("MESSAGE#20:00002:12", "nwparser.payload", "%{change_attribute->} has been restored from %{change_old->} to default port %{change_new}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg21 = msg("00002:12", part28); - - var part29 = match("MESSAGE#21:00002:15", "nwparser.payload", "System configuration has been %{disposition}", processor_chain([ - dup18, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg22 = msg("00002:15", part29); - - var msg23 = msg("00002:17", dup334); - - var part30 = match("MESSAGE#23:00002:18/0", "nwparser.payload", "Unexpected error from e%{p0}"); - - var part31 = match("MESSAGE#23:00002:18/1_0", "nwparser.p0", "-mail %{p0}"); - - var part32 = match("MESSAGE#23:00002:18/1_1", "nwparser.p0", "mail %{p0}"); - - var select7 = linear_select([ - part31, - part32, - ]); - - var part33 = match("MESSAGE#23:00002:18/2", "nwparser.p0", "server(%{fld2}):"); - - var all7 = all_match({ - processors: [ - 
part30, - select7, - part33, - ], - on_success: processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg24 = msg("00002:18", all7); - - var part34 = match("MESSAGE#24:00002:19", "nwparser.payload", "Web Admin %{change_attribute->} value has been changed from %{change_old->} to %{change_new}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg25 = msg("00002:19", part34); - - var part35 = match("MESSAGE#25:00002:20/0", "nwparser.payload", "Root admin password restriction of minimum %{fld2->} characters has been %{disposition->} by admin %{administrator->} %{p0}"); - - var part36 = match("MESSAGE#25:00002:20/1_0", "nwparser.p0", "from Console %{}"); - - var select8 = linear_select([ - part36, - dup20, - dup21, - ]); - - var all8 = all_match({ - processors: [ - part35, - select8, - ], - on_success: processor_chain([ - dup22, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg26 = msg("00002:20", all8); - - var part37 = match("MESSAGE#26:00002:21/0_0", "nwparser.payload", "Root admin %{p0}"); - - var part38 = match("MESSAGE#26:00002:21/0_1", "nwparser.payload", "%{fld2->} admin %{p0}"); - - var select9 = linear_select([ - part37, - part38, - ]); - - var select10 = linear_select([ - dup24, - dup25, - ]); - - var part39 = match("MESSAGE#26:00002:21/3", "nwparser.p0", "has been changed by admin %{administrator}"); - - var all9 = all_match({ - processors: [ - select9, - dup23, - select10, - part39, - ], - on_success: processor_chain([ - dup22, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg27 = msg("00002:21", all9); - - var part40 = match("MESSAGE#27:00002:22/0", "nwparser.payload", "%{change_attribute->} from %{protocol->} before administrative session disconnects has been changed from %{change_old->} to %{change_new->} by admin %{p0}"); - - var part41 = match("MESSAGE#27:00002:22/1_0", "nwparser.p0", "%{administrator->} from Console"); - - var part42 = match("MESSAGE#27:00002:22/1_1", "nwparser.p0", 
"%{administrator->} from host %{saddr}"); - - var select11 = linear_select([ - part41, - part42, - dup26, - ]); - - var all10 = all_match({ - processors: [ - part40, - select11, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg28 = msg("00002:22", all10); - - var part43 = match("MESSAGE#28:00002:23/0", "nwparser.payload", "Root admin access restriction through console only has been %{disposition->} by admin %{administrator->} %{p0}"); - - var part44 = match("MESSAGE#28:00002:23/1_1", "nwparser.p0", "from Console%{}"); - - var select12 = linear_select([ - dup20, - part44, - dup21, - ]); - - var all11 = all_match({ - processors: [ - part43, - select12, - ], - on_success: processor_chain([ - dup22, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg29 = msg("00002:23", all11); - - var part45 = match("MESSAGE#29:00002:24/0", "nwparser.payload", "Admin access restriction of %{protocol->} administration through tunnel only has been %{disposition->} by admin %{administrator->} from %{p0}"); - - var part46 = match("MESSAGE#29:00002:24/1_0", "nwparser.p0", "host %{saddr}"); - - var part47 = match("MESSAGE#29:00002:24/1_1", "nwparser.p0", "Console%{}"); - - var select13 = linear_select([ - part46, - part47, - ]); - - var all12 = all_match({ - processors: [ - part45, - select13, - ], - on_success: processor_chain([ - dup22, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg30 = msg("00002:24", all12); - - var part48 = match("MESSAGE#30:00002:25", "nwparser.payload", "Admin AUTH: Local instance of an %{change_attribute->} has been changed from %{change_old->} to %{change_new}", processor_chain([ - setc("eventcategory","1402000000"), - dup2, - dup3, - dup4, - dup5, - ])); - - var msg31 = msg("00002:25", part48); - - var part49 = match("MESSAGE#31:00002:26", "nwparser.payload", "Cannot connect to e-mail server %{hostip}.", processor_chain([ - dup27, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg32 = msg("00002:26", 
part49); - - var part50 = match("MESSAGE#32:00002:27", "nwparser.payload", "Mail server is not configured.%{}", processor_chain([ - dup18, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg33 = msg("00002:27", part50); - - var part51 = match("MESSAGE#33:00002:28", "nwparser.payload", "Mail recipients were not configured.%{}", processor_chain([ - dup18, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg34 = msg("00002:28", part51); - - var part52 = match("MESSAGE#34:00002:29", "nwparser.payload", "Single use password restriction for read-write administrators has been %{disposition->} by admin %{administrator}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg35 = msg("00002:29", part52); - - var part53 = match("MESSAGE#35:00002:30", "nwparser.payload", "Admin user \"%{administrator}\" logged in for %{logon_type}(%{network_service}) management (port %{network_port}) from %{saddr}:%{sport}", processor_chain([ - dup28, - dup29, - dup30, - dup31, - dup32, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg36 = msg("00002:30", part53); - - var part54 = match("MESSAGE#36:00002:41", "nwparser.payload", "Admin user \"%{administrator}\" logged out for %{logon_type}(%{network_service}) management (port %{network_port}) from %{saddr}:%{sport}", processor_chain([ - dup33, - dup29, - dup34, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg37 = msg("00002:41", part54); - - var part55 = match("MESSAGE#37:00002:31", "nwparser.payload", "Admin user \"%{administrator}\" login attempt for %{logon_type->} %{space->} (%{network_service}) management (port %{network_port}) from %{saddr}:%{sport->} %{disposition}", processor_chain([ - dup35, - dup29, - dup30, - dup31, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg38 = msg("00002:31", part55); - - var part56 = match("MESSAGE#38:00002:32/0_0", "nwparser.payload", "E-mail notification %{p0}"); - - var part57 = match("MESSAGE#38:00002:32/0_1", "nwparser.payload", "Transparent virutal %{p0}"); - - var select14 = 
linear_select([ - part56, - part57, - ]); - - var part58 = match("MESSAGE#38:00002:32/1", "nwparser.p0", "wire mode has been %{disposition}"); - - var all13 = all_match({ - processors: [ - select14, - part58, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg39 = msg("00002:32", all13); - - var part59 = match("MESSAGE#39:00002:35", "nwparser.payload", "Malicious URL %{url->} has been %{disposition->} for zone %{zone}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg40 = msg("00002:35", part59); - - var part60 = match("MESSAGE#40:00002:36/0", "nwparser.payload", "Bypass%{p0}"); - - var part61 = match("MESSAGE#40:00002:36/1_0", "nwparser.p0", "-others-IPSec %{p0}"); - - var part62 = match("MESSAGE#40:00002:36/1_1", "nwparser.p0", " non-IP traffic %{p0}"); - - var select15 = linear_select([ - part61, - part62, - ]); - - var part63 = match("MESSAGE#40:00002:36/2", "nwparser.p0", "option has been %{disposition}"); - - var all14 = all_match({ - processors: [ - part60, - select15, - part63, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg41 = msg("00002:36", all14); - - var part64 = match("MESSAGE#41:00002:37/0", "nwparser.payload", "Logging of %{p0}"); - - var part65 = match("MESSAGE#41:00002:37/1_0", "nwparser.p0", "dropped %{p0}"); - - var part66 = match("MESSAGE#41:00002:37/1_1", "nwparser.p0", "IKE %{p0}"); - - var part67 = match("MESSAGE#41:00002:37/1_2", "nwparser.p0", "SNMP %{p0}"); - - var part68 = match("MESSAGE#41:00002:37/1_3", "nwparser.p0", "ICMP %{p0}"); - - var select16 = linear_select([ - part65, - part66, - part67, - part68, - ]); - - var part69 = match("MESSAGE#41:00002:37/2", "nwparser.p0", "traffic to self has been %{disposition}"); - - var all15 = all_match({ - processors: [ - part64, - select16, - part69, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg42 = 
msg("00002:37", all15); - - var part70 = match("MESSAGE#42:00002:38/0", "nwparser.payload", "Logging of dropped traffic to self (excluding multicast) has been %{p0}"); - - var part71 = match("MESSAGE#42:00002:38/1_0", "nwparser.p0", "%{disposition->} on %{zone}"); - - var select17 = linear_select([ - part71, - dup36, - ]); - - var all16 = all_match({ - processors: [ - part70, - select17, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg43 = msg("00002:38", all16); - - var part72 = match("MESSAGE#43:00002:39", "nwparser.payload", "Traffic shaping is %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg44 = msg("00002:39", part72); - - var part73 = match("MESSAGE#44:00002:40", "nwparser.payload", "Admin account created for '%{username}' by %{administrator->} via %{logon_type->} from host %{saddr->} (%{fld1})", processor_chain([ - dup37, - dup29, - setc("ec_activity","Create"), - dup38, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg45 = msg("00002:40", part73); - - var part74 = match("MESSAGE#45:00002:44", "nwparser.payload", "ADMIN AUTH: Privilege requested for unknown user %{username}. 
Possible HA syncronization problem.", processor_chain([ - dup35, - dup31, - dup39, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg46 = msg("00002:44", part74); - - var part75 = match("MESSAGE#46:00002:42/0", "nwparser.payload", "%{change_attribute->} for account '%{change_old}' has been %{disposition->} to '%{change_new}' %{p0}"); - - var part76 = match("MESSAGE#46:00002:42/1_0", "nwparser.p0", "by %{administrator->} via %{p0}"); - - var select18 = linear_select([ - part76, - dup40, - ]); - - var part77 = match("MESSAGE#46:00002:42/2", "nwparser.p0", "%{logon_type->} from host %{p0}"); - - var part78 = match("MESSAGE#46:00002:42/3_0", "nwparser.p0", "%{saddr->} to %{daddr}:%{dport->} (%{p0}"); - - var part79 = match("MESSAGE#46:00002:42/3_1", "nwparser.p0", "%{saddr}:%{sport->} (%{p0}"); - - var select19 = linear_select([ - part78, - part79, - ]); - - var all17 = all_match({ - processors: [ - part75, - select18, - part77, - select19, - dup41, - ], - on_success: processor_chain([ - dup42, - dup43, - dup38, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg47 = msg("00002:42", all17); - - var part80 = match("MESSAGE#47:00002:43/0", "nwparser.payload", "Admin account %{disposition->} for %{p0}"); - - var part81 = match("MESSAGE#47:00002:43/1_0", "nwparser.p0", "'%{username}'%{p0}"); - - var part82 = match("MESSAGE#47:00002:43/1_1", "nwparser.p0", "\"%{username}\"%{p0}"); - - var select20 = linear_select([ - part81, - part82, - ]); - - var part83 = match("MESSAGE#47:00002:43/2", "nwparser.p0", "%{}by %{administrator->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport->} (%{fld1})"); - - var all18 = all_match({ - processors: [ - part80, - select20, - part83, - ], - on_success: processor_chain([ - dup42, - dup29, - dup43, - dup38, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg48 = msg("00002:43", all18); - - var part84 = match("MESSAGE#48:00002:50", "nwparser.payload", "Admin account %{disposition->} for \"%{username}\" by 
%{administrator->} via %{logon_type->} from host %{saddr}:%{sport->} (%{fld1})", processor_chain([ - dup42, - dup29, - dup43, - dup38, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg49 = msg("00002:50", part84); - - var part85 = match("MESSAGE#49:00002:51", "nwparser.payload", "Admin account %{disposition->} for \"%{username}\" by %{administrator->} %{fld2->} via %{logon_type->} (%{fld1})", processor_chain([ - dup42, - dup29, - dup43, - dup38, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg50 = msg("00002:51", part85); - - var part86 = match("MESSAGE#50:00002:45", "nwparser.payload", "Extraneous exit is issued by %{username->} via %{logon_type->} from host %{saddr}:%{sport->} (%{fld1})", processor_chain([ - dup44, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg51 = msg("00002:45", part86); - - var part87 = match("MESSAGE#51:00002:47/0_0", "nwparser.payload", "Ping of Death attack protection %{p0}"); - - var part88 = match("MESSAGE#51:00002:47/0_1", "nwparser.payload", "Src Route IP option filtering %{p0}"); - - var part89 = match("MESSAGE#51:00002:47/0_2", "nwparser.payload", "Teardrop attack protection %{p0}"); - - var part90 = match("MESSAGE#51:00002:47/0_3", "nwparser.payload", "Land attack protection %{p0}"); - - var part91 = match("MESSAGE#51:00002:47/0_4", "nwparser.payload", "SYN flood protection %{p0}"); - - var select21 = linear_select([ - part87, - part88, - part89, - part90, - part91, - ]); - - var part92 = match("MESSAGE#51:00002:47/1", "nwparser.p0", "is %{disposition->} on zone %{zone->} by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport}. 
(%{fld1})"); - - var all19 = all_match({ - processors: [ - select21, - part92, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg52 = msg("00002:47", all19); - - var part93 = match("MESSAGE#52:00002:48/0", "nwparser.payload", "Dropping pkts if not %{p0}"); - - var part94 = match("MESSAGE#52:00002:48/1_0", "nwparser.p0", "exactly same with incoming if %{p0}"); - - var part95 = match("MESSAGE#52:00002:48/1_1", "nwparser.p0", "in route table %{p0}"); - - var select22 = linear_select([ - part94, - part95, - ]); - - var part96 = match("MESSAGE#52:00002:48/2", "nwparser.p0", "(IP spoof protection) is %{disposition->} on zone %{zone->} by %{username->} via %{p0}"); - - var part97 = match("MESSAGE#52:00002:48/3_0", "nwparser.p0", "NSRP Peer. (%{p0}"); - - var select23 = linear_select([ - part97, - dup45, - ]); - - var all20 = all_match({ - processors: [ - part93, - select22, - part96, - select23, - dup41, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg53 = msg("00002:48", all20); - - var part98 = match("MESSAGE#53:00002:52/0", "nwparser.payload", "%{signame->} %{p0}"); - - var part99 = match("MESSAGE#53:00002:52/1_0", "nwparser.p0", "protection%{p0}"); - - var part100 = match("MESSAGE#53:00002:52/1_1", "nwparser.p0", "limiting%{p0}"); - - var part101 = match("MESSAGE#53:00002:52/1_2", "nwparser.p0", "detection%{p0}"); - - var part102 = match("MESSAGE#53:00002:52/1_3", "nwparser.p0", "filtering %{p0}"); - - var select24 = linear_select([ - part99, - part100, - part101, - part102, - ]); - - var part103 = match("MESSAGE#53:00002:52/2", "nwparser.p0", "%{}is %{disposition->} on zone %{zone->} by %{p0}"); - - var part104 = match("MESSAGE#53:00002:52/3_1", "nwparser.p0", "admin via %{p0}"); - - var select25 = linear_select([ - dup46, - part104, - dup47, - ]); - - var select26 = linear_select([ - dup48, - dup45, - ]); - - var all21 = all_match({ - processors: [ - 
part98, - select24, - part103, - select25, - select26, - dup41, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg54 = msg("00002:52", all21); - - var part105 = match("MESSAGE#54:00002:53", "nwparser.payload", "Admin password for account \"%{username}\" has been %{disposition->} by %{administrator->} via %{logon_type->} (%{fld1})", processor_chain([ - dup42, - dup43, - dup38, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg55 = msg("00002:53", part105); - - var part106 = match("MESSAGE#55:00002:54/0", "nwparser.payload", "Traffic shaping clearing DSCP selector is turned O%{p0}"); - - var part107 = match("MESSAGE#55:00002:54/1_0", "nwparser.p0", "FF%{p0}"); - - var part108 = match("MESSAGE#55:00002:54/1_1", "nwparser.p0", "N%{p0}"); - - var select27 = linear_select([ - part107, - part108, - ]); - - var all22 = all_match({ - processors: [ - part106, - select27, - dup49, - ], - on_success: processor_chain([ - dup50, - dup43, - dup51, - dup2, - dup3, - dup4, - dup5, - dup9, - ]), - }); - - var msg56 = msg("00002:54", all22); - - var part109 = match("MESSAGE#56:00002/0", "nwparser.payload", "%{change_attribute->} %{p0}"); - - var part110 = match("MESSAGE#56:00002/1_0", "nwparser.p0", "has been changed%{p0}"); - - var select28 = linear_select([ - part110, - dup52, - ]); - - var part111 = match("MESSAGE#56:00002/2", "nwparser.p0", "%{}from %{change_old->} to %{change_new}"); - - var all23 = all_match({ - processors: [ - part109, - select28, - part111, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg57 = msg("00002", all23); - - var part112 = match("MESSAGE#1215:00002:56", "nwparser.payload", "Admin user \"%{administrator}\" login attempt for %{logon_type}(%{network_service}) management (port %{network_port}) from %{saddr}:%{sport->} failed. 
(%{fld1})", processor_chain([ - dup53, - dup9, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg58 = msg("00002:56", part112); - - var select29 = linear_select([ - msg11, - msg12, - msg13, - msg14, - msg15, - msg16, - msg17, - msg18, - msg19, - msg20, - msg21, - msg22, - msg23, - msg24, - msg25, - msg26, - msg27, - msg28, - msg29, - msg30, - msg31, - msg32, - msg33, - msg34, - msg35, - msg36, - msg37, - msg38, - msg39, - msg40, - msg41, - msg42, - msg43, - msg44, - msg45, - msg46, - msg47, - msg48, - msg49, - msg50, - msg51, - msg52, - msg53, - msg54, - msg55, - msg56, - msg57, - msg58, - ]); - - var part113 = match("MESSAGE#57:00003", "nwparser.payload", "Multiple authentication failures have been detected! From %{saddr}:%{sport->} to %{daddr}:%{dport->} using protocol %{protocol->} on interface %{interface}", processor_chain([ - dup53, - dup31, - dup54, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg59 = msg("00003", part113); - - var part114 = match("MESSAGE#58:00003:01", "nwparser.payload", "Multiple authentication failures have been detected!%{}", processor_chain([ - dup53, - dup31, - dup54, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg60 = msg("00003:01", part114); - - var part115 = match("MESSAGE#59:00003:02", "nwparser.payload", "The console debug buffer has been %{disposition}", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg61 = msg("00003:02", part115); - - var part116 = match("MESSAGE#60:00003:03", "nwparser.payload", "%{change_attribute->} changed from %{change_old->} to %{change_new}.", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg62 = msg("00003:03", part116); - - var part117 = match("MESSAGE#61:00003:05/1_0", "nwparser.p0", "serial%{p0}"); - - var part118 = match("MESSAGE#61:00003:05/1_1", "nwparser.p0", "local%{p0}"); - - var select30 = linear_select([ - part117, - part118, - ]); - - var part119 = match("MESSAGE#61:00003:05/2", "nwparser.p0", "%{}console has been 
%{disposition->} by admin %{administrator}."); - - var all24 = all_match({ - processors: [ - dup55, - select30, - part119, - ], - on_success: processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg63 = msg("00003:05", all24); - - var select31 = linear_select([ - msg59, - msg60, - msg61, - msg62, - msg63, - ]); - - var part120 = match("MESSAGE#62:00004", "nwparser.payload", "%{info}DNS server IP has been changed", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg64 = msg("00004", part120); - - var part121 = match("MESSAGE#63:00004:01", "nwparser.payload", "DNS cache table has been %{disposition}", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg65 = msg("00004:01", part121); - - var part122 = match("MESSAGE#64:00004:02", "nwparser.payload", "Daily DNS lookup has been %{disposition}", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg66 = msg("00004:02", part122); - - var part123 = match("MESSAGE#65:00004:03", "nwparser.payload", "Daily DNS lookup time has been %{disposition}", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg67 = msg("00004:03", part123); - - var part124 = match("MESSAGE#66:00004:04/0", "nwparser.payload", "%{signame->} has been detected! 
From %{saddr->} to %{daddr->} using protocol %{protocol->} on %{p0}"); - - var part125 = match("MESSAGE#66:00004:04/2", "nwparser.p0", "%{} %{interface->} %{space}The attack occurred %{dclass_counter1->} times"); - - var all25 = all_match({ - processors: [ - part124, - dup337, - part125, - ], - on_success: processor_chain([ - dup58, - dup2, - dup4, - dup5, - dup59, - dup3, - dup60, - ]), - }); - - var msg68 = msg("00004:04", all25); - - var part126 = match("MESSAGE#67:00004:05", "nwparser.payload", "%{signame->} from %{saddr}/%{sport->} to %{daddr}/%{dport->} protocol %{protocol}", processor_chain([ - dup58, - dup2, - dup4, - dup5, - dup3, - dup61, - ])); - - var msg69 = msg("00004:05", part126); - - var part127 = match("MESSAGE#68:00004:06", "nwparser.payload", "DNS lookup time has been changed to start at %{fld2}:%{fld3->} with an interval of %{fld4}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg70 = msg("00004:06", part127); - - var part128 = match("MESSAGE#69:00004:07", "nwparser.payload", "DNS cache table entries have been refreshed as result of external event.%{}", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg71 = msg("00004:07", part128); - - var part129 = match("MESSAGE#70:00004:08", "nwparser.payload", "DNS Proxy module has been %{disposition}.", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg72 = msg("00004:08", part129); - - var part130 = match("MESSAGE#71:00004:09", "nwparser.payload", "DNS Proxy module has more concurrent client requests than allowed.%{}", processor_chain([ - dup62, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg73 = msg("00004:09", part130); - - var part131 = match("MESSAGE#72:00004:10", "nwparser.payload", "DNS Proxy server select table entries exceeded maximum limit.%{}", processor_chain([ - dup62, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg74 = msg("00004:10", part131); - - var part132 = match("MESSAGE#73:00004:11", 
"nwparser.payload", "Proxy server select table added with domain %{domain}, interface %{interface}, primary-ip %{fld2}, secondary-ip %{fld3}, tertiary-ip %{fld4}, failover %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg75 = msg("00004:11", part132); - - var part133 = match("MESSAGE#74:00004:12", "nwparser.payload", "DNS Proxy server select table entry %{disposition->} with domain %{domain}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg76 = msg("00004:12", part133); - - var part134 = match("MESSAGE#75:00004:13", "nwparser.payload", "DDNS server %{domain->} returned incorrect ip %{fld2}, local-ip should be %{fld3}", processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg77 = msg("00004:13", part134); - - var part135 = match("MESSAGE#76:00004:14/1_0", "nwparser.p0", "automatically refreshed %{p0}"); - - var part136 = match("MESSAGE#76:00004:14/1_1", "nwparser.p0", "refreshed by HA %{p0}"); - - var select32 = linear_select([ - part135, - part136, - ]); - - var all26 = all_match({ - processors: [ - dup63, - select32, - dup49, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg78 = msg("00004:14", all26); - - var part137 = match("MESSAGE#77:00004:15", "nwparser.payload", "DNS entries have been refreshed as result of DNS server address change. (%{fld1})", processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg79 = msg("00004:15", part137); - - var part138 = match("MESSAGE#78:00004:16", "nwparser.payload", "DNS entries have been manually refreshed. 
(%{fld1})", processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg80 = msg("00004:16", part138); - - var all27 = all_match({ - processors: [ - dup64, - dup338, - dup67, - ], - on_success: processor_chain([ - dup58, - dup2, - dup4, - dup59, - dup9, - dup5, - dup3, - dup60, - ]), - }); - - var msg81 = msg("00004:17", all27); - - var select33 = linear_select([ - msg64, - msg65, - msg66, - msg67, - msg68, - msg69, - msg70, - msg71, - msg72, - msg73, - msg74, - msg75, - msg76, - msg77, - msg78, - msg79, - msg80, - msg81, - ]); - - var part139 = match("MESSAGE#80:00005", "nwparser.payload", "%{signame->} alarm threshold from the same source has been changed to %{trigger_val}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg82 = msg("00005", part139); - - var part140 = match("MESSAGE#81:00005:01", "nwparser.payload", "Logging of %{fld2->} traffic to self has been %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg83 = msg("00005:01", part140); - - var part141 = match("MESSAGE#82:00005:02", "nwparser.payload", "SYN flood %{fld2->} has been changed to %{fld3}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg84 = msg("00005:02", part141); - - var part142 = match("MESSAGE#83:00005:03/0", "nwparser.payload", "%{signame->} has been detected! From %{saddr}:%{sport->} to %{daddr}:%{p0}"); - - var part143 = match("MESSAGE#83:00005:03/4", "nwparser.p0", "%{fld99}interface %{interface->} %{p0}"); - - var part144 = match("MESSAGE#83:00005:03/5_0", "nwparser.p0", "in zone %{zone}. 
%{p0}"); - - var select34 = linear_select([ - part144, - dup73, - ]); - - var part145 = match("MESSAGE#83:00005:03/6", "nwparser.p0", "%{space}The attack occurred %{dclass_counter1->} times"); - - var all28 = all_match({ - processors: [ - part142, - dup339, - dup70, - dup340, - part143, - select34, - part145, - ], - on_success: processor_chain([ - dup58, - dup2, - dup3, - dup4, - dup5, - dup59, - dup61, - ]), - }); - - var msg85 = msg("00005:03", all28); - - var msg86 = msg("00005:04", dup341); - - var part146 = match("MESSAGE#85:00005:05", "nwparser.payload", "SYN flood drop pak in %{fld2->} mode when receiving unknown dst mac has been %{disposition->} on %{zone}.", processor_chain([ - setc("eventcategory","1001020100"), - dup2, - dup3, - dup4, - dup5, - ])); - - var msg87 = msg("00005:05", part146); - - var part147 = match("MESSAGE#86:00005:06/1", "nwparser.p0", "flood timeout has been set to %{trigger_val->} on %{zone}."); - - var all29 = all_match({ - processors: [ - dup342, - part147, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg88 = msg("00005:06", all29); - - var part148 = match("MESSAGE#87:00005:07/0", "nwparser.payload", "SYN flood %{p0}"); - - var part149 = match("MESSAGE#87:00005:07/1_0", "nwparser.p0", "alarm threshold %{p0}"); - - var part150 = match("MESSAGE#87:00005:07/1_1", "nwparser.p0", "packet queue size %{p0}"); - - var part151 = match("MESSAGE#87:00005:07/1_3", "nwparser.p0", "attack threshold %{p0}"); - - var part152 = match("MESSAGE#87:00005:07/1_4", "nwparser.p0", "same source IP threshold %{p0}"); - - var select35 = linear_select([ - part149, - part150, - dup76, - part151, - part152, - ]); - - var part153 = match("MESSAGE#87:00005:07/2", "nwparser.p0", "is set to %{trigger_val}."); - - var all30 = all_match({ - processors: [ - part148, - select35, - part153, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg89 = msg("00005:07", all30); - 
- var part154 = match("MESSAGE#88:00005:08/1", "nwparser.p0", "flood same %{p0}"); - - var select36 = linear_select([ - dup77, - dup78, - ]); - - var part155 = match("MESSAGE#88:00005:08/3", "nwparser.p0", "ip threshold has been set to %{trigger_val->} on %{zone}."); - - var all31 = all_match({ - processors: [ - dup342, - part154, - select36, - part155, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg90 = msg("00005:08", all31); - - var part156 = match("MESSAGE#89:00005:09", "nwparser.payload", "Screen service %{service->} is %{disposition->} on interface %{interface}.", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg91 = msg("00005:09", part156); - - var part157 = match("MESSAGE#90:00005:10", "nwparser.payload", "Screen service %{service->} is %{disposition->} on %{zone}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg92 = msg("00005:10", part157); - - var part158 = match("MESSAGE#91:00005:11/0", "nwparser.payload", "The SYN flood %{p0}"); - - var part159 = match("MESSAGE#91:00005:11/1_0", "nwparser.p0", "alarm threshold%{}"); - - var part160 = match("MESSAGE#91:00005:11/1_1", "nwparser.p0", "packet queue size%{}"); - - var part161 = match("MESSAGE#91:00005:11/1_2", "nwparser.p0", "timeout value%{}"); - - var part162 = match("MESSAGE#91:00005:11/1_3", "nwparser.p0", "attack threshold%{}"); - - var part163 = match("MESSAGE#91:00005:11/1_4", "nwparser.p0", "same source IP%{}"); - - var select37 = linear_select([ - part159, - part160, - part161, - part162, - part163, - ]); - - var all32 = all_match({ - processors: [ - part158, - select37, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg93 = msg("00005:11", all32); - - var part164 = match("MESSAGE#92:00005:12", "nwparser.payload", "The SYN-ACK-ACK proxy threshold value has been set to %{trigger_val->} on %{interface}.", processor_chain([ - dup1, - dup2, - 
dup3, - dup4, - dup5, - ])); - - var msg94 = msg("00005:12", part164); - - var part165 = match("MESSAGE#93:00005:13", "nwparser.payload", "The session limit threshold has been set to %{trigger_val->} on %{zone}.", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg95 = msg("00005:13", part165); - - var part166 = match("MESSAGE#94:00005:14", "nwparser.payload", "syn proxy drop packet with unknown mac!%{}", processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg96 = msg("00005:14", part166); - - var part167 = match("MESSAGE#95:00005:15", "nwparser.payload", "%{signame->} alarm threshold has been changed to %{trigger_val}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg97 = msg("00005:15", part167); - - var part168 = match("MESSAGE#96:00005:16", "nwparser.payload", "%{signame->} threshold has been set to %{trigger_val->} on %{zone}.", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg98 = msg("00005:16", part168); - - var part169 = match("MESSAGE#97:00005:17/1_0", "nwparser.p0", "destination-based %{p0}"); - - var part170 = match("MESSAGE#97:00005:17/1_1", "nwparser.p0", "source-based %{p0}"); - - var select38 = linear_select([ - part169, - part170, - ]); - - var part171 = match("MESSAGE#97:00005:17/2", "nwparser.p0", "session-limit threshold has been set at %{trigger_val->} in zone %{zone}."); - - var all33 = all_match({ - processors: [ - dup79, - select38, - part171, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg99 = msg("00005:17", all33); - - var all34 = all_match({ - processors: [ - dup80, - dup343, - dup83, - ], - on_success: processor_chain([ - dup84, - dup2, - dup59, - dup9, - dup3, - dup4, - dup5, - dup61, - ]), - }); - - var msg100 = msg("00005:18", all34); - - var part172 = match("MESSAGE#99:00005:19", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to %{daddr}:%{dport}, using protocol 
%{protocol}, and arriving at interface %{dinterface->} in zone %{dst_zone}.The attack occurred %{dclass_counter1->} times.", processor_chain([ - dup84, - dup2, - dup3, - dup4, - dup5, - dup59, - dup61, - ])); - - var msg101 = msg("00005:19", part172); - - var part173 = match("MESSAGE#100:00005:20", "nwparser.payload", "%{signame->} From %{saddr->} to %{daddr}, proto %{protocol->} (zone %{zone->} int %{interface}).%{space->} Occurred %{fld2->} times. (%{fld1})\u003c\u003c%{fld6}>", processor_chain([ - dup84, - dup9, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg102 = msg("00005:20", part173); - - var select39 = linear_select([ - msg82, - msg83, - msg84, - msg85, - msg86, - msg87, - msg88, - msg89, - msg90, - msg91, - msg92, - msg93, - msg94, - msg95, - msg96, - msg97, - msg98, - msg99, - msg100, - msg101, - msg102, - ]); - - var part174 = match("MESSAGE#101:00006", "nwparser.payload", "%{signame->} has been detected! From %{saddr}:%{sport->} to %{daddr}:%{dport->} using protocol %{protocol->} on interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([ - dup85, - dup2, - dup3, - dup4, - dup59, - dup5, - dup61, - ])); - - var msg103 = msg("00006", part174); - - var part175 = match("MESSAGE#102:00006:01", "nwparser.payload", "Hostname set to \"%{hostname}\"", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg104 = msg("00006:01", part175); - - var part176 = match("MESSAGE#103:00006:02", "nwparser.payload", "Domain set to %{domain}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg105 = msg("00006:02", part176); - - var part177 = match("MESSAGE#104:00006:03", "nwparser.payload", "An optional ScreenOS feature has been activated via a software key.%{}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg106 = msg("00006:03", part177); - - var part178 = match("MESSAGE#105:00006:04/0", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to 
%{daddr}:%{dport}, proto %{protocol->} (zone %{p0}"); - - var all35 = all_match({ - processors: [ - part178, - dup338, - dup67, - ], - on_success: processor_chain([ - dup84, - dup2, - dup59, - dup9, - dup3, - dup4, - dup5, - dup61, - ]), - }); - - var msg107 = msg("00006:04", all35); - - var all36 = all_match({ - processors: [ - dup64, - dup338, - dup67, - ], - on_success: processor_chain([ - dup84, - dup2, - dup59, - dup9, - dup3, - dup4, - dup5, - dup60, - ]), - }); - - var msg108 = msg("00006:05", all36); - - var select40 = linear_select([ - msg103, - msg104, - msg105, - msg106, - msg107, - msg108, - ]); - - var part179 = match("MESSAGE#107:00007", "nwparser.payload", "HA cluster ID has been changed to %{fld2}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg109 = msg("00007", part179); - - var part180 = match("MESSAGE#108:00007:01", "nwparser.payload", "%{change_attribute->} of the local NetScreen device has changed from %{change_old->} to %{change_new}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg110 = msg("00007:01", part180); - - var part181 = match("MESSAGE#109:00007:02/0", "nwparser.payload", "HA state of the local device has changed to backup because a device with a %{p0}"); - - var part182 = match("MESSAGE#109:00007:02/1_0", "nwparser.p0", "higher priority has been detected%{}"); - - var part183 = match("MESSAGE#109:00007:02/1_1", "nwparser.p0", "lower MAC value has been detected%{}"); - - var select41 = linear_select([ - part182, - part183, - ]); - - var all37 = all_match({ - processors: [ - part181, - select41, - ], - on_success: processor_chain([ - dup86, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg111 = msg("00007:02", all37); - - var part184 = match("MESSAGE#110:00007:03", "nwparser.payload", "HA state of the local device has changed to init because IP tracking has failed%{}", processor_chain([ - dup86, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg112 = msg("00007:03", 
part184); - - var select42 = linear_select([ - dup88, - dup89, - ]); - - var part185 = match("MESSAGE#111:00007:04/4", "nwparser.p0", "has been changed%{}"); - - var all38 = all_match({ - processors: [ - dup87, - select42, - dup23, - dup344, - part185, - ], - on_success: processor_chain([ - dup91, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg113 = msg("00007:04", all38); - - var part186 = match("MESSAGE#112:00007:05", "nwparser.payload", "HA: Local NetScreen device has been elected backup because a master already exists%{}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg114 = msg("00007:05", part186); - - var part187 = match("MESSAGE#113:00007:06", "nwparser.payload", "HA: Local NetScreen device has been elected backup because its MAC value is higher than those of other devices in the cluster%{}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg115 = msg("00007:06", part187); - - var part188 = match("MESSAGE#114:00007:07", "nwparser.payload", "HA: Local NetScreen device has been elected backup because its priority value is higher than those of other devices in the cluster%{}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg116 = msg("00007:07", part188); - - var part189 = match("MESSAGE#115:00007:08", "nwparser.payload", "HA: Local device has been elected master because no other master exists%{}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg117 = msg("00007:08", part189); - - var part190 = match("MESSAGE#116:00007:09", "nwparser.payload", "HA: Local device priority has been changed to %{fld2}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg118 = msg("00007:09", part190); - - var part191 = match("MESSAGE#117:00007:10", "nwparser.payload", "HA: Previous master has promoted the local NetScreen device to master%{}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg119 = msg("00007:10", 
part191); - - var part192 = match("MESSAGE#118:00007:11/0", "nwparser.payload", "IP tracking device failover threshold has been %{p0}"); - - var select43 = linear_select([ - dup92, - dup93, - ]); - - var all39 = all_match({ - processors: [ - part192, - select43, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg120 = msg("00007:11", all39); - - var part193 = match("MESSAGE#119:00007:12", "nwparser.payload", "IP tracking has been %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg121 = msg("00007:12", part193); - - var part194 = match("MESSAGE#120:00007:13", "nwparser.payload", "IP tracking to %{hostip->} with interval %{fld2->} threshold %{trigger_val->} weight %{fld4->} interface %{interface->} method %{fld5->} has been %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg122 = msg("00007:13", part194); - - var part195 = match("MESSAGE#121:00007:14", "nwparser.payload", "%{signame->} From %{saddr->} to %{daddr->} using protocol %{protocol->} on zone %{zone->} interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([ - dup85, - dup2, - dup3, - dup4, - dup59, - dup5, - dup60, - ])); - - var msg123 = msg("00007:14", part195); - - var part196 = match("MESSAGE#122:00007:15", "nwparser.payload", "Primary HA interface has been changed to %{interface}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg124 = msg("00007:15", part196); - - var part197 = match("MESSAGE#123:00007:16", "nwparser.payload", "Reporting of HA configuration and status changes to NetScreen-Global Manager has been %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg125 = msg("00007:16", part197); - - var part198 = match("MESSAGE#124:00007:17", "nwparser.payload", "Tracked IP %{hostip->} has been %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - 
dup5, - ])); - - var msg126 = msg("00007:17", part198); - - var part199 = match("MESSAGE#125:00007:18/0", "nwparser.payload", "Tracked IP %{hostip->} options have been changed from int %{fld2->} thr %{fld3->} wgt %{fld4->} inf %{fld5->} %{p0}"); - - var part200 = match("MESSAGE#125:00007:18/1_0", "nwparser.p0", "ping %{p0}"); - - var part201 = match("MESSAGE#125:00007:18/1_1", "nwparser.p0", "ARP %{p0}"); - - var select44 = linear_select([ - part200, - part201, - ]); - - var part202 = match("MESSAGE#125:00007:18/2", "nwparser.p0", "to %{fld6->} %{p0}"); - - var part203 = match("MESSAGE#125:00007:18/3_0", "nwparser.p0", "ping%{}"); - - var part204 = match("MESSAGE#125:00007:18/3_1", "nwparser.p0", "ARP%{}"); - - var select45 = linear_select([ - part203, - part204, - ]); - - var all40 = all_match({ - processors: [ - part199, - select44, - part202, - select45, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg127 = msg("00007:18", all40); - - var part205 = match("MESSAGE#126:00007:20", "nwparser.payload", "Change %{change_attribute->} path from %{change_old->} to %{change_new}.", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg128 = msg("00007:20", part205); - - var part206 = match("MESSAGE#127:00007:21/0", "nwparser.payload", "HA Slave is %{p0}"); - - var all41 = all_match({ - processors: [ - part206, - dup345, - ], - on_success: processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg129 = msg("00007:21", all41); - - var part207 = match("MESSAGE#128:00007:22", "nwparser.payload", "HA change group id to %{groupid}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg130 = msg("00007:22", part207); - - var part208 = match("MESSAGE#129:00007:23", "nwparser.payload", "HA change priority to %{fld2}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg131 = msg("00007:23", part208); - - var part209 = 
match("MESSAGE#130:00007:24", "nwparser.payload", "HA change state to init%{}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg132 = msg("00007:24", part209); - - var part210 = match("MESSAGE#131:00007:25", "nwparser.payload", "HA: Change state to initial state.%{}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg133 = msg("00007:25", part210); - - var part211 = match("MESSAGE#132:00007:26/0", "nwparser.payload", "HA: Change state to slave for %{p0}"); - - var part212 = match("MESSAGE#132:00007:26/1_0", "nwparser.p0", "tracking ip failed%{}"); - - var part213 = match("MESSAGE#132:00007:26/1_1", "nwparser.p0", "linkdown%{}"); - - var select46 = linear_select([ - part212, - part213, - ]); - - var all42 = all_match({ - processors: [ - part211, - select46, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg134 = msg("00007:26", all42); - - var part214 = match("MESSAGE#133:00007:27", "nwparser.payload", "HA: Change to master command issued from original master to change state%{}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg135 = msg("00007:27", part214); - - var part215 = match("MESSAGE#134:00007:28", "nwparser.payload", "HA: Elected master no other master%{}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg136 = msg("00007:28", part215); - - var part216 = match("MESSAGE#135:00007:29/0", "nwparser.payload", "HA: Elected slave %{p0}"); - - var part217 = match("MESSAGE#135:00007:29/1_0", "nwparser.p0", "lower priority%{}"); - - var part218 = match("MESSAGE#135:00007:29/1_1", "nwparser.p0", "MAC value is larger%{}"); - - var part219 = match("MESSAGE#135:00007:29/1_2", "nwparser.p0", "master already exists%{}"); - - var part220 = match("MESSAGE#135:00007:29/1_3", "nwparser.p0", "detect new master with higher priority%{}"); - - var part221 = match("MESSAGE#135:00007:29/1_4", "nwparser.p0", "detect new master 
with smaller MAC value%{}"); - - var select47 = linear_select([ - part217, - part218, - part219, - part220, - part221, - ]); - - var all43 = all_match({ - processors: [ - part216, - select47, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg137 = msg("00007:29", all43); - - var part222 = match("MESSAGE#136:00007:30", "nwparser.payload", "HA: Promoted master command issued from original master to change state%{}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg138 = msg("00007:30", part222); - - var part223 = match("MESSAGE#137:00007:31/0", "nwparser.payload", "HA: ha link %{p0}"); - - var all44 = all_match({ - processors: [ - part223, - dup345, - ], - on_success: processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg139 = msg("00007:31", all44); - - var part224 = match("MESSAGE#138:00007:32/0", "nwparser.payload", "NSRP %{fld2->} %{p0}"); - - var select48 = linear_select([ - dup89, - dup88, - ]); - - var part225 = match("MESSAGE#138:00007:32/4", "nwparser.p0", "changed.%{}"); - - var all45 = all_match({ - processors: [ - part224, - select48, - dup23, - dup344, - part225, - ], - on_success: processor_chain([ - dup91, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg140 = msg("00007:32", all45); - - var part226 = match("MESSAGE#139:00007:33/0_0", "nwparser.payload", "NSRP: VSD %{p0}"); - - var part227 = match("MESSAGE#139:00007:33/0_1", "nwparser.payload", "Virtual Security Device group %{p0}"); - - var select49 = linear_select([ - part226, - part227, - ]); - - var part228 = match("MESSAGE#139:00007:33/1", "nwparser.p0", "%{fld2->} change%{p0}"); - - var part229 = match("MESSAGE#139:00007:33/2_0", "nwparser.p0", "d %{p0}"); - - var select50 = linear_select([ - part229, - dup96, - ]); - - var part230 = match("MESSAGE#139:00007:33/3", "nwparser.p0", "to %{fld3->} mode."); - - var all46 = all_match({ - processors: [ - select49, - part228, - select50, - 
part230, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg141 = msg("00007:33", all46); - - var part231 = match("MESSAGE#140:00007:34", "nwparser.payload", "NSRP: message %{fld2->} dropped: invalid encryption password.", processor_chain([ - dup97, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg142 = msg("00007:34", part231); - - var part232 = match("MESSAGE#141:00007:35", "nwparser.payload", "NSRP: nsrp interface change to %{interface}.", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg143 = msg("00007:35", part232); - - var part233 = match("MESSAGE#142:00007:36", "nwparser.payload", "RTO mirror group id=%{groupid->} direction= %{direction->} local unit=%{fld3->} duplicate from unit=%{fld4}", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg144 = msg("00007:36", part233); - - var part234 = match("MESSAGE#143:00007:37/0", "nwparser.payload", "RTO mirror group id=%{groupid->} direction= %{direction->} is %{p0}"); - - var all47 = all_match({ - processors: [ - part234, - dup346, - ], - on_success: processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg145 = msg("00007:37", all47); - - var part235 = match("MESSAGE#144:00007:38/0", "nwparser.payload", "RTO mirror group id=%{groupid->} direction= %{direction->} peer=%{fld3->} from %{p0}"); - - var part236 = match("MESSAGE#144:00007:38/4", "nwparser.p0", "state %{p0}"); - - var part237 = match("MESSAGE#144:00007:38/5_0", "nwparser.p0", "missed heartbeat%{}"); - - var part238 = match("MESSAGE#144:00007:38/5_1", "nwparser.p0", "group detached%{}"); - - var select51 = linear_select([ - part237, - part238, - ]); - - var all48 = all_match({ - processors: [ - part235, - dup347, - dup103, - dup347, - part236, - select51, - ], - on_success: processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg146 = msg("00007:38", all48); - - var part239 = 
match("MESSAGE#145:00007:39/0", "nwparser.payload", "RTO mirror group id=%{groupid->} is %{p0}"); - - var all49 = all_match({ - processors: [ - part239, - dup346, - ], - on_success: processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg147 = msg("00007:39", all49); - - var part240 = match("MESSAGE#146:00007:40", "nwparser.payload", "Remove pathname %{fld2->} (ifnum=%{fld3}) as secondary HA path", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg148 = msg("00007:40", part240); - - var part241 = match("MESSAGE#147:00007:41", "nwparser.payload", "Session sync ended by unit=%{fld2}", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg149 = msg("00007:41", part241); - - var part242 = match("MESSAGE#148:00007:42", "nwparser.payload", "Set secondary HA path to %{fld2->} (ifnum=%{fld3})", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg150 = msg("00007:42", part242); - - var part243 = match("MESSAGE#149:00007:43", "nwparser.payload", "VSD %{change_attribute->} changed from %{change_old->} to %{change_new}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg151 = msg("00007:43", part243); - - var part244 = match("MESSAGE#150:00007:44", "nwparser.payload", "vsd group id=%{groupid->} is %{disposition->} total number=%{fld3}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg152 = msg("00007:44", part244); - - var part245 = match("MESSAGE#151:00007:45", "nwparser.payload", "vsd group %{group->} local unit %{change_attribute->} changed from %{change_old->} to %{change_new}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg153 = msg("00007:45", part245); - - var part246 = match("MESSAGE#152:00007:46", "nwparser.payload", "%{signame->} has been detected! 
From %{saddr->} to %{daddr->} using protocol %{protocol->} on interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([ - dup85, - dup2, - dup3, - dup4, - dup59, - dup5, - dup60, - ])); - - var msg154 = msg("00007:46", part246); - - var part247 = match("MESSAGE#153:00007:47", "nwparser.payload", "The HA channel changed to interface %{interface}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg155 = msg("00007:47", part247); - - var part248 = match("MESSAGE#154:00007:48", "nwparser.payload", "Message %{fld2->} was dropped because it contained an invalid encryption password.", processor_chain([ - dup97, - dup2, - dup3, - dup4, - setc("disposition","dropped"), - setc("result","Invalid encryption Password"), - ])); - - var msg156 = msg("00007:48", part248); - - var part249 = match("MESSAGE#155:00007:49", "nwparser.payload", "The %{change_attribute->} of all Virtual Security Device groups changed from %{change_old->} to %{change_new}", processor_chain([ - setc("eventcategory","1604000000"), - dup2, - dup3, - dup4, - dup5, - ])); - - var msg157 = msg("00007:49", part249); - - var part250 = match("MESSAGE#156:00007:50/0", "nwparser.payload", "Device %{fld2->} %{p0}"); - - var part251 = match("MESSAGE#156:00007:50/1_0", "nwparser.p0", "has joined %{p0}"); - - var part252 = match("MESSAGE#156:00007:50/1_1", "nwparser.p0", "quit current %{p0}"); - - var select52 = linear_select([ - part251, - part252, - ]); - - var part253 = match("MESSAGE#156:00007:50/2", "nwparser.p0", "NSRP cluster %{fld3}"); - - var all50 = all_match({ - processors: [ - part250, - select52, - part253, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg158 = msg("00007:50", all50); - - var part254 = match("MESSAGE#157:00007:51/0", "nwparser.payload", "Virtual Security Device group %{group->} was %{p0}"); - - var part255 = match("MESSAGE#157:00007:51/1_1", "nwparser.p0", "deleted %{p0}"); - 
- var select53 = linear_select([ - dup104, - part255, - ]); - - var select54 = linear_select([ - dup105, - dup73, - ]); - - var part256 = match("MESSAGE#157:00007:51/4", "nwparser.p0", "The total number of members in the group %{p0}"); - - var select55 = linear_select([ - dup106, - dup107, - ]); - - var all51 = all_match({ - processors: [ - part254, - select53, - dup23, - select54, - part256, - select55, - dup108, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg159 = msg("00007:51", all51); - - var part257 = match("MESSAGE#158:00007:52", "nwparser.payload", "Virtual Security Device group %{group->} %{change_attribute->} changed from %{change_old->} to %{change_new}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg160 = msg("00007:52", part257); - - var part258 = match("MESSAGE#159:00007:53", "nwparser.payload", "The secondary HA path of the devices was set to interface %{interface->} with ifnum %{fld2}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg161 = msg("00007:53", part258); - - var part259 = match("MESSAGE#160:00007:54", "nwparser.payload", "The %{change_attribute->} of the devices changed from %{change_old->} to %{change_new}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg162 = msg("00007:54", part259); - - var part260 = match("MESSAGE#161:00007:55", "nwparser.payload", "The interface %{interface->} with ifnum %{fld2->} was removed from the secondary HA path of the devices.", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg163 = msg("00007:55", part260); - - var part261 = match("MESSAGE#162:00007:56", "nwparser.payload", "The probe that detects the status of High Availability link %{fld2->} was %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg164 = msg("00007:56", part261); - - var select56 = linear_select([ - dup109, - dup110, - ]); - - var 
select57 = linear_select([ - dup111, - dup112, - ]); - - var part262 = match("MESSAGE#163:00007:57/4", "nwparser.p0", "the probe detecting the status of High Availability link %{fld2->} was set to %{fld3}"); - - var all52 = all_match({ - processors: [ - dup55, - select56, - dup23, - select57, - part262, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg165 = msg("00007:57", all52); - - var part263 = match("MESSAGE#164:00007:58", "nwparser.payload", "A request by device %{fld2->} for session synchronization(s) was accepted.", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg166 = msg("00007:58", part263); - - var part264 = match("MESSAGE#165:00007:59", "nwparser.payload", "The current session synchronization by device %{fld2->} completed.", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg167 = msg("00007:59", part264); - - var part265 = match("MESSAGE#166:00007:60", "nwparser.payload", "Run Time Object mirror group %{group->} direction was set to %{direction}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg168 = msg("00007:60", part265); - - var part266 = match("MESSAGE#167:00007:61", "nwparser.payload", "Run Time Object mirror group %{group->} was set.", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg169 = msg("00007:61", part266); - - var part267 = match("MESSAGE#168:00007:62", "nwparser.payload", "Run Time Object mirror group %{group->} with direction %{direction->} was unset.", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg170 = msg("00007:62", part267); - - var part268 = match("MESSAGE#169:00007:63", "nwparser.payload", "RTO mirror group %{group->} was unset.", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg171 = msg("00007:63", part268); - - var part269 = match("MESSAGE#170:00007:64/1", "nwparser.p0", "%{fld2->} was removed from the 
monitoring list %{p0}"); - - var part270 = match("MESSAGE#170:00007:64/3", "nwparser.p0", "%{fld3}"); - - var all53 = all_match({ - processors: [ - dup348, - part269, - dup349, - part270, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg172 = msg("00007:64", all53); - - var part271 = match("MESSAGE#171:00007:65/1", "nwparser.p0", "%{fld2->} with weight %{fld3->} was added%{p0}"); - - var part272 = match("MESSAGE#171:00007:65/2_0", "nwparser.p0", " to or updated on %{p0}"); - - var part273 = match("MESSAGE#171:00007:65/2_1", "nwparser.p0", "/updated to %{p0}"); - - var select58 = linear_select([ - part272, - part273, - ]); - - var part274 = match("MESSAGE#171:00007:65/3", "nwparser.p0", "the monitoring list %{p0}"); - - var part275 = match("MESSAGE#171:00007:65/5", "nwparser.p0", "%{fld4}"); - - var all54 = all_match({ - processors: [ - dup348, - part271, - select58, - part274, - dup349, - part275, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg173 = msg("00007:65", all54); - - var part276 = match("MESSAGE#172:00007:66/0_0", "nwparser.payload", "The monitoring %{p0}"); - - var part277 = match("MESSAGE#172:00007:66/0_1", "nwparser.payload", "Monitoring %{p0}"); - - var select59 = linear_select([ - part276, - part277, - ]); - - var part278 = match("MESSAGE#172:00007:66/1", "nwparser.p0", "threshold was modified to %{trigger_val->} o%{p0}"); - - var part279 = match("MESSAGE#172:00007:66/2_0", "nwparser.p0", "f %{p0}"); - - var select60 = linear_select([ - part279, - dup115, - ]); - - var all55 = all_match({ - processors: [ - select59, - part278, - select60, - dup108, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg174 = msg("00007:66", all55); - - var part280 = match("MESSAGE#173:00007:67", "nwparser.payload", "NSRP data forwarding %{disposition}.", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - 
- var msg175 = msg("00007:67", part280); - - var part281 = match("MESSAGE#174:00007:68/0", "nwparser.payload", "NSRP b%{p0}"); - - var part282 = match("MESSAGE#174:00007:68/1_0", "nwparser.p0", "lack %{p0}"); - - var part283 = match("MESSAGE#174:00007:68/1_1", "nwparser.p0", "ack %{p0}"); - - var select61 = linear_select([ - part282, - part283, - ]); - - var part284 = match("MESSAGE#174:00007:68/2", "nwparser.p0", "hole prevention %{disposition}. Master(s) of Virtual Security Device groups %{p0}"); - - var part285 = match("MESSAGE#174:00007:68/3_0", "nwparser.p0", "may not exist %{p0}"); - - var part286 = match("MESSAGE#174:00007:68/3_1", "nwparser.p0", "always exists %{p0}"); - - var select62 = linear_select([ - part285, - part286, - ]); - - var all56 = all_match({ - processors: [ - part281, - select61, - part284, - select62, - dup116, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg176 = msg("00007:68", all56); - - var part287 = match("MESSAGE#175:00007:69", "nwparser.payload", "NSRP Run Time Object synchronization between devices was %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg177 = msg("00007:69", part287); - - var part288 = match("MESSAGE#176:00007:70", "nwparser.payload", "The NSRP encryption key was changed.%{}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg178 = msg("00007:70", part288); - - var part289 = match("MESSAGE#177:00007:71", "nwparser.payload", "NSRP transparent Active-Active mode was %{disposition}.", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg179 = msg("00007:71", part289); - - var part290 = match("MESSAGE#178:00007:72", "nwparser.payload", "NSRP: nsrp link probe enable on %{interface}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg180 = msg("00007:72", part290); - - var select63 = linear_select([ - msg109, - msg110, - msg111, - msg112, - msg113, - 
msg114, - msg115, - msg116, - msg117, - msg118, - msg119, - msg120, - msg121, - msg122, - msg123, - msg124, - msg125, - msg126, - msg127, - msg128, - msg129, - msg130, - msg131, - msg132, - msg133, - msg134, - msg135, - msg136, - msg137, - msg138, - msg139, - msg140, - msg141, - msg142, - msg143, - msg144, - msg145, - msg146, - msg147, - msg148, - msg149, - msg150, - msg151, - msg152, - msg153, - msg154, - msg155, - msg156, - msg157, - msg158, - msg159, - msg160, - msg161, - msg162, - msg163, - msg164, - msg165, - msg166, - msg167, - msg168, - msg169, - msg170, - msg171, - msg172, - msg173, - msg174, - msg175, - msg176, - msg177, - msg178, - msg179, - msg180, - ]); - - var part291 = match("MESSAGE#179:00008", "nwparser.payload", "%{signame->} has been detected! From %{saddr}:%{sport->} to %{daddr}:%{dport->} using protocol %{protocol->} on interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([ - dup58, - dup2, - dup3, - dup4, - dup59, - dup5, - dup61, - ])); - - var msg181 = msg("00008", part291); - - var msg182 = msg("00008:01", dup341); - - var part292 = match("MESSAGE#181:00008:02", "nwparser.payload", "NTP settings have been changed%{}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg183 = msg("00008:02", part292); - - var part293 = match("MESSAGE#182:00008:03", "nwparser.payload", "The system clock has been updated through NTP%{}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg184 = msg("00008:03", part293); - - var part294 = match("MESSAGE#183:00008:04/0", "nwparser.payload", "System clock %{p0}"); - - var part295 = match("MESSAGE#183:00008:04/1_0", "nwparser.p0", "configurations have been%{p0}"); - - var part296 = match("MESSAGE#183:00008:04/1_1", "nwparser.p0", "was%{p0}"); - - var part297 = match("MESSAGE#183:00008:04/1_2", "nwparser.p0", "is%{p0}"); - - var select64 = linear_select([ - part295, - part296, - part297, - ]); - - var part298 = 
match("MESSAGE#183:00008:04/2", "nwparser.p0", "%{}changed%{p0}"); - - var part299 = match("MESSAGE#183:00008:04/3_0", "nwparser.p0", " by admin %{administrator}"); - - var part300 = match("MESSAGE#183:00008:04/3_1", "nwparser.p0", " by %{username->} (%{fld1})"); - - var part301 = match("MESSAGE#183:00008:04/3_2", "nwparser.p0", " by %{username}"); - - var part302 = match("MESSAGE#183:00008:04/3_3", "nwparser.p0", " manually.%{}"); - - var part303 = match("MESSAGE#183:00008:04/3_4", "nwparser.p0", " manually%{}"); - - var select65 = linear_select([ - part299, - part300, - part301, - part302, - part303, - dup21, - ]); - - var all57 = all_match({ - processors: [ - part294, - select64, - part298, - select65, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - dup9, - ]), - }); - - var msg185 = msg("00008:04", all57); - - var part304 = match("MESSAGE#184:00008:05", "nwparser.payload", "failed to get clock through NTP%{}", processor_chain([ - dup117, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg186 = msg("00008:05", part304); - - var part305 = match("MESSAGE#185:00008:06", "nwparser.payload", "%{signame->} has been detected! From %{saddr}:%{sport->} to %{daddr}:%{dport}, using protocol %{protocol}, and arriving at interface %{dinterface->} in zone %{dst_zone}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([ - dup58, - dup2, - dup3, - dup4, - dup5, - dup59, - dup61, - ])); - - var msg187 = msg("00008:06", part305); - - var part306 = match("MESSAGE#186:00008:07", "nwparser.payload", "%{signame->} has been detected! 
From %{saddr->} to %{daddr}, using protocol %{protocol}, and arriving at interface %{dinterface->} in zone %{dst_zone}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([ - dup58, - dup2, - dup3, - dup4, - dup5, - dup59, - dup60, - ])); - - var msg188 = msg("00008:07", part306); - - var part307 = match("MESSAGE#187:00008:08", "nwparser.payload", "%{signame->} From %{saddr->} to %{daddr}, using protocol %{protocol}, on zone %{zone->} interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times.", processor_chain([ - dup58, - dup2, - dup3, - dup4, - dup5, - dup59, - dup60, - ])); - - var msg189 = msg("00008:08", part307); - - var part308 = match("MESSAGE#188:00008:09", "nwparser.payload", "system clock is changed manually%{}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg190 = msg("00008:09", part308); - - var part309 = match("MESSAGE#189:00008:10/0", "nwparser.payload", "%{signame->} From %{saddr->} to %{daddr}, proto %{protocol}(zone %{p0}"); - - var all58 = all_match({ - processors: [ - part309, - dup338, - dup67, - ], - on_success: processor_chain([ - dup58, - dup2, - dup59, - dup3, - dup4, - dup5, - dup9, - dup60, - ]), - }); - - var msg191 = msg("00008:10", all58); - - var select66 = linear_select([ - msg181, - msg182, - msg183, - msg184, - msg185, - msg186, - msg187, - msg188, - msg189, - msg190, - msg191, - ]); - - var part310 = match("MESSAGE#190:00009", "nwparser.payload", "802.1Q VLAN trunking for the interface %{interface->} has been %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg192 = msg("00009", part310); - - var part311 = match("MESSAGE#191:00009:01", "nwparser.payload", "802.1Q VLAN tag %{fld1->} has been %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg193 = msg("00009:01", part311); - - var part312 = match("MESSAGE#192:00009:02", "nwparser.payload", "DHCP on the interface %{interface->} has 
been %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg194 = msg("00009:02", part312); - - var part313 = match("MESSAGE#193:00009:03", "nwparser.payload", "%{change_attribute->} for interface %{interface->} has been changed from %{change_old->} to %{change_new}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg195 = msg("00009:03", part313); - - var part314 = match("MESSAGE#194:00009:05", "nwparser.payload", "%{signame->} has been detected! From %{saddr}:%{sport->} to %{daddr}:%{dport->} using protocol %{protocol->} on interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([ - dup58, - dup2, - dup3, - dup59, - dup4, - dup5, - dup61, - ])); - - var msg196 = msg("00009:05", part314); - - var part315 = match("MESSAGE#195:00009:06/0_0", "nwparser.payload", "%{fld2}: The 802.1Q tag %{p0}"); - - var part316 = match("MESSAGE#195:00009:06/0_1", "nwparser.payload", "The 802.1Q tag %{p0}"); - - var select67 = linear_select([ - part315, - part316, - ]); - - var select68 = linear_select([ - dup119, - dup16, - ]); - - var part317 = match("MESSAGE#195:00009:06/3", "nwparser.p0", "interface %{interface->} has been %{p0}"); - - var part318 = match("MESSAGE#195:00009:06/4_1", "nwparser.p0", "changed to %{p0}"); - - var select69 = linear_select([ - dup120, - part318, - ]); - - var part319 = match("MESSAGE#195:00009:06/6_0", "nwparser.p0", "%{info->} from host %{saddr}"); - - var part320 = match_copy("MESSAGE#195:00009:06/6_1", "nwparser.p0", "info"); - - var select70 = linear_select([ - part319, - part320, - ]); - - var all59 = all_match({ - processors: [ - select67, - dup118, - select68, - part317, - select69, - dup23, - select70, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg197 = msg("00009:06", all59); - - var part321 = match("MESSAGE#196:00009:07/0", "nwparser.payload", "Maximum bandwidth %{fld2->} on %{p0}"); - - 
var part322 = match("MESSAGE#196:00009:07/2", "nwparser.p0", "%{} %{interface->} is less than t%{p0}"); - - var part323 = match("MESSAGE#196:00009:07/3_0", "nwparser.p0", "he total %{p0}"); - - var part324 = match("MESSAGE#196:00009:07/3_1", "nwparser.p0", "otal %{p0}"); - - var select71 = linear_select([ - part323, - part324, - ]); - - var part325 = match("MESSAGE#196:00009:07/4", "nwparser.p0", "guaranteed bandwidth %{fld3}"); - - var all60 = all_match({ - processors: [ - part321, - dup337, - part322, - select71, - part325, - ], - on_success: processor_chain([ - dup121, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg198 = msg("00009:07", all60); - - var part326 = match("MESSAGE#197:00009:09", "nwparser.payload", "The configured bandwidth setting on the interface %{interface->} has been changed to %{fld2}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg199 = msg("00009:09", part326); - - var part327 = match("MESSAGE#198:00009:10/0", "nwparser.payload", "The operational mode for the interface %{interface->} has been changed to %{p0}"); - - var part328 = match("MESSAGE#198:00009:10/1_0", "nwparser.p0", "Route%{}"); - - var part329 = match("MESSAGE#198:00009:10/1_1", "nwparser.p0", "NAT%{}"); - - var select72 = linear_select([ - part328, - part329, - ]); - - var all61 = all_match({ - processors: [ - part327, - select72, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg200 = msg("00009:10", all61); - - var part330 = match("MESSAGE#199:00009:11/0_0", "nwparser.payload", "%{fld1}: VLAN %{p0}"); - - var part331 = match("MESSAGE#199:00009:11/0_1", "nwparser.payload", "VLAN %{p0}"); - - var select73 = linear_select([ - part330, - part331, - ]); - - var part332 = match("MESSAGE#199:00009:11/1", "nwparser.p0", "tag %{fld2->} has been %{disposition}"); - - var all62 = all_match({ - processors: [ - select73, - part332, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - 
dup5, - ]), - }); - - var msg201 = msg("00009:11", all62); - - var part333 = match("MESSAGE#200:00009:12", "nwparser.payload", "DHCP client has been %{disposition->} on interface %{interface}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg202 = msg("00009:12", part333); - - var part334 = match("MESSAGE#201:00009:13", "nwparser.payload", "DHCP relay agent settings on %{interface->} have been %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg203 = msg("00009:13", part334); - - var part335 = match("MESSAGE#202:00009:14/0_0", "nwparser.payload", "Global-PRO has been %{p0}"); - - var part336 = match("MESSAGE#202:00009:14/0_1", "nwparser.payload", "Global PRO has been %{p0}"); - - var part337 = match("MESSAGE#202:00009:14/0_2", "nwparser.payload", "DNS proxy was %{p0}"); - - var select74 = linear_select([ - part335, - part336, - part337, - ]); - - var part338 = match("MESSAGE#202:00009:14/1", "nwparser.p0", "%{disposition->} on %{p0}"); - - var select75 = linear_select([ - dup122, - dup123, - ]); - - var part339 = match("MESSAGE#202:00009:14/4_0", "nwparser.p0", "%{interface->} (%{fld2})"); - - var select76 = linear_select([ - part339, - dup124, - ]); - - var all63 = all_match({ - processors: [ - select74, - part338, - select75, - dup23, - select76, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg204 = msg("00009:14", all63); - - var part340 = match("MESSAGE#203:00009:15/0", "nwparser.payload", "Route between secondary IP%{p0}"); - - var part341 = match("MESSAGE#203:00009:15/1_0", "nwparser.p0", " addresses %{p0}"); - - var select77 = linear_select([ - part341, - dup125, - ]); - - var all64 = all_match({ - processors: [ - part340, - select77, - dup126, - dup350, - dup128, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg205 = msg("00009:15", all64); - - var part342 = 
match("MESSAGE#204:00009:16/0", "nwparser.payload", "Secondary IP address %{hostip}/%{mask->} %{p0}"); - - var part343 = match("MESSAGE#204:00009:16/3_2", "nwparser.p0", "deleted from %{p0}"); - - var select78 = linear_select([ - dup129, - dup130, - part343, - ]); - - var part344 = match("MESSAGE#204:00009:16/4", "nwparser.p0", "interface %{interface}."); - - var all65 = all_match({ - processors: [ - part342, - dup350, - dup23, - select78, - part344, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg206 = msg("00009:16", all65); - - var part345 = match("MESSAGE#205:00009:17/0", "nwparser.payload", "Secondary IP address %{p0}"); - - var part346 = match("MESSAGE#205:00009:17/1_0", "nwparser.p0", "%{hostip}/%{mask->} was added to interface %{p0}"); - - var part347 = match("MESSAGE#205:00009:17/1_1", "nwparser.p0", "%{hostip->} was added to interface %{p0}"); - - var select79 = linear_select([ - part346, - part347, - ]); - - var part348 = match("MESSAGE#205:00009:17/2", "nwparser.p0", "%{interface}."); - - var all66 = all_match({ - processors: [ - part345, - select79, - part348, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg207 = msg("00009:17", all66); - - var part349 = match("MESSAGE#206:00009:18", "nwparser.payload", "The configured bandwidth on the interface %{interface->} has been changed to %{fld2}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg208 = msg("00009:18", part349); - - var part350 = match("MESSAGE#207:00009:19", "nwparser.payload", "interface %{interface->} with IP %{hostip->} %{fld2->} has been %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg209 = msg("00009:19", part350); - - var part351 = match("MESSAGE#208:00009:27", "nwparser.payload", "interface %{interface->} has been %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg210 = 
msg("00009:27", part351); - - var part352 = match("MESSAGE#209:00009:20/0_0", "nwparser.payload", "%{fld2}: %{service->} has been %{p0}"); - - var part353 = match("MESSAGE#209:00009:20/0_1", "nwparser.payload", "%{service->} has been %{p0}"); - - var select80 = linear_select([ - part352, - part353, - ]); - - var part354 = match("MESSAGE#209:00009:20/1", "nwparser.p0", "%{disposition->} on interface %{interface->} %{p0}"); - - var part355 = match("MESSAGE#209:00009:20/2_0", "nwparser.p0", "by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport}"); - - var part356 = match("MESSAGE#209:00009:20/2_1", "nwparser.p0", "by %{username->} via %{logon_type->} from host %{saddr}:%{sport}"); - - var part357 = match("MESSAGE#209:00009:20/2_2", "nwparser.p0", "by %{username->} via %{logon_type->} from host %{saddr}"); - - var part358 = match("MESSAGE#209:00009:20/2_3", "nwparser.p0", "from host %{saddr->} (%{fld1})"); - - var select81 = linear_select([ - part355, - part356, - part357, - part358, - ]); - - var all67 = all_match({ - processors: [ - select80, - part354, - select81, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg211 = msg("00009:20", all67); - - var part359 = match("MESSAGE#210:00009:21/0", "nwparser.payload", "Source Route IP option! 
From %{saddr->} to %{daddr}, proto %{protocol->} (zone %{zone->} %{p0}"); - - var all68 = all_match({ - processors: [ - part359, - dup343, - dup131, - ], - on_success: processor_chain([ - dup58, - dup2, - dup59, - dup3, - dup4, - dup5, - dup9, - dup60, - ]), - }); - - var msg212 = msg("00009:21", all68); - - var part360 = match("MESSAGE#211:00009:22", "nwparser.payload", "MTU for interface %{interface->} has been changed to %{fld2->} (%{fld1})", processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg213 = msg("00009:22", part360); - - var part361 = match("MESSAGE#212:00009:23", "nwparser.payload", "Secondary IP address %{hostip->} has been added to interface %{interface->} (%{fld1})", processor_chain([ - dup44, - dup2, - dup9, - dup3, - dup4, - dup5, - ])); - - var msg214 = msg("00009:23", part361); - - var part362 = match("MESSAGE#213:00009:24/0", "nwparser.payload", "Web has been enabled on interface %{interface->} by admin %{administrator->} via %{p0}"); - - var part363 = match("MESSAGE#213:00009:24/1_0", "nwparser.p0", "%{logon_type->} %{space}(%{p0}"); - - var part364 = match("MESSAGE#213:00009:24/1_1", "nwparser.p0", "%{logon_type}. (%{p0}"); - - var select82 = linear_select([ - part363, - part364, - ]); - - var part365 = match("MESSAGE#213:00009:24/2", "nwparser.p0", ")%{fld1}"); - - var all69 = all_match({ - processors: [ - part362, - select82, - part365, - ], - on_success: processor_chain([ - dup1, - dup2, - dup9, - dup3, - dup4, - dup5, - ]), - }); - - var msg215 = msg("00009:24", all69); - - var part366 = match("MESSAGE#214:00009:25", "nwparser.payload", "Web has been enabled on interface %{interface->} by %{username->} via %{logon_type}. 
(%{fld1})", processor_chain([ - dup1, - dup2, - dup9, - dup3, - dup4, - dup5, - ])); - - var msg216 = msg("00009:25", part366); - - var part367 = match("MESSAGE#215:00009:26/0", "nwparser.payload", "%{protocol->} has been %{disposition->} on interface %{interface->} by %{username->} via NSRP Peer . %{p0}"); - - var all70 = all_match({ - processors: [ - part367, - dup333, - ], - on_success: processor_chain([ - dup1, - dup2, - dup9, - dup3, - dup4, - dup5, - ]), - }); - - var msg217 = msg("00009:26", all70); - - var select83 = linear_select([ - msg192, - msg193, - msg194, - msg195, - msg196, - msg197, - msg198, - msg199, - msg200, - msg201, - msg202, - msg203, - msg204, - msg205, - msg206, - msg207, - msg208, - msg209, - msg210, - msg211, - msg212, - msg213, - msg214, - msg215, - msg216, - msg217, - ]); - - var part368 = match("MESSAGE#216:00010/0", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to %{daddr}:%{dport->} %{p0}"); - - var part369 = match("MESSAGE#216:00010/1_0", "nwparser.p0", "using protocol %{p0}"); - - var part370 = match("MESSAGE#216:00010/1_1", "nwparser.p0", "proto %{p0}"); - - var select84 = linear_select([ - part369, - part370, - ]); - - var part371 = match("MESSAGE#216:00010/2", "nwparser.p0", "%{protocol->} %{p0}"); - - var part372 = match("MESSAGE#216:00010/3_0", "nwparser.p0", "( zone %{zone}, int %{interface}) %{p0}"); - - var part373 = match("MESSAGE#216:00010/3_1", "nwparser.p0", "zone %{zone->} int %{interface}) %{p0}"); - - var select85 = linear_select([ - part372, - part373, - dup126, - ]); - - var part374 = match("MESSAGE#216:00010/4", "nwparser.p0", ".%{space}The attack occurred %{dclass_counter1->} times%{p0}"); - - var all71 = all_match({ - processors: [ - part368, - select84, - part371, - select85, - part374, - dup351, - ], - on_success: processor_chain([ - dup58, - dup2, - dup4, - dup59, - dup5, - dup9, - dup3, - dup61, - ]), - }); - - var msg218 = msg("00010", all71); - - var part375 = match("MESSAGE#217:00010:01", 
"nwparser.payload", "MIP %{hostip}/%{fld2->} has been %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg219 = msg("00010:01", part375); - - var part376 = match("MESSAGE#218:00010:02", "nwparser.payload", "Mapped IP %{hostip->} %{fld2->} has been %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg220 = msg("00010:02", part376); - - var all72 = all_match({ - processors: [ - dup132, - dup343, - dup83, - ], - on_success: processor_chain([ - dup58, - dup2, - dup59, - dup4, - dup5, - dup9, - dup3, - dup60, - ]), - }); - - var msg221 = msg("00010:03", all72); - - var select86 = linear_select([ - msg218, - msg219, - msg220, - msg221, - ]); - - var part377 = match("MESSAGE#220:00011", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to %{daddr}:%{dport->} using protocol %{protocol->} on interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([ - dup58, - dup2, - dup3, - dup59, - dup4, - dup5, - dup61, - ])); - - var msg222 = msg("00011", part377); - - var part378 = match("MESSAGE#221:00011:01/0", "nwparser.payload", "Route to %{daddr}/%{fld2->} [ %{p0}"); - - var select87 = linear_select([ - dup57, - dup56, - ]); - - var part379 = match("MESSAGE#221:00011:01/2", "nwparser.p0", "%{} %{interface->} gateway %{fld3->} ] has been %{disposition}"); - - var all73 = all_match({ - processors: [ - part378, - select87, - part379, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg223 = msg("00011:01", all73); - - var part380 = match("MESSAGE#222:00011:02", "nwparser.payload", "%{signame->} from %{saddr->} to %{daddr->} protocol %{protocol->} (%{fld2})", processor_chain([ - dup58, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg224 = msg("00011:02", part380); - - var part381 = match("MESSAGE#223:00011:03/0", "nwparser.payload", "An %{p0}"); - - var part382 = match("MESSAGE#223:00011:03/1_0", 
"nwparser.p0", "import %{p0}"); - - var part383 = match("MESSAGE#223:00011:03/1_1", "nwparser.p0", "export %{p0}"); - - var select88 = linear_select([ - part382, - part383, - ]); - - var part384 = match("MESSAGE#223:00011:03/2", "nwparser.p0", "rule in virtual router %{node->} to virtual router %{fld4->} with %{p0}"); - - var part385 = match("MESSAGE#223:00011:03/3_0", "nwparser.p0", "route-map %{fld3->} and protocol %{protocol->} has been %{p0}"); - - var part386 = match("MESSAGE#223:00011:03/3_1", "nwparser.p0", "IP-prefix %{hostip}/%{interface->} has been %{p0}"); - - var select89 = linear_select([ - part385, - part386, - ]); - - var all74 = all_match({ - processors: [ - part381, - select88, - part384, - select89, - dup36, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg225 = msg("00011:03", all74); - - var part387 = match("MESSAGE#224:00011:04/0", "nwparser.payload", "A route in virtual router %{node->} that has IP address %{hostip}/%{fld2->} through %{p0}"); - - var part388 = match("MESSAGE#224:00011:04/2", "nwparser.p0", "%{interface->} and gateway %{fld3->} with metric %{fld4->} has been %{disposition}"); - - var all75 = all_match({ - processors: [ - part387, - dup352, - part388, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg226 = msg("00011:04", all75); - - var part389 = match("MESSAGE#225:00011:05/1_0", "nwparser.p0", "sharable virtual router using name%{p0}"); - - var part390 = match("MESSAGE#225:00011:05/1_1", "nwparser.p0", "virtual router with name%{p0}"); - - var select90 = linear_select([ - part389, - part390, - ]); - - var part391 = match("MESSAGE#225:00011:05/2", "nwparser.p0", "%{} %{node->} and id %{fld2->} has been %{disposition}"); - - var all76 = all_match({ - processors: [ - dup79, - select90, - part391, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg227 = msg("00011:05", all76); - - 
var part392 = match("MESSAGE#226:00011:07", "nwparser.payload", "%{signame->} From %{saddr->} to %{daddr->} using protocol %{protocol->} on interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([ - dup58, - dup2, - dup4, - dup5, - dup59, - dup3, - dup60, - ])); - - var msg228 = msg("00011:07", part392); - - var part393 = match("MESSAGE#227:00011:08", "nwparser.payload", "Route(s) in virtual router %{node->} with an IP address %{hostip->} and gateway %{fld2->} has been %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg229 = msg("00011:08", part393); - - var part394 = match("MESSAGE#228:00011:09", "nwparser.payload", "The auto-route-export feature in virtual router %{node->} has been %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg230 = msg("00011:09", part394); - - var part395 = match("MESSAGE#229:00011:10", "nwparser.payload", "The maximum number of routes that can be created in virtual router %{node->} is %{fld2}", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg231 = msg("00011:10", part395); - - var part396 = match("MESSAGE#230:00011:11", "nwparser.payload", "The maximum routes limit in virtual router %{node->} has been %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg232 = msg("00011:11", part396); - - var part397 = match("MESSAGE#231:00011:12", "nwparser.payload", "The router-id of virtual router %{node->} used by OSPF BGP routing instances id has been uninitialized", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg233 = msg("00011:12", part397); - - var part398 = match("MESSAGE#232:00011:13", "nwparser.payload", "The router-id that can be used by OSPF BGP routing instances in virtual router %{node->} has been set to %{fld2}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg234 = msg("00011:13", part398); 
- - var part399 = match("MESSAGE#233:00011:14/0", "nwparser.payload", "The routing preference for protocol %{protocol->} in virtual router %{node->} has been %{p0}"); - - var part400 = match("MESSAGE#233:00011:14/1_1", "nwparser.p0", "reset%{}"); - - var select91 = linear_select([ - dup134, - part400, - ]); - - var all77 = all_match({ - processors: [ - part399, - select91, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg235 = msg("00011:14", all77); - - var part401 = match("MESSAGE#234:00011:15", "nwparser.payload", "The system default-route in virtual router %{node->} has been %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg236 = msg("00011:15", part401); - - var part402 = match("MESSAGE#235:00011:16", "nwparser.payload", "The system default-route through virtual router %{node->} has been added in virtual router %{fld2}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg237 = msg("00011:16", part402); - - var part403 = match("MESSAGE#236:00011:17/0", "nwparser.payload", "The virtual router %{node->} has been made %{p0}"); - - var part404 = match("MESSAGE#236:00011:17/1_0", "nwparser.p0", "sharable%{}"); - - var part405 = match("MESSAGE#236:00011:17/1_1", "nwparser.p0", "unsharable%{}"); - - var part406 = match("MESSAGE#236:00011:17/1_2", "nwparser.p0", "default virtual router for virtual system %{fld2}"); - - var select92 = linear_select([ - part404, - part405, - part406, - ]); - - var all78 = all_match({ - processors: [ - part403, - select92, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg238 = msg("00011:17", all78); - - var part407 = match("MESSAGE#237:00011:18/0_0", "nwparser.payload", "Source route(s) %{p0}"); - - var part408 = match("MESSAGE#237:00011:18/0_1", "nwparser.payload", "A source route %{p0}"); - - var select93 = linear_select([ - part407, - part408, - ]); - - var part409 = 
match("MESSAGE#237:00011:18/1", "nwparser.p0", "in virtual router %{node->} %{p0}"); - - var part410 = match("MESSAGE#237:00011:18/2_0", "nwparser.p0", "with route addresses of %{p0}"); - - var part411 = match("MESSAGE#237:00011:18/2_1", "nwparser.p0", "that has IP address %{p0}"); - - var select94 = linear_select([ - part410, - part411, - ]); - - var part412 = match("MESSAGE#237:00011:18/3", "nwparser.p0", "%{hostip}/%{fld2->} through interface %{interface->} and %{p0}"); - - var part413 = match("MESSAGE#237:00011:18/4_0", "nwparser.p0", "a default gateway address %{p0}"); - - var select95 = linear_select([ - part413, - dup135, - ]); - - var part414 = match("MESSAGE#237:00011:18/5", "nwparser.p0", "%{fld3->} with metric %{fld4->} %{p0}"); - - var all79 = all_match({ - processors: [ - select93, - part409, - select94, - part412, - select95, - part414, - dup350, - dup128, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg239 = msg("00011:18", all79); - - var part415 = match("MESSAGE#238:00011:19/0", "nwparser.payload", "Source Route(s) in virtual router %{node->} with %{p0}"); - - var part416 = match("MESSAGE#238:00011:19/1_0", "nwparser.p0", "route addresses of %{p0}"); - - var part417 = match("MESSAGE#238:00011:19/1_1", "nwparser.p0", "an IP address %{p0}"); - - var select96 = linear_select([ - part416, - part417, - ]); - - var part418 = match("MESSAGE#238:00011:19/2", "nwparser.p0", "%{hostip}/%{fld3->} and %{p0}"); - - var part419 = match("MESSAGE#238:00011:19/3_0", "nwparser.p0", "a default gateway address of %{p0}"); - - var select97 = linear_select([ - part419, - dup135, - ]); - - var part420 = match("MESSAGE#238:00011:19/4", "nwparser.p0", "%{fld4->} %{p0}"); - - var part421 = match("MESSAGE#238:00011:19/5_1", "nwparser.p0", "has been%{p0}"); - - var select98 = linear_select([ - dup107, - part421, - ]); - - var all80 = all_match({ - processors: [ - part415, - select96, - part418, - select97, - part420, - 
select98, - dup136, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg240 = msg("00011:19", all80); - - var part422 = match("MESSAGE#239:00011:20/0_0", "nwparser.payload", "%{fld2}: A %{p0}"); - - var select99 = linear_select([ - part422, - dup79, - ]); - - var part423 = match("MESSAGE#239:00011:20/1", "nwparser.p0", "route has been created in virtual router \"%{node}\"%{space}with an IP address %{hostip->} and next-hop as virtual router \"%{fld3}\""); - - var all81 = all_match({ - processors: [ - select99, - part423, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg241 = msg("00011:20", all81); - - var part424 = match("MESSAGE#240:00011:21", "nwparser.payload", "SIBR route(s) in virtual router %{node->} for interface %{interface->} with an IP address %{hostip->} and gateway %{fld2->} has been %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg242 = msg("00011:21", part424); - - var part425 = match("MESSAGE#241:00011:22", "nwparser.payload", "SIBR route in virtual router %{node->} for interface %{interface->} that has IP address %{hostip->} through interface %{fld3->} and gateway %{fld4->} with metric %{fld5->} was %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg243 = msg("00011:22", part425); - - var all82 = all_match({ - processors: [ - dup132, - dup343, - dup131, - ], - on_success: processor_chain([ - dup58, - dup2, - dup59, - dup9, - dup3, - dup4, - dup5, - call({ - dest: "nwparser.inout", - fn: DIRCHK, - args: [ - field("$IN"), - field("saddr"), - field("daddr"), - ], - }), - ]), - }); - - var msg244 = msg("00011:23", all82); - - var part426 = match("MESSAGE#243:00011:24", "nwparser.payload", "Route in virtual router \"%{node}\" that has IP address %{hostip->} through interface %{interface->} and gateway %{fld2->} with metric %{fld3->} %{disposition}. 
(%{fld1})", processor_chain([ - dup44, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg245 = msg("00011:24", part426); - - var part427 = match("MESSAGE#244:00011:25", "nwparser.payload", "Route(s) in virtual router \"%{node}\" with an IP address %{hostip}/%{fld2->} and gateway %{fld3->} %{disposition}. (%{fld1})", processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg246 = msg("00011:25", part427); - - var part428 = match("MESSAGE#245:00011:26", "nwparser.payload", "Route in virtual router \"%{node}\" with IP address %{hostip}/%{fld2->} and next-hop as virtual router \"%{fld3}\" created. (%{fld1})", processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg247 = msg("00011:26", part428); - - var select100 = linear_select([ - msg222, - msg223, - msg224, - msg225, - msg226, - msg227, - msg228, - msg229, - msg230, - msg231, - msg232, - msg233, - msg234, - msg235, - msg236, - msg237, - msg238, - msg239, - msg240, - msg241, - msg242, - msg243, - msg244, - msg245, - msg246, - msg247, - ]); - - var part429 = match("MESSAGE#246:00012:02", "nwparser.payload", "Service group %{group->} comments have been %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg248 = msg("00012:02", part429); - - var part430 = match("MESSAGE#247:00012:03", "nwparser.payload", "Service group %{change_old->} %{change_attribute->} has been changed to %{change_new}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg249 = msg("00012:03", part430); - - var part431 = match("MESSAGE#248:00012:04", "nwparser.payload", "%{fld2->} Service group %{group->} has %{disposition->} member %{username->} from host %{saddr}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg250 = msg("00012:04", part431); - - var part432 = match("MESSAGE#249:00012:05", "nwparser.payload", "%{signame->} from %{saddr}/%{sport->} to %{daddr}/%{dport->} protocol %{protocol->} 
(%{fld2}) (%{fld3})", processor_chain([ - dup58, - dup2, - dup3, - dup4, - dup5, - dup61, - ])); - - var msg251 = msg("00012:05", part432); - - var part433 = match("MESSAGE#250:00012:06", "nwparser.payload", "%{signame->} has been detected! From %{saddr}:%{sport->} to %{daddr}:%{dport->} using protocol %{protocol->} on interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([ - dup58, - dup2, - dup3, - dup4, - dup5, - dup59, - dup61, - ])); - - var msg252 = msg("00012:06", part433); - - var part434 = match("MESSAGE#251:00012:07", "nwparser.payload", "%{signame->} has been detected! From %{saddr}:%{sport->} to %{daddr}:%{dport}, using protocol %{protocol}, and arriving at interface %{dinterface->} in zone %{dst_zone}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([ - dup58, - dup2, - dup3, - dup4, - dup5, - dup61, - dup59, - ])); - - var msg253 = msg("00012:07", part434); - - var part435 = match("MESSAGE#252:00012:08", "nwparser.payload", "%{fld2}: Service %{service->} has been %{disposition->} from host %{saddr->} (%{fld1})", processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg254 = msg("00012:08", part435); - - var all83 = all_match({ - processors: [ - dup80, - dup343, - dup83, - ], - on_success: processor_chain([ - dup58, - dup2, - dup59, - dup9, - dup3, - dup4, - dup5, - dup61, - ]), - }); - - var msg255 = msg("00012:09", all83); - - var all84 = all_match({ - processors: [ - dup132, - dup343, - dup83, - ], - on_success: processor_chain([ - dup58, - dup2, - dup9, - dup59, - dup3, - dup4, - dup5, - dup60, - ]), - }); - - var msg256 = msg("00012:10", all84); - - var part436 = match("MESSAGE#255:00012:11", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to %{daddr}:%{dport}, using protocol %{protocol}, on zone %{zone->} interface %{interface}.The attack occurred %{dclass_counter1->} times. 
(%{fld1})", processor_chain([ - dup58, - dup2, - dup3, - dup4, - dup59, - dup5, - dup9, - dup61, - ])); - - var msg257 = msg("00012:11", part436); - - var part437 = match("MESSAGE#256:00012:12", "nwparser.payload", "%{signame->} from %{saddr}/%{sport->} to %{daddr}/%{dport->} protocol %{protocol->} (%{zone}) %{info->} (%{fld1})", processor_chain([ - dup58, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg258 = msg("00012:12", part437); - - var part438 = match("MESSAGE#257:00012", "nwparser.payload", "Service group %{group->} has been %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg259 = msg("00012", part438); - - var part439 = match("MESSAGE#258:00012:01", "nwparser.payload", "Service %{service->} has been %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg260 = msg("00012:01", part439); - - var select101 = linear_select([ - msg248, - msg249, - msg250, - msg251, - msg252, - msg253, - msg254, - msg255, - msg256, - msg257, - msg258, - msg259, - msg260, - ]); - - var part440 = match("MESSAGE#259:00013", "nwparser.payload", "Global Manager error in decoding bytes has been detected%{}", processor_chain([ - dup86, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg261 = msg("00013", part440); - - var part441 = match("MESSAGE#260:00013:01", "nwparser.payload", "Intruder has attempted to connect to the NetScreen-Global Manager port! 
From %{saddr}:%{sport->} to %{daddr}:%{dport->} using protocol %{protocol->} at interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([ - dup58, - dup2, - dup3, - dup59, - dup4, - dup5, - dup61, - setc("signame","An Attempt to connect to NetScreen-Global Manager Port."), - ])); - - var msg262 = msg("00013:01", part441); - - var part442 = match("MESSAGE#261:00013:02", "nwparser.payload", "URL Filtering %{fld2->} has been changed to %{fld3}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg263 = msg("00013:02", part442); - - var part443 = match("MESSAGE#262:00013:03", "nwparser.payload", "Web Filtering has been %{disposition->} (%{fld1})", processor_chain([ - dup50, - dup43, - dup51, - dup2, - dup4, - dup5, - dup9, - ])); - - var msg264 = msg("00013:03", part443); - - var select102 = linear_select([ - msg261, - msg262, - msg263, - msg264, - ]); - - var part444 = match("MESSAGE#263:00014", "nwparser.payload", "%{change_attribute->} in minutes has changed from %{change_old->} to %{change_new}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg265 = msg("00014", part444); - - var part445 = match("MESSAGE#264:00014:01/0", "nwparser.payload", "The group member %{username->} has been %{disposition->} %{p0}"); - - var part446 = match("MESSAGE#264:00014:01/1_0", "nwparser.p0", "to a group%{}"); - - var part447 = match("MESSAGE#264:00014:01/1_1", "nwparser.p0", "from a group%{}"); - - var select103 = linear_select([ - part446, - part447, - ]); - - var all85 = all_match({ - processors: [ - part445, - select103, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg266 = msg("00014:01", all85); - - var part448 = match("MESSAGE#265:00014:02", "nwparser.payload", "The user group %{group->} has been %{disposition->} by %{username}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg267 = msg("00014:02", part448); - 
- var part449 = match("MESSAGE#266:00014:03", "nwparser.payload", "The user %{username->} has been %{disposition->} by %{administrator}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg268 = msg("00014:03", part449); - - var part450 = match("MESSAGE#267:00014:04", "nwparser.payload", "Communication error with %{hostname->} server { %{hostip->} }: SrvErr (%{fld2}), SockErr (%{fld3}), Valid (%{fld4}),Connected (%{fld5})", processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg269 = msg("00014:04", part450); - - var part451 = match("MESSAGE#268:00014:05", "nwparser.payload", "System clock configurations have been %{disposition->} by admin %{administrator}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg270 = msg("00014:05", part451); - - var part452 = match("MESSAGE#269:00014:06", "nwparser.payload", "System clock is %{disposition->} manually.", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg271 = msg("00014:06", part452); - - var part453 = match("MESSAGE#270:00014:07", "nwparser.payload", "System up time is %{disposition->} by %{fld2}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg272 = msg("00014:07", part453); - - var part454 = match("MESSAGE#271:00014:08", "nwparser.payload", "Communication error with %{hostname->} server[%{hostip}]: SrvErr(%{fld2}),SockErr(%{fld3}),Valid(%{fld4}),Connected(%{fld5}) (%{fld1})", processor_chain([ - dup27, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg273 = msg("00014:08", part454); - - var select104 = linear_select([ - msg265, - msg266, - msg267, - msg268, - msg269, - msg270, - msg271, - msg272, - msg273, - ]); - - var part455 = match("MESSAGE#272:00015", "nwparser.payload", "Authentication type has been changed to %{authmethod}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg274 = msg("00015", part455); - - var part456 = match("MESSAGE#273:00015:01", 
"nwparser.payload", "IP tracking to %{daddr->} has %{disposition}", processor_chain([ - dup86, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg275 = msg("00015:01", part456); - - var part457 = match("MESSAGE#274:00015:02/0", "nwparser.payload", "LDAP %{p0}"); - - var part458 = match("MESSAGE#274:00015:02/1_0", "nwparser.p0", "server name %{p0}"); - - var part459 = match("MESSAGE#274:00015:02/1_2", "nwparser.p0", "distinguished name %{p0}"); - - var part460 = match("MESSAGE#274:00015:02/1_3", "nwparser.p0", "common name %{p0}"); - - var select105 = linear_select([ - part458, - dup137, - part459, - part460, - ]); - - var all86 = all_match({ - processors: [ - part457, - select105, - dup138, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg276 = msg("00015:02", all86); - - var part461 = match("MESSAGE#275:00015:03", "nwparser.payload", "Primary HA link has gone down. Local NetScreen device has begun using the secondary HA link%{}", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg277 = msg("00015:03", part461); - - var part462 = match("MESSAGE#276:00015:04/0", "nwparser.payload", "RADIUS server %{p0}"); - - var part463 = match("MESSAGE#276:00015:04/1_2", "nwparser.p0", "secret %{p0}"); - - var select106 = linear_select([ - dup139, - dup140, - part463, - ]); - - var all87 = all_match({ - processors: [ - part462, - select106, - dup138, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg278 = msg("00015:04", all87); - - var part464 = match("MESSAGE#277:00015:05/0", "nwparser.payload", "SecurID %{p0}"); - - var part465 = match("MESSAGE#277:00015:05/1_0", "nwparser.p0", "authentication port %{p0}"); - - var part466 = match("MESSAGE#277:00015:05/1_1", "nwparser.p0", "duress mode %{p0}"); - - var part467 = match("MESSAGE#277:00015:05/1_3", "nwparser.p0", "number of retries value %{p0}"); - - var select107 = linear_select([ - part465, - part466, - 
dup76, - part467, - ]); - - var all88 = all_match({ - processors: [ - part464, - select107, - dup138, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg279 = msg("00015:05", all88); - - var part468 = match("MESSAGE#278:00015:06/0_0", "nwparser.payload", "Master %{p0}"); - - var part469 = match("MESSAGE#278:00015:06/0_1", "nwparser.payload", "Backup %{p0}"); - - var select108 = linear_select([ - part468, - part469, - ]); - - var part470 = match("MESSAGE#278:00015:06/1", "nwparser.p0", "SecurID server IP address has been %{disposition}"); - - var all89 = all_match({ - processors: [ - select108, - part470, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg280 = msg("00015:06", all89); - - var part471 = match("MESSAGE#279:00015:07", "nwparser.payload", "HA change from slave to master%{}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg281 = msg("00015:07", part471); - - var part472 = match("MESSAGE#280:00015:08", "nwparser.payload", "inconsistent configuration between master and slave%{}", processor_chain([ - dup141, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg282 = msg("00015:08", part472); - - var part473 = match("MESSAGE#281:00015:09/0_0", "nwparser.payload", "configuration %{p0}"); - - var part474 = match("MESSAGE#281:00015:09/0_1", "nwparser.payload", "Configuration %{p0}"); - - var select109 = linear_select([ - part473, - part474, - ]); - - var part475 = match("MESSAGE#281:00015:09/1", "nwparser.p0", "out of sync between local unit and remote unit%{}"); - - var all90 = all_match({ - processors: [ - select109, - part475, - ], - on_success: processor_chain([ - dup141, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg283 = msg("00015:09", all90); - - var part476 = match("MESSAGE#282:00015:10", "nwparser.payload", "HA control channel change to %{interface}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - 
var msg284 = msg("00015:10", part476); - - var part477 = match("MESSAGE#283:00015:11", "nwparser.payload", "HA data channel change to %{interface}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg285 = msg("00015:11", part477); - - var part478 = match("MESSAGE#284:00015:12/1_0", "nwparser.p0", "control %{p0}"); - - var part479 = match("MESSAGE#284:00015:12/1_1", "nwparser.p0", "data %{p0}"); - - var select110 = linear_select([ - part478, - part479, - ]); - - var part480 = match("MESSAGE#284:00015:12/2", "nwparser.p0", "channel moved from link %{p0}"); - - var part481 = match("MESSAGE#284:00015:12/6", "nwparser.p0", "(%{interface})"); - - var all91 = all_match({ - processors: [ - dup87, - select110, - part480, - dup353, - dup103, - dup353, - part481, - ], - on_success: processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg286 = msg("00015:12", all91); - - var part482 = match("MESSAGE#285:00015:13", "nwparser.payload", "HA: Slave is down%{}", processor_chain([ - dup144, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg287 = msg("00015:13", part482); - - var part483 = match("MESSAGE#286:00015:14/0", "nwparser.payload", "NSRP link %{p0}"); - - var all92 = all_match({ - processors: [ - part483, - dup353, - dup116, - ], - on_success: processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg288 = msg("00015:14", all92); - - var part484 = match("MESSAGE#287:00015:15", "nwparser.payload", "no HA %{fld2->} channel available (%{fld3->} used by other channel)", processor_chain([ - dup117, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg289 = msg("00015:15", part484); - - var part485 = match("MESSAGE#288:00015:16", "nwparser.payload", "The NSRP configuration is out of synchronization between the local device and the peer device.%{}", processor_chain([ - dup18, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg290 = msg("00015:16", part485); - - var part486 = match("MESSAGE#289:00015:17", 
"nwparser.payload", "NSRP %{change_attribute->} %{change_old->} changed to link channel %{change_new}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg291 = msg("00015:17", part486); - - var part487 = match("MESSAGE#290:00015:18", "nwparser.payload", "RTO mirror group %{group->} with direction %{direction->} on peer device %{fld2->} changed from %{fld3->} to %{fld4->} state.", processor_chain([ - dup121, - dup2, - dup3, - dup4, - dup5, - setc("change_attribute","RTO mirror group"), - ])); - - var msg292 = msg("00015:18", part487); - - var part488 = match("MESSAGE#291:00015:19", "nwparser.payload", "RTO mirror group %{group->} with direction %{direction->} on local device %{fld2}, detected a duplicate direction on the peer device %{fld3}", processor_chain([ - dup18, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg293 = msg("00015:19", part488); - - var part489 = match("MESSAGE#292:00015:20", "nwparser.payload", "RTO mirror group %{group->} with direction %{direction->} changed on the local device from %{fld2->} to up state, it had peer device %{fld3}", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg294 = msg("00015:20", part489); - - var part490 = match("MESSAGE#293:00015:21/0", "nwparser.payload", "Peer device %{fld2->} %{p0}"); - - var part491 = match("MESSAGE#293:00015:21/1_0", "nwparser.p0", "disappeared %{p0}"); - - var part492 = match("MESSAGE#293:00015:21/1_1", "nwparser.p0", "was discovered %{p0}"); - - var select111 = linear_select([ - part491, - part492, - ]); - - var all93 = all_match({ - processors: [ - part490, - select111, - dup116, - ], - on_success: processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg295 = msg("00015:21", all93); - - var part493 = match("MESSAGE#294:00015:22/0_0", "nwparser.payload", "The local %{p0}"); - - var part494 = match("MESSAGE#294:00015:22/0_1", "nwparser.payload", "The peer %{p0}"); - - var part495 = match("MESSAGE#294:00015:22/0_2", 
"nwparser.payload", "Peer %{p0}"); - - var select112 = linear_select([ - part493, - part494, - part495, - ]); - - var part496 = match("MESSAGE#294:00015:22/1", "nwparser.p0", "device %{fld2->} in the Virtual Security Device group %{group->} changed %{change_attribute->} from %{change_old->} to %{change_new->} %{p0}"); - - var all94 = all_match({ - processors: [ - select112, - part496, - dup354, - ], - on_success: processor_chain([ - dup44, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg296 = msg("00015:22", all94); - - var part497 = match("MESSAGE#295:00015:23", "nwparser.payload", "WebAuth is set to %{fld2}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg297 = msg("00015:23", part497); - - var part498 = match("MESSAGE#296:00015:24", "nwparser.payload", "Default firewall authentication server has been changed to %{hostname}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg298 = msg("00015:24", part498); - - var part499 = match("MESSAGE#297:00015:25", "nwparser.payload", "Admin user %{administrator->} attempted to verify the encrypted password %{fld2}. Verification was successful", processor_chain([ - setc("eventcategory","1613050100"), - dup2, - dup3, - dup4, - dup5, - ])); - - var msg299 = msg("00015:25", part499); - - var part500 = match("MESSAGE#298:00015:29", "nwparser.payload", "Admin user %{administrator->} attempted to verify the encrypted password %{fld2}. 
Verification failed", processor_chain([ - dup97, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg300 = msg("00015:29", part500); - - var part501 = match("MESSAGE#299:00015:26/0", "nwparser.payload", "unit %{fld2->} just dis%{p0}"); - - var part502 = match("MESSAGE#299:00015:26/1_0", "nwparser.p0", "appeared%{}"); - - var part503 = match("MESSAGE#299:00015:26/1_1", "nwparser.p0", "covered%{}"); - - var select113 = linear_select([ - part502, - part503, - ]); - - var all95 = all_match({ - processors: [ - part501, - select113, - ], - on_success: processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg301 = msg("00015:26", all95); - - var part504 = match("MESSAGE#300:00015:33", "nwparser.payload", "NSRP: HA data channel change to %{interface}. (%{fld2})", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - dup146, - ])); - - var msg302 = msg("00015:33", part504); - - var part505 = match("MESSAGE#301:00015:27", "nwparser.payload", "NSRP: %{fld2}", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg303 = msg("00015:27", part505); - - var part506 = match("MESSAGE#302:00015:28", "nwparser.payload", "Auth server %{hostname->} RADIUS retry timeout has been set to default of %{fld2}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg304 = msg("00015:28", part506); - - var part507 = match("MESSAGE#303:00015:30/0", "nwparser.payload", "Number of RADIUS retries for auth server %{hostname->} %{p0}"); - - var part508 = match("MESSAGE#303:00015:30/2", "nwparser.p0", "set to %{fld2->} (%{fld1})"); - - var all96 = all_match({ - processors: [ - part507, - dup355, - part508, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg305 = msg("00015:30", all96); - - var part509 = match("MESSAGE#304:00015:31", "nwparser.payload", "Forced timeout for Auth server %{hostname->} is unset to its default value, %{info->} (%{fld1})", processor_chain([ - 
dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg306 = msg("00015:31", part509); - - var part510 = match("MESSAGE#305:00015:32", "nwparser.payload", "Accounting port of server RADIUS is set to %{network_port}. (%{fld1})", processor_chain([ - dup50, - dup43, - dup51, - dup2, - dup4, - dup5, - dup9, - ])); - - var msg307 = msg("00015:32", part510); - - var select114 = linear_select([ - msg274, - msg275, - msg276, - msg277, - msg278, - msg279, - msg280, - msg281, - msg282, - msg283, - msg284, - msg285, - msg286, - msg287, - msg288, - msg289, - msg290, - msg291, - msg292, - msg293, - msg294, - msg295, - msg296, - msg297, - msg298, - msg299, - msg300, - msg301, - msg302, - msg303, - msg304, - msg305, - msg306, - msg307, - ]); - - var part511 = match("MESSAGE#306:00016", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to %{daddr->} using protocol %{protocol->} on interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([ - dup147, - dup148, - dup149, - dup150, - dup2, - dup3, - dup59, - dup4, - dup5, - dup61, - ])); - - var msg308 = msg("00016", part511); - - var part512 = match("MESSAGE#307:00016:01", "nwparser.payload", "Address VIP (%{fld2}) for %{fld3->} has been %{disposition}.", processor_chain([ - dup1, - dup148, - dup149, - dup150, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg309 = msg("00016:01", part512); - - var part513 = match("MESSAGE#308:00016:02", "nwparser.payload", "VIP (%{fld2}) has been %{disposition}", processor_chain([ - dup1, - dup148, - dup149, - dup150, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg310 = msg("00016:02", part513); - - var part514 = match("MESSAGE#309:00016:03", "nwparser.payload", "%{signame->} from %{saddr}/%{sport->} to %{daddr}/%{dport->} protocol %{protocol->} (%{fld2})", processor_chain([ - dup147, - dup148, - dup149, - dup150, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg311 = msg("00016:03", part514); - - var part515 = 
match("MESSAGE#310:00016:05", "nwparser.payload", "VIP multi-port was %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg312 = msg("00016:05", part515); - - var part516 = match("MESSAGE#311:00016:06", "nwparser.payload", "%{signame->} has been detected! From %{saddr}:%{sport->} to %{daddr}:%{dport}, using protocol %{protocol}, and arriving at interface %{dinterface->} in zone %{dst_zone}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([ - dup147, - dup148, - dup149, - dup150, - dup2, - dup3, - dup59, - dup4, - dup5, - dup61, - ])); - - var msg313 = msg("00016:06", part516); - - var part517 = match("MESSAGE#312:00016:07/0", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to %{daddr}:%{dport}, proto %{protocol->} ( zone %{p0}"); - - var all97 = all_match({ - processors: [ - part517, - dup338, - dup67, - ], - on_success: processor_chain([ - dup147, - dup148, - dup149, - dup150, - dup2, - dup9, - dup59, - dup3, - dup4, - dup5, - dup61, - ]), - }); - - var msg314 = msg("00016:07", all97); - - var part518 = match("MESSAGE#313:00016:08", "nwparser.payload", "VIP (%{fld2}:%{fld3->} HTTP %{fld4}) Modify by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport->} (%{fld1})", processor_chain([ - setc("eventcategory","1001020305"), - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg315 = msg("00016:08", part518); - - var part519 = match("MESSAGE#314:00016:09", "nwparser.payload", "VIP (%{fld2}:%{fld3->} HTTP %{fld4}) New by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport->} (%{fld1})", processor_chain([ - setc("eventcategory","1001030305"), - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg316 = msg("00016:09", part519); - - var select115 = linear_select([ - msg308, - msg309, - msg310, - msg311, - msg312, - msg313, - msg314, - msg315, - msg316, - ]); - - var part520 = match("MESSAGE#315:00017", "nwparser.payload", "%{signame->} From 
%{saddr}:%{sport->} using protocol %{protocol->} on interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([ - dup151, - dup2, - dup3, - dup59, - dup4, - dup5, - ])); - - var msg317 = msg("00017", part520); - - var part521 = match("MESSAGE#316:00017:23/0", "nwparser.payload", "Gateway %{fld2->} at %{fld3->} in %{fld5->} mode with ID %{p0}"); - - var part522 = match("MESSAGE#316:00017:23/1_0", "nwparser.p0", "[%{fld4}] %{p0}"); - - var part523 = match("MESSAGE#316:00017:23/1_1", "nwparser.p0", "%{fld4->} %{p0}"); - - var select116 = linear_select([ - part522, - part523, - ]); - - var part524 = match("MESSAGE#316:00017:23/2", "nwparser.p0", "has been %{disposition->} by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport->} %{fld}"); - - var all98 = all_match({ - processors: [ - part521, - select116, - part524, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg318 = msg("00017:23", all98); - - var part525 = match("MESSAGE#317:00017:01/0_0", "nwparser.payload", "%{fld1}: Gateway %{p0}"); - - var part526 = match("MESSAGE#317:00017:01/0_1", "nwparser.payload", "Gateway %{p0}"); - - var select117 = linear_select([ - part525, - part526, - ]); - - var part527 = match("MESSAGE#317:00017:01/1", "nwparser.p0", "%{fld2->} at %{fld3->} in %{fld5->} mode with ID%{p0}"); - - var part528 = match("MESSAGE#317:00017:01/3", "nwparser.p0", "%{fld4->} has been %{disposition}"); - - var all99 = all_match({ - processors: [ - select117, - part527, - dup356, - part528, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg319 = msg("00017:01", all99); - - var part529 = match("MESSAGE#318:00017:02", "nwparser.payload", "IKE %{hostip}: Gateway settings have been %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg320 = msg("00017:02", part529); - - var part530 = match("MESSAGE#319:00017:03", 
"nwparser.payload", "IKE key %{fld2->} has been %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg321 = msg("00017:03", part530); - - var part531 = match("MESSAGE#320:00017:04/2", "nwparser.p0", "%{group_object->} with range %{fld2->} has been %{disposition}"); - - var all100 = all_match({ - processors: [ - dup153, - dup357, - part531, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg322 = msg("00017:04", all100); - - var part532 = match("MESSAGE#321:00017:05", "nwparser.payload", "IPSec NAT-T for VPN %{group->} has been %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg323 = msg("00017:05", part532); - - var part533 = match("MESSAGE#322:00017:06/0", "nwparser.payload", "The DF-BIT for VPN %{group->} has been set to %{p0}"); - - var part534 = match("MESSAGE#322:00017:06/1_0", "nwparser.p0", "clear %{p0}"); - - var part535 = match("MESSAGE#322:00017:06/1_2", "nwparser.p0", "copy %{p0}"); - - var select118 = linear_select([ - part534, - dup101, - part535, - ]); - - var all101 = all_match({ - processors: [ - part533, - select118, - dup116, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg324 = msg("00017:06", all101); - - var part536 = match("MESSAGE#323:00017:07/0", "nwparser.payload", "The DF-BIT for VPN %{group->} has been %{p0}"); - - var part537 = match("MESSAGE#323:00017:07/1_0", "nwparser.p0", "clear%{}"); - - var part538 = match("MESSAGE#323:00017:07/1_1", "nwparser.p0", "cleared%{}"); - - var part539 = match("MESSAGE#323:00017:07/1_3", "nwparser.p0", "copy%{}"); - - var part540 = match("MESSAGE#323:00017:07/1_4", "nwparser.p0", "copied%{}"); - - var select119 = linear_select([ - part537, - part538, - dup98, - part539, - part540, - ]); - - var all102 = all_match({ - processors: [ - part536, - select119, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - 
dup5, - ]), - }); - - var msg325 = msg("00017:07", all102); - - var part541 = match("MESSAGE#324:00017:08", "nwparser.payload", "VPN %{group->} with gateway %{fld2->} and SPI %{fld3}/%{fld4->} has been %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg326 = msg("00017:08", part541); - - var part542 = match("MESSAGE#325:00017:09/0_0", "nwparser.payload", "%{fld1}: VPN %{p0}"); - - var part543 = match("MESSAGE#325:00017:09/0_1", "nwparser.payload", "VPN %{p0}"); - - var select120 = linear_select([ - part542, - part543, - ]); - - var part544 = match("MESSAGE#325:00017:09/1", "nwparser.p0", "%{group->} with gateway %{fld2->} %{p0}"); - - var part545 = match("MESSAGE#325:00017:09/2_0", "nwparser.p0", "no-rekey %{p0}"); - - var part546 = match("MESSAGE#325:00017:09/2_1", "nwparser.p0", "rekey, %{p0}"); - - var part547 = match("MESSAGE#325:00017:09/2_2", "nwparser.p0", "rekey %{p0}"); - - var select121 = linear_select([ - part545, - part546, - part547, - ]); - - var part548 = match("MESSAGE#325:00017:09/3", "nwparser.p0", "and p2-proposal %{fld3->} has been %{p0}"); - - var part549 = match("MESSAGE#325:00017:09/4_0", "nwparser.p0", "%{disposition->} from peer unit"); - - var part550 = match("MESSAGE#325:00017:09/4_1", "nwparser.p0", "%{disposition->} from host %{saddr}"); - - var select122 = linear_select([ - part549, - part550, - dup36, - ]); - - var all103 = all_match({ - processors: [ - select120, - part544, - select121, - part548, - select122, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg327 = msg("00017:09", all103); - - var part551 = match("MESSAGE#326:00017:10/0", "nwparser.payload", "VPN monitoring for VPN %{group->} has been %{disposition}. 
Src IF %{sinterface->} dst IP %{daddr->} with rekeying %{p0}"); - - var all104 = all_match({ - processors: [ - part551, - dup358, - dup116, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg328 = msg("00017:10", all104); - - var part552 = match("MESSAGE#327:00017:11", "nwparser.payload", "VPN monitoring for VPN %{group->} has been %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg329 = msg("00017:11", part552); - - var part553 = match("MESSAGE#328:00017:12/0", "nwparser.payload", "VPN monitoring %{p0}"); - - var part554 = match("MESSAGE#328:00017:12/1_2", "nwparser.p0", "frequency %{p0}"); - - var select123 = linear_select([ - dup109, - dup110, - part554, - ]); - - var all105 = all_match({ - processors: [ - part553, - select123, - dup127, - dup359, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg330 = msg("00017:12", all105); - - var part555 = match("MESSAGE#329:00017:26", "nwparser.payload", "VPN %{group->} with gateway %{fld2->} and P2 proposal %{fld3->} has been added by %{username->} via %{logon_type->} from host %{saddr}:%{sport}. (%{fld1})", processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg331 = msg("00017:26", part555); - - var part556 = match("MESSAGE#330:00017:13", "nwparser.payload", "No IP pool has been assigned. You cannot allocate an IP address.%{}", processor_chain([ - dup18, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg332 = msg("00017:13", part556); - - var part557 = match("MESSAGE#331:00017:14", "nwparser.payload", "P1 proposal %{fld2->} with %{protocol_detail}, DH group %{group}, ESP %{encryption_type}, auth %{authmethod}, and lifetime %{fld3->} has been %{disposition->} by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport}. 
(%{fld1})", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup9, - dup5, - ])); - - var msg333 = msg("00017:14", part557); - - var part558 = match("MESSAGE#332:00017:15/0", "nwparser.payload", "P2 proposal %{fld2->} with DH group %{group->} %{p0}"); - - var part559 = match("MESSAGE#332:00017:15/2", "nwparser.p0", "%{encryption_type->} auth %{authmethod->} and lifetime (%{fld3}) (%{fld4}) has been %{disposition}."); - - var all106 = all_match({ - processors: [ - part558, - dup360, - part559, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg334 = msg("00017:15", all106); - - var part560 = match("MESSAGE#333:00017:31/0", "nwparser.payload", "P1 proposal %{fld2->} with %{protocol_detail->} DH group %{group->} %{p0}"); - - var part561 = match("MESSAGE#333:00017:31/2", "nwparser.p0", "%{encryption_type->} auth %{authmethod->} and lifetime %{fld3->} has been %{disposition}."); - - var all107 = all_match({ - processors: [ - part560, - dup360, - part561, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg335 = msg("00017:31", all107); - - var part562 = match("MESSAGE#334:00017:16/0", "nwparser.payload", "vpnmonitor interval is %{p0}"); - - var all108 = all_match({ - processors: [ - part562, - dup359, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg336 = msg("00017:16", all108); - - var part563 = match("MESSAGE#335:00017:17/0", "nwparser.payload", "vpnmonitor threshold is %{p0}"); - - var select124 = linear_select([ - dup99, - dup93, - ]); - - var all109 = all_match({ - processors: [ - part563, - select124, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg337 = msg("00017:17", all109); - - var part564 = match("MESSAGE#336:00017:18/2", "nwparser.p0", "%{group_object->} with range %{fld2->} was %{disposition}"); - - var all110 = all_match({ - processors: [ - dup153, - 
dup357, - part564, - ], - on_success: processor_chain([ - dup50, - dup43, - dup51, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg338 = msg("00017:18", all110); - - var part565 = match("MESSAGE#337:00017:19/0", "nwparser.payload", "%{signame->} From %{saddr->} to %{daddr}, using protocol %{protocol}, and arriving at %{p0}"); - - var part566 = match("MESSAGE#337:00017:19/2", "nwparser.p0", "%{} %{dinterface->} in zone %{dst_zone}.%{space}The attack occurred %{dclass_counter1->} times"); - - var all111 = all_match({ - processors: [ - part565, - dup337, - part566, - ], - on_success: processor_chain([ - dup151, - dup2, - dup3, - dup59, - dup4, - dup5, - ]), - }); - - var msg339 = msg("00017:19", all111); - - var all112 = all_match({ - processors: [ - dup64, - dup338, - dup67, - ], - on_success: processor_chain([ - dup151, - dup2, - dup9, - dup59, - dup3, - dup4, - dup5, - ]), - }); - - var msg340 = msg("00017:20", all112); - - var part567 = match("MESSAGE#339:00017:21", "nwparser.payload", "%{signame->} From %{saddr->} to %{daddr}, using protocol %{protocol}, on zone %{zone->} interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([ - dup151, - dup2, - dup3, - dup59, - dup4, - dup5, - ])); - - var msg341 = msg("00017:21", part567); - - var part568 = match("MESSAGE#340:00017:22", "nwparser.payload", "VPN %{group->} with gateway %{fld2->} and P2 proposal %{fld3->} has been %{disposition->} by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport->} (%{fld1})", processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg342 = msg("00017:22", part568); - - var part569 = match("MESSAGE#341:00017:24", "nwparser.payload", "VPN \"%{group}\" has been bound to tunnel interface %{interface}. 
(%{fld1})", processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg343 = msg("00017:24", part569); - - var part570 = match("MESSAGE#342:00017:25", "nwparser.payload", "VPN %{group->} with gateway %{fld2->} and P2 proposal standard has been added by admin %{administrator->} via NSRP Peer (%{fld1})", processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg344 = msg("00017:25", part570); - - var part571 = match("MESSAGE#343:00017:28", "nwparser.payload", "P2 proposal %{fld2->} with DH group %{group}, ESP, enc %{encryption_type}, auth %{authmethod}, and lifetime %{fld3->} has been %{disposition->} by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport}. (%{fld1})", processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg345 = msg("00017:28", part571); - - var part572 = match("MESSAGE#344:00017:29", "nwparser.payload", "L2TP \"%{fld2}\", all-L2TP-users secret \"%{fld3}\" keepalive %{fld4->} has been %{disposition->} by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport}. 
(%{fld1})", processor_chain([ - dup1, - dup2, - dup4, - dup5, - dup9, - ])); - - var msg346 = msg("00017:29", part572); - - var select125 = linear_select([ - msg317, - msg318, - msg319, - msg320, - msg321, - msg322, - msg323, - msg324, - msg325, - msg326, - msg327, - msg328, - msg329, - msg330, - msg331, - msg332, - msg333, - msg334, - msg335, - msg336, - msg337, - msg338, - msg339, - msg340, - msg341, - msg342, - msg343, - msg344, - msg345, - msg346, - ]); - - var part573 = match("MESSAGE#345:00018", "nwparser.payload", "Positions of policies %{fld2->} and %{fld3->} have been exchanged", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg347 = msg("00018", part573); - - var part574 = match("MESSAGE#346:00018:01", "nwparser.payload", "Deny Policy Alarm%{}", processor_chain([ - setc("eventcategory","1502010000"), - dup2, - dup4, - dup5, - dup3, - ])); - - var msg348 = msg("00018:01", part574); - - var part575 = match("MESSAGE#347:00018:02", "nwparser.payload", "Device%{quote}s %{change_attribute->} has been changed from %{change_old->} to %{change_new->} by admin %{administrator}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg349 = msg("00018:02", part575); - - var part576 = match("MESSAGE#348:00018:04", "nwparser.payload", "%{fld2->} Policy (%{policy_id}, %{info->} ) was %{disposition->} from host %{saddr->} by admin %{administrator->} (%{fld1})", processor_chain([ - dup17, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg350 = msg("00018:04", part576); - - var part577 = match("MESSAGE#349:00018:16", "nwparser.payload", "%{fld2->} Policy (%{policy_id}, %{info->} ) was %{disposition->} by admin %{administrator->} via NSRP Peer", processor_chain([ - dup17, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg351 = msg("00018:16", part577); - - var part578 = match("MESSAGE#350:00018:06/0", "nwparser.payload", "%{fld2->} Policy %{policy_id->} has been moved %{p0}"); - - var part579 = 
match("MESSAGE#350:00018:06/1_0", "nwparser.p0", "before %{p0}"); - - var part580 = match("MESSAGE#350:00018:06/1_1", "nwparser.p0", "after %{p0}"); - - var select126 = linear_select([ - part579, - part580, - ]); - - var part581 = match("MESSAGE#350:00018:06/2", "nwparser.p0", "%{fld3->} by admin %{administrator}"); - - var all113 = all_match({ - processors: [ - part578, - select126, - part581, - ], - on_success: processor_chain([ - dup17, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg352 = msg("00018:06", all113); - - var part582 = match("MESSAGE#351:00018:08", "nwparser.payload", "Policy %{policy_id->} application was modified to %{disposition->} by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport->} (%{fld1})", processor_chain([ - dup17, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg353 = msg("00018:08", part582); - - var part583 = match("MESSAGE#352:00018:09", "nwparser.payload", "Policy (%{policy_id}, %{info}) was %{disposition->} by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport->} (%{fld1})", processor_chain([ - dup17, - dup3, - dup2, - dup9, - dup4, - dup5, - ])); - - var msg354 = msg("00018:09", part583); - - var part584 = match("MESSAGE#353:00018:10/0", "nwparser.payload", "Policy (%{policy_id}, %{info}) was %{p0}"); - - var part585 = match("MESSAGE#353:00018:10/1_0", "nwparser.p0", "%{disposition->} from peer unit by %{p0}"); - - var part586 = match("MESSAGE#353:00018:10/1_1", "nwparser.p0", "%{disposition->} by %{p0}"); - - var select127 = linear_select([ - part585, - part586, - ]); - - var part587 = match("MESSAGE#353:00018:10/2", "nwparser.p0", "%{username->} via %{interface->} from host %{saddr->} (%{fld1})"); - - var all114 = all_match({ - processors: [ - part584, - select127, - part587, - ], - on_success: processor_chain([ - dup17, - dup3, - dup2, - dup9, - dup4, - dup5, - ]), - }); - - var msg355 = msg("00018:10", all114); - - var part588 = match("MESSAGE#354:00018:11/1_0", 
"nwparser.p0", "Service %{service->} was %{p0}"); - - var part589 = match("MESSAGE#354:00018:11/1_1", "nwparser.p0", "Attack group %{signame->} was %{p0}"); - - var select128 = linear_select([ - part588, - part589, - ]); - - var part590 = match("MESSAGE#354:00018:11/2", "nwparser.p0", "%{disposition->} to policy ID %{policy_id->} by %{username->} via %{logon_type->} from host %{saddr->} %{p0}"); - - var part591 = match("MESSAGE#354:00018:11/3_0", "nwparser.p0", "to %{daddr}:%{dport}. %{p0}"); - - var select129 = linear_select([ - part591, - dup16, - ]); - - var all115 = all_match({ - processors: [ - dup160, - select128, - part590, - select129, - dup10, - ], - on_success: processor_chain([ - dup17, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg356 = msg("00018:11", all115); - - var part592 = match("MESSAGE#355:00018:12/0", "nwparser.payload", "In policy %{policy_id}, the %{p0}"); - - var part593 = match("MESSAGE#355:00018:12/1_0", "nwparser.p0", "application %{p0}"); - - var part594 = match("MESSAGE#355:00018:12/1_1", "nwparser.p0", "attack severity %{p0}"); - - var part595 = match("MESSAGE#355:00018:12/1_2", "nwparser.p0", "DI attack component %{p0}"); - - var select130 = linear_select([ - part593, - part594, - part595, - ]); - - var part596 = match("MESSAGE#355:00018:12/2", "nwparser.p0", "was modified by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport->} (%{fld1})"); - - var all116 = all_match({ - processors: [ - part592, - select130, - part596, - ], - on_success: processor_chain([ - dup17, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg357 = msg("00018:12", all116); - - var part597 = match("MESSAGE#356:00018:32/1", "nwparser.p0", "%{}address %{dhost}(%{daddr}) was %{disposition->} %{p0}"); - - var all117 = all_match({ - processors: [ - dup361, - part597, - dup362, - dup164, - ], - on_success: processor_chain([ - dup17, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg358 = msg("00018:32", 
all117); - - var part598 = match("MESSAGE#357:00018:22/1", "nwparser.p0", "%{}address %{dhost->} was %{disposition->} %{p0}"); - - var all118 = all_match({ - processors: [ - dup361, - part598, - dup362, - dup164, - ], - on_success: processor_chain([ - dup17, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg359 = msg("00018:22", all118); - - var part599 = match("MESSAGE#358:00018:15/0", "nwparser.payload", "%{agent->} was %{disposition->} from policy %{policy_id->} %{p0}"); - - var select131 = linear_select([ - dup78, - dup77, - ]); - - var part600 = match("MESSAGE#358:00018:15/2", "nwparser.p0", "address by admin %{administrator->} via NSRP Peer"); - - var all119 = all_match({ - processors: [ - part599, - select131, - part600, - ], - on_success: processor_chain([ - dup17, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg360 = msg("00018:15", all119); - - var part601 = match("MESSAGE#359:00018:14/0", "nwparser.payload", "%{agent->} was %{disposition->} %{p0}"); - - var part602 = match("MESSAGE#359:00018:14/1_0", "nwparser.p0", "to%{p0}"); - - var part603 = match("MESSAGE#359:00018:14/1_1", "nwparser.p0", "from%{p0}"); - - var select132 = linear_select([ - part602, - part603, - ]); - - var part604 = match("MESSAGE#359:00018:14/2", "nwparser.p0", "%{}policy %{policy_id->} %{p0}"); - - var part605 = match("MESSAGE#359:00018:14/3_0", "nwparser.p0", "service %{p0}"); - - var part606 = match("MESSAGE#359:00018:14/3_1", "nwparser.p0", "source address %{p0}"); - - var part607 = match("MESSAGE#359:00018:14/3_2", "nwparser.p0", "destination address %{p0}"); - - var select133 = linear_select([ - part605, - part606, - part607, - ]); - - var part608 = match("MESSAGE#359:00018:14/4", "nwparser.p0", "by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport->} (%{fld1})"); - - var all120 = all_match({ - processors: [ - part601, - select132, - part604, - select133, - part608, - ], - on_success: processor_chain([ - dup17, - dup2, - dup3, - 
dup9, - dup4, - dup5, - ]), - }); - - var msg361 = msg("00018:14", all120); - - var part609 = match("MESSAGE#360:00018:29", "nwparser.payload", "Service %{service->} was %{disposition->} to policy ID %{policy_id->} by admin %{administrator->} via NSRP Peer . (%{fld1})", processor_chain([ - dup17, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg362 = msg("00018:29", part609); - - var part610 = match("MESSAGE#361:00018:07", "nwparser.payload", "%{agent->} was added to policy %{policy_id->} %{rule_group->} by admin %{administrator->} via NSRP Peer %{space->} (%{fld1})", processor_chain([ - dup17, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg363 = msg("00018:07", part610); - - var part611 = match("MESSAGE#362:00018:18", "nwparser.payload", "Service %{service->} was %{disposition->} to policy ID %{policy_id->} by %{username->} via %{logon_type->} to %{daddr}:%{dport->} (%{fld1})", processor_chain([ - dup17, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg364 = msg("00018:18", part611); - - var part612 = match("MESSAGE#363:00018:17", "nwparser.payload", "AntiSpam ns-profile was %{disposition->} from policy ID %{policy_id->} by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport}. 
(%{fld1})", processor_chain([ - dup17, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg365 = msg("00018:17", part612); - - var part613 = match("MESSAGE#364:00018:19", "nwparser.payload", "Source address Info %{info->} was %{disposition->} to policy ID %{policy_id->} by %{username->} via %{logon_type->} to %{daddr}:%{dport->} (%{fld1})", processor_chain([ - dup17, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg366 = msg("00018:19", part613); - - var part614 = match("MESSAGE#365:00018:23/0_0", "nwparser.payload", "Destination %{p0}"); - - var part615 = match("MESSAGE#365:00018:23/0_1", "nwparser.payload", "Source %{p0}"); - - var select134 = linear_select([ - part614, - part615, - ]); - - var part616 = match("MESSAGE#365:00018:23/1", "nwparser.p0", "address %{info->} was added to policy ID %{policy_id->} by %{username->} via %{logon_type->} %{p0}"); - - var part617 = match("MESSAGE#365:00018:23/2_0", "nwparser.p0", "from host %{p0}"); - - var select135 = linear_select([ - part617, - dup103, - ]); - - var part618 = match("MESSAGE#365:00018:23/4_0", "nwparser.p0", "%{saddr->} to %{daddr->} %{p0}"); - - var part619 = match("MESSAGE#365:00018:23/4_1", "nwparser.p0", "%{daddr->} %{p0}"); - - var select136 = linear_select([ - part618, - part619, - ]); - - var part620 = match("MESSAGE#365:00018:23/5", "nwparser.p0", "%{dport}:(%{fld1})"); - - var all121 = all_match({ - processors: [ - select134, - part616, - select135, - dup23, - select136, - part620, - ], - on_success: processor_chain([ - dup17, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg367 = msg("00018:23", all121); - - var part621 = match("MESSAGE#366:00018:21", "nwparser.payload", "Service %{service->} was deleted from policy ID %{policy_id->} by %{username->} via %{logon_type->} from host %{saddr}:%{sport}. 
(%{fld1})", processor_chain([ - dup17, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg368 = msg("00018:21", part621); - - var part622 = match("MESSAGE#367:00018:24", "nwparser.payload", "Policy (%{policyname}) was %{disposition->} by %{username->} via %{logon_type->} to %{daddr}:%{dport->} (%{fld1})", processor_chain([ - dup17, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg369 = msg("00018:24", part622); - - var part623 = match("MESSAGE#368:00018:25/1", "nwparser.p0", "%{}address %{info->} was added to policy ID %{policy_id->} by %{username->} via %{logon_type->} from host %{saddr}. (%{fld1})"); - - var all122 = all_match({ - processors: [ - dup363, - part623, - ], - on_success: processor_chain([ - dup17, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg370 = msg("00018:25", all122); - - var part624 = match("MESSAGE#369:00018:30/1", "nwparser.p0", "%{}address %{info->} was deleted from policy ID %{policy_id->} by %{username->} via %{logon_type->} from host %{saddr}. (%{fld1})"); - - var all123 = all_match({ - processors: [ - dup363, - part624, - ], - on_success: processor_chain([ - dup17, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg371 = msg("00018:30", all123); - - var part625 = match("MESSAGE#370:00018:26/0", "nwparser.payload", "In policy %{policy_id}, the application was modified to %{disposition->} by %{p0}"); - - var part626 = match("MESSAGE#370:00018:26/2_1", "nwparser.p0", "%{logon_type->} from host %{saddr}. (%{p0}"); - - var select137 = linear_select([ - dup48, - part626, - ]); - - var all124 = all_match({ - processors: [ - part625, - dup364, - select137, - dup41, - ], - on_success: processor_chain([ - dup17, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg372 = msg("00018:26", all124); - - var part627 = match("MESSAGE#371:00018:27", "nwparser.payload", "In policy %{policy_id}, the DI attack component was modified by %{username->} via %{logon_type->} from host %{saddr}:%{sport}. 
(%{fld1})", processor_chain([ - dup17, - dup2, - dup4, - dup5, - dup9, - ])); - - var msg373 = msg("00018:27", part627); - - var part628 = match("MESSAGE#372:00018:28", "nwparser.payload", "In policy %{policyname}, the DI attack component was modified by admin %{administrator->} via %{logon_type}. (%{fld1})", processor_chain([ - dup17, - dup2, - dup4, - dup5, - dup9, - setc("info","the DI attack component was modified"), - ])); - - var msg374 = msg("00018:28", part628); - - var part629 = match("MESSAGE#373:00018:03", "nwparser.payload", "Policy (%{policy_id}, %{info}) was %{disposition}", processor_chain([ - dup17, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg375 = msg("00018:03", part629); - - var part630 = match("MESSAGE#1213:00018:31", "nwparser.payload", "In policy %{policy_id}, the option %{fld2->} was %{disposition}. (%{fld1})", processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg376 = msg("00018:31", part630); - - var select138 = linear_select([ - msg347, - msg348, - msg349, - msg350, - msg351, - msg352, - msg353, - msg354, - msg355, - msg356, - msg357, - msg358, - msg359, - msg360, - msg361, - msg362, - msg363, - msg364, - msg365, - msg366, - msg367, - msg368, - msg369, - msg370, - msg371, - msg372, - msg373, - msg374, - msg375, - msg376, - ]); - - var part631 = match("MESSAGE#374:00019", "nwparser.payload", "Attempt to enable WebTrends has %{disposition->} because WebTrends settings have not yet been configured", processor_chain([ - dup18, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg377 = msg("00019", part631); - - var part632 = match("MESSAGE#375:00019:01/2", "nwparser.p0", "has %{disposition->} because syslog settings have not yet been configured"); - - var all125 = all_match({ - processors: [ - dup165, - dup365, - part632, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg378 = msg("00019:01", all125); - - var part633 = match("MESSAGE#376:00019:02/0", 
"nwparser.payload", "Socket cannot be assigned for %{p0}"); - - var part634 = match("MESSAGE#376:00019:02/1_0", "nwparser.p0", "WebTrends%{}"); - - var part635 = match("MESSAGE#376:00019:02/1_1", "nwparser.p0", "syslog%{}"); - - var select139 = linear_select([ - part634, - part635, - ]); - - var all126 = all_match({ - processors: [ - part633, - select139, - ], - on_success: processor_chain([ - dup18, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg379 = msg("00019:02", all126); - - var part636 = match("MESSAGE#377:00019:03", "nwparser.payload", "Syslog VPN encryption has been %{disposition}", processor_chain([ - dup91, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg380 = msg("00019:03", part636); - - var select140 = linear_select([ - dup169, - dup78, - ]); - - var select141 = linear_select([ - dup139, - dup170, - dup137, - dup122, - ]); - - var all127 = all_match({ - processors: [ - dup168, - select140, - dup23, - select141, - dup171, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg381 = msg("00019:04", all127); - - var part637 = match("MESSAGE#379:00019:05/0", "nwparser.payload", "Syslog message level has been changed to %{p0}"); - - var part638 = match("MESSAGE#379:00019:05/1_0", "nwparser.p0", "debug%{}"); - - var part639 = match("MESSAGE#379:00019:05/1_1", "nwparser.p0", "information%{}"); - - var part640 = match("MESSAGE#379:00019:05/1_2", "nwparser.p0", "notification%{}"); - - var part641 = match("MESSAGE#379:00019:05/1_3", "nwparser.p0", "warning%{}"); - - var part642 = match("MESSAGE#379:00019:05/1_4", "nwparser.p0", "error%{}"); - - var part643 = match("MESSAGE#379:00019:05/1_5", "nwparser.p0", "critical%{}"); - - var part644 = match("MESSAGE#379:00019:05/1_6", "nwparser.p0", "alert%{}"); - - var part645 = match("MESSAGE#379:00019:05/1_7", "nwparser.p0", "emergency%{}"); - - var select142 = linear_select([ - part638, - part639, - part640, - part641, - part642, - part643, - part644, - part645, - 
]); - - var all128 = all_match({ - processors: [ - part637, - select142, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg382 = msg("00019:05", all128); - - var part646 = match("MESSAGE#380:00019:06/2", "nwparser.p0", "has been changed to %{p0}"); - - var all129 = all_match({ - processors: [ - dup168, - dup366, - part646, - dup367, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg383 = msg("00019:06", all129); - - var part647 = match("MESSAGE#381:00019:07", "nwparser.payload", "WebTrends VPN encryption has been %{disposition}", processor_chain([ - dup91, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg384 = msg("00019:07", part647); - - var part648 = match("MESSAGE#382:00019:08", "nwparser.payload", "WebTrends has been %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg385 = msg("00019:08", part648); - - var part649 = match("MESSAGE#383:00019:09/0", "nwparser.payload", "WebTrends host %{p0}"); - - var select143 = linear_select([ - dup139, - dup170, - dup137, - ]); - - var all130 = all_match({ - processors: [ - part649, - select143, - dup171, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg386 = msg("00019:09", all130); - - var part650 = match("MESSAGE#384:00019:10/1_0", "nwparser.p0", "Traffic logging via syslog %{p0}"); - - var part651 = match("MESSAGE#384:00019:10/1_1", "nwparser.p0", "Syslog %{p0}"); - - var select144 = linear_select([ - part650, - part651, - ]); - - var all131 = all_match({ - processors: [ - dup183, - select144, - dup138, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg387 = msg("00019:10", all131); - - var part652 = match("MESSAGE#385:00019:11/2", "nwparser.p0", "has %{disposition->} because there is no syslog server defined"); - - var all132 = all_match({ - processors: [ - dup165, - dup365, - 
part652, - ], - on_success: processor_chain([ - dup18, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg388 = msg("00019:11", all132); - - var part653 = match("MESSAGE#386:00019:12", "nwparser.payload", "Removing all syslog servers%{}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg389 = msg("00019:12", part653); - - var part654 = match("MESSAGE#387:00019:13/0", "nwparser.payload", "Syslog server %{hostip->} %{p0}"); - - var select145 = linear_select([ - dup107, - dup106, - ]); - - var part655 = match("MESSAGE#387:00019:13/2", "nwparser.p0", "%{disposition}"); - - var all133 = all_match({ - processors: [ - part654, - select145, - part655, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg390 = msg("00019:13", all133); - - var part656 = match("MESSAGE#388:00019:14/2", "nwparser.p0", "for %{hostip->} has been changed to %{p0}"); - - var all134 = all_match({ - processors: [ - dup168, - dup366, - part656, - dup367, - ], - on_success: processor_chain([ - dup50, - dup43, - dup51, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg391 = msg("00019:14", all134); - - var part657 = match("MESSAGE#389:00019:15", "nwparser.payload", "Syslog cannot connect to the TCP server %{hostip}; the connection is closed.", processor_chain([ - dup27, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg392 = msg("00019:15", part657); - - var part658 = match("MESSAGE#390:00019:16", "nwparser.payload", "All syslog servers were removed.%{}", processor_chain([ - setc("eventcategory","1701030000"), - setc("ec_activity","Delete"), - dup51, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg393 = msg("00019:16", part658); - - var part659 = match("MESSAGE#391:00019:17", "nwparser.payload", "Syslog server %{hostip->} host port number has been changed to %{network_port->} %{fld5}", processor_chain([ - dup50, - dup43, - dup51, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg394 = msg("00019:17", part659); - - var 
part660 = match("MESSAGE#392:00019:18/0", "nwparser.payload", "Traffic logging %{p0}"); - - var part661 = match("MESSAGE#392:00019:18/1_0", "nwparser.p0", "via syslog %{p0}"); - - var part662 = match("MESSAGE#392:00019:18/1_1", "nwparser.p0", "for syslog server %{hostip->} %{p0}"); - - var select146 = linear_select([ - part661, - part662, - ]); - - var all135 = all_match({ - processors: [ - part660, - select146, - dup138, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg395 = msg("00019:18", all135); - - var part663 = match("MESSAGE#393:00019:19", "nwparser.payload", "Transport protocol for syslog server %{hostip->} was changed to udp", processor_chain([ - dup50, - dup43, - dup51, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg396 = msg("00019:19", part663); - - var part664 = match("MESSAGE#394:00019:20", "nwparser.payload", "The traffic/IDP syslog is enabled on backup device by netscreen via web from host %{saddr->} to %{daddr}:%{dport}. 
(%{fld1})", processor_chain([ - dup50, - dup43, - dup51, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg397 = msg("00019:20", part664); - - var select147 = linear_select([ - msg377, - msg378, - msg379, - msg380, - msg381, - msg382, - msg383, - msg384, - msg385, - msg386, - msg387, - msg388, - msg389, - msg390, - msg391, - msg392, - msg393, - msg394, - msg395, - msg396, - msg397, - ]); - - var part665 = match("MESSAGE#395:00020", "nwparser.payload", "Schedule %{fld2->} has been %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg398 = msg("00020", part665); - - var part666 = match("MESSAGE#396:00020:01/0", "nwparser.payload", "System memory is low %{p0}"); - - var part667 = match("MESSAGE#396:00020:01/1_1", "nwparser.p0", "( %{p0}"); - - var select148 = linear_select([ - dup152, - part667, - ]); - - var part668 = match("MESSAGE#396:00020:01/2", "nwparser.p0", "%{fld2->} bytes allocated out of %{p0}"); - - var part669 = match("MESSAGE#396:00020:01/3_0", "nwparser.p0", "total %{fld3->} bytes"); - - var part670 = match("MESSAGE#396:00020:01/3_1", "nwparser.p0", "%{fld4->} bytes total"); - - var select149 = linear_select([ - part669, - part670, - ]); - - var all136 = all_match({ - processors: [ - part666, - select148, - part668, - select149, - ], - on_success: processor_chain([ - dup184, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg399 = msg("00020:01", all136); - - var part671 = match("MESSAGE#397:00020:02", "nwparser.payload", "System memory is low (%{fld2->} allocated out of %{fld3->} ) %{fld4->} times in %{fld5}", processor_chain([ - dup184, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg400 = msg("00020:02", part671); - - var select150 = linear_select([ - msg398, - msg399, - msg400, - ]); - - var part672 = match("MESSAGE#398:00021", "nwparser.payload", "DIP %{fld2->} has been %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg401 = msg("00021", part672); - - var 
part673 = match("MESSAGE#399:00021:01", "nwparser.payload", "IP pool %{fld2->} with range %{info->} has been %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg402 = msg("00021:01", part673); - - var part674 = match("MESSAGE#400:00021:02", "nwparser.payload", "DNS server is not configured%{}", processor_chain([ - dup18, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg403 = msg("00021:02", part674); - - var part675 = match("MESSAGE#401:00021:03", "nwparser.payload", "Connection refused by the DNS server%{}", processor_chain([ - dup185, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg404 = msg("00021:03", part675); - - var part676 = match("MESSAGE#402:00021:04", "nwparser.payload", "Unknown DNS error%{}", processor_chain([ - dup117, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg405 = msg("00021:04", part676); - - var part677 = match("MESSAGE#403:00021:05", "nwparser.payload", "DIP port-translatation stickiness was %{disposition->} by %{username->} via %{logon_type->} from host %{saddr->} (%{fld1})", processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg406 = msg("00021:05", part677); - - var part678 = match("MESSAGE#404:00021:06", "nwparser.payload", "DIP port-translation stickiness was %{disposition->} by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport->} (%{fld1})", processor_chain([ - dup1, - dup2, - dup4, - dup5, - dup9, - setc("info","DIP port-translation stickiness was modified"), - ])); - - var msg407 = msg("00021:06", part678); - - var select151 = linear_select([ - msg401, - msg402, - msg403, - msg404, - msg405, - msg406, - msg407, - ]); - - var part679 = match("MESSAGE#405:00022/1_0", "nwparser.p0", "power supplies %{p0}"); - - var part680 = match("MESSAGE#405:00022/1_1", "nwparser.p0", "fans %{p0}"); - - var select152 = linear_select([ - part679, - part680, - ]); - - var part681 = match("MESSAGE#405:00022/2", "nwparser.p0", "are %{fld2->} functioning 
properly"); - - var all137 = all_match({ - processors: [ - dup186, - select152, - part681, - ], - on_success: processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg408 = msg("00022", all137); - - var part682 = match("MESSAGE#406:00022:01/0_0", "nwparser.payload", "At least one power supply %{p0}"); - - var part683 = match("MESSAGE#406:00022:01/0_1", "nwparser.payload", "The power supply %{fld2->} %{p0}"); - - var part684 = match("MESSAGE#406:00022:01/0_2", "nwparser.payload", "At least one fan %{p0}"); - - var select153 = linear_select([ - part682, - part683, - part684, - ]); - - var part685 = match("MESSAGE#406:00022:01/1", "nwparser.p0", "is not functioning properly%{p0}"); - - var all138 = all_match({ - processors: [ - select153, - part685, - dup368, - ], - on_success: processor_chain([ - dup187, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg409 = msg("00022:01", all138); - - var part686 = match("MESSAGE#407:00022:02", "nwparser.payload", "Global Manager VPN management tunnel has been %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg410 = msg("00022:02", part686); - - var part687 = match("MESSAGE#408:00022:03", "nwparser.payload", "Global Manager domain name has been defined as %{domain}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg411 = msg("00022:03", part687); - - var part688 = match("MESSAGE#409:00022:04/0", "nwparser.payload", "Reporting of the %{p0}"); - - var part689 = match("MESSAGE#409:00022:04/1_0", "nwparser.p0", "network activities %{p0}"); - - var part690 = match("MESSAGE#409:00022:04/1_1", "nwparser.p0", "device resources %{p0}"); - - var part691 = match("MESSAGE#409:00022:04/1_2", "nwparser.p0", "event logs %{p0}"); - - var part692 = match("MESSAGE#409:00022:04/1_3", "nwparser.p0", "summary logs %{p0}"); - - var select154 = linear_select([ - part689, - part690, - part691, - part692, - ]); - - var part693 = 
match("MESSAGE#409:00022:04/2", "nwparser.p0", "to Global Manager has been %{disposition}"); - - var all139 = all_match({ - processors: [ - part688, - select154, - part693, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg412 = msg("00022:04", all139); - - var part694 = match("MESSAGE#410:00022:05", "nwparser.payload", "Global Manager has been %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg413 = msg("00022:05", part694); - - var part695 = match("MESSAGE#411:00022:06/0", "nwparser.payload", "Global Manager %{p0}"); - - var part696 = match("MESSAGE#411:00022:06/1_0", "nwparser.p0", "report %{p0}"); - - var part697 = match("MESSAGE#411:00022:06/1_1", "nwparser.p0", "listen %{p0}"); - - var select155 = linear_select([ - part696, - part697, - ]); - - var part698 = match("MESSAGE#411:00022:06/2", "nwparser.p0", "port has been set to %{interface}"); - - var all140 = all_match({ - processors: [ - part695, - select155, - part698, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg414 = msg("00022:06", all140); - - var part699 = match("MESSAGE#412:00022:07", "nwparser.payload", "The Global Manager keep-alive value has been changed to %{fld2}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg415 = msg("00022:07", part699); - - var part700 = match("MESSAGE#413:00022:08/0_0", "nwparser.payload", "System temperature %{p0}"); - - var part701 = match("MESSAGE#413:00022:08/0_1", "nwparser.payload", "System's temperature: %{p0}"); - - var part702 = match("MESSAGE#413:00022:08/0_2", "nwparser.payload", "The system temperature %{p0}"); - - var select156 = linear_select([ - part700, - part701, - part702, - ]); - - var part703 = match("MESSAGE#413:00022:08/1", "nwparser.p0", "(%{fld2->} C%{p0}"); - - var part704 = match("MESSAGE#413:00022:08/2_0", "nwparser.p0", "entigrade, %{p0}"); - - var select157 = 
linear_select([ - part704, - dup96, - ]); - - var part705 = match("MESSAGE#413:00022:08/3", "nwparser.p0", "%{fld3->} F%{p0}"); - - var part706 = match("MESSAGE#413:00022:08/4_0", "nwparser.p0", "ahrenheit %{p0}"); - - var select158 = linear_select([ - part706, - dup96, - ]); - - var part707 = match("MESSAGE#413:00022:08/5", "nwparser.p0", ") is too high%{}"); - - var all141 = all_match({ - processors: [ - select156, - part703, - select157, - part705, - select158, - part707, - ], - on_success: processor_chain([ - dup188, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg416 = msg("00022:08", all141); - - var part708 = match("MESSAGE#414:00022:09/2", "nwparser.p0", "power supply is no%{p0}"); - - var select159 = linear_select([ - dup191, - dup192, - ]); - - var part709 = match("MESSAGE#414:00022:09/4", "nwparser.p0", "functioning properly%{}"); - - var all142 = all_match({ - processors: [ - dup55, - dup369, - part708, - select159, - part709, - ], - on_success: processor_chain([ - dup188, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg417 = msg("00022:09", all142); - - var part710 = match("MESSAGE#415:00022:10/0", "nwparser.payload", "The NetScreen device was unable to upgrade the file system%{p0}"); - - var part711 = match("MESSAGE#415:00022:10/1_0", "nwparser.p0", " due to an internal conflict%{}"); - - var part712 = match("MESSAGE#415:00022:10/1_1", "nwparser.p0", ", but the old file system is intact%{}"); - - var select160 = linear_select([ - part711, - part712, - ]); - - var all143 = all_match({ - processors: [ - part710, - select160, - ], - on_success: processor_chain([ - dup18, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg418 = msg("00022:10", all143); - - var part713 = match("MESSAGE#416:00022:11/0", "nwparser.payload", "The NetScreen device was unable to upgrade %{p0}"); - - var part714 = match("MESSAGE#416:00022:11/1_0", "nwparser.p0", "due to an internal conflict%{}"); - - var part715 = match("MESSAGE#416:00022:11/1_1", 
"nwparser.p0", "the loader, but the loader is intact%{}"); - - var select161 = linear_select([ - part714, - part715, - ]); - - var all144 = all_match({ - processors: [ - part713, - select161, - ], - on_success: processor_chain([ - dup18, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg419 = msg("00022:11", all144); - - var part716 = match("MESSAGE#417:00022:12/0", "nwparser.payload", "Battery is no%{p0}"); - - var select162 = linear_select([ - dup192, - dup191, - ]); - - var part717 = match("MESSAGE#417:00022:12/2", "nwparser.p0", "functioning properly.%{}"); - - var all145 = all_match({ - processors: [ - part716, - select162, - part717, - ], - on_success: processor_chain([ - dup188, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg420 = msg("00022:12", all145); - - var part718 = match("MESSAGE#418:00022:13", "nwparser.payload", "System's temperature (%{fld2->} Centigrade, %{fld3->} Fahrenheit) is OK now.", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg421 = msg("00022:13", part718); - - var part719 = match("MESSAGE#419:00022:14", "nwparser.payload", "The power supply %{fld2->} is functioning properly. 
(%{fld1})", processor_chain([ - dup44, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg422 = msg("00022:14", part719); - - var select163 = linear_select([ - msg408, - msg409, - msg410, - msg411, - msg412, - msg413, - msg414, - msg415, - msg416, - msg417, - msg418, - msg419, - msg420, - msg421, - msg422, - ]); - - var part720 = match("MESSAGE#420:00023", "nwparser.payload", "VIP server %{hostip->} is not responding", processor_chain([ - dup187, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg423 = msg("00023", part720); - - var part721 = match("MESSAGE#421:00023:01", "nwparser.payload", "VIP/load balance server %{hostip->} cannot be contacted", processor_chain([ - dup187, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg424 = msg("00023:01", part721); - - var part722 = match("MESSAGE#422:00023:02", "nwparser.payload", "VIP server %{hostip->} cannot be contacted", processor_chain([ - dup187, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg425 = msg("00023:02", part722); - - var select164 = linear_select([ - msg423, - msg424, - msg425, - ]); - - var part723 = match("MESSAGE#423:00024/0_0", "nwparser.payload", "The DHCP %{p0}"); - - var part724 = match("MESSAGE#423:00024/0_1", "nwparser.payload", " DHCP %{p0}"); - - var select165 = linear_select([ - part723, - part724, - ]); - - var part725 = match("MESSAGE#423:00024/2_0", "nwparser.p0", "IP address pool has %{p0}"); - - var part726 = match("MESSAGE#423:00024/2_1", "nwparser.p0", "options have been %{p0}"); - - var select166 = linear_select([ - part725, - part726, - ]); - - var all146 = all_match({ - processors: [ - select165, - dup193, - select166, - dup52, - dup368, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg426 = msg("00024", all146); - - var part727 = match("MESSAGE#424:00024:01/0_0", "nwparser.payload", "Traffic log %{p0}"); - - var part728 = match("MESSAGE#424:00024:01/0_1", "nwparser.payload", "Alarm log %{p0}"); - - var part729 = 
match("MESSAGE#424:00024:01/0_2", "nwparser.payload", "Event log %{p0}"); - - var part730 = match("MESSAGE#424:00024:01/0_3", "nwparser.payload", "Self log %{p0}"); - - var part731 = match("MESSAGE#424:00024:01/0_4", "nwparser.payload", "Asset Recovery log %{p0}"); - - var select167 = linear_select([ - part727, - part728, - part729, - part730, - part731, - ]); - - var part732 = match("MESSAGE#424:00024:01/1", "nwparser.p0", "has overflowed%{}"); - - var all147 = all_match({ - processors: [ - select167, - part732, - ], - on_success: processor_chain([ - dup117, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg427 = msg("00024:01", all147); - - var part733 = match("MESSAGE#425:00024:02/0", "nwparser.payload", "DHCP relay agent settings on %{fld2->} %{p0}"); - - var part734 = match("MESSAGE#425:00024:02/1_0", "nwparser.p0", "are %{p0}"); - - var part735 = match("MESSAGE#425:00024:02/1_1", "nwparser.p0", "have been %{p0}"); - - var select168 = linear_select([ - part734, - part735, - ]); - - var part736 = match("MESSAGE#425:00024:02/2", "nwparser.p0", "%{disposition->} (%{fld1})"); - - var all148 = all_match({ - processors: [ - part733, - select168, - part736, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg428 = msg("00024:02", all148); - - var part737 = match("MESSAGE#426:00024:03/0", "nwparser.payload", "DHCP server IP address pool %{p0}"); - - var select169 = linear_select([ - dup194, - dup106, - ]); - - var part738 = match("MESSAGE#426:00024:03/2", "nwparser.p0", "changed. 
(%{fld1})"); - - var all149 = all_match({ - processors: [ - part737, - select169, - part738, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg429 = msg("00024:03", all149); - - var select170 = linear_select([ - msg426, - msg427, - msg428, - msg429, - ]); - - var part739 = match("MESSAGE#427:00025", "nwparser.payload", "The DHCP server IP address pool has changed%{}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg430 = msg("00025", part739); - - var part740 = match("MESSAGE#428:00025:01", "nwparser.payload", "PKI: The current device %{disposition->} to save the certificate authority configuration.", processor_chain([ - dup86, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg431 = msg("00025:01", part740); - - var part741 = match("MESSAGE#429:00025:02", "nwparser.payload", "%{disposition->} to send the X509 request file via e-mail", processor_chain([ - dup86, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg432 = msg("00025:02", part741); - - var part742 = match("MESSAGE#430:00025:03", "nwparser.payload", "%{disposition->} to save the CA configuration", processor_chain([ - dup86, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg433 = msg("00025:03", part742); - - var part743 = match("MESSAGE#431:00025:04", "nwparser.payload", "Cannot load more X509 certificates. The %{result}", processor_chain([ - dup86, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg434 = msg("00025:04", part743); - - var select171 = linear_select([ - msg430, - msg431, - msg432, - msg433, - msg434, - ]); - - var part744 = match("MESSAGE#432:00026", "nwparser.payload", "%{signame->} have been detected! 
From %{saddr}:%{sport->} to %{daddr}:%{dport->} using protocol %{protocol->} on interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([ - dup58, - dup2, - dup3, - dup59, - dup4, - dup5, - dup61, - ])); - - var msg435 = msg("00026", part744); - - var part745 = match("MESSAGE#433:00026:13", "nwparser.payload", "%{signame->} have been detected! From %{saddr}:%{sport->} to %{daddr}:%{dport}, using protocol %{protocol}, on interface %{interface}", processor_chain([ - dup58, - dup2, - dup3, - dup4, - dup5, - dup61, - ])); - - var msg436 = msg("00026:13", part745); - - var part746 = match("MESSAGE#434:00026:01/2", "nwparser.p0", "PKA key has been %{p0}"); - - var part747 = match("MESSAGE#434:00026:01/4", "nwparser.p0", "admin user %{administrator}. (Key ID = %{fld2})"); - - var all150 = all_match({ - processors: [ - dup195, - dup370, - part746, - dup371, - part747, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg437 = msg("00026:01", all150); - - var part748 = match("MESSAGE#435:00026:02/1_0", "nwparser.p0", ": SCS %{p0}"); - - var select172 = linear_select([ - part748, - dup96, - ]); - - var part749 = match("MESSAGE#435:00026:02/2", "nwparser.p0", "has been %{disposition->} for %{p0}"); - - var part750 = match("MESSAGE#435:00026:02/3_0", "nwparser.p0", "root system %{p0}"); - - var part751 = match("MESSAGE#435:00026:02/3_1", "nwparser.p0", "%{interface->} %{p0}"); - - var select173 = linear_select([ - part750, - part751, - ]); - - var all151 = all_match({ - processors: [ - dup195, - select172, - part749, - select173, - dup116, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg438 = msg("00026:02", all151); - - var part752 = match("MESSAGE#436:00026:03/2", "nwparser.p0", "%{change_attribute->} has been changed from %{change_old->} to %{change_new}"); - - var all152 = all_match({ - processors: [ - dup195, - dup370, - part752, - ], 
- on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg439 = msg("00026:03", all152); - - var part753 = match("MESSAGE#437:00026:04", "nwparser.payload", "SCS: Connection has been terminated for admin user %{administrator->} at %{hostip}:%{network_port}", processor_chain([ - dup198, - dup2, - dup4, - dup5, - dup3, - ])); - - var msg440 = msg("00026:04", part753); - - var part754 = match("MESSAGE#438:00026:05", "nwparser.payload", "SCS: Host client has requested NO cipher from %{interface}", processor_chain([ - dup198, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg441 = msg("00026:05", part754); - - var part755 = match("MESSAGE#439:00026:06", "nwparser.payload", "SCS: SSH user %{username->} has been authenticated using PKA RSA from %{saddr}:%{sport}. (key-ID=%{fld2}", processor_chain([ - dup199, - dup29, - dup30, - dup31, - dup32, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg442 = msg("00026:06", part755); - - var part756 = match("MESSAGE#440:00026:07", "nwparser.payload", "SCS: SSH user %{username->} has been authenticated using password from %{saddr}:%{sport}.", processor_chain([ - dup199, - dup29, - dup30, - dup31, - dup32, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg443 = msg("00026:07", part756); - - var part757 = match("MESSAGE#441:00026:08/0", "nwparser.payload", "SSH user %{username->} has been authenticated using %{p0}"); - - var part758 = match("MESSAGE#441:00026:08/2", "nwparser.p0", "from %{saddr}:%{sport->} [ with key ID %{fld2->} ]"); - - var all153 = all_match({ - processors: [ - part757, - dup372, - part758, - ], - on_success: processor_chain([ - dup199, - dup29, - dup30, - dup31, - dup32, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg444 = msg("00026:08", all153); - - var part759 = match("MESSAGE#442:00026:09", "nwparser.payload", "IPSec tunnel on int %{interface->} with tunnel ID %{fld2->} received a packet with a bad SPI.", processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - 
])); - - var msg445 = msg("00026:09", part759); - - var part760 = match("MESSAGE#443:00026:10/0", "nwparser.payload", "SSH: %{p0}"); - - var part761 = match("MESSAGE#443:00026:10/1_0", "nwparser.p0", "Failed %{p0}"); - - var part762 = match("MESSAGE#443:00026:10/1_1", "nwparser.p0", "Attempt %{p0}"); - - var select174 = linear_select([ - part761, - part762, - ]); - - var part763 = match("MESSAGE#443:00026:10/3_0", "nwparser.p0", "bind duplicate %{p0}"); - - var select175 = linear_select([ - part763, - dup201, - ]); - - var part764 = match("MESSAGE#443:00026:10/6", "nwparser.p0", "admin user '%{administrator}' (Key ID %{fld2})"); - - var all154 = all_match({ - processors: [ - part760, - select174, - dup103, - select175, - dup202, - dup373, - part764, - ], - on_success: processor_chain([ - dup203, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg446 = msg("00026:10", all154); - - var part765 = match("MESSAGE#444:00026:11", "nwparser.payload", "SSH: Maximum number of PKA keys (%{fld2}) has been bound to user '%{username}' Key not bound. (Key ID %{fld3})", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg447 = msg("00026:11", part765); - - var part766 = match("MESSAGE#445:00026:12", "nwparser.payload", "IKE %{fld2}: Missing heartbeats have exceeded the threshold. 
All Phase 1 and 2 SAs have been removed", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg448 = msg("00026:12", part766); - - var select176 = linear_select([ - msg435, - msg436, - msg437, - msg438, - msg439, - msg440, - msg441, - msg442, - msg443, - msg444, - msg445, - msg446, - msg447, - msg448, - ]); - - var part767 = match("MESSAGE#446:00027/2", "nwparser.p0", "user %{username->} from %{p0}"); - - var part768 = match("MESSAGE#446:00027/3_0", "nwparser.p0", "IP address %{saddr}:%{sport}"); - - var part769 = match("MESSAGE#446:00027/3_1", "nwparser.p0", "%{saddr}:%{sport}"); - - var part770 = match("MESSAGE#446:00027/3_2", "nwparser.p0", "console%{}"); - - var select177 = linear_select([ - part768, - part769, - part770, - ]); - - var all155 = all_match({ - processors: [ - dup204, - dup374, - part767, - select177, - ], - on_success: processor_chain([ - dup206, - dup30, - dup31, - dup54, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg449 = msg("00027", all155); - - var part771 = match("MESSAGE#447:00027:01", "nwparser.payload", "%{change_attribute->} has been restored from %{change_old->} to default port %{change_new}. %{info}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg450 = msg("00027:01", part771); - - var part772 = match("MESSAGE#448:00027:02", "nwparser.payload", "%{change_attribute->} has been restored from %{change_old->} to %{change_new}. %{info}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg451 = msg("00027:02", part772); - - var part773 = match("MESSAGE#449:00027:03", "nwparser.payload", "%{change_attribute->} has been changed from %{change_old->} to port %{change_new}. 
%{info}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg452 = msg("00027:03", part773); - - var part774 = match("MESSAGE#450:00027:04", "nwparser.payload", "%{change_attribute->} has been changed from %{change_old->} to port %{change_new}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg453 = msg("00027:04", part774); - - var part775 = match("MESSAGE#451:00027:05/0", "nwparser.payload", "ScreenOS %{version->} %{p0}"); - - var part776 = match("MESSAGE#451:00027:05/1_0", "nwparser.p0", "Serial %{p0}"); - - var part777 = match("MESSAGE#451:00027:05/1_1", "nwparser.p0", "serial %{p0}"); - - var select178 = linear_select([ - part776, - part777, - ]); - - var part778 = match("MESSAGE#451:00027:05/2", "nwparser.p0", "# %{fld2}: Asset recovery %{p0}"); - - var part779 = match("MESSAGE#451:00027:05/3_0", "nwparser.p0", "performed %{p0}"); - - var select179 = linear_select([ - part779, - dup127, - ]); - - var select180 = linear_select([ - dup207, - dup208, - ]); - - var all156 = all_match({ - processors: [ - part775, - select178, - part778, - select179, - dup23, - select180, - ], - on_success: processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg454 = msg("00027:05", all156); - - var part780 = match("MESSAGE#452:00027:06/0", "nwparser.payload", "Device Reset (Asset Recovery) has been %{p0}"); - - var select181 = linear_select([ - dup208, - dup207, - ]); - - var all157 = all_match({ - processors: [ - part780, - select181, - ], - on_success: processor_chain([ - setc("eventcategory","1606000000"), - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg455 = msg("00027:06", all157); - - var part781 = match("MESSAGE#453:00027:07", "nwparser.payload", "%{change_attribute->} has been changed from %{change_old->} to %{change_new}. 
%{info}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg456 = msg("00027:07", part781); - - var part782 = match("MESSAGE#454:00027:08", "nwparser.payload", "System configuration has been erased%{}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg457 = msg("00027:08", part782); - - var part783 = match("MESSAGE#455:00027:09", "nwparser.payload", "License key %{fld2->} is due to expire in %{fld3}.", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg458 = msg("00027:09", part783); - - var part784 = match("MESSAGE#456:00027:10", "nwparser.payload", "License key %{fld2->} has expired.", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg459 = msg("00027:10", part784); - - var part785 = match("MESSAGE#457:00027:11", "nwparser.payload", "License key %{fld2->} expired after 30-day grace period.", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg460 = msg("00027:11", part785); - - var part786 = match("MESSAGE#458:00027:12/0", "nwparser.payload", "Request to retrieve license key failed to reach %{p0}"); - - var part787 = match("MESSAGE#458:00027:12/1_0", "nwparser.p0", "the server %{p0}"); - - var select182 = linear_select([ - part787, - dup193, - ]); - - var part788 = match("MESSAGE#458:00027:12/2", "nwparser.p0", "by %{fld2}. 
Server url: %{url}"); - - var all158 = all_match({ - processors: [ - part786, - select182, - part788, - ], - on_success: processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg461 = msg("00027:12", all158); - - var part789 = match("MESSAGE#459:00027:13/2", "nwparser.p0", "user %{username}"); - - var all159 = all_match({ - processors: [ - dup204, - dup374, - part789, - ], - on_success: processor_chain([ - dup206, - dup30, - dup31, - dup54, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg462 = msg("00027:13", all159); - - var part790 = match("MESSAGE#460:00027:14/0", "nwparser.payload", "Configuration Erasure Process %{p0}"); - - var part791 = match("MESSAGE#460:00027:14/1_0", "nwparser.p0", "has been initiated %{p0}"); - - var part792 = match("MESSAGE#460:00027:14/1_1", "nwparser.p0", "aborted %{p0}"); - - var select183 = linear_select([ - part791, - part792, - ]); - - var part793 = match("MESSAGE#460:00027:14/2", "nwparser.p0", ".%{space}(%{fld1})"); - - var all160 = all_match({ - processors: [ - part790, - select183, - part793, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg463 = msg("00027:14", all160); - - var part794 = match("MESSAGE#461:00027:15", "nwparser.payload", "Waiting for 2nd confirmation. 
(%{fld1})", processor_chain([ - dup44, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg464 = msg("00027:15", part794); - - var part795 = match("MESSAGE#1220:00027:16", "nwparser.payload", "Admin %{fld3->} policy id %{policy_id->} name \"%{fld2->} has been re-enabled by NetScreen system after being locked due to excessive failed login attempts (%{fld1})", processor_chain([ - dup44, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg465 = msg("00027:16", part795); - - var part796 = match("MESSAGE#1225:00027:17", "nwparser.payload", "Admin %{username->} is locked and will be unlocked after %{duration->} minutes (%{fld1})", processor_chain([ - dup44, - dup2, - dup4, - dup5, - dup9, - ])); - - var msg466 = msg("00027:17", part796); - - var part797 = match("MESSAGE#1226:00027:18", "nwparser.payload", "Login attempt by admin %{username->} from %{saddr->} is refused as this account is locked (%{fld1})", processor_chain([ - dup44, - dup2, - dup4, - dup5, - dup9, - ])); - - var msg467 = msg("00027:18", part797); - - var part798 = match("MESSAGE#1227:00027:19", "nwparser.payload", "Admin %{username->} has been re-enabled by NetScreen system after being locked due to excessive failed login attempts (%{fld1})", processor_chain([ - dup44, - dup2, - dup4, - dup5, - dup9, - ])); - - var msg468 = msg("00027:19", part798); - - var select184 = linear_select([ - msg449, - msg450, - msg451, - msg452, - msg453, - msg454, - msg455, - msg456, - msg457, - msg458, - msg459, - msg460, - msg461, - msg462, - msg463, - msg464, - msg465, - msg466, - msg467, - msg468, - ]); - - var part799 = match("MESSAGE#462:00028/0_0", "nwparser.payload", "An Intruder%{p0}"); - - var part800 = match("MESSAGE#462:00028/0_1", "nwparser.payload", "Intruder%{p0}"); - - var part801 = match("MESSAGE#462:00028/0_2", "nwparser.payload", "An intruter%{p0}"); - - var select185 = linear_select([ - part799, - part800, - part801, - ]); - - var part802 = match("MESSAGE#462:00028/1", "nwparser.p0", "%{}has 
attempted to connect to the NetScreen-Global PRO port! From %{saddr}:%{sport->} to %{daddr}:%{dport->} using protocol %{protocol->} at interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times"); - - var all161 = all_match({ - processors: [ - select185, - part802, - ], - on_success: processor_chain([ - dup58, - dup2, - dup59, - dup3, - dup4, - dup5, - dup61, - setc("signame","Attempt to Connect to the NetScreen-Global Port"), - ]), - }); - - var msg469 = msg("00028", all161); - - var part803 = match("MESSAGE#463:00029", "nwparser.payload", "DNS has been refreshed%{}", processor_chain([ - dup209, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg470 = msg("00029", part803); - - var part804 = match("MESSAGE#464:00029:01", "nwparser.payload", "DHCP file write: out of memory.%{}", processor_chain([ - dup184, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg471 = msg("00029:01", part804); - - var part805 = match("MESSAGE#465:00029:02/0", "nwparser.payload", "The DHCP process cannot open file %{fld2->} to %{p0}"); - - var part806 = match("MESSAGE#465:00029:02/1_0", "nwparser.p0", "read %{p0}"); - - var part807 = match("MESSAGE#465:00029:02/1_1", "nwparser.p0", "write %{p0}"); - - var select186 = linear_select([ - part806, - part807, - ]); - - var part808 = match("MESSAGE#465:00029:02/2", "nwparser.p0", "data.%{}"); - - var all162 = all_match({ - processors: [ - part805, - select186, - part808, - ], - on_success: processor_chain([ - dup117, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg472 = msg("00029:02", all162); - - var part809 = match("MESSAGE#466:00029:03/2", "nwparser.p0", "%{} %{interface->} is full. 
Unable to %{p0}"); - - var part810 = match("MESSAGE#466:00029:03/3_0", "nwparser.p0", "commit %{p0}"); - - var part811 = match("MESSAGE#466:00029:03/3_1", "nwparser.p0", "offer %{p0}"); - - var select187 = linear_select([ - part810, - part811, - ]); - - var part812 = match("MESSAGE#466:00029:03/4", "nwparser.p0", "IP address to client at %{fld2}"); - - var all163 = all_match({ - processors: [ - dup210, - dup337, - part809, - select187, - part812, - ], - on_success: processor_chain([ - dup117, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg473 = msg("00029:03", all163); - - var part813 = match("MESSAGE#467:00029:04", "nwparser.payload", "DHCP server set to OFF on %{interface->} (another server found on %{hostip}).", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg474 = msg("00029:04", part813); - - var select188 = linear_select([ - msg470, - msg471, - msg472, - msg473, - msg474, - ]); - - var part814 = match("MESSAGE#468:00030", "nwparser.payload", "CA configuration is invalid%{}", processor_chain([ - dup18, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg475 = msg("00030", part814); - - var part815 = match("MESSAGE#469:00030:01/0", "nwparser.payload", "DSS checking of CRLs has been changed from %{p0}"); - - var part816 = match("MESSAGE#469:00030:01/1_0", "nwparser.p0", "0 to 1%{}"); - - var part817 = match("MESSAGE#469:00030:01/1_1", "nwparser.p0", "1 to 0%{}"); - - var select189 = linear_select([ - part816, - part817, - ]); - - var all164 = all_match({ - processors: [ - part815, - select189, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg476 = msg("00030:01", all164); - - var part818 = match("MESSAGE#470:00030:05", "nwparser.payload", "For the X509 certificate %{change_attribute->} has been changed from %{change_old->} to %{change_new}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg477 = msg("00030:05", part818); - - var part819 = 
match("MESSAGE#471:00030:06", "nwparser.payload", "In the X509 certificate request the %{fld2->} field has been changed from %{fld3}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg478 = msg("00030:06", part819); - - var part820 = match("MESSAGE#472:00030:07", "nwparser.payload", "RA X509 certificate cannot be loaded%{}", processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg479 = msg("00030:07", part820); - - var part821 = match("MESSAGE#473:00030:10", "nwparser.payload", "Self-signed X509 certificate cannot be generated%{}", processor_chain([ - dup86, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg480 = msg("00030:10", part821); - - var part822 = match("MESSAGE#474:00030:12", "nwparser.payload", "The public key for ScreenOS image has successfully been updated%{}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg481 = msg("00030:12", part822); - - var part823 = match("MESSAGE#475:00030:13/0", "nwparser.payload", "The public key used for ScreenOS image authentication cannot be %{p0}"); - - var part824 = match("MESSAGE#475:00030:13/1_0", "nwparser.p0", "decoded%{}"); - - var part825 = match("MESSAGE#475:00030:13/1_1", "nwparser.p0", "loaded%{}"); - - var select190 = linear_select([ - part824, - part825, - ]); - - var all165 = all_match({ - processors: [ - part823, - select190, - ], - on_success: processor_chain([ - dup35, - dup31, - dup39, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg482 = msg("00030:13", all165); - - var part826 = match("MESSAGE#476:00030:14/1_0", "nwparser.p0", "CA IDENT %{p0}"); - - var part827 = match("MESSAGE#476:00030:14/1_1", "nwparser.p0", "Challenge password %{p0}"); - - var part828 = match("MESSAGE#476:00030:14/1_2", "nwparser.p0", "CA CGI URL %{p0}"); - - var part829 = match("MESSAGE#476:00030:14/1_3", "nwparser.p0", "RA CGI URL %{p0}"); - - var select191 = linear_select([ - part826, - part827, - part828, - part829, - ]); - - var part830 = 
match("MESSAGE#476:00030:14/2", "nwparser.p0", "for SCEP %{p0}"); - - var part831 = match("MESSAGE#476:00030:14/3_0", "nwparser.p0", "requests %{p0}"); - - var select192 = linear_select([ - part831, - dup16, - ]); - - var part832 = match("MESSAGE#476:00030:14/4", "nwparser.p0", "has been changed from %{change_old->} to %{change_new}"); - - var all166 = all_match({ - processors: [ - dup55, - select191, - part830, - select192, - part832, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg483 = msg("00030:14", all166); - - var msg484 = msg("00030:02", dup375); - - var part833 = match("MESSAGE#478:00030:15", "nwparser.payload", "X509 certificate for ScreenOS image authentication is invalid%{}", processor_chain([ - dup35, - dup211, - dup31, - dup39, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg485 = msg("00030:15", part833); - - var part834 = match("MESSAGE#479:00030:16", "nwparser.payload", "X509 certificate has been deleted%{}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg486 = msg("00030:16", part834); - - var part835 = match("MESSAGE#480:00030:18", "nwparser.payload", "PKI CRL: no revoke info accept per config DN %{interface}.", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg487 = msg("00030:18", part835); - - var part836 = match("MESSAGE#481:00030:19/0", "nwparser.payload", "PKI: A configurable item %{change_attribute->} %{p0}"); - - var part837 = match("MESSAGE#481:00030:19/1_0", "nwparser.p0", "mode %{p0}"); - - var part838 = match("MESSAGE#481:00030:19/1_1", "nwparser.p0", "field%{p0}"); - - var select193 = linear_select([ - part837, - part838, - ]); - - var part839 = match("MESSAGE#481:00030:19/2", "nwparser.p0", "%{}has changed from %{change_old->} to %{change_new}"); - - var all167 = all_match({ - processors: [ - part836, - select193, - part839, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var 
msg488 = msg("00030:19", all167); - - var part840 = match("MESSAGE#482:00030:30", "nwparser.payload", "PKI: NSRP cold sync start for total of %{fld2->} items.", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg489 = msg("00030:30", part840); - - var part841 = match("MESSAGE#483:00030:31", "nwparser.payload", "PKI: NSRP sync received cold sync item %{fld2->} out of order expect %{fld3->} of %{fld4}.", processor_chain([ - dup86, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg490 = msg("00030:31", part841); - - var part842 = match("MESSAGE#484:00030:32", "nwparser.payload", "PKI: NSRP sync received cold sync item %{fld2->} without first item.", processor_chain([ - dup86, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg491 = msg("00030:32", part842); - - var part843 = match("MESSAGE#485:00030:33", "nwparser.payload", "PKI: NSRP sync received normal item during cold sync.%{}", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg492 = msg("00030:33", part843); - - var part844 = match("MESSAGE#486:00030:34", "nwparser.payload", "PKI: The CRL %{policy_id->} is deleted.", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg493 = msg("00030:34", part844); - - var part845 = match("MESSAGE#487:00030:35", "nwparser.payload", "PKI: The NSRP high availability synchronization %{fld2->} failed.", processor_chain([ - dup86, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg494 = msg("00030:35", part845); - - var part846 = match("MESSAGE#488:00030:36", "nwparser.payload", "PKI: The %{change_attribute->} has changed from %{change_old->} to %{change_new}.", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg495 = msg("00030:36", part846); - - var part847 = match("MESSAGE#489:00030:37", "nwparser.payload", "PKI: The X.509 certificate for the ScreenOS image authentication is invalid.%{}", processor_chain([ - dup35, - dup211, - dup31, - dup39, - dup2, - dup3, - dup4, - dup5, - ])); - 
- var msg496 = msg("00030:37", part847); - - var part848 = match("MESSAGE#490:00030:38", "nwparser.payload", "PKI: The X.509 local certificate cannot be sync to vsd member.%{}", processor_chain([ - dup35, - dup211, - dup31, - dup39, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg497 = msg("00030:38", part848); - - var part849 = match("MESSAGE#491:00030:39/0", "nwparser.payload", "PKI: The X.509 certificate %{p0}"); - - var part850 = match("MESSAGE#491:00030:39/1_0", "nwparser.p0", "revocation list %{p0}"); - - var select194 = linear_select([ - part850, - dup16, - ]); - - var part851 = match("MESSAGE#491:00030:39/2", "nwparser.p0", "cannot be loaded during NSRP synchronization.%{}"); - - var all168 = all_match({ - processors: [ - part849, - select194, - part851, - ], - on_success: processor_chain([ - dup35, - dup211, - dup31, - dup39, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg498 = msg("00030:39", all168); - - var part852 = match("MESSAGE#492:00030:17/0", "nwparser.payload", "X509 %{p0}"); - - var part853 = match("MESSAGE#492:00030:17/2", "nwparser.p0", "cannot be loaded%{}"); - - var all169 = all_match({ - processors: [ - part852, - dup376, - part853, - ], - on_success: processor_chain([ - dup35, - dup211, - dup31, - dup39, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg499 = msg("00030:17", all169); - - var part854 = match("MESSAGE#493:00030:40/0", "nwparser.payload", "PKI: The certificate %{fld2->} will expire %{p0}"); - - var part855 = match("MESSAGE#493:00030:40/1_1", "nwparser.p0", "please %{p0}"); - - var select195 = linear_select([ - dup214, - part855, - ]); - - var part856 = match("MESSAGE#493:00030:40/2", "nwparser.p0", "renew.%{}"); - - var all170 = all_match({ - processors: [ - part854, - select195, - part856, - ], - on_success: processor_chain([ - dup35, - dup211, - dup31, - dup39, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg500 = msg("00030:40", all170); - - var part857 = match("MESSAGE#494:00030:41", 
"nwparser.payload", "PKI: The certificate revocation list has expired issued by certificate authority %{fld2}.", processor_chain([ - dup35, - dup211, - dup31, - dup39, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg501 = msg("00030:41", part857); - - var part858 = match("MESSAGE#495:00030:42", "nwparser.payload", "PKI: The configuration content of certificate authority %{fld2->} is not valid.", processor_chain([ - dup35, - dup211, - dup31, - dup39, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg502 = msg("00030:42", part858); - - var part859 = match("MESSAGE#496:00030:43", "nwparser.payload", "PKI: The device cannot allocate this object id number %{fld2}.", processor_chain([ - dup35, - dup211, - dup31, - dup39, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg503 = msg("00030:43", part859); - - var part860 = match("MESSAGE#497:00030:44", "nwparser.payload", "PKI: The device cannot extract the X.509 certificate revocation list [ (CRL) ].%{}", processor_chain([ - dup35, - dup211, - dup31, - dup39, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg504 = msg("00030:44", part860); - - var part861 = match("MESSAGE#498:00030:45", "nwparser.payload", "PKI: The device cannot find the PKI object %{fld2->} during cold sync.", processor_chain([ - dup35, - dup211, - dup31, - dup39, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg505 = msg("00030:45", part861); - - var part862 = match("MESSAGE#499:00030:46", "nwparser.payload", "PKI: The device cannot load X.509 certificate onto the device certificate %{fld2}.", processor_chain([ - dup35, - dup211, - dup31, - dup39, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg506 = msg("00030:46", part862); - - var part863 = match("MESSAGE#500:00030:47", "nwparser.payload", "PKI: The device cannot load a certificate pending SCEP completion.%{}", processor_chain([ - dup35, - dup211, - dup31, - dup39, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg507 = msg("00030:47", part863); - - var part864 = match("MESSAGE#501:00030:48", 
"nwparser.payload", "PKI: The device cannot load an X.509 certificate revocation list (CRL).%{}", processor_chain([ - dup35, - dup211, - dup31, - dup39, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg508 = msg("00030:48", part864); - - var part865 = match("MESSAGE#502:00030:49", "nwparser.payload", "PKI: The device cannot load the CA certificate received through SCEP.%{}", processor_chain([ - dup35, - dup211, - dup31, - dup39, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg509 = msg("00030:49", part865); - - var part866 = match("MESSAGE#503:00030:50", "nwparser.payload", "PKI: The device cannot load the X.509 certificate revocation list (CRL) from the file.%{}", processor_chain([ - dup35, - dup211, - dup31, - dup39, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg510 = msg("00030:50", part866); - - var part867 = match("MESSAGE#504:00030:51", "nwparser.payload", "PKI: The device cannot load the X.509 local certificate received through SCEP.%{}", processor_chain([ - dup35, - dup211, - dup31, - dup39, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg511 = msg("00030:51", part867); - - var part868 = match("MESSAGE#505:00030:52", "nwparser.payload", "PKI: The device cannot load the X.509 %{product->} during boot.", processor_chain([ - dup35, - dup211, - dup31, - dup39, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg512 = msg("00030:52", part868); - - var part869 = match("MESSAGE#506:00030:53", "nwparser.payload", "PKI: The device cannot load the X.509 certificate file.%{}", processor_chain([ - dup35, - dup211, - dup31, - dup39, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg513 = msg("00030:53", part869); - - var part870 = match("MESSAGE#507:00030:54", "nwparser.payload", "PKI: The device completed the coldsync of the PKI object at %{fld2->} attempt.", processor_chain([ - dup44, - dup211, - dup31, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg514 = msg("00030:54", part870); - - var part871 = match("MESSAGE#508:00030:55/0", "nwparser.payload", "PKI: 
The device could not generate %{p0}"); - - var all171 = all_match({ - processors: [ - part871, - dup377, - dup217, - ], - on_success: processor_chain([ - dup35, - dup211, - dup31, - dup39, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg515 = msg("00030:55", all171); - - var part872 = match("MESSAGE#509:00030:56", "nwparser.payload", "PKI: The device detected an invalid RSA key.%{}", processor_chain([ - dup35, - dup211, - dup31, - dup39, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg516 = msg("00030:56", part872); - - var part873 = match("MESSAGE#510:00030:57", "nwparser.payload", "PKI: The device detected an invalid digital signature algorithm (DSA) key.%{}", processor_chain([ - dup35, - dup218, - dup31, - dup39, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg517 = msg("00030:57", part873); - - var part874 = match("MESSAGE#511:00030:58", "nwparser.payload", "PKI: The device failed to coldsync the PKI object at %{fld2->} attempt.", processor_chain([ - dup86, - dup218, - dup31, - dup54, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg518 = msg("00030:58", part874); - - var part875 = match("MESSAGE#512:00030:59", "nwparser.payload", "PKI: The device failed to decode the public key of the image%{quote}s signer certificate.", processor_chain([ - dup35, - dup218, - dup31, - dup54, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg519 = msg("00030:59", part875); - - var part876 = match("MESSAGE#513:00030:60", "nwparser.payload", "PKI: The device failed to install the RSA key.%{}", processor_chain([ - dup35, - dup218, - dup31, - dup54, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg520 = msg("00030:60", part876); - - var part877 = match("MESSAGE#514:00030:61", "nwparser.payload", "PKI: The device failed to retrieve the pending certificate %{fld2}.", processor_chain([ - dup35, - dup211, - dup31, - dup54, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg521 = msg("00030:61", part877); - - var part878 = match("MESSAGE#515:00030:62", "nwparser.payload", 
"PKI: The device failed to save the certificate authority related configuration.%{}", processor_chain([ - dup35, - dup211, - dup31, - dup54, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg522 = msg("00030:62", part878); - - var part879 = match("MESSAGE#516:00030:63", "nwparser.payload", "PKI: The device failed to store the authority configuration.%{}", processor_chain([ - dup18, - dup219, - dup51, - dup54, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg523 = msg("00030:63", part879); - - var part880 = match("MESSAGE#517:00030:64", "nwparser.payload", "PKI: The device failed to synchronize new DSA/RSA key pair to NSRP peer.%{}", processor_chain([ - dup18, - dup218, - dup51, - dup54, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg524 = msg("00030:64", part880); - - var part881 = match("MESSAGE#518:00030:65", "nwparser.payload", "PKI: The device failed to synchronize DSA/RSA key pair to NSRP peer.%{}", processor_chain([ - dup18, - dup218, - dup51, - dup54, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg525 = msg("00030:65", part881); - - var part882 = match("MESSAGE#519:00030:66", "nwparser.payload", "PKI: The device has detected an invalid X.509 object attribute %{fld2}.", processor_chain([ - dup35, - dup211, - dup31, - dup39, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg526 = msg("00030:66", part882); - - var part883 = match("MESSAGE#520:00030:67", "nwparser.payload", "PKI: The device has detected invalid X.509 object content.%{}", processor_chain([ - dup35, - dup211, - dup31, - dup39, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg527 = msg("00030:67", part883); - - var part884 = match("MESSAGE#521:00030:68", "nwparser.payload", "PKI: The device has failed to load an invalid X.509 object.%{}", processor_chain([ - dup35, - dup211, - dup31, - dup39, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg528 = msg("00030:68", part884); - - var part885 = match("MESSAGE#522:00030:69", "nwparser.payload", "PKI: The device is loading the version 0 PKI 
data.%{}", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg529 = msg("00030:69", part885); - - var part886 = match("MESSAGE#523:00030:70/0", "nwparser.payload", "PKI: The device successfully generated a new %{p0}"); - - var all172 = all_match({ - processors: [ - part886, - dup377, - dup217, - ], - on_success: processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg530 = msg("00030:70", all172); - - var part887 = match("MESSAGE#524:00030:71", "nwparser.payload", "PKI: The public key of image%{quote}s signer has been loaded successfully, for future image authentication.", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg531 = msg("00030:71", part887); - - var part888 = match("MESSAGE#525:00030:72", "nwparser.payload", "PKI: The signature of the image%{quote}s signer certificate cannot be verified.", processor_chain([ - dup35, - dup211, - dup31, - dup39, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg532 = msg("00030:72", part888); - - var part889 = match("MESSAGE#526:00030:73/0", "nwparser.payload", "PKI: The %{p0}"); - - var part890 = match("MESSAGE#526:00030:73/1_0", "nwparser.p0", "file name %{p0}"); - - var part891 = match("MESSAGE#526:00030:73/1_1", "nwparser.p0", "friendly name of a certificate %{p0}"); - - var part892 = match("MESSAGE#526:00030:73/1_2", "nwparser.p0", "vsys name %{p0}"); - - var select196 = linear_select([ - part890, - part891, - part892, - ]); - - var part893 = match("MESSAGE#526:00030:73/2", "nwparser.p0", "is too long %{fld2->} to do NSRP synchronization allowed %{fld3}."); - - var all173 = all_match({ - processors: [ - part889, - select196, - part893, - ], - on_success: processor_chain([ - dup35, - dup211, - dup31, - dup39, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg533 = msg("00030:73", all173); - - var part894 = match("MESSAGE#527:00030:74", "nwparser.payload", "PKI: Upgrade from earlier version save to file.%{}", processor_chain([ - dup44, 
- dup2, - dup3, - dup4, - dup5, - ])); - - var msg534 = msg("00030:74", part894); - - var part895 = match("MESSAGE#528:00030:75", "nwparser.payload", "PKI: X.509 certificate has been deleted distinguished name %{username}.", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg535 = msg("00030:75", part895); - - var part896 = match("MESSAGE#529:00030:76/0", "nwparser.payload", "PKI: X.509 %{p0}"); - - var part897 = match("MESSAGE#529:00030:76/2", "nwparser.p0", "file has been loaded successfully filename %{fld2}."); - - var all174 = all_match({ - processors: [ - part896, - dup376, - part897, - ], - on_success: processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg536 = msg("00030:76", all174); - - var part898 = match("MESSAGE#530:00030:77", "nwparser.payload", "PKI: failed to install DSA key.%{}", processor_chain([ - dup18, - dup218, - dup51, - dup54, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg537 = msg("00030:77", part898); - - var part899 = match("MESSAGE#531:00030:78", "nwparser.payload", "PKI: no FQDN available when requesting certificate.%{}", processor_chain([ - dup35, - dup211, - dup220, - dup31, - dup39, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg538 = msg("00030:78", part899); - - var part900 = match("MESSAGE#532:00030:79", "nwparser.payload", "PKI: no cert revocation check per config DN %{username}.", processor_chain([ - dup35, - dup211, - dup220, - dup31, - dup39, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg539 = msg("00030:79", part900); - - var part901 = match("MESSAGE#533:00030:80", "nwparser.payload", "PKI: no nsrp sync for pre 2.5 objects.%{}", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg540 = msg("00030:80", part901); - - var part902 = match("MESSAGE#534:00030:81", "nwparser.payload", "X509 certificate with subject name %{fld2->} is deleted.", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg541 = msg("00030:81", 
part902); - - var part903 = match("MESSAGE#535:00030:82", "nwparser.payload", "create new authcfg for CA %{fld2}", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg542 = msg("00030:82", part903); - - var part904 = match("MESSAGE#536:00030:83", "nwparser.payload", "loadCert: Cannot acquire authcfg for this CA cert %{fld2}.", processor_chain([ - dup35, - dup211, - dup31, - dup39, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg543 = msg("00030:83", part904); - - var part905 = match("MESSAGE#537:00030:84", "nwparser.payload", "upgrade to 4.0 copy authcfg from global.%{}", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg544 = msg("00030:84", part905); - - var part906 = match("MESSAGE#538:00030:85", "nwparser.payload", "System CPU utilization is high (%{fld2->} alarm threshold: %{trigger_val}) %{info}", processor_chain([ - setc("eventcategory","1603080000"), - dup2, - dup3, - dup4, - dup5, - ])); - - var msg545 = msg("00030:85", part906); - - var part907 = match("MESSAGE#539:00030:86/2", "nwparser.p0", "Pair-wise invoked by started after key generation. (%{fld1})"); - - var all175 = all_match({ - processors: [ - dup221, - dup378, - part907, - ], - on_success: processor_chain([ - dup223, - dup2, - dup4, - dup5, - dup9, - ]), - }); - - var msg546 = msg("00030:86", all175); - - var part908 = match("MESSAGE#1214:00030:87", "nwparser.payload", "SYSTEM CPU utilization is high (%{fld2->} > %{fld3->} ) %{fld4->} times in %{fld5->} minute (%{fld1})\u003c\u003c%{fld6}>", processor_chain([ - dup209, - dup2, - dup3, - dup4, - dup5, - dup9, - ])); - - var msg547 = msg("00030:87", part908); - - var part909 = match("MESSAGE#1217:00030:88/2", "nwparser.p0", "Pair-wise invoked by passed. 
(%{fld1})\u003c\u003c%{fld6}>"); - - var all176 = all_match({ - processors: [ - dup221, - dup378, - part909, - ], - on_success: processor_chain([ - dup223, - dup2, - dup4, - dup5, - dup9, - ]), - }); - - var msg548 = msg("00030:88", all176); - - var select197 = linear_select([ - msg475, - msg476, - msg477, - msg478, - msg479, - msg480, - msg481, - msg482, - msg483, - msg484, - msg485, - msg486, - msg487, - msg488, - msg489, - msg490, - msg491, - msg492, - msg493, - msg494, - msg495, - msg496, - msg497, - msg498, - msg499, - msg500, - msg501, - msg502, - msg503, - msg504, - msg505, - msg506, - msg507, - msg508, - msg509, - msg510, - msg511, - msg512, - msg513, - msg514, - msg515, - msg516, - msg517, - msg518, - msg519, - msg520, - msg521, - msg522, - msg523, - msg524, - msg525, - msg526, - msg527, - msg528, - msg529, - msg530, - msg531, - msg532, - msg533, - msg534, - msg535, - msg536, - msg537, - msg538, - msg539, - msg540, - msg541, - msg542, - msg543, - msg544, - msg545, - msg546, - msg547, - msg548, - ]); - - var part910 = match("MESSAGE#540:00031:13", "nwparser.payload", "ARP detected IP conflict: IP address %{hostip->} changed from %{sinterface->} to interface %{dinterface->} (%{fld1})", processor_chain([ - dup121, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg549 = msg("00031:13", part910); - - var part911 = match("MESSAGE#541:00031", "nwparser.payload", "SNMP AuthenTraps have been %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg550 = msg("00031", part911); - - var part912 = match("MESSAGE#542:00031:01", "nwparser.payload", "SNMP VPN has been %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg551 = msg("00031:01", part912); - - var part913 = match("MESSAGE#543:00031:02/0", "nwparser.payload", "SNMP community %{fld2->} attributes-write access %{p0}"); - - var part914 = match("MESSAGE#543:00031:02/2", "nwparser.p0", "; receive traps %{p0}"); - - var part915 = 
match("MESSAGE#543:00031:02/4", "nwparser.p0", "; receive traffic alarms %{p0}"); - - var part916 = match("MESSAGE#543:00031:02/6", "nwparser.p0", "-have been modified%{}"); - - var all177 = all_match({ - processors: [ - part913, - dup379, - part914, - dup379, - part915, - dup379, - part916, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg552 = msg("00031:02", all177); - - var part917 = match("MESSAGE#544:00031:03/0", "nwparser.payload", "%{fld2->} SNMP host %{hostip->} has been %{p0}"); - - var select198 = linear_select([ - dup130, - dup129, - ]); - - var part918 = match("MESSAGE#544:00031:03/2", "nwparser.p0", "SNMP community %{fld3}"); - - var all178 = all_match({ - processors: [ - part917, - select198, - part918, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg553 = msg("00031:03", all178); - - var part919 = match("MESSAGE#545:00031:04/0", "nwparser.payload", "SNMP %{p0}"); - - var part920 = match("MESSAGE#545:00031:04/1_0", "nwparser.p0", "contact %{p0}"); - - var select199 = linear_select([ - part920, - dup226, - ]); - - var part921 = match("MESSAGE#545:00031:04/2", "nwparser.p0", "description has been modified%{}"); - - var all179 = all_match({ - processors: [ - part919, - select199, - part921, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg554 = msg("00031:04", all179); - - var part922 = match("MESSAGE#546:00031:11/0", "nwparser.payload", "SNMP system %{p0}"); - - var select200 = linear_select([ - dup226, - dup25, - ]); - - var part923 = match("MESSAGE#546:00031:11/2", "nwparser.p0", "has been changed to %{fld2}. 
(%{fld1})"); - - var all180 = all_match({ - processors: [ - part922, - select200, - part923, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg555 = msg("00031:11", all180); - - var part924 = match("MESSAGE#547:00031:08/0", "nwparser.payload", "%{fld2}: SNMP community name \"%{fld3}\" %{p0}"); - - var part925 = match("MESSAGE#547:00031:08/1_0", "nwparser.p0", "attributes -- %{p0}"); - - var part926 = match("MESSAGE#547:00031:08/1_1", "nwparser.p0", "-- %{p0}"); - - var select201 = linear_select([ - part925, - part926, - ]); - - var part927 = match("MESSAGE#547:00031:08/2", "nwparser.p0", "write access, %{p0}"); - - var part928 = match("MESSAGE#547:00031:08/4", "nwparser.p0", "; receive traps, %{p0}"); - - var part929 = match("MESSAGE#547:00031:08/6", "nwparser.p0", "; receive traffic alarms, %{p0}"); - - var part930 = match("MESSAGE#547:00031:08/8", "nwparser.p0", "-%{p0}"); - - var part931 = match("MESSAGE#547:00031:08/9_0", "nwparser.p0", "- %{p0}"); - - var select202 = linear_select([ - part931, - dup96, - ]); - - var part932 = match("MESSAGE#547:00031:08/10", "nwparser.p0", "have been modified%{}"); - - var all181 = all_match({ - processors: [ - part924, - select201, - part927, - dup379, - part928, - dup379, - part929, - dup379, - part930, - select202, - part932, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg556 = msg("00031:08", all181); - - var part933 = match("MESSAGE#548:00031:05/0", "nwparser.payload", "Detect IP conflict (%{fld2}) on %{p0}"); - - var all182 = all_match({ - processors: [ - part933, - dup337, - dup227, - ], - on_success: processor_chain([ - dup121, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg557 = msg("00031:05", all182); - - var part934 = match("MESSAGE#549:00031:06/1_0", "nwparser.p0", "q, %{p0}"); - - var select203 = linear_select([ - part934, - dup229, - dup230, - ]); - - var part935 = 
match("MESSAGE#549:00031:06/2", "nwparser.p0", "detect IP conflict ( %{hostip->} )%{p0}"); - - var select204 = linear_select([ - dup105, - dup96, - ]); - - var part936 = match("MESSAGE#549:00031:06/4", "nwparser.p0", "mac%{p0}"); - - var part937 = match("MESSAGE#549:00031:06/6", "nwparser.p0", "%{macaddr->} on %{p0}"); - - var all183 = all_match({ - processors: [ - dup228, - select203, - part935, - select204, - part936, - dup356, - part937, - dup352, - dup23, - dup380, - ], - on_success: processor_chain([ - dup121, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg558 = msg("00031:06", all183); - - var part938 = match("MESSAGE#550:00031:07/2", "nwparser.p0", "detects a duplicate virtual security device group master IP address %{hostip}, MAC address %{macaddr->} on %{p0}"); - - var all184 = all_match({ - processors: [ - dup228, - dup381, - part938, - dup337, - dup227, - ], - on_success: processor_chain([ - dup121, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg559 = msg("00031:07", all184); - - var part939 = match("MESSAGE#551:00031:09/2", "nwparser.p0", "detected an IP conflict (IP %{hostip}, MAC %{macaddr}) on interface %{p0}"); - - var all185 = all_match({ - processors: [ - dup228, - dup381, - part939, - dup380, - ], - on_success: processor_chain([ - dup121, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg560 = msg("00031:09", all185); - - var part940 = match("MESSAGE#552:00031:10", "nwparser.payload", "%{fld2}: SNMP community \"%{fld3}\" has been moved. (%{fld1})", processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg561 = msg("00031:10", part940); - - var part941 = match("MESSAGE#553:00031:12", "nwparser.payload", "%{fld2->} system contact has been changed to %{fld3}. 
(%{fld1})", processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg562 = msg("00031:12", part941); - - var select205 = linear_select([ - msg549, - msg550, - msg551, - msg552, - msg553, - msg554, - msg555, - msg556, - msg557, - msg558, - msg559, - msg560, - msg561, - msg562, - ]); - - var part942 = match("MESSAGE#554:00032", "nwparser.payload", "%{signame->} has been detected and blocked! From %{saddr}:%{sport->} to %{daddr}:%{dport->} using protocol %{protocol->} on interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([ - dup232, - dup2, - dup3, - dup59, - dup4, - dup5, - dup61, - ])); - - var msg563 = msg("00032", part942); - - var part943 = match("MESSAGE#555:00032:01", "nwparser.payload", "%{signame->} has been detected and blocked! From %{saddr}:%{sport->} to %{daddr}:%{dport->} using protocol %{protocol->} on interface %{interface}", processor_chain([ - dup232, - dup2, - dup3, - dup4, - dup5, - dup61, - ])); - - var msg564 = msg("00032:01", part943); - - var part944 = match("MESSAGE#556:00032:03/0", "nwparser.payload", "Vsys %{fld2->} has been %{p0}"); - - var part945 = match("MESSAGE#556:00032:03/1_0", "nwparser.p0", "changed to %{fld3}"); - - var part946 = match("MESSAGE#556:00032:03/1_1", "nwparser.p0", "created%{}"); - - var part947 = match("MESSAGE#556:00032:03/1_2", "nwparser.p0", "deleted%{}"); - - var part948 = match("MESSAGE#556:00032:03/1_3", "nwparser.p0", "removed%{}"); - - var select206 = linear_select([ - part945, - part946, - part947, - part948, - ]); - - var all186 = all_match({ - processors: [ - part944, - select206, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg565 = msg("00032:03", all186); - - var part949 = match("MESSAGE#557:00032:04", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to %{daddr}:%{dport->} using protocol %{protocol->} on interface %{interface}.%{space}The attack occurred 
%{dclass_counter1->} times", processor_chain([ - dup232, - dup2, - dup3, - dup4, - dup59, - dup5, - dup61, - ])); - - var msg566 = msg("00032:04", part949); - - var part950 = match("MESSAGE#558:00032:05", "nwparser.payload", "%{change_attribute->} for vsys %{fld2->} has been changed from %{change_old->} to %{change_new}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg567 = msg("00032:05", part950); - - var msg568 = msg("00032:02", dup375); - - var select207 = linear_select([ - msg563, - msg564, - msg565, - msg566, - msg567, - msg568, - ]); - - var part951 = match("MESSAGE#560:00033:25", "nwparser.payload", "NSM has been %{disposition}. (%{fld1})", processor_chain([ - dup44, - dup2, - dup3, - dup9, - dup4, - dup5, - setc("agent","NSM"), - ])); - - var msg569 = msg("00033:25", part951); - - var part952 = match("MESSAGE#561:00033/1", "nwparser.p0", "timeout value has been %{p0}"); - - var part953 = match("MESSAGE#561:00033/2_1", "nwparser.p0", "returned%{p0}"); - - var select208 = linear_select([ - dup52, - part953, - ]); - - var part954 = match("MESSAGE#561:00033/3", "nwparser.p0", "%{}to %{fld2}"); - - var all187 = all_match({ - processors: [ - dup382, - part952, - select208, - part954, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg570 = msg("00033", all187); - - var part955 = match("MESSAGE#562:00033:03/1_0", "nwparser.p0", "Global PRO %{p0}"); - - var part956 = match("MESSAGE#562:00033:03/1_1", "nwparser.p0", "%{fld3->} %{p0}"); - - var select209 = linear_select([ - part955, - part956, - ]); - - var part957 = match("MESSAGE#562:00033:03/4", "nwparser.p0", "host has been set to %{fld4}"); - - var all188 = all_match({ - processors: [ - dup160, - select209, - dup23, - dup369, - part957, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg571 = msg("00033:03", all188); - - var part958 = match("MESSAGE#563:00033:02/3", "nwparser.p0", "host 
has been %{disposition}"); - - var all189 = all_match({ - processors: [ - dup382, - dup23, - dup369, - part958, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg572 = msg("00033:02", all189); - - var part959 = match("MESSAGE#564:00033:04", "nwparser.payload", "Reporting of %{fld2->} to %{fld3->} has been %{disposition}.", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg573 = msg("00033:04", part959); - - var part960 = match("MESSAGE#565:00033:05", "nwparser.payload", "Global PRO has been %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg574 = msg("00033:05", part960); - - var part961 = match("MESSAGE#566:00033:06", "nwparser.payload", "%{signame}! From %{saddr}:%{sport->} to %{daddr}:%{dport->} using protocol %{protocol->} and arriving at interface %{interface}. The attack occurred %{dclass_counter1->} times", processor_chain([ - dup27, - dup2, - dup3, - dup59, - dup4, - dup5, - dup61, - ])); - - var msg575 = msg("00033:06", part961); - - var part962 = match("MESSAGE#567:00033:01", "nwparser.payload", "%{signame}! From %{saddr}:%{sport->} to %{daddr}:%{dport->} using protocol %{protocol->} and arriving at interface %{interface}. 
The threshold was exceeded %{dclass_counter1->} times", processor_chain([ - dup27, - dup2, - dup3, - setc("dclass_counter1_string","Number of times the threshold was exceeded"), - dup4, - dup5, - dup61, - ])); - - var msg576 = msg("00033:01", part962); - - var part963 = match("MESSAGE#568:00033:07", "nwparser.payload", "User-defined service %{service->} has been %{disposition->} from %{fld2->} distribution", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg577 = msg("00033:07", part963); - - var part964 = match("MESSAGE#569:00033:08/2", "nwparser.p0", "?s CA certificate field has not been specified.%{}"); - - var all190 = all_match({ - processors: [ - dup235, - dup383, - part964, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg578 = msg("00033:08", all190); - - var part965 = match("MESSAGE#570:00033:09/2", "nwparser.p0", "?s Cert-Subject field has not been specified.%{}"); - - var all191 = all_match({ - processors: [ - dup235, - dup383, - part965, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg579 = msg("00033:09", all191); - - var part966 = match("MESSAGE#571:00033:10/2", "nwparser.p0", "?s host field has been %{p0}"); - - var part967 = match("MESSAGE#571:00033:10/3_0", "nwparser.p0", "set to %{fld2->} %{p0}"); - - var select210 = linear_select([ - part967, - dup238, - ]); - - var all192 = all_match({ - processors: [ - dup235, - dup383, - part966, - select210, - dup116, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg580 = msg("00033:10", all192); - - var part968 = match("MESSAGE#572:00033:11/2", "nwparser.p0", "?s outgoing interface used to report NACN to Policy Manager %{p0}"); - - var part969 = match("MESSAGE#572:00033:11/4", "nwparser.p0", "has not been specified.%{}"); - - var all193 = all_match({ - processors: [ - dup235, - dup383, - part968, - dup383, - part969, - ], - 
on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg581 = msg("00033:11", all193); - - var part970 = match("MESSAGE#573:00033:12/2", "nwparser.p0", "?s password field has been %{p0}"); - - var select211 = linear_select([ - dup101, - dup238, - ]); - - var all194 = all_match({ - processors: [ - dup235, - dup383, - part970, - select211, - dup116, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg582 = msg("00033:12", all194); - - var part971 = match("MESSAGE#574:00033:13/2", "nwparser.p0", "?s policy-domain field has been %{p0}"); - - var part972 = match("MESSAGE#574:00033:13/3_0", "nwparser.p0", "unset .%{}"); - - var part973 = match("MESSAGE#574:00033:13/3_1", "nwparser.p0", "set to %{domain}."); - - var select212 = linear_select([ - part972, - part973, - ]); - - var all195 = all_match({ - processors: [ - dup235, - dup383, - part971, - select212, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg583 = msg("00033:13", all195); - - var part974 = match("MESSAGE#575:00033:14/2", "nwparser.p0", "?s CA certificate field has been set to %{fld2}."); - - var all196 = all_match({ - processors: [ - dup235, - dup383, - part974, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg584 = msg("00033:14", all196); - - var part975 = match("MESSAGE#576:00033:15/2", "nwparser.p0", "?s Cert-Subject field has been set to %{fld2}."); - - var all197 = all_match({ - processors: [ - dup235, - dup383, - part975, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg585 = msg("00033:15", all197); - - var part976 = match("MESSAGE#577:00033:16/2", "nwparser.p0", "?s outgoing-interface field has been set to %{interface}."); - - var all198 = all_match({ - processors: [ - dup235, - dup383, - part976, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, 
- dup5, - ]), - }); - - var msg586 = msg("00033:16", all198); - - var part977 = match("MESSAGE#578:00033:17/2", "nwparser.p0", "?s port field has been %{p0}"); - - var part978 = match("MESSAGE#578:00033:17/3_0", "nwparser.p0", "set to %{network_port->} %{p0}"); - - var part979 = match("MESSAGE#578:00033:17/3_1", "nwparser.p0", "reset to the default value %{p0}"); - - var select213 = linear_select([ - part978, - part979, - ]); - - var all199 = all_match({ - processors: [ - dup235, - dup383, - part977, - select213, - dup116, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg587 = msg("00033:17", all199); - - var part980 = match("MESSAGE#579:00033:19/0", "nwparser.payload", "%{signame}! From %{saddr}:%{sport->} to %{daddr}:%{p0}"); - - var part981 = match("MESSAGE#579:00033:19/4", "nwparser.p0", "%{fld99}arriving at interface %{dinterface->} in zone %{dst_zone}.%{space}The attack occurred %{dclass_counter1->} time."); - - var all200 = all_match({ - processors: [ - part980, - dup339, - dup70, - dup340, - part981, - ], - on_success: processor_chain([ - dup27, - dup2, - dup4, - dup5, - dup3, - dup59, - dup61, - ]), - }); - - var msg588 = msg("00033:19", all200); - - var part982 = match("MESSAGE#580:00033:20", "nwparser.payload", "%{signame}! From %{saddr->} to %{daddr}, using protocol %{protocol}, and arriving at interface %{dinterface->} in zone %{dst_zone}.%{space}The attack occurred %{dclass_counter1->} time.", processor_chain([ - dup27, - dup2, - dup4, - dup5, - dup3, - dup59, - dup60, - ])); - - var msg589 = msg("00033:20", part982); - - var all201 = all_match({ - processors: [ - dup239, - dup343, - dup83, - ], - on_success: processor_chain([ - dup27, - dup2, - dup9, - dup59, - dup3, - dup4, - dup5, - dup61, - ]), - }); - - var msg590 = msg("00033:21", all201); - - var part983 = match("MESSAGE#582:00033:22/0", "nwparser.payload", "%{signame}! 
From %{saddr->} to %{daddr}, proto %{protocol->} (zone %{zone->} %{p0}"); - - var all202 = all_match({ - processors: [ - part983, - dup343, - dup83, - ], - on_success: processor_chain([ - dup27, - dup2, - dup9, - dup59, - dup3, - dup4, - dup5, - dup60, - ]), - }); - - var msg591 = msg("00033:22", all202); - - var part984 = match("MESSAGE#583:00033:23", "nwparser.payload", "NSM primary server with name %{hostname->} was set: addr %{hostip}, port %{network_port}. (%{fld1})", processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg592 = msg("00033:23", part984); - - var part985 = match("MESSAGE#584:00033:24", "nwparser.payload", "session threshold From %{saddr}:%{sport->} to %{daddr}:%{dport}, using protocol %{protocol}, on zone %{zone->} interface %{interface}.%{info}. (%{fld1})", processor_chain([ - setc("eventcategory","1001030500"), - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg593 = msg("00033:24", part985); - - var select214 = linear_select([ - msg569, - msg570, - msg571, - msg572, - msg573, - msg574, - msg575, - msg576, - msg577, - msg578, - msg579, - msg580, - msg581, - msg582, - msg583, - msg584, - msg585, - msg586, - msg587, - msg588, - msg589, - msg590, - msg591, - msg592, - msg593, - ]); - - var part986 = match("MESSAGE#585:00034/0_0", "nwparser.payload", "SCS: Failed %{p0}"); - - var part987 = match("MESSAGE#585:00034/0_1", "nwparser.payload", "Failed %{p0}"); - - var select215 = linear_select([ - part986, - part987, - ]); - - var part988 = match("MESSAGE#585:00034/2_0", "nwparser.p0", "bind %{p0}"); - - var part989 = match("MESSAGE#585:00034/2_2", "nwparser.p0", "retrieve %{p0}"); - - var select216 = linear_select([ - part988, - dup201, - part989, - ]); - - var select217 = linear_select([ - dup196, - dup103, - dup163, - ]); - - var part990 = match("MESSAGE#585:00034/5", "nwparser.p0", "SSH user %{username}. 
(Key ID=%{fld2})"); - - var all203 = all_match({ - processors: [ - select215, - dup103, - select216, - dup202, - select217, - part990, - ], - on_success: processor_chain([ - dup240, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg594 = msg("00034", all203); - - var part991 = match("MESSAGE#586:00034:01/0_0", "nwparser.payload", "SCS: Incompatible %{p0}"); - - var part992 = match("MESSAGE#586:00034:01/0_1", "nwparser.payload", "Incompatible %{p0}"); - - var select218 = linear_select([ - part991, - part992, - ]); - - var part993 = match("MESSAGE#586:00034:01/1", "nwparser.p0", "SSH version %{version->} has been received from %{p0}"); - - var part994 = match("MESSAGE#586:00034:01/2_0", "nwparser.p0", "the SSH %{p0}"); - - var select219 = linear_select([ - part994, - dup241, - ]); - - var part995 = match("MESSAGE#586:00034:01/3", "nwparser.p0", "client at %{saddr}:%{sport}"); - - var all204 = all_match({ - processors: [ - select218, - part993, - select219, - part995, - ], - on_success: processor_chain([ - dup240, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg595 = msg("00034:01", all204); - - var part996 = match("MESSAGE#587:00034:02", "nwparser.payload", "Maximum number of SCS sessions %{fld2->} has been reached. Connection request from SSH user %{username->} at %{saddr}:%{sport->} has been %{disposition}", processor_chain([ - dup240, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg596 = msg("00034:02", part996); - - var part997 = match("MESSAGE#588:00034:03/1", "nwparser.p0", "device failed to authenticate the SSH client at %{saddr}:%{sport}"); - - var all205 = all_match({ - processors: [ - dup384, - part997, - ], - on_success: processor_chain([ - dup240, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg597 = msg("00034:03", all205); - - var part998 = match("MESSAGE#589:00034:04", "nwparser.payload", "SCS: NetScreen device failed to generate a PKA RSA challenge for SSH user %{username->} at %{saddr}:%{sport}. 
(Key ID=%{fld2})", processor_chain([ - dup240, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg598 = msg("00034:04", part998); - - var part999 = match("MESSAGE#590:00034:05", "nwparser.payload", "NetScreen device failed to generate a PKA RSA challenge for SSH user %{username}. (Key ID=%{fld2})", processor_chain([ - dup240, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg599 = msg("00034:05", part999); - - var part1000 = match("MESSAGE#591:00034:06/1", "nwparser.p0", "device failed to %{p0}"); - - var part1001 = match("MESSAGE#591:00034:06/2_0", "nwparser.p0", "identify itself %{p0}"); - - var part1002 = match("MESSAGE#591:00034:06/2_1", "nwparser.p0", "send the identification string %{p0}"); - - var select220 = linear_select([ - part1001, - part1002, - ]); - - var part1003 = match("MESSAGE#591:00034:06/3", "nwparser.p0", "to the SSH client at %{saddr}:%{sport}"); - - var all206 = all_match({ - processors: [ - dup384, - part1000, - select220, - part1003, - ], - on_success: processor_chain([ - dup240, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg600 = msg("00034:06", all206); - - var part1004 = match("MESSAGE#592:00034:07", "nwparser.payload", "SCS connection has been terminated for admin user %{username->} at %{saddr}:%{sport}", processor_chain([ - dup240, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg601 = msg("00034:07", part1004); - - var part1005 = match("MESSAGE#593:00034:08", "nwparser.payload", "SCS: SCS has been %{disposition->} for %{username->} with %{fld2->} existing PKA keys already bound to %{fld3->} SSH users.", processor_chain([ - dup240, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg602 = msg("00034:08", part1005); - - var part1006 = match("MESSAGE#594:00034:09", "nwparser.payload", "SCS has been %{disposition->} for %{username->} with %{fld2->} PKA keys already bound to %{fld3->} SSH users", processor_chain([ - dup240, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg603 = msg("00034:09", part1006); - - var part1007 = 
match("MESSAGE#595:00034:10/2", "nwparser.p0", "%{}client at %{saddr->} has attempted to make an SCS connection to %{p0}"); - - var part1008 = match("MESSAGE#595:00034:10/4", "nwparser.p0", "%{interface->} %{p0}"); - - var part1009 = match("MESSAGE#595:00034:10/5_0", "nwparser.p0", "with%{p0}"); - - var part1010 = match("MESSAGE#595:00034:10/5_1", "nwparser.p0", "at%{p0}"); - - var select221 = linear_select([ - part1009, - part1010, - ]); - - var part1011 = match("MESSAGE#595:00034:10/6", "nwparser.p0", "%{}IP %{hostip->} but %{disposition->} because %{result}"); - - var all207 = all_match({ - processors: [ - dup244, - dup385, - part1007, - dup352, - part1008, - select221, - part1011, - ], - on_success: processor_chain([ - dup240, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg604 = msg("00034:10", all207); - - var part1012 = match("MESSAGE#596:00034:12/2", "nwparser.p0", "%{}client at %{saddr}:%{sport->} has attempted to make an SCS connection to %{p0}"); - - var part1013 = match("MESSAGE#596:00034:12/4", "nwparser.p0", "but %{disposition->} because %{result}"); - - var all208 = all_match({ - processors: [ - dup244, - dup385, - part1012, - dup386, - part1013, - ], - on_success: processor_chain([ - dup240, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg605 = msg("00034:12", all208); - - var part1014 = match("MESSAGE#597:00034:11/2", "nwparser.p0", "%{}client at %{saddr}:%{sport->} has %{disposition->} to make an SCS connection to %{p0}"); - - var part1015 = match("MESSAGE#597:00034:11/4", "nwparser.p0", "because %{result}"); - - var all209 = all_match({ - processors: [ - dup244, - dup385, - part1014, - dup386, - part1015, - ], - on_success: processor_chain([ - dup240, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg606 = msg("00034:11", all209); - - var part1016 = match("MESSAGE#598:00034:15", "nwparser.payload", "SSH client at %{saddr}:%{sport->} has %{disposition->} to make an SCS connection because %{result}", processor_chain([ - dup240, - 
dup2, - dup3, - dup4, - dup5, - ])); - - var msg607 = msg("00034:15", part1016); - - var part1017 = match("MESSAGE#599:00034:18/2", "nwparser.p0", "user %{username->} at %{saddr}:%{sport->} cannot log in via SCS to %{service->} using the shared %{interface->} interface because %{result}"); - - var all210 = all_match({ - processors: [ - dup244, - dup387, - part1017, - ], - on_success: processor_chain([ - dup240, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg608 = msg("00034:18", all210); - - var part1018 = match("MESSAGE#600:00034:20/2", "nwparser.p0", "user %{username->} at %{saddr}:%{sport->} has %{disposition->} the PKA RSA challenge"); - - var all211 = all_match({ - processors: [ - dup244, - dup387, - part1018, - ], - on_success: processor_chain([ - dup240, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg609 = msg("00034:20", all211); - - var part1019 = match("MESSAGE#601:00034:21/2", "nwparser.p0", "user %{username->} at %{saddr}:%{sport->} has requested %{p0}"); - - var part1020 = match("MESSAGE#601:00034:21/4", "nwparser.p0", "authentication which is not %{p0}"); - - var part1021 = match("MESSAGE#601:00034:21/5_0", "nwparser.p0", "supported %{p0}"); - - var select222 = linear_select([ - part1021, - dup156, - ]); - - var part1022 = match("MESSAGE#601:00034:21/6", "nwparser.p0", "for that %{p0}"); - - var part1023 = match("MESSAGE#601:00034:21/7_0", "nwparser.p0", "client%{}"); - - var part1024 = match("MESSAGE#601:00034:21/7_1", "nwparser.p0", "user%{}"); - - var select223 = linear_select([ - part1023, - part1024, - ]); - - var all212 = all_match({ - processors: [ - dup244, - dup387, - part1019, - dup372, - part1020, - select222, - part1022, - select223, - ], - on_success: processor_chain([ - dup240, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg610 = msg("00034:21", all212); - - var part1025 = match("MESSAGE#602:00034:22", "nwparser.payload", "SSH user %{username->} at %{saddr}:%{sport->} has unsuccessfully attempted to log in via SCS 
to vsys %{fld2->} using the shared untrusted interface", processor_chain([ - dup240, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg611 = msg("00034:22", part1025); - - var part1026 = match("MESSAGE#603:00034:23/1_0", "nwparser.p0", "SCS: Unable %{p0}"); - - var part1027 = match("MESSAGE#603:00034:23/1_1", "nwparser.p0", "Unable %{p0}"); - - var select224 = linear_select([ - part1026, - part1027, - ]); - - var part1028 = match("MESSAGE#603:00034:23/2", "nwparser.p0", "to validate cookie from the SSH client at %{saddr}:%{sport}"); - - var all213 = all_match({ - processors: [ - dup160, - select224, - part1028, - ], - on_success: processor_chain([ - dup240, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg612 = msg("00034:23", all213); - - var part1029 = match("MESSAGE#604:00034:24", "nwparser.payload", "AC %{username->} is advertising URL %{fld2}", processor_chain([ - dup240, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg613 = msg("00034:24", part1029); - - var part1030 = match("MESSAGE#605:00034:25", "nwparser.payload", "Message from AC %{username}: %{fld2}", processor_chain([ - dup240, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg614 = msg("00034:25", part1030); - - var part1031 = match("MESSAGE#606:00034:26", "nwparser.payload", "PPPoE Settings changed%{}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg615 = msg("00034:26", part1031); - - var part1032 = match("MESSAGE#607:00034:27", "nwparser.payload", "PPPoE is %{disposition->} on %{interface->} interface", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg616 = msg("00034:27", part1032); - - var part1033 = match("MESSAGE#608:00034:28", "nwparser.payload", "PPPoE%{quote}s session closed by AC", processor_chain([ - dup209, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg617 = msg("00034:28", part1033); - - var part1034 = match("MESSAGE#609:00034:29", "nwparser.payload", "SCS: Disabled for %{username}. 
Attempted connection %{disposition->} from %{saddr}:%{sport}", processor_chain([ - dup240, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg618 = msg("00034:29", part1034); - - var part1035 = match("MESSAGE#610:00034:30", "nwparser.payload", "SCS: %{disposition->} to remove PKA key removed.", processor_chain([ - dup240, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg619 = msg("00034:30", part1035); - - var part1036 = match("MESSAGE#611:00034:31", "nwparser.payload", "SCS: %{disposition->} to retrieve host key", processor_chain([ - dup240, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg620 = msg("00034:31", part1036); - - var part1037 = match("MESSAGE#612:00034:32", "nwparser.payload", "SCS: %{disposition->} to send identification string to client host at %{saddr}:%{sport}.", processor_chain([ - dup240, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg621 = msg("00034:32", part1037); - - var part1038 = match("MESSAGE#613:00034:33", "nwparser.payload", "SCS: Max %{fld2->} sessions reached unabel to accept connection : %{saddr}:%{sport}", processor_chain([ - dup240, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg622 = msg("00034:33", part1038); - - var part1039 = match("MESSAGE#614:00034:34", "nwparser.payload", "SCS: Maximum number for SCS sessions %{fld2->} has been reached. 
Connection request from SSH user at %{saddr}:%{sport->} has been %{disposition}.", processor_chain([ - dup240, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg623 = msg("00034:34", part1039); - - var part1040 = match("MESSAGE#615:00034:35", "nwparser.payload", "SCS: SSH user %{username->} at %{saddr}:%{sport->} has unsuccessfully attempted to log in via SCS to %{service->} using the shared untrusted interface because SCS is disabled on that interface.", processor_chain([ - dup240, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg624 = msg("00034:35", part1040); - - var part1041 = match("MESSAGE#616:00034:36", "nwparser.payload", "SCS: Unsupported cipher type %{fld2->} requested from: %{saddr}:%{sport}", processor_chain([ - dup240, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg625 = msg("00034:36", part1041); - - var part1042 = match("MESSAGE#617:00034:37", "nwparser.payload", "The Point-to-Point Protocol over Ethernet (PPPoE) protocol settings changed%{}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg626 = msg("00034:37", part1042); - - var part1043 = match("MESSAGE#618:00034:38", "nwparser.payload", "SSH: %{disposition->} to retreive PKA key bound to SSH user %{username->} (Key ID %{fld2})", processor_chain([ - dup240, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg627 = msg("00034:38", part1043); - - var part1044 = match("MESSAGE#619:00034:39", "nwparser.payload", "SSH: Error processing packet from host %{saddr->} (Code %{fld2})", processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg628 = msg("00034:39", part1044); - - var part1045 = match("MESSAGE#620:00034:40", "nwparser.payload", "SSH: Device failed to send initialization string to client at %{saddr}", processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg629 = msg("00034:40", part1045); - - var part1046 = match("MESSAGE#621:00034:41/0", "nwparser.payload", "SCP: Admin user '%{administrator}' attempted to transfer file 
%{p0}"); - - var part1047 = match("MESSAGE#621:00034:41/2", "nwparser.p0", "the device with insufficient privilege.%{}"); - - var all214 = all_match({ - processors: [ - part1046, - dup373, - part1047, - ], - on_success: processor_chain([ - dup240, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg630 = msg("00034:41", all214); - - var part1048 = match("MESSAGE#622:00034:42", "nwparser.payload", "SSH: Maximum number of SSH sessions (%{fld2}) exceeded. Connection request from SSH user %{username->} at %{saddr->} denied.", processor_chain([ - dup240, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg631 = msg("00034:42", part1048); - - var part1049 = match("MESSAGE#623:00034:43", "nwparser.payload", "Ethernet driver ran out of rx bd (port %{network_port})", processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg632 = msg("00034:43", part1049); - - var part1050 = match("MESSAGE#1224:00034:44", "nwparser.payload", "Potential replay attack detected on SSH connection initiated from %{saddr}:%{sport->} (%{fld1})", processor_chain([ - dup44, - dup2, - dup4, - dup5, - dup9, - ])); - - var msg633 = msg("00034:44", part1050); - - var select225 = linear_select([ - msg594, - msg595, - msg596, - msg597, - msg598, - msg599, - msg600, - msg601, - msg602, - msg603, - msg604, - msg605, - msg606, - msg607, - msg608, - msg609, - msg610, - msg611, - msg612, - msg613, - msg614, - msg615, - msg616, - msg617, - msg618, - msg619, - msg620, - msg621, - msg622, - msg623, - msg624, - msg625, - msg626, - msg627, - msg628, - msg629, - msg630, - msg631, - msg632, - msg633, - ]); - - var part1051 = match("MESSAGE#624:00035", "nwparser.payload", "PKI Verify Error: %{resultcode}:%{result}", processor_chain([ - dup117, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg634 = msg("00035", part1051); - - var part1052 = match("MESSAGE#625:00035:01", "nwparser.payload", "SSL - Error MessageID in incoming mail - %{fld2}", processor_chain([ - dup117, - dup2, - dup3, - dup4, - 
dup5, - ])); - - var msg635 = msg("00035:01", part1052); - - var part1053 = match("MESSAGE#626:00035:02", "nwparser.payload", "SSL - cipher type %{fld2->} is not allowed in export or firewall only system", processor_chain([ - dup117, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg636 = msg("00035:02", part1053); - - var part1054 = match("MESSAGE#627:00035:03", "nwparser.payload", "SSL CA changed%{}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg637 = msg("00035:03", part1054); - - var part1055 = match("MESSAGE#628:00035:04/0", "nwparser.payload", "SSL Error when retrieve local c%{p0}"); - - var part1056 = match("MESSAGE#628:00035:04/1_0", "nwparser.p0", "a(verify) %{p0}"); - - var part1057 = match("MESSAGE#628:00035:04/1_1", "nwparser.p0", "ert(verify) %{p0}"); - - var part1058 = match("MESSAGE#628:00035:04/1_2", "nwparser.p0", "ert(all) %{p0}"); - - var select226 = linear_select([ - part1056, - part1057, - part1058, - ]); - - var part1059 = match("MESSAGE#628:00035:04/2", "nwparser.p0", ": %{fld2}"); - - var all215 = all_match({ - processors: [ - part1055, - select226, - part1059, - ], - on_success: processor_chain([ - dup117, - dup2, - dup4, - dup5, - dup3, - ]), - }); - - var msg638 = msg("00035:04", all215); - - var part1060 = match("MESSAGE#629:00035:05", "nwparser.payload", "SSL No ssl context. 
Not ready for connections.%{}", processor_chain([ - dup117, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg639 = msg("00035:05", part1060); - - var part1061 = match("MESSAGE#630:00035:06/0", "nwparser.payload", "SSL c%{p0}"); - - var part1062 = match("MESSAGE#630:00035:06/2", "nwparser.p0", "changed to none%{}"); - - var all216 = all_match({ - processors: [ - part1061, - dup388, - part1062, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg640 = msg("00035:06", all216); - - var part1063 = match("MESSAGE#631:00035:07", "nwparser.payload", "SSL cert subject mismatch: %{fld2->} recieved %{fld3->} is expected", processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg641 = msg("00035:07", part1063); - - var part1064 = match("MESSAGE#632:00035:08", "nwparser.payload", "SSL certificate changed%{}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg642 = msg("00035:08", part1064); - - var part1065 = match("MESSAGE#633:00035:09/1_0", "nwparser.p0", "enabled%{}"); - - var select227 = linear_select([ - part1065, - dup92, - ]); - - var all217 = all_match({ - processors: [ - dup253, - select227, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg643 = msg("00035:09", all217); - - var part1066 = match("MESSAGE#634:00035:10/0", "nwparser.payload", "SSL memory allocation fails in process_c%{p0}"); - - var part1067 = match("MESSAGE#634:00035:10/1_0", "nwparser.p0", "a()%{}"); - - var part1068 = match("MESSAGE#634:00035:10/1_1", "nwparser.p0", "ert()%{}"); - - var select228 = linear_select([ - part1067, - part1068, - ]); - - var all218 = all_match({ - processors: [ - part1066, - select228, - ], - on_success: processor_chain([ - dup184, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg644 = msg("00035:10", all218); - - var part1069 = match("MESSAGE#635:00035:11/0", "nwparser.payload", "SSL no ssl c%{p0}"); - - var part1070 = 
match("MESSAGE#635:00035:11/1_0", "nwparser.p0", "a%{}"); - - var part1071 = match("MESSAGE#635:00035:11/1_1", "nwparser.p0", "ert%{}"); - - var select229 = linear_select([ - part1070, - part1071, - ]); - - var all219 = all_match({ - processors: [ - part1069, - select229, - ], - on_success: processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg645 = msg("00035:11", all219); - - var part1072 = match("MESSAGE#636:00035:12/0", "nwparser.payload", "SSL set c%{p0}"); - - var part1073 = match("MESSAGE#636:00035:12/2", "nwparser.p0", "id is invalid %{fld2}"); - - var all220 = all_match({ - processors: [ - part1072, - dup388, - part1073, - ], - on_success: processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg646 = msg("00035:12", all220); - - var part1074 = match("MESSAGE#637:00035:13/1_1", "nwparser.p0", "verify %{p0}"); - - var select230 = linear_select([ - dup101, - part1074, - ]); - - var part1075 = match("MESSAGE#637:00035:13/2", "nwparser.p0", "cert failed. 
Key type is not RSA%{}"); - - var all221 = all_match({ - processors: [ - dup253, - select230, - part1075, - ], - on_success: processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg647 = msg("00035:13", all221); - - var part1076 = match("MESSAGE#638:00035:14", "nwparser.payload", "SSL ssl context init failed%{}", processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg648 = msg("00035:14", part1076); - - var part1077 = match("MESSAGE#639:00035:15/0", "nwparser.payload", "%{change_attribute->} has been changed %{p0}"); - - var part1078 = match("MESSAGE#639:00035:15/1_0", "nwparser.p0", "from %{change_old->} to %{change_new}"); - - var part1079 = match("MESSAGE#639:00035:15/1_1", "nwparser.p0", "to %{fld2}"); - - var select231 = linear_select([ - part1078, - part1079, - ]); - - var all222 = all_match({ - processors: [ - part1077, - select231, - ], - on_success: processor_chain([ - dup184, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg649 = msg("00035:15", all222); - - var part1080 = match("MESSAGE#640:00035:16", "nwparser.payload", "web SSL certificate changed to by %{username->} via web from host %{saddr->} to %{daddr}:%{dport->} %{fld5}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg650 = msg("00035:16", part1080); - - var select232 = linear_select([ - msg634, - msg635, - msg636, - msg637, - msg638, - msg639, - msg640, - msg641, - msg642, - msg643, - msg644, - msg645, - msg646, - msg647, - msg648, - msg649, - msg650, - ]); - - var part1081 = match("MESSAGE#641:00036", "nwparser.payload", "An optional ScreenOS feature has been activated via a software key%{}", processor_chain([ - dup209, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg651 = msg("00036", part1081); - - var part1082 = match("MESSAGE#642:00036:01/0", "nwparser.payload", "%{fld2->} license keys were updated successfully by %{p0}"); - - var part1083 = match("MESSAGE#642:00036:01/1_1", "nwparser.p0", "manual %{p0}"); 
- - var select233 = linear_select([ - dup214, - part1083, - ]); - - var part1084 = match("MESSAGE#642:00036:01/2", "nwparser.p0", "retrieval%{}"); - - var all223 = all_match({ - processors: [ - part1082, - select233, - part1084, - ], - on_success: processor_chain([ - dup254, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg652 = msg("00036:01", all223); - - var select234 = linear_select([ - msg651, - msg652, - ]); - - var part1085 = match("MESSAGE#643:00037/0", "nwparser.payload", "Intra-zone block for zone %{zone->} was set to o%{p0}"); - - var part1086 = match("MESSAGE#643:00037/1_0", "nwparser.p0", "n%{}"); - - var part1087 = match("MESSAGE#643:00037/1_1", "nwparser.p0", "ff%{}"); - - var select235 = linear_select([ - part1086, - part1087, - ]); - - var all224 = all_match({ - processors: [ - part1085, - select235, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg653 = msg("00037", all224); - - var part1088 = match("MESSAGE#644:00037:01/0", "nwparser.payload", "New zone %{zone->} ( %{p0}"); - - var select236 = linear_select([ - dup255, - dup256, - ]); - - var part1089 = match("MESSAGE#644:00037:01/2", "nwparser.p0", "%{fld2}) was created.%{p0}"); - - var all225 = all_match({ - processors: [ - part1088, - select236, - part1089, - dup351, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg654 = msg("00037:01", all225); - - var part1090 = match("MESSAGE#645:00037:02", "nwparser.payload", "Tunnel zone %{src_zone->} was bound to out zone %{dst_zone}.", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg655 = msg("00037:02", part1090); - - var part1091 = match("MESSAGE#646:00037:03/1_0", "nwparser.p0", "was was %{p0}"); - - var part1092 = match("MESSAGE#646:00037:03/1_1", "nwparser.p0", "%{zone->} was %{p0}"); - - var select237 = linear_select([ - part1091, - part1092, - ]); - - var part1093 = match("MESSAGE#646:00037:03/3", 
"nwparser.p0", "virtual router %{p0}"); - - var part1094 = match("MESSAGE#646:00037:03/4_0", "nwparser.p0", "%{node->} (%{fld1})"); - - var part1095 = match("MESSAGE#646:00037:03/4_1", "nwparser.p0", "%{node}."); - - var select238 = linear_select([ - part1094, - part1095, - ]); - - var all226 = all_match({ - processors: [ - dup113, - select237, - dup371, - part1093, - select238, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg656 = msg("00037:03", all226); - - var part1096 = match("MESSAGE#647:00037:04", "nwparser.payload", "Zone %{zone->} was changed to non-shared.", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg657 = msg("00037:04", part1096); - - var part1097 = match("MESSAGE#648:00037:05/0", "nwparser.payload", "Zone %{zone->} ( %{p0}"); - - var select239 = linear_select([ - dup256, - dup255, - ]); - - var part1098 = match("MESSAGE#648:00037:05/2", "nwparser.p0", "%{fld2}) was deleted. %{p0}"); - - var part1099 = match_copy("MESSAGE#648:00037:05/3_1", "nwparser.p0", "space"); - - var select240 = linear_select([ - dup10, - part1099, - ]); - - var all227 = all_match({ - processors: [ - part1097, - select239, - part1098, - select240, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg658 = msg("00037:05", all227); - - var part1100 = match("MESSAGE#649:00037:06", "nwparser.payload", "IP/TCP reassembly for ALG was %{disposition->} on zone %{zone}.", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg659 = msg("00037:06", part1100); - - var select241 = linear_select([ - msg653, - msg654, - msg655, - msg656, - msg657, - msg658, - msg659, - ]); - - var part1101 = match("MESSAGE#650:00038/0", "nwparser.payload", "OSPF routing instance in vrouter %{p0}"); - - var part1102 = match("MESSAGE#650:00038/1_0", "nwparser.p0", "%{node->} is %{p0}"); - - var part1103 = match("MESSAGE#650:00038/1_1", 
"nwparser.p0", "%{node->} %{p0}"); - - var select242 = linear_select([ - part1102, - part1103, - ]); - - var all228 = all_match({ - processors: [ - part1101, - select242, - dup36, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg660 = msg("00038", all228); - - var part1104 = match("MESSAGE#651:00039", "nwparser.payload", "BGP instance name created for vr %{node}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg661 = msg("00039", part1104); - - var part1105 = match("MESSAGE#652:00040/0_0", "nwparser.payload", "Low watermark%{p0}"); - - var part1106 = match("MESSAGE#652:00040/0_1", "nwparser.payload", "High watermark%{p0}"); - - var select243 = linear_select([ - part1105, - part1106, - ]); - - var part1107 = match("MESSAGE#652:00040/1", "nwparser.p0", "%{}for early aging has been changed to the default %{fld2}"); - - var all229 = all_match({ - processors: [ - select243, - part1107, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg662 = msg("00040", all229); - - var part1108 = match("MESSAGE#653:00040:01", "nwparser.payload", "VPN '%{group}' from %{daddr->} is %{disposition->} (%{fld1})", processor_chain([ - dup44, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg663 = msg("00040:01", part1108); - - var select244 = linear_select([ - msg662, - msg663, - ]); - - var part1109 = match("MESSAGE#654:00041", "nwparser.payload", "A route-map name in virtual router %{node->} has been removed", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg664 = msg("00041", part1109); - - var part1110 = match("MESSAGE#655:00041:01", "nwparser.payload", "VPN '%{group}' from %{daddr->} is %{disposition->} (%{fld1})", processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg665 = msg("00041:01", part1110); - - var select245 = linear_select([ - msg664, - msg665, - ]); - - var part1111 = 
match("MESSAGE#656:00042", "nwparser.payload", "Replay packet detected on IPSec tunnel on %{interface->} with tunnel ID %{fld2}! From %{saddr->} to %{daddr}/%{dport}, %{info->} (%{fld1})", processor_chain([ - dup58, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg666 = msg("00042", part1111); - - var part1112 = match("MESSAGE#657:00042:01", "nwparser.payload", "%{signame->} From %{saddr->} to %{daddr}, using protocol %{protocol}, and arriving at interface %{dinterface->} in zone %{dst_zone}.The attack occurred %{dclass_counter1->} times. (%{fld1})", processor_chain([ - dup58, - dup2, - dup3, - dup59, - dup9, - dup4, - dup5, - dup60, - ])); - - var msg667 = msg("00042:01", part1112); - - var select246 = linear_select([ - msg666, - msg667, - ]); - - var part1113 = match("MESSAGE#658:00043", "nwparser.payload", "Receive StopCCN_msg, remove l2tp tunnel (%{fld2}-%{fld3}), Result code %{resultcode->} (%{result}). (%{fld1})", processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg668 = msg("00043", part1113); - - var part1114 = match("MESSAGE#659:00044/0", "nwparser.payload", "access list %{listnum->} sequence number %{fld3->} %{p0}"); - - var part1115 = match("MESSAGE#659:00044/1_1", "nwparser.p0", "deny %{p0}"); - - var select247 = linear_select([ - dup257, - part1115, - ]); - - var part1116 = match("MESSAGE#659:00044/2", "nwparser.p0", "ip %{hostip}/%{mask->} %{disposition->} in vrouter %{node}"); - - var all230 = all_match({ - processors: [ - part1114, - select247, - part1116, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg669 = msg("00044", all230); - - var part1117 = match("MESSAGE#660:00044:01", "nwparser.payload", "access list %{listnum->} %{disposition->} in vrouter %{node}.", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg670 = msg("00044:01", part1117); - - var select248 = linear_select([ - msg669, - msg670, - ]); - - var part1118 = 
match("MESSAGE#661:00045", "nwparser.payload", "RIP instance in virtual router %{node->} was %{disposition}.", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg671 = msg("00045", part1118); - - var part1119 = match("MESSAGE#662:00047/1_0", "nwparser.p0", "remove %{p0}"); - - var part1120 = match("MESSAGE#662:00047/1_1", "nwparser.p0", "add %{p0}"); - - var select249 = linear_select([ - part1119, - part1120, - ]); - - var part1121 = match("MESSAGE#662:00047/2", "nwparser.p0", "multicast policy from %{src_zone->} %{fld4->} to %{dst_zone->} %{fld3->} (%{fld1})"); - - var all231 = all_match({ - processors: [ - dup183, - select249, - part1121, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg672 = msg("00047", all231); - - var part1122 = match("MESSAGE#663:00048/0", "nwparser.payload", "Access list entry %{listnum->} with %{p0}"); - - var part1123 = match("MESSAGE#663:00048/1_0", "nwparser.p0", "a sequence %{p0}"); - - var part1124 = match("MESSAGE#663:00048/1_1", "nwparser.p0", "sequence %{p0}"); - - var select250 = linear_select([ - part1123, - part1124, - ]); - - var part1125 = match("MESSAGE#663:00048/2", "nwparser.p0", "number %{fld2->} %{p0}"); - - var part1126 = match("MESSAGE#663:00048/3_0", "nwparser.p0", "with an action of %{p0}"); - - var select251 = linear_select([ - part1126, - dup112, - ]); - - var part1127 = match("MESSAGE#663:00048/5_0", "nwparser.p0", "with an IP %{p0}"); - - var select252 = linear_select([ - part1127, - dup139, - ]); - - var part1128 = match("MESSAGE#663:00048/6", "nwparser.p0", "address %{p0}"); - - var part1129 = match("MESSAGE#663:00048/7_0", "nwparser.p0", "and subnetwork mask of %{p0}"); - - var select253 = linear_select([ - part1129, - dup16, - ]); - - var part1130 = match("MESSAGE#663:00048/8", "nwparser.p0", "%{} %{fld3}was %{p0}"); - - var part1131 = match("MESSAGE#663:00048/9_0", "nwparser.p0", "created on %{p0}"); - - var select254 = 
linear_select([ - part1131, - dup129, - ]); - - var part1132 = match("MESSAGE#663:00048/10", "nwparser.p0", "virtual router %{node->} (%{fld1})"); - - var all232 = all_match({ - processors: [ - part1122, - select250, - part1125, - select251, - dup257, - select252, - part1128, - select253, - part1130, - select254, - part1132, - ], - on_success: processor_chain([ - setc("eventcategory","1501000000"), - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg673 = msg("00048", all232); - - var part1133 = match("MESSAGE#664:00048:01/0", "nwparser.payload", "Route %{p0}"); - - var part1134 = match("MESSAGE#664:00048:01/1_0", "nwparser.p0", "map entry %{p0}"); - - var part1135 = match("MESSAGE#664:00048:01/1_1", "nwparser.p0", "entry %{p0}"); - - var select255 = linear_select([ - part1134, - part1135, - ]); - - var part1136 = match("MESSAGE#664:00048:01/2", "nwparser.p0", "with sequence number %{fld2->} in route map binck-ospf%{p0}"); - - var part1137 = match("MESSAGE#664:00048:01/3_0", "nwparser.p0", " in %{p0}"); - - var select256 = linear_select([ - part1137, - dup105, - ]); - - var part1138 = match("MESSAGE#664:00048:01/4", "nwparser.p0", "virtual router %{node->} was %{disposition->} (%{fld1})"); - - var all233 = all_match({ - processors: [ - part1133, - select255, - part1136, - select256, - part1138, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg674 = msg("00048:01", all233); - - var part1139 = match("MESSAGE#665:00048:02", "nwparser.payload", "%{space}set match interface %{interface->} (%{fld1})", processor_chain([ - dup209, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg675 = msg("00048:02", part1139); - - var select257 = linear_select([ - msg673, - msg674, - msg675, - ]); - - var part1140 = match("MESSAGE#666:00049", "nwparser.payload", "Route-lookup preference changed to %{fld8->} (%{fld2}) => %{fld3->} (%{fld4}) => %{fld5->} (%{fld6}) in virtual router (%{node})", processor_chain([ - 
dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg676 = msg("00049", part1140); - - var part1141 = match("MESSAGE#667:00049:01", "nwparser.payload", "SIBR routing %{disposition->} in virtual router %{node}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg677 = msg("00049:01", part1141); - - var part1142 = match("MESSAGE#668:00049:02", "nwparser.payload", "A virtual router with name %{node->} and ID %{fld2->} has been removed", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg678 = msg("00049:02", part1142); - - var part1143 = match("MESSAGE#669:00049:03", "nwparser.payload", "The router-id of virtual router \"%{node}\" used by OSPF, BGP routing instances id has been uninitialized. (%{fld1})", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg679 = msg("00049:03", part1143); - - var part1144 = match("MESSAGE#670:00049:04", "nwparser.payload", "The system default-route through virtual router \"%{node}\" has been added in virtual router \"%{fld4}\" (%{fld1})", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg680 = msg("00049:04", part1144); - - var part1145 = match("MESSAGE#671:00049:05", "nwparser.payload", "Subnetwork conflict checking for interfaces in virtual router (%{node}) has been enabled. 
(%{fld1})", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg681 = msg("00049:05", part1145); - - var select258 = linear_select([ - msg676, - msg677, - msg678, - msg679, - msg680, - msg681, - ]); - - var part1146 = match("MESSAGE#672:00050", "nwparser.payload", "Track IP enabled (%{fld1})", processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg682 = msg("00050", part1146); - - var part1147 = match("MESSAGE#673:00051", "nwparser.payload", "Session utilization has reached %{fld2}, which is %{fld3->} of the system capacity!", processor_chain([ - dup117, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg683 = msg("00051", part1147); - - var part1148 = match("MESSAGE#674:00052", "nwparser.payload", "AV: Suspicious client %{saddr}:%{sport}->%{daddr}:%{dport->} used %{fld2->} percent of AV resources, which exceeded the max of %{fld3->} percent.", processor_chain([ - dup117, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg684 = msg("00052", part1148); - - var part1149 = match("MESSAGE#675:00055/1_1", "nwparser.p0", "router %{p0}"); - - var select259 = linear_select([ - dup169, - part1149, - ]); - - var part1150 = match("MESSAGE#675:00055/2", "nwparser.p0", "instance was %{disposition->} on interface %{interface}."); - - var all234 = all_match({ - processors: [ - dup258, - select259, - part1150, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg685 = msg("00055", all234); - - var part1151 = match("MESSAGE#676:00055:01/1_0", "nwparser.p0", "proxy %{p0}"); - - var part1152 = match("MESSAGE#676:00055:01/1_1", "nwparser.p0", "function %{p0}"); - - var select260 = linear_select([ - part1151, - part1152, - ]); - - var part1153 = match("MESSAGE#676:00055:01/2", "nwparser.p0", "was %{disposition->} on interface %{interface}."); - - var all235 = all_match({ - processors: [ - dup258, - select260, - part1153, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, 
- dup5, - ]), - }); - - var msg686 = msg("00055:01", all235); - - var part1154 = match("MESSAGE#677:00055:02/2", "nwparser.p0", "same subnet check on interface %{interface}."); - - var all236 = all_match({ - processors: [ - dup259, - dup389, - part1154, - ], - on_success: processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg687 = msg("00055:02", all236); - - var part1155 = match("MESSAGE#678:00055:03/2", "nwparser.p0", "router alert IP option check on interface %{interface}."); - - var all237 = all_match({ - processors: [ - dup259, - dup389, - part1155, - ], - on_success: processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg688 = msg("00055:03", all237); - - var part1156 = match("MESSAGE#679:00055:04", "nwparser.payload", "IGMP version was changed to %{version->} on interface %{interface}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg689 = msg("00055:04", part1156); - - var part1157 = match("MESSAGE#680:00055:05/0", "nwparser.payload", "IGMP query %{p0}"); - - var part1158 = match("MESSAGE#680:00055:05/1_1", "nwparser.p0", "max response time %{p0}"); - - var select261 = linear_select([ - dup110, - part1158, - ]); - - var part1159 = match("MESSAGE#680:00055:05/2", "nwparser.p0", "was changed to %{fld2->} on interface %{interface}"); - - var all238 = all_match({ - processors: [ - part1157, - select261, - part1159, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg690 = msg("00055:05", all238); - - var part1160 = match("MESSAGE#681:00055:06/0", "nwparser.payload", "IGMP l%{p0}"); - - var part1161 = match("MESSAGE#681:00055:06/1_0", "nwparser.p0", "eave %{p0}"); - - var part1162 = match("MESSAGE#681:00055:06/1_1", "nwparser.p0", "ast member query %{p0}"); - - var select262 = linear_select([ - part1161, - part1162, - ]); - - var part1163 = match("MESSAGE#681:00055:06/2", "nwparser.p0", "interval was changed to %{fld2->} on interface 
%{interface}."); - - var all239 = all_match({ - processors: [ - part1160, - select262, - part1163, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg691 = msg("00055:06", all239); - - var part1164 = match("MESSAGE#682:00055:07/1_0", "nwparser.p0", "routers %{p0}"); - - var part1165 = match("MESSAGE#682:00055:07/1_1", "nwparser.p0", "hosts %{p0}"); - - var part1166 = match("MESSAGE#682:00055:07/1_2", "nwparser.p0", "groups %{p0}"); - - var select263 = linear_select([ - part1164, - part1165, - part1166, - ]); - - var part1167 = match("MESSAGE#682:00055:07/2", "nwparser.p0", "accept list ID was changed to %{fld2->} on interface %{interface}."); - - var all240 = all_match({ - processors: [ - dup258, - select263, - part1167, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg692 = msg("00055:07", all240); - - var part1168 = match("MESSAGE#683:00055:08/1_0", "nwparser.p0", "all groups %{p0}"); - - var part1169 = match("MESSAGE#683:00055:08/1_1", "nwparser.p0", "group %{p0}"); - - var select264 = linear_select([ - part1168, - part1169, - ]); - - var part1170 = match("MESSAGE#683:00055:08/2", "nwparser.p0", "%{group->} static flag was %{disposition->} on interface %{interface}."); - - var all241 = all_match({ - processors: [ - dup258, - select264, - part1170, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg693 = msg("00055:08", all241); - - var part1171 = match("MESSAGE#684:00055:09", "nwparser.payload", "IGMP static group %{group->} was added on interface %{interface}", processor_chain([ - dup209, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg694 = msg("00055:09", part1171); - - var part1172 = match("MESSAGE#685:00055:10", "nwparser.payload", "IGMP proxy always is %{disposition->} on interface %{interface}.", processor_chain([ - dup209, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg695 = msg("00055:10", part1172); - 
- var select265 = linear_select([ - msg685, - msg686, - msg687, - msg688, - msg689, - msg690, - msg691, - msg692, - msg693, - msg694, - msg695, - ]); - - var part1173 = match("MESSAGE#686:00056", "nwparser.payload", "Remove multicast policy from %{src_zone->} %{saddr->} to %{dst_zone->} %{daddr}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg696 = msg("00056", part1173); - - var part1174 = match("MESSAGE#687:00057", "nwparser.payload", "%{fld2}: static multicast route src=%{saddr}, grp=%{group->} input ifp = %{sinterface->} output ifp = %{dinterface->} added", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg697 = msg("00057", part1174); - - var part1175 = match("MESSAGE#688:00058", "nwparser.payload", "PIMSM protocol configured on interface %{interface}", processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg698 = msg("00058", part1175); - - var part1176 = match("MESSAGE#689:00059/0", "nwparser.payload", "DDNS module is %{p0}"); - - var part1177 = match("MESSAGE#689:00059/1_0", "nwparser.p0", "initialized %{p0}"); - - var select266 = linear_select([ - part1177, - dup262, - dup157, - dup156, - ]); - - var all242 = all_match({ - processors: [ - part1176, - select266, - dup116, - ], - on_success: processor_chain([ - dup209, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg699 = msg("00059", all242); - - var part1178 = match("MESSAGE#690:00059:02/0", "nwparser.payload", "DDNS entry with id %{fld2->} is configured with server type \"%{fld3}\" name \"%{hostname}\" refresh-interval %{fld5->} hours minimum update interval %{fld6->} minutes with %{p0}"); - - var part1179 = match("MESSAGE#690:00059:02/1_0", "nwparser.p0", "secure %{p0}"); - - var part1180 = match("MESSAGE#690:00059:02/1_1", "nwparser.p0", "clear-text %{p0}"); - - var select267 = linear_select([ - part1179, - part1180, - ]); - - var part1181 = match("MESSAGE#690:00059:02/2", "nwparser.p0", "secure connection.%{}"); - - var 
all243 = all_match({ - processors: [ - part1178, - select267, - part1181, - ], - on_success: processor_chain([ - dup209, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg700 = msg("00059:02", all243); - - var part1182 = match("MESSAGE#691:00059:03", "nwparser.payload", "DDNS entry with id %{fld2->} is configured with user name \"%{username}\" agent \"%{fld3}\"", processor_chain([ - dup209, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg701 = msg("00059:03", part1182); - - var part1183 = match("MESSAGE#692:00059:04", "nwparser.payload", "DDNS entry with id %{fld2->} is configured with interface \"%{interface}\" host-name \"%{hostname}\"", processor_chain([ - dup209, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg702 = msg("00059:04", part1183); - - var part1184 = match("MESSAGE#693:00059:05/0_0", "nwparser.payload", "Hostname %{p0}"); - - var part1185 = match("MESSAGE#693:00059:05/0_1", "nwparser.payload", "Source interface %{p0}"); - - var part1186 = match("MESSAGE#693:00059:05/0_2", "nwparser.payload", "Username and password %{p0}"); - - var part1187 = match("MESSAGE#693:00059:05/0_3", "nwparser.payload", "Server %{p0}"); - - var select268 = linear_select([ - part1184, - part1185, - part1186, - part1187, - ]); - - var part1188 = match("MESSAGE#693:00059:05/1", "nwparser.p0", "of DDNS entry with id %{fld2->} is cleared."); - - var all244 = all_match({ - processors: [ - select268, - part1188, - ], - on_success: processor_chain([ - dup209, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg703 = msg("00059:05", all244); - - var part1189 = match("MESSAGE#694:00059:06", "nwparser.payload", "Agent of DDNS entry with id %{fld2->} is reset to its default value.", processor_chain([ - dup209, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg704 = msg("00059:06", part1189); - - var part1190 = match("MESSAGE#695:00059:07", "nwparser.payload", "Updates for DDNS entry with id %{fld2->} are set to be sent in secure (%{protocol}) mode.", processor_chain([ - 
dup209, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg705 = msg("00059:07", part1190); - - var part1191 = match("MESSAGE#696:00059:08/0_0", "nwparser.payload", "Refresh %{p0}"); - - var part1192 = match("MESSAGE#696:00059:08/0_1", "nwparser.payload", "Minimum update %{p0}"); - - var select269 = linear_select([ - part1191, - part1192, - ]); - - var part1193 = match("MESSAGE#696:00059:08/1", "nwparser.p0", "interval of DDNS entry with id %{fld2->} is set to default value (%{fld3})."); - - var all245 = all_match({ - processors: [ - select269, - part1193, - ], - on_success: processor_chain([ - dup209, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg706 = msg("00059:08", all245); - - var part1194 = match("MESSAGE#697:00059:09/1_0", "nwparser.p0", "No-Change %{p0}"); - - var part1195 = match("MESSAGE#697:00059:09/1_1", "nwparser.p0", "Error %{p0}"); - - var select270 = linear_select([ - part1194, - part1195, - ]); - - var part1196 = match("MESSAGE#697:00059:09/2", "nwparser.p0", "response received for DDNS entry update for id %{fld2->} user \"%{username}\" domain \"%{domain}\" server type \" d%{p0}"); - - var part1197 = match("MESSAGE#697:00059:09/3_1", "nwparser.p0", "yndns %{p0}"); - - var select271 = linear_select([ - dup261, - part1197, - ]); - - var part1198 = match("MESSAGE#697:00059:09/4", "nwparser.p0", "\", server name \"%{hostname}\""); - - var all246 = all_match({ - processors: [ - dup160, - select270, - part1196, - select271, - part1198, - ], - on_success: processor_chain([ - dup209, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg707 = msg("00059:09", all246); - - var part1199 = match("MESSAGE#698:00059:01", "nwparser.payload", "DDNS entry with id %{fld2->} is %{disposition}.", processor_chain([ - dup209, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg708 = msg("00059:01", part1199); - - var select272 = linear_select([ - msg699, - msg700, - msg701, - msg702, - msg703, - msg704, - msg705, - msg706, - msg707, - msg708, - ]); - - var 
part1200 = match("MESSAGE#699:00062:01", "nwparser.payload", "Track IP IP address %{hostip->} failed. (%{event_time_string})", processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - setc("event_description","Track IP failed"), - ])); - - var msg709 = msg("00062:01", part1200); - - var part1201 = match("MESSAGE#700:00062:02", "nwparser.payload", "Track IP failure reached threshold. (%{event_time_string})", processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - setc("event_description","Track IP failure reached threshold"), - ])); - - var msg710 = msg("00062:02", part1201); - - var part1202 = match("MESSAGE#701:00062:03", "nwparser.payload", "Track IP IP address %{hostip->} succeeded. (%{event_time_string})", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - setc("event_description","Track IP succeeded"), - ])); - - var msg711 = msg("00062:03", part1202); - - var part1203 = match("MESSAGE#702:00062", "nwparser.payload", "HA linkdown%{}", processor_chain([ - dup86, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg712 = msg("00062", part1203); - - var select273 = linear_select([ - msg709, - msg710, - msg711, - msg712, - ]); - - var part1204 = match("MESSAGE#703:00063", "nwparser.payload", "nsrp track-ip ip %{hostip->} %{disposition}!", processor_chain([ - dup86, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg713 = msg("00063", part1204); - - var part1205 = match("MESSAGE#704:00064", "nwparser.payload", "Can not create track-ip list%{}", processor_chain([ - dup86, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg714 = msg("00064", part1205); - - var part1206 = match("MESSAGE#705:00064:01", "nwparser.payload", "track ip fail reaches threshold system may fail over!%{}", processor_chain([ - dup86, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg715 = msg("00064:01", part1206); - - var part1207 = match("MESSAGE#706:00064:02", "nwparser.payload", "Anti-Spam is detached from policy ID %{policy_id}. 
(%{fld1})", processor_chain([ - dup17, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg716 = msg("00064:02", part1207); - - var select274 = linear_select([ - msg714, - msg715, - msg716, - ]); - - var msg717 = msg("00070", dup411); - - var part1208 = match("MESSAGE#708:00070:01/2", "nwparser.p0", "%{}Device group %{group->} changed state from %{fld3->} to %{p0}"); - - var part1209 = match("MESSAGE#708:00070:01/3_0", "nwparser.p0", "Init%{}"); - - var part1210 = match("MESSAGE#708:00070:01/3_1", "nwparser.p0", "init. (%{fld1})"); - - var select275 = linear_select([ - part1209, - part1210, - ]); - - var all247 = all_match({ - processors: [ - dup267, - dup391, - part1208, - select275, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg718 = msg("00070:01", all247); - - var part1211 = match("MESSAGE#709:00070:02", "nwparser.payload", "NSRP: nsrp control channel change to %{interface}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg719 = msg("00070:02", part1211); - - var select276 = linear_select([ - msg717, - msg718, - msg719, - ]); - - var msg720 = msg("00071", dup411); - - var part1212 = match("MESSAGE#711:00071:01", "nwparser.payload", "The local device %{fld1->} in the Virtual Security Device group %{group->} changed state", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg721 = msg("00071:01", part1212); - - var select277 = linear_select([ - msg720, - msg721, - ]); - - var msg722 = msg("00072", dup411); - - var msg723 = msg("00072:01", dup412); - - var select278 = linear_select([ - msg722, - msg723, - ]); - - var msg724 = msg("00073", dup411); - - var msg725 = msg("00073:01", dup412); - - var select279 = linear_select([ - msg724, - msg725, - ]); - - var msg726 = msg("00074", dup392); - - var all248 = all_match({ - processors: [ - dup263, - dup390, - dup271, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - 
}); - - var msg727 = msg("00075", all248); - - var part1213 = match("MESSAGE#718:00075:02", "nwparser.payload", "The local device %{hardware_id->} in the Virtual Security Device group %{group->} changed state from %{event_state->} to inoperable. (%{fld1})", processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - setc("event_description","local device in the Virtual Security Device group changed state to inoperable"), - ])); - - var msg728 = msg("00075:02", part1213); - - var part1214 = match("MESSAGE#719:00075:01", "nwparser.payload", "The local device %{hardware_id->} in the Virtual Security Device group %{group->} %{info}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg729 = msg("00075:01", part1214); - - var select280 = linear_select([ - msg727, - msg728, - msg729, - ]); - - var msg730 = msg("00076", dup392); - - var part1215 = match("MESSAGE#721:00076:01/2", "nwparser.p0", "%{fld2->} of VSD group %{group->} send 2nd path request to unit=%{fld3}"); - - var all249 = all_match({ - processors: [ - dup263, - dup390, - part1215, - ], - on_success: processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg731 = msg("00076:01", all249); - - var select281 = linear_select([ - msg730, - msg731, - ]); - - var part1216 = match("MESSAGE#722:00077", "nwparser.payload", "HA link disconnect. 
Begin to use second path of HA%{}", processor_chain([ - dup144, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg732 = msg("00077", part1216); - - var all250 = all_match({ - processors: [ - dup263, - dup390, - dup271, - ], - on_success: processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg733 = msg("00077:01", all250); - - var part1217 = match("MESSAGE#724:00077:02", "nwparser.payload", "The local device %{fld2->} in the Virtual Security Device group %{group}", processor_chain([ - setc("eventcategory","1607000000"), - dup2, - dup3, - dup4, - dup5, - ])); - - var msg734 = msg("00077:02", part1217); - - var select282 = linear_select([ - msg732, - msg733, - msg734, - ]); - - var part1218 = match("MESSAGE#725:00084", "nwparser.payload", "RTSYNC: NSRP route synchronization is %{disposition}", processor_chain([ - dup272, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg735 = msg("00084", part1218); - - var part1219 = match("MESSAGE#726:00090/0_0", "nwparser.payload", "Failover %{p0}"); - - var part1220 = match("MESSAGE#726:00090/0_1", "nwparser.payload", "Recovery %{p0}"); - - var select283 = linear_select([ - part1219, - part1220, - ]); - - var part1221 = match("MESSAGE#726:00090/3", "nwparser.p0", "untrust interface occurred.%{}"); - - var all251 = all_match({ - processors: [ - select283, - dup103, - dup369, - part1221, - ], - on_success: processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg736 = msg("00090", all251); - - var part1222 = match("MESSAGE#727:00200", "nwparser.payload", "A new route cannot be added to the device because the maximum number of system route entries %{fld2->} has been exceeded", processor_chain([ - dup117, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg737 = msg("00200", part1222); - - var part1223 = match("MESSAGE#728:00201", "nwparser.payload", "A route %{hostip}/%{fld2->} cannot be added to the virtual router %{node->} because the number of route entries in the virtual router 
exceeds the maximum number of routes %{fld3->} allowed", processor_chain([ - dup117, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg738 = msg("00201", part1223); - - var part1224 = match("MESSAGE#729:00202", "nwparser.payload", "%{fld2->} hello-packet flood from neighbor (ip = %{hostip->} router-id = %{fld3}) on interface %{interface->} packet is dropped", processor_chain([ - dup272, - dup2, - dup4, - dup5, - dup3, - ])); - - var msg739 = msg("00202", part1224); - - var part1225 = match("MESSAGE#730:00203", "nwparser.payload", "%{fld2->} lsa flood on interface %{interface->} has dropped a packet.", processor_chain([ - dup272, - dup2, - dup4, - dup5, - dup3, - ])); - - var msg740 = msg("00203", part1225); - - var part1226 = match("MESSAGE#731:00206/0", "nwparser.payload", "The total number of redistributed routes into %{p0}"); - - var part1227 = match("MESSAGE#731:00206/1_0", "nwparser.p0", "BGP %{p0}"); - - var part1228 = match("MESSAGE#731:00206/1_1", "nwparser.p0", "OSPF %{p0}"); - - var select284 = linear_select([ - part1227, - part1228, - ]); - - var part1229 = match("MESSAGE#731:00206/2", "nwparser.p0", "in vrouter %{node->} exceeded system limit (%{fld2})"); - - var all252 = all_match({ - processors: [ - part1226, - select284, - part1229, - ], - on_success: processor_chain([ - dup272, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg741 = msg("00206", all252); - - var part1230 = match("MESSAGE#732:00206:01/0", "nwparser.payload", "LSA flood in OSPF with router-id %{fld2->} on %{p0}"); - - var part1231 = match("MESSAGE#732:00206:01/2", "nwparser.p0", "%{interface->} forced the interface to drop a packet."); - - var all253 = all_match({ - processors: [ - part1230, - dup352, - part1231, - ], - on_success: processor_chain([ - dup273, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg742 = msg("00206:01", all253); - - var part1232 = match("MESSAGE#733:00206:02/0", "nwparser.payload", "OSPF instance with router-id %{fld3->} received a Hello packet 
flood from neighbor (IP address %{hostip}, router ID %{fld2}) on %{p0}"); - - var part1233 = match("MESSAGE#733:00206:02/2", "nwparser.p0", "%{interface->} forcing the interface to drop the packet."); - - var all254 = all_match({ - processors: [ - part1232, - dup352, - part1233, - ], - on_success: processor_chain([ - dup273, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg743 = msg("00206:02", all254); - - var part1234 = match("MESSAGE#734:00206:03", "nwparser.payload", "Link State Advertisement Id %{fld2}, router ID %{fld3}, type %{fld4->} cannot be deleted from the real-time database in area %{fld5}", processor_chain([ - dup273, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg744 = msg("00206:03", part1234); - - var part1235 = match("MESSAGE#735:00206:04", "nwparser.payload", "Reject second OSPF neighbor (%{fld2}) on interface (%{interface}) since it_s configured as point-to-point interface", processor_chain([ - dup273, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg745 = msg("00206:04", part1235); - - var select285 = linear_select([ - msg741, - msg742, - msg743, - msg744, - msg745, - ]); - - var part1236 = match("MESSAGE#736:00207", "nwparser.payload", "System wide RIP route limit exceeded, RIP route dropped.%{}", processor_chain([ - dup273, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg746 = msg("00207", part1236); - - var part1237 = match("MESSAGE#737:00207:01", "nwparser.payload", "%{fld2->} RIP routes dropped from last system wide RIP route limit exceed.", processor_chain([ - dup273, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg747 = msg("00207:01", part1237); - - var part1238 = match("MESSAGE#738:00207:02", "nwparser.payload", "RIP database size limit exceeded for %{fld2}, RIP route dropped.", processor_chain([ - dup273, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg748 = msg("00207:02", part1238); - - var part1239 = match("MESSAGE#739:00207:03", "nwparser.payload", "%{fld2->} RIP routes dropped from the last database size exceed in 
vr %{fld3}.", processor_chain([ - dup273, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg749 = msg("00207:03", part1239); - - var select286 = linear_select([ - msg746, - msg747, - msg748, - msg749, - ]); - - var part1240 = match("MESSAGE#740:00257", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} direction=outgoing action=Deny sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport->} translated ip=%{stransaddr->} port=%{stransport}", processor_chain([ - dup185, - dup2, - dup4, - dup5, - dup3, - dup274, - dup275, - dup61, - dup276, - dup277, - dup278, - ])); - - var msg750 = msg("00257", part1240); - - var part1241 = match("MESSAGE#741:00257:14", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} direction=incoming action=Deny sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport->} translated ip=%{dtransaddr->} port=%{dtransport}", processor_chain([ - dup185, - dup2, - dup4, - dup5, - dup3, - dup274, - dup275, - dup279, - dup276, - dup277, - dup280, - ])); - - var msg751 = msg("00257:14", part1241); - - var part1242 = match("MESSAGE#742:00257:01", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} direction=outgoing action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport->} translated ip=%{stransaddr->} port=%{stransport}", processor_chain([ - dup281, - dup2, - dup4, - dup5, - dup3, - dup274, - dup275, - dup61, - dup282, - dup278, - ])); - - var msg752 = msg("00257:01", part1242); - - var part1243 = match("MESSAGE#743:00257:15", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} 
direction=incoming action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport->} translated ip=%{dtransaddr->} port=%{dtransport}", processor_chain([ - dup281, - dup2, - dup4, - dup5, - dup3, - dup274, - dup275, - dup279, - dup282, - dup280, - ])); - - var msg753 = msg("00257:15", part1243); - - var part1244 = match("MESSAGE#744:00257:02", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} direction=%{direction->} action=Deny sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport}", processor_chain([ - dup185, - dup2, - dup4, - dup5, - dup3, - dup274, - dup275, - dup61, - dup276, - dup277, - ])); - - var msg754 = msg("00257:02", part1244); - - var part1245 = match("MESSAGE#745:00257:03", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} direction=%{direction->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport}", processor_chain([ - dup281, - dup2, - dup4, - dup5, - dup3, - dup274, - dup275, - dup61, - dup282, - ])); - - var msg755 = msg("00257:03", part1245); - - var part1246 = match("MESSAGE#746:00257:04", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=Deny sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport->} src-xlated ip=%{stransaddr->} port=%{stransport}", processor_chain([ - dup185, - dup2, - dup4, - dup5, - dup3, - dup274, - dup275, - dup61, - dup276, - dup277, - ])); - - var msg756 = msg("00257:04", part1246); - - var part1247 = match("MESSAGE#747:00257:05", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} 
policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport->} src-xlated ip=%{stransaddr->} port=%{stransport->} dst-xlated ip=%{dtransaddr->} port=%{dtransport->} session_id=%{sessionid->} reason=%{result}", processor_chain([ - dup281, - dup2, - dup4, - dup5, - dup3, - dup274, - dup275, - dup61, - dup282, - ])); - - var msg757 = msg("00257:05", part1247); - - var part1248 = match("MESSAGE#748:00257:19/2", "nwparser.p0", "%{}duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} icmp type=%{icmptype->} icmp code=%{icmpcode->} src-xlated ip=%{stransaddr->} dst-xlated ip=%{dtransaddr->} session_id=%{sessionid->} reason=%{result}"); - - var all255 = all_match({ - processors: [ - dup283, - dup393, - part1248, - ], - on_success: processor_chain([ - dup281, - dup2, - dup4, - dup5, - dup3, - dup274, - dup275, - dup60, - dup282, - ]), - }); - - var msg758 = msg("00257:19", all255); - - var part1249 = match("MESSAGE#749:00257:16/2", "nwparser.p0", "%{}duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} icmp type=%{icmptype->} src-xlated ip=%{stransaddr->} dst-xlated ip=%{dtransaddr->} session_id=%{sessionid}"); - - var all256 = all_match({ - processors: [ - dup283, - dup393, - part1249, - ], - on_success: processor_chain([ - dup281, - dup2, - dup4, - dup5, - dup3, - dup274, - dup275, - dup60, - dup282, - ]), - }); - - var msg759 = msg("00257:16", all256); - - var part1250 = match("MESSAGE#750:00257:17/2", "nwparser.p0", "%{}duration=%{duration->} 
policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport->} src-xlated ip=%{stransaddr->} port=%{stransport->} dst-xlated ip=%{dtransaddr->} port=%{dtransport->} session_id=%{sessionid}"); - - var all257 = all_match({ - processors: [ - dup283, - dup393, - part1250, - ], - on_success: processor_chain([ - dup281, - dup2, - dup4, - dup5, - dup3, - dup274, - dup275, - dup61, - dup282, - ]), - }); - - var msg760 = msg("00257:17", all257); - - var part1251 = match("MESSAGE#751:00257:18/2", "nwparser.p0", "%{}duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport->} src-xlated ip=%{stransaddr->} port=%{stransport->} session_id=%{sessionid}"); - - var all258 = all_match({ - processors: [ - dup283, - dup393, - part1251, - ], - on_success: processor_chain([ - dup281, - dup2, - dup4, - dup5, - dup3, - dup274, - dup275, - dup61, - dup282, - ]), - }); - - var msg761 = msg("00257:18", all258); - - var part1252 = match("MESSAGE#752:00257:06/0", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=Deny sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{p0}"); - - var part1253 = match("MESSAGE#752:00257:06/1_0", "nwparser.p0", "%{dport->} session_id=%{sessionid}"); - - var part1254 = match_copy("MESSAGE#752:00257:06/1_1", "nwparser.p0", "dport"); - - var select287 = linear_select([ - part1253, - part1254, - ]); - - var all259 = all_match({ - processors: [ - part1252, - select287, - ], - on_success: processor_chain([ - dup185, - 
dup2, - dup4, - dup5, - dup3, - dup274, - dup275, - dup61, - dup276, - dup277, - ]), - }); - - var msg762 = msg("00257:06", all259); - - var part1255 = match("MESSAGE#753:00257:07", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport}", processor_chain([ - dup281, - dup2, - dup4, - dup5, - dup3, - dup274, - dup275, - dup61, - dup282, - ])); - - var msg763 = msg("00257:07", part1255); - - var part1256 = match("MESSAGE#754:00257:08", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=Deny sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} tcp=%{icmptype}", processor_chain([ - dup185, - dup2, - dup4, - dup5, - dup3, - dup274, - dup275, - dup60, - dup276, - dup277, - ])); - - var msg764 = msg("00257:08", part1256); - - var part1257 = match("MESSAGE#755:00257:09/0", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} icmp type=%{p0}"); - - var part1258 = match("MESSAGE#755:00257:09/1_0", "nwparser.p0", "%{icmptype->} icmp code=%{icmpcode->} session_id=%{sessionid->} reason=%{result}"); - - var part1259 = match("MESSAGE#755:00257:09/1_1", "nwparser.p0", "%{icmptype->} session_id=%{sessionid}"); - - var part1260 = match_copy("MESSAGE#755:00257:09/1_2", "nwparser.p0", "icmptype"); - - var select288 = linear_select([ - part1258, - part1259, - part1260, - ]); - - var all260 = all_match({ - processors: [ - part1257, - select288, - ], - on_success: processor_chain([ - 
dup281, - dup2, - dup4, - dup5, - dup3, - dup274, - dup275, - dup60, - dup282, - ]), - }); - - var msg765 = msg("00257:09", all260); - - var part1261 = match("MESSAGE#756:00257:10/0", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=Deny sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{p0}"); - - var part1262 = match("MESSAGE#756:00257:10/1_0", "nwparser.p0", "%{daddr->} session_id=%{sessionid}"); - - var select289 = linear_select([ - part1262, - dup286, - ]); - - var all261 = all_match({ - processors: [ - part1261, - select289, - ], - on_success: processor_chain([ - dup185, - dup2, - dup4, - dup5, - dup3, - dup274, - dup275, - dup60, - dup276, - dup277, - ]), - }); - - var msg766 = msg("00257:10", all261); - - var part1263 = match("MESSAGE#757:00257:11/0", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{p0}"); - - var part1264 = match("MESSAGE#757:00257:11/1_0", "nwparser.p0", "%{daddr->} session_id=%{sessionid->} reason=%{result}"); - - var select290 = linear_select([ - part1264, - dup286, - ]); - - var all262 = all_match({ - processors: [ - part1263, - select290, - ], - on_success: processor_chain([ - dup281, - dup2, - dup4, - dup5, - dup3, - dup274, - dup275, - dup60, - dup282, - ]), - }); - - var msg767 = msg("00257:11", all262); - - var part1265 = match("MESSAGE#758:00257:12", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} type=%{fld3}", processor_chain([ - dup281, - dup2, - dup4, - dup5, - dup3, - dup274, - 
dup275, - dup60, - dup282, - ])); - - var msg768 = msg("00257:12", part1265); - - var part1266 = match("MESSAGE#759:00257:13", "nwparser.payload", "start_time=\"%{fld2}", processor_chain([ - dup281, - dup2, - dup3, - dup274, - dup4, - dup5, - ])); - - var msg769 = msg("00257:13", part1266); - - var select291 = linear_select([ - msg750, - msg751, - msg752, - msg753, - msg754, - msg755, - msg756, - msg757, - msg758, - msg759, - msg760, - msg761, - msg762, - msg763, - msg764, - msg765, - msg766, - msg767, - msg768, - msg769, - ]); - - var part1267 = match("MESSAGE#760:00259/1", "nwparser.p0", "user %{username->} has logged on via %{p0}"); - - var part1268 = match("MESSAGE#760:00259/2_0", "nwparser.p0", "the console %{p0}"); - - var select292 = linear_select([ - part1268, - dup289, - dup241, - ]); - - var part1269 = match("MESSAGE#760:00259/3", "nwparser.p0", "from %{saddr}:%{sport}"); - - var all263 = all_match({ - processors: [ - dup394, - part1267, - select292, - part1269, - ], - on_success: processor_chain([ - dup28, - dup29, - dup30, - dup31, - dup32, - dup2, - dup4, - dup5, - dup3, - ]), - }); - - var msg770 = msg("00259", all263); - - var part1270 = match("MESSAGE#761:00259:07/1", "nwparser.p0", "user %{administrator->} has logged out via %{logon_type->} from %{saddr}:%{sport}"); - - var all264 = all_match({ - processors: [ - dup394, - part1270, - ], - on_success: processor_chain([ - dup33, - dup29, - dup34, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg771 = msg("00259:07", all264); - - var part1271 = match("MESSAGE#762:00259:01", "nwparser.payload", "Management session via %{logon_type->} from %{saddr}:%{sport->} for [vsys] admin %{administrator->} has timed out", processor_chain([ - dup290, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg772 = msg("00259:01", part1271); - - var part1272 = match("MESSAGE#763:00259:02", "nwparser.payload", "Management session via %{logon_type->} for [ vsys ] admin %{administrator->} has timed out", processor_chain([ 
- dup290,
- dup2,
- dup3,
- dup4,
- dup5,
- ]));
-
- var msg773 = msg("00259:02", part1272);
-
- var part1273 = match("MESSAGE#764:00259:03", "nwparser.payload", "Login attempt to system by admin %{administrator->} via the %{logon_type->} has failed", processor_chain([
- dup206,
- dup29,
- dup30,
- dup31,
- dup54,
- dup2,
- dup3,
- dup4,
- dup5,
- ]));
-
- var msg774 = msg("00259:03", part1273);
-
- var part1274 = match("MESSAGE#765:00259:04", "nwparser.payload", "Login attempt to system by admin %{administrator->} via %{logon_type->} from %{saddr}:%{sport->} has failed", processor_chain([
- dup206,
- dup29,
- dup30,
- dup31,
- dup54,
- dup2,
- dup3,
- dup4,
- dup5,
- ]));
-
- var msg775 = msg("00259:04", part1274);
-
- var part1275 = match("MESSAGE#766:00259:05/0", "nwparser.payload", "Admin user %{administrator->} has been forced to log out of the %{p0}");
-
- var part1276 = match("MESSAGE#766:00259:05/1_2", "nwparser.p0", "Web %{p0}");
-
- var select293 = linear_select([
- dup241,
- dup289,
- part1276,
- ]);
-
- var part1277 = match("MESSAGE#766:00259:05/2", "nwparser.p0", "session on host %{daddr}:%{dport}");
-
- var all265 = all_match({
- processors: [
- part1275,
- select293,
- part1277,
- ],
- on_success: processor_chain([
- dup290,
- dup2,
- dup3,
- dup4,
- dup5,
- ]),
- });
-
- var msg776 = msg("00259:05", all265);
-
- var part1278 = match("MESSAGE#767:00259:06", "nwparser.payload", "Admin user %{administrator->} has been forced to log out of the serial console session.", processor_chain([
- dup290,
- dup2,
- dup3,
- dup4,
- dup5,
- ]));
-
- var msg777 = msg("00259:06", part1278);
-
- var select294 = linear_select([
- msg770,
- msg771,
- msg772,
- msg773,
- msg774,
- msg775,
- msg776,
- msg777,
- ]);
-
- var part1279 = match("MESSAGE#768:00262", "nwparser.payload", "Admin user %{administrator->} has been rejected via the %{logon_type->} server at %{hostip}", processor_chain([
- dup290,
- dup2,
- dup3,
- dup4,
- dup5,
- ]));
-
- var msg778 = msg("00262", 
part1279);
-
- var part1280 = match("MESSAGE#769:00263", "nwparser.payload", "Admin user %{administrator->} has been accepted via the %{logon_type->} server at %{hostip}", processor_chain([
- setc("eventcategory","1401050100"),
- dup2,
- dup3,
- dup4,
- dup5,
- ]));
-
- var msg779 = msg("00263", part1280);
-
- var part1281 = match("MESSAGE#770:00400/0_0", "nwparser.payload", "ActiveX control %{p0}");
-
- var part1282 = match("MESSAGE#770:00400/0_1", "nwparser.payload", "JAVA applet %{p0}");
-
- var part1283 = match("MESSAGE#770:00400/0_2", "nwparser.payload", "EXE file %{p0}");
-
- var part1284 = match("MESSAGE#770:00400/0_3", "nwparser.payload", "ZIP file %{p0}");
-
- var select295 = linear_select([
- part1281,
- part1282,
- part1283,
- part1284,
- ]);
-
- var part1285 = match("MESSAGE#770:00400/1", "nwparser.p0", "has been detected! From %{saddr}:%{sport->} to %{daddr}:%{dport->} using protocol %{protocol->} and arriving at interface %{dinterface->} in zone %{dst_zone}. %{info}");
-
- var all266 = all_match({
- processors: [
- select295,
- part1285,
- ],
- on_success: processor_chain([
- setc("eventcategory","1003000000"),
- dup2,
- dup4,
- dup5,
- dup3,
- dup61,
- ]),
- });
-
- var msg780 = msg("00400", all266);
-
- var part1286 = match("MESSAGE#771:00401", "nwparser.payload", "%{signame}! From %{saddr->} to %{daddr}, proto %{protocol->} (zone %{zone}, int %{interface}). %{info}", processor_chain([
- dup85,
- dup2,
- dup4,
- dup5,
- dup3,
- dup291,
- ]));
-
- var msg781 = msg("00401", part1286);
-
- var part1287 = match("MESSAGE#772:00402", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to %{daddr}:%{dport}, proto %{protocol->} (zone %{zone}, int %{interface}). 
%{info}", processor_chain([
- dup85,
- dup2,
- dup4,
- dup5,
- dup3,
- dup292,
- ]));
-
- var msg782 = msg("00402", part1287);
-
- var part1288 = match("MESSAGE#773:00402:01/0", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to %{daddr}:%{dport}, using protocol %{protocol}, and arriving at %{p0}");
-
- var part1289 = match("MESSAGE#773:00402:01/2", "nwparser.p0", "%{} %{interface->} in zone %{zone}. %{info}");
-
- var all267 = all_match({
- processors: [
- part1288,
- dup337,
- part1289,
- ],
- on_success: processor_chain([
- dup85,
- dup2,
- dup4,
- dup5,
- dup3,
- dup292,
- ]),
- });
-
- var msg783 = msg("00402:01", all267);
-
- var select296 = linear_select([
- msg782,
- msg783,
- ]);
-
- var part1290 = match("MESSAGE#774:00403", "nwparser.payload", "%{signame}! From %{saddr}:%{sport->} to %{daddr}:%{dport}, proto %{protocol->} (zone %{zone}, int %{interface}). %{info}", processor_chain([
- dup85,
- dup2,
- dup4,
- dup5,
- dup3,
- dup291,
- ]));
-
- var msg784 = msg("00403", part1290);
-
- var part1291 = match("MESSAGE#775:00404", "nwparser.payload", "%{signame}! From %{saddr}:%{sport->} to %{daddr}:%{dport}, proto %{protocol->} (zone %{zone}, int %{interface}). %{info}", processor_chain([
- dup147,
- dup148,
- dup149,
- dup150,
- dup2,
- dup4,
- dup5,
- dup3,
- dup292,
- ]));
-
- var msg785 = msg("00404", part1291);
-
- var part1292 = match("MESSAGE#776:00405", "nwparser.payload", "%{signame}! From %{saddr->} to %{daddr}, proto %{protocol->} (zone %{zone}, int %{interface}). 
%{info}", processor_chain([
- dup147,
- dup2,
- dup4,
- dup5,
- dup3,
- dup291,
- ]));
-
- var msg786 = msg("00405", part1292);
-
- var msg787 = msg("00406", dup413);
-
- var msg788 = msg("00407", dup413);
-
- var msg789 = msg("00408", dup413);
-
- var all268 = all_match({
- processors: [
- dup132,
- dup343,
- dup293,
- ],
- on_success: processor_chain([
- dup58,
- dup2,
- dup59,
- dup3,
- dup4,
- dup5,
- dup60,
- ]),
- });
-
- var msg790 = msg("00409", all268);
-
- var msg791 = msg("00410", dup413);
-
- var part1293 = match("MESSAGE#782:00410:01", "nwparser.payload", "%{signame->} From %{saddr->} to %{daddr}, using protocol %{protocol}, and arriving at interface %{dinterface->} in zone %{dst_zone}.%{space}The attack occurred %{dclass_counter1->} times.", processor_chain([
- dup58,
- dup2,
- dup3,
- dup59,
- dup4,
- dup5,
- dup60,
- ]));
-
- var msg792 = msg("00410:01", part1293);
-
- var select297 = linear_select([
- msg791,
- msg792,
- ]);
-
- var part1294 = match("MESSAGE#783:00411/0", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to %{daddr}:%{dport}, proto TCP (zone %{zone->} %{p0}");
-
- var all269 = all_match({
- processors: [
- part1294,
- dup343,
- dup293,
- ],
- on_success: processor_chain([
- dup58,
- dup2,
- dup59,
- dup3,
- dup4,
- dup5,
- dup61,
- ]),
- });
-
- var msg793 = msg("00411", all269);
-
- var part1295 = match("MESSAGE#784:00413/0", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to %{daddr}:%{dport->} using protocol %{protocol->} and arriving at %{p0}");
-
- var part1296 = match("MESSAGE#784:00413/2", "nwparser.p0", "%{} %{interface}.%{space}The attack occurred %{dclass_counter1->} times");
-
- var all270 = all_match({
- processors: [
- part1295,
- dup337,
- part1296,
- ],
- on_success: processor_chain([
- dup58,
- dup2,
- dup59,
- dup3,
- dup4,
- dup5,
- dup61,
- ]),
- });
-
- var msg794 = msg("00413", all270);
-
- var part1297 = match("MESSAGE#785:00413:01/0", "nwparser.payload", "%{signame->} From 
%{saddr}:%{sport->} to %{daddr}:%{dport}, proto %{protocol}(zone %{group->} %{p0}");
-
- var all271 = all_match({
- processors: [
- part1297,
- dup343,
- dup83,
- ],
- on_success: processor_chain([
- dup58,
- dup2,
- dup59,
- dup3,
- dup4,
- dup5,
- dup9,
- dup61,
- ]),
- });
-
- var msg795 = msg("00413:01", all271);
-
- var part1298 = match("MESSAGE#786:00413:02", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to %{daddr}:%{dport}, using protocol %{protocol}, on zone %{zone->} interface %{interface}.The attack occurred %{dclass_counter1->} times. (%{fld1})", processor_chain([
- dup58,
- dup2,
- dup3,
- dup4,
- dup59,
- dup5,
- dup9,
- ]));
-
- var msg796 = msg("00413:02", part1298);
-
- var select298 = linear_select([
- msg794,
- msg795,
- msg796,
- ]);
-
- var part1299 = match("MESSAGE#787:00414", "nwparser.payload", "%{signame->} From %{saddr->} to %{daddr}, proto %{protocol->} (zone %{zone}, int %{interface}). Occurred %{dclass_counter1->} times. (%{fld1})", processor_chain([
- dup58,
- dup2,
- dup59,
- dup3,
- dup4,
- dup5,
- dup9,
- ]));
-
- var msg797 = msg("00414", part1299);
-
- var part1300 = match("MESSAGE#788:00414:01", "nwparser.payload", "%{signame->} From %{saddr->} to %{daddr}, using protocol %{protocol}, on zone %{zone->} interface %{interface}.The attack occurred %{dclass_counter1->} times. 
(%{fld1})", processor_chain([
- dup58,
- dup2,
- dup3,
- dup59,
- dup4,
- dup5,
- dup9,
- ]));
-
- var msg798 = msg("00414:01", part1300);
-
- var select299 = linear_select([
- msg797,
- msg798,
- ]);
-
- var part1301 = match("MESSAGE#789:00415", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to %{daddr}:%{dport->} using protocol %{protocol->} and arriving at interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([
- dup58,
- dup2,
- dup59,
- dup3,
- dup4,
- dup5,
- dup61,
- ]));
-
- var msg799 = msg("00415", part1301);
-
- var all272 = all_match({
- processors: [
- dup132,
- dup343,
- dup294,
- ],
- on_success: processor_chain([
- dup58,
- dup2,
- dup59,
- dup3,
- dup4,
- dup5,
- dup60,
- ]),
- });
-
- var msg800 = msg("00423", all272);
-
- var all273 = all_match({
- processors: [
- dup80,
- dup343,
- dup83,
- ],
- on_success: processor_chain([
- dup58,
- dup2,
- dup3,
- dup9,
- dup59,
- dup4,
- dup5,
- dup60,
- ]),
- });
-
- var msg801 = msg("00429", all273);
-
- var all274 = all_match({
- processors: [
- dup132,
- dup343,
- dup83,
- ],
- on_success: processor_chain([
- dup58,
- dup2,
- dup3,
- dup9,
- dup59,
- dup4,
- dup5,
- dup60,
- ]),
- });
-
- var msg802 = msg("00429:01", all274);
-
- var select300 = linear_select([
- msg801,
- msg802,
- ]);
-
- var all275 = all_match({
- processors: [
- dup80,
- dup343,
- dup295,
- dup351,
- ],
- on_success: processor_chain([
- dup85,
- dup2,
- dup59,
- dup3,
- dup9,
- dup4,
- dup5,
- dup61,
- ]),
- });
-
- var msg803 = msg("00430", all275);
-
- var all276 = all_match({
- processors: [
- dup132,
- dup343,
- dup295,
- dup351,
- ],
- on_success: processor_chain([
- dup85,
- dup2,
- dup59,
- dup3,
- dup9,
- dup4,
- dup5,
- dup60,
- ]),
- });
-
- var msg804 = msg("00430:01", all276);
-
- var select301 = linear_select([
- msg803,
- msg804,
- ]);
-
- var msg805 = msg("00431", dup414);
-
- var msg806 = msg("00432", dup414);
-
- var msg807 = msg("00433", dup415);
-
- var msg808 
= msg("00434", dup415);
-
- var msg809 = msg("00435", dup395);
-
- var all277 = all_match({
- processors: [
- dup132,
- dup343,
- dup294,
- ],
- on_success: processor_chain([
- dup58,
- dup2,
- dup4,
- dup59,
- dup5,
- dup3,
- dup60,
- ]),
- });
-
- var msg810 = msg("00435:01", all277);
-
- var select302 = linear_select([
- msg809,
- msg810,
- ]);
-
- var msg811 = msg("00436", dup395);
-
- var all278 = all_match({
- processors: [
- dup64,
- dup338,
- dup67,
- ],
- on_success: processor_chain([
- dup58,
- dup2,
- dup59,
- dup9,
- dup4,
- dup5,
- dup3,
- dup60,
- ]),
- });
-
- var msg812 = msg("00436:01", all278);
-
- var select303 = linear_select([
- msg811,
- msg812,
- ]);
-
- var part1302 = match("MESSAGE#803:00437", "nwparser.payload", "%{signame->} has been detected! From %{saddr}:%{sport->} to %{daddr}:%{dport}, using protocol %{protocol}, and arriving at interface %{dinterface->} in zone %{dst_zone}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([
- dup58,
- dup2,
- dup59,
- dup3,
- dup4,
- dup5,
- dup61,
- ]));
-
- var msg813 = msg("00437", part1302);
-
- var all279 = all_match({
- processors: [
- dup299,
- dup338,
- dup67,
- ],
- on_success: processor_chain([
- dup58,
- dup2,
- dup59,
- dup3,
- dup4,
- dup5,
- dup61,
- dup9,
- ]),
- });
-
- var msg814 = msg("00437:01", all279);
-
- var part1303 = match("MESSAGE#805:00437:02", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to %{daddr}:%{dport}, using protocol %{protocol}, on zone %{zone->} interface %{interface}.The attack occurred %{dclass_counter1->} times. (%{fld1})", processor_chain([
- dup58,
- dup2,
- dup59,
- dup3,
- dup4,
- dup5,
- dup61,
- dup9,
- ]));
-
- var msg815 = msg("00437:02", part1303);
-
- var select304 = linear_select([
- msg813,
- msg814,
- msg815,
- ]);
-
- var part1304 = match("MESSAGE#806:00438", "nwparser.payload", "%{signame->} has been detected! 
From %{saddr}:%{sport->} to %{daddr}:%{dport->} using protocol %{protocol->} and arriving at interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([
- dup58,
- dup2,
- dup59,
- dup3,
- dup4,
- dup5,
- dup61,
- ]));
-
- var msg816 = msg("00438", part1304);
-
- var part1305 = match("MESSAGE#807:00438:01", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to %{daddr}:%{dport}, using protocol %{protocol}, on zone %{zone->} interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times.", processor_chain([
- dup58,
- dup2,
- dup59,
- dup3,
- dup4,
- dup5,
- dup61,
- ]));
-
- var msg817 = msg("00438:01", part1305);
-
- var all280 = all_match({
- processors: [
- dup299,
- dup338,
- dup67,
- ],
- on_success: processor_chain([
- dup58,
- dup2,
- dup59,
- dup3,
- dup4,
- dup5,
- dup9,
- dup61,
- ]),
- });
-
- var msg818 = msg("00438:02", all280);
-
- var select305 = linear_select([
- msg816,
- msg817,
- msg818,
- ]);
-
- var part1306 = match("MESSAGE#809:00440", "nwparser.payload", "%{signame->} has been detected! From %{saddr->} to %{daddr}, using protocol %{protocol}, and arriving at interface %{dinterface->} in zone %{dst_zone}.%{space}The attack occurred %{dclass_counter1->} times. (%{fld1})", processor_chain([
- dup58,
- dup2,
- dup59,
- dup3,
- dup4,
- dup5,
- dup9,
- dup60,
- ]));
-
- var msg819 = msg("00440", part1306);
-
- var part1307 = match("MESSAGE#810:00440:02", "nwparser.payload", "%{signame->} has been detected! 
From %{saddr}:%{sport->} to %{daddr}:%{dport}, using protocol %{protocol}, and arriving at interface %{dinterface->} in zone %{dst_zone}.%{space}The attack occurred %{dclass_counter1->} times.", processor_chain([
- dup58,
- dup2,
- dup59,
- dup4,
- dup5,
- dup3,
- dup61,
- ]));
-
- var msg820 = msg("00440:02", part1307);
-
- var all281 = all_match({
- processors: [
- dup239,
- dup343,
- dup83,
- ],
- on_success: processor_chain([
- dup58,
- dup2,
- dup59,
- dup4,
- dup5,
- dup3,
- dup9,
- dup61,
- ]),
- });
-
- var msg821 = msg("00440:01", all281);
-
- var part1308 = match("MESSAGE#812:00440:03/0", "nwparser.payload", "Fragmented traffic! From %{saddr->} to %{daddr}, proto %{protocol->} (zone %{group->} %{p0}");
-
- var all282 = all_match({
- processors: [
- part1308,
- dup343,
- dup83,
- ],
- on_success: processor_chain([
- dup58,
- dup2,
- dup59,
- dup4,
- dup5,
- dup3,
- dup9,
- dup60,
- ]),
- });
-
- var msg822 = msg("00440:03", all282);
-
- var select306 = linear_select([
- msg819,
- msg820,
- msg821,
- msg822,
- ]);
-
- var part1309 = match("MESSAGE#813:00441", "nwparser.payload", "%{signame->} id=%{fld2}! From %{saddr->} to %{daddr}, proto %{protocol->} (zone %{zone}). Occurred %{dclass_counter1->} times. 
(%{fld1})", processor_chain([
- dup58,
- dup4,
- dup59,
- dup5,
- dup9,
- dup2,
- dup3,
- dup60,
- ]));
-
- var msg823 = msg("00441", part1309);
-
- var msg824 = msg("00442", dup396);
-
- var msg825 = msg("00443", dup396);
-
- var part1310 = match("MESSAGE#816:00511", "nwparser.payload", "admin %{administrator->} issued command %{fld2->} to redirect output.", processor_chain([
- dup1,
- dup2,
- dup3,
- dup4,
- dup5,
- ]));
-
- var msg826 = msg("00511", part1310);
-
- var part1311 = match("MESSAGE#817:00511:01/0", "nwparser.payload", "All System Config saved by admin %{p0}");
-
- var all283 = all_match({
- processors: [
- part1311,
- dup397,
- ],
- on_success: processor_chain([
- dup1,
- dup2,
- dup3,
- dup9,
- dup4,
- dup5,
- ]),
- });
-
- var msg827 = msg("00511:01", all283);
-
- var part1312 = match("MESSAGE#818:00511:02", "nwparser.payload", "All logged events or alarms are cleared by admin %{administrator}.", processor_chain([
- dup1,
- dup2,
- dup3,
- dup4,
- dup5,
- ]));
-
- var msg828 = msg("00511:02", part1312);
-
- var part1313 = match("MESSAGE#819:00511:03/0", "nwparser.payload", "Get new software from flash to slot (file: %{fld2}) by admin %{p0}");
-
- var all284 = all_match({
- processors: [
- part1313,
- dup397,
- ],
- on_success: processor_chain([
- dup1,
- dup2,
- dup3,
- dup9,
- dup4,
- dup5,
- ]),
- });
-
- var msg829 = msg("00511:03", all284);
-
- var part1314 = match("MESSAGE#820:00511:04/0", "nwparser.payload", "Get new software from %{hostip->} (file: %{fld2}) to slot (file: %{fld3}) by admin %{p0}");
-
- var all285 = all_match({
- processors: [
- part1314,
- dup397,
- ],
- on_success: processor_chain([
- dup1,
- dup2,
- dup3,
- dup9,
- dup4,
- dup5,
- ]),
- });
-
- var msg830 = msg("00511:04", all285);
-
- var part1315 = match("MESSAGE#821:00511:05/0", "nwparser.payload", "Get new software to %{hostip->} (file: %{fld2}) by admin %{p0}");
-
- var all286 = all_match({
- processors: [
- part1315,
- dup397,
- ],
- on_success: processor_chain([
- 
dup1,
- dup2,
- dup3,
- dup9,
- dup4,
- dup5,
- ]),
- });
-
- var msg831 = msg("00511:05", all286);
-
- var part1316 = match("MESSAGE#822:00511:06/0", "nwparser.payload", "Log setting is modified by admin %{p0}");
-
- var all287 = all_match({
- processors: [
- part1316,
- dup397,
- ],
- on_success: processor_chain([
- dup1,
- dup2,
- dup3,
- dup9,
- dup4,
- dup5,
- ]),
- });
-
- var msg832 = msg("00511:06", all287);
-
- var part1317 = match("MESSAGE#823:00511:07/0", "nwparser.payload", "Save configuration to %{hostip->} (file: %{fld2}) by admin %{p0}");
-
- var all288 = all_match({
- processors: [
- part1317,
- dup397,
- ],
- on_success: processor_chain([
- dup1,
- dup2,
- dup3,
- dup9,
- dup4,
- dup5,
- ]),
- });
-
- var msg833 = msg("00511:07", all288);
-
- var part1318 = match("MESSAGE#824:00511:08/0", "nwparser.payload", "Save new software from slot (file: %{fld2}) to flash by admin %{p0}");
-
- var all289 = all_match({
- processors: [
- part1318,
- dup397,
- ],
- on_success: processor_chain([
- dup1,
- dup2,
- dup3,
- dup9,
- dup4,
- dup5,
- ]),
- });
-
- var msg834 = msg("00511:08", all289);
-
- var part1319 = match("MESSAGE#825:00511:09/0", "nwparser.payload", "Save new software from %{hostip->} (file: %{result}) to flash by admin %{p0}");
-
- var all290 = all_match({
- processors: [
- part1319,
- dup397,
- ],
- on_success: processor_chain([
- dup1,
- dup2,
- dup3,
- dup9,
- dup4,
- dup5,
- ]),
- });
-
- var msg835 = msg("00511:09", all290);
-
- var part1320 = match("MESSAGE#826:00511:10/0", "nwparser.payload", "System Config from flash to slot - %{fld2->} by admin %{p0}");
-
- var all291 = all_match({
- processors: [
- part1320,
- dup397,
- ],
- on_success: processor_chain([
- dup1,
- dup2,
- dup3,
- dup9,
- dup4,
- dup5,
- ]),
- });
-
- var msg836 = msg("00511:10", all291);
-
- var part1321 = match("MESSAGE#827:00511:11/0", "nwparser.payload", "System Config load from %{hostip->} (file %{fld2}) to slot - %{fld3->} by admin %{p0}");
-
- var all292 = 
all_match({
- processors: [
- part1321,
- dup397,
- ],
- on_success: processor_chain([
- dup1,
- dup2,
- dup3,
- dup9,
- dup4,
- dup5,
- ]),
- });
-
- var msg837 = msg("00511:11", all292);
-
- var part1322 = match("MESSAGE#828:00511:12/0", "nwparser.payload", "System Config load from %{hostip->} (file %{fld2}) by admin %{p0}");
-
- var all293 = all_match({
- processors: [
- part1322,
- dup397,
- ],
- on_success: processor_chain([
- dup1,
- dup2,
- dup3,
- dup9,
- dup4,
- dup5,
- ]),
- });
-
- var msg838 = msg("00511:12", all293);
-
- var part1323 = match("MESSAGE#829:00511:13/0", "nwparser.payload", "The system configuration was loaded from the slot by admin %{p0}");
-
- var all294 = all_match({
- processors: [
- part1323,
- dup397,
- ],
- on_success: processor_chain([
- dup1,
- dup2,
- dup3,
- dup9,
- dup4,
- dup5,
- ]),
- });
-
- var msg839 = msg("00511:13", all294);
-
- var part1324 = match("MESSAGE#830:00511:14", "nwparser.payload", "FIPS: Attempt to set RADIUS shared secret with invalid length %{fld2}", processor_chain([
- dup1,
- dup2,
- dup3,
- dup4,
- dup5,
- ]));
-
- var msg840 = msg("00511:14", part1324);
-
- var select307 = linear_select([
- msg826,
- msg827,
- msg828,
- msg829,
- msg830,
- msg831,
- msg832,
- msg833,
- msg834,
- msg835,
- msg836,
- msg837,
- msg838,
- msg839,
- msg840,
- ]);
-
- var part1325 = match("MESSAGE#831:00513/0", "nwparser.payload", "The physical state of %{p0}");
-
- var part1326 = match("MESSAGE#831:00513/1_1", "nwparser.p0", "the Interface %{p0}");
-
- var select308 = linear_select([
- dup123,
- part1326,
- dup122,
- ]);
-
- var part1327 = match("MESSAGE#831:00513/2", "nwparser.p0", "%{interface->} has changed to %{p0}");
-
- var part1328 = match("MESSAGE#831:00513/3_0", "nwparser.p0", "%{result}. 
(%{fld1})");
-
- var part1329 = match_copy("MESSAGE#831:00513/3_1", "nwparser.p0", "result");
-
- var select309 = linear_select([
- part1328,
- part1329,
- ]);
-
- var all295 = all_match({
- processors: [
- part1325,
- select308,
- part1327,
- select309,
- ],
- on_success: processor_chain([
- dup44,
- dup2,
- dup3,
- dup4,
- dup5,
- dup9,
- ]),
- });
-
- var msg841 = msg("00513", all295);
-
- var part1330 = match("MESSAGE#832:00515/0_0", "nwparser.payload", "Vsys Admin %{p0}");
-
- var select310 = linear_select([
- part1330,
- dup287,
- ]);
-
- var part1331 = match("MESSAGE#832:00515/1", "nwparser.p0", "%{administrator->} has logged on via the %{logon_type->} ( HTTP%{p0}");
-
- var part1332 = match("MESSAGE#832:00515/2_1", "nwparser.p0", "S%{p0}");
-
- var select311 = linear_select([
- dup96,
- part1332,
- ]);
-
- var part1333 = match("MESSAGE#832:00515/3", "nwparser.p0", "%{}) to port %{interface->} from %{saddr}:%{sport}");
-
- var all296 = all_match({
- processors: [
- select310,
- part1331,
- select311,
- part1333,
- ],
- on_success: processor_chain([
- dup301,
- dup2,
- dup3,
- dup4,
- dup5,
- ]),
- });
-
- var msg842 = msg("00515", all296);
-
- var part1334 = match("MESSAGE#833:00515:01/0", "nwparser.payload", "Login attempt to system by admin %{administrator->} via %{p0}");
-
- var part1335 = match("MESSAGE#833:00515:01/1_0", "nwparser.p0", "the %{logon_type->} has failed %{p0}");
-
- var part1336 = match("MESSAGE#833:00515:01/1_1", "nwparser.p0", "%{logon_type->} from %{saddr}:%{sport->} has failed %{p0}");
-
- var select312 = linear_select([
- part1335,
- part1336,
- ]);
-
- var part1337 = match_copy("MESSAGE#833:00515:01/2", "nwparser.p0", "fld2");
-
- var all297 = all_match({
- processors: [
- part1334,
- select312,
- part1337,
- ],
- on_success: processor_chain([
- dup206,
- dup29,
- dup30,
- dup31,
- dup54,
- dup2,
- dup4,
- dup5,
- dup302,
- dup3,
- ]),
- });
-
- var msg843 = msg("00515:01", all297);
-
- var part1338 = match("MESSAGE#834:00515:02/0", 
"nwparser.payload", "Management session via %{p0}");
-
- var part1339 = match("MESSAGE#834:00515:02/1_0", "nwparser.p0", "the %{logon_type->} for %{p0}");
-
- var part1340 = match("MESSAGE#834:00515:02/1_1", "nwparser.p0", "%{logon_type->} from %{saddr}:%{sport->} for %{p0}");
-
- var select313 = linear_select([
- part1339,
- part1340,
- ]);
-
- var part1341 = match("MESSAGE#834:00515:02/2_0", "nwparser.p0", "[vsys] admin %{p0}");
-
- var part1342 = match("MESSAGE#834:00515:02/2_1", "nwparser.p0", "vsys admin %{p0}");
-
- var select314 = linear_select([
- part1341,
- part1342,
- dup15,
- ]);
-
- var part1343 = match("MESSAGE#834:00515:02/3", "nwparser.p0", "%{administrator->} has timed out");
-
- var all298 = all_match({
- processors: [
- part1338,
- select313,
- select314,
- part1343,
- ],
- on_success: processor_chain([
- dup27,
- dup2,
- dup3,
- dup4,
- dup5,
- ]),
- });
-
- var msg844 = msg("00515:02", all298);
-
- var part1344 = match("MESSAGE#835:00515:04/0_0", "nwparser.payload", "[Vsys] %{p0}");
-
- var part1345 = match("MESSAGE#835:00515:04/0_1", "nwparser.payload", "Vsys %{p0}");
-
- var select315 = linear_select([
- part1344,
- part1345,
- ]);
-
- var part1346 = match("MESSAGE#835:00515:04/1", "nwparser.p0", "Admin %{administrator->} has logged o%{p0}");
-
- var part1347 = match_copy("MESSAGE#835:00515:04/4_1", "nwparser.p0", "logon_type");
-
- var select316 = linear_select([
- dup304,
- part1347,
- ]);
-
- var all299 = all_match({
- processors: [
- select315,
- part1346,
- dup398,
- dup40,
- select316,
- ],
- on_success: processor_chain([
- dup240,
- dup2,
- dup3,
- dup4,
- dup5,
- ]),
- });
-
- var msg845 = msg("00515:04", all299);
-
- var part1348 = match("MESSAGE#836:00515:06", "nwparser.payload", "Admin User %{administrator->} has logged on via %{logon_type->} from %{saddr}:%{sport}", processor_chain([
- dup240,
- dup2,
- dup3,
- dup4,
- dup5,
- ]));
-
- var msg846 = msg("00515:06", part1348);
-
- var part1349 = match("MESSAGE#837:00515:05/0", 
"nwparser.payload", "%{}Admin %{p0}");
-
- var select317 = linear_select([
- dup305,
- dup16,
- ]);
-
- var part1350 = match("MESSAGE#837:00515:05/2", "nwparser.p0", "%{administrator->} has logged o%{p0}");
-
- var part1351 = match("MESSAGE#837:00515:05/5_1", "nwparser.p0", "%{logon_type->} from %{saddr}:%{sport->} (%{fld2})");
-
- var select318 = linear_select([
- dup306,
- part1351,
- dup304,
- ]);
-
- var all300 = all_match({
- processors: [
- part1349,
- select317,
- part1350,
- dup398,
- dup40,
- select318,
- ],
- on_success: processor_chain([
- dup240,
- dup2,
- dup3,
- dup4,
- dup5,
- ]),
- });
-
- var msg847 = msg("00515:05", all300);
-
- var part1352 = match("MESSAGE#838:00515:07", "nwparser.payload", "Admin user %{administrator->} login attempt for %{logon_type}(http) management (port %{network_port}) from %{saddr}:%{sport->} %{disposition}", processor_chain([
- dup240,
- dup2,
- dup3,
- dup4,
- dup5,
- ]));
-
- var msg848 = msg("00515:07", part1352);
-
- var part1353 = match("MESSAGE#839:00515:08/0", "nwparser.payload", "%{fld2->} Admin User \"%{administrator}\" logged in for %{logon_type}(http%{p0}");
-
- var part1354 = match("MESSAGE#839:00515:08/1_0", "nwparser.p0", ") %{p0}");
-
- var part1355 = match("MESSAGE#839:00515:08/1_1", "nwparser.p0", "s) %{p0}");
-
- var select319 = linear_select([
- part1354,
- part1355,
- ]);
-
- var part1356 = match("MESSAGE#839:00515:08/2", "nwparser.p0", "management (port %{network_port}) from %{saddr}:%{sport}");
-
- var all301 = all_match({
- processors: [
- part1353,
- select319,
- part1356,
- ],
- on_success: processor_chain([
- dup240,
- dup2,
- dup3,
- dup4,
- dup5,
- ]),
- });
-
- var msg849 = msg("00515:08", all301);
-
- var part1357 = match("MESSAGE#840:00515:09", "nwparser.payload", "User %{username->} telnet management session from (%{saddr}:%{sport}) timed out", processor_chain([
- dup240,
- dup2,
- dup3,
- dup4,
- dup5,
- ]));
-
- var msg850 = msg("00515:09", part1357);
-
- var part1358 = 
match("MESSAGE#841:00515:10", "nwparser.payload", "User %{username->} logged out of telnet session from %{saddr}:%{sport}", processor_chain([
- dup240,
- dup2,
- dup3,
- dup4,
- dup5,
- ]));
-
- var msg851 = msg("00515:10", part1358);
-
- var part1359 = match("MESSAGE#842:00515:11", "nwparser.payload", "The session limit threshold has been set to %{trigger_val->} on zone %{zone}.", processor_chain([
- dup1,
- dup2,
- dup3,
- dup4,
- dup5,
- ]));
-
- var msg852 = msg("00515:11", part1359);
-
- var part1360 = match("MESSAGE#843:00515:12/0", "nwparser.payload", "[ Vsys ] Admin User \"%{administrator}\" logged in for Web( http%{p0}");
-
- var part1361 = match("MESSAGE#843:00515:12/2", "nwparser.p0", ") management (port %{network_port})");
-
- var all302 = all_match({
- processors: [
- part1360,
- dup399,
- part1361,
- ],
- on_success: processor_chain([
- dup240,
- dup2,
- dup3,
- dup4,
- dup5,
- ]),
- });
-
- var msg853 = msg("00515:12", all302);
-
- var select320 = linear_select([
- dup288,
- dup287,
- ]);
-
- var part1362 = match("MESSAGE#844:00515:13/1", "nwparser.p0", "user %{administrator->} has logged o%{p0}");
-
- var select321 = linear_select([
- dup306,
- dup304,
- ]);
-
- var all303 = all_match({
- processors: [
- select320,
- part1362,
- dup398,
- dup40,
- select321,
- ],
- on_success: processor_chain([
- dup240,
- dup2,
- dup3,
- dup4,
- dup5,
- ]),
- });
-
- var msg854 = msg("00515:13", all303);
-
- var part1363 = match("MESSAGE#845:00515:14/0_0", "nwparser.payload", "Admin user %{administrator->} has been forced to log o%{p0}");
-
- var part1364 = match("MESSAGE#845:00515:14/0_1", "nwparser.payload", "%{username->} %{fld1->} has been forced to log o%{p0}");
-
- var select322 = linear_select([
- part1363,
- part1364,
- ]);
-
- var part1365 = match("MESSAGE#845:00515:14/2", "nwparser.p0", "of the %{p0}");
-
- var part1366 = match("MESSAGE#845:00515:14/3_0", "nwparser.p0", "serial %{logon_type->} session.");
-
- var part1367 = 
match("MESSAGE#845:00515:14/3_1", "nwparser.p0", "%{logon_type->} session on host %{hostip}:%{network_port->} (%{event_time})");
-
- var part1368 = match("MESSAGE#845:00515:14/3_2", "nwparser.p0", "%{logon_type->} session on host %{hostip}:%{network_port}");
-
- var select323 = linear_select([
- part1366,
- part1367,
- part1368,
- ]);
-
- var all304 = all_match({
- processors: [
- select322,
- dup398,
- part1365,
- select323,
- ],
- on_success: processor_chain([
- dup240,
- dup2,
- dup3,
- dup4,
- dup5,
- ]),
- });
-
- var msg855 = msg("00515:14", all304);
-
- var part1369 = match("MESSAGE#846:00515:15/0", "nwparser.payload", "%{fld2}: Admin User %{administrator->} has logged o%{p0}");
-
- var part1370 = match("MESSAGE#846:00515:15/3_0", "nwparser.p0", "the %{logon_type->} (%{p0}");
-
- var part1371 = match("MESSAGE#846:00515:15/3_1", "nwparser.p0", "%{logon_type->} from %{saddr}:%{sport->} (%{p0}");
-
- var select324 = linear_select([
- part1370,
- part1371,
- ]);
-
- var all305 = all_match({
- processors: [
- part1369,
- dup398,
- dup40,
- select324,
- dup41,
- ],
- on_success: processor_chain([
- dup240,
- dup2,
- dup3,
- dup9,
- dup4,
- dup5,
- ]),
- });
-
- var msg856 = msg("00515:15", all305);
-
- var part1372 = match("MESSAGE#847:00515:16/0_0", "nwparser.payload", "%{fld2}: Admin %{p0}");
-
- var select325 = linear_select([
- part1372,
- dup287,
- ]);
-
- var part1373 = match("MESSAGE#847:00515:16/1", "nwparser.p0", "user %{administrator->} attempt access to %{url->} illegal from %{logon_type}( http%{p0}");
-
- var part1374 = match("MESSAGE#847:00515:16/3", "nwparser.p0", ") management (port %{network_port}) from %{saddr}:%{sport}. 
(%{fld1})");
-
- var all306 = all_match({
- processors: [
- select325,
- part1373,
- dup399,
- part1374,
- ],
- on_success: processor_chain([
- dup240,
- dup2,
- dup3,
- dup9,
- dup4,
- dup5,
- ]),
- });
-
- var msg857 = msg("00515:16", all306);
-
- var part1375 = match("MESSAGE#848:00515:17/0", "nwparser.payload", "Admin user \"%{administrator}\" logged out for %{logon_type}(%{p0}");
-
- var part1376 = match("MESSAGE#848:00515:17/1_0", "nwparser.p0", "https %{p0}");
-
- var part1377 = match("MESSAGE#848:00515:17/1_1", "nwparser.p0", " http %{p0}");
-
- var select326 = linear_select([
- part1376,
- part1377,
- ]);
-
- var part1378 = match("MESSAGE#848:00515:17/2", "nwparser.p0", ") management (port %{network_port}) from %{saddr}:%{sport}");
-
- var all307 = all_match({
- processors: [
- part1375,
- select326,
- part1378,
- ],
- on_success: processor_chain([
- dup240,
- dup2,
- dup3,
- dup4,
- dup5,
- ]),
- });
-
- var msg858 = msg("00515:17", all307);
-
- var part1379 = match("MESSAGE#849:00515:18", "nwparser.payload", "Admin user %{administrator->} login attempt for %{logon_type}(https) management (port %{network_port}) from %{saddr}:%{sport->} %{disposition}. (%{fld1})", processor_chain([
- dup240,
- dup2,
- dup3,
- dup9,
- dup4,
- dup5,
- ]));
-
- var msg859 = msg("00515:18", part1379);
-
- var part1380 = match("MESSAGE#850:00515:19/0", "nwparser.payload", "Vsys admin user %{administrator->} logged on via %{p0}");
-
- var part1381 = match("MESSAGE#850:00515:19/1_0", "nwparser.p0", "%{logon_type->} from remote IP address %{saddr->} using port %{sport}. (%{p0}");
-
- var part1382 = match("MESSAGE#850:00515:19/1_1", "nwparser.p0", "the console. 
(%{p0}"); - - var select327 = linear_select([ - part1381, - part1382, - ]); - - var all308 = all_match({ - processors: [ - part1380, - select327, - dup41, - ], - on_success: processor_chain([ - dup240, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg860 = msg("00515:19", all308); - - var part1383 = match("MESSAGE#851:00515:20", "nwparser.payload", "netscreen: Management session via SCS from %{saddr}:%{sport->} for admin netscreen has timed out (%{fld1})", processor_chain([ - dup240, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg861 = msg("00515:20", part1383); - - var select328 = linear_select([ - msg842, - msg843, - msg844, - msg845, - msg846, - msg847, - msg848, - msg849, - msg850, - msg851, - msg852, - msg853, - msg854, - msg855, - msg856, - msg857, - msg858, - msg859, - msg860, - msg861, - ]); - - var part1384 = match("MESSAGE#852:00518", "nwparser.payload", "Admin user %{administrator->} %{fld1}at %{saddr->} has been %{disposition->} via the %{logon_type->} server at %{hostip}", processor_chain([ - dup281, - dup2, - dup4, - dup5, - dup3, - ])); - - var msg862 = msg("00518", part1384); - - var part1385 = match("MESSAGE#853:00518:17", "nwparser.payload", "Admin user %{administrator->} has been %{disposition->} via the %{logon_type->} server at %{hostip}", processor_chain([ - dup281, - dup2, - dup4, - dup5, - dup3, - ])); - - var msg863 = msg("00518:17", part1385); - - var part1386 = match("MESSAGE#854:00518:01", "nwparser.payload", "Local authentication for WebAuth user %{username->} was %{disposition}", processor_chain([ - dup281, - dup2, - dup4, - dup5, - dup3, - ])); - - var msg864 = msg("00518:01", part1386); - - var part1387 = match("MESSAGE#855:00518:02", "nwparser.payload", "Local authentication for user %{username->} was %{disposition}", processor_chain([ - dup281, - dup2, - dup4, - dup5, - dup3, - ])); - - var msg865 = msg("00518:02", part1387); - - var part1388 = match("MESSAGE#856:00518:03", "nwparser.payload", "User 
%{username->} at %{saddr->} must enter \"Next Code\" for SecurID %{hostip}", processor_chain([ - dup203, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg866 = msg("00518:03", part1388); - - var part1389 = match("MESSAGE#857:00518:04", "nwparser.payload", "WebAuth user %{username->} at %{saddr->} has been %{disposition->} via the %{logon_type->} server at %{hostip}", processor_chain([ - dup203, - dup2, - dup4, - dup5, - dup3, - ])); - - var msg867 = msg("00518:04", part1389); - - var part1390 = match("MESSAGE#858:00518:05", "nwparser.payload", "User %{username->} at %{saddr->} has been challenged via the %{authmethod->} server at %{hostip->} (Rejected since challenge is not supported for %{logon_type})", processor_chain([ - dup203, - dup2, - dup4, - dup5, - dup3, - ])); - - var msg868 = msg("00518:05", part1390); - - var part1391 = match("MESSAGE#859:00518:06", "nwparser.payload", "Error in authentication for WebAuth user %{username}", processor_chain([ - dup35, - dup29, - dup31, - dup54, - dup2, - dup4, - dup5, - dup3, - ])); - - var msg869 = msg("00518:06", part1391); - - var part1392 = match("MESSAGE#860:00518:07/0", "nwparser.payload", "Authentication for user %{username->} was denied (long %{p0}"); - - var part1393 = match("MESSAGE#860:00518:07/1_1", "nwparser.p0", "username %{p0}"); - - var select329 = linear_select([ - dup24, - part1393, - ]); - - var part1394 = match("MESSAGE#860:00518:07/2", "nwparser.p0", ")%{}"); - - var all309 = all_match({ - processors: [ - part1392, - select329, - part1394, - ], - on_success: processor_chain([ - dup53, - dup29, - dup31, - dup54, - dup2, - dup4, - dup5, - dup3, - ]), - }); - - var msg870 = msg("00518:07", all309); - - var part1395 = match("MESSAGE#861:00518:08", "nwparser.payload", "User %{username->} at %{saddr->} %{authmethod->} authentication attempt has timed out", processor_chain([ - dup35, - dup29, - dup31, - dup39, - dup2, - dup4, - dup5, - dup3, - ])); - - var msg871 = msg("00518:08", part1395); - - var 
part1396 = match("MESSAGE#862:00518:09", "nwparser.payload", "User %{username->} at %{saddr->} has been %{disposition->} via the %{logon_type->} server at %{hostip}", processor_chain([ - dup203, - dup2, - dup4, - dup5, - dup3, - ])); - - var msg872 = msg("00518:09", part1396); - - var part1397 = match("MESSAGE#863:00518:10", "nwparser.payload", "Admin user \"%{administrator}\" login attempt for %{logon_type->} (%{network_service}) management (port %{network_port}) from %{saddr}:%{sport->} failed due to %{result}. (%{fld1})", processor_chain([ - dup206, - dup29, - dup30, - dup31, - dup54, - dup2, - dup4, - dup9, - dup5, - dup3, - dup302, - ])); - - var msg873 = msg("00518:10", part1397); - - var part1398 = match("MESSAGE#864:00518:11/0", "nwparser.payload", "ADM: Local admin authentication failed for login name %{p0}"); - - var part1399 = match("MESSAGE#864:00518:11/1_0", "nwparser.p0", "'%{username}': %{p0}"); - - var part1400 = match("MESSAGE#864:00518:11/1_1", "nwparser.p0", "%{username}: %{p0}"); - - var select330 = linear_select([ - part1399, - part1400, - ]); - - var part1401 = match("MESSAGE#864:00518:11/2", "nwparser.p0", "%{result->} (%{fld1})"); - - var all310 = all_match({ - processors: [ - part1398, - select330, - part1401, - ], - on_success: processor_chain([ - dup206, - dup29, - dup30, - dup31, - dup54, - dup2, - dup9, - dup4, - dup5, - dup3, - ]), - }); - - var msg874 = msg("00518:11", all310); - - var part1402 = match("MESSAGE#865:00518:12", "nwparser.payload", "Admin user \"%{administrator}\" login attempt for %{logon_type}(%{network_service}) management (port %{network_port}) from %{saddr}:%{sport->} %{disposition}. (%{fld1})", processor_chain([ - dup240, - dup2, - dup4, - dup9, - dup5, - dup3, - ])); - - var msg875 = msg("00518:12", part1402); - - var part1403 = match("MESSAGE#866:00518:13", "nwparser.payload", "User %{username->} at %{saddr->} is rejected by the Radius server at %{hostip}. 
(%{fld1})", processor_chain([ - dup290, - dup2, - dup3, - dup4, - dup9, - dup5, - ])); - - var msg876 = msg("00518:13", part1403); - - var part1404 = match("MESSAGE#867:00518:14", "nwparser.payload", "%{fld2}: Admin user has been rejected via the Radius server at %{hostip->} (%{fld1})", processor_chain([ - dup290, - dup2, - dup4, - dup5, - dup9, - ])); - - var msg877 = msg("00518:14", part1404); - - var select331 = linear_select([ - msg862, - msg863, - msg864, - msg865, - msg866, - msg867, - msg868, - msg869, - msg870, - msg871, - msg872, - msg873, - msg874, - msg875, - msg876, - msg877, - ]); - - var part1405 = match("MESSAGE#868:00519/0", "nwparser.payload", "Admin user %{administrator->} %{p0}"); - - var part1406 = match("MESSAGE#868:00519/1_1", "nwparser.p0", "of group %{group->} at %{saddr->} has %{p0}"); - - var part1407 = match("MESSAGE#868:00519/1_2", "nwparser.p0", "%{group->} at %{saddr->} has %{p0}"); - - var select332 = linear_select([ - dup194, - part1406, - part1407, - ]); - - var part1408 = match("MESSAGE#868:00519/2", "nwparser.p0", "been %{disposition->} via the %{logon_type->} server %{p0}"); - - var part1409 = match("MESSAGE#868:00519/3_0", "nwparser.p0", "at %{p0}"); - - var select333 = linear_select([ - part1409, - dup16, - ]); - - var part1410 = match("MESSAGE#868:00519/4", "nwparser.p0", "%{hostip}"); - - var all311 = all_match({ - processors: [ - part1405, - select332, - part1408, - select333, - part1410, - ], - on_success: processor_chain([ - dup203, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg878 = msg("00519", all311); - - var part1411 = match("MESSAGE#869:00519:01/0", "nwparser.payload", "Local authentication for %{p0}"); - - var select334 = linear_select([ - dup307, - dup305, - ]); - - var part1412 = match("MESSAGE#869:00519:01/2", "nwparser.p0", "%{username->} was %{disposition}"); - - var all312 = all_match({ - processors: [ - part1411, - select334, - part1412, - ], - on_success: processor_chain([ - dup203, - dup2, - dup3, 
- dup4, - dup5, - ]), - }); - - var msg879 = msg("00519:01", all312); - - var part1413 = match("MESSAGE#870:00519:02/1_1", "nwparser.p0", "User %{p0}"); - - var select335 = linear_select([ - dup307, - part1413, - ]); - - var part1414 = match("MESSAGE#870:00519:02/2", "nwparser.p0", "%{username->} at %{saddr->} has been %{disposition->} via the %{logon_type->} server at %{hostip}"); - - var all313 = all_match({ - processors: [ - dup160, - select335, - part1414, - ], - on_success: processor_chain([ - dup203, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg880 = msg("00519:02", all313); - - var part1415 = match("MESSAGE#871:00519:03", "nwparser.payload", "Admin user \"%{administrator}\" logged in for %{logon_type}(%{network_service}) management (port %{network_port}) from %{saddr}:%{sport->} %{fld4}", processor_chain([ - dup240, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg881 = msg("00519:03", part1415); - - var part1416 = match("MESSAGE#872:00519:04", "nwparser.payload", "ADM: Local admin authentication successful for login name %{username->} (%{fld1})", processor_chain([ - dup240, - dup2, - dup4, - dup5, - dup9, - ])); - - var msg882 = msg("00519:04", part1416); - - var part1417 = match("MESSAGE#873:00519:05", "nwparser.payload", "%{fld2}Admin user %{administrator->} has been accepted via the Radius server at %{hostip}(%{fld1})", processor_chain([ - dup240, - dup2, - dup4, - dup5, - dup9, - ])); - - var msg883 = msg("00519:05", part1417); - - var select336 = linear_select([ - msg878, - msg879, - msg880, - msg881, - msg882, - msg883, - ]); - - var part1418 = match("MESSAGE#874:00520", "nwparser.payload", "%{hostname->} user authentication attempt has timed out", processor_chain([ - dup35, - dup31, - dup39, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg884 = msg("00520", part1418); - - var part1419 = match("MESSAGE#875:00520:01/0", "nwparser.payload", "User %{username->} at %{hostip->} %{p0}"); - - var part1420 = match("MESSAGE#875:00520:01/1_0", 
"nwparser.p0", "RADIUS %{p0}"); - - var part1421 = match("MESSAGE#875:00520:01/1_1", "nwparser.p0", "SecurID %{p0}"); - - var part1422 = match("MESSAGE#875:00520:01/1_2", "nwparser.p0", "LDAP %{p0}"); - - var part1423 = match("MESSAGE#875:00520:01/1_3", "nwparser.p0", "Local %{p0}"); - - var select337 = linear_select([ - part1420, - part1421, - part1422, - part1423, - ]); - - var part1424 = match("MESSAGE#875:00520:01/2", "nwparser.p0", "authentication attempt has timed out%{}"); - - var all314 = all_match({ - processors: [ - part1419, - select337, - part1424, - ], - on_success: processor_chain([ - dup35, - dup31, - dup39, - dup2, - dup4, - dup5, - dup3, - ]), - }); - - var msg885 = msg("00520:01", all314); - - var part1425 = match("MESSAGE#876:00520:02/0", "nwparser.payload", "Trying %{p0}"); - - var part1426 = match("MESSAGE#876:00520:02/2", "nwparser.p0", "server %{fld2}"); - - var all315 = all_match({ - processors: [ - part1425, - dup400, - part1426, - ], - on_success: processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg886 = msg("00520:02", all315); - - var part1427 = match("MESSAGE#877:00520:03/1_0", "nwparser.p0", "Primary %{p0}"); - - var part1428 = match("MESSAGE#877:00520:03/1_1", "nwparser.p0", "Backup1 %{p0}"); - - var part1429 = match("MESSAGE#877:00520:03/1_2", "nwparser.p0", "Backup2 %{p0}"); - - var select338 = linear_select([ - part1427, - part1428, - part1429, - ]); - - var part1430 = match("MESSAGE#877:00520:03/2", "nwparser.p0", "%{fld2}, %{p0}"); - - var part1431 = match("MESSAGE#877:00520:03/4", "nwparser.p0", "%{fld3}, and %{p0}"); - - var part1432 = match("MESSAGE#877:00520:03/6", "nwparser.p0", "%{fld4->} servers failed"); - - var all316 = all_match({ - processors: [ - dup160, - select338, - part1430, - dup400, - part1431, - dup400, - part1432, - ], - on_success: processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg887 = msg("00520:03", all316); - - var part1433 = 
match("MESSAGE#878:00520:04", "nwparser.payload", "Trying %{fld2->} Server %{hostip->} (%{fld1})", processor_chain([ - dup44, - dup2, - dup4, - dup5, - dup9, - ])); - - var msg888 = msg("00520:04", part1433); - - var part1434 = match("MESSAGE#1221:00520:05", "nwparser.payload", "Active Server Switchover: New requests for %{fld31->} server will try %{fld32->} from now on. (%{fld1})", processor_chain([ - dup44, - dup2, - dup4, - dup5, - dup9, - ])); - - var msg889 = msg("00520:05", part1434); - - var select339 = linear_select([ - msg884, - msg885, - msg886, - msg887, - msg888, - msg889, - ]); - - var part1435 = match("MESSAGE#879:00521", "nwparser.payload", "Can't connect to E-mail server %{hostip}", processor_chain([ - dup27, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg890 = msg("00521", part1435); - - var part1436 = match("MESSAGE#880:00522", "nwparser.payload", "HA link state has %{fld2}", processor_chain([ - dup117, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg891 = msg("00522", part1436); - - var part1437 = match("MESSAGE#881:00523", "nwparser.payload", "URL filtering received an error from %{fld2->} (error %{resultcode}).", processor_chain([ - dup232, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg892 = msg("00523", part1437); - - var part1438 = match("MESSAGE#882:00524", "nwparser.payload", "NetScreen device at %{hostip}:%{network_port->} has responded successfully to SNMP request from %{saddr}:%{sport}", processor_chain([ - dup209, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg893 = msg("00524", part1438); - - var part1439 = match("MESSAGE#883:00524:02", "nwparser.payload", "SNMP request from an unknown SNMP community public at %{hostip}:%{network_port->} has been received. 
(%{fld1})", processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg894 = msg("00524:02", part1439); - - var part1440 = match("MESSAGE#884:00524:03", "nwparser.payload", "SNMP: NetScreen device has responded successfully to the SNMP request from %{saddr}:%{sport}. (%{fld1})", processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg895 = msg("00524:03", part1440); - - var part1441 = match("MESSAGE#885:00524:04", "nwparser.payload", "SNMP request from an unknown SNMP community admin at %{hostip}:%{network_port->} has been received. (%{fld1})", processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg896 = msg("00524:04", part1441); - - var part1442 = match("MESSAGE#886:00524:05", "nwparser.payload", "SNMP request from an unknown SNMP community %{fld2->} at %{hostip}:%{network_port->} has been received. (%{fld1})", processor_chain([ - dup18, - dup2, - dup4, - dup5, - dup9, - ])); - - var msg897 = msg("00524:05", part1442); - - var part1443 = match("MESSAGE#887:00524:06", "nwparser.payload", "SNMP request has been received from an unknown host in SNMP community %{fld2->} at %{hostip}:%{network_port}. (%{fld1})", processor_chain([ - dup18, - dup2, - dup4, - dup5, - dup9, - ])); - - var msg898 = msg("00524:06", part1443); - - var part1444 = match("MESSAGE#888:00524:12", "nwparser.payload", "SNMP request from an unknown SNMP community %{fld2->} at %{saddr}:%{sport->} to %{daddr}:%{dport->} has been received", processor_chain([ - dup18, - dup2, - dup4, - dup5, - ])); - - var msg899 = msg("00524:12", part1444); - - var part1445 = match("MESSAGE#889:00524:14", "nwparser.payload", "SNMP request from %{saddr}:%{sport->} has been received, but the SNMP version type is incorrect. 
(%{fld1})", processor_chain([ - dup19, - dup2, - dup4, - setc("result","the SNMP version type is incorrect"), - dup5, - dup9, - ])); - - var msg900 = msg("00524:14", part1445); - - var part1446 = match("MESSAGE#890:00524:13/0", "nwparser.payload", "SNMP request has been received%{p0}"); - - var part1447 = match("MESSAGE#890:00524:13/2", "nwparser.p0", "%{}but %{result}"); - - var all317 = all_match({ - processors: [ - part1446, - dup401, - part1447, - ], - on_success: processor_chain([ - dup18, - dup2, - dup4, - dup5, - ]), - }); - - var msg901 = msg("00524:13", all317); - - var part1448 = match("MESSAGE#891:00524:07", "nwparser.payload", "Response to SNMP request from %{saddr}:%{sport->} to %{daddr}:%{dport->} has %{disposition->} due to %{result}", processor_chain([ - dup18, - dup2, - dup4, - dup5, - ])); - - var msg902 = msg("00524:07", part1448); - - var part1449 = match("MESSAGE#892:00524:08", "nwparser.payload", "SNMP community %{fld2->} cannot be added because %{result}", processor_chain([ - dup18, - dup2, - dup4, - dup5, - ])); - - var msg903 = msg("00524:08", part1449); - - var part1450 = match("MESSAGE#893:00524:09", "nwparser.payload", "SNMP host %{hostip->} cannot be added to community %{fld2->} because of %{result}", processor_chain([ - dup18, - dup2, - dup4, - dup5, - ])); - - var msg904 = msg("00524:09", part1450); - - var part1451 = match("MESSAGE#894:00524:10", "nwparser.payload", "SNMP host %{hostip->} cannot be added because %{result}", processor_chain([ - dup18, - dup2, - dup4, - dup5, - ])); - - var msg905 = msg("00524:10", part1451); - - var part1452 = match("MESSAGE#895:00524:11", "nwparser.payload", "SNMP host %{hostip->} cannot be removed from community %{fld2->} because %{result}", processor_chain([ - dup18, - dup2, - dup4, - dup5, - ])); - - var msg906 = msg("00524:11", part1452); - - var part1453 = match("MESSAGE#1222:00524:16", "nwparser.payload", "SNMP user/community %{fld34->} doesn't exist. 
(%{fld1})", processor_chain([ - dup44, - dup2, - dup4, - dup5, - dup9, - ])); - - var msg907 = msg("00524:16", part1453); - - var select340 = linear_select([ - msg893, - msg894, - msg895, - msg896, - msg897, - msg898, - msg899, - msg900, - msg901, - msg902, - msg903, - msg904, - msg905, - msg906, - msg907, - ]); - - var part1454 = match("MESSAGE#896:00525", "nwparser.payload", "The new PIN for user %{username->} at %{hostip->} has been %{disposition->} by SecurID %{fld2}", processor_chain([ - dup203, - setc("ec_subject","Password"), - dup38, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg908 = msg("00525", part1454); - - var part1455 = match("MESSAGE#897:00525:01", "nwparser.payload", "User %{username->} at %{hostip->} has selected a system-generated PIN for authentication with SecurID %{fld2}", processor_chain([ - dup203, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg909 = msg("00525:01", part1455); - - var part1456 = match("MESSAGE#898:00525:02", "nwparser.payload", "User %{username->} at %{hostip->} must enter the \"new PIN\" for SecurID %{fld2}", processor_chain([ - dup203, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg910 = msg("00525:02", part1456); - - var part1457 = match("MESSAGE#899:00525:03", "nwparser.payload", "User %{username->} at %{hostip->} must make a \"New PIN\" choice for SecurID %{fld2}", processor_chain([ - dup203, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg911 = msg("00525:03", part1457); - - var select341 = linear_select([ - msg908, - msg909, - msg910, - msg911, - ]); - - var part1458 = match("MESSAGE#900:00526", "nwparser.payload", "The user limit has been exceeded and %{hostip->} cannot be added", processor_chain([ - dup37, - dup219, - dup38, - dup39, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg912 = msg("00526", part1458); - - var part1459 = match("MESSAGE#901:00527/0", "nwparser.payload", "A DHCP-%{p0}"); - - var part1460 = match("MESSAGE#901:00527/1_1", "nwparser.p0", " assigned %{p0}"); - - var select342 = 
linear_select([ - dup311, - part1460, - ]); - - var part1461 = match("MESSAGE#901:00527/2", "nwparser.p0", "IP address %{hostip->} has been %{p0}"); - - var part1462 = match("MESSAGE#901:00527/3_1", "nwparser.p0", "freed from %{p0}"); - - var part1463 = match("MESSAGE#901:00527/3_2", "nwparser.p0", "freed %{p0}"); - - var select343 = linear_select([ - dup312, - part1462, - part1463, - ]); - - var all318 = all_match({ - processors: [ - part1459, - select342, - part1461, - select343, - dup108, - ], - on_success: processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg913 = msg("00527", all318); - - var part1464 = match("MESSAGE#902:00527:01", "nwparser.payload", "A DHCP-assigned IP address has been manually released%{}", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg914 = msg("00527:01", part1464); - - var part1465 = match("MESSAGE#903:00527:02/0", "nwparser.payload", "DHCP server has %{p0}"); - - var part1466 = match("MESSAGE#903:00527:02/1_1", "nwparser.p0", "released %{p0}"); - - var part1467 = match("MESSAGE#903:00527:02/1_2", "nwparser.p0", "assigned or released %{p0}"); - - var select344 = linear_select([ - dup311, - part1466, - part1467, - ]); - - var part1468 = match("MESSAGE#903:00527:02/2", "nwparser.p0", "an IP address%{}"); - - var all319 = all_match({ - processors: [ - part1465, - select344, - part1468, - ], - on_success: processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg915 = msg("00527:02", all319); - - var part1469 = match("MESSAGE#904:00527:03", "nwparser.payload", "MAC address %{macaddr->} has detected an IP conflict and has declined address %{hostip}", processor_chain([ - dup272, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg916 = msg("00527:03", part1469); - - var part1470 = match("MESSAGE#905:00527:04", "nwparser.payload", "One or more DHCP-assigned IP addresses have been manually released.%{}", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - 
])); - - var msg917 = msg("00527:04", part1470); - - var part1471 = match("MESSAGE#906:00527:05/2", "nwparser.p0", "%{} %{interface->} is more than %{fld2->} allocated."); - - var all320 = all_match({ - processors: [ - dup210, - dup337, - part1471, - ], - on_success: processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg918 = msg("00527:05", all320); - - var part1472 = match("MESSAGE#907:00527:06/0", "nwparser.payload", "IP address %{hostip->} %{p0}"); - - var select345 = linear_select([ - dup106, - dup127, - ]); - - var part1473 = match("MESSAGE#907:00527:06/3_1", "nwparser.p0", "released from %{p0}"); - - var select346 = linear_select([ - dup312, - part1473, - ]); - - var part1474 = match("MESSAGE#907:00527:06/4", "nwparser.p0", "%{fld2->} (%{fld1})"); - - var all321 = all_match({ - processors: [ - part1472, - select345, - dup23, - select346, - part1474, - ], - on_success: processor_chain([ - dup44, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg919 = msg("00527:06", all321); - - var part1475 = match("MESSAGE#908:00527:07", "nwparser.payload", "One or more IP addresses have expired. 
(%{fld1})", processor_chain([ - dup44, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg920 = msg("00527:07", part1475); - - var part1476 = match("MESSAGE#909:00527:08", "nwparser.payload", "DHCP server on interface %{interface->} received %{protocol_detail->} from %{smacaddr->} requesting out-of-scope IP address %{hostip}/%{mask->} (%{fld1})", processor_chain([ - dup44, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg921 = msg("00527:08", part1476); - - var part1477 = match("MESSAGE#910:00527:09/0", "nwparser.payload", "MAC address %{macaddr->} has %{disposition->} %{p0}"); - - var part1478 = match("MESSAGE#910:00527:09/1_0", "nwparser.p0", "address %{hostip->} (%{p0}"); - - var part1479 = match("MESSAGE#910:00527:09/1_1", "nwparser.p0", "%{hostip->} (%{p0}"); - - var select347 = linear_select([ - part1478, - part1479, - ]); - - var all322 = all_match({ - processors: [ - part1477, - select347, - dup41, - ], - on_success: processor_chain([ - dup272, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg922 = msg("00527:09", all322); - - var part1480 = match("MESSAGE#911:00527:10", "nwparser.payload", "One or more IP addresses are expired. 
(%{fld1})", processor_chain([ - dup44, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg923 = msg("00527:10", part1480); - - var select348 = linear_select([ - msg913, - msg914, - msg915, - msg916, - msg917, - msg918, - msg919, - msg920, - msg921, - msg922, - msg923, - ]); - - var part1481 = match("MESSAGE#912:00528", "nwparser.payload", "SCS: User '%{username}' authenticated using password :", processor_chain([ - setc("eventcategory","1302010000"), - dup29, - dup31, - dup32, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg924 = msg("00528", part1481); - - var part1482 = match("MESSAGE#913:00528:01", "nwparser.payload", "SCS: Connection terminated for user %{username->} from", processor_chain([ - dup203, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg925 = msg("00528:01", part1482); - - var part1483 = match("MESSAGE#914:00528:02", "nwparser.payload", "SCS: Disabled for all root/vsys on device. Client host attempting connection to interface '%{interface}' with address %{hostip->} from %{saddr}", processor_chain([ - dup203, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg926 = msg("00528:02", part1483); - - var part1484 = match("MESSAGE#915:00528:03", "nwparser.payload", "SSH: NetScreen device %{disposition->} to identify itself to the SSH client at %{hostip}", processor_chain([ - dup203, - dup2, - dup4, - dup5, - dup3, - ])); - - var msg927 = msg("00528:03", part1484); - - var part1485 = match("MESSAGE#916:00528:04", "nwparser.payload", "SSH: Incompatible SSH version string has been received from SSH client at %{hostip}", processor_chain([ - dup203, - dup2, - dup4, - dup5, - dup3, - ])); - - var msg928 = msg("00528:04", part1485); - - var part1486 = match("MESSAGE#917:00528:05", "nwparser.payload", "SSH: %{disposition->} to send identification string to client host at %{hostip}", processor_chain([ - dup203, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg929 = msg("00528:05", part1486); - - var part1487 = match("MESSAGE#918:00528:06", 
"nwparser.payload", "SSH: Client at %{saddr->} attempted to connect with invalid version string.", processor_chain([ - dup313, - dup2, - dup3, - dup4, - dup5, - setc("result","invalid version string"), - ])); - - var msg930 = msg("00528:06", part1487); - - var part1488 = match("MESSAGE#919:00528:07/0", "nwparser.payload", "SSH: %{disposition->} to negotiate %{p0}"); - - var part1489 = match("MESSAGE#919:00528:07/1_1", "nwparser.p0", "MAC %{p0}"); - - var part1490 = match("MESSAGE#919:00528:07/1_2", "nwparser.p0", "key exchange %{p0}"); - - var part1491 = match("MESSAGE#919:00528:07/1_3", "nwparser.p0", "host key %{p0}"); - - var select349 = linear_select([ - dup88, - part1489, - part1490, - part1491, - ]); - - var part1492 = match("MESSAGE#919:00528:07/2", "nwparser.p0", "algorithm with host %{hostip}"); - - var all323 = all_match({ - processors: [ - part1488, - select349, - part1492, - ], - on_success: processor_chain([ - dup314, - dup2, - dup4, - dup5, - dup3, - ]), - }); - - var msg931 = msg("00528:07", all323); - - var part1493 = match("MESSAGE#920:00528:08", "nwparser.payload", "SSH: Unsupported cipher type %{fld2->} requested from %{saddr}", processor_chain([ - dup314, - dup2, - dup4, - dup5, - dup3, - ])); - - var msg932 = msg("00528:08", part1493); - - var part1494 = match("MESSAGE#921:00528:09", "nwparser.payload", "SSH: Host client has requested NO cipher from %{saddr}", processor_chain([ - dup314, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg933 = msg("00528:09", part1494); - - var part1495 = match("MESSAGE#922:00528:10", "nwparser.payload", "SSH: Disabled for '%{vsys}'. 
Attempted connection %{disposition->} from %{saddr}:%{sport}", processor_chain([ - dup281, - dup2, - dup4, - dup5, - dup3, - ])); - - var msg934 = msg("00528:10", part1495); - - var part1496 = match("MESSAGE#923:00528:11", "nwparser.payload", "SSH: Disabled for %{fld2->} Attempted connection %{disposition->} from %{saddr}:%{sport}", processor_chain([ - dup281, - dup2, - dup4, - dup5, - dup3, - ])); - - var msg935 = msg("00528:11", part1496); - - var part1497 = match("MESSAGE#924:00528:12", "nwparser.payload", "SSH: SSH user %{username->} at %{saddr->} tried unsuccessfully to log in to %{vsys->} using the shared untrusted interface. SSH disabled on that interface.", processor_chain([ - dup281, - dup2, - dup4, - dup5, - dup3, - setc("disposition","disabled"), - ])); - - var msg936 = msg("00528:12", part1497); - - var part1498 = match("MESSAGE#925:00528:13/0", "nwparser.payload", "SSH: SSH client at %{saddr->} tried unsuccessfully to %{p0}"); - - var part1499 = match("MESSAGE#925:00528:13/1_0", "nwparser.p0", "make %{p0}"); - - var part1500 = match("MESSAGE#925:00528:13/1_1", "nwparser.p0", "establish %{p0}"); - - var select350 = linear_select([ - part1499, - part1500, - ]); - - var part1501 = match("MESSAGE#925:00528:13/2", "nwparser.p0", "an SSH connection to %{p0}"); - - var part1502 = match("MESSAGE#925:00528:13/4", "nwparser.p0", "%{} %{interface->} with IP %{hostip->} SSH %{p0}"); - - var part1503 = match("MESSAGE#925:00528:13/5_0", "nwparser.p0", "not enabled %{p0}"); - - var select351 = linear_select([ - part1503, - dup157, - ]); - - var part1504 = match("MESSAGE#925:00528:13/6", "nwparser.p0", "on that interface.%{}"); - - var all324 = all_match({ - processors: [ - part1498, - select350, - part1501, - dup337, - part1502, - select351, - part1504, - ], - on_success: processor_chain([ - dup281, - dup2, - dup4, - dup5, - dup3, - ]), - }); - - var msg937 = msg("00528:13", all324); - - var part1505 = match("MESSAGE#926:00528:14", "nwparser.payload", "SSH: SSH 
client %{saddr->} unsuccessfully attempted to make an SSH connection to %{vsys->} SSH was not completely initialized for that system.", processor_chain([ - dup281, - dup2, - dup4, - dup5, - dup3, - ])); - - var msg938 = msg("00528:14", part1505); - - var part1506 = match("MESSAGE#927:00528:15/0", "nwparser.payload", "SSH: Admin user %{p0}"); - - var part1507 = match("MESSAGE#927:00528:15/1_1", "nwparser.p0", "%{administrator->} %{p0}"); - - var select352 = linear_select([ - dup315, - part1507, - ]); - - var part1508 = match("MESSAGE#927:00528:15/2", "nwparser.p0", "at host %{saddr->} requested unsupported %{p0}"); - - var part1509 = match("MESSAGE#927:00528:15/3_0", "nwparser.p0", "PKA algorithm %{p0}"); - - var part1510 = match("MESSAGE#927:00528:15/3_1", "nwparser.p0", "authentication method %{p0}"); - - var select353 = linear_select([ - part1509, - part1510, - ]); - - var all325 = all_match({ - processors: [ - part1506, - select352, - part1508, - select353, - dup108, - ], - on_success: processor_chain([ - dup281, - dup2, - dup4, - dup5, - dup3, - ]), - }); - - var msg939 = msg("00528:15", all325); - - var part1511 = match("MESSAGE#928:00528:16", "nwparser.payload", "SCP: Admin '%{administrator}' at host %{saddr->} executed invalid scp command: '%{fld2}'", processor_chain([ - dup281, - dup2, - dup4, - dup5, - dup3, - ])); - - var msg940 = msg("00528:16", part1511); - - var part1512 = match("MESSAGE#929:00528:17", "nwparser.payload", "SCP: Disabled for '%{username}'. 
Attempted file transfer failed from host %{saddr}", processor_chain([ - dup281, - dup2, - dup4, - dup5, - dup3, - ])); - - var msg941 = msg("00528:17", part1512); - - var part1513 = match("MESSAGE#930:00528:18/2", "nwparser.p0", "authentication successful for admin user %{p0}"); - - var all326 = all_match({ - processors: [ - dup316, - dup402, - part1513, - dup403, - dup320, - ], - on_success: processor_chain([ - dup281, - dup2, - dup4, - dup5, - dup3, - setc("disposition","successful"), - setc("event_description","authentication successful for admin user"), - ]), - }); - - var msg942 = msg("00528:18", all326); - - var part1514 = match("MESSAGE#931:00528:26/2", "nwparser.p0", "authentication failed for admin user %{p0}"); - - var all327 = all_match({ - processors: [ - dup316, - dup402, - part1514, - dup403, - dup320, - ], - on_success: processor_chain([ - dup206, - dup29, - dup31, - dup54, - dup2, - dup4, - dup5, - dup302, - dup3, - setc("event_description","authentication failed for admin user"), - ]), - }); - - var msg943 = msg("00528:26", all327); - - var part1515 = match("MESSAGE#932:00528:19/2", "nwparser.p0", ": SSH user %{username->} has been %{disposition->} using password from %{saddr}:%{sport}"); - - var all328 = all_match({ - processors: [ - dup321, - dup404, - part1515, - ], - on_success: processor_chain([ - dup281, - dup2, - dup4, - dup5, - dup3, - ]), - }); - - var msg944 = msg("00528:19", all328); - - var part1516 = match("MESSAGE#933:00528:20/2", "nwparser.p0", ": Connection has been %{disposition->} for admin user %{administrator->} at %{saddr}:%{sport}"); - - var all329 = all_match({ - processors: [ - dup321, - dup404, - part1516, - ], - on_success: processor_chain([ - dup281, - dup2, - dup4, - dup5, - dup3, - ]), - }); - - var msg945 = msg("00528:20", all329); - - var part1517 = match("MESSAGE#934:00528:21", "nwparser.payload", "SCS: SSH user %{username->} at %{saddr}:%{sport->} has requested PKA RSA authentication, which is not supported for that 
client.", processor_chain([ - dup281, - dup2, - dup4, - dup5, - dup3, - ])); - - var msg946 = msg("00528:21", part1517); - - var part1518 = match("MESSAGE#935:00528:22/0", "nwparser.payload", "SCS: SSH client at %{saddr->} has attempted to make an SCS connection to %{p0}"); - - var part1519 = match("MESSAGE#935:00528:22/2", "nwparser.p0", "%{} %{interface->} with IP %{hostip->} but %{disposition->} because SCS is not enabled for that interface."); - - var all330 = all_match({ - processors: [ - part1518, - dup337, - part1519, - ], - on_success: processor_chain([ - dup281, - dup2, - dup4, - dup5, - dup3, - setc("result","SCS is not enabled for that interface"), - ]), - }); - - var msg947 = msg("00528:22", all330); - - var part1520 = match("MESSAGE#936:00528:23", "nwparser.payload", "SCS: SSH client at %{saddr}:%{sport->} has %{disposition->} to make an SCS connection to vsys %{vsys->} because SCS cannot generate the host and server keys before timing out.", processor_chain([ - dup281, - dup2, - dup4, - dup5, - dup3, - setc("result","SCS cannot generate the host and server keys before timing out"), - ])); - - var msg948 = msg("00528:23", part1520); - - var part1521 = match("MESSAGE#937:00528:24", "nwparser.payload", "SSH: %{change_attribute->} has been changed from %{change_old->} to %{change_new}", processor_chain([ - dup281, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg949 = msg("00528:24", part1521); - - var part1522 = match("MESSAGE#938:00528:25/0", "nwparser.payload", "SSH: Admin %{p0}"); - - var part1523 = match("MESSAGE#938:00528:25/2", "nwparser.p0", "at host %{saddr->} attempted to be authenticated with no authentication methods enabled."); - - var all331 = all_match({ - processors: [ - part1522, - dup403, - part1523, - ], - on_success: processor_chain([ - dup281, - dup2, - dup4, - dup5, - dup3, - ]), - }); - - var msg950 = msg("00528:25", all331); - - var select354 = linear_select([ - msg924, - msg925, - msg926, - msg927, - msg928, - msg929, - msg930, - 
msg931, - msg932, - msg933, - msg934, - msg935, - msg936, - msg937, - msg938, - msg939, - msg940, - msg941, - msg942, - msg943, - msg944, - msg945, - msg946, - msg947, - msg948, - msg949, - msg950, - ]); - - var part1524 = match("MESSAGE#939:00529/1_0", "nwparser.p0", "manually %{p0}"); - - var part1525 = match("MESSAGE#939:00529/1_1", "nwparser.p0", "automatically %{p0}"); - - var select355 = linear_select([ - part1524, - part1525, - ]); - - var part1526 = match("MESSAGE#939:00529/2", "nwparser.p0", "refreshed%{}"); - - var all332 = all_match({ - processors: [ - dup63, - select355, - part1526, - ], - on_success: processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg951 = msg("00529", all332); - - var part1527 = match("MESSAGE#940:00529:01/0", "nwparser.payload", "DNS entries have been refreshed by %{p0}"); - - var part1528 = match("MESSAGE#940:00529:01/1_0", "nwparser.p0", "state change%{}"); - - var part1529 = match("MESSAGE#940:00529:01/1_1", "nwparser.p0", "HA%{}"); - - var select356 = linear_select([ - part1528, - part1529, - ]); - - var all333 = all_match({ - processors: [ - part1527, - select356, - ], - on_success: processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg952 = msg("00529:01", all333); - - var select357 = linear_select([ - msg951, - msg952, - ]); - - var part1530 = match("MESSAGE#941:00530", "nwparser.payload", "An IP conflict has been detected and the DHCP client has declined address %{hostip}", processor_chain([ - dup272, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg953 = msg("00530", part1530); - - var part1531 = match("MESSAGE#942:00530:01/0", "nwparser.payload", "DHCP client IP %{hostip->} for the %{p0}"); - - var part1532 = match("MESSAGE#942:00530:01/2", "nwparser.p0", "%{} %{interface->} has been manually released"); - - var all334 = all_match({ - processors: [ - part1531, - dup337, - part1532, - ], - on_success: processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ]), 
- }); - - var msg954 = msg("00530:01", all334); - - var part1533 = match("MESSAGE#943:00530:02", "nwparser.payload", "DHCP client is unable to get an IP address for the %{interface->} interface", processor_chain([ - dup18, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg955 = msg("00530:02", part1533); - - var part1534 = match("MESSAGE#944:00530:03", "nwparser.payload", "DHCP client lease for %{hostip->} has expired", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg956 = msg("00530:03", part1534); - - var part1535 = match("MESSAGE#945:00530:04", "nwparser.payload", "DHCP server %{hostip->} has assigned the untrust Interface %{interface->} with lease %{fld2}.", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg957 = msg("00530:04", part1535); - - var part1536 = match("MESSAGE#946:00530:05", "nwparser.payload", "DHCP server %{hostip->} has assigned the %{interface->} interface %{fld2->} with lease %{fld3}", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg958 = msg("00530:05", part1536); - - var part1537 = match("MESSAGE#947:00530:06", "nwparser.payload", "DHCP client is unable to get IP address for the untrust interface.%{}", processor_chain([ - dup18, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg959 = msg("00530:06", part1537); - - var select358 = linear_select([ - msg953, - msg954, - msg955, - msg956, - msg957, - msg958, - msg959, - ]); - - var part1538 = match("MESSAGE#948:00531/0", "nwparser.payload", "System clock configurations have been changed by admin %{p0}"); - - var all335 = all_match({ - processors: [ - part1538, - dup397, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg960 = msg("00531", all335); - - var part1539 = match("MESSAGE#949:00531:01", "nwparser.payload", "failed to get clock through NTP%{}", processor_chain([ - dup86, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg961 = msg("00531:01", 
part1539); - - var part1540 = match("MESSAGE#950:00531:02", "nwparser.payload", "The system clock has been updated through NTP.%{}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg962 = msg("00531:02", part1540); - - var part1541 = match("MESSAGE#951:00531:03/0", "nwparser.payload", "The system clock was updated from %{type->} NTP server type %{hostname->} with a%{p0}"); - - var part1542 = match("MESSAGE#951:00531:03/1_0", "nwparser.p0", " ms %{p0}"); - - var select359 = linear_select([ - part1542, - dup115, - ]); - - var part1543 = match("MESSAGE#951:00531:03/2", "nwparser.p0", "adjustment of %{fld3}. Authentication was %{fld4}. Update mode was %{p0}"); - - var part1544 = match("MESSAGE#951:00531:03/3_0", "nwparser.p0", "%{fld5}(%{fld2})"); - - var part1545 = match_copy("MESSAGE#951:00531:03/3_1", "nwparser.p0", "fld5"); - - var select360 = linear_select([ - part1544, - part1545, - ]); - - var all336 = all_match({ - processors: [ - part1541, - select359, - part1543, - select360, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - dup146, - ]), - }); - - var msg963 = msg("00531:03", all336); - - var part1546 = match("MESSAGE#952:00531:04/0", "nwparser.payload", "The NetScreen device is attempting to contact the %{p0}"); - - var part1547 = match("MESSAGE#952:00531:04/1_0", "nwparser.p0", "primary backup %{p0}"); - - var part1548 = match("MESSAGE#952:00531:04/1_1", "nwparser.p0", "secondary backup %{p0}"); - - var select361 = linear_select([ - part1547, - part1548, - dup189, - ]); - - var part1549 = match("MESSAGE#952:00531:04/2", "nwparser.p0", "NTP server %{hostname}"); - - var all337 = all_match({ - processors: [ - part1546, - select361, - part1549, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg964 = msg("00531:04", all337); - - var part1550 = match("MESSAGE#953:00531:05", "nwparser.payload", "No NTP server could be contacted. 
(%{fld1})", processor_chain([ - dup86, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg965 = msg("00531:05", part1550); - - var part1551 = match("MESSAGE#954:00531:06", "nwparser.payload", "Network Time Protocol adjustment of %{fld2->} from NTP server %{hostname->} exceeds the allowed adjustment of %{fld3}. (%{fld1})", processor_chain([ - dup86, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg966 = msg("00531:06", part1551); - - var part1552 = match("MESSAGE#955:00531:07", "nwparser.payload", "No acceptable time could be obtained from any NTP server. (%{fld1})", processor_chain([ - dup86, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg967 = msg("00531:07", part1552); - - var part1553 = match("MESSAGE#956:00531:08", "nwparser.payload", "Administrator %{administrator->} changed the %{change_attribute->} from %{change_old->} to %{change_new->} (by %{fld3->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport}) (%{fld1})", processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg968 = msg("00531:08", part1553); - - var part1554 = match("MESSAGE#957:00531:09", "nwparser.payload", "Network Time Protocol settings changed. 
(%{fld1})", processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg969 = msg("00531:09", part1554); - - var part1555 = match("MESSAGE#958:00531:10", "nwparser.payload", "NTP server is %{disposition->} on interface %{interface->} (%{fld1})", processor_chain([ - dup86, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg970 = msg("00531:10", part1555); - - var part1556 = match("MESSAGE#959:00531:11", "nwparser.payload", "The system clock will be changed from %{change_old->} to %{change_new->} received from primary NTP server %{hostip->} (%{fld1})", processor_chain([ - dup44, - dup2, - dup3, - dup9, - dup4, - dup5, - setc("event_description","system clock changed based on receive from primary NTP server"), - ])); - - var msg971 = msg("00531:11", part1556); - - var part1557 = match("MESSAGE#1223:00531:12", "nwparser.payload", "%{fld35->} NTP server %{saddr->} could not be contacted. (%{fld1})", processor_chain([ - dup44, - dup2, - dup4, - dup5, - dup9, - ])); - - var msg972 = msg("00531:12", part1557); - - var select362 = linear_select([ - msg960, - msg961, - msg962, - msg963, - msg964, - msg965, - msg966, - msg967, - msg968, - msg969, - msg970, - msg971, - msg972, - ]); - - var part1558 = match("MESSAGE#960:00533", "nwparser.payload", "VIP server %{hostip->} is now responding", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg973 = msg("00533", part1558); - - var part1559 = match("MESSAGE#961:00534", "nwparser.payload", "%{fld2->} has been cleared", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg974 = msg("00534", part1559); - - var part1560 = match("MESSAGE#962:00535", "nwparser.payload", "Cannot find the CA certificate with distinguished name %{fld2}", processor_chain([ - dup314, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg975 = msg("00535", part1560); - - var part1561 = match("MESSAGE#963:00535:01", "nwparser.payload", "Distinguished name %{dn->} in the X509 
certificate request is %{disposition}", processor_chain([ - dup314, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg976 = msg("00535:01", part1561); - - var part1562 = match("MESSAGE#964:00535:02", "nwparser.payload", "Local certificate with distinguished name %{dn->} is %{disposition}", processor_chain([ - dup314, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg977 = msg("00535:02", part1562); - - var part1563 = match("MESSAGE#965:00535:03", "nwparser.payload", "PKCS #7 data cannot be decapsulated%{}", processor_chain([ - dup314, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg978 = msg("00535:03", part1563); - - var part1564 = match("MESSAGE#966:00535:04", "nwparser.payload", "SCEP_FAILURE message has been received from the CA%{}", processor_chain([ - dup314, - dup2, - dup3, - dup4, - dup5, - setc("result","SCEP_FAILURE message"), - ])); - - var msg979 = msg("00535:04", part1564); - - var part1565 = match("MESSAGE#967:00535:05", "nwparser.payload", "PKI error message has been received: %{result}", processor_chain([ - dup314, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg980 = msg("00535:05", part1565); - - var part1566 = match("MESSAGE#968:00535:06", "nwparser.payload", "PKI: Saved CA configuration (CA cert subject name %{dn}). (%{event_time_string})", processor_chain([ - dup314, - dup2, - dup3, - dup4, - dup5, - setc("event_description","Saved CA configuration - cert subject name"), - ])); - - var msg981 = msg("00535:06", part1566); - - var select363 = linear_select([ - msg975, - msg976, - msg977, - msg978, - msg979, - msg980, - msg981, - ]); - - var part1567 = match("MESSAGE#969:00536:49/0", "nwparser.payload", "IKE %{hostip->} %{p0}"); - - var part1568 = match("MESSAGE#969:00536:49/1_0", "nwparser.p0", "Phase 2 msg ID %{sessionid}: %{disposition}. %{p0}"); - - var part1569 = match("MESSAGE#969:00536:49/1_1", "nwparser.p0", "Phase 1: %{disposition->} %{p0}"); - - var part1570 = match("MESSAGE#969:00536:49/1_2", "nwparser.p0", "phase 2:%{disposition}. 
%{p0}"); - - var part1571 = match("MESSAGE#969:00536:49/1_3", "nwparser.p0", "phase 1:%{disposition}. %{p0}"); - - var select364 = linear_select([ - part1568, - part1569, - part1570, - part1571, - ]); - - var all338 = all_match({ - processors: [ - part1567, - select364, - dup10, - ], - on_success: processor_chain([ - dup44, - dup2, - dup9, - dup3, - dup4, - dup5, - ]), - }); - - var msg982 = msg("00536:49", all338); - - var part1572 = match("MESSAGE#970:00536", "nwparser.payload", "UDP packets have been received from %{saddr}/%{sport->} at interface %{interface->} at %{daddr}/%{dport}", processor_chain([ - dup44, - dup2, - dup4, - dup5, - dup3, - dup61, - ])); - - var msg983 = msg("00536", part1572); - - var part1573 = match("MESSAGE#971:00536:01", "nwparser.payload", "Attempt to set tunnel (%{fld2}) without IP address at both end points! Check outgoing interface.", processor_chain([ - dup18, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg984 = msg("00536:01", part1573); - - var part1574 = match("MESSAGE#972:00536:02", "nwparser.payload", "Gateway %{fld2->} at %{hostip->} in %{fld4->} mode with ID: %{fld3->} has been %{disposition}.", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg985 = msg("00536:02", part1574); - - var part1575 = match("MESSAGE#973:00536:03", "nwparser.payload", "IKE gateway %{fld2->} has been %{disposition}. 
%{info}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg986 = msg("00536:03", part1575); - - var part1576 = match("MESSAGE#974:00536:04", "nwparser.payload", "VPN monitoring for VPN %{group->} has deactivated the SA with ID %{fld2}.", processor_chain([ - setc("eventcategory","1801010100"), - dup2, - dup3, - dup4, - dup5, - ])); - - var msg987 = msg("00536:04", part1576); - - var part1577 = match("MESSAGE#975:00536:05", "nwparser.payload", "VPN ID number cannot be assigned%{}", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg988 = msg("00536:05", part1577); - - var part1578 = match("MESSAGE#976:00536:06", "nwparser.payload", "Local gateway IP address has changed to %{fld2}. VPNs cannot terminate at an interface with IP %{hostip}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg989 = msg("00536:06", part1578); - - var part1579 = match("MESSAGE#977:00536:07", "nwparser.payload", "Local gateway IP address has changed from %{change_old->} to another setting", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg990 = msg("00536:07", part1579); - - var part1580 = match("MESSAGE#978:00536:08", "nwparser.payload", "IKE %{hostip}: Sent initial contact notification message", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg991 = msg("00536:08", part1580); - - var part1581 = match("MESSAGE#979:00536:09", "nwparser.payload", "IKE %{hostip}: Sent initial contact notification", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg992 = msg("00536:09", part1581); - - var part1582 = match("MESSAGE#980:00536:10", "nwparser.payload", "IKE %{hostip}: Responded to a packet with a bad SPI after rebooting", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg993 = msg("00536:10", part1582); - - var part1583 = match("MESSAGE#981:00536:11", "nwparser.payload", "IKE %{hostip}: Removed Phase 2 SAs after 
receiving a notification message", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg994 = msg("00536:11", part1583); - - var part1584 = match("MESSAGE#982:00536:12", "nwparser.payload", "IKE %{hostip}: Rejected first Phase 1 packet from an unrecognized source", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg995 = msg("00536:12", part1584); - - var part1585 = match("MESSAGE#983:00536:13", "nwparser.payload", "IKE %{hostip}: Rejected an initial Phase 1 packet from an unrecognized peer gateway", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg996 = msg("00536:13", part1585); - - var part1586 = match("MESSAGE#984:00536:14/0", "nwparser.payload", "IKE %{hostip}: Received initial contact notification and removed Phase %{p0}"); - - var part1587 = match("MESSAGE#984:00536:14/2", "nwparser.p0", "SAs%{}"); - - var all339 = all_match({ - processors: [ - part1586, - dup383, - part1587, - ], - on_success: processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg997 = msg("00536:14", all339); - - var part1588 = match("MESSAGE#985:00536:50", "nwparser.payload", "IKE %{hostip}: Received a notification message for %{disposition}. 
(%{fld1})", processor_chain([ - dup44, - dup2, - dup9, - dup3, - dup4, - dup5, - ])); - - var msg998 = msg("00536:50", part1588); - - var part1589 = match("MESSAGE#986:00536:15", "nwparser.payload", "IKE %{hostip}: Received incorrect ID payload: IP address %{fld2->} instead of IP address %{fld3}", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg999 = msg("00536:15", part1589); - - var part1590 = match("MESSAGE#987:00536:16", "nwparser.payload", "IKE %{hostip}: Phase 2 negotiation request is already in the task list", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1000 = msg("00536:16", part1590); - - var part1591 = match("MESSAGE#988:00536:17", "nwparser.payload", "IKE %{hostip}: Heartbeats have been lost %{fld2->} times", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1001 = msg("00536:17", part1591); - - var part1592 = match("MESSAGE#989:00536:18", "nwparser.payload", "IKE %{hostip}: Dropped peer packet because no policy uses the peer configuration", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1002 = msg("00536:18", part1592); - - var part1593 = match("MESSAGE#990:00536:19", "nwparser.payload", "IKE %{hostip}: Dropped packet because remote gateway OK is not used in any VPN tunnel configurations", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1003 = msg("00536:19", part1593); - - var part1594 = match("MESSAGE#991:00536:20", "nwparser.payload", "IKE %{hostip}: Added the initial contact task to the task list", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1004 = msg("00536:20", part1594); - - var part1595 = match("MESSAGE#992:00536:21", "nwparser.payload", "IKE %{hostip}: Added Phase 2 session tasks to the task list", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1005 = msg("00536:21", part1595); - - var part1596 = match("MESSAGE#993:00536:22", 
"nwparser.payload", "IKE %{hostip->} Phase 1 : %{disposition->} proposals from peer. Negotiations failed", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - setc("result","Negotiations failed"), - ])); - - var msg1006 = msg("00536:22", part1596); - - var part1597 = match("MESSAGE#994:00536:23", "nwparser.payload", "IKE %{hostip->} Phase 1 : Aborted negotiations because the time limit has elapsed", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - setc("result","The time limit has elapsed"), - setc("disposition","Aborted"), - ])); - - var msg1007 = msg("00536:23", part1597); - - var part1598 = match("MESSAGE#995:00536:24", "nwparser.payload", "IKE %{hostip->} Phase 2: Received a message but did not check a policy because id-mode is set to IP or policy-checking is disabled", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1008 = msg("00536:24", part1598); - - var part1599 = match("MESSAGE#996:00536:25", "nwparser.payload", "IKE %{hostip->} Phase 2: Received DH group %{fld2->} instead of expected group %{fld3->} for PFS", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1009 = msg("00536:25", part1599); - - var part1600 = match("MESSAGE#997:00536:26", "nwparser.payload", "IKE %{hostip->} Phase 2: No policy exists for the proxy ID received: local ID %{fld2->} remote ID %{fld3}", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1010 = msg("00536:26", part1600); - - var part1601 = match("MESSAGE#998:00536:27", "nwparser.payload", "IKE %{hostip->} Phase 1: RSA private key is needed to sign packets", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1011 = msg("00536:27", part1601); - - var part1602 = match("MESSAGE#999:00536:28", "nwparser.payload", "IKE %{hostip->} Phase 1: Aggressive mode negotiations have %{disposition}", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1012 = msg("00536:28", part1602); - - 
var part1603 = match("MESSAGE#1000:00536:29", "nwparser.payload", "IKE %{hostip->} Phase 1: Vendor ID payload indicates that the peer does not support NAT-T", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1013 = msg("00536:29", part1603); - - var part1604 = match("MESSAGE#1001:00536:30", "nwparser.payload", "IKE %{hostip->} Phase 1: Retransmission limit has been reached", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1014 = msg("00536:30", part1604); - - var part1605 = match("MESSAGE#1002:00536:31", "nwparser.payload", "IKE %{hostip->} Phase 1: Received an invalid RSA signature", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1015 = msg("00536:31", part1605); - - var part1606 = match("MESSAGE#1003:00536:32", "nwparser.payload", "IKE %{hostip->} Phase 1: Received an incorrect public key authentication method", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1016 = msg("00536:32", part1606); - - var part1607 = match("MESSAGE#1004:00536:33", "nwparser.payload", "IKE %{hostip->} Phase 1: No private key exists to sign packets", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1017 = msg("00536:33", part1607); - - var part1608 = match("MESSAGE#1005:00536:34", "nwparser.payload", "IKE %{hostip->} Phase 1: Main mode packet has arrived with ID type IP address but no user configuration was found for that ID", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1018 = msg("00536:34", part1608); - - var part1609 = match("MESSAGE#1006:00536:35", "nwparser.payload", "IKE %{hostip->} Phase 1: IKE initiator has detected NAT in front of the local device", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1019 = msg("00536:35", part1609); - - var part1610 = match("MESSAGE#1007:00536:36/0", "nwparser.payload", "IKE %{hostip->} Phase 1: Discarded a second initial packet%{p0}"); - - var 
part1611 = match("MESSAGE#1007:00536:36/2", "nwparser.p0", "%{}which arrived within %{fld2->} after the first"); - - var all340 = all_match({ - processors: [ - part1610, - dup401, - part1611, - ], - on_success: processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg1020 = msg("00536:36", all340); - - var part1612 = match("MESSAGE#1008:00536:37", "nwparser.payload", "IKE %{hostip->} Phase 1: Completed Aggressive mode negotiations with a %{fld2->} lifetime", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1021 = msg("00536:37", part1612); - - var part1613 = match("MESSAGE#1009:00536:38", "nwparser.payload", "IKE %{hostip->} Phase 1: Certificate received has a subject name that does not match the ID payload", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1022 = msg("00536:38", part1613); - - var part1614 = match("MESSAGE#1010:00536:39", "nwparser.payload", "IKE %{hostip->} Phase 1: Certificate received has a different IP address %{fld2->} than expected", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1023 = msg("00536:39", part1614); - - var part1615 = match("MESSAGE#1011:00536:40", "nwparser.payload", "IKE %{hostip->} Phase 1: Cannot use a preshared key because the peer%{quote}s gateway has a dynamic IP address and negotiations are in Main mode", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1024 = msg("00536:40", part1615); - - var part1616 = match("MESSAGE#1012:00536:47", "nwparser.payload", "IKE %{hostip->} Phase 1: Initiated negotiations in Aggressive mode", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1025 = msg("00536:47", part1616); - - var part1617 = match("MESSAGE#1013:00536:41", "nwparser.payload", "IKE %{hostip->} Phase 1: Cannot verify RSA signature", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1026 = msg("00536:41", part1617); - - var part1618 = 
match("MESSAGE#1014:00536:42", "nwparser.payload", "IKE %{hostip->} Phase 1: Initiated Main mode negotiations", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1027 = msg("00536:42", part1618); - - var part1619 = match("MESSAGE#1015:00536:43", "nwparser.payload", "IKE %{hostip->} Phase 2: Initiated negotiations", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1028 = msg("00536:43", part1619); - - var part1620 = match("MESSAGE#1016:00536:44", "nwparser.payload", "IKE %{hostip}: Changed heartbeat interval to %{fld2}", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1029 = msg("00536:44", part1620); - - var part1621 = match("MESSAGE#1017:00536:45", "nwparser.payload", "IKE %{hostip}: Heartbeats have been %{disposition->} because %{result}", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1030 = msg("00536:45", part1621); - - var part1622 = match("MESSAGE#1018:00536:48", "nwparser.payload", "Received an IKE packet on %{interface->} from %{saddr}:%{sport->} to %{daddr}:%{dport}/%{fld1}. Cookies: %{ike_cookie1}, %{ike_cookie2}. 
(%{event_time_string})", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - setc("event_description","Received an IKE packet on interface"), - ])); - - var msg1031 = msg("00536:48", part1622); - - var part1623 = match("MESSAGE#1019:00536:46", "nwparser.payload", "IKE %{hostip}: Received a bad SPI", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1032 = msg("00536:46", part1623); - - var select365 = linear_select([ - msg982, - msg983, - msg984, - msg985, - msg986, - msg987, - msg988, - msg989, - msg990, - msg991, - msg992, - msg993, - msg994, - msg995, - msg996, - msg997, - msg998, - msg999, - msg1000, - msg1001, - msg1002, - msg1003, - msg1004, - msg1005, - msg1006, - msg1007, - msg1008, - msg1009, - msg1010, - msg1011, - msg1012, - msg1013, - msg1014, - msg1015, - msg1016, - msg1017, - msg1018, - msg1019, - msg1020, - msg1021, - msg1022, - msg1023, - msg1024, - msg1025, - msg1026, - msg1027, - msg1028, - msg1029, - msg1030, - msg1031, - msg1032, - ]); - - var part1624 = match("MESSAGE#1020:00537", "nwparser.payload", "PPPoE %{disposition->} to establish a session: %{info}", processor_chain([ - dup18, - dup2, - dup4, - dup5, - dup3, - ])); - - var msg1033 = msg("00537", part1624); - - var part1625 = match("MESSAGE#1021:00537:01", "nwparser.payload", "PPPoE session shuts down: %{result}", processor_chain([ - dup18, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1034 = msg("00537:01", part1625); - - var part1626 = match("MESSAGE#1022:00537:02", "nwparser.payload", "The Point-to-Point over Ethernet (PPPoE) connection failed to establish a session: %{result}", processor_chain([ - dup18, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1035 = msg("00537:02", part1626); - - var part1627 = match("MESSAGE#1023:00537:03", "nwparser.payload", "PPPoE session has successfully established%{}", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1036 = msg("00537:03", part1627); - - var select366 = 
linear_select([ - msg1033, - msg1034, - msg1035, - msg1036, - ]); - - var part1628 = match("MESSAGE#1024:00538/0", "nwparser.payload", "NACN failed to register to Policy Manager %{fld2->} because %{p0}"); - - var select367 = linear_select([ - dup111, - dup119, - ]); - - var part1629 = match("MESSAGE#1024:00538/2", "nwparser.p0", "%{result}"); - - var all341 = all_match({ - processors: [ - part1628, - select367, - part1629, - ], - on_success: processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg1037 = msg("00538", all341); - - var part1630 = match("MESSAGE#1025:00538:01", "nwparser.payload", "NACN successfully registered to Policy Manager %{fld2}.", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1038 = msg("00538:01", part1630); - - var part1631 = match("MESSAGE#1026:00538:02", "nwparser.payload", "The NACN protocol has started for Policy Manager %{fld2->} on hostname %{hostname->} IP address %{hostip->} port %{network_port}.", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1039 = msg("00538:02", part1631); - - var part1632 = match("MESSAGE#1027:00538:03", "nwparser.payload", "Cannot connect to NSM Server at %{hostip->} (%{fld2->} connect attempt(s)) %{fld3}", processor_chain([ - dup19, - dup2, - dup4, - dup5, - dup3, - ])); - - var msg1040 = msg("00538:03", part1632); - - var part1633 = match("MESSAGE#1028:00538:04", "nwparser.payload", "Device is not known to Global PRO data collector at %{hostip}", processor_chain([ - dup27, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1041 = msg("00538:04", part1633); - - var part1634 = match("MESSAGE#1029:00538:05/0", "nwparser.payload", "Lost %{p0}"); - - var part1635 = match("MESSAGE#1029:00538:05/1_0", "nwparser.p0", "socket connection%{p0}"); - - var part1636 = match("MESSAGE#1029:00538:05/1_1", "nwparser.p0", "connection%{p0}"); - - var select368 = linear_select([ - part1635, - part1636, - ]); - - var part1637 = 
match("MESSAGE#1029:00538:05/2", "nwparser.p0", "%{}to Global PRO data collector at %{hostip}"); - - var all342 = all_match({ - processors: [ - part1634, - select368, - part1637, - ], - on_success: processor_chain([ - dup27, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg1042 = msg("00538:05", all342); - - var part1638 = match("MESSAGE#1030:00538:06/0", "nwparser.payload", "Device has connected to the Global PRO%{p0}"); - - var part1639 = match("MESSAGE#1030:00538:06/1_0", "nwparser.p0", " %{fld2->} primary data collector at %{p0}"); - - var part1640 = match("MESSAGE#1030:00538:06/1_1", "nwparser.p0", " primary data collector at %{p0}"); - - var select369 = linear_select([ - part1639, - part1640, - ]); - - var part1641 = match_copy("MESSAGE#1030:00538:06/2", "nwparser.p0", "hostip"); - - var all343 = all_match({ - processors: [ - part1638, - select369, - part1641, - ], - on_success: processor_chain([ - dup27, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg1043 = msg("00538:06", all343); - - var part1642 = match("MESSAGE#1031:00538:07/0", "nwparser.payload", "Connection to Global PRO data collector at %{hostip->} has%{p0}"); - - var part1643 = match("MESSAGE#1031:00538:07/1_0", "nwparser.p0", " been%{p0}"); - - var select370 = linear_select([ - part1643, - dup16, - ]); - - var all344 = all_match({ - processors: [ - part1642, - select370, - dup136, - ], - on_success: processor_chain([ - dup27, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg1044 = msg("00538:07", all344); - - var part1644 = match("MESSAGE#1032:00538:08", "nwparser.payload", "Cannot connect to Global PRO data collector at %{hostip}", processor_chain([ - dup27, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1045 = msg("00538:08", part1644); - - var part1645 = match("MESSAGE#1033:00538:09", "nwparser.payload", "NSM: Connected to NSM server at %{hostip->} (%{info}) (%{fld1})", processor_chain([ - dup301, - dup2, - dup3, - dup9, - dup4, - dup5, - 
setc("event_description","Connected to NSM server"), - ])); - - var msg1046 = msg("00538:09", part1645); - - var part1646 = match("MESSAGE#1034:00538:10/0", "nwparser.payload", "NSM: Connection to NSM server at %{hostip->} is down. Reason: %{resultcode}, %{result->} (%{p0}"); - - var part1647 = match("MESSAGE#1034:00538:10/1_0", "nwparser.p0", "%{info}) (%{fld1})"); - - var select371 = linear_select([ - part1647, - dup41, - ]); - - var all345 = all_match({ - processors: [ - part1646, - select371, - ], - on_success: processor_chain([ - dup198, - dup2, - dup3, - dup9, - dup4, - dup5, - setc("event_description","Connection to NSM server is down"), - ]), - }); - - var msg1047 = msg("00538:10", all345); - - var part1648 = match("MESSAGE#1035:00538:11", "nwparser.payload", "NSM: Cannot connect to NSM server at %{hostip}. Reason: %{resultcode}, %{result->} (%{info}) (%{fld2->} connect attempt(s)) (%{fld1})", processor_chain([ - dup198, - dup2, - dup3, - dup9, - dup4, - dup5, - dup323, - ])); - - var msg1048 = msg("00538:11", part1648); - - var part1649 = match("MESSAGE#1036:00538:12", "nwparser.payload", "NSM: Cannot connect to NSM server at %{hostip}. 
Reason: %{resultcode}, %{result->} (%{info}) (%{fld1})", processor_chain([ - dup198, - dup2, - dup3, - dup9, - dup4, - dup5, - dup323, - ])); - - var msg1049 = msg("00538:12", part1649); - - var part1650 = match("MESSAGE#1037:00538:13", "nwparser.payload", "NSM: Sent 2B message (%{fld1})", processor_chain([ - dup44, - dup2, - dup3, - dup9, - dup4, - dup5, - setc("event_description","Sent 2B message"), - ])); - - var msg1050 = msg("00538:13", part1650); - - var select372 = linear_select([ - msg1037, - msg1038, - msg1039, - msg1040, - msg1041, - msg1042, - msg1043, - msg1044, - msg1045, - msg1046, - msg1047, - msg1048, - msg1049, - msg1050, - ]); - - var part1651 = match("MESSAGE#1038:00539", "nwparser.payload", "No IP address in L2TP IP pool for user %{username}", processor_chain([ - dup117, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1051 = msg("00539", part1651); - - var part1652 = match("MESSAGE#1039:00539:01", "nwparser.payload", "No L2TP IP pool for user %{username}", processor_chain([ - dup117, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1052 = msg("00539:01", part1652); - - var part1653 = match("MESSAGE#1040:00539:02", "nwparser.payload", "Cannot allocate IP addr from Pool %{group_object->} for user %{username}", processor_chain([ - dup117, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1053 = msg("00539:02", part1653); - - var part1654 = match("MESSAGE#1041:00539:03", "nwparser.payload", "Dialup HDLC PPP failed to establish a session: %{fld2}.", processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1054 = msg("00539:03", part1654); - - var part1655 = match("MESSAGE#1042:00539:04", "nwparser.payload", "Dialup HDLC PPP session has successfully established.%{}", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1055 = msg("00539:04", part1655); - - var part1656 = match("MESSAGE#1043:00539:05", "nwparser.payload", "No IP Pool has been assigned. 
You cannot allocate an IP address%{}", processor_chain([ - dup18, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1056 = msg("00539:05", part1656); - - var part1657 = match("MESSAGE#1044:00539:06", "nwparser.payload", "PPP settings changed.%{}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1057 = msg("00539:06", part1657); - - var select373 = linear_select([ - msg1051, - msg1052, - msg1053, - msg1054, - msg1055, - msg1056, - msg1057, - ]); - - var part1658 = match("MESSAGE#1045:00541", "nwparser.payload", "ScreenOS %{fld2->} serial # %{serial_number}: Asset recovery has been %{disposition}", processor_chain([ - dup324, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1058 = msg("00541", part1658); - - var part1659 = match("MESSAGE#1216:00541:01", "nwparser.payload", "Neighbor router ID - %{fld2->} IP address - %{hostip->} changed its state to %{change_new}. (%{fld1})", processor_chain([ - dup273, - dup9, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1059 = msg("00541:01", part1659); - - var part1660 = match("MESSAGE#1218:00541:02", "nwparser.payload", "The system killed OSPF neighbor because the current router could not see itself in the hello packet. Neighbor changed state from %{change_old->} to %{change_new->} state, (neighbor router-id 1%{fld2}, ip-address %{hostip}). (%{fld1})", processor_chain([ - dup273, - dup9, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1060 = msg("00541:02", part1660); - - var part1661 = match("MESSAGE#1219:00541:03/0", "nwparser.payload", "LSA in following area aged out: LSA area ID %{fld3}, LSA ID %{fld4}, router ID %{fld2}, type %{fld7->} in OSPF. 
(%{fld1})%{p0}"); - - var part1662 = match("MESSAGE#1219:00541:03/1_0", "nwparser.p0", "\u003c\u003c%{fld16}>"); - - var select374 = linear_select([ - part1662, - dup21, - ]); - - var all346 = all_match({ - processors: [ - part1661, - select374, - ], - on_success: processor_chain([ - dup44, - dup9, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg1061 = msg("00541:03", all346); - - var select375 = linear_select([ - msg1058, - msg1059, - msg1060, - msg1061, - ]); - - var part1663 = match("MESSAGE#1046:00542", "nwparser.payload", "BGP of vr: %{node}, prefix adding: %{fld2}, ribin overflow %{fld3->} times (max rib-in %{fld4})", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1062 = msg("00542", part1663); - - var part1664 = match("MESSAGE#1047:00543/0", "nwparser.payload", "Access for %{p0}"); - - var part1665 = match("MESSAGE#1047:00543/1_0", "nwparser.p0", "WebAuth firewall %{p0}"); - - var part1666 = match("MESSAGE#1047:00543/1_1", "nwparser.p0", "firewall %{p0}"); - - var select376 = linear_select([ - part1665, - part1666, - ]); - - var part1667 = match("MESSAGE#1047:00543/2", "nwparser.p0", "user %{username->} %{space}at %{hostip->} (accepted at %{fld2->} for duration %{duration->} via the %{logon_type}) %{p0}"); - - var part1668 = match("MESSAGE#1047:00543/3_0", "nwparser.p0", "by policy id %{policy_id->} is %{p0}"); - - var select377 = linear_select([ - part1668, - dup106, - ]); - - var part1669 = match("MESSAGE#1047:00543/4", "nwparser.p0", "now over (%{fld1})"); - - var all347 = all_match({ - processors: [ - part1664, - select376, - part1667, - select377, - part1669, - ], - on_success: processor_chain([ - dup281, - dup2, - dup4, - dup5, - dup9, - dup3, - ]), - }); - - var msg1063 = msg("00543", all347); - - var part1670 = match("MESSAGE#1048:00544", "nwparser.payload", "User %{username->} [ of group %{group->} ] at %{hostip->} has been challenged by the RADIUS server at %{daddr}", processor_chain([ - dup281, - dup2, - dup4, - 
dup5, - dup3, - dup60, - setc("action","RADIUS server challenge"), - ])); - - var msg1064 = msg("00544", part1670); - - var part1671 = match("MESSAGE#1049:00546", "nwparser.payload", "delete-route-> trust-vr: %{fld2}", processor_chain([ - dup281, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1065 = msg("00546", part1671); - - var part1672 = match("MESSAGE#1050:00547", "nwparser.payload", "AV: Content from %{saddr}:%{sport}->%{daddr}:%{dport->} was not scanned because max content size was exceeded.", processor_chain([ - dup44, - dup2, - dup4, - dup5, - dup3, - dup61, - ])); - - var msg1066 = msg("00547", part1672); - - var part1673 = match("MESSAGE#1051:00547:01", "nwparser.payload", "AV: Content from %{saddr}:%{sport}->%{daddr}:%{dport->} was not scanned due to a scan engine error or constraint.", processor_chain([ - dup44, - dup2, - dup4, - dup5, - dup3, - dup61, - ])); - - var msg1067 = msg("00547:01", part1673); - - var part1674 = match("MESSAGE#1052:00547:02", "nwparser.payload", "AV object scan-mgr data has been %{disposition}.", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1068 = msg("00547:02", part1674); - - var part1675 = match("MESSAGE#1053:00547:03/0", "nwparser.payload", "AV: Content from %{location_desc}, http url: %{url}, is passed %{p0}"); - - var part1676 = match("MESSAGE#1053:00547:03/1_0", "nwparser.p0", "due to %{p0}"); - - var part1677 = match("MESSAGE#1053:00547:03/1_1", "nwparser.p0", "because %{p0}"); - - var select378 = linear_select([ - part1676, - part1677, - ]); - - var part1678 = match("MESSAGE#1053:00547:03/2", "nwparser.p0", "%{result}. 
(%{event_time_string})"); - - var all348 = all_match({ - processors: [ - part1675, - select378, - part1678, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - setc("event_description","Content is bypassed for connection"), - ]), - }); - - var msg1069 = msg("00547:03", all348); - - var select379 = linear_select([ - msg1066, - msg1067, - msg1068, - msg1069, - ]); - - var part1679 = match("MESSAGE#1054:00549", "nwparser.payload", "add-route-> untrust-vr: %{fld2}", processor_chain([ - dup281, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1070 = msg("00549", part1679); - - var part1680 = match("MESSAGE#1055:00551", "nwparser.payload", "Error %{resultcode->} occurred during configlet file processing.", processor_chain([ - dup18, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1071 = msg("00551", part1680); - - var part1681 = match("MESSAGE#1056:00551:01", "nwparser.payload", "Error %{resultcode->} occurred, causing failure to establish secure management with Management System.", processor_chain([ - dup86, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1072 = msg("00551:01", part1681); - - var part1682 = match("MESSAGE#1057:00551:02/0", "nwparser.payload", "Configlet file %{p0}"); - - var part1683 = match("MESSAGE#1057:00551:02/1_0", "nwparser.p0", "decryption %{p0}"); - - var select380 = linear_select([ - part1683, - dup89, - ]); - - var all349 = all_match({ - processors: [ - part1682, - select380, - dup128, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg1073 = msg("00551:02", all349); - - var part1684 = match("MESSAGE#1058:00551:03", "nwparser.payload", "Rapid Deployment cannot start because gateway has undergone configuration changes. 
(%{fld1})", processor_chain([ - dup18, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg1074 = msg("00551:03", part1684); - - var part1685 = match("MESSAGE#1059:00551:04", "nwparser.payload", "Secure management established successfully with remote server. (%{fld1})", processor_chain([ - dup44, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg1075 = msg("00551:04", part1685); - - var select381 = linear_select([ - msg1071, - msg1072, - msg1073, - msg1074, - msg1075, - ]); - - var part1686 = match("MESSAGE#1060:00553/0", "nwparser.payload", "SCAN-MGR: Failed to get %{p0}"); - - var part1687 = match("MESSAGE#1060:00553/1_0", "nwparser.p0", "AltServer %{p0}"); - - var part1688 = match("MESSAGE#1060:00553/1_1", "nwparser.p0", "Version %{p0}"); - - var part1689 = match("MESSAGE#1060:00553/1_2", "nwparser.p0", "Path_GateLockCE %{p0}"); - - var select382 = linear_select([ - part1687, - part1688, - part1689, - ]); - - var all350 = all_match({ - processors: [ - part1686, - select382, - dup325, - ], - on_success: processor_chain([ - dup18, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg1076 = msg("00553", all350); - - var part1690 = match("MESSAGE#1061:00553:01", "nwparser.payload", "SCAN-MGR: Zero pattern size from server.ini.%{}", processor_chain([ - dup18, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1077 = msg("00553:01", part1690); - - var part1691 = match("MESSAGE#1062:00553:02", "nwparser.payload", "SCAN-MGR: Pattern size from server.ini is too large: %{bytes->} (bytes).", processor_chain([ - dup18, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1078 = msg("00553:02", part1691); - - var part1692 = match("MESSAGE#1063:00553:03", "nwparser.payload", "SCAN-MGR: Pattern URL from server.ini is too long: %{fld2}; max is %{fld3}.", processor_chain([ - dup18, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1079 = msg("00553:03", part1692); - - var part1693 = match("MESSAGE#1064:00553:04/0", "nwparser.payload", "SCAN-MGR: Failed to retrieve 
%{p0}"); - - var select383 = linear_select([ - dup326, - dup327, - ]); - - var part1694 = match("MESSAGE#1064:00553:04/2", "nwparser.p0", "file: %{fld2}; http status code: %{resultcode}."); - - var all351 = all_match({ - processors: [ - part1693, - select383, - part1694, - ], - on_success: processor_chain([ - dup18, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg1080 = msg("00553:04", all351); - - var part1695 = match("MESSAGE#1065:00553:05", "nwparser.payload", "SCAN-MGR: Failed to write pattern into a RAM file.%{}", processor_chain([ - dup18, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1081 = msg("00553:05", part1695); - - var part1696 = match("MESSAGE#1066:00553:06", "nwparser.payload", "SCAN-MGR: Check Pattern File failed: code from VSAPI: %{resultcode}", processor_chain([ - dup18, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1082 = msg("00553:06", part1696); - - var part1697 = match("MESSAGE#1067:00553:07", "nwparser.payload", "SCAN-MGR: Failed to write pattern into flash.%{}", processor_chain([ - dup18, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1083 = msg("00553:07", part1697); - - var part1698 = match("MESSAGE#1068:00553:08/0", "nwparser.payload", "SCAN-MGR: Internal error while setting up for retrieving %{p0}"); - - var select384 = linear_select([ - dup327, - dup326, - ]); - - var all352 = all_match({ - processors: [ - part1698, - select384, - dup328, - ], - on_success: processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg1084 = msg("00553:08", all352); - - var part1699 = match("MESSAGE#1069:00553:09", "nwparser.payload", "SCAN-MGR: %{fld2->} %{disposition}: Err: %{resultcode}.", processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1085 = msg("00553:09", part1699); - - var part1700 = match("MESSAGE#1070:00553:10", "nwparser.payload", "SCAN-MGR: TMIntCPVSInit %{disposition->} due to %{result}", processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1086 = 
msg("00553:10", part1700); - - var part1701 = match("MESSAGE#1071:00553:11", "nwparser.payload", "SCAN-MGR: Attempted Pattern Creation Date(%{fld2}) is after AV Key Expiration date(%{fld3}).", processor_chain([ - dup18, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1087 = msg("00553:11", part1701); - - var part1702 = match("MESSAGE#1072:00553:12", "nwparser.payload", "SCAN-MGR: TMIntSetDecompressLayer %{disposition}: Layer: %{fld2}, Err: %{resultcode}.", processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1088 = msg("00553:12", part1702); - - var part1703 = match("MESSAGE#1073:00553:13", "nwparser.payload", "SCAN-MGR: TMIntSetExtractFileSizeLimit %{disposition}: Limit: %{fld2}, Err: %{resultcode}.", processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1089 = msg("00553:13", part1703); - - var part1704 = match("MESSAGE#1074:00553:14", "nwparser.payload", "SCAN-MGR: TMIntScanFile %{disposition}: ret: %{fld2}; cpapiErrCode: %{resultcode}.", processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1090 = msg("00553:14", part1704); - - var part1705 = match("MESSAGE#1075:00553:15", "nwparser.payload", "SCAN-MGR: VSAPI resource usage error. 
Left usage: %{fld2}.", processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1091 = msg("00553:15", part1705); - - var part1706 = match("MESSAGE#1076:00553:16", "nwparser.payload", "SCAN-MGR: Set decompress layer to %{fld2}.", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1092 = msg("00553:16", part1706); - - var part1707 = match("MESSAGE#1077:00553:17", "nwparser.payload", "SCAN-MGR: Set maximum content size to %{fld2}.", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1093 = msg("00553:17", part1707); - - var part1708 = match("MESSAGE#1078:00553:18", "nwparser.payload", "SCAN-MGR: Set maximum number of concurrent messages to %{fld2}.", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1094 = msg("00553:18", part1708); - - var part1709 = match("MESSAGE#1079:00553:19", "nwparser.payload", "SCAN-MGR: Set drop if maximum number of concurrent messages exceeds max to %{fld2}.", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1095 = msg("00553:19", part1709); - - var part1710 = match("MESSAGE#1080:00553:20", "nwparser.payload", "SCAN-MGR: Set Pattern URL to %{fld2}; update interval is %{fld3}.", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1096 = msg("00553:20", part1710); - - var part1711 = match("MESSAGE#1081:00553:21", "nwparser.payload", "SCAN-MGR: Unset Pattern URL; Pattern will not be updated automatically.%{}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1097 = msg("00553:21", part1711); - - var part1712 = match("MESSAGE#1082:00553:22", "nwparser.payload", "SCAN-MGR: New pattern updated: version: %{version}, size: %{bytes->} (bytes).", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1098 = msg("00553:22", part1712); - - var select385 = linear_select([ - msg1076, - msg1077, - msg1078, - msg1079, - msg1080, - msg1081, - msg1082, - msg1083, - 
msg1084, - msg1085, - msg1086, - msg1087, - msg1088, - msg1089, - msg1090, - msg1091, - msg1092, - msg1093, - msg1094, - msg1095, - msg1096, - msg1097, - msg1098, - ]); - - var part1713 = match("MESSAGE#1083:00554/0", "nwparser.payload", "SCAN-MGR: Cannot get %{p0}"); - - var part1714 = match("MESSAGE#1083:00554/1_0", "nwparser.p0", "AltServer info %{p0}"); - - var part1715 = match("MESSAGE#1083:00554/1_1", "nwparser.p0", "Version number %{p0}"); - - var part1716 = match("MESSAGE#1083:00554/1_2", "nwparser.p0", "Path_GateLockCE info %{p0}"); - - var select386 = linear_select([ - part1714, - part1715, - part1716, - ]); - - var all353 = all_match({ - processors: [ - part1713, - select386, - dup325, - ], - on_success: processor_chain([ - dup144, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg1099 = msg("00554", all353); - - var part1717 = match("MESSAGE#1084:00554:01", "nwparser.payload", "SCAN-MGR: Per server.ini file, the AV pattern file size is zero.%{}", processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1100 = msg("00554:01", part1717); - - var part1718 = match("MESSAGE#1085:00554:02", "nwparser.payload", "SCAN-MGR: AV pattern file size is too large (%{bytes->} bytes).", processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1101 = msg("00554:02", part1718); - - var part1719 = match("MESSAGE#1086:00554:03", "nwparser.payload", "SCAN-MGR: Alternate AV pattern file server URL is too long: %{bytes->} bytes. Max: %{fld2->} bytes.", processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1102 = msg("00554:03", part1719); - - var part1720 = match("MESSAGE#1087:00554:04/0", "nwparser.payload", "SCAN-MGR: Cannot retrieve %{p0}"); - - var part1721 = match("MESSAGE#1087:00554:04/2", "nwparser.p0", "file from %{hostip}:%{network_port}. 
HTTP status code: %{fld2}."); - - var all354 = all_match({ - processors: [ - part1720, - dup405, - part1721, - ], - on_success: processor_chain([ - dup144, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg1103 = msg("00554:04", all354); - - var part1722 = match("MESSAGE#1088:00554:05/0", "nwparser.payload", "SCAN-MGR: Cannot write AV pattern file to %{p0}"); - - var part1723 = match("MESSAGE#1088:00554:05/1_0", "nwparser.p0", "RAM %{p0}"); - - var part1724 = match("MESSAGE#1088:00554:05/1_1", "nwparser.p0", "flash %{p0}"); - - var select387 = linear_select([ - part1723, - part1724, - ]); - - var all355 = all_match({ - processors: [ - part1722, - select387, - dup116, - ], - on_success: processor_chain([ - dup144, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg1104 = msg("00554:05", all355); - - var part1725 = match("MESSAGE#1089:00554:06", "nwparser.payload", "SCAN-MGR: Cannot check AV pattern file. VSAPI code: %{fld2}", processor_chain([ - dup144, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1105 = msg("00554:06", part1725); - - var part1726 = match("MESSAGE#1090:00554:07/0", "nwparser.payload", "SCAN-MGR: Internal error occurred while retrieving %{p0}"); - - var all356 = all_match({ - processors: [ - part1726, - dup405, - dup328, - ], - on_success: processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg1106 = msg("00554:07", all356); - - var part1727 = match("MESSAGE#1091:00554:08/0", "nwparser.payload", "SCAN-MGR: Internal error occurred when calling this function: %{fld2}. 
%{fld3->} %{p0}"); - - var part1728 = match("MESSAGE#1091:00554:08/1_0", "nwparser.p0", "Error: %{resultcode->} %{p0}"); - - var part1729 = match("MESSAGE#1091:00554:08/1_1", "nwparser.p0", "Returned a NULL VSC handler %{p0}"); - - var part1730 = match("MESSAGE#1091:00554:08/1_2", "nwparser.p0", "cpapiErrCode: %{resultcode->} %{p0}"); - - var select388 = linear_select([ - part1728, - part1729, - part1730, - ]); - - var all357 = all_match({ - processors: [ - part1727, - select388, - dup116, - ], - on_success: processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg1107 = msg("00554:08", all357); - - var part1731 = match("MESSAGE#1092:00554:09", "nwparser.payload", "SCAN-MGR: Number of decompression layers has been set to %{fld2}.", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1108 = msg("00554:09", part1731); - - var part1732 = match("MESSAGE#1093:00554:10", "nwparser.payload", "SCAN-MGR: Maximum content size has been set to %{fld2->} KB.", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1109 = msg("00554:10", part1732); - - var part1733 = match("MESSAGE#1094:00554:11", "nwparser.payload", "SCAN-MGR: Maximum number of concurrent messages has been set to %{fld2}.", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1110 = msg("00554:11", part1733); - - var part1734 = match("MESSAGE#1095:00554:12/0", "nwparser.payload", "SCAN-MGR: Fail mode has been set to %{p0}"); - - var part1735 = match("MESSAGE#1095:00554:12/1_0", "nwparser.p0", "drop %{p0}"); - - var part1736 = match("MESSAGE#1095:00554:12/1_1", "nwparser.p0", "pass %{p0}"); - - var select389 = linear_select([ - part1735, - part1736, - ]); - - var part1737 = match("MESSAGE#1095:00554:12/2", "nwparser.p0", "unexamined traffic if %{p0}"); - - var part1738 = match("MESSAGE#1095:00554:12/3_0", "nwparser.p0", "content size %{p0}"); - - var part1739 = match("MESSAGE#1095:00554:12/3_1", "nwparser.p0", "number of 
concurrent messages %{p0}"); - - var select390 = linear_select([ - part1738, - part1739, - ]); - - var part1740 = match("MESSAGE#1095:00554:12/4", "nwparser.p0", "exceeds max.%{}"); - - var all358 = all_match({ - processors: [ - part1734, - select389, - part1737, - select390, - part1740, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg1111 = msg("00554:12", all358); - - var part1741 = match("MESSAGE#1096:00554:13", "nwparser.payload", "SCAN-MGR: URL for AV pattern update server has been set to %{fld2}, and the update interval to %{fld3->} minutes.", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1112 = msg("00554:13", part1741); - - var part1742 = match("MESSAGE#1097:00554:14", "nwparser.payload", "SCAN-MGR: URL for AV pattern update server has been unset, and the update interval returned to its default.%{}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1113 = msg("00554:14", part1742); - - var part1743 = match("MESSAGE#1098:00554:15", "nwparser.payload", "SCAN-MGR: New AV pattern file has been updated. Version: %{version}; size: %{bytes->} bytes.", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1114 = msg("00554:15", part1743); - - var part1744 = match("MESSAGE#1099:00554:16", "nwparser.payload", "SCAN-MGR: AV client has exceeded its resource allotment. Remaining available resources: %{fld2}.", processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1115 = msg("00554:16", part1744); - - var part1745 = match("MESSAGE#1100:00554:17", "nwparser.payload", "SCAN-MGR: Attempted to load AV pattern file created %{fld2->} after the AV subscription expired. 
(Exp: %{fld3})", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1116 = msg("00554:17", part1745); - - var select391 = linear_select([ - msg1099, - msg1100, - msg1101, - msg1102, - msg1103, - msg1104, - msg1105, - msg1106, - msg1107, - msg1108, - msg1109, - msg1110, - msg1111, - msg1112, - msg1113, - msg1114, - msg1115, - msg1116, - ]); - - var part1746 = match("MESSAGE#1101:00555", "nwparser.payload", "Vrouter %{node->} PIMSM cannot process non-multicast address %{hostip}", processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1117 = msg("00555", part1746); - - var part1747 = match("MESSAGE#1102:00556", "nwparser.payload", "UF-MGR: Failed to process a request. Reason: %{result}", processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1118 = msg("00556", part1747); - - var part1748 = match("MESSAGE#1103:00556:01", "nwparser.payload", "UF-MGR: Failed to abort a transaction. Reason: %{result}", processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1119 = msg("00556:01", part1748); - - var part1749 = match("MESSAGE#1104:00556:02/0", "nwparser.payload", "UF-MGR: UF %{p0}"); - - var part1750 = match("MESSAGE#1104:00556:02/1_0", "nwparser.p0", "K%{p0}"); - - var part1751 = match("MESSAGE#1104:00556:02/1_1", "nwparser.p0", "k%{p0}"); - - var select392 = linear_select([ - part1750, - part1751, - ]); - - var part1752 = match("MESSAGE#1104:00556:02/2", "nwparser.p0", "ey %{p0}"); - - var part1753 = match("MESSAGE#1104:00556:02/3_0", "nwparser.p0", "Expired%{p0}"); - - var part1754 = match("MESSAGE#1104:00556:02/3_1", "nwparser.p0", "expired%{p0}"); - - var select393 = linear_select([ - part1753, - part1754, - ]); - - var part1755 = match("MESSAGE#1104:00556:02/4", "nwparser.p0", "%{}(expiration date: %{fld2}; current date: %{fld3})."); - - var all359 = all_match({ - processors: [ - part1749, - select392, - part1752, - select393, - part1755, - ], - on_success: processor_chain([ - 
dup254, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg1120 = msg("00556:02", all359); - - var part1756 = match("MESSAGE#1105:00556:03/0", "nwparser.payload", "UF-MGR: Failed to %{p0}"); - - var part1757 = match("MESSAGE#1105:00556:03/1_0", "nwparser.p0", "enable %{p0}"); - - var part1758 = match("MESSAGE#1105:00556:03/1_1", "nwparser.p0", "disable %{p0}"); - - var select394 = linear_select([ - part1757, - part1758, - ]); - - var part1759 = match("MESSAGE#1105:00556:03/2", "nwparser.p0", "cache.%{}"); - - var all360 = all_match({ - processors: [ - part1756, - select394, - part1759, - ], - on_success: processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg1121 = msg("00556:03", all360); - - var part1760 = match("MESSAGE#1106:00556:04", "nwparser.payload", "UF-MGR: Internal Error: %{resultcode}", processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1122 = msg("00556:04", part1760); - - var part1761 = match("MESSAGE#1107:00556:05", "nwparser.payload", "UF-MGR: Cache size changed to %{fld2}(K).", processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1123 = msg("00556:05", part1761); - - var part1762 = match("MESSAGE#1108:00556:06", "nwparser.payload", "UF-MGR: Cache timeout changes to %{fld2->} (hours).", processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1124 = msg("00556:06", part1762); - - var part1763 = match("MESSAGE#1109:00556:07", "nwparser.payload", "UF-MGR: Category update interval changed to %{fld2->} (weeks).", processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1125 = msg("00556:07", part1763); - - var part1764 = match("MESSAGE#1110:00556:08/0", "nwparser.payload", "UF-MGR: Cache %{p0}"); - - var all361 = all_match({ - processors: [ - part1764, - dup358, - dup116, - ], - on_success: processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg1126 = msg("00556:08", all361); - - var part1765 = 
match("MESSAGE#1111:00556:09", "nwparser.payload", "UF-MGR: URL BLOCKED: ip_addr (%{fld2}) -> ip_addr (%{fld3}), %{fld4->} action: %{disposition}, category: %{fld5}, reason %{result}", processor_chain([ - dup232, - dup2, - dup3, - dup4, - dup5, - dup282, - ])); - - var msg1127 = msg("00556:09", part1765); - - var part1766 = match("MESSAGE#1112:00556:10", "nwparser.payload", "UF-MGR: URL FILTER ERR: ip_addr (%{fld2}) -> ip_addr (%{fld3}), host: %{fld5->} page: %{fld4->} code: %{resultcode->} reason: %{result}.", processor_chain([ - dup232, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1128 = msg("00556:10", part1766); - - var part1767 = match("MESSAGE#1113:00556:11", "nwparser.payload", "UF-MGR: Primary CPA server changed to %{fld2}", processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1129 = msg("00556:11", part1767); - - var part1768 = match("MESSAGE#1114:00556:12/0", "nwparser.payload", "UF-MGR: %{fld2->} CPA server %{p0}"); - - var select395 = linear_select([ - dup140, - dup169, - ]); - - var part1769 = match("MESSAGE#1114:00556:12/2", "nwparser.p0", "changed to %{fld3}."); - - var all362 = all_match({ - processors: [ - part1768, - select395, - part1769, - ], - on_success: processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg1130 = msg("00556:12", all362); - - var part1770 = match("MESSAGE#1115:00556:13", "nwparser.payload", "UF-MGR: SurfControl URL filtering %{disposition}.", processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1131 = msg("00556:13", part1770); - - var part1771 = match("MESSAGE#1116:00556:14/0", "nwparser.payload", "UF-MGR: The url %{url->} was %{p0}"); - - var part1772 = match("MESSAGE#1116:00556:14/2", "nwparser.p0", "category %{fld2}."); - - var all363 = all_match({ - processors: [ - part1771, - dup406, - part1772, - ], - on_success: processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg1132 = msg("00556:14", all363); - - var 
part1773 = match("MESSAGE#1117:00556:15/0", "nwparser.payload", "UF-MGR: The category %{fld2->} was %{p0}"); - - var part1774 = match("MESSAGE#1117:00556:15/2", "nwparser.p0", "profile %{fld3->} with action %{disposition}."); - - var all364 = all_match({ - processors: [ - part1773, - dup406, - part1774, - ], - on_success: processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - dup282, - ]), - }); - - var msg1133 = msg("00556:15", all364); - - var part1775 = match("MESSAGE#1118:00556:16/0", "nwparser.payload", "UF-MGR: The %{p0}"); - - var part1776 = match("MESSAGE#1118:00556:16/1_0", "nwparser.p0", "profile %{p0}"); - - var part1777 = match("MESSAGE#1118:00556:16/1_1", "nwparser.p0", "category %{p0}"); - - var select396 = linear_select([ - part1776, - part1777, - ]); - - var part1778 = match("MESSAGE#1118:00556:16/2", "nwparser.p0", "%{fld2->} was %{p0}"); - - var select397 = linear_select([ - dup104, - dup120, - ]); - - var all365 = all_match({ - processors: [ - part1775, - select396, - part1778, - select397, - dup116, - ], - on_success: processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg1134 = msg("00556:16", all365); - - var part1779 = match("MESSAGE#1119:00556:17/0", "nwparser.payload", "UF-MGR: The category %{fld2->} was set in profile %{profile->} as the %{p0}"); - - var part1780 = match("MESSAGE#1119:00556:17/1_0", "nwparser.p0", "black %{p0}"); - - var part1781 = match("MESSAGE#1119:00556:17/1_1", "nwparser.p0", "white %{p0}"); - - var select398 = linear_select([ - part1780, - part1781, - ]); - - var part1782 = match("MESSAGE#1119:00556:17/2", "nwparser.p0", "list.%{}"); - - var all366 = all_match({ - processors: [ - part1779, - select398, - part1782, - ], - on_success: processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg1135 = msg("00556:17", all366); - - var part1783 = match("MESSAGE#1120:00556:18/0", "nwparser.payload", "UF-MGR: The action for %{fld2->} in profile %{profile->} was %{p0}"); 
- - var part1784 = match("MESSAGE#1120:00556:18/1_1", "nwparser.p0", "changed %{p0}"); - - var select399 = linear_select([ - dup101, - part1784, - ]); - - var part1785 = match("MESSAGE#1120:00556:18/2", "nwparser.p0", "to %{fld3}."); - - var all367 = all_match({ - processors: [ - part1783, - select399, - part1785, - ], - on_success: processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg1136 = msg("00556:18", all367); - - var part1786 = match("MESSAGE#1121:00556:20/0", "nwparser.payload", "UF-MGR: The category list from the CPA server %{p0}"); - - var part1787 = match("MESSAGE#1121:00556:20/2", "nwparser.p0", "updated on%{p0}"); - - var select400 = linear_select([ - dup103, - dup96, - ]); - - var part1788 = match("MESSAGE#1121:00556:20/4", "nwparser.p0", "the device.%{}"); - - var all368 = all_match({ - processors: [ - part1786, - dup355, - part1787, - select400, - part1788, - ], - on_success: processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg1137 = msg("00556:20", all368); - - var part1789 = match("MESSAGE#1122:00556:21", "nwparser.payload", "UF-MGR: URL BLOCKED: %{saddr}(%{sport})->%{daddr}(%{dport}), %{fld2->} action: %{disposition}, category: %{category}, reason: %{result->} (%{fld1})", processor_chain([ - dup232, - dup2, - dup3, - dup9, - dup4, - dup5, - dup282, - ])); - - var msg1138 = msg("00556:21", part1789); - - var part1790 = match("MESSAGE#1123:00556:22", "nwparser.payload", "UF-MGR: URL BLOCKED: %{saddr}(%{sport})->%{daddr}(%{dport}), %{fld2->} (%{fld1})", processor_chain([ - dup232, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg1139 = msg("00556:22", part1790); - - var select401 = linear_select([ - msg1118, - msg1119, - msg1120, - msg1121, - msg1122, - msg1123, - msg1124, - msg1125, - msg1126, - msg1127, - msg1128, - msg1129, - msg1130, - msg1131, - msg1132, - msg1133, - msg1134, - msg1135, - msg1136, - msg1137, - msg1138, - msg1139, - ]); - - var part1791 = 
match("MESSAGE#1124:00572", "nwparser.payload", "PPP LCP on interface %{interface->} is %{fld2}. (%{fld1})", processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg1140 = msg("00572", part1791); - - var part1792 = match("MESSAGE#1125:00572:01", "nwparser.payload", "PPP authentication state on interface %{interface}: %{result}. (%{fld1})", processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg1141 = msg("00572:01", part1792); - - var part1793 = match("MESSAGE#1126:00572:03", "nwparser.payload", "PPP on interface %{interface->} is %{disposition->} by receiving Terminate-Request. (%{fld1})", processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg1142 = msg("00572:03", part1793); - - var select402 = linear_select([ - msg1140, - msg1141, - msg1142, - ]); - - var part1794 = match("MESSAGE#1127:00615", "nwparser.payload", "PBR policy \"%{policyname}\" rebuilding lookup tree for virtual router \"%{node}\". (%{fld1})", processor_chain([ - dup44, - dup2, - dup4, - dup5, - dup9, - ])); - - var msg1143 = msg("00615", part1794); - - var part1795 = match("MESSAGE#1128:00615:01", "nwparser.payload", "PBR policy \"%{policyname}\" lookup tree rebuilt successfully in virtual router \"%{node}\". (%{fld1})", processor_chain([ - dup44, - dup2, - dup4, - dup5, - dup9, - ])); - - var msg1144 = msg("00615:01", part1795); - - var select403 = linear_select([ - msg1143, - msg1144, - ]); - - var part1796 = match("MESSAGE#1129:00601", "nwparser.payload", "%{signame->} attack! From %{saddr}:%{sport->} to %{daddr}:%{dport}, proto %{protocol}, through policy %{policyname}. Occurred %{dclass_counter1->} times. 
(%{fld1})", processor_chain([ - dup58, - dup2, - dup59, - dup3, - dup9, - dup4, - dup5, - dup61, - ])); - - var msg1145 = msg("00601", part1796); - - var part1797 = match("MESSAGE#1130:00601:01", "nwparser.payload", "%{signame->} has been detected from %{saddr}/%{sport->} to %{daddr}/%{dport->} through policy %{policyname->} %{dclass_counter1->} times. (%{fld1})", processor_chain([ - dup58, - dup2, - dup59, - dup3, - dup9, - dup4, - dup5, - dup61, - ])); - - var msg1146 = msg("00601:01", part1797); - - var part1798 = match("MESSAGE#1131:00601:18", "nwparser.payload", "Error in initializing multicast.%{}", processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1147 = msg("00601:18", part1798); - - var select404 = linear_select([ - msg1145, - msg1146, - msg1147, - ]); - - var part1799 = match("MESSAGE#1132:00602", "nwparser.payload", "PIMSM Error in initializing interface state change%{}", processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1148 = msg("00602", part1799); - - var part1800 = match("MESSAGE#1133:00612/0", "nwparser.payload", "Switch event: the status of ethernet port %{fld2->} changed to link %{p0}"); - - var part1801 = match("MESSAGE#1133:00612/2", "nwparser.p0", ", duplex %{p0}"); - - var part1802 = match("MESSAGE#1133:00612/3_0", "nwparser.p0", "full %{p0}"); - - var part1803 = match("MESSAGE#1133:00612/3_1", "nwparser.p0", "half %{p0}"); - - var select405 = linear_select([ - part1802, - part1803, - ]); - - var part1804 = match("MESSAGE#1133:00612/4", "nwparser.p0", ", speed 10%{p0}"); - - var part1805 = match("MESSAGE#1133:00612/5_0", "nwparser.p0", "0 %{p0}"); - - var select406 = linear_select([ - part1805, - dup96, - ]); - - var part1806 = match("MESSAGE#1133:00612/6", "nwparser.p0", "M. 
(%{fld1})"); - - var all369 = all_match({ - processors: [ - part1800, - dup353, - part1801, - select405, - part1804, - select406, - part1806, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg1149 = msg("00612", all369); - - var part1807 = match("MESSAGE#1134:00620", "nwparser.payload", "RTSYNC: Event posted to send all the DRP routes to backup device. (%{fld1})", processor_chain([ - dup272, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg1150 = msg("00620", part1807); - - var part1808 = match("MESSAGE#1135:00620:01/0", "nwparser.payload", "RTSYNC: %{p0}"); - - var part1809 = match("MESSAGE#1135:00620:01/1_0", "nwparser.p0", "Serviced%{p0}"); - - var part1810 = match("MESSAGE#1135:00620:01/1_1", "nwparser.p0", "Recieved%{p0}"); - - var select407 = linear_select([ - part1809, - part1810, - ]); - - var part1811 = match("MESSAGE#1135:00620:01/2", "nwparser.p0", "%{}coldstart request for route synchronization from NSRP peer. (%{fld1})"); - - var all370 = all_match({ - processors: [ - part1808, - select407, - part1811, - ], - on_success: processor_chain([ - dup272, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg1151 = msg("00620:01", all370); - - var part1812 = match("MESSAGE#1136:00620:02", "nwparser.payload", "RTSYNC: Started timer to purge all the DRP backup routes - %{fld2->} (%{fld1})", processor_chain([ - dup272, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg1152 = msg("00620:02", part1812); - - var part1813 = match("MESSAGE#1137:00620:03", "nwparser.payload", "RTSYNC: Event posted to purge backup routes in all vrouters. (%{fld1})", processor_chain([ - dup272, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg1153 = msg("00620:03", part1813); - - var part1814 = match("MESSAGE#1138:00620:04", "nwparser.payload", "RTSYNC: Timer to purge the DRP backup routes is stopped. 
(%{fld1})", processor_chain([ - dup272, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg1154 = msg("00620:04", part1814); - - var select408 = linear_select([ - msg1150, - msg1151, - msg1152, - msg1153, - msg1154, - ]); - - var part1815 = match("MESSAGE#1139:00622", "nwparser.payload", "NHRP : NHRP instance in virtual router %{node->} is created. (%{fld1})", processor_chain([ - dup273, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg1155 = msg("00622", part1815); - - var part1816 = match("MESSAGE#1140:00625/0", "nwparser.payload", "Session (id %{sessionid->} src-ip %{saddr->} dst-ip %{daddr->} dst port %{dport}) route is %{p0}"); - - var part1817 = match("MESSAGE#1140:00625/1_0", "nwparser.p0", "invalid%{p0}"); - - var part1818 = match("MESSAGE#1140:00625/1_1", "nwparser.p0", "valid%{p0}"); - - var select409 = linear_select([ - part1817, - part1818, - ]); - - var all371 = all_match({ - processors: [ - part1816, - select409, - dup49, - ], - on_success: processor_chain([ - dup273, - dup2, - dup4, - dup5, - dup9, - ]), - }); - - var msg1156 = msg("00625", all371); - - var part1819 = match("MESSAGE#1141:00628/0", "nwparser.payload", "audit log queue %{p0}"); - - var part1820 = match("MESSAGE#1141:00628/1_0", "nwparser.p0", "Traffic Log %{p0}"); - - var part1821 = match("MESSAGE#1141:00628/1_1", "nwparser.p0", "Event Alarm Log %{p0}"); - - var part1822 = match("MESSAGE#1141:00628/1_2", "nwparser.p0", "Event Log %{p0}"); - - var select410 = linear_select([ - part1820, - part1821, - part1822, - ]); - - var part1823 = match("MESSAGE#1141:00628/2", "nwparser.p0", "is overwritten (%{fld1})"); - - var all372 = all_match({ - processors: [ - part1819, - select410, - part1823, - ], - on_success: processor_chain([ - dup223, - dup2, - dup4, - dup5, - dup9, - ]), - }); - - var msg1157 = msg("00628", all372); - - var part1824 = match("MESSAGE#1142:00767:50", "nwparser.payload", "Log setting was modified to %{disposition->} %{fld2->} level by admin 
%{administrator->} (%{fld1})", processor_chain([ - dup1, - dup2, - dup4, - dup5, - dup9, - dup282, - ])); - - var msg1158 = msg("00767:50", part1824); - - var part1825 = match("MESSAGE#1143:00767:51", "nwparser.payload", "Attack CS:Man in Middle is created by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport->} by admin %{administrator->} (%{fld1})", processor_chain([ - dup58, - dup2, - dup4, - dup5, - dup9, - ])); - - var msg1159 = msg("00767:51", part1825); - - var part1826 = match("MESSAGE#1144:00767:52", "nwparser.payload", "Attack group %{group->} is created by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport->} by admin %{administrator->} (%{fld1})", processor_chain([ - dup58, - dup2, - dup4, - dup5, - dup9, - ])); - - var msg1160 = msg("00767:52", part1826); - - var part1827 = match("MESSAGE#1145:00767:53", "nwparser.payload", "Attack CS:Man in Middle is added to attack group %{group->} by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport->} by admin %{administrator->} (%{fld1})", processor_chain([ - dup58, - dup2, - dup4, - dup5, - dup9, - ])); - - var msg1161 = msg("00767:53", part1827); - - var part1828 = match("MESSAGE#1146:00767", "nwparser.payload", "Cannot contact the SecurID server%{}", processor_chain([ - dup27, - setc("ec_theme","Communication"), - dup39, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1162 = msg("00767", part1828); - - var part1829 = match("MESSAGE#1147:00767:01/0", "nwparser.payload", "System auto-config of file %{fld2->} from TFTP server %{hostip->} has %{p0}"); - - var part1830 = match("MESSAGE#1147:00767:01/1_0", "nwparser.p0", "been loaded successfully%{}"); - - var part1831 = match("MESSAGE#1147:00767:01/1_1", "nwparser.p0", "failed%{}"); - - var select411 = linear_select([ - part1830, - part1831, - ]); - - var all373 = all_match({ - processors: [ - part1829, - select411, - ], - on_success: processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, 
- ]), - }); - - var msg1163 = msg("00767:01", all373); - - var part1832 = match("MESSAGE#1148:00767:02", "nwparser.payload", "netscreen: System Config saved from host %{saddr}", processor_chain([ - setc("eventcategory","1702000000"), - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1164 = msg("00767:02", part1832); - - var part1833 = match("MESSAGE#1149:00767:03", "nwparser.payload", "System Config saved to filename %(unknown)", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1165 = msg("00767:03", part1833); - - var part1834 = match("MESSAGE#1150:00767:04", "nwparser.payload", "System is operational.%{}", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1166 = msg("00767:04", part1834); - - var part1835 = match("MESSAGE#1151:00767:05", "nwparser.payload", "The device cannot contact the SecurID server%{}", processor_chain([ - dup27, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1167 = msg("00767:05", part1835); - - var part1836 = match("MESSAGE#1152:00767:06", "nwparser.payload", "The device cannot send data to the SecurID server%{}", processor_chain([ - dup27, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1168 = msg("00767:06", part1836); - - var part1837 = match("MESSAGE#1153:00767:07", "nwparser.payload", "The system configuration was saved from peer unit by admin%{}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1169 = msg("00767:07", part1837); - - var part1838 = match("MESSAGE#1154:00767:08/0", "nwparser.payload", "The system configuration was saved by admin %{p0}"); - - var all374 = all_match({ - processors: [ - part1838, - dup397, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg1170 = msg("00767:08", all374); - - var part1839 = match("MESSAGE#1155:00767:09/0", "nwparser.payload", "traffic shaping is turned O%{p0}"); - - var part1840 = match("MESSAGE#1155:00767:09/1_0", "nwparser.p0", "N%{}"); - - var 
part1841 = match("MESSAGE#1155:00767:09/1_1", "nwparser.p0", "FF%{}"); - - var select412 = linear_select([ - part1840, - part1841, - ]); - - var all375 = all_match({ - processors: [ - part1839, - select412, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg1171 = msg("00767:09", all375); - - var part1842 = match("MESSAGE#1156:00767:10/0", "nwparser.payload", "The system configuration was saved from host %{saddr->} by admin %{p0}"); - - var all376 = all_match({ - processors: [ - part1842, - dup397, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg1172 = msg("00767:10", all376); - - var part1843 = match("MESSAGE#1157:00767:11/0", "nwparser.payload", "Fatal error. The NetScreen device was unable to upgrade the %{p0}"); - - var part1844 = match("MESSAGE#1157:00767:11/1_1", "nwparser.p0", "file system %{p0}"); - - var select413 = linear_select([ - dup331, - part1844, - ]); - - var part1845 = match("MESSAGE#1157:00767:11/2", "nwparser.p0", ", and the %{p0}"); - - var part1846 = match("MESSAGE#1157:00767:11/3_1", "nwparser.p0", "old file system %{p0}"); - - var select414 = linear_select([ - dup331, - part1846, - ]); - - var part1847 = match("MESSAGE#1157:00767:11/4", "nwparser.p0", "is damaged.%{}"); - - var all377 = all_match({ - processors: [ - part1843, - select413, - part1845, - select414, - part1847, - ], - on_success: processor_chain([ - dup18, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg1173 = msg("00767:11", all377); - - var part1848 = match("MESSAGE#1158:00767:12", "nwparser.payload", "System configuration saved by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport->} by %{fld2->} (%{fld1})", processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg1174 = msg("00767:12", part1848); - - var part1849 = match("MESSAGE#1159:00767:13/0", "nwparser.payload", "%{fld2}Environment variable %{fld3->} is 
changed to %{fld4->} by admin %{p0}"); - - var all378 = all_match({ - processors: [ - part1849, - dup397, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg1175 = msg("00767:13", all378); - - var part1850 = match("MESSAGE#1160:00767:14/0", "nwparser.payload", "System was %{p0}"); - - var part1851 = match("MESSAGE#1160:00767:14/1_0", "nwparser.p0", "reset %{p0}"); - - var select415 = linear_select([ - part1851, - dup262, - ]); - - var part1852 = match("MESSAGE#1160:00767:14/2", "nwparser.p0", "at %{fld2->} by %{p0}"); - - var part1853 = match("MESSAGE#1160:00767:14/3_0", "nwparser.p0", "admin %{administrator}"); - - var part1854 = match_copy("MESSAGE#1160:00767:14/3_1", "nwparser.p0", "username"); - - var select416 = linear_select([ - part1853, - part1854, - ]); - - var all379 = all_match({ - processors: [ - part1850, - select415, - part1852, - select416, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg1176 = msg("00767:14", all379); - - var part1855 = match("MESSAGE#1161:00767:15/1_0", "nwparser.p0", "System %{p0}"); - - var part1856 = match("MESSAGE#1161:00767:15/1_1", "nwparser.p0", "Event %{p0}"); - - var part1857 = match("MESSAGE#1161:00767:15/1_2", "nwparser.p0", "Traffic %{p0}"); - - var select417 = linear_select([ - part1855, - part1856, - part1857, - ]); - - var part1858 = match("MESSAGE#1161:00767:15/2", "nwparser.p0", "log was reviewed by %{p0}"); - - var part1859 = match("MESSAGE#1161:00767:15/4", "nwparser.p0", "%{} %{username}."); - - var all380 = all_match({ - processors: [ - dup183, - select417, - part1858, - dup336, - part1859, - ], - on_success: processor_chain([ - dup223, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg1177 = msg("00767:15", all380); - - var part1860 = match("MESSAGE#1162:00767:16", "nwparser.payload", "%{fld2->} Admin %{administrator->} issued command %{info->} to redirect output.", processor_chain([ - dup1, - 
dup2, - dup3, - dup4, - dup5, - ])); - - var msg1178 = msg("00767:16", part1860); - - var part1861 = match("MESSAGE#1163:00767:17/0", "nwparser.payload", "%{fld2->} Save new software from %{fld3->} to flash by admin %{p0}"); - - var all381 = all_match({ - processors: [ - part1861, - dup397, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg1179 = msg("00767:17", all381); - - var part1862 = match("MESSAGE#1164:00767:18", "nwparser.payload", "Attack database version %{version->} has been %{fld2->} saved to flash.", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1180 = msg("00767:18", part1862); - - var part1863 = match("MESSAGE#1165:00767:19", "nwparser.payload", "Attack database version %{version->} was rejected because the authentication check failed.", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1181 = msg("00767:19", part1863); - - var part1864 = match("MESSAGE#1166:00767:20", "nwparser.payload", "The dictionary file version of the RADIUS server %{hostname->} does not match %{fld2}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1182 = msg("00767:20", part1864); - - var part1865 = match("MESSAGE#1167:00767:21", "nwparser.payload", "Session (%{fld2->} %{fld3}, %{fld4}) cleared %{fld5}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1183 = msg("00767:21", part1865); - - var part1866 = match("MESSAGE#1168:00767:22/0", "nwparser.payload", "The system configuration was not saved %{p0}"); - - var part1867 = match("MESSAGE#1168:00767:22/1_0", "nwparser.p0", "%{fld2->} by admin %{administrator->} via NSRP Peer %{p0}"); - - var part1868 = match("MESSAGE#1168:00767:22/1_1", "nwparser.p0", "%{fld2->} %{p0}"); - - var select418 = linear_select([ - part1867, - part1868, - ]); - - var part1869 = match("MESSAGE#1168:00767:22/2", "nwparser.p0", "by administrator %{fld3}. 
%{p0}"); - - var part1870 = match("MESSAGE#1168:00767:22/3_0", "nwparser.p0", "It was locked %{p0}"); - - var part1871 = match("MESSAGE#1168:00767:22/3_1", "nwparser.p0", "Locked %{p0}"); - - var select419 = linear_select([ - part1870, - part1871, - ]); - - var part1872 = match("MESSAGE#1168:00767:22/4", "nwparser.p0", "by administrator %{fld4->} %{p0}"); - - var all382 = all_match({ - processors: [ - part1866, - select418, - part1869, - select419, - part1872, - dup354, - ], - on_success: processor_chain([ - dup50, - dup43, - dup51, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg1184 = msg("00767:22", all382); - - var part1873 = match("MESSAGE#1169:00767:23", "nwparser.payload", "Save new software from slot filename %{filename->} to flash memory by administrator %{administrator}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1185 = msg("00767:23", part1873); - - var part1874 = match("MESSAGE#1170:00767:25/0", "nwparser.payload", "System configuration saved by %{username->} via %{logon_type->} from %{p0}"); - - var select420 = linear_select([ - dup169, - dup16, - ]); - - var part1875 = match("MESSAGE#1170:00767:25/3_0", "nwparser.p0", "%{saddr}:%{sport->} by %{p0}"); - - var part1876 = match("MESSAGE#1170:00767:25/3_1", "nwparser.p0", "%{saddr->} by %{p0}"); - - var select421 = linear_select([ - part1875, - part1876, - ]); - - var all383 = all_match({ - processors: [ - part1874, - select420, - dup23, - select421, - dup108, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg1186 = msg("00767:25", all383); - - var part1877 = match("MESSAGE#1171:00767:26/0", "nwparser.payload", "Lock configuration %{p0}"); - - var part1878 = match("MESSAGE#1171:00767:26/1_0", "nwparser.p0", "started%{p0}"); - - var part1879 = match("MESSAGE#1171:00767:26/1_1", "nwparser.p0", "ended%{p0}"); - - var select422 = linear_select([ - part1878, - part1879, - ]); - - var part1880 = 
match("MESSAGE#1171:00767:26/2", "nwparser.p0", "%{}by task %{p0}"); - - var part1881 = match("MESSAGE#1171:00767:26/3_0", "nwparser.p0", "%{fld3}, with a timeout value of %{fld2}"); - - var part1882 = match("MESSAGE#1171:00767:26/3_1", "nwparser.p0", "%{fld2->} (%{fld1})"); - - var select423 = linear_select([ - part1881, - part1882, - ]); - - var all384 = all_match({ - processors: [ - part1877, - select422, - part1880, - select423, - ], - on_success: processor_chain([ - dup50, - dup43, - dup51, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg1187 = msg("00767:26", all384); - - var part1883 = match("MESSAGE#1172:00767:27/0", "nwparser.payload", "Environment variable %{fld2->} changed to %{p0}"); - - var part1884 = match("MESSAGE#1172:00767:27/1_0", "nwparser.p0", "%{fld3->} by %{username->} (%{fld1})"); - - var part1885 = match_copy("MESSAGE#1172:00767:27/1_1", "nwparser.p0", "fld3"); - - var select424 = linear_select([ - part1884, - part1885, - ]); - - var all385 = all_match({ - processors: [ - part1883, - select424, - ], - on_success: processor_chain([ - dup223, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg1188 = msg("00767:27", all385); - - var part1886 = match("MESSAGE#1173:00767:28", "nwparser.payload", "The system configuration was loaded from IP address %{hostip->} under filename %{filename->} by administrator by admin %{administrator->} (%{fld1})", processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg1189 = msg("00767:28", part1886); - - var part1887 = match("MESSAGE#1174:00767:29", "nwparser.payload", "Save configuration to IP address %{hostip->} under filename %{filename->} by administrator by admin %{administrator->} (%{fld1})", processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg1190 = msg("00767:29", part1887); - - var part1888 = match("MESSAGE#1175:00767:30", "nwparser.payload", "%{fld2}: The system configuration was saved from host %{saddr->} by admin 
%{administrator->} (%{fld1})", processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg1191 = msg("00767:30", part1888); - - var part1889 = match("MESSAGE#1176:00767:31/1_0", "nwparser.p0", "logged events or alarms %{p0}"); - - var part1890 = match("MESSAGE#1176:00767:31/1_1", "nwparser.p0", "traffic logs %{p0}"); - - var select425 = linear_select([ - part1889, - part1890, - ]); - - var part1891 = match("MESSAGE#1176:00767:31/2", "nwparser.p0", "were cleared by admin %{p0}"); - - var all386 = all_match({ - processors: [ - dup186, - select425, - part1891, - dup397, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg1192 = msg("00767:31", all386); - - var part1892 = match("MESSAGE#1177:00767:32/0", "nwparser.payload", "SIP parser error %{p0}"); - - var part1893 = match("MESSAGE#1177:00767:32/1_0", "nwparser.p0", "SIP-field%{p0}"); - - var part1894 = match("MESSAGE#1177:00767:32/1_1", "nwparser.p0", "Message%{p0}"); - - var select426 = linear_select([ - part1893, - part1894, - ]); - - var part1895 = match("MESSAGE#1177:00767:32/2", "nwparser.p0", ": %{result}(%{fld1})"); - - var all387 = all_match({ - processors: [ - part1892, - select426, - part1895, - ], - on_success: processor_chain([ - dup27, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg1193 = msg("00767:32", all387); - - var part1896 = match("MESSAGE#1178:00767:33", "nwparser.payload", "Daylight Saving Time has started. 
(%{fld1})", processor_chain([ - dup44, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg1194 = msg("00767:33", part1896); - - var part1897 = match("MESSAGE#1179:00767:34", "nwparser.payload", "NetScreen devices do not support multiple IP addresses %{hostip->} or ports %{network_port->} in SIP headers RESPONSE (%{fld1})", processor_chain([ - dup313, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg1195 = msg("00767:34", part1897); - - var part1898 = match("MESSAGE#1180:00767:35", "nwparser.payload", "Environment variable %{fld2->} set to %{fld3->} (%{fld1})", processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg1196 = msg("00767:35", part1898); - - var part1899 = match("MESSAGE#1181:00767:36", "nwparser.payload", "System configuration saved from %{fld2->} by %{username->} (%{fld1})", processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg1197 = msg("00767:36", part1899); - - var part1900 = match("MESSAGE#1182:00767:37", "nwparser.payload", "Trial keys are available to download to enable advanced features. %{space->} To find out, please visit %{url->} (%{fld1})", processor_chain([ - dup254, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg1198 = msg("00767:37", part1900); - - var part1901 = match("MESSAGE#1183:00767:38", "nwparser.payload", "Log buffer was full and remaining messages were sent to external destination. %{fld2->} packets were dropped. 
(%{fld1})", processor_chain([ - setc("eventcategory","1602000000"), - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg1199 = msg("00767:38", part1901); - - var part1902 = match("MESSAGE#1184:00767:39/0", "nwparser.payload", "Cannot %{p0}"); - - var part1903 = match("MESSAGE#1184:00767:39/1_0", "nwparser.p0", "download %{p0}"); - - var part1904 = match("MESSAGE#1184:00767:39/1_1", "nwparser.p0", "parse %{p0}"); - - var select427 = linear_select([ - part1903, - part1904, - ]); - - var part1905 = match("MESSAGE#1184:00767:39/2", "nwparser.p0", "attack database %{p0}"); - - var part1906 = match("MESSAGE#1184:00767:39/3_0", "nwparser.p0", "from %{url->} (%{result}). %{p0}"); - - var part1907 = match("MESSAGE#1184:00767:39/3_1", "nwparser.p0", "%{fld2->} %{p0}"); - - var select428 = linear_select([ - part1906, - part1907, - ]); - - var all388 = all_match({ - processors: [ - part1902, - select427, - part1905, - select428, - dup10, - ], - on_success: processor_chain([ - dup324, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg1200 = msg("00767:39", all388); - - var part1908 = match("MESSAGE#1185:00767:40", "nwparser.payload", "Deep Inspection update key is %{disposition}. (%{fld1})", processor_chain([ - dup62, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg1201 = msg("00767:40", part1908); - - var part1909 = match("MESSAGE#1186:00767:42", "nwparser.payload", "System configuration saved by %{username->} via %{logon_type->} to %{daddr}:%{dport->} by %{fld2->} (%{fld1})", processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg1202 = msg("00767:42", part1909); - - var part1910 = match("MESSAGE#1187:00767:43", "nwparser.payload", "Daylight Saving Time ended. 
(%{fld1})", processor_chain([ - dup44, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg1203 = msg("00767:43", part1910); - - var part1911 = match("MESSAGE#1188:00767:44", "nwparser.payload", "New GMT zone ahead or behind by %{fld2->} (%{fld1})", processor_chain([ - dup44, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg1204 = msg("00767:44", part1911); - - var part1912 = match("MESSAGE#1189:00767:45", "nwparser.payload", "Attack database version %{version->} is saved to flash. (%{fld1})", processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg1205 = msg("00767:45", part1912); - - var part1913 = match("MESSAGE#1190:00767:46", "nwparser.payload", "System configuration saved by netscreen via %{logon_type->} by netscreen. (%{fld1})", processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg1206 = msg("00767:46", part1913); - - var part1914 = match("MESSAGE#1191:00767:47", "nwparser.payload", "User %{username->} belongs to a different group in the RADIUS server than that allowed in the device. (%{fld1})", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - dup9, - ])); - - var msg1207 = msg("00767:47", part1914); - - var part1915 = match("MESSAGE#1192:00767:24/0", "nwparser.payload", "System configuration saved by %{p0}"); - - var part1916 = match("MESSAGE#1192:00767:24/2", "nwparser.p0", "%{logon_type->} by %{fld2->} (%{fld1})"); - - var all389 = all_match({ - processors: [ - part1915, - dup364, - part1916, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg1208 = msg("00767:24", all389); - - var part1917 = match("MESSAGE#1193:00767:48", "nwparser.payload", "HA: Synchronization file(s) hidden file end with c sent to backup device in cluster. 
(%{fld1})", processor_chain([ - dup272, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg1209 = msg("00767:48", part1917); - - var part1918 = match("MESSAGE#1194:00767:49/0", "nwparser.payload", "%{fld2->} turn o%{p0}"); - - var part1919 = match("MESSAGE#1194:00767:49/1_0", "nwparser.p0", "n%{p0}"); - - var part1920 = match("MESSAGE#1194:00767:49/1_1", "nwparser.p0", "ff%{p0}"); - - var select429 = linear_select([ - part1919, - part1920, - ]); - - var part1921 = match("MESSAGE#1194:00767:49/2", "nwparser.p0", "%{}debug switch for %{fld3->} (%{fld1})"); - - var all390 = all_match({ - processors: [ - part1918, - select429, - part1921, - ], - on_success: processor_chain([ - dup1, - dup2, - dup4, - dup5, - dup9, - ]), - }); - - var msg1210 = msg("00767:49", all390); - - var select430 = linear_select([ - msg1158, - msg1159, - msg1160, - msg1161, - msg1162, - msg1163, - msg1164, - msg1165, - msg1166, - msg1167, - msg1168, - msg1169, - msg1170, - msg1171, - msg1172, - msg1173, - msg1174, - msg1175, - msg1176, - msg1177, - msg1178, - msg1179, - msg1180, - msg1181, - msg1182, - msg1183, - msg1184, - msg1185, - msg1186, - msg1187, - msg1188, - msg1189, - msg1190, - msg1191, - msg1192, - msg1193, - msg1194, - msg1195, - msg1196, - msg1197, - msg1198, - msg1199, - msg1200, - msg1201, - msg1202, - msg1203, - msg1204, - msg1205, - msg1206, - msg1207, - msg1208, - msg1209, - msg1210, - ]); - - var part1922 = match("MESSAGE#1195:01269", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} direction=%{direction->} action=Deny sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} icmp type=%{icmptype}", processor_chain([ - dup185, - dup2, - dup4, - dup5, - dup274, - dup277, - dup3, - dup275, - dup60, - ])); - - var msg1211 = msg("01269", part1922); - - var msg1212 = msg("01269:01", dup407); - - var msg1213 = msg("01269:02", dup408); - - var msg1214 = msg("01269:03", dup409); - - var 
select431 = linear_select([ - msg1211, - msg1212, - msg1213, - msg1214, - ]); - - var part1923 = match("MESSAGE#1199:17852", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} direction=%{direction->} action=Deny sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport}", processor_chain([ - dup185, - dup2, - dup4, - dup5, - dup274, - dup3, - dup276, - dup277, - dup275, - dup332, - ])); - - var msg1215 = msg("17852", part1923); - - var part1924 = match("MESSAGE#1200:17852:01", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} direction=%{direction->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport}", processor_chain([ - dup281, - dup2, - dup4, - dup5, - dup274, - dup3, - dup275, - dup332, - dup282, - ])); - - var msg1216 = msg("17852:01", part1924); - - var part1925 = match("MESSAGE#1201:17852:02", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=Deny sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport}", processor_chain([ - dup185, - dup2, - dup4, - dup5, - dup274, - dup3, - dup275, - dup276, - dup277, - dup61, - ])); - - var msg1217 = msg("17852:02", part1925); - - var part1926 = match("MESSAGE#1202:17852:03", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport}", processor_chain([ - dup281, - dup2, - dup4, - dup5, - dup274, - dup3, - dup275, - dup332, 
- dup282, - ])); - - var msg1218 = msg("17852:03", part1926); - - var select432 = linear_select([ - msg1215, - msg1216, - msg1217, - msg1218, - ]); - - var msg1219 = msg("23184", dup410); - - var part1927 = match("MESSAGE#1204:23184:01", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} (%{fld3}) proto=%{protocol->} direction=%{direction->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport}", processor_chain([ - dup281, - dup2, - dup4, - dup5, - dup274, - dup3, - dup275, - dup61, - dup282, - ])); - - var msg1220 = msg("23184:01", part1927); - - var part1928 = match("MESSAGE#1205:23184:02", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} (%{fld3}) proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=Deny sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport}", processor_chain([ - dup185, - dup2, - dup4, - dup5, - dup274, - dup3, - dup276, - dup277, - dup275, - dup61, - ])); - - var msg1221 = msg("23184:02", part1928); - - var part1929 = match("MESSAGE#1206:23184:03", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} (%{fld3}) proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport}", processor_chain([ - dup281, - dup2, - dup4, - dup5, - dup274, - dup3, - dup275, - dup332, - dup282, - ])); - - var msg1222 = msg("23184:03", part1929); - - var select433 = linear_select([ - msg1219, - msg1220, - msg1221, - msg1222, - ]); - - var msg1223 = msg("27052", dup410); - - var part1930 = match("MESSAGE#1208:27052:01", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} 
service=%{service->} (%{fld3}) proto=%{protocol}direction=%{direction->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport}", processor_chain([ - dup281, - dup2, - dup4, - dup5, - dup274, - dup3, - dup275, - dup61, - dup282, - ])); - - var msg1224 = msg("27052:01", part1930); - - var select434 = linear_select([ - msg1223, - msg1224, - ]); - - var part1931 = match("MESSAGE#1209:39568", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} direction=%{direction->} action=Deny sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} icmp type=%{icmptype}", processor_chain([ - dup185, - dup2, - dup4, - dup277, - dup5, - dup274, - dup3, - dup275, - dup276, - dup60, - ])); - - var msg1225 = msg("39568", part1931); - - var msg1226 = msg("39568:01", dup407); - - var msg1227 = msg("39568:02", dup408); - - var msg1228 = msg("39568:03", dup409); - - var select435 = linear_select([ - msg1225, - msg1226, - msg1227, - msg1228, - ]); - - var chain1 = processor_chain([ - select2, - msgid_select({ - "00001": select6, - "00002": select29, - "00003": select31, - "00004": select33, - "00005": select39, - "00006": select40, - "00007": select63, - "00008": select66, - "00009": select83, - "00010": select86, - "00011": select100, - "00012": select101, - "00013": select102, - "00014": select104, - "00015": select114, - "00016": select115, - "00017": select125, - "00018": select138, - "00019": select147, - "00020": select150, - "00021": select151, - "00022": select163, - "00023": select164, - "00024": select170, - "00025": select171, - "00026": select176, - "00027": select184, - "00028": msg469, - "00029": select188, - "00030": select197, - "00031": select205, - "00032": select207, - "00033": select214, - "00034": select225, - "00035": select232, - "00036": select234, - "00037": select241, - "00038": msg660, - "00039": msg661, - 
"00040": select244, - "00041": select245, - "00042": select246, - "00043": msg668, - "00044": select248, - "00045": msg671, - "00047": msg672, - "00048": select257, - "00049": select258, - "00050": msg682, - "00051": msg683, - "00052": msg684, - "00055": select265, - "00056": msg696, - "00057": msg697, - "00058": msg698, - "00059": select272, - "00062": select273, - "00063": msg713, - "00064": select274, - "00070": select276, - "00071": select277, - "00072": select278, - "00073": select279, - "00074": msg726, - "00075": select280, - "00076": select281, - "00077": select282, - "00084": msg735, - "00090": msg736, - "00200": msg737, - "00201": msg738, - "00202": msg739, - "00203": msg740, - "00206": select285, - "00207": select286, - "00257": select291, - "00259": select294, - "00262": msg778, - "00263": msg779, - "00400": msg780, - "00401": msg781, - "00402": select296, - "00403": msg784, - "00404": msg785, - "00405": msg786, - "00406": msg787, - "00407": msg788, - "00408": msg789, - "00409": msg790, - "00410": select297, - "00411": msg793, - "00413": select298, - "00414": select299, - "00415": msg799, - "00423": msg800, - "00429": select300, - "00430": select301, - "00431": msg805, - "00432": msg806, - "00433": msg807, - "00434": msg808, - "00435": select302, - "00436": select303, - "00437": select304, - "00438": select305, - "00440": select306, - "00441": msg823, - "00442": msg824, - "00443": msg825, - "00511": select307, - "00513": msg841, - "00515": select328, - "00518": select331, - "00519": select336, - "00520": select339, - "00521": msg890, - "00522": msg891, - "00523": msg892, - "00524": select340, - "00525": select341, - "00526": msg912, - "00527": select348, - "00528": select354, - "00529": select357, - "00530": select358, - "00531": select362, - "00533": msg973, - "00534": msg974, - "00535": select363, - "00536": select365, - "00537": select366, - "00538": select372, - "00539": select373, - "00541": select375, - "00542": msg1062, - "00543": msg1063, - 
"00544": msg1064, - "00546": msg1065, - "00547": select379, - "00549": msg1070, - "00551": select381, - "00553": select385, - "00554": select391, - "00555": msg1117, - "00556": select401, - "00572": select402, - "00601": select404, - "00602": msg1148, - "00612": msg1149, - "00615": select403, - "00620": select408, - "00622": msg1155, - "00625": msg1156, - "00628": msg1157, - "00767": select430, - "01269": select431, - "17852": select432, - "23184": select433, - "27052": select434, - "39568": select435, - }), - ]); - - var part1932 = match("MESSAGE#2:00001:02/0", "nwparser.payload", "Address %{group_object->} for %{p0}"); - - var part1933 = match("MESSAGE#2:00001:02/1_1", "nwparser.p0", "domain address %{domain->} in zone %{p0}"); - - var part1934 = match("MESSAGE#4:00001:04/3_0", "nwparser.p0", " (%{fld1})"); - - var part1935 = match("MESSAGE#5:00001:05/1_0", "nwparser.p0", "(%{fld1})"); - - var part1936 = match_copy("MESSAGE#5:00001:05/1_1", "nwparser.p0", "fld1"); - - var part1937 = match("MESSAGE#8:00001:08/0", "nwparser.payload", "Address %{p0}"); - - var part1938 = match("MESSAGE#8:00001:08/1_0", "nwparser.p0", "MIP(%{interface}) %{p0}"); - - var part1939 = match("MESSAGE#8:00001:08/1_1", "nwparser.p0", "%{group_object->} %{p0}"); - - var part1940 = match("MESSAGE#8:00001:08/3_0", "nwparser.p0", "admin %{p0}"); - - var part1941 = match_copy("MESSAGE#8:00001:08/3_1", "nwparser.p0", "p0"); - - var part1942 = match("MESSAGE#25:00002:20/1_1", "nwparser.p0", "from host %{saddr->} "); - - var part1943 = match_copy("MESSAGE#25:00002:20/1_2", "nwparser.p0", ""); - - var part1944 = match("MESSAGE#26:00002:21/1", "nwparser.p0", "%{p0}"); - - var part1945 = match("MESSAGE#26:00002:21/2_0", "nwparser.p0", "password %{p0}"); - - var part1946 = match("MESSAGE#26:00002:21/2_1", "nwparser.p0", "name %{p0}"); - - var part1947 = match_copy("MESSAGE#27:00002:22/1_2", "nwparser.p0", "administrator"); - - var part1948 = match_copy("MESSAGE#42:00002:38/1_1", "nwparser.p0", 
"disposition"); - - var part1949 = match("MESSAGE#46:00002:42/1_1", "nwparser.p0", "via %{p0}"); - - var part1950 = match("MESSAGE#46:00002:42/4", "nwparser.p0", "%{fld1})"); - - var part1951 = match("MESSAGE#52:00002:48/3_1", "nwparser.p0", "%{logon_type->} from host %{saddr->} to %{daddr}:%{dport}. (%{p0}"); - - var part1952 = match("MESSAGE#53:00002:52/3_0", "nwparser.p0", "admin %{administrator->} via %{p0}"); - - var part1953 = match("MESSAGE#53:00002:52/3_2", "nwparser.p0", "%{username->} via %{p0}"); - - var part1954 = match("MESSAGE#53:00002:52/4_0", "nwparser.p0", "NSRP Peer . (%{p0}"); - - var part1955 = match("MESSAGE#55:00002:54/2", "nwparser.p0", ". (%{fld1})"); - - var part1956 = match("MESSAGE#56:00002/1_1", "nwparser.p0", "changed%{p0}"); - - var part1957 = match("MESSAGE#61:00003:05/0", "nwparser.payload", "The %{p0}"); - - var part1958 = match("MESSAGE#66:00004:04/1_0", "nwparser.p0", "interface%{p0}"); - - var part1959 = match("MESSAGE#66:00004:04/1_1", "nwparser.p0", "Interface%{p0}"); - - var part1960 = match("MESSAGE#76:00004:14/0", "nwparser.payload", "DNS entries have been %{p0}"); - - var part1961 = match("MESSAGE#79:00004:17/0", "nwparser.payload", "%{signame->} From %{saddr->} to %{daddr}, proto %{protocol->} (zone %{p0}"); - - var part1962 = match("MESSAGE#79:00004:17/1_0", "nwparser.p0", "%{zone}, %{p0}"); - - var part1963 = match("MESSAGE#79:00004:17/1_1", "nwparser.p0", "%{zone->} %{p0}"); - - var part1964 = match("MESSAGE#79:00004:17/2", "nwparser.p0", "int %{interface}).%{space}Occurred %{dclass_counter1->} times. 
(%{fld1})"); - - var part1965 = match("MESSAGE#83:00005:03/1_0", "nwparser.p0", "%{dport},%{p0}"); - - var part1966 = match("MESSAGE#83:00005:03/1_1", "nwparser.p0", "%{dport->} %{p0}"); - - var part1967 = match("MESSAGE#83:00005:03/2", "nwparser.p0", "%{space}using protocol %{p0}"); - - var part1968 = match("MESSAGE#83:00005:03/3_0", "nwparser.p0", "%{protocol},%{p0}"); - - var part1969 = match("MESSAGE#83:00005:03/3_1", "nwparser.p0", "%{protocol->} %{p0}"); - - var part1970 = match("MESSAGE#83:00005:03/5_1", "nwparser.p0", ". %{p0}"); - - var part1971 = match("MESSAGE#86:00005:06/0_0", "nwparser.payload", "%{fld2}: SYN %{p0}"); - - var part1972 = match("MESSAGE#86:00005:06/0_1", "nwparser.payload", "SYN %{p0}"); - - var part1973 = match("MESSAGE#87:00005:07/1_2", "nwparser.p0", "timeout value %{p0}"); - - var part1974 = match("MESSAGE#88:00005:08/2_0", "nwparser.p0", "destination %{p0}"); - - var part1975 = match("MESSAGE#88:00005:08/2_1", "nwparser.p0", "source %{p0}"); - - var part1976 = match("MESSAGE#97:00005:17/0", "nwparser.payload", "A %{p0}"); - - var part1977 = match("MESSAGE#98:00005:18/0", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to %{daddr}:%{dport}, proto %{protocol->} (zone %{zone->} %{p0}"); - - var part1978 = match("MESSAGE#98:00005:18/1_0", "nwparser.p0", ", int %{p0}"); - - var part1979 = match("MESSAGE#98:00005:18/1_1", "nwparser.p0", "int %{p0}"); - - var part1980 = match("MESSAGE#98:00005:18/2", "nwparser.p0", "%{interface}).%{space}Occurred %{dclass_counter1->} times. 
(%{fld1})"); - - var part1981 = match("MESSAGE#111:00007:04/0", "nwparser.payload", "HA %{p0}"); - - var part1982 = match("MESSAGE#111:00007:04/1_0", "nwparser.p0", "encryption %{p0}"); - - var part1983 = match("MESSAGE#111:00007:04/1_1", "nwparser.p0", "authentication %{p0}"); - - var part1984 = match("MESSAGE#111:00007:04/3_1", "nwparser.p0", "key %{p0}"); - - var part1985 = match("MESSAGE#118:00007:11/1_0", "nwparser.p0", "disabled%{}"); - - var part1986 = match("MESSAGE#118:00007:11/1_1", "nwparser.p0", "set to %{trigger_val}"); - - var part1987 = match("MESSAGE#127:00007:21/1_0", "nwparser.p0", "up%{}"); - - var part1988 = match("MESSAGE#127:00007:21/1_1", "nwparser.p0", "down%{}"); - - var part1989 = match("MESSAGE#139:00007:33/2_1", "nwparser.p0", " %{p0}"); - - var part1990 = match("MESSAGE#143:00007:37/1_0", "nwparser.p0", "set%{}"); - - var part1991 = match("MESSAGE#143:00007:37/1_1", "nwparser.p0", "unset%{}"); - - var part1992 = match("MESSAGE#144:00007:38/1_0", "nwparser.p0", "undefined %{p0}"); - - var part1993 = match("MESSAGE#144:00007:38/1_1", "nwparser.p0", "set %{p0}"); - - var part1994 = match("MESSAGE#144:00007:38/1_2", "nwparser.p0", "active %{p0}"); - - var part1995 = match("MESSAGE#144:00007:38/2", "nwparser.p0", "to %{p0}"); - - var part1996 = match("MESSAGE#157:00007:51/1_0", "nwparser.p0", "created %{p0}"); - - var part1997 = match("MESSAGE#157:00007:51/3_0", "nwparser.p0", ", %{p0}"); - - var part1998 = match("MESSAGE#157:00007:51/5_0", "nwparser.p0", "is %{p0}"); - - var part1999 = match("MESSAGE#157:00007:51/5_1", "nwparser.p0", "was %{p0}"); - - var part2000 = match("MESSAGE#157:00007:51/6", "nwparser.p0", "%{fld2}"); - - var part2001 = match("MESSAGE#163:00007:57/1_0", "nwparser.p0", "threshold %{p0}"); - - var part2002 = match("MESSAGE#163:00007:57/1_1", "nwparser.p0", "interval %{p0}"); - - var part2003 = match("MESSAGE#163:00007:57/3_0", "nwparser.p0", "of %{p0}"); - - var part2004 = match("MESSAGE#163:00007:57/3_1", 
"nwparser.p0", "that %{p0}"); - - var part2005 = match("MESSAGE#170:00007:64/0_0", "nwparser.payload", "Zone %{p0}"); - - var part2006 = match("MESSAGE#170:00007:64/0_1", "nwparser.payload", "Interface %{p0}"); - - var part2007 = match("MESSAGE#172:00007:66/2_1", "nwparser.p0", "n %{p0}"); - - var part2008 = match("MESSAGE#174:00007:68/4", "nwparser.p0", ".%{}"); - - var part2009 = match("MESSAGE#195:00009:06/1", "nwparser.p0", "for %{p0}"); - - var part2010 = match("MESSAGE#195:00009:06/2_0", "nwparser.p0", "the %{p0}"); - - var part2011 = match("MESSAGE#195:00009:06/4_0", "nwparser.p0", "removed %{p0}"); - - var part2012 = match("MESSAGE#202:00009:14/2_0", "nwparser.p0", "interface %{p0}"); - - var part2013 = match("MESSAGE#202:00009:14/2_1", "nwparser.p0", "the interface %{p0}"); - - var part2014 = match_copy("MESSAGE#202:00009:14/4_1", "nwparser.p0", "interface"); - - var part2015 = match("MESSAGE#203:00009:15/1_1", "nwparser.p0", "s %{p0}"); - - var part2016 = match("MESSAGE#203:00009:15/2", "nwparser.p0", "on interface %{interface->} %{p0}"); - - var part2017 = match("MESSAGE#203:00009:15/3_0", "nwparser.p0", "has been %{p0}"); - - var part2018 = match("MESSAGE#203:00009:15/4", "nwparser.p0", "%{disposition}."); - - var part2019 = match("MESSAGE#204:00009:16/3_0", "nwparser.p0", "removed from %{p0}"); - - var part2020 = match("MESSAGE#204:00009:16/3_1", "nwparser.p0", "added to %{p0}"); - - var part2021 = match("MESSAGE#210:00009:21/2", "nwparser.p0", "%{interface}). Occurred %{dclass_counter1->} times. 
(%{fld1})"); - - var part2022 = match("MESSAGE#219:00010:03/0", "nwparser.payload", "%{signame->} From %{saddr->} to %{daddr}, proto %{protocol->} (zone %{zone->} %{p0}"); - - var part2023 = match("MESSAGE#224:00011:04/1_1", "nwparser.p0", "Interface %{p0}"); - - var part2024 = match("MESSAGE#233:00011:14/1_0", "nwparser.p0", "set to %{fld2}"); - - var part2025 = match("MESSAGE#237:00011:18/4_1", "nwparser.p0", "gateway %{p0}"); - - var part2026 = match("MESSAGE#238:00011:19/6", "nwparser.p0", "%{} %{disposition}"); - - var part2027 = match("MESSAGE#274:00015:02/1_1", "nwparser.p0", "port number %{p0}"); - - var part2028 = match("MESSAGE#274:00015:02/2", "nwparser.p0", "has been %{disposition}"); - - var part2029 = match("MESSAGE#276:00015:04/1_0", "nwparser.p0", "IP %{p0}"); - - var part2030 = match("MESSAGE#276:00015:04/1_1", "nwparser.p0", "port %{p0}"); - - var part2031 = match("MESSAGE#284:00015:12/3_0", "nwparser.p0", "up %{p0}"); - - var part2032 = match("MESSAGE#284:00015:12/3_1", "nwparser.p0", "down %{p0}"); - - var part2033 = match("MESSAGE#294:00015:22/2_0", "nwparser.p0", "(%{fld1}) "); - - var part2034 = match("MESSAGE#317:00017:01/2_0", "nwparser.p0", ": %{p0}"); - - var part2035 = match("MESSAGE#320:00017:04/0", "nwparser.payload", "IP %{p0}"); - - var part2036 = match("MESSAGE#320:00017:04/1_0", "nwparser.p0", "address pool %{p0}"); - - var part2037 = match("MESSAGE#320:00017:04/1_1", "nwparser.p0", "pool %{p0}"); - - var part2038 = match("MESSAGE#326:00017:10/1_0", "nwparser.p0", "enabled %{p0}"); - - var part2039 = match("MESSAGE#326:00017:10/1_1", "nwparser.p0", "disabled %{p0}"); - - var part2040 = match("MESSAGE#332:00017:15/1_0", "nwparser.p0", "AH %{p0}"); - - var part2041 = match("MESSAGE#332:00017:15/1_1", "nwparser.p0", "ESP %{p0}"); - - var part2042 = match("MESSAGE#354:00018:11/0", "nwparser.payload", "%{} %{p0}"); - - var part2043 = match("MESSAGE#356:00018:32/0_0", "nwparser.payload", "Source%{p0}"); - - var part2044 = 
match("MESSAGE#356:00018:32/0_1", "nwparser.payload", "Destination%{p0}"); - - var part2045 = match("MESSAGE#356:00018:32/2_0", "nwparser.p0", "from %{p0}"); - - var part2046 = match("MESSAGE#356:00018:32/3", "nwparser.p0", "policy ID %{policy_id->} by admin %{administrator->} via NSRP Peer . (%{fld1})"); - - var part2047 = match("MESSAGE#375:00019:01/0", "nwparser.payload", "Attempt to enable %{p0}"); - - var part2048 = match("MESSAGE#375:00019:01/1_0", "nwparser.p0", "traffic logging via syslog %{p0}"); - - var part2049 = match("MESSAGE#375:00019:01/1_1", "nwparser.p0", "syslog %{p0}"); - - var part2050 = match("MESSAGE#378:00019:04/0", "nwparser.payload", "Syslog %{p0}"); - - var part2051 = match("MESSAGE#378:00019:04/1_0", "nwparser.p0", "host %{p0}"); - - var part2052 = match("MESSAGE#378:00019:04/3_1", "nwparser.p0", "domain name %{p0}"); - - var part2053 = match("MESSAGE#378:00019:04/4", "nwparser.p0", "has been changed to %{fld2}"); - - var part2054 = match("MESSAGE#380:00019:06/1_0", "nwparser.p0", "security facility %{p0}"); - - var part2055 = match("MESSAGE#380:00019:06/1_1", "nwparser.p0", "facility %{p0}"); - - var part2056 = match("MESSAGE#380:00019:06/3_0", "nwparser.p0", "local0%{}"); - - var part2057 = match("MESSAGE#380:00019:06/3_1", "nwparser.p0", "local1%{}"); - - var part2058 = match("MESSAGE#380:00019:06/3_2", "nwparser.p0", "local2%{}"); - - var part2059 = match("MESSAGE#380:00019:06/3_3", "nwparser.p0", "local3%{}"); - - var part2060 = match("MESSAGE#380:00019:06/3_4", "nwparser.p0", "local4%{}"); - - var part2061 = match("MESSAGE#380:00019:06/3_5", "nwparser.p0", "local5%{}"); - - var part2062 = match("MESSAGE#380:00019:06/3_6", "nwparser.p0", "local6%{}"); - - var part2063 = match("MESSAGE#380:00019:06/3_7", "nwparser.p0", "local7%{}"); - - var part2064 = match("MESSAGE#380:00019:06/3_8", "nwparser.p0", "auth/sec%{}"); - - var part2065 = match("MESSAGE#384:00019:10/0", "nwparser.payload", "%{fld2->} %{p0}"); - - var part2066 = 
match("MESSAGE#405:00022/0", "nwparser.payload", "All %{p0}"); - - var part2067 = match("MESSAGE#414:00022:09/1_0", "nwparser.p0", "primary %{p0}"); - - var part2068 = match("MESSAGE#414:00022:09/1_1", "nwparser.p0", "secondary %{p0}"); - - var part2069 = match("MESSAGE#414:00022:09/3_0", "nwparser.p0", "t %{p0}"); - - var part2070 = match("MESSAGE#414:00022:09/3_1", "nwparser.p0", "w %{p0}"); - - var part2071 = match("MESSAGE#423:00024/1", "nwparser.p0", "server %{p0}"); - - var part2072 = match("MESSAGE#426:00024:03/1_0", "nwparser.p0", "has %{p0}"); - - var part2073 = match("MESSAGE#434:00026:01/0", "nwparser.payload", "SCS%{p0}"); - - var part2074 = match("MESSAGE#434:00026:01/3_0", "nwparser.p0", "bound to %{p0}"); - - var part2075 = match("MESSAGE#434:00026:01/3_1", "nwparser.p0", "unbound from %{p0}"); - - var part2076 = match("MESSAGE#441:00026:08/1_1", "nwparser.p0", "PKA RSA %{p0}"); - - var part2077 = match("MESSAGE#443:00026:10/3_1", "nwparser.p0", "unbind %{p0}"); - - var part2078 = match("MESSAGE#443:00026:10/4", "nwparser.p0", "PKA key %{p0}"); - - var part2079 = match("MESSAGE#446:00027/0", "nwparser.payload", "Multiple login failures %{p0}"); - - var part2080 = match("MESSAGE#446:00027/1_0", "nwparser.p0", "occurred for %{p0}"); - - var part2081 = match("MESSAGE#451:00027:05/5_0", "nwparser.p0", "aborted%{}"); - - var part2082 = match("MESSAGE#451:00027:05/5_1", "nwparser.p0", "performed%{}"); - - var part2083 = match("MESSAGE#466:00029:03/0", "nwparser.payload", "IP pool of DHCP server on %{p0}"); - - var part2084 = match("MESSAGE#492:00030:17/1_0", "nwparser.p0", "certificate %{p0}"); - - var part2085 = match("MESSAGE#492:00030:17/1_1", "nwparser.p0", "CRL %{p0}"); - - var part2086 = match("MESSAGE#493:00030:40/1_0", "nwparser.p0", "auto %{p0}"); - - var part2087 = match("MESSAGE#508:00030:55/1_0", "nwparser.p0", "RSA %{p0}"); - - var part2088 = match("MESSAGE#508:00030:55/1_1", "nwparser.p0", "DSA %{p0}"); - - var part2089 = 
match("MESSAGE#508:00030:55/2", "nwparser.p0", "key pair.%{}"); - - var part2090 = match("MESSAGE#539:00030:86/0", "nwparser.payload", "FIPS test for %{p0}"); - - var part2091 = match("MESSAGE#539:00030:86/1_0", "nwparser.p0", "ECDSA %{p0}"); - - var part2092 = match("MESSAGE#543:00031:02/1_0", "nwparser.p0", "yes %{p0}"); - - var part2093 = match("MESSAGE#543:00031:02/1_1", "nwparser.p0", "no %{p0}"); - - var part2094 = match("MESSAGE#545:00031:04/1_1", "nwparser.p0", "location %{p0}"); - - var part2095 = match("MESSAGE#548:00031:05/2", "nwparser.p0", "%{} %{interface}"); - - var part2096 = match("MESSAGE#549:00031:06/0", "nwparser.payload", "arp re%{p0}"); - - var part2097 = match("MESSAGE#549:00031:06/1_1", "nwparser.p0", "q %{p0}"); - - var part2098 = match("MESSAGE#549:00031:06/1_2", "nwparser.p0", "ply %{p0}"); - - var part2099 = match("MESSAGE#549:00031:06/9_0", "nwparser.p0", "%{interface->} (%{fld1})"); - - var part2100 = match("MESSAGE#561:00033/0_0", "nwparser.payload", "Global PRO %{p0}"); - - var part2101 = match("MESSAGE#561:00033/0_1", "nwparser.payload", "%{fld3->} %{p0}"); - - var part2102 = match("MESSAGE#569:00033:08/0", "nwparser.payload", "NACN Policy Manager %{p0}"); - - var part2103 = match("MESSAGE#569:00033:08/1_0", "nwparser.p0", "1 %{p0}"); - - var part2104 = match("MESSAGE#569:00033:08/1_1", "nwparser.p0", "2 %{p0}"); - - var part2105 = match("MESSAGE#571:00033:10/3_1", "nwparser.p0", "unset %{p0}"); - - var part2106 = match("MESSAGE#581:00033:21/0", "nwparser.payload", "%{signame}! 
From %{saddr}:%{sport->} to %{daddr}:%{dport}, proto %{protocol->} (zone %{zone->} %{p0}"); - - var part2107 = match("MESSAGE#586:00034:01/2_1", "nwparser.p0", "SSH %{p0}"); - - var part2108 = match("MESSAGE#588:00034:03/0_0", "nwparser.payload", "SCS: NetScreen %{p0}"); - - var part2109 = match("MESSAGE#588:00034:03/0_1", "nwparser.payload", "NetScreen %{p0}"); - - var part2110 = match("MESSAGE#595:00034:10/0", "nwparser.payload", "S%{p0}"); - - var part2111 = match("MESSAGE#595:00034:10/1_0", "nwparser.p0", "CS: SSH%{p0}"); - - var part2112 = match("MESSAGE#595:00034:10/1_1", "nwparser.p0", "SH%{p0}"); - - var part2113 = match("MESSAGE#596:00034:12/3_0", "nwparser.p0", "the root system %{p0}"); - - var part2114 = match("MESSAGE#596:00034:12/3_1", "nwparser.p0", "vsys %{fld2->} %{p0}"); - - var part2115 = match("MESSAGE#599:00034:18/1_0", "nwparser.p0", "CS: SSH %{p0}"); - - var part2116 = match("MESSAGE#599:00034:18/1_1", "nwparser.p0", "SH %{p0}"); - - var part2117 = match("MESSAGE#630:00035:06/1_0", "nwparser.p0", "a %{p0}"); - - var part2118 = match("MESSAGE#630:00035:06/1_1", "nwparser.p0", "ert %{p0}"); - - var part2119 = match("MESSAGE#633:00035:09/0", "nwparser.payload", "SSL %{p0}"); - - var part2120 = match("MESSAGE#644:00037:01/1_0", "nwparser.p0", "id: %{p0}"); - - var part2121 = match("MESSAGE#644:00037:01/1_1", "nwparser.p0", "ID %{p0}"); - - var part2122 = match("MESSAGE#659:00044/1_0", "nwparser.p0", "permit %{p0}"); - - var part2123 = match("MESSAGE#675:00055/0", "nwparser.payload", "IGMP %{p0}"); - - var part2124 = match("MESSAGE#677:00055:02/0", "nwparser.payload", "IGMP will %{p0}"); - - var part2125 = match("MESSAGE#677:00055:02/1_0", "nwparser.p0", "not do %{p0}"); - - var part2126 = match("MESSAGE#677:00055:02/1_1", "nwparser.p0", "do %{p0}"); - - var part2127 = match("MESSAGE#689:00059/1_1", "nwparser.p0", "shut down %{p0}"); - - var part2128 = match("MESSAGE#707:00070/0", "nwparser.payload", "NSRP: %{p0}"); - - var part2129 = 
match("MESSAGE#707:00070/1_0", "nwparser.p0", "Unit %{p0}"); - - var part2130 = match("MESSAGE#707:00070/1_1", "nwparser.p0", "local unit= %{p0}"); - - var part2131 = match("MESSAGE#707:00070/2", "nwparser.p0", "%{fld2->} of VSD group %{group->} %{info}"); - - var part2132 = match("MESSAGE#708:00070:01/0", "nwparser.payload", "The local device %{fld2->} in the Virtual Sec%{p0}"); - - var part2133 = match("MESSAGE#708:00070:01/1_0", "nwparser.p0", "ruity%{p0}"); - - var part2134 = match("MESSAGE#708:00070:01/1_1", "nwparser.p0", "urity%{p0}"); - - var part2135 = match("MESSAGE#713:00072:01/2", "nwparser.p0", "%{}Device group %{group->} changed state"); - - var part2136 = match("MESSAGE#717:00075/2", "nwparser.p0", "%{fld2->} of VSD group %{group->} %{info}"); - - var part2137 = match("MESSAGE#748:00257:19/0", "nwparser.payload", "start_time=%{p0}"); - - var part2138 = match("MESSAGE#748:00257:19/1_0", "nwparser.p0", "\\\"%{fld2}\\\"%{p0}"); - - var part2139 = match("MESSAGE#748:00257:19/1_1", "nwparser.p0", " \"%{fld2}\" %{p0}"); - - var part2140 = match_copy("MESSAGE#756:00257:10/1_1", "nwparser.p0", "daddr"); - - var part2141 = match("MESSAGE#760:00259/0_0", "nwparser.payload", "Admin %{p0}"); - - var part2142 = match("MESSAGE#760:00259/0_1", "nwparser.payload", "Vsys admin %{p0}"); - - var part2143 = match("MESSAGE#760:00259/2_1", "nwparser.p0", "Telnet %{p0}"); - - var part2144 = match("MESSAGE#777:00406/2", "nwparser.p0", "%{interface}). Occurred %{dclass_counter1->} times."); - - var part2145 = match("MESSAGE#790:00423/2", "nwparser.p0", "%{interface}).%{space}Occurred %{dclass_counter1->} times."); - - var part2146 = match("MESSAGE#793:00430/2", "nwparser.p0", "%{interface}).%{space}Occurred %{dclass_counter1->} times.%{p0}"); - - var part2147 = match("MESSAGE#795:00431/0", "nwparser.payload", "%{obj_type->} %{disposition}! 
From %{saddr}:%{sport->} to %{daddr}:%{dport}, proto %{protocol->} (zone %{zone->} %{p0}"); - - var part2148 = match("MESSAGE#797:00433/0", "nwparser.payload", "%{signame->} %{disposition}! From %{saddr}:%{sport->} to %{daddr}:%{dport}, proto %{protocol->} (zone %{zone->} %{p0}"); - - var part2149 = match("MESSAGE#804:00437:01/0", "nwparser.payload", "%{signame}! From %{saddr}:%{sport->} to %{daddr}:%{dport}, proto %{protocol->} (zone %{p0}"); - - var part2150 = match("MESSAGE#817:00511:01/1_0", "nwparser.p0", "%{administrator->} (%{fld1})"); - - var part2151 = match("MESSAGE#835:00515:04/2_1", "nwparser.p0", "ut %{p0}"); - - var part2152 = match("MESSAGE#835:00515:04/4_0", "nwparser.p0", "%{logon_type->} from %{saddr}:%{sport}"); - - var part2153 = match("MESSAGE#837:00515:05/1_0", "nwparser.p0", "user %{p0}"); - - var part2154 = match("MESSAGE#837:00515:05/5_0", "nwparser.p0", "the %{logon_type}"); - - var part2155 = match("MESSAGE#869:00519:01/1_0", "nwparser.p0", "WebAuth user %{p0}"); - - var part2156 = match("MESSAGE#876:00520:02/1_1", "nwparser.p0", "backup1 %{p0}"); - - var part2157 = match("MESSAGE#876:00520:02/1_2", "nwparser.p0", "backup2 %{p0}"); - - var part2158 = match("MESSAGE#890:00524:13/1_0", "nwparser.p0", ",%{p0}"); - - var part2159 = match("MESSAGE#901:00527/1_0", "nwparser.p0", "assigned %{p0}"); - - var part2160 = match("MESSAGE#901:00527/3_0", "nwparser.p0", "assigned to %{p0}"); - - var part2161 = match("MESSAGE#927:00528:15/1_0", "nwparser.p0", "'%{administrator}' %{p0}"); - - var part2162 = match("MESSAGE#930:00528:18/0", "nwparser.payload", "SSH: P%{p0}"); - - var part2163 = match("MESSAGE#930:00528:18/1_0", "nwparser.p0", "KA %{p0}"); - - var part2164 = match("MESSAGE#930:00528:18/1_1", "nwparser.p0", "assword %{p0}"); - - var part2165 = match("MESSAGE#930:00528:18/3_0", "nwparser.p0", "\\'%{administrator}\\' %{p0}"); - - var part2166 = match("MESSAGE#930:00528:18/4", "nwparser.p0", "at host %{saddr}"); - - var part2167 = 
match("MESSAGE#932:00528:19/0", "nwparser.payload", "%{}S%{p0}"); - - var part2168 = match("MESSAGE#932:00528:19/1_0", "nwparser.p0", "CS %{p0}"); - - var part2169 = match("MESSAGE#1060:00553/2", "nwparser.p0", "from server.ini file.%{}"); - - var part2170 = match("MESSAGE#1064:00553:04/1_0", "nwparser.p0", "pattern %{p0}"); - - var part2171 = match("MESSAGE#1064:00553:04/1_1", "nwparser.p0", "server.ini %{p0}"); - - var part2172 = match("MESSAGE#1068:00553:08/2", "nwparser.p0", "file.%{}"); - - var part2173 = match("MESSAGE#1087:00554:04/1_1", "nwparser.p0", "AV pattern %{p0}"); - - var part2174 = match("MESSAGE#1116:00556:14/1_0", "nwparser.p0", "added into %{p0}"); - - var part2175 = match("MESSAGE#1157:00767:11/1_0", "nwparser.p0", "loader %{p0}"); - - var select436 = linear_select([ - dup10, - dup11, - ]); - - var part2176 = match("MESSAGE#7:00001:07", "nwparser.payload", "Policy ID=%{policy_id->} Rate=%{fld2->} exceeds threshold", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var select437 = linear_select([ - dup13, - dup14, - ]); - - var select438 = linear_select([ - dup15, - dup16, - ]); - - var select439 = linear_select([ - dup56, - dup57, - ]); - - var select440 = linear_select([ - dup65, - dup66, - ]); - - var select441 = linear_select([ - dup68, - dup69, - ]); - - var select442 = linear_select([ - dup71, - dup72, - ]); - - var part2177 = match("MESSAGE#84:00005:04", "nwparser.payload", "%{signame->} from %{saddr}/%{sport->} to %{daddr}/%{dport->} protocol %{protocol->} (%{interface})", processor_chain([ - dup58, - dup2, - dup3, - dup4, - dup5, - dup61, - ])); - - var select443 = linear_select([ - dup74, - dup75, - ]); - - var select444 = linear_select([ - dup81, - dup82, - ]); - - var select445 = linear_select([ - dup24, - dup90, - ]); - - var select446 = linear_select([ - dup94, - dup95, - ]); - - var select447 = linear_select([ - dup98, - dup99, - ]); - - var select448 = linear_select([ - dup100, - dup101, - dup102, - ]); - - 
var select449 = linear_select([ - dup113, - dup114, - ]); - - var select450 = linear_select([ - dup111, - dup16, - ]); - - var select451 = linear_select([ - dup127, - dup107, - ]); - - var select452 = linear_select([ - dup8, - dup21, - ]); - - var select453 = linear_select([ - dup122, - dup133, - ]); - - var select454 = linear_select([ - dup142, - dup143, - ]); - - var select455 = linear_select([ - dup145, - dup21, - ]); - - var select456 = linear_select([ - dup127, - dup106, - ]); - - var select457 = linear_select([ - dup152, - dup96, - ]); - - var select458 = linear_select([ - dup154, - dup155, - ]); - - var select459 = linear_select([ - dup156, - dup157, - ]); - - var select460 = linear_select([ - dup99, - dup134, - ]); - - var select461 = linear_select([ - dup158, - dup159, - ]); - - var select462 = linear_select([ - dup161, - dup162, - ]); - - var select463 = linear_select([ - dup163, - dup103, - ]); - - var select464 = linear_select([ - dup162, - dup161, - ]); - - var select465 = linear_select([ - dup46, - dup47, - ]); - - var select466 = linear_select([ - dup166, - dup167, - ]); - - var select467 = linear_select([ - dup172, - dup173, - ]); - - var select468 = linear_select([ - dup174, - dup175, - dup176, - dup177, - dup178, - dup179, - dup180, - dup181, - dup182, - ]); - - var select469 = linear_select([ - dup49, - dup21, - ]); - - var select470 = linear_select([ - dup189, - dup190, - ]); - - var select471 = linear_select([ - dup96, - dup152, - ]); - - var select472 = linear_select([ - dup196, - dup197, - ]); - - var select473 = linear_select([ - dup24, - dup200, - ]); - - var select474 = linear_select([ - dup103, - dup163, - ]); - - var select475 = linear_select([ - dup205, - dup118, - ]); - - var part2178 = match("MESSAGE#477:00030:02", "nwparser.payload", "%{change_attribute->} has been changed from %{change_old->} to %{change_new}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var select476 = linear_select([ - dup212, - dup213, - 
]); - - var select477 = linear_select([ - dup215, - dup216, - ]); - - var select478 = linear_select([ - dup222, - dup215, - ]); - - var select479 = linear_select([ - dup224, - dup225, - ]); - - var select480 = linear_select([ - dup231, - dup124, - ]); - - var select481 = linear_select([ - dup229, - dup230, - ]); - - var select482 = linear_select([ - dup233, - dup234, - ]); - - var select483 = linear_select([ - dup236, - dup237, - ]); - - var select484 = linear_select([ - dup242, - dup243, - ]); - - var select485 = linear_select([ - dup245, - dup246, - ]); - - var select486 = linear_select([ - dup247, - dup248, - ]); - - var select487 = linear_select([ - dup249, - dup250, - ]); - - var select488 = linear_select([ - dup251, - dup252, - ]); - - var select489 = linear_select([ - dup260, - dup261, - ]); - - var select490 = linear_select([ - dup264, - dup265, - ]); - - var select491 = linear_select([ - dup268, - dup269, - ]); - - var part2179 = match("MESSAGE#716:00074", "nwparser.payload", "The local device %{fld2->} in the Virtual Security Device group %{group->} %{info}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var select492 = linear_select([ - dup284, - dup285, - ]); - - var select493 = linear_select([ - dup287, - dup288, - ]); - - var part2180 = match("MESSAGE#799:00435", "nwparser.payload", "%{signame->} From %{saddr->} to %{daddr}, using protocol %{protocol}, and arriving at interface %{dinterface->} in zone %{dst_zone}.%{space}The attack occurred %{dclass_counter1->} times.", processor_chain([ - dup58, - dup2, - dup59, - dup4, - dup5, - dup3, - dup60, - ])); - - var part2181 = match("MESSAGE#814:00442", "nwparser.payload", "%{signame->} From %{saddr->} to zone %{zone}, proto %{protocol->} (int %{interface}). Occurred %{dclass_counter1->} times. 
(%{fld1})", processor_chain([ - dup58, - dup4, - dup59, - dup5, - dup9, - dup2, - dup3, - dup60, - ])); - - var select494 = linear_select([ - dup300, - dup26, - ]); - - var select495 = linear_select([ - dup115, - dup303, - ]); - - var select496 = linear_select([ - dup125, - dup96, - ]); - - var select497 = linear_select([ - dup189, - dup308, - dup309, - ]); - - var select498 = linear_select([ - dup310, - dup16, - ]); - - var select499 = linear_select([ - dup317, - dup318, - ]); - - var select500 = linear_select([ - dup319, - dup315, - ]); - - var select501 = linear_select([ - dup322, - dup250, - ]); - - var select502 = linear_select([ - dup327, - dup329, - ]); - - var select503 = linear_select([ - dup330, - dup129, - ]); - - var part2182 = match("MESSAGE#1196:01269:01", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} direction=%{direction->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} icmp type=%{icmptype}", processor_chain([ - dup281, - dup2, - dup4, - dup5, - dup274, - dup3, - dup275, - dup60, - dup282, - ])); - - var part2183 = match("MESSAGE#1197:01269:02", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=Deny sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} icmp type=%{icmptype}", processor_chain([ - dup185, - dup2, - dup4, - dup5, - dup274, - dup3, - dup275, - dup276, - dup277, - dup60, - ])); - - var part2184 = match("MESSAGE#1198:01269:03", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} icmp type=%{icmptype}", processor_chain([ - dup281, - dup2, - dup4, - dup5, - 
dup274, - dup3, - dup275, - dup60, - dup282, - ])); - - var part2185 = match("MESSAGE#1203:23184", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} (%{fld3}) proto=%{protocol->} direction=%{direction->} action=Deny sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport}", processor_chain([ - dup185, - dup2, - dup4, - dup5, - dup274, - dup3, - dup275, - dup276, - dup277, - dup61, - ])); - - var all391 = all_match({ - processors: [ - dup263, - dup390, - dup266, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var all392 = all_match({ - processors: [ - dup267, - dup391, - dup270, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var all393 = all_match({ - processors: [ - dup80, - dup343, - dup293, - ], - on_success: processor_chain([ - dup58, - dup2, - dup59, - dup3, - dup4, - dup5, - dup61, - ]), - }); - - var all394 = all_match({ - processors: [ - dup296, - dup343, - dup131, - ], - on_success: processor_chain([ - dup297, - dup2, - dup3, - dup9, - dup59, - dup4, - dup5, - dup61, - ]), - }); - - var all395 = all_match({ - processors: [ - dup298, - dup343, - dup131, - ], - on_success: processor_chain([ - dup297, - dup2, - dup3, - dup9, - dup59, - dup4, - dup5, - dup61, - ]), - }); - -- community_id: -- registered_domain: - ignore_missing: true - ignore_failure: true - field: dns.question.name - target_field: dns.question.registered_domain - target_subdomain_field: dns.question.subdomain - target_etld_field: dns.question.top_level_domain -- registered_domain: - ignore_missing: true - ignore_failure: true - field: client.domain - target_field: client.registered_domain - target_subdomain_field: client.subdomain - target_etld_field: client.top_level_domain -- registered_domain: - ignore_missing: true - ignore_failure: true - field: server.domain - target_field: 
server.registered_domain
- target_subdomain_field: server.subdomain
- target_etld_field: server.top_level_domain
-- registered_domain:
- ignore_missing: true
- ignore_failure: true
- field: destination.domain
- target_field: destination.registered_domain
- target_subdomain_field: destination.subdomain
- target_etld_field: destination.top_level_domain
-- registered_domain:
- ignore_missing: true
- ignore_failure: true
- field: source.domain
- target_field: source.registered_domain
- target_subdomain_field: source.subdomain
- target_etld_field: source.top_level_domain
-- registered_domain:
- ignore_missing: true
- ignore_failure: true
- field: url.domain
- target_field: url.registered_domain
- target_subdomain_field: url.subdomain
- target_etld_field: url.top_level_domain
-- add_locale: ~
diff --git a/packages/juniper_netscreen/0.4.1/data_stream/log/elasticsearch/ingest_pipeline/default.yml b/packages/juniper_netscreen/0.4.1/data_stream/log/elasticsearch/ingest_pipeline/default.yml
deleted file mode 100755
index 0598bf2e41..0000000000
--- a/packages/juniper_netscreen/0.4.1/data_stream/log/elasticsearch/ingest_pipeline/default.yml
+++ /dev/null
@@ -1,68 +0,0 @@
----
-description: Pipeline for Netscreen
-
-processors:
- - set:
- field: ecs.version
- value: '8.4.0'
- # User agent
- - user_agent:
- field: user_agent.original
- ignore_missing: true
- # IP Geolocation Lookup
- - geoip:
- field: source.ip
- target_field: source.geo
- ignore_missing: true
- - geoip:
- field: destination.ip
- target_field: destination.geo
- ignore_missing: true
-
- # IP Autonomous System (AS) Lookup
- - geoip:
- database_file: GeoLite2-ASN.mmdb
- field: source.ip
- target_field: source.as
- properties:
- - asn
- - organization_name
- ignore_missing: true
- - geoip:
- database_file: GeoLite2-ASN.mmdb
- field: destination.ip
- target_field: destination.as
- properties:
- - asn
- - organization_name
- ignore_missing: true
- - rename:
- field: source.as.asn
- target_field: source.as.number
- ignore_missing: true
- - rename:
- field: source.as.organization_name
- target_field: source.as.organization.name
- ignore_missing: true
- - rename:
- field: destination.as.asn
- target_field: destination.as.number
- ignore_missing: true
- - rename:
- field: destination.as.organization_name
- target_field: destination.as.organization.name
- ignore_missing: true
- - append:
- field: related.hosts
- value: '{{host.name}}'
- allow_duplicates: false
- if: ctx.host?.name != null && ctx.host?.name != ''
- - remove:
- field: event.original
- if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))"
- ignore_failure: true
- ignore_missing: true
-on_failure:
- - append:
- field: error.message
- value: "{{ _ingest.on_failure_message }}"
diff --git a/packages/juniper_netscreen/0.4.1/data_stream/log/fields/agent.yml b/packages/juniper_netscreen/0.4.1/data_stream/log/fields/agent.yml
deleted file mode 100755
index da4e652c53..0000000000
--- a/packages/juniper_netscreen/0.4.1/data_stream/log/fields/agent.yml
+++ /dev/null
@@ -1,198 +0,0 @@
-- name: cloud
- title: Cloud
- group: 2
- description: Fields related to the cloud or infrastructure the events are coming from.
- footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.'
- type: group
- fields:
- - name: account.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment.
-
- Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.'
- example: 666777888999
- - name: availability_zone
- level: extended
- type: keyword
- ignore_above: 1024
- description: Availability zone in which this host is running.
- example: us-east-1c
- - name: instance.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance ID of the host machine.
- example: i-1234567890abcdef0
- - name: instance.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance name of the host machine.
- - name: machine.type
- level: extended
- type: keyword
- ignore_above: 1024
- description: Machine type of the host machine.
- example: t2.medium
- - name: provider
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
- example: aws
- - name: region
- level: extended
- type: keyword
- ignore_above: 1024
- description: Region in which this host is running.
- example: us-east-1
- - name: project.id
- type: keyword
- description: Name of the project in Google Cloud.
- - name: image.id
- type: keyword
- description: Image ID for the cloud instance.
-- name: container
- title: Container
- group: 2
- description: 'Container fields are used for meta information about the specific container that is the source of information.
-
- These fields help correlate data based containers from any runtime.'
- type: group
- fields:
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: Unique container id.
- - name: image.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the image the container was built on.
- - name: labels
- level: extended
- type: object
- object_type: keyword
- description: Image labels.
- - name: name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Container name.
-- name: host
- title: Host
- group: 2
- description: 'A host is defined as a general computing instance.
-
- ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.'
- type: group
- fields:
- - name: architecture
- level: core
- type: keyword
- ignore_above: 1024
- description: Operating system architecture.
- example: x86_64
- - name: domain
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'Name of the domain of which the host is a member.
-
- For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.'
- example: CONTOSO
- default_field: false
- - name: hostname
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Hostname of the host.
-
- It normally contains what the `hostname` command returns on the host machine.'
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Unique host id.
-
- As hostname is not always unique, use values that are meaningful in your environment.
-
- Example: The current usage of `beat.name`.'
- - name: ip
- level: core
- type: ip
- description: Host ip addresses.
- - name: mac
- level: core
- type: keyword
- ignore_above: 1024
- description: Host mac addresses.
- - name: name
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Name of the host.
-
- It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.'
- - name: os.family
- level: extended
- type: keyword
- ignore_above: 1024
- description: OS family (such as redhat, debian, freebsd, windows).
- example: debian
- - name: os.kernel
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system kernel version as a raw string.
- example: 4.4.0-112-generic
- - name: os.name
- level: extended
- type: keyword
- ignore_above: 1024
- multi_fields:
- - name: text
- type: text
- norms: false
- default_field: false
- description: Operating system name, without the version.
- example: Mac OS X
- - name: os.platform
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system platform (such centos, ubuntu, windows).
- example: darwin
- - name: os.version
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system version as a raw string.
- example: 10.14.1
- - name: type
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Type of host.
-
- For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.'
- - name: containerized
- type: boolean
- description: >
- If the host is a container.
-
- - name: os.build
- type: keyword
- example: "18D109"
- description: >
- OS build information.
-
- - name: os.codename
- type: keyword
- example: "stretch"
- description: >
- OS codename, if any.
-
diff --git a/packages/juniper_netscreen/0.4.1/data_stream/log/fields/base-fields.yml b/packages/juniper_netscreen/0.4.1/data_stream/log/fields/base-fields.yml
deleted file mode 100755
index 82882053b6..0000000000
--- a/packages/juniper_netscreen/0.4.1/data_stream/log/fields/base-fields.yml
+++ /dev/null
@@ -1,46 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: event.module
- type: constant_keyword
- description: Event module
- value: juniper_netscreen
-- name: event.dataset
- type: constant_keyword
- description: Event dataset
- value: juniper_netscreen.log
-- name: '@timestamp'
- type: date
- description: Event timestamp.
-- name: container.id
- description: Unique container id.
- ignore_above: 1024
- type: keyword
-- name: input.type
- description: Type of Filebeat input.
- type: keyword
-- name: log.file.path
- description: Full path to the log file this event came from.
- example: /var/log/fun-times.log
- ignore_above: 1024
- type: keyword
-- name: log.source.address
- description: Source address from which the log event was read / sent from.
- type: keyword
-- name: log.flags
- description: Flags for the log file.
- type: keyword
-- name: log.offset
- description: Offset of the entry in the log file.
- type: long
-- name: tags
- description: List of keywords used to tag each event.
- example: '["production", "env2"]'
- ignore_above: 1024
- type: keyword
diff --git a/packages/juniper_netscreen/0.4.1/data_stream/log/fields/ecs.yml b/packages/juniper_netscreen/0.4.1/data_stream/log/fields/ecs.yml
deleted file mode 100755
index f7e5c95752..0000000000
--- a/packages/juniper_netscreen/0.4.1/data_stream/log/fields/ecs.yml
+++ /dev/null
@@ -1,547 +0,0 @@ -- description: |- - Date/time when the event originated. - This is the date/time extracted from the event, typically representing when the event was generated by the source. - If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. - Required field for all events. - name: '@timestamp' - type: date -- description: |- - The domain name of the client system. - This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. - name: client.domain - type: keyword -- description: |- - The highest registered client domain, stripped of the subdomain. - For example, the registered domain for "foo.example.com" is "example.com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". - name: client.registered_domain - type: keyword -- description: |- - The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. - For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. - name: client.subdomain - type: keyword -- description: |- - The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). 
Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". - name: client.top_level_domain - type: keyword -- description: |- - Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: destination.address - type: keyword -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: destination.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: destination.as.organization.name - type: keyword -- description: Bytes sent from the destination to the source. - name: destination.bytes - type: long -- description: |- - The domain name of the destination system. - This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. - name: destination.domain - type: keyword -- description: City name. - name: destination.geo.city_name - type: keyword -- description: Country name. - name: destination.geo.country_name - type: keyword -- description: Longitude and latitude. - name: destination.geo.location - type: geo_point -- description: IP address of the destination (IPv4 or IPv6). - name: destination.ip - type: ip -- description: |- - MAC address of the destination. - The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. 
- name: destination.mac - pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ - type: keyword -- description: |- - Translated ip of destination based NAT sessions (e.g. internet to private DMZ) - Typically used with load balancers, firewalls, or routers. - name: destination.nat.ip - type: ip -- description: |- - Port the source session is translated to by NAT Device. - Typically used with load balancers, firewalls, or routers. - name: destination.nat.port - type: long -- description: Port of the destination. - name: destination.port - type: long -- description: |- - The highest registered destination domain, stripped of the subdomain. - For example, the registered domain for "foo.example.com" is "example.com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". - name: destination.registered_domain - type: keyword -- description: |- - The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. - For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. - name: destination.subdomain - type: keyword -- description: |- - The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". 
- name: destination.top_level_domain - type: keyword -- description: |- - The domain name to which this resource record pertains. - If a chain of CNAME is being resolved, each answer's `name` should be the one that corresponds with the answer's `data`. It should not simply be the original `question.name` repeated. - name: dns.answers.name - type: keyword -- description: The type of data contained in this resource record. - name: dns.answers.type - type: keyword -- description: |- - The highest registered domain, stripped of the subdomain. - For example, the registered domain for "foo.example.com" is "example.com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". - name: dns.question.registered_domain - type: keyword -- description: |- - The subdomain is all of the labels under the registered_domain. - If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. - name: dns.question.subdomain - type: keyword -- description: |- - The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". - name: dns.question.top_level_domain - type: keyword -- description: The type of record being queried. - name: dns.question.type - type: keyword -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. 
- When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: Error message. - name: error.message - type: match_only_text -- description: |- - The action captured by the event. - This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. - name: event.action - type: keyword -- description: |- - Identification code for this event, if one exists. - Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. - name: event.code - type: keyword -- description: |- - Timestamp when an event arrived in the central data store. - This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. - In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. - name: event.ingested - type: date -- description: |- - Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. - This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. - doc_values: false - index: false - name: event.original - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. 
- `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. - Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. - Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. - Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. - name: event.outcome - type: keyword -- description: |- - This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. - Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). - name: event.timezone - type: keyword -- description: |- - Array of file attributes. - Attributes names will vary by platform. Here's a non-exhaustive list of values that are expected in this field: archive, compressed, directory, encrypted, execute, hidden, read, readonly, system, write. - name: file.attributes - normalize: - - array - type: keyword -- description: Directory where the file is located. It should include the drive letter, when appropriate. - name: file.directory - type: keyword -- description: |- - File extension, excluding the leading dot. - Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). - name: file.extension - type: keyword -- description: Name of the file including the extension, without the directory. 
- name: file.name - type: keyword -- description: Full path to the file, including the file name. It should include the drive letter, when appropriate. - multi_fields: - - name: text - type: match_only_text - name: file.path - type: keyword -- description: |- - File size in bytes. - Only relevant when `file.type` is "file". - name: file.size - type: long -- description: File type (file, dir, or symlink). - name: file.type - type: keyword -- description: City name. - name: geo.city_name - type: keyword -- description: Country name. - name: geo.country_name - type: keyword -- description: |- - User-defined description of a location, at the level of granularity they care about. - Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. - Not typically used in automated geolocation. - name: geo.name - type: keyword -- description: Region name. - name: geo.region_name - type: keyword -- description: Unique identifier for the group on the system/platform. - name: group.id - type: keyword -- description: Name of the group. - name: group.name - type: keyword -- description: |- - Hostname of the host. - It normally contains what the `hostname` command returns on the host machine. - name: host.hostname - type: keyword -- description: Host ip addresses. - name: host.ip - normalize: - - array - type: ip -- description: |- - Host MAC addresses. - The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. - name: host.mac - normalize: - - array - pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ - type: keyword -- description: |- - Name of the host. - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. 
- name: host.name - type: keyword -- description: |- - HTTP request method. - The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field. - name: http.request.method - type: keyword -- description: Referrer for this HTTP request. - name: http.request.referrer - type: keyword -- description: |- - Original log level of the log event. - If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). - Some examples are `warn`, `err`, `i`, `informational`. - name: log.level - type: keyword -- description: |- - The Syslog numeric facility of the log event, if available. - According to RFCs 5424 and 3164, this value should be an integer between 0 and 23. - name: log.syslog.facility.code - type: long -- description: |- - Syslog numeric priority of the event, if available. - According to RFCs 5424 and 3164, the priority is 8 * facility + severity. This number is therefore expected to contain a value between 0 and 191. - name: log.syslog.priority - type: long -- description: |- - The Syslog numeric severity of the log event, if available. - If the event source publishing via Syslog provides a different numeric severity value (e.g. firewall, IDS), your source's numeric severity should go to `event.severity`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `event.severity`. - name: log.syslog.severity.code - type: long -- description: |- - For log events the message field contains the log message, optimized for viewing in a log viewer. - For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. - If multiple messages exist, they can be combined into one message. 
- name: message - type: match_only_text -- description: |- - When a specific application or service is identified from network connection details (source/dest IPs, ports, certificates, or wire format), this field captures the application's or service's name. - For example, the original event identifies the network connection being from a specific web service in a `https` network connection, like `facebook` or `twitter`. - The field value must be normalized to lowercase for querying. - name: network.application - type: keyword -- description: |- - Total bytes transferred in both directions. - If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. - name: network.bytes - type: long -- description: |- - Direction of the network traffic. - When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". - When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". - Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. - name: network.direction - type: keyword -- description: Host IP address when the source IP address is the proxy. - name: network.forwarded_ip - type: ip -- description: |- - Total packets transferred in both directions. - If `source.packets` and `destination.packets` are known, `network.packets` is their sum. - name: network.packets - type: long -- description: |- - In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. - The field value must be normalized to lowercase for querying. 
- name: network.protocol - type: keyword -- description: Interface name as reported by the system. - name: observer.egress.interface.name - type: keyword -- description: Interface name as reported by the system. - name: observer.ingress.interface.name - type: keyword -- description: The product name of the observer. - name: observer.product - type: keyword -- description: |- - The type of the observer the data is coming from. - There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. - name: observer.type - type: keyword -- description: Vendor name of the observer. - name: observer.vendor - type: keyword -- description: Observer version. - name: observer.version - type: keyword -- description: |- - Process name. - Sometimes called program name or similar. - multi_fields: - - name: text - type: match_only_text - name: process.name - type: keyword -- description: |- - Process name. - Sometimes called program name or similar. - multi_fields: - - name: text - type: match_only_text - name: process.parent.name - type: keyword -- description: |- - Process title. - The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. - multi_fields: - - name: text - type: match_only_text - name: process.parent.title - type: keyword -- description: Process id. - name: process.pid - type: long -- description: Process id. - name: process.parent.pid - type: long -- description: |- - Process title. - The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. - multi_fields: - - name: text - type: match_only_text - name: process.title - type: keyword -- description: All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. 
- name: related.hosts - normalize: - - array - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - normalize: - - array - type: ip -- description: All the user names or other user identifiers seen on the event. - name: related.user - normalize: - - array - type: keyword -- description: The name of the rule or signature generating the event. - name: rule.name - type: keyword -- description: |- - The domain name of the server system. - This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. - name: server.domain - type: keyword -- description: |- - The highest registered server domain, stripped of the subdomain. - For example, the registered domain for "foo.example.com" is "example.com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". - name: server.registered_domain - type: keyword -- description: |- - The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. - For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. - name: server.subdomain - type: keyword -- description: |- - The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). 
Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". - name: server.top_level_domain - type: keyword -- description: |- - Name of the service data is collected from. - The name of the service is normally user given. This allows for distributed services that run on multiple hosts to correlate the related instances based on the name. - In the case of Elasticsearch the `service.name` could contain the cluster name. For Beats the `service.name` is by default a copy of the `service.type` field if no name is specified. - name: service.name - type: keyword -- description: |- - Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: source.address - type: keyword -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: source.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: source.as.organization.name - type: keyword -- description: Bytes sent from the source to the destination. - name: source.bytes - type: long -- description: |- - The domain name of the source system. - This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. - name: source.domain - type: keyword -- description: City name. - name: source.geo.city_name - type: keyword -- description: Country name. - name: source.geo.country_name - type: keyword -- description: Longitude and latitude. - name: source.geo.location - type: geo_point -- description: IP address of the source (IPv4 or IPv6). 
- name: source.ip - type: ip -- description: |- - MAC address of the source. - The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. - name: source.mac - pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ - type: keyword -- description: |- - Translated ip of source based NAT sessions (e.g. internal client to internet) - Typically connections traversing load balancers, firewalls, or routers. - name: source.nat.ip - type: ip -- description: |- - Translated port of source based NAT sessions. (e.g. internal client to internet) - Typically used with load balancers, firewalls, or routers. - name: source.nat.port - type: long -- description: Port of the source. - name: source.port - type: long -- description: |- - The highest registered source domain, stripped of the subdomain. - For example, the registered domain for "foo.example.com" is "example.com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". - name: source.registered_domain - type: keyword -- description: |- - The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. - For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. 
- name: source.subdomain - type: keyword -- description: |- - The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". - name: source.top_level_domain - type: keyword -- description: List of keywords used to tag each event. - name: tags - normalize: - - array - type: keyword -- description: |- - Domain of the url, such as "www.elastic.co". - In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. - If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. - name: url.domain - type: keyword -- description: |- - Unmodified original url as seen in the event source. - Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. - This field is meant to represent the URL as it was observed, complete or not. - multi_fields: - - name: text - type: match_only_text - name: url.original - type: wildcard -- description: Path of the request, such as "/search". - name: url.path - type: wildcard -- description: |- - The query field describes the query string of the request, such as "q=elasticsearch". - The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. - name: url.query - type: keyword -- description: |- - The highest registered url domain, stripped of the subdomain. 
- For example, the registered domain for "foo.example.com" is "example.com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". - name: url.registered_domain - type: keyword -- description: |- - The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". - name: url.top_level_domain - type: keyword -- description: |- - Name of the directory the user is a member of. - For example, an LDAP or Active Directory domain name. - name: user.domain - type: keyword -- description: User's full name, if available. - multi_fields: - - name: text - type: match_only_text - name: user.full_name - type: keyword -- description: Unique identifier of the user. - name: user.id - type: keyword -- description: Short name or login of the user. - multi_fields: - - name: text - type: match_only_text - name: user.name - type: keyword -- description: Unparsed user_agent string. - multi_fields: - - name: text - type: match_only_text - name: user_agent.original - type: keyword diff --git a/packages/juniper_netscreen/0.4.1/data_stream/log/fields/fields.yml b/packages/juniper_netscreen/0.4.1/data_stream/log/fields/fields.yml deleted file mode 100755 index ea69cd79e3..0000000000 --- a/packages/juniper_netscreen/0.4.1/data_stream/log/fields/fields.yml +++ /dev/null 
@@ -1,1754 +0,0 @@ -- name: rsa - type: group - fields: - - name: internal - type: group - fields: - - name: msg - type: keyword - description: This key is used to capture the raw message that comes into the Log Decoder - - name: messageid - type: keyword - - name: event_desc - type: keyword - - name: message - type: keyword - description: This key captures the contents of instant messages - - name: time - type: date - description: This is the time at which a session hits a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. - - name: level - type: long - description: Deprecated key defined only in table map. - - name: msg_id - type: keyword - description: This is the Message ID1 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: msg_vid - type: keyword - description: This is the Message ID2 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: data - type: keyword - description: Deprecated key defined only in table map. - - name: obj_server - type: keyword - description: Deprecated key defined only in table map. - - name: obj_val - type: keyword - description: Deprecated key defined only in table map. - - name: resource - type: keyword - description: Deprecated key defined only in table map. - - name: obj_id - type: keyword - description: Deprecated key defined only in table map. - - name: statement - type: keyword - description: Deprecated key defined only in table map. - - name: audit_class - type: keyword - description: Deprecated key defined only in table map. 
- - name: entry - type: keyword - description: Deprecated key defined only in table map. - - name: hcode - type: keyword - description: Deprecated key defined only in table map. - - name: inode - type: long - description: Deprecated key defined only in table map. - - name: resource_class - type: keyword - description: Deprecated key defined only in table map. - - name: dead - type: long - description: Deprecated key defined only in table map. - - name: feed_desc - type: keyword - description: This is used to capture the description of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: feed_name - type: keyword - description: This is used to capture the name of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: cid - type: keyword - description: This is the unique identifier used to identify a NetWitness Concentrator. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: device_class - type: keyword - description: This is the Classification of the Log Event Source under a predefined fixed set of Event Source Classifications. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: device_group - type: keyword - description: This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: device_host - type: keyword - description: This is the Hostname of the log Event Source sending the logs to NetWitness. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: device_ip - type: ip - description: This is the IPv4 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: device_ipv6 - type: ip - description: This is the IPv6 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: device_type - type: keyword - description: This is the name of the log parser which parsed a given session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: device_type_id - type: long - description: Deprecated key defined only in table map. - - name: did - type: keyword - description: This is the unique identifier used to identify a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: entropy_req - type: long - description: This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration - - name: entropy_res - type: long - description: This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration - - name: event_name - type: keyword - description: Deprecated key defined only in table map. - - name: feed_category - type: keyword - description: This is used to capture the category of the feed. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: forward_ip - type: ip - description: This key should be used to capture the IPV4 address of a relay system which forwarded the events from the original system to NetWitness. - - name: forward_ipv6 - type: ip - description: This key is used to capture the IPV6 address of a relay system which forwarded the events from the original system to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: header_id - type: keyword - description: This is the Header ID value that identifies the exact log parser header definition that parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: lc_cid - type: keyword - description: This is a unique Identifier of a Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: lc_ctime - type: date - description: This is the time at which a log is collected in a NetWitness Log Collector. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: mcb_req - type: long - description: This key is only used by the Entropy Parser, the most common byte request is simply which byte for each side (0 thru 255) was seen the most - - name: mcb_res - type: long - description: This key is only used by the Entropy Parser, the most common byte response is simply which byte for each side (0 thru 255) was seen the most - - name: mcbc_req - type: long - description: This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams - - name: mcbc_res - type: long - description: This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams - - name: medium - type: long - description: "This key is used to identify if it’s a log/packet session or Layer 2 Encapsulation Type. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. 32 = log, 33 = correlation session, < 32 is packet session" - - name: node_name - type: keyword - description: Deprecated key defined only in table map. - - name: nwe_callback_id - type: keyword - description: This key denotes that event is endpoint related - - name: parse_error - type: keyword - description: This is a special key that stores any Meta key validation error found while parsing a log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: payload_req - type: long - description: This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. 
However, in order to keep - - name: payload_res - type: long - description: This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep - - name: process_vid_dst - type: keyword - description: Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the target process. - - name: process_vid_src - type: keyword - description: Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the source process. - - name: rid - type: long - description: This is a special ID of the Remote Session created by NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: session_split - type: keyword - description: This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: site - type: keyword - description: Deprecated key defined only in table map. - - name: size - type: long - description: This is the size of the session as seen by the NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: sourcefile - type: keyword - description: This is the name of the log file or PCAPs that can be imported into NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: ubc_req - type: long - description: This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 
256 would mean all byte values of 0 thru 255 were seen at least once - - name: ubc_res - type: long - description: This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once - - name: word - type: keyword - description: This is used by the Word Parsing technology to capture the first 5 character of every word in an unparsed log - - name: time - type: group - fields: - - name: event_time - type: date - description: This key is used to capture the time mentioned in a raw session that represents the actual time an event occured in a standard normalized form - - name: duration_time - type: double - description: This key is used to capture the normalized duration/lifetime in seconds. - - name: event_time_str - type: keyword - description: This key is used to capture the incomplete time mentioned in a session as a string - - name: starttime - type: date - description: This key is used to capture the Start time mentioned in a session in a standard form - - name: month - type: keyword - - name: day - type: keyword - - name: endtime - type: date - description: This key is used to capture the End time mentioned in a session in a standard form - - name: timezone - type: keyword - description: This key is used to capture the timezone of the Event Time - - name: duration_str - type: keyword - description: A text string version of the duration - - name: date - type: keyword - - name: year - type: keyword - - name: recorded_time - type: date - description: The event time as recorded by the system the event is collected from. The usage scenario is a multi-tier application where the management layer of the system records it's own timestamp at the time of collection from its child nodes. Must be in timestamp format. 
- - name: datetime - type: keyword - - name: effective_time - type: date - description: This key is the effective time referenced by an individual event in a Standard Timestamp format - - name: expire_time - type: date - description: This key is the timestamp that explicitly refers to an expiration. - - name: process_time - type: keyword - description: Deprecated, use duration.time - - name: hour - type: keyword - - name: min - type: keyword - - name: timestamp - type: keyword - - name: event_queue_time - type: date - description: This key is the Time that the event was queued. - - name: p_time1 - type: keyword - - name: tzone - type: keyword - - name: eventtime - type: keyword - - name: gmtdate - type: keyword - - name: gmttime - type: keyword - - name: p_date - type: keyword - - name: p_month - type: keyword - - name: p_time - type: keyword - - name: p_time2 - type: keyword - - name: p_year - type: keyword - - name: expire_time_str - type: keyword - description: This key is used to capture incomplete timestamp that explicitly refers to an expiration. - - name: stamp - type: date - description: Deprecated key defined only in table map. - - name: misc - type: group - fields: - - name: action - type: keyword - - name: result - type: keyword - description: This key is used to capture the outcome/result string value of an action in a session. - - name: severity - type: keyword - description: This key is used to capture the severity given the session - - name: event_type - type: keyword - description: This key captures the event category type as specified by the event source. - - name: reference_id - type: keyword - description: This key is used to capture an event id from the session directly - - name: version - type: keyword - description: This key captures Version of the application or OS which is generating the event. - - name: disposition - type: keyword - description: This key captures the The end state of an action. 
- - name: result_code - type: keyword - description: This key is used to capture the outcome/result numeric value of an action in a session - - name: category - type: keyword - description: This key is used to capture the category of an event given by the vendor in the session - - name: obj_name - type: keyword - description: This is used to capture name of object - - name: obj_type - type: keyword - description: This is used to capture type of object - - name: event_source - type: keyword - description: "This key captures Source of the event that’s not a hostname" - - name: log_session_id - type: keyword - description: This key is used to capture a sessionid from the session directly - - name: group - type: keyword - description: This key captures the Group Name value - - name: policy_name - type: keyword - description: This key is used to capture the Policy Name only. - - name: rule_name - type: keyword - description: This key captures the Rule Name - - name: context - type: keyword - description: This key captures Information which adds additional context to the event. - - name: change_new - type: keyword - description: "This key is used to capture the new values of the attribute that’s changing in a session" - - name: space - type: keyword - - name: client - type: keyword - description: This key is used to capture only the name of the client application requesting resources of the server. See the user.agent meta key for capture of the specific user agent identifier or browser identification string. - - name: msgIdPart1 - type: keyword - - name: msgIdPart2 - type: keyword - - name: change_old - type: keyword - description: "This key is used to capture the old value of the attribute that’s changing in a session" - - name: operation_id - type: keyword - description: An alert number or operation number. The values should be unique and non-repeating. 
- - name: event_state - type: keyword - description: This key captures the current state of the object/item referenced within the event. Describing an on-going event. - - name: group_object - type: keyword - description: This key captures a collection/grouping of entities. Specific usage - - name: node - type: keyword - description: Common use case is the node name within a cluster. The cluster name is reflected by the host name. - - name: rule - type: keyword - description: This key captures the Rule number - - name: device_name - type: keyword - description: 'This is used to capture name of the Device associated with the node Like: a physical disk, printer, etc' - - name: param - type: keyword - description: This key is the parameters passed as part of a command or application, etc. - - name: change_attrib - type: keyword - description: "This key is used to capture the name of the attribute that’s changing in a session" - - name: event_computer - type: keyword - description: This key is a windows only concept, where this key is used to capture fully qualified domain name in a windows log. - - name: reference_id1 - type: keyword - description: This key is for Linked ID to be used as an addition to "reference.id" - - name: event_log - type: keyword - description: This key captures the Name of the event log - - name: OS - type: keyword - description: This key captures the Name of the Operating System - - name: terminal - type: keyword - description: This key captures the Terminal Names only - - name: msgIdPart3 - type: keyword - - name: filter - type: keyword - description: This key captures Filter used to reduce result set - - name: serial_number - type: keyword - description: This key is the Serial number associated with a physical asset. - - name: checksum - type: keyword - description: This key is used to capture the checksum or hash of the entity such as a file or process. 
Checksum should be used over checksum.src or checksum.dst when it is unclear whether the entity is a source or target of an action. - - name: event_user - type: keyword - description: This key is a windows only concept, where this key is used to capture combination of domain name and username in a windows log. - - name: virusname - type: keyword - description: This key captures the name of the virus - - name: content_type - type: keyword - description: This key is used to capture Content Type only. - - name: group_id - type: keyword - description: This key captures Group ID Number (related to the group name) - - name: policy_id - type: keyword - description: This key is used to capture the Policy ID only, this should be a numeric value, use policy.name otherwise - - name: vsys - type: keyword - description: This key captures Virtual System Name - - name: connection_id - type: keyword - description: This key captures the Connection ID - - name: reference_id2 - type: keyword - description: This key is for the 2nd Linked ID. Can be either linked to "reference.id" or "reference.id1" value but should not be used unless the other two variables are in play. - - name: sensor - type: keyword - description: This key captures Name of the sensor. Typically used in IDS/IPS based devices - - name: sig_id - type: long - description: This key captures IDS/IPS Int Signature ID - - name: port_name - type: keyword - description: 'This key is used for Physical or logical port connection but does NOT include a network port. (Example: Printer port name).' - - name: rule_group - type: keyword - description: This key captures the Rule group name - - name: risk_num - type: double - description: This key captures a Numeric Risk value - - name: trigger_val - type: keyword - description: This key captures the Value of the trigger or threshold condition. 
- - name: log_session_id1 - type: keyword - description: This key is used to capture a Linked (Related) Session ID from the session directly - - name: comp_version - type: keyword - description: This key captures the Version level of a sub-component of a product. - - name: content_version - type: keyword - description: This key captures Version level of a signature or database content. - - name: hardware_id - type: keyword - description: This key is used to capture unique identifier for a device or system (NOT a Mac address) - - name: risk - type: keyword - description: This key captures the non-numeric risk value - - name: event_id - type: keyword - - name: reason - type: keyword - - name: status - type: keyword - - name: mail_id - type: keyword - description: This key is used to capture the mailbox id/name - - name: rule_uid - type: keyword - description: This key is the Unique Identifier for a rule. - - name: trigger_desc - type: keyword - description: This key captures the Description of the trigger or threshold condition. - - name: inout - type: keyword - - name: p_msgid - type: keyword - - name: data_type - type: keyword - - name: msgIdPart4 - type: keyword - - name: error - type: keyword - description: This key captures All non successful Error codes or responses - - name: index - type: keyword - - name: listnum - type: keyword - description: This key is used to capture listname or listnumber, primarily for collecting access-list - - name: ntype - type: keyword - - name: observed_val - type: keyword - description: This key captures the Value observed (from the perspective of the device generating the log). - - name: policy_value - type: keyword - description: This key captures the contents of the policy. 
This contains details about the policy - - name: pool_name - type: keyword - description: This key captures the name of a resource pool - - name: rule_template - type: keyword - description: A default set of parameters which are overlayed onto a rule (or rulename) which efffectively constitutes a template - - name: count - type: keyword - - name: number - type: keyword - - name: sigcat - type: keyword - - name: type - type: keyword - - name: comments - type: keyword - description: Comment information provided in the log message - - name: doc_number - type: long - description: This key captures File Identification number - - name: expected_val - type: keyword - description: This key captures the Value expected (from the perspective of the device generating the log). - - name: job_num - type: keyword - description: This key captures the Job Number - - name: spi_dst - type: keyword - description: Destination SPI Index - - name: spi_src - type: keyword - description: Source SPI Index - - name: code - type: keyword - - name: agent_id - type: keyword - description: This key is used to capture agent id - - name: message_body - type: keyword - description: This key captures the The contents of the message body. - - name: phone - type: keyword - - name: sig_id_str - type: keyword - description: This key captures a string object of the sigid variable. - - name: cmd - type: keyword - - name: misc - type: keyword - - name: name - type: keyword - - name: cpu - type: long - description: This key is the CPU time used in the execution of the event being recorded. - - name: event_desc - type: keyword - description: This key is used to capture a description of an event available directly or inferred - - name: sig_id1 - type: long - description: This key captures IDS/IPS Int Signature ID. 
This must be linked to the sig.id - - name: im_buddyid - type: keyword - - name: im_client - type: keyword - - name: im_userid - type: keyword - - name: pid - type: keyword - - name: priority - type: keyword - - name: context_subject - type: keyword - description: This key is to be used in an audit context where the subject is the object being identified - - name: context_target - type: keyword - - name: cve - type: keyword - description: This key captures CVE (Common Vulnerabilities and Exposures) - an identifier for known information security vulnerabilities. - - name: fcatnum - type: keyword - description: This key captures Filter Category Number. Legacy Usage - - name: library - type: keyword - description: This key is used to capture library information in mainframe devices - - name: parent_node - type: keyword - description: This key captures the Parent Node Name. Must be related to node variable. - - name: risk_info - type: keyword - description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - - name: tcp_flags - type: long - description: This key is captures the TCP flags set in any packet of session - - name: tos - type: long - description: This key describes the type of service - - name: vm_target - type: keyword - description: VMWare Target **VMWARE** only varaible. 
- - name: workspace - type: keyword - description: This key captures Workspace Description - - name: command - type: keyword - - name: event_category - type: keyword - - name: facilityname - type: keyword - - name: forensic_info - type: keyword - - name: jobname - type: keyword - - name: mode - type: keyword - - name: policy - type: keyword - - name: policy_waiver - type: keyword - - name: second - type: keyword - - name: space1 - type: keyword - - name: subcategory - type: keyword - - name: tbdstr2 - type: keyword - - name: alert_id - type: keyword - description: Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - - name: checksum_dst - type: keyword - description: This key is used to capture the checksum or hash of the the target entity such as a process or file. - - name: checksum_src - type: keyword - description: This key is used to capture the checksum or hash of the source entity such as a file or process. - - name: fresult - type: long - description: This key captures the Filter Result - - name: payload_dst - type: keyword - description: This key is used to capture destination payload - - name: payload_src - type: keyword - description: This key is used to capture source payload - - name: pool_id - type: keyword - description: This key captures the identifier (typically numeric field) of a resource pool - - name: process_id_val - type: keyword - description: This key is a failure key for Process ID when it is not an integer value - - name: risk_num_comm - type: double - description: This key captures Risk Number Community - - name: risk_num_next - type: double - description: This key captures Risk Number NextGen - - name: risk_num_sand - type: double - description: This key captures Risk Number SandBox - - name: risk_num_static - type: double - description: This key captures Risk Number Static - - name: risk_suspicious - type: keyword - description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - - name: risk_warning - 
type: keyword - description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - - name: snmp_oid - type: keyword - description: SNMP Object Identifier - - name: sql - type: keyword - description: This key captures the SQL query - - name: vuln_ref - type: keyword - description: This key captures the Vulnerability Reference details - - name: acl_id - type: keyword - - name: acl_op - type: keyword - - name: acl_pos - type: keyword - - name: acl_table - type: keyword - - name: admin - type: keyword - - name: alarm_id - type: keyword - - name: alarmname - type: keyword - - name: app_id - type: keyword - - name: audit - type: keyword - - name: audit_object - type: keyword - - name: auditdata - type: keyword - - name: benchmark - type: keyword - - name: bypass - type: keyword - - name: cache - type: keyword - - name: cache_hit - type: keyword - - name: cefversion - type: keyword - - name: cfg_attr - type: keyword - - name: cfg_obj - type: keyword - - name: cfg_path - type: keyword - - name: changes - type: keyword - - name: client_ip - type: keyword - - name: clustermembers - type: keyword - - name: cn_acttimeout - type: keyword - - name: cn_asn_src - type: keyword - - name: cn_bgpv4nxthop - type: keyword - - name: cn_ctr_dst_code - type: keyword - - name: cn_dst_tos - type: keyword - - name: cn_dst_vlan - type: keyword - - name: cn_engine_id - type: keyword - - name: cn_engine_type - type: keyword - - name: cn_f_switch - type: keyword - - name: cn_flowsampid - type: keyword - - name: cn_flowsampintv - type: keyword - - name: cn_flowsampmode - type: keyword - - name: cn_inacttimeout - type: keyword - - name: cn_inpermbyts - type: keyword - - name: cn_inpermpckts - type: keyword - - name: cn_invalid - type: keyword - - name: cn_ip_proto_ver - type: keyword - - name: cn_ipv4_ident - type: keyword - - name: cn_l_switch - type: keyword - - name: cn_log_did - type: keyword - - name: cn_log_rid - type: keyword - - name: cn_max_ttl - type: keyword - - name: 
cn_maxpcktlen - type: keyword - - name: cn_min_ttl - type: keyword - - name: cn_minpcktlen - type: keyword - - name: cn_mpls_lbl_1 - type: keyword - - name: cn_mpls_lbl_10 - type: keyword - - name: cn_mpls_lbl_2 - type: keyword - - name: cn_mpls_lbl_3 - type: keyword - - name: cn_mpls_lbl_4 - type: keyword - - name: cn_mpls_lbl_5 - type: keyword - - name: cn_mpls_lbl_6 - type: keyword - - name: cn_mpls_lbl_7 - type: keyword - - name: cn_mpls_lbl_8 - type: keyword - - name: cn_mpls_lbl_9 - type: keyword - - name: cn_mplstoplabel - type: keyword - - name: cn_mplstoplabip - type: keyword - - name: cn_mul_dst_byt - type: keyword - - name: cn_mul_dst_pks - type: keyword - - name: cn_muligmptype - type: keyword - - name: cn_sampalgo - type: keyword - - name: cn_sampint - type: keyword - - name: cn_seqctr - type: keyword - - name: cn_spackets - type: keyword - - name: cn_src_tos - type: keyword - - name: cn_src_vlan - type: keyword - - name: cn_sysuptime - type: keyword - - name: cn_template_id - type: keyword - - name: cn_totbytsexp - type: keyword - - name: cn_totflowexp - type: keyword - - name: cn_totpcktsexp - type: keyword - - name: cn_unixnanosecs - type: keyword - - name: cn_v6flowlabel - type: keyword - - name: cn_v6optheaders - type: keyword - - name: comp_class - type: keyword - - name: comp_name - type: keyword - - name: comp_rbytes - type: keyword - - name: comp_sbytes - type: keyword - - name: cpu_data - type: keyword - - name: criticality - type: keyword - - name: cs_agency_dst - type: keyword - - name: cs_analyzedby - type: keyword - - name: cs_av_other - type: keyword - - name: cs_av_primary - type: keyword - - name: cs_av_secondary - type: keyword - - name: cs_bgpv6nxthop - type: keyword - - name: cs_bit9status - type: keyword - - name: cs_context - type: keyword - - name: cs_control - type: keyword - - name: cs_data - type: keyword - - name: cs_datecret - type: keyword - - name: cs_dst_tld - type: keyword - - name: cs_eth_dst_ven - type: keyword - - 
name: cs_eth_src_ven - type: keyword - - name: cs_event_uuid - type: keyword - - name: cs_filetype - type: keyword - - name: cs_fld - type: keyword - - name: cs_if_desc - type: keyword - - name: cs_if_name - type: keyword - - name: cs_ip_next_hop - type: keyword - - name: cs_ipv4dstpre - type: keyword - - name: cs_ipv4srcpre - type: keyword - - name: cs_lifetime - type: keyword - - name: cs_log_medium - type: keyword - - name: cs_loginname - type: keyword - - name: cs_modulescore - type: keyword - - name: cs_modulesign - type: keyword - - name: cs_opswatresult - type: keyword - - name: cs_payload - type: keyword - - name: cs_registrant - type: keyword - - name: cs_registrar - type: keyword - - name: cs_represult - type: keyword - - name: cs_rpayload - type: keyword - - name: cs_sampler_name - type: keyword - - name: cs_sourcemodule - type: keyword - - name: cs_streams - type: keyword - - name: cs_targetmodule - type: keyword - - name: cs_v6nxthop - type: keyword - - name: cs_whois_server - type: keyword - - name: cs_yararesult - type: keyword - - name: description - type: keyword - - name: devvendor - type: keyword - - name: distance - type: keyword - - name: dstburb - type: keyword - - name: edomain - type: keyword - - name: edomaub - type: keyword - - name: euid - type: keyword - - name: facility - type: keyword - - name: finterface - type: keyword - - name: flags - type: keyword - - name: gaddr - type: keyword - - name: id3 - type: keyword - - name: im_buddyname - type: keyword - - name: im_croomid - type: keyword - - name: im_croomtype - type: keyword - - name: im_members - type: keyword - - name: im_username - type: keyword - - name: ipkt - type: keyword - - name: ipscat - type: keyword - - name: ipspri - type: keyword - - name: latitude - type: keyword - - name: linenum - type: keyword - - name: list_name - type: keyword - - name: load_data - type: keyword - - name: location_floor - type: keyword - - name: location_mark - type: keyword - - name: log_id - 
type: keyword - - name: log_type - type: keyword - - name: logid - type: keyword - - name: logip - type: keyword - - name: logname - type: keyword - - name: longitude - type: keyword - - name: lport - type: keyword - - name: mbug_data - type: keyword - - name: misc_name - type: keyword - - name: msg_type - type: keyword - - name: msgid - type: keyword - - name: netsessid - type: keyword - - name: num - type: keyword - - name: number1 - type: keyword - - name: number2 - type: keyword - - name: nwwn - type: keyword - - name: object - type: keyword - - name: operation - type: keyword - - name: opkt - type: keyword - - name: orig_from - type: keyword - - name: owner_id - type: keyword - - name: p_action - type: keyword - - name: p_filter - type: keyword - - name: p_group_object - type: keyword - - name: p_id - type: keyword - - name: p_msgid1 - type: keyword - - name: p_msgid2 - type: keyword - - name: p_result1 - type: keyword - - name: password_chg - type: keyword - - name: password_expire - type: keyword - - name: permgranted - type: keyword - - name: permwanted - type: keyword - - name: pgid - type: keyword - - name: policyUUID - type: keyword - - name: prog_asp_num - type: keyword - - name: program - type: keyword - - name: real_data - type: keyword - - name: rec_asp_device - type: keyword - - name: rec_asp_num - type: keyword - - name: rec_library - type: keyword - - name: recordnum - type: keyword - - name: ruid - type: keyword - - name: sburb - type: keyword - - name: sdomain_fld - type: keyword - - name: sec - type: keyword - - name: sensorname - type: keyword - - name: seqnum - type: keyword - - name: session - type: keyword - - name: sessiontype - type: keyword - - name: sigUUID - type: keyword - - name: spi - type: keyword - - name: srcburb - type: keyword - - name: srcdom - type: keyword - - name: srcservice - type: keyword - - name: state - type: keyword - - name: status1 - type: keyword - - name: svcno - type: keyword - - name: system - type: keyword - - 
name: tbdstr1 - type: keyword - - name: tgtdom - type: keyword - - name: tgtdomain - type: keyword - - name: threshold - type: keyword - - name: type1 - type: keyword - - name: udb_class - type: keyword - - name: url_fld - type: keyword - - name: user_div - type: keyword - - name: userid - type: keyword - - name: username_fld - type: keyword - - name: utcstamp - type: keyword - - name: v_instafname - type: keyword - - name: virt_data - type: keyword - - name: vpnid - type: keyword - - name: autorun_type - type: keyword - description: This is used to capture Auto Run type - - name: cc_number - type: long - description: Valid Credit Card Numbers only - - name: content - type: keyword - description: This key captures the content type from protocol headers - - name: ein_number - type: long - description: Employee Identification Numbers only - - name: found - type: keyword - description: This is used to capture the results of regex match - - name: language - type: keyword - description: This is used to capture list of languages the client support and what it prefers - - name: lifetime - type: long - description: This key is used to capture the session lifetime in seconds. - - name: link - type: keyword - description: This key is used to link the sessions together. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: match - type: keyword - description: This key is for regex match name from search.ini - - name: param_dst - type: keyword - description: This key captures the command line/launch argument of the target process or file - - name: param_src - type: keyword - description: This key captures source parameter - - name: search_text - type: keyword - description: This key captures the Search Text used - - name: sig_name - type: keyword - description: This key is used to capture the Signature Name only. 
- - name: snmp_value - type: keyword - description: SNMP set request value - - name: streams - type: long - description: This key captures number of streams in session - - name: db - type: group - fields: - - name: index - type: keyword - description: This key captures IndexID of the index. - - name: instance - type: keyword - description: This key is used to capture the database server instance name - - name: database - type: keyword - description: This key is used to capture the name of a database or an instance as seen in a session - - name: transact_id - type: keyword - description: This key captures the SQL transantion ID of the current session - - name: permissions - type: keyword - description: This key captures permission or privilege level assigned to a resource. - - name: table_name - type: keyword - description: This key is used to capture the table name - - name: db_id - type: keyword - description: This key is used to capture the unique identifier for a database - - name: db_pid - type: long - description: This key captures the process id of a connection with database server - - name: lread - type: long - description: This key is used for the number of logical reads - - name: lwrite - type: long - description: This key is used for the number of logical writes - - name: pread - type: long - description: This key is used for the number of physical writes - - name: network - type: group - fields: - - name: alias_host - type: keyword - description: This key should be used when the source or destination context of a hostname is not clear.Also it captures the Device Hostname. Any Hostname that isnt ad.computer. 
- - name: domain - type: keyword - - name: host_dst - type: keyword - description: "This key should only be used when it’s a Destination Hostname" - - name: network_service - type: keyword - description: This is used to capture layer 7 protocols/service names - - name: interface - type: keyword - description: This key should be used when the source or destination context of an interface is not clear - - name: network_port - type: long - description: 'Deprecated, use port. NOTE: There is a type discrepancy as currently used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!)' - - name: eth_host - type: keyword - description: Deprecated, use alias.mac - - name: sinterface - type: keyword - description: "This key should only be used when it’s a Source Interface" - - name: dinterface - type: keyword - description: "This key should only be used when it’s a Destination Interface" - - name: vlan - type: long - description: This key should only be used to capture the ID of the Virtual LAN - - name: zone_src - type: keyword - description: "This key should only be used when it’s a Source Zone." - - name: zone - type: keyword - description: This key should be used when the source or destination context of a Zone is not clear - - name: zone_dst - type: keyword - description: "This key should only be used when it’s a Destination Zone." - - name: gateway - type: keyword - description: This key is used to capture the IP Address of the gateway - - name: icmp_type - type: long - description: This key is used to capture the ICMP type only - - name: mask - type: keyword - description: This key is used to capture the device network IPmask. 
- - name: icmp_code - type: long - description: This key is used to capture the ICMP code only - - name: protocol_detail - type: keyword - description: This key should be used to capture additional protocol information - - name: dmask - type: keyword - description: This key is used for Destionation Device network mask - - name: port - type: long - description: This key should only be used to capture a Network Port when the directionality is not clear - - name: smask - type: keyword - description: This key is used for capturing source Network Mask - - name: netname - type: keyword - description: This key is used to capture the network name associated with an IP range. This is configured by the end user. - - name: paddr - type: ip - description: Deprecated - - name: faddr - type: keyword - - name: lhost - type: keyword - - name: origin - type: keyword - - name: remote_domain_id - type: keyword - - name: addr - type: keyword - - name: dns_a_record - type: keyword - - name: dns_ptr_record - type: keyword - - name: fhost - type: keyword - - name: fport - type: keyword - - name: laddr - type: keyword - - name: linterface - type: keyword - - name: phost - type: keyword - - name: ad_computer_dst - type: keyword - description: Deprecated, use host.dst - - name: eth_type - type: long - description: This key is used to capture Ethernet Type, Used for Layer 3 Protocols Only - - name: ip_proto - type: long - description: This key should be used to capture the Protocol number, all the protocol nubers are converted into string in UI - - name: dns_cname_record - type: keyword - - name: dns_id - type: keyword - - name: dns_opcode - type: keyword - - name: dns_resp - type: keyword - - name: dns_type - type: keyword - - name: domain1 - type: keyword - - name: host_type - type: keyword - - name: packet_length - type: keyword - - name: host_orig - type: keyword - description: This is used to capture the original hostname in case of a Forwarding Agent or a Proxy in between. 
- - name: rpayload - type: keyword - description: This key is used to capture the total number of payload bytes seen in the retransmitted packets. - - name: vlan_name - type: keyword - description: This key should only be used to capture the name of the Virtual LAN - - name: investigations - type: group - fields: - - name: ec_activity - type: keyword - description: This key captures the particular event activity(Ex:Logoff) - - name: ec_theme - type: keyword - description: This key captures the Theme of a particular Event(Ex:Authentication) - - name: ec_subject - type: keyword - description: This key captures the Subject of a particular Event(Ex:User) - - name: ec_outcome - type: keyword - description: This key captures the outcome of a particular Event(Ex:Success) - - name: event_cat - type: long - description: This key captures the Event category number - - name: event_cat_name - type: keyword - description: This key captures the event category name corresponding to the event cat code - - name: event_vcat - type: keyword - description: This is a vendor supplied category. This should be used in situations where the vendor has adopted their own event_category taxonomy. - - name: analysis_file - type: keyword - description: This is used to capture all indicators used in a File Analysis. This key should be used to capture an analysis of a file - - name: analysis_service - type: keyword - description: This is used to capture all indicators used in a Service Analysis. This key should be used to capture an analysis of a service - - name: analysis_session - type: keyword - description: This is used to capture all indicators used for a Session Analysis. 
This key should be used to capture an analysis of a session - - name: boc - type: keyword - description: This is used to capture behaviour of compromise - - name: eoc - type: keyword - description: This is used to capture Enablers of Compromise - - name: inv_category - type: keyword - description: This used to capture investigation category - - name: inv_context - type: keyword - description: This used to capture investigation context - - name: ioc - type: keyword - description: This is key capture indicator of compromise - - name: counters - type: group - fields: - - name: dclass_c1 - type: long - description: This is a generic counter key that should be used with the label dclass.c1.str only - - name: dclass_c2 - type: long - description: This is a generic counter key that should be used with the label dclass.c2.str only - - name: event_counter - type: long - description: This is used to capture the number of times an event repeated - - name: dclass_r1 - type: keyword - description: This is a generic ratio key that should be used with the label dclass.r1.str only - - name: dclass_c3 - type: long - description: This is a generic counter key that should be used with the label dclass.c3.str only - - name: dclass_c1_str - type: keyword - description: This is a generic counter string key that should be used with the label dclass.c1 only - - name: dclass_c2_str - type: keyword - description: This is a generic counter string key that should be used with the label dclass.c2 only - - name: dclass_r1_str - type: keyword - description: This is a generic ratio string key that should be used with the label dclass.r1 only - - name: dclass_r2 - type: keyword - description: This is a generic ratio key that should be used with the label dclass.r2.str only - - name: dclass_c3_str - type: keyword - description: This is a generic counter string key that should be used with the label dclass.c3 only - - name: dclass_r3 - type: keyword - description: This is a generic ratio key that 
should be used with the label dclass.r3.str only - - name: dclass_r2_str - type: keyword - description: This is a generic ratio string key that should be used with the label dclass.r2 only - - name: dclass_r3_str - type: keyword - description: This is a generic ratio string key that should be used with the label dclass.r3 only - - name: identity - type: group - fields: - - name: auth_method - type: keyword - description: This key is used to capture authentication methods used only - - name: user_role - type: keyword - description: This key is used to capture the Role of a user only - - name: dn - type: keyword - description: X.500 (LDAP) Distinguished Name - - name: logon_type - type: keyword - description: This key is used to capture the type of logon method used. - - name: profile - type: keyword - description: This key is used to capture the user profile - - name: accesses - type: keyword - description: This key is used to capture actual privileges used in accessing an object - - name: realm - type: keyword - description: Radius realm or similar grouping of accounts - - name: user_sid_dst - type: keyword - description: This key captures Destination User Session ID - - name: dn_src - type: keyword - description: An X.500 (LDAP) Distinguished name that is used in a context that indicates a Source dn - - name: org - type: keyword - description: This key captures the User organization - - name: dn_dst - type: keyword - description: An X.500 (LDAP) Distinguished name that used in a context that indicates a Destination dn - - name: firstname - type: keyword - description: This key is for First Names only, this is used for Healthcare predominantly to capture Patients information - - name: lastname - type: keyword - description: This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information - - name: user_dept - type: keyword - description: User's Department Names only - - name: user_sid_src - type: keyword - description: This 
key captures Source User Session ID - - name: federated_sp - type: keyword - description: This key is the Federated Service Provider. This is the application requesting authentication. - - name: federated_idp - type: keyword - description: This key is the federated Identity Provider. This is the server providing the authentication. - - name: logon_type_desc - type: keyword - description: This key is used to capture the textual description of an integer logon type as stored in the meta key 'logon.type'. - - name: middlename - type: keyword - description: This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information - - name: password - type: keyword - description: This key is for Passwords seen in any session, plain text or encrypted - - name: host_role - type: keyword - description: This key should only be used to capture the role of a Host Machine - - name: ldap - type: keyword - description: "This key is for Uninterpreted LDAP values. Ldap Values that don’t have a clear query or response context" - - name: ldap_query - type: keyword - description: This key is the Search criteria from an LDAP search - - name: ldap_response - type: keyword - description: This key is to capture Results from an LDAP search - - name: owner - type: keyword - description: This is used to capture username the process or service is running as, the author of the task - - name: service_account - type: keyword - description: This key is a windows specific key, used for capturing name of the account a service (referenced in the event) is running under. 
Legacy Usage - - name: email - type: group - fields: - - name: email_dst - type: keyword - description: This key is used to capture the Destination email address only, when the destination context is not clear use email - - name: email_src - type: keyword - description: This key is used to capture the source email address only, when the source context is not clear use email - - name: subject - type: keyword - description: This key is used to capture the subject string from an Email only. - - name: email - type: keyword - description: This key is used to capture a generic email address where the source or destination context is not clear - - name: trans_from - type: keyword - description: Deprecated key defined only in table map. - - name: trans_to - type: keyword - description: Deprecated key defined only in table map. - - name: file - type: group - fields: - - name: privilege - type: keyword - description: Deprecated, use permissions - - name: attachment - type: keyword - description: This key captures the attachment file name - - name: filesystem - type: keyword - - name: binary - type: keyword - description: Deprecated key defined only in table map. 
- - name: filename_dst
- type: keyword
- description: This is used to capture name of the file targeted by the action
- - name: filename_src
- type: keyword
- description: This is used to capture name of the parent filename, the file which performed the action
- - name: filename_tmp
- type: keyword
- - name: directory_dst
- type: keyword
- description: This key is used to capture the directory of the target process or file
- - name: directory_src
- type: keyword
- description: This key is used to capture the directory of the source process or file
- - name: file_entropy
- type: double
- description: This is used to capture entropy vale of a file
- - name: file_vendor
- type: keyword
- description: This is used to capture Company name of file located in version_info
- - name: task_name
- type: keyword
- description: This is used to capture name of the task
- - name: web
- type: group
- fields:
- - name: fqdn
- type: keyword
- description: Fully Qualified Domain Names
- - name: web_cookie
- type: keyword
- description: This key is used to capture the Web cookies specifically.
- - name: alias_host
- type: keyword
- - name: reputation_num
- type: double
- description: Reputation Number of an entity.
Typically used for Web Domains
- - name: web_ref_domain
- type: keyword
- description: Web referer's domain
- - name: web_ref_query
- type: keyword
- description: This key captures Web referer's query portion of the URL
- - name: remote_domain
- type: keyword
- - name: web_ref_page
- type: keyword
- description: This key captures Web referer's page information
- - name: web_ref_root
- type: keyword
- description: Web referer's root URL path
- - name: cn_asn_dst
- type: keyword
- - name: cn_rpackets
- type: keyword
- - name: urlpage
- type: keyword
- - name: urlroot
- type: keyword
- - name: p_url
- type: keyword
- - name: p_user_agent
- type: keyword
- - name: p_web_cookie
- type: keyword
- - name: p_web_method
- type: keyword
- - name: p_web_referer
- type: keyword
- - name: web_extension_tmp
- type: keyword
- - name: web_page
- type: keyword
- - name: threat
- type: group
- fields:
- - name: threat_category
- type: keyword
- description: This key captures Threat Name/Threat Category/Categorization of alert
- - name: threat_desc
- type: keyword
- description: This key is used to capture the threat description from the session directly or inferred
- - name: alert
- type: keyword
- description: This key is used to capture name of the alert
- - name: threat_source
- type: keyword
- description: This key is used to capture source of the threat
- - name: crypto
- type: group
- fields:
- - name: crypto
- type: keyword
- description: This key is used to capture the Encryption Type or Encryption Key only
- - name: cipher_src
- type: keyword
- description: This key is for Source (Client) Cipher
- - name: cert_subject
- type: keyword
- description: This key is used to capture the Certificate organization only
- - name: peer
- type: keyword
- description: This key is for Encryption peer's IP Address
- - name: cipher_size_src
- type: long
- description: This key captures Source (Client) Cipher Size
- - name: ike
- type: keyword
- description: IKE negotiation phase.
- - name: scheme
- type: keyword
- description: This key captures the Encryption scheme used
- - name: peer_id
- type: keyword
- description: "This key is for Encryption peer’s identity"
- - name: sig_type
- type: keyword
- description: This key captures the Signature Type
- - name: cert_issuer
- type: keyword
- - name: cert_host_name
- type: keyword
- description: Deprecated key defined only in table map.
- - name: cert_error
- type: keyword
- description: This key captures the Certificate Error String
- - name: cipher_dst
- type: keyword
- description: This key is for Destination (Server) Cipher
- - name: cipher_size_dst
- type: long
- description: This key captures Destination (Server) Cipher Size
- - name: ssl_ver_src
- type: keyword
- description: Deprecated, use version
- - name: d_certauth
- type: keyword
- - name: s_certauth
- type: keyword
- - name: ike_cookie1
- type: keyword
- description: "ID of the negotiation — sent for ISAKMP Phase One"
- - name: ike_cookie2
- type: keyword
- description: "ID of the negotiation — sent for ISAKMP Phase Two"
- - name: cert_checksum
- type: keyword
- - name: cert_host_cat
- type: keyword
- description: This key is used for the hostname category value of a certificate
- - name: cert_serial
- type: keyword
- description: This key is used to capture the Certificate serial number only
- - name: cert_status
- type: keyword
- description: This key captures Certificate validation status
- - name: ssl_ver_dst
- type: keyword
- description: Deprecated, use version
- - name: cert_keysize
- type: keyword
- - name: cert_username
- type: keyword
- - name: https_insact
- type: keyword
- - name: https_valid
- type: keyword
- - name: cert_ca
- type: keyword
- description: This key is used to capture the Certificate signing authority only
- - name: cert_common
- type: keyword
- description: This key is used to capture the Certificate common name only
- - name: wireless
- type: group
- fields:
- - name: wlan_ssid
- type: keyword
- description: This key is used to capture the ssid of a Wireless Session
- - name: access_point
- type: keyword
- description: This key is used to capture the access point name.
- - name: wlan_channel
- type: long
- description: This is used to capture the channel names
- - name: wlan_name
- type: keyword
- description: This key captures either WLAN number/name
- - name: storage
- type: group
- fields:
- - name: disk_volume
- type: keyword
- description: A unique name assigned to logical units (volumes) within a physical disk
- - name: lun
- type: keyword
- description: Logical Unit Number.This key is a very useful concept in Storage.
- - name: pwwn
- type: keyword
- description: This uniquely identifies a port on a HBA.
- - name: physical
- type: group
- fields:
- - name: org_dst
- type: keyword
- description: This is used to capture the destination organization based on the GEOPIP Maxmind database.
- - name: org_src
- type: keyword
- description: This is used to capture the source organization based on the GEOPIP Maxmind database.
- - name: healthcare
- type: group
- fields:
- - name: patient_fname
- type: keyword
- description: This key is for First Names only, this is used for Healthcare predominantly to capture Patients information
- - name: patient_id
- type: keyword
- description: This key captures the unique ID for a patient
- - name: patient_lname
- type: keyword
- description: This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information
- - name: patient_mname
- type: keyword
- description: This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information
- - name: endpoint
- type: group
- fields:
- - name: host_state
- type: keyword
- description: This key is used to capture the current state of the machine, such as blacklisted, infected, firewall disabled and so on
- - name: registry_key
- type: keyword
- description: This key captures the path to the registry key
- - name: registry_value
- type: keyword
- description: This key captures values or decorators used within a registry entry
-- name: dns.question.domain
- type: keyword
- ignore_above: 1024
- description: Server domain.
-- name: network.interface.name
- type: keyword
diff --git a/packages/juniper_netscreen/0.4.1/data_stream/log/manifest.yml b/packages/juniper_netscreen/0.4.1/data_stream/log/manifest.yml
deleted file mode 100755
index 7b194a9784..0000000000
--- a/packages/juniper_netscreen/0.4.1/data_stream/log/manifest.yml
+++ /dev/null
@@ -1,205 +0,0 @@
-title: Netscreen logs
-release: experimental
-type: logs
-streams:
- - input: udp
- title: Netscreen logs
- description: Collect Netscreen logs
- template_path: udp.yml.hbs
- vars:
- - name: tags
- type: text
- title: Tags
- multi: true
- required: true
- show_user: false
- default:
- - juniper-netscreen
- - forwarded
- - name: udp_host
- type: text
- title: UDP host to listen on
- multi: false
- required: true
- show_user: true
- default: localhost
- - name: udp_port
- type: integer
- title: UDP port to listen on
- multi: false
- required: true
- show_user: true
- default: 9523
- - name: tz_offset
- type: text
- title: Timezone offset (+HH:mm format)
- required: false
- show_user: true
- default: "local"
- - name: rsa_fields
- type: bool
- title: Add non-ECS fields
- required: false
- show_user: true
- default: true
- - name: keep_raw_fields
- type: bool
- title: Keep raw parser fields
- required: false
- show_user: false
- default: false
- - name: debug
- type: bool
- title: Enable debug logging
- required: false
- show_user: false
- default: false
- - name: preserve_original_event
- required: true
- show_user: true
- title: Preserve original event
- description: Preserves a raw copy of the original event, added to the field `event.original`
- type: bool
- multi: false
- default: false
- - name: processors
- type: yaml
- title: Processors
- multi: false
- required: false
- show_user: false
- description: >
- Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
-
- - input: tcp
- title: Netscreen logs
- description: Collect Netscreen logs
- template_path: tcp.yml.hbs
- vars:
- - name: tags
- type: text
- title: Tags
- multi: true
- required: true
- show_user: false
- default:
- - juniper-netscreen
- - forwarded
- - name: tcp_host
- type: text
- title: TCP host to listen on
- multi: false
- required: true
- show_user: true
- default: localhost
- - name: tcp_port
- type: integer
- title: TCP port to listen on
- multi: false
- required: true
- show_user: true
- default: 9523
- - name: tz_offset
- type: text
- title: Timezone offset (+HH:mm format)
- required: false
- show_user: true
- default: "local"
- - name: rsa_fields
- type: bool
- title: Add non-ECS fields
- required: false
- show_user: true
- default: true
- - name: keep_raw_fields
- type: bool
- title: Keep raw parser fields
- required: false
- show_user: false
- default: false
- - name: debug
- type: bool
- title: Enable debug logging
- required: false
- show_user: false
- default: false
- - name: preserve_original_event
- required: true
- show_user: true
- title: Preserve original event
- description: Preserves a raw copy of the original event, added to the field `event.original`
- type: bool
- multi: false
- default: false
- - name: processors
- type: yaml
- title: Processors
- multi: false
- required: false
- show_user: false
- description: >
- Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
-
- - input: filestream
- enabled: false
- title: Netscreen logs
- description: Collect Netscreen logs from file
- template_path: logfile.yml.hbs
- vars:
- - name: paths
- type: text
- title: Paths
- multi: true
- required: true
- show_user: true
- default:
- - /var/log/juniper-netscreen.log
- - name: tags
- type: text
- title: Tags
- multi: true
- required: true
- show_user: false
- default:
- - juniper-netscreen
- - forwarded
- - name: tz_offset
- type: text
- title: Timezone offset (+HH:mm format)
- required: false
- show_user: true
- default: "local"
- - name: rsa_fields
- type: bool
- title: Add non-ECS fields
- required: false
- show_user: true
- default: true
- - name: keep_raw_fields
- type: bool
- title: Keep raw parser fields
- required: false
- show_user: false
- default: false
- - name: debug
- type: bool
- title: Enable debug logging
- required: false
- show_user: false
- default: false
- - name: preserve_original_event
- required: true
- show_user: true
- title: Preserve original event
- description: Preserves a raw copy of the original event, added to the field `event.original`
- type: bool
- multi: false
- default: false
- - name: processors
- type: yaml
- title: Processors
- multi: false
- required: false
- show_user: false
- description: >-
- Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
diff --git a/packages/juniper_netscreen/0.4.1/data_stream/log/sample_event.json b/packages/juniper_netscreen/0.4.1/data_stream/log/sample_event.json
deleted file mode 100755
index 4794339b14..0000000000
--- a/packages/juniper_netscreen/0.4.1/data_stream/log/sample_event.json
+++ /dev/null
@@ -1,60 +0,0 @@
-{
- "@timestamp": "2016-01-29T06:09:59.000Z",
- "agent": {
- "ephemeral_id": "1d0b19ed-8fb1-4e91-873a-19f2949ff20e",
- "id": "4e3f135a-d5f9-40b6-ae01-2c834ecbead0",
- "name": "docker-fleet-agent",
- "type": "filebeat",
- "version": "8.0.0"
- },
- "data_stream": {
- "dataset": "juniper_netscreen.log",
- "namespace": "ep",
- "type": "logs"
- },
- "ecs": {
- "version": "8.3.0"
- },
- "elastic_agent": {
- "id": "4e3f135a-d5f9-40b6-ae01-2c834ecbead0",
- "snapshot": true,
- "version": "8.0.0"
- },
- "event": {
- "agent_id_status": "verified",
- "code": "00628",
- "dataset": "juniper_netscreen.log",
- "ingested": "2022-01-25T12:47:59Z",
- "timezone": "+00:00"
- },
- "input": {
- "type": "udp"
- },
- "log": {
- "level": "low",
- "source": {
- "address": "172.30.0.4:59406"
- }
- },
- "observer": {
- "product": "Netscreen",
- "type": "Firewall",
- "vendor": "Juniper"
- },
- "rsa": {
- "internal": {
- "messageid": "00628"
- },
- "misc": {
- "hardware_id": "olab",
- "severity": "low"
- },
- "time": {
- "event_time": "2016-01-29T06:09:59.000Z"
- }
- },
- "tags": [
- "juniper-netscreen",
- "forwarded"
- ]
-}
\ No newline at end of file
diff --git a/packages/juniper_netscreen/0.4.1/docs/README.md b/packages/juniper_netscreen/0.4.1/docs/README.md
deleted file mode 100755
index 4d46345975..0000000000
--- a/packages/juniper_netscreen/0.4.1/docs/README.md
+++ /dev/null
@@ -1,913 +0,0 @@ -# Juniper integration - -This is an integration for ingesting logs from [Juniper NetScreen](https://www.juniper.net/documentation/en_US/release-independent/screenos/information-products/pathway-pages/netscreen-series/product/). - -### Log - -The `log` dataset collects Netscreen logs. - -An example event for `log` looks as following: - -```json -{ - "@timestamp": "2016-01-29T06:09:59.000Z", - "agent": { - "ephemeral_id": "1d0b19ed-8fb1-4e91-873a-19f2949ff20e", - "id": "4e3f135a-d5f9-40b6-ae01-2c834ecbead0", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "8.0.0" - }, - "data_stream": { - "dataset": "juniper_netscreen.log", - "namespace": "ep", - "type": "logs" - }, - "ecs": { - "version": "8.3.0" - }, - "elastic_agent": { - "id": "4e3f135a-d5f9-40b6-ae01-2c834ecbead0", - "snapshot": true, - "version": "8.0.0" - }, - "event": { - "agent_id_status": "verified", - "code": "00628", - "dataset": "juniper_netscreen.log", - "ingested": "2022-01-25T12:47:59Z", - "timezone": "+00:00" - }, - "input": { - "type": "udp" - }, - "log": { - "level": "low", - "source": { - "address": "172.30.0.4:59406" - } - }, - "observer": { - "product": "Netscreen", - "type": "Firewall", - "vendor": "Juniper" - }, - "rsa": { - "internal": { - "messageid": "00628" - }, - "misc": { - "hardware_id": "olab", - "severity": "low" - }, - "time": { - "event_time": "2016-01-29T06:09:59.000Z" - } - }, - "tags": [ - "juniper-netscreen", - "forwarded" - ] -} -``` - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. | date | -| client.domain | The domain name of the client system. 
This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | -| client.registered_domain | The highest registered client domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | -| client.subdomain | The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword | -| client.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. 
| keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| destination.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| destination.as.organization.name | Organization name. | keyword | -| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. | match_only_text | -| destination.bytes | Bytes sent from the destination to the source. | long | -| destination.domain | The domain name of the destination system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | -| destination.geo.city_name | City name. | keyword | -| destination.geo.country_name | Country name. | keyword | -| destination.geo.location | Longitude and latitude. 
| geo_point | -| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | -| destination.mac | MAC address of the destination. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | -| destination.nat.ip | Translated ip of destination based NAT sessions (e.g. internet to private DMZ) Typically used with load balancers, firewalls, or routers. | ip | -| destination.nat.port | Port the source session is translated to by NAT Device. Typically used with load balancers, firewalls, or routers. | long | -| destination.port | Port of the destination. | long | -| destination.registered_domain | The highest registered destination domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | -| destination.subdomain | The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword | -| destination.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". 
This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | -| dns.answers.name | The domain name to which this resource record pertains. If a chain of CNAME is being resolved, each answer's `name` should be the one that corresponds with the answer's `data`. It should not simply be the original `question.name` repeated. | keyword | -| dns.answers.type | The type of data contained in this resource record. | keyword | -| dns.question.domain | Server domain. | keyword | -| dns.question.registered_domain | The highest registered domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | -| dns.question.subdomain | The subdomain is all of the labels under the registered_domain. If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword | -| dns.question.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | -| dns.question.type | The type of record being queried. | keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. 
When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| error.message | Error message. | match_only_text | -| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword | -| event.code | Identification code for this event, if one exists. Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. | keyword | -| event.dataset | Event dataset | constant_keyword | -| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | -| event.module | Event module | constant_keyword | -| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | -| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. 
`event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | -| event.timezone | This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). | keyword | -| file.attributes | Array of file attributes. Attributes names will vary by platform. Here's a non-exhaustive list of values that are expected in this field: archive, compressed, directory, encrypted, execute, hidden, read, readonly, system, write. | keyword | -| file.directory | Directory where the file is located. It should include the drive letter, when appropriate. | keyword | -| file.extension | File extension, excluding the leading dot. Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword | -| file.name | Name of the file including the extension, without the directory. | keyword | -| file.path | Full path to the file, including the file name. It should include the drive letter, when appropriate. | keyword | -| file.path.text | Multi-field of `file.path`. 
| match_only_text | -| file.size | File size in bytes. Only relevant when `file.type` is "file". | long | -| file.type | File type (file, dir, or symlink). | keyword | -| geo.city_name | City name. | keyword | -| geo.country_name | Country name. | keyword | -| geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | -| geo.region_name | Region name. | keyword | -| group.id | Unique identifier for the group on the system/platform. | keyword | -| group.name | Name of the group. | keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host MAC addresses. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. 
| keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| http.request.method | HTTP request method. The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field. | keyword | -| http.request.referrer | Referrer for this HTTP request. | keyword | -| input.type | Type of Filebeat input. | keyword | -| log.file.path | Full path to the log file this event came from. | keyword | -| log.flags | Flags for the log file. | keyword | -| log.level | Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). Some examples are `warn`, `err`, `i`, `informational`. | keyword | -| log.offset | Offset of the entry in the log file. | long | -| log.source.address | Source address from which the log event was read / sent from. | keyword | -| log.syslog.facility.code | The Syslog numeric facility of the log event, if available. According to RFCs 5424 and 3164, this value should be an integer between 0 and 23. | long | -| log.syslog.priority | Syslog numeric priority of the event, if available. According to RFCs 5424 and 3164, the priority is 8 \* facility + severity. 
This number is therefore expected to contain a value between 0 and 191. | long | -| log.syslog.severity.code | The Syslog numeric severity of the log event, if available. If the event source publishing via Syslog provides a different numeric severity value (e.g. firewall, IDS), your source's numeric severity should go to `event.severity`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `event.severity`. | long | -| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | -| network.application | When a specific application or service is identified from network connection details (source/dest IPs, ports, certificates, or wire format), this field captures the application's or service's name. For example, the original event identifies the network connection being from a specific web service in a `https` network connection, like `facebook` or `twitter`. The field value must be normalized to lowercase for querying. | keyword | -| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long | -| network.direction | Direction of the network traffic. When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. 
Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword | -| network.forwarded_ip | Host IP address when the source IP address is the proxy. | ip | -| network.interface.name | | keyword | -| network.packets | Total packets transferred in both directions. If `source.packets` and `destination.packets` are known, `network.packets` is their sum. | long | -| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword | -| observer.egress.interface.name | Interface name as reported by the system. | keyword | -| observer.ingress.interface.name | Interface name as reported by the system. | keyword | -| observer.product | The product name of the observer. | keyword | -| observer.type | The type of the observer the data is coming from. There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. | keyword | -| observer.vendor | Vendor name of the observer. | keyword | -| observer.version | Observer version. | keyword | -| process.name | Process name. Sometimes called program name or similar. | keyword | -| process.name.text | Multi-field of `process.name`. | match_only_text | -| process.parent.name | Process name. Sometimes called program name or similar. | keyword | -| process.parent.name.text | Multi-field of `process.parent.name`. | match_only_text | -| process.parent.pid | Process id. | long | -| process.parent.title | Process title. The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. | keyword | -| process.parent.title.text | Multi-field of `process.parent.title`. | match_only_text | -| process.pid | Process id. 
| long | -| process.title | Process title. The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. | keyword | -| process.title.text | Multi-field of `process.title`. | match_only_text | -| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| related.user | All the user names or other user identifiers seen on the event. | keyword | -| rsa.counters.dclass_c1 | This is a generic counter key that should be used with the label dclass.c1.str only | long | -| rsa.counters.dclass_c1_str | This is a generic counter string key that should be used with the label dclass.c1 only | keyword | -| rsa.counters.dclass_c2 | This is a generic counter key that should be used with the label dclass.c2.str only | long | -| rsa.counters.dclass_c2_str | This is a generic counter string key that should be used with the label dclass.c2 only | keyword | -| rsa.counters.dclass_c3 | This is a generic counter key that should be used with the label dclass.c3.str only | long | -| rsa.counters.dclass_c3_str | This is a generic counter string key that should be used with the label dclass.c3 only | keyword | -| rsa.counters.dclass_r1 | This is a generic ratio key that should be used with the label dclass.r1.str only | keyword | -| rsa.counters.dclass_r1_str | This is a generic ratio string key that should be used with the label dclass.r1 only | keyword | -| rsa.counters.dclass_r2 | This is a generic ratio key that should be used with the label dclass.r2.str only | keyword | -| rsa.counters.dclass_r2_str | This is a generic ratio string key that should be used with the label dclass.r2 only | keyword | -| rsa.counters.dclass_r3 | This is a generic ratio key that should be used with the label dclass.r3.str only | keyword | -| 
rsa.counters.dclass_r3_str | This is a generic ratio string key that should be used with the label dclass.r3 only | keyword | -| rsa.counters.event_counter | This is used to capture the number of times an event repeated | long | -| rsa.crypto.cert_ca | This key is used to capture the Certificate signing authority only | keyword | -| rsa.crypto.cert_checksum | | keyword | -| rsa.crypto.cert_common | This key is used to capture the Certificate common name only | keyword | -| rsa.crypto.cert_error | This key captures the Certificate Error String | keyword | -| rsa.crypto.cert_host_cat | This key is used for the hostname category value of a certificate | keyword | -| rsa.crypto.cert_host_name | Deprecated key defined only in table map. | keyword | -| rsa.crypto.cert_issuer | | keyword | -| rsa.crypto.cert_keysize | | keyword | -| rsa.crypto.cert_serial | This key is used to capture the Certificate serial number only | keyword | -| rsa.crypto.cert_status | This key captures Certificate validation status | keyword | -| rsa.crypto.cert_subject | This key is used to capture the Certificate organization only | keyword | -| rsa.crypto.cert_username | | keyword | -| rsa.crypto.cipher_dst | This key is for Destination (Server) Cipher | keyword | -| rsa.crypto.cipher_size_dst | This key captures Destination (Server) Cipher Size | long | -| rsa.crypto.cipher_size_src | This key captures Source (Client) Cipher Size | long | -| rsa.crypto.cipher_src | This key is for Source (Client) Cipher | keyword | -| rsa.crypto.crypto | This key is used to capture the Encryption Type or Encryption Key only | keyword | -| rsa.crypto.d_certauth | | keyword | -| rsa.crypto.https_insact | | keyword | -| rsa.crypto.https_valid | | keyword | -| rsa.crypto.ike | IKE negotiation phase. 
| keyword | -| rsa.crypto.ike_cookie1 | ID of the negotiation — sent for ISAKMP Phase One | keyword | -| rsa.crypto.ike_cookie2 | ID of the negotiation — sent for ISAKMP Phase Two | keyword | -| rsa.crypto.peer | This key is for Encryption peer's IP Address | keyword | -| rsa.crypto.peer_id | This key is for Encryption peer’s identity | keyword | -| rsa.crypto.s_certauth | | keyword | -| rsa.crypto.scheme | This key captures the Encryption scheme used | keyword | -| rsa.crypto.sig_type | This key captures the Signature Type | keyword | -| rsa.crypto.ssl_ver_dst | Deprecated, use version | keyword | -| rsa.crypto.ssl_ver_src | Deprecated, use version | keyword | -| rsa.db.database | This key is used to capture the name of a database or an instance as seen in a session | keyword | -| rsa.db.db_id | This key is used to capture the unique identifier for a database | keyword | -| rsa.db.db_pid | This key captures the process id of a connection with database server | long | -| rsa.db.index | This key captures IndexID of the index. | keyword | -| rsa.db.instance | This key is used to capture the database server instance name | keyword | -| rsa.db.lread | This key is used for the number of logical reads | long | -| rsa.db.lwrite | This key is used for the number of logical writes | long | -| rsa.db.permissions | This key captures permission or privilege level assigned to a resource. 
| keyword | -| rsa.db.pread | This key is used for the number of physical writes | long | -| rsa.db.table_name | This key is used to capture the table name | keyword | -| rsa.db.transact_id | This key captures the SQL transantion ID of the current session | keyword | -| rsa.email.email | This key is used to capture a generic email address where the source or destination context is not clear | keyword | -| rsa.email.email_dst | This key is used to capture the Destination email address only, when the destination context is not clear use email | keyword | -| rsa.email.email_src | This key is used to capture the source email address only, when the source context is not clear use email | keyword | -| rsa.email.subject | This key is used to capture the subject string from an Email only. | keyword | -| rsa.email.trans_from | Deprecated key defined only in table map. | keyword | -| rsa.email.trans_to | Deprecated key defined only in table map. | keyword | -| rsa.endpoint.host_state | This key is used to capture the current state of the machine, such as \blacklisted\, \infected\, \firewall disabled\ and so on | keyword | -| rsa.endpoint.registry_key | This key captures the path to the registry key | keyword | -| rsa.endpoint.registry_value | This key captures values or decorators used within a registry entry | keyword | -| rsa.file.attachment | This key captures the attachment file name | keyword | -| rsa.file.binary | Deprecated key defined only in table map. 
| keyword | -| rsa.file.directory_dst | \This key is used to capture the directory of the target process or file\ | keyword | -| rsa.file.directory_src | This key is used to capture the directory of the source process or file | keyword | -| rsa.file.file_entropy | This is used to capture entropy vale of a file | double | -| rsa.file.file_vendor | This is used to capture Company name of file located in version_info | keyword | -| rsa.file.filename_dst | This is used to capture name of the file targeted by the action | keyword | -| rsa.file.filename_src | This is used to capture name of the parent filename, the file which performed the action | keyword | -| rsa.file.filename_tmp | | keyword | -| rsa.file.filesystem | | keyword | -| rsa.file.privilege | Deprecated, use permissions | keyword | -| rsa.file.task_name | This is used to capture name of the task | keyword | -| rsa.healthcare.patient_fname | This key is for First Names only, this is used for Healthcare predominantly to capture Patients information | keyword | -| rsa.healthcare.patient_id | This key captures the unique ID for a patient | keyword | -| rsa.healthcare.patient_lname | This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information | keyword | -| rsa.healthcare.patient_mname | This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information | keyword | -| rsa.identity.accesses | This key is used to capture actual privileges used in accessing an object | keyword | -| rsa.identity.auth_method | This key is used to capture authentication methods used only | keyword | -| rsa.identity.dn | X.500 (LDAP) Distinguished Name | keyword | -| rsa.identity.dn_dst | An X.500 (LDAP) Distinguished name that used in a context that indicates a Destination dn | keyword | -| rsa.identity.dn_src | An X.500 (LDAP) Distinguished name that is used in a context that indicates a Source dn | keyword | -| rsa.identity.federated_idp | This 
key is the federated Identity Provider. This is the server providing the authentication. | keyword | -| rsa.identity.federated_sp | This key is the Federated Service Provider. This is the application requesting authentication. | keyword | -| rsa.identity.firstname | This key is for First Names only, this is used for Healthcare predominantly to capture Patients information | keyword | -| rsa.identity.host_role | This key should only be used to capture the role of a Host Machine | keyword | -| rsa.identity.lastname | This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information | keyword | -| rsa.identity.ldap | This key is for Uninterpreted LDAP values. Ldap Values that don’t have a clear query or response context | keyword | -| rsa.identity.ldap_query | This key is the Search criteria from an LDAP search | keyword | -| rsa.identity.ldap_response | This key is to capture Results from an LDAP search | keyword | -| rsa.identity.logon_type | This key is used to capture the type of logon method used. | keyword | -| rsa.identity.logon_type_desc | This key is used to capture the textual description of an integer logon type as stored in the meta key 'logon.type'. 
| keyword | -| rsa.identity.middlename | This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information | keyword | -| rsa.identity.org | This key captures the User organization | keyword | -| rsa.identity.owner | This is used to capture username the process or service is running as, the author of the task | keyword | -| rsa.identity.password | This key is for Passwords seen in any session, plain text or encrypted | keyword | -| rsa.identity.profile | This key is used to capture the user profile | keyword | -| rsa.identity.realm | Radius realm or similar grouping of accounts | keyword | -| rsa.identity.service_account | This key is a windows specific key, used for capturing name of the account a service (referenced in the event) is running under. Legacy Usage | keyword | -| rsa.identity.user_dept | User's Department Names only | keyword | -| rsa.identity.user_role | This key is used to capture the Role of a user only | keyword | -| rsa.identity.user_sid_dst | This key captures Destination User Session ID | keyword | -| rsa.identity.user_sid_src | This key captures Source User Session ID | keyword | -| rsa.internal.audit_class | Deprecated key defined only in table map. | keyword | -| rsa.internal.cid | This is the unique identifier used to identify a NetWitness Concentrator. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | -| rsa.internal.data | Deprecated key defined only in table map. | keyword | -| rsa.internal.dead | Deprecated key defined only in table map. | long | -| rsa.internal.device_class | This is the Classification of the Log Event Source under a predefined fixed set of Event Source Classifications. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | -| rsa.internal.device_group | This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | -| rsa.internal.device_host | This is the Hostname of the log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | -| rsa.internal.device_ip | This is the IPv4 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | ip | -| rsa.internal.device_ipv6 | This is the IPv6 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | ip | -| rsa.internal.device_type | This is the name of the log parser which parsed a given session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | -| rsa.internal.device_type_id | Deprecated key defined only in table map. | long | -| rsa.internal.did | This is the unique identifier used to identify a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | -| rsa.internal.entropy_req | This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration | long | -| rsa.internal.entropy_res | This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration | long | -| rsa.internal.entry | Deprecated key defined only in table map. 
| keyword | -| rsa.internal.event_desc | | keyword | -| rsa.internal.event_name | Deprecated key defined only in table map. | keyword | -| rsa.internal.feed_category | This is used to capture the category of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | -| rsa.internal.feed_desc | This is used to capture the description of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | -| rsa.internal.feed_name | This is used to capture the name of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | -| rsa.internal.forward_ip | This key should be used to capture the IPV4 address of a relay system which forwarded the events from the original system to NetWitness. | ip | -| rsa.internal.forward_ipv6 | This key is used to capture the IPV6 address of a relay system which forwarded the events from the original system to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | ip | -| rsa.internal.hcode | Deprecated key defined only in table map. | keyword | -| rsa.internal.header_id | This is the Header ID value that identifies the exact log parser header definition that parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | -| rsa.internal.inode | Deprecated key defined only in table map. | long | -| rsa.internal.lc_cid | This is a unique Identifier of a Log Collector. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | -| rsa.internal.lc_ctime | This is the time at which a log is collected in a NetWitness Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | date | -| rsa.internal.level | Deprecated key defined only in table map. | long | -| rsa.internal.mcb_req | This key is only used by the Entropy Parser, the most common byte request is simply which byte for each side (0 thru 255) was seen the most | long | -| rsa.internal.mcb_res | This key is only used by the Entropy Parser, the most common byte response is simply which byte for each side (0 thru 255) was seen the most | long | -| rsa.internal.mcbc_req | This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams | long | -| rsa.internal.mcbc_res | This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams | long | -| rsa.internal.medium | This key is used to identify if it’s a log/packet session or Layer 2 Encapsulation Type. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. 32 = log, 33 = correlation session, < 32 is packet session | long | -| rsa.internal.message | This key captures the contents of instant messages | keyword | -| rsa.internal.messageid | | keyword | -| rsa.internal.msg | This key is used to capture the raw message that comes into the Log Decoder | keyword | -| rsa.internal.msg_id | This is the Message ID1 value that identifies the exact log parser definition which parses a particular log session. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | -| rsa.internal.msg_vid | This is the Message ID2 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | -| rsa.internal.node_name | Deprecated key defined only in table map. | keyword | -| rsa.internal.nwe_callback_id | This key denotes that event is endpoint related | keyword | -| rsa.internal.obj_id | Deprecated key defined only in table map. | keyword | -| rsa.internal.obj_server | Deprecated key defined only in table map. | keyword | -| rsa.internal.obj_val | Deprecated key defined only in table map. | keyword | -| rsa.internal.parse_error | This is a special key that stores any Meta key validation error found while parsing a log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | -| rsa.internal.payload_req | This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep | long | -| rsa.internal.payload_res | This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep | long | -| rsa.internal.process_vid_dst | Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the target process. | keyword | -| rsa.internal.process_vid_src | Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the source process. | keyword | -| rsa.internal.resource | Deprecated key defined only in table map. 
| keyword | -| rsa.internal.resource_class | Deprecated key defined only in table map. | keyword | -| rsa.internal.rid | This is a special ID of the Remote Session created by NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | long | -| rsa.internal.session_split | This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | -| rsa.internal.site | Deprecated key defined only in table map. | keyword | -| rsa.internal.size | This is the size of the session as seen by the NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | long | -| rsa.internal.sourcefile | This is the name of the log file or PCAPs that can be imported into NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | -| rsa.internal.statement | Deprecated key defined only in table map. | keyword | -| rsa.internal.time | This is the time at which a session hits a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. | date | -| rsa.internal.ubc_req | This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once | long | -| rsa.internal.ubc_res | This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 
256 would mean all byte values of 0 thru 255 were seen at least once | long | -| rsa.internal.word | This is used by the Word Parsing technology to capture the first 5 character of every word in an unparsed log | keyword | -| rsa.investigations.analysis_file | This is used to capture all indicators used in a File Analysis. This key should be used to capture an analysis of a file | keyword | -| rsa.investigations.analysis_service | This is used to capture all indicators used in a Service Analysis. This key should be used to capture an analysis of a service | keyword | -| rsa.investigations.analysis_session | This is used to capture all indicators used for a Session Analysis. This key should be used to capture an analysis of a session | keyword | -| rsa.investigations.boc | This is used to capture behaviour of compromise | keyword | -| rsa.investigations.ec_activity | This key captures the particular event activity(Ex:Logoff) | keyword | -| rsa.investigations.ec_outcome | This key captures the outcome of a particular Event(Ex:Success) | keyword | -| rsa.investigations.ec_subject | This key captures the Subject of a particular Event(Ex:User) | keyword | -| rsa.investigations.ec_theme | This key captures the Theme of a particular Event(Ex:Authentication) | keyword | -| rsa.investigations.eoc | This is used to capture Enablers of Compromise | keyword | -| rsa.investigations.event_cat | This key captures the Event category number | long | -| rsa.investigations.event_cat_name | This key captures the event category name corresponding to the event cat code | keyword | -| rsa.investigations.event_vcat | This is a vendor supplied category. This should be used in situations where the vendor has adopted their own event_category taxonomy. 
| keyword | -| rsa.investigations.inv_category | This used to capture investigation category | keyword | -| rsa.investigations.inv_context | This used to capture investigation context | keyword | -| rsa.investigations.ioc | This is key capture indicator of compromise | keyword | -| rsa.misc.OS | This key captures the Name of the Operating System | keyword | -| rsa.misc.acl_id | | keyword | -| rsa.misc.acl_op | | keyword | -| rsa.misc.acl_pos | | keyword | -| rsa.misc.acl_table | | keyword | -| rsa.misc.action | | keyword | -| rsa.misc.admin | | keyword | -| rsa.misc.agent_id | This key is used to capture agent id | keyword | -| rsa.misc.alarm_id | | keyword | -| rsa.misc.alarmname | | keyword | -| rsa.misc.alert_id | Deprecated, New Hunting Model (inv.\*, ioc, boc, eoc, analysis.\*) | keyword | -| rsa.misc.app_id | | keyword | -| rsa.misc.audit | | keyword | -| rsa.misc.audit_object | | keyword | -| rsa.misc.auditdata | | keyword | -| rsa.misc.autorun_type | This is used to capture Auto Run type | keyword | -| rsa.misc.benchmark | | keyword | -| rsa.misc.bypass | | keyword | -| rsa.misc.cache | | keyword | -| rsa.misc.cache_hit | | keyword | -| rsa.misc.category | This key is used to capture the category of an event given by the vendor in the session | keyword | -| rsa.misc.cc_number | Valid Credit Card Numbers only | long | -| rsa.misc.cefversion | | keyword | -| rsa.misc.cfg_attr | | keyword | -| rsa.misc.cfg_obj | | keyword | -| rsa.misc.cfg_path | | keyword | -| rsa.misc.change_attrib | This key is used to capture the name of the attribute that’s changing in a session | keyword | -| rsa.misc.change_new | This key is used to capture the new values of the attribute that’s changing in a session | keyword | -| rsa.misc.change_old | This key is used to capture the old value of the attribute that’s changing in a session | keyword | -| rsa.misc.changes | | keyword | -| rsa.misc.checksum | This key is used to capture the checksum or hash of the entity such as a file or 
process. Checksum should be used over checksum.src or checksum.dst when it is unclear whether the entity is a source or target of an action. | keyword | -| rsa.misc.checksum_dst | This key is used to capture the checksum or hash of the the target entity such as a process or file. | keyword | -| rsa.misc.checksum_src | This key is used to capture the checksum or hash of the source entity such as a file or process. | keyword | -| rsa.misc.client | This key is used to capture only the name of the client application requesting resources of the server. See the user.agent meta key for capture of the specific user agent identifier or browser identification string. | keyword | -| rsa.misc.client_ip | | keyword | -| rsa.misc.clustermembers | | keyword | -| rsa.misc.cmd | | keyword | -| rsa.misc.cn_acttimeout | | keyword | -| rsa.misc.cn_asn_src | | keyword | -| rsa.misc.cn_bgpv4nxthop | | keyword | -| rsa.misc.cn_ctr_dst_code | | keyword | -| rsa.misc.cn_dst_tos | | keyword | -| rsa.misc.cn_dst_vlan | | keyword | -| rsa.misc.cn_engine_id | | keyword | -| rsa.misc.cn_engine_type | | keyword | -| rsa.misc.cn_f_switch | | keyword | -| rsa.misc.cn_flowsampid | | keyword | -| rsa.misc.cn_flowsampintv | | keyword | -| rsa.misc.cn_flowsampmode | | keyword | -| rsa.misc.cn_inacttimeout | | keyword | -| rsa.misc.cn_inpermbyts | | keyword | -| rsa.misc.cn_inpermpckts | | keyword | -| rsa.misc.cn_invalid | | keyword | -| rsa.misc.cn_ip_proto_ver | | keyword | -| rsa.misc.cn_ipv4_ident | | keyword | -| rsa.misc.cn_l_switch | | keyword | -| rsa.misc.cn_log_did | | keyword | -| rsa.misc.cn_log_rid | | keyword | -| rsa.misc.cn_max_ttl | | keyword | -| rsa.misc.cn_maxpcktlen | | keyword | -| rsa.misc.cn_min_ttl | | keyword | -| rsa.misc.cn_minpcktlen | | keyword | -| rsa.misc.cn_mpls_lbl_1 | | keyword | -| rsa.misc.cn_mpls_lbl_10 | | keyword | -| rsa.misc.cn_mpls_lbl_2 | | keyword | -| rsa.misc.cn_mpls_lbl_3 | | keyword | -| rsa.misc.cn_mpls_lbl_4 | | keyword | -| rsa.misc.cn_mpls_lbl_5 | 
| keyword | -| rsa.misc.cn_mpls_lbl_6 | | keyword | -| rsa.misc.cn_mpls_lbl_7 | | keyword | -| rsa.misc.cn_mpls_lbl_8 | | keyword | -| rsa.misc.cn_mpls_lbl_9 | | keyword | -| rsa.misc.cn_mplstoplabel | | keyword | -| rsa.misc.cn_mplstoplabip | | keyword | -| rsa.misc.cn_mul_dst_byt | | keyword | -| rsa.misc.cn_mul_dst_pks | | keyword | -| rsa.misc.cn_muligmptype | | keyword | -| rsa.misc.cn_sampalgo | | keyword | -| rsa.misc.cn_sampint | | keyword | -| rsa.misc.cn_seqctr | | keyword | -| rsa.misc.cn_spackets | | keyword | -| rsa.misc.cn_src_tos | | keyword | -| rsa.misc.cn_src_vlan | | keyword | -| rsa.misc.cn_sysuptime | | keyword | -| rsa.misc.cn_template_id | | keyword | -| rsa.misc.cn_totbytsexp | | keyword | -| rsa.misc.cn_totflowexp | | keyword | -| rsa.misc.cn_totpcktsexp | | keyword | -| rsa.misc.cn_unixnanosecs | | keyword | -| rsa.misc.cn_v6flowlabel | | keyword | -| rsa.misc.cn_v6optheaders | | keyword | -| rsa.misc.code | | keyword | -| rsa.misc.command | | keyword | -| rsa.misc.comments | Comment information provided in the log message | keyword | -| rsa.misc.comp_class | | keyword | -| rsa.misc.comp_name | | keyword | -| rsa.misc.comp_rbytes | | keyword | -| rsa.misc.comp_sbytes | | keyword | -| rsa.misc.comp_version | This key captures the Version level of a sub-component of a product. | keyword | -| rsa.misc.connection_id | This key captures the Connection ID | keyword | -| rsa.misc.content | This key captures the content type from protocol headers | keyword | -| rsa.misc.content_type | This key is used to capture Content Type only. | keyword | -| rsa.misc.content_version | This key captures Version level of a signature or database content. | keyword | -| rsa.misc.context | This key captures Information which adds additional context to the event. 
| keyword | -| rsa.misc.context_subject | This key is to be used in an audit context where the subject is the object being identified | keyword | -| rsa.misc.context_target | | keyword | -| rsa.misc.count | | keyword | -| rsa.misc.cpu | This key is the CPU time used in the execution of the event being recorded. | long | -| rsa.misc.cpu_data | | keyword | -| rsa.misc.criticality | | keyword | -| rsa.misc.cs_agency_dst | | keyword | -| rsa.misc.cs_analyzedby | | keyword | -| rsa.misc.cs_av_other | | keyword | -| rsa.misc.cs_av_primary | | keyword | -| rsa.misc.cs_av_secondary | | keyword | -| rsa.misc.cs_bgpv6nxthop | | keyword | -| rsa.misc.cs_bit9status | | keyword | -| rsa.misc.cs_context | | keyword | -| rsa.misc.cs_control | | keyword | -| rsa.misc.cs_data | | keyword | -| rsa.misc.cs_datecret | | keyword | -| rsa.misc.cs_dst_tld | | keyword | -| rsa.misc.cs_eth_dst_ven | | keyword | -| rsa.misc.cs_eth_src_ven | | keyword | -| rsa.misc.cs_event_uuid | | keyword | -| rsa.misc.cs_filetype | | keyword | -| rsa.misc.cs_fld | | keyword | -| rsa.misc.cs_if_desc | | keyword | -| rsa.misc.cs_if_name | | keyword | -| rsa.misc.cs_ip_next_hop | | keyword | -| rsa.misc.cs_ipv4dstpre | | keyword | -| rsa.misc.cs_ipv4srcpre | | keyword | -| rsa.misc.cs_lifetime | | keyword | -| rsa.misc.cs_log_medium | | keyword | -| rsa.misc.cs_loginname | | keyword | -| rsa.misc.cs_modulescore | | keyword | -| rsa.misc.cs_modulesign | | keyword | -| rsa.misc.cs_opswatresult | | keyword | -| rsa.misc.cs_payload | | keyword | -| rsa.misc.cs_registrant | | keyword | -| rsa.misc.cs_registrar | | keyword | -| rsa.misc.cs_represult | | keyword | -| rsa.misc.cs_rpayload | | keyword | -| rsa.misc.cs_sampler_name | | keyword | -| rsa.misc.cs_sourcemodule | | keyword | -| rsa.misc.cs_streams | | keyword | -| rsa.misc.cs_targetmodule | | keyword | -| rsa.misc.cs_v6nxthop | | keyword | -| rsa.misc.cs_whois_server | | keyword | -| rsa.misc.cs_yararesult | | keyword | -| rsa.misc.cve | This key captures 
CVE (Common Vulnerabilities and Exposures) - an identifier for known information security vulnerabilities. | keyword | -| rsa.misc.data_type | | keyword | -| rsa.misc.description | | keyword | -| rsa.misc.device_name | This is used to capture name of the Device associated with the node Like: a physical disk, printer, etc | keyword | -| rsa.misc.devvendor | | keyword | -| rsa.misc.disposition | This key captures the The end state of an action. | keyword | -| rsa.misc.distance | | keyword | -| rsa.misc.doc_number | This key captures File Identification number | long | -| rsa.misc.dstburb | | keyword | -| rsa.misc.edomain | | keyword | -| rsa.misc.edomaub | | keyword | -| rsa.misc.ein_number | Employee Identification Numbers only | long | -| rsa.misc.error | This key captures All non successful Error codes or responses | keyword | -| rsa.misc.euid | | keyword | -| rsa.misc.event_category | | keyword | -| rsa.misc.event_computer | This key is a windows only concept, where this key is used to capture fully qualified domain name in a windows log. | keyword | -| rsa.misc.event_desc | This key is used to capture a description of an event available directly or inferred | keyword | -| rsa.misc.event_id | | keyword | -| rsa.misc.event_log | This key captures the Name of the event log | keyword | -| rsa.misc.event_source | This key captures Source of the event that’s not a hostname | keyword | -| rsa.misc.event_state | This key captures the current state of the object/item referenced within the event. Describing an on-going event. | keyword | -| rsa.misc.event_type | This key captures the event category type as specified by the event source. | keyword | -| rsa.misc.event_user | This key is a windows only concept, where this key is used to capture combination of domain name and username in a windows log. | keyword | -| rsa.misc.expected_val | This key captures the Value expected (from the perspective of the device generating the log). 
| keyword | -| rsa.misc.facility | | keyword | -| rsa.misc.facilityname | | keyword | -| rsa.misc.fcatnum | This key captures Filter Category Number. Legacy Usage | keyword | -| rsa.misc.filter | This key captures Filter used to reduce result set | keyword | -| rsa.misc.finterface | | keyword | -| rsa.misc.flags | | keyword | -| rsa.misc.forensic_info | | keyword | -| rsa.misc.found | This is used to capture the results of regex match | keyword | -| rsa.misc.fresult | This key captures the Filter Result | long | -| rsa.misc.gaddr | | keyword | -| rsa.misc.group | This key captures the Group Name value | keyword | -| rsa.misc.group_id | This key captures Group ID Number (related to the group name) | keyword | -| rsa.misc.group_object | This key captures a collection/grouping of entities. Specific usage | keyword | -| rsa.misc.hardware_id | This key is used to capture unique identifier for a device or system (NOT a Mac address) | keyword | -| rsa.misc.id3 | | keyword | -| rsa.misc.im_buddyid | | keyword | -| rsa.misc.im_buddyname | | keyword | -| rsa.misc.im_client | | keyword | -| rsa.misc.im_croomid | | keyword | -| rsa.misc.im_croomtype | | keyword | -| rsa.misc.im_members | | keyword | -| rsa.misc.im_userid | | keyword | -| rsa.misc.im_username | | keyword | -| rsa.misc.index | | keyword | -| rsa.misc.inout | | keyword | -| rsa.misc.ipkt | | keyword | -| rsa.misc.ipscat | | keyword | -| rsa.misc.ipspri | | keyword | -| rsa.misc.job_num | This key captures the Job Number | keyword | -| rsa.misc.jobname | | keyword | -| rsa.misc.language | This is used to capture list of languages the client support and what it prefers | keyword | -| rsa.misc.latitude | | keyword | -| rsa.misc.library | This key is used to capture library information in mainframe devices | keyword | -| rsa.misc.lifetime | This key is used to capture the session lifetime in seconds. | long | -| rsa.misc.linenum | | keyword | -| rsa.misc.link | This key is used to link the sessions together. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | -| rsa.misc.list_name | | keyword | -| rsa.misc.listnum | This key is used to capture listname or listnumber, primarily for collecting access-list | keyword | -| rsa.misc.load_data | | keyword | -| rsa.misc.location_floor | | keyword | -| rsa.misc.location_mark | | keyword | -| rsa.misc.log_id | | keyword | -| rsa.misc.log_session_id | This key is used to capture a sessionid from the session directly | keyword | -| rsa.misc.log_session_id1 | This key is used to capture a Linked (Related) Session ID from the session directly | keyword | -| rsa.misc.log_type | | keyword | -| rsa.misc.logid | | keyword | -| rsa.misc.logip | | keyword | -| rsa.misc.logname | | keyword | -| rsa.misc.longitude | | keyword | -| rsa.misc.lport | | keyword | -| rsa.misc.mail_id | This key is used to capture the mailbox id/name | keyword | -| rsa.misc.match | This key is for regex match name from search.ini | keyword | -| rsa.misc.mbug_data | | keyword | -| rsa.misc.message_body | This key captures the The contents of the message body. | keyword | -| rsa.misc.misc | | keyword | -| rsa.misc.misc_name | | keyword | -| rsa.misc.mode | | keyword | -| rsa.misc.msgIdPart1 | | keyword | -| rsa.misc.msgIdPart2 | | keyword | -| rsa.misc.msgIdPart3 | | keyword | -| rsa.misc.msgIdPart4 | | keyword | -| rsa.misc.msg_type | | keyword | -| rsa.misc.msgid | | keyword | -| rsa.misc.name | | keyword | -| rsa.misc.netsessid | | keyword | -| rsa.misc.node | Common use case is the node name within a cluster. The cluster name is reflected by the host name. 
| keyword | -| rsa.misc.ntype | | keyword | -| rsa.misc.num | | keyword | -| rsa.misc.number | | keyword | -| rsa.misc.number1 | | keyword | -| rsa.misc.number2 | | keyword | -| rsa.misc.nwwn | | keyword | -| rsa.misc.obj_name | This is used to capture name of object | keyword | -| rsa.misc.obj_type | This is used to capture type of object | keyword | -| rsa.misc.object | | keyword | -| rsa.misc.observed_val | This key captures the Value observed (from the perspective of the device generating the log). | keyword | -| rsa.misc.operation | | keyword | -| rsa.misc.operation_id | An alert number or operation number. The values should be unique and non-repeating. | keyword | -| rsa.misc.opkt | | keyword | -| rsa.misc.orig_from | | keyword | -| rsa.misc.owner_id | | keyword | -| rsa.misc.p_action | | keyword | -| rsa.misc.p_filter | | keyword | -| rsa.misc.p_group_object | | keyword | -| rsa.misc.p_id | | keyword | -| rsa.misc.p_msgid | | keyword | -| rsa.misc.p_msgid1 | | keyword | -| rsa.misc.p_msgid2 | | keyword | -| rsa.misc.p_result1 | | keyword | -| rsa.misc.param | This key is the parameters passed as part of a command or application, etc. | keyword | -| rsa.misc.param_dst | This key captures the command line/launch argument of the target process or file | keyword | -| rsa.misc.param_src | This key captures source parameter | keyword | -| rsa.misc.parent_node | This key captures the Parent Node Name. Must be related to node variable. 
| keyword | -| rsa.misc.password_chg | | keyword | -| rsa.misc.password_expire | | keyword | -| rsa.misc.payload_dst | This key is used to capture destination payload | keyword | -| rsa.misc.payload_src | This key is used to capture source payload | keyword | -| rsa.misc.permgranted | | keyword | -| rsa.misc.permwanted | | keyword | -| rsa.misc.pgid | | keyword | -| rsa.misc.phone | | keyword | -| rsa.misc.pid | | keyword | -| rsa.misc.policy | | keyword | -| rsa.misc.policyUUID | | keyword | -| rsa.misc.policy_id | This key is used to capture the Policy ID only, this should be a numeric value, use policy.name otherwise | keyword | -| rsa.misc.policy_name | This key is used to capture the Policy Name only. | keyword | -| rsa.misc.policy_value | This key captures the contents of the policy. This contains details about the policy | keyword | -| rsa.misc.policy_waiver | | keyword | -| rsa.misc.pool_id | This key captures the identifier (typically numeric field) of a resource pool | keyword | -| rsa.misc.pool_name | This key captures the name of a resource pool | keyword | -| rsa.misc.port_name | This key is used for Physical or logical port connection but does NOT include a network port. (Example: Printer port name). | keyword | -| rsa.misc.priority | | keyword | -| rsa.misc.process_id_val | This key is a failure key for Process ID when it is not an integer value | keyword | -| rsa.misc.prog_asp_num | | keyword | -| rsa.misc.program | | keyword | -| rsa.misc.real_data | | keyword | -| rsa.misc.reason | | keyword | -| rsa.misc.rec_asp_device | | keyword | -| rsa.misc.rec_asp_num | | keyword | -| rsa.misc.rec_library | | keyword | -| rsa.misc.recordnum | | keyword | -| rsa.misc.reference_id | This key is used to capture an event id from the session directly | keyword | -| rsa.misc.reference_id1 | This key is for Linked ID to be used as an addition to "reference.id" | keyword | -| rsa.misc.reference_id2 | This key is for the 2nd Linked ID. 
Can be either linked to "reference.id" or "reference.id1" value but should not be used unless the other two variables are in play. | keyword | -| rsa.misc.result | This key is used to capture the outcome/result string value of an action in a session. | keyword | -| rsa.misc.result_code | This key is used to capture the outcome/result numeric value of an action in a session | keyword | -| rsa.misc.risk | This key captures the non-numeric risk value | keyword | -| rsa.misc.risk_info | Deprecated, use New Hunting Model (inv.\*, ioc, boc, eoc, analysis.\*) | keyword | -| rsa.misc.risk_num | This key captures a Numeric Risk value | double | -| rsa.misc.risk_num_comm | This key captures Risk Number Community | double | -| rsa.misc.risk_num_next | This key captures Risk Number NextGen | double | -| rsa.misc.risk_num_sand | This key captures Risk Number SandBox | double | -| rsa.misc.risk_num_static | This key captures Risk Number Static | double | -| rsa.misc.risk_suspicious | Deprecated, use New Hunting Model (inv.\*, ioc, boc, eoc, analysis.\*) | keyword | -| rsa.misc.risk_warning | Deprecated, use New Hunting Model (inv.\*, ioc, boc, eoc, analysis.\*) | keyword | -| rsa.misc.ruid | | keyword | -| rsa.misc.rule | This key captures the Rule number | keyword | -| rsa.misc.rule_group | This key captures the Rule group name | keyword | -| rsa.misc.rule_name | This key captures the Rule Name | keyword | -| rsa.misc.rule_template | A default set of parameters which are overlayed onto a rule (or rulename) which efffectively constitutes a template | keyword | -| rsa.misc.rule_uid | This key is the Unique Identifier for a rule. | keyword | -| rsa.misc.sburb | | keyword | -| rsa.misc.sdomain_fld | | keyword | -| rsa.misc.search_text | This key captures the Search Text used | keyword | -| rsa.misc.sec | | keyword | -| rsa.misc.second | | keyword | -| rsa.misc.sensor | This key captures Name of the sensor. 
Typically used in IDS/IPS based devices | keyword | -| rsa.misc.sensorname | | keyword | -| rsa.misc.seqnum | | keyword | -| rsa.misc.serial_number | This key is the Serial number associated with a physical asset. | keyword | -| rsa.misc.session | | keyword | -| rsa.misc.sessiontype | | keyword | -| rsa.misc.severity | This key is used to capture the severity given the session | keyword | -| rsa.misc.sigUUID | | keyword | -| rsa.misc.sig_id | This key captures IDS/IPS Int Signature ID | long | -| rsa.misc.sig_id1 | This key captures IDS/IPS Int Signature ID. This must be linked to the sig.id | long | -| rsa.misc.sig_id_str | This key captures a string object of the sigid variable. | keyword | -| rsa.misc.sig_name | This key is used to capture the Signature Name only. | keyword | -| rsa.misc.sigcat | | keyword | -| rsa.misc.snmp_oid | SNMP Object Identifier | keyword | -| rsa.misc.snmp_value | SNMP set request value | keyword | -| rsa.misc.space | | keyword | -| rsa.misc.space1 | | keyword | -| rsa.misc.spi | | keyword | -| rsa.misc.spi_dst | Destination SPI Index | keyword | -| rsa.misc.spi_src | Source SPI Index | keyword | -| rsa.misc.sql | This key captures the SQL query | keyword | -| rsa.misc.srcburb | | keyword | -| rsa.misc.srcdom | | keyword | -| rsa.misc.srcservice | | keyword | -| rsa.misc.state | | keyword | -| rsa.misc.status | | keyword | -| rsa.misc.status1 | | keyword | -| rsa.misc.streams | This key captures number of streams in session | long | -| rsa.misc.subcategory | | keyword | -| rsa.misc.svcno | | keyword | -| rsa.misc.system | | keyword | -| rsa.misc.tbdstr1 | | keyword | -| rsa.misc.tbdstr2 | | keyword | -| rsa.misc.tcp_flags | This key is captures the TCP flags set in any packet of session | long | -| rsa.misc.terminal | This key captures the Terminal Names only | keyword | -| rsa.misc.tgtdom | | keyword | -| rsa.misc.tgtdomain | | keyword | -| rsa.misc.threshold | | keyword | -| rsa.misc.tos | This key describes the type of service | long 
| -| rsa.misc.trigger_desc | This key captures the Description of the trigger or threshold condition. | keyword | -| rsa.misc.trigger_val | This key captures the Value of the trigger or threshold condition. | keyword | -| rsa.misc.type | | keyword | -| rsa.misc.type1 | | keyword | -| rsa.misc.udb_class | | keyword | -| rsa.misc.url_fld | | keyword | -| rsa.misc.user_div | | keyword | -| rsa.misc.userid | | keyword | -| rsa.misc.username_fld | | keyword | -| rsa.misc.utcstamp | | keyword | -| rsa.misc.v_instafname | | keyword | -| rsa.misc.version | This key captures Version of the application or OS which is generating the event. | keyword | -| rsa.misc.virt_data | | keyword | -| rsa.misc.virusname | This key captures the name of the virus | keyword | -| rsa.misc.vm_target | VMWare Target \*\*VMWARE\*\* only varaible. | keyword | -| rsa.misc.vpnid | | keyword | -| rsa.misc.vsys | This key captures Virtual System Name | keyword | -| rsa.misc.vuln_ref | This key captures the Vulnerability Reference details | keyword | -| rsa.misc.workspace | This key captures Workspace Description | keyword | -| rsa.network.ad_computer_dst | Deprecated, use host.dst | keyword | -| rsa.network.addr | | keyword | -| rsa.network.alias_host | This key should be used when the source or destination context of a hostname is not clear.Also it captures the Device Hostname. Any Hostname that isnt ad.computer. 
| keyword | -| rsa.network.dinterface | This key should only be used when it’s a Destination Interface | keyword | -| rsa.network.dmask | This key is used for Destionation Device network mask | keyword | -| rsa.network.dns_a_record | | keyword | -| rsa.network.dns_cname_record | | keyword | -| rsa.network.dns_id | | keyword | -| rsa.network.dns_opcode | | keyword | -| rsa.network.dns_ptr_record | | keyword | -| rsa.network.dns_resp | | keyword | -| rsa.network.dns_type | | keyword | -| rsa.network.domain | | keyword | -| rsa.network.domain1 | | keyword | -| rsa.network.eth_host | Deprecated, use alias.mac | keyword | -| rsa.network.eth_type | This key is used to capture Ethernet Type, Used for Layer 3 Protocols Only | long | -| rsa.network.faddr | | keyword | -| rsa.network.fhost | | keyword | -| rsa.network.fport | | keyword | -| rsa.network.gateway | This key is used to capture the IP Address of the gateway | keyword | -| rsa.network.host_dst | This key should only be used when it’s a Destination Hostname | keyword | -| rsa.network.host_orig | This is used to capture the original hostname in case of a Forwarding Agent or a Proxy in between. | keyword | -| rsa.network.host_type | | keyword | -| rsa.network.icmp_code | This key is used to capture the ICMP code only | long | -| rsa.network.icmp_type | This key is used to capture the ICMP type only | long | -| rsa.network.interface | This key should be used when the source or destination context of an interface is not clear | keyword | -| rsa.network.ip_proto | This key should be used to capture the Protocol number, all the protocol nubers are converted into string in UI | long | -| rsa.network.laddr | | keyword | -| rsa.network.lhost | | keyword | -| rsa.network.linterface | | keyword | -| rsa.network.mask | This key is used to capture the device network IPmask. | keyword | -| rsa.network.netname | This key is used to capture the network name associated with an IP range. This is configured by the end user. 
| keyword | -| rsa.network.network_port | Deprecated, use port. NOTE: There is a type discrepancy as currently used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!) | long | -| rsa.network.network_service | This is used to capture layer 7 protocols/service names | keyword | -| rsa.network.origin | | keyword | -| rsa.network.packet_length | | keyword | -| rsa.network.paddr | Deprecated | ip | -| rsa.network.phost | | keyword | -| rsa.network.port | This key should only be used to capture a Network Port when the directionality is not clear | long | -| rsa.network.protocol_detail | This key should be used to capture additional protocol information | keyword | -| rsa.network.remote_domain_id | | keyword | -| rsa.network.rpayload | This key is used to capture the total number of payload bytes seen in the retransmitted packets. | keyword | -| rsa.network.sinterface | This key should only be used when it’s a Source Interface | keyword | -| rsa.network.smask | This key is used for capturing source Network Mask | keyword | -| rsa.network.vlan | This key should only be used to capture the ID of the Virtual LAN | long | -| rsa.network.vlan_name | This key should only be used to capture the name of the Virtual LAN | keyword | -| rsa.network.zone | This key should be used when the source or destination context of a Zone is not clear | keyword | -| rsa.network.zone_dst | This key should only be used when it’s a Destination Zone. | keyword | -| rsa.network.zone_src | This key should only be used when it’s a Source Zone. | keyword | -| rsa.physical.org_dst | This is used to capture the destination organization based on the GEOPIP Maxmind database. | keyword | -| rsa.physical.org_src | This is used to capture the source organization based on the GEOPIP Maxmind database. 
| keyword | -| rsa.storage.disk_volume | A unique name assigned to logical units (volumes) within a physical disk | keyword | -| rsa.storage.lun | Logical Unit Number.This key is a very useful concept in Storage. | keyword | -| rsa.storage.pwwn | This uniquely identifies a port on a HBA. | keyword | -| rsa.threat.alert | This key is used to capture name of the alert | keyword | -| rsa.threat.threat_category | This key captures Threat Name/Threat Category/Categorization of alert | keyword | -| rsa.threat.threat_desc | This key is used to capture the threat description from the session directly or inferred | keyword | -| rsa.threat.threat_source | This key is used to capture source of the threat | keyword | -| rsa.time.date | | keyword | -| rsa.time.datetime | | keyword | -| rsa.time.day | | keyword | -| rsa.time.duration_str | A text string version of the duration | keyword | -| rsa.time.duration_time | This key is used to capture the normalized duration/lifetime in seconds. | double | -| rsa.time.effective_time | This key is the effective time referenced by an individual event in a Standard Timestamp format | date | -| rsa.time.endtime | This key is used to capture the End time mentioned in a session in a standard form | date | -| rsa.time.event_queue_time | This key is the Time that the event was queued. | date | -| rsa.time.event_time | This key is used to capture the time mentioned in a raw session that represents the actual time an event occured in a standard normalized form | date | -| rsa.time.event_time_str | This key is used to capture the incomplete time mentioned in a session as a string | keyword | -| rsa.time.eventtime | | keyword | -| rsa.time.expire_time | This key is the timestamp that explicitly refers to an expiration. | date | -| rsa.time.expire_time_str | This key is used to capture incomplete timestamp that explicitly refers to an expiration. 
| keyword | -| rsa.time.gmtdate | | keyword | -| rsa.time.gmttime | | keyword | -| rsa.time.hour | | keyword | -| rsa.time.min | | keyword | -| rsa.time.month | | keyword | -| rsa.time.p_date | | keyword | -| rsa.time.p_month | | keyword | -| rsa.time.p_time | | keyword | -| rsa.time.p_time1 | | keyword | -| rsa.time.p_time2 | | keyword | -| rsa.time.p_year | | keyword | -| rsa.time.process_time | Deprecated, use duration.time | keyword | -| rsa.time.recorded_time | The event time as recorded by the system the event is collected from. The usage scenario is a multi-tier application where the management layer of the system records it's own timestamp at the time of collection from its child nodes. Must be in timestamp format. | date | -| rsa.time.stamp | Deprecated key defined only in table map. | date | -| rsa.time.starttime | This key is used to capture the Start time mentioned in a session in a standard form | date | -| rsa.time.timestamp | | keyword | -| rsa.time.timezone | This key is used to capture the timezone of the Event Time | keyword | -| rsa.time.tzone | | keyword | -| rsa.time.year | | keyword | -| rsa.web.alias_host | | keyword | -| rsa.web.cn_asn_dst | | keyword | -| rsa.web.cn_rpackets | | keyword | -| rsa.web.fqdn | Fully Qualified Domain Names | keyword | -| rsa.web.p_url | | keyword | -| rsa.web.p_user_agent | | keyword | -| rsa.web.p_web_cookie | | keyword | -| rsa.web.p_web_method | | keyword | -| rsa.web.p_web_referer | | keyword | -| rsa.web.remote_domain | | keyword | -| rsa.web.reputation_num | Reputation Number of an entity. Typically used for Web Domains | double | -| rsa.web.urlpage | | keyword | -| rsa.web.urlroot | | keyword | -| rsa.web.web_cookie | This key is used to capture the Web cookies specifically. 
| keyword | -| rsa.web.web_extension_tmp | | keyword | -| rsa.web.web_page | | keyword | -| rsa.web.web_ref_domain | Web referer's domain | keyword | -| rsa.web.web_ref_page | This key captures Web referer's page information | keyword | -| rsa.web.web_ref_query | This key captures Web referer's query portion of the URL | keyword | -| rsa.web.web_ref_root | Web referer's root URL path | keyword | -| rsa.wireless.access_point | This key is used to capture the access point name. | keyword | -| rsa.wireless.wlan_channel | This is used to capture the channel names | long | -| rsa.wireless.wlan_name | This key captures either WLAN number/name | keyword | -| rsa.wireless.wlan_ssid | This key is used to capture the ssid of a Wireless Session | keyword | -| rule.name | The name of the rule or signature generating the event. | keyword | -| server.domain | The domain name of the server system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | -| server.registered_domain | The highest registered server domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | -| server.subdomain | The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". 
If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword | -| server.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | -| service.name | Name of the service data is collected from. The name of the service is normally user given. This allows for distributed services that run on multiple hosts to correlate the related instances based on the name. In the case of Elasticsearch the `service.name` could contain the cluster name. For Beats the `service.name` is by default a copy of the `service.type` field if no name is specified. | keyword | -| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| source.as.organization.name | Organization name. | keyword | -| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text | -| source.bytes | Bytes sent from the source to the destination. | long | -| source.domain | The domain name of the source system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | -| source.geo.city_name | City name. 
| keyword | -| source.geo.country_name | Country name. | keyword | -| source.geo.location | Longitude and latitude. | geo_point | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| source.mac | MAC address of the source. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | -| source.nat.ip | Translated ip of source based NAT sessions (e.g. internal client to internet) Typically connections traversing load balancers, firewalls, or routers. | ip | -| source.nat.port | Translated port of source based NAT sessions. (e.g. internal client to internet) Typically used with load balancers, firewalls, or routers. | long | -| source.port | Port of the source. | long | -| source.registered_domain | The highest registered source domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | -| source.subdomain | The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword | -| source.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. 
For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | -| tags | List of keywords used to tag each event. | keyword | -| url.domain | Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. | keyword | -| url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | wildcard | -| url.original.text | Multi-field of `url.original`. | match_only_text | -| url.path | Path of the request, such as "/search". | wildcard | -| url.query | The query field describes the query string of the request, such as "q=elasticsearch". The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. | keyword | -| url.registered_domain | The highest registered url domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". 
| keyword | -| url.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | -| user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword | -| user.full_name | User's full name, if available. | keyword | -| user.full_name.text | Multi-field of `user.full_name`. | match_only_text | -| user.id | Unique identifier of the user. | keyword | -| user.name | Short name or login of the user. | keyword | -| user.name.text | Multi-field of `user.name`. | match_only_text | -| user_agent.original | Unparsed user_agent string. | keyword | -| user_agent.original.text | Multi-field of `user_agent.original`. | match_only_text | - diff --git a/packages/juniper_netscreen/0.4.1/img/logo.svg b/packages/juniper_netscreen/0.4.1/img/logo.svg deleted file mode 100755 index 8802414a5a..0000000000 --- a/packages/juniper_netscreen/0.4.1/img/logo.svg +++ /dev/null @@ -1,72 +0,0 @@ - -image/svg+xml \ No newline at end of file diff --git a/packages/juniper_netscreen/0.4.1/manifest.yml b/packages/juniper_netscreen/0.4.1/manifest.yml deleted file mode 100755 index 49ae6788b4..0000000000 --- a/packages/juniper_netscreen/0.4.1/manifest.yml +++ /dev/null 
@@ -1,32 +0,0 @@ -format_version: 1.0.0 -name: juniper_netscreen -title: Juniper NetScreen -version: "0.4.1" -description: Collect logs from Juniper NetScreen with Elastic Agent. -categories: ["network", "security"] -release: experimental -license: basic -type: integration -conditions: - kibana.version: "^8.0.0" -policy_templates: - - name: juniper - title: Juniper NetScreen logs - description: Collect Juniper NetScreen logs from syslog or a file. - inputs: - - type: udp - title: Collect logs from Juniper NetScreen via UDP - description: Collecting syslog from Juniper NetScreen via UDP. - - type: tcp - title: Collect logs from Juniper NetScreen via TCP - description: Collecting syslog from Juniper NetScreen via TCP. - - type: filestream - title: Collect logs from Juniper NetScreen via file - description: Collecting syslog from Juniper NetScreen via file. -icons: - - src: /img/logo.svg - title: Juniper logo - size: 32x32 - type: image/svg+xml -owner: - github: elastic/security-external-integrations diff --git a/packages/juniper_netscreen/0.4.2/LICENSE.txt b/packages/juniper_netscreen/0.4.2/LICENSE.txt deleted file mode 100755 index 809108b857..0000000000 --- a/packages/juniper_netscreen/0.4.2/LICENSE.txt +++ /dev/null 
@@ -1,93 +0,0 @@ -Elastic License 2.0 - -URL: https://www.elastic.co/licensing/elastic-license - -## Acceptance - -By using the software, you agree to all of the terms and conditions below. - -## Copyright License - -The licensor grants you a non-exclusive, royalty-free, worldwide, -non-sublicensable, non-transferable license to use, copy, distribute, make -available, and prepare derivative works of the software, in each case subject to -the limitations and conditions below. - -## Limitations - -You may not provide the software to third parties as a hosted or managed -service, where the service provides users with access to any substantial set of -the features or functionality of the software. - -You may not move, change, disable, or circumvent the license key functionality -in the software, and you may not remove or obscure any functionality in the -software that is protected by the license key. - -You may not alter, remove, or obscure any licensing, copyright, or other notices -of the licensor in the software. Any use of the licensor’s trademarks is subject -to applicable law. - -## Patents - -The licensor grants you a license, under any patent claims the licensor can -license, or becomes able to license, to make, have made, use, sell, offer for -sale, import and have imported the software, in each case subject to the -limitations and conditions in this license. This license does not cover any -patent claims that you cause to be infringed by modifications or additions to -the software. If you or your company make any written claim that the software -infringes or contributes to infringement of any patent, your patent license for -the software granted under these terms ends immediately. If your company makes -such a claim, your patent license ends immediately for work on behalf of your -company. - -## Notices - -You must ensure that anyone who gets a copy of any part of the software from you -also gets a copy of these terms. 
- -If you modify the software, you must include in any modified copies of the -software prominent notices stating that you have modified the software. - -## No Other Rights - -These terms do not imply any licenses other than those expressly granted in -these terms. - -## Termination - -If you use the software in violation of these terms, such use is not licensed, -and your licenses will automatically terminate. If the licensor provides you -with a notice of your violation, and you cease all violation of this license no -later than 30 days after you receive that notice, your licenses will be -reinstated retroactively. However, if you violate these terms after such -reinstatement, any additional violation of these terms will cause your licenses -to terminate automatically and permanently. - -## No Liability - -*As far as the law allows, the software comes as is, without any warranty or -condition, and the licensor will not be liable to you for any damages arising -out of these terms or the use or nature of the software, under any kind of -legal claim.* - -## Definitions - -The **licensor** is the entity offering these terms, and the **software** is the -software the licensor makes available under these terms, including any portion -of it. - -**you** refers to the individual or entity agreeing to these terms. - -**your company** is any legal entity, sole proprietorship, or other kind of -organization that you work for, plus all organizations that have control over, -are under the control of, or are under common control with that -organization. **control** means ownership of substantially all the assets of an -entity, or the power to direct its management and policies by vote, contract, or -otherwise. Control can be direct or indirect. - -**your licenses** are all the licenses granted to you for the software under -these terms. - -**use** means anything you do with the software requiring one of your licenses. 
- -**trademark** means trademarks, service marks, and similar rights. diff --git a/packages/juniper_netscreen/0.4.2/changelog.yml b/packages/juniper_netscreen/0.4.2/changelog.yml deleted file mode 100755 index 0f7c677efa..0000000000 --- a/packages/juniper_netscreen/0.4.2/changelog.yml +++ /dev/null 
@@ -1,54 +0,0 @@ -# newer versions go on top -- version: "0.4.2" - changes: - - description: Remove duplicate field. - type: bugfix - link: https://github.com/elastic/integrations/issues/4327 - - description: Fix rendering of MAC addresses. - type: bugfix - link: https://github.com/elastic/integrations/issues/4327 -- version: "0.4.1" - changes: - - description: Use ECS geo.location definition. - type: enhancement - link: https://github.com/elastic/integrations/issues/4227 -- version: "0.4.0" - changes: - - description: Update package to ECS 8.4.0 - type: enhancement - link: https://github.com/elastic/integrations/pull/3867 -- version: "0.3.1" - changes: - - description: Add documentation link to juniper documentation - type: enhancement - link: https://github.com/elastic/integrations/pull/3134 -- version: "0.3.0" - changes: - - description: Update package to ECS 8.3.0. - type: enhancement - link: https://github.com/elastic/integrations/pull/3353 -- version: "0.2.0" - changes: - - description: Update to ECS 8.2.0 - type: enhancement - link: https://github.com/elastic/integrations/pull/2779 -- version: "0.1.1" - changes: - - description: Add documentation for multi-fields - type: enhancement - link: https://github.com/elastic/integrations/pull/2916 -- version: "0.1.0" - changes: - - description: Update to ECS 8.0.0 - type: enhancement - link: https://github.com/elastic/integrations/pull/2590 -- version: "0.0.2" - changes: - - description: Regenerate test files using the new GeoIP database - type: bugfix - link: https://github.com/elastic/integrations/pull/2339 -- version: "0.0.1" - changes: - - description: Initial release of new package split from oroginal Juniper package - type: enhancement # can be one of: enhancement, bugfix, breaking-change - link: https://github.com/elastic/integrations/pull/2070 
diff --git a/packages/juniper_netscreen/0.4.2/data_stream/log/agent/stream/logfile.yml.hbs b/packages/juniper_netscreen/0.4.2/data_stream/log/agent/stream/logfile.yml.hbs deleted file mode 100755 index 36eb610dff..0000000000 --- a/packages/juniper_netscreen/0.4.2/data_stream/log/agent/stream/logfile.yml.hbs +++ /dev/null 
@@ -1,26357 +0,0 @@ -paths: -{{#each paths as |path i|}} - - {{path}} -{{/each}} -prospector.scanner.exclude_files: ['\.gz$'] -tags: -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#each tags as |tag i|}} - - {{tag}} -{{/each}} -fields_under_root: true -fields: - observer: - vendor: "Juniper" - product: "Netscreen" - type: "Firewall" -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} -processors: -{{#if processors}} -{{processors}} -{{/if}} -- script: - lang: javascript - params: - ecs: true - rsa: {{rsa_fields}} - tz_offset: {{tz_offset}} - keep_raw: {{keep_raw_fields}} - debug: {{debug}} - source: | - // Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - // or more contributor license agreements. Licensed under the Elastic License; - // you may not use this file except in compliance with the Elastic License. - - /* jshint -W014,-W016,-W097,-W116 */ - - var processor = require("processor"); - var console = require("console"); - - var FLAG_FIELD = "log.flags"; - var FIELDS_OBJECT = "nwparser"; - var FIELDS_PREFIX = FIELDS_OBJECT + "."; - - var defaults = { - debug: false, - ecs: true, - rsa: false, - keep_raw: false, - tz_offset: "local", - strip_priority: true - }; - - var saved_flags = null; - var debug; - var map_ecs; - var map_rsa; - var keep_raw; - var device; - var tz_offset; - var strip_priority; - - // Register params from configuration. - function register(params) { - debug = params.debug !== undefined ? params.debug : defaults.debug; - map_ecs = params.ecs !== undefined ? params.ecs : defaults.ecs; - map_rsa = params.rsa !== undefined ? params.rsa : defaults.rsa; - keep_raw = params.keep_raw !== undefined ? params.keep_raw : defaults.keep_raw; - tz_offset = parse_tz_offset(params.tz_offset !== undefined? params.tz_offset : defaults.tz_offset); - strip_priority = params.strip_priority !== undefined? 
params.strip_priority : defaults.strip_priority; - device = new DeviceProcessor(); - } - - function parse_tz_offset(offset) { - var date; - var m; - switch(offset) { - // local uses the tz offset from the JS VM. - case "local": - date = new Date(); - // Reversing the sign as we the offset from UTC, not to UTC. - return parse_local_tz_offset(-date.getTimezoneOffset()); - // event uses the tz offset from event.timezone (add_locale processor). - case "event": - return offset; - // Otherwise a tz offset in the form "[+-][0-9]{4}" is required. - default: - m = offset.match(/^([+\-])([0-9]{2}):?([0-9]{2})?$/); - if (m === null || m.length !== 4) { - throw("bad timezone offset: '" + offset + "'. Must have the form +HH:MM"); - } - return m[1] + m[2] + ":" + (m[3]!==undefined? m[3] : "00"); - } - } - - function parse_local_tz_offset(minutes) { - var neg = minutes < 0; - minutes = Math.abs(minutes); - var min = minutes % 60; - var hours = Math.floor(minutes / 60); - var pad2digit = function(n) { - if (n < 10) { return "0" + n;} - return "" + n; - }; - return (neg? "-" : "+") + pad2digit(hours) + ":" + pad2digit(min); - } - - function process(evt) { - // Function register is only called by the processor when `params` are set - // in the processor config. - if (device === undefined) { - register(defaults); - } - return device.process(evt); - } - - function processor_chain(subprocessors) { - var builder = new processor.Chain(); - subprocessors.forEach(builder.Add); - return builder.Build().Run; - } - - function linear_select(subprocessors) { - return function (evt) { - var flags = evt.Get(FLAG_FIELD); - var i; - for (i = 0; i < subprocessors.length; i++) { - evt.Delete(FLAG_FIELD); - if (debug) console.warn("linear_select trying entry " + i); - subprocessors[i](evt); - // Dissect processor succeeded? 
- if (evt.Get(FLAG_FIELD) == null) break; - if (debug) console.warn("linear_select failed entry " + i); - } - if (flags !== null) { - evt.Put(FLAG_FIELD, flags); - } - if (debug) { - if (i < subprocessors.length) { - console.warn("linear_select matched entry " + i); - } else { - console.warn("linear_select didn't match"); - } - } - }; - } - - function conditional(opt) { - return function(evt) { - if (opt.if(evt)) { - opt.then(evt); - } else if (opt.else) { - opt.else(evt); - } - }; - } - - var strip_syslog_priority = (function() { - var isEnabled = function() { return strip_priority === true; }; - var fetchPRI = field("_pri"); - var fetchPayload = field("payload"); - var removePayload = remove(["payload"]); - var cleanup = remove(["_pri", "payload"]); - var onMatch = function(evt) { - var pri, priStr = fetchPRI(evt); - if (priStr != null - && 0 < priStr.length && priStr.length < 4 - && !isNaN((pri = Number(priStr))) - && 0 <= pri && pri < 192) { - var severity = pri & 7, - facility = pri >> 3; - setc("_severity", "" + severity)(evt); - setc("_facility", "" + facility)(evt); - // Replace message with priority stripped. - evt.Put("message", fetchPayload(evt)); - removePayload(evt); - } else { - // not a valid syslog PRI, cleanup. 
- cleanup(evt); - } - }; - return conditional({ - if: isEnabled, - then: cleanup_flags(match( - "STRIP_PRI", - "message", - "<%{_pri}>%{payload}", - onMatch - )) - }); - })(); - - function match(id, src, pattern, on_success) { - var dissect = new processor.Dissect({ - field: src, - tokenizer: pattern, - target_prefix: FIELDS_OBJECT, - ignore_failure: true, - overwrite_keys: true, - trim_values: "right" - }); - return function (evt) { - var msg = evt.Get(src); - dissect.Run(evt); - var failed = evt.Get(FLAG_FIELD) != null; - if (debug) { - if (failed) { - console.debug("dissect fail: " + id + " field:" + src); - } else { - console.debug("dissect OK: " + id + " field:" + src); - } - console.debug(" expr: <<" + pattern + ">>"); - console.debug(" input: <<" + msg + ">>"); - } - if (on_success != null && !failed) { - on_success(evt); - } - }; - } - - function match_copy(id, src, dst, on_success) { - dst = FIELDS_PREFIX + dst; - if (dst === FIELDS_PREFIX || dst === src) { - return function (evt) { - if (debug) { - console.debug("noop OK: " + id + " field:" + src); - console.debug(" input: <<" + evt.Get(src) + ">>"); - } - if (on_success != null) on_success(evt); - } - } - return function (evt) { - var msg = evt.Get(src); - evt.Put(dst, msg); - if (debug) { - console.debug("copy OK: " + id + " field:" + src); - console.debug(" target: '" + dst + "'"); - console.debug(" input: <<" + msg + ">>"); - } - if (on_success != null) on_success(evt); - } - } - - function cleanup_flags(processor) { - return function(evt) { - processor(evt); - evt.Delete(FLAG_FIELD); - }; - } - - function all_match(opts) { - return function (evt) { - var i; - for (i = 0; i < opts.processors.length; i++) { - evt.Delete(FLAG_FIELD); - opts.processors[i](evt); - // Dissect processor succeeded? 
- if (evt.Get(FLAG_FIELD) != null) { - if (debug) console.warn("all_match failure at " + i); - if (opts.on_failure != null) opts.on_failure(evt); - return; - } - if (debug) console.warn("all_match success at " + i); - } - if (opts.on_success != null) opts.on_success(evt); - }; - } - - function msgid_select(mapping) { - return function (evt) { - var msgid = evt.Get(FIELDS_PREFIX + "messageid"); - if (msgid == null) { - if (debug) console.warn("msgid_select: no messageid captured!"); - return; - } - var next = mapping[msgid]; - if (next === undefined) { - if (debug) console.warn("msgid_select: no mapping for messageid:" + msgid); - return; - } - if (debug) console.info("msgid_select: matched key=" + msgid); - return next(evt); - }; - } - - function msg(msg_id, match) { - return function (evt) { - match(evt); - if (evt.Get(FLAG_FIELD) == null) { - evt.Put(FIELDS_PREFIX + "msg_id1", msg_id); - } - }; - } - - var start; - - function save_flags(evt) { - saved_flags = evt.Get(FLAG_FIELD); - evt.Put("event.original", evt.Get("message")); - } - - function restore_flags(evt) { - if (saved_flags !== null) { - evt.Put(FLAG_FIELD, saved_flags); - } - evt.Delete("message"); - } - - function constant(value) { - return function (evt) { - return value; - }; - } - - function field(name) { - var fullname = FIELDS_PREFIX + name; - return function (evt) { - return evt.Get(fullname); - }; - } - - function STRCAT(args) { - var s = ""; - var i; - for (i = 0; i < args.length; i++) { - s += args[i]; - } - return s; - } - - // TODO: Implement - function DIRCHK(args) { - unimplemented("DIRCHK"); - } - - function strictToInt(str) { - return str * 1; - } - - function CALC(args) { - if (args.length !== 3) { - console.warn("skipped call to CALC with " + args.length + " arguments."); - return; - } - var a = strictToInt(args[0]); - var b = strictToInt(args[2]); - if (isNaN(a) || isNaN(b)) { - console.warn("failed evaluating CALC arguments a='" + args[0] + "' b='" + args[2] + "'."); - return; - } - 
var result; - switch (args[1]) { - case "+": - result = a + b; - break; - case "-": - result = a - b; - break; - case "*": - result = a * b; - break; - default: - // Only * and + seen in the parsers. - console.warn("unknown CALC operation '" + args[1] + "'."); - return; - } - // Always return a string - return result !== undefined ? "" + result : result; - } - - var quoteChars = "\"'`"; - function RMQ(args) { - if(args.length !== 1) { - console.warn("RMQ: only one argument expected"); - return; - } - var value = args[0].trim(); - var n = value.length; - var char; - return n > 1 - && (char=value.charAt(0)) === value.charAt(n-1) - && quoteChars.indexOf(char) !== -1? - value.substr(1, n-2) - : value; - } - - function call(opts) { - var args = new Array(opts.args.length); - return function (evt) { - for (var i = 0; i < opts.args.length; i++) - if ((args[i] = opts.args[i](evt)) == null) return; - var result = opts.fn(args); - if (result != null) { - evt.Put(opts.dest, result); - } - }; - } - - function nop(evt) { - } - - function appendErrorMsg(evt, msg) { - var value = evt.Get("error.message"); - if (value == null) { - value = [msg]; - } else if (msg instanceof Array) { - value.push(msg); - } else { - value = [value, msg]; - } - evt.Put("error.message", value); - } - - function unimplemented(name) { - appendErrorMsg("unimplemented feature: " + name); - } - - function lookup(opts) { - return function (evt) { - var key = opts.key(evt); - if (key == null) return; - var value = opts.map.keyvaluepairs[key]; - if (value === undefined) { - value = opts.map.default; - } - if (value !== undefined) { - evt.Put(opts.dest, value(evt)); - } - }; - } - - function set(fields) { - return new processor.AddFields({ - target: FIELDS_OBJECT, - fields: fields, - }); - } - - function setf(dst, src) { - return function (evt) { - var val = evt.Get(FIELDS_PREFIX + src); - if (val != null) evt.Put(FIELDS_PREFIX + dst, val); - }; - } - - function setc(dst, value) { - return function (evt) { - 
evt.Put(FIELDS_PREFIX + dst, value); - }; - } - - function set_field(opts) { - return function (evt) { - var val = opts.value(evt); - if (val != null) evt.Put(opts.dest, val); - }; - } - - function dump(label) { - return function (evt) { - console.log("Dump of event at " + label + ": " + JSON.stringify(evt, null, "\t")); - }; - } - - function date_time_join_args(evt, arglist) { - var str = ""; - for (var i = 0; i < arglist.length; i++) { - var fname = FIELDS_PREFIX + arglist[i]; - var val = evt.Get(fname); - if (val != null) { - if (str !== "") str += " "; - str += val; - } else { - if (debug) console.warn("in date_time: input arg " + fname + " is not set"); - } - } - return str; - } - - function to2Digit(num) { - return num? (num < 10? "0" + num : num) : "00"; - } - - // Make two-digit dates 00-69 interpreted as 2000-2069 - // and dates 70-99 translated to 1970-1999. - var twoDigitYearEpoch = 70; - var twoDigitYearCentury = 2000; - - // This is to accept dates up to 2 days in the future, only used when - // no year is specified in a date. 2 days should be enough to account for - // time differences between systems and different tz offsets. - var maxFutureDelta = 2*24*60*60*1000; - - // DateContainer stores date fields and then converts those fields into - // a Date. Necessary because building a Date using its set() methods gives - // different results depending on the order of components. - function DateContainer(tzOffset) { - this.offset = tzOffset === undefined? "Z" : tzOffset; - } - - DateContainer.prototype = { - setYear: function(v) {this.year = v;}, - setMonth: function(v) {this.month = v;}, - setDay: function(v) {this.day = v;}, - setHours: function(v) {this.hours = v;}, - setMinutes: function(v) {this.minutes = v;}, - setSeconds: function(v) {this.seconds = v;}, - - setUNIX: function(v) {this.unix = v;}, - - set2DigitYear: function(v) { - this.year = v < twoDigitYearEpoch? 
twoDigitYearCentury + v : twoDigitYearCentury + v - 100; - }, - - toDate: function() { - if (this.unix !== undefined) { - return new Date(this.unix * 1000); - } - if (this.day === undefined || this.month === undefined) { - // Can't make a date from this. - return undefined; - } - if (this.year === undefined) { - // A date without a year. Set current year, or previous year - // if date would be in the future. - var now = new Date(); - this.year = now.getFullYear(); - var date = this.toDate(); - if (date.getTime() - now.getTime() > maxFutureDelta) { - date.setFullYear(now.getFullYear() - 1); - } - return date; - } - var MM = to2Digit(this.month); - var DD = to2Digit(this.day); - var hh = to2Digit(this.hours); - var mm = to2Digit(this.minutes); - var ss = to2Digit(this.seconds); - return new Date(this.year + "-" + MM + "-" + DD + "T" + hh + ":" + mm + ":" + ss + this.offset); - } - } - - function date_time_try_pattern(fmt, str, tzOffset) { - var date = new DateContainer(tzOffset); - var pos = date_time_try_pattern_at_pos(fmt, str, 0, date); - return pos !== undefined? 
date.toDate() : undefined; - } - - function date_time_try_pattern_at_pos(fmt, str, pos, date) { - var len = str.length; - for (var proc = 0; pos !== undefined && pos < len && proc < fmt.length; proc++) { - pos = fmt[proc](str, pos, date); - } - return pos; - } - - function date_time(opts) { - return function (evt) { - var tzOffset = opts.tz || tz_offset; - if (tzOffset === "event") { - tzOffset = evt.Get("event.timezone"); - } - var str = date_time_join_args(evt, opts.args); - for (var i = 0; i < opts.fmts.length; i++) { - var date = date_time_try_pattern(opts.fmts[i], str, tzOffset); - if (date !== undefined) { - evt.Put(FIELDS_PREFIX + opts.dest, date); - return; - } - } - if (debug) console.warn("in date_time: id=" + opts.id + " FAILED: " + str); - }; - } - - var uA = 60 * 60 * 24; - var uD = 60 * 60 * 24; - var uF = 60 * 60; - var uG = 60 * 60 * 24 * 30; - var uH = 60 * 60; - var uI = 60 * 60; - var uJ = 60 * 60 * 24; - var uM = 60 * 60 * 24 * 30; - var uN = 60 * 60; - var uO = 1; - var uS = 1; - var uT = 60; - var uU = 60; - var uc = dc; - - function duration(opts) { - return function(evt) { - var str = date_time_join_args(evt, opts.args); - for (var i = 0; i < opts.fmts.length; i++) { - var seconds = duration_try_pattern(opts.fmts[i], str); - if (seconds !== undefined) { - evt.Put(FIELDS_PREFIX + opts.dest, seconds); - return; - } - } - if (debug) console.warn("in duration: id=" + opts.id + " (s) FAILED: " + str); - }; - } - - function duration_try_pattern(fmt, str) { - var secs = 0; - var pos = 0; - for (var i=0; i [ month_id , how many chars to skip if month in long form ] - "Jan": [0, 4], - "Feb": [1, 5], - "Mar": [2, 2], - "Apr": [3, 2], - "May": [4, 0], - "Jun": [5, 1], - "Jul": [6, 1], - "Aug": [7, 3], - "Sep": [8, 6], - "Oct": [9, 4], - "Nov": [10, 5], - "Dec": [11, 4], - "jan": [0, 4], - "feb": [1, 5], - "mar": [2, 2], - "apr": [3, 2], - "may": [4, 0], - "jun": [5, 1], - "jul": [6, 1], - "aug": [7, 3], - "sep": [8, 6], - "oct": [9, 4], - "nov": [10, 
5], - "dec": [11, 4], - }; - - // var dC = undefined; - var dR = dateMonthName(true); - var dB = dateMonthName(false); - var dM = dateFixedWidthNumber("M", 2, 1, 12, DateContainer.prototype.setMonth); - var dG = dateVariableWidthNumber("G", 1, 12, DateContainer.prototype.setMonth); - var dD = dateFixedWidthNumber("D", 2, 1, 31, DateContainer.prototype.setDay); - var dF = dateVariableWidthNumber("F", 1, 31, DateContainer.prototype.setDay); - var dH = dateFixedWidthNumber("H", 2, 0, 24, DateContainer.prototype.setHours); - var dI = dateVariableWidthNumber("I", 0, 24, DateContainer.prototype.setHours); // Accept hours >12 - var dN = dateVariableWidthNumber("N", 0, 24, DateContainer.prototype.setHours); - var dT = dateFixedWidthNumber("T", 2, 0, 59, DateContainer.prototype.setMinutes); - var dU = dateVariableWidthNumber("U", 0, 59, DateContainer.prototype.setMinutes); - var dP = parseAMPM; // AM|PM - var dQ = parseAMPM; // A.M.|P.M - var dS = dateFixedWidthNumber("S", 2, 0, 60, DateContainer.prototype.setSeconds); - var dO = dateVariableWidthNumber("O", 0, 60, DateContainer.prototype.setSeconds); - var dY = dateFixedWidthNumber("Y", 2, 0, 99, DateContainer.prototype.set2DigitYear); - var dW = dateFixedWidthNumber("W", 4, 1000, 9999, DateContainer.prototype.setYear); - var dZ = parseHMS; - var dX = dateVariableWidthNumber("X", 0, 0x10000000000, DateContainer.prototype.setUNIX); - - // parseAMPM parses "A.M", "AM", "P.M", "PM" from logs. - // Only works if this modifier appears after the hour has been read from logs - // which is always the case in the 300 devices. 
- function parseAMPM(str, pos, date) { - var n = str.length; - var start = skipws(str, pos); - if (start + 2 > n) return; - var head = str.substr(start, 2).toUpperCase(); - var isPM = false; - var skip = false; - switch (head) { - case "A.": - skip = true; - /* falls through */ - case "AM": - break; - case "P.": - skip = true; - /* falls through */ - case "PM": - isPM = true; - break; - default: - if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(head:" + head + ")"); - return; - } - pos = start + 2; - if (skip) { - if (pos+2 > n || str.substr(pos, 2).toUpperCase() !== "M.") { - if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(tail)"); - return; - } - pos += 2; - } - var hh = date.hours; - if (isPM) { - // Accept existing hour in 24h format. - if (hh < 12) hh += 12; - } else { - if (hh === 12) hh = 0; - } - date.setHours(hh); - return pos; - } - - function parseHMS(str, pos, date) { - return date_time_try_pattern_at_pos([dN, dc(":"), dU, dc(":"), dO], str, pos, date); - } - - function skipws(str, pos) { - for ( var n = str.length; - pos < n && str.charAt(pos) === " "; - pos++) - ; - return pos; - } - - function skipdigits(str, pos) { - var c; - for (var n = str.length; - pos < n && (c = str.charAt(pos)) >= "0" && c <= "9"; - pos++) - ; - return pos; - } - - function dSkip(str, pos, date) { - var chr; - for (;pos < str.length && (chr=str[pos])<'0' || chr>'9'; pos++) {} - return pos < str.length? 
pos : undefined; - } - - function dateVariableWidthNumber(fmtChar, min, max, setter) { - return function (str, pos, date) { - var start = skipws(str, pos); - pos = skipdigits(str, start); - var s = str.substr(start, pos - start); - var value = parseInt(s, 10); - if (value >= min && value <= max) { - setter.call(date, value); - return pos; - } - return; - }; - } - - function dateFixedWidthNumber(fmtChar, width, min, max, setter) { - return function (str, pos, date) { - pos = skipws(str, pos); - var n = str.length; - if (pos + width > n) return; - var s = str.substr(pos, width); - var value = parseInt(s, 10); - if (value >= min && value <= max) { - setter.call(date, value); - return pos + width; - } - return; - }; - } - - // Short month name (Jan..Dec). - function dateMonthName(long) { - return function (str, pos, date) { - pos = skipws(str, pos); - var n = str.length; - if (pos + 3 > n) return; - var mon = str.substr(pos, 3); - var idx = shortMonths[mon]; - if (idx === undefined) { - idx = shortMonths[mon.toLowerCase()]; - } - if (idx === undefined) { - //console.warn("parsing date_time: '" + mon + "' is not a valid short month (%B)"); - return; - } - date.setMonth(idx[0]+1); - return pos + 3 + (long ? 
idx[1] : 0); - }; - } - - function url_wrapper(dst, src, fn) { - return function(evt) { - var value = evt.Get(FIELDS_PREFIX + src), result; - if (value != null && (result = fn(value))!== undefined) { - evt.Put(FIELDS_PREFIX + dst, result); - } else { - console.debug(fn.name + " failed for '" + value + "'"); - } - }; - } - - // The following regular expression for parsing URLs from: - // https://github.com/wizard04wsu/URI_Parsing - // - // The MIT License (MIT) - // - // Copyright (c) 2014 Andrew Harrison - // - // Permission is hereby granted, free of charge, to any person obtaining a copy of - // this software and associated documentation files (the "Software"), to deal in - // the Software without restriction, including without limitation the rights to - // use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of - // the Software, and to permit persons to whom the Software is furnished to do so, - // subject to the following conditions: - // - // The above copyright notice and this permission notice shall be included in all - // copies or substantial portions of the Software. - // - // THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR - // IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS - // FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR - // COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER - // IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN - // CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 
- var uriRegExp = /^([a-z][a-z0-9+.\-]*):(?:\/\/((?:(?=((?:[a-z0-9\-._~!$&'()*+,;=:]|%[0-9A-F]{2})*))(\3)@)?(?=(\[[0-9A-F:.]{2,}\]|(?:[a-z0-9\-._~!$&'()*+,;=]|%[0-9A-F]{2})*))\5(?::(?=(\d*))\6)?)(\/(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\8)?|(\/?(?!\/)(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\10)?)(?:\?(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\11)?(?:#(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\12)?$/i; - - var uriScheme = 1; - var uriDomain = 5; - var uriPort = 6; - var uriPath = 7; - var uriPathAlt = 9; - var uriQuery = 11; - - function domain(dst, src) { - return url_wrapper(dst, src, extract_domain); - } - - function split_url(value) { - var m = value.match(uriRegExp); - if (m && m[uriDomain]) return m; - // Support input in the form "www.example.net/path", but not "/path". - m = ("null://" + value).match(uriRegExp); - if (m) return m; - } - - function extract_domain(value) { - var m = split_url(value); - if (m && m[uriDomain]) return m[uriDomain]; - } - - var extFromPage = /\.[^.]+$/; - function extract_ext(value) { - var page = extract_page(value); - if (page) { - var m = page.match(extFromPage); - if (m) return m[0]; - } - } - - function ext(dst, src) { - return url_wrapper(dst, src, extract_ext); - } - - function fqdn(dst, src) { - // TODO: fqdn and domain(eTLD+1) are currently the same. - return domain(dst, src); - } - - var pageFromPathRegExp = /\/([^\/]+)$/; - var pageName = 1; - - function extract_page(value) { - value = extract_path(value); - if (!value) return undefined; - var m = value.match(pageFromPathRegExp); - if (m) return m[pageName]; - } - - function page(dst, src) { - return url_wrapper(dst, src, extract_page); - } - - function extract_path(value) { - var m = split_url(value); - return m? m[uriPath] || m[uriPathAlt] : undefined; - } - - function path(dst, src) { - return url_wrapper(dst, src, extract_path); - } - - // Map common schemes to their default port. 
- // port has to be a string (will be converted at a later stage). - var schemePort = { - "ftp": "21", - "ssh": "22", - "http": "80", - "https": "443", - }; - - function extract_port(value) { - var m = split_url(value); - if (!m) return undefined; - if (m[uriPort]) return m[uriPort]; - if (m[uriScheme]) { - return schemePort[m[uriScheme]]; - } - } - - function port(dst, src) { - return url_wrapper(dst, src, extract_port); - } - - function extract_query(value) { - var m = split_url(value); - if (m && m[uriQuery]) return m[uriQuery]; - } - - function query(dst, src) { - return url_wrapper(dst, src, extract_query); - } - - function extract_root(value) { - var m = split_url(value); - if (m && m[uriDomain] && m[uriDomain]) { - var scheme = m[uriScheme] && m[uriScheme] !== "null"? - m[uriScheme] + "://" : ""; - var port = m[uriPort]? ":" + m[uriPort] : ""; - return scheme + m[uriDomain] + port; - } - } - - function root(dst, src) { - return url_wrapper(dst, src, extract_root); - } - - function tagval(id, src, cfg, keys, on_success) { - var fail = function(evt) { - evt.Put(FLAG_FIELD, "tagval_parsing_error"); - } - if (cfg.kv_separator.length !== 1) { - throw("Invalid TAGVALMAP ValueDelimiter (must have 1 character)"); - } - var quotes_len = cfg.open_quote.length > 0 && cfg.close_quote.length > 0? 
- cfg.open_quote.length + cfg.close_quote.length : 0; - var kv_regex = new RegExp('^([^' + cfg.kv_separator + ']*)*' + cfg.kv_separator + ' *(.*)*$'); - return function(evt) { - var msg = evt.Get(src); - if (msg === undefined) { - console.warn("tagval: input field is missing"); - return fail(evt); - } - var pairs = msg.split(cfg.pair_separator); - var i; - var success = false; - var prev = ""; - for (i=0; i 0 && - value.length >= cfg.open_quote.length + cfg.close_quote.length && - value.substr(0, cfg.open_quote.length) === cfg.open_quote && - value.substr(value.length - cfg.close_quote.length) === cfg.close_quote) { - value = value.substr(cfg.open_quote.length, value.length - quotes_len); - } - evt.Put(FIELDS_PREFIX + field, value); - success = true; - } - if (!success) { - return fail(evt); - } - if (on_success != null) { - on_success(evt); - } - } - } - - var ecs_mappings = { - "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]}, - "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]}, - "_severity": {convert: to_long, to:[{field: "log.syslog.severity.code", setter: fld_set}]}, - "action": {to:[{field: "event.action", setter: fld_prio, prio: 0}]}, - "administrator": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 4}]}, - "alias.ip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 3},{field: "related.ip", setter: fld_append}]}, - "alias.ipv6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 4},{field: "related.ip", setter: fld_append}]}, - "alias.mac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 1}]}, - "application": {to:[{field: "network.application", setter: fld_set}]}, - "bytes": {convert: to_long, to:[{field: "network.bytes", setter: fld_set}]}, - "c_domain": {to:[{field: "source.domain", setter: fld_prio, prio: 1}]}, - "c_logon_id": {to:[{field: "user.id", setter: fld_prio, prio: 2}]}, - 
"c_user_name": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 8}]},
- "c_username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 2}]},
- "cctld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 1}]},
- "child_pid": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 1}]},
- "child_pid_val": {to:[{field: "process.title", setter: fld_set}]},
- "child_process": {to:[{field: "process.name", setter: fld_prio, prio: 1}]},
- "city.dst": {to:[{field: "destination.geo.city_name", setter: fld_set}]},
- "city.src": {to:[{field: "source.geo.city_name", setter: fld_set}]},
- "daddr": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]},
- "daddr_v6": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]},
- "ddomain": {to:[{field: "destination.domain", setter: fld_prio, prio: 0}]},
- "devicehostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]},
- "devicehostmac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 0}]},
- "dhost": {to:[{field: "destination.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]},
- "dinterface": {to:[{field: "observer.egress.interface.name", setter: fld_set}]},
- "direction": {to:[{field: "network.direction", setter: fld_set}]},
- "directory": {to:[{field: "file.directory", setter: fld_set}]},
- "dmacaddr": {convert: to_mac, to:[{field: "destination.mac", setter: fld_set}]},
- "dns.responsetype": {to:[{field: "dns.answers.type", setter: fld_set}]},
- "dns.resptext": {to:[{field: "dns.answers.name", setter: fld_set}]},
- "dns_querytype": {to:[{field: "dns.question.type", setter: fld_set}]},
- "domain": {to:[{field: "server.domain", setter: fld_prio, prio: 0},{field: "related.hosts", setter: fld_append}]},
- 
"domain.dst": {to:[{field: "destination.domain", setter: fld_prio, prio: 1}]},
- "domain.src": {to:[{field: "source.domain", setter: fld_prio, prio: 2}]},
- "domain_id": {to:[{field: "user.domain", setter: fld_set}]},
- "domainname": {to:[{field: "server.domain", setter: fld_prio, prio: 1}]},
- "dport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 0}]},
- "dtransaddr": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]},
- "dtransport": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 0}]},
- "ec_outcome": {to:[{field: "event.outcome", setter: fld_ecs_outcome}]},
- "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]},
- "event_source": {to:[{field: "related.hosts", setter: fld_append}]},
- "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]},
- "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]},
- "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]},
- "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]},
- "filename": {to:[{field: "file.name", setter: fld_prio, prio: 0}]},
- "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]},
- "filepath": {to:[{field: "file.path", setter: fld_set}]},
- "filetype": {to:[{field: "file.type", setter: fld_set}]},
- "fqdn": {to:[{field: "related.hosts", setter: fld_append}]},
- "group": {to:[{field: "group.name", setter: fld_set}]},
- "groupid": {to:[{field: "group.id", setter: fld_set}]},
- "host": {to:[{field: "host.name", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]},
- "hostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]},
- "hostip_v6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]},
- "hostname": {to:[{field: 
"host.name", setter: fld_prio, prio: 0}]},
- "id": {to:[{field: "event.code", setter: fld_prio, prio: 0}]},
- "interface": {to:[{field: "network.interface.name", setter: fld_set}]},
- "ip.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]},
- "ip.trans.dst": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]},
- "ip.trans.src": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]},
- "ipv6.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]},
- "latdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lat", setter: fld_set}]},
- "latdec_src": {convert: to_double, to:[{field: "source.geo.location.lat", setter: fld_set}]},
- "location_city": {to:[{field: "geo.city_name", setter: fld_set}]},
- "location_country": {to:[{field: "geo.country_name", setter: fld_set}]},
- "location_desc": {to:[{field: "geo.name", setter: fld_set}]},
- "location_dst": {to:[{field: "destination.geo.country_name", setter: fld_set}]},
- "location_src": {to:[{field: "source.geo.country_name", setter: fld_set}]},
- "location_state": {to:[{field: "geo.region_name", setter: fld_set}]},
- "logon_id": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 5}]},
- "longdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lon", setter: fld_set}]},
- "longdec_src": {convert: to_double, to:[{field: "source.geo.location.lon", setter: fld_set}]},
- "macaddr": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 2}]},
- "messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]},
- "method": {to:[{field: "http.request.method", setter: fld_set}]},
- "msg": {to:[{field: "message", setter: fld_set}]},
- "orig_ip": {convert: to_ip, 
to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]},
- "owner": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 6}]},
- "packets": {convert: to_long, to:[{field: "network.packets", setter: fld_set}]},
- "parent_pid": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 0}]},
- "parent_pid_val": {to:[{field: "process.parent.title", setter: fld_set}]},
- "parent_process": {to:[{field: "process.parent.name", setter: fld_prio, prio: 0}]},
- "patient_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 1}]},
- "port.dst": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 1}]},
- "port.src": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 1}]},
- "port.trans.dst": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 1}]},
- "port.trans.src": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 1}]},
- "process": {to:[{field: "process.name", setter: fld_prio, prio: 0}]},
- "process_id": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 0}]},
- "process_id_src": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 1}]},
- "process_src": {to:[{field: "process.parent.name", setter: fld_prio, prio: 1}]},
- "product": {to:[{field: "observer.product", setter: fld_set}]},
- "protocol": {to:[{field: "network.protocol", setter: fld_set}]},
- "query": {to:[{field: "url.query", setter: fld_prio, prio: 2}]},
- "rbytes": {convert: to_long, to:[{field: "destination.bytes", setter: fld_set}]},
- "referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 1}]},
- "rulename": {to:[{field: "rule.name", setter: fld_set}]},
- "saddr": {convert: to_ip, to:[{field: "source.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]},
- "saddr_v6": {convert: to_ip, to:[{field: "source.ip", setter: 
fld_set},{field: "related.ip", setter: fld_append}]},
- "sbytes": {convert: to_long, to:[{field: "source.bytes", setter: fld_set}]},
- "sdomain": {to:[{field: "source.domain", setter: fld_prio, prio: 0}]},
- "service": {to:[{field: "service.name", setter: fld_prio, prio: 1}]},
- "service.name": {to:[{field: "service.name", setter: fld_prio, prio: 0}]},
- "service_account": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 7}]},
- "severity": {to:[{field: "log.level", setter: fld_set}]},
- "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]},
- "sinterface": {to:[{field: "observer.ingress.interface.name", setter: fld_set}]},
- "sld": {to:[{field: "url.registered_domain", setter: fld_set}]},
- "smacaddr": {convert: to_mac, to:[{field: "source.mac", setter: fld_set}]},
- "sport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 0}]},
- "stransaddr": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]},
- "stransport": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 0}]},
- "tcp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 2}]},
- "tcp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 2}]},
- "timezone": {to:[{field: "event.timezone", setter: fld_set}]},
- "tld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 0}]},
- "udp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 3}]},
- "udp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 3}]},
- "uid": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 3}]},
- "url": {to:[{field: "url.original", setter: fld_prio, prio: 1}]},
- "url_raw": {to:[{field: "url.original", setter: fld_prio, prio: 
0}]},
- "urldomain": {to:[{field: "url.domain", setter: fld_prio, prio: 0}]},
- "urlquery": {to:[{field: "url.query", setter: fld_prio, prio: 0}]},
- "user": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 0}]},
- "user.id": {to:[{field: "user.id", setter: fld_prio, prio: 1}]},
- "user_agent": {to:[{field: "user_agent.original", setter: fld_set}]},
- "user_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 0}]},
- "user_id": {to:[{field: "user.id", setter: fld_prio, prio: 0}]},
- "username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 1}]},
- "version": {to:[{field: "observer.version", setter: fld_set}]},
- "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]},
- "web_extension": {to:[{field: "file.extension", setter: fld_prio, prio: 0}]},
- "web_query": {to:[{field: "url.query", setter: fld_prio, prio: 1}]},
- "web_ref_domain": {to:[{field: "related.hosts", setter: fld_append}]},
- "web_referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 0}]},
- "web_root": {to:[{field: "url.path", setter: fld_set}]},
- "webpage": {to:[{field: "file.name", setter: fld_prio, prio: 1}]},
- };
-
- var rsa_mappings = {
- "access_point": {to:[{field: "rsa.wireless.access_point", setter: fld_set}]},
- "accesses": {to:[{field: "rsa.identity.accesses", setter: fld_set}]},
- "acl_id": {to:[{field: "rsa.misc.acl_id", setter: fld_set}]},
- "acl_op": {to:[{field: "rsa.misc.acl_op", setter: fld_set}]},
- "acl_pos": {to:[{field: "rsa.misc.acl_pos", setter: fld_set}]},
- "acl_table": {to:[{field: "rsa.misc.acl_table", setter: fld_set}]},
- "action": {to:[{field: "rsa.misc.action", setter: fld_append}]},
- "ad_computer_dst": {to:[{field: "rsa.network.ad_computer_dst", setter: fld_set}]},
- "addr": {to:[{field: "rsa.network.addr", setter: fld_set}]},
- "admin": {to:[{field: "rsa.misc.admin", setter: 
fld_set}]},
- "agent": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 0}]},
- "agent.id": {to:[{field: "rsa.misc.agent_id", setter: fld_set}]},
- "alarm_id": {to:[{field: "rsa.misc.alarm_id", setter: fld_set}]},
- "alarmname": {to:[{field: "rsa.misc.alarmname", setter: fld_set}]},
- "alert": {to:[{field: "rsa.threat.alert", setter: fld_set}]},
- "alert_id": {to:[{field: "rsa.misc.alert_id", setter: fld_set}]},
- "alias.host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
- "analysis.file": {to:[{field: "rsa.investigations.analysis_file", setter: fld_set}]},
- "analysis.service": {to:[{field: "rsa.investigations.analysis_service", setter: fld_set}]},
- "analysis.session": {to:[{field: "rsa.investigations.analysis_session", setter: fld_set}]},
- "app_id": {to:[{field: "rsa.misc.app_id", setter: fld_set}]},
- "attachment": {to:[{field: "rsa.file.attachment", setter: fld_set}]},
- "audit": {to:[{field: "rsa.misc.audit", setter: fld_set}]},
- "audit_class": {to:[{field: "rsa.internal.audit_class", setter: fld_set}]},
- "audit_object": {to:[{field: "rsa.misc.audit_object", setter: fld_set}]},
- "auditdata": {to:[{field: "rsa.misc.auditdata", setter: fld_set}]},
- "authmethod": {to:[{field: "rsa.identity.auth_method", setter: fld_set}]},
- "autorun_type": {to:[{field: "rsa.misc.autorun_type", setter: fld_set}]},
- "bcc": {to:[{field: "rsa.email.email", setter: fld_append}]},
- "benchmark": {to:[{field: "rsa.misc.benchmark", setter: fld_set}]},
- "binary": {to:[{field: "rsa.file.binary", setter: fld_set}]},
- "boc": {to:[{field: "rsa.investigations.boc", setter: fld_set}]},
- "bssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 1}]},
- "bypass": {to:[{field: "rsa.misc.bypass", setter: fld_set}]},
- "c_sid": {to:[{field: "rsa.identity.user_sid_src", setter: fld_set}]},
- "cache": {to:[{field: "rsa.misc.cache", setter: fld_set}]},
- "cache_hit": {to:[{field: "rsa.misc.cache_hit", setter: fld_set}]},
- "calling_from": {to:[{field: 
"rsa.misc.phone", setter: fld_prio, prio: 1}]},
- "calling_to": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 0}]},
- "category": {to:[{field: "rsa.misc.category", setter: fld_set}]},
- "cc": {to:[{field: "rsa.email.email", setter: fld_append}]},
- "cc.number": {convert: to_long, to:[{field: "rsa.misc.cc_number", setter: fld_set}]},
- "cefversion": {to:[{field: "rsa.misc.cefversion", setter: fld_set}]},
- "cert.serial": {to:[{field: "rsa.crypto.cert_serial", setter: fld_set}]},
- "cert_ca": {to:[{field: "rsa.crypto.cert_ca", setter: fld_set}]},
- "cert_checksum": {to:[{field: "rsa.crypto.cert_checksum", setter: fld_set}]},
- "cert_common": {to:[{field: "rsa.crypto.cert_common", setter: fld_set}]},
- "cert_error": {to:[{field: "rsa.crypto.cert_error", setter: fld_set}]},
- "cert_hostname": {to:[{field: "rsa.crypto.cert_host_name", setter: fld_set}]},
- "cert_hostname_cat": {to:[{field: "rsa.crypto.cert_host_cat", setter: fld_set}]},
- "cert_issuer": {to:[{field: "rsa.crypto.cert_issuer", setter: fld_set}]},
- "cert_keysize": {to:[{field: "rsa.crypto.cert_keysize", setter: fld_set}]},
- "cert_status": {to:[{field: "rsa.crypto.cert_status", setter: fld_set}]},
- "cert_subject": {to:[{field: "rsa.crypto.cert_subject", setter: fld_set}]},
- "cert_username": {to:[{field: "rsa.crypto.cert_username", setter: fld_set}]},
- "cfg.attr": {to:[{field: "rsa.misc.cfg_attr", setter: fld_set}]},
- "cfg.obj": {to:[{field: "rsa.misc.cfg_obj", setter: fld_set}]},
- "cfg.path": {to:[{field: "rsa.misc.cfg_path", setter: fld_set}]},
- "change_attribute": {to:[{field: "rsa.misc.change_attrib", setter: fld_set}]},
- "change_new": {to:[{field: "rsa.misc.change_new", setter: fld_set}]},
- "change_old": {to:[{field: "rsa.misc.change_old", setter: fld_set}]},
- "changes": {to:[{field: "rsa.misc.changes", setter: fld_set}]},
- "checksum": {to:[{field: "rsa.misc.checksum", setter: fld_set}]},
- "checksum.dst": {to:[{field: "rsa.misc.checksum_dst", setter: fld_set}]},
- "checksum.src": 
{to:[{field: "rsa.misc.checksum_src", setter: fld_set}]},
- "cid": {to:[{field: "rsa.internal.cid", setter: fld_set}]},
- "client": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 1}]},
- "client_ip": {to:[{field: "rsa.misc.client_ip", setter: fld_set}]},
- "clustermembers": {to:[{field: "rsa.misc.clustermembers", setter: fld_set}]},
- "cmd": {to:[{field: "rsa.misc.cmd", setter: fld_set}]},
- "cn_acttimeout": {to:[{field: "rsa.misc.cn_acttimeout", setter: fld_set}]},
- "cn_asn_dst": {to:[{field: "rsa.web.cn_asn_dst", setter: fld_set}]},
- "cn_asn_src": {to:[{field: "rsa.misc.cn_asn_src", setter: fld_set}]},
- "cn_bgpv4nxthop": {to:[{field: "rsa.misc.cn_bgpv4nxthop", setter: fld_set}]},
- "cn_ctr_dst_code": {to:[{field: "rsa.misc.cn_ctr_dst_code", setter: fld_set}]},
- "cn_dst_tos": {to:[{field: "rsa.misc.cn_dst_tos", setter: fld_set}]},
- "cn_dst_vlan": {to:[{field: "rsa.misc.cn_dst_vlan", setter: fld_set}]},
- "cn_engine_id": {to:[{field: "rsa.misc.cn_engine_id", setter: fld_set}]},
- "cn_engine_type": {to:[{field: "rsa.misc.cn_engine_type", setter: fld_set}]},
- "cn_f_switch": {to:[{field: "rsa.misc.cn_f_switch", setter: fld_set}]},
- "cn_flowsampid": {to:[{field: "rsa.misc.cn_flowsampid", setter: fld_set}]},
- "cn_flowsampintv": {to:[{field: "rsa.misc.cn_flowsampintv", setter: fld_set}]},
- "cn_flowsampmode": {to:[{field: "rsa.misc.cn_flowsampmode", setter: fld_set}]},
- "cn_inacttimeout": {to:[{field: "rsa.misc.cn_inacttimeout", setter: fld_set}]},
- "cn_inpermbyts": {to:[{field: "rsa.misc.cn_inpermbyts", setter: fld_set}]},
- "cn_inpermpckts": {to:[{field: "rsa.misc.cn_inpermpckts", setter: fld_set}]},
- "cn_invalid": {to:[{field: "rsa.misc.cn_invalid", setter: fld_set}]},
- "cn_ip_proto_ver": {to:[{field: "rsa.misc.cn_ip_proto_ver", setter: fld_set}]},
- "cn_ipv4_ident": {to:[{field: "rsa.misc.cn_ipv4_ident", setter: fld_set}]},
- "cn_l_switch": {to:[{field: "rsa.misc.cn_l_switch", setter: fld_set}]},
- "cn_log_did": {to:[{field: 
"rsa.misc.cn_log_did", setter: fld_set}]},
- "cn_log_rid": {to:[{field: "rsa.misc.cn_log_rid", setter: fld_set}]},
- "cn_max_ttl": {to:[{field: "rsa.misc.cn_max_ttl", setter: fld_set}]},
- "cn_maxpcktlen": {to:[{field: "rsa.misc.cn_maxpcktlen", setter: fld_set}]},
- "cn_min_ttl": {to:[{field: "rsa.misc.cn_min_ttl", setter: fld_set}]},
- "cn_minpcktlen": {to:[{field: "rsa.misc.cn_minpcktlen", setter: fld_set}]},
- "cn_mpls_lbl_1": {to:[{field: "rsa.misc.cn_mpls_lbl_1", setter: fld_set}]},
- "cn_mpls_lbl_10": {to:[{field: "rsa.misc.cn_mpls_lbl_10", setter: fld_set}]},
- "cn_mpls_lbl_2": {to:[{field: "rsa.misc.cn_mpls_lbl_2", setter: fld_set}]},
- "cn_mpls_lbl_3": {to:[{field: "rsa.misc.cn_mpls_lbl_3", setter: fld_set}]},
- "cn_mpls_lbl_4": {to:[{field: "rsa.misc.cn_mpls_lbl_4", setter: fld_set}]},
- "cn_mpls_lbl_5": {to:[{field: "rsa.misc.cn_mpls_lbl_5", setter: fld_set}]},
- "cn_mpls_lbl_6": {to:[{field: "rsa.misc.cn_mpls_lbl_6", setter: fld_set}]},
- "cn_mpls_lbl_7": {to:[{field: "rsa.misc.cn_mpls_lbl_7", setter: fld_set}]},
- "cn_mpls_lbl_8": {to:[{field: "rsa.misc.cn_mpls_lbl_8", setter: fld_set}]},
- "cn_mpls_lbl_9": {to:[{field: "rsa.misc.cn_mpls_lbl_9", setter: fld_set}]},
- "cn_mplstoplabel": {to:[{field: "rsa.misc.cn_mplstoplabel", setter: fld_set}]},
- "cn_mplstoplabip": {to:[{field: "rsa.misc.cn_mplstoplabip", setter: fld_set}]},
- "cn_mul_dst_byt": {to:[{field: "rsa.misc.cn_mul_dst_byt", setter: fld_set}]},
- "cn_mul_dst_pks": {to:[{field: "rsa.misc.cn_mul_dst_pks", setter: fld_set}]},
- "cn_muligmptype": {to:[{field: "rsa.misc.cn_muligmptype", setter: fld_set}]},
- "cn_rpackets": {to:[{field: "rsa.web.cn_rpackets", setter: fld_set}]},
- "cn_sampalgo": {to:[{field: "rsa.misc.cn_sampalgo", setter: fld_set}]},
- "cn_sampint": {to:[{field: "rsa.misc.cn_sampint", setter: fld_set}]},
- "cn_seqctr": {to:[{field: "rsa.misc.cn_seqctr", setter: fld_set}]},
- "cn_spackets": {to:[{field: "rsa.misc.cn_spackets", setter: fld_set}]},
- "cn_src_tos": {to:[{field: 
"rsa.misc.cn_src_tos", setter: fld_set}]},
- "cn_src_vlan": {to:[{field: "rsa.misc.cn_src_vlan", setter: fld_set}]},
- "cn_sysuptime": {to:[{field: "rsa.misc.cn_sysuptime", setter: fld_set}]},
- "cn_template_id": {to:[{field: "rsa.misc.cn_template_id", setter: fld_set}]},
- "cn_totbytsexp": {to:[{field: "rsa.misc.cn_totbytsexp", setter: fld_set}]},
- "cn_totflowexp": {to:[{field: "rsa.misc.cn_totflowexp", setter: fld_set}]},
- "cn_totpcktsexp": {to:[{field: "rsa.misc.cn_totpcktsexp", setter: fld_set}]},
- "cn_unixnanosecs": {to:[{field: "rsa.misc.cn_unixnanosecs", setter: fld_set}]},
- "cn_v6flowlabel": {to:[{field: "rsa.misc.cn_v6flowlabel", setter: fld_set}]},
- "cn_v6optheaders": {to:[{field: "rsa.misc.cn_v6optheaders", setter: fld_set}]},
- "code": {to:[{field: "rsa.misc.code", setter: fld_set}]},
- "command": {to:[{field: "rsa.misc.command", setter: fld_set}]},
- "comments": {to:[{field: "rsa.misc.comments", setter: fld_set}]},
- "comp_class": {to:[{field: "rsa.misc.comp_class", setter: fld_set}]},
- "comp_name": {to:[{field: "rsa.misc.comp_name", setter: fld_set}]},
- "comp_rbytes": {to:[{field: "rsa.misc.comp_rbytes", setter: fld_set}]},
- "comp_sbytes": {to:[{field: "rsa.misc.comp_sbytes", setter: fld_set}]},
- "component_version": {to:[{field: "rsa.misc.comp_version", setter: fld_set}]},
- "connection_id": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 1}]},
- "connectionid": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 0}]},
- "content": {to:[{field: "rsa.misc.content", setter: fld_set}]},
- "content_type": {to:[{field: "rsa.misc.content_type", setter: fld_set}]},
- "content_version": {to:[{field: "rsa.misc.content_version", setter: fld_set}]},
- "context": {to:[{field: "rsa.misc.context", setter: fld_set}]},
- "count": {to:[{field: "rsa.misc.count", setter: fld_set}]},
- "cpu": {convert: to_long, to:[{field: "rsa.misc.cpu", setter: fld_set}]},
- "cpu_data": {to:[{field: "rsa.misc.cpu_data", setter: fld_set}]},
- 
"criticality": {to:[{field: "rsa.misc.criticality", setter: fld_set}]},
- "cs_agency_dst": {to:[{field: "rsa.misc.cs_agency_dst", setter: fld_set}]},
- "cs_analyzedby": {to:[{field: "rsa.misc.cs_analyzedby", setter: fld_set}]},
- "cs_av_other": {to:[{field: "rsa.misc.cs_av_other", setter: fld_set}]},
- "cs_av_primary": {to:[{field: "rsa.misc.cs_av_primary", setter: fld_set}]},
- "cs_av_secondary": {to:[{field: "rsa.misc.cs_av_secondary", setter: fld_set}]},
- "cs_bgpv6nxthop": {to:[{field: "rsa.misc.cs_bgpv6nxthop", setter: fld_set}]},
- "cs_bit9status": {to:[{field: "rsa.misc.cs_bit9status", setter: fld_set}]},
- "cs_context": {to:[{field: "rsa.misc.cs_context", setter: fld_set}]},
- "cs_control": {to:[{field: "rsa.misc.cs_control", setter: fld_set}]},
- "cs_data": {to:[{field: "rsa.misc.cs_data", setter: fld_set}]},
- "cs_datecret": {to:[{field: "rsa.misc.cs_datecret", setter: fld_set}]},
- "cs_dst_tld": {to:[{field: "rsa.misc.cs_dst_tld", setter: fld_set}]},
- "cs_eth_dst_ven": {to:[{field: "rsa.misc.cs_eth_dst_ven", setter: fld_set}]},
- "cs_eth_src_ven": {to:[{field: "rsa.misc.cs_eth_src_ven", setter: fld_set}]},
- "cs_event_uuid": {to:[{field: "rsa.misc.cs_event_uuid", setter: fld_set}]},
- "cs_filetype": {to:[{field: "rsa.misc.cs_filetype", setter: fld_set}]},
- "cs_fld": {to:[{field: "rsa.misc.cs_fld", setter: fld_set}]},
- "cs_if_desc": {to:[{field: "rsa.misc.cs_if_desc", setter: fld_set}]},
- "cs_if_name": {to:[{field: "rsa.misc.cs_if_name", setter: fld_set}]},
- "cs_ip_next_hop": {to:[{field: "rsa.misc.cs_ip_next_hop", setter: fld_set}]},
- "cs_ipv4dstpre": {to:[{field: "rsa.misc.cs_ipv4dstpre", setter: fld_set}]},
- "cs_ipv4srcpre": {to:[{field: "rsa.misc.cs_ipv4srcpre", setter: fld_set}]},
- "cs_lifetime": {to:[{field: "rsa.misc.cs_lifetime", setter: fld_set}]},
- "cs_log_medium": {to:[{field: "rsa.misc.cs_log_medium", setter: fld_set}]},
- "cs_loginname": {to:[{field: "rsa.misc.cs_loginname", setter: fld_set}]},
- "cs_modulescore": {to:[{field: 
"rsa.misc.cs_modulescore", setter: fld_set}]},
- "cs_modulesign": {to:[{field: "rsa.misc.cs_modulesign", setter: fld_set}]},
- "cs_opswatresult": {to:[{field: "rsa.misc.cs_opswatresult", setter: fld_set}]},
- "cs_payload": {to:[{field: "rsa.misc.cs_payload", setter: fld_set}]},
- "cs_registrant": {to:[{field: "rsa.misc.cs_registrant", setter: fld_set}]},
- "cs_registrar": {to:[{field: "rsa.misc.cs_registrar", setter: fld_set}]},
- "cs_represult": {to:[{field: "rsa.misc.cs_represult", setter: fld_set}]},
- "cs_rpayload": {to:[{field: "rsa.misc.cs_rpayload", setter: fld_set}]},
- "cs_sampler_name": {to:[{field: "rsa.misc.cs_sampler_name", setter: fld_set}]},
- "cs_sourcemodule": {to:[{field: "rsa.misc.cs_sourcemodule", setter: fld_set}]},
- "cs_streams": {to:[{field: "rsa.misc.cs_streams", setter: fld_set}]},
- "cs_targetmodule": {to:[{field: "rsa.misc.cs_targetmodule", setter: fld_set}]},
- "cs_v6nxthop": {to:[{field: "rsa.misc.cs_v6nxthop", setter: fld_set}]},
- "cs_whois_server": {to:[{field: "rsa.misc.cs_whois_server", setter: fld_set}]},
- "cs_yararesult": {to:[{field: "rsa.misc.cs_yararesult", setter: fld_set}]},
- "cve": {to:[{field: "rsa.misc.cve", setter: fld_set}]},
- "d_certauth": {to:[{field: "rsa.crypto.d_certauth", setter: fld_set}]},
- "d_cipher": {to:[{field: "rsa.crypto.cipher_dst", setter: fld_set}]},
- "d_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_dst", setter: fld_set}]},
- "d_sslver": {to:[{field: "rsa.crypto.ssl_ver_dst", setter: fld_set}]},
- "data": {to:[{field: "rsa.internal.data", setter: fld_set}]},
- "data_type": {to:[{field: "rsa.misc.data_type", setter: fld_set}]},
- "date": {to:[{field: "rsa.time.date", setter: fld_set}]},
- "datetime": {to:[{field: "rsa.time.datetime", setter: fld_set}]},
- "day": {to:[{field: "rsa.time.day", setter: fld_set}]},
- "db_id": {to:[{field: "rsa.db.db_id", setter: fld_set}]},
- "db_name": {to:[{field: "rsa.db.database", setter: fld_set}]},
- "db_pid": {convert: to_long, to:[{field: 
"rsa.db.db_pid", setter: fld_set}]},
- "dclass_counter1": {convert: to_long, to:[{field: "rsa.counters.dclass_c1", setter: fld_set}]},
- "dclass_counter1_string": {to:[{field: "rsa.counters.dclass_c1_str", setter: fld_set}]},
- "dclass_counter2": {convert: to_long, to:[{field: "rsa.counters.dclass_c2", setter: fld_set}]},
- "dclass_counter2_string": {to:[{field: "rsa.counters.dclass_c2_str", setter: fld_set}]},
- "dclass_counter3": {convert: to_long, to:[{field: "rsa.counters.dclass_c3", setter: fld_set}]},
- "dclass_counter3_string": {to:[{field: "rsa.counters.dclass_c3_str", setter: fld_set}]},
- "dclass_ratio1": {to:[{field: "rsa.counters.dclass_r1", setter: fld_set}]},
- "dclass_ratio1_string": {to:[{field: "rsa.counters.dclass_r1_str", setter: fld_set}]},
- "dclass_ratio2": {to:[{field: "rsa.counters.dclass_r2", setter: fld_set}]},
- "dclass_ratio2_string": {to:[{field: "rsa.counters.dclass_r2_str", setter: fld_set}]},
- "dclass_ratio3": {to:[{field: "rsa.counters.dclass_r3", setter: fld_set}]},
- "dclass_ratio3_string": {to:[{field: "rsa.counters.dclass_r3_str", setter: fld_set}]},
- "dead": {convert: to_long, to:[{field: "rsa.internal.dead", setter: fld_set}]},
- "description": {to:[{field: "rsa.misc.description", setter: fld_set}]},
- "detail": {to:[{field: "rsa.misc.event_desc", setter: fld_set}]},
- "device": {to:[{field: "rsa.misc.device_name", setter: fld_set}]},
- "device.class": {to:[{field: "rsa.internal.device_class", setter: fld_set}]},
- "device.group": {to:[{field: "rsa.internal.device_group", setter: fld_set}]},
- "device.host": {to:[{field: "rsa.internal.device_host", setter: fld_set}]},
- "device.ip": {convert: to_ip, to:[{field: "rsa.internal.device_ip", setter: fld_set}]},
- "device.ipv6": {convert: to_ip, to:[{field: "rsa.internal.device_ipv6", setter: fld_set}]},
- "device.type": {to:[{field: "rsa.internal.device_type", setter: fld_set}]},
- "device.type.id": {convert: to_long, to:[{field: "rsa.internal.device_type_id", setter: fld_set}]},
- "devicehostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
- "devvendor": {to:[{field: "rsa.misc.devvendor", setter: fld_set}]},
- "dhost": {to:[{field: "rsa.network.host_dst", setter: fld_set}]},
- "did": {to:[{field: "rsa.internal.did", setter: fld_set}]},
- "dinterface": {to:[{field: "rsa.network.dinterface", setter: fld_set}]},
- "directory.dst": {to:[{field: "rsa.file.directory_dst", setter: fld_set}]},
- "directory.src": {to:[{field: "rsa.file.directory_src", setter: fld_set}]},
- "disk_volume": {to:[{field: "rsa.storage.disk_volume", setter: fld_set}]},
- "disposition": {to:[{field: "rsa.misc.disposition", setter: fld_set}]},
- "distance": {to:[{field: "rsa.misc.distance", setter: fld_set}]},
- "dmask": {to:[{field: "rsa.network.dmask", setter: fld_set}]},
- "dn": {to:[{field: "rsa.identity.dn", setter: fld_set}]},
- "dns_a_record": {to:[{field: "rsa.network.dns_a_record", setter: fld_set}]},
- "dns_cname_record": {to:[{field: "rsa.network.dns_cname_record", setter: fld_set}]},
- "dns_id": {to:[{field: "rsa.network.dns_id", setter: fld_set}]},
- "dns_opcode": {to:[{field: "rsa.network.dns_opcode", setter: fld_set}]},
- "dns_ptr_record": {to:[{field: "rsa.network.dns_ptr_record", setter: fld_set}]},
- "dns_resp": {to:[{field: "rsa.network.dns_resp", setter: fld_set}]},
- "dns_type": {to:[{field: "rsa.network.dns_type", setter: fld_set}]},
- "doc_number": {convert: to_long, to:[{field: "rsa.misc.doc_number", setter: fld_set}]},
- "domain": {to:[{field: "rsa.network.domain", setter: fld_set}]},
- "domain1": {to:[{field: "rsa.network.domain1", setter: fld_set}]},
- "dst_dn": {to:[{field: "rsa.identity.dn_dst", setter: fld_set}]},
- "dst_payload": {to:[{field: "rsa.misc.payload_dst", setter: fld_set}]},
- "dst_spi": {to:[{field: "rsa.misc.spi_dst", setter: fld_set}]},
- "dst_zone": {to:[{field: "rsa.network.zone_dst", setter: fld_set}]},
- "dstburb": {to:[{field: "rsa.misc.dstburb", setter: fld_set}]},
- "duration": {convert: to_double, 
to:[{field: "rsa.time.duration_time", setter: fld_set}]},
- "duration_string": {to:[{field: "rsa.time.duration_str", setter: fld_set}]},
- "ec_activity": {to:[{field: "rsa.investigations.ec_activity", setter: fld_set}]},
- "ec_outcome": {to:[{field: "rsa.investigations.ec_outcome", setter: fld_set}]},
- "ec_subject": {to:[{field: "rsa.investigations.ec_subject", setter: fld_set}]},
- "ec_theme": {to:[{field: "rsa.investigations.ec_theme", setter: fld_set}]},
- "edomain": {to:[{field: "rsa.misc.edomain", setter: fld_set}]},
- "edomaub": {to:[{field: "rsa.misc.edomaub", setter: fld_set}]},
- "effective_time": {convert: to_date, to:[{field: "rsa.time.effective_time", setter: fld_set}]},
- "ein.number": {convert: to_long, to:[{field: "rsa.misc.ein_number", setter: fld_set}]},
- "email": {to:[{field: "rsa.email.email", setter: fld_append}]},
- "encryption_type": {to:[{field: "rsa.crypto.crypto", setter: fld_set}]},
- "endtime": {convert: to_date, to:[{field: "rsa.time.endtime", setter: fld_set}]},
- "entropy.req": {convert: to_long, to:[{field: "rsa.internal.entropy_req", setter: fld_set}]},
- "entropy.res": {convert: to_long, to:[{field: "rsa.internal.entropy_res", setter: fld_set}]},
- "entry": {to:[{field: "rsa.internal.entry", setter: fld_set}]},
- "eoc": {to:[{field: "rsa.investigations.eoc", setter: fld_set}]},
- "error": {to:[{field: "rsa.misc.error", setter: fld_set}]},
- "eth_type": {convert: to_long, to:[{field: "rsa.network.eth_type", setter: fld_set}]},
- "euid": {to:[{field: "rsa.misc.euid", setter: fld_set}]},
- "event.cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 1}]},
- "event.cat.name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 1}]},
- "event_cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 0}]},
- "event_cat_name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 0}]},
- "event_category": {to:[{field: 
"rsa.misc.event_category", setter: fld_set}]}, - "event_computer": {to:[{field: "rsa.misc.event_computer", setter: fld_set}]}, - "event_counter": {convert: to_long, to:[{field: "rsa.counters.event_counter", setter: fld_set}]}, - "event_description": {to:[{field: "rsa.internal.event_desc", setter: fld_set}]}, - "event_id": {to:[{field: "rsa.misc.event_id", setter: fld_set}]}, - "event_log": {to:[{field: "rsa.misc.event_log", setter: fld_set}]}, - "event_name": {to:[{field: "rsa.internal.event_name", setter: fld_set}]}, - "event_queue_time": {convert: to_date, to:[{field: "rsa.time.event_queue_time", setter: fld_set}]}, - "event_source": {to:[{field: "rsa.misc.event_source", setter: fld_set}]}, - "event_state": {to:[{field: "rsa.misc.event_state", setter: fld_set}]}, - "event_time": {convert: to_date, to:[{field: "rsa.time.event_time", setter: fld_set}]}, - "event_time_str": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 1}]}, - "event_time_string": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 0}]}, - "event_type": {to:[{field: "rsa.misc.event_type", setter: fld_set}]}, - "event_user": {to:[{field: "rsa.misc.event_user", setter: fld_set}]}, - "eventtime": {to:[{field: "rsa.time.eventtime", setter: fld_set}]}, - "expected_val": {to:[{field: "rsa.misc.expected_val", setter: fld_set}]}, - "expiration_time": {convert: to_date, to:[{field: "rsa.time.expire_time", setter: fld_set}]}, - "expiration_time_string": {to:[{field: "rsa.time.expire_time_str", setter: fld_set}]}, - "facility": {to:[{field: "rsa.misc.facility", setter: fld_set}]}, - "facilityname": {to:[{field: "rsa.misc.facilityname", setter: fld_set}]}, - "faddr": {to:[{field: "rsa.network.faddr", setter: fld_set}]}, - "fcatnum": {to:[{field: "rsa.misc.fcatnum", setter: fld_set}]}, - "federated_idp": {to:[{field: "rsa.identity.federated_idp", setter: fld_set}]}, - "federated_sp": {to:[{field: "rsa.identity.federated_sp", setter: fld_set}]}, - "feed.category": {to:[{field: 
"rsa.internal.feed_category", setter: fld_set}]}, - "feed_desc": {to:[{field: "rsa.internal.feed_desc", setter: fld_set}]}, - "feed_name": {to:[{field: "rsa.internal.feed_name", setter: fld_set}]}, - "fhost": {to:[{field: "rsa.network.fhost", setter: fld_set}]}, - "file_entropy": {convert: to_double, to:[{field: "rsa.file.file_entropy", setter: fld_set}]}, - "file_vendor": {to:[{field: "rsa.file.file_vendor", setter: fld_set}]}, - "filename_dst": {to:[{field: "rsa.file.filename_dst", setter: fld_set}]}, - "filename_src": {to:[{field: "rsa.file.filename_src", setter: fld_set}]}, - "filename_tmp": {to:[{field: "rsa.file.filename_tmp", setter: fld_set}]}, - "filesystem": {to:[{field: "rsa.file.filesystem", setter: fld_set}]}, - "filter": {to:[{field: "rsa.misc.filter", setter: fld_set}]}, - "finterface": {to:[{field: "rsa.misc.finterface", setter: fld_set}]}, - "flags": {to:[{field: "rsa.misc.flags", setter: fld_set}]}, - "forensic_info": {to:[{field: "rsa.misc.forensic_info", setter: fld_set}]}, - "forward.ip": {convert: to_ip, to:[{field: "rsa.internal.forward_ip", setter: fld_set}]}, - "forward.ipv6": {convert: to_ip, to:[{field: "rsa.internal.forward_ipv6", setter: fld_set}]}, - "found": {to:[{field: "rsa.misc.found", setter: fld_set}]}, - "fport": {to:[{field: "rsa.network.fport", setter: fld_set}]}, - "fqdn": {to:[{field: "rsa.web.fqdn", setter: fld_set}]}, - "fresult": {convert: to_long, to:[{field: "rsa.misc.fresult", setter: fld_set}]}, - "from": {to:[{field: "rsa.email.email_src", setter: fld_set}]}, - "gaddr": {to:[{field: "rsa.misc.gaddr", setter: fld_set}]}, - "gateway": {to:[{field: "rsa.network.gateway", setter: fld_set}]}, - "gmtdate": {to:[{field: "rsa.time.gmtdate", setter: fld_set}]}, - "gmttime": {to:[{field: "rsa.time.gmttime", setter: fld_set}]}, - "group": {to:[{field: "rsa.misc.group", setter: fld_set}]}, - "group_object": {to:[{field: "rsa.misc.group_object", setter: fld_set}]}, - "groupid": {to:[{field: "rsa.misc.group_id", setter: 
fld_set}]}, - "h_code": {to:[{field: "rsa.internal.hcode", setter: fld_set}]}, - "hardware_id": {to:[{field: "rsa.misc.hardware_id", setter: fld_set}]}, - "header.id": {to:[{field: "rsa.internal.header_id", setter: fld_set}]}, - "host.orig": {to:[{field: "rsa.network.host_orig", setter: fld_set}]}, - "host.state": {to:[{field: "rsa.endpoint.host_state", setter: fld_set}]}, - "host.type": {to:[{field: "rsa.network.host_type", setter: fld_set}]}, - "host_role": {to:[{field: "rsa.identity.host_role", setter: fld_set}]}, - "hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "hostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "hour": {to:[{field: "rsa.time.hour", setter: fld_set}]}, - "https.insact": {to:[{field: "rsa.crypto.https_insact", setter: fld_set}]}, - "https.valid": {to:[{field: "rsa.crypto.https_valid", setter: fld_set}]}, - "icmpcode": {convert: to_long, to:[{field: "rsa.network.icmp_code", setter: fld_set}]}, - "icmptype": {convert: to_long, to:[{field: "rsa.network.icmp_type", setter: fld_set}]}, - "id": {to:[{field: "rsa.misc.reference_id", setter: fld_set}]}, - "id1": {to:[{field: "rsa.misc.reference_id1", setter: fld_set}]}, - "id2": {to:[{field: "rsa.misc.reference_id2", setter: fld_set}]}, - "id3": {to:[{field: "rsa.misc.id3", setter: fld_set}]}, - "ike": {to:[{field: "rsa.crypto.ike", setter: fld_set}]}, - "ike_cookie1": {to:[{field: "rsa.crypto.ike_cookie1", setter: fld_set}]}, - "ike_cookie2": {to:[{field: "rsa.crypto.ike_cookie2", setter: fld_set}]}, - "im_buddyid": {to:[{field: "rsa.misc.im_buddyid", setter: fld_set}]}, - "im_buddyname": {to:[{field: "rsa.misc.im_buddyname", setter: fld_set}]}, - "im_client": {to:[{field: "rsa.misc.im_client", setter: fld_set}]}, - "im_croomid": {to:[{field: "rsa.misc.im_croomid", setter: fld_set}]}, - "im_croomtype": {to:[{field: "rsa.misc.im_croomtype", setter: fld_set}]}, - "im_members": {to:[{field: "rsa.misc.im_members", setter: fld_set}]}, - "im_userid": 
{to:[{field: "rsa.misc.im_userid", setter: fld_set}]}, - "im_username": {to:[{field: "rsa.misc.im_username", setter: fld_set}]}, - "index": {to:[{field: "rsa.misc.index", setter: fld_set}]}, - "info": {to:[{field: "rsa.db.index", setter: fld_set}]}, - "inode": {convert: to_long, to:[{field: "rsa.internal.inode", setter: fld_set}]}, - "inout": {to:[{field: "rsa.misc.inout", setter: fld_set}]}, - "instance": {to:[{field: "rsa.db.instance", setter: fld_set}]}, - "interface": {to:[{field: "rsa.network.interface", setter: fld_set}]}, - "inv.category": {to:[{field: "rsa.investigations.inv_category", setter: fld_set}]}, - "inv.context": {to:[{field: "rsa.investigations.inv_context", setter: fld_set}]}, - "ioc": {to:[{field: "rsa.investigations.ioc", setter: fld_set}]}, - "ip_proto": {convert: to_long, to:[{field: "rsa.network.ip_proto", setter: fld_set}]}, - "ipkt": {to:[{field: "rsa.misc.ipkt", setter: fld_set}]}, - "ipscat": {to:[{field: "rsa.misc.ipscat", setter: fld_set}]}, - "ipspri": {to:[{field: "rsa.misc.ipspri", setter: fld_set}]}, - "jobname": {to:[{field: "rsa.misc.jobname", setter: fld_set}]}, - "jobnum": {to:[{field: "rsa.misc.job_num", setter: fld_set}]}, - "laddr": {to:[{field: "rsa.network.laddr", setter: fld_set}]}, - "language": {to:[{field: "rsa.misc.language", setter: fld_set}]}, - "latitude": {to:[{field: "rsa.misc.latitude", setter: fld_set}]}, - "lc.cid": {to:[{field: "rsa.internal.lc_cid", setter: fld_set}]}, - "lc.ctime": {convert: to_date, to:[{field: "rsa.internal.lc_ctime", setter: fld_set}]}, - "ldap": {to:[{field: "rsa.identity.ldap", setter: fld_set}]}, - "ldap.query": {to:[{field: "rsa.identity.ldap_query", setter: fld_set}]}, - "ldap.response": {to:[{field: "rsa.identity.ldap_response", setter: fld_set}]}, - "level": {convert: to_long, to:[{field: "rsa.internal.level", setter: fld_set}]}, - "lhost": {to:[{field: "rsa.network.lhost", setter: fld_set}]}, - "library": {to:[{field: "rsa.misc.library", setter: fld_set}]}, - "lifetime": 
{convert: to_long, to:[{field: "rsa.misc.lifetime", setter: fld_set}]}, - "linenum": {to:[{field: "rsa.misc.linenum", setter: fld_set}]}, - "link": {to:[{field: "rsa.misc.link", setter: fld_set}]}, - "linterface": {to:[{field: "rsa.network.linterface", setter: fld_set}]}, - "list_name": {to:[{field: "rsa.misc.list_name", setter: fld_set}]}, - "listnum": {to:[{field: "rsa.misc.listnum", setter: fld_set}]}, - "load_data": {to:[{field: "rsa.misc.load_data", setter: fld_set}]}, - "location_floor": {to:[{field: "rsa.misc.location_floor", setter: fld_set}]}, - "location_mark": {to:[{field: "rsa.misc.location_mark", setter: fld_set}]}, - "log_id": {to:[{field: "rsa.misc.log_id", setter: fld_set}]}, - "log_type": {to:[{field: "rsa.misc.log_type", setter: fld_set}]}, - "logid": {to:[{field: "rsa.misc.logid", setter: fld_set}]}, - "logip": {to:[{field: "rsa.misc.logip", setter: fld_set}]}, - "logname": {to:[{field: "rsa.misc.logname", setter: fld_set}]}, - "logon_type": {to:[{field: "rsa.identity.logon_type", setter: fld_set}]}, - "logon_type_desc": {to:[{field: "rsa.identity.logon_type_desc", setter: fld_set}]}, - "longitude": {to:[{field: "rsa.misc.longitude", setter: fld_set}]}, - "lport": {to:[{field: "rsa.misc.lport", setter: fld_set}]}, - "lread": {convert: to_long, to:[{field: "rsa.db.lread", setter: fld_set}]}, - "lun": {to:[{field: "rsa.storage.lun", setter: fld_set}]}, - "lwrite": {convert: to_long, to:[{field: "rsa.db.lwrite", setter: fld_set}]}, - "macaddr": {convert: to_mac, to:[{field: "rsa.network.eth_host", setter: fld_set}]}, - "mail_id": {to:[{field: "rsa.misc.mail_id", setter: fld_set}]}, - "mask": {to:[{field: "rsa.network.mask", setter: fld_set}]}, - "match": {to:[{field: "rsa.misc.match", setter: fld_set}]}, - "mbug_data": {to:[{field: "rsa.misc.mbug_data", setter: fld_set}]}, - "mcb.req": {convert: to_long, to:[{field: "rsa.internal.mcb_req", setter: fld_set}]}, - "mcb.res": {convert: to_long, to:[{field: "rsa.internal.mcb_res", setter: fld_set}]}, - 
"mcbc.req": {convert: to_long, to:[{field: "rsa.internal.mcbc_req", setter: fld_set}]}, - "mcbc.res": {convert: to_long, to:[{field: "rsa.internal.mcbc_res", setter: fld_set}]}, - "medium": {convert: to_long, to:[{field: "rsa.internal.medium", setter: fld_set}]}, - "message": {to:[{field: "rsa.internal.message", setter: fld_set}]}, - "message_body": {to:[{field: "rsa.misc.message_body", setter: fld_set}]}, - "messageid": {to:[{field: "rsa.internal.messageid", setter: fld_set}]}, - "min": {to:[{field: "rsa.time.min", setter: fld_set}]}, - "misc": {to:[{field: "rsa.misc.misc", setter: fld_set}]}, - "misc_name": {to:[{field: "rsa.misc.misc_name", setter: fld_set}]}, - "mode": {to:[{field: "rsa.misc.mode", setter: fld_set}]}, - "month": {to:[{field: "rsa.time.month", setter: fld_set}]}, - "msg": {to:[{field: "rsa.internal.msg", setter: fld_set}]}, - "msgIdPart1": {to:[{field: "rsa.misc.msgIdPart1", setter: fld_set}]}, - "msgIdPart2": {to:[{field: "rsa.misc.msgIdPart2", setter: fld_set}]}, - "msgIdPart3": {to:[{field: "rsa.misc.msgIdPart3", setter: fld_set}]}, - "msgIdPart4": {to:[{field: "rsa.misc.msgIdPart4", setter: fld_set}]}, - "msg_id": {to:[{field: "rsa.internal.msg_id", setter: fld_set}]}, - "msg_type": {to:[{field: "rsa.misc.msg_type", setter: fld_set}]}, - "msgid": {to:[{field: "rsa.misc.msgid", setter: fld_set}]}, - "name": {to:[{field: "rsa.misc.name", setter: fld_set}]}, - "netname": {to:[{field: "rsa.network.netname", setter: fld_set}]}, - "netsessid": {to:[{field: "rsa.misc.netsessid", setter: fld_set}]}, - "network_port": {convert: to_long, to:[{field: "rsa.network.network_port", setter: fld_set}]}, - "network_service": {to:[{field: "rsa.network.network_service", setter: fld_set}]}, - "node": {to:[{field: "rsa.misc.node", setter: fld_set}]}, - "nodename": {to:[{field: "rsa.internal.node_name", setter: fld_set}]}, - "ntype": {to:[{field: "rsa.misc.ntype", setter: fld_set}]}, - "num": {to:[{field: "rsa.misc.num", setter: fld_set}]}, - "number": 
{to:[{field: "rsa.misc.number", setter: fld_set}]}, - "number1": {to:[{field: "rsa.misc.number1", setter: fld_set}]}, - "number2": {to:[{field: "rsa.misc.number2", setter: fld_set}]}, - "nwe.callback_id": {to:[{field: "rsa.internal.nwe_callback_id", setter: fld_set}]}, - "nwwn": {to:[{field: "rsa.misc.nwwn", setter: fld_set}]}, - "obj_id": {to:[{field: "rsa.internal.obj_id", setter: fld_set}]}, - "obj_name": {to:[{field: "rsa.misc.obj_name", setter: fld_set}]}, - "obj_server": {to:[{field: "rsa.internal.obj_server", setter: fld_set}]}, - "obj_type": {to:[{field: "rsa.misc.obj_type", setter: fld_set}]}, - "obj_value": {to:[{field: "rsa.internal.obj_val", setter: fld_set}]}, - "object": {to:[{field: "rsa.misc.object", setter: fld_set}]}, - "observed_val": {to:[{field: "rsa.misc.observed_val", setter: fld_set}]}, - "operation": {to:[{field: "rsa.misc.operation", setter: fld_set}]}, - "operation_id": {to:[{field: "rsa.misc.operation_id", setter: fld_set}]}, - "opkt": {to:[{field: "rsa.misc.opkt", setter: fld_set}]}, - "org.dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 1}]}, - "org.src": {to:[{field: "rsa.physical.org_src", setter: fld_set}]}, - "org_dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 0}]}, - "orig_from": {to:[{field: "rsa.misc.orig_from", setter: fld_set}]}, - "origin": {to:[{field: "rsa.network.origin", setter: fld_set}]}, - "original_owner": {to:[{field: "rsa.identity.owner", setter: fld_set}]}, - "os": {to:[{field: "rsa.misc.OS", setter: fld_set}]}, - "owner_id": {to:[{field: "rsa.misc.owner_id", setter: fld_set}]}, - "p_action": {to:[{field: "rsa.misc.p_action", setter: fld_set}]}, - "p_date": {to:[{field: "rsa.time.p_date", setter: fld_set}]}, - "p_filter": {to:[{field: "rsa.misc.p_filter", setter: fld_set}]}, - "p_group_object": {to:[{field: "rsa.misc.p_group_object", setter: fld_set}]}, - "p_id": {to:[{field: "rsa.misc.p_id", setter: fld_set}]}, - "p_month": {to:[{field: "rsa.time.p_month", setter: fld_set}]}, 
- "p_msgid": {to:[{field: "rsa.misc.p_msgid", setter: fld_set}]}, - "p_msgid1": {to:[{field: "rsa.misc.p_msgid1", setter: fld_set}]}, - "p_msgid2": {to:[{field: "rsa.misc.p_msgid2", setter: fld_set}]}, - "p_result1": {to:[{field: "rsa.misc.p_result1", setter: fld_set}]}, - "p_time": {to:[{field: "rsa.time.p_time", setter: fld_set}]}, - "p_time1": {to:[{field: "rsa.time.p_time1", setter: fld_set}]}, - "p_time2": {to:[{field: "rsa.time.p_time2", setter: fld_set}]}, - "p_url": {to:[{field: "rsa.web.p_url", setter: fld_set}]}, - "p_user_agent": {to:[{field: "rsa.web.p_user_agent", setter: fld_set}]}, - "p_web_cookie": {to:[{field: "rsa.web.p_web_cookie", setter: fld_set}]}, - "p_web_method": {to:[{field: "rsa.web.p_web_method", setter: fld_set}]}, - "p_web_referer": {to:[{field: "rsa.web.p_web_referer", setter: fld_set}]}, - "p_year": {to:[{field: "rsa.time.p_year", setter: fld_set}]}, - "packet_length": {to:[{field: "rsa.network.packet_length", setter: fld_set}]}, - "paddr": {convert: to_ip, to:[{field: "rsa.network.paddr", setter: fld_set}]}, - "param": {to:[{field: "rsa.misc.param", setter: fld_set}]}, - "param.dst": {to:[{field: "rsa.misc.param_dst", setter: fld_set}]}, - "param.src": {to:[{field: "rsa.misc.param_src", setter: fld_set}]}, - "parent_node": {to:[{field: "rsa.misc.parent_node", setter: fld_set}]}, - "parse.error": {to:[{field: "rsa.internal.parse_error", setter: fld_set}]}, - "password": {to:[{field: "rsa.identity.password", setter: fld_set}]}, - "password_chg": {to:[{field: "rsa.misc.password_chg", setter: fld_set}]}, - "password_expire": {to:[{field: "rsa.misc.password_expire", setter: fld_set}]}, - "patient_fname": {to:[{field: "rsa.healthcare.patient_fname", setter: fld_set}]}, - "patient_id": {to:[{field: "rsa.healthcare.patient_id", setter: fld_set}]}, - "patient_lname": {to:[{field: "rsa.healthcare.patient_lname", setter: fld_set}]}, - "patient_mname": {to:[{field: "rsa.healthcare.patient_mname", setter: fld_set}]}, - "payload.req": {convert: 
to_long, to:[{field: "rsa.internal.payload_req", setter: fld_set}]}, - "payload.res": {convert: to_long, to:[{field: "rsa.internal.payload_res", setter: fld_set}]}, - "peer": {to:[{field: "rsa.crypto.peer", setter: fld_set}]}, - "peer_id": {to:[{field: "rsa.crypto.peer_id", setter: fld_set}]}, - "permgranted": {to:[{field: "rsa.misc.permgranted", setter: fld_set}]}, - "permissions": {to:[{field: "rsa.db.permissions", setter: fld_set}]}, - "permwanted": {to:[{field: "rsa.misc.permwanted", setter: fld_set}]}, - "pgid": {to:[{field: "rsa.misc.pgid", setter: fld_set}]}, - "phone_number": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 2}]}, - "phost": {to:[{field: "rsa.network.phost", setter: fld_set}]}, - "pid": {to:[{field: "rsa.misc.pid", setter: fld_set}]}, - "policy": {to:[{field: "rsa.misc.policy", setter: fld_set}]}, - "policyUUID": {to:[{field: "rsa.misc.policyUUID", setter: fld_set}]}, - "policy_id": {to:[{field: "rsa.misc.policy_id", setter: fld_set}]}, - "policy_value": {to:[{field: "rsa.misc.policy_value", setter: fld_set}]}, - "policy_waiver": {to:[{field: "rsa.misc.policy_waiver", setter: fld_set}]}, - "policyname": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 0}]}, - "pool_id": {to:[{field: "rsa.misc.pool_id", setter: fld_set}]}, - "pool_name": {to:[{field: "rsa.misc.pool_name", setter: fld_set}]}, - "port": {convert: to_long, to:[{field: "rsa.network.port", setter: fld_set}]}, - "portname": {to:[{field: "rsa.misc.port_name", setter: fld_set}]}, - "pread": {convert: to_long, to:[{field: "rsa.db.pread", setter: fld_set}]}, - "priority": {to:[{field: "rsa.misc.priority", setter: fld_set}]}, - "privilege": {to:[{field: "rsa.file.privilege", setter: fld_set}]}, - "process.vid.dst": {to:[{field: "rsa.internal.process_vid_dst", setter: fld_set}]}, - "process.vid.src": {to:[{field: "rsa.internal.process_vid_src", setter: fld_set}]}, - "process_id_val": {to:[{field: "rsa.misc.process_id_val", setter: fld_set}]}, - "processing_time": 
{to:[{field: "rsa.time.process_time", setter: fld_set}]}, - "profile": {to:[{field: "rsa.identity.profile", setter: fld_set}]}, - "prog_asp_num": {to:[{field: "rsa.misc.prog_asp_num", setter: fld_set}]}, - "program": {to:[{field: "rsa.misc.program", setter: fld_set}]}, - "protocol_detail": {to:[{field: "rsa.network.protocol_detail", setter: fld_set}]}, - "pwwn": {to:[{field: "rsa.storage.pwwn", setter: fld_set}]}, - "r_hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "real_data": {to:[{field: "rsa.misc.real_data", setter: fld_set}]}, - "realm": {to:[{field: "rsa.identity.realm", setter: fld_set}]}, - "reason": {to:[{field: "rsa.misc.reason", setter: fld_set}]}, - "rec_asp_device": {to:[{field: "rsa.misc.rec_asp_device", setter: fld_set}]}, - "rec_asp_num": {to:[{field: "rsa.misc.rec_asp_num", setter: fld_set}]}, - "rec_library": {to:[{field: "rsa.misc.rec_library", setter: fld_set}]}, - "recorded_time": {convert: to_date, to:[{field: "rsa.time.recorded_time", setter: fld_set}]}, - "recordnum": {to:[{field: "rsa.misc.recordnum", setter: fld_set}]}, - "registry.key": {to:[{field: "rsa.endpoint.registry_key", setter: fld_set}]}, - "registry.value": {to:[{field: "rsa.endpoint.registry_value", setter: fld_set}]}, - "remote_domain": {to:[{field: "rsa.web.remote_domain", setter: fld_set}]}, - "remote_domain_id": {to:[{field: "rsa.network.remote_domain_id", setter: fld_set}]}, - "reputation_num": {convert: to_double, to:[{field: "rsa.web.reputation_num", setter: fld_set}]}, - "resource": {to:[{field: "rsa.internal.resource", setter: fld_set}]}, - "resource_class": {to:[{field: "rsa.internal.resource_class", setter: fld_set}]}, - "result": {to:[{field: "rsa.misc.result", setter: fld_set}]}, - "result_code": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 1}]}, - "resultcode": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 0}]}, - "rid": {convert: to_long, to:[{field: "rsa.internal.rid", setter: fld_set}]}, - "risk": 
{to:[{field: "rsa.misc.risk", setter: fld_set}]}, - "risk_info": {to:[{field: "rsa.misc.risk_info", setter: fld_set}]}, - "risk_num": {convert: to_double, to:[{field: "rsa.misc.risk_num", setter: fld_set}]}, - "risk_num_comm": {convert: to_double, to:[{field: "rsa.misc.risk_num_comm", setter: fld_set}]}, - "risk_num_next": {convert: to_double, to:[{field: "rsa.misc.risk_num_next", setter: fld_set}]}, - "risk_num_sand": {convert: to_double, to:[{field: "rsa.misc.risk_num_sand", setter: fld_set}]}, - "risk_num_static": {convert: to_double, to:[{field: "rsa.misc.risk_num_static", setter: fld_set}]}, - "risk_suspicious": {to:[{field: "rsa.misc.risk_suspicious", setter: fld_set}]}, - "risk_warning": {to:[{field: "rsa.misc.risk_warning", setter: fld_set}]}, - "rpayload": {to:[{field: "rsa.network.rpayload", setter: fld_set}]}, - "ruid": {to:[{field: "rsa.misc.ruid", setter: fld_set}]}, - "rule": {to:[{field: "rsa.misc.rule", setter: fld_set}]}, - "rule_group": {to:[{field: "rsa.misc.rule_group", setter: fld_set}]}, - "rule_template": {to:[{field: "rsa.misc.rule_template", setter: fld_set}]}, - "rule_uid": {to:[{field: "rsa.misc.rule_uid", setter: fld_set}]}, - "rulename": {to:[{field: "rsa.misc.rule_name", setter: fld_set}]}, - "s_certauth": {to:[{field: "rsa.crypto.s_certauth", setter: fld_set}]}, - "s_cipher": {to:[{field: "rsa.crypto.cipher_src", setter: fld_set}]}, - "s_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_src", setter: fld_set}]}, - "s_context": {to:[{field: "rsa.misc.context_subject", setter: fld_set}]}, - "s_sslver": {to:[{field: "rsa.crypto.ssl_ver_src", setter: fld_set}]}, - "sburb": {to:[{field: "rsa.misc.sburb", setter: fld_set}]}, - "scheme": {to:[{field: "rsa.crypto.scheme", setter: fld_set}]}, - "sdomain_fld": {to:[{field: "rsa.misc.sdomain_fld", setter: fld_set}]}, - "search.text": {to:[{field: "rsa.misc.search_text", setter: fld_set}]}, - "sec": {to:[{field: "rsa.misc.sec", setter: fld_set}]}, - "second": {to:[{field: 
"rsa.misc.second", setter: fld_set}]}, - "sensor": {to:[{field: "rsa.misc.sensor", setter: fld_set}]}, - "sensorname": {to:[{field: "rsa.misc.sensorname", setter: fld_set}]}, - "seqnum": {to:[{field: "rsa.misc.seqnum", setter: fld_set}]}, - "serial_number": {to:[{field: "rsa.misc.serial_number", setter: fld_set}]}, - "service.account": {to:[{field: "rsa.identity.service_account", setter: fld_set}]}, - "session": {to:[{field: "rsa.misc.session", setter: fld_set}]}, - "session.split": {to:[{field: "rsa.internal.session_split", setter: fld_set}]}, - "sessionid": {to:[{field: "rsa.misc.log_session_id", setter: fld_set}]}, - "sessionid1": {to:[{field: "rsa.misc.log_session_id1", setter: fld_set}]}, - "sessiontype": {to:[{field: "rsa.misc.sessiontype", setter: fld_set}]}, - "severity": {to:[{field: "rsa.misc.severity", setter: fld_set}]}, - "sid": {to:[{field: "rsa.identity.user_sid_dst", setter: fld_set}]}, - "sig.name": {to:[{field: "rsa.misc.sig_name", setter: fld_set}]}, - "sigUUID": {to:[{field: "rsa.misc.sigUUID", setter: fld_set}]}, - "sigcat": {to:[{field: "rsa.misc.sigcat", setter: fld_set}]}, - "sigid": {convert: to_long, to:[{field: "rsa.misc.sig_id", setter: fld_set}]}, - "sigid1": {convert: to_long, to:[{field: "rsa.misc.sig_id1", setter: fld_set}]}, - "sigid_string": {to:[{field: "rsa.misc.sig_id_str", setter: fld_set}]}, - "signame": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 1}]}, - "sigtype": {to:[{field: "rsa.crypto.sig_type", setter: fld_set}]}, - "sinterface": {to:[{field: "rsa.network.sinterface", setter: fld_set}]}, - "site": {to:[{field: "rsa.internal.site", setter: fld_set}]}, - "size": {convert: to_long, to:[{field: "rsa.internal.size", setter: fld_set}]}, - "smask": {to:[{field: "rsa.network.smask", setter: fld_set}]}, - "snmp.oid": {to:[{field: "rsa.misc.snmp_oid", setter: fld_set}]}, - "snmp.value": {to:[{field: "rsa.misc.snmp_value", setter: fld_set}]}, - "sourcefile": {to:[{field: "rsa.internal.sourcefile", setter: 
fld_set}]}, - "space": {to:[{field: "rsa.misc.space", setter: fld_set}]}, - "space1": {to:[{field: "rsa.misc.space1", setter: fld_set}]}, - "spi": {to:[{field: "rsa.misc.spi", setter: fld_set}]}, - "sql": {to:[{field: "rsa.misc.sql", setter: fld_set}]}, - "src_dn": {to:[{field: "rsa.identity.dn_src", setter: fld_set}]}, - "src_payload": {to:[{field: "rsa.misc.payload_src", setter: fld_set}]}, - "src_spi": {to:[{field: "rsa.misc.spi_src", setter: fld_set}]}, - "src_zone": {to:[{field: "rsa.network.zone_src", setter: fld_set}]}, - "srcburb": {to:[{field: "rsa.misc.srcburb", setter: fld_set}]}, - "srcdom": {to:[{field: "rsa.misc.srcdom", setter: fld_set}]}, - "srcservice": {to:[{field: "rsa.misc.srcservice", setter: fld_set}]}, - "ssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 0}]}, - "stamp": {convert: to_date, to:[{field: "rsa.time.stamp", setter: fld_set}]}, - "starttime": {convert: to_date, to:[{field: "rsa.time.starttime", setter: fld_set}]}, - "state": {to:[{field: "rsa.misc.state", setter: fld_set}]}, - "statement": {to:[{field: "rsa.internal.statement", setter: fld_set}]}, - "status": {to:[{field: "rsa.misc.status", setter: fld_set}]}, - "status1": {to:[{field: "rsa.misc.status1", setter: fld_set}]}, - "streams": {convert: to_long, to:[{field: "rsa.misc.streams", setter: fld_set}]}, - "subcategory": {to:[{field: "rsa.misc.subcategory", setter: fld_set}]}, - "subject": {to:[{field: "rsa.email.subject", setter: fld_set}]}, - "svcno": {to:[{field: "rsa.misc.svcno", setter: fld_set}]}, - "system": {to:[{field: "rsa.misc.system", setter: fld_set}]}, - "t_context": {to:[{field: "rsa.misc.context_target", setter: fld_set}]}, - "task_name": {to:[{field: "rsa.file.task_name", setter: fld_set}]}, - "tbdstr1": {to:[{field: "rsa.misc.tbdstr1", setter: fld_set}]}, - "tbdstr2": {to:[{field: "rsa.misc.tbdstr2", setter: fld_set}]}, - "tbl_name": {to:[{field: "rsa.db.table_name", setter: fld_set}]}, - "tcp_flags": {convert: to_long, to:[{field: 
"rsa.misc.tcp_flags", setter: fld_set}]}, - "terminal": {to:[{field: "rsa.misc.terminal", setter: fld_set}]}, - "tgtdom": {to:[{field: "rsa.misc.tgtdom", setter: fld_set}]}, - "tgtdomain": {to:[{field: "rsa.misc.tgtdomain", setter: fld_set}]}, - "threat_name": {to:[{field: "rsa.threat.threat_category", setter: fld_set}]}, - "threat_source": {to:[{field: "rsa.threat.threat_source", setter: fld_set}]}, - "threat_val": {to:[{field: "rsa.threat.threat_desc", setter: fld_set}]}, - "threshold": {to:[{field: "rsa.misc.threshold", setter: fld_set}]}, - "time": {convert: to_date, to:[{field: "rsa.internal.time", setter: fld_set}]}, - "timestamp": {to:[{field: "rsa.time.timestamp", setter: fld_set}]}, - "timezone": {to:[{field: "rsa.time.timezone", setter: fld_set}]}, - "to": {to:[{field: "rsa.email.email_dst", setter: fld_set}]}, - "tos": {convert: to_long, to:[{field: "rsa.misc.tos", setter: fld_set}]}, - "trans_from": {to:[{field: "rsa.email.trans_from", setter: fld_set}]}, - "trans_id": {to:[{field: "rsa.db.transact_id", setter: fld_set}]}, - "trans_to": {to:[{field: "rsa.email.trans_to", setter: fld_set}]}, - "trigger_desc": {to:[{field: "rsa.misc.trigger_desc", setter: fld_set}]}, - "trigger_val": {to:[{field: "rsa.misc.trigger_val", setter: fld_set}]}, - "type": {to:[{field: "rsa.misc.type", setter: fld_set}]}, - "type1": {to:[{field: "rsa.misc.type1", setter: fld_set}]}, - "tzone": {to:[{field: "rsa.time.tzone", setter: fld_set}]}, - "ubc.req": {convert: to_long, to:[{field: "rsa.internal.ubc_req", setter: fld_set}]}, - "ubc.res": {convert: to_long, to:[{field: "rsa.internal.ubc_res", setter: fld_set}]}, - "udb_class": {to:[{field: "rsa.misc.udb_class", setter: fld_set}]}, - "url_fld": {to:[{field: "rsa.misc.url_fld", setter: fld_set}]}, - "urlpage": {to:[{field: "rsa.web.urlpage", setter: fld_set}]}, - "urlroot": {to:[{field: "rsa.web.urlroot", setter: fld_set}]}, - "user_address": {to:[{field: "rsa.email.email", setter: fld_append}]}, - "user_dept": {to:[{field: 
"rsa.identity.user_dept", setter: fld_set}]}, - "user_div": {to:[{field: "rsa.misc.user_div", setter: fld_set}]}, - "user_fname": {to:[{field: "rsa.identity.firstname", setter: fld_set}]}, - "user_lname": {to:[{field: "rsa.identity.lastname", setter: fld_set}]}, - "user_mname": {to:[{field: "rsa.identity.middlename", setter: fld_set}]}, - "user_org": {to:[{field: "rsa.identity.org", setter: fld_set}]}, - "user_role": {to:[{field: "rsa.identity.user_role", setter: fld_set}]}, - "userid": {to:[{field: "rsa.misc.userid", setter: fld_set}]}, - "username_fld": {to:[{field: "rsa.misc.username_fld", setter: fld_set}]}, - "utcstamp": {to:[{field: "rsa.misc.utcstamp", setter: fld_set}]}, - "v_instafname": {to:[{field: "rsa.misc.v_instafname", setter: fld_set}]}, - "vendor_event_cat": {to:[{field: "rsa.investigations.event_vcat", setter: fld_set}]}, - "version": {to:[{field: "rsa.misc.version", setter: fld_set}]}, - "vid": {to:[{field: "rsa.internal.msg_vid", setter: fld_set}]}, - "virt_data": {to:[{field: "rsa.misc.virt_data", setter: fld_set}]}, - "virusname": {to:[{field: "rsa.misc.virusname", setter: fld_set}]}, - "vlan": {convert: to_long, to:[{field: "rsa.network.vlan", setter: fld_set}]}, - "vlan.name": {to:[{field: "rsa.network.vlan_name", setter: fld_set}]}, - "vm_target": {to:[{field: "rsa.misc.vm_target", setter: fld_set}]}, - "vpnid": {to:[{field: "rsa.misc.vpnid", setter: fld_set}]}, - "vsys": {to:[{field: "rsa.misc.vsys", setter: fld_set}]}, - "vuln_ref": {to:[{field: "rsa.misc.vuln_ref", setter: fld_set}]}, - "web_cookie": {to:[{field: "rsa.web.web_cookie", setter: fld_set}]}, - "web_extension_tmp": {to:[{field: "rsa.web.web_extension_tmp", setter: fld_set}]}, - "web_host": {to:[{field: "rsa.web.alias_host", setter: fld_set}]}, - "web_method": {to:[{field: "rsa.misc.action", setter: fld_append}]}, - "web_page": {to:[{field: "rsa.web.web_page", setter: fld_set}]}, - "web_ref_domain": {to:[{field: "rsa.web.web_ref_domain", setter: fld_set}]}, - "web_ref_host": 
{to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "web_ref_page": {to:[{field: "rsa.web.web_ref_page", setter: fld_set}]}, - "web_ref_query": {to:[{field: "rsa.web.web_ref_query", setter: fld_set}]}, - "web_ref_root": {to:[{field: "rsa.web.web_ref_root", setter: fld_set}]}, - "wifi_channel": {convert: to_long, to:[{field: "rsa.wireless.wlan_channel", setter: fld_set}]}, - "wlan": {to:[{field: "rsa.wireless.wlan_name", setter: fld_set}]}, - "word": {to:[{field: "rsa.internal.word", setter: fld_set}]}, - "workspace_desc": {to:[{field: "rsa.misc.workspace", setter: fld_set}]}, - "workstation": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "year": {to:[{field: "rsa.time.year", setter: fld_set}]}, - "zone": {to:[{field: "rsa.network.zone", setter: fld_set}]}, - }; - - function to_date(value) { - switch (typeof (value)) { - case "object": - // This is a Date. But as it was obtained from evt.Get(), the VM - // doesn't see it as a JS Date anymore, thus value instanceof Date === false. - // Have to trust that any object here is a valid Date for Go. - return value; - case "string": - var asDate = new Date(value); - if (!isNaN(asDate)) return asDate; - } - } - - // ECMAScript 5.1 doesn't have Object.MAX_SAFE_INTEGER / Object.MIN_SAFE_INTEGER. - var maxSafeInt = Math.pow(2, 53) - 1; - var minSafeInt = -maxSafeInt; - - function to_long(value) { - var num = parseInt(value); - // Better not to index a number if it's not safe (above 53 bits). - return !isNaN(num) && minSafeInt <= num && num <= maxSafeInt ? 
num : undefined; - } - - function to_ip(value) { - if (value.indexOf(":") === -1) - return to_ipv4(value); - return to_ipv6(value); - } - - var ipv4_regex = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/; - var ipv6_hex_regex = /^[0-9A-Fa-f]{1,4}$/; - - function to_ipv4(value) { - var result = ipv4_regex.exec(value); - if (result == null || result.length !== 5) return; - for (var i = 1; i < 5; i++) { - var num = strictToInt(result[i]); - if (isNaN(num) || num < 0 || num > 255) return; - } - return value; - } - - function to_ipv6(value) { - var sqEnd = value.indexOf("]"); - if (sqEnd > -1) { - if (value.charAt(0) !== "[") return; - value = value.substr(1, sqEnd - 1); - } - var zoneOffset = value.indexOf("%"); - if (zoneOffset > -1) { - value = value.substr(0, zoneOffset); - } - var parts = value.split(":"); - if (parts == null || parts.length < 3 || parts.length > 8) return; - var numEmpty = 0; - var innerEmpty = 0; - for (var i = 0; i < parts.length; i++) { - if (parts[i].length === 0) { - numEmpty++; - if (i > 0 && i + 1 < parts.length) innerEmpty++; - } else if (!parts[i].match(ipv6_hex_regex) && - // Accept an IPv6 with a valid IPv4 at the end. - ((i + 1 < parts.length) || !to_ipv4(parts[i]))) { - return; - } - } - return innerEmpty === 0 && parts.length === 8 || innerEmpty === 1 ? value : undefined; - } - - function to_double(value) { - return parseFloat(value); - } - - function to_mac(value) { - // ES doesn't have a mac datatype so it's safe to ingest whatever was captured. - return value; - } - - function to_lowercase(value) { - // to_lowercase is used against keyword fields, which can accept - // any other type (numbers, dates). - return typeof(value) === "string"? 
value.toLowerCase() : value; - } - - function fld_set(dst, value) { - dst[this.field] = { v: value }; - } - - function fld_append(dst, value) { - if (dst[this.field] === undefined) { - dst[this.field] = { v: [value] }; - } else { - var base = dst[this.field]; - if (base.v.indexOf(value)===-1) base.v.push(value); - } - } - - function fld_prio(dst, value) { - if (dst[this.field] === undefined) { - dst[this.field] = { v: value, prio: this.prio}; - } else if(this.prio < dst[this.field].prio) { - dst[this.field].v = value; - dst[this.field].prio = this.prio; - } - } - - var valid_ecs_outcome = { - 'failure': true, - 'success': true, - 'unknown': true - }; - - function fld_ecs_outcome(dst, value) { - value = value.toLowerCase(); - if (valid_ecs_outcome[value] === undefined) { - value = 'unknown'; - } - if (dst[this.field] === undefined) { - dst[this.field] = { v: value }; - } else if (dst[this.field].v === 'unknown') { - dst[this.field] = { v: value }; - } - } - - function map_all(evt, targets, value) { - for (var i = 0; i < targets.length; i++) { - evt.Put(targets[i], value); - } - } - - function populate_fields(evt) { - var base = evt.Get(FIELDS_OBJECT); - if (base === null) return; - alternate_datetime(evt); - if (map_ecs) { - do_populate(evt, base, ecs_mappings); - } - if (map_rsa) { - do_populate(evt, base, rsa_mappings); - } - if (keep_raw) { - evt.Put("rsa.raw", base); - } - evt.Delete(FIELDS_OBJECT); - } - - var datetime_alt_components = [ - {field: "day", fmts: [[dF]]}, - {field: "year", fmts: [[dW]]}, - {field: "month", fmts: [[dB],[dG]]}, - {field: "date", fmts: [[dW,dSkip,dG,dSkip,dF],[dW,dSkip,dB,dSkip,dF],[dW,dSkip,dR,dSkip,dF]]}, - {field: "hour", fmts: [[dN]]}, - {field: "min", fmts: [[dU]]}, - {field: "secs", fmts: [[dO]]}, - {field: "time", fmts: [[dN, dSkip, dU, dSkip, dO]]}, - ]; - - function alternate_datetime(evt) { - if (evt.Get(FIELDS_PREFIX + "event_time") != null) { - return; - } - var tzOffset = tz_offset; - if (tzOffset === "event") { - 
tzOffset = evt.Get("event.timezone"); - } - var container = new DateContainer(tzOffset); - for (var i=0; i} for %{p0}"); - - var dup7 = match("MESSAGE#2:00001:02/1_1", "nwparser.p0", "domain address %{domain->} in zone %{p0}"); - - var dup8 = match("MESSAGE#4:00001:04/3_0", "nwparser.p0", " (%{fld1})"); - - var dup9 = date_time({ - dest: "event_time", - args: ["fld1"], - fmts: [ - [dW,dc("-"),dG,dc("-"),dF,dH,dc(":"),dU,dc(":"),dO], - ], - }); - - var dup10 = match("MESSAGE#5:00001:05/1_0", "nwparser.p0", "(%{fld1})"); - - var dup11 = match_copy("MESSAGE#5:00001:05/1_1", "nwparser.p0", "fld1"); - - var dup12 = match("MESSAGE#8:00001:08/0", "nwparser.payload", "Address %{p0}"); - - var dup13 = match("MESSAGE#8:00001:08/1_0", "nwparser.p0", "MIP(%{interface}) %{p0}"); - - var dup14 = match("MESSAGE#8:00001:08/1_1", "nwparser.p0", "%{group_object->} %{p0}"); - - var dup15 = match("MESSAGE#8:00001:08/3_0", "nwparser.p0", "admin %{p0}"); - - var dup16 = match_copy("MESSAGE#8:00001:08/3_1", "nwparser.p0", "p0"); - - var dup17 = setc("eventcategory","1502000000"); - - var dup18 = setc("eventcategory","1703000000"); - - var dup19 = setc("eventcategory","1603000000"); - - var dup20 = match("MESSAGE#25:00002:20/1_1", "nwparser.p0", "from host %{saddr->} "); - - var dup21 = match_copy("MESSAGE#25:00002:20/1_2", "nwparser.p0", ""); - - var dup22 = setc("eventcategory","1502050000"); - - var dup23 = match("MESSAGE#26:00002:21/1", "nwparser.p0", "%{p0}"); - - var dup24 = match("MESSAGE#26:00002:21/2_0", "nwparser.p0", "password %{p0}"); - - var dup25 = match("MESSAGE#26:00002:21/2_1", "nwparser.p0", "name %{p0}"); - - var dup26 = match_copy("MESSAGE#27:00002:22/1_2", "nwparser.p0", "administrator"); - - var dup27 = setc("eventcategory","1801010000"); - - var dup28 = setc("eventcategory","1401060000"); - - var dup29 = setc("ec_subject","User"); - - var dup30 = setc("ec_activity","Logon"); - - var dup31 = setc("ec_theme","Authentication"); - - var dup32 = 
setc("ec_outcome","Success"); - - var dup33 = setc("eventcategory","1401070000"); - - var dup34 = setc("ec_activity","Logoff"); - - var dup35 = setc("eventcategory","1303000000"); - - var dup36 = match_copy("MESSAGE#42:00002:38/1_1", "nwparser.p0", "disposition"); - - var dup37 = setc("eventcategory","1402020200"); - - var dup38 = setc("ec_theme","UserGroup"); - - var dup39 = setc("ec_outcome","Error"); - - var dup40 = match("MESSAGE#46:00002:42/1_1", "nwparser.p0", "via %{p0}"); - - var dup41 = match("MESSAGE#46:00002:42/4", "nwparser.p0", "%{fld1})"); - - var dup42 = setc("eventcategory","1402020300"); - - var dup43 = setc("ec_activity","Modify"); - - var dup44 = setc("eventcategory","1605000000"); - - var dup45 = match("MESSAGE#52:00002:48/3_1", "nwparser.p0", "%{logon_type->} from host %{saddr->} to %{daddr}:%{dport}. (%{p0}"); - - var dup46 = match("MESSAGE#53:00002:52/3_0", "nwparser.p0", "admin %{administrator->} via %{p0}"); - - var dup47 = match("MESSAGE#53:00002:52/3_2", "nwparser.p0", "%{username->} via %{p0}"); - - var dup48 = match("MESSAGE#53:00002:52/4_0", "nwparser.p0", "NSRP Peer . (%{p0}"); - - var dup49 = match("MESSAGE#55:00002:54/2", "nwparser.p0", ". 
(%{fld1})"); - - var dup50 = setc("eventcategory","1701020000"); - - var dup51 = setc("ec_theme","Configuration"); - - var dup52 = match("MESSAGE#56:00002/1_1", "nwparser.p0", "changed%{p0}"); - - var dup53 = setc("eventcategory","1301000000"); - - var dup54 = setc("ec_outcome","Failure"); - - var dup55 = match("MESSAGE#61:00003:05/0", "nwparser.payload", "The %{p0}"); - - var dup56 = match("MESSAGE#66:00004:04/1_0", "nwparser.p0", "interface%{p0}"); - - var dup57 = match("MESSAGE#66:00004:04/1_1", "nwparser.p0", "Interface%{p0}"); - - var dup58 = setc("eventcategory","1001000000"); - - var dup59 = setc("dclass_counter1_string","Number of times the attack occurred"); - - var dup60 = call({ - dest: "nwparser.inout", - fn: DIRCHK, - args: [ - field("$OUT"), - field("saddr"), - field("daddr"), - ], - }); - - var dup61 = call({ - dest: "nwparser.inout", - fn: DIRCHK, - args: [ - field("$OUT"), - field("saddr"), - field("daddr"), - field("sport"), - field("dport"), - ], - }); - - var dup62 = setc("eventcategory","1608010000"); - - var dup63 = match("MESSAGE#76:00004:14/0", "nwparser.payload", "DNS entries have been %{p0}"); - - var dup64 = match("MESSAGE#79:00004:17/0", "nwparser.payload", "%{signame->} From %{saddr->} to %{daddr}, proto %{protocol->} (zone %{p0}"); - - var dup65 = match("MESSAGE#79:00004:17/1_0", "nwparser.p0", "%{zone}, %{p0}"); - - var dup66 = match("MESSAGE#79:00004:17/1_1", "nwparser.p0", "%{zone->} %{p0}"); - - var dup67 = match("MESSAGE#79:00004:17/2", "nwparser.p0", "int %{interface}).%{space}Occurred %{dclass_counter1->} times. 
(%{fld1})"); - - var dup68 = match("MESSAGE#83:00005:03/1_0", "nwparser.p0", "%{dport},%{p0}"); - - var dup69 = match("MESSAGE#83:00005:03/1_1", "nwparser.p0", "%{dport->} %{p0}"); - - var dup70 = match("MESSAGE#83:00005:03/2", "nwparser.p0", "%{space}using protocol %{p0}"); - - var dup71 = match("MESSAGE#83:00005:03/3_0", "nwparser.p0", "%{protocol},%{p0}"); - - var dup72 = match("MESSAGE#83:00005:03/3_1", "nwparser.p0", "%{protocol->} %{p0}"); - - var dup73 = match("MESSAGE#83:00005:03/5_1", "nwparser.p0", ". %{p0}"); - - var dup74 = match("MESSAGE#86:00005:06/0_0", "nwparser.payload", "%{fld2}: SYN %{p0}"); - - var dup75 = match("MESSAGE#86:00005:06/0_1", "nwparser.payload", "SYN %{p0}"); - - var dup76 = match("MESSAGE#87:00005:07/1_2", "nwparser.p0", "timeout value %{p0}"); - - var dup77 = match("MESSAGE#88:00005:08/2_0", "nwparser.p0", "destination %{p0}"); - - var dup78 = match("MESSAGE#88:00005:08/2_1", "nwparser.p0", "source %{p0}"); - - var dup79 = match("MESSAGE#97:00005:17/0", "nwparser.payload", "A %{p0}"); - - var dup80 = match("MESSAGE#98:00005:18/0", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to %{daddr}:%{dport}, proto %{protocol->} (zone %{zone->} %{p0}"); - - var dup81 = match("MESSAGE#98:00005:18/1_0", "nwparser.p0", ", int %{p0}"); - - var dup82 = match("MESSAGE#98:00005:18/1_1", "nwparser.p0", "int %{p0}"); - - var dup83 = match("MESSAGE#98:00005:18/2", "nwparser.p0", "%{interface}).%{space}Occurred %{dclass_counter1->} times. 
(%{fld1})"); - - var dup84 = setc("eventcategory","1002020000"); - - var dup85 = setc("eventcategory","1002000000"); - - var dup86 = setc("eventcategory","1603110000"); - - var dup87 = match("MESSAGE#111:00007:04/0", "nwparser.payload", "HA %{p0}"); - - var dup88 = match("MESSAGE#111:00007:04/1_0", "nwparser.p0", "encryption %{p0}"); - - var dup89 = match("MESSAGE#111:00007:04/1_1", "nwparser.p0", "authentication %{p0}"); - - var dup90 = match("MESSAGE#111:00007:04/3_1", "nwparser.p0", "key %{p0}"); - - var dup91 = setc("eventcategory","1613040200"); - - var dup92 = match("MESSAGE#118:00007:11/1_0", "nwparser.p0", "disabled%{}"); - - var dup93 = match("MESSAGE#118:00007:11/1_1", "nwparser.p0", "set to %{trigger_val}"); - - var dup94 = match("MESSAGE#127:00007:21/1_0", "nwparser.p0", "up%{}"); - - var dup95 = match("MESSAGE#127:00007:21/1_1", "nwparser.p0", "down%{}"); - - var dup96 = match("MESSAGE#139:00007:33/2_1", "nwparser.p0", " %{p0}"); - - var dup97 = setc("eventcategory","1613050200"); - - var dup98 = match("MESSAGE#143:00007:37/1_0", "nwparser.p0", "set%{}"); - - var dup99 = match("MESSAGE#143:00007:37/1_1", "nwparser.p0", "unset%{}"); - - var dup100 = match("MESSAGE#144:00007:38/1_0", "nwparser.p0", "undefined %{p0}"); - - var dup101 = match("MESSAGE#144:00007:38/1_1", "nwparser.p0", "set %{p0}"); - - var dup102 = match("MESSAGE#144:00007:38/1_2", "nwparser.p0", "active %{p0}"); - - var dup103 = match("MESSAGE#144:00007:38/2", "nwparser.p0", "to %{p0}"); - - var dup104 = match("MESSAGE#157:00007:51/1_0", "nwparser.p0", "created %{p0}"); - - var dup105 = match("MESSAGE#157:00007:51/3_0", "nwparser.p0", ", %{p0}"); - - var dup106 = match("MESSAGE#157:00007:51/5_0", "nwparser.p0", "is %{p0}"); - - var dup107 = match("MESSAGE#157:00007:51/5_1", "nwparser.p0", "was %{p0}"); - - var dup108 = match("MESSAGE#157:00007:51/6", "nwparser.p0", "%{fld2}"); - - var dup109 = match("MESSAGE#163:00007:57/1_0", "nwparser.p0", "threshold %{p0}"); - - var dup110 = 
match("MESSAGE#163:00007:57/1_1", "nwparser.p0", "interval %{p0}"); - - var dup111 = match("MESSAGE#163:00007:57/3_0", "nwparser.p0", "of %{p0}"); - - var dup112 = match("MESSAGE#163:00007:57/3_1", "nwparser.p0", "that %{p0}"); - - var dup113 = match("MESSAGE#170:00007:64/0_0", "nwparser.payload", "Zone %{p0}"); - - var dup114 = match("MESSAGE#170:00007:64/0_1", "nwparser.payload", "Interface %{p0}"); - - var dup115 = match("MESSAGE#172:00007:66/2_1", "nwparser.p0", "n %{p0}"); - - var dup116 = match("MESSAGE#174:00007:68/4", "nwparser.p0", ".%{}"); - - var dup117 = setc("eventcategory","1603090000"); - - var dup118 = match("MESSAGE#195:00009:06/1", "nwparser.p0", "for %{p0}"); - - var dup119 = match("MESSAGE#195:00009:06/2_0", "nwparser.p0", "the %{p0}"); - - var dup120 = match("MESSAGE#195:00009:06/4_0", "nwparser.p0", "removed %{p0}"); - - var dup121 = setc("eventcategory","1603030000"); - - var dup122 = match("MESSAGE#202:00009:14/2_0", "nwparser.p0", "interface %{p0}"); - - var dup123 = match("MESSAGE#202:00009:14/2_1", "nwparser.p0", "the interface %{p0}"); - - var dup124 = match_copy("MESSAGE#202:00009:14/4_1", "nwparser.p0", "interface"); - - var dup125 = match("MESSAGE#203:00009:15/1_1", "nwparser.p0", "s %{p0}"); - - var dup126 = match("MESSAGE#203:00009:15/2", "nwparser.p0", "on interface %{interface->} %{p0}"); - - var dup127 = match("MESSAGE#203:00009:15/3_0", "nwparser.p0", "has been %{p0}"); - - var dup128 = match("MESSAGE#203:00009:15/4", "nwparser.p0", "%{disposition}."); - - var dup129 = match("MESSAGE#204:00009:16/3_0", "nwparser.p0", "removed from %{p0}"); - - var dup130 = match("MESSAGE#204:00009:16/3_1", "nwparser.p0", "added to %{p0}"); - - var dup131 = match("MESSAGE#210:00009:21/2", "nwparser.p0", "%{interface}). Occurred %{dclass_counter1->} times. 
(%{fld1})"); - - var dup132 = match("MESSAGE#219:00010:03/0", "nwparser.payload", "%{signame->} From %{saddr->} to %{daddr}, proto %{protocol->} (zone %{zone->} %{p0}"); - - var dup133 = match("MESSAGE#224:00011:04/1_1", "nwparser.p0", "Interface %{p0}"); - - var dup134 = match("MESSAGE#233:00011:14/1_0", "nwparser.p0", "set to %{fld2}"); - - var dup135 = match("MESSAGE#237:00011:18/4_1", "nwparser.p0", "gateway %{p0}"); - - var dup136 = match("MESSAGE#238:00011:19/6", "nwparser.p0", "%{} %{disposition}"); - - var dup137 = match("MESSAGE#274:00015:02/1_1", "nwparser.p0", "port number %{p0}"); - - var dup138 = match("MESSAGE#274:00015:02/2", "nwparser.p0", "has been %{disposition}"); - - var dup139 = match("MESSAGE#276:00015:04/1_0", "nwparser.p0", "IP %{p0}"); - - var dup140 = match("MESSAGE#276:00015:04/1_1", "nwparser.p0", "port %{p0}"); - - var dup141 = setc("eventcategory","1702030000"); - - var dup142 = match("MESSAGE#284:00015:12/3_0", "nwparser.p0", "up %{p0}"); - - var dup143 = match("MESSAGE#284:00015:12/3_1", "nwparser.p0", "down %{p0}"); - - var dup144 = setc("eventcategory","1601000000"); - - var dup145 = match("MESSAGE#294:00015:22/2_0", "nwparser.p0", "(%{fld1}) "); - - var dup146 = date_time({ - dest: "event_time", - args: ["fld2"], - fmts: [ - [dW,dc("-"),dG,dc("-"),dF,dH,dc(":"),dU,dc(":"),dO], - ], - }); - - var dup147 = setc("eventcategory","1103000000"); - - var dup148 = setc("ec_subject","NetworkComm"); - - var dup149 = setc("ec_activity","Scan"); - - var dup150 = setc("ec_theme","TEV"); - - var dup151 = setc("eventcategory","1103010000"); - - var dup152 = match("MESSAGE#317:00017:01/2_0", "nwparser.p0", ": %{p0}"); - - var dup153 = match("MESSAGE#320:00017:04/0", "nwparser.payload", "IP %{p0}"); - - var dup154 = match("MESSAGE#320:00017:04/1_0", "nwparser.p0", "address pool %{p0}"); - - var dup155 = match("MESSAGE#320:00017:04/1_1", "nwparser.p0", "pool %{p0}"); - - var dup156 = match("MESSAGE#326:00017:10/1_0", "nwparser.p0", "enabled 
%{p0}"); - - var dup157 = match("MESSAGE#326:00017:10/1_1", "nwparser.p0", "disabled %{p0}"); - - var dup158 = match("MESSAGE#332:00017:15/1_0", "nwparser.p0", "AH %{p0}"); - - var dup159 = match("MESSAGE#332:00017:15/1_1", "nwparser.p0", "ESP %{p0}"); - - var dup160 = match("MESSAGE#354:00018:11/0", "nwparser.payload", "%{} %{p0}"); - - var dup161 = match("MESSAGE#356:00018:32/0_0", "nwparser.payload", "Source%{p0}"); - - var dup162 = match("MESSAGE#356:00018:32/0_1", "nwparser.payload", "Destination%{p0}"); - - var dup163 = match("MESSAGE#356:00018:32/2_0", "nwparser.p0", "from %{p0}"); - - var dup164 = match("MESSAGE#356:00018:32/3", "nwparser.p0", "policy ID %{policy_id->} by admin %{administrator->} via NSRP Peer . (%{fld1})"); - - var dup165 = match("MESSAGE#375:00019:01/0", "nwparser.payload", "Attempt to enable %{p0}"); - - var dup166 = match("MESSAGE#375:00019:01/1_0", "nwparser.p0", "traffic logging via syslog %{p0}"); - - var dup167 = match("MESSAGE#375:00019:01/1_1", "nwparser.p0", "syslog %{p0}"); - - var dup168 = match("MESSAGE#378:00019:04/0", "nwparser.payload", "Syslog %{p0}"); - - var dup169 = match("MESSAGE#378:00019:04/1_0", "nwparser.p0", "host %{p0}"); - - var dup170 = match("MESSAGE#378:00019:04/3_1", "nwparser.p0", "domain name %{p0}"); - - var dup171 = match("MESSAGE#378:00019:04/4", "nwparser.p0", "has been changed to %{fld2}"); - - var dup172 = match("MESSAGE#380:00019:06/1_0", "nwparser.p0", "security facility %{p0}"); - - var dup173 = match("MESSAGE#380:00019:06/1_1", "nwparser.p0", "facility %{p0}"); - - var dup174 = match("MESSAGE#380:00019:06/3_0", "nwparser.p0", "local0%{}"); - - var dup175 = match("MESSAGE#380:00019:06/3_1", "nwparser.p0", "local1%{}"); - - var dup176 = match("MESSAGE#380:00019:06/3_2", "nwparser.p0", "local2%{}"); - - var dup177 = match("MESSAGE#380:00019:06/3_3", "nwparser.p0", "local3%{}"); - - var dup178 = match("MESSAGE#380:00019:06/3_4", "nwparser.p0", "local4%{}"); - - var dup179 = 
match("MESSAGE#380:00019:06/3_5", "nwparser.p0", "local5%{}"); - - var dup180 = match("MESSAGE#380:00019:06/3_6", "nwparser.p0", "local6%{}"); - - var dup181 = match("MESSAGE#380:00019:06/3_7", "nwparser.p0", "local7%{}"); - - var dup182 = match("MESSAGE#380:00019:06/3_8", "nwparser.p0", "auth/sec%{}"); - - var dup183 = match("MESSAGE#384:00019:10/0", "nwparser.payload", "%{fld2->} %{p0}"); - - var dup184 = setc("eventcategory","1603020000"); - - var dup185 = setc("eventcategory","1803000000"); - - var dup186 = match("MESSAGE#405:00022/0", "nwparser.payload", "All %{p0}"); - - var dup187 = setc("eventcategory","1603010000"); - - var dup188 = setc("eventcategory","1603100000"); - - var dup189 = match("MESSAGE#414:00022:09/1_0", "nwparser.p0", "primary %{p0}"); - - var dup190 = match("MESSAGE#414:00022:09/1_1", "nwparser.p0", "secondary %{p0}"); - - var dup191 = match("MESSAGE#414:00022:09/3_0", "nwparser.p0", "t %{p0}"); - - var dup192 = match("MESSAGE#414:00022:09/3_1", "nwparser.p0", "w %{p0}"); - - var dup193 = match("MESSAGE#423:00024/1", "nwparser.p0", "server %{p0}"); - - var dup194 = match("MESSAGE#426:00024:03/1_0", "nwparser.p0", "has %{p0}"); - - var dup195 = match("MESSAGE#434:00026:01/0", "nwparser.payload", "SCS%{p0}"); - - var dup196 = match("MESSAGE#434:00026:01/3_0", "nwparser.p0", "bound to %{p0}"); - - var dup197 = match("MESSAGE#434:00026:01/3_1", "nwparser.p0", "unbound from %{p0}"); - - var dup198 = setc("eventcategory","1801030000"); - - var dup199 = setc("eventcategory","1302010200"); - - var dup200 = match("MESSAGE#441:00026:08/1_1", "nwparser.p0", "PKA RSA %{p0}"); - - var dup201 = match("MESSAGE#443:00026:10/3_1", "nwparser.p0", "unbind %{p0}"); - - var dup202 = match("MESSAGE#443:00026:10/4", "nwparser.p0", "PKA key %{p0}"); - - var dup203 = setc("eventcategory","1304000000"); - - var dup204 = match("MESSAGE#446:00027/0", "nwparser.payload", "Multiple login failures %{p0}"); - - var dup205 = match("MESSAGE#446:00027/1_0", "nwparser.p0", 
"occurred for %{p0}"); - - var dup206 = setc("eventcategory","1401030000"); - - var dup207 = match("MESSAGE#451:00027:05/5_0", "nwparser.p0", "aborted%{}"); - - var dup208 = match("MESSAGE#451:00027:05/5_1", "nwparser.p0", "performed%{}"); - - var dup209 = setc("eventcategory","1605020000"); - - var dup210 = match("MESSAGE#466:00029:03/0", "nwparser.payload", "IP pool of DHCP server on %{p0}"); - - var dup211 = setc("ec_subject","Certificate"); - - var dup212 = match("MESSAGE#492:00030:17/1_0", "nwparser.p0", "certificate %{p0}"); - - var dup213 = match("MESSAGE#492:00030:17/1_1", "nwparser.p0", "CRL %{p0}"); - - var dup214 = match("MESSAGE#493:00030:40/1_0", "nwparser.p0", "auto %{p0}"); - - var dup215 = match("MESSAGE#508:00030:55/1_0", "nwparser.p0", "RSA %{p0}"); - - var dup216 = match("MESSAGE#508:00030:55/1_1", "nwparser.p0", "DSA %{p0}"); - - var dup217 = match("MESSAGE#508:00030:55/2", "nwparser.p0", "key pair.%{}"); - - var dup218 = setc("ec_subject","CryptoKey"); - - var dup219 = setc("ec_subject","Configuration"); - - var dup220 = setc("ec_activity","Request"); - - var dup221 = match("MESSAGE#539:00030:86/0", "nwparser.payload", "FIPS test for %{p0}"); - - var dup222 = match("MESSAGE#539:00030:86/1_0", "nwparser.p0", "ECDSA %{p0}"); - - var dup223 = setc("eventcategory","1612000000"); - - var dup224 = match("MESSAGE#543:00031:02/1_0", "nwparser.p0", "yes %{p0}"); - - var dup225 = match("MESSAGE#543:00031:02/1_1", "nwparser.p0", "no %{p0}"); - - var dup226 = match("MESSAGE#545:00031:04/1_1", "nwparser.p0", "location %{p0}"); - - var dup227 = match("MESSAGE#548:00031:05/2", "nwparser.p0", "%{} %{interface}"); - - var dup228 = match("MESSAGE#549:00031:06/0", "nwparser.payload", "arp re%{p0}"); - - var dup229 = match("MESSAGE#549:00031:06/1_1", "nwparser.p0", "q %{p0}"); - - var dup230 = match("MESSAGE#549:00031:06/1_2", "nwparser.p0", "ply %{p0}"); - - var dup231 = match("MESSAGE#549:00031:06/9_0", "nwparser.p0", "%{interface->} (%{fld1})"); - - var dup232 
= setc("eventcategory","1201000000"); - - var dup233 = match("MESSAGE#561:00033/0_0", "nwparser.payload", "Global PRO %{p0}"); - - var dup234 = match("MESSAGE#561:00033/0_1", "nwparser.payload", "%{fld3->} %{p0}"); - - var dup235 = match("MESSAGE#569:00033:08/0", "nwparser.payload", "NACN Policy Manager %{p0}"); - - var dup236 = match("MESSAGE#569:00033:08/1_0", "nwparser.p0", "1 %{p0}"); - - var dup237 = match("MESSAGE#569:00033:08/1_1", "nwparser.p0", "2 %{p0}"); - - var dup238 = match("MESSAGE#571:00033:10/3_1", "nwparser.p0", "unset %{p0}"); - - var dup239 = match("MESSAGE#581:00033:21/0", "nwparser.payload", "%{signame}! From %{saddr}:%{sport->} to %{daddr}:%{dport}, proto %{protocol->} (zone %{zone->} %{p0}"); - - var dup240 = setc("eventcategory","1401000000"); - - var dup241 = match("MESSAGE#586:00034:01/2_1", "nwparser.p0", "SSH %{p0}"); - - var dup242 = match("MESSAGE#588:00034:03/0_0", "nwparser.payload", "SCS: NetScreen %{p0}"); - - var dup243 = match("MESSAGE#588:00034:03/0_1", "nwparser.payload", "NetScreen %{p0}"); - - var dup244 = match("MESSAGE#595:00034:10/0", "nwparser.payload", "S%{p0}"); - - var dup245 = match("MESSAGE#595:00034:10/1_0", "nwparser.p0", "CS: SSH%{p0}"); - - var dup246 = match("MESSAGE#595:00034:10/1_1", "nwparser.p0", "SH%{p0}"); - - var dup247 = match("MESSAGE#596:00034:12/3_0", "nwparser.p0", "the root system %{p0}"); - - var dup248 = match("MESSAGE#596:00034:12/3_1", "nwparser.p0", "vsys %{fld2->} %{p0}"); - - var dup249 = match("MESSAGE#599:00034:18/1_0", "nwparser.p0", "CS: SSH %{p0}"); - - var dup250 = match("MESSAGE#599:00034:18/1_1", "nwparser.p0", "SH %{p0}"); - - var dup251 = match("MESSAGE#630:00035:06/1_0", "nwparser.p0", "a %{p0}"); - - var dup252 = match("MESSAGE#630:00035:06/1_1", "nwparser.p0", "ert %{p0}"); - - var dup253 = match("MESSAGE#633:00035:09/0", "nwparser.payload", "SSL %{p0}"); - - var dup254 = setc("eventcategory","1608000000"); - - var dup255 = match("MESSAGE#644:00037:01/1_0", "nwparser.p0", "id: 
%{p0}"); - - var dup256 = match("MESSAGE#644:00037:01/1_1", "nwparser.p0", "ID %{p0}"); - - var dup257 = match("MESSAGE#659:00044/1_0", "nwparser.p0", "permit %{p0}"); - - var dup258 = match("MESSAGE#675:00055/0", "nwparser.payload", "IGMP %{p0}"); - - var dup259 = match("MESSAGE#677:00055:02/0", "nwparser.payload", "IGMP will %{p0}"); - - var dup260 = match("MESSAGE#677:00055:02/1_0", "nwparser.p0", "not do %{p0}"); - - var dup261 = match("MESSAGE#677:00055:02/1_1", "nwparser.p0", "do %{p0}"); - - var dup262 = match("MESSAGE#689:00059/1_1", "nwparser.p0", "shut down %{p0}"); - - var dup263 = match("MESSAGE#707:00070/0", "nwparser.payload", "NSRP: %{p0}"); - - var dup264 = match("MESSAGE#707:00070/1_0", "nwparser.p0", "Unit %{p0}"); - - var dup265 = match("MESSAGE#707:00070/1_1", "nwparser.p0", "local unit= %{p0}"); - - var dup266 = match("MESSAGE#707:00070/2", "nwparser.p0", "%{fld2->} of VSD group %{group->} %{info}"); - - var dup267 = match("MESSAGE#708:00070:01/0", "nwparser.payload", "The local device %{fld2->} in the Virtual Sec%{p0}"); - - var dup268 = match("MESSAGE#708:00070:01/1_0", "nwparser.p0", "ruity%{p0}"); - - var dup269 = match("MESSAGE#708:00070:01/1_1", "nwparser.p0", "urity%{p0}"); - - var dup270 = match("MESSAGE#713:00072:01/2", "nwparser.p0", "%{}Device group %{group->} changed state"); - - var dup271 = match("MESSAGE#717:00075/2", "nwparser.p0", "%{fld2->} of VSD group %{group->} %{info}"); - - var dup272 = setc("eventcategory","1805010000"); - - var dup273 = setc("eventcategory","1805000000"); - - var dup274 = date_time({ - dest: "starttime", - args: ["fld2"], - fmts: [ - [dW,dc("-"),dG,dc("-"),dF,dH,dc(":"),dU,dc(":"),dO], - ], - }); - - var dup275 = call({ - dest: "nwparser.bytes", - fn: CALC, - args: [ - field("sbytes"), - constant("+"), - field("rbytes"), - ], - }); - - var dup276 = setc("action","Deny"); - - var dup277 = setc("disposition","Deny"); - - var dup278 = setc("direction","outgoing"); - - var dup279 = call({ - dest: 
"nwparser.inout", - fn: DIRCHK, - args: [ - field("$IN"), - field("saddr"), - field("daddr"), - field("sport"), - field("dport"), - ], - }); - - var dup280 = setc("direction","incoming"); - - var dup281 = setc("eventcategory","1801000000"); - - var dup282 = setf("action","disposition"); - - var dup283 = match("MESSAGE#748:00257:19/0", "nwparser.payload", "start_time=%{p0}"); - - var dup284 = match("MESSAGE#748:00257:19/1_0", "nwparser.p0", "\\\"%{fld2}\\\"%{p0}"); - - var dup285 = match("MESSAGE#748:00257:19/1_1", "nwparser.p0", " \"%{fld2}\" %{p0}"); - - var dup286 = match_copy("MESSAGE#756:00257:10/1_1", "nwparser.p0", "daddr"); - - var dup287 = match("MESSAGE#760:00259/0_0", "nwparser.payload", "Admin %{p0}"); - - var dup288 = match("MESSAGE#760:00259/0_1", "nwparser.payload", "Vsys admin %{p0}"); - - var dup289 = match("MESSAGE#760:00259/2_1", "nwparser.p0", "Telnet %{p0}"); - - var dup290 = setc("eventcategory","1401050200"); - - var dup291 = call({ - dest: "nwparser.inout", - fn: DIRCHK, - args: [ - field("$IN"), - field("daddr"), - field("saddr"), - ], - }); - - var dup292 = call({ - dest: "nwparser.inout", - fn: DIRCHK, - args: [ - field("$IN"), - field("daddr"), - field("saddr"), - field("dport"), - field("sport"), - ], - }); - - var dup293 = match("MESSAGE#777:00406/2", "nwparser.p0", "%{interface}). Occurred %{dclass_counter1->} times."); - - var dup294 = match("MESSAGE#790:00423/2", "nwparser.p0", "%{interface}).%{space}Occurred %{dclass_counter1->} times."); - - var dup295 = match("MESSAGE#793:00430/2", "nwparser.p0", "%{interface}).%{space}Occurred %{dclass_counter1->} times.%{p0}"); - - var dup296 = match("MESSAGE#795:00431/0", "nwparser.payload", "%{obj_type->} %{disposition}! From %{saddr}:%{sport->} to %{daddr}:%{dport}, proto %{protocol->} (zone %{zone->} %{p0}"); - - var dup297 = setc("eventcategory","1204000000"); - - var dup298 = match("MESSAGE#797:00433/0", "nwparser.payload", "%{signame->} %{disposition}! 
From %{saddr}:%{sport->} to %{daddr}:%{dport}, proto %{protocol->} (zone %{zone->} %{p0}"); - - var dup299 = match("MESSAGE#804:00437:01/0", "nwparser.payload", "%{signame}! From %{saddr}:%{sport->} to %{daddr}:%{dport}, proto %{protocol->} (zone %{p0}"); - - var dup300 = match("MESSAGE#817:00511:01/1_0", "nwparser.p0", "%{administrator->} (%{fld1})"); - - var dup301 = setc("eventcategory","1801020000"); - - var dup302 = setc("disposition","failed"); - - var dup303 = match("MESSAGE#835:00515:04/2_1", "nwparser.p0", "ut %{p0}"); - - var dup304 = match("MESSAGE#835:00515:04/4_0", "nwparser.p0", "%{logon_type->} from %{saddr}:%{sport}"); - - var dup305 = match("MESSAGE#837:00515:05/1_0", "nwparser.p0", "user %{p0}"); - - var dup306 = match("MESSAGE#837:00515:05/5_0", "nwparser.p0", "the %{logon_type}"); - - var dup307 = match("MESSAGE#869:00519:01/1_0", "nwparser.p0", "WebAuth user %{p0}"); - - var dup308 = match("MESSAGE#876:00520:02/1_1", "nwparser.p0", "backup1 %{p0}"); - - var dup309 = match("MESSAGE#876:00520:02/1_2", "nwparser.p0", "backup2 %{p0}"); - - var dup310 = match("MESSAGE#890:00524:13/1_0", "nwparser.p0", ",%{p0}"); - - var dup311 = match("MESSAGE#901:00527/1_0", "nwparser.p0", "assigned %{p0}"); - - var dup312 = match("MESSAGE#901:00527/3_0", "nwparser.p0", "assigned to %{p0}"); - - var dup313 = setc("eventcategory","1803020000"); - - var dup314 = setc("eventcategory","1613030000"); - - var dup315 = match("MESSAGE#927:00528:15/1_0", "nwparser.p0", "'%{administrator}' %{p0}"); - - var dup316 = match("MESSAGE#930:00528:18/0", "nwparser.payload", "SSH: P%{p0}"); - - var dup317 = match("MESSAGE#930:00528:18/1_0", "nwparser.p0", "KA %{p0}"); - - var dup318 = match("MESSAGE#930:00528:18/1_1", "nwparser.p0", "assword %{p0}"); - - var dup319 = match("MESSAGE#930:00528:18/3_0", "nwparser.p0", "\\'%{administrator}\\' %{p0}"); - - var dup320 = match("MESSAGE#930:00528:18/4", "nwparser.p0", "at host %{saddr}"); - - var dup321 = match("MESSAGE#932:00528:19/0", 
"nwparser.payload", "%{}S%{p0}"); - - var dup322 = match("MESSAGE#932:00528:19/1_0", "nwparser.p0", "CS %{p0}"); - - var dup323 = setc("event_description","Cannot connect to NSM server"); - - var dup324 = setc("eventcategory","1603040000"); - - var dup325 = match("MESSAGE#1060:00553/2", "nwparser.p0", "from server.ini file.%{}"); - - var dup326 = match("MESSAGE#1064:00553:04/1_0", "nwparser.p0", "pattern %{p0}"); - - var dup327 = match("MESSAGE#1064:00553:04/1_1", "nwparser.p0", "server.ini %{p0}"); - - var dup328 = match("MESSAGE#1068:00553:08/2", "nwparser.p0", "file.%{}"); - - var dup329 = match("MESSAGE#1087:00554:04/1_1", "nwparser.p0", "AV pattern %{p0}"); - - var dup330 = match("MESSAGE#1116:00556:14/1_0", "nwparser.p0", "added into %{p0}"); - - var dup331 = match("MESSAGE#1157:00767:11/1_0", "nwparser.p0", "loader %{p0}"); - - var dup332 = call({ - dest: "nwparser.inout", - fn: DIRCHK, - args: [ - field("$OUT"), - field("daddr"), - field("saddr"), - field("dport"), - field("sport"), - ], - }); - - var dup333 = linear_select([ - dup10, - dup11, - ]); - - var dup334 = match("MESSAGE#7:00001:07", "nwparser.payload", "Policy ID=%{policy_id->} Rate=%{fld2->} exceeds threshold", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var dup335 = linear_select([ - dup13, - dup14, - ]); - - var dup336 = linear_select([ - dup15, - dup16, - ]); - - var dup337 = linear_select([ - dup56, - dup57, - ]); - - var dup338 = linear_select([ - dup65, - dup66, - ]); - - var dup339 = linear_select([ - dup68, - dup69, - ]); - - var dup340 = linear_select([ - dup71, - dup72, - ]); - - var dup341 = match("MESSAGE#84:00005:04", "nwparser.payload", "%{signame->} from %{saddr}/%{sport->} to %{daddr}/%{dport->} protocol %{protocol->} (%{interface})", processor_chain([ - dup58, - dup2, - dup3, - dup4, - dup5, - dup61, - ])); - - var dup342 = linear_select([ - dup74, - dup75, - ]); - - var dup343 = linear_select([ - dup81, - dup82, - ]); - - var dup344 = linear_select([ - 
dup24, - dup90, - ]); - - var dup345 = linear_select([ - dup94, - dup95, - ]); - - var dup346 = linear_select([ - dup98, - dup99, - ]); - - var dup347 = linear_select([ - dup100, - dup101, - dup102, - ]); - - var dup348 = linear_select([ - dup113, - dup114, - ]); - - var dup349 = linear_select([ - dup111, - dup16, - ]); - - var dup350 = linear_select([ - dup127, - dup107, - ]); - - var dup351 = linear_select([ - dup8, - dup21, - ]); - - var dup352 = linear_select([ - dup122, - dup133, - ]); - - var dup353 = linear_select([ - dup142, - dup143, - ]); - - var dup354 = linear_select([ - dup145, - dup21, - ]); - - var dup355 = linear_select([ - dup127, - dup106, - ]); - - var dup356 = linear_select([ - dup152, - dup96, - ]); - - var dup357 = linear_select([ - dup154, - dup155, - ]); - - var dup358 = linear_select([ - dup156, - dup157, - ]); - - var dup359 = linear_select([ - dup99, - dup134, - ]); - - var dup360 = linear_select([ - dup158, - dup159, - ]); - - var dup361 = linear_select([ - dup161, - dup162, - ]); - - var dup362 = linear_select([ - dup163, - dup103, - ]); - - var dup363 = linear_select([ - dup162, - dup161, - ]); - - var dup364 = linear_select([ - dup46, - dup47, - ]); - - var dup365 = linear_select([ - dup166, - dup167, - ]); - - var dup366 = linear_select([ - dup172, - dup173, - ]); - - var dup367 = linear_select([ - dup174, - dup175, - dup176, - dup177, - dup178, - dup179, - dup180, - dup181, - dup182, - ]); - - var dup368 = linear_select([ - dup49, - dup21, - ]); - - var dup369 = linear_select([ - dup189, - dup190, - ]); - - var dup370 = linear_select([ - dup96, - dup152, - ]); - - var dup371 = linear_select([ - dup196, - dup197, - ]); - - var dup372 = linear_select([ - dup24, - dup200, - ]); - - var dup373 = linear_select([ - dup103, - dup163, - ]); - - var dup374 = linear_select([ - dup205, - dup118, - ]); - - var dup375 = match("MESSAGE#477:00030:02", "nwparser.payload", "%{change_attribute->} has been changed from %{change_old->} to 
%{change_new}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var dup376 = linear_select([ - dup212, - dup213, - ]); - - var dup377 = linear_select([ - dup215, - dup216, - ]); - - var dup378 = linear_select([ - dup222, - dup215, - ]); - - var dup379 = linear_select([ - dup224, - dup225, - ]); - - var dup380 = linear_select([ - dup231, - dup124, - ]); - - var dup381 = linear_select([ - dup229, - dup230, - ]); - - var dup382 = linear_select([ - dup233, - dup234, - ]); - - var dup383 = linear_select([ - dup236, - dup237, - ]); - - var dup384 = linear_select([ - dup242, - dup243, - ]); - - var dup385 = linear_select([ - dup245, - dup246, - ]); - - var dup386 = linear_select([ - dup247, - dup248, - ]); - - var dup387 = linear_select([ - dup249, - dup250, - ]); - - var dup388 = linear_select([ - dup251, - dup252, - ]); - - var dup389 = linear_select([ - dup260, - dup261, - ]); - - var dup390 = linear_select([ - dup264, - dup265, - ]); - - var dup391 = linear_select([ - dup268, - dup269, - ]); - - var dup392 = match("MESSAGE#716:00074", "nwparser.payload", "The local device %{fld2->} in the Virtual Security Device group %{group->} %{info}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var dup393 = linear_select([ - dup284, - dup285, - ]); - - var dup394 = linear_select([ - dup287, - dup288, - ]); - - var dup395 = match("MESSAGE#799:00435", "nwparser.payload", "%{signame->} From %{saddr->} to %{daddr}, using protocol %{protocol}, and arriving at interface %{dinterface->} in zone %{dst_zone}.%{space}The attack occurred %{dclass_counter1->} times.", processor_chain([ - dup58, - dup2, - dup59, - dup4, - dup5, - dup3, - dup60, - ])); - - var dup396 = match("MESSAGE#814:00442", "nwparser.payload", "%{signame->} From %{saddr->} to zone %{zone}, proto %{protocol->} (int %{interface}). Occurred %{dclass_counter1->} times. 
(%{fld1})", processor_chain([ - dup58, - dup4, - dup59, - dup5, - dup9, - dup2, - dup3, - dup60, - ])); - - var dup397 = linear_select([ - dup300, - dup26, - ]); - - var dup398 = linear_select([ - dup115, - dup303, - ]); - - var dup399 = linear_select([ - dup125, - dup96, - ]); - - var dup400 = linear_select([ - dup189, - dup308, - dup309, - ]); - - var dup401 = linear_select([ - dup310, - dup16, - ]); - - var dup402 = linear_select([ - dup317, - dup318, - ]); - - var dup403 = linear_select([ - dup319, - dup315, - ]); - - var dup404 = linear_select([ - dup322, - dup250, - ]); - - var dup405 = linear_select([ - dup327, - dup329, - ]); - - var dup406 = linear_select([ - dup330, - dup129, - ]); - - var dup407 = match("MESSAGE#1196:01269:01", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} direction=%{direction->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} icmp type=%{icmptype}", processor_chain([ - dup281, - dup2, - dup4, - dup5, - dup274, - dup3, - dup275, - dup60, - dup282, - ])); - - var dup408 = match("MESSAGE#1197:01269:02", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=Deny sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} icmp type=%{icmptype}", processor_chain([ - dup185, - dup2, - dup4, - dup5, - dup274, - dup3, - dup275, - dup276, - dup277, - dup60, - ])); - - var dup409 = match("MESSAGE#1198:01269:03", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} icmp type=%{icmptype}", processor_chain([ - dup281, - dup2, - dup4, - dup5, - dup274, - dup3, - dup275, - dup60, - 
dup282, - ])); - - var dup410 = match("MESSAGE#1203:23184", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} (%{fld3}) proto=%{protocol->} direction=%{direction->} action=Deny sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport}", processor_chain([ - dup185, - dup2, - dup4, - dup5, - dup274, - dup3, - dup275, - dup276, - dup277, - dup61, - ])); - - var dup411 = all_match({ - processors: [ - dup263, - dup390, - dup266, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var dup412 = all_match({ - processors: [ - dup267, - dup391, - dup270, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var dup413 = all_match({ - processors: [ - dup80, - dup343, - dup293, - ], - on_success: processor_chain([ - dup58, - dup2, - dup59, - dup3, - dup4, - dup5, - dup61, - ]), - }); - - var dup414 = all_match({ - processors: [ - dup296, - dup343, - dup131, - ], - on_success: processor_chain([ - dup297, - dup2, - dup3, - dup9, - dup59, - dup4, - dup5, - dup61, - ]), - }); - - var dup415 = all_match({ - processors: [ - dup298, - dup343, - dup131, - ], - on_success: processor_chain([ - dup297, - dup2, - dup3, - dup9, - dup59, - dup4, - dup5, - dup61, - ]), - }); - - var hdr1 = match("HEADER#0:0001", "message", "%{hfld1}: NetScreen device_id=%{hfld2->} [No Name]system-%{hseverity}-%{messageid}(%{hfld3}): %{payload}", processor_chain([ - setc("header_id","0001"), - ])); - - var hdr2 = match("HEADER#1:0003", "message", "%{hfld1}: NetScreen device_id=%{hfld2->} [%{hvsys}]system-%{hseverity}-%{messageid}(%{hfld3}): %{payload}", processor_chain([ - setc("header_id","0003"), - ])); - - var hdr3 = match("HEADER#2:0004", "message", "%{hfld1}: NetScreen device_id=%{hfld2->} system-%{hseverity}-%{messageid}(%{hfld3}): %{payload}", processor_chain([ - setc("header_id","0004"), - ])); - - var hdr4 = 
match("HEADER#3:0002/0", "message", "%{hfld1}: NetScreen device_id=%{hfld2->} %{p0}"); - - var part1 = match("HEADER#3:0002/1_0", "nwparser.p0", "[No Name]system%{p0}"); - - var part2 = match("HEADER#3:0002/1_1", "nwparser.p0", "[%{hvsys}]system%{p0}"); - - var part3 = match("HEADER#3:0002/1_2", "nwparser.p0", "system%{p0}"); - - var select1 = linear_select([ - part1, - part2, - part3, - ]); - - var part4 = match("HEADER#3:0002/2", "nwparser.p0", "-%{hseverity}-%{messageid}: %{payload}"); - - var all1 = all_match({ - processors: [ - hdr4, - select1, - part4, - ], - on_success: processor_chain([ - setc("header_id","0002"), - ]), - }); - - var select2 = linear_select([ - hdr1, - hdr2, - hdr3, - all1, - ]); - - var part5 = match("MESSAGE#0:00001", "nwparser.payload", "%{zone->} address %{interface->} with ip address %{hostip->} has been %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1 = msg("00001", part5); - - var part6 = match("MESSAGE#1:00001:01", "nwparser.payload", "%{zone->} address %{interface->} with domain name %{domain->} has been %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg2 = msg("00001:01", part6); - - var part7 = match("MESSAGE#2:00001:02/1_0", "nwparser.p0", "ip address %{hostip->} in zone %{p0}"); - - var select3 = linear_select([ - part7, - dup7, - ]); - - var part8 = match("MESSAGE#2:00001:02/2", "nwparser.p0", "%{zone->} has been %{disposition}"); - - var all2 = all_match({ - processors: [ - dup6, - select3, - part8, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg3 = msg("00001:02", all2); - - var part9 = match("MESSAGE#3:00001:03", "nwparser.payload", "arp entry %{hostip->} interface changed!", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg4 = msg("00001:03", part9); - - var part10 = match("MESSAGE#4:00001:04/1_0", "nwparser.p0", "IP address %{hostip->} in zone %{p0}"); - - 
var select4 = linear_select([ - part10, - dup7, - ]); - - var part11 = match("MESSAGE#4:00001:04/2", "nwparser.p0", "%{zone->} has been %{disposition->} by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport->} session%{p0}"); - - var part12 = match("MESSAGE#4:00001:04/3_1", "nwparser.p0", ".%{fld1}"); - - var select5 = linear_select([ - dup8, - part12, - ]); - - var all3 = all_match({ - processors: [ - dup6, - select4, - part11, - select5, - ], - on_success: processor_chain([ - dup1, - dup9, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg5 = msg("00001:04", all3); - - var part13 = match("MESSAGE#5:00001:05/0", "nwparser.payload", "%{fld2}: Address %{group_object->} for ip address %{hostip->} in zone %{zone->} has been %{disposition->} from host %{saddr->} session %{p0}"); - - var all4 = all_match({ - processors: [ - part13, - dup333, - ], - on_success: processor_chain([ - dup1, - dup9, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg6 = msg("00001:05", all4); - - var part14 = match("MESSAGE#6:00001:06", "nwparser.payload", "Address group %{group_object->} %{info}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg7 = msg("00001:06", part14); - - var msg8 = msg("00001:07", dup334); - - var part15 = match("MESSAGE#8:00001:08/2", "nwparser.p0", "for IP address %{hostip}/%{mask->} in zone %{zone->} has been %{disposition->} by %{p0}"); - - var part16 = match("MESSAGE#8:00001:08/4", "nwparser.p0", "%{} %{username}via NSRP Peer session. (%{fld1})"); - - var all5 = all_match({ - processors: [ - dup12, - dup335, - part15, - dup336, - part16, - ], - on_success: processor_chain([ - dup1, - dup9, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg9 = msg("00001:08", all5); - - var part17 = match("MESSAGE#9:00001:09/2", "nwparser.p0", "for IP address %{hostip}/%{mask->} in zone %{zone->} has been %{disposition->} by %{username->} via %{logon_type->} from host %{saddr}:%{sport->} session. 
(%{fld1})"); - - var all6 = all_match({ - processors: [ - dup12, - dup335, - part17, - ], - on_success: processor_chain([ - dup1, - dup9, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg10 = msg("00001:09", all6); - - var select6 = linear_select([ - msg1, - msg2, - msg3, - msg4, - msg5, - msg6, - msg7, - msg8, - msg9, - msg10, - ]); - - var part18 = match("MESSAGE#10:00002:03", "nwparser.payload", "Admin user %{administrator->} has been %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg11 = msg("00002:03", part18); - - var part19 = match("MESSAGE#11:00002:04", "nwparser.payload", "E-mail address %{user_address->} has been %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg12 = msg("00002:04", part19); - - var part20 = match("MESSAGE#12:00002:05", "nwparser.payload", "E-mail notification has been %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg13 = msg("00002:05", part20); - - var part21 = match("MESSAGE#13:00002:06", "nwparser.payload", "Inclusion of traffic logs with e-mail notification of event alarms has been %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg14 = msg("00002:06", part21); - - var part22 = match("MESSAGE#14:00002:07", "nwparser.payload", "LCD display has been %{action->} and the LCD control keys have been %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg15 = msg("00002:07", part22); - - var part23 = match("MESSAGE#15:00002:55", "nwparser.payload", "HTTP component blocking for %{fld2->} is %{disposition->} on zone %{zone->} by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport}. 
(%{fld1})", processor_chain([ - dup1, - dup2, - dup4, - dup5, - dup9, - ])); - - var msg16 = msg("00002:55", part23); - - var part24 = match("MESSAGE#16:00002:08", "nwparser.payload", "LCD display has been %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg17 = msg("00002:08", part24); - - var part25 = match("MESSAGE#17:00002:09", "nwparser.payload", "LCD control keys have been %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg18 = msg("00002:09", part25); - - var part26 = match("MESSAGE#18:00002:10", "nwparser.payload", "Mail server %{hostip->} has been %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg19 = msg("00002:10", part26); - - var part27 = match("MESSAGE#19:00002:11", "nwparser.payload", "Management restriction for %{hostip->} %{fld2->} has been %{disposition}", processor_chain([ - dup17, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg20 = msg("00002:11", part27); - - var part28 = match("MESSAGE#20:00002:12", "nwparser.payload", "%{change_attribute->} has been restored from %{change_old->} to default port %{change_new}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg21 = msg("00002:12", part28); - - var part29 = match("MESSAGE#21:00002:15", "nwparser.payload", "System configuration has been %{disposition}", processor_chain([ - dup18, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg22 = msg("00002:15", part29); - - var msg23 = msg("00002:17", dup334); - - var part30 = match("MESSAGE#23:00002:18/0", "nwparser.payload", "Unexpected error from e%{p0}"); - - var part31 = match("MESSAGE#23:00002:18/1_0", "nwparser.p0", "-mail %{p0}"); - - var part32 = match("MESSAGE#23:00002:18/1_1", "nwparser.p0", "mail %{p0}"); - - var select7 = linear_select([ - part31, - part32, - ]); - - var part33 = match("MESSAGE#23:00002:18/2", "nwparser.p0", "server(%{fld2}):"); - - var all7 = all_match({ - processors: [ - 
part30, - select7, - part33, - ], - on_success: processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg24 = msg("00002:18", all7); - - var part34 = match("MESSAGE#24:00002:19", "nwparser.payload", "Web Admin %{change_attribute->} value has been changed from %{change_old->} to %{change_new}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg25 = msg("00002:19", part34); - - var part35 = match("MESSAGE#25:00002:20/0", "nwparser.payload", "Root admin password restriction of minimum %{fld2->} characters has been %{disposition->} by admin %{administrator->} %{p0}"); - - var part36 = match("MESSAGE#25:00002:20/1_0", "nwparser.p0", "from Console %{}"); - - var select8 = linear_select([ - part36, - dup20, - dup21, - ]); - - var all8 = all_match({ - processors: [ - part35, - select8, - ], - on_success: processor_chain([ - dup22, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg26 = msg("00002:20", all8); - - var part37 = match("MESSAGE#26:00002:21/0_0", "nwparser.payload", "Root admin %{p0}"); - - var part38 = match("MESSAGE#26:00002:21/0_1", "nwparser.payload", "%{fld2->} admin %{p0}"); - - var select9 = linear_select([ - part37, - part38, - ]); - - var select10 = linear_select([ - dup24, - dup25, - ]); - - var part39 = match("MESSAGE#26:00002:21/3", "nwparser.p0", "has been changed by admin %{administrator}"); - - var all9 = all_match({ - processors: [ - select9, - dup23, - select10, - part39, - ], - on_success: processor_chain([ - dup22, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg27 = msg("00002:21", all9); - - var part40 = match("MESSAGE#27:00002:22/0", "nwparser.payload", "%{change_attribute->} from %{protocol->} before administrative session disconnects has been changed from %{change_old->} to %{change_new->} by admin %{p0}"); - - var part41 = match("MESSAGE#27:00002:22/1_0", "nwparser.p0", "%{administrator->} from Console"); - - var part42 = match("MESSAGE#27:00002:22/1_1", "nwparser.p0", 
"%{administrator->} from host %{saddr}"); - - var select11 = linear_select([ - part41, - part42, - dup26, - ]); - - var all10 = all_match({ - processors: [ - part40, - select11, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg28 = msg("00002:22", all10); - - var part43 = match("MESSAGE#28:00002:23/0", "nwparser.payload", "Root admin access restriction through console only has been %{disposition->} by admin %{administrator->} %{p0}"); - - var part44 = match("MESSAGE#28:00002:23/1_1", "nwparser.p0", "from Console%{}"); - - var select12 = linear_select([ - dup20, - part44, - dup21, - ]); - - var all11 = all_match({ - processors: [ - part43, - select12, - ], - on_success: processor_chain([ - dup22, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg29 = msg("00002:23", all11); - - var part45 = match("MESSAGE#29:00002:24/0", "nwparser.payload", "Admin access restriction of %{protocol->} administration through tunnel only has been %{disposition->} by admin %{administrator->} from %{p0}"); - - var part46 = match("MESSAGE#29:00002:24/1_0", "nwparser.p0", "host %{saddr}"); - - var part47 = match("MESSAGE#29:00002:24/1_1", "nwparser.p0", "Console%{}"); - - var select13 = linear_select([ - part46, - part47, - ]); - - var all12 = all_match({ - processors: [ - part45, - select13, - ], - on_success: processor_chain([ - dup22, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg30 = msg("00002:24", all12); - - var part48 = match("MESSAGE#30:00002:25", "nwparser.payload", "Admin AUTH: Local instance of an %{change_attribute->} has been changed from %{change_old->} to %{change_new}", processor_chain([ - setc("eventcategory","1402000000"), - dup2, - dup3, - dup4, - dup5, - ])); - - var msg31 = msg("00002:25", part48); - - var part49 = match("MESSAGE#31:00002:26", "nwparser.payload", "Cannot connect to e-mail server %{hostip}.", processor_chain([ - dup27, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg32 = msg("00002:26", 
part49); - - var part50 = match("MESSAGE#32:00002:27", "nwparser.payload", "Mail server is not configured.%{}", processor_chain([ - dup18, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg33 = msg("00002:27", part50); - - var part51 = match("MESSAGE#33:00002:28", "nwparser.payload", "Mail recipients were not configured.%{}", processor_chain([ - dup18, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg34 = msg("00002:28", part51); - - var part52 = match("MESSAGE#34:00002:29", "nwparser.payload", "Single use password restriction for read-write administrators has been %{disposition->} by admin %{administrator}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg35 = msg("00002:29", part52); - - var part53 = match("MESSAGE#35:00002:30", "nwparser.payload", "Admin user \"%{administrator}\" logged in for %{logon_type}(%{network_service}) management (port %{network_port}) from %{saddr}:%{sport}", processor_chain([ - dup28, - dup29, - dup30, - dup31, - dup32, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg36 = msg("00002:30", part53); - - var part54 = match("MESSAGE#36:00002:41", "nwparser.payload", "Admin user \"%{administrator}\" logged out for %{logon_type}(%{network_service}) management (port %{network_port}) from %{saddr}:%{sport}", processor_chain([ - dup33, - dup29, - dup34, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg37 = msg("00002:41", part54); - - var part55 = match("MESSAGE#37:00002:31", "nwparser.payload", "Admin user \"%{administrator}\" login attempt for %{logon_type->} %{space->} (%{network_service}) management (port %{network_port}) from %{saddr}:%{sport->} %{disposition}", processor_chain([ - dup35, - dup29, - dup30, - dup31, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg38 = msg("00002:31", part55); - - var part56 = match("MESSAGE#38:00002:32/0_0", "nwparser.payload", "E-mail notification %{p0}"); - - var part57 = match("MESSAGE#38:00002:32/0_1", "nwparser.payload", "Transparent virutal %{p0}"); - - var select14 = 
linear_select([ - part56, - part57, - ]); - - var part58 = match("MESSAGE#38:00002:32/1", "nwparser.p0", "wire mode has been %{disposition}"); - - var all13 = all_match({ - processors: [ - select14, - part58, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg39 = msg("00002:32", all13); - - var part59 = match("MESSAGE#39:00002:35", "nwparser.payload", "Malicious URL %{url->} has been %{disposition->} for zone %{zone}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg40 = msg("00002:35", part59); - - var part60 = match("MESSAGE#40:00002:36/0", "nwparser.payload", "Bypass%{p0}"); - - var part61 = match("MESSAGE#40:00002:36/1_0", "nwparser.p0", "-others-IPSec %{p0}"); - - var part62 = match("MESSAGE#40:00002:36/1_1", "nwparser.p0", " non-IP traffic %{p0}"); - - var select15 = linear_select([ - part61, - part62, - ]); - - var part63 = match("MESSAGE#40:00002:36/2", "nwparser.p0", "option has been %{disposition}"); - - var all14 = all_match({ - processors: [ - part60, - select15, - part63, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg41 = msg("00002:36", all14); - - var part64 = match("MESSAGE#41:00002:37/0", "nwparser.payload", "Logging of %{p0}"); - - var part65 = match("MESSAGE#41:00002:37/1_0", "nwparser.p0", "dropped %{p0}"); - - var part66 = match("MESSAGE#41:00002:37/1_1", "nwparser.p0", "IKE %{p0}"); - - var part67 = match("MESSAGE#41:00002:37/1_2", "nwparser.p0", "SNMP %{p0}"); - - var part68 = match("MESSAGE#41:00002:37/1_3", "nwparser.p0", "ICMP %{p0}"); - - var select16 = linear_select([ - part65, - part66, - part67, - part68, - ]); - - var part69 = match("MESSAGE#41:00002:37/2", "nwparser.p0", "traffic to self has been %{disposition}"); - - var all15 = all_match({ - processors: [ - part64, - select16, - part69, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg42 = 
msg("00002:37", all15); - - var part70 = match("MESSAGE#42:00002:38/0", "nwparser.payload", "Logging of dropped traffic to self (excluding multicast) has been %{p0}"); - - var part71 = match("MESSAGE#42:00002:38/1_0", "nwparser.p0", "%{disposition->} on %{zone}"); - - var select17 = linear_select([ - part71, - dup36, - ]); - - var all16 = all_match({ - processors: [ - part70, - select17, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg43 = msg("00002:38", all16); - - var part72 = match("MESSAGE#43:00002:39", "nwparser.payload", "Traffic shaping is %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg44 = msg("00002:39", part72); - - var part73 = match("MESSAGE#44:00002:40", "nwparser.payload", "Admin account created for '%{username}' by %{administrator->} via %{logon_type->} from host %{saddr->} (%{fld1})", processor_chain([ - dup37, - dup29, - setc("ec_activity","Create"), - dup38, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg45 = msg("00002:40", part73); - - var part74 = match("MESSAGE#45:00002:44", "nwparser.payload", "ADMIN AUTH: Privilege requested for unknown user %{username}. 
Possible HA syncronization problem.", processor_chain([ - dup35, - dup31, - dup39, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg46 = msg("00002:44", part74); - - var part75 = match("MESSAGE#46:00002:42/0", "nwparser.payload", "%{change_attribute->} for account '%{change_old}' has been %{disposition->} to '%{change_new}' %{p0}"); - - var part76 = match("MESSAGE#46:00002:42/1_0", "nwparser.p0", "by %{administrator->} via %{p0}"); - - var select18 = linear_select([ - part76, - dup40, - ]); - - var part77 = match("MESSAGE#46:00002:42/2", "nwparser.p0", "%{logon_type->} from host %{p0}"); - - var part78 = match("MESSAGE#46:00002:42/3_0", "nwparser.p0", "%{saddr->} to %{daddr}:%{dport->} (%{p0}"); - - var part79 = match("MESSAGE#46:00002:42/3_1", "nwparser.p0", "%{saddr}:%{sport->} (%{p0}"); - - var select19 = linear_select([ - part78, - part79, - ]); - - var all17 = all_match({ - processors: [ - part75, - select18, - part77, - select19, - dup41, - ], - on_success: processor_chain([ - dup42, - dup43, - dup38, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg47 = msg("00002:42", all17); - - var part80 = match("MESSAGE#47:00002:43/0", "nwparser.payload", "Admin account %{disposition->} for %{p0}"); - - var part81 = match("MESSAGE#47:00002:43/1_0", "nwparser.p0", "'%{username}'%{p0}"); - - var part82 = match("MESSAGE#47:00002:43/1_1", "nwparser.p0", "\"%{username}\"%{p0}"); - - var select20 = linear_select([ - part81, - part82, - ]); - - var part83 = match("MESSAGE#47:00002:43/2", "nwparser.p0", "%{}by %{administrator->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport->} (%{fld1})"); - - var all18 = all_match({ - processors: [ - part80, - select20, - part83, - ], - on_success: processor_chain([ - dup42, - dup29, - dup43, - dup38, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg48 = msg("00002:43", all18); - - var part84 = match("MESSAGE#48:00002:50", "nwparser.payload", "Admin account %{disposition->} for \"%{username}\" by 
%{administrator->} via %{logon_type->} from host %{saddr}:%{sport->} (%{fld1})", processor_chain([ - dup42, - dup29, - dup43, - dup38, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg49 = msg("00002:50", part84); - - var part85 = match("MESSAGE#49:00002:51", "nwparser.payload", "Admin account %{disposition->} for \"%{username}\" by %{administrator->} %{fld2->} via %{logon_type->} (%{fld1})", processor_chain([ - dup42, - dup29, - dup43, - dup38, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg50 = msg("00002:51", part85); - - var part86 = match("MESSAGE#50:00002:45", "nwparser.payload", "Extraneous exit is issued by %{username->} via %{logon_type->} from host %{saddr}:%{sport->} (%{fld1})", processor_chain([ - dup44, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg51 = msg("00002:45", part86); - - var part87 = match("MESSAGE#51:00002:47/0_0", "nwparser.payload", "Ping of Death attack protection %{p0}"); - - var part88 = match("MESSAGE#51:00002:47/0_1", "nwparser.payload", "Src Route IP option filtering %{p0}"); - - var part89 = match("MESSAGE#51:00002:47/0_2", "nwparser.payload", "Teardrop attack protection %{p0}"); - - var part90 = match("MESSAGE#51:00002:47/0_3", "nwparser.payload", "Land attack protection %{p0}"); - - var part91 = match("MESSAGE#51:00002:47/0_4", "nwparser.payload", "SYN flood protection %{p0}"); - - var select21 = linear_select([ - part87, - part88, - part89, - part90, - part91, - ]); - - var part92 = match("MESSAGE#51:00002:47/1", "nwparser.p0", "is %{disposition->} on zone %{zone->} by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport}. 
(%{fld1})"); - - var all19 = all_match({ - processors: [ - select21, - part92, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg52 = msg("00002:47", all19); - - var part93 = match("MESSAGE#52:00002:48/0", "nwparser.payload", "Dropping pkts if not %{p0}"); - - var part94 = match("MESSAGE#52:00002:48/1_0", "nwparser.p0", "exactly same with incoming if %{p0}"); - - var part95 = match("MESSAGE#52:00002:48/1_1", "nwparser.p0", "in route table %{p0}"); - - var select22 = linear_select([ - part94, - part95, - ]); - - var part96 = match("MESSAGE#52:00002:48/2", "nwparser.p0", "(IP spoof protection) is %{disposition->} on zone %{zone->} by %{username->} via %{p0}"); - - var part97 = match("MESSAGE#52:00002:48/3_0", "nwparser.p0", "NSRP Peer. (%{p0}"); - - var select23 = linear_select([ - part97, - dup45, - ]); - - var all20 = all_match({ - processors: [ - part93, - select22, - part96, - select23, - dup41, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg53 = msg("00002:48", all20); - - var part98 = match("MESSAGE#53:00002:52/0", "nwparser.payload", "%{signame->} %{p0}"); - - var part99 = match("MESSAGE#53:00002:52/1_0", "nwparser.p0", "protection%{p0}"); - - var part100 = match("MESSAGE#53:00002:52/1_1", "nwparser.p0", "limiting%{p0}"); - - var part101 = match("MESSAGE#53:00002:52/1_2", "nwparser.p0", "detection%{p0}"); - - var part102 = match("MESSAGE#53:00002:52/1_3", "nwparser.p0", "filtering %{p0}"); - - var select24 = linear_select([ - part99, - part100, - part101, - part102, - ]); - - var part103 = match("MESSAGE#53:00002:52/2", "nwparser.p0", "%{}is %{disposition->} on zone %{zone->} by %{p0}"); - - var part104 = match("MESSAGE#53:00002:52/3_1", "nwparser.p0", "admin via %{p0}"); - - var select25 = linear_select([ - dup46, - part104, - dup47, - ]); - - var select26 = linear_select([ - dup48, - dup45, - ]); - - var all21 = all_match({ - processors: [ - 
part98, - select24, - part103, - select25, - select26, - dup41, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg54 = msg("00002:52", all21); - - var part105 = match("MESSAGE#54:00002:53", "nwparser.payload", "Admin password for account \"%{username}\" has been %{disposition->} by %{administrator->} via %{logon_type->} (%{fld1})", processor_chain([ - dup42, - dup43, - dup38, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg55 = msg("00002:53", part105); - - var part106 = match("MESSAGE#55:00002:54/0", "nwparser.payload", "Traffic shaping clearing DSCP selector is turned O%{p0}"); - - var part107 = match("MESSAGE#55:00002:54/1_0", "nwparser.p0", "FF%{p0}"); - - var part108 = match("MESSAGE#55:00002:54/1_1", "nwparser.p0", "N%{p0}"); - - var select27 = linear_select([ - part107, - part108, - ]); - - var all22 = all_match({ - processors: [ - part106, - select27, - dup49, - ], - on_success: processor_chain([ - dup50, - dup43, - dup51, - dup2, - dup3, - dup4, - dup5, - dup9, - ]), - }); - - var msg56 = msg("00002:54", all22); - - var part109 = match("MESSAGE#56:00002/0", "nwparser.payload", "%{change_attribute->} %{p0}"); - - var part110 = match("MESSAGE#56:00002/1_0", "nwparser.p0", "has been changed%{p0}"); - - var select28 = linear_select([ - part110, - dup52, - ]); - - var part111 = match("MESSAGE#56:00002/2", "nwparser.p0", "%{}from %{change_old->} to %{change_new}"); - - var all23 = all_match({ - processors: [ - part109, - select28, - part111, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg57 = msg("00002", all23); - - var part112 = match("MESSAGE#1215:00002:56", "nwparser.payload", "Admin user \"%{administrator}\" login attempt for %{logon_type}(%{network_service}) management (port %{network_port}) from %{saddr}:%{sport->} failed. 
(%{fld1})", processor_chain([ - dup53, - dup9, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg58 = msg("00002:56", part112); - - var select29 = linear_select([ - msg11, - msg12, - msg13, - msg14, - msg15, - msg16, - msg17, - msg18, - msg19, - msg20, - msg21, - msg22, - msg23, - msg24, - msg25, - msg26, - msg27, - msg28, - msg29, - msg30, - msg31, - msg32, - msg33, - msg34, - msg35, - msg36, - msg37, - msg38, - msg39, - msg40, - msg41, - msg42, - msg43, - msg44, - msg45, - msg46, - msg47, - msg48, - msg49, - msg50, - msg51, - msg52, - msg53, - msg54, - msg55, - msg56, - msg57, - msg58, - ]); - - var part113 = match("MESSAGE#57:00003", "nwparser.payload", "Multiple authentication failures have been detected! From %{saddr}:%{sport->} to %{daddr}:%{dport->} using protocol %{protocol->} on interface %{interface}", processor_chain([ - dup53, - dup31, - dup54, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg59 = msg("00003", part113); - - var part114 = match("MESSAGE#58:00003:01", "nwparser.payload", "Multiple authentication failures have been detected!%{}", processor_chain([ - dup53, - dup31, - dup54, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg60 = msg("00003:01", part114); - - var part115 = match("MESSAGE#59:00003:02", "nwparser.payload", "The console debug buffer has been %{disposition}", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg61 = msg("00003:02", part115); - - var part116 = match("MESSAGE#60:00003:03", "nwparser.payload", "%{change_attribute->} changed from %{change_old->} to %{change_new}.", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg62 = msg("00003:03", part116); - - var part117 = match("MESSAGE#61:00003:05/1_0", "nwparser.p0", "serial%{p0}"); - - var part118 = match("MESSAGE#61:00003:05/1_1", "nwparser.p0", "local%{p0}"); - - var select30 = linear_select([ - part117, - part118, - ]); - - var part119 = match("MESSAGE#61:00003:05/2", "nwparser.p0", "%{}console has been 
%{disposition->} by admin %{administrator}."); - - var all24 = all_match({ - processors: [ - dup55, - select30, - part119, - ], - on_success: processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg63 = msg("00003:05", all24); - - var select31 = linear_select([ - msg59, - msg60, - msg61, - msg62, - msg63, - ]); - - var part120 = match("MESSAGE#62:00004", "nwparser.payload", "%{info}DNS server IP has been changed", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg64 = msg("00004", part120); - - var part121 = match("MESSAGE#63:00004:01", "nwparser.payload", "DNS cache table has been %{disposition}", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg65 = msg("00004:01", part121); - - var part122 = match("MESSAGE#64:00004:02", "nwparser.payload", "Daily DNS lookup has been %{disposition}", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg66 = msg("00004:02", part122); - - var part123 = match("MESSAGE#65:00004:03", "nwparser.payload", "Daily DNS lookup time has been %{disposition}", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg67 = msg("00004:03", part123); - - var part124 = match("MESSAGE#66:00004:04/0", "nwparser.payload", "%{signame->} has been detected! 
From %{saddr->} to %{daddr->} using protocol %{protocol->} on %{p0}"); - - var part125 = match("MESSAGE#66:00004:04/2", "nwparser.p0", "%{} %{interface->} %{space}The attack occurred %{dclass_counter1->} times"); - - var all25 = all_match({ - processors: [ - part124, - dup337, - part125, - ], - on_success: processor_chain([ - dup58, - dup2, - dup4, - dup5, - dup59, - dup3, - dup60, - ]), - }); - - var msg68 = msg("00004:04", all25); - - var part126 = match("MESSAGE#67:00004:05", "nwparser.payload", "%{signame->} from %{saddr}/%{sport->} to %{daddr}/%{dport->} protocol %{protocol}", processor_chain([ - dup58, - dup2, - dup4, - dup5, - dup3, - dup61, - ])); - - var msg69 = msg("00004:05", part126); - - var part127 = match("MESSAGE#68:00004:06", "nwparser.payload", "DNS lookup time has been changed to start at %{fld2}:%{fld3->} with an interval of %{fld4}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg70 = msg("00004:06", part127); - - var part128 = match("MESSAGE#69:00004:07", "nwparser.payload", "DNS cache table entries have been refreshed as result of external event.%{}", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg71 = msg("00004:07", part128); - - var part129 = match("MESSAGE#70:00004:08", "nwparser.payload", "DNS Proxy module has been %{disposition}.", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg72 = msg("00004:08", part129); - - var part130 = match("MESSAGE#71:00004:09", "nwparser.payload", "DNS Proxy module has more concurrent client requests than allowed.%{}", processor_chain([ - dup62, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg73 = msg("00004:09", part130); - - var part131 = match("MESSAGE#72:00004:10", "nwparser.payload", "DNS Proxy server select table entries exceeded maximum limit.%{}", processor_chain([ - dup62, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg74 = msg("00004:10", part131); - - var part132 = match("MESSAGE#73:00004:11", 
"nwparser.payload", "Proxy server select table added with domain %{domain}, interface %{interface}, primary-ip %{fld2}, secondary-ip %{fld3}, tertiary-ip %{fld4}, failover %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg75 = msg("00004:11", part132); - - var part133 = match("MESSAGE#74:00004:12", "nwparser.payload", "DNS Proxy server select table entry %{disposition->} with domain %{domain}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg76 = msg("00004:12", part133); - - var part134 = match("MESSAGE#75:00004:13", "nwparser.payload", "DDNS server %{domain->} returned incorrect ip %{fld2}, local-ip should be %{fld3}", processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg77 = msg("00004:13", part134); - - var part135 = match("MESSAGE#76:00004:14/1_0", "nwparser.p0", "automatically refreshed %{p0}"); - - var part136 = match("MESSAGE#76:00004:14/1_1", "nwparser.p0", "refreshed by HA %{p0}"); - - var select32 = linear_select([ - part135, - part136, - ]); - - var all26 = all_match({ - processors: [ - dup63, - select32, - dup49, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg78 = msg("00004:14", all26); - - var part137 = match("MESSAGE#77:00004:15", "nwparser.payload", "DNS entries have been refreshed as result of DNS server address change. (%{fld1})", processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg79 = msg("00004:15", part137); - - var part138 = match("MESSAGE#78:00004:16", "nwparser.payload", "DNS entries have been manually refreshed. 
(%{fld1})", processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg80 = msg("00004:16", part138); - - var all27 = all_match({ - processors: [ - dup64, - dup338, - dup67, - ], - on_success: processor_chain([ - dup58, - dup2, - dup4, - dup59, - dup9, - dup5, - dup3, - dup60, - ]), - }); - - var msg81 = msg("00004:17", all27); - - var select33 = linear_select([ - msg64, - msg65, - msg66, - msg67, - msg68, - msg69, - msg70, - msg71, - msg72, - msg73, - msg74, - msg75, - msg76, - msg77, - msg78, - msg79, - msg80, - msg81, - ]); - - var part139 = match("MESSAGE#80:00005", "nwparser.payload", "%{signame->} alarm threshold from the same source has been changed to %{trigger_val}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg82 = msg("00005", part139); - - var part140 = match("MESSAGE#81:00005:01", "nwparser.payload", "Logging of %{fld2->} traffic to self has been %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg83 = msg("00005:01", part140); - - var part141 = match("MESSAGE#82:00005:02", "nwparser.payload", "SYN flood %{fld2->} has been changed to %{fld3}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg84 = msg("00005:02", part141); - - var part142 = match("MESSAGE#83:00005:03/0", "nwparser.payload", "%{signame->} has been detected! From %{saddr}:%{sport->} to %{daddr}:%{p0}"); - - var part143 = match("MESSAGE#83:00005:03/4", "nwparser.p0", "%{fld99}interface %{interface->} %{p0}"); - - var part144 = match("MESSAGE#83:00005:03/5_0", "nwparser.p0", "in zone %{zone}. 
%{p0}"); - - var select34 = linear_select([ - part144, - dup73, - ]); - - var part145 = match("MESSAGE#83:00005:03/6", "nwparser.p0", "%{space}The attack occurred %{dclass_counter1->} times"); - - var all28 = all_match({ - processors: [ - part142, - dup339, - dup70, - dup340, - part143, - select34, - part145, - ], - on_success: processor_chain([ - dup58, - dup2, - dup3, - dup4, - dup5, - dup59, - dup61, - ]), - }); - - var msg85 = msg("00005:03", all28); - - var msg86 = msg("00005:04", dup341); - - var part146 = match("MESSAGE#85:00005:05", "nwparser.payload", "SYN flood drop pak in %{fld2->} mode when receiving unknown dst mac has been %{disposition->} on %{zone}.", processor_chain([ - setc("eventcategory","1001020100"), - dup2, - dup3, - dup4, - dup5, - ])); - - var msg87 = msg("00005:05", part146); - - var part147 = match("MESSAGE#86:00005:06/1", "nwparser.p0", "flood timeout has been set to %{trigger_val->} on %{zone}."); - - var all29 = all_match({ - processors: [ - dup342, - part147, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg88 = msg("00005:06", all29); - - var part148 = match("MESSAGE#87:00005:07/0", "nwparser.payload", "SYN flood %{p0}"); - - var part149 = match("MESSAGE#87:00005:07/1_0", "nwparser.p0", "alarm threshold %{p0}"); - - var part150 = match("MESSAGE#87:00005:07/1_1", "nwparser.p0", "packet queue size %{p0}"); - - var part151 = match("MESSAGE#87:00005:07/1_3", "nwparser.p0", "attack threshold %{p0}"); - - var part152 = match("MESSAGE#87:00005:07/1_4", "nwparser.p0", "same source IP threshold %{p0}"); - - var select35 = linear_select([ - part149, - part150, - dup76, - part151, - part152, - ]); - - var part153 = match("MESSAGE#87:00005:07/2", "nwparser.p0", "is set to %{trigger_val}."); - - var all30 = all_match({ - processors: [ - part148, - select35, - part153, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg89 = msg("00005:07", all30); - 
- var part154 = match("MESSAGE#88:00005:08/1", "nwparser.p0", "flood same %{p0}"); - - var select36 = linear_select([ - dup77, - dup78, - ]); - - var part155 = match("MESSAGE#88:00005:08/3", "nwparser.p0", "ip threshold has been set to %{trigger_val->} on %{zone}."); - - var all31 = all_match({ - processors: [ - dup342, - part154, - select36, - part155, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg90 = msg("00005:08", all31); - - var part156 = match("MESSAGE#89:00005:09", "nwparser.payload", "Screen service %{service->} is %{disposition->} on interface %{interface}.", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg91 = msg("00005:09", part156); - - var part157 = match("MESSAGE#90:00005:10", "nwparser.payload", "Screen service %{service->} is %{disposition->} on %{zone}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg92 = msg("00005:10", part157); - - var part158 = match("MESSAGE#91:00005:11/0", "nwparser.payload", "The SYN flood %{p0}"); - - var part159 = match("MESSAGE#91:00005:11/1_0", "nwparser.p0", "alarm threshold%{}"); - - var part160 = match("MESSAGE#91:00005:11/1_1", "nwparser.p0", "packet queue size%{}"); - - var part161 = match("MESSAGE#91:00005:11/1_2", "nwparser.p0", "timeout value%{}"); - - var part162 = match("MESSAGE#91:00005:11/1_3", "nwparser.p0", "attack threshold%{}"); - - var part163 = match("MESSAGE#91:00005:11/1_4", "nwparser.p0", "same source IP%{}"); - - var select37 = linear_select([ - part159, - part160, - part161, - part162, - part163, - ]); - - var all32 = all_match({ - processors: [ - part158, - select37, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg93 = msg("00005:11", all32); - - var part164 = match("MESSAGE#92:00005:12", "nwparser.payload", "The SYN-ACK-ACK proxy threshold value has been set to %{trigger_val->} on %{interface}.", processor_chain([ - dup1, - dup2, - 
dup3, - dup4, - dup5, - ])); - - var msg94 = msg("00005:12", part164); - - var part165 = match("MESSAGE#93:00005:13", "nwparser.payload", "The session limit threshold has been set to %{trigger_val->} on %{zone}.", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg95 = msg("00005:13", part165); - - var part166 = match("MESSAGE#94:00005:14", "nwparser.payload", "syn proxy drop packet with unknown mac!%{}", processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg96 = msg("00005:14", part166); - - var part167 = match("MESSAGE#95:00005:15", "nwparser.payload", "%{signame->} alarm threshold has been changed to %{trigger_val}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg97 = msg("00005:15", part167); - - var part168 = match("MESSAGE#96:00005:16", "nwparser.payload", "%{signame->} threshold has been set to %{trigger_val->} on %{zone}.", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg98 = msg("00005:16", part168); - - var part169 = match("MESSAGE#97:00005:17/1_0", "nwparser.p0", "destination-based %{p0}"); - - var part170 = match("MESSAGE#97:00005:17/1_1", "nwparser.p0", "source-based %{p0}"); - - var select38 = linear_select([ - part169, - part170, - ]); - - var part171 = match("MESSAGE#97:00005:17/2", "nwparser.p0", "session-limit threshold has been set at %{trigger_val->} in zone %{zone}."); - - var all33 = all_match({ - processors: [ - dup79, - select38, - part171, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg99 = msg("00005:17", all33); - - var all34 = all_match({ - processors: [ - dup80, - dup343, - dup83, - ], - on_success: processor_chain([ - dup84, - dup2, - dup59, - dup9, - dup3, - dup4, - dup5, - dup61, - ]), - }); - - var msg100 = msg("00005:18", all34); - - var part172 = match("MESSAGE#99:00005:19", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to %{daddr}:%{dport}, using protocol 
%{protocol}, and arriving at interface %{dinterface->} in zone %{dst_zone}.The attack occurred %{dclass_counter1->} times.", processor_chain([ - dup84, - dup2, - dup3, - dup4, - dup5, - dup59, - dup61, - ])); - - var msg101 = msg("00005:19", part172); - - var part173 = match("MESSAGE#100:00005:20", "nwparser.payload", "%{signame->} From %{saddr->} to %{daddr}, proto %{protocol->} (zone %{zone->} int %{interface}).%{space->} Occurred %{fld2->} times. (%{fld1})\u003c\u003c%{fld6}>", processor_chain([ - dup84, - dup9, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg102 = msg("00005:20", part173); - - var select39 = linear_select([ - msg82, - msg83, - msg84, - msg85, - msg86, - msg87, - msg88, - msg89, - msg90, - msg91, - msg92, - msg93, - msg94, - msg95, - msg96, - msg97, - msg98, - msg99, - msg100, - msg101, - msg102, - ]); - - var part174 = match("MESSAGE#101:00006", "nwparser.payload", "%{signame->} has been detected! From %{saddr}:%{sport->} to %{daddr}:%{dport->} using protocol %{protocol->} on interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([ - dup85, - dup2, - dup3, - dup4, - dup59, - dup5, - dup61, - ])); - - var msg103 = msg("00006", part174); - - var part175 = match("MESSAGE#102:00006:01", "nwparser.payload", "Hostname set to \"%{hostname}\"", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg104 = msg("00006:01", part175); - - var part176 = match("MESSAGE#103:00006:02", "nwparser.payload", "Domain set to %{domain}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg105 = msg("00006:02", part176); - - var part177 = match("MESSAGE#104:00006:03", "nwparser.payload", "An optional ScreenOS feature has been activated via a software key.%{}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg106 = msg("00006:03", part177); - - var part178 = match("MESSAGE#105:00006:04/0", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to 
%{daddr}:%{dport}, proto %{protocol->} (zone %{p0}"); - - var all35 = all_match({ - processors: [ - part178, - dup338, - dup67, - ], - on_success: processor_chain([ - dup84, - dup2, - dup59, - dup9, - dup3, - dup4, - dup5, - dup61, - ]), - }); - - var msg107 = msg("00006:04", all35); - - var all36 = all_match({ - processors: [ - dup64, - dup338, - dup67, - ], - on_success: processor_chain([ - dup84, - dup2, - dup59, - dup9, - dup3, - dup4, - dup5, - dup60, - ]), - }); - - var msg108 = msg("00006:05", all36); - - var select40 = linear_select([ - msg103, - msg104, - msg105, - msg106, - msg107, - msg108, - ]); - - var part179 = match("MESSAGE#107:00007", "nwparser.payload", "HA cluster ID has been changed to %{fld2}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg109 = msg("00007", part179); - - var part180 = match("MESSAGE#108:00007:01", "nwparser.payload", "%{change_attribute->} of the local NetScreen device has changed from %{change_old->} to %{change_new}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg110 = msg("00007:01", part180); - - var part181 = match("MESSAGE#109:00007:02/0", "nwparser.payload", "HA state of the local device has changed to backup because a device with a %{p0}"); - - var part182 = match("MESSAGE#109:00007:02/1_0", "nwparser.p0", "higher priority has been detected%{}"); - - var part183 = match("MESSAGE#109:00007:02/1_1", "nwparser.p0", "lower MAC value has been detected%{}"); - - var select41 = linear_select([ - part182, - part183, - ]); - - var all37 = all_match({ - processors: [ - part181, - select41, - ], - on_success: processor_chain([ - dup86, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg111 = msg("00007:02", all37); - - var part184 = match("MESSAGE#110:00007:03", "nwparser.payload", "HA state of the local device has changed to init because IP tracking has failed%{}", processor_chain([ - dup86, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg112 = msg("00007:03", 
part184); - - var select42 = linear_select([ - dup88, - dup89, - ]); - - var part185 = match("MESSAGE#111:00007:04/4", "nwparser.p0", "has been changed%{}"); - - var all38 = all_match({ - processors: [ - dup87, - select42, - dup23, - dup344, - part185, - ], - on_success: processor_chain([ - dup91, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg113 = msg("00007:04", all38); - - var part186 = match("MESSAGE#112:00007:05", "nwparser.payload", "HA: Local NetScreen device has been elected backup because a master already exists%{}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg114 = msg("00007:05", part186); - - var part187 = match("MESSAGE#113:00007:06", "nwparser.payload", "HA: Local NetScreen device has been elected backup because its MAC value is higher than those of other devices in the cluster%{}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg115 = msg("00007:06", part187); - - var part188 = match("MESSAGE#114:00007:07", "nwparser.payload", "HA: Local NetScreen device has been elected backup because its priority value is higher than those of other devices in the cluster%{}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg116 = msg("00007:07", part188); - - var part189 = match("MESSAGE#115:00007:08", "nwparser.payload", "HA: Local device has been elected master because no other master exists%{}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg117 = msg("00007:08", part189); - - var part190 = match("MESSAGE#116:00007:09", "nwparser.payload", "HA: Local device priority has been changed to %{fld2}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg118 = msg("00007:09", part190); - - var part191 = match("MESSAGE#117:00007:10", "nwparser.payload", "HA: Previous master has promoted the local NetScreen device to master%{}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg119 = msg("00007:10", 
part191); - - var part192 = match("MESSAGE#118:00007:11/0", "nwparser.payload", "IP tracking device failover threshold has been %{p0}"); - - var select43 = linear_select([ - dup92, - dup93, - ]); - - var all39 = all_match({ - processors: [ - part192, - select43, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg120 = msg("00007:11", all39); - - var part193 = match("MESSAGE#119:00007:12", "nwparser.payload", "IP tracking has been %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg121 = msg("00007:12", part193); - - var part194 = match("MESSAGE#120:00007:13", "nwparser.payload", "IP tracking to %{hostip->} with interval %{fld2->} threshold %{trigger_val->} weight %{fld4->} interface %{interface->} method %{fld5->} has been %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg122 = msg("00007:13", part194); - - var part195 = match("MESSAGE#121:00007:14", "nwparser.payload", "%{signame->} From %{saddr->} to %{daddr->} using protocol %{protocol->} on zone %{zone->} interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([ - dup85, - dup2, - dup3, - dup4, - dup59, - dup5, - dup60, - ])); - - var msg123 = msg("00007:14", part195); - - var part196 = match("MESSAGE#122:00007:15", "nwparser.payload", "Primary HA interface has been changed to %{interface}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg124 = msg("00007:15", part196); - - var part197 = match("MESSAGE#123:00007:16", "nwparser.payload", "Reporting of HA configuration and status changes to NetScreen-Global Manager has been %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg125 = msg("00007:16", part197); - - var part198 = match("MESSAGE#124:00007:17", "nwparser.payload", "Tracked IP %{hostip->} has been %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - 
dup5, - ])); - - var msg126 = msg("00007:17", part198); - - var part199 = match("MESSAGE#125:00007:18/0", "nwparser.payload", "Tracked IP %{hostip->} options have been changed from int %{fld2->} thr %{fld3->} wgt %{fld4->} inf %{fld5->} %{p0}"); - - var part200 = match("MESSAGE#125:00007:18/1_0", "nwparser.p0", "ping %{p0}"); - - var part201 = match("MESSAGE#125:00007:18/1_1", "nwparser.p0", "ARP %{p0}"); - - var select44 = linear_select([ - part200, - part201, - ]); - - var part202 = match("MESSAGE#125:00007:18/2", "nwparser.p0", "to %{fld6->} %{p0}"); - - var part203 = match("MESSAGE#125:00007:18/3_0", "nwparser.p0", "ping%{}"); - - var part204 = match("MESSAGE#125:00007:18/3_1", "nwparser.p0", "ARP%{}"); - - var select45 = linear_select([ - part203, - part204, - ]); - - var all40 = all_match({ - processors: [ - part199, - select44, - part202, - select45, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg127 = msg("00007:18", all40); - - var part205 = match("MESSAGE#126:00007:20", "nwparser.payload", "Change %{change_attribute->} path from %{change_old->} to %{change_new}.", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg128 = msg("00007:20", part205); - - var part206 = match("MESSAGE#127:00007:21/0", "nwparser.payload", "HA Slave is %{p0}"); - - var all41 = all_match({ - processors: [ - part206, - dup345, - ], - on_success: processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg129 = msg("00007:21", all41); - - var part207 = match("MESSAGE#128:00007:22", "nwparser.payload", "HA change group id to %{groupid}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg130 = msg("00007:22", part207); - - var part208 = match("MESSAGE#129:00007:23", "nwparser.payload", "HA change priority to %{fld2}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg131 = msg("00007:23", part208); - - var part209 = 
match("MESSAGE#130:00007:24", "nwparser.payload", "HA change state to init%{}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg132 = msg("00007:24", part209); - - var part210 = match("MESSAGE#131:00007:25", "nwparser.payload", "HA: Change state to initial state.%{}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg133 = msg("00007:25", part210); - - var part211 = match("MESSAGE#132:00007:26/0", "nwparser.payload", "HA: Change state to slave for %{p0}"); - - var part212 = match("MESSAGE#132:00007:26/1_0", "nwparser.p0", "tracking ip failed%{}"); - - var part213 = match("MESSAGE#132:00007:26/1_1", "nwparser.p0", "linkdown%{}"); - - var select46 = linear_select([ - part212, - part213, - ]); - - var all42 = all_match({ - processors: [ - part211, - select46, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg134 = msg("00007:26", all42); - - var part214 = match("MESSAGE#133:00007:27", "nwparser.payload", "HA: Change to master command issued from original master to change state%{}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg135 = msg("00007:27", part214); - - var part215 = match("MESSAGE#134:00007:28", "nwparser.payload", "HA: Elected master no other master%{}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg136 = msg("00007:28", part215); - - var part216 = match("MESSAGE#135:00007:29/0", "nwparser.payload", "HA: Elected slave %{p0}"); - - var part217 = match("MESSAGE#135:00007:29/1_0", "nwparser.p0", "lower priority%{}"); - - var part218 = match("MESSAGE#135:00007:29/1_1", "nwparser.p0", "MAC value is larger%{}"); - - var part219 = match("MESSAGE#135:00007:29/1_2", "nwparser.p0", "master already exists%{}"); - - var part220 = match("MESSAGE#135:00007:29/1_3", "nwparser.p0", "detect new master with higher priority%{}"); - - var part221 = match("MESSAGE#135:00007:29/1_4", "nwparser.p0", "detect new master 
with smaller MAC value%{}"); - - var select47 = linear_select([ - part217, - part218, - part219, - part220, - part221, - ]); - - var all43 = all_match({ - processors: [ - part216, - select47, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg137 = msg("00007:29", all43); - - var part222 = match("MESSAGE#136:00007:30", "nwparser.payload", "HA: Promoted master command issued from original master to change state%{}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg138 = msg("00007:30", part222); - - var part223 = match("MESSAGE#137:00007:31/0", "nwparser.payload", "HA: ha link %{p0}"); - - var all44 = all_match({ - processors: [ - part223, - dup345, - ], - on_success: processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg139 = msg("00007:31", all44); - - var part224 = match("MESSAGE#138:00007:32/0", "nwparser.payload", "NSRP %{fld2->} %{p0}"); - - var select48 = linear_select([ - dup89, - dup88, - ]); - - var part225 = match("MESSAGE#138:00007:32/4", "nwparser.p0", "changed.%{}"); - - var all45 = all_match({ - processors: [ - part224, - select48, - dup23, - dup344, - part225, - ], - on_success: processor_chain([ - dup91, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg140 = msg("00007:32", all45); - - var part226 = match("MESSAGE#139:00007:33/0_0", "nwparser.payload", "NSRP: VSD %{p0}"); - - var part227 = match("MESSAGE#139:00007:33/0_1", "nwparser.payload", "Virtual Security Device group %{p0}"); - - var select49 = linear_select([ - part226, - part227, - ]); - - var part228 = match("MESSAGE#139:00007:33/1", "nwparser.p0", "%{fld2->} change%{p0}"); - - var part229 = match("MESSAGE#139:00007:33/2_0", "nwparser.p0", "d %{p0}"); - - var select50 = linear_select([ - part229, - dup96, - ]); - - var part230 = match("MESSAGE#139:00007:33/3", "nwparser.p0", "to %{fld3->} mode."); - - var all46 = all_match({ - processors: [ - select49, - part228, - select50, - 
part230, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg141 = msg("00007:33", all46); - - var part231 = match("MESSAGE#140:00007:34", "nwparser.payload", "NSRP: message %{fld2->} dropped: invalid encryption password.", processor_chain([ - dup97, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg142 = msg("00007:34", part231); - - var part232 = match("MESSAGE#141:00007:35", "nwparser.payload", "NSRP: nsrp interface change to %{interface}.", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg143 = msg("00007:35", part232); - - var part233 = match("MESSAGE#142:00007:36", "nwparser.payload", "RTO mirror group id=%{groupid->} direction= %{direction->} local unit=%{fld3->} duplicate from unit=%{fld4}", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg144 = msg("00007:36", part233); - - var part234 = match("MESSAGE#143:00007:37/0", "nwparser.payload", "RTO mirror group id=%{groupid->} direction= %{direction->} is %{p0}"); - - var all47 = all_match({ - processors: [ - part234, - dup346, - ], - on_success: processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg145 = msg("00007:37", all47); - - var part235 = match("MESSAGE#144:00007:38/0", "nwparser.payload", "RTO mirror group id=%{groupid->} direction= %{direction->} peer=%{fld3->} from %{p0}"); - - var part236 = match("MESSAGE#144:00007:38/4", "nwparser.p0", "state %{p0}"); - - var part237 = match("MESSAGE#144:00007:38/5_0", "nwparser.p0", "missed heartbeat%{}"); - - var part238 = match("MESSAGE#144:00007:38/5_1", "nwparser.p0", "group detached%{}"); - - var select51 = linear_select([ - part237, - part238, - ]); - - var all48 = all_match({ - processors: [ - part235, - dup347, - dup103, - dup347, - part236, - select51, - ], - on_success: processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg146 = msg("00007:38", all48); - - var part239 = 
match("MESSAGE#145:00007:39/0", "nwparser.payload", "RTO mirror group id=%{groupid->} is %{p0}"); - - var all49 = all_match({ - processors: [ - part239, - dup346, - ], - on_success: processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg147 = msg("00007:39", all49); - - var part240 = match("MESSAGE#146:00007:40", "nwparser.payload", "Remove pathname %{fld2->} (ifnum=%{fld3}) as secondary HA path", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg148 = msg("00007:40", part240); - - var part241 = match("MESSAGE#147:00007:41", "nwparser.payload", "Session sync ended by unit=%{fld2}", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg149 = msg("00007:41", part241); - - var part242 = match("MESSAGE#148:00007:42", "nwparser.payload", "Set secondary HA path to %{fld2->} (ifnum=%{fld3})", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg150 = msg("00007:42", part242); - - var part243 = match("MESSAGE#149:00007:43", "nwparser.payload", "VSD %{change_attribute->} changed from %{change_old->} to %{change_new}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg151 = msg("00007:43", part243); - - var part244 = match("MESSAGE#150:00007:44", "nwparser.payload", "vsd group id=%{groupid->} is %{disposition->} total number=%{fld3}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg152 = msg("00007:44", part244); - - var part245 = match("MESSAGE#151:00007:45", "nwparser.payload", "vsd group %{group->} local unit %{change_attribute->} changed from %{change_old->} to %{change_new}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg153 = msg("00007:45", part245); - - var part246 = match("MESSAGE#152:00007:46", "nwparser.payload", "%{signame->} has been detected! 
From %{saddr->} to %{daddr->} using protocol %{protocol->} on interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([ - dup85, - dup2, - dup3, - dup4, - dup59, - dup5, - dup60, - ])); - - var msg154 = msg("00007:46", part246); - - var part247 = match("MESSAGE#153:00007:47", "nwparser.payload", "The HA channel changed to interface %{interface}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg155 = msg("00007:47", part247); - - var part248 = match("MESSAGE#154:00007:48", "nwparser.payload", "Message %{fld2->} was dropped because it contained an invalid encryption password.", processor_chain([ - dup97, - dup2, - dup3, - dup4, - setc("disposition","dropped"), - setc("result","Invalid encryption Password"), - ])); - - var msg156 = msg("00007:48", part248); - - var part249 = match("MESSAGE#155:00007:49", "nwparser.payload", "The %{change_attribute->} of all Virtual Security Device groups changed from %{change_old->} to %{change_new}", processor_chain([ - setc("eventcategory","1604000000"), - dup2, - dup3, - dup4, - dup5, - ])); - - var msg157 = msg("00007:49", part249); - - var part250 = match("MESSAGE#156:00007:50/0", "nwparser.payload", "Device %{fld2->} %{p0}"); - - var part251 = match("MESSAGE#156:00007:50/1_0", "nwparser.p0", "has joined %{p0}"); - - var part252 = match("MESSAGE#156:00007:50/1_1", "nwparser.p0", "quit current %{p0}"); - - var select52 = linear_select([ - part251, - part252, - ]); - - var part253 = match("MESSAGE#156:00007:50/2", "nwparser.p0", "NSRP cluster %{fld3}"); - - var all50 = all_match({ - processors: [ - part250, - select52, - part253, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg158 = msg("00007:50", all50); - - var part254 = match("MESSAGE#157:00007:51/0", "nwparser.payload", "Virtual Security Device group %{group->} was %{p0}"); - - var part255 = match("MESSAGE#157:00007:51/1_1", "nwparser.p0", "deleted %{p0}"); - 
- var select53 = linear_select([ - dup104, - part255, - ]); - - var select54 = linear_select([ - dup105, - dup73, - ]); - - var part256 = match("MESSAGE#157:00007:51/4", "nwparser.p0", "The total number of members in the group %{p0}"); - - var select55 = linear_select([ - dup106, - dup107, - ]); - - var all51 = all_match({ - processors: [ - part254, - select53, - dup23, - select54, - part256, - select55, - dup108, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg159 = msg("00007:51", all51); - - var part257 = match("MESSAGE#158:00007:52", "nwparser.payload", "Virtual Security Device group %{group->} %{change_attribute->} changed from %{change_old->} to %{change_new}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg160 = msg("00007:52", part257); - - var part258 = match("MESSAGE#159:00007:53", "nwparser.payload", "The secondary HA path of the devices was set to interface %{interface->} with ifnum %{fld2}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg161 = msg("00007:53", part258); - - var part259 = match("MESSAGE#160:00007:54", "nwparser.payload", "The %{change_attribute->} of the devices changed from %{change_old->} to %{change_new}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg162 = msg("00007:54", part259); - - var part260 = match("MESSAGE#161:00007:55", "nwparser.payload", "The interface %{interface->} with ifnum %{fld2->} was removed from the secondary HA path of the devices.", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg163 = msg("00007:55", part260); - - var part261 = match("MESSAGE#162:00007:56", "nwparser.payload", "The probe that detects the status of High Availability link %{fld2->} was %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg164 = msg("00007:56", part261); - - var select56 = linear_select([ - dup109, - dup110, - ]); - - var 
select57 = linear_select([ - dup111, - dup112, - ]); - - var part262 = match("MESSAGE#163:00007:57/4", "nwparser.p0", "the probe detecting the status of High Availability link %{fld2->} was set to %{fld3}"); - - var all52 = all_match({ - processors: [ - dup55, - select56, - dup23, - select57, - part262, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg165 = msg("00007:57", all52); - - var part263 = match("MESSAGE#164:00007:58", "nwparser.payload", "A request by device %{fld2->} for session synchronization(s) was accepted.", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg166 = msg("00007:58", part263); - - var part264 = match("MESSAGE#165:00007:59", "nwparser.payload", "The current session synchronization by device %{fld2->} completed.", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg167 = msg("00007:59", part264); - - var part265 = match("MESSAGE#166:00007:60", "nwparser.payload", "Run Time Object mirror group %{group->} direction was set to %{direction}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg168 = msg("00007:60", part265); - - var part266 = match("MESSAGE#167:00007:61", "nwparser.payload", "Run Time Object mirror group %{group->} was set.", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg169 = msg("00007:61", part266); - - var part267 = match("MESSAGE#168:00007:62", "nwparser.payload", "Run Time Object mirror group %{group->} with direction %{direction->} was unset.", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg170 = msg("00007:62", part267); - - var part268 = match("MESSAGE#169:00007:63", "nwparser.payload", "RTO mirror group %{group->} was unset.", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg171 = msg("00007:63", part268); - - var part269 = match("MESSAGE#170:00007:64/1", "nwparser.p0", "%{fld2->} was removed from the 
monitoring list %{p0}"); - - var part270 = match("MESSAGE#170:00007:64/3", "nwparser.p0", "%{fld3}"); - - var all53 = all_match({ - processors: [ - dup348, - part269, - dup349, - part270, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg172 = msg("00007:64", all53); - - var part271 = match("MESSAGE#171:00007:65/1", "nwparser.p0", "%{fld2->} with weight %{fld3->} was added%{p0}"); - - var part272 = match("MESSAGE#171:00007:65/2_0", "nwparser.p0", " to or updated on %{p0}"); - - var part273 = match("MESSAGE#171:00007:65/2_1", "nwparser.p0", "/updated to %{p0}"); - - var select58 = linear_select([ - part272, - part273, - ]); - - var part274 = match("MESSAGE#171:00007:65/3", "nwparser.p0", "the monitoring list %{p0}"); - - var part275 = match("MESSAGE#171:00007:65/5", "nwparser.p0", "%{fld4}"); - - var all54 = all_match({ - processors: [ - dup348, - part271, - select58, - part274, - dup349, - part275, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg173 = msg("00007:65", all54); - - var part276 = match("MESSAGE#172:00007:66/0_0", "nwparser.payload", "The monitoring %{p0}"); - - var part277 = match("MESSAGE#172:00007:66/0_1", "nwparser.payload", "Monitoring %{p0}"); - - var select59 = linear_select([ - part276, - part277, - ]); - - var part278 = match("MESSAGE#172:00007:66/1", "nwparser.p0", "threshold was modified to %{trigger_val->} o%{p0}"); - - var part279 = match("MESSAGE#172:00007:66/2_0", "nwparser.p0", "f %{p0}"); - - var select60 = linear_select([ - part279, - dup115, - ]); - - var all55 = all_match({ - processors: [ - select59, - part278, - select60, - dup108, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg174 = msg("00007:66", all55); - - var part280 = match("MESSAGE#173:00007:67", "nwparser.payload", "NSRP data forwarding %{disposition}.", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - 
- var msg175 = msg("00007:67", part280); - - var part281 = match("MESSAGE#174:00007:68/0", "nwparser.payload", "NSRP b%{p0}"); - - var part282 = match("MESSAGE#174:00007:68/1_0", "nwparser.p0", "lack %{p0}"); - - var part283 = match("MESSAGE#174:00007:68/1_1", "nwparser.p0", "ack %{p0}"); - - var select61 = linear_select([ - part282, - part283, - ]); - - var part284 = match("MESSAGE#174:00007:68/2", "nwparser.p0", "hole prevention %{disposition}. Master(s) of Virtual Security Device groups %{p0}"); - - var part285 = match("MESSAGE#174:00007:68/3_0", "nwparser.p0", "may not exist %{p0}"); - - var part286 = match("MESSAGE#174:00007:68/3_1", "nwparser.p0", "always exists %{p0}"); - - var select62 = linear_select([ - part285, - part286, - ]); - - var all56 = all_match({ - processors: [ - part281, - select61, - part284, - select62, - dup116, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg176 = msg("00007:68", all56); - - var part287 = match("MESSAGE#175:00007:69", "nwparser.payload", "NSRP Run Time Object synchronization between devices was %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg177 = msg("00007:69", part287); - - var part288 = match("MESSAGE#176:00007:70", "nwparser.payload", "The NSRP encryption key was changed.%{}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg178 = msg("00007:70", part288); - - var part289 = match("MESSAGE#177:00007:71", "nwparser.payload", "NSRP transparent Active-Active mode was %{disposition}.", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg179 = msg("00007:71", part289); - - var part290 = match("MESSAGE#178:00007:72", "nwparser.payload", "NSRP: nsrp link probe enable on %{interface}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg180 = msg("00007:72", part290); - - var select63 = linear_select([ - msg109, - msg110, - msg111, - msg112, - msg113, - 
msg114, - msg115, - msg116, - msg117, - msg118, - msg119, - msg120, - msg121, - msg122, - msg123, - msg124, - msg125, - msg126, - msg127, - msg128, - msg129, - msg130, - msg131, - msg132, - msg133, - msg134, - msg135, - msg136, - msg137, - msg138, - msg139, - msg140, - msg141, - msg142, - msg143, - msg144, - msg145, - msg146, - msg147, - msg148, - msg149, - msg150, - msg151, - msg152, - msg153, - msg154, - msg155, - msg156, - msg157, - msg158, - msg159, - msg160, - msg161, - msg162, - msg163, - msg164, - msg165, - msg166, - msg167, - msg168, - msg169, - msg170, - msg171, - msg172, - msg173, - msg174, - msg175, - msg176, - msg177, - msg178, - msg179, - msg180, - ]); - - var part291 = match("MESSAGE#179:00008", "nwparser.payload", "%{signame->} has been detected! From %{saddr}:%{sport->} to %{daddr}:%{dport->} using protocol %{protocol->} on interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([ - dup58, - dup2, - dup3, - dup4, - dup59, - dup5, - dup61, - ])); - - var msg181 = msg("00008", part291); - - var msg182 = msg("00008:01", dup341); - - var part292 = match("MESSAGE#181:00008:02", "nwparser.payload", "NTP settings have been changed%{}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg183 = msg("00008:02", part292); - - var part293 = match("MESSAGE#182:00008:03", "nwparser.payload", "The system clock has been updated through NTP%{}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg184 = msg("00008:03", part293); - - var part294 = match("MESSAGE#183:00008:04/0", "nwparser.payload", "System clock %{p0}"); - - var part295 = match("MESSAGE#183:00008:04/1_0", "nwparser.p0", "configurations have been%{p0}"); - - var part296 = match("MESSAGE#183:00008:04/1_1", "nwparser.p0", "was%{p0}"); - - var part297 = match("MESSAGE#183:00008:04/1_2", "nwparser.p0", "is%{p0}"); - - var select64 = linear_select([ - part295, - part296, - part297, - ]); - - var part298 = 
match("MESSAGE#183:00008:04/2", "nwparser.p0", "%{}changed%{p0}"); - - var part299 = match("MESSAGE#183:00008:04/3_0", "nwparser.p0", " by admin %{administrator}"); - - var part300 = match("MESSAGE#183:00008:04/3_1", "nwparser.p0", " by %{username->} (%{fld1})"); - - var part301 = match("MESSAGE#183:00008:04/3_2", "nwparser.p0", " by %{username}"); - - var part302 = match("MESSAGE#183:00008:04/3_3", "nwparser.p0", " manually.%{}"); - - var part303 = match("MESSAGE#183:00008:04/3_4", "nwparser.p0", " manually%{}"); - - var select65 = linear_select([ - part299, - part300, - part301, - part302, - part303, - dup21, - ]); - - var all57 = all_match({ - processors: [ - part294, - select64, - part298, - select65, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - dup9, - ]), - }); - - var msg185 = msg("00008:04", all57); - - var part304 = match("MESSAGE#184:00008:05", "nwparser.payload", "failed to get clock through NTP%{}", processor_chain([ - dup117, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg186 = msg("00008:05", part304); - - var part305 = match("MESSAGE#185:00008:06", "nwparser.payload", "%{signame->} has been detected! From %{saddr}:%{sport->} to %{daddr}:%{dport}, using protocol %{protocol}, and arriving at interface %{dinterface->} in zone %{dst_zone}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([ - dup58, - dup2, - dup3, - dup4, - dup5, - dup59, - dup61, - ])); - - var msg187 = msg("00008:06", part305); - - var part306 = match("MESSAGE#186:00008:07", "nwparser.payload", "%{signame->} has been detected! 
From %{saddr->} to %{daddr}, using protocol %{protocol}, and arriving at interface %{dinterface->} in zone %{dst_zone}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([ - dup58, - dup2, - dup3, - dup4, - dup5, - dup59, - dup60, - ])); - - var msg188 = msg("00008:07", part306); - - var part307 = match("MESSAGE#187:00008:08", "nwparser.payload", "%{signame->} From %{saddr->} to %{daddr}, using protocol %{protocol}, on zone %{zone->} interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times.", processor_chain([ - dup58, - dup2, - dup3, - dup4, - dup5, - dup59, - dup60, - ])); - - var msg189 = msg("00008:08", part307); - - var part308 = match("MESSAGE#188:00008:09", "nwparser.payload", "system clock is changed manually%{}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg190 = msg("00008:09", part308); - - var part309 = match("MESSAGE#189:00008:10/0", "nwparser.payload", "%{signame->} From %{saddr->} to %{daddr}, proto %{protocol}(zone %{p0}"); - - var all58 = all_match({ - processors: [ - part309, - dup338, - dup67, - ], - on_success: processor_chain([ - dup58, - dup2, - dup59, - dup3, - dup4, - dup5, - dup9, - dup60, - ]), - }); - - var msg191 = msg("00008:10", all58); - - var select66 = linear_select([ - msg181, - msg182, - msg183, - msg184, - msg185, - msg186, - msg187, - msg188, - msg189, - msg190, - msg191, - ]); - - var part310 = match("MESSAGE#190:00009", "nwparser.payload", "802.1Q VLAN trunking for the interface %{interface->} has been %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg192 = msg("00009", part310); - - var part311 = match("MESSAGE#191:00009:01", "nwparser.payload", "802.1Q VLAN tag %{fld1->} has been %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg193 = msg("00009:01", part311); - - var part312 = match("MESSAGE#192:00009:02", "nwparser.payload", "DHCP on the interface %{interface->} has 
been %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg194 = msg("00009:02", part312); - - var part313 = match("MESSAGE#193:00009:03", "nwparser.payload", "%{change_attribute->} for interface %{interface->} has been changed from %{change_old->} to %{change_new}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg195 = msg("00009:03", part313); - - var part314 = match("MESSAGE#194:00009:05", "nwparser.payload", "%{signame->} has been detected! From %{saddr}:%{sport->} to %{daddr}:%{dport->} using protocol %{protocol->} on interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([ - dup58, - dup2, - dup3, - dup59, - dup4, - dup5, - dup61, - ])); - - var msg196 = msg("00009:05", part314); - - var part315 = match("MESSAGE#195:00009:06/0_0", "nwparser.payload", "%{fld2}: The 802.1Q tag %{p0}"); - - var part316 = match("MESSAGE#195:00009:06/0_1", "nwparser.payload", "The 802.1Q tag %{p0}"); - - var select67 = linear_select([ - part315, - part316, - ]); - - var select68 = linear_select([ - dup119, - dup16, - ]); - - var part317 = match("MESSAGE#195:00009:06/3", "nwparser.p0", "interface %{interface->} has been %{p0}"); - - var part318 = match("MESSAGE#195:00009:06/4_1", "nwparser.p0", "changed to %{p0}"); - - var select69 = linear_select([ - dup120, - part318, - ]); - - var part319 = match("MESSAGE#195:00009:06/6_0", "nwparser.p0", "%{info->} from host %{saddr}"); - - var part320 = match_copy("MESSAGE#195:00009:06/6_1", "nwparser.p0", "info"); - - var select70 = linear_select([ - part319, - part320, - ]); - - var all59 = all_match({ - processors: [ - select67, - dup118, - select68, - part317, - select69, - dup23, - select70, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg197 = msg("00009:06", all59); - - var part321 = match("MESSAGE#196:00009:07/0", "nwparser.payload", "Maximum bandwidth %{fld2->} on %{p0}"); - - 
var part322 = match("MESSAGE#196:00009:07/2", "nwparser.p0", "%{} %{interface->} is less than t%{p0}"); - - var part323 = match("MESSAGE#196:00009:07/3_0", "nwparser.p0", "he total %{p0}"); - - var part324 = match("MESSAGE#196:00009:07/3_1", "nwparser.p0", "otal %{p0}"); - - var select71 = linear_select([ - part323, - part324, - ]); - - var part325 = match("MESSAGE#196:00009:07/4", "nwparser.p0", "guaranteed bandwidth %{fld3}"); - - var all60 = all_match({ - processors: [ - part321, - dup337, - part322, - select71, - part325, - ], - on_success: processor_chain([ - dup121, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg198 = msg("00009:07", all60); - - var part326 = match("MESSAGE#197:00009:09", "nwparser.payload", "The configured bandwidth setting on the interface %{interface->} has been changed to %{fld2}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg199 = msg("00009:09", part326); - - var part327 = match("MESSAGE#198:00009:10/0", "nwparser.payload", "The operational mode for the interface %{interface->} has been changed to %{p0}"); - - var part328 = match("MESSAGE#198:00009:10/1_0", "nwparser.p0", "Route%{}"); - - var part329 = match("MESSAGE#198:00009:10/1_1", "nwparser.p0", "NAT%{}"); - - var select72 = linear_select([ - part328, - part329, - ]); - - var all61 = all_match({ - processors: [ - part327, - select72, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg200 = msg("00009:10", all61); - - var part330 = match("MESSAGE#199:00009:11/0_0", "nwparser.payload", "%{fld1}: VLAN %{p0}"); - - var part331 = match("MESSAGE#199:00009:11/0_1", "nwparser.payload", "VLAN %{p0}"); - - var select73 = linear_select([ - part330, - part331, - ]); - - var part332 = match("MESSAGE#199:00009:11/1", "nwparser.p0", "tag %{fld2->} has been %{disposition}"); - - var all62 = all_match({ - processors: [ - select73, - part332, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - 
dup5, - ]), - }); - - var msg201 = msg("00009:11", all62); - - var part333 = match("MESSAGE#200:00009:12", "nwparser.payload", "DHCP client has been %{disposition->} on interface %{interface}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg202 = msg("00009:12", part333); - - var part334 = match("MESSAGE#201:00009:13", "nwparser.payload", "DHCP relay agent settings on %{interface->} have been %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg203 = msg("00009:13", part334); - - var part335 = match("MESSAGE#202:00009:14/0_0", "nwparser.payload", "Global-PRO has been %{p0}"); - - var part336 = match("MESSAGE#202:00009:14/0_1", "nwparser.payload", "Global PRO has been %{p0}"); - - var part337 = match("MESSAGE#202:00009:14/0_2", "nwparser.payload", "DNS proxy was %{p0}"); - - var select74 = linear_select([ - part335, - part336, - part337, - ]); - - var part338 = match("MESSAGE#202:00009:14/1", "nwparser.p0", "%{disposition->} on %{p0}"); - - var select75 = linear_select([ - dup122, - dup123, - ]); - - var part339 = match("MESSAGE#202:00009:14/4_0", "nwparser.p0", "%{interface->} (%{fld2})"); - - var select76 = linear_select([ - part339, - dup124, - ]); - - var all63 = all_match({ - processors: [ - select74, - part338, - select75, - dup23, - select76, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg204 = msg("00009:14", all63); - - var part340 = match("MESSAGE#203:00009:15/0", "nwparser.payload", "Route between secondary IP%{p0}"); - - var part341 = match("MESSAGE#203:00009:15/1_0", "nwparser.p0", " addresses %{p0}"); - - var select77 = linear_select([ - part341, - dup125, - ]); - - var all64 = all_match({ - processors: [ - part340, - select77, - dup126, - dup350, - dup128, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg205 = msg("00009:15", all64); - - var part342 = 
match("MESSAGE#204:00009:16/0", "nwparser.payload", "Secondary IP address %{hostip}/%{mask->} %{p0}"); - - var part343 = match("MESSAGE#204:00009:16/3_2", "nwparser.p0", "deleted from %{p0}"); - - var select78 = linear_select([ - dup129, - dup130, - part343, - ]); - - var part344 = match("MESSAGE#204:00009:16/4", "nwparser.p0", "interface %{interface}."); - - var all65 = all_match({ - processors: [ - part342, - dup350, - dup23, - select78, - part344, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg206 = msg("00009:16", all65); - - var part345 = match("MESSAGE#205:00009:17/0", "nwparser.payload", "Secondary IP address %{p0}"); - - var part346 = match("MESSAGE#205:00009:17/1_0", "nwparser.p0", "%{hostip}/%{mask->} was added to interface %{p0}"); - - var part347 = match("MESSAGE#205:00009:17/1_1", "nwparser.p0", "%{hostip->} was added to interface %{p0}"); - - var select79 = linear_select([ - part346, - part347, - ]); - - var part348 = match("MESSAGE#205:00009:17/2", "nwparser.p0", "%{interface}."); - - var all66 = all_match({ - processors: [ - part345, - select79, - part348, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg207 = msg("00009:17", all66); - - var part349 = match("MESSAGE#206:00009:18", "nwparser.payload", "The configured bandwidth on the interface %{interface->} has been changed to %{fld2}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg208 = msg("00009:18", part349); - - var part350 = match("MESSAGE#207:00009:19", "nwparser.payload", "interface %{interface->} with IP %{hostip->} %{fld2->} has been %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg209 = msg("00009:19", part350); - - var part351 = match("MESSAGE#208:00009:27", "nwparser.payload", "interface %{interface->} has been %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg210 = 
msg("00009:27", part351); - - var part352 = match("MESSAGE#209:00009:20/0_0", "nwparser.payload", "%{fld2}: %{service->} has been %{p0}"); - - var part353 = match("MESSAGE#209:00009:20/0_1", "nwparser.payload", "%{service->} has been %{p0}"); - - var select80 = linear_select([ - part352, - part353, - ]); - - var part354 = match("MESSAGE#209:00009:20/1", "nwparser.p0", "%{disposition->} on interface %{interface->} %{p0}"); - - var part355 = match("MESSAGE#209:00009:20/2_0", "nwparser.p0", "by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport}"); - - var part356 = match("MESSAGE#209:00009:20/2_1", "nwparser.p0", "by %{username->} via %{logon_type->} from host %{saddr}:%{sport}"); - - var part357 = match("MESSAGE#209:00009:20/2_2", "nwparser.p0", "by %{username->} via %{logon_type->} from host %{saddr}"); - - var part358 = match("MESSAGE#209:00009:20/2_3", "nwparser.p0", "from host %{saddr->} (%{fld1})"); - - var select81 = linear_select([ - part355, - part356, - part357, - part358, - ]); - - var all67 = all_match({ - processors: [ - select80, - part354, - select81, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg211 = msg("00009:20", all67); - - var part359 = match("MESSAGE#210:00009:21/0", "nwparser.payload", "Source Route IP option! 
From %{saddr->} to %{daddr}, proto %{protocol->} (zone %{zone->} %{p0}"); - - var all68 = all_match({ - processors: [ - part359, - dup343, - dup131, - ], - on_success: processor_chain([ - dup58, - dup2, - dup59, - dup3, - dup4, - dup5, - dup9, - dup60, - ]), - }); - - var msg212 = msg("00009:21", all68); - - var part360 = match("MESSAGE#211:00009:22", "nwparser.payload", "MTU for interface %{interface->} has been changed to %{fld2->} (%{fld1})", processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg213 = msg("00009:22", part360); - - var part361 = match("MESSAGE#212:00009:23", "nwparser.payload", "Secondary IP address %{hostip->} has been added to interface %{interface->} (%{fld1})", processor_chain([ - dup44, - dup2, - dup9, - dup3, - dup4, - dup5, - ])); - - var msg214 = msg("00009:23", part361); - - var part362 = match("MESSAGE#213:00009:24/0", "nwparser.payload", "Web has been enabled on interface %{interface->} by admin %{administrator->} via %{p0}"); - - var part363 = match("MESSAGE#213:00009:24/1_0", "nwparser.p0", "%{logon_type->} %{space}(%{p0}"); - - var part364 = match("MESSAGE#213:00009:24/1_1", "nwparser.p0", "%{logon_type}. (%{p0}"); - - var select82 = linear_select([ - part363, - part364, - ]); - - var part365 = match("MESSAGE#213:00009:24/2", "nwparser.p0", ")%{fld1}"); - - var all69 = all_match({ - processors: [ - part362, - select82, - part365, - ], - on_success: processor_chain([ - dup1, - dup2, - dup9, - dup3, - dup4, - dup5, - ]), - }); - - var msg215 = msg("00009:24", all69); - - var part366 = match("MESSAGE#214:00009:25", "nwparser.payload", "Web has been enabled on interface %{interface->} by %{username->} via %{logon_type}. 
(%{fld1})", processor_chain([ - dup1, - dup2, - dup9, - dup3, - dup4, - dup5, - ])); - - var msg216 = msg("00009:25", part366); - - var part367 = match("MESSAGE#215:00009:26/0", "nwparser.payload", "%{protocol->} has been %{disposition->} on interface %{interface->} by %{username->} via NSRP Peer . %{p0}"); - - var all70 = all_match({ - processors: [ - part367, - dup333, - ], - on_success: processor_chain([ - dup1, - dup2, - dup9, - dup3, - dup4, - dup5, - ]), - }); - - var msg217 = msg("00009:26", all70); - - var select83 = linear_select([ - msg192, - msg193, - msg194, - msg195, - msg196, - msg197, - msg198, - msg199, - msg200, - msg201, - msg202, - msg203, - msg204, - msg205, - msg206, - msg207, - msg208, - msg209, - msg210, - msg211, - msg212, - msg213, - msg214, - msg215, - msg216, - msg217, - ]); - - var part368 = match("MESSAGE#216:00010/0", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to %{daddr}:%{dport->} %{p0}"); - - var part369 = match("MESSAGE#216:00010/1_0", "nwparser.p0", "using protocol %{p0}"); - - var part370 = match("MESSAGE#216:00010/1_1", "nwparser.p0", "proto %{p0}"); - - var select84 = linear_select([ - part369, - part370, - ]); - - var part371 = match("MESSAGE#216:00010/2", "nwparser.p0", "%{protocol->} %{p0}"); - - var part372 = match("MESSAGE#216:00010/3_0", "nwparser.p0", "( zone %{zone}, int %{interface}) %{p0}"); - - var part373 = match("MESSAGE#216:00010/3_1", "nwparser.p0", "zone %{zone->} int %{interface}) %{p0}"); - - var select85 = linear_select([ - part372, - part373, - dup126, - ]); - - var part374 = match("MESSAGE#216:00010/4", "nwparser.p0", ".%{space}The attack occurred %{dclass_counter1->} times%{p0}"); - - var all71 = all_match({ - processors: [ - part368, - select84, - part371, - select85, - part374, - dup351, - ], - on_success: processor_chain([ - dup58, - dup2, - dup4, - dup59, - dup5, - dup9, - dup3, - dup61, - ]), - }); - - var msg218 = msg("00010", all71); - - var part375 = match("MESSAGE#217:00010:01", 
"nwparser.payload", "MIP %{hostip}/%{fld2->} has been %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg219 = msg("00010:01", part375); - - var part376 = match("MESSAGE#218:00010:02", "nwparser.payload", "Mapped IP %{hostip->} %{fld2->} has been %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg220 = msg("00010:02", part376); - - var all72 = all_match({ - processors: [ - dup132, - dup343, - dup83, - ], - on_success: processor_chain([ - dup58, - dup2, - dup59, - dup4, - dup5, - dup9, - dup3, - dup60, - ]), - }); - - var msg221 = msg("00010:03", all72); - - var select86 = linear_select([ - msg218, - msg219, - msg220, - msg221, - ]); - - var part377 = match("MESSAGE#220:00011", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to %{daddr}:%{dport->} using protocol %{protocol->} on interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([ - dup58, - dup2, - dup3, - dup59, - dup4, - dup5, - dup61, - ])); - - var msg222 = msg("00011", part377); - - var part378 = match("MESSAGE#221:00011:01/0", "nwparser.payload", "Route to %{daddr}/%{fld2->} [ %{p0}"); - - var select87 = linear_select([ - dup57, - dup56, - ]); - - var part379 = match("MESSAGE#221:00011:01/2", "nwparser.p0", "%{} %{interface->} gateway %{fld3->} ] has been %{disposition}"); - - var all73 = all_match({ - processors: [ - part378, - select87, - part379, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg223 = msg("00011:01", all73); - - var part380 = match("MESSAGE#222:00011:02", "nwparser.payload", "%{signame->} from %{saddr->} to %{daddr->} protocol %{protocol->} (%{fld2})", processor_chain([ - dup58, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg224 = msg("00011:02", part380); - - var part381 = match("MESSAGE#223:00011:03/0", "nwparser.payload", "An %{p0}"); - - var part382 = match("MESSAGE#223:00011:03/1_0", 
"nwparser.p0", "import %{p0}"); - - var part383 = match("MESSAGE#223:00011:03/1_1", "nwparser.p0", "export %{p0}"); - - var select88 = linear_select([ - part382, - part383, - ]); - - var part384 = match("MESSAGE#223:00011:03/2", "nwparser.p0", "rule in virtual router %{node->} to virtual router %{fld4->} with %{p0}"); - - var part385 = match("MESSAGE#223:00011:03/3_0", "nwparser.p0", "route-map %{fld3->} and protocol %{protocol->} has been %{p0}"); - - var part386 = match("MESSAGE#223:00011:03/3_1", "nwparser.p0", "IP-prefix %{hostip}/%{interface->} has been %{p0}"); - - var select89 = linear_select([ - part385, - part386, - ]); - - var all74 = all_match({ - processors: [ - part381, - select88, - part384, - select89, - dup36, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg225 = msg("00011:03", all74); - - var part387 = match("MESSAGE#224:00011:04/0", "nwparser.payload", "A route in virtual router %{node->} that has IP address %{hostip}/%{fld2->} through %{p0}"); - - var part388 = match("MESSAGE#224:00011:04/2", "nwparser.p0", "%{interface->} and gateway %{fld3->} with metric %{fld4->} has been %{disposition}"); - - var all75 = all_match({ - processors: [ - part387, - dup352, - part388, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg226 = msg("00011:04", all75); - - var part389 = match("MESSAGE#225:00011:05/1_0", "nwparser.p0", "sharable virtual router using name%{p0}"); - - var part390 = match("MESSAGE#225:00011:05/1_1", "nwparser.p0", "virtual router with name%{p0}"); - - var select90 = linear_select([ - part389, - part390, - ]); - - var part391 = match("MESSAGE#225:00011:05/2", "nwparser.p0", "%{} %{node->} and id %{fld2->} has been %{disposition}"); - - var all76 = all_match({ - processors: [ - dup79, - select90, - part391, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg227 = msg("00011:05", all76); - - 
var part392 = match("MESSAGE#226:00011:07", "nwparser.payload", "%{signame->} From %{saddr->} to %{daddr->} using protocol %{protocol->} on interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([ - dup58, - dup2, - dup4, - dup5, - dup59, - dup3, - dup60, - ])); - - var msg228 = msg("00011:07", part392); - - var part393 = match("MESSAGE#227:00011:08", "nwparser.payload", "Route(s) in virtual router %{node->} with an IP address %{hostip->} and gateway %{fld2->} has been %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg229 = msg("00011:08", part393); - - var part394 = match("MESSAGE#228:00011:09", "nwparser.payload", "The auto-route-export feature in virtual router %{node->} has been %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg230 = msg("00011:09", part394); - - var part395 = match("MESSAGE#229:00011:10", "nwparser.payload", "The maximum number of routes that can be created in virtual router %{node->} is %{fld2}", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg231 = msg("00011:10", part395); - - var part396 = match("MESSAGE#230:00011:11", "nwparser.payload", "The maximum routes limit in virtual router %{node->} has been %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg232 = msg("00011:11", part396); - - var part397 = match("MESSAGE#231:00011:12", "nwparser.payload", "The router-id of virtual router %{node->} used by OSPF BGP routing instances id has been uninitialized", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg233 = msg("00011:12", part397); - - var part398 = match("MESSAGE#232:00011:13", "nwparser.payload", "The router-id that can be used by OSPF BGP routing instances in virtual router %{node->} has been set to %{fld2}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg234 = msg("00011:13", part398); 
- - var part399 = match("MESSAGE#233:00011:14/0", "nwparser.payload", "The routing preference for protocol %{protocol->} in virtual router %{node->} has been %{p0}"); - - var part400 = match("MESSAGE#233:00011:14/1_1", "nwparser.p0", "reset%{}"); - - var select91 = linear_select([ - dup134, - part400, - ]); - - var all77 = all_match({ - processors: [ - part399, - select91, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg235 = msg("00011:14", all77); - - var part401 = match("MESSAGE#234:00011:15", "nwparser.payload", "The system default-route in virtual router %{node->} has been %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg236 = msg("00011:15", part401); - - var part402 = match("MESSAGE#235:00011:16", "nwparser.payload", "The system default-route through virtual router %{node->} has been added in virtual router %{fld2}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg237 = msg("00011:16", part402); - - var part403 = match("MESSAGE#236:00011:17/0", "nwparser.payload", "The virtual router %{node->} has been made %{p0}"); - - var part404 = match("MESSAGE#236:00011:17/1_0", "nwparser.p0", "sharable%{}"); - - var part405 = match("MESSAGE#236:00011:17/1_1", "nwparser.p0", "unsharable%{}"); - - var part406 = match("MESSAGE#236:00011:17/1_2", "nwparser.p0", "default virtual router for virtual system %{fld2}"); - - var select92 = linear_select([ - part404, - part405, - part406, - ]); - - var all78 = all_match({ - processors: [ - part403, - select92, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg238 = msg("00011:17", all78); - - var part407 = match("MESSAGE#237:00011:18/0_0", "nwparser.payload", "Source route(s) %{p0}"); - - var part408 = match("MESSAGE#237:00011:18/0_1", "nwparser.payload", "A source route %{p0}"); - - var select93 = linear_select([ - part407, - part408, - ]); - - var part409 = 
match("MESSAGE#237:00011:18/1", "nwparser.p0", "in virtual router %{node->} %{p0}"); - - var part410 = match("MESSAGE#237:00011:18/2_0", "nwparser.p0", "with route addresses of %{p0}"); - - var part411 = match("MESSAGE#237:00011:18/2_1", "nwparser.p0", "that has IP address %{p0}"); - - var select94 = linear_select([ - part410, - part411, - ]); - - var part412 = match("MESSAGE#237:00011:18/3", "nwparser.p0", "%{hostip}/%{fld2->} through interface %{interface->} and %{p0}"); - - var part413 = match("MESSAGE#237:00011:18/4_0", "nwparser.p0", "a default gateway address %{p0}"); - - var select95 = linear_select([ - part413, - dup135, - ]); - - var part414 = match("MESSAGE#237:00011:18/5", "nwparser.p0", "%{fld3->} with metric %{fld4->} %{p0}"); - - var all79 = all_match({ - processors: [ - select93, - part409, - select94, - part412, - select95, - part414, - dup350, - dup128, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg239 = msg("00011:18", all79); - - var part415 = match("MESSAGE#238:00011:19/0", "nwparser.payload", "Source Route(s) in virtual router %{node->} with %{p0}"); - - var part416 = match("MESSAGE#238:00011:19/1_0", "nwparser.p0", "route addresses of %{p0}"); - - var part417 = match("MESSAGE#238:00011:19/1_1", "nwparser.p0", "an IP address %{p0}"); - - var select96 = linear_select([ - part416, - part417, - ]); - - var part418 = match("MESSAGE#238:00011:19/2", "nwparser.p0", "%{hostip}/%{fld3->} and %{p0}"); - - var part419 = match("MESSAGE#238:00011:19/3_0", "nwparser.p0", "a default gateway address of %{p0}"); - - var select97 = linear_select([ - part419, - dup135, - ]); - - var part420 = match("MESSAGE#238:00011:19/4", "nwparser.p0", "%{fld4->} %{p0}"); - - var part421 = match("MESSAGE#238:00011:19/5_1", "nwparser.p0", "has been%{p0}"); - - var select98 = linear_select([ - dup107, - part421, - ]); - - var all80 = all_match({ - processors: [ - part415, - select96, - part418, - select97, - part420, - 
select98, - dup136, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg240 = msg("00011:19", all80); - - var part422 = match("MESSAGE#239:00011:20/0_0", "nwparser.payload", "%{fld2}: A %{p0}"); - - var select99 = linear_select([ - part422, - dup79, - ]); - - var part423 = match("MESSAGE#239:00011:20/1", "nwparser.p0", "route has been created in virtual router \"%{node}\"%{space}with an IP address %{hostip->} and next-hop as virtual router \"%{fld3}\""); - - var all81 = all_match({ - processors: [ - select99, - part423, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg241 = msg("00011:20", all81); - - var part424 = match("MESSAGE#240:00011:21", "nwparser.payload", "SIBR route(s) in virtual router %{node->} for interface %{interface->} with an IP address %{hostip->} and gateway %{fld2->} has been %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg242 = msg("00011:21", part424); - - var part425 = match("MESSAGE#241:00011:22", "nwparser.payload", "SIBR route in virtual router %{node->} for interface %{interface->} that has IP address %{hostip->} through interface %{fld3->} and gateway %{fld4->} with metric %{fld5->} was %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg243 = msg("00011:22", part425); - - var all82 = all_match({ - processors: [ - dup132, - dup343, - dup131, - ], - on_success: processor_chain([ - dup58, - dup2, - dup59, - dup9, - dup3, - dup4, - dup5, - call({ - dest: "nwparser.inout", - fn: DIRCHK, - args: [ - field("$IN"), - field("saddr"), - field("daddr"), - ], - }), - ]), - }); - - var msg244 = msg("00011:23", all82); - - var part426 = match("MESSAGE#243:00011:24", "nwparser.payload", "Route in virtual router \"%{node}\" that has IP address %{hostip->} through interface %{interface->} and gateway %{fld2->} with metric %{fld3->} %{disposition}. 
(%{fld1})", processor_chain([ - dup44, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg245 = msg("00011:24", part426); - - var part427 = match("MESSAGE#244:00011:25", "nwparser.payload", "Route(s) in virtual router \"%{node}\" with an IP address %{hostip}/%{fld2->} and gateway %{fld3->} %{disposition}. (%{fld1})", processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg246 = msg("00011:25", part427); - - var part428 = match("MESSAGE#245:00011:26", "nwparser.payload", "Route in virtual router \"%{node}\" with IP address %{hostip}/%{fld2->} and next-hop as virtual router \"%{fld3}\" created. (%{fld1})", processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg247 = msg("00011:26", part428); - - var select100 = linear_select([ - msg222, - msg223, - msg224, - msg225, - msg226, - msg227, - msg228, - msg229, - msg230, - msg231, - msg232, - msg233, - msg234, - msg235, - msg236, - msg237, - msg238, - msg239, - msg240, - msg241, - msg242, - msg243, - msg244, - msg245, - msg246, - msg247, - ]); - - var part429 = match("MESSAGE#246:00012:02", "nwparser.payload", "Service group %{group->} comments have been %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg248 = msg("00012:02", part429); - - var part430 = match("MESSAGE#247:00012:03", "nwparser.payload", "Service group %{change_old->} %{change_attribute->} has been changed to %{change_new}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg249 = msg("00012:03", part430); - - var part431 = match("MESSAGE#248:00012:04", "nwparser.payload", "%{fld2->} Service group %{group->} has %{disposition->} member %{username->} from host %{saddr}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg250 = msg("00012:04", part431); - - var part432 = match("MESSAGE#249:00012:05", "nwparser.payload", "%{signame->} from %{saddr}/%{sport->} to %{daddr}/%{dport->} protocol %{protocol->} 
(%{fld2}) (%{fld3})", processor_chain([ - dup58, - dup2, - dup3, - dup4, - dup5, - dup61, - ])); - - var msg251 = msg("00012:05", part432); - - var part433 = match("MESSAGE#250:00012:06", "nwparser.payload", "%{signame->} has been detected! From %{saddr}:%{sport->} to %{daddr}:%{dport->} using protocol %{protocol->} on interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([ - dup58, - dup2, - dup3, - dup4, - dup5, - dup59, - dup61, - ])); - - var msg252 = msg("00012:06", part433); - - var part434 = match("MESSAGE#251:00012:07", "nwparser.payload", "%{signame->} has been detected! From %{saddr}:%{sport->} to %{daddr}:%{dport}, using protocol %{protocol}, and arriving at interface %{dinterface->} in zone %{dst_zone}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([ - dup58, - dup2, - dup3, - dup4, - dup5, - dup61, - dup59, - ])); - - var msg253 = msg("00012:07", part434); - - var part435 = match("MESSAGE#252:00012:08", "nwparser.payload", "%{fld2}: Service %{service->} has been %{disposition->} from host %{saddr->} (%{fld1})", processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg254 = msg("00012:08", part435); - - var all83 = all_match({ - processors: [ - dup80, - dup343, - dup83, - ], - on_success: processor_chain([ - dup58, - dup2, - dup59, - dup9, - dup3, - dup4, - dup5, - dup61, - ]), - }); - - var msg255 = msg("00012:09", all83); - - var all84 = all_match({ - processors: [ - dup132, - dup343, - dup83, - ], - on_success: processor_chain([ - dup58, - dup2, - dup9, - dup59, - dup3, - dup4, - dup5, - dup60, - ]), - }); - - var msg256 = msg("00012:10", all84); - - var part436 = match("MESSAGE#255:00012:11", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to %{daddr}:%{dport}, using protocol %{protocol}, on zone %{zone->} interface %{interface}.The attack occurred %{dclass_counter1->} times. 
(%{fld1})", processor_chain([ - dup58, - dup2, - dup3, - dup4, - dup59, - dup5, - dup9, - dup61, - ])); - - var msg257 = msg("00012:11", part436); - - var part437 = match("MESSAGE#256:00012:12", "nwparser.payload", "%{signame->} from %{saddr}/%{sport->} to %{daddr}/%{dport->} protocol %{protocol->} (%{zone}) %{info->} (%{fld1})", processor_chain([ - dup58, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg258 = msg("00012:12", part437); - - var part438 = match("MESSAGE#257:00012", "nwparser.payload", "Service group %{group->} has been %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg259 = msg("00012", part438); - - var part439 = match("MESSAGE#258:00012:01", "nwparser.payload", "Service %{service->} has been %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg260 = msg("00012:01", part439); - - var select101 = linear_select([ - msg248, - msg249, - msg250, - msg251, - msg252, - msg253, - msg254, - msg255, - msg256, - msg257, - msg258, - msg259, - msg260, - ]); - - var part440 = match("MESSAGE#259:00013", "nwparser.payload", "Global Manager error in decoding bytes has been detected%{}", processor_chain([ - dup86, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg261 = msg("00013", part440); - - var part441 = match("MESSAGE#260:00013:01", "nwparser.payload", "Intruder has attempted to connect to the NetScreen-Global Manager port! 
From %{saddr}:%{sport->} to %{daddr}:%{dport->} using protocol %{protocol->} at interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([ - dup58, - dup2, - dup3, - dup59, - dup4, - dup5, - dup61, - setc("signame","An Attempt to connect to NetScreen-Global Manager Port."), - ])); - - var msg262 = msg("00013:01", part441); - - var part442 = match("MESSAGE#261:00013:02", "nwparser.payload", "URL Filtering %{fld2->} has been changed to %{fld3}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg263 = msg("00013:02", part442); - - var part443 = match("MESSAGE#262:00013:03", "nwparser.payload", "Web Filtering has been %{disposition->} (%{fld1})", processor_chain([ - dup50, - dup43, - dup51, - dup2, - dup4, - dup5, - dup9, - ])); - - var msg264 = msg("00013:03", part443); - - var select102 = linear_select([ - msg261, - msg262, - msg263, - msg264, - ]); - - var part444 = match("MESSAGE#263:00014", "nwparser.payload", "%{change_attribute->} in minutes has changed from %{change_old->} to %{change_new}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg265 = msg("00014", part444); - - var part445 = match("MESSAGE#264:00014:01/0", "nwparser.payload", "The group member %{username->} has been %{disposition->} %{p0}"); - - var part446 = match("MESSAGE#264:00014:01/1_0", "nwparser.p0", "to a group%{}"); - - var part447 = match("MESSAGE#264:00014:01/1_1", "nwparser.p0", "from a group%{}"); - - var select103 = linear_select([ - part446, - part447, - ]); - - var all85 = all_match({ - processors: [ - part445, - select103, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg266 = msg("00014:01", all85); - - var part448 = match("MESSAGE#265:00014:02", "nwparser.payload", "The user group %{group->} has been %{disposition->} by %{username}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg267 = msg("00014:02", part448); - 
- var part449 = match("MESSAGE#266:00014:03", "nwparser.payload", "The user %{username->} has been %{disposition->} by %{administrator}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg268 = msg("00014:03", part449); - - var part450 = match("MESSAGE#267:00014:04", "nwparser.payload", "Communication error with %{hostname->} server { %{hostip->} }: SrvErr (%{fld2}), SockErr (%{fld3}), Valid (%{fld4}),Connected (%{fld5})", processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg269 = msg("00014:04", part450); - - var part451 = match("MESSAGE#268:00014:05", "nwparser.payload", "System clock configurations have been %{disposition->} by admin %{administrator}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg270 = msg("00014:05", part451); - - var part452 = match("MESSAGE#269:00014:06", "nwparser.payload", "System clock is %{disposition->} manually.", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg271 = msg("00014:06", part452); - - var part453 = match("MESSAGE#270:00014:07", "nwparser.payload", "System up time is %{disposition->} by %{fld2}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg272 = msg("00014:07", part453); - - var part454 = match("MESSAGE#271:00014:08", "nwparser.payload", "Communication error with %{hostname->} server[%{hostip}]: SrvErr(%{fld2}),SockErr(%{fld3}),Valid(%{fld4}),Connected(%{fld5}) (%{fld1})", processor_chain([ - dup27, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg273 = msg("00014:08", part454); - - var select104 = linear_select([ - msg265, - msg266, - msg267, - msg268, - msg269, - msg270, - msg271, - msg272, - msg273, - ]); - - var part455 = match("MESSAGE#272:00015", "nwparser.payload", "Authentication type has been changed to %{authmethod}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg274 = msg("00015", part455); - - var part456 = match("MESSAGE#273:00015:01", 
"nwparser.payload", "IP tracking to %{daddr->} has %{disposition}", processor_chain([ - dup86, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg275 = msg("00015:01", part456); - - var part457 = match("MESSAGE#274:00015:02/0", "nwparser.payload", "LDAP %{p0}"); - - var part458 = match("MESSAGE#274:00015:02/1_0", "nwparser.p0", "server name %{p0}"); - - var part459 = match("MESSAGE#274:00015:02/1_2", "nwparser.p0", "distinguished name %{p0}"); - - var part460 = match("MESSAGE#274:00015:02/1_3", "nwparser.p0", "common name %{p0}"); - - var select105 = linear_select([ - part458, - dup137, - part459, - part460, - ]); - - var all86 = all_match({ - processors: [ - part457, - select105, - dup138, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg276 = msg("00015:02", all86); - - var part461 = match("MESSAGE#275:00015:03", "nwparser.payload", "Primary HA link has gone down. Local NetScreen device has begun using the secondary HA link%{}", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg277 = msg("00015:03", part461); - - var part462 = match("MESSAGE#276:00015:04/0", "nwparser.payload", "RADIUS server %{p0}"); - - var part463 = match("MESSAGE#276:00015:04/1_2", "nwparser.p0", "secret %{p0}"); - - var select106 = linear_select([ - dup139, - dup140, - part463, - ]); - - var all87 = all_match({ - processors: [ - part462, - select106, - dup138, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg278 = msg("00015:04", all87); - - var part464 = match("MESSAGE#277:00015:05/0", "nwparser.payload", "SecurID %{p0}"); - - var part465 = match("MESSAGE#277:00015:05/1_0", "nwparser.p0", "authentication port %{p0}"); - - var part466 = match("MESSAGE#277:00015:05/1_1", "nwparser.p0", "duress mode %{p0}"); - - var part467 = match("MESSAGE#277:00015:05/1_3", "nwparser.p0", "number of retries value %{p0}"); - - var select107 = linear_select([ - part465, - part466, - 
dup76, - part467, - ]); - - var all88 = all_match({ - processors: [ - part464, - select107, - dup138, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg279 = msg("00015:05", all88); - - var part468 = match("MESSAGE#278:00015:06/0_0", "nwparser.payload", "Master %{p0}"); - - var part469 = match("MESSAGE#278:00015:06/0_1", "nwparser.payload", "Backup %{p0}"); - - var select108 = linear_select([ - part468, - part469, - ]); - - var part470 = match("MESSAGE#278:00015:06/1", "nwparser.p0", "SecurID server IP address has been %{disposition}"); - - var all89 = all_match({ - processors: [ - select108, - part470, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg280 = msg("00015:06", all89); - - var part471 = match("MESSAGE#279:00015:07", "nwparser.payload", "HA change from slave to master%{}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg281 = msg("00015:07", part471); - - var part472 = match("MESSAGE#280:00015:08", "nwparser.payload", "inconsistent configuration between master and slave%{}", processor_chain([ - dup141, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg282 = msg("00015:08", part472); - - var part473 = match("MESSAGE#281:00015:09/0_0", "nwparser.payload", "configuration %{p0}"); - - var part474 = match("MESSAGE#281:00015:09/0_1", "nwparser.payload", "Configuration %{p0}"); - - var select109 = linear_select([ - part473, - part474, - ]); - - var part475 = match("MESSAGE#281:00015:09/1", "nwparser.p0", "out of sync between local unit and remote unit%{}"); - - var all90 = all_match({ - processors: [ - select109, - part475, - ], - on_success: processor_chain([ - dup141, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg283 = msg("00015:09", all90); - - var part476 = match("MESSAGE#282:00015:10", "nwparser.payload", "HA control channel change to %{interface}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - 
var msg284 = msg("00015:10", part476); - - var part477 = match("MESSAGE#283:00015:11", "nwparser.payload", "HA data channel change to %{interface}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg285 = msg("00015:11", part477); - - var part478 = match("MESSAGE#284:00015:12/1_0", "nwparser.p0", "control %{p0}"); - - var part479 = match("MESSAGE#284:00015:12/1_1", "nwparser.p0", "data %{p0}"); - - var select110 = linear_select([ - part478, - part479, - ]); - - var part480 = match("MESSAGE#284:00015:12/2", "nwparser.p0", "channel moved from link %{p0}"); - - var part481 = match("MESSAGE#284:00015:12/6", "nwparser.p0", "(%{interface})"); - - var all91 = all_match({ - processors: [ - dup87, - select110, - part480, - dup353, - dup103, - dup353, - part481, - ], - on_success: processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg286 = msg("00015:12", all91); - - var part482 = match("MESSAGE#285:00015:13", "nwparser.payload", "HA: Slave is down%{}", processor_chain([ - dup144, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg287 = msg("00015:13", part482); - - var part483 = match("MESSAGE#286:00015:14/0", "nwparser.payload", "NSRP link %{p0}"); - - var all92 = all_match({ - processors: [ - part483, - dup353, - dup116, - ], - on_success: processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg288 = msg("00015:14", all92); - - var part484 = match("MESSAGE#287:00015:15", "nwparser.payload", "no HA %{fld2->} channel available (%{fld3->} used by other channel)", processor_chain([ - dup117, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg289 = msg("00015:15", part484); - - var part485 = match("MESSAGE#288:00015:16", "nwparser.payload", "The NSRP configuration is out of synchronization between the local device and the peer device.%{}", processor_chain([ - dup18, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg290 = msg("00015:16", part485); - - var part486 = match("MESSAGE#289:00015:17", 
"nwparser.payload", "NSRP %{change_attribute->} %{change_old->} changed to link channel %{change_new}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg291 = msg("00015:17", part486); - - var part487 = match("MESSAGE#290:00015:18", "nwparser.payload", "RTO mirror group %{group->} with direction %{direction->} on peer device %{fld2->} changed from %{fld3->} to %{fld4->} state.", processor_chain([ - dup121, - dup2, - dup3, - dup4, - dup5, - setc("change_attribute","RTO mirror group"), - ])); - - var msg292 = msg("00015:18", part487); - - var part488 = match("MESSAGE#291:00015:19", "nwparser.payload", "RTO mirror group %{group->} with direction %{direction->} on local device %{fld2}, detected a duplicate direction on the peer device %{fld3}", processor_chain([ - dup18, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg293 = msg("00015:19", part488); - - var part489 = match("MESSAGE#292:00015:20", "nwparser.payload", "RTO mirror group %{group->} with direction %{direction->} changed on the local device from %{fld2->} to up state, it had peer device %{fld3}", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg294 = msg("00015:20", part489); - - var part490 = match("MESSAGE#293:00015:21/0", "nwparser.payload", "Peer device %{fld2->} %{p0}"); - - var part491 = match("MESSAGE#293:00015:21/1_0", "nwparser.p0", "disappeared %{p0}"); - - var part492 = match("MESSAGE#293:00015:21/1_1", "nwparser.p0", "was discovered %{p0}"); - - var select111 = linear_select([ - part491, - part492, - ]); - - var all93 = all_match({ - processors: [ - part490, - select111, - dup116, - ], - on_success: processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg295 = msg("00015:21", all93); - - var part493 = match("MESSAGE#294:00015:22/0_0", "nwparser.payload", "The local %{p0}"); - - var part494 = match("MESSAGE#294:00015:22/0_1", "nwparser.payload", "The peer %{p0}"); - - var part495 = match("MESSAGE#294:00015:22/0_2", 
"nwparser.payload", "Peer %{p0}"); - - var select112 = linear_select([ - part493, - part494, - part495, - ]); - - var part496 = match("MESSAGE#294:00015:22/1", "nwparser.p0", "device %{fld2->} in the Virtual Security Device group %{group->} changed %{change_attribute->} from %{change_old->} to %{change_new->} %{p0}"); - - var all94 = all_match({ - processors: [ - select112, - part496, - dup354, - ], - on_success: processor_chain([ - dup44, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg296 = msg("00015:22", all94); - - var part497 = match("MESSAGE#295:00015:23", "nwparser.payload", "WebAuth is set to %{fld2}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg297 = msg("00015:23", part497); - - var part498 = match("MESSAGE#296:00015:24", "nwparser.payload", "Default firewall authentication server has been changed to %{hostname}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg298 = msg("00015:24", part498); - - var part499 = match("MESSAGE#297:00015:25", "nwparser.payload", "Admin user %{administrator->} attempted to verify the encrypted password %{fld2}. Verification was successful", processor_chain([ - setc("eventcategory","1613050100"), - dup2, - dup3, - dup4, - dup5, - ])); - - var msg299 = msg("00015:25", part499); - - var part500 = match("MESSAGE#298:00015:29", "nwparser.payload", "Admin user %{administrator->} attempted to verify the encrypted password %{fld2}. 
Verification failed", processor_chain([ - dup97, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg300 = msg("00015:29", part500); - - var part501 = match("MESSAGE#299:00015:26/0", "nwparser.payload", "unit %{fld2->} just dis%{p0}"); - - var part502 = match("MESSAGE#299:00015:26/1_0", "nwparser.p0", "appeared%{}"); - - var part503 = match("MESSAGE#299:00015:26/1_1", "nwparser.p0", "covered%{}"); - - var select113 = linear_select([ - part502, - part503, - ]); - - var all95 = all_match({ - processors: [ - part501, - select113, - ], - on_success: processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg301 = msg("00015:26", all95); - - var part504 = match("MESSAGE#300:00015:33", "nwparser.payload", "NSRP: HA data channel change to %{interface}. (%{fld2})", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - dup146, - ])); - - var msg302 = msg("00015:33", part504); - - var part505 = match("MESSAGE#301:00015:27", "nwparser.payload", "NSRP: %{fld2}", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg303 = msg("00015:27", part505); - - var part506 = match("MESSAGE#302:00015:28", "nwparser.payload", "Auth server %{hostname->} RADIUS retry timeout has been set to default of %{fld2}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg304 = msg("00015:28", part506); - - var part507 = match("MESSAGE#303:00015:30/0", "nwparser.payload", "Number of RADIUS retries for auth server %{hostname->} %{p0}"); - - var part508 = match("MESSAGE#303:00015:30/2", "nwparser.p0", "set to %{fld2->} (%{fld1})"); - - var all96 = all_match({ - processors: [ - part507, - dup355, - part508, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg305 = msg("00015:30", all96); - - var part509 = match("MESSAGE#304:00015:31", "nwparser.payload", "Forced timeout for Auth server %{hostname->} is unset to its default value, %{info->} (%{fld1})", processor_chain([ - 
dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg306 = msg("00015:31", part509); - - var part510 = match("MESSAGE#305:00015:32", "nwparser.payload", "Accounting port of server RADIUS is set to %{network_port}. (%{fld1})", processor_chain([ - dup50, - dup43, - dup51, - dup2, - dup4, - dup5, - dup9, - ])); - - var msg307 = msg("00015:32", part510); - - var select114 = linear_select([ - msg274, - msg275, - msg276, - msg277, - msg278, - msg279, - msg280, - msg281, - msg282, - msg283, - msg284, - msg285, - msg286, - msg287, - msg288, - msg289, - msg290, - msg291, - msg292, - msg293, - msg294, - msg295, - msg296, - msg297, - msg298, - msg299, - msg300, - msg301, - msg302, - msg303, - msg304, - msg305, - msg306, - msg307, - ]); - - var part511 = match("MESSAGE#306:00016", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to %{daddr->} using protocol %{protocol->} on interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([ - dup147, - dup148, - dup149, - dup150, - dup2, - dup3, - dup59, - dup4, - dup5, - dup61, - ])); - - var msg308 = msg("00016", part511); - - var part512 = match("MESSAGE#307:00016:01", "nwparser.payload", "Address VIP (%{fld2}) for %{fld3->} has been %{disposition}.", processor_chain([ - dup1, - dup148, - dup149, - dup150, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg309 = msg("00016:01", part512); - - var part513 = match("MESSAGE#308:00016:02", "nwparser.payload", "VIP (%{fld2}) has been %{disposition}", processor_chain([ - dup1, - dup148, - dup149, - dup150, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg310 = msg("00016:02", part513); - - var part514 = match("MESSAGE#309:00016:03", "nwparser.payload", "%{signame->} from %{saddr}/%{sport->} to %{daddr}/%{dport->} protocol %{protocol->} (%{fld2})", processor_chain([ - dup147, - dup148, - dup149, - dup150, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg311 = msg("00016:03", part514); - - var part515 = 
match("MESSAGE#310:00016:05", "nwparser.payload", "VIP multi-port was %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg312 = msg("00016:05", part515); - - var part516 = match("MESSAGE#311:00016:06", "nwparser.payload", "%{signame->} has been detected! From %{saddr}:%{sport->} to %{daddr}:%{dport}, using protocol %{protocol}, and arriving at interface %{dinterface->} in zone %{dst_zone}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([ - dup147, - dup148, - dup149, - dup150, - dup2, - dup3, - dup59, - dup4, - dup5, - dup61, - ])); - - var msg313 = msg("00016:06", part516); - - var part517 = match("MESSAGE#312:00016:07/0", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to %{daddr}:%{dport}, proto %{protocol->} ( zone %{p0}"); - - var all97 = all_match({ - processors: [ - part517, - dup338, - dup67, - ], - on_success: processor_chain([ - dup147, - dup148, - dup149, - dup150, - dup2, - dup9, - dup59, - dup3, - dup4, - dup5, - dup61, - ]), - }); - - var msg314 = msg("00016:07", all97); - - var part518 = match("MESSAGE#313:00016:08", "nwparser.payload", "VIP (%{fld2}:%{fld3->} HTTP %{fld4}) Modify by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport->} (%{fld1})", processor_chain([ - setc("eventcategory","1001020305"), - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg315 = msg("00016:08", part518); - - var part519 = match("MESSAGE#314:00016:09", "nwparser.payload", "VIP (%{fld2}:%{fld3->} HTTP %{fld4}) New by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport->} (%{fld1})", processor_chain([ - setc("eventcategory","1001030305"), - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg316 = msg("00016:09", part519); - - var select115 = linear_select([ - msg308, - msg309, - msg310, - msg311, - msg312, - msg313, - msg314, - msg315, - msg316, - ]); - - var part520 = match("MESSAGE#315:00017", "nwparser.payload", "%{signame->} From 
%{saddr}:%{sport->} using protocol %{protocol->} on interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([ - dup151, - dup2, - dup3, - dup59, - dup4, - dup5, - ])); - - var msg317 = msg("00017", part520); - - var part521 = match("MESSAGE#316:00017:23/0", "nwparser.payload", "Gateway %{fld2->} at %{fld3->} in %{fld5->} mode with ID %{p0}"); - - var part522 = match("MESSAGE#316:00017:23/1_0", "nwparser.p0", "[%{fld4}] %{p0}"); - - var part523 = match("MESSAGE#316:00017:23/1_1", "nwparser.p0", "%{fld4->} %{p0}"); - - var select116 = linear_select([ - part522, - part523, - ]); - - var part524 = match("MESSAGE#316:00017:23/2", "nwparser.p0", "has been %{disposition->} by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport->} %{fld}"); - - var all98 = all_match({ - processors: [ - part521, - select116, - part524, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg318 = msg("00017:23", all98); - - var part525 = match("MESSAGE#317:00017:01/0_0", "nwparser.payload", "%{fld1}: Gateway %{p0}"); - - var part526 = match("MESSAGE#317:00017:01/0_1", "nwparser.payload", "Gateway %{p0}"); - - var select117 = linear_select([ - part525, - part526, - ]); - - var part527 = match("MESSAGE#317:00017:01/1", "nwparser.p0", "%{fld2->} at %{fld3->} in %{fld5->} mode with ID%{p0}"); - - var part528 = match("MESSAGE#317:00017:01/3", "nwparser.p0", "%{fld4->} has been %{disposition}"); - - var all99 = all_match({ - processors: [ - select117, - part527, - dup356, - part528, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg319 = msg("00017:01", all99); - - var part529 = match("MESSAGE#318:00017:02", "nwparser.payload", "IKE %{hostip}: Gateway settings have been %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg320 = msg("00017:02", part529); - - var part530 = match("MESSAGE#319:00017:03", 
"nwparser.payload", "IKE key %{fld2->} has been %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg321 = msg("00017:03", part530); - - var part531 = match("MESSAGE#320:00017:04/2", "nwparser.p0", "%{group_object->} with range %{fld2->} has been %{disposition}"); - - var all100 = all_match({ - processors: [ - dup153, - dup357, - part531, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg322 = msg("00017:04", all100); - - var part532 = match("MESSAGE#321:00017:05", "nwparser.payload", "IPSec NAT-T for VPN %{group->} has been %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg323 = msg("00017:05", part532); - - var part533 = match("MESSAGE#322:00017:06/0", "nwparser.payload", "The DF-BIT for VPN %{group->} has been set to %{p0}"); - - var part534 = match("MESSAGE#322:00017:06/1_0", "nwparser.p0", "clear %{p0}"); - - var part535 = match("MESSAGE#322:00017:06/1_2", "nwparser.p0", "copy %{p0}"); - - var select118 = linear_select([ - part534, - dup101, - part535, - ]); - - var all101 = all_match({ - processors: [ - part533, - select118, - dup116, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg324 = msg("00017:06", all101); - - var part536 = match("MESSAGE#323:00017:07/0", "nwparser.payload", "The DF-BIT for VPN %{group->} has been %{p0}"); - - var part537 = match("MESSAGE#323:00017:07/1_0", "nwparser.p0", "clear%{}"); - - var part538 = match("MESSAGE#323:00017:07/1_1", "nwparser.p0", "cleared%{}"); - - var part539 = match("MESSAGE#323:00017:07/1_3", "nwparser.p0", "copy%{}"); - - var part540 = match("MESSAGE#323:00017:07/1_4", "nwparser.p0", "copied%{}"); - - var select119 = linear_select([ - part537, - part538, - dup98, - part539, - part540, - ]); - - var all102 = all_match({ - processors: [ - part536, - select119, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - 
dup5, - ]), - }); - - var msg325 = msg("00017:07", all102); - - var part541 = match("MESSAGE#324:00017:08", "nwparser.payload", "VPN %{group->} with gateway %{fld2->} and SPI %{fld3}/%{fld4->} has been %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg326 = msg("00017:08", part541); - - var part542 = match("MESSAGE#325:00017:09/0_0", "nwparser.payload", "%{fld1}: VPN %{p0}"); - - var part543 = match("MESSAGE#325:00017:09/0_1", "nwparser.payload", "VPN %{p0}"); - - var select120 = linear_select([ - part542, - part543, - ]); - - var part544 = match("MESSAGE#325:00017:09/1", "nwparser.p0", "%{group->} with gateway %{fld2->} %{p0}"); - - var part545 = match("MESSAGE#325:00017:09/2_0", "nwparser.p0", "no-rekey %{p0}"); - - var part546 = match("MESSAGE#325:00017:09/2_1", "nwparser.p0", "rekey, %{p0}"); - - var part547 = match("MESSAGE#325:00017:09/2_2", "nwparser.p0", "rekey %{p0}"); - - var select121 = linear_select([ - part545, - part546, - part547, - ]); - - var part548 = match("MESSAGE#325:00017:09/3", "nwparser.p0", "and p2-proposal %{fld3->} has been %{p0}"); - - var part549 = match("MESSAGE#325:00017:09/4_0", "nwparser.p0", "%{disposition->} from peer unit"); - - var part550 = match("MESSAGE#325:00017:09/4_1", "nwparser.p0", "%{disposition->} from host %{saddr}"); - - var select122 = linear_select([ - part549, - part550, - dup36, - ]); - - var all103 = all_match({ - processors: [ - select120, - part544, - select121, - part548, - select122, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg327 = msg("00017:09", all103); - - var part551 = match("MESSAGE#326:00017:10/0", "nwparser.payload", "VPN monitoring for VPN %{group->} has been %{disposition}. 
Src IF %{sinterface->} dst IP %{daddr->} with rekeying %{p0}"); - - var all104 = all_match({ - processors: [ - part551, - dup358, - dup116, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg328 = msg("00017:10", all104); - - var part552 = match("MESSAGE#327:00017:11", "nwparser.payload", "VPN monitoring for VPN %{group->} has been %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg329 = msg("00017:11", part552); - - var part553 = match("MESSAGE#328:00017:12/0", "nwparser.payload", "VPN monitoring %{p0}"); - - var part554 = match("MESSAGE#328:00017:12/1_2", "nwparser.p0", "frequency %{p0}"); - - var select123 = linear_select([ - dup109, - dup110, - part554, - ]); - - var all105 = all_match({ - processors: [ - part553, - select123, - dup127, - dup359, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg330 = msg("00017:12", all105); - - var part555 = match("MESSAGE#329:00017:26", "nwparser.payload", "VPN %{group->} with gateway %{fld2->} and P2 proposal %{fld3->} has been added by %{username->} via %{logon_type->} from host %{saddr}:%{sport}. (%{fld1})", processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg331 = msg("00017:26", part555); - - var part556 = match("MESSAGE#330:00017:13", "nwparser.payload", "No IP pool has been assigned. You cannot allocate an IP address.%{}", processor_chain([ - dup18, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg332 = msg("00017:13", part556); - - var part557 = match("MESSAGE#331:00017:14", "nwparser.payload", "P1 proposal %{fld2->} with %{protocol_detail}, DH group %{group}, ESP %{encryption_type}, auth %{authmethod}, and lifetime %{fld3->} has been %{disposition->} by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport}. 
(%{fld1})", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup9, - dup5, - ])); - - var msg333 = msg("00017:14", part557); - - var part558 = match("MESSAGE#332:00017:15/0", "nwparser.payload", "P2 proposal %{fld2->} with DH group %{group->} %{p0}"); - - var part559 = match("MESSAGE#332:00017:15/2", "nwparser.p0", "%{encryption_type->} auth %{authmethod->} and lifetime (%{fld3}) (%{fld4}) has been %{disposition}."); - - var all106 = all_match({ - processors: [ - part558, - dup360, - part559, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg334 = msg("00017:15", all106); - - var part560 = match("MESSAGE#333:00017:31/0", "nwparser.payload", "P1 proposal %{fld2->} with %{protocol_detail->} DH group %{group->} %{p0}"); - - var part561 = match("MESSAGE#333:00017:31/2", "nwparser.p0", "%{encryption_type->} auth %{authmethod->} and lifetime %{fld3->} has been %{disposition}."); - - var all107 = all_match({ - processors: [ - part560, - dup360, - part561, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg335 = msg("00017:31", all107); - - var part562 = match("MESSAGE#334:00017:16/0", "nwparser.payload", "vpnmonitor interval is %{p0}"); - - var all108 = all_match({ - processors: [ - part562, - dup359, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg336 = msg("00017:16", all108); - - var part563 = match("MESSAGE#335:00017:17/0", "nwparser.payload", "vpnmonitor threshold is %{p0}"); - - var select124 = linear_select([ - dup99, - dup93, - ]); - - var all109 = all_match({ - processors: [ - part563, - select124, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg337 = msg("00017:17", all109); - - var part564 = match("MESSAGE#336:00017:18/2", "nwparser.p0", "%{group_object->} with range %{fld2->} was %{disposition}"); - - var all110 = all_match({ - processors: [ - dup153, - 
dup357, - part564, - ], - on_success: processor_chain([ - dup50, - dup43, - dup51, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg338 = msg("00017:18", all110); - - var part565 = match("MESSAGE#337:00017:19/0", "nwparser.payload", "%{signame->} From %{saddr->} to %{daddr}, using protocol %{protocol}, and arriving at %{p0}"); - - var part566 = match("MESSAGE#337:00017:19/2", "nwparser.p0", "%{} %{dinterface->} in zone %{dst_zone}.%{space}The attack occurred %{dclass_counter1->} times"); - - var all111 = all_match({ - processors: [ - part565, - dup337, - part566, - ], - on_success: processor_chain([ - dup151, - dup2, - dup3, - dup59, - dup4, - dup5, - ]), - }); - - var msg339 = msg("00017:19", all111); - - var all112 = all_match({ - processors: [ - dup64, - dup338, - dup67, - ], - on_success: processor_chain([ - dup151, - dup2, - dup9, - dup59, - dup3, - dup4, - dup5, - ]), - }); - - var msg340 = msg("00017:20", all112); - - var part567 = match("MESSAGE#339:00017:21", "nwparser.payload", "%{signame->} From %{saddr->} to %{daddr}, using protocol %{protocol}, on zone %{zone->} interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([ - dup151, - dup2, - dup3, - dup59, - dup4, - dup5, - ])); - - var msg341 = msg("00017:21", part567); - - var part568 = match("MESSAGE#340:00017:22", "nwparser.payload", "VPN %{group->} with gateway %{fld2->} and P2 proposal %{fld3->} has been %{disposition->} by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport->} (%{fld1})", processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg342 = msg("00017:22", part568); - - var part569 = match("MESSAGE#341:00017:24", "nwparser.payload", "VPN \"%{group}\" has been bound to tunnel interface %{interface}. 
(%{fld1})", processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg343 = msg("00017:24", part569); - - var part570 = match("MESSAGE#342:00017:25", "nwparser.payload", "VPN %{group->} with gateway %{fld2->} and P2 proposal standard has been added by admin %{administrator->} via NSRP Peer (%{fld1})", processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg344 = msg("00017:25", part570); - - var part571 = match("MESSAGE#343:00017:28", "nwparser.payload", "P2 proposal %{fld2->} with DH group %{group}, ESP, enc %{encryption_type}, auth %{authmethod}, and lifetime %{fld3->} has been %{disposition->} by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport}. (%{fld1})", processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg345 = msg("00017:28", part571); - - var part572 = match("MESSAGE#344:00017:29", "nwparser.payload", "L2TP \"%{fld2}\", all-L2TP-users secret \"%{fld3}\" keepalive %{fld4->} has been %{disposition->} by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport}. 
(%{fld1})", processor_chain([ - dup1, - dup2, - dup4, - dup5, - dup9, - ])); - - var msg346 = msg("00017:29", part572); - - var select125 = linear_select([ - msg317, - msg318, - msg319, - msg320, - msg321, - msg322, - msg323, - msg324, - msg325, - msg326, - msg327, - msg328, - msg329, - msg330, - msg331, - msg332, - msg333, - msg334, - msg335, - msg336, - msg337, - msg338, - msg339, - msg340, - msg341, - msg342, - msg343, - msg344, - msg345, - msg346, - ]); - - var part573 = match("MESSAGE#345:00018", "nwparser.payload", "Positions of policies %{fld2->} and %{fld3->} have been exchanged", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg347 = msg("00018", part573); - - var part574 = match("MESSAGE#346:00018:01", "nwparser.payload", "Deny Policy Alarm%{}", processor_chain([ - setc("eventcategory","1502010000"), - dup2, - dup4, - dup5, - dup3, - ])); - - var msg348 = msg("00018:01", part574); - - var part575 = match("MESSAGE#347:00018:02", "nwparser.payload", "Device%{quote}s %{change_attribute->} has been changed from %{change_old->} to %{change_new->} by admin %{administrator}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg349 = msg("00018:02", part575); - - var part576 = match("MESSAGE#348:00018:04", "nwparser.payload", "%{fld2->} Policy (%{policy_id}, %{info->} ) was %{disposition->} from host %{saddr->} by admin %{administrator->} (%{fld1})", processor_chain([ - dup17, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg350 = msg("00018:04", part576); - - var part577 = match("MESSAGE#349:00018:16", "nwparser.payload", "%{fld2->} Policy (%{policy_id}, %{info->} ) was %{disposition->} by admin %{administrator->} via NSRP Peer", processor_chain([ - dup17, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg351 = msg("00018:16", part577); - - var part578 = match("MESSAGE#350:00018:06/0", "nwparser.payload", "%{fld2->} Policy %{policy_id->} has been moved %{p0}"); - - var part579 = 
match("MESSAGE#350:00018:06/1_0", "nwparser.p0", "before %{p0}"); - - var part580 = match("MESSAGE#350:00018:06/1_1", "nwparser.p0", "after %{p0}"); - - var select126 = linear_select([ - part579, - part580, - ]); - - var part581 = match("MESSAGE#350:00018:06/2", "nwparser.p0", "%{fld3->} by admin %{administrator}"); - - var all113 = all_match({ - processors: [ - part578, - select126, - part581, - ], - on_success: processor_chain([ - dup17, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg352 = msg("00018:06", all113); - - var part582 = match("MESSAGE#351:00018:08", "nwparser.payload", "Policy %{policy_id->} application was modified to %{disposition->} by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport->} (%{fld1})", processor_chain([ - dup17, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg353 = msg("00018:08", part582); - - var part583 = match("MESSAGE#352:00018:09", "nwparser.payload", "Policy (%{policy_id}, %{info}) was %{disposition->} by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport->} (%{fld1})", processor_chain([ - dup17, - dup3, - dup2, - dup9, - dup4, - dup5, - ])); - - var msg354 = msg("00018:09", part583); - - var part584 = match("MESSAGE#353:00018:10/0", "nwparser.payload", "Policy (%{policy_id}, %{info}) was %{p0}"); - - var part585 = match("MESSAGE#353:00018:10/1_0", "nwparser.p0", "%{disposition->} from peer unit by %{p0}"); - - var part586 = match("MESSAGE#353:00018:10/1_1", "nwparser.p0", "%{disposition->} by %{p0}"); - - var select127 = linear_select([ - part585, - part586, - ]); - - var part587 = match("MESSAGE#353:00018:10/2", "nwparser.p0", "%{username->} via %{interface->} from host %{saddr->} (%{fld1})"); - - var all114 = all_match({ - processors: [ - part584, - select127, - part587, - ], - on_success: processor_chain([ - dup17, - dup3, - dup2, - dup9, - dup4, - dup5, - ]), - }); - - var msg355 = msg("00018:10", all114); - - var part588 = match("MESSAGE#354:00018:11/1_0", 
"nwparser.p0", "Service %{service->} was %{p0}"); - - var part589 = match("MESSAGE#354:00018:11/1_1", "nwparser.p0", "Attack group %{signame->} was %{p0}"); - - var select128 = linear_select([ - part588, - part589, - ]); - - var part590 = match("MESSAGE#354:00018:11/2", "nwparser.p0", "%{disposition->} to policy ID %{policy_id->} by %{username->} via %{logon_type->} from host %{saddr->} %{p0}"); - - var part591 = match("MESSAGE#354:00018:11/3_0", "nwparser.p0", "to %{daddr}:%{dport}. %{p0}"); - - var select129 = linear_select([ - part591, - dup16, - ]); - - var all115 = all_match({ - processors: [ - dup160, - select128, - part590, - select129, - dup10, - ], - on_success: processor_chain([ - dup17, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg356 = msg("00018:11", all115); - - var part592 = match("MESSAGE#355:00018:12/0", "nwparser.payload", "In policy %{policy_id}, the %{p0}"); - - var part593 = match("MESSAGE#355:00018:12/1_0", "nwparser.p0", "application %{p0}"); - - var part594 = match("MESSAGE#355:00018:12/1_1", "nwparser.p0", "attack severity %{p0}"); - - var part595 = match("MESSAGE#355:00018:12/1_2", "nwparser.p0", "DI attack component %{p0}"); - - var select130 = linear_select([ - part593, - part594, - part595, - ]); - - var part596 = match("MESSAGE#355:00018:12/2", "nwparser.p0", "was modified by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport->} (%{fld1})"); - - var all116 = all_match({ - processors: [ - part592, - select130, - part596, - ], - on_success: processor_chain([ - dup17, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg357 = msg("00018:12", all116); - - var part597 = match("MESSAGE#356:00018:32/1", "nwparser.p0", "%{}address %{dhost}(%{daddr}) was %{disposition->} %{p0}"); - - var all117 = all_match({ - processors: [ - dup361, - part597, - dup362, - dup164, - ], - on_success: processor_chain([ - dup17, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg358 = msg("00018:32", 
all117); - - var part598 = match("MESSAGE#357:00018:22/1", "nwparser.p0", "%{}address %{dhost->} was %{disposition->} %{p0}"); - - var all118 = all_match({ - processors: [ - dup361, - part598, - dup362, - dup164, - ], - on_success: processor_chain([ - dup17, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg359 = msg("00018:22", all118); - - var part599 = match("MESSAGE#358:00018:15/0", "nwparser.payload", "%{agent->} was %{disposition->} from policy %{policy_id->} %{p0}"); - - var select131 = linear_select([ - dup78, - dup77, - ]); - - var part600 = match("MESSAGE#358:00018:15/2", "nwparser.p0", "address by admin %{administrator->} via NSRP Peer"); - - var all119 = all_match({ - processors: [ - part599, - select131, - part600, - ], - on_success: processor_chain([ - dup17, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg360 = msg("00018:15", all119); - - var part601 = match("MESSAGE#359:00018:14/0", "nwparser.payload", "%{agent->} was %{disposition->} %{p0}"); - - var part602 = match("MESSAGE#359:00018:14/1_0", "nwparser.p0", "to%{p0}"); - - var part603 = match("MESSAGE#359:00018:14/1_1", "nwparser.p0", "from%{p0}"); - - var select132 = linear_select([ - part602, - part603, - ]); - - var part604 = match("MESSAGE#359:00018:14/2", "nwparser.p0", "%{}policy %{policy_id->} %{p0}"); - - var part605 = match("MESSAGE#359:00018:14/3_0", "nwparser.p0", "service %{p0}"); - - var part606 = match("MESSAGE#359:00018:14/3_1", "nwparser.p0", "source address %{p0}"); - - var part607 = match("MESSAGE#359:00018:14/3_2", "nwparser.p0", "destination address %{p0}"); - - var select133 = linear_select([ - part605, - part606, - part607, - ]); - - var part608 = match("MESSAGE#359:00018:14/4", "nwparser.p0", "by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport->} (%{fld1})"); - - var all120 = all_match({ - processors: [ - part601, - select132, - part604, - select133, - part608, - ], - on_success: processor_chain([ - dup17, - dup2, - dup3, - 
dup9, - dup4, - dup5, - ]), - }); - - var msg361 = msg("00018:14", all120); - - var part609 = match("MESSAGE#360:00018:29", "nwparser.payload", "Service %{service->} was %{disposition->} to policy ID %{policy_id->} by admin %{administrator->} via NSRP Peer . (%{fld1})", processor_chain([ - dup17, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg362 = msg("00018:29", part609); - - var part610 = match("MESSAGE#361:00018:07", "nwparser.payload", "%{agent->} was added to policy %{policy_id->} %{rule_group->} by admin %{administrator->} via NSRP Peer %{space->} (%{fld1})", processor_chain([ - dup17, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg363 = msg("00018:07", part610); - - var part611 = match("MESSAGE#362:00018:18", "nwparser.payload", "Service %{service->} was %{disposition->} to policy ID %{policy_id->} by %{username->} via %{logon_type->} to %{daddr}:%{dport->} (%{fld1})", processor_chain([ - dup17, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg364 = msg("00018:18", part611); - - var part612 = match("MESSAGE#363:00018:17", "nwparser.payload", "AntiSpam ns-profile was %{disposition->} from policy ID %{policy_id->} by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport}. 
(%{fld1})", processor_chain([ - dup17, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg365 = msg("00018:17", part612); - - var part613 = match("MESSAGE#364:00018:19", "nwparser.payload", "Source address Info %{info->} was %{disposition->} to policy ID %{policy_id->} by %{username->} via %{logon_type->} to %{daddr}:%{dport->} (%{fld1})", processor_chain([ - dup17, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg366 = msg("00018:19", part613); - - var part614 = match("MESSAGE#365:00018:23/0_0", "nwparser.payload", "Destination %{p0}"); - - var part615 = match("MESSAGE#365:00018:23/0_1", "nwparser.payload", "Source %{p0}"); - - var select134 = linear_select([ - part614, - part615, - ]); - - var part616 = match("MESSAGE#365:00018:23/1", "nwparser.p0", "address %{info->} was added to policy ID %{policy_id->} by %{username->} via %{logon_type->} %{p0}"); - - var part617 = match("MESSAGE#365:00018:23/2_0", "nwparser.p0", "from host %{p0}"); - - var select135 = linear_select([ - part617, - dup103, - ]); - - var part618 = match("MESSAGE#365:00018:23/4_0", "nwparser.p0", "%{saddr->} to %{daddr->} %{p0}"); - - var part619 = match("MESSAGE#365:00018:23/4_1", "nwparser.p0", "%{daddr->} %{p0}"); - - var select136 = linear_select([ - part618, - part619, - ]); - - var part620 = match("MESSAGE#365:00018:23/5", "nwparser.p0", "%{dport}:(%{fld1})"); - - var all121 = all_match({ - processors: [ - select134, - part616, - select135, - dup23, - select136, - part620, - ], - on_success: processor_chain([ - dup17, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg367 = msg("00018:23", all121); - - var part621 = match("MESSAGE#366:00018:21", "nwparser.payload", "Service %{service->} was deleted from policy ID %{policy_id->} by %{username->} via %{logon_type->} from host %{saddr}:%{sport}. 
(%{fld1})", processor_chain([ - dup17, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg368 = msg("00018:21", part621); - - var part622 = match("MESSAGE#367:00018:24", "nwparser.payload", "Policy (%{policyname}) was %{disposition->} by %{username->} via %{logon_type->} to %{daddr}:%{dport->} (%{fld1})", processor_chain([ - dup17, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg369 = msg("00018:24", part622); - - var part623 = match("MESSAGE#368:00018:25/1", "nwparser.p0", "%{}address %{info->} was added to policy ID %{policy_id->} by %{username->} via %{logon_type->} from host %{saddr}. (%{fld1})"); - - var all122 = all_match({ - processors: [ - dup363, - part623, - ], - on_success: processor_chain([ - dup17, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg370 = msg("00018:25", all122); - - var part624 = match("MESSAGE#369:00018:30/1", "nwparser.p0", "%{}address %{info->} was deleted from policy ID %{policy_id->} by %{username->} via %{logon_type->} from host %{saddr}. (%{fld1})"); - - var all123 = all_match({ - processors: [ - dup363, - part624, - ], - on_success: processor_chain([ - dup17, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg371 = msg("00018:30", all123); - - var part625 = match("MESSAGE#370:00018:26/0", "nwparser.payload", "In policy %{policy_id}, the application was modified to %{disposition->} by %{p0}"); - - var part626 = match("MESSAGE#370:00018:26/2_1", "nwparser.p0", "%{logon_type->} from host %{saddr}. (%{p0}"); - - var select137 = linear_select([ - dup48, - part626, - ]); - - var all124 = all_match({ - processors: [ - part625, - dup364, - select137, - dup41, - ], - on_success: processor_chain([ - dup17, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg372 = msg("00018:26", all124); - - var part627 = match("MESSAGE#371:00018:27", "nwparser.payload", "In policy %{policy_id}, the DI attack component was modified by %{username->} via %{logon_type->} from host %{saddr}:%{sport}. 
(%{fld1})", processor_chain([ - dup17, - dup2, - dup4, - dup5, - dup9, - ])); - - var msg373 = msg("00018:27", part627); - - var part628 = match("MESSAGE#372:00018:28", "nwparser.payload", "In policy %{policyname}, the DI attack component was modified by admin %{administrator->} via %{logon_type}. (%{fld1})", processor_chain([ - dup17, - dup2, - dup4, - dup5, - dup9, - setc("info","the DI attack component was modified"), - ])); - - var msg374 = msg("00018:28", part628); - - var part629 = match("MESSAGE#373:00018:03", "nwparser.payload", "Policy (%{policy_id}, %{info}) was %{disposition}", processor_chain([ - dup17, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg375 = msg("00018:03", part629); - - var part630 = match("MESSAGE#1213:00018:31", "nwparser.payload", "In policy %{policy_id}, the option %{fld2->} was %{disposition}. (%{fld1})", processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg376 = msg("00018:31", part630); - - var select138 = linear_select([ - msg347, - msg348, - msg349, - msg350, - msg351, - msg352, - msg353, - msg354, - msg355, - msg356, - msg357, - msg358, - msg359, - msg360, - msg361, - msg362, - msg363, - msg364, - msg365, - msg366, - msg367, - msg368, - msg369, - msg370, - msg371, - msg372, - msg373, - msg374, - msg375, - msg376, - ]); - - var part631 = match("MESSAGE#374:00019", "nwparser.payload", "Attempt to enable WebTrends has %{disposition->} because WebTrends settings have not yet been configured", processor_chain([ - dup18, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg377 = msg("00019", part631); - - var part632 = match("MESSAGE#375:00019:01/2", "nwparser.p0", "has %{disposition->} because syslog settings have not yet been configured"); - - var all125 = all_match({ - processors: [ - dup165, - dup365, - part632, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg378 = msg("00019:01", all125); - - var part633 = match("MESSAGE#376:00019:02/0", 
"nwparser.payload", "Socket cannot be assigned for %{p0}"); - - var part634 = match("MESSAGE#376:00019:02/1_0", "nwparser.p0", "WebTrends%{}"); - - var part635 = match("MESSAGE#376:00019:02/1_1", "nwparser.p0", "syslog%{}"); - - var select139 = linear_select([ - part634, - part635, - ]); - - var all126 = all_match({ - processors: [ - part633, - select139, - ], - on_success: processor_chain([ - dup18, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg379 = msg("00019:02", all126); - - var part636 = match("MESSAGE#377:00019:03", "nwparser.payload", "Syslog VPN encryption has been %{disposition}", processor_chain([ - dup91, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg380 = msg("00019:03", part636); - - var select140 = linear_select([ - dup169, - dup78, - ]); - - var select141 = linear_select([ - dup139, - dup170, - dup137, - dup122, - ]); - - var all127 = all_match({ - processors: [ - dup168, - select140, - dup23, - select141, - dup171, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg381 = msg("00019:04", all127); - - var part637 = match("MESSAGE#379:00019:05/0", "nwparser.payload", "Syslog message level has been changed to %{p0}"); - - var part638 = match("MESSAGE#379:00019:05/1_0", "nwparser.p0", "debug%{}"); - - var part639 = match("MESSAGE#379:00019:05/1_1", "nwparser.p0", "information%{}"); - - var part640 = match("MESSAGE#379:00019:05/1_2", "nwparser.p0", "notification%{}"); - - var part641 = match("MESSAGE#379:00019:05/1_3", "nwparser.p0", "warning%{}"); - - var part642 = match("MESSAGE#379:00019:05/1_4", "nwparser.p0", "error%{}"); - - var part643 = match("MESSAGE#379:00019:05/1_5", "nwparser.p0", "critical%{}"); - - var part644 = match("MESSAGE#379:00019:05/1_6", "nwparser.p0", "alert%{}"); - - var part645 = match("MESSAGE#379:00019:05/1_7", "nwparser.p0", "emergency%{}"); - - var select142 = linear_select([ - part638, - part639, - part640, - part641, - part642, - part643, - part644, - part645, - 
]); - - var all128 = all_match({ - processors: [ - part637, - select142, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg382 = msg("00019:05", all128); - - var part646 = match("MESSAGE#380:00019:06/2", "nwparser.p0", "has been changed to %{p0}"); - - var all129 = all_match({ - processors: [ - dup168, - dup366, - part646, - dup367, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg383 = msg("00019:06", all129); - - var part647 = match("MESSAGE#381:00019:07", "nwparser.payload", "WebTrends VPN encryption has been %{disposition}", processor_chain([ - dup91, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg384 = msg("00019:07", part647); - - var part648 = match("MESSAGE#382:00019:08", "nwparser.payload", "WebTrends has been %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg385 = msg("00019:08", part648); - - var part649 = match("MESSAGE#383:00019:09/0", "nwparser.payload", "WebTrends host %{p0}"); - - var select143 = linear_select([ - dup139, - dup170, - dup137, - ]); - - var all130 = all_match({ - processors: [ - part649, - select143, - dup171, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg386 = msg("00019:09", all130); - - var part650 = match("MESSAGE#384:00019:10/1_0", "nwparser.p0", "Traffic logging via syslog %{p0}"); - - var part651 = match("MESSAGE#384:00019:10/1_1", "nwparser.p0", "Syslog %{p0}"); - - var select144 = linear_select([ - part650, - part651, - ]); - - var all131 = all_match({ - processors: [ - dup183, - select144, - dup138, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg387 = msg("00019:10", all131); - - var part652 = match("MESSAGE#385:00019:11/2", "nwparser.p0", "has %{disposition->} because there is no syslog server defined"); - - var all132 = all_match({ - processors: [ - dup165, - dup365, - 
part652, - ], - on_success: processor_chain([ - dup18, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg388 = msg("00019:11", all132); - - var part653 = match("MESSAGE#386:00019:12", "nwparser.payload", "Removing all syslog servers%{}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg389 = msg("00019:12", part653); - - var part654 = match("MESSAGE#387:00019:13/0", "nwparser.payload", "Syslog server %{hostip->} %{p0}"); - - var select145 = linear_select([ - dup107, - dup106, - ]); - - var part655 = match("MESSAGE#387:00019:13/2", "nwparser.p0", "%{disposition}"); - - var all133 = all_match({ - processors: [ - part654, - select145, - part655, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg390 = msg("00019:13", all133); - - var part656 = match("MESSAGE#388:00019:14/2", "nwparser.p0", "for %{hostip->} has been changed to %{p0}"); - - var all134 = all_match({ - processors: [ - dup168, - dup366, - part656, - dup367, - ], - on_success: processor_chain([ - dup50, - dup43, - dup51, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg391 = msg("00019:14", all134); - - var part657 = match("MESSAGE#389:00019:15", "nwparser.payload", "Syslog cannot connect to the TCP server %{hostip}; the connection is closed.", processor_chain([ - dup27, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg392 = msg("00019:15", part657); - - var part658 = match("MESSAGE#390:00019:16", "nwparser.payload", "All syslog servers were removed.%{}", processor_chain([ - setc("eventcategory","1701030000"), - setc("ec_activity","Delete"), - dup51, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg393 = msg("00019:16", part658); - - var part659 = match("MESSAGE#391:00019:17", "nwparser.payload", "Syslog server %{hostip->} host port number has been changed to %{network_port->} %{fld5}", processor_chain([ - dup50, - dup43, - dup51, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg394 = msg("00019:17", part659); - - var 
part660 = match("MESSAGE#392:00019:18/0", "nwparser.payload", "Traffic logging %{p0}"); - - var part661 = match("MESSAGE#392:00019:18/1_0", "nwparser.p0", "via syslog %{p0}"); - - var part662 = match("MESSAGE#392:00019:18/1_1", "nwparser.p0", "for syslog server %{hostip->} %{p0}"); - - var select146 = linear_select([ - part661, - part662, - ]); - - var all135 = all_match({ - processors: [ - part660, - select146, - dup138, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg395 = msg("00019:18", all135); - - var part663 = match("MESSAGE#393:00019:19", "nwparser.payload", "Transport protocol for syslog server %{hostip->} was changed to udp", processor_chain([ - dup50, - dup43, - dup51, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg396 = msg("00019:19", part663); - - var part664 = match("MESSAGE#394:00019:20", "nwparser.payload", "The traffic/IDP syslog is enabled on backup device by netscreen via web from host %{saddr->} to %{daddr}:%{dport}. 
(%{fld1})", processor_chain([ - dup50, - dup43, - dup51, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg397 = msg("00019:20", part664); - - var select147 = linear_select([ - msg377, - msg378, - msg379, - msg380, - msg381, - msg382, - msg383, - msg384, - msg385, - msg386, - msg387, - msg388, - msg389, - msg390, - msg391, - msg392, - msg393, - msg394, - msg395, - msg396, - msg397, - ]); - - var part665 = match("MESSAGE#395:00020", "nwparser.payload", "Schedule %{fld2->} has been %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg398 = msg("00020", part665); - - var part666 = match("MESSAGE#396:00020:01/0", "nwparser.payload", "System memory is low %{p0}"); - - var part667 = match("MESSAGE#396:00020:01/1_1", "nwparser.p0", "( %{p0}"); - - var select148 = linear_select([ - dup152, - part667, - ]); - - var part668 = match("MESSAGE#396:00020:01/2", "nwparser.p0", "%{fld2->} bytes allocated out of %{p0}"); - - var part669 = match("MESSAGE#396:00020:01/3_0", "nwparser.p0", "total %{fld3->} bytes"); - - var part670 = match("MESSAGE#396:00020:01/3_1", "nwparser.p0", "%{fld4->} bytes total"); - - var select149 = linear_select([ - part669, - part670, - ]); - - var all136 = all_match({ - processors: [ - part666, - select148, - part668, - select149, - ], - on_success: processor_chain([ - dup184, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg399 = msg("00020:01", all136); - - var part671 = match("MESSAGE#397:00020:02", "nwparser.payload", "System memory is low (%{fld2->} allocated out of %{fld3->} ) %{fld4->} times in %{fld5}", processor_chain([ - dup184, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg400 = msg("00020:02", part671); - - var select150 = linear_select([ - msg398, - msg399, - msg400, - ]); - - var part672 = match("MESSAGE#398:00021", "nwparser.payload", "DIP %{fld2->} has been %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg401 = msg("00021", part672); - - var 
part673 = match("MESSAGE#399:00021:01", "nwparser.payload", "IP pool %{fld2->} with range %{info->} has been %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg402 = msg("00021:01", part673); - - var part674 = match("MESSAGE#400:00021:02", "nwparser.payload", "DNS server is not configured%{}", processor_chain([ - dup18, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg403 = msg("00021:02", part674); - - var part675 = match("MESSAGE#401:00021:03", "nwparser.payload", "Connection refused by the DNS server%{}", processor_chain([ - dup185, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg404 = msg("00021:03", part675); - - var part676 = match("MESSAGE#402:00021:04", "nwparser.payload", "Unknown DNS error%{}", processor_chain([ - dup117, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg405 = msg("00021:04", part676); - - var part677 = match("MESSAGE#403:00021:05", "nwparser.payload", "DIP port-translatation stickiness was %{disposition->} by %{username->} via %{logon_type->} from host %{saddr->} (%{fld1})", processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg406 = msg("00021:05", part677); - - var part678 = match("MESSAGE#404:00021:06", "nwparser.payload", "DIP port-translation stickiness was %{disposition->} by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport->} (%{fld1})", processor_chain([ - dup1, - dup2, - dup4, - dup5, - dup9, - setc("info","DIP port-translation stickiness was modified"), - ])); - - var msg407 = msg("00021:06", part678); - - var select151 = linear_select([ - msg401, - msg402, - msg403, - msg404, - msg405, - msg406, - msg407, - ]); - - var part679 = match("MESSAGE#405:00022/1_0", "nwparser.p0", "power supplies %{p0}"); - - var part680 = match("MESSAGE#405:00022/1_1", "nwparser.p0", "fans %{p0}"); - - var select152 = linear_select([ - part679, - part680, - ]); - - var part681 = match("MESSAGE#405:00022/2", "nwparser.p0", "are %{fld2->} functioning 
properly"); - - var all137 = all_match({ - processors: [ - dup186, - select152, - part681, - ], - on_success: processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg408 = msg("00022", all137); - - var part682 = match("MESSAGE#406:00022:01/0_0", "nwparser.payload", "At least one power supply %{p0}"); - - var part683 = match("MESSAGE#406:00022:01/0_1", "nwparser.payload", "The power supply %{fld2->} %{p0}"); - - var part684 = match("MESSAGE#406:00022:01/0_2", "nwparser.payload", "At least one fan %{p0}"); - - var select153 = linear_select([ - part682, - part683, - part684, - ]); - - var part685 = match("MESSAGE#406:00022:01/1", "nwparser.p0", "is not functioning properly%{p0}"); - - var all138 = all_match({ - processors: [ - select153, - part685, - dup368, - ], - on_success: processor_chain([ - dup187, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg409 = msg("00022:01", all138); - - var part686 = match("MESSAGE#407:00022:02", "nwparser.payload", "Global Manager VPN management tunnel has been %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg410 = msg("00022:02", part686); - - var part687 = match("MESSAGE#408:00022:03", "nwparser.payload", "Global Manager domain name has been defined as %{domain}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg411 = msg("00022:03", part687); - - var part688 = match("MESSAGE#409:00022:04/0", "nwparser.payload", "Reporting of the %{p0}"); - - var part689 = match("MESSAGE#409:00022:04/1_0", "nwparser.p0", "network activities %{p0}"); - - var part690 = match("MESSAGE#409:00022:04/1_1", "nwparser.p0", "device resources %{p0}"); - - var part691 = match("MESSAGE#409:00022:04/1_2", "nwparser.p0", "event logs %{p0}"); - - var part692 = match("MESSAGE#409:00022:04/1_3", "nwparser.p0", "summary logs %{p0}"); - - var select154 = linear_select([ - part689, - part690, - part691, - part692, - ]); - - var part693 = 
match("MESSAGE#409:00022:04/2", "nwparser.p0", "to Global Manager has been %{disposition}"); - - var all139 = all_match({ - processors: [ - part688, - select154, - part693, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg412 = msg("00022:04", all139); - - var part694 = match("MESSAGE#410:00022:05", "nwparser.payload", "Global Manager has been %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg413 = msg("00022:05", part694); - - var part695 = match("MESSAGE#411:00022:06/0", "nwparser.payload", "Global Manager %{p0}"); - - var part696 = match("MESSAGE#411:00022:06/1_0", "nwparser.p0", "report %{p0}"); - - var part697 = match("MESSAGE#411:00022:06/1_1", "nwparser.p0", "listen %{p0}"); - - var select155 = linear_select([ - part696, - part697, - ]); - - var part698 = match("MESSAGE#411:00022:06/2", "nwparser.p0", "port has been set to %{interface}"); - - var all140 = all_match({ - processors: [ - part695, - select155, - part698, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg414 = msg("00022:06", all140); - - var part699 = match("MESSAGE#412:00022:07", "nwparser.payload", "The Global Manager keep-alive value has been changed to %{fld2}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg415 = msg("00022:07", part699); - - var part700 = match("MESSAGE#413:00022:08/0_0", "nwparser.payload", "System temperature %{p0}"); - - var part701 = match("MESSAGE#413:00022:08/0_1", "nwparser.payload", "System's temperature: %{p0}"); - - var part702 = match("MESSAGE#413:00022:08/0_2", "nwparser.payload", "The system temperature %{p0}"); - - var select156 = linear_select([ - part700, - part701, - part702, - ]); - - var part703 = match("MESSAGE#413:00022:08/1", "nwparser.p0", "(%{fld2->} C%{p0}"); - - var part704 = match("MESSAGE#413:00022:08/2_0", "nwparser.p0", "entigrade, %{p0}"); - - var select157 = 
linear_select([ - part704, - dup96, - ]); - - var part705 = match("MESSAGE#413:00022:08/3", "nwparser.p0", "%{fld3->} F%{p0}"); - - var part706 = match("MESSAGE#413:00022:08/4_0", "nwparser.p0", "ahrenheit %{p0}"); - - var select158 = linear_select([ - part706, - dup96, - ]); - - var part707 = match("MESSAGE#413:00022:08/5", "nwparser.p0", ") is too high%{}"); - - var all141 = all_match({ - processors: [ - select156, - part703, - select157, - part705, - select158, - part707, - ], - on_success: processor_chain([ - dup188, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg416 = msg("00022:08", all141); - - var part708 = match("MESSAGE#414:00022:09/2", "nwparser.p0", "power supply is no%{p0}"); - - var select159 = linear_select([ - dup191, - dup192, - ]); - - var part709 = match("MESSAGE#414:00022:09/4", "nwparser.p0", "functioning properly%{}"); - - var all142 = all_match({ - processors: [ - dup55, - dup369, - part708, - select159, - part709, - ], - on_success: processor_chain([ - dup188, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg417 = msg("00022:09", all142); - - var part710 = match("MESSAGE#415:00022:10/0", "nwparser.payload", "The NetScreen device was unable to upgrade the file system%{p0}"); - - var part711 = match("MESSAGE#415:00022:10/1_0", "nwparser.p0", " due to an internal conflict%{}"); - - var part712 = match("MESSAGE#415:00022:10/1_1", "nwparser.p0", ", but the old file system is intact%{}"); - - var select160 = linear_select([ - part711, - part712, - ]); - - var all143 = all_match({ - processors: [ - part710, - select160, - ], - on_success: processor_chain([ - dup18, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg418 = msg("00022:10", all143); - - var part713 = match("MESSAGE#416:00022:11/0", "nwparser.payload", "The NetScreen device was unable to upgrade %{p0}"); - - var part714 = match("MESSAGE#416:00022:11/1_0", "nwparser.p0", "due to an internal conflict%{}"); - - var part715 = match("MESSAGE#416:00022:11/1_1", 
"nwparser.p0", "the loader, but the loader is intact%{}"); - - var select161 = linear_select([ - part714, - part715, - ]); - - var all144 = all_match({ - processors: [ - part713, - select161, - ], - on_success: processor_chain([ - dup18, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg419 = msg("00022:11", all144); - - var part716 = match("MESSAGE#417:00022:12/0", "nwparser.payload", "Battery is no%{p0}"); - - var select162 = linear_select([ - dup192, - dup191, - ]); - - var part717 = match("MESSAGE#417:00022:12/2", "nwparser.p0", "functioning properly.%{}"); - - var all145 = all_match({ - processors: [ - part716, - select162, - part717, - ], - on_success: processor_chain([ - dup188, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg420 = msg("00022:12", all145); - - var part718 = match("MESSAGE#418:00022:13", "nwparser.payload", "System's temperature (%{fld2->} Centigrade, %{fld3->} Fahrenheit) is OK now.", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg421 = msg("00022:13", part718); - - var part719 = match("MESSAGE#419:00022:14", "nwparser.payload", "The power supply %{fld2->} is functioning properly. 
(%{fld1})", processor_chain([ - dup44, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg422 = msg("00022:14", part719); - - var select163 = linear_select([ - msg408, - msg409, - msg410, - msg411, - msg412, - msg413, - msg414, - msg415, - msg416, - msg417, - msg418, - msg419, - msg420, - msg421, - msg422, - ]); - - var part720 = match("MESSAGE#420:00023", "nwparser.payload", "VIP server %{hostip->} is not responding", processor_chain([ - dup187, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg423 = msg("00023", part720); - - var part721 = match("MESSAGE#421:00023:01", "nwparser.payload", "VIP/load balance server %{hostip->} cannot be contacted", processor_chain([ - dup187, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg424 = msg("00023:01", part721); - - var part722 = match("MESSAGE#422:00023:02", "nwparser.payload", "VIP server %{hostip->} cannot be contacted", processor_chain([ - dup187, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg425 = msg("00023:02", part722); - - var select164 = linear_select([ - msg423, - msg424, - msg425, - ]); - - var part723 = match("MESSAGE#423:00024/0_0", "nwparser.payload", "The DHCP %{p0}"); - - var part724 = match("MESSAGE#423:00024/0_1", "nwparser.payload", " DHCP %{p0}"); - - var select165 = linear_select([ - part723, - part724, - ]); - - var part725 = match("MESSAGE#423:00024/2_0", "nwparser.p0", "IP address pool has %{p0}"); - - var part726 = match("MESSAGE#423:00024/2_1", "nwparser.p0", "options have been %{p0}"); - - var select166 = linear_select([ - part725, - part726, - ]); - - var all146 = all_match({ - processors: [ - select165, - dup193, - select166, - dup52, - dup368, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg426 = msg("00024", all146); - - var part727 = match("MESSAGE#424:00024:01/0_0", "nwparser.payload", "Traffic log %{p0}"); - - var part728 = match("MESSAGE#424:00024:01/0_1", "nwparser.payload", "Alarm log %{p0}"); - - var part729 = 
match("MESSAGE#424:00024:01/0_2", "nwparser.payload", "Event log %{p0}"); - - var part730 = match("MESSAGE#424:00024:01/0_3", "nwparser.payload", "Self log %{p0}"); - - var part731 = match("MESSAGE#424:00024:01/0_4", "nwparser.payload", "Asset Recovery log %{p0}"); - - var select167 = linear_select([ - part727, - part728, - part729, - part730, - part731, - ]); - - var part732 = match("MESSAGE#424:00024:01/1", "nwparser.p0", "has overflowed%{}"); - - var all147 = all_match({ - processors: [ - select167, - part732, - ], - on_success: processor_chain([ - dup117, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg427 = msg("00024:01", all147); - - var part733 = match("MESSAGE#425:00024:02/0", "nwparser.payload", "DHCP relay agent settings on %{fld2->} %{p0}"); - - var part734 = match("MESSAGE#425:00024:02/1_0", "nwparser.p0", "are %{p0}"); - - var part735 = match("MESSAGE#425:00024:02/1_1", "nwparser.p0", "have been %{p0}"); - - var select168 = linear_select([ - part734, - part735, - ]); - - var part736 = match("MESSAGE#425:00024:02/2", "nwparser.p0", "%{disposition->} (%{fld1})"); - - var all148 = all_match({ - processors: [ - part733, - select168, - part736, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg428 = msg("00024:02", all148); - - var part737 = match("MESSAGE#426:00024:03/0", "nwparser.payload", "DHCP server IP address pool %{p0}"); - - var select169 = linear_select([ - dup194, - dup106, - ]); - - var part738 = match("MESSAGE#426:00024:03/2", "nwparser.p0", "changed. 
(%{fld1})"); - - var all149 = all_match({ - processors: [ - part737, - select169, - part738, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg429 = msg("00024:03", all149); - - var select170 = linear_select([ - msg426, - msg427, - msg428, - msg429, - ]); - - var part739 = match("MESSAGE#427:00025", "nwparser.payload", "The DHCP server IP address pool has changed%{}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg430 = msg("00025", part739); - - var part740 = match("MESSAGE#428:00025:01", "nwparser.payload", "PKI: The current device %{disposition->} to save the certificate authority configuration.", processor_chain([ - dup86, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg431 = msg("00025:01", part740); - - var part741 = match("MESSAGE#429:00025:02", "nwparser.payload", "%{disposition->} to send the X509 request file via e-mail", processor_chain([ - dup86, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg432 = msg("00025:02", part741); - - var part742 = match("MESSAGE#430:00025:03", "nwparser.payload", "%{disposition->} to save the CA configuration", processor_chain([ - dup86, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg433 = msg("00025:03", part742); - - var part743 = match("MESSAGE#431:00025:04", "nwparser.payload", "Cannot load more X509 certificates. The %{result}", processor_chain([ - dup86, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg434 = msg("00025:04", part743); - - var select171 = linear_select([ - msg430, - msg431, - msg432, - msg433, - msg434, - ]); - - var part744 = match("MESSAGE#432:00026", "nwparser.payload", "%{signame->} have been detected! 
From %{saddr}:%{sport->} to %{daddr}:%{dport->} using protocol %{protocol->} on interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([ - dup58, - dup2, - dup3, - dup59, - dup4, - dup5, - dup61, - ])); - - var msg435 = msg("00026", part744); - - var part745 = match("MESSAGE#433:00026:13", "nwparser.payload", "%{signame->} have been detected! From %{saddr}:%{sport->} to %{daddr}:%{dport}, using protocol %{protocol}, on interface %{interface}", processor_chain([ - dup58, - dup2, - dup3, - dup4, - dup5, - dup61, - ])); - - var msg436 = msg("00026:13", part745); - - var part746 = match("MESSAGE#434:00026:01/2", "nwparser.p0", "PKA key has been %{p0}"); - - var part747 = match("MESSAGE#434:00026:01/4", "nwparser.p0", "admin user %{administrator}. (Key ID = %{fld2})"); - - var all150 = all_match({ - processors: [ - dup195, - dup370, - part746, - dup371, - part747, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg437 = msg("00026:01", all150); - - var part748 = match("MESSAGE#435:00026:02/1_0", "nwparser.p0", ": SCS %{p0}"); - - var select172 = linear_select([ - part748, - dup96, - ]); - - var part749 = match("MESSAGE#435:00026:02/2", "nwparser.p0", "has been %{disposition->} for %{p0}"); - - var part750 = match("MESSAGE#435:00026:02/3_0", "nwparser.p0", "root system %{p0}"); - - var part751 = match("MESSAGE#435:00026:02/3_1", "nwparser.p0", "%{interface->} %{p0}"); - - var select173 = linear_select([ - part750, - part751, - ]); - - var all151 = all_match({ - processors: [ - dup195, - select172, - part749, - select173, - dup116, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg438 = msg("00026:02", all151); - - var part752 = match("MESSAGE#436:00026:03/2", "nwparser.p0", "%{change_attribute->} has been changed from %{change_old->} to %{change_new}"); - - var all152 = all_match({ - processors: [ - dup195, - dup370, - part752, - ], 
- on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg439 = msg("00026:03", all152); - - var part753 = match("MESSAGE#437:00026:04", "nwparser.payload", "SCS: Connection has been terminated for admin user %{administrator->} at %{hostip}:%{network_port}", processor_chain([ - dup198, - dup2, - dup4, - dup5, - dup3, - ])); - - var msg440 = msg("00026:04", part753); - - var part754 = match("MESSAGE#438:00026:05", "nwparser.payload", "SCS: Host client has requested NO cipher from %{interface}", processor_chain([ - dup198, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg441 = msg("00026:05", part754); - - var part755 = match("MESSAGE#439:00026:06", "nwparser.payload", "SCS: SSH user %{username->} has been authenticated using PKA RSA from %{saddr}:%{sport}. (key-ID=%{fld2}", processor_chain([ - dup199, - dup29, - dup30, - dup31, - dup32, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg442 = msg("00026:06", part755); - - var part756 = match("MESSAGE#440:00026:07", "nwparser.payload", "SCS: SSH user %{username->} has been authenticated using password from %{saddr}:%{sport}.", processor_chain([ - dup199, - dup29, - dup30, - dup31, - dup32, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg443 = msg("00026:07", part756); - - var part757 = match("MESSAGE#441:00026:08/0", "nwparser.payload", "SSH user %{username->} has been authenticated using %{p0}"); - - var part758 = match("MESSAGE#441:00026:08/2", "nwparser.p0", "from %{saddr}:%{sport->} [ with key ID %{fld2->} ]"); - - var all153 = all_match({ - processors: [ - part757, - dup372, - part758, - ], - on_success: processor_chain([ - dup199, - dup29, - dup30, - dup31, - dup32, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg444 = msg("00026:08", all153); - - var part759 = match("MESSAGE#442:00026:09", "nwparser.payload", "IPSec tunnel on int %{interface->} with tunnel ID %{fld2->} received a packet with a bad SPI.", processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - 
])); - - var msg445 = msg("00026:09", part759); - - var part760 = match("MESSAGE#443:00026:10/0", "nwparser.payload", "SSH: %{p0}"); - - var part761 = match("MESSAGE#443:00026:10/1_0", "nwparser.p0", "Failed %{p0}"); - - var part762 = match("MESSAGE#443:00026:10/1_1", "nwparser.p0", "Attempt %{p0}"); - - var select174 = linear_select([ - part761, - part762, - ]); - - var part763 = match("MESSAGE#443:00026:10/3_0", "nwparser.p0", "bind duplicate %{p0}"); - - var select175 = linear_select([ - part763, - dup201, - ]); - - var part764 = match("MESSAGE#443:00026:10/6", "nwparser.p0", "admin user '%{administrator}' (Key ID %{fld2})"); - - var all154 = all_match({ - processors: [ - part760, - select174, - dup103, - select175, - dup202, - dup373, - part764, - ], - on_success: processor_chain([ - dup203, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg446 = msg("00026:10", all154); - - var part765 = match("MESSAGE#444:00026:11", "nwparser.payload", "SSH: Maximum number of PKA keys (%{fld2}) has been bound to user '%{username}' Key not bound. (Key ID %{fld3})", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg447 = msg("00026:11", part765); - - var part766 = match("MESSAGE#445:00026:12", "nwparser.payload", "IKE %{fld2}: Missing heartbeats have exceeded the threshold. 
All Phase 1 and 2 SAs have been removed", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg448 = msg("00026:12", part766); - - var select176 = linear_select([ - msg435, - msg436, - msg437, - msg438, - msg439, - msg440, - msg441, - msg442, - msg443, - msg444, - msg445, - msg446, - msg447, - msg448, - ]); - - var part767 = match("MESSAGE#446:00027/2", "nwparser.p0", "user %{username->} from %{p0}"); - - var part768 = match("MESSAGE#446:00027/3_0", "nwparser.p0", "IP address %{saddr}:%{sport}"); - - var part769 = match("MESSAGE#446:00027/3_1", "nwparser.p0", "%{saddr}:%{sport}"); - - var part770 = match("MESSAGE#446:00027/3_2", "nwparser.p0", "console%{}"); - - var select177 = linear_select([ - part768, - part769, - part770, - ]); - - var all155 = all_match({ - processors: [ - dup204, - dup374, - part767, - select177, - ], - on_success: processor_chain([ - dup206, - dup30, - dup31, - dup54, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg449 = msg("00027", all155); - - var part771 = match("MESSAGE#447:00027:01", "nwparser.payload", "%{change_attribute->} has been restored from %{change_old->} to default port %{change_new}. %{info}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg450 = msg("00027:01", part771); - - var part772 = match("MESSAGE#448:00027:02", "nwparser.payload", "%{change_attribute->} has been restored from %{change_old->} to %{change_new}. %{info}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg451 = msg("00027:02", part772); - - var part773 = match("MESSAGE#449:00027:03", "nwparser.payload", "%{change_attribute->} has been changed from %{change_old->} to port %{change_new}. 
%{info}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg452 = msg("00027:03", part773); - - var part774 = match("MESSAGE#450:00027:04", "nwparser.payload", "%{change_attribute->} has been changed from %{change_old->} to port %{change_new}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg453 = msg("00027:04", part774); - - var part775 = match("MESSAGE#451:00027:05/0", "nwparser.payload", "ScreenOS %{version->} %{p0}"); - - var part776 = match("MESSAGE#451:00027:05/1_0", "nwparser.p0", "Serial %{p0}"); - - var part777 = match("MESSAGE#451:00027:05/1_1", "nwparser.p0", "serial %{p0}"); - - var select178 = linear_select([ - part776, - part777, - ]); - - var part778 = match("MESSAGE#451:00027:05/2", "nwparser.p0", "# %{fld2}: Asset recovery %{p0}"); - - var part779 = match("MESSAGE#451:00027:05/3_0", "nwparser.p0", "performed %{p0}"); - - var select179 = linear_select([ - part779, - dup127, - ]); - - var select180 = linear_select([ - dup207, - dup208, - ]); - - var all156 = all_match({ - processors: [ - part775, - select178, - part778, - select179, - dup23, - select180, - ], - on_success: processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg454 = msg("00027:05", all156); - - var part780 = match("MESSAGE#452:00027:06/0", "nwparser.payload", "Device Reset (Asset Recovery) has been %{p0}"); - - var select181 = linear_select([ - dup208, - dup207, - ]); - - var all157 = all_match({ - processors: [ - part780, - select181, - ], - on_success: processor_chain([ - setc("eventcategory","1606000000"), - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg455 = msg("00027:06", all157); - - var part781 = match("MESSAGE#453:00027:07", "nwparser.payload", "%{change_attribute->} has been changed from %{change_old->} to %{change_new}. 
%{info}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg456 = msg("00027:07", part781); - - var part782 = match("MESSAGE#454:00027:08", "nwparser.payload", "System configuration has been erased%{}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg457 = msg("00027:08", part782); - - var part783 = match("MESSAGE#455:00027:09", "nwparser.payload", "License key %{fld2->} is due to expire in %{fld3}.", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg458 = msg("00027:09", part783); - - var part784 = match("MESSAGE#456:00027:10", "nwparser.payload", "License key %{fld2->} has expired.", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg459 = msg("00027:10", part784); - - var part785 = match("MESSAGE#457:00027:11", "nwparser.payload", "License key %{fld2->} expired after 30-day grace period.", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg460 = msg("00027:11", part785); - - var part786 = match("MESSAGE#458:00027:12/0", "nwparser.payload", "Request to retrieve license key failed to reach %{p0}"); - - var part787 = match("MESSAGE#458:00027:12/1_0", "nwparser.p0", "the server %{p0}"); - - var select182 = linear_select([ - part787, - dup193, - ]); - - var part788 = match("MESSAGE#458:00027:12/2", "nwparser.p0", "by %{fld2}. 
Server url: %{url}"); - - var all158 = all_match({ - processors: [ - part786, - select182, - part788, - ], - on_success: processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg461 = msg("00027:12", all158); - - var part789 = match("MESSAGE#459:00027:13/2", "nwparser.p0", "user %{username}"); - - var all159 = all_match({ - processors: [ - dup204, - dup374, - part789, - ], - on_success: processor_chain([ - dup206, - dup30, - dup31, - dup54, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg462 = msg("00027:13", all159); - - var part790 = match("MESSAGE#460:00027:14/0", "nwparser.payload", "Configuration Erasure Process %{p0}"); - - var part791 = match("MESSAGE#460:00027:14/1_0", "nwparser.p0", "has been initiated %{p0}"); - - var part792 = match("MESSAGE#460:00027:14/1_1", "nwparser.p0", "aborted %{p0}"); - - var select183 = linear_select([ - part791, - part792, - ]); - - var part793 = match("MESSAGE#460:00027:14/2", "nwparser.p0", ".%{space}(%{fld1})"); - - var all160 = all_match({ - processors: [ - part790, - select183, - part793, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg463 = msg("00027:14", all160); - - var part794 = match("MESSAGE#461:00027:15", "nwparser.payload", "Waiting for 2nd confirmation. 
(%{fld1})", processor_chain([ - dup44, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg464 = msg("00027:15", part794); - - var part795 = match("MESSAGE#1220:00027:16", "nwparser.payload", "Admin %{fld3->} policy id %{policy_id->} name \"%{fld2->} has been re-enabled by NetScreen system after being locked due to excessive failed login attempts (%{fld1})", processor_chain([ - dup44, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg465 = msg("00027:16", part795); - - var part796 = match("MESSAGE#1225:00027:17", "nwparser.payload", "Admin %{username->} is locked and will be unlocked after %{duration->} minutes (%{fld1})", processor_chain([ - dup44, - dup2, - dup4, - dup5, - dup9, - ])); - - var msg466 = msg("00027:17", part796); - - var part797 = match("MESSAGE#1226:00027:18", "nwparser.payload", "Login attempt by admin %{username->} from %{saddr->} is refused as this account is locked (%{fld1})", processor_chain([ - dup44, - dup2, - dup4, - dup5, - dup9, - ])); - - var msg467 = msg("00027:18", part797); - - var part798 = match("MESSAGE#1227:00027:19", "nwparser.payload", "Admin %{username->} has been re-enabled by NetScreen system after being locked due to excessive failed login attempts (%{fld1})", processor_chain([ - dup44, - dup2, - dup4, - dup5, - dup9, - ])); - - var msg468 = msg("00027:19", part798); - - var select184 = linear_select([ - msg449, - msg450, - msg451, - msg452, - msg453, - msg454, - msg455, - msg456, - msg457, - msg458, - msg459, - msg460, - msg461, - msg462, - msg463, - msg464, - msg465, - msg466, - msg467, - msg468, - ]); - - var part799 = match("MESSAGE#462:00028/0_0", "nwparser.payload", "An Intruder%{p0}"); - - var part800 = match("MESSAGE#462:00028/0_1", "nwparser.payload", "Intruder%{p0}"); - - var part801 = match("MESSAGE#462:00028/0_2", "nwparser.payload", "An intruter%{p0}"); - - var select185 = linear_select([ - part799, - part800, - part801, - ]); - - var part802 = match("MESSAGE#462:00028/1", "nwparser.p0", "%{}has 
attempted to connect to the NetScreen-Global PRO port! From %{saddr}:%{sport->} to %{daddr}:%{dport->} using protocol %{protocol->} at interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times"); - - var all161 = all_match({ - processors: [ - select185, - part802, - ], - on_success: processor_chain([ - dup58, - dup2, - dup59, - dup3, - dup4, - dup5, - dup61, - setc("signame","Attempt to Connect to the NetScreen-Global Port"), - ]), - }); - - var msg469 = msg("00028", all161); - - var part803 = match("MESSAGE#463:00029", "nwparser.payload", "DNS has been refreshed%{}", processor_chain([ - dup209, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg470 = msg("00029", part803); - - var part804 = match("MESSAGE#464:00029:01", "nwparser.payload", "DHCP file write: out of memory.%{}", processor_chain([ - dup184, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg471 = msg("00029:01", part804); - - var part805 = match("MESSAGE#465:00029:02/0", "nwparser.payload", "The DHCP process cannot open file %{fld2->} to %{p0}"); - - var part806 = match("MESSAGE#465:00029:02/1_0", "nwparser.p0", "read %{p0}"); - - var part807 = match("MESSAGE#465:00029:02/1_1", "nwparser.p0", "write %{p0}"); - - var select186 = linear_select([ - part806, - part807, - ]); - - var part808 = match("MESSAGE#465:00029:02/2", "nwparser.p0", "data.%{}"); - - var all162 = all_match({ - processors: [ - part805, - select186, - part808, - ], - on_success: processor_chain([ - dup117, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg472 = msg("00029:02", all162); - - var part809 = match("MESSAGE#466:00029:03/2", "nwparser.p0", "%{} %{interface->} is full. 
Unable to %{p0}"); - - var part810 = match("MESSAGE#466:00029:03/3_0", "nwparser.p0", "commit %{p0}"); - - var part811 = match("MESSAGE#466:00029:03/3_1", "nwparser.p0", "offer %{p0}"); - - var select187 = linear_select([ - part810, - part811, - ]); - - var part812 = match("MESSAGE#466:00029:03/4", "nwparser.p0", "IP address to client at %{fld2}"); - - var all163 = all_match({ - processors: [ - dup210, - dup337, - part809, - select187, - part812, - ], - on_success: processor_chain([ - dup117, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg473 = msg("00029:03", all163); - - var part813 = match("MESSAGE#467:00029:04", "nwparser.payload", "DHCP server set to OFF on %{interface->} (another server found on %{hostip}).", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg474 = msg("00029:04", part813); - - var select188 = linear_select([ - msg470, - msg471, - msg472, - msg473, - msg474, - ]); - - var part814 = match("MESSAGE#468:00030", "nwparser.payload", "CA configuration is invalid%{}", processor_chain([ - dup18, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg475 = msg("00030", part814); - - var part815 = match("MESSAGE#469:00030:01/0", "nwparser.payload", "DSS checking of CRLs has been changed from %{p0}"); - - var part816 = match("MESSAGE#469:00030:01/1_0", "nwparser.p0", "0 to 1%{}"); - - var part817 = match("MESSAGE#469:00030:01/1_1", "nwparser.p0", "1 to 0%{}"); - - var select189 = linear_select([ - part816, - part817, - ]); - - var all164 = all_match({ - processors: [ - part815, - select189, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg476 = msg("00030:01", all164); - - var part818 = match("MESSAGE#470:00030:05", "nwparser.payload", "For the X509 certificate %{change_attribute->} has been changed from %{change_old->} to %{change_new}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg477 = msg("00030:05", part818); - - var part819 = 
match("MESSAGE#471:00030:06", "nwparser.payload", "In the X509 certificate request the %{fld2->} field has been changed from %{fld3}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg478 = msg("00030:06", part819); - - var part820 = match("MESSAGE#472:00030:07", "nwparser.payload", "RA X509 certificate cannot be loaded%{}", processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg479 = msg("00030:07", part820); - - var part821 = match("MESSAGE#473:00030:10", "nwparser.payload", "Self-signed X509 certificate cannot be generated%{}", processor_chain([ - dup86, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg480 = msg("00030:10", part821); - - var part822 = match("MESSAGE#474:00030:12", "nwparser.payload", "The public key for ScreenOS image has successfully been updated%{}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg481 = msg("00030:12", part822); - - var part823 = match("MESSAGE#475:00030:13/0", "nwparser.payload", "The public key used for ScreenOS image authentication cannot be %{p0}"); - - var part824 = match("MESSAGE#475:00030:13/1_0", "nwparser.p0", "decoded%{}"); - - var part825 = match("MESSAGE#475:00030:13/1_1", "nwparser.p0", "loaded%{}"); - - var select190 = linear_select([ - part824, - part825, - ]); - - var all165 = all_match({ - processors: [ - part823, - select190, - ], - on_success: processor_chain([ - dup35, - dup31, - dup39, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg482 = msg("00030:13", all165); - - var part826 = match("MESSAGE#476:00030:14/1_0", "nwparser.p0", "CA IDENT %{p0}"); - - var part827 = match("MESSAGE#476:00030:14/1_1", "nwparser.p0", "Challenge password %{p0}"); - - var part828 = match("MESSAGE#476:00030:14/1_2", "nwparser.p0", "CA CGI URL %{p0}"); - - var part829 = match("MESSAGE#476:00030:14/1_3", "nwparser.p0", "RA CGI URL %{p0}"); - - var select191 = linear_select([ - part826, - part827, - part828, - part829, - ]); - - var part830 = 
match("MESSAGE#476:00030:14/2", "nwparser.p0", "for SCEP %{p0}"); - - var part831 = match("MESSAGE#476:00030:14/3_0", "nwparser.p0", "requests %{p0}"); - - var select192 = linear_select([ - part831, - dup16, - ]); - - var part832 = match("MESSAGE#476:00030:14/4", "nwparser.p0", "has been changed from %{change_old->} to %{change_new}"); - - var all166 = all_match({ - processors: [ - dup55, - select191, - part830, - select192, - part832, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg483 = msg("00030:14", all166); - - var msg484 = msg("00030:02", dup375); - - var part833 = match("MESSAGE#478:00030:15", "nwparser.payload", "X509 certificate for ScreenOS image authentication is invalid%{}", processor_chain([ - dup35, - dup211, - dup31, - dup39, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg485 = msg("00030:15", part833); - - var part834 = match("MESSAGE#479:00030:16", "nwparser.payload", "X509 certificate has been deleted%{}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg486 = msg("00030:16", part834); - - var part835 = match("MESSAGE#480:00030:18", "nwparser.payload", "PKI CRL: no revoke info accept per config DN %{interface}.", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg487 = msg("00030:18", part835); - - var part836 = match("MESSAGE#481:00030:19/0", "nwparser.payload", "PKI: A configurable item %{change_attribute->} %{p0}"); - - var part837 = match("MESSAGE#481:00030:19/1_0", "nwparser.p0", "mode %{p0}"); - - var part838 = match("MESSAGE#481:00030:19/1_1", "nwparser.p0", "field%{p0}"); - - var select193 = linear_select([ - part837, - part838, - ]); - - var part839 = match("MESSAGE#481:00030:19/2", "nwparser.p0", "%{}has changed from %{change_old->} to %{change_new}"); - - var all167 = all_match({ - processors: [ - part836, - select193, - part839, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var 
msg488 = msg("00030:19", all167); - - var part840 = match("MESSAGE#482:00030:30", "nwparser.payload", "PKI: NSRP cold sync start for total of %{fld2->} items.", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg489 = msg("00030:30", part840); - - var part841 = match("MESSAGE#483:00030:31", "nwparser.payload", "PKI: NSRP sync received cold sync item %{fld2->} out of order expect %{fld3->} of %{fld4}.", processor_chain([ - dup86, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg490 = msg("00030:31", part841); - - var part842 = match("MESSAGE#484:00030:32", "nwparser.payload", "PKI: NSRP sync received cold sync item %{fld2->} without first item.", processor_chain([ - dup86, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg491 = msg("00030:32", part842); - - var part843 = match("MESSAGE#485:00030:33", "nwparser.payload", "PKI: NSRP sync received normal item during cold sync.%{}", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg492 = msg("00030:33", part843); - - var part844 = match("MESSAGE#486:00030:34", "nwparser.payload", "PKI: The CRL %{policy_id->} is deleted.", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg493 = msg("00030:34", part844); - - var part845 = match("MESSAGE#487:00030:35", "nwparser.payload", "PKI: The NSRP high availability synchronization %{fld2->} failed.", processor_chain([ - dup86, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg494 = msg("00030:35", part845); - - var part846 = match("MESSAGE#488:00030:36", "nwparser.payload", "PKI: The %{change_attribute->} has changed from %{change_old->} to %{change_new}.", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg495 = msg("00030:36", part846); - - var part847 = match("MESSAGE#489:00030:37", "nwparser.payload", "PKI: The X.509 certificate for the ScreenOS image authentication is invalid.%{}", processor_chain([ - dup35, - dup211, - dup31, - dup39, - dup2, - dup3, - dup4, - dup5, - ])); - 
- var msg496 = msg("00030:37", part847); - - var part848 = match("MESSAGE#490:00030:38", "nwparser.payload", "PKI: The X.509 local certificate cannot be sync to vsd member.%{}", processor_chain([ - dup35, - dup211, - dup31, - dup39, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg497 = msg("00030:38", part848); - - var part849 = match("MESSAGE#491:00030:39/0", "nwparser.payload", "PKI: The X.509 certificate %{p0}"); - - var part850 = match("MESSAGE#491:00030:39/1_0", "nwparser.p0", "revocation list %{p0}"); - - var select194 = linear_select([ - part850, - dup16, - ]); - - var part851 = match("MESSAGE#491:00030:39/2", "nwparser.p0", "cannot be loaded during NSRP synchronization.%{}"); - - var all168 = all_match({ - processors: [ - part849, - select194, - part851, - ], - on_success: processor_chain([ - dup35, - dup211, - dup31, - dup39, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg498 = msg("00030:39", all168); - - var part852 = match("MESSAGE#492:00030:17/0", "nwparser.payload", "X509 %{p0}"); - - var part853 = match("MESSAGE#492:00030:17/2", "nwparser.p0", "cannot be loaded%{}"); - - var all169 = all_match({ - processors: [ - part852, - dup376, - part853, - ], - on_success: processor_chain([ - dup35, - dup211, - dup31, - dup39, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg499 = msg("00030:17", all169); - - var part854 = match("MESSAGE#493:00030:40/0", "nwparser.payload", "PKI: The certificate %{fld2->} will expire %{p0}"); - - var part855 = match("MESSAGE#493:00030:40/1_1", "nwparser.p0", "please %{p0}"); - - var select195 = linear_select([ - dup214, - part855, - ]); - - var part856 = match("MESSAGE#493:00030:40/2", "nwparser.p0", "renew.%{}"); - - var all170 = all_match({ - processors: [ - part854, - select195, - part856, - ], - on_success: processor_chain([ - dup35, - dup211, - dup31, - dup39, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg500 = msg("00030:40", all170); - - var part857 = match("MESSAGE#494:00030:41", 
"nwparser.payload", "PKI: The certificate revocation list has expired issued by certificate authority %{fld2}.", processor_chain([ - dup35, - dup211, - dup31, - dup39, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg501 = msg("00030:41", part857); - - var part858 = match("MESSAGE#495:00030:42", "nwparser.payload", "PKI: The configuration content of certificate authority %{fld2->} is not valid.", processor_chain([ - dup35, - dup211, - dup31, - dup39, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg502 = msg("00030:42", part858); - - var part859 = match("MESSAGE#496:00030:43", "nwparser.payload", "PKI: The device cannot allocate this object id number %{fld2}.", processor_chain([ - dup35, - dup211, - dup31, - dup39, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg503 = msg("00030:43", part859); - - var part860 = match("MESSAGE#497:00030:44", "nwparser.payload", "PKI: The device cannot extract the X.509 certificate revocation list [ (CRL) ].%{}", processor_chain([ - dup35, - dup211, - dup31, - dup39, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg504 = msg("00030:44", part860); - - var part861 = match("MESSAGE#498:00030:45", "nwparser.payload", "PKI: The device cannot find the PKI object %{fld2->} during cold sync.", processor_chain([ - dup35, - dup211, - dup31, - dup39, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg505 = msg("00030:45", part861); - - var part862 = match("MESSAGE#499:00030:46", "nwparser.payload", "PKI: The device cannot load X.509 certificate onto the device certificate %{fld2}.", processor_chain([ - dup35, - dup211, - dup31, - dup39, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg506 = msg("00030:46", part862); - - var part863 = match("MESSAGE#500:00030:47", "nwparser.payload", "PKI: The device cannot load a certificate pending SCEP completion.%{}", processor_chain([ - dup35, - dup211, - dup31, - dup39, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg507 = msg("00030:47", part863); - - var part864 = match("MESSAGE#501:00030:48", 
"nwparser.payload", "PKI: The device cannot load an X.509 certificate revocation list (CRL).%{}", processor_chain([ - dup35, - dup211, - dup31, - dup39, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg508 = msg("00030:48", part864); - - var part865 = match("MESSAGE#502:00030:49", "nwparser.payload", "PKI: The device cannot load the CA certificate received through SCEP.%{}", processor_chain([ - dup35, - dup211, - dup31, - dup39, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg509 = msg("00030:49", part865); - - var part866 = match("MESSAGE#503:00030:50", "nwparser.payload", "PKI: The device cannot load the X.509 certificate revocation list (CRL) from the file.%{}", processor_chain([ - dup35, - dup211, - dup31, - dup39, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg510 = msg("00030:50", part866); - - var part867 = match("MESSAGE#504:00030:51", "nwparser.payload", "PKI: The device cannot load the X.509 local certificate received through SCEP.%{}", processor_chain([ - dup35, - dup211, - dup31, - dup39, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg511 = msg("00030:51", part867); - - var part868 = match("MESSAGE#505:00030:52", "nwparser.payload", "PKI: The device cannot load the X.509 %{product->} during boot.", processor_chain([ - dup35, - dup211, - dup31, - dup39, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg512 = msg("00030:52", part868); - - var part869 = match("MESSAGE#506:00030:53", "nwparser.payload", "PKI: The device cannot load the X.509 certificate file.%{}", processor_chain([ - dup35, - dup211, - dup31, - dup39, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg513 = msg("00030:53", part869); - - var part870 = match("MESSAGE#507:00030:54", "nwparser.payload", "PKI: The device completed the coldsync of the PKI object at %{fld2->} attempt.", processor_chain([ - dup44, - dup211, - dup31, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg514 = msg("00030:54", part870); - - var part871 = match("MESSAGE#508:00030:55/0", "nwparser.payload", "PKI: 
The device could not generate %{p0}"); - - var all171 = all_match({ - processors: [ - part871, - dup377, - dup217, - ], - on_success: processor_chain([ - dup35, - dup211, - dup31, - dup39, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg515 = msg("00030:55", all171); - - var part872 = match("MESSAGE#509:00030:56", "nwparser.payload", "PKI: The device detected an invalid RSA key.%{}", processor_chain([ - dup35, - dup211, - dup31, - dup39, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg516 = msg("00030:56", part872); - - var part873 = match("MESSAGE#510:00030:57", "nwparser.payload", "PKI: The device detected an invalid digital signature algorithm (DSA) key.%{}", processor_chain([ - dup35, - dup218, - dup31, - dup39, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg517 = msg("00030:57", part873); - - var part874 = match("MESSAGE#511:00030:58", "nwparser.payload", "PKI: The device failed to coldsync the PKI object at %{fld2->} attempt.", processor_chain([ - dup86, - dup218, - dup31, - dup54, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg518 = msg("00030:58", part874); - - var part875 = match("MESSAGE#512:00030:59", "nwparser.payload", "PKI: The device failed to decode the public key of the image%{quote}s signer certificate.", processor_chain([ - dup35, - dup218, - dup31, - dup54, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg519 = msg("00030:59", part875); - - var part876 = match("MESSAGE#513:00030:60", "nwparser.payload", "PKI: The device failed to install the RSA key.%{}", processor_chain([ - dup35, - dup218, - dup31, - dup54, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg520 = msg("00030:60", part876); - - var part877 = match("MESSAGE#514:00030:61", "nwparser.payload", "PKI: The device failed to retrieve the pending certificate %{fld2}.", processor_chain([ - dup35, - dup211, - dup31, - dup54, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg521 = msg("00030:61", part877); - - var part878 = match("MESSAGE#515:00030:62", "nwparser.payload", 
"PKI: The device failed to save the certificate authority related configuration.%{}", processor_chain([ - dup35, - dup211, - dup31, - dup54, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg522 = msg("00030:62", part878); - - var part879 = match("MESSAGE#516:00030:63", "nwparser.payload", "PKI: The device failed to store the authority configuration.%{}", processor_chain([ - dup18, - dup219, - dup51, - dup54, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg523 = msg("00030:63", part879); - - var part880 = match("MESSAGE#517:00030:64", "nwparser.payload", "PKI: The device failed to synchronize new DSA/RSA key pair to NSRP peer.%{}", processor_chain([ - dup18, - dup218, - dup51, - dup54, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg524 = msg("00030:64", part880); - - var part881 = match("MESSAGE#518:00030:65", "nwparser.payload", "PKI: The device failed to synchronize DSA/RSA key pair to NSRP peer.%{}", processor_chain([ - dup18, - dup218, - dup51, - dup54, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg525 = msg("00030:65", part881); - - var part882 = match("MESSAGE#519:00030:66", "nwparser.payload", "PKI: The device has detected an invalid X.509 object attribute %{fld2}.", processor_chain([ - dup35, - dup211, - dup31, - dup39, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg526 = msg("00030:66", part882); - - var part883 = match("MESSAGE#520:00030:67", "nwparser.payload", "PKI: The device has detected invalid X.509 object content.%{}", processor_chain([ - dup35, - dup211, - dup31, - dup39, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg527 = msg("00030:67", part883); - - var part884 = match("MESSAGE#521:00030:68", "nwparser.payload", "PKI: The device has failed to load an invalid X.509 object.%{}", processor_chain([ - dup35, - dup211, - dup31, - dup39, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg528 = msg("00030:68", part884); - - var part885 = match("MESSAGE#522:00030:69", "nwparser.payload", "PKI: The device is loading the version 0 PKI 
data.%{}", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg529 = msg("00030:69", part885); - - var part886 = match("MESSAGE#523:00030:70/0", "nwparser.payload", "PKI: The device successfully generated a new %{p0}"); - - var all172 = all_match({ - processors: [ - part886, - dup377, - dup217, - ], - on_success: processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg530 = msg("00030:70", all172); - - var part887 = match("MESSAGE#524:00030:71", "nwparser.payload", "PKI: The public key of image%{quote}s signer has been loaded successfully, for future image authentication.", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg531 = msg("00030:71", part887); - - var part888 = match("MESSAGE#525:00030:72", "nwparser.payload", "PKI: The signature of the image%{quote}s signer certificate cannot be verified.", processor_chain([ - dup35, - dup211, - dup31, - dup39, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg532 = msg("00030:72", part888); - - var part889 = match("MESSAGE#526:00030:73/0", "nwparser.payload", "PKI: The %{p0}"); - - var part890 = match("MESSAGE#526:00030:73/1_0", "nwparser.p0", "file name %{p0}"); - - var part891 = match("MESSAGE#526:00030:73/1_1", "nwparser.p0", "friendly name of a certificate %{p0}"); - - var part892 = match("MESSAGE#526:00030:73/1_2", "nwparser.p0", "vsys name %{p0}"); - - var select196 = linear_select([ - part890, - part891, - part892, - ]); - - var part893 = match("MESSAGE#526:00030:73/2", "nwparser.p0", "is too long %{fld2->} to do NSRP synchronization allowed %{fld3}."); - - var all173 = all_match({ - processors: [ - part889, - select196, - part893, - ], - on_success: processor_chain([ - dup35, - dup211, - dup31, - dup39, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg533 = msg("00030:73", all173); - - var part894 = match("MESSAGE#527:00030:74", "nwparser.payload", "PKI: Upgrade from earlier version save to file.%{}", processor_chain([ - dup44, 
- dup2, - dup3, - dup4, - dup5, - ])); - - var msg534 = msg("00030:74", part894); - - var part895 = match("MESSAGE#528:00030:75", "nwparser.payload", "PKI: X.509 certificate has been deleted distinguished name %{username}.", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg535 = msg("00030:75", part895); - - var part896 = match("MESSAGE#529:00030:76/0", "nwparser.payload", "PKI: X.509 %{p0}"); - - var part897 = match("MESSAGE#529:00030:76/2", "nwparser.p0", "file has been loaded successfully filename %{fld2}."); - - var all174 = all_match({ - processors: [ - part896, - dup376, - part897, - ], - on_success: processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg536 = msg("00030:76", all174); - - var part898 = match("MESSAGE#530:00030:77", "nwparser.payload", "PKI: failed to install DSA key.%{}", processor_chain([ - dup18, - dup218, - dup51, - dup54, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg537 = msg("00030:77", part898); - - var part899 = match("MESSAGE#531:00030:78", "nwparser.payload", "PKI: no FQDN available when requesting certificate.%{}", processor_chain([ - dup35, - dup211, - dup220, - dup31, - dup39, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg538 = msg("00030:78", part899); - - var part900 = match("MESSAGE#532:00030:79", "nwparser.payload", "PKI: no cert revocation check per config DN %{username}.", processor_chain([ - dup35, - dup211, - dup220, - dup31, - dup39, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg539 = msg("00030:79", part900); - - var part901 = match("MESSAGE#533:00030:80", "nwparser.payload", "PKI: no nsrp sync for pre 2.5 objects.%{}", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg540 = msg("00030:80", part901); - - var part902 = match("MESSAGE#534:00030:81", "nwparser.payload", "X509 certificate with subject name %{fld2->} is deleted.", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg541 = msg("00030:81", 
part902); - - var part903 = match("MESSAGE#535:00030:82", "nwparser.payload", "create new authcfg for CA %{fld2}", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg542 = msg("00030:82", part903); - - var part904 = match("MESSAGE#536:00030:83", "nwparser.payload", "loadCert: Cannot acquire authcfg for this CA cert %{fld2}.", processor_chain([ - dup35, - dup211, - dup31, - dup39, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg543 = msg("00030:83", part904); - - var part905 = match("MESSAGE#537:00030:84", "nwparser.payload", "upgrade to 4.0 copy authcfg from global.%{}", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg544 = msg("00030:84", part905); - - var part906 = match("MESSAGE#538:00030:85", "nwparser.payload", "System CPU utilization is high (%{fld2->} alarm threshold: %{trigger_val}) %{info}", processor_chain([ - setc("eventcategory","1603080000"), - dup2, - dup3, - dup4, - dup5, - ])); - - var msg545 = msg("00030:85", part906); - - var part907 = match("MESSAGE#539:00030:86/2", "nwparser.p0", "Pair-wise invoked by started after key generation. (%{fld1})"); - - var all175 = all_match({ - processors: [ - dup221, - dup378, - part907, - ], - on_success: processor_chain([ - dup223, - dup2, - dup4, - dup5, - dup9, - ]), - }); - - var msg546 = msg("00030:86", all175); - - var part908 = match("MESSAGE#1214:00030:87", "nwparser.payload", "SYSTEM CPU utilization is high (%{fld2->} > %{fld3->} ) %{fld4->} times in %{fld5->} minute (%{fld1})\u003c\u003c%{fld6}>", processor_chain([ - dup209, - dup2, - dup3, - dup4, - dup5, - dup9, - ])); - - var msg547 = msg("00030:87", part908); - - var part909 = match("MESSAGE#1217:00030:88/2", "nwparser.p0", "Pair-wise invoked by passed. 
(%{fld1})\u003c\u003c%{fld6}>"); - - var all176 = all_match({ - processors: [ - dup221, - dup378, - part909, - ], - on_success: processor_chain([ - dup223, - dup2, - dup4, - dup5, - dup9, - ]), - }); - - var msg548 = msg("00030:88", all176); - - var select197 = linear_select([ - msg475, - msg476, - msg477, - msg478, - msg479, - msg480, - msg481, - msg482, - msg483, - msg484, - msg485, - msg486, - msg487, - msg488, - msg489, - msg490, - msg491, - msg492, - msg493, - msg494, - msg495, - msg496, - msg497, - msg498, - msg499, - msg500, - msg501, - msg502, - msg503, - msg504, - msg505, - msg506, - msg507, - msg508, - msg509, - msg510, - msg511, - msg512, - msg513, - msg514, - msg515, - msg516, - msg517, - msg518, - msg519, - msg520, - msg521, - msg522, - msg523, - msg524, - msg525, - msg526, - msg527, - msg528, - msg529, - msg530, - msg531, - msg532, - msg533, - msg534, - msg535, - msg536, - msg537, - msg538, - msg539, - msg540, - msg541, - msg542, - msg543, - msg544, - msg545, - msg546, - msg547, - msg548, - ]); - - var part910 = match("MESSAGE#540:00031:13", "nwparser.payload", "ARP detected IP conflict: IP address %{hostip->} changed from %{sinterface->} to interface %{dinterface->} (%{fld1})", processor_chain([ - dup121, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg549 = msg("00031:13", part910); - - var part911 = match("MESSAGE#541:00031", "nwparser.payload", "SNMP AuthenTraps have been %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg550 = msg("00031", part911); - - var part912 = match("MESSAGE#542:00031:01", "nwparser.payload", "SNMP VPN has been %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg551 = msg("00031:01", part912); - - var part913 = match("MESSAGE#543:00031:02/0", "nwparser.payload", "SNMP community %{fld2->} attributes-write access %{p0}"); - - var part914 = match("MESSAGE#543:00031:02/2", "nwparser.p0", "; receive traps %{p0}"); - - var part915 = 
match("MESSAGE#543:00031:02/4", "nwparser.p0", "; receive traffic alarms %{p0}"); - - var part916 = match("MESSAGE#543:00031:02/6", "nwparser.p0", "-have been modified%{}"); - - var all177 = all_match({ - processors: [ - part913, - dup379, - part914, - dup379, - part915, - dup379, - part916, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg552 = msg("00031:02", all177); - - var part917 = match("MESSAGE#544:00031:03/0", "nwparser.payload", "%{fld2->} SNMP host %{hostip->} has been %{p0}"); - - var select198 = linear_select([ - dup130, - dup129, - ]); - - var part918 = match("MESSAGE#544:00031:03/2", "nwparser.p0", "SNMP community %{fld3}"); - - var all178 = all_match({ - processors: [ - part917, - select198, - part918, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg553 = msg("00031:03", all178); - - var part919 = match("MESSAGE#545:00031:04/0", "nwparser.payload", "SNMP %{p0}"); - - var part920 = match("MESSAGE#545:00031:04/1_0", "nwparser.p0", "contact %{p0}"); - - var select199 = linear_select([ - part920, - dup226, - ]); - - var part921 = match("MESSAGE#545:00031:04/2", "nwparser.p0", "description has been modified%{}"); - - var all179 = all_match({ - processors: [ - part919, - select199, - part921, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg554 = msg("00031:04", all179); - - var part922 = match("MESSAGE#546:00031:11/0", "nwparser.payload", "SNMP system %{p0}"); - - var select200 = linear_select([ - dup226, - dup25, - ]); - - var part923 = match("MESSAGE#546:00031:11/2", "nwparser.p0", "has been changed to %{fld2}. 
(%{fld1})"); - - var all180 = all_match({ - processors: [ - part922, - select200, - part923, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg555 = msg("00031:11", all180); - - var part924 = match("MESSAGE#547:00031:08/0", "nwparser.payload", "%{fld2}: SNMP community name \"%{fld3}\" %{p0}"); - - var part925 = match("MESSAGE#547:00031:08/1_0", "nwparser.p0", "attributes -- %{p0}"); - - var part926 = match("MESSAGE#547:00031:08/1_1", "nwparser.p0", "-- %{p0}"); - - var select201 = linear_select([ - part925, - part926, - ]); - - var part927 = match("MESSAGE#547:00031:08/2", "nwparser.p0", "write access, %{p0}"); - - var part928 = match("MESSAGE#547:00031:08/4", "nwparser.p0", "; receive traps, %{p0}"); - - var part929 = match("MESSAGE#547:00031:08/6", "nwparser.p0", "; receive traffic alarms, %{p0}"); - - var part930 = match("MESSAGE#547:00031:08/8", "nwparser.p0", "-%{p0}"); - - var part931 = match("MESSAGE#547:00031:08/9_0", "nwparser.p0", "- %{p0}"); - - var select202 = linear_select([ - part931, - dup96, - ]); - - var part932 = match("MESSAGE#547:00031:08/10", "nwparser.p0", "have been modified%{}"); - - var all181 = all_match({ - processors: [ - part924, - select201, - part927, - dup379, - part928, - dup379, - part929, - dup379, - part930, - select202, - part932, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg556 = msg("00031:08", all181); - - var part933 = match("MESSAGE#548:00031:05/0", "nwparser.payload", "Detect IP conflict (%{fld2}) on %{p0}"); - - var all182 = all_match({ - processors: [ - part933, - dup337, - dup227, - ], - on_success: processor_chain([ - dup121, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg557 = msg("00031:05", all182); - - var part934 = match("MESSAGE#549:00031:06/1_0", "nwparser.p0", "q, %{p0}"); - - var select203 = linear_select([ - part934, - dup229, - dup230, - ]); - - var part935 = 
match("MESSAGE#549:00031:06/2", "nwparser.p0", "detect IP conflict ( %{hostip->} )%{p0}"); - - var select204 = linear_select([ - dup105, - dup96, - ]); - - var part936 = match("MESSAGE#549:00031:06/4", "nwparser.p0", "mac%{p0}"); - - var part937 = match("MESSAGE#549:00031:06/6", "nwparser.p0", "%{macaddr->} on %{p0}"); - - var all183 = all_match({ - processors: [ - dup228, - select203, - part935, - select204, - part936, - dup356, - part937, - dup352, - dup23, - dup380, - ], - on_success: processor_chain([ - dup121, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg558 = msg("00031:06", all183); - - var part938 = match("MESSAGE#550:00031:07/2", "nwparser.p0", "detects a duplicate virtual security device group master IP address %{hostip}, MAC address %{macaddr->} on %{p0}"); - - var all184 = all_match({ - processors: [ - dup228, - dup381, - part938, - dup337, - dup227, - ], - on_success: processor_chain([ - dup121, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg559 = msg("00031:07", all184); - - var part939 = match("MESSAGE#551:00031:09/2", "nwparser.p0", "detected an IP conflict (IP %{hostip}, MAC %{macaddr}) on interface %{p0}"); - - var all185 = all_match({ - processors: [ - dup228, - dup381, - part939, - dup380, - ], - on_success: processor_chain([ - dup121, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg560 = msg("00031:09", all185); - - var part940 = match("MESSAGE#552:00031:10", "nwparser.payload", "%{fld2}: SNMP community \"%{fld3}\" has been moved. (%{fld1})", processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg561 = msg("00031:10", part940); - - var part941 = match("MESSAGE#553:00031:12", "nwparser.payload", "%{fld2->} system contact has been changed to %{fld3}. 
(%{fld1})", processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg562 = msg("00031:12", part941); - - var select205 = linear_select([ - msg549, - msg550, - msg551, - msg552, - msg553, - msg554, - msg555, - msg556, - msg557, - msg558, - msg559, - msg560, - msg561, - msg562, - ]); - - var part942 = match("MESSAGE#554:00032", "nwparser.payload", "%{signame->} has been detected and blocked! From %{saddr}:%{sport->} to %{daddr}:%{dport->} using protocol %{protocol->} on interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([ - dup232, - dup2, - dup3, - dup59, - dup4, - dup5, - dup61, - ])); - - var msg563 = msg("00032", part942); - - var part943 = match("MESSAGE#555:00032:01", "nwparser.payload", "%{signame->} has been detected and blocked! From %{saddr}:%{sport->} to %{daddr}:%{dport->} using protocol %{protocol->} on interface %{interface}", processor_chain([ - dup232, - dup2, - dup3, - dup4, - dup5, - dup61, - ])); - - var msg564 = msg("00032:01", part943); - - var part944 = match("MESSAGE#556:00032:03/0", "nwparser.payload", "Vsys %{fld2->} has been %{p0}"); - - var part945 = match("MESSAGE#556:00032:03/1_0", "nwparser.p0", "changed to %{fld3}"); - - var part946 = match("MESSAGE#556:00032:03/1_1", "nwparser.p0", "created%{}"); - - var part947 = match("MESSAGE#556:00032:03/1_2", "nwparser.p0", "deleted%{}"); - - var part948 = match("MESSAGE#556:00032:03/1_3", "nwparser.p0", "removed%{}"); - - var select206 = linear_select([ - part945, - part946, - part947, - part948, - ]); - - var all186 = all_match({ - processors: [ - part944, - select206, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg565 = msg("00032:03", all186); - - var part949 = match("MESSAGE#557:00032:04", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to %{daddr}:%{dport->} using protocol %{protocol->} on interface %{interface}.%{space}The attack occurred 
%{dclass_counter1->} times", processor_chain([ - dup232, - dup2, - dup3, - dup4, - dup59, - dup5, - dup61, - ])); - - var msg566 = msg("00032:04", part949); - - var part950 = match("MESSAGE#558:00032:05", "nwparser.payload", "%{change_attribute->} for vsys %{fld2->} has been changed from %{change_old->} to %{change_new}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg567 = msg("00032:05", part950); - - var msg568 = msg("00032:02", dup375); - - var select207 = linear_select([ - msg563, - msg564, - msg565, - msg566, - msg567, - msg568, - ]); - - var part951 = match("MESSAGE#560:00033:25", "nwparser.payload", "NSM has been %{disposition}. (%{fld1})", processor_chain([ - dup44, - dup2, - dup3, - dup9, - dup4, - dup5, - setc("agent","NSM"), - ])); - - var msg569 = msg("00033:25", part951); - - var part952 = match("MESSAGE#561:00033/1", "nwparser.p0", "timeout value has been %{p0}"); - - var part953 = match("MESSAGE#561:00033/2_1", "nwparser.p0", "returned%{p0}"); - - var select208 = linear_select([ - dup52, - part953, - ]); - - var part954 = match("MESSAGE#561:00033/3", "nwparser.p0", "%{}to %{fld2}"); - - var all187 = all_match({ - processors: [ - dup382, - part952, - select208, - part954, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg570 = msg("00033", all187); - - var part955 = match("MESSAGE#562:00033:03/1_0", "nwparser.p0", "Global PRO %{p0}"); - - var part956 = match("MESSAGE#562:00033:03/1_1", "nwparser.p0", "%{fld3->} %{p0}"); - - var select209 = linear_select([ - part955, - part956, - ]); - - var part957 = match("MESSAGE#562:00033:03/4", "nwparser.p0", "host has been set to %{fld4}"); - - var all188 = all_match({ - processors: [ - dup160, - select209, - dup23, - dup369, - part957, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg571 = msg("00033:03", all188); - - var part958 = match("MESSAGE#563:00033:02/3", "nwparser.p0", "host 
has been %{disposition}"); - - var all189 = all_match({ - processors: [ - dup382, - dup23, - dup369, - part958, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg572 = msg("00033:02", all189); - - var part959 = match("MESSAGE#564:00033:04", "nwparser.payload", "Reporting of %{fld2->} to %{fld3->} has been %{disposition}.", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg573 = msg("00033:04", part959); - - var part960 = match("MESSAGE#565:00033:05", "nwparser.payload", "Global PRO has been %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg574 = msg("00033:05", part960); - - var part961 = match("MESSAGE#566:00033:06", "nwparser.payload", "%{signame}! From %{saddr}:%{sport->} to %{daddr}:%{dport->} using protocol %{protocol->} and arriving at interface %{interface}. The attack occurred %{dclass_counter1->} times", processor_chain([ - dup27, - dup2, - dup3, - dup59, - dup4, - dup5, - dup61, - ])); - - var msg575 = msg("00033:06", part961); - - var part962 = match("MESSAGE#567:00033:01", "nwparser.payload", "%{signame}! From %{saddr}:%{sport->} to %{daddr}:%{dport->} using protocol %{protocol->} and arriving at interface %{interface}. 
The threshold was exceeded %{dclass_counter1->} times", processor_chain([ - dup27, - dup2, - dup3, - setc("dclass_counter1_string","Number of times the threshold was exceeded"), - dup4, - dup5, - dup61, - ])); - - var msg576 = msg("00033:01", part962); - - var part963 = match("MESSAGE#568:00033:07", "nwparser.payload", "User-defined service %{service->} has been %{disposition->} from %{fld2->} distribution", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg577 = msg("00033:07", part963); - - var part964 = match("MESSAGE#569:00033:08/2", "nwparser.p0", "?s CA certificate field has not been specified.%{}"); - - var all190 = all_match({ - processors: [ - dup235, - dup383, - part964, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg578 = msg("00033:08", all190); - - var part965 = match("MESSAGE#570:00033:09/2", "nwparser.p0", "?s Cert-Subject field has not been specified.%{}"); - - var all191 = all_match({ - processors: [ - dup235, - dup383, - part965, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg579 = msg("00033:09", all191); - - var part966 = match("MESSAGE#571:00033:10/2", "nwparser.p0", "?s host field has been %{p0}"); - - var part967 = match("MESSAGE#571:00033:10/3_0", "nwparser.p0", "set to %{fld2->} %{p0}"); - - var select210 = linear_select([ - part967, - dup238, - ]); - - var all192 = all_match({ - processors: [ - dup235, - dup383, - part966, - select210, - dup116, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg580 = msg("00033:10", all192); - - var part968 = match("MESSAGE#572:00033:11/2", "nwparser.p0", "?s outgoing interface used to report NACN to Policy Manager %{p0}"); - - var part969 = match("MESSAGE#572:00033:11/4", "nwparser.p0", "has not been specified.%{}"); - - var all193 = all_match({ - processors: [ - dup235, - dup383, - part968, - dup383, - part969, - ], - 
on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg581 = msg("00033:11", all193); - - var part970 = match("MESSAGE#573:00033:12/2", "nwparser.p0", "?s password field has been %{p0}"); - - var select211 = linear_select([ - dup101, - dup238, - ]); - - var all194 = all_match({ - processors: [ - dup235, - dup383, - part970, - select211, - dup116, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg582 = msg("00033:12", all194); - - var part971 = match("MESSAGE#574:00033:13/2", "nwparser.p0", "?s policy-domain field has been %{p0}"); - - var part972 = match("MESSAGE#574:00033:13/3_0", "nwparser.p0", "unset .%{}"); - - var part973 = match("MESSAGE#574:00033:13/3_1", "nwparser.p0", "set to %{domain}."); - - var select212 = linear_select([ - part972, - part973, - ]); - - var all195 = all_match({ - processors: [ - dup235, - dup383, - part971, - select212, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg583 = msg("00033:13", all195); - - var part974 = match("MESSAGE#575:00033:14/2", "nwparser.p0", "?s CA certificate field has been set to %{fld2}."); - - var all196 = all_match({ - processors: [ - dup235, - dup383, - part974, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg584 = msg("00033:14", all196); - - var part975 = match("MESSAGE#576:00033:15/2", "nwparser.p0", "?s Cert-Subject field has been set to %{fld2}."); - - var all197 = all_match({ - processors: [ - dup235, - dup383, - part975, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg585 = msg("00033:15", all197); - - var part976 = match("MESSAGE#577:00033:16/2", "nwparser.p0", "?s outgoing-interface field has been set to %{interface}."); - - var all198 = all_match({ - processors: [ - dup235, - dup383, - part976, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, 
- dup5, - ]), - }); - - var msg586 = msg("00033:16", all198); - - var part977 = match("MESSAGE#578:00033:17/2", "nwparser.p0", "?s port field has been %{p0}"); - - var part978 = match("MESSAGE#578:00033:17/3_0", "nwparser.p0", "set to %{network_port->} %{p0}"); - - var part979 = match("MESSAGE#578:00033:17/3_1", "nwparser.p0", "reset to the default value %{p0}"); - - var select213 = linear_select([ - part978, - part979, - ]); - - var all199 = all_match({ - processors: [ - dup235, - dup383, - part977, - select213, - dup116, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg587 = msg("00033:17", all199); - - var part980 = match("MESSAGE#579:00033:19/0", "nwparser.payload", "%{signame}! From %{saddr}:%{sport->} to %{daddr}:%{p0}"); - - var part981 = match("MESSAGE#579:00033:19/4", "nwparser.p0", "%{fld99}arriving at interface %{dinterface->} in zone %{dst_zone}.%{space}The attack occurred %{dclass_counter1->} time."); - - var all200 = all_match({ - processors: [ - part980, - dup339, - dup70, - dup340, - part981, - ], - on_success: processor_chain([ - dup27, - dup2, - dup4, - dup5, - dup3, - dup59, - dup61, - ]), - }); - - var msg588 = msg("00033:19", all200); - - var part982 = match("MESSAGE#580:00033:20", "nwparser.payload", "%{signame}! From %{saddr->} to %{daddr}, using protocol %{protocol}, and arriving at interface %{dinterface->} in zone %{dst_zone}.%{space}The attack occurred %{dclass_counter1->} time.", processor_chain([ - dup27, - dup2, - dup4, - dup5, - dup3, - dup59, - dup60, - ])); - - var msg589 = msg("00033:20", part982); - - var all201 = all_match({ - processors: [ - dup239, - dup343, - dup83, - ], - on_success: processor_chain([ - dup27, - dup2, - dup9, - dup59, - dup3, - dup4, - dup5, - dup61, - ]), - }); - - var msg590 = msg("00033:21", all201); - - var part983 = match("MESSAGE#582:00033:22/0", "nwparser.payload", "%{signame}! 
From %{saddr->} to %{daddr}, proto %{protocol->} (zone %{zone->} %{p0}"); - - var all202 = all_match({ - processors: [ - part983, - dup343, - dup83, - ], - on_success: processor_chain([ - dup27, - dup2, - dup9, - dup59, - dup3, - dup4, - dup5, - dup60, - ]), - }); - - var msg591 = msg("00033:22", all202); - - var part984 = match("MESSAGE#583:00033:23", "nwparser.payload", "NSM primary server with name %{hostname->} was set: addr %{hostip}, port %{network_port}. (%{fld1})", processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg592 = msg("00033:23", part984); - - var part985 = match("MESSAGE#584:00033:24", "nwparser.payload", "session threshold From %{saddr}:%{sport->} to %{daddr}:%{dport}, using protocol %{protocol}, on zone %{zone->} interface %{interface}.%{info}. (%{fld1})", processor_chain([ - setc("eventcategory","1001030500"), - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg593 = msg("00033:24", part985); - - var select214 = linear_select([ - msg569, - msg570, - msg571, - msg572, - msg573, - msg574, - msg575, - msg576, - msg577, - msg578, - msg579, - msg580, - msg581, - msg582, - msg583, - msg584, - msg585, - msg586, - msg587, - msg588, - msg589, - msg590, - msg591, - msg592, - msg593, - ]); - - var part986 = match("MESSAGE#585:00034/0_0", "nwparser.payload", "SCS: Failed %{p0}"); - - var part987 = match("MESSAGE#585:00034/0_1", "nwparser.payload", "Failed %{p0}"); - - var select215 = linear_select([ - part986, - part987, - ]); - - var part988 = match("MESSAGE#585:00034/2_0", "nwparser.p0", "bind %{p0}"); - - var part989 = match("MESSAGE#585:00034/2_2", "nwparser.p0", "retrieve %{p0}"); - - var select216 = linear_select([ - part988, - dup201, - part989, - ]); - - var select217 = linear_select([ - dup196, - dup103, - dup163, - ]); - - var part990 = match("MESSAGE#585:00034/5", "nwparser.p0", "SSH user %{username}. 
(Key ID=%{fld2})"); - - var all203 = all_match({ - processors: [ - select215, - dup103, - select216, - dup202, - select217, - part990, - ], - on_success: processor_chain([ - dup240, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg594 = msg("00034", all203); - - var part991 = match("MESSAGE#586:00034:01/0_0", "nwparser.payload", "SCS: Incompatible %{p0}"); - - var part992 = match("MESSAGE#586:00034:01/0_1", "nwparser.payload", "Incompatible %{p0}"); - - var select218 = linear_select([ - part991, - part992, - ]); - - var part993 = match("MESSAGE#586:00034:01/1", "nwparser.p0", "SSH version %{version->} has been received from %{p0}"); - - var part994 = match("MESSAGE#586:00034:01/2_0", "nwparser.p0", "the SSH %{p0}"); - - var select219 = linear_select([ - part994, - dup241, - ]); - - var part995 = match("MESSAGE#586:00034:01/3", "nwparser.p0", "client at %{saddr}:%{sport}"); - - var all204 = all_match({ - processors: [ - select218, - part993, - select219, - part995, - ], - on_success: processor_chain([ - dup240, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg595 = msg("00034:01", all204); - - var part996 = match("MESSAGE#587:00034:02", "nwparser.payload", "Maximum number of SCS sessions %{fld2->} has been reached. Connection request from SSH user %{username->} at %{saddr}:%{sport->} has been %{disposition}", processor_chain([ - dup240, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg596 = msg("00034:02", part996); - - var part997 = match("MESSAGE#588:00034:03/1", "nwparser.p0", "device failed to authenticate the SSH client at %{saddr}:%{sport}"); - - var all205 = all_match({ - processors: [ - dup384, - part997, - ], - on_success: processor_chain([ - dup240, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg597 = msg("00034:03", all205); - - var part998 = match("MESSAGE#589:00034:04", "nwparser.payload", "SCS: NetScreen device failed to generate a PKA RSA challenge for SSH user %{username->} at %{saddr}:%{sport}. 
(Key ID=%{fld2})", processor_chain([ - dup240, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg598 = msg("00034:04", part998); - - var part999 = match("MESSAGE#590:00034:05", "nwparser.payload", "NetScreen device failed to generate a PKA RSA challenge for SSH user %{username}. (Key ID=%{fld2})", processor_chain([ - dup240, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg599 = msg("00034:05", part999); - - var part1000 = match("MESSAGE#591:00034:06/1", "nwparser.p0", "device failed to %{p0}"); - - var part1001 = match("MESSAGE#591:00034:06/2_0", "nwparser.p0", "identify itself %{p0}"); - - var part1002 = match("MESSAGE#591:00034:06/2_1", "nwparser.p0", "send the identification string %{p0}"); - - var select220 = linear_select([ - part1001, - part1002, - ]); - - var part1003 = match("MESSAGE#591:00034:06/3", "nwparser.p0", "to the SSH client at %{saddr}:%{sport}"); - - var all206 = all_match({ - processors: [ - dup384, - part1000, - select220, - part1003, - ], - on_success: processor_chain([ - dup240, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg600 = msg("00034:06", all206); - - var part1004 = match("MESSAGE#592:00034:07", "nwparser.payload", "SCS connection has been terminated for admin user %{username->} at %{saddr}:%{sport}", processor_chain([ - dup240, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg601 = msg("00034:07", part1004); - - var part1005 = match("MESSAGE#593:00034:08", "nwparser.payload", "SCS: SCS has been %{disposition->} for %{username->} with %{fld2->} existing PKA keys already bound to %{fld3->} SSH users.", processor_chain([ - dup240, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg602 = msg("00034:08", part1005); - - var part1006 = match("MESSAGE#594:00034:09", "nwparser.payload", "SCS has been %{disposition->} for %{username->} with %{fld2->} PKA keys already bound to %{fld3->} SSH users", processor_chain([ - dup240, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg603 = msg("00034:09", part1006); - - var part1007 = 
match("MESSAGE#595:00034:10/2", "nwparser.p0", "%{}client at %{saddr->} has attempted to make an SCS connection to %{p0}"); - - var part1008 = match("MESSAGE#595:00034:10/4", "nwparser.p0", "%{interface->} %{p0}"); - - var part1009 = match("MESSAGE#595:00034:10/5_0", "nwparser.p0", "with%{p0}"); - - var part1010 = match("MESSAGE#595:00034:10/5_1", "nwparser.p0", "at%{p0}"); - - var select221 = linear_select([ - part1009, - part1010, - ]); - - var part1011 = match("MESSAGE#595:00034:10/6", "nwparser.p0", "%{}IP %{hostip->} but %{disposition->} because %{result}"); - - var all207 = all_match({ - processors: [ - dup244, - dup385, - part1007, - dup352, - part1008, - select221, - part1011, - ], - on_success: processor_chain([ - dup240, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg604 = msg("00034:10", all207); - - var part1012 = match("MESSAGE#596:00034:12/2", "nwparser.p0", "%{}client at %{saddr}:%{sport->} has attempted to make an SCS connection to %{p0}"); - - var part1013 = match("MESSAGE#596:00034:12/4", "nwparser.p0", "but %{disposition->} because %{result}"); - - var all208 = all_match({ - processors: [ - dup244, - dup385, - part1012, - dup386, - part1013, - ], - on_success: processor_chain([ - dup240, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg605 = msg("00034:12", all208); - - var part1014 = match("MESSAGE#597:00034:11/2", "nwparser.p0", "%{}client at %{saddr}:%{sport->} has %{disposition->} to make an SCS connection to %{p0}"); - - var part1015 = match("MESSAGE#597:00034:11/4", "nwparser.p0", "because %{result}"); - - var all209 = all_match({ - processors: [ - dup244, - dup385, - part1014, - dup386, - part1015, - ], - on_success: processor_chain([ - dup240, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg606 = msg("00034:11", all209); - - var part1016 = match("MESSAGE#598:00034:15", "nwparser.payload", "SSH client at %{saddr}:%{sport->} has %{disposition->} to make an SCS connection because %{result}", processor_chain([ - dup240, - 
dup2, - dup3, - dup4, - dup5, - ])); - - var msg607 = msg("00034:15", part1016); - - var part1017 = match("MESSAGE#599:00034:18/2", "nwparser.p0", "user %{username->} at %{saddr}:%{sport->} cannot log in via SCS to %{service->} using the shared %{interface->} interface because %{result}"); - - var all210 = all_match({ - processors: [ - dup244, - dup387, - part1017, - ], - on_success: processor_chain([ - dup240, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg608 = msg("00034:18", all210); - - var part1018 = match("MESSAGE#600:00034:20/2", "nwparser.p0", "user %{username->} at %{saddr}:%{sport->} has %{disposition->} the PKA RSA challenge"); - - var all211 = all_match({ - processors: [ - dup244, - dup387, - part1018, - ], - on_success: processor_chain([ - dup240, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg609 = msg("00034:20", all211); - - var part1019 = match("MESSAGE#601:00034:21/2", "nwparser.p0", "user %{username->} at %{saddr}:%{sport->} has requested %{p0}"); - - var part1020 = match("MESSAGE#601:00034:21/4", "nwparser.p0", "authentication which is not %{p0}"); - - var part1021 = match("MESSAGE#601:00034:21/5_0", "nwparser.p0", "supported %{p0}"); - - var select222 = linear_select([ - part1021, - dup156, - ]); - - var part1022 = match("MESSAGE#601:00034:21/6", "nwparser.p0", "for that %{p0}"); - - var part1023 = match("MESSAGE#601:00034:21/7_0", "nwparser.p0", "client%{}"); - - var part1024 = match("MESSAGE#601:00034:21/7_1", "nwparser.p0", "user%{}"); - - var select223 = linear_select([ - part1023, - part1024, - ]); - - var all212 = all_match({ - processors: [ - dup244, - dup387, - part1019, - dup372, - part1020, - select222, - part1022, - select223, - ], - on_success: processor_chain([ - dup240, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg610 = msg("00034:21", all212); - - var part1025 = match("MESSAGE#602:00034:22", "nwparser.payload", "SSH user %{username->} at %{saddr}:%{sport->} has unsuccessfully attempted to log in via SCS 
to vsys %{fld2->} using the shared untrusted interface", processor_chain([ - dup240, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg611 = msg("00034:22", part1025); - - var part1026 = match("MESSAGE#603:00034:23/1_0", "nwparser.p0", "SCS: Unable %{p0}"); - - var part1027 = match("MESSAGE#603:00034:23/1_1", "nwparser.p0", "Unable %{p0}"); - - var select224 = linear_select([ - part1026, - part1027, - ]); - - var part1028 = match("MESSAGE#603:00034:23/2", "nwparser.p0", "to validate cookie from the SSH client at %{saddr}:%{sport}"); - - var all213 = all_match({ - processors: [ - dup160, - select224, - part1028, - ], - on_success: processor_chain([ - dup240, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg612 = msg("00034:23", all213); - - var part1029 = match("MESSAGE#604:00034:24", "nwparser.payload", "AC %{username->} is advertising URL %{fld2}", processor_chain([ - dup240, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg613 = msg("00034:24", part1029); - - var part1030 = match("MESSAGE#605:00034:25", "nwparser.payload", "Message from AC %{username}: %{fld2}", processor_chain([ - dup240, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg614 = msg("00034:25", part1030); - - var part1031 = match("MESSAGE#606:00034:26", "nwparser.payload", "PPPoE Settings changed%{}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg615 = msg("00034:26", part1031); - - var part1032 = match("MESSAGE#607:00034:27", "nwparser.payload", "PPPoE is %{disposition->} on %{interface->} interface", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg616 = msg("00034:27", part1032); - - var part1033 = match("MESSAGE#608:00034:28", "nwparser.payload", "PPPoE%{quote}s session closed by AC", processor_chain([ - dup209, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg617 = msg("00034:28", part1033); - - var part1034 = match("MESSAGE#609:00034:29", "nwparser.payload", "SCS: Disabled for %{username}. 
Attempted connection %{disposition->} from %{saddr}:%{sport}", processor_chain([ - dup240, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg618 = msg("00034:29", part1034); - - var part1035 = match("MESSAGE#610:00034:30", "nwparser.payload", "SCS: %{disposition->} to remove PKA key removed.", processor_chain([ - dup240, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg619 = msg("00034:30", part1035); - - var part1036 = match("MESSAGE#611:00034:31", "nwparser.payload", "SCS: %{disposition->} to retrieve host key", processor_chain([ - dup240, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg620 = msg("00034:31", part1036); - - var part1037 = match("MESSAGE#612:00034:32", "nwparser.payload", "SCS: %{disposition->} to send identification string to client host at %{saddr}:%{sport}.", processor_chain([ - dup240, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg621 = msg("00034:32", part1037); - - var part1038 = match("MESSAGE#613:00034:33", "nwparser.payload", "SCS: Max %{fld2->} sessions reached unabel to accept connection : %{saddr}:%{sport}", processor_chain([ - dup240, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg622 = msg("00034:33", part1038); - - var part1039 = match("MESSAGE#614:00034:34", "nwparser.payload", "SCS: Maximum number for SCS sessions %{fld2->} has been reached. 
Connection request from SSH user at %{saddr}:%{sport->} has been %{disposition}.", processor_chain([ - dup240, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg623 = msg("00034:34", part1039); - - var part1040 = match("MESSAGE#615:00034:35", "nwparser.payload", "SCS: SSH user %{username->} at %{saddr}:%{sport->} has unsuccessfully attempted to log in via SCS to %{service->} using the shared untrusted interface because SCS is disabled on that interface.", processor_chain([ - dup240, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg624 = msg("00034:35", part1040); - - var part1041 = match("MESSAGE#616:00034:36", "nwparser.payload", "SCS: Unsupported cipher type %{fld2->} requested from: %{saddr}:%{sport}", processor_chain([ - dup240, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg625 = msg("00034:36", part1041); - - var part1042 = match("MESSAGE#617:00034:37", "nwparser.payload", "The Point-to-Point Protocol over Ethernet (PPPoE) protocol settings changed%{}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg626 = msg("00034:37", part1042); - - var part1043 = match("MESSAGE#618:00034:38", "nwparser.payload", "SSH: %{disposition->} to retreive PKA key bound to SSH user %{username->} (Key ID %{fld2})", processor_chain([ - dup240, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg627 = msg("00034:38", part1043); - - var part1044 = match("MESSAGE#619:00034:39", "nwparser.payload", "SSH: Error processing packet from host %{saddr->} (Code %{fld2})", processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg628 = msg("00034:39", part1044); - - var part1045 = match("MESSAGE#620:00034:40", "nwparser.payload", "SSH: Device failed to send initialization string to client at %{saddr}", processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg629 = msg("00034:40", part1045); - - var part1046 = match("MESSAGE#621:00034:41/0", "nwparser.payload", "SCP: Admin user '%{administrator}' attempted to transfer file 
%{p0}"); - - var part1047 = match("MESSAGE#621:00034:41/2", "nwparser.p0", "the device with insufficient privilege.%{}"); - - var all214 = all_match({ - processors: [ - part1046, - dup373, - part1047, - ], - on_success: processor_chain([ - dup240, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg630 = msg("00034:41", all214); - - var part1048 = match("MESSAGE#622:00034:42", "nwparser.payload", "SSH: Maximum number of SSH sessions (%{fld2}) exceeded. Connection request from SSH user %{username->} at %{saddr->} denied.", processor_chain([ - dup240, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg631 = msg("00034:42", part1048); - - var part1049 = match("MESSAGE#623:00034:43", "nwparser.payload", "Ethernet driver ran out of rx bd (port %{network_port})", processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg632 = msg("00034:43", part1049); - - var part1050 = match("MESSAGE#1224:00034:44", "nwparser.payload", "Potential replay attack detected on SSH connection initiated from %{saddr}:%{sport->} (%{fld1})", processor_chain([ - dup44, - dup2, - dup4, - dup5, - dup9, - ])); - - var msg633 = msg("00034:44", part1050); - - var select225 = linear_select([ - msg594, - msg595, - msg596, - msg597, - msg598, - msg599, - msg600, - msg601, - msg602, - msg603, - msg604, - msg605, - msg606, - msg607, - msg608, - msg609, - msg610, - msg611, - msg612, - msg613, - msg614, - msg615, - msg616, - msg617, - msg618, - msg619, - msg620, - msg621, - msg622, - msg623, - msg624, - msg625, - msg626, - msg627, - msg628, - msg629, - msg630, - msg631, - msg632, - msg633, - ]); - - var part1051 = match("MESSAGE#624:00035", "nwparser.payload", "PKI Verify Error: %{resultcode}:%{result}", processor_chain([ - dup117, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg634 = msg("00035", part1051); - - var part1052 = match("MESSAGE#625:00035:01", "nwparser.payload", "SSL - Error MessageID in incoming mail - %{fld2}", processor_chain([ - dup117, - dup2, - dup3, - dup4, - 
dup5, - ])); - - var msg635 = msg("00035:01", part1052); - - var part1053 = match("MESSAGE#626:00035:02", "nwparser.payload", "SSL - cipher type %{fld2->} is not allowed in export or firewall only system", processor_chain([ - dup117, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg636 = msg("00035:02", part1053); - - var part1054 = match("MESSAGE#627:00035:03", "nwparser.payload", "SSL CA changed%{}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg637 = msg("00035:03", part1054); - - var part1055 = match("MESSAGE#628:00035:04/0", "nwparser.payload", "SSL Error when retrieve local c%{p0}"); - - var part1056 = match("MESSAGE#628:00035:04/1_0", "nwparser.p0", "a(verify) %{p0}"); - - var part1057 = match("MESSAGE#628:00035:04/1_1", "nwparser.p0", "ert(verify) %{p0}"); - - var part1058 = match("MESSAGE#628:00035:04/1_2", "nwparser.p0", "ert(all) %{p0}"); - - var select226 = linear_select([ - part1056, - part1057, - part1058, - ]); - - var part1059 = match("MESSAGE#628:00035:04/2", "nwparser.p0", ": %{fld2}"); - - var all215 = all_match({ - processors: [ - part1055, - select226, - part1059, - ], - on_success: processor_chain([ - dup117, - dup2, - dup4, - dup5, - dup3, - ]), - }); - - var msg638 = msg("00035:04", all215); - - var part1060 = match("MESSAGE#629:00035:05", "nwparser.payload", "SSL No ssl context. 
Not ready for connections.%{}", processor_chain([ - dup117, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg639 = msg("00035:05", part1060); - - var part1061 = match("MESSAGE#630:00035:06/0", "nwparser.payload", "SSL c%{p0}"); - - var part1062 = match("MESSAGE#630:00035:06/2", "nwparser.p0", "changed to none%{}"); - - var all216 = all_match({ - processors: [ - part1061, - dup388, - part1062, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg640 = msg("00035:06", all216); - - var part1063 = match("MESSAGE#631:00035:07", "nwparser.payload", "SSL cert subject mismatch: %{fld2->} recieved %{fld3->} is expected", processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg641 = msg("00035:07", part1063); - - var part1064 = match("MESSAGE#632:00035:08", "nwparser.payload", "SSL certificate changed%{}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg642 = msg("00035:08", part1064); - - var part1065 = match("MESSAGE#633:00035:09/1_0", "nwparser.p0", "enabled%{}"); - - var select227 = linear_select([ - part1065, - dup92, - ]); - - var all217 = all_match({ - processors: [ - dup253, - select227, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg643 = msg("00035:09", all217); - - var part1066 = match("MESSAGE#634:00035:10/0", "nwparser.payload", "SSL memory allocation fails in process_c%{p0}"); - - var part1067 = match("MESSAGE#634:00035:10/1_0", "nwparser.p0", "a()%{}"); - - var part1068 = match("MESSAGE#634:00035:10/1_1", "nwparser.p0", "ert()%{}"); - - var select228 = linear_select([ - part1067, - part1068, - ]); - - var all218 = all_match({ - processors: [ - part1066, - select228, - ], - on_success: processor_chain([ - dup184, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg644 = msg("00035:10", all218); - - var part1069 = match("MESSAGE#635:00035:11/0", "nwparser.payload", "SSL no ssl c%{p0}"); - - var part1070 = 
match("MESSAGE#635:00035:11/1_0", "nwparser.p0", "a%{}"); - - var part1071 = match("MESSAGE#635:00035:11/1_1", "nwparser.p0", "ert%{}"); - - var select229 = linear_select([ - part1070, - part1071, - ]); - - var all219 = all_match({ - processors: [ - part1069, - select229, - ], - on_success: processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg645 = msg("00035:11", all219); - - var part1072 = match("MESSAGE#636:00035:12/0", "nwparser.payload", "SSL set c%{p0}"); - - var part1073 = match("MESSAGE#636:00035:12/2", "nwparser.p0", "id is invalid %{fld2}"); - - var all220 = all_match({ - processors: [ - part1072, - dup388, - part1073, - ], - on_success: processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg646 = msg("00035:12", all220); - - var part1074 = match("MESSAGE#637:00035:13/1_1", "nwparser.p0", "verify %{p0}"); - - var select230 = linear_select([ - dup101, - part1074, - ]); - - var part1075 = match("MESSAGE#637:00035:13/2", "nwparser.p0", "cert failed. 
Key type is not RSA%{}"); - - var all221 = all_match({ - processors: [ - dup253, - select230, - part1075, - ], - on_success: processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg647 = msg("00035:13", all221); - - var part1076 = match("MESSAGE#638:00035:14", "nwparser.payload", "SSL ssl context init failed%{}", processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg648 = msg("00035:14", part1076); - - var part1077 = match("MESSAGE#639:00035:15/0", "nwparser.payload", "%{change_attribute->} has been changed %{p0}"); - - var part1078 = match("MESSAGE#639:00035:15/1_0", "nwparser.p0", "from %{change_old->} to %{change_new}"); - - var part1079 = match("MESSAGE#639:00035:15/1_1", "nwparser.p0", "to %{fld2}"); - - var select231 = linear_select([ - part1078, - part1079, - ]); - - var all222 = all_match({ - processors: [ - part1077, - select231, - ], - on_success: processor_chain([ - dup184, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg649 = msg("00035:15", all222); - - var part1080 = match("MESSAGE#640:00035:16", "nwparser.payload", "web SSL certificate changed to by %{username->} via web from host %{saddr->} to %{daddr}:%{dport->} %{fld5}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg650 = msg("00035:16", part1080); - - var select232 = linear_select([ - msg634, - msg635, - msg636, - msg637, - msg638, - msg639, - msg640, - msg641, - msg642, - msg643, - msg644, - msg645, - msg646, - msg647, - msg648, - msg649, - msg650, - ]); - - var part1081 = match("MESSAGE#641:00036", "nwparser.payload", "An optional ScreenOS feature has been activated via a software key%{}", processor_chain([ - dup209, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg651 = msg("00036", part1081); - - var part1082 = match("MESSAGE#642:00036:01/0", "nwparser.payload", "%{fld2->} license keys were updated successfully by %{p0}"); - - var part1083 = match("MESSAGE#642:00036:01/1_1", "nwparser.p0", "manual %{p0}"); 
- - var select233 = linear_select([ - dup214, - part1083, - ]); - - var part1084 = match("MESSAGE#642:00036:01/2", "nwparser.p0", "retrieval%{}"); - - var all223 = all_match({ - processors: [ - part1082, - select233, - part1084, - ], - on_success: processor_chain([ - dup254, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg652 = msg("00036:01", all223); - - var select234 = linear_select([ - msg651, - msg652, - ]); - - var part1085 = match("MESSAGE#643:00037/0", "nwparser.payload", "Intra-zone block for zone %{zone->} was set to o%{p0}"); - - var part1086 = match("MESSAGE#643:00037/1_0", "nwparser.p0", "n%{}"); - - var part1087 = match("MESSAGE#643:00037/1_1", "nwparser.p0", "ff%{}"); - - var select235 = linear_select([ - part1086, - part1087, - ]); - - var all224 = all_match({ - processors: [ - part1085, - select235, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg653 = msg("00037", all224); - - var part1088 = match("MESSAGE#644:00037:01/0", "nwparser.payload", "New zone %{zone->} ( %{p0}"); - - var select236 = linear_select([ - dup255, - dup256, - ]); - - var part1089 = match("MESSAGE#644:00037:01/2", "nwparser.p0", "%{fld2}) was created.%{p0}"); - - var all225 = all_match({ - processors: [ - part1088, - select236, - part1089, - dup351, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg654 = msg("00037:01", all225); - - var part1090 = match("MESSAGE#645:00037:02", "nwparser.payload", "Tunnel zone %{src_zone->} was bound to out zone %{dst_zone}.", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg655 = msg("00037:02", part1090); - - var part1091 = match("MESSAGE#646:00037:03/1_0", "nwparser.p0", "was was %{p0}"); - - var part1092 = match("MESSAGE#646:00037:03/1_1", "nwparser.p0", "%{zone->} was %{p0}"); - - var select237 = linear_select([ - part1091, - part1092, - ]); - - var part1093 = match("MESSAGE#646:00037:03/3", 
"nwparser.p0", "virtual router %{p0}"); - - var part1094 = match("MESSAGE#646:00037:03/4_0", "nwparser.p0", "%{node->} (%{fld1})"); - - var part1095 = match("MESSAGE#646:00037:03/4_1", "nwparser.p0", "%{node}."); - - var select238 = linear_select([ - part1094, - part1095, - ]); - - var all226 = all_match({ - processors: [ - dup113, - select237, - dup371, - part1093, - select238, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg656 = msg("00037:03", all226); - - var part1096 = match("MESSAGE#647:00037:04", "nwparser.payload", "Zone %{zone->} was changed to non-shared.", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg657 = msg("00037:04", part1096); - - var part1097 = match("MESSAGE#648:00037:05/0", "nwparser.payload", "Zone %{zone->} ( %{p0}"); - - var select239 = linear_select([ - dup256, - dup255, - ]); - - var part1098 = match("MESSAGE#648:00037:05/2", "nwparser.p0", "%{fld2}) was deleted. %{p0}"); - - var part1099 = match_copy("MESSAGE#648:00037:05/3_1", "nwparser.p0", "space"); - - var select240 = linear_select([ - dup10, - part1099, - ]); - - var all227 = all_match({ - processors: [ - part1097, - select239, - part1098, - select240, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg658 = msg("00037:05", all227); - - var part1100 = match("MESSAGE#649:00037:06", "nwparser.payload", "IP/TCP reassembly for ALG was %{disposition->} on zone %{zone}.", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg659 = msg("00037:06", part1100); - - var select241 = linear_select([ - msg653, - msg654, - msg655, - msg656, - msg657, - msg658, - msg659, - ]); - - var part1101 = match("MESSAGE#650:00038/0", "nwparser.payload", "OSPF routing instance in vrouter %{p0}"); - - var part1102 = match("MESSAGE#650:00038/1_0", "nwparser.p0", "%{node->} is %{p0}"); - - var part1103 = match("MESSAGE#650:00038/1_1", 
"nwparser.p0", "%{node->} %{p0}"); - - var select242 = linear_select([ - part1102, - part1103, - ]); - - var all228 = all_match({ - processors: [ - part1101, - select242, - dup36, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg660 = msg("00038", all228); - - var part1104 = match("MESSAGE#651:00039", "nwparser.payload", "BGP instance name created for vr %{node}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg661 = msg("00039", part1104); - - var part1105 = match("MESSAGE#652:00040/0_0", "nwparser.payload", "Low watermark%{p0}"); - - var part1106 = match("MESSAGE#652:00040/0_1", "nwparser.payload", "High watermark%{p0}"); - - var select243 = linear_select([ - part1105, - part1106, - ]); - - var part1107 = match("MESSAGE#652:00040/1", "nwparser.p0", "%{}for early aging has been changed to the default %{fld2}"); - - var all229 = all_match({ - processors: [ - select243, - part1107, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg662 = msg("00040", all229); - - var part1108 = match("MESSAGE#653:00040:01", "nwparser.payload", "VPN '%{group}' from %{daddr->} is %{disposition->} (%{fld1})", processor_chain([ - dup44, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg663 = msg("00040:01", part1108); - - var select244 = linear_select([ - msg662, - msg663, - ]); - - var part1109 = match("MESSAGE#654:00041", "nwparser.payload", "A route-map name in virtual router %{node->} has been removed", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg664 = msg("00041", part1109); - - var part1110 = match("MESSAGE#655:00041:01", "nwparser.payload", "VPN '%{group}' from %{daddr->} is %{disposition->} (%{fld1})", processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg665 = msg("00041:01", part1110); - - var select245 = linear_select([ - msg664, - msg665, - ]); - - var part1111 = 
match("MESSAGE#656:00042", "nwparser.payload", "Replay packet detected on IPSec tunnel on %{interface->} with tunnel ID %{fld2}! From %{saddr->} to %{daddr}/%{dport}, %{info->} (%{fld1})", processor_chain([ - dup58, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg666 = msg("00042", part1111); - - var part1112 = match("MESSAGE#657:00042:01", "nwparser.payload", "%{signame->} From %{saddr->} to %{daddr}, using protocol %{protocol}, and arriving at interface %{dinterface->} in zone %{dst_zone}.The attack occurred %{dclass_counter1->} times. (%{fld1})", processor_chain([ - dup58, - dup2, - dup3, - dup59, - dup9, - dup4, - dup5, - dup60, - ])); - - var msg667 = msg("00042:01", part1112); - - var select246 = linear_select([ - msg666, - msg667, - ]); - - var part1113 = match("MESSAGE#658:00043", "nwparser.payload", "Receive StopCCN_msg, remove l2tp tunnel (%{fld2}-%{fld3}), Result code %{resultcode->} (%{result}). (%{fld1})", processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg668 = msg("00043", part1113); - - var part1114 = match("MESSAGE#659:00044/0", "nwparser.payload", "access list %{listnum->} sequence number %{fld3->} %{p0}"); - - var part1115 = match("MESSAGE#659:00044/1_1", "nwparser.p0", "deny %{p0}"); - - var select247 = linear_select([ - dup257, - part1115, - ]); - - var part1116 = match("MESSAGE#659:00044/2", "nwparser.p0", "ip %{hostip}/%{mask->} %{disposition->} in vrouter %{node}"); - - var all230 = all_match({ - processors: [ - part1114, - select247, - part1116, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg669 = msg("00044", all230); - - var part1117 = match("MESSAGE#660:00044:01", "nwparser.payload", "access list %{listnum->} %{disposition->} in vrouter %{node}.", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg670 = msg("00044:01", part1117); - - var select248 = linear_select([ - msg669, - msg670, - ]); - - var part1118 = 
match("MESSAGE#661:00045", "nwparser.payload", "RIP instance in virtual router %{node->} was %{disposition}.", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg671 = msg("00045", part1118); - - var part1119 = match("MESSAGE#662:00047/1_0", "nwparser.p0", "remove %{p0}"); - - var part1120 = match("MESSAGE#662:00047/1_1", "nwparser.p0", "add %{p0}"); - - var select249 = linear_select([ - part1119, - part1120, - ]); - - var part1121 = match("MESSAGE#662:00047/2", "nwparser.p0", "multicast policy from %{src_zone->} %{fld4->} to %{dst_zone->} %{fld3->} (%{fld1})"); - - var all231 = all_match({ - processors: [ - dup183, - select249, - part1121, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg672 = msg("00047", all231); - - var part1122 = match("MESSAGE#663:00048/0", "nwparser.payload", "Access list entry %{listnum->} with %{p0}"); - - var part1123 = match("MESSAGE#663:00048/1_0", "nwparser.p0", "a sequence %{p0}"); - - var part1124 = match("MESSAGE#663:00048/1_1", "nwparser.p0", "sequence %{p0}"); - - var select250 = linear_select([ - part1123, - part1124, - ]); - - var part1125 = match("MESSAGE#663:00048/2", "nwparser.p0", "number %{fld2->} %{p0}"); - - var part1126 = match("MESSAGE#663:00048/3_0", "nwparser.p0", "with an action of %{p0}"); - - var select251 = linear_select([ - part1126, - dup112, - ]); - - var part1127 = match("MESSAGE#663:00048/5_0", "nwparser.p0", "with an IP %{p0}"); - - var select252 = linear_select([ - part1127, - dup139, - ]); - - var part1128 = match("MESSAGE#663:00048/6", "nwparser.p0", "address %{p0}"); - - var part1129 = match("MESSAGE#663:00048/7_0", "nwparser.p0", "and subnetwork mask of %{p0}"); - - var select253 = linear_select([ - part1129, - dup16, - ]); - - var part1130 = match("MESSAGE#663:00048/8", "nwparser.p0", "%{} %{fld3}was %{p0}"); - - var part1131 = match("MESSAGE#663:00048/9_0", "nwparser.p0", "created on %{p0}"); - - var select254 = 
linear_select([ - part1131, - dup129, - ]); - - var part1132 = match("MESSAGE#663:00048/10", "nwparser.p0", "virtual router %{node->} (%{fld1})"); - - var all232 = all_match({ - processors: [ - part1122, - select250, - part1125, - select251, - dup257, - select252, - part1128, - select253, - part1130, - select254, - part1132, - ], - on_success: processor_chain([ - setc("eventcategory","1501000000"), - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg673 = msg("00048", all232); - - var part1133 = match("MESSAGE#664:00048:01/0", "nwparser.payload", "Route %{p0}"); - - var part1134 = match("MESSAGE#664:00048:01/1_0", "nwparser.p0", "map entry %{p0}"); - - var part1135 = match("MESSAGE#664:00048:01/1_1", "nwparser.p0", "entry %{p0}"); - - var select255 = linear_select([ - part1134, - part1135, - ]); - - var part1136 = match("MESSAGE#664:00048:01/2", "nwparser.p0", "with sequence number %{fld2->} in route map binck-ospf%{p0}"); - - var part1137 = match("MESSAGE#664:00048:01/3_0", "nwparser.p0", " in %{p0}"); - - var select256 = linear_select([ - part1137, - dup105, - ]); - - var part1138 = match("MESSAGE#664:00048:01/4", "nwparser.p0", "virtual router %{node->} was %{disposition->} (%{fld1})"); - - var all233 = all_match({ - processors: [ - part1133, - select255, - part1136, - select256, - part1138, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg674 = msg("00048:01", all233); - - var part1139 = match("MESSAGE#665:00048:02", "nwparser.payload", "%{space}set match interface %{interface->} (%{fld1})", processor_chain([ - dup209, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg675 = msg("00048:02", part1139); - - var select257 = linear_select([ - msg673, - msg674, - msg675, - ]); - - var part1140 = match("MESSAGE#666:00049", "nwparser.payload", "Route-lookup preference changed to %{fld8->} (%{fld2}) => %{fld3->} (%{fld4}) => %{fld5->} (%{fld6}) in virtual router (%{node})", processor_chain([ - 
dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg676 = msg("00049", part1140); - - var part1141 = match("MESSAGE#667:00049:01", "nwparser.payload", "SIBR routing %{disposition->} in virtual router %{node}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg677 = msg("00049:01", part1141); - - var part1142 = match("MESSAGE#668:00049:02", "nwparser.payload", "A virtual router with name %{node->} and ID %{fld2->} has been removed", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg678 = msg("00049:02", part1142); - - var part1143 = match("MESSAGE#669:00049:03", "nwparser.payload", "The router-id of virtual router \"%{node}\" used by OSPF, BGP routing instances id has been uninitialized. (%{fld1})", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg679 = msg("00049:03", part1143); - - var part1144 = match("MESSAGE#670:00049:04", "nwparser.payload", "The system default-route through virtual router \"%{node}\" has been added in virtual router \"%{fld4}\" (%{fld1})", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg680 = msg("00049:04", part1144); - - var part1145 = match("MESSAGE#671:00049:05", "nwparser.payload", "Subnetwork conflict checking for interfaces in virtual router (%{node}) has been enabled. 
(%{fld1})", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg681 = msg("00049:05", part1145); - - var select258 = linear_select([ - msg676, - msg677, - msg678, - msg679, - msg680, - msg681, - ]); - - var part1146 = match("MESSAGE#672:00050", "nwparser.payload", "Track IP enabled (%{fld1})", processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg682 = msg("00050", part1146); - - var part1147 = match("MESSAGE#673:00051", "nwparser.payload", "Session utilization has reached %{fld2}, which is %{fld3->} of the system capacity!", processor_chain([ - dup117, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg683 = msg("00051", part1147); - - var part1148 = match("MESSAGE#674:00052", "nwparser.payload", "AV: Suspicious client %{saddr}:%{sport}->%{daddr}:%{dport->} used %{fld2->} percent of AV resources, which exceeded the max of %{fld3->} percent.", processor_chain([ - dup117, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg684 = msg("00052", part1148); - - var part1149 = match("MESSAGE#675:00055/1_1", "nwparser.p0", "router %{p0}"); - - var select259 = linear_select([ - dup169, - part1149, - ]); - - var part1150 = match("MESSAGE#675:00055/2", "nwparser.p0", "instance was %{disposition->} on interface %{interface}."); - - var all234 = all_match({ - processors: [ - dup258, - select259, - part1150, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg685 = msg("00055", all234); - - var part1151 = match("MESSAGE#676:00055:01/1_0", "nwparser.p0", "proxy %{p0}"); - - var part1152 = match("MESSAGE#676:00055:01/1_1", "nwparser.p0", "function %{p0}"); - - var select260 = linear_select([ - part1151, - part1152, - ]); - - var part1153 = match("MESSAGE#676:00055:01/2", "nwparser.p0", "was %{disposition->} on interface %{interface}."); - - var all235 = all_match({ - processors: [ - dup258, - select260, - part1153, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, 
- dup5, - ]), - }); - - var msg686 = msg("00055:01", all235); - - var part1154 = match("MESSAGE#677:00055:02/2", "nwparser.p0", "same subnet check on interface %{interface}."); - - var all236 = all_match({ - processors: [ - dup259, - dup389, - part1154, - ], - on_success: processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg687 = msg("00055:02", all236); - - var part1155 = match("MESSAGE#678:00055:03/2", "nwparser.p0", "router alert IP option check on interface %{interface}."); - - var all237 = all_match({ - processors: [ - dup259, - dup389, - part1155, - ], - on_success: processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg688 = msg("00055:03", all237); - - var part1156 = match("MESSAGE#679:00055:04", "nwparser.payload", "IGMP version was changed to %{version->} on interface %{interface}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg689 = msg("00055:04", part1156); - - var part1157 = match("MESSAGE#680:00055:05/0", "nwparser.payload", "IGMP query %{p0}"); - - var part1158 = match("MESSAGE#680:00055:05/1_1", "nwparser.p0", "max response time %{p0}"); - - var select261 = linear_select([ - dup110, - part1158, - ]); - - var part1159 = match("MESSAGE#680:00055:05/2", "nwparser.p0", "was changed to %{fld2->} on interface %{interface}"); - - var all238 = all_match({ - processors: [ - part1157, - select261, - part1159, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg690 = msg("00055:05", all238); - - var part1160 = match("MESSAGE#681:00055:06/0", "nwparser.payload", "IGMP l%{p0}"); - - var part1161 = match("MESSAGE#681:00055:06/1_0", "nwparser.p0", "eave %{p0}"); - - var part1162 = match("MESSAGE#681:00055:06/1_1", "nwparser.p0", "ast member query %{p0}"); - - var select262 = linear_select([ - part1161, - part1162, - ]); - - var part1163 = match("MESSAGE#681:00055:06/2", "nwparser.p0", "interval was changed to %{fld2->} on interface 
%{interface}."); - - var all239 = all_match({ - processors: [ - part1160, - select262, - part1163, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg691 = msg("00055:06", all239); - - var part1164 = match("MESSAGE#682:00055:07/1_0", "nwparser.p0", "routers %{p0}"); - - var part1165 = match("MESSAGE#682:00055:07/1_1", "nwparser.p0", "hosts %{p0}"); - - var part1166 = match("MESSAGE#682:00055:07/1_2", "nwparser.p0", "groups %{p0}"); - - var select263 = linear_select([ - part1164, - part1165, - part1166, - ]); - - var part1167 = match("MESSAGE#682:00055:07/2", "nwparser.p0", "accept list ID was changed to %{fld2->} on interface %{interface}."); - - var all240 = all_match({ - processors: [ - dup258, - select263, - part1167, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg692 = msg("00055:07", all240); - - var part1168 = match("MESSAGE#683:00055:08/1_0", "nwparser.p0", "all groups %{p0}"); - - var part1169 = match("MESSAGE#683:00055:08/1_1", "nwparser.p0", "group %{p0}"); - - var select264 = linear_select([ - part1168, - part1169, - ]); - - var part1170 = match("MESSAGE#683:00055:08/2", "nwparser.p0", "%{group->} static flag was %{disposition->} on interface %{interface}."); - - var all241 = all_match({ - processors: [ - dup258, - select264, - part1170, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg693 = msg("00055:08", all241); - - var part1171 = match("MESSAGE#684:00055:09", "nwparser.payload", "IGMP static group %{group->} was added on interface %{interface}", processor_chain([ - dup209, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg694 = msg("00055:09", part1171); - - var part1172 = match("MESSAGE#685:00055:10", "nwparser.payload", "IGMP proxy always is %{disposition->} on interface %{interface}.", processor_chain([ - dup209, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg695 = msg("00055:10", part1172); - 
- var select265 = linear_select([ - msg685, - msg686, - msg687, - msg688, - msg689, - msg690, - msg691, - msg692, - msg693, - msg694, - msg695, - ]); - - var part1173 = match("MESSAGE#686:00056", "nwparser.payload", "Remove multicast policy from %{src_zone->} %{saddr->} to %{dst_zone->} %{daddr}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg696 = msg("00056", part1173); - - var part1174 = match("MESSAGE#687:00057", "nwparser.payload", "%{fld2}: static multicast route src=%{saddr}, grp=%{group->} input ifp = %{sinterface->} output ifp = %{dinterface->} added", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg697 = msg("00057", part1174); - - var part1175 = match("MESSAGE#688:00058", "nwparser.payload", "PIMSM protocol configured on interface %{interface}", processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg698 = msg("00058", part1175); - - var part1176 = match("MESSAGE#689:00059/0", "nwparser.payload", "DDNS module is %{p0}"); - - var part1177 = match("MESSAGE#689:00059/1_0", "nwparser.p0", "initialized %{p0}"); - - var select266 = linear_select([ - part1177, - dup262, - dup157, - dup156, - ]); - - var all242 = all_match({ - processors: [ - part1176, - select266, - dup116, - ], - on_success: processor_chain([ - dup209, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg699 = msg("00059", all242); - - var part1178 = match("MESSAGE#690:00059:02/0", "nwparser.payload", "DDNS entry with id %{fld2->} is configured with server type \"%{fld3}\" name \"%{hostname}\" refresh-interval %{fld5->} hours minimum update interval %{fld6->} minutes with %{p0}"); - - var part1179 = match("MESSAGE#690:00059:02/1_0", "nwparser.p0", "secure %{p0}"); - - var part1180 = match("MESSAGE#690:00059:02/1_1", "nwparser.p0", "clear-text %{p0}"); - - var select267 = linear_select([ - part1179, - part1180, - ]); - - var part1181 = match("MESSAGE#690:00059:02/2", "nwparser.p0", "secure connection.%{}"); - - var 
all243 = all_match({ - processors: [ - part1178, - select267, - part1181, - ], - on_success: processor_chain([ - dup209, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg700 = msg("00059:02", all243); - - var part1182 = match("MESSAGE#691:00059:03", "nwparser.payload", "DDNS entry with id %{fld2->} is configured with user name \"%{username}\" agent \"%{fld3}\"", processor_chain([ - dup209, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg701 = msg("00059:03", part1182); - - var part1183 = match("MESSAGE#692:00059:04", "nwparser.payload", "DDNS entry with id %{fld2->} is configured with interface \"%{interface}\" host-name \"%{hostname}\"", processor_chain([ - dup209, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg702 = msg("00059:04", part1183); - - var part1184 = match("MESSAGE#693:00059:05/0_0", "nwparser.payload", "Hostname %{p0}"); - - var part1185 = match("MESSAGE#693:00059:05/0_1", "nwparser.payload", "Source interface %{p0}"); - - var part1186 = match("MESSAGE#693:00059:05/0_2", "nwparser.payload", "Username and password %{p0}"); - - var part1187 = match("MESSAGE#693:00059:05/0_3", "nwparser.payload", "Server %{p0}"); - - var select268 = linear_select([ - part1184, - part1185, - part1186, - part1187, - ]); - - var part1188 = match("MESSAGE#693:00059:05/1", "nwparser.p0", "of DDNS entry with id %{fld2->} is cleared."); - - var all244 = all_match({ - processors: [ - select268, - part1188, - ], - on_success: processor_chain([ - dup209, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg703 = msg("00059:05", all244); - - var part1189 = match("MESSAGE#694:00059:06", "nwparser.payload", "Agent of DDNS entry with id %{fld2->} is reset to its default value.", processor_chain([ - dup209, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg704 = msg("00059:06", part1189); - - var part1190 = match("MESSAGE#695:00059:07", "nwparser.payload", "Updates for DDNS entry with id %{fld2->} are set to be sent in secure (%{protocol}) mode.", processor_chain([ - 
dup209, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg705 = msg("00059:07", part1190); - - var part1191 = match("MESSAGE#696:00059:08/0_0", "nwparser.payload", "Refresh %{p0}"); - - var part1192 = match("MESSAGE#696:00059:08/0_1", "nwparser.payload", "Minimum update %{p0}"); - - var select269 = linear_select([ - part1191, - part1192, - ]); - - var part1193 = match("MESSAGE#696:00059:08/1", "nwparser.p0", "interval of DDNS entry with id %{fld2->} is set to default value (%{fld3})."); - - var all245 = all_match({ - processors: [ - select269, - part1193, - ], - on_success: processor_chain([ - dup209, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg706 = msg("00059:08", all245); - - var part1194 = match("MESSAGE#697:00059:09/1_0", "nwparser.p0", "No-Change %{p0}"); - - var part1195 = match("MESSAGE#697:00059:09/1_1", "nwparser.p0", "Error %{p0}"); - - var select270 = linear_select([ - part1194, - part1195, - ]); - - var part1196 = match("MESSAGE#697:00059:09/2", "nwparser.p0", "response received for DDNS entry update for id %{fld2->} user \"%{username}\" domain \"%{domain}\" server type \" d%{p0}"); - - var part1197 = match("MESSAGE#697:00059:09/3_1", "nwparser.p0", "yndns %{p0}"); - - var select271 = linear_select([ - dup261, - part1197, - ]); - - var part1198 = match("MESSAGE#697:00059:09/4", "nwparser.p0", "\", server name \"%{hostname}\""); - - var all246 = all_match({ - processors: [ - dup160, - select270, - part1196, - select271, - part1198, - ], - on_success: processor_chain([ - dup209, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg707 = msg("00059:09", all246); - - var part1199 = match("MESSAGE#698:00059:01", "nwparser.payload", "DDNS entry with id %{fld2->} is %{disposition}.", processor_chain([ - dup209, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg708 = msg("00059:01", part1199); - - var select272 = linear_select([ - msg699, - msg700, - msg701, - msg702, - msg703, - msg704, - msg705, - msg706, - msg707, - msg708, - ]); - - var 
part1200 = match("MESSAGE#699:00062:01", "nwparser.payload", "Track IP IP address %{hostip->} failed. (%{event_time_string})", processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - setc("event_description","Track IP failed"), - ])); - - var msg709 = msg("00062:01", part1200); - - var part1201 = match("MESSAGE#700:00062:02", "nwparser.payload", "Track IP failure reached threshold. (%{event_time_string})", processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - setc("event_description","Track IP failure reached threshold"), - ])); - - var msg710 = msg("00062:02", part1201); - - var part1202 = match("MESSAGE#701:00062:03", "nwparser.payload", "Track IP IP address %{hostip->} succeeded. (%{event_time_string})", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - setc("event_description","Track IP succeeded"), - ])); - - var msg711 = msg("00062:03", part1202); - - var part1203 = match("MESSAGE#702:00062", "nwparser.payload", "HA linkdown%{}", processor_chain([ - dup86, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg712 = msg("00062", part1203); - - var select273 = linear_select([ - msg709, - msg710, - msg711, - msg712, - ]); - - var part1204 = match("MESSAGE#703:00063", "nwparser.payload", "nsrp track-ip ip %{hostip->} %{disposition}!", processor_chain([ - dup86, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg713 = msg("00063", part1204); - - var part1205 = match("MESSAGE#704:00064", "nwparser.payload", "Can not create track-ip list%{}", processor_chain([ - dup86, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg714 = msg("00064", part1205); - - var part1206 = match("MESSAGE#705:00064:01", "nwparser.payload", "track ip fail reaches threshold system may fail over!%{}", processor_chain([ - dup86, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg715 = msg("00064:01", part1206); - - var part1207 = match("MESSAGE#706:00064:02", "nwparser.payload", "Anti-Spam is detached from policy ID %{policy_id}. 
(%{fld1})", processor_chain([ - dup17, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg716 = msg("00064:02", part1207); - - var select274 = linear_select([ - msg714, - msg715, - msg716, - ]); - - var msg717 = msg("00070", dup411); - - var part1208 = match("MESSAGE#708:00070:01/2", "nwparser.p0", "%{}Device group %{group->} changed state from %{fld3->} to %{p0}"); - - var part1209 = match("MESSAGE#708:00070:01/3_0", "nwparser.p0", "Init%{}"); - - var part1210 = match("MESSAGE#708:00070:01/3_1", "nwparser.p0", "init. (%{fld1})"); - - var select275 = linear_select([ - part1209, - part1210, - ]); - - var all247 = all_match({ - processors: [ - dup267, - dup391, - part1208, - select275, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg718 = msg("00070:01", all247); - - var part1211 = match("MESSAGE#709:00070:02", "nwparser.payload", "NSRP: nsrp control channel change to %{interface}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg719 = msg("00070:02", part1211); - - var select276 = linear_select([ - msg717, - msg718, - msg719, - ]); - - var msg720 = msg("00071", dup411); - - var part1212 = match("MESSAGE#711:00071:01", "nwparser.payload", "The local device %{fld1->} in the Virtual Security Device group %{group->} changed state", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg721 = msg("00071:01", part1212); - - var select277 = linear_select([ - msg720, - msg721, - ]); - - var msg722 = msg("00072", dup411); - - var msg723 = msg("00072:01", dup412); - - var select278 = linear_select([ - msg722, - msg723, - ]); - - var msg724 = msg("00073", dup411); - - var msg725 = msg("00073:01", dup412); - - var select279 = linear_select([ - msg724, - msg725, - ]); - - var msg726 = msg("00074", dup392); - - var all248 = all_match({ - processors: [ - dup263, - dup390, - dup271, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - 
}); - - var msg727 = msg("00075", all248); - - var part1213 = match("MESSAGE#718:00075:02", "nwparser.payload", "The local device %{hardware_id->} in the Virtual Security Device group %{group->} changed state from %{event_state->} to inoperable. (%{fld1})", processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - setc("event_description","local device in the Virtual Security Device group changed state to inoperable"), - ])); - - var msg728 = msg("00075:02", part1213); - - var part1214 = match("MESSAGE#719:00075:01", "nwparser.payload", "The local device %{hardware_id->} in the Virtual Security Device group %{group->} %{info}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg729 = msg("00075:01", part1214); - - var select280 = linear_select([ - msg727, - msg728, - msg729, - ]); - - var msg730 = msg("00076", dup392); - - var part1215 = match("MESSAGE#721:00076:01/2", "nwparser.p0", "%{fld2->} of VSD group %{group->} send 2nd path request to unit=%{fld3}"); - - var all249 = all_match({ - processors: [ - dup263, - dup390, - part1215, - ], - on_success: processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg731 = msg("00076:01", all249); - - var select281 = linear_select([ - msg730, - msg731, - ]); - - var part1216 = match("MESSAGE#722:00077", "nwparser.payload", "HA link disconnect. 
Begin to use second path of HA%{}", processor_chain([ - dup144, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg732 = msg("00077", part1216); - - var all250 = all_match({ - processors: [ - dup263, - dup390, - dup271, - ], - on_success: processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg733 = msg("00077:01", all250); - - var part1217 = match("MESSAGE#724:00077:02", "nwparser.payload", "The local device %{fld2->} in the Virtual Security Device group %{group}", processor_chain([ - setc("eventcategory","1607000000"), - dup2, - dup3, - dup4, - dup5, - ])); - - var msg734 = msg("00077:02", part1217); - - var select282 = linear_select([ - msg732, - msg733, - msg734, - ]); - - var part1218 = match("MESSAGE#725:00084", "nwparser.payload", "RTSYNC: NSRP route synchronization is %{disposition}", processor_chain([ - dup272, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg735 = msg("00084", part1218); - - var part1219 = match("MESSAGE#726:00090/0_0", "nwparser.payload", "Failover %{p0}"); - - var part1220 = match("MESSAGE#726:00090/0_1", "nwparser.payload", "Recovery %{p0}"); - - var select283 = linear_select([ - part1219, - part1220, - ]); - - var part1221 = match("MESSAGE#726:00090/3", "nwparser.p0", "untrust interface occurred.%{}"); - - var all251 = all_match({ - processors: [ - select283, - dup103, - dup369, - part1221, - ], - on_success: processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg736 = msg("00090", all251); - - var part1222 = match("MESSAGE#727:00200", "nwparser.payload", "A new route cannot be added to the device because the maximum number of system route entries %{fld2->} has been exceeded", processor_chain([ - dup117, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg737 = msg("00200", part1222); - - var part1223 = match("MESSAGE#728:00201", "nwparser.payload", "A route %{hostip}/%{fld2->} cannot be added to the virtual router %{node->} because the number of route entries in the virtual router 
exceeds the maximum number of routes %{fld3->} allowed", processor_chain([ - dup117, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg738 = msg("00201", part1223); - - var part1224 = match("MESSAGE#729:00202", "nwparser.payload", "%{fld2->} hello-packet flood from neighbor (ip = %{hostip->} router-id = %{fld3}) on interface %{interface->} packet is dropped", processor_chain([ - dup272, - dup2, - dup4, - dup5, - dup3, - ])); - - var msg739 = msg("00202", part1224); - - var part1225 = match("MESSAGE#730:00203", "nwparser.payload", "%{fld2->} lsa flood on interface %{interface->} has dropped a packet.", processor_chain([ - dup272, - dup2, - dup4, - dup5, - dup3, - ])); - - var msg740 = msg("00203", part1225); - - var part1226 = match("MESSAGE#731:00206/0", "nwparser.payload", "The total number of redistributed routes into %{p0}"); - - var part1227 = match("MESSAGE#731:00206/1_0", "nwparser.p0", "BGP %{p0}"); - - var part1228 = match("MESSAGE#731:00206/1_1", "nwparser.p0", "OSPF %{p0}"); - - var select284 = linear_select([ - part1227, - part1228, - ]); - - var part1229 = match("MESSAGE#731:00206/2", "nwparser.p0", "in vrouter %{node->} exceeded system limit (%{fld2})"); - - var all252 = all_match({ - processors: [ - part1226, - select284, - part1229, - ], - on_success: processor_chain([ - dup272, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg741 = msg("00206", all252); - - var part1230 = match("MESSAGE#732:00206:01/0", "nwparser.payload", "LSA flood in OSPF with router-id %{fld2->} on %{p0}"); - - var part1231 = match("MESSAGE#732:00206:01/2", "nwparser.p0", "%{interface->} forced the interface to drop a packet."); - - var all253 = all_match({ - processors: [ - part1230, - dup352, - part1231, - ], - on_success: processor_chain([ - dup273, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg742 = msg("00206:01", all253); - - var part1232 = match("MESSAGE#733:00206:02/0", "nwparser.payload", "OSPF instance with router-id %{fld3->} received a Hello packet 
flood from neighbor (IP address %{hostip}, router ID %{fld2}) on %{p0}"); - - var part1233 = match("MESSAGE#733:00206:02/2", "nwparser.p0", "%{interface->} forcing the interface to drop the packet."); - - var all254 = all_match({ - processors: [ - part1232, - dup352, - part1233, - ], - on_success: processor_chain([ - dup273, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg743 = msg("00206:02", all254); - - var part1234 = match("MESSAGE#734:00206:03", "nwparser.payload", "Link State Advertisement Id %{fld2}, router ID %{fld3}, type %{fld4->} cannot be deleted from the real-time database in area %{fld5}", processor_chain([ - dup273, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg744 = msg("00206:03", part1234); - - var part1235 = match("MESSAGE#735:00206:04", "nwparser.payload", "Reject second OSPF neighbor (%{fld2}) on interface (%{interface}) since it_s configured as point-to-point interface", processor_chain([ - dup273, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg745 = msg("00206:04", part1235); - - var select285 = linear_select([ - msg741, - msg742, - msg743, - msg744, - msg745, - ]); - - var part1236 = match("MESSAGE#736:00207", "nwparser.payload", "System wide RIP route limit exceeded, RIP route dropped.%{}", processor_chain([ - dup273, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg746 = msg("00207", part1236); - - var part1237 = match("MESSAGE#737:00207:01", "nwparser.payload", "%{fld2->} RIP routes dropped from last system wide RIP route limit exceed.", processor_chain([ - dup273, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg747 = msg("00207:01", part1237); - - var part1238 = match("MESSAGE#738:00207:02", "nwparser.payload", "RIP database size limit exceeded for %{fld2}, RIP route dropped.", processor_chain([ - dup273, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg748 = msg("00207:02", part1238); - - var part1239 = match("MESSAGE#739:00207:03", "nwparser.payload", "%{fld2->} RIP routes dropped from the last database size exceed in 
vr %{fld3}.", processor_chain([ - dup273, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg749 = msg("00207:03", part1239); - - var select286 = linear_select([ - msg746, - msg747, - msg748, - msg749, - ]); - - var part1240 = match("MESSAGE#740:00257", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} direction=outgoing action=Deny sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport->} translated ip=%{stransaddr->} port=%{stransport}", processor_chain([ - dup185, - dup2, - dup4, - dup5, - dup3, - dup274, - dup275, - dup61, - dup276, - dup277, - dup278, - ])); - - var msg750 = msg("00257", part1240); - - var part1241 = match("MESSAGE#741:00257:14", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} direction=incoming action=Deny sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport->} translated ip=%{dtransaddr->} port=%{dtransport}", processor_chain([ - dup185, - dup2, - dup4, - dup5, - dup3, - dup274, - dup275, - dup279, - dup276, - dup277, - dup280, - ])); - - var msg751 = msg("00257:14", part1241); - - var part1242 = match("MESSAGE#742:00257:01", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} direction=outgoing action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport->} translated ip=%{stransaddr->} port=%{stransport}", processor_chain([ - dup281, - dup2, - dup4, - dup5, - dup3, - dup274, - dup275, - dup61, - dup282, - dup278, - ])); - - var msg752 = msg("00257:01", part1242); - - var part1243 = match("MESSAGE#743:00257:15", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} 
direction=incoming action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport->} translated ip=%{dtransaddr->} port=%{dtransport}", processor_chain([ - dup281, - dup2, - dup4, - dup5, - dup3, - dup274, - dup275, - dup279, - dup282, - dup280, - ])); - - var msg753 = msg("00257:15", part1243); - - var part1244 = match("MESSAGE#744:00257:02", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} direction=%{direction->} action=Deny sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport}", processor_chain([ - dup185, - dup2, - dup4, - dup5, - dup3, - dup274, - dup275, - dup61, - dup276, - dup277, - ])); - - var msg754 = msg("00257:02", part1244); - - var part1245 = match("MESSAGE#745:00257:03", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} direction=%{direction->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport}", processor_chain([ - dup281, - dup2, - dup4, - dup5, - dup3, - dup274, - dup275, - dup61, - dup282, - ])); - - var msg755 = msg("00257:03", part1245); - - var part1246 = match("MESSAGE#746:00257:04", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=Deny sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport->} src-xlated ip=%{stransaddr->} port=%{stransport}", processor_chain([ - dup185, - dup2, - dup4, - dup5, - dup3, - dup274, - dup275, - dup61, - dup276, - dup277, - ])); - - var msg756 = msg("00257:04", part1246); - - var part1247 = match("MESSAGE#747:00257:05", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} 
policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport->} src-xlated ip=%{stransaddr->} port=%{stransport->} dst-xlated ip=%{dtransaddr->} port=%{dtransport->} session_id=%{sessionid->} reason=%{result}", processor_chain([ - dup281, - dup2, - dup4, - dup5, - dup3, - dup274, - dup275, - dup61, - dup282, - ])); - - var msg757 = msg("00257:05", part1247); - - var part1248 = match("MESSAGE#748:00257:19/2", "nwparser.p0", "%{}duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} icmp type=%{icmptype->} icmp code=%{icmpcode->} src-xlated ip=%{stransaddr->} dst-xlated ip=%{dtransaddr->} session_id=%{sessionid->} reason=%{result}"); - - var all255 = all_match({ - processors: [ - dup283, - dup393, - part1248, - ], - on_success: processor_chain([ - dup281, - dup2, - dup4, - dup5, - dup3, - dup274, - dup275, - dup60, - dup282, - ]), - }); - - var msg758 = msg("00257:19", all255); - - var part1249 = match("MESSAGE#749:00257:16/2", "nwparser.p0", "%{}duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} icmp type=%{icmptype->} src-xlated ip=%{stransaddr->} dst-xlated ip=%{dtransaddr->} session_id=%{sessionid}"); - - var all256 = all_match({ - processors: [ - dup283, - dup393, - part1249, - ], - on_success: processor_chain([ - dup281, - dup2, - dup4, - dup5, - dup3, - dup274, - dup275, - dup60, - dup282, - ]), - }); - - var msg759 = msg("00257:16", all256); - - var part1250 = match("MESSAGE#750:00257:17/2", "nwparser.p0", "%{}duration=%{duration->} 
policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport->} src-xlated ip=%{stransaddr->} port=%{stransport->} dst-xlated ip=%{dtransaddr->} port=%{dtransport->} session_id=%{sessionid}"); - - var all257 = all_match({ - processors: [ - dup283, - dup393, - part1250, - ], - on_success: processor_chain([ - dup281, - dup2, - dup4, - dup5, - dup3, - dup274, - dup275, - dup61, - dup282, - ]), - }); - - var msg760 = msg("00257:17", all257); - - var part1251 = match("MESSAGE#751:00257:18/2", "nwparser.p0", "%{}duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport->} src-xlated ip=%{stransaddr->} port=%{stransport->} session_id=%{sessionid}"); - - var all258 = all_match({ - processors: [ - dup283, - dup393, - part1251, - ], - on_success: processor_chain([ - dup281, - dup2, - dup4, - dup5, - dup3, - dup274, - dup275, - dup61, - dup282, - ]), - }); - - var msg761 = msg("00257:18", all258); - - var part1252 = match("MESSAGE#752:00257:06/0", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=Deny sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{p0}"); - - var part1253 = match("MESSAGE#752:00257:06/1_0", "nwparser.p0", "%{dport->} session_id=%{sessionid}"); - - var part1254 = match_copy("MESSAGE#752:00257:06/1_1", "nwparser.p0", "dport"); - - var select287 = linear_select([ - part1253, - part1254, - ]); - - var all259 = all_match({ - processors: [ - part1252, - select287, - ], - on_success: processor_chain([ - dup185, - 
dup2, - dup4, - dup5, - dup3, - dup274, - dup275, - dup61, - dup276, - dup277, - ]), - }); - - var msg762 = msg("00257:06", all259); - - var part1255 = match("MESSAGE#753:00257:07", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport}", processor_chain([ - dup281, - dup2, - dup4, - dup5, - dup3, - dup274, - dup275, - dup61, - dup282, - ])); - - var msg763 = msg("00257:07", part1255); - - var part1256 = match("MESSAGE#754:00257:08", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=Deny sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} tcp=%{icmptype}", processor_chain([ - dup185, - dup2, - dup4, - dup5, - dup3, - dup274, - dup275, - dup60, - dup276, - dup277, - ])); - - var msg764 = msg("00257:08", part1256); - - var part1257 = match("MESSAGE#755:00257:09/0", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} icmp type=%{p0}"); - - var part1258 = match("MESSAGE#755:00257:09/1_0", "nwparser.p0", "%{icmptype->} icmp code=%{icmpcode->} session_id=%{sessionid->} reason=%{result}"); - - var part1259 = match("MESSAGE#755:00257:09/1_1", "nwparser.p0", "%{icmptype->} session_id=%{sessionid}"); - - var part1260 = match_copy("MESSAGE#755:00257:09/1_2", "nwparser.p0", "icmptype"); - - var select288 = linear_select([ - part1258, - part1259, - part1260, - ]); - - var all260 = all_match({ - processors: [ - part1257, - select288, - ], - on_success: processor_chain([ - 
dup281, - dup2, - dup4, - dup5, - dup3, - dup274, - dup275, - dup60, - dup282, - ]), - }); - - var msg765 = msg("00257:09", all260); - - var part1261 = match("MESSAGE#756:00257:10/0", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=Deny sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{p0}"); - - var part1262 = match("MESSAGE#756:00257:10/1_0", "nwparser.p0", "%{daddr->} session_id=%{sessionid}"); - - var select289 = linear_select([ - part1262, - dup286, - ]); - - var all261 = all_match({ - processors: [ - part1261, - select289, - ], - on_success: processor_chain([ - dup185, - dup2, - dup4, - dup5, - dup3, - dup274, - dup275, - dup60, - dup276, - dup277, - ]), - }); - - var msg766 = msg("00257:10", all261); - - var part1263 = match("MESSAGE#757:00257:11/0", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{p0}"); - - var part1264 = match("MESSAGE#757:00257:11/1_0", "nwparser.p0", "%{daddr->} session_id=%{sessionid->} reason=%{result}"); - - var select290 = linear_select([ - part1264, - dup286, - ]); - - var all262 = all_match({ - processors: [ - part1263, - select290, - ], - on_success: processor_chain([ - dup281, - dup2, - dup4, - dup5, - dup3, - dup274, - dup275, - dup60, - dup282, - ]), - }); - - var msg767 = msg("00257:11", all262); - - var part1265 = match("MESSAGE#758:00257:12", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} type=%{fld3}", processor_chain([ - dup281, - dup2, - dup4, - dup5, - dup3, - dup274, - 
dup275, - dup60, - dup282, - ])); - - var msg768 = msg("00257:12", part1265); - - var part1266 = match("MESSAGE#759:00257:13", "nwparser.payload", "start_time=\"%{fld2}", processor_chain([ - dup281, - dup2, - dup3, - dup274, - dup4, - dup5, - ])); - - var msg769 = msg("00257:13", part1266); - - var select291 = linear_select([ - msg750, - msg751, - msg752, - msg753, - msg754, - msg755, - msg756, - msg757, - msg758, - msg759, - msg760, - msg761, - msg762, - msg763, - msg764, - msg765, - msg766, - msg767, - msg768, - msg769, - ]); - - var part1267 = match("MESSAGE#760:00259/1", "nwparser.p0", "user %{username->} has logged on via %{p0}"); - - var part1268 = match("MESSAGE#760:00259/2_0", "nwparser.p0", "the console %{p0}"); - - var select292 = linear_select([ - part1268, - dup289, - dup241, - ]); - - var part1269 = match("MESSAGE#760:00259/3", "nwparser.p0", "from %{saddr}:%{sport}"); - - var all263 = all_match({ - processors: [ - dup394, - part1267, - select292, - part1269, - ], - on_success: processor_chain([ - dup28, - dup29, - dup30, - dup31, - dup32, - dup2, - dup4, - dup5, - dup3, - ]), - }); - - var msg770 = msg("00259", all263); - - var part1270 = match("MESSAGE#761:00259:07/1", "nwparser.p0", "user %{administrator->} has logged out via %{logon_type->} from %{saddr}:%{sport}"); - - var all264 = all_match({ - processors: [ - dup394, - part1270, - ], - on_success: processor_chain([ - dup33, - dup29, - dup34, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg771 = msg("00259:07", all264); - - var part1271 = match("MESSAGE#762:00259:01", "nwparser.payload", "Management session via %{logon_type->} from %{saddr}:%{sport->} for [vsys] admin %{administrator->} has timed out", processor_chain([ - dup290, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg772 = msg("00259:01", part1271); - - var part1272 = match("MESSAGE#763:00259:02", "nwparser.payload", "Management session via %{logon_type->} for [ vsys ] admin %{administrator->} has timed out", processor_chain([ 
- dup290, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg773 = msg("00259:02", part1272); - - var part1273 = match("MESSAGE#764:00259:03", "nwparser.payload", "Login attempt to system by admin %{administrator->} via the %{logon_type->} has failed", processor_chain([ - dup206, - dup29, - dup30, - dup31, - dup54, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg774 = msg("00259:03", part1273); - - var part1274 = match("MESSAGE#765:00259:04", "nwparser.payload", "Login attempt to system by admin %{administrator->} via %{logon_type->} from %{saddr}:%{sport->} has failed", processor_chain([ - dup206, - dup29, - dup30, - dup31, - dup54, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg775 = msg("00259:04", part1274); - - var part1275 = match("MESSAGE#766:00259:05/0", "nwparser.payload", "Admin user %{administrator->} has been forced to log out of the %{p0}"); - - var part1276 = match("MESSAGE#766:00259:05/1_2", "nwparser.p0", "Web %{p0}"); - - var select293 = linear_select([ - dup241, - dup289, - part1276, - ]); - - var part1277 = match("MESSAGE#766:00259:05/2", "nwparser.p0", "session on host %{daddr}:%{dport}"); - - var all265 = all_match({ - processors: [ - part1275, - select293, - part1277, - ], - on_success: processor_chain([ - dup290, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg776 = msg("00259:05", all265); - - var part1278 = match("MESSAGE#767:00259:06", "nwparser.payload", "Admin user %{administrator->} has been forced to log out of the serial console session.", processor_chain([ - dup290, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg777 = msg("00259:06", part1278); - - var select294 = linear_select([ - msg770, - msg771, - msg772, - msg773, - msg774, - msg775, - msg776, - msg777, - ]); - - var part1279 = match("MESSAGE#768:00262", "nwparser.payload", "Admin user %{administrator->} has been rejected via the %{logon_type->} server at %{hostip}", processor_chain([ - dup290, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg778 = msg("00262", 
part1279); - - var part1280 = match("MESSAGE#769:00263", "nwparser.payload", "Admin user %{administrator->} has been accepted via the %{logon_type->} server at %{hostip}", processor_chain([ - setc("eventcategory","1401050100"), - dup2, - dup3, - dup4, - dup5, - ])); - - var msg779 = msg("00263", part1280); - - var part1281 = match("MESSAGE#770:00400/0_0", "nwparser.payload", "ActiveX control %{p0}"); - - var part1282 = match("MESSAGE#770:00400/0_1", "nwparser.payload", "JAVA applet %{p0}"); - - var part1283 = match("MESSAGE#770:00400/0_2", "nwparser.payload", "EXE file %{p0}"); - - var part1284 = match("MESSAGE#770:00400/0_3", "nwparser.payload", "ZIP file %{p0}"); - - var select295 = linear_select([ - part1281, - part1282, - part1283, - part1284, - ]); - - var part1285 = match("MESSAGE#770:00400/1", "nwparser.p0", "has been detected! From %{saddr}:%{sport->} to %{daddr}:%{dport->} using protocol %{protocol->} and arriving at interface %{dinterface->} in zone %{dst_zone}. %{info}"); - - var all266 = all_match({ - processors: [ - select295, - part1285, - ], - on_success: processor_chain([ - setc("eventcategory","1003000000"), - dup2, - dup4, - dup5, - dup3, - dup61, - ]), - }); - - var msg780 = msg("00400", all266); - - var part1286 = match("MESSAGE#771:00401", "nwparser.payload", "%{signame}! From %{saddr->} to %{daddr}, proto %{protocol->} (zone %{zone}, int %{interface}). %{info}", processor_chain([ - dup85, - dup2, - dup4, - dup5, - dup3, - dup291, - ])); - - var msg781 = msg("00401", part1286); - - var part1287 = match("MESSAGE#772:00402", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to %{daddr}:%{dport}, proto %{protocol->} (zone %{zone}, int %{interface}). 
%{info}", processor_chain([ - dup85, - dup2, - dup4, - dup5, - dup3, - dup292, - ])); - - var msg782 = msg("00402", part1287); - - var part1288 = match("MESSAGE#773:00402:01/0", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to %{daddr}:%{dport}, using protocol %{protocol}, and arriving at %{p0}"); - - var part1289 = match("MESSAGE#773:00402:01/2", "nwparser.p0", "%{} %{interface->} in zone %{zone}. %{info}"); - - var all267 = all_match({ - processors: [ - part1288, - dup337, - part1289, - ], - on_success: processor_chain([ - dup85, - dup2, - dup4, - dup5, - dup3, - dup292, - ]), - }); - - var msg783 = msg("00402:01", all267); - - var select296 = linear_select([ - msg782, - msg783, - ]); - - var part1290 = match("MESSAGE#774:00403", "nwparser.payload", "%{signame}! From %{saddr}:%{sport->} to %{daddr}:%{dport}, proto %{protocol->} (zone %{zone}, int %{interface}). %{info}", processor_chain([ - dup85, - dup2, - dup4, - dup5, - dup3, - dup291, - ])); - - var msg784 = msg("00403", part1290); - - var part1291 = match("MESSAGE#775:00404", "nwparser.payload", "%{signame}! From %{saddr}:%{sport->} to %{daddr}:%{dport}, proto %{protocol->} (zone %{zone}, int %{interface}). %{info}", processor_chain([ - dup147, - dup148, - dup149, - dup150, - dup2, - dup4, - dup5, - dup3, - dup292, - ])); - - var msg785 = msg("00404", part1291); - - var part1292 = match("MESSAGE#776:00405", "nwparser.payload", "%{signame}! From %{saddr->} to %{daddr}, proto %{protocol->} (zone %{zone}, int %{interface}). 
%{info}", processor_chain([ - dup147, - dup2, - dup4, - dup5, - dup3, - dup291, - ])); - - var msg786 = msg("00405", part1292); - - var msg787 = msg("00406", dup413); - - var msg788 = msg("00407", dup413); - - var msg789 = msg("00408", dup413); - - var all268 = all_match({ - processors: [ - dup132, - dup343, - dup293, - ], - on_success: processor_chain([ - dup58, - dup2, - dup59, - dup3, - dup4, - dup5, - dup60, - ]), - }); - - var msg790 = msg("00409", all268); - - var msg791 = msg("00410", dup413); - - var part1293 = match("MESSAGE#782:00410:01", "nwparser.payload", "%{signame->} From %{saddr->} to %{daddr}, using protocol %{protocol}, and arriving at interface %{dinterface->} in zone %{dst_zone}.%{space}The attack occurred %{dclass_counter1->} times.", processor_chain([ - dup58, - dup2, - dup3, - dup59, - dup4, - dup5, - dup60, - ])); - - var msg792 = msg("00410:01", part1293); - - var select297 = linear_select([ - msg791, - msg792, - ]); - - var part1294 = match("MESSAGE#783:00411/0", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to %{daddr}:%{dport}, proto TCP (zone %{zone->} %{p0}"); - - var all269 = all_match({ - processors: [ - part1294, - dup343, - dup293, - ], - on_success: processor_chain([ - dup58, - dup2, - dup59, - dup3, - dup4, - dup5, - dup61, - ]), - }); - - var msg793 = msg("00411", all269); - - var part1295 = match("MESSAGE#784:00413/0", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to %{daddr}:%{dport->} using protocol %{protocol->} and arriving at %{p0}"); - - var part1296 = match("MESSAGE#784:00413/2", "nwparser.p0", "%{} %{interface}.%{space}The attack occurred %{dclass_counter1->} times"); - - var all270 = all_match({ - processors: [ - part1295, - dup337, - part1296, - ], - on_success: processor_chain([ - dup58, - dup2, - dup59, - dup3, - dup4, - dup5, - dup61, - ]), - }); - - var msg794 = msg("00413", all270); - - var part1297 = match("MESSAGE#785:00413:01/0", "nwparser.payload", "%{signame->} From 
%{saddr}:%{sport->} to %{daddr}:%{dport}, proto %{protocol}(zone %{group->} %{p0}"); - - var all271 = all_match({ - processors: [ - part1297, - dup343, - dup83, - ], - on_success: processor_chain([ - dup58, - dup2, - dup59, - dup3, - dup4, - dup5, - dup9, - dup61, - ]), - }); - - var msg795 = msg("00413:01", all271); - - var part1298 = match("MESSAGE#786:00413:02", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to %{daddr}:%{dport}, using protocol %{protocol}, on zone %{zone->} interface %{interface}.The attack occurred %{dclass_counter1->} times. (%{fld1})", processor_chain([ - dup58, - dup2, - dup3, - dup4, - dup59, - dup5, - dup9, - ])); - - var msg796 = msg("00413:02", part1298); - - var select298 = linear_select([ - msg794, - msg795, - msg796, - ]); - - var part1299 = match("MESSAGE#787:00414", "nwparser.payload", "%{signame->} From %{saddr->} to %{daddr}, proto %{protocol->} (zone %{zone}, int %{interface}). Occurred %{dclass_counter1->} times. (%{fld1})", processor_chain([ - dup58, - dup2, - dup59, - dup3, - dup4, - dup5, - dup9, - ])); - - var msg797 = msg("00414", part1299); - - var part1300 = match("MESSAGE#788:00414:01", "nwparser.payload", "%{signame->} From %{saddr->} to %{daddr}, using protocol %{protocol}, on zone %{zone->} interface %{interface}.The attack occurred %{dclass_counter1->} times. 
(%{fld1})", processor_chain([ - dup58, - dup2, - dup3, - dup59, - dup4, - dup5, - dup9, - ])); - - var msg798 = msg("00414:01", part1300); - - var select299 = linear_select([ - msg797, - msg798, - ]); - - var part1301 = match("MESSAGE#789:00415", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to %{daddr}:%{dport->} using protocol %{protocol->} and arriving at interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([ - dup58, - dup2, - dup59, - dup3, - dup4, - dup5, - dup61, - ])); - - var msg799 = msg("00415", part1301); - - var all272 = all_match({ - processors: [ - dup132, - dup343, - dup294, - ], - on_success: processor_chain([ - dup58, - dup2, - dup59, - dup3, - dup4, - dup5, - dup60, - ]), - }); - - var msg800 = msg("00423", all272); - - var all273 = all_match({ - processors: [ - dup80, - dup343, - dup83, - ], - on_success: processor_chain([ - dup58, - dup2, - dup3, - dup9, - dup59, - dup4, - dup5, - dup60, - ]), - }); - - var msg801 = msg("00429", all273); - - var all274 = all_match({ - processors: [ - dup132, - dup343, - dup83, - ], - on_success: processor_chain([ - dup58, - dup2, - dup3, - dup9, - dup59, - dup4, - dup5, - dup60, - ]), - }); - - var msg802 = msg("00429:01", all274); - - var select300 = linear_select([ - msg801, - msg802, - ]); - - var all275 = all_match({ - processors: [ - dup80, - dup343, - dup295, - dup351, - ], - on_success: processor_chain([ - dup85, - dup2, - dup59, - dup3, - dup9, - dup4, - dup5, - dup61, - ]), - }); - - var msg803 = msg("00430", all275); - - var all276 = all_match({ - processors: [ - dup132, - dup343, - dup295, - dup351, - ], - on_success: processor_chain([ - dup85, - dup2, - dup59, - dup3, - dup9, - dup4, - dup5, - dup60, - ]), - }); - - var msg804 = msg("00430:01", all276); - - var select301 = linear_select([ - msg803, - msg804, - ]); - - var msg805 = msg("00431", dup414); - - var msg806 = msg("00432", dup414); - - var msg807 = msg("00433", dup415); - - var msg808 
= msg("00434", dup415); - - var msg809 = msg("00435", dup395); - - var all277 = all_match({ - processors: [ - dup132, - dup343, - dup294, - ], - on_success: processor_chain([ - dup58, - dup2, - dup4, - dup59, - dup5, - dup3, - dup60, - ]), - }); - - var msg810 = msg("00435:01", all277); - - var select302 = linear_select([ - msg809, - msg810, - ]); - - var msg811 = msg("00436", dup395); - - var all278 = all_match({ - processors: [ - dup64, - dup338, - dup67, - ], - on_success: processor_chain([ - dup58, - dup2, - dup59, - dup9, - dup4, - dup5, - dup3, - dup60, - ]), - }); - - var msg812 = msg("00436:01", all278); - - var select303 = linear_select([ - msg811, - msg812, - ]); - - var part1302 = match("MESSAGE#803:00437", "nwparser.payload", "%{signame->} has been detected! From %{saddr}:%{sport->} to %{daddr}:%{dport}, using protocol %{protocol}, and arriving at interface %{dinterface->} in zone %{dst_zone}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([ - dup58, - dup2, - dup59, - dup3, - dup4, - dup5, - dup61, - ])); - - var msg813 = msg("00437", part1302); - - var all279 = all_match({ - processors: [ - dup299, - dup338, - dup67, - ], - on_success: processor_chain([ - dup58, - dup2, - dup59, - dup3, - dup4, - dup5, - dup61, - dup9, - ]), - }); - - var msg814 = msg("00437:01", all279); - - var part1303 = match("MESSAGE#805:00437:02", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to %{daddr}:%{dport}, using protocol %{protocol}, on zone %{zone->} interface %{interface}.The attack occurred %{dclass_counter1->} times. (%{fld1})", processor_chain([ - dup58, - dup2, - dup59, - dup3, - dup4, - dup5, - dup61, - dup9, - ])); - - var msg815 = msg("00437:02", part1303); - - var select304 = linear_select([ - msg813, - msg814, - msg815, - ]); - - var part1304 = match("MESSAGE#806:00438", "nwparser.payload", "%{signame->} has been detected! 
From %{saddr}:%{sport->} to %{daddr}:%{dport->} using protocol %{protocol->} and arriving at interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([ - dup58, - dup2, - dup59, - dup3, - dup4, - dup5, - dup61, - ])); - - var msg816 = msg("00438", part1304); - - var part1305 = match("MESSAGE#807:00438:01", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to %{daddr}:%{dport}, using protocol %{protocol}, on zone %{zone->} interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times.", processor_chain([ - dup58, - dup2, - dup59, - dup3, - dup4, - dup5, - dup61, - ])); - - var msg817 = msg("00438:01", part1305); - - var all280 = all_match({ - processors: [ - dup299, - dup338, - dup67, - ], - on_success: processor_chain([ - dup58, - dup2, - dup59, - dup3, - dup4, - dup5, - dup9, - dup61, - ]), - }); - - var msg818 = msg("00438:02", all280); - - var select305 = linear_select([ - msg816, - msg817, - msg818, - ]); - - var part1306 = match("MESSAGE#809:00440", "nwparser.payload", "%{signame->} has been detected! From %{saddr->} to %{daddr}, using protocol %{protocol}, and arriving at interface %{dinterface->} in zone %{dst_zone}.%{space}The attack occurred %{dclass_counter1->} times. (%{fld1})", processor_chain([ - dup58, - dup2, - dup59, - dup3, - dup4, - dup5, - dup9, - dup60, - ])); - - var msg819 = msg("00440", part1306); - - var part1307 = match("MESSAGE#810:00440:02", "nwparser.payload", "%{signame->} has been detected! 
From %{saddr}:%{sport->} to %{daddr}:%{dport}, using protocol %{protocol}, and arriving at interface %{dinterface->} in zone %{dst_zone}.%{space}The attack occurred %{dclass_counter1->} times.", processor_chain([ - dup58, - dup2, - dup59, - dup4, - dup5, - dup3, - dup61, - ])); - - var msg820 = msg("00440:02", part1307); - - var all281 = all_match({ - processors: [ - dup239, - dup343, - dup83, - ], - on_success: processor_chain([ - dup58, - dup2, - dup59, - dup4, - dup5, - dup3, - dup9, - dup61, - ]), - }); - - var msg821 = msg("00440:01", all281); - - var part1308 = match("MESSAGE#812:00440:03/0", "nwparser.payload", "Fragmented traffic! From %{saddr->} to %{daddr}, proto %{protocol->} (zone %{group->} %{p0}"); - - var all282 = all_match({ - processors: [ - part1308, - dup343, - dup83, - ], - on_success: processor_chain([ - dup58, - dup2, - dup59, - dup4, - dup5, - dup3, - dup9, - dup60, - ]), - }); - - var msg822 = msg("00440:03", all282); - - var select306 = linear_select([ - msg819, - msg820, - msg821, - msg822, - ]); - - var part1309 = match("MESSAGE#813:00441", "nwparser.payload", "%{signame->} id=%{fld2}! From %{saddr->} to %{daddr}, proto %{protocol->} (zone %{zone}). Occurred %{dclass_counter1->} times. 
(%{fld1})", processor_chain([ - dup58, - dup4, - dup59, - dup5, - dup9, - dup2, - dup3, - dup60, - ])); - - var msg823 = msg("00441", part1309); - - var msg824 = msg("00442", dup396); - - var msg825 = msg("00443", dup396); - - var part1310 = match("MESSAGE#816:00511", "nwparser.payload", "admin %{administrator->} issued command %{fld2->} to redirect output.", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg826 = msg("00511", part1310); - - var part1311 = match("MESSAGE#817:00511:01/0", "nwparser.payload", "All System Config saved by admin %{p0}"); - - var all283 = all_match({ - processors: [ - part1311, - dup397, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg827 = msg("00511:01", all283); - - var part1312 = match("MESSAGE#818:00511:02", "nwparser.payload", "All logged events or alarms are cleared by admin %{administrator}.", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg828 = msg("00511:02", part1312); - - var part1313 = match("MESSAGE#819:00511:03/0", "nwparser.payload", "Get new software from flash to slot (file: %{fld2}) by admin %{p0}"); - - var all284 = all_match({ - processors: [ - part1313, - dup397, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg829 = msg("00511:03", all284); - - var part1314 = match("MESSAGE#820:00511:04/0", "nwparser.payload", "Get new software from %{hostip->} (file: %{fld2}) to slot (file: %{fld3}) by admin %{p0}"); - - var all285 = all_match({ - processors: [ - part1314, - dup397, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg830 = msg("00511:04", all285); - - var part1315 = match("MESSAGE#821:00511:05/0", "nwparser.payload", "Get new software to %{hostip->} (file: %{fld2}) by admin %{p0}"); - - var all286 = all_match({ - processors: [ - part1315, - dup397, - ], - on_success: processor_chain([ - 
dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg831 = msg("00511:05", all286); - - var part1316 = match("MESSAGE#822:00511:06/0", "nwparser.payload", "Log setting is modified by admin %{p0}"); - - var all287 = all_match({ - processors: [ - part1316, - dup397, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg832 = msg("00511:06", all287); - - var part1317 = match("MESSAGE#823:00511:07/0", "nwparser.payload", "Save configuration to %{hostip->} (file: %{fld2}) by admin %{p0}"); - - var all288 = all_match({ - processors: [ - part1317, - dup397, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg833 = msg("00511:07", all288); - - var part1318 = match("MESSAGE#824:00511:08/0", "nwparser.payload", "Save new software from slot (file: %{fld2}) to flash by admin %{p0}"); - - var all289 = all_match({ - processors: [ - part1318, - dup397, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg834 = msg("00511:08", all289); - - var part1319 = match("MESSAGE#825:00511:09/0", "nwparser.payload", "Save new software from %{hostip->} (file: %{result}) to flash by admin %{p0}"); - - var all290 = all_match({ - processors: [ - part1319, - dup397, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg835 = msg("00511:09", all290); - - var part1320 = match("MESSAGE#826:00511:10/0", "nwparser.payload", "System Config from flash to slot - %{fld2->} by admin %{p0}"); - - var all291 = all_match({ - processors: [ - part1320, - dup397, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg836 = msg("00511:10", all291); - - var part1321 = match("MESSAGE#827:00511:11/0", "nwparser.payload", "System Config load from %{hostip->} (file %{fld2}) to slot - %{fld3->} by admin %{p0}"); - - var all292 = 
all_match({ - processors: [ - part1321, - dup397, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg837 = msg("00511:11", all292); - - var part1322 = match("MESSAGE#828:00511:12/0", "nwparser.payload", "System Config load from %{hostip->} (file %{fld2}) by admin %{p0}"); - - var all293 = all_match({ - processors: [ - part1322, - dup397, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg838 = msg("00511:12", all293); - - var part1323 = match("MESSAGE#829:00511:13/0", "nwparser.payload", "The system configuration was loaded from the slot by admin %{p0}"); - - var all294 = all_match({ - processors: [ - part1323, - dup397, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg839 = msg("00511:13", all294); - - var part1324 = match("MESSAGE#830:00511:14", "nwparser.payload", "FIPS: Attempt to set RADIUS shared secret with invalid length %{fld2}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg840 = msg("00511:14", part1324); - - var select307 = linear_select([ - msg826, - msg827, - msg828, - msg829, - msg830, - msg831, - msg832, - msg833, - msg834, - msg835, - msg836, - msg837, - msg838, - msg839, - msg840, - ]); - - var part1325 = match("MESSAGE#831:00513/0", "nwparser.payload", "The physical state of %{p0}"); - - var part1326 = match("MESSAGE#831:00513/1_1", "nwparser.p0", "the Interface %{p0}"); - - var select308 = linear_select([ - dup123, - part1326, - dup122, - ]); - - var part1327 = match("MESSAGE#831:00513/2", "nwparser.p0", "%{interface->} has changed to %{p0}"); - - var part1328 = match("MESSAGE#831:00513/3_0", "nwparser.p0", "%{result}. 
(%{fld1})"); - - var part1329 = match_copy("MESSAGE#831:00513/3_1", "nwparser.p0", "result"); - - var select309 = linear_select([ - part1328, - part1329, - ]); - - var all295 = all_match({ - processors: [ - part1325, - select308, - part1327, - select309, - ], - on_success: processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - dup9, - ]), - }); - - var msg841 = msg("00513", all295); - - var part1330 = match("MESSAGE#832:00515/0_0", "nwparser.payload", "Vsys Admin %{p0}"); - - var select310 = linear_select([ - part1330, - dup287, - ]); - - var part1331 = match("MESSAGE#832:00515/1", "nwparser.p0", "%{administrator->} has logged on via the %{logon_type->} ( HTTP%{p0}"); - - var part1332 = match("MESSAGE#832:00515/2_1", "nwparser.p0", "S%{p0}"); - - var select311 = linear_select([ - dup96, - part1332, - ]); - - var part1333 = match("MESSAGE#832:00515/3", "nwparser.p0", "%{}) to port %{interface->} from %{saddr}:%{sport}"); - - var all296 = all_match({ - processors: [ - select310, - part1331, - select311, - part1333, - ], - on_success: processor_chain([ - dup301, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg842 = msg("00515", all296); - - var part1334 = match("MESSAGE#833:00515:01/0", "nwparser.payload", "Login attempt to system by admin %{administrator->} via %{p0}"); - - var part1335 = match("MESSAGE#833:00515:01/1_0", "nwparser.p0", "the %{logon_type->} has failed %{p0}"); - - var part1336 = match("MESSAGE#833:00515:01/1_1", "nwparser.p0", "%{logon_type->} from %{saddr}:%{sport->} has failed %{p0}"); - - var select312 = linear_select([ - part1335, - part1336, - ]); - - var part1337 = match_copy("MESSAGE#833:00515:01/2", "nwparser.p0", "fld2"); - - var all297 = all_match({ - processors: [ - part1334, - select312, - part1337, - ], - on_success: processor_chain([ - dup206, - dup29, - dup30, - dup31, - dup54, - dup2, - dup4, - dup5, - dup302, - dup3, - ]), - }); - - var msg843 = msg("00515:01", all297); - - var part1338 = match("MESSAGE#834:00515:02/0", 
"nwparser.payload", "Management session via %{p0}"); - - var part1339 = match("MESSAGE#834:00515:02/1_0", "nwparser.p0", "the %{logon_type->} for %{p0}"); - - var part1340 = match("MESSAGE#834:00515:02/1_1", "nwparser.p0", "%{logon_type->} from %{saddr}:%{sport->} for %{p0}"); - - var select313 = linear_select([ - part1339, - part1340, - ]); - - var part1341 = match("MESSAGE#834:00515:02/2_0", "nwparser.p0", "[vsys] admin %{p0}"); - - var part1342 = match("MESSAGE#834:00515:02/2_1", "nwparser.p0", "vsys admin %{p0}"); - - var select314 = linear_select([ - part1341, - part1342, - dup15, - ]); - - var part1343 = match("MESSAGE#834:00515:02/3", "nwparser.p0", "%{administrator->} has timed out"); - - var all298 = all_match({ - processors: [ - part1338, - select313, - select314, - part1343, - ], - on_success: processor_chain([ - dup27, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg844 = msg("00515:02", all298); - - var part1344 = match("MESSAGE#835:00515:04/0_0", "nwparser.payload", "[Vsys] %{p0}"); - - var part1345 = match("MESSAGE#835:00515:04/0_1", "nwparser.payload", "Vsys %{p0}"); - - var select315 = linear_select([ - part1344, - part1345, - ]); - - var part1346 = match("MESSAGE#835:00515:04/1", "nwparser.p0", "Admin %{administrator->} has logged o%{p0}"); - - var part1347 = match_copy("MESSAGE#835:00515:04/4_1", "nwparser.p0", "logon_type"); - - var select316 = linear_select([ - dup304, - part1347, - ]); - - var all299 = all_match({ - processors: [ - select315, - part1346, - dup398, - dup40, - select316, - ], - on_success: processor_chain([ - dup240, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg845 = msg("00515:04", all299); - - var part1348 = match("MESSAGE#836:00515:06", "nwparser.payload", "Admin User %{administrator->} has logged on via %{logon_type->} from %{saddr}:%{sport}", processor_chain([ - dup240, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg846 = msg("00515:06", part1348); - - var part1349 = match("MESSAGE#837:00515:05/0", 
"nwparser.payload", "%{}Admin %{p0}"); - - var select317 = linear_select([ - dup305, - dup16, - ]); - - var part1350 = match("MESSAGE#837:00515:05/2", "nwparser.p0", "%{administrator->} has logged o%{p0}"); - - var part1351 = match("MESSAGE#837:00515:05/5_1", "nwparser.p0", "%{logon_type->} from %{saddr}:%{sport->} (%{fld2})"); - - var select318 = linear_select([ - dup306, - part1351, - dup304, - ]); - - var all300 = all_match({ - processors: [ - part1349, - select317, - part1350, - dup398, - dup40, - select318, - ], - on_success: processor_chain([ - dup240, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg847 = msg("00515:05", all300); - - var part1352 = match("MESSAGE#838:00515:07", "nwparser.payload", "Admin user %{administrator->} login attempt for %{logon_type}(http) management (port %{network_port}) from %{saddr}:%{sport->} %{disposition}", processor_chain([ - dup240, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg848 = msg("00515:07", part1352); - - var part1353 = match("MESSAGE#839:00515:08/0", "nwparser.payload", "%{fld2->} Admin User \"%{administrator}\" logged in for %{logon_type}(http%{p0}"); - - var part1354 = match("MESSAGE#839:00515:08/1_0", "nwparser.p0", ") %{p0}"); - - var part1355 = match("MESSAGE#839:00515:08/1_1", "nwparser.p0", "s) %{p0}"); - - var select319 = linear_select([ - part1354, - part1355, - ]); - - var part1356 = match("MESSAGE#839:00515:08/2", "nwparser.p0", "management (port %{network_port}) from %{saddr}:%{sport}"); - - var all301 = all_match({ - processors: [ - part1353, - select319, - part1356, - ], - on_success: processor_chain([ - dup240, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg849 = msg("00515:08", all301); - - var part1357 = match("MESSAGE#840:00515:09", "nwparser.payload", "User %{username->} telnet management session from (%{saddr}:%{sport}) timed out", processor_chain([ - dup240, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg850 = msg("00515:09", part1357); - - var part1358 = 
match("MESSAGE#841:00515:10", "nwparser.payload", "User %{username->} logged out of telnet session from %{saddr}:%{sport}", processor_chain([ - dup240, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg851 = msg("00515:10", part1358); - - var part1359 = match("MESSAGE#842:00515:11", "nwparser.payload", "The session limit threshold has been set to %{trigger_val->} on zone %{zone}.", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg852 = msg("00515:11", part1359); - - var part1360 = match("MESSAGE#843:00515:12/0", "nwparser.payload", "[ Vsys ] Admin User \"%{administrator}\" logged in for Web( http%{p0}"); - - var part1361 = match("MESSAGE#843:00515:12/2", "nwparser.p0", ") management (port %{network_port})"); - - var all302 = all_match({ - processors: [ - part1360, - dup399, - part1361, - ], - on_success: processor_chain([ - dup240, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg853 = msg("00515:12", all302); - - var select320 = linear_select([ - dup288, - dup287, - ]); - - var part1362 = match("MESSAGE#844:00515:13/1", "nwparser.p0", "user %{administrator->} has logged o%{p0}"); - - var select321 = linear_select([ - dup306, - dup304, - ]); - - var all303 = all_match({ - processors: [ - select320, - part1362, - dup398, - dup40, - select321, - ], - on_success: processor_chain([ - dup240, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg854 = msg("00515:13", all303); - - var part1363 = match("MESSAGE#845:00515:14/0_0", "nwparser.payload", "Admin user %{administrator->} has been forced to log o%{p0}"); - - var part1364 = match("MESSAGE#845:00515:14/0_1", "nwparser.payload", "%{username->} %{fld1->} has been forced to log o%{p0}"); - - var select322 = linear_select([ - part1363, - part1364, - ]); - - var part1365 = match("MESSAGE#845:00515:14/2", "nwparser.p0", "of the %{p0}"); - - var part1366 = match("MESSAGE#845:00515:14/3_0", "nwparser.p0", "serial %{logon_type->} session."); - - var part1367 = 
match("MESSAGE#845:00515:14/3_1", "nwparser.p0", "%{logon_type->} session on host %{hostip}:%{network_port->} (%{event_time})"); - - var part1368 = match("MESSAGE#845:00515:14/3_2", "nwparser.p0", "%{logon_type->} session on host %{hostip}:%{network_port}"); - - var select323 = linear_select([ - part1366, - part1367, - part1368, - ]); - - var all304 = all_match({ - processors: [ - select322, - dup398, - part1365, - select323, - ], - on_success: processor_chain([ - dup240, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg855 = msg("00515:14", all304); - - var part1369 = match("MESSAGE#846:00515:15/0", "nwparser.payload", "%{fld2}: Admin User %{administrator->} has logged o%{p0}"); - - var part1370 = match("MESSAGE#846:00515:15/3_0", "nwparser.p0", "the %{logon_type->} (%{p0}"); - - var part1371 = match("MESSAGE#846:00515:15/3_1", "nwparser.p0", "%{logon_type->} from %{saddr}:%{sport->} (%{p0}"); - - var select324 = linear_select([ - part1370, - part1371, - ]); - - var all305 = all_match({ - processors: [ - part1369, - dup398, - dup40, - select324, - dup41, - ], - on_success: processor_chain([ - dup240, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg856 = msg("00515:15", all305); - - var part1372 = match("MESSAGE#847:00515:16/0_0", "nwparser.payload", "%{fld2}: Admin %{p0}"); - - var select325 = linear_select([ - part1372, - dup287, - ]); - - var part1373 = match("MESSAGE#847:00515:16/1", "nwparser.p0", "user %{administrator->} attempt access to %{url->} illegal from %{logon_type}( http%{p0}"); - - var part1374 = match("MESSAGE#847:00515:16/3", "nwparser.p0", ") management (port %{network_port}) from %{saddr}:%{sport}. 
(%{fld1})"); - - var all306 = all_match({ - processors: [ - select325, - part1373, - dup399, - part1374, - ], - on_success: processor_chain([ - dup240, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg857 = msg("00515:16", all306); - - var part1375 = match("MESSAGE#848:00515:17/0", "nwparser.payload", "Admin user \"%{administrator}\" logged out for %{logon_type}(%{p0}"); - - var part1376 = match("MESSAGE#848:00515:17/1_0", "nwparser.p0", "https %{p0}"); - - var part1377 = match("MESSAGE#848:00515:17/1_1", "nwparser.p0", " http %{p0}"); - - var select326 = linear_select([ - part1376, - part1377, - ]); - - var part1378 = match("MESSAGE#848:00515:17/2", "nwparser.p0", ") management (port %{network_port}) from %{saddr}:%{sport}"); - - var all307 = all_match({ - processors: [ - part1375, - select326, - part1378, - ], - on_success: processor_chain([ - dup240, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg858 = msg("00515:17", all307); - - var part1379 = match("MESSAGE#849:00515:18", "nwparser.payload", "Admin user %{administrator->} login attempt for %{logon_type}(https) management (port %{network_port}) from %{saddr}:%{sport->} %{disposition}. (%{fld1})", processor_chain([ - dup240, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg859 = msg("00515:18", part1379); - - var part1380 = match("MESSAGE#850:00515:19/0", "nwparser.payload", "Vsys admin user %{administrator->} logged on via %{p0}"); - - var part1381 = match("MESSAGE#850:00515:19/1_0", "nwparser.p0", "%{logon_type->} from remote IP address %{saddr->} using port %{sport}. (%{p0}"); - - var part1382 = match("MESSAGE#850:00515:19/1_1", "nwparser.p0", "the console. 
(%{p0}"); - - var select327 = linear_select([ - part1381, - part1382, - ]); - - var all308 = all_match({ - processors: [ - part1380, - select327, - dup41, - ], - on_success: processor_chain([ - dup240, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg860 = msg("00515:19", all308); - - var part1383 = match("MESSAGE#851:00515:20", "nwparser.payload", "netscreen: Management session via SCS from %{saddr}:%{sport->} for admin netscreen has timed out (%{fld1})", processor_chain([ - dup240, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg861 = msg("00515:20", part1383); - - var select328 = linear_select([ - msg842, - msg843, - msg844, - msg845, - msg846, - msg847, - msg848, - msg849, - msg850, - msg851, - msg852, - msg853, - msg854, - msg855, - msg856, - msg857, - msg858, - msg859, - msg860, - msg861, - ]); - - var part1384 = match("MESSAGE#852:00518", "nwparser.payload", "Admin user %{administrator->} %{fld1}at %{saddr->} has been %{disposition->} via the %{logon_type->} server at %{hostip}", processor_chain([ - dup281, - dup2, - dup4, - dup5, - dup3, - ])); - - var msg862 = msg("00518", part1384); - - var part1385 = match("MESSAGE#853:00518:17", "nwparser.payload", "Admin user %{administrator->} has been %{disposition->} via the %{logon_type->} server at %{hostip}", processor_chain([ - dup281, - dup2, - dup4, - dup5, - dup3, - ])); - - var msg863 = msg("00518:17", part1385); - - var part1386 = match("MESSAGE#854:00518:01", "nwparser.payload", "Local authentication for WebAuth user %{username->} was %{disposition}", processor_chain([ - dup281, - dup2, - dup4, - dup5, - dup3, - ])); - - var msg864 = msg("00518:01", part1386); - - var part1387 = match("MESSAGE#855:00518:02", "nwparser.payload", "Local authentication for user %{username->} was %{disposition}", processor_chain([ - dup281, - dup2, - dup4, - dup5, - dup3, - ])); - - var msg865 = msg("00518:02", part1387); - - var part1388 = match("MESSAGE#856:00518:03", "nwparser.payload", "User 
%{username->} at %{saddr->} must enter \"Next Code\" for SecurID %{hostip}", processor_chain([ - dup203, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg866 = msg("00518:03", part1388); - - var part1389 = match("MESSAGE#857:00518:04", "nwparser.payload", "WebAuth user %{username->} at %{saddr->} has been %{disposition->} via the %{logon_type->} server at %{hostip}", processor_chain([ - dup203, - dup2, - dup4, - dup5, - dup3, - ])); - - var msg867 = msg("00518:04", part1389); - - var part1390 = match("MESSAGE#858:00518:05", "nwparser.payload", "User %{username->} at %{saddr->} has been challenged via the %{authmethod->} server at %{hostip->} (Rejected since challenge is not supported for %{logon_type})", processor_chain([ - dup203, - dup2, - dup4, - dup5, - dup3, - ])); - - var msg868 = msg("00518:05", part1390); - - var part1391 = match("MESSAGE#859:00518:06", "nwparser.payload", "Error in authentication for WebAuth user %{username}", processor_chain([ - dup35, - dup29, - dup31, - dup54, - dup2, - dup4, - dup5, - dup3, - ])); - - var msg869 = msg("00518:06", part1391); - - var part1392 = match("MESSAGE#860:00518:07/0", "nwparser.payload", "Authentication for user %{username->} was denied (long %{p0}"); - - var part1393 = match("MESSAGE#860:00518:07/1_1", "nwparser.p0", "username %{p0}"); - - var select329 = linear_select([ - dup24, - part1393, - ]); - - var part1394 = match("MESSAGE#860:00518:07/2", "nwparser.p0", ")%{}"); - - var all309 = all_match({ - processors: [ - part1392, - select329, - part1394, - ], - on_success: processor_chain([ - dup53, - dup29, - dup31, - dup54, - dup2, - dup4, - dup5, - dup3, - ]), - }); - - var msg870 = msg("00518:07", all309); - - var part1395 = match("MESSAGE#861:00518:08", "nwparser.payload", "User %{username->} at %{saddr->} %{authmethod->} authentication attempt has timed out", processor_chain([ - dup35, - dup29, - dup31, - dup39, - dup2, - dup4, - dup5, - dup3, - ])); - - var msg871 = msg("00518:08", part1395); - - var 
part1396 = match("MESSAGE#862:00518:09", "nwparser.payload", "User %{username->} at %{saddr->} has been %{disposition->} via the %{logon_type->} server at %{hostip}", processor_chain([ - dup203, - dup2, - dup4, - dup5, - dup3, - ])); - - var msg872 = msg("00518:09", part1396); - - var part1397 = match("MESSAGE#863:00518:10", "nwparser.payload", "Admin user \"%{administrator}\" login attempt for %{logon_type->} (%{network_service}) management (port %{network_port}) from %{saddr}:%{sport->} failed due to %{result}. (%{fld1})", processor_chain([ - dup206, - dup29, - dup30, - dup31, - dup54, - dup2, - dup4, - dup9, - dup5, - dup3, - dup302, - ])); - - var msg873 = msg("00518:10", part1397); - - var part1398 = match("MESSAGE#864:00518:11/0", "nwparser.payload", "ADM: Local admin authentication failed for login name %{p0}"); - - var part1399 = match("MESSAGE#864:00518:11/1_0", "nwparser.p0", "'%{username}': %{p0}"); - - var part1400 = match("MESSAGE#864:00518:11/1_1", "nwparser.p0", "%{username}: %{p0}"); - - var select330 = linear_select([ - part1399, - part1400, - ]); - - var part1401 = match("MESSAGE#864:00518:11/2", "nwparser.p0", "%{result->} (%{fld1})"); - - var all310 = all_match({ - processors: [ - part1398, - select330, - part1401, - ], - on_success: processor_chain([ - dup206, - dup29, - dup30, - dup31, - dup54, - dup2, - dup9, - dup4, - dup5, - dup3, - ]), - }); - - var msg874 = msg("00518:11", all310); - - var part1402 = match("MESSAGE#865:00518:12", "nwparser.payload", "Admin user \"%{administrator}\" login attempt for %{logon_type}(%{network_service}) management (port %{network_port}) from %{saddr}:%{sport->} %{disposition}. (%{fld1})", processor_chain([ - dup240, - dup2, - dup4, - dup9, - dup5, - dup3, - ])); - - var msg875 = msg("00518:12", part1402); - - var part1403 = match("MESSAGE#866:00518:13", "nwparser.payload", "User %{username->} at %{saddr->} is rejected by the Radius server at %{hostip}. 
(%{fld1})", processor_chain([ - dup290, - dup2, - dup3, - dup4, - dup9, - dup5, - ])); - - var msg876 = msg("00518:13", part1403); - - var part1404 = match("MESSAGE#867:00518:14", "nwparser.payload", "%{fld2}: Admin user has been rejected via the Radius server at %{hostip->} (%{fld1})", processor_chain([ - dup290, - dup2, - dup4, - dup5, - dup9, - ])); - - var msg877 = msg("00518:14", part1404); - - var select331 = linear_select([ - msg862, - msg863, - msg864, - msg865, - msg866, - msg867, - msg868, - msg869, - msg870, - msg871, - msg872, - msg873, - msg874, - msg875, - msg876, - msg877, - ]); - - var part1405 = match("MESSAGE#868:00519/0", "nwparser.payload", "Admin user %{administrator->} %{p0}"); - - var part1406 = match("MESSAGE#868:00519/1_1", "nwparser.p0", "of group %{group->} at %{saddr->} has %{p0}"); - - var part1407 = match("MESSAGE#868:00519/1_2", "nwparser.p0", "%{group->} at %{saddr->} has %{p0}"); - - var select332 = linear_select([ - dup194, - part1406, - part1407, - ]); - - var part1408 = match("MESSAGE#868:00519/2", "nwparser.p0", "been %{disposition->} via the %{logon_type->} server %{p0}"); - - var part1409 = match("MESSAGE#868:00519/3_0", "nwparser.p0", "at %{p0}"); - - var select333 = linear_select([ - part1409, - dup16, - ]); - - var part1410 = match("MESSAGE#868:00519/4", "nwparser.p0", "%{hostip}"); - - var all311 = all_match({ - processors: [ - part1405, - select332, - part1408, - select333, - part1410, - ], - on_success: processor_chain([ - dup203, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg878 = msg("00519", all311); - - var part1411 = match("MESSAGE#869:00519:01/0", "nwparser.payload", "Local authentication for %{p0}"); - - var select334 = linear_select([ - dup307, - dup305, - ]); - - var part1412 = match("MESSAGE#869:00519:01/2", "nwparser.p0", "%{username->} was %{disposition}"); - - var all312 = all_match({ - processors: [ - part1411, - select334, - part1412, - ], - on_success: processor_chain([ - dup203, - dup2, - dup3, 
- dup4, - dup5, - ]), - }); - - var msg879 = msg("00519:01", all312); - - var part1413 = match("MESSAGE#870:00519:02/1_1", "nwparser.p0", "User %{p0}"); - - var select335 = linear_select([ - dup307, - part1413, - ]); - - var part1414 = match("MESSAGE#870:00519:02/2", "nwparser.p0", "%{username->} at %{saddr->} has been %{disposition->} via the %{logon_type->} server at %{hostip}"); - - var all313 = all_match({ - processors: [ - dup160, - select335, - part1414, - ], - on_success: processor_chain([ - dup203, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg880 = msg("00519:02", all313); - - var part1415 = match("MESSAGE#871:00519:03", "nwparser.payload", "Admin user \"%{administrator}\" logged in for %{logon_type}(%{network_service}) management (port %{network_port}) from %{saddr}:%{sport->} %{fld4}", processor_chain([ - dup240, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg881 = msg("00519:03", part1415); - - var part1416 = match("MESSAGE#872:00519:04", "nwparser.payload", "ADM: Local admin authentication successful for login name %{username->} (%{fld1})", processor_chain([ - dup240, - dup2, - dup4, - dup5, - dup9, - ])); - - var msg882 = msg("00519:04", part1416); - - var part1417 = match("MESSAGE#873:00519:05", "nwparser.payload", "%{fld2}Admin user %{administrator->} has been accepted via the Radius server at %{hostip}(%{fld1})", processor_chain([ - dup240, - dup2, - dup4, - dup5, - dup9, - ])); - - var msg883 = msg("00519:05", part1417); - - var select336 = linear_select([ - msg878, - msg879, - msg880, - msg881, - msg882, - msg883, - ]); - - var part1418 = match("MESSAGE#874:00520", "nwparser.payload", "%{hostname->} user authentication attempt has timed out", processor_chain([ - dup35, - dup31, - dup39, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg884 = msg("00520", part1418); - - var part1419 = match("MESSAGE#875:00520:01/0", "nwparser.payload", "User %{username->} at %{hostip->} %{p0}"); - - var part1420 = match("MESSAGE#875:00520:01/1_0", 
"nwparser.p0", "RADIUS %{p0}"); - - var part1421 = match("MESSAGE#875:00520:01/1_1", "nwparser.p0", "SecurID %{p0}"); - - var part1422 = match("MESSAGE#875:00520:01/1_2", "nwparser.p0", "LDAP %{p0}"); - - var part1423 = match("MESSAGE#875:00520:01/1_3", "nwparser.p0", "Local %{p0}"); - - var select337 = linear_select([ - part1420, - part1421, - part1422, - part1423, - ]); - - var part1424 = match("MESSAGE#875:00520:01/2", "nwparser.p0", "authentication attempt has timed out%{}"); - - var all314 = all_match({ - processors: [ - part1419, - select337, - part1424, - ], - on_success: processor_chain([ - dup35, - dup31, - dup39, - dup2, - dup4, - dup5, - dup3, - ]), - }); - - var msg885 = msg("00520:01", all314); - - var part1425 = match("MESSAGE#876:00520:02/0", "nwparser.payload", "Trying %{p0}"); - - var part1426 = match("MESSAGE#876:00520:02/2", "nwparser.p0", "server %{fld2}"); - - var all315 = all_match({ - processors: [ - part1425, - dup400, - part1426, - ], - on_success: processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg886 = msg("00520:02", all315); - - var part1427 = match("MESSAGE#877:00520:03/1_0", "nwparser.p0", "Primary %{p0}"); - - var part1428 = match("MESSAGE#877:00520:03/1_1", "nwparser.p0", "Backup1 %{p0}"); - - var part1429 = match("MESSAGE#877:00520:03/1_2", "nwparser.p0", "Backup2 %{p0}"); - - var select338 = linear_select([ - part1427, - part1428, - part1429, - ]); - - var part1430 = match("MESSAGE#877:00520:03/2", "nwparser.p0", "%{fld2}, %{p0}"); - - var part1431 = match("MESSAGE#877:00520:03/4", "nwparser.p0", "%{fld3}, and %{p0}"); - - var part1432 = match("MESSAGE#877:00520:03/6", "nwparser.p0", "%{fld4->} servers failed"); - - var all316 = all_match({ - processors: [ - dup160, - select338, - part1430, - dup400, - part1431, - dup400, - part1432, - ], - on_success: processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg887 = msg("00520:03", all316); - - var part1433 = 
match("MESSAGE#878:00520:04", "nwparser.payload", "Trying %{fld2->} Server %{hostip->} (%{fld1})", processor_chain([ - dup44, - dup2, - dup4, - dup5, - dup9, - ])); - - var msg888 = msg("00520:04", part1433); - - var part1434 = match("MESSAGE#1221:00520:05", "nwparser.payload", "Active Server Switchover: New requests for %{fld31->} server will try %{fld32->} from now on. (%{fld1})", processor_chain([ - dup44, - dup2, - dup4, - dup5, - dup9, - ])); - - var msg889 = msg("00520:05", part1434); - - var select339 = linear_select([ - msg884, - msg885, - msg886, - msg887, - msg888, - msg889, - ]); - - var part1435 = match("MESSAGE#879:00521", "nwparser.payload", "Can't connect to E-mail server %{hostip}", processor_chain([ - dup27, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg890 = msg("00521", part1435); - - var part1436 = match("MESSAGE#880:00522", "nwparser.payload", "HA link state has %{fld2}", processor_chain([ - dup117, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg891 = msg("00522", part1436); - - var part1437 = match("MESSAGE#881:00523", "nwparser.payload", "URL filtering received an error from %{fld2->} (error %{resultcode}).", processor_chain([ - dup232, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg892 = msg("00523", part1437); - - var part1438 = match("MESSAGE#882:00524", "nwparser.payload", "NetScreen device at %{hostip}:%{network_port->} has responded successfully to SNMP request from %{saddr}:%{sport}", processor_chain([ - dup209, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg893 = msg("00524", part1438); - - var part1439 = match("MESSAGE#883:00524:02", "nwparser.payload", "SNMP request from an unknown SNMP community public at %{hostip}:%{network_port->} has been received. 
(%{fld1})", processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg894 = msg("00524:02", part1439); - - var part1440 = match("MESSAGE#884:00524:03", "nwparser.payload", "SNMP: NetScreen device has responded successfully to the SNMP request from %{saddr}:%{sport}. (%{fld1})", processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg895 = msg("00524:03", part1440); - - var part1441 = match("MESSAGE#885:00524:04", "nwparser.payload", "SNMP request from an unknown SNMP community admin at %{hostip}:%{network_port->} has been received. (%{fld1})", processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg896 = msg("00524:04", part1441); - - var part1442 = match("MESSAGE#886:00524:05", "nwparser.payload", "SNMP request from an unknown SNMP community %{fld2->} at %{hostip}:%{network_port->} has been received. (%{fld1})", processor_chain([ - dup18, - dup2, - dup4, - dup5, - dup9, - ])); - - var msg897 = msg("00524:05", part1442); - - var part1443 = match("MESSAGE#887:00524:06", "nwparser.payload", "SNMP request has been received from an unknown host in SNMP community %{fld2->} at %{hostip}:%{network_port}. (%{fld1})", processor_chain([ - dup18, - dup2, - dup4, - dup5, - dup9, - ])); - - var msg898 = msg("00524:06", part1443); - - var part1444 = match("MESSAGE#888:00524:12", "nwparser.payload", "SNMP request from an unknown SNMP community %{fld2->} at %{saddr}:%{sport->} to %{daddr}:%{dport->} has been received", processor_chain([ - dup18, - dup2, - dup4, - dup5, - ])); - - var msg899 = msg("00524:12", part1444); - - var part1445 = match("MESSAGE#889:00524:14", "nwparser.payload", "SNMP request from %{saddr}:%{sport->} has been received, but the SNMP version type is incorrect. 
(%{fld1})", processor_chain([ - dup19, - dup2, - dup4, - setc("result","the SNMP version type is incorrect"), - dup5, - dup9, - ])); - - var msg900 = msg("00524:14", part1445); - - var part1446 = match("MESSAGE#890:00524:13/0", "nwparser.payload", "SNMP request has been received%{p0}"); - - var part1447 = match("MESSAGE#890:00524:13/2", "nwparser.p0", "%{}but %{result}"); - - var all317 = all_match({ - processors: [ - part1446, - dup401, - part1447, - ], - on_success: processor_chain([ - dup18, - dup2, - dup4, - dup5, - ]), - }); - - var msg901 = msg("00524:13", all317); - - var part1448 = match("MESSAGE#891:00524:07", "nwparser.payload", "Response to SNMP request from %{saddr}:%{sport->} to %{daddr}:%{dport->} has %{disposition->} due to %{result}", processor_chain([ - dup18, - dup2, - dup4, - dup5, - ])); - - var msg902 = msg("00524:07", part1448); - - var part1449 = match("MESSAGE#892:00524:08", "nwparser.payload", "SNMP community %{fld2->} cannot be added because %{result}", processor_chain([ - dup18, - dup2, - dup4, - dup5, - ])); - - var msg903 = msg("00524:08", part1449); - - var part1450 = match("MESSAGE#893:00524:09", "nwparser.payload", "SNMP host %{hostip->} cannot be added to community %{fld2->} because of %{result}", processor_chain([ - dup18, - dup2, - dup4, - dup5, - ])); - - var msg904 = msg("00524:09", part1450); - - var part1451 = match("MESSAGE#894:00524:10", "nwparser.payload", "SNMP host %{hostip->} cannot be added because %{result}", processor_chain([ - dup18, - dup2, - dup4, - dup5, - ])); - - var msg905 = msg("00524:10", part1451); - - var part1452 = match("MESSAGE#895:00524:11", "nwparser.payload", "SNMP host %{hostip->} cannot be removed from community %{fld2->} because %{result}", processor_chain([ - dup18, - dup2, - dup4, - dup5, - ])); - - var msg906 = msg("00524:11", part1452); - - var part1453 = match("MESSAGE#1222:00524:16", "nwparser.payload", "SNMP user/community %{fld34->} doesn't exist. 
(%{fld1})", processor_chain([ - dup44, - dup2, - dup4, - dup5, - dup9, - ])); - - var msg907 = msg("00524:16", part1453); - - var select340 = linear_select([ - msg893, - msg894, - msg895, - msg896, - msg897, - msg898, - msg899, - msg900, - msg901, - msg902, - msg903, - msg904, - msg905, - msg906, - msg907, - ]); - - var part1454 = match("MESSAGE#896:00525", "nwparser.payload", "The new PIN for user %{username->} at %{hostip->} has been %{disposition->} by SecurID %{fld2}", processor_chain([ - dup203, - setc("ec_subject","Password"), - dup38, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg908 = msg("00525", part1454); - - var part1455 = match("MESSAGE#897:00525:01", "nwparser.payload", "User %{username->} at %{hostip->} has selected a system-generated PIN for authentication with SecurID %{fld2}", processor_chain([ - dup203, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg909 = msg("00525:01", part1455); - - var part1456 = match("MESSAGE#898:00525:02", "nwparser.payload", "User %{username->} at %{hostip->} must enter the \"new PIN\" for SecurID %{fld2}", processor_chain([ - dup203, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg910 = msg("00525:02", part1456); - - var part1457 = match("MESSAGE#899:00525:03", "nwparser.payload", "User %{username->} at %{hostip->} must make a \"New PIN\" choice for SecurID %{fld2}", processor_chain([ - dup203, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg911 = msg("00525:03", part1457); - - var select341 = linear_select([ - msg908, - msg909, - msg910, - msg911, - ]); - - var part1458 = match("MESSAGE#900:00526", "nwparser.payload", "The user limit has been exceeded and %{hostip->} cannot be added", processor_chain([ - dup37, - dup219, - dup38, - dup39, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg912 = msg("00526", part1458); - - var part1459 = match("MESSAGE#901:00527/0", "nwparser.payload", "A DHCP-%{p0}"); - - var part1460 = match("MESSAGE#901:00527/1_1", "nwparser.p0", " assigned %{p0}"); - - var select342 = 
linear_select([ - dup311, - part1460, - ]); - - var part1461 = match("MESSAGE#901:00527/2", "nwparser.p0", "IP address %{hostip->} has been %{p0}"); - - var part1462 = match("MESSAGE#901:00527/3_1", "nwparser.p0", "freed from %{p0}"); - - var part1463 = match("MESSAGE#901:00527/3_2", "nwparser.p0", "freed %{p0}"); - - var select343 = linear_select([ - dup312, - part1462, - part1463, - ]); - - var all318 = all_match({ - processors: [ - part1459, - select342, - part1461, - select343, - dup108, - ], - on_success: processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg913 = msg("00527", all318); - - var part1464 = match("MESSAGE#902:00527:01", "nwparser.payload", "A DHCP-assigned IP address has been manually released%{}", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg914 = msg("00527:01", part1464); - - var part1465 = match("MESSAGE#903:00527:02/0", "nwparser.payload", "DHCP server has %{p0}"); - - var part1466 = match("MESSAGE#903:00527:02/1_1", "nwparser.p0", "released %{p0}"); - - var part1467 = match("MESSAGE#903:00527:02/1_2", "nwparser.p0", "assigned or released %{p0}"); - - var select344 = linear_select([ - dup311, - part1466, - part1467, - ]); - - var part1468 = match("MESSAGE#903:00527:02/2", "nwparser.p0", "an IP address%{}"); - - var all319 = all_match({ - processors: [ - part1465, - select344, - part1468, - ], - on_success: processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg915 = msg("00527:02", all319); - - var part1469 = match("MESSAGE#904:00527:03", "nwparser.payload", "MAC address %{macaddr->} has detected an IP conflict and has declined address %{hostip}", processor_chain([ - dup272, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg916 = msg("00527:03", part1469); - - var part1470 = match("MESSAGE#905:00527:04", "nwparser.payload", "One or more DHCP-assigned IP addresses have been manually released.%{}", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - 
])); - - var msg917 = msg("00527:04", part1470); - - var part1471 = match("MESSAGE#906:00527:05/2", "nwparser.p0", "%{} %{interface->} is more than %{fld2->} allocated."); - - var all320 = all_match({ - processors: [ - dup210, - dup337, - part1471, - ], - on_success: processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg918 = msg("00527:05", all320); - - var part1472 = match("MESSAGE#907:00527:06/0", "nwparser.payload", "IP address %{hostip->} %{p0}"); - - var select345 = linear_select([ - dup106, - dup127, - ]); - - var part1473 = match("MESSAGE#907:00527:06/3_1", "nwparser.p0", "released from %{p0}"); - - var select346 = linear_select([ - dup312, - part1473, - ]); - - var part1474 = match("MESSAGE#907:00527:06/4", "nwparser.p0", "%{fld2->} (%{fld1})"); - - var all321 = all_match({ - processors: [ - part1472, - select345, - dup23, - select346, - part1474, - ], - on_success: processor_chain([ - dup44, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg919 = msg("00527:06", all321); - - var part1475 = match("MESSAGE#908:00527:07", "nwparser.payload", "One or more IP addresses have expired. 
(%{fld1})", processor_chain([ - dup44, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg920 = msg("00527:07", part1475); - - var part1476 = match("MESSAGE#909:00527:08", "nwparser.payload", "DHCP server on interface %{interface->} received %{protocol_detail->} from %{smacaddr->} requesting out-of-scope IP address %{hostip}/%{mask->} (%{fld1})", processor_chain([ - dup44, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg921 = msg("00527:08", part1476); - - var part1477 = match("MESSAGE#910:00527:09/0", "nwparser.payload", "MAC address %{macaddr->} has %{disposition->} %{p0}"); - - var part1478 = match("MESSAGE#910:00527:09/1_0", "nwparser.p0", "address %{hostip->} (%{p0}"); - - var part1479 = match("MESSAGE#910:00527:09/1_1", "nwparser.p0", "%{hostip->} (%{p0}"); - - var select347 = linear_select([ - part1478, - part1479, - ]); - - var all322 = all_match({ - processors: [ - part1477, - select347, - dup41, - ], - on_success: processor_chain([ - dup272, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg922 = msg("00527:09", all322); - - var part1480 = match("MESSAGE#911:00527:10", "nwparser.payload", "One or more IP addresses are expired. 
(%{fld1})", processor_chain([ - dup44, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg923 = msg("00527:10", part1480); - - var select348 = linear_select([ - msg913, - msg914, - msg915, - msg916, - msg917, - msg918, - msg919, - msg920, - msg921, - msg922, - msg923, - ]); - - var part1481 = match("MESSAGE#912:00528", "nwparser.payload", "SCS: User '%{username}' authenticated using password :", processor_chain([ - setc("eventcategory","1302010000"), - dup29, - dup31, - dup32, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg924 = msg("00528", part1481); - - var part1482 = match("MESSAGE#913:00528:01", "nwparser.payload", "SCS: Connection terminated for user %{username->} from", processor_chain([ - dup203, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg925 = msg("00528:01", part1482); - - var part1483 = match("MESSAGE#914:00528:02", "nwparser.payload", "SCS: Disabled for all root/vsys on device. Client host attempting connection to interface '%{interface}' with address %{hostip->} from %{saddr}", processor_chain([ - dup203, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg926 = msg("00528:02", part1483); - - var part1484 = match("MESSAGE#915:00528:03", "nwparser.payload", "SSH: NetScreen device %{disposition->} to identify itself to the SSH client at %{hostip}", processor_chain([ - dup203, - dup2, - dup4, - dup5, - dup3, - ])); - - var msg927 = msg("00528:03", part1484); - - var part1485 = match("MESSAGE#916:00528:04", "nwparser.payload", "SSH: Incompatible SSH version string has been received from SSH client at %{hostip}", processor_chain([ - dup203, - dup2, - dup4, - dup5, - dup3, - ])); - - var msg928 = msg("00528:04", part1485); - - var part1486 = match("MESSAGE#917:00528:05", "nwparser.payload", "SSH: %{disposition->} to send identification string to client host at %{hostip}", processor_chain([ - dup203, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg929 = msg("00528:05", part1486); - - var part1487 = match("MESSAGE#918:00528:06", 
"nwparser.payload", "SSH: Client at %{saddr->} attempted to connect with invalid version string.", processor_chain([ - dup313, - dup2, - dup3, - dup4, - dup5, - setc("result","invalid version string"), - ])); - - var msg930 = msg("00528:06", part1487); - - var part1488 = match("MESSAGE#919:00528:07/0", "nwparser.payload", "SSH: %{disposition->} to negotiate %{p0}"); - - var part1489 = match("MESSAGE#919:00528:07/1_1", "nwparser.p0", "MAC %{p0}"); - - var part1490 = match("MESSAGE#919:00528:07/1_2", "nwparser.p0", "key exchange %{p0}"); - - var part1491 = match("MESSAGE#919:00528:07/1_3", "nwparser.p0", "host key %{p0}"); - - var select349 = linear_select([ - dup88, - part1489, - part1490, - part1491, - ]); - - var part1492 = match("MESSAGE#919:00528:07/2", "nwparser.p0", "algorithm with host %{hostip}"); - - var all323 = all_match({ - processors: [ - part1488, - select349, - part1492, - ], - on_success: processor_chain([ - dup314, - dup2, - dup4, - dup5, - dup3, - ]), - }); - - var msg931 = msg("00528:07", all323); - - var part1493 = match("MESSAGE#920:00528:08", "nwparser.payload", "SSH: Unsupported cipher type %{fld2->} requested from %{saddr}", processor_chain([ - dup314, - dup2, - dup4, - dup5, - dup3, - ])); - - var msg932 = msg("00528:08", part1493); - - var part1494 = match("MESSAGE#921:00528:09", "nwparser.payload", "SSH: Host client has requested NO cipher from %{saddr}", processor_chain([ - dup314, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg933 = msg("00528:09", part1494); - - var part1495 = match("MESSAGE#922:00528:10", "nwparser.payload", "SSH: Disabled for '%{vsys}'. 
Attempted connection %{disposition->} from %{saddr}:%{sport}", processor_chain([ - dup281, - dup2, - dup4, - dup5, - dup3, - ])); - - var msg934 = msg("00528:10", part1495); - - var part1496 = match("MESSAGE#923:00528:11", "nwparser.payload", "SSH: Disabled for %{fld2->} Attempted connection %{disposition->} from %{saddr}:%{sport}", processor_chain([ - dup281, - dup2, - dup4, - dup5, - dup3, - ])); - - var msg935 = msg("00528:11", part1496); - - var part1497 = match("MESSAGE#924:00528:12", "nwparser.payload", "SSH: SSH user %{username->} at %{saddr->} tried unsuccessfully to log in to %{vsys->} using the shared untrusted interface. SSH disabled on that interface.", processor_chain([ - dup281, - dup2, - dup4, - dup5, - dup3, - setc("disposition","disabled"), - ])); - - var msg936 = msg("00528:12", part1497); - - var part1498 = match("MESSAGE#925:00528:13/0", "nwparser.payload", "SSH: SSH client at %{saddr->} tried unsuccessfully to %{p0}"); - - var part1499 = match("MESSAGE#925:00528:13/1_0", "nwparser.p0", "make %{p0}"); - - var part1500 = match("MESSAGE#925:00528:13/1_1", "nwparser.p0", "establish %{p0}"); - - var select350 = linear_select([ - part1499, - part1500, - ]); - - var part1501 = match("MESSAGE#925:00528:13/2", "nwparser.p0", "an SSH connection to %{p0}"); - - var part1502 = match("MESSAGE#925:00528:13/4", "nwparser.p0", "%{} %{interface->} with IP %{hostip->} SSH %{p0}"); - - var part1503 = match("MESSAGE#925:00528:13/5_0", "nwparser.p0", "not enabled %{p0}"); - - var select351 = linear_select([ - part1503, - dup157, - ]); - - var part1504 = match("MESSAGE#925:00528:13/6", "nwparser.p0", "on that interface.%{}"); - - var all324 = all_match({ - processors: [ - part1498, - select350, - part1501, - dup337, - part1502, - select351, - part1504, - ], - on_success: processor_chain([ - dup281, - dup2, - dup4, - dup5, - dup3, - ]), - }); - - var msg937 = msg("00528:13", all324); - - var part1505 = match("MESSAGE#926:00528:14", "nwparser.payload", "SSH: SSH 
client %{saddr->} unsuccessfully attempted to make an SSH connection to %{vsys->} SSH was not completely initialized for that system.", processor_chain([ - dup281, - dup2, - dup4, - dup5, - dup3, - ])); - - var msg938 = msg("00528:14", part1505); - - var part1506 = match("MESSAGE#927:00528:15/0", "nwparser.payload", "SSH: Admin user %{p0}"); - - var part1507 = match("MESSAGE#927:00528:15/1_1", "nwparser.p0", "%{administrator->} %{p0}"); - - var select352 = linear_select([ - dup315, - part1507, - ]); - - var part1508 = match("MESSAGE#927:00528:15/2", "nwparser.p0", "at host %{saddr->} requested unsupported %{p0}"); - - var part1509 = match("MESSAGE#927:00528:15/3_0", "nwparser.p0", "PKA algorithm %{p0}"); - - var part1510 = match("MESSAGE#927:00528:15/3_1", "nwparser.p0", "authentication method %{p0}"); - - var select353 = linear_select([ - part1509, - part1510, - ]); - - var all325 = all_match({ - processors: [ - part1506, - select352, - part1508, - select353, - dup108, - ], - on_success: processor_chain([ - dup281, - dup2, - dup4, - dup5, - dup3, - ]), - }); - - var msg939 = msg("00528:15", all325); - - var part1511 = match("MESSAGE#928:00528:16", "nwparser.payload", "SCP: Admin '%{administrator}' at host %{saddr->} executed invalid scp command: '%{fld2}'", processor_chain([ - dup281, - dup2, - dup4, - dup5, - dup3, - ])); - - var msg940 = msg("00528:16", part1511); - - var part1512 = match("MESSAGE#929:00528:17", "nwparser.payload", "SCP: Disabled for '%{username}'. 
Attempted file transfer failed from host %{saddr}", processor_chain([ - dup281, - dup2, - dup4, - dup5, - dup3, - ])); - - var msg941 = msg("00528:17", part1512); - - var part1513 = match("MESSAGE#930:00528:18/2", "nwparser.p0", "authentication successful for admin user %{p0}"); - - var all326 = all_match({ - processors: [ - dup316, - dup402, - part1513, - dup403, - dup320, - ], - on_success: processor_chain([ - dup281, - dup2, - dup4, - dup5, - dup3, - setc("disposition","successful"), - setc("event_description","authentication successful for admin user"), - ]), - }); - - var msg942 = msg("00528:18", all326); - - var part1514 = match("MESSAGE#931:00528:26/2", "nwparser.p0", "authentication failed for admin user %{p0}"); - - var all327 = all_match({ - processors: [ - dup316, - dup402, - part1514, - dup403, - dup320, - ], - on_success: processor_chain([ - dup206, - dup29, - dup31, - dup54, - dup2, - dup4, - dup5, - dup302, - dup3, - setc("event_description","authentication failed for admin user"), - ]), - }); - - var msg943 = msg("00528:26", all327); - - var part1515 = match("MESSAGE#932:00528:19/2", "nwparser.p0", ": SSH user %{username->} has been %{disposition->} using password from %{saddr}:%{sport}"); - - var all328 = all_match({ - processors: [ - dup321, - dup404, - part1515, - ], - on_success: processor_chain([ - dup281, - dup2, - dup4, - dup5, - dup3, - ]), - }); - - var msg944 = msg("00528:19", all328); - - var part1516 = match("MESSAGE#933:00528:20/2", "nwparser.p0", ": Connection has been %{disposition->} for admin user %{administrator->} at %{saddr}:%{sport}"); - - var all329 = all_match({ - processors: [ - dup321, - dup404, - part1516, - ], - on_success: processor_chain([ - dup281, - dup2, - dup4, - dup5, - dup3, - ]), - }); - - var msg945 = msg("00528:20", all329); - - var part1517 = match("MESSAGE#934:00528:21", "nwparser.payload", "SCS: SSH user %{username->} at %{saddr}:%{sport->} has requested PKA RSA authentication, which is not supported for that 
client.", processor_chain([ - dup281, - dup2, - dup4, - dup5, - dup3, - ])); - - var msg946 = msg("00528:21", part1517); - - var part1518 = match("MESSAGE#935:00528:22/0", "nwparser.payload", "SCS: SSH client at %{saddr->} has attempted to make an SCS connection to %{p0}"); - - var part1519 = match("MESSAGE#935:00528:22/2", "nwparser.p0", "%{} %{interface->} with IP %{hostip->} but %{disposition->} because SCS is not enabled for that interface."); - - var all330 = all_match({ - processors: [ - part1518, - dup337, - part1519, - ], - on_success: processor_chain([ - dup281, - dup2, - dup4, - dup5, - dup3, - setc("result","SCS is not enabled for that interface"), - ]), - }); - - var msg947 = msg("00528:22", all330); - - var part1520 = match("MESSAGE#936:00528:23", "nwparser.payload", "SCS: SSH client at %{saddr}:%{sport->} has %{disposition->} to make an SCS connection to vsys %{vsys->} because SCS cannot generate the host and server keys before timing out.", processor_chain([ - dup281, - dup2, - dup4, - dup5, - dup3, - setc("result","SCS cannot generate the host and server keys before timing out"), - ])); - - var msg948 = msg("00528:23", part1520); - - var part1521 = match("MESSAGE#937:00528:24", "nwparser.payload", "SSH: %{change_attribute->} has been changed from %{change_old->} to %{change_new}", processor_chain([ - dup281, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg949 = msg("00528:24", part1521); - - var part1522 = match("MESSAGE#938:00528:25/0", "nwparser.payload", "SSH: Admin %{p0}"); - - var part1523 = match("MESSAGE#938:00528:25/2", "nwparser.p0", "at host %{saddr->} attempted to be authenticated with no authentication methods enabled."); - - var all331 = all_match({ - processors: [ - part1522, - dup403, - part1523, - ], - on_success: processor_chain([ - dup281, - dup2, - dup4, - dup5, - dup3, - ]), - }); - - var msg950 = msg("00528:25", all331); - - var select354 = linear_select([ - msg924, - msg925, - msg926, - msg927, - msg928, - msg929, - msg930, - 
msg931, - msg932, - msg933, - msg934, - msg935, - msg936, - msg937, - msg938, - msg939, - msg940, - msg941, - msg942, - msg943, - msg944, - msg945, - msg946, - msg947, - msg948, - msg949, - msg950, - ]); - - var part1524 = match("MESSAGE#939:00529/1_0", "nwparser.p0", "manually %{p0}"); - - var part1525 = match("MESSAGE#939:00529/1_1", "nwparser.p0", "automatically %{p0}"); - - var select355 = linear_select([ - part1524, - part1525, - ]); - - var part1526 = match("MESSAGE#939:00529/2", "nwparser.p0", "refreshed%{}"); - - var all332 = all_match({ - processors: [ - dup63, - select355, - part1526, - ], - on_success: processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg951 = msg("00529", all332); - - var part1527 = match("MESSAGE#940:00529:01/0", "nwparser.payload", "DNS entries have been refreshed by %{p0}"); - - var part1528 = match("MESSAGE#940:00529:01/1_0", "nwparser.p0", "state change%{}"); - - var part1529 = match("MESSAGE#940:00529:01/1_1", "nwparser.p0", "HA%{}"); - - var select356 = linear_select([ - part1528, - part1529, - ]); - - var all333 = all_match({ - processors: [ - part1527, - select356, - ], - on_success: processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg952 = msg("00529:01", all333); - - var select357 = linear_select([ - msg951, - msg952, - ]); - - var part1530 = match("MESSAGE#941:00530", "nwparser.payload", "An IP conflict has been detected and the DHCP client has declined address %{hostip}", processor_chain([ - dup272, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg953 = msg("00530", part1530); - - var part1531 = match("MESSAGE#942:00530:01/0", "nwparser.payload", "DHCP client IP %{hostip->} for the %{p0}"); - - var part1532 = match("MESSAGE#942:00530:01/2", "nwparser.p0", "%{} %{interface->} has been manually released"); - - var all334 = all_match({ - processors: [ - part1531, - dup337, - part1532, - ], - on_success: processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ]), 
- }); - - var msg954 = msg("00530:01", all334); - - var part1533 = match("MESSAGE#943:00530:02", "nwparser.payload", "DHCP client is unable to get an IP address for the %{interface->} interface", processor_chain([ - dup18, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg955 = msg("00530:02", part1533); - - var part1534 = match("MESSAGE#944:00530:03", "nwparser.payload", "DHCP client lease for %{hostip->} has expired", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg956 = msg("00530:03", part1534); - - var part1535 = match("MESSAGE#945:00530:04", "nwparser.payload", "DHCP server %{hostip->} has assigned the untrust Interface %{interface->} with lease %{fld2}.", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg957 = msg("00530:04", part1535); - - var part1536 = match("MESSAGE#946:00530:05", "nwparser.payload", "DHCP server %{hostip->} has assigned the %{interface->} interface %{fld2->} with lease %{fld3}", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg958 = msg("00530:05", part1536); - - var part1537 = match("MESSAGE#947:00530:06", "nwparser.payload", "DHCP client is unable to get IP address for the untrust interface.%{}", processor_chain([ - dup18, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg959 = msg("00530:06", part1537); - - var select358 = linear_select([ - msg953, - msg954, - msg955, - msg956, - msg957, - msg958, - msg959, - ]); - - var part1538 = match("MESSAGE#948:00531/0", "nwparser.payload", "System clock configurations have been changed by admin %{p0}"); - - var all335 = all_match({ - processors: [ - part1538, - dup397, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg960 = msg("00531", all335); - - var part1539 = match("MESSAGE#949:00531:01", "nwparser.payload", "failed to get clock through NTP%{}", processor_chain([ - dup86, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg961 = msg("00531:01", 
part1539); - - var part1540 = match("MESSAGE#950:00531:02", "nwparser.payload", "The system clock has been updated through NTP.%{}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg962 = msg("00531:02", part1540); - - var part1541 = match("MESSAGE#951:00531:03/0", "nwparser.payload", "The system clock was updated from %{type->} NTP server type %{hostname->} with a%{p0}"); - - var part1542 = match("MESSAGE#951:00531:03/1_0", "nwparser.p0", " ms %{p0}"); - - var select359 = linear_select([ - part1542, - dup115, - ]); - - var part1543 = match("MESSAGE#951:00531:03/2", "nwparser.p0", "adjustment of %{fld3}. Authentication was %{fld4}. Update mode was %{p0}"); - - var part1544 = match("MESSAGE#951:00531:03/3_0", "nwparser.p0", "%{fld5}(%{fld2})"); - - var part1545 = match_copy("MESSAGE#951:00531:03/3_1", "nwparser.p0", "fld5"); - - var select360 = linear_select([ - part1544, - part1545, - ]); - - var all336 = all_match({ - processors: [ - part1541, - select359, - part1543, - select360, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - dup146, - ]), - }); - - var msg963 = msg("00531:03", all336); - - var part1546 = match("MESSAGE#952:00531:04/0", "nwparser.payload", "The NetScreen device is attempting to contact the %{p0}"); - - var part1547 = match("MESSAGE#952:00531:04/1_0", "nwparser.p0", "primary backup %{p0}"); - - var part1548 = match("MESSAGE#952:00531:04/1_1", "nwparser.p0", "secondary backup %{p0}"); - - var select361 = linear_select([ - part1547, - part1548, - dup189, - ]); - - var part1549 = match("MESSAGE#952:00531:04/2", "nwparser.p0", "NTP server %{hostname}"); - - var all337 = all_match({ - processors: [ - part1546, - select361, - part1549, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg964 = msg("00531:04", all337); - - var part1550 = match("MESSAGE#953:00531:05", "nwparser.payload", "No NTP server could be contacted. 
(%{fld1})", processor_chain([ - dup86, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg965 = msg("00531:05", part1550); - - var part1551 = match("MESSAGE#954:00531:06", "nwparser.payload", "Network Time Protocol adjustment of %{fld2->} from NTP server %{hostname->} exceeds the allowed adjustment of %{fld3}. (%{fld1})", processor_chain([ - dup86, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg966 = msg("00531:06", part1551); - - var part1552 = match("MESSAGE#955:00531:07", "nwparser.payload", "No acceptable time could be obtained from any NTP server. (%{fld1})", processor_chain([ - dup86, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg967 = msg("00531:07", part1552); - - var part1553 = match("MESSAGE#956:00531:08", "nwparser.payload", "Administrator %{administrator->} changed the %{change_attribute->} from %{change_old->} to %{change_new->} (by %{fld3->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport}) (%{fld1})", processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg968 = msg("00531:08", part1553); - - var part1554 = match("MESSAGE#957:00531:09", "nwparser.payload", "Network Time Protocol settings changed. 
(%{fld1})", processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg969 = msg("00531:09", part1554); - - var part1555 = match("MESSAGE#958:00531:10", "nwparser.payload", "NTP server is %{disposition->} on interface %{interface->} (%{fld1})", processor_chain([ - dup86, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg970 = msg("00531:10", part1555); - - var part1556 = match("MESSAGE#959:00531:11", "nwparser.payload", "The system clock will be changed from %{change_old->} to %{change_new->} received from primary NTP server %{hostip->} (%{fld1})", processor_chain([ - dup44, - dup2, - dup3, - dup9, - dup4, - dup5, - setc("event_description","system clock changed based on receive from primary NTP server"), - ])); - - var msg971 = msg("00531:11", part1556); - - var part1557 = match("MESSAGE#1223:00531:12", "nwparser.payload", "%{fld35->} NTP server %{saddr->} could not be contacted. (%{fld1})", processor_chain([ - dup44, - dup2, - dup4, - dup5, - dup9, - ])); - - var msg972 = msg("00531:12", part1557); - - var select362 = linear_select([ - msg960, - msg961, - msg962, - msg963, - msg964, - msg965, - msg966, - msg967, - msg968, - msg969, - msg970, - msg971, - msg972, - ]); - - var part1558 = match("MESSAGE#960:00533", "nwparser.payload", "VIP server %{hostip->} is now responding", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg973 = msg("00533", part1558); - - var part1559 = match("MESSAGE#961:00534", "nwparser.payload", "%{fld2->} has been cleared", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg974 = msg("00534", part1559); - - var part1560 = match("MESSAGE#962:00535", "nwparser.payload", "Cannot find the CA certificate with distinguished name %{fld2}", processor_chain([ - dup314, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg975 = msg("00535", part1560); - - var part1561 = match("MESSAGE#963:00535:01", "nwparser.payload", "Distinguished name %{dn->} in the X509 
certificate request is %{disposition}", processor_chain([ - dup314, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg976 = msg("00535:01", part1561); - - var part1562 = match("MESSAGE#964:00535:02", "nwparser.payload", "Local certificate with distinguished name %{dn->} is %{disposition}", processor_chain([ - dup314, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg977 = msg("00535:02", part1562); - - var part1563 = match("MESSAGE#965:00535:03", "nwparser.payload", "PKCS #7 data cannot be decapsulated%{}", processor_chain([ - dup314, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg978 = msg("00535:03", part1563); - - var part1564 = match("MESSAGE#966:00535:04", "nwparser.payload", "SCEP_FAILURE message has been received from the CA%{}", processor_chain([ - dup314, - dup2, - dup3, - dup4, - dup5, - setc("result","SCEP_FAILURE message"), - ])); - - var msg979 = msg("00535:04", part1564); - - var part1565 = match("MESSAGE#967:00535:05", "nwparser.payload", "PKI error message has been received: %{result}", processor_chain([ - dup314, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg980 = msg("00535:05", part1565); - - var part1566 = match("MESSAGE#968:00535:06", "nwparser.payload", "PKI: Saved CA configuration (CA cert subject name %{dn}). (%{event_time_string})", processor_chain([ - dup314, - dup2, - dup3, - dup4, - dup5, - setc("event_description","Saved CA configuration - cert subject name"), - ])); - - var msg981 = msg("00535:06", part1566); - - var select363 = linear_select([ - msg975, - msg976, - msg977, - msg978, - msg979, - msg980, - msg981, - ]); - - var part1567 = match("MESSAGE#969:00536:49/0", "nwparser.payload", "IKE %{hostip->} %{p0}"); - - var part1568 = match("MESSAGE#969:00536:49/1_0", "nwparser.p0", "Phase 2 msg ID %{sessionid}: %{disposition}. %{p0}"); - - var part1569 = match("MESSAGE#969:00536:49/1_1", "nwparser.p0", "Phase 1: %{disposition->} %{p0}"); - - var part1570 = match("MESSAGE#969:00536:49/1_2", "nwparser.p0", "phase 2:%{disposition}. 
%{p0}"); - - var part1571 = match("MESSAGE#969:00536:49/1_3", "nwparser.p0", "phase 1:%{disposition}. %{p0}"); - - var select364 = linear_select([ - part1568, - part1569, - part1570, - part1571, - ]); - - var all338 = all_match({ - processors: [ - part1567, - select364, - dup10, - ], - on_success: processor_chain([ - dup44, - dup2, - dup9, - dup3, - dup4, - dup5, - ]), - }); - - var msg982 = msg("00536:49", all338); - - var part1572 = match("MESSAGE#970:00536", "nwparser.payload", "UDP packets have been received from %{saddr}/%{sport->} at interface %{interface->} at %{daddr}/%{dport}", processor_chain([ - dup44, - dup2, - dup4, - dup5, - dup3, - dup61, - ])); - - var msg983 = msg("00536", part1572); - - var part1573 = match("MESSAGE#971:00536:01", "nwparser.payload", "Attempt to set tunnel (%{fld2}) without IP address at both end points! Check outgoing interface.", processor_chain([ - dup18, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg984 = msg("00536:01", part1573); - - var part1574 = match("MESSAGE#972:00536:02", "nwparser.payload", "Gateway %{fld2->} at %{hostip->} in %{fld4->} mode with ID: %{fld3->} has been %{disposition}.", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg985 = msg("00536:02", part1574); - - var part1575 = match("MESSAGE#973:00536:03", "nwparser.payload", "IKE gateway %{fld2->} has been %{disposition}. 
%{info}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg986 = msg("00536:03", part1575); - - var part1576 = match("MESSAGE#974:00536:04", "nwparser.payload", "VPN monitoring for VPN %{group->} has deactivated the SA with ID %{fld2}.", processor_chain([ - setc("eventcategory","1801010100"), - dup2, - dup3, - dup4, - dup5, - ])); - - var msg987 = msg("00536:04", part1576); - - var part1577 = match("MESSAGE#975:00536:05", "nwparser.payload", "VPN ID number cannot be assigned%{}", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg988 = msg("00536:05", part1577); - - var part1578 = match("MESSAGE#976:00536:06", "nwparser.payload", "Local gateway IP address has changed to %{fld2}. VPNs cannot terminate at an interface with IP %{hostip}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg989 = msg("00536:06", part1578); - - var part1579 = match("MESSAGE#977:00536:07", "nwparser.payload", "Local gateway IP address has changed from %{change_old->} to another setting", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg990 = msg("00536:07", part1579); - - var part1580 = match("MESSAGE#978:00536:08", "nwparser.payload", "IKE %{hostip}: Sent initial contact notification message", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg991 = msg("00536:08", part1580); - - var part1581 = match("MESSAGE#979:00536:09", "nwparser.payload", "IKE %{hostip}: Sent initial contact notification", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg992 = msg("00536:09", part1581); - - var part1582 = match("MESSAGE#980:00536:10", "nwparser.payload", "IKE %{hostip}: Responded to a packet with a bad SPI after rebooting", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg993 = msg("00536:10", part1582); - - var part1583 = match("MESSAGE#981:00536:11", "nwparser.payload", "IKE %{hostip}: Removed Phase 2 SAs after 
receiving a notification message", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg994 = msg("00536:11", part1583); - - var part1584 = match("MESSAGE#982:00536:12", "nwparser.payload", "IKE %{hostip}: Rejected first Phase 1 packet from an unrecognized source", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg995 = msg("00536:12", part1584); - - var part1585 = match("MESSAGE#983:00536:13", "nwparser.payload", "IKE %{hostip}: Rejected an initial Phase 1 packet from an unrecognized peer gateway", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg996 = msg("00536:13", part1585); - - var part1586 = match("MESSAGE#984:00536:14/0", "nwparser.payload", "IKE %{hostip}: Received initial contact notification and removed Phase %{p0}"); - - var part1587 = match("MESSAGE#984:00536:14/2", "nwparser.p0", "SAs%{}"); - - var all339 = all_match({ - processors: [ - part1586, - dup383, - part1587, - ], - on_success: processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg997 = msg("00536:14", all339); - - var part1588 = match("MESSAGE#985:00536:50", "nwparser.payload", "IKE %{hostip}: Received a notification message for %{disposition}. 
(%{fld1})", processor_chain([ - dup44, - dup2, - dup9, - dup3, - dup4, - dup5, - ])); - - var msg998 = msg("00536:50", part1588); - - var part1589 = match("MESSAGE#986:00536:15", "nwparser.payload", "IKE %{hostip}: Received incorrect ID payload: IP address %{fld2->} instead of IP address %{fld3}", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg999 = msg("00536:15", part1589); - - var part1590 = match("MESSAGE#987:00536:16", "nwparser.payload", "IKE %{hostip}: Phase 2 negotiation request is already in the task list", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1000 = msg("00536:16", part1590); - - var part1591 = match("MESSAGE#988:00536:17", "nwparser.payload", "IKE %{hostip}: Heartbeats have been lost %{fld2->} times", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1001 = msg("00536:17", part1591); - - var part1592 = match("MESSAGE#989:00536:18", "nwparser.payload", "IKE %{hostip}: Dropped peer packet because no policy uses the peer configuration", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1002 = msg("00536:18", part1592); - - var part1593 = match("MESSAGE#990:00536:19", "nwparser.payload", "IKE %{hostip}: Dropped packet because remote gateway OK is not used in any VPN tunnel configurations", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1003 = msg("00536:19", part1593); - - var part1594 = match("MESSAGE#991:00536:20", "nwparser.payload", "IKE %{hostip}: Added the initial contact task to the task list", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1004 = msg("00536:20", part1594); - - var part1595 = match("MESSAGE#992:00536:21", "nwparser.payload", "IKE %{hostip}: Added Phase 2 session tasks to the task list", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1005 = msg("00536:21", part1595); - - var part1596 = match("MESSAGE#993:00536:22", 
"nwparser.payload", "IKE %{hostip->} Phase 1 : %{disposition->} proposals from peer. Negotiations failed", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - setc("result","Negotiations failed"), - ])); - - var msg1006 = msg("00536:22", part1596); - - var part1597 = match("MESSAGE#994:00536:23", "nwparser.payload", "IKE %{hostip->} Phase 1 : Aborted negotiations because the time limit has elapsed", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - setc("result","The time limit has elapsed"), - setc("disposition","Aborted"), - ])); - - var msg1007 = msg("00536:23", part1597); - - var part1598 = match("MESSAGE#995:00536:24", "nwparser.payload", "IKE %{hostip->} Phase 2: Received a message but did not check a policy because id-mode is set to IP or policy-checking is disabled", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1008 = msg("00536:24", part1598); - - var part1599 = match("MESSAGE#996:00536:25", "nwparser.payload", "IKE %{hostip->} Phase 2: Received DH group %{fld2->} instead of expected group %{fld3->} for PFS", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1009 = msg("00536:25", part1599); - - var part1600 = match("MESSAGE#997:00536:26", "nwparser.payload", "IKE %{hostip->} Phase 2: No policy exists for the proxy ID received: local ID %{fld2->} remote ID %{fld3}", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1010 = msg("00536:26", part1600); - - var part1601 = match("MESSAGE#998:00536:27", "nwparser.payload", "IKE %{hostip->} Phase 1: RSA private key is needed to sign packets", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1011 = msg("00536:27", part1601); - - var part1602 = match("MESSAGE#999:00536:28", "nwparser.payload", "IKE %{hostip->} Phase 1: Aggressive mode negotiations have %{disposition}", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1012 = msg("00536:28", part1602); - - 
var part1603 = match("MESSAGE#1000:00536:29", "nwparser.payload", "IKE %{hostip->} Phase 1: Vendor ID payload indicates that the peer does not support NAT-T", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1013 = msg("00536:29", part1603); - - var part1604 = match("MESSAGE#1001:00536:30", "nwparser.payload", "IKE %{hostip->} Phase 1: Retransmission limit has been reached", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1014 = msg("00536:30", part1604); - - var part1605 = match("MESSAGE#1002:00536:31", "nwparser.payload", "IKE %{hostip->} Phase 1: Received an invalid RSA signature", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1015 = msg("00536:31", part1605); - - var part1606 = match("MESSAGE#1003:00536:32", "nwparser.payload", "IKE %{hostip->} Phase 1: Received an incorrect public key authentication method", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1016 = msg("00536:32", part1606); - - var part1607 = match("MESSAGE#1004:00536:33", "nwparser.payload", "IKE %{hostip->} Phase 1: No private key exists to sign packets", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1017 = msg("00536:33", part1607); - - var part1608 = match("MESSAGE#1005:00536:34", "nwparser.payload", "IKE %{hostip->} Phase 1: Main mode packet has arrived with ID type IP address but no user configuration was found for that ID", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1018 = msg("00536:34", part1608); - - var part1609 = match("MESSAGE#1006:00536:35", "nwparser.payload", "IKE %{hostip->} Phase 1: IKE initiator has detected NAT in front of the local device", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1019 = msg("00536:35", part1609); - - var part1610 = match("MESSAGE#1007:00536:36/0", "nwparser.payload", "IKE %{hostip->} Phase 1: Discarded a second initial packet%{p0}"); - - var 
part1611 = match("MESSAGE#1007:00536:36/2", "nwparser.p0", "%{}which arrived within %{fld2->} after the first"); - - var all340 = all_match({ - processors: [ - part1610, - dup401, - part1611, - ], - on_success: processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg1020 = msg("00536:36", all340); - - var part1612 = match("MESSAGE#1008:00536:37", "nwparser.payload", "IKE %{hostip->} Phase 1: Completed Aggressive mode negotiations with a %{fld2->} lifetime", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1021 = msg("00536:37", part1612); - - var part1613 = match("MESSAGE#1009:00536:38", "nwparser.payload", "IKE %{hostip->} Phase 1: Certificate received has a subject name that does not match the ID payload", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1022 = msg("00536:38", part1613); - - var part1614 = match("MESSAGE#1010:00536:39", "nwparser.payload", "IKE %{hostip->} Phase 1: Certificate received has a different IP address %{fld2->} than expected", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1023 = msg("00536:39", part1614); - - var part1615 = match("MESSAGE#1011:00536:40", "nwparser.payload", "IKE %{hostip->} Phase 1: Cannot use a preshared key because the peer%{quote}s gateway has a dynamic IP address and negotiations are in Main mode", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1024 = msg("00536:40", part1615); - - var part1616 = match("MESSAGE#1012:00536:47", "nwparser.payload", "IKE %{hostip->} Phase 1: Initiated negotiations in Aggressive mode", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1025 = msg("00536:47", part1616); - - var part1617 = match("MESSAGE#1013:00536:41", "nwparser.payload", "IKE %{hostip->} Phase 1: Cannot verify RSA signature", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1026 = msg("00536:41", part1617); - - var part1618 = 
match("MESSAGE#1014:00536:42", "nwparser.payload", "IKE %{hostip->} Phase 1: Initiated Main mode negotiations", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1027 = msg("00536:42", part1618); - - var part1619 = match("MESSAGE#1015:00536:43", "nwparser.payload", "IKE %{hostip->} Phase 2: Initiated negotiations", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1028 = msg("00536:43", part1619); - - var part1620 = match("MESSAGE#1016:00536:44", "nwparser.payload", "IKE %{hostip}: Changed heartbeat interval to %{fld2}", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1029 = msg("00536:44", part1620); - - var part1621 = match("MESSAGE#1017:00536:45", "nwparser.payload", "IKE %{hostip}: Heartbeats have been %{disposition->} because %{result}", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1030 = msg("00536:45", part1621); - - var part1622 = match("MESSAGE#1018:00536:48", "nwparser.payload", "Received an IKE packet on %{interface->} from %{saddr}:%{sport->} to %{daddr}:%{dport}/%{fld1}. Cookies: %{ike_cookie1}, %{ike_cookie2}. 
(%{event_time_string})", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - setc("event_description","Received an IKE packet on interface"), - ])); - - var msg1031 = msg("00536:48", part1622); - - var part1623 = match("MESSAGE#1019:00536:46", "nwparser.payload", "IKE %{hostip}: Received a bad SPI", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1032 = msg("00536:46", part1623); - - var select365 = linear_select([ - msg982, - msg983, - msg984, - msg985, - msg986, - msg987, - msg988, - msg989, - msg990, - msg991, - msg992, - msg993, - msg994, - msg995, - msg996, - msg997, - msg998, - msg999, - msg1000, - msg1001, - msg1002, - msg1003, - msg1004, - msg1005, - msg1006, - msg1007, - msg1008, - msg1009, - msg1010, - msg1011, - msg1012, - msg1013, - msg1014, - msg1015, - msg1016, - msg1017, - msg1018, - msg1019, - msg1020, - msg1021, - msg1022, - msg1023, - msg1024, - msg1025, - msg1026, - msg1027, - msg1028, - msg1029, - msg1030, - msg1031, - msg1032, - ]); - - var part1624 = match("MESSAGE#1020:00537", "nwparser.payload", "PPPoE %{disposition->} to establish a session: %{info}", processor_chain([ - dup18, - dup2, - dup4, - dup5, - dup3, - ])); - - var msg1033 = msg("00537", part1624); - - var part1625 = match("MESSAGE#1021:00537:01", "nwparser.payload", "PPPoE session shuts down: %{result}", processor_chain([ - dup18, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1034 = msg("00537:01", part1625); - - var part1626 = match("MESSAGE#1022:00537:02", "nwparser.payload", "The Point-to-Point over Ethernet (PPPoE) connection failed to establish a session: %{result}", processor_chain([ - dup18, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1035 = msg("00537:02", part1626); - - var part1627 = match("MESSAGE#1023:00537:03", "nwparser.payload", "PPPoE session has successfully established%{}", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1036 = msg("00537:03", part1627); - - var select366 = 
linear_select([ - msg1033, - msg1034, - msg1035, - msg1036, - ]); - - var part1628 = match("MESSAGE#1024:00538/0", "nwparser.payload", "NACN failed to register to Policy Manager %{fld2->} because %{p0}"); - - var select367 = linear_select([ - dup111, - dup119, - ]); - - var part1629 = match("MESSAGE#1024:00538/2", "nwparser.p0", "%{result}"); - - var all341 = all_match({ - processors: [ - part1628, - select367, - part1629, - ], - on_success: processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg1037 = msg("00538", all341); - - var part1630 = match("MESSAGE#1025:00538:01", "nwparser.payload", "NACN successfully registered to Policy Manager %{fld2}.", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1038 = msg("00538:01", part1630); - - var part1631 = match("MESSAGE#1026:00538:02", "nwparser.payload", "The NACN protocol has started for Policy Manager %{fld2->} on hostname %{hostname->} IP address %{hostip->} port %{network_port}.", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1039 = msg("00538:02", part1631); - - var part1632 = match("MESSAGE#1027:00538:03", "nwparser.payload", "Cannot connect to NSM Server at %{hostip->} (%{fld2->} connect attempt(s)) %{fld3}", processor_chain([ - dup19, - dup2, - dup4, - dup5, - dup3, - ])); - - var msg1040 = msg("00538:03", part1632); - - var part1633 = match("MESSAGE#1028:00538:04", "nwparser.payload", "Device is not known to Global PRO data collector at %{hostip}", processor_chain([ - dup27, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1041 = msg("00538:04", part1633); - - var part1634 = match("MESSAGE#1029:00538:05/0", "nwparser.payload", "Lost %{p0}"); - - var part1635 = match("MESSAGE#1029:00538:05/1_0", "nwparser.p0", "socket connection%{p0}"); - - var part1636 = match("MESSAGE#1029:00538:05/1_1", "nwparser.p0", "connection%{p0}"); - - var select368 = linear_select([ - part1635, - part1636, - ]); - - var part1637 = 
match("MESSAGE#1029:00538:05/2", "nwparser.p0", "%{}to Global PRO data collector at %{hostip}"); - - var all342 = all_match({ - processors: [ - part1634, - select368, - part1637, - ], - on_success: processor_chain([ - dup27, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg1042 = msg("00538:05", all342); - - var part1638 = match("MESSAGE#1030:00538:06/0", "nwparser.payload", "Device has connected to the Global PRO%{p0}"); - - var part1639 = match("MESSAGE#1030:00538:06/1_0", "nwparser.p0", " %{fld2->} primary data collector at %{p0}"); - - var part1640 = match("MESSAGE#1030:00538:06/1_1", "nwparser.p0", " primary data collector at %{p0}"); - - var select369 = linear_select([ - part1639, - part1640, - ]); - - var part1641 = match_copy("MESSAGE#1030:00538:06/2", "nwparser.p0", "hostip"); - - var all343 = all_match({ - processors: [ - part1638, - select369, - part1641, - ], - on_success: processor_chain([ - dup27, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg1043 = msg("00538:06", all343); - - var part1642 = match("MESSAGE#1031:00538:07/0", "nwparser.payload", "Connection to Global PRO data collector at %{hostip->} has%{p0}"); - - var part1643 = match("MESSAGE#1031:00538:07/1_0", "nwparser.p0", " been%{p0}"); - - var select370 = linear_select([ - part1643, - dup16, - ]); - - var all344 = all_match({ - processors: [ - part1642, - select370, - dup136, - ], - on_success: processor_chain([ - dup27, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg1044 = msg("00538:07", all344); - - var part1644 = match("MESSAGE#1032:00538:08", "nwparser.payload", "Cannot connect to Global PRO data collector at %{hostip}", processor_chain([ - dup27, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1045 = msg("00538:08", part1644); - - var part1645 = match("MESSAGE#1033:00538:09", "nwparser.payload", "NSM: Connected to NSM server at %{hostip->} (%{info}) (%{fld1})", processor_chain([ - dup301, - dup2, - dup3, - dup9, - dup4, - dup5, - 
setc("event_description","Connected to NSM server"), - ])); - - var msg1046 = msg("00538:09", part1645); - - var part1646 = match("MESSAGE#1034:00538:10/0", "nwparser.payload", "NSM: Connection to NSM server at %{hostip->} is down. Reason: %{resultcode}, %{result->} (%{p0}"); - - var part1647 = match("MESSAGE#1034:00538:10/1_0", "nwparser.p0", "%{info}) (%{fld1})"); - - var select371 = linear_select([ - part1647, - dup41, - ]); - - var all345 = all_match({ - processors: [ - part1646, - select371, - ], - on_success: processor_chain([ - dup198, - dup2, - dup3, - dup9, - dup4, - dup5, - setc("event_description","Connection to NSM server is down"), - ]), - }); - - var msg1047 = msg("00538:10", all345); - - var part1648 = match("MESSAGE#1035:00538:11", "nwparser.payload", "NSM: Cannot connect to NSM server at %{hostip}. Reason: %{resultcode}, %{result->} (%{info}) (%{fld2->} connect attempt(s)) (%{fld1})", processor_chain([ - dup198, - dup2, - dup3, - dup9, - dup4, - dup5, - dup323, - ])); - - var msg1048 = msg("00538:11", part1648); - - var part1649 = match("MESSAGE#1036:00538:12", "nwparser.payload", "NSM: Cannot connect to NSM server at %{hostip}. 
Reason: %{resultcode}, %{result->} (%{info}) (%{fld1})", processor_chain([ - dup198, - dup2, - dup3, - dup9, - dup4, - dup5, - dup323, - ])); - - var msg1049 = msg("00538:12", part1649); - - var part1650 = match("MESSAGE#1037:00538:13", "nwparser.payload", "NSM: Sent 2B message (%{fld1})", processor_chain([ - dup44, - dup2, - dup3, - dup9, - dup4, - dup5, - setc("event_description","Sent 2B message"), - ])); - - var msg1050 = msg("00538:13", part1650); - - var select372 = linear_select([ - msg1037, - msg1038, - msg1039, - msg1040, - msg1041, - msg1042, - msg1043, - msg1044, - msg1045, - msg1046, - msg1047, - msg1048, - msg1049, - msg1050, - ]); - - var part1651 = match("MESSAGE#1038:00539", "nwparser.payload", "No IP address in L2TP IP pool for user %{username}", processor_chain([ - dup117, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1051 = msg("00539", part1651); - - var part1652 = match("MESSAGE#1039:00539:01", "nwparser.payload", "No L2TP IP pool for user %{username}", processor_chain([ - dup117, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1052 = msg("00539:01", part1652); - - var part1653 = match("MESSAGE#1040:00539:02", "nwparser.payload", "Cannot allocate IP addr from Pool %{group_object->} for user %{username}", processor_chain([ - dup117, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1053 = msg("00539:02", part1653); - - var part1654 = match("MESSAGE#1041:00539:03", "nwparser.payload", "Dialup HDLC PPP failed to establish a session: %{fld2}.", processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1054 = msg("00539:03", part1654); - - var part1655 = match("MESSAGE#1042:00539:04", "nwparser.payload", "Dialup HDLC PPP session has successfully established.%{}", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1055 = msg("00539:04", part1655); - - var part1656 = match("MESSAGE#1043:00539:05", "nwparser.payload", "No IP Pool has been assigned. 
You cannot allocate an IP address%{}", processor_chain([ - dup18, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1056 = msg("00539:05", part1656); - - var part1657 = match("MESSAGE#1044:00539:06", "nwparser.payload", "PPP settings changed.%{}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1057 = msg("00539:06", part1657); - - var select373 = linear_select([ - msg1051, - msg1052, - msg1053, - msg1054, - msg1055, - msg1056, - msg1057, - ]); - - var part1658 = match("MESSAGE#1045:00541", "nwparser.payload", "ScreenOS %{fld2->} serial # %{serial_number}: Asset recovery has been %{disposition}", processor_chain([ - dup324, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1058 = msg("00541", part1658); - - var part1659 = match("MESSAGE#1216:00541:01", "nwparser.payload", "Neighbor router ID - %{fld2->} IP address - %{hostip->} changed its state to %{change_new}. (%{fld1})", processor_chain([ - dup273, - dup9, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1059 = msg("00541:01", part1659); - - var part1660 = match("MESSAGE#1218:00541:02", "nwparser.payload", "The system killed OSPF neighbor because the current router could not see itself in the hello packet. Neighbor changed state from %{change_old->} to %{change_new->} state, (neighbor router-id 1%{fld2}, ip-address %{hostip}). (%{fld1})", processor_chain([ - dup273, - dup9, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1060 = msg("00541:02", part1660); - - var part1661 = match("MESSAGE#1219:00541:03/0", "nwparser.payload", "LSA in following area aged out: LSA area ID %{fld3}, LSA ID %{fld4}, router ID %{fld2}, type %{fld7->} in OSPF. 
(%{fld1})%{p0}"); - - var part1662 = match("MESSAGE#1219:00541:03/1_0", "nwparser.p0", "\u003c\u003c%{fld16}>"); - - var select374 = linear_select([ - part1662, - dup21, - ]); - - var all346 = all_match({ - processors: [ - part1661, - select374, - ], - on_success: processor_chain([ - dup44, - dup9, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg1061 = msg("00541:03", all346); - - var select375 = linear_select([ - msg1058, - msg1059, - msg1060, - msg1061, - ]); - - var part1663 = match("MESSAGE#1046:00542", "nwparser.payload", "BGP of vr: %{node}, prefix adding: %{fld2}, ribin overflow %{fld3->} times (max rib-in %{fld4})", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1062 = msg("00542", part1663); - - var part1664 = match("MESSAGE#1047:00543/0", "nwparser.payload", "Access for %{p0}"); - - var part1665 = match("MESSAGE#1047:00543/1_0", "nwparser.p0", "WebAuth firewall %{p0}"); - - var part1666 = match("MESSAGE#1047:00543/1_1", "nwparser.p0", "firewall %{p0}"); - - var select376 = linear_select([ - part1665, - part1666, - ]); - - var part1667 = match("MESSAGE#1047:00543/2", "nwparser.p0", "user %{username->} %{space}at %{hostip->} (accepted at %{fld2->} for duration %{duration->} via the %{logon_type}) %{p0}"); - - var part1668 = match("MESSAGE#1047:00543/3_0", "nwparser.p0", "by policy id %{policy_id->} is %{p0}"); - - var select377 = linear_select([ - part1668, - dup106, - ]); - - var part1669 = match("MESSAGE#1047:00543/4", "nwparser.p0", "now over (%{fld1})"); - - var all347 = all_match({ - processors: [ - part1664, - select376, - part1667, - select377, - part1669, - ], - on_success: processor_chain([ - dup281, - dup2, - dup4, - dup5, - dup9, - dup3, - ]), - }); - - var msg1063 = msg("00543", all347); - - var part1670 = match("MESSAGE#1048:00544", "nwparser.payload", "User %{username->} [ of group %{group->} ] at %{hostip->} has been challenged by the RADIUS server at %{daddr}", processor_chain([ - dup281, - dup2, - dup4, - 
dup5, - dup3, - dup60, - setc("action","RADIUS server challenge"), - ])); - - var msg1064 = msg("00544", part1670); - - var part1671 = match("MESSAGE#1049:00546", "nwparser.payload", "delete-route-> trust-vr: %{fld2}", processor_chain([ - dup281, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1065 = msg("00546", part1671); - - var part1672 = match("MESSAGE#1050:00547", "nwparser.payload", "AV: Content from %{saddr}:%{sport}->%{daddr}:%{dport->} was not scanned because max content size was exceeded.", processor_chain([ - dup44, - dup2, - dup4, - dup5, - dup3, - dup61, - ])); - - var msg1066 = msg("00547", part1672); - - var part1673 = match("MESSAGE#1051:00547:01", "nwparser.payload", "AV: Content from %{saddr}:%{sport}->%{daddr}:%{dport->} was not scanned due to a scan engine error or constraint.", processor_chain([ - dup44, - dup2, - dup4, - dup5, - dup3, - dup61, - ])); - - var msg1067 = msg("00547:01", part1673); - - var part1674 = match("MESSAGE#1052:00547:02", "nwparser.payload", "AV object scan-mgr data has been %{disposition}.", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1068 = msg("00547:02", part1674); - - var part1675 = match("MESSAGE#1053:00547:03/0", "nwparser.payload", "AV: Content from %{location_desc}, http url: %{url}, is passed %{p0}"); - - var part1676 = match("MESSAGE#1053:00547:03/1_0", "nwparser.p0", "due to %{p0}"); - - var part1677 = match("MESSAGE#1053:00547:03/1_1", "nwparser.p0", "because %{p0}"); - - var select378 = linear_select([ - part1676, - part1677, - ]); - - var part1678 = match("MESSAGE#1053:00547:03/2", "nwparser.p0", "%{result}. 
(%{event_time_string})"); - - var all348 = all_match({ - processors: [ - part1675, - select378, - part1678, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - setc("event_description","Content is bypassed for connection"), - ]), - }); - - var msg1069 = msg("00547:03", all348); - - var select379 = linear_select([ - msg1066, - msg1067, - msg1068, - msg1069, - ]); - - var part1679 = match("MESSAGE#1054:00549", "nwparser.payload", "add-route-> untrust-vr: %{fld2}", processor_chain([ - dup281, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1070 = msg("00549", part1679); - - var part1680 = match("MESSAGE#1055:00551", "nwparser.payload", "Error %{resultcode->} occurred during configlet file processing.", processor_chain([ - dup18, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1071 = msg("00551", part1680); - - var part1681 = match("MESSAGE#1056:00551:01", "nwparser.payload", "Error %{resultcode->} occurred, causing failure to establish secure management with Management System.", processor_chain([ - dup86, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1072 = msg("00551:01", part1681); - - var part1682 = match("MESSAGE#1057:00551:02/0", "nwparser.payload", "Configlet file %{p0}"); - - var part1683 = match("MESSAGE#1057:00551:02/1_0", "nwparser.p0", "decryption %{p0}"); - - var select380 = linear_select([ - part1683, - dup89, - ]); - - var all349 = all_match({ - processors: [ - part1682, - select380, - dup128, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg1073 = msg("00551:02", all349); - - var part1684 = match("MESSAGE#1058:00551:03", "nwparser.payload", "Rapid Deployment cannot start because gateway has undergone configuration changes. 
(%{fld1})", processor_chain([ - dup18, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg1074 = msg("00551:03", part1684); - - var part1685 = match("MESSAGE#1059:00551:04", "nwparser.payload", "Secure management established successfully with remote server. (%{fld1})", processor_chain([ - dup44, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg1075 = msg("00551:04", part1685); - - var select381 = linear_select([ - msg1071, - msg1072, - msg1073, - msg1074, - msg1075, - ]); - - var part1686 = match("MESSAGE#1060:00553/0", "nwparser.payload", "SCAN-MGR: Failed to get %{p0}"); - - var part1687 = match("MESSAGE#1060:00553/1_0", "nwparser.p0", "AltServer %{p0}"); - - var part1688 = match("MESSAGE#1060:00553/1_1", "nwparser.p0", "Version %{p0}"); - - var part1689 = match("MESSAGE#1060:00553/1_2", "nwparser.p0", "Path_GateLockCE %{p0}"); - - var select382 = linear_select([ - part1687, - part1688, - part1689, - ]); - - var all350 = all_match({ - processors: [ - part1686, - select382, - dup325, - ], - on_success: processor_chain([ - dup18, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg1076 = msg("00553", all350); - - var part1690 = match("MESSAGE#1061:00553:01", "nwparser.payload", "SCAN-MGR: Zero pattern size from server.ini.%{}", processor_chain([ - dup18, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1077 = msg("00553:01", part1690); - - var part1691 = match("MESSAGE#1062:00553:02", "nwparser.payload", "SCAN-MGR: Pattern size from server.ini is too large: %{bytes->} (bytes).", processor_chain([ - dup18, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1078 = msg("00553:02", part1691); - - var part1692 = match("MESSAGE#1063:00553:03", "nwparser.payload", "SCAN-MGR: Pattern URL from server.ini is too long: %{fld2}; max is %{fld3}.", processor_chain([ - dup18, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1079 = msg("00553:03", part1692); - - var part1693 = match("MESSAGE#1064:00553:04/0", "nwparser.payload", "SCAN-MGR: Failed to retrieve 
%{p0}"); - - var select383 = linear_select([ - dup326, - dup327, - ]); - - var part1694 = match("MESSAGE#1064:00553:04/2", "nwparser.p0", "file: %{fld2}; http status code: %{resultcode}."); - - var all351 = all_match({ - processors: [ - part1693, - select383, - part1694, - ], - on_success: processor_chain([ - dup18, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg1080 = msg("00553:04", all351); - - var part1695 = match("MESSAGE#1065:00553:05", "nwparser.payload", "SCAN-MGR: Failed to write pattern into a RAM file.%{}", processor_chain([ - dup18, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1081 = msg("00553:05", part1695); - - var part1696 = match("MESSAGE#1066:00553:06", "nwparser.payload", "SCAN-MGR: Check Pattern File failed: code from VSAPI: %{resultcode}", processor_chain([ - dup18, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1082 = msg("00553:06", part1696); - - var part1697 = match("MESSAGE#1067:00553:07", "nwparser.payload", "SCAN-MGR: Failed to write pattern into flash.%{}", processor_chain([ - dup18, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1083 = msg("00553:07", part1697); - - var part1698 = match("MESSAGE#1068:00553:08/0", "nwparser.payload", "SCAN-MGR: Internal error while setting up for retrieving %{p0}"); - - var select384 = linear_select([ - dup327, - dup326, - ]); - - var all352 = all_match({ - processors: [ - part1698, - select384, - dup328, - ], - on_success: processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg1084 = msg("00553:08", all352); - - var part1699 = match("MESSAGE#1069:00553:09", "nwparser.payload", "SCAN-MGR: %{fld2->} %{disposition}: Err: %{resultcode}.", processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1085 = msg("00553:09", part1699); - - var part1700 = match("MESSAGE#1070:00553:10", "nwparser.payload", "SCAN-MGR: TMIntCPVSInit %{disposition->} due to %{result}", processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1086 = 
msg("00553:10", part1700); - - var part1701 = match("MESSAGE#1071:00553:11", "nwparser.payload", "SCAN-MGR: Attempted Pattern Creation Date(%{fld2}) is after AV Key Expiration date(%{fld3}).", processor_chain([ - dup18, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1087 = msg("00553:11", part1701); - - var part1702 = match("MESSAGE#1072:00553:12", "nwparser.payload", "SCAN-MGR: TMIntSetDecompressLayer %{disposition}: Layer: %{fld2}, Err: %{resultcode}.", processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1088 = msg("00553:12", part1702); - - var part1703 = match("MESSAGE#1073:00553:13", "nwparser.payload", "SCAN-MGR: TMIntSetExtractFileSizeLimit %{disposition}: Limit: %{fld2}, Err: %{resultcode}.", processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1089 = msg("00553:13", part1703); - - var part1704 = match("MESSAGE#1074:00553:14", "nwparser.payload", "SCAN-MGR: TMIntScanFile %{disposition}: ret: %{fld2}; cpapiErrCode: %{resultcode}.", processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1090 = msg("00553:14", part1704); - - var part1705 = match("MESSAGE#1075:00553:15", "nwparser.payload", "SCAN-MGR: VSAPI resource usage error. 
Left usage: %{fld2}.", processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1091 = msg("00553:15", part1705); - - var part1706 = match("MESSAGE#1076:00553:16", "nwparser.payload", "SCAN-MGR: Set decompress layer to %{fld2}.", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1092 = msg("00553:16", part1706); - - var part1707 = match("MESSAGE#1077:00553:17", "nwparser.payload", "SCAN-MGR: Set maximum content size to %{fld2}.", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1093 = msg("00553:17", part1707); - - var part1708 = match("MESSAGE#1078:00553:18", "nwparser.payload", "SCAN-MGR: Set maximum number of concurrent messages to %{fld2}.", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1094 = msg("00553:18", part1708); - - var part1709 = match("MESSAGE#1079:00553:19", "nwparser.payload", "SCAN-MGR: Set drop if maximum number of concurrent messages exceeds max to %{fld2}.", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1095 = msg("00553:19", part1709); - - var part1710 = match("MESSAGE#1080:00553:20", "nwparser.payload", "SCAN-MGR: Set Pattern URL to %{fld2}; update interval is %{fld3}.", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1096 = msg("00553:20", part1710); - - var part1711 = match("MESSAGE#1081:00553:21", "nwparser.payload", "SCAN-MGR: Unset Pattern URL; Pattern will not be updated automatically.%{}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1097 = msg("00553:21", part1711); - - var part1712 = match("MESSAGE#1082:00553:22", "nwparser.payload", "SCAN-MGR: New pattern updated: version: %{version}, size: %{bytes->} (bytes).", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1098 = msg("00553:22", part1712); - - var select385 = linear_select([ - msg1076, - msg1077, - msg1078, - msg1079, - msg1080, - msg1081, - msg1082, - msg1083, - 
msg1084, - msg1085, - msg1086, - msg1087, - msg1088, - msg1089, - msg1090, - msg1091, - msg1092, - msg1093, - msg1094, - msg1095, - msg1096, - msg1097, - msg1098, - ]); - - var part1713 = match("MESSAGE#1083:00554/0", "nwparser.payload", "SCAN-MGR: Cannot get %{p0}"); - - var part1714 = match("MESSAGE#1083:00554/1_0", "nwparser.p0", "AltServer info %{p0}"); - - var part1715 = match("MESSAGE#1083:00554/1_1", "nwparser.p0", "Version number %{p0}"); - - var part1716 = match("MESSAGE#1083:00554/1_2", "nwparser.p0", "Path_GateLockCE info %{p0}"); - - var select386 = linear_select([ - part1714, - part1715, - part1716, - ]); - - var all353 = all_match({ - processors: [ - part1713, - select386, - dup325, - ], - on_success: processor_chain([ - dup144, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg1099 = msg("00554", all353); - - var part1717 = match("MESSAGE#1084:00554:01", "nwparser.payload", "SCAN-MGR: Per server.ini file, the AV pattern file size is zero.%{}", processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1100 = msg("00554:01", part1717); - - var part1718 = match("MESSAGE#1085:00554:02", "nwparser.payload", "SCAN-MGR: AV pattern file size is too large (%{bytes->} bytes).", processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1101 = msg("00554:02", part1718); - - var part1719 = match("MESSAGE#1086:00554:03", "nwparser.payload", "SCAN-MGR: Alternate AV pattern file server URL is too long: %{bytes->} bytes. Max: %{fld2->} bytes.", processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1102 = msg("00554:03", part1719); - - var part1720 = match("MESSAGE#1087:00554:04/0", "nwparser.payload", "SCAN-MGR: Cannot retrieve %{p0}"); - - var part1721 = match("MESSAGE#1087:00554:04/2", "nwparser.p0", "file from %{hostip}:%{network_port}. 
HTTP status code: %{fld2}."); - - var all354 = all_match({ - processors: [ - part1720, - dup405, - part1721, - ], - on_success: processor_chain([ - dup144, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg1103 = msg("00554:04", all354); - - var part1722 = match("MESSAGE#1088:00554:05/0", "nwparser.payload", "SCAN-MGR: Cannot write AV pattern file to %{p0}"); - - var part1723 = match("MESSAGE#1088:00554:05/1_0", "nwparser.p0", "RAM %{p0}"); - - var part1724 = match("MESSAGE#1088:00554:05/1_1", "nwparser.p0", "flash %{p0}"); - - var select387 = linear_select([ - part1723, - part1724, - ]); - - var all355 = all_match({ - processors: [ - part1722, - select387, - dup116, - ], - on_success: processor_chain([ - dup144, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg1104 = msg("00554:05", all355); - - var part1725 = match("MESSAGE#1089:00554:06", "nwparser.payload", "SCAN-MGR: Cannot check AV pattern file. VSAPI code: %{fld2}", processor_chain([ - dup144, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1105 = msg("00554:06", part1725); - - var part1726 = match("MESSAGE#1090:00554:07/0", "nwparser.payload", "SCAN-MGR: Internal error occurred while retrieving %{p0}"); - - var all356 = all_match({ - processors: [ - part1726, - dup405, - dup328, - ], - on_success: processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg1106 = msg("00554:07", all356); - - var part1727 = match("MESSAGE#1091:00554:08/0", "nwparser.payload", "SCAN-MGR: Internal error occurred when calling this function: %{fld2}. 
%{fld3->} %{p0}"); - - var part1728 = match("MESSAGE#1091:00554:08/1_0", "nwparser.p0", "Error: %{resultcode->} %{p0}"); - - var part1729 = match("MESSAGE#1091:00554:08/1_1", "nwparser.p0", "Returned a NULL VSC handler %{p0}"); - - var part1730 = match("MESSAGE#1091:00554:08/1_2", "nwparser.p0", "cpapiErrCode: %{resultcode->} %{p0}"); - - var select388 = linear_select([ - part1728, - part1729, - part1730, - ]); - - var all357 = all_match({ - processors: [ - part1727, - select388, - dup116, - ], - on_success: processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg1107 = msg("00554:08", all357); - - var part1731 = match("MESSAGE#1092:00554:09", "nwparser.payload", "SCAN-MGR: Number of decompression layers has been set to %{fld2}.", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1108 = msg("00554:09", part1731); - - var part1732 = match("MESSAGE#1093:00554:10", "nwparser.payload", "SCAN-MGR: Maximum content size has been set to %{fld2->} KB.", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1109 = msg("00554:10", part1732); - - var part1733 = match("MESSAGE#1094:00554:11", "nwparser.payload", "SCAN-MGR: Maximum number of concurrent messages has been set to %{fld2}.", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1110 = msg("00554:11", part1733); - - var part1734 = match("MESSAGE#1095:00554:12/0", "nwparser.payload", "SCAN-MGR: Fail mode has been set to %{p0}"); - - var part1735 = match("MESSAGE#1095:00554:12/1_0", "nwparser.p0", "drop %{p0}"); - - var part1736 = match("MESSAGE#1095:00554:12/1_1", "nwparser.p0", "pass %{p0}"); - - var select389 = linear_select([ - part1735, - part1736, - ]); - - var part1737 = match("MESSAGE#1095:00554:12/2", "nwparser.p0", "unexamined traffic if %{p0}"); - - var part1738 = match("MESSAGE#1095:00554:12/3_0", "nwparser.p0", "content size %{p0}"); - - var part1739 = match("MESSAGE#1095:00554:12/3_1", "nwparser.p0", "number of 
concurrent messages %{p0}"); - - var select390 = linear_select([ - part1738, - part1739, - ]); - - var part1740 = match("MESSAGE#1095:00554:12/4", "nwparser.p0", "exceeds max.%{}"); - - var all358 = all_match({ - processors: [ - part1734, - select389, - part1737, - select390, - part1740, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg1111 = msg("00554:12", all358); - - var part1741 = match("MESSAGE#1096:00554:13", "nwparser.payload", "SCAN-MGR: URL for AV pattern update server has been set to %{fld2}, and the update interval to %{fld3->} minutes.", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1112 = msg("00554:13", part1741); - - var part1742 = match("MESSAGE#1097:00554:14", "nwparser.payload", "SCAN-MGR: URL for AV pattern update server has been unset, and the update interval returned to its default.%{}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1113 = msg("00554:14", part1742); - - var part1743 = match("MESSAGE#1098:00554:15", "nwparser.payload", "SCAN-MGR: New AV pattern file has been updated. Version: %{version}; size: %{bytes->} bytes.", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1114 = msg("00554:15", part1743); - - var part1744 = match("MESSAGE#1099:00554:16", "nwparser.payload", "SCAN-MGR: AV client has exceeded its resource allotment. Remaining available resources: %{fld2}.", processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1115 = msg("00554:16", part1744); - - var part1745 = match("MESSAGE#1100:00554:17", "nwparser.payload", "SCAN-MGR: Attempted to load AV pattern file created %{fld2->} after the AV subscription expired. 
(Exp: %{fld3})", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1116 = msg("00554:17", part1745); - - var select391 = linear_select([ - msg1099, - msg1100, - msg1101, - msg1102, - msg1103, - msg1104, - msg1105, - msg1106, - msg1107, - msg1108, - msg1109, - msg1110, - msg1111, - msg1112, - msg1113, - msg1114, - msg1115, - msg1116, - ]); - - var part1746 = match("MESSAGE#1101:00555", "nwparser.payload", "Vrouter %{node->} PIMSM cannot process non-multicast address %{hostip}", processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1117 = msg("00555", part1746); - - var part1747 = match("MESSAGE#1102:00556", "nwparser.payload", "UF-MGR: Failed to process a request. Reason: %{result}", processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1118 = msg("00556", part1747); - - var part1748 = match("MESSAGE#1103:00556:01", "nwparser.payload", "UF-MGR: Failed to abort a transaction. Reason: %{result}", processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1119 = msg("00556:01", part1748); - - var part1749 = match("MESSAGE#1104:00556:02/0", "nwparser.payload", "UF-MGR: UF %{p0}"); - - var part1750 = match("MESSAGE#1104:00556:02/1_0", "nwparser.p0", "K%{p0}"); - - var part1751 = match("MESSAGE#1104:00556:02/1_1", "nwparser.p0", "k%{p0}"); - - var select392 = linear_select([ - part1750, - part1751, - ]); - - var part1752 = match("MESSAGE#1104:00556:02/2", "nwparser.p0", "ey %{p0}"); - - var part1753 = match("MESSAGE#1104:00556:02/3_0", "nwparser.p0", "Expired%{p0}"); - - var part1754 = match("MESSAGE#1104:00556:02/3_1", "nwparser.p0", "expired%{p0}"); - - var select393 = linear_select([ - part1753, - part1754, - ]); - - var part1755 = match("MESSAGE#1104:00556:02/4", "nwparser.p0", "%{}(expiration date: %{fld2}; current date: %{fld3})."); - - var all359 = all_match({ - processors: [ - part1749, - select392, - part1752, - select393, - part1755, - ], - on_success: processor_chain([ - 
dup254, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg1120 = msg("00556:02", all359); - - var part1756 = match("MESSAGE#1105:00556:03/0", "nwparser.payload", "UF-MGR: Failed to %{p0}"); - - var part1757 = match("MESSAGE#1105:00556:03/1_0", "nwparser.p0", "enable %{p0}"); - - var part1758 = match("MESSAGE#1105:00556:03/1_1", "nwparser.p0", "disable %{p0}"); - - var select394 = linear_select([ - part1757, - part1758, - ]); - - var part1759 = match("MESSAGE#1105:00556:03/2", "nwparser.p0", "cache.%{}"); - - var all360 = all_match({ - processors: [ - part1756, - select394, - part1759, - ], - on_success: processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg1121 = msg("00556:03", all360); - - var part1760 = match("MESSAGE#1106:00556:04", "nwparser.payload", "UF-MGR: Internal Error: %{resultcode}", processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1122 = msg("00556:04", part1760); - - var part1761 = match("MESSAGE#1107:00556:05", "nwparser.payload", "UF-MGR: Cache size changed to %{fld2}(K).", processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1123 = msg("00556:05", part1761); - - var part1762 = match("MESSAGE#1108:00556:06", "nwparser.payload", "UF-MGR: Cache timeout changes to %{fld2->} (hours).", processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1124 = msg("00556:06", part1762); - - var part1763 = match("MESSAGE#1109:00556:07", "nwparser.payload", "UF-MGR: Category update interval changed to %{fld2->} (weeks).", processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1125 = msg("00556:07", part1763); - - var part1764 = match("MESSAGE#1110:00556:08/0", "nwparser.payload", "UF-MGR: Cache %{p0}"); - - var all361 = all_match({ - processors: [ - part1764, - dup358, - dup116, - ], - on_success: processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg1126 = msg("00556:08", all361); - - var part1765 = 
match("MESSAGE#1111:00556:09", "nwparser.payload", "UF-MGR: URL BLOCKED: ip_addr (%{fld2}) -> ip_addr (%{fld3}), %{fld4->} action: %{disposition}, category: %{fld5}, reason %{result}", processor_chain([ - dup232, - dup2, - dup3, - dup4, - dup5, - dup282, - ])); - - var msg1127 = msg("00556:09", part1765); - - var part1766 = match("MESSAGE#1112:00556:10", "nwparser.payload", "UF-MGR: URL FILTER ERR: ip_addr (%{fld2}) -> ip_addr (%{fld3}), host: %{fld5->} page: %{fld4->} code: %{resultcode->} reason: %{result}.", processor_chain([ - dup232, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1128 = msg("00556:10", part1766); - - var part1767 = match("MESSAGE#1113:00556:11", "nwparser.payload", "UF-MGR: Primary CPA server changed to %{fld2}", processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1129 = msg("00556:11", part1767); - - var part1768 = match("MESSAGE#1114:00556:12/0", "nwparser.payload", "UF-MGR: %{fld2->} CPA server %{p0}"); - - var select395 = linear_select([ - dup140, - dup169, - ]); - - var part1769 = match("MESSAGE#1114:00556:12/2", "nwparser.p0", "changed to %{fld3}."); - - var all362 = all_match({ - processors: [ - part1768, - select395, - part1769, - ], - on_success: processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg1130 = msg("00556:12", all362); - - var part1770 = match("MESSAGE#1115:00556:13", "nwparser.payload", "UF-MGR: SurfControl URL filtering %{disposition}.", processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1131 = msg("00556:13", part1770); - - var part1771 = match("MESSAGE#1116:00556:14/0", "nwparser.payload", "UF-MGR: The url %{url->} was %{p0}"); - - var part1772 = match("MESSAGE#1116:00556:14/2", "nwparser.p0", "category %{fld2}."); - - var all363 = all_match({ - processors: [ - part1771, - dup406, - part1772, - ], - on_success: processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg1132 = msg("00556:14", all363); - - var 
part1773 = match("MESSAGE#1117:00556:15/0", "nwparser.payload", "UF-MGR: The category %{fld2->} was %{p0}"); - - var part1774 = match("MESSAGE#1117:00556:15/2", "nwparser.p0", "profile %{fld3->} with action %{disposition}."); - - var all364 = all_match({ - processors: [ - part1773, - dup406, - part1774, - ], - on_success: processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - dup282, - ]), - }); - - var msg1133 = msg("00556:15", all364); - - var part1775 = match("MESSAGE#1118:00556:16/0", "nwparser.payload", "UF-MGR: The %{p0}"); - - var part1776 = match("MESSAGE#1118:00556:16/1_0", "nwparser.p0", "profile %{p0}"); - - var part1777 = match("MESSAGE#1118:00556:16/1_1", "nwparser.p0", "category %{p0}"); - - var select396 = linear_select([ - part1776, - part1777, - ]); - - var part1778 = match("MESSAGE#1118:00556:16/2", "nwparser.p0", "%{fld2->} was %{p0}"); - - var select397 = linear_select([ - dup104, - dup120, - ]); - - var all365 = all_match({ - processors: [ - part1775, - select396, - part1778, - select397, - dup116, - ], - on_success: processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg1134 = msg("00556:16", all365); - - var part1779 = match("MESSAGE#1119:00556:17/0", "nwparser.payload", "UF-MGR: The category %{fld2->} was set in profile %{profile->} as the %{p0}"); - - var part1780 = match("MESSAGE#1119:00556:17/1_0", "nwparser.p0", "black %{p0}"); - - var part1781 = match("MESSAGE#1119:00556:17/1_1", "nwparser.p0", "white %{p0}"); - - var select398 = linear_select([ - part1780, - part1781, - ]); - - var part1782 = match("MESSAGE#1119:00556:17/2", "nwparser.p0", "list.%{}"); - - var all366 = all_match({ - processors: [ - part1779, - select398, - part1782, - ], - on_success: processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg1135 = msg("00556:17", all366); - - var part1783 = match("MESSAGE#1120:00556:18/0", "nwparser.payload", "UF-MGR: The action for %{fld2->} in profile %{profile->} was %{p0}"); 
- - var part1784 = match("MESSAGE#1120:00556:18/1_1", "nwparser.p0", "changed %{p0}"); - - var select399 = linear_select([ - dup101, - part1784, - ]); - - var part1785 = match("MESSAGE#1120:00556:18/2", "nwparser.p0", "to %{fld3}."); - - var all367 = all_match({ - processors: [ - part1783, - select399, - part1785, - ], - on_success: processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg1136 = msg("00556:18", all367); - - var part1786 = match("MESSAGE#1121:00556:20/0", "nwparser.payload", "UF-MGR: The category list from the CPA server %{p0}"); - - var part1787 = match("MESSAGE#1121:00556:20/2", "nwparser.p0", "updated on%{p0}"); - - var select400 = linear_select([ - dup103, - dup96, - ]); - - var part1788 = match("MESSAGE#1121:00556:20/4", "nwparser.p0", "the device.%{}"); - - var all368 = all_match({ - processors: [ - part1786, - dup355, - part1787, - select400, - part1788, - ], - on_success: processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg1137 = msg("00556:20", all368); - - var part1789 = match("MESSAGE#1122:00556:21", "nwparser.payload", "UF-MGR: URL BLOCKED: %{saddr}(%{sport})->%{daddr}(%{dport}), %{fld2->} action: %{disposition}, category: %{category}, reason: %{result->} (%{fld1})", processor_chain([ - dup232, - dup2, - dup3, - dup9, - dup4, - dup5, - dup282, - ])); - - var msg1138 = msg("00556:21", part1789); - - var part1790 = match("MESSAGE#1123:00556:22", "nwparser.payload", "UF-MGR: URL BLOCKED: %{saddr}(%{sport})->%{daddr}(%{dport}), %{fld2->} (%{fld1})", processor_chain([ - dup232, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg1139 = msg("00556:22", part1790); - - var select401 = linear_select([ - msg1118, - msg1119, - msg1120, - msg1121, - msg1122, - msg1123, - msg1124, - msg1125, - msg1126, - msg1127, - msg1128, - msg1129, - msg1130, - msg1131, - msg1132, - msg1133, - msg1134, - msg1135, - msg1136, - msg1137, - msg1138, - msg1139, - ]); - - var part1791 = 
match("MESSAGE#1124:00572", "nwparser.payload", "PPP LCP on interface %{interface->} is %{fld2}. (%{fld1})", processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg1140 = msg("00572", part1791); - - var part1792 = match("MESSAGE#1125:00572:01", "nwparser.payload", "PPP authentication state on interface %{interface}: %{result}. (%{fld1})", processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg1141 = msg("00572:01", part1792); - - var part1793 = match("MESSAGE#1126:00572:03", "nwparser.payload", "PPP on interface %{interface->} is %{disposition->} by receiving Terminate-Request. (%{fld1})", processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg1142 = msg("00572:03", part1793); - - var select402 = linear_select([ - msg1140, - msg1141, - msg1142, - ]); - - var part1794 = match("MESSAGE#1127:00615", "nwparser.payload", "PBR policy \"%{policyname}\" rebuilding lookup tree for virtual router \"%{node}\". (%{fld1})", processor_chain([ - dup44, - dup2, - dup4, - dup5, - dup9, - ])); - - var msg1143 = msg("00615", part1794); - - var part1795 = match("MESSAGE#1128:00615:01", "nwparser.payload", "PBR policy \"%{policyname}\" lookup tree rebuilt successfully in virtual router \"%{node}\". (%{fld1})", processor_chain([ - dup44, - dup2, - dup4, - dup5, - dup9, - ])); - - var msg1144 = msg("00615:01", part1795); - - var select403 = linear_select([ - msg1143, - msg1144, - ]); - - var part1796 = match("MESSAGE#1129:00601", "nwparser.payload", "%{signame->} attack! From %{saddr}:%{sport->} to %{daddr}:%{dport}, proto %{protocol}, through policy %{policyname}. Occurred %{dclass_counter1->} times. 
(%{fld1})", processor_chain([ - dup58, - dup2, - dup59, - dup3, - dup9, - dup4, - dup5, - dup61, - ])); - - var msg1145 = msg("00601", part1796); - - var part1797 = match("MESSAGE#1130:00601:01", "nwparser.payload", "%{signame->} has been detected from %{saddr}/%{sport->} to %{daddr}/%{dport->} through policy %{policyname->} %{dclass_counter1->} times. (%{fld1})", processor_chain([ - dup58, - dup2, - dup59, - dup3, - dup9, - dup4, - dup5, - dup61, - ])); - - var msg1146 = msg("00601:01", part1797); - - var part1798 = match("MESSAGE#1131:00601:18", "nwparser.payload", "Error in initializing multicast.%{}", processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1147 = msg("00601:18", part1798); - - var select404 = linear_select([ - msg1145, - msg1146, - msg1147, - ]); - - var part1799 = match("MESSAGE#1132:00602", "nwparser.payload", "PIMSM Error in initializing interface state change%{}", processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1148 = msg("00602", part1799); - - var part1800 = match("MESSAGE#1133:00612/0", "nwparser.payload", "Switch event: the status of ethernet port %{fld2->} changed to link %{p0}"); - - var part1801 = match("MESSAGE#1133:00612/2", "nwparser.p0", ", duplex %{p0}"); - - var part1802 = match("MESSAGE#1133:00612/3_0", "nwparser.p0", "full %{p0}"); - - var part1803 = match("MESSAGE#1133:00612/3_1", "nwparser.p0", "half %{p0}"); - - var select405 = linear_select([ - part1802, - part1803, - ]); - - var part1804 = match("MESSAGE#1133:00612/4", "nwparser.p0", ", speed 10%{p0}"); - - var part1805 = match("MESSAGE#1133:00612/5_0", "nwparser.p0", "0 %{p0}"); - - var select406 = linear_select([ - part1805, - dup96, - ]); - - var part1806 = match("MESSAGE#1133:00612/6", "nwparser.p0", "M. 
(%{fld1})"); - - var all369 = all_match({ - processors: [ - part1800, - dup353, - part1801, - select405, - part1804, - select406, - part1806, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg1149 = msg("00612", all369); - - var part1807 = match("MESSAGE#1134:00620", "nwparser.payload", "RTSYNC: Event posted to send all the DRP routes to backup device. (%{fld1})", processor_chain([ - dup272, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg1150 = msg("00620", part1807); - - var part1808 = match("MESSAGE#1135:00620:01/0", "nwparser.payload", "RTSYNC: %{p0}"); - - var part1809 = match("MESSAGE#1135:00620:01/1_0", "nwparser.p0", "Serviced%{p0}"); - - var part1810 = match("MESSAGE#1135:00620:01/1_1", "nwparser.p0", "Recieved%{p0}"); - - var select407 = linear_select([ - part1809, - part1810, - ]); - - var part1811 = match("MESSAGE#1135:00620:01/2", "nwparser.p0", "%{}coldstart request for route synchronization from NSRP peer. (%{fld1})"); - - var all370 = all_match({ - processors: [ - part1808, - select407, - part1811, - ], - on_success: processor_chain([ - dup272, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg1151 = msg("00620:01", all370); - - var part1812 = match("MESSAGE#1136:00620:02", "nwparser.payload", "RTSYNC: Started timer to purge all the DRP backup routes - %{fld2->} (%{fld1})", processor_chain([ - dup272, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg1152 = msg("00620:02", part1812); - - var part1813 = match("MESSAGE#1137:00620:03", "nwparser.payload", "RTSYNC: Event posted to purge backup routes in all vrouters. (%{fld1})", processor_chain([ - dup272, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg1153 = msg("00620:03", part1813); - - var part1814 = match("MESSAGE#1138:00620:04", "nwparser.payload", "RTSYNC: Timer to purge the DRP backup routes is stopped. 
(%{fld1})", processor_chain([ - dup272, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg1154 = msg("00620:04", part1814); - - var select408 = linear_select([ - msg1150, - msg1151, - msg1152, - msg1153, - msg1154, - ]); - - var part1815 = match("MESSAGE#1139:00622", "nwparser.payload", "NHRP : NHRP instance in virtual router %{node->} is created. (%{fld1})", processor_chain([ - dup273, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg1155 = msg("00622", part1815); - - var part1816 = match("MESSAGE#1140:00625/0", "nwparser.payload", "Session (id %{sessionid->} src-ip %{saddr->} dst-ip %{daddr->} dst port %{dport}) route is %{p0}"); - - var part1817 = match("MESSAGE#1140:00625/1_0", "nwparser.p0", "invalid%{p0}"); - - var part1818 = match("MESSAGE#1140:00625/1_1", "nwparser.p0", "valid%{p0}"); - - var select409 = linear_select([ - part1817, - part1818, - ]); - - var all371 = all_match({ - processors: [ - part1816, - select409, - dup49, - ], - on_success: processor_chain([ - dup273, - dup2, - dup4, - dup5, - dup9, - ]), - }); - - var msg1156 = msg("00625", all371); - - var part1819 = match("MESSAGE#1141:00628/0", "nwparser.payload", "audit log queue %{p0}"); - - var part1820 = match("MESSAGE#1141:00628/1_0", "nwparser.p0", "Traffic Log %{p0}"); - - var part1821 = match("MESSAGE#1141:00628/1_1", "nwparser.p0", "Event Alarm Log %{p0}"); - - var part1822 = match("MESSAGE#1141:00628/1_2", "nwparser.p0", "Event Log %{p0}"); - - var select410 = linear_select([ - part1820, - part1821, - part1822, - ]); - - var part1823 = match("MESSAGE#1141:00628/2", "nwparser.p0", "is overwritten (%{fld1})"); - - var all372 = all_match({ - processors: [ - part1819, - select410, - part1823, - ], - on_success: processor_chain([ - dup223, - dup2, - dup4, - dup5, - dup9, - ]), - }); - - var msg1157 = msg("00628", all372); - - var part1824 = match("MESSAGE#1142:00767:50", "nwparser.payload", "Log setting was modified to %{disposition->} %{fld2->} level by admin 
%{administrator->} (%{fld1})", processor_chain([ - dup1, - dup2, - dup4, - dup5, - dup9, - dup282, - ])); - - var msg1158 = msg("00767:50", part1824); - - var part1825 = match("MESSAGE#1143:00767:51", "nwparser.payload", "Attack CS:Man in Middle is created by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport->} by admin %{administrator->} (%{fld1})", processor_chain([ - dup58, - dup2, - dup4, - dup5, - dup9, - ])); - - var msg1159 = msg("00767:51", part1825); - - var part1826 = match("MESSAGE#1144:00767:52", "nwparser.payload", "Attack group %{group->} is created by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport->} by admin %{administrator->} (%{fld1})", processor_chain([ - dup58, - dup2, - dup4, - dup5, - dup9, - ])); - - var msg1160 = msg("00767:52", part1826); - - var part1827 = match("MESSAGE#1145:00767:53", "nwparser.payload", "Attack CS:Man in Middle is added to attack group %{group->} by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport->} by admin %{administrator->} (%{fld1})", processor_chain([ - dup58, - dup2, - dup4, - dup5, - dup9, - ])); - - var msg1161 = msg("00767:53", part1827); - - var part1828 = match("MESSAGE#1146:00767", "nwparser.payload", "Cannot contact the SecurID server%{}", processor_chain([ - dup27, - setc("ec_theme","Communication"), - dup39, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1162 = msg("00767", part1828); - - var part1829 = match("MESSAGE#1147:00767:01/0", "nwparser.payload", "System auto-config of file %{fld2->} from TFTP server %{hostip->} has %{p0}"); - - var part1830 = match("MESSAGE#1147:00767:01/1_0", "nwparser.p0", "been loaded successfully%{}"); - - var part1831 = match("MESSAGE#1147:00767:01/1_1", "nwparser.p0", "failed%{}"); - - var select411 = linear_select([ - part1830, - part1831, - ]); - - var all373 = all_match({ - processors: [ - part1829, - select411, - ], - on_success: processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, 
- ]), - }); - - var msg1163 = msg("00767:01", all373); - - var part1832 = match("MESSAGE#1148:00767:02", "nwparser.payload", "netscreen: System Config saved from host %{saddr}", processor_chain([ - setc("eventcategory","1702000000"), - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1164 = msg("00767:02", part1832); - - var part1833 = match("MESSAGE#1149:00767:03", "nwparser.payload", "System Config saved to filename %(unknown)", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1165 = msg("00767:03", part1833); - - var part1834 = match("MESSAGE#1150:00767:04", "nwparser.payload", "System is operational.%{}", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1166 = msg("00767:04", part1834); - - var part1835 = match("MESSAGE#1151:00767:05", "nwparser.payload", "The device cannot contact the SecurID server%{}", processor_chain([ - dup27, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1167 = msg("00767:05", part1835); - - var part1836 = match("MESSAGE#1152:00767:06", "nwparser.payload", "The device cannot send data to the SecurID server%{}", processor_chain([ - dup27, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1168 = msg("00767:06", part1836); - - var part1837 = match("MESSAGE#1153:00767:07", "nwparser.payload", "The system configuration was saved from peer unit by admin%{}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1169 = msg("00767:07", part1837); - - var part1838 = match("MESSAGE#1154:00767:08/0", "nwparser.payload", "The system configuration was saved by admin %{p0}"); - - var all374 = all_match({ - processors: [ - part1838, - dup397, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg1170 = msg("00767:08", all374); - - var part1839 = match("MESSAGE#1155:00767:09/0", "nwparser.payload", "traffic shaping is turned O%{p0}"); - - var part1840 = match("MESSAGE#1155:00767:09/1_0", "nwparser.p0", "N%{}"); - - var 
part1841 = match("MESSAGE#1155:00767:09/1_1", "nwparser.p0", "FF%{}"); - - var select412 = linear_select([ - part1840, - part1841, - ]); - - var all375 = all_match({ - processors: [ - part1839, - select412, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg1171 = msg("00767:09", all375); - - var part1842 = match("MESSAGE#1156:00767:10/0", "nwparser.payload", "The system configuration was saved from host %{saddr->} by admin %{p0}"); - - var all376 = all_match({ - processors: [ - part1842, - dup397, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg1172 = msg("00767:10", all376); - - var part1843 = match("MESSAGE#1157:00767:11/0", "nwparser.payload", "Fatal error. The NetScreen device was unable to upgrade the %{p0}"); - - var part1844 = match("MESSAGE#1157:00767:11/1_1", "nwparser.p0", "file system %{p0}"); - - var select413 = linear_select([ - dup331, - part1844, - ]); - - var part1845 = match("MESSAGE#1157:00767:11/2", "nwparser.p0", ", and the %{p0}"); - - var part1846 = match("MESSAGE#1157:00767:11/3_1", "nwparser.p0", "old file system %{p0}"); - - var select414 = linear_select([ - dup331, - part1846, - ]); - - var part1847 = match("MESSAGE#1157:00767:11/4", "nwparser.p0", "is damaged.%{}"); - - var all377 = all_match({ - processors: [ - part1843, - select413, - part1845, - select414, - part1847, - ], - on_success: processor_chain([ - dup18, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg1173 = msg("00767:11", all377); - - var part1848 = match("MESSAGE#1158:00767:12", "nwparser.payload", "System configuration saved by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport->} by %{fld2->} (%{fld1})", processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg1174 = msg("00767:12", part1848); - - var part1849 = match("MESSAGE#1159:00767:13/0", "nwparser.payload", "%{fld2}Environment variable %{fld3->} is 
changed to %{fld4->} by admin %{p0}"); - - var all378 = all_match({ - processors: [ - part1849, - dup397, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg1175 = msg("00767:13", all378); - - var part1850 = match("MESSAGE#1160:00767:14/0", "nwparser.payload", "System was %{p0}"); - - var part1851 = match("MESSAGE#1160:00767:14/1_0", "nwparser.p0", "reset %{p0}"); - - var select415 = linear_select([ - part1851, - dup262, - ]); - - var part1852 = match("MESSAGE#1160:00767:14/2", "nwparser.p0", "at %{fld2->} by %{p0}"); - - var part1853 = match("MESSAGE#1160:00767:14/3_0", "nwparser.p0", "admin %{administrator}"); - - var part1854 = match_copy("MESSAGE#1160:00767:14/3_1", "nwparser.p0", "username"); - - var select416 = linear_select([ - part1853, - part1854, - ]); - - var all379 = all_match({ - processors: [ - part1850, - select415, - part1852, - select416, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg1176 = msg("00767:14", all379); - - var part1855 = match("MESSAGE#1161:00767:15/1_0", "nwparser.p0", "System %{p0}"); - - var part1856 = match("MESSAGE#1161:00767:15/1_1", "nwparser.p0", "Event %{p0}"); - - var part1857 = match("MESSAGE#1161:00767:15/1_2", "nwparser.p0", "Traffic %{p0}"); - - var select417 = linear_select([ - part1855, - part1856, - part1857, - ]); - - var part1858 = match("MESSAGE#1161:00767:15/2", "nwparser.p0", "log was reviewed by %{p0}"); - - var part1859 = match("MESSAGE#1161:00767:15/4", "nwparser.p0", "%{} %{username}."); - - var all380 = all_match({ - processors: [ - dup183, - select417, - part1858, - dup336, - part1859, - ], - on_success: processor_chain([ - dup223, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg1177 = msg("00767:15", all380); - - var part1860 = match("MESSAGE#1162:00767:16", "nwparser.payload", "%{fld2->} Admin %{administrator->} issued command %{info->} to redirect output.", processor_chain([ - dup1, - 
dup2, - dup3, - dup4, - dup5, - ])); - - var msg1178 = msg("00767:16", part1860); - - var part1861 = match("MESSAGE#1163:00767:17/0", "nwparser.payload", "%{fld2->} Save new software from %{fld3->} to flash by admin %{p0}"); - - var all381 = all_match({ - processors: [ - part1861, - dup397, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg1179 = msg("00767:17", all381); - - var part1862 = match("MESSAGE#1164:00767:18", "nwparser.payload", "Attack database version %{version->} has been %{fld2->} saved to flash.", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1180 = msg("00767:18", part1862); - - var part1863 = match("MESSAGE#1165:00767:19", "nwparser.payload", "Attack database version %{version->} was rejected because the authentication check failed.", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1181 = msg("00767:19", part1863); - - var part1864 = match("MESSAGE#1166:00767:20", "nwparser.payload", "The dictionary file version of the RADIUS server %{hostname->} does not match %{fld2}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1182 = msg("00767:20", part1864); - - var part1865 = match("MESSAGE#1167:00767:21", "nwparser.payload", "Session (%{fld2->} %{fld3}, %{fld4}) cleared %{fld5}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1183 = msg("00767:21", part1865); - - var part1866 = match("MESSAGE#1168:00767:22/0", "nwparser.payload", "The system configuration was not saved %{p0}"); - - var part1867 = match("MESSAGE#1168:00767:22/1_0", "nwparser.p0", "%{fld2->} by admin %{administrator->} via NSRP Peer %{p0}"); - - var part1868 = match("MESSAGE#1168:00767:22/1_1", "nwparser.p0", "%{fld2->} %{p0}"); - - var select418 = linear_select([ - part1867, - part1868, - ]); - - var part1869 = match("MESSAGE#1168:00767:22/2", "nwparser.p0", "by administrator %{fld3}. 
%{p0}"); - - var part1870 = match("MESSAGE#1168:00767:22/3_0", "nwparser.p0", "It was locked %{p0}"); - - var part1871 = match("MESSAGE#1168:00767:22/3_1", "nwparser.p0", "Locked %{p0}"); - - var select419 = linear_select([ - part1870, - part1871, - ]); - - var part1872 = match("MESSAGE#1168:00767:22/4", "nwparser.p0", "by administrator %{fld4->} %{p0}"); - - var all382 = all_match({ - processors: [ - part1866, - select418, - part1869, - select419, - part1872, - dup354, - ], - on_success: processor_chain([ - dup50, - dup43, - dup51, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg1184 = msg("00767:22", all382); - - var part1873 = match("MESSAGE#1169:00767:23", "nwparser.payload", "Save new software from slot filename %{filename->} to flash memory by administrator %{administrator}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1185 = msg("00767:23", part1873); - - var part1874 = match("MESSAGE#1170:00767:25/0", "nwparser.payload", "System configuration saved by %{username->} via %{logon_type->} from %{p0}"); - - var select420 = linear_select([ - dup169, - dup16, - ]); - - var part1875 = match("MESSAGE#1170:00767:25/3_0", "nwparser.p0", "%{saddr}:%{sport->} by %{p0}"); - - var part1876 = match("MESSAGE#1170:00767:25/3_1", "nwparser.p0", "%{saddr->} by %{p0}"); - - var select421 = linear_select([ - part1875, - part1876, - ]); - - var all383 = all_match({ - processors: [ - part1874, - select420, - dup23, - select421, - dup108, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg1186 = msg("00767:25", all383); - - var part1877 = match("MESSAGE#1171:00767:26/0", "nwparser.payload", "Lock configuration %{p0}"); - - var part1878 = match("MESSAGE#1171:00767:26/1_0", "nwparser.p0", "started%{p0}"); - - var part1879 = match("MESSAGE#1171:00767:26/1_1", "nwparser.p0", "ended%{p0}"); - - var select422 = linear_select([ - part1878, - part1879, - ]); - - var part1880 = 
match("MESSAGE#1171:00767:26/2", "nwparser.p0", "%{}by task %{p0}"); - - var part1881 = match("MESSAGE#1171:00767:26/3_0", "nwparser.p0", "%{fld3}, with a timeout value of %{fld2}"); - - var part1882 = match("MESSAGE#1171:00767:26/3_1", "nwparser.p0", "%{fld2->} (%{fld1})"); - - var select423 = linear_select([ - part1881, - part1882, - ]); - - var all384 = all_match({ - processors: [ - part1877, - select422, - part1880, - select423, - ], - on_success: processor_chain([ - dup50, - dup43, - dup51, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg1187 = msg("00767:26", all384); - - var part1883 = match("MESSAGE#1172:00767:27/0", "nwparser.payload", "Environment variable %{fld2->} changed to %{p0}"); - - var part1884 = match("MESSAGE#1172:00767:27/1_0", "nwparser.p0", "%{fld3->} by %{username->} (%{fld1})"); - - var part1885 = match_copy("MESSAGE#1172:00767:27/1_1", "nwparser.p0", "fld3"); - - var select424 = linear_select([ - part1884, - part1885, - ]); - - var all385 = all_match({ - processors: [ - part1883, - select424, - ], - on_success: processor_chain([ - dup223, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg1188 = msg("00767:27", all385); - - var part1886 = match("MESSAGE#1173:00767:28", "nwparser.payload", "The system configuration was loaded from IP address %{hostip->} under filename %{filename->} by administrator by admin %{administrator->} (%{fld1})", processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg1189 = msg("00767:28", part1886); - - var part1887 = match("MESSAGE#1174:00767:29", "nwparser.payload", "Save configuration to IP address %{hostip->} under filename %{filename->} by administrator by admin %{administrator->} (%{fld1})", processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg1190 = msg("00767:29", part1887); - - var part1888 = match("MESSAGE#1175:00767:30", "nwparser.payload", "%{fld2}: The system configuration was saved from host %{saddr->} by admin 
%{administrator->} (%{fld1})", processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg1191 = msg("00767:30", part1888); - - var part1889 = match("MESSAGE#1176:00767:31/1_0", "nwparser.p0", "logged events or alarms %{p0}"); - - var part1890 = match("MESSAGE#1176:00767:31/1_1", "nwparser.p0", "traffic logs %{p0}"); - - var select425 = linear_select([ - part1889, - part1890, - ]); - - var part1891 = match("MESSAGE#1176:00767:31/2", "nwparser.p0", "were cleared by admin %{p0}"); - - var all386 = all_match({ - processors: [ - dup186, - select425, - part1891, - dup397, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg1192 = msg("00767:31", all386); - - var part1892 = match("MESSAGE#1177:00767:32/0", "nwparser.payload", "SIP parser error %{p0}"); - - var part1893 = match("MESSAGE#1177:00767:32/1_0", "nwparser.p0", "SIP-field%{p0}"); - - var part1894 = match("MESSAGE#1177:00767:32/1_1", "nwparser.p0", "Message%{p0}"); - - var select426 = linear_select([ - part1893, - part1894, - ]); - - var part1895 = match("MESSAGE#1177:00767:32/2", "nwparser.p0", ": %{result}(%{fld1})"); - - var all387 = all_match({ - processors: [ - part1892, - select426, - part1895, - ], - on_success: processor_chain([ - dup27, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg1193 = msg("00767:32", all387); - - var part1896 = match("MESSAGE#1178:00767:33", "nwparser.payload", "Daylight Saving Time has started. 
(%{fld1})", processor_chain([ - dup44, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg1194 = msg("00767:33", part1896); - - var part1897 = match("MESSAGE#1179:00767:34", "nwparser.payload", "NetScreen devices do not support multiple IP addresses %{hostip->} or ports %{network_port->} in SIP headers RESPONSE (%{fld1})", processor_chain([ - dup313, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg1195 = msg("00767:34", part1897); - - var part1898 = match("MESSAGE#1180:00767:35", "nwparser.payload", "Environment variable %{fld2->} set to %{fld3->} (%{fld1})", processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg1196 = msg("00767:35", part1898); - - var part1899 = match("MESSAGE#1181:00767:36", "nwparser.payload", "System configuration saved from %{fld2->} by %{username->} (%{fld1})", processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg1197 = msg("00767:36", part1899); - - var part1900 = match("MESSAGE#1182:00767:37", "nwparser.payload", "Trial keys are available to download to enable advanced features. %{space->} To find out, please visit %{url->} (%{fld1})", processor_chain([ - dup254, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg1198 = msg("00767:37", part1900); - - var part1901 = match("MESSAGE#1183:00767:38", "nwparser.payload", "Log buffer was full and remaining messages were sent to external destination. %{fld2->} packets were dropped. 
(%{fld1})", processor_chain([ - setc("eventcategory","1602000000"), - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg1199 = msg("00767:38", part1901); - - var part1902 = match("MESSAGE#1184:00767:39/0", "nwparser.payload", "Cannot %{p0}"); - - var part1903 = match("MESSAGE#1184:00767:39/1_0", "nwparser.p0", "download %{p0}"); - - var part1904 = match("MESSAGE#1184:00767:39/1_1", "nwparser.p0", "parse %{p0}"); - - var select427 = linear_select([ - part1903, - part1904, - ]); - - var part1905 = match("MESSAGE#1184:00767:39/2", "nwparser.p0", "attack database %{p0}"); - - var part1906 = match("MESSAGE#1184:00767:39/3_0", "nwparser.p0", "from %{url->} (%{result}). %{p0}"); - - var part1907 = match("MESSAGE#1184:00767:39/3_1", "nwparser.p0", "%{fld2->} %{p0}"); - - var select428 = linear_select([ - part1906, - part1907, - ]); - - var all388 = all_match({ - processors: [ - part1902, - select427, - part1905, - select428, - dup10, - ], - on_success: processor_chain([ - dup324, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg1200 = msg("00767:39", all388); - - var part1908 = match("MESSAGE#1185:00767:40", "nwparser.payload", "Deep Inspection update key is %{disposition}. (%{fld1})", processor_chain([ - dup62, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg1201 = msg("00767:40", part1908); - - var part1909 = match("MESSAGE#1186:00767:42", "nwparser.payload", "System configuration saved by %{username->} via %{logon_type->} to %{daddr}:%{dport->} by %{fld2->} (%{fld1})", processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg1202 = msg("00767:42", part1909); - - var part1910 = match("MESSAGE#1187:00767:43", "nwparser.payload", "Daylight Saving Time ended. 
(%{fld1})", processor_chain([ - dup44, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg1203 = msg("00767:43", part1910); - - var part1911 = match("MESSAGE#1188:00767:44", "nwparser.payload", "New GMT zone ahead or behind by %{fld2->} (%{fld1})", processor_chain([ - dup44, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg1204 = msg("00767:44", part1911); - - var part1912 = match("MESSAGE#1189:00767:45", "nwparser.payload", "Attack database version %{version->} is saved to flash. (%{fld1})", processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg1205 = msg("00767:45", part1912); - - var part1913 = match("MESSAGE#1190:00767:46", "nwparser.payload", "System configuration saved by netscreen via %{logon_type->} by netscreen. (%{fld1})", processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg1206 = msg("00767:46", part1913); - - var part1914 = match("MESSAGE#1191:00767:47", "nwparser.payload", "User %{username->} belongs to a different group in the RADIUS server than that allowed in the device. (%{fld1})", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - dup9, - ])); - - var msg1207 = msg("00767:47", part1914); - - var part1915 = match("MESSAGE#1192:00767:24/0", "nwparser.payload", "System configuration saved by %{p0}"); - - var part1916 = match("MESSAGE#1192:00767:24/2", "nwparser.p0", "%{logon_type->} by %{fld2->} (%{fld1})"); - - var all389 = all_match({ - processors: [ - part1915, - dup364, - part1916, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg1208 = msg("00767:24", all389); - - var part1917 = match("MESSAGE#1193:00767:48", "nwparser.payload", "HA: Synchronization file(s) hidden file end with c sent to backup device in cluster. 
(%{fld1})", processor_chain([ - dup272, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg1209 = msg("00767:48", part1917); - - var part1918 = match("MESSAGE#1194:00767:49/0", "nwparser.payload", "%{fld2->} turn o%{p0}"); - - var part1919 = match("MESSAGE#1194:00767:49/1_0", "nwparser.p0", "n%{p0}"); - - var part1920 = match("MESSAGE#1194:00767:49/1_1", "nwparser.p0", "ff%{p0}"); - - var select429 = linear_select([ - part1919, - part1920, - ]); - - var part1921 = match("MESSAGE#1194:00767:49/2", "nwparser.p0", "%{}debug switch for %{fld3->} (%{fld1})"); - - var all390 = all_match({ - processors: [ - part1918, - select429, - part1921, - ], - on_success: processor_chain([ - dup1, - dup2, - dup4, - dup5, - dup9, - ]), - }); - - var msg1210 = msg("00767:49", all390); - - var select430 = linear_select([ - msg1158, - msg1159, - msg1160, - msg1161, - msg1162, - msg1163, - msg1164, - msg1165, - msg1166, - msg1167, - msg1168, - msg1169, - msg1170, - msg1171, - msg1172, - msg1173, - msg1174, - msg1175, - msg1176, - msg1177, - msg1178, - msg1179, - msg1180, - msg1181, - msg1182, - msg1183, - msg1184, - msg1185, - msg1186, - msg1187, - msg1188, - msg1189, - msg1190, - msg1191, - msg1192, - msg1193, - msg1194, - msg1195, - msg1196, - msg1197, - msg1198, - msg1199, - msg1200, - msg1201, - msg1202, - msg1203, - msg1204, - msg1205, - msg1206, - msg1207, - msg1208, - msg1209, - msg1210, - ]); - - var part1922 = match("MESSAGE#1195:01269", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} direction=%{direction->} action=Deny sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} icmp type=%{icmptype}", processor_chain([ - dup185, - dup2, - dup4, - dup5, - dup274, - dup277, - dup3, - dup275, - dup60, - ])); - - var msg1211 = msg("01269", part1922); - - var msg1212 = msg("01269:01", dup407); - - var msg1213 = msg("01269:02", dup408); - - var msg1214 = msg("01269:03", dup409); - - var 
select431 = linear_select([ - msg1211, - msg1212, - msg1213, - msg1214, - ]); - - var part1923 = match("MESSAGE#1199:17852", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} direction=%{direction->} action=Deny sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport}", processor_chain([ - dup185, - dup2, - dup4, - dup5, - dup274, - dup3, - dup276, - dup277, - dup275, - dup332, - ])); - - var msg1215 = msg("17852", part1923); - - var part1924 = match("MESSAGE#1200:17852:01", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} direction=%{direction->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport}", processor_chain([ - dup281, - dup2, - dup4, - dup5, - dup274, - dup3, - dup275, - dup332, - dup282, - ])); - - var msg1216 = msg("17852:01", part1924); - - var part1925 = match("MESSAGE#1201:17852:02", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=Deny sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport}", processor_chain([ - dup185, - dup2, - dup4, - dup5, - dup274, - dup3, - dup275, - dup276, - dup277, - dup61, - ])); - - var msg1217 = msg("17852:02", part1925); - - var part1926 = match("MESSAGE#1202:17852:03", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport}", processor_chain([ - dup281, - dup2, - dup4, - dup5, - dup274, - dup3, - dup275, - dup332, 
- dup282, - ])); - - var msg1218 = msg("17852:03", part1926); - - var select432 = linear_select([ - msg1215, - msg1216, - msg1217, - msg1218, - ]); - - var msg1219 = msg("23184", dup410); - - var part1927 = match("MESSAGE#1204:23184:01", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} (%{fld3}) proto=%{protocol->} direction=%{direction->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport}", processor_chain([ - dup281, - dup2, - dup4, - dup5, - dup274, - dup3, - dup275, - dup61, - dup282, - ])); - - var msg1220 = msg("23184:01", part1927); - - var part1928 = match("MESSAGE#1205:23184:02", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} (%{fld3}) proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=Deny sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport}", processor_chain([ - dup185, - dup2, - dup4, - dup5, - dup274, - dup3, - dup276, - dup277, - dup275, - dup61, - ])); - - var msg1221 = msg("23184:02", part1928); - - var part1929 = match("MESSAGE#1206:23184:03", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} (%{fld3}) proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport}", processor_chain([ - dup281, - dup2, - dup4, - dup5, - dup274, - dup3, - dup275, - dup332, - dup282, - ])); - - var msg1222 = msg("23184:03", part1929); - - var select433 = linear_select([ - msg1219, - msg1220, - msg1221, - msg1222, - ]); - - var msg1223 = msg("27052", dup410); - - var part1930 = match("MESSAGE#1208:27052:01", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} 
service=%{service->} (%{fld3}) proto=%{protocol}direction=%{direction->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport}", processor_chain([ - dup281, - dup2, - dup4, - dup5, - dup274, - dup3, - dup275, - dup61, - dup282, - ])); - - var msg1224 = msg("27052:01", part1930); - - var select434 = linear_select([ - msg1223, - msg1224, - ]); - - var part1931 = match("MESSAGE#1209:39568", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} direction=%{direction->} action=Deny sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} icmp type=%{icmptype}", processor_chain([ - dup185, - dup2, - dup4, - dup277, - dup5, - dup274, - dup3, - dup275, - dup276, - dup60, - ])); - - var msg1225 = msg("39568", part1931); - - var msg1226 = msg("39568:01", dup407); - - var msg1227 = msg("39568:02", dup408); - - var msg1228 = msg("39568:03", dup409); - - var select435 = linear_select([ - msg1225, - msg1226, - msg1227, - msg1228, - ]); - - var chain1 = processor_chain([ - select2, - msgid_select({ - "00001": select6, - "00002": select29, - "00003": select31, - "00004": select33, - "00005": select39, - "00006": select40, - "00007": select63, - "00008": select66, - "00009": select83, - "00010": select86, - "00011": select100, - "00012": select101, - "00013": select102, - "00014": select104, - "00015": select114, - "00016": select115, - "00017": select125, - "00018": select138, - "00019": select147, - "00020": select150, - "00021": select151, - "00022": select163, - "00023": select164, - "00024": select170, - "00025": select171, - "00026": select176, - "00027": select184, - "00028": msg469, - "00029": select188, - "00030": select197, - "00031": select205, - "00032": select207, - "00033": select214, - "00034": select225, - "00035": select232, - "00036": select234, - "00037": select241, - "00038": msg660, - "00039": msg661, - 
"00040": select244, - "00041": select245, - "00042": select246, - "00043": msg668, - "00044": select248, - "00045": msg671, - "00047": msg672, - "00048": select257, - "00049": select258, - "00050": msg682, - "00051": msg683, - "00052": msg684, - "00055": select265, - "00056": msg696, - "00057": msg697, - "00058": msg698, - "00059": select272, - "00062": select273, - "00063": msg713, - "00064": select274, - "00070": select276, - "00071": select277, - "00072": select278, - "00073": select279, - "00074": msg726, - "00075": select280, - "00076": select281, - "00077": select282, - "00084": msg735, - "00090": msg736, - "00200": msg737, - "00201": msg738, - "00202": msg739, - "00203": msg740, - "00206": select285, - "00207": select286, - "00257": select291, - "00259": select294, - "00262": msg778, - "00263": msg779, - "00400": msg780, - "00401": msg781, - "00402": select296, - "00403": msg784, - "00404": msg785, - "00405": msg786, - "00406": msg787, - "00407": msg788, - "00408": msg789, - "00409": msg790, - "00410": select297, - "00411": msg793, - "00413": select298, - "00414": select299, - "00415": msg799, - "00423": msg800, - "00429": select300, - "00430": select301, - "00431": msg805, - "00432": msg806, - "00433": msg807, - "00434": msg808, - "00435": select302, - "00436": select303, - "00437": select304, - "00438": select305, - "00440": select306, - "00441": msg823, - "00442": msg824, - "00443": msg825, - "00511": select307, - "00513": msg841, - "00515": select328, - "00518": select331, - "00519": select336, - "00520": select339, - "00521": msg890, - "00522": msg891, - "00523": msg892, - "00524": select340, - "00525": select341, - "00526": msg912, - "00527": select348, - "00528": select354, - "00529": select357, - "00530": select358, - "00531": select362, - "00533": msg973, - "00534": msg974, - "00535": select363, - "00536": select365, - "00537": select366, - "00538": select372, - "00539": select373, - "00541": select375, - "00542": msg1062, - "00543": msg1063, - 
"00544": msg1064, - "00546": msg1065, - "00547": select379, - "00549": msg1070, - "00551": select381, - "00553": select385, - "00554": select391, - "00555": msg1117, - "00556": select401, - "00572": select402, - "00601": select404, - "00602": msg1148, - "00612": msg1149, - "00615": select403, - "00620": select408, - "00622": msg1155, - "00625": msg1156, - "00628": msg1157, - "00767": select430, - "01269": select431, - "17852": select432, - "23184": select433, - "27052": select434, - "39568": select435, - }), - ]); - - var part1932 = match("MESSAGE#2:00001:02/0", "nwparser.payload", "Address %{group_object->} for %{p0}"); - - var part1933 = match("MESSAGE#2:00001:02/1_1", "nwparser.p0", "domain address %{domain->} in zone %{p0}"); - - var part1934 = match("MESSAGE#4:00001:04/3_0", "nwparser.p0", " (%{fld1})"); - - var part1935 = match("MESSAGE#5:00001:05/1_0", "nwparser.p0", "(%{fld1})"); - - var part1936 = match_copy("MESSAGE#5:00001:05/1_1", "nwparser.p0", "fld1"); - - var part1937 = match("MESSAGE#8:00001:08/0", "nwparser.payload", "Address %{p0}"); - - var part1938 = match("MESSAGE#8:00001:08/1_0", "nwparser.p0", "MIP(%{interface}) %{p0}"); - - var part1939 = match("MESSAGE#8:00001:08/1_1", "nwparser.p0", "%{group_object->} %{p0}"); - - var part1940 = match("MESSAGE#8:00001:08/3_0", "nwparser.p0", "admin %{p0}"); - - var part1941 = match_copy("MESSAGE#8:00001:08/3_1", "nwparser.p0", "p0"); - - var part1942 = match("MESSAGE#25:00002:20/1_1", "nwparser.p0", "from host %{saddr->} "); - - var part1943 = match_copy("MESSAGE#25:00002:20/1_2", "nwparser.p0", ""); - - var part1944 = match("MESSAGE#26:00002:21/1", "nwparser.p0", "%{p0}"); - - var part1945 = match("MESSAGE#26:00002:21/2_0", "nwparser.p0", "password %{p0}"); - - var part1946 = match("MESSAGE#26:00002:21/2_1", "nwparser.p0", "name %{p0}"); - - var part1947 = match_copy("MESSAGE#27:00002:22/1_2", "nwparser.p0", "administrator"); - - var part1948 = match_copy("MESSAGE#42:00002:38/1_1", "nwparser.p0", 
"disposition"); - - var part1949 = match("MESSAGE#46:00002:42/1_1", "nwparser.p0", "via %{p0}"); - - var part1950 = match("MESSAGE#46:00002:42/4", "nwparser.p0", "%{fld1})"); - - var part1951 = match("MESSAGE#52:00002:48/3_1", "nwparser.p0", "%{logon_type->} from host %{saddr->} to %{daddr}:%{dport}. (%{p0}"); - - var part1952 = match("MESSAGE#53:00002:52/3_0", "nwparser.p0", "admin %{administrator->} via %{p0}"); - - var part1953 = match("MESSAGE#53:00002:52/3_2", "nwparser.p0", "%{username->} via %{p0}"); - - var part1954 = match("MESSAGE#53:00002:52/4_0", "nwparser.p0", "NSRP Peer . (%{p0}"); - - var part1955 = match("MESSAGE#55:00002:54/2", "nwparser.p0", ". (%{fld1})"); - - var part1956 = match("MESSAGE#56:00002/1_1", "nwparser.p0", "changed%{p0}"); - - var part1957 = match("MESSAGE#61:00003:05/0", "nwparser.payload", "The %{p0}"); - - var part1958 = match("MESSAGE#66:00004:04/1_0", "nwparser.p0", "interface%{p0}"); - - var part1959 = match("MESSAGE#66:00004:04/1_1", "nwparser.p0", "Interface%{p0}"); - - var part1960 = match("MESSAGE#76:00004:14/0", "nwparser.payload", "DNS entries have been %{p0}"); - - var part1961 = match("MESSAGE#79:00004:17/0", "nwparser.payload", "%{signame->} From %{saddr->} to %{daddr}, proto %{protocol->} (zone %{p0}"); - - var part1962 = match("MESSAGE#79:00004:17/1_0", "nwparser.p0", "%{zone}, %{p0}"); - - var part1963 = match("MESSAGE#79:00004:17/1_1", "nwparser.p0", "%{zone->} %{p0}"); - - var part1964 = match("MESSAGE#79:00004:17/2", "nwparser.p0", "int %{interface}).%{space}Occurred %{dclass_counter1->} times. 
(%{fld1})"); - - var part1965 = match("MESSAGE#83:00005:03/1_0", "nwparser.p0", "%{dport},%{p0}"); - - var part1966 = match("MESSAGE#83:00005:03/1_1", "nwparser.p0", "%{dport->} %{p0}"); - - var part1967 = match("MESSAGE#83:00005:03/2", "nwparser.p0", "%{space}using protocol %{p0}"); - - var part1968 = match("MESSAGE#83:00005:03/3_0", "nwparser.p0", "%{protocol},%{p0}"); - - var part1969 = match("MESSAGE#83:00005:03/3_1", "nwparser.p0", "%{protocol->} %{p0}"); - - var part1970 = match("MESSAGE#83:00005:03/5_1", "nwparser.p0", ". %{p0}"); - - var part1971 = match("MESSAGE#86:00005:06/0_0", "nwparser.payload", "%{fld2}: SYN %{p0}"); - - var part1972 = match("MESSAGE#86:00005:06/0_1", "nwparser.payload", "SYN %{p0}"); - - var part1973 = match("MESSAGE#87:00005:07/1_2", "nwparser.p0", "timeout value %{p0}"); - - var part1974 = match("MESSAGE#88:00005:08/2_0", "nwparser.p0", "destination %{p0}"); - - var part1975 = match("MESSAGE#88:00005:08/2_1", "nwparser.p0", "source %{p0}"); - - var part1976 = match("MESSAGE#97:00005:17/0", "nwparser.payload", "A %{p0}"); - - var part1977 = match("MESSAGE#98:00005:18/0", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to %{daddr}:%{dport}, proto %{protocol->} (zone %{zone->} %{p0}"); - - var part1978 = match("MESSAGE#98:00005:18/1_0", "nwparser.p0", ", int %{p0}"); - - var part1979 = match("MESSAGE#98:00005:18/1_1", "nwparser.p0", "int %{p0}"); - - var part1980 = match("MESSAGE#98:00005:18/2", "nwparser.p0", "%{interface}).%{space}Occurred %{dclass_counter1->} times. 
(%{fld1})"); - - var part1981 = match("MESSAGE#111:00007:04/0", "nwparser.payload", "HA %{p0}"); - - var part1982 = match("MESSAGE#111:00007:04/1_0", "nwparser.p0", "encryption %{p0}"); - - var part1983 = match("MESSAGE#111:00007:04/1_1", "nwparser.p0", "authentication %{p0}"); - - var part1984 = match("MESSAGE#111:00007:04/3_1", "nwparser.p0", "key %{p0}"); - - var part1985 = match("MESSAGE#118:00007:11/1_0", "nwparser.p0", "disabled%{}"); - - var part1986 = match("MESSAGE#118:00007:11/1_1", "nwparser.p0", "set to %{trigger_val}"); - - var part1987 = match("MESSAGE#127:00007:21/1_0", "nwparser.p0", "up%{}"); - - var part1988 = match("MESSAGE#127:00007:21/1_1", "nwparser.p0", "down%{}"); - - var part1989 = match("MESSAGE#139:00007:33/2_1", "nwparser.p0", " %{p0}"); - - var part1990 = match("MESSAGE#143:00007:37/1_0", "nwparser.p0", "set%{}"); - - var part1991 = match("MESSAGE#143:00007:37/1_1", "nwparser.p0", "unset%{}"); - - var part1992 = match("MESSAGE#144:00007:38/1_0", "nwparser.p0", "undefined %{p0}"); - - var part1993 = match("MESSAGE#144:00007:38/1_1", "nwparser.p0", "set %{p0}"); - - var part1994 = match("MESSAGE#144:00007:38/1_2", "nwparser.p0", "active %{p0}"); - - var part1995 = match("MESSAGE#144:00007:38/2", "nwparser.p0", "to %{p0}"); - - var part1996 = match("MESSAGE#157:00007:51/1_0", "nwparser.p0", "created %{p0}"); - - var part1997 = match("MESSAGE#157:00007:51/3_0", "nwparser.p0", ", %{p0}"); - - var part1998 = match("MESSAGE#157:00007:51/5_0", "nwparser.p0", "is %{p0}"); - - var part1999 = match("MESSAGE#157:00007:51/5_1", "nwparser.p0", "was %{p0}"); - - var part2000 = match("MESSAGE#157:00007:51/6", "nwparser.p0", "%{fld2}"); - - var part2001 = match("MESSAGE#163:00007:57/1_0", "nwparser.p0", "threshold %{p0}"); - - var part2002 = match("MESSAGE#163:00007:57/1_1", "nwparser.p0", "interval %{p0}"); - - var part2003 = match("MESSAGE#163:00007:57/3_0", "nwparser.p0", "of %{p0}"); - - var part2004 = match("MESSAGE#163:00007:57/3_1", 
"nwparser.p0", "that %{p0}"); - - var part2005 = match("MESSAGE#170:00007:64/0_0", "nwparser.payload", "Zone %{p0}"); - - var part2006 = match("MESSAGE#170:00007:64/0_1", "nwparser.payload", "Interface %{p0}"); - - var part2007 = match("MESSAGE#172:00007:66/2_1", "nwparser.p0", "n %{p0}"); - - var part2008 = match("MESSAGE#174:00007:68/4", "nwparser.p0", ".%{}"); - - var part2009 = match("MESSAGE#195:00009:06/1", "nwparser.p0", "for %{p0}"); - - var part2010 = match("MESSAGE#195:00009:06/2_0", "nwparser.p0", "the %{p0}"); - - var part2011 = match("MESSAGE#195:00009:06/4_0", "nwparser.p0", "removed %{p0}"); - - var part2012 = match("MESSAGE#202:00009:14/2_0", "nwparser.p0", "interface %{p0}"); - - var part2013 = match("MESSAGE#202:00009:14/2_1", "nwparser.p0", "the interface %{p0}"); - - var part2014 = match_copy("MESSAGE#202:00009:14/4_1", "nwparser.p0", "interface"); - - var part2015 = match("MESSAGE#203:00009:15/1_1", "nwparser.p0", "s %{p0}"); - - var part2016 = match("MESSAGE#203:00009:15/2", "nwparser.p0", "on interface %{interface->} %{p0}"); - - var part2017 = match("MESSAGE#203:00009:15/3_0", "nwparser.p0", "has been %{p0}"); - - var part2018 = match("MESSAGE#203:00009:15/4", "nwparser.p0", "%{disposition}."); - - var part2019 = match("MESSAGE#204:00009:16/3_0", "nwparser.p0", "removed from %{p0}"); - - var part2020 = match("MESSAGE#204:00009:16/3_1", "nwparser.p0", "added to %{p0}"); - - var part2021 = match("MESSAGE#210:00009:21/2", "nwparser.p0", "%{interface}). Occurred %{dclass_counter1->} times. 
(%{fld1})"); - - var part2022 = match("MESSAGE#219:00010:03/0", "nwparser.payload", "%{signame->} From %{saddr->} to %{daddr}, proto %{protocol->} (zone %{zone->} %{p0}"); - - var part2023 = match("MESSAGE#224:00011:04/1_1", "nwparser.p0", "Interface %{p0}"); - - var part2024 = match("MESSAGE#233:00011:14/1_0", "nwparser.p0", "set to %{fld2}"); - - var part2025 = match("MESSAGE#237:00011:18/4_1", "nwparser.p0", "gateway %{p0}"); - - var part2026 = match("MESSAGE#238:00011:19/6", "nwparser.p0", "%{} %{disposition}"); - - var part2027 = match("MESSAGE#274:00015:02/1_1", "nwparser.p0", "port number %{p0}"); - - var part2028 = match("MESSAGE#274:00015:02/2", "nwparser.p0", "has been %{disposition}"); - - var part2029 = match("MESSAGE#276:00015:04/1_0", "nwparser.p0", "IP %{p0}"); - - var part2030 = match("MESSAGE#276:00015:04/1_1", "nwparser.p0", "port %{p0}"); - - var part2031 = match("MESSAGE#284:00015:12/3_0", "nwparser.p0", "up %{p0}"); - - var part2032 = match("MESSAGE#284:00015:12/3_1", "nwparser.p0", "down %{p0}"); - - var part2033 = match("MESSAGE#294:00015:22/2_0", "nwparser.p0", "(%{fld1}) "); - - var part2034 = match("MESSAGE#317:00017:01/2_0", "nwparser.p0", ": %{p0}"); - - var part2035 = match("MESSAGE#320:00017:04/0", "nwparser.payload", "IP %{p0}"); - - var part2036 = match("MESSAGE#320:00017:04/1_0", "nwparser.p0", "address pool %{p0}"); - - var part2037 = match("MESSAGE#320:00017:04/1_1", "nwparser.p0", "pool %{p0}"); - - var part2038 = match("MESSAGE#326:00017:10/1_0", "nwparser.p0", "enabled %{p0}"); - - var part2039 = match("MESSAGE#326:00017:10/1_1", "nwparser.p0", "disabled %{p0}"); - - var part2040 = match("MESSAGE#332:00017:15/1_0", "nwparser.p0", "AH %{p0}"); - - var part2041 = match("MESSAGE#332:00017:15/1_1", "nwparser.p0", "ESP %{p0}"); - - var part2042 = match("MESSAGE#354:00018:11/0", "nwparser.payload", "%{} %{p0}"); - - var part2043 = match("MESSAGE#356:00018:32/0_0", "nwparser.payload", "Source%{p0}"); - - var part2044 = 
match("MESSAGE#356:00018:32/0_1", "nwparser.payload", "Destination%{p0}"); - - var part2045 = match("MESSAGE#356:00018:32/2_0", "nwparser.p0", "from %{p0}"); - - var part2046 = match("MESSAGE#356:00018:32/3", "nwparser.p0", "policy ID %{policy_id->} by admin %{administrator->} via NSRP Peer . (%{fld1})"); - - var part2047 = match("MESSAGE#375:00019:01/0", "nwparser.payload", "Attempt to enable %{p0}"); - - var part2048 = match("MESSAGE#375:00019:01/1_0", "nwparser.p0", "traffic logging via syslog %{p0}"); - - var part2049 = match("MESSAGE#375:00019:01/1_1", "nwparser.p0", "syslog %{p0}"); - - var part2050 = match("MESSAGE#378:00019:04/0", "nwparser.payload", "Syslog %{p0}"); - - var part2051 = match("MESSAGE#378:00019:04/1_0", "nwparser.p0", "host %{p0}"); - - var part2052 = match("MESSAGE#378:00019:04/3_1", "nwparser.p0", "domain name %{p0}"); - - var part2053 = match("MESSAGE#378:00019:04/4", "nwparser.p0", "has been changed to %{fld2}"); - - var part2054 = match("MESSAGE#380:00019:06/1_0", "nwparser.p0", "security facility %{p0}"); - - var part2055 = match("MESSAGE#380:00019:06/1_1", "nwparser.p0", "facility %{p0}"); - - var part2056 = match("MESSAGE#380:00019:06/3_0", "nwparser.p0", "local0%{}"); - - var part2057 = match("MESSAGE#380:00019:06/3_1", "nwparser.p0", "local1%{}"); - - var part2058 = match("MESSAGE#380:00019:06/3_2", "nwparser.p0", "local2%{}"); - - var part2059 = match("MESSAGE#380:00019:06/3_3", "nwparser.p0", "local3%{}"); - - var part2060 = match("MESSAGE#380:00019:06/3_4", "nwparser.p0", "local4%{}"); - - var part2061 = match("MESSAGE#380:00019:06/3_5", "nwparser.p0", "local5%{}"); - - var part2062 = match("MESSAGE#380:00019:06/3_6", "nwparser.p0", "local6%{}"); - - var part2063 = match("MESSAGE#380:00019:06/3_7", "nwparser.p0", "local7%{}"); - - var part2064 = match("MESSAGE#380:00019:06/3_8", "nwparser.p0", "auth/sec%{}"); - - var part2065 = match("MESSAGE#384:00019:10/0", "nwparser.payload", "%{fld2->} %{p0}"); - - var part2066 = 
match("MESSAGE#405:00022/0", "nwparser.payload", "All %{p0}"); - - var part2067 = match("MESSAGE#414:00022:09/1_0", "nwparser.p0", "primary %{p0}"); - - var part2068 = match("MESSAGE#414:00022:09/1_1", "nwparser.p0", "secondary %{p0}"); - - var part2069 = match("MESSAGE#414:00022:09/3_0", "nwparser.p0", "t %{p0}"); - - var part2070 = match("MESSAGE#414:00022:09/3_1", "nwparser.p0", "w %{p0}"); - - var part2071 = match("MESSAGE#423:00024/1", "nwparser.p0", "server %{p0}"); - - var part2072 = match("MESSAGE#426:00024:03/1_0", "nwparser.p0", "has %{p0}"); - - var part2073 = match("MESSAGE#434:00026:01/0", "nwparser.payload", "SCS%{p0}"); - - var part2074 = match("MESSAGE#434:00026:01/3_0", "nwparser.p0", "bound to %{p0}"); - - var part2075 = match("MESSAGE#434:00026:01/3_1", "nwparser.p0", "unbound from %{p0}"); - - var part2076 = match("MESSAGE#441:00026:08/1_1", "nwparser.p0", "PKA RSA %{p0}"); - - var part2077 = match("MESSAGE#443:00026:10/3_1", "nwparser.p0", "unbind %{p0}"); - - var part2078 = match("MESSAGE#443:00026:10/4", "nwparser.p0", "PKA key %{p0}"); - - var part2079 = match("MESSAGE#446:00027/0", "nwparser.payload", "Multiple login failures %{p0}"); - - var part2080 = match("MESSAGE#446:00027/1_0", "nwparser.p0", "occurred for %{p0}"); - - var part2081 = match("MESSAGE#451:00027:05/5_0", "nwparser.p0", "aborted%{}"); - - var part2082 = match("MESSAGE#451:00027:05/5_1", "nwparser.p0", "performed%{}"); - - var part2083 = match("MESSAGE#466:00029:03/0", "nwparser.payload", "IP pool of DHCP server on %{p0}"); - - var part2084 = match("MESSAGE#492:00030:17/1_0", "nwparser.p0", "certificate %{p0}"); - - var part2085 = match("MESSAGE#492:00030:17/1_1", "nwparser.p0", "CRL %{p0}"); - - var part2086 = match("MESSAGE#493:00030:40/1_0", "nwparser.p0", "auto %{p0}"); - - var part2087 = match("MESSAGE#508:00030:55/1_0", "nwparser.p0", "RSA %{p0}"); - - var part2088 = match("MESSAGE#508:00030:55/1_1", "nwparser.p0", "DSA %{p0}"); - - var part2089 = 
match("MESSAGE#508:00030:55/2", "nwparser.p0", "key pair.%{}"); - - var part2090 = match("MESSAGE#539:00030:86/0", "nwparser.payload", "FIPS test for %{p0}"); - - var part2091 = match("MESSAGE#539:00030:86/1_0", "nwparser.p0", "ECDSA %{p0}"); - - var part2092 = match("MESSAGE#543:00031:02/1_0", "nwparser.p0", "yes %{p0}"); - - var part2093 = match("MESSAGE#543:00031:02/1_1", "nwparser.p0", "no %{p0}"); - - var part2094 = match("MESSAGE#545:00031:04/1_1", "nwparser.p0", "location %{p0}"); - - var part2095 = match("MESSAGE#548:00031:05/2", "nwparser.p0", "%{} %{interface}"); - - var part2096 = match("MESSAGE#549:00031:06/0", "nwparser.payload", "arp re%{p0}"); - - var part2097 = match("MESSAGE#549:00031:06/1_1", "nwparser.p0", "q %{p0}"); - - var part2098 = match("MESSAGE#549:00031:06/1_2", "nwparser.p0", "ply %{p0}"); - - var part2099 = match("MESSAGE#549:00031:06/9_0", "nwparser.p0", "%{interface->} (%{fld1})"); - - var part2100 = match("MESSAGE#561:00033/0_0", "nwparser.payload", "Global PRO %{p0}"); - - var part2101 = match("MESSAGE#561:00033/0_1", "nwparser.payload", "%{fld3->} %{p0}"); - - var part2102 = match("MESSAGE#569:00033:08/0", "nwparser.payload", "NACN Policy Manager %{p0}"); - - var part2103 = match("MESSAGE#569:00033:08/1_0", "nwparser.p0", "1 %{p0}"); - - var part2104 = match("MESSAGE#569:00033:08/1_1", "nwparser.p0", "2 %{p0}"); - - var part2105 = match("MESSAGE#571:00033:10/3_1", "nwparser.p0", "unset %{p0}"); - - var part2106 = match("MESSAGE#581:00033:21/0", "nwparser.payload", "%{signame}! 
From %{saddr}:%{sport->} to %{daddr}:%{dport}, proto %{protocol->} (zone %{zone->} %{p0}"); - - var part2107 = match("MESSAGE#586:00034:01/2_1", "nwparser.p0", "SSH %{p0}"); - - var part2108 = match("MESSAGE#588:00034:03/0_0", "nwparser.payload", "SCS: NetScreen %{p0}"); - - var part2109 = match("MESSAGE#588:00034:03/0_1", "nwparser.payload", "NetScreen %{p0}"); - - var part2110 = match("MESSAGE#595:00034:10/0", "nwparser.payload", "S%{p0}"); - - var part2111 = match("MESSAGE#595:00034:10/1_0", "nwparser.p0", "CS: SSH%{p0}"); - - var part2112 = match("MESSAGE#595:00034:10/1_1", "nwparser.p0", "SH%{p0}"); - - var part2113 = match("MESSAGE#596:00034:12/3_0", "nwparser.p0", "the root system %{p0}"); - - var part2114 = match("MESSAGE#596:00034:12/3_1", "nwparser.p0", "vsys %{fld2->} %{p0}"); - - var part2115 = match("MESSAGE#599:00034:18/1_0", "nwparser.p0", "CS: SSH %{p0}"); - - var part2116 = match("MESSAGE#599:00034:18/1_1", "nwparser.p0", "SH %{p0}"); - - var part2117 = match("MESSAGE#630:00035:06/1_0", "nwparser.p0", "a %{p0}"); - - var part2118 = match("MESSAGE#630:00035:06/1_1", "nwparser.p0", "ert %{p0}"); - - var part2119 = match("MESSAGE#633:00035:09/0", "nwparser.payload", "SSL %{p0}"); - - var part2120 = match("MESSAGE#644:00037:01/1_0", "nwparser.p0", "id: %{p0}"); - - var part2121 = match("MESSAGE#644:00037:01/1_1", "nwparser.p0", "ID %{p0}"); - - var part2122 = match("MESSAGE#659:00044/1_0", "nwparser.p0", "permit %{p0}"); - - var part2123 = match("MESSAGE#675:00055/0", "nwparser.payload", "IGMP %{p0}"); - - var part2124 = match("MESSAGE#677:00055:02/0", "nwparser.payload", "IGMP will %{p0}"); - - var part2125 = match("MESSAGE#677:00055:02/1_0", "nwparser.p0", "not do %{p0}"); - - var part2126 = match("MESSAGE#677:00055:02/1_1", "nwparser.p0", "do %{p0}"); - - var part2127 = match("MESSAGE#689:00059/1_1", "nwparser.p0", "shut down %{p0}"); - - var part2128 = match("MESSAGE#707:00070/0", "nwparser.payload", "NSRP: %{p0}"); - - var part2129 = 
match("MESSAGE#707:00070/1_0", "nwparser.p0", "Unit %{p0}"); - - var part2130 = match("MESSAGE#707:00070/1_1", "nwparser.p0", "local unit= %{p0}"); - - var part2131 = match("MESSAGE#707:00070/2", "nwparser.p0", "%{fld2->} of VSD group %{group->} %{info}"); - - var part2132 = match("MESSAGE#708:00070:01/0", "nwparser.payload", "The local device %{fld2->} in the Virtual Sec%{p0}"); - - var part2133 = match("MESSAGE#708:00070:01/1_0", "nwparser.p0", "ruity%{p0}"); - - var part2134 = match("MESSAGE#708:00070:01/1_1", "nwparser.p0", "urity%{p0}"); - - var part2135 = match("MESSAGE#713:00072:01/2", "nwparser.p0", "%{}Device group %{group->} changed state"); - - var part2136 = match("MESSAGE#717:00075/2", "nwparser.p0", "%{fld2->} of VSD group %{group->} %{info}"); - - var part2137 = match("MESSAGE#748:00257:19/0", "nwparser.payload", "start_time=%{p0}"); - - var part2138 = match("MESSAGE#748:00257:19/1_0", "nwparser.p0", "\\\"%{fld2}\\\"%{p0}"); - - var part2139 = match("MESSAGE#748:00257:19/1_1", "nwparser.p0", " \"%{fld2}\" %{p0}"); - - var part2140 = match_copy("MESSAGE#756:00257:10/1_1", "nwparser.p0", "daddr"); - - var part2141 = match("MESSAGE#760:00259/0_0", "nwparser.payload", "Admin %{p0}"); - - var part2142 = match("MESSAGE#760:00259/0_1", "nwparser.payload", "Vsys admin %{p0}"); - - var part2143 = match("MESSAGE#760:00259/2_1", "nwparser.p0", "Telnet %{p0}"); - - var part2144 = match("MESSAGE#777:00406/2", "nwparser.p0", "%{interface}). Occurred %{dclass_counter1->} times."); - - var part2145 = match("MESSAGE#790:00423/2", "nwparser.p0", "%{interface}).%{space}Occurred %{dclass_counter1->} times."); - - var part2146 = match("MESSAGE#793:00430/2", "nwparser.p0", "%{interface}).%{space}Occurred %{dclass_counter1->} times.%{p0}"); - - var part2147 = match("MESSAGE#795:00431/0", "nwparser.payload", "%{obj_type->} %{disposition}! 
From %{saddr}:%{sport->} to %{daddr}:%{dport}, proto %{protocol->} (zone %{zone->} %{p0}"); - - var part2148 = match("MESSAGE#797:00433/0", "nwparser.payload", "%{signame->} %{disposition}! From %{saddr}:%{sport->} to %{daddr}:%{dport}, proto %{protocol->} (zone %{zone->} %{p0}"); - - var part2149 = match("MESSAGE#804:00437:01/0", "nwparser.payload", "%{signame}! From %{saddr}:%{sport->} to %{daddr}:%{dport}, proto %{protocol->} (zone %{p0}"); - - var part2150 = match("MESSAGE#817:00511:01/1_0", "nwparser.p0", "%{administrator->} (%{fld1})"); - - var part2151 = match("MESSAGE#835:00515:04/2_1", "nwparser.p0", "ut %{p0}"); - - var part2152 = match("MESSAGE#835:00515:04/4_0", "nwparser.p0", "%{logon_type->} from %{saddr}:%{sport}"); - - var part2153 = match("MESSAGE#837:00515:05/1_0", "nwparser.p0", "user %{p0}"); - - var part2154 = match("MESSAGE#837:00515:05/5_0", "nwparser.p0", "the %{logon_type}"); - - var part2155 = match("MESSAGE#869:00519:01/1_0", "nwparser.p0", "WebAuth user %{p0}"); - - var part2156 = match("MESSAGE#876:00520:02/1_1", "nwparser.p0", "backup1 %{p0}"); - - var part2157 = match("MESSAGE#876:00520:02/1_2", "nwparser.p0", "backup2 %{p0}"); - - var part2158 = match("MESSAGE#890:00524:13/1_0", "nwparser.p0", ",%{p0}"); - - var part2159 = match("MESSAGE#901:00527/1_0", "nwparser.p0", "assigned %{p0}"); - - var part2160 = match("MESSAGE#901:00527/3_0", "nwparser.p0", "assigned to %{p0}"); - - var part2161 = match("MESSAGE#927:00528:15/1_0", "nwparser.p0", "'%{administrator}' %{p0}"); - - var part2162 = match("MESSAGE#930:00528:18/0", "nwparser.payload", "SSH: P%{p0}"); - - var part2163 = match("MESSAGE#930:00528:18/1_0", "nwparser.p0", "KA %{p0}"); - - var part2164 = match("MESSAGE#930:00528:18/1_1", "nwparser.p0", "assword %{p0}"); - - var part2165 = match("MESSAGE#930:00528:18/3_0", "nwparser.p0", "\\'%{administrator}\\' %{p0}"); - - var part2166 = match("MESSAGE#930:00528:18/4", "nwparser.p0", "at host %{saddr}"); - - var part2167 = 
match("MESSAGE#932:00528:19/0", "nwparser.payload", "%{}S%{p0}"); - - var part2168 = match("MESSAGE#932:00528:19/1_0", "nwparser.p0", "CS %{p0}"); - - var part2169 = match("MESSAGE#1060:00553/2", "nwparser.p0", "from server.ini file.%{}"); - - var part2170 = match("MESSAGE#1064:00553:04/1_0", "nwparser.p0", "pattern %{p0}"); - - var part2171 = match("MESSAGE#1064:00553:04/1_1", "nwparser.p0", "server.ini %{p0}"); - - var part2172 = match("MESSAGE#1068:00553:08/2", "nwparser.p0", "file.%{}"); - - var part2173 = match("MESSAGE#1087:00554:04/1_1", "nwparser.p0", "AV pattern %{p0}"); - - var part2174 = match("MESSAGE#1116:00556:14/1_0", "nwparser.p0", "added into %{p0}"); - - var part2175 = match("MESSAGE#1157:00767:11/1_0", "nwparser.p0", "loader %{p0}"); - - var select436 = linear_select([ - dup10, - dup11, - ]); - - var part2176 = match("MESSAGE#7:00001:07", "nwparser.payload", "Policy ID=%{policy_id->} Rate=%{fld2->} exceeds threshold", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var select437 = linear_select([ - dup13, - dup14, - ]); - - var select438 = linear_select([ - dup15, - dup16, - ]); - - var select439 = linear_select([ - dup56, - dup57, - ]); - - var select440 = linear_select([ - dup65, - dup66, - ]); - - var select441 = linear_select([ - dup68, - dup69, - ]); - - var select442 = linear_select([ - dup71, - dup72, - ]); - - var part2177 = match("MESSAGE#84:00005:04", "nwparser.payload", "%{signame->} from %{saddr}/%{sport->} to %{daddr}/%{dport->} protocol %{protocol->} (%{interface})", processor_chain([ - dup58, - dup2, - dup3, - dup4, - dup5, - dup61, - ])); - - var select443 = linear_select([ - dup74, - dup75, - ]); - - var select444 = linear_select([ - dup81, - dup82, - ]); - - var select445 = linear_select([ - dup24, - dup90, - ]); - - var select446 = linear_select([ - dup94, - dup95, - ]); - - var select447 = linear_select([ - dup98, - dup99, - ]); - - var select448 = linear_select([ - dup100, - dup101, - dup102, - ]); - - 
var select449 = linear_select([ - dup113, - dup114, - ]); - - var select450 = linear_select([ - dup111, - dup16, - ]); - - var select451 = linear_select([ - dup127, - dup107, - ]); - - var select452 = linear_select([ - dup8, - dup21, - ]); - - var select453 = linear_select([ - dup122, - dup133, - ]); - - var select454 = linear_select([ - dup142, - dup143, - ]); - - var select455 = linear_select([ - dup145, - dup21, - ]); - - var select456 = linear_select([ - dup127, - dup106, - ]); - - var select457 = linear_select([ - dup152, - dup96, - ]); - - var select458 = linear_select([ - dup154, - dup155, - ]); - - var select459 = linear_select([ - dup156, - dup157, - ]); - - var select460 = linear_select([ - dup99, - dup134, - ]); - - var select461 = linear_select([ - dup158, - dup159, - ]); - - var select462 = linear_select([ - dup161, - dup162, - ]); - - var select463 = linear_select([ - dup163, - dup103, - ]); - - var select464 = linear_select([ - dup162, - dup161, - ]); - - var select465 = linear_select([ - dup46, - dup47, - ]); - - var select466 = linear_select([ - dup166, - dup167, - ]); - - var select467 = linear_select([ - dup172, - dup173, - ]); - - var select468 = linear_select([ - dup174, - dup175, - dup176, - dup177, - dup178, - dup179, - dup180, - dup181, - dup182, - ]); - - var select469 = linear_select([ - dup49, - dup21, - ]); - - var select470 = linear_select([ - dup189, - dup190, - ]); - - var select471 = linear_select([ - dup96, - dup152, - ]); - - var select472 = linear_select([ - dup196, - dup197, - ]); - - var select473 = linear_select([ - dup24, - dup200, - ]); - - var select474 = linear_select([ - dup103, - dup163, - ]); - - var select475 = linear_select([ - dup205, - dup118, - ]); - - var part2178 = match("MESSAGE#477:00030:02", "nwparser.payload", "%{change_attribute->} has been changed from %{change_old->} to %{change_new}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var select476 = linear_select([ - dup212, - dup213, - 
]); - - var select477 = linear_select([ - dup215, - dup216, - ]); - - var select478 = linear_select([ - dup222, - dup215, - ]); - - var select479 = linear_select([ - dup224, - dup225, - ]); - - var select480 = linear_select([ - dup231, - dup124, - ]); - - var select481 = linear_select([ - dup229, - dup230, - ]); - - var select482 = linear_select([ - dup233, - dup234, - ]); - - var select483 = linear_select([ - dup236, - dup237, - ]); - - var select484 = linear_select([ - dup242, - dup243, - ]); - - var select485 = linear_select([ - dup245, - dup246, - ]); - - var select486 = linear_select([ - dup247, - dup248, - ]); - - var select487 = linear_select([ - dup249, - dup250, - ]); - - var select488 = linear_select([ - dup251, - dup252, - ]); - - var select489 = linear_select([ - dup260, - dup261, - ]); - - var select490 = linear_select([ - dup264, - dup265, - ]); - - var select491 = linear_select([ - dup268, - dup269, - ]); - - var part2179 = match("MESSAGE#716:00074", "nwparser.payload", "The local device %{fld2->} in the Virtual Security Device group %{group->} %{info}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var select492 = linear_select([ - dup284, - dup285, - ]); - - var select493 = linear_select([ - dup287, - dup288, - ]); - - var part2180 = match("MESSAGE#799:00435", "nwparser.payload", "%{signame->} From %{saddr->} to %{daddr}, using protocol %{protocol}, and arriving at interface %{dinterface->} in zone %{dst_zone}.%{space}The attack occurred %{dclass_counter1->} times.", processor_chain([ - dup58, - dup2, - dup59, - dup4, - dup5, - dup3, - dup60, - ])); - - var part2181 = match("MESSAGE#814:00442", "nwparser.payload", "%{signame->} From %{saddr->} to zone %{zone}, proto %{protocol->} (int %{interface}). Occurred %{dclass_counter1->} times. 
(%{fld1})", processor_chain([ - dup58, - dup4, - dup59, - dup5, - dup9, - dup2, - dup3, - dup60, - ])); - - var select494 = linear_select([ - dup300, - dup26, - ]); - - var select495 = linear_select([ - dup115, - dup303, - ]); - - var select496 = linear_select([ - dup125, - dup96, - ]); - - var select497 = linear_select([ - dup189, - dup308, - dup309, - ]); - - var select498 = linear_select([ - dup310, - dup16, - ]); - - var select499 = linear_select([ - dup317, - dup318, - ]); - - var select500 = linear_select([ - dup319, - dup315, - ]); - - var select501 = linear_select([ - dup322, - dup250, - ]); - - var select502 = linear_select([ - dup327, - dup329, - ]); - - var select503 = linear_select([ - dup330, - dup129, - ]); - - var part2182 = match("MESSAGE#1196:01269:01", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} direction=%{direction->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} icmp type=%{icmptype}", processor_chain([ - dup281, - dup2, - dup4, - dup5, - dup274, - dup3, - dup275, - dup60, - dup282, - ])); - - var part2183 = match("MESSAGE#1197:01269:02", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=Deny sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} icmp type=%{icmptype}", processor_chain([ - dup185, - dup2, - dup4, - dup5, - dup274, - dup3, - dup275, - dup276, - dup277, - dup60, - ])); - - var part2184 = match("MESSAGE#1198:01269:03", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} icmp type=%{icmptype}", processor_chain([ - dup281, - dup2, - dup4, - dup5, - 
dup274, - dup3, - dup275, - dup60, - dup282, - ])); - - var part2185 = match("MESSAGE#1203:23184", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} (%{fld3}) proto=%{protocol->} direction=%{direction->} action=Deny sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport}", processor_chain([ - dup185, - dup2, - dup4, - dup5, - dup274, - dup3, - dup275, - dup276, - dup277, - dup61, - ])); - - var all391 = all_match({ - processors: [ - dup263, - dup390, - dup266, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var all392 = all_match({ - processors: [ - dup267, - dup391, - dup270, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var all393 = all_match({ - processors: [ - dup80, - dup343, - dup293, - ], - on_success: processor_chain([ - dup58, - dup2, - dup59, - dup3, - dup4, - dup5, - dup61, - ]), - }); - - var all394 = all_match({ - processors: [ - dup296, - dup343, - dup131, - ], - on_success: processor_chain([ - dup297, - dup2, - dup3, - dup9, - dup59, - dup4, - dup5, - dup61, - ]), - }); - - var all395 = all_match({ - processors: [ - dup298, - dup343, - dup131, - ], - on_success: processor_chain([ - dup297, - dup2, - dup3, - dup9, - dup59, - dup4, - dup5, - dup61, - ]), - }); - -- community_id: -- registered_domain: - ignore_missing: true - ignore_failure: true - field: dns.question.name - target_field: dns.question.registered_domain - target_subdomain_field: dns.question.subdomain - target_etld_field: dns.question.top_level_domain -- registered_domain: - ignore_missing: true - ignore_failure: true - field: client.domain - target_field: client.registered_domain - target_subdomain_field: client.subdomain - target_etld_field: client.top_level_domain -- registered_domain: - ignore_missing: true - ignore_failure: true - field: server.domain - target_field: 
server.registered_domain - target_subdomain_field: server.subdomain - target_etld_field: server.top_level_domain -- registered_domain: - ignore_missing: true - ignore_failure: true - field: destination.domain - target_field: destination.registered_domain - target_subdomain_field: destination.subdomain - target_etld_field: destination.top_level_domain -- registered_domain: - ignore_missing: true - ignore_failure: true - field: source.domain - target_field: source.registered_domain - target_subdomain_field: source.subdomain - target_etld_field: source.top_level_domain -- registered_domain: - ignore_missing: true - ignore_failure: true - field: url.domain - target_field: url.registered_domain - target_subdomain_field: url.subdomain - target_etld_field: url.top_level_domain -- add_locale: ~ diff --git a/packages/juniper_netscreen/0.4.2/data_stream/log/agent/stream/tcp.yml.hbs b/packages/juniper_netscreen/0.4.2/data_stream/log/agent/stream/tcp.yml.hbs deleted file mode 100755 index 0a6ba053fa..0000000000 --- a/packages/juniper_netscreen/0.4.2/data_stream/log/agent/stream/tcp.yml.hbs +++ /dev/null 
@@ -1,26354 +0,0 @@ -tcp: -host: "{{tcp_host}}:{{tcp_port}}" -tags: -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#each tags as |tag i|}} - - {{tag}} -{{/each}} -fields_under_root: true -fields: - observer: - vendor: "Juniper" - product: "Netscreen" - type: "Firewall" -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} -processors: -{{#if processors}} -{{processors}} -{{/if}} -- script: - lang: javascript - params: - ecs: true - rsa: {{rsa_fields}} - tz_offset: {{tz_offset}} - keep_raw: {{keep_raw_fields}} - debug: {{debug}} - source: | - // Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - // or more contributor license agreements. Licensed under the Elastic License; - // you may not use this file except in compliance with the Elastic License. - - /* jshint -W014,-W016,-W097,-W116 */ - - var processor = require("processor"); - var console = require("console"); - - var FLAG_FIELD = "log.flags"; - var FIELDS_OBJECT = "nwparser"; - var FIELDS_PREFIX = FIELDS_OBJECT + "."; - - var defaults = { - debug: false, - ecs: true, - rsa: false, - keep_raw: false, - tz_offset: "local", - strip_priority: true - }; - - var saved_flags = null; - var debug; - var map_ecs; - var map_rsa; - var keep_raw; - var device; - var tz_offset; - var strip_priority; - - // Register params from configuration. - function register(params) { - debug = params.debug !== undefined ? params.debug : defaults.debug; - map_ecs = params.ecs !== undefined ? params.ecs : defaults.ecs; - map_rsa = params.rsa !== undefined ? params.rsa : defaults.rsa; - keep_raw = params.keep_raw !== undefined ? params.keep_raw : defaults.keep_raw; - tz_offset = parse_tz_offset(params.tz_offset !== undefined? params.tz_offset : defaults.tz_offset); - strip_priority = params.strip_priority !== undefined? 
params.strip_priority : defaults.strip_priority; - device = new DeviceProcessor(); - } - - function parse_tz_offset(offset) { - var date; - var m; - switch(offset) { - // local uses the tz offset from the JS VM. - case "local": - date = new Date(); - // Reversing the sign as we the offset from UTC, not to UTC. - return parse_local_tz_offset(-date.getTimezoneOffset()); - // event uses the tz offset from event.timezone (add_locale processor). - case "event": - return offset; - // Otherwise a tz offset in the form "[+-][0-9]{4}" is required. - default: - m = offset.match(/^([+\-])([0-9]{2}):?([0-9]{2})?$/); - if (m === null || m.length !== 4) { - throw("bad timezone offset: '" + offset + "'. Must have the form +HH:MM"); - } - return m[1] + m[2] + ":" + (m[3]!==undefined? m[3] : "00"); - } - } - - function parse_local_tz_offset(minutes) { - var neg = minutes < 0; - minutes = Math.abs(minutes); - var min = minutes % 60; - var hours = Math.floor(minutes / 60); - var pad2digit = function(n) { - if (n < 10) { return "0" + n;} - return "" + n; - }; - return (neg? "-" : "+") + pad2digit(hours) + ":" + pad2digit(min); - } - - function process(evt) { - // Function register is only called by the processor when `params` are set - // in the processor config. - if (device === undefined) { - register(defaults); - } - return device.process(evt); - } - - function processor_chain(subprocessors) { - var builder = new processor.Chain(); - subprocessors.forEach(builder.Add); - return builder.Build().Run; - } - - function linear_select(subprocessors) { - return function (evt) { - var flags = evt.Get(FLAG_FIELD); - var i; - for (i = 0; i < subprocessors.length; i++) { - evt.Delete(FLAG_FIELD); - if (debug) console.warn("linear_select trying entry " + i); - subprocessors[i](evt); - // Dissect processor succeeded? 
- if (evt.Get(FLAG_FIELD) == null) break; - if (debug) console.warn("linear_select failed entry " + i); - } - if (flags !== null) { - evt.Put(FLAG_FIELD, flags); - } - if (debug) { - if (i < subprocessors.length) { - console.warn("linear_select matched entry " + i); - } else { - console.warn("linear_select didn't match"); - } - } - }; - } - - function conditional(opt) { - return function(evt) { - if (opt.if(evt)) { - opt.then(evt); - } else if (opt.else) { - opt.else(evt); - } - }; - } - - var strip_syslog_priority = (function() { - var isEnabled = function() { return strip_priority === true; }; - var fetchPRI = field("_pri"); - var fetchPayload = field("payload"); - var removePayload = remove(["payload"]); - var cleanup = remove(["_pri", "payload"]); - var onMatch = function(evt) { - var pri, priStr = fetchPRI(evt); - if (priStr != null - && 0 < priStr.length && priStr.length < 4 - && !isNaN((pri = Number(priStr))) - && 0 <= pri && pri < 192) { - var severity = pri & 7, - facility = pri >> 3; - setc("_severity", "" + severity)(evt); - setc("_facility", "" + facility)(evt); - // Replace message with priority stripped. - evt.Put("message", fetchPayload(evt)); - removePayload(evt); - } else { - // not a valid syslog PRI, cleanup. 
- cleanup(evt); - } - }; - return conditional({ - if: isEnabled, - then: cleanup_flags(match( - "STRIP_PRI", - "message", - "<%{_pri}>%{payload}", - onMatch - )) - }); - })(); - - function match(id, src, pattern, on_success) { - var dissect = new processor.Dissect({ - field: src, - tokenizer: pattern, - target_prefix: FIELDS_OBJECT, - ignore_failure: true, - overwrite_keys: true, - trim_values: "right" - }); - return function (evt) { - var msg = evt.Get(src); - dissect.Run(evt); - var failed = evt.Get(FLAG_FIELD) != null; - if (debug) { - if (failed) { - console.debug("dissect fail: " + id + " field:" + src); - } else { - console.debug("dissect OK: " + id + " field:" + src); - } - console.debug(" expr: <<" + pattern + ">>"); - console.debug(" input: <<" + msg + ">>"); - } - if (on_success != null && !failed) { - on_success(evt); - } - }; - } - - function match_copy(id, src, dst, on_success) { - dst = FIELDS_PREFIX + dst; - if (dst === FIELDS_PREFIX || dst === src) { - return function (evt) { - if (debug) { - console.debug("noop OK: " + id + " field:" + src); - console.debug(" input: <<" + evt.Get(src) + ">>"); - } - if (on_success != null) on_success(evt); - } - } - return function (evt) { - var msg = evt.Get(src); - evt.Put(dst, msg); - if (debug) { - console.debug("copy OK: " + id + " field:" + src); - console.debug(" target: '" + dst + "'"); - console.debug(" input: <<" + msg + ">>"); - } - if (on_success != null) on_success(evt); - } - } - - function cleanup_flags(processor) { - return function(evt) { - processor(evt); - evt.Delete(FLAG_FIELD); - }; - } - - function all_match(opts) { - return function (evt) { - var i; - for (i = 0; i < opts.processors.length; i++) { - evt.Delete(FLAG_FIELD); - opts.processors[i](evt); - // Dissect processor succeeded? 
- if (evt.Get(FLAG_FIELD) != null) { - if (debug) console.warn("all_match failure at " + i); - if (opts.on_failure != null) opts.on_failure(evt); - return; - } - if (debug) console.warn("all_match success at " + i); - } - if (opts.on_success != null) opts.on_success(evt); - }; - } - - function msgid_select(mapping) { - return function (evt) { - var msgid = evt.Get(FIELDS_PREFIX + "messageid"); - if (msgid == null) { - if (debug) console.warn("msgid_select: no messageid captured!"); - return; - } - var next = mapping[msgid]; - if (next === undefined) { - if (debug) console.warn("msgid_select: no mapping for messageid:" + msgid); - return; - } - if (debug) console.info("msgid_select: matched key=" + msgid); - return next(evt); - }; - } - - function msg(msg_id, match) { - return function (evt) { - match(evt); - if (evt.Get(FLAG_FIELD) == null) { - evt.Put(FIELDS_PREFIX + "msg_id1", msg_id); - } - }; - } - - var start; - - function save_flags(evt) { - saved_flags = evt.Get(FLAG_FIELD); - evt.Put("event.original", evt.Get("message")); - } - - function restore_flags(evt) { - if (saved_flags !== null) { - evt.Put(FLAG_FIELD, saved_flags); - } - evt.Delete("message"); - } - - function constant(value) { - return function (evt) { - return value; - }; - } - - function field(name) { - var fullname = FIELDS_PREFIX + name; - return function (evt) { - return evt.Get(fullname); - }; - } - - function STRCAT(args) { - var s = ""; - var i; - for (i = 0; i < args.length; i++) { - s += args[i]; - } - return s; - } - - // TODO: Implement - function DIRCHK(args) { - unimplemented("DIRCHK"); - } - - function strictToInt(str) { - return str * 1; - } - - function CALC(args) { - if (args.length !== 3) { - console.warn("skipped call to CALC with " + args.length + " arguments."); - return; - } - var a = strictToInt(args[0]); - var b = strictToInt(args[2]); - if (isNaN(a) || isNaN(b)) { - console.warn("failed evaluating CALC arguments a='" + args[0] + "' b='" + args[2] + "'."); - return; - } - 
var result; - switch (args[1]) { - case "+": - result = a + b; - break; - case "-": - result = a - b; - break; - case "*": - result = a * b; - break; - default: - // Only * and + seen in the parsers. - console.warn("unknown CALC operation '" + args[1] + "'."); - return; - } - // Always return a string - return result !== undefined ? "" + result : result; - } - - var quoteChars = "\"'`"; - function RMQ(args) { - if(args.length !== 1) { - console.warn("RMQ: only one argument expected"); - return; - } - var value = args[0].trim(); - var n = value.length; - var char; - return n > 1 - && (char=value.charAt(0)) === value.charAt(n-1) - && quoteChars.indexOf(char) !== -1? - value.substr(1, n-2) - : value; - } - - function call(opts) { - var args = new Array(opts.args.length); - return function (evt) { - for (var i = 0; i < opts.args.length; i++) - if ((args[i] = opts.args[i](evt)) == null) return; - var result = opts.fn(args); - if (result != null) { - evt.Put(opts.dest, result); - } - }; - } - - function nop(evt) { - } - - function appendErrorMsg(evt, msg) { - var value = evt.Get("error.message"); - if (value == null) { - value = [msg]; - } else if (msg instanceof Array) { - value.push(msg); - } else { - value = [value, msg]; - } - evt.Put("error.message", value); - } - - function unimplemented(name) { - appendErrorMsg("unimplemented feature: " + name); - } - - function lookup(opts) { - return function (evt) { - var key = opts.key(evt); - if (key == null) return; - var value = opts.map.keyvaluepairs[key]; - if (value === undefined) { - value = opts.map.default; - } - if (value !== undefined) { - evt.Put(opts.dest, value(evt)); - } - }; - } - - function set(fields) { - return new processor.AddFields({ - target: FIELDS_OBJECT, - fields: fields, - }); - } - - function setf(dst, src) { - return function (evt) { - var val = evt.Get(FIELDS_PREFIX + src); - if (val != null) evt.Put(FIELDS_PREFIX + dst, val); - }; - } - - function setc(dst, value) { - return function (evt) { - 
evt.Put(FIELDS_PREFIX + dst, value); - }; - } - - function set_field(opts) { - return function (evt) { - var val = opts.value(evt); - if (val != null) evt.Put(opts.dest, val); - }; - } - - function dump(label) { - return function (evt) { - console.log("Dump of event at " + label + ": " + JSON.stringify(evt, null, "\t")); - }; - } - - function date_time_join_args(evt, arglist) { - var str = ""; - for (var i = 0; i < arglist.length; i++) { - var fname = FIELDS_PREFIX + arglist[i]; - var val = evt.Get(fname); - if (val != null) { - if (str !== "") str += " "; - str += val; - } else { - if (debug) console.warn("in date_time: input arg " + fname + " is not set"); - } - } - return str; - } - - function to2Digit(num) { - return num? (num < 10? "0" + num : num) : "00"; - } - - // Make two-digit dates 00-69 interpreted as 2000-2069 - // and dates 70-99 translated to 1970-1999. - var twoDigitYearEpoch = 70; - var twoDigitYearCentury = 2000; - - // This is to accept dates up to 2 days in the future, only used when - // no year is specified in a date. 2 days should be enough to account for - // time differences between systems and different tz offsets. - var maxFutureDelta = 2*24*60*60*1000; - - // DateContainer stores date fields and then converts those fields into - // a Date. Necessary because building a Date using its set() methods gives - // different results depending on the order of components. - function DateContainer(tzOffset) { - this.offset = tzOffset === undefined? "Z" : tzOffset; - } - - DateContainer.prototype = { - setYear: function(v) {this.year = v;}, - setMonth: function(v) {this.month = v;}, - setDay: function(v) {this.day = v;}, - setHours: function(v) {this.hours = v;}, - setMinutes: function(v) {this.minutes = v;}, - setSeconds: function(v) {this.seconds = v;}, - - setUNIX: function(v) {this.unix = v;}, - - set2DigitYear: function(v) { - this.year = v < twoDigitYearEpoch? 
twoDigitYearCentury + v : twoDigitYearCentury + v - 100; - }, - - toDate: function() { - if (this.unix !== undefined) { - return new Date(this.unix * 1000); - } - if (this.day === undefined || this.month === undefined) { - // Can't make a date from this. - return undefined; - } - if (this.year === undefined) { - // A date without a year. Set current year, or previous year - // if date would be in the future. - var now = new Date(); - this.year = now.getFullYear(); - var date = this.toDate(); - if (date.getTime() - now.getTime() > maxFutureDelta) { - date.setFullYear(now.getFullYear() - 1); - } - return date; - } - var MM = to2Digit(this.month); - var DD = to2Digit(this.day); - var hh = to2Digit(this.hours); - var mm = to2Digit(this.minutes); - var ss = to2Digit(this.seconds); - return new Date(this.year + "-" + MM + "-" + DD + "T" + hh + ":" + mm + ":" + ss + this.offset); - } - } - - function date_time_try_pattern(fmt, str, tzOffset) { - var date = new DateContainer(tzOffset); - var pos = date_time_try_pattern_at_pos(fmt, str, 0, date); - return pos !== undefined? 
date.toDate() : undefined; - } - - function date_time_try_pattern_at_pos(fmt, str, pos, date) { - var len = str.length; - for (var proc = 0; pos !== undefined && pos < len && proc < fmt.length; proc++) { - pos = fmt[proc](str, pos, date); - } - return pos; - } - - function date_time(opts) { - return function (evt) { - var tzOffset = opts.tz || tz_offset; - if (tzOffset === "event") { - tzOffset = evt.Get("event.timezone"); - } - var str = date_time_join_args(evt, opts.args); - for (var i = 0; i < opts.fmts.length; i++) { - var date = date_time_try_pattern(opts.fmts[i], str, tzOffset); - if (date !== undefined) { - evt.Put(FIELDS_PREFIX + opts.dest, date); - return; - } - } - if (debug) console.warn("in date_time: id=" + opts.id + " FAILED: " + str); - }; - } - - var uA = 60 * 60 * 24; - var uD = 60 * 60 * 24; - var uF = 60 * 60; - var uG = 60 * 60 * 24 * 30; - var uH = 60 * 60; - var uI = 60 * 60; - var uJ = 60 * 60 * 24; - var uM = 60 * 60 * 24 * 30; - var uN = 60 * 60; - var uO = 1; - var uS = 1; - var uT = 60; - var uU = 60; - var uc = dc; - - function duration(opts) { - return function(evt) { - var str = date_time_join_args(evt, opts.args); - for (var i = 0; i < opts.fmts.length; i++) { - var seconds = duration_try_pattern(opts.fmts[i], str); - if (seconds !== undefined) { - evt.Put(FIELDS_PREFIX + opts.dest, seconds); - return; - } - } - if (debug) console.warn("in duration: id=" + opts.id + " (s) FAILED: " + str); - }; - } - - function duration_try_pattern(fmt, str) { - var secs = 0; - var pos = 0; - for (var i=0; i [ month_id , how many chars to skip if month in long form ] - "Jan": [0, 4], - "Feb": [1, 5], - "Mar": [2, 2], - "Apr": [3, 2], - "May": [4, 0], - "Jun": [5, 1], - "Jul": [6, 1], - "Aug": [7, 3], - "Sep": [8, 6], - "Oct": [9, 4], - "Nov": [10, 5], - "Dec": [11, 4], - "jan": [0, 4], - "feb": [1, 5], - "mar": [2, 2], - "apr": [3, 2], - "may": [4, 0], - "jun": [5, 1], - "jul": [6, 1], - "aug": [7, 3], - "sep": [8, 6], - "oct": [9, 4], - "nov": [10, 
5], - "dec": [11, 4], - }; - - // var dC = undefined; - var dR = dateMonthName(true); - var dB = dateMonthName(false); - var dM = dateFixedWidthNumber("M", 2, 1, 12, DateContainer.prototype.setMonth); - var dG = dateVariableWidthNumber("G", 1, 12, DateContainer.prototype.setMonth); - var dD = dateFixedWidthNumber("D", 2, 1, 31, DateContainer.prototype.setDay); - var dF = dateVariableWidthNumber("F", 1, 31, DateContainer.prototype.setDay); - var dH = dateFixedWidthNumber("H", 2, 0, 24, DateContainer.prototype.setHours); - var dI = dateVariableWidthNumber("I", 0, 24, DateContainer.prototype.setHours); // Accept hours >12 - var dN = dateVariableWidthNumber("N", 0, 24, DateContainer.prototype.setHours); - var dT = dateFixedWidthNumber("T", 2, 0, 59, DateContainer.prototype.setMinutes); - var dU = dateVariableWidthNumber("U", 0, 59, DateContainer.prototype.setMinutes); - var dP = parseAMPM; // AM|PM - var dQ = parseAMPM; // A.M.|P.M - var dS = dateFixedWidthNumber("S", 2, 0, 60, DateContainer.prototype.setSeconds); - var dO = dateVariableWidthNumber("O", 0, 60, DateContainer.prototype.setSeconds); - var dY = dateFixedWidthNumber("Y", 2, 0, 99, DateContainer.prototype.set2DigitYear); - var dW = dateFixedWidthNumber("W", 4, 1000, 9999, DateContainer.prototype.setYear); - var dZ = parseHMS; - var dX = dateVariableWidthNumber("X", 0, 0x10000000000, DateContainer.prototype.setUNIX); - - // parseAMPM parses "A.M", "AM", "P.M", "PM" from logs. - // Only works if this modifier appears after the hour has been read from logs - // which is always the case in the 300 devices. 
- function parseAMPM(str, pos, date) { - var n = str.length; - var start = skipws(str, pos); - if (start + 2 > n) return; - var head = str.substr(start, 2).toUpperCase(); - var isPM = false; - var skip = false; - switch (head) { - case "A.": - skip = true; - /* falls through */ - case "AM": - break; - case "P.": - skip = true; - /* falls through */ - case "PM": - isPM = true; - break; - default: - if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(head:" + head + ")"); - return; - } - pos = start + 2; - if (skip) { - if (pos+2 > n || str.substr(pos, 2).toUpperCase() !== "M.") { - if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(tail)"); - return; - } - pos += 2; - } - var hh = date.hours; - if (isPM) { - // Accept existing hour in 24h format. - if (hh < 12) hh += 12; - } else { - if (hh === 12) hh = 0; - } - date.setHours(hh); - return pos; - } - - function parseHMS(str, pos, date) { - return date_time_try_pattern_at_pos([dN, dc(":"), dU, dc(":"), dO], str, pos, date); - } - - function skipws(str, pos) { - for ( var n = str.length; - pos < n && str.charAt(pos) === " "; - pos++) - ; - return pos; - } - - function skipdigits(str, pos) { - var c; - for (var n = str.length; - pos < n && (c = str.charAt(pos)) >= "0" && c <= "9"; - pos++) - ; - return pos; - } - - function dSkip(str, pos, date) { - var chr; - for (;pos < str.length && (chr=str[pos])<'0' || chr>'9'; pos++) {} - return pos < str.length? 
pos : undefined; - } - - function dateVariableWidthNumber(fmtChar, min, max, setter) { - return function (str, pos, date) { - var start = skipws(str, pos); - pos = skipdigits(str, start); - var s = str.substr(start, pos - start); - var value = parseInt(s, 10); - if (value >= min && value <= max) { - setter.call(date, value); - return pos; - } - return; - }; - } - - function dateFixedWidthNumber(fmtChar, width, min, max, setter) { - return function (str, pos, date) { - pos = skipws(str, pos); - var n = str.length; - if (pos + width > n) return; - var s = str.substr(pos, width); - var value = parseInt(s, 10); - if (value >= min && value <= max) { - setter.call(date, value); - return pos + width; - } - return; - }; - } - - // Short month name (Jan..Dec). - function dateMonthName(long) { - return function (str, pos, date) { - pos = skipws(str, pos); - var n = str.length; - if (pos + 3 > n) return; - var mon = str.substr(pos, 3); - var idx = shortMonths[mon]; - if (idx === undefined) { - idx = shortMonths[mon.toLowerCase()]; - } - if (idx === undefined) { - //console.warn("parsing date_time: '" + mon + "' is not a valid short month (%B)"); - return; - } - date.setMonth(idx[0]+1); - return pos + 3 + (long ? 
idx[1] : 0); - }; - } - - function url_wrapper(dst, src, fn) { - return function(evt) { - var value = evt.Get(FIELDS_PREFIX + src), result; - if (value != null && (result = fn(value))!== undefined) { - evt.Put(FIELDS_PREFIX + dst, result); - } else { - console.debug(fn.name + " failed for '" + value + "'"); - } - }; - } - - // The following regular expression for parsing URLs from: - // https://github.com/wizard04wsu/URI_Parsing - // - // The MIT License (MIT) - // - // Copyright (c) 2014 Andrew Harrison - // - // Permission is hereby granted, free of charge, to any person obtaining a copy of - // this software and associated documentation files (the "Software"), to deal in - // the Software without restriction, including without limitation the rights to - // use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of - // the Software, and to permit persons to whom the Software is furnished to do so, - // subject to the following conditions: - // - // The above copyright notice and this permission notice shall be included in all - // copies or substantial portions of the Software. - // - // THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR - // IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS - // FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR - // COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER - // IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN - // CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 
- var uriRegExp = /^([a-z][a-z0-9+.\-]*):(?:\/\/((?:(?=((?:[a-z0-9\-._~!$&'()*+,;=:]|%[0-9A-F]{2})*))(\3)@)?(?=(\[[0-9A-F:.]{2,}\]|(?:[a-z0-9\-._~!$&'()*+,;=]|%[0-9A-F]{2})*))\5(?::(?=(\d*))\6)?)(\/(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\8)?|(\/?(?!\/)(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\10)?)(?:\?(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\11)?(?:#(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\12)?$/i; - - var uriScheme = 1; - var uriDomain = 5; - var uriPort = 6; - var uriPath = 7; - var uriPathAlt = 9; - var uriQuery = 11; - - function domain(dst, src) { - return url_wrapper(dst, src, extract_domain); - } - - function split_url(value) { - var m = value.match(uriRegExp); - if (m && m[uriDomain]) return m; - // Support input in the form "www.example.net/path", but not "/path". - m = ("null://" + value).match(uriRegExp); - if (m) return m; - } - - function extract_domain(value) { - var m = split_url(value); - if (m && m[uriDomain]) return m[uriDomain]; - } - - var extFromPage = /\.[^.]+$/; - function extract_ext(value) { - var page = extract_page(value); - if (page) { - var m = page.match(extFromPage); - if (m) return m[0]; - } - } - - function ext(dst, src) { - return url_wrapper(dst, src, extract_ext); - } - - function fqdn(dst, src) { - // TODO: fqdn and domain(eTLD+1) are currently the same. - return domain(dst, src); - } - - var pageFromPathRegExp = /\/([^\/]+)$/; - var pageName = 1; - - function extract_page(value) { - value = extract_path(value); - if (!value) return undefined; - var m = value.match(pageFromPathRegExp); - if (m) return m[pageName]; - } - - function page(dst, src) { - return url_wrapper(dst, src, extract_page); - } - - function extract_path(value) { - var m = split_url(value); - return m? m[uriPath] || m[uriPathAlt] : undefined; - } - - function path(dst, src) { - return url_wrapper(dst, src, extract_path); - } - - // Map common schemes to their default port. 
- // port has to be a string (will be converted at a later stage). - var schemePort = { - "ftp": "21", - "ssh": "22", - "http": "80", - "https": "443", - }; - - function extract_port(value) { - var m = split_url(value); - if (!m) return undefined; - if (m[uriPort]) return m[uriPort]; - if (m[uriScheme]) { - return schemePort[m[uriScheme]]; - } - } - - function port(dst, src) { - return url_wrapper(dst, src, extract_port); - } - - function extract_query(value) { - var m = split_url(value); - if (m && m[uriQuery]) return m[uriQuery]; - } - - function query(dst, src) { - return url_wrapper(dst, src, extract_query); - } - - function extract_root(value) { - var m = split_url(value); - if (m && m[uriDomain] && m[uriDomain]) { - var scheme = m[uriScheme] && m[uriScheme] !== "null"? - m[uriScheme] + "://" : ""; - var port = m[uriPort]? ":" + m[uriPort] : ""; - return scheme + m[uriDomain] + port; - } - } - - function root(dst, src) { - return url_wrapper(dst, src, extract_root); - } - - function tagval(id, src, cfg, keys, on_success) { - var fail = function(evt) { - evt.Put(FLAG_FIELD, "tagval_parsing_error"); - } - if (cfg.kv_separator.length !== 1) { - throw("Invalid TAGVALMAP ValueDelimiter (must have 1 character)"); - } - var quotes_len = cfg.open_quote.length > 0 && cfg.close_quote.length > 0? 
- cfg.open_quote.length + cfg.close_quote.length : 0; - var kv_regex = new RegExp('^([^' + cfg.kv_separator + ']*)*' + cfg.kv_separator + ' *(.*)*$'); - return function(evt) { - var msg = evt.Get(src); - if (msg === undefined) { - console.warn("tagval: input field is missing"); - return fail(evt); - } - var pairs = msg.split(cfg.pair_separator); - var i; - var success = false; - var prev = ""; - for (i=0; i 0 && - value.length >= cfg.open_quote.length + cfg.close_quote.length && - value.substr(0, cfg.open_quote.length) === cfg.open_quote && - value.substr(value.length - cfg.close_quote.length) === cfg.close_quote) { - value = value.substr(cfg.open_quote.length, value.length - quotes_len); - } - evt.Put(FIELDS_PREFIX + field, value); - success = true; - } - if (!success) { - return fail(evt); - } - if (on_success != null) { - on_success(evt); - } - } - } - - var ecs_mappings = { - "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]}, - "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]}, - "_severity": {convert: to_long, to:[{field: "log.syslog.severity.code", setter: fld_set}]}, - "action": {to:[{field: "event.action", setter: fld_prio, prio: 0}]}, - "administrator": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 4}]}, - "alias.ip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 3},{field: "related.ip", setter: fld_append}]}, - "alias.ipv6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 4},{field: "related.ip", setter: fld_append}]}, - "alias.mac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 1}]}, - "application": {to:[{field: "network.application", setter: fld_set}]}, - "bytes": {convert: to_long, to:[{field: "network.bytes", setter: fld_set}]}, - "c_domain": {to:[{field: "source.domain", setter: fld_prio, prio: 1}]}, - "c_logon_id": {to:[{field: "user.id", setter: fld_prio, prio: 2}]}, - 
"c_user_name": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 8}]}, - "c_username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 2}]}, - "cctld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 1}]}, - "child_pid": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 1}]}, - "child_pid_val": {to:[{field: "process.title", setter: fld_set}]}, - "child_process": {to:[{field: "process.name", setter: fld_prio, prio: 1}]}, - "city.dst": {to:[{field: "destination.geo.city_name", setter: fld_set}]}, - "city.src": {to:[{field: "source.geo.city_name", setter: fld_set}]}, - "daddr": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, - "daddr_v6": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, - "ddomain": {to:[{field: "destination.domain", setter: fld_prio, prio: 0}]}, - "devicehostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, - "devicehostmac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 0}]}, - "dhost": {to:[{field: "destination.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]}, - "dinterface": {to:[{field: "observer.egress.interface.name", setter: fld_set}]}, - "direction": {to:[{field: "network.direction", setter: fld_set}]}, - "directory": {to:[{field: "file.directory", setter: fld_set}]}, - "dmacaddr": {convert: to_mac, to:[{field: "destination.mac", setter: fld_set}]}, - "dns.responsetype": {to:[{field: "dns.answers.type", setter: fld_set}]}, - "dns.resptext": {to:[{field: "dns.answers.name", setter: fld_set}]}, - "dns_querytype": {to:[{field: "dns.question.type", setter: fld_set}]}, - "domain": {to:[{field: "server.domain", setter: fld_prio, prio: 0},{field: "related.hosts", setter: fld_append}]}, - 
"domain.dst": {to:[{field: "destination.domain", setter: fld_prio, prio: 1}]}, - "domain.src": {to:[{field: "source.domain", setter: fld_prio, prio: 2}]}, - "domain_id": {to:[{field: "user.domain", setter: fld_set}]}, - "domainname": {to:[{field: "server.domain", setter: fld_prio, prio: 1}]}, - "dport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 0}]}, - "dtransaddr": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, - "dtransport": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 0}]}, - "ec_outcome": {to:[{field: "event.outcome", setter: fld_ecs_outcome}]}, - "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]}, - "event_source": {to:[{field: "related.hosts", setter: fld_append}]}, - "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]}, - "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]}, - "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]}, - "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]}, - "filename": {to:[{field: "file.name", setter: fld_prio, prio: 0}]}, - "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]}, - "filepath": {to:[{field: "file.path", setter: fld_set}]}, - "filetype": {to:[{field: "file.type", setter: fld_set}]}, - "fqdn": {to:[{field: "related.hosts", setter: fld_append}]}, - "group": {to:[{field: "group.name", setter: fld_set}]}, - "groupid": {to:[{field: "group.id", setter: fld_set}]}, - "host": {to:[{field: "host.name", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]}, - "hostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, - "hostip_v6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, - "hostname": {to:[{field: 
"host.name", setter: fld_prio, prio: 0}]}, - "id": {to:[{field: "event.code", setter: fld_prio, prio: 0}]}, - "interface": {to:[{field: "network.interface.name", setter: fld_set}]}, - "ip.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, - "ip.trans.dst": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, - "ip.trans.src": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, - "ipv6.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, - "latdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lat", setter: fld_set}]}, - "latdec_src": {convert: to_double, to:[{field: "source.geo.location.lat", setter: fld_set}]}, - "location_city": {to:[{field: "geo.city_name", setter: fld_set}]}, - "location_country": {to:[{field: "geo.country_name", setter: fld_set}]}, - "location_desc": {to:[{field: "geo.name", setter: fld_set}]}, - "location_dst": {to:[{field: "destination.geo.country_name", setter: fld_set}]}, - "location_src": {to:[{field: "source.geo.country_name", setter: fld_set}]}, - "location_state": {to:[{field: "geo.region_name", setter: fld_set}]}, - "logon_id": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 5}]}, - "longdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lon", setter: fld_set}]}, - "longdec_src": {convert: to_double, to:[{field: "source.geo.location.lon", setter: fld_set}]}, - "macaddr": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 2}]}, - "messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]}, - "method": {to:[{field: "http.request.method", setter: fld_set}]}, - "msg": {to:[{field: "message", setter: fld_set}]}, - "orig_ip": {convert: to_ip, 
to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, - "owner": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 6}]}, - "packets": {convert: to_long, to:[{field: "network.packets", setter: fld_set}]}, - "parent_pid": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 0}]}, - "parent_pid_val": {to:[{field: "process.parent.title", setter: fld_set}]}, - "parent_process": {to:[{field: "process.parent.name", setter: fld_prio, prio: 0}]}, - "patient_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 1}]}, - "port.dst": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 1}]}, - "port.src": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 1}]}, - "port.trans.dst": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 1}]}, - "port.trans.src": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 1}]}, - "process": {to:[{field: "process.name", setter: fld_prio, prio: 0}]}, - "process_id": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 0}]}, - "process_id_src": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 1}]}, - "process_src": {to:[{field: "process.parent.name", setter: fld_prio, prio: 1}]}, - "product": {to:[{field: "observer.product", setter: fld_set}]}, - "protocol": {to:[{field: "network.protocol", setter: fld_set}]}, - "query": {to:[{field: "url.query", setter: fld_prio, prio: 2}]}, - "rbytes": {convert: to_long, to:[{field: "destination.bytes", setter: fld_set}]}, - "referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 1}]}, - "rulename": {to:[{field: "rule.name", setter: fld_set}]}, - "saddr": {convert: to_ip, to:[{field: "source.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, - "saddr_v6": {convert: to_ip, to:[{field: "source.ip", setter: 
fld_set},{field: "related.ip", setter: fld_append}]}, - "sbytes": {convert: to_long, to:[{field: "source.bytes", setter: fld_set}]}, - "sdomain": {to:[{field: "source.domain", setter: fld_prio, prio: 0}]}, - "service": {to:[{field: "service.name", setter: fld_prio, prio: 1}]}, - "service.name": {to:[{field: "service.name", setter: fld_prio, prio: 0}]}, - "service_account": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 7}]}, - "severity": {to:[{field: "log.level", setter: fld_set}]}, - "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]}, - "sinterface": {to:[{field: "observer.ingress.interface.name", setter: fld_set}]}, - "sld": {to:[{field: "url.registered_domain", setter: fld_set}]}, - "smacaddr": {convert: to_mac, to:[{field: "source.mac", setter: fld_set}]}, - "sport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 0}]}, - "stransaddr": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, - "stransport": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 0}]}, - "tcp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 2}]}, - "tcp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 2}]}, - "timezone": {to:[{field: "event.timezone", setter: fld_set}]}, - "tld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 0}]}, - "udp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 3}]}, - "udp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 3}]}, - "uid": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 3}]}, - "url": {to:[{field: "url.original", setter: fld_prio, prio: 1}]}, - "url_raw": {to:[{field: "url.original", setter: fld_prio, prio: 
0}]}, - "urldomain": {to:[{field: "url.domain", setter: fld_prio, prio: 0}]}, - "urlquery": {to:[{field: "url.query", setter: fld_prio, prio: 0}]}, - "user": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 0}]}, - "user.id": {to:[{field: "user.id", setter: fld_prio, prio: 1}]}, - "user_agent": {to:[{field: "user_agent.original", setter: fld_set}]}, - "user_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 0}]}, - "user_id": {to:[{field: "user.id", setter: fld_prio, prio: 0}]}, - "username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 1}]}, - "version": {to:[{field: "observer.version", setter: fld_set}]}, - "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]}, - "web_extension": {to:[{field: "file.extension", setter: fld_prio, prio: 0}]}, - "web_query": {to:[{field: "url.query", setter: fld_prio, prio: 1}]}, - "web_ref_domain": {to:[{field: "related.hosts", setter: fld_append}]}, - "web_referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 0}]}, - "web_root": {to:[{field: "url.path", setter: fld_set}]}, - "webpage": {to:[{field: "file.name", setter: fld_prio, prio: 1}]}, - }; - - var rsa_mappings = { - "access_point": {to:[{field: "rsa.wireless.access_point", setter: fld_set}]}, - "accesses": {to:[{field: "rsa.identity.accesses", setter: fld_set}]}, - "acl_id": {to:[{field: "rsa.misc.acl_id", setter: fld_set}]}, - "acl_op": {to:[{field: "rsa.misc.acl_op", setter: fld_set}]}, - "acl_pos": {to:[{field: "rsa.misc.acl_pos", setter: fld_set}]}, - "acl_table": {to:[{field: "rsa.misc.acl_table", setter: fld_set}]}, - "action": {to:[{field: "rsa.misc.action", setter: fld_append}]}, - "ad_computer_dst": {to:[{field: "rsa.network.ad_computer_dst", setter: fld_set}]}, - "addr": {to:[{field: "rsa.network.addr", setter: fld_set}]}, - "admin": {to:[{field: "rsa.misc.admin", setter: 
fld_set}]}, - "agent": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 0}]}, - "agent.id": {to:[{field: "rsa.misc.agent_id", setter: fld_set}]}, - "alarm_id": {to:[{field: "rsa.misc.alarm_id", setter: fld_set}]}, - "alarmname": {to:[{field: "rsa.misc.alarmname", setter: fld_set}]}, - "alert": {to:[{field: "rsa.threat.alert", setter: fld_set}]}, - "alert_id": {to:[{field: "rsa.misc.alert_id", setter: fld_set}]}, - "alias.host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "analysis.file": {to:[{field: "rsa.investigations.analysis_file", setter: fld_set}]}, - "analysis.service": {to:[{field: "rsa.investigations.analysis_service", setter: fld_set}]}, - "analysis.session": {to:[{field: "rsa.investigations.analysis_session", setter: fld_set}]}, - "app_id": {to:[{field: "rsa.misc.app_id", setter: fld_set}]}, - "attachment": {to:[{field: "rsa.file.attachment", setter: fld_set}]}, - "audit": {to:[{field: "rsa.misc.audit", setter: fld_set}]}, - "audit_class": {to:[{field: "rsa.internal.audit_class", setter: fld_set}]}, - "audit_object": {to:[{field: "rsa.misc.audit_object", setter: fld_set}]}, - "auditdata": {to:[{field: "rsa.misc.auditdata", setter: fld_set}]}, - "authmethod": {to:[{field: "rsa.identity.auth_method", setter: fld_set}]}, - "autorun_type": {to:[{field: "rsa.misc.autorun_type", setter: fld_set}]}, - "bcc": {to:[{field: "rsa.email.email", setter: fld_append}]}, - "benchmark": {to:[{field: "rsa.misc.benchmark", setter: fld_set}]}, - "binary": {to:[{field: "rsa.file.binary", setter: fld_set}]}, - "boc": {to:[{field: "rsa.investigations.boc", setter: fld_set}]}, - "bssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 1}]}, - "bypass": {to:[{field: "rsa.misc.bypass", setter: fld_set}]}, - "c_sid": {to:[{field: "rsa.identity.user_sid_src", setter: fld_set}]}, - "cache": {to:[{field: "rsa.misc.cache", setter: fld_set}]}, - "cache_hit": {to:[{field: "rsa.misc.cache_hit", setter: fld_set}]}, - "calling_from": {to:[{field: 
"rsa.misc.phone", setter: fld_prio, prio: 1}]}, - "calling_to": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 0}]}, - "category": {to:[{field: "rsa.misc.category", setter: fld_set}]}, - "cc": {to:[{field: "rsa.email.email", setter: fld_append}]}, - "cc.number": {convert: to_long, to:[{field: "rsa.misc.cc_number", setter: fld_set}]}, - "cefversion": {to:[{field: "rsa.misc.cefversion", setter: fld_set}]}, - "cert.serial": {to:[{field: "rsa.crypto.cert_serial", setter: fld_set}]}, - "cert_ca": {to:[{field: "rsa.crypto.cert_ca", setter: fld_set}]}, - "cert_checksum": {to:[{field: "rsa.crypto.cert_checksum", setter: fld_set}]}, - "cert_common": {to:[{field: "rsa.crypto.cert_common", setter: fld_set}]}, - "cert_error": {to:[{field: "rsa.crypto.cert_error", setter: fld_set}]}, - "cert_hostname": {to:[{field: "rsa.crypto.cert_host_name", setter: fld_set}]}, - "cert_hostname_cat": {to:[{field: "rsa.crypto.cert_host_cat", setter: fld_set}]}, - "cert_issuer": {to:[{field: "rsa.crypto.cert_issuer", setter: fld_set}]}, - "cert_keysize": {to:[{field: "rsa.crypto.cert_keysize", setter: fld_set}]}, - "cert_status": {to:[{field: "rsa.crypto.cert_status", setter: fld_set}]}, - "cert_subject": {to:[{field: "rsa.crypto.cert_subject", setter: fld_set}]}, - "cert_username": {to:[{field: "rsa.crypto.cert_username", setter: fld_set}]}, - "cfg.attr": {to:[{field: "rsa.misc.cfg_attr", setter: fld_set}]}, - "cfg.obj": {to:[{field: "rsa.misc.cfg_obj", setter: fld_set}]}, - "cfg.path": {to:[{field: "rsa.misc.cfg_path", setter: fld_set}]}, - "change_attribute": {to:[{field: "rsa.misc.change_attrib", setter: fld_set}]}, - "change_new": {to:[{field: "rsa.misc.change_new", setter: fld_set}]}, - "change_old": {to:[{field: "rsa.misc.change_old", setter: fld_set}]}, - "changes": {to:[{field: "rsa.misc.changes", setter: fld_set}]}, - "checksum": {to:[{field: "rsa.misc.checksum", setter: fld_set}]}, - "checksum.dst": {to:[{field: "rsa.misc.checksum_dst", setter: fld_set}]}, - "checksum.src": 
{to:[{field: "rsa.misc.checksum_src", setter: fld_set}]}, - "cid": {to:[{field: "rsa.internal.cid", setter: fld_set}]}, - "client": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 1}]}, - "client_ip": {to:[{field: "rsa.misc.client_ip", setter: fld_set}]}, - "clustermembers": {to:[{field: "rsa.misc.clustermembers", setter: fld_set}]}, - "cmd": {to:[{field: "rsa.misc.cmd", setter: fld_set}]}, - "cn_acttimeout": {to:[{field: "rsa.misc.cn_acttimeout", setter: fld_set}]}, - "cn_asn_dst": {to:[{field: "rsa.web.cn_asn_dst", setter: fld_set}]}, - "cn_asn_src": {to:[{field: "rsa.misc.cn_asn_src", setter: fld_set}]}, - "cn_bgpv4nxthop": {to:[{field: "rsa.misc.cn_bgpv4nxthop", setter: fld_set}]}, - "cn_ctr_dst_code": {to:[{field: "rsa.misc.cn_ctr_dst_code", setter: fld_set}]}, - "cn_dst_tos": {to:[{field: "rsa.misc.cn_dst_tos", setter: fld_set}]}, - "cn_dst_vlan": {to:[{field: "rsa.misc.cn_dst_vlan", setter: fld_set}]}, - "cn_engine_id": {to:[{field: "rsa.misc.cn_engine_id", setter: fld_set}]}, - "cn_engine_type": {to:[{field: "rsa.misc.cn_engine_type", setter: fld_set}]}, - "cn_f_switch": {to:[{field: "rsa.misc.cn_f_switch", setter: fld_set}]}, - "cn_flowsampid": {to:[{field: "rsa.misc.cn_flowsampid", setter: fld_set}]}, - "cn_flowsampintv": {to:[{field: "rsa.misc.cn_flowsampintv", setter: fld_set}]}, - "cn_flowsampmode": {to:[{field: "rsa.misc.cn_flowsampmode", setter: fld_set}]}, - "cn_inacttimeout": {to:[{field: "rsa.misc.cn_inacttimeout", setter: fld_set}]}, - "cn_inpermbyts": {to:[{field: "rsa.misc.cn_inpermbyts", setter: fld_set}]}, - "cn_inpermpckts": {to:[{field: "rsa.misc.cn_inpermpckts", setter: fld_set}]}, - "cn_invalid": {to:[{field: "rsa.misc.cn_invalid", setter: fld_set}]}, - "cn_ip_proto_ver": {to:[{field: "rsa.misc.cn_ip_proto_ver", setter: fld_set}]}, - "cn_ipv4_ident": {to:[{field: "rsa.misc.cn_ipv4_ident", setter: fld_set}]}, - "cn_l_switch": {to:[{field: "rsa.misc.cn_l_switch", setter: fld_set}]}, - "cn_log_did": {to:[{field: 
"rsa.misc.cn_log_did", setter: fld_set}]}, - "cn_log_rid": {to:[{field: "rsa.misc.cn_log_rid", setter: fld_set}]}, - "cn_max_ttl": {to:[{field: "rsa.misc.cn_max_ttl", setter: fld_set}]}, - "cn_maxpcktlen": {to:[{field: "rsa.misc.cn_maxpcktlen", setter: fld_set}]}, - "cn_min_ttl": {to:[{field: "rsa.misc.cn_min_ttl", setter: fld_set}]}, - "cn_minpcktlen": {to:[{field: "rsa.misc.cn_minpcktlen", setter: fld_set}]}, - "cn_mpls_lbl_1": {to:[{field: "rsa.misc.cn_mpls_lbl_1", setter: fld_set}]}, - "cn_mpls_lbl_10": {to:[{field: "rsa.misc.cn_mpls_lbl_10", setter: fld_set}]}, - "cn_mpls_lbl_2": {to:[{field: "rsa.misc.cn_mpls_lbl_2", setter: fld_set}]}, - "cn_mpls_lbl_3": {to:[{field: "rsa.misc.cn_mpls_lbl_3", setter: fld_set}]}, - "cn_mpls_lbl_4": {to:[{field: "rsa.misc.cn_mpls_lbl_4", setter: fld_set}]}, - "cn_mpls_lbl_5": {to:[{field: "rsa.misc.cn_mpls_lbl_5", setter: fld_set}]}, - "cn_mpls_lbl_6": {to:[{field: "rsa.misc.cn_mpls_lbl_6", setter: fld_set}]}, - "cn_mpls_lbl_7": {to:[{field: "rsa.misc.cn_mpls_lbl_7", setter: fld_set}]}, - "cn_mpls_lbl_8": {to:[{field: "rsa.misc.cn_mpls_lbl_8", setter: fld_set}]}, - "cn_mpls_lbl_9": {to:[{field: "rsa.misc.cn_mpls_lbl_9", setter: fld_set}]}, - "cn_mplstoplabel": {to:[{field: "rsa.misc.cn_mplstoplabel", setter: fld_set}]}, - "cn_mplstoplabip": {to:[{field: "rsa.misc.cn_mplstoplabip", setter: fld_set}]}, - "cn_mul_dst_byt": {to:[{field: "rsa.misc.cn_mul_dst_byt", setter: fld_set}]}, - "cn_mul_dst_pks": {to:[{field: "rsa.misc.cn_mul_dst_pks", setter: fld_set}]}, - "cn_muligmptype": {to:[{field: "rsa.misc.cn_muligmptype", setter: fld_set}]}, - "cn_rpackets": {to:[{field: "rsa.web.cn_rpackets", setter: fld_set}]}, - "cn_sampalgo": {to:[{field: "rsa.misc.cn_sampalgo", setter: fld_set}]}, - "cn_sampint": {to:[{field: "rsa.misc.cn_sampint", setter: fld_set}]}, - "cn_seqctr": {to:[{field: "rsa.misc.cn_seqctr", setter: fld_set}]}, - "cn_spackets": {to:[{field: "rsa.misc.cn_spackets", setter: fld_set}]}, - "cn_src_tos": {to:[{field: 
"rsa.misc.cn_src_tos", setter: fld_set}]}, - "cn_src_vlan": {to:[{field: "rsa.misc.cn_src_vlan", setter: fld_set}]}, - "cn_sysuptime": {to:[{field: "rsa.misc.cn_sysuptime", setter: fld_set}]}, - "cn_template_id": {to:[{field: "rsa.misc.cn_template_id", setter: fld_set}]}, - "cn_totbytsexp": {to:[{field: "rsa.misc.cn_totbytsexp", setter: fld_set}]}, - "cn_totflowexp": {to:[{field: "rsa.misc.cn_totflowexp", setter: fld_set}]}, - "cn_totpcktsexp": {to:[{field: "rsa.misc.cn_totpcktsexp", setter: fld_set}]}, - "cn_unixnanosecs": {to:[{field: "rsa.misc.cn_unixnanosecs", setter: fld_set}]}, - "cn_v6flowlabel": {to:[{field: "rsa.misc.cn_v6flowlabel", setter: fld_set}]}, - "cn_v6optheaders": {to:[{field: "rsa.misc.cn_v6optheaders", setter: fld_set}]}, - "code": {to:[{field: "rsa.misc.code", setter: fld_set}]}, - "command": {to:[{field: "rsa.misc.command", setter: fld_set}]}, - "comments": {to:[{field: "rsa.misc.comments", setter: fld_set}]}, - "comp_class": {to:[{field: "rsa.misc.comp_class", setter: fld_set}]}, - "comp_name": {to:[{field: "rsa.misc.comp_name", setter: fld_set}]}, - "comp_rbytes": {to:[{field: "rsa.misc.comp_rbytes", setter: fld_set}]}, - "comp_sbytes": {to:[{field: "rsa.misc.comp_sbytes", setter: fld_set}]}, - "component_version": {to:[{field: "rsa.misc.comp_version", setter: fld_set}]}, - "connection_id": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 1}]}, - "connectionid": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 0}]}, - "content": {to:[{field: "rsa.misc.content", setter: fld_set}]}, - "content_type": {to:[{field: "rsa.misc.content_type", setter: fld_set}]}, - "content_version": {to:[{field: "rsa.misc.content_version", setter: fld_set}]}, - "context": {to:[{field: "rsa.misc.context", setter: fld_set}]}, - "count": {to:[{field: "rsa.misc.count", setter: fld_set}]}, - "cpu": {convert: to_long, to:[{field: "rsa.misc.cpu", setter: fld_set}]}, - "cpu_data": {to:[{field: "rsa.misc.cpu_data", setter: fld_set}]}, - 
"criticality": {to:[{field: "rsa.misc.criticality", setter: fld_set}]}, - "cs_agency_dst": {to:[{field: "rsa.misc.cs_agency_dst", setter: fld_set}]}, - "cs_analyzedby": {to:[{field: "rsa.misc.cs_analyzedby", setter: fld_set}]}, - "cs_av_other": {to:[{field: "rsa.misc.cs_av_other", setter: fld_set}]}, - "cs_av_primary": {to:[{field: "rsa.misc.cs_av_primary", setter: fld_set}]}, - "cs_av_secondary": {to:[{field: "rsa.misc.cs_av_secondary", setter: fld_set}]}, - "cs_bgpv6nxthop": {to:[{field: "rsa.misc.cs_bgpv6nxthop", setter: fld_set}]}, - "cs_bit9status": {to:[{field: "rsa.misc.cs_bit9status", setter: fld_set}]}, - "cs_context": {to:[{field: "rsa.misc.cs_context", setter: fld_set}]}, - "cs_control": {to:[{field: "rsa.misc.cs_control", setter: fld_set}]}, - "cs_data": {to:[{field: "rsa.misc.cs_data", setter: fld_set}]}, - "cs_datecret": {to:[{field: "rsa.misc.cs_datecret", setter: fld_set}]}, - "cs_dst_tld": {to:[{field: "rsa.misc.cs_dst_tld", setter: fld_set}]}, - "cs_eth_dst_ven": {to:[{field: "rsa.misc.cs_eth_dst_ven", setter: fld_set}]}, - "cs_eth_src_ven": {to:[{field: "rsa.misc.cs_eth_src_ven", setter: fld_set}]}, - "cs_event_uuid": {to:[{field: "rsa.misc.cs_event_uuid", setter: fld_set}]}, - "cs_filetype": {to:[{field: "rsa.misc.cs_filetype", setter: fld_set}]}, - "cs_fld": {to:[{field: "rsa.misc.cs_fld", setter: fld_set}]}, - "cs_if_desc": {to:[{field: "rsa.misc.cs_if_desc", setter: fld_set}]}, - "cs_if_name": {to:[{field: "rsa.misc.cs_if_name", setter: fld_set}]}, - "cs_ip_next_hop": {to:[{field: "rsa.misc.cs_ip_next_hop", setter: fld_set}]}, - "cs_ipv4dstpre": {to:[{field: "rsa.misc.cs_ipv4dstpre", setter: fld_set}]}, - "cs_ipv4srcpre": {to:[{field: "rsa.misc.cs_ipv4srcpre", setter: fld_set}]}, - "cs_lifetime": {to:[{field: "rsa.misc.cs_lifetime", setter: fld_set}]}, - "cs_log_medium": {to:[{field: "rsa.misc.cs_log_medium", setter: fld_set}]}, - "cs_loginname": {to:[{field: "rsa.misc.cs_loginname", setter: fld_set}]}, - "cs_modulescore": {to:[{field: 
"rsa.misc.cs_modulescore", setter: fld_set}]}, - "cs_modulesign": {to:[{field: "rsa.misc.cs_modulesign", setter: fld_set}]}, - "cs_opswatresult": {to:[{field: "rsa.misc.cs_opswatresult", setter: fld_set}]}, - "cs_payload": {to:[{field: "rsa.misc.cs_payload", setter: fld_set}]}, - "cs_registrant": {to:[{field: "rsa.misc.cs_registrant", setter: fld_set}]}, - "cs_registrar": {to:[{field: "rsa.misc.cs_registrar", setter: fld_set}]}, - "cs_represult": {to:[{field: "rsa.misc.cs_represult", setter: fld_set}]}, - "cs_rpayload": {to:[{field: "rsa.misc.cs_rpayload", setter: fld_set}]}, - "cs_sampler_name": {to:[{field: "rsa.misc.cs_sampler_name", setter: fld_set}]}, - "cs_sourcemodule": {to:[{field: "rsa.misc.cs_sourcemodule", setter: fld_set}]}, - "cs_streams": {to:[{field: "rsa.misc.cs_streams", setter: fld_set}]}, - "cs_targetmodule": {to:[{field: "rsa.misc.cs_targetmodule", setter: fld_set}]}, - "cs_v6nxthop": {to:[{field: "rsa.misc.cs_v6nxthop", setter: fld_set}]}, - "cs_whois_server": {to:[{field: "rsa.misc.cs_whois_server", setter: fld_set}]}, - "cs_yararesult": {to:[{field: "rsa.misc.cs_yararesult", setter: fld_set}]}, - "cve": {to:[{field: "rsa.misc.cve", setter: fld_set}]}, - "d_certauth": {to:[{field: "rsa.crypto.d_certauth", setter: fld_set}]}, - "d_cipher": {to:[{field: "rsa.crypto.cipher_dst", setter: fld_set}]}, - "d_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_dst", setter: fld_set}]}, - "d_sslver": {to:[{field: "rsa.crypto.ssl_ver_dst", setter: fld_set}]}, - "data": {to:[{field: "rsa.internal.data", setter: fld_set}]}, - "data_type": {to:[{field: "rsa.misc.data_type", setter: fld_set}]}, - "date": {to:[{field: "rsa.time.date", setter: fld_set}]}, - "datetime": {to:[{field: "rsa.time.datetime", setter: fld_set}]}, - "day": {to:[{field: "rsa.time.day", setter: fld_set}]}, - "db_id": {to:[{field: "rsa.db.db_id", setter: fld_set}]}, - "db_name": {to:[{field: "rsa.db.database", setter: fld_set}]}, - "db_pid": {convert: to_long, to:[{field: 
"rsa.db.db_pid", setter: fld_set}]}, - "dclass_counter1": {convert: to_long, to:[{field: "rsa.counters.dclass_c1", setter: fld_set}]}, - "dclass_counter1_string": {to:[{field: "rsa.counters.dclass_c1_str", setter: fld_set}]}, - "dclass_counter2": {convert: to_long, to:[{field: "rsa.counters.dclass_c2", setter: fld_set}]}, - "dclass_counter2_string": {to:[{field: "rsa.counters.dclass_c2_str", setter: fld_set}]}, - "dclass_counter3": {convert: to_long, to:[{field: "rsa.counters.dclass_c3", setter: fld_set}]}, - "dclass_counter3_string": {to:[{field: "rsa.counters.dclass_c3_str", setter: fld_set}]}, - "dclass_ratio1": {to:[{field: "rsa.counters.dclass_r1", setter: fld_set}]}, - "dclass_ratio1_string": {to:[{field: "rsa.counters.dclass_r1_str", setter: fld_set}]}, - "dclass_ratio2": {to:[{field: "rsa.counters.dclass_r2", setter: fld_set}]}, - "dclass_ratio2_string": {to:[{field: "rsa.counters.dclass_r2_str", setter: fld_set}]}, - "dclass_ratio3": {to:[{field: "rsa.counters.dclass_r3", setter: fld_set}]}, - "dclass_ratio3_string": {to:[{field: "rsa.counters.dclass_r3_str", setter: fld_set}]}, - "dead": {convert: to_long, to:[{field: "rsa.internal.dead", setter: fld_set}]}, - "description": {to:[{field: "rsa.misc.description", setter: fld_set}]}, - "detail": {to:[{field: "rsa.misc.event_desc", setter: fld_set}]}, - "device": {to:[{field: "rsa.misc.device_name", setter: fld_set}]}, - "device.class": {to:[{field: "rsa.internal.device_class", setter: fld_set}]}, - "device.group": {to:[{field: "rsa.internal.device_group", setter: fld_set}]}, - "device.host": {to:[{field: "rsa.internal.device_host", setter: fld_set}]}, - "device.ip": {convert: to_ip, to:[{field: "rsa.internal.device_ip", setter: fld_set}]}, - "device.ipv6": {convert: to_ip, to:[{field: "rsa.internal.device_ipv6", setter: fld_set}]}, - "device.type": {to:[{field: "rsa.internal.device_type", setter: fld_set}]}, - "device.type.id": {convert: to_long, to:[{field: "rsa.internal.device_type_id", setter: fld_set}]}, 
- "devicehostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "devvendor": {to:[{field: "rsa.misc.devvendor", setter: fld_set}]}, - "dhost": {to:[{field: "rsa.network.host_dst", setter: fld_set}]}, - "did": {to:[{field: "rsa.internal.did", setter: fld_set}]}, - "dinterface": {to:[{field: "rsa.network.dinterface", setter: fld_set}]}, - "directory.dst": {to:[{field: "rsa.file.directory_dst", setter: fld_set}]}, - "directory.src": {to:[{field: "rsa.file.directory_src", setter: fld_set}]}, - "disk_volume": {to:[{field: "rsa.storage.disk_volume", setter: fld_set}]}, - "disposition": {to:[{field: "rsa.misc.disposition", setter: fld_set}]}, - "distance": {to:[{field: "rsa.misc.distance", setter: fld_set}]}, - "dmask": {to:[{field: "rsa.network.dmask", setter: fld_set}]}, - "dn": {to:[{field: "rsa.identity.dn", setter: fld_set}]}, - "dns_a_record": {to:[{field: "rsa.network.dns_a_record", setter: fld_set}]}, - "dns_cname_record": {to:[{field: "rsa.network.dns_cname_record", setter: fld_set}]}, - "dns_id": {to:[{field: "rsa.network.dns_id", setter: fld_set}]}, - "dns_opcode": {to:[{field: "rsa.network.dns_opcode", setter: fld_set}]}, - "dns_ptr_record": {to:[{field: "rsa.network.dns_ptr_record", setter: fld_set}]}, - "dns_resp": {to:[{field: "rsa.network.dns_resp", setter: fld_set}]}, - "dns_type": {to:[{field: "rsa.network.dns_type", setter: fld_set}]}, - "doc_number": {convert: to_long, to:[{field: "rsa.misc.doc_number", setter: fld_set}]}, - "domain": {to:[{field: "rsa.network.domain", setter: fld_set}]}, - "domain1": {to:[{field: "rsa.network.domain1", setter: fld_set}]}, - "dst_dn": {to:[{field: "rsa.identity.dn_dst", setter: fld_set}]}, - "dst_payload": {to:[{field: "rsa.misc.payload_dst", setter: fld_set}]}, - "dst_spi": {to:[{field: "rsa.misc.spi_dst", setter: fld_set}]}, - "dst_zone": {to:[{field: "rsa.network.zone_dst", setter: fld_set}]}, - "dstburb": {to:[{field: "rsa.misc.dstburb", setter: fld_set}]}, - "duration": {convert: to_double, 
to:[{field: "rsa.time.duration_time", setter: fld_set}]}, - "duration_string": {to:[{field: "rsa.time.duration_str", setter: fld_set}]}, - "ec_activity": {to:[{field: "rsa.investigations.ec_activity", setter: fld_set}]}, - "ec_outcome": {to:[{field: "rsa.investigations.ec_outcome", setter: fld_set}]}, - "ec_subject": {to:[{field: "rsa.investigations.ec_subject", setter: fld_set}]}, - "ec_theme": {to:[{field: "rsa.investigations.ec_theme", setter: fld_set}]}, - "edomain": {to:[{field: "rsa.misc.edomain", setter: fld_set}]}, - "edomaub": {to:[{field: "rsa.misc.edomaub", setter: fld_set}]}, - "effective_time": {convert: to_date, to:[{field: "rsa.time.effective_time", setter: fld_set}]}, - "ein.number": {convert: to_long, to:[{field: "rsa.misc.ein_number", setter: fld_set}]}, - "email": {to:[{field: "rsa.email.email", setter: fld_append}]}, - "encryption_type": {to:[{field: "rsa.crypto.crypto", setter: fld_set}]}, - "endtime": {convert: to_date, to:[{field: "rsa.time.endtime", setter: fld_set}]}, - "entropy.req": {convert: to_long, to:[{field: "rsa.internal.entropy_req", setter: fld_set}]}, - "entropy.res": {convert: to_long, to:[{field: "rsa.internal.entropy_res", setter: fld_set}]}, - "entry": {to:[{field: "rsa.internal.entry", setter: fld_set}]}, - "eoc": {to:[{field: "rsa.investigations.eoc", setter: fld_set}]}, - "error": {to:[{field: "rsa.misc.error", setter: fld_set}]}, - "eth_type": {convert: to_long, to:[{field: "rsa.network.eth_type", setter: fld_set}]}, - "euid": {to:[{field: "rsa.misc.euid", setter: fld_set}]}, - "event.cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 1}]}, - "event.cat.name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 1}]}, - "event_cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 0}]}, - "event_cat_name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 0}]}, - "event_category": {to:[{field: 
"rsa.misc.event_category", setter: fld_set}]}, - "event_computer": {to:[{field: "rsa.misc.event_computer", setter: fld_set}]}, - "event_counter": {convert: to_long, to:[{field: "rsa.counters.event_counter", setter: fld_set}]}, - "event_description": {to:[{field: "rsa.internal.event_desc", setter: fld_set}]}, - "event_id": {to:[{field: "rsa.misc.event_id", setter: fld_set}]}, - "event_log": {to:[{field: "rsa.misc.event_log", setter: fld_set}]}, - "event_name": {to:[{field: "rsa.internal.event_name", setter: fld_set}]}, - "event_queue_time": {convert: to_date, to:[{field: "rsa.time.event_queue_time", setter: fld_set}]}, - "event_source": {to:[{field: "rsa.misc.event_source", setter: fld_set}]}, - "event_state": {to:[{field: "rsa.misc.event_state", setter: fld_set}]}, - "event_time": {convert: to_date, to:[{field: "rsa.time.event_time", setter: fld_set}]}, - "event_time_str": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 1}]}, - "event_time_string": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 0}]}, - "event_type": {to:[{field: "rsa.misc.event_type", setter: fld_set}]}, - "event_user": {to:[{field: "rsa.misc.event_user", setter: fld_set}]}, - "eventtime": {to:[{field: "rsa.time.eventtime", setter: fld_set}]}, - "expected_val": {to:[{field: "rsa.misc.expected_val", setter: fld_set}]}, - "expiration_time": {convert: to_date, to:[{field: "rsa.time.expire_time", setter: fld_set}]}, - "expiration_time_string": {to:[{field: "rsa.time.expire_time_str", setter: fld_set}]}, - "facility": {to:[{field: "rsa.misc.facility", setter: fld_set}]}, - "facilityname": {to:[{field: "rsa.misc.facilityname", setter: fld_set}]}, - "faddr": {to:[{field: "rsa.network.faddr", setter: fld_set}]}, - "fcatnum": {to:[{field: "rsa.misc.fcatnum", setter: fld_set}]}, - "federated_idp": {to:[{field: "rsa.identity.federated_idp", setter: fld_set}]}, - "federated_sp": {to:[{field: "rsa.identity.federated_sp", setter: fld_set}]}, - "feed.category": {to:[{field: 
"rsa.internal.feed_category", setter: fld_set}]}, - "feed_desc": {to:[{field: "rsa.internal.feed_desc", setter: fld_set}]}, - "feed_name": {to:[{field: "rsa.internal.feed_name", setter: fld_set}]}, - "fhost": {to:[{field: "rsa.network.fhost", setter: fld_set}]}, - "file_entropy": {convert: to_double, to:[{field: "rsa.file.file_entropy", setter: fld_set}]}, - "file_vendor": {to:[{field: "rsa.file.file_vendor", setter: fld_set}]}, - "filename_dst": {to:[{field: "rsa.file.filename_dst", setter: fld_set}]}, - "filename_src": {to:[{field: "rsa.file.filename_src", setter: fld_set}]}, - "filename_tmp": {to:[{field: "rsa.file.filename_tmp", setter: fld_set}]}, - "filesystem": {to:[{field: "rsa.file.filesystem", setter: fld_set}]}, - "filter": {to:[{field: "rsa.misc.filter", setter: fld_set}]}, - "finterface": {to:[{field: "rsa.misc.finterface", setter: fld_set}]}, - "flags": {to:[{field: "rsa.misc.flags", setter: fld_set}]}, - "forensic_info": {to:[{field: "rsa.misc.forensic_info", setter: fld_set}]}, - "forward.ip": {convert: to_ip, to:[{field: "rsa.internal.forward_ip", setter: fld_set}]}, - "forward.ipv6": {convert: to_ip, to:[{field: "rsa.internal.forward_ipv6", setter: fld_set}]}, - "found": {to:[{field: "rsa.misc.found", setter: fld_set}]}, - "fport": {to:[{field: "rsa.network.fport", setter: fld_set}]}, - "fqdn": {to:[{field: "rsa.web.fqdn", setter: fld_set}]}, - "fresult": {convert: to_long, to:[{field: "rsa.misc.fresult", setter: fld_set}]}, - "from": {to:[{field: "rsa.email.email_src", setter: fld_set}]}, - "gaddr": {to:[{field: "rsa.misc.gaddr", setter: fld_set}]}, - "gateway": {to:[{field: "rsa.network.gateway", setter: fld_set}]}, - "gmtdate": {to:[{field: "rsa.time.gmtdate", setter: fld_set}]}, - "gmttime": {to:[{field: "rsa.time.gmttime", setter: fld_set}]}, - "group": {to:[{field: "rsa.misc.group", setter: fld_set}]}, - "group_object": {to:[{field: "rsa.misc.group_object", setter: fld_set}]}, - "groupid": {to:[{field: "rsa.misc.group_id", setter: 
fld_set}]}, - "h_code": {to:[{field: "rsa.internal.hcode", setter: fld_set}]}, - "hardware_id": {to:[{field: "rsa.misc.hardware_id", setter: fld_set}]}, - "header.id": {to:[{field: "rsa.internal.header_id", setter: fld_set}]}, - "host.orig": {to:[{field: "rsa.network.host_orig", setter: fld_set}]}, - "host.state": {to:[{field: "rsa.endpoint.host_state", setter: fld_set}]}, - "host.type": {to:[{field: "rsa.network.host_type", setter: fld_set}]}, - "host_role": {to:[{field: "rsa.identity.host_role", setter: fld_set}]}, - "hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "hostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "hour": {to:[{field: "rsa.time.hour", setter: fld_set}]}, - "https.insact": {to:[{field: "rsa.crypto.https_insact", setter: fld_set}]}, - "https.valid": {to:[{field: "rsa.crypto.https_valid", setter: fld_set}]}, - "icmpcode": {convert: to_long, to:[{field: "rsa.network.icmp_code", setter: fld_set}]}, - "icmptype": {convert: to_long, to:[{field: "rsa.network.icmp_type", setter: fld_set}]}, - "id": {to:[{field: "rsa.misc.reference_id", setter: fld_set}]}, - "id1": {to:[{field: "rsa.misc.reference_id1", setter: fld_set}]}, - "id2": {to:[{field: "rsa.misc.reference_id2", setter: fld_set}]}, - "id3": {to:[{field: "rsa.misc.id3", setter: fld_set}]}, - "ike": {to:[{field: "rsa.crypto.ike", setter: fld_set}]}, - "ike_cookie1": {to:[{field: "rsa.crypto.ike_cookie1", setter: fld_set}]}, - "ike_cookie2": {to:[{field: "rsa.crypto.ike_cookie2", setter: fld_set}]}, - "im_buddyid": {to:[{field: "rsa.misc.im_buddyid", setter: fld_set}]}, - "im_buddyname": {to:[{field: "rsa.misc.im_buddyname", setter: fld_set}]}, - "im_client": {to:[{field: "rsa.misc.im_client", setter: fld_set}]}, - "im_croomid": {to:[{field: "rsa.misc.im_croomid", setter: fld_set}]}, - "im_croomtype": {to:[{field: "rsa.misc.im_croomtype", setter: fld_set}]}, - "im_members": {to:[{field: "rsa.misc.im_members", setter: fld_set}]}, - "im_userid": 
{to:[{field: "rsa.misc.im_userid", setter: fld_set}]}, - "im_username": {to:[{field: "rsa.misc.im_username", setter: fld_set}]}, - "index": {to:[{field: "rsa.misc.index", setter: fld_set}]}, - "info": {to:[{field: "rsa.db.index", setter: fld_set}]}, - "inode": {convert: to_long, to:[{field: "rsa.internal.inode", setter: fld_set}]}, - "inout": {to:[{field: "rsa.misc.inout", setter: fld_set}]}, - "instance": {to:[{field: "rsa.db.instance", setter: fld_set}]}, - "interface": {to:[{field: "rsa.network.interface", setter: fld_set}]}, - "inv.category": {to:[{field: "rsa.investigations.inv_category", setter: fld_set}]}, - "inv.context": {to:[{field: "rsa.investigations.inv_context", setter: fld_set}]}, - "ioc": {to:[{field: "rsa.investigations.ioc", setter: fld_set}]}, - "ip_proto": {convert: to_long, to:[{field: "rsa.network.ip_proto", setter: fld_set}]}, - "ipkt": {to:[{field: "rsa.misc.ipkt", setter: fld_set}]}, - "ipscat": {to:[{field: "rsa.misc.ipscat", setter: fld_set}]}, - "ipspri": {to:[{field: "rsa.misc.ipspri", setter: fld_set}]}, - "jobname": {to:[{field: "rsa.misc.jobname", setter: fld_set}]}, - "jobnum": {to:[{field: "rsa.misc.job_num", setter: fld_set}]}, - "laddr": {to:[{field: "rsa.network.laddr", setter: fld_set}]}, - "language": {to:[{field: "rsa.misc.language", setter: fld_set}]}, - "latitude": {to:[{field: "rsa.misc.latitude", setter: fld_set}]}, - "lc.cid": {to:[{field: "rsa.internal.lc_cid", setter: fld_set}]}, - "lc.ctime": {convert: to_date, to:[{field: "rsa.internal.lc_ctime", setter: fld_set}]}, - "ldap": {to:[{field: "rsa.identity.ldap", setter: fld_set}]}, - "ldap.query": {to:[{field: "rsa.identity.ldap_query", setter: fld_set}]}, - "ldap.response": {to:[{field: "rsa.identity.ldap_response", setter: fld_set}]}, - "level": {convert: to_long, to:[{field: "rsa.internal.level", setter: fld_set}]}, - "lhost": {to:[{field: "rsa.network.lhost", setter: fld_set}]}, - "library": {to:[{field: "rsa.misc.library", setter: fld_set}]}, - "lifetime": 
{convert: to_long, to:[{field: "rsa.misc.lifetime", setter: fld_set}]}, - "linenum": {to:[{field: "rsa.misc.linenum", setter: fld_set}]}, - "link": {to:[{field: "rsa.misc.link", setter: fld_set}]}, - "linterface": {to:[{field: "rsa.network.linterface", setter: fld_set}]}, - "list_name": {to:[{field: "rsa.misc.list_name", setter: fld_set}]}, - "listnum": {to:[{field: "rsa.misc.listnum", setter: fld_set}]}, - "load_data": {to:[{field: "rsa.misc.load_data", setter: fld_set}]}, - "location_floor": {to:[{field: "rsa.misc.location_floor", setter: fld_set}]}, - "location_mark": {to:[{field: "rsa.misc.location_mark", setter: fld_set}]}, - "log_id": {to:[{field: "rsa.misc.log_id", setter: fld_set}]}, - "log_type": {to:[{field: "rsa.misc.log_type", setter: fld_set}]}, - "logid": {to:[{field: "rsa.misc.logid", setter: fld_set}]}, - "logip": {to:[{field: "rsa.misc.logip", setter: fld_set}]}, - "logname": {to:[{field: "rsa.misc.logname", setter: fld_set}]}, - "logon_type": {to:[{field: "rsa.identity.logon_type", setter: fld_set}]}, - "logon_type_desc": {to:[{field: "rsa.identity.logon_type_desc", setter: fld_set}]}, - "longitude": {to:[{field: "rsa.misc.longitude", setter: fld_set}]}, - "lport": {to:[{field: "rsa.misc.lport", setter: fld_set}]}, - "lread": {convert: to_long, to:[{field: "rsa.db.lread", setter: fld_set}]}, - "lun": {to:[{field: "rsa.storage.lun", setter: fld_set}]}, - "lwrite": {convert: to_long, to:[{field: "rsa.db.lwrite", setter: fld_set}]}, - "macaddr": {convert: to_mac, to:[{field: "rsa.network.eth_host", setter: fld_set}]}, - "mail_id": {to:[{field: "rsa.misc.mail_id", setter: fld_set}]}, - "mask": {to:[{field: "rsa.network.mask", setter: fld_set}]}, - "match": {to:[{field: "rsa.misc.match", setter: fld_set}]}, - "mbug_data": {to:[{field: "rsa.misc.mbug_data", setter: fld_set}]}, - "mcb.req": {convert: to_long, to:[{field: "rsa.internal.mcb_req", setter: fld_set}]}, - "mcb.res": {convert: to_long, to:[{field: "rsa.internal.mcb_res", setter: fld_set}]}, - 
"mcbc.req": {convert: to_long, to:[{field: "rsa.internal.mcbc_req", setter: fld_set}]}, - "mcbc.res": {convert: to_long, to:[{field: "rsa.internal.mcbc_res", setter: fld_set}]}, - "medium": {convert: to_long, to:[{field: "rsa.internal.medium", setter: fld_set}]}, - "message": {to:[{field: "rsa.internal.message", setter: fld_set}]}, - "message_body": {to:[{field: "rsa.misc.message_body", setter: fld_set}]}, - "messageid": {to:[{field: "rsa.internal.messageid", setter: fld_set}]}, - "min": {to:[{field: "rsa.time.min", setter: fld_set}]}, - "misc": {to:[{field: "rsa.misc.misc", setter: fld_set}]}, - "misc_name": {to:[{field: "rsa.misc.misc_name", setter: fld_set}]}, - "mode": {to:[{field: "rsa.misc.mode", setter: fld_set}]}, - "month": {to:[{field: "rsa.time.month", setter: fld_set}]}, - "msg": {to:[{field: "rsa.internal.msg", setter: fld_set}]}, - "msgIdPart1": {to:[{field: "rsa.misc.msgIdPart1", setter: fld_set}]}, - "msgIdPart2": {to:[{field: "rsa.misc.msgIdPart2", setter: fld_set}]}, - "msgIdPart3": {to:[{field: "rsa.misc.msgIdPart3", setter: fld_set}]}, - "msgIdPart4": {to:[{field: "rsa.misc.msgIdPart4", setter: fld_set}]}, - "msg_id": {to:[{field: "rsa.internal.msg_id", setter: fld_set}]}, - "msg_type": {to:[{field: "rsa.misc.msg_type", setter: fld_set}]}, - "msgid": {to:[{field: "rsa.misc.msgid", setter: fld_set}]}, - "name": {to:[{field: "rsa.misc.name", setter: fld_set}]}, - "netname": {to:[{field: "rsa.network.netname", setter: fld_set}]}, - "netsessid": {to:[{field: "rsa.misc.netsessid", setter: fld_set}]}, - "network_port": {convert: to_long, to:[{field: "rsa.network.network_port", setter: fld_set}]}, - "network_service": {to:[{field: "rsa.network.network_service", setter: fld_set}]}, - "node": {to:[{field: "rsa.misc.node", setter: fld_set}]}, - "nodename": {to:[{field: "rsa.internal.node_name", setter: fld_set}]}, - "ntype": {to:[{field: "rsa.misc.ntype", setter: fld_set}]}, - "num": {to:[{field: "rsa.misc.num", setter: fld_set}]}, - "number": 
{to:[{field: "rsa.misc.number", setter: fld_set}]}, - "number1": {to:[{field: "rsa.misc.number1", setter: fld_set}]}, - "number2": {to:[{field: "rsa.misc.number2", setter: fld_set}]}, - "nwe.callback_id": {to:[{field: "rsa.internal.nwe_callback_id", setter: fld_set}]}, - "nwwn": {to:[{field: "rsa.misc.nwwn", setter: fld_set}]}, - "obj_id": {to:[{field: "rsa.internal.obj_id", setter: fld_set}]}, - "obj_name": {to:[{field: "rsa.misc.obj_name", setter: fld_set}]}, - "obj_server": {to:[{field: "rsa.internal.obj_server", setter: fld_set}]}, - "obj_type": {to:[{field: "rsa.misc.obj_type", setter: fld_set}]}, - "obj_value": {to:[{field: "rsa.internal.obj_val", setter: fld_set}]}, - "object": {to:[{field: "rsa.misc.object", setter: fld_set}]}, - "observed_val": {to:[{field: "rsa.misc.observed_val", setter: fld_set}]}, - "operation": {to:[{field: "rsa.misc.operation", setter: fld_set}]}, - "operation_id": {to:[{field: "rsa.misc.operation_id", setter: fld_set}]}, - "opkt": {to:[{field: "rsa.misc.opkt", setter: fld_set}]}, - "org.dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 1}]}, - "org.src": {to:[{field: "rsa.physical.org_src", setter: fld_set}]}, - "org_dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 0}]}, - "orig_from": {to:[{field: "rsa.misc.orig_from", setter: fld_set}]}, - "origin": {to:[{field: "rsa.network.origin", setter: fld_set}]}, - "original_owner": {to:[{field: "rsa.identity.owner", setter: fld_set}]}, - "os": {to:[{field: "rsa.misc.OS", setter: fld_set}]}, - "owner_id": {to:[{field: "rsa.misc.owner_id", setter: fld_set}]}, - "p_action": {to:[{field: "rsa.misc.p_action", setter: fld_set}]}, - "p_date": {to:[{field: "rsa.time.p_date", setter: fld_set}]}, - "p_filter": {to:[{field: "rsa.misc.p_filter", setter: fld_set}]}, - "p_group_object": {to:[{field: "rsa.misc.p_group_object", setter: fld_set}]}, - "p_id": {to:[{field: "rsa.misc.p_id", setter: fld_set}]}, - "p_month": {to:[{field: "rsa.time.p_month", setter: fld_set}]}, 
- "p_msgid": {to:[{field: "rsa.misc.p_msgid", setter: fld_set}]}, - "p_msgid1": {to:[{field: "rsa.misc.p_msgid1", setter: fld_set}]}, - "p_msgid2": {to:[{field: "rsa.misc.p_msgid2", setter: fld_set}]}, - "p_result1": {to:[{field: "rsa.misc.p_result1", setter: fld_set}]}, - "p_time": {to:[{field: "rsa.time.p_time", setter: fld_set}]}, - "p_time1": {to:[{field: "rsa.time.p_time1", setter: fld_set}]}, - "p_time2": {to:[{field: "rsa.time.p_time2", setter: fld_set}]}, - "p_url": {to:[{field: "rsa.web.p_url", setter: fld_set}]}, - "p_user_agent": {to:[{field: "rsa.web.p_user_agent", setter: fld_set}]}, - "p_web_cookie": {to:[{field: "rsa.web.p_web_cookie", setter: fld_set}]}, - "p_web_method": {to:[{field: "rsa.web.p_web_method", setter: fld_set}]}, - "p_web_referer": {to:[{field: "rsa.web.p_web_referer", setter: fld_set}]}, - "p_year": {to:[{field: "rsa.time.p_year", setter: fld_set}]}, - "packet_length": {to:[{field: "rsa.network.packet_length", setter: fld_set}]}, - "paddr": {convert: to_ip, to:[{field: "rsa.network.paddr", setter: fld_set}]}, - "param": {to:[{field: "rsa.misc.param", setter: fld_set}]}, - "param.dst": {to:[{field: "rsa.misc.param_dst", setter: fld_set}]}, - "param.src": {to:[{field: "rsa.misc.param_src", setter: fld_set}]}, - "parent_node": {to:[{field: "rsa.misc.parent_node", setter: fld_set}]}, - "parse.error": {to:[{field: "rsa.internal.parse_error", setter: fld_set}]}, - "password": {to:[{field: "rsa.identity.password", setter: fld_set}]}, - "password_chg": {to:[{field: "rsa.misc.password_chg", setter: fld_set}]}, - "password_expire": {to:[{field: "rsa.misc.password_expire", setter: fld_set}]}, - "patient_fname": {to:[{field: "rsa.healthcare.patient_fname", setter: fld_set}]}, - "patient_id": {to:[{field: "rsa.healthcare.patient_id", setter: fld_set}]}, - "patient_lname": {to:[{field: "rsa.healthcare.patient_lname", setter: fld_set}]}, - "patient_mname": {to:[{field: "rsa.healthcare.patient_mname", setter: fld_set}]}, - "payload.req": {convert: 
to_long, to:[{field: "rsa.internal.payload_req", setter: fld_set}]}, - "payload.res": {convert: to_long, to:[{field: "rsa.internal.payload_res", setter: fld_set}]}, - "peer": {to:[{field: "rsa.crypto.peer", setter: fld_set}]}, - "peer_id": {to:[{field: "rsa.crypto.peer_id", setter: fld_set}]}, - "permgranted": {to:[{field: "rsa.misc.permgranted", setter: fld_set}]}, - "permissions": {to:[{field: "rsa.db.permissions", setter: fld_set}]}, - "permwanted": {to:[{field: "rsa.misc.permwanted", setter: fld_set}]}, - "pgid": {to:[{field: "rsa.misc.pgid", setter: fld_set}]}, - "phone_number": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 2}]}, - "phost": {to:[{field: "rsa.network.phost", setter: fld_set}]}, - "pid": {to:[{field: "rsa.misc.pid", setter: fld_set}]}, - "policy": {to:[{field: "rsa.misc.policy", setter: fld_set}]}, - "policyUUID": {to:[{field: "rsa.misc.policyUUID", setter: fld_set}]}, - "policy_id": {to:[{field: "rsa.misc.policy_id", setter: fld_set}]}, - "policy_value": {to:[{field: "rsa.misc.policy_value", setter: fld_set}]}, - "policy_waiver": {to:[{field: "rsa.misc.policy_waiver", setter: fld_set}]}, - "policyname": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 0}]}, - "pool_id": {to:[{field: "rsa.misc.pool_id", setter: fld_set}]}, - "pool_name": {to:[{field: "rsa.misc.pool_name", setter: fld_set}]}, - "port": {convert: to_long, to:[{field: "rsa.network.port", setter: fld_set}]}, - "portname": {to:[{field: "rsa.misc.port_name", setter: fld_set}]}, - "pread": {convert: to_long, to:[{field: "rsa.db.pread", setter: fld_set}]}, - "priority": {to:[{field: "rsa.misc.priority", setter: fld_set}]}, - "privilege": {to:[{field: "rsa.file.privilege", setter: fld_set}]}, - "process.vid.dst": {to:[{field: "rsa.internal.process_vid_dst", setter: fld_set}]}, - "process.vid.src": {to:[{field: "rsa.internal.process_vid_src", setter: fld_set}]}, - "process_id_val": {to:[{field: "rsa.misc.process_id_val", setter: fld_set}]}, - "processing_time": 
{to:[{field: "rsa.time.process_time", setter: fld_set}]}, - "profile": {to:[{field: "rsa.identity.profile", setter: fld_set}]}, - "prog_asp_num": {to:[{field: "rsa.misc.prog_asp_num", setter: fld_set}]}, - "program": {to:[{field: "rsa.misc.program", setter: fld_set}]}, - "protocol_detail": {to:[{field: "rsa.network.protocol_detail", setter: fld_set}]}, - "pwwn": {to:[{field: "rsa.storage.pwwn", setter: fld_set}]}, - "r_hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "real_data": {to:[{field: "rsa.misc.real_data", setter: fld_set}]}, - "realm": {to:[{field: "rsa.identity.realm", setter: fld_set}]}, - "reason": {to:[{field: "rsa.misc.reason", setter: fld_set}]}, - "rec_asp_device": {to:[{field: "rsa.misc.rec_asp_device", setter: fld_set}]}, - "rec_asp_num": {to:[{field: "rsa.misc.rec_asp_num", setter: fld_set}]}, - "rec_library": {to:[{field: "rsa.misc.rec_library", setter: fld_set}]}, - "recorded_time": {convert: to_date, to:[{field: "rsa.time.recorded_time", setter: fld_set}]}, - "recordnum": {to:[{field: "rsa.misc.recordnum", setter: fld_set}]}, - "registry.key": {to:[{field: "rsa.endpoint.registry_key", setter: fld_set}]}, - "registry.value": {to:[{field: "rsa.endpoint.registry_value", setter: fld_set}]}, - "remote_domain": {to:[{field: "rsa.web.remote_domain", setter: fld_set}]}, - "remote_domain_id": {to:[{field: "rsa.network.remote_domain_id", setter: fld_set}]}, - "reputation_num": {convert: to_double, to:[{field: "rsa.web.reputation_num", setter: fld_set}]}, - "resource": {to:[{field: "rsa.internal.resource", setter: fld_set}]}, - "resource_class": {to:[{field: "rsa.internal.resource_class", setter: fld_set}]}, - "result": {to:[{field: "rsa.misc.result", setter: fld_set}]}, - "result_code": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 1}]}, - "resultcode": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 0}]}, - "rid": {convert: to_long, to:[{field: "rsa.internal.rid", setter: fld_set}]}, - "risk": 
{to:[{field: "rsa.misc.risk", setter: fld_set}]}, - "risk_info": {to:[{field: "rsa.misc.risk_info", setter: fld_set}]}, - "risk_num": {convert: to_double, to:[{field: "rsa.misc.risk_num", setter: fld_set}]}, - "risk_num_comm": {convert: to_double, to:[{field: "rsa.misc.risk_num_comm", setter: fld_set}]}, - "risk_num_next": {convert: to_double, to:[{field: "rsa.misc.risk_num_next", setter: fld_set}]}, - "risk_num_sand": {convert: to_double, to:[{field: "rsa.misc.risk_num_sand", setter: fld_set}]}, - "risk_num_static": {convert: to_double, to:[{field: "rsa.misc.risk_num_static", setter: fld_set}]}, - "risk_suspicious": {to:[{field: "rsa.misc.risk_suspicious", setter: fld_set}]}, - "risk_warning": {to:[{field: "rsa.misc.risk_warning", setter: fld_set}]}, - "rpayload": {to:[{field: "rsa.network.rpayload", setter: fld_set}]}, - "ruid": {to:[{field: "rsa.misc.ruid", setter: fld_set}]}, - "rule": {to:[{field: "rsa.misc.rule", setter: fld_set}]}, - "rule_group": {to:[{field: "rsa.misc.rule_group", setter: fld_set}]}, - "rule_template": {to:[{field: "rsa.misc.rule_template", setter: fld_set}]}, - "rule_uid": {to:[{field: "rsa.misc.rule_uid", setter: fld_set}]}, - "rulename": {to:[{field: "rsa.misc.rule_name", setter: fld_set}]}, - "s_certauth": {to:[{field: "rsa.crypto.s_certauth", setter: fld_set}]}, - "s_cipher": {to:[{field: "rsa.crypto.cipher_src", setter: fld_set}]}, - "s_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_src", setter: fld_set}]}, - "s_context": {to:[{field: "rsa.misc.context_subject", setter: fld_set}]}, - "s_sslver": {to:[{field: "rsa.crypto.ssl_ver_src", setter: fld_set}]}, - "sburb": {to:[{field: "rsa.misc.sburb", setter: fld_set}]}, - "scheme": {to:[{field: "rsa.crypto.scheme", setter: fld_set}]}, - "sdomain_fld": {to:[{field: "rsa.misc.sdomain_fld", setter: fld_set}]}, - "search.text": {to:[{field: "rsa.misc.search_text", setter: fld_set}]}, - "sec": {to:[{field: "rsa.misc.sec", setter: fld_set}]}, - "second": {to:[{field: 
"rsa.misc.second", setter: fld_set}]}, - "sensor": {to:[{field: "rsa.misc.sensor", setter: fld_set}]}, - "sensorname": {to:[{field: "rsa.misc.sensorname", setter: fld_set}]}, - "seqnum": {to:[{field: "rsa.misc.seqnum", setter: fld_set}]}, - "serial_number": {to:[{field: "rsa.misc.serial_number", setter: fld_set}]}, - "service.account": {to:[{field: "rsa.identity.service_account", setter: fld_set}]}, - "session": {to:[{field: "rsa.misc.session", setter: fld_set}]}, - "session.split": {to:[{field: "rsa.internal.session_split", setter: fld_set}]}, - "sessionid": {to:[{field: "rsa.misc.log_session_id", setter: fld_set}]}, - "sessionid1": {to:[{field: "rsa.misc.log_session_id1", setter: fld_set}]}, - "sessiontype": {to:[{field: "rsa.misc.sessiontype", setter: fld_set}]}, - "severity": {to:[{field: "rsa.misc.severity", setter: fld_set}]}, - "sid": {to:[{field: "rsa.identity.user_sid_dst", setter: fld_set}]}, - "sig.name": {to:[{field: "rsa.misc.sig_name", setter: fld_set}]}, - "sigUUID": {to:[{field: "rsa.misc.sigUUID", setter: fld_set}]}, - "sigcat": {to:[{field: "rsa.misc.sigcat", setter: fld_set}]}, - "sigid": {convert: to_long, to:[{field: "rsa.misc.sig_id", setter: fld_set}]}, - "sigid1": {convert: to_long, to:[{field: "rsa.misc.sig_id1", setter: fld_set}]}, - "sigid_string": {to:[{field: "rsa.misc.sig_id_str", setter: fld_set}]}, - "signame": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 1}]}, - "sigtype": {to:[{field: "rsa.crypto.sig_type", setter: fld_set}]}, - "sinterface": {to:[{field: "rsa.network.sinterface", setter: fld_set}]}, - "site": {to:[{field: "rsa.internal.site", setter: fld_set}]}, - "size": {convert: to_long, to:[{field: "rsa.internal.size", setter: fld_set}]}, - "smask": {to:[{field: "rsa.network.smask", setter: fld_set}]}, - "snmp.oid": {to:[{field: "rsa.misc.snmp_oid", setter: fld_set}]}, - "snmp.value": {to:[{field: "rsa.misc.snmp_value", setter: fld_set}]}, - "sourcefile": {to:[{field: "rsa.internal.sourcefile", setter: 
fld_set}]}, - "space": {to:[{field: "rsa.misc.space", setter: fld_set}]}, - "space1": {to:[{field: "rsa.misc.space1", setter: fld_set}]}, - "spi": {to:[{field: "rsa.misc.spi", setter: fld_set}]}, - "sql": {to:[{field: "rsa.misc.sql", setter: fld_set}]}, - "src_dn": {to:[{field: "rsa.identity.dn_src", setter: fld_set}]}, - "src_payload": {to:[{field: "rsa.misc.payload_src", setter: fld_set}]}, - "src_spi": {to:[{field: "rsa.misc.spi_src", setter: fld_set}]}, - "src_zone": {to:[{field: "rsa.network.zone_src", setter: fld_set}]}, - "srcburb": {to:[{field: "rsa.misc.srcburb", setter: fld_set}]}, - "srcdom": {to:[{field: "rsa.misc.srcdom", setter: fld_set}]}, - "srcservice": {to:[{field: "rsa.misc.srcservice", setter: fld_set}]}, - "ssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 0}]}, - "stamp": {convert: to_date, to:[{field: "rsa.time.stamp", setter: fld_set}]}, - "starttime": {convert: to_date, to:[{field: "rsa.time.starttime", setter: fld_set}]}, - "state": {to:[{field: "rsa.misc.state", setter: fld_set}]}, - "statement": {to:[{field: "rsa.internal.statement", setter: fld_set}]}, - "status": {to:[{field: "rsa.misc.status", setter: fld_set}]}, - "status1": {to:[{field: "rsa.misc.status1", setter: fld_set}]}, - "streams": {convert: to_long, to:[{field: "rsa.misc.streams", setter: fld_set}]}, - "subcategory": {to:[{field: "rsa.misc.subcategory", setter: fld_set}]}, - "subject": {to:[{field: "rsa.email.subject", setter: fld_set}]}, - "svcno": {to:[{field: "rsa.misc.svcno", setter: fld_set}]}, - "system": {to:[{field: "rsa.misc.system", setter: fld_set}]}, - "t_context": {to:[{field: "rsa.misc.context_target", setter: fld_set}]}, - "task_name": {to:[{field: "rsa.file.task_name", setter: fld_set}]}, - "tbdstr1": {to:[{field: "rsa.misc.tbdstr1", setter: fld_set}]}, - "tbdstr2": {to:[{field: "rsa.misc.tbdstr2", setter: fld_set}]}, - "tbl_name": {to:[{field: "rsa.db.table_name", setter: fld_set}]}, - "tcp_flags": {convert: to_long, to:[{field: 
"rsa.misc.tcp_flags", setter: fld_set}]}, - "terminal": {to:[{field: "rsa.misc.terminal", setter: fld_set}]}, - "tgtdom": {to:[{field: "rsa.misc.tgtdom", setter: fld_set}]}, - "tgtdomain": {to:[{field: "rsa.misc.tgtdomain", setter: fld_set}]}, - "threat_name": {to:[{field: "rsa.threat.threat_category", setter: fld_set}]}, - "threat_source": {to:[{field: "rsa.threat.threat_source", setter: fld_set}]}, - "threat_val": {to:[{field: "rsa.threat.threat_desc", setter: fld_set}]}, - "threshold": {to:[{field: "rsa.misc.threshold", setter: fld_set}]}, - "time": {convert: to_date, to:[{field: "rsa.internal.time", setter: fld_set}]}, - "timestamp": {to:[{field: "rsa.time.timestamp", setter: fld_set}]}, - "timezone": {to:[{field: "rsa.time.timezone", setter: fld_set}]}, - "to": {to:[{field: "rsa.email.email_dst", setter: fld_set}]}, - "tos": {convert: to_long, to:[{field: "rsa.misc.tos", setter: fld_set}]}, - "trans_from": {to:[{field: "rsa.email.trans_from", setter: fld_set}]}, - "trans_id": {to:[{field: "rsa.db.transact_id", setter: fld_set}]}, - "trans_to": {to:[{field: "rsa.email.trans_to", setter: fld_set}]}, - "trigger_desc": {to:[{field: "rsa.misc.trigger_desc", setter: fld_set}]}, - "trigger_val": {to:[{field: "rsa.misc.trigger_val", setter: fld_set}]}, - "type": {to:[{field: "rsa.misc.type", setter: fld_set}]}, - "type1": {to:[{field: "rsa.misc.type1", setter: fld_set}]}, - "tzone": {to:[{field: "rsa.time.tzone", setter: fld_set}]}, - "ubc.req": {convert: to_long, to:[{field: "rsa.internal.ubc_req", setter: fld_set}]}, - "ubc.res": {convert: to_long, to:[{field: "rsa.internal.ubc_res", setter: fld_set}]}, - "udb_class": {to:[{field: "rsa.misc.udb_class", setter: fld_set}]}, - "url_fld": {to:[{field: "rsa.misc.url_fld", setter: fld_set}]}, - "urlpage": {to:[{field: "rsa.web.urlpage", setter: fld_set}]}, - "urlroot": {to:[{field: "rsa.web.urlroot", setter: fld_set}]}, - "user_address": {to:[{field: "rsa.email.email", setter: fld_append}]}, - "user_dept": {to:[{field: 
"rsa.identity.user_dept", setter: fld_set}]}, - "user_div": {to:[{field: "rsa.misc.user_div", setter: fld_set}]}, - "user_fname": {to:[{field: "rsa.identity.firstname", setter: fld_set}]}, - "user_lname": {to:[{field: "rsa.identity.lastname", setter: fld_set}]}, - "user_mname": {to:[{field: "rsa.identity.middlename", setter: fld_set}]}, - "user_org": {to:[{field: "rsa.identity.org", setter: fld_set}]}, - "user_role": {to:[{field: "rsa.identity.user_role", setter: fld_set}]}, - "userid": {to:[{field: "rsa.misc.userid", setter: fld_set}]}, - "username_fld": {to:[{field: "rsa.misc.username_fld", setter: fld_set}]}, - "utcstamp": {to:[{field: "rsa.misc.utcstamp", setter: fld_set}]}, - "v_instafname": {to:[{field: "rsa.misc.v_instafname", setter: fld_set}]}, - "vendor_event_cat": {to:[{field: "rsa.investigations.event_vcat", setter: fld_set}]}, - "version": {to:[{field: "rsa.misc.version", setter: fld_set}]}, - "vid": {to:[{field: "rsa.internal.msg_vid", setter: fld_set}]}, - "virt_data": {to:[{field: "rsa.misc.virt_data", setter: fld_set}]}, - "virusname": {to:[{field: "rsa.misc.virusname", setter: fld_set}]}, - "vlan": {convert: to_long, to:[{field: "rsa.network.vlan", setter: fld_set}]}, - "vlan.name": {to:[{field: "rsa.network.vlan_name", setter: fld_set}]}, - "vm_target": {to:[{field: "rsa.misc.vm_target", setter: fld_set}]}, - "vpnid": {to:[{field: "rsa.misc.vpnid", setter: fld_set}]}, - "vsys": {to:[{field: "rsa.misc.vsys", setter: fld_set}]}, - "vuln_ref": {to:[{field: "rsa.misc.vuln_ref", setter: fld_set}]}, - "web_cookie": {to:[{field: "rsa.web.web_cookie", setter: fld_set}]}, - "web_extension_tmp": {to:[{field: "rsa.web.web_extension_tmp", setter: fld_set}]}, - "web_host": {to:[{field: "rsa.web.alias_host", setter: fld_set}]}, - "web_method": {to:[{field: "rsa.misc.action", setter: fld_append}]}, - "web_page": {to:[{field: "rsa.web.web_page", setter: fld_set}]}, - "web_ref_domain": {to:[{field: "rsa.web.web_ref_domain", setter: fld_set}]}, - "web_ref_host": 
{to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "web_ref_page": {to:[{field: "rsa.web.web_ref_page", setter: fld_set}]}, - "web_ref_query": {to:[{field: "rsa.web.web_ref_query", setter: fld_set}]}, - "web_ref_root": {to:[{field: "rsa.web.web_ref_root", setter: fld_set}]}, - "wifi_channel": {convert: to_long, to:[{field: "rsa.wireless.wlan_channel", setter: fld_set}]}, - "wlan": {to:[{field: "rsa.wireless.wlan_name", setter: fld_set}]}, - "word": {to:[{field: "rsa.internal.word", setter: fld_set}]}, - "workspace_desc": {to:[{field: "rsa.misc.workspace", setter: fld_set}]}, - "workstation": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "year": {to:[{field: "rsa.time.year", setter: fld_set}]}, - "zone": {to:[{field: "rsa.network.zone", setter: fld_set}]}, - }; - - function to_date(value) { - switch (typeof (value)) { - case "object": - // This is a Date. But as it was obtained from evt.Get(), the VM - // doesn't see it as a JS Date anymore, thus value instanceof Date === false. - // Have to trust that any object here is a valid Date for Go. - return value; - case "string": - var asDate = new Date(value); - if (!isNaN(asDate)) return asDate; - } - } - - // ECMAScript 5.1 doesn't have Object.MAX_SAFE_INTEGER / Object.MIN_SAFE_INTEGER. - var maxSafeInt = Math.pow(2, 53) - 1; - var minSafeInt = -maxSafeInt; - - function to_long(value) { - var num = parseInt(value); - // Better not to index a number if it's not safe (above 53 bits). - return !isNaN(num) && minSafeInt <= num && num <= maxSafeInt ? 
num : undefined; - } - - function to_ip(value) { - if (value.indexOf(":") === -1) - return to_ipv4(value); - return to_ipv6(value); - } - - var ipv4_regex = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/; - var ipv6_hex_regex = /^[0-9A-Fa-f]{1,4}$/; - - function to_ipv4(value) { - var result = ipv4_regex.exec(value); - if (result == null || result.length !== 5) return; - for (var i = 1; i < 5; i++) { - var num = strictToInt(result[i]); - if (isNaN(num) || num < 0 || num > 255) return; - } - return value; - } - - function to_ipv6(value) { - var sqEnd = value.indexOf("]"); - if (sqEnd > -1) { - if (value.charAt(0) !== "[") return; - value = value.substr(1, sqEnd - 1); - } - var zoneOffset = value.indexOf("%"); - if (zoneOffset > -1) { - value = value.substr(0, zoneOffset); - } - var parts = value.split(":"); - if (parts == null || parts.length < 3 || parts.length > 8) return; - var numEmpty = 0; - var innerEmpty = 0; - for (var i = 0; i < parts.length; i++) { - if (parts[i].length === 0) { - numEmpty++; - if (i > 0 && i + 1 < parts.length) innerEmpty++; - } else if (!parts[i].match(ipv6_hex_regex) && - // Accept an IPv6 with a valid IPv4 at the end. - ((i + 1 < parts.length) || !to_ipv4(parts[i]))) { - return; - } - } - return innerEmpty === 0 && parts.length === 8 || innerEmpty === 1 ? value : undefined; - } - - function to_double(value) { - return parseFloat(value); - } - - function to_mac(value) { - // ES doesn't have a mac datatype so it's safe to ingest whatever was captured. - return value; - } - - function to_lowercase(value) { - // to_lowercase is used against keyword fields, which can accept - // any other type (numbers, dates). - return typeof(value) === "string"? 
value.toLowerCase() : value; - } - - function fld_set(dst, value) { - dst[this.field] = { v: value }; - } - - function fld_append(dst, value) { - if (dst[this.field] === undefined) { - dst[this.field] = { v: [value] }; - } else { - var base = dst[this.field]; - if (base.v.indexOf(value)===-1) base.v.push(value); - } - } - - function fld_prio(dst, value) { - if (dst[this.field] === undefined) { - dst[this.field] = { v: value, prio: this.prio}; - } else if(this.prio < dst[this.field].prio) { - dst[this.field].v = value; - dst[this.field].prio = this.prio; - } - } - - var valid_ecs_outcome = { - 'failure': true, - 'success': true, - 'unknown': true - }; - - function fld_ecs_outcome(dst, value) { - value = value.toLowerCase(); - if (valid_ecs_outcome[value] === undefined) { - value = 'unknown'; - } - if (dst[this.field] === undefined) { - dst[this.field] = { v: value }; - } else if (dst[this.field].v === 'unknown') { - dst[this.field] = { v: value }; - } - } - - function map_all(evt, targets, value) { - for (var i = 0; i < targets.length; i++) { - evt.Put(targets[i], value); - } - } - - function populate_fields(evt) { - var base = evt.Get(FIELDS_OBJECT); - if (base === null) return; - alternate_datetime(evt); - if (map_ecs) { - do_populate(evt, base, ecs_mappings); - } - if (map_rsa) { - do_populate(evt, base, rsa_mappings); - } - if (keep_raw) { - evt.Put("rsa.raw", base); - } - evt.Delete(FIELDS_OBJECT); - } - - var datetime_alt_components = [ - {field: "day", fmts: [[dF]]}, - {field: "year", fmts: [[dW]]}, - {field: "month", fmts: [[dB],[dG]]}, - {field: "date", fmts: [[dW,dSkip,dG,dSkip,dF],[dW,dSkip,dB,dSkip,dF],[dW,dSkip,dR,dSkip,dF]]}, - {field: "hour", fmts: [[dN]]}, - {field: "min", fmts: [[dU]]}, - {field: "secs", fmts: [[dO]]}, - {field: "time", fmts: [[dN, dSkip, dU, dSkip, dO]]}, - ]; - - function alternate_datetime(evt) { - if (evt.Get(FIELDS_PREFIX + "event_time") != null) { - return; - } - var tzOffset = tz_offset; - if (tzOffset === "event") { - 
tzOffset = evt.Get("event.timezone"); - } - var container = new DateContainer(tzOffset); - for (var i=0; i} for %{p0}"); - - var dup7 = match("MESSAGE#2:00001:02/1_1", "nwparser.p0", "domain address %{domain->} in zone %{p0}"); - - var dup8 = match("MESSAGE#4:00001:04/3_0", "nwparser.p0", " (%{fld1})"); - - var dup9 = date_time({ - dest: "event_time", - args: ["fld1"], - fmts: [ - [dW,dc("-"),dG,dc("-"),dF,dH,dc(":"),dU,dc(":"),dO], - ], - }); - - var dup10 = match("MESSAGE#5:00001:05/1_0", "nwparser.p0", "(%{fld1})"); - - var dup11 = match_copy("MESSAGE#5:00001:05/1_1", "nwparser.p0", "fld1"); - - var dup12 = match("MESSAGE#8:00001:08/0", "nwparser.payload", "Address %{p0}"); - - var dup13 = match("MESSAGE#8:00001:08/1_0", "nwparser.p0", "MIP(%{interface}) %{p0}"); - - var dup14 = match("MESSAGE#8:00001:08/1_1", "nwparser.p0", "%{group_object->} %{p0}"); - - var dup15 = match("MESSAGE#8:00001:08/3_0", "nwparser.p0", "admin %{p0}"); - - var dup16 = match_copy("MESSAGE#8:00001:08/3_1", "nwparser.p0", "p0"); - - var dup17 = setc("eventcategory","1502000000"); - - var dup18 = setc("eventcategory","1703000000"); - - var dup19 = setc("eventcategory","1603000000"); - - var dup20 = match("MESSAGE#25:00002:20/1_1", "nwparser.p0", "from host %{saddr->} "); - - var dup21 = match_copy("MESSAGE#25:00002:20/1_2", "nwparser.p0", ""); - - var dup22 = setc("eventcategory","1502050000"); - - var dup23 = match("MESSAGE#26:00002:21/1", "nwparser.p0", "%{p0}"); - - var dup24 = match("MESSAGE#26:00002:21/2_0", "nwparser.p0", "password %{p0}"); - - var dup25 = match("MESSAGE#26:00002:21/2_1", "nwparser.p0", "name %{p0}"); - - var dup26 = match_copy("MESSAGE#27:00002:22/1_2", "nwparser.p0", "administrator"); - - var dup27 = setc("eventcategory","1801010000"); - - var dup28 = setc("eventcategory","1401060000"); - - var dup29 = setc("ec_subject","User"); - - var dup30 = setc("ec_activity","Logon"); - - var dup31 = setc("ec_theme","Authentication"); - - var dup32 = 
setc("ec_outcome","Success"); - - var dup33 = setc("eventcategory","1401070000"); - - var dup34 = setc("ec_activity","Logoff"); - - var dup35 = setc("eventcategory","1303000000"); - - var dup36 = match_copy("MESSAGE#42:00002:38/1_1", "nwparser.p0", "disposition"); - - var dup37 = setc("eventcategory","1402020200"); - - var dup38 = setc("ec_theme","UserGroup"); - - var dup39 = setc("ec_outcome","Error"); - - var dup40 = match("MESSAGE#46:00002:42/1_1", "nwparser.p0", "via %{p0}"); - - var dup41 = match("MESSAGE#46:00002:42/4", "nwparser.p0", "%{fld1})"); - - var dup42 = setc("eventcategory","1402020300"); - - var dup43 = setc("ec_activity","Modify"); - - var dup44 = setc("eventcategory","1605000000"); - - var dup45 = match("MESSAGE#52:00002:48/3_1", "nwparser.p0", "%{logon_type->} from host %{saddr->} to %{daddr}:%{dport}. (%{p0}"); - - var dup46 = match("MESSAGE#53:00002:52/3_0", "nwparser.p0", "admin %{administrator->} via %{p0}"); - - var dup47 = match("MESSAGE#53:00002:52/3_2", "nwparser.p0", "%{username->} via %{p0}"); - - var dup48 = match("MESSAGE#53:00002:52/4_0", "nwparser.p0", "NSRP Peer . (%{p0}"); - - var dup49 = match("MESSAGE#55:00002:54/2", "nwparser.p0", ". 
(%{fld1})"); - - var dup50 = setc("eventcategory","1701020000"); - - var dup51 = setc("ec_theme","Configuration"); - - var dup52 = match("MESSAGE#56:00002/1_1", "nwparser.p0", "changed%{p0}"); - - var dup53 = setc("eventcategory","1301000000"); - - var dup54 = setc("ec_outcome","Failure"); - - var dup55 = match("MESSAGE#61:00003:05/0", "nwparser.payload", "The %{p0}"); - - var dup56 = match("MESSAGE#66:00004:04/1_0", "nwparser.p0", "interface%{p0}"); - - var dup57 = match("MESSAGE#66:00004:04/1_1", "nwparser.p0", "Interface%{p0}"); - - var dup58 = setc("eventcategory","1001000000"); - - var dup59 = setc("dclass_counter1_string","Number of times the attack occurred"); - - var dup60 = call({ - dest: "nwparser.inout", - fn: DIRCHK, - args: [ - field("$OUT"), - field("saddr"), - field("daddr"), - ], - }); - - var dup61 = call({ - dest: "nwparser.inout", - fn: DIRCHK, - args: [ - field("$OUT"), - field("saddr"), - field("daddr"), - field("sport"), - field("dport"), - ], - }); - - var dup62 = setc("eventcategory","1608010000"); - - var dup63 = match("MESSAGE#76:00004:14/0", "nwparser.payload", "DNS entries have been %{p0}"); - - var dup64 = match("MESSAGE#79:00004:17/0", "nwparser.payload", "%{signame->} From %{saddr->} to %{daddr}, proto %{protocol->} (zone %{p0}"); - - var dup65 = match("MESSAGE#79:00004:17/1_0", "nwparser.p0", "%{zone}, %{p0}"); - - var dup66 = match("MESSAGE#79:00004:17/1_1", "nwparser.p0", "%{zone->} %{p0}"); - - var dup67 = match("MESSAGE#79:00004:17/2", "nwparser.p0", "int %{interface}).%{space}Occurred %{dclass_counter1->} times. 
(%{fld1})"); - - var dup68 = match("MESSAGE#83:00005:03/1_0", "nwparser.p0", "%{dport},%{p0}"); - - var dup69 = match("MESSAGE#83:00005:03/1_1", "nwparser.p0", "%{dport->} %{p0}"); - - var dup70 = match("MESSAGE#83:00005:03/2", "nwparser.p0", "%{space}using protocol %{p0}"); - - var dup71 = match("MESSAGE#83:00005:03/3_0", "nwparser.p0", "%{protocol},%{p0}"); - - var dup72 = match("MESSAGE#83:00005:03/3_1", "nwparser.p0", "%{protocol->} %{p0}"); - - var dup73 = match("MESSAGE#83:00005:03/5_1", "nwparser.p0", ". %{p0}"); - - var dup74 = match("MESSAGE#86:00005:06/0_0", "nwparser.payload", "%{fld2}: SYN %{p0}"); - - var dup75 = match("MESSAGE#86:00005:06/0_1", "nwparser.payload", "SYN %{p0}"); - - var dup76 = match("MESSAGE#87:00005:07/1_2", "nwparser.p0", "timeout value %{p0}"); - - var dup77 = match("MESSAGE#88:00005:08/2_0", "nwparser.p0", "destination %{p0}"); - - var dup78 = match("MESSAGE#88:00005:08/2_1", "nwparser.p0", "source %{p0}"); - - var dup79 = match("MESSAGE#97:00005:17/0", "nwparser.payload", "A %{p0}"); - - var dup80 = match("MESSAGE#98:00005:18/0", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to %{daddr}:%{dport}, proto %{protocol->} (zone %{zone->} %{p0}"); - - var dup81 = match("MESSAGE#98:00005:18/1_0", "nwparser.p0", ", int %{p0}"); - - var dup82 = match("MESSAGE#98:00005:18/1_1", "nwparser.p0", "int %{p0}"); - - var dup83 = match("MESSAGE#98:00005:18/2", "nwparser.p0", "%{interface}).%{space}Occurred %{dclass_counter1->} times. 
(%{fld1})"); - - var dup84 = setc("eventcategory","1002020000"); - - var dup85 = setc("eventcategory","1002000000"); - - var dup86 = setc("eventcategory","1603110000"); - - var dup87 = match("MESSAGE#111:00007:04/0", "nwparser.payload", "HA %{p0}"); - - var dup88 = match("MESSAGE#111:00007:04/1_0", "nwparser.p0", "encryption %{p0}"); - - var dup89 = match("MESSAGE#111:00007:04/1_1", "nwparser.p0", "authentication %{p0}"); - - var dup90 = match("MESSAGE#111:00007:04/3_1", "nwparser.p0", "key %{p0}"); - - var dup91 = setc("eventcategory","1613040200"); - - var dup92 = match("MESSAGE#118:00007:11/1_0", "nwparser.p0", "disabled%{}"); - - var dup93 = match("MESSAGE#118:00007:11/1_1", "nwparser.p0", "set to %{trigger_val}"); - - var dup94 = match("MESSAGE#127:00007:21/1_0", "nwparser.p0", "up%{}"); - - var dup95 = match("MESSAGE#127:00007:21/1_1", "nwparser.p0", "down%{}"); - - var dup96 = match("MESSAGE#139:00007:33/2_1", "nwparser.p0", " %{p0}"); - - var dup97 = setc("eventcategory","1613050200"); - - var dup98 = match("MESSAGE#143:00007:37/1_0", "nwparser.p0", "set%{}"); - - var dup99 = match("MESSAGE#143:00007:37/1_1", "nwparser.p0", "unset%{}"); - - var dup100 = match("MESSAGE#144:00007:38/1_0", "nwparser.p0", "undefined %{p0}"); - - var dup101 = match("MESSAGE#144:00007:38/1_1", "nwparser.p0", "set %{p0}"); - - var dup102 = match("MESSAGE#144:00007:38/1_2", "nwparser.p0", "active %{p0}"); - - var dup103 = match("MESSAGE#144:00007:38/2", "nwparser.p0", "to %{p0}"); - - var dup104 = match("MESSAGE#157:00007:51/1_0", "nwparser.p0", "created %{p0}"); - - var dup105 = match("MESSAGE#157:00007:51/3_0", "nwparser.p0", ", %{p0}"); - - var dup106 = match("MESSAGE#157:00007:51/5_0", "nwparser.p0", "is %{p0}"); - - var dup107 = match("MESSAGE#157:00007:51/5_1", "nwparser.p0", "was %{p0}"); - - var dup108 = match("MESSAGE#157:00007:51/6", "nwparser.p0", "%{fld2}"); - - var dup109 = match("MESSAGE#163:00007:57/1_0", "nwparser.p0", "threshold %{p0}"); - - var dup110 = 
match("MESSAGE#163:00007:57/1_1", "nwparser.p0", "interval %{p0}"); - - var dup111 = match("MESSAGE#163:00007:57/3_0", "nwparser.p0", "of %{p0}"); - - var dup112 = match("MESSAGE#163:00007:57/3_1", "nwparser.p0", "that %{p0}"); - - var dup113 = match("MESSAGE#170:00007:64/0_0", "nwparser.payload", "Zone %{p0}"); - - var dup114 = match("MESSAGE#170:00007:64/0_1", "nwparser.payload", "Interface %{p0}"); - - var dup115 = match("MESSAGE#172:00007:66/2_1", "nwparser.p0", "n %{p0}"); - - var dup116 = match("MESSAGE#174:00007:68/4", "nwparser.p0", ".%{}"); - - var dup117 = setc("eventcategory","1603090000"); - - var dup118 = match("MESSAGE#195:00009:06/1", "nwparser.p0", "for %{p0}"); - - var dup119 = match("MESSAGE#195:00009:06/2_0", "nwparser.p0", "the %{p0}"); - - var dup120 = match("MESSAGE#195:00009:06/4_0", "nwparser.p0", "removed %{p0}"); - - var dup121 = setc("eventcategory","1603030000"); - - var dup122 = match("MESSAGE#202:00009:14/2_0", "nwparser.p0", "interface %{p0}"); - - var dup123 = match("MESSAGE#202:00009:14/2_1", "nwparser.p0", "the interface %{p0}"); - - var dup124 = match_copy("MESSAGE#202:00009:14/4_1", "nwparser.p0", "interface"); - - var dup125 = match("MESSAGE#203:00009:15/1_1", "nwparser.p0", "s %{p0}"); - - var dup126 = match("MESSAGE#203:00009:15/2", "nwparser.p0", "on interface %{interface->} %{p0}"); - - var dup127 = match("MESSAGE#203:00009:15/3_0", "nwparser.p0", "has been %{p0}"); - - var dup128 = match("MESSAGE#203:00009:15/4", "nwparser.p0", "%{disposition}."); - - var dup129 = match("MESSAGE#204:00009:16/3_0", "nwparser.p0", "removed from %{p0}"); - - var dup130 = match("MESSAGE#204:00009:16/3_1", "nwparser.p0", "added to %{p0}"); - - var dup131 = match("MESSAGE#210:00009:21/2", "nwparser.p0", "%{interface}). Occurred %{dclass_counter1->} times. 
(%{fld1})"); - - var dup132 = match("MESSAGE#219:00010:03/0", "nwparser.payload", "%{signame->} From %{saddr->} to %{daddr}, proto %{protocol->} (zone %{zone->} %{p0}"); - - var dup133 = match("MESSAGE#224:00011:04/1_1", "nwparser.p0", "Interface %{p0}"); - - var dup134 = match("MESSAGE#233:00011:14/1_0", "nwparser.p0", "set to %{fld2}"); - - var dup135 = match("MESSAGE#237:00011:18/4_1", "nwparser.p0", "gateway %{p0}"); - - var dup136 = match("MESSAGE#238:00011:19/6", "nwparser.p0", "%{} %{disposition}"); - - var dup137 = match("MESSAGE#274:00015:02/1_1", "nwparser.p0", "port number %{p0}"); - - var dup138 = match("MESSAGE#274:00015:02/2", "nwparser.p0", "has been %{disposition}"); - - var dup139 = match("MESSAGE#276:00015:04/1_0", "nwparser.p0", "IP %{p0}"); - - var dup140 = match("MESSAGE#276:00015:04/1_1", "nwparser.p0", "port %{p0}"); - - var dup141 = setc("eventcategory","1702030000"); - - var dup142 = match("MESSAGE#284:00015:12/3_0", "nwparser.p0", "up %{p0}"); - - var dup143 = match("MESSAGE#284:00015:12/3_1", "nwparser.p0", "down %{p0}"); - - var dup144 = setc("eventcategory","1601000000"); - - var dup145 = match("MESSAGE#294:00015:22/2_0", "nwparser.p0", "(%{fld1}) "); - - var dup146 = date_time({ - dest: "event_time", - args: ["fld2"], - fmts: [ - [dW,dc("-"),dG,dc("-"),dF,dH,dc(":"),dU,dc(":"),dO], - ], - }); - - var dup147 = setc("eventcategory","1103000000"); - - var dup148 = setc("ec_subject","NetworkComm"); - - var dup149 = setc("ec_activity","Scan"); - - var dup150 = setc("ec_theme","TEV"); - - var dup151 = setc("eventcategory","1103010000"); - - var dup152 = match("MESSAGE#317:00017:01/2_0", "nwparser.p0", ": %{p0}"); - - var dup153 = match("MESSAGE#320:00017:04/0", "nwparser.payload", "IP %{p0}"); - - var dup154 = match("MESSAGE#320:00017:04/1_0", "nwparser.p0", "address pool %{p0}"); - - var dup155 = match("MESSAGE#320:00017:04/1_1", "nwparser.p0", "pool %{p0}"); - - var dup156 = match("MESSAGE#326:00017:10/1_0", "nwparser.p0", "enabled 
%{p0}"); - - var dup157 = match("MESSAGE#326:00017:10/1_1", "nwparser.p0", "disabled %{p0}"); - - var dup158 = match("MESSAGE#332:00017:15/1_0", "nwparser.p0", "AH %{p0}"); - - var dup159 = match("MESSAGE#332:00017:15/1_1", "nwparser.p0", "ESP %{p0}"); - - var dup160 = match("MESSAGE#354:00018:11/0", "nwparser.payload", "%{} %{p0}"); - - var dup161 = match("MESSAGE#356:00018:32/0_0", "nwparser.payload", "Source%{p0}"); - - var dup162 = match("MESSAGE#356:00018:32/0_1", "nwparser.payload", "Destination%{p0}"); - - var dup163 = match("MESSAGE#356:00018:32/2_0", "nwparser.p0", "from %{p0}"); - - var dup164 = match("MESSAGE#356:00018:32/3", "nwparser.p0", "policy ID %{policy_id->} by admin %{administrator->} via NSRP Peer . (%{fld1})"); - - var dup165 = match("MESSAGE#375:00019:01/0", "nwparser.payload", "Attempt to enable %{p0}"); - - var dup166 = match("MESSAGE#375:00019:01/1_0", "nwparser.p0", "traffic logging via syslog %{p0}"); - - var dup167 = match("MESSAGE#375:00019:01/1_1", "nwparser.p0", "syslog %{p0}"); - - var dup168 = match("MESSAGE#378:00019:04/0", "nwparser.payload", "Syslog %{p0}"); - - var dup169 = match("MESSAGE#378:00019:04/1_0", "nwparser.p0", "host %{p0}"); - - var dup170 = match("MESSAGE#378:00019:04/3_1", "nwparser.p0", "domain name %{p0}"); - - var dup171 = match("MESSAGE#378:00019:04/4", "nwparser.p0", "has been changed to %{fld2}"); - - var dup172 = match("MESSAGE#380:00019:06/1_0", "nwparser.p0", "security facility %{p0}"); - - var dup173 = match("MESSAGE#380:00019:06/1_1", "nwparser.p0", "facility %{p0}"); - - var dup174 = match("MESSAGE#380:00019:06/3_0", "nwparser.p0", "local0%{}"); - - var dup175 = match("MESSAGE#380:00019:06/3_1", "nwparser.p0", "local1%{}"); - - var dup176 = match("MESSAGE#380:00019:06/3_2", "nwparser.p0", "local2%{}"); - - var dup177 = match("MESSAGE#380:00019:06/3_3", "nwparser.p0", "local3%{}"); - - var dup178 = match("MESSAGE#380:00019:06/3_4", "nwparser.p0", "local4%{}"); - - var dup179 = 
match("MESSAGE#380:00019:06/3_5", "nwparser.p0", "local5%{}"); - - var dup180 = match("MESSAGE#380:00019:06/3_6", "nwparser.p0", "local6%{}"); - - var dup181 = match("MESSAGE#380:00019:06/3_7", "nwparser.p0", "local7%{}"); - - var dup182 = match("MESSAGE#380:00019:06/3_8", "nwparser.p0", "auth/sec%{}"); - - var dup183 = match("MESSAGE#384:00019:10/0", "nwparser.payload", "%{fld2->} %{p0}"); - - var dup184 = setc("eventcategory","1603020000"); - - var dup185 = setc("eventcategory","1803000000"); - - var dup186 = match("MESSAGE#405:00022/0", "nwparser.payload", "All %{p0}"); - - var dup187 = setc("eventcategory","1603010000"); - - var dup188 = setc("eventcategory","1603100000"); - - var dup189 = match("MESSAGE#414:00022:09/1_0", "nwparser.p0", "primary %{p0}"); - - var dup190 = match("MESSAGE#414:00022:09/1_1", "nwparser.p0", "secondary %{p0}"); - - var dup191 = match("MESSAGE#414:00022:09/3_0", "nwparser.p0", "t %{p0}"); - - var dup192 = match("MESSAGE#414:00022:09/3_1", "nwparser.p0", "w %{p0}"); - - var dup193 = match("MESSAGE#423:00024/1", "nwparser.p0", "server %{p0}"); - - var dup194 = match("MESSAGE#426:00024:03/1_0", "nwparser.p0", "has %{p0}"); - - var dup195 = match("MESSAGE#434:00026:01/0", "nwparser.payload", "SCS%{p0}"); - - var dup196 = match("MESSAGE#434:00026:01/3_0", "nwparser.p0", "bound to %{p0}"); - - var dup197 = match("MESSAGE#434:00026:01/3_1", "nwparser.p0", "unbound from %{p0}"); - - var dup198 = setc("eventcategory","1801030000"); - - var dup199 = setc("eventcategory","1302010200"); - - var dup200 = match("MESSAGE#441:00026:08/1_1", "nwparser.p0", "PKA RSA %{p0}"); - - var dup201 = match("MESSAGE#443:00026:10/3_1", "nwparser.p0", "unbind %{p0}"); - - var dup202 = match("MESSAGE#443:00026:10/4", "nwparser.p0", "PKA key %{p0}"); - - var dup203 = setc("eventcategory","1304000000"); - - var dup204 = match("MESSAGE#446:00027/0", "nwparser.payload", "Multiple login failures %{p0}"); - - var dup205 = match("MESSAGE#446:00027/1_0", "nwparser.p0", 
"occurred for %{p0}"); - - var dup206 = setc("eventcategory","1401030000"); - - var dup207 = match("MESSAGE#451:00027:05/5_0", "nwparser.p0", "aborted%{}"); - - var dup208 = match("MESSAGE#451:00027:05/5_1", "nwparser.p0", "performed%{}"); - - var dup209 = setc("eventcategory","1605020000"); - - var dup210 = match("MESSAGE#466:00029:03/0", "nwparser.payload", "IP pool of DHCP server on %{p0}"); - - var dup211 = setc("ec_subject","Certificate"); - - var dup212 = match("MESSAGE#492:00030:17/1_0", "nwparser.p0", "certificate %{p0}"); - - var dup213 = match("MESSAGE#492:00030:17/1_1", "nwparser.p0", "CRL %{p0}"); - - var dup214 = match("MESSAGE#493:00030:40/1_0", "nwparser.p0", "auto %{p0}"); - - var dup215 = match("MESSAGE#508:00030:55/1_0", "nwparser.p0", "RSA %{p0}"); - - var dup216 = match("MESSAGE#508:00030:55/1_1", "nwparser.p0", "DSA %{p0}"); - - var dup217 = match("MESSAGE#508:00030:55/2", "nwparser.p0", "key pair.%{}"); - - var dup218 = setc("ec_subject","CryptoKey"); - - var dup219 = setc("ec_subject","Configuration"); - - var dup220 = setc("ec_activity","Request"); - - var dup221 = match("MESSAGE#539:00030:86/0", "nwparser.payload", "FIPS test for %{p0}"); - - var dup222 = match("MESSAGE#539:00030:86/1_0", "nwparser.p0", "ECDSA %{p0}"); - - var dup223 = setc("eventcategory","1612000000"); - - var dup224 = match("MESSAGE#543:00031:02/1_0", "nwparser.p0", "yes %{p0}"); - - var dup225 = match("MESSAGE#543:00031:02/1_1", "nwparser.p0", "no %{p0}"); - - var dup226 = match("MESSAGE#545:00031:04/1_1", "nwparser.p0", "location %{p0}"); - - var dup227 = match("MESSAGE#548:00031:05/2", "nwparser.p0", "%{} %{interface}"); - - var dup228 = match("MESSAGE#549:00031:06/0", "nwparser.payload", "arp re%{p0}"); - - var dup229 = match("MESSAGE#549:00031:06/1_1", "nwparser.p0", "q %{p0}"); - - var dup230 = match("MESSAGE#549:00031:06/1_2", "nwparser.p0", "ply %{p0}"); - - var dup231 = match("MESSAGE#549:00031:06/9_0", "nwparser.p0", "%{interface->} (%{fld1})"); - - var dup232 
= setc("eventcategory","1201000000"); - - var dup233 = match("MESSAGE#561:00033/0_0", "nwparser.payload", "Global PRO %{p0}"); - - var dup234 = match("MESSAGE#561:00033/0_1", "nwparser.payload", "%{fld3->} %{p0}"); - - var dup235 = match("MESSAGE#569:00033:08/0", "nwparser.payload", "NACN Policy Manager %{p0}"); - - var dup236 = match("MESSAGE#569:00033:08/1_0", "nwparser.p0", "1 %{p0}"); - - var dup237 = match("MESSAGE#569:00033:08/1_1", "nwparser.p0", "2 %{p0}"); - - var dup238 = match("MESSAGE#571:00033:10/3_1", "nwparser.p0", "unset %{p0}"); - - var dup239 = match("MESSAGE#581:00033:21/0", "nwparser.payload", "%{signame}! From %{saddr}:%{sport->} to %{daddr}:%{dport}, proto %{protocol->} (zone %{zone->} %{p0}"); - - var dup240 = setc("eventcategory","1401000000"); - - var dup241 = match("MESSAGE#586:00034:01/2_1", "nwparser.p0", "SSH %{p0}"); - - var dup242 = match("MESSAGE#588:00034:03/0_0", "nwparser.payload", "SCS: NetScreen %{p0}"); - - var dup243 = match("MESSAGE#588:00034:03/0_1", "nwparser.payload", "NetScreen %{p0}"); - - var dup244 = match("MESSAGE#595:00034:10/0", "nwparser.payload", "S%{p0}"); - - var dup245 = match("MESSAGE#595:00034:10/1_0", "nwparser.p0", "CS: SSH%{p0}"); - - var dup246 = match("MESSAGE#595:00034:10/1_1", "nwparser.p0", "SH%{p0}"); - - var dup247 = match("MESSAGE#596:00034:12/3_0", "nwparser.p0", "the root system %{p0}"); - - var dup248 = match("MESSAGE#596:00034:12/3_1", "nwparser.p0", "vsys %{fld2->} %{p0}"); - - var dup249 = match("MESSAGE#599:00034:18/1_0", "nwparser.p0", "CS: SSH %{p0}"); - - var dup250 = match("MESSAGE#599:00034:18/1_1", "nwparser.p0", "SH %{p0}"); - - var dup251 = match("MESSAGE#630:00035:06/1_0", "nwparser.p0", "a %{p0}"); - - var dup252 = match("MESSAGE#630:00035:06/1_1", "nwparser.p0", "ert %{p0}"); - - var dup253 = match("MESSAGE#633:00035:09/0", "nwparser.payload", "SSL %{p0}"); - - var dup254 = setc("eventcategory","1608000000"); - - var dup255 = match("MESSAGE#644:00037:01/1_0", "nwparser.p0", "id: 
%{p0}"); - - var dup256 = match("MESSAGE#644:00037:01/1_1", "nwparser.p0", "ID %{p0}"); - - var dup257 = match("MESSAGE#659:00044/1_0", "nwparser.p0", "permit %{p0}"); - - var dup258 = match("MESSAGE#675:00055/0", "nwparser.payload", "IGMP %{p0}"); - - var dup259 = match("MESSAGE#677:00055:02/0", "nwparser.payload", "IGMP will %{p0}"); - - var dup260 = match("MESSAGE#677:00055:02/1_0", "nwparser.p0", "not do %{p0}"); - - var dup261 = match("MESSAGE#677:00055:02/1_1", "nwparser.p0", "do %{p0}"); - - var dup262 = match("MESSAGE#689:00059/1_1", "nwparser.p0", "shut down %{p0}"); - - var dup263 = match("MESSAGE#707:00070/0", "nwparser.payload", "NSRP: %{p0}"); - - var dup264 = match("MESSAGE#707:00070/1_0", "nwparser.p0", "Unit %{p0}"); - - var dup265 = match("MESSAGE#707:00070/1_1", "nwparser.p0", "local unit= %{p0}"); - - var dup266 = match("MESSAGE#707:00070/2", "nwparser.p0", "%{fld2->} of VSD group %{group->} %{info}"); - - var dup267 = match("MESSAGE#708:00070:01/0", "nwparser.payload", "The local device %{fld2->} in the Virtual Sec%{p0}"); - - var dup268 = match("MESSAGE#708:00070:01/1_0", "nwparser.p0", "ruity%{p0}"); - - var dup269 = match("MESSAGE#708:00070:01/1_1", "nwparser.p0", "urity%{p0}"); - - var dup270 = match("MESSAGE#713:00072:01/2", "nwparser.p0", "%{}Device group %{group->} changed state"); - - var dup271 = match("MESSAGE#717:00075/2", "nwparser.p0", "%{fld2->} of VSD group %{group->} %{info}"); - - var dup272 = setc("eventcategory","1805010000"); - - var dup273 = setc("eventcategory","1805000000"); - - var dup274 = date_time({ - dest: "starttime", - args: ["fld2"], - fmts: [ - [dW,dc("-"),dG,dc("-"),dF,dH,dc(":"),dU,dc(":"),dO], - ], - }); - - var dup275 = call({ - dest: "nwparser.bytes", - fn: CALC, - args: [ - field("sbytes"), - constant("+"), - field("rbytes"), - ], - }); - - var dup276 = setc("action","Deny"); - - var dup277 = setc("disposition","Deny"); - - var dup278 = setc("direction","outgoing"); - - var dup279 = call({ - dest: 
"nwparser.inout", - fn: DIRCHK, - args: [ - field("$IN"), - field("saddr"), - field("daddr"), - field("sport"), - field("dport"), - ], - }); - - var dup280 = setc("direction","incoming"); - - var dup281 = setc("eventcategory","1801000000"); - - var dup282 = setf("action","disposition"); - - var dup283 = match("MESSAGE#748:00257:19/0", "nwparser.payload", "start_time=%{p0}"); - - var dup284 = match("MESSAGE#748:00257:19/1_0", "nwparser.p0", "\\\"%{fld2}\\\"%{p0}"); - - var dup285 = match("MESSAGE#748:00257:19/1_1", "nwparser.p0", " \"%{fld2}\" %{p0}"); - - var dup286 = match_copy("MESSAGE#756:00257:10/1_1", "nwparser.p0", "daddr"); - - var dup287 = match("MESSAGE#760:00259/0_0", "nwparser.payload", "Admin %{p0}"); - - var dup288 = match("MESSAGE#760:00259/0_1", "nwparser.payload", "Vsys admin %{p0}"); - - var dup289 = match("MESSAGE#760:00259/2_1", "nwparser.p0", "Telnet %{p0}"); - - var dup290 = setc("eventcategory","1401050200"); - - var dup291 = call({ - dest: "nwparser.inout", - fn: DIRCHK, - args: [ - field("$IN"), - field("daddr"), - field("saddr"), - ], - }); - - var dup292 = call({ - dest: "nwparser.inout", - fn: DIRCHK, - args: [ - field("$IN"), - field("daddr"), - field("saddr"), - field("dport"), - field("sport"), - ], - }); - - var dup293 = match("MESSAGE#777:00406/2", "nwparser.p0", "%{interface}). Occurred %{dclass_counter1->} times."); - - var dup294 = match("MESSAGE#790:00423/2", "nwparser.p0", "%{interface}).%{space}Occurred %{dclass_counter1->} times."); - - var dup295 = match("MESSAGE#793:00430/2", "nwparser.p0", "%{interface}).%{space}Occurred %{dclass_counter1->} times.%{p0}"); - - var dup296 = match("MESSAGE#795:00431/0", "nwparser.payload", "%{obj_type->} %{disposition}! From %{saddr}:%{sport->} to %{daddr}:%{dport}, proto %{protocol->} (zone %{zone->} %{p0}"); - - var dup297 = setc("eventcategory","1204000000"); - - var dup298 = match("MESSAGE#797:00433/0", "nwparser.payload", "%{signame->} %{disposition}! 
From %{saddr}:%{sport->} to %{daddr}:%{dport}, proto %{protocol->} (zone %{zone->} %{p0}"); - - var dup299 = match("MESSAGE#804:00437:01/0", "nwparser.payload", "%{signame}! From %{saddr}:%{sport->} to %{daddr}:%{dport}, proto %{protocol->} (zone %{p0}"); - - var dup300 = match("MESSAGE#817:00511:01/1_0", "nwparser.p0", "%{administrator->} (%{fld1})"); - - var dup301 = setc("eventcategory","1801020000"); - - var dup302 = setc("disposition","failed"); - - var dup303 = match("MESSAGE#835:00515:04/2_1", "nwparser.p0", "ut %{p0}"); - - var dup304 = match("MESSAGE#835:00515:04/4_0", "nwparser.p0", "%{logon_type->} from %{saddr}:%{sport}"); - - var dup305 = match("MESSAGE#837:00515:05/1_0", "nwparser.p0", "user %{p0}"); - - var dup306 = match("MESSAGE#837:00515:05/5_0", "nwparser.p0", "the %{logon_type}"); - - var dup307 = match("MESSAGE#869:00519:01/1_0", "nwparser.p0", "WebAuth user %{p0}"); - - var dup308 = match("MESSAGE#876:00520:02/1_1", "nwparser.p0", "backup1 %{p0}"); - - var dup309 = match("MESSAGE#876:00520:02/1_2", "nwparser.p0", "backup2 %{p0}"); - - var dup310 = match("MESSAGE#890:00524:13/1_0", "nwparser.p0", ",%{p0}"); - - var dup311 = match("MESSAGE#901:00527/1_0", "nwparser.p0", "assigned %{p0}"); - - var dup312 = match("MESSAGE#901:00527/3_0", "nwparser.p0", "assigned to %{p0}"); - - var dup313 = setc("eventcategory","1803020000"); - - var dup314 = setc("eventcategory","1613030000"); - - var dup315 = match("MESSAGE#927:00528:15/1_0", "nwparser.p0", "'%{administrator}' %{p0}"); - - var dup316 = match("MESSAGE#930:00528:18/0", "nwparser.payload", "SSH: P%{p0}"); - - var dup317 = match("MESSAGE#930:00528:18/1_0", "nwparser.p0", "KA %{p0}"); - - var dup318 = match("MESSAGE#930:00528:18/1_1", "nwparser.p0", "assword %{p0}"); - - var dup319 = match("MESSAGE#930:00528:18/3_0", "nwparser.p0", "\\'%{administrator}\\' %{p0}"); - - var dup320 = match("MESSAGE#930:00528:18/4", "nwparser.p0", "at host %{saddr}"); - - var dup321 = match("MESSAGE#932:00528:19/0", 
"nwparser.payload", "%{}S%{p0}"); - - var dup322 = match("MESSAGE#932:00528:19/1_0", "nwparser.p0", "CS %{p0}"); - - var dup323 = setc("event_description","Cannot connect to NSM server"); - - var dup324 = setc("eventcategory","1603040000"); - - var dup325 = match("MESSAGE#1060:00553/2", "nwparser.p0", "from server.ini file.%{}"); - - var dup326 = match("MESSAGE#1064:00553:04/1_0", "nwparser.p0", "pattern %{p0}"); - - var dup327 = match("MESSAGE#1064:00553:04/1_1", "nwparser.p0", "server.ini %{p0}"); - - var dup328 = match("MESSAGE#1068:00553:08/2", "nwparser.p0", "file.%{}"); - - var dup329 = match("MESSAGE#1087:00554:04/1_1", "nwparser.p0", "AV pattern %{p0}"); - - var dup330 = match("MESSAGE#1116:00556:14/1_0", "nwparser.p0", "added into %{p0}"); - - var dup331 = match("MESSAGE#1157:00767:11/1_0", "nwparser.p0", "loader %{p0}"); - - var dup332 = call({ - dest: "nwparser.inout", - fn: DIRCHK, - args: [ - field("$OUT"), - field("daddr"), - field("saddr"), - field("dport"), - field("sport"), - ], - }); - - var dup333 = linear_select([ - dup10, - dup11, - ]); - - var dup334 = match("MESSAGE#7:00001:07", "nwparser.payload", "Policy ID=%{policy_id->} Rate=%{fld2->} exceeds threshold", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var dup335 = linear_select([ - dup13, - dup14, - ]); - - var dup336 = linear_select([ - dup15, - dup16, - ]); - - var dup337 = linear_select([ - dup56, - dup57, - ]); - - var dup338 = linear_select([ - dup65, - dup66, - ]); - - var dup339 = linear_select([ - dup68, - dup69, - ]); - - var dup340 = linear_select([ - dup71, - dup72, - ]); - - var dup341 = match("MESSAGE#84:00005:04", "nwparser.payload", "%{signame->} from %{saddr}/%{sport->} to %{daddr}/%{dport->} protocol %{protocol->} (%{interface})", processor_chain([ - dup58, - dup2, - dup3, - dup4, - dup5, - dup61, - ])); - - var dup342 = linear_select([ - dup74, - dup75, - ]); - - var dup343 = linear_select([ - dup81, - dup82, - ]); - - var dup344 = linear_select([ - 
dup24, - dup90, - ]); - - var dup345 = linear_select([ - dup94, - dup95, - ]); - - var dup346 = linear_select([ - dup98, - dup99, - ]); - - var dup347 = linear_select([ - dup100, - dup101, - dup102, - ]); - - var dup348 = linear_select([ - dup113, - dup114, - ]); - - var dup349 = linear_select([ - dup111, - dup16, - ]); - - var dup350 = linear_select([ - dup127, - dup107, - ]); - - var dup351 = linear_select([ - dup8, - dup21, - ]); - - var dup352 = linear_select([ - dup122, - dup133, - ]); - - var dup353 = linear_select([ - dup142, - dup143, - ]); - - var dup354 = linear_select([ - dup145, - dup21, - ]); - - var dup355 = linear_select([ - dup127, - dup106, - ]); - - var dup356 = linear_select([ - dup152, - dup96, - ]); - - var dup357 = linear_select([ - dup154, - dup155, - ]); - - var dup358 = linear_select([ - dup156, - dup157, - ]); - - var dup359 = linear_select([ - dup99, - dup134, - ]); - - var dup360 = linear_select([ - dup158, - dup159, - ]); - - var dup361 = linear_select([ - dup161, - dup162, - ]); - - var dup362 = linear_select([ - dup163, - dup103, - ]); - - var dup363 = linear_select([ - dup162, - dup161, - ]); - - var dup364 = linear_select([ - dup46, - dup47, - ]); - - var dup365 = linear_select([ - dup166, - dup167, - ]); - - var dup366 = linear_select([ - dup172, - dup173, - ]); - - var dup367 = linear_select([ - dup174, - dup175, - dup176, - dup177, - dup178, - dup179, - dup180, - dup181, - dup182, - ]); - - var dup368 = linear_select([ - dup49, - dup21, - ]); - - var dup369 = linear_select([ - dup189, - dup190, - ]); - - var dup370 = linear_select([ - dup96, - dup152, - ]); - - var dup371 = linear_select([ - dup196, - dup197, - ]); - - var dup372 = linear_select([ - dup24, - dup200, - ]); - - var dup373 = linear_select([ - dup103, - dup163, - ]); - - var dup374 = linear_select([ - dup205, - dup118, - ]); - - var dup375 = match("MESSAGE#477:00030:02", "nwparser.payload", "%{change_attribute->} has been changed from %{change_old->} to 
%{change_new}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var dup376 = linear_select([ - dup212, - dup213, - ]); - - var dup377 = linear_select([ - dup215, - dup216, - ]); - - var dup378 = linear_select([ - dup222, - dup215, - ]); - - var dup379 = linear_select([ - dup224, - dup225, - ]); - - var dup380 = linear_select([ - dup231, - dup124, - ]); - - var dup381 = linear_select([ - dup229, - dup230, - ]); - - var dup382 = linear_select([ - dup233, - dup234, - ]); - - var dup383 = linear_select([ - dup236, - dup237, - ]); - - var dup384 = linear_select([ - dup242, - dup243, - ]); - - var dup385 = linear_select([ - dup245, - dup246, - ]); - - var dup386 = linear_select([ - dup247, - dup248, - ]); - - var dup387 = linear_select([ - dup249, - dup250, - ]); - - var dup388 = linear_select([ - dup251, - dup252, - ]); - - var dup389 = linear_select([ - dup260, - dup261, - ]); - - var dup390 = linear_select([ - dup264, - dup265, - ]); - - var dup391 = linear_select([ - dup268, - dup269, - ]); - - var dup392 = match("MESSAGE#716:00074", "nwparser.payload", "The local device %{fld2->} in the Virtual Security Device group %{group->} %{info}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var dup393 = linear_select([ - dup284, - dup285, - ]); - - var dup394 = linear_select([ - dup287, - dup288, - ]); - - var dup395 = match("MESSAGE#799:00435", "nwparser.payload", "%{signame->} From %{saddr->} to %{daddr}, using protocol %{protocol}, and arriving at interface %{dinterface->} in zone %{dst_zone}.%{space}The attack occurred %{dclass_counter1->} times.", processor_chain([ - dup58, - dup2, - dup59, - dup4, - dup5, - dup3, - dup60, - ])); - - var dup396 = match("MESSAGE#814:00442", "nwparser.payload", "%{signame->} From %{saddr->} to zone %{zone}, proto %{protocol->} (int %{interface}). Occurred %{dclass_counter1->} times. 
(%{fld1})", processor_chain([ - dup58, - dup4, - dup59, - dup5, - dup9, - dup2, - dup3, - dup60, - ])); - - var dup397 = linear_select([ - dup300, - dup26, - ]); - - var dup398 = linear_select([ - dup115, - dup303, - ]); - - var dup399 = linear_select([ - dup125, - dup96, - ]); - - var dup400 = linear_select([ - dup189, - dup308, - dup309, - ]); - - var dup401 = linear_select([ - dup310, - dup16, - ]); - - var dup402 = linear_select([ - dup317, - dup318, - ]); - - var dup403 = linear_select([ - dup319, - dup315, - ]); - - var dup404 = linear_select([ - dup322, - dup250, - ]); - - var dup405 = linear_select([ - dup327, - dup329, - ]); - - var dup406 = linear_select([ - dup330, - dup129, - ]); - - var dup407 = match("MESSAGE#1196:01269:01", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} direction=%{direction->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} icmp type=%{icmptype}", processor_chain([ - dup281, - dup2, - dup4, - dup5, - dup274, - dup3, - dup275, - dup60, - dup282, - ])); - - var dup408 = match("MESSAGE#1197:01269:02", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=Deny sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} icmp type=%{icmptype}", processor_chain([ - dup185, - dup2, - dup4, - dup5, - dup274, - dup3, - dup275, - dup276, - dup277, - dup60, - ])); - - var dup409 = match("MESSAGE#1198:01269:03", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} icmp type=%{icmptype}", processor_chain([ - dup281, - dup2, - dup4, - dup5, - dup274, - dup3, - dup275, - dup60, - 
dup282, - ])); - - var dup410 = match("MESSAGE#1203:23184", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} (%{fld3}) proto=%{protocol->} direction=%{direction->} action=Deny sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport}", processor_chain([ - dup185, - dup2, - dup4, - dup5, - dup274, - dup3, - dup275, - dup276, - dup277, - dup61, - ])); - - var dup411 = all_match({ - processors: [ - dup263, - dup390, - dup266, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var dup412 = all_match({ - processors: [ - dup267, - dup391, - dup270, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var dup413 = all_match({ - processors: [ - dup80, - dup343, - dup293, - ], - on_success: processor_chain([ - dup58, - dup2, - dup59, - dup3, - dup4, - dup5, - dup61, - ]), - }); - - var dup414 = all_match({ - processors: [ - dup296, - dup343, - dup131, - ], - on_success: processor_chain([ - dup297, - dup2, - dup3, - dup9, - dup59, - dup4, - dup5, - dup61, - ]), - }); - - var dup415 = all_match({ - processors: [ - dup298, - dup343, - dup131, - ], - on_success: processor_chain([ - dup297, - dup2, - dup3, - dup9, - dup59, - dup4, - dup5, - dup61, - ]), - }); - - var hdr1 = match("HEADER#0:0001", "message", "%{hfld1}: NetScreen device_id=%{hfld2->} [No Name]system-%{hseverity}-%{messageid}(%{hfld3}): %{payload}", processor_chain([ - setc("header_id","0001"), - ])); - - var hdr2 = match("HEADER#1:0003", "message", "%{hfld1}: NetScreen device_id=%{hfld2->} [%{hvsys}]system-%{hseverity}-%{messageid}(%{hfld3}): %{payload}", processor_chain([ - setc("header_id","0003"), - ])); - - var hdr3 = match("HEADER#2:0004", "message", "%{hfld1}: NetScreen device_id=%{hfld2->} system-%{hseverity}-%{messageid}(%{hfld3}): %{payload}", processor_chain([ - setc("header_id","0004"), - ])); - - var hdr4 = 
match("HEADER#3:0002/0", "message", "%{hfld1}: NetScreen device_id=%{hfld2->} %{p0}"); - - var part1 = match("HEADER#3:0002/1_0", "nwparser.p0", "[No Name]system%{p0}"); - - var part2 = match("HEADER#3:0002/1_1", "nwparser.p0", "[%{hvsys}]system%{p0}"); - - var part3 = match("HEADER#3:0002/1_2", "nwparser.p0", "system%{p0}"); - - var select1 = linear_select([ - part1, - part2, - part3, - ]); - - var part4 = match("HEADER#3:0002/2", "nwparser.p0", "-%{hseverity}-%{messageid}: %{payload}"); - - var all1 = all_match({ - processors: [ - hdr4, - select1, - part4, - ], - on_success: processor_chain([ - setc("header_id","0002"), - ]), - }); - - var select2 = linear_select([ - hdr1, - hdr2, - hdr3, - all1, - ]); - - var part5 = match("MESSAGE#0:00001", "nwparser.payload", "%{zone->} address %{interface->} with ip address %{hostip->} has been %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1 = msg("00001", part5); - - var part6 = match("MESSAGE#1:00001:01", "nwparser.payload", "%{zone->} address %{interface->} with domain name %{domain->} has been %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg2 = msg("00001:01", part6); - - var part7 = match("MESSAGE#2:00001:02/1_0", "nwparser.p0", "ip address %{hostip->} in zone %{p0}"); - - var select3 = linear_select([ - part7, - dup7, - ]); - - var part8 = match("MESSAGE#2:00001:02/2", "nwparser.p0", "%{zone->} has been %{disposition}"); - - var all2 = all_match({ - processors: [ - dup6, - select3, - part8, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg3 = msg("00001:02", all2); - - var part9 = match("MESSAGE#3:00001:03", "nwparser.payload", "arp entry %{hostip->} interface changed!", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg4 = msg("00001:03", part9); - - var part10 = match("MESSAGE#4:00001:04/1_0", "nwparser.p0", "IP address %{hostip->} in zone %{p0}"); - - 
var select4 = linear_select([ - part10, - dup7, - ]); - - var part11 = match("MESSAGE#4:00001:04/2", "nwparser.p0", "%{zone->} has been %{disposition->} by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport->} session%{p0}"); - - var part12 = match("MESSAGE#4:00001:04/3_1", "nwparser.p0", ".%{fld1}"); - - var select5 = linear_select([ - dup8, - part12, - ]); - - var all3 = all_match({ - processors: [ - dup6, - select4, - part11, - select5, - ], - on_success: processor_chain([ - dup1, - dup9, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg5 = msg("00001:04", all3); - - var part13 = match("MESSAGE#5:00001:05/0", "nwparser.payload", "%{fld2}: Address %{group_object->} for ip address %{hostip->} in zone %{zone->} has been %{disposition->} from host %{saddr->} session %{p0}"); - - var all4 = all_match({ - processors: [ - part13, - dup333, - ], - on_success: processor_chain([ - dup1, - dup9, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg6 = msg("00001:05", all4); - - var part14 = match("MESSAGE#6:00001:06", "nwparser.payload", "Address group %{group_object->} %{info}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg7 = msg("00001:06", part14); - - var msg8 = msg("00001:07", dup334); - - var part15 = match("MESSAGE#8:00001:08/2", "nwparser.p0", "for IP address %{hostip}/%{mask->} in zone %{zone->} has been %{disposition->} by %{p0}"); - - var part16 = match("MESSAGE#8:00001:08/4", "nwparser.p0", "%{} %{username}via NSRP Peer session. (%{fld1})"); - - var all5 = all_match({ - processors: [ - dup12, - dup335, - part15, - dup336, - part16, - ], - on_success: processor_chain([ - dup1, - dup9, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg9 = msg("00001:08", all5); - - var part17 = match("MESSAGE#9:00001:09/2", "nwparser.p0", "for IP address %{hostip}/%{mask->} in zone %{zone->} has been %{disposition->} by %{username->} via %{logon_type->} from host %{saddr}:%{sport->} session. 
(%{fld1})"); - - var all6 = all_match({ - processors: [ - dup12, - dup335, - part17, - ], - on_success: processor_chain([ - dup1, - dup9, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg10 = msg("00001:09", all6); - - var select6 = linear_select([ - msg1, - msg2, - msg3, - msg4, - msg5, - msg6, - msg7, - msg8, - msg9, - msg10, - ]); - - var part18 = match("MESSAGE#10:00002:03", "nwparser.payload", "Admin user %{administrator->} has been %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg11 = msg("00002:03", part18); - - var part19 = match("MESSAGE#11:00002:04", "nwparser.payload", "E-mail address %{user_address->} has been %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg12 = msg("00002:04", part19); - - var part20 = match("MESSAGE#12:00002:05", "nwparser.payload", "E-mail notification has been %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg13 = msg("00002:05", part20); - - var part21 = match("MESSAGE#13:00002:06", "nwparser.payload", "Inclusion of traffic logs with e-mail notification of event alarms has been %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg14 = msg("00002:06", part21); - - var part22 = match("MESSAGE#14:00002:07", "nwparser.payload", "LCD display has been %{action->} and the LCD control keys have been %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg15 = msg("00002:07", part22); - - var part23 = match("MESSAGE#15:00002:55", "nwparser.payload", "HTTP component blocking for %{fld2->} is %{disposition->} on zone %{zone->} by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport}. 
(%{fld1})", processor_chain([ - dup1, - dup2, - dup4, - dup5, - dup9, - ])); - - var msg16 = msg("00002:55", part23); - - var part24 = match("MESSAGE#16:00002:08", "nwparser.payload", "LCD display has been %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg17 = msg("00002:08", part24); - - var part25 = match("MESSAGE#17:00002:09", "nwparser.payload", "LCD control keys have been %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg18 = msg("00002:09", part25); - - var part26 = match("MESSAGE#18:00002:10", "nwparser.payload", "Mail server %{hostip->} has been %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg19 = msg("00002:10", part26); - - var part27 = match("MESSAGE#19:00002:11", "nwparser.payload", "Management restriction for %{hostip->} %{fld2->} has been %{disposition}", processor_chain([ - dup17, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg20 = msg("00002:11", part27); - - var part28 = match("MESSAGE#20:00002:12", "nwparser.payload", "%{change_attribute->} has been restored from %{change_old->} to default port %{change_new}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg21 = msg("00002:12", part28); - - var part29 = match("MESSAGE#21:00002:15", "nwparser.payload", "System configuration has been %{disposition}", processor_chain([ - dup18, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg22 = msg("00002:15", part29); - - var msg23 = msg("00002:17", dup334); - - var part30 = match("MESSAGE#23:00002:18/0", "nwparser.payload", "Unexpected error from e%{p0}"); - - var part31 = match("MESSAGE#23:00002:18/1_0", "nwparser.p0", "-mail %{p0}"); - - var part32 = match("MESSAGE#23:00002:18/1_1", "nwparser.p0", "mail %{p0}"); - - var select7 = linear_select([ - part31, - part32, - ]); - - var part33 = match("MESSAGE#23:00002:18/2", "nwparser.p0", "server(%{fld2}):"); - - var all7 = all_match({ - processors: [ - 
part30, - select7, - part33, - ], - on_success: processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg24 = msg("00002:18", all7); - - var part34 = match("MESSAGE#24:00002:19", "nwparser.payload", "Web Admin %{change_attribute->} value has been changed from %{change_old->} to %{change_new}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg25 = msg("00002:19", part34); - - var part35 = match("MESSAGE#25:00002:20/0", "nwparser.payload", "Root admin password restriction of minimum %{fld2->} characters has been %{disposition->} by admin %{administrator->} %{p0}"); - - var part36 = match("MESSAGE#25:00002:20/1_0", "nwparser.p0", "from Console %{}"); - - var select8 = linear_select([ - part36, - dup20, - dup21, - ]); - - var all8 = all_match({ - processors: [ - part35, - select8, - ], - on_success: processor_chain([ - dup22, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg26 = msg("00002:20", all8); - - var part37 = match("MESSAGE#26:00002:21/0_0", "nwparser.payload", "Root admin %{p0}"); - - var part38 = match("MESSAGE#26:00002:21/0_1", "nwparser.payload", "%{fld2->} admin %{p0}"); - - var select9 = linear_select([ - part37, - part38, - ]); - - var select10 = linear_select([ - dup24, - dup25, - ]); - - var part39 = match("MESSAGE#26:00002:21/3", "nwparser.p0", "has been changed by admin %{administrator}"); - - var all9 = all_match({ - processors: [ - select9, - dup23, - select10, - part39, - ], - on_success: processor_chain([ - dup22, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg27 = msg("00002:21", all9); - - var part40 = match("MESSAGE#27:00002:22/0", "nwparser.payload", "%{change_attribute->} from %{protocol->} before administrative session disconnects has been changed from %{change_old->} to %{change_new->} by admin %{p0}"); - - var part41 = match("MESSAGE#27:00002:22/1_0", "nwparser.p0", "%{administrator->} from Console"); - - var part42 = match("MESSAGE#27:00002:22/1_1", "nwparser.p0", 
"%{administrator->} from host %{saddr}"); - - var select11 = linear_select([ - part41, - part42, - dup26, - ]); - - var all10 = all_match({ - processors: [ - part40, - select11, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg28 = msg("00002:22", all10); - - var part43 = match("MESSAGE#28:00002:23/0", "nwparser.payload", "Root admin access restriction through console only has been %{disposition->} by admin %{administrator->} %{p0}"); - - var part44 = match("MESSAGE#28:00002:23/1_1", "nwparser.p0", "from Console%{}"); - - var select12 = linear_select([ - dup20, - part44, - dup21, - ]); - - var all11 = all_match({ - processors: [ - part43, - select12, - ], - on_success: processor_chain([ - dup22, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg29 = msg("00002:23", all11); - - var part45 = match("MESSAGE#29:00002:24/0", "nwparser.payload", "Admin access restriction of %{protocol->} administration through tunnel only has been %{disposition->} by admin %{administrator->} from %{p0}"); - - var part46 = match("MESSAGE#29:00002:24/1_0", "nwparser.p0", "host %{saddr}"); - - var part47 = match("MESSAGE#29:00002:24/1_1", "nwparser.p0", "Console%{}"); - - var select13 = linear_select([ - part46, - part47, - ]); - - var all12 = all_match({ - processors: [ - part45, - select13, - ], - on_success: processor_chain([ - dup22, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg30 = msg("00002:24", all12); - - var part48 = match("MESSAGE#30:00002:25", "nwparser.payload", "Admin AUTH: Local instance of an %{change_attribute->} has been changed from %{change_old->} to %{change_new}", processor_chain([ - setc("eventcategory","1402000000"), - dup2, - dup3, - dup4, - dup5, - ])); - - var msg31 = msg("00002:25", part48); - - var part49 = match("MESSAGE#31:00002:26", "nwparser.payload", "Cannot connect to e-mail server %{hostip}.", processor_chain([ - dup27, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg32 = msg("00002:26", 
part49); - - var part50 = match("MESSAGE#32:00002:27", "nwparser.payload", "Mail server is not configured.%{}", processor_chain([ - dup18, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg33 = msg("00002:27", part50); - - var part51 = match("MESSAGE#33:00002:28", "nwparser.payload", "Mail recipients were not configured.%{}", processor_chain([ - dup18, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg34 = msg("00002:28", part51); - - var part52 = match("MESSAGE#34:00002:29", "nwparser.payload", "Single use password restriction for read-write administrators has been %{disposition->} by admin %{administrator}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg35 = msg("00002:29", part52); - - var part53 = match("MESSAGE#35:00002:30", "nwparser.payload", "Admin user \"%{administrator}\" logged in for %{logon_type}(%{network_service}) management (port %{network_port}) from %{saddr}:%{sport}", processor_chain([ - dup28, - dup29, - dup30, - dup31, - dup32, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg36 = msg("00002:30", part53); - - var part54 = match("MESSAGE#36:00002:41", "nwparser.payload", "Admin user \"%{administrator}\" logged out for %{logon_type}(%{network_service}) management (port %{network_port}) from %{saddr}:%{sport}", processor_chain([ - dup33, - dup29, - dup34, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg37 = msg("00002:41", part54); - - var part55 = match("MESSAGE#37:00002:31", "nwparser.payload", "Admin user \"%{administrator}\" login attempt for %{logon_type->} %{space->} (%{network_service}) management (port %{network_port}) from %{saddr}:%{sport->} %{disposition}", processor_chain([ - dup35, - dup29, - dup30, - dup31, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg38 = msg("00002:31", part55); - - var part56 = match("MESSAGE#38:00002:32/0_0", "nwparser.payload", "E-mail notification %{p0}"); - - var part57 = match("MESSAGE#38:00002:32/0_1", "nwparser.payload", "Transparent virutal %{p0}"); - - var select14 = 
linear_select([ - part56, - part57, - ]); - - var part58 = match("MESSAGE#38:00002:32/1", "nwparser.p0", "wire mode has been %{disposition}"); - - var all13 = all_match({ - processors: [ - select14, - part58, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg39 = msg("00002:32", all13); - - var part59 = match("MESSAGE#39:00002:35", "nwparser.payload", "Malicious URL %{url->} has been %{disposition->} for zone %{zone}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg40 = msg("00002:35", part59); - - var part60 = match("MESSAGE#40:00002:36/0", "nwparser.payload", "Bypass%{p0}"); - - var part61 = match("MESSAGE#40:00002:36/1_0", "nwparser.p0", "-others-IPSec %{p0}"); - - var part62 = match("MESSAGE#40:00002:36/1_1", "nwparser.p0", " non-IP traffic %{p0}"); - - var select15 = linear_select([ - part61, - part62, - ]); - - var part63 = match("MESSAGE#40:00002:36/2", "nwparser.p0", "option has been %{disposition}"); - - var all14 = all_match({ - processors: [ - part60, - select15, - part63, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg41 = msg("00002:36", all14); - - var part64 = match("MESSAGE#41:00002:37/0", "nwparser.payload", "Logging of %{p0}"); - - var part65 = match("MESSAGE#41:00002:37/1_0", "nwparser.p0", "dropped %{p0}"); - - var part66 = match("MESSAGE#41:00002:37/1_1", "nwparser.p0", "IKE %{p0}"); - - var part67 = match("MESSAGE#41:00002:37/1_2", "nwparser.p0", "SNMP %{p0}"); - - var part68 = match("MESSAGE#41:00002:37/1_3", "nwparser.p0", "ICMP %{p0}"); - - var select16 = linear_select([ - part65, - part66, - part67, - part68, - ]); - - var part69 = match("MESSAGE#41:00002:37/2", "nwparser.p0", "traffic to self has been %{disposition}"); - - var all15 = all_match({ - processors: [ - part64, - select16, - part69, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg42 = 
msg("00002:37", all15); - - var part70 = match("MESSAGE#42:00002:38/0", "nwparser.payload", "Logging of dropped traffic to self (excluding multicast) has been %{p0}"); - - var part71 = match("MESSAGE#42:00002:38/1_0", "nwparser.p0", "%{disposition->} on %{zone}"); - - var select17 = linear_select([ - part71, - dup36, - ]); - - var all16 = all_match({ - processors: [ - part70, - select17, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg43 = msg("00002:38", all16); - - var part72 = match("MESSAGE#43:00002:39", "nwparser.payload", "Traffic shaping is %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg44 = msg("00002:39", part72); - - var part73 = match("MESSAGE#44:00002:40", "nwparser.payload", "Admin account created for '%{username}' by %{administrator->} via %{logon_type->} from host %{saddr->} (%{fld1})", processor_chain([ - dup37, - dup29, - setc("ec_activity","Create"), - dup38, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg45 = msg("00002:40", part73); - - var part74 = match("MESSAGE#45:00002:44", "nwparser.payload", "ADMIN AUTH: Privilege requested for unknown user %{username}. 
Possible HA syncronization problem.", processor_chain([ - dup35, - dup31, - dup39, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg46 = msg("00002:44", part74); - - var part75 = match("MESSAGE#46:00002:42/0", "nwparser.payload", "%{change_attribute->} for account '%{change_old}' has been %{disposition->} to '%{change_new}' %{p0}"); - - var part76 = match("MESSAGE#46:00002:42/1_0", "nwparser.p0", "by %{administrator->} via %{p0}"); - - var select18 = linear_select([ - part76, - dup40, - ]); - - var part77 = match("MESSAGE#46:00002:42/2", "nwparser.p0", "%{logon_type->} from host %{p0}"); - - var part78 = match("MESSAGE#46:00002:42/3_0", "nwparser.p0", "%{saddr->} to %{daddr}:%{dport->} (%{p0}"); - - var part79 = match("MESSAGE#46:00002:42/3_1", "nwparser.p0", "%{saddr}:%{sport->} (%{p0}"); - - var select19 = linear_select([ - part78, - part79, - ]); - - var all17 = all_match({ - processors: [ - part75, - select18, - part77, - select19, - dup41, - ], - on_success: processor_chain([ - dup42, - dup43, - dup38, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg47 = msg("00002:42", all17); - - var part80 = match("MESSAGE#47:00002:43/0", "nwparser.payload", "Admin account %{disposition->} for %{p0}"); - - var part81 = match("MESSAGE#47:00002:43/1_0", "nwparser.p0", "'%{username}'%{p0}"); - - var part82 = match("MESSAGE#47:00002:43/1_1", "nwparser.p0", "\"%{username}\"%{p0}"); - - var select20 = linear_select([ - part81, - part82, - ]); - - var part83 = match("MESSAGE#47:00002:43/2", "nwparser.p0", "%{}by %{administrator->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport->} (%{fld1})"); - - var all18 = all_match({ - processors: [ - part80, - select20, - part83, - ], - on_success: processor_chain([ - dup42, - dup29, - dup43, - dup38, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg48 = msg("00002:43", all18); - - var part84 = match("MESSAGE#48:00002:50", "nwparser.payload", "Admin account %{disposition->} for \"%{username}\" by 
%{administrator->} via %{logon_type->} from host %{saddr}:%{sport->} (%{fld1})", processor_chain([ - dup42, - dup29, - dup43, - dup38, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg49 = msg("00002:50", part84); - - var part85 = match("MESSAGE#49:00002:51", "nwparser.payload", "Admin account %{disposition->} for \"%{username}\" by %{administrator->} %{fld2->} via %{logon_type->} (%{fld1})", processor_chain([ - dup42, - dup29, - dup43, - dup38, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg50 = msg("00002:51", part85); - - var part86 = match("MESSAGE#50:00002:45", "nwparser.payload", "Extraneous exit is issued by %{username->} via %{logon_type->} from host %{saddr}:%{sport->} (%{fld1})", processor_chain([ - dup44, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg51 = msg("00002:45", part86); - - var part87 = match("MESSAGE#51:00002:47/0_0", "nwparser.payload", "Ping of Death attack protection %{p0}"); - - var part88 = match("MESSAGE#51:00002:47/0_1", "nwparser.payload", "Src Route IP option filtering %{p0}"); - - var part89 = match("MESSAGE#51:00002:47/0_2", "nwparser.payload", "Teardrop attack protection %{p0}"); - - var part90 = match("MESSAGE#51:00002:47/0_3", "nwparser.payload", "Land attack protection %{p0}"); - - var part91 = match("MESSAGE#51:00002:47/0_4", "nwparser.payload", "SYN flood protection %{p0}"); - - var select21 = linear_select([ - part87, - part88, - part89, - part90, - part91, - ]); - - var part92 = match("MESSAGE#51:00002:47/1", "nwparser.p0", "is %{disposition->} on zone %{zone->} by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport}. 
(%{fld1})"); - - var all19 = all_match({ - processors: [ - select21, - part92, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg52 = msg("00002:47", all19); - - var part93 = match("MESSAGE#52:00002:48/0", "nwparser.payload", "Dropping pkts if not %{p0}"); - - var part94 = match("MESSAGE#52:00002:48/1_0", "nwparser.p0", "exactly same with incoming if %{p0}"); - - var part95 = match("MESSAGE#52:00002:48/1_1", "nwparser.p0", "in route table %{p0}"); - - var select22 = linear_select([ - part94, - part95, - ]); - - var part96 = match("MESSAGE#52:00002:48/2", "nwparser.p0", "(IP spoof protection) is %{disposition->} on zone %{zone->} by %{username->} via %{p0}"); - - var part97 = match("MESSAGE#52:00002:48/3_0", "nwparser.p0", "NSRP Peer. (%{p0}"); - - var select23 = linear_select([ - part97, - dup45, - ]); - - var all20 = all_match({ - processors: [ - part93, - select22, - part96, - select23, - dup41, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg53 = msg("00002:48", all20); - - var part98 = match("MESSAGE#53:00002:52/0", "nwparser.payload", "%{signame->} %{p0}"); - - var part99 = match("MESSAGE#53:00002:52/1_0", "nwparser.p0", "protection%{p0}"); - - var part100 = match("MESSAGE#53:00002:52/1_1", "nwparser.p0", "limiting%{p0}"); - - var part101 = match("MESSAGE#53:00002:52/1_2", "nwparser.p0", "detection%{p0}"); - - var part102 = match("MESSAGE#53:00002:52/1_3", "nwparser.p0", "filtering %{p0}"); - - var select24 = linear_select([ - part99, - part100, - part101, - part102, - ]); - - var part103 = match("MESSAGE#53:00002:52/2", "nwparser.p0", "%{}is %{disposition->} on zone %{zone->} by %{p0}"); - - var part104 = match("MESSAGE#53:00002:52/3_1", "nwparser.p0", "admin via %{p0}"); - - var select25 = linear_select([ - dup46, - part104, - dup47, - ]); - - var select26 = linear_select([ - dup48, - dup45, - ]); - - var all21 = all_match({ - processors: [ - 
part98, - select24, - part103, - select25, - select26, - dup41, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg54 = msg("00002:52", all21); - - var part105 = match("MESSAGE#54:00002:53", "nwparser.payload", "Admin password for account \"%{username}\" has been %{disposition->} by %{administrator->} via %{logon_type->} (%{fld1})", processor_chain([ - dup42, - dup43, - dup38, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg55 = msg("00002:53", part105); - - var part106 = match("MESSAGE#55:00002:54/0", "nwparser.payload", "Traffic shaping clearing DSCP selector is turned O%{p0}"); - - var part107 = match("MESSAGE#55:00002:54/1_0", "nwparser.p0", "FF%{p0}"); - - var part108 = match("MESSAGE#55:00002:54/1_1", "nwparser.p0", "N%{p0}"); - - var select27 = linear_select([ - part107, - part108, - ]); - - var all22 = all_match({ - processors: [ - part106, - select27, - dup49, - ], - on_success: processor_chain([ - dup50, - dup43, - dup51, - dup2, - dup3, - dup4, - dup5, - dup9, - ]), - }); - - var msg56 = msg("00002:54", all22); - - var part109 = match("MESSAGE#56:00002/0", "nwparser.payload", "%{change_attribute->} %{p0}"); - - var part110 = match("MESSAGE#56:00002/1_0", "nwparser.p0", "has been changed%{p0}"); - - var select28 = linear_select([ - part110, - dup52, - ]); - - var part111 = match("MESSAGE#56:00002/2", "nwparser.p0", "%{}from %{change_old->} to %{change_new}"); - - var all23 = all_match({ - processors: [ - part109, - select28, - part111, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg57 = msg("00002", all23); - - var part112 = match("MESSAGE#1215:00002:56", "nwparser.payload", "Admin user \"%{administrator}\" login attempt for %{logon_type}(%{network_service}) management (port %{network_port}) from %{saddr}:%{sport->} failed. 
(%{fld1})", processor_chain([ - dup53, - dup9, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg58 = msg("00002:56", part112); - - var select29 = linear_select([ - msg11, - msg12, - msg13, - msg14, - msg15, - msg16, - msg17, - msg18, - msg19, - msg20, - msg21, - msg22, - msg23, - msg24, - msg25, - msg26, - msg27, - msg28, - msg29, - msg30, - msg31, - msg32, - msg33, - msg34, - msg35, - msg36, - msg37, - msg38, - msg39, - msg40, - msg41, - msg42, - msg43, - msg44, - msg45, - msg46, - msg47, - msg48, - msg49, - msg50, - msg51, - msg52, - msg53, - msg54, - msg55, - msg56, - msg57, - msg58, - ]); - - var part113 = match("MESSAGE#57:00003", "nwparser.payload", "Multiple authentication failures have been detected! From %{saddr}:%{sport->} to %{daddr}:%{dport->} using protocol %{protocol->} on interface %{interface}", processor_chain([ - dup53, - dup31, - dup54, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg59 = msg("00003", part113); - - var part114 = match("MESSAGE#58:00003:01", "nwparser.payload", "Multiple authentication failures have been detected!%{}", processor_chain([ - dup53, - dup31, - dup54, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg60 = msg("00003:01", part114); - - var part115 = match("MESSAGE#59:00003:02", "nwparser.payload", "The console debug buffer has been %{disposition}", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg61 = msg("00003:02", part115); - - var part116 = match("MESSAGE#60:00003:03", "nwparser.payload", "%{change_attribute->} changed from %{change_old->} to %{change_new}.", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg62 = msg("00003:03", part116); - - var part117 = match("MESSAGE#61:00003:05/1_0", "nwparser.p0", "serial%{p0}"); - - var part118 = match("MESSAGE#61:00003:05/1_1", "nwparser.p0", "local%{p0}"); - - var select30 = linear_select([ - part117, - part118, - ]); - - var part119 = match("MESSAGE#61:00003:05/2", "nwparser.p0", "%{}console has been 
%{disposition->} by admin %{administrator}."); - - var all24 = all_match({ - processors: [ - dup55, - select30, - part119, - ], - on_success: processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg63 = msg("00003:05", all24); - - var select31 = linear_select([ - msg59, - msg60, - msg61, - msg62, - msg63, - ]); - - var part120 = match("MESSAGE#62:00004", "nwparser.payload", "%{info}DNS server IP has been changed", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg64 = msg("00004", part120); - - var part121 = match("MESSAGE#63:00004:01", "nwparser.payload", "DNS cache table has been %{disposition}", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg65 = msg("00004:01", part121); - - var part122 = match("MESSAGE#64:00004:02", "nwparser.payload", "Daily DNS lookup has been %{disposition}", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg66 = msg("00004:02", part122); - - var part123 = match("MESSAGE#65:00004:03", "nwparser.payload", "Daily DNS lookup time has been %{disposition}", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg67 = msg("00004:03", part123); - - var part124 = match("MESSAGE#66:00004:04/0", "nwparser.payload", "%{signame->} has been detected! 
From %{saddr->} to %{daddr->} using protocol %{protocol->} on %{p0}"); - - var part125 = match("MESSAGE#66:00004:04/2", "nwparser.p0", "%{} %{interface->} %{space}The attack occurred %{dclass_counter1->} times"); - - var all25 = all_match({ - processors: [ - part124, - dup337, - part125, - ], - on_success: processor_chain([ - dup58, - dup2, - dup4, - dup5, - dup59, - dup3, - dup60, - ]), - }); - - var msg68 = msg("00004:04", all25); - - var part126 = match("MESSAGE#67:00004:05", "nwparser.payload", "%{signame->} from %{saddr}/%{sport->} to %{daddr}/%{dport->} protocol %{protocol}", processor_chain([ - dup58, - dup2, - dup4, - dup5, - dup3, - dup61, - ])); - - var msg69 = msg("00004:05", part126); - - var part127 = match("MESSAGE#68:00004:06", "nwparser.payload", "DNS lookup time has been changed to start at %{fld2}:%{fld3->} with an interval of %{fld4}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg70 = msg("00004:06", part127); - - var part128 = match("MESSAGE#69:00004:07", "nwparser.payload", "DNS cache table entries have been refreshed as result of external event.%{}", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg71 = msg("00004:07", part128); - - var part129 = match("MESSAGE#70:00004:08", "nwparser.payload", "DNS Proxy module has been %{disposition}.", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg72 = msg("00004:08", part129); - - var part130 = match("MESSAGE#71:00004:09", "nwparser.payload", "DNS Proxy module has more concurrent client requests than allowed.%{}", processor_chain([ - dup62, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg73 = msg("00004:09", part130); - - var part131 = match("MESSAGE#72:00004:10", "nwparser.payload", "DNS Proxy server select table entries exceeded maximum limit.%{}", processor_chain([ - dup62, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg74 = msg("00004:10", part131); - - var part132 = match("MESSAGE#73:00004:11", 
"nwparser.payload", "Proxy server select table added with domain %{domain}, interface %{interface}, primary-ip %{fld2}, secondary-ip %{fld3}, tertiary-ip %{fld4}, failover %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg75 = msg("00004:11", part132); - - var part133 = match("MESSAGE#74:00004:12", "nwparser.payload", "DNS Proxy server select table entry %{disposition->} with domain %{domain}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg76 = msg("00004:12", part133); - - var part134 = match("MESSAGE#75:00004:13", "nwparser.payload", "DDNS server %{domain->} returned incorrect ip %{fld2}, local-ip should be %{fld3}", processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg77 = msg("00004:13", part134); - - var part135 = match("MESSAGE#76:00004:14/1_0", "nwparser.p0", "automatically refreshed %{p0}"); - - var part136 = match("MESSAGE#76:00004:14/1_1", "nwparser.p0", "refreshed by HA %{p0}"); - - var select32 = linear_select([ - part135, - part136, - ]); - - var all26 = all_match({ - processors: [ - dup63, - select32, - dup49, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg78 = msg("00004:14", all26); - - var part137 = match("MESSAGE#77:00004:15", "nwparser.payload", "DNS entries have been refreshed as result of DNS server address change. (%{fld1})", processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg79 = msg("00004:15", part137); - - var part138 = match("MESSAGE#78:00004:16", "nwparser.payload", "DNS entries have been manually refreshed. 
(%{fld1})", processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg80 = msg("00004:16", part138); - - var all27 = all_match({ - processors: [ - dup64, - dup338, - dup67, - ], - on_success: processor_chain([ - dup58, - dup2, - dup4, - dup59, - dup9, - dup5, - dup3, - dup60, - ]), - }); - - var msg81 = msg("00004:17", all27); - - var select33 = linear_select([ - msg64, - msg65, - msg66, - msg67, - msg68, - msg69, - msg70, - msg71, - msg72, - msg73, - msg74, - msg75, - msg76, - msg77, - msg78, - msg79, - msg80, - msg81, - ]); - - var part139 = match("MESSAGE#80:00005", "nwparser.payload", "%{signame->} alarm threshold from the same source has been changed to %{trigger_val}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg82 = msg("00005", part139); - - var part140 = match("MESSAGE#81:00005:01", "nwparser.payload", "Logging of %{fld2->} traffic to self has been %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg83 = msg("00005:01", part140); - - var part141 = match("MESSAGE#82:00005:02", "nwparser.payload", "SYN flood %{fld2->} has been changed to %{fld3}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg84 = msg("00005:02", part141); - - var part142 = match("MESSAGE#83:00005:03/0", "nwparser.payload", "%{signame->} has been detected! From %{saddr}:%{sport->} to %{daddr}:%{p0}"); - - var part143 = match("MESSAGE#83:00005:03/4", "nwparser.p0", "%{fld99}interface %{interface->} %{p0}"); - - var part144 = match("MESSAGE#83:00005:03/5_0", "nwparser.p0", "in zone %{zone}. 
%{p0}"); - - var select34 = linear_select([ - part144, - dup73, - ]); - - var part145 = match("MESSAGE#83:00005:03/6", "nwparser.p0", "%{space}The attack occurred %{dclass_counter1->} times"); - - var all28 = all_match({ - processors: [ - part142, - dup339, - dup70, - dup340, - part143, - select34, - part145, - ], - on_success: processor_chain([ - dup58, - dup2, - dup3, - dup4, - dup5, - dup59, - dup61, - ]), - }); - - var msg85 = msg("00005:03", all28); - - var msg86 = msg("00005:04", dup341); - - var part146 = match("MESSAGE#85:00005:05", "nwparser.payload", "SYN flood drop pak in %{fld2->} mode when receiving unknown dst mac has been %{disposition->} on %{zone}.", processor_chain([ - setc("eventcategory","1001020100"), - dup2, - dup3, - dup4, - dup5, - ])); - - var msg87 = msg("00005:05", part146); - - var part147 = match("MESSAGE#86:00005:06/1", "nwparser.p0", "flood timeout has been set to %{trigger_val->} on %{zone}."); - - var all29 = all_match({ - processors: [ - dup342, - part147, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg88 = msg("00005:06", all29); - - var part148 = match("MESSAGE#87:00005:07/0", "nwparser.payload", "SYN flood %{p0}"); - - var part149 = match("MESSAGE#87:00005:07/1_0", "nwparser.p0", "alarm threshold %{p0}"); - - var part150 = match("MESSAGE#87:00005:07/1_1", "nwparser.p0", "packet queue size %{p0}"); - - var part151 = match("MESSAGE#87:00005:07/1_3", "nwparser.p0", "attack threshold %{p0}"); - - var part152 = match("MESSAGE#87:00005:07/1_4", "nwparser.p0", "same source IP threshold %{p0}"); - - var select35 = linear_select([ - part149, - part150, - dup76, - part151, - part152, - ]); - - var part153 = match("MESSAGE#87:00005:07/2", "nwparser.p0", "is set to %{trigger_val}."); - - var all30 = all_match({ - processors: [ - part148, - select35, - part153, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg89 = msg("00005:07", all30); - 
- var part154 = match("MESSAGE#88:00005:08/1", "nwparser.p0", "flood same %{p0}"); - - var select36 = linear_select([ - dup77, - dup78, - ]); - - var part155 = match("MESSAGE#88:00005:08/3", "nwparser.p0", "ip threshold has been set to %{trigger_val->} on %{zone}."); - - var all31 = all_match({ - processors: [ - dup342, - part154, - select36, - part155, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg90 = msg("00005:08", all31); - - var part156 = match("MESSAGE#89:00005:09", "nwparser.payload", "Screen service %{service->} is %{disposition->} on interface %{interface}.", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg91 = msg("00005:09", part156); - - var part157 = match("MESSAGE#90:00005:10", "nwparser.payload", "Screen service %{service->} is %{disposition->} on %{zone}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg92 = msg("00005:10", part157); - - var part158 = match("MESSAGE#91:00005:11/0", "nwparser.payload", "The SYN flood %{p0}"); - - var part159 = match("MESSAGE#91:00005:11/1_0", "nwparser.p0", "alarm threshold%{}"); - - var part160 = match("MESSAGE#91:00005:11/1_1", "nwparser.p0", "packet queue size%{}"); - - var part161 = match("MESSAGE#91:00005:11/1_2", "nwparser.p0", "timeout value%{}"); - - var part162 = match("MESSAGE#91:00005:11/1_3", "nwparser.p0", "attack threshold%{}"); - - var part163 = match("MESSAGE#91:00005:11/1_4", "nwparser.p0", "same source IP%{}"); - - var select37 = linear_select([ - part159, - part160, - part161, - part162, - part163, - ]); - - var all32 = all_match({ - processors: [ - part158, - select37, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg93 = msg("00005:11", all32); - - var part164 = match("MESSAGE#92:00005:12", "nwparser.payload", "The SYN-ACK-ACK proxy threshold value has been set to %{trigger_val->} on %{interface}.", processor_chain([ - dup1, - dup2, - 
dup3, - dup4, - dup5, - ])); - - var msg94 = msg("00005:12", part164); - - var part165 = match("MESSAGE#93:00005:13", "nwparser.payload", "The session limit threshold has been set to %{trigger_val->} on %{zone}.", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg95 = msg("00005:13", part165); - - var part166 = match("MESSAGE#94:00005:14", "nwparser.payload", "syn proxy drop packet with unknown mac!%{}", processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg96 = msg("00005:14", part166); - - var part167 = match("MESSAGE#95:00005:15", "nwparser.payload", "%{signame->} alarm threshold has been changed to %{trigger_val}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg97 = msg("00005:15", part167); - - var part168 = match("MESSAGE#96:00005:16", "nwparser.payload", "%{signame->} threshold has been set to %{trigger_val->} on %{zone}.", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg98 = msg("00005:16", part168); - - var part169 = match("MESSAGE#97:00005:17/1_0", "nwparser.p0", "destination-based %{p0}"); - - var part170 = match("MESSAGE#97:00005:17/1_1", "nwparser.p0", "source-based %{p0}"); - - var select38 = linear_select([ - part169, - part170, - ]); - - var part171 = match("MESSAGE#97:00005:17/2", "nwparser.p0", "session-limit threshold has been set at %{trigger_val->} in zone %{zone}."); - - var all33 = all_match({ - processors: [ - dup79, - select38, - part171, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg99 = msg("00005:17", all33); - - var all34 = all_match({ - processors: [ - dup80, - dup343, - dup83, - ], - on_success: processor_chain([ - dup84, - dup2, - dup59, - dup9, - dup3, - dup4, - dup5, - dup61, - ]), - }); - - var msg100 = msg("00005:18", all34); - - var part172 = match("MESSAGE#99:00005:19", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to %{daddr}:%{dport}, using protocol 
%{protocol}, and arriving at interface %{dinterface->} in zone %{dst_zone}.The attack occurred %{dclass_counter1->} times.", processor_chain([ - dup84, - dup2, - dup3, - dup4, - dup5, - dup59, - dup61, - ])); - - var msg101 = msg("00005:19", part172); - - var part173 = match("MESSAGE#100:00005:20", "nwparser.payload", "%{signame->} From %{saddr->} to %{daddr}, proto %{protocol->} (zone %{zone->} int %{interface}).%{space->} Occurred %{fld2->} times. (%{fld1})\u003c\u003c%{fld6}>", processor_chain([ - dup84, - dup9, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg102 = msg("00005:20", part173); - - var select39 = linear_select([ - msg82, - msg83, - msg84, - msg85, - msg86, - msg87, - msg88, - msg89, - msg90, - msg91, - msg92, - msg93, - msg94, - msg95, - msg96, - msg97, - msg98, - msg99, - msg100, - msg101, - msg102, - ]); - - var part174 = match("MESSAGE#101:00006", "nwparser.payload", "%{signame->} has been detected! From %{saddr}:%{sport->} to %{daddr}:%{dport->} using protocol %{protocol->} on interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([ - dup85, - dup2, - dup3, - dup4, - dup59, - dup5, - dup61, - ])); - - var msg103 = msg("00006", part174); - - var part175 = match("MESSAGE#102:00006:01", "nwparser.payload", "Hostname set to \"%{hostname}\"", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg104 = msg("00006:01", part175); - - var part176 = match("MESSAGE#103:00006:02", "nwparser.payload", "Domain set to %{domain}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg105 = msg("00006:02", part176); - - var part177 = match("MESSAGE#104:00006:03", "nwparser.payload", "An optional ScreenOS feature has been activated via a software key.%{}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg106 = msg("00006:03", part177); - - var part178 = match("MESSAGE#105:00006:04/0", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to 
%{daddr}:%{dport}, proto %{protocol->} (zone %{p0}"); - - var all35 = all_match({ - processors: [ - part178, - dup338, - dup67, - ], - on_success: processor_chain([ - dup84, - dup2, - dup59, - dup9, - dup3, - dup4, - dup5, - dup61, - ]), - }); - - var msg107 = msg("00006:04", all35); - - var all36 = all_match({ - processors: [ - dup64, - dup338, - dup67, - ], - on_success: processor_chain([ - dup84, - dup2, - dup59, - dup9, - dup3, - dup4, - dup5, - dup60, - ]), - }); - - var msg108 = msg("00006:05", all36); - - var select40 = linear_select([ - msg103, - msg104, - msg105, - msg106, - msg107, - msg108, - ]); - - var part179 = match("MESSAGE#107:00007", "nwparser.payload", "HA cluster ID has been changed to %{fld2}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg109 = msg("00007", part179); - - var part180 = match("MESSAGE#108:00007:01", "nwparser.payload", "%{change_attribute->} of the local NetScreen device has changed from %{change_old->} to %{change_new}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg110 = msg("00007:01", part180); - - var part181 = match("MESSAGE#109:00007:02/0", "nwparser.payload", "HA state of the local device has changed to backup because a device with a %{p0}"); - - var part182 = match("MESSAGE#109:00007:02/1_0", "nwparser.p0", "higher priority has been detected%{}"); - - var part183 = match("MESSAGE#109:00007:02/1_1", "nwparser.p0", "lower MAC value has been detected%{}"); - - var select41 = linear_select([ - part182, - part183, - ]); - - var all37 = all_match({ - processors: [ - part181, - select41, - ], - on_success: processor_chain([ - dup86, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg111 = msg("00007:02", all37); - - var part184 = match("MESSAGE#110:00007:03", "nwparser.payload", "HA state of the local device has changed to init because IP tracking has failed%{}", processor_chain([ - dup86, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg112 = msg("00007:03", 
part184); - - var select42 = linear_select([ - dup88, - dup89, - ]); - - var part185 = match("MESSAGE#111:00007:04/4", "nwparser.p0", "has been changed%{}"); - - var all38 = all_match({ - processors: [ - dup87, - select42, - dup23, - dup344, - part185, - ], - on_success: processor_chain([ - dup91, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg113 = msg("00007:04", all38); - - var part186 = match("MESSAGE#112:00007:05", "nwparser.payload", "HA: Local NetScreen device has been elected backup because a master already exists%{}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg114 = msg("00007:05", part186); - - var part187 = match("MESSAGE#113:00007:06", "nwparser.payload", "HA: Local NetScreen device has been elected backup because its MAC value is higher than those of other devices in the cluster%{}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg115 = msg("00007:06", part187); - - var part188 = match("MESSAGE#114:00007:07", "nwparser.payload", "HA: Local NetScreen device has been elected backup because its priority value is higher than those of other devices in the cluster%{}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg116 = msg("00007:07", part188); - - var part189 = match("MESSAGE#115:00007:08", "nwparser.payload", "HA: Local device has been elected master because no other master exists%{}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg117 = msg("00007:08", part189); - - var part190 = match("MESSAGE#116:00007:09", "nwparser.payload", "HA: Local device priority has been changed to %{fld2}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg118 = msg("00007:09", part190); - - var part191 = match("MESSAGE#117:00007:10", "nwparser.payload", "HA: Previous master has promoted the local NetScreen device to master%{}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg119 = msg("00007:10", 
part191); - - var part192 = match("MESSAGE#118:00007:11/0", "nwparser.payload", "IP tracking device failover threshold has been %{p0}"); - - var select43 = linear_select([ - dup92, - dup93, - ]); - - var all39 = all_match({ - processors: [ - part192, - select43, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg120 = msg("00007:11", all39); - - var part193 = match("MESSAGE#119:00007:12", "nwparser.payload", "IP tracking has been %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg121 = msg("00007:12", part193); - - var part194 = match("MESSAGE#120:00007:13", "nwparser.payload", "IP tracking to %{hostip->} with interval %{fld2->} threshold %{trigger_val->} weight %{fld4->} interface %{interface->} method %{fld5->} has been %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg122 = msg("00007:13", part194); - - var part195 = match("MESSAGE#121:00007:14", "nwparser.payload", "%{signame->} From %{saddr->} to %{daddr->} using protocol %{protocol->} on zone %{zone->} interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([ - dup85, - dup2, - dup3, - dup4, - dup59, - dup5, - dup60, - ])); - - var msg123 = msg("00007:14", part195); - - var part196 = match("MESSAGE#122:00007:15", "nwparser.payload", "Primary HA interface has been changed to %{interface}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg124 = msg("00007:15", part196); - - var part197 = match("MESSAGE#123:00007:16", "nwparser.payload", "Reporting of HA configuration and status changes to NetScreen-Global Manager has been %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg125 = msg("00007:16", part197); - - var part198 = match("MESSAGE#124:00007:17", "nwparser.payload", "Tracked IP %{hostip->} has been %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - 
dup5, - ])); - - var msg126 = msg("00007:17", part198); - - var part199 = match("MESSAGE#125:00007:18/0", "nwparser.payload", "Tracked IP %{hostip->} options have been changed from int %{fld2->} thr %{fld3->} wgt %{fld4->} inf %{fld5->} %{p0}"); - - var part200 = match("MESSAGE#125:00007:18/1_0", "nwparser.p0", "ping %{p0}"); - - var part201 = match("MESSAGE#125:00007:18/1_1", "nwparser.p0", "ARP %{p0}"); - - var select44 = linear_select([ - part200, - part201, - ]); - - var part202 = match("MESSAGE#125:00007:18/2", "nwparser.p0", "to %{fld6->} %{p0}"); - - var part203 = match("MESSAGE#125:00007:18/3_0", "nwparser.p0", "ping%{}"); - - var part204 = match("MESSAGE#125:00007:18/3_1", "nwparser.p0", "ARP%{}"); - - var select45 = linear_select([ - part203, - part204, - ]); - - var all40 = all_match({ - processors: [ - part199, - select44, - part202, - select45, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg127 = msg("00007:18", all40); - - var part205 = match("MESSAGE#126:00007:20", "nwparser.payload", "Change %{change_attribute->} path from %{change_old->} to %{change_new}.", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg128 = msg("00007:20", part205); - - var part206 = match("MESSAGE#127:00007:21/0", "nwparser.payload", "HA Slave is %{p0}"); - - var all41 = all_match({ - processors: [ - part206, - dup345, - ], - on_success: processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg129 = msg("00007:21", all41); - - var part207 = match("MESSAGE#128:00007:22", "nwparser.payload", "HA change group id to %{groupid}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg130 = msg("00007:22", part207); - - var part208 = match("MESSAGE#129:00007:23", "nwparser.payload", "HA change priority to %{fld2}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg131 = msg("00007:23", part208); - - var part209 = 
match("MESSAGE#130:00007:24", "nwparser.payload", "HA change state to init%{}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg132 = msg("00007:24", part209); - - var part210 = match("MESSAGE#131:00007:25", "nwparser.payload", "HA: Change state to initial state.%{}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg133 = msg("00007:25", part210); - - var part211 = match("MESSAGE#132:00007:26/0", "nwparser.payload", "HA: Change state to slave for %{p0}"); - - var part212 = match("MESSAGE#132:00007:26/1_0", "nwparser.p0", "tracking ip failed%{}"); - - var part213 = match("MESSAGE#132:00007:26/1_1", "nwparser.p0", "linkdown%{}"); - - var select46 = linear_select([ - part212, - part213, - ]); - - var all42 = all_match({ - processors: [ - part211, - select46, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg134 = msg("00007:26", all42); - - var part214 = match("MESSAGE#133:00007:27", "nwparser.payload", "HA: Change to master command issued from original master to change state%{}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg135 = msg("00007:27", part214); - - var part215 = match("MESSAGE#134:00007:28", "nwparser.payload", "HA: Elected master no other master%{}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg136 = msg("00007:28", part215); - - var part216 = match("MESSAGE#135:00007:29/0", "nwparser.payload", "HA: Elected slave %{p0}"); - - var part217 = match("MESSAGE#135:00007:29/1_0", "nwparser.p0", "lower priority%{}"); - - var part218 = match("MESSAGE#135:00007:29/1_1", "nwparser.p0", "MAC value is larger%{}"); - - var part219 = match("MESSAGE#135:00007:29/1_2", "nwparser.p0", "master already exists%{}"); - - var part220 = match("MESSAGE#135:00007:29/1_3", "nwparser.p0", "detect new master with higher priority%{}"); - - var part221 = match("MESSAGE#135:00007:29/1_4", "nwparser.p0", "detect new master 
with smaller MAC value%{}"); - - var select47 = linear_select([ - part217, - part218, - part219, - part220, - part221, - ]); - - var all43 = all_match({ - processors: [ - part216, - select47, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg137 = msg("00007:29", all43); - - var part222 = match("MESSAGE#136:00007:30", "nwparser.payload", "HA: Promoted master command issued from original master to change state%{}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg138 = msg("00007:30", part222); - - var part223 = match("MESSAGE#137:00007:31/0", "nwparser.payload", "HA: ha link %{p0}"); - - var all44 = all_match({ - processors: [ - part223, - dup345, - ], - on_success: processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg139 = msg("00007:31", all44); - - var part224 = match("MESSAGE#138:00007:32/0", "nwparser.payload", "NSRP %{fld2->} %{p0}"); - - var select48 = linear_select([ - dup89, - dup88, - ]); - - var part225 = match("MESSAGE#138:00007:32/4", "nwparser.p0", "changed.%{}"); - - var all45 = all_match({ - processors: [ - part224, - select48, - dup23, - dup344, - part225, - ], - on_success: processor_chain([ - dup91, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg140 = msg("00007:32", all45); - - var part226 = match("MESSAGE#139:00007:33/0_0", "nwparser.payload", "NSRP: VSD %{p0}"); - - var part227 = match("MESSAGE#139:00007:33/0_1", "nwparser.payload", "Virtual Security Device group %{p0}"); - - var select49 = linear_select([ - part226, - part227, - ]); - - var part228 = match("MESSAGE#139:00007:33/1", "nwparser.p0", "%{fld2->} change%{p0}"); - - var part229 = match("MESSAGE#139:00007:33/2_0", "nwparser.p0", "d %{p0}"); - - var select50 = linear_select([ - part229, - dup96, - ]); - - var part230 = match("MESSAGE#139:00007:33/3", "nwparser.p0", "to %{fld3->} mode."); - - var all46 = all_match({ - processors: [ - select49, - part228, - select50, - 
part230, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg141 = msg("00007:33", all46); - - var part231 = match("MESSAGE#140:00007:34", "nwparser.payload", "NSRP: message %{fld2->} dropped: invalid encryption password.", processor_chain([ - dup97, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg142 = msg("00007:34", part231); - - var part232 = match("MESSAGE#141:00007:35", "nwparser.payload", "NSRP: nsrp interface change to %{interface}.", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg143 = msg("00007:35", part232); - - var part233 = match("MESSAGE#142:00007:36", "nwparser.payload", "RTO mirror group id=%{groupid->} direction= %{direction->} local unit=%{fld3->} duplicate from unit=%{fld4}", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg144 = msg("00007:36", part233); - - var part234 = match("MESSAGE#143:00007:37/0", "nwparser.payload", "RTO mirror group id=%{groupid->} direction= %{direction->} is %{p0}"); - - var all47 = all_match({ - processors: [ - part234, - dup346, - ], - on_success: processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg145 = msg("00007:37", all47); - - var part235 = match("MESSAGE#144:00007:38/0", "nwparser.payload", "RTO mirror group id=%{groupid->} direction= %{direction->} peer=%{fld3->} from %{p0}"); - - var part236 = match("MESSAGE#144:00007:38/4", "nwparser.p0", "state %{p0}"); - - var part237 = match("MESSAGE#144:00007:38/5_0", "nwparser.p0", "missed heartbeat%{}"); - - var part238 = match("MESSAGE#144:00007:38/5_1", "nwparser.p0", "group detached%{}"); - - var select51 = linear_select([ - part237, - part238, - ]); - - var all48 = all_match({ - processors: [ - part235, - dup347, - dup103, - dup347, - part236, - select51, - ], - on_success: processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg146 = msg("00007:38", all48); - - var part239 = 
match("MESSAGE#145:00007:39/0", "nwparser.payload", "RTO mirror group id=%{groupid->} is %{p0}"); - - var all49 = all_match({ - processors: [ - part239, - dup346, - ], - on_success: processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg147 = msg("00007:39", all49); - - var part240 = match("MESSAGE#146:00007:40", "nwparser.payload", "Remove pathname %{fld2->} (ifnum=%{fld3}) as secondary HA path", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg148 = msg("00007:40", part240); - - var part241 = match("MESSAGE#147:00007:41", "nwparser.payload", "Session sync ended by unit=%{fld2}", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg149 = msg("00007:41", part241); - - var part242 = match("MESSAGE#148:00007:42", "nwparser.payload", "Set secondary HA path to %{fld2->} (ifnum=%{fld3})", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg150 = msg("00007:42", part242); - - var part243 = match("MESSAGE#149:00007:43", "nwparser.payload", "VSD %{change_attribute->} changed from %{change_old->} to %{change_new}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg151 = msg("00007:43", part243); - - var part244 = match("MESSAGE#150:00007:44", "nwparser.payload", "vsd group id=%{groupid->} is %{disposition->} total number=%{fld3}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg152 = msg("00007:44", part244); - - var part245 = match("MESSAGE#151:00007:45", "nwparser.payload", "vsd group %{group->} local unit %{change_attribute->} changed from %{change_old->} to %{change_new}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg153 = msg("00007:45", part245); - - var part246 = match("MESSAGE#152:00007:46", "nwparser.payload", "%{signame->} has been detected! 
From %{saddr->} to %{daddr->} using protocol %{protocol->} on interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([ - dup85, - dup2, - dup3, - dup4, - dup59, - dup5, - dup60, - ])); - - var msg154 = msg("00007:46", part246); - - var part247 = match("MESSAGE#153:00007:47", "nwparser.payload", "The HA channel changed to interface %{interface}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg155 = msg("00007:47", part247); - - var part248 = match("MESSAGE#154:00007:48", "nwparser.payload", "Message %{fld2->} was dropped because it contained an invalid encryption password.", processor_chain([ - dup97, - dup2, - dup3, - dup4, - setc("disposition","dropped"), - setc("result","Invalid encryption Password"), - ])); - - var msg156 = msg("00007:48", part248); - - var part249 = match("MESSAGE#155:00007:49", "nwparser.payload", "The %{change_attribute->} of all Virtual Security Device groups changed from %{change_old->} to %{change_new}", processor_chain([ - setc("eventcategory","1604000000"), - dup2, - dup3, - dup4, - dup5, - ])); - - var msg157 = msg("00007:49", part249); - - var part250 = match("MESSAGE#156:00007:50/0", "nwparser.payload", "Device %{fld2->} %{p0}"); - - var part251 = match("MESSAGE#156:00007:50/1_0", "nwparser.p0", "has joined %{p0}"); - - var part252 = match("MESSAGE#156:00007:50/1_1", "nwparser.p0", "quit current %{p0}"); - - var select52 = linear_select([ - part251, - part252, - ]); - - var part253 = match("MESSAGE#156:00007:50/2", "nwparser.p0", "NSRP cluster %{fld3}"); - - var all50 = all_match({ - processors: [ - part250, - select52, - part253, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg158 = msg("00007:50", all50); - - var part254 = match("MESSAGE#157:00007:51/0", "nwparser.payload", "Virtual Security Device group %{group->} was %{p0}"); - - var part255 = match("MESSAGE#157:00007:51/1_1", "nwparser.p0", "deleted %{p0}"); - 
- var select53 = linear_select([ - dup104, - part255, - ]); - - var select54 = linear_select([ - dup105, - dup73, - ]); - - var part256 = match("MESSAGE#157:00007:51/4", "nwparser.p0", "The total number of members in the group %{p0}"); - - var select55 = linear_select([ - dup106, - dup107, - ]); - - var all51 = all_match({ - processors: [ - part254, - select53, - dup23, - select54, - part256, - select55, - dup108, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg159 = msg("00007:51", all51); - - var part257 = match("MESSAGE#158:00007:52", "nwparser.payload", "Virtual Security Device group %{group->} %{change_attribute->} changed from %{change_old->} to %{change_new}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg160 = msg("00007:52", part257); - - var part258 = match("MESSAGE#159:00007:53", "nwparser.payload", "The secondary HA path of the devices was set to interface %{interface->} with ifnum %{fld2}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg161 = msg("00007:53", part258); - - var part259 = match("MESSAGE#160:00007:54", "nwparser.payload", "The %{change_attribute->} of the devices changed from %{change_old->} to %{change_new}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg162 = msg("00007:54", part259); - - var part260 = match("MESSAGE#161:00007:55", "nwparser.payload", "The interface %{interface->} with ifnum %{fld2->} was removed from the secondary HA path of the devices.", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg163 = msg("00007:55", part260); - - var part261 = match("MESSAGE#162:00007:56", "nwparser.payload", "The probe that detects the status of High Availability link %{fld2->} was %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg164 = msg("00007:56", part261); - - var select56 = linear_select([ - dup109, - dup110, - ]); - - var 
select57 = linear_select([ - dup111, - dup112, - ]); - - var part262 = match("MESSAGE#163:00007:57/4", "nwparser.p0", "the probe detecting the status of High Availability link %{fld2->} was set to %{fld3}"); - - var all52 = all_match({ - processors: [ - dup55, - select56, - dup23, - select57, - part262, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg165 = msg("00007:57", all52); - - var part263 = match("MESSAGE#164:00007:58", "nwparser.payload", "A request by device %{fld2->} for session synchronization(s) was accepted.", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg166 = msg("00007:58", part263); - - var part264 = match("MESSAGE#165:00007:59", "nwparser.payload", "The current session synchronization by device %{fld2->} completed.", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg167 = msg("00007:59", part264); - - var part265 = match("MESSAGE#166:00007:60", "nwparser.payload", "Run Time Object mirror group %{group->} direction was set to %{direction}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg168 = msg("00007:60", part265); - - var part266 = match("MESSAGE#167:00007:61", "nwparser.payload", "Run Time Object mirror group %{group->} was set.", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg169 = msg("00007:61", part266); - - var part267 = match("MESSAGE#168:00007:62", "nwparser.payload", "Run Time Object mirror group %{group->} with direction %{direction->} was unset.", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg170 = msg("00007:62", part267); - - var part268 = match("MESSAGE#169:00007:63", "nwparser.payload", "RTO mirror group %{group->} was unset.", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg171 = msg("00007:63", part268); - - var part269 = match("MESSAGE#170:00007:64/1", "nwparser.p0", "%{fld2->} was removed from the 
monitoring list %{p0}"); - - var part270 = match("MESSAGE#170:00007:64/3", "nwparser.p0", "%{fld3}"); - - var all53 = all_match({ - processors: [ - dup348, - part269, - dup349, - part270, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg172 = msg("00007:64", all53); - - var part271 = match("MESSAGE#171:00007:65/1", "nwparser.p0", "%{fld2->} with weight %{fld3->} was added%{p0}"); - - var part272 = match("MESSAGE#171:00007:65/2_0", "nwparser.p0", " to or updated on %{p0}"); - - var part273 = match("MESSAGE#171:00007:65/2_1", "nwparser.p0", "/updated to %{p0}"); - - var select58 = linear_select([ - part272, - part273, - ]); - - var part274 = match("MESSAGE#171:00007:65/3", "nwparser.p0", "the monitoring list %{p0}"); - - var part275 = match("MESSAGE#171:00007:65/5", "nwparser.p0", "%{fld4}"); - - var all54 = all_match({ - processors: [ - dup348, - part271, - select58, - part274, - dup349, - part275, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg173 = msg("00007:65", all54); - - var part276 = match("MESSAGE#172:00007:66/0_0", "nwparser.payload", "The monitoring %{p0}"); - - var part277 = match("MESSAGE#172:00007:66/0_1", "nwparser.payload", "Monitoring %{p0}"); - - var select59 = linear_select([ - part276, - part277, - ]); - - var part278 = match("MESSAGE#172:00007:66/1", "nwparser.p0", "threshold was modified to %{trigger_val->} o%{p0}"); - - var part279 = match("MESSAGE#172:00007:66/2_0", "nwparser.p0", "f %{p0}"); - - var select60 = linear_select([ - part279, - dup115, - ]); - - var all55 = all_match({ - processors: [ - select59, - part278, - select60, - dup108, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg174 = msg("00007:66", all55); - - var part280 = match("MESSAGE#173:00007:67", "nwparser.payload", "NSRP data forwarding %{disposition}.", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - 
- var msg175 = msg("00007:67", part280); - - var part281 = match("MESSAGE#174:00007:68/0", "nwparser.payload", "NSRP b%{p0}"); - - var part282 = match("MESSAGE#174:00007:68/1_0", "nwparser.p0", "lack %{p0}"); - - var part283 = match("MESSAGE#174:00007:68/1_1", "nwparser.p0", "ack %{p0}"); - - var select61 = linear_select([ - part282, - part283, - ]); - - var part284 = match("MESSAGE#174:00007:68/2", "nwparser.p0", "hole prevention %{disposition}. Master(s) of Virtual Security Device groups %{p0}"); - - var part285 = match("MESSAGE#174:00007:68/3_0", "nwparser.p0", "may not exist %{p0}"); - - var part286 = match("MESSAGE#174:00007:68/3_1", "nwparser.p0", "always exists %{p0}"); - - var select62 = linear_select([ - part285, - part286, - ]); - - var all56 = all_match({ - processors: [ - part281, - select61, - part284, - select62, - dup116, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg176 = msg("00007:68", all56); - - var part287 = match("MESSAGE#175:00007:69", "nwparser.payload", "NSRP Run Time Object synchronization between devices was %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg177 = msg("00007:69", part287); - - var part288 = match("MESSAGE#176:00007:70", "nwparser.payload", "The NSRP encryption key was changed.%{}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg178 = msg("00007:70", part288); - - var part289 = match("MESSAGE#177:00007:71", "nwparser.payload", "NSRP transparent Active-Active mode was %{disposition}.", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg179 = msg("00007:71", part289); - - var part290 = match("MESSAGE#178:00007:72", "nwparser.payload", "NSRP: nsrp link probe enable on %{interface}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg180 = msg("00007:72", part290); - - var select63 = linear_select([ - msg109, - msg110, - msg111, - msg112, - msg113, - 
msg114, - msg115, - msg116, - msg117, - msg118, - msg119, - msg120, - msg121, - msg122, - msg123, - msg124, - msg125, - msg126, - msg127, - msg128, - msg129, - msg130, - msg131, - msg132, - msg133, - msg134, - msg135, - msg136, - msg137, - msg138, - msg139, - msg140, - msg141, - msg142, - msg143, - msg144, - msg145, - msg146, - msg147, - msg148, - msg149, - msg150, - msg151, - msg152, - msg153, - msg154, - msg155, - msg156, - msg157, - msg158, - msg159, - msg160, - msg161, - msg162, - msg163, - msg164, - msg165, - msg166, - msg167, - msg168, - msg169, - msg170, - msg171, - msg172, - msg173, - msg174, - msg175, - msg176, - msg177, - msg178, - msg179, - msg180, - ]); - - var part291 = match("MESSAGE#179:00008", "nwparser.payload", "%{signame->} has been detected! From %{saddr}:%{sport->} to %{daddr}:%{dport->} using protocol %{protocol->} on interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([ - dup58, - dup2, - dup3, - dup4, - dup59, - dup5, - dup61, - ])); - - var msg181 = msg("00008", part291); - - var msg182 = msg("00008:01", dup341); - - var part292 = match("MESSAGE#181:00008:02", "nwparser.payload", "NTP settings have been changed%{}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg183 = msg("00008:02", part292); - - var part293 = match("MESSAGE#182:00008:03", "nwparser.payload", "The system clock has been updated through NTP%{}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg184 = msg("00008:03", part293); - - var part294 = match("MESSAGE#183:00008:04/0", "nwparser.payload", "System clock %{p0}"); - - var part295 = match("MESSAGE#183:00008:04/1_0", "nwparser.p0", "configurations have been%{p0}"); - - var part296 = match("MESSAGE#183:00008:04/1_1", "nwparser.p0", "was%{p0}"); - - var part297 = match("MESSAGE#183:00008:04/1_2", "nwparser.p0", "is%{p0}"); - - var select64 = linear_select([ - part295, - part296, - part297, - ]); - - var part298 = 
match("MESSAGE#183:00008:04/2", "nwparser.p0", "%{}changed%{p0}"); - - var part299 = match("MESSAGE#183:00008:04/3_0", "nwparser.p0", " by admin %{administrator}"); - - var part300 = match("MESSAGE#183:00008:04/3_1", "nwparser.p0", " by %{username->} (%{fld1})"); - - var part301 = match("MESSAGE#183:00008:04/3_2", "nwparser.p0", " by %{username}"); - - var part302 = match("MESSAGE#183:00008:04/3_3", "nwparser.p0", " manually.%{}"); - - var part303 = match("MESSAGE#183:00008:04/3_4", "nwparser.p0", " manually%{}"); - - var select65 = linear_select([ - part299, - part300, - part301, - part302, - part303, - dup21, - ]); - - var all57 = all_match({ - processors: [ - part294, - select64, - part298, - select65, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - dup9, - ]), - }); - - var msg185 = msg("00008:04", all57); - - var part304 = match("MESSAGE#184:00008:05", "nwparser.payload", "failed to get clock through NTP%{}", processor_chain([ - dup117, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg186 = msg("00008:05", part304); - - var part305 = match("MESSAGE#185:00008:06", "nwparser.payload", "%{signame->} has been detected! From %{saddr}:%{sport->} to %{daddr}:%{dport}, using protocol %{protocol}, and arriving at interface %{dinterface->} in zone %{dst_zone}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([ - dup58, - dup2, - dup3, - dup4, - dup5, - dup59, - dup61, - ])); - - var msg187 = msg("00008:06", part305); - - var part306 = match("MESSAGE#186:00008:07", "nwparser.payload", "%{signame->} has been detected! 
From %{saddr->} to %{daddr}, using protocol %{protocol}, and arriving at interface %{dinterface->} in zone %{dst_zone}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([ - dup58, - dup2, - dup3, - dup4, - dup5, - dup59, - dup60, - ])); - - var msg188 = msg("00008:07", part306); - - var part307 = match("MESSAGE#187:00008:08", "nwparser.payload", "%{signame->} From %{saddr->} to %{daddr}, using protocol %{protocol}, on zone %{zone->} interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times.", processor_chain([ - dup58, - dup2, - dup3, - dup4, - dup5, - dup59, - dup60, - ])); - - var msg189 = msg("00008:08", part307); - - var part308 = match("MESSAGE#188:00008:09", "nwparser.payload", "system clock is changed manually%{}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg190 = msg("00008:09", part308); - - var part309 = match("MESSAGE#189:00008:10/0", "nwparser.payload", "%{signame->} From %{saddr->} to %{daddr}, proto %{protocol}(zone %{p0}"); - - var all58 = all_match({ - processors: [ - part309, - dup338, - dup67, - ], - on_success: processor_chain([ - dup58, - dup2, - dup59, - dup3, - dup4, - dup5, - dup9, - dup60, - ]), - }); - - var msg191 = msg("00008:10", all58); - - var select66 = linear_select([ - msg181, - msg182, - msg183, - msg184, - msg185, - msg186, - msg187, - msg188, - msg189, - msg190, - msg191, - ]); - - var part310 = match("MESSAGE#190:00009", "nwparser.payload", "802.1Q VLAN trunking for the interface %{interface->} has been %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg192 = msg("00009", part310); - - var part311 = match("MESSAGE#191:00009:01", "nwparser.payload", "802.1Q VLAN tag %{fld1->} has been %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg193 = msg("00009:01", part311); - - var part312 = match("MESSAGE#192:00009:02", "nwparser.payload", "DHCP on the interface %{interface->} has 
been %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg194 = msg("00009:02", part312); - - var part313 = match("MESSAGE#193:00009:03", "nwparser.payload", "%{change_attribute->} for interface %{interface->} has been changed from %{change_old->} to %{change_new}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg195 = msg("00009:03", part313); - - var part314 = match("MESSAGE#194:00009:05", "nwparser.payload", "%{signame->} has been detected! From %{saddr}:%{sport->} to %{daddr}:%{dport->} using protocol %{protocol->} on interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([ - dup58, - dup2, - dup3, - dup59, - dup4, - dup5, - dup61, - ])); - - var msg196 = msg("00009:05", part314); - - var part315 = match("MESSAGE#195:00009:06/0_0", "nwparser.payload", "%{fld2}: The 802.1Q tag %{p0}"); - - var part316 = match("MESSAGE#195:00009:06/0_1", "nwparser.payload", "The 802.1Q tag %{p0}"); - - var select67 = linear_select([ - part315, - part316, - ]); - - var select68 = linear_select([ - dup119, - dup16, - ]); - - var part317 = match("MESSAGE#195:00009:06/3", "nwparser.p0", "interface %{interface->} has been %{p0}"); - - var part318 = match("MESSAGE#195:00009:06/4_1", "nwparser.p0", "changed to %{p0}"); - - var select69 = linear_select([ - dup120, - part318, - ]); - - var part319 = match("MESSAGE#195:00009:06/6_0", "nwparser.p0", "%{info->} from host %{saddr}"); - - var part320 = match_copy("MESSAGE#195:00009:06/6_1", "nwparser.p0", "info"); - - var select70 = linear_select([ - part319, - part320, - ]); - - var all59 = all_match({ - processors: [ - select67, - dup118, - select68, - part317, - select69, - dup23, - select70, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg197 = msg("00009:06", all59); - - var part321 = match("MESSAGE#196:00009:07/0", "nwparser.payload", "Maximum bandwidth %{fld2->} on %{p0}"); - - 
var part322 = match("MESSAGE#196:00009:07/2", "nwparser.p0", "%{} %{interface->} is less than t%{p0}"); - - var part323 = match("MESSAGE#196:00009:07/3_0", "nwparser.p0", "he total %{p0}"); - - var part324 = match("MESSAGE#196:00009:07/3_1", "nwparser.p0", "otal %{p0}"); - - var select71 = linear_select([ - part323, - part324, - ]); - - var part325 = match("MESSAGE#196:00009:07/4", "nwparser.p0", "guaranteed bandwidth %{fld3}"); - - var all60 = all_match({ - processors: [ - part321, - dup337, - part322, - select71, - part325, - ], - on_success: processor_chain([ - dup121, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg198 = msg("00009:07", all60); - - var part326 = match("MESSAGE#197:00009:09", "nwparser.payload", "The configured bandwidth setting on the interface %{interface->} has been changed to %{fld2}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg199 = msg("00009:09", part326); - - var part327 = match("MESSAGE#198:00009:10/0", "nwparser.payload", "The operational mode for the interface %{interface->} has been changed to %{p0}"); - - var part328 = match("MESSAGE#198:00009:10/1_0", "nwparser.p0", "Route%{}"); - - var part329 = match("MESSAGE#198:00009:10/1_1", "nwparser.p0", "NAT%{}"); - - var select72 = linear_select([ - part328, - part329, - ]); - - var all61 = all_match({ - processors: [ - part327, - select72, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg200 = msg("00009:10", all61); - - var part330 = match("MESSAGE#199:00009:11/0_0", "nwparser.payload", "%{fld1}: VLAN %{p0}"); - - var part331 = match("MESSAGE#199:00009:11/0_1", "nwparser.payload", "VLAN %{p0}"); - - var select73 = linear_select([ - part330, - part331, - ]); - - var part332 = match("MESSAGE#199:00009:11/1", "nwparser.p0", "tag %{fld2->} has been %{disposition}"); - - var all62 = all_match({ - processors: [ - select73, - part332, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - 
dup5, - ]), - }); - - var msg201 = msg("00009:11", all62); - - var part333 = match("MESSAGE#200:00009:12", "nwparser.payload", "DHCP client has been %{disposition->} on interface %{interface}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg202 = msg("00009:12", part333); - - var part334 = match("MESSAGE#201:00009:13", "nwparser.payload", "DHCP relay agent settings on %{interface->} have been %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg203 = msg("00009:13", part334); - - var part335 = match("MESSAGE#202:00009:14/0_0", "nwparser.payload", "Global-PRO has been %{p0}"); - - var part336 = match("MESSAGE#202:00009:14/0_1", "nwparser.payload", "Global PRO has been %{p0}"); - - var part337 = match("MESSAGE#202:00009:14/0_2", "nwparser.payload", "DNS proxy was %{p0}"); - - var select74 = linear_select([ - part335, - part336, - part337, - ]); - - var part338 = match("MESSAGE#202:00009:14/1", "nwparser.p0", "%{disposition->} on %{p0}"); - - var select75 = linear_select([ - dup122, - dup123, - ]); - - var part339 = match("MESSAGE#202:00009:14/4_0", "nwparser.p0", "%{interface->} (%{fld2})"); - - var select76 = linear_select([ - part339, - dup124, - ]); - - var all63 = all_match({ - processors: [ - select74, - part338, - select75, - dup23, - select76, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg204 = msg("00009:14", all63); - - var part340 = match("MESSAGE#203:00009:15/0", "nwparser.payload", "Route between secondary IP%{p0}"); - - var part341 = match("MESSAGE#203:00009:15/1_0", "nwparser.p0", " addresses %{p0}"); - - var select77 = linear_select([ - part341, - dup125, - ]); - - var all64 = all_match({ - processors: [ - part340, - select77, - dup126, - dup350, - dup128, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg205 = msg("00009:15", all64); - - var part342 = 
match("MESSAGE#204:00009:16/0", "nwparser.payload", "Secondary IP address %{hostip}/%{mask->} %{p0}"); - - var part343 = match("MESSAGE#204:00009:16/3_2", "nwparser.p0", "deleted from %{p0}"); - - var select78 = linear_select([ - dup129, - dup130, - part343, - ]); - - var part344 = match("MESSAGE#204:00009:16/4", "nwparser.p0", "interface %{interface}."); - - var all65 = all_match({ - processors: [ - part342, - dup350, - dup23, - select78, - part344, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg206 = msg("00009:16", all65); - - var part345 = match("MESSAGE#205:00009:17/0", "nwparser.payload", "Secondary IP address %{p0}"); - - var part346 = match("MESSAGE#205:00009:17/1_0", "nwparser.p0", "%{hostip}/%{mask->} was added to interface %{p0}"); - - var part347 = match("MESSAGE#205:00009:17/1_1", "nwparser.p0", "%{hostip->} was added to interface %{p0}"); - - var select79 = linear_select([ - part346, - part347, - ]); - - var part348 = match("MESSAGE#205:00009:17/2", "nwparser.p0", "%{interface}."); - - var all66 = all_match({ - processors: [ - part345, - select79, - part348, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg207 = msg("00009:17", all66); - - var part349 = match("MESSAGE#206:00009:18", "nwparser.payload", "The configured bandwidth on the interface %{interface->} has been changed to %{fld2}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg208 = msg("00009:18", part349); - - var part350 = match("MESSAGE#207:00009:19", "nwparser.payload", "interface %{interface->} with IP %{hostip->} %{fld2->} has been %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg209 = msg("00009:19", part350); - - var part351 = match("MESSAGE#208:00009:27", "nwparser.payload", "interface %{interface->} has been %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg210 = 
msg("00009:27", part351); - - var part352 = match("MESSAGE#209:00009:20/0_0", "nwparser.payload", "%{fld2}: %{service->} has been %{p0}"); - - var part353 = match("MESSAGE#209:00009:20/0_1", "nwparser.payload", "%{service->} has been %{p0}"); - - var select80 = linear_select([ - part352, - part353, - ]); - - var part354 = match("MESSAGE#209:00009:20/1", "nwparser.p0", "%{disposition->} on interface %{interface->} %{p0}"); - - var part355 = match("MESSAGE#209:00009:20/2_0", "nwparser.p0", "by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport}"); - - var part356 = match("MESSAGE#209:00009:20/2_1", "nwparser.p0", "by %{username->} via %{logon_type->} from host %{saddr}:%{sport}"); - - var part357 = match("MESSAGE#209:00009:20/2_2", "nwparser.p0", "by %{username->} via %{logon_type->} from host %{saddr}"); - - var part358 = match("MESSAGE#209:00009:20/2_3", "nwparser.p0", "from host %{saddr->} (%{fld1})"); - - var select81 = linear_select([ - part355, - part356, - part357, - part358, - ]); - - var all67 = all_match({ - processors: [ - select80, - part354, - select81, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg211 = msg("00009:20", all67); - - var part359 = match("MESSAGE#210:00009:21/0", "nwparser.payload", "Source Route IP option! 
From %{saddr->} to %{daddr}, proto %{protocol->} (zone %{zone->} %{p0}"); - - var all68 = all_match({ - processors: [ - part359, - dup343, - dup131, - ], - on_success: processor_chain([ - dup58, - dup2, - dup59, - dup3, - dup4, - dup5, - dup9, - dup60, - ]), - }); - - var msg212 = msg("00009:21", all68); - - var part360 = match("MESSAGE#211:00009:22", "nwparser.payload", "MTU for interface %{interface->} has been changed to %{fld2->} (%{fld1})", processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg213 = msg("00009:22", part360); - - var part361 = match("MESSAGE#212:00009:23", "nwparser.payload", "Secondary IP address %{hostip->} has been added to interface %{interface->} (%{fld1})", processor_chain([ - dup44, - dup2, - dup9, - dup3, - dup4, - dup5, - ])); - - var msg214 = msg("00009:23", part361); - - var part362 = match("MESSAGE#213:00009:24/0", "nwparser.payload", "Web has been enabled on interface %{interface->} by admin %{administrator->} via %{p0}"); - - var part363 = match("MESSAGE#213:00009:24/1_0", "nwparser.p0", "%{logon_type->} %{space}(%{p0}"); - - var part364 = match("MESSAGE#213:00009:24/1_1", "nwparser.p0", "%{logon_type}. (%{p0}"); - - var select82 = linear_select([ - part363, - part364, - ]); - - var part365 = match("MESSAGE#213:00009:24/2", "nwparser.p0", ")%{fld1}"); - - var all69 = all_match({ - processors: [ - part362, - select82, - part365, - ], - on_success: processor_chain([ - dup1, - dup2, - dup9, - dup3, - dup4, - dup5, - ]), - }); - - var msg215 = msg("00009:24", all69); - - var part366 = match("MESSAGE#214:00009:25", "nwparser.payload", "Web has been enabled on interface %{interface->} by %{username->} via %{logon_type}. 
(%{fld1})", processor_chain([ - dup1, - dup2, - dup9, - dup3, - dup4, - dup5, - ])); - - var msg216 = msg("00009:25", part366); - - var part367 = match("MESSAGE#215:00009:26/0", "nwparser.payload", "%{protocol->} has been %{disposition->} on interface %{interface->} by %{username->} via NSRP Peer . %{p0}"); - - var all70 = all_match({ - processors: [ - part367, - dup333, - ], - on_success: processor_chain([ - dup1, - dup2, - dup9, - dup3, - dup4, - dup5, - ]), - }); - - var msg217 = msg("00009:26", all70); - - var select83 = linear_select([ - msg192, - msg193, - msg194, - msg195, - msg196, - msg197, - msg198, - msg199, - msg200, - msg201, - msg202, - msg203, - msg204, - msg205, - msg206, - msg207, - msg208, - msg209, - msg210, - msg211, - msg212, - msg213, - msg214, - msg215, - msg216, - msg217, - ]); - - var part368 = match("MESSAGE#216:00010/0", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to %{daddr}:%{dport->} %{p0}"); - - var part369 = match("MESSAGE#216:00010/1_0", "nwparser.p0", "using protocol %{p0}"); - - var part370 = match("MESSAGE#216:00010/1_1", "nwparser.p0", "proto %{p0}"); - - var select84 = linear_select([ - part369, - part370, - ]); - - var part371 = match("MESSAGE#216:00010/2", "nwparser.p0", "%{protocol->} %{p0}"); - - var part372 = match("MESSAGE#216:00010/3_0", "nwparser.p0", "( zone %{zone}, int %{interface}) %{p0}"); - - var part373 = match("MESSAGE#216:00010/3_1", "nwparser.p0", "zone %{zone->} int %{interface}) %{p0}"); - - var select85 = linear_select([ - part372, - part373, - dup126, - ]); - - var part374 = match("MESSAGE#216:00010/4", "nwparser.p0", ".%{space}The attack occurred %{dclass_counter1->} times%{p0}"); - - var all71 = all_match({ - processors: [ - part368, - select84, - part371, - select85, - part374, - dup351, - ], - on_success: processor_chain([ - dup58, - dup2, - dup4, - dup59, - dup5, - dup9, - dup3, - dup61, - ]), - }); - - var msg218 = msg("00010", all71); - - var part375 = match("MESSAGE#217:00010:01", 
"nwparser.payload", "MIP %{hostip}/%{fld2->} has been %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg219 = msg("00010:01", part375); - - var part376 = match("MESSAGE#218:00010:02", "nwparser.payload", "Mapped IP %{hostip->} %{fld2->} has been %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg220 = msg("00010:02", part376); - - var all72 = all_match({ - processors: [ - dup132, - dup343, - dup83, - ], - on_success: processor_chain([ - dup58, - dup2, - dup59, - dup4, - dup5, - dup9, - dup3, - dup60, - ]), - }); - - var msg221 = msg("00010:03", all72); - - var select86 = linear_select([ - msg218, - msg219, - msg220, - msg221, - ]); - - var part377 = match("MESSAGE#220:00011", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to %{daddr}:%{dport->} using protocol %{protocol->} on interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([ - dup58, - dup2, - dup3, - dup59, - dup4, - dup5, - dup61, - ])); - - var msg222 = msg("00011", part377); - - var part378 = match("MESSAGE#221:00011:01/0", "nwparser.payload", "Route to %{daddr}/%{fld2->} [ %{p0}"); - - var select87 = linear_select([ - dup57, - dup56, - ]); - - var part379 = match("MESSAGE#221:00011:01/2", "nwparser.p0", "%{} %{interface->} gateway %{fld3->} ] has been %{disposition}"); - - var all73 = all_match({ - processors: [ - part378, - select87, - part379, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg223 = msg("00011:01", all73); - - var part380 = match("MESSAGE#222:00011:02", "nwparser.payload", "%{signame->} from %{saddr->} to %{daddr->} protocol %{protocol->} (%{fld2})", processor_chain([ - dup58, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg224 = msg("00011:02", part380); - - var part381 = match("MESSAGE#223:00011:03/0", "nwparser.payload", "An %{p0}"); - - var part382 = match("MESSAGE#223:00011:03/1_0", 
"nwparser.p0", "import %{p0}"); - - var part383 = match("MESSAGE#223:00011:03/1_1", "nwparser.p0", "export %{p0}"); - - var select88 = linear_select([ - part382, - part383, - ]); - - var part384 = match("MESSAGE#223:00011:03/2", "nwparser.p0", "rule in virtual router %{node->} to virtual router %{fld4->} with %{p0}"); - - var part385 = match("MESSAGE#223:00011:03/3_0", "nwparser.p0", "route-map %{fld3->} and protocol %{protocol->} has been %{p0}"); - - var part386 = match("MESSAGE#223:00011:03/3_1", "nwparser.p0", "IP-prefix %{hostip}/%{interface->} has been %{p0}"); - - var select89 = linear_select([ - part385, - part386, - ]); - - var all74 = all_match({ - processors: [ - part381, - select88, - part384, - select89, - dup36, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg225 = msg("00011:03", all74); - - var part387 = match("MESSAGE#224:00011:04/0", "nwparser.payload", "A route in virtual router %{node->} that has IP address %{hostip}/%{fld2->} through %{p0}"); - - var part388 = match("MESSAGE#224:00011:04/2", "nwparser.p0", "%{interface->} and gateway %{fld3->} with metric %{fld4->} has been %{disposition}"); - - var all75 = all_match({ - processors: [ - part387, - dup352, - part388, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg226 = msg("00011:04", all75); - - var part389 = match("MESSAGE#225:00011:05/1_0", "nwparser.p0", "sharable virtual router using name%{p0}"); - - var part390 = match("MESSAGE#225:00011:05/1_1", "nwparser.p0", "virtual router with name%{p0}"); - - var select90 = linear_select([ - part389, - part390, - ]); - - var part391 = match("MESSAGE#225:00011:05/2", "nwparser.p0", "%{} %{node->} and id %{fld2->} has been %{disposition}"); - - var all76 = all_match({ - processors: [ - dup79, - select90, - part391, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg227 = msg("00011:05", all76); - - 
var part392 = match("MESSAGE#226:00011:07", "nwparser.payload", "%{signame->} From %{saddr->} to %{daddr->} using protocol %{protocol->} on interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([ - dup58, - dup2, - dup4, - dup5, - dup59, - dup3, - dup60, - ])); - - var msg228 = msg("00011:07", part392); - - var part393 = match("MESSAGE#227:00011:08", "nwparser.payload", "Route(s) in virtual router %{node->} with an IP address %{hostip->} and gateway %{fld2->} has been %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg229 = msg("00011:08", part393); - - var part394 = match("MESSAGE#228:00011:09", "nwparser.payload", "The auto-route-export feature in virtual router %{node->} has been %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg230 = msg("00011:09", part394); - - var part395 = match("MESSAGE#229:00011:10", "nwparser.payload", "The maximum number of routes that can be created in virtual router %{node->} is %{fld2}", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg231 = msg("00011:10", part395); - - var part396 = match("MESSAGE#230:00011:11", "nwparser.payload", "The maximum routes limit in virtual router %{node->} has been %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg232 = msg("00011:11", part396); - - var part397 = match("MESSAGE#231:00011:12", "nwparser.payload", "The router-id of virtual router %{node->} used by OSPF BGP routing instances id has been uninitialized", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg233 = msg("00011:12", part397); - - var part398 = match("MESSAGE#232:00011:13", "nwparser.payload", "The router-id that can be used by OSPF BGP routing instances in virtual router %{node->} has been set to %{fld2}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg234 = msg("00011:13", part398); 
- - var part399 = match("MESSAGE#233:00011:14/0", "nwparser.payload", "The routing preference for protocol %{protocol->} in virtual router %{node->} has been %{p0}"); - - var part400 = match("MESSAGE#233:00011:14/1_1", "nwparser.p0", "reset%{}"); - - var select91 = linear_select([ - dup134, - part400, - ]); - - var all77 = all_match({ - processors: [ - part399, - select91, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg235 = msg("00011:14", all77); - - var part401 = match("MESSAGE#234:00011:15", "nwparser.payload", "The system default-route in virtual router %{node->} has been %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg236 = msg("00011:15", part401); - - var part402 = match("MESSAGE#235:00011:16", "nwparser.payload", "The system default-route through virtual router %{node->} has been added in virtual router %{fld2}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg237 = msg("00011:16", part402); - - var part403 = match("MESSAGE#236:00011:17/0", "nwparser.payload", "The virtual router %{node->} has been made %{p0}"); - - var part404 = match("MESSAGE#236:00011:17/1_0", "nwparser.p0", "sharable%{}"); - - var part405 = match("MESSAGE#236:00011:17/1_1", "nwparser.p0", "unsharable%{}"); - - var part406 = match("MESSAGE#236:00011:17/1_2", "nwparser.p0", "default virtual router for virtual system %{fld2}"); - - var select92 = linear_select([ - part404, - part405, - part406, - ]); - - var all78 = all_match({ - processors: [ - part403, - select92, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg238 = msg("00011:17", all78); - - var part407 = match("MESSAGE#237:00011:18/0_0", "nwparser.payload", "Source route(s) %{p0}"); - - var part408 = match("MESSAGE#237:00011:18/0_1", "nwparser.payload", "A source route %{p0}"); - - var select93 = linear_select([ - part407, - part408, - ]); - - var part409 = 
match("MESSAGE#237:00011:18/1", "nwparser.p0", "in virtual router %{node->} %{p0}"); - - var part410 = match("MESSAGE#237:00011:18/2_0", "nwparser.p0", "with route addresses of %{p0}"); - - var part411 = match("MESSAGE#237:00011:18/2_1", "nwparser.p0", "that has IP address %{p0}"); - - var select94 = linear_select([ - part410, - part411, - ]); - - var part412 = match("MESSAGE#237:00011:18/3", "nwparser.p0", "%{hostip}/%{fld2->} through interface %{interface->} and %{p0}"); - - var part413 = match("MESSAGE#237:00011:18/4_0", "nwparser.p0", "a default gateway address %{p0}"); - - var select95 = linear_select([ - part413, - dup135, - ]); - - var part414 = match("MESSAGE#237:00011:18/5", "nwparser.p0", "%{fld3->} with metric %{fld4->} %{p0}"); - - var all79 = all_match({ - processors: [ - select93, - part409, - select94, - part412, - select95, - part414, - dup350, - dup128, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg239 = msg("00011:18", all79); - - var part415 = match("MESSAGE#238:00011:19/0", "nwparser.payload", "Source Route(s) in virtual router %{node->} with %{p0}"); - - var part416 = match("MESSAGE#238:00011:19/1_0", "nwparser.p0", "route addresses of %{p0}"); - - var part417 = match("MESSAGE#238:00011:19/1_1", "nwparser.p0", "an IP address %{p0}"); - - var select96 = linear_select([ - part416, - part417, - ]); - - var part418 = match("MESSAGE#238:00011:19/2", "nwparser.p0", "%{hostip}/%{fld3->} and %{p0}"); - - var part419 = match("MESSAGE#238:00011:19/3_0", "nwparser.p0", "a default gateway address of %{p0}"); - - var select97 = linear_select([ - part419, - dup135, - ]); - - var part420 = match("MESSAGE#238:00011:19/4", "nwparser.p0", "%{fld4->} %{p0}"); - - var part421 = match("MESSAGE#238:00011:19/5_1", "nwparser.p0", "has been%{p0}"); - - var select98 = linear_select([ - dup107, - part421, - ]); - - var all80 = all_match({ - processors: [ - part415, - select96, - part418, - select97, - part420, - 
select98, - dup136, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg240 = msg("00011:19", all80); - - var part422 = match("MESSAGE#239:00011:20/0_0", "nwparser.payload", "%{fld2}: A %{p0}"); - - var select99 = linear_select([ - part422, - dup79, - ]); - - var part423 = match("MESSAGE#239:00011:20/1", "nwparser.p0", "route has been created in virtual router \"%{node}\"%{space}with an IP address %{hostip->} and next-hop as virtual router \"%{fld3}\""); - - var all81 = all_match({ - processors: [ - select99, - part423, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg241 = msg("00011:20", all81); - - var part424 = match("MESSAGE#240:00011:21", "nwparser.payload", "SIBR route(s) in virtual router %{node->} for interface %{interface->} with an IP address %{hostip->} and gateway %{fld2->} has been %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg242 = msg("00011:21", part424); - - var part425 = match("MESSAGE#241:00011:22", "nwparser.payload", "SIBR route in virtual router %{node->} for interface %{interface->} that has IP address %{hostip->} through interface %{fld3->} and gateway %{fld4->} with metric %{fld5->} was %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg243 = msg("00011:22", part425); - - var all82 = all_match({ - processors: [ - dup132, - dup343, - dup131, - ], - on_success: processor_chain([ - dup58, - dup2, - dup59, - dup9, - dup3, - dup4, - dup5, - call({ - dest: "nwparser.inout", - fn: DIRCHK, - args: [ - field("$IN"), - field("saddr"), - field("daddr"), - ], - }), - ]), - }); - - var msg244 = msg("00011:23", all82); - - var part426 = match("MESSAGE#243:00011:24", "nwparser.payload", "Route in virtual router \"%{node}\" that has IP address %{hostip->} through interface %{interface->} and gateway %{fld2->} with metric %{fld3->} %{disposition}. 
(%{fld1})", processor_chain([ - dup44, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg245 = msg("00011:24", part426); - - var part427 = match("MESSAGE#244:00011:25", "nwparser.payload", "Route(s) in virtual router \"%{node}\" with an IP address %{hostip}/%{fld2->} and gateway %{fld3->} %{disposition}. (%{fld1})", processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg246 = msg("00011:25", part427); - - var part428 = match("MESSAGE#245:00011:26", "nwparser.payload", "Route in virtual router \"%{node}\" with IP address %{hostip}/%{fld2->} and next-hop as virtual router \"%{fld3}\" created. (%{fld1})", processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg247 = msg("00011:26", part428); - - var select100 = linear_select([ - msg222, - msg223, - msg224, - msg225, - msg226, - msg227, - msg228, - msg229, - msg230, - msg231, - msg232, - msg233, - msg234, - msg235, - msg236, - msg237, - msg238, - msg239, - msg240, - msg241, - msg242, - msg243, - msg244, - msg245, - msg246, - msg247, - ]); - - var part429 = match("MESSAGE#246:00012:02", "nwparser.payload", "Service group %{group->} comments have been %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg248 = msg("00012:02", part429); - - var part430 = match("MESSAGE#247:00012:03", "nwparser.payload", "Service group %{change_old->} %{change_attribute->} has been changed to %{change_new}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg249 = msg("00012:03", part430); - - var part431 = match("MESSAGE#248:00012:04", "nwparser.payload", "%{fld2->} Service group %{group->} has %{disposition->} member %{username->} from host %{saddr}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg250 = msg("00012:04", part431); - - var part432 = match("MESSAGE#249:00012:05", "nwparser.payload", "%{signame->} from %{saddr}/%{sport->} to %{daddr}/%{dport->} protocol %{protocol->} 
(%{fld2}) (%{fld3})", processor_chain([ - dup58, - dup2, - dup3, - dup4, - dup5, - dup61, - ])); - - var msg251 = msg("00012:05", part432); - - var part433 = match("MESSAGE#250:00012:06", "nwparser.payload", "%{signame->} has been detected! From %{saddr}:%{sport->} to %{daddr}:%{dport->} using protocol %{protocol->} on interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([ - dup58, - dup2, - dup3, - dup4, - dup5, - dup59, - dup61, - ])); - - var msg252 = msg("00012:06", part433); - - var part434 = match("MESSAGE#251:00012:07", "nwparser.payload", "%{signame->} has been detected! From %{saddr}:%{sport->} to %{daddr}:%{dport}, using protocol %{protocol}, and arriving at interface %{dinterface->} in zone %{dst_zone}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([ - dup58, - dup2, - dup3, - dup4, - dup5, - dup61, - dup59, - ])); - - var msg253 = msg("00012:07", part434); - - var part435 = match("MESSAGE#252:00012:08", "nwparser.payload", "%{fld2}: Service %{service->} has been %{disposition->} from host %{saddr->} (%{fld1})", processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg254 = msg("00012:08", part435); - - var all83 = all_match({ - processors: [ - dup80, - dup343, - dup83, - ], - on_success: processor_chain([ - dup58, - dup2, - dup59, - dup9, - dup3, - dup4, - dup5, - dup61, - ]), - }); - - var msg255 = msg("00012:09", all83); - - var all84 = all_match({ - processors: [ - dup132, - dup343, - dup83, - ], - on_success: processor_chain([ - dup58, - dup2, - dup9, - dup59, - dup3, - dup4, - dup5, - dup60, - ]), - }); - - var msg256 = msg("00012:10", all84); - - var part436 = match("MESSAGE#255:00012:11", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to %{daddr}:%{dport}, using protocol %{protocol}, on zone %{zone->} interface %{interface}.The attack occurred %{dclass_counter1->} times. 
(%{fld1})", processor_chain([ - dup58, - dup2, - dup3, - dup4, - dup59, - dup5, - dup9, - dup61, - ])); - - var msg257 = msg("00012:11", part436); - - var part437 = match("MESSAGE#256:00012:12", "nwparser.payload", "%{signame->} from %{saddr}/%{sport->} to %{daddr}/%{dport->} protocol %{protocol->} (%{zone}) %{info->} (%{fld1})", processor_chain([ - dup58, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg258 = msg("00012:12", part437); - - var part438 = match("MESSAGE#257:00012", "nwparser.payload", "Service group %{group->} has been %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg259 = msg("00012", part438); - - var part439 = match("MESSAGE#258:00012:01", "nwparser.payload", "Service %{service->} has been %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg260 = msg("00012:01", part439); - - var select101 = linear_select([ - msg248, - msg249, - msg250, - msg251, - msg252, - msg253, - msg254, - msg255, - msg256, - msg257, - msg258, - msg259, - msg260, - ]); - - var part440 = match("MESSAGE#259:00013", "nwparser.payload", "Global Manager error in decoding bytes has been detected%{}", processor_chain([ - dup86, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg261 = msg("00013", part440); - - var part441 = match("MESSAGE#260:00013:01", "nwparser.payload", "Intruder has attempted to connect to the NetScreen-Global Manager port! 
From %{saddr}:%{sport->} to %{daddr}:%{dport->} using protocol %{protocol->} at interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([ - dup58, - dup2, - dup3, - dup59, - dup4, - dup5, - dup61, - setc("signame","An Attempt to connect to NetScreen-Global Manager Port."), - ])); - - var msg262 = msg("00013:01", part441); - - var part442 = match("MESSAGE#261:00013:02", "nwparser.payload", "URL Filtering %{fld2->} has been changed to %{fld3}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg263 = msg("00013:02", part442); - - var part443 = match("MESSAGE#262:00013:03", "nwparser.payload", "Web Filtering has been %{disposition->} (%{fld1})", processor_chain([ - dup50, - dup43, - dup51, - dup2, - dup4, - dup5, - dup9, - ])); - - var msg264 = msg("00013:03", part443); - - var select102 = linear_select([ - msg261, - msg262, - msg263, - msg264, - ]); - - var part444 = match("MESSAGE#263:00014", "nwparser.payload", "%{change_attribute->} in minutes has changed from %{change_old->} to %{change_new}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg265 = msg("00014", part444); - - var part445 = match("MESSAGE#264:00014:01/0", "nwparser.payload", "The group member %{username->} has been %{disposition->} %{p0}"); - - var part446 = match("MESSAGE#264:00014:01/1_0", "nwparser.p0", "to a group%{}"); - - var part447 = match("MESSAGE#264:00014:01/1_1", "nwparser.p0", "from a group%{}"); - - var select103 = linear_select([ - part446, - part447, - ]); - - var all85 = all_match({ - processors: [ - part445, - select103, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg266 = msg("00014:01", all85); - - var part448 = match("MESSAGE#265:00014:02", "nwparser.payload", "The user group %{group->} has been %{disposition->} by %{username}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg267 = msg("00014:02", part448); - 
- var part449 = match("MESSAGE#266:00014:03", "nwparser.payload", "The user %{username->} has been %{disposition->} by %{administrator}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg268 = msg("00014:03", part449); - - var part450 = match("MESSAGE#267:00014:04", "nwparser.payload", "Communication error with %{hostname->} server { %{hostip->} }: SrvErr (%{fld2}), SockErr (%{fld3}), Valid (%{fld4}),Connected (%{fld5})", processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg269 = msg("00014:04", part450); - - var part451 = match("MESSAGE#268:00014:05", "nwparser.payload", "System clock configurations have been %{disposition->} by admin %{administrator}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg270 = msg("00014:05", part451); - - var part452 = match("MESSAGE#269:00014:06", "nwparser.payload", "System clock is %{disposition->} manually.", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg271 = msg("00014:06", part452); - - var part453 = match("MESSAGE#270:00014:07", "nwparser.payload", "System up time is %{disposition->} by %{fld2}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg272 = msg("00014:07", part453); - - var part454 = match("MESSAGE#271:00014:08", "nwparser.payload", "Communication error with %{hostname->} server[%{hostip}]: SrvErr(%{fld2}),SockErr(%{fld3}),Valid(%{fld4}),Connected(%{fld5}) (%{fld1})", processor_chain([ - dup27, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg273 = msg("00014:08", part454); - - var select104 = linear_select([ - msg265, - msg266, - msg267, - msg268, - msg269, - msg270, - msg271, - msg272, - msg273, - ]); - - var part455 = match("MESSAGE#272:00015", "nwparser.payload", "Authentication type has been changed to %{authmethod}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg274 = msg("00015", part455); - - var part456 = match("MESSAGE#273:00015:01", 
"nwparser.payload", "IP tracking to %{daddr->} has %{disposition}", processor_chain([ - dup86, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg275 = msg("00015:01", part456); - - var part457 = match("MESSAGE#274:00015:02/0", "nwparser.payload", "LDAP %{p0}"); - - var part458 = match("MESSAGE#274:00015:02/1_0", "nwparser.p0", "server name %{p0}"); - - var part459 = match("MESSAGE#274:00015:02/1_2", "nwparser.p0", "distinguished name %{p0}"); - - var part460 = match("MESSAGE#274:00015:02/1_3", "nwparser.p0", "common name %{p0}"); - - var select105 = linear_select([ - part458, - dup137, - part459, - part460, - ]); - - var all86 = all_match({ - processors: [ - part457, - select105, - dup138, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg276 = msg("00015:02", all86); - - var part461 = match("MESSAGE#275:00015:03", "nwparser.payload", "Primary HA link has gone down. Local NetScreen device has begun using the secondary HA link%{}", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg277 = msg("00015:03", part461); - - var part462 = match("MESSAGE#276:00015:04/0", "nwparser.payload", "RADIUS server %{p0}"); - - var part463 = match("MESSAGE#276:00015:04/1_2", "nwparser.p0", "secret %{p0}"); - - var select106 = linear_select([ - dup139, - dup140, - part463, - ]); - - var all87 = all_match({ - processors: [ - part462, - select106, - dup138, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg278 = msg("00015:04", all87); - - var part464 = match("MESSAGE#277:00015:05/0", "nwparser.payload", "SecurID %{p0}"); - - var part465 = match("MESSAGE#277:00015:05/1_0", "nwparser.p0", "authentication port %{p0}"); - - var part466 = match("MESSAGE#277:00015:05/1_1", "nwparser.p0", "duress mode %{p0}"); - - var part467 = match("MESSAGE#277:00015:05/1_3", "nwparser.p0", "number of retries value %{p0}"); - - var select107 = linear_select([ - part465, - part466, - 
dup76, - part467, - ]); - - var all88 = all_match({ - processors: [ - part464, - select107, - dup138, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg279 = msg("00015:05", all88); - - var part468 = match("MESSAGE#278:00015:06/0_0", "nwparser.payload", "Master %{p0}"); - - var part469 = match("MESSAGE#278:00015:06/0_1", "nwparser.payload", "Backup %{p0}"); - - var select108 = linear_select([ - part468, - part469, - ]); - - var part470 = match("MESSAGE#278:00015:06/1", "nwparser.p0", "SecurID server IP address has been %{disposition}"); - - var all89 = all_match({ - processors: [ - select108, - part470, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg280 = msg("00015:06", all89); - - var part471 = match("MESSAGE#279:00015:07", "nwparser.payload", "HA change from slave to master%{}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg281 = msg("00015:07", part471); - - var part472 = match("MESSAGE#280:00015:08", "nwparser.payload", "inconsistent configuration between master and slave%{}", processor_chain([ - dup141, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg282 = msg("00015:08", part472); - - var part473 = match("MESSAGE#281:00015:09/0_0", "nwparser.payload", "configuration %{p0}"); - - var part474 = match("MESSAGE#281:00015:09/0_1", "nwparser.payload", "Configuration %{p0}"); - - var select109 = linear_select([ - part473, - part474, - ]); - - var part475 = match("MESSAGE#281:00015:09/1", "nwparser.p0", "out of sync between local unit and remote unit%{}"); - - var all90 = all_match({ - processors: [ - select109, - part475, - ], - on_success: processor_chain([ - dup141, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg283 = msg("00015:09", all90); - - var part476 = match("MESSAGE#282:00015:10", "nwparser.payload", "HA control channel change to %{interface}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - 
var msg284 = msg("00015:10", part476); - - var part477 = match("MESSAGE#283:00015:11", "nwparser.payload", "HA data channel change to %{interface}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg285 = msg("00015:11", part477); - - var part478 = match("MESSAGE#284:00015:12/1_0", "nwparser.p0", "control %{p0}"); - - var part479 = match("MESSAGE#284:00015:12/1_1", "nwparser.p0", "data %{p0}"); - - var select110 = linear_select([ - part478, - part479, - ]); - - var part480 = match("MESSAGE#284:00015:12/2", "nwparser.p0", "channel moved from link %{p0}"); - - var part481 = match("MESSAGE#284:00015:12/6", "nwparser.p0", "(%{interface})"); - - var all91 = all_match({ - processors: [ - dup87, - select110, - part480, - dup353, - dup103, - dup353, - part481, - ], - on_success: processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg286 = msg("00015:12", all91); - - var part482 = match("MESSAGE#285:00015:13", "nwparser.payload", "HA: Slave is down%{}", processor_chain([ - dup144, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg287 = msg("00015:13", part482); - - var part483 = match("MESSAGE#286:00015:14/0", "nwparser.payload", "NSRP link %{p0}"); - - var all92 = all_match({ - processors: [ - part483, - dup353, - dup116, - ], - on_success: processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg288 = msg("00015:14", all92); - - var part484 = match("MESSAGE#287:00015:15", "nwparser.payload", "no HA %{fld2->} channel available (%{fld3->} used by other channel)", processor_chain([ - dup117, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg289 = msg("00015:15", part484); - - var part485 = match("MESSAGE#288:00015:16", "nwparser.payload", "The NSRP configuration is out of synchronization between the local device and the peer device.%{}", processor_chain([ - dup18, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg290 = msg("00015:16", part485); - - var part486 = match("MESSAGE#289:00015:17", 
"nwparser.payload", "NSRP %{change_attribute->} %{change_old->} changed to link channel %{change_new}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg291 = msg("00015:17", part486); - - var part487 = match("MESSAGE#290:00015:18", "nwparser.payload", "RTO mirror group %{group->} with direction %{direction->} on peer device %{fld2->} changed from %{fld3->} to %{fld4->} state.", processor_chain([ - dup121, - dup2, - dup3, - dup4, - dup5, - setc("change_attribute","RTO mirror group"), - ])); - - var msg292 = msg("00015:18", part487); - - var part488 = match("MESSAGE#291:00015:19", "nwparser.payload", "RTO mirror group %{group->} with direction %{direction->} on local device %{fld2}, detected a duplicate direction on the peer device %{fld3}", processor_chain([ - dup18, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg293 = msg("00015:19", part488); - - var part489 = match("MESSAGE#292:00015:20", "nwparser.payload", "RTO mirror group %{group->} with direction %{direction->} changed on the local device from %{fld2->} to up state, it had peer device %{fld3}", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg294 = msg("00015:20", part489); - - var part490 = match("MESSAGE#293:00015:21/0", "nwparser.payload", "Peer device %{fld2->} %{p0}"); - - var part491 = match("MESSAGE#293:00015:21/1_0", "nwparser.p0", "disappeared %{p0}"); - - var part492 = match("MESSAGE#293:00015:21/1_1", "nwparser.p0", "was discovered %{p0}"); - - var select111 = linear_select([ - part491, - part492, - ]); - - var all93 = all_match({ - processors: [ - part490, - select111, - dup116, - ], - on_success: processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg295 = msg("00015:21", all93); - - var part493 = match("MESSAGE#294:00015:22/0_0", "nwparser.payload", "The local %{p0}"); - - var part494 = match("MESSAGE#294:00015:22/0_1", "nwparser.payload", "The peer %{p0}"); - - var part495 = match("MESSAGE#294:00015:22/0_2", 
"nwparser.payload", "Peer %{p0}"); - - var select112 = linear_select([ - part493, - part494, - part495, - ]); - - var part496 = match("MESSAGE#294:00015:22/1", "nwparser.p0", "device %{fld2->} in the Virtual Security Device group %{group->} changed %{change_attribute->} from %{change_old->} to %{change_new->} %{p0}"); - - var all94 = all_match({ - processors: [ - select112, - part496, - dup354, - ], - on_success: processor_chain([ - dup44, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg296 = msg("00015:22", all94); - - var part497 = match("MESSAGE#295:00015:23", "nwparser.payload", "WebAuth is set to %{fld2}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg297 = msg("00015:23", part497); - - var part498 = match("MESSAGE#296:00015:24", "nwparser.payload", "Default firewall authentication server has been changed to %{hostname}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg298 = msg("00015:24", part498); - - var part499 = match("MESSAGE#297:00015:25", "nwparser.payload", "Admin user %{administrator->} attempted to verify the encrypted password %{fld2}. Verification was successful", processor_chain([ - setc("eventcategory","1613050100"), - dup2, - dup3, - dup4, - dup5, - ])); - - var msg299 = msg("00015:25", part499); - - var part500 = match("MESSAGE#298:00015:29", "nwparser.payload", "Admin user %{administrator->} attempted to verify the encrypted password %{fld2}. 
Verification failed", processor_chain([ - dup97, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg300 = msg("00015:29", part500); - - var part501 = match("MESSAGE#299:00015:26/0", "nwparser.payload", "unit %{fld2->} just dis%{p0}"); - - var part502 = match("MESSAGE#299:00015:26/1_0", "nwparser.p0", "appeared%{}"); - - var part503 = match("MESSAGE#299:00015:26/1_1", "nwparser.p0", "covered%{}"); - - var select113 = linear_select([ - part502, - part503, - ]); - - var all95 = all_match({ - processors: [ - part501, - select113, - ], - on_success: processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg301 = msg("00015:26", all95); - - var part504 = match("MESSAGE#300:00015:33", "nwparser.payload", "NSRP: HA data channel change to %{interface}. (%{fld2})", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - dup146, - ])); - - var msg302 = msg("00015:33", part504); - - var part505 = match("MESSAGE#301:00015:27", "nwparser.payload", "NSRP: %{fld2}", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg303 = msg("00015:27", part505); - - var part506 = match("MESSAGE#302:00015:28", "nwparser.payload", "Auth server %{hostname->} RADIUS retry timeout has been set to default of %{fld2}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg304 = msg("00015:28", part506); - - var part507 = match("MESSAGE#303:00015:30/0", "nwparser.payload", "Number of RADIUS retries for auth server %{hostname->} %{p0}"); - - var part508 = match("MESSAGE#303:00015:30/2", "nwparser.p0", "set to %{fld2->} (%{fld1})"); - - var all96 = all_match({ - processors: [ - part507, - dup355, - part508, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg305 = msg("00015:30", all96); - - var part509 = match("MESSAGE#304:00015:31", "nwparser.payload", "Forced timeout for Auth server %{hostname->} is unset to its default value, %{info->} (%{fld1})", processor_chain([ - 
dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg306 = msg("00015:31", part509); - - var part510 = match("MESSAGE#305:00015:32", "nwparser.payload", "Accounting port of server RADIUS is set to %{network_port}. (%{fld1})", processor_chain([ - dup50, - dup43, - dup51, - dup2, - dup4, - dup5, - dup9, - ])); - - var msg307 = msg("00015:32", part510); - - var select114 = linear_select([ - msg274, - msg275, - msg276, - msg277, - msg278, - msg279, - msg280, - msg281, - msg282, - msg283, - msg284, - msg285, - msg286, - msg287, - msg288, - msg289, - msg290, - msg291, - msg292, - msg293, - msg294, - msg295, - msg296, - msg297, - msg298, - msg299, - msg300, - msg301, - msg302, - msg303, - msg304, - msg305, - msg306, - msg307, - ]); - - var part511 = match("MESSAGE#306:00016", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to %{daddr->} using protocol %{protocol->} on interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([ - dup147, - dup148, - dup149, - dup150, - dup2, - dup3, - dup59, - dup4, - dup5, - dup61, - ])); - - var msg308 = msg("00016", part511); - - var part512 = match("MESSAGE#307:00016:01", "nwparser.payload", "Address VIP (%{fld2}) for %{fld3->} has been %{disposition}.", processor_chain([ - dup1, - dup148, - dup149, - dup150, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg309 = msg("00016:01", part512); - - var part513 = match("MESSAGE#308:00016:02", "nwparser.payload", "VIP (%{fld2}) has been %{disposition}", processor_chain([ - dup1, - dup148, - dup149, - dup150, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg310 = msg("00016:02", part513); - - var part514 = match("MESSAGE#309:00016:03", "nwparser.payload", "%{signame->} from %{saddr}/%{sport->} to %{daddr}/%{dport->} protocol %{protocol->} (%{fld2})", processor_chain([ - dup147, - dup148, - dup149, - dup150, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg311 = msg("00016:03", part514); - - var part515 = 
match("MESSAGE#310:00016:05", "nwparser.payload", "VIP multi-port was %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg312 = msg("00016:05", part515); - - var part516 = match("MESSAGE#311:00016:06", "nwparser.payload", "%{signame->} has been detected! From %{saddr}:%{sport->} to %{daddr}:%{dport}, using protocol %{protocol}, and arriving at interface %{dinterface->} in zone %{dst_zone}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([ - dup147, - dup148, - dup149, - dup150, - dup2, - dup3, - dup59, - dup4, - dup5, - dup61, - ])); - - var msg313 = msg("00016:06", part516); - - var part517 = match("MESSAGE#312:00016:07/0", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to %{daddr}:%{dport}, proto %{protocol->} ( zone %{p0}"); - - var all97 = all_match({ - processors: [ - part517, - dup338, - dup67, - ], - on_success: processor_chain([ - dup147, - dup148, - dup149, - dup150, - dup2, - dup9, - dup59, - dup3, - dup4, - dup5, - dup61, - ]), - }); - - var msg314 = msg("00016:07", all97); - - var part518 = match("MESSAGE#313:00016:08", "nwparser.payload", "VIP (%{fld2}:%{fld3->} HTTP %{fld4}) Modify by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport->} (%{fld1})", processor_chain([ - setc("eventcategory","1001020305"), - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg315 = msg("00016:08", part518); - - var part519 = match("MESSAGE#314:00016:09", "nwparser.payload", "VIP (%{fld2}:%{fld3->} HTTP %{fld4}) New by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport->} (%{fld1})", processor_chain([ - setc("eventcategory","1001030305"), - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg316 = msg("00016:09", part519); - - var select115 = linear_select([ - msg308, - msg309, - msg310, - msg311, - msg312, - msg313, - msg314, - msg315, - msg316, - ]); - - var part520 = match("MESSAGE#315:00017", "nwparser.payload", "%{signame->} From 
%{saddr}:%{sport->} using protocol %{protocol->} on interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([ - dup151, - dup2, - dup3, - dup59, - dup4, - dup5, - ])); - - var msg317 = msg("00017", part520); - - var part521 = match("MESSAGE#316:00017:23/0", "nwparser.payload", "Gateway %{fld2->} at %{fld3->} in %{fld5->} mode with ID %{p0}"); - - var part522 = match("MESSAGE#316:00017:23/1_0", "nwparser.p0", "[%{fld4}] %{p0}"); - - var part523 = match("MESSAGE#316:00017:23/1_1", "nwparser.p0", "%{fld4->} %{p0}"); - - var select116 = linear_select([ - part522, - part523, - ]); - - var part524 = match("MESSAGE#316:00017:23/2", "nwparser.p0", "has been %{disposition->} by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport->} %{fld}"); - - var all98 = all_match({ - processors: [ - part521, - select116, - part524, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg318 = msg("00017:23", all98); - - var part525 = match("MESSAGE#317:00017:01/0_0", "nwparser.payload", "%{fld1}: Gateway %{p0}"); - - var part526 = match("MESSAGE#317:00017:01/0_1", "nwparser.payload", "Gateway %{p0}"); - - var select117 = linear_select([ - part525, - part526, - ]); - - var part527 = match("MESSAGE#317:00017:01/1", "nwparser.p0", "%{fld2->} at %{fld3->} in %{fld5->} mode with ID%{p0}"); - - var part528 = match("MESSAGE#317:00017:01/3", "nwparser.p0", "%{fld4->} has been %{disposition}"); - - var all99 = all_match({ - processors: [ - select117, - part527, - dup356, - part528, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg319 = msg("00017:01", all99); - - var part529 = match("MESSAGE#318:00017:02", "nwparser.payload", "IKE %{hostip}: Gateway settings have been %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg320 = msg("00017:02", part529); - - var part530 = match("MESSAGE#319:00017:03", 
"nwparser.payload", "IKE key %{fld2->} has been %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg321 = msg("00017:03", part530); - - var part531 = match("MESSAGE#320:00017:04/2", "nwparser.p0", "%{group_object->} with range %{fld2->} has been %{disposition}"); - - var all100 = all_match({ - processors: [ - dup153, - dup357, - part531, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg322 = msg("00017:04", all100); - - var part532 = match("MESSAGE#321:00017:05", "nwparser.payload", "IPSec NAT-T for VPN %{group->} has been %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg323 = msg("00017:05", part532); - - var part533 = match("MESSAGE#322:00017:06/0", "nwparser.payload", "The DF-BIT for VPN %{group->} has been set to %{p0}"); - - var part534 = match("MESSAGE#322:00017:06/1_0", "nwparser.p0", "clear %{p0}"); - - var part535 = match("MESSAGE#322:00017:06/1_2", "nwparser.p0", "copy %{p0}"); - - var select118 = linear_select([ - part534, - dup101, - part535, - ]); - - var all101 = all_match({ - processors: [ - part533, - select118, - dup116, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg324 = msg("00017:06", all101); - - var part536 = match("MESSAGE#323:00017:07/0", "nwparser.payload", "The DF-BIT for VPN %{group->} has been %{p0}"); - - var part537 = match("MESSAGE#323:00017:07/1_0", "nwparser.p0", "clear%{}"); - - var part538 = match("MESSAGE#323:00017:07/1_1", "nwparser.p0", "cleared%{}"); - - var part539 = match("MESSAGE#323:00017:07/1_3", "nwparser.p0", "copy%{}"); - - var part540 = match("MESSAGE#323:00017:07/1_4", "nwparser.p0", "copied%{}"); - - var select119 = linear_select([ - part537, - part538, - dup98, - part539, - part540, - ]); - - var all102 = all_match({ - processors: [ - part536, - select119, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - 
dup5, - ]), - }); - - var msg325 = msg("00017:07", all102); - - var part541 = match("MESSAGE#324:00017:08", "nwparser.payload", "VPN %{group->} with gateway %{fld2->} and SPI %{fld3}/%{fld4->} has been %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg326 = msg("00017:08", part541); - - var part542 = match("MESSAGE#325:00017:09/0_0", "nwparser.payload", "%{fld1}: VPN %{p0}"); - - var part543 = match("MESSAGE#325:00017:09/0_1", "nwparser.payload", "VPN %{p0}"); - - var select120 = linear_select([ - part542, - part543, - ]); - - var part544 = match("MESSAGE#325:00017:09/1", "nwparser.p0", "%{group->} with gateway %{fld2->} %{p0}"); - - var part545 = match("MESSAGE#325:00017:09/2_0", "nwparser.p0", "no-rekey %{p0}"); - - var part546 = match("MESSAGE#325:00017:09/2_1", "nwparser.p0", "rekey, %{p0}"); - - var part547 = match("MESSAGE#325:00017:09/2_2", "nwparser.p0", "rekey %{p0}"); - - var select121 = linear_select([ - part545, - part546, - part547, - ]); - - var part548 = match("MESSAGE#325:00017:09/3", "nwparser.p0", "and p2-proposal %{fld3->} has been %{p0}"); - - var part549 = match("MESSAGE#325:00017:09/4_0", "nwparser.p0", "%{disposition->} from peer unit"); - - var part550 = match("MESSAGE#325:00017:09/4_1", "nwparser.p0", "%{disposition->} from host %{saddr}"); - - var select122 = linear_select([ - part549, - part550, - dup36, - ]); - - var all103 = all_match({ - processors: [ - select120, - part544, - select121, - part548, - select122, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg327 = msg("00017:09", all103); - - var part551 = match("MESSAGE#326:00017:10/0", "nwparser.payload", "VPN monitoring for VPN %{group->} has been %{disposition}. 
Src IF %{sinterface->} dst IP %{daddr->} with rekeying %{p0}"); - - var all104 = all_match({ - processors: [ - part551, - dup358, - dup116, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg328 = msg("00017:10", all104); - - var part552 = match("MESSAGE#327:00017:11", "nwparser.payload", "VPN monitoring for VPN %{group->} has been %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg329 = msg("00017:11", part552); - - var part553 = match("MESSAGE#328:00017:12/0", "nwparser.payload", "VPN monitoring %{p0}"); - - var part554 = match("MESSAGE#328:00017:12/1_2", "nwparser.p0", "frequency %{p0}"); - - var select123 = linear_select([ - dup109, - dup110, - part554, - ]); - - var all105 = all_match({ - processors: [ - part553, - select123, - dup127, - dup359, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg330 = msg("00017:12", all105); - - var part555 = match("MESSAGE#329:00017:26", "nwparser.payload", "VPN %{group->} with gateway %{fld2->} and P2 proposal %{fld3->} has been added by %{username->} via %{logon_type->} from host %{saddr}:%{sport}. (%{fld1})", processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg331 = msg("00017:26", part555); - - var part556 = match("MESSAGE#330:00017:13", "nwparser.payload", "No IP pool has been assigned. You cannot allocate an IP address.%{}", processor_chain([ - dup18, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg332 = msg("00017:13", part556); - - var part557 = match("MESSAGE#331:00017:14", "nwparser.payload", "P1 proposal %{fld2->} with %{protocol_detail}, DH group %{group}, ESP %{encryption_type}, auth %{authmethod}, and lifetime %{fld3->} has been %{disposition->} by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport}. 
(%{fld1})", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup9, - dup5, - ])); - - var msg333 = msg("00017:14", part557); - - var part558 = match("MESSAGE#332:00017:15/0", "nwparser.payload", "P2 proposal %{fld2->} with DH group %{group->} %{p0}"); - - var part559 = match("MESSAGE#332:00017:15/2", "nwparser.p0", "%{encryption_type->} auth %{authmethod->} and lifetime (%{fld3}) (%{fld4}) has been %{disposition}."); - - var all106 = all_match({ - processors: [ - part558, - dup360, - part559, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg334 = msg("00017:15", all106); - - var part560 = match("MESSAGE#333:00017:31/0", "nwparser.payload", "P1 proposal %{fld2->} with %{protocol_detail->} DH group %{group->} %{p0}"); - - var part561 = match("MESSAGE#333:00017:31/2", "nwparser.p0", "%{encryption_type->} auth %{authmethod->} and lifetime %{fld3->} has been %{disposition}."); - - var all107 = all_match({ - processors: [ - part560, - dup360, - part561, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg335 = msg("00017:31", all107); - - var part562 = match("MESSAGE#334:00017:16/0", "nwparser.payload", "vpnmonitor interval is %{p0}"); - - var all108 = all_match({ - processors: [ - part562, - dup359, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg336 = msg("00017:16", all108); - - var part563 = match("MESSAGE#335:00017:17/0", "nwparser.payload", "vpnmonitor threshold is %{p0}"); - - var select124 = linear_select([ - dup99, - dup93, - ]); - - var all109 = all_match({ - processors: [ - part563, - select124, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg337 = msg("00017:17", all109); - - var part564 = match("MESSAGE#336:00017:18/2", "nwparser.p0", "%{group_object->} with range %{fld2->} was %{disposition}"); - - var all110 = all_match({ - processors: [ - dup153, - 
dup357, - part564, - ], - on_success: processor_chain([ - dup50, - dup43, - dup51, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg338 = msg("00017:18", all110); - - var part565 = match("MESSAGE#337:00017:19/0", "nwparser.payload", "%{signame->} From %{saddr->} to %{daddr}, using protocol %{protocol}, and arriving at %{p0}"); - - var part566 = match("MESSAGE#337:00017:19/2", "nwparser.p0", "%{} %{dinterface->} in zone %{dst_zone}.%{space}The attack occurred %{dclass_counter1->} times"); - - var all111 = all_match({ - processors: [ - part565, - dup337, - part566, - ], - on_success: processor_chain([ - dup151, - dup2, - dup3, - dup59, - dup4, - dup5, - ]), - }); - - var msg339 = msg("00017:19", all111); - - var all112 = all_match({ - processors: [ - dup64, - dup338, - dup67, - ], - on_success: processor_chain([ - dup151, - dup2, - dup9, - dup59, - dup3, - dup4, - dup5, - ]), - }); - - var msg340 = msg("00017:20", all112); - - var part567 = match("MESSAGE#339:00017:21", "nwparser.payload", "%{signame->} From %{saddr->} to %{daddr}, using protocol %{protocol}, on zone %{zone->} interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([ - dup151, - dup2, - dup3, - dup59, - dup4, - dup5, - ])); - - var msg341 = msg("00017:21", part567); - - var part568 = match("MESSAGE#340:00017:22", "nwparser.payload", "VPN %{group->} with gateway %{fld2->} and P2 proposal %{fld3->} has been %{disposition->} by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport->} (%{fld1})", processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg342 = msg("00017:22", part568); - - var part569 = match("MESSAGE#341:00017:24", "nwparser.payload", "VPN \"%{group}\" has been bound to tunnel interface %{interface}. 
(%{fld1})", processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg343 = msg("00017:24", part569); - - var part570 = match("MESSAGE#342:00017:25", "nwparser.payload", "VPN %{group->} with gateway %{fld2->} and P2 proposal standard has been added by admin %{administrator->} via NSRP Peer (%{fld1})", processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg344 = msg("00017:25", part570); - - var part571 = match("MESSAGE#343:00017:28", "nwparser.payload", "P2 proposal %{fld2->} with DH group %{group}, ESP, enc %{encryption_type}, auth %{authmethod}, and lifetime %{fld3->} has been %{disposition->} by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport}. (%{fld1})", processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg345 = msg("00017:28", part571); - - var part572 = match("MESSAGE#344:00017:29", "nwparser.payload", "L2TP \"%{fld2}\", all-L2TP-users secret \"%{fld3}\" keepalive %{fld4->} has been %{disposition->} by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport}. 
(%{fld1})", processor_chain([ - dup1, - dup2, - dup4, - dup5, - dup9, - ])); - - var msg346 = msg("00017:29", part572); - - var select125 = linear_select([ - msg317, - msg318, - msg319, - msg320, - msg321, - msg322, - msg323, - msg324, - msg325, - msg326, - msg327, - msg328, - msg329, - msg330, - msg331, - msg332, - msg333, - msg334, - msg335, - msg336, - msg337, - msg338, - msg339, - msg340, - msg341, - msg342, - msg343, - msg344, - msg345, - msg346, - ]); - - var part573 = match("MESSAGE#345:00018", "nwparser.payload", "Positions of policies %{fld2->} and %{fld3->} have been exchanged", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg347 = msg("00018", part573); - - var part574 = match("MESSAGE#346:00018:01", "nwparser.payload", "Deny Policy Alarm%{}", processor_chain([ - setc("eventcategory","1502010000"), - dup2, - dup4, - dup5, - dup3, - ])); - - var msg348 = msg("00018:01", part574); - - var part575 = match("MESSAGE#347:00018:02", "nwparser.payload", "Device%{quote}s %{change_attribute->} has been changed from %{change_old->} to %{change_new->} by admin %{administrator}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg349 = msg("00018:02", part575); - - var part576 = match("MESSAGE#348:00018:04", "nwparser.payload", "%{fld2->} Policy (%{policy_id}, %{info->} ) was %{disposition->} from host %{saddr->} by admin %{administrator->} (%{fld1})", processor_chain([ - dup17, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg350 = msg("00018:04", part576); - - var part577 = match("MESSAGE#349:00018:16", "nwparser.payload", "%{fld2->} Policy (%{policy_id}, %{info->} ) was %{disposition->} by admin %{administrator->} via NSRP Peer", processor_chain([ - dup17, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg351 = msg("00018:16", part577); - - var part578 = match("MESSAGE#350:00018:06/0", "nwparser.payload", "%{fld2->} Policy %{policy_id->} has been moved %{p0}"); - - var part579 = 
match("MESSAGE#350:00018:06/1_0", "nwparser.p0", "before %{p0}"); - - var part580 = match("MESSAGE#350:00018:06/1_1", "nwparser.p0", "after %{p0}"); - - var select126 = linear_select([ - part579, - part580, - ]); - - var part581 = match("MESSAGE#350:00018:06/2", "nwparser.p0", "%{fld3->} by admin %{administrator}"); - - var all113 = all_match({ - processors: [ - part578, - select126, - part581, - ], - on_success: processor_chain([ - dup17, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg352 = msg("00018:06", all113); - - var part582 = match("MESSAGE#351:00018:08", "nwparser.payload", "Policy %{policy_id->} application was modified to %{disposition->} by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport->} (%{fld1})", processor_chain([ - dup17, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg353 = msg("00018:08", part582); - - var part583 = match("MESSAGE#352:00018:09", "nwparser.payload", "Policy (%{policy_id}, %{info}) was %{disposition->} by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport->} (%{fld1})", processor_chain([ - dup17, - dup3, - dup2, - dup9, - dup4, - dup5, - ])); - - var msg354 = msg("00018:09", part583); - - var part584 = match("MESSAGE#353:00018:10/0", "nwparser.payload", "Policy (%{policy_id}, %{info}) was %{p0}"); - - var part585 = match("MESSAGE#353:00018:10/1_0", "nwparser.p0", "%{disposition->} from peer unit by %{p0}"); - - var part586 = match("MESSAGE#353:00018:10/1_1", "nwparser.p0", "%{disposition->} by %{p0}"); - - var select127 = linear_select([ - part585, - part586, - ]); - - var part587 = match("MESSAGE#353:00018:10/2", "nwparser.p0", "%{username->} via %{interface->} from host %{saddr->} (%{fld1})"); - - var all114 = all_match({ - processors: [ - part584, - select127, - part587, - ], - on_success: processor_chain([ - dup17, - dup3, - dup2, - dup9, - dup4, - dup5, - ]), - }); - - var msg355 = msg("00018:10", all114); - - var part588 = match("MESSAGE#354:00018:11/1_0", 
"nwparser.p0", "Service %{service->} was %{p0}"); - - var part589 = match("MESSAGE#354:00018:11/1_1", "nwparser.p0", "Attack group %{signame->} was %{p0}"); - - var select128 = linear_select([ - part588, - part589, - ]); - - var part590 = match("MESSAGE#354:00018:11/2", "nwparser.p0", "%{disposition->} to policy ID %{policy_id->} by %{username->} via %{logon_type->} from host %{saddr->} %{p0}"); - - var part591 = match("MESSAGE#354:00018:11/3_0", "nwparser.p0", "to %{daddr}:%{dport}. %{p0}"); - - var select129 = linear_select([ - part591, - dup16, - ]); - - var all115 = all_match({ - processors: [ - dup160, - select128, - part590, - select129, - dup10, - ], - on_success: processor_chain([ - dup17, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg356 = msg("00018:11", all115); - - var part592 = match("MESSAGE#355:00018:12/0", "nwparser.payload", "In policy %{policy_id}, the %{p0}"); - - var part593 = match("MESSAGE#355:00018:12/1_0", "nwparser.p0", "application %{p0}"); - - var part594 = match("MESSAGE#355:00018:12/1_1", "nwparser.p0", "attack severity %{p0}"); - - var part595 = match("MESSAGE#355:00018:12/1_2", "nwparser.p0", "DI attack component %{p0}"); - - var select130 = linear_select([ - part593, - part594, - part595, - ]); - - var part596 = match("MESSAGE#355:00018:12/2", "nwparser.p0", "was modified by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport->} (%{fld1})"); - - var all116 = all_match({ - processors: [ - part592, - select130, - part596, - ], - on_success: processor_chain([ - dup17, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg357 = msg("00018:12", all116); - - var part597 = match("MESSAGE#356:00018:32/1", "nwparser.p0", "%{}address %{dhost}(%{daddr}) was %{disposition->} %{p0}"); - - var all117 = all_match({ - processors: [ - dup361, - part597, - dup362, - dup164, - ], - on_success: processor_chain([ - dup17, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg358 = msg("00018:32", 
all117); - - var part598 = match("MESSAGE#357:00018:22/1", "nwparser.p0", "%{}address %{dhost->} was %{disposition->} %{p0}"); - - var all118 = all_match({ - processors: [ - dup361, - part598, - dup362, - dup164, - ], - on_success: processor_chain([ - dup17, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg359 = msg("00018:22", all118); - - var part599 = match("MESSAGE#358:00018:15/0", "nwparser.payload", "%{agent->} was %{disposition->} from policy %{policy_id->} %{p0}"); - - var select131 = linear_select([ - dup78, - dup77, - ]); - - var part600 = match("MESSAGE#358:00018:15/2", "nwparser.p0", "address by admin %{administrator->} via NSRP Peer"); - - var all119 = all_match({ - processors: [ - part599, - select131, - part600, - ], - on_success: processor_chain([ - dup17, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg360 = msg("00018:15", all119); - - var part601 = match("MESSAGE#359:00018:14/0", "nwparser.payload", "%{agent->} was %{disposition->} %{p0}"); - - var part602 = match("MESSAGE#359:00018:14/1_0", "nwparser.p0", "to%{p0}"); - - var part603 = match("MESSAGE#359:00018:14/1_1", "nwparser.p0", "from%{p0}"); - - var select132 = linear_select([ - part602, - part603, - ]); - - var part604 = match("MESSAGE#359:00018:14/2", "nwparser.p0", "%{}policy %{policy_id->} %{p0}"); - - var part605 = match("MESSAGE#359:00018:14/3_0", "nwparser.p0", "service %{p0}"); - - var part606 = match("MESSAGE#359:00018:14/3_1", "nwparser.p0", "source address %{p0}"); - - var part607 = match("MESSAGE#359:00018:14/3_2", "nwparser.p0", "destination address %{p0}"); - - var select133 = linear_select([ - part605, - part606, - part607, - ]); - - var part608 = match("MESSAGE#359:00018:14/4", "nwparser.p0", "by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport->} (%{fld1})"); - - var all120 = all_match({ - processors: [ - part601, - select132, - part604, - select133, - part608, - ], - on_success: processor_chain([ - dup17, - dup2, - dup3, - 
dup9, - dup4, - dup5, - ]), - }); - - var msg361 = msg("00018:14", all120); - - var part609 = match("MESSAGE#360:00018:29", "nwparser.payload", "Service %{service->} was %{disposition->} to policy ID %{policy_id->} by admin %{administrator->} via NSRP Peer . (%{fld1})", processor_chain([ - dup17, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg362 = msg("00018:29", part609); - - var part610 = match("MESSAGE#361:00018:07", "nwparser.payload", "%{agent->} was added to policy %{policy_id->} %{rule_group->} by admin %{administrator->} via NSRP Peer %{space->} (%{fld1})", processor_chain([ - dup17, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg363 = msg("00018:07", part610); - - var part611 = match("MESSAGE#362:00018:18", "nwparser.payload", "Service %{service->} was %{disposition->} to policy ID %{policy_id->} by %{username->} via %{logon_type->} to %{daddr}:%{dport->} (%{fld1})", processor_chain([ - dup17, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg364 = msg("00018:18", part611); - - var part612 = match("MESSAGE#363:00018:17", "nwparser.payload", "AntiSpam ns-profile was %{disposition->} from policy ID %{policy_id->} by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport}. 
(%{fld1})", processor_chain([ - dup17, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg365 = msg("00018:17", part612); - - var part613 = match("MESSAGE#364:00018:19", "nwparser.payload", "Source address Info %{info->} was %{disposition->} to policy ID %{policy_id->} by %{username->} via %{logon_type->} to %{daddr}:%{dport->} (%{fld1})", processor_chain([ - dup17, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg366 = msg("00018:19", part613); - - var part614 = match("MESSAGE#365:00018:23/0_0", "nwparser.payload", "Destination %{p0}"); - - var part615 = match("MESSAGE#365:00018:23/0_1", "nwparser.payload", "Source %{p0}"); - - var select134 = linear_select([ - part614, - part615, - ]); - - var part616 = match("MESSAGE#365:00018:23/1", "nwparser.p0", "address %{info->} was added to policy ID %{policy_id->} by %{username->} via %{logon_type->} %{p0}"); - - var part617 = match("MESSAGE#365:00018:23/2_0", "nwparser.p0", "from host %{p0}"); - - var select135 = linear_select([ - part617, - dup103, - ]); - - var part618 = match("MESSAGE#365:00018:23/4_0", "nwparser.p0", "%{saddr->} to %{daddr->} %{p0}"); - - var part619 = match("MESSAGE#365:00018:23/4_1", "nwparser.p0", "%{daddr->} %{p0}"); - - var select136 = linear_select([ - part618, - part619, - ]); - - var part620 = match("MESSAGE#365:00018:23/5", "nwparser.p0", "%{dport}:(%{fld1})"); - - var all121 = all_match({ - processors: [ - select134, - part616, - select135, - dup23, - select136, - part620, - ], - on_success: processor_chain([ - dup17, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg367 = msg("00018:23", all121); - - var part621 = match("MESSAGE#366:00018:21", "nwparser.payload", "Service %{service->} was deleted from policy ID %{policy_id->} by %{username->} via %{logon_type->} from host %{saddr}:%{sport}. 
(%{fld1})", processor_chain([ - dup17, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg368 = msg("00018:21", part621); - - var part622 = match("MESSAGE#367:00018:24", "nwparser.payload", "Policy (%{policyname}) was %{disposition->} by %{username->} via %{logon_type->} to %{daddr}:%{dport->} (%{fld1})", processor_chain([ - dup17, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg369 = msg("00018:24", part622); - - var part623 = match("MESSAGE#368:00018:25/1", "nwparser.p0", "%{}address %{info->} was added to policy ID %{policy_id->} by %{username->} via %{logon_type->} from host %{saddr}. (%{fld1})"); - - var all122 = all_match({ - processors: [ - dup363, - part623, - ], - on_success: processor_chain([ - dup17, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg370 = msg("00018:25", all122); - - var part624 = match("MESSAGE#369:00018:30/1", "nwparser.p0", "%{}address %{info->} was deleted from policy ID %{policy_id->} by %{username->} via %{logon_type->} from host %{saddr}. (%{fld1})"); - - var all123 = all_match({ - processors: [ - dup363, - part624, - ], - on_success: processor_chain([ - dup17, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg371 = msg("00018:30", all123); - - var part625 = match("MESSAGE#370:00018:26/0", "nwparser.payload", "In policy %{policy_id}, the application was modified to %{disposition->} by %{p0}"); - - var part626 = match("MESSAGE#370:00018:26/2_1", "nwparser.p0", "%{logon_type->} from host %{saddr}. (%{p0}"); - - var select137 = linear_select([ - dup48, - part626, - ]); - - var all124 = all_match({ - processors: [ - part625, - dup364, - select137, - dup41, - ], - on_success: processor_chain([ - dup17, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg372 = msg("00018:26", all124); - - var part627 = match("MESSAGE#371:00018:27", "nwparser.payload", "In policy %{policy_id}, the DI attack component was modified by %{username->} via %{logon_type->} from host %{saddr}:%{sport}. 
(%{fld1})", processor_chain([ - dup17, - dup2, - dup4, - dup5, - dup9, - ])); - - var msg373 = msg("00018:27", part627); - - var part628 = match("MESSAGE#372:00018:28", "nwparser.payload", "In policy %{policyname}, the DI attack component was modified by admin %{administrator->} via %{logon_type}. (%{fld1})", processor_chain([ - dup17, - dup2, - dup4, - dup5, - dup9, - setc("info","the DI attack component was modified"), - ])); - - var msg374 = msg("00018:28", part628); - - var part629 = match("MESSAGE#373:00018:03", "nwparser.payload", "Policy (%{policy_id}, %{info}) was %{disposition}", processor_chain([ - dup17, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg375 = msg("00018:03", part629); - - var part630 = match("MESSAGE#1213:00018:31", "nwparser.payload", "In policy %{policy_id}, the option %{fld2->} was %{disposition}. (%{fld1})", processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg376 = msg("00018:31", part630); - - var select138 = linear_select([ - msg347, - msg348, - msg349, - msg350, - msg351, - msg352, - msg353, - msg354, - msg355, - msg356, - msg357, - msg358, - msg359, - msg360, - msg361, - msg362, - msg363, - msg364, - msg365, - msg366, - msg367, - msg368, - msg369, - msg370, - msg371, - msg372, - msg373, - msg374, - msg375, - msg376, - ]); - - var part631 = match("MESSAGE#374:00019", "nwparser.payload", "Attempt to enable WebTrends has %{disposition->} because WebTrends settings have not yet been configured", processor_chain([ - dup18, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg377 = msg("00019", part631); - - var part632 = match("MESSAGE#375:00019:01/2", "nwparser.p0", "has %{disposition->} because syslog settings have not yet been configured"); - - var all125 = all_match({ - processors: [ - dup165, - dup365, - part632, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg378 = msg("00019:01", all125); - - var part633 = match("MESSAGE#376:00019:02/0", 
"nwparser.payload", "Socket cannot be assigned for %{p0}"); - - var part634 = match("MESSAGE#376:00019:02/1_0", "nwparser.p0", "WebTrends%{}"); - - var part635 = match("MESSAGE#376:00019:02/1_1", "nwparser.p0", "syslog%{}"); - - var select139 = linear_select([ - part634, - part635, - ]); - - var all126 = all_match({ - processors: [ - part633, - select139, - ], - on_success: processor_chain([ - dup18, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg379 = msg("00019:02", all126); - - var part636 = match("MESSAGE#377:00019:03", "nwparser.payload", "Syslog VPN encryption has been %{disposition}", processor_chain([ - dup91, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg380 = msg("00019:03", part636); - - var select140 = linear_select([ - dup169, - dup78, - ]); - - var select141 = linear_select([ - dup139, - dup170, - dup137, - dup122, - ]); - - var all127 = all_match({ - processors: [ - dup168, - select140, - dup23, - select141, - dup171, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg381 = msg("00019:04", all127); - - var part637 = match("MESSAGE#379:00019:05/0", "nwparser.payload", "Syslog message level has been changed to %{p0}"); - - var part638 = match("MESSAGE#379:00019:05/1_0", "nwparser.p0", "debug%{}"); - - var part639 = match("MESSAGE#379:00019:05/1_1", "nwparser.p0", "information%{}"); - - var part640 = match("MESSAGE#379:00019:05/1_2", "nwparser.p0", "notification%{}"); - - var part641 = match("MESSAGE#379:00019:05/1_3", "nwparser.p0", "warning%{}"); - - var part642 = match("MESSAGE#379:00019:05/1_4", "nwparser.p0", "error%{}"); - - var part643 = match("MESSAGE#379:00019:05/1_5", "nwparser.p0", "critical%{}"); - - var part644 = match("MESSAGE#379:00019:05/1_6", "nwparser.p0", "alert%{}"); - - var part645 = match("MESSAGE#379:00019:05/1_7", "nwparser.p0", "emergency%{}"); - - var select142 = linear_select([ - part638, - part639, - part640, - part641, - part642, - part643, - part644, - part645, - 
]); - - var all128 = all_match({ - processors: [ - part637, - select142, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg382 = msg("00019:05", all128); - - var part646 = match("MESSAGE#380:00019:06/2", "nwparser.p0", "has been changed to %{p0}"); - - var all129 = all_match({ - processors: [ - dup168, - dup366, - part646, - dup367, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg383 = msg("00019:06", all129); - - var part647 = match("MESSAGE#381:00019:07", "nwparser.payload", "WebTrends VPN encryption has been %{disposition}", processor_chain([ - dup91, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg384 = msg("00019:07", part647); - - var part648 = match("MESSAGE#382:00019:08", "nwparser.payload", "WebTrends has been %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg385 = msg("00019:08", part648); - - var part649 = match("MESSAGE#383:00019:09/0", "nwparser.payload", "WebTrends host %{p0}"); - - var select143 = linear_select([ - dup139, - dup170, - dup137, - ]); - - var all130 = all_match({ - processors: [ - part649, - select143, - dup171, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg386 = msg("00019:09", all130); - - var part650 = match("MESSAGE#384:00019:10/1_0", "nwparser.p0", "Traffic logging via syslog %{p0}"); - - var part651 = match("MESSAGE#384:00019:10/1_1", "nwparser.p0", "Syslog %{p0}"); - - var select144 = linear_select([ - part650, - part651, - ]); - - var all131 = all_match({ - processors: [ - dup183, - select144, - dup138, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg387 = msg("00019:10", all131); - - var part652 = match("MESSAGE#385:00019:11/2", "nwparser.p0", "has %{disposition->} because there is no syslog server defined"); - - var all132 = all_match({ - processors: [ - dup165, - dup365, - 
part652, - ], - on_success: processor_chain([ - dup18, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg388 = msg("00019:11", all132); - - var part653 = match("MESSAGE#386:00019:12", "nwparser.payload", "Removing all syslog servers%{}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg389 = msg("00019:12", part653); - - var part654 = match("MESSAGE#387:00019:13/0", "nwparser.payload", "Syslog server %{hostip->} %{p0}"); - - var select145 = linear_select([ - dup107, - dup106, - ]); - - var part655 = match("MESSAGE#387:00019:13/2", "nwparser.p0", "%{disposition}"); - - var all133 = all_match({ - processors: [ - part654, - select145, - part655, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg390 = msg("00019:13", all133); - - var part656 = match("MESSAGE#388:00019:14/2", "nwparser.p0", "for %{hostip->} has been changed to %{p0}"); - - var all134 = all_match({ - processors: [ - dup168, - dup366, - part656, - dup367, - ], - on_success: processor_chain([ - dup50, - dup43, - dup51, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg391 = msg("00019:14", all134); - - var part657 = match("MESSAGE#389:00019:15", "nwparser.payload", "Syslog cannot connect to the TCP server %{hostip}; the connection is closed.", processor_chain([ - dup27, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg392 = msg("00019:15", part657); - - var part658 = match("MESSAGE#390:00019:16", "nwparser.payload", "All syslog servers were removed.%{}", processor_chain([ - setc("eventcategory","1701030000"), - setc("ec_activity","Delete"), - dup51, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg393 = msg("00019:16", part658); - - var part659 = match("MESSAGE#391:00019:17", "nwparser.payload", "Syslog server %{hostip->} host port number has been changed to %{network_port->} %{fld5}", processor_chain([ - dup50, - dup43, - dup51, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg394 = msg("00019:17", part659); - - var 
part660 = match("MESSAGE#392:00019:18/0", "nwparser.payload", "Traffic logging %{p0}"); - - var part661 = match("MESSAGE#392:00019:18/1_0", "nwparser.p0", "via syslog %{p0}"); - - var part662 = match("MESSAGE#392:00019:18/1_1", "nwparser.p0", "for syslog server %{hostip->} %{p0}"); - - var select146 = linear_select([ - part661, - part662, - ]); - - var all135 = all_match({ - processors: [ - part660, - select146, - dup138, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg395 = msg("00019:18", all135); - - var part663 = match("MESSAGE#393:00019:19", "nwparser.payload", "Transport protocol for syslog server %{hostip->} was changed to udp", processor_chain([ - dup50, - dup43, - dup51, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg396 = msg("00019:19", part663); - - var part664 = match("MESSAGE#394:00019:20", "nwparser.payload", "The traffic/IDP syslog is enabled on backup device by netscreen via web from host %{saddr->} to %{daddr}:%{dport}. 
(%{fld1})", processor_chain([ - dup50, - dup43, - dup51, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg397 = msg("00019:20", part664); - - var select147 = linear_select([ - msg377, - msg378, - msg379, - msg380, - msg381, - msg382, - msg383, - msg384, - msg385, - msg386, - msg387, - msg388, - msg389, - msg390, - msg391, - msg392, - msg393, - msg394, - msg395, - msg396, - msg397, - ]); - - var part665 = match("MESSAGE#395:00020", "nwparser.payload", "Schedule %{fld2->} has been %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg398 = msg("00020", part665); - - var part666 = match("MESSAGE#396:00020:01/0", "nwparser.payload", "System memory is low %{p0}"); - - var part667 = match("MESSAGE#396:00020:01/1_1", "nwparser.p0", "( %{p0}"); - - var select148 = linear_select([ - dup152, - part667, - ]); - - var part668 = match("MESSAGE#396:00020:01/2", "nwparser.p0", "%{fld2->} bytes allocated out of %{p0}"); - - var part669 = match("MESSAGE#396:00020:01/3_0", "nwparser.p0", "total %{fld3->} bytes"); - - var part670 = match("MESSAGE#396:00020:01/3_1", "nwparser.p0", "%{fld4->} bytes total"); - - var select149 = linear_select([ - part669, - part670, - ]); - - var all136 = all_match({ - processors: [ - part666, - select148, - part668, - select149, - ], - on_success: processor_chain([ - dup184, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg399 = msg("00020:01", all136); - - var part671 = match("MESSAGE#397:00020:02", "nwparser.payload", "System memory is low (%{fld2->} allocated out of %{fld3->} ) %{fld4->} times in %{fld5}", processor_chain([ - dup184, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg400 = msg("00020:02", part671); - - var select150 = linear_select([ - msg398, - msg399, - msg400, - ]); - - var part672 = match("MESSAGE#398:00021", "nwparser.payload", "DIP %{fld2->} has been %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg401 = msg("00021", part672); - - var 
part673 = match("MESSAGE#399:00021:01", "nwparser.payload", "IP pool %{fld2->} with range %{info->} has been %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg402 = msg("00021:01", part673); - - var part674 = match("MESSAGE#400:00021:02", "nwparser.payload", "DNS server is not configured%{}", processor_chain([ - dup18, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg403 = msg("00021:02", part674); - - var part675 = match("MESSAGE#401:00021:03", "nwparser.payload", "Connection refused by the DNS server%{}", processor_chain([ - dup185, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg404 = msg("00021:03", part675); - - var part676 = match("MESSAGE#402:00021:04", "nwparser.payload", "Unknown DNS error%{}", processor_chain([ - dup117, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg405 = msg("00021:04", part676); - - var part677 = match("MESSAGE#403:00021:05", "nwparser.payload", "DIP port-translatation stickiness was %{disposition->} by %{username->} via %{logon_type->} from host %{saddr->} (%{fld1})", processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg406 = msg("00021:05", part677); - - var part678 = match("MESSAGE#404:00021:06", "nwparser.payload", "DIP port-translation stickiness was %{disposition->} by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport->} (%{fld1})", processor_chain([ - dup1, - dup2, - dup4, - dup5, - dup9, - setc("info","DIP port-translation stickiness was modified"), - ])); - - var msg407 = msg("00021:06", part678); - - var select151 = linear_select([ - msg401, - msg402, - msg403, - msg404, - msg405, - msg406, - msg407, - ]); - - var part679 = match("MESSAGE#405:00022/1_0", "nwparser.p0", "power supplies %{p0}"); - - var part680 = match("MESSAGE#405:00022/1_1", "nwparser.p0", "fans %{p0}"); - - var select152 = linear_select([ - part679, - part680, - ]); - - var part681 = match("MESSAGE#405:00022/2", "nwparser.p0", "are %{fld2->} functioning 
properly"); - - var all137 = all_match({ - processors: [ - dup186, - select152, - part681, - ], - on_success: processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg408 = msg("00022", all137); - - var part682 = match("MESSAGE#406:00022:01/0_0", "nwparser.payload", "At least one power supply %{p0}"); - - var part683 = match("MESSAGE#406:00022:01/0_1", "nwparser.payload", "The power supply %{fld2->} %{p0}"); - - var part684 = match("MESSAGE#406:00022:01/0_2", "nwparser.payload", "At least one fan %{p0}"); - - var select153 = linear_select([ - part682, - part683, - part684, - ]); - - var part685 = match("MESSAGE#406:00022:01/1", "nwparser.p0", "is not functioning properly%{p0}"); - - var all138 = all_match({ - processors: [ - select153, - part685, - dup368, - ], - on_success: processor_chain([ - dup187, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg409 = msg("00022:01", all138); - - var part686 = match("MESSAGE#407:00022:02", "nwparser.payload", "Global Manager VPN management tunnel has been %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg410 = msg("00022:02", part686); - - var part687 = match("MESSAGE#408:00022:03", "nwparser.payload", "Global Manager domain name has been defined as %{domain}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg411 = msg("00022:03", part687); - - var part688 = match("MESSAGE#409:00022:04/0", "nwparser.payload", "Reporting of the %{p0}"); - - var part689 = match("MESSAGE#409:00022:04/1_0", "nwparser.p0", "network activities %{p0}"); - - var part690 = match("MESSAGE#409:00022:04/1_1", "nwparser.p0", "device resources %{p0}"); - - var part691 = match("MESSAGE#409:00022:04/1_2", "nwparser.p0", "event logs %{p0}"); - - var part692 = match("MESSAGE#409:00022:04/1_3", "nwparser.p0", "summary logs %{p0}"); - - var select154 = linear_select([ - part689, - part690, - part691, - part692, - ]); - - var part693 = 
match("MESSAGE#409:00022:04/2", "nwparser.p0", "to Global Manager has been %{disposition}"); - - var all139 = all_match({ - processors: [ - part688, - select154, - part693, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg412 = msg("00022:04", all139); - - var part694 = match("MESSAGE#410:00022:05", "nwparser.payload", "Global Manager has been %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg413 = msg("00022:05", part694); - - var part695 = match("MESSAGE#411:00022:06/0", "nwparser.payload", "Global Manager %{p0}"); - - var part696 = match("MESSAGE#411:00022:06/1_0", "nwparser.p0", "report %{p0}"); - - var part697 = match("MESSAGE#411:00022:06/1_1", "nwparser.p0", "listen %{p0}"); - - var select155 = linear_select([ - part696, - part697, - ]); - - var part698 = match("MESSAGE#411:00022:06/2", "nwparser.p0", "port has been set to %{interface}"); - - var all140 = all_match({ - processors: [ - part695, - select155, - part698, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg414 = msg("00022:06", all140); - - var part699 = match("MESSAGE#412:00022:07", "nwparser.payload", "The Global Manager keep-alive value has been changed to %{fld2}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg415 = msg("00022:07", part699); - - var part700 = match("MESSAGE#413:00022:08/0_0", "nwparser.payload", "System temperature %{p0}"); - - var part701 = match("MESSAGE#413:00022:08/0_1", "nwparser.payload", "System's temperature: %{p0}"); - - var part702 = match("MESSAGE#413:00022:08/0_2", "nwparser.payload", "The system temperature %{p0}"); - - var select156 = linear_select([ - part700, - part701, - part702, - ]); - - var part703 = match("MESSAGE#413:00022:08/1", "nwparser.p0", "(%{fld2->} C%{p0}"); - - var part704 = match("MESSAGE#413:00022:08/2_0", "nwparser.p0", "entigrade, %{p0}"); - - var select157 = 
linear_select([ - part704, - dup96, - ]); - - var part705 = match("MESSAGE#413:00022:08/3", "nwparser.p0", "%{fld3->} F%{p0}"); - - var part706 = match("MESSAGE#413:00022:08/4_0", "nwparser.p0", "ahrenheit %{p0}"); - - var select158 = linear_select([ - part706, - dup96, - ]); - - var part707 = match("MESSAGE#413:00022:08/5", "nwparser.p0", ") is too high%{}"); - - var all141 = all_match({ - processors: [ - select156, - part703, - select157, - part705, - select158, - part707, - ], - on_success: processor_chain([ - dup188, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg416 = msg("00022:08", all141); - - var part708 = match("MESSAGE#414:00022:09/2", "nwparser.p0", "power supply is no%{p0}"); - - var select159 = linear_select([ - dup191, - dup192, - ]); - - var part709 = match("MESSAGE#414:00022:09/4", "nwparser.p0", "functioning properly%{}"); - - var all142 = all_match({ - processors: [ - dup55, - dup369, - part708, - select159, - part709, - ], - on_success: processor_chain([ - dup188, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg417 = msg("00022:09", all142); - - var part710 = match("MESSAGE#415:00022:10/0", "nwparser.payload", "The NetScreen device was unable to upgrade the file system%{p0}"); - - var part711 = match("MESSAGE#415:00022:10/1_0", "nwparser.p0", " due to an internal conflict%{}"); - - var part712 = match("MESSAGE#415:00022:10/1_1", "nwparser.p0", ", but the old file system is intact%{}"); - - var select160 = linear_select([ - part711, - part712, - ]); - - var all143 = all_match({ - processors: [ - part710, - select160, - ], - on_success: processor_chain([ - dup18, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg418 = msg("00022:10", all143); - - var part713 = match("MESSAGE#416:00022:11/0", "nwparser.payload", "The NetScreen device was unable to upgrade %{p0}"); - - var part714 = match("MESSAGE#416:00022:11/1_0", "nwparser.p0", "due to an internal conflict%{}"); - - var part715 = match("MESSAGE#416:00022:11/1_1", 
"nwparser.p0", "the loader, but the loader is intact%{}"); - - var select161 = linear_select([ - part714, - part715, - ]); - - var all144 = all_match({ - processors: [ - part713, - select161, - ], - on_success: processor_chain([ - dup18, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg419 = msg("00022:11", all144); - - var part716 = match("MESSAGE#417:00022:12/0", "nwparser.payload", "Battery is no%{p0}"); - - var select162 = linear_select([ - dup192, - dup191, - ]); - - var part717 = match("MESSAGE#417:00022:12/2", "nwparser.p0", "functioning properly.%{}"); - - var all145 = all_match({ - processors: [ - part716, - select162, - part717, - ], - on_success: processor_chain([ - dup188, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg420 = msg("00022:12", all145); - - var part718 = match("MESSAGE#418:00022:13", "nwparser.payload", "System's temperature (%{fld2->} Centigrade, %{fld3->} Fahrenheit) is OK now.", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg421 = msg("00022:13", part718); - - var part719 = match("MESSAGE#419:00022:14", "nwparser.payload", "The power supply %{fld2->} is functioning properly. 
(%{fld1})", processor_chain([ - dup44, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg422 = msg("00022:14", part719); - - var select163 = linear_select([ - msg408, - msg409, - msg410, - msg411, - msg412, - msg413, - msg414, - msg415, - msg416, - msg417, - msg418, - msg419, - msg420, - msg421, - msg422, - ]); - - var part720 = match("MESSAGE#420:00023", "nwparser.payload", "VIP server %{hostip->} is not responding", processor_chain([ - dup187, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg423 = msg("00023", part720); - - var part721 = match("MESSAGE#421:00023:01", "nwparser.payload", "VIP/load balance server %{hostip->} cannot be contacted", processor_chain([ - dup187, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg424 = msg("00023:01", part721); - - var part722 = match("MESSAGE#422:00023:02", "nwparser.payload", "VIP server %{hostip->} cannot be contacted", processor_chain([ - dup187, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg425 = msg("00023:02", part722); - - var select164 = linear_select([ - msg423, - msg424, - msg425, - ]); - - var part723 = match("MESSAGE#423:00024/0_0", "nwparser.payload", "The DHCP %{p0}"); - - var part724 = match("MESSAGE#423:00024/0_1", "nwparser.payload", " DHCP %{p0}"); - - var select165 = linear_select([ - part723, - part724, - ]); - - var part725 = match("MESSAGE#423:00024/2_0", "nwparser.p0", "IP address pool has %{p0}"); - - var part726 = match("MESSAGE#423:00024/2_1", "nwparser.p0", "options have been %{p0}"); - - var select166 = linear_select([ - part725, - part726, - ]); - - var all146 = all_match({ - processors: [ - select165, - dup193, - select166, - dup52, - dup368, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg426 = msg("00024", all146); - - var part727 = match("MESSAGE#424:00024:01/0_0", "nwparser.payload", "Traffic log %{p0}"); - - var part728 = match("MESSAGE#424:00024:01/0_1", "nwparser.payload", "Alarm log %{p0}"); - - var part729 = 
match("MESSAGE#424:00024:01/0_2", "nwparser.payload", "Event log %{p0}"); - - var part730 = match("MESSAGE#424:00024:01/0_3", "nwparser.payload", "Self log %{p0}"); - - var part731 = match("MESSAGE#424:00024:01/0_4", "nwparser.payload", "Asset Recovery log %{p0}"); - - var select167 = linear_select([ - part727, - part728, - part729, - part730, - part731, - ]); - - var part732 = match("MESSAGE#424:00024:01/1", "nwparser.p0", "has overflowed%{}"); - - var all147 = all_match({ - processors: [ - select167, - part732, - ], - on_success: processor_chain([ - dup117, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg427 = msg("00024:01", all147); - - var part733 = match("MESSAGE#425:00024:02/0", "nwparser.payload", "DHCP relay agent settings on %{fld2->} %{p0}"); - - var part734 = match("MESSAGE#425:00024:02/1_0", "nwparser.p0", "are %{p0}"); - - var part735 = match("MESSAGE#425:00024:02/1_1", "nwparser.p0", "have been %{p0}"); - - var select168 = linear_select([ - part734, - part735, - ]); - - var part736 = match("MESSAGE#425:00024:02/2", "nwparser.p0", "%{disposition->} (%{fld1})"); - - var all148 = all_match({ - processors: [ - part733, - select168, - part736, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg428 = msg("00024:02", all148); - - var part737 = match("MESSAGE#426:00024:03/0", "nwparser.payload", "DHCP server IP address pool %{p0}"); - - var select169 = linear_select([ - dup194, - dup106, - ]); - - var part738 = match("MESSAGE#426:00024:03/2", "nwparser.p0", "changed. 
(%{fld1})"); - - var all149 = all_match({ - processors: [ - part737, - select169, - part738, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg429 = msg("00024:03", all149); - - var select170 = linear_select([ - msg426, - msg427, - msg428, - msg429, - ]); - - var part739 = match("MESSAGE#427:00025", "nwparser.payload", "The DHCP server IP address pool has changed%{}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg430 = msg("00025", part739); - - var part740 = match("MESSAGE#428:00025:01", "nwparser.payload", "PKI: The current device %{disposition->} to save the certificate authority configuration.", processor_chain([ - dup86, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg431 = msg("00025:01", part740); - - var part741 = match("MESSAGE#429:00025:02", "nwparser.payload", "%{disposition->} to send the X509 request file via e-mail", processor_chain([ - dup86, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg432 = msg("00025:02", part741); - - var part742 = match("MESSAGE#430:00025:03", "nwparser.payload", "%{disposition->} to save the CA configuration", processor_chain([ - dup86, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg433 = msg("00025:03", part742); - - var part743 = match("MESSAGE#431:00025:04", "nwparser.payload", "Cannot load more X509 certificates. The %{result}", processor_chain([ - dup86, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg434 = msg("00025:04", part743); - - var select171 = linear_select([ - msg430, - msg431, - msg432, - msg433, - msg434, - ]); - - var part744 = match("MESSAGE#432:00026", "nwparser.payload", "%{signame->} have been detected! 
From %{saddr}:%{sport->} to %{daddr}:%{dport->} using protocol %{protocol->} on interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([ - dup58, - dup2, - dup3, - dup59, - dup4, - dup5, - dup61, - ])); - - var msg435 = msg("00026", part744); - - var part745 = match("MESSAGE#433:00026:13", "nwparser.payload", "%{signame->} have been detected! From %{saddr}:%{sport->} to %{daddr}:%{dport}, using protocol %{protocol}, on interface %{interface}", processor_chain([ - dup58, - dup2, - dup3, - dup4, - dup5, - dup61, - ])); - - var msg436 = msg("00026:13", part745); - - var part746 = match("MESSAGE#434:00026:01/2", "nwparser.p0", "PKA key has been %{p0}"); - - var part747 = match("MESSAGE#434:00026:01/4", "nwparser.p0", "admin user %{administrator}. (Key ID = %{fld2})"); - - var all150 = all_match({ - processors: [ - dup195, - dup370, - part746, - dup371, - part747, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg437 = msg("00026:01", all150); - - var part748 = match("MESSAGE#435:00026:02/1_0", "nwparser.p0", ": SCS %{p0}"); - - var select172 = linear_select([ - part748, - dup96, - ]); - - var part749 = match("MESSAGE#435:00026:02/2", "nwparser.p0", "has been %{disposition->} for %{p0}"); - - var part750 = match("MESSAGE#435:00026:02/3_0", "nwparser.p0", "root system %{p0}"); - - var part751 = match("MESSAGE#435:00026:02/3_1", "nwparser.p0", "%{interface->} %{p0}"); - - var select173 = linear_select([ - part750, - part751, - ]); - - var all151 = all_match({ - processors: [ - dup195, - select172, - part749, - select173, - dup116, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg438 = msg("00026:02", all151); - - var part752 = match("MESSAGE#436:00026:03/2", "nwparser.p0", "%{change_attribute->} has been changed from %{change_old->} to %{change_new}"); - - var all152 = all_match({ - processors: [ - dup195, - dup370, - part752, - ], 
- on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg439 = msg("00026:03", all152); - - var part753 = match("MESSAGE#437:00026:04", "nwparser.payload", "SCS: Connection has been terminated for admin user %{administrator->} at %{hostip}:%{network_port}", processor_chain([ - dup198, - dup2, - dup4, - dup5, - dup3, - ])); - - var msg440 = msg("00026:04", part753); - - var part754 = match("MESSAGE#438:00026:05", "nwparser.payload", "SCS: Host client has requested NO cipher from %{interface}", processor_chain([ - dup198, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg441 = msg("00026:05", part754); - - var part755 = match("MESSAGE#439:00026:06", "nwparser.payload", "SCS: SSH user %{username->} has been authenticated using PKA RSA from %{saddr}:%{sport}. (key-ID=%{fld2}", processor_chain([ - dup199, - dup29, - dup30, - dup31, - dup32, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg442 = msg("00026:06", part755); - - var part756 = match("MESSAGE#440:00026:07", "nwparser.payload", "SCS: SSH user %{username->} has been authenticated using password from %{saddr}:%{sport}.", processor_chain([ - dup199, - dup29, - dup30, - dup31, - dup32, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg443 = msg("00026:07", part756); - - var part757 = match("MESSAGE#441:00026:08/0", "nwparser.payload", "SSH user %{username->} has been authenticated using %{p0}"); - - var part758 = match("MESSAGE#441:00026:08/2", "nwparser.p0", "from %{saddr}:%{sport->} [ with key ID %{fld2->} ]"); - - var all153 = all_match({ - processors: [ - part757, - dup372, - part758, - ], - on_success: processor_chain([ - dup199, - dup29, - dup30, - dup31, - dup32, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg444 = msg("00026:08", all153); - - var part759 = match("MESSAGE#442:00026:09", "nwparser.payload", "IPSec tunnel on int %{interface->} with tunnel ID %{fld2->} received a packet with a bad SPI.", processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - 
])); - - var msg445 = msg("00026:09", part759); - - var part760 = match("MESSAGE#443:00026:10/0", "nwparser.payload", "SSH: %{p0}"); - - var part761 = match("MESSAGE#443:00026:10/1_0", "nwparser.p0", "Failed %{p0}"); - - var part762 = match("MESSAGE#443:00026:10/1_1", "nwparser.p0", "Attempt %{p0}"); - - var select174 = linear_select([ - part761, - part762, - ]); - - var part763 = match("MESSAGE#443:00026:10/3_0", "nwparser.p0", "bind duplicate %{p0}"); - - var select175 = linear_select([ - part763, - dup201, - ]); - - var part764 = match("MESSAGE#443:00026:10/6", "nwparser.p0", "admin user '%{administrator}' (Key ID %{fld2})"); - - var all154 = all_match({ - processors: [ - part760, - select174, - dup103, - select175, - dup202, - dup373, - part764, - ], - on_success: processor_chain([ - dup203, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg446 = msg("00026:10", all154); - - var part765 = match("MESSAGE#444:00026:11", "nwparser.payload", "SSH: Maximum number of PKA keys (%{fld2}) has been bound to user '%{username}' Key not bound. (Key ID %{fld3})", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg447 = msg("00026:11", part765); - - var part766 = match("MESSAGE#445:00026:12", "nwparser.payload", "IKE %{fld2}: Missing heartbeats have exceeded the threshold. 
All Phase 1 and 2 SAs have been removed", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg448 = msg("00026:12", part766); - - var select176 = linear_select([ - msg435, - msg436, - msg437, - msg438, - msg439, - msg440, - msg441, - msg442, - msg443, - msg444, - msg445, - msg446, - msg447, - msg448, - ]); - - var part767 = match("MESSAGE#446:00027/2", "nwparser.p0", "user %{username->} from %{p0}"); - - var part768 = match("MESSAGE#446:00027/3_0", "nwparser.p0", "IP address %{saddr}:%{sport}"); - - var part769 = match("MESSAGE#446:00027/3_1", "nwparser.p0", "%{saddr}:%{sport}"); - - var part770 = match("MESSAGE#446:00027/3_2", "nwparser.p0", "console%{}"); - - var select177 = linear_select([ - part768, - part769, - part770, - ]); - - var all155 = all_match({ - processors: [ - dup204, - dup374, - part767, - select177, - ], - on_success: processor_chain([ - dup206, - dup30, - dup31, - dup54, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg449 = msg("00027", all155); - - var part771 = match("MESSAGE#447:00027:01", "nwparser.payload", "%{change_attribute->} has been restored from %{change_old->} to default port %{change_new}. %{info}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg450 = msg("00027:01", part771); - - var part772 = match("MESSAGE#448:00027:02", "nwparser.payload", "%{change_attribute->} has been restored from %{change_old->} to %{change_new}. %{info}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg451 = msg("00027:02", part772); - - var part773 = match("MESSAGE#449:00027:03", "nwparser.payload", "%{change_attribute->} has been changed from %{change_old->} to port %{change_new}. 
%{info}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg452 = msg("00027:03", part773); - - var part774 = match("MESSAGE#450:00027:04", "nwparser.payload", "%{change_attribute->} has been changed from %{change_old->} to port %{change_new}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg453 = msg("00027:04", part774); - - var part775 = match("MESSAGE#451:00027:05/0", "nwparser.payload", "ScreenOS %{version->} %{p0}"); - - var part776 = match("MESSAGE#451:00027:05/1_0", "nwparser.p0", "Serial %{p0}"); - - var part777 = match("MESSAGE#451:00027:05/1_1", "nwparser.p0", "serial %{p0}"); - - var select178 = linear_select([ - part776, - part777, - ]); - - var part778 = match("MESSAGE#451:00027:05/2", "nwparser.p0", "# %{fld2}: Asset recovery %{p0}"); - - var part779 = match("MESSAGE#451:00027:05/3_0", "nwparser.p0", "performed %{p0}"); - - var select179 = linear_select([ - part779, - dup127, - ]); - - var select180 = linear_select([ - dup207, - dup208, - ]); - - var all156 = all_match({ - processors: [ - part775, - select178, - part778, - select179, - dup23, - select180, - ], - on_success: processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg454 = msg("00027:05", all156); - - var part780 = match("MESSAGE#452:00027:06/0", "nwparser.payload", "Device Reset (Asset Recovery) has been %{p0}"); - - var select181 = linear_select([ - dup208, - dup207, - ]); - - var all157 = all_match({ - processors: [ - part780, - select181, - ], - on_success: processor_chain([ - setc("eventcategory","1606000000"), - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg455 = msg("00027:06", all157); - - var part781 = match("MESSAGE#453:00027:07", "nwparser.payload", "%{change_attribute->} has been changed from %{change_old->} to %{change_new}. 
%{info}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg456 = msg("00027:07", part781); - - var part782 = match("MESSAGE#454:00027:08", "nwparser.payload", "System configuration has been erased%{}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg457 = msg("00027:08", part782); - - var part783 = match("MESSAGE#455:00027:09", "nwparser.payload", "License key %{fld2->} is due to expire in %{fld3}.", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg458 = msg("00027:09", part783); - - var part784 = match("MESSAGE#456:00027:10", "nwparser.payload", "License key %{fld2->} has expired.", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg459 = msg("00027:10", part784); - - var part785 = match("MESSAGE#457:00027:11", "nwparser.payload", "License key %{fld2->} expired after 30-day grace period.", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg460 = msg("00027:11", part785); - - var part786 = match("MESSAGE#458:00027:12/0", "nwparser.payload", "Request to retrieve license key failed to reach %{p0}"); - - var part787 = match("MESSAGE#458:00027:12/1_0", "nwparser.p0", "the server %{p0}"); - - var select182 = linear_select([ - part787, - dup193, - ]); - - var part788 = match("MESSAGE#458:00027:12/2", "nwparser.p0", "by %{fld2}. 
Server url: %{url}"); - - var all158 = all_match({ - processors: [ - part786, - select182, - part788, - ], - on_success: processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg461 = msg("00027:12", all158); - - var part789 = match("MESSAGE#459:00027:13/2", "nwparser.p0", "user %{username}"); - - var all159 = all_match({ - processors: [ - dup204, - dup374, - part789, - ], - on_success: processor_chain([ - dup206, - dup30, - dup31, - dup54, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg462 = msg("00027:13", all159); - - var part790 = match("MESSAGE#460:00027:14/0", "nwparser.payload", "Configuration Erasure Process %{p0}"); - - var part791 = match("MESSAGE#460:00027:14/1_0", "nwparser.p0", "has been initiated %{p0}"); - - var part792 = match("MESSAGE#460:00027:14/1_1", "nwparser.p0", "aborted %{p0}"); - - var select183 = linear_select([ - part791, - part792, - ]); - - var part793 = match("MESSAGE#460:00027:14/2", "nwparser.p0", ".%{space}(%{fld1})"); - - var all160 = all_match({ - processors: [ - part790, - select183, - part793, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg463 = msg("00027:14", all160); - - var part794 = match("MESSAGE#461:00027:15", "nwparser.payload", "Waiting for 2nd confirmation. 
(%{fld1})", processor_chain([ - dup44, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg464 = msg("00027:15", part794); - - var part795 = match("MESSAGE#1220:00027:16", "nwparser.payload", "Admin %{fld3->} policy id %{policy_id->} name \"%{fld2->} has been re-enabled by NetScreen system after being locked due to excessive failed login attempts (%{fld1})", processor_chain([ - dup44, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg465 = msg("00027:16", part795); - - var part796 = match("MESSAGE#1225:00027:17", "nwparser.payload", "Admin %{username->} is locked and will be unlocked after %{duration->} minutes (%{fld1})", processor_chain([ - dup44, - dup2, - dup4, - dup5, - dup9, - ])); - - var msg466 = msg("00027:17", part796); - - var part797 = match("MESSAGE#1226:00027:18", "nwparser.payload", "Login attempt by admin %{username->} from %{saddr->} is refused as this account is locked (%{fld1})", processor_chain([ - dup44, - dup2, - dup4, - dup5, - dup9, - ])); - - var msg467 = msg("00027:18", part797); - - var part798 = match("MESSAGE#1227:00027:19", "nwparser.payload", "Admin %{username->} has been re-enabled by NetScreen system after being locked due to excessive failed login attempts (%{fld1})", processor_chain([ - dup44, - dup2, - dup4, - dup5, - dup9, - ])); - - var msg468 = msg("00027:19", part798); - - var select184 = linear_select([ - msg449, - msg450, - msg451, - msg452, - msg453, - msg454, - msg455, - msg456, - msg457, - msg458, - msg459, - msg460, - msg461, - msg462, - msg463, - msg464, - msg465, - msg466, - msg467, - msg468, - ]); - - var part799 = match("MESSAGE#462:00028/0_0", "nwparser.payload", "An Intruder%{p0}"); - - var part800 = match("MESSAGE#462:00028/0_1", "nwparser.payload", "Intruder%{p0}"); - - var part801 = match("MESSAGE#462:00028/0_2", "nwparser.payload", "An intruter%{p0}"); - - var select185 = linear_select([ - part799, - part800, - part801, - ]); - - var part802 = match("MESSAGE#462:00028/1", "nwparser.p0", "%{}has 
attempted to connect to the NetScreen-Global PRO port! From %{saddr}:%{sport->} to %{daddr}:%{dport->} using protocol %{protocol->} at interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times"); - - var all161 = all_match({ - processors: [ - select185, - part802, - ], - on_success: processor_chain([ - dup58, - dup2, - dup59, - dup3, - dup4, - dup5, - dup61, - setc("signame","Attempt to Connect to the NetScreen-Global Port"), - ]), - }); - - var msg469 = msg("00028", all161); - - var part803 = match("MESSAGE#463:00029", "nwparser.payload", "DNS has been refreshed%{}", processor_chain([ - dup209, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg470 = msg("00029", part803); - - var part804 = match("MESSAGE#464:00029:01", "nwparser.payload", "DHCP file write: out of memory.%{}", processor_chain([ - dup184, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg471 = msg("00029:01", part804); - - var part805 = match("MESSAGE#465:00029:02/0", "nwparser.payload", "The DHCP process cannot open file %{fld2->} to %{p0}"); - - var part806 = match("MESSAGE#465:00029:02/1_0", "nwparser.p0", "read %{p0}"); - - var part807 = match("MESSAGE#465:00029:02/1_1", "nwparser.p0", "write %{p0}"); - - var select186 = linear_select([ - part806, - part807, - ]); - - var part808 = match("MESSAGE#465:00029:02/2", "nwparser.p0", "data.%{}"); - - var all162 = all_match({ - processors: [ - part805, - select186, - part808, - ], - on_success: processor_chain([ - dup117, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg472 = msg("00029:02", all162); - - var part809 = match("MESSAGE#466:00029:03/2", "nwparser.p0", "%{} %{interface->} is full. 
Unable to %{p0}"); - - var part810 = match("MESSAGE#466:00029:03/3_0", "nwparser.p0", "commit %{p0}"); - - var part811 = match("MESSAGE#466:00029:03/3_1", "nwparser.p0", "offer %{p0}"); - - var select187 = linear_select([ - part810, - part811, - ]); - - var part812 = match("MESSAGE#466:00029:03/4", "nwparser.p0", "IP address to client at %{fld2}"); - - var all163 = all_match({ - processors: [ - dup210, - dup337, - part809, - select187, - part812, - ], - on_success: processor_chain([ - dup117, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg473 = msg("00029:03", all163); - - var part813 = match("MESSAGE#467:00029:04", "nwparser.payload", "DHCP server set to OFF on %{interface->} (another server found on %{hostip}).", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg474 = msg("00029:04", part813); - - var select188 = linear_select([ - msg470, - msg471, - msg472, - msg473, - msg474, - ]); - - var part814 = match("MESSAGE#468:00030", "nwparser.payload", "CA configuration is invalid%{}", processor_chain([ - dup18, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg475 = msg("00030", part814); - - var part815 = match("MESSAGE#469:00030:01/0", "nwparser.payload", "DSS checking of CRLs has been changed from %{p0}"); - - var part816 = match("MESSAGE#469:00030:01/1_0", "nwparser.p0", "0 to 1%{}"); - - var part817 = match("MESSAGE#469:00030:01/1_1", "nwparser.p0", "1 to 0%{}"); - - var select189 = linear_select([ - part816, - part817, - ]); - - var all164 = all_match({ - processors: [ - part815, - select189, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg476 = msg("00030:01", all164); - - var part818 = match("MESSAGE#470:00030:05", "nwparser.payload", "For the X509 certificate %{change_attribute->} has been changed from %{change_old->} to %{change_new}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg477 = msg("00030:05", part818); - - var part819 = 
match("MESSAGE#471:00030:06", "nwparser.payload", "In the X509 certificate request the %{fld2->} field has been changed from %{fld3}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg478 = msg("00030:06", part819); - - var part820 = match("MESSAGE#472:00030:07", "nwparser.payload", "RA X509 certificate cannot be loaded%{}", processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg479 = msg("00030:07", part820); - - var part821 = match("MESSAGE#473:00030:10", "nwparser.payload", "Self-signed X509 certificate cannot be generated%{}", processor_chain([ - dup86, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg480 = msg("00030:10", part821); - - var part822 = match("MESSAGE#474:00030:12", "nwparser.payload", "The public key for ScreenOS image has successfully been updated%{}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg481 = msg("00030:12", part822); - - var part823 = match("MESSAGE#475:00030:13/0", "nwparser.payload", "The public key used for ScreenOS image authentication cannot be %{p0}"); - - var part824 = match("MESSAGE#475:00030:13/1_0", "nwparser.p0", "decoded%{}"); - - var part825 = match("MESSAGE#475:00030:13/1_1", "nwparser.p0", "loaded%{}"); - - var select190 = linear_select([ - part824, - part825, - ]); - - var all165 = all_match({ - processors: [ - part823, - select190, - ], - on_success: processor_chain([ - dup35, - dup31, - dup39, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg482 = msg("00030:13", all165); - - var part826 = match("MESSAGE#476:00030:14/1_0", "nwparser.p0", "CA IDENT %{p0}"); - - var part827 = match("MESSAGE#476:00030:14/1_1", "nwparser.p0", "Challenge password %{p0}"); - - var part828 = match("MESSAGE#476:00030:14/1_2", "nwparser.p0", "CA CGI URL %{p0}"); - - var part829 = match("MESSAGE#476:00030:14/1_3", "nwparser.p0", "RA CGI URL %{p0}"); - - var select191 = linear_select([ - part826, - part827, - part828, - part829, - ]); - - var part830 = 
match("MESSAGE#476:00030:14/2", "nwparser.p0", "for SCEP %{p0}"); - - var part831 = match("MESSAGE#476:00030:14/3_0", "nwparser.p0", "requests %{p0}"); - - var select192 = linear_select([ - part831, - dup16, - ]); - - var part832 = match("MESSAGE#476:00030:14/4", "nwparser.p0", "has been changed from %{change_old->} to %{change_new}"); - - var all166 = all_match({ - processors: [ - dup55, - select191, - part830, - select192, - part832, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg483 = msg("00030:14", all166); - - var msg484 = msg("00030:02", dup375); - - var part833 = match("MESSAGE#478:00030:15", "nwparser.payload", "X509 certificate for ScreenOS image authentication is invalid%{}", processor_chain([ - dup35, - dup211, - dup31, - dup39, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg485 = msg("00030:15", part833); - - var part834 = match("MESSAGE#479:00030:16", "nwparser.payload", "X509 certificate has been deleted%{}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg486 = msg("00030:16", part834); - - var part835 = match("MESSAGE#480:00030:18", "nwparser.payload", "PKI CRL: no revoke info accept per config DN %{interface}.", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg487 = msg("00030:18", part835); - - var part836 = match("MESSAGE#481:00030:19/0", "nwparser.payload", "PKI: A configurable item %{change_attribute->} %{p0}"); - - var part837 = match("MESSAGE#481:00030:19/1_0", "nwparser.p0", "mode %{p0}"); - - var part838 = match("MESSAGE#481:00030:19/1_1", "nwparser.p0", "field%{p0}"); - - var select193 = linear_select([ - part837, - part838, - ]); - - var part839 = match("MESSAGE#481:00030:19/2", "nwparser.p0", "%{}has changed from %{change_old->} to %{change_new}"); - - var all167 = all_match({ - processors: [ - part836, - select193, - part839, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var 
msg488 = msg("00030:19", all167); - - var part840 = match("MESSAGE#482:00030:30", "nwparser.payload", "PKI: NSRP cold sync start for total of %{fld2->} items.", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg489 = msg("00030:30", part840); - - var part841 = match("MESSAGE#483:00030:31", "nwparser.payload", "PKI: NSRP sync received cold sync item %{fld2->} out of order expect %{fld3->} of %{fld4}.", processor_chain([ - dup86, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg490 = msg("00030:31", part841); - - var part842 = match("MESSAGE#484:00030:32", "nwparser.payload", "PKI: NSRP sync received cold sync item %{fld2->} without first item.", processor_chain([ - dup86, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg491 = msg("00030:32", part842); - - var part843 = match("MESSAGE#485:00030:33", "nwparser.payload", "PKI: NSRP sync received normal item during cold sync.%{}", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg492 = msg("00030:33", part843); - - var part844 = match("MESSAGE#486:00030:34", "nwparser.payload", "PKI: The CRL %{policy_id->} is deleted.", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg493 = msg("00030:34", part844); - - var part845 = match("MESSAGE#487:00030:35", "nwparser.payload", "PKI: The NSRP high availability synchronization %{fld2->} failed.", processor_chain([ - dup86, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg494 = msg("00030:35", part845); - - var part846 = match("MESSAGE#488:00030:36", "nwparser.payload", "PKI: The %{change_attribute->} has changed from %{change_old->} to %{change_new}.", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg495 = msg("00030:36", part846); - - var part847 = match("MESSAGE#489:00030:37", "nwparser.payload", "PKI: The X.509 certificate for the ScreenOS image authentication is invalid.%{}", processor_chain([ - dup35, - dup211, - dup31, - dup39, - dup2, - dup3, - dup4, - dup5, - ])); - 
- var msg496 = msg("00030:37", part847); - - var part848 = match("MESSAGE#490:00030:38", "nwparser.payload", "PKI: The X.509 local certificate cannot be sync to vsd member.%{}", processor_chain([ - dup35, - dup211, - dup31, - dup39, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg497 = msg("00030:38", part848); - - var part849 = match("MESSAGE#491:00030:39/0", "nwparser.payload", "PKI: The X.509 certificate %{p0}"); - - var part850 = match("MESSAGE#491:00030:39/1_0", "nwparser.p0", "revocation list %{p0}"); - - var select194 = linear_select([ - part850, - dup16, - ]); - - var part851 = match("MESSAGE#491:00030:39/2", "nwparser.p0", "cannot be loaded during NSRP synchronization.%{}"); - - var all168 = all_match({ - processors: [ - part849, - select194, - part851, - ], - on_success: processor_chain([ - dup35, - dup211, - dup31, - dup39, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg498 = msg("00030:39", all168); - - var part852 = match("MESSAGE#492:00030:17/0", "nwparser.payload", "X509 %{p0}"); - - var part853 = match("MESSAGE#492:00030:17/2", "nwparser.p0", "cannot be loaded%{}"); - - var all169 = all_match({ - processors: [ - part852, - dup376, - part853, - ], - on_success: processor_chain([ - dup35, - dup211, - dup31, - dup39, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg499 = msg("00030:17", all169); - - var part854 = match("MESSAGE#493:00030:40/0", "nwparser.payload", "PKI: The certificate %{fld2->} will expire %{p0}"); - - var part855 = match("MESSAGE#493:00030:40/1_1", "nwparser.p0", "please %{p0}"); - - var select195 = linear_select([ - dup214, - part855, - ]); - - var part856 = match("MESSAGE#493:00030:40/2", "nwparser.p0", "renew.%{}"); - - var all170 = all_match({ - processors: [ - part854, - select195, - part856, - ], - on_success: processor_chain([ - dup35, - dup211, - dup31, - dup39, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg500 = msg("00030:40", all170); - - var part857 = match("MESSAGE#494:00030:41", 
"nwparser.payload", "PKI: The certificate revocation list has expired issued by certificate authority %{fld2}.", processor_chain([ - dup35, - dup211, - dup31, - dup39, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg501 = msg("00030:41", part857); - - var part858 = match("MESSAGE#495:00030:42", "nwparser.payload", "PKI: The configuration content of certificate authority %{fld2->} is not valid.", processor_chain([ - dup35, - dup211, - dup31, - dup39, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg502 = msg("00030:42", part858); - - var part859 = match("MESSAGE#496:00030:43", "nwparser.payload", "PKI: The device cannot allocate this object id number %{fld2}.", processor_chain([ - dup35, - dup211, - dup31, - dup39, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg503 = msg("00030:43", part859); - - var part860 = match("MESSAGE#497:00030:44", "nwparser.payload", "PKI: The device cannot extract the X.509 certificate revocation list [ (CRL) ].%{}", processor_chain([ - dup35, - dup211, - dup31, - dup39, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg504 = msg("00030:44", part860); - - var part861 = match("MESSAGE#498:00030:45", "nwparser.payload", "PKI: The device cannot find the PKI object %{fld2->} during cold sync.", processor_chain([ - dup35, - dup211, - dup31, - dup39, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg505 = msg("00030:45", part861); - - var part862 = match("MESSAGE#499:00030:46", "nwparser.payload", "PKI: The device cannot load X.509 certificate onto the device certificate %{fld2}.", processor_chain([ - dup35, - dup211, - dup31, - dup39, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg506 = msg("00030:46", part862); - - var part863 = match("MESSAGE#500:00030:47", "nwparser.payload", "PKI: The device cannot load a certificate pending SCEP completion.%{}", processor_chain([ - dup35, - dup211, - dup31, - dup39, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg507 = msg("00030:47", part863); - - var part864 = match("MESSAGE#501:00030:48", 
"nwparser.payload", "PKI: The device cannot load an X.509 certificate revocation list (CRL).%{}", processor_chain([ - dup35, - dup211, - dup31, - dup39, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg508 = msg("00030:48", part864); - - var part865 = match("MESSAGE#502:00030:49", "nwparser.payload", "PKI: The device cannot load the CA certificate received through SCEP.%{}", processor_chain([ - dup35, - dup211, - dup31, - dup39, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg509 = msg("00030:49", part865); - - var part866 = match("MESSAGE#503:00030:50", "nwparser.payload", "PKI: The device cannot load the X.509 certificate revocation list (CRL) from the file.%{}", processor_chain([ - dup35, - dup211, - dup31, - dup39, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg510 = msg("00030:50", part866); - - var part867 = match("MESSAGE#504:00030:51", "nwparser.payload", "PKI: The device cannot load the X.509 local certificate received through SCEP.%{}", processor_chain([ - dup35, - dup211, - dup31, - dup39, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg511 = msg("00030:51", part867); - - var part868 = match("MESSAGE#505:00030:52", "nwparser.payload", "PKI: The device cannot load the X.509 %{product->} during boot.", processor_chain([ - dup35, - dup211, - dup31, - dup39, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg512 = msg("00030:52", part868); - - var part869 = match("MESSAGE#506:00030:53", "nwparser.payload", "PKI: The device cannot load the X.509 certificate file.%{}", processor_chain([ - dup35, - dup211, - dup31, - dup39, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg513 = msg("00030:53", part869); - - var part870 = match("MESSAGE#507:00030:54", "nwparser.payload", "PKI: The device completed the coldsync of the PKI object at %{fld2->} attempt.", processor_chain([ - dup44, - dup211, - dup31, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg514 = msg("00030:54", part870); - - var part871 = match("MESSAGE#508:00030:55/0", "nwparser.payload", "PKI: 
The device could not generate %{p0}"); - - var all171 = all_match({ - processors: [ - part871, - dup377, - dup217, - ], - on_success: processor_chain([ - dup35, - dup211, - dup31, - dup39, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg515 = msg("00030:55", all171); - - var part872 = match("MESSAGE#509:00030:56", "nwparser.payload", "PKI: The device detected an invalid RSA key.%{}", processor_chain([ - dup35, - dup211, - dup31, - dup39, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg516 = msg("00030:56", part872); - - var part873 = match("MESSAGE#510:00030:57", "nwparser.payload", "PKI: The device detected an invalid digital signature algorithm (DSA) key.%{}", processor_chain([ - dup35, - dup218, - dup31, - dup39, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg517 = msg("00030:57", part873); - - var part874 = match("MESSAGE#511:00030:58", "nwparser.payload", "PKI: The device failed to coldsync the PKI object at %{fld2->} attempt.", processor_chain([ - dup86, - dup218, - dup31, - dup54, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg518 = msg("00030:58", part874); - - var part875 = match("MESSAGE#512:00030:59", "nwparser.payload", "PKI: The device failed to decode the public key of the image%{quote}s signer certificate.", processor_chain([ - dup35, - dup218, - dup31, - dup54, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg519 = msg("00030:59", part875); - - var part876 = match("MESSAGE#513:00030:60", "nwparser.payload", "PKI: The device failed to install the RSA key.%{}", processor_chain([ - dup35, - dup218, - dup31, - dup54, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg520 = msg("00030:60", part876); - - var part877 = match("MESSAGE#514:00030:61", "nwparser.payload", "PKI: The device failed to retrieve the pending certificate %{fld2}.", processor_chain([ - dup35, - dup211, - dup31, - dup54, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg521 = msg("00030:61", part877); - - var part878 = match("MESSAGE#515:00030:62", "nwparser.payload", 
"PKI: The device failed to save the certificate authority related configuration.%{}", processor_chain([ - dup35, - dup211, - dup31, - dup54, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg522 = msg("00030:62", part878); - - var part879 = match("MESSAGE#516:00030:63", "nwparser.payload", "PKI: The device failed to store the authority configuration.%{}", processor_chain([ - dup18, - dup219, - dup51, - dup54, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg523 = msg("00030:63", part879); - - var part880 = match("MESSAGE#517:00030:64", "nwparser.payload", "PKI: The device failed to synchronize new DSA/RSA key pair to NSRP peer.%{}", processor_chain([ - dup18, - dup218, - dup51, - dup54, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg524 = msg("00030:64", part880); - - var part881 = match("MESSAGE#518:00030:65", "nwparser.payload", "PKI: The device failed to synchronize DSA/RSA key pair to NSRP peer.%{}", processor_chain([ - dup18, - dup218, - dup51, - dup54, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg525 = msg("00030:65", part881); - - var part882 = match("MESSAGE#519:00030:66", "nwparser.payload", "PKI: The device has detected an invalid X.509 object attribute %{fld2}.", processor_chain([ - dup35, - dup211, - dup31, - dup39, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg526 = msg("00030:66", part882); - - var part883 = match("MESSAGE#520:00030:67", "nwparser.payload", "PKI: The device has detected invalid X.509 object content.%{}", processor_chain([ - dup35, - dup211, - dup31, - dup39, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg527 = msg("00030:67", part883); - - var part884 = match("MESSAGE#521:00030:68", "nwparser.payload", "PKI: The device has failed to load an invalid X.509 object.%{}", processor_chain([ - dup35, - dup211, - dup31, - dup39, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg528 = msg("00030:68", part884); - - var part885 = match("MESSAGE#522:00030:69", "nwparser.payload", "PKI: The device is loading the version 0 PKI 
data.%{}", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg529 = msg("00030:69", part885); - - var part886 = match("MESSAGE#523:00030:70/0", "nwparser.payload", "PKI: The device successfully generated a new %{p0}"); - - var all172 = all_match({ - processors: [ - part886, - dup377, - dup217, - ], - on_success: processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg530 = msg("00030:70", all172); - - var part887 = match("MESSAGE#524:00030:71", "nwparser.payload", "PKI: The public key of image%{quote}s signer has been loaded successfully, for future image authentication.", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg531 = msg("00030:71", part887); - - var part888 = match("MESSAGE#525:00030:72", "nwparser.payload", "PKI: The signature of the image%{quote}s signer certificate cannot be verified.", processor_chain([ - dup35, - dup211, - dup31, - dup39, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg532 = msg("00030:72", part888); - - var part889 = match("MESSAGE#526:00030:73/0", "nwparser.payload", "PKI: The %{p0}"); - - var part890 = match("MESSAGE#526:00030:73/1_0", "nwparser.p0", "file name %{p0}"); - - var part891 = match("MESSAGE#526:00030:73/1_1", "nwparser.p0", "friendly name of a certificate %{p0}"); - - var part892 = match("MESSAGE#526:00030:73/1_2", "nwparser.p0", "vsys name %{p0}"); - - var select196 = linear_select([ - part890, - part891, - part892, - ]); - - var part893 = match("MESSAGE#526:00030:73/2", "nwparser.p0", "is too long %{fld2->} to do NSRP synchronization allowed %{fld3}."); - - var all173 = all_match({ - processors: [ - part889, - select196, - part893, - ], - on_success: processor_chain([ - dup35, - dup211, - dup31, - dup39, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg533 = msg("00030:73", all173); - - var part894 = match("MESSAGE#527:00030:74", "nwparser.payload", "PKI: Upgrade from earlier version save to file.%{}", processor_chain([ - dup44, 
- dup2, - dup3, - dup4, - dup5, - ])); - - var msg534 = msg("00030:74", part894); - - var part895 = match("MESSAGE#528:00030:75", "nwparser.payload", "PKI: X.509 certificate has been deleted distinguished name %{username}.", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg535 = msg("00030:75", part895); - - var part896 = match("MESSAGE#529:00030:76/0", "nwparser.payload", "PKI: X.509 %{p0}"); - - var part897 = match("MESSAGE#529:00030:76/2", "nwparser.p0", "file has been loaded successfully filename %{fld2}."); - - var all174 = all_match({ - processors: [ - part896, - dup376, - part897, - ], - on_success: processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg536 = msg("00030:76", all174); - - var part898 = match("MESSAGE#530:00030:77", "nwparser.payload", "PKI: failed to install DSA key.%{}", processor_chain([ - dup18, - dup218, - dup51, - dup54, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg537 = msg("00030:77", part898); - - var part899 = match("MESSAGE#531:00030:78", "nwparser.payload", "PKI: no FQDN available when requesting certificate.%{}", processor_chain([ - dup35, - dup211, - dup220, - dup31, - dup39, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg538 = msg("00030:78", part899); - - var part900 = match("MESSAGE#532:00030:79", "nwparser.payload", "PKI: no cert revocation check per config DN %{username}.", processor_chain([ - dup35, - dup211, - dup220, - dup31, - dup39, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg539 = msg("00030:79", part900); - - var part901 = match("MESSAGE#533:00030:80", "nwparser.payload", "PKI: no nsrp sync for pre 2.5 objects.%{}", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg540 = msg("00030:80", part901); - - var part902 = match("MESSAGE#534:00030:81", "nwparser.payload", "X509 certificate with subject name %{fld2->} is deleted.", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg541 = msg("00030:81", 
part902); - - var part903 = match("MESSAGE#535:00030:82", "nwparser.payload", "create new authcfg for CA %{fld2}", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg542 = msg("00030:82", part903); - - var part904 = match("MESSAGE#536:00030:83", "nwparser.payload", "loadCert: Cannot acquire authcfg for this CA cert %{fld2}.", processor_chain([ - dup35, - dup211, - dup31, - dup39, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg543 = msg("00030:83", part904); - - var part905 = match("MESSAGE#537:00030:84", "nwparser.payload", "upgrade to 4.0 copy authcfg from global.%{}", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg544 = msg("00030:84", part905); - - var part906 = match("MESSAGE#538:00030:85", "nwparser.payload", "System CPU utilization is high (%{fld2->} alarm threshold: %{trigger_val}) %{info}", processor_chain([ - setc("eventcategory","1603080000"), - dup2, - dup3, - dup4, - dup5, - ])); - - var msg545 = msg("00030:85", part906); - - var part907 = match("MESSAGE#539:00030:86/2", "nwparser.p0", "Pair-wise invoked by started after key generation. (%{fld1})"); - - var all175 = all_match({ - processors: [ - dup221, - dup378, - part907, - ], - on_success: processor_chain([ - dup223, - dup2, - dup4, - dup5, - dup9, - ]), - }); - - var msg546 = msg("00030:86", all175); - - var part908 = match("MESSAGE#1214:00030:87", "nwparser.payload", "SYSTEM CPU utilization is high (%{fld2->} > %{fld3->} ) %{fld4->} times in %{fld5->} minute (%{fld1})\u003c\u003c%{fld6}>", processor_chain([ - dup209, - dup2, - dup3, - dup4, - dup5, - dup9, - ])); - - var msg547 = msg("00030:87", part908); - - var part909 = match("MESSAGE#1217:00030:88/2", "nwparser.p0", "Pair-wise invoked by passed. 
(%{fld1})\u003c\u003c%{fld6}>"); - - var all176 = all_match({ - processors: [ - dup221, - dup378, - part909, - ], - on_success: processor_chain([ - dup223, - dup2, - dup4, - dup5, - dup9, - ]), - }); - - var msg548 = msg("00030:88", all176); - - var select197 = linear_select([ - msg475, - msg476, - msg477, - msg478, - msg479, - msg480, - msg481, - msg482, - msg483, - msg484, - msg485, - msg486, - msg487, - msg488, - msg489, - msg490, - msg491, - msg492, - msg493, - msg494, - msg495, - msg496, - msg497, - msg498, - msg499, - msg500, - msg501, - msg502, - msg503, - msg504, - msg505, - msg506, - msg507, - msg508, - msg509, - msg510, - msg511, - msg512, - msg513, - msg514, - msg515, - msg516, - msg517, - msg518, - msg519, - msg520, - msg521, - msg522, - msg523, - msg524, - msg525, - msg526, - msg527, - msg528, - msg529, - msg530, - msg531, - msg532, - msg533, - msg534, - msg535, - msg536, - msg537, - msg538, - msg539, - msg540, - msg541, - msg542, - msg543, - msg544, - msg545, - msg546, - msg547, - msg548, - ]); - - var part910 = match("MESSAGE#540:00031:13", "nwparser.payload", "ARP detected IP conflict: IP address %{hostip->} changed from %{sinterface->} to interface %{dinterface->} (%{fld1})", processor_chain([ - dup121, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg549 = msg("00031:13", part910); - - var part911 = match("MESSAGE#541:00031", "nwparser.payload", "SNMP AuthenTraps have been %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg550 = msg("00031", part911); - - var part912 = match("MESSAGE#542:00031:01", "nwparser.payload", "SNMP VPN has been %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg551 = msg("00031:01", part912); - - var part913 = match("MESSAGE#543:00031:02/0", "nwparser.payload", "SNMP community %{fld2->} attributes-write access %{p0}"); - - var part914 = match("MESSAGE#543:00031:02/2", "nwparser.p0", "; receive traps %{p0}"); - - var part915 = 
match("MESSAGE#543:00031:02/4", "nwparser.p0", "; receive traffic alarms %{p0}"); - - var part916 = match("MESSAGE#543:00031:02/6", "nwparser.p0", "-have been modified%{}"); - - var all177 = all_match({ - processors: [ - part913, - dup379, - part914, - dup379, - part915, - dup379, - part916, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg552 = msg("00031:02", all177); - - var part917 = match("MESSAGE#544:00031:03/0", "nwparser.payload", "%{fld2->} SNMP host %{hostip->} has been %{p0}"); - - var select198 = linear_select([ - dup130, - dup129, - ]); - - var part918 = match("MESSAGE#544:00031:03/2", "nwparser.p0", "SNMP community %{fld3}"); - - var all178 = all_match({ - processors: [ - part917, - select198, - part918, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg553 = msg("00031:03", all178); - - var part919 = match("MESSAGE#545:00031:04/0", "nwparser.payload", "SNMP %{p0}"); - - var part920 = match("MESSAGE#545:00031:04/1_0", "nwparser.p0", "contact %{p0}"); - - var select199 = linear_select([ - part920, - dup226, - ]); - - var part921 = match("MESSAGE#545:00031:04/2", "nwparser.p0", "description has been modified%{}"); - - var all179 = all_match({ - processors: [ - part919, - select199, - part921, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg554 = msg("00031:04", all179); - - var part922 = match("MESSAGE#546:00031:11/0", "nwparser.payload", "SNMP system %{p0}"); - - var select200 = linear_select([ - dup226, - dup25, - ]); - - var part923 = match("MESSAGE#546:00031:11/2", "nwparser.p0", "has been changed to %{fld2}. 
(%{fld1})"); - - var all180 = all_match({ - processors: [ - part922, - select200, - part923, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg555 = msg("00031:11", all180); - - var part924 = match("MESSAGE#547:00031:08/0", "nwparser.payload", "%{fld2}: SNMP community name \"%{fld3}\" %{p0}"); - - var part925 = match("MESSAGE#547:00031:08/1_0", "nwparser.p0", "attributes -- %{p0}"); - - var part926 = match("MESSAGE#547:00031:08/1_1", "nwparser.p0", "-- %{p0}"); - - var select201 = linear_select([ - part925, - part926, - ]); - - var part927 = match("MESSAGE#547:00031:08/2", "nwparser.p0", "write access, %{p0}"); - - var part928 = match("MESSAGE#547:00031:08/4", "nwparser.p0", "; receive traps, %{p0}"); - - var part929 = match("MESSAGE#547:00031:08/6", "nwparser.p0", "; receive traffic alarms, %{p0}"); - - var part930 = match("MESSAGE#547:00031:08/8", "nwparser.p0", "-%{p0}"); - - var part931 = match("MESSAGE#547:00031:08/9_0", "nwparser.p0", "- %{p0}"); - - var select202 = linear_select([ - part931, - dup96, - ]); - - var part932 = match("MESSAGE#547:00031:08/10", "nwparser.p0", "have been modified%{}"); - - var all181 = all_match({ - processors: [ - part924, - select201, - part927, - dup379, - part928, - dup379, - part929, - dup379, - part930, - select202, - part932, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg556 = msg("00031:08", all181); - - var part933 = match("MESSAGE#548:00031:05/0", "nwparser.payload", "Detect IP conflict (%{fld2}) on %{p0}"); - - var all182 = all_match({ - processors: [ - part933, - dup337, - dup227, - ], - on_success: processor_chain([ - dup121, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg557 = msg("00031:05", all182); - - var part934 = match("MESSAGE#549:00031:06/1_0", "nwparser.p0", "q, %{p0}"); - - var select203 = linear_select([ - part934, - dup229, - dup230, - ]); - - var part935 = 
match("MESSAGE#549:00031:06/2", "nwparser.p0", "detect IP conflict ( %{hostip->} )%{p0}"); - - var select204 = linear_select([ - dup105, - dup96, - ]); - - var part936 = match("MESSAGE#549:00031:06/4", "nwparser.p0", "mac%{p0}"); - - var part937 = match("MESSAGE#549:00031:06/6", "nwparser.p0", "%{macaddr->} on %{p0}"); - - var all183 = all_match({ - processors: [ - dup228, - select203, - part935, - select204, - part936, - dup356, - part937, - dup352, - dup23, - dup380, - ], - on_success: processor_chain([ - dup121, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg558 = msg("00031:06", all183); - - var part938 = match("MESSAGE#550:00031:07/2", "nwparser.p0", "detects a duplicate virtual security device group master IP address %{hostip}, MAC address %{macaddr->} on %{p0}"); - - var all184 = all_match({ - processors: [ - dup228, - dup381, - part938, - dup337, - dup227, - ], - on_success: processor_chain([ - dup121, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg559 = msg("00031:07", all184); - - var part939 = match("MESSAGE#551:00031:09/2", "nwparser.p0", "detected an IP conflict (IP %{hostip}, MAC %{macaddr}) on interface %{p0}"); - - var all185 = all_match({ - processors: [ - dup228, - dup381, - part939, - dup380, - ], - on_success: processor_chain([ - dup121, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg560 = msg("00031:09", all185); - - var part940 = match("MESSAGE#552:00031:10", "nwparser.payload", "%{fld2}: SNMP community \"%{fld3}\" has been moved. (%{fld1})", processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg561 = msg("00031:10", part940); - - var part941 = match("MESSAGE#553:00031:12", "nwparser.payload", "%{fld2->} system contact has been changed to %{fld3}. 
(%{fld1})", processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg562 = msg("00031:12", part941); - - var select205 = linear_select([ - msg549, - msg550, - msg551, - msg552, - msg553, - msg554, - msg555, - msg556, - msg557, - msg558, - msg559, - msg560, - msg561, - msg562, - ]); - - var part942 = match("MESSAGE#554:00032", "nwparser.payload", "%{signame->} has been detected and blocked! From %{saddr}:%{sport->} to %{daddr}:%{dport->} using protocol %{protocol->} on interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([ - dup232, - dup2, - dup3, - dup59, - dup4, - dup5, - dup61, - ])); - - var msg563 = msg("00032", part942); - - var part943 = match("MESSAGE#555:00032:01", "nwparser.payload", "%{signame->} has been detected and blocked! From %{saddr}:%{sport->} to %{daddr}:%{dport->} using protocol %{protocol->} on interface %{interface}", processor_chain([ - dup232, - dup2, - dup3, - dup4, - dup5, - dup61, - ])); - - var msg564 = msg("00032:01", part943); - - var part944 = match("MESSAGE#556:00032:03/0", "nwparser.payload", "Vsys %{fld2->} has been %{p0}"); - - var part945 = match("MESSAGE#556:00032:03/1_0", "nwparser.p0", "changed to %{fld3}"); - - var part946 = match("MESSAGE#556:00032:03/1_1", "nwparser.p0", "created%{}"); - - var part947 = match("MESSAGE#556:00032:03/1_2", "nwparser.p0", "deleted%{}"); - - var part948 = match("MESSAGE#556:00032:03/1_3", "nwparser.p0", "removed%{}"); - - var select206 = linear_select([ - part945, - part946, - part947, - part948, - ]); - - var all186 = all_match({ - processors: [ - part944, - select206, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg565 = msg("00032:03", all186); - - var part949 = match("MESSAGE#557:00032:04", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to %{daddr}:%{dport->} using protocol %{protocol->} on interface %{interface}.%{space}The attack occurred 
%{dclass_counter1->} times", processor_chain([ - dup232, - dup2, - dup3, - dup4, - dup59, - dup5, - dup61, - ])); - - var msg566 = msg("00032:04", part949); - - var part950 = match("MESSAGE#558:00032:05", "nwparser.payload", "%{change_attribute->} for vsys %{fld2->} has been changed from %{change_old->} to %{change_new}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg567 = msg("00032:05", part950); - - var msg568 = msg("00032:02", dup375); - - var select207 = linear_select([ - msg563, - msg564, - msg565, - msg566, - msg567, - msg568, - ]); - - var part951 = match("MESSAGE#560:00033:25", "nwparser.payload", "NSM has been %{disposition}. (%{fld1})", processor_chain([ - dup44, - dup2, - dup3, - dup9, - dup4, - dup5, - setc("agent","NSM"), - ])); - - var msg569 = msg("00033:25", part951); - - var part952 = match("MESSAGE#561:00033/1", "nwparser.p0", "timeout value has been %{p0}"); - - var part953 = match("MESSAGE#561:00033/2_1", "nwparser.p0", "returned%{p0}"); - - var select208 = linear_select([ - dup52, - part953, - ]); - - var part954 = match("MESSAGE#561:00033/3", "nwparser.p0", "%{}to %{fld2}"); - - var all187 = all_match({ - processors: [ - dup382, - part952, - select208, - part954, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg570 = msg("00033", all187); - - var part955 = match("MESSAGE#562:00033:03/1_0", "nwparser.p0", "Global PRO %{p0}"); - - var part956 = match("MESSAGE#562:00033:03/1_1", "nwparser.p0", "%{fld3->} %{p0}"); - - var select209 = linear_select([ - part955, - part956, - ]); - - var part957 = match("MESSAGE#562:00033:03/4", "nwparser.p0", "host has been set to %{fld4}"); - - var all188 = all_match({ - processors: [ - dup160, - select209, - dup23, - dup369, - part957, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg571 = msg("00033:03", all188); - - var part958 = match("MESSAGE#563:00033:02/3", "nwparser.p0", "host 
has been %{disposition}"); - - var all189 = all_match({ - processors: [ - dup382, - dup23, - dup369, - part958, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg572 = msg("00033:02", all189); - - var part959 = match("MESSAGE#564:00033:04", "nwparser.payload", "Reporting of %{fld2->} to %{fld3->} has been %{disposition}.", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg573 = msg("00033:04", part959); - - var part960 = match("MESSAGE#565:00033:05", "nwparser.payload", "Global PRO has been %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg574 = msg("00033:05", part960); - - var part961 = match("MESSAGE#566:00033:06", "nwparser.payload", "%{signame}! From %{saddr}:%{sport->} to %{daddr}:%{dport->} using protocol %{protocol->} and arriving at interface %{interface}. The attack occurred %{dclass_counter1->} times", processor_chain([ - dup27, - dup2, - dup3, - dup59, - dup4, - dup5, - dup61, - ])); - - var msg575 = msg("00033:06", part961); - - var part962 = match("MESSAGE#567:00033:01", "nwparser.payload", "%{signame}! From %{saddr}:%{sport->} to %{daddr}:%{dport->} using protocol %{protocol->} and arriving at interface %{interface}. 
The threshold was exceeded %{dclass_counter1->} times", processor_chain([ - dup27, - dup2, - dup3, - setc("dclass_counter1_string","Number of times the threshold was exceeded"), - dup4, - dup5, - dup61, - ])); - - var msg576 = msg("00033:01", part962); - - var part963 = match("MESSAGE#568:00033:07", "nwparser.payload", "User-defined service %{service->} has been %{disposition->} from %{fld2->} distribution", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg577 = msg("00033:07", part963); - - var part964 = match("MESSAGE#569:00033:08/2", "nwparser.p0", "?s CA certificate field has not been specified.%{}"); - - var all190 = all_match({ - processors: [ - dup235, - dup383, - part964, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg578 = msg("00033:08", all190); - - var part965 = match("MESSAGE#570:00033:09/2", "nwparser.p0", "?s Cert-Subject field has not been specified.%{}"); - - var all191 = all_match({ - processors: [ - dup235, - dup383, - part965, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg579 = msg("00033:09", all191); - - var part966 = match("MESSAGE#571:00033:10/2", "nwparser.p0", "?s host field has been %{p0}"); - - var part967 = match("MESSAGE#571:00033:10/3_0", "nwparser.p0", "set to %{fld2->} %{p0}"); - - var select210 = linear_select([ - part967, - dup238, - ]); - - var all192 = all_match({ - processors: [ - dup235, - dup383, - part966, - select210, - dup116, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg580 = msg("00033:10", all192); - - var part968 = match("MESSAGE#572:00033:11/2", "nwparser.p0", "?s outgoing interface used to report NACN to Policy Manager %{p0}"); - - var part969 = match("MESSAGE#572:00033:11/4", "nwparser.p0", "has not been specified.%{}"); - - var all193 = all_match({ - processors: [ - dup235, - dup383, - part968, - dup383, - part969, - ], - 
on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg581 = msg("00033:11", all193); - - var part970 = match("MESSAGE#573:00033:12/2", "nwparser.p0", "?s password field has been %{p0}"); - - var select211 = linear_select([ - dup101, - dup238, - ]); - - var all194 = all_match({ - processors: [ - dup235, - dup383, - part970, - select211, - dup116, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg582 = msg("00033:12", all194); - - var part971 = match("MESSAGE#574:00033:13/2", "nwparser.p0", "?s policy-domain field has been %{p0}"); - - var part972 = match("MESSAGE#574:00033:13/3_0", "nwparser.p0", "unset .%{}"); - - var part973 = match("MESSAGE#574:00033:13/3_1", "nwparser.p0", "set to %{domain}."); - - var select212 = linear_select([ - part972, - part973, - ]); - - var all195 = all_match({ - processors: [ - dup235, - dup383, - part971, - select212, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg583 = msg("00033:13", all195); - - var part974 = match("MESSAGE#575:00033:14/2", "nwparser.p0", "?s CA certificate field has been set to %{fld2}."); - - var all196 = all_match({ - processors: [ - dup235, - dup383, - part974, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg584 = msg("00033:14", all196); - - var part975 = match("MESSAGE#576:00033:15/2", "nwparser.p0", "?s Cert-Subject field has been set to %{fld2}."); - - var all197 = all_match({ - processors: [ - dup235, - dup383, - part975, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg585 = msg("00033:15", all197); - - var part976 = match("MESSAGE#577:00033:16/2", "nwparser.p0", "?s outgoing-interface field has been set to %{interface}."); - - var all198 = all_match({ - processors: [ - dup235, - dup383, - part976, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, 
- dup5, - ]), - }); - - var msg586 = msg("00033:16", all198); - - var part977 = match("MESSAGE#578:00033:17/2", "nwparser.p0", "?s port field has been %{p0}"); - - var part978 = match("MESSAGE#578:00033:17/3_0", "nwparser.p0", "set to %{network_port->} %{p0}"); - - var part979 = match("MESSAGE#578:00033:17/3_1", "nwparser.p0", "reset to the default value %{p0}"); - - var select213 = linear_select([ - part978, - part979, - ]); - - var all199 = all_match({ - processors: [ - dup235, - dup383, - part977, - select213, - dup116, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg587 = msg("00033:17", all199); - - var part980 = match("MESSAGE#579:00033:19/0", "nwparser.payload", "%{signame}! From %{saddr}:%{sport->} to %{daddr}:%{p0}"); - - var part981 = match("MESSAGE#579:00033:19/4", "nwparser.p0", "%{fld99}arriving at interface %{dinterface->} in zone %{dst_zone}.%{space}The attack occurred %{dclass_counter1->} time."); - - var all200 = all_match({ - processors: [ - part980, - dup339, - dup70, - dup340, - part981, - ], - on_success: processor_chain([ - dup27, - dup2, - dup4, - dup5, - dup3, - dup59, - dup61, - ]), - }); - - var msg588 = msg("00033:19", all200); - - var part982 = match("MESSAGE#580:00033:20", "nwparser.payload", "%{signame}! From %{saddr->} to %{daddr}, using protocol %{protocol}, and arriving at interface %{dinterface->} in zone %{dst_zone}.%{space}The attack occurred %{dclass_counter1->} time.", processor_chain([ - dup27, - dup2, - dup4, - dup5, - dup3, - dup59, - dup60, - ])); - - var msg589 = msg("00033:20", part982); - - var all201 = all_match({ - processors: [ - dup239, - dup343, - dup83, - ], - on_success: processor_chain([ - dup27, - dup2, - dup9, - dup59, - dup3, - dup4, - dup5, - dup61, - ]), - }); - - var msg590 = msg("00033:21", all201); - - var part983 = match("MESSAGE#582:00033:22/0", "nwparser.payload", "%{signame}! 
From %{saddr->} to %{daddr}, proto %{protocol->} (zone %{zone->} %{p0}"); - - var all202 = all_match({ - processors: [ - part983, - dup343, - dup83, - ], - on_success: processor_chain([ - dup27, - dup2, - dup9, - dup59, - dup3, - dup4, - dup5, - dup60, - ]), - }); - - var msg591 = msg("00033:22", all202); - - var part984 = match("MESSAGE#583:00033:23", "nwparser.payload", "NSM primary server with name %{hostname->} was set: addr %{hostip}, port %{network_port}. (%{fld1})", processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg592 = msg("00033:23", part984); - - var part985 = match("MESSAGE#584:00033:24", "nwparser.payload", "session threshold From %{saddr}:%{sport->} to %{daddr}:%{dport}, using protocol %{protocol}, on zone %{zone->} interface %{interface}.%{info}. (%{fld1})", processor_chain([ - setc("eventcategory","1001030500"), - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg593 = msg("00033:24", part985); - - var select214 = linear_select([ - msg569, - msg570, - msg571, - msg572, - msg573, - msg574, - msg575, - msg576, - msg577, - msg578, - msg579, - msg580, - msg581, - msg582, - msg583, - msg584, - msg585, - msg586, - msg587, - msg588, - msg589, - msg590, - msg591, - msg592, - msg593, - ]); - - var part986 = match("MESSAGE#585:00034/0_0", "nwparser.payload", "SCS: Failed %{p0}"); - - var part987 = match("MESSAGE#585:00034/0_1", "nwparser.payload", "Failed %{p0}"); - - var select215 = linear_select([ - part986, - part987, - ]); - - var part988 = match("MESSAGE#585:00034/2_0", "nwparser.p0", "bind %{p0}"); - - var part989 = match("MESSAGE#585:00034/2_2", "nwparser.p0", "retrieve %{p0}"); - - var select216 = linear_select([ - part988, - dup201, - part989, - ]); - - var select217 = linear_select([ - dup196, - dup103, - dup163, - ]); - - var part990 = match("MESSAGE#585:00034/5", "nwparser.p0", "SSH user %{username}. 
(Key ID=%{fld2})"); - - var all203 = all_match({ - processors: [ - select215, - dup103, - select216, - dup202, - select217, - part990, - ], - on_success: processor_chain([ - dup240, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg594 = msg("00034", all203); - - var part991 = match("MESSAGE#586:00034:01/0_0", "nwparser.payload", "SCS: Incompatible %{p0}"); - - var part992 = match("MESSAGE#586:00034:01/0_1", "nwparser.payload", "Incompatible %{p0}"); - - var select218 = linear_select([ - part991, - part992, - ]); - - var part993 = match("MESSAGE#586:00034:01/1", "nwparser.p0", "SSH version %{version->} has been received from %{p0}"); - - var part994 = match("MESSAGE#586:00034:01/2_0", "nwparser.p0", "the SSH %{p0}"); - - var select219 = linear_select([ - part994, - dup241, - ]); - - var part995 = match("MESSAGE#586:00034:01/3", "nwparser.p0", "client at %{saddr}:%{sport}"); - - var all204 = all_match({ - processors: [ - select218, - part993, - select219, - part995, - ], - on_success: processor_chain([ - dup240, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg595 = msg("00034:01", all204); - - var part996 = match("MESSAGE#587:00034:02", "nwparser.payload", "Maximum number of SCS sessions %{fld2->} has been reached. Connection request from SSH user %{username->} at %{saddr}:%{sport->} has been %{disposition}", processor_chain([ - dup240, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg596 = msg("00034:02", part996); - - var part997 = match("MESSAGE#588:00034:03/1", "nwparser.p0", "device failed to authenticate the SSH client at %{saddr}:%{sport}"); - - var all205 = all_match({ - processors: [ - dup384, - part997, - ], - on_success: processor_chain([ - dup240, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg597 = msg("00034:03", all205); - - var part998 = match("MESSAGE#589:00034:04", "nwparser.payload", "SCS: NetScreen device failed to generate a PKA RSA challenge for SSH user %{username->} at %{saddr}:%{sport}. 
(Key ID=%{fld2})", processor_chain([ - dup240, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg598 = msg("00034:04", part998); - - var part999 = match("MESSAGE#590:00034:05", "nwparser.payload", "NetScreen device failed to generate a PKA RSA challenge for SSH user %{username}. (Key ID=%{fld2})", processor_chain([ - dup240, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg599 = msg("00034:05", part999); - - var part1000 = match("MESSAGE#591:00034:06/1", "nwparser.p0", "device failed to %{p0}"); - - var part1001 = match("MESSAGE#591:00034:06/2_0", "nwparser.p0", "identify itself %{p0}"); - - var part1002 = match("MESSAGE#591:00034:06/2_1", "nwparser.p0", "send the identification string %{p0}"); - - var select220 = linear_select([ - part1001, - part1002, - ]); - - var part1003 = match("MESSAGE#591:00034:06/3", "nwparser.p0", "to the SSH client at %{saddr}:%{sport}"); - - var all206 = all_match({ - processors: [ - dup384, - part1000, - select220, - part1003, - ], - on_success: processor_chain([ - dup240, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg600 = msg("00034:06", all206); - - var part1004 = match("MESSAGE#592:00034:07", "nwparser.payload", "SCS connection has been terminated for admin user %{username->} at %{saddr}:%{sport}", processor_chain([ - dup240, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg601 = msg("00034:07", part1004); - - var part1005 = match("MESSAGE#593:00034:08", "nwparser.payload", "SCS: SCS has been %{disposition->} for %{username->} with %{fld2->} existing PKA keys already bound to %{fld3->} SSH users.", processor_chain([ - dup240, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg602 = msg("00034:08", part1005); - - var part1006 = match("MESSAGE#594:00034:09", "nwparser.payload", "SCS has been %{disposition->} for %{username->} with %{fld2->} PKA keys already bound to %{fld3->} SSH users", processor_chain([ - dup240, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg603 = msg("00034:09", part1006); - - var part1007 = 
match("MESSAGE#595:00034:10/2", "nwparser.p0", "%{}client at %{saddr->} has attempted to make an SCS connection to %{p0}"); - - var part1008 = match("MESSAGE#595:00034:10/4", "nwparser.p0", "%{interface->} %{p0}"); - - var part1009 = match("MESSAGE#595:00034:10/5_0", "nwparser.p0", "with%{p0}"); - - var part1010 = match("MESSAGE#595:00034:10/5_1", "nwparser.p0", "at%{p0}"); - - var select221 = linear_select([ - part1009, - part1010, - ]); - - var part1011 = match("MESSAGE#595:00034:10/6", "nwparser.p0", "%{}IP %{hostip->} but %{disposition->} because %{result}"); - - var all207 = all_match({ - processors: [ - dup244, - dup385, - part1007, - dup352, - part1008, - select221, - part1011, - ], - on_success: processor_chain([ - dup240, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg604 = msg("00034:10", all207); - - var part1012 = match("MESSAGE#596:00034:12/2", "nwparser.p0", "%{}client at %{saddr}:%{sport->} has attempted to make an SCS connection to %{p0}"); - - var part1013 = match("MESSAGE#596:00034:12/4", "nwparser.p0", "but %{disposition->} because %{result}"); - - var all208 = all_match({ - processors: [ - dup244, - dup385, - part1012, - dup386, - part1013, - ], - on_success: processor_chain([ - dup240, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg605 = msg("00034:12", all208); - - var part1014 = match("MESSAGE#597:00034:11/2", "nwparser.p0", "%{}client at %{saddr}:%{sport->} has %{disposition->} to make an SCS connection to %{p0}"); - - var part1015 = match("MESSAGE#597:00034:11/4", "nwparser.p0", "because %{result}"); - - var all209 = all_match({ - processors: [ - dup244, - dup385, - part1014, - dup386, - part1015, - ], - on_success: processor_chain([ - dup240, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg606 = msg("00034:11", all209); - - var part1016 = match("MESSAGE#598:00034:15", "nwparser.payload", "SSH client at %{saddr}:%{sport->} has %{disposition->} to make an SCS connection because %{result}", processor_chain([ - dup240, - 
dup2, - dup3, - dup4, - dup5, - ])); - - var msg607 = msg("00034:15", part1016); - - var part1017 = match("MESSAGE#599:00034:18/2", "nwparser.p0", "user %{username->} at %{saddr}:%{sport->} cannot log in via SCS to %{service->} using the shared %{interface->} interface because %{result}"); - - var all210 = all_match({ - processors: [ - dup244, - dup387, - part1017, - ], - on_success: processor_chain([ - dup240, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg608 = msg("00034:18", all210); - - var part1018 = match("MESSAGE#600:00034:20/2", "nwparser.p0", "user %{username->} at %{saddr}:%{sport->} has %{disposition->} the PKA RSA challenge"); - - var all211 = all_match({ - processors: [ - dup244, - dup387, - part1018, - ], - on_success: processor_chain([ - dup240, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg609 = msg("00034:20", all211); - - var part1019 = match("MESSAGE#601:00034:21/2", "nwparser.p0", "user %{username->} at %{saddr}:%{sport->} has requested %{p0}"); - - var part1020 = match("MESSAGE#601:00034:21/4", "nwparser.p0", "authentication which is not %{p0}"); - - var part1021 = match("MESSAGE#601:00034:21/5_0", "nwparser.p0", "supported %{p0}"); - - var select222 = linear_select([ - part1021, - dup156, - ]); - - var part1022 = match("MESSAGE#601:00034:21/6", "nwparser.p0", "for that %{p0}"); - - var part1023 = match("MESSAGE#601:00034:21/7_0", "nwparser.p0", "client%{}"); - - var part1024 = match("MESSAGE#601:00034:21/7_1", "nwparser.p0", "user%{}"); - - var select223 = linear_select([ - part1023, - part1024, - ]); - - var all212 = all_match({ - processors: [ - dup244, - dup387, - part1019, - dup372, - part1020, - select222, - part1022, - select223, - ], - on_success: processor_chain([ - dup240, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg610 = msg("00034:21", all212); - - var part1025 = match("MESSAGE#602:00034:22", "nwparser.payload", "SSH user %{username->} at %{saddr}:%{sport->} has unsuccessfully attempted to log in via SCS 
to vsys %{fld2->} using the shared untrusted interface", processor_chain([ - dup240, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg611 = msg("00034:22", part1025); - - var part1026 = match("MESSAGE#603:00034:23/1_0", "nwparser.p0", "SCS: Unable %{p0}"); - - var part1027 = match("MESSAGE#603:00034:23/1_1", "nwparser.p0", "Unable %{p0}"); - - var select224 = linear_select([ - part1026, - part1027, - ]); - - var part1028 = match("MESSAGE#603:00034:23/2", "nwparser.p0", "to validate cookie from the SSH client at %{saddr}:%{sport}"); - - var all213 = all_match({ - processors: [ - dup160, - select224, - part1028, - ], - on_success: processor_chain([ - dup240, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg612 = msg("00034:23", all213); - - var part1029 = match("MESSAGE#604:00034:24", "nwparser.payload", "AC %{username->} is advertising URL %{fld2}", processor_chain([ - dup240, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg613 = msg("00034:24", part1029); - - var part1030 = match("MESSAGE#605:00034:25", "nwparser.payload", "Message from AC %{username}: %{fld2}", processor_chain([ - dup240, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg614 = msg("00034:25", part1030); - - var part1031 = match("MESSAGE#606:00034:26", "nwparser.payload", "PPPoE Settings changed%{}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg615 = msg("00034:26", part1031); - - var part1032 = match("MESSAGE#607:00034:27", "nwparser.payload", "PPPoE is %{disposition->} on %{interface->} interface", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg616 = msg("00034:27", part1032); - - var part1033 = match("MESSAGE#608:00034:28", "nwparser.payload", "PPPoE%{quote}s session closed by AC", processor_chain([ - dup209, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg617 = msg("00034:28", part1033); - - var part1034 = match("MESSAGE#609:00034:29", "nwparser.payload", "SCS: Disabled for %{username}. 
Attempted connection %{disposition->} from %{saddr}:%{sport}", processor_chain([ - dup240, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg618 = msg("00034:29", part1034); - - var part1035 = match("MESSAGE#610:00034:30", "nwparser.payload", "SCS: %{disposition->} to remove PKA key removed.", processor_chain([ - dup240, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg619 = msg("00034:30", part1035); - - var part1036 = match("MESSAGE#611:00034:31", "nwparser.payload", "SCS: %{disposition->} to retrieve host key", processor_chain([ - dup240, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg620 = msg("00034:31", part1036); - - var part1037 = match("MESSAGE#612:00034:32", "nwparser.payload", "SCS: %{disposition->} to send identification string to client host at %{saddr}:%{sport}.", processor_chain([ - dup240, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg621 = msg("00034:32", part1037); - - var part1038 = match("MESSAGE#613:00034:33", "nwparser.payload", "SCS: Max %{fld2->} sessions reached unabel to accept connection : %{saddr}:%{sport}", processor_chain([ - dup240, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg622 = msg("00034:33", part1038); - - var part1039 = match("MESSAGE#614:00034:34", "nwparser.payload", "SCS: Maximum number for SCS sessions %{fld2->} has been reached. 
Connection request from SSH user at %{saddr}:%{sport->} has been %{disposition}.", processor_chain([ - dup240, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg623 = msg("00034:34", part1039); - - var part1040 = match("MESSAGE#615:00034:35", "nwparser.payload", "SCS: SSH user %{username->} at %{saddr}:%{sport->} has unsuccessfully attempted to log in via SCS to %{service->} using the shared untrusted interface because SCS is disabled on that interface.", processor_chain([ - dup240, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg624 = msg("00034:35", part1040); - - var part1041 = match("MESSAGE#616:00034:36", "nwparser.payload", "SCS: Unsupported cipher type %{fld2->} requested from: %{saddr}:%{sport}", processor_chain([ - dup240, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg625 = msg("00034:36", part1041); - - var part1042 = match("MESSAGE#617:00034:37", "nwparser.payload", "The Point-to-Point Protocol over Ethernet (PPPoE) protocol settings changed%{}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg626 = msg("00034:37", part1042); - - var part1043 = match("MESSAGE#618:00034:38", "nwparser.payload", "SSH: %{disposition->} to retreive PKA key bound to SSH user %{username->} (Key ID %{fld2})", processor_chain([ - dup240, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg627 = msg("00034:38", part1043); - - var part1044 = match("MESSAGE#619:00034:39", "nwparser.payload", "SSH: Error processing packet from host %{saddr->} (Code %{fld2})", processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg628 = msg("00034:39", part1044); - - var part1045 = match("MESSAGE#620:00034:40", "nwparser.payload", "SSH: Device failed to send initialization string to client at %{saddr}", processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg629 = msg("00034:40", part1045); - - var part1046 = match("MESSAGE#621:00034:41/0", "nwparser.payload", "SCP: Admin user '%{administrator}' attempted to transfer file 
%{p0}"); - - var part1047 = match("MESSAGE#621:00034:41/2", "nwparser.p0", "the device with insufficient privilege.%{}"); - - var all214 = all_match({ - processors: [ - part1046, - dup373, - part1047, - ], - on_success: processor_chain([ - dup240, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg630 = msg("00034:41", all214); - - var part1048 = match("MESSAGE#622:00034:42", "nwparser.payload", "SSH: Maximum number of SSH sessions (%{fld2}) exceeded. Connection request from SSH user %{username->} at %{saddr->} denied.", processor_chain([ - dup240, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg631 = msg("00034:42", part1048); - - var part1049 = match("MESSAGE#623:00034:43", "nwparser.payload", "Ethernet driver ran out of rx bd (port %{network_port})", processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg632 = msg("00034:43", part1049); - - var part1050 = match("MESSAGE#1224:00034:44", "nwparser.payload", "Potential replay attack detected on SSH connection initiated from %{saddr}:%{sport->} (%{fld1})", processor_chain([ - dup44, - dup2, - dup4, - dup5, - dup9, - ])); - - var msg633 = msg("00034:44", part1050); - - var select225 = linear_select([ - msg594, - msg595, - msg596, - msg597, - msg598, - msg599, - msg600, - msg601, - msg602, - msg603, - msg604, - msg605, - msg606, - msg607, - msg608, - msg609, - msg610, - msg611, - msg612, - msg613, - msg614, - msg615, - msg616, - msg617, - msg618, - msg619, - msg620, - msg621, - msg622, - msg623, - msg624, - msg625, - msg626, - msg627, - msg628, - msg629, - msg630, - msg631, - msg632, - msg633, - ]); - - var part1051 = match("MESSAGE#624:00035", "nwparser.payload", "PKI Verify Error: %{resultcode}:%{result}", processor_chain([ - dup117, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg634 = msg("00035", part1051); - - var part1052 = match("MESSAGE#625:00035:01", "nwparser.payload", "SSL - Error MessageID in incoming mail - %{fld2}", processor_chain([ - dup117, - dup2, - dup3, - dup4, - 
dup5, - ])); - - var msg635 = msg("00035:01", part1052); - - var part1053 = match("MESSAGE#626:00035:02", "nwparser.payload", "SSL - cipher type %{fld2->} is not allowed in export or firewall only system", processor_chain([ - dup117, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg636 = msg("00035:02", part1053); - - var part1054 = match("MESSAGE#627:00035:03", "nwparser.payload", "SSL CA changed%{}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg637 = msg("00035:03", part1054); - - var part1055 = match("MESSAGE#628:00035:04/0", "nwparser.payload", "SSL Error when retrieve local c%{p0}"); - - var part1056 = match("MESSAGE#628:00035:04/1_0", "nwparser.p0", "a(verify) %{p0}"); - - var part1057 = match("MESSAGE#628:00035:04/1_1", "nwparser.p0", "ert(verify) %{p0}"); - - var part1058 = match("MESSAGE#628:00035:04/1_2", "nwparser.p0", "ert(all) %{p0}"); - - var select226 = linear_select([ - part1056, - part1057, - part1058, - ]); - - var part1059 = match("MESSAGE#628:00035:04/2", "nwparser.p0", ": %{fld2}"); - - var all215 = all_match({ - processors: [ - part1055, - select226, - part1059, - ], - on_success: processor_chain([ - dup117, - dup2, - dup4, - dup5, - dup3, - ]), - }); - - var msg638 = msg("00035:04", all215); - - var part1060 = match("MESSAGE#629:00035:05", "nwparser.payload", "SSL No ssl context. 
Not ready for connections.%{}", processor_chain([ - dup117, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg639 = msg("00035:05", part1060); - - var part1061 = match("MESSAGE#630:00035:06/0", "nwparser.payload", "SSL c%{p0}"); - - var part1062 = match("MESSAGE#630:00035:06/2", "nwparser.p0", "changed to none%{}"); - - var all216 = all_match({ - processors: [ - part1061, - dup388, - part1062, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg640 = msg("00035:06", all216); - - var part1063 = match("MESSAGE#631:00035:07", "nwparser.payload", "SSL cert subject mismatch: %{fld2->} recieved %{fld3->} is expected", processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg641 = msg("00035:07", part1063); - - var part1064 = match("MESSAGE#632:00035:08", "nwparser.payload", "SSL certificate changed%{}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg642 = msg("00035:08", part1064); - - var part1065 = match("MESSAGE#633:00035:09/1_0", "nwparser.p0", "enabled%{}"); - - var select227 = linear_select([ - part1065, - dup92, - ]); - - var all217 = all_match({ - processors: [ - dup253, - select227, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg643 = msg("00035:09", all217); - - var part1066 = match("MESSAGE#634:00035:10/0", "nwparser.payload", "SSL memory allocation fails in process_c%{p0}"); - - var part1067 = match("MESSAGE#634:00035:10/1_0", "nwparser.p0", "a()%{}"); - - var part1068 = match("MESSAGE#634:00035:10/1_1", "nwparser.p0", "ert()%{}"); - - var select228 = linear_select([ - part1067, - part1068, - ]); - - var all218 = all_match({ - processors: [ - part1066, - select228, - ], - on_success: processor_chain([ - dup184, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg644 = msg("00035:10", all218); - - var part1069 = match("MESSAGE#635:00035:11/0", "nwparser.payload", "SSL no ssl c%{p0}"); - - var part1070 = 
match("MESSAGE#635:00035:11/1_0", "nwparser.p0", "a%{}"); - - var part1071 = match("MESSAGE#635:00035:11/1_1", "nwparser.p0", "ert%{}"); - - var select229 = linear_select([ - part1070, - part1071, - ]); - - var all219 = all_match({ - processors: [ - part1069, - select229, - ], - on_success: processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg645 = msg("00035:11", all219); - - var part1072 = match("MESSAGE#636:00035:12/0", "nwparser.payload", "SSL set c%{p0}"); - - var part1073 = match("MESSAGE#636:00035:12/2", "nwparser.p0", "id is invalid %{fld2}"); - - var all220 = all_match({ - processors: [ - part1072, - dup388, - part1073, - ], - on_success: processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg646 = msg("00035:12", all220); - - var part1074 = match("MESSAGE#637:00035:13/1_1", "nwparser.p0", "verify %{p0}"); - - var select230 = linear_select([ - dup101, - part1074, - ]); - - var part1075 = match("MESSAGE#637:00035:13/2", "nwparser.p0", "cert failed. 
Key type is not RSA%{}"); - - var all221 = all_match({ - processors: [ - dup253, - select230, - part1075, - ], - on_success: processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg647 = msg("00035:13", all221); - - var part1076 = match("MESSAGE#638:00035:14", "nwparser.payload", "SSL ssl context init failed%{}", processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg648 = msg("00035:14", part1076); - - var part1077 = match("MESSAGE#639:00035:15/0", "nwparser.payload", "%{change_attribute->} has been changed %{p0}"); - - var part1078 = match("MESSAGE#639:00035:15/1_0", "nwparser.p0", "from %{change_old->} to %{change_new}"); - - var part1079 = match("MESSAGE#639:00035:15/1_1", "nwparser.p0", "to %{fld2}"); - - var select231 = linear_select([ - part1078, - part1079, - ]); - - var all222 = all_match({ - processors: [ - part1077, - select231, - ], - on_success: processor_chain([ - dup184, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg649 = msg("00035:15", all222); - - var part1080 = match("MESSAGE#640:00035:16", "nwparser.payload", "web SSL certificate changed to by %{username->} via web from host %{saddr->} to %{daddr}:%{dport->} %{fld5}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg650 = msg("00035:16", part1080); - - var select232 = linear_select([ - msg634, - msg635, - msg636, - msg637, - msg638, - msg639, - msg640, - msg641, - msg642, - msg643, - msg644, - msg645, - msg646, - msg647, - msg648, - msg649, - msg650, - ]); - - var part1081 = match("MESSAGE#641:00036", "nwparser.payload", "An optional ScreenOS feature has been activated via a software key%{}", processor_chain([ - dup209, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg651 = msg("00036", part1081); - - var part1082 = match("MESSAGE#642:00036:01/0", "nwparser.payload", "%{fld2->} license keys were updated successfully by %{p0}"); - - var part1083 = match("MESSAGE#642:00036:01/1_1", "nwparser.p0", "manual %{p0}"); 
- - var select233 = linear_select([ - dup214, - part1083, - ]); - - var part1084 = match("MESSAGE#642:00036:01/2", "nwparser.p0", "retrieval%{}"); - - var all223 = all_match({ - processors: [ - part1082, - select233, - part1084, - ], - on_success: processor_chain([ - dup254, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg652 = msg("00036:01", all223); - - var select234 = linear_select([ - msg651, - msg652, - ]); - - var part1085 = match("MESSAGE#643:00037/0", "nwparser.payload", "Intra-zone block for zone %{zone->} was set to o%{p0}"); - - var part1086 = match("MESSAGE#643:00037/1_0", "nwparser.p0", "n%{}"); - - var part1087 = match("MESSAGE#643:00037/1_1", "nwparser.p0", "ff%{}"); - - var select235 = linear_select([ - part1086, - part1087, - ]); - - var all224 = all_match({ - processors: [ - part1085, - select235, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg653 = msg("00037", all224); - - var part1088 = match("MESSAGE#644:00037:01/0", "nwparser.payload", "New zone %{zone->} ( %{p0}"); - - var select236 = linear_select([ - dup255, - dup256, - ]); - - var part1089 = match("MESSAGE#644:00037:01/2", "nwparser.p0", "%{fld2}) was created.%{p0}"); - - var all225 = all_match({ - processors: [ - part1088, - select236, - part1089, - dup351, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg654 = msg("00037:01", all225); - - var part1090 = match("MESSAGE#645:00037:02", "nwparser.payload", "Tunnel zone %{src_zone->} was bound to out zone %{dst_zone}.", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg655 = msg("00037:02", part1090); - - var part1091 = match("MESSAGE#646:00037:03/1_0", "nwparser.p0", "was was %{p0}"); - - var part1092 = match("MESSAGE#646:00037:03/1_1", "nwparser.p0", "%{zone->} was %{p0}"); - - var select237 = linear_select([ - part1091, - part1092, - ]); - - var part1093 = match("MESSAGE#646:00037:03/3", 
"nwparser.p0", "virtual router %{p0}"); - - var part1094 = match("MESSAGE#646:00037:03/4_0", "nwparser.p0", "%{node->} (%{fld1})"); - - var part1095 = match("MESSAGE#646:00037:03/4_1", "nwparser.p0", "%{node}."); - - var select238 = linear_select([ - part1094, - part1095, - ]); - - var all226 = all_match({ - processors: [ - dup113, - select237, - dup371, - part1093, - select238, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg656 = msg("00037:03", all226); - - var part1096 = match("MESSAGE#647:00037:04", "nwparser.payload", "Zone %{zone->} was changed to non-shared.", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg657 = msg("00037:04", part1096); - - var part1097 = match("MESSAGE#648:00037:05/0", "nwparser.payload", "Zone %{zone->} ( %{p0}"); - - var select239 = linear_select([ - dup256, - dup255, - ]); - - var part1098 = match("MESSAGE#648:00037:05/2", "nwparser.p0", "%{fld2}) was deleted. %{p0}"); - - var part1099 = match_copy("MESSAGE#648:00037:05/3_1", "nwparser.p0", "space"); - - var select240 = linear_select([ - dup10, - part1099, - ]); - - var all227 = all_match({ - processors: [ - part1097, - select239, - part1098, - select240, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg658 = msg("00037:05", all227); - - var part1100 = match("MESSAGE#649:00037:06", "nwparser.payload", "IP/TCP reassembly for ALG was %{disposition->} on zone %{zone}.", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg659 = msg("00037:06", part1100); - - var select241 = linear_select([ - msg653, - msg654, - msg655, - msg656, - msg657, - msg658, - msg659, - ]); - - var part1101 = match("MESSAGE#650:00038/0", "nwparser.payload", "OSPF routing instance in vrouter %{p0}"); - - var part1102 = match("MESSAGE#650:00038/1_0", "nwparser.p0", "%{node->} is %{p0}"); - - var part1103 = match("MESSAGE#650:00038/1_1", 
"nwparser.p0", "%{node->} %{p0}"); - - var select242 = linear_select([ - part1102, - part1103, - ]); - - var all228 = all_match({ - processors: [ - part1101, - select242, - dup36, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg660 = msg("00038", all228); - - var part1104 = match("MESSAGE#651:00039", "nwparser.payload", "BGP instance name created for vr %{node}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg661 = msg("00039", part1104); - - var part1105 = match("MESSAGE#652:00040/0_0", "nwparser.payload", "Low watermark%{p0}"); - - var part1106 = match("MESSAGE#652:00040/0_1", "nwparser.payload", "High watermark%{p0}"); - - var select243 = linear_select([ - part1105, - part1106, - ]); - - var part1107 = match("MESSAGE#652:00040/1", "nwparser.p0", "%{}for early aging has been changed to the default %{fld2}"); - - var all229 = all_match({ - processors: [ - select243, - part1107, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg662 = msg("00040", all229); - - var part1108 = match("MESSAGE#653:00040:01", "nwparser.payload", "VPN '%{group}' from %{daddr->} is %{disposition->} (%{fld1})", processor_chain([ - dup44, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg663 = msg("00040:01", part1108); - - var select244 = linear_select([ - msg662, - msg663, - ]); - - var part1109 = match("MESSAGE#654:00041", "nwparser.payload", "A route-map name in virtual router %{node->} has been removed", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg664 = msg("00041", part1109); - - var part1110 = match("MESSAGE#655:00041:01", "nwparser.payload", "VPN '%{group}' from %{daddr->} is %{disposition->} (%{fld1})", processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg665 = msg("00041:01", part1110); - - var select245 = linear_select([ - msg664, - msg665, - ]); - - var part1111 = 
match("MESSAGE#656:00042", "nwparser.payload", "Replay packet detected on IPSec tunnel on %{interface->} with tunnel ID %{fld2}! From %{saddr->} to %{daddr}/%{dport}, %{info->} (%{fld1})", processor_chain([ - dup58, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg666 = msg("00042", part1111); - - var part1112 = match("MESSAGE#657:00042:01", "nwparser.payload", "%{signame->} From %{saddr->} to %{daddr}, using protocol %{protocol}, and arriving at interface %{dinterface->} in zone %{dst_zone}.The attack occurred %{dclass_counter1->} times. (%{fld1})", processor_chain([ - dup58, - dup2, - dup3, - dup59, - dup9, - dup4, - dup5, - dup60, - ])); - - var msg667 = msg("00042:01", part1112); - - var select246 = linear_select([ - msg666, - msg667, - ]); - - var part1113 = match("MESSAGE#658:00043", "nwparser.payload", "Receive StopCCN_msg, remove l2tp tunnel (%{fld2}-%{fld3}), Result code %{resultcode->} (%{result}). (%{fld1})", processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg668 = msg("00043", part1113); - - var part1114 = match("MESSAGE#659:00044/0", "nwparser.payload", "access list %{listnum->} sequence number %{fld3->} %{p0}"); - - var part1115 = match("MESSAGE#659:00044/1_1", "nwparser.p0", "deny %{p0}"); - - var select247 = linear_select([ - dup257, - part1115, - ]); - - var part1116 = match("MESSAGE#659:00044/2", "nwparser.p0", "ip %{hostip}/%{mask->} %{disposition->} in vrouter %{node}"); - - var all230 = all_match({ - processors: [ - part1114, - select247, - part1116, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg669 = msg("00044", all230); - - var part1117 = match("MESSAGE#660:00044:01", "nwparser.payload", "access list %{listnum->} %{disposition->} in vrouter %{node}.", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg670 = msg("00044:01", part1117); - - var select248 = linear_select([ - msg669, - msg670, - ]); - - var part1118 = 
match("MESSAGE#661:00045", "nwparser.payload", "RIP instance in virtual router %{node->} was %{disposition}.", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg671 = msg("00045", part1118); - - var part1119 = match("MESSAGE#662:00047/1_0", "nwparser.p0", "remove %{p0}"); - - var part1120 = match("MESSAGE#662:00047/1_1", "nwparser.p0", "add %{p0}"); - - var select249 = linear_select([ - part1119, - part1120, - ]); - - var part1121 = match("MESSAGE#662:00047/2", "nwparser.p0", "multicast policy from %{src_zone->} %{fld4->} to %{dst_zone->} %{fld3->} (%{fld1})"); - - var all231 = all_match({ - processors: [ - dup183, - select249, - part1121, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg672 = msg("00047", all231); - - var part1122 = match("MESSAGE#663:00048/0", "nwparser.payload", "Access list entry %{listnum->} with %{p0}"); - - var part1123 = match("MESSAGE#663:00048/1_0", "nwparser.p0", "a sequence %{p0}"); - - var part1124 = match("MESSAGE#663:00048/1_1", "nwparser.p0", "sequence %{p0}"); - - var select250 = linear_select([ - part1123, - part1124, - ]); - - var part1125 = match("MESSAGE#663:00048/2", "nwparser.p0", "number %{fld2->} %{p0}"); - - var part1126 = match("MESSAGE#663:00048/3_0", "nwparser.p0", "with an action of %{p0}"); - - var select251 = linear_select([ - part1126, - dup112, - ]); - - var part1127 = match("MESSAGE#663:00048/5_0", "nwparser.p0", "with an IP %{p0}"); - - var select252 = linear_select([ - part1127, - dup139, - ]); - - var part1128 = match("MESSAGE#663:00048/6", "nwparser.p0", "address %{p0}"); - - var part1129 = match("MESSAGE#663:00048/7_0", "nwparser.p0", "and subnetwork mask of %{p0}"); - - var select253 = linear_select([ - part1129, - dup16, - ]); - - var part1130 = match("MESSAGE#663:00048/8", "nwparser.p0", "%{} %{fld3}was %{p0}"); - - var part1131 = match("MESSAGE#663:00048/9_0", "nwparser.p0", "created on %{p0}"); - - var select254 = 
linear_select([ - part1131, - dup129, - ]); - - var part1132 = match("MESSAGE#663:00048/10", "nwparser.p0", "virtual router %{node->} (%{fld1})"); - - var all232 = all_match({ - processors: [ - part1122, - select250, - part1125, - select251, - dup257, - select252, - part1128, - select253, - part1130, - select254, - part1132, - ], - on_success: processor_chain([ - setc("eventcategory","1501000000"), - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg673 = msg("00048", all232); - - var part1133 = match("MESSAGE#664:00048:01/0", "nwparser.payload", "Route %{p0}"); - - var part1134 = match("MESSAGE#664:00048:01/1_0", "nwparser.p0", "map entry %{p0}"); - - var part1135 = match("MESSAGE#664:00048:01/1_1", "nwparser.p0", "entry %{p0}"); - - var select255 = linear_select([ - part1134, - part1135, - ]); - - var part1136 = match("MESSAGE#664:00048:01/2", "nwparser.p0", "with sequence number %{fld2->} in route map binck-ospf%{p0}"); - - var part1137 = match("MESSAGE#664:00048:01/3_0", "nwparser.p0", " in %{p0}"); - - var select256 = linear_select([ - part1137, - dup105, - ]); - - var part1138 = match("MESSAGE#664:00048:01/4", "nwparser.p0", "virtual router %{node->} was %{disposition->} (%{fld1})"); - - var all233 = all_match({ - processors: [ - part1133, - select255, - part1136, - select256, - part1138, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg674 = msg("00048:01", all233); - - var part1139 = match("MESSAGE#665:00048:02", "nwparser.payload", "%{space}set match interface %{interface->} (%{fld1})", processor_chain([ - dup209, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg675 = msg("00048:02", part1139); - - var select257 = linear_select([ - msg673, - msg674, - msg675, - ]); - - var part1140 = match("MESSAGE#666:00049", "nwparser.payload", "Route-lookup preference changed to %{fld8->} (%{fld2}) => %{fld3->} (%{fld4}) => %{fld5->} (%{fld6}) in virtual router (%{node})", processor_chain([ - 
dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg676 = msg("00049", part1140); - - var part1141 = match("MESSAGE#667:00049:01", "nwparser.payload", "SIBR routing %{disposition->} in virtual router %{node}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg677 = msg("00049:01", part1141); - - var part1142 = match("MESSAGE#668:00049:02", "nwparser.payload", "A virtual router with name %{node->} and ID %{fld2->} has been removed", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg678 = msg("00049:02", part1142); - - var part1143 = match("MESSAGE#669:00049:03", "nwparser.payload", "The router-id of virtual router \"%{node}\" used by OSPF, BGP routing instances id has been uninitialized. (%{fld1})", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg679 = msg("00049:03", part1143); - - var part1144 = match("MESSAGE#670:00049:04", "nwparser.payload", "The system default-route through virtual router \"%{node}\" has been added in virtual router \"%{fld4}\" (%{fld1})", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg680 = msg("00049:04", part1144); - - var part1145 = match("MESSAGE#671:00049:05", "nwparser.payload", "Subnetwork conflict checking for interfaces in virtual router (%{node}) has been enabled. 
(%{fld1})", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg681 = msg("00049:05", part1145); - - var select258 = linear_select([ - msg676, - msg677, - msg678, - msg679, - msg680, - msg681, - ]); - - var part1146 = match("MESSAGE#672:00050", "nwparser.payload", "Track IP enabled (%{fld1})", processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg682 = msg("00050", part1146); - - var part1147 = match("MESSAGE#673:00051", "nwparser.payload", "Session utilization has reached %{fld2}, which is %{fld3->} of the system capacity!", processor_chain([ - dup117, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg683 = msg("00051", part1147); - - var part1148 = match("MESSAGE#674:00052", "nwparser.payload", "AV: Suspicious client %{saddr}:%{sport}->%{daddr}:%{dport->} used %{fld2->} percent of AV resources, which exceeded the max of %{fld3->} percent.", processor_chain([ - dup117, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg684 = msg("00052", part1148); - - var part1149 = match("MESSAGE#675:00055/1_1", "nwparser.p0", "router %{p0}"); - - var select259 = linear_select([ - dup169, - part1149, - ]); - - var part1150 = match("MESSAGE#675:00055/2", "nwparser.p0", "instance was %{disposition->} on interface %{interface}."); - - var all234 = all_match({ - processors: [ - dup258, - select259, - part1150, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg685 = msg("00055", all234); - - var part1151 = match("MESSAGE#676:00055:01/1_0", "nwparser.p0", "proxy %{p0}"); - - var part1152 = match("MESSAGE#676:00055:01/1_1", "nwparser.p0", "function %{p0}"); - - var select260 = linear_select([ - part1151, - part1152, - ]); - - var part1153 = match("MESSAGE#676:00055:01/2", "nwparser.p0", "was %{disposition->} on interface %{interface}."); - - var all235 = all_match({ - processors: [ - dup258, - select260, - part1153, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, 
- dup5, - ]), - }); - - var msg686 = msg("00055:01", all235); - - var part1154 = match("MESSAGE#677:00055:02/2", "nwparser.p0", "same subnet check on interface %{interface}."); - - var all236 = all_match({ - processors: [ - dup259, - dup389, - part1154, - ], - on_success: processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg687 = msg("00055:02", all236); - - var part1155 = match("MESSAGE#678:00055:03/2", "nwparser.p0", "router alert IP option check on interface %{interface}."); - - var all237 = all_match({ - processors: [ - dup259, - dup389, - part1155, - ], - on_success: processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg688 = msg("00055:03", all237); - - var part1156 = match("MESSAGE#679:00055:04", "nwparser.payload", "IGMP version was changed to %{version->} on interface %{interface}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg689 = msg("00055:04", part1156); - - var part1157 = match("MESSAGE#680:00055:05/0", "nwparser.payload", "IGMP query %{p0}"); - - var part1158 = match("MESSAGE#680:00055:05/1_1", "nwparser.p0", "max response time %{p0}"); - - var select261 = linear_select([ - dup110, - part1158, - ]); - - var part1159 = match("MESSAGE#680:00055:05/2", "nwparser.p0", "was changed to %{fld2->} on interface %{interface}"); - - var all238 = all_match({ - processors: [ - part1157, - select261, - part1159, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg690 = msg("00055:05", all238); - - var part1160 = match("MESSAGE#681:00055:06/0", "nwparser.payload", "IGMP l%{p0}"); - - var part1161 = match("MESSAGE#681:00055:06/1_0", "nwparser.p0", "eave %{p0}"); - - var part1162 = match("MESSAGE#681:00055:06/1_1", "nwparser.p0", "ast member query %{p0}"); - - var select262 = linear_select([ - part1161, - part1162, - ]); - - var part1163 = match("MESSAGE#681:00055:06/2", "nwparser.p0", "interval was changed to %{fld2->} on interface 
%{interface}."); - - var all239 = all_match({ - processors: [ - part1160, - select262, - part1163, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg691 = msg("00055:06", all239); - - var part1164 = match("MESSAGE#682:00055:07/1_0", "nwparser.p0", "routers %{p0}"); - - var part1165 = match("MESSAGE#682:00055:07/1_1", "nwparser.p0", "hosts %{p0}"); - - var part1166 = match("MESSAGE#682:00055:07/1_2", "nwparser.p0", "groups %{p0}"); - - var select263 = linear_select([ - part1164, - part1165, - part1166, - ]); - - var part1167 = match("MESSAGE#682:00055:07/2", "nwparser.p0", "accept list ID was changed to %{fld2->} on interface %{interface}."); - - var all240 = all_match({ - processors: [ - dup258, - select263, - part1167, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg692 = msg("00055:07", all240); - - var part1168 = match("MESSAGE#683:00055:08/1_0", "nwparser.p0", "all groups %{p0}"); - - var part1169 = match("MESSAGE#683:00055:08/1_1", "nwparser.p0", "group %{p0}"); - - var select264 = linear_select([ - part1168, - part1169, - ]); - - var part1170 = match("MESSAGE#683:00055:08/2", "nwparser.p0", "%{group->} static flag was %{disposition->} on interface %{interface}."); - - var all241 = all_match({ - processors: [ - dup258, - select264, - part1170, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg693 = msg("00055:08", all241); - - var part1171 = match("MESSAGE#684:00055:09", "nwparser.payload", "IGMP static group %{group->} was added on interface %{interface}", processor_chain([ - dup209, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg694 = msg("00055:09", part1171); - - var part1172 = match("MESSAGE#685:00055:10", "nwparser.payload", "IGMP proxy always is %{disposition->} on interface %{interface}.", processor_chain([ - dup209, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg695 = msg("00055:10", part1172); - 
- var select265 = linear_select([ - msg685, - msg686, - msg687, - msg688, - msg689, - msg690, - msg691, - msg692, - msg693, - msg694, - msg695, - ]); - - var part1173 = match("MESSAGE#686:00056", "nwparser.payload", "Remove multicast policy from %{src_zone->} %{saddr->} to %{dst_zone->} %{daddr}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg696 = msg("00056", part1173); - - var part1174 = match("MESSAGE#687:00057", "nwparser.payload", "%{fld2}: static multicast route src=%{saddr}, grp=%{group->} input ifp = %{sinterface->} output ifp = %{dinterface->} added", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg697 = msg("00057", part1174); - - var part1175 = match("MESSAGE#688:00058", "nwparser.payload", "PIMSM protocol configured on interface %{interface}", processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg698 = msg("00058", part1175); - - var part1176 = match("MESSAGE#689:00059/0", "nwparser.payload", "DDNS module is %{p0}"); - - var part1177 = match("MESSAGE#689:00059/1_0", "nwparser.p0", "initialized %{p0}"); - - var select266 = linear_select([ - part1177, - dup262, - dup157, - dup156, - ]); - - var all242 = all_match({ - processors: [ - part1176, - select266, - dup116, - ], - on_success: processor_chain([ - dup209, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg699 = msg("00059", all242); - - var part1178 = match("MESSAGE#690:00059:02/0", "nwparser.payload", "DDNS entry with id %{fld2->} is configured with server type \"%{fld3}\" name \"%{hostname}\" refresh-interval %{fld5->} hours minimum update interval %{fld6->} minutes with %{p0}"); - - var part1179 = match("MESSAGE#690:00059:02/1_0", "nwparser.p0", "secure %{p0}"); - - var part1180 = match("MESSAGE#690:00059:02/1_1", "nwparser.p0", "clear-text %{p0}"); - - var select267 = linear_select([ - part1179, - part1180, - ]); - - var part1181 = match("MESSAGE#690:00059:02/2", "nwparser.p0", "secure connection.%{}"); - - var 
all243 = all_match({ - processors: [ - part1178, - select267, - part1181, - ], - on_success: processor_chain([ - dup209, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg700 = msg("00059:02", all243); - - var part1182 = match("MESSAGE#691:00059:03", "nwparser.payload", "DDNS entry with id %{fld2->} is configured with user name \"%{username}\" agent \"%{fld3}\"", processor_chain([ - dup209, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg701 = msg("00059:03", part1182); - - var part1183 = match("MESSAGE#692:00059:04", "nwparser.payload", "DDNS entry with id %{fld2->} is configured with interface \"%{interface}\" host-name \"%{hostname}\"", processor_chain([ - dup209, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg702 = msg("00059:04", part1183); - - var part1184 = match("MESSAGE#693:00059:05/0_0", "nwparser.payload", "Hostname %{p0}"); - - var part1185 = match("MESSAGE#693:00059:05/0_1", "nwparser.payload", "Source interface %{p0}"); - - var part1186 = match("MESSAGE#693:00059:05/0_2", "nwparser.payload", "Username and password %{p0}"); - - var part1187 = match("MESSAGE#693:00059:05/0_3", "nwparser.payload", "Server %{p0}"); - - var select268 = linear_select([ - part1184, - part1185, - part1186, - part1187, - ]); - - var part1188 = match("MESSAGE#693:00059:05/1", "nwparser.p0", "of DDNS entry with id %{fld2->} is cleared."); - - var all244 = all_match({ - processors: [ - select268, - part1188, - ], - on_success: processor_chain([ - dup209, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg703 = msg("00059:05", all244); - - var part1189 = match("MESSAGE#694:00059:06", "nwparser.payload", "Agent of DDNS entry with id %{fld2->} is reset to its default value.", processor_chain([ - dup209, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg704 = msg("00059:06", part1189); - - var part1190 = match("MESSAGE#695:00059:07", "nwparser.payload", "Updates for DDNS entry with id %{fld2->} are set to be sent in secure (%{protocol}) mode.", processor_chain([ - 
dup209, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg705 = msg("00059:07", part1190); - - var part1191 = match("MESSAGE#696:00059:08/0_0", "nwparser.payload", "Refresh %{p0}"); - - var part1192 = match("MESSAGE#696:00059:08/0_1", "nwparser.payload", "Minimum update %{p0}"); - - var select269 = linear_select([ - part1191, - part1192, - ]); - - var part1193 = match("MESSAGE#696:00059:08/1", "nwparser.p0", "interval of DDNS entry with id %{fld2->} is set to default value (%{fld3})."); - - var all245 = all_match({ - processors: [ - select269, - part1193, - ], - on_success: processor_chain([ - dup209, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg706 = msg("00059:08", all245); - - var part1194 = match("MESSAGE#697:00059:09/1_0", "nwparser.p0", "No-Change %{p0}"); - - var part1195 = match("MESSAGE#697:00059:09/1_1", "nwparser.p0", "Error %{p0}"); - - var select270 = linear_select([ - part1194, - part1195, - ]); - - var part1196 = match("MESSAGE#697:00059:09/2", "nwparser.p0", "response received for DDNS entry update for id %{fld2->} user \"%{username}\" domain \"%{domain}\" server type \" d%{p0}"); - - var part1197 = match("MESSAGE#697:00059:09/3_1", "nwparser.p0", "yndns %{p0}"); - - var select271 = linear_select([ - dup261, - part1197, - ]); - - var part1198 = match("MESSAGE#697:00059:09/4", "nwparser.p0", "\", server name \"%{hostname}\""); - - var all246 = all_match({ - processors: [ - dup160, - select270, - part1196, - select271, - part1198, - ], - on_success: processor_chain([ - dup209, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg707 = msg("00059:09", all246); - - var part1199 = match("MESSAGE#698:00059:01", "nwparser.payload", "DDNS entry with id %{fld2->} is %{disposition}.", processor_chain([ - dup209, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg708 = msg("00059:01", part1199); - - var select272 = linear_select([ - msg699, - msg700, - msg701, - msg702, - msg703, - msg704, - msg705, - msg706, - msg707, - msg708, - ]); - - var 
part1200 = match("MESSAGE#699:00062:01", "nwparser.payload", "Track IP IP address %{hostip->} failed. (%{event_time_string})", processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - setc("event_description","Track IP failed"), - ])); - - var msg709 = msg("00062:01", part1200); - - var part1201 = match("MESSAGE#700:00062:02", "nwparser.payload", "Track IP failure reached threshold. (%{event_time_string})", processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - setc("event_description","Track IP failure reached threshold"), - ])); - - var msg710 = msg("00062:02", part1201); - - var part1202 = match("MESSAGE#701:00062:03", "nwparser.payload", "Track IP IP address %{hostip->} succeeded. (%{event_time_string})", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - setc("event_description","Track IP succeeded"), - ])); - - var msg711 = msg("00062:03", part1202); - - var part1203 = match("MESSAGE#702:00062", "nwparser.payload", "HA linkdown%{}", processor_chain([ - dup86, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg712 = msg("00062", part1203); - - var select273 = linear_select([ - msg709, - msg710, - msg711, - msg712, - ]); - - var part1204 = match("MESSAGE#703:00063", "nwparser.payload", "nsrp track-ip ip %{hostip->} %{disposition}!", processor_chain([ - dup86, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg713 = msg("00063", part1204); - - var part1205 = match("MESSAGE#704:00064", "nwparser.payload", "Can not create track-ip list%{}", processor_chain([ - dup86, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg714 = msg("00064", part1205); - - var part1206 = match("MESSAGE#705:00064:01", "nwparser.payload", "track ip fail reaches threshold system may fail over!%{}", processor_chain([ - dup86, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg715 = msg("00064:01", part1206); - - var part1207 = match("MESSAGE#706:00064:02", "nwparser.payload", "Anti-Spam is detached from policy ID %{policy_id}. 
(%{fld1})", processor_chain([ - dup17, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg716 = msg("00064:02", part1207); - - var select274 = linear_select([ - msg714, - msg715, - msg716, - ]); - - var msg717 = msg("00070", dup411); - - var part1208 = match("MESSAGE#708:00070:01/2", "nwparser.p0", "%{}Device group %{group->} changed state from %{fld3->} to %{p0}"); - - var part1209 = match("MESSAGE#708:00070:01/3_0", "nwparser.p0", "Init%{}"); - - var part1210 = match("MESSAGE#708:00070:01/3_1", "nwparser.p0", "init. (%{fld1})"); - - var select275 = linear_select([ - part1209, - part1210, - ]); - - var all247 = all_match({ - processors: [ - dup267, - dup391, - part1208, - select275, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg718 = msg("00070:01", all247); - - var part1211 = match("MESSAGE#709:00070:02", "nwparser.payload", "NSRP: nsrp control channel change to %{interface}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg719 = msg("00070:02", part1211); - - var select276 = linear_select([ - msg717, - msg718, - msg719, - ]); - - var msg720 = msg("00071", dup411); - - var part1212 = match("MESSAGE#711:00071:01", "nwparser.payload", "The local device %{fld1->} in the Virtual Security Device group %{group->} changed state", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg721 = msg("00071:01", part1212); - - var select277 = linear_select([ - msg720, - msg721, - ]); - - var msg722 = msg("00072", dup411); - - var msg723 = msg("00072:01", dup412); - - var select278 = linear_select([ - msg722, - msg723, - ]); - - var msg724 = msg("00073", dup411); - - var msg725 = msg("00073:01", dup412); - - var select279 = linear_select([ - msg724, - msg725, - ]); - - var msg726 = msg("00074", dup392); - - var all248 = all_match({ - processors: [ - dup263, - dup390, - dup271, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - 
}); - - var msg727 = msg("00075", all248); - - var part1213 = match("MESSAGE#718:00075:02", "nwparser.payload", "The local device %{hardware_id->} in the Virtual Security Device group %{group->} changed state from %{event_state->} to inoperable. (%{fld1})", processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - setc("event_description","local device in the Virtual Security Device group changed state to inoperable"), - ])); - - var msg728 = msg("00075:02", part1213); - - var part1214 = match("MESSAGE#719:00075:01", "nwparser.payload", "The local device %{hardware_id->} in the Virtual Security Device group %{group->} %{info}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg729 = msg("00075:01", part1214); - - var select280 = linear_select([ - msg727, - msg728, - msg729, - ]); - - var msg730 = msg("00076", dup392); - - var part1215 = match("MESSAGE#721:00076:01/2", "nwparser.p0", "%{fld2->} of VSD group %{group->} send 2nd path request to unit=%{fld3}"); - - var all249 = all_match({ - processors: [ - dup263, - dup390, - part1215, - ], - on_success: processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg731 = msg("00076:01", all249); - - var select281 = linear_select([ - msg730, - msg731, - ]); - - var part1216 = match("MESSAGE#722:00077", "nwparser.payload", "HA link disconnect. 
Begin to use second path of HA%{}", processor_chain([ - dup144, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg732 = msg("00077", part1216); - - var all250 = all_match({ - processors: [ - dup263, - dup390, - dup271, - ], - on_success: processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg733 = msg("00077:01", all250); - - var part1217 = match("MESSAGE#724:00077:02", "nwparser.payload", "The local device %{fld2->} in the Virtual Security Device group %{group}", processor_chain([ - setc("eventcategory","1607000000"), - dup2, - dup3, - dup4, - dup5, - ])); - - var msg734 = msg("00077:02", part1217); - - var select282 = linear_select([ - msg732, - msg733, - msg734, - ]); - - var part1218 = match("MESSAGE#725:00084", "nwparser.payload", "RTSYNC: NSRP route synchronization is %{disposition}", processor_chain([ - dup272, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg735 = msg("00084", part1218); - - var part1219 = match("MESSAGE#726:00090/0_0", "nwparser.payload", "Failover %{p0}"); - - var part1220 = match("MESSAGE#726:00090/0_1", "nwparser.payload", "Recovery %{p0}"); - - var select283 = linear_select([ - part1219, - part1220, - ]); - - var part1221 = match("MESSAGE#726:00090/3", "nwparser.p0", "untrust interface occurred.%{}"); - - var all251 = all_match({ - processors: [ - select283, - dup103, - dup369, - part1221, - ], - on_success: processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg736 = msg("00090", all251); - - var part1222 = match("MESSAGE#727:00200", "nwparser.payload", "A new route cannot be added to the device because the maximum number of system route entries %{fld2->} has been exceeded", processor_chain([ - dup117, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg737 = msg("00200", part1222); - - var part1223 = match("MESSAGE#728:00201", "nwparser.payload", "A route %{hostip}/%{fld2->} cannot be added to the virtual router %{node->} because the number of route entries in the virtual router 
exceeds the maximum number of routes %{fld3->} allowed", processor_chain([ - dup117, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg738 = msg("00201", part1223); - - var part1224 = match("MESSAGE#729:00202", "nwparser.payload", "%{fld2->} hello-packet flood from neighbor (ip = %{hostip->} router-id = %{fld3}) on interface %{interface->} packet is dropped", processor_chain([ - dup272, - dup2, - dup4, - dup5, - dup3, - ])); - - var msg739 = msg("00202", part1224); - - var part1225 = match("MESSAGE#730:00203", "nwparser.payload", "%{fld2->} lsa flood on interface %{interface->} has dropped a packet.", processor_chain([ - dup272, - dup2, - dup4, - dup5, - dup3, - ])); - - var msg740 = msg("00203", part1225); - - var part1226 = match("MESSAGE#731:00206/0", "nwparser.payload", "The total number of redistributed routes into %{p0}"); - - var part1227 = match("MESSAGE#731:00206/1_0", "nwparser.p0", "BGP %{p0}"); - - var part1228 = match("MESSAGE#731:00206/1_1", "nwparser.p0", "OSPF %{p0}"); - - var select284 = linear_select([ - part1227, - part1228, - ]); - - var part1229 = match("MESSAGE#731:00206/2", "nwparser.p0", "in vrouter %{node->} exceeded system limit (%{fld2})"); - - var all252 = all_match({ - processors: [ - part1226, - select284, - part1229, - ], - on_success: processor_chain([ - dup272, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg741 = msg("00206", all252); - - var part1230 = match("MESSAGE#732:00206:01/0", "nwparser.payload", "LSA flood in OSPF with router-id %{fld2->} on %{p0}"); - - var part1231 = match("MESSAGE#732:00206:01/2", "nwparser.p0", "%{interface->} forced the interface to drop a packet."); - - var all253 = all_match({ - processors: [ - part1230, - dup352, - part1231, - ], - on_success: processor_chain([ - dup273, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg742 = msg("00206:01", all253); - - var part1232 = match("MESSAGE#733:00206:02/0", "nwparser.payload", "OSPF instance with router-id %{fld3->} received a Hello packet 
flood from neighbor (IP address %{hostip}, router ID %{fld2}) on %{p0}"); - - var part1233 = match("MESSAGE#733:00206:02/2", "nwparser.p0", "%{interface->} forcing the interface to drop the packet."); - - var all254 = all_match({ - processors: [ - part1232, - dup352, - part1233, - ], - on_success: processor_chain([ - dup273, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg743 = msg("00206:02", all254); - - var part1234 = match("MESSAGE#734:00206:03", "nwparser.payload", "Link State Advertisement Id %{fld2}, router ID %{fld3}, type %{fld4->} cannot be deleted from the real-time database in area %{fld5}", processor_chain([ - dup273, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg744 = msg("00206:03", part1234); - - var part1235 = match("MESSAGE#735:00206:04", "nwparser.payload", "Reject second OSPF neighbor (%{fld2}) on interface (%{interface}) since it_s configured as point-to-point interface", processor_chain([ - dup273, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg745 = msg("00206:04", part1235); - - var select285 = linear_select([ - msg741, - msg742, - msg743, - msg744, - msg745, - ]); - - var part1236 = match("MESSAGE#736:00207", "nwparser.payload", "System wide RIP route limit exceeded, RIP route dropped.%{}", processor_chain([ - dup273, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg746 = msg("00207", part1236); - - var part1237 = match("MESSAGE#737:00207:01", "nwparser.payload", "%{fld2->} RIP routes dropped from last system wide RIP route limit exceed.", processor_chain([ - dup273, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg747 = msg("00207:01", part1237); - - var part1238 = match("MESSAGE#738:00207:02", "nwparser.payload", "RIP database size limit exceeded for %{fld2}, RIP route dropped.", processor_chain([ - dup273, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg748 = msg("00207:02", part1238); - - var part1239 = match("MESSAGE#739:00207:03", "nwparser.payload", "%{fld2->} RIP routes dropped from the last database size exceed in 
vr %{fld3}.", processor_chain([ - dup273, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg749 = msg("00207:03", part1239); - - var select286 = linear_select([ - msg746, - msg747, - msg748, - msg749, - ]); - - var part1240 = match("MESSAGE#740:00257", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} direction=outgoing action=Deny sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport->} translated ip=%{stransaddr->} port=%{stransport}", processor_chain([ - dup185, - dup2, - dup4, - dup5, - dup3, - dup274, - dup275, - dup61, - dup276, - dup277, - dup278, - ])); - - var msg750 = msg("00257", part1240); - - var part1241 = match("MESSAGE#741:00257:14", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} direction=incoming action=Deny sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport->} translated ip=%{dtransaddr->} port=%{dtransport}", processor_chain([ - dup185, - dup2, - dup4, - dup5, - dup3, - dup274, - dup275, - dup279, - dup276, - dup277, - dup280, - ])); - - var msg751 = msg("00257:14", part1241); - - var part1242 = match("MESSAGE#742:00257:01", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} direction=outgoing action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport->} translated ip=%{stransaddr->} port=%{stransport}", processor_chain([ - dup281, - dup2, - dup4, - dup5, - dup3, - dup274, - dup275, - dup61, - dup282, - dup278, - ])); - - var msg752 = msg("00257:01", part1242); - - var part1243 = match("MESSAGE#743:00257:15", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} 
direction=incoming action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport->} translated ip=%{dtransaddr->} port=%{dtransport}", processor_chain([ - dup281, - dup2, - dup4, - dup5, - dup3, - dup274, - dup275, - dup279, - dup282, - dup280, - ])); - - var msg753 = msg("00257:15", part1243); - - var part1244 = match("MESSAGE#744:00257:02", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} direction=%{direction->} action=Deny sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport}", processor_chain([ - dup185, - dup2, - dup4, - dup5, - dup3, - dup274, - dup275, - dup61, - dup276, - dup277, - ])); - - var msg754 = msg("00257:02", part1244); - - var part1245 = match("MESSAGE#745:00257:03", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} direction=%{direction->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport}", processor_chain([ - dup281, - dup2, - dup4, - dup5, - dup3, - dup274, - dup275, - dup61, - dup282, - ])); - - var msg755 = msg("00257:03", part1245); - - var part1246 = match("MESSAGE#746:00257:04", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=Deny sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport->} src-xlated ip=%{stransaddr->} port=%{stransport}", processor_chain([ - dup185, - dup2, - dup4, - dup5, - dup3, - dup274, - dup275, - dup61, - dup276, - dup277, - ])); - - var msg756 = msg("00257:04", part1246); - - var part1247 = match("MESSAGE#747:00257:05", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} 
policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport->} src-xlated ip=%{stransaddr->} port=%{stransport->} dst-xlated ip=%{dtransaddr->} port=%{dtransport->} session_id=%{sessionid->} reason=%{result}", processor_chain([ - dup281, - dup2, - dup4, - dup5, - dup3, - dup274, - dup275, - dup61, - dup282, - ])); - - var msg757 = msg("00257:05", part1247); - - var part1248 = match("MESSAGE#748:00257:19/2", "nwparser.p0", "%{}duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} icmp type=%{icmptype->} icmp code=%{icmpcode->} src-xlated ip=%{stransaddr->} dst-xlated ip=%{dtransaddr->} session_id=%{sessionid->} reason=%{result}"); - - var all255 = all_match({ - processors: [ - dup283, - dup393, - part1248, - ], - on_success: processor_chain([ - dup281, - dup2, - dup4, - dup5, - dup3, - dup274, - dup275, - dup60, - dup282, - ]), - }); - - var msg758 = msg("00257:19", all255); - - var part1249 = match("MESSAGE#749:00257:16/2", "nwparser.p0", "%{}duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} icmp type=%{icmptype->} src-xlated ip=%{stransaddr->} dst-xlated ip=%{dtransaddr->} session_id=%{sessionid}"); - - var all256 = all_match({ - processors: [ - dup283, - dup393, - part1249, - ], - on_success: processor_chain([ - dup281, - dup2, - dup4, - dup5, - dup3, - dup274, - dup275, - dup60, - dup282, - ]), - }); - - var msg759 = msg("00257:16", all256); - - var part1250 = match("MESSAGE#750:00257:17/2", "nwparser.p0", "%{}duration=%{duration->} 
policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport->} src-xlated ip=%{stransaddr->} port=%{stransport->} dst-xlated ip=%{dtransaddr->} port=%{dtransport->} session_id=%{sessionid}"); - - var all257 = all_match({ - processors: [ - dup283, - dup393, - part1250, - ], - on_success: processor_chain([ - dup281, - dup2, - dup4, - dup5, - dup3, - dup274, - dup275, - dup61, - dup282, - ]), - }); - - var msg760 = msg("00257:17", all257); - - var part1251 = match("MESSAGE#751:00257:18/2", "nwparser.p0", "%{}duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport->} src-xlated ip=%{stransaddr->} port=%{stransport->} session_id=%{sessionid}"); - - var all258 = all_match({ - processors: [ - dup283, - dup393, - part1251, - ], - on_success: processor_chain([ - dup281, - dup2, - dup4, - dup5, - dup3, - dup274, - dup275, - dup61, - dup282, - ]), - }); - - var msg761 = msg("00257:18", all258); - - var part1252 = match("MESSAGE#752:00257:06/0", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=Deny sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{p0}"); - - var part1253 = match("MESSAGE#752:00257:06/1_0", "nwparser.p0", "%{dport->} session_id=%{sessionid}"); - - var part1254 = match_copy("MESSAGE#752:00257:06/1_1", "nwparser.p0", "dport"); - - var select287 = linear_select([ - part1253, - part1254, - ]); - - var all259 = all_match({ - processors: [ - part1252, - select287, - ], - on_success: processor_chain([ - dup185, - 
dup2, - dup4, - dup5, - dup3, - dup274, - dup275, - dup61, - dup276, - dup277, - ]), - }); - - var msg762 = msg("00257:06", all259); - - var part1255 = match("MESSAGE#753:00257:07", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport}", processor_chain([ - dup281, - dup2, - dup4, - dup5, - dup3, - dup274, - dup275, - dup61, - dup282, - ])); - - var msg763 = msg("00257:07", part1255); - - var part1256 = match("MESSAGE#754:00257:08", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=Deny sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} tcp=%{icmptype}", processor_chain([ - dup185, - dup2, - dup4, - dup5, - dup3, - dup274, - dup275, - dup60, - dup276, - dup277, - ])); - - var msg764 = msg("00257:08", part1256); - - var part1257 = match("MESSAGE#755:00257:09/0", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} icmp type=%{p0}"); - - var part1258 = match("MESSAGE#755:00257:09/1_0", "nwparser.p0", "%{icmptype->} icmp code=%{icmpcode->} session_id=%{sessionid->} reason=%{result}"); - - var part1259 = match("MESSAGE#755:00257:09/1_1", "nwparser.p0", "%{icmptype->} session_id=%{sessionid}"); - - var part1260 = match_copy("MESSAGE#755:00257:09/1_2", "nwparser.p0", "icmptype"); - - var select288 = linear_select([ - part1258, - part1259, - part1260, - ]); - - var all260 = all_match({ - processors: [ - part1257, - select288, - ], - on_success: processor_chain([ - 
dup281, - dup2, - dup4, - dup5, - dup3, - dup274, - dup275, - dup60, - dup282, - ]), - }); - - var msg765 = msg("00257:09", all260); - - var part1261 = match("MESSAGE#756:00257:10/0", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=Deny sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{p0}"); - - var part1262 = match("MESSAGE#756:00257:10/1_0", "nwparser.p0", "%{daddr->} session_id=%{sessionid}"); - - var select289 = linear_select([ - part1262, - dup286, - ]); - - var all261 = all_match({ - processors: [ - part1261, - select289, - ], - on_success: processor_chain([ - dup185, - dup2, - dup4, - dup5, - dup3, - dup274, - dup275, - dup60, - dup276, - dup277, - ]), - }); - - var msg766 = msg("00257:10", all261); - - var part1263 = match("MESSAGE#757:00257:11/0", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{p0}"); - - var part1264 = match("MESSAGE#757:00257:11/1_0", "nwparser.p0", "%{daddr->} session_id=%{sessionid->} reason=%{result}"); - - var select290 = linear_select([ - part1264, - dup286, - ]); - - var all262 = all_match({ - processors: [ - part1263, - select290, - ], - on_success: processor_chain([ - dup281, - dup2, - dup4, - dup5, - dup3, - dup274, - dup275, - dup60, - dup282, - ]), - }); - - var msg767 = msg("00257:11", all262); - - var part1265 = match("MESSAGE#758:00257:12", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} type=%{fld3}", processor_chain([ - dup281, - dup2, - dup4, - dup5, - dup3, - dup274, - 
dup275, - dup60, - dup282, - ])); - - var msg768 = msg("00257:12", part1265); - - var part1266 = match("MESSAGE#759:00257:13", "nwparser.payload", "start_time=\"%{fld2}", processor_chain([ - dup281, - dup2, - dup3, - dup274, - dup4, - dup5, - ])); - - var msg769 = msg("00257:13", part1266); - - var select291 = linear_select([ - msg750, - msg751, - msg752, - msg753, - msg754, - msg755, - msg756, - msg757, - msg758, - msg759, - msg760, - msg761, - msg762, - msg763, - msg764, - msg765, - msg766, - msg767, - msg768, - msg769, - ]); - - var part1267 = match("MESSAGE#760:00259/1", "nwparser.p0", "user %{username->} has logged on via %{p0}"); - - var part1268 = match("MESSAGE#760:00259/2_0", "nwparser.p0", "the console %{p0}"); - - var select292 = linear_select([ - part1268, - dup289, - dup241, - ]); - - var part1269 = match("MESSAGE#760:00259/3", "nwparser.p0", "from %{saddr}:%{sport}"); - - var all263 = all_match({ - processors: [ - dup394, - part1267, - select292, - part1269, - ], - on_success: processor_chain([ - dup28, - dup29, - dup30, - dup31, - dup32, - dup2, - dup4, - dup5, - dup3, - ]), - }); - - var msg770 = msg("00259", all263); - - var part1270 = match("MESSAGE#761:00259:07/1", "nwparser.p0", "user %{administrator->} has logged out via %{logon_type->} from %{saddr}:%{sport}"); - - var all264 = all_match({ - processors: [ - dup394, - part1270, - ], - on_success: processor_chain([ - dup33, - dup29, - dup34, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg771 = msg("00259:07", all264); - - var part1271 = match("MESSAGE#762:00259:01", "nwparser.payload", "Management session via %{logon_type->} from %{saddr}:%{sport->} for [vsys] admin %{administrator->} has timed out", processor_chain([ - dup290, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg772 = msg("00259:01", part1271); - - var part1272 = match("MESSAGE#763:00259:02", "nwparser.payload", "Management session via %{logon_type->} for [ vsys ] admin %{administrator->} has timed out", processor_chain([ 
- dup290, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg773 = msg("00259:02", part1272); - - var part1273 = match("MESSAGE#764:00259:03", "nwparser.payload", "Login attempt to system by admin %{administrator->} via the %{logon_type->} has failed", processor_chain([ - dup206, - dup29, - dup30, - dup31, - dup54, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg774 = msg("00259:03", part1273); - - var part1274 = match("MESSAGE#765:00259:04", "nwparser.payload", "Login attempt to system by admin %{administrator->} via %{logon_type->} from %{saddr}:%{sport->} has failed", processor_chain([ - dup206, - dup29, - dup30, - dup31, - dup54, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg775 = msg("00259:04", part1274); - - var part1275 = match("MESSAGE#766:00259:05/0", "nwparser.payload", "Admin user %{administrator->} has been forced to log out of the %{p0}"); - - var part1276 = match("MESSAGE#766:00259:05/1_2", "nwparser.p0", "Web %{p0}"); - - var select293 = linear_select([ - dup241, - dup289, - part1276, - ]); - - var part1277 = match("MESSAGE#766:00259:05/2", "nwparser.p0", "session on host %{daddr}:%{dport}"); - - var all265 = all_match({ - processors: [ - part1275, - select293, - part1277, - ], - on_success: processor_chain([ - dup290, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg776 = msg("00259:05", all265); - - var part1278 = match("MESSAGE#767:00259:06", "nwparser.payload", "Admin user %{administrator->} has been forced to log out of the serial console session.", processor_chain([ - dup290, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg777 = msg("00259:06", part1278); - - var select294 = linear_select([ - msg770, - msg771, - msg772, - msg773, - msg774, - msg775, - msg776, - msg777, - ]); - - var part1279 = match("MESSAGE#768:00262", "nwparser.payload", "Admin user %{administrator->} has been rejected via the %{logon_type->} server at %{hostip}", processor_chain([ - dup290, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg778 = msg("00262", 
part1279); - - var part1280 = match("MESSAGE#769:00263", "nwparser.payload", "Admin user %{administrator->} has been accepted via the %{logon_type->} server at %{hostip}", processor_chain([ - setc("eventcategory","1401050100"), - dup2, - dup3, - dup4, - dup5, - ])); - - var msg779 = msg("00263", part1280); - - var part1281 = match("MESSAGE#770:00400/0_0", "nwparser.payload", "ActiveX control %{p0}"); - - var part1282 = match("MESSAGE#770:00400/0_1", "nwparser.payload", "JAVA applet %{p0}"); - - var part1283 = match("MESSAGE#770:00400/0_2", "nwparser.payload", "EXE file %{p0}"); - - var part1284 = match("MESSAGE#770:00400/0_3", "nwparser.payload", "ZIP file %{p0}"); - - var select295 = linear_select([ - part1281, - part1282, - part1283, - part1284, - ]); - - var part1285 = match("MESSAGE#770:00400/1", "nwparser.p0", "has been detected! From %{saddr}:%{sport->} to %{daddr}:%{dport->} using protocol %{protocol->} and arriving at interface %{dinterface->} in zone %{dst_zone}. %{info}"); - - var all266 = all_match({ - processors: [ - select295, - part1285, - ], - on_success: processor_chain([ - setc("eventcategory","1003000000"), - dup2, - dup4, - dup5, - dup3, - dup61, - ]), - }); - - var msg780 = msg("00400", all266); - - var part1286 = match("MESSAGE#771:00401", "nwparser.payload", "%{signame}! From %{saddr->} to %{daddr}, proto %{protocol->} (zone %{zone}, int %{interface}). %{info}", processor_chain([ - dup85, - dup2, - dup4, - dup5, - dup3, - dup291, - ])); - - var msg781 = msg("00401", part1286); - - var part1287 = match("MESSAGE#772:00402", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to %{daddr}:%{dport}, proto %{protocol->} (zone %{zone}, int %{interface}). 
%{info}", processor_chain([ - dup85, - dup2, - dup4, - dup5, - dup3, - dup292, - ])); - - var msg782 = msg("00402", part1287); - - var part1288 = match("MESSAGE#773:00402:01/0", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to %{daddr}:%{dport}, using protocol %{protocol}, and arriving at %{p0}"); - - var part1289 = match("MESSAGE#773:00402:01/2", "nwparser.p0", "%{} %{interface->} in zone %{zone}. %{info}"); - - var all267 = all_match({ - processors: [ - part1288, - dup337, - part1289, - ], - on_success: processor_chain([ - dup85, - dup2, - dup4, - dup5, - dup3, - dup292, - ]), - }); - - var msg783 = msg("00402:01", all267); - - var select296 = linear_select([ - msg782, - msg783, - ]); - - var part1290 = match("MESSAGE#774:00403", "nwparser.payload", "%{signame}! From %{saddr}:%{sport->} to %{daddr}:%{dport}, proto %{protocol->} (zone %{zone}, int %{interface}). %{info}", processor_chain([ - dup85, - dup2, - dup4, - dup5, - dup3, - dup291, - ])); - - var msg784 = msg("00403", part1290); - - var part1291 = match("MESSAGE#775:00404", "nwparser.payload", "%{signame}! From %{saddr}:%{sport->} to %{daddr}:%{dport}, proto %{protocol->} (zone %{zone}, int %{interface}). %{info}", processor_chain([ - dup147, - dup148, - dup149, - dup150, - dup2, - dup4, - dup5, - dup3, - dup292, - ])); - - var msg785 = msg("00404", part1291); - - var part1292 = match("MESSAGE#776:00405", "nwparser.payload", "%{signame}! From %{saddr->} to %{daddr}, proto %{protocol->} (zone %{zone}, int %{interface}). 
%{info}", processor_chain([ - dup147, - dup2, - dup4, - dup5, - dup3, - dup291, - ])); - - var msg786 = msg("00405", part1292); - - var msg787 = msg("00406", dup413); - - var msg788 = msg("00407", dup413); - - var msg789 = msg("00408", dup413); - - var all268 = all_match({ - processors: [ - dup132, - dup343, - dup293, - ], - on_success: processor_chain([ - dup58, - dup2, - dup59, - dup3, - dup4, - dup5, - dup60, - ]), - }); - - var msg790 = msg("00409", all268); - - var msg791 = msg("00410", dup413); - - var part1293 = match("MESSAGE#782:00410:01", "nwparser.payload", "%{signame->} From %{saddr->} to %{daddr}, using protocol %{protocol}, and arriving at interface %{dinterface->} in zone %{dst_zone}.%{space}The attack occurred %{dclass_counter1->} times.", processor_chain([ - dup58, - dup2, - dup3, - dup59, - dup4, - dup5, - dup60, - ])); - - var msg792 = msg("00410:01", part1293); - - var select297 = linear_select([ - msg791, - msg792, - ]); - - var part1294 = match("MESSAGE#783:00411/0", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to %{daddr}:%{dport}, proto TCP (zone %{zone->} %{p0}"); - - var all269 = all_match({ - processors: [ - part1294, - dup343, - dup293, - ], - on_success: processor_chain([ - dup58, - dup2, - dup59, - dup3, - dup4, - dup5, - dup61, - ]), - }); - - var msg793 = msg("00411", all269); - - var part1295 = match("MESSAGE#784:00413/0", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to %{daddr}:%{dport->} using protocol %{protocol->} and arriving at %{p0}"); - - var part1296 = match("MESSAGE#784:00413/2", "nwparser.p0", "%{} %{interface}.%{space}The attack occurred %{dclass_counter1->} times"); - - var all270 = all_match({ - processors: [ - part1295, - dup337, - part1296, - ], - on_success: processor_chain([ - dup58, - dup2, - dup59, - dup3, - dup4, - dup5, - dup61, - ]), - }); - - var msg794 = msg("00413", all270); - - var part1297 = match("MESSAGE#785:00413:01/0", "nwparser.payload", "%{signame->} From 
%{saddr}:%{sport->} to %{daddr}:%{dport}, proto %{protocol}(zone %{group->} %{p0}"); - - var all271 = all_match({ - processors: [ - part1297, - dup343, - dup83, - ], - on_success: processor_chain([ - dup58, - dup2, - dup59, - dup3, - dup4, - dup5, - dup9, - dup61, - ]), - }); - - var msg795 = msg("00413:01", all271); - - var part1298 = match("MESSAGE#786:00413:02", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to %{daddr}:%{dport}, using protocol %{protocol}, on zone %{zone->} interface %{interface}.The attack occurred %{dclass_counter1->} times. (%{fld1})", processor_chain([ - dup58, - dup2, - dup3, - dup4, - dup59, - dup5, - dup9, - ])); - - var msg796 = msg("00413:02", part1298); - - var select298 = linear_select([ - msg794, - msg795, - msg796, - ]); - - var part1299 = match("MESSAGE#787:00414", "nwparser.payload", "%{signame->} From %{saddr->} to %{daddr}, proto %{protocol->} (zone %{zone}, int %{interface}). Occurred %{dclass_counter1->} times. (%{fld1})", processor_chain([ - dup58, - dup2, - dup59, - dup3, - dup4, - dup5, - dup9, - ])); - - var msg797 = msg("00414", part1299); - - var part1300 = match("MESSAGE#788:00414:01", "nwparser.payload", "%{signame->} From %{saddr->} to %{daddr}, using protocol %{protocol}, on zone %{zone->} interface %{interface}.The attack occurred %{dclass_counter1->} times. 
(%{fld1})", processor_chain([ - dup58, - dup2, - dup3, - dup59, - dup4, - dup5, - dup9, - ])); - - var msg798 = msg("00414:01", part1300); - - var select299 = linear_select([ - msg797, - msg798, - ]); - - var part1301 = match("MESSAGE#789:00415", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to %{daddr}:%{dport->} using protocol %{protocol->} and arriving at interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([ - dup58, - dup2, - dup59, - dup3, - dup4, - dup5, - dup61, - ])); - - var msg799 = msg("00415", part1301); - - var all272 = all_match({ - processors: [ - dup132, - dup343, - dup294, - ], - on_success: processor_chain([ - dup58, - dup2, - dup59, - dup3, - dup4, - dup5, - dup60, - ]), - }); - - var msg800 = msg("00423", all272); - - var all273 = all_match({ - processors: [ - dup80, - dup343, - dup83, - ], - on_success: processor_chain([ - dup58, - dup2, - dup3, - dup9, - dup59, - dup4, - dup5, - dup60, - ]), - }); - - var msg801 = msg("00429", all273); - - var all274 = all_match({ - processors: [ - dup132, - dup343, - dup83, - ], - on_success: processor_chain([ - dup58, - dup2, - dup3, - dup9, - dup59, - dup4, - dup5, - dup60, - ]), - }); - - var msg802 = msg("00429:01", all274); - - var select300 = linear_select([ - msg801, - msg802, - ]); - - var all275 = all_match({ - processors: [ - dup80, - dup343, - dup295, - dup351, - ], - on_success: processor_chain([ - dup85, - dup2, - dup59, - dup3, - dup9, - dup4, - dup5, - dup61, - ]), - }); - - var msg803 = msg("00430", all275); - - var all276 = all_match({ - processors: [ - dup132, - dup343, - dup295, - dup351, - ], - on_success: processor_chain([ - dup85, - dup2, - dup59, - dup3, - dup9, - dup4, - dup5, - dup60, - ]), - }); - - var msg804 = msg("00430:01", all276); - - var select301 = linear_select([ - msg803, - msg804, - ]); - - var msg805 = msg("00431", dup414); - - var msg806 = msg("00432", dup414); - - var msg807 = msg("00433", dup415); - - var msg808 
= msg("00434", dup415); - - var msg809 = msg("00435", dup395); - - var all277 = all_match({ - processors: [ - dup132, - dup343, - dup294, - ], - on_success: processor_chain([ - dup58, - dup2, - dup4, - dup59, - dup5, - dup3, - dup60, - ]), - }); - - var msg810 = msg("00435:01", all277); - - var select302 = linear_select([ - msg809, - msg810, - ]); - - var msg811 = msg("00436", dup395); - - var all278 = all_match({ - processors: [ - dup64, - dup338, - dup67, - ], - on_success: processor_chain([ - dup58, - dup2, - dup59, - dup9, - dup4, - dup5, - dup3, - dup60, - ]), - }); - - var msg812 = msg("00436:01", all278); - - var select303 = linear_select([ - msg811, - msg812, - ]); - - var part1302 = match("MESSAGE#803:00437", "nwparser.payload", "%{signame->} has been detected! From %{saddr}:%{sport->} to %{daddr}:%{dport}, using protocol %{protocol}, and arriving at interface %{dinterface->} in zone %{dst_zone}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([ - dup58, - dup2, - dup59, - dup3, - dup4, - dup5, - dup61, - ])); - - var msg813 = msg("00437", part1302); - - var all279 = all_match({ - processors: [ - dup299, - dup338, - dup67, - ], - on_success: processor_chain([ - dup58, - dup2, - dup59, - dup3, - dup4, - dup5, - dup61, - dup9, - ]), - }); - - var msg814 = msg("00437:01", all279); - - var part1303 = match("MESSAGE#805:00437:02", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to %{daddr}:%{dport}, using protocol %{protocol}, on zone %{zone->} interface %{interface}.The attack occurred %{dclass_counter1->} times. (%{fld1})", processor_chain([ - dup58, - dup2, - dup59, - dup3, - dup4, - dup5, - dup61, - dup9, - ])); - - var msg815 = msg("00437:02", part1303); - - var select304 = linear_select([ - msg813, - msg814, - msg815, - ]); - - var part1304 = match("MESSAGE#806:00438", "nwparser.payload", "%{signame->} has been detected! 
From %{saddr}:%{sport->} to %{daddr}:%{dport->} using protocol %{protocol->} and arriving at interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([ - dup58, - dup2, - dup59, - dup3, - dup4, - dup5, - dup61, - ])); - - var msg816 = msg("00438", part1304); - - var part1305 = match("MESSAGE#807:00438:01", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to %{daddr}:%{dport}, using protocol %{protocol}, on zone %{zone->} interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times.", processor_chain([ - dup58, - dup2, - dup59, - dup3, - dup4, - dup5, - dup61, - ])); - - var msg817 = msg("00438:01", part1305); - - var all280 = all_match({ - processors: [ - dup299, - dup338, - dup67, - ], - on_success: processor_chain([ - dup58, - dup2, - dup59, - dup3, - dup4, - dup5, - dup9, - dup61, - ]), - }); - - var msg818 = msg("00438:02", all280); - - var select305 = linear_select([ - msg816, - msg817, - msg818, - ]); - - var part1306 = match("MESSAGE#809:00440", "nwparser.payload", "%{signame->} has been detected! From %{saddr->} to %{daddr}, using protocol %{protocol}, and arriving at interface %{dinterface->} in zone %{dst_zone}.%{space}The attack occurred %{dclass_counter1->} times. (%{fld1})", processor_chain([ - dup58, - dup2, - dup59, - dup3, - dup4, - dup5, - dup9, - dup60, - ])); - - var msg819 = msg("00440", part1306); - - var part1307 = match("MESSAGE#810:00440:02", "nwparser.payload", "%{signame->} has been detected! 
From %{saddr}:%{sport->} to %{daddr}:%{dport}, using protocol %{protocol}, and arriving at interface %{dinterface->} in zone %{dst_zone}.%{space}The attack occurred %{dclass_counter1->} times.", processor_chain([ - dup58, - dup2, - dup59, - dup4, - dup5, - dup3, - dup61, - ])); - - var msg820 = msg("00440:02", part1307); - - var all281 = all_match({ - processors: [ - dup239, - dup343, - dup83, - ], - on_success: processor_chain([ - dup58, - dup2, - dup59, - dup4, - dup5, - dup3, - dup9, - dup61, - ]), - }); - - var msg821 = msg("00440:01", all281); - - var part1308 = match("MESSAGE#812:00440:03/0", "nwparser.payload", "Fragmented traffic! From %{saddr->} to %{daddr}, proto %{protocol->} (zone %{group->} %{p0}"); - - var all282 = all_match({ - processors: [ - part1308, - dup343, - dup83, - ], - on_success: processor_chain([ - dup58, - dup2, - dup59, - dup4, - dup5, - dup3, - dup9, - dup60, - ]), - }); - - var msg822 = msg("00440:03", all282); - - var select306 = linear_select([ - msg819, - msg820, - msg821, - msg822, - ]); - - var part1309 = match("MESSAGE#813:00441", "nwparser.payload", "%{signame->} id=%{fld2}! From %{saddr->} to %{daddr}, proto %{protocol->} (zone %{zone}). Occurred %{dclass_counter1->} times. 
(%{fld1})", processor_chain([ - dup58, - dup4, - dup59, - dup5, - dup9, - dup2, - dup3, - dup60, - ])); - - var msg823 = msg("00441", part1309); - - var msg824 = msg("00442", dup396); - - var msg825 = msg("00443", dup396); - - var part1310 = match("MESSAGE#816:00511", "nwparser.payload", "admin %{administrator->} issued command %{fld2->} to redirect output.", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg826 = msg("00511", part1310); - - var part1311 = match("MESSAGE#817:00511:01/0", "nwparser.payload", "All System Config saved by admin %{p0}"); - - var all283 = all_match({ - processors: [ - part1311, - dup397, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg827 = msg("00511:01", all283); - - var part1312 = match("MESSAGE#818:00511:02", "nwparser.payload", "All logged events or alarms are cleared by admin %{administrator}.", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg828 = msg("00511:02", part1312); - - var part1313 = match("MESSAGE#819:00511:03/0", "nwparser.payload", "Get new software from flash to slot (file: %{fld2}) by admin %{p0}"); - - var all284 = all_match({ - processors: [ - part1313, - dup397, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg829 = msg("00511:03", all284); - - var part1314 = match("MESSAGE#820:00511:04/0", "nwparser.payload", "Get new software from %{hostip->} (file: %{fld2}) to slot (file: %{fld3}) by admin %{p0}"); - - var all285 = all_match({ - processors: [ - part1314, - dup397, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg830 = msg("00511:04", all285); - - var part1315 = match("MESSAGE#821:00511:05/0", "nwparser.payload", "Get new software to %{hostip->} (file: %{fld2}) by admin %{p0}"); - - var all286 = all_match({ - processors: [ - part1315, - dup397, - ], - on_success: processor_chain([ - 
dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg831 = msg("00511:05", all286); - - var part1316 = match("MESSAGE#822:00511:06/0", "nwparser.payload", "Log setting is modified by admin %{p0}"); - - var all287 = all_match({ - processors: [ - part1316, - dup397, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg832 = msg("00511:06", all287); - - var part1317 = match("MESSAGE#823:00511:07/0", "nwparser.payload", "Save configuration to %{hostip->} (file: %{fld2}) by admin %{p0}"); - - var all288 = all_match({ - processors: [ - part1317, - dup397, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg833 = msg("00511:07", all288); - - var part1318 = match("MESSAGE#824:00511:08/0", "nwparser.payload", "Save new software from slot (file: %{fld2}) to flash by admin %{p0}"); - - var all289 = all_match({ - processors: [ - part1318, - dup397, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg834 = msg("00511:08", all289); - - var part1319 = match("MESSAGE#825:00511:09/0", "nwparser.payload", "Save new software from %{hostip->} (file: %{result}) to flash by admin %{p0}"); - - var all290 = all_match({ - processors: [ - part1319, - dup397, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg835 = msg("00511:09", all290); - - var part1320 = match("MESSAGE#826:00511:10/0", "nwparser.payload", "System Config from flash to slot - %{fld2->} by admin %{p0}"); - - var all291 = all_match({ - processors: [ - part1320, - dup397, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg836 = msg("00511:10", all291); - - var part1321 = match("MESSAGE#827:00511:11/0", "nwparser.payload", "System Config load from %{hostip->} (file %{fld2}) to slot - %{fld3->} by admin %{p0}"); - - var all292 = 
all_match({ - processors: [ - part1321, - dup397, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg837 = msg("00511:11", all292); - - var part1322 = match("MESSAGE#828:00511:12/0", "nwparser.payload", "System Config load from %{hostip->} (file %{fld2}) by admin %{p0}"); - - var all293 = all_match({ - processors: [ - part1322, - dup397, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg838 = msg("00511:12", all293); - - var part1323 = match("MESSAGE#829:00511:13/0", "nwparser.payload", "The system configuration was loaded from the slot by admin %{p0}"); - - var all294 = all_match({ - processors: [ - part1323, - dup397, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg839 = msg("00511:13", all294); - - var part1324 = match("MESSAGE#830:00511:14", "nwparser.payload", "FIPS: Attempt to set RADIUS shared secret with invalid length %{fld2}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg840 = msg("00511:14", part1324); - - var select307 = linear_select([ - msg826, - msg827, - msg828, - msg829, - msg830, - msg831, - msg832, - msg833, - msg834, - msg835, - msg836, - msg837, - msg838, - msg839, - msg840, - ]); - - var part1325 = match("MESSAGE#831:00513/0", "nwparser.payload", "The physical state of %{p0}"); - - var part1326 = match("MESSAGE#831:00513/1_1", "nwparser.p0", "the Interface %{p0}"); - - var select308 = linear_select([ - dup123, - part1326, - dup122, - ]); - - var part1327 = match("MESSAGE#831:00513/2", "nwparser.p0", "%{interface->} has changed to %{p0}"); - - var part1328 = match("MESSAGE#831:00513/3_0", "nwparser.p0", "%{result}. 
(%{fld1})"); - - var part1329 = match_copy("MESSAGE#831:00513/3_1", "nwparser.p0", "result"); - - var select309 = linear_select([ - part1328, - part1329, - ]); - - var all295 = all_match({ - processors: [ - part1325, - select308, - part1327, - select309, - ], - on_success: processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - dup9, - ]), - }); - - var msg841 = msg("00513", all295); - - var part1330 = match("MESSAGE#832:00515/0_0", "nwparser.payload", "Vsys Admin %{p0}"); - - var select310 = linear_select([ - part1330, - dup287, - ]); - - var part1331 = match("MESSAGE#832:00515/1", "nwparser.p0", "%{administrator->} has logged on via the %{logon_type->} ( HTTP%{p0}"); - - var part1332 = match("MESSAGE#832:00515/2_1", "nwparser.p0", "S%{p0}"); - - var select311 = linear_select([ - dup96, - part1332, - ]); - - var part1333 = match("MESSAGE#832:00515/3", "nwparser.p0", "%{}) to port %{interface->} from %{saddr}:%{sport}"); - - var all296 = all_match({ - processors: [ - select310, - part1331, - select311, - part1333, - ], - on_success: processor_chain([ - dup301, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg842 = msg("00515", all296); - - var part1334 = match("MESSAGE#833:00515:01/0", "nwparser.payload", "Login attempt to system by admin %{administrator->} via %{p0}"); - - var part1335 = match("MESSAGE#833:00515:01/1_0", "nwparser.p0", "the %{logon_type->} has failed %{p0}"); - - var part1336 = match("MESSAGE#833:00515:01/1_1", "nwparser.p0", "%{logon_type->} from %{saddr}:%{sport->} has failed %{p0}"); - - var select312 = linear_select([ - part1335, - part1336, - ]); - - var part1337 = match_copy("MESSAGE#833:00515:01/2", "nwparser.p0", "fld2"); - - var all297 = all_match({ - processors: [ - part1334, - select312, - part1337, - ], - on_success: processor_chain([ - dup206, - dup29, - dup30, - dup31, - dup54, - dup2, - dup4, - dup5, - dup302, - dup3, - ]), - }); - - var msg843 = msg("00515:01", all297); - - var part1338 = match("MESSAGE#834:00515:02/0", 
"nwparser.payload", "Management session via %{p0}"); - - var part1339 = match("MESSAGE#834:00515:02/1_0", "nwparser.p0", "the %{logon_type->} for %{p0}"); - - var part1340 = match("MESSAGE#834:00515:02/1_1", "nwparser.p0", "%{logon_type->} from %{saddr}:%{sport->} for %{p0}"); - - var select313 = linear_select([ - part1339, - part1340, - ]); - - var part1341 = match("MESSAGE#834:00515:02/2_0", "nwparser.p0", "[vsys] admin %{p0}"); - - var part1342 = match("MESSAGE#834:00515:02/2_1", "nwparser.p0", "vsys admin %{p0}"); - - var select314 = linear_select([ - part1341, - part1342, - dup15, - ]); - - var part1343 = match("MESSAGE#834:00515:02/3", "nwparser.p0", "%{administrator->} has timed out"); - - var all298 = all_match({ - processors: [ - part1338, - select313, - select314, - part1343, - ], - on_success: processor_chain([ - dup27, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg844 = msg("00515:02", all298); - - var part1344 = match("MESSAGE#835:00515:04/0_0", "nwparser.payload", "[Vsys] %{p0}"); - - var part1345 = match("MESSAGE#835:00515:04/0_1", "nwparser.payload", "Vsys %{p0}"); - - var select315 = linear_select([ - part1344, - part1345, - ]); - - var part1346 = match("MESSAGE#835:00515:04/1", "nwparser.p0", "Admin %{administrator->} has logged o%{p0}"); - - var part1347 = match_copy("MESSAGE#835:00515:04/4_1", "nwparser.p0", "logon_type"); - - var select316 = linear_select([ - dup304, - part1347, - ]); - - var all299 = all_match({ - processors: [ - select315, - part1346, - dup398, - dup40, - select316, - ], - on_success: processor_chain([ - dup240, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg845 = msg("00515:04", all299); - - var part1348 = match("MESSAGE#836:00515:06", "nwparser.payload", "Admin User %{administrator->} has logged on via %{logon_type->} from %{saddr}:%{sport}", processor_chain([ - dup240, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg846 = msg("00515:06", part1348); - - var part1349 = match("MESSAGE#837:00515:05/0", 
"nwparser.payload", "%{}Admin %{p0}"); - - var select317 = linear_select([ - dup305, - dup16, - ]); - - var part1350 = match("MESSAGE#837:00515:05/2", "nwparser.p0", "%{administrator->} has logged o%{p0}"); - - var part1351 = match("MESSAGE#837:00515:05/5_1", "nwparser.p0", "%{logon_type->} from %{saddr}:%{sport->} (%{fld2})"); - - var select318 = linear_select([ - dup306, - part1351, - dup304, - ]); - - var all300 = all_match({ - processors: [ - part1349, - select317, - part1350, - dup398, - dup40, - select318, - ], - on_success: processor_chain([ - dup240, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg847 = msg("00515:05", all300); - - var part1352 = match("MESSAGE#838:00515:07", "nwparser.payload", "Admin user %{administrator->} login attempt for %{logon_type}(http) management (port %{network_port}) from %{saddr}:%{sport->} %{disposition}", processor_chain([ - dup240, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg848 = msg("00515:07", part1352); - - var part1353 = match("MESSAGE#839:00515:08/0", "nwparser.payload", "%{fld2->} Admin User \"%{administrator}\" logged in for %{logon_type}(http%{p0}"); - - var part1354 = match("MESSAGE#839:00515:08/1_0", "nwparser.p0", ") %{p0}"); - - var part1355 = match("MESSAGE#839:00515:08/1_1", "nwparser.p0", "s) %{p0}"); - - var select319 = linear_select([ - part1354, - part1355, - ]); - - var part1356 = match("MESSAGE#839:00515:08/2", "nwparser.p0", "management (port %{network_port}) from %{saddr}:%{sport}"); - - var all301 = all_match({ - processors: [ - part1353, - select319, - part1356, - ], - on_success: processor_chain([ - dup240, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg849 = msg("00515:08", all301); - - var part1357 = match("MESSAGE#840:00515:09", "nwparser.payload", "User %{username->} telnet management session from (%{saddr}:%{sport}) timed out", processor_chain([ - dup240, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg850 = msg("00515:09", part1357); - - var part1358 = 
match("MESSAGE#841:00515:10", "nwparser.payload", "User %{username->} logged out of telnet session from %{saddr}:%{sport}", processor_chain([ - dup240, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg851 = msg("00515:10", part1358); - - var part1359 = match("MESSAGE#842:00515:11", "nwparser.payload", "The session limit threshold has been set to %{trigger_val->} on zone %{zone}.", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg852 = msg("00515:11", part1359); - - var part1360 = match("MESSAGE#843:00515:12/0", "nwparser.payload", "[ Vsys ] Admin User \"%{administrator}\" logged in for Web( http%{p0}"); - - var part1361 = match("MESSAGE#843:00515:12/2", "nwparser.p0", ") management (port %{network_port})"); - - var all302 = all_match({ - processors: [ - part1360, - dup399, - part1361, - ], - on_success: processor_chain([ - dup240, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg853 = msg("00515:12", all302); - - var select320 = linear_select([ - dup288, - dup287, - ]); - - var part1362 = match("MESSAGE#844:00515:13/1", "nwparser.p0", "user %{administrator->} has logged o%{p0}"); - - var select321 = linear_select([ - dup306, - dup304, - ]); - - var all303 = all_match({ - processors: [ - select320, - part1362, - dup398, - dup40, - select321, - ], - on_success: processor_chain([ - dup240, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg854 = msg("00515:13", all303); - - var part1363 = match("MESSAGE#845:00515:14/0_0", "nwparser.payload", "Admin user %{administrator->} has been forced to log o%{p0}"); - - var part1364 = match("MESSAGE#845:00515:14/0_1", "nwparser.payload", "%{username->} %{fld1->} has been forced to log o%{p0}"); - - var select322 = linear_select([ - part1363, - part1364, - ]); - - var part1365 = match("MESSAGE#845:00515:14/2", "nwparser.p0", "of the %{p0}"); - - var part1366 = match("MESSAGE#845:00515:14/3_0", "nwparser.p0", "serial %{logon_type->} session."); - - var part1367 = 
match("MESSAGE#845:00515:14/3_1", "nwparser.p0", "%{logon_type->} session on host %{hostip}:%{network_port->} (%{event_time})"); - - var part1368 = match("MESSAGE#845:00515:14/3_2", "nwparser.p0", "%{logon_type->} session on host %{hostip}:%{network_port}"); - - var select323 = linear_select([ - part1366, - part1367, - part1368, - ]); - - var all304 = all_match({ - processors: [ - select322, - dup398, - part1365, - select323, - ], - on_success: processor_chain([ - dup240, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg855 = msg("00515:14", all304); - - var part1369 = match("MESSAGE#846:00515:15/0", "nwparser.payload", "%{fld2}: Admin User %{administrator->} has logged o%{p0}"); - - var part1370 = match("MESSAGE#846:00515:15/3_0", "nwparser.p0", "the %{logon_type->} (%{p0}"); - - var part1371 = match("MESSAGE#846:00515:15/3_1", "nwparser.p0", "%{logon_type->} from %{saddr}:%{sport->} (%{p0}"); - - var select324 = linear_select([ - part1370, - part1371, - ]); - - var all305 = all_match({ - processors: [ - part1369, - dup398, - dup40, - select324, - dup41, - ], - on_success: processor_chain([ - dup240, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg856 = msg("00515:15", all305); - - var part1372 = match("MESSAGE#847:00515:16/0_0", "nwparser.payload", "%{fld2}: Admin %{p0}"); - - var select325 = linear_select([ - part1372, - dup287, - ]); - - var part1373 = match("MESSAGE#847:00515:16/1", "nwparser.p0", "user %{administrator->} attempt access to %{url->} illegal from %{logon_type}( http%{p0}"); - - var part1374 = match("MESSAGE#847:00515:16/3", "nwparser.p0", ") management (port %{network_port}) from %{saddr}:%{sport}. 
(%{fld1})"); - - var all306 = all_match({ - processors: [ - select325, - part1373, - dup399, - part1374, - ], - on_success: processor_chain([ - dup240, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg857 = msg("00515:16", all306); - - var part1375 = match("MESSAGE#848:00515:17/0", "nwparser.payload", "Admin user \"%{administrator}\" logged out for %{logon_type}(%{p0}"); - - var part1376 = match("MESSAGE#848:00515:17/1_0", "nwparser.p0", "https %{p0}"); - - var part1377 = match("MESSAGE#848:00515:17/1_1", "nwparser.p0", " http %{p0}"); - - var select326 = linear_select([ - part1376, - part1377, - ]); - - var part1378 = match("MESSAGE#848:00515:17/2", "nwparser.p0", ") management (port %{network_port}) from %{saddr}:%{sport}"); - - var all307 = all_match({ - processors: [ - part1375, - select326, - part1378, - ], - on_success: processor_chain([ - dup240, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg858 = msg("00515:17", all307); - - var part1379 = match("MESSAGE#849:00515:18", "nwparser.payload", "Admin user %{administrator->} login attempt for %{logon_type}(https) management (port %{network_port}) from %{saddr}:%{sport->} %{disposition}. (%{fld1})", processor_chain([ - dup240, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg859 = msg("00515:18", part1379); - - var part1380 = match("MESSAGE#850:00515:19/0", "nwparser.payload", "Vsys admin user %{administrator->} logged on via %{p0}"); - - var part1381 = match("MESSAGE#850:00515:19/1_0", "nwparser.p0", "%{logon_type->} from remote IP address %{saddr->} using port %{sport}. (%{p0}"); - - var part1382 = match("MESSAGE#850:00515:19/1_1", "nwparser.p0", "the console. 
(%{p0}"); - - var select327 = linear_select([ - part1381, - part1382, - ]); - - var all308 = all_match({ - processors: [ - part1380, - select327, - dup41, - ], - on_success: processor_chain([ - dup240, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg860 = msg("00515:19", all308); - - var part1383 = match("MESSAGE#851:00515:20", "nwparser.payload", "netscreen: Management session via SCS from %{saddr}:%{sport->} for admin netscreen has timed out (%{fld1})", processor_chain([ - dup240, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg861 = msg("00515:20", part1383); - - var select328 = linear_select([ - msg842, - msg843, - msg844, - msg845, - msg846, - msg847, - msg848, - msg849, - msg850, - msg851, - msg852, - msg853, - msg854, - msg855, - msg856, - msg857, - msg858, - msg859, - msg860, - msg861, - ]); - - var part1384 = match("MESSAGE#852:00518", "nwparser.payload", "Admin user %{administrator->} %{fld1}at %{saddr->} has been %{disposition->} via the %{logon_type->} server at %{hostip}", processor_chain([ - dup281, - dup2, - dup4, - dup5, - dup3, - ])); - - var msg862 = msg("00518", part1384); - - var part1385 = match("MESSAGE#853:00518:17", "nwparser.payload", "Admin user %{administrator->} has been %{disposition->} via the %{logon_type->} server at %{hostip}", processor_chain([ - dup281, - dup2, - dup4, - dup5, - dup3, - ])); - - var msg863 = msg("00518:17", part1385); - - var part1386 = match("MESSAGE#854:00518:01", "nwparser.payload", "Local authentication for WebAuth user %{username->} was %{disposition}", processor_chain([ - dup281, - dup2, - dup4, - dup5, - dup3, - ])); - - var msg864 = msg("00518:01", part1386); - - var part1387 = match("MESSAGE#855:00518:02", "nwparser.payload", "Local authentication for user %{username->} was %{disposition}", processor_chain([ - dup281, - dup2, - dup4, - dup5, - dup3, - ])); - - var msg865 = msg("00518:02", part1387); - - var part1388 = match("MESSAGE#856:00518:03", "nwparser.payload", "User 
%{username->} at %{saddr->} must enter \"Next Code\" for SecurID %{hostip}", processor_chain([ - dup203, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg866 = msg("00518:03", part1388); - - var part1389 = match("MESSAGE#857:00518:04", "nwparser.payload", "WebAuth user %{username->} at %{saddr->} has been %{disposition->} via the %{logon_type->} server at %{hostip}", processor_chain([ - dup203, - dup2, - dup4, - dup5, - dup3, - ])); - - var msg867 = msg("00518:04", part1389); - - var part1390 = match("MESSAGE#858:00518:05", "nwparser.payload", "User %{username->} at %{saddr->} has been challenged via the %{authmethod->} server at %{hostip->} (Rejected since challenge is not supported for %{logon_type})", processor_chain([ - dup203, - dup2, - dup4, - dup5, - dup3, - ])); - - var msg868 = msg("00518:05", part1390); - - var part1391 = match("MESSAGE#859:00518:06", "nwparser.payload", "Error in authentication for WebAuth user %{username}", processor_chain([ - dup35, - dup29, - dup31, - dup54, - dup2, - dup4, - dup5, - dup3, - ])); - - var msg869 = msg("00518:06", part1391); - - var part1392 = match("MESSAGE#860:00518:07/0", "nwparser.payload", "Authentication for user %{username->} was denied (long %{p0}"); - - var part1393 = match("MESSAGE#860:00518:07/1_1", "nwparser.p0", "username %{p0}"); - - var select329 = linear_select([ - dup24, - part1393, - ]); - - var part1394 = match("MESSAGE#860:00518:07/2", "nwparser.p0", ")%{}"); - - var all309 = all_match({ - processors: [ - part1392, - select329, - part1394, - ], - on_success: processor_chain([ - dup53, - dup29, - dup31, - dup54, - dup2, - dup4, - dup5, - dup3, - ]), - }); - - var msg870 = msg("00518:07", all309); - - var part1395 = match("MESSAGE#861:00518:08", "nwparser.payload", "User %{username->} at %{saddr->} %{authmethod->} authentication attempt has timed out", processor_chain([ - dup35, - dup29, - dup31, - dup39, - dup2, - dup4, - dup5, - dup3, - ])); - - var msg871 = msg("00518:08", part1395); - - var 
part1396 = match("MESSAGE#862:00518:09", "nwparser.payload", "User %{username->} at %{saddr->} has been %{disposition->} via the %{logon_type->} server at %{hostip}", processor_chain([ - dup203, - dup2, - dup4, - dup5, - dup3, - ])); - - var msg872 = msg("00518:09", part1396); - - var part1397 = match("MESSAGE#863:00518:10", "nwparser.payload", "Admin user \"%{administrator}\" login attempt for %{logon_type->} (%{network_service}) management (port %{network_port}) from %{saddr}:%{sport->} failed due to %{result}. (%{fld1})", processor_chain([ - dup206, - dup29, - dup30, - dup31, - dup54, - dup2, - dup4, - dup9, - dup5, - dup3, - dup302, - ])); - - var msg873 = msg("00518:10", part1397); - - var part1398 = match("MESSAGE#864:00518:11/0", "nwparser.payload", "ADM: Local admin authentication failed for login name %{p0}"); - - var part1399 = match("MESSAGE#864:00518:11/1_0", "nwparser.p0", "'%{username}': %{p0}"); - - var part1400 = match("MESSAGE#864:00518:11/1_1", "nwparser.p0", "%{username}: %{p0}"); - - var select330 = linear_select([ - part1399, - part1400, - ]); - - var part1401 = match("MESSAGE#864:00518:11/2", "nwparser.p0", "%{result->} (%{fld1})"); - - var all310 = all_match({ - processors: [ - part1398, - select330, - part1401, - ], - on_success: processor_chain([ - dup206, - dup29, - dup30, - dup31, - dup54, - dup2, - dup9, - dup4, - dup5, - dup3, - ]), - }); - - var msg874 = msg("00518:11", all310); - - var part1402 = match("MESSAGE#865:00518:12", "nwparser.payload", "Admin user \"%{administrator}\" login attempt for %{logon_type}(%{network_service}) management (port %{network_port}) from %{saddr}:%{sport->} %{disposition}. (%{fld1})", processor_chain([ - dup240, - dup2, - dup4, - dup9, - dup5, - dup3, - ])); - - var msg875 = msg("00518:12", part1402); - - var part1403 = match("MESSAGE#866:00518:13", "nwparser.payload", "User %{username->} at %{saddr->} is rejected by the Radius server at %{hostip}. 
(%{fld1})", processor_chain([ - dup290, - dup2, - dup3, - dup4, - dup9, - dup5, - ])); - - var msg876 = msg("00518:13", part1403); - - var part1404 = match("MESSAGE#867:00518:14", "nwparser.payload", "%{fld2}: Admin user has been rejected via the Radius server at %{hostip->} (%{fld1})", processor_chain([ - dup290, - dup2, - dup4, - dup5, - dup9, - ])); - - var msg877 = msg("00518:14", part1404); - - var select331 = linear_select([ - msg862, - msg863, - msg864, - msg865, - msg866, - msg867, - msg868, - msg869, - msg870, - msg871, - msg872, - msg873, - msg874, - msg875, - msg876, - msg877, - ]); - - var part1405 = match("MESSAGE#868:00519/0", "nwparser.payload", "Admin user %{administrator->} %{p0}"); - - var part1406 = match("MESSAGE#868:00519/1_1", "nwparser.p0", "of group %{group->} at %{saddr->} has %{p0}"); - - var part1407 = match("MESSAGE#868:00519/1_2", "nwparser.p0", "%{group->} at %{saddr->} has %{p0}"); - - var select332 = linear_select([ - dup194, - part1406, - part1407, - ]); - - var part1408 = match("MESSAGE#868:00519/2", "nwparser.p0", "been %{disposition->} via the %{logon_type->} server %{p0}"); - - var part1409 = match("MESSAGE#868:00519/3_0", "nwparser.p0", "at %{p0}"); - - var select333 = linear_select([ - part1409, - dup16, - ]); - - var part1410 = match("MESSAGE#868:00519/4", "nwparser.p0", "%{hostip}"); - - var all311 = all_match({ - processors: [ - part1405, - select332, - part1408, - select333, - part1410, - ], - on_success: processor_chain([ - dup203, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg878 = msg("00519", all311); - - var part1411 = match("MESSAGE#869:00519:01/0", "nwparser.payload", "Local authentication for %{p0}"); - - var select334 = linear_select([ - dup307, - dup305, - ]); - - var part1412 = match("MESSAGE#869:00519:01/2", "nwparser.p0", "%{username->} was %{disposition}"); - - var all312 = all_match({ - processors: [ - part1411, - select334, - part1412, - ], - on_success: processor_chain([ - dup203, - dup2, - dup3, 
- dup4, - dup5, - ]), - }); - - var msg879 = msg("00519:01", all312); - - var part1413 = match("MESSAGE#870:00519:02/1_1", "nwparser.p0", "User %{p0}"); - - var select335 = linear_select([ - dup307, - part1413, - ]); - - var part1414 = match("MESSAGE#870:00519:02/2", "nwparser.p0", "%{username->} at %{saddr->} has been %{disposition->} via the %{logon_type->} server at %{hostip}"); - - var all313 = all_match({ - processors: [ - dup160, - select335, - part1414, - ], - on_success: processor_chain([ - dup203, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg880 = msg("00519:02", all313); - - var part1415 = match("MESSAGE#871:00519:03", "nwparser.payload", "Admin user \"%{administrator}\" logged in for %{logon_type}(%{network_service}) management (port %{network_port}) from %{saddr}:%{sport->} %{fld4}", processor_chain([ - dup240, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg881 = msg("00519:03", part1415); - - var part1416 = match("MESSAGE#872:00519:04", "nwparser.payload", "ADM: Local admin authentication successful for login name %{username->} (%{fld1})", processor_chain([ - dup240, - dup2, - dup4, - dup5, - dup9, - ])); - - var msg882 = msg("00519:04", part1416); - - var part1417 = match("MESSAGE#873:00519:05", "nwparser.payload", "%{fld2}Admin user %{administrator->} has been accepted via the Radius server at %{hostip}(%{fld1})", processor_chain([ - dup240, - dup2, - dup4, - dup5, - dup9, - ])); - - var msg883 = msg("00519:05", part1417); - - var select336 = linear_select([ - msg878, - msg879, - msg880, - msg881, - msg882, - msg883, - ]); - - var part1418 = match("MESSAGE#874:00520", "nwparser.payload", "%{hostname->} user authentication attempt has timed out", processor_chain([ - dup35, - dup31, - dup39, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg884 = msg("00520", part1418); - - var part1419 = match("MESSAGE#875:00520:01/0", "nwparser.payload", "User %{username->} at %{hostip->} %{p0}"); - - var part1420 = match("MESSAGE#875:00520:01/1_0", 
"nwparser.p0", "RADIUS %{p0}"); - - var part1421 = match("MESSAGE#875:00520:01/1_1", "nwparser.p0", "SecurID %{p0}"); - - var part1422 = match("MESSAGE#875:00520:01/1_2", "nwparser.p0", "LDAP %{p0}"); - - var part1423 = match("MESSAGE#875:00520:01/1_3", "nwparser.p0", "Local %{p0}"); - - var select337 = linear_select([ - part1420, - part1421, - part1422, - part1423, - ]); - - var part1424 = match("MESSAGE#875:00520:01/2", "nwparser.p0", "authentication attempt has timed out%{}"); - - var all314 = all_match({ - processors: [ - part1419, - select337, - part1424, - ], - on_success: processor_chain([ - dup35, - dup31, - dup39, - dup2, - dup4, - dup5, - dup3, - ]), - }); - - var msg885 = msg("00520:01", all314); - - var part1425 = match("MESSAGE#876:00520:02/0", "nwparser.payload", "Trying %{p0}"); - - var part1426 = match("MESSAGE#876:00520:02/2", "nwparser.p0", "server %{fld2}"); - - var all315 = all_match({ - processors: [ - part1425, - dup400, - part1426, - ], - on_success: processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg886 = msg("00520:02", all315); - - var part1427 = match("MESSAGE#877:00520:03/1_0", "nwparser.p0", "Primary %{p0}"); - - var part1428 = match("MESSAGE#877:00520:03/1_1", "nwparser.p0", "Backup1 %{p0}"); - - var part1429 = match("MESSAGE#877:00520:03/1_2", "nwparser.p0", "Backup2 %{p0}"); - - var select338 = linear_select([ - part1427, - part1428, - part1429, - ]); - - var part1430 = match("MESSAGE#877:00520:03/2", "nwparser.p0", "%{fld2}, %{p0}"); - - var part1431 = match("MESSAGE#877:00520:03/4", "nwparser.p0", "%{fld3}, and %{p0}"); - - var part1432 = match("MESSAGE#877:00520:03/6", "nwparser.p0", "%{fld4->} servers failed"); - - var all316 = all_match({ - processors: [ - dup160, - select338, - part1430, - dup400, - part1431, - dup400, - part1432, - ], - on_success: processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg887 = msg("00520:03", all316); - - var part1433 = 
match("MESSAGE#878:00520:04", "nwparser.payload", "Trying %{fld2->} Server %{hostip->} (%{fld1})", processor_chain([ - dup44, - dup2, - dup4, - dup5, - dup9, - ])); - - var msg888 = msg("00520:04", part1433); - - var part1434 = match("MESSAGE#1221:00520:05", "nwparser.payload", "Active Server Switchover: New requests for %{fld31->} server will try %{fld32->} from now on. (%{fld1})", processor_chain([ - dup44, - dup2, - dup4, - dup5, - dup9, - ])); - - var msg889 = msg("00520:05", part1434); - - var select339 = linear_select([ - msg884, - msg885, - msg886, - msg887, - msg888, - msg889, - ]); - - var part1435 = match("MESSAGE#879:00521", "nwparser.payload", "Can't connect to E-mail server %{hostip}", processor_chain([ - dup27, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg890 = msg("00521", part1435); - - var part1436 = match("MESSAGE#880:00522", "nwparser.payload", "HA link state has %{fld2}", processor_chain([ - dup117, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg891 = msg("00522", part1436); - - var part1437 = match("MESSAGE#881:00523", "nwparser.payload", "URL filtering received an error from %{fld2->} (error %{resultcode}).", processor_chain([ - dup232, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg892 = msg("00523", part1437); - - var part1438 = match("MESSAGE#882:00524", "nwparser.payload", "NetScreen device at %{hostip}:%{network_port->} has responded successfully to SNMP request from %{saddr}:%{sport}", processor_chain([ - dup209, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg893 = msg("00524", part1438); - - var part1439 = match("MESSAGE#883:00524:02", "nwparser.payload", "SNMP request from an unknown SNMP community public at %{hostip}:%{network_port->} has been received. 
(%{fld1})", processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg894 = msg("00524:02", part1439); - - var part1440 = match("MESSAGE#884:00524:03", "nwparser.payload", "SNMP: NetScreen device has responded successfully to the SNMP request from %{saddr}:%{sport}. (%{fld1})", processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg895 = msg("00524:03", part1440); - - var part1441 = match("MESSAGE#885:00524:04", "nwparser.payload", "SNMP request from an unknown SNMP community admin at %{hostip}:%{network_port->} has been received. (%{fld1})", processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg896 = msg("00524:04", part1441); - - var part1442 = match("MESSAGE#886:00524:05", "nwparser.payload", "SNMP request from an unknown SNMP community %{fld2->} at %{hostip}:%{network_port->} has been received. (%{fld1})", processor_chain([ - dup18, - dup2, - dup4, - dup5, - dup9, - ])); - - var msg897 = msg("00524:05", part1442); - - var part1443 = match("MESSAGE#887:00524:06", "nwparser.payload", "SNMP request has been received from an unknown host in SNMP community %{fld2->} at %{hostip}:%{network_port}. (%{fld1})", processor_chain([ - dup18, - dup2, - dup4, - dup5, - dup9, - ])); - - var msg898 = msg("00524:06", part1443); - - var part1444 = match("MESSAGE#888:00524:12", "nwparser.payload", "SNMP request from an unknown SNMP community %{fld2->} at %{saddr}:%{sport->} to %{daddr}:%{dport->} has been received", processor_chain([ - dup18, - dup2, - dup4, - dup5, - ])); - - var msg899 = msg("00524:12", part1444); - - var part1445 = match("MESSAGE#889:00524:14", "nwparser.payload", "SNMP request from %{saddr}:%{sport->} has been received, but the SNMP version type is incorrect. 
(%{fld1})", processor_chain([ - dup19, - dup2, - dup4, - setc("result","the SNMP version type is incorrect"), - dup5, - dup9, - ])); - - var msg900 = msg("00524:14", part1445); - - var part1446 = match("MESSAGE#890:00524:13/0", "nwparser.payload", "SNMP request has been received%{p0}"); - - var part1447 = match("MESSAGE#890:00524:13/2", "nwparser.p0", "%{}but %{result}"); - - var all317 = all_match({ - processors: [ - part1446, - dup401, - part1447, - ], - on_success: processor_chain([ - dup18, - dup2, - dup4, - dup5, - ]), - }); - - var msg901 = msg("00524:13", all317); - - var part1448 = match("MESSAGE#891:00524:07", "nwparser.payload", "Response to SNMP request from %{saddr}:%{sport->} to %{daddr}:%{dport->} has %{disposition->} due to %{result}", processor_chain([ - dup18, - dup2, - dup4, - dup5, - ])); - - var msg902 = msg("00524:07", part1448); - - var part1449 = match("MESSAGE#892:00524:08", "nwparser.payload", "SNMP community %{fld2->} cannot be added because %{result}", processor_chain([ - dup18, - dup2, - dup4, - dup5, - ])); - - var msg903 = msg("00524:08", part1449); - - var part1450 = match("MESSAGE#893:00524:09", "nwparser.payload", "SNMP host %{hostip->} cannot be added to community %{fld2->} because of %{result}", processor_chain([ - dup18, - dup2, - dup4, - dup5, - ])); - - var msg904 = msg("00524:09", part1450); - - var part1451 = match("MESSAGE#894:00524:10", "nwparser.payload", "SNMP host %{hostip->} cannot be added because %{result}", processor_chain([ - dup18, - dup2, - dup4, - dup5, - ])); - - var msg905 = msg("00524:10", part1451); - - var part1452 = match("MESSAGE#895:00524:11", "nwparser.payload", "SNMP host %{hostip->} cannot be removed from community %{fld2->} because %{result}", processor_chain([ - dup18, - dup2, - dup4, - dup5, - ])); - - var msg906 = msg("00524:11", part1452); - - var part1453 = match("MESSAGE#1222:00524:16", "nwparser.payload", "SNMP user/community %{fld34->} doesn't exist. 
(%{fld1})", processor_chain([ - dup44, - dup2, - dup4, - dup5, - dup9, - ])); - - var msg907 = msg("00524:16", part1453); - - var select340 = linear_select([ - msg893, - msg894, - msg895, - msg896, - msg897, - msg898, - msg899, - msg900, - msg901, - msg902, - msg903, - msg904, - msg905, - msg906, - msg907, - ]); - - var part1454 = match("MESSAGE#896:00525", "nwparser.payload", "The new PIN for user %{username->} at %{hostip->} has been %{disposition->} by SecurID %{fld2}", processor_chain([ - dup203, - setc("ec_subject","Password"), - dup38, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg908 = msg("00525", part1454); - - var part1455 = match("MESSAGE#897:00525:01", "nwparser.payload", "User %{username->} at %{hostip->} has selected a system-generated PIN for authentication with SecurID %{fld2}", processor_chain([ - dup203, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg909 = msg("00525:01", part1455); - - var part1456 = match("MESSAGE#898:00525:02", "nwparser.payload", "User %{username->} at %{hostip->} must enter the \"new PIN\" for SecurID %{fld2}", processor_chain([ - dup203, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg910 = msg("00525:02", part1456); - - var part1457 = match("MESSAGE#899:00525:03", "nwparser.payload", "User %{username->} at %{hostip->} must make a \"New PIN\" choice for SecurID %{fld2}", processor_chain([ - dup203, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg911 = msg("00525:03", part1457); - - var select341 = linear_select([ - msg908, - msg909, - msg910, - msg911, - ]); - - var part1458 = match("MESSAGE#900:00526", "nwparser.payload", "The user limit has been exceeded and %{hostip->} cannot be added", processor_chain([ - dup37, - dup219, - dup38, - dup39, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg912 = msg("00526", part1458); - - var part1459 = match("MESSAGE#901:00527/0", "nwparser.payload", "A DHCP-%{p0}"); - - var part1460 = match("MESSAGE#901:00527/1_1", "nwparser.p0", " assigned %{p0}"); - - var select342 = 
linear_select([ - dup311, - part1460, - ]); - - var part1461 = match("MESSAGE#901:00527/2", "nwparser.p0", "IP address %{hostip->} has been %{p0}"); - - var part1462 = match("MESSAGE#901:00527/3_1", "nwparser.p0", "freed from %{p0}"); - - var part1463 = match("MESSAGE#901:00527/3_2", "nwparser.p0", "freed %{p0}"); - - var select343 = linear_select([ - dup312, - part1462, - part1463, - ]); - - var all318 = all_match({ - processors: [ - part1459, - select342, - part1461, - select343, - dup108, - ], - on_success: processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg913 = msg("00527", all318); - - var part1464 = match("MESSAGE#902:00527:01", "nwparser.payload", "A DHCP-assigned IP address has been manually released%{}", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg914 = msg("00527:01", part1464); - - var part1465 = match("MESSAGE#903:00527:02/0", "nwparser.payload", "DHCP server has %{p0}"); - - var part1466 = match("MESSAGE#903:00527:02/1_1", "nwparser.p0", "released %{p0}"); - - var part1467 = match("MESSAGE#903:00527:02/1_2", "nwparser.p0", "assigned or released %{p0}"); - - var select344 = linear_select([ - dup311, - part1466, - part1467, - ]); - - var part1468 = match("MESSAGE#903:00527:02/2", "nwparser.p0", "an IP address%{}"); - - var all319 = all_match({ - processors: [ - part1465, - select344, - part1468, - ], - on_success: processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg915 = msg("00527:02", all319); - - var part1469 = match("MESSAGE#904:00527:03", "nwparser.payload", "MAC address %{macaddr->} has detected an IP conflict and has declined address %{hostip}", processor_chain([ - dup272, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg916 = msg("00527:03", part1469); - - var part1470 = match("MESSAGE#905:00527:04", "nwparser.payload", "One or more DHCP-assigned IP addresses have been manually released.%{}", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - 
])); - - var msg917 = msg("00527:04", part1470); - - var part1471 = match("MESSAGE#906:00527:05/2", "nwparser.p0", "%{} %{interface->} is more than %{fld2->} allocated."); - - var all320 = all_match({ - processors: [ - dup210, - dup337, - part1471, - ], - on_success: processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg918 = msg("00527:05", all320); - - var part1472 = match("MESSAGE#907:00527:06/0", "nwparser.payload", "IP address %{hostip->} %{p0}"); - - var select345 = linear_select([ - dup106, - dup127, - ]); - - var part1473 = match("MESSAGE#907:00527:06/3_1", "nwparser.p0", "released from %{p0}"); - - var select346 = linear_select([ - dup312, - part1473, - ]); - - var part1474 = match("MESSAGE#907:00527:06/4", "nwparser.p0", "%{fld2->} (%{fld1})"); - - var all321 = all_match({ - processors: [ - part1472, - select345, - dup23, - select346, - part1474, - ], - on_success: processor_chain([ - dup44, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg919 = msg("00527:06", all321); - - var part1475 = match("MESSAGE#908:00527:07", "nwparser.payload", "One or more IP addresses have expired. 
(%{fld1})", processor_chain([ - dup44, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg920 = msg("00527:07", part1475); - - var part1476 = match("MESSAGE#909:00527:08", "nwparser.payload", "DHCP server on interface %{interface->} received %{protocol_detail->} from %{smacaddr->} requesting out-of-scope IP address %{hostip}/%{mask->} (%{fld1})", processor_chain([ - dup44, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg921 = msg("00527:08", part1476); - - var part1477 = match("MESSAGE#910:00527:09/0", "nwparser.payload", "MAC address %{macaddr->} has %{disposition->} %{p0}"); - - var part1478 = match("MESSAGE#910:00527:09/1_0", "nwparser.p0", "address %{hostip->} (%{p0}"); - - var part1479 = match("MESSAGE#910:00527:09/1_1", "nwparser.p0", "%{hostip->} (%{p0}"); - - var select347 = linear_select([ - part1478, - part1479, - ]); - - var all322 = all_match({ - processors: [ - part1477, - select347, - dup41, - ], - on_success: processor_chain([ - dup272, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg922 = msg("00527:09", all322); - - var part1480 = match("MESSAGE#911:00527:10", "nwparser.payload", "One or more IP addresses are expired. 
(%{fld1})", processor_chain([ - dup44, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg923 = msg("00527:10", part1480); - - var select348 = linear_select([ - msg913, - msg914, - msg915, - msg916, - msg917, - msg918, - msg919, - msg920, - msg921, - msg922, - msg923, - ]); - - var part1481 = match("MESSAGE#912:00528", "nwparser.payload", "SCS: User '%{username}' authenticated using password :", processor_chain([ - setc("eventcategory","1302010000"), - dup29, - dup31, - dup32, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg924 = msg("00528", part1481); - - var part1482 = match("MESSAGE#913:00528:01", "nwparser.payload", "SCS: Connection terminated for user %{username->} from", processor_chain([ - dup203, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg925 = msg("00528:01", part1482); - - var part1483 = match("MESSAGE#914:00528:02", "nwparser.payload", "SCS: Disabled for all root/vsys on device. Client host attempting connection to interface '%{interface}' with address %{hostip->} from %{saddr}", processor_chain([ - dup203, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg926 = msg("00528:02", part1483); - - var part1484 = match("MESSAGE#915:00528:03", "nwparser.payload", "SSH: NetScreen device %{disposition->} to identify itself to the SSH client at %{hostip}", processor_chain([ - dup203, - dup2, - dup4, - dup5, - dup3, - ])); - - var msg927 = msg("00528:03", part1484); - - var part1485 = match("MESSAGE#916:00528:04", "nwparser.payload", "SSH: Incompatible SSH version string has been received from SSH client at %{hostip}", processor_chain([ - dup203, - dup2, - dup4, - dup5, - dup3, - ])); - - var msg928 = msg("00528:04", part1485); - - var part1486 = match("MESSAGE#917:00528:05", "nwparser.payload", "SSH: %{disposition->} to send identification string to client host at %{hostip}", processor_chain([ - dup203, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg929 = msg("00528:05", part1486); - - var part1487 = match("MESSAGE#918:00528:06", 
"nwparser.payload", "SSH: Client at %{saddr->} attempted to connect with invalid version string.", processor_chain([ - dup313, - dup2, - dup3, - dup4, - dup5, - setc("result","invalid version string"), - ])); - - var msg930 = msg("00528:06", part1487); - - var part1488 = match("MESSAGE#919:00528:07/0", "nwparser.payload", "SSH: %{disposition->} to negotiate %{p0}"); - - var part1489 = match("MESSAGE#919:00528:07/1_1", "nwparser.p0", "MAC %{p0}"); - - var part1490 = match("MESSAGE#919:00528:07/1_2", "nwparser.p0", "key exchange %{p0}"); - - var part1491 = match("MESSAGE#919:00528:07/1_3", "nwparser.p0", "host key %{p0}"); - - var select349 = linear_select([ - dup88, - part1489, - part1490, - part1491, - ]); - - var part1492 = match("MESSAGE#919:00528:07/2", "nwparser.p0", "algorithm with host %{hostip}"); - - var all323 = all_match({ - processors: [ - part1488, - select349, - part1492, - ], - on_success: processor_chain([ - dup314, - dup2, - dup4, - dup5, - dup3, - ]), - }); - - var msg931 = msg("00528:07", all323); - - var part1493 = match("MESSAGE#920:00528:08", "nwparser.payload", "SSH: Unsupported cipher type %{fld2->} requested from %{saddr}", processor_chain([ - dup314, - dup2, - dup4, - dup5, - dup3, - ])); - - var msg932 = msg("00528:08", part1493); - - var part1494 = match("MESSAGE#921:00528:09", "nwparser.payload", "SSH: Host client has requested NO cipher from %{saddr}", processor_chain([ - dup314, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg933 = msg("00528:09", part1494); - - var part1495 = match("MESSAGE#922:00528:10", "nwparser.payload", "SSH: Disabled for '%{vsys}'. 
Attempted connection %{disposition->} from %{saddr}:%{sport}", processor_chain([ - dup281, - dup2, - dup4, - dup5, - dup3, - ])); - - var msg934 = msg("00528:10", part1495); - - var part1496 = match("MESSAGE#923:00528:11", "nwparser.payload", "SSH: Disabled for %{fld2->} Attempted connection %{disposition->} from %{saddr}:%{sport}", processor_chain([ - dup281, - dup2, - dup4, - dup5, - dup3, - ])); - - var msg935 = msg("00528:11", part1496); - - var part1497 = match("MESSAGE#924:00528:12", "nwparser.payload", "SSH: SSH user %{username->} at %{saddr->} tried unsuccessfully to log in to %{vsys->} using the shared untrusted interface. SSH disabled on that interface.", processor_chain([ - dup281, - dup2, - dup4, - dup5, - dup3, - setc("disposition","disabled"), - ])); - - var msg936 = msg("00528:12", part1497); - - var part1498 = match("MESSAGE#925:00528:13/0", "nwparser.payload", "SSH: SSH client at %{saddr->} tried unsuccessfully to %{p0}"); - - var part1499 = match("MESSAGE#925:00528:13/1_0", "nwparser.p0", "make %{p0}"); - - var part1500 = match("MESSAGE#925:00528:13/1_1", "nwparser.p0", "establish %{p0}"); - - var select350 = linear_select([ - part1499, - part1500, - ]); - - var part1501 = match("MESSAGE#925:00528:13/2", "nwparser.p0", "an SSH connection to %{p0}"); - - var part1502 = match("MESSAGE#925:00528:13/4", "nwparser.p0", "%{} %{interface->} with IP %{hostip->} SSH %{p0}"); - - var part1503 = match("MESSAGE#925:00528:13/5_0", "nwparser.p0", "not enabled %{p0}"); - - var select351 = linear_select([ - part1503, - dup157, - ]); - - var part1504 = match("MESSAGE#925:00528:13/6", "nwparser.p0", "on that interface.%{}"); - - var all324 = all_match({ - processors: [ - part1498, - select350, - part1501, - dup337, - part1502, - select351, - part1504, - ], - on_success: processor_chain([ - dup281, - dup2, - dup4, - dup5, - dup3, - ]), - }); - - var msg937 = msg("00528:13", all324); - - var part1505 = match("MESSAGE#926:00528:14", "nwparser.payload", "SSH: SSH 
client %{saddr->} unsuccessfully attempted to make an SSH connection to %{vsys->} SSH was not completely initialized for that system.", processor_chain([ - dup281, - dup2, - dup4, - dup5, - dup3, - ])); - - var msg938 = msg("00528:14", part1505); - - var part1506 = match("MESSAGE#927:00528:15/0", "nwparser.payload", "SSH: Admin user %{p0}"); - - var part1507 = match("MESSAGE#927:00528:15/1_1", "nwparser.p0", "%{administrator->} %{p0}"); - - var select352 = linear_select([ - dup315, - part1507, - ]); - - var part1508 = match("MESSAGE#927:00528:15/2", "nwparser.p0", "at host %{saddr->} requested unsupported %{p0}"); - - var part1509 = match("MESSAGE#927:00528:15/3_0", "nwparser.p0", "PKA algorithm %{p0}"); - - var part1510 = match("MESSAGE#927:00528:15/3_1", "nwparser.p0", "authentication method %{p0}"); - - var select353 = linear_select([ - part1509, - part1510, - ]); - - var all325 = all_match({ - processors: [ - part1506, - select352, - part1508, - select353, - dup108, - ], - on_success: processor_chain([ - dup281, - dup2, - dup4, - dup5, - dup3, - ]), - }); - - var msg939 = msg("00528:15", all325); - - var part1511 = match("MESSAGE#928:00528:16", "nwparser.payload", "SCP: Admin '%{administrator}' at host %{saddr->} executed invalid scp command: '%{fld2}'", processor_chain([ - dup281, - dup2, - dup4, - dup5, - dup3, - ])); - - var msg940 = msg("00528:16", part1511); - - var part1512 = match("MESSAGE#929:00528:17", "nwparser.payload", "SCP: Disabled for '%{username}'. 
Attempted file transfer failed from host %{saddr}", processor_chain([ - dup281, - dup2, - dup4, - dup5, - dup3, - ])); - - var msg941 = msg("00528:17", part1512); - - var part1513 = match("MESSAGE#930:00528:18/2", "nwparser.p0", "authentication successful for admin user %{p0}"); - - var all326 = all_match({ - processors: [ - dup316, - dup402, - part1513, - dup403, - dup320, - ], - on_success: processor_chain([ - dup281, - dup2, - dup4, - dup5, - dup3, - setc("disposition","successful"), - setc("event_description","authentication successful for admin user"), - ]), - }); - - var msg942 = msg("00528:18", all326); - - var part1514 = match("MESSAGE#931:00528:26/2", "nwparser.p0", "authentication failed for admin user %{p0}"); - - var all327 = all_match({ - processors: [ - dup316, - dup402, - part1514, - dup403, - dup320, - ], - on_success: processor_chain([ - dup206, - dup29, - dup31, - dup54, - dup2, - dup4, - dup5, - dup302, - dup3, - setc("event_description","authentication failed for admin user"), - ]), - }); - - var msg943 = msg("00528:26", all327); - - var part1515 = match("MESSAGE#932:00528:19/2", "nwparser.p0", ": SSH user %{username->} has been %{disposition->} using password from %{saddr}:%{sport}"); - - var all328 = all_match({ - processors: [ - dup321, - dup404, - part1515, - ], - on_success: processor_chain([ - dup281, - dup2, - dup4, - dup5, - dup3, - ]), - }); - - var msg944 = msg("00528:19", all328); - - var part1516 = match("MESSAGE#933:00528:20/2", "nwparser.p0", ": Connection has been %{disposition->} for admin user %{administrator->} at %{saddr}:%{sport}"); - - var all329 = all_match({ - processors: [ - dup321, - dup404, - part1516, - ], - on_success: processor_chain([ - dup281, - dup2, - dup4, - dup5, - dup3, - ]), - }); - - var msg945 = msg("00528:20", all329); - - var part1517 = match("MESSAGE#934:00528:21", "nwparser.payload", "SCS: SSH user %{username->} at %{saddr}:%{sport->} has requested PKA RSA authentication, which is not supported for that 
client.", processor_chain([ - dup281, - dup2, - dup4, - dup5, - dup3, - ])); - - var msg946 = msg("00528:21", part1517); - - var part1518 = match("MESSAGE#935:00528:22/0", "nwparser.payload", "SCS: SSH client at %{saddr->} has attempted to make an SCS connection to %{p0}"); - - var part1519 = match("MESSAGE#935:00528:22/2", "nwparser.p0", "%{} %{interface->} with IP %{hostip->} but %{disposition->} because SCS is not enabled for that interface."); - - var all330 = all_match({ - processors: [ - part1518, - dup337, - part1519, - ], - on_success: processor_chain([ - dup281, - dup2, - dup4, - dup5, - dup3, - setc("result","SCS is not enabled for that interface"), - ]), - }); - - var msg947 = msg("00528:22", all330); - - var part1520 = match("MESSAGE#936:00528:23", "nwparser.payload", "SCS: SSH client at %{saddr}:%{sport->} has %{disposition->} to make an SCS connection to vsys %{vsys->} because SCS cannot generate the host and server keys before timing out.", processor_chain([ - dup281, - dup2, - dup4, - dup5, - dup3, - setc("result","SCS cannot generate the host and server keys before timing out"), - ])); - - var msg948 = msg("00528:23", part1520); - - var part1521 = match("MESSAGE#937:00528:24", "nwparser.payload", "SSH: %{change_attribute->} has been changed from %{change_old->} to %{change_new}", processor_chain([ - dup281, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg949 = msg("00528:24", part1521); - - var part1522 = match("MESSAGE#938:00528:25/0", "nwparser.payload", "SSH: Admin %{p0}"); - - var part1523 = match("MESSAGE#938:00528:25/2", "nwparser.p0", "at host %{saddr->} attempted to be authenticated with no authentication methods enabled."); - - var all331 = all_match({ - processors: [ - part1522, - dup403, - part1523, - ], - on_success: processor_chain([ - dup281, - dup2, - dup4, - dup5, - dup3, - ]), - }); - - var msg950 = msg("00528:25", all331); - - var select354 = linear_select([ - msg924, - msg925, - msg926, - msg927, - msg928, - msg929, - msg930, - 
msg931, - msg932, - msg933, - msg934, - msg935, - msg936, - msg937, - msg938, - msg939, - msg940, - msg941, - msg942, - msg943, - msg944, - msg945, - msg946, - msg947, - msg948, - msg949, - msg950, - ]); - - var part1524 = match("MESSAGE#939:00529/1_0", "nwparser.p0", "manually %{p0}"); - - var part1525 = match("MESSAGE#939:00529/1_1", "nwparser.p0", "automatically %{p0}"); - - var select355 = linear_select([ - part1524, - part1525, - ]); - - var part1526 = match("MESSAGE#939:00529/2", "nwparser.p0", "refreshed%{}"); - - var all332 = all_match({ - processors: [ - dup63, - select355, - part1526, - ], - on_success: processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg951 = msg("00529", all332); - - var part1527 = match("MESSAGE#940:00529:01/0", "nwparser.payload", "DNS entries have been refreshed by %{p0}"); - - var part1528 = match("MESSAGE#940:00529:01/1_0", "nwparser.p0", "state change%{}"); - - var part1529 = match("MESSAGE#940:00529:01/1_1", "nwparser.p0", "HA%{}"); - - var select356 = linear_select([ - part1528, - part1529, - ]); - - var all333 = all_match({ - processors: [ - part1527, - select356, - ], - on_success: processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg952 = msg("00529:01", all333); - - var select357 = linear_select([ - msg951, - msg952, - ]); - - var part1530 = match("MESSAGE#941:00530", "nwparser.payload", "An IP conflict has been detected and the DHCP client has declined address %{hostip}", processor_chain([ - dup272, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg953 = msg("00530", part1530); - - var part1531 = match("MESSAGE#942:00530:01/0", "nwparser.payload", "DHCP client IP %{hostip->} for the %{p0}"); - - var part1532 = match("MESSAGE#942:00530:01/2", "nwparser.p0", "%{} %{interface->} has been manually released"); - - var all334 = all_match({ - processors: [ - part1531, - dup337, - part1532, - ], - on_success: processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ]), 
- }); - - var msg954 = msg("00530:01", all334); - - var part1533 = match("MESSAGE#943:00530:02", "nwparser.payload", "DHCP client is unable to get an IP address for the %{interface->} interface", processor_chain([ - dup18, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg955 = msg("00530:02", part1533); - - var part1534 = match("MESSAGE#944:00530:03", "nwparser.payload", "DHCP client lease for %{hostip->} has expired", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg956 = msg("00530:03", part1534); - - var part1535 = match("MESSAGE#945:00530:04", "nwparser.payload", "DHCP server %{hostip->} has assigned the untrust Interface %{interface->} with lease %{fld2}.", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg957 = msg("00530:04", part1535); - - var part1536 = match("MESSAGE#946:00530:05", "nwparser.payload", "DHCP server %{hostip->} has assigned the %{interface->} interface %{fld2->} with lease %{fld3}", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg958 = msg("00530:05", part1536); - - var part1537 = match("MESSAGE#947:00530:06", "nwparser.payload", "DHCP client is unable to get IP address for the untrust interface.%{}", processor_chain([ - dup18, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg959 = msg("00530:06", part1537); - - var select358 = linear_select([ - msg953, - msg954, - msg955, - msg956, - msg957, - msg958, - msg959, - ]); - - var part1538 = match("MESSAGE#948:00531/0", "nwparser.payload", "System clock configurations have been changed by admin %{p0}"); - - var all335 = all_match({ - processors: [ - part1538, - dup397, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg960 = msg("00531", all335); - - var part1539 = match("MESSAGE#949:00531:01", "nwparser.payload", "failed to get clock through NTP%{}", processor_chain([ - dup86, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg961 = msg("00531:01", 
part1539); - - var part1540 = match("MESSAGE#950:00531:02", "nwparser.payload", "The system clock has been updated through NTP.%{}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg962 = msg("00531:02", part1540); - - var part1541 = match("MESSAGE#951:00531:03/0", "nwparser.payload", "The system clock was updated from %{type->} NTP server type %{hostname->} with a%{p0}"); - - var part1542 = match("MESSAGE#951:00531:03/1_0", "nwparser.p0", " ms %{p0}"); - - var select359 = linear_select([ - part1542, - dup115, - ]); - - var part1543 = match("MESSAGE#951:00531:03/2", "nwparser.p0", "adjustment of %{fld3}. Authentication was %{fld4}. Update mode was %{p0}"); - - var part1544 = match("MESSAGE#951:00531:03/3_0", "nwparser.p0", "%{fld5}(%{fld2})"); - - var part1545 = match_copy("MESSAGE#951:00531:03/3_1", "nwparser.p0", "fld5"); - - var select360 = linear_select([ - part1544, - part1545, - ]); - - var all336 = all_match({ - processors: [ - part1541, - select359, - part1543, - select360, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - dup146, - ]), - }); - - var msg963 = msg("00531:03", all336); - - var part1546 = match("MESSAGE#952:00531:04/0", "nwparser.payload", "The NetScreen device is attempting to contact the %{p0}"); - - var part1547 = match("MESSAGE#952:00531:04/1_0", "nwparser.p0", "primary backup %{p0}"); - - var part1548 = match("MESSAGE#952:00531:04/1_1", "nwparser.p0", "secondary backup %{p0}"); - - var select361 = linear_select([ - part1547, - part1548, - dup189, - ]); - - var part1549 = match("MESSAGE#952:00531:04/2", "nwparser.p0", "NTP server %{hostname}"); - - var all337 = all_match({ - processors: [ - part1546, - select361, - part1549, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg964 = msg("00531:04", all337); - - var part1550 = match("MESSAGE#953:00531:05", "nwparser.payload", "No NTP server could be contacted. 
(%{fld1})", processor_chain([ - dup86, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg965 = msg("00531:05", part1550); - - var part1551 = match("MESSAGE#954:00531:06", "nwparser.payload", "Network Time Protocol adjustment of %{fld2->} from NTP server %{hostname->} exceeds the allowed adjustment of %{fld3}. (%{fld1})", processor_chain([ - dup86, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg966 = msg("00531:06", part1551); - - var part1552 = match("MESSAGE#955:00531:07", "nwparser.payload", "No acceptable time could be obtained from any NTP server. (%{fld1})", processor_chain([ - dup86, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg967 = msg("00531:07", part1552); - - var part1553 = match("MESSAGE#956:00531:08", "nwparser.payload", "Administrator %{administrator->} changed the %{change_attribute->} from %{change_old->} to %{change_new->} (by %{fld3->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport}) (%{fld1})", processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg968 = msg("00531:08", part1553); - - var part1554 = match("MESSAGE#957:00531:09", "nwparser.payload", "Network Time Protocol settings changed. 
(%{fld1})", processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg969 = msg("00531:09", part1554); - - var part1555 = match("MESSAGE#958:00531:10", "nwparser.payload", "NTP server is %{disposition->} on interface %{interface->} (%{fld1})", processor_chain([ - dup86, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg970 = msg("00531:10", part1555); - - var part1556 = match("MESSAGE#959:00531:11", "nwparser.payload", "The system clock will be changed from %{change_old->} to %{change_new->} received from primary NTP server %{hostip->} (%{fld1})", processor_chain([ - dup44, - dup2, - dup3, - dup9, - dup4, - dup5, - setc("event_description","system clock changed based on receive from primary NTP server"), - ])); - - var msg971 = msg("00531:11", part1556); - - var part1557 = match("MESSAGE#1223:00531:12", "nwparser.payload", "%{fld35->} NTP server %{saddr->} could not be contacted. (%{fld1})", processor_chain([ - dup44, - dup2, - dup4, - dup5, - dup9, - ])); - - var msg972 = msg("00531:12", part1557); - - var select362 = linear_select([ - msg960, - msg961, - msg962, - msg963, - msg964, - msg965, - msg966, - msg967, - msg968, - msg969, - msg970, - msg971, - msg972, - ]); - - var part1558 = match("MESSAGE#960:00533", "nwparser.payload", "VIP server %{hostip->} is now responding", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg973 = msg("00533", part1558); - - var part1559 = match("MESSAGE#961:00534", "nwparser.payload", "%{fld2->} has been cleared", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg974 = msg("00534", part1559); - - var part1560 = match("MESSAGE#962:00535", "nwparser.payload", "Cannot find the CA certificate with distinguished name %{fld2}", processor_chain([ - dup314, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg975 = msg("00535", part1560); - - var part1561 = match("MESSAGE#963:00535:01", "nwparser.payload", "Distinguished name %{dn->} in the X509 
certificate request is %{disposition}", processor_chain([ - dup314, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg976 = msg("00535:01", part1561); - - var part1562 = match("MESSAGE#964:00535:02", "nwparser.payload", "Local certificate with distinguished name %{dn->} is %{disposition}", processor_chain([ - dup314, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg977 = msg("00535:02", part1562); - - var part1563 = match("MESSAGE#965:00535:03", "nwparser.payload", "PKCS #7 data cannot be decapsulated%{}", processor_chain([ - dup314, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg978 = msg("00535:03", part1563); - - var part1564 = match("MESSAGE#966:00535:04", "nwparser.payload", "SCEP_FAILURE message has been received from the CA%{}", processor_chain([ - dup314, - dup2, - dup3, - dup4, - dup5, - setc("result","SCEP_FAILURE message"), - ])); - - var msg979 = msg("00535:04", part1564); - - var part1565 = match("MESSAGE#967:00535:05", "nwparser.payload", "PKI error message has been received: %{result}", processor_chain([ - dup314, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg980 = msg("00535:05", part1565); - - var part1566 = match("MESSAGE#968:00535:06", "nwparser.payload", "PKI: Saved CA configuration (CA cert subject name %{dn}). (%{event_time_string})", processor_chain([ - dup314, - dup2, - dup3, - dup4, - dup5, - setc("event_description","Saved CA configuration - cert subject name"), - ])); - - var msg981 = msg("00535:06", part1566); - - var select363 = linear_select([ - msg975, - msg976, - msg977, - msg978, - msg979, - msg980, - msg981, - ]); - - var part1567 = match("MESSAGE#969:00536:49/0", "nwparser.payload", "IKE %{hostip->} %{p0}"); - - var part1568 = match("MESSAGE#969:00536:49/1_0", "nwparser.p0", "Phase 2 msg ID %{sessionid}: %{disposition}. %{p0}"); - - var part1569 = match("MESSAGE#969:00536:49/1_1", "nwparser.p0", "Phase 1: %{disposition->} %{p0}"); - - var part1570 = match("MESSAGE#969:00536:49/1_2", "nwparser.p0", "phase 2:%{disposition}. 
%{p0}"); - - var part1571 = match("MESSAGE#969:00536:49/1_3", "nwparser.p0", "phase 1:%{disposition}. %{p0}"); - - var select364 = linear_select([ - part1568, - part1569, - part1570, - part1571, - ]); - - var all338 = all_match({ - processors: [ - part1567, - select364, - dup10, - ], - on_success: processor_chain([ - dup44, - dup2, - dup9, - dup3, - dup4, - dup5, - ]), - }); - - var msg982 = msg("00536:49", all338); - - var part1572 = match("MESSAGE#970:00536", "nwparser.payload", "UDP packets have been received from %{saddr}/%{sport->} at interface %{interface->} at %{daddr}/%{dport}", processor_chain([ - dup44, - dup2, - dup4, - dup5, - dup3, - dup61, - ])); - - var msg983 = msg("00536", part1572); - - var part1573 = match("MESSAGE#971:00536:01", "nwparser.payload", "Attempt to set tunnel (%{fld2}) without IP address at both end points! Check outgoing interface.", processor_chain([ - dup18, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg984 = msg("00536:01", part1573); - - var part1574 = match("MESSAGE#972:00536:02", "nwparser.payload", "Gateway %{fld2->} at %{hostip->} in %{fld4->} mode with ID: %{fld3->} has been %{disposition}.", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg985 = msg("00536:02", part1574); - - var part1575 = match("MESSAGE#973:00536:03", "nwparser.payload", "IKE gateway %{fld2->} has been %{disposition}. 
%{info}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg986 = msg("00536:03", part1575); - - var part1576 = match("MESSAGE#974:00536:04", "nwparser.payload", "VPN monitoring for VPN %{group->} has deactivated the SA with ID %{fld2}.", processor_chain([ - setc("eventcategory","1801010100"), - dup2, - dup3, - dup4, - dup5, - ])); - - var msg987 = msg("00536:04", part1576); - - var part1577 = match("MESSAGE#975:00536:05", "nwparser.payload", "VPN ID number cannot be assigned%{}", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg988 = msg("00536:05", part1577); - - var part1578 = match("MESSAGE#976:00536:06", "nwparser.payload", "Local gateway IP address has changed to %{fld2}. VPNs cannot terminate at an interface with IP %{hostip}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg989 = msg("00536:06", part1578); - - var part1579 = match("MESSAGE#977:00536:07", "nwparser.payload", "Local gateway IP address has changed from %{change_old->} to another setting", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg990 = msg("00536:07", part1579); - - var part1580 = match("MESSAGE#978:00536:08", "nwparser.payload", "IKE %{hostip}: Sent initial contact notification message", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg991 = msg("00536:08", part1580); - - var part1581 = match("MESSAGE#979:00536:09", "nwparser.payload", "IKE %{hostip}: Sent initial contact notification", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg992 = msg("00536:09", part1581); - - var part1582 = match("MESSAGE#980:00536:10", "nwparser.payload", "IKE %{hostip}: Responded to a packet with a bad SPI after rebooting", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg993 = msg("00536:10", part1582); - - var part1583 = match("MESSAGE#981:00536:11", "nwparser.payload", "IKE %{hostip}: Removed Phase 2 SAs after 
receiving a notification message", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg994 = msg("00536:11", part1583); - - var part1584 = match("MESSAGE#982:00536:12", "nwparser.payload", "IKE %{hostip}: Rejected first Phase 1 packet from an unrecognized source", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg995 = msg("00536:12", part1584); - - var part1585 = match("MESSAGE#983:00536:13", "nwparser.payload", "IKE %{hostip}: Rejected an initial Phase 1 packet from an unrecognized peer gateway", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg996 = msg("00536:13", part1585); - - var part1586 = match("MESSAGE#984:00536:14/0", "nwparser.payload", "IKE %{hostip}: Received initial contact notification and removed Phase %{p0}"); - - var part1587 = match("MESSAGE#984:00536:14/2", "nwparser.p0", "SAs%{}"); - - var all339 = all_match({ - processors: [ - part1586, - dup383, - part1587, - ], - on_success: processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg997 = msg("00536:14", all339); - - var part1588 = match("MESSAGE#985:00536:50", "nwparser.payload", "IKE %{hostip}: Received a notification message for %{disposition}. 
(%{fld1})", processor_chain([ - dup44, - dup2, - dup9, - dup3, - dup4, - dup5, - ])); - - var msg998 = msg("00536:50", part1588); - - var part1589 = match("MESSAGE#986:00536:15", "nwparser.payload", "IKE %{hostip}: Received incorrect ID payload: IP address %{fld2->} instead of IP address %{fld3}", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg999 = msg("00536:15", part1589); - - var part1590 = match("MESSAGE#987:00536:16", "nwparser.payload", "IKE %{hostip}: Phase 2 negotiation request is already in the task list", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1000 = msg("00536:16", part1590); - - var part1591 = match("MESSAGE#988:00536:17", "nwparser.payload", "IKE %{hostip}: Heartbeats have been lost %{fld2->} times", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1001 = msg("00536:17", part1591); - - var part1592 = match("MESSAGE#989:00536:18", "nwparser.payload", "IKE %{hostip}: Dropped peer packet because no policy uses the peer configuration", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1002 = msg("00536:18", part1592); - - var part1593 = match("MESSAGE#990:00536:19", "nwparser.payload", "IKE %{hostip}: Dropped packet because remote gateway OK is not used in any VPN tunnel configurations", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1003 = msg("00536:19", part1593); - - var part1594 = match("MESSAGE#991:00536:20", "nwparser.payload", "IKE %{hostip}: Added the initial contact task to the task list", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1004 = msg("00536:20", part1594); - - var part1595 = match("MESSAGE#992:00536:21", "nwparser.payload", "IKE %{hostip}: Added Phase 2 session tasks to the task list", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1005 = msg("00536:21", part1595); - - var part1596 = match("MESSAGE#993:00536:22", 
"nwparser.payload", "IKE %{hostip->} Phase 1 : %{disposition->} proposals from peer. Negotiations failed", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - setc("result","Negotiations failed"), - ])); - - var msg1006 = msg("00536:22", part1596); - - var part1597 = match("MESSAGE#994:00536:23", "nwparser.payload", "IKE %{hostip->} Phase 1 : Aborted negotiations because the time limit has elapsed", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - setc("result","The time limit has elapsed"), - setc("disposition","Aborted"), - ])); - - var msg1007 = msg("00536:23", part1597); - - var part1598 = match("MESSAGE#995:00536:24", "nwparser.payload", "IKE %{hostip->} Phase 2: Received a message but did not check a policy because id-mode is set to IP or policy-checking is disabled", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1008 = msg("00536:24", part1598); - - var part1599 = match("MESSAGE#996:00536:25", "nwparser.payload", "IKE %{hostip->} Phase 2: Received DH group %{fld2->} instead of expected group %{fld3->} for PFS", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1009 = msg("00536:25", part1599); - - var part1600 = match("MESSAGE#997:00536:26", "nwparser.payload", "IKE %{hostip->} Phase 2: No policy exists for the proxy ID received: local ID %{fld2->} remote ID %{fld3}", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1010 = msg("00536:26", part1600); - - var part1601 = match("MESSAGE#998:00536:27", "nwparser.payload", "IKE %{hostip->} Phase 1: RSA private key is needed to sign packets", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1011 = msg("00536:27", part1601); - - var part1602 = match("MESSAGE#999:00536:28", "nwparser.payload", "IKE %{hostip->} Phase 1: Aggressive mode negotiations have %{disposition}", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1012 = msg("00536:28", part1602); - - 
var part1603 = match("MESSAGE#1000:00536:29", "nwparser.payload", "IKE %{hostip->} Phase 1: Vendor ID payload indicates that the peer does not support NAT-T", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1013 = msg("00536:29", part1603); - - var part1604 = match("MESSAGE#1001:00536:30", "nwparser.payload", "IKE %{hostip->} Phase 1: Retransmission limit has been reached", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1014 = msg("00536:30", part1604); - - var part1605 = match("MESSAGE#1002:00536:31", "nwparser.payload", "IKE %{hostip->} Phase 1: Received an invalid RSA signature", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1015 = msg("00536:31", part1605); - - var part1606 = match("MESSAGE#1003:00536:32", "nwparser.payload", "IKE %{hostip->} Phase 1: Received an incorrect public key authentication method", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1016 = msg("00536:32", part1606); - - var part1607 = match("MESSAGE#1004:00536:33", "nwparser.payload", "IKE %{hostip->} Phase 1: No private key exists to sign packets", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1017 = msg("00536:33", part1607); - - var part1608 = match("MESSAGE#1005:00536:34", "nwparser.payload", "IKE %{hostip->} Phase 1: Main mode packet has arrived with ID type IP address but no user configuration was found for that ID", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1018 = msg("00536:34", part1608); - - var part1609 = match("MESSAGE#1006:00536:35", "nwparser.payload", "IKE %{hostip->} Phase 1: IKE initiator has detected NAT in front of the local device", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1019 = msg("00536:35", part1609); - - var part1610 = match("MESSAGE#1007:00536:36/0", "nwparser.payload", "IKE %{hostip->} Phase 1: Discarded a second initial packet%{p0}"); - - var 
part1611 = match("MESSAGE#1007:00536:36/2", "nwparser.p0", "%{}which arrived within %{fld2->} after the first"); - - var all340 = all_match({ - processors: [ - part1610, - dup401, - part1611, - ], - on_success: processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg1020 = msg("00536:36", all340); - - var part1612 = match("MESSAGE#1008:00536:37", "nwparser.payload", "IKE %{hostip->} Phase 1: Completed Aggressive mode negotiations with a %{fld2->} lifetime", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1021 = msg("00536:37", part1612); - - var part1613 = match("MESSAGE#1009:00536:38", "nwparser.payload", "IKE %{hostip->} Phase 1: Certificate received has a subject name that does not match the ID payload", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1022 = msg("00536:38", part1613); - - var part1614 = match("MESSAGE#1010:00536:39", "nwparser.payload", "IKE %{hostip->} Phase 1: Certificate received has a different IP address %{fld2->} than expected", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1023 = msg("00536:39", part1614); - - var part1615 = match("MESSAGE#1011:00536:40", "nwparser.payload", "IKE %{hostip->} Phase 1: Cannot use a preshared key because the peer%{quote}s gateway has a dynamic IP address and negotiations are in Main mode", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1024 = msg("00536:40", part1615); - - var part1616 = match("MESSAGE#1012:00536:47", "nwparser.payload", "IKE %{hostip->} Phase 1: Initiated negotiations in Aggressive mode", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1025 = msg("00536:47", part1616); - - var part1617 = match("MESSAGE#1013:00536:41", "nwparser.payload", "IKE %{hostip->} Phase 1: Cannot verify RSA signature", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1026 = msg("00536:41", part1617); - - var part1618 = 
match("MESSAGE#1014:00536:42", "nwparser.payload", "IKE %{hostip->} Phase 1: Initiated Main mode negotiations", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1027 = msg("00536:42", part1618); - - var part1619 = match("MESSAGE#1015:00536:43", "nwparser.payload", "IKE %{hostip->} Phase 2: Initiated negotiations", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1028 = msg("00536:43", part1619); - - var part1620 = match("MESSAGE#1016:00536:44", "nwparser.payload", "IKE %{hostip}: Changed heartbeat interval to %{fld2}", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1029 = msg("00536:44", part1620); - - var part1621 = match("MESSAGE#1017:00536:45", "nwparser.payload", "IKE %{hostip}: Heartbeats have been %{disposition->} because %{result}", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1030 = msg("00536:45", part1621); - - var part1622 = match("MESSAGE#1018:00536:48", "nwparser.payload", "Received an IKE packet on %{interface->} from %{saddr}:%{sport->} to %{daddr}:%{dport}/%{fld1}. Cookies: %{ike_cookie1}, %{ike_cookie2}. 
(%{event_time_string})", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - setc("event_description","Received an IKE packet on interface"), - ])); - - var msg1031 = msg("00536:48", part1622); - - var part1623 = match("MESSAGE#1019:00536:46", "nwparser.payload", "IKE %{hostip}: Received a bad SPI", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1032 = msg("00536:46", part1623); - - var select365 = linear_select([ - msg982, - msg983, - msg984, - msg985, - msg986, - msg987, - msg988, - msg989, - msg990, - msg991, - msg992, - msg993, - msg994, - msg995, - msg996, - msg997, - msg998, - msg999, - msg1000, - msg1001, - msg1002, - msg1003, - msg1004, - msg1005, - msg1006, - msg1007, - msg1008, - msg1009, - msg1010, - msg1011, - msg1012, - msg1013, - msg1014, - msg1015, - msg1016, - msg1017, - msg1018, - msg1019, - msg1020, - msg1021, - msg1022, - msg1023, - msg1024, - msg1025, - msg1026, - msg1027, - msg1028, - msg1029, - msg1030, - msg1031, - msg1032, - ]); - - var part1624 = match("MESSAGE#1020:00537", "nwparser.payload", "PPPoE %{disposition->} to establish a session: %{info}", processor_chain([ - dup18, - dup2, - dup4, - dup5, - dup3, - ])); - - var msg1033 = msg("00537", part1624); - - var part1625 = match("MESSAGE#1021:00537:01", "nwparser.payload", "PPPoE session shuts down: %{result}", processor_chain([ - dup18, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1034 = msg("00537:01", part1625); - - var part1626 = match("MESSAGE#1022:00537:02", "nwparser.payload", "The Point-to-Point over Ethernet (PPPoE) connection failed to establish a session: %{result}", processor_chain([ - dup18, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1035 = msg("00537:02", part1626); - - var part1627 = match("MESSAGE#1023:00537:03", "nwparser.payload", "PPPoE session has successfully established%{}", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1036 = msg("00537:03", part1627); - - var select366 = 
linear_select([ - msg1033, - msg1034, - msg1035, - msg1036, - ]); - - var part1628 = match("MESSAGE#1024:00538/0", "nwparser.payload", "NACN failed to register to Policy Manager %{fld2->} because %{p0}"); - - var select367 = linear_select([ - dup111, - dup119, - ]); - - var part1629 = match("MESSAGE#1024:00538/2", "nwparser.p0", "%{result}"); - - var all341 = all_match({ - processors: [ - part1628, - select367, - part1629, - ], - on_success: processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg1037 = msg("00538", all341); - - var part1630 = match("MESSAGE#1025:00538:01", "nwparser.payload", "NACN successfully registered to Policy Manager %{fld2}.", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1038 = msg("00538:01", part1630); - - var part1631 = match("MESSAGE#1026:00538:02", "nwparser.payload", "The NACN protocol has started for Policy Manager %{fld2->} on hostname %{hostname->} IP address %{hostip->} port %{network_port}.", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1039 = msg("00538:02", part1631); - - var part1632 = match("MESSAGE#1027:00538:03", "nwparser.payload", "Cannot connect to NSM Server at %{hostip->} (%{fld2->} connect attempt(s)) %{fld3}", processor_chain([ - dup19, - dup2, - dup4, - dup5, - dup3, - ])); - - var msg1040 = msg("00538:03", part1632); - - var part1633 = match("MESSAGE#1028:00538:04", "nwparser.payload", "Device is not known to Global PRO data collector at %{hostip}", processor_chain([ - dup27, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1041 = msg("00538:04", part1633); - - var part1634 = match("MESSAGE#1029:00538:05/0", "nwparser.payload", "Lost %{p0}"); - - var part1635 = match("MESSAGE#1029:00538:05/1_0", "nwparser.p0", "socket connection%{p0}"); - - var part1636 = match("MESSAGE#1029:00538:05/1_1", "nwparser.p0", "connection%{p0}"); - - var select368 = linear_select([ - part1635, - part1636, - ]); - - var part1637 = 
match("MESSAGE#1029:00538:05/2", "nwparser.p0", "%{}to Global PRO data collector at %{hostip}"); - - var all342 = all_match({ - processors: [ - part1634, - select368, - part1637, - ], - on_success: processor_chain([ - dup27, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg1042 = msg("00538:05", all342); - - var part1638 = match("MESSAGE#1030:00538:06/0", "nwparser.payload", "Device has connected to the Global PRO%{p0}"); - - var part1639 = match("MESSAGE#1030:00538:06/1_0", "nwparser.p0", " %{fld2->} primary data collector at %{p0}"); - - var part1640 = match("MESSAGE#1030:00538:06/1_1", "nwparser.p0", " primary data collector at %{p0}"); - - var select369 = linear_select([ - part1639, - part1640, - ]); - - var part1641 = match_copy("MESSAGE#1030:00538:06/2", "nwparser.p0", "hostip"); - - var all343 = all_match({ - processors: [ - part1638, - select369, - part1641, - ], - on_success: processor_chain([ - dup27, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg1043 = msg("00538:06", all343); - - var part1642 = match("MESSAGE#1031:00538:07/0", "nwparser.payload", "Connection to Global PRO data collector at %{hostip->} has%{p0}"); - - var part1643 = match("MESSAGE#1031:00538:07/1_0", "nwparser.p0", " been%{p0}"); - - var select370 = linear_select([ - part1643, - dup16, - ]); - - var all344 = all_match({ - processors: [ - part1642, - select370, - dup136, - ], - on_success: processor_chain([ - dup27, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg1044 = msg("00538:07", all344); - - var part1644 = match("MESSAGE#1032:00538:08", "nwparser.payload", "Cannot connect to Global PRO data collector at %{hostip}", processor_chain([ - dup27, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1045 = msg("00538:08", part1644); - - var part1645 = match("MESSAGE#1033:00538:09", "nwparser.payload", "NSM: Connected to NSM server at %{hostip->} (%{info}) (%{fld1})", processor_chain([ - dup301, - dup2, - dup3, - dup9, - dup4, - dup5, - 
setc("event_description","Connected to NSM server"), - ])); - - var msg1046 = msg("00538:09", part1645); - - var part1646 = match("MESSAGE#1034:00538:10/0", "nwparser.payload", "NSM: Connection to NSM server at %{hostip->} is down. Reason: %{resultcode}, %{result->} (%{p0}"); - - var part1647 = match("MESSAGE#1034:00538:10/1_0", "nwparser.p0", "%{info}) (%{fld1})"); - - var select371 = linear_select([ - part1647, - dup41, - ]); - - var all345 = all_match({ - processors: [ - part1646, - select371, - ], - on_success: processor_chain([ - dup198, - dup2, - dup3, - dup9, - dup4, - dup5, - setc("event_description","Connection to NSM server is down"), - ]), - }); - - var msg1047 = msg("00538:10", all345); - - var part1648 = match("MESSAGE#1035:00538:11", "nwparser.payload", "NSM: Cannot connect to NSM server at %{hostip}. Reason: %{resultcode}, %{result->} (%{info}) (%{fld2->} connect attempt(s)) (%{fld1})", processor_chain([ - dup198, - dup2, - dup3, - dup9, - dup4, - dup5, - dup323, - ])); - - var msg1048 = msg("00538:11", part1648); - - var part1649 = match("MESSAGE#1036:00538:12", "nwparser.payload", "NSM: Cannot connect to NSM server at %{hostip}. 
Reason: %{resultcode}, %{result->} (%{info}) (%{fld1})", processor_chain([ - dup198, - dup2, - dup3, - dup9, - dup4, - dup5, - dup323, - ])); - - var msg1049 = msg("00538:12", part1649); - - var part1650 = match("MESSAGE#1037:00538:13", "nwparser.payload", "NSM: Sent 2B message (%{fld1})", processor_chain([ - dup44, - dup2, - dup3, - dup9, - dup4, - dup5, - setc("event_description","Sent 2B message"), - ])); - - var msg1050 = msg("00538:13", part1650); - - var select372 = linear_select([ - msg1037, - msg1038, - msg1039, - msg1040, - msg1041, - msg1042, - msg1043, - msg1044, - msg1045, - msg1046, - msg1047, - msg1048, - msg1049, - msg1050, - ]); - - var part1651 = match("MESSAGE#1038:00539", "nwparser.payload", "No IP address in L2TP IP pool for user %{username}", processor_chain([ - dup117, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1051 = msg("00539", part1651); - - var part1652 = match("MESSAGE#1039:00539:01", "nwparser.payload", "No L2TP IP pool for user %{username}", processor_chain([ - dup117, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1052 = msg("00539:01", part1652); - - var part1653 = match("MESSAGE#1040:00539:02", "nwparser.payload", "Cannot allocate IP addr from Pool %{group_object->} for user %{username}", processor_chain([ - dup117, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1053 = msg("00539:02", part1653); - - var part1654 = match("MESSAGE#1041:00539:03", "nwparser.payload", "Dialup HDLC PPP failed to establish a session: %{fld2}.", processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1054 = msg("00539:03", part1654); - - var part1655 = match("MESSAGE#1042:00539:04", "nwparser.payload", "Dialup HDLC PPP session has successfully established.%{}", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1055 = msg("00539:04", part1655); - - var part1656 = match("MESSAGE#1043:00539:05", "nwparser.payload", "No IP Pool has been assigned. 
You cannot allocate an IP address%{}", processor_chain([ - dup18, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1056 = msg("00539:05", part1656); - - var part1657 = match("MESSAGE#1044:00539:06", "nwparser.payload", "PPP settings changed.%{}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1057 = msg("00539:06", part1657); - - var select373 = linear_select([ - msg1051, - msg1052, - msg1053, - msg1054, - msg1055, - msg1056, - msg1057, - ]); - - var part1658 = match("MESSAGE#1045:00541", "nwparser.payload", "ScreenOS %{fld2->} serial # %{serial_number}: Asset recovery has been %{disposition}", processor_chain([ - dup324, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1058 = msg("00541", part1658); - - var part1659 = match("MESSAGE#1216:00541:01", "nwparser.payload", "Neighbor router ID - %{fld2->} IP address - %{hostip->} changed its state to %{change_new}. (%{fld1})", processor_chain([ - dup273, - dup9, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1059 = msg("00541:01", part1659); - - var part1660 = match("MESSAGE#1218:00541:02", "nwparser.payload", "The system killed OSPF neighbor because the current router could not see itself in the hello packet. Neighbor changed state from %{change_old->} to %{change_new->} state, (neighbor router-id 1%{fld2}, ip-address %{hostip}). (%{fld1})", processor_chain([ - dup273, - dup9, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1060 = msg("00541:02", part1660); - - var part1661 = match("MESSAGE#1219:00541:03/0", "nwparser.payload", "LSA in following area aged out: LSA area ID %{fld3}, LSA ID %{fld4}, router ID %{fld2}, type %{fld7->} in OSPF. 
(%{fld1})%{p0}"); - - var part1662 = match("MESSAGE#1219:00541:03/1_0", "nwparser.p0", "\u003c\u003c%{fld16}>"); - - var select374 = linear_select([ - part1662, - dup21, - ]); - - var all346 = all_match({ - processors: [ - part1661, - select374, - ], - on_success: processor_chain([ - dup44, - dup9, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg1061 = msg("00541:03", all346); - - var select375 = linear_select([ - msg1058, - msg1059, - msg1060, - msg1061, - ]); - - var part1663 = match("MESSAGE#1046:00542", "nwparser.payload", "BGP of vr: %{node}, prefix adding: %{fld2}, ribin overflow %{fld3->} times (max rib-in %{fld4})", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1062 = msg("00542", part1663); - - var part1664 = match("MESSAGE#1047:00543/0", "nwparser.payload", "Access for %{p0}"); - - var part1665 = match("MESSAGE#1047:00543/1_0", "nwparser.p0", "WebAuth firewall %{p0}"); - - var part1666 = match("MESSAGE#1047:00543/1_1", "nwparser.p0", "firewall %{p0}"); - - var select376 = linear_select([ - part1665, - part1666, - ]); - - var part1667 = match("MESSAGE#1047:00543/2", "nwparser.p0", "user %{username->} %{space}at %{hostip->} (accepted at %{fld2->} for duration %{duration->} via the %{logon_type}) %{p0}"); - - var part1668 = match("MESSAGE#1047:00543/3_0", "nwparser.p0", "by policy id %{policy_id->} is %{p0}"); - - var select377 = linear_select([ - part1668, - dup106, - ]); - - var part1669 = match("MESSAGE#1047:00543/4", "nwparser.p0", "now over (%{fld1})"); - - var all347 = all_match({ - processors: [ - part1664, - select376, - part1667, - select377, - part1669, - ], - on_success: processor_chain([ - dup281, - dup2, - dup4, - dup5, - dup9, - dup3, - ]), - }); - - var msg1063 = msg("00543", all347); - - var part1670 = match("MESSAGE#1048:00544", "nwparser.payload", "User %{username->} [ of group %{group->} ] at %{hostip->} has been challenged by the RADIUS server at %{daddr}", processor_chain([ - dup281, - dup2, - dup4, - 
dup5, - dup3, - dup60, - setc("action","RADIUS server challenge"), - ])); - - var msg1064 = msg("00544", part1670); - - var part1671 = match("MESSAGE#1049:00546", "nwparser.payload", "delete-route-> trust-vr: %{fld2}", processor_chain([ - dup281, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1065 = msg("00546", part1671); - - var part1672 = match("MESSAGE#1050:00547", "nwparser.payload", "AV: Content from %{saddr}:%{sport}->%{daddr}:%{dport->} was not scanned because max content size was exceeded.", processor_chain([ - dup44, - dup2, - dup4, - dup5, - dup3, - dup61, - ])); - - var msg1066 = msg("00547", part1672); - - var part1673 = match("MESSAGE#1051:00547:01", "nwparser.payload", "AV: Content from %{saddr}:%{sport}->%{daddr}:%{dport->} was not scanned due to a scan engine error or constraint.", processor_chain([ - dup44, - dup2, - dup4, - dup5, - dup3, - dup61, - ])); - - var msg1067 = msg("00547:01", part1673); - - var part1674 = match("MESSAGE#1052:00547:02", "nwparser.payload", "AV object scan-mgr data has been %{disposition}.", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1068 = msg("00547:02", part1674); - - var part1675 = match("MESSAGE#1053:00547:03/0", "nwparser.payload", "AV: Content from %{location_desc}, http url: %{url}, is passed %{p0}"); - - var part1676 = match("MESSAGE#1053:00547:03/1_0", "nwparser.p0", "due to %{p0}"); - - var part1677 = match("MESSAGE#1053:00547:03/1_1", "nwparser.p0", "because %{p0}"); - - var select378 = linear_select([ - part1676, - part1677, - ]); - - var part1678 = match("MESSAGE#1053:00547:03/2", "nwparser.p0", "%{result}. 
(%{event_time_string})"); - - var all348 = all_match({ - processors: [ - part1675, - select378, - part1678, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - setc("event_description","Content is bypassed for connection"), - ]), - }); - - var msg1069 = msg("00547:03", all348); - - var select379 = linear_select([ - msg1066, - msg1067, - msg1068, - msg1069, - ]); - - var part1679 = match("MESSAGE#1054:00549", "nwparser.payload", "add-route-> untrust-vr: %{fld2}", processor_chain([ - dup281, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1070 = msg("00549", part1679); - - var part1680 = match("MESSAGE#1055:00551", "nwparser.payload", "Error %{resultcode->} occurred during configlet file processing.", processor_chain([ - dup18, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1071 = msg("00551", part1680); - - var part1681 = match("MESSAGE#1056:00551:01", "nwparser.payload", "Error %{resultcode->} occurred, causing failure to establish secure management with Management System.", processor_chain([ - dup86, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1072 = msg("00551:01", part1681); - - var part1682 = match("MESSAGE#1057:00551:02/0", "nwparser.payload", "Configlet file %{p0}"); - - var part1683 = match("MESSAGE#1057:00551:02/1_0", "nwparser.p0", "decryption %{p0}"); - - var select380 = linear_select([ - part1683, - dup89, - ]); - - var all349 = all_match({ - processors: [ - part1682, - select380, - dup128, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg1073 = msg("00551:02", all349); - - var part1684 = match("MESSAGE#1058:00551:03", "nwparser.payload", "Rapid Deployment cannot start because gateway has undergone configuration changes. 
(%{fld1})", processor_chain([ - dup18, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg1074 = msg("00551:03", part1684); - - var part1685 = match("MESSAGE#1059:00551:04", "nwparser.payload", "Secure management established successfully with remote server. (%{fld1})", processor_chain([ - dup44, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg1075 = msg("00551:04", part1685); - - var select381 = linear_select([ - msg1071, - msg1072, - msg1073, - msg1074, - msg1075, - ]); - - var part1686 = match("MESSAGE#1060:00553/0", "nwparser.payload", "SCAN-MGR: Failed to get %{p0}"); - - var part1687 = match("MESSAGE#1060:00553/1_0", "nwparser.p0", "AltServer %{p0}"); - - var part1688 = match("MESSAGE#1060:00553/1_1", "nwparser.p0", "Version %{p0}"); - - var part1689 = match("MESSAGE#1060:00553/1_2", "nwparser.p0", "Path_GateLockCE %{p0}"); - - var select382 = linear_select([ - part1687, - part1688, - part1689, - ]); - - var all350 = all_match({ - processors: [ - part1686, - select382, - dup325, - ], - on_success: processor_chain([ - dup18, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg1076 = msg("00553", all350); - - var part1690 = match("MESSAGE#1061:00553:01", "nwparser.payload", "SCAN-MGR: Zero pattern size from server.ini.%{}", processor_chain([ - dup18, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1077 = msg("00553:01", part1690); - - var part1691 = match("MESSAGE#1062:00553:02", "nwparser.payload", "SCAN-MGR: Pattern size from server.ini is too large: %{bytes->} (bytes).", processor_chain([ - dup18, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1078 = msg("00553:02", part1691); - - var part1692 = match("MESSAGE#1063:00553:03", "nwparser.payload", "SCAN-MGR: Pattern URL from server.ini is too long: %{fld2}; max is %{fld3}.", processor_chain([ - dup18, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1079 = msg("00553:03", part1692); - - var part1693 = match("MESSAGE#1064:00553:04/0", "nwparser.payload", "SCAN-MGR: Failed to retrieve 
%{p0}"); - - var select383 = linear_select([ - dup326, - dup327, - ]); - - var part1694 = match("MESSAGE#1064:00553:04/2", "nwparser.p0", "file: %{fld2}; http status code: %{resultcode}."); - - var all351 = all_match({ - processors: [ - part1693, - select383, - part1694, - ], - on_success: processor_chain([ - dup18, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg1080 = msg("00553:04", all351); - - var part1695 = match("MESSAGE#1065:00553:05", "nwparser.payload", "SCAN-MGR: Failed to write pattern into a RAM file.%{}", processor_chain([ - dup18, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1081 = msg("00553:05", part1695); - - var part1696 = match("MESSAGE#1066:00553:06", "nwparser.payload", "SCAN-MGR: Check Pattern File failed: code from VSAPI: %{resultcode}", processor_chain([ - dup18, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1082 = msg("00553:06", part1696); - - var part1697 = match("MESSAGE#1067:00553:07", "nwparser.payload", "SCAN-MGR: Failed to write pattern into flash.%{}", processor_chain([ - dup18, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1083 = msg("00553:07", part1697); - - var part1698 = match("MESSAGE#1068:00553:08/0", "nwparser.payload", "SCAN-MGR: Internal error while setting up for retrieving %{p0}"); - - var select384 = linear_select([ - dup327, - dup326, - ]); - - var all352 = all_match({ - processors: [ - part1698, - select384, - dup328, - ], - on_success: processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg1084 = msg("00553:08", all352); - - var part1699 = match("MESSAGE#1069:00553:09", "nwparser.payload", "SCAN-MGR: %{fld2->} %{disposition}: Err: %{resultcode}.", processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1085 = msg("00553:09", part1699); - - var part1700 = match("MESSAGE#1070:00553:10", "nwparser.payload", "SCAN-MGR: TMIntCPVSInit %{disposition->} due to %{result}", processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1086 = 
msg("00553:10", part1700); - - var part1701 = match("MESSAGE#1071:00553:11", "nwparser.payload", "SCAN-MGR: Attempted Pattern Creation Date(%{fld2}) is after AV Key Expiration date(%{fld3}).", processor_chain([ - dup18, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1087 = msg("00553:11", part1701); - - var part1702 = match("MESSAGE#1072:00553:12", "nwparser.payload", "SCAN-MGR: TMIntSetDecompressLayer %{disposition}: Layer: %{fld2}, Err: %{resultcode}.", processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1088 = msg("00553:12", part1702); - - var part1703 = match("MESSAGE#1073:00553:13", "nwparser.payload", "SCAN-MGR: TMIntSetExtractFileSizeLimit %{disposition}: Limit: %{fld2}, Err: %{resultcode}.", processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1089 = msg("00553:13", part1703); - - var part1704 = match("MESSAGE#1074:00553:14", "nwparser.payload", "SCAN-MGR: TMIntScanFile %{disposition}: ret: %{fld2}; cpapiErrCode: %{resultcode}.", processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1090 = msg("00553:14", part1704); - - var part1705 = match("MESSAGE#1075:00553:15", "nwparser.payload", "SCAN-MGR: VSAPI resource usage error. 
Left usage: %{fld2}.", processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1091 = msg("00553:15", part1705); - - var part1706 = match("MESSAGE#1076:00553:16", "nwparser.payload", "SCAN-MGR: Set decompress layer to %{fld2}.", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1092 = msg("00553:16", part1706); - - var part1707 = match("MESSAGE#1077:00553:17", "nwparser.payload", "SCAN-MGR: Set maximum content size to %{fld2}.", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1093 = msg("00553:17", part1707); - - var part1708 = match("MESSAGE#1078:00553:18", "nwparser.payload", "SCAN-MGR: Set maximum number of concurrent messages to %{fld2}.", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1094 = msg("00553:18", part1708); - - var part1709 = match("MESSAGE#1079:00553:19", "nwparser.payload", "SCAN-MGR: Set drop if maximum number of concurrent messages exceeds max to %{fld2}.", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1095 = msg("00553:19", part1709); - - var part1710 = match("MESSAGE#1080:00553:20", "nwparser.payload", "SCAN-MGR: Set Pattern URL to %{fld2}; update interval is %{fld3}.", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1096 = msg("00553:20", part1710); - - var part1711 = match("MESSAGE#1081:00553:21", "nwparser.payload", "SCAN-MGR: Unset Pattern URL; Pattern will not be updated automatically.%{}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1097 = msg("00553:21", part1711); - - var part1712 = match("MESSAGE#1082:00553:22", "nwparser.payload", "SCAN-MGR: New pattern updated: version: %{version}, size: %{bytes->} (bytes).", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1098 = msg("00553:22", part1712); - - var select385 = linear_select([ - msg1076, - msg1077, - msg1078, - msg1079, - msg1080, - msg1081, - msg1082, - msg1083, - 
msg1084, - msg1085, - msg1086, - msg1087, - msg1088, - msg1089, - msg1090, - msg1091, - msg1092, - msg1093, - msg1094, - msg1095, - msg1096, - msg1097, - msg1098, - ]); - - var part1713 = match("MESSAGE#1083:00554/0", "nwparser.payload", "SCAN-MGR: Cannot get %{p0}"); - - var part1714 = match("MESSAGE#1083:00554/1_0", "nwparser.p0", "AltServer info %{p0}"); - - var part1715 = match("MESSAGE#1083:00554/1_1", "nwparser.p0", "Version number %{p0}"); - - var part1716 = match("MESSAGE#1083:00554/1_2", "nwparser.p0", "Path_GateLockCE info %{p0}"); - - var select386 = linear_select([ - part1714, - part1715, - part1716, - ]); - - var all353 = all_match({ - processors: [ - part1713, - select386, - dup325, - ], - on_success: processor_chain([ - dup144, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg1099 = msg("00554", all353); - - var part1717 = match("MESSAGE#1084:00554:01", "nwparser.payload", "SCAN-MGR: Per server.ini file, the AV pattern file size is zero.%{}", processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1100 = msg("00554:01", part1717); - - var part1718 = match("MESSAGE#1085:00554:02", "nwparser.payload", "SCAN-MGR: AV pattern file size is too large (%{bytes->} bytes).", processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1101 = msg("00554:02", part1718); - - var part1719 = match("MESSAGE#1086:00554:03", "nwparser.payload", "SCAN-MGR: Alternate AV pattern file server URL is too long: %{bytes->} bytes. Max: %{fld2->} bytes.", processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1102 = msg("00554:03", part1719); - - var part1720 = match("MESSAGE#1087:00554:04/0", "nwparser.payload", "SCAN-MGR: Cannot retrieve %{p0}"); - - var part1721 = match("MESSAGE#1087:00554:04/2", "nwparser.p0", "file from %{hostip}:%{network_port}. 
HTTP status code: %{fld2}."); - - var all354 = all_match({ - processors: [ - part1720, - dup405, - part1721, - ], - on_success: processor_chain([ - dup144, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg1103 = msg("00554:04", all354); - - var part1722 = match("MESSAGE#1088:00554:05/0", "nwparser.payload", "SCAN-MGR: Cannot write AV pattern file to %{p0}"); - - var part1723 = match("MESSAGE#1088:00554:05/1_0", "nwparser.p0", "RAM %{p0}"); - - var part1724 = match("MESSAGE#1088:00554:05/1_1", "nwparser.p0", "flash %{p0}"); - - var select387 = linear_select([ - part1723, - part1724, - ]); - - var all355 = all_match({ - processors: [ - part1722, - select387, - dup116, - ], - on_success: processor_chain([ - dup144, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg1104 = msg("00554:05", all355); - - var part1725 = match("MESSAGE#1089:00554:06", "nwparser.payload", "SCAN-MGR: Cannot check AV pattern file. VSAPI code: %{fld2}", processor_chain([ - dup144, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1105 = msg("00554:06", part1725); - - var part1726 = match("MESSAGE#1090:00554:07/0", "nwparser.payload", "SCAN-MGR: Internal error occurred while retrieving %{p0}"); - - var all356 = all_match({ - processors: [ - part1726, - dup405, - dup328, - ], - on_success: processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg1106 = msg("00554:07", all356); - - var part1727 = match("MESSAGE#1091:00554:08/0", "nwparser.payload", "SCAN-MGR: Internal error occurred when calling this function: %{fld2}. 
%{fld3->} %{p0}"); - - var part1728 = match("MESSAGE#1091:00554:08/1_0", "nwparser.p0", "Error: %{resultcode->} %{p0}"); - - var part1729 = match("MESSAGE#1091:00554:08/1_1", "nwparser.p0", "Returned a NULL VSC handler %{p0}"); - - var part1730 = match("MESSAGE#1091:00554:08/1_2", "nwparser.p0", "cpapiErrCode: %{resultcode->} %{p0}"); - - var select388 = linear_select([ - part1728, - part1729, - part1730, - ]); - - var all357 = all_match({ - processors: [ - part1727, - select388, - dup116, - ], - on_success: processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg1107 = msg("00554:08", all357); - - var part1731 = match("MESSAGE#1092:00554:09", "nwparser.payload", "SCAN-MGR: Number of decompression layers has been set to %{fld2}.", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1108 = msg("00554:09", part1731); - - var part1732 = match("MESSAGE#1093:00554:10", "nwparser.payload", "SCAN-MGR: Maximum content size has been set to %{fld2->} KB.", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1109 = msg("00554:10", part1732); - - var part1733 = match("MESSAGE#1094:00554:11", "nwparser.payload", "SCAN-MGR: Maximum number of concurrent messages has been set to %{fld2}.", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1110 = msg("00554:11", part1733); - - var part1734 = match("MESSAGE#1095:00554:12/0", "nwparser.payload", "SCAN-MGR: Fail mode has been set to %{p0}"); - - var part1735 = match("MESSAGE#1095:00554:12/1_0", "nwparser.p0", "drop %{p0}"); - - var part1736 = match("MESSAGE#1095:00554:12/1_1", "nwparser.p0", "pass %{p0}"); - - var select389 = linear_select([ - part1735, - part1736, - ]); - - var part1737 = match("MESSAGE#1095:00554:12/2", "nwparser.p0", "unexamined traffic if %{p0}"); - - var part1738 = match("MESSAGE#1095:00554:12/3_0", "nwparser.p0", "content size %{p0}"); - - var part1739 = match("MESSAGE#1095:00554:12/3_1", "nwparser.p0", "number of 
concurrent messages %{p0}"); - - var select390 = linear_select([ - part1738, - part1739, - ]); - - var part1740 = match("MESSAGE#1095:00554:12/4", "nwparser.p0", "exceeds max.%{}"); - - var all358 = all_match({ - processors: [ - part1734, - select389, - part1737, - select390, - part1740, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg1111 = msg("00554:12", all358); - - var part1741 = match("MESSAGE#1096:00554:13", "nwparser.payload", "SCAN-MGR: URL for AV pattern update server has been set to %{fld2}, and the update interval to %{fld3->} minutes.", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1112 = msg("00554:13", part1741); - - var part1742 = match("MESSAGE#1097:00554:14", "nwparser.payload", "SCAN-MGR: URL for AV pattern update server has been unset, and the update interval returned to its default.%{}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1113 = msg("00554:14", part1742); - - var part1743 = match("MESSAGE#1098:00554:15", "nwparser.payload", "SCAN-MGR: New AV pattern file has been updated. Version: %{version}; size: %{bytes->} bytes.", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1114 = msg("00554:15", part1743); - - var part1744 = match("MESSAGE#1099:00554:16", "nwparser.payload", "SCAN-MGR: AV client has exceeded its resource allotment. Remaining available resources: %{fld2}.", processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1115 = msg("00554:16", part1744); - - var part1745 = match("MESSAGE#1100:00554:17", "nwparser.payload", "SCAN-MGR: Attempted to load AV pattern file created %{fld2->} after the AV subscription expired. 
(Exp: %{fld3})", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1116 = msg("00554:17", part1745); - - var select391 = linear_select([ - msg1099, - msg1100, - msg1101, - msg1102, - msg1103, - msg1104, - msg1105, - msg1106, - msg1107, - msg1108, - msg1109, - msg1110, - msg1111, - msg1112, - msg1113, - msg1114, - msg1115, - msg1116, - ]); - - var part1746 = match("MESSAGE#1101:00555", "nwparser.payload", "Vrouter %{node->} PIMSM cannot process non-multicast address %{hostip}", processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1117 = msg("00555", part1746); - - var part1747 = match("MESSAGE#1102:00556", "nwparser.payload", "UF-MGR: Failed to process a request. Reason: %{result}", processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1118 = msg("00556", part1747); - - var part1748 = match("MESSAGE#1103:00556:01", "nwparser.payload", "UF-MGR: Failed to abort a transaction. Reason: %{result}", processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1119 = msg("00556:01", part1748); - - var part1749 = match("MESSAGE#1104:00556:02/0", "nwparser.payload", "UF-MGR: UF %{p0}"); - - var part1750 = match("MESSAGE#1104:00556:02/1_0", "nwparser.p0", "K%{p0}"); - - var part1751 = match("MESSAGE#1104:00556:02/1_1", "nwparser.p0", "k%{p0}"); - - var select392 = linear_select([ - part1750, - part1751, - ]); - - var part1752 = match("MESSAGE#1104:00556:02/2", "nwparser.p0", "ey %{p0}"); - - var part1753 = match("MESSAGE#1104:00556:02/3_0", "nwparser.p0", "Expired%{p0}"); - - var part1754 = match("MESSAGE#1104:00556:02/3_1", "nwparser.p0", "expired%{p0}"); - - var select393 = linear_select([ - part1753, - part1754, - ]); - - var part1755 = match("MESSAGE#1104:00556:02/4", "nwparser.p0", "%{}(expiration date: %{fld2}; current date: %{fld3})."); - - var all359 = all_match({ - processors: [ - part1749, - select392, - part1752, - select393, - part1755, - ], - on_success: processor_chain([ - 
dup254, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg1120 = msg("00556:02", all359); - - var part1756 = match("MESSAGE#1105:00556:03/0", "nwparser.payload", "UF-MGR: Failed to %{p0}"); - - var part1757 = match("MESSAGE#1105:00556:03/1_0", "nwparser.p0", "enable %{p0}"); - - var part1758 = match("MESSAGE#1105:00556:03/1_1", "nwparser.p0", "disable %{p0}"); - - var select394 = linear_select([ - part1757, - part1758, - ]); - - var part1759 = match("MESSAGE#1105:00556:03/2", "nwparser.p0", "cache.%{}"); - - var all360 = all_match({ - processors: [ - part1756, - select394, - part1759, - ], - on_success: processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg1121 = msg("00556:03", all360); - - var part1760 = match("MESSAGE#1106:00556:04", "nwparser.payload", "UF-MGR: Internal Error: %{resultcode}", processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1122 = msg("00556:04", part1760); - - var part1761 = match("MESSAGE#1107:00556:05", "nwparser.payload", "UF-MGR: Cache size changed to %{fld2}(K).", processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1123 = msg("00556:05", part1761); - - var part1762 = match("MESSAGE#1108:00556:06", "nwparser.payload", "UF-MGR: Cache timeout changes to %{fld2->} (hours).", processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1124 = msg("00556:06", part1762); - - var part1763 = match("MESSAGE#1109:00556:07", "nwparser.payload", "UF-MGR: Category update interval changed to %{fld2->} (weeks).", processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1125 = msg("00556:07", part1763); - - var part1764 = match("MESSAGE#1110:00556:08/0", "nwparser.payload", "UF-MGR: Cache %{p0}"); - - var all361 = all_match({ - processors: [ - part1764, - dup358, - dup116, - ], - on_success: processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg1126 = msg("00556:08", all361); - - var part1765 = 
match("MESSAGE#1111:00556:09", "nwparser.payload", "UF-MGR: URL BLOCKED: ip_addr (%{fld2}) -> ip_addr (%{fld3}), %{fld4->} action: %{disposition}, category: %{fld5}, reason %{result}", processor_chain([ - dup232, - dup2, - dup3, - dup4, - dup5, - dup282, - ])); - - var msg1127 = msg("00556:09", part1765); - - var part1766 = match("MESSAGE#1112:00556:10", "nwparser.payload", "UF-MGR: URL FILTER ERR: ip_addr (%{fld2}) -> ip_addr (%{fld3}), host: %{fld5->} page: %{fld4->} code: %{resultcode->} reason: %{result}.", processor_chain([ - dup232, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1128 = msg("00556:10", part1766); - - var part1767 = match("MESSAGE#1113:00556:11", "nwparser.payload", "UF-MGR: Primary CPA server changed to %{fld2}", processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1129 = msg("00556:11", part1767); - - var part1768 = match("MESSAGE#1114:00556:12/0", "nwparser.payload", "UF-MGR: %{fld2->} CPA server %{p0}"); - - var select395 = linear_select([ - dup140, - dup169, - ]); - - var part1769 = match("MESSAGE#1114:00556:12/2", "nwparser.p0", "changed to %{fld3}."); - - var all362 = all_match({ - processors: [ - part1768, - select395, - part1769, - ], - on_success: processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg1130 = msg("00556:12", all362); - - var part1770 = match("MESSAGE#1115:00556:13", "nwparser.payload", "UF-MGR: SurfControl URL filtering %{disposition}.", processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1131 = msg("00556:13", part1770); - - var part1771 = match("MESSAGE#1116:00556:14/0", "nwparser.payload", "UF-MGR: The url %{url->} was %{p0}"); - - var part1772 = match("MESSAGE#1116:00556:14/2", "nwparser.p0", "category %{fld2}."); - - var all363 = all_match({ - processors: [ - part1771, - dup406, - part1772, - ], - on_success: processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg1132 = msg("00556:14", all363); - - var 
part1773 = match("MESSAGE#1117:00556:15/0", "nwparser.payload", "UF-MGR: The category %{fld2->} was %{p0}"); - - var part1774 = match("MESSAGE#1117:00556:15/2", "nwparser.p0", "profile %{fld3->} with action %{disposition}."); - - var all364 = all_match({ - processors: [ - part1773, - dup406, - part1774, - ], - on_success: processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - dup282, - ]), - }); - - var msg1133 = msg("00556:15", all364); - - var part1775 = match("MESSAGE#1118:00556:16/0", "nwparser.payload", "UF-MGR: The %{p0}"); - - var part1776 = match("MESSAGE#1118:00556:16/1_0", "nwparser.p0", "profile %{p0}"); - - var part1777 = match("MESSAGE#1118:00556:16/1_1", "nwparser.p0", "category %{p0}"); - - var select396 = linear_select([ - part1776, - part1777, - ]); - - var part1778 = match("MESSAGE#1118:00556:16/2", "nwparser.p0", "%{fld2->} was %{p0}"); - - var select397 = linear_select([ - dup104, - dup120, - ]); - - var all365 = all_match({ - processors: [ - part1775, - select396, - part1778, - select397, - dup116, - ], - on_success: processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg1134 = msg("00556:16", all365); - - var part1779 = match("MESSAGE#1119:00556:17/0", "nwparser.payload", "UF-MGR: The category %{fld2->} was set in profile %{profile->} as the %{p0}"); - - var part1780 = match("MESSAGE#1119:00556:17/1_0", "nwparser.p0", "black %{p0}"); - - var part1781 = match("MESSAGE#1119:00556:17/1_1", "nwparser.p0", "white %{p0}"); - - var select398 = linear_select([ - part1780, - part1781, - ]); - - var part1782 = match("MESSAGE#1119:00556:17/2", "nwparser.p0", "list.%{}"); - - var all366 = all_match({ - processors: [ - part1779, - select398, - part1782, - ], - on_success: processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg1135 = msg("00556:17", all366); - - var part1783 = match("MESSAGE#1120:00556:18/0", "nwparser.payload", "UF-MGR: The action for %{fld2->} in profile %{profile->} was %{p0}"); 
- - var part1784 = match("MESSAGE#1120:00556:18/1_1", "nwparser.p0", "changed %{p0}"); - - var select399 = linear_select([ - dup101, - part1784, - ]); - - var part1785 = match("MESSAGE#1120:00556:18/2", "nwparser.p0", "to %{fld3}."); - - var all367 = all_match({ - processors: [ - part1783, - select399, - part1785, - ], - on_success: processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg1136 = msg("00556:18", all367); - - var part1786 = match("MESSAGE#1121:00556:20/0", "nwparser.payload", "UF-MGR: The category list from the CPA server %{p0}"); - - var part1787 = match("MESSAGE#1121:00556:20/2", "nwparser.p0", "updated on%{p0}"); - - var select400 = linear_select([ - dup103, - dup96, - ]); - - var part1788 = match("MESSAGE#1121:00556:20/4", "nwparser.p0", "the device.%{}"); - - var all368 = all_match({ - processors: [ - part1786, - dup355, - part1787, - select400, - part1788, - ], - on_success: processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg1137 = msg("00556:20", all368); - - var part1789 = match("MESSAGE#1122:00556:21", "nwparser.payload", "UF-MGR: URL BLOCKED: %{saddr}(%{sport})->%{daddr}(%{dport}), %{fld2->} action: %{disposition}, category: %{category}, reason: %{result->} (%{fld1})", processor_chain([ - dup232, - dup2, - dup3, - dup9, - dup4, - dup5, - dup282, - ])); - - var msg1138 = msg("00556:21", part1789); - - var part1790 = match("MESSAGE#1123:00556:22", "nwparser.payload", "UF-MGR: URL BLOCKED: %{saddr}(%{sport})->%{daddr}(%{dport}), %{fld2->} (%{fld1})", processor_chain([ - dup232, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg1139 = msg("00556:22", part1790); - - var select401 = linear_select([ - msg1118, - msg1119, - msg1120, - msg1121, - msg1122, - msg1123, - msg1124, - msg1125, - msg1126, - msg1127, - msg1128, - msg1129, - msg1130, - msg1131, - msg1132, - msg1133, - msg1134, - msg1135, - msg1136, - msg1137, - msg1138, - msg1139, - ]); - - var part1791 = 
match("MESSAGE#1124:00572", "nwparser.payload", "PPP LCP on interface %{interface->} is %{fld2}. (%{fld1})", processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg1140 = msg("00572", part1791); - - var part1792 = match("MESSAGE#1125:00572:01", "nwparser.payload", "PPP authentication state on interface %{interface}: %{result}. (%{fld1})", processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg1141 = msg("00572:01", part1792); - - var part1793 = match("MESSAGE#1126:00572:03", "nwparser.payload", "PPP on interface %{interface->} is %{disposition->} by receiving Terminate-Request. (%{fld1})", processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg1142 = msg("00572:03", part1793); - - var select402 = linear_select([ - msg1140, - msg1141, - msg1142, - ]); - - var part1794 = match("MESSAGE#1127:00615", "nwparser.payload", "PBR policy \"%{policyname}\" rebuilding lookup tree for virtual router \"%{node}\". (%{fld1})", processor_chain([ - dup44, - dup2, - dup4, - dup5, - dup9, - ])); - - var msg1143 = msg("00615", part1794); - - var part1795 = match("MESSAGE#1128:00615:01", "nwparser.payload", "PBR policy \"%{policyname}\" lookup tree rebuilt successfully in virtual router \"%{node}\". (%{fld1})", processor_chain([ - dup44, - dup2, - dup4, - dup5, - dup9, - ])); - - var msg1144 = msg("00615:01", part1795); - - var select403 = linear_select([ - msg1143, - msg1144, - ]); - - var part1796 = match("MESSAGE#1129:00601", "nwparser.payload", "%{signame->} attack! From %{saddr}:%{sport->} to %{daddr}:%{dport}, proto %{protocol}, through policy %{policyname}. Occurred %{dclass_counter1->} times. 
(%{fld1})", processor_chain([ - dup58, - dup2, - dup59, - dup3, - dup9, - dup4, - dup5, - dup61, - ])); - - var msg1145 = msg("00601", part1796); - - var part1797 = match("MESSAGE#1130:00601:01", "nwparser.payload", "%{signame->} has been detected from %{saddr}/%{sport->} to %{daddr}/%{dport->} through policy %{policyname->} %{dclass_counter1->} times. (%{fld1})", processor_chain([ - dup58, - dup2, - dup59, - dup3, - dup9, - dup4, - dup5, - dup61, - ])); - - var msg1146 = msg("00601:01", part1797); - - var part1798 = match("MESSAGE#1131:00601:18", "nwparser.payload", "Error in initializing multicast.%{}", processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1147 = msg("00601:18", part1798); - - var select404 = linear_select([ - msg1145, - msg1146, - msg1147, - ]); - - var part1799 = match("MESSAGE#1132:00602", "nwparser.payload", "PIMSM Error in initializing interface state change%{}", processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1148 = msg("00602", part1799); - - var part1800 = match("MESSAGE#1133:00612/0", "nwparser.payload", "Switch event: the status of ethernet port %{fld2->} changed to link %{p0}"); - - var part1801 = match("MESSAGE#1133:00612/2", "nwparser.p0", ", duplex %{p0}"); - - var part1802 = match("MESSAGE#1133:00612/3_0", "nwparser.p0", "full %{p0}"); - - var part1803 = match("MESSAGE#1133:00612/3_1", "nwparser.p0", "half %{p0}"); - - var select405 = linear_select([ - part1802, - part1803, - ]); - - var part1804 = match("MESSAGE#1133:00612/4", "nwparser.p0", ", speed 10%{p0}"); - - var part1805 = match("MESSAGE#1133:00612/5_0", "nwparser.p0", "0 %{p0}"); - - var select406 = linear_select([ - part1805, - dup96, - ]); - - var part1806 = match("MESSAGE#1133:00612/6", "nwparser.p0", "M. 
(%{fld1})"); - - var all369 = all_match({ - processors: [ - part1800, - dup353, - part1801, - select405, - part1804, - select406, - part1806, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg1149 = msg("00612", all369); - - var part1807 = match("MESSAGE#1134:00620", "nwparser.payload", "RTSYNC: Event posted to send all the DRP routes to backup device. (%{fld1})", processor_chain([ - dup272, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg1150 = msg("00620", part1807); - - var part1808 = match("MESSAGE#1135:00620:01/0", "nwparser.payload", "RTSYNC: %{p0}"); - - var part1809 = match("MESSAGE#1135:00620:01/1_0", "nwparser.p0", "Serviced%{p0}"); - - var part1810 = match("MESSAGE#1135:00620:01/1_1", "nwparser.p0", "Recieved%{p0}"); - - var select407 = linear_select([ - part1809, - part1810, - ]); - - var part1811 = match("MESSAGE#1135:00620:01/2", "nwparser.p0", "%{}coldstart request for route synchronization from NSRP peer. (%{fld1})"); - - var all370 = all_match({ - processors: [ - part1808, - select407, - part1811, - ], - on_success: processor_chain([ - dup272, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg1151 = msg("00620:01", all370); - - var part1812 = match("MESSAGE#1136:00620:02", "nwparser.payload", "RTSYNC: Started timer to purge all the DRP backup routes - %{fld2->} (%{fld1})", processor_chain([ - dup272, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg1152 = msg("00620:02", part1812); - - var part1813 = match("MESSAGE#1137:00620:03", "nwparser.payload", "RTSYNC: Event posted to purge backup routes in all vrouters. (%{fld1})", processor_chain([ - dup272, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg1153 = msg("00620:03", part1813); - - var part1814 = match("MESSAGE#1138:00620:04", "nwparser.payload", "RTSYNC: Timer to purge the DRP backup routes is stopped. 
(%{fld1})", processor_chain([ - dup272, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg1154 = msg("00620:04", part1814); - - var select408 = linear_select([ - msg1150, - msg1151, - msg1152, - msg1153, - msg1154, - ]); - - var part1815 = match("MESSAGE#1139:00622", "nwparser.payload", "NHRP : NHRP instance in virtual router %{node->} is created. (%{fld1})", processor_chain([ - dup273, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg1155 = msg("00622", part1815); - - var part1816 = match("MESSAGE#1140:00625/0", "nwparser.payload", "Session (id %{sessionid->} src-ip %{saddr->} dst-ip %{daddr->} dst port %{dport}) route is %{p0}"); - - var part1817 = match("MESSAGE#1140:00625/1_0", "nwparser.p0", "invalid%{p0}"); - - var part1818 = match("MESSAGE#1140:00625/1_1", "nwparser.p0", "valid%{p0}"); - - var select409 = linear_select([ - part1817, - part1818, - ]); - - var all371 = all_match({ - processors: [ - part1816, - select409, - dup49, - ], - on_success: processor_chain([ - dup273, - dup2, - dup4, - dup5, - dup9, - ]), - }); - - var msg1156 = msg("00625", all371); - - var part1819 = match("MESSAGE#1141:00628/0", "nwparser.payload", "audit log queue %{p0}"); - - var part1820 = match("MESSAGE#1141:00628/1_0", "nwparser.p0", "Traffic Log %{p0}"); - - var part1821 = match("MESSAGE#1141:00628/1_1", "nwparser.p0", "Event Alarm Log %{p0}"); - - var part1822 = match("MESSAGE#1141:00628/1_2", "nwparser.p0", "Event Log %{p0}"); - - var select410 = linear_select([ - part1820, - part1821, - part1822, - ]); - - var part1823 = match("MESSAGE#1141:00628/2", "nwparser.p0", "is overwritten (%{fld1})"); - - var all372 = all_match({ - processors: [ - part1819, - select410, - part1823, - ], - on_success: processor_chain([ - dup223, - dup2, - dup4, - dup5, - dup9, - ]), - }); - - var msg1157 = msg("00628", all372); - - var part1824 = match("MESSAGE#1142:00767:50", "nwparser.payload", "Log setting was modified to %{disposition->} %{fld2->} level by admin 
%{administrator->} (%{fld1})", processor_chain([ - dup1, - dup2, - dup4, - dup5, - dup9, - dup282, - ])); - - var msg1158 = msg("00767:50", part1824); - - var part1825 = match("MESSAGE#1143:00767:51", "nwparser.payload", "Attack CS:Man in Middle is created by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport->} by admin %{administrator->} (%{fld1})", processor_chain([ - dup58, - dup2, - dup4, - dup5, - dup9, - ])); - - var msg1159 = msg("00767:51", part1825); - - var part1826 = match("MESSAGE#1144:00767:52", "nwparser.payload", "Attack group %{group->} is created by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport->} by admin %{administrator->} (%{fld1})", processor_chain([ - dup58, - dup2, - dup4, - dup5, - dup9, - ])); - - var msg1160 = msg("00767:52", part1826); - - var part1827 = match("MESSAGE#1145:00767:53", "nwparser.payload", "Attack CS:Man in Middle is added to attack group %{group->} by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport->} by admin %{administrator->} (%{fld1})", processor_chain([ - dup58, - dup2, - dup4, - dup5, - dup9, - ])); - - var msg1161 = msg("00767:53", part1827); - - var part1828 = match("MESSAGE#1146:00767", "nwparser.payload", "Cannot contact the SecurID server%{}", processor_chain([ - dup27, - setc("ec_theme","Communication"), - dup39, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1162 = msg("00767", part1828); - - var part1829 = match("MESSAGE#1147:00767:01/0", "nwparser.payload", "System auto-config of file %{fld2->} from TFTP server %{hostip->} has %{p0}"); - - var part1830 = match("MESSAGE#1147:00767:01/1_0", "nwparser.p0", "been loaded successfully%{}"); - - var part1831 = match("MESSAGE#1147:00767:01/1_1", "nwparser.p0", "failed%{}"); - - var select411 = linear_select([ - part1830, - part1831, - ]); - - var all373 = all_match({ - processors: [ - part1829, - select411, - ], - on_success: processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, 
- ]), - }); - - var msg1163 = msg("00767:01", all373); - - var part1832 = match("MESSAGE#1148:00767:02", "nwparser.payload", "netscreen: System Config saved from host %{saddr}", processor_chain([ - setc("eventcategory","1702000000"), - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1164 = msg("00767:02", part1832); - - var part1833 = match("MESSAGE#1149:00767:03", "nwparser.payload", "System Config saved to filename %(unknown)", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1165 = msg("00767:03", part1833); - - var part1834 = match("MESSAGE#1150:00767:04", "nwparser.payload", "System is operational.%{}", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1166 = msg("00767:04", part1834); - - var part1835 = match("MESSAGE#1151:00767:05", "nwparser.payload", "The device cannot contact the SecurID server%{}", processor_chain([ - dup27, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1167 = msg("00767:05", part1835); - - var part1836 = match("MESSAGE#1152:00767:06", "nwparser.payload", "The device cannot send data to the SecurID server%{}", processor_chain([ - dup27, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1168 = msg("00767:06", part1836); - - var part1837 = match("MESSAGE#1153:00767:07", "nwparser.payload", "The system configuration was saved from peer unit by admin%{}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1169 = msg("00767:07", part1837); - - var part1838 = match("MESSAGE#1154:00767:08/0", "nwparser.payload", "The system configuration was saved by admin %{p0}"); - - var all374 = all_match({ - processors: [ - part1838, - dup397, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg1170 = msg("00767:08", all374); - - var part1839 = match("MESSAGE#1155:00767:09/0", "nwparser.payload", "traffic shaping is turned O%{p0}"); - - var part1840 = match("MESSAGE#1155:00767:09/1_0", "nwparser.p0", "N%{}"); - - var 
part1841 = match("MESSAGE#1155:00767:09/1_1", "nwparser.p0", "FF%{}"); - - var select412 = linear_select([ - part1840, - part1841, - ]); - - var all375 = all_match({ - processors: [ - part1839, - select412, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg1171 = msg("00767:09", all375); - - var part1842 = match("MESSAGE#1156:00767:10/0", "nwparser.payload", "The system configuration was saved from host %{saddr->} by admin %{p0}"); - - var all376 = all_match({ - processors: [ - part1842, - dup397, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg1172 = msg("00767:10", all376); - - var part1843 = match("MESSAGE#1157:00767:11/0", "nwparser.payload", "Fatal error. The NetScreen device was unable to upgrade the %{p0}"); - - var part1844 = match("MESSAGE#1157:00767:11/1_1", "nwparser.p0", "file system %{p0}"); - - var select413 = linear_select([ - dup331, - part1844, - ]); - - var part1845 = match("MESSAGE#1157:00767:11/2", "nwparser.p0", ", and the %{p0}"); - - var part1846 = match("MESSAGE#1157:00767:11/3_1", "nwparser.p0", "old file system %{p0}"); - - var select414 = linear_select([ - dup331, - part1846, - ]); - - var part1847 = match("MESSAGE#1157:00767:11/4", "nwparser.p0", "is damaged.%{}"); - - var all377 = all_match({ - processors: [ - part1843, - select413, - part1845, - select414, - part1847, - ], - on_success: processor_chain([ - dup18, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg1173 = msg("00767:11", all377); - - var part1848 = match("MESSAGE#1158:00767:12", "nwparser.payload", "System configuration saved by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport->} by %{fld2->} (%{fld1})", processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg1174 = msg("00767:12", part1848); - - var part1849 = match("MESSAGE#1159:00767:13/0", "nwparser.payload", "%{fld2}Environment variable %{fld3->} is 
changed to %{fld4->} by admin %{p0}"); - - var all378 = all_match({ - processors: [ - part1849, - dup397, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg1175 = msg("00767:13", all378); - - var part1850 = match("MESSAGE#1160:00767:14/0", "nwparser.payload", "System was %{p0}"); - - var part1851 = match("MESSAGE#1160:00767:14/1_0", "nwparser.p0", "reset %{p0}"); - - var select415 = linear_select([ - part1851, - dup262, - ]); - - var part1852 = match("MESSAGE#1160:00767:14/2", "nwparser.p0", "at %{fld2->} by %{p0}"); - - var part1853 = match("MESSAGE#1160:00767:14/3_0", "nwparser.p0", "admin %{administrator}"); - - var part1854 = match_copy("MESSAGE#1160:00767:14/3_1", "nwparser.p0", "username"); - - var select416 = linear_select([ - part1853, - part1854, - ]); - - var all379 = all_match({ - processors: [ - part1850, - select415, - part1852, - select416, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg1176 = msg("00767:14", all379); - - var part1855 = match("MESSAGE#1161:00767:15/1_0", "nwparser.p0", "System %{p0}"); - - var part1856 = match("MESSAGE#1161:00767:15/1_1", "nwparser.p0", "Event %{p0}"); - - var part1857 = match("MESSAGE#1161:00767:15/1_2", "nwparser.p0", "Traffic %{p0}"); - - var select417 = linear_select([ - part1855, - part1856, - part1857, - ]); - - var part1858 = match("MESSAGE#1161:00767:15/2", "nwparser.p0", "log was reviewed by %{p0}"); - - var part1859 = match("MESSAGE#1161:00767:15/4", "nwparser.p0", "%{} %{username}."); - - var all380 = all_match({ - processors: [ - dup183, - select417, - part1858, - dup336, - part1859, - ], - on_success: processor_chain([ - dup223, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg1177 = msg("00767:15", all380); - - var part1860 = match("MESSAGE#1162:00767:16", "nwparser.payload", "%{fld2->} Admin %{administrator->} issued command %{info->} to redirect output.", processor_chain([ - dup1, - 
dup2, - dup3, - dup4, - dup5, - ])); - - var msg1178 = msg("00767:16", part1860); - - var part1861 = match("MESSAGE#1163:00767:17/0", "nwparser.payload", "%{fld2->} Save new software from %{fld3->} to flash by admin %{p0}"); - - var all381 = all_match({ - processors: [ - part1861, - dup397, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg1179 = msg("00767:17", all381); - - var part1862 = match("MESSAGE#1164:00767:18", "nwparser.payload", "Attack database version %{version->} has been %{fld2->} saved to flash.", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1180 = msg("00767:18", part1862); - - var part1863 = match("MESSAGE#1165:00767:19", "nwparser.payload", "Attack database version %{version->} was rejected because the authentication check failed.", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1181 = msg("00767:19", part1863); - - var part1864 = match("MESSAGE#1166:00767:20", "nwparser.payload", "The dictionary file version of the RADIUS server %{hostname->} does not match %{fld2}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1182 = msg("00767:20", part1864); - - var part1865 = match("MESSAGE#1167:00767:21", "nwparser.payload", "Session (%{fld2->} %{fld3}, %{fld4}) cleared %{fld5}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1183 = msg("00767:21", part1865); - - var part1866 = match("MESSAGE#1168:00767:22/0", "nwparser.payload", "The system configuration was not saved %{p0}"); - - var part1867 = match("MESSAGE#1168:00767:22/1_0", "nwparser.p0", "%{fld2->} by admin %{administrator->} via NSRP Peer %{p0}"); - - var part1868 = match("MESSAGE#1168:00767:22/1_1", "nwparser.p0", "%{fld2->} %{p0}"); - - var select418 = linear_select([ - part1867, - part1868, - ]); - - var part1869 = match("MESSAGE#1168:00767:22/2", "nwparser.p0", "by administrator %{fld3}. 
%{p0}"); - - var part1870 = match("MESSAGE#1168:00767:22/3_0", "nwparser.p0", "It was locked %{p0}"); - - var part1871 = match("MESSAGE#1168:00767:22/3_1", "nwparser.p0", "Locked %{p0}"); - - var select419 = linear_select([ - part1870, - part1871, - ]); - - var part1872 = match("MESSAGE#1168:00767:22/4", "nwparser.p0", "by administrator %{fld4->} %{p0}"); - - var all382 = all_match({ - processors: [ - part1866, - select418, - part1869, - select419, - part1872, - dup354, - ], - on_success: processor_chain([ - dup50, - dup43, - dup51, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg1184 = msg("00767:22", all382); - - var part1873 = match("MESSAGE#1169:00767:23", "nwparser.payload", "Save new software from slot filename %{filename->} to flash memory by administrator %{administrator}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1185 = msg("00767:23", part1873); - - var part1874 = match("MESSAGE#1170:00767:25/0", "nwparser.payload", "System configuration saved by %{username->} via %{logon_type->} from %{p0}"); - - var select420 = linear_select([ - dup169, - dup16, - ]); - - var part1875 = match("MESSAGE#1170:00767:25/3_0", "nwparser.p0", "%{saddr}:%{sport->} by %{p0}"); - - var part1876 = match("MESSAGE#1170:00767:25/3_1", "nwparser.p0", "%{saddr->} by %{p0}"); - - var select421 = linear_select([ - part1875, - part1876, - ]); - - var all383 = all_match({ - processors: [ - part1874, - select420, - dup23, - select421, - dup108, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg1186 = msg("00767:25", all383); - - var part1877 = match("MESSAGE#1171:00767:26/0", "nwparser.payload", "Lock configuration %{p0}"); - - var part1878 = match("MESSAGE#1171:00767:26/1_0", "nwparser.p0", "started%{p0}"); - - var part1879 = match("MESSAGE#1171:00767:26/1_1", "nwparser.p0", "ended%{p0}"); - - var select422 = linear_select([ - part1878, - part1879, - ]); - - var part1880 = 
match("MESSAGE#1171:00767:26/2", "nwparser.p0", "%{}by task %{p0}"); - - var part1881 = match("MESSAGE#1171:00767:26/3_0", "nwparser.p0", "%{fld3}, with a timeout value of %{fld2}"); - - var part1882 = match("MESSAGE#1171:00767:26/3_1", "nwparser.p0", "%{fld2->} (%{fld1})"); - - var select423 = linear_select([ - part1881, - part1882, - ]); - - var all384 = all_match({ - processors: [ - part1877, - select422, - part1880, - select423, - ], - on_success: processor_chain([ - dup50, - dup43, - dup51, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg1187 = msg("00767:26", all384); - - var part1883 = match("MESSAGE#1172:00767:27/0", "nwparser.payload", "Environment variable %{fld2->} changed to %{p0}"); - - var part1884 = match("MESSAGE#1172:00767:27/1_0", "nwparser.p0", "%{fld3->} by %{username->} (%{fld1})"); - - var part1885 = match_copy("MESSAGE#1172:00767:27/1_1", "nwparser.p0", "fld3"); - - var select424 = linear_select([ - part1884, - part1885, - ]); - - var all385 = all_match({ - processors: [ - part1883, - select424, - ], - on_success: processor_chain([ - dup223, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg1188 = msg("00767:27", all385); - - var part1886 = match("MESSAGE#1173:00767:28", "nwparser.payload", "The system configuration was loaded from IP address %{hostip->} under filename %{filename->} by administrator by admin %{administrator->} (%{fld1})", processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg1189 = msg("00767:28", part1886); - - var part1887 = match("MESSAGE#1174:00767:29", "nwparser.payload", "Save configuration to IP address %{hostip->} under filename %{filename->} by administrator by admin %{administrator->} (%{fld1})", processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg1190 = msg("00767:29", part1887); - - var part1888 = match("MESSAGE#1175:00767:30", "nwparser.payload", "%{fld2}: The system configuration was saved from host %{saddr->} by admin 
%{administrator->} (%{fld1})", processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg1191 = msg("00767:30", part1888); - - var part1889 = match("MESSAGE#1176:00767:31/1_0", "nwparser.p0", "logged events or alarms %{p0}"); - - var part1890 = match("MESSAGE#1176:00767:31/1_1", "nwparser.p0", "traffic logs %{p0}"); - - var select425 = linear_select([ - part1889, - part1890, - ]); - - var part1891 = match("MESSAGE#1176:00767:31/2", "nwparser.p0", "were cleared by admin %{p0}"); - - var all386 = all_match({ - processors: [ - dup186, - select425, - part1891, - dup397, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg1192 = msg("00767:31", all386); - - var part1892 = match("MESSAGE#1177:00767:32/0", "nwparser.payload", "SIP parser error %{p0}"); - - var part1893 = match("MESSAGE#1177:00767:32/1_0", "nwparser.p0", "SIP-field%{p0}"); - - var part1894 = match("MESSAGE#1177:00767:32/1_1", "nwparser.p0", "Message%{p0}"); - - var select426 = linear_select([ - part1893, - part1894, - ]); - - var part1895 = match("MESSAGE#1177:00767:32/2", "nwparser.p0", ": %{result}(%{fld1})"); - - var all387 = all_match({ - processors: [ - part1892, - select426, - part1895, - ], - on_success: processor_chain([ - dup27, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg1193 = msg("00767:32", all387); - - var part1896 = match("MESSAGE#1178:00767:33", "nwparser.payload", "Daylight Saving Time has started. 
(%{fld1})", processor_chain([ - dup44, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg1194 = msg("00767:33", part1896); - - var part1897 = match("MESSAGE#1179:00767:34", "nwparser.payload", "NetScreen devices do not support multiple IP addresses %{hostip->} or ports %{network_port->} in SIP headers RESPONSE (%{fld1})", processor_chain([ - dup313, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg1195 = msg("00767:34", part1897); - - var part1898 = match("MESSAGE#1180:00767:35", "nwparser.payload", "Environment variable %{fld2->} set to %{fld3->} (%{fld1})", processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg1196 = msg("00767:35", part1898); - - var part1899 = match("MESSAGE#1181:00767:36", "nwparser.payload", "System configuration saved from %{fld2->} by %{username->} (%{fld1})", processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg1197 = msg("00767:36", part1899); - - var part1900 = match("MESSAGE#1182:00767:37", "nwparser.payload", "Trial keys are available to download to enable advanced features. %{space->} To find out, please visit %{url->} (%{fld1})", processor_chain([ - dup254, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg1198 = msg("00767:37", part1900); - - var part1901 = match("MESSAGE#1183:00767:38", "nwparser.payload", "Log buffer was full and remaining messages were sent to external destination. %{fld2->} packets were dropped. 
(%{fld1})", processor_chain([ - setc("eventcategory","1602000000"), - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg1199 = msg("00767:38", part1901); - - var part1902 = match("MESSAGE#1184:00767:39/0", "nwparser.payload", "Cannot %{p0}"); - - var part1903 = match("MESSAGE#1184:00767:39/1_0", "nwparser.p0", "download %{p0}"); - - var part1904 = match("MESSAGE#1184:00767:39/1_1", "nwparser.p0", "parse %{p0}"); - - var select427 = linear_select([ - part1903, - part1904, - ]); - - var part1905 = match("MESSAGE#1184:00767:39/2", "nwparser.p0", "attack database %{p0}"); - - var part1906 = match("MESSAGE#1184:00767:39/3_0", "nwparser.p0", "from %{url->} (%{result}). %{p0}"); - - var part1907 = match("MESSAGE#1184:00767:39/3_1", "nwparser.p0", "%{fld2->} %{p0}"); - - var select428 = linear_select([ - part1906, - part1907, - ]); - - var all388 = all_match({ - processors: [ - part1902, - select427, - part1905, - select428, - dup10, - ], - on_success: processor_chain([ - dup324, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg1200 = msg("00767:39", all388); - - var part1908 = match("MESSAGE#1185:00767:40", "nwparser.payload", "Deep Inspection update key is %{disposition}. (%{fld1})", processor_chain([ - dup62, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg1201 = msg("00767:40", part1908); - - var part1909 = match("MESSAGE#1186:00767:42", "nwparser.payload", "System configuration saved by %{username->} via %{logon_type->} to %{daddr}:%{dport->} by %{fld2->} (%{fld1})", processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg1202 = msg("00767:42", part1909); - - var part1910 = match("MESSAGE#1187:00767:43", "nwparser.payload", "Daylight Saving Time ended. 
(%{fld1})", processor_chain([ - dup44, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg1203 = msg("00767:43", part1910); - - var part1911 = match("MESSAGE#1188:00767:44", "nwparser.payload", "New GMT zone ahead or behind by %{fld2->} (%{fld1})", processor_chain([ - dup44, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg1204 = msg("00767:44", part1911); - - var part1912 = match("MESSAGE#1189:00767:45", "nwparser.payload", "Attack database version %{version->} is saved to flash. (%{fld1})", processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg1205 = msg("00767:45", part1912); - - var part1913 = match("MESSAGE#1190:00767:46", "nwparser.payload", "System configuration saved by netscreen via %{logon_type->} by netscreen. (%{fld1})", processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg1206 = msg("00767:46", part1913); - - var part1914 = match("MESSAGE#1191:00767:47", "nwparser.payload", "User %{username->} belongs to a different group in the RADIUS server than that allowed in the device. (%{fld1})", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - dup9, - ])); - - var msg1207 = msg("00767:47", part1914); - - var part1915 = match("MESSAGE#1192:00767:24/0", "nwparser.payload", "System configuration saved by %{p0}"); - - var part1916 = match("MESSAGE#1192:00767:24/2", "nwparser.p0", "%{logon_type->} by %{fld2->} (%{fld1})"); - - var all389 = all_match({ - processors: [ - part1915, - dup364, - part1916, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg1208 = msg("00767:24", all389); - - var part1917 = match("MESSAGE#1193:00767:48", "nwparser.payload", "HA: Synchronization file(s) hidden file end with c sent to backup device in cluster. 
(%{fld1})", processor_chain([ - dup272, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg1209 = msg("00767:48", part1917); - - var part1918 = match("MESSAGE#1194:00767:49/0", "nwparser.payload", "%{fld2->} turn o%{p0}"); - - var part1919 = match("MESSAGE#1194:00767:49/1_0", "nwparser.p0", "n%{p0}"); - - var part1920 = match("MESSAGE#1194:00767:49/1_1", "nwparser.p0", "ff%{p0}"); - - var select429 = linear_select([ - part1919, - part1920, - ]); - - var part1921 = match("MESSAGE#1194:00767:49/2", "nwparser.p0", "%{}debug switch for %{fld3->} (%{fld1})"); - - var all390 = all_match({ - processors: [ - part1918, - select429, - part1921, - ], - on_success: processor_chain([ - dup1, - dup2, - dup4, - dup5, - dup9, - ]), - }); - - var msg1210 = msg("00767:49", all390); - - var select430 = linear_select([ - msg1158, - msg1159, - msg1160, - msg1161, - msg1162, - msg1163, - msg1164, - msg1165, - msg1166, - msg1167, - msg1168, - msg1169, - msg1170, - msg1171, - msg1172, - msg1173, - msg1174, - msg1175, - msg1176, - msg1177, - msg1178, - msg1179, - msg1180, - msg1181, - msg1182, - msg1183, - msg1184, - msg1185, - msg1186, - msg1187, - msg1188, - msg1189, - msg1190, - msg1191, - msg1192, - msg1193, - msg1194, - msg1195, - msg1196, - msg1197, - msg1198, - msg1199, - msg1200, - msg1201, - msg1202, - msg1203, - msg1204, - msg1205, - msg1206, - msg1207, - msg1208, - msg1209, - msg1210, - ]); - - var part1922 = match("MESSAGE#1195:01269", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} direction=%{direction->} action=Deny sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} icmp type=%{icmptype}", processor_chain([ - dup185, - dup2, - dup4, - dup5, - dup274, - dup277, - dup3, - dup275, - dup60, - ])); - - var msg1211 = msg("01269", part1922); - - var msg1212 = msg("01269:01", dup407); - - var msg1213 = msg("01269:02", dup408); - - var msg1214 = msg("01269:03", dup409); - - var 
select431 = linear_select([ - msg1211, - msg1212, - msg1213, - msg1214, - ]); - - var part1923 = match("MESSAGE#1199:17852", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} direction=%{direction->} action=Deny sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport}", processor_chain([ - dup185, - dup2, - dup4, - dup5, - dup274, - dup3, - dup276, - dup277, - dup275, - dup332, - ])); - - var msg1215 = msg("17852", part1923); - - var part1924 = match("MESSAGE#1200:17852:01", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} direction=%{direction->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport}", processor_chain([ - dup281, - dup2, - dup4, - dup5, - dup274, - dup3, - dup275, - dup332, - dup282, - ])); - - var msg1216 = msg("17852:01", part1924); - - var part1925 = match("MESSAGE#1201:17852:02", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=Deny sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport}", processor_chain([ - dup185, - dup2, - dup4, - dup5, - dup274, - dup3, - dup275, - dup276, - dup277, - dup61, - ])); - - var msg1217 = msg("17852:02", part1925); - - var part1926 = match("MESSAGE#1202:17852:03", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport}", processor_chain([ - dup281, - dup2, - dup4, - dup5, - dup274, - dup3, - dup275, - dup332, 
- dup282, - ])); - - var msg1218 = msg("17852:03", part1926); - - var select432 = linear_select([ - msg1215, - msg1216, - msg1217, - msg1218, - ]); - - var msg1219 = msg("23184", dup410); - - var part1927 = match("MESSAGE#1204:23184:01", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} (%{fld3}) proto=%{protocol->} direction=%{direction->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport}", processor_chain([ - dup281, - dup2, - dup4, - dup5, - dup274, - dup3, - dup275, - dup61, - dup282, - ])); - - var msg1220 = msg("23184:01", part1927); - - var part1928 = match("MESSAGE#1205:23184:02", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} (%{fld3}) proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=Deny sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport}", processor_chain([ - dup185, - dup2, - dup4, - dup5, - dup274, - dup3, - dup276, - dup277, - dup275, - dup61, - ])); - - var msg1221 = msg("23184:02", part1928); - - var part1929 = match("MESSAGE#1206:23184:03", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} (%{fld3}) proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport}", processor_chain([ - dup281, - dup2, - dup4, - dup5, - dup274, - dup3, - dup275, - dup332, - dup282, - ])); - - var msg1222 = msg("23184:03", part1929); - - var select433 = linear_select([ - msg1219, - msg1220, - msg1221, - msg1222, - ]); - - var msg1223 = msg("27052", dup410); - - var part1930 = match("MESSAGE#1208:27052:01", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} 
service=%{service->} (%{fld3}) proto=%{protocol}direction=%{direction->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport}", processor_chain([ - dup281, - dup2, - dup4, - dup5, - dup274, - dup3, - dup275, - dup61, - dup282, - ])); - - var msg1224 = msg("27052:01", part1930); - - var select434 = linear_select([ - msg1223, - msg1224, - ]); - - var part1931 = match("MESSAGE#1209:39568", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} direction=%{direction->} action=Deny sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} icmp type=%{icmptype}", processor_chain([ - dup185, - dup2, - dup4, - dup277, - dup5, - dup274, - dup3, - dup275, - dup276, - dup60, - ])); - - var msg1225 = msg("39568", part1931); - - var msg1226 = msg("39568:01", dup407); - - var msg1227 = msg("39568:02", dup408); - - var msg1228 = msg("39568:03", dup409); - - var select435 = linear_select([ - msg1225, - msg1226, - msg1227, - msg1228, - ]); - - var chain1 = processor_chain([ - select2, - msgid_select({ - "00001": select6, - "00002": select29, - "00003": select31, - "00004": select33, - "00005": select39, - "00006": select40, - "00007": select63, - "00008": select66, - "00009": select83, - "00010": select86, - "00011": select100, - "00012": select101, - "00013": select102, - "00014": select104, - "00015": select114, - "00016": select115, - "00017": select125, - "00018": select138, - "00019": select147, - "00020": select150, - "00021": select151, - "00022": select163, - "00023": select164, - "00024": select170, - "00025": select171, - "00026": select176, - "00027": select184, - "00028": msg469, - "00029": select188, - "00030": select197, - "00031": select205, - "00032": select207, - "00033": select214, - "00034": select225, - "00035": select232, - "00036": select234, - "00037": select241, - "00038": msg660, - "00039": msg661, - 
"00040": select244, - "00041": select245, - "00042": select246, - "00043": msg668, - "00044": select248, - "00045": msg671, - "00047": msg672, - "00048": select257, - "00049": select258, - "00050": msg682, - "00051": msg683, - "00052": msg684, - "00055": select265, - "00056": msg696, - "00057": msg697, - "00058": msg698, - "00059": select272, - "00062": select273, - "00063": msg713, - "00064": select274, - "00070": select276, - "00071": select277, - "00072": select278, - "00073": select279, - "00074": msg726, - "00075": select280, - "00076": select281, - "00077": select282, - "00084": msg735, - "00090": msg736, - "00200": msg737, - "00201": msg738, - "00202": msg739, - "00203": msg740, - "00206": select285, - "00207": select286, - "00257": select291, - "00259": select294, - "00262": msg778, - "00263": msg779, - "00400": msg780, - "00401": msg781, - "00402": select296, - "00403": msg784, - "00404": msg785, - "00405": msg786, - "00406": msg787, - "00407": msg788, - "00408": msg789, - "00409": msg790, - "00410": select297, - "00411": msg793, - "00413": select298, - "00414": select299, - "00415": msg799, - "00423": msg800, - "00429": select300, - "00430": select301, - "00431": msg805, - "00432": msg806, - "00433": msg807, - "00434": msg808, - "00435": select302, - "00436": select303, - "00437": select304, - "00438": select305, - "00440": select306, - "00441": msg823, - "00442": msg824, - "00443": msg825, - "00511": select307, - "00513": msg841, - "00515": select328, - "00518": select331, - "00519": select336, - "00520": select339, - "00521": msg890, - "00522": msg891, - "00523": msg892, - "00524": select340, - "00525": select341, - "00526": msg912, - "00527": select348, - "00528": select354, - "00529": select357, - "00530": select358, - "00531": select362, - "00533": msg973, - "00534": msg974, - "00535": select363, - "00536": select365, - "00537": select366, - "00538": select372, - "00539": select373, - "00541": select375, - "00542": msg1062, - "00543": msg1063, - 
"00544": msg1064, - "00546": msg1065, - "00547": select379, - "00549": msg1070, - "00551": select381, - "00553": select385, - "00554": select391, - "00555": msg1117, - "00556": select401, - "00572": select402, - "00601": select404, - "00602": msg1148, - "00612": msg1149, - "00615": select403, - "00620": select408, - "00622": msg1155, - "00625": msg1156, - "00628": msg1157, - "00767": select430, - "01269": select431, - "17852": select432, - "23184": select433, - "27052": select434, - "39568": select435, - }), - ]); - - var part1932 = match("MESSAGE#2:00001:02/0", "nwparser.payload", "Address %{group_object->} for %{p0}"); - - var part1933 = match("MESSAGE#2:00001:02/1_1", "nwparser.p0", "domain address %{domain->} in zone %{p0}"); - - var part1934 = match("MESSAGE#4:00001:04/3_0", "nwparser.p0", " (%{fld1})"); - - var part1935 = match("MESSAGE#5:00001:05/1_0", "nwparser.p0", "(%{fld1})"); - - var part1936 = match_copy("MESSAGE#5:00001:05/1_1", "nwparser.p0", "fld1"); - - var part1937 = match("MESSAGE#8:00001:08/0", "nwparser.payload", "Address %{p0}"); - - var part1938 = match("MESSAGE#8:00001:08/1_0", "nwparser.p0", "MIP(%{interface}) %{p0}"); - - var part1939 = match("MESSAGE#8:00001:08/1_1", "nwparser.p0", "%{group_object->} %{p0}"); - - var part1940 = match("MESSAGE#8:00001:08/3_0", "nwparser.p0", "admin %{p0}"); - - var part1941 = match_copy("MESSAGE#8:00001:08/3_1", "nwparser.p0", "p0"); - - var part1942 = match("MESSAGE#25:00002:20/1_1", "nwparser.p0", "from host %{saddr->} "); - - var part1943 = match_copy("MESSAGE#25:00002:20/1_2", "nwparser.p0", ""); - - var part1944 = match("MESSAGE#26:00002:21/1", "nwparser.p0", "%{p0}"); - - var part1945 = match("MESSAGE#26:00002:21/2_0", "nwparser.p0", "password %{p0}"); - - var part1946 = match("MESSAGE#26:00002:21/2_1", "nwparser.p0", "name %{p0}"); - - var part1947 = match_copy("MESSAGE#27:00002:22/1_2", "nwparser.p0", "administrator"); - - var part1948 = match_copy("MESSAGE#42:00002:38/1_1", "nwparser.p0", 
"disposition"); - - var part1949 = match("MESSAGE#46:00002:42/1_1", "nwparser.p0", "via %{p0}"); - - var part1950 = match("MESSAGE#46:00002:42/4", "nwparser.p0", "%{fld1})"); - - var part1951 = match("MESSAGE#52:00002:48/3_1", "nwparser.p0", "%{logon_type->} from host %{saddr->} to %{daddr}:%{dport}. (%{p0}"); - - var part1952 = match("MESSAGE#53:00002:52/3_0", "nwparser.p0", "admin %{administrator->} via %{p0}"); - - var part1953 = match("MESSAGE#53:00002:52/3_2", "nwparser.p0", "%{username->} via %{p0}"); - - var part1954 = match("MESSAGE#53:00002:52/4_0", "nwparser.p0", "NSRP Peer . (%{p0}"); - - var part1955 = match("MESSAGE#55:00002:54/2", "nwparser.p0", ". (%{fld1})"); - - var part1956 = match("MESSAGE#56:00002/1_1", "nwparser.p0", "changed%{p0}"); - - var part1957 = match("MESSAGE#61:00003:05/0", "nwparser.payload", "The %{p0}"); - - var part1958 = match("MESSAGE#66:00004:04/1_0", "nwparser.p0", "interface%{p0}"); - - var part1959 = match("MESSAGE#66:00004:04/1_1", "nwparser.p0", "Interface%{p0}"); - - var part1960 = match("MESSAGE#76:00004:14/0", "nwparser.payload", "DNS entries have been %{p0}"); - - var part1961 = match("MESSAGE#79:00004:17/0", "nwparser.payload", "%{signame->} From %{saddr->} to %{daddr}, proto %{protocol->} (zone %{p0}"); - - var part1962 = match("MESSAGE#79:00004:17/1_0", "nwparser.p0", "%{zone}, %{p0}"); - - var part1963 = match("MESSAGE#79:00004:17/1_1", "nwparser.p0", "%{zone->} %{p0}"); - - var part1964 = match("MESSAGE#79:00004:17/2", "nwparser.p0", "int %{interface}).%{space}Occurred %{dclass_counter1->} times. 
(%{fld1})"); - - var part1965 = match("MESSAGE#83:00005:03/1_0", "nwparser.p0", "%{dport},%{p0}"); - - var part1966 = match("MESSAGE#83:00005:03/1_1", "nwparser.p0", "%{dport->} %{p0}"); - - var part1967 = match("MESSAGE#83:00005:03/2", "nwparser.p0", "%{space}using protocol %{p0}"); - - var part1968 = match("MESSAGE#83:00005:03/3_0", "nwparser.p0", "%{protocol},%{p0}"); - - var part1969 = match("MESSAGE#83:00005:03/3_1", "nwparser.p0", "%{protocol->} %{p0}"); - - var part1970 = match("MESSAGE#83:00005:03/5_1", "nwparser.p0", ". %{p0}"); - - var part1971 = match("MESSAGE#86:00005:06/0_0", "nwparser.payload", "%{fld2}: SYN %{p0}"); - - var part1972 = match("MESSAGE#86:00005:06/0_1", "nwparser.payload", "SYN %{p0}"); - - var part1973 = match("MESSAGE#87:00005:07/1_2", "nwparser.p0", "timeout value %{p0}"); - - var part1974 = match("MESSAGE#88:00005:08/2_0", "nwparser.p0", "destination %{p0}"); - - var part1975 = match("MESSAGE#88:00005:08/2_1", "nwparser.p0", "source %{p0}"); - - var part1976 = match("MESSAGE#97:00005:17/0", "nwparser.payload", "A %{p0}"); - - var part1977 = match("MESSAGE#98:00005:18/0", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to %{daddr}:%{dport}, proto %{protocol->} (zone %{zone->} %{p0}"); - - var part1978 = match("MESSAGE#98:00005:18/1_0", "nwparser.p0", ", int %{p0}"); - - var part1979 = match("MESSAGE#98:00005:18/1_1", "nwparser.p0", "int %{p0}"); - - var part1980 = match("MESSAGE#98:00005:18/2", "nwparser.p0", "%{interface}).%{space}Occurred %{dclass_counter1->} times. 
(%{fld1})"); - - var part1981 = match("MESSAGE#111:00007:04/0", "nwparser.payload", "HA %{p0}"); - - var part1982 = match("MESSAGE#111:00007:04/1_0", "nwparser.p0", "encryption %{p0}"); - - var part1983 = match("MESSAGE#111:00007:04/1_1", "nwparser.p0", "authentication %{p0}"); - - var part1984 = match("MESSAGE#111:00007:04/3_1", "nwparser.p0", "key %{p0}"); - - var part1985 = match("MESSAGE#118:00007:11/1_0", "nwparser.p0", "disabled%{}"); - - var part1986 = match("MESSAGE#118:00007:11/1_1", "nwparser.p0", "set to %{trigger_val}"); - - var part1987 = match("MESSAGE#127:00007:21/1_0", "nwparser.p0", "up%{}"); - - var part1988 = match("MESSAGE#127:00007:21/1_1", "nwparser.p0", "down%{}"); - - var part1989 = match("MESSAGE#139:00007:33/2_1", "nwparser.p0", " %{p0}"); - - var part1990 = match("MESSAGE#143:00007:37/1_0", "nwparser.p0", "set%{}"); - - var part1991 = match("MESSAGE#143:00007:37/1_1", "nwparser.p0", "unset%{}"); - - var part1992 = match("MESSAGE#144:00007:38/1_0", "nwparser.p0", "undefined %{p0}"); - - var part1993 = match("MESSAGE#144:00007:38/1_1", "nwparser.p0", "set %{p0}"); - - var part1994 = match("MESSAGE#144:00007:38/1_2", "nwparser.p0", "active %{p0}"); - - var part1995 = match("MESSAGE#144:00007:38/2", "nwparser.p0", "to %{p0}"); - - var part1996 = match("MESSAGE#157:00007:51/1_0", "nwparser.p0", "created %{p0}"); - - var part1997 = match("MESSAGE#157:00007:51/3_0", "nwparser.p0", ", %{p0}"); - - var part1998 = match("MESSAGE#157:00007:51/5_0", "nwparser.p0", "is %{p0}"); - - var part1999 = match("MESSAGE#157:00007:51/5_1", "nwparser.p0", "was %{p0}"); - - var part2000 = match("MESSAGE#157:00007:51/6", "nwparser.p0", "%{fld2}"); - - var part2001 = match("MESSAGE#163:00007:57/1_0", "nwparser.p0", "threshold %{p0}"); - - var part2002 = match("MESSAGE#163:00007:57/1_1", "nwparser.p0", "interval %{p0}"); - - var part2003 = match("MESSAGE#163:00007:57/3_0", "nwparser.p0", "of %{p0}"); - - var part2004 = match("MESSAGE#163:00007:57/3_1", 
"nwparser.p0", "that %{p0}"); - - var part2005 = match("MESSAGE#170:00007:64/0_0", "nwparser.payload", "Zone %{p0}"); - - var part2006 = match("MESSAGE#170:00007:64/0_1", "nwparser.payload", "Interface %{p0}"); - - var part2007 = match("MESSAGE#172:00007:66/2_1", "nwparser.p0", "n %{p0}"); - - var part2008 = match("MESSAGE#174:00007:68/4", "nwparser.p0", ".%{}"); - - var part2009 = match("MESSAGE#195:00009:06/1", "nwparser.p0", "for %{p0}"); - - var part2010 = match("MESSAGE#195:00009:06/2_0", "nwparser.p0", "the %{p0}"); - - var part2011 = match("MESSAGE#195:00009:06/4_0", "nwparser.p0", "removed %{p0}"); - - var part2012 = match("MESSAGE#202:00009:14/2_0", "nwparser.p0", "interface %{p0}"); - - var part2013 = match("MESSAGE#202:00009:14/2_1", "nwparser.p0", "the interface %{p0}"); - - var part2014 = match_copy("MESSAGE#202:00009:14/4_1", "nwparser.p0", "interface"); - - var part2015 = match("MESSAGE#203:00009:15/1_1", "nwparser.p0", "s %{p0}"); - - var part2016 = match("MESSAGE#203:00009:15/2", "nwparser.p0", "on interface %{interface->} %{p0}"); - - var part2017 = match("MESSAGE#203:00009:15/3_0", "nwparser.p0", "has been %{p0}"); - - var part2018 = match("MESSAGE#203:00009:15/4", "nwparser.p0", "%{disposition}."); - - var part2019 = match("MESSAGE#204:00009:16/3_0", "nwparser.p0", "removed from %{p0}"); - - var part2020 = match("MESSAGE#204:00009:16/3_1", "nwparser.p0", "added to %{p0}"); - - var part2021 = match("MESSAGE#210:00009:21/2", "nwparser.p0", "%{interface}). Occurred %{dclass_counter1->} times. 
(%{fld1})"); - - var part2022 = match("MESSAGE#219:00010:03/0", "nwparser.payload", "%{signame->} From %{saddr->} to %{daddr}, proto %{protocol->} (zone %{zone->} %{p0}"); - - var part2023 = match("MESSAGE#224:00011:04/1_1", "nwparser.p0", "Interface %{p0}"); - - var part2024 = match("MESSAGE#233:00011:14/1_0", "nwparser.p0", "set to %{fld2}"); - - var part2025 = match("MESSAGE#237:00011:18/4_1", "nwparser.p0", "gateway %{p0}"); - - var part2026 = match("MESSAGE#238:00011:19/6", "nwparser.p0", "%{} %{disposition}"); - - var part2027 = match("MESSAGE#274:00015:02/1_1", "nwparser.p0", "port number %{p0}"); - - var part2028 = match("MESSAGE#274:00015:02/2", "nwparser.p0", "has been %{disposition}"); - - var part2029 = match("MESSAGE#276:00015:04/1_0", "nwparser.p0", "IP %{p0}"); - - var part2030 = match("MESSAGE#276:00015:04/1_1", "nwparser.p0", "port %{p0}"); - - var part2031 = match("MESSAGE#284:00015:12/3_0", "nwparser.p0", "up %{p0}"); - - var part2032 = match("MESSAGE#284:00015:12/3_1", "nwparser.p0", "down %{p0}"); - - var part2033 = match("MESSAGE#294:00015:22/2_0", "nwparser.p0", "(%{fld1}) "); - - var part2034 = match("MESSAGE#317:00017:01/2_0", "nwparser.p0", ": %{p0}"); - - var part2035 = match("MESSAGE#320:00017:04/0", "nwparser.payload", "IP %{p0}"); - - var part2036 = match("MESSAGE#320:00017:04/1_0", "nwparser.p0", "address pool %{p0}"); - - var part2037 = match("MESSAGE#320:00017:04/1_1", "nwparser.p0", "pool %{p0}"); - - var part2038 = match("MESSAGE#326:00017:10/1_0", "nwparser.p0", "enabled %{p0}"); - - var part2039 = match("MESSAGE#326:00017:10/1_1", "nwparser.p0", "disabled %{p0}"); - - var part2040 = match("MESSAGE#332:00017:15/1_0", "nwparser.p0", "AH %{p0}"); - - var part2041 = match("MESSAGE#332:00017:15/1_1", "nwparser.p0", "ESP %{p0}"); - - var part2042 = match("MESSAGE#354:00018:11/0", "nwparser.payload", "%{} %{p0}"); - - var part2043 = match("MESSAGE#356:00018:32/0_0", "nwparser.payload", "Source%{p0}"); - - var part2044 = 
match("MESSAGE#356:00018:32/0_1", "nwparser.payload", "Destination%{p0}"); - - var part2045 = match("MESSAGE#356:00018:32/2_0", "nwparser.p0", "from %{p0}"); - - var part2046 = match("MESSAGE#356:00018:32/3", "nwparser.p0", "policy ID %{policy_id->} by admin %{administrator->} via NSRP Peer . (%{fld1})"); - - var part2047 = match("MESSAGE#375:00019:01/0", "nwparser.payload", "Attempt to enable %{p0}"); - - var part2048 = match("MESSAGE#375:00019:01/1_0", "nwparser.p0", "traffic logging via syslog %{p0}"); - - var part2049 = match("MESSAGE#375:00019:01/1_1", "nwparser.p0", "syslog %{p0}"); - - var part2050 = match("MESSAGE#378:00019:04/0", "nwparser.payload", "Syslog %{p0}"); - - var part2051 = match("MESSAGE#378:00019:04/1_0", "nwparser.p0", "host %{p0}"); - - var part2052 = match("MESSAGE#378:00019:04/3_1", "nwparser.p0", "domain name %{p0}"); - - var part2053 = match("MESSAGE#378:00019:04/4", "nwparser.p0", "has been changed to %{fld2}"); - - var part2054 = match("MESSAGE#380:00019:06/1_0", "nwparser.p0", "security facility %{p0}"); - - var part2055 = match("MESSAGE#380:00019:06/1_1", "nwparser.p0", "facility %{p0}"); - - var part2056 = match("MESSAGE#380:00019:06/3_0", "nwparser.p0", "local0%{}"); - - var part2057 = match("MESSAGE#380:00019:06/3_1", "nwparser.p0", "local1%{}"); - - var part2058 = match("MESSAGE#380:00019:06/3_2", "nwparser.p0", "local2%{}"); - - var part2059 = match("MESSAGE#380:00019:06/3_3", "nwparser.p0", "local3%{}"); - - var part2060 = match("MESSAGE#380:00019:06/3_4", "nwparser.p0", "local4%{}"); - - var part2061 = match("MESSAGE#380:00019:06/3_5", "nwparser.p0", "local5%{}"); - - var part2062 = match("MESSAGE#380:00019:06/3_6", "nwparser.p0", "local6%{}"); - - var part2063 = match("MESSAGE#380:00019:06/3_7", "nwparser.p0", "local7%{}"); - - var part2064 = match("MESSAGE#380:00019:06/3_8", "nwparser.p0", "auth/sec%{}"); - - var part2065 = match("MESSAGE#384:00019:10/0", "nwparser.payload", "%{fld2->} %{p0}"); - - var part2066 = 
match("MESSAGE#405:00022/0", "nwparser.payload", "All %{p0}"); - - var part2067 = match("MESSAGE#414:00022:09/1_0", "nwparser.p0", "primary %{p0}"); - - var part2068 = match("MESSAGE#414:00022:09/1_1", "nwparser.p0", "secondary %{p0}"); - - var part2069 = match("MESSAGE#414:00022:09/3_0", "nwparser.p0", "t %{p0}"); - - var part2070 = match("MESSAGE#414:00022:09/3_1", "nwparser.p0", "w %{p0}"); - - var part2071 = match("MESSAGE#423:00024/1", "nwparser.p0", "server %{p0}"); - - var part2072 = match("MESSAGE#426:00024:03/1_0", "nwparser.p0", "has %{p0}"); - - var part2073 = match("MESSAGE#434:00026:01/0", "nwparser.payload", "SCS%{p0}"); - - var part2074 = match("MESSAGE#434:00026:01/3_0", "nwparser.p0", "bound to %{p0}"); - - var part2075 = match("MESSAGE#434:00026:01/3_1", "nwparser.p0", "unbound from %{p0}"); - - var part2076 = match("MESSAGE#441:00026:08/1_1", "nwparser.p0", "PKA RSA %{p0}"); - - var part2077 = match("MESSAGE#443:00026:10/3_1", "nwparser.p0", "unbind %{p0}"); - - var part2078 = match("MESSAGE#443:00026:10/4", "nwparser.p0", "PKA key %{p0}"); - - var part2079 = match("MESSAGE#446:00027/0", "nwparser.payload", "Multiple login failures %{p0}"); - - var part2080 = match("MESSAGE#446:00027/1_0", "nwparser.p0", "occurred for %{p0}"); - - var part2081 = match("MESSAGE#451:00027:05/5_0", "nwparser.p0", "aborted%{}"); - - var part2082 = match("MESSAGE#451:00027:05/5_1", "nwparser.p0", "performed%{}"); - - var part2083 = match("MESSAGE#466:00029:03/0", "nwparser.payload", "IP pool of DHCP server on %{p0}"); - - var part2084 = match("MESSAGE#492:00030:17/1_0", "nwparser.p0", "certificate %{p0}"); - - var part2085 = match("MESSAGE#492:00030:17/1_1", "nwparser.p0", "CRL %{p0}"); - - var part2086 = match("MESSAGE#493:00030:40/1_0", "nwparser.p0", "auto %{p0}"); - - var part2087 = match("MESSAGE#508:00030:55/1_0", "nwparser.p0", "RSA %{p0}"); - - var part2088 = match("MESSAGE#508:00030:55/1_1", "nwparser.p0", "DSA %{p0}"); - - var part2089 = 
match("MESSAGE#508:00030:55/2", "nwparser.p0", "key pair.%{}"); - - var part2090 = match("MESSAGE#539:00030:86/0", "nwparser.payload", "FIPS test for %{p0}"); - - var part2091 = match("MESSAGE#539:00030:86/1_0", "nwparser.p0", "ECDSA %{p0}"); - - var part2092 = match("MESSAGE#543:00031:02/1_0", "nwparser.p0", "yes %{p0}"); - - var part2093 = match("MESSAGE#543:00031:02/1_1", "nwparser.p0", "no %{p0}"); - - var part2094 = match("MESSAGE#545:00031:04/1_1", "nwparser.p0", "location %{p0}"); - - var part2095 = match("MESSAGE#548:00031:05/2", "nwparser.p0", "%{} %{interface}"); - - var part2096 = match("MESSAGE#549:00031:06/0", "nwparser.payload", "arp re%{p0}"); - - var part2097 = match("MESSAGE#549:00031:06/1_1", "nwparser.p0", "q %{p0}"); - - var part2098 = match("MESSAGE#549:00031:06/1_2", "nwparser.p0", "ply %{p0}"); - - var part2099 = match("MESSAGE#549:00031:06/9_0", "nwparser.p0", "%{interface->} (%{fld1})"); - - var part2100 = match("MESSAGE#561:00033/0_0", "nwparser.payload", "Global PRO %{p0}"); - - var part2101 = match("MESSAGE#561:00033/0_1", "nwparser.payload", "%{fld3->} %{p0}"); - - var part2102 = match("MESSAGE#569:00033:08/0", "nwparser.payload", "NACN Policy Manager %{p0}"); - - var part2103 = match("MESSAGE#569:00033:08/1_0", "nwparser.p0", "1 %{p0}"); - - var part2104 = match("MESSAGE#569:00033:08/1_1", "nwparser.p0", "2 %{p0}"); - - var part2105 = match("MESSAGE#571:00033:10/3_1", "nwparser.p0", "unset %{p0}"); - - var part2106 = match("MESSAGE#581:00033:21/0", "nwparser.payload", "%{signame}! 
From %{saddr}:%{sport->} to %{daddr}:%{dport}, proto %{protocol->} (zone %{zone->} %{p0}"); - - var part2107 = match("MESSAGE#586:00034:01/2_1", "nwparser.p0", "SSH %{p0}"); - - var part2108 = match("MESSAGE#588:00034:03/0_0", "nwparser.payload", "SCS: NetScreen %{p0}"); - - var part2109 = match("MESSAGE#588:00034:03/0_1", "nwparser.payload", "NetScreen %{p0}"); - - var part2110 = match("MESSAGE#595:00034:10/0", "nwparser.payload", "S%{p0}"); - - var part2111 = match("MESSAGE#595:00034:10/1_0", "nwparser.p0", "CS: SSH%{p0}"); - - var part2112 = match("MESSAGE#595:00034:10/1_1", "nwparser.p0", "SH%{p0}"); - - var part2113 = match("MESSAGE#596:00034:12/3_0", "nwparser.p0", "the root system %{p0}"); - - var part2114 = match("MESSAGE#596:00034:12/3_1", "nwparser.p0", "vsys %{fld2->} %{p0}"); - - var part2115 = match("MESSAGE#599:00034:18/1_0", "nwparser.p0", "CS: SSH %{p0}"); - - var part2116 = match("MESSAGE#599:00034:18/1_1", "nwparser.p0", "SH %{p0}"); - - var part2117 = match("MESSAGE#630:00035:06/1_0", "nwparser.p0", "a %{p0}"); - - var part2118 = match("MESSAGE#630:00035:06/1_1", "nwparser.p0", "ert %{p0}"); - - var part2119 = match("MESSAGE#633:00035:09/0", "nwparser.payload", "SSL %{p0}"); - - var part2120 = match("MESSAGE#644:00037:01/1_0", "nwparser.p0", "id: %{p0}"); - - var part2121 = match("MESSAGE#644:00037:01/1_1", "nwparser.p0", "ID %{p0}"); - - var part2122 = match("MESSAGE#659:00044/1_0", "nwparser.p0", "permit %{p0}"); - - var part2123 = match("MESSAGE#675:00055/0", "nwparser.payload", "IGMP %{p0}"); - - var part2124 = match("MESSAGE#677:00055:02/0", "nwparser.payload", "IGMP will %{p0}"); - - var part2125 = match("MESSAGE#677:00055:02/1_0", "nwparser.p0", "not do %{p0}"); - - var part2126 = match("MESSAGE#677:00055:02/1_1", "nwparser.p0", "do %{p0}"); - - var part2127 = match("MESSAGE#689:00059/1_1", "nwparser.p0", "shut down %{p0}"); - - var part2128 = match("MESSAGE#707:00070/0", "nwparser.payload", "NSRP: %{p0}"); - - var part2129 = 
match("MESSAGE#707:00070/1_0", "nwparser.p0", "Unit %{p0}"); - - var part2130 = match("MESSAGE#707:00070/1_1", "nwparser.p0", "local unit= %{p0}"); - - var part2131 = match("MESSAGE#707:00070/2", "nwparser.p0", "%{fld2->} of VSD group %{group->} %{info}"); - - var part2132 = match("MESSAGE#708:00070:01/0", "nwparser.payload", "The local device %{fld2->} in the Virtual Sec%{p0}"); - - var part2133 = match("MESSAGE#708:00070:01/1_0", "nwparser.p0", "ruity%{p0}"); - - var part2134 = match("MESSAGE#708:00070:01/1_1", "nwparser.p0", "urity%{p0}"); - - var part2135 = match("MESSAGE#713:00072:01/2", "nwparser.p0", "%{}Device group %{group->} changed state"); - - var part2136 = match("MESSAGE#717:00075/2", "nwparser.p0", "%{fld2->} of VSD group %{group->} %{info}"); - - var part2137 = match("MESSAGE#748:00257:19/0", "nwparser.payload", "start_time=%{p0}"); - - var part2138 = match("MESSAGE#748:00257:19/1_0", "nwparser.p0", "\\\"%{fld2}\\\"%{p0}"); - - var part2139 = match("MESSAGE#748:00257:19/1_1", "nwparser.p0", " \"%{fld2}\" %{p0}"); - - var part2140 = match_copy("MESSAGE#756:00257:10/1_1", "nwparser.p0", "daddr"); - - var part2141 = match("MESSAGE#760:00259/0_0", "nwparser.payload", "Admin %{p0}"); - - var part2142 = match("MESSAGE#760:00259/0_1", "nwparser.payload", "Vsys admin %{p0}"); - - var part2143 = match("MESSAGE#760:00259/2_1", "nwparser.p0", "Telnet %{p0}"); - - var part2144 = match("MESSAGE#777:00406/2", "nwparser.p0", "%{interface}). Occurred %{dclass_counter1->} times."); - - var part2145 = match("MESSAGE#790:00423/2", "nwparser.p0", "%{interface}).%{space}Occurred %{dclass_counter1->} times."); - - var part2146 = match("MESSAGE#793:00430/2", "nwparser.p0", "%{interface}).%{space}Occurred %{dclass_counter1->} times.%{p0}"); - - var part2147 = match("MESSAGE#795:00431/0", "nwparser.payload", "%{obj_type->} %{disposition}! 
From %{saddr}:%{sport->} to %{daddr}:%{dport}, proto %{protocol->} (zone %{zone->} %{p0}"); - - var part2148 = match("MESSAGE#797:00433/0", "nwparser.payload", "%{signame->} %{disposition}! From %{saddr}:%{sport->} to %{daddr}:%{dport}, proto %{protocol->} (zone %{zone->} %{p0}"); - - var part2149 = match("MESSAGE#804:00437:01/0", "nwparser.payload", "%{signame}! From %{saddr}:%{sport->} to %{daddr}:%{dport}, proto %{protocol->} (zone %{p0}"); - - var part2150 = match("MESSAGE#817:00511:01/1_0", "nwparser.p0", "%{administrator->} (%{fld1})"); - - var part2151 = match("MESSAGE#835:00515:04/2_1", "nwparser.p0", "ut %{p0}"); - - var part2152 = match("MESSAGE#835:00515:04/4_0", "nwparser.p0", "%{logon_type->} from %{saddr}:%{sport}"); - - var part2153 = match("MESSAGE#837:00515:05/1_0", "nwparser.p0", "user %{p0}"); - - var part2154 = match("MESSAGE#837:00515:05/5_0", "nwparser.p0", "the %{logon_type}"); - - var part2155 = match("MESSAGE#869:00519:01/1_0", "nwparser.p0", "WebAuth user %{p0}"); - - var part2156 = match("MESSAGE#876:00520:02/1_1", "nwparser.p0", "backup1 %{p0}"); - - var part2157 = match("MESSAGE#876:00520:02/1_2", "nwparser.p0", "backup2 %{p0}"); - - var part2158 = match("MESSAGE#890:00524:13/1_0", "nwparser.p0", ",%{p0}"); - - var part2159 = match("MESSAGE#901:00527/1_0", "nwparser.p0", "assigned %{p0}"); - - var part2160 = match("MESSAGE#901:00527/3_0", "nwparser.p0", "assigned to %{p0}"); - - var part2161 = match("MESSAGE#927:00528:15/1_0", "nwparser.p0", "'%{administrator}' %{p0}"); - - var part2162 = match("MESSAGE#930:00528:18/0", "nwparser.payload", "SSH: P%{p0}"); - - var part2163 = match("MESSAGE#930:00528:18/1_0", "nwparser.p0", "KA %{p0}"); - - var part2164 = match("MESSAGE#930:00528:18/1_1", "nwparser.p0", "assword %{p0}"); - - var part2165 = match("MESSAGE#930:00528:18/3_0", "nwparser.p0", "\\'%{administrator}\\' %{p0}"); - - var part2166 = match("MESSAGE#930:00528:18/4", "nwparser.p0", "at host %{saddr}"); - - var part2167 = 
match("MESSAGE#932:00528:19/0", "nwparser.payload", "%{}S%{p0}"); - - var part2168 = match("MESSAGE#932:00528:19/1_0", "nwparser.p0", "CS %{p0}"); - - var part2169 = match("MESSAGE#1060:00553/2", "nwparser.p0", "from server.ini file.%{}"); - - var part2170 = match("MESSAGE#1064:00553:04/1_0", "nwparser.p0", "pattern %{p0}"); - - var part2171 = match("MESSAGE#1064:00553:04/1_1", "nwparser.p0", "server.ini %{p0}"); - - var part2172 = match("MESSAGE#1068:00553:08/2", "nwparser.p0", "file.%{}"); - - var part2173 = match("MESSAGE#1087:00554:04/1_1", "nwparser.p0", "AV pattern %{p0}"); - - var part2174 = match("MESSAGE#1116:00556:14/1_0", "nwparser.p0", "added into %{p0}"); - - var part2175 = match("MESSAGE#1157:00767:11/1_0", "nwparser.p0", "loader %{p0}"); - - var select436 = linear_select([ - dup10, - dup11, - ]); - - var part2176 = match("MESSAGE#7:00001:07", "nwparser.payload", "Policy ID=%{policy_id->} Rate=%{fld2->} exceeds threshold", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var select437 = linear_select([ - dup13, - dup14, - ]); - - var select438 = linear_select([ - dup15, - dup16, - ]); - - var select439 = linear_select([ - dup56, - dup57, - ]); - - var select440 = linear_select([ - dup65, - dup66, - ]); - - var select441 = linear_select([ - dup68, - dup69, - ]); - - var select442 = linear_select([ - dup71, - dup72, - ]); - - var part2177 = match("MESSAGE#84:00005:04", "nwparser.payload", "%{signame->} from %{saddr}/%{sport->} to %{daddr}/%{dport->} protocol %{protocol->} (%{interface})", processor_chain([ - dup58, - dup2, - dup3, - dup4, - dup5, - dup61, - ])); - - var select443 = linear_select([ - dup74, - dup75, - ]); - - var select444 = linear_select([ - dup81, - dup82, - ]); - - var select445 = linear_select([ - dup24, - dup90, - ]); - - var select446 = linear_select([ - dup94, - dup95, - ]); - - var select447 = linear_select([ - dup98, - dup99, - ]); - - var select448 = linear_select([ - dup100, - dup101, - dup102, - ]); - - 
var select449 = linear_select([ - dup113, - dup114, - ]); - - var select450 = linear_select([ - dup111, - dup16, - ]); - - var select451 = linear_select([ - dup127, - dup107, - ]); - - var select452 = linear_select([ - dup8, - dup21, - ]); - - var select453 = linear_select([ - dup122, - dup133, - ]); - - var select454 = linear_select([ - dup142, - dup143, - ]); - - var select455 = linear_select([ - dup145, - dup21, - ]); - - var select456 = linear_select([ - dup127, - dup106, - ]); - - var select457 = linear_select([ - dup152, - dup96, - ]); - - var select458 = linear_select([ - dup154, - dup155, - ]); - - var select459 = linear_select([ - dup156, - dup157, - ]); - - var select460 = linear_select([ - dup99, - dup134, - ]); - - var select461 = linear_select([ - dup158, - dup159, - ]); - - var select462 = linear_select([ - dup161, - dup162, - ]); - - var select463 = linear_select([ - dup163, - dup103, - ]); - - var select464 = linear_select([ - dup162, - dup161, - ]); - - var select465 = linear_select([ - dup46, - dup47, - ]); - - var select466 = linear_select([ - dup166, - dup167, - ]); - - var select467 = linear_select([ - dup172, - dup173, - ]); - - var select468 = linear_select([ - dup174, - dup175, - dup176, - dup177, - dup178, - dup179, - dup180, - dup181, - dup182, - ]); - - var select469 = linear_select([ - dup49, - dup21, - ]); - - var select470 = linear_select([ - dup189, - dup190, - ]); - - var select471 = linear_select([ - dup96, - dup152, - ]); - - var select472 = linear_select([ - dup196, - dup197, - ]); - - var select473 = linear_select([ - dup24, - dup200, - ]); - - var select474 = linear_select([ - dup103, - dup163, - ]); - - var select475 = linear_select([ - dup205, - dup118, - ]); - - var part2178 = match("MESSAGE#477:00030:02", "nwparser.payload", "%{change_attribute->} has been changed from %{change_old->} to %{change_new}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var select476 = linear_select([ - dup212, - dup213, - 
]); - - var select477 = linear_select([ - dup215, - dup216, - ]); - - var select478 = linear_select([ - dup222, - dup215, - ]); - - var select479 = linear_select([ - dup224, - dup225, - ]); - - var select480 = linear_select([ - dup231, - dup124, - ]); - - var select481 = linear_select([ - dup229, - dup230, - ]); - - var select482 = linear_select([ - dup233, - dup234, - ]); - - var select483 = linear_select([ - dup236, - dup237, - ]); - - var select484 = linear_select([ - dup242, - dup243, - ]); - - var select485 = linear_select([ - dup245, - dup246, - ]); - - var select486 = linear_select([ - dup247, - dup248, - ]); - - var select487 = linear_select([ - dup249, - dup250, - ]); - - var select488 = linear_select([ - dup251, - dup252, - ]); - - var select489 = linear_select([ - dup260, - dup261, - ]); - - var select490 = linear_select([ - dup264, - dup265, - ]); - - var select491 = linear_select([ - dup268, - dup269, - ]); - - var part2179 = match("MESSAGE#716:00074", "nwparser.payload", "The local device %{fld2->} in the Virtual Security Device group %{group->} %{info}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var select492 = linear_select([ - dup284, - dup285, - ]); - - var select493 = linear_select([ - dup287, - dup288, - ]); - - var part2180 = match("MESSAGE#799:00435", "nwparser.payload", "%{signame->} From %{saddr->} to %{daddr}, using protocol %{protocol}, and arriving at interface %{dinterface->} in zone %{dst_zone}.%{space}The attack occurred %{dclass_counter1->} times.", processor_chain([ - dup58, - dup2, - dup59, - dup4, - dup5, - dup3, - dup60, - ])); - - var part2181 = match("MESSAGE#814:00442", "nwparser.payload", "%{signame->} From %{saddr->} to zone %{zone}, proto %{protocol->} (int %{interface}). Occurred %{dclass_counter1->} times. 
(%{fld1})", processor_chain([ - dup58, - dup4, - dup59, - dup5, - dup9, - dup2, - dup3, - dup60, - ])); - - var select494 = linear_select([ - dup300, - dup26, - ]); - - var select495 = linear_select([ - dup115, - dup303, - ]); - - var select496 = linear_select([ - dup125, - dup96, - ]); - - var select497 = linear_select([ - dup189, - dup308, - dup309, - ]); - - var select498 = linear_select([ - dup310, - dup16, - ]); - - var select499 = linear_select([ - dup317, - dup318, - ]); - - var select500 = linear_select([ - dup319, - dup315, - ]); - - var select501 = linear_select([ - dup322, - dup250, - ]); - - var select502 = linear_select([ - dup327, - dup329, - ]); - - var select503 = linear_select([ - dup330, - dup129, - ]); - - var part2182 = match("MESSAGE#1196:01269:01", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} direction=%{direction->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} icmp type=%{icmptype}", processor_chain([ - dup281, - dup2, - dup4, - dup5, - dup274, - dup3, - dup275, - dup60, - dup282, - ])); - - var part2183 = match("MESSAGE#1197:01269:02", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=Deny sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} icmp type=%{icmptype}", processor_chain([ - dup185, - dup2, - dup4, - dup5, - dup274, - dup3, - dup275, - dup276, - dup277, - dup60, - ])); - - var part2184 = match("MESSAGE#1198:01269:03", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} icmp type=%{icmptype}", processor_chain([ - dup281, - dup2, - dup4, - dup5, - 
dup274, - dup3, - dup275, - dup60, - dup282, - ])); - - var part2185 = match("MESSAGE#1203:23184", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} (%{fld3}) proto=%{protocol->} direction=%{direction->} action=Deny sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport}", processor_chain([ - dup185, - dup2, - dup4, - dup5, - dup274, - dup3, - dup275, - dup276, - dup277, - dup61, - ])); - - var all391 = all_match({ - processors: [ - dup263, - dup390, - dup266, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var all392 = all_match({ - processors: [ - dup267, - dup391, - dup270, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var all393 = all_match({ - processors: [ - dup80, - dup343, - dup293, - ], - on_success: processor_chain([ - dup58, - dup2, - dup59, - dup3, - dup4, - dup5, - dup61, - ]), - }); - - var all394 = all_match({ - processors: [ - dup296, - dup343, - dup131, - ], - on_success: processor_chain([ - dup297, - dup2, - dup3, - dup9, - dup59, - dup4, - dup5, - dup61, - ]), - }); - - var all395 = all_match({ - processors: [ - dup298, - dup343, - dup131, - ], - on_success: processor_chain([ - dup297, - dup2, - dup3, - dup9, - dup59, - dup4, - dup5, - dup61, - ]), - }); - -- community_id: -- registered_domain: - ignore_missing: true - ignore_failure: true - field: dns.question.name - target_field: dns.question.registered_domain - target_subdomain_field: dns.question.subdomain - target_etld_field: dns.question.top_level_domain -- registered_domain: - ignore_missing: true - ignore_failure: true - field: client.domain - target_field: client.registered_domain - target_subdomain_field: client.subdomain - target_etld_field: client.top_level_domain -- registered_domain: - ignore_missing: true - ignore_failure: true - field: server.domain - target_field: 
server.registered_domain - target_subdomain_field: server.subdomain - target_etld_field: server.top_level_domain -- registered_domain: - ignore_missing: true - ignore_failure: true - field: destination.domain - target_field: destination.registered_domain - target_subdomain_field: destination.subdomain - target_etld_field: destination.top_level_domain -- registered_domain: - ignore_missing: true - ignore_failure: true - field: source.domain - target_field: source.registered_domain - target_subdomain_field: source.subdomain - target_etld_field: source.top_level_domain -- registered_domain: - ignore_missing: true - ignore_failure: true - field: url.domain - target_field: url.registered_domain - target_subdomain_field: url.subdomain - target_etld_field: url.top_level_domain -- add_locale: ~ diff --git a/packages/juniper_netscreen/0.4.2/data_stream/log/agent/stream/udp.yml.hbs b/packages/juniper_netscreen/0.4.2/data_stream/log/agent/stream/udp.yml.hbs deleted file mode 100755 index 63a0c266a8..0000000000 --- a/packages/juniper_netscreen/0.4.2/data_stream/log/agent/stream/udp.yml.hbs +++ /dev/null 
@@ -1,26354 +0,0 @@ -udp: -host: "{{udp_host}}:{{udp_port}}" -tags: -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#each tags as |tag i|}} - - {{tag}} -{{/each}} -fields_under_root: true -fields: - observer: - vendor: "Juniper" - product: "Netscreen" - type: "Firewall" -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} -processors: -{{#if processors}} -{{processors}} -{{/if}} -- script: - lang: javascript - params: - ecs: true - rsa: {{rsa_fields}} - tz_offset: {{tz_offset}} - keep_raw: {{keep_raw_fields}} - debug: {{debug}} - source: | - // Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - // or more contributor license agreements. Licensed under the Elastic License; - // you may not use this file except in compliance with the Elastic License. - - /* jshint -W014,-W016,-W097,-W116 */ - - var processor = require("processor"); - var console = require("console"); - - var FLAG_FIELD = "log.flags"; - var FIELDS_OBJECT = "nwparser"; - var FIELDS_PREFIX = FIELDS_OBJECT + "."; - - var defaults = { - debug: false, - ecs: true, - rsa: false, - keep_raw: false, - tz_offset: "local", - strip_priority: true - }; - - var saved_flags = null; - var debug; - var map_ecs; - var map_rsa; - var keep_raw; - var device; - var tz_offset; - var strip_priority; - - // Register params from configuration. - function register(params) { - debug = params.debug !== undefined ? params.debug : defaults.debug; - map_ecs = params.ecs !== undefined ? params.ecs : defaults.ecs; - map_rsa = params.rsa !== undefined ? params.rsa : defaults.rsa; - keep_raw = params.keep_raw !== undefined ? params.keep_raw : defaults.keep_raw; - tz_offset = parse_tz_offset(params.tz_offset !== undefined? params.tz_offset : defaults.tz_offset); - strip_priority = params.strip_priority !== undefined? 
params.strip_priority : defaults.strip_priority; - device = new DeviceProcessor(); - } - - function parse_tz_offset(offset) { - var date; - var m; - switch(offset) { - // local uses the tz offset from the JS VM. - case "local": - date = new Date(); - // Reversing the sign as we the offset from UTC, not to UTC. - return parse_local_tz_offset(-date.getTimezoneOffset()); - // event uses the tz offset from event.timezone (add_locale processor). - case "event": - return offset; - // Otherwise a tz offset in the form "[+-][0-9]{4}" is required. - default: - m = offset.match(/^([+\-])([0-9]{2}):?([0-9]{2})?$/); - if (m === null || m.length !== 4) { - throw("bad timezone offset: '" + offset + "'. Must have the form +HH:MM"); - } - return m[1] + m[2] + ":" + (m[3]!==undefined? m[3] : "00"); - } - } - - function parse_local_tz_offset(minutes) { - var neg = minutes < 0; - minutes = Math.abs(minutes); - var min = minutes % 60; - var hours = Math.floor(minutes / 60); - var pad2digit = function(n) { - if (n < 10) { return "0" + n;} - return "" + n; - }; - return (neg? "-" : "+") + pad2digit(hours) + ":" + pad2digit(min); - } - - function process(evt) { - // Function register is only called by the processor when `params` are set - // in the processor config. - if (device === undefined) { - register(defaults); - } - return device.process(evt); - } - - function processor_chain(subprocessors) { - var builder = new processor.Chain(); - subprocessors.forEach(builder.Add); - return builder.Build().Run; - } - - function linear_select(subprocessors) { - return function (evt) { - var flags = evt.Get(FLAG_FIELD); - var i; - for (i = 0; i < subprocessors.length; i++) { - evt.Delete(FLAG_FIELD); - if (debug) console.warn("linear_select trying entry " + i); - subprocessors[i](evt); - // Dissect processor succeeded? 
- if (evt.Get(FLAG_FIELD) == null) break; - if (debug) console.warn("linear_select failed entry " + i); - } - if (flags !== null) { - evt.Put(FLAG_FIELD, flags); - } - if (debug) { - if (i < subprocessors.length) { - console.warn("linear_select matched entry " + i); - } else { - console.warn("linear_select didn't match"); - } - } - }; - } - - function conditional(opt) { - return function(evt) { - if (opt.if(evt)) { - opt.then(evt); - } else if (opt.else) { - opt.else(evt); - } - }; - } - - var strip_syslog_priority = (function() { - var isEnabled = function() { return strip_priority === true; }; - var fetchPRI = field("_pri"); - var fetchPayload = field("payload"); - var removePayload = remove(["payload"]); - var cleanup = remove(["_pri", "payload"]); - var onMatch = function(evt) { - var pri, priStr = fetchPRI(evt); - if (priStr != null - && 0 < priStr.length && priStr.length < 4 - && !isNaN((pri = Number(priStr))) - && 0 <= pri && pri < 192) { - var severity = pri & 7, - facility = pri >> 3; - setc("_severity", "" + severity)(evt); - setc("_facility", "" + facility)(evt); - // Replace message with priority stripped. - evt.Put("message", fetchPayload(evt)); - removePayload(evt); - } else { - // not a valid syslog PRI, cleanup. 
- cleanup(evt); - } - }; - return conditional({ - if: isEnabled, - then: cleanup_flags(match( - "STRIP_PRI", - "message", - "<%{_pri}>%{payload}", - onMatch - )) - }); - })(); - - function match(id, src, pattern, on_success) { - var dissect = new processor.Dissect({ - field: src, - tokenizer: pattern, - target_prefix: FIELDS_OBJECT, - ignore_failure: true, - overwrite_keys: true, - trim_values: "right" - }); - return function (evt) { - var msg = evt.Get(src); - dissect.Run(evt); - var failed = evt.Get(FLAG_FIELD) != null; - if (debug) { - if (failed) { - console.debug("dissect fail: " + id + " field:" + src); - } else { - console.debug("dissect OK: " + id + " field:" + src); - } - console.debug(" expr: <<" + pattern + ">>"); - console.debug(" input: <<" + msg + ">>"); - } - if (on_success != null && !failed) { - on_success(evt); - } - }; - } - - function match_copy(id, src, dst, on_success) { - dst = FIELDS_PREFIX + dst; - if (dst === FIELDS_PREFIX || dst === src) { - return function (evt) { - if (debug) { - console.debug("noop OK: " + id + " field:" + src); - console.debug(" input: <<" + evt.Get(src) + ">>"); - } - if (on_success != null) on_success(evt); - } - } - return function (evt) { - var msg = evt.Get(src); - evt.Put(dst, msg); - if (debug) { - console.debug("copy OK: " + id + " field:" + src); - console.debug(" target: '" + dst + "'"); - console.debug(" input: <<" + msg + ">>"); - } - if (on_success != null) on_success(evt); - } - } - - function cleanup_flags(processor) { - return function(evt) { - processor(evt); - evt.Delete(FLAG_FIELD); - }; - } - - function all_match(opts) { - return function (evt) { - var i; - for (i = 0; i < opts.processors.length; i++) { - evt.Delete(FLAG_FIELD); - opts.processors[i](evt); - // Dissect processor succeeded? 
- if (evt.Get(FLAG_FIELD) != null) { - if (debug) console.warn("all_match failure at " + i); - if (opts.on_failure != null) opts.on_failure(evt); - return; - } - if (debug) console.warn("all_match success at " + i); - } - if (opts.on_success != null) opts.on_success(evt); - }; - } - - function msgid_select(mapping) { - return function (evt) { - var msgid = evt.Get(FIELDS_PREFIX + "messageid"); - if (msgid == null) { - if (debug) console.warn("msgid_select: no messageid captured!"); - return; - } - var next = mapping[msgid]; - if (next === undefined) { - if (debug) console.warn("msgid_select: no mapping for messageid:" + msgid); - return; - } - if (debug) console.info("msgid_select: matched key=" + msgid); - return next(evt); - }; - } - - function msg(msg_id, match) { - return function (evt) { - match(evt); - if (evt.Get(FLAG_FIELD) == null) { - evt.Put(FIELDS_PREFIX + "msg_id1", msg_id); - } - }; - } - - var start; - - function save_flags(evt) { - saved_flags = evt.Get(FLAG_FIELD); - evt.Put("event.original", evt.Get("message")); - } - - function restore_flags(evt) { - if (saved_flags !== null) { - evt.Put(FLAG_FIELD, saved_flags); - } - evt.Delete("message"); - } - - function constant(value) { - return function (evt) { - return value; - }; - } - - function field(name) { - var fullname = FIELDS_PREFIX + name; - return function (evt) { - return evt.Get(fullname); - }; - } - - function STRCAT(args) { - var s = ""; - var i; - for (i = 0; i < args.length; i++) { - s += args[i]; - } - return s; - } - - // TODO: Implement - function DIRCHK(args) { - unimplemented("DIRCHK"); - } - - function strictToInt(str) { - return str * 1; - } - - function CALC(args) { - if (args.length !== 3) { - console.warn("skipped call to CALC with " + args.length + " arguments."); - return; - } - var a = strictToInt(args[0]); - var b = strictToInt(args[2]); - if (isNaN(a) || isNaN(b)) { - console.warn("failed evaluating CALC arguments a='" + args[0] + "' b='" + args[2] + "'."); - return; - } - 
var result; - switch (args[1]) { - case "+": - result = a + b; - break; - case "-": - result = a - b; - break; - case "*": - result = a * b; - break; - default: - // Only * and + seen in the parsers. - console.warn("unknown CALC operation '" + args[1] + "'."); - return; - } - // Always return a string - return result !== undefined ? "" + result : result; - } - - var quoteChars = "\"'`"; - function RMQ(args) { - if(args.length !== 1) { - console.warn("RMQ: only one argument expected"); - return; - } - var value = args[0].trim(); - var n = value.length; - var char; - return n > 1 - && (char=value.charAt(0)) === value.charAt(n-1) - && quoteChars.indexOf(char) !== -1? - value.substr(1, n-2) - : value; - } - - function call(opts) { - var args = new Array(opts.args.length); - return function (evt) { - for (var i = 0; i < opts.args.length; i++) - if ((args[i] = opts.args[i](evt)) == null) return; - var result = opts.fn(args); - if (result != null) { - evt.Put(opts.dest, result); - } - }; - } - - function nop(evt) { - } - - function appendErrorMsg(evt, msg) { - var value = evt.Get("error.message"); - if (value == null) { - value = [msg]; - } else if (msg instanceof Array) { - value.push(msg); - } else { - value = [value, msg]; - } - evt.Put("error.message", value); - } - - function unimplemented(name) { - appendErrorMsg("unimplemented feature: " + name); - } - - function lookup(opts) { - return function (evt) { - var key = opts.key(evt); - if (key == null) return; - var value = opts.map.keyvaluepairs[key]; - if (value === undefined) { - value = opts.map.default; - } - if (value !== undefined) { - evt.Put(opts.dest, value(evt)); - } - }; - } - - function set(fields) { - return new processor.AddFields({ - target: FIELDS_OBJECT, - fields: fields, - }); - } - - function setf(dst, src) { - return function (evt) { - var val = evt.Get(FIELDS_PREFIX + src); - if (val != null) evt.Put(FIELDS_PREFIX + dst, val); - }; - } - - function setc(dst, value) { - return function (evt) { - 
evt.Put(FIELDS_PREFIX + dst, value); - }; - } - - function set_field(opts) { - return function (evt) { - var val = opts.value(evt); - if (val != null) evt.Put(opts.dest, val); - }; - } - - function dump(label) { - return function (evt) { - console.log("Dump of event at " + label + ": " + JSON.stringify(evt, null, "\t")); - }; - } - - function date_time_join_args(evt, arglist) { - var str = ""; - for (var i = 0; i < arglist.length; i++) { - var fname = FIELDS_PREFIX + arglist[i]; - var val = evt.Get(fname); - if (val != null) { - if (str !== "") str += " "; - str += val; - } else { - if (debug) console.warn("in date_time: input arg " + fname + " is not set"); - } - } - return str; - } - - function to2Digit(num) { - return num? (num < 10? "0" + num : num) : "00"; - } - - // Make two-digit dates 00-69 interpreted as 2000-2069 - // and dates 70-99 translated to 1970-1999. - var twoDigitYearEpoch = 70; - var twoDigitYearCentury = 2000; - - // This is to accept dates up to 2 days in the future, only used when - // no year is specified in a date. 2 days should be enough to account for - // time differences between systems and different tz offsets. - var maxFutureDelta = 2*24*60*60*1000; - - // DateContainer stores date fields and then converts those fields into - // a Date. Necessary because building a Date using its set() methods gives - // different results depending on the order of components. - function DateContainer(tzOffset) { - this.offset = tzOffset === undefined? "Z" : tzOffset; - } - - DateContainer.prototype = { - setYear: function(v) {this.year = v;}, - setMonth: function(v) {this.month = v;}, - setDay: function(v) {this.day = v;}, - setHours: function(v) {this.hours = v;}, - setMinutes: function(v) {this.minutes = v;}, - setSeconds: function(v) {this.seconds = v;}, - - setUNIX: function(v) {this.unix = v;}, - - set2DigitYear: function(v) { - this.year = v < twoDigitYearEpoch? 
twoDigitYearCentury + v : twoDigitYearCentury + v - 100; - }, - - toDate: function() { - if (this.unix !== undefined) { - return new Date(this.unix * 1000); - } - if (this.day === undefined || this.month === undefined) { - // Can't make a date from this. - return undefined; - } - if (this.year === undefined) { - // A date without a year. Set current year, or previous year - // if date would be in the future. - var now = new Date(); - this.year = now.getFullYear(); - var date = this.toDate(); - if (date.getTime() - now.getTime() > maxFutureDelta) { - date.setFullYear(now.getFullYear() - 1); - } - return date; - } - var MM = to2Digit(this.month); - var DD = to2Digit(this.day); - var hh = to2Digit(this.hours); - var mm = to2Digit(this.minutes); - var ss = to2Digit(this.seconds); - return new Date(this.year + "-" + MM + "-" + DD + "T" + hh + ":" + mm + ":" + ss + this.offset); - } - } - - function date_time_try_pattern(fmt, str, tzOffset) { - var date = new DateContainer(tzOffset); - var pos = date_time_try_pattern_at_pos(fmt, str, 0, date); - return pos !== undefined? 
date.toDate() : undefined; - } - - function date_time_try_pattern_at_pos(fmt, str, pos, date) { - var len = str.length; - for (var proc = 0; pos !== undefined && pos < len && proc < fmt.length; proc++) { - pos = fmt[proc](str, pos, date); - } - return pos; - } - - function date_time(opts) { - return function (evt) { - var tzOffset = opts.tz || tz_offset; - if (tzOffset === "event") { - tzOffset = evt.Get("event.timezone"); - } - var str = date_time_join_args(evt, opts.args); - for (var i = 0; i < opts.fmts.length; i++) { - var date = date_time_try_pattern(opts.fmts[i], str, tzOffset); - if (date !== undefined) { - evt.Put(FIELDS_PREFIX + opts.dest, date); - return; - } - } - if (debug) console.warn("in date_time: id=" + opts.id + " FAILED: " + str); - }; - } - - var uA = 60 * 60 * 24; - var uD = 60 * 60 * 24; - var uF = 60 * 60; - var uG = 60 * 60 * 24 * 30; - var uH = 60 * 60; - var uI = 60 * 60; - var uJ = 60 * 60 * 24; - var uM = 60 * 60 * 24 * 30; - var uN = 60 * 60; - var uO = 1; - var uS = 1; - var uT = 60; - var uU = 60; - var uc = dc; - - function duration(opts) { - return function(evt) { - var str = date_time_join_args(evt, opts.args); - for (var i = 0; i < opts.fmts.length; i++) { - var seconds = duration_try_pattern(opts.fmts[i], str); - if (seconds !== undefined) { - evt.Put(FIELDS_PREFIX + opts.dest, seconds); - return; - } - } - if (debug) console.warn("in duration: id=" + opts.id + " (s) FAILED: " + str); - }; - } - - function duration_try_pattern(fmt, str) { - var secs = 0; - var pos = 0; - for (var i=0; i [ month_id , how many chars to skip if month in long form ] - "Jan": [0, 4], - "Feb": [1, 5], - "Mar": [2, 2], - "Apr": [3, 2], - "May": [4, 0], - "Jun": [5, 1], - "Jul": [6, 1], - "Aug": [7, 3], - "Sep": [8, 6], - "Oct": [9, 4], - "Nov": [10, 5], - "Dec": [11, 4], - "jan": [0, 4], - "feb": [1, 5], - "mar": [2, 2], - "apr": [3, 2], - "may": [4, 0], - "jun": [5, 1], - "jul": [6, 1], - "aug": [7, 3], - "sep": [8, 6], - "oct": [9, 4], - "nov": [10, 
5], - "dec": [11, 4], - }; - - // var dC = undefined; - var dR = dateMonthName(true); - var dB = dateMonthName(false); - var dM = dateFixedWidthNumber("M", 2, 1, 12, DateContainer.prototype.setMonth); - var dG = dateVariableWidthNumber("G", 1, 12, DateContainer.prototype.setMonth); - var dD = dateFixedWidthNumber("D", 2, 1, 31, DateContainer.prototype.setDay); - var dF = dateVariableWidthNumber("F", 1, 31, DateContainer.prototype.setDay); - var dH = dateFixedWidthNumber("H", 2, 0, 24, DateContainer.prototype.setHours); - var dI = dateVariableWidthNumber("I", 0, 24, DateContainer.prototype.setHours); // Accept hours >12 - var dN = dateVariableWidthNumber("N", 0, 24, DateContainer.prototype.setHours); - var dT = dateFixedWidthNumber("T", 2, 0, 59, DateContainer.prototype.setMinutes); - var dU = dateVariableWidthNumber("U", 0, 59, DateContainer.prototype.setMinutes); - var dP = parseAMPM; // AM|PM - var dQ = parseAMPM; // A.M.|P.M - var dS = dateFixedWidthNumber("S", 2, 0, 60, DateContainer.prototype.setSeconds); - var dO = dateVariableWidthNumber("O", 0, 60, DateContainer.prototype.setSeconds); - var dY = dateFixedWidthNumber("Y", 2, 0, 99, DateContainer.prototype.set2DigitYear); - var dW = dateFixedWidthNumber("W", 4, 1000, 9999, DateContainer.prototype.setYear); - var dZ = parseHMS; - var dX = dateVariableWidthNumber("X", 0, 0x10000000000, DateContainer.prototype.setUNIX); - - // parseAMPM parses "A.M", "AM", "P.M", "PM" from logs. - // Only works if this modifier appears after the hour has been read from logs - // which is always the case in the 300 devices. 
- function parseAMPM(str, pos, date) { - var n = str.length; - var start = skipws(str, pos); - if (start + 2 > n) return; - var head = str.substr(start, 2).toUpperCase(); - var isPM = false; - var skip = false; - switch (head) { - case "A.": - skip = true; - /* falls through */ - case "AM": - break; - case "P.": - skip = true; - /* falls through */ - case "PM": - isPM = true; - break; - default: - if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(head:" + head + ")"); - return; - } - pos = start + 2; - if (skip) { - if (pos+2 > n || str.substr(pos, 2).toUpperCase() !== "M.") { - if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(tail)"); - return; - } - pos += 2; - } - var hh = date.hours; - if (isPM) { - // Accept existing hour in 24h format. - if (hh < 12) hh += 12; - } else { - if (hh === 12) hh = 0; - } - date.setHours(hh); - return pos; - } - - function parseHMS(str, pos, date) { - return date_time_try_pattern_at_pos([dN, dc(":"), dU, dc(":"), dO], str, pos, date); - } - - function skipws(str, pos) { - for ( var n = str.length; - pos < n && str.charAt(pos) === " "; - pos++) - ; - return pos; - } - - function skipdigits(str, pos) { - var c; - for (var n = str.length; - pos < n && (c = str.charAt(pos)) >= "0" && c <= "9"; - pos++) - ; - return pos; - } - - function dSkip(str, pos, date) { - var chr; - for (;pos < str.length && (chr=str[pos])<'0' || chr>'9'; pos++) {} - return pos < str.length? 
pos : undefined; - } - - function dateVariableWidthNumber(fmtChar, min, max, setter) { - return function (str, pos, date) { - var start = skipws(str, pos); - pos = skipdigits(str, start); - var s = str.substr(start, pos - start); - var value = parseInt(s, 10); - if (value >= min && value <= max) { - setter.call(date, value); - return pos; - } - return; - }; - } - - function dateFixedWidthNumber(fmtChar, width, min, max, setter) { - return function (str, pos, date) { - pos = skipws(str, pos); - var n = str.length; - if (pos + width > n) return; - var s = str.substr(pos, width); - var value = parseInt(s, 10); - if (value >= min && value <= max) { - setter.call(date, value); - return pos + width; - } - return; - }; - } - - // Short month name (Jan..Dec). - function dateMonthName(long) { - return function (str, pos, date) { - pos = skipws(str, pos); - var n = str.length; - if (pos + 3 > n) return; - var mon = str.substr(pos, 3); - var idx = shortMonths[mon]; - if (idx === undefined) { - idx = shortMonths[mon.toLowerCase()]; - } - if (idx === undefined) { - //console.warn("parsing date_time: '" + mon + "' is not a valid short month (%B)"); - return; - } - date.setMonth(idx[0]+1); - return pos + 3 + (long ? 
idx[1] : 0); - }; - } - - function url_wrapper(dst, src, fn) { - return function(evt) { - var value = evt.Get(FIELDS_PREFIX + src), result; - if (value != null && (result = fn(value))!== undefined) { - evt.Put(FIELDS_PREFIX + dst, result); - } else { - console.debug(fn.name + " failed for '" + value + "'"); - } - }; - } - - // The following regular expression for parsing URLs from: - // https://github.com/wizard04wsu/URI_Parsing - // - // The MIT License (MIT) - // - // Copyright (c) 2014 Andrew Harrison - // - // Permission is hereby granted, free of charge, to any person obtaining a copy of - // this software and associated documentation files (the "Software"), to deal in - // the Software without restriction, including without limitation the rights to - // use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of - // the Software, and to permit persons to whom the Software is furnished to do so, - // subject to the following conditions: - // - // The above copyright notice and this permission notice shall be included in all - // copies or substantial portions of the Software. - // - // THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR - // IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS - // FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR - // COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER - // IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN - // CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 
- var uriRegExp = /^([a-z][a-z0-9+.\-]*):(?:\/\/((?:(?=((?:[a-z0-9\-._~!$&'()*+,;=:]|%[0-9A-F]{2})*))(\3)@)?(?=(\[[0-9A-F:.]{2,}\]|(?:[a-z0-9\-._~!$&'()*+,;=]|%[0-9A-F]{2})*))\5(?::(?=(\d*))\6)?)(\/(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\8)?|(\/?(?!\/)(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\10)?)(?:\?(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\11)?(?:#(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\12)?$/i; - - var uriScheme = 1; - var uriDomain = 5; - var uriPort = 6; - var uriPath = 7; - var uriPathAlt = 9; - var uriQuery = 11; - - function domain(dst, src) { - return url_wrapper(dst, src, extract_domain); - } - - function split_url(value) { - var m = value.match(uriRegExp); - if (m && m[uriDomain]) return m; - // Support input in the form "www.example.net/path", but not "/path". - m = ("null://" + value).match(uriRegExp); - if (m) return m; - } - - function extract_domain(value) { - var m = split_url(value); - if (m && m[uriDomain]) return m[uriDomain]; - } - - var extFromPage = /\.[^.]+$/; - function extract_ext(value) { - var page = extract_page(value); - if (page) { - var m = page.match(extFromPage); - if (m) return m[0]; - } - } - - function ext(dst, src) { - return url_wrapper(dst, src, extract_ext); - } - - function fqdn(dst, src) { - // TODO: fqdn and domain(eTLD+1) are currently the same. - return domain(dst, src); - } - - var pageFromPathRegExp = /\/([^\/]+)$/; - var pageName = 1; - - function extract_page(value) { - value = extract_path(value); - if (!value) return undefined; - var m = value.match(pageFromPathRegExp); - if (m) return m[pageName]; - } - - function page(dst, src) { - return url_wrapper(dst, src, extract_page); - } - - function extract_path(value) { - var m = split_url(value); - return m? m[uriPath] || m[uriPathAlt] : undefined; - } - - function path(dst, src) { - return url_wrapper(dst, src, extract_path); - } - - // Map common schemes to their default port. 
- // port has to be a string (will be converted at a later stage). - var schemePort = { - "ftp": "21", - "ssh": "22", - "http": "80", - "https": "443", - }; - - function extract_port(value) { - var m = split_url(value); - if (!m) return undefined; - if (m[uriPort]) return m[uriPort]; - if (m[uriScheme]) { - return schemePort[m[uriScheme]]; - } - } - - function port(dst, src) { - return url_wrapper(dst, src, extract_port); - } - - function extract_query(value) { - var m = split_url(value); - if (m && m[uriQuery]) return m[uriQuery]; - } - - function query(dst, src) { - return url_wrapper(dst, src, extract_query); - } - - function extract_root(value) { - var m = split_url(value); - if (m && m[uriDomain] && m[uriDomain]) { - var scheme = m[uriScheme] && m[uriScheme] !== "null"? - m[uriScheme] + "://" : ""; - var port = m[uriPort]? ":" + m[uriPort] : ""; - return scheme + m[uriDomain] + port; - } - } - - function root(dst, src) { - return url_wrapper(dst, src, extract_root); - } - - function tagval(id, src, cfg, keys, on_success) { - var fail = function(evt) { - evt.Put(FLAG_FIELD, "tagval_parsing_error"); - } - if (cfg.kv_separator.length !== 1) { - throw("Invalid TAGVALMAP ValueDelimiter (must have 1 character)"); - } - var quotes_len = cfg.open_quote.length > 0 && cfg.close_quote.length > 0? 
- cfg.open_quote.length + cfg.close_quote.length : 0; - var kv_regex = new RegExp('^([^' + cfg.kv_separator + ']*)*' + cfg.kv_separator + ' *(.*)*$'); - return function(evt) { - var msg = evt.Get(src); - if (msg === undefined) { - console.warn("tagval: input field is missing"); - return fail(evt); - } - var pairs = msg.split(cfg.pair_separator); - var i; - var success = false; - var prev = ""; - for (i=0; i 0 && - value.length >= cfg.open_quote.length + cfg.close_quote.length && - value.substr(0, cfg.open_quote.length) === cfg.open_quote && - value.substr(value.length - cfg.close_quote.length) === cfg.close_quote) { - value = value.substr(cfg.open_quote.length, value.length - quotes_len); - } - evt.Put(FIELDS_PREFIX + field, value); - success = true; - } - if (!success) { - return fail(evt); - } - if (on_success != null) { - on_success(evt); - } - } - } - - var ecs_mappings = { - "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]}, - "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]}, - "_severity": {convert: to_long, to:[{field: "log.syslog.severity.code", setter: fld_set}]}, - "action": {to:[{field: "event.action", setter: fld_prio, prio: 0}]}, - "administrator": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 4}]}, - "alias.ip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 3},{field: "related.ip", setter: fld_append}]}, - "alias.ipv6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 4},{field: "related.ip", setter: fld_append}]}, - "alias.mac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 1}]}, - "application": {to:[{field: "network.application", setter: fld_set}]}, - "bytes": {convert: to_long, to:[{field: "network.bytes", setter: fld_set}]}, - "c_domain": {to:[{field: "source.domain", setter: fld_prio, prio: 1}]}, - "c_logon_id": {to:[{field: "user.id", setter: fld_prio, prio: 2}]}, - 
"c_user_name": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 8}]},
- "c_username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 2}]},
- "cctld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 1}]},
- "child_pid": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 1}]},
- "child_pid_val": {to:[{field: "process.title", setter: fld_set}]},
- "child_process": {to:[{field: "process.name", setter: fld_prio, prio: 1}]},
- "city.dst": {to:[{field: "destination.geo.city_name", setter: fld_set}]},
- "city.src": {to:[{field: "source.geo.city_name", setter: fld_set}]},
- "daddr": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]},
- "daddr_v6": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]},
- "ddomain": {to:[{field: "destination.domain", setter: fld_prio, prio: 0}]},
- "devicehostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]},
- "devicehostmac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 0}]},
- "dhost": {to:[{field: "destination.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]},
- "dinterface": {to:[{field: "observer.egress.interface.name", setter: fld_set}]},
- "direction": {to:[{field: "network.direction", setter: fld_set}]},
- "directory": {to:[{field: "file.directory", setter: fld_set}]},
- "dmacaddr": {convert: to_mac, to:[{field: "destination.mac", setter: fld_set}]},
- "dns.responsetype": {to:[{field: "dns.answers.type", setter: fld_set}]},
- "dns.resptext": {to:[{field: "dns.answers.name", setter: fld_set}]},
- "dns_querytype": {to:[{field: "dns.question.type", setter: fld_set}]},
- "domain": {to:[{field: "server.domain", setter: fld_prio, prio: 0},{field: "related.hosts", setter: fld_append}]},
-
"domain.dst": {to:[{field: "destination.domain", setter: fld_prio, prio: 1}]},
- "domain.src": {to:[{field: "source.domain", setter: fld_prio, prio: 2}]},
- "domain_id": {to:[{field: "user.domain", setter: fld_set}]},
- "domainname": {to:[{field: "server.domain", setter: fld_prio, prio: 1}]},
- "dport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 0}]},
- "dtransaddr": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]},
- "dtransport": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 0}]},
- "ec_outcome": {to:[{field: "event.outcome", setter: fld_ecs_outcome}]},
- "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]},
- "event_source": {to:[{field: "related.hosts", setter: fld_append}]},
- "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]},
- "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]},
- "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]},
- "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]},
- "filename": {to:[{field: "file.name", setter: fld_prio, prio: 0}]},
- "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]},
- "filepath": {to:[{field: "file.path", setter: fld_set}]},
- "filetype": {to:[{field: "file.type", setter: fld_set}]},
- "fqdn": {to:[{field: "related.hosts", setter: fld_append}]},
- "group": {to:[{field: "group.name", setter: fld_set}]},
- "groupid": {to:[{field: "group.id", setter: fld_set}]},
- "host": {to:[{field: "host.name", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]},
- "hostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]},
- "hostip_v6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]},
- "hostname": {to:[{field:
"host.name", setter: fld_prio, prio: 0}]},
- "id": {to:[{field: "event.code", setter: fld_prio, prio: 0}]},
- "interface": {to:[{field: "network.interface.name", setter: fld_set}]},
- "ip.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]},
- "ip.trans.dst": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]},
- "ip.trans.src": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]},
- "ipv6.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]},
- "latdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lat", setter: fld_set}]},
- "latdec_src": {convert: to_double, to:[{field: "source.geo.location.lat", setter: fld_set}]},
- "location_city": {to:[{field: "geo.city_name", setter: fld_set}]},
- "location_country": {to:[{field: "geo.country_name", setter: fld_set}]},
- "location_desc": {to:[{field: "geo.name", setter: fld_set}]},
- "location_dst": {to:[{field: "destination.geo.country_name", setter: fld_set}]},
- "location_src": {to:[{field: "source.geo.country_name", setter: fld_set}]},
- "location_state": {to:[{field: "geo.region_name", setter: fld_set}]},
- "logon_id": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 5}]},
- "longdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lon", setter: fld_set}]},
- "longdec_src": {convert: to_double, to:[{field: "source.geo.location.lon", setter: fld_set}]},
- "macaddr": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 2}]},
- "messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]},
- "method": {to:[{field: "http.request.method", setter: fld_set}]},
- "msg": {to:[{field: "message", setter: fld_set}]},
- "orig_ip": {convert: to_ip,
to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]},
- "owner": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 6}]},
- "packets": {convert: to_long, to:[{field: "network.packets", setter: fld_set}]},
- "parent_pid": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 0}]},
- "parent_pid_val": {to:[{field: "process.parent.title", setter: fld_set}]},
- "parent_process": {to:[{field: "process.parent.name", setter: fld_prio, prio: 0}]},
- "patient_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 1}]},
- "port.dst": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 1}]},
- "port.src": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 1}]},
- "port.trans.dst": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 1}]},
- "port.trans.src": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 1}]},
- "process": {to:[{field: "process.name", setter: fld_prio, prio: 0}]},
- "process_id": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 0}]},
- "process_id_src": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 1}]},
- "process_src": {to:[{field: "process.parent.name", setter: fld_prio, prio: 1}]},
- "product": {to:[{field: "observer.product", setter: fld_set}]},
- "protocol": {to:[{field: "network.protocol", setter: fld_set}]},
- "query": {to:[{field: "url.query", setter: fld_prio, prio: 2}]},
- "rbytes": {convert: to_long, to:[{field: "destination.bytes", setter: fld_set}]},
- "referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 1}]},
- "rulename": {to:[{field: "rule.name", setter: fld_set}]},
- "saddr": {convert: to_ip, to:[{field: "source.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]},
- "saddr_v6": {convert: to_ip, to:[{field: "source.ip", setter:
fld_set},{field: "related.ip", setter: fld_append}]},
- "sbytes": {convert: to_long, to:[{field: "source.bytes", setter: fld_set}]},
- "sdomain": {to:[{field: "source.domain", setter: fld_prio, prio: 0}]},
- "service": {to:[{field: "service.name", setter: fld_prio, prio: 1}]},
- "service.name": {to:[{field: "service.name", setter: fld_prio, prio: 0}]},
- "service_account": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 7}]},
- "severity": {to:[{field: "log.level", setter: fld_set}]},
- "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]},
- "sinterface": {to:[{field: "observer.ingress.interface.name", setter: fld_set}]},
- "sld": {to:[{field: "url.registered_domain", setter: fld_set}]},
- "smacaddr": {convert: to_mac, to:[{field: "source.mac", setter: fld_set}]},
- "sport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 0}]},
- "stransaddr": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]},
- "stransport": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 0}]},
- "tcp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 2}]},
- "tcp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 2}]},
- "timezone": {to:[{field: "event.timezone", setter: fld_set}]},
- "tld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 0}]},
- "udp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 3}]},
- "udp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 3}]},
- "uid": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 3}]},
- "url": {to:[{field: "url.original", setter: fld_prio, prio: 1}]},
- "url_raw": {to:[{field: "url.original", setter: fld_prio, prio:
0}]},
- "urldomain": {to:[{field: "url.domain", setter: fld_prio, prio: 0}]},
- "urlquery": {to:[{field: "url.query", setter: fld_prio, prio: 0}]},
- "user": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 0}]},
- "user.id": {to:[{field: "user.id", setter: fld_prio, prio: 1}]},
- "user_agent": {to:[{field: "user_agent.original", setter: fld_set}]},
- "user_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 0}]},
- "user_id": {to:[{field: "user.id", setter: fld_prio, prio: 0}]},
- "username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 1}]},
- "version": {to:[{field: "observer.version", setter: fld_set}]},
- "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]},
- "web_extension": {to:[{field: "file.extension", setter: fld_prio, prio: 0}]},
- "web_query": {to:[{field: "url.query", setter: fld_prio, prio: 1}]},
- "web_ref_domain": {to:[{field: "related.hosts", setter: fld_append}]},
- "web_referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 0}]},
- "web_root": {to:[{field: "url.path", setter: fld_set}]},
- "webpage": {to:[{field: "file.name", setter: fld_prio, prio: 1}]},
- };
-
- var rsa_mappings = {
- "access_point": {to:[{field: "rsa.wireless.access_point", setter: fld_set}]},
- "accesses": {to:[{field: "rsa.identity.accesses", setter: fld_set}]},
- "acl_id": {to:[{field: "rsa.misc.acl_id", setter: fld_set}]},
- "acl_op": {to:[{field: "rsa.misc.acl_op", setter: fld_set}]},
- "acl_pos": {to:[{field: "rsa.misc.acl_pos", setter: fld_set}]},
- "acl_table": {to:[{field: "rsa.misc.acl_table", setter: fld_set}]},
- "action": {to:[{field: "rsa.misc.action", setter: fld_append}]},
- "ad_computer_dst": {to:[{field: "rsa.network.ad_computer_dst", setter: fld_set}]},
- "addr": {to:[{field: "rsa.network.addr", setter: fld_set}]},
- "admin": {to:[{field: "rsa.misc.admin", setter:
fld_set}]},
- "agent": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 0}]},
- "agent.id": {to:[{field: "rsa.misc.agent_id", setter: fld_set}]},
- "alarm_id": {to:[{field: "rsa.misc.alarm_id", setter: fld_set}]},
- "alarmname": {to:[{field: "rsa.misc.alarmname", setter: fld_set}]},
- "alert": {to:[{field: "rsa.threat.alert", setter: fld_set}]},
- "alert_id": {to:[{field: "rsa.misc.alert_id", setter: fld_set}]},
- "alias.host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
- "analysis.file": {to:[{field: "rsa.investigations.analysis_file", setter: fld_set}]},
- "analysis.service": {to:[{field: "rsa.investigations.analysis_service", setter: fld_set}]},
- "analysis.session": {to:[{field: "rsa.investigations.analysis_session", setter: fld_set}]},
- "app_id": {to:[{field: "rsa.misc.app_id", setter: fld_set}]},
- "attachment": {to:[{field: "rsa.file.attachment", setter: fld_set}]},
- "audit": {to:[{field: "rsa.misc.audit", setter: fld_set}]},
- "audit_class": {to:[{field: "rsa.internal.audit_class", setter: fld_set}]},
- "audit_object": {to:[{field: "rsa.misc.audit_object", setter: fld_set}]},
- "auditdata": {to:[{field: "rsa.misc.auditdata", setter: fld_set}]},
- "authmethod": {to:[{field: "rsa.identity.auth_method", setter: fld_set}]},
- "autorun_type": {to:[{field: "rsa.misc.autorun_type", setter: fld_set}]},
- "bcc": {to:[{field: "rsa.email.email", setter: fld_append}]},
- "benchmark": {to:[{field: "rsa.misc.benchmark", setter: fld_set}]},
- "binary": {to:[{field: "rsa.file.binary", setter: fld_set}]},
- "boc": {to:[{field: "rsa.investigations.boc", setter: fld_set}]},
- "bssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 1}]},
- "bypass": {to:[{field: "rsa.misc.bypass", setter: fld_set}]},
- "c_sid": {to:[{field: "rsa.identity.user_sid_src", setter: fld_set}]},
- "cache": {to:[{field: "rsa.misc.cache", setter: fld_set}]},
- "cache_hit": {to:[{field: "rsa.misc.cache_hit", setter: fld_set}]},
- "calling_from": {to:[{field:
"rsa.misc.phone", setter: fld_prio, prio: 1}]},
- "calling_to": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 0}]},
- "category": {to:[{field: "rsa.misc.category", setter: fld_set}]},
- "cc": {to:[{field: "rsa.email.email", setter: fld_append}]},
- "cc.number": {convert: to_long, to:[{field: "rsa.misc.cc_number", setter: fld_set}]},
- "cefversion": {to:[{field: "rsa.misc.cefversion", setter: fld_set}]},
- "cert.serial": {to:[{field: "rsa.crypto.cert_serial", setter: fld_set}]},
- "cert_ca": {to:[{field: "rsa.crypto.cert_ca", setter: fld_set}]},
- "cert_checksum": {to:[{field: "rsa.crypto.cert_checksum", setter: fld_set}]},
- "cert_common": {to:[{field: "rsa.crypto.cert_common", setter: fld_set}]},
- "cert_error": {to:[{field: "rsa.crypto.cert_error", setter: fld_set}]},
- "cert_hostname": {to:[{field: "rsa.crypto.cert_host_name", setter: fld_set}]},
- "cert_hostname_cat": {to:[{field: "rsa.crypto.cert_host_cat", setter: fld_set}]},
- "cert_issuer": {to:[{field: "rsa.crypto.cert_issuer", setter: fld_set}]},
- "cert_keysize": {to:[{field: "rsa.crypto.cert_keysize", setter: fld_set}]},
- "cert_status": {to:[{field: "rsa.crypto.cert_status", setter: fld_set}]},
- "cert_subject": {to:[{field: "rsa.crypto.cert_subject", setter: fld_set}]},
- "cert_username": {to:[{field: "rsa.crypto.cert_username", setter: fld_set}]},
- "cfg.attr": {to:[{field: "rsa.misc.cfg_attr", setter: fld_set}]},
- "cfg.obj": {to:[{field: "rsa.misc.cfg_obj", setter: fld_set}]},
- "cfg.path": {to:[{field: "rsa.misc.cfg_path", setter: fld_set}]},
- "change_attribute": {to:[{field: "rsa.misc.change_attrib", setter: fld_set}]},
- "change_new": {to:[{field: "rsa.misc.change_new", setter: fld_set}]},
- "change_old": {to:[{field: "rsa.misc.change_old", setter: fld_set}]},
- "changes": {to:[{field: "rsa.misc.changes", setter: fld_set}]},
- "checksum": {to:[{field: "rsa.misc.checksum", setter: fld_set}]},
- "checksum.dst": {to:[{field: "rsa.misc.checksum_dst", setter: fld_set}]},
- "checksum.src":
{to:[{field: "rsa.misc.checksum_src", setter: fld_set}]},
- "cid": {to:[{field: "rsa.internal.cid", setter: fld_set}]},
- "client": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 1}]},
- "client_ip": {to:[{field: "rsa.misc.client_ip", setter: fld_set}]},
- "clustermembers": {to:[{field: "rsa.misc.clustermembers", setter: fld_set}]},
- "cmd": {to:[{field: "rsa.misc.cmd", setter: fld_set}]},
- "cn_acttimeout": {to:[{field: "rsa.misc.cn_acttimeout", setter: fld_set}]},
- "cn_asn_dst": {to:[{field: "rsa.web.cn_asn_dst", setter: fld_set}]},
- "cn_asn_src": {to:[{field: "rsa.misc.cn_asn_src", setter: fld_set}]},
- "cn_bgpv4nxthop": {to:[{field: "rsa.misc.cn_bgpv4nxthop", setter: fld_set}]},
- "cn_ctr_dst_code": {to:[{field: "rsa.misc.cn_ctr_dst_code", setter: fld_set}]},
- "cn_dst_tos": {to:[{field: "rsa.misc.cn_dst_tos", setter: fld_set}]},
- "cn_dst_vlan": {to:[{field: "rsa.misc.cn_dst_vlan", setter: fld_set}]},
- "cn_engine_id": {to:[{field: "rsa.misc.cn_engine_id", setter: fld_set}]},
- "cn_engine_type": {to:[{field: "rsa.misc.cn_engine_type", setter: fld_set}]},
- "cn_f_switch": {to:[{field: "rsa.misc.cn_f_switch", setter: fld_set}]},
- "cn_flowsampid": {to:[{field: "rsa.misc.cn_flowsampid", setter: fld_set}]},
- "cn_flowsampintv": {to:[{field: "rsa.misc.cn_flowsampintv", setter: fld_set}]},
- "cn_flowsampmode": {to:[{field: "rsa.misc.cn_flowsampmode", setter: fld_set}]},
- "cn_inacttimeout": {to:[{field: "rsa.misc.cn_inacttimeout", setter: fld_set}]},
- "cn_inpermbyts": {to:[{field: "rsa.misc.cn_inpermbyts", setter: fld_set}]},
- "cn_inpermpckts": {to:[{field: "rsa.misc.cn_inpermpckts", setter: fld_set}]},
- "cn_invalid": {to:[{field: "rsa.misc.cn_invalid", setter: fld_set}]},
- "cn_ip_proto_ver": {to:[{field: "rsa.misc.cn_ip_proto_ver", setter: fld_set}]},
- "cn_ipv4_ident": {to:[{field: "rsa.misc.cn_ipv4_ident", setter: fld_set}]},
- "cn_l_switch": {to:[{field: "rsa.misc.cn_l_switch", setter: fld_set}]},
- "cn_log_did": {to:[{field:
"rsa.misc.cn_log_did", setter: fld_set}]},
- "cn_log_rid": {to:[{field: "rsa.misc.cn_log_rid", setter: fld_set}]},
- "cn_max_ttl": {to:[{field: "rsa.misc.cn_max_ttl", setter: fld_set}]},
- "cn_maxpcktlen": {to:[{field: "rsa.misc.cn_maxpcktlen", setter: fld_set}]},
- "cn_min_ttl": {to:[{field: "rsa.misc.cn_min_ttl", setter: fld_set}]},
- "cn_minpcktlen": {to:[{field: "rsa.misc.cn_minpcktlen", setter: fld_set}]},
- "cn_mpls_lbl_1": {to:[{field: "rsa.misc.cn_mpls_lbl_1", setter: fld_set}]},
- "cn_mpls_lbl_10": {to:[{field: "rsa.misc.cn_mpls_lbl_10", setter: fld_set}]},
- "cn_mpls_lbl_2": {to:[{field: "rsa.misc.cn_mpls_lbl_2", setter: fld_set}]},
- "cn_mpls_lbl_3": {to:[{field: "rsa.misc.cn_mpls_lbl_3", setter: fld_set}]},
- "cn_mpls_lbl_4": {to:[{field: "rsa.misc.cn_mpls_lbl_4", setter: fld_set}]},
- "cn_mpls_lbl_5": {to:[{field: "rsa.misc.cn_mpls_lbl_5", setter: fld_set}]},
- "cn_mpls_lbl_6": {to:[{field: "rsa.misc.cn_mpls_lbl_6", setter: fld_set}]},
- "cn_mpls_lbl_7": {to:[{field: "rsa.misc.cn_mpls_lbl_7", setter: fld_set}]},
- "cn_mpls_lbl_8": {to:[{field: "rsa.misc.cn_mpls_lbl_8", setter: fld_set}]},
- "cn_mpls_lbl_9": {to:[{field: "rsa.misc.cn_mpls_lbl_9", setter: fld_set}]},
- "cn_mplstoplabel": {to:[{field: "rsa.misc.cn_mplstoplabel", setter: fld_set}]},
- "cn_mplstoplabip": {to:[{field: "rsa.misc.cn_mplstoplabip", setter: fld_set}]},
- "cn_mul_dst_byt": {to:[{field: "rsa.misc.cn_mul_dst_byt", setter: fld_set}]},
- "cn_mul_dst_pks": {to:[{field: "rsa.misc.cn_mul_dst_pks", setter: fld_set}]},
- "cn_muligmptype": {to:[{field: "rsa.misc.cn_muligmptype", setter: fld_set}]},
- "cn_rpackets": {to:[{field: "rsa.web.cn_rpackets", setter: fld_set}]},
- "cn_sampalgo": {to:[{field: "rsa.misc.cn_sampalgo", setter: fld_set}]},
- "cn_sampint": {to:[{field: "rsa.misc.cn_sampint", setter: fld_set}]},
- "cn_seqctr": {to:[{field: "rsa.misc.cn_seqctr", setter: fld_set}]},
- "cn_spackets": {to:[{field: "rsa.misc.cn_spackets", setter: fld_set}]},
- "cn_src_tos": {to:[{field:
"rsa.misc.cn_src_tos", setter: fld_set}]},
- "cn_src_vlan": {to:[{field: "rsa.misc.cn_src_vlan", setter: fld_set}]},
- "cn_sysuptime": {to:[{field: "rsa.misc.cn_sysuptime", setter: fld_set}]},
- "cn_template_id": {to:[{field: "rsa.misc.cn_template_id", setter: fld_set}]},
- "cn_totbytsexp": {to:[{field: "rsa.misc.cn_totbytsexp", setter: fld_set}]},
- "cn_totflowexp": {to:[{field: "rsa.misc.cn_totflowexp", setter: fld_set}]},
- "cn_totpcktsexp": {to:[{field: "rsa.misc.cn_totpcktsexp", setter: fld_set}]},
- "cn_unixnanosecs": {to:[{field: "rsa.misc.cn_unixnanosecs", setter: fld_set}]},
- "cn_v6flowlabel": {to:[{field: "rsa.misc.cn_v6flowlabel", setter: fld_set}]},
- "cn_v6optheaders": {to:[{field: "rsa.misc.cn_v6optheaders", setter: fld_set}]},
- "code": {to:[{field: "rsa.misc.code", setter: fld_set}]},
- "command": {to:[{field: "rsa.misc.command", setter: fld_set}]},
- "comments": {to:[{field: "rsa.misc.comments", setter: fld_set}]},
- "comp_class": {to:[{field: "rsa.misc.comp_class", setter: fld_set}]},
- "comp_name": {to:[{field: "rsa.misc.comp_name", setter: fld_set}]},
- "comp_rbytes": {to:[{field: "rsa.misc.comp_rbytes", setter: fld_set}]},
- "comp_sbytes": {to:[{field: "rsa.misc.comp_sbytes", setter: fld_set}]},
- "component_version": {to:[{field: "rsa.misc.comp_version", setter: fld_set}]},
- "connection_id": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 1}]},
- "connectionid": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 0}]},
- "content": {to:[{field: "rsa.misc.content", setter: fld_set}]},
- "content_type": {to:[{field: "rsa.misc.content_type", setter: fld_set}]},
- "content_version": {to:[{field: "rsa.misc.content_version", setter: fld_set}]},
- "context": {to:[{field: "rsa.misc.context", setter: fld_set}]},
- "count": {to:[{field: "rsa.misc.count", setter: fld_set}]},
- "cpu": {convert: to_long, to:[{field: "rsa.misc.cpu", setter: fld_set}]},
- "cpu_data": {to:[{field: "rsa.misc.cpu_data", setter: fld_set}]},
-
"criticality": {to:[{field: "rsa.misc.criticality", setter: fld_set}]},
- "cs_agency_dst": {to:[{field: "rsa.misc.cs_agency_dst", setter: fld_set}]},
- "cs_analyzedby": {to:[{field: "rsa.misc.cs_analyzedby", setter: fld_set}]},
- "cs_av_other": {to:[{field: "rsa.misc.cs_av_other", setter: fld_set}]},
- "cs_av_primary": {to:[{field: "rsa.misc.cs_av_primary", setter: fld_set}]},
- "cs_av_secondary": {to:[{field: "rsa.misc.cs_av_secondary", setter: fld_set}]},
- "cs_bgpv6nxthop": {to:[{field: "rsa.misc.cs_bgpv6nxthop", setter: fld_set}]},
- "cs_bit9status": {to:[{field: "rsa.misc.cs_bit9status", setter: fld_set}]},
- "cs_context": {to:[{field: "rsa.misc.cs_context", setter: fld_set}]},
- "cs_control": {to:[{field: "rsa.misc.cs_control", setter: fld_set}]},
- "cs_data": {to:[{field: "rsa.misc.cs_data", setter: fld_set}]},
- "cs_datecret": {to:[{field: "rsa.misc.cs_datecret", setter: fld_set}]},
- "cs_dst_tld": {to:[{field: "rsa.misc.cs_dst_tld", setter: fld_set}]},
- "cs_eth_dst_ven": {to:[{field: "rsa.misc.cs_eth_dst_ven", setter: fld_set}]},
- "cs_eth_src_ven": {to:[{field: "rsa.misc.cs_eth_src_ven", setter: fld_set}]},
- "cs_event_uuid": {to:[{field: "rsa.misc.cs_event_uuid", setter: fld_set}]},
- "cs_filetype": {to:[{field: "rsa.misc.cs_filetype", setter: fld_set}]},
- "cs_fld": {to:[{field: "rsa.misc.cs_fld", setter: fld_set}]},
- "cs_if_desc": {to:[{field: "rsa.misc.cs_if_desc", setter: fld_set}]},
- "cs_if_name": {to:[{field: "rsa.misc.cs_if_name", setter: fld_set}]},
- "cs_ip_next_hop": {to:[{field: "rsa.misc.cs_ip_next_hop", setter: fld_set}]},
- "cs_ipv4dstpre": {to:[{field: "rsa.misc.cs_ipv4dstpre", setter: fld_set}]},
- "cs_ipv4srcpre": {to:[{field: "rsa.misc.cs_ipv4srcpre", setter: fld_set}]},
- "cs_lifetime": {to:[{field: "rsa.misc.cs_lifetime", setter: fld_set}]},
- "cs_log_medium": {to:[{field: "rsa.misc.cs_log_medium", setter: fld_set}]},
- "cs_loginname": {to:[{field: "rsa.misc.cs_loginname", setter: fld_set}]},
- "cs_modulescore": {to:[{field:
"rsa.misc.cs_modulescore", setter: fld_set}]},
- "cs_modulesign": {to:[{field: "rsa.misc.cs_modulesign", setter: fld_set}]},
- "cs_opswatresult": {to:[{field: "rsa.misc.cs_opswatresult", setter: fld_set}]},
- "cs_payload": {to:[{field: "rsa.misc.cs_payload", setter: fld_set}]},
- "cs_registrant": {to:[{field: "rsa.misc.cs_registrant", setter: fld_set}]},
- "cs_registrar": {to:[{field: "rsa.misc.cs_registrar", setter: fld_set}]},
- "cs_represult": {to:[{field: "rsa.misc.cs_represult", setter: fld_set}]},
- "cs_rpayload": {to:[{field: "rsa.misc.cs_rpayload", setter: fld_set}]},
- "cs_sampler_name": {to:[{field: "rsa.misc.cs_sampler_name", setter: fld_set}]},
- "cs_sourcemodule": {to:[{field: "rsa.misc.cs_sourcemodule", setter: fld_set}]},
- "cs_streams": {to:[{field: "rsa.misc.cs_streams", setter: fld_set}]},
- "cs_targetmodule": {to:[{field: "rsa.misc.cs_targetmodule", setter: fld_set}]},
- "cs_v6nxthop": {to:[{field: "rsa.misc.cs_v6nxthop", setter: fld_set}]},
- "cs_whois_server": {to:[{field: "rsa.misc.cs_whois_server", setter: fld_set}]},
- "cs_yararesult": {to:[{field: "rsa.misc.cs_yararesult", setter: fld_set}]},
- "cve": {to:[{field: "rsa.misc.cve", setter: fld_set}]},
- "d_certauth": {to:[{field: "rsa.crypto.d_certauth", setter: fld_set}]},
- "d_cipher": {to:[{field: "rsa.crypto.cipher_dst", setter: fld_set}]},
- "d_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_dst", setter: fld_set}]},
- "d_sslver": {to:[{field: "rsa.crypto.ssl_ver_dst", setter: fld_set}]},
- "data": {to:[{field: "rsa.internal.data", setter: fld_set}]},
- "data_type": {to:[{field: "rsa.misc.data_type", setter: fld_set}]},
- "date": {to:[{field: "rsa.time.date", setter: fld_set}]},
- "datetime": {to:[{field: "rsa.time.datetime", setter: fld_set}]},
- "day": {to:[{field: "rsa.time.day", setter: fld_set}]},
- "db_id": {to:[{field: "rsa.db.db_id", setter: fld_set}]},
- "db_name": {to:[{field: "rsa.db.database", setter: fld_set}]},
- "db_pid": {convert: to_long, to:[{field:
"rsa.db.db_pid", setter: fld_set}]},
- "dclass_counter1": {convert: to_long, to:[{field: "rsa.counters.dclass_c1", setter: fld_set}]},
- "dclass_counter1_string": {to:[{field: "rsa.counters.dclass_c1_str", setter: fld_set}]},
- "dclass_counter2": {convert: to_long, to:[{field: "rsa.counters.dclass_c2", setter: fld_set}]},
- "dclass_counter2_string": {to:[{field: "rsa.counters.dclass_c2_str", setter: fld_set}]},
- "dclass_counter3": {convert: to_long, to:[{field: "rsa.counters.dclass_c3", setter: fld_set}]},
- "dclass_counter3_string": {to:[{field: "rsa.counters.dclass_c3_str", setter: fld_set}]},
- "dclass_ratio1": {to:[{field: "rsa.counters.dclass_r1", setter: fld_set}]},
- "dclass_ratio1_string": {to:[{field: "rsa.counters.dclass_r1_str", setter: fld_set}]},
- "dclass_ratio2": {to:[{field: "rsa.counters.dclass_r2", setter: fld_set}]},
- "dclass_ratio2_string": {to:[{field: "rsa.counters.dclass_r2_str", setter: fld_set}]},
- "dclass_ratio3": {to:[{field: "rsa.counters.dclass_r3", setter: fld_set}]},
- "dclass_ratio3_string": {to:[{field: "rsa.counters.dclass_r3_str", setter: fld_set}]},
- "dead": {convert: to_long, to:[{field: "rsa.internal.dead", setter: fld_set}]},
- "description": {to:[{field: "rsa.misc.description", setter: fld_set}]},
- "detail": {to:[{field: "rsa.misc.event_desc", setter: fld_set}]},
- "device": {to:[{field: "rsa.misc.device_name", setter: fld_set}]},
- "device.class": {to:[{field: "rsa.internal.device_class", setter: fld_set}]},
- "device.group": {to:[{field: "rsa.internal.device_group", setter: fld_set}]},
- "device.host": {to:[{field: "rsa.internal.device_host", setter: fld_set}]},
- "device.ip": {convert: to_ip, to:[{field: "rsa.internal.device_ip", setter: fld_set}]},
- "device.ipv6": {convert: to_ip, to:[{field: "rsa.internal.device_ipv6", setter: fld_set}]},
- "device.type": {to:[{field: "rsa.internal.device_type", setter: fld_set}]},
- "device.type.id": {convert: to_long, to:[{field: "rsa.internal.device_type_id", setter: fld_set}]},
- "devicehostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
- "devvendor": {to:[{field: "rsa.misc.devvendor", setter: fld_set}]},
- "dhost": {to:[{field: "rsa.network.host_dst", setter: fld_set}]},
- "did": {to:[{field: "rsa.internal.did", setter: fld_set}]},
- "dinterface": {to:[{field: "rsa.network.dinterface", setter: fld_set}]},
- "directory.dst": {to:[{field: "rsa.file.directory_dst", setter: fld_set}]},
- "directory.src": {to:[{field: "rsa.file.directory_src", setter: fld_set}]},
- "disk_volume": {to:[{field: "rsa.storage.disk_volume", setter: fld_set}]},
- "disposition": {to:[{field: "rsa.misc.disposition", setter: fld_set}]},
- "distance": {to:[{field: "rsa.misc.distance", setter: fld_set}]},
- "dmask": {to:[{field: "rsa.network.dmask", setter: fld_set}]},
- "dn": {to:[{field: "rsa.identity.dn", setter: fld_set}]},
- "dns_a_record": {to:[{field: "rsa.network.dns_a_record", setter: fld_set}]},
- "dns_cname_record": {to:[{field: "rsa.network.dns_cname_record", setter: fld_set}]},
- "dns_id": {to:[{field: "rsa.network.dns_id", setter: fld_set}]},
- "dns_opcode": {to:[{field: "rsa.network.dns_opcode", setter: fld_set}]},
- "dns_ptr_record": {to:[{field: "rsa.network.dns_ptr_record", setter: fld_set}]},
- "dns_resp": {to:[{field: "rsa.network.dns_resp", setter: fld_set}]},
- "dns_type": {to:[{field: "rsa.network.dns_type", setter: fld_set}]},
- "doc_number": {convert: to_long, to:[{field: "rsa.misc.doc_number", setter: fld_set}]},
- "domain": {to:[{field: "rsa.network.domain", setter: fld_set}]},
- "domain1": {to:[{field: "rsa.network.domain1", setter: fld_set}]},
- "dst_dn": {to:[{field: "rsa.identity.dn_dst", setter: fld_set}]},
- "dst_payload": {to:[{field: "rsa.misc.payload_dst", setter: fld_set}]},
- "dst_spi": {to:[{field: "rsa.misc.spi_dst", setter: fld_set}]},
- "dst_zone": {to:[{field: "rsa.network.zone_dst", setter: fld_set}]},
- "dstburb": {to:[{field: "rsa.misc.dstburb", setter: fld_set}]},
- "duration": {convert: to_double,
to:[{field: "rsa.time.duration_time", setter: fld_set}]}, - "duration_string": {to:[{field: "rsa.time.duration_str", setter: fld_set}]}, - "ec_activity": {to:[{field: "rsa.investigations.ec_activity", setter: fld_set}]}, - "ec_outcome": {to:[{field: "rsa.investigations.ec_outcome", setter: fld_set}]}, - "ec_subject": {to:[{field: "rsa.investigations.ec_subject", setter: fld_set}]}, - "ec_theme": {to:[{field: "rsa.investigations.ec_theme", setter: fld_set}]}, - "edomain": {to:[{field: "rsa.misc.edomain", setter: fld_set}]}, - "edomaub": {to:[{field: "rsa.misc.edomaub", setter: fld_set}]}, - "effective_time": {convert: to_date, to:[{field: "rsa.time.effective_time", setter: fld_set}]}, - "ein.number": {convert: to_long, to:[{field: "rsa.misc.ein_number", setter: fld_set}]}, - "email": {to:[{field: "rsa.email.email", setter: fld_append}]}, - "encryption_type": {to:[{field: "rsa.crypto.crypto", setter: fld_set}]}, - "endtime": {convert: to_date, to:[{field: "rsa.time.endtime", setter: fld_set}]}, - "entropy.req": {convert: to_long, to:[{field: "rsa.internal.entropy_req", setter: fld_set}]}, - "entropy.res": {convert: to_long, to:[{field: "rsa.internal.entropy_res", setter: fld_set}]}, - "entry": {to:[{field: "rsa.internal.entry", setter: fld_set}]}, - "eoc": {to:[{field: "rsa.investigations.eoc", setter: fld_set}]}, - "error": {to:[{field: "rsa.misc.error", setter: fld_set}]}, - "eth_type": {convert: to_long, to:[{field: "rsa.network.eth_type", setter: fld_set}]}, - "euid": {to:[{field: "rsa.misc.euid", setter: fld_set}]}, - "event.cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 1}]}, - "event.cat.name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 1}]}, - "event_cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 0}]}, - "event_cat_name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 0}]}, - "event_category": {to:[{field: 
"rsa.misc.event_category", setter: fld_set}]}, - "event_computer": {to:[{field: "rsa.misc.event_computer", setter: fld_set}]}, - "event_counter": {convert: to_long, to:[{field: "rsa.counters.event_counter", setter: fld_set}]}, - "event_description": {to:[{field: "rsa.internal.event_desc", setter: fld_set}]}, - "event_id": {to:[{field: "rsa.misc.event_id", setter: fld_set}]}, - "event_log": {to:[{field: "rsa.misc.event_log", setter: fld_set}]}, - "event_name": {to:[{field: "rsa.internal.event_name", setter: fld_set}]}, - "event_queue_time": {convert: to_date, to:[{field: "rsa.time.event_queue_time", setter: fld_set}]}, - "event_source": {to:[{field: "rsa.misc.event_source", setter: fld_set}]}, - "event_state": {to:[{field: "rsa.misc.event_state", setter: fld_set}]}, - "event_time": {convert: to_date, to:[{field: "rsa.time.event_time", setter: fld_set}]}, - "event_time_str": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 1}]}, - "event_time_string": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 0}]}, - "event_type": {to:[{field: "rsa.misc.event_type", setter: fld_set}]}, - "event_user": {to:[{field: "rsa.misc.event_user", setter: fld_set}]}, - "eventtime": {to:[{field: "rsa.time.eventtime", setter: fld_set}]}, - "expected_val": {to:[{field: "rsa.misc.expected_val", setter: fld_set}]}, - "expiration_time": {convert: to_date, to:[{field: "rsa.time.expire_time", setter: fld_set}]}, - "expiration_time_string": {to:[{field: "rsa.time.expire_time_str", setter: fld_set}]}, - "facility": {to:[{field: "rsa.misc.facility", setter: fld_set}]}, - "facilityname": {to:[{field: "rsa.misc.facilityname", setter: fld_set}]}, - "faddr": {to:[{field: "rsa.network.faddr", setter: fld_set}]}, - "fcatnum": {to:[{field: "rsa.misc.fcatnum", setter: fld_set}]}, - "federated_idp": {to:[{field: "rsa.identity.federated_idp", setter: fld_set}]}, - "federated_sp": {to:[{field: "rsa.identity.federated_sp", setter: fld_set}]}, - "feed.category": {to:[{field: 
"rsa.internal.feed_category", setter: fld_set}]}, - "feed_desc": {to:[{field: "rsa.internal.feed_desc", setter: fld_set}]}, - "feed_name": {to:[{field: "rsa.internal.feed_name", setter: fld_set}]}, - "fhost": {to:[{field: "rsa.network.fhost", setter: fld_set}]}, - "file_entropy": {convert: to_double, to:[{field: "rsa.file.file_entropy", setter: fld_set}]}, - "file_vendor": {to:[{field: "rsa.file.file_vendor", setter: fld_set}]}, - "filename_dst": {to:[{field: "rsa.file.filename_dst", setter: fld_set}]}, - "filename_src": {to:[{field: "rsa.file.filename_src", setter: fld_set}]}, - "filename_tmp": {to:[{field: "rsa.file.filename_tmp", setter: fld_set}]}, - "filesystem": {to:[{field: "rsa.file.filesystem", setter: fld_set}]}, - "filter": {to:[{field: "rsa.misc.filter", setter: fld_set}]}, - "finterface": {to:[{field: "rsa.misc.finterface", setter: fld_set}]}, - "flags": {to:[{field: "rsa.misc.flags", setter: fld_set}]}, - "forensic_info": {to:[{field: "rsa.misc.forensic_info", setter: fld_set}]}, - "forward.ip": {convert: to_ip, to:[{field: "rsa.internal.forward_ip", setter: fld_set}]}, - "forward.ipv6": {convert: to_ip, to:[{field: "rsa.internal.forward_ipv6", setter: fld_set}]}, - "found": {to:[{field: "rsa.misc.found", setter: fld_set}]}, - "fport": {to:[{field: "rsa.network.fport", setter: fld_set}]}, - "fqdn": {to:[{field: "rsa.web.fqdn", setter: fld_set}]}, - "fresult": {convert: to_long, to:[{field: "rsa.misc.fresult", setter: fld_set}]}, - "from": {to:[{field: "rsa.email.email_src", setter: fld_set}]}, - "gaddr": {to:[{field: "rsa.misc.gaddr", setter: fld_set}]}, - "gateway": {to:[{field: "rsa.network.gateway", setter: fld_set}]}, - "gmtdate": {to:[{field: "rsa.time.gmtdate", setter: fld_set}]}, - "gmttime": {to:[{field: "rsa.time.gmttime", setter: fld_set}]}, - "group": {to:[{field: "rsa.misc.group", setter: fld_set}]}, - "group_object": {to:[{field: "rsa.misc.group_object", setter: fld_set}]}, - "groupid": {to:[{field: "rsa.misc.group_id", setter: 
fld_set}]}, - "h_code": {to:[{field: "rsa.internal.hcode", setter: fld_set}]}, - "hardware_id": {to:[{field: "rsa.misc.hardware_id", setter: fld_set}]}, - "header.id": {to:[{field: "rsa.internal.header_id", setter: fld_set}]}, - "host.orig": {to:[{field: "rsa.network.host_orig", setter: fld_set}]}, - "host.state": {to:[{field: "rsa.endpoint.host_state", setter: fld_set}]}, - "host.type": {to:[{field: "rsa.network.host_type", setter: fld_set}]}, - "host_role": {to:[{field: "rsa.identity.host_role", setter: fld_set}]}, - "hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "hostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "hour": {to:[{field: "rsa.time.hour", setter: fld_set}]}, - "https.insact": {to:[{field: "rsa.crypto.https_insact", setter: fld_set}]}, - "https.valid": {to:[{field: "rsa.crypto.https_valid", setter: fld_set}]}, - "icmpcode": {convert: to_long, to:[{field: "rsa.network.icmp_code", setter: fld_set}]}, - "icmptype": {convert: to_long, to:[{field: "rsa.network.icmp_type", setter: fld_set}]}, - "id": {to:[{field: "rsa.misc.reference_id", setter: fld_set}]}, - "id1": {to:[{field: "rsa.misc.reference_id1", setter: fld_set}]}, - "id2": {to:[{field: "rsa.misc.reference_id2", setter: fld_set}]}, - "id3": {to:[{field: "rsa.misc.id3", setter: fld_set}]}, - "ike": {to:[{field: "rsa.crypto.ike", setter: fld_set}]}, - "ike_cookie1": {to:[{field: "rsa.crypto.ike_cookie1", setter: fld_set}]}, - "ike_cookie2": {to:[{field: "rsa.crypto.ike_cookie2", setter: fld_set}]}, - "im_buddyid": {to:[{field: "rsa.misc.im_buddyid", setter: fld_set}]}, - "im_buddyname": {to:[{field: "rsa.misc.im_buddyname", setter: fld_set}]}, - "im_client": {to:[{field: "rsa.misc.im_client", setter: fld_set}]}, - "im_croomid": {to:[{field: "rsa.misc.im_croomid", setter: fld_set}]}, - "im_croomtype": {to:[{field: "rsa.misc.im_croomtype", setter: fld_set}]}, - "im_members": {to:[{field: "rsa.misc.im_members", setter: fld_set}]}, - "im_userid": 
{to:[{field: "rsa.misc.im_userid", setter: fld_set}]}, - "im_username": {to:[{field: "rsa.misc.im_username", setter: fld_set}]}, - "index": {to:[{field: "rsa.misc.index", setter: fld_set}]}, - "info": {to:[{field: "rsa.db.index", setter: fld_set}]}, - "inode": {convert: to_long, to:[{field: "rsa.internal.inode", setter: fld_set}]}, - "inout": {to:[{field: "rsa.misc.inout", setter: fld_set}]}, - "instance": {to:[{field: "rsa.db.instance", setter: fld_set}]}, - "interface": {to:[{field: "rsa.network.interface", setter: fld_set}]}, - "inv.category": {to:[{field: "rsa.investigations.inv_category", setter: fld_set}]}, - "inv.context": {to:[{field: "rsa.investigations.inv_context", setter: fld_set}]}, - "ioc": {to:[{field: "rsa.investigations.ioc", setter: fld_set}]}, - "ip_proto": {convert: to_long, to:[{field: "rsa.network.ip_proto", setter: fld_set}]}, - "ipkt": {to:[{field: "rsa.misc.ipkt", setter: fld_set}]}, - "ipscat": {to:[{field: "rsa.misc.ipscat", setter: fld_set}]}, - "ipspri": {to:[{field: "rsa.misc.ipspri", setter: fld_set}]}, - "jobname": {to:[{field: "rsa.misc.jobname", setter: fld_set}]}, - "jobnum": {to:[{field: "rsa.misc.job_num", setter: fld_set}]}, - "laddr": {to:[{field: "rsa.network.laddr", setter: fld_set}]}, - "language": {to:[{field: "rsa.misc.language", setter: fld_set}]}, - "latitude": {to:[{field: "rsa.misc.latitude", setter: fld_set}]}, - "lc.cid": {to:[{field: "rsa.internal.lc_cid", setter: fld_set}]}, - "lc.ctime": {convert: to_date, to:[{field: "rsa.internal.lc_ctime", setter: fld_set}]}, - "ldap": {to:[{field: "rsa.identity.ldap", setter: fld_set}]}, - "ldap.query": {to:[{field: "rsa.identity.ldap_query", setter: fld_set}]}, - "ldap.response": {to:[{field: "rsa.identity.ldap_response", setter: fld_set}]}, - "level": {convert: to_long, to:[{field: "rsa.internal.level", setter: fld_set}]}, - "lhost": {to:[{field: "rsa.network.lhost", setter: fld_set}]}, - "library": {to:[{field: "rsa.misc.library", setter: fld_set}]}, - "lifetime": 
{convert: to_long, to:[{field: "rsa.misc.lifetime", setter: fld_set}]}, - "linenum": {to:[{field: "rsa.misc.linenum", setter: fld_set}]}, - "link": {to:[{field: "rsa.misc.link", setter: fld_set}]}, - "linterface": {to:[{field: "rsa.network.linterface", setter: fld_set}]}, - "list_name": {to:[{field: "rsa.misc.list_name", setter: fld_set}]}, - "listnum": {to:[{field: "rsa.misc.listnum", setter: fld_set}]}, - "load_data": {to:[{field: "rsa.misc.load_data", setter: fld_set}]}, - "location_floor": {to:[{field: "rsa.misc.location_floor", setter: fld_set}]}, - "location_mark": {to:[{field: "rsa.misc.location_mark", setter: fld_set}]}, - "log_id": {to:[{field: "rsa.misc.log_id", setter: fld_set}]}, - "log_type": {to:[{field: "rsa.misc.log_type", setter: fld_set}]}, - "logid": {to:[{field: "rsa.misc.logid", setter: fld_set}]}, - "logip": {to:[{field: "rsa.misc.logip", setter: fld_set}]}, - "logname": {to:[{field: "rsa.misc.logname", setter: fld_set}]}, - "logon_type": {to:[{field: "rsa.identity.logon_type", setter: fld_set}]}, - "logon_type_desc": {to:[{field: "rsa.identity.logon_type_desc", setter: fld_set}]}, - "longitude": {to:[{field: "rsa.misc.longitude", setter: fld_set}]}, - "lport": {to:[{field: "rsa.misc.lport", setter: fld_set}]}, - "lread": {convert: to_long, to:[{field: "rsa.db.lread", setter: fld_set}]}, - "lun": {to:[{field: "rsa.storage.lun", setter: fld_set}]}, - "lwrite": {convert: to_long, to:[{field: "rsa.db.lwrite", setter: fld_set}]}, - "macaddr": {convert: to_mac, to:[{field: "rsa.network.eth_host", setter: fld_set}]}, - "mail_id": {to:[{field: "rsa.misc.mail_id", setter: fld_set}]}, - "mask": {to:[{field: "rsa.network.mask", setter: fld_set}]}, - "match": {to:[{field: "rsa.misc.match", setter: fld_set}]}, - "mbug_data": {to:[{field: "rsa.misc.mbug_data", setter: fld_set}]}, - "mcb.req": {convert: to_long, to:[{field: "rsa.internal.mcb_req", setter: fld_set}]}, - "mcb.res": {convert: to_long, to:[{field: "rsa.internal.mcb_res", setter: fld_set}]}, - 
"mcbc.req": {convert: to_long, to:[{field: "rsa.internal.mcbc_req", setter: fld_set}]}, - "mcbc.res": {convert: to_long, to:[{field: "rsa.internal.mcbc_res", setter: fld_set}]}, - "medium": {convert: to_long, to:[{field: "rsa.internal.medium", setter: fld_set}]}, - "message": {to:[{field: "rsa.internal.message", setter: fld_set}]}, - "message_body": {to:[{field: "rsa.misc.message_body", setter: fld_set}]}, - "messageid": {to:[{field: "rsa.internal.messageid", setter: fld_set}]}, - "min": {to:[{field: "rsa.time.min", setter: fld_set}]}, - "misc": {to:[{field: "rsa.misc.misc", setter: fld_set}]}, - "misc_name": {to:[{field: "rsa.misc.misc_name", setter: fld_set}]}, - "mode": {to:[{field: "rsa.misc.mode", setter: fld_set}]}, - "month": {to:[{field: "rsa.time.month", setter: fld_set}]}, - "msg": {to:[{field: "rsa.internal.msg", setter: fld_set}]}, - "msgIdPart1": {to:[{field: "rsa.misc.msgIdPart1", setter: fld_set}]}, - "msgIdPart2": {to:[{field: "rsa.misc.msgIdPart2", setter: fld_set}]}, - "msgIdPart3": {to:[{field: "rsa.misc.msgIdPart3", setter: fld_set}]}, - "msgIdPart4": {to:[{field: "rsa.misc.msgIdPart4", setter: fld_set}]}, - "msg_id": {to:[{field: "rsa.internal.msg_id", setter: fld_set}]}, - "msg_type": {to:[{field: "rsa.misc.msg_type", setter: fld_set}]}, - "msgid": {to:[{field: "rsa.misc.msgid", setter: fld_set}]}, - "name": {to:[{field: "rsa.misc.name", setter: fld_set}]}, - "netname": {to:[{field: "rsa.network.netname", setter: fld_set}]}, - "netsessid": {to:[{field: "rsa.misc.netsessid", setter: fld_set}]}, - "network_port": {convert: to_long, to:[{field: "rsa.network.network_port", setter: fld_set}]}, - "network_service": {to:[{field: "rsa.network.network_service", setter: fld_set}]}, - "node": {to:[{field: "rsa.misc.node", setter: fld_set}]}, - "nodename": {to:[{field: "rsa.internal.node_name", setter: fld_set}]}, - "ntype": {to:[{field: "rsa.misc.ntype", setter: fld_set}]}, - "num": {to:[{field: "rsa.misc.num", setter: fld_set}]}, - "number": 
{to:[{field: "rsa.misc.number", setter: fld_set}]}, - "number1": {to:[{field: "rsa.misc.number1", setter: fld_set}]}, - "number2": {to:[{field: "rsa.misc.number2", setter: fld_set}]}, - "nwe.callback_id": {to:[{field: "rsa.internal.nwe_callback_id", setter: fld_set}]}, - "nwwn": {to:[{field: "rsa.misc.nwwn", setter: fld_set}]}, - "obj_id": {to:[{field: "rsa.internal.obj_id", setter: fld_set}]}, - "obj_name": {to:[{field: "rsa.misc.obj_name", setter: fld_set}]}, - "obj_server": {to:[{field: "rsa.internal.obj_server", setter: fld_set}]}, - "obj_type": {to:[{field: "rsa.misc.obj_type", setter: fld_set}]}, - "obj_value": {to:[{field: "rsa.internal.obj_val", setter: fld_set}]}, - "object": {to:[{field: "rsa.misc.object", setter: fld_set}]}, - "observed_val": {to:[{field: "rsa.misc.observed_val", setter: fld_set}]}, - "operation": {to:[{field: "rsa.misc.operation", setter: fld_set}]}, - "operation_id": {to:[{field: "rsa.misc.operation_id", setter: fld_set}]}, - "opkt": {to:[{field: "rsa.misc.opkt", setter: fld_set}]}, - "org.dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 1}]}, - "org.src": {to:[{field: "rsa.physical.org_src", setter: fld_set}]}, - "org_dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 0}]}, - "orig_from": {to:[{field: "rsa.misc.orig_from", setter: fld_set}]}, - "origin": {to:[{field: "rsa.network.origin", setter: fld_set}]}, - "original_owner": {to:[{field: "rsa.identity.owner", setter: fld_set}]}, - "os": {to:[{field: "rsa.misc.OS", setter: fld_set}]}, - "owner_id": {to:[{field: "rsa.misc.owner_id", setter: fld_set}]}, - "p_action": {to:[{field: "rsa.misc.p_action", setter: fld_set}]}, - "p_date": {to:[{field: "rsa.time.p_date", setter: fld_set}]}, - "p_filter": {to:[{field: "rsa.misc.p_filter", setter: fld_set}]}, - "p_group_object": {to:[{field: "rsa.misc.p_group_object", setter: fld_set}]}, - "p_id": {to:[{field: "rsa.misc.p_id", setter: fld_set}]}, - "p_month": {to:[{field: "rsa.time.p_month", setter: fld_set}]}, 
- "p_msgid": {to:[{field: "rsa.misc.p_msgid", setter: fld_set}]}, - "p_msgid1": {to:[{field: "rsa.misc.p_msgid1", setter: fld_set}]}, - "p_msgid2": {to:[{field: "rsa.misc.p_msgid2", setter: fld_set}]}, - "p_result1": {to:[{field: "rsa.misc.p_result1", setter: fld_set}]}, - "p_time": {to:[{field: "rsa.time.p_time", setter: fld_set}]}, - "p_time1": {to:[{field: "rsa.time.p_time1", setter: fld_set}]}, - "p_time2": {to:[{field: "rsa.time.p_time2", setter: fld_set}]}, - "p_url": {to:[{field: "rsa.web.p_url", setter: fld_set}]}, - "p_user_agent": {to:[{field: "rsa.web.p_user_agent", setter: fld_set}]}, - "p_web_cookie": {to:[{field: "rsa.web.p_web_cookie", setter: fld_set}]}, - "p_web_method": {to:[{field: "rsa.web.p_web_method", setter: fld_set}]}, - "p_web_referer": {to:[{field: "rsa.web.p_web_referer", setter: fld_set}]}, - "p_year": {to:[{field: "rsa.time.p_year", setter: fld_set}]}, - "packet_length": {to:[{field: "rsa.network.packet_length", setter: fld_set}]}, - "paddr": {convert: to_ip, to:[{field: "rsa.network.paddr", setter: fld_set}]}, - "param": {to:[{field: "rsa.misc.param", setter: fld_set}]}, - "param.dst": {to:[{field: "rsa.misc.param_dst", setter: fld_set}]}, - "param.src": {to:[{field: "rsa.misc.param_src", setter: fld_set}]}, - "parent_node": {to:[{field: "rsa.misc.parent_node", setter: fld_set}]}, - "parse.error": {to:[{field: "rsa.internal.parse_error", setter: fld_set}]}, - "password": {to:[{field: "rsa.identity.password", setter: fld_set}]}, - "password_chg": {to:[{field: "rsa.misc.password_chg", setter: fld_set}]}, - "password_expire": {to:[{field: "rsa.misc.password_expire", setter: fld_set}]}, - "patient_fname": {to:[{field: "rsa.healthcare.patient_fname", setter: fld_set}]}, - "patient_id": {to:[{field: "rsa.healthcare.patient_id", setter: fld_set}]}, - "patient_lname": {to:[{field: "rsa.healthcare.patient_lname", setter: fld_set}]}, - "patient_mname": {to:[{field: "rsa.healthcare.patient_mname", setter: fld_set}]}, - "payload.req": {convert: 
to_long, to:[{field: "rsa.internal.payload_req", setter: fld_set}]}, - "payload.res": {convert: to_long, to:[{field: "rsa.internal.payload_res", setter: fld_set}]}, - "peer": {to:[{field: "rsa.crypto.peer", setter: fld_set}]}, - "peer_id": {to:[{field: "rsa.crypto.peer_id", setter: fld_set}]}, - "permgranted": {to:[{field: "rsa.misc.permgranted", setter: fld_set}]}, - "permissions": {to:[{field: "rsa.db.permissions", setter: fld_set}]}, - "permwanted": {to:[{field: "rsa.misc.permwanted", setter: fld_set}]}, - "pgid": {to:[{field: "rsa.misc.pgid", setter: fld_set}]}, - "phone_number": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 2}]}, - "phost": {to:[{field: "rsa.network.phost", setter: fld_set}]}, - "pid": {to:[{field: "rsa.misc.pid", setter: fld_set}]}, - "policy": {to:[{field: "rsa.misc.policy", setter: fld_set}]}, - "policyUUID": {to:[{field: "rsa.misc.policyUUID", setter: fld_set}]}, - "policy_id": {to:[{field: "rsa.misc.policy_id", setter: fld_set}]}, - "policy_value": {to:[{field: "rsa.misc.policy_value", setter: fld_set}]}, - "policy_waiver": {to:[{field: "rsa.misc.policy_waiver", setter: fld_set}]}, - "policyname": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 0}]}, - "pool_id": {to:[{field: "rsa.misc.pool_id", setter: fld_set}]}, - "pool_name": {to:[{field: "rsa.misc.pool_name", setter: fld_set}]}, - "port": {convert: to_long, to:[{field: "rsa.network.port", setter: fld_set}]}, - "portname": {to:[{field: "rsa.misc.port_name", setter: fld_set}]}, - "pread": {convert: to_long, to:[{field: "rsa.db.pread", setter: fld_set}]}, - "priority": {to:[{field: "rsa.misc.priority", setter: fld_set}]}, - "privilege": {to:[{field: "rsa.file.privilege", setter: fld_set}]}, - "process.vid.dst": {to:[{field: "rsa.internal.process_vid_dst", setter: fld_set}]}, - "process.vid.src": {to:[{field: "rsa.internal.process_vid_src", setter: fld_set}]}, - "process_id_val": {to:[{field: "rsa.misc.process_id_val", setter: fld_set}]}, - "processing_time": 
{to:[{field: "rsa.time.process_time", setter: fld_set}]}, - "profile": {to:[{field: "rsa.identity.profile", setter: fld_set}]}, - "prog_asp_num": {to:[{field: "rsa.misc.prog_asp_num", setter: fld_set}]}, - "program": {to:[{field: "rsa.misc.program", setter: fld_set}]}, - "protocol_detail": {to:[{field: "rsa.network.protocol_detail", setter: fld_set}]}, - "pwwn": {to:[{field: "rsa.storage.pwwn", setter: fld_set}]}, - "r_hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "real_data": {to:[{field: "rsa.misc.real_data", setter: fld_set}]}, - "realm": {to:[{field: "rsa.identity.realm", setter: fld_set}]}, - "reason": {to:[{field: "rsa.misc.reason", setter: fld_set}]}, - "rec_asp_device": {to:[{field: "rsa.misc.rec_asp_device", setter: fld_set}]}, - "rec_asp_num": {to:[{field: "rsa.misc.rec_asp_num", setter: fld_set}]}, - "rec_library": {to:[{field: "rsa.misc.rec_library", setter: fld_set}]}, - "recorded_time": {convert: to_date, to:[{field: "rsa.time.recorded_time", setter: fld_set}]}, - "recordnum": {to:[{field: "rsa.misc.recordnum", setter: fld_set}]}, - "registry.key": {to:[{field: "rsa.endpoint.registry_key", setter: fld_set}]}, - "registry.value": {to:[{field: "rsa.endpoint.registry_value", setter: fld_set}]}, - "remote_domain": {to:[{field: "rsa.web.remote_domain", setter: fld_set}]}, - "remote_domain_id": {to:[{field: "rsa.network.remote_domain_id", setter: fld_set}]}, - "reputation_num": {convert: to_double, to:[{field: "rsa.web.reputation_num", setter: fld_set}]}, - "resource": {to:[{field: "rsa.internal.resource", setter: fld_set}]}, - "resource_class": {to:[{field: "rsa.internal.resource_class", setter: fld_set}]}, - "result": {to:[{field: "rsa.misc.result", setter: fld_set}]}, - "result_code": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 1}]}, - "resultcode": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 0}]}, - "rid": {convert: to_long, to:[{field: "rsa.internal.rid", setter: fld_set}]}, - "risk": 
{to:[{field: "rsa.misc.risk", setter: fld_set}]}, - "risk_info": {to:[{field: "rsa.misc.risk_info", setter: fld_set}]}, - "risk_num": {convert: to_double, to:[{field: "rsa.misc.risk_num", setter: fld_set}]}, - "risk_num_comm": {convert: to_double, to:[{field: "rsa.misc.risk_num_comm", setter: fld_set}]}, - "risk_num_next": {convert: to_double, to:[{field: "rsa.misc.risk_num_next", setter: fld_set}]}, - "risk_num_sand": {convert: to_double, to:[{field: "rsa.misc.risk_num_sand", setter: fld_set}]}, - "risk_num_static": {convert: to_double, to:[{field: "rsa.misc.risk_num_static", setter: fld_set}]}, - "risk_suspicious": {to:[{field: "rsa.misc.risk_suspicious", setter: fld_set}]}, - "risk_warning": {to:[{field: "rsa.misc.risk_warning", setter: fld_set}]}, - "rpayload": {to:[{field: "rsa.network.rpayload", setter: fld_set}]}, - "ruid": {to:[{field: "rsa.misc.ruid", setter: fld_set}]}, - "rule": {to:[{field: "rsa.misc.rule", setter: fld_set}]}, - "rule_group": {to:[{field: "rsa.misc.rule_group", setter: fld_set}]}, - "rule_template": {to:[{field: "rsa.misc.rule_template", setter: fld_set}]}, - "rule_uid": {to:[{field: "rsa.misc.rule_uid", setter: fld_set}]}, - "rulename": {to:[{field: "rsa.misc.rule_name", setter: fld_set}]}, - "s_certauth": {to:[{field: "rsa.crypto.s_certauth", setter: fld_set}]}, - "s_cipher": {to:[{field: "rsa.crypto.cipher_src", setter: fld_set}]}, - "s_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_src", setter: fld_set}]}, - "s_context": {to:[{field: "rsa.misc.context_subject", setter: fld_set}]}, - "s_sslver": {to:[{field: "rsa.crypto.ssl_ver_src", setter: fld_set}]}, - "sburb": {to:[{field: "rsa.misc.sburb", setter: fld_set}]}, - "scheme": {to:[{field: "rsa.crypto.scheme", setter: fld_set}]}, - "sdomain_fld": {to:[{field: "rsa.misc.sdomain_fld", setter: fld_set}]}, - "search.text": {to:[{field: "rsa.misc.search_text", setter: fld_set}]}, - "sec": {to:[{field: "rsa.misc.sec", setter: fld_set}]}, - "second": {to:[{field: 
"rsa.misc.second", setter: fld_set}]}, - "sensor": {to:[{field: "rsa.misc.sensor", setter: fld_set}]}, - "sensorname": {to:[{field: "rsa.misc.sensorname", setter: fld_set}]}, - "seqnum": {to:[{field: "rsa.misc.seqnum", setter: fld_set}]}, - "serial_number": {to:[{field: "rsa.misc.serial_number", setter: fld_set}]}, - "service.account": {to:[{field: "rsa.identity.service_account", setter: fld_set}]}, - "session": {to:[{field: "rsa.misc.session", setter: fld_set}]}, - "session.split": {to:[{field: "rsa.internal.session_split", setter: fld_set}]}, - "sessionid": {to:[{field: "rsa.misc.log_session_id", setter: fld_set}]}, - "sessionid1": {to:[{field: "rsa.misc.log_session_id1", setter: fld_set}]}, - "sessiontype": {to:[{field: "rsa.misc.sessiontype", setter: fld_set}]}, - "severity": {to:[{field: "rsa.misc.severity", setter: fld_set}]}, - "sid": {to:[{field: "rsa.identity.user_sid_dst", setter: fld_set}]}, - "sig.name": {to:[{field: "rsa.misc.sig_name", setter: fld_set}]}, - "sigUUID": {to:[{field: "rsa.misc.sigUUID", setter: fld_set}]}, - "sigcat": {to:[{field: "rsa.misc.sigcat", setter: fld_set}]}, - "sigid": {convert: to_long, to:[{field: "rsa.misc.sig_id", setter: fld_set}]}, - "sigid1": {convert: to_long, to:[{field: "rsa.misc.sig_id1", setter: fld_set}]}, - "sigid_string": {to:[{field: "rsa.misc.sig_id_str", setter: fld_set}]}, - "signame": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 1}]}, - "sigtype": {to:[{field: "rsa.crypto.sig_type", setter: fld_set}]}, - "sinterface": {to:[{field: "rsa.network.sinterface", setter: fld_set}]}, - "site": {to:[{field: "rsa.internal.site", setter: fld_set}]}, - "size": {convert: to_long, to:[{field: "rsa.internal.size", setter: fld_set}]}, - "smask": {to:[{field: "rsa.network.smask", setter: fld_set}]}, - "snmp.oid": {to:[{field: "rsa.misc.snmp_oid", setter: fld_set}]}, - "snmp.value": {to:[{field: "rsa.misc.snmp_value", setter: fld_set}]}, - "sourcefile": {to:[{field: "rsa.internal.sourcefile", setter: 
fld_set}]}, - "space": {to:[{field: "rsa.misc.space", setter: fld_set}]}, - "space1": {to:[{field: "rsa.misc.space1", setter: fld_set}]}, - "spi": {to:[{field: "rsa.misc.spi", setter: fld_set}]}, - "sql": {to:[{field: "rsa.misc.sql", setter: fld_set}]}, - "src_dn": {to:[{field: "rsa.identity.dn_src", setter: fld_set}]}, - "src_payload": {to:[{field: "rsa.misc.payload_src", setter: fld_set}]}, - "src_spi": {to:[{field: "rsa.misc.spi_src", setter: fld_set}]}, - "src_zone": {to:[{field: "rsa.network.zone_src", setter: fld_set}]}, - "srcburb": {to:[{field: "rsa.misc.srcburb", setter: fld_set}]}, - "srcdom": {to:[{field: "rsa.misc.srcdom", setter: fld_set}]}, - "srcservice": {to:[{field: "rsa.misc.srcservice", setter: fld_set}]}, - "ssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 0}]}, - "stamp": {convert: to_date, to:[{field: "rsa.time.stamp", setter: fld_set}]}, - "starttime": {convert: to_date, to:[{field: "rsa.time.starttime", setter: fld_set}]}, - "state": {to:[{field: "rsa.misc.state", setter: fld_set}]}, - "statement": {to:[{field: "rsa.internal.statement", setter: fld_set}]}, - "status": {to:[{field: "rsa.misc.status", setter: fld_set}]}, - "status1": {to:[{field: "rsa.misc.status1", setter: fld_set}]}, - "streams": {convert: to_long, to:[{field: "rsa.misc.streams", setter: fld_set}]}, - "subcategory": {to:[{field: "rsa.misc.subcategory", setter: fld_set}]}, - "subject": {to:[{field: "rsa.email.subject", setter: fld_set}]}, - "svcno": {to:[{field: "rsa.misc.svcno", setter: fld_set}]}, - "system": {to:[{field: "rsa.misc.system", setter: fld_set}]}, - "t_context": {to:[{field: "rsa.misc.context_target", setter: fld_set}]}, - "task_name": {to:[{field: "rsa.file.task_name", setter: fld_set}]}, - "tbdstr1": {to:[{field: "rsa.misc.tbdstr1", setter: fld_set}]}, - "tbdstr2": {to:[{field: "rsa.misc.tbdstr2", setter: fld_set}]}, - "tbl_name": {to:[{field: "rsa.db.table_name", setter: fld_set}]}, - "tcp_flags": {convert: to_long, to:[{field: 
"rsa.misc.tcp_flags", setter: fld_set}]}, - "terminal": {to:[{field: "rsa.misc.terminal", setter: fld_set}]}, - "tgtdom": {to:[{field: "rsa.misc.tgtdom", setter: fld_set}]}, - "tgtdomain": {to:[{field: "rsa.misc.tgtdomain", setter: fld_set}]}, - "threat_name": {to:[{field: "rsa.threat.threat_category", setter: fld_set}]}, - "threat_source": {to:[{field: "rsa.threat.threat_source", setter: fld_set}]}, - "threat_val": {to:[{field: "rsa.threat.threat_desc", setter: fld_set}]}, - "threshold": {to:[{field: "rsa.misc.threshold", setter: fld_set}]}, - "time": {convert: to_date, to:[{field: "rsa.internal.time", setter: fld_set}]}, - "timestamp": {to:[{field: "rsa.time.timestamp", setter: fld_set}]}, - "timezone": {to:[{field: "rsa.time.timezone", setter: fld_set}]}, - "to": {to:[{field: "rsa.email.email_dst", setter: fld_set}]}, - "tos": {convert: to_long, to:[{field: "rsa.misc.tos", setter: fld_set}]}, - "trans_from": {to:[{field: "rsa.email.trans_from", setter: fld_set}]}, - "trans_id": {to:[{field: "rsa.db.transact_id", setter: fld_set}]}, - "trans_to": {to:[{field: "rsa.email.trans_to", setter: fld_set}]}, - "trigger_desc": {to:[{field: "rsa.misc.trigger_desc", setter: fld_set}]}, - "trigger_val": {to:[{field: "rsa.misc.trigger_val", setter: fld_set}]}, - "type": {to:[{field: "rsa.misc.type", setter: fld_set}]}, - "type1": {to:[{field: "rsa.misc.type1", setter: fld_set}]}, - "tzone": {to:[{field: "rsa.time.tzone", setter: fld_set}]}, - "ubc.req": {convert: to_long, to:[{field: "rsa.internal.ubc_req", setter: fld_set}]}, - "ubc.res": {convert: to_long, to:[{field: "rsa.internal.ubc_res", setter: fld_set}]}, - "udb_class": {to:[{field: "rsa.misc.udb_class", setter: fld_set}]}, - "url_fld": {to:[{field: "rsa.misc.url_fld", setter: fld_set}]}, - "urlpage": {to:[{field: "rsa.web.urlpage", setter: fld_set}]}, - "urlroot": {to:[{field: "rsa.web.urlroot", setter: fld_set}]}, - "user_address": {to:[{field: "rsa.email.email", setter: fld_append}]}, - "user_dept": {to:[{field: 
"rsa.identity.user_dept", setter: fld_set}]}, - "user_div": {to:[{field: "rsa.misc.user_div", setter: fld_set}]}, - "user_fname": {to:[{field: "rsa.identity.firstname", setter: fld_set}]}, - "user_lname": {to:[{field: "rsa.identity.lastname", setter: fld_set}]}, - "user_mname": {to:[{field: "rsa.identity.middlename", setter: fld_set}]}, - "user_org": {to:[{field: "rsa.identity.org", setter: fld_set}]}, - "user_role": {to:[{field: "rsa.identity.user_role", setter: fld_set}]}, - "userid": {to:[{field: "rsa.misc.userid", setter: fld_set}]}, - "username_fld": {to:[{field: "rsa.misc.username_fld", setter: fld_set}]}, - "utcstamp": {to:[{field: "rsa.misc.utcstamp", setter: fld_set}]}, - "v_instafname": {to:[{field: "rsa.misc.v_instafname", setter: fld_set}]}, - "vendor_event_cat": {to:[{field: "rsa.investigations.event_vcat", setter: fld_set}]}, - "version": {to:[{field: "rsa.misc.version", setter: fld_set}]}, - "vid": {to:[{field: "rsa.internal.msg_vid", setter: fld_set}]}, - "virt_data": {to:[{field: "rsa.misc.virt_data", setter: fld_set}]}, - "virusname": {to:[{field: "rsa.misc.virusname", setter: fld_set}]}, - "vlan": {convert: to_long, to:[{field: "rsa.network.vlan", setter: fld_set}]}, - "vlan.name": {to:[{field: "rsa.network.vlan_name", setter: fld_set}]}, - "vm_target": {to:[{field: "rsa.misc.vm_target", setter: fld_set}]}, - "vpnid": {to:[{field: "rsa.misc.vpnid", setter: fld_set}]}, - "vsys": {to:[{field: "rsa.misc.vsys", setter: fld_set}]}, - "vuln_ref": {to:[{field: "rsa.misc.vuln_ref", setter: fld_set}]}, - "web_cookie": {to:[{field: "rsa.web.web_cookie", setter: fld_set}]}, - "web_extension_tmp": {to:[{field: "rsa.web.web_extension_tmp", setter: fld_set}]}, - "web_host": {to:[{field: "rsa.web.alias_host", setter: fld_set}]}, - "web_method": {to:[{field: "rsa.misc.action", setter: fld_append}]}, - "web_page": {to:[{field: "rsa.web.web_page", setter: fld_set}]}, - "web_ref_domain": {to:[{field: "rsa.web.web_ref_domain", setter: fld_set}]}, - "web_ref_host": 
{to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "web_ref_page": {to:[{field: "rsa.web.web_ref_page", setter: fld_set}]}, - "web_ref_query": {to:[{field: "rsa.web.web_ref_query", setter: fld_set}]}, - "web_ref_root": {to:[{field: "rsa.web.web_ref_root", setter: fld_set}]}, - "wifi_channel": {convert: to_long, to:[{field: "rsa.wireless.wlan_channel", setter: fld_set}]}, - "wlan": {to:[{field: "rsa.wireless.wlan_name", setter: fld_set}]}, - "word": {to:[{field: "rsa.internal.word", setter: fld_set}]}, - "workspace_desc": {to:[{field: "rsa.misc.workspace", setter: fld_set}]}, - "workstation": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "year": {to:[{field: "rsa.time.year", setter: fld_set}]}, - "zone": {to:[{field: "rsa.network.zone", setter: fld_set}]}, - }; - - function to_date(value) { - switch (typeof (value)) { - case "object": - // This is a Date. But as it was obtained from evt.Get(), the VM - // doesn't see it as a JS Date anymore, thus value instanceof Date === false. - // Have to trust that any object here is a valid Date for Go. - return value; - case "string": - var asDate = new Date(value); - if (!isNaN(asDate)) return asDate; - } - } - - // ECMAScript 5.1 doesn't have Object.MAX_SAFE_INTEGER / Object.MIN_SAFE_INTEGER. - var maxSafeInt = Math.pow(2, 53) - 1; - var minSafeInt = -maxSafeInt; - - function to_long(value) { - var num = parseInt(value); - // Better not to index a number if it's not safe (above 53 bits). - return !isNaN(num) && minSafeInt <= num && num <= maxSafeInt ? 
num : undefined; - } - - function to_ip(value) { - if (value.indexOf(":") === -1) - return to_ipv4(value); - return to_ipv6(value); - } - - var ipv4_regex = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/; - var ipv6_hex_regex = /^[0-9A-Fa-f]{1,4}$/; - - function to_ipv4(value) { - var result = ipv4_regex.exec(value); - if (result == null || result.length !== 5) return; - for (var i = 1; i < 5; i++) { - var num = strictToInt(result[i]); - if (isNaN(num) || num < 0 || num > 255) return; - } - return value; - } - - function to_ipv6(value) { - var sqEnd = value.indexOf("]"); - if (sqEnd > -1) { - if (value.charAt(0) !== "[") return; - value = value.substr(1, sqEnd - 1); - } - var zoneOffset = value.indexOf("%"); - if (zoneOffset > -1) { - value = value.substr(0, zoneOffset); - } - var parts = value.split(":"); - if (parts == null || parts.length < 3 || parts.length > 8) return; - var numEmpty = 0; - var innerEmpty = 0; - for (var i = 0; i < parts.length; i++) { - if (parts[i].length === 0) { - numEmpty++; - if (i > 0 && i + 1 < parts.length) innerEmpty++; - } else if (!parts[i].match(ipv6_hex_regex) && - // Accept an IPv6 with a valid IPv4 at the end. - ((i + 1 < parts.length) || !to_ipv4(parts[i]))) { - return; - } - } - return innerEmpty === 0 && parts.length === 8 || innerEmpty === 1 ? value : undefined; - } - - function to_double(value) { - return parseFloat(value); - } - - function to_mac(value) { - // ES doesn't have a mac datatype so it's safe to ingest whatever was captured. - return value; - } - - function to_lowercase(value) { - // to_lowercase is used against keyword fields, which can accept - // any other type (numbers, dates). - return typeof(value) === "string"? 
value.toLowerCase() : value; - } - - function fld_set(dst, value) { - dst[this.field] = { v: value }; - } - - function fld_append(dst, value) { - if (dst[this.field] === undefined) { - dst[this.field] = { v: [value] }; - } else { - var base = dst[this.field]; - if (base.v.indexOf(value)===-1) base.v.push(value); - } - } - - function fld_prio(dst, value) { - if (dst[this.field] === undefined) { - dst[this.field] = { v: value, prio: this.prio}; - } else if(this.prio < dst[this.field].prio) { - dst[this.field].v = value; - dst[this.field].prio = this.prio; - } - } - - var valid_ecs_outcome = { - 'failure': true, - 'success': true, - 'unknown': true - }; - - function fld_ecs_outcome(dst, value) { - value = value.toLowerCase(); - if (valid_ecs_outcome[value] === undefined) { - value = 'unknown'; - } - if (dst[this.field] === undefined) { - dst[this.field] = { v: value }; - } else if (dst[this.field].v === 'unknown') { - dst[this.field] = { v: value }; - } - } - - function map_all(evt, targets, value) { - for (var i = 0; i < targets.length; i++) { - evt.Put(targets[i], value); - } - } - - function populate_fields(evt) { - var base = evt.Get(FIELDS_OBJECT); - if (base === null) return; - alternate_datetime(evt); - if (map_ecs) { - do_populate(evt, base, ecs_mappings); - } - if (map_rsa) { - do_populate(evt, base, rsa_mappings); - } - if (keep_raw) { - evt.Put("rsa.raw", base); - } - evt.Delete(FIELDS_OBJECT); - } - - var datetime_alt_components = [ - {field: "day", fmts: [[dF]]}, - {field: "year", fmts: [[dW]]}, - {field: "month", fmts: [[dB],[dG]]}, - {field: "date", fmts: [[dW,dSkip,dG,dSkip,dF],[dW,dSkip,dB,dSkip,dF],[dW,dSkip,dR,dSkip,dF]]}, - {field: "hour", fmts: [[dN]]}, - {field: "min", fmts: [[dU]]}, - {field: "secs", fmts: [[dO]]}, - {field: "time", fmts: [[dN, dSkip, dU, dSkip, dO]]}, - ]; - - function alternate_datetime(evt) { - if (evt.Get(FIELDS_PREFIX + "event_time") != null) { - return; - } - var tzOffset = tz_offset; - if (tzOffset === "event") { - 
tzOffset = evt.Get("event.timezone"); - } - var container = new DateContainer(tzOffset); - for (var i=0; i} for %{p0}"); - - var dup7 = match("MESSAGE#2:00001:02/1_1", "nwparser.p0", "domain address %{domain->} in zone %{p0}"); - - var dup8 = match("MESSAGE#4:00001:04/3_0", "nwparser.p0", " (%{fld1})"); - - var dup9 = date_time({ - dest: "event_time", - args: ["fld1"], - fmts: [ - [dW,dc("-"),dG,dc("-"),dF,dH,dc(":"),dU,dc(":"),dO], - ], - }); - - var dup10 = match("MESSAGE#5:00001:05/1_0", "nwparser.p0", "(%{fld1})"); - - var dup11 = match_copy("MESSAGE#5:00001:05/1_1", "nwparser.p0", "fld1"); - - var dup12 = match("MESSAGE#8:00001:08/0", "nwparser.payload", "Address %{p0}"); - - var dup13 = match("MESSAGE#8:00001:08/1_0", "nwparser.p0", "MIP(%{interface}) %{p0}"); - - var dup14 = match("MESSAGE#8:00001:08/1_1", "nwparser.p0", "%{group_object->} %{p0}"); - - var dup15 = match("MESSAGE#8:00001:08/3_0", "nwparser.p0", "admin %{p0}"); - - var dup16 = match_copy("MESSAGE#8:00001:08/3_1", "nwparser.p0", "p0"); - - var dup17 = setc("eventcategory","1502000000"); - - var dup18 = setc("eventcategory","1703000000"); - - var dup19 = setc("eventcategory","1603000000"); - - var dup20 = match("MESSAGE#25:00002:20/1_1", "nwparser.p0", "from host %{saddr->} "); - - var dup21 = match_copy("MESSAGE#25:00002:20/1_2", "nwparser.p0", ""); - - var dup22 = setc("eventcategory","1502050000"); - - var dup23 = match("MESSAGE#26:00002:21/1", "nwparser.p0", "%{p0}"); - - var dup24 = match("MESSAGE#26:00002:21/2_0", "nwparser.p0", "password %{p0}"); - - var dup25 = match("MESSAGE#26:00002:21/2_1", "nwparser.p0", "name %{p0}"); - - var dup26 = match_copy("MESSAGE#27:00002:22/1_2", "nwparser.p0", "administrator"); - - var dup27 = setc("eventcategory","1801010000"); - - var dup28 = setc("eventcategory","1401060000"); - - var dup29 = setc("ec_subject","User"); - - var dup30 = setc("ec_activity","Logon"); - - var dup31 = setc("ec_theme","Authentication"); - - var dup32 = 
setc("ec_outcome","Success"); - - var dup33 = setc("eventcategory","1401070000"); - - var dup34 = setc("ec_activity","Logoff"); - - var dup35 = setc("eventcategory","1303000000"); - - var dup36 = match_copy("MESSAGE#42:00002:38/1_1", "nwparser.p0", "disposition"); - - var dup37 = setc("eventcategory","1402020200"); - - var dup38 = setc("ec_theme","UserGroup"); - - var dup39 = setc("ec_outcome","Error"); - - var dup40 = match("MESSAGE#46:00002:42/1_1", "nwparser.p0", "via %{p0}"); - - var dup41 = match("MESSAGE#46:00002:42/4", "nwparser.p0", "%{fld1})"); - - var dup42 = setc("eventcategory","1402020300"); - - var dup43 = setc("ec_activity","Modify"); - - var dup44 = setc("eventcategory","1605000000"); - - var dup45 = match("MESSAGE#52:00002:48/3_1", "nwparser.p0", "%{logon_type->} from host %{saddr->} to %{daddr}:%{dport}. (%{p0}"); - - var dup46 = match("MESSAGE#53:00002:52/3_0", "nwparser.p0", "admin %{administrator->} via %{p0}"); - - var dup47 = match("MESSAGE#53:00002:52/3_2", "nwparser.p0", "%{username->} via %{p0}"); - - var dup48 = match("MESSAGE#53:00002:52/4_0", "nwparser.p0", "NSRP Peer . (%{p0}"); - - var dup49 = match("MESSAGE#55:00002:54/2", "nwparser.p0", ". 
(%{fld1})"); - - var dup50 = setc("eventcategory","1701020000"); - - var dup51 = setc("ec_theme","Configuration"); - - var dup52 = match("MESSAGE#56:00002/1_1", "nwparser.p0", "changed%{p0}"); - - var dup53 = setc("eventcategory","1301000000"); - - var dup54 = setc("ec_outcome","Failure"); - - var dup55 = match("MESSAGE#61:00003:05/0", "nwparser.payload", "The %{p0}"); - - var dup56 = match("MESSAGE#66:00004:04/1_0", "nwparser.p0", "interface%{p0}"); - - var dup57 = match("MESSAGE#66:00004:04/1_1", "nwparser.p0", "Interface%{p0}"); - - var dup58 = setc("eventcategory","1001000000"); - - var dup59 = setc("dclass_counter1_string","Number of times the attack occurred"); - - var dup60 = call({ - dest: "nwparser.inout", - fn: DIRCHK, - args: [ - field("$OUT"), - field("saddr"), - field("daddr"), - ], - }); - - var dup61 = call({ - dest: "nwparser.inout", - fn: DIRCHK, - args: [ - field("$OUT"), - field("saddr"), - field("daddr"), - field("sport"), - field("dport"), - ], - }); - - var dup62 = setc("eventcategory","1608010000"); - - var dup63 = match("MESSAGE#76:00004:14/0", "nwparser.payload", "DNS entries have been %{p0}"); - - var dup64 = match("MESSAGE#79:00004:17/0", "nwparser.payload", "%{signame->} From %{saddr->} to %{daddr}, proto %{protocol->} (zone %{p0}"); - - var dup65 = match("MESSAGE#79:00004:17/1_0", "nwparser.p0", "%{zone}, %{p0}"); - - var dup66 = match("MESSAGE#79:00004:17/1_1", "nwparser.p0", "%{zone->} %{p0}"); - - var dup67 = match("MESSAGE#79:00004:17/2", "nwparser.p0", "int %{interface}).%{space}Occurred %{dclass_counter1->} times. 
(%{fld1})"); - - var dup68 = match("MESSAGE#83:00005:03/1_0", "nwparser.p0", "%{dport},%{p0}"); - - var dup69 = match("MESSAGE#83:00005:03/1_1", "nwparser.p0", "%{dport->} %{p0}"); - - var dup70 = match("MESSAGE#83:00005:03/2", "nwparser.p0", "%{space}using protocol %{p0}"); - - var dup71 = match("MESSAGE#83:00005:03/3_0", "nwparser.p0", "%{protocol},%{p0}"); - - var dup72 = match("MESSAGE#83:00005:03/3_1", "nwparser.p0", "%{protocol->} %{p0}"); - - var dup73 = match("MESSAGE#83:00005:03/5_1", "nwparser.p0", ". %{p0}"); - - var dup74 = match("MESSAGE#86:00005:06/0_0", "nwparser.payload", "%{fld2}: SYN %{p0}"); - - var dup75 = match("MESSAGE#86:00005:06/0_1", "nwparser.payload", "SYN %{p0}"); - - var dup76 = match("MESSAGE#87:00005:07/1_2", "nwparser.p0", "timeout value %{p0}"); - - var dup77 = match("MESSAGE#88:00005:08/2_0", "nwparser.p0", "destination %{p0}"); - - var dup78 = match("MESSAGE#88:00005:08/2_1", "nwparser.p0", "source %{p0}"); - - var dup79 = match("MESSAGE#97:00005:17/0", "nwparser.payload", "A %{p0}"); - - var dup80 = match("MESSAGE#98:00005:18/0", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to %{daddr}:%{dport}, proto %{protocol->} (zone %{zone->} %{p0}"); - - var dup81 = match("MESSAGE#98:00005:18/1_0", "nwparser.p0", ", int %{p0}"); - - var dup82 = match("MESSAGE#98:00005:18/1_1", "nwparser.p0", "int %{p0}"); - - var dup83 = match("MESSAGE#98:00005:18/2", "nwparser.p0", "%{interface}).%{space}Occurred %{dclass_counter1->} times. 
(%{fld1})"); - - var dup84 = setc("eventcategory","1002020000"); - - var dup85 = setc("eventcategory","1002000000"); - - var dup86 = setc("eventcategory","1603110000"); - - var dup87 = match("MESSAGE#111:00007:04/0", "nwparser.payload", "HA %{p0}"); - - var dup88 = match("MESSAGE#111:00007:04/1_0", "nwparser.p0", "encryption %{p0}"); - - var dup89 = match("MESSAGE#111:00007:04/1_1", "nwparser.p0", "authentication %{p0}"); - - var dup90 = match("MESSAGE#111:00007:04/3_1", "nwparser.p0", "key %{p0}"); - - var dup91 = setc("eventcategory","1613040200"); - - var dup92 = match("MESSAGE#118:00007:11/1_0", "nwparser.p0", "disabled%{}"); - - var dup93 = match("MESSAGE#118:00007:11/1_1", "nwparser.p0", "set to %{trigger_val}"); - - var dup94 = match("MESSAGE#127:00007:21/1_0", "nwparser.p0", "up%{}"); - - var dup95 = match("MESSAGE#127:00007:21/1_1", "nwparser.p0", "down%{}"); - - var dup96 = match("MESSAGE#139:00007:33/2_1", "nwparser.p0", " %{p0}"); - - var dup97 = setc("eventcategory","1613050200"); - - var dup98 = match("MESSAGE#143:00007:37/1_0", "nwparser.p0", "set%{}"); - - var dup99 = match("MESSAGE#143:00007:37/1_1", "nwparser.p0", "unset%{}"); - - var dup100 = match("MESSAGE#144:00007:38/1_0", "nwparser.p0", "undefined %{p0}"); - - var dup101 = match("MESSAGE#144:00007:38/1_1", "nwparser.p0", "set %{p0}"); - - var dup102 = match("MESSAGE#144:00007:38/1_2", "nwparser.p0", "active %{p0}"); - - var dup103 = match("MESSAGE#144:00007:38/2", "nwparser.p0", "to %{p0}"); - - var dup104 = match("MESSAGE#157:00007:51/1_0", "nwparser.p0", "created %{p0}"); - - var dup105 = match("MESSAGE#157:00007:51/3_0", "nwparser.p0", ", %{p0}"); - - var dup106 = match("MESSAGE#157:00007:51/5_0", "nwparser.p0", "is %{p0}"); - - var dup107 = match("MESSAGE#157:00007:51/5_1", "nwparser.p0", "was %{p0}"); - - var dup108 = match("MESSAGE#157:00007:51/6", "nwparser.p0", "%{fld2}"); - - var dup109 = match("MESSAGE#163:00007:57/1_0", "nwparser.p0", "threshold %{p0}"); - - var dup110 = 
match("MESSAGE#163:00007:57/1_1", "nwparser.p0", "interval %{p0}"); - - var dup111 = match("MESSAGE#163:00007:57/3_0", "nwparser.p0", "of %{p0}"); - - var dup112 = match("MESSAGE#163:00007:57/3_1", "nwparser.p0", "that %{p0}"); - - var dup113 = match("MESSAGE#170:00007:64/0_0", "nwparser.payload", "Zone %{p0}"); - - var dup114 = match("MESSAGE#170:00007:64/0_1", "nwparser.payload", "Interface %{p0}"); - - var dup115 = match("MESSAGE#172:00007:66/2_1", "nwparser.p0", "n %{p0}"); - - var dup116 = match("MESSAGE#174:00007:68/4", "nwparser.p0", ".%{}"); - - var dup117 = setc("eventcategory","1603090000"); - - var dup118 = match("MESSAGE#195:00009:06/1", "nwparser.p0", "for %{p0}"); - - var dup119 = match("MESSAGE#195:00009:06/2_0", "nwparser.p0", "the %{p0}"); - - var dup120 = match("MESSAGE#195:00009:06/4_0", "nwparser.p0", "removed %{p0}"); - - var dup121 = setc("eventcategory","1603030000"); - - var dup122 = match("MESSAGE#202:00009:14/2_0", "nwparser.p0", "interface %{p0}"); - - var dup123 = match("MESSAGE#202:00009:14/2_1", "nwparser.p0", "the interface %{p0}"); - - var dup124 = match_copy("MESSAGE#202:00009:14/4_1", "nwparser.p0", "interface"); - - var dup125 = match("MESSAGE#203:00009:15/1_1", "nwparser.p0", "s %{p0}"); - - var dup126 = match("MESSAGE#203:00009:15/2", "nwparser.p0", "on interface %{interface->} %{p0}"); - - var dup127 = match("MESSAGE#203:00009:15/3_0", "nwparser.p0", "has been %{p0}"); - - var dup128 = match("MESSAGE#203:00009:15/4", "nwparser.p0", "%{disposition}."); - - var dup129 = match("MESSAGE#204:00009:16/3_0", "nwparser.p0", "removed from %{p0}"); - - var dup130 = match("MESSAGE#204:00009:16/3_1", "nwparser.p0", "added to %{p0}"); - - var dup131 = match("MESSAGE#210:00009:21/2", "nwparser.p0", "%{interface}). Occurred %{dclass_counter1->} times. 
(%{fld1})"); - - var dup132 = match("MESSAGE#219:00010:03/0", "nwparser.payload", "%{signame->} From %{saddr->} to %{daddr}, proto %{protocol->} (zone %{zone->} %{p0}"); - - var dup133 = match("MESSAGE#224:00011:04/1_1", "nwparser.p0", "Interface %{p0}"); - - var dup134 = match("MESSAGE#233:00011:14/1_0", "nwparser.p0", "set to %{fld2}"); - - var dup135 = match("MESSAGE#237:00011:18/4_1", "nwparser.p0", "gateway %{p0}"); - - var dup136 = match("MESSAGE#238:00011:19/6", "nwparser.p0", "%{} %{disposition}"); - - var dup137 = match("MESSAGE#274:00015:02/1_1", "nwparser.p0", "port number %{p0}"); - - var dup138 = match("MESSAGE#274:00015:02/2", "nwparser.p0", "has been %{disposition}"); - - var dup139 = match("MESSAGE#276:00015:04/1_0", "nwparser.p0", "IP %{p0}"); - - var dup140 = match("MESSAGE#276:00015:04/1_1", "nwparser.p0", "port %{p0}"); - - var dup141 = setc("eventcategory","1702030000"); - - var dup142 = match("MESSAGE#284:00015:12/3_0", "nwparser.p0", "up %{p0}"); - - var dup143 = match("MESSAGE#284:00015:12/3_1", "nwparser.p0", "down %{p0}"); - - var dup144 = setc("eventcategory","1601000000"); - - var dup145 = match("MESSAGE#294:00015:22/2_0", "nwparser.p0", "(%{fld1}) "); - - var dup146 = date_time({ - dest: "event_time", - args: ["fld2"], - fmts: [ - [dW,dc("-"),dG,dc("-"),dF,dH,dc(":"),dU,dc(":"),dO], - ], - }); - - var dup147 = setc("eventcategory","1103000000"); - - var dup148 = setc("ec_subject","NetworkComm"); - - var dup149 = setc("ec_activity","Scan"); - - var dup150 = setc("ec_theme","TEV"); - - var dup151 = setc("eventcategory","1103010000"); - - var dup152 = match("MESSAGE#317:00017:01/2_0", "nwparser.p0", ": %{p0}"); - - var dup153 = match("MESSAGE#320:00017:04/0", "nwparser.payload", "IP %{p0}"); - - var dup154 = match("MESSAGE#320:00017:04/1_0", "nwparser.p0", "address pool %{p0}"); - - var dup155 = match("MESSAGE#320:00017:04/1_1", "nwparser.p0", "pool %{p0}"); - - var dup156 = match("MESSAGE#326:00017:10/1_0", "nwparser.p0", "enabled 
%{p0}"); - - var dup157 = match("MESSAGE#326:00017:10/1_1", "nwparser.p0", "disabled %{p0}"); - - var dup158 = match("MESSAGE#332:00017:15/1_0", "nwparser.p0", "AH %{p0}"); - - var dup159 = match("MESSAGE#332:00017:15/1_1", "nwparser.p0", "ESP %{p0}"); - - var dup160 = match("MESSAGE#354:00018:11/0", "nwparser.payload", "%{} %{p0}"); - - var dup161 = match("MESSAGE#356:00018:32/0_0", "nwparser.payload", "Source%{p0}"); - - var dup162 = match("MESSAGE#356:00018:32/0_1", "nwparser.payload", "Destination%{p0}"); - - var dup163 = match("MESSAGE#356:00018:32/2_0", "nwparser.p0", "from %{p0}"); - - var dup164 = match("MESSAGE#356:00018:32/3", "nwparser.p0", "policy ID %{policy_id->} by admin %{administrator->} via NSRP Peer . (%{fld1})"); - - var dup165 = match("MESSAGE#375:00019:01/0", "nwparser.payload", "Attempt to enable %{p0}"); - - var dup166 = match("MESSAGE#375:00019:01/1_0", "nwparser.p0", "traffic logging via syslog %{p0}"); - - var dup167 = match("MESSAGE#375:00019:01/1_1", "nwparser.p0", "syslog %{p0}"); - - var dup168 = match("MESSAGE#378:00019:04/0", "nwparser.payload", "Syslog %{p0}"); - - var dup169 = match("MESSAGE#378:00019:04/1_0", "nwparser.p0", "host %{p0}"); - - var dup170 = match("MESSAGE#378:00019:04/3_1", "nwparser.p0", "domain name %{p0}"); - - var dup171 = match("MESSAGE#378:00019:04/4", "nwparser.p0", "has been changed to %{fld2}"); - - var dup172 = match("MESSAGE#380:00019:06/1_0", "nwparser.p0", "security facility %{p0}"); - - var dup173 = match("MESSAGE#380:00019:06/1_1", "nwparser.p0", "facility %{p0}"); - - var dup174 = match("MESSAGE#380:00019:06/3_0", "nwparser.p0", "local0%{}"); - - var dup175 = match("MESSAGE#380:00019:06/3_1", "nwparser.p0", "local1%{}"); - - var dup176 = match("MESSAGE#380:00019:06/3_2", "nwparser.p0", "local2%{}"); - - var dup177 = match("MESSAGE#380:00019:06/3_3", "nwparser.p0", "local3%{}"); - - var dup178 = match("MESSAGE#380:00019:06/3_4", "nwparser.p0", "local4%{}"); - - var dup179 = 
match("MESSAGE#380:00019:06/3_5", "nwparser.p0", "local5%{}"); - - var dup180 = match("MESSAGE#380:00019:06/3_6", "nwparser.p0", "local6%{}"); - - var dup181 = match("MESSAGE#380:00019:06/3_7", "nwparser.p0", "local7%{}"); - - var dup182 = match("MESSAGE#380:00019:06/3_8", "nwparser.p0", "auth/sec%{}"); - - var dup183 = match("MESSAGE#384:00019:10/0", "nwparser.payload", "%{fld2->} %{p0}"); - - var dup184 = setc("eventcategory","1603020000"); - - var dup185 = setc("eventcategory","1803000000"); - - var dup186 = match("MESSAGE#405:00022/0", "nwparser.payload", "All %{p0}"); - - var dup187 = setc("eventcategory","1603010000"); - - var dup188 = setc("eventcategory","1603100000"); - - var dup189 = match("MESSAGE#414:00022:09/1_0", "nwparser.p0", "primary %{p0}"); - - var dup190 = match("MESSAGE#414:00022:09/1_1", "nwparser.p0", "secondary %{p0}"); - - var dup191 = match("MESSAGE#414:00022:09/3_0", "nwparser.p0", "t %{p0}"); - - var dup192 = match("MESSAGE#414:00022:09/3_1", "nwparser.p0", "w %{p0}"); - - var dup193 = match("MESSAGE#423:00024/1", "nwparser.p0", "server %{p0}"); - - var dup194 = match("MESSAGE#426:00024:03/1_0", "nwparser.p0", "has %{p0}"); - - var dup195 = match("MESSAGE#434:00026:01/0", "nwparser.payload", "SCS%{p0}"); - - var dup196 = match("MESSAGE#434:00026:01/3_0", "nwparser.p0", "bound to %{p0}"); - - var dup197 = match("MESSAGE#434:00026:01/3_1", "nwparser.p0", "unbound from %{p0}"); - - var dup198 = setc("eventcategory","1801030000"); - - var dup199 = setc("eventcategory","1302010200"); - - var dup200 = match("MESSAGE#441:00026:08/1_1", "nwparser.p0", "PKA RSA %{p0}"); - - var dup201 = match("MESSAGE#443:00026:10/3_1", "nwparser.p0", "unbind %{p0}"); - - var dup202 = match("MESSAGE#443:00026:10/4", "nwparser.p0", "PKA key %{p0}"); - - var dup203 = setc("eventcategory","1304000000"); - - var dup204 = match("MESSAGE#446:00027/0", "nwparser.payload", "Multiple login failures %{p0}"); - - var dup205 = match("MESSAGE#446:00027/1_0", "nwparser.p0", 
"occurred for %{p0}"); - - var dup206 = setc("eventcategory","1401030000"); - - var dup207 = match("MESSAGE#451:00027:05/5_0", "nwparser.p0", "aborted%{}"); - - var dup208 = match("MESSAGE#451:00027:05/5_1", "nwparser.p0", "performed%{}"); - - var dup209 = setc("eventcategory","1605020000"); - - var dup210 = match("MESSAGE#466:00029:03/0", "nwparser.payload", "IP pool of DHCP server on %{p0}"); - - var dup211 = setc("ec_subject","Certificate"); - - var dup212 = match("MESSAGE#492:00030:17/1_0", "nwparser.p0", "certificate %{p0}"); - - var dup213 = match("MESSAGE#492:00030:17/1_1", "nwparser.p0", "CRL %{p0}"); - - var dup214 = match("MESSAGE#493:00030:40/1_0", "nwparser.p0", "auto %{p0}"); - - var dup215 = match("MESSAGE#508:00030:55/1_0", "nwparser.p0", "RSA %{p0}"); - - var dup216 = match("MESSAGE#508:00030:55/1_1", "nwparser.p0", "DSA %{p0}"); - - var dup217 = match("MESSAGE#508:00030:55/2", "nwparser.p0", "key pair.%{}"); - - var dup218 = setc("ec_subject","CryptoKey"); - - var dup219 = setc("ec_subject","Configuration"); - - var dup220 = setc("ec_activity","Request"); - - var dup221 = match("MESSAGE#539:00030:86/0", "nwparser.payload", "FIPS test for %{p0}"); - - var dup222 = match("MESSAGE#539:00030:86/1_0", "nwparser.p0", "ECDSA %{p0}"); - - var dup223 = setc("eventcategory","1612000000"); - - var dup224 = match("MESSAGE#543:00031:02/1_0", "nwparser.p0", "yes %{p0}"); - - var dup225 = match("MESSAGE#543:00031:02/1_1", "nwparser.p0", "no %{p0}"); - - var dup226 = match("MESSAGE#545:00031:04/1_1", "nwparser.p0", "location %{p0}"); - - var dup227 = match("MESSAGE#548:00031:05/2", "nwparser.p0", "%{} %{interface}"); - - var dup228 = match("MESSAGE#549:00031:06/0", "nwparser.payload", "arp re%{p0}"); - - var dup229 = match("MESSAGE#549:00031:06/1_1", "nwparser.p0", "q %{p0}"); - - var dup230 = match("MESSAGE#549:00031:06/1_2", "nwparser.p0", "ply %{p0}"); - - var dup231 = match("MESSAGE#549:00031:06/9_0", "nwparser.p0", "%{interface->} (%{fld1})"); - - var dup232 
= setc("eventcategory","1201000000"); - - var dup233 = match("MESSAGE#561:00033/0_0", "nwparser.payload", "Global PRO %{p0}"); - - var dup234 = match("MESSAGE#561:00033/0_1", "nwparser.payload", "%{fld3->} %{p0}"); - - var dup235 = match("MESSAGE#569:00033:08/0", "nwparser.payload", "NACN Policy Manager %{p0}"); - - var dup236 = match("MESSAGE#569:00033:08/1_0", "nwparser.p0", "1 %{p0}"); - - var dup237 = match("MESSAGE#569:00033:08/1_1", "nwparser.p0", "2 %{p0}"); - - var dup238 = match("MESSAGE#571:00033:10/3_1", "nwparser.p0", "unset %{p0}"); - - var dup239 = match("MESSAGE#581:00033:21/0", "nwparser.payload", "%{signame}! From %{saddr}:%{sport->} to %{daddr}:%{dport}, proto %{protocol->} (zone %{zone->} %{p0}"); - - var dup240 = setc("eventcategory","1401000000"); - - var dup241 = match("MESSAGE#586:00034:01/2_1", "nwparser.p0", "SSH %{p0}"); - - var dup242 = match("MESSAGE#588:00034:03/0_0", "nwparser.payload", "SCS: NetScreen %{p0}"); - - var dup243 = match("MESSAGE#588:00034:03/0_1", "nwparser.payload", "NetScreen %{p0}"); - - var dup244 = match("MESSAGE#595:00034:10/0", "nwparser.payload", "S%{p0}"); - - var dup245 = match("MESSAGE#595:00034:10/1_0", "nwparser.p0", "CS: SSH%{p0}"); - - var dup246 = match("MESSAGE#595:00034:10/1_1", "nwparser.p0", "SH%{p0}"); - - var dup247 = match("MESSAGE#596:00034:12/3_0", "nwparser.p0", "the root system %{p0}"); - - var dup248 = match("MESSAGE#596:00034:12/3_1", "nwparser.p0", "vsys %{fld2->} %{p0}"); - - var dup249 = match("MESSAGE#599:00034:18/1_0", "nwparser.p0", "CS: SSH %{p0}"); - - var dup250 = match("MESSAGE#599:00034:18/1_1", "nwparser.p0", "SH %{p0}"); - - var dup251 = match("MESSAGE#630:00035:06/1_0", "nwparser.p0", "a %{p0}"); - - var dup252 = match("MESSAGE#630:00035:06/1_1", "nwparser.p0", "ert %{p0}"); - - var dup253 = match("MESSAGE#633:00035:09/0", "nwparser.payload", "SSL %{p0}"); - - var dup254 = setc("eventcategory","1608000000"); - - var dup255 = match("MESSAGE#644:00037:01/1_0", "nwparser.p0", "id: 
%{p0}"); - - var dup256 = match("MESSAGE#644:00037:01/1_1", "nwparser.p0", "ID %{p0}"); - - var dup257 = match("MESSAGE#659:00044/1_0", "nwparser.p0", "permit %{p0}"); - - var dup258 = match("MESSAGE#675:00055/0", "nwparser.payload", "IGMP %{p0}"); - - var dup259 = match("MESSAGE#677:00055:02/0", "nwparser.payload", "IGMP will %{p0}"); - - var dup260 = match("MESSAGE#677:00055:02/1_0", "nwparser.p0", "not do %{p0}"); - - var dup261 = match("MESSAGE#677:00055:02/1_1", "nwparser.p0", "do %{p0}"); - - var dup262 = match("MESSAGE#689:00059/1_1", "nwparser.p0", "shut down %{p0}"); - - var dup263 = match("MESSAGE#707:00070/0", "nwparser.payload", "NSRP: %{p0}"); - - var dup264 = match("MESSAGE#707:00070/1_0", "nwparser.p0", "Unit %{p0}"); - - var dup265 = match("MESSAGE#707:00070/1_1", "nwparser.p0", "local unit= %{p0}"); - - var dup266 = match("MESSAGE#707:00070/2", "nwparser.p0", "%{fld2->} of VSD group %{group->} %{info}"); - - var dup267 = match("MESSAGE#708:00070:01/0", "nwparser.payload", "The local device %{fld2->} in the Virtual Sec%{p0}"); - - var dup268 = match("MESSAGE#708:00070:01/1_0", "nwparser.p0", "ruity%{p0}"); - - var dup269 = match("MESSAGE#708:00070:01/1_1", "nwparser.p0", "urity%{p0}"); - - var dup270 = match("MESSAGE#713:00072:01/2", "nwparser.p0", "%{}Device group %{group->} changed state"); - - var dup271 = match("MESSAGE#717:00075/2", "nwparser.p0", "%{fld2->} of VSD group %{group->} %{info}"); - - var dup272 = setc("eventcategory","1805010000"); - - var dup273 = setc("eventcategory","1805000000"); - - var dup274 = date_time({ - dest: "starttime", - args: ["fld2"], - fmts: [ - [dW,dc("-"),dG,dc("-"),dF,dH,dc(":"),dU,dc(":"),dO], - ], - }); - - var dup275 = call({ - dest: "nwparser.bytes", - fn: CALC, - args: [ - field("sbytes"), - constant("+"), - field("rbytes"), - ], - }); - - var dup276 = setc("action","Deny"); - - var dup277 = setc("disposition","Deny"); - - var dup278 = setc("direction","outgoing"); - - var dup279 = call({ - dest: 
"nwparser.inout", - fn: DIRCHK, - args: [ - field("$IN"), - field("saddr"), - field("daddr"), - field("sport"), - field("dport"), - ], - }); - - var dup280 = setc("direction","incoming"); - - var dup281 = setc("eventcategory","1801000000"); - - var dup282 = setf("action","disposition"); - - var dup283 = match("MESSAGE#748:00257:19/0", "nwparser.payload", "start_time=%{p0}"); - - var dup284 = match("MESSAGE#748:00257:19/1_0", "nwparser.p0", "\\\"%{fld2}\\\"%{p0}"); - - var dup285 = match("MESSAGE#748:00257:19/1_1", "nwparser.p0", " \"%{fld2}\" %{p0}"); - - var dup286 = match_copy("MESSAGE#756:00257:10/1_1", "nwparser.p0", "daddr"); - - var dup287 = match("MESSAGE#760:00259/0_0", "nwparser.payload", "Admin %{p0}"); - - var dup288 = match("MESSAGE#760:00259/0_1", "nwparser.payload", "Vsys admin %{p0}"); - - var dup289 = match("MESSAGE#760:00259/2_1", "nwparser.p0", "Telnet %{p0}"); - - var dup290 = setc("eventcategory","1401050200"); - - var dup291 = call({ - dest: "nwparser.inout", - fn: DIRCHK, - args: [ - field("$IN"), - field("daddr"), - field("saddr"), - ], - }); - - var dup292 = call({ - dest: "nwparser.inout", - fn: DIRCHK, - args: [ - field("$IN"), - field("daddr"), - field("saddr"), - field("dport"), - field("sport"), - ], - }); - - var dup293 = match("MESSAGE#777:00406/2", "nwparser.p0", "%{interface}). Occurred %{dclass_counter1->} times."); - - var dup294 = match("MESSAGE#790:00423/2", "nwparser.p0", "%{interface}).%{space}Occurred %{dclass_counter1->} times."); - - var dup295 = match("MESSAGE#793:00430/2", "nwparser.p0", "%{interface}).%{space}Occurred %{dclass_counter1->} times.%{p0}"); - - var dup296 = match("MESSAGE#795:00431/0", "nwparser.payload", "%{obj_type->} %{disposition}! From %{saddr}:%{sport->} to %{daddr}:%{dport}, proto %{protocol->} (zone %{zone->} %{p0}"); - - var dup297 = setc("eventcategory","1204000000"); - - var dup298 = match("MESSAGE#797:00433/0", "nwparser.payload", "%{signame->} %{disposition}! 
From %{saddr}:%{sport->} to %{daddr}:%{dport}, proto %{protocol->} (zone %{zone->} %{p0}"); - - var dup299 = match("MESSAGE#804:00437:01/0", "nwparser.payload", "%{signame}! From %{saddr}:%{sport->} to %{daddr}:%{dport}, proto %{protocol->} (zone %{p0}"); - - var dup300 = match("MESSAGE#817:00511:01/1_0", "nwparser.p0", "%{administrator->} (%{fld1})"); - - var dup301 = setc("eventcategory","1801020000"); - - var dup302 = setc("disposition","failed"); - - var dup303 = match("MESSAGE#835:00515:04/2_1", "nwparser.p0", "ut %{p0}"); - - var dup304 = match("MESSAGE#835:00515:04/4_0", "nwparser.p0", "%{logon_type->} from %{saddr}:%{sport}"); - - var dup305 = match("MESSAGE#837:00515:05/1_0", "nwparser.p0", "user %{p0}"); - - var dup306 = match("MESSAGE#837:00515:05/5_0", "nwparser.p0", "the %{logon_type}"); - - var dup307 = match("MESSAGE#869:00519:01/1_0", "nwparser.p0", "WebAuth user %{p0}"); - - var dup308 = match("MESSAGE#876:00520:02/1_1", "nwparser.p0", "backup1 %{p0}"); - - var dup309 = match("MESSAGE#876:00520:02/1_2", "nwparser.p0", "backup2 %{p0}"); - - var dup310 = match("MESSAGE#890:00524:13/1_0", "nwparser.p0", ",%{p0}"); - - var dup311 = match("MESSAGE#901:00527/1_0", "nwparser.p0", "assigned %{p0}"); - - var dup312 = match("MESSAGE#901:00527/3_0", "nwparser.p0", "assigned to %{p0}"); - - var dup313 = setc("eventcategory","1803020000"); - - var dup314 = setc("eventcategory","1613030000"); - - var dup315 = match("MESSAGE#927:00528:15/1_0", "nwparser.p0", "'%{administrator}' %{p0}"); - - var dup316 = match("MESSAGE#930:00528:18/0", "nwparser.payload", "SSH: P%{p0}"); - - var dup317 = match("MESSAGE#930:00528:18/1_0", "nwparser.p0", "KA %{p0}"); - - var dup318 = match("MESSAGE#930:00528:18/1_1", "nwparser.p0", "assword %{p0}"); - - var dup319 = match("MESSAGE#930:00528:18/3_0", "nwparser.p0", "\\'%{administrator}\\' %{p0}"); - - var dup320 = match("MESSAGE#930:00528:18/4", "nwparser.p0", "at host %{saddr}"); - - var dup321 = match("MESSAGE#932:00528:19/0", 
"nwparser.payload", "%{}S%{p0}"); - - var dup322 = match("MESSAGE#932:00528:19/1_0", "nwparser.p0", "CS %{p0}"); - - var dup323 = setc("event_description","Cannot connect to NSM server"); - - var dup324 = setc("eventcategory","1603040000"); - - var dup325 = match("MESSAGE#1060:00553/2", "nwparser.p0", "from server.ini file.%{}"); - - var dup326 = match("MESSAGE#1064:00553:04/1_0", "nwparser.p0", "pattern %{p0}"); - - var dup327 = match("MESSAGE#1064:00553:04/1_1", "nwparser.p0", "server.ini %{p0}"); - - var dup328 = match("MESSAGE#1068:00553:08/2", "nwparser.p0", "file.%{}"); - - var dup329 = match("MESSAGE#1087:00554:04/1_1", "nwparser.p0", "AV pattern %{p0}"); - - var dup330 = match("MESSAGE#1116:00556:14/1_0", "nwparser.p0", "added into %{p0}"); - - var dup331 = match("MESSAGE#1157:00767:11/1_0", "nwparser.p0", "loader %{p0}"); - - var dup332 = call({ - dest: "nwparser.inout", - fn: DIRCHK, - args: [ - field("$OUT"), - field("daddr"), - field("saddr"), - field("dport"), - field("sport"), - ], - }); - - var dup333 = linear_select([ - dup10, - dup11, - ]); - - var dup334 = match("MESSAGE#7:00001:07", "nwparser.payload", "Policy ID=%{policy_id->} Rate=%{fld2->} exceeds threshold", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var dup335 = linear_select([ - dup13, - dup14, - ]); - - var dup336 = linear_select([ - dup15, - dup16, - ]); - - var dup337 = linear_select([ - dup56, - dup57, - ]); - - var dup338 = linear_select([ - dup65, - dup66, - ]); - - var dup339 = linear_select([ - dup68, - dup69, - ]); - - var dup340 = linear_select([ - dup71, - dup72, - ]); - - var dup341 = match("MESSAGE#84:00005:04", "nwparser.payload", "%{signame->} from %{saddr}/%{sport->} to %{daddr}/%{dport->} protocol %{protocol->} (%{interface})", processor_chain([ - dup58, - dup2, - dup3, - dup4, - dup5, - dup61, - ])); - - var dup342 = linear_select([ - dup74, - dup75, - ]); - - var dup343 = linear_select([ - dup81, - dup82, - ]); - - var dup344 = linear_select([ - 
dup24, - dup90, - ]); - - var dup345 = linear_select([ - dup94, - dup95, - ]); - - var dup346 = linear_select([ - dup98, - dup99, - ]); - - var dup347 = linear_select([ - dup100, - dup101, - dup102, - ]); - - var dup348 = linear_select([ - dup113, - dup114, - ]); - - var dup349 = linear_select([ - dup111, - dup16, - ]); - - var dup350 = linear_select([ - dup127, - dup107, - ]); - - var dup351 = linear_select([ - dup8, - dup21, - ]); - - var dup352 = linear_select([ - dup122, - dup133, - ]); - - var dup353 = linear_select([ - dup142, - dup143, - ]); - - var dup354 = linear_select([ - dup145, - dup21, - ]); - - var dup355 = linear_select([ - dup127, - dup106, - ]); - - var dup356 = linear_select([ - dup152, - dup96, - ]); - - var dup357 = linear_select([ - dup154, - dup155, - ]); - - var dup358 = linear_select([ - dup156, - dup157, - ]); - - var dup359 = linear_select([ - dup99, - dup134, - ]); - - var dup360 = linear_select([ - dup158, - dup159, - ]); - - var dup361 = linear_select([ - dup161, - dup162, - ]); - - var dup362 = linear_select([ - dup163, - dup103, - ]); - - var dup363 = linear_select([ - dup162, - dup161, - ]); - - var dup364 = linear_select([ - dup46, - dup47, - ]); - - var dup365 = linear_select([ - dup166, - dup167, - ]); - - var dup366 = linear_select([ - dup172, - dup173, - ]); - - var dup367 = linear_select([ - dup174, - dup175, - dup176, - dup177, - dup178, - dup179, - dup180, - dup181, - dup182, - ]); - - var dup368 = linear_select([ - dup49, - dup21, - ]); - - var dup369 = linear_select([ - dup189, - dup190, - ]); - - var dup370 = linear_select([ - dup96, - dup152, - ]); - - var dup371 = linear_select([ - dup196, - dup197, - ]); - - var dup372 = linear_select([ - dup24, - dup200, - ]); - - var dup373 = linear_select([ - dup103, - dup163, - ]); - - var dup374 = linear_select([ - dup205, - dup118, - ]); - - var dup375 = match("MESSAGE#477:00030:02", "nwparser.payload", "%{change_attribute->} has been changed from %{change_old->} to 
%{change_new}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var dup376 = linear_select([ - dup212, - dup213, - ]); - - var dup377 = linear_select([ - dup215, - dup216, - ]); - - var dup378 = linear_select([ - dup222, - dup215, - ]); - - var dup379 = linear_select([ - dup224, - dup225, - ]); - - var dup380 = linear_select([ - dup231, - dup124, - ]); - - var dup381 = linear_select([ - dup229, - dup230, - ]); - - var dup382 = linear_select([ - dup233, - dup234, - ]); - - var dup383 = linear_select([ - dup236, - dup237, - ]); - - var dup384 = linear_select([ - dup242, - dup243, - ]); - - var dup385 = linear_select([ - dup245, - dup246, - ]); - - var dup386 = linear_select([ - dup247, - dup248, - ]); - - var dup387 = linear_select([ - dup249, - dup250, - ]); - - var dup388 = linear_select([ - dup251, - dup252, - ]); - - var dup389 = linear_select([ - dup260, - dup261, - ]); - - var dup390 = linear_select([ - dup264, - dup265, - ]); - - var dup391 = linear_select([ - dup268, - dup269, - ]); - - var dup392 = match("MESSAGE#716:00074", "nwparser.payload", "The local device %{fld2->} in the Virtual Security Device group %{group->} %{info}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var dup393 = linear_select([ - dup284, - dup285, - ]); - - var dup394 = linear_select([ - dup287, - dup288, - ]); - - var dup395 = match("MESSAGE#799:00435", "nwparser.payload", "%{signame->} From %{saddr->} to %{daddr}, using protocol %{protocol}, and arriving at interface %{dinterface->} in zone %{dst_zone}.%{space}The attack occurred %{dclass_counter1->} times.", processor_chain([ - dup58, - dup2, - dup59, - dup4, - dup5, - dup3, - dup60, - ])); - - var dup396 = match("MESSAGE#814:00442", "nwparser.payload", "%{signame->} From %{saddr->} to zone %{zone}, proto %{protocol->} (int %{interface}). Occurred %{dclass_counter1->} times. 
(%{fld1})", processor_chain([ - dup58, - dup4, - dup59, - dup5, - dup9, - dup2, - dup3, - dup60, - ])); - - var dup397 = linear_select([ - dup300, - dup26, - ]); - - var dup398 = linear_select([ - dup115, - dup303, - ]); - - var dup399 = linear_select([ - dup125, - dup96, - ]); - - var dup400 = linear_select([ - dup189, - dup308, - dup309, - ]); - - var dup401 = linear_select([ - dup310, - dup16, - ]); - - var dup402 = linear_select([ - dup317, - dup318, - ]); - - var dup403 = linear_select([ - dup319, - dup315, - ]); - - var dup404 = linear_select([ - dup322, - dup250, - ]); - - var dup405 = linear_select([ - dup327, - dup329, - ]); - - var dup406 = linear_select([ - dup330, - dup129, - ]); - - var dup407 = match("MESSAGE#1196:01269:01", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} direction=%{direction->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} icmp type=%{icmptype}", processor_chain([ - dup281, - dup2, - dup4, - dup5, - dup274, - dup3, - dup275, - dup60, - dup282, - ])); - - var dup408 = match("MESSAGE#1197:01269:02", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=Deny sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} icmp type=%{icmptype}", processor_chain([ - dup185, - dup2, - dup4, - dup5, - dup274, - dup3, - dup275, - dup276, - dup277, - dup60, - ])); - - var dup409 = match("MESSAGE#1198:01269:03", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} icmp type=%{icmptype}", processor_chain([ - dup281, - dup2, - dup4, - dup5, - dup274, - dup3, - dup275, - dup60, - 
dup282, - ])); - - var dup410 = match("MESSAGE#1203:23184", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} (%{fld3}) proto=%{protocol->} direction=%{direction->} action=Deny sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport}", processor_chain([ - dup185, - dup2, - dup4, - dup5, - dup274, - dup3, - dup275, - dup276, - dup277, - dup61, - ])); - - var dup411 = all_match({ - processors: [ - dup263, - dup390, - dup266, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var dup412 = all_match({ - processors: [ - dup267, - dup391, - dup270, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var dup413 = all_match({ - processors: [ - dup80, - dup343, - dup293, - ], - on_success: processor_chain([ - dup58, - dup2, - dup59, - dup3, - dup4, - dup5, - dup61, - ]), - }); - - var dup414 = all_match({ - processors: [ - dup296, - dup343, - dup131, - ], - on_success: processor_chain([ - dup297, - dup2, - dup3, - dup9, - dup59, - dup4, - dup5, - dup61, - ]), - }); - - var dup415 = all_match({ - processors: [ - dup298, - dup343, - dup131, - ], - on_success: processor_chain([ - dup297, - dup2, - dup3, - dup9, - dup59, - dup4, - dup5, - dup61, - ]), - }); - - var hdr1 = match("HEADER#0:0001", "message", "%{hfld1}: NetScreen device_id=%{hfld2->} [No Name]system-%{hseverity}-%{messageid}(%{hfld3}): %{payload}", processor_chain([ - setc("header_id","0001"), - ])); - - var hdr2 = match("HEADER#1:0003", "message", "%{hfld1}: NetScreen device_id=%{hfld2->} [%{hvsys}]system-%{hseverity}-%{messageid}(%{hfld3}): %{payload}", processor_chain([ - setc("header_id","0003"), - ])); - - var hdr3 = match("HEADER#2:0004", "message", "%{hfld1}: NetScreen device_id=%{hfld2->} system-%{hseverity}-%{messageid}(%{hfld3}): %{payload}", processor_chain([ - setc("header_id","0004"), - ])); - - var hdr4 = 
match("HEADER#3:0002/0", "message", "%{hfld1}: NetScreen device_id=%{hfld2->} %{p0}"); - - var part1 = match("HEADER#3:0002/1_0", "nwparser.p0", "[No Name]system%{p0}"); - - var part2 = match("HEADER#3:0002/1_1", "nwparser.p0", "[%{hvsys}]system%{p0}"); - - var part3 = match("HEADER#3:0002/1_2", "nwparser.p0", "system%{p0}"); - - var select1 = linear_select([ - part1, - part2, - part3, - ]); - - var part4 = match("HEADER#3:0002/2", "nwparser.p0", "-%{hseverity}-%{messageid}: %{payload}"); - - var all1 = all_match({ - processors: [ - hdr4, - select1, - part4, - ], - on_success: processor_chain([ - setc("header_id","0002"), - ]), - }); - - var select2 = linear_select([ - hdr1, - hdr2, - hdr3, - all1, - ]); - - var part5 = match("MESSAGE#0:00001", "nwparser.payload", "%{zone->} address %{interface->} with ip address %{hostip->} has been %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1 = msg("00001", part5); - - var part6 = match("MESSAGE#1:00001:01", "nwparser.payload", "%{zone->} address %{interface->} with domain name %{domain->} has been %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg2 = msg("00001:01", part6); - - var part7 = match("MESSAGE#2:00001:02/1_0", "nwparser.p0", "ip address %{hostip->} in zone %{p0}"); - - var select3 = linear_select([ - part7, - dup7, - ]); - - var part8 = match("MESSAGE#2:00001:02/2", "nwparser.p0", "%{zone->} has been %{disposition}"); - - var all2 = all_match({ - processors: [ - dup6, - select3, - part8, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg3 = msg("00001:02", all2); - - var part9 = match("MESSAGE#3:00001:03", "nwparser.payload", "arp entry %{hostip->} interface changed!", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg4 = msg("00001:03", part9); - - var part10 = match("MESSAGE#4:00001:04/1_0", "nwparser.p0", "IP address %{hostip->} in zone %{p0}"); - - 
var select4 = linear_select([ - part10, - dup7, - ]); - - var part11 = match("MESSAGE#4:00001:04/2", "nwparser.p0", "%{zone->} has been %{disposition->} by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport->} session%{p0}"); - - var part12 = match("MESSAGE#4:00001:04/3_1", "nwparser.p0", ".%{fld1}"); - - var select5 = linear_select([ - dup8, - part12, - ]); - - var all3 = all_match({ - processors: [ - dup6, - select4, - part11, - select5, - ], - on_success: processor_chain([ - dup1, - dup9, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg5 = msg("00001:04", all3); - - var part13 = match("MESSAGE#5:00001:05/0", "nwparser.payload", "%{fld2}: Address %{group_object->} for ip address %{hostip->} in zone %{zone->} has been %{disposition->} from host %{saddr->} session %{p0}"); - - var all4 = all_match({ - processors: [ - part13, - dup333, - ], - on_success: processor_chain([ - dup1, - dup9, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg6 = msg("00001:05", all4); - - var part14 = match("MESSAGE#6:00001:06", "nwparser.payload", "Address group %{group_object->} %{info}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg7 = msg("00001:06", part14); - - var msg8 = msg("00001:07", dup334); - - var part15 = match("MESSAGE#8:00001:08/2", "nwparser.p0", "for IP address %{hostip}/%{mask->} in zone %{zone->} has been %{disposition->} by %{p0}"); - - var part16 = match("MESSAGE#8:00001:08/4", "nwparser.p0", "%{} %{username}via NSRP Peer session. (%{fld1})"); - - var all5 = all_match({ - processors: [ - dup12, - dup335, - part15, - dup336, - part16, - ], - on_success: processor_chain([ - dup1, - dup9, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg9 = msg("00001:08", all5); - - var part17 = match("MESSAGE#9:00001:09/2", "nwparser.p0", "for IP address %{hostip}/%{mask->} in zone %{zone->} has been %{disposition->} by %{username->} via %{logon_type->} from host %{saddr}:%{sport->} session. 
(%{fld1})"); - - var all6 = all_match({ - processors: [ - dup12, - dup335, - part17, - ], - on_success: processor_chain([ - dup1, - dup9, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg10 = msg("00001:09", all6); - - var select6 = linear_select([ - msg1, - msg2, - msg3, - msg4, - msg5, - msg6, - msg7, - msg8, - msg9, - msg10, - ]); - - var part18 = match("MESSAGE#10:00002:03", "nwparser.payload", "Admin user %{administrator->} has been %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg11 = msg("00002:03", part18); - - var part19 = match("MESSAGE#11:00002:04", "nwparser.payload", "E-mail address %{user_address->} has been %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg12 = msg("00002:04", part19); - - var part20 = match("MESSAGE#12:00002:05", "nwparser.payload", "E-mail notification has been %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg13 = msg("00002:05", part20); - - var part21 = match("MESSAGE#13:00002:06", "nwparser.payload", "Inclusion of traffic logs with e-mail notification of event alarms has been %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg14 = msg("00002:06", part21); - - var part22 = match("MESSAGE#14:00002:07", "nwparser.payload", "LCD display has been %{action->} and the LCD control keys have been %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg15 = msg("00002:07", part22); - - var part23 = match("MESSAGE#15:00002:55", "nwparser.payload", "HTTP component blocking for %{fld2->} is %{disposition->} on zone %{zone->} by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport}. 
(%{fld1})", processor_chain([ - dup1, - dup2, - dup4, - dup5, - dup9, - ])); - - var msg16 = msg("00002:55", part23); - - var part24 = match("MESSAGE#16:00002:08", "nwparser.payload", "LCD display has been %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg17 = msg("00002:08", part24); - - var part25 = match("MESSAGE#17:00002:09", "nwparser.payload", "LCD control keys have been %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg18 = msg("00002:09", part25); - - var part26 = match("MESSAGE#18:00002:10", "nwparser.payload", "Mail server %{hostip->} has been %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg19 = msg("00002:10", part26); - - var part27 = match("MESSAGE#19:00002:11", "nwparser.payload", "Management restriction for %{hostip->} %{fld2->} has been %{disposition}", processor_chain([ - dup17, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg20 = msg("00002:11", part27); - - var part28 = match("MESSAGE#20:00002:12", "nwparser.payload", "%{change_attribute->} has been restored from %{change_old->} to default port %{change_new}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg21 = msg("00002:12", part28); - - var part29 = match("MESSAGE#21:00002:15", "nwparser.payload", "System configuration has been %{disposition}", processor_chain([ - dup18, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg22 = msg("00002:15", part29); - - var msg23 = msg("00002:17", dup334); - - var part30 = match("MESSAGE#23:00002:18/0", "nwparser.payload", "Unexpected error from e%{p0}"); - - var part31 = match("MESSAGE#23:00002:18/1_0", "nwparser.p0", "-mail %{p0}"); - - var part32 = match("MESSAGE#23:00002:18/1_1", "nwparser.p0", "mail %{p0}"); - - var select7 = linear_select([ - part31, - part32, - ]); - - var part33 = match("MESSAGE#23:00002:18/2", "nwparser.p0", "server(%{fld2}):"); - - var all7 = all_match({ - processors: [ - 
part30, - select7, - part33, - ], - on_success: processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg24 = msg("00002:18", all7); - - var part34 = match("MESSAGE#24:00002:19", "nwparser.payload", "Web Admin %{change_attribute->} value has been changed from %{change_old->} to %{change_new}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg25 = msg("00002:19", part34); - - var part35 = match("MESSAGE#25:00002:20/0", "nwparser.payload", "Root admin password restriction of minimum %{fld2->} characters has been %{disposition->} by admin %{administrator->} %{p0}"); - - var part36 = match("MESSAGE#25:00002:20/1_0", "nwparser.p0", "from Console %{}"); - - var select8 = linear_select([ - part36, - dup20, - dup21, - ]); - - var all8 = all_match({ - processors: [ - part35, - select8, - ], - on_success: processor_chain([ - dup22, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg26 = msg("00002:20", all8); - - var part37 = match("MESSAGE#26:00002:21/0_0", "nwparser.payload", "Root admin %{p0}"); - - var part38 = match("MESSAGE#26:00002:21/0_1", "nwparser.payload", "%{fld2->} admin %{p0}"); - - var select9 = linear_select([ - part37, - part38, - ]); - - var select10 = linear_select([ - dup24, - dup25, - ]); - - var part39 = match("MESSAGE#26:00002:21/3", "nwparser.p0", "has been changed by admin %{administrator}"); - - var all9 = all_match({ - processors: [ - select9, - dup23, - select10, - part39, - ], - on_success: processor_chain([ - dup22, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg27 = msg("00002:21", all9); - - var part40 = match("MESSAGE#27:00002:22/0", "nwparser.payload", "%{change_attribute->} from %{protocol->} before administrative session disconnects has been changed from %{change_old->} to %{change_new->} by admin %{p0}"); - - var part41 = match("MESSAGE#27:00002:22/1_0", "nwparser.p0", "%{administrator->} from Console"); - - var part42 = match("MESSAGE#27:00002:22/1_1", "nwparser.p0", 
"%{administrator->} from host %{saddr}"); - - var select11 = linear_select([ - part41, - part42, - dup26, - ]); - - var all10 = all_match({ - processors: [ - part40, - select11, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg28 = msg("00002:22", all10); - - var part43 = match("MESSAGE#28:00002:23/0", "nwparser.payload", "Root admin access restriction through console only has been %{disposition->} by admin %{administrator->} %{p0}"); - - var part44 = match("MESSAGE#28:00002:23/1_1", "nwparser.p0", "from Console%{}"); - - var select12 = linear_select([ - dup20, - part44, - dup21, - ]); - - var all11 = all_match({ - processors: [ - part43, - select12, - ], - on_success: processor_chain([ - dup22, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg29 = msg("00002:23", all11); - - var part45 = match("MESSAGE#29:00002:24/0", "nwparser.payload", "Admin access restriction of %{protocol->} administration through tunnel only has been %{disposition->} by admin %{administrator->} from %{p0}"); - - var part46 = match("MESSAGE#29:00002:24/1_0", "nwparser.p0", "host %{saddr}"); - - var part47 = match("MESSAGE#29:00002:24/1_1", "nwparser.p0", "Console%{}"); - - var select13 = linear_select([ - part46, - part47, - ]); - - var all12 = all_match({ - processors: [ - part45, - select13, - ], - on_success: processor_chain([ - dup22, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg30 = msg("00002:24", all12); - - var part48 = match("MESSAGE#30:00002:25", "nwparser.payload", "Admin AUTH: Local instance of an %{change_attribute->} has been changed from %{change_old->} to %{change_new}", processor_chain([ - setc("eventcategory","1402000000"), - dup2, - dup3, - dup4, - dup5, - ])); - - var msg31 = msg("00002:25", part48); - - var part49 = match("MESSAGE#31:00002:26", "nwparser.payload", "Cannot connect to e-mail server %{hostip}.", processor_chain([ - dup27, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg32 = msg("00002:26", 
part49); - - var part50 = match("MESSAGE#32:00002:27", "nwparser.payload", "Mail server is not configured.%{}", processor_chain([ - dup18, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg33 = msg("00002:27", part50); - - var part51 = match("MESSAGE#33:00002:28", "nwparser.payload", "Mail recipients were not configured.%{}", processor_chain([ - dup18, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg34 = msg("00002:28", part51); - - var part52 = match("MESSAGE#34:00002:29", "nwparser.payload", "Single use password restriction for read-write administrators has been %{disposition->} by admin %{administrator}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg35 = msg("00002:29", part52); - - var part53 = match("MESSAGE#35:00002:30", "nwparser.payload", "Admin user \"%{administrator}\" logged in for %{logon_type}(%{network_service}) management (port %{network_port}) from %{saddr}:%{sport}", processor_chain([ - dup28, - dup29, - dup30, - dup31, - dup32, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg36 = msg("00002:30", part53); - - var part54 = match("MESSAGE#36:00002:41", "nwparser.payload", "Admin user \"%{administrator}\" logged out for %{logon_type}(%{network_service}) management (port %{network_port}) from %{saddr}:%{sport}", processor_chain([ - dup33, - dup29, - dup34, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg37 = msg("00002:41", part54); - - var part55 = match("MESSAGE#37:00002:31", "nwparser.payload", "Admin user \"%{administrator}\" login attempt for %{logon_type->} %{space->} (%{network_service}) management (port %{network_port}) from %{saddr}:%{sport->} %{disposition}", processor_chain([ - dup35, - dup29, - dup30, - dup31, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg38 = msg("00002:31", part55); - - var part56 = match("MESSAGE#38:00002:32/0_0", "nwparser.payload", "E-mail notification %{p0}"); - - var part57 = match("MESSAGE#38:00002:32/0_1", "nwparser.payload", "Transparent virutal %{p0}"); - - var select14 = 
linear_select([ - part56, - part57, - ]); - - var part58 = match("MESSAGE#38:00002:32/1", "nwparser.p0", "wire mode has been %{disposition}"); - - var all13 = all_match({ - processors: [ - select14, - part58, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg39 = msg("00002:32", all13); - - var part59 = match("MESSAGE#39:00002:35", "nwparser.payload", "Malicious URL %{url->} has been %{disposition->} for zone %{zone}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg40 = msg("00002:35", part59); - - var part60 = match("MESSAGE#40:00002:36/0", "nwparser.payload", "Bypass%{p0}"); - - var part61 = match("MESSAGE#40:00002:36/1_0", "nwparser.p0", "-others-IPSec %{p0}"); - - var part62 = match("MESSAGE#40:00002:36/1_1", "nwparser.p0", " non-IP traffic %{p0}"); - - var select15 = linear_select([ - part61, - part62, - ]); - - var part63 = match("MESSAGE#40:00002:36/2", "nwparser.p0", "option has been %{disposition}"); - - var all14 = all_match({ - processors: [ - part60, - select15, - part63, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg41 = msg("00002:36", all14); - - var part64 = match("MESSAGE#41:00002:37/0", "nwparser.payload", "Logging of %{p0}"); - - var part65 = match("MESSAGE#41:00002:37/1_0", "nwparser.p0", "dropped %{p0}"); - - var part66 = match("MESSAGE#41:00002:37/1_1", "nwparser.p0", "IKE %{p0}"); - - var part67 = match("MESSAGE#41:00002:37/1_2", "nwparser.p0", "SNMP %{p0}"); - - var part68 = match("MESSAGE#41:00002:37/1_3", "nwparser.p0", "ICMP %{p0}"); - - var select16 = linear_select([ - part65, - part66, - part67, - part68, - ]); - - var part69 = match("MESSAGE#41:00002:37/2", "nwparser.p0", "traffic to self has been %{disposition}"); - - var all15 = all_match({ - processors: [ - part64, - select16, - part69, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg42 = 
msg("00002:37", all15); - - var part70 = match("MESSAGE#42:00002:38/0", "nwparser.payload", "Logging of dropped traffic to self (excluding multicast) has been %{p0}"); - - var part71 = match("MESSAGE#42:00002:38/1_0", "nwparser.p0", "%{disposition->} on %{zone}"); - - var select17 = linear_select([ - part71, - dup36, - ]); - - var all16 = all_match({ - processors: [ - part70, - select17, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg43 = msg("00002:38", all16); - - var part72 = match("MESSAGE#43:00002:39", "nwparser.payload", "Traffic shaping is %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg44 = msg("00002:39", part72); - - var part73 = match("MESSAGE#44:00002:40", "nwparser.payload", "Admin account created for '%{username}' by %{administrator->} via %{logon_type->} from host %{saddr->} (%{fld1})", processor_chain([ - dup37, - dup29, - setc("ec_activity","Create"), - dup38, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg45 = msg("00002:40", part73); - - var part74 = match("MESSAGE#45:00002:44", "nwparser.payload", "ADMIN AUTH: Privilege requested for unknown user %{username}. 
Possible HA syncronization problem.", processor_chain([ - dup35, - dup31, - dup39, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg46 = msg("00002:44", part74); - - var part75 = match("MESSAGE#46:00002:42/0", "nwparser.payload", "%{change_attribute->} for account '%{change_old}' has been %{disposition->} to '%{change_new}' %{p0}"); - - var part76 = match("MESSAGE#46:00002:42/1_0", "nwparser.p0", "by %{administrator->} via %{p0}"); - - var select18 = linear_select([ - part76, - dup40, - ]); - - var part77 = match("MESSAGE#46:00002:42/2", "nwparser.p0", "%{logon_type->} from host %{p0}"); - - var part78 = match("MESSAGE#46:00002:42/3_0", "nwparser.p0", "%{saddr->} to %{daddr}:%{dport->} (%{p0}"); - - var part79 = match("MESSAGE#46:00002:42/3_1", "nwparser.p0", "%{saddr}:%{sport->} (%{p0}"); - - var select19 = linear_select([ - part78, - part79, - ]); - - var all17 = all_match({ - processors: [ - part75, - select18, - part77, - select19, - dup41, - ], - on_success: processor_chain([ - dup42, - dup43, - dup38, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg47 = msg("00002:42", all17); - - var part80 = match("MESSAGE#47:00002:43/0", "nwparser.payload", "Admin account %{disposition->} for %{p0}"); - - var part81 = match("MESSAGE#47:00002:43/1_0", "nwparser.p0", "'%{username}'%{p0}"); - - var part82 = match("MESSAGE#47:00002:43/1_1", "nwparser.p0", "\"%{username}\"%{p0}"); - - var select20 = linear_select([ - part81, - part82, - ]); - - var part83 = match("MESSAGE#47:00002:43/2", "nwparser.p0", "%{}by %{administrator->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport->} (%{fld1})"); - - var all18 = all_match({ - processors: [ - part80, - select20, - part83, - ], - on_success: processor_chain([ - dup42, - dup29, - dup43, - dup38, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg48 = msg("00002:43", all18); - - var part84 = match("MESSAGE#48:00002:50", "nwparser.payload", "Admin account %{disposition->} for \"%{username}\" by 
%{administrator->} via %{logon_type->} from host %{saddr}:%{sport->} (%{fld1})", processor_chain([ - dup42, - dup29, - dup43, - dup38, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg49 = msg("00002:50", part84); - - var part85 = match("MESSAGE#49:00002:51", "nwparser.payload", "Admin account %{disposition->} for \"%{username}\" by %{administrator->} %{fld2->} via %{logon_type->} (%{fld1})", processor_chain([ - dup42, - dup29, - dup43, - dup38, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg50 = msg("00002:51", part85); - - var part86 = match("MESSAGE#50:00002:45", "nwparser.payload", "Extraneous exit is issued by %{username->} via %{logon_type->} from host %{saddr}:%{sport->} (%{fld1})", processor_chain([ - dup44, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg51 = msg("00002:45", part86); - - var part87 = match("MESSAGE#51:00002:47/0_0", "nwparser.payload", "Ping of Death attack protection %{p0}"); - - var part88 = match("MESSAGE#51:00002:47/0_1", "nwparser.payload", "Src Route IP option filtering %{p0}"); - - var part89 = match("MESSAGE#51:00002:47/0_2", "nwparser.payload", "Teardrop attack protection %{p0}"); - - var part90 = match("MESSAGE#51:00002:47/0_3", "nwparser.payload", "Land attack protection %{p0}"); - - var part91 = match("MESSAGE#51:00002:47/0_4", "nwparser.payload", "SYN flood protection %{p0}"); - - var select21 = linear_select([ - part87, - part88, - part89, - part90, - part91, - ]); - - var part92 = match("MESSAGE#51:00002:47/1", "nwparser.p0", "is %{disposition->} on zone %{zone->} by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport}. 
(%{fld1})"); - - var all19 = all_match({ - processors: [ - select21, - part92, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg52 = msg("00002:47", all19); - - var part93 = match("MESSAGE#52:00002:48/0", "nwparser.payload", "Dropping pkts if not %{p0}"); - - var part94 = match("MESSAGE#52:00002:48/1_0", "nwparser.p0", "exactly same with incoming if %{p0}"); - - var part95 = match("MESSAGE#52:00002:48/1_1", "nwparser.p0", "in route table %{p0}"); - - var select22 = linear_select([ - part94, - part95, - ]); - - var part96 = match("MESSAGE#52:00002:48/2", "nwparser.p0", "(IP spoof protection) is %{disposition->} on zone %{zone->} by %{username->} via %{p0}"); - - var part97 = match("MESSAGE#52:00002:48/3_0", "nwparser.p0", "NSRP Peer. (%{p0}"); - - var select23 = linear_select([ - part97, - dup45, - ]); - - var all20 = all_match({ - processors: [ - part93, - select22, - part96, - select23, - dup41, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg53 = msg("00002:48", all20); - - var part98 = match("MESSAGE#53:00002:52/0", "nwparser.payload", "%{signame->} %{p0}"); - - var part99 = match("MESSAGE#53:00002:52/1_0", "nwparser.p0", "protection%{p0}"); - - var part100 = match("MESSAGE#53:00002:52/1_1", "nwparser.p0", "limiting%{p0}"); - - var part101 = match("MESSAGE#53:00002:52/1_2", "nwparser.p0", "detection%{p0}"); - - var part102 = match("MESSAGE#53:00002:52/1_3", "nwparser.p0", "filtering %{p0}"); - - var select24 = linear_select([ - part99, - part100, - part101, - part102, - ]); - - var part103 = match("MESSAGE#53:00002:52/2", "nwparser.p0", "%{}is %{disposition->} on zone %{zone->} by %{p0}"); - - var part104 = match("MESSAGE#53:00002:52/3_1", "nwparser.p0", "admin via %{p0}"); - - var select25 = linear_select([ - dup46, - part104, - dup47, - ]); - - var select26 = linear_select([ - dup48, - dup45, - ]); - - var all21 = all_match({ - processors: [ - 
part98, - select24, - part103, - select25, - select26, - dup41, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg54 = msg("00002:52", all21); - - var part105 = match("MESSAGE#54:00002:53", "nwparser.payload", "Admin password for account \"%{username}\" has been %{disposition->} by %{administrator->} via %{logon_type->} (%{fld1})", processor_chain([ - dup42, - dup43, - dup38, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg55 = msg("00002:53", part105); - - var part106 = match("MESSAGE#55:00002:54/0", "nwparser.payload", "Traffic shaping clearing DSCP selector is turned O%{p0}"); - - var part107 = match("MESSAGE#55:00002:54/1_0", "nwparser.p0", "FF%{p0}"); - - var part108 = match("MESSAGE#55:00002:54/1_1", "nwparser.p0", "N%{p0}"); - - var select27 = linear_select([ - part107, - part108, - ]); - - var all22 = all_match({ - processors: [ - part106, - select27, - dup49, - ], - on_success: processor_chain([ - dup50, - dup43, - dup51, - dup2, - dup3, - dup4, - dup5, - dup9, - ]), - }); - - var msg56 = msg("00002:54", all22); - - var part109 = match("MESSAGE#56:00002/0", "nwparser.payload", "%{change_attribute->} %{p0}"); - - var part110 = match("MESSAGE#56:00002/1_0", "nwparser.p0", "has been changed%{p0}"); - - var select28 = linear_select([ - part110, - dup52, - ]); - - var part111 = match("MESSAGE#56:00002/2", "nwparser.p0", "%{}from %{change_old->} to %{change_new}"); - - var all23 = all_match({ - processors: [ - part109, - select28, - part111, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg57 = msg("00002", all23); - - var part112 = match("MESSAGE#1215:00002:56", "nwparser.payload", "Admin user \"%{administrator}\" login attempt for %{logon_type}(%{network_service}) management (port %{network_port}) from %{saddr}:%{sport->} failed. 
(%{fld1})", processor_chain([ - dup53, - dup9, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg58 = msg("00002:56", part112); - - var select29 = linear_select([ - msg11, - msg12, - msg13, - msg14, - msg15, - msg16, - msg17, - msg18, - msg19, - msg20, - msg21, - msg22, - msg23, - msg24, - msg25, - msg26, - msg27, - msg28, - msg29, - msg30, - msg31, - msg32, - msg33, - msg34, - msg35, - msg36, - msg37, - msg38, - msg39, - msg40, - msg41, - msg42, - msg43, - msg44, - msg45, - msg46, - msg47, - msg48, - msg49, - msg50, - msg51, - msg52, - msg53, - msg54, - msg55, - msg56, - msg57, - msg58, - ]); - - var part113 = match("MESSAGE#57:00003", "nwparser.payload", "Multiple authentication failures have been detected! From %{saddr}:%{sport->} to %{daddr}:%{dport->} using protocol %{protocol->} on interface %{interface}", processor_chain([ - dup53, - dup31, - dup54, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg59 = msg("00003", part113); - - var part114 = match("MESSAGE#58:00003:01", "nwparser.payload", "Multiple authentication failures have been detected!%{}", processor_chain([ - dup53, - dup31, - dup54, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg60 = msg("00003:01", part114); - - var part115 = match("MESSAGE#59:00003:02", "nwparser.payload", "The console debug buffer has been %{disposition}", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg61 = msg("00003:02", part115); - - var part116 = match("MESSAGE#60:00003:03", "nwparser.payload", "%{change_attribute->} changed from %{change_old->} to %{change_new}.", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg62 = msg("00003:03", part116); - - var part117 = match("MESSAGE#61:00003:05/1_0", "nwparser.p0", "serial%{p0}"); - - var part118 = match("MESSAGE#61:00003:05/1_1", "nwparser.p0", "local%{p0}"); - - var select30 = linear_select([ - part117, - part118, - ]); - - var part119 = match("MESSAGE#61:00003:05/2", "nwparser.p0", "%{}console has been 
%{disposition->} by admin %{administrator}."); - - var all24 = all_match({ - processors: [ - dup55, - select30, - part119, - ], - on_success: processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg63 = msg("00003:05", all24); - - var select31 = linear_select([ - msg59, - msg60, - msg61, - msg62, - msg63, - ]); - - var part120 = match("MESSAGE#62:00004", "nwparser.payload", "%{info}DNS server IP has been changed", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg64 = msg("00004", part120); - - var part121 = match("MESSAGE#63:00004:01", "nwparser.payload", "DNS cache table has been %{disposition}", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg65 = msg("00004:01", part121); - - var part122 = match("MESSAGE#64:00004:02", "nwparser.payload", "Daily DNS lookup has been %{disposition}", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg66 = msg("00004:02", part122); - - var part123 = match("MESSAGE#65:00004:03", "nwparser.payload", "Daily DNS lookup time has been %{disposition}", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg67 = msg("00004:03", part123); - - var part124 = match("MESSAGE#66:00004:04/0", "nwparser.payload", "%{signame->} has been detected! 
From %{saddr->} to %{daddr->} using protocol %{protocol->} on %{p0}"); - - var part125 = match("MESSAGE#66:00004:04/2", "nwparser.p0", "%{} %{interface->} %{space}The attack occurred %{dclass_counter1->} times"); - - var all25 = all_match({ - processors: [ - part124, - dup337, - part125, - ], - on_success: processor_chain([ - dup58, - dup2, - dup4, - dup5, - dup59, - dup3, - dup60, - ]), - }); - - var msg68 = msg("00004:04", all25); - - var part126 = match("MESSAGE#67:00004:05", "nwparser.payload", "%{signame->} from %{saddr}/%{sport->} to %{daddr}/%{dport->} protocol %{protocol}", processor_chain([ - dup58, - dup2, - dup4, - dup5, - dup3, - dup61, - ])); - - var msg69 = msg("00004:05", part126); - - var part127 = match("MESSAGE#68:00004:06", "nwparser.payload", "DNS lookup time has been changed to start at %{fld2}:%{fld3->} with an interval of %{fld4}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg70 = msg("00004:06", part127); - - var part128 = match("MESSAGE#69:00004:07", "nwparser.payload", "DNS cache table entries have been refreshed as result of external event.%{}", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg71 = msg("00004:07", part128); - - var part129 = match("MESSAGE#70:00004:08", "nwparser.payload", "DNS Proxy module has been %{disposition}.", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg72 = msg("00004:08", part129); - - var part130 = match("MESSAGE#71:00004:09", "nwparser.payload", "DNS Proxy module has more concurrent client requests than allowed.%{}", processor_chain([ - dup62, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg73 = msg("00004:09", part130); - - var part131 = match("MESSAGE#72:00004:10", "nwparser.payload", "DNS Proxy server select table entries exceeded maximum limit.%{}", processor_chain([ - dup62, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg74 = msg("00004:10", part131); - - var part132 = match("MESSAGE#73:00004:11", 
"nwparser.payload", "Proxy server select table added with domain %{domain}, interface %{interface}, primary-ip %{fld2}, secondary-ip %{fld3}, tertiary-ip %{fld4}, failover %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg75 = msg("00004:11", part132); - - var part133 = match("MESSAGE#74:00004:12", "nwparser.payload", "DNS Proxy server select table entry %{disposition->} with domain %{domain}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg76 = msg("00004:12", part133); - - var part134 = match("MESSAGE#75:00004:13", "nwparser.payload", "DDNS server %{domain->} returned incorrect ip %{fld2}, local-ip should be %{fld3}", processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg77 = msg("00004:13", part134); - - var part135 = match("MESSAGE#76:00004:14/1_0", "nwparser.p0", "automatically refreshed %{p0}"); - - var part136 = match("MESSAGE#76:00004:14/1_1", "nwparser.p0", "refreshed by HA %{p0}"); - - var select32 = linear_select([ - part135, - part136, - ]); - - var all26 = all_match({ - processors: [ - dup63, - select32, - dup49, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg78 = msg("00004:14", all26); - - var part137 = match("MESSAGE#77:00004:15", "nwparser.payload", "DNS entries have been refreshed as result of DNS server address change. (%{fld1})", processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg79 = msg("00004:15", part137); - - var part138 = match("MESSAGE#78:00004:16", "nwparser.payload", "DNS entries have been manually refreshed. 
(%{fld1})", processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg80 = msg("00004:16", part138); - - var all27 = all_match({ - processors: [ - dup64, - dup338, - dup67, - ], - on_success: processor_chain([ - dup58, - dup2, - dup4, - dup59, - dup9, - dup5, - dup3, - dup60, - ]), - }); - - var msg81 = msg("00004:17", all27); - - var select33 = linear_select([ - msg64, - msg65, - msg66, - msg67, - msg68, - msg69, - msg70, - msg71, - msg72, - msg73, - msg74, - msg75, - msg76, - msg77, - msg78, - msg79, - msg80, - msg81, - ]); - - var part139 = match("MESSAGE#80:00005", "nwparser.payload", "%{signame->} alarm threshold from the same source has been changed to %{trigger_val}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg82 = msg("00005", part139); - - var part140 = match("MESSAGE#81:00005:01", "nwparser.payload", "Logging of %{fld2->} traffic to self has been %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg83 = msg("00005:01", part140); - - var part141 = match("MESSAGE#82:00005:02", "nwparser.payload", "SYN flood %{fld2->} has been changed to %{fld3}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg84 = msg("00005:02", part141); - - var part142 = match("MESSAGE#83:00005:03/0", "nwparser.payload", "%{signame->} has been detected! From %{saddr}:%{sport->} to %{daddr}:%{p0}"); - - var part143 = match("MESSAGE#83:00005:03/4", "nwparser.p0", "%{fld99}interface %{interface->} %{p0}"); - - var part144 = match("MESSAGE#83:00005:03/5_0", "nwparser.p0", "in zone %{zone}. 
%{p0}"); - - var select34 = linear_select([ - part144, - dup73, - ]); - - var part145 = match("MESSAGE#83:00005:03/6", "nwparser.p0", "%{space}The attack occurred %{dclass_counter1->} times"); - - var all28 = all_match({ - processors: [ - part142, - dup339, - dup70, - dup340, - part143, - select34, - part145, - ], - on_success: processor_chain([ - dup58, - dup2, - dup3, - dup4, - dup5, - dup59, - dup61, - ]), - }); - - var msg85 = msg("00005:03", all28); - - var msg86 = msg("00005:04", dup341); - - var part146 = match("MESSAGE#85:00005:05", "nwparser.payload", "SYN flood drop pak in %{fld2->} mode when receiving unknown dst mac has been %{disposition->} on %{zone}.", processor_chain([ - setc("eventcategory","1001020100"), - dup2, - dup3, - dup4, - dup5, - ])); - - var msg87 = msg("00005:05", part146); - - var part147 = match("MESSAGE#86:00005:06/1", "nwparser.p0", "flood timeout has been set to %{trigger_val->} on %{zone}."); - - var all29 = all_match({ - processors: [ - dup342, - part147, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg88 = msg("00005:06", all29); - - var part148 = match("MESSAGE#87:00005:07/0", "nwparser.payload", "SYN flood %{p0}"); - - var part149 = match("MESSAGE#87:00005:07/1_0", "nwparser.p0", "alarm threshold %{p0}"); - - var part150 = match("MESSAGE#87:00005:07/1_1", "nwparser.p0", "packet queue size %{p0}"); - - var part151 = match("MESSAGE#87:00005:07/1_3", "nwparser.p0", "attack threshold %{p0}"); - - var part152 = match("MESSAGE#87:00005:07/1_4", "nwparser.p0", "same source IP threshold %{p0}"); - - var select35 = linear_select([ - part149, - part150, - dup76, - part151, - part152, - ]); - - var part153 = match("MESSAGE#87:00005:07/2", "nwparser.p0", "is set to %{trigger_val}."); - - var all30 = all_match({ - processors: [ - part148, - select35, - part153, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg89 = msg("00005:07", all30); - 
- var part154 = match("MESSAGE#88:00005:08/1", "nwparser.p0", "flood same %{p0}"); - - var select36 = linear_select([ - dup77, - dup78, - ]); - - var part155 = match("MESSAGE#88:00005:08/3", "nwparser.p0", "ip threshold has been set to %{trigger_val->} on %{zone}."); - - var all31 = all_match({ - processors: [ - dup342, - part154, - select36, - part155, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg90 = msg("00005:08", all31); - - var part156 = match("MESSAGE#89:00005:09", "nwparser.payload", "Screen service %{service->} is %{disposition->} on interface %{interface}.", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg91 = msg("00005:09", part156); - - var part157 = match("MESSAGE#90:00005:10", "nwparser.payload", "Screen service %{service->} is %{disposition->} on %{zone}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg92 = msg("00005:10", part157); - - var part158 = match("MESSAGE#91:00005:11/0", "nwparser.payload", "The SYN flood %{p0}"); - - var part159 = match("MESSAGE#91:00005:11/1_0", "nwparser.p0", "alarm threshold%{}"); - - var part160 = match("MESSAGE#91:00005:11/1_1", "nwparser.p0", "packet queue size%{}"); - - var part161 = match("MESSAGE#91:00005:11/1_2", "nwparser.p0", "timeout value%{}"); - - var part162 = match("MESSAGE#91:00005:11/1_3", "nwparser.p0", "attack threshold%{}"); - - var part163 = match("MESSAGE#91:00005:11/1_4", "nwparser.p0", "same source IP%{}"); - - var select37 = linear_select([ - part159, - part160, - part161, - part162, - part163, - ]); - - var all32 = all_match({ - processors: [ - part158, - select37, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg93 = msg("00005:11", all32); - - var part164 = match("MESSAGE#92:00005:12", "nwparser.payload", "The SYN-ACK-ACK proxy threshold value has been set to %{trigger_val->} on %{interface}.", processor_chain([ - dup1, - dup2, - 
dup3, - dup4, - dup5, - ])); - - var msg94 = msg("00005:12", part164); - - var part165 = match("MESSAGE#93:00005:13", "nwparser.payload", "The session limit threshold has been set to %{trigger_val->} on %{zone}.", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg95 = msg("00005:13", part165); - - var part166 = match("MESSAGE#94:00005:14", "nwparser.payload", "syn proxy drop packet with unknown mac!%{}", processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg96 = msg("00005:14", part166); - - var part167 = match("MESSAGE#95:00005:15", "nwparser.payload", "%{signame->} alarm threshold has been changed to %{trigger_val}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg97 = msg("00005:15", part167); - - var part168 = match("MESSAGE#96:00005:16", "nwparser.payload", "%{signame->} threshold has been set to %{trigger_val->} on %{zone}.", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg98 = msg("00005:16", part168); - - var part169 = match("MESSAGE#97:00005:17/1_0", "nwparser.p0", "destination-based %{p0}"); - - var part170 = match("MESSAGE#97:00005:17/1_1", "nwparser.p0", "source-based %{p0}"); - - var select38 = linear_select([ - part169, - part170, - ]); - - var part171 = match("MESSAGE#97:00005:17/2", "nwparser.p0", "session-limit threshold has been set at %{trigger_val->} in zone %{zone}."); - - var all33 = all_match({ - processors: [ - dup79, - select38, - part171, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg99 = msg("00005:17", all33); - - var all34 = all_match({ - processors: [ - dup80, - dup343, - dup83, - ], - on_success: processor_chain([ - dup84, - dup2, - dup59, - dup9, - dup3, - dup4, - dup5, - dup61, - ]), - }); - - var msg100 = msg("00005:18", all34); - - var part172 = match("MESSAGE#99:00005:19", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to %{daddr}:%{dport}, using protocol 
%{protocol}, and arriving at interface %{dinterface->} in zone %{dst_zone}.The attack occurred %{dclass_counter1->} times.", processor_chain([ - dup84, - dup2, - dup3, - dup4, - dup5, - dup59, - dup61, - ])); - - var msg101 = msg("00005:19", part172); - - var part173 = match("MESSAGE#100:00005:20", "nwparser.payload", "%{signame->} From %{saddr->} to %{daddr}, proto %{protocol->} (zone %{zone->} int %{interface}).%{space->} Occurred %{fld2->} times. (%{fld1})\u003c\u003c%{fld6}>", processor_chain([ - dup84, - dup9, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg102 = msg("00005:20", part173); - - var select39 = linear_select([ - msg82, - msg83, - msg84, - msg85, - msg86, - msg87, - msg88, - msg89, - msg90, - msg91, - msg92, - msg93, - msg94, - msg95, - msg96, - msg97, - msg98, - msg99, - msg100, - msg101, - msg102, - ]); - - var part174 = match("MESSAGE#101:00006", "nwparser.payload", "%{signame->} has been detected! From %{saddr}:%{sport->} to %{daddr}:%{dport->} using protocol %{protocol->} on interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([ - dup85, - dup2, - dup3, - dup4, - dup59, - dup5, - dup61, - ])); - - var msg103 = msg("00006", part174); - - var part175 = match("MESSAGE#102:00006:01", "nwparser.payload", "Hostname set to \"%{hostname}\"", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg104 = msg("00006:01", part175); - - var part176 = match("MESSAGE#103:00006:02", "nwparser.payload", "Domain set to %{domain}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg105 = msg("00006:02", part176); - - var part177 = match("MESSAGE#104:00006:03", "nwparser.payload", "An optional ScreenOS feature has been activated via a software key.%{}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg106 = msg("00006:03", part177); - - var part178 = match("MESSAGE#105:00006:04/0", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to 
%{daddr}:%{dport}, proto %{protocol->} (zone %{p0}"); - - var all35 = all_match({ - processors: [ - part178, - dup338, - dup67, - ], - on_success: processor_chain([ - dup84, - dup2, - dup59, - dup9, - dup3, - dup4, - dup5, - dup61, - ]), - }); - - var msg107 = msg("00006:04", all35); - - var all36 = all_match({ - processors: [ - dup64, - dup338, - dup67, - ], - on_success: processor_chain([ - dup84, - dup2, - dup59, - dup9, - dup3, - dup4, - dup5, - dup60, - ]), - }); - - var msg108 = msg("00006:05", all36); - - var select40 = linear_select([ - msg103, - msg104, - msg105, - msg106, - msg107, - msg108, - ]); - - var part179 = match("MESSAGE#107:00007", "nwparser.payload", "HA cluster ID has been changed to %{fld2}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg109 = msg("00007", part179); - - var part180 = match("MESSAGE#108:00007:01", "nwparser.payload", "%{change_attribute->} of the local NetScreen device has changed from %{change_old->} to %{change_new}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg110 = msg("00007:01", part180); - - var part181 = match("MESSAGE#109:00007:02/0", "nwparser.payload", "HA state of the local device has changed to backup because a device with a %{p0}"); - - var part182 = match("MESSAGE#109:00007:02/1_0", "nwparser.p0", "higher priority has been detected%{}"); - - var part183 = match("MESSAGE#109:00007:02/1_1", "nwparser.p0", "lower MAC value has been detected%{}"); - - var select41 = linear_select([ - part182, - part183, - ]); - - var all37 = all_match({ - processors: [ - part181, - select41, - ], - on_success: processor_chain([ - dup86, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg111 = msg("00007:02", all37); - - var part184 = match("MESSAGE#110:00007:03", "nwparser.payload", "HA state of the local device has changed to init because IP tracking has failed%{}", processor_chain([ - dup86, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg112 = msg("00007:03", 
part184); - - var select42 = linear_select([ - dup88, - dup89, - ]); - - var part185 = match("MESSAGE#111:00007:04/4", "nwparser.p0", "has been changed%{}"); - - var all38 = all_match({ - processors: [ - dup87, - select42, - dup23, - dup344, - part185, - ], - on_success: processor_chain([ - dup91, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg113 = msg("00007:04", all38); - - var part186 = match("MESSAGE#112:00007:05", "nwparser.payload", "HA: Local NetScreen device has been elected backup because a master already exists%{}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg114 = msg("00007:05", part186); - - var part187 = match("MESSAGE#113:00007:06", "nwparser.payload", "HA: Local NetScreen device has been elected backup because its MAC value is higher than those of other devices in the cluster%{}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg115 = msg("00007:06", part187); - - var part188 = match("MESSAGE#114:00007:07", "nwparser.payload", "HA: Local NetScreen device has been elected backup because its priority value is higher than those of other devices in the cluster%{}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg116 = msg("00007:07", part188); - - var part189 = match("MESSAGE#115:00007:08", "nwparser.payload", "HA: Local device has been elected master because no other master exists%{}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg117 = msg("00007:08", part189); - - var part190 = match("MESSAGE#116:00007:09", "nwparser.payload", "HA: Local device priority has been changed to %{fld2}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg118 = msg("00007:09", part190); - - var part191 = match("MESSAGE#117:00007:10", "nwparser.payload", "HA: Previous master has promoted the local NetScreen device to master%{}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg119 = msg("00007:10", 
part191); - - var part192 = match("MESSAGE#118:00007:11/0", "nwparser.payload", "IP tracking device failover threshold has been %{p0}"); - - var select43 = linear_select([ - dup92, - dup93, - ]); - - var all39 = all_match({ - processors: [ - part192, - select43, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg120 = msg("00007:11", all39); - - var part193 = match("MESSAGE#119:00007:12", "nwparser.payload", "IP tracking has been %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg121 = msg("00007:12", part193); - - var part194 = match("MESSAGE#120:00007:13", "nwparser.payload", "IP tracking to %{hostip->} with interval %{fld2->} threshold %{trigger_val->} weight %{fld4->} interface %{interface->} method %{fld5->} has been %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg122 = msg("00007:13", part194); - - var part195 = match("MESSAGE#121:00007:14", "nwparser.payload", "%{signame->} From %{saddr->} to %{daddr->} using protocol %{protocol->} on zone %{zone->} interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([ - dup85, - dup2, - dup3, - dup4, - dup59, - dup5, - dup60, - ])); - - var msg123 = msg("00007:14", part195); - - var part196 = match("MESSAGE#122:00007:15", "nwparser.payload", "Primary HA interface has been changed to %{interface}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg124 = msg("00007:15", part196); - - var part197 = match("MESSAGE#123:00007:16", "nwparser.payload", "Reporting of HA configuration and status changes to NetScreen-Global Manager has been %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg125 = msg("00007:16", part197); - - var part198 = match("MESSAGE#124:00007:17", "nwparser.payload", "Tracked IP %{hostip->} has been %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - 
dup5, - ])); - - var msg126 = msg("00007:17", part198); - - var part199 = match("MESSAGE#125:00007:18/0", "nwparser.payload", "Tracked IP %{hostip->} options have been changed from int %{fld2->} thr %{fld3->} wgt %{fld4->} inf %{fld5->} %{p0}"); - - var part200 = match("MESSAGE#125:00007:18/1_0", "nwparser.p0", "ping %{p0}"); - - var part201 = match("MESSAGE#125:00007:18/1_1", "nwparser.p0", "ARP %{p0}"); - - var select44 = linear_select([ - part200, - part201, - ]); - - var part202 = match("MESSAGE#125:00007:18/2", "nwparser.p0", "to %{fld6->} %{p0}"); - - var part203 = match("MESSAGE#125:00007:18/3_0", "nwparser.p0", "ping%{}"); - - var part204 = match("MESSAGE#125:00007:18/3_1", "nwparser.p0", "ARP%{}"); - - var select45 = linear_select([ - part203, - part204, - ]); - - var all40 = all_match({ - processors: [ - part199, - select44, - part202, - select45, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg127 = msg("00007:18", all40); - - var part205 = match("MESSAGE#126:00007:20", "nwparser.payload", "Change %{change_attribute->} path from %{change_old->} to %{change_new}.", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg128 = msg("00007:20", part205); - - var part206 = match("MESSAGE#127:00007:21/0", "nwparser.payload", "HA Slave is %{p0}"); - - var all41 = all_match({ - processors: [ - part206, - dup345, - ], - on_success: processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg129 = msg("00007:21", all41); - - var part207 = match("MESSAGE#128:00007:22", "nwparser.payload", "HA change group id to %{groupid}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg130 = msg("00007:22", part207); - - var part208 = match("MESSAGE#129:00007:23", "nwparser.payload", "HA change priority to %{fld2}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg131 = msg("00007:23", part208); - - var part209 = 
match("MESSAGE#130:00007:24", "nwparser.payload", "HA change state to init%{}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg132 = msg("00007:24", part209); - - var part210 = match("MESSAGE#131:00007:25", "nwparser.payload", "HA: Change state to initial state.%{}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg133 = msg("00007:25", part210); - - var part211 = match("MESSAGE#132:00007:26/0", "nwparser.payload", "HA: Change state to slave for %{p0}"); - - var part212 = match("MESSAGE#132:00007:26/1_0", "nwparser.p0", "tracking ip failed%{}"); - - var part213 = match("MESSAGE#132:00007:26/1_1", "nwparser.p0", "linkdown%{}"); - - var select46 = linear_select([ - part212, - part213, - ]); - - var all42 = all_match({ - processors: [ - part211, - select46, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg134 = msg("00007:26", all42); - - var part214 = match("MESSAGE#133:00007:27", "nwparser.payload", "HA: Change to master command issued from original master to change state%{}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg135 = msg("00007:27", part214); - - var part215 = match("MESSAGE#134:00007:28", "nwparser.payload", "HA: Elected master no other master%{}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg136 = msg("00007:28", part215); - - var part216 = match("MESSAGE#135:00007:29/0", "nwparser.payload", "HA: Elected slave %{p0}"); - - var part217 = match("MESSAGE#135:00007:29/1_0", "nwparser.p0", "lower priority%{}"); - - var part218 = match("MESSAGE#135:00007:29/1_1", "nwparser.p0", "MAC value is larger%{}"); - - var part219 = match("MESSAGE#135:00007:29/1_2", "nwparser.p0", "master already exists%{}"); - - var part220 = match("MESSAGE#135:00007:29/1_3", "nwparser.p0", "detect new master with higher priority%{}"); - - var part221 = match("MESSAGE#135:00007:29/1_4", "nwparser.p0", "detect new master 
with smaller MAC value%{}"); - - var select47 = linear_select([ - part217, - part218, - part219, - part220, - part221, - ]); - - var all43 = all_match({ - processors: [ - part216, - select47, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg137 = msg("00007:29", all43); - - var part222 = match("MESSAGE#136:00007:30", "nwparser.payload", "HA: Promoted master command issued from original master to change state%{}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg138 = msg("00007:30", part222); - - var part223 = match("MESSAGE#137:00007:31/0", "nwparser.payload", "HA: ha link %{p0}"); - - var all44 = all_match({ - processors: [ - part223, - dup345, - ], - on_success: processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg139 = msg("00007:31", all44); - - var part224 = match("MESSAGE#138:00007:32/0", "nwparser.payload", "NSRP %{fld2->} %{p0}"); - - var select48 = linear_select([ - dup89, - dup88, - ]); - - var part225 = match("MESSAGE#138:00007:32/4", "nwparser.p0", "changed.%{}"); - - var all45 = all_match({ - processors: [ - part224, - select48, - dup23, - dup344, - part225, - ], - on_success: processor_chain([ - dup91, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg140 = msg("00007:32", all45); - - var part226 = match("MESSAGE#139:00007:33/0_0", "nwparser.payload", "NSRP: VSD %{p0}"); - - var part227 = match("MESSAGE#139:00007:33/0_1", "nwparser.payload", "Virtual Security Device group %{p0}"); - - var select49 = linear_select([ - part226, - part227, - ]); - - var part228 = match("MESSAGE#139:00007:33/1", "nwparser.p0", "%{fld2->} change%{p0}"); - - var part229 = match("MESSAGE#139:00007:33/2_0", "nwparser.p0", "d %{p0}"); - - var select50 = linear_select([ - part229, - dup96, - ]); - - var part230 = match("MESSAGE#139:00007:33/3", "nwparser.p0", "to %{fld3->} mode."); - - var all46 = all_match({ - processors: [ - select49, - part228, - select50, - 
part230, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg141 = msg("00007:33", all46); - - var part231 = match("MESSAGE#140:00007:34", "nwparser.payload", "NSRP: message %{fld2->} dropped: invalid encryption password.", processor_chain([ - dup97, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg142 = msg("00007:34", part231); - - var part232 = match("MESSAGE#141:00007:35", "nwparser.payload", "NSRP: nsrp interface change to %{interface}.", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg143 = msg("00007:35", part232); - - var part233 = match("MESSAGE#142:00007:36", "nwparser.payload", "RTO mirror group id=%{groupid->} direction= %{direction->} local unit=%{fld3->} duplicate from unit=%{fld4}", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg144 = msg("00007:36", part233); - - var part234 = match("MESSAGE#143:00007:37/0", "nwparser.payload", "RTO mirror group id=%{groupid->} direction= %{direction->} is %{p0}"); - - var all47 = all_match({ - processors: [ - part234, - dup346, - ], - on_success: processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg145 = msg("00007:37", all47); - - var part235 = match("MESSAGE#144:00007:38/0", "nwparser.payload", "RTO mirror group id=%{groupid->} direction= %{direction->} peer=%{fld3->} from %{p0}"); - - var part236 = match("MESSAGE#144:00007:38/4", "nwparser.p0", "state %{p0}"); - - var part237 = match("MESSAGE#144:00007:38/5_0", "nwparser.p0", "missed heartbeat%{}"); - - var part238 = match("MESSAGE#144:00007:38/5_1", "nwparser.p0", "group detached%{}"); - - var select51 = linear_select([ - part237, - part238, - ]); - - var all48 = all_match({ - processors: [ - part235, - dup347, - dup103, - dup347, - part236, - select51, - ], - on_success: processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg146 = msg("00007:38", all48); - - var part239 = 
match("MESSAGE#145:00007:39/0", "nwparser.payload", "RTO mirror group id=%{groupid->} is %{p0}"); - - var all49 = all_match({ - processors: [ - part239, - dup346, - ], - on_success: processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg147 = msg("00007:39", all49); - - var part240 = match("MESSAGE#146:00007:40", "nwparser.payload", "Remove pathname %{fld2->} (ifnum=%{fld3}) as secondary HA path", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg148 = msg("00007:40", part240); - - var part241 = match("MESSAGE#147:00007:41", "nwparser.payload", "Session sync ended by unit=%{fld2}", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg149 = msg("00007:41", part241); - - var part242 = match("MESSAGE#148:00007:42", "nwparser.payload", "Set secondary HA path to %{fld2->} (ifnum=%{fld3})", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg150 = msg("00007:42", part242); - - var part243 = match("MESSAGE#149:00007:43", "nwparser.payload", "VSD %{change_attribute->} changed from %{change_old->} to %{change_new}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg151 = msg("00007:43", part243); - - var part244 = match("MESSAGE#150:00007:44", "nwparser.payload", "vsd group id=%{groupid->} is %{disposition->} total number=%{fld3}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg152 = msg("00007:44", part244); - - var part245 = match("MESSAGE#151:00007:45", "nwparser.payload", "vsd group %{group->} local unit %{change_attribute->} changed from %{change_old->} to %{change_new}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg153 = msg("00007:45", part245); - - var part246 = match("MESSAGE#152:00007:46", "nwparser.payload", "%{signame->} has been detected! 
From %{saddr->} to %{daddr->} using protocol %{protocol->} on interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([ - dup85, - dup2, - dup3, - dup4, - dup59, - dup5, - dup60, - ])); - - var msg154 = msg("00007:46", part246); - - var part247 = match("MESSAGE#153:00007:47", "nwparser.payload", "The HA channel changed to interface %{interface}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg155 = msg("00007:47", part247); - - var part248 = match("MESSAGE#154:00007:48", "nwparser.payload", "Message %{fld2->} was dropped because it contained an invalid encryption password.", processor_chain([ - dup97, - dup2, - dup3, - dup4, - setc("disposition","dropped"), - setc("result","Invalid encryption Password"), - ])); - - var msg156 = msg("00007:48", part248); - - var part249 = match("MESSAGE#155:00007:49", "nwparser.payload", "The %{change_attribute->} of all Virtual Security Device groups changed from %{change_old->} to %{change_new}", processor_chain([ - setc("eventcategory","1604000000"), - dup2, - dup3, - dup4, - dup5, - ])); - - var msg157 = msg("00007:49", part249); - - var part250 = match("MESSAGE#156:00007:50/0", "nwparser.payload", "Device %{fld2->} %{p0}"); - - var part251 = match("MESSAGE#156:00007:50/1_0", "nwparser.p0", "has joined %{p0}"); - - var part252 = match("MESSAGE#156:00007:50/1_1", "nwparser.p0", "quit current %{p0}"); - - var select52 = linear_select([ - part251, - part252, - ]); - - var part253 = match("MESSAGE#156:00007:50/2", "nwparser.p0", "NSRP cluster %{fld3}"); - - var all50 = all_match({ - processors: [ - part250, - select52, - part253, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg158 = msg("00007:50", all50); - - var part254 = match("MESSAGE#157:00007:51/0", "nwparser.payload", "Virtual Security Device group %{group->} was %{p0}"); - - var part255 = match("MESSAGE#157:00007:51/1_1", "nwparser.p0", "deleted %{p0}"); - 
- var select53 = linear_select([ - dup104, - part255, - ]); - - var select54 = linear_select([ - dup105, - dup73, - ]); - - var part256 = match("MESSAGE#157:00007:51/4", "nwparser.p0", "The total number of members in the group %{p0}"); - - var select55 = linear_select([ - dup106, - dup107, - ]); - - var all51 = all_match({ - processors: [ - part254, - select53, - dup23, - select54, - part256, - select55, - dup108, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg159 = msg("00007:51", all51); - - var part257 = match("MESSAGE#158:00007:52", "nwparser.payload", "Virtual Security Device group %{group->} %{change_attribute->} changed from %{change_old->} to %{change_new}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg160 = msg("00007:52", part257); - - var part258 = match("MESSAGE#159:00007:53", "nwparser.payload", "The secondary HA path of the devices was set to interface %{interface->} with ifnum %{fld2}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg161 = msg("00007:53", part258); - - var part259 = match("MESSAGE#160:00007:54", "nwparser.payload", "The %{change_attribute->} of the devices changed from %{change_old->} to %{change_new}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg162 = msg("00007:54", part259); - - var part260 = match("MESSAGE#161:00007:55", "nwparser.payload", "The interface %{interface->} with ifnum %{fld2->} was removed from the secondary HA path of the devices.", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg163 = msg("00007:55", part260); - - var part261 = match("MESSAGE#162:00007:56", "nwparser.payload", "The probe that detects the status of High Availability link %{fld2->} was %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg164 = msg("00007:56", part261); - - var select56 = linear_select([ - dup109, - dup110, - ]); - - var 
select57 = linear_select([ - dup111, - dup112, - ]); - - var part262 = match("MESSAGE#163:00007:57/4", "nwparser.p0", "the probe detecting the status of High Availability link %{fld2->} was set to %{fld3}"); - - var all52 = all_match({ - processors: [ - dup55, - select56, - dup23, - select57, - part262, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg165 = msg("00007:57", all52); - - var part263 = match("MESSAGE#164:00007:58", "nwparser.payload", "A request by device %{fld2->} for session synchronization(s) was accepted.", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg166 = msg("00007:58", part263); - - var part264 = match("MESSAGE#165:00007:59", "nwparser.payload", "The current session synchronization by device %{fld2->} completed.", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg167 = msg("00007:59", part264); - - var part265 = match("MESSAGE#166:00007:60", "nwparser.payload", "Run Time Object mirror group %{group->} direction was set to %{direction}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg168 = msg("00007:60", part265); - - var part266 = match("MESSAGE#167:00007:61", "nwparser.payload", "Run Time Object mirror group %{group->} was set.", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg169 = msg("00007:61", part266); - - var part267 = match("MESSAGE#168:00007:62", "nwparser.payload", "Run Time Object mirror group %{group->} with direction %{direction->} was unset.", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg170 = msg("00007:62", part267); - - var part268 = match("MESSAGE#169:00007:63", "nwparser.payload", "RTO mirror group %{group->} was unset.", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg171 = msg("00007:63", part268); - - var part269 = match("MESSAGE#170:00007:64/1", "nwparser.p0", "%{fld2->} was removed from the 
monitoring list %{p0}"); - - var part270 = match("MESSAGE#170:00007:64/3", "nwparser.p0", "%{fld3}"); - - var all53 = all_match({ - processors: [ - dup348, - part269, - dup349, - part270, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg172 = msg("00007:64", all53); - - var part271 = match("MESSAGE#171:00007:65/1", "nwparser.p0", "%{fld2->} with weight %{fld3->} was added%{p0}"); - - var part272 = match("MESSAGE#171:00007:65/2_0", "nwparser.p0", " to or updated on %{p0}"); - - var part273 = match("MESSAGE#171:00007:65/2_1", "nwparser.p0", "/updated to %{p0}"); - - var select58 = linear_select([ - part272, - part273, - ]); - - var part274 = match("MESSAGE#171:00007:65/3", "nwparser.p0", "the monitoring list %{p0}"); - - var part275 = match("MESSAGE#171:00007:65/5", "nwparser.p0", "%{fld4}"); - - var all54 = all_match({ - processors: [ - dup348, - part271, - select58, - part274, - dup349, - part275, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg173 = msg("00007:65", all54); - - var part276 = match("MESSAGE#172:00007:66/0_0", "nwparser.payload", "The monitoring %{p0}"); - - var part277 = match("MESSAGE#172:00007:66/0_1", "nwparser.payload", "Monitoring %{p0}"); - - var select59 = linear_select([ - part276, - part277, - ]); - - var part278 = match("MESSAGE#172:00007:66/1", "nwparser.p0", "threshold was modified to %{trigger_val->} o%{p0}"); - - var part279 = match("MESSAGE#172:00007:66/2_0", "nwparser.p0", "f %{p0}"); - - var select60 = linear_select([ - part279, - dup115, - ]); - - var all55 = all_match({ - processors: [ - select59, - part278, - select60, - dup108, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg174 = msg("00007:66", all55); - - var part280 = match("MESSAGE#173:00007:67", "nwparser.payload", "NSRP data forwarding %{disposition}.", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - 
- var msg175 = msg("00007:67", part280); - - var part281 = match("MESSAGE#174:00007:68/0", "nwparser.payload", "NSRP b%{p0}"); - - var part282 = match("MESSAGE#174:00007:68/1_0", "nwparser.p0", "lack %{p0}"); - - var part283 = match("MESSAGE#174:00007:68/1_1", "nwparser.p0", "ack %{p0}"); - - var select61 = linear_select([ - part282, - part283, - ]); - - var part284 = match("MESSAGE#174:00007:68/2", "nwparser.p0", "hole prevention %{disposition}. Master(s) of Virtual Security Device groups %{p0}"); - - var part285 = match("MESSAGE#174:00007:68/3_0", "nwparser.p0", "may not exist %{p0}"); - - var part286 = match("MESSAGE#174:00007:68/3_1", "nwparser.p0", "always exists %{p0}"); - - var select62 = linear_select([ - part285, - part286, - ]); - - var all56 = all_match({ - processors: [ - part281, - select61, - part284, - select62, - dup116, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg176 = msg("00007:68", all56); - - var part287 = match("MESSAGE#175:00007:69", "nwparser.payload", "NSRP Run Time Object synchronization between devices was %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg177 = msg("00007:69", part287); - - var part288 = match("MESSAGE#176:00007:70", "nwparser.payload", "The NSRP encryption key was changed.%{}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg178 = msg("00007:70", part288); - - var part289 = match("MESSAGE#177:00007:71", "nwparser.payload", "NSRP transparent Active-Active mode was %{disposition}.", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg179 = msg("00007:71", part289); - - var part290 = match("MESSAGE#178:00007:72", "nwparser.payload", "NSRP: nsrp link probe enable on %{interface}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg180 = msg("00007:72", part290); - - var select63 = linear_select([ - msg109, - msg110, - msg111, - msg112, - msg113, - 
msg114, - msg115, - msg116, - msg117, - msg118, - msg119, - msg120, - msg121, - msg122, - msg123, - msg124, - msg125, - msg126, - msg127, - msg128, - msg129, - msg130, - msg131, - msg132, - msg133, - msg134, - msg135, - msg136, - msg137, - msg138, - msg139, - msg140, - msg141, - msg142, - msg143, - msg144, - msg145, - msg146, - msg147, - msg148, - msg149, - msg150, - msg151, - msg152, - msg153, - msg154, - msg155, - msg156, - msg157, - msg158, - msg159, - msg160, - msg161, - msg162, - msg163, - msg164, - msg165, - msg166, - msg167, - msg168, - msg169, - msg170, - msg171, - msg172, - msg173, - msg174, - msg175, - msg176, - msg177, - msg178, - msg179, - msg180, - ]); - - var part291 = match("MESSAGE#179:00008", "nwparser.payload", "%{signame->} has been detected! From %{saddr}:%{sport->} to %{daddr}:%{dport->} using protocol %{protocol->} on interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([ - dup58, - dup2, - dup3, - dup4, - dup59, - dup5, - dup61, - ])); - - var msg181 = msg("00008", part291); - - var msg182 = msg("00008:01", dup341); - - var part292 = match("MESSAGE#181:00008:02", "nwparser.payload", "NTP settings have been changed%{}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg183 = msg("00008:02", part292); - - var part293 = match("MESSAGE#182:00008:03", "nwparser.payload", "The system clock has been updated through NTP%{}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg184 = msg("00008:03", part293); - - var part294 = match("MESSAGE#183:00008:04/0", "nwparser.payload", "System clock %{p0}"); - - var part295 = match("MESSAGE#183:00008:04/1_0", "nwparser.p0", "configurations have been%{p0}"); - - var part296 = match("MESSAGE#183:00008:04/1_1", "nwparser.p0", "was%{p0}"); - - var part297 = match("MESSAGE#183:00008:04/1_2", "nwparser.p0", "is%{p0}"); - - var select64 = linear_select([ - part295, - part296, - part297, - ]); - - var part298 = 
match("MESSAGE#183:00008:04/2", "nwparser.p0", "%{}changed%{p0}"); - - var part299 = match("MESSAGE#183:00008:04/3_0", "nwparser.p0", " by admin %{administrator}"); - - var part300 = match("MESSAGE#183:00008:04/3_1", "nwparser.p0", " by %{username->} (%{fld1})"); - - var part301 = match("MESSAGE#183:00008:04/3_2", "nwparser.p0", " by %{username}"); - - var part302 = match("MESSAGE#183:00008:04/3_3", "nwparser.p0", " manually.%{}"); - - var part303 = match("MESSAGE#183:00008:04/3_4", "nwparser.p0", " manually%{}"); - - var select65 = linear_select([ - part299, - part300, - part301, - part302, - part303, - dup21, - ]); - - var all57 = all_match({ - processors: [ - part294, - select64, - part298, - select65, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - dup9, - ]), - }); - - var msg185 = msg("00008:04", all57); - - var part304 = match("MESSAGE#184:00008:05", "nwparser.payload", "failed to get clock through NTP%{}", processor_chain([ - dup117, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg186 = msg("00008:05", part304); - - var part305 = match("MESSAGE#185:00008:06", "nwparser.payload", "%{signame->} has been detected! From %{saddr}:%{sport->} to %{daddr}:%{dport}, using protocol %{protocol}, and arriving at interface %{dinterface->} in zone %{dst_zone}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([ - dup58, - dup2, - dup3, - dup4, - dup5, - dup59, - dup61, - ])); - - var msg187 = msg("00008:06", part305); - - var part306 = match("MESSAGE#186:00008:07", "nwparser.payload", "%{signame->} has been detected! 
From %{saddr->} to %{daddr}, using protocol %{protocol}, and arriving at interface %{dinterface->} in zone %{dst_zone}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([ - dup58, - dup2, - dup3, - dup4, - dup5, - dup59, - dup60, - ])); - - var msg188 = msg("00008:07", part306); - - var part307 = match("MESSAGE#187:00008:08", "nwparser.payload", "%{signame->} From %{saddr->} to %{daddr}, using protocol %{protocol}, on zone %{zone->} interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times.", processor_chain([ - dup58, - dup2, - dup3, - dup4, - dup5, - dup59, - dup60, - ])); - - var msg189 = msg("00008:08", part307); - - var part308 = match("MESSAGE#188:00008:09", "nwparser.payload", "system clock is changed manually%{}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg190 = msg("00008:09", part308); - - var part309 = match("MESSAGE#189:00008:10/0", "nwparser.payload", "%{signame->} From %{saddr->} to %{daddr}, proto %{protocol}(zone %{p0}"); - - var all58 = all_match({ - processors: [ - part309, - dup338, - dup67, - ], - on_success: processor_chain([ - dup58, - dup2, - dup59, - dup3, - dup4, - dup5, - dup9, - dup60, - ]), - }); - - var msg191 = msg("00008:10", all58); - - var select66 = linear_select([ - msg181, - msg182, - msg183, - msg184, - msg185, - msg186, - msg187, - msg188, - msg189, - msg190, - msg191, - ]); - - var part310 = match("MESSAGE#190:00009", "nwparser.payload", "802.1Q VLAN trunking for the interface %{interface->} has been %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg192 = msg("00009", part310); - - var part311 = match("MESSAGE#191:00009:01", "nwparser.payload", "802.1Q VLAN tag %{fld1->} has been %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg193 = msg("00009:01", part311); - - var part312 = match("MESSAGE#192:00009:02", "nwparser.payload", "DHCP on the interface %{interface->} has 
been %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg194 = msg("00009:02", part312); - - var part313 = match("MESSAGE#193:00009:03", "nwparser.payload", "%{change_attribute->} for interface %{interface->} has been changed from %{change_old->} to %{change_new}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg195 = msg("00009:03", part313); - - var part314 = match("MESSAGE#194:00009:05", "nwparser.payload", "%{signame->} has been detected! From %{saddr}:%{sport->} to %{daddr}:%{dport->} using protocol %{protocol->} on interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([ - dup58, - dup2, - dup3, - dup59, - dup4, - dup5, - dup61, - ])); - - var msg196 = msg("00009:05", part314); - - var part315 = match("MESSAGE#195:00009:06/0_0", "nwparser.payload", "%{fld2}: The 802.1Q tag %{p0}"); - - var part316 = match("MESSAGE#195:00009:06/0_1", "nwparser.payload", "The 802.1Q tag %{p0}"); - - var select67 = linear_select([ - part315, - part316, - ]); - - var select68 = linear_select([ - dup119, - dup16, - ]); - - var part317 = match("MESSAGE#195:00009:06/3", "nwparser.p0", "interface %{interface->} has been %{p0}"); - - var part318 = match("MESSAGE#195:00009:06/4_1", "nwparser.p0", "changed to %{p0}"); - - var select69 = linear_select([ - dup120, - part318, - ]); - - var part319 = match("MESSAGE#195:00009:06/6_0", "nwparser.p0", "%{info->} from host %{saddr}"); - - var part320 = match_copy("MESSAGE#195:00009:06/6_1", "nwparser.p0", "info"); - - var select70 = linear_select([ - part319, - part320, - ]); - - var all59 = all_match({ - processors: [ - select67, - dup118, - select68, - part317, - select69, - dup23, - select70, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg197 = msg("00009:06", all59); - - var part321 = match("MESSAGE#196:00009:07/0", "nwparser.payload", "Maximum bandwidth %{fld2->} on %{p0}"); - - 
var part322 = match("MESSAGE#196:00009:07/2", "nwparser.p0", "%{} %{interface->} is less than t%{p0}"); - - var part323 = match("MESSAGE#196:00009:07/3_0", "nwparser.p0", "he total %{p0}"); - - var part324 = match("MESSAGE#196:00009:07/3_1", "nwparser.p0", "otal %{p0}"); - - var select71 = linear_select([ - part323, - part324, - ]); - - var part325 = match("MESSAGE#196:00009:07/4", "nwparser.p0", "guaranteed bandwidth %{fld3}"); - - var all60 = all_match({ - processors: [ - part321, - dup337, - part322, - select71, - part325, - ], - on_success: processor_chain([ - dup121, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg198 = msg("00009:07", all60); - - var part326 = match("MESSAGE#197:00009:09", "nwparser.payload", "The configured bandwidth setting on the interface %{interface->} has been changed to %{fld2}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg199 = msg("00009:09", part326); - - var part327 = match("MESSAGE#198:00009:10/0", "nwparser.payload", "The operational mode for the interface %{interface->} has been changed to %{p0}"); - - var part328 = match("MESSAGE#198:00009:10/1_0", "nwparser.p0", "Route%{}"); - - var part329 = match("MESSAGE#198:00009:10/1_1", "nwparser.p0", "NAT%{}"); - - var select72 = linear_select([ - part328, - part329, - ]); - - var all61 = all_match({ - processors: [ - part327, - select72, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg200 = msg("00009:10", all61); - - var part330 = match("MESSAGE#199:00009:11/0_0", "nwparser.payload", "%{fld1}: VLAN %{p0}"); - - var part331 = match("MESSAGE#199:00009:11/0_1", "nwparser.payload", "VLAN %{p0}"); - - var select73 = linear_select([ - part330, - part331, - ]); - - var part332 = match("MESSAGE#199:00009:11/1", "nwparser.p0", "tag %{fld2->} has been %{disposition}"); - - var all62 = all_match({ - processors: [ - select73, - part332, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - 
dup5, - ]), - }); - - var msg201 = msg("00009:11", all62); - - var part333 = match("MESSAGE#200:00009:12", "nwparser.payload", "DHCP client has been %{disposition->} on interface %{interface}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg202 = msg("00009:12", part333); - - var part334 = match("MESSAGE#201:00009:13", "nwparser.payload", "DHCP relay agent settings on %{interface->} have been %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg203 = msg("00009:13", part334); - - var part335 = match("MESSAGE#202:00009:14/0_0", "nwparser.payload", "Global-PRO has been %{p0}"); - - var part336 = match("MESSAGE#202:00009:14/0_1", "nwparser.payload", "Global PRO has been %{p0}"); - - var part337 = match("MESSAGE#202:00009:14/0_2", "nwparser.payload", "DNS proxy was %{p0}"); - - var select74 = linear_select([ - part335, - part336, - part337, - ]); - - var part338 = match("MESSAGE#202:00009:14/1", "nwparser.p0", "%{disposition->} on %{p0}"); - - var select75 = linear_select([ - dup122, - dup123, - ]); - - var part339 = match("MESSAGE#202:00009:14/4_0", "nwparser.p0", "%{interface->} (%{fld2})"); - - var select76 = linear_select([ - part339, - dup124, - ]); - - var all63 = all_match({ - processors: [ - select74, - part338, - select75, - dup23, - select76, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg204 = msg("00009:14", all63); - - var part340 = match("MESSAGE#203:00009:15/0", "nwparser.payload", "Route between secondary IP%{p0}"); - - var part341 = match("MESSAGE#203:00009:15/1_0", "nwparser.p0", " addresses %{p0}"); - - var select77 = linear_select([ - part341, - dup125, - ]); - - var all64 = all_match({ - processors: [ - part340, - select77, - dup126, - dup350, - dup128, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg205 = msg("00009:15", all64); - - var part342 = 
match("MESSAGE#204:00009:16/0", "nwparser.payload", "Secondary IP address %{hostip}/%{mask->} %{p0}"); - - var part343 = match("MESSAGE#204:00009:16/3_2", "nwparser.p0", "deleted from %{p0}"); - - var select78 = linear_select([ - dup129, - dup130, - part343, - ]); - - var part344 = match("MESSAGE#204:00009:16/4", "nwparser.p0", "interface %{interface}."); - - var all65 = all_match({ - processors: [ - part342, - dup350, - dup23, - select78, - part344, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg206 = msg("00009:16", all65); - - var part345 = match("MESSAGE#205:00009:17/0", "nwparser.payload", "Secondary IP address %{p0}"); - - var part346 = match("MESSAGE#205:00009:17/1_0", "nwparser.p0", "%{hostip}/%{mask->} was added to interface %{p0}"); - - var part347 = match("MESSAGE#205:00009:17/1_1", "nwparser.p0", "%{hostip->} was added to interface %{p0}"); - - var select79 = linear_select([ - part346, - part347, - ]); - - var part348 = match("MESSAGE#205:00009:17/2", "nwparser.p0", "%{interface}."); - - var all66 = all_match({ - processors: [ - part345, - select79, - part348, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg207 = msg("00009:17", all66); - - var part349 = match("MESSAGE#206:00009:18", "nwparser.payload", "The configured bandwidth on the interface %{interface->} has been changed to %{fld2}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg208 = msg("00009:18", part349); - - var part350 = match("MESSAGE#207:00009:19", "nwparser.payload", "interface %{interface->} with IP %{hostip->} %{fld2->} has been %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg209 = msg("00009:19", part350); - - var part351 = match("MESSAGE#208:00009:27", "nwparser.payload", "interface %{interface->} has been %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg210 = 
msg("00009:27", part351); - - var part352 = match("MESSAGE#209:00009:20/0_0", "nwparser.payload", "%{fld2}: %{service->} has been %{p0}"); - - var part353 = match("MESSAGE#209:00009:20/0_1", "nwparser.payload", "%{service->} has been %{p0}"); - - var select80 = linear_select([ - part352, - part353, - ]); - - var part354 = match("MESSAGE#209:00009:20/1", "nwparser.p0", "%{disposition->} on interface %{interface->} %{p0}"); - - var part355 = match("MESSAGE#209:00009:20/2_0", "nwparser.p0", "by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport}"); - - var part356 = match("MESSAGE#209:00009:20/2_1", "nwparser.p0", "by %{username->} via %{logon_type->} from host %{saddr}:%{sport}"); - - var part357 = match("MESSAGE#209:00009:20/2_2", "nwparser.p0", "by %{username->} via %{logon_type->} from host %{saddr}"); - - var part358 = match("MESSAGE#209:00009:20/2_3", "nwparser.p0", "from host %{saddr->} (%{fld1})"); - - var select81 = linear_select([ - part355, - part356, - part357, - part358, - ]); - - var all67 = all_match({ - processors: [ - select80, - part354, - select81, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg211 = msg("00009:20", all67); - - var part359 = match("MESSAGE#210:00009:21/0", "nwparser.payload", "Source Route IP option! 
From %{saddr->} to %{daddr}, proto %{protocol->} (zone %{zone->} %{p0}"); - - var all68 = all_match({ - processors: [ - part359, - dup343, - dup131, - ], - on_success: processor_chain([ - dup58, - dup2, - dup59, - dup3, - dup4, - dup5, - dup9, - dup60, - ]), - }); - - var msg212 = msg("00009:21", all68); - - var part360 = match("MESSAGE#211:00009:22", "nwparser.payload", "MTU for interface %{interface->} has been changed to %{fld2->} (%{fld1})", processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg213 = msg("00009:22", part360); - - var part361 = match("MESSAGE#212:00009:23", "nwparser.payload", "Secondary IP address %{hostip->} has been added to interface %{interface->} (%{fld1})", processor_chain([ - dup44, - dup2, - dup9, - dup3, - dup4, - dup5, - ])); - - var msg214 = msg("00009:23", part361); - - var part362 = match("MESSAGE#213:00009:24/0", "nwparser.payload", "Web has been enabled on interface %{interface->} by admin %{administrator->} via %{p0}"); - - var part363 = match("MESSAGE#213:00009:24/1_0", "nwparser.p0", "%{logon_type->} %{space}(%{p0}"); - - var part364 = match("MESSAGE#213:00009:24/1_1", "nwparser.p0", "%{logon_type}. (%{p0}"); - - var select82 = linear_select([ - part363, - part364, - ]); - - var part365 = match("MESSAGE#213:00009:24/2", "nwparser.p0", ")%{fld1}"); - - var all69 = all_match({ - processors: [ - part362, - select82, - part365, - ], - on_success: processor_chain([ - dup1, - dup2, - dup9, - dup3, - dup4, - dup5, - ]), - }); - - var msg215 = msg("00009:24", all69); - - var part366 = match("MESSAGE#214:00009:25", "nwparser.payload", "Web has been enabled on interface %{interface->} by %{username->} via %{logon_type}. 
(%{fld1})", processor_chain([ - dup1, - dup2, - dup9, - dup3, - dup4, - dup5, - ])); - - var msg216 = msg("00009:25", part366); - - var part367 = match("MESSAGE#215:00009:26/0", "nwparser.payload", "%{protocol->} has been %{disposition->} on interface %{interface->} by %{username->} via NSRP Peer . %{p0}"); - - var all70 = all_match({ - processors: [ - part367, - dup333, - ], - on_success: processor_chain([ - dup1, - dup2, - dup9, - dup3, - dup4, - dup5, - ]), - }); - - var msg217 = msg("00009:26", all70); - - var select83 = linear_select([ - msg192, - msg193, - msg194, - msg195, - msg196, - msg197, - msg198, - msg199, - msg200, - msg201, - msg202, - msg203, - msg204, - msg205, - msg206, - msg207, - msg208, - msg209, - msg210, - msg211, - msg212, - msg213, - msg214, - msg215, - msg216, - msg217, - ]); - - var part368 = match("MESSAGE#216:00010/0", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to %{daddr}:%{dport->} %{p0}"); - - var part369 = match("MESSAGE#216:00010/1_0", "nwparser.p0", "using protocol %{p0}"); - - var part370 = match("MESSAGE#216:00010/1_1", "nwparser.p0", "proto %{p0}"); - - var select84 = linear_select([ - part369, - part370, - ]); - - var part371 = match("MESSAGE#216:00010/2", "nwparser.p0", "%{protocol->} %{p0}"); - - var part372 = match("MESSAGE#216:00010/3_0", "nwparser.p0", "( zone %{zone}, int %{interface}) %{p0}"); - - var part373 = match("MESSAGE#216:00010/3_1", "nwparser.p0", "zone %{zone->} int %{interface}) %{p0}"); - - var select85 = linear_select([ - part372, - part373, - dup126, - ]); - - var part374 = match("MESSAGE#216:00010/4", "nwparser.p0", ".%{space}The attack occurred %{dclass_counter1->} times%{p0}"); - - var all71 = all_match({ - processors: [ - part368, - select84, - part371, - select85, - part374, - dup351, - ], - on_success: processor_chain([ - dup58, - dup2, - dup4, - dup59, - dup5, - dup9, - dup3, - dup61, - ]), - }); - - var msg218 = msg("00010", all71); - - var part375 = match("MESSAGE#217:00010:01", 
"nwparser.payload", "MIP %{hostip}/%{fld2->} has been %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg219 = msg("00010:01", part375); - - var part376 = match("MESSAGE#218:00010:02", "nwparser.payload", "Mapped IP %{hostip->} %{fld2->} has been %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg220 = msg("00010:02", part376); - - var all72 = all_match({ - processors: [ - dup132, - dup343, - dup83, - ], - on_success: processor_chain([ - dup58, - dup2, - dup59, - dup4, - dup5, - dup9, - dup3, - dup60, - ]), - }); - - var msg221 = msg("00010:03", all72); - - var select86 = linear_select([ - msg218, - msg219, - msg220, - msg221, - ]); - - var part377 = match("MESSAGE#220:00011", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to %{daddr}:%{dport->} using protocol %{protocol->} on interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([ - dup58, - dup2, - dup3, - dup59, - dup4, - dup5, - dup61, - ])); - - var msg222 = msg("00011", part377); - - var part378 = match("MESSAGE#221:00011:01/0", "nwparser.payload", "Route to %{daddr}/%{fld2->} [ %{p0}"); - - var select87 = linear_select([ - dup57, - dup56, - ]); - - var part379 = match("MESSAGE#221:00011:01/2", "nwparser.p0", "%{} %{interface->} gateway %{fld3->} ] has been %{disposition}"); - - var all73 = all_match({ - processors: [ - part378, - select87, - part379, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg223 = msg("00011:01", all73); - - var part380 = match("MESSAGE#222:00011:02", "nwparser.payload", "%{signame->} from %{saddr->} to %{daddr->} protocol %{protocol->} (%{fld2})", processor_chain([ - dup58, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg224 = msg("00011:02", part380); - - var part381 = match("MESSAGE#223:00011:03/0", "nwparser.payload", "An %{p0}"); - - var part382 = match("MESSAGE#223:00011:03/1_0", 
"nwparser.p0", "import %{p0}"); - - var part383 = match("MESSAGE#223:00011:03/1_1", "nwparser.p0", "export %{p0}"); - - var select88 = linear_select([ - part382, - part383, - ]); - - var part384 = match("MESSAGE#223:00011:03/2", "nwparser.p0", "rule in virtual router %{node->} to virtual router %{fld4->} with %{p0}"); - - var part385 = match("MESSAGE#223:00011:03/3_0", "nwparser.p0", "route-map %{fld3->} and protocol %{protocol->} has been %{p0}"); - - var part386 = match("MESSAGE#223:00011:03/3_1", "nwparser.p0", "IP-prefix %{hostip}/%{interface->} has been %{p0}"); - - var select89 = linear_select([ - part385, - part386, - ]); - - var all74 = all_match({ - processors: [ - part381, - select88, - part384, - select89, - dup36, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg225 = msg("00011:03", all74); - - var part387 = match("MESSAGE#224:00011:04/0", "nwparser.payload", "A route in virtual router %{node->} that has IP address %{hostip}/%{fld2->} through %{p0}"); - - var part388 = match("MESSAGE#224:00011:04/2", "nwparser.p0", "%{interface->} and gateway %{fld3->} with metric %{fld4->} has been %{disposition}"); - - var all75 = all_match({ - processors: [ - part387, - dup352, - part388, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg226 = msg("00011:04", all75); - - var part389 = match("MESSAGE#225:00011:05/1_0", "nwparser.p0", "sharable virtual router using name%{p0}"); - - var part390 = match("MESSAGE#225:00011:05/1_1", "nwparser.p0", "virtual router with name%{p0}"); - - var select90 = linear_select([ - part389, - part390, - ]); - - var part391 = match("MESSAGE#225:00011:05/2", "nwparser.p0", "%{} %{node->} and id %{fld2->} has been %{disposition}"); - - var all76 = all_match({ - processors: [ - dup79, - select90, - part391, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg227 = msg("00011:05", all76); - - 
var part392 = match("MESSAGE#226:00011:07", "nwparser.payload", "%{signame->} From %{saddr->} to %{daddr->} using protocol %{protocol->} on interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([ - dup58, - dup2, - dup4, - dup5, - dup59, - dup3, - dup60, - ])); - - var msg228 = msg("00011:07", part392); - - var part393 = match("MESSAGE#227:00011:08", "nwparser.payload", "Route(s) in virtual router %{node->} with an IP address %{hostip->} and gateway %{fld2->} has been %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg229 = msg("00011:08", part393); - - var part394 = match("MESSAGE#228:00011:09", "nwparser.payload", "The auto-route-export feature in virtual router %{node->} has been %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg230 = msg("00011:09", part394); - - var part395 = match("MESSAGE#229:00011:10", "nwparser.payload", "The maximum number of routes that can be created in virtual router %{node->} is %{fld2}", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg231 = msg("00011:10", part395); - - var part396 = match("MESSAGE#230:00011:11", "nwparser.payload", "The maximum routes limit in virtual router %{node->} has been %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg232 = msg("00011:11", part396); - - var part397 = match("MESSAGE#231:00011:12", "nwparser.payload", "The router-id of virtual router %{node->} used by OSPF BGP routing instances id has been uninitialized", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg233 = msg("00011:12", part397); - - var part398 = match("MESSAGE#232:00011:13", "nwparser.payload", "The router-id that can be used by OSPF BGP routing instances in virtual router %{node->} has been set to %{fld2}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg234 = msg("00011:13", part398); 
- - var part399 = match("MESSAGE#233:00011:14/0", "nwparser.payload", "The routing preference for protocol %{protocol->} in virtual router %{node->} has been %{p0}"); - - var part400 = match("MESSAGE#233:00011:14/1_1", "nwparser.p0", "reset%{}"); - - var select91 = linear_select([ - dup134, - part400, - ]); - - var all77 = all_match({ - processors: [ - part399, - select91, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg235 = msg("00011:14", all77); - - var part401 = match("MESSAGE#234:00011:15", "nwparser.payload", "The system default-route in virtual router %{node->} has been %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg236 = msg("00011:15", part401); - - var part402 = match("MESSAGE#235:00011:16", "nwparser.payload", "The system default-route through virtual router %{node->} has been added in virtual router %{fld2}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg237 = msg("00011:16", part402); - - var part403 = match("MESSAGE#236:00011:17/0", "nwparser.payload", "The virtual router %{node->} has been made %{p0}"); - - var part404 = match("MESSAGE#236:00011:17/1_0", "nwparser.p0", "sharable%{}"); - - var part405 = match("MESSAGE#236:00011:17/1_1", "nwparser.p0", "unsharable%{}"); - - var part406 = match("MESSAGE#236:00011:17/1_2", "nwparser.p0", "default virtual router for virtual system %{fld2}"); - - var select92 = linear_select([ - part404, - part405, - part406, - ]); - - var all78 = all_match({ - processors: [ - part403, - select92, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg238 = msg("00011:17", all78); - - var part407 = match("MESSAGE#237:00011:18/0_0", "nwparser.payload", "Source route(s) %{p0}"); - - var part408 = match("MESSAGE#237:00011:18/0_1", "nwparser.payload", "A source route %{p0}"); - - var select93 = linear_select([ - part407, - part408, - ]); - - var part409 = 
match("MESSAGE#237:00011:18/1", "nwparser.p0", "in virtual router %{node->} %{p0}"); - - var part410 = match("MESSAGE#237:00011:18/2_0", "nwparser.p0", "with route addresses of %{p0}"); - - var part411 = match("MESSAGE#237:00011:18/2_1", "nwparser.p0", "that has IP address %{p0}"); - - var select94 = linear_select([ - part410, - part411, - ]); - - var part412 = match("MESSAGE#237:00011:18/3", "nwparser.p0", "%{hostip}/%{fld2->} through interface %{interface->} and %{p0}"); - - var part413 = match("MESSAGE#237:00011:18/4_0", "nwparser.p0", "a default gateway address %{p0}"); - - var select95 = linear_select([ - part413, - dup135, - ]); - - var part414 = match("MESSAGE#237:00011:18/5", "nwparser.p0", "%{fld3->} with metric %{fld4->} %{p0}"); - - var all79 = all_match({ - processors: [ - select93, - part409, - select94, - part412, - select95, - part414, - dup350, - dup128, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg239 = msg("00011:18", all79); - - var part415 = match("MESSAGE#238:00011:19/0", "nwparser.payload", "Source Route(s) in virtual router %{node->} with %{p0}"); - - var part416 = match("MESSAGE#238:00011:19/1_0", "nwparser.p0", "route addresses of %{p0}"); - - var part417 = match("MESSAGE#238:00011:19/1_1", "nwparser.p0", "an IP address %{p0}"); - - var select96 = linear_select([ - part416, - part417, - ]); - - var part418 = match("MESSAGE#238:00011:19/2", "nwparser.p0", "%{hostip}/%{fld3->} and %{p0}"); - - var part419 = match("MESSAGE#238:00011:19/3_0", "nwparser.p0", "a default gateway address of %{p0}"); - - var select97 = linear_select([ - part419, - dup135, - ]); - - var part420 = match("MESSAGE#238:00011:19/4", "nwparser.p0", "%{fld4->} %{p0}"); - - var part421 = match("MESSAGE#238:00011:19/5_1", "nwparser.p0", "has been%{p0}"); - - var select98 = linear_select([ - dup107, - part421, - ]); - - var all80 = all_match({ - processors: [ - part415, - select96, - part418, - select97, - part420, - 
select98, - dup136, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg240 = msg("00011:19", all80); - - var part422 = match("MESSAGE#239:00011:20/0_0", "nwparser.payload", "%{fld2}: A %{p0}"); - - var select99 = linear_select([ - part422, - dup79, - ]); - - var part423 = match("MESSAGE#239:00011:20/1", "nwparser.p0", "route has been created in virtual router \"%{node}\"%{space}with an IP address %{hostip->} and next-hop as virtual router \"%{fld3}\""); - - var all81 = all_match({ - processors: [ - select99, - part423, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg241 = msg("00011:20", all81); - - var part424 = match("MESSAGE#240:00011:21", "nwparser.payload", "SIBR route(s) in virtual router %{node->} for interface %{interface->} with an IP address %{hostip->} and gateway %{fld2->} has been %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg242 = msg("00011:21", part424); - - var part425 = match("MESSAGE#241:00011:22", "nwparser.payload", "SIBR route in virtual router %{node->} for interface %{interface->} that has IP address %{hostip->} through interface %{fld3->} and gateway %{fld4->} with metric %{fld5->} was %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg243 = msg("00011:22", part425); - - var all82 = all_match({ - processors: [ - dup132, - dup343, - dup131, - ], - on_success: processor_chain([ - dup58, - dup2, - dup59, - dup9, - dup3, - dup4, - dup5, - call({ - dest: "nwparser.inout", - fn: DIRCHK, - args: [ - field("$IN"), - field("saddr"), - field("daddr"), - ], - }), - ]), - }); - - var msg244 = msg("00011:23", all82); - - var part426 = match("MESSAGE#243:00011:24", "nwparser.payload", "Route in virtual router \"%{node}\" that has IP address %{hostip->} through interface %{interface->} and gateway %{fld2->} with metric %{fld3->} %{disposition}. 
(%{fld1})", processor_chain([ - dup44, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg245 = msg("00011:24", part426); - - var part427 = match("MESSAGE#244:00011:25", "nwparser.payload", "Route(s) in virtual router \"%{node}\" with an IP address %{hostip}/%{fld2->} and gateway %{fld3->} %{disposition}. (%{fld1})", processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg246 = msg("00011:25", part427); - - var part428 = match("MESSAGE#245:00011:26", "nwparser.payload", "Route in virtual router \"%{node}\" with IP address %{hostip}/%{fld2->} and next-hop as virtual router \"%{fld3}\" created. (%{fld1})", processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg247 = msg("00011:26", part428); - - var select100 = linear_select([ - msg222, - msg223, - msg224, - msg225, - msg226, - msg227, - msg228, - msg229, - msg230, - msg231, - msg232, - msg233, - msg234, - msg235, - msg236, - msg237, - msg238, - msg239, - msg240, - msg241, - msg242, - msg243, - msg244, - msg245, - msg246, - msg247, - ]); - - var part429 = match("MESSAGE#246:00012:02", "nwparser.payload", "Service group %{group->} comments have been %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg248 = msg("00012:02", part429); - - var part430 = match("MESSAGE#247:00012:03", "nwparser.payload", "Service group %{change_old->} %{change_attribute->} has been changed to %{change_new}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg249 = msg("00012:03", part430); - - var part431 = match("MESSAGE#248:00012:04", "nwparser.payload", "%{fld2->} Service group %{group->} has %{disposition->} member %{username->} from host %{saddr}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg250 = msg("00012:04", part431); - - var part432 = match("MESSAGE#249:00012:05", "nwparser.payload", "%{signame->} from %{saddr}/%{sport->} to %{daddr}/%{dport->} protocol %{protocol->} 
(%{fld2}) (%{fld3})", processor_chain([ - dup58, - dup2, - dup3, - dup4, - dup5, - dup61, - ])); - - var msg251 = msg("00012:05", part432); - - var part433 = match("MESSAGE#250:00012:06", "nwparser.payload", "%{signame->} has been detected! From %{saddr}:%{sport->} to %{daddr}:%{dport->} using protocol %{protocol->} on interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([ - dup58, - dup2, - dup3, - dup4, - dup5, - dup59, - dup61, - ])); - - var msg252 = msg("00012:06", part433); - - var part434 = match("MESSAGE#251:00012:07", "nwparser.payload", "%{signame->} has been detected! From %{saddr}:%{sport->} to %{daddr}:%{dport}, using protocol %{protocol}, and arriving at interface %{dinterface->} in zone %{dst_zone}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([ - dup58, - dup2, - dup3, - dup4, - dup5, - dup61, - dup59, - ])); - - var msg253 = msg("00012:07", part434); - - var part435 = match("MESSAGE#252:00012:08", "nwparser.payload", "%{fld2}: Service %{service->} has been %{disposition->} from host %{saddr->} (%{fld1})", processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg254 = msg("00012:08", part435); - - var all83 = all_match({ - processors: [ - dup80, - dup343, - dup83, - ], - on_success: processor_chain([ - dup58, - dup2, - dup59, - dup9, - dup3, - dup4, - dup5, - dup61, - ]), - }); - - var msg255 = msg("00012:09", all83); - - var all84 = all_match({ - processors: [ - dup132, - dup343, - dup83, - ], - on_success: processor_chain([ - dup58, - dup2, - dup9, - dup59, - dup3, - dup4, - dup5, - dup60, - ]), - }); - - var msg256 = msg("00012:10", all84); - - var part436 = match("MESSAGE#255:00012:11", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to %{daddr}:%{dport}, using protocol %{protocol}, on zone %{zone->} interface %{interface}.The attack occurred %{dclass_counter1->} times. 
(%{fld1})", processor_chain([ - dup58, - dup2, - dup3, - dup4, - dup59, - dup5, - dup9, - dup61, - ])); - - var msg257 = msg("00012:11", part436); - - var part437 = match("MESSAGE#256:00012:12", "nwparser.payload", "%{signame->} from %{saddr}/%{sport->} to %{daddr}/%{dport->} protocol %{protocol->} (%{zone}) %{info->} (%{fld1})", processor_chain([ - dup58, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg258 = msg("00012:12", part437); - - var part438 = match("MESSAGE#257:00012", "nwparser.payload", "Service group %{group->} has been %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg259 = msg("00012", part438); - - var part439 = match("MESSAGE#258:00012:01", "nwparser.payload", "Service %{service->} has been %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg260 = msg("00012:01", part439); - - var select101 = linear_select([ - msg248, - msg249, - msg250, - msg251, - msg252, - msg253, - msg254, - msg255, - msg256, - msg257, - msg258, - msg259, - msg260, - ]); - - var part440 = match("MESSAGE#259:00013", "nwparser.payload", "Global Manager error in decoding bytes has been detected%{}", processor_chain([ - dup86, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg261 = msg("00013", part440); - - var part441 = match("MESSAGE#260:00013:01", "nwparser.payload", "Intruder has attempted to connect to the NetScreen-Global Manager port! 
From %{saddr}:%{sport->} to %{daddr}:%{dport->} using protocol %{protocol->} at interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([ - dup58, - dup2, - dup3, - dup59, - dup4, - dup5, - dup61, - setc("signame","An Attempt to connect to NetScreen-Global Manager Port."), - ])); - - var msg262 = msg("00013:01", part441); - - var part442 = match("MESSAGE#261:00013:02", "nwparser.payload", "URL Filtering %{fld2->} has been changed to %{fld3}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg263 = msg("00013:02", part442); - - var part443 = match("MESSAGE#262:00013:03", "nwparser.payload", "Web Filtering has been %{disposition->} (%{fld1})", processor_chain([ - dup50, - dup43, - dup51, - dup2, - dup4, - dup5, - dup9, - ])); - - var msg264 = msg("00013:03", part443); - - var select102 = linear_select([ - msg261, - msg262, - msg263, - msg264, - ]); - - var part444 = match("MESSAGE#263:00014", "nwparser.payload", "%{change_attribute->} in minutes has changed from %{change_old->} to %{change_new}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg265 = msg("00014", part444); - - var part445 = match("MESSAGE#264:00014:01/0", "nwparser.payload", "The group member %{username->} has been %{disposition->} %{p0}"); - - var part446 = match("MESSAGE#264:00014:01/1_0", "nwparser.p0", "to a group%{}"); - - var part447 = match("MESSAGE#264:00014:01/1_1", "nwparser.p0", "from a group%{}"); - - var select103 = linear_select([ - part446, - part447, - ]); - - var all85 = all_match({ - processors: [ - part445, - select103, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg266 = msg("00014:01", all85); - - var part448 = match("MESSAGE#265:00014:02", "nwparser.payload", "The user group %{group->} has been %{disposition->} by %{username}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg267 = msg("00014:02", part448); - 
- var part449 = match("MESSAGE#266:00014:03", "nwparser.payload", "The user %{username->} has been %{disposition->} by %{administrator}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg268 = msg("00014:03", part449); - - var part450 = match("MESSAGE#267:00014:04", "nwparser.payload", "Communication error with %{hostname->} server { %{hostip->} }: SrvErr (%{fld2}), SockErr (%{fld3}), Valid (%{fld4}),Connected (%{fld5})", processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg269 = msg("00014:04", part450); - - var part451 = match("MESSAGE#268:00014:05", "nwparser.payload", "System clock configurations have been %{disposition->} by admin %{administrator}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg270 = msg("00014:05", part451); - - var part452 = match("MESSAGE#269:00014:06", "nwparser.payload", "System clock is %{disposition->} manually.", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg271 = msg("00014:06", part452); - - var part453 = match("MESSAGE#270:00014:07", "nwparser.payload", "System up time is %{disposition->} by %{fld2}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg272 = msg("00014:07", part453); - - var part454 = match("MESSAGE#271:00014:08", "nwparser.payload", "Communication error with %{hostname->} server[%{hostip}]: SrvErr(%{fld2}),SockErr(%{fld3}),Valid(%{fld4}),Connected(%{fld5}) (%{fld1})", processor_chain([ - dup27, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg273 = msg("00014:08", part454); - - var select104 = linear_select([ - msg265, - msg266, - msg267, - msg268, - msg269, - msg270, - msg271, - msg272, - msg273, - ]); - - var part455 = match("MESSAGE#272:00015", "nwparser.payload", "Authentication type has been changed to %{authmethod}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg274 = msg("00015", part455); - - var part456 = match("MESSAGE#273:00015:01", 
"nwparser.payload", "IP tracking to %{daddr->} has %{disposition}", processor_chain([ - dup86, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg275 = msg("00015:01", part456); - - var part457 = match("MESSAGE#274:00015:02/0", "nwparser.payload", "LDAP %{p0}"); - - var part458 = match("MESSAGE#274:00015:02/1_0", "nwparser.p0", "server name %{p0}"); - - var part459 = match("MESSAGE#274:00015:02/1_2", "nwparser.p0", "distinguished name %{p0}"); - - var part460 = match("MESSAGE#274:00015:02/1_3", "nwparser.p0", "common name %{p0}"); - - var select105 = linear_select([ - part458, - dup137, - part459, - part460, - ]); - - var all86 = all_match({ - processors: [ - part457, - select105, - dup138, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg276 = msg("00015:02", all86); - - var part461 = match("MESSAGE#275:00015:03", "nwparser.payload", "Primary HA link has gone down. Local NetScreen device has begun using the secondary HA link%{}", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg277 = msg("00015:03", part461); - - var part462 = match("MESSAGE#276:00015:04/0", "nwparser.payload", "RADIUS server %{p0}"); - - var part463 = match("MESSAGE#276:00015:04/1_2", "nwparser.p0", "secret %{p0}"); - - var select106 = linear_select([ - dup139, - dup140, - part463, - ]); - - var all87 = all_match({ - processors: [ - part462, - select106, - dup138, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg278 = msg("00015:04", all87); - - var part464 = match("MESSAGE#277:00015:05/0", "nwparser.payload", "SecurID %{p0}"); - - var part465 = match("MESSAGE#277:00015:05/1_0", "nwparser.p0", "authentication port %{p0}"); - - var part466 = match("MESSAGE#277:00015:05/1_1", "nwparser.p0", "duress mode %{p0}"); - - var part467 = match("MESSAGE#277:00015:05/1_3", "nwparser.p0", "number of retries value %{p0}"); - - var select107 = linear_select([ - part465, - part466, - 
dup76, - part467, - ]); - - var all88 = all_match({ - processors: [ - part464, - select107, - dup138, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg279 = msg("00015:05", all88); - - var part468 = match("MESSAGE#278:00015:06/0_0", "nwparser.payload", "Master %{p0}"); - - var part469 = match("MESSAGE#278:00015:06/0_1", "nwparser.payload", "Backup %{p0}"); - - var select108 = linear_select([ - part468, - part469, - ]); - - var part470 = match("MESSAGE#278:00015:06/1", "nwparser.p0", "SecurID server IP address has been %{disposition}"); - - var all89 = all_match({ - processors: [ - select108, - part470, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg280 = msg("00015:06", all89); - - var part471 = match("MESSAGE#279:00015:07", "nwparser.payload", "HA change from slave to master%{}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg281 = msg("00015:07", part471); - - var part472 = match("MESSAGE#280:00015:08", "nwparser.payload", "inconsistent configuration between master and slave%{}", processor_chain([ - dup141, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg282 = msg("00015:08", part472); - - var part473 = match("MESSAGE#281:00015:09/0_0", "nwparser.payload", "configuration %{p0}"); - - var part474 = match("MESSAGE#281:00015:09/0_1", "nwparser.payload", "Configuration %{p0}"); - - var select109 = linear_select([ - part473, - part474, - ]); - - var part475 = match("MESSAGE#281:00015:09/1", "nwparser.p0", "out of sync between local unit and remote unit%{}"); - - var all90 = all_match({ - processors: [ - select109, - part475, - ], - on_success: processor_chain([ - dup141, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg283 = msg("00015:09", all90); - - var part476 = match("MESSAGE#282:00015:10", "nwparser.payload", "HA control channel change to %{interface}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - 
var msg284 = msg("00015:10", part476); - - var part477 = match("MESSAGE#283:00015:11", "nwparser.payload", "HA data channel change to %{interface}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg285 = msg("00015:11", part477); - - var part478 = match("MESSAGE#284:00015:12/1_0", "nwparser.p0", "control %{p0}"); - - var part479 = match("MESSAGE#284:00015:12/1_1", "nwparser.p0", "data %{p0}"); - - var select110 = linear_select([ - part478, - part479, - ]); - - var part480 = match("MESSAGE#284:00015:12/2", "nwparser.p0", "channel moved from link %{p0}"); - - var part481 = match("MESSAGE#284:00015:12/6", "nwparser.p0", "(%{interface})"); - - var all91 = all_match({ - processors: [ - dup87, - select110, - part480, - dup353, - dup103, - dup353, - part481, - ], - on_success: processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg286 = msg("00015:12", all91); - - var part482 = match("MESSAGE#285:00015:13", "nwparser.payload", "HA: Slave is down%{}", processor_chain([ - dup144, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg287 = msg("00015:13", part482); - - var part483 = match("MESSAGE#286:00015:14/0", "nwparser.payload", "NSRP link %{p0}"); - - var all92 = all_match({ - processors: [ - part483, - dup353, - dup116, - ], - on_success: processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg288 = msg("00015:14", all92); - - var part484 = match("MESSAGE#287:00015:15", "nwparser.payload", "no HA %{fld2->} channel available (%{fld3->} used by other channel)", processor_chain([ - dup117, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg289 = msg("00015:15", part484); - - var part485 = match("MESSAGE#288:00015:16", "nwparser.payload", "The NSRP configuration is out of synchronization between the local device and the peer device.%{}", processor_chain([ - dup18, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg290 = msg("00015:16", part485); - - var part486 = match("MESSAGE#289:00015:17", 
"nwparser.payload", "NSRP %{change_attribute->} %{change_old->} changed to link channel %{change_new}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg291 = msg("00015:17", part486); - - var part487 = match("MESSAGE#290:00015:18", "nwparser.payload", "RTO mirror group %{group->} with direction %{direction->} on peer device %{fld2->} changed from %{fld3->} to %{fld4->} state.", processor_chain([ - dup121, - dup2, - dup3, - dup4, - dup5, - setc("change_attribute","RTO mirror group"), - ])); - - var msg292 = msg("00015:18", part487); - - var part488 = match("MESSAGE#291:00015:19", "nwparser.payload", "RTO mirror group %{group->} with direction %{direction->} on local device %{fld2}, detected a duplicate direction on the peer device %{fld3}", processor_chain([ - dup18, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg293 = msg("00015:19", part488); - - var part489 = match("MESSAGE#292:00015:20", "nwparser.payload", "RTO mirror group %{group->} with direction %{direction->} changed on the local device from %{fld2->} to up state, it had peer device %{fld3}", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg294 = msg("00015:20", part489); - - var part490 = match("MESSAGE#293:00015:21/0", "nwparser.payload", "Peer device %{fld2->} %{p0}"); - - var part491 = match("MESSAGE#293:00015:21/1_0", "nwparser.p0", "disappeared %{p0}"); - - var part492 = match("MESSAGE#293:00015:21/1_1", "nwparser.p0", "was discovered %{p0}"); - - var select111 = linear_select([ - part491, - part492, - ]); - - var all93 = all_match({ - processors: [ - part490, - select111, - dup116, - ], - on_success: processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg295 = msg("00015:21", all93); - - var part493 = match("MESSAGE#294:00015:22/0_0", "nwparser.payload", "The local %{p0}"); - - var part494 = match("MESSAGE#294:00015:22/0_1", "nwparser.payload", "The peer %{p0}"); - - var part495 = match("MESSAGE#294:00015:22/0_2", 
"nwparser.payload", "Peer %{p0}"); - - var select112 = linear_select([ - part493, - part494, - part495, - ]); - - var part496 = match("MESSAGE#294:00015:22/1", "nwparser.p0", "device %{fld2->} in the Virtual Security Device group %{group->} changed %{change_attribute->} from %{change_old->} to %{change_new->} %{p0}"); - - var all94 = all_match({ - processors: [ - select112, - part496, - dup354, - ], - on_success: processor_chain([ - dup44, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg296 = msg("00015:22", all94); - - var part497 = match("MESSAGE#295:00015:23", "nwparser.payload", "WebAuth is set to %{fld2}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg297 = msg("00015:23", part497); - - var part498 = match("MESSAGE#296:00015:24", "nwparser.payload", "Default firewall authentication server has been changed to %{hostname}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg298 = msg("00015:24", part498); - - var part499 = match("MESSAGE#297:00015:25", "nwparser.payload", "Admin user %{administrator->} attempted to verify the encrypted password %{fld2}. Verification was successful", processor_chain([ - setc("eventcategory","1613050100"), - dup2, - dup3, - dup4, - dup5, - ])); - - var msg299 = msg("00015:25", part499); - - var part500 = match("MESSAGE#298:00015:29", "nwparser.payload", "Admin user %{administrator->} attempted to verify the encrypted password %{fld2}. 
Verification failed", processor_chain([ - dup97, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg300 = msg("00015:29", part500); - - var part501 = match("MESSAGE#299:00015:26/0", "nwparser.payload", "unit %{fld2->} just dis%{p0}"); - - var part502 = match("MESSAGE#299:00015:26/1_0", "nwparser.p0", "appeared%{}"); - - var part503 = match("MESSAGE#299:00015:26/1_1", "nwparser.p0", "covered%{}"); - - var select113 = linear_select([ - part502, - part503, - ]); - - var all95 = all_match({ - processors: [ - part501, - select113, - ], - on_success: processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg301 = msg("00015:26", all95); - - var part504 = match("MESSAGE#300:00015:33", "nwparser.payload", "NSRP: HA data channel change to %{interface}. (%{fld2})", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - dup146, - ])); - - var msg302 = msg("00015:33", part504); - - var part505 = match("MESSAGE#301:00015:27", "nwparser.payload", "NSRP: %{fld2}", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg303 = msg("00015:27", part505); - - var part506 = match("MESSAGE#302:00015:28", "nwparser.payload", "Auth server %{hostname->} RADIUS retry timeout has been set to default of %{fld2}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg304 = msg("00015:28", part506); - - var part507 = match("MESSAGE#303:00015:30/0", "nwparser.payload", "Number of RADIUS retries for auth server %{hostname->} %{p0}"); - - var part508 = match("MESSAGE#303:00015:30/2", "nwparser.p0", "set to %{fld2->} (%{fld1})"); - - var all96 = all_match({ - processors: [ - part507, - dup355, - part508, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg305 = msg("00015:30", all96); - - var part509 = match("MESSAGE#304:00015:31", "nwparser.payload", "Forced timeout for Auth server %{hostname->} is unset to its default value, %{info->} (%{fld1})", processor_chain([ - 
dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg306 = msg("00015:31", part509); - - var part510 = match("MESSAGE#305:00015:32", "nwparser.payload", "Accounting port of server RADIUS is set to %{network_port}. (%{fld1})", processor_chain([ - dup50, - dup43, - dup51, - dup2, - dup4, - dup5, - dup9, - ])); - - var msg307 = msg("00015:32", part510); - - var select114 = linear_select([ - msg274, - msg275, - msg276, - msg277, - msg278, - msg279, - msg280, - msg281, - msg282, - msg283, - msg284, - msg285, - msg286, - msg287, - msg288, - msg289, - msg290, - msg291, - msg292, - msg293, - msg294, - msg295, - msg296, - msg297, - msg298, - msg299, - msg300, - msg301, - msg302, - msg303, - msg304, - msg305, - msg306, - msg307, - ]); - - var part511 = match("MESSAGE#306:00016", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to %{daddr->} using protocol %{protocol->} on interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([ - dup147, - dup148, - dup149, - dup150, - dup2, - dup3, - dup59, - dup4, - dup5, - dup61, - ])); - - var msg308 = msg("00016", part511); - - var part512 = match("MESSAGE#307:00016:01", "nwparser.payload", "Address VIP (%{fld2}) for %{fld3->} has been %{disposition}.", processor_chain([ - dup1, - dup148, - dup149, - dup150, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg309 = msg("00016:01", part512); - - var part513 = match("MESSAGE#308:00016:02", "nwparser.payload", "VIP (%{fld2}) has been %{disposition}", processor_chain([ - dup1, - dup148, - dup149, - dup150, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg310 = msg("00016:02", part513); - - var part514 = match("MESSAGE#309:00016:03", "nwparser.payload", "%{signame->} from %{saddr}/%{sport->} to %{daddr}/%{dport->} protocol %{protocol->} (%{fld2})", processor_chain([ - dup147, - dup148, - dup149, - dup150, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg311 = msg("00016:03", part514); - - var part515 = 
match("MESSAGE#310:00016:05", "nwparser.payload", "VIP multi-port was %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg312 = msg("00016:05", part515); - - var part516 = match("MESSAGE#311:00016:06", "nwparser.payload", "%{signame->} has been detected! From %{saddr}:%{sport->} to %{daddr}:%{dport}, using protocol %{protocol}, and arriving at interface %{dinterface->} in zone %{dst_zone}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([ - dup147, - dup148, - dup149, - dup150, - dup2, - dup3, - dup59, - dup4, - dup5, - dup61, - ])); - - var msg313 = msg("00016:06", part516); - - var part517 = match("MESSAGE#312:00016:07/0", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to %{daddr}:%{dport}, proto %{protocol->} ( zone %{p0}"); - - var all97 = all_match({ - processors: [ - part517, - dup338, - dup67, - ], - on_success: processor_chain([ - dup147, - dup148, - dup149, - dup150, - dup2, - dup9, - dup59, - dup3, - dup4, - dup5, - dup61, - ]), - }); - - var msg314 = msg("00016:07", all97); - - var part518 = match("MESSAGE#313:00016:08", "nwparser.payload", "VIP (%{fld2}:%{fld3->} HTTP %{fld4}) Modify by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport->} (%{fld1})", processor_chain([ - setc("eventcategory","1001020305"), - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg315 = msg("00016:08", part518); - - var part519 = match("MESSAGE#314:00016:09", "nwparser.payload", "VIP (%{fld2}:%{fld3->} HTTP %{fld4}) New by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport->} (%{fld1})", processor_chain([ - setc("eventcategory","1001030305"), - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg316 = msg("00016:09", part519); - - var select115 = linear_select([ - msg308, - msg309, - msg310, - msg311, - msg312, - msg313, - msg314, - msg315, - msg316, - ]); - - var part520 = match("MESSAGE#315:00017", "nwparser.payload", "%{signame->} From 
%{saddr}:%{sport->} using protocol %{protocol->} on interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([ - dup151, - dup2, - dup3, - dup59, - dup4, - dup5, - ])); - - var msg317 = msg("00017", part520); - - var part521 = match("MESSAGE#316:00017:23/0", "nwparser.payload", "Gateway %{fld2->} at %{fld3->} in %{fld5->} mode with ID %{p0}"); - - var part522 = match("MESSAGE#316:00017:23/1_0", "nwparser.p0", "[%{fld4}] %{p0}"); - - var part523 = match("MESSAGE#316:00017:23/1_1", "nwparser.p0", "%{fld4->} %{p0}"); - - var select116 = linear_select([ - part522, - part523, - ]); - - var part524 = match("MESSAGE#316:00017:23/2", "nwparser.p0", "has been %{disposition->} by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport->} %{fld}"); - - var all98 = all_match({ - processors: [ - part521, - select116, - part524, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg318 = msg("00017:23", all98); - - var part525 = match("MESSAGE#317:00017:01/0_0", "nwparser.payload", "%{fld1}: Gateway %{p0}"); - - var part526 = match("MESSAGE#317:00017:01/0_1", "nwparser.payload", "Gateway %{p0}"); - - var select117 = linear_select([ - part525, - part526, - ]); - - var part527 = match("MESSAGE#317:00017:01/1", "nwparser.p0", "%{fld2->} at %{fld3->} in %{fld5->} mode with ID%{p0}"); - - var part528 = match("MESSAGE#317:00017:01/3", "nwparser.p0", "%{fld4->} has been %{disposition}"); - - var all99 = all_match({ - processors: [ - select117, - part527, - dup356, - part528, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg319 = msg("00017:01", all99); - - var part529 = match("MESSAGE#318:00017:02", "nwparser.payload", "IKE %{hostip}: Gateway settings have been %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg320 = msg("00017:02", part529); - - var part530 = match("MESSAGE#319:00017:03", 
"nwparser.payload", "IKE key %{fld2->} has been %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg321 = msg("00017:03", part530); - - var part531 = match("MESSAGE#320:00017:04/2", "nwparser.p0", "%{group_object->} with range %{fld2->} has been %{disposition}"); - - var all100 = all_match({ - processors: [ - dup153, - dup357, - part531, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg322 = msg("00017:04", all100); - - var part532 = match("MESSAGE#321:00017:05", "nwparser.payload", "IPSec NAT-T for VPN %{group->} has been %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg323 = msg("00017:05", part532); - - var part533 = match("MESSAGE#322:00017:06/0", "nwparser.payload", "The DF-BIT for VPN %{group->} has been set to %{p0}"); - - var part534 = match("MESSAGE#322:00017:06/1_0", "nwparser.p0", "clear %{p0}"); - - var part535 = match("MESSAGE#322:00017:06/1_2", "nwparser.p0", "copy %{p0}"); - - var select118 = linear_select([ - part534, - dup101, - part535, - ]); - - var all101 = all_match({ - processors: [ - part533, - select118, - dup116, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg324 = msg("00017:06", all101); - - var part536 = match("MESSAGE#323:00017:07/0", "nwparser.payload", "The DF-BIT for VPN %{group->} has been %{p0}"); - - var part537 = match("MESSAGE#323:00017:07/1_0", "nwparser.p0", "clear%{}"); - - var part538 = match("MESSAGE#323:00017:07/1_1", "nwparser.p0", "cleared%{}"); - - var part539 = match("MESSAGE#323:00017:07/1_3", "nwparser.p0", "copy%{}"); - - var part540 = match("MESSAGE#323:00017:07/1_4", "nwparser.p0", "copied%{}"); - - var select119 = linear_select([ - part537, - part538, - dup98, - part539, - part540, - ]); - - var all102 = all_match({ - processors: [ - part536, - select119, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - 
dup5, - ]), - }); - - var msg325 = msg("00017:07", all102); - - var part541 = match("MESSAGE#324:00017:08", "nwparser.payload", "VPN %{group->} with gateway %{fld2->} and SPI %{fld3}/%{fld4->} has been %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg326 = msg("00017:08", part541); - - var part542 = match("MESSAGE#325:00017:09/0_0", "nwparser.payload", "%{fld1}: VPN %{p0}"); - - var part543 = match("MESSAGE#325:00017:09/0_1", "nwparser.payload", "VPN %{p0}"); - - var select120 = linear_select([ - part542, - part543, - ]); - - var part544 = match("MESSAGE#325:00017:09/1", "nwparser.p0", "%{group->} with gateway %{fld2->} %{p0}"); - - var part545 = match("MESSAGE#325:00017:09/2_0", "nwparser.p0", "no-rekey %{p0}"); - - var part546 = match("MESSAGE#325:00017:09/2_1", "nwparser.p0", "rekey, %{p0}"); - - var part547 = match("MESSAGE#325:00017:09/2_2", "nwparser.p0", "rekey %{p0}"); - - var select121 = linear_select([ - part545, - part546, - part547, - ]); - - var part548 = match("MESSAGE#325:00017:09/3", "nwparser.p0", "and p2-proposal %{fld3->} has been %{p0}"); - - var part549 = match("MESSAGE#325:00017:09/4_0", "nwparser.p0", "%{disposition->} from peer unit"); - - var part550 = match("MESSAGE#325:00017:09/4_1", "nwparser.p0", "%{disposition->} from host %{saddr}"); - - var select122 = linear_select([ - part549, - part550, - dup36, - ]); - - var all103 = all_match({ - processors: [ - select120, - part544, - select121, - part548, - select122, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg327 = msg("00017:09", all103); - - var part551 = match("MESSAGE#326:00017:10/0", "nwparser.payload", "VPN monitoring for VPN %{group->} has been %{disposition}. 
Src IF %{sinterface->} dst IP %{daddr->} with rekeying %{p0}"); - - var all104 = all_match({ - processors: [ - part551, - dup358, - dup116, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg328 = msg("00017:10", all104); - - var part552 = match("MESSAGE#327:00017:11", "nwparser.payload", "VPN monitoring for VPN %{group->} has been %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg329 = msg("00017:11", part552); - - var part553 = match("MESSAGE#328:00017:12/0", "nwparser.payload", "VPN monitoring %{p0}"); - - var part554 = match("MESSAGE#328:00017:12/1_2", "nwparser.p0", "frequency %{p0}"); - - var select123 = linear_select([ - dup109, - dup110, - part554, - ]); - - var all105 = all_match({ - processors: [ - part553, - select123, - dup127, - dup359, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg330 = msg("00017:12", all105); - - var part555 = match("MESSAGE#329:00017:26", "nwparser.payload", "VPN %{group->} with gateway %{fld2->} and P2 proposal %{fld3->} has been added by %{username->} via %{logon_type->} from host %{saddr}:%{sport}. (%{fld1})", processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg331 = msg("00017:26", part555); - - var part556 = match("MESSAGE#330:00017:13", "nwparser.payload", "No IP pool has been assigned. You cannot allocate an IP address.%{}", processor_chain([ - dup18, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg332 = msg("00017:13", part556); - - var part557 = match("MESSAGE#331:00017:14", "nwparser.payload", "P1 proposal %{fld2->} with %{protocol_detail}, DH group %{group}, ESP %{encryption_type}, auth %{authmethod}, and lifetime %{fld3->} has been %{disposition->} by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport}. 
(%{fld1})", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup9, - dup5, - ])); - - var msg333 = msg("00017:14", part557); - - var part558 = match("MESSAGE#332:00017:15/0", "nwparser.payload", "P2 proposal %{fld2->} with DH group %{group->} %{p0}"); - - var part559 = match("MESSAGE#332:00017:15/2", "nwparser.p0", "%{encryption_type->} auth %{authmethod->} and lifetime (%{fld3}) (%{fld4}) has been %{disposition}."); - - var all106 = all_match({ - processors: [ - part558, - dup360, - part559, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg334 = msg("00017:15", all106); - - var part560 = match("MESSAGE#333:00017:31/0", "nwparser.payload", "P1 proposal %{fld2->} with %{protocol_detail->} DH group %{group->} %{p0}"); - - var part561 = match("MESSAGE#333:00017:31/2", "nwparser.p0", "%{encryption_type->} auth %{authmethod->} and lifetime %{fld3->} has been %{disposition}."); - - var all107 = all_match({ - processors: [ - part560, - dup360, - part561, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg335 = msg("00017:31", all107); - - var part562 = match("MESSAGE#334:00017:16/0", "nwparser.payload", "vpnmonitor interval is %{p0}"); - - var all108 = all_match({ - processors: [ - part562, - dup359, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg336 = msg("00017:16", all108); - - var part563 = match("MESSAGE#335:00017:17/0", "nwparser.payload", "vpnmonitor threshold is %{p0}"); - - var select124 = linear_select([ - dup99, - dup93, - ]); - - var all109 = all_match({ - processors: [ - part563, - select124, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg337 = msg("00017:17", all109); - - var part564 = match("MESSAGE#336:00017:18/2", "nwparser.p0", "%{group_object->} with range %{fld2->} was %{disposition}"); - - var all110 = all_match({ - processors: [ - dup153, - 
dup357, - part564, - ], - on_success: processor_chain([ - dup50, - dup43, - dup51, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg338 = msg("00017:18", all110); - - var part565 = match("MESSAGE#337:00017:19/0", "nwparser.payload", "%{signame->} From %{saddr->} to %{daddr}, using protocol %{protocol}, and arriving at %{p0}"); - - var part566 = match("MESSAGE#337:00017:19/2", "nwparser.p0", "%{} %{dinterface->} in zone %{dst_zone}.%{space}The attack occurred %{dclass_counter1->} times"); - - var all111 = all_match({ - processors: [ - part565, - dup337, - part566, - ], - on_success: processor_chain([ - dup151, - dup2, - dup3, - dup59, - dup4, - dup5, - ]), - }); - - var msg339 = msg("00017:19", all111); - - var all112 = all_match({ - processors: [ - dup64, - dup338, - dup67, - ], - on_success: processor_chain([ - dup151, - dup2, - dup9, - dup59, - dup3, - dup4, - dup5, - ]), - }); - - var msg340 = msg("00017:20", all112); - - var part567 = match("MESSAGE#339:00017:21", "nwparser.payload", "%{signame->} From %{saddr->} to %{daddr}, using protocol %{protocol}, on zone %{zone->} interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([ - dup151, - dup2, - dup3, - dup59, - dup4, - dup5, - ])); - - var msg341 = msg("00017:21", part567); - - var part568 = match("MESSAGE#340:00017:22", "nwparser.payload", "VPN %{group->} with gateway %{fld2->} and P2 proposal %{fld3->} has been %{disposition->} by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport->} (%{fld1})", processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg342 = msg("00017:22", part568); - - var part569 = match("MESSAGE#341:00017:24", "nwparser.payload", "VPN \"%{group}\" has been bound to tunnel interface %{interface}. 
(%{fld1})", processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg343 = msg("00017:24", part569); - - var part570 = match("MESSAGE#342:00017:25", "nwparser.payload", "VPN %{group->} with gateway %{fld2->} and P2 proposal standard has been added by admin %{administrator->} via NSRP Peer (%{fld1})", processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg344 = msg("00017:25", part570); - - var part571 = match("MESSAGE#343:00017:28", "nwparser.payload", "P2 proposal %{fld2->} with DH group %{group}, ESP, enc %{encryption_type}, auth %{authmethod}, and lifetime %{fld3->} has been %{disposition->} by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport}. (%{fld1})", processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg345 = msg("00017:28", part571); - - var part572 = match("MESSAGE#344:00017:29", "nwparser.payload", "L2TP \"%{fld2}\", all-L2TP-users secret \"%{fld3}\" keepalive %{fld4->} has been %{disposition->} by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport}. 
(%{fld1})", processor_chain([ - dup1, - dup2, - dup4, - dup5, - dup9, - ])); - - var msg346 = msg("00017:29", part572); - - var select125 = linear_select([ - msg317, - msg318, - msg319, - msg320, - msg321, - msg322, - msg323, - msg324, - msg325, - msg326, - msg327, - msg328, - msg329, - msg330, - msg331, - msg332, - msg333, - msg334, - msg335, - msg336, - msg337, - msg338, - msg339, - msg340, - msg341, - msg342, - msg343, - msg344, - msg345, - msg346, - ]); - - var part573 = match("MESSAGE#345:00018", "nwparser.payload", "Positions of policies %{fld2->} and %{fld3->} have been exchanged", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg347 = msg("00018", part573); - - var part574 = match("MESSAGE#346:00018:01", "nwparser.payload", "Deny Policy Alarm%{}", processor_chain([ - setc("eventcategory","1502010000"), - dup2, - dup4, - dup5, - dup3, - ])); - - var msg348 = msg("00018:01", part574); - - var part575 = match("MESSAGE#347:00018:02", "nwparser.payload", "Device%{quote}s %{change_attribute->} has been changed from %{change_old->} to %{change_new->} by admin %{administrator}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg349 = msg("00018:02", part575); - - var part576 = match("MESSAGE#348:00018:04", "nwparser.payload", "%{fld2->} Policy (%{policy_id}, %{info->} ) was %{disposition->} from host %{saddr->} by admin %{administrator->} (%{fld1})", processor_chain([ - dup17, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg350 = msg("00018:04", part576); - - var part577 = match("MESSAGE#349:00018:16", "nwparser.payload", "%{fld2->} Policy (%{policy_id}, %{info->} ) was %{disposition->} by admin %{administrator->} via NSRP Peer", processor_chain([ - dup17, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg351 = msg("00018:16", part577); - - var part578 = match("MESSAGE#350:00018:06/0", "nwparser.payload", "%{fld2->} Policy %{policy_id->} has been moved %{p0}"); - - var part579 = 
match("MESSAGE#350:00018:06/1_0", "nwparser.p0", "before %{p0}"); - - var part580 = match("MESSAGE#350:00018:06/1_1", "nwparser.p0", "after %{p0}"); - - var select126 = linear_select([ - part579, - part580, - ]); - - var part581 = match("MESSAGE#350:00018:06/2", "nwparser.p0", "%{fld3->} by admin %{administrator}"); - - var all113 = all_match({ - processors: [ - part578, - select126, - part581, - ], - on_success: processor_chain([ - dup17, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg352 = msg("00018:06", all113); - - var part582 = match("MESSAGE#351:00018:08", "nwparser.payload", "Policy %{policy_id->} application was modified to %{disposition->} by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport->} (%{fld1})", processor_chain([ - dup17, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg353 = msg("00018:08", part582); - - var part583 = match("MESSAGE#352:00018:09", "nwparser.payload", "Policy (%{policy_id}, %{info}) was %{disposition->} by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport->} (%{fld1})", processor_chain([ - dup17, - dup3, - dup2, - dup9, - dup4, - dup5, - ])); - - var msg354 = msg("00018:09", part583); - - var part584 = match("MESSAGE#353:00018:10/0", "nwparser.payload", "Policy (%{policy_id}, %{info}) was %{p0}"); - - var part585 = match("MESSAGE#353:00018:10/1_0", "nwparser.p0", "%{disposition->} from peer unit by %{p0}"); - - var part586 = match("MESSAGE#353:00018:10/1_1", "nwparser.p0", "%{disposition->} by %{p0}"); - - var select127 = linear_select([ - part585, - part586, - ]); - - var part587 = match("MESSAGE#353:00018:10/2", "nwparser.p0", "%{username->} via %{interface->} from host %{saddr->} (%{fld1})"); - - var all114 = all_match({ - processors: [ - part584, - select127, - part587, - ], - on_success: processor_chain([ - dup17, - dup3, - dup2, - dup9, - dup4, - dup5, - ]), - }); - - var msg355 = msg("00018:10", all114); - - var part588 = match("MESSAGE#354:00018:11/1_0", 
"nwparser.p0", "Service %{service->} was %{p0}"); - - var part589 = match("MESSAGE#354:00018:11/1_1", "nwparser.p0", "Attack group %{signame->} was %{p0}"); - - var select128 = linear_select([ - part588, - part589, - ]); - - var part590 = match("MESSAGE#354:00018:11/2", "nwparser.p0", "%{disposition->} to policy ID %{policy_id->} by %{username->} via %{logon_type->} from host %{saddr->} %{p0}"); - - var part591 = match("MESSAGE#354:00018:11/3_0", "nwparser.p0", "to %{daddr}:%{dport}. %{p0}"); - - var select129 = linear_select([ - part591, - dup16, - ]); - - var all115 = all_match({ - processors: [ - dup160, - select128, - part590, - select129, - dup10, - ], - on_success: processor_chain([ - dup17, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg356 = msg("00018:11", all115); - - var part592 = match("MESSAGE#355:00018:12/0", "nwparser.payload", "In policy %{policy_id}, the %{p0}"); - - var part593 = match("MESSAGE#355:00018:12/1_0", "nwparser.p0", "application %{p0}"); - - var part594 = match("MESSAGE#355:00018:12/1_1", "nwparser.p0", "attack severity %{p0}"); - - var part595 = match("MESSAGE#355:00018:12/1_2", "nwparser.p0", "DI attack component %{p0}"); - - var select130 = linear_select([ - part593, - part594, - part595, - ]); - - var part596 = match("MESSAGE#355:00018:12/2", "nwparser.p0", "was modified by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport->} (%{fld1})"); - - var all116 = all_match({ - processors: [ - part592, - select130, - part596, - ], - on_success: processor_chain([ - dup17, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg357 = msg("00018:12", all116); - - var part597 = match("MESSAGE#356:00018:32/1", "nwparser.p0", "%{}address %{dhost}(%{daddr}) was %{disposition->} %{p0}"); - - var all117 = all_match({ - processors: [ - dup361, - part597, - dup362, - dup164, - ], - on_success: processor_chain([ - dup17, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg358 = msg("00018:32", 
all117); - - var part598 = match("MESSAGE#357:00018:22/1", "nwparser.p0", "%{}address %{dhost->} was %{disposition->} %{p0}"); - - var all118 = all_match({ - processors: [ - dup361, - part598, - dup362, - dup164, - ], - on_success: processor_chain([ - dup17, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg359 = msg("00018:22", all118); - - var part599 = match("MESSAGE#358:00018:15/0", "nwparser.payload", "%{agent->} was %{disposition->} from policy %{policy_id->} %{p0}"); - - var select131 = linear_select([ - dup78, - dup77, - ]); - - var part600 = match("MESSAGE#358:00018:15/2", "nwparser.p0", "address by admin %{administrator->} via NSRP Peer"); - - var all119 = all_match({ - processors: [ - part599, - select131, - part600, - ], - on_success: processor_chain([ - dup17, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg360 = msg("00018:15", all119); - - var part601 = match("MESSAGE#359:00018:14/0", "nwparser.payload", "%{agent->} was %{disposition->} %{p0}"); - - var part602 = match("MESSAGE#359:00018:14/1_0", "nwparser.p0", "to%{p0}"); - - var part603 = match("MESSAGE#359:00018:14/1_1", "nwparser.p0", "from%{p0}"); - - var select132 = linear_select([ - part602, - part603, - ]); - - var part604 = match("MESSAGE#359:00018:14/2", "nwparser.p0", "%{}policy %{policy_id->} %{p0}"); - - var part605 = match("MESSAGE#359:00018:14/3_0", "nwparser.p0", "service %{p0}"); - - var part606 = match("MESSAGE#359:00018:14/3_1", "nwparser.p0", "source address %{p0}"); - - var part607 = match("MESSAGE#359:00018:14/3_2", "nwparser.p0", "destination address %{p0}"); - - var select133 = linear_select([ - part605, - part606, - part607, - ]); - - var part608 = match("MESSAGE#359:00018:14/4", "nwparser.p0", "by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport->} (%{fld1})"); - - var all120 = all_match({ - processors: [ - part601, - select132, - part604, - select133, - part608, - ], - on_success: processor_chain([ - dup17, - dup2, - dup3, - 
dup9, - dup4, - dup5, - ]), - }); - - var msg361 = msg("00018:14", all120); - - var part609 = match("MESSAGE#360:00018:29", "nwparser.payload", "Service %{service->} was %{disposition->} to policy ID %{policy_id->} by admin %{administrator->} via NSRP Peer . (%{fld1})", processor_chain([ - dup17, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg362 = msg("00018:29", part609); - - var part610 = match("MESSAGE#361:00018:07", "nwparser.payload", "%{agent->} was added to policy %{policy_id->} %{rule_group->} by admin %{administrator->} via NSRP Peer %{space->} (%{fld1})", processor_chain([ - dup17, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg363 = msg("00018:07", part610); - - var part611 = match("MESSAGE#362:00018:18", "nwparser.payload", "Service %{service->} was %{disposition->} to policy ID %{policy_id->} by %{username->} via %{logon_type->} to %{daddr}:%{dport->} (%{fld1})", processor_chain([ - dup17, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg364 = msg("00018:18", part611); - - var part612 = match("MESSAGE#363:00018:17", "nwparser.payload", "AntiSpam ns-profile was %{disposition->} from policy ID %{policy_id->} by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport}. 
(%{fld1})", processor_chain([ - dup17, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg365 = msg("00018:17", part612); - - var part613 = match("MESSAGE#364:00018:19", "nwparser.payload", "Source address Info %{info->} was %{disposition->} to policy ID %{policy_id->} by %{username->} via %{logon_type->} to %{daddr}:%{dport->} (%{fld1})", processor_chain([ - dup17, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg366 = msg("00018:19", part613); - - var part614 = match("MESSAGE#365:00018:23/0_0", "nwparser.payload", "Destination %{p0}"); - - var part615 = match("MESSAGE#365:00018:23/0_1", "nwparser.payload", "Source %{p0}"); - - var select134 = linear_select([ - part614, - part615, - ]); - - var part616 = match("MESSAGE#365:00018:23/1", "nwparser.p0", "address %{info->} was added to policy ID %{policy_id->} by %{username->} via %{logon_type->} %{p0}"); - - var part617 = match("MESSAGE#365:00018:23/2_0", "nwparser.p0", "from host %{p0}"); - - var select135 = linear_select([ - part617, - dup103, - ]); - - var part618 = match("MESSAGE#365:00018:23/4_0", "nwparser.p0", "%{saddr->} to %{daddr->} %{p0}"); - - var part619 = match("MESSAGE#365:00018:23/4_1", "nwparser.p0", "%{daddr->} %{p0}"); - - var select136 = linear_select([ - part618, - part619, - ]); - - var part620 = match("MESSAGE#365:00018:23/5", "nwparser.p0", "%{dport}:(%{fld1})"); - - var all121 = all_match({ - processors: [ - select134, - part616, - select135, - dup23, - select136, - part620, - ], - on_success: processor_chain([ - dup17, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg367 = msg("00018:23", all121); - - var part621 = match("MESSAGE#366:00018:21", "nwparser.payload", "Service %{service->} was deleted from policy ID %{policy_id->} by %{username->} via %{logon_type->} from host %{saddr}:%{sport}. 
(%{fld1})", processor_chain([ - dup17, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg368 = msg("00018:21", part621); - - var part622 = match("MESSAGE#367:00018:24", "nwparser.payload", "Policy (%{policyname}) was %{disposition->} by %{username->} via %{logon_type->} to %{daddr}:%{dport->} (%{fld1})", processor_chain([ - dup17, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg369 = msg("00018:24", part622); - - var part623 = match("MESSAGE#368:00018:25/1", "nwparser.p0", "%{}address %{info->} was added to policy ID %{policy_id->} by %{username->} via %{logon_type->} from host %{saddr}. (%{fld1})"); - - var all122 = all_match({ - processors: [ - dup363, - part623, - ], - on_success: processor_chain([ - dup17, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg370 = msg("00018:25", all122); - - var part624 = match("MESSAGE#369:00018:30/1", "nwparser.p0", "%{}address %{info->} was deleted from policy ID %{policy_id->} by %{username->} via %{logon_type->} from host %{saddr}. (%{fld1})"); - - var all123 = all_match({ - processors: [ - dup363, - part624, - ], - on_success: processor_chain([ - dup17, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg371 = msg("00018:30", all123); - - var part625 = match("MESSAGE#370:00018:26/0", "nwparser.payload", "In policy %{policy_id}, the application was modified to %{disposition->} by %{p0}"); - - var part626 = match("MESSAGE#370:00018:26/2_1", "nwparser.p0", "%{logon_type->} from host %{saddr}. (%{p0}"); - - var select137 = linear_select([ - dup48, - part626, - ]); - - var all124 = all_match({ - processors: [ - part625, - dup364, - select137, - dup41, - ], - on_success: processor_chain([ - dup17, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg372 = msg("00018:26", all124); - - var part627 = match("MESSAGE#371:00018:27", "nwparser.payload", "In policy %{policy_id}, the DI attack component was modified by %{username->} via %{logon_type->} from host %{saddr}:%{sport}. 
(%{fld1})", processor_chain([ - dup17, - dup2, - dup4, - dup5, - dup9, - ])); - - var msg373 = msg("00018:27", part627); - - var part628 = match("MESSAGE#372:00018:28", "nwparser.payload", "In policy %{policyname}, the DI attack component was modified by admin %{administrator->} via %{logon_type}. (%{fld1})", processor_chain([ - dup17, - dup2, - dup4, - dup5, - dup9, - setc("info","the DI attack component was modified"), - ])); - - var msg374 = msg("00018:28", part628); - - var part629 = match("MESSAGE#373:00018:03", "nwparser.payload", "Policy (%{policy_id}, %{info}) was %{disposition}", processor_chain([ - dup17, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg375 = msg("00018:03", part629); - - var part630 = match("MESSAGE#1213:00018:31", "nwparser.payload", "In policy %{policy_id}, the option %{fld2->} was %{disposition}. (%{fld1})", processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg376 = msg("00018:31", part630); - - var select138 = linear_select([ - msg347, - msg348, - msg349, - msg350, - msg351, - msg352, - msg353, - msg354, - msg355, - msg356, - msg357, - msg358, - msg359, - msg360, - msg361, - msg362, - msg363, - msg364, - msg365, - msg366, - msg367, - msg368, - msg369, - msg370, - msg371, - msg372, - msg373, - msg374, - msg375, - msg376, - ]); - - var part631 = match("MESSAGE#374:00019", "nwparser.payload", "Attempt to enable WebTrends has %{disposition->} because WebTrends settings have not yet been configured", processor_chain([ - dup18, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg377 = msg("00019", part631); - - var part632 = match("MESSAGE#375:00019:01/2", "nwparser.p0", "has %{disposition->} because syslog settings have not yet been configured"); - - var all125 = all_match({ - processors: [ - dup165, - dup365, - part632, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg378 = msg("00019:01", all125); - - var part633 = match("MESSAGE#376:00019:02/0", 
"nwparser.payload", "Socket cannot be assigned for %{p0}"); - - var part634 = match("MESSAGE#376:00019:02/1_0", "nwparser.p0", "WebTrends%{}"); - - var part635 = match("MESSAGE#376:00019:02/1_1", "nwparser.p0", "syslog%{}"); - - var select139 = linear_select([ - part634, - part635, - ]); - - var all126 = all_match({ - processors: [ - part633, - select139, - ], - on_success: processor_chain([ - dup18, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg379 = msg("00019:02", all126); - - var part636 = match("MESSAGE#377:00019:03", "nwparser.payload", "Syslog VPN encryption has been %{disposition}", processor_chain([ - dup91, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg380 = msg("00019:03", part636); - - var select140 = linear_select([ - dup169, - dup78, - ]); - - var select141 = linear_select([ - dup139, - dup170, - dup137, - dup122, - ]); - - var all127 = all_match({ - processors: [ - dup168, - select140, - dup23, - select141, - dup171, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg381 = msg("00019:04", all127); - - var part637 = match("MESSAGE#379:00019:05/0", "nwparser.payload", "Syslog message level has been changed to %{p0}"); - - var part638 = match("MESSAGE#379:00019:05/1_0", "nwparser.p0", "debug%{}"); - - var part639 = match("MESSAGE#379:00019:05/1_1", "nwparser.p0", "information%{}"); - - var part640 = match("MESSAGE#379:00019:05/1_2", "nwparser.p0", "notification%{}"); - - var part641 = match("MESSAGE#379:00019:05/1_3", "nwparser.p0", "warning%{}"); - - var part642 = match("MESSAGE#379:00019:05/1_4", "nwparser.p0", "error%{}"); - - var part643 = match("MESSAGE#379:00019:05/1_5", "nwparser.p0", "critical%{}"); - - var part644 = match("MESSAGE#379:00019:05/1_6", "nwparser.p0", "alert%{}"); - - var part645 = match("MESSAGE#379:00019:05/1_7", "nwparser.p0", "emergency%{}"); - - var select142 = linear_select([ - part638, - part639, - part640, - part641, - part642, - part643, - part644, - part645, - 
]); - - var all128 = all_match({ - processors: [ - part637, - select142, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg382 = msg("00019:05", all128); - - var part646 = match("MESSAGE#380:00019:06/2", "nwparser.p0", "has been changed to %{p0}"); - - var all129 = all_match({ - processors: [ - dup168, - dup366, - part646, - dup367, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg383 = msg("00019:06", all129); - - var part647 = match("MESSAGE#381:00019:07", "nwparser.payload", "WebTrends VPN encryption has been %{disposition}", processor_chain([ - dup91, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg384 = msg("00019:07", part647); - - var part648 = match("MESSAGE#382:00019:08", "nwparser.payload", "WebTrends has been %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg385 = msg("00019:08", part648); - - var part649 = match("MESSAGE#383:00019:09/0", "nwparser.payload", "WebTrends host %{p0}"); - - var select143 = linear_select([ - dup139, - dup170, - dup137, - ]); - - var all130 = all_match({ - processors: [ - part649, - select143, - dup171, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg386 = msg("00019:09", all130); - - var part650 = match("MESSAGE#384:00019:10/1_0", "nwparser.p0", "Traffic logging via syslog %{p0}"); - - var part651 = match("MESSAGE#384:00019:10/1_1", "nwparser.p0", "Syslog %{p0}"); - - var select144 = linear_select([ - part650, - part651, - ]); - - var all131 = all_match({ - processors: [ - dup183, - select144, - dup138, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg387 = msg("00019:10", all131); - - var part652 = match("MESSAGE#385:00019:11/2", "nwparser.p0", "has %{disposition->} because there is no syslog server defined"); - - var all132 = all_match({ - processors: [ - dup165, - dup365, - 
part652, - ], - on_success: processor_chain([ - dup18, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg388 = msg("00019:11", all132); - - var part653 = match("MESSAGE#386:00019:12", "nwparser.payload", "Removing all syslog servers%{}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg389 = msg("00019:12", part653); - - var part654 = match("MESSAGE#387:00019:13/0", "nwparser.payload", "Syslog server %{hostip->} %{p0}"); - - var select145 = linear_select([ - dup107, - dup106, - ]); - - var part655 = match("MESSAGE#387:00019:13/2", "nwparser.p0", "%{disposition}"); - - var all133 = all_match({ - processors: [ - part654, - select145, - part655, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg390 = msg("00019:13", all133); - - var part656 = match("MESSAGE#388:00019:14/2", "nwparser.p0", "for %{hostip->} has been changed to %{p0}"); - - var all134 = all_match({ - processors: [ - dup168, - dup366, - part656, - dup367, - ], - on_success: processor_chain([ - dup50, - dup43, - dup51, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg391 = msg("00019:14", all134); - - var part657 = match("MESSAGE#389:00019:15", "nwparser.payload", "Syslog cannot connect to the TCP server %{hostip}; the connection is closed.", processor_chain([ - dup27, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg392 = msg("00019:15", part657); - - var part658 = match("MESSAGE#390:00019:16", "nwparser.payload", "All syslog servers were removed.%{}", processor_chain([ - setc("eventcategory","1701030000"), - setc("ec_activity","Delete"), - dup51, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg393 = msg("00019:16", part658); - - var part659 = match("MESSAGE#391:00019:17", "nwparser.payload", "Syslog server %{hostip->} host port number has been changed to %{network_port->} %{fld5}", processor_chain([ - dup50, - dup43, - dup51, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg394 = msg("00019:17", part659); - - var 
part660 = match("MESSAGE#392:00019:18/0", "nwparser.payload", "Traffic logging %{p0}"); - - var part661 = match("MESSAGE#392:00019:18/1_0", "nwparser.p0", "via syslog %{p0}"); - - var part662 = match("MESSAGE#392:00019:18/1_1", "nwparser.p0", "for syslog server %{hostip->} %{p0}"); - - var select146 = linear_select([ - part661, - part662, - ]); - - var all135 = all_match({ - processors: [ - part660, - select146, - dup138, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg395 = msg("00019:18", all135); - - var part663 = match("MESSAGE#393:00019:19", "nwparser.payload", "Transport protocol for syslog server %{hostip->} was changed to udp", processor_chain([ - dup50, - dup43, - dup51, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg396 = msg("00019:19", part663); - - var part664 = match("MESSAGE#394:00019:20", "nwparser.payload", "The traffic/IDP syslog is enabled on backup device by netscreen via web from host %{saddr->} to %{daddr}:%{dport}. 
(%{fld1})", processor_chain([ - dup50, - dup43, - dup51, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg397 = msg("00019:20", part664); - - var select147 = linear_select([ - msg377, - msg378, - msg379, - msg380, - msg381, - msg382, - msg383, - msg384, - msg385, - msg386, - msg387, - msg388, - msg389, - msg390, - msg391, - msg392, - msg393, - msg394, - msg395, - msg396, - msg397, - ]); - - var part665 = match("MESSAGE#395:00020", "nwparser.payload", "Schedule %{fld2->} has been %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg398 = msg("00020", part665); - - var part666 = match("MESSAGE#396:00020:01/0", "nwparser.payload", "System memory is low %{p0}"); - - var part667 = match("MESSAGE#396:00020:01/1_1", "nwparser.p0", "( %{p0}"); - - var select148 = linear_select([ - dup152, - part667, - ]); - - var part668 = match("MESSAGE#396:00020:01/2", "nwparser.p0", "%{fld2->} bytes allocated out of %{p0}"); - - var part669 = match("MESSAGE#396:00020:01/3_0", "nwparser.p0", "total %{fld3->} bytes"); - - var part670 = match("MESSAGE#396:00020:01/3_1", "nwparser.p0", "%{fld4->} bytes total"); - - var select149 = linear_select([ - part669, - part670, - ]); - - var all136 = all_match({ - processors: [ - part666, - select148, - part668, - select149, - ], - on_success: processor_chain([ - dup184, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg399 = msg("00020:01", all136); - - var part671 = match("MESSAGE#397:00020:02", "nwparser.payload", "System memory is low (%{fld2->} allocated out of %{fld3->} ) %{fld4->} times in %{fld5}", processor_chain([ - dup184, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg400 = msg("00020:02", part671); - - var select150 = linear_select([ - msg398, - msg399, - msg400, - ]); - - var part672 = match("MESSAGE#398:00021", "nwparser.payload", "DIP %{fld2->} has been %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg401 = msg("00021", part672); - - var 
part673 = match("MESSAGE#399:00021:01", "nwparser.payload", "IP pool %{fld2->} with range %{info->} has been %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg402 = msg("00021:01", part673); - - var part674 = match("MESSAGE#400:00021:02", "nwparser.payload", "DNS server is not configured%{}", processor_chain([ - dup18, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg403 = msg("00021:02", part674); - - var part675 = match("MESSAGE#401:00021:03", "nwparser.payload", "Connection refused by the DNS server%{}", processor_chain([ - dup185, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg404 = msg("00021:03", part675); - - var part676 = match("MESSAGE#402:00021:04", "nwparser.payload", "Unknown DNS error%{}", processor_chain([ - dup117, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg405 = msg("00021:04", part676); - - var part677 = match("MESSAGE#403:00021:05", "nwparser.payload", "DIP port-translatation stickiness was %{disposition->} by %{username->} via %{logon_type->} from host %{saddr->} (%{fld1})", processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg406 = msg("00021:05", part677); - - var part678 = match("MESSAGE#404:00021:06", "nwparser.payload", "DIP port-translation stickiness was %{disposition->} by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport->} (%{fld1})", processor_chain([ - dup1, - dup2, - dup4, - dup5, - dup9, - setc("info","DIP port-translation stickiness was modified"), - ])); - - var msg407 = msg("00021:06", part678); - - var select151 = linear_select([ - msg401, - msg402, - msg403, - msg404, - msg405, - msg406, - msg407, - ]); - - var part679 = match("MESSAGE#405:00022/1_0", "nwparser.p0", "power supplies %{p0}"); - - var part680 = match("MESSAGE#405:00022/1_1", "nwparser.p0", "fans %{p0}"); - - var select152 = linear_select([ - part679, - part680, - ]); - - var part681 = match("MESSAGE#405:00022/2", "nwparser.p0", "are %{fld2->} functioning 
properly"); - - var all137 = all_match({ - processors: [ - dup186, - select152, - part681, - ], - on_success: processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg408 = msg("00022", all137); - - var part682 = match("MESSAGE#406:00022:01/0_0", "nwparser.payload", "At least one power supply %{p0}"); - - var part683 = match("MESSAGE#406:00022:01/0_1", "nwparser.payload", "The power supply %{fld2->} %{p0}"); - - var part684 = match("MESSAGE#406:00022:01/0_2", "nwparser.payload", "At least one fan %{p0}"); - - var select153 = linear_select([ - part682, - part683, - part684, - ]); - - var part685 = match("MESSAGE#406:00022:01/1", "nwparser.p0", "is not functioning properly%{p0}"); - - var all138 = all_match({ - processors: [ - select153, - part685, - dup368, - ], - on_success: processor_chain([ - dup187, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg409 = msg("00022:01", all138); - - var part686 = match("MESSAGE#407:00022:02", "nwparser.payload", "Global Manager VPN management tunnel has been %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg410 = msg("00022:02", part686); - - var part687 = match("MESSAGE#408:00022:03", "nwparser.payload", "Global Manager domain name has been defined as %{domain}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg411 = msg("00022:03", part687); - - var part688 = match("MESSAGE#409:00022:04/0", "nwparser.payload", "Reporting of the %{p0}"); - - var part689 = match("MESSAGE#409:00022:04/1_0", "nwparser.p0", "network activities %{p0}"); - - var part690 = match("MESSAGE#409:00022:04/1_1", "nwparser.p0", "device resources %{p0}"); - - var part691 = match("MESSAGE#409:00022:04/1_2", "nwparser.p0", "event logs %{p0}"); - - var part692 = match("MESSAGE#409:00022:04/1_3", "nwparser.p0", "summary logs %{p0}"); - - var select154 = linear_select([ - part689, - part690, - part691, - part692, - ]); - - var part693 = 
match("MESSAGE#409:00022:04/2", "nwparser.p0", "to Global Manager has been %{disposition}"); - - var all139 = all_match({ - processors: [ - part688, - select154, - part693, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg412 = msg("00022:04", all139); - - var part694 = match("MESSAGE#410:00022:05", "nwparser.payload", "Global Manager has been %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg413 = msg("00022:05", part694); - - var part695 = match("MESSAGE#411:00022:06/0", "nwparser.payload", "Global Manager %{p0}"); - - var part696 = match("MESSAGE#411:00022:06/1_0", "nwparser.p0", "report %{p0}"); - - var part697 = match("MESSAGE#411:00022:06/1_1", "nwparser.p0", "listen %{p0}"); - - var select155 = linear_select([ - part696, - part697, - ]); - - var part698 = match("MESSAGE#411:00022:06/2", "nwparser.p0", "port has been set to %{interface}"); - - var all140 = all_match({ - processors: [ - part695, - select155, - part698, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg414 = msg("00022:06", all140); - - var part699 = match("MESSAGE#412:00022:07", "nwparser.payload", "The Global Manager keep-alive value has been changed to %{fld2}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg415 = msg("00022:07", part699); - - var part700 = match("MESSAGE#413:00022:08/0_0", "nwparser.payload", "System temperature %{p0}"); - - var part701 = match("MESSAGE#413:00022:08/0_1", "nwparser.payload", "System's temperature: %{p0}"); - - var part702 = match("MESSAGE#413:00022:08/0_2", "nwparser.payload", "The system temperature %{p0}"); - - var select156 = linear_select([ - part700, - part701, - part702, - ]); - - var part703 = match("MESSAGE#413:00022:08/1", "nwparser.p0", "(%{fld2->} C%{p0}"); - - var part704 = match("MESSAGE#413:00022:08/2_0", "nwparser.p0", "entigrade, %{p0}"); - - var select157 = 
linear_select([ - part704, - dup96, - ]); - - var part705 = match("MESSAGE#413:00022:08/3", "nwparser.p0", "%{fld3->} F%{p0}"); - - var part706 = match("MESSAGE#413:00022:08/4_0", "nwparser.p0", "ahrenheit %{p0}"); - - var select158 = linear_select([ - part706, - dup96, - ]); - - var part707 = match("MESSAGE#413:00022:08/5", "nwparser.p0", ") is too high%{}"); - - var all141 = all_match({ - processors: [ - select156, - part703, - select157, - part705, - select158, - part707, - ], - on_success: processor_chain([ - dup188, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg416 = msg("00022:08", all141); - - var part708 = match("MESSAGE#414:00022:09/2", "nwparser.p0", "power supply is no%{p0}"); - - var select159 = linear_select([ - dup191, - dup192, - ]); - - var part709 = match("MESSAGE#414:00022:09/4", "nwparser.p0", "functioning properly%{}"); - - var all142 = all_match({ - processors: [ - dup55, - dup369, - part708, - select159, - part709, - ], - on_success: processor_chain([ - dup188, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg417 = msg("00022:09", all142); - - var part710 = match("MESSAGE#415:00022:10/0", "nwparser.payload", "The NetScreen device was unable to upgrade the file system%{p0}"); - - var part711 = match("MESSAGE#415:00022:10/1_0", "nwparser.p0", " due to an internal conflict%{}"); - - var part712 = match("MESSAGE#415:00022:10/1_1", "nwparser.p0", ", but the old file system is intact%{}"); - - var select160 = linear_select([ - part711, - part712, - ]); - - var all143 = all_match({ - processors: [ - part710, - select160, - ], - on_success: processor_chain([ - dup18, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg418 = msg("00022:10", all143); - - var part713 = match("MESSAGE#416:00022:11/0", "nwparser.payload", "The NetScreen device was unable to upgrade %{p0}"); - - var part714 = match("MESSAGE#416:00022:11/1_0", "nwparser.p0", "due to an internal conflict%{}"); - - var part715 = match("MESSAGE#416:00022:11/1_1", 
"nwparser.p0", "the loader, but the loader is intact%{}"); - - var select161 = linear_select([ - part714, - part715, - ]); - - var all144 = all_match({ - processors: [ - part713, - select161, - ], - on_success: processor_chain([ - dup18, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg419 = msg("00022:11", all144); - - var part716 = match("MESSAGE#417:00022:12/0", "nwparser.payload", "Battery is no%{p0}"); - - var select162 = linear_select([ - dup192, - dup191, - ]); - - var part717 = match("MESSAGE#417:00022:12/2", "nwparser.p0", "functioning properly.%{}"); - - var all145 = all_match({ - processors: [ - part716, - select162, - part717, - ], - on_success: processor_chain([ - dup188, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg420 = msg("00022:12", all145); - - var part718 = match("MESSAGE#418:00022:13", "nwparser.payload", "System's temperature (%{fld2->} Centigrade, %{fld3->} Fahrenheit) is OK now.", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg421 = msg("00022:13", part718); - - var part719 = match("MESSAGE#419:00022:14", "nwparser.payload", "The power supply %{fld2->} is functioning properly. 
(%{fld1})", processor_chain([ - dup44, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg422 = msg("00022:14", part719); - - var select163 = linear_select([ - msg408, - msg409, - msg410, - msg411, - msg412, - msg413, - msg414, - msg415, - msg416, - msg417, - msg418, - msg419, - msg420, - msg421, - msg422, - ]); - - var part720 = match("MESSAGE#420:00023", "nwparser.payload", "VIP server %{hostip->} is not responding", processor_chain([ - dup187, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg423 = msg("00023", part720); - - var part721 = match("MESSAGE#421:00023:01", "nwparser.payload", "VIP/load balance server %{hostip->} cannot be contacted", processor_chain([ - dup187, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg424 = msg("00023:01", part721); - - var part722 = match("MESSAGE#422:00023:02", "nwparser.payload", "VIP server %{hostip->} cannot be contacted", processor_chain([ - dup187, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg425 = msg("00023:02", part722); - - var select164 = linear_select([ - msg423, - msg424, - msg425, - ]); - - var part723 = match("MESSAGE#423:00024/0_0", "nwparser.payload", "The DHCP %{p0}"); - - var part724 = match("MESSAGE#423:00024/0_1", "nwparser.payload", " DHCP %{p0}"); - - var select165 = linear_select([ - part723, - part724, - ]); - - var part725 = match("MESSAGE#423:00024/2_0", "nwparser.p0", "IP address pool has %{p0}"); - - var part726 = match("MESSAGE#423:00024/2_1", "nwparser.p0", "options have been %{p0}"); - - var select166 = linear_select([ - part725, - part726, - ]); - - var all146 = all_match({ - processors: [ - select165, - dup193, - select166, - dup52, - dup368, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg426 = msg("00024", all146); - - var part727 = match("MESSAGE#424:00024:01/0_0", "nwparser.payload", "Traffic log %{p0}"); - - var part728 = match("MESSAGE#424:00024:01/0_1", "nwparser.payload", "Alarm log %{p0}"); - - var part729 = 
match("MESSAGE#424:00024:01/0_2", "nwparser.payload", "Event log %{p0}"); - - var part730 = match("MESSAGE#424:00024:01/0_3", "nwparser.payload", "Self log %{p0}"); - - var part731 = match("MESSAGE#424:00024:01/0_4", "nwparser.payload", "Asset Recovery log %{p0}"); - - var select167 = linear_select([ - part727, - part728, - part729, - part730, - part731, - ]); - - var part732 = match("MESSAGE#424:00024:01/1", "nwparser.p0", "has overflowed%{}"); - - var all147 = all_match({ - processors: [ - select167, - part732, - ], - on_success: processor_chain([ - dup117, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg427 = msg("00024:01", all147); - - var part733 = match("MESSAGE#425:00024:02/0", "nwparser.payload", "DHCP relay agent settings on %{fld2->} %{p0}"); - - var part734 = match("MESSAGE#425:00024:02/1_0", "nwparser.p0", "are %{p0}"); - - var part735 = match("MESSAGE#425:00024:02/1_1", "nwparser.p0", "have been %{p0}"); - - var select168 = linear_select([ - part734, - part735, - ]); - - var part736 = match("MESSAGE#425:00024:02/2", "nwparser.p0", "%{disposition->} (%{fld1})"); - - var all148 = all_match({ - processors: [ - part733, - select168, - part736, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg428 = msg("00024:02", all148); - - var part737 = match("MESSAGE#426:00024:03/0", "nwparser.payload", "DHCP server IP address pool %{p0}"); - - var select169 = linear_select([ - dup194, - dup106, - ]); - - var part738 = match("MESSAGE#426:00024:03/2", "nwparser.p0", "changed. 
(%{fld1})"); - - var all149 = all_match({ - processors: [ - part737, - select169, - part738, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg429 = msg("00024:03", all149); - - var select170 = linear_select([ - msg426, - msg427, - msg428, - msg429, - ]); - - var part739 = match("MESSAGE#427:00025", "nwparser.payload", "The DHCP server IP address pool has changed%{}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg430 = msg("00025", part739); - - var part740 = match("MESSAGE#428:00025:01", "nwparser.payload", "PKI: The current device %{disposition->} to save the certificate authority configuration.", processor_chain([ - dup86, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg431 = msg("00025:01", part740); - - var part741 = match("MESSAGE#429:00025:02", "nwparser.payload", "%{disposition->} to send the X509 request file via e-mail", processor_chain([ - dup86, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg432 = msg("00025:02", part741); - - var part742 = match("MESSAGE#430:00025:03", "nwparser.payload", "%{disposition->} to save the CA configuration", processor_chain([ - dup86, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg433 = msg("00025:03", part742); - - var part743 = match("MESSAGE#431:00025:04", "nwparser.payload", "Cannot load more X509 certificates. The %{result}", processor_chain([ - dup86, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg434 = msg("00025:04", part743); - - var select171 = linear_select([ - msg430, - msg431, - msg432, - msg433, - msg434, - ]); - - var part744 = match("MESSAGE#432:00026", "nwparser.payload", "%{signame->} have been detected! 
From %{saddr}:%{sport->} to %{daddr}:%{dport->} using protocol %{protocol->} on interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([ - dup58, - dup2, - dup3, - dup59, - dup4, - dup5, - dup61, - ])); - - var msg435 = msg("00026", part744); - - var part745 = match("MESSAGE#433:00026:13", "nwparser.payload", "%{signame->} have been detected! From %{saddr}:%{sport->} to %{daddr}:%{dport}, using protocol %{protocol}, on interface %{interface}", processor_chain([ - dup58, - dup2, - dup3, - dup4, - dup5, - dup61, - ])); - - var msg436 = msg("00026:13", part745); - - var part746 = match("MESSAGE#434:00026:01/2", "nwparser.p0", "PKA key has been %{p0}"); - - var part747 = match("MESSAGE#434:00026:01/4", "nwparser.p0", "admin user %{administrator}. (Key ID = %{fld2})"); - - var all150 = all_match({ - processors: [ - dup195, - dup370, - part746, - dup371, - part747, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg437 = msg("00026:01", all150); - - var part748 = match("MESSAGE#435:00026:02/1_0", "nwparser.p0", ": SCS %{p0}"); - - var select172 = linear_select([ - part748, - dup96, - ]); - - var part749 = match("MESSAGE#435:00026:02/2", "nwparser.p0", "has been %{disposition->} for %{p0}"); - - var part750 = match("MESSAGE#435:00026:02/3_0", "nwparser.p0", "root system %{p0}"); - - var part751 = match("MESSAGE#435:00026:02/3_1", "nwparser.p0", "%{interface->} %{p0}"); - - var select173 = linear_select([ - part750, - part751, - ]); - - var all151 = all_match({ - processors: [ - dup195, - select172, - part749, - select173, - dup116, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg438 = msg("00026:02", all151); - - var part752 = match("MESSAGE#436:00026:03/2", "nwparser.p0", "%{change_attribute->} has been changed from %{change_old->} to %{change_new}"); - - var all152 = all_match({ - processors: [ - dup195, - dup370, - part752, - ], 
- on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg439 = msg("00026:03", all152); - - var part753 = match("MESSAGE#437:00026:04", "nwparser.payload", "SCS: Connection has been terminated for admin user %{administrator->} at %{hostip}:%{network_port}", processor_chain([ - dup198, - dup2, - dup4, - dup5, - dup3, - ])); - - var msg440 = msg("00026:04", part753); - - var part754 = match("MESSAGE#438:00026:05", "nwparser.payload", "SCS: Host client has requested NO cipher from %{interface}", processor_chain([ - dup198, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg441 = msg("00026:05", part754); - - var part755 = match("MESSAGE#439:00026:06", "nwparser.payload", "SCS: SSH user %{username->} has been authenticated using PKA RSA from %{saddr}:%{sport}. (key-ID=%{fld2}", processor_chain([ - dup199, - dup29, - dup30, - dup31, - dup32, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg442 = msg("00026:06", part755); - - var part756 = match("MESSAGE#440:00026:07", "nwparser.payload", "SCS: SSH user %{username->} has been authenticated using password from %{saddr}:%{sport}.", processor_chain([ - dup199, - dup29, - dup30, - dup31, - dup32, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg443 = msg("00026:07", part756); - - var part757 = match("MESSAGE#441:00026:08/0", "nwparser.payload", "SSH user %{username->} has been authenticated using %{p0}"); - - var part758 = match("MESSAGE#441:00026:08/2", "nwparser.p0", "from %{saddr}:%{sport->} [ with key ID %{fld2->} ]"); - - var all153 = all_match({ - processors: [ - part757, - dup372, - part758, - ], - on_success: processor_chain([ - dup199, - dup29, - dup30, - dup31, - dup32, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg444 = msg("00026:08", all153); - - var part759 = match("MESSAGE#442:00026:09", "nwparser.payload", "IPSec tunnel on int %{interface->} with tunnel ID %{fld2->} received a packet with a bad SPI.", processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - 
])); - - var msg445 = msg("00026:09", part759); - - var part760 = match("MESSAGE#443:00026:10/0", "nwparser.payload", "SSH: %{p0}"); - - var part761 = match("MESSAGE#443:00026:10/1_0", "nwparser.p0", "Failed %{p0}"); - - var part762 = match("MESSAGE#443:00026:10/1_1", "nwparser.p0", "Attempt %{p0}"); - - var select174 = linear_select([ - part761, - part762, - ]); - - var part763 = match("MESSAGE#443:00026:10/3_0", "nwparser.p0", "bind duplicate %{p0}"); - - var select175 = linear_select([ - part763, - dup201, - ]); - - var part764 = match("MESSAGE#443:00026:10/6", "nwparser.p0", "admin user '%{administrator}' (Key ID %{fld2})"); - - var all154 = all_match({ - processors: [ - part760, - select174, - dup103, - select175, - dup202, - dup373, - part764, - ], - on_success: processor_chain([ - dup203, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg446 = msg("00026:10", all154); - - var part765 = match("MESSAGE#444:00026:11", "nwparser.payload", "SSH: Maximum number of PKA keys (%{fld2}) has been bound to user '%{username}' Key not bound. (Key ID %{fld3})", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg447 = msg("00026:11", part765); - - var part766 = match("MESSAGE#445:00026:12", "nwparser.payload", "IKE %{fld2}: Missing heartbeats have exceeded the threshold. 
All Phase 1 and 2 SAs have been removed", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg448 = msg("00026:12", part766); - - var select176 = linear_select([ - msg435, - msg436, - msg437, - msg438, - msg439, - msg440, - msg441, - msg442, - msg443, - msg444, - msg445, - msg446, - msg447, - msg448, - ]); - - var part767 = match("MESSAGE#446:00027/2", "nwparser.p0", "user %{username->} from %{p0}"); - - var part768 = match("MESSAGE#446:00027/3_0", "nwparser.p0", "IP address %{saddr}:%{sport}"); - - var part769 = match("MESSAGE#446:00027/3_1", "nwparser.p0", "%{saddr}:%{sport}"); - - var part770 = match("MESSAGE#446:00027/3_2", "nwparser.p0", "console%{}"); - - var select177 = linear_select([ - part768, - part769, - part770, - ]); - - var all155 = all_match({ - processors: [ - dup204, - dup374, - part767, - select177, - ], - on_success: processor_chain([ - dup206, - dup30, - dup31, - dup54, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg449 = msg("00027", all155); - - var part771 = match("MESSAGE#447:00027:01", "nwparser.payload", "%{change_attribute->} has been restored from %{change_old->} to default port %{change_new}. %{info}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg450 = msg("00027:01", part771); - - var part772 = match("MESSAGE#448:00027:02", "nwparser.payload", "%{change_attribute->} has been restored from %{change_old->} to %{change_new}. %{info}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg451 = msg("00027:02", part772); - - var part773 = match("MESSAGE#449:00027:03", "nwparser.payload", "%{change_attribute->} has been changed from %{change_old->} to port %{change_new}. 
%{info}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg452 = msg("00027:03", part773); - - var part774 = match("MESSAGE#450:00027:04", "nwparser.payload", "%{change_attribute->} has been changed from %{change_old->} to port %{change_new}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg453 = msg("00027:04", part774); - - var part775 = match("MESSAGE#451:00027:05/0", "nwparser.payload", "ScreenOS %{version->} %{p0}"); - - var part776 = match("MESSAGE#451:00027:05/1_0", "nwparser.p0", "Serial %{p0}"); - - var part777 = match("MESSAGE#451:00027:05/1_1", "nwparser.p0", "serial %{p0}"); - - var select178 = linear_select([ - part776, - part777, - ]); - - var part778 = match("MESSAGE#451:00027:05/2", "nwparser.p0", "# %{fld2}: Asset recovery %{p0}"); - - var part779 = match("MESSAGE#451:00027:05/3_0", "nwparser.p0", "performed %{p0}"); - - var select179 = linear_select([ - part779, - dup127, - ]); - - var select180 = linear_select([ - dup207, - dup208, - ]); - - var all156 = all_match({ - processors: [ - part775, - select178, - part778, - select179, - dup23, - select180, - ], - on_success: processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg454 = msg("00027:05", all156); - - var part780 = match("MESSAGE#452:00027:06/0", "nwparser.payload", "Device Reset (Asset Recovery) has been %{p0}"); - - var select181 = linear_select([ - dup208, - dup207, - ]); - - var all157 = all_match({ - processors: [ - part780, - select181, - ], - on_success: processor_chain([ - setc("eventcategory","1606000000"), - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg455 = msg("00027:06", all157); - - var part781 = match("MESSAGE#453:00027:07", "nwparser.payload", "%{change_attribute->} has been changed from %{change_old->} to %{change_new}. 
%{info}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg456 = msg("00027:07", part781); - - var part782 = match("MESSAGE#454:00027:08", "nwparser.payload", "System configuration has been erased%{}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg457 = msg("00027:08", part782); - - var part783 = match("MESSAGE#455:00027:09", "nwparser.payload", "License key %{fld2->} is due to expire in %{fld3}.", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg458 = msg("00027:09", part783); - - var part784 = match("MESSAGE#456:00027:10", "nwparser.payload", "License key %{fld2->} has expired.", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg459 = msg("00027:10", part784); - - var part785 = match("MESSAGE#457:00027:11", "nwparser.payload", "License key %{fld2->} expired after 30-day grace period.", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg460 = msg("00027:11", part785); - - var part786 = match("MESSAGE#458:00027:12/0", "nwparser.payload", "Request to retrieve license key failed to reach %{p0}"); - - var part787 = match("MESSAGE#458:00027:12/1_0", "nwparser.p0", "the server %{p0}"); - - var select182 = linear_select([ - part787, - dup193, - ]); - - var part788 = match("MESSAGE#458:00027:12/2", "nwparser.p0", "by %{fld2}. 
Server url: %{url}"); - - var all158 = all_match({ - processors: [ - part786, - select182, - part788, - ], - on_success: processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg461 = msg("00027:12", all158); - - var part789 = match("MESSAGE#459:00027:13/2", "nwparser.p0", "user %{username}"); - - var all159 = all_match({ - processors: [ - dup204, - dup374, - part789, - ], - on_success: processor_chain([ - dup206, - dup30, - dup31, - dup54, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg462 = msg("00027:13", all159); - - var part790 = match("MESSAGE#460:00027:14/0", "nwparser.payload", "Configuration Erasure Process %{p0}"); - - var part791 = match("MESSAGE#460:00027:14/1_0", "nwparser.p0", "has been initiated %{p0}"); - - var part792 = match("MESSAGE#460:00027:14/1_1", "nwparser.p0", "aborted %{p0}"); - - var select183 = linear_select([ - part791, - part792, - ]); - - var part793 = match("MESSAGE#460:00027:14/2", "nwparser.p0", ".%{space}(%{fld1})"); - - var all160 = all_match({ - processors: [ - part790, - select183, - part793, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg463 = msg("00027:14", all160); - - var part794 = match("MESSAGE#461:00027:15", "nwparser.payload", "Waiting for 2nd confirmation. 
(%{fld1})", processor_chain([ - dup44, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg464 = msg("00027:15", part794); - - var part795 = match("MESSAGE#1220:00027:16", "nwparser.payload", "Admin %{fld3->} policy id %{policy_id->} name \"%{fld2->} has been re-enabled by NetScreen system after being locked due to excessive failed login attempts (%{fld1})", processor_chain([ - dup44, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg465 = msg("00027:16", part795); - - var part796 = match("MESSAGE#1225:00027:17", "nwparser.payload", "Admin %{username->} is locked and will be unlocked after %{duration->} minutes (%{fld1})", processor_chain([ - dup44, - dup2, - dup4, - dup5, - dup9, - ])); - - var msg466 = msg("00027:17", part796); - - var part797 = match("MESSAGE#1226:00027:18", "nwparser.payload", "Login attempt by admin %{username->} from %{saddr->} is refused as this account is locked (%{fld1})", processor_chain([ - dup44, - dup2, - dup4, - dup5, - dup9, - ])); - - var msg467 = msg("00027:18", part797); - - var part798 = match("MESSAGE#1227:00027:19", "nwparser.payload", "Admin %{username->} has been re-enabled by NetScreen system after being locked due to excessive failed login attempts (%{fld1})", processor_chain([ - dup44, - dup2, - dup4, - dup5, - dup9, - ])); - - var msg468 = msg("00027:19", part798); - - var select184 = linear_select([ - msg449, - msg450, - msg451, - msg452, - msg453, - msg454, - msg455, - msg456, - msg457, - msg458, - msg459, - msg460, - msg461, - msg462, - msg463, - msg464, - msg465, - msg466, - msg467, - msg468, - ]); - - var part799 = match("MESSAGE#462:00028/0_0", "nwparser.payload", "An Intruder%{p0}"); - - var part800 = match("MESSAGE#462:00028/0_1", "nwparser.payload", "Intruder%{p0}"); - - var part801 = match("MESSAGE#462:00028/0_2", "nwparser.payload", "An intruter%{p0}"); - - var select185 = linear_select([ - part799, - part800, - part801, - ]); - - var part802 = match("MESSAGE#462:00028/1", "nwparser.p0", "%{}has 
attempted to connect to the NetScreen-Global PRO port! From %{saddr}:%{sport->} to %{daddr}:%{dport->} using protocol %{protocol->} at interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times"); - - var all161 = all_match({ - processors: [ - select185, - part802, - ], - on_success: processor_chain([ - dup58, - dup2, - dup59, - dup3, - dup4, - dup5, - dup61, - setc("signame","Attempt to Connect to the NetScreen-Global Port"), - ]), - }); - - var msg469 = msg("00028", all161); - - var part803 = match("MESSAGE#463:00029", "nwparser.payload", "DNS has been refreshed%{}", processor_chain([ - dup209, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg470 = msg("00029", part803); - - var part804 = match("MESSAGE#464:00029:01", "nwparser.payload", "DHCP file write: out of memory.%{}", processor_chain([ - dup184, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg471 = msg("00029:01", part804); - - var part805 = match("MESSAGE#465:00029:02/0", "nwparser.payload", "The DHCP process cannot open file %{fld2->} to %{p0}"); - - var part806 = match("MESSAGE#465:00029:02/1_0", "nwparser.p0", "read %{p0}"); - - var part807 = match("MESSAGE#465:00029:02/1_1", "nwparser.p0", "write %{p0}"); - - var select186 = linear_select([ - part806, - part807, - ]); - - var part808 = match("MESSAGE#465:00029:02/2", "nwparser.p0", "data.%{}"); - - var all162 = all_match({ - processors: [ - part805, - select186, - part808, - ], - on_success: processor_chain([ - dup117, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg472 = msg("00029:02", all162); - - var part809 = match("MESSAGE#466:00029:03/2", "nwparser.p0", "%{} %{interface->} is full. 
Unable to %{p0}"); - - var part810 = match("MESSAGE#466:00029:03/3_0", "nwparser.p0", "commit %{p0}"); - - var part811 = match("MESSAGE#466:00029:03/3_1", "nwparser.p0", "offer %{p0}"); - - var select187 = linear_select([ - part810, - part811, - ]); - - var part812 = match("MESSAGE#466:00029:03/4", "nwparser.p0", "IP address to client at %{fld2}"); - - var all163 = all_match({ - processors: [ - dup210, - dup337, - part809, - select187, - part812, - ], - on_success: processor_chain([ - dup117, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg473 = msg("00029:03", all163); - - var part813 = match("MESSAGE#467:00029:04", "nwparser.payload", "DHCP server set to OFF on %{interface->} (another server found on %{hostip}).", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg474 = msg("00029:04", part813); - - var select188 = linear_select([ - msg470, - msg471, - msg472, - msg473, - msg474, - ]); - - var part814 = match("MESSAGE#468:00030", "nwparser.payload", "CA configuration is invalid%{}", processor_chain([ - dup18, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg475 = msg("00030", part814); - - var part815 = match("MESSAGE#469:00030:01/0", "nwparser.payload", "DSS checking of CRLs has been changed from %{p0}"); - - var part816 = match("MESSAGE#469:00030:01/1_0", "nwparser.p0", "0 to 1%{}"); - - var part817 = match("MESSAGE#469:00030:01/1_1", "nwparser.p0", "1 to 0%{}"); - - var select189 = linear_select([ - part816, - part817, - ]); - - var all164 = all_match({ - processors: [ - part815, - select189, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg476 = msg("00030:01", all164); - - var part818 = match("MESSAGE#470:00030:05", "nwparser.payload", "For the X509 certificate %{change_attribute->} has been changed from %{change_old->} to %{change_new}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg477 = msg("00030:05", part818); - - var part819 = 
match("MESSAGE#471:00030:06", "nwparser.payload", "In the X509 certificate request the %{fld2->} field has been changed from %{fld3}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg478 = msg("00030:06", part819); - - var part820 = match("MESSAGE#472:00030:07", "nwparser.payload", "RA X509 certificate cannot be loaded%{}", processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg479 = msg("00030:07", part820); - - var part821 = match("MESSAGE#473:00030:10", "nwparser.payload", "Self-signed X509 certificate cannot be generated%{}", processor_chain([ - dup86, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg480 = msg("00030:10", part821); - - var part822 = match("MESSAGE#474:00030:12", "nwparser.payload", "The public key for ScreenOS image has successfully been updated%{}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg481 = msg("00030:12", part822); - - var part823 = match("MESSAGE#475:00030:13/0", "nwparser.payload", "The public key used for ScreenOS image authentication cannot be %{p0}"); - - var part824 = match("MESSAGE#475:00030:13/1_0", "nwparser.p0", "decoded%{}"); - - var part825 = match("MESSAGE#475:00030:13/1_1", "nwparser.p0", "loaded%{}"); - - var select190 = linear_select([ - part824, - part825, - ]); - - var all165 = all_match({ - processors: [ - part823, - select190, - ], - on_success: processor_chain([ - dup35, - dup31, - dup39, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg482 = msg("00030:13", all165); - - var part826 = match("MESSAGE#476:00030:14/1_0", "nwparser.p0", "CA IDENT %{p0}"); - - var part827 = match("MESSAGE#476:00030:14/1_1", "nwparser.p0", "Challenge password %{p0}"); - - var part828 = match("MESSAGE#476:00030:14/1_2", "nwparser.p0", "CA CGI URL %{p0}"); - - var part829 = match("MESSAGE#476:00030:14/1_3", "nwparser.p0", "RA CGI URL %{p0}"); - - var select191 = linear_select([ - part826, - part827, - part828, - part829, - ]); - - var part830 = 
match("MESSAGE#476:00030:14/2", "nwparser.p0", "for SCEP %{p0}"); - - var part831 = match("MESSAGE#476:00030:14/3_0", "nwparser.p0", "requests %{p0}"); - - var select192 = linear_select([ - part831, - dup16, - ]); - - var part832 = match("MESSAGE#476:00030:14/4", "nwparser.p0", "has been changed from %{change_old->} to %{change_new}"); - - var all166 = all_match({ - processors: [ - dup55, - select191, - part830, - select192, - part832, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg483 = msg("00030:14", all166); - - var msg484 = msg("00030:02", dup375); - - var part833 = match("MESSAGE#478:00030:15", "nwparser.payload", "X509 certificate for ScreenOS image authentication is invalid%{}", processor_chain([ - dup35, - dup211, - dup31, - dup39, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg485 = msg("00030:15", part833); - - var part834 = match("MESSAGE#479:00030:16", "nwparser.payload", "X509 certificate has been deleted%{}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg486 = msg("00030:16", part834); - - var part835 = match("MESSAGE#480:00030:18", "nwparser.payload", "PKI CRL: no revoke info accept per config DN %{interface}.", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg487 = msg("00030:18", part835); - - var part836 = match("MESSAGE#481:00030:19/0", "nwparser.payload", "PKI: A configurable item %{change_attribute->} %{p0}"); - - var part837 = match("MESSAGE#481:00030:19/1_0", "nwparser.p0", "mode %{p0}"); - - var part838 = match("MESSAGE#481:00030:19/1_1", "nwparser.p0", "field%{p0}"); - - var select193 = linear_select([ - part837, - part838, - ]); - - var part839 = match("MESSAGE#481:00030:19/2", "nwparser.p0", "%{}has changed from %{change_old->} to %{change_new}"); - - var all167 = all_match({ - processors: [ - part836, - select193, - part839, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var 
msg488 = msg("00030:19", all167); - - var part840 = match("MESSAGE#482:00030:30", "nwparser.payload", "PKI: NSRP cold sync start for total of %{fld2->} items.", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg489 = msg("00030:30", part840); - - var part841 = match("MESSAGE#483:00030:31", "nwparser.payload", "PKI: NSRP sync received cold sync item %{fld2->} out of order expect %{fld3->} of %{fld4}.", processor_chain([ - dup86, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg490 = msg("00030:31", part841); - - var part842 = match("MESSAGE#484:00030:32", "nwparser.payload", "PKI: NSRP sync received cold sync item %{fld2->} without first item.", processor_chain([ - dup86, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg491 = msg("00030:32", part842); - - var part843 = match("MESSAGE#485:00030:33", "nwparser.payload", "PKI: NSRP sync received normal item during cold sync.%{}", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg492 = msg("00030:33", part843); - - var part844 = match("MESSAGE#486:00030:34", "nwparser.payload", "PKI: The CRL %{policy_id->} is deleted.", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg493 = msg("00030:34", part844); - - var part845 = match("MESSAGE#487:00030:35", "nwparser.payload", "PKI: The NSRP high availability synchronization %{fld2->} failed.", processor_chain([ - dup86, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg494 = msg("00030:35", part845); - - var part846 = match("MESSAGE#488:00030:36", "nwparser.payload", "PKI: The %{change_attribute->} has changed from %{change_old->} to %{change_new}.", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg495 = msg("00030:36", part846); - - var part847 = match("MESSAGE#489:00030:37", "nwparser.payload", "PKI: The X.509 certificate for the ScreenOS image authentication is invalid.%{}", processor_chain([ - dup35, - dup211, - dup31, - dup39, - dup2, - dup3, - dup4, - dup5, - ])); - 
- var msg496 = msg("00030:37", part847); - - var part848 = match("MESSAGE#490:00030:38", "nwparser.payload", "PKI: The X.509 local certificate cannot be sync to vsd member.%{}", processor_chain([ - dup35, - dup211, - dup31, - dup39, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg497 = msg("00030:38", part848); - - var part849 = match("MESSAGE#491:00030:39/0", "nwparser.payload", "PKI: The X.509 certificate %{p0}"); - - var part850 = match("MESSAGE#491:00030:39/1_0", "nwparser.p0", "revocation list %{p0}"); - - var select194 = linear_select([ - part850, - dup16, - ]); - - var part851 = match("MESSAGE#491:00030:39/2", "nwparser.p0", "cannot be loaded during NSRP synchronization.%{}"); - - var all168 = all_match({ - processors: [ - part849, - select194, - part851, - ], - on_success: processor_chain([ - dup35, - dup211, - dup31, - dup39, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg498 = msg("00030:39", all168); - - var part852 = match("MESSAGE#492:00030:17/0", "nwparser.payload", "X509 %{p0}"); - - var part853 = match("MESSAGE#492:00030:17/2", "nwparser.p0", "cannot be loaded%{}"); - - var all169 = all_match({ - processors: [ - part852, - dup376, - part853, - ], - on_success: processor_chain([ - dup35, - dup211, - dup31, - dup39, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg499 = msg("00030:17", all169); - - var part854 = match("MESSAGE#493:00030:40/0", "nwparser.payload", "PKI: The certificate %{fld2->} will expire %{p0}"); - - var part855 = match("MESSAGE#493:00030:40/1_1", "nwparser.p0", "please %{p0}"); - - var select195 = linear_select([ - dup214, - part855, - ]); - - var part856 = match("MESSAGE#493:00030:40/2", "nwparser.p0", "renew.%{}"); - - var all170 = all_match({ - processors: [ - part854, - select195, - part856, - ], - on_success: processor_chain([ - dup35, - dup211, - dup31, - dup39, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg500 = msg("00030:40", all170); - - var part857 = match("MESSAGE#494:00030:41", 
"nwparser.payload", "PKI: The certificate revocation list has expired issued by certificate authority %{fld2}.", processor_chain([ - dup35, - dup211, - dup31, - dup39, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg501 = msg("00030:41", part857); - - var part858 = match("MESSAGE#495:00030:42", "nwparser.payload", "PKI: The configuration content of certificate authority %{fld2->} is not valid.", processor_chain([ - dup35, - dup211, - dup31, - dup39, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg502 = msg("00030:42", part858); - - var part859 = match("MESSAGE#496:00030:43", "nwparser.payload", "PKI: The device cannot allocate this object id number %{fld2}.", processor_chain([ - dup35, - dup211, - dup31, - dup39, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg503 = msg("00030:43", part859); - - var part860 = match("MESSAGE#497:00030:44", "nwparser.payload", "PKI: The device cannot extract the X.509 certificate revocation list [ (CRL) ].%{}", processor_chain([ - dup35, - dup211, - dup31, - dup39, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg504 = msg("00030:44", part860); - - var part861 = match("MESSAGE#498:00030:45", "nwparser.payload", "PKI: The device cannot find the PKI object %{fld2->} during cold sync.", processor_chain([ - dup35, - dup211, - dup31, - dup39, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg505 = msg("00030:45", part861); - - var part862 = match("MESSAGE#499:00030:46", "nwparser.payload", "PKI: The device cannot load X.509 certificate onto the device certificate %{fld2}.", processor_chain([ - dup35, - dup211, - dup31, - dup39, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg506 = msg("00030:46", part862); - - var part863 = match("MESSAGE#500:00030:47", "nwparser.payload", "PKI: The device cannot load a certificate pending SCEP completion.%{}", processor_chain([ - dup35, - dup211, - dup31, - dup39, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg507 = msg("00030:47", part863); - - var part864 = match("MESSAGE#501:00030:48", 
"nwparser.payload", "PKI: The device cannot load an X.509 certificate revocation list (CRL).%{}", processor_chain([ - dup35, - dup211, - dup31, - dup39, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg508 = msg("00030:48", part864); - - var part865 = match("MESSAGE#502:00030:49", "nwparser.payload", "PKI: The device cannot load the CA certificate received through SCEP.%{}", processor_chain([ - dup35, - dup211, - dup31, - dup39, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg509 = msg("00030:49", part865); - - var part866 = match("MESSAGE#503:00030:50", "nwparser.payload", "PKI: The device cannot load the X.509 certificate revocation list (CRL) from the file.%{}", processor_chain([ - dup35, - dup211, - dup31, - dup39, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg510 = msg("00030:50", part866); - - var part867 = match("MESSAGE#504:00030:51", "nwparser.payload", "PKI: The device cannot load the X.509 local certificate received through SCEP.%{}", processor_chain([ - dup35, - dup211, - dup31, - dup39, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg511 = msg("00030:51", part867); - - var part868 = match("MESSAGE#505:00030:52", "nwparser.payload", "PKI: The device cannot load the X.509 %{product->} during boot.", processor_chain([ - dup35, - dup211, - dup31, - dup39, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg512 = msg("00030:52", part868); - - var part869 = match("MESSAGE#506:00030:53", "nwparser.payload", "PKI: The device cannot load the X.509 certificate file.%{}", processor_chain([ - dup35, - dup211, - dup31, - dup39, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg513 = msg("00030:53", part869); - - var part870 = match("MESSAGE#507:00030:54", "nwparser.payload", "PKI: The device completed the coldsync of the PKI object at %{fld2->} attempt.", processor_chain([ - dup44, - dup211, - dup31, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg514 = msg("00030:54", part870); - - var part871 = match("MESSAGE#508:00030:55/0", "nwparser.payload", "PKI: 
The device could not generate %{p0}"); - - var all171 = all_match({ - processors: [ - part871, - dup377, - dup217, - ], - on_success: processor_chain([ - dup35, - dup211, - dup31, - dup39, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg515 = msg("00030:55", all171); - - var part872 = match("MESSAGE#509:00030:56", "nwparser.payload", "PKI: The device detected an invalid RSA key.%{}", processor_chain([ - dup35, - dup211, - dup31, - dup39, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg516 = msg("00030:56", part872); - - var part873 = match("MESSAGE#510:00030:57", "nwparser.payload", "PKI: The device detected an invalid digital signature algorithm (DSA) key.%{}", processor_chain([ - dup35, - dup218, - dup31, - dup39, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg517 = msg("00030:57", part873); - - var part874 = match("MESSAGE#511:00030:58", "nwparser.payload", "PKI: The device failed to coldsync the PKI object at %{fld2->} attempt.", processor_chain([ - dup86, - dup218, - dup31, - dup54, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg518 = msg("00030:58", part874); - - var part875 = match("MESSAGE#512:00030:59", "nwparser.payload", "PKI: The device failed to decode the public key of the image%{quote}s signer certificate.", processor_chain([ - dup35, - dup218, - dup31, - dup54, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg519 = msg("00030:59", part875); - - var part876 = match("MESSAGE#513:00030:60", "nwparser.payload", "PKI: The device failed to install the RSA key.%{}", processor_chain([ - dup35, - dup218, - dup31, - dup54, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg520 = msg("00030:60", part876); - - var part877 = match("MESSAGE#514:00030:61", "nwparser.payload", "PKI: The device failed to retrieve the pending certificate %{fld2}.", processor_chain([ - dup35, - dup211, - dup31, - dup54, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg521 = msg("00030:61", part877); - - var part878 = match("MESSAGE#515:00030:62", "nwparser.payload", 
"PKI: The device failed to save the certificate authority related configuration.%{}", processor_chain([ - dup35, - dup211, - dup31, - dup54, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg522 = msg("00030:62", part878); - - var part879 = match("MESSAGE#516:00030:63", "nwparser.payload", "PKI: The device failed to store the authority configuration.%{}", processor_chain([ - dup18, - dup219, - dup51, - dup54, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg523 = msg("00030:63", part879); - - var part880 = match("MESSAGE#517:00030:64", "nwparser.payload", "PKI: The device failed to synchronize new DSA/RSA key pair to NSRP peer.%{}", processor_chain([ - dup18, - dup218, - dup51, - dup54, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg524 = msg("00030:64", part880); - - var part881 = match("MESSAGE#518:00030:65", "nwparser.payload", "PKI: The device failed to synchronize DSA/RSA key pair to NSRP peer.%{}", processor_chain([ - dup18, - dup218, - dup51, - dup54, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg525 = msg("00030:65", part881); - - var part882 = match("MESSAGE#519:00030:66", "nwparser.payload", "PKI: The device has detected an invalid X.509 object attribute %{fld2}.", processor_chain([ - dup35, - dup211, - dup31, - dup39, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg526 = msg("00030:66", part882); - - var part883 = match("MESSAGE#520:00030:67", "nwparser.payload", "PKI: The device has detected invalid X.509 object content.%{}", processor_chain([ - dup35, - dup211, - dup31, - dup39, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg527 = msg("00030:67", part883); - - var part884 = match("MESSAGE#521:00030:68", "nwparser.payload", "PKI: The device has failed to load an invalid X.509 object.%{}", processor_chain([ - dup35, - dup211, - dup31, - dup39, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg528 = msg("00030:68", part884); - - var part885 = match("MESSAGE#522:00030:69", "nwparser.payload", "PKI: The device is loading the version 0 PKI 
data.%{}", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg529 = msg("00030:69", part885); - - var part886 = match("MESSAGE#523:00030:70/0", "nwparser.payload", "PKI: The device successfully generated a new %{p0}"); - - var all172 = all_match({ - processors: [ - part886, - dup377, - dup217, - ], - on_success: processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg530 = msg("00030:70", all172); - - var part887 = match("MESSAGE#524:00030:71", "nwparser.payload", "PKI: The public key of image%{quote}s signer has been loaded successfully, for future image authentication.", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg531 = msg("00030:71", part887); - - var part888 = match("MESSAGE#525:00030:72", "nwparser.payload", "PKI: The signature of the image%{quote}s signer certificate cannot be verified.", processor_chain([ - dup35, - dup211, - dup31, - dup39, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg532 = msg("00030:72", part888); - - var part889 = match("MESSAGE#526:00030:73/0", "nwparser.payload", "PKI: The %{p0}"); - - var part890 = match("MESSAGE#526:00030:73/1_0", "nwparser.p0", "file name %{p0}"); - - var part891 = match("MESSAGE#526:00030:73/1_1", "nwparser.p0", "friendly name of a certificate %{p0}"); - - var part892 = match("MESSAGE#526:00030:73/1_2", "nwparser.p0", "vsys name %{p0}"); - - var select196 = linear_select([ - part890, - part891, - part892, - ]); - - var part893 = match("MESSAGE#526:00030:73/2", "nwparser.p0", "is too long %{fld2->} to do NSRP synchronization allowed %{fld3}."); - - var all173 = all_match({ - processors: [ - part889, - select196, - part893, - ], - on_success: processor_chain([ - dup35, - dup211, - dup31, - dup39, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg533 = msg("00030:73", all173); - - var part894 = match("MESSAGE#527:00030:74", "nwparser.payload", "PKI: Upgrade from earlier version save to file.%{}", processor_chain([ - dup44, 
- dup2, - dup3, - dup4, - dup5, - ])); - - var msg534 = msg("00030:74", part894); - - var part895 = match("MESSAGE#528:00030:75", "nwparser.payload", "PKI: X.509 certificate has been deleted distinguished name %{username}.", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg535 = msg("00030:75", part895); - - var part896 = match("MESSAGE#529:00030:76/0", "nwparser.payload", "PKI: X.509 %{p0}"); - - var part897 = match("MESSAGE#529:00030:76/2", "nwparser.p0", "file has been loaded successfully filename %{fld2}."); - - var all174 = all_match({ - processors: [ - part896, - dup376, - part897, - ], - on_success: processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg536 = msg("00030:76", all174); - - var part898 = match("MESSAGE#530:00030:77", "nwparser.payload", "PKI: failed to install DSA key.%{}", processor_chain([ - dup18, - dup218, - dup51, - dup54, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg537 = msg("00030:77", part898); - - var part899 = match("MESSAGE#531:00030:78", "nwparser.payload", "PKI: no FQDN available when requesting certificate.%{}", processor_chain([ - dup35, - dup211, - dup220, - dup31, - dup39, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg538 = msg("00030:78", part899); - - var part900 = match("MESSAGE#532:00030:79", "nwparser.payload", "PKI: no cert revocation check per config DN %{username}.", processor_chain([ - dup35, - dup211, - dup220, - dup31, - dup39, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg539 = msg("00030:79", part900); - - var part901 = match("MESSAGE#533:00030:80", "nwparser.payload", "PKI: no nsrp sync for pre 2.5 objects.%{}", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg540 = msg("00030:80", part901); - - var part902 = match("MESSAGE#534:00030:81", "nwparser.payload", "X509 certificate with subject name %{fld2->} is deleted.", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg541 = msg("00030:81", 
part902); - - var part903 = match("MESSAGE#535:00030:82", "nwparser.payload", "create new authcfg for CA %{fld2}", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg542 = msg("00030:82", part903); - - var part904 = match("MESSAGE#536:00030:83", "nwparser.payload", "loadCert: Cannot acquire authcfg for this CA cert %{fld2}.", processor_chain([ - dup35, - dup211, - dup31, - dup39, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg543 = msg("00030:83", part904); - - var part905 = match("MESSAGE#537:00030:84", "nwparser.payload", "upgrade to 4.0 copy authcfg from global.%{}", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg544 = msg("00030:84", part905); - - var part906 = match("MESSAGE#538:00030:85", "nwparser.payload", "System CPU utilization is high (%{fld2->} alarm threshold: %{trigger_val}) %{info}", processor_chain([ - setc("eventcategory","1603080000"), - dup2, - dup3, - dup4, - dup5, - ])); - - var msg545 = msg("00030:85", part906); - - var part907 = match("MESSAGE#539:00030:86/2", "nwparser.p0", "Pair-wise invoked by started after key generation. (%{fld1})"); - - var all175 = all_match({ - processors: [ - dup221, - dup378, - part907, - ], - on_success: processor_chain([ - dup223, - dup2, - dup4, - dup5, - dup9, - ]), - }); - - var msg546 = msg("00030:86", all175); - - var part908 = match("MESSAGE#1214:00030:87", "nwparser.payload", "SYSTEM CPU utilization is high (%{fld2->} > %{fld3->} ) %{fld4->} times in %{fld5->} minute (%{fld1})\u003c\u003c%{fld6}>", processor_chain([ - dup209, - dup2, - dup3, - dup4, - dup5, - dup9, - ])); - - var msg547 = msg("00030:87", part908); - - var part909 = match("MESSAGE#1217:00030:88/2", "nwparser.p0", "Pair-wise invoked by passed. 
(%{fld1})\u003c\u003c%{fld6}>"); - - var all176 = all_match({ - processors: [ - dup221, - dup378, - part909, - ], - on_success: processor_chain([ - dup223, - dup2, - dup4, - dup5, - dup9, - ]), - }); - - var msg548 = msg("00030:88", all176); - - var select197 = linear_select([ - msg475, - msg476, - msg477, - msg478, - msg479, - msg480, - msg481, - msg482, - msg483, - msg484, - msg485, - msg486, - msg487, - msg488, - msg489, - msg490, - msg491, - msg492, - msg493, - msg494, - msg495, - msg496, - msg497, - msg498, - msg499, - msg500, - msg501, - msg502, - msg503, - msg504, - msg505, - msg506, - msg507, - msg508, - msg509, - msg510, - msg511, - msg512, - msg513, - msg514, - msg515, - msg516, - msg517, - msg518, - msg519, - msg520, - msg521, - msg522, - msg523, - msg524, - msg525, - msg526, - msg527, - msg528, - msg529, - msg530, - msg531, - msg532, - msg533, - msg534, - msg535, - msg536, - msg537, - msg538, - msg539, - msg540, - msg541, - msg542, - msg543, - msg544, - msg545, - msg546, - msg547, - msg548, - ]); - - var part910 = match("MESSAGE#540:00031:13", "nwparser.payload", "ARP detected IP conflict: IP address %{hostip->} changed from %{sinterface->} to interface %{dinterface->} (%{fld1})", processor_chain([ - dup121, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg549 = msg("00031:13", part910); - - var part911 = match("MESSAGE#541:00031", "nwparser.payload", "SNMP AuthenTraps have been %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg550 = msg("00031", part911); - - var part912 = match("MESSAGE#542:00031:01", "nwparser.payload", "SNMP VPN has been %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg551 = msg("00031:01", part912); - - var part913 = match("MESSAGE#543:00031:02/0", "nwparser.payload", "SNMP community %{fld2->} attributes-write access %{p0}"); - - var part914 = match("MESSAGE#543:00031:02/2", "nwparser.p0", "; receive traps %{p0}"); - - var part915 = 
match("MESSAGE#543:00031:02/4", "nwparser.p0", "; receive traffic alarms %{p0}"); - - var part916 = match("MESSAGE#543:00031:02/6", "nwparser.p0", "-have been modified%{}"); - - var all177 = all_match({ - processors: [ - part913, - dup379, - part914, - dup379, - part915, - dup379, - part916, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg552 = msg("00031:02", all177); - - var part917 = match("MESSAGE#544:00031:03/0", "nwparser.payload", "%{fld2->} SNMP host %{hostip->} has been %{p0}"); - - var select198 = linear_select([ - dup130, - dup129, - ]); - - var part918 = match("MESSAGE#544:00031:03/2", "nwparser.p0", "SNMP community %{fld3}"); - - var all178 = all_match({ - processors: [ - part917, - select198, - part918, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg553 = msg("00031:03", all178); - - var part919 = match("MESSAGE#545:00031:04/0", "nwparser.payload", "SNMP %{p0}"); - - var part920 = match("MESSAGE#545:00031:04/1_0", "nwparser.p0", "contact %{p0}"); - - var select199 = linear_select([ - part920, - dup226, - ]); - - var part921 = match("MESSAGE#545:00031:04/2", "nwparser.p0", "description has been modified%{}"); - - var all179 = all_match({ - processors: [ - part919, - select199, - part921, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg554 = msg("00031:04", all179); - - var part922 = match("MESSAGE#546:00031:11/0", "nwparser.payload", "SNMP system %{p0}"); - - var select200 = linear_select([ - dup226, - dup25, - ]); - - var part923 = match("MESSAGE#546:00031:11/2", "nwparser.p0", "has been changed to %{fld2}. 
(%{fld1})"); - - var all180 = all_match({ - processors: [ - part922, - select200, - part923, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg555 = msg("00031:11", all180); - - var part924 = match("MESSAGE#547:00031:08/0", "nwparser.payload", "%{fld2}: SNMP community name \"%{fld3}\" %{p0}"); - - var part925 = match("MESSAGE#547:00031:08/1_0", "nwparser.p0", "attributes -- %{p0}"); - - var part926 = match("MESSAGE#547:00031:08/1_1", "nwparser.p0", "-- %{p0}"); - - var select201 = linear_select([ - part925, - part926, - ]); - - var part927 = match("MESSAGE#547:00031:08/2", "nwparser.p0", "write access, %{p0}"); - - var part928 = match("MESSAGE#547:00031:08/4", "nwparser.p0", "; receive traps, %{p0}"); - - var part929 = match("MESSAGE#547:00031:08/6", "nwparser.p0", "; receive traffic alarms, %{p0}"); - - var part930 = match("MESSAGE#547:00031:08/8", "nwparser.p0", "-%{p0}"); - - var part931 = match("MESSAGE#547:00031:08/9_0", "nwparser.p0", "- %{p0}"); - - var select202 = linear_select([ - part931, - dup96, - ]); - - var part932 = match("MESSAGE#547:00031:08/10", "nwparser.p0", "have been modified%{}"); - - var all181 = all_match({ - processors: [ - part924, - select201, - part927, - dup379, - part928, - dup379, - part929, - dup379, - part930, - select202, - part932, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg556 = msg("00031:08", all181); - - var part933 = match("MESSAGE#548:00031:05/0", "nwparser.payload", "Detect IP conflict (%{fld2}) on %{p0}"); - - var all182 = all_match({ - processors: [ - part933, - dup337, - dup227, - ], - on_success: processor_chain([ - dup121, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg557 = msg("00031:05", all182); - - var part934 = match("MESSAGE#549:00031:06/1_0", "nwparser.p0", "q, %{p0}"); - - var select203 = linear_select([ - part934, - dup229, - dup230, - ]); - - var part935 = 
match("MESSAGE#549:00031:06/2", "nwparser.p0", "detect IP conflict ( %{hostip->} )%{p0}"); - - var select204 = linear_select([ - dup105, - dup96, - ]); - - var part936 = match("MESSAGE#549:00031:06/4", "nwparser.p0", "mac%{p0}"); - - var part937 = match("MESSAGE#549:00031:06/6", "nwparser.p0", "%{macaddr->} on %{p0}"); - - var all183 = all_match({ - processors: [ - dup228, - select203, - part935, - select204, - part936, - dup356, - part937, - dup352, - dup23, - dup380, - ], - on_success: processor_chain([ - dup121, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg558 = msg("00031:06", all183); - - var part938 = match("MESSAGE#550:00031:07/2", "nwparser.p0", "detects a duplicate virtual security device group master IP address %{hostip}, MAC address %{macaddr->} on %{p0}"); - - var all184 = all_match({ - processors: [ - dup228, - dup381, - part938, - dup337, - dup227, - ], - on_success: processor_chain([ - dup121, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg559 = msg("00031:07", all184); - - var part939 = match("MESSAGE#551:00031:09/2", "nwparser.p0", "detected an IP conflict (IP %{hostip}, MAC %{macaddr}) on interface %{p0}"); - - var all185 = all_match({ - processors: [ - dup228, - dup381, - part939, - dup380, - ], - on_success: processor_chain([ - dup121, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg560 = msg("00031:09", all185); - - var part940 = match("MESSAGE#552:00031:10", "nwparser.payload", "%{fld2}: SNMP community \"%{fld3}\" has been moved. (%{fld1})", processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg561 = msg("00031:10", part940); - - var part941 = match("MESSAGE#553:00031:12", "nwparser.payload", "%{fld2->} system contact has been changed to %{fld3}. 
(%{fld1})", processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg562 = msg("00031:12", part941); - - var select205 = linear_select([ - msg549, - msg550, - msg551, - msg552, - msg553, - msg554, - msg555, - msg556, - msg557, - msg558, - msg559, - msg560, - msg561, - msg562, - ]); - - var part942 = match("MESSAGE#554:00032", "nwparser.payload", "%{signame->} has been detected and blocked! From %{saddr}:%{sport->} to %{daddr}:%{dport->} using protocol %{protocol->} on interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([ - dup232, - dup2, - dup3, - dup59, - dup4, - dup5, - dup61, - ])); - - var msg563 = msg("00032", part942); - - var part943 = match("MESSAGE#555:00032:01", "nwparser.payload", "%{signame->} has been detected and blocked! From %{saddr}:%{sport->} to %{daddr}:%{dport->} using protocol %{protocol->} on interface %{interface}", processor_chain([ - dup232, - dup2, - dup3, - dup4, - dup5, - dup61, - ])); - - var msg564 = msg("00032:01", part943); - - var part944 = match("MESSAGE#556:00032:03/0", "nwparser.payload", "Vsys %{fld2->} has been %{p0}"); - - var part945 = match("MESSAGE#556:00032:03/1_0", "nwparser.p0", "changed to %{fld3}"); - - var part946 = match("MESSAGE#556:00032:03/1_1", "nwparser.p0", "created%{}"); - - var part947 = match("MESSAGE#556:00032:03/1_2", "nwparser.p0", "deleted%{}"); - - var part948 = match("MESSAGE#556:00032:03/1_3", "nwparser.p0", "removed%{}"); - - var select206 = linear_select([ - part945, - part946, - part947, - part948, - ]); - - var all186 = all_match({ - processors: [ - part944, - select206, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg565 = msg("00032:03", all186); - - var part949 = match("MESSAGE#557:00032:04", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to %{daddr}:%{dport->} using protocol %{protocol->} on interface %{interface}.%{space}The attack occurred 
%{dclass_counter1->} times", processor_chain([ - dup232, - dup2, - dup3, - dup4, - dup59, - dup5, - dup61, - ])); - - var msg566 = msg("00032:04", part949); - - var part950 = match("MESSAGE#558:00032:05", "nwparser.payload", "%{change_attribute->} for vsys %{fld2->} has been changed from %{change_old->} to %{change_new}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg567 = msg("00032:05", part950); - - var msg568 = msg("00032:02", dup375); - - var select207 = linear_select([ - msg563, - msg564, - msg565, - msg566, - msg567, - msg568, - ]); - - var part951 = match("MESSAGE#560:00033:25", "nwparser.payload", "NSM has been %{disposition}. (%{fld1})", processor_chain([ - dup44, - dup2, - dup3, - dup9, - dup4, - dup5, - setc("agent","NSM"), - ])); - - var msg569 = msg("00033:25", part951); - - var part952 = match("MESSAGE#561:00033/1", "nwparser.p0", "timeout value has been %{p0}"); - - var part953 = match("MESSAGE#561:00033/2_1", "nwparser.p0", "returned%{p0}"); - - var select208 = linear_select([ - dup52, - part953, - ]); - - var part954 = match("MESSAGE#561:00033/3", "nwparser.p0", "%{}to %{fld2}"); - - var all187 = all_match({ - processors: [ - dup382, - part952, - select208, - part954, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg570 = msg("00033", all187); - - var part955 = match("MESSAGE#562:00033:03/1_0", "nwparser.p0", "Global PRO %{p0}"); - - var part956 = match("MESSAGE#562:00033:03/1_1", "nwparser.p0", "%{fld3->} %{p0}"); - - var select209 = linear_select([ - part955, - part956, - ]); - - var part957 = match("MESSAGE#562:00033:03/4", "nwparser.p0", "host has been set to %{fld4}"); - - var all188 = all_match({ - processors: [ - dup160, - select209, - dup23, - dup369, - part957, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg571 = msg("00033:03", all188); - - var part958 = match("MESSAGE#563:00033:02/3", "nwparser.p0", "host 
has been %{disposition}"); - - var all189 = all_match({ - processors: [ - dup382, - dup23, - dup369, - part958, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg572 = msg("00033:02", all189); - - var part959 = match("MESSAGE#564:00033:04", "nwparser.payload", "Reporting of %{fld2->} to %{fld3->} has been %{disposition}.", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg573 = msg("00033:04", part959); - - var part960 = match("MESSAGE#565:00033:05", "nwparser.payload", "Global PRO has been %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg574 = msg("00033:05", part960); - - var part961 = match("MESSAGE#566:00033:06", "nwparser.payload", "%{signame}! From %{saddr}:%{sport->} to %{daddr}:%{dport->} using protocol %{protocol->} and arriving at interface %{interface}. The attack occurred %{dclass_counter1->} times", processor_chain([ - dup27, - dup2, - dup3, - dup59, - dup4, - dup5, - dup61, - ])); - - var msg575 = msg("00033:06", part961); - - var part962 = match("MESSAGE#567:00033:01", "nwparser.payload", "%{signame}! From %{saddr}:%{sport->} to %{daddr}:%{dport->} using protocol %{protocol->} and arriving at interface %{interface}. 
The threshold was exceeded %{dclass_counter1->} times", processor_chain([ - dup27, - dup2, - dup3, - setc("dclass_counter1_string","Number of times the threshold was exceeded"), - dup4, - dup5, - dup61, - ])); - - var msg576 = msg("00033:01", part962); - - var part963 = match("MESSAGE#568:00033:07", "nwparser.payload", "User-defined service %{service->} has been %{disposition->} from %{fld2->} distribution", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg577 = msg("00033:07", part963); - - var part964 = match("MESSAGE#569:00033:08/2", "nwparser.p0", "?s CA certificate field has not been specified.%{}"); - - var all190 = all_match({ - processors: [ - dup235, - dup383, - part964, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg578 = msg("00033:08", all190); - - var part965 = match("MESSAGE#570:00033:09/2", "nwparser.p0", "?s Cert-Subject field has not been specified.%{}"); - - var all191 = all_match({ - processors: [ - dup235, - dup383, - part965, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg579 = msg("00033:09", all191); - - var part966 = match("MESSAGE#571:00033:10/2", "nwparser.p0", "?s host field has been %{p0}"); - - var part967 = match("MESSAGE#571:00033:10/3_0", "nwparser.p0", "set to %{fld2->} %{p0}"); - - var select210 = linear_select([ - part967, - dup238, - ]); - - var all192 = all_match({ - processors: [ - dup235, - dup383, - part966, - select210, - dup116, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg580 = msg("00033:10", all192); - - var part968 = match("MESSAGE#572:00033:11/2", "nwparser.p0", "?s outgoing interface used to report NACN to Policy Manager %{p0}"); - - var part969 = match("MESSAGE#572:00033:11/4", "nwparser.p0", "has not been specified.%{}"); - - var all193 = all_match({ - processors: [ - dup235, - dup383, - part968, - dup383, - part969, - ], - 
on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg581 = msg("00033:11", all193); - - var part970 = match("MESSAGE#573:00033:12/2", "nwparser.p0", "?s password field has been %{p0}"); - - var select211 = linear_select([ - dup101, - dup238, - ]); - - var all194 = all_match({ - processors: [ - dup235, - dup383, - part970, - select211, - dup116, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg582 = msg("00033:12", all194); - - var part971 = match("MESSAGE#574:00033:13/2", "nwparser.p0", "?s policy-domain field has been %{p0}"); - - var part972 = match("MESSAGE#574:00033:13/3_0", "nwparser.p0", "unset .%{}"); - - var part973 = match("MESSAGE#574:00033:13/3_1", "nwparser.p0", "set to %{domain}."); - - var select212 = linear_select([ - part972, - part973, - ]); - - var all195 = all_match({ - processors: [ - dup235, - dup383, - part971, - select212, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg583 = msg("00033:13", all195); - - var part974 = match("MESSAGE#575:00033:14/2", "nwparser.p0", "?s CA certificate field has been set to %{fld2}."); - - var all196 = all_match({ - processors: [ - dup235, - dup383, - part974, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg584 = msg("00033:14", all196); - - var part975 = match("MESSAGE#576:00033:15/2", "nwparser.p0", "?s Cert-Subject field has been set to %{fld2}."); - - var all197 = all_match({ - processors: [ - dup235, - dup383, - part975, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg585 = msg("00033:15", all197); - - var part976 = match("MESSAGE#577:00033:16/2", "nwparser.p0", "?s outgoing-interface field has been set to %{interface}."); - - var all198 = all_match({ - processors: [ - dup235, - dup383, - part976, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, 
- dup5, - ]), - }); - - var msg586 = msg("00033:16", all198); - - var part977 = match("MESSAGE#578:00033:17/2", "nwparser.p0", "?s port field has been %{p0}"); - - var part978 = match("MESSAGE#578:00033:17/3_0", "nwparser.p0", "set to %{network_port->} %{p0}"); - - var part979 = match("MESSAGE#578:00033:17/3_1", "nwparser.p0", "reset to the default value %{p0}"); - - var select213 = linear_select([ - part978, - part979, - ]); - - var all199 = all_match({ - processors: [ - dup235, - dup383, - part977, - select213, - dup116, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg587 = msg("00033:17", all199); - - var part980 = match("MESSAGE#579:00033:19/0", "nwparser.payload", "%{signame}! From %{saddr}:%{sport->} to %{daddr}:%{p0}"); - - var part981 = match("MESSAGE#579:00033:19/4", "nwparser.p0", "%{fld99}arriving at interface %{dinterface->} in zone %{dst_zone}.%{space}The attack occurred %{dclass_counter1->} time."); - - var all200 = all_match({ - processors: [ - part980, - dup339, - dup70, - dup340, - part981, - ], - on_success: processor_chain([ - dup27, - dup2, - dup4, - dup5, - dup3, - dup59, - dup61, - ]), - }); - - var msg588 = msg("00033:19", all200); - - var part982 = match("MESSAGE#580:00033:20", "nwparser.payload", "%{signame}! From %{saddr->} to %{daddr}, using protocol %{protocol}, and arriving at interface %{dinterface->} in zone %{dst_zone}.%{space}The attack occurred %{dclass_counter1->} time.", processor_chain([ - dup27, - dup2, - dup4, - dup5, - dup3, - dup59, - dup60, - ])); - - var msg589 = msg("00033:20", part982); - - var all201 = all_match({ - processors: [ - dup239, - dup343, - dup83, - ], - on_success: processor_chain([ - dup27, - dup2, - dup9, - dup59, - dup3, - dup4, - dup5, - dup61, - ]), - }); - - var msg590 = msg("00033:21", all201); - - var part983 = match("MESSAGE#582:00033:22/0", "nwparser.payload", "%{signame}! 
From %{saddr->} to %{daddr}, proto %{protocol->} (zone %{zone->} %{p0}"); - - var all202 = all_match({ - processors: [ - part983, - dup343, - dup83, - ], - on_success: processor_chain([ - dup27, - dup2, - dup9, - dup59, - dup3, - dup4, - dup5, - dup60, - ]), - }); - - var msg591 = msg("00033:22", all202); - - var part984 = match("MESSAGE#583:00033:23", "nwparser.payload", "NSM primary server with name %{hostname->} was set: addr %{hostip}, port %{network_port}. (%{fld1})", processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg592 = msg("00033:23", part984); - - var part985 = match("MESSAGE#584:00033:24", "nwparser.payload", "session threshold From %{saddr}:%{sport->} to %{daddr}:%{dport}, using protocol %{protocol}, on zone %{zone->} interface %{interface}.%{info}. (%{fld1})", processor_chain([ - setc("eventcategory","1001030500"), - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg593 = msg("00033:24", part985); - - var select214 = linear_select([ - msg569, - msg570, - msg571, - msg572, - msg573, - msg574, - msg575, - msg576, - msg577, - msg578, - msg579, - msg580, - msg581, - msg582, - msg583, - msg584, - msg585, - msg586, - msg587, - msg588, - msg589, - msg590, - msg591, - msg592, - msg593, - ]); - - var part986 = match("MESSAGE#585:00034/0_0", "nwparser.payload", "SCS: Failed %{p0}"); - - var part987 = match("MESSAGE#585:00034/0_1", "nwparser.payload", "Failed %{p0}"); - - var select215 = linear_select([ - part986, - part987, - ]); - - var part988 = match("MESSAGE#585:00034/2_0", "nwparser.p0", "bind %{p0}"); - - var part989 = match("MESSAGE#585:00034/2_2", "nwparser.p0", "retrieve %{p0}"); - - var select216 = linear_select([ - part988, - dup201, - part989, - ]); - - var select217 = linear_select([ - dup196, - dup103, - dup163, - ]); - - var part990 = match("MESSAGE#585:00034/5", "nwparser.p0", "SSH user %{username}. 
(Key ID=%{fld2})"); - - var all203 = all_match({ - processors: [ - select215, - dup103, - select216, - dup202, - select217, - part990, - ], - on_success: processor_chain([ - dup240, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg594 = msg("00034", all203); - - var part991 = match("MESSAGE#586:00034:01/0_0", "nwparser.payload", "SCS: Incompatible %{p0}"); - - var part992 = match("MESSAGE#586:00034:01/0_1", "nwparser.payload", "Incompatible %{p0}"); - - var select218 = linear_select([ - part991, - part992, - ]); - - var part993 = match("MESSAGE#586:00034:01/1", "nwparser.p0", "SSH version %{version->} has been received from %{p0}"); - - var part994 = match("MESSAGE#586:00034:01/2_0", "nwparser.p0", "the SSH %{p0}"); - - var select219 = linear_select([ - part994, - dup241, - ]); - - var part995 = match("MESSAGE#586:00034:01/3", "nwparser.p0", "client at %{saddr}:%{sport}"); - - var all204 = all_match({ - processors: [ - select218, - part993, - select219, - part995, - ], - on_success: processor_chain([ - dup240, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg595 = msg("00034:01", all204); - - var part996 = match("MESSAGE#587:00034:02", "nwparser.payload", "Maximum number of SCS sessions %{fld2->} has been reached. Connection request from SSH user %{username->} at %{saddr}:%{sport->} has been %{disposition}", processor_chain([ - dup240, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg596 = msg("00034:02", part996); - - var part997 = match("MESSAGE#588:00034:03/1", "nwparser.p0", "device failed to authenticate the SSH client at %{saddr}:%{sport}"); - - var all205 = all_match({ - processors: [ - dup384, - part997, - ], - on_success: processor_chain([ - dup240, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg597 = msg("00034:03", all205); - - var part998 = match("MESSAGE#589:00034:04", "nwparser.payload", "SCS: NetScreen device failed to generate a PKA RSA challenge for SSH user %{username->} at %{saddr}:%{sport}. 
(Key ID=%{fld2})", processor_chain([ - dup240, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg598 = msg("00034:04", part998); - - var part999 = match("MESSAGE#590:00034:05", "nwparser.payload", "NetScreen device failed to generate a PKA RSA challenge for SSH user %{username}. (Key ID=%{fld2})", processor_chain([ - dup240, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg599 = msg("00034:05", part999); - - var part1000 = match("MESSAGE#591:00034:06/1", "nwparser.p0", "device failed to %{p0}"); - - var part1001 = match("MESSAGE#591:00034:06/2_0", "nwparser.p0", "identify itself %{p0}"); - - var part1002 = match("MESSAGE#591:00034:06/2_1", "nwparser.p0", "send the identification string %{p0}"); - - var select220 = linear_select([ - part1001, - part1002, - ]); - - var part1003 = match("MESSAGE#591:00034:06/3", "nwparser.p0", "to the SSH client at %{saddr}:%{sport}"); - - var all206 = all_match({ - processors: [ - dup384, - part1000, - select220, - part1003, - ], - on_success: processor_chain([ - dup240, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg600 = msg("00034:06", all206); - - var part1004 = match("MESSAGE#592:00034:07", "nwparser.payload", "SCS connection has been terminated for admin user %{username->} at %{saddr}:%{sport}", processor_chain([ - dup240, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg601 = msg("00034:07", part1004); - - var part1005 = match("MESSAGE#593:00034:08", "nwparser.payload", "SCS: SCS has been %{disposition->} for %{username->} with %{fld2->} existing PKA keys already bound to %{fld3->} SSH users.", processor_chain([ - dup240, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg602 = msg("00034:08", part1005); - - var part1006 = match("MESSAGE#594:00034:09", "nwparser.payload", "SCS has been %{disposition->} for %{username->} with %{fld2->} PKA keys already bound to %{fld3->} SSH users", processor_chain([ - dup240, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg603 = msg("00034:09", part1006); - - var part1007 = 
match("MESSAGE#595:00034:10/2", "nwparser.p0", "%{}client at %{saddr->} has attempted to make an SCS connection to %{p0}"); - - var part1008 = match("MESSAGE#595:00034:10/4", "nwparser.p0", "%{interface->} %{p0}"); - - var part1009 = match("MESSAGE#595:00034:10/5_0", "nwparser.p0", "with%{p0}"); - - var part1010 = match("MESSAGE#595:00034:10/5_1", "nwparser.p0", "at%{p0}"); - - var select221 = linear_select([ - part1009, - part1010, - ]); - - var part1011 = match("MESSAGE#595:00034:10/6", "nwparser.p0", "%{}IP %{hostip->} but %{disposition->} because %{result}"); - - var all207 = all_match({ - processors: [ - dup244, - dup385, - part1007, - dup352, - part1008, - select221, - part1011, - ], - on_success: processor_chain([ - dup240, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg604 = msg("00034:10", all207); - - var part1012 = match("MESSAGE#596:00034:12/2", "nwparser.p0", "%{}client at %{saddr}:%{sport->} has attempted to make an SCS connection to %{p0}"); - - var part1013 = match("MESSAGE#596:00034:12/4", "nwparser.p0", "but %{disposition->} because %{result}"); - - var all208 = all_match({ - processors: [ - dup244, - dup385, - part1012, - dup386, - part1013, - ], - on_success: processor_chain([ - dup240, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg605 = msg("00034:12", all208); - - var part1014 = match("MESSAGE#597:00034:11/2", "nwparser.p0", "%{}client at %{saddr}:%{sport->} has %{disposition->} to make an SCS connection to %{p0}"); - - var part1015 = match("MESSAGE#597:00034:11/4", "nwparser.p0", "because %{result}"); - - var all209 = all_match({ - processors: [ - dup244, - dup385, - part1014, - dup386, - part1015, - ], - on_success: processor_chain([ - dup240, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg606 = msg("00034:11", all209); - - var part1016 = match("MESSAGE#598:00034:15", "nwparser.payload", "SSH client at %{saddr}:%{sport->} has %{disposition->} to make an SCS connection because %{result}", processor_chain([ - dup240, - 
dup2, - dup3, - dup4, - dup5, - ])); - - var msg607 = msg("00034:15", part1016); - - var part1017 = match("MESSAGE#599:00034:18/2", "nwparser.p0", "user %{username->} at %{saddr}:%{sport->} cannot log in via SCS to %{service->} using the shared %{interface->} interface because %{result}"); - - var all210 = all_match({ - processors: [ - dup244, - dup387, - part1017, - ], - on_success: processor_chain([ - dup240, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg608 = msg("00034:18", all210); - - var part1018 = match("MESSAGE#600:00034:20/2", "nwparser.p0", "user %{username->} at %{saddr}:%{sport->} has %{disposition->} the PKA RSA challenge"); - - var all211 = all_match({ - processors: [ - dup244, - dup387, - part1018, - ], - on_success: processor_chain([ - dup240, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg609 = msg("00034:20", all211); - - var part1019 = match("MESSAGE#601:00034:21/2", "nwparser.p0", "user %{username->} at %{saddr}:%{sport->} has requested %{p0}"); - - var part1020 = match("MESSAGE#601:00034:21/4", "nwparser.p0", "authentication which is not %{p0}"); - - var part1021 = match("MESSAGE#601:00034:21/5_0", "nwparser.p0", "supported %{p0}"); - - var select222 = linear_select([ - part1021, - dup156, - ]); - - var part1022 = match("MESSAGE#601:00034:21/6", "nwparser.p0", "for that %{p0}"); - - var part1023 = match("MESSAGE#601:00034:21/7_0", "nwparser.p0", "client%{}"); - - var part1024 = match("MESSAGE#601:00034:21/7_1", "nwparser.p0", "user%{}"); - - var select223 = linear_select([ - part1023, - part1024, - ]); - - var all212 = all_match({ - processors: [ - dup244, - dup387, - part1019, - dup372, - part1020, - select222, - part1022, - select223, - ], - on_success: processor_chain([ - dup240, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg610 = msg("00034:21", all212); - - var part1025 = match("MESSAGE#602:00034:22", "nwparser.payload", "SSH user %{username->} at %{saddr}:%{sport->} has unsuccessfully attempted to log in via SCS 
to vsys %{fld2->} using the shared untrusted interface", processor_chain([ - dup240, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg611 = msg("00034:22", part1025); - - var part1026 = match("MESSAGE#603:00034:23/1_0", "nwparser.p0", "SCS: Unable %{p0}"); - - var part1027 = match("MESSAGE#603:00034:23/1_1", "nwparser.p0", "Unable %{p0}"); - - var select224 = linear_select([ - part1026, - part1027, - ]); - - var part1028 = match("MESSAGE#603:00034:23/2", "nwparser.p0", "to validate cookie from the SSH client at %{saddr}:%{sport}"); - - var all213 = all_match({ - processors: [ - dup160, - select224, - part1028, - ], - on_success: processor_chain([ - dup240, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg612 = msg("00034:23", all213); - - var part1029 = match("MESSAGE#604:00034:24", "nwparser.payload", "AC %{username->} is advertising URL %{fld2}", processor_chain([ - dup240, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg613 = msg("00034:24", part1029); - - var part1030 = match("MESSAGE#605:00034:25", "nwparser.payload", "Message from AC %{username}: %{fld2}", processor_chain([ - dup240, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg614 = msg("00034:25", part1030); - - var part1031 = match("MESSAGE#606:00034:26", "nwparser.payload", "PPPoE Settings changed%{}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg615 = msg("00034:26", part1031); - - var part1032 = match("MESSAGE#607:00034:27", "nwparser.payload", "PPPoE is %{disposition->} on %{interface->} interface", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg616 = msg("00034:27", part1032); - - var part1033 = match("MESSAGE#608:00034:28", "nwparser.payload", "PPPoE%{quote}s session closed by AC", processor_chain([ - dup209, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg617 = msg("00034:28", part1033); - - var part1034 = match("MESSAGE#609:00034:29", "nwparser.payload", "SCS: Disabled for %{username}. 
Attempted connection %{disposition->} from %{saddr}:%{sport}", processor_chain([ - dup240, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg618 = msg("00034:29", part1034); - - var part1035 = match("MESSAGE#610:00034:30", "nwparser.payload", "SCS: %{disposition->} to remove PKA key removed.", processor_chain([ - dup240, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg619 = msg("00034:30", part1035); - - var part1036 = match("MESSAGE#611:00034:31", "nwparser.payload", "SCS: %{disposition->} to retrieve host key", processor_chain([ - dup240, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg620 = msg("00034:31", part1036); - - var part1037 = match("MESSAGE#612:00034:32", "nwparser.payload", "SCS: %{disposition->} to send identification string to client host at %{saddr}:%{sport}.", processor_chain([ - dup240, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg621 = msg("00034:32", part1037); - - var part1038 = match("MESSAGE#613:00034:33", "nwparser.payload", "SCS: Max %{fld2->} sessions reached unabel to accept connection : %{saddr}:%{sport}", processor_chain([ - dup240, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg622 = msg("00034:33", part1038); - - var part1039 = match("MESSAGE#614:00034:34", "nwparser.payload", "SCS: Maximum number for SCS sessions %{fld2->} has been reached. 
Connection request from SSH user at %{saddr}:%{sport->} has been %{disposition}.", processor_chain([ - dup240, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg623 = msg("00034:34", part1039); - - var part1040 = match("MESSAGE#615:00034:35", "nwparser.payload", "SCS: SSH user %{username->} at %{saddr}:%{sport->} has unsuccessfully attempted to log in via SCS to %{service->} using the shared untrusted interface because SCS is disabled on that interface.", processor_chain([ - dup240, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg624 = msg("00034:35", part1040); - - var part1041 = match("MESSAGE#616:00034:36", "nwparser.payload", "SCS: Unsupported cipher type %{fld2->} requested from: %{saddr}:%{sport}", processor_chain([ - dup240, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg625 = msg("00034:36", part1041); - - var part1042 = match("MESSAGE#617:00034:37", "nwparser.payload", "The Point-to-Point Protocol over Ethernet (PPPoE) protocol settings changed%{}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg626 = msg("00034:37", part1042); - - var part1043 = match("MESSAGE#618:00034:38", "nwparser.payload", "SSH: %{disposition->} to retreive PKA key bound to SSH user %{username->} (Key ID %{fld2})", processor_chain([ - dup240, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg627 = msg("00034:38", part1043); - - var part1044 = match("MESSAGE#619:00034:39", "nwparser.payload", "SSH: Error processing packet from host %{saddr->} (Code %{fld2})", processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg628 = msg("00034:39", part1044); - - var part1045 = match("MESSAGE#620:00034:40", "nwparser.payload", "SSH: Device failed to send initialization string to client at %{saddr}", processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg629 = msg("00034:40", part1045); - - var part1046 = match("MESSAGE#621:00034:41/0", "nwparser.payload", "SCP: Admin user '%{administrator}' attempted to transfer file 
%{p0}"); - - var part1047 = match("MESSAGE#621:00034:41/2", "nwparser.p0", "the device with insufficient privilege.%{}"); - - var all214 = all_match({ - processors: [ - part1046, - dup373, - part1047, - ], - on_success: processor_chain([ - dup240, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg630 = msg("00034:41", all214); - - var part1048 = match("MESSAGE#622:00034:42", "nwparser.payload", "SSH: Maximum number of SSH sessions (%{fld2}) exceeded. Connection request from SSH user %{username->} at %{saddr->} denied.", processor_chain([ - dup240, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg631 = msg("00034:42", part1048); - - var part1049 = match("MESSAGE#623:00034:43", "nwparser.payload", "Ethernet driver ran out of rx bd (port %{network_port})", processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg632 = msg("00034:43", part1049); - - var part1050 = match("MESSAGE#1224:00034:44", "nwparser.payload", "Potential replay attack detected on SSH connection initiated from %{saddr}:%{sport->} (%{fld1})", processor_chain([ - dup44, - dup2, - dup4, - dup5, - dup9, - ])); - - var msg633 = msg("00034:44", part1050); - - var select225 = linear_select([ - msg594, - msg595, - msg596, - msg597, - msg598, - msg599, - msg600, - msg601, - msg602, - msg603, - msg604, - msg605, - msg606, - msg607, - msg608, - msg609, - msg610, - msg611, - msg612, - msg613, - msg614, - msg615, - msg616, - msg617, - msg618, - msg619, - msg620, - msg621, - msg622, - msg623, - msg624, - msg625, - msg626, - msg627, - msg628, - msg629, - msg630, - msg631, - msg632, - msg633, - ]); - - var part1051 = match("MESSAGE#624:00035", "nwparser.payload", "PKI Verify Error: %{resultcode}:%{result}", processor_chain([ - dup117, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg634 = msg("00035", part1051); - - var part1052 = match("MESSAGE#625:00035:01", "nwparser.payload", "SSL - Error MessageID in incoming mail - %{fld2}", processor_chain([ - dup117, - dup2, - dup3, - dup4, - 
dup5, - ])); - - var msg635 = msg("00035:01", part1052); - - var part1053 = match("MESSAGE#626:00035:02", "nwparser.payload", "SSL - cipher type %{fld2->} is not allowed in export or firewall only system", processor_chain([ - dup117, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg636 = msg("00035:02", part1053); - - var part1054 = match("MESSAGE#627:00035:03", "nwparser.payload", "SSL CA changed%{}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg637 = msg("00035:03", part1054); - - var part1055 = match("MESSAGE#628:00035:04/0", "nwparser.payload", "SSL Error when retrieve local c%{p0}"); - - var part1056 = match("MESSAGE#628:00035:04/1_0", "nwparser.p0", "a(verify) %{p0}"); - - var part1057 = match("MESSAGE#628:00035:04/1_1", "nwparser.p0", "ert(verify) %{p0}"); - - var part1058 = match("MESSAGE#628:00035:04/1_2", "nwparser.p0", "ert(all) %{p0}"); - - var select226 = linear_select([ - part1056, - part1057, - part1058, - ]); - - var part1059 = match("MESSAGE#628:00035:04/2", "nwparser.p0", ": %{fld2}"); - - var all215 = all_match({ - processors: [ - part1055, - select226, - part1059, - ], - on_success: processor_chain([ - dup117, - dup2, - dup4, - dup5, - dup3, - ]), - }); - - var msg638 = msg("00035:04", all215); - - var part1060 = match("MESSAGE#629:00035:05", "nwparser.payload", "SSL No ssl context. 
Not ready for connections.%{}", processor_chain([ - dup117, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg639 = msg("00035:05", part1060); - - var part1061 = match("MESSAGE#630:00035:06/0", "nwparser.payload", "SSL c%{p0}"); - - var part1062 = match("MESSAGE#630:00035:06/2", "nwparser.p0", "changed to none%{}"); - - var all216 = all_match({ - processors: [ - part1061, - dup388, - part1062, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg640 = msg("00035:06", all216); - - var part1063 = match("MESSAGE#631:00035:07", "nwparser.payload", "SSL cert subject mismatch: %{fld2->} recieved %{fld3->} is expected", processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg641 = msg("00035:07", part1063); - - var part1064 = match("MESSAGE#632:00035:08", "nwparser.payload", "SSL certificate changed%{}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg642 = msg("00035:08", part1064); - - var part1065 = match("MESSAGE#633:00035:09/1_0", "nwparser.p0", "enabled%{}"); - - var select227 = linear_select([ - part1065, - dup92, - ]); - - var all217 = all_match({ - processors: [ - dup253, - select227, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg643 = msg("00035:09", all217); - - var part1066 = match("MESSAGE#634:00035:10/0", "nwparser.payload", "SSL memory allocation fails in process_c%{p0}"); - - var part1067 = match("MESSAGE#634:00035:10/1_0", "nwparser.p0", "a()%{}"); - - var part1068 = match("MESSAGE#634:00035:10/1_1", "nwparser.p0", "ert()%{}"); - - var select228 = linear_select([ - part1067, - part1068, - ]); - - var all218 = all_match({ - processors: [ - part1066, - select228, - ], - on_success: processor_chain([ - dup184, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg644 = msg("00035:10", all218); - - var part1069 = match("MESSAGE#635:00035:11/0", "nwparser.payload", "SSL no ssl c%{p0}"); - - var part1070 = 
match("MESSAGE#635:00035:11/1_0", "nwparser.p0", "a%{}"); - - var part1071 = match("MESSAGE#635:00035:11/1_1", "nwparser.p0", "ert%{}"); - - var select229 = linear_select([ - part1070, - part1071, - ]); - - var all219 = all_match({ - processors: [ - part1069, - select229, - ], - on_success: processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg645 = msg("00035:11", all219); - - var part1072 = match("MESSAGE#636:00035:12/0", "nwparser.payload", "SSL set c%{p0}"); - - var part1073 = match("MESSAGE#636:00035:12/2", "nwparser.p0", "id is invalid %{fld2}"); - - var all220 = all_match({ - processors: [ - part1072, - dup388, - part1073, - ], - on_success: processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg646 = msg("00035:12", all220); - - var part1074 = match("MESSAGE#637:00035:13/1_1", "nwparser.p0", "verify %{p0}"); - - var select230 = linear_select([ - dup101, - part1074, - ]); - - var part1075 = match("MESSAGE#637:00035:13/2", "nwparser.p0", "cert failed. 
Key type is not RSA%{}"); - - var all221 = all_match({ - processors: [ - dup253, - select230, - part1075, - ], - on_success: processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg647 = msg("00035:13", all221); - - var part1076 = match("MESSAGE#638:00035:14", "nwparser.payload", "SSL ssl context init failed%{}", processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg648 = msg("00035:14", part1076); - - var part1077 = match("MESSAGE#639:00035:15/0", "nwparser.payload", "%{change_attribute->} has been changed %{p0}"); - - var part1078 = match("MESSAGE#639:00035:15/1_0", "nwparser.p0", "from %{change_old->} to %{change_new}"); - - var part1079 = match("MESSAGE#639:00035:15/1_1", "nwparser.p0", "to %{fld2}"); - - var select231 = linear_select([ - part1078, - part1079, - ]); - - var all222 = all_match({ - processors: [ - part1077, - select231, - ], - on_success: processor_chain([ - dup184, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg649 = msg("00035:15", all222); - - var part1080 = match("MESSAGE#640:00035:16", "nwparser.payload", "web SSL certificate changed to by %{username->} via web from host %{saddr->} to %{daddr}:%{dport->} %{fld5}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg650 = msg("00035:16", part1080); - - var select232 = linear_select([ - msg634, - msg635, - msg636, - msg637, - msg638, - msg639, - msg640, - msg641, - msg642, - msg643, - msg644, - msg645, - msg646, - msg647, - msg648, - msg649, - msg650, - ]); - - var part1081 = match("MESSAGE#641:00036", "nwparser.payload", "An optional ScreenOS feature has been activated via a software key%{}", processor_chain([ - dup209, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg651 = msg("00036", part1081); - - var part1082 = match("MESSAGE#642:00036:01/0", "nwparser.payload", "%{fld2->} license keys were updated successfully by %{p0}"); - - var part1083 = match("MESSAGE#642:00036:01/1_1", "nwparser.p0", "manual %{p0}"); 
- - var select233 = linear_select([ - dup214, - part1083, - ]); - - var part1084 = match("MESSAGE#642:00036:01/2", "nwparser.p0", "retrieval%{}"); - - var all223 = all_match({ - processors: [ - part1082, - select233, - part1084, - ], - on_success: processor_chain([ - dup254, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg652 = msg("00036:01", all223); - - var select234 = linear_select([ - msg651, - msg652, - ]); - - var part1085 = match("MESSAGE#643:00037/0", "nwparser.payload", "Intra-zone block for zone %{zone->} was set to o%{p0}"); - - var part1086 = match("MESSAGE#643:00037/1_0", "nwparser.p0", "n%{}"); - - var part1087 = match("MESSAGE#643:00037/1_1", "nwparser.p0", "ff%{}"); - - var select235 = linear_select([ - part1086, - part1087, - ]); - - var all224 = all_match({ - processors: [ - part1085, - select235, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg653 = msg("00037", all224); - - var part1088 = match("MESSAGE#644:00037:01/0", "nwparser.payload", "New zone %{zone->} ( %{p0}"); - - var select236 = linear_select([ - dup255, - dup256, - ]); - - var part1089 = match("MESSAGE#644:00037:01/2", "nwparser.p0", "%{fld2}) was created.%{p0}"); - - var all225 = all_match({ - processors: [ - part1088, - select236, - part1089, - dup351, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg654 = msg("00037:01", all225); - - var part1090 = match("MESSAGE#645:00037:02", "nwparser.payload", "Tunnel zone %{src_zone->} was bound to out zone %{dst_zone}.", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg655 = msg("00037:02", part1090); - - var part1091 = match("MESSAGE#646:00037:03/1_0", "nwparser.p0", "was was %{p0}"); - - var part1092 = match("MESSAGE#646:00037:03/1_1", "nwparser.p0", "%{zone->} was %{p0}"); - - var select237 = linear_select([ - part1091, - part1092, - ]); - - var part1093 = match("MESSAGE#646:00037:03/3", 
"nwparser.p0", "virtual router %{p0}"); - - var part1094 = match("MESSAGE#646:00037:03/4_0", "nwparser.p0", "%{node->} (%{fld1})"); - - var part1095 = match("MESSAGE#646:00037:03/4_1", "nwparser.p0", "%{node}."); - - var select238 = linear_select([ - part1094, - part1095, - ]); - - var all226 = all_match({ - processors: [ - dup113, - select237, - dup371, - part1093, - select238, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg656 = msg("00037:03", all226); - - var part1096 = match("MESSAGE#647:00037:04", "nwparser.payload", "Zone %{zone->} was changed to non-shared.", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg657 = msg("00037:04", part1096); - - var part1097 = match("MESSAGE#648:00037:05/0", "nwparser.payload", "Zone %{zone->} ( %{p0}"); - - var select239 = linear_select([ - dup256, - dup255, - ]); - - var part1098 = match("MESSAGE#648:00037:05/2", "nwparser.p0", "%{fld2}) was deleted. %{p0}"); - - var part1099 = match_copy("MESSAGE#648:00037:05/3_1", "nwparser.p0", "space"); - - var select240 = linear_select([ - dup10, - part1099, - ]); - - var all227 = all_match({ - processors: [ - part1097, - select239, - part1098, - select240, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg658 = msg("00037:05", all227); - - var part1100 = match("MESSAGE#649:00037:06", "nwparser.payload", "IP/TCP reassembly for ALG was %{disposition->} on zone %{zone}.", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg659 = msg("00037:06", part1100); - - var select241 = linear_select([ - msg653, - msg654, - msg655, - msg656, - msg657, - msg658, - msg659, - ]); - - var part1101 = match("MESSAGE#650:00038/0", "nwparser.payload", "OSPF routing instance in vrouter %{p0}"); - - var part1102 = match("MESSAGE#650:00038/1_0", "nwparser.p0", "%{node->} is %{p0}"); - - var part1103 = match("MESSAGE#650:00038/1_1", 
"nwparser.p0", "%{node->} %{p0}"); - - var select242 = linear_select([ - part1102, - part1103, - ]); - - var all228 = all_match({ - processors: [ - part1101, - select242, - dup36, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg660 = msg("00038", all228); - - var part1104 = match("MESSAGE#651:00039", "nwparser.payload", "BGP instance name created for vr %{node}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg661 = msg("00039", part1104); - - var part1105 = match("MESSAGE#652:00040/0_0", "nwparser.payload", "Low watermark%{p0}"); - - var part1106 = match("MESSAGE#652:00040/0_1", "nwparser.payload", "High watermark%{p0}"); - - var select243 = linear_select([ - part1105, - part1106, - ]); - - var part1107 = match("MESSAGE#652:00040/1", "nwparser.p0", "%{}for early aging has been changed to the default %{fld2}"); - - var all229 = all_match({ - processors: [ - select243, - part1107, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg662 = msg("00040", all229); - - var part1108 = match("MESSAGE#653:00040:01", "nwparser.payload", "VPN '%{group}' from %{daddr->} is %{disposition->} (%{fld1})", processor_chain([ - dup44, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg663 = msg("00040:01", part1108); - - var select244 = linear_select([ - msg662, - msg663, - ]); - - var part1109 = match("MESSAGE#654:00041", "nwparser.payload", "A route-map name in virtual router %{node->} has been removed", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg664 = msg("00041", part1109); - - var part1110 = match("MESSAGE#655:00041:01", "nwparser.payload", "VPN '%{group}' from %{daddr->} is %{disposition->} (%{fld1})", processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg665 = msg("00041:01", part1110); - - var select245 = linear_select([ - msg664, - msg665, - ]); - - var part1111 = 
match("MESSAGE#656:00042", "nwparser.payload", "Replay packet detected on IPSec tunnel on %{interface->} with tunnel ID %{fld2}! From %{saddr->} to %{daddr}/%{dport}, %{info->} (%{fld1})", processor_chain([ - dup58, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg666 = msg("00042", part1111); - - var part1112 = match("MESSAGE#657:00042:01", "nwparser.payload", "%{signame->} From %{saddr->} to %{daddr}, using protocol %{protocol}, and arriving at interface %{dinterface->} in zone %{dst_zone}.The attack occurred %{dclass_counter1->} times. (%{fld1})", processor_chain([ - dup58, - dup2, - dup3, - dup59, - dup9, - dup4, - dup5, - dup60, - ])); - - var msg667 = msg("00042:01", part1112); - - var select246 = linear_select([ - msg666, - msg667, - ]); - - var part1113 = match("MESSAGE#658:00043", "nwparser.payload", "Receive StopCCN_msg, remove l2tp tunnel (%{fld2}-%{fld3}), Result code %{resultcode->} (%{result}). (%{fld1})", processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg668 = msg("00043", part1113); - - var part1114 = match("MESSAGE#659:00044/0", "nwparser.payload", "access list %{listnum->} sequence number %{fld3->} %{p0}"); - - var part1115 = match("MESSAGE#659:00044/1_1", "nwparser.p0", "deny %{p0}"); - - var select247 = linear_select([ - dup257, - part1115, - ]); - - var part1116 = match("MESSAGE#659:00044/2", "nwparser.p0", "ip %{hostip}/%{mask->} %{disposition->} in vrouter %{node}"); - - var all230 = all_match({ - processors: [ - part1114, - select247, - part1116, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg669 = msg("00044", all230); - - var part1117 = match("MESSAGE#660:00044:01", "nwparser.payload", "access list %{listnum->} %{disposition->} in vrouter %{node}.", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg670 = msg("00044:01", part1117); - - var select248 = linear_select([ - msg669, - msg670, - ]); - - var part1118 = 
match("MESSAGE#661:00045", "nwparser.payload", "RIP instance in virtual router %{node->} was %{disposition}.", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg671 = msg("00045", part1118); - - var part1119 = match("MESSAGE#662:00047/1_0", "nwparser.p0", "remove %{p0}"); - - var part1120 = match("MESSAGE#662:00047/1_1", "nwparser.p0", "add %{p0}"); - - var select249 = linear_select([ - part1119, - part1120, - ]); - - var part1121 = match("MESSAGE#662:00047/2", "nwparser.p0", "multicast policy from %{src_zone->} %{fld4->} to %{dst_zone->} %{fld3->} (%{fld1})"); - - var all231 = all_match({ - processors: [ - dup183, - select249, - part1121, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg672 = msg("00047", all231); - - var part1122 = match("MESSAGE#663:00048/0", "nwparser.payload", "Access list entry %{listnum->} with %{p0}"); - - var part1123 = match("MESSAGE#663:00048/1_0", "nwparser.p0", "a sequence %{p0}"); - - var part1124 = match("MESSAGE#663:00048/1_1", "nwparser.p0", "sequence %{p0}"); - - var select250 = linear_select([ - part1123, - part1124, - ]); - - var part1125 = match("MESSAGE#663:00048/2", "nwparser.p0", "number %{fld2->} %{p0}"); - - var part1126 = match("MESSAGE#663:00048/3_0", "nwparser.p0", "with an action of %{p0}"); - - var select251 = linear_select([ - part1126, - dup112, - ]); - - var part1127 = match("MESSAGE#663:00048/5_0", "nwparser.p0", "with an IP %{p0}"); - - var select252 = linear_select([ - part1127, - dup139, - ]); - - var part1128 = match("MESSAGE#663:00048/6", "nwparser.p0", "address %{p0}"); - - var part1129 = match("MESSAGE#663:00048/7_0", "nwparser.p0", "and subnetwork mask of %{p0}"); - - var select253 = linear_select([ - part1129, - dup16, - ]); - - var part1130 = match("MESSAGE#663:00048/8", "nwparser.p0", "%{} %{fld3}was %{p0}"); - - var part1131 = match("MESSAGE#663:00048/9_0", "nwparser.p0", "created on %{p0}"); - - var select254 = 
linear_select([ - part1131, - dup129, - ]); - - var part1132 = match("MESSAGE#663:00048/10", "nwparser.p0", "virtual router %{node->} (%{fld1})"); - - var all232 = all_match({ - processors: [ - part1122, - select250, - part1125, - select251, - dup257, - select252, - part1128, - select253, - part1130, - select254, - part1132, - ], - on_success: processor_chain([ - setc("eventcategory","1501000000"), - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg673 = msg("00048", all232); - - var part1133 = match("MESSAGE#664:00048:01/0", "nwparser.payload", "Route %{p0}"); - - var part1134 = match("MESSAGE#664:00048:01/1_0", "nwparser.p0", "map entry %{p0}"); - - var part1135 = match("MESSAGE#664:00048:01/1_1", "nwparser.p0", "entry %{p0}"); - - var select255 = linear_select([ - part1134, - part1135, - ]); - - var part1136 = match("MESSAGE#664:00048:01/2", "nwparser.p0", "with sequence number %{fld2->} in route map binck-ospf%{p0}"); - - var part1137 = match("MESSAGE#664:00048:01/3_0", "nwparser.p0", " in %{p0}"); - - var select256 = linear_select([ - part1137, - dup105, - ]); - - var part1138 = match("MESSAGE#664:00048:01/4", "nwparser.p0", "virtual router %{node->} was %{disposition->} (%{fld1})"); - - var all233 = all_match({ - processors: [ - part1133, - select255, - part1136, - select256, - part1138, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg674 = msg("00048:01", all233); - - var part1139 = match("MESSAGE#665:00048:02", "nwparser.payload", "%{space}set match interface %{interface->} (%{fld1})", processor_chain([ - dup209, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg675 = msg("00048:02", part1139); - - var select257 = linear_select([ - msg673, - msg674, - msg675, - ]); - - var part1140 = match("MESSAGE#666:00049", "nwparser.payload", "Route-lookup preference changed to %{fld8->} (%{fld2}) => %{fld3->} (%{fld4}) => %{fld5->} (%{fld6}) in virtual router (%{node})", processor_chain([ - 
dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg676 = msg("00049", part1140); - - var part1141 = match("MESSAGE#667:00049:01", "nwparser.payload", "SIBR routing %{disposition->} in virtual router %{node}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg677 = msg("00049:01", part1141); - - var part1142 = match("MESSAGE#668:00049:02", "nwparser.payload", "A virtual router with name %{node->} and ID %{fld2->} has been removed", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg678 = msg("00049:02", part1142); - - var part1143 = match("MESSAGE#669:00049:03", "nwparser.payload", "The router-id of virtual router \"%{node}\" used by OSPF, BGP routing instances id has been uninitialized. (%{fld1})", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg679 = msg("00049:03", part1143); - - var part1144 = match("MESSAGE#670:00049:04", "nwparser.payload", "The system default-route through virtual router \"%{node}\" has been added in virtual router \"%{fld4}\" (%{fld1})", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg680 = msg("00049:04", part1144); - - var part1145 = match("MESSAGE#671:00049:05", "nwparser.payload", "Subnetwork conflict checking for interfaces in virtual router (%{node}) has been enabled. 
(%{fld1})", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg681 = msg("00049:05", part1145); - - var select258 = linear_select([ - msg676, - msg677, - msg678, - msg679, - msg680, - msg681, - ]); - - var part1146 = match("MESSAGE#672:00050", "nwparser.payload", "Track IP enabled (%{fld1})", processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg682 = msg("00050", part1146); - - var part1147 = match("MESSAGE#673:00051", "nwparser.payload", "Session utilization has reached %{fld2}, which is %{fld3->} of the system capacity!", processor_chain([ - dup117, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg683 = msg("00051", part1147); - - var part1148 = match("MESSAGE#674:00052", "nwparser.payload", "AV: Suspicious client %{saddr}:%{sport}->%{daddr}:%{dport->} used %{fld2->} percent of AV resources, which exceeded the max of %{fld3->} percent.", processor_chain([ - dup117, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg684 = msg("00052", part1148); - - var part1149 = match("MESSAGE#675:00055/1_1", "nwparser.p0", "router %{p0}"); - - var select259 = linear_select([ - dup169, - part1149, - ]); - - var part1150 = match("MESSAGE#675:00055/2", "nwparser.p0", "instance was %{disposition->} on interface %{interface}."); - - var all234 = all_match({ - processors: [ - dup258, - select259, - part1150, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg685 = msg("00055", all234); - - var part1151 = match("MESSAGE#676:00055:01/1_0", "nwparser.p0", "proxy %{p0}"); - - var part1152 = match("MESSAGE#676:00055:01/1_1", "nwparser.p0", "function %{p0}"); - - var select260 = linear_select([ - part1151, - part1152, - ]); - - var part1153 = match("MESSAGE#676:00055:01/2", "nwparser.p0", "was %{disposition->} on interface %{interface}."); - - var all235 = all_match({ - processors: [ - dup258, - select260, - part1153, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, 
- dup5, - ]), - }); - - var msg686 = msg("00055:01", all235); - - var part1154 = match("MESSAGE#677:00055:02/2", "nwparser.p0", "same subnet check on interface %{interface}."); - - var all236 = all_match({ - processors: [ - dup259, - dup389, - part1154, - ], - on_success: processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg687 = msg("00055:02", all236); - - var part1155 = match("MESSAGE#678:00055:03/2", "nwparser.p0", "router alert IP option check on interface %{interface}."); - - var all237 = all_match({ - processors: [ - dup259, - dup389, - part1155, - ], - on_success: processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg688 = msg("00055:03", all237); - - var part1156 = match("MESSAGE#679:00055:04", "nwparser.payload", "IGMP version was changed to %{version->} on interface %{interface}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg689 = msg("00055:04", part1156); - - var part1157 = match("MESSAGE#680:00055:05/0", "nwparser.payload", "IGMP query %{p0}"); - - var part1158 = match("MESSAGE#680:00055:05/1_1", "nwparser.p0", "max response time %{p0}"); - - var select261 = linear_select([ - dup110, - part1158, - ]); - - var part1159 = match("MESSAGE#680:00055:05/2", "nwparser.p0", "was changed to %{fld2->} on interface %{interface}"); - - var all238 = all_match({ - processors: [ - part1157, - select261, - part1159, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg690 = msg("00055:05", all238); - - var part1160 = match("MESSAGE#681:00055:06/0", "nwparser.payload", "IGMP l%{p0}"); - - var part1161 = match("MESSAGE#681:00055:06/1_0", "nwparser.p0", "eave %{p0}"); - - var part1162 = match("MESSAGE#681:00055:06/1_1", "nwparser.p0", "ast member query %{p0}"); - - var select262 = linear_select([ - part1161, - part1162, - ]); - - var part1163 = match("MESSAGE#681:00055:06/2", "nwparser.p0", "interval was changed to %{fld2->} on interface 
%{interface}."); - - var all239 = all_match({ - processors: [ - part1160, - select262, - part1163, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg691 = msg("00055:06", all239); - - var part1164 = match("MESSAGE#682:00055:07/1_0", "nwparser.p0", "routers %{p0}"); - - var part1165 = match("MESSAGE#682:00055:07/1_1", "nwparser.p0", "hosts %{p0}"); - - var part1166 = match("MESSAGE#682:00055:07/1_2", "nwparser.p0", "groups %{p0}"); - - var select263 = linear_select([ - part1164, - part1165, - part1166, - ]); - - var part1167 = match("MESSAGE#682:00055:07/2", "nwparser.p0", "accept list ID was changed to %{fld2->} on interface %{interface}."); - - var all240 = all_match({ - processors: [ - dup258, - select263, - part1167, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg692 = msg("00055:07", all240); - - var part1168 = match("MESSAGE#683:00055:08/1_0", "nwparser.p0", "all groups %{p0}"); - - var part1169 = match("MESSAGE#683:00055:08/1_1", "nwparser.p0", "group %{p0}"); - - var select264 = linear_select([ - part1168, - part1169, - ]); - - var part1170 = match("MESSAGE#683:00055:08/2", "nwparser.p0", "%{group->} static flag was %{disposition->} on interface %{interface}."); - - var all241 = all_match({ - processors: [ - dup258, - select264, - part1170, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg693 = msg("00055:08", all241); - - var part1171 = match("MESSAGE#684:00055:09", "nwparser.payload", "IGMP static group %{group->} was added on interface %{interface}", processor_chain([ - dup209, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg694 = msg("00055:09", part1171); - - var part1172 = match("MESSAGE#685:00055:10", "nwparser.payload", "IGMP proxy always is %{disposition->} on interface %{interface}.", processor_chain([ - dup209, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg695 = msg("00055:10", part1172); - 
- var select265 = linear_select([ - msg685, - msg686, - msg687, - msg688, - msg689, - msg690, - msg691, - msg692, - msg693, - msg694, - msg695, - ]); - - var part1173 = match("MESSAGE#686:00056", "nwparser.payload", "Remove multicast policy from %{src_zone->} %{saddr->} to %{dst_zone->} %{daddr}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg696 = msg("00056", part1173); - - var part1174 = match("MESSAGE#687:00057", "nwparser.payload", "%{fld2}: static multicast route src=%{saddr}, grp=%{group->} input ifp = %{sinterface->} output ifp = %{dinterface->} added", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg697 = msg("00057", part1174); - - var part1175 = match("MESSAGE#688:00058", "nwparser.payload", "PIMSM protocol configured on interface %{interface}", processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg698 = msg("00058", part1175); - - var part1176 = match("MESSAGE#689:00059/0", "nwparser.payload", "DDNS module is %{p0}"); - - var part1177 = match("MESSAGE#689:00059/1_0", "nwparser.p0", "initialized %{p0}"); - - var select266 = linear_select([ - part1177, - dup262, - dup157, - dup156, - ]); - - var all242 = all_match({ - processors: [ - part1176, - select266, - dup116, - ], - on_success: processor_chain([ - dup209, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg699 = msg("00059", all242); - - var part1178 = match("MESSAGE#690:00059:02/0", "nwparser.payload", "DDNS entry with id %{fld2->} is configured with server type \"%{fld3}\" name \"%{hostname}\" refresh-interval %{fld5->} hours minimum update interval %{fld6->} minutes with %{p0}"); - - var part1179 = match("MESSAGE#690:00059:02/1_0", "nwparser.p0", "secure %{p0}"); - - var part1180 = match("MESSAGE#690:00059:02/1_1", "nwparser.p0", "clear-text %{p0}"); - - var select267 = linear_select([ - part1179, - part1180, - ]); - - var part1181 = match("MESSAGE#690:00059:02/2", "nwparser.p0", "secure connection.%{}"); - - var 
all243 = all_match({ - processors: [ - part1178, - select267, - part1181, - ], - on_success: processor_chain([ - dup209, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg700 = msg("00059:02", all243); - - var part1182 = match("MESSAGE#691:00059:03", "nwparser.payload", "DDNS entry with id %{fld2->} is configured with user name \"%{username}\" agent \"%{fld3}\"", processor_chain([ - dup209, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg701 = msg("00059:03", part1182); - - var part1183 = match("MESSAGE#692:00059:04", "nwparser.payload", "DDNS entry with id %{fld2->} is configured with interface \"%{interface}\" host-name \"%{hostname}\"", processor_chain([ - dup209, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg702 = msg("00059:04", part1183); - - var part1184 = match("MESSAGE#693:00059:05/0_0", "nwparser.payload", "Hostname %{p0}"); - - var part1185 = match("MESSAGE#693:00059:05/0_1", "nwparser.payload", "Source interface %{p0}"); - - var part1186 = match("MESSAGE#693:00059:05/0_2", "nwparser.payload", "Username and password %{p0}"); - - var part1187 = match("MESSAGE#693:00059:05/0_3", "nwparser.payload", "Server %{p0}"); - - var select268 = linear_select([ - part1184, - part1185, - part1186, - part1187, - ]); - - var part1188 = match("MESSAGE#693:00059:05/1", "nwparser.p0", "of DDNS entry with id %{fld2->} is cleared."); - - var all244 = all_match({ - processors: [ - select268, - part1188, - ], - on_success: processor_chain([ - dup209, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg703 = msg("00059:05", all244); - - var part1189 = match("MESSAGE#694:00059:06", "nwparser.payload", "Agent of DDNS entry with id %{fld2->} is reset to its default value.", processor_chain([ - dup209, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg704 = msg("00059:06", part1189); - - var part1190 = match("MESSAGE#695:00059:07", "nwparser.payload", "Updates for DDNS entry with id %{fld2->} are set to be sent in secure (%{protocol}) mode.", processor_chain([ - 
dup209, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg705 = msg("00059:07", part1190); - - var part1191 = match("MESSAGE#696:00059:08/0_0", "nwparser.payload", "Refresh %{p0}"); - - var part1192 = match("MESSAGE#696:00059:08/0_1", "nwparser.payload", "Minimum update %{p0}"); - - var select269 = linear_select([ - part1191, - part1192, - ]); - - var part1193 = match("MESSAGE#696:00059:08/1", "nwparser.p0", "interval of DDNS entry with id %{fld2->} is set to default value (%{fld3})."); - - var all245 = all_match({ - processors: [ - select269, - part1193, - ], - on_success: processor_chain([ - dup209, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg706 = msg("00059:08", all245); - - var part1194 = match("MESSAGE#697:00059:09/1_0", "nwparser.p0", "No-Change %{p0}"); - - var part1195 = match("MESSAGE#697:00059:09/1_1", "nwparser.p0", "Error %{p0}"); - - var select270 = linear_select([ - part1194, - part1195, - ]); - - var part1196 = match("MESSAGE#697:00059:09/2", "nwparser.p0", "response received for DDNS entry update for id %{fld2->} user \"%{username}\" domain \"%{domain}\" server type \" d%{p0}"); - - var part1197 = match("MESSAGE#697:00059:09/3_1", "nwparser.p0", "yndns %{p0}"); - - var select271 = linear_select([ - dup261, - part1197, - ]); - - var part1198 = match("MESSAGE#697:00059:09/4", "nwparser.p0", "\", server name \"%{hostname}\""); - - var all246 = all_match({ - processors: [ - dup160, - select270, - part1196, - select271, - part1198, - ], - on_success: processor_chain([ - dup209, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg707 = msg("00059:09", all246); - - var part1199 = match("MESSAGE#698:00059:01", "nwparser.payload", "DDNS entry with id %{fld2->} is %{disposition}.", processor_chain([ - dup209, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg708 = msg("00059:01", part1199); - - var select272 = linear_select([ - msg699, - msg700, - msg701, - msg702, - msg703, - msg704, - msg705, - msg706, - msg707, - msg708, - ]); - - var 
part1200 = match("MESSAGE#699:00062:01", "nwparser.payload", "Track IP IP address %{hostip->} failed. (%{event_time_string})", processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - setc("event_description","Track IP failed"), - ])); - - var msg709 = msg("00062:01", part1200); - - var part1201 = match("MESSAGE#700:00062:02", "nwparser.payload", "Track IP failure reached threshold. (%{event_time_string})", processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - setc("event_description","Track IP failure reached threshold"), - ])); - - var msg710 = msg("00062:02", part1201); - - var part1202 = match("MESSAGE#701:00062:03", "nwparser.payload", "Track IP IP address %{hostip->} succeeded. (%{event_time_string})", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - setc("event_description","Track IP succeeded"), - ])); - - var msg711 = msg("00062:03", part1202); - - var part1203 = match("MESSAGE#702:00062", "nwparser.payload", "HA linkdown%{}", processor_chain([ - dup86, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg712 = msg("00062", part1203); - - var select273 = linear_select([ - msg709, - msg710, - msg711, - msg712, - ]); - - var part1204 = match("MESSAGE#703:00063", "nwparser.payload", "nsrp track-ip ip %{hostip->} %{disposition}!", processor_chain([ - dup86, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg713 = msg("00063", part1204); - - var part1205 = match("MESSAGE#704:00064", "nwparser.payload", "Can not create track-ip list%{}", processor_chain([ - dup86, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg714 = msg("00064", part1205); - - var part1206 = match("MESSAGE#705:00064:01", "nwparser.payload", "track ip fail reaches threshold system may fail over!%{}", processor_chain([ - dup86, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg715 = msg("00064:01", part1206); - - var part1207 = match("MESSAGE#706:00064:02", "nwparser.payload", "Anti-Spam is detached from policy ID %{policy_id}. 
(%{fld1})", processor_chain([ - dup17, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg716 = msg("00064:02", part1207); - - var select274 = linear_select([ - msg714, - msg715, - msg716, - ]); - - var msg717 = msg("00070", dup411); - - var part1208 = match("MESSAGE#708:00070:01/2", "nwparser.p0", "%{}Device group %{group->} changed state from %{fld3->} to %{p0}"); - - var part1209 = match("MESSAGE#708:00070:01/3_0", "nwparser.p0", "Init%{}"); - - var part1210 = match("MESSAGE#708:00070:01/3_1", "nwparser.p0", "init. (%{fld1})"); - - var select275 = linear_select([ - part1209, - part1210, - ]); - - var all247 = all_match({ - processors: [ - dup267, - dup391, - part1208, - select275, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg718 = msg("00070:01", all247); - - var part1211 = match("MESSAGE#709:00070:02", "nwparser.payload", "NSRP: nsrp control channel change to %{interface}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg719 = msg("00070:02", part1211); - - var select276 = linear_select([ - msg717, - msg718, - msg719, - ]); - - var msg720 = msg("00071", dup411); - - var part1212 = match("MESSAGE#711:00071:01", "nwparser.payload", "The local device %{fld1->} in the Virtual Security Device group %{group->} changed state", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg721 = msg("00071:01", part1212); - - var select277 = linear_select([ - msg720, - msg721, - ]); - - var msg722 = msg("00072", dup411); - - var msg723 = msg("00072:01", dup412); - - var select278 = linear_select([ - msg722, - msg723, - ]); - - var msg724 = msg("00073", dup411); - - var msg725 = msg("00073:01", dup412); - - var select279 = linear_select([ - msg724, - msg725, - ]); - - var msg726 = msg("00074", dup392); - - var all248 = all_match({ - processors: [ - dup263, - dup390, - dup271, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - 
}); - - var msg727 = msg("00075", all248); - - var part1213 = match("MESSAGE#718:00075:02", "nwparser.payload", "The local device %{hardware_id->} in the Virtual Security Device group %{group->} changed state from %{event_state->} to inoperable. (%{fld1})", processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - setc("event_description","local device in the Virtual Security Device group changed state to inoperable"), - ])); - - var msg728 = msg("00075:02", part1213); - - var part1214 = match("MESSAGE#719:00075:01", "nwparser.payload", "The local device %{hardware_id->} in the Virtual Security Device group %{group->} %{info}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg729 = msg("00075:01", part1214); - - var select280 = linear_select([ - msg727, - msg728, - msg729, - ]); - - var msg730 = msg("00076", dup392); - - var part1215 = match("MESSAGE#721:00076:01/2", "nwparser.p0", "%{fld2->} of VSD group %{group->} send 2nd path request to unit=%{fld3}"); - - var all249 = all_match({ - processors: [ - dup263, - dup390, - part1215, - ], - on_success: processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg731 = msg("00076:01", all249); - - var select281 = linear_select([ - msg730, - msg731, - ]); - - var part1216 = match("MESSAGE#722:00077", "nwparser.payload", "HA link disconnect. 
Begin to use second path of HA%{}", processor_chain([ - dup144, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg732 = msg("00077", part1216); - - var all250 = all_match({ - processors: [ - dup263, - dup390, - dup271, - ], - on_success: processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg733 = msg("00077:01", all250); - - var part1217 = match("MESSAGE#724:00077:02", "nwparser.payload", "The local device %{fld2->} in the Virtual Security Device group %{group}", processor_chain([ - setc("eventcategory","1607000000"), - dup2, - dup3, - dup4, - dup5, - ])); - - var msg734 = msg("00077:02", part1217); - - var select282 = linear_select([ - msg732, - msg733, - msg734, - ]); - - var part1218 = match("MESSAGE#725:00084", "nwparser.payload", "RTSYNC: NSRP route synchronization is %{disposition}", processor_chain([ - dup272, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg735 = msg("00084", part1218); - - var part1219 = match("MESSAGE#726:00090/0_0", "nwparser.payload", "Failover %{p0}"); - - var part1220 = match("MESSAGE#726:00090/0_1", "nwparser.payload", "Recovery %{p0}"); - - var select283 = linear_select([ - part1219, - part1220, - ]); - - var part1221 = match("MESSAGE#726:00090/3", "nwparser.p0", "untrust interface occurred.%{}"); - - var all251 = all_match({ - processors: [ - select283, - dup103, - dup369, - part1221, - ], - on_success: processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg736 = msg("00090", all251); - - var part1222 = match("MESSAGE#727:00200", "nwparser.payload", "A new route cannot be added to the device because the maximum number of system route entries %{fld2->} has been exceeded", processor_chain([ - dup117, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg737 = msg("00200", part1222); - - var part1223 = match("MESSAGE#728:00201", "nwparser.payload", "A route %{hostip}/%{fld2->} cannot be added to the virtual router %{node->} because the number of route entries in the virtual router 
exceeds the maximum number of routes %{fld3->} allowed", processor_chain([ - dup117, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg738 = msg("00201", part1223); - - var part1224 = match("MESSAGE#729:00202", "nwparser.payload", "%{fld2->} hello-packet flood from neighbor (ip = %{hostip->} router-id = %{fld3}) on interface %{interface->} packet is dropped", processor_chain([ - dup272, - dup2, - dup4, - dup5, - dup3, - ])); - - var msg739 = msg("00202", part1224); - - var part1225 = match("MESSAGE#730:00203", "nwparser.payload", "%{fld2->} lsa flood on interface %{interface->} has dropped a packet.", processor_chain([ - dup272, - dup2, - dup4, - dup5, - dup3, - ])); - - var msg740 = msg("00203", part1225); - - var part1226 = match("MESSAGE#731:00206/0", "nwparser.payload", "The total number of redistributed routes into %{p0}"); - - var part1227 = match("MESSAGE#731:00206/1_0", "nwparser.p0", "BGP %{p0}"); - - var part1228 = match("MESSAGE#731:00206/1_1", "nwparser.p0", "OSPF %{p0}"); - - var select284 = linear_select([ - part1227, - part1228, - ]); - - var part1229 = match("MESSAGE#731:00206/2", "nwparser.p0", "in vrouter %{node->} exceeded system limit (%{fld2})"); - - var all252 = all_match({ - processors: [ - part1226, - select284, - part1229, - ], - on_success: processor_chain([ - dup272, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg741 = msg("00206", all252); - - var part1230 = match("MESSAGE#732:00206:01/0", "nwparser.payload", "LSA flood in OSPF with router-id %{fld2->} on %{p0}"); - - var part1231 = match("MESSAGE#732:00206:01/2", "nwparser.p0", "%{interface->} forced the interface to drop a packet."); - - var all253 = all_match({ - processors: [ - part1230, - dup352, - part1231, - ], - on_success: processor_chain([ - dup273, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg742 = msg("00206:01", all253); - - var part1232 = match("MESSAGE#733:00206:02/0", "nwparser.payload", "OSPF instance with router-id %{fld3->} received a Hello packet 
flood from neighbor (IP address %{hostip}, router ID %{fld2}) on %{p0}"); - - var part1233 = match("MESSAGE#733:00206:02/2", "nwparser.p0", "%{interface->} forcing the interface to drop the packet."); - - var all254 = all_match({ - processors: [ - part1232, - dup352, - part1233, - ], - on_success: processor_chain([ - dup273, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg743 = msg("00206:02", all254); - - var part1234 = match("MESSAGE#734:00206:03", "nwparser.payload", "Link State Advertisement Id %{fld2}, router ID %{fld3}, type %{fld4->} cannot be deleted from the real-time database in area %{fld5}", processor_chain([ - dup273, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg744 = msg("00206:03", part1234); - - var part1235 = match("MESSAGE#735:00206:04", "nwparser.payload", "Reject second OSPF neighbor (%{fld2}) on interface (%{interface}) since it_s configured as point-to-point interface", processor_chain([ - dup273, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg745 = msg("00206:04", part1235); - - var select285 = linear_select([ - msg741, - msg742, - msg743, - msg744, - msg745, - ]); - - var part1236 = match("MESSAGE#736:00207", "nwparser.payload", "System wide RIP route limit exceeded, RIP route dropped.%{}", processor_chain([ - dup273, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg746 = msg("00207", part1236); - - var part1237 = match("MESSAGE#737:00207:01", "nwparser.payload", "%{fld2->} RIP routes dropped from last system wide RIP route limit exceed.", processor_chain([ - dup273, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg747 = msg("00207:01", part1237); - - var part1238 = match("MESSAGE#738:00207:02", "nwparser.payload", "RIP database size limit exceeded for %{fld2}, RIP route dropped.", processor_chain([ - dup273, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg748 = msg("00207:02", part1238); - - var part1239 = match("MESSAGE#739:00207:03", "nwparser.payload", "%{fld2->} RIP routes dropped from the last database size exceed in 
vr %{fld3}.", processor_chain([ - dup273, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg749 = msg("00207:03", part1239); - - var select286 = linear_select([ - msg746, - msg747, - msg748, - msg749, - ]); - - var part1240 = match("MESSAGE#740:00257", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} direction=outgoing action=Deny sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport->} translated ip=%{stransaddr->} port=%{stransport}", processor_chain([ - dup185, - dup2, - dup4, - dup5, - dup3, - dup274, - dup275, - dup61, - dup276, - dup277, - dup278, - ])); - - var msg750 = msg("00257", part1240); - - var part1241 = match("MESSAGE#741:00257:14", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} direction=incoming action=Deny sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport->} translated ip=%{dtransaddr->} port=%{dtransport}", processor_chain([ - dup185, - dup2, - dup4, - dup5, - dup3, - dup274, - dup275, - dup279, - dup276, - dup277, - dup280, - ])); - - var msg751 = msg("00257:14", part1241); - - var part1242 = match("MESSAGE#742:00257:01", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} direction=outgoing action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport->} translated ip=%{stransaddr->} port=%{stransport}", processor_chain([ - dup281, - dup2, - dup4, - dup5, - dup3, - dup274, - dup275, - dup61, - dup282, - dup278, - ])); - - var msg752 = msg("00257:01", part1242); - - var part1243 = match("MESSAGE#743:00257:15", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} 
direction=incoming action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport->} translated ip=%{dtransaddr->} port=%{dtransport}", processor_chain([ - dup281, - dup2, - dup4, - dup5, - dup3, - dup274, - dup275, - dup279, - dup282, - dup280, - ])); - - var msg753 = msg("00257:15", part1243); - - var part1244 = match("MESSAGE#744:00257:02", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} direction=%{direction->} action=Deny sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport}", processor_chain([ - dup185, - dup2, - dup4, - dup5, - dup3, - dup274, - dup275, - dup61, - dup276, - dup277, - ])); - - var msg754 = msg("00257:02", part1244); - - var part1245 = match("MESSAGE#745:00257:03", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} direction=%{direction->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport}", processor_chain([ - dup281, - dup2, - dup4, - dup5, - dup3, - dup274, - dup275, - dup61, - dup282, - ])); - - var msg755 = msg("00257:03", part1245); - - var part1246 = match("MESSAGE#746:00257:04", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=Deny sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport->} src-xlated ip=%{stransaddr->} port=%{stransport}", processor_chain([ - dup185, - dup2, - dup4, - dup5, - dup3, - dup274, - dup275, - dup61, - dup276, - dup277, - ])); - - var msg756 = msg("00257:04", part1246); - - var part1247 = match("MESSAGE#747:00257:05", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} 
policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport->} src-xlated ip=%{stransaddr->} port=%{stransport->} dst-xlated ip=%{dtransaddr->} port=%{dtransport->} session_id=%{sessionid->} reason=%{result}", processor_chain([ - dup281, - dup2, - dup4, - dup5, - dup3, - dup274, - dup275, - dup61, - dup282, - ])); - - var msg757 = msg("00257:05", part1247); - - var part1248 = match("MESSAGE#748:00257:19/2", "nwparser.p0", "%{}duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} icmp type=%{icmptype->} icmp code=%{icmpcode->} src-xlated ip=%{stransaddr->} dst-xlated ip=%{dtransaddr->} session_id=%{sessionid->} reason=%{result}"); - - var all255 = all_match({ - processors: [ - dup283, - dup393, - part1248, - ], - on_success: processor_chain([ - dup281, - dup2, - dup4, - dup5, - dup3, - dup274, - dup275, - dup60, - dup282, - ]), - }); - - var msg758 = msg("00257:19", all255); - - var part1249 = match("MESSAGE#749:00257:16/2", "nwparser.p0", "%{}duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} icmp type=%{icmptype->} src-xlated ip=%{stransaddr->} dst-xlated ip=%{dtransaddr->} session_id=%{sessionid}"); - - var all256 = all_match({ - processors: [ - dup283, - dup393, - part1249, - ], - on_success: processor_chain([ - dup281, - dup2, - dup4, - dup5, - dup3, - dup274, - dup275, - dup60, - dup282, - ]), - }); - - var msg759 = msg("00257:16", all256); - - var part1250 = match("MESSAGE#750:00257:17/2", "nwparser.p0", "%{}duration=%{duration->} 
policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport->} src-xlated ip=%{stransaddr->} port=%{stransport->} dst-xlated ip=%{dtransaddr->} port=%{dtransport->} session_id=%{sessionid}"); - - var all257 = all_match({ - processors: [ - dup283, - dup393, - part1250, - ], - on_success: processor_chain([ - dup281, - dup2, - dup4, - dup5, - dup3, - dup274, - dup275, - dup61, - dup282, - ]), - }); - - var msg760 = msg("00257:17", all257); - - var part1251 = match("MESSAGE#751:00257:18/2", "nwparser.p0", "%{}duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport->} src-xlated ip=%{stransaddr->} port=%{stransport->} session_id=%{sessionid}"); - - var all258 = all_match({ - processors: [ - dup283, - dup393, - part1251, - ], - on_success: processor_chain([ - dup281, - dup2, - dup4, - dup5, - dup3, - dup274, - dup275, - dup61, - dup282, - ]), - }); - - var msg761 = msg("00257:18", all258); - - var part1252 = match("MESSAGE#752:00257:06/0", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=Deny sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{p0}"); - - var part1253 = match("MESSAGE#752:00257:06/1_0", "nwparser.p0", "%{dport->} session_id=%{sessionid}"); - - var part1254 = match_copy("MESSAGE#752:00257:06/1_1", "nwparser.p0", "dport"); - - var select287 = linear_select([ - part1253, - part1254, - ]); - - var all259 = all_match({ - processors: [ - part1252, - select287, - ], - on_success: processor_chain([ - dup185, - 
dup2, - dup4, - dup5, - dup3, - dup274, - dup275, - dup61, - dup276, - dup277, - ]), - }); - - var msg762 = msg("00257:06", all259); - - var part1255 = match("MESSAGE#753:00257:07", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport}", processor_chain([ - dup281, - dup2, - dup4, - dup5, - dup3, - dup274, - dup275, - dup61, - dup282, - ])); - - var msg763 = msg("00257:07", part1255); - - var part1256 = match("MESSAGE#754:00257:08", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=Deny sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} tcp=%{icmptype}", processor_chain([ - dup185, - dup2, - dup4, - dup5, - dup3, - dup274, - dup275, - dup60, - dup276, - dup277, - ])); - - var msg764 = msg("00257:08", part1256); - - var part1257 = match("MESSAGE#755:00257:09/0", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} icmp type=%{p0}"); - - var part1258 = match("MESSAGE#755:00257:09/1_0", "nwparser.p0", "%{icmptype->} icmp code=%{icmpcode->} session_id=%{sessionid->} reason=%{result}"); - - var part1259 = match("MESSAGE#755:00257:09/1_1", "nwparser.p0", "%{icmptype->} session_id=%{sessionid}"); - - var part1260 = match_copy("MESSAGE#755:00257:09/1_2", "nwparser.p0", "icmptype"); - - var select288 = linear_select([ - part1258, - part1259, - part1260, - ]); - - var all260 = all_match({ - processors: [ - part1257, - select288, - ], - on_success: processor_chain([ - 
dup281, - dup2, - dup4, - dup5, - dup3, - dup274, - dup275, - dup60, - dup282, - ]), - }); - - var msg765 = msg("00257:09", all260); - - var part1261 = match("MESSAGE#756:00257:10/0", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=Deny sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{p0}"); - - var part1262 = match("MESSAGE#756:00257:10/1_0", "nwparser.p0", "%{daddr->} session_id=%{sessionid}"); - - var select289 = linear_select([ - part1262, - dup286, - ]); - - var all261 = all_match({ - processors: [ - part1261, - select289, - ], - on_success: processor_chain([ - dup185, - dup2, - dup4, - dup5, - dup3, - dup274, - dup275, - dup60, - dup276, - dup277, - ]), - }); - - var msg766 = msg("00257:10", all261); - - var part1263 = match("MESSAGE#757:00257:11/0", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{p0}"); - - var part1264 = match("MESSAGE#757:00257:11/1_0", "nwparser.p0", "%{daddr->} session_id=%{sessionid->} reason=%{result}"); - - var select290 = linear_select([ - part1264, - dup286, - ]); - - var all262 = all_match({ - processors: [ - part1263, - select290, - ], - on_success: processor_chain([ - dup281, - dup2, - dup4, - dup5, - dup3, - dup274, - dup275, - dup60, - dup282, - ]), - }); - - var msg767 = msg("00257:11", all262); - - var part1265 = match("MESSAGE#758:00257:12", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} type=%{fld3}", processor_chain([ - dup281, - dup2, - dup4, - dup5, - dup3, - dup274, - 
dup275, - dup60, - dup282, - ])); - - var msg768 = msg("00257:12", part1265); - - var part1266 = match("MESSAGE#759:00257:13", "nwparser.payload", "start_time=\"%{fld2}", processor_chain([ - dup281, - dup2, - dup3, - dup274, - dup4, - dup5, - ])); - - var msg769 = msg("00257:13", part1266); - - var select291 = linear_select([ - msg750, - msg751, - msg752, - msg753, - msg754, - msg755, - msg756, - msg757, - msg758, - msg759, - msg760, - msg761, - msg762, - msg763, - msg764, - msg765, - msg766, - msg767, - msg768, - msg769, - ]); - - var part1267 = match("MESSAGE#760:00259/1", "nwparser.p0", "user %{username->} has logged on via %{p0}"); - - var part1268 = match("MESSAGE#760:00259/2_0", "nwparser.p0", "the console %{p0}"); - - var select292 = linear_select([ - part1268, - dup289, - dup241, - ]); - - var part1269 = match("MESSAGE#760:00259/3", "nwparser.p0", "from %{saddr}:%{sport}"); - - var all263 = all_match({ - processors: [ - dup394, - part1267, - select292, - part1269, - ], - on_success: processor_chain([ - dup28, - dup29, - dup30, - dup31, - dup32, - dup2, - dup4, - dup5, - dup3, - ]), - }); - - var msg770 = msg("00259", all263); - - var part1270 = match("MESSAGE#761:00259:07/1", "nwparser.p0", "user %{administrator->} has logged out via %{logon_type->} from %{saddr}:%{sport}"); - - var all264 = all_match({ - processors: [ - dup394, - part1270, - ], - on_success: processor_chain([ - dup33, - dup29, - dup34, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg771 = msg("00259:07", all264); - - var part1271 = match("MESSAGE#762:00259:01", "nwparser.payload", "Management session via %{logon_type->} from %{saddr}:%{sport->} for [vsys] admin %{administrator->} has timed out", processor_chain([ - dup290, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg772 = msg("00259:01", part1271); - - var part1272 = match("MESSAGE#763:00259:02", "nwparser.payload", "Management session via %{logon_type->} for [ vsys ] admin %{administrator->} has timed out", processor_chain([ 
- dup290, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg773 = msg("00259:02", part1272); - - var part1273 = match("MESSAGE#764:00259:03", "nwparser.payload", "Login attempt to system by admin %{administrator->} via the %{logon_type->} has failed", processor_chain([ - dup206, - dup29, - dup30, - dup31, - dup54, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg774 = msg("00259:03", part1273); - - var part1274 = match("MESSAGE#765:00259:04", "nwparser.payload", "Login attempt to system by admin %{administrator->} via %{logon_type->} from %{saddr}:%{sport->} has failed", processor_chain([ - dup206, - dup29, - dup30, - dup31, - dup54, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg775 = msg("00259:04", part1274); - - var part1275 = match("MESSAGE#766:00259:05/0", "nwparser.payload", "Admin user %{administrator->} has been forced to log out of the %{p0}"); - - var part1276 = match("MESSAGE#766:00259:05/1_2", "nwparser.p0", "Web %{p0}"); - - var select293 = linear_select([ - dup241, - dup289, - part1276, - ]); - - var part1277 = match("MESSAGE#766:00259:05/2", "nwparser.p0", "session on host %{daddr}:%{dport}"); - - var all265 = all_match({ - processors: [ - part1275, - select293, - part1277, - ], - on_success: processor_chain([ - dup290, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg776 = msg("00259:05", all265); - - var part1278 = match("MESSAGE#767:00259:06", "nwparser.payload", "Admin user %{administrator->} has been forced to log out of the serial console session.", processor_chain([ - dup290, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg777 = msg("00259:06", part1278); - - var select294 = linear_select([ - msg770, - msg771, - msg772, - msg773, - msg774, - msg775, - msg776, - msg777, - ]); - - var part1279 = match("MESSAGE#768:00262", "nwparser.payload", "Admin user %{administrator->} has been rejected via the %{logon_type->} server at %{hostip}", processor_chain([ - dup290, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg778 = msg("00262", 
part1279); - - var part1280 = match("MESSAGE#769:00263", "nwparser.payload", "Admin user %{administrator->} has been accepted via the %{logon_type->} server at %{hostip}", processor_chain([ - setc("eventcategory","1401050100"), - dup2, - dup3, - dup4, - dup5, - ])); - - var msg779 = msg("00263", part1280); - - var part1281 = match("MESSAGE#770:00400/0_0", "nwparser.payload", "ActiveX control %{p0}"); - - var part1282 = match("MESSAGE#770:00400/0_1", "nwparser.payload", "JAVA applet %{p0}"); - - var part1283 = match("MESSAGE#770:00400/0_2", "nwparser.payload", "EXE file %{p0}"); - - var part1284 = match("MESSAGE#770:00400/0_3", "nwparser.payload", "ZIP file %{p0}"); - - var select295 = linear_select([ - part1281, - part1282, - part1283, - part1284, - ]); - - var part1285 = match("MESSAGE#770:00400/1", "nwparser.p0", "has been detected! From %{saddr}:%{sport->} to %{daddr}:%{dport->} using protocol %{protocol->} and arriving at interface %{dinterface->} in zone %{dst_zone}. %{info}"); - - var all266 = all_match({ - processors: [ - select295, - part1285, - ], - on_success: processor_chain([ - setc("eventcategory","1003000000"), - dup2, - dup4, - dup5, - dup3, - dup61, - ]), - }); - - var msg780 = msg("00400", all266); - - var part1286 = match("MESSAGE#771:00401", "nwparser.payload", "%{signame}! From %{saddr->} to %{daddr}, proto %{protocol->} (zone %{zone}, int %{interface}). %{info}", processor_chain([ - dup85, - dup2, - dup4, - dup5, - dup3, - dup291, - ])); - - var msg781 = msg("00401", part1286); - - var part1287 = match("MESSAGE#772:00402", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to %{daddr}:%{dport}, proto %{protocol->} (zone %{zone}, int %{interface}). 
%{info}", processor_chain([ - dup85, - dup2, - dup4, - dup5, - dup3, - dup292, - ])); - - var msg782 = msg("00402", part1287); - - var part1288 = match("MESSAGE#773:00402:01/0", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to %{daddr}:%{dport}, using protocol %{protocol}, and arriving at %{p0}"); - - var part1289 = match("MESSAGE#773:00402:01/2", "nwparser.p0", "%{} %{interface->} in zone %{zone}. %{info}"); - - var all267 = all_match({ - processors: [ - part1288, - dup337, - part1289, - ], - on_success: processor_chain([ - dup85, - dup2, - dup4, - dup5, - dup3, - dup292, - ]), - }); - - var msg783 = msg("00402:01", all267); - - var select296 = linear_select([ - msg782, - msg783, - ]); - - var part1290 = match("MESSAGE#774:00403", "nwparser.payload", "%{signame}! From %{saddr}:%{sport->} to %{daddr}:%{dport}, proto %{protocol->} (zone %{zone}, int %{interface}). %{info}", processor_chain([ - dup85, - dup2, - dup4, - dup5, - dup3, - dup291, - ])); - - var msg784 = msg("00403", part1290); - - var part1291 = match("MESSAGE#775:00404", "nwparser.payload", "%{signame}! From %{saddr}:%{sport->} to %{daddr}:%{dport}, proto %{protocol->} (zone %{zone}, int %{interface}). %{info}", processor_chain([ - dup147, - dup148, - dup149, - dup150, - dup2, - dup4, - dup5, - dup3, - dup292, - ])); - - var msg785 = msg("00404", part1291); - - var part1292 = match("MESSAGE#776:00405", "nwparser.payload", "%{signame}! From %{saddr->} to %{daddr}, proto %{protocol->} (zone %{zone}, int %{interface}). 
%{info}", processor_chain([ - dup147, - dup2, - dup4, - dup5, - dup3, - dup291, - ])); - - var msg786 = msg("00405", part1292); - - var msg787 = msg("00406", dup413); - - var msg788 = msg("00407", dup413); - - var msg789 = msg("00408", dup413); - - var all268 = all_match({ - processors: [ - dup132, - dup343, - dup293, - ], - on_success: processor_chain([ - dup58, - dup2, - dup59, - dup3, - dup4, - dup5, - dup60, - ]), - }); - - var msg790 = msg("00409", all268); - - var msg791 = msg("00410", dup413); - - var part1293 = match("MESSAGE#782:00410:01", "nwparser.payload", "%{signame->} From %{saddr->} to %{daddr}, using protocol %{protocol}, and arriving at interface %{dinterface->} in zone %{dst_zone}.%{space}The attack occurred %{dclass_counter1->} times.", processor_chain([ - dup58, - dup2, - dup3, - dup59, - dup4, - dup5, - dup60, - ])); - - var msg792 = msg("00410:01", part1293); - - var select297 = linear_select([ - msg791, - msg792, - ]); - - var part1294 = match("MESSAGE#783:00411/0", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to %{daddr}:%{dport}, proto TCP (zone %{zone->} %{p0}"); - - var all269 = all_match({ - processors: [ - part1294, - dup343, - dup293, - ], - on_success: processor_chain([ - dup58, - dup2, - dup59, - dup3, - dup4, - dup5, - dup61, - ]), - }); - - var msg793 = msg("00411", all269); - - var part1295 = match("MESSAGE#784:00413/0", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to %{daddr}:%{dport->} using protocol %{protocol->} and arriving at %{p0}"); - - var part1296 = match("MESSAGE#784:00413/2", "nwparser.p0", "%{} %{interface}.%{space}The attack occurred %{dclass_counter1->} times"); - - var all270 = all_match({ - processors: [ - part1295, - dup337, - part1296, - ], - on_success: processor_chain([ - dup58, - dup2, - dup59, - dup3, - dup4, - dup5, - dup61, - ]), - }); - - var msg794 = msg("00413", all270); - - var part1297 = match("MESSAGE#785:00413:01/0", "nwparser.payload", "%{signame->} From 
%{saddr}:%{sport->} to %{daddr}:%{dport}, proto %{protocol}(zone %{group->} %{p0}"); - - var all271 = all_match({ - processors: [ - part1297, - dup343, - dup83, - ], - on_success: processor_chain([ - dup58, - dup2, - dup59, - dup3, - dup4, - dup5, - dup9, - dup61, - ]), - }); - - var msg795 = msg("00413:01", all271); - - var part1298 = match("MESSAGE#786:00413:02", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to %{daddr}:%{dport}, using protocol %{protocol}, on zone %{zone->} interface %{interface}.The attack occurred %{dclass_counter1->} times. (%{fld1})", processor_chain([ - dup58, - dup2, - dup3, - dup4, - dup59, - dup5, - dup9, - ])); - - var msg796 = msg("00413:02", part1298); - - var select298 = linear_select([ - msg794, - msg795, - msg796, - ]); - - var part1299 = match("MESSAGE#787:00414", "nwparser.payload", "%{signame->} From %{saddr->} to %{daddr}, proto %{protocol->} (zone %{zone}, int %{interface}). Occurred %{dclass_counter1->} times. (%{fld1})", processor_chain([ - dup58, - dup2, - dup59, - dup3, - dup4, - dup5, - dup9, - ])); - - var msg797 = msg("00414", part1299); - - var part1300 = match("MESSAGE#788:00414:01", "nwparser.payload", "%{signame->} From %{saddr->} to %{daddr}, using protocol %{protocol}, on zone %{zone->} interface %{interface}.The attack occurred %{dclass_counter1->} times. 
(%{fld1})", processor_chain([ - dup58, - dup2, - dup3, - dup59, - dup4, - dup5, - dup9, - ])); - - var msg798 = msg("00414:01", part1300); - - var select299 = linear_select([ - msg797, - msg798, - ]); - - var part1301 = match("MESSAGE#789:00415", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to %{daddr}:%{dport->} using protocol %{protocol->} and arriving at interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([ - dup58, - dup2, - dup59, - dup3, - dup4, - dup5, - dup61, - ])); - - var msg799 = msg("00415", part1301); - - var all272 = all_match({ - processors: [ - dup132, - dup343, - dup294, - ], - on_success: processor_chain([ - dup58, - dup2, - dup59, - dup3, - dup4, - dup5, - dup60, - ]), - }); - - var msg800 = msg("00423", all272); - - var all273 = all_match({ - processors: [ - dup80, - dup343, - dup83, - ], - on_success: processor_chain([ - dup58, - dup2, - dup3, - dup9, - dup59, - dup4, - dup5, - dup60, - ]), - }); - - var msg801 = msg("00429", all273); - - var all274 = all_match({ - processors: [ - dup132, - dup343, - dup83, - ], - on_success: processor_chain([ - dup58, - dup2, - dup3, - dup9, - dup59, - dup4, - dup5, - dup60, - ]), - }); - - var msg802 = msg("00429:01", all274); - - var select300 = linear_select([ - msg801, - msg802, - ]); - - var all275 = all_match({ - processors: [ - dup80, - dup343, - dup295, - dup351, - ], - on_success: processor_chain([ - dup85, - dup2, - dup59, - dup3, - dup9, - dup4, - dup5, - dup61, - ]), - }); - - var msg803 = msg("00430", all275); - - var all276 = all_match({ - processors: [ - dup132, - dup343, - dup295, - dup351, - ], - on_success: processor_chain([ - dup85, - dup2, - dup59, - dup3, - dup9, - dup4, - dup5, - dup60, - ]), - }); - - var msg804 = msg("00430:01", all276); - - var select301 = linear_select([ - msg803, - msg804, - ]); - - var msg805 = msg("00431", dup414); - - var msg806 = msg("00432", dup414); - - var msg807 = msg("00433", dup415); - - var msg808 
= msg("00434", dup415); - - var msg809 = msg("00435", dup395); - - var all277 = all_match({ - processors: [ - dup132, - dup343, - dup294, - ], - on_success: processor_chain([ - dup58, - dup2, - dup4, - dup59, - dup5, - dup3, - dup60, - ]), - }); - - var msg810 = msg("00435:01", all277); - - var select302 = linear_select([ - msg809, - msg810, - ]); - - var msg811 = msg("00436", dup395); - - var all278 = all_match({ - processors: [ - dup64, - dup338, - dup67, - ], - on_success: processor_chain([ - dup58, - dup2, - dup59, - dup9, - dup4, - dup5, - dup3, - dup60, - ]), - }); - - var msg812 = msg("00436:01", all278); - - var select303 = linear_select([ - msg811, - msg812, - ]); - - var part1302 = match("MESSAGE#803:00437", "nwparser.payload", "%{signame->} has been detected! From %{saddr}:%{sport->} to %{daddr}:%{dport}, using protocol %{protocol}, and arriving at interface %{dinterface->} in zone %{dst_zone}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([ - dup58, - dup2, - dup59, - dup3, - dup4, - dup5, - dup61, - ])); - - var msg813 = msg("00437", part1302); - - var all279 = all_match({ - processors: [ - dup299, - dup338, - dup67, - ], - on_success: processor_chain([ - dup58, - dup2, - dup59, - dup3, - dup4, - dup5, - dup61, - dup9, - ]), - }); - - var msg814 = msg("00437:01", all279); - - var part1303 = match("MESSAGE#805:00437:02", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to %{daddr}:%{dport}, using protocol %{protocol}, on zone %{zone->} interface %{interface}.The attack occurred %{dclass_counter1->} times. (%{fld1})", processor_chain([ - dup58, - dup2, - dup59, - dup3, - dup4, - dup5, - dup61, - dup9, - ])); - - var msg815 = msg("00437:02", part1303); - - var select304 = linear_select([ - msg813, - msg814, - msg815, - ]); - - var part1304 = match("MESSAGE#806:00438", "nwparser.payload", "%{signame->} has been detected! 
From %{saddr}:%{sport->} to %{daddr}:%{dport->} using protocol %{protocol->} and arriving at interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([ - dup58, - dup2, - dup59, - dup3, - dup4, - dup5, - dup61, - ])); - - var msg816 = msg("00438", part1304); - - var part1305 = match("MESSAGE#807:00438:01", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to %{daddr}:%{dport}, using protocol %{protocol}, on zone %{zone->} interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times.", processor_chain([ - dup58, - dup2, - dup59, - dup3, - dup4, - dup5, - dup61, - ])); - - var msg817 = msg("00438:01", part1305); - - var all280 = all_match({ - processors: [ - dup299, - dup338, - dup67, - ], - on_success: processor_chain([ - dup58, - dup2, - dup59, - dup3, - dup4, - dup5, - dup9, - dup61, - ]), - }); - - var msg818 = msg("00438:02", all280); - - var select305 = linear_select([ - msg816, - msg817, - msg818, - ]); - - var part1306 = match("MESSAGE#809:00440", "nwparser.payload", "%{signame->} has been detected! From %{saddr->} to %{daddr}, using protocol %{protocol}, and arriving at interface %{dinterface->} in zone %{dst_zone}.%{space}The attack occurred %{dclass_counter1->} times. (%{fld1})", processor_chain([ - dup58, - dup2, - dup59, - dup3, - dup4, - dup5, - dup9, - dup60, - ])); - - var msg819 = msg("00440", part1306); - - var part1307 = match("MESSAGE#810:00440:02", "nwparser.payload", "%{signame->} has been detected! 
From %{saddr}:%{sport->} to %{daddr}:%{dport}, using protocol %{protocol}, and arriving at interface %{dinterface->} in zone %{dst_zone}.%{space}The attack occurred %{dclass_counter1->} times.", processor_chain([ - dup58, - dup2, - dup59, - dup4, - dup5, - dup3, - dup61, - ])); - - var msg820 = msg("00440:02", part1307); - - var all281 = all_match({ - processors: [ - dup239, - dup343, - dup83, - ], - on_success: processor_chain([ - dup58, - dup2, - dup59, - dup4, - dup5, - dup3, - dup9, - dup61, - ]), - }); - - var msg821 = msg("00440:01", all281); - - var part1308 = match("MESSAGE#812:00440:03/0", "nwparser.payload", "Fragmented traffic! From %{saddr->} to %{daddr}, proto %{protocol->} (zone %{group->} %{p0}"); - - var all282 = all_match({ - processors: [ - part1308, - dup343, - dup83, - ], - on_success: processor_chain([ - dup58, - dup2, - dup59, - dup4, - dup5, - dup3, - dup9, - dup60, - ]), - }); - - var msg822 = msg("00440:03", all282); - - var select306 = linear_select([ - msg819, - msg820, - msg821, - msg822, - ]); - - var part1309 = match("MESSAGE#813:00441", "nwparser.payload", "%{signame->} id=%{fld2}! From %{saddr->} to %{daddr}, proto %{protocol->} (zone %{zone}). Occurred %{dclass_counter1->} times. 
(%{fld1})", processor_chain([ - dup58, - dup4, - dup59, - dup5, - dup9, - dup2, - dup3, - dup60, - ])); - - var msg823 = msg("00441", part1309); - - var msg824 = msg("00442", dup396); - - var msg825 = msg("00443", dup396); - - var part1310 = match("MESSAGE#816:00511", "nwparser.payload", "admin %{administrator->} issued command %{fld2->} to redirect output.", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg826 = msg("00511", part1310); - - var part1311 = match("MESSAGE#817:00511:01/0", "nwparser.payload", "All System Config saved by admin %{p0}"); - - var all283 = all_match({ - processors: [ - part1311, - dup397, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg827 = msg("00511:01", all283); - - var part1312 = match("MESSAGE#818:00511:02", "nwparser.payload", "All logged events or alarms are cleared by admin %{administrator}.", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg828 = msg("00511:02", part1312); - - var part1313 = match("MESSAGE#819:00511:03/0", "nwparser.payload", "Get new software from flash to slot (file: %{fld2}) by admin %{p0}"); - - var all284 = all_match({ - processors: [ - part1313, - dup397, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg829 = msg("00511:03", all284); - - var part1314 = match("MESSAGE#820:00511:04/0", "nwparser.payload", "Get new software from %{hostip->} (file: %{fld2}) to slot (file: %{fld3}) by admin %{p0}"); - - var all285 = all_match({ - processors: [ - part1314, - dup397, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg830 = msg("00511:04", all285); - - var part1315 = match("MESSAGE#821:00511:05/0", "nwparser.payload", "Get new software to %{hostip->} (file: %{fld2}) by admin %{p0}"); - - var all286 = all_match({ - processors: [ - part1315, - dup397, - ], - on_success: processor_chain([ - 
dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg831 = msg("00511:05", all286); - - var part1316 = match("MESSAGE#822:00511:06/0", "nwparser.payload", "Log setting is modified by admin %{p0}"); - - var all287 = all_match({ - processors: [ - part1316, - dup397, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg832 = msg("00511:06", all287); - - var part1317 = match("MESSAGE#823:00511:07/0", "nwparser.payload", "Save configuration to %{hostip->} (file: %{fld2}) by admin %{p0}"); - - var all288 = all_match({ - processors: [ - part1317, - dup397, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg833 = msg("00511:07", all288); - - var part1318 = match("MESSAGE#824:00511:08/0", "nwparser.payload", "Save new software from slot (file: %{fld2}) to flash by admin %{p0}"); - - var all289 = all_match({ - processors: [ - part1318, - dup397, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg834 = msg("00511:08", all289); - - var part1319 = match("MESSAGE#825:00511:09/0", "nwparser.payload", "Save new software from %{hostip->} (file: %{result}) to flash by admin %{p0}"); - - var all290 = all_match({ - processors: [ - part1319, - dup397, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg835 = msg("00511:09", all290); - - var part1320 = match("MESSAGE#826:00511:10/0", "nwparser.payload", "System Config from flash to slot - %{fld2->} by admin %{p0}"); - - var all291 = all_match({ - processors: [ - part1320, - dup397, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg836 = msg("00511:10", all291); - - var part1321 = match("MESSAGE#827:00511:11/0", "nwparser.payload", "System Config load from %{hostip->} (file %{fld2}) to slot - %{fld3->} by admin %{p0}"); - - var all292 = 
all_match({ - processors: [ - part1321, - dup397, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg837 = msg("00511:11", all292); - - var part1322 = match("MESSAGE#828:00511:12/0", "nwparser.payload", "System Config load from %{hostip->} (file %{fld2}) by admin %{p0}"); - - var all293 = all_match({ - processors: [ - part1322, - dup397, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg838 = msg("00511:12", all293); - - var part1323 = match("MESSAGE#829:00511:13/0", "nwparser.payload", "The system configuration was loaded from the slot by admin %{p0}"); - - var all294 = all_match({ - processors: [ - part1323, - dup397, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg839 = msg("00511:13", all294); - - var part1324 = match("MESSAGE#830:00511:14", "nwparser.payload", "FIPS: Attempt to set RADIUS shared secret with invalid length %{fld2}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg840 = msg("00511:14", part1324); - - var select307 = linear_select([ - msg826, - msg827, - msg828, - msg829, - msg830, - msg831, - msg832, - msg833, - msg834, - msg835, - msg836, - msg837, - msg838, - msg839, - msg840, - ]); - - var part1325 = match("MESSAGE#831:00513/0", "nwparser.payload", "The physical state of %{p0}"); - - var part1326 = match("MESSAGE#831:00513/1_1", "nwparser.p0", "the Interface %{p0}"); - - var select308 = linear_select([ - dup123, - part1326, - dup122, - ]); - - var part1327 = match("MESSAGE#831:00513/2", "nwparser.p0", "%{interface->} has changed to %{p0}"); - - var part1328 = match("MESSAGE#831:00513/3_0", "nwparser.p0", "%{result}. 
(%{fld1})"); - - var part1329 = match_copy("MESSAGE#831:00513/3_1", "nwparser.p0", "result"); - - var select309 = linear_select([ - part1328, - part1329, - ]); - - var all295 = all_match({ - processors: [ - part1325, - select308, - part1327, - select309, - ], - on_success: processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - dup9, - ]), - }); - - var msg841 = msg("00513", all295); - - var part1330 = match("MESSAGE#832:00515/0_0", "nwparser.payload", "Vsys Admin %{p0}"); - - var select310 = linear_select([ - part1330, - dup287, - ]); - - var part1331 = match("MESSAGE#832:00515/1", "nwparser.p0", "%{administrator->} has logged on via the %{logon_type->} ( HTTP%{p0}"); - - var part1332 = match("MESSAGE#832:00515/2_1", "nwparser.p0", "S%{p0}"); - - var select311 = linear_select([ - dup96, - part1332, - ]); - - var part1333 = match("MESSAGE#832:00515/3", "nwparser.p0", "%{}) to port %{interface->} from %{saddr}:%{sport}"); - - var all296 = all_match({ - processors: [ - select310, - part1331, - select311, - part1333, - ], - on_success: processor_chain([ - dup301, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg842 = msg("00515", all296); - - var part1334 = match("MESSAGE#833:00515:01/0", "nwparser.payload", "Login attempt to system by admin %{administrator->} via %{p0}"); - - var part1335 = match("MESSAGE#833:00515:01/1_0", "nwparser.p0", "the %{logon_type->} has failed %{p0}"); - - var part1336 = match("MESSAGE#833:00515:01/1_1", "nwparser.p0", "%{logon_type->} from %{saddr}:%{sport->} has failed %{p0}"); - - var select312 = linear_select([ - part1335, - part1336, - ]); - - var part1337 = match_copy("MESSAGE#833:00515:01/2", "nwparser.p0", "fld2"); - - var all297 = all_match({ - processors: [ - part1334, - select312, - part1337, - ], - on_success: processor_chain([ - dup206, - dup29, - dup30, - dup31, - dup54, - dup2, - dup4, - dup5, - dup302, - dup3, - ]), - }); - - var msg843 = msg("00515:01", all297); - - var part1338 = match("MESSAGE#834:00515:02/0", 
"nwparser.payload", "Management session via %{p0}"); - - var part1339 = match("MESSAGE#834:00515:02/1_0", "nwparser.p0", "the %{logon_type->} for %{p0}"); - - var part1340 = match("MESSAGE#834:00515:02/1_1", "nwparser.p0", "%{logon_type->} from %{saddr}:%{sport->} for %{p0}"); - - var select313 = linear_select([ - part1339, - part1340, - ]); - - var part1341 = match("MESSAGE#834:00515:02/2_0", "nwparser.p0", "[vsys] admin %{p0}"); - - var part1342 = match("MESSAGE#834:00515:02/2_1", "nwparser.p0", "vsys admin %{p0}"); - - var select314 = linear_select([ - part1341, - part1342, - dup15, - ]); - - var part1343 = match("MESSAGE#834:00515:02/3", "nwparser.p0", "%{administrator->} has timed out"); - - var all298 = all_match({ - processors: [ - part1338, - select313, - select314, - part1343, - ], - on_success: processor_chain([ - dup27, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg844 = msg("00515:02", all298); - - var part1344 = match("MESSAGE#835:00515:04/0_0", "nwparser.payload", "[Vsys] %{p0}"); - - var part1345 = match("MESSAGE#835:00515:04/0_1", "nwparser.payload", "Vsys %{p0}"); - - var select315 = linear_select([ - part1344, - part1345, - ]); - - var part1346 = match("MESSAGE#835:00515:04/1", "nwparser.p0", "Admin %{administrator->} has logged o%{p0}"); - - var part1347 = match_copy("MESSAGE#835:00515:04/4_1", "nwparser.p0", "logon_type"); - - var select316 = linear_select([ - dup304, - part1347, - ]); - - var all299 = all_match({ - processors: [ - select315, - part1346, - dup398, - dup40, - select316, - ], - on_success: processor_chain([ - dup240, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg845 = msg("00515:04", all299); - - var part1348 = match("MESSAGE#836:00515:06", "nwparser.payload", "Admin User %{administrator->} has logged on via %{logon_type->} from %{saddr}:%{sport}", processor_chain([ - dup240, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg846 = msg("00515:06", part1348); - - var part1349 = match("MESSAGE#837:00515:05/0", 
"nwparser.payload", "%{}Admin %{p0}"); - - var select317 = linear_select([ - dup305, - dup16, - ]); - - var part1350 = match("MESSAGE#837:00515:05/2", "nwparser.p0", "%{administrator->} has logged o%{p0}"); - - var part1351 = match("MESSAGE#837:00515:05/5_1", "nwparser.p0", "%{logon_type->} from %{saddr}:%{sport->} (%{fld2})"); - - var select318 = linear_select([ - dup306, - part1351, - dup304, - ]); - - var all300 = all_match({ - processors: [ - part1349, - select317, - part1350, - dup398, - dup40, - select318, - ], - on_success: processor_chain([ - dup240, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg847 = msg("00515:05", all300); - - var part1352 = match("MESSAGE#838:00515:07", "nwparser.payload", "Admin user %{administrator->} login attempt for %{logon_type}(http) management (port %{network_port}) from %{saddr}:%{sport->} %{disposition}", processor_chain([ - dup240, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg848 = msg("00515:07", part1352); - - var part1353 = match("MESSAGE#839:00515:08/0", "nwparser.payload", "%{fld2->} Admin User \"%{administrator}\" logged in for %{logon_type}(http%{p0}"); - - var part1354 = match("MESSAGE#839:00515:08/1_0", "nwparser.p0", ") %{p0}"); - - var part1355 = match("MESSAGE#839:00515:08/1_1", "nwparser.p0", "s) %{p0}"); - - var select319 = linear_select([ - part1354, - part1355, - ]); - - var part1356 = match("MESSAGE#839:00515:08/2", "nwparser.p0", "management (port %{network_port}) from %{saddr}:%{sport}"); - - var all301 = all_match({ - processors: [ - part1353, - select319, - part1356, - ], - on_success: processor_chain([ - dup240, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg849 = msg("00515:08", all301); - - var part1357 = match("MESSAGE#840:00515:09", "nwparser.payload", "User %{username->} telnet management session from (%{saddr}:%{sport}) timed out", processor_chain([ - dup240, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg850 = msg("00515:09", part1357); - - var part1358 = 
match("MESSAGE#841:00515:10", "nwparser.payload", "User %{username->} logged out of telnet session from %{saddr}:%{sport}", processor_chain([ - dup240, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg851 = msg("00515:10", part1358); - - var part1359 = match("MESSAGE#842:00515:11", "nwparser.payload", "The session limit threshold has been set to %{trigger_val->} on zone %{zone}.", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg852 = msg("00515:11", part1359); - - var part1360 = match("MESSAGE#843:00515:12/0", "nwparser.payload", "[ Vsys ] Admin User \"%{administrator}\" logged in for Web( http%{p0}"); - - var part1361 = match("MESSAGE#843:00515:12/2", "nwparser.p0", ") management (port %{network_port})"); - - var all302 = all_match({ - processors: [ - part1360, - dup399, - part1361, - ], - on_success: processor_chain([ - dup240, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg853 = msg("00515:12", all302); - - var select320 = linear_select([ - dup288, - dup287, - ]); - - var part1362 = match("MESSAGE#844:00515:13/1", "nwparser.p0", "user %{administrator->} has logged o%{p0}"); - - var select321 = linear_select([ - dup306, - dup304, - ]); - - var all303 = all_match({ - processors: [ - select320, - part1362, - dup398, - dup40, - select321, - ], - on_success: processor_chain([ - dup240, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg854 = msg("00515:13", all303); - - var part1363 = match("MESSAGE#845:00515:14/0_0", "nwparser.payload", "Admin user %{administrator->} has been forced to log o%{p0}"); - - var part1364 = match("MESSAGE#845:00515:14/0_1", "nwparser.payload", "%{username->} %{fld1->} has been forced to log o%{p0}"); - - var select322 = linear_select([ - part1363, - part1364, - ]); - - var part1365 = match("MESSAGE#845:00515:14/2", "nwparser.p0", "of the %{p0}"); - - var part1366 = match("MESSAGE#845:00515:14/3_0", "nwparser.p0", "serial %{logon_type->} session."); - - var part1367 = 
match("MESSAGE#845:00515:14/3_1", "nwparser.p0", "%{logon_type->} session on host %{hostip}:%{network_port->} (%{event_time})"); - - var part1368 = match("MESSAGE#845:00515:14/3_2", "nwparser.p0", "%{logon_type->} session on host %{hostip}:%{network_port}"); - - var select323 = linear_select([ - part1366, - part1367, - part1368, - ]); - - var all304 = all_match({ - processors: [ - select322, - dup398, - part1365, - select323, - ], - on_success: processor_chain([ - dup240, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg855 = msg("00515:14", all304); - - var part1369 = match("MESSAGE#846:00515:15/0", "nwparser.payload", "%{fld2}: Admin User %{administrator->} has logged o%{p0}"); - - var part1370 = match("MESSAGE#846:00515:15/3_0", "nwparser.p0", "the %{logon_type->} (%{p0}"); - - var part1371 = match("MESSAGE#846:00515:15/3_1", "nwparser.p0", "%{logon_type->} from %{saddr}:%{sport->} (%{p0}"); - - var select324 = linear_select([ - part1370, - part1371, - ]); - - var all305 = all_match({ - processors: [ - part1369, - dup398, - dup40, - select324, - dup41, - ], - on_success: processor_chain([ - dup240, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg856 = msg("00515:15", all305); - - var part1372 = match("MESSAGE#847:00515:16/0_0", "nwparser.payload", "%{fld2}: Admin %{p0}"); - - var select325 = linear_select([ - part1372, - dup287, - ]); - - var part1373 = match("MESSAGE#847:00515:16/1", "nwparser.p0", "user %{administrator->} attempt access to %{url->} illegal from %{logon_type}( http%{p0}"); - - var part1374 = match("MESSAGE#847:00515:16/3", "nwparser.p0", ") management (port %{network_port}) from %{saddr}:%{sport}. 
(%{fld1})"); - - var all306 = all_match({ - processors: [ - select325, - part1373, - dup399, - part1374, - ], - on_success: processor_chain([ - dup240, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg857 = msg("00515:16", all306); - - var part1375 = match("MESSAGE#848:00515:17/0", "nwparser.payload", "Admin user \"%{administrator}\" logged out for %{logon_type}(%{p0}"); - - var part1376 = match("MESSAGE#848:00515:17/1_0", "nwparser.p0", "https %{p0}"); - - var part1377 = match("MESSAGE#848:00515:17/1_1", "nwparser.p0", " http %{p0}"); - - var select326 = linear_select([ - part1376, - part1377, - ]); - - var part1378 = match("MESSAGE#848:00515:17/2", "nwparser.p0", ") management (port %{network_port}) from %{saddr}:%{sport}"); - - var all307 = all_match({ - processors: [ - part1375, - select326, - part1378, - ], - on_success: processor_chain([ - dup240, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg858 = msg("00515:17", all307); - - var part1379 = match("MESSAGE#849:00515:18", "nwparser.payload", "Admin user %{administrator->} login attempt for %{logon_type}(https) management (port %{network_port}) from %{saddr}:%{sport->} %{disposition}. (%{fld1})", processor_chain([ - dup240, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg859 = msg("00515:18", part1379); - - var part1380 = match("MESSAGE#850:00515:19/0", "nwparser.payload", "Vsys admin user %{administrator->} logged on via %{p0}"); - - var part1381 = match("MESSAGE#850:00515:19/1_0", "nwparser.p0", "%{logon_type->} from remote IP address %{saddr->} using port %{sport}. (%{p0}"); - - var part1382 = match("MESSAGE#850:00515:19/1_1", "nwparser.p0", "the console. 
(%{p0}"); - - var select327 = linear_select([ - part1381, - part1382, - ]); - - var all308 = all_match({ - processors: [ - part1380, - select327, - dup41, - ], - on_success: processor_chain([ - dup240, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg860 = msg("00515:19", all308); - - var part1383 = match("MESSAGE#851:00515:20", "nwparser.payload", "netscreen: Management session via SCS from %{saddr}:%{sport->} for admin netscreen has timed out (%{fld1})", processor_chain([ - dup240, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg861 = msg("00515:20", part1383); - - var select328 = linear_select([ - msg842, - msg843, - msg844, - msg845, - msg846, - msg847, - msg848, - msg849, - msg850, - msg851, - msg852, - msg853, - msg854, - msg855, - msg856, - msg857, - msg858, - msg859, - msg860, - msg861, - ]); - - var part1384 = match("MESSAGE#852:00518", "nwparser.payload", "Admin user %{administrator->} %{fld1}at %{saddr->} has been %{disposition->} via the %{logon_type->} server at %{hostip}", processor_chain([ - dup281, - dup2, - dup4, - dup5, - dup3, - ])); - - var msg862 = msg("00518", part1384); - - var part1385 = match("MESSAGE#853:00518:17", "nwparser.payload", "Admin user %{administrator->} has been %{disposition->} via the %{logon_type->} server at %{hostip}", processor_chain([ - dup281, - dup2, - dup4, - dup5, - dup3, - ])); - - var msg863 = msg("00518:17", part1385); - - var part1386 = match("MESSAGE#854:00518:01", "nwparser.payload", "Local authentication for WebAuth user %{username->} was %{disposition}", processor_chain([ - dup281, - dup2, - dup4, - dup5, - dup3, - ])); - - var msg864 = msg("00518:01", part1386); - - var part1387 = match("MESSAGE#855:00518:02", "nwparser.payload", "Local authentication for user %{username->} was %{disposition}", processor_chain([ - dup281, - dup2, - dup4, - dup5, - dup3, - ])); - - var msg865 = msg("00518:02", part1387); - - var part1388 = match("MESSAGE#856:00518:03", "nwparser.payload", "User 
%{username->} at %{saddr->} must enter \"Next Code\" for SecurID %{hostip}", processor_chain([ - dup203, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg866 = msg("00518:03", part1388); - - var part1389 = match("MESSAGE#857:00518:04", "nwparser.payload", "WebAuth user %{username->} at %{saddr->} has been %{disposition->} via the %{logon_type->} server at %{hostip}", processor_chain([ - dup203, - dup2, - dup4, - dup5, - dup3, - ])); - - var msg867 = msg("00518:04", part1389); - - var part1390 = match("MESSAGE#858:00518:05", "nwparser.payload", "User %{username->} at %{saddr->} has been challenged via the %{authmethod->} server at %{hostip->} (Rejected since challenge is not supported for %{logon_type})", processor_chain([ - dup203, - dup2, - dup4, - dup5, - dup3, - ])); - - var msg868 = msg("00518:05", part1390); - - var part1391 = match("MESSAGE#859:00518:06", "nwparser.payload", "Error in authentication for WebAuth user %{username}", processor_chain([ - dup35, - dup29, - dup31, - dup54, - dup2, - dup4, - dup5, - dup3, - ])); - - var msg869 = msg("00518:06", part1391); - - var part1392 = match("MESSAGE#860:00518:07/0", "nwparser.payload", "Authentication for user %{username->} was denied (long %{p0}"); - - var part1393 = match("MESSAGE#860:00518:07/1_1", "nwparser.p0", "username %{p0}"); - - var select329 = linear_select([ - dup24, - part1393, - ]); - - var part1394 = match("MESSAGE#860:00518:07/2", "nwparser.p0", ")%{}"); - - var all309 = all_match({ - processors: [ - part1392, - select329, - part1394, - ], - on_success: processor_chain([ - dup53, - dup29, - dup31, - dup54, - dup2, - dup4, - dup5, - dup3, - ]), - }); - - var msg870 = msg("00518:07", all309); - - var part1395 = match("MESSAGE#861:00518:08", "nwparser.payload", "User %{username->} at %{saddr->} %{authmethod->} authentication attempt has timed out", processor_chain([ - dup35, - dup29, - dup31, - dup39, - dup2, - dup4, - dup5, - dup3, - ])); - - var msg871 = msg("00518:08", part1395); - - var 
part1396 = match("MESSAGE#862:00518:09", "nwparser.payload", "User %{username->} at %{saddr->} has been %{disposition->} via the %{logon_type->} server at %{hostip}", processor_chain([ - dup203, - dup2, - dup4, - dup5, - dup3, - ])); - - var msg872 = msg("00518:09", part1396); - - var part1397 = match("MESSAGE#863:00518:10", "nwparser.payload", "Admin user \"%{administrator}\" login attempt for %{logon_type->} (%{network_service}) management (port %{network_port}) from %{saddr}:%{sport->} failed due to %{result}. (%{fld1})", processor_chain([ - dup206, - dup29, - dup30, - dup31, - dup54, - dup2, - dup4, - dup9, - dup5, - dup3, - dup302, - ])); - - var msg873 = msg("00518:10", part1397); - - var part1398 = match("MESSAGE#864:00518:11/0", "nwparser.payload", "ADM: Local admin authentication failed for login name %{p0}"); - - var part1399 = match("MESSAGE#864:00518:11/1_0", "nwparser.p0", "'%{username}': %{p0}"); - - var part1400 = match("MESSAGE#864:00518:11/1_1", "nwparser.p0", "%{username}: %{p0}"); - - var select330 = linear_select([ - part1399, - part1400, - ]); - - var part1401 = match("MESSAGE#864:00518:11/2", "nwparser.p0", "%{result->} (%{fld1})"); - - var all310 = all_match({ - processors: [ - part1398, - select330, - part1401, - ], - on_success: processor_chain([ - dup206, - dup29, - dup30, - dup31, - dup54, - dup2, - dup9, - dup4, - dup5, - dup3, - ]), - }); - - var msg874 = msg("00518:11", all310); - - var part1402 = match("MESSAGE#865:00518:12", "nwparser.payload", "Admin user \"%{administrator}\" login attempt for %{logon_type}(%{network_service}) management (port %{network_port}) from %{saddr}:%{sport->} %{disposition}. (%{fld1})", processor_chain([ - dup240, - dup2, - dup4, - dup9, - dup5, - dup3, - ])); - - var msg875 = msg("00518:12", part1402); - - var part1403 = match("MESSAGE#866:00518:13", "nwparser.payload", "User %{username->} at %{saddr->} is rejected by the Radius server at %{hostip}. 
(%{fld1})", processor_chain([ - dup290, - dup2, - dup3, - dup4, - dup9, - dup5, - ])); - - var msg876 = msg("00518:13", part1403); - - var part1404 = match("MESSAGE#867:00518:14", "nwparser.payload", "%{fld2}: Admin user has been rejected via the Radius server at %{hostip->} (%{fld1})", processor_chain([ - dup290, - dup2, - dup4, - dup5, - dup9, - ])); - - var msg877 = msg("00518:14", part1404); - - var select331 = linear_select([ - msg862, - msg863, - msg864, - msg865, - msg866, - msg867, - msg868, - msg869, - msg870, - msg871, - msg872, - msg873, - msg874, - msg875, - msg876, - msg877, - ]); - - var part1405 = match("MESSAGE#868:00519/0", "nwparser.payload", "Admin user %{administrator->} %{p0}"); - - var part1406 = match("MESSAGE#868:00519/1_1", "nwparser.p0", "of group %{group->} at %{saddr->} has %{p0}"); - - var part1407 = match("MESSAGE#868:00519/1_2", "nwparser.p0", "%{group->} at %{saddr->} has %{p0}"); - - var select332 = linear_select([ - dup194, - part1406, - part1407, - ]); - - var part1408 = match("MESSAGE#868:00519/2", "nwparser.p0", "been %{disposition->} via the %{logon_type->} server %{p0}"); - - var part1409 = match("MESSAGE#868:00519/3_0", "nwparser.p0", "at %{p0}"); - - var select333 = linear_select([ - part1409, - dup16, - ]); - - var part1410 = match("MESSAGE#868:00519/4", "nwparser.p0", "%{hostip}"); - - var all311 = all_match({ - processors: [ - part1405, - select332, - part1408, - select333, - part1410, - ], - on_success: processor_chain([ - dup203, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg878 = msg("00519", all311); - - var part1411 = match("MESSAGE#869:00519:01/0", "nwparser.payload", "Local authentication for %{p0}"); - - var select334 = linear_select([ - dup307, - dup305, - ]); - - var part1412 = match("MESSAGE#869:00519:01/2", "nwparser.p0", "%{username->} was %{disposition}"); - - var all312 = all_match({ - processors: [ - part1411, - select334, - part1412, - ], - on_success: processor_chain([ - dup203, - dup2, - dup3, 
- dup4, - dup5, - ]), - }); - - var msg879 = msg("00519:01", all312); - - var part1413 = match("MESSAGE#870:00519:02/1_1", "nwparser.p0", "User %{p0}"); - - var select335 = linear_select([ - dup307, - part1413, - ]); - - var part1414 = match("MESSAGE#870:00519:02/2", "nwparser.p0", "%{username->} at %{saddr->} has been %{disposition->} via the %{logon_type->} server at %{hostip}"); - - var all313 = all_match({ - processors: [ - dup160, - select335, - part1414, - ], - on_success: processor_chain([ - dup203, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg880 = msg("00519:02", all313); - - var part1415 = match("MESSAGE#871:00519:03", "nwparser.payload", "Admin user \"%{administrator}\" logged in for %{logon_type}(%{network_service}) management (port %{network_port}) from %{saddr}:%{sport->} %{fld4}", processor_chain([ - dup240, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg881 = msg("00519:03", part1415); - - var part1416 = match("MESSAGE#872:00519:04", "nwparser.payload", "ADM: Local admin authentication successful for login name %{username->} (%{fld1})", processor_chain([ - dup240, - dup2, - dup4, - dup5, - dup9, - ])); - - var msg882 = msg("00519:04", part1416); - - var part1417 = match("MESSAGE#873:00519:05", "nwparser.payload", "%{fld2}Admin user %{administrator->} has been accepted via the Radius server at %{hostip}(%{fld1})", processor_chain([ - dup240, - dup2, - dup4, - dup5, - dup9, - ])); - - var msg883 = msg("00519:05", part1417); - - var select336 = linear_select([ - msg878, - msg879, - msg880, - msg881, - msg882, - msg883, - ]); - - var part1418 = match("MESSAGE#874:00520", "nwparser.payload", "%{hostname->} user authentication attempt has timed out", processor_chain([ - dup35, - dup31, - dup39, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg884 = msg("00520", part1418); - - var part1419 = match("MESSAGE#875:00520:01/0", "nwparser.payload", "User %{username->} at %{hostip->} %{p0}"); - - var part1420 = match("MESSAGE#875:00520:01/1_0", 
"nwparser.p0", "RADIUS %{p0}"); - - var part1421 = match("MESSAGE#875:00520:01/1_1", "nwparser.p0", "SecurID %{p0}"); - - var part1422 = match("MESSAGE#875:00520:01/1_2", "nwparser.p0", "LDAP %{p0}"); - - var part1423 = match("MESSAGE#875:00520:01/1_3", "nwparser.p0", "Local %{p0}"); - - var select337 = linear_select([ - part1420, - part1421, - part1422, - part1423, - ]); - - var part1424 = match("MESSAGE#875:00520:01/2", "nwparser.p0", "authentication attempt has timed out%{}"); - - var all314 = all_match({ - processors: [ - part1419, - select337, - part1424, - ], - on_success: processor_chain([ - dup35, - dup31, - dup39, - dup2, - dup4, - dup5, - dup3, - ]), - }); - - var msg885 = msg("00520:01", all314); - - var part1425 = match("MESSAGE#876:00520:02/0", "nwparser.payload", "Trying %{p0}"); - - var part1426 = match("MESSAGE#876:00520:02/2", "nwparser.p0", "server %{fld2}"); - - var all315 = all_match({ - processors: [ - part1425, - dup400, - part1426, - ], - on_success: processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg886 = msg("00520:02", all315); - - var part1427 = match("MESSAGE#877:00520:03/1_0", "nwparser.p0", "Primary %{p0}"); - - var part1428 = match("MESSAGE#877:00520:03/1_1", "nwparser.p0", "Backup1 %{p0}"); - - var part1429 = match("MESSAGE#877:00520:03/1_2", "nwparser.p0", "Backup2 %{p0}"); - - var select338 = linear_select([ - part1427, - part1428, - part1429, - ]); - - var part1430 = match("MESSAGE#877:00520:03/2", "nwparser.p0", "%{fld2}, %{p0}"); - - var part1431 = match("MESSAGE#877:00520:03/4", "nwparser.p0", "%{fld3}, and %{p0}"); - - var part1432 = match("MESSAGE#877:00520:03/6", "nwparser.p0", "%{fld4->} servers failed"); - - var all316 = all_match({ - processors: [ - dup160, - select338, - part1430, - dup400, - part1431, - dup400, - part1432, - ], - on_success: processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg887 = msg("00520:03", all316); - - var part1433 = 
match("MESSAGE#878:00520:04", "nwparser.payload", "Trying %{fld2->} Server %{hostip->} (%{fld1})", processor_chain([ - dup44, - dup2, - dup4, - dup5, - dup9, - ])); - - var msg888 = msg("00520:04", part1433); - - var part1434 = match("MESSAGE#1221:00520:05", "nwparser.payload", "Active Server Switchover: New requests for %{fld31->} server will try %{fld32->} from now on. (%{fld1})", processor_chain([ - dup44, - dup2, - dup4, - dup5, - dup9, - ])); - - var msg889 = msg("00520:05", part1434); - - var select339 = linear_select([ - msg884, - msg885, - msg886, - msg887, - msg888, - msg889, - ]); - - var part1435 = match("MESSAGE#879:00521", "nwparser.payload", "Can't connect to E-mail server %{hostip}", processor_chain([ - dup27, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg890 = msg("00521", part1435); - - var part1436 = match("MESSAGE#880:00522", "nwparser.payload", "HA link state has %{fld2}", processor_chain([ - dup117, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg891 = msg("00522", part1436); - - var part1437 = match("MESSAGE#881:00523", "nwparser.payload", "URL filtering received an error from %{fld2->} (error %{resultcode}).", processor_chain([ - dup232, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg892 = msg("00523", part1437); - - var part1438 = match("MESSAGE#882:00524", "nwparser.payload", "NetScreen device at %{hostip}:%{network_port->} has responded successfully to SNMP request from %{saddr}:%{sport}", processor_chain([ - dup209, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg893 = msg("00524", part1438); - - var part1439 = match("MESSAGE#883:00524:02", "nwparser.payload", "SNMP request from an unknown SNMP community public at %{hostip}:%{network_port->} has been received. 
(%{fld1})", processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg894 = msg("00524:02", part1439); - - var part1440 = match("MESSAGE#884:00524:03", "nwparser.payload", "SNMP: NetScreen device has responded successfully to the SNMP request from %{saddr}:%{sport}. (%{fld1})", processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg895 = msg("00524:03", part1440); - - var part1441 = match("MESSAGE#885:00524:04", "nwparser.payload", "SNMP request from an unknown SNMP community admin at %{hostip}:%{network_port->} has been received. (%{fld1})", processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg896 = msg("00524:04", part1441); - - var part1442 = match("MESSAGE#886:00524:05", "nwparser.payload", "SNMP request from an unknown SNMP community %{fld2->} at %{hostip}:%{network_port->} has been received. (%{fld1})", processor_chain([ - dup18, - dup2, - dup4, - dup5, - dup9, - ])); - - var msg897 = msg("00524:05", part1442); - - var part1443 = match("MESSAGE#887:00524:06", "nwparser.payload", "SNMP request has been received from an unknown host in SNMP community %{fld2->} at %{hostip}:%{network_port}. (%{fld1})", processor_chain([ - dup18, - dup2, - dup4, - dup5, - dup9, - ])); - - var msg898 = msg("00524:06", part1443); - - var part1444 = match("MESSAGE#888:00524:12", "nwparser.payload", "SNMP request from an unknown SNMP community %{fld2->} at %{saddr}:%{sport->} to %{daddr}:%{dport->} has been received", processor_chain([ - dup18, - dup2, - dup4, - dup5, - ])); - - var msg899 = msg("00524:12", part1444); - - var part1445 = match("MESSAGE#889:00524:14", "nwparser.payload", "SNMP request from %{saddr}:%{sport->} has been received, but the SNMP version type is incorrect. 
(%{fld1})", processor_chain([ - dup19, - dup2, - dup4, - setc("result","the SNMP version type is incorrect"), - dup5, - dup9, - ])); - - var msg900 = msg("00524:14", part1445); - - var part1446 = match("MESSAGE#890:00524:13/0", "nwparser.payload", "SNMP request has been received%{p0}"); - - var part1447 = match("MESSAGE#890:00524:13/2", "nwparser.p0", "%{}but %{result}"); - - var all317 = all_match({ - processors: [ - part1446, - dup401, - part1447, - ], - on_success: processor_chain([ - dup18, - dup2, - dup4, - dup5, - ]), - }); - - var msg901 = msg("00524:13", all317); - - var part1448 = match("MESSAGE#891:00524:07", "nwparser.payload", "Response to SNMP request from %{saddr}:%{sport->} to %{daddr}:%{dport->} has %{disposition->} due to %{result}", processor_chain([ - dup18, - dup2, - dup4, - dup5, - ])); - - var msg902 = msg("00524:07", part1448); - - var part1449 = match("MESSAGE#892:00524:08", "nwparser.payload", "SNMP community %{fld2->} cannot be added because %{result}", processor_chain([ - dup18, - dup2, - dup4, - dup5, - ])); - - var msg903 = msg("00524:08", part1449); - - var part1450 = match("MESSAGE#893:00524:09", "nwparser.payload", "SNMP host %{hostip->} cannot be added to community %{fld2->} because of %{result}", processor_chain([ - dup18, - dup2, - dup4, - dup5, - ])); - - var msg904 = msg("00524:09", part1450); - - var part1451 = match("MESSAGE#894:00524:10", "nwparser.payload", "SNMP host %{hostip->} cannot be added because %{result}", processor_chain([ - dup18, - dup2, - dup4, - dup5, - ])); - - var msg905 = msg("00524:10", part1451); - - var part1452 = match("MESSAGE#895:00524:11", "nwparser.payload", "SNMP host %{hostip->} cannot be removed from community %{fld2->} because %{result}", processor_chain([ - dup18, - dup2, - dup4, - dup5, - ])); - - var msg906 = msg("00524:11", part1452); - - var part1453 = match("MESSAGE#1222:00524:16", "nwparser.payload", "SNMP user/community %{fld34->} doesn't exist. 
(%{fld1})", processor_chain([ - dup44, - dup2, - dup4, - dup5, - dup9, - ])); - - var msg907 = msg("00524:16", part1453); - - var select340 = linear_select([ - msg893, - msg894, - msg895, - msg896, - msg897, - msg898, - msg899, - msg900, - msg901, - msg902, - msg903, - msg904, - msg905, - msg906, - msg907, - ]); - - var part1454 = match("MESSAGE#896:00525", "nwparser.payload", "The new PIN for user %{username->} at %{hostip->} has been %{disposition->} by SecurID %{fld2}", processor_chain([ - dup203, - setc("ec_subject","Password"), - dup38, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg908 = msg("00525", part1454); - - var part1455 = match("MESSAGE#897:00525:01", "nwparser.payload", "User %{username->} at %{hostip->} has selected a system-generated PIN for authentication with SecurID %{fld2}", processor_chain([ - dup203, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg909 = msg("00525:01", part1455); - - var part1456 = match("MESSAGE#898:00525:02", "nwparser.payload", "User %{username->} at %{hostip->} must enter the \"new PIN\" for SecurID %{fld2}", processor_chain([ - dup203, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg910 = msg("00525:02", part1456); - - var part1457 = match("MESSAGE#899:00525:03", "nwparser.payload", "User %{username->} at %{hostip->} must make a \"New PIN\" choice for SecurID %{fld2}", processor_chain([ - dup203, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg911 = msg("00525:03", part1457); - - var select341 = linear_select([ - msg908, - msg909, - msg910, - msg911, - ]); - - var part1458 = match("MESSAGE#900:00526", "nwparser.payload", "The user limit has been exceeded and %{hostip->} cannot be added", processor_chain([ - dup37, - dup219, - dup38, - dup39, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg912 = msg("00526", part1458); - - var part1459 = match("MESSAGE#901:00527/0", "nwparser.payload", "A DHCP-%{p0}"); - - var part1460 = match("MESSAGE#901:00527/1_1", "nwparser.p0", " assigned %{p0}"); - - var select342 = 
linear_select([ - dup311, - part1460, - ]); - - var part1461 = match("MESSAGE#901:00527/2", "nwparser.p0", "IP address %{hostip->} has been %{p0}"); - - var part1462 = match("MESSAGE#901:00527/3_1", "nwparser.p0", "freed from %{p0}"); - - var part1463 = match("MESSAGE#901:00527/3_2", "nwparser.p0", "freed %{p0}"); - - var select343 = linear_select([ - dup312, - part1462, - part1463, - ]); - - var all318 = all_match({ - processors: [ - part1459, - select342, - part1461, - select343, - dup108, - ], - on_success: processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg913 = msg("00527", all318); - - var part1464 = match("MESSAGE#902:00527:01", "nwparser.payload", "A DHCP-assigned IP address has been manually released%{}", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg914 = msg("00527:01", part1464); - - var part1465 = match("MESSAGE#903:00527:02/0", "nwparser.payload", "DHCP server has %{p0}"); - - var part1466 = match("MESSAGE#903:00527:02/1_1", "nwparser.p0", "released %{p0}"); - - var part1467 = match("MESSAGE#903:00527:02/1_2", "nwparser.p0", "assigned or released %{p0}"); - - var select344 = linear_select([ - dup311, - part1466, - part1467, - ]); - - var part1468 = match("MESSAGE#903:00527:02/2", "nwparser.p0", "an IP address%{}"); - - var all319 = all_match({ - processors: [ - part1465, - select344, - part1468, - ], - on_success: processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg915 = msg("00527:02", all319); - - var part1469 = match("MESSAGE#904:00527:03", "nwparser.payload", "MAC address %{macaddr->} has detected an IP conflict and has declined address %{hostip}", processor_chain([ - dup272, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg916 = msg("00527:03", part1469); - - var part1470 = match("MESSAGE#905:00527:04", "nwparser.payload", "One or more DHCP-assigned IP addresses have been manually released.%{}", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - 
])); - - var msg917 = msg("00527:04", part1470); - - var part1471 = match("MESSAGE#906:00527:05/2", "nwparser.p0", "%{} %{interface->} is more than %{fld2->} allocated."); - - var all320 = all_match({ - processors: [ - dup210, - dup337, - part1471, - ], - on_success: processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg918 = msg("00527:05", all320); - - var part1472 = match("MESSAGE#907:00527:06/0", "nwparser.payload", "IP address %{hostip->} %{p0}"); - - var select345 = linear_select([ - dup106, - dup127, - ]); - - var part1473 = match("MESSAGE#907:00527:06/3_1", "nwparser.p0", "released from %{p0}"); - - var select346 = linear_select([ - dup312, - part1473, - ]); - - var part1474 = match("MESSAGE#907:00527:06/4", "nwparser.p0", "%{fld2->} (%{fld1})"); - - var all321 = all_match({ - processors: [ - part1472, - select345, - dup23, - select346, - part1474, - ], - on_success: processor_chain([ - dup44, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg919 = msg("00527:06", all321); - - var part1475 = match("MESSAGE#908:00527:07", "nwparser.payload", "One or more IP addresses have expired. 
(%{fld1})", processor_chain([ - dup44, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg920 = msg("00527:07", part1475); - - var part1476 = match("MESSAGE#909:00527:08", "nwparser.payload", "DHCP server on interface %{interface->} received %{protocol_detail->} from %{smacaddr->} requesting out-of-scope IP address %{hostip}/%{mask->} (%{fld1})", processor_chain([ - dup44, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg921 = msg("00527:08", part1476); - - var part1477 = match("MESSAGE#910:00527:09/0", "nwparser.payload", "MAC address %{macaddr->} has %{disposition->} %{p0}"); - - var part1478 = match("MESSAGE#910:00527:09/1_0", "nwparser.p0", "address %{hostip->} (%{p0}"); - - var part1479 = match("MESSAGE#910:00527:09/1_1", "nwparser.p0", "%{hostip->} (%{p0}"); - - var select347 = linear_select([ - part1478, - part1479, - ]); - - var all322 = all_match({ - processors: [ - part1477, - select347, - dup41, - ], - on_success: processor_chain([ - dup272, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg922 = msg("00527:09", all322); - - var part1480 = match("MESSAGE#911:00527:10", "nwparser.payload", "One or more IP addresses are expired. 
(%{fld1})", processor_chain([ - dup44, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg923 = msg("00527:10", part1480); - - var select348 = linear_select([ - msg913, - msg914, - msg915, - msg916, - msg917, - msg918, - msg919, - msg920, - msg921, - msg922, - msg923, - ]); - - var part1481 = match("MESSAGE#912:00528", "nwparser.payload", "SCS: User '%{username}' authenticated using password :", processor_chain([ - setc("eventcategory","1302010000"), - dup29, - dup31, - dup32, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg924 = msg("00528", part1481); - - var part1482 = match("MESSAGE#913:00528:01", "nwparser.payload", "SCS: Connection terminated for user %{username->} from", processor_chain([ - dup203, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg925 = msg("00528:01", part1482); - - var part1483 = match("MESSAGE#914:00528:02", "nwparser.payload", "SCS: Disabled for all root/vsys on device. Client host attempting connection to interface '%{interface}' with address %{hostip->} from %{saddr}", processor_chain([ - dup203, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg926 = msg("00528:02", part1483); - - var part1484 = match("MESSAGE#915:00528:03", "nwparser.payload", "SSH: NetScreen device %{disposition->} to identify itself to the SSH client at %{hostip}", processor_chain([ - dup203, - dup2, - dup4, - dup5, - dup3, - ])); - - var msg927 = msg("00528:03", part1484); - - var part1485 = match("MESSAGE#916:00528:04", "nwparser.payload", "SSH: Incompatible SSH version string has been received from SSH client at %{hostip}", processor_chain([ - dup203, - dup2, - dup4, - dup5, - dup3, - ])); - - var msg928 = msg("00528:04", part1485); - - var part1486 = match("MESSAGE#917:00528:05", "nwparser.payload", "SSH: %{disposition->} to send identification string to client host at %{hostip}", processor_chain([ - dup203, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg929 = msg("00528:05", part1486); - - var part1487 = match("MESSAGE#918:00528:06", 
"nwparser.payload", "SSH: Client at %{saddr->} attempted to connect with invalid version string.", processor_chain([ - dup313, - dup2, - dup3, - dup4, - dup5, - setc("result","invalid version string"), - ])); - - var msg930 = msg("00528:06", part1487); - - var part1488 = match("MESSAGE#919:00528:07/0", "nwparser.payload", "SSH: %{disposition->} to negotiate %{p0}"); - - var part1489 = match("MESSAGE#919:00528:07/1_1", "nwparser.p0", "MAC %{p0}"); - - var part1490 = match("MESSAGE#919:00528:07/1_2", "nwparser.p0", "key exchange %{p0}"); - - var part1491 = match("MESSAGE#919:00528:07/1_3", "nwparser.p0", "host key %{p0}"); - - var select349 = linear_select([ - dup88, - part1489, - part1490, - part1491, - ]); - - var part1492 = match("MESSAGE#919:00528:07/2", "nwparser.p0", "algorithm with host %{hostip}"); - - var all323 = all_match({ - processors: [ - part1488, - select349, - part1492, - ], - on_success: processor_chain([ - dup314, - dup2, - dup4, - dup5, - dup3, - ]), - }); - - var msg931 = msg("00528:07", all323); - - var part1493 = match("MESSAGE#920:00528:08", "nwparser.payload", "SSH: Unsupported cipher type %{fld2->} requested from %{saddr}", processor_chain([ - dup314, - dup2, - dup4, - dup5, - dup3, - ])); - - var msg932 = msg("00528:08", part1493); - - var part1494 = match("MESSAGE#921:00528:09", "nwparser.payload", "SSH: Host client has requested NO cipher from %{saddr}", processor_chain([ - dup314, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg933 = msg("00528:09", part1494); - - var part1495 = match("MESSAGE#922:00528:10", "nwparser.payload", "SSH: Disabled for '%{vsys}'. 
Attempted connection %{disposition->} from %{saddr}:%{sport}", processor_chain([ - dup281, - dup2, - dup4, - dup5, - dup3, - ])); - - var msg934 = msg("00528:10", part1495); - - var part1496 = match("MESSAGE#923:00528:11", "nwparser.payload", "SSH: Disabled for %{fld2->} Attempted connection %{disposition->} from %{saddr}:%{sport}", processor_chain([ - dup281, - dup2, - dup4, - dup5, - dup3, - ])); - - var msg935 = msg("00528:11", part1496); - - var part1497 = match("MESSAGE#924:00528:12", "nwparser.payload", "SSH: SSH user %{username->} at %{saddr->} tried unsuccessfully to log in to %{vsys->} using the shared untrusted interface. SSH disabled on that interface.", processor_chain([ - dup281, - dup2, - dup4, - dup5, - dup3, - setc("disposition","disabled"), - ])); - - var msg936 = msg("00528:12", part1497); - - var part1498 = match("MESSAGE#925:00528:13/0", "nwparser.payload", "SSH: SSH client at %{saddr->} tried unsuccessfully to %{p0}"); - - var part1499 = match("MESSAGE#925:00528:13/1_0", "nwparser.p0", "make %{p0}"); - - var part1500 = match("MESSAGE#925:00528:13/1_1", "nwparser.p0", "establish %{p0}"); - - var select350 = linear_select([ - part1499, - part1500, - ]); - - var part1501 = match("MESSAGE#925:00528:13/2", "nwparser.p0", "an SSH connection to %{p0}"); - - var part1502 = match("MESSAGE#925:00528:13/4", "nwparser.p0", "%{} %{interface->} with IP %{hostip->} SSH %{p0}"); - - var part1503 = match("MESSAGE#925:00528:13/5_0", "nwparser.p0", "not enabled %{p0}"); - - var select351 = linear_select([ - part1503, - dup157, - ]); - - var part1504 = match("MESSAGE#925:00528:13/6", "nwparser.p0", "on that interface.%{}"); - - var all324 = all_match({ - processors: [ - part1498, - select350, - part1501, - dup337, - part1502, - select351, - part1504, - ], - on_success: processor_chain([ - dup281, - dup2, - dup4, - dup5, - dup3, - ]), - }); - - var msg937 = msg("00528:13", all324); - - var part1505 = match("MESSAGE#926:00528:14", "nwparser.payload", "SSH: SSH 
client %{saddr->} unsuccessfully attempted to make an SSH connection to %{vsys->} SSH was not completely initialized for that system.", processor_chain([ - dup281, - dup2, - dup4, - dup5, - dup3, - ])); - - var msg938 = msg("00528:14", part1505); - - var part1506 = match("MESSAGE#927:00528:15/0", "nwparser.payload", "SSH: Admin user %{p0}"); - - var part1507 = match("MESSAGE#927:00528:15/1_1", "nwparser.p0", "%{administrator->} %{p0}"); - - var select352 = linear_select([ - dup315, - part1507, - ]); - - var part1508 = match("MESSAGE#927:00528:15/2", "nwparser.p0", "at host %{saddr->} requested unsupported %{p0}"); - - var part1509 = match("MESSAGE#927:00528:15/3_0", "nwparser.p0", "PKA algorithm %{p0}"); - - var part1510 = match("MESSAGE#927:00528:15/3_1", "nwparser.p0", "authentication method %{p0}"); - - var select353 = linear_select([ - part1509, - part1510, - ]); - - var all325 = all_match({ - processors: [ - part1506, - select352, - part1508, - select353, - dup108, - ], - on_success: processor_chain([ - dup281, - dup2, - dup4, - dup5, - dup3, - ]), - }); - - var msg939 = msg("00528:15", all325); - - var part1511 = match("MESSAGE#928:00528:16", "nwparser.payload", "SCP: Admin '%{administrator}' at host %{saddr->} executed invalid scp command: '%{fld2}'", processor_chain([ - dup281, - dup2, - dup4, - dup5, - dup3, - ])); - - var msg940 = msg("00528:16", part1511); - - var part1512 = match("MESSAGE#929:00528:17", "nwparser.payload", "SCP: Disabled for '%{username}'. 
Attempted file transfer failed from host %{saddr}", processor_chain([ - dup281, - dup2, - dup4, - dup5, - dup3, - ])); - - var msg941 = msg("00528:17", part1512); - - var part1513 = match("MESSAGE#930:00528:18/2", "nwparser.p0", "authentication successful for admin user %{p0}"); - - var all326 = all_match({ - processors: [ - dup316, - dup402, - part1513, - dup403, - dup320, - ], - on_success: processor_chain([ - dup281, - dup2, - dup4, - dup5, - dup3, - setc("disposition","successful"), - setc("event_description","authentication successful for admin user"), - ]), - }); - - var msg942 = msg("00528:18", all326); - - var part1514 = match("MESSAGE#931:00528:26/2", "nwparser.p0", "authentication failed for admin user %{p0}"); - - var all327 = all_match({ - processors: [ - dup316, - dup402, - part1514, - dup403, - dup320, - ], - on_success: processor_chain([ - dup206, - dup29, - dup31, - dup54, - dup2, - dup4, - dup5, - dup302, - dup3, - setc("event_description","authentication failed for admin user"), - ]), - }); - - var msg943 = msg("00528:26", all327); - - var part1515 = match("MESSAGE#932:00528:19/2", "nwparser.p0", ": SSH user %{username->} has been %{disposition->} using password from %{saddr}:%{sport}"); - - var all328 = all_match({ - processors: [ - dup321, - dup404, - part1515, - ], - on_success: processor_chain([ - dup281, - dup2, - dup4, - dup5, - dup3, - ]), - }); - - var msg944 = msg("00528:19", all328); - - var part1516 = match("MESSAGE#933:00528:20/2", "nwparser.p0", ": Connection has been %{disposition->} for admin user %{administrator->} at %{saddr}:%{sport}"); - - var all329 = all_match({ - processors: [ - dup321, - dup404, - part1516, - ], - on_success: processor_chain([ - dup281, - dup2, - dup4, - dup5, - dup3, - ]), - }); - - var msg945 = msg("00528:20", all329); - - var part1517 = match("MESSAGE#934:00528:21", "nwparser.payload", "SCS: SSH user %{username->} at %{saddr}:%{sport->} has requested PKA RSA authentication, which is not supported for that 
client.", processor_chain([ - dup281, - dup2, - dup4, - dup5, - dup3, - ])); - - var msg946 = msg("00528:21", part1517); - - var part1518 = match("MESSAGE#935:00528:22/0", "nwparser.payload", "SCS: SSH client at %{saddr->} has attempted to make an SCS connection to %{p0}"); - - var part1519 = match("MESSAGE#935:00528:22/2", "nwparser.p0", "%{} %{interface->} with IP %{hostip->} but %{disposition->} because SCS is not enabled for that interface."); - - var all330 = all_match({ - processors: [ - part1518, - dup337, - part1519, - ], - on_success: processor_chain([ - dup281, - dup2, - dup4, - dup5, - dup3, - setc("result","SCS is not enabled for that interface"), - ]), - }); - - var msg947 = msg("00528:22", all330); - - var part1520 = match("MESSAGE#936:00528:23", "nwparser.payload", "SCS: SSH client at %{saddr}:%{sport->} has %{disposition->} to make an SCS connection to vsys %{vsys->} because SCS cannot generate the host and server keys before timing out.", processor_chain([ - dup281, - dup2, - dup4, - dup5, - dup3, - setc("result","SCS cannot generate the host and server keys before timing out"), - ])); - - var msg948 = msg("00528:23", part1520); - - var part1521 = match("MESSAGE#937:00528:24", "nwparser.payload", "SSH: %{change_attribute->} has been changed from %{change_old->} to %{change_new}", processor_chain([ - dup281, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg949 = msg("00528:24", part1521); - - var part1522 = match("MESSAGE#938:00528:25/0", "nwparser.payload", "SSH: Admin %{p0}"); - - var part1523 = match("MESSAGE#938:00528:25/2", "nwparser.p0", "at host %{saddr->} attempted to be authenticated with no authentication methods enabled."); - - var all331 = all_match({ - processors: [ - part1522, - dup403, - part1523, - ], - on_success: processor_chain([ - dup281, - dup2, - dup4, - dup5, - dup3, - ]), - }); - - var msg950 = msg("00528:25", all331); - - var select354 = linear_select([ - msg924, - msg925, - msg926, - msg927, - msg928, - msg929, - msg930, - 
msg931, - msg932, - msg933, - msg934, - msg935, - msg936, - msg937, - msg938, - msg939, - msg940, - msg941, - msg942, - msg943, - msg944, - msg945, - msg946, - msg947, - msg948, - msg949, - msg950, - ]); - - var part1524 = match("MESSAGE#939:00529/1_0", "nwparser.p0", "manually %{p0}"); - - var part1525 = match("MESSAGE#939:00529/1_1", "nwparser.p0", "automatically %{p0}"); - - var select355 = linear_select([ - part1524, - part1525, - ]); - - var part1526 = match("MESSAGE#939:00529/2", "nwparser.p0", "refreshed%{}"); - - var all332 = all_match({ - processors: [ - dup63, - select355, - part1526, - ], - on_success: processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg951 = msg("00529", all332); - - var part1527 = match("MESSAGE#940:00529:01/0", "nwparser.payload", "DNS entries have been refreshed by %{p0}"); - - var part1528 = match("MESSAGE#940:00529:01/1_0", "nwparser.p0", "state change%{}"); - - var part1529 = match("MESSAGE#940:00529:01/1_1", "nwparser.p0", "HA%{}"); - - var select356 = linear_select([ - part1528, - part1529, - ]); - - var all333 = all_match({ - processors: [ - part1527, - select356, - ], - on_success: processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg952 = msg("00529:01", all333); - - var select357 = linear_select([ - msg951, - msg952, - ]); - - var part1530 = match("MESSAGE#941:00530", "nwparser.payload", "An IP conflict has been detected and the DHCP client has declined address %{hostip}", processor_chain([ - dup272, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg953 = msg("00530", part1530); - - var part1531 = match("MESSAGE#942:00530:01/0", "nwparser.payload", "DHCP client IP %{hostip->} for the %{p0}"); - - var part1532 = match("MESSAGE#942:00530:01/2", "nwparser.p0", "%{} %{interface->} has been manually released"); - - var all334 = all_match({ - processors: [ - part1531, - dup337, - part1532, - ], - on_success: processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ]), 
- }); - - var msg954 = msg("00530:01", all334); - - var part1533 = match("MESSAGE#943:00530:02", "nwparser.payload", "DHCP client is unable to get an IP address for the %{interface->} interface", processor_chain([ - dup18, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg955 = msg("00530:02", part1533); - - var part1534 = match("MESSAGE#944:00530:03", "nwparser.payload", "DHCP client lease for %{hostip->} has expired", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg956 = msg("00530:03", part1534); - - var part1535 = match("MESSAGE#945:00530:04", "nwparser.payload", "DHCP server %{hostip->} has assigned the untrust Interface %{interface->} with lease %{fld2}.", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg957 = msg("00530:04", part1535); - - var part1536 = match("MESSAGE#946:00530:05", "nwparser.payload", "DHCP server %{hostip->} has assigned the %{interface->} interface %{fld2->} with lease %{fld3}", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg958 = msg("00530:05", part1536); - - var part1537 = match("MESSAGE#947:00530:06", "nwparser.payload", "DHCP client is unable to get IP address for the untrust interface.%{}", processor_chain([ - dup18, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg959 = msg("00530:06", part1537); - - var select358 = linear_select([ - msg953, - msg954, - msg955, - msg956, - msg957, - msg958, - msg959, - ]); - - var part1538 = match("MESSAGE#948:00531/0", "nwparser.payload", "System clock configurations have been changed by admin %{p0}"); - - var all335 = all_match({ - processors: [ - part1538, - dup397, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg960 = msg("00531", all335); - - var part1539 = match("MESSAGE#949:00531:01", "nwparser.payload", "failed to get clock through NTP%{}", processor_chain([ - dup86, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg961 = msg("00531:01", 
part1539); - - var part1540 = match("MESSAGE#950:00531:02", "nwparser.payload", "The system clock has been updated through NTP.%{}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg962 = msg("00531:02", part1540); - - var part1541 = match("MESSAGE#951:00531:03/0", "nwparser.payload", "The system clock was updated from %{type->} NTP server type %{hostname->} with a%{p0}"); - - var part1542 = match("MESSAGE#951:00531:03/1_0", "nwparser.p0", " ms %{p0}"); - - var select359 = linear_select([ - part1542, - dup115, - ]); - - var part1543 = match("MESSAGE#951:00531:03/2", "nwparser.p0", "adjustment of %{fld3}. Authentication was %{fld4}. Update mode was %{p0}"); - - var part1544 = match("MESSAGE#951:00531:03/3_0", "nwparser.p0", "%{fld5}(%{fld2})"); - - var part1545 = match_copy("MESSAGE#951:00531:03/3_1", "nwparser.p0", "fld5"); - - var select360 = linear_select([ - part1544, - part1545, - ]); - - var all336 = all_match({ - processors: [ - part1541, - select359, - part1543, - select360, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - dup146, - ]), - }); - - var msg963 = msg("00531:03", all336); - - var part1546 = match("MESSAGE#952:00531:04/0", "nwparser.payload", "The NetScreen device is attempting to contact the %{p0}"); - - var part1547 = match("MESSAGE#952:00531:04/1_0", "nwparser.p0", "primary backup %{p0}"); - - var part1548 = match("MESSAGE#952:00531:04/1_1", "nwparser.p0", "secondary backup %{p0}"); - - var select361 = linear_select([ - part1547, - part1548, - dup189, - ]); - - var part1549 = match("MESSAGE#952:00531:04/2", "nwparser.p0", "NTP server %{hostname}"); - - var all337 = all_match({ - processors: [ - part1546, - select361, - part1549, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg964 = msg("00531:04", all337); - - var part1550 = match("MESSAGE#953:00531:05", "nwparser.payload", "No NTP server could be contacted. 
(%{fld1})", processor_chain([ - dup86, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg965 = msg("00531:05", part1550); - - var part1551 = match("MESSAGE#954:00531:06", "nwparser.payload", "Network Time Protocol adjustment of %{fld2->} from NTP server %{hostname->} exceeds the allowed adjustment of %{fld3}. (%{fld1})", processor_chain([ - dup86, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg966 = msg("00531:06", part1551); - - var part1552 = match("MESSAGE#955:00531:07", "nwparser.payload", "No acceptable time could be obtained from any NTP server. (%{fld1})", processor_chain([ - dup86, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg967 = msg("00531:07", part1552); - - var part1553 = match("MESSAGE#956:00531:08", "nwparser.payload", "Administrator %{administrator->} changed the %{change_attribute->} from %{change_old->} to %{change_new->} (by %{fld3->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport}) (%{fld1})", processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg968 = msg("00531:08", part1553); - - var part1554 = match("MESSAGE#957:00531:09", "nwparser.payload", "Network Time Protocol settings changed. 
(%{fld1})", processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg969 = msg("00531:09", part1554); - - var part1555 = match("MESSAGE#958:00531:10", "nwparser.payload", "NTP server is %{disposition->} on interface %{interface->} (%{fld1})", processor_chain([ - dup86, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg970 = msg("00531:10", part1555); - - var part1556 = match("MESSAGE#959:00531:11", "nwparser.payload", "The system clock will be changed from %{change_old->} to %{change_new->} received from primary NTP server %{hostip->} (%{fld1})", processor_chain([ - dup44, - dup2, - dup3, - dup9, - dup4, - dup5, - setc("event_description","system clock changed based on receive from primary NTP server"), - ])); - - var msg971 = msg("00531:11", part1556); - - var part1557 = match("MESSAGE#1223:00531:12", "nwparser.payload", "%{fld35->} NTP server %{saddr->} could not be contacted. (%{fld1})", processor_chain([ - dup44, - dup2, - dup4, - dup5, - dup9, - ])); - - var msg972 = msg("00531:12", part1557); - - var select362 = linear_select([ - msg960, - msg961, - msg962, - msg963, - msg964, - msg965, - msg966, - msg967, - msg968, - msg969, - msg970, - msg971, - msg972, - ]); - - var part1558 = match("MESSAGE#960:00533", "nwparser.payload", "VIP server %{hostip->} is now responding", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg973 = msg("00533", part1558); - - var part1559 = match("MESSAGE#961:00534", "nwparser.payload", "%{fld2->} has been cleared", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg974 = msg("00534", part1559); - - var part1560 = match("MESSAGE#962:00535", "nwparser.payload", "Cannot find the CA certificate with distinguished name %{fld2}", processor_chain([ - dup314, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg975 = msg("00535", part1560); - - var part1561 = match("MESSAGE#963:00535:01", "nwparser.payload", "Distinguished name %{dn->} in the X509 
certificate request is %{disposition}", processor_chain([ - dup314, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg976 = msg("00535:01", part1561); - - var part1562 = match("MESSAGE#964:00535:02", "nwparser.payload", "Local certificate with distinguished name %{dn->} is %{disposition}", processor_chain([ - dup314, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg977 = msg("00535:02", part1562); - - var part1563 = match("MESSAGE#965:00535:03", "nwparser.payload", "PKCS #7 data cannot be decapsulated%{}", processor_chain([ - dup314, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg978 = msg("00535:03", part1563); - - var part1564 = match("MESSAGE#966:00535:04", "nwparser.payload", "SCEP_FAILURE message has been received from the CA%{}", processor_chain([ - dup314, - dup2, - dup3, - dup4, - dup5, - setc("result","SCEP_FAILURE message"), - ])); - - var msg979 = msg("00535:04", part1564); - - var part1565 = match("MESSAGE#967:00535:05", "nwparser.payload", "PKI error message has been received: %{result}", processor_chain([ - dup314, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg980 = msg("00535:05", part1565); - - var part1566 = match("MESSAGE#968:00535:06", "nwparser.payload", "PKI: Saved CA configuration (CA cert subject name %{dn}). (%{event_time_string})", processor_chain([ - dup314, - dup2, - dup3, - dup4, - dup5, - setc("event_description","Saved CA configuration - cert subject name"), - ])); - - var msg981 = msg("00535:06", part1566); - - var select363 = linear_select([ - msg975, - msg976, - msg977, - msg978, - msg979, - msg980, - msg981, - ]); - - var part1567 = match("MESSAGE#969:00536:49/0", "nwparser.payload", "IKE %{hostip->} %{p0}"); - - var part1568 = match("MESSAGE#969:00536:49/1_0", "nwparser.p0", "Phase 2 msg ID %{sessionid}: %{disposition}. %{p0}"); - - var part1569 = match("MESSAGE#969:00536:49/1_1", "nwparser.p0", "Phase 1: %{disposition->} %{p0}"); - - var part1570 = match("MESSAGE#969:00536:49/1_2", "nwparser.p0", "phase 2:%{disposition}. 
%{p0}"); - - var part1571 = match("MESSAGE#969:00536:49/1_3", "nwparser.p0", "phase 1:%{disposition}. %{p0}"); - - var select364 = linear_select([ - part1568, - part1569, - part1570, - part1571, - ]); - - var all338 = all_match({ - processors: [ - part1567, - select364, - dup10, - ], - on_success: processor_chain([ - dup44, - dup2, - dup9, - dup3, - dup4, - dup5, - ]), - }); - - var msg982 = msg("00536:49", all338); - - var part1572 = match("MESSAGE#970:00536", "nwparser.payload", "UDP packets have been received from %{saddr}/%{sport->} at interface %{interface->} at %{daddr}/%{dport}", processor_chain([ - dup44, - dup2, - dup4, - dup5, - dup3, - dup61, - ])); - - var msg983 = msg("00536", part1572); - - var part1573 = match("MESSAGE#971:00536:01", "nwparser.payload", "Attempt to set tunnel (%{fld2}) without IP address at both end points! Check outgoing interface.", processor_chain([ - dup18, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg984 = msg("00536:01", part1573); - - var part1574 = match("MESSAGE#972:00536:02", "nwparser.payload", "Gateway %{fld2->} at %{hostip->} in %{fld4->} mode with ID: %{fld3->} has been %{disposition}.", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg985 = msg("00536:02", part1574); - - var part1575 = match("MESSAGE#973:00536:03", "nwparser.payload", "IKE gateway %{fld2->} has been %{disposition}. 
%{info}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg986 = msg("00536:03", part1575); - - var part1576 = match("MESSAGE#974:00536:04", "nwparser.payload", "VPN monitoring for VPN %{group->} has deactivated the SA with ID %{fld2}.", processor_chain([ - setc("eventcategory","1801010100"), - dup2, - dup3, - dup4, - dup5, - ])); - - var msg987 = msg("00536:04", part1576); - - var part1577 = match("MESSAGE#975:00536:05", "nwparser.payload", "VPN ID number cannot be assigned%{}", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg988 = msg("00536:05", part1577); - - var part1578 = match("MESSAGE#976:00536:06", "nwparser.payload", "Local gateway IP address has changed to %{fld2}. VPNs cannot terminate at an interface with IP %{hostip}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg989 = msg("00536:06", part1578); - - var part1579 = match("MESSAGE#977:00536:07", "nwparser.payload", "Local gateway IP address has changed from %{change_old->} to another setting", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg990 = msg("00536:07", part1579); - - var part1580 = match("MESSAGE#978:00536:08", "nwparser.payload", "IKE %{hostip}: Sent initial contact notification message", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg991 = msg("00536:08", part1580); - - var part1581 = match("MESSAGE#979:00536:09", "nwparser.payload", "IKE %{hostip}: Sent initial contact notification", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg992 = msg("00536:09", part1581); - - var part1582 = match("MESSAGE#980:00536:10", "nwparser.payload", "IKE %{hostip}: Responded to a packet with a bad SPI after rebooting", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg993 = msg("00536:10", part1582); - - var part1583 = match("MESSAGE#981:00536:11", "nwparser.payload", "IKE %{hostip}: Removed Phase 2 SAs after 
receiving a notification message", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg994 = msg("00536:11", part1583); - - var part1584 = match("MESSAGE#982:00536:12", "nwparser.payload", "IKE %{hostip}: Rejected first Phase 1 packet from an unrecognized source", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg995 = msg("00536:12", part1584); - - var part1585 = match("MESSAGE#983:00536:13", "nwparser.payload", "IKE %{hostip}: Rejected an initial Phase 1 packet from an unrecognized peer gateway", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg996 = msg("00536:13", part1585); - - var part1586 = match("MESSAGE#984:00536:14/0", "nwparser.payload", "IKE %{hostip}: Received initial contact notification and removed Phase %{p0}"); - - var part1587 = match("MESSAGE#984:00536:14/2", "nwparser.p0", "SAs%{}"); - - var all339 = all_match({ - processors: [ - part1586, - dup383, - part1587, - ], - on_success: processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg997 = msg("00536:14", all339); - - var part1588 = match("MESSAGE#985:00536:50", "nwparser.payload", "IKE %{hostip}: Received a notification message for %{disposition}. 
(%{fld1})", processor_chain([ - dup44, - dup2, - dup9, - dup3, - dup4, - dup5, - ])); - - var msg998 = msg("00536:50", part1588); - - var part1589 = match("MESSAGE#986:00536:15", "nwparser.payload", "IKE %{hostip}: Received incorrect ID payload: IP address %{fld2->} instead of IP address %{fld3}", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg999 = msg("00536:15", part1589); - - var part1590 = match("MESSAGE#987:00536:16", "nwparser.payload", "IKE %{hostip}: Phase 2 negotiation request is already in the task list", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1000 = msg("00536:16", part1590); - - var part1591 = match("MESSAGE#988:00536:17", "nwparser.payload", "IKE %{hostip}: Heartbeats have been lost %{fld2->} times", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1001 = msg("00536:17", part1591); - - var part1592 = match("MESSAGE#989:00536:18", "nwparser.payload", "IKE %{hostip}: Dropped peer packet because no policy uses the peer configuration", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1002 = msg("00536:18", part1592); - - var part1593 = match("MESSAGE#990:00536:19", "nwparser.payload", "IKE %{hostip}: Dropped packet because remote gateway OK is not used in any VPN tunnel configurations", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1003 = msg("00536:19", part1593); - - var part1594 = match("MESSAGE#991:00536:20", "nwparser.payload", "IKE %{hostip}: Added the initial contact task to the task list", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1004 = msg("00536:20", part1594); - - var part1595 = match("MESSAGE#992:00536:21", "nwparser.payload", "IKE %{hostip}: Added Phase 2 session tasks to the task list", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1005 = msg("00536:21", part1595); - - var part1596 = match("MESSAGE#993:00536:22", 
"nwparser.payload", "IKE %{hostip->} Phase 1 : %{disposition->} proposals from peer. Negotiations failed", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - setc("result","Negotiations failed"), - ])); - - var msg1006 = msg("00536:22", part1596); - - var part1597 = match("MESSAGE#994:00536:23", "nwparser.payload", "IKE %{hostip->} Phase 1 : Aborted negotiations because the time limit has elapsed", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - setc("result","The time limit has elapsed"), - setc("disposition","Aborted"), - ])); - - var msg1007 = msg("00536:23", part1597); - - var part1598 = match("MESSAGE#995:00536:24", "nwparser.payload", "IKE %{hostip->} Phase 2: Received a message but did not check a policy because id-mode is set to IP or policy-checking is disabled", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1008 = msg("00536:24", part1598); - - var part1599 = match("MESSAGE#996:00536:25", "nwparser.payload", "IKE %{hostip->} Phase 2: Received DH group %{fld2->} instead of expected group %{fld3->} for PFS", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1009 = msg("00536:25", part1599); - - var part1600 = match("MESSAGE#997:00536:26", "nwparser.payload", "IKE %{hostip->} Phase 2: No policy exists for the proxy ID received: local ID %{fld2->} remote ID %{fld3}", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1010 = msg("00536:26", part1600); - - var part1601 = match("MESSAGE#998:00536:27", "nwparser.payload", "IKE %{hostip->} Phase 1: RSA private key is needed to sign packets", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1011 = msg("00536:27", part1601); - - var part1602 = match("MESSAGE#999:00536:28", "nwparser.payload", "IKE %{hostip->} Phase 1: Aggressive mode negotiations have %{disposition}", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1012 = msg("00536:28", part1602); - - 
var part1603 = match("MESSAGE#1000:00536:29", "nwparser.payload", "IKE %{hostip->} Phase 1: Vendor ID payload indicates that the peer does not support NAT-T", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1013 = msg("00536:29", part1603); - - var part1604 = match("MESSAGE#1001:00536:30", "nwparser.payload", "IKE %{hostip->} Phase 1: Retransmission limit has been reached", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1014 = msg("00536:30", part1604); - - var part1605 = match("MESSAGE#1002:00536:31", "nwparser.payload", "IKE %{hostip->} Phase 1: Received an invalid RSA signature", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1015 = msg("00536:31", part1605); - - var part1606 = match("MESSAGE#1003:00536:32", "nwparser.payload", "IKE %{hostip->} Phase 1: Received an incorrect public key authentication method", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1016 = msg("00536:32", part1606); - - var part1607 = match("MESSAGE#1004:00536:33", "nwparser.payload", "IKE %{hostip->} Phase 1: No private key exists to sign packets", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1017 = msg("00536:33", part1607); - - var part1608 = match("MESSAGE#1005:00536:34", "nwparser.payload", "IKE %{hostip->} Phase 1: Main mode packet has arrived with ID type IP address but no user configuration was found for that ID", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1018 = msg("00536:34", part1608); - - var part1609 = match("MESSAGE#1006:00536:35", "nwparser.payload", "IKE %{hostip->} Phase 1: IKE initiator has detected NAT in front of the local device", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1019 = msg("00536:35", part1609); - - var part1610 = match("MESSAGE#1007:00536:36/0", "nwparser.payload", "IKE %{hostip->} Phase 1: Discarded a second initial packet%{p0}"); - - var 
part1611 = match("MESSAGE#1007:00536:36/2", "nwparser.p0", "%{}which arrived within %{fld2->} after the first"); - - var all340 = all_match({ - processors: [ - part1610, - dup401, - part1611, - ], - on_success: processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg1020 = msg("00536:36", all340); - - var part1612 = match("MESSAGE#1008:00536:37", "nwparser.payload", "IKE %{hostip->} Phase 1: Completed Aggressive mode negotiations with a %{fld2->} lifetime", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1021 = msg("00536:37", part1612); - - var part1613 = match("MESSAGE#1009:00536:38", "nwparser.payload", "IKE %{hostip->} Phase 1: Certificate received has a subject name that does not match the ID payload", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1022 = msg("00536:38", part1613); - - var part1614 = match("MESSAGE#1010:00536:39", "nwparser.payload", "IKE %{hostip->} Phase 1: Certificate received has a different IP address %{fld2->} than expected", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1023 = msg("00536:39", part1614); - - var part1615 = match("MESSAGE#1011:00536:40", "nwparser.payload", "IKE %{hostip->} Phase 1: Cannot use a preshared key because the peer%{quote}s gateway has a dynamic IP address and negotiations are in Main mode", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1024 = msg("00536:40", part1615); - - var part1616 = match("MESSAGE#1012:00536:47", "nwparser.payload", "IKE %{hostip->} Phase 1: Initiated negotiations in Aggressive mode", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1025 = msg("00536:47", part1616); - - var part1617 = match("MESSAGE#1013:00536:41", "nwparser.payload", "IKE %{hostip->} Phase 1: Cannot verify RSA signature", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1026 = msg("00536:41", part1617); - - var part1618 = 
match("MESSAGE#1014:00536:42", "nwparser.payload", "IKE %{hostip->} Phase 1: Initiated Main mode negotiations", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1027 = msg("00536:42", part1618); - - var part1619 = match("MESSAGE#1015:00536:43", "nwparser.payload", "IKE %{hostip->} Phase 2: Initiated negotiations", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1028 = msg("00536:43", part1619); - - var part1620 = match("MESSAGE#1016:00536:44", "nwparser.payload", "IKE %{hostip}: Changed heartbeat interval to %{fld2}", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1029 = msg("00536:44", part1620); - - var part1621 = match("MESSAGE#1017:00536:45", "nwparser.payload", "IKE %{hostip}: Heartbeats have been %{disposition->} because %{result}", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1030 = msg("00536:45", part1621); - - var part1622 = match("MESSAGE#1018:00536:48", "nwparser.payload", "Received an IKE packet on %{interface->} from %{saddr}:%{sport->} to %{daddr}:%{dport}/%{fld1}. Cookies: %{ike_cookie1}, %{ike_cookie2}. 
(%{event_time_string})", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - setc("event_description","Received an IKE packet on interface"), - ])); - - var msg1031 = msg("00536:48", part1622); - - var part1623 = match("MESSAGE#1019:00536:46", "nwparser.payload", "IKE %{hostip}: Received a bad SPI", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1032 = msg("00536:46", part1623); - - var select365 = linear_select([ - msg982, - msg983, - msg984, - msg985, - msg986, - msg987, - msg988, - msg989, - msg990, - msg991, - msg992, - msg993, - msg994, - msg995, - msg996, - msg997, - msg998, - msg999, - msg1000, - msg1001, - msg1002, - msg1003, - msg1004, - msg1005, - msg1006, - msg1007, - msg1008, - msg1009, - msg1010, - msg1011, - msg1012, - msg1013, - msg1014, - msg1015, - msg1016, - msg1017, - msg1018, - msg1019, - msg1020, - msg1021, - msg1022, - msg1023, - msg1024, - msg1025, - msg1026, - msg1027, - msg1028, - msg1029, - msg1030, - msg1031, - msg1032, - ]); - - var part1624 = match("MESSAGE#1020:00537", "nwparser.payload", "PPPoE %{disposition->} to establish a session: %{info}", processor_chain([ - dup18, - dup2, - dup4, - dup5, - dup3, - ])); - - var msg1033 = msg("00537", part1624); - - var part1625 = match("MESSAGE#1021:00537:01", "nwparser.payload", "PPPoE session shuts down: %{result}", processor_chain([ - dup18, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1034 = msg("00537:01", part1625); - - var part1626 = match("MESSAGE#1022:00537:02", "nwparser.payload", "The Point-to-Point over Ethernet (PPPoE) connection failed to establish a session: %{result}", processor_chain([ - dup18, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1035 = msg("00537:02", part1626); - - var part1627 = match("MESSAGE#1023:00537:03", "nwparser.payload", "PPPoE session has successfully established%{}", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1036 = msg("00537:03", part1627); - - var select366 = 
linear_select([ - msg1033, - msg1034, - msg1035, - msg1036, - ]); - - var part1628 = match("MESSAGE#1024:00538/0", "nwparser.payload", "NACN failed to register to Policy Manager %{fld2->} because %{p0}"); - - var select367 = linear_select([ - dup111, - dup119, - ]); - - var part1629 = match("MESSAGE#1024:00538/2", "nwparser.p0", "%{result}"); - - var all341 = all_match({ - processors: [ - part1628, - select367, - part1629, - ], - on_success: processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg1037 = msg("00538", all341); - - var part1630 = match("MESSAGE#1025:00538:01", "nwparser.payload", "NACN successfully registered to Policy Manager %{fld2}.", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1038 = msg("00538:01", part1630); - - var part1631 = match("MESSAGE#1026:00538:02", "nwparser.payload", "The NACN protocol has started for Policy Manager %{fld2->} on hostname %{hostname->} IP address %{hostip->} port %{network_port}.", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1039 = msg("00538:02", part1631); - - var part1632 = match("MESSAGE#1027:00538:03", "nwparser.payload", "Cannot connect to NSM Server at %{hostip->} (%{fld2->} connect attempt(s)) %{fld3}", processor_chain([ - dup19, - dup2, - dup4, - dup5, - dup3, - ])); - - var msg1040 = msg("00538:03", part1632); - - var part1633 = match("MESSAGE#1028:00538:04", "nwparser.payload", "Device is not known to Global PRO data collector at %{hostip}", processor_chain([ - dup27, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1041 = msg("00538:04", part1633); - - var part1634 = match("MESSAGE#1029:00538:05/0", "nwparser.payload", "Lost %{p0}"); - - var part1635 = match("MESSAGE#1029:00538:05/1_0", "nwparser.p0", "socket connection%{p0}"); - - var part1636 = match("MESSAGE#1029:00538:05/1_1", "nwparser.p0", "connection%{p0}"); - - var select368 = linear_select([ - part1635, - part1636, - ]); - - var part1637 = 
match("MESSAGE#1029:00538:05/2", "nwparser.p0", "%{}to Global PRO data collector at %{hostip}"); - - var all342 = all_match({ - processors: [ - part1634, - select368, - part1637, - ], - on_success: processor_chain([ - dup27, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg1042 = msg("00538:05", all342); - - var part1638 = match("MESSAGE#1030:00538:06/0", "nwparser.payload", "Device has connected to the Global PRO%{p0}"); - - var part1639 = match("MESSAGE#1030:00538:06/1_0", "nwparser.p0", " %{fld2->} primary data collector at %{p0}"); - - var part1640 = match("MESSAGE#1030:00538:06/1_1", "nwparser.p0", " primary data collector at %{p0}"); - - var select369 = linear_select([ - part1639, - part1640, - ]); - - var part1641 = match_copy("MESSAGE#1030:00538:06/2", "nwparser.p0", "hostip"); - - var all343 = all_match({ - processors: [ - part1638, - select369, - part1641, - ], - on_success: processor_chain([ - dup27, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg1043 = msg("00538:06", all343); - - var part1642 = match("MESSAGE#1031:00538:07/0", "nwparser.payload", "Connection to Global PRO data collector at %{hostip->} has%{p0}"); - - var part1643 = match("MESSAGE#1031:00538:07/1_0", "nwparser.p0", " been%{p0}"); - - var select370 = linear_select([ - part1643, - dup16, - ]); - - var all344 = all_match({ - processors: [ - part1642, - select370, - dup136, - ], - on_success: processor_chain([ - dup27, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg1044 = msg("00538:07", all344); - - var part1644 = match("MESSAGE#1032:00538:08", "nwparser.payload", "Cannot connect to Global PRO data collector at %{hostip}", processor_chain([ - dup27, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1045 = msg("00538:08", part1644); - - var part1645 = match("MESSAGE#1033:00538:09", "nwparser.payload", "NSM: Connected to NSM server at %{hostip->} (%{info}) (%{fld1})", processor_chain([ - dup301, - dup2, - dup3, - dup9, - dup4, - dup5, - 
setc("event_description","Connected to NSM server"), - ])); - - var msg1046 = msg("00538:09", part1645); - - var part1646 = match("MESSAGE#1034:00538:10/0", "nwparser.payload", "NSM: Connection to NSM server at %{hostip->} is down. Reason: %{resultcode}, %{result->} (%{p0}"); - - var part1647 = match("MESSAGE#1034:00538:10/1_0", "nwparser.p0", "%{info}) (%{fld1})"); - - var select371 = linear_select([ - part1647, - dup41, - ]); - - var all345 = all_match({ - processors: [ - part1646, - select371, - ], - on_success: processor_chain([ - dup198, - dup2, - dup3, - dup9, - dup4, - dup5, - setc("event_description","Connection to NSM server is down"), - ]), - }); - - var msg1047 = msg("00538:10", all345); - - var part1648 = match("MESSAGE#1035:00538:11", "nwparser.payload", "NSM: Cannot connect to NSM server at %{hostip}. Reason: %{resultcode}, %{result->} (%{info}) (%{fld2->} connect attempt(s)) (%{fld1})", processor_chain([ - dup198, - dup2, - dup3, - dup9, - dup4, - dup5, - dup323, - ])); - - var msg1048 = msg("00538:11", part1648); - - var part1649 = match("MESSAGE#1036:00538:12", "nwparser.payload", "NSM: Cannot connect to NSM server at %{hostip}. 
Reason: %{resultcode}, %{result->} (%{info}) (%{fld1})", processor_chain([ - dup198, - dup2, - dup3, - dup9, - dup4, - dup5, - dup323, - ])); - - var msg1049 = msg("00538:12", part1649); - - var part1650 = match("MESSAGE#1037:00538:13", "nwparser.payload", "NSM: Sent 2B message (%{fld1})", processor_chain([ - dup44, - dup2, - dup3, - dup9, - dup4, - dup5, - setc("event_description","Sent 2B message"), - ])); - - var msg1050 = msg("00538:13", part1650); - - var select372 = linear_select([ - msg1037, - msg1038, - msg1039, - msg1040, - msg1041, - msg1042, - msg1043, - msg1044, - msg1045, - msg1046, - msg1047, - msg1048, - msg1049, - msg1050, - ]); - - var part1651 = match("MESSAGE#1038:00539", "nwparser.payload", "No IP address in L2TP IP pool for user %{username}", processor_chain([ - dup117, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1051 = msg("00539", part1651); - - var part1652 = match("MESSAGE#1039:00539:01", "nwparser.payload", "No L2TP IP pool for user %{username}", processor_chain([ - dup117, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1052 = msg("00539:01", part1652); - - var part1653 = match("MESSAGE#1040:00539:02", "nwparser.payload", "Cannot allocate IP addr from Pool %{group_object->} for user %{username}", processor_chain([ - dup117, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1053 = msg("00539:02", part1653); - - var part1654 = match("MESSAGE#1041:00539:03", "nwparser.payload", "Dialup HDLC PPP failed to establish a session: %{fld2}.", processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1054 = msg("00539:03", part1654); - - var part1655 = match("MESSAGE#1042:00539:04", "nwparser.payload", "Dialup HDLC PPP session has successfully established.%{}", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1055 = msg("00539:04", part1655); - - var part1656 = match("MESSAGE#1043:00539:05", "nwparser.payload", "No IP Pool has been assigned. 
You cannot allocate an IP address%{}", processor_chain([ - dup18, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1056 = msg("00539:05", part1656); - - var part1657 = match("MESSAGE#1044:00539:06", "nwparser.payload", "PPP settings changed.%{}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1057 = msg("00539:06", part1657); - - var select373 = linear_select([ - msg1051, - msg1052, - msg1053, - msg1054, - msg1055, - msg1056, - msg1057, - ]); - - var part1658 = match("MESSAGE#1045:00541", "nwparser.payload", "ScreenOS %{fld2->} serial # %{serial_number}: Asset recovery has been %{disposition}", processor_chain([ - dup324, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1058 = msg("00541", part1658); - - var part1659 = match("MESSAGE#1216:00541:01", "nwparser.payload", "Neighbor router ID - %{fld2->} IP address - %{hostip->} changed its state to %{change_new}. (%{fld1})", processor_chain([ - dup273, - dup9, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1059 = msg("00541:01", part1659); - - var part1660 = match("MESSAGE#1218:00541:02", "nwparser.payload", "The system killed OSPF neighbor because the current router could not see itself in the hello packet. Neighbor changed state from %{change_old->} to %{change_new->} state, (neighbor router-id 1%{fld2}, ip-address %{hostip}). (%{fld1})", processor_chain([ - dup273, - dup9, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1060 = msg("00541:02", part1660); - - var part1661 = match("MESSAGE#1219:00541:03/0", "nwparser.payload", "LSA in following area aged out: LSA area ID %{fld3}, LSA ID %{fld4}, router ID %{fld2}, type %{fld7->} in OSPF. 
(%{fld1})%{p0}"); - - var part1662 = match("MESSAGE#1219:00541:03/1_0", "nwparser.p0", "\u003c\u003c%{fld16}>"); - - var select374 = linear_select([ - part1662, - dup21, - ]); - - var all346 = all_match({ - processors: [ - part1661, - select374, - ], - on_success: processor_chain([ - dup44, - dup9, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg1061 = msg("00541:03", all346); - - var select375 = linear_select([ - msg1058, - msg1059, - msg1060, - msg1061, - ]); - - var part1663 = match("MESSAGE#1046:00542", "nwparser.payload", "BGP of vr: %{node}, prefix adding: %{fld2}, ribin overflow %{fld3->} times (max rib-in %{fld4})", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1062 = msg("00542", part1663); - - var part1664 = match("MESSAGE#1047:00543/0", "nwparser.payload", "Access for %{p0}"); - - var part1665 = match("MESSAGE#1047:00543/1_0", "nwparser.p0", "WebAuth firewall %{p0}"); - - var part1666 = match("MESSAGE#1047:00543/1_1", "nwparser.p0", "firewall %{p0}"); - - var select376 = linear_select([ - part1665, - part1666, - ]); - - var part1667 = match("MESSAGE#1047:00543/2", "nwparser.p0", "user %{username->} %{space}at %{hostip->} (accepted at %{fld2->} for duration %{duration->} via the %{logon_type}) %{p0}"); - - var part1668 = match("MESSAGE#1047:00543/3_0", "nwparser.p0", "by policy id %{policy_id->} is %{p0}"); - - var select377 = linear_select([ - part1668, - dup106, - ]); - - var part1669 = match("MESSAGE#1047:00543/4", "nwparser.p0", "now over (%{fld1})"); - - var all347 = all_match({ - processors: [ - part1664, - select376, - part1667, - select377, - part1669, - ], - on_success: processor_chain([ - dup281, - dup2, - dup4, - dup5, - dup9, - dup3, - ]), - }); - - var msg1063 = msg("00543", all347); - - var part1670 = match("MESSAGE#1048:00544", "nwparser.payload", "User %{username->} [ of group %{group->} ] at %{hostip->} has been challenged by the RADIUS server at %{daddr}", processor_chain([ - dup281, - dup2, - dup4, - 
dup5, - dup3, - dup60, - setc("action","RADIUS server challenge"), - ])); - - var msg1064 = msg("00544", part1670); - - var part1671 = match("MESSAGE#1049:00546", "nwparser.payload", "delete-route-> trust-vr: %{fld2}", processor_chain([ - dup281, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1065 = msg("00546", part1671); - - var part1672 = match("MESSAGE#1050:00547", "nwparser.payload", "AV: Content from %{saddr}:%{sport}->%{daddr}:%{dport->} was not scanned because max content size was exceeded.", processor_chain([ - dup44, - dup2, - dup4, - dup5, - dup3, - dup61, - ])); - - var msg1066 = msg("00547", part1672); - - var part1673 = match("MESSAGE#1051:00547:01", "nwparser.payload", "AV: Content from %{saddr}:%{sport}->%{daddr}:%{dport->} was not scanned due to a scan engine error or constraint.", processor_chain([ - dup44, - dup2, - dup4, - dup5, - dup3, - dup61, - ])); - - var msg1067 = msg("00547:01", part1673); - - var part1674 = match("MESSAGE#1052:00547:02", "nwparser.payload", "AV object scan-mgr data has been %{disposition}.", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1068 = msg("00547:02", part1674); - - var part1675 = match("MESSAGE#1053:00547:03/0", "nwparser.payload", "AV: Content from %{location_desc}, http url: %{url}, is passed %{p0}"); - - var part1676 = match("MESSAGE#1053:00547:03/1_0", "nwparser.p0", "due to %{p0}"); - - var part1677 = match("MESSAGE#1053:00547:03/1_1", "nwparser.p0", "because %{p0}"); - - var select378 = linear_select([ - part1676, - part1677, - ]); - - var part1678 = match("MESSAGE#1053:00547:03/2", "nwparser.p0", "%{result}. 
(%{event_time_string})"); - - var all348 = all_match({ - processors: [ - part1675, - select378, - part1678, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - setc("event_description","Content is bypassed for connection"), - ]), - }); - - var msg1069 = msg("00547:03", all348); - - var select379 = linear_select([ - msg1066, - msg1067, - msg1068, - msg1069, - ]); - - var part1679 = match("MESSAGE#1054:00549", "nwparser.payload", "add-route-> untrust-vr: %{fld2}", processor_chain([ - dup281, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1070 = msg("00549", part1679); - - var part1680 = match("MESSAGE#1055:00551", "nwparser.payload", "Error %{resultcode->} occurred during configlet file processing.", processor_chain([ - dup18, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1071 = msg("00551", part1680); - - var part1681 = match("MESSAGE#1056:00551:01", "nwparser.payload", "Error %{resultcode->} occurred, causing failure to establish secure management with Management System.", processor_chain([ - dup86, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1072 = msg("00551:01", part1681); - - var part1682 = match("MESSAGE#1057:00551:02/0", "nwparser.payload", "Configlet file %{p0}"); - - var part1683 = match("MESSAGE#1057:00551:02/1_0", "nwparser.p0", "decryption %{p0}"); - - var select380 = linear_select([ - part1683, - dup89, - ]); - - var all349 = all_match({ - processors: [ - part1682, - select380, - dup128, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg1073 = msg("00551:02", all349); - - var part1684 = match("MESSAGE#1058:00551:03", "nwparser.payload", "Rapid Deployment cannot start because gateway has undergone configuration changes. 
(%{fld1})", processor_chain([ - dup18, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg1074 = msg("00551:03", part1684); - - var part1685 = match("MESSAGE#1059:00551:04", "nwparser.payload", "Secure management established successfully with remote server. (%{fld1})", processor_chain([ - dup44, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg1075 = msg("00551:04", part1685); - - var select381 = linear_select([ - msg1071, - msg1072, - msg1073, - msg1074, - msg1075, - ]); - - var part1686 = match("MESSAGE#1060:00553/0", "nwparser.payload", "SCAN-MGR: Failed to get %{p0}"); - - var part1687 = match("MESSAGE#1060:00553/1_0", "nwparser.p0", "AltServer %{p0}"); - - var part1688 = match("MESSAGE#1060:00553/1_1", "nwparser.p0", "Version %{p0}"); - - var part1689 = match("MESSAGE#1060:00553/1_2", "nwparser.p0", "Path_GateLockCE %{p0}"); - - var select382 = linear_select([ - part1687, - part1688, - part1689, - ]); - - var all350 = all_match({ - processors: [ - part1686, - select382, - dup325, - ], - on_success: processor_chain([ - dup18, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg1076 = msg("00553", all350); - - var part1690 = match("MESSAGE#1061:00553:01", "nwparser.payload", "SCAN-MGR: Zero pattern size from server.ini.%{}", processor_chain([ - dup18, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1077 = msg("00553:01", part1690); - - var part1691 = match("MESSAGE#1062:00553:02", "nwparser.payload", "SCAN-MGR: Pattern size from server.ini is too large: %{bytes->} (bytes).", processor_chain([ - dup18, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1078 = msg("00553:02", part1691); - - var part1692 = match("MESSAGE#1063:00553:03", "nwparser.payload", "SCAN-MGR: Pattern URL from server.ini is too long: %{fld2}; max is %{fld3}.", processor_chain([ - dup18, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1079 = msg("00553:03", part1692); - - var part1693 = match("MESSAGE#1064:00553:04/0", "nwparser.payload", "SCAN-MGR: Failed to retrieve 
%{p0}"); - - var select383 = linear_select([ - dup326, - dup327, - ]); - - var part1694 = match("MESSAGE#1064:00553:04/2", "nwparser.p0", "file: %{fld2}; http status code: %{resultcode}."); - - var all351 = all_match({ - processors: [ - part1693, - select383, - part1694, - ], - on_success: processor_chain([ - dup18, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg1080 = msg("00553:04", all351); - - var part1695 = match("MESSAGE#1065:00553:05", "nwparser.payload", "SCAN-MGR: Failed to write pattern into a RAM file.%{}", processor_chain([ - dup18, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1081 = msg("00553:05", part1695); - - var part1696 = match("MESSAGE#1066:00553:06", "nwparser.payload", "SCAN-MGR: Check Pattern File failed: code from VSAPI: %{resultcode}", processor_chain([ - dup18, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1082 = msg("00553:06", part1696); - - var part1697 = match("MESSAGE#1067:00553:07", "nwparser.payload", "SCAN-MGR: Failed to write pattern into flash.%{}", processor_chain([ - dup18, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1083 = msg("00553:07", part1697); - - var part1698 = match("MESSAGE#1068:00553:08/0", "nwparser.payload", "SCAN-MGR: Internal error while setting up for retrieving %{p0}"); - - var select384 = linear_select([ - dup327, - dup326, - ]); - - var all352 = all_match({ - processors: [ - part1698, - select384, - dup328, - ], - on_success: processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg1084 = msg("00553:08", all352); - - var part1699 = match("MESSAGE#1069:00553:09", "nwparser.payload", "SCAN-MGR: %{fld2->} %{disposition}: Err: %{resultcode}.", processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1085 = msg("00553:09", part1699); - - var part1700 = match("MESSAGE#1070:00553:10", "nwparser.payload", "SCAN-MGR: TMIntCPVSInit %{disposition->} due to %{result}", processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1086 = 
msg("00553:10", part1700); - - var part1701 = match("MESSAGE#1071:00553:11", "nwparser.payload", "SCAN-MGR: Attempted Pattern Creation Date(%{fld2}) is after AV Key Expiration date(%{fld3}).", processor_chain([ - dup18, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1087 = msg("00553:11", part1701); - - var part1702 = match("MESSAGE#1072:00553:12", "nwparser.payload", "SCAN-MGR: TMIntSetDecompressLayer %{disposition}: Layer: %{fld2}, Err: %{resultcode}.", processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1088 = msg("00553:12", part1702); - - var part1703 = match("MESSAGE#1073:00553:13", "nwparser.payload", "SCAN-MGR: TMIntSetExtractFileSizeLimit %{disposition}: Limit: %{fld2}, Err: %{resultcode}.", processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1089 = msg("00553:13", part1703); - - var part1704 = match("MESSAGE#1074:00553:14", "nwparser.payload", "SCAN-MGR: TMIntScanFile %{disposition}: ret: %{fld2}; cpapiErrCode: %{resultcode}.", processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1090 = msg("00553:14", part1704); - - var part1705 = match("MESSAGE#1075:00553:15", "nwparser.payload", "SCAN-MGR: VSAPI resource usage error. 
Left usage: %{fld2}.", processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1091 = msg("00553:15", part1705); - - var part1706 = match("MESSAGE#1076:00553:16", "nwparser.payload", "SCAN-MGR: Set decompress layer to %{fld2}.", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1092 = msg("00553:16", part1706); - - var part1707 = match("MESSAGE#1077:00553:17", "nwparser.payload", "SCAN-MGR: Set maximum content size to %{fld2}.", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1093 = msg("00553:17", part1707); - - var part1708 = match("MESSAGE#1078:00553:18", "nwparser.payload", "SCAN-MGR: Set maximum number of concurrent messages to %{fld2}.", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1094 = msg("00553:18", part1708); - - var part1709 = match("MESSAGE#1079:00553:19", "nwparser.payload", "SCAN-MGR: Set drop if maximum number of concurrent messages exceeds max to %{fld2}.", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1095 = msg("00553:19", part1709); - - var part1710 = match("MESSAGE#1080:00553:20", "nwparser.payload", "SCAN-MGR: Set Pattern URL to %{fld2}; update interval is %{fld3}.", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1096 = msg("00553:20", part1710); - - var part1711 = match("MESSAGE#1081:00553:21", "nwparser.payload", "SCAN-MGR: Unset Pattern URL; Pattern will not be updated automatically.%{}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1097 = msg("00553:21", part1711); - - var part1712 = match("MESSAGE#1082:00553:22", "nwparser.payload", "SCAN-MGR: New pattern updated: version: %{version}, size: %{bytes->} (bytes).", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1098 = msg("00553:22", part1712); - - var select385 = linear_select([ - msg1076, - msg1077, - msg1078, - msg1079, - msg1080, - msg1081, - msg1082, - msg1083, - 
msg1084, - msg1085, - msg1086, - msg1087, - msg1088, - msg1089, - msg1090, - msg1091, - msg1092, - msg1093, - msg1094, - msg1095, - msg1096, - msg1097, - msg1098, - ]); - - var part1713 = match("MESSAGE#1083:00554/0", "nwparser.payload", "SCAN-MGR: Cannot get %{p0}"); - - var part1714 = match("MESSAGE#1083:00554/1_0", "nwparser.p0", "AltServer info %{p0}"); - - var part1715 = match("MESSAGE#1083:00554/1_1", "nwparser.p0", "Version number %{p0}"); - - var part1716 = match("MESSAGE#1083:00554/1_2", "nwparser.p0", "Path_GateLockCE info %{p0}"); - - var select386 = linear_select([ - part1714, - part1715, - part1716, - ]); - - var all353 = all_match({ - processors: [ - part1713, - select386, - dup325, - ], - on_success: processor_chain([ - dup144, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg1099 = msg("00554", all353); - - var part1717 = match("MESSAGE#1084:00554:01", "nwparser.payload", "SCAN-MGR: Per server.ini file, the AV pattern file size is zero.%{}", processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1100 = msg("00554:01", part1717); - - var part1718 = match("MESSAGE#1085:00554:02", "nwparser.payload", "SCAN-MGR: AV pattern file size is too large (%{bytes->} bytes).", processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1101 = msg("00554:02", part1718); - - var part1719 = match("MESSAGE#1086:00554:03", "nwparser.payload", "SCAN-MGR: Alternate AV pattern file server URL is too long: %{bytes->} bytes. Max: %{fld2->} bytes.", processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1102 = msg("00554:03", part1719); - - var part1720 = match("MESSAGE#1087:00554:04/0", "nwparser.payload", "SCAN-MGR: Cannot retrieve %{p0}"); - - var part1721 = match("MESSAGE#1087:00554:04/2", "nwparser.p0", "file from %{hostip}:%{network_port}. 
HTTP status code: %{fld2}."); - - var all354 = all_match({ - processors: [ - part1720, - dup405, - part1721, - ], - on_success: processor_chain([ - dup144, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg1103 = msg("00554:04", all354); - - var part1722 = match("MESSAGE#1088:00554:05/0", "nwparser.payload", "SCAN-MGR: Cannot write AV pattern file to %{p0}"); - - var part1723 = match("MESSAGE#1088:00554:05/1_0", "nwparser.p0", "RAM %{p0}"); - - var part1724 = match("MESSAGE#1088:00554:05/1_1", "nwparser.p0", "flash %{p0}"); - - var select387 = linear_select([ - part1723, - part1724, - ]); - - var all355 = all_match({ - processors: [ - part1722, - select387, - dup116, - ], - on_success: processor_chain([ - dup144, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg1104 = msg("00554:05", all355); - - var part1725 = match("MESSAGE#1089:00554:06", "nwparser.payload", "SCAN-MGR: Cannot check AV pattern file. VSAPI code: %{fld2}", processor_chain([ - dup144, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1105 = msg("00554:06", part1725); - - var part1726 = match("MESSAGE#1090:00554:07/0", "nwparser.payload", "SCAN-MGR: Internal error occurred while retrieving %{p0}"); - - var all356 = all_match({ - processors: [ - part1726, - dup405, - dup328, - ], - on_success: processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg1106 = msg("00554:07", all356); - - var part1727 = match("MESSAGE#1091:00554:08/0", "nwparser.payload", "SCAN-MGR: Internal error occurred when calling this function: %{fld2}. 
%{fld3->} %{p0}"); - - var part1728 = match("MESSAGE#1091:00554:08/1_0", "nwparser.p0", "Error: %{resultcode->} %{p0}"); - - var part1729 = match("MESSAGE#1091:00554:08/1_1", "nwparser.p0", "Returned a NULL VSC handler %{p0}"); - - var part1730 = match("MESSAGE#1091:00554:08/1_2", "nwparser.p0", "cpapiErrCode: %{resultcode->} %{p0}"); - - var select388 = linear_select([ - part1728, - part1729, - part1730, - ]); - - var all357 = all_match({ - processors: [ - part1727, - select388, - dup116, - ], - on_success: processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg1107 = msg("00554:08", all357); - - var part1731 = match("MESSAGE#1092:00554:09", "nwparser.payload", "SCAN-MGR: Number of decompression layers has been set to %{fld2}.", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1108 = msg("00554:09", part1731); - - var part1732 = match("MESSAGE#1093:00554:10", "nwparser.payload", "SCAN-MGR: Maximum content size has been set to %{fld2->} KB.", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1109 = msg("00554:10", part1732); - - var part1733 = match("MESSAGE#1094:00554:11", "nwparser.payload", "SCAN-MGR: Maximum number of concurrent messages has been set to %{fld2}.", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1110 = msg("00554:11", part1733); - - var part1734 = match("MESSAGE#1095:00554:12/0", "nwparser.payload", "SCAN-MGR: Fail mode has been set to %{p0}"); - - var part1735 = match("MESSAGE#1095:00554:12/1_0", "nwparser.p0", "drop %{p0}"); - - var part1736 = match("MESSAGE#1095:00554:12/1_1", "nwparser.p0", "pass %{p0}"); - - var select389 = linear_select([ - part1735, - part1736, - ]); - - var part1737 = match("MESSAGE#1095:00554:12/2", "nwparser.p0", "unexamined traffic if %{p0}"); - - var part1738 = match("MESSAGE#1095:00554:12/3_0", "nwparser.p0", "content size %{p0}"); - - var part1739 = match("MESSAGE#1095:00554:12/3_1", "nwparser.p0", "number of 
concurrent messages %{p0}"); - - var select390 = linear_select([ - part1738, - part1739, - ]); - - var part1740 = match("MESSAGE#1095:00554:12/4", "nwparser.p0", "exceeds max.%{}"); - - var all358 = all_match({ - processors: [ - part1734, - select389, - part1737, - select390, - part1740, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg1111 = msg("00554:12", all358); - - var part1741 = match("MESSAGE#1096:00554:13", "nwparser.payload", "SCAN-MGR: URL for AV pattern update server has been set to %{fld2}, and the update interval to %{fld3->} minutes.", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1112 = msg("00554:13", part1741); - - var part1742 = match("MESSAGE#1097:00554:14", "nwparser.payload", "SCAN-MGR: URL for AV pattern update server has been unset, and the update interval returned to its default.%{}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1113 = msg("00554:14", part1742); - - var part1743 = match("MESSAGE#1098:00554:15", "nwparser.payload", "SCAN-MGR: New AV pattern file has been updated. Version: %{version}; size: %{bytes->} bytes.", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1114 = msg("00554:15", part1743); - - var part1744 = match("MESSAGE#1099:00554:16", "nwparser.payload", "SCAN-MGR: AV client has exceeded its resource allotment. Remaining available resources: %{fld2}.", processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1115 = msg("00554:16", part1744); - - var part1745 = match("MESSAGE#1100:00554:17", "nwparser.payload", "SCAN-MGR: Attempted to load AV pattern file created %{fld2->} after the AV subscription expired. 
(Exp: %{fld3})", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1116 = msg("00554:17", part1745); - - var select391 = linear_select([ - msg1099, - msg1100, - msg1101, - msg1102, - msg1103, - msg1104, - msg1105, - msg1106, - msg1107, - msg1108, - msg1109, - msg1110, - msg1111, - msg1112, - msg1113, - msg1114, - msg1115, - msg1116, - ]); - - var part1746 = match("MESSAGE#1101:00555", "nwparser.payload", "Vrouter %{node->} PIMSM cannot process non-multicast address %{hostip}", processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1117 = msg("00555", part1746); - - var part1747 = match("MESSAGE#1102:00556", "nwparser.payload", "UF-MGR: Failed to process a request. Reason: %{result}", processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1118 = msg("00556", part1747); - - var part1748 = match("MESSAGE#1103:00556:01", "nwparser.payload", "UF-MGR: Failed to abort a transaction. Reason: %{result}", processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1119 = msg("00556:01", part1748); - - var part1749 = match("MESSAGE#1104:00556:02/0", "nwparser.payload", "UF-MGR: UF %{p0}"); - - var part1750 = match("MESSAGE#1104:00556:02/1_0", "nwparser.p0", "K%{p0}"); - - var part1751 = match("MESSAGE#1104:00556:02/1_1", "nwparser.p0", "k%{p0}"); - - var select392 = linear_select([ - part1750, - part1751, - ]); - - var part1752 = match("MESSAGE#1104:00556:02/2", "nwparser.p0", "ey %{p0}"); - - var part1753 = match("MESSAGE#1104:00556:02/3_0", "nwparser.p0", "Expired%{p0}"); - - var part1754 = match("MESSAGE#1104:00556:02/3_1", "nwparser.p0", "expired%{p0}"); - - var select393 = linear_select([ - part1753, - part1754, - ]); - - var part1755 = match("MESSAGE#1104:00556:02/4", "nwparser.p0", "%{}(expiration date: %{fld2}; current date: %{fld3})."); - - var all359 = all_match({ - processors: [ - part1749, - select392, - part1752, - select393, - part1755, - ], - on_success: processor_chain([ - 
dup254, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg1120 = msg("00556:02", all359); - - var part1756 = match("MESSAGE#1105:00556:03/0", "nwparser.payload", "UF-MGR: Failed to %{p0}"); - - var part1757 = match("MESSAGE#1105:00556:03/1_0", "nwparser.p0", "enable %{p0}"); - - var part1758 = match("MESSAGE#1105:00556:03/1_1", "nwparser.p0", "disable %{p0}"); - - var select394 = linear_select([ - part1757, - part1758, - ]); - - var part1759 = match("MESSAGE#1105:00556:03/2", "nwparser.p0", "cache.%{}"); - - var all360 = all_match({ - processors: [ - part1756, - select394, - part1759, - ], - on_success: processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg1121 = msg("00556:03", all360); - - var part1760 = match("MESSAGE#1106:00556:04", "nwparser.payload", "UF-MGR: Internal Error: %{resultcode}", processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1122 = msg("00556:04", part1760); - - var part1761 = match("MESSAGE#1107:00556:05", "nwparser.payload", "UF-MGR: Cache size changed to %{fld2}(K).", processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1123 = msg("00556:05", part1761); - - var part1762 = match("MESSAGE#1108:00556:06", "nwparser.payload", "UF-MGR: Cache timeout changes to %{fld2->} (hours).", processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1124 = msg("00556:06", part1762); - - var part1763 = match("MESSAGE#1109:00556:07", "nwparser.payload", "UF-MGR: Category update interval changed to %{fld2->} (weeks).", processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1125 = msg("00556:07", part1763); - - var part1764 = match("MESSAGE#1110:00556:08/0", "nwparser.payload", "UF-MGR: Cache %{p0}"); - - var all361 = all_match({ - processors: [ - part1764, - dup358, - dup116, - ], - on_success: processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg1126 = msg("00556:08", all361); - - var part1765 = 
match("MESSAGE#1111:00556:09", "nwparser.payload", "UF-MGR: URL BLOCKED: ip_addr (%{fld2}) -> ip_addr (%{fld3}), %{fld4->} action: %{disposition}, category: %{fld5}, reason %{result}", processor_chain([ - dup232, - dup2, - dup3, - dup4, - dup5, - dup282, - ])); - - var msg1127 = msg("00556:09", part1765); - - var part1766 = match("MESSAGE#1112:00556:10", "nwparser.payload", "UF-MGR: URL FILTER ERR: ip_addr (%{fld2}) -> ip_addr (%{fld3}), host: %{fld5->} page: %{fld4->} code: %{resultcode->} reason: %{result}.", processor_chain([ - dup232, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1128 = msg("00556:10", part1766); - - var part1767 = match("MESSAGE#1113:00556:11", "nwparser.payload", "UF-MGR: Primary CPA server changed to %{fld2}", processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1129 = msg("00556:11", part1767); - - var part1768 = match("MESSAGE#1114:00556:12/0", "nwparser.payload", "UF-MGR: %{fld2->} CPA server %{p0}"); - - var select395 = linear_select([ - dup140, - dup169, - ]); - - var part1769 = match("MESSAGE#1114:00556:12/2", "nwparser.p0", "changed to %{fld3}."); - - var all362 = all_match({ - processors: [ - part1768, - select395, - part1769, - ], - on_success: processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg1130 = msg("00556:12", all362); - - var part1770 = match("MESSAGE#1115:00556:13", "nwparser.payload", "UF-MGR: SurfControl URL filtering %{disposition}.", processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1131 = msg("00556:13", part1770); - - var part1771 = match("MESSAGE#1116:00556:14/0", "nwparser.payload", "UF-MGR: The url %{url->} was %{p0}"); - - var part1772 = match("MESSAGE#1116:00556:14/2", "nwparser.p0", "category %{fld2}."); - - var all363 = all_match({ - processors: [ - part1771, - dup406, - part1772, - ], - on_success: processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg1132 = msg("00556:14", all363); - - var 
part1773 = match("MESSAGE#1117:00556:15/0", "nwparser.payload", "UF-MGR: The category %{fld2->} was %{p0}"); - - var part1774 = match("MESSAGE#1117:00556:15/2", "nwparser.p0", "profile %{fld3->} with action %{disposition}."); - - var all364 = all_match({ - processors: [ - part1773, - dup406, - part1774, - ], - on_success: processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - dup282, - ]), - }); - - var msg1133 = msg("00556:15", all364); - - var part1775 = match("MESSAGE#1118:00556:16/0", "nwparser.payload", "UF-MGR: The %{p0}"); - - var part1776 = match("MESSAGE#1118:00556:16/1_0", "nwparser.p0", "profile %{p0}"); - - var part1777 = match("MESSAGE#1118:00556:16/1_1", "nwparser.p0", "category %{p0}"); - - var select396 = linear_select([ - part1776, - part1777, - ]); - - var part1778 = match("MESSAGE#1118:00556:16/2", "nwparser.p0", "%{fld2->} was %{p0}"); - - var select397 = linear_select([ - dup104, - dup120, - ]); - - var all365 = all_match({ - processors: [ - part1775, - select396, - part1778, - select397, - dup116, - ], - on_success: processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg1134 = msg("00556:16", all365); - - var part1779 = match("MESSAGE#1119:00556:17/0", "nwparser.payload", "UF-MGR: The category %{fld2->} was set in profile %{profile->} as the %{p0}"); - - var part1780 = match("MESSAGE#1119:00556:17/1_0", "nwparser.p0", "black %{p0}"); - - var part1781 = match("MESSAGE#1119:00556:17/1_1", "nwparser.p0", "white %{p0}"); - - var select398 = linear_select([ - part1780, - part1781, - ]); - - var part1782 = match("MESSAGE#1119:00556:17/2", "nwparser.p0", "list.%{}"); - - var all366 = all_match({ - processors: [ - part1779, - select398, - part1782, - ], - on_success: processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg1135 = msg("00556:17", all366); - - var part1783 = match("MESSAGE#1120:00556:18/0", "nwparser.payload", "UF-MGR: The action for %{fld2->} in profile %{profile->} was %{p0}"); 
- - var part1784 = match("MESSAGE#1120:00556:18/1_1", "nwparser.p0", "changed %{p0}"); - - var select399 = linear_select([ - dup101, - part1784, - ]); - - var part1785 = match("MESSAGE#1120:00556:18/2", "nwparser.p0", "to %{fld3}."); - - var all367 = all_match({ - processors: [ - part1783, - select399, - part1785, - ], - on_success: processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg1136 = msg("00556:18", all367); - - var part1786 = match("MESSAGE#1121:00556:20/0", "nwparser.payload", "UF-MGR: The category list from the CPA server %{p0}"); - - var part1787 = match("MESSAGE#1121:00556:20/2", "nwparser.p0", "updated on%{p0}"); - - var select400 = linear_select([ - dup103, - dup96, - ]); - - var part1788 = match("MESSAGE#1121:00556:20/4", "nwparser.p0", "the device.%{}"); - - var all368 = all_match({ - processors: [ - part1786, - dup355, - part1787, - select400, - part1788, - ], - on_success: processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg1137 = msg("00556:20", all368); - - var part1789 = match("MESSAGE#1122:00556:21", "nwparser.payload", "UF-MGR: URL BLOCKED: %{saddr}(%{sport})->%{daddr}(%{dport}), %{fld2->} action: %{disposition}, category: %{category}, reason: %{result->} (%{fld1})", processor_chain([ - dup232, - dup2, - dup3, - dup9, - dup4, - dup5, - dup282, - ])); - - var msg1138 = msg("00556:21", part1789); - - var part1790 = match("MESSAGE#1123:00556:22", "nwparser.payload", "UF-MGR: URL BLOCKED: %{saddr}(%{sport})->%{daddr}(%{dport}), %{fld2->} (%{fld1})", processor_chain([ - dup232, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg1139 = msg("00556:22", part1790); - - var select401 = linear_select([ - msg1118, - msg1119, - msg1120, - msg1121, - msg1122, - msg1123, - msg1124, - msg1125, - msg1126, - msg1127, - msg1128, - msg1129, - msg1130, - msg1131, - msg1132, - msg1133, - msg1134, - msg1135, - msg1136, - msg1137, - msg1138, - msg1139, - ]); - - var part1791 = 
match("MESSAGE#1124:00572", "nwparser.payload", "PPP LCP on interface %{interface->} is %{fld2}. (%{fld1})", processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg1140 = msg("00572", part1791); - - var part1792 = match("MESSAGE#1125:00572:01", "nwparser.payload", "PPP authentication state on interface %{interface}: %{result}. (%{fld1})", processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg1141 = msg("00572:01", part1792); - - var part1793 = match("MESSAGE#1126:00572:03", "nwparser.payload", "PPP on interface %{interface->} is %{disposition->} by receiving Terminate-Request. (%{fld1})", processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg1142 = msg("00572:03", part1793); - - var select402 = linear_select([ - msg1140, - msg1141, - msg1142, - ]); - - var part1794 = match("MESSAGE#1127:00615", "nwparser.payload", "PBR policy \"%{policyname}\" rebuilding lookup tree for virtual router \"%{node}\". (%{fld1})", processor_chain([ - dup44, - dup2, - dup4, - dup5, - dup9, - ])); - - var msg1143 = msg("00615", part1794); - - var part1795 = match("MESSAGE#1128:00615:01", "nwparser.payload", "PBR policy \"%{policyname}\" lookup tree rebuilt successfully in virtual router \"%{node}\". (%{fld1})", processor_chain([ - dup44, - dup2, - dup4, - dup5, - dup9, - ])); - - var msg1144 = msg("00615:01", part1795); - - var select403 = linear_select([ - msg1143, - msg1144, - ]); - - var part1796 = match("MESSAGE#1129:00601", "nwparser.payload", "%{signame->} attack! From %{saddr}:%{sport->} to %{daddr}:%{dport}, proto %{protocol}, through policy %{policyname}. Occurred %{dclass_counter1->} times. 
(%{fld1})", processor_chain([ - dup58, - dup2, - dup59, - dup3, - dup9, - dup4, - dup5, - dup61, - ])); - - var msg1145 = msg("00601", part1796); - - var part1797 = match("MESSAGE#1130:00601:01", "nwparser.payload", "%{signame->} has been detected from %{saddr}/%{sport->} to %{daddr}/%{dport->} through policy %{policyname->} %{dclass_counter1->} times. (%{fld1})", processor_chain([ - dup58, - dup2, - dup59, - dup3, - dup9, - dup4, - dup5, - dup61, - ])); - - var msg1146 = msg("00601:01", part1797); - - var part1798 = match("MESSAGE#1131:00601:18", "nwparser.payload", "Error in initializing multicast.%{}", processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1147 = msg("00601:18", part1798); - - var select404 = linear_select([ - msg1145, - msg1146, - msg1147, - ]); - - var part1799 = match("MESSAGE#1132:00602", "nwparser.payload", "PIMSM Error in initializing interface state change%{}", processor_chain([ - dup19, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1148 = msg("00602", part1799); - - var part1800 = match("MESSAGE#1133:00612/0", "nwparser.payload", "Switch event: the status of ethernet port %{fld2->} changed to link %{p0}"); - - var part1801 = match("MESSAGE#1133:00612/2", "nwparser.p0", ", duplex %{p0}"); - - var part1802 = match("MESSAGE#1133:00612/3_0", "nwparser.p0", "full %{p0}"); - - var part1803 = match("MESSAGE#1133:00612/3_1", "nwparser.p0", "half %{p0}"); - - var select405 = linear_select([ - part1802, - part1803, - ]); - - var part1804 = match("MESSAGE#1133:00612/4", "nwparser.p0", ", speed 10%{p0}"); - - var part1805 = match("MESSAGE#1133:00612/5_0", "nwparser.p0", "0 %{p0}"); - - var select406 = linear_select([ - part1805, - dup96, - ]); - - var part1806 = match("MESSAGE#1133:00612/6", "nwparser.p0", "M. 
(%{fld1})"); - - var all369 = all_match({ - processors: [ - part1800, - dup353, - part1801, - select405, - part1804, - select406, - part1806, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg1149 = msg("00612", all369); - - var part1807 = match("MESSAGE#1134:00620", "nwparser.payload", "RTSYNC: Event posted to send all the DRP routes to backup device. (%{fld1})", processor_chain([ - dup272, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg1150 = msg("00620", part1807); - - var part1808 = match("MESSAGE#1135:00620:01/0", "nwparser.payload", "RTSYNC: %{p0}"); - - var part1809 = match("MESSAGE#1135:00620:01/1_0", "nwparser.p0", "Serviced%{p0}"); - - var part1810 = match("MESSAGE#1135:00620:01/1_1", "nwparser.p0", "Recieved%{p0}"); - - var select407 = linear_select([ - part1809, - part1810, - ]); - - var part1811 = match("MESSAGE#1135:00620:01/2", "nwparser.p0", "%{}coldstart request for route synchronization from NSRP peer. (%{fld1})"); - - var all370 = all_match({ - processors: [ - part1808, - select407, - part1811, - ], - on_success: processor_chain([ - dup272, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg1151 = msg("00620:01", all370); - - var part1812 = match("MESSAGE#1136:00620:02", "nwparser.payload", "RTSYNC: Started timer to purge all the DRP backup routes - %{fld2->} (%{fld1})", processor_chain([ - dup272, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg1152 = msg("00620:02", part1812); - - var part1813 = match("MESSAGE#1137:00620:03", "nwparser.payload", "RTSYNC: Event posted to purge backup routes in all vrouters. (%{fld1})", processor_chain([ - dup272, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg1153 = msg("00620:03", part1813); - - var part1814 = match("MESSAGE#1138:00620:04", "nwparser.payload", "RTSYNC: Timer to purge the DRP backup routes is stopped. 
(%{fld1})", processor_chain([ - dup272, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg1154 = msg("00620:04", part1814); - - var select408 = linear_select([ - msg1150, - msg1151, - msg1152, - msg1153, - msg1154, - ]); - - var part1815 = match("MESSAGE#1139:00622", "nwparser.payload", "NHRP : NHRP instance in virtual router %{node->} is created. (%{fld1})", processor_chain([ - dup273, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg1155 = msg("00622", part1815); - - var part1816 = match("MESSAGE#1140:00625/0", "nwparser.payload", "Session (id %{sessionid->} src-ip %{saddr->} dst-ip %{daddr->} dst port %{dport}) route is %{p0}"); - - var part1817 = match("MESSAGE#1140:00625/1_0", "nwparser.p0", "invalid%{p0}"); - - var part1818 = match("MESSAGE#1140:00625/1_1", "nwparser.p0", "valid%{p0}"); - - var select409 = linear_select([ - part1817, - part1818, - ]); - - var all371 = all_match({ - processors: [ - part1816, - select409, - dup49, - ], - on_success: processor_chain([ - dup273, - dup2, - dup4, - dup5, - dup9, - ]), - }); - - var msg1156 = msg("00625", all371); - - var part1819 = match("MESSAGE#1141:00628/0", "nwparser.payload", "audit log queue %{p0}"); - - var part1820 = match("MESSAGE#1141:00628/1_0", "nwparser.p0", "Traffic Log %{p0}"); - - var part1821 = match("MESSAGE#1141:00628/1_1", "nwparser.p0", "Event Alarm Log %{p0}"); - - var part1822 = match("MESSAGE#1141:00628/1_2", "nwparser.p0", "Event Log %{p0}"); - - var select410 = linear_select([ - part1820, - part1821, - part1822, - ]); - - var part1823 = match("MESSAGE#1141:00628/2", "nwparser.p0", "is overwritten (%{fld1})"); - - var all372 = all_match({ - processors: [ - part1819, - select410, - part1823, - ], - on_success: processor_chain([ - dup223, - dup2, - dup4, - dup5, - dup9, - ]), - }); - - var msg1157 = msg("00628", all372); - - var part1824 = match("MESSAGE#1142:00767:50", "nwparser.payload", "Log setting was modified to %{disposition->} %{fld2->} level by admin 
%{administrator->} (%{fld1})", processor_chain([ - dup1, - dup2, - dup4, - dup5, - dup9, - dup282, - ])); - - var msg1158 = msg("00767:50", part1824); - - var part1825 = match("MESSAGE#1143:00767:51", "nwparser.payload", "Attack CS:Man in Middle is created by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport->} by admin %{administrator->} (%{fld1})", processor_chain([ - dup58, - dup2, - dup4, - dup5, - dup9, - ])); - - var msg1159 = msg("00767:51", part1825); - - var part1826 = match("MESSAGE#1144:00767:52", "nwparser.payload", "Attack group %{group->} is created by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport->} by admin %{administrator->} (%{fld1})", processor_chain([ - dup58, - dup2, - dup4, - dup5, - dup9, - ])); - - var msg1160 = msg("00767:52", part1826); - - var part1827 = match("MESSAGE#1145:00767:53", "nwparser.payload", "Attack CS:Man in Middle is added to attack group %{group->} by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport->} by admin %{administrator->} (%{fld1})", processor_chain([ - dup58, - dup2, - dup4, - dup5, - dup9, - ])); - - var msg1161 = msg("00767:53", part1827); - - var part1828 = match("MESSAGE#1146:00767", "nwparser.payload", "Cannot contact the SecurID server%{}", processor_chain([ - dup27, - setc("ec_theme","Communication"), - dup39, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1162 = msg("00767", part1828); - - var part1829 = match("MESSAGE#1147:00767:01/0", "nwparser.payload", "System auto-config of file %{fld2->} from TFTP server %{hostip->} has %{p0}"); - - var part1830 = match("MESSAGE#1147:00767:01/1_0", "nwparser.p0", "been loaded successfully%{}"); - - var part1831 = match("MESSAGE#1147:00767:01/1_1", "nwparser.p0", "failed%{}"); - - var select411 = linear_select([ - part1830, - part1831, - ]); - - var all373 = all_match({ - processors: [ - part1829, - select411, - ], - on_success: processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, 
- ]), - }); - - var msg1163 = msg("00767:01", all373); - - var part1832 = match("MESSAGE#1148:00767:02", "nwparser.payload", "netscreen: System Config saved from host %{saddr}", processor_chain([ - setc("eventcategory","1702000000"), - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1164 = msg("00767:02", part1832); - - var part1833 = match("MESSAGE#1149:00767:03", "nwparser.payload", "System Config saved to filename %(unknown)", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1165 = msg("00767:03", part1833); - - var part1834 = match("MESSAGE#1150:00767:04", "nwparser.payload", "System is operational.%{}", processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1166 = msg("00767:04", part1834); - - var part1835 = match("MESSAGE#1151:00767:05", "nwparser.payload", "The device cannot contact the SecurID server%{}", processor_chain([ - dup27, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1167 = msg("00767:05", part1835); - - var part1836 = match("MESSAGE#1152:00767:06", "nwparser.payload", "The device cannot send data to the SecurID server%{}", processor_chain([ - dup27, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1168 = msg("00767:06", part1836); - - var part1837 = match("MESSAGE#1153:00767:07", "nwparser.payload", "The system configuration was saved from peer unit by admin%{}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1169 = msg("00767:07", part1837); - - var part1838 = match("MESSAGE#1154:00767:08/0", "nwparser.payload", "The system configuration was saved by admin %{p0}"); - - var all374 = all_match({ - processors: [ - part1838, - dup397, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg1170 = msg("00767:08", all374); - - var part1839 = match("MESSAGE#1155:00767:09/0", "nwparser.payload", "traffic shaping is turned O%{p0}"); - - var part1840 = match("MESSAGE#1155:00767:09/1_0", "nwparser.p0", "N%{}"); - - var 
part1841 = match("MESSAGE#1155:00767:09/1_1", "nwparser.p0", "FF%{}"); - - var select412 = linear_select([ - part1840, - part1841, - ]); - - var all375 = all_match({ - processors: [ - part1839, - select412, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg1171 = msg("00767:09", all375); - - var part1842 = match("MESSAGE#1156:00767:10/0", "nwparser.payload", "The system configuration was saved from host %{saddr->} by admin %{p0}"); - - var all376 = all_match({ - processors: [ - part1842, - dup397, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg1172 = msg("00767:10", all376); - - var part1843 = match("MESSAGE#1157:00767:11/0", "nwparser.payload", "Fatal error. The NetScreen device was unable to upgrade the %{p0}"); - - var part1844 = match("MESSAGE#1157:00767:11/1_1", "nwparser.p0", "file system %{p0}"); - - var select413 = linear_select([ - dup331, - part1844, - ]); - - var part1845 = match("MESSAGE#1157:00767:11/2", "nwparser.p0", ", and the %{p0}"); - - var part1846 = match("MESSAGE#1157:00767:11/3_1", "nwparser.p0", "old file system %{p0}"); - - var select414 = linear_select([ - dup331, - part1846, - ]); - - var part1847 = match("MESSAGE#1157:00767:11/4", "nwparser.p0", "is damaged.%{}"); - - var all377 = all_match({ - processors: [ - part1843, - select413, - part1845, - select414, - part1847, - ], - on_success: processor_chain([ - dup18, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg1173 = msg("00767:11", all377); - - var part1848 = match("MESSAGE#1158:00767:12", "nwparser.payload", "System configuration saved by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport->} by %{fld2->} (%{fld1})", processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg1174 = msg("00767:12", part1848); - - var part1849 = match("MESSAGE#1159:00767:13/0", "nwparser.payload", "%{fld2}Environment variable %{fld3->} is 
changed to %{fld4->} by admin %{p0}"); - - var all378 = all_match({ - processors: [ - part1849, - dup397, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg1175 = msg("00767:13", all378); - - var part1850 = match("MESSAGE#1160:00767:14/0", "nwparser.payload", "System was %{p0}"); - - var part1851 = match("MESSAGE#1160:00767:14/1_0", "nwparser.p0", "reset %{p0}"); - - var select415 = linear_select([ - part1851, - dup262, - ]); - - var part1852 = match("MESSAGE#1160:00767:14/2", "nwparser.p0", "at %{fld2->} by %{p0}"); - - var part1853 = match("MESSAGE#1160:00767:14/3_0", "nwparser.p0", "admin %{administrator}"); - - var part1854 = match_copy("MESSAGE#1160:00767:14/3_1", "nwparser.p0", "username"); - - var select416 = linear_select([ - part1853, - part1854, - ]); - - var all379 = all_match({ - processors: [ - part1850, - select415, - part1852, - select416, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg1176 = msg("00767:14", all379); - - var part1855 = match("MESSAGE#1161:00767:15/1_0", "nwparser.p0", "System %{p0}"); - - var part1856 = match("MESSAGE#1161:00767:15/1_1", "nwparser.p0", "Event %{p0}"); - - var part1857 = match("MESSAGE#1161:00767:15/1_2", "nwparser.p0", "Traffic %{p0}"); - - var select417 = linear_select([ - part1855, - part1856, - part1857, - ]); - - var part1858 = match("MESSAGE#1161:00767:15/2", "nwparser.p0", "log was reviewed by %{p0}"); - - var part1859 = match("MESSAGE#1161:00767:15/4", "nwparser.p0", "%{} %{username}."); - - var all380 = all_match({ - processors: [ - dup183, - select417, - part1858, - dup336, - part1859, - ], - on_success: processor_chain([ - dup223, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg1177 = msg("00767:15", all380); - - var part1860 = match("MESSAGE#1162:00767:16", "nwparser.payload", "%{fld2->} Admin %{administrator->} issued command %{info->} to redirect output.", processor_chain([ - dup1, - 
dup2, - dup3, - dup4, - dup5, - ])); - - var msg1178 = msg("00767:16", part1860); - - var part1861 = match("MESSAGE#1163:00767:17/0", "nwparser.payload", "%{fld2->} Save new software from %{fld3->} to flash by admin %{p0}"); - - var all381 = all_match({ - processors: [ - part1861, - dup397, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg1179 = msg("00767:17", all381); - - var part1862 = match("MESSAGE#1164:00767:18", "nwparser.payload", "Attack database version %{version->} has been %{fld2->} saved to flash.", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1180 = msg("00767:18", part1862); - - var part1863 = match("MESSAGE#1165:00767:19", "nwparser.payload", "Attack database version %{version->} was rejected because the authentication check failed.", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1181 = msg("00767:19", part1863); - - var part1864 = match("MESSAGE#1166:00767:20", "nwparser.payload", "The dictionary file version of the RADIUS server %{hostname->} does not match %{fld2}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1182 = msg("00767:20", part1864); - - var part1865 = match("MESSAGE#1167:00767:21", "nwparser.payload", "Session (%{fld2->} %{fld3}, %{fld4}) cleared %{fld5}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1183 = msg("00767:21", part1865); - - var part1866 = match("MESSAGE#1168:00767:22/0", "nwparser.payload", "The system configuration was not saved %{p0}"); - - var part1867 = match("MESSAGE#1168:00767:22/1_0", "nwparser.p0", "%{fld2->} by admin %{administrator->} via NSRP Peer %{p0}"); - - var part1868 = match("MESSAGE#1168:00767:22/1_1", "nwparser.p0", "%{fld2->} %{p0}"); - - var select418 = linear_select([ - part1867, - part1868, - ]); - - var part1869 = match("MESSAGE#1168:00767:22/2", "nwparser.p0", "by administrator %{fld3}. 
%{p0}"); - - var part1870 = match("MESSAGE#1168:00767:22/3_0", "nwparser.p0", "It was locked %{p0}"); - - var part1871 = match("MESSAGE#1168:00767:22/3_1", "nwparser.p0", "Locked %{p0}"); - - var select419 = linear_select([ - part1870, - part1871, - ]); - - var part1872 = match("MESSAGE#1168:00767:22/4", "nwparser.p0", "by administrator %{fld4->} %{p0}"); - - var all382 = all_match({ - processors: [ - part1866, - select418, - part1869, - select419, - part1872, - dup354, - ], - on_success: processor_chain([ - dup50, - dup43, - dup51, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg1184 = msg("00767:22", all382); - - var part1873 = match("MESSAGE#1169:00767:23", "nwparser.payload", "Save new software from slot filename %{filename->} to flash memory by administrator %{administrator}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var msg1185 = msg("00767:23", part1873); - - var part1874 = match("MESSAGE#1170:00767:25/0", "nwparser.payload", "System configuration saved by %{username->} via %{logon_type->} from %{p0}"); - - var select420 = linear_select([ - dup169, - dup16, - ]); - - var part1875 = match("MESSAGE#1170:00767:25/3_0", "nwparser.p0", "%{saddr}:%{sport->} by %{p0}"); - - var part1876 = match("MESSAGE#1170:00767:25/3_1", "nwparser.p0", "%{saddr->} by %{p0}"); - - var select421 = linear_select([ - part1875, - part1876, - ]); - - var all383 = all_match({ - processors: [ - part1874, - select420, - dup23, - select421, - dup108, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var msg1186 = msg("00767:25", all383); - - var part1877 = match("MESSAGE#1171:00767:26/0", "nwparser.payload", "Lock configuration %{p0}"); - - var part1878 = match("MESSAGE#1171:00767:26/1_0", "nwparser.p0", "started%{p0}"); - - var part1879 = match("MESSAGE#1171:00767:26/1_1", "nwparser.p0", "ended%{p0}"); - - var select422 = linear_select([ - part1878, - part1879, - ]); - - var part1880 = 
match("MESSAGE#1171:00767:26/2", "nwparser.p0", "%{}by task %{p0}"); - - var part1881 = match("MESSAGE#1171:00767:26/3_0", "nwparser.p0", "%{fld3}, with a timeout value of %{fld2}"); - - var part1882 = match("MESSAGE#1171:00767:26/3_1", "nwparser.p0", "%{fld2->} (%{fld1})"); - - var select423 = linear_select([ - part1881, - part1882, - ]); - - var all384 = all_match({ - processors: [ - part1877, - select422, - part1880, - select423, - ], - on_success: processor_chain([ - dup50, - dup43, - dup51, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg1187 = msg("00767:26", all384); - - var part1883 = match("MESSAGE#1172:00767:27/0", "nwparser.payload", "Environment variable %{fld2->} changed to %{p0}"); - - var part1884 = match("MESSAGE#1172:00767:27/1_0", "nwparser.p0", "%{fld3->} by %{username->} (%{fld1})"); - - var part1885 = match_copy("MESSAGE#1172:00767:27/1_1", "nwparser.p0", "fld3"); - - var select424 = linear_select([ - part1884, - part1885, - ]); - - var all385 = all_match({ - processors: [ - part1883, - select424, - ], - on_success: processor_chain([ - dup223, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg1188 = msg("00767:27", all385); - - var part1886 = match("MESSAGE#1173:00767:28", "nwparser.payload", "The system configuration was loaded from IP address %{hostip->} under filename %{filename->} by administrator by admin %{administrator->} (%{fld1})", processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg1189 = msg("00767:28", part1886); - - var part1887 = match("MESSAGE#1174:00767:29", "nwparser.payload", "Save configuration to IP address %{hostip->} under filename %{filename->} by administrator by admin %{administrator->} (%{fld1})", processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg1190 = msg("00767:29", part1887); - - var part1888 = match("MESSAGE#1175:00767:30", "nwparser.payload", "%{fld2}: The system configuration was saved from host %{saddr->} by admin 
%{administrator->} (%{fld1})", processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg1191 = msg("00767:30", part1888); - - var part1889 = match("MESSAGE#1176:00767:31/1_0", "nwparser.p0", "logged events or alarms %{p0}"); - - var part1890 = match("MESSAGE#1176:00767:31/1_1", "nwparser.p0", "traffic logs %{p0}"); - - var select425 = linear_select([ - part1889, - part1890, - ]); - - var part1891 = match("MESSAGE#1176:00767:31/2", "nwparser.p0", "were cleared by admin %{p0}"); - - var all386 = all_match({ - processors: [ - dup186, - select425, - part1891, - dup397, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg1192 = msg("00767:31", all386); - - var part1892 = match("MESSAGE#1177:00767:32/0", "nwparser.payload", "SIP parser error %{p0}"); - - var part1893 = match("MESSAGE#1177:00767:32/1_0", "nwparser.p0", "SIP-field%{p0}"); - - var part1894 = match("MESSAGE#1177:00767:32/1_1", "nwparser.p0", "Message%{p0}"); - - var select426 = linear_select([ - part1893, - part1894, - ]); - - var part1895 = match("MESSAGE#1177:00767:32/2", "nwparser.p0", ": %{result}(%{fld1})"); - - var all387 = all_match({ - processors: [ - part1892, - select426, - part1895, - ], - on_success: processor_chain([ - dup27, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg1193 = msg("00767:32", all387); - - var part1896 = match("MESSAGE#1178:00767:33", "nwparser.payload", "Daylight Saving Time has started. 
(%{fld1})", processor_chain([ - dup44, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg1194 = msg("00767:33", part1896); - - var part1897 = match("MESSAGE#1179:00767:34", "nwparser.payload", "NetScreen devices do not support multiple IP addresses %{hostip->} or ports %{network_port->} in SIP headers RESPONSE (%{fld1})", processor_chain([ - dup313, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg1195 = msg("00767:34", part1897); - - var part1898 = match("MESSAGE#1180:00767:35", "nwparser.payload", "Environment variable %{fld2->} set to %{fld3->} (%{fld1})", processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg1196 = msg("00767:35", part1898); - - var part1899 = match("MESSAGE#1181:00767:36", "nwparser.payload", "System configuration saved from %{fld2->} by %{username->} (%{fld1})", processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg1197 = msg("00767:36", part1899); - - var part1900 = match("MESSAGE#1182:00767:37", "nwparser.payload", "Trial keys are available to download to enable advanced features. %{space->} To find out, please visit %{url->} (%{fld1})", processor_chain([ - dup254, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg1198 = msg("00767:37", part1900); - - var part1901 = match("MESSAGE#1183:00767:38", "nwparser.payload", "Log buffer was full and remaining messages were sent to external destination. %{fld2->} packets were dropped. 
(%{fld1})", processor_chain([ - setc("eventcategory","1602000000"), - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg1199 = msg("00767:38", part1901); - - var part1902 = match("MESSAGE#1184:00767:39/0", "nwparser.payload", "Cannot %{p0}"); - - var part1903 = match("MESSAGE#1184:00767:39/1_0", "nwparser.p0", "download %{p0}"); - - var part1904 = match("MESSAGE#1184:00767:39/1_1", "nwparser.p0", "parse %{p0}"); - - var select427 = linear_select([ - part1903, - part1904, - ]); - - var part1905 = match("MESSAGE#1184:00767:39/2", "nwparser.p0", "attack database %{p0}"); - - var part1906 = match("MESSAGE#1184:00767:39/3_0", "nwparser.p0", "from %{url->} (%{result}). %{p0}"); - - var part1907 = match("MESSAGE#1184:00767:39/3_1", "nwparser.p0", "%{fld2->} %{p0}"); - - var select428 = linear_select([ - part1906, - part1907, - ]); - - var all388 = all_match({ - processors: [ - part1902, - select427, - part1905, - select428, - dup10, - ], - on_success: processor_chain([ - dup324, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg1200 = msg("00767:39", all388); - - var part1908 = match("MESSAGE#1185:00767:40", "nwparser.payload", "Deep Inspection update key is %{disposition}. (%{fld1})", processor_chain([ - dup62, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg1201 = msg("00767:40", part1908); - - var part1909 = match("MESSAGE#1186:00767:42", "nwparser.payload", "System configuration saved by %{username->} via %{logon_type->} to %{daddr}:%{dport->} by %{fld2->} (%{fld1})", processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg1202 = msg("00767:42", part1909); - - var part1910 = match("MESSAGE#1187:00767:43", "nwparser.payload", "Daylight Saving Time ended. 
(%{fld1})", processor_chain([ - dup44, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg1203 = msg("00767:43", part1910); - - var part1911 = match("MESSAGE#1188:00767:44", "nwparser.payload", "New GMT zone ahead or behind by %{fld2->} (%{fld1})", processor_chain([ - dup44, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg1204 = msg("00767:44", part1911); - - var part1912 = match("MESSAGE#1189:00767:45", "nwparser.payload", "Attack database version %{version->} is saved to flash. (%{fld1})", processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg1205 = msg("00767:45", part1912); - - var part1913 = match("MESSAGE#1190:00767:46", "nwparser.payload", "System configuration saved by netscreen via %{logon_type->} by netscreen. (%{fld1})", processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg1206 = msg("00767:46", part1913); - - var part1914 = match("MESSAGE#1191:00767:47", "nwparser.payload", "User %{username->} belongs to a different group in the RADIUS server than that allowed in the device. (%{fld1})", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - dup9, - ])); - - var msg1207 = msg("00767:47", part1914); - - var part1915 = match("MESSAGE#1192:00767:24/0", "nwparser.payload", "System configuration saved by %{p0}"); - - var part1916 = match("MESSAGE#1192:00767:24/2", "nwparser.p0", "%{logon_type->} by %{fld2->} (%{fld1})"); - - var all389 = all_match({ - processors: [ - part1915, - dup364, - part1916, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup9, - dup4, - dup5, - ]), - }); - - var msg1208 = msg("00767:24", all389); - - var part1917 = match("MESSAGE#1193:00767:48", "nwparser.payload", "HA: Synchronization file(s) hidden file end with c sent to backup device in cluster. 
(%{fld1})", processor_chain([ - dup272, - dup2, - dup3, - dup9, - dup4, - dup5, - ])); - - var msg1209 = msg("00767:48", part1917); - - var part1918 = match("MESSAGE#1194:00767:49/0", "nwparser.payload", "%{fld2->} turn o%{p0}"); - - var part1919 = match("MESSAGE#1194:00767:49/1_0", "nwparser.p0", "n%{p0}"); - - var part1920 = match("MESSAGE#1194:00767:49/1_1", "nwparser.p0", "ff%{p0}"); - - var select429 = linear_select([ - part1919, - part1920, - ]); - - var part1921 = match("MESSAGE#1194:00767:49/2", "nwparser.p0", "%{}debug switch for %{fld3->} (%{fld1})"); - - var all390 = all_match({ - processors: [ - part1918, - select429, - part1921, - ], - on_success: processor_chain([ - dup1, - dup2, - dup4, - dup5, - dup9, - ]), - }); - - var msg1210 = msg("00767:49", all390); - - var select430 = linear_select([ - msg1158, - msg1159, - msg1160, - msg1161, - msg1162, - msg1163, - msg1164, - msg1165, - msg1166, - msg1167, - msg1168, - msg1169, - msg1170, - msg1171, - msg1172, - msg1173, - msg1174, - msg1175, - msg1176, - msg1177, - msg1178, - msg1179, - msg1180, - msg1181, - msg1182, - msg1183, - msg1184, - msg1185, - msg1186, - msg1187, - msg1188, - msg1189, - msg1190, - msg1191, - msg1192, - msg1193, - msg1194, - msg1195, - msg1196, - msg1197, - msg1198, - msg1199, - msg1200, - msg1201, - msg1202, - msg1203, - msg1204, - msg1205, - msg1206, - msg1207, - msg1208, - msg1209, - msg1210, - ]); - - var part1922 = match("MESSAGE#1195:01269", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} direction=%{direction->} action=Deny sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} icmp type=%{icmptype}", processor_chain([ - dup185, - dup2, - dup4, - dup5, - dup274, - dup277, - dup3, - dup275, - dup60, - ])); - - var msg1211 = msg("01269", part1922); - - var msg1212 = msg("01269:01", dup407); - - var msg1213 = msg("01269:02", dup408); - - var msg1214 = msg("01269:03", dup409); - - var 
select431 = linear_select([ - msg1211, - msg1212, - msg1213, - msg1214, - ]); - - var part1923 = match("MESSAGE#1199:17852", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} direction=%{direction->} action=Deny sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport}", processor_chain([ - dup185, - dup2, - dup4, - dup5, - dup274, - dup3, - dup276, - dup277, - dup275, - dup332, - ])); - - var msg1215 = msg("17852", part1923); - - var part1924 = match("MESSAGE#1200:17852:01", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} direction=%{direction->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport}", processor_chain([ - dup281, - dup2, - dup4, - dup5, - dup274, - dup3, - dup275, - dup332, - dup282, - ])); - - var msg1216 = msg("17852:01", part1924); - - var part1925 = match("MESSAGE#1201:17852:02", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=Deny sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport}", processor_chain([ - dup185, - dup2, - dup4, - dup5, - dup274, - dup3, - dup275, - dup276, - dup277, - dup61, - ])); - - var msg1217 = msg("17852:02", part1925); - - var part1926 = match("MESSAGE#1202:17852:03", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport}", processor_chain([ - dup281, - dup2, - dup4, - dup5, - dup274, - dup3, - dup275, - dup332, 
- dup282, - ])); - - var msg1218 = msg("17852:03", part1926); - - var select432 = linear_select([ - msg1215, - msg1216, - msg1217, - msg1218, - ]); - - var msg1219 = msg("23184", dup410); - - var part1927 = match("MESSAGE#1204:23184:01", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} (%{fld3}) proto=%{protocol->} direction=%{direction->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport}", processor_chain([ - dup281, - dup2, - dup4, - dup5, - dup274, - dup3, - dup275, - dup61, - dup282, - ])); - - var msg1220 = msg("23184:01", part1927); - - var part1928 = match("MESSAGE#1205:23184:02", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} (%{fld3}) proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=Deny sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport}", processor_chain([ - dup185, - dup2, - dup4, - dup5, - dup274, - dup3, - dup276, - dup277, - dup275, - dup61, - ])); - - var msg1221 = msg("23184:02", part1928); - - var part1929 = match("MESSAGE#1206:23184:03", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} (%{fld3}) proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport}", processor_chain([ - dup281, - dup2, - dup4, - dup5, - dup274, - dup3, - dup275, - dup332, - dup282, - ])); - - var msg1222 = msg("23184:03", part1929); - - var select433 = linear_select([ - msg1219, - msg1220, - msg1221, - msg1222, - ]); - - var msg1223 = msg("27052", dup410); - - var part1930 = match("MESSAGE#1208:27052:01", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} 
service=%{service->} (%{fld3}) proto=%{protocol}direction=%{direction->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport}", processor_chain([ - dup281, - dup2, - dup4, - dup5, - dup274, - dup3, - dup275, - dup61, - dup282, - ])); - - var msg1224 = msg("27052:01", part1930); - - var select434 = linear_select([ - msg1223, - msg1224, - ]); - - var part1931 = match("MESSAGE#1209:39568", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} direction=%{direction->} action=Deny sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} icmp type=%{icmptype}", processor_chain([ - dup185, - dup2, - dup4, - dup277, - dup5, - dup274, - dup3, - dup275, - dup276, - dup60, - ])); - - var msg1225 = msg("39568", part1931); - - var msg1226 = msg("39568:01", dup407); - - var msg1227 = msg("39568:02", dup408); - - var msg1228 = msg("39568:03", dup409); - - var select435 = linear_select([ - msg1225, - msg1226, - msg1227, - msg1228, - ]); - - var chain1 = processor_chain([ - select2, - msgid_select({ - "00001": select6, - "00002": select29, - "00003": select31, - "00004": select33, - "00005": select39, - "00006": select40, - "00007": select63, - "00008": select66, - "00009": select83, - "00010": select86, - "00011": select100, - "00012": select101, - "00013": select102, - "00014": select104, - "00015": select114, - "00016": select115, - "00017": select125, - "00018": select138, - "00019": select147, - "00020": select150, - "00021": select151, - "00022": select163, - "00023": select164, - "00024": select170, - "00025": select171, - "00026": select176, - "00027": select184, - "00028": msg469, - "00029": select188, - "00030": select197, - "00031": select205, - "00032": select207, - "00033": select214, - "00034": select225, - "00035": select232, - "00036": select234, - "00037": select241, - "00038": msg660, - "00039": msg661, - 
"00040": select244, - "00041": select245, - "00042": select246, - "00043": msg668, - "00044": select248, - "00045": msg671, - "00047": msg672, - "00048": select257, - "00049": select258, - "00050": msg682, - "00051": msg683, - "00052": msg684, - "00055": select265, - "00056": msg696, - "00057": msg697, - "00058": msg698, - "00059": select272, - "00062": select273, - "00063": msg713, - "00064": select274, - "00070": select276, - "00071": select277, - "00072": select278, - "00073": select279, - "00074": msg726, - "00075": select280, - "00076": select281, - "00077": select282, - "00084": msg735, - "00090": msg736, - "00200": msg737, - "00201": msg738, - "00202": msg739, - "00203": msg740, - "00206": select285, - "00207": select286, - "00257": select291, - "00259": select294, - "00262": msg778, - "00263": msg779, - "00400": msg780, - "00401": msg781, - "00402": select296, - "00403": msg784, - "00404": msg785, - "00405": msg786, - "00406": msg787, - "00407": msg788, - "00408": msg789, - "00409": msg790, - "00410": select297, - "00411": msg793, - "00413": select298, - "00414": select299, - "00415": msg799, - "00423": msg800, - "00429": select300, - "00430": select301, - "00431": msg805, - "00432": msg806, - "00433": msg807, - "00434": msg808, - "00435": select302, - "00436": select303, - "00437": select304, - "00438": select305, - "00440": select306, - "00441": msg823, - "00442": msg824, - "00443": msg825, - "00511": select307, - "00513": msg841, - "00515": select328, - "00518": select331, - "00519": select336, - "00520": select339, - "00521": msg890, - "00522": msg891, - "00523": msg892, - "00524": select340, - "00525": select341, - "00526": msg912, - "00527": select348, - "00528": select354, - "00529": select357, - "00530": select358, - "00531": select362, - "00533": msg973, - "00534": msg974, - "00535": select363, - "00536": select365, - "00537": select366, - "00538": select372, - "00539": select373, - "00541": select375, - "00542": msg1062, - "00543": msg1063, - 
"00544": msg1064, - "00546": msg1065, - "00547": select379, - "00549": msg1070, - "00551": select381, - "00553": select385, - "00554": select391, - "00555": msg1117, - "00556": select401, - "00572": select402, - "00601": select404, - "00602": msg1148, - "00612": msg1149, - "00615": select403, - "00620": select408, - "00622": msg1155, - "00625": msg1156, - "00628": msg1157, - "00767": select430, - "01269": select431, - "17852": select432, - "23184": select433, - "27052": select434, - "39568": select435, - }), - ]); - - var part1932 = match("MESSAGE#2:00001:02/0", "nwparser.payload", "Address %{group_object->} for %{p0}"); - - var part1933 = match("MESSAGE#2:00001:02/1_1", "nwparser.p0", "domain address %{domain->} in zone %{p0}"); - - var part1934 = match("MESSAGE#4:00001:04/3_0", "nwparser.p0", " (%{fld1})"); - - var part1935 = match("MESSAGE#5:00001:05/1_0", "nwparser.p0", "(%{fld1})"); - - var part1936 = match_copy("MESSAGE#5:00001:05/1_1", "nwparser.p0", "fld1"); - - var part1937 = match("MESSAGE#8:00001:08/0", "nwparser.payload", "Address %{p0}"); - - var part1938 = match("MESSAGE#8:00001:08/1_0", "nwparser.p0", "MIP(%{interface}) %{p0}"); - - var part1939 = match("MESSAGE#8:00001:08/1_1", "nwparser.p0", "%{group_object->} %{p0}"); - - var part1940 = match("MESSAGE#8:00001:08/3_0", "nwparser.p0", "admin %{p0}"); - - var part1941 = match_copy("MESSAGE#8:00001:08/3_1", "nwparser.p0", "p0"); - - var part1942 = match("MESSAGE#25:00002:20/1_1", "nwparser.p0", "from host %{saddr->} "); - - var part1943 = match_copy("MESSAGE#25:00002:20/1_2", "nwparser.p0", ""); - - var part1944 = match("MESSAGE#26:00002:21/1", "nwparser.p0", "%{p0}"); - - var part1945 = match("MESSAGE#26:00002:21/2_0", "nwparser.p0", "password %{p0}"); - - var part1946 = match("MESSAGE#26:00002:21/2_1", "nwparser.p0", "name %{p0}"); - - var part1947 = match_copy("MESSAGE#27:00002:22/1_2", "nwparser.p0", "administrator"); - - var part1948 = match_copy("MESSAGE#42:00002:38/1_1", "nwparser.p0", 
"disposition"); - - var part1949 = match("MESSAGE#46:00002:42/1_1", "nwparser.p0", "via %{p0}"); - - var part1950 = match("MESSAGE#46:00002:42/4", "nwparser.p0", "%{fld1})"); - - var part1951 = match("MESSAGE#52:00002:48/3_1", "nwparser.p0", "%{logon_type->} from host %{saddr->} to %{daddr}:%{dport}. (%{p0}"); - - var part1952 = match("MESSAGE#53:00002:52/3_0", "nwparser.p0", "admin %{administrator->} via %{p0}"); - - var part1953 = match("MESSAGE#53:00002:52/3_2", "nwparser.p0", "%{username->} via %{p0}"); - - var part1954 = match("MESSAGE#53:00002:52/4_0", "nwparser.p0", "NSRP Peer . (%{p0}"); - - var part1955 = match("MESSAGE#55:00002:54/2", "nwparser.p0", ". (%{fld1})"); - - var part1956 = match("MESSAGE#56:00002/1_1", "nwparser.p0", "changed%{p0}"); - - var part1957 = match("MESSAGE#61:00003:05/0", "nwparser.payload", "The %{p0}"); - - var part1958 = match("MESSAGE#66:00004:04/1_0", "nwparser.p0", "interface%{p0}"); - - var part1959 = match("MESSAGE#66:00004:04/1_1", "nwparser.p0", "Interface%{p0}"); - - var part1960 = match("MESSAGE#76:00004:14/0", "nwparser.payload", "DNS entries have been %{p0}"); - - var part1961 = match("MESSAGE#79:00004:17/0", "nwparser.payload", "%{signame->} From %{saddr->} to %{daddr}, proto %{protocol->} (zone %{p0}"); - - var part1962 = match("MESSAGE#79:00004:17/1_0", "nwparser.p0", "%{zone}, %{p0}"); - - var part1963 = match("MESSAGE#79:00004:17/1_1", "nwparser.p0", "%{zone->} %{p0}"); - - var part1964 = match("MESSAGE#79:00004:17/2", "nwparser.p0", "int %{interface}).%{space}Occurred %{dclass_counter1->} times. 
(%{fld1})"); - - var part1965 = match("MESSAGE#83:00005:03/1_0", "nwparser.p0", "%{dport},%{p0}"); - - var part1966 = match("MESSAGE#83:00005:03/1_1", "nwparser.p0", "%{dport->} %{p0}"); - - var part1967 = match("MESSAGE#83:00005:03/2", "nwparser.p0", "%{space}using protocol %{p0}"); - - var part1968 = match("MESSAGE#83:00005:03/3_0", "nwparser.p0", "%{protocol},%{p0}"); - - var part1969 = match("MESSAGE#83:00005:03/3_1", "nwparser.p0", "%{protocol->} %{p0}"); - - var part1970 = match("MESSAGE#83:00005:03/5_1", "nwparser.p0", ". %{p0}"); - - var part1971 = match("MESSAGE#86:00005:06/0_0", "nwparser.payload", "%{fld2}: SYN %{p0}"); - - var part1972 = match("MESSAGE#86:00005:06/0_1", "nwparser.payload", "SYN %{p0}"); - - var part1973 = match("MESSAGE#87:00005:07/1_2", "nwparser.p0", "timeout value %{p0}"); - - var part1974 = match("MESSAGE#88:00005:08/2_0", "nwparser.p0", "destination %{p0}"); - - var part1975 = match("MESSAGE#88:00005:08/2_1", "nwparser.p0", "source %{p0}"); - - var part1976 = match("MESSAGE#97:00005:17/0", "nwparser.payload", "A %{p0}"); - - var part1977 = match("MESSAGE#98:00005:18/0", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to %{daddr}:%{dport}, proto %{protocol->} (zone %{zone->} %{p0}"); - - var part1978 = match("MESSAGE#98:00005:18/1_0", "nwparser.p0", ", int %{p0}"); - - var part1979 = match("MESSAGE#98:00005:18/1_1", "nwparser.p0", "int %{p0}"); - - var part1980 = match("MESSAGE#98:00005:18/2", "nwparser.p0", "%{interface}).%{space}Occurred %{dclass_counter1->} times. 
(%{fld1})"); - - var part1981 = match("MESSAGE#111:00007:04/0", "nwparser.payload", "HA %{p0}"); - - var part1982 = match("MESSAGE#111:00007:04/1_0", "nwparser.p0", "encryption %{p0}"); - - var part1983 = match("MESSAGE#111:00007:04/1_1", "nwparser.p0", "authentication %{p0}"); - - var part1984 = match("MESSAGE#111:00007:04/3_1", "nwparser.p0", "key %{p0}"); - - var part1985 = match("MESSAGE#118:00007:11/1_0", "nwparser.p0", "disabled%{}"); - - var part1986 = match("MESSAGE#118:00007:11/1_1", "nwparser.p0", "set to %{trigger_val}"); - - var part1987 = match("MESSAGE#127:00007:21/1_0", "nwparser.p0", "up%{}"); - - var part1988 = match("MESSAGE#127:00007:21/1_1", "nwparser.p0", "down%{}"); - - var part1989 = match("MESSAGE#139:00007:33/2_1", "nwparser.p0", " %{p0}"); - - var part1990 = match("MESSAGE#143:00007:37/1_0", "nwparser.p0", "set%{}"); - - var part1991 = match("MESSAGE#143:00007:37/1_1", "nwparser.p0", "unset%{}"); - - var part1992 = match("MESSAGE#144:00007:38/1_0", "nwparser.p0", "undefined %{p0}"); - - var part1993 = match("MESSAGE#144:00007:38/1_1", "nwparser.p0", "set %{p0}"); - - var part1994 = match("MESSAGE#144:00007:38/1_2", "nwparser.p0", "active %{p0}"); - - var part1995 = match("MESSAGE#144:00007:38/2", "nwparser.p0", "to %{p0}"); - - var part1996 = match("MESSAGE#157:00007:51/1_0", "nwparser.p0", "created %{p0}"); - - var part1997 = match("MESSAGE#157:00007:51/3_0", "nwparser.p0", ", %{p0}"); - - var part1998 = match("MESSAGE#157:00007:51/5_0", "nwparser.p0", "is %{p0}"); - - var part1999 = match("MESSAGE#157:00007:51/5_1", "nwparser.p0", "was %{p0}"); - - var part2000 = match("MESSAGE#157:00007:51/6", "nwparser.p0", "%{fld2}"); - - var part2001 = match("MESSAGE#163:00007:57/1_0", "nwparser.p0", "threshold %{p0}"); - - var part2002 = match("MESSAGE#163:00007:57/1_1", "nwparser.p0", "interval %{p0}"); - - var part2003 = match("MESSAGE#163:00007:57/3_0", "nwparser.p0", "of %{p0}"); - - var part2004 = match("MESSAGE#163:00007:57/3_1", 
"nwparser.p0", "that %{p0}"); - - var part2005 = match("MESSAGE#170:00007:64/0_0", "nwparser.payload", "Zone %{p0}"); - - var part2006 = match("MESSAGE#170:00007:64/0_1", "nwparser.payload", "Interface %{p0}"); - - var part2007 = match("MESSAGE#172:00007:66/2_1", "nwparser.p0", "n %{p0}"); - - var part2008 = match("MESSAGE#174:00007:68/4", "nwparser.p0", ".%{}"); - - var part2009 = match("MESSAGE#195:00009:06/1", "nwparser.p0", "for %{p0}"); - - var part2010 = match("MESSAGE#195:00009:06/2_0", "nwparser.p0", "the %{p0}"); - - var part2011 = match("MESSAGE#195:00009:06/4_0", "nwparser.p0", "removed %{p0}"); - - var part2012 = match("MESSAGE#202:00009:14/2_0", "nwparser.p0", "interface %{p0}"); - - var part2013 = match("MESSAGE#202:00009:14/2_1", "nwparser.p0", "the interface %{p0}"); - - var part2014 = match_copy("MESSAGE#202:00009:14/4_1", "nwparser.p0", "interface"); - - var part2015 = match("MESSAGE#203:00009:15/1_1", "nwparser.p0", "s %{p0}"); - - var part2016 = match("MESSAGE#203:00009:15/2", "nwparser.p0", "on interface %{interface->} %{p0}"); - - var part2017 = match("MESSAGE#203:00009:15/3_0", "nwparser.p0", "has been %{p0}"); - - var part2018 = match("MESSAGE#203:00009:15/4", "nwparser.p0", "%{disposition}."); - - var part2019 = match("MESSAGE#204:00009:16/3_0", "nwparser.p0", "removed from %{p0}"); - - var part2020 = match("MESSAGE#204:00009:16/3_1", "nwparser.p0", "added to %{p0}"); - - var part2021 = match("MESSAGE#210:00009:21/2", "nwparser.p0", "%{interface}). Occurred %{dclass_counter1->} times. 
(%{fld1})"); - - var part2022 = match("MESSAGE#219:00010:03/0", "nwparser.payload", "%{signame->} From %{saddr->} to %{daddr}, proto %{protocol->} (zone %{zone->} %{p0}"); - - var part2023 = match("MESSAGE#224:00011:04/1_1", "nwparser.p0", "Interface %{p0}"); - - var part2024 = match("MESSAGE#233:00011:14/1_0", "nwparser.p0", "set to %{fld2}"); - - var part2025 = match("MESSAGE#237:00011:18/4_1", "nwparser.p0", "gateway %{p0}"); - - var part2026 = match("MESSAGE#238:00011:19/6", "nwparser.p0", "%{} %{disposition}"); - - var part2027 = match("MESSAGE#274:00015:02/1_1", "nwparser.p0", "port number %{p0}"); - - var part2028 = match("MESSAGE#274:00015:02/2", "nwparser.p0", "has been %{disposition}"); - - var part2029 = match("MESSAGE#276:00015:04/1_0", "nwparser.p0", "IP %{p0}"); - - var part2030 = match("MESSAGE#276:00015:04/1_1", "nwparser.p0", "port %{p0}"); - - var part2031 = match("MESSAGE#284:00015:12/3_0", "nwparser.p0", "up %{p0}"); - - var part2032 = match("MESSAGE#284:00015:12/3_1", "nwparser.p0", "down %{p0}"); - - var part2033 = match("MESSAGE#294:00015:22/2_0", "nwparser.p0", "(%{fld1}) "); - - var part2034 = match("MESSAGE#317:00017:01/2_0", "nwparser.p0", ": %{p0}"); - - var part2035 = match("MESSAGE#320:00017:04/0", "nwparser.payload", "IP %{p0}"); - - var part2036 = match("MESSAGE#320:00017:04/1_0", "nwparser.p0", "address pool %{p0}"); - - var part2037 = match("MESSAGE#320:00017:04/1_1", "nwparser.p0", "pool %{p0}"); - - var part2038 = match("MESSAGE#326:00017:10/1_0", "nwparser.p0", "enabled %{p0}"); - - var part2039 = match("MESSAGE#326:00017:10/1_1", "nwparser.p0", "disabled %{p0}"); - - var part2040 = match("MESSAGE#332:00017:15/1_0", "nwparser.p0", "AH %{p0}"); - - var part2041 = match("MESSAGE#332:00017:15/1_1", "nwparser.p0", "ESP %{p0}"); - - var part2042 = match("MESSAGE#354:00018:11/0", "nwparser.payload", "%{} %{p0}"); - - var part2043 = match("MESSAGE#356:00018:32/0_0", "nwparser.payload", "Source%{p0}"); - - var part2044 = 
match("MESSAGE#356:00018:32/0_1", "nwparser.payload", "Destination%{p0}"); - - var part2045 = match("MESSAGE#356:00018:32/2_0", "nwparser.p0", "from %{p0}"); - - var part2046 = match("MESSAGE#356:00018:32/3", "nwparser.p0", "policy ID %{policy_id->} by admin %{administrator->} via NSRP Peer . (%{fld1})"); - - var part2047 = match("MESSAGE#375:00019:01/0", "nwparser.payload", "Attempt to enable %{p0}"); - - var part2048 = match("MESSAGE#375:00019:01/1_0", "nwparser.p0", "traffic logging via syslog %{p0}"); - - var part2049 = match("MESSAGE#375:00019:01/1_1", "nwparser.p0", "syslog %{p0}"); - - var part2050 = match("MESSAGE#378:00019:04/0", "nwparser.payload", "Syslog %{p0}"); - - var part2051 = match("MESSAGE#378:00019:04/1_0", "nwparser.p0", "host %{p0}"); - - var part2052 = match("MESSAGE#378:00019:04/3_1", "nwparser.p0", "domain name %{p0}"); - - var part2053 = match("MESSAGE#378:00019:04/4", "nwparser.p0", "has been changed to %{fld2}"); - - var part2054 = match("MESSAGE#380:00019:06/1_0", "nwparser.p0", "security facility %{p0}"); - - var part2055 = match("MESSAGE#380:00019:06/1_1", "nwparser.p0", "facility %{p0}"); - - var part2056 = match("MESSAGE#380:00019:06/3_0", "nwparser.p0", "local0%{}"); - - var part2057 = match("MESSAGE#380:00019:06/3_1", "nwparser.p0", "local1%{}"); - - var part2058 = match("MESSAGE#380:00019:06/3_2", "nwparser.p0", "local2%{}"); - - var part2059 = match("MESSAGE#380:00019:06/3_3", "nwparser.p0", "local3%{}"); - - var part2060 = match("MESSAGE#380:00019:06/3_4", "nwparser.p0", "local4%{}"); - - var part2061 = match("MESSAGE#380:00019:06/3_5", "nwparser.p0", "local5%{}"); - - var part2062 = match("MESSAGE#380:00019:06/3_6", "nwparser.p0", "local6%{}"); - - var part2063 = match("MESSAGE#380:00019:06/3_7", "nwparser.p0", "local7%{}"); - - var part2064 = match("MESSAGE#380:00019:06/3_8", "nwparser.p0", "auth/sec%{}"); - - var part2065 = match("MESSAGE#384:00019:10/0", "nwparser.payload", "%{fld2->} %{p0}"); - - var part2066 = 
match("MESSAGE#405:00022/0", "nwparser.payload", "All %{p0}"); - - var part2067 = match("MESSAGE#414:00022:09/1_0", "nwparser.p0", "primary %{p0}"); - - var part2068 = match("MESSAGE#414:00022:09/1_1", "nwparser.p0", "secondary %{p0}"); - - var part2069 = match("MESSAGE#414:00022:09/3_0", "nwparser.p0", "t %{p0}"); - - var part2070 = match("MESSAGE#414:00022:09/3_1", "nwparser.p0", "w %{p0}"); - - var part2071 = match("MESSAGE#423:00024/1", "nwparser.p0", "server %{p0}"); - - var part2072 = match("MESSAGE#426:00024:03/1_0", "nwparser.p0", "has %{p0}"); - - var part2073 = match("MESSAGE#434:00026:01/0", "nwparser.payload", "SCS%{p0}"); - - var part2074 = match("MESSAGE#434:00026:01/3_0", "nwparser.p0", "bound to %{p0}"); - - var part2075 = match("MESSAGE#434:00026:01/3_1", "nwparser.p0", "unbound from %{p0}"); - - var part2076 = match("MESSAGE#441:00026:08/1_1", "nwparser.p0", "PKA RSA %{p0}"); - - var part2077 = match("MESSAGE#443:00026:10/3_1", "nwparser.p0", "unbind %{p0}"); - - var part2078 = match("MESSAGE#443:00026:10/4", "nwparser.p0", "PKA key %{p0}"); - - var part2079 = match("MESSAGE#446:00027/0", "nwparser.payload", "Multiple login failures %{p0}"); - - var part2080 = match("MESSAGE#446:00027/1_0", "nwparser.p0", "occurred for %{p0}"); - - var part2081 = match("MESSAGE#451:00027:05/5_0", "nwparser.p0", "aborted%{}"); - - var part2082 = match("MESSAGE#451:00027:05/5_1", "nwparser.p0", "performed%{}"); - - var part2083 = match("MESSAGE#466:00029:03/0", "nwparser.payload", "IP pool of DHCP server on %{p0}"); - - var part2084 = match("MESSAGE#492:00030:17/1_0", "nwparser.p0", "certificate %{p0}"); - - var part2085 = match("MESSAGE#492:00030:17/1_1", "nwparser.p0", "CRL %{p0}"); - - var part2086 = match("MESSAGE#493:00030:40/1_0", "nwparser.p0", "auto %{p0}"); - - var part2087 = match("MESSAGE#508:00030:55/1_0", "nwparser.p0", "RSA %{p0}"); - - var part2088 = match("MESSAGE#508:00030:55/1_1", "nwparser.p0", "DSA %{p0}"); - - var part2089 = 
match("MESSAGE#508:00030:55/2", "nwparser.p0", "key pair.%{}"); - - var part2090 = match("MESSAGE#539:00030:86/0", "nwparser.payload", "FIPS test for %{p0}"); - - var part2091 = match("MESSAGE#539:00030:86/1_0", "nwparser.p0", "ECDSA %{p0}"); - - var part2092 = match("MESSAGE#543:00031:02/1_0", "nwparser.p0", "yes %{p0}"); - - var part2093 = match("MESSAGE#543:00031:02/1_1", "nwparser.p0", "no %{p0}"); - - var part2094 = match("MESSAGE#545:00031:04/1_1", "nwparser.p0", "location %{p0}"); - - var part2095 = match("MESSAGE#548:00031:05/2", "nwparser.p0", "%{} %{interface}"); - - var part2096 = match("MESSAGE#549:00031:06/0", "nwparser.payload", "arp re%{p0}"); - - var part2097 = match("MESSAGE#549:00031:06/1_1", "nwparser.p0", "q %{p0}"); - - var part2098 = match("MESSAGE#549:00031:06/1_2", "nwparser.p0", "ply %{p0}"); - - var part2099 = match("MESSAGE#549:00031:06/9_0", "nwparser.p0", "%{interface->} (%{fld1})"); - - var part2100 = match("MESSAGE#561:00033/0_0", "nwparser.payload", "Global PRO %{p0}"); - - var part2101 = match("MESSAGE#561:00033/0_1", "nwparser.payload", "%{fld3->} %{p0}"); - - var part2102 = match("MESSAGE#569:00033:08/0", "nwparser.payload", "NACN Policy Manager %{p0}"); - - var part2103 = match("MESSAGE#569:00033:08/1_0", "nwparser.p0", "1 %{p0}"); - - var part2104 = match("MESSAGE#569:00033:08/1_1", "nwparser.p0", "2 %{p0}"); - - var part2105 = match("MESSAGE#571:00033:10/3_1", "nwparser.p0", "unset %{p0}"); - - var part2106 = match("MESSAGE#581:00033:21/0", "nwparser.payload", "%{signame}! 
From %{saddr}:%{sport->} to %{daddr}:%{dport}, proto %{protocol->} (zone %{zone->} %{p0}"); - - var part2107 = match("MESSAGE#586:00034:01/2_1", "nwparser.p0", "SSH %{p0}"); - - var part2108 = match("MESSAGE#588:00034:03/0_0", "nwparser.payload", "SCS: NetScreen %{p0}"); - - var part2109 = match("MESSAGE#588:00034:03/0_1", "nwparser.payload", "NetScreen %{p0}"); - - var part2110 = match("MESSAGE#595:00034:10/0", "nwparser.payload", "S%{p0}"); - - var part2111 = match("MESSAGE#595:00034:10/1_0", "nwparser.p0", "CS: SSH%{p0}"); - - var part2112 = match("MESSAGE#595:00034:10/1_1", "nwparser.p0", "SH%{p0}"); - - var part2113 = match("MESSAGE#596:00034:12/3_0", "nwparser.p0", "the root system %{p0}"); - - var part2114 = match("MESSAGE#596:00034:12/3_1", "nwparser.p0", "vsys %{fld2->} %{p0}"); - - var part2115 = match("MESSAGE#599:00034:18/1_0", "nwparser.p0", "CS: SSH %{p0}"); - - var part2116 = match("MESSAGE#599:00034:18/1_1", "nwparser.p0", "SH %{p0}"); - - var part2117 = match("MESSAGE#630:00035:06/1_0", "nwparser.p0", "a %{p0}"); - - var part2118 = match("MESSAGE#630:00035:06/1_1", "nwparser.p0", "ert %{p0}"); - - var part2119 = match("MESSAGE#633:00035:09/0", "nwparser.payload", "SSL %{p0}"); - - var part2120 = match("MESSAGE#644:00037:01/1_0", "nwparser.p0", "id: %{p0}"); - - var part2121 = match("MESSAGE#644:00037:01/1_1", "nwparser.p0", "ID %{p0}"); - - var part2122 = match("MESSAGE#659:00044/1_0", "nwparser.p0", "permit %{p0}"); - - var part2123 = match("MESSAGE#675:00055/0", "nwparser.payload", "IGMP %{p0}"); - - var part2124 = match("MESSAGE#677:00055:02/0", "nwparser.payload", "IGMP will %{p0}"); - - var part2125 = match("MESSAGE#677:00055:02/1_0", "nwparser.p0", "not do %{p0}"); - - var part2126 = match("MESSAGE#677:00055:02/1_1", "nwparser.p0", "do %{p0}"); - - var part2127 = match("MESSAGE#689:00059/1_1", "nwparser.p0", "shut down %{p0}"); - - var part2128 = match("MESSAGE#707:00070/0", "nwparser.payload", "NSRP: %{p0}"); - - var part2129 = 
match("MESSAGE#707:00070/1_0", "nwparser.p0", "Unit %{p0}"); - - var part2130 = match("MESSAGE#707:00070/1_1", "nwparser.p0", "local unit= %{p0}"); - - var part2131 = match("MESSAGE#707:00070/2", "nwparser.p0", "%{fld2->} of VSD group %{group->} %{info}"); - - var part2132 = match("MESSAGE#708:00070:01/0", "nwparser.payload", "The local device %{fld2->} in the Virtual Sec%{p0}"); - - var part2133 = match("MESSAGE#708:00070:01/1_0", "nwparser.p0", "ruity%{p0}"); - - var part2134 = match("MESSAGE#708:00070:01/1_1", "nwparser.p0", "urity%{p0}"); - - var part2135 = match("MESSAGE#713:00072:01/2", "nwparser.p0", "%{}Device group %{group->} changed state"); - - var part2136 = match("MESSAGE#717:00075/2", "nwparser.p0", "%{fld2->} of VSD group %{group->} %{info}"); - - var part2137 = match("MESSAGE#748:00257:19/0", "nwparser.payload", "start_time=%{p0}"); - - var part2138 = match("MESSAGE#748:00257:19/1_0", "nwparser.p0", "\\\"%{fld2}\\\"%{p0}"); - - var part2139 = match("MESSAGE#748:00257:19/1_1", "nwparser.p0", " \"%{fld2}\" %{p0}"); - - var part2140 = match_copy("MESSAGE#756:00257:10/1_1", "nwparser.p0", "daddr"); - - var part2141 = match("MESSAGE#760:00259/0_0", "nwparser.payload", "Admin %{p0}"); - - var part2142 = match("MESSAGE#760:00259/0_1", "nwparser.payload", "Vsys admin %{p0}"); - - var part2143 = match("MESSAGE#760:00259/2_1", "nwparser.p0", "Telnet %{p0}"); - - var part2144 = match("MESSAGE#777:00406/2", "nwparser.p0", "%{interface}). Occurred %{dclass_counter1->} times."); - - var part2145 = match("MESSAGE#790:00423/2", "nwparser.p0", "%{interface}).%{space}Occurred %{dclass_counter1->} times."); - - var part2146 = match("MESSAGE#793:00430/2", "nwparser.p0", "%{interface}).%{space}Occurred %{dclass_counter1->} times.%{p0}"); - - var part2147 = match("MESSAGE#795:00431/0", "nwparser.payload", "%{obj_type->} %{disposition}! 
From %{saddr}:%{sport->} to %{daddr}:%{dport}, proto %{protocol->} (zone %{zone->} %{p0}"); - - var part2148 = match("MESSAGE#797:00433/0", "nwparser.payload", "%{signame->} %{disposition}! From %{saddr}:%{sport->} to %{daddr}:%{dport}, proto %{protocol->} (zone %{zone->} %{p0}"); - - var part2149 = match("MESSAGE#804:00437:01/0", "nwparser.payload", "%{signame}! From %{saddr}:%{sport->} to %{daddr}:%{dport}, proto %{protocol->} (zone %{p0}"); - - var part2150 = match("MESSAGE#817:00511:01/1_0", "nwparser.p0", "%{administrator->} (%{fld1})"); - - var part2151 = match("MESSAGE#835:00515:04/2_1", "nwparser.p0", "ut %{p0}"); - - var part2152 = match("MESSAGE#835:00515:04/4_0", "nwparser.p0", "%{logon_type->} from %{saddr}:%{sport}"); - - var part2153 = match("MESSAGE#837:00515:05/1_0", "nwparser.p0", "user %{p0}"); - - var part2154 = match("MESSAGE#837:00515:05/5_0", "nwparser.p0", "the %{logon_type}"); - - var part2155 = match("MESSAGE#869:00519:01/1_0", "nwparser.p0", "WebAuth user %{p0}"); - - var part2156 = match("MESSAGE#876:00520:02/1_1", "nwparser.p0", "backup1 %{p0}"); - - var part2157 = match("MESSAGE#876:00520:02/1_2", "nwparser.p0", "backup2 %{p0}"); - - var part2158 = match("MESSAGE#890:00524:13/1_0", "nwparser.p0", ",%{p0}"); - - var part2159 = match("MESSAGE#901:00527/1_0", "nwparser.p0", "assigned %{p0}"); - - var part2160 = match("MESSAGE#901:00527/3_0", "nwparser.p0", "assigned to %{p0}"); - - var part2161 = match("MESSAGE#927:00528:15/1_0", "nwparser.p0", "'%{administrator}' %{p0}"); - - var part2162 = match("MESSAGE#930:00528:18/0", "nwparser.payload", "SSH: P%{p0}"); - - var part2163 = match("MESSAGE#930:00528:18/1_0", "nwparser.p0", "KA %{p0}"); - - var part2164 = match("MESSAGE#930:00528:18/1_1", "nwparser.p0", "assword %{p0}"); - - var part2165 = match("MESSAGE#930:00528:18/3_0", "nwparser.p0", "\\'%{administrator}\\' %{p0}"); - - var part2166 = match("MESSAGE#930:00528:18/4", "nwparser.p0", "at host %{saddr}"); - - var part2167 = 
match("MESSAGE#932:00528:19/0", "nwparser.payload", "%{}S%{p0}"); - - var part2168 = match("MESSAGE#932:00528:19/1_0", "nwparser.p0", "CS %{p0}"); - - var part2169 = match("MESSAGE#1060:00553/2", "nwparser.p0", "from server.ini file.%{}"); - - var part2170 = match("MESSAGE#1064:00553:04/1_0", "nwparser.p0", "pattern %{p0}"); - - var part2171 = match("MESSAGE#1064:00553:04/1_1", "nwparser.p0", "server.ini %{p0}"); - - var part2172 = match("MESSAGE#1068:00553:08/2", "nwparser.p0", "file.%{}"); - - var part2173 = match("MESSAGE#1087:00554:04/1_1", "nwparser.p0", "AV pattern %{p0}"); - - var part2174 = match("MESSAGE#1116:00556:14/1_0", "nwparser.p0", "added into %{p0}"); - - var part2175 = match("MESSAGE#1157:00767:11/1_0", "nwparser.p0", "loader %{p0}"); - - var select436 = linear_select([ - dup10, - dup11, - ]); - - var part2176 = match("MESSAGE#7:00001:07", "nwparser.payload", "Policy ID=%{policy_id->} Rate=%{fld2->} exceeds threshold", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var select437 = linear_select([ - dup13, - dup14, - ]); - - var select438 = linear_select([ - dup15, - dup16, - ]); - - var select439 = linear_select([ - dup56, - dup57, - ]); - - var select440 = linear_select([ - dup65, - dup66, - ]); - - var select441 = linear_select([ - dup68, - dup69, - ]); - - var select442 = linear_select([ - dup71, - dup72, - ]); - - var part2177 = match("MESSAGE#84:00005:04", "nwparser.payload", "%{signame->} from %{saddr}/%{sport->} to %{daddr}/%{dport->} protocol %{protocol->} (%{interface})", processor_chain([ - dup58, - dup2, - dup3, - dup4, - dup5, - dup61, - ])); - - var select443 = linear_select([ - dup74, - dup75, - ]); - - var select444 = linear_select([ - dup81, - dup82, - ]); - - var select445 = linear_select([ - dup24, - dup90, - ]); - - var select446 = linear_select([ - dup94, - dup95, - ]); - - var select447 = linear_select([ - dup98, - dup99, - ]); - - var select448 = linear_select([ - dup100, - dup101, - dup102, - ]); - - 
var select449 = linear_select([ - dup113, - dup114, - ]); - - var select450 = linear_select([ - dup111, - dup16, - ]); - - var select451 = linear_select([ - dup127, - dup107, - ]); - - var select452 = linear_select([ - dup8, - dup21, - ]); - - var select453 = linear_select([ - dup122, - dup133, - ]); - - var select454 = linear_select([ - dup142, - dup143, - ]); - - var select455 = linear_select([ - dup145, - dup21, - ]); - - var select456 = linear_select([ - dup127, - dup106, - ]); - - var select457 = linear_select([ - dup152, - dup96, - ]); - - var select458 = linear_select([ - dup154, - dup155, - ]); - - var select459 = linear_select([ - dup156, - dup157, - ]); - - var select460 = linear_select([ - dup99, - dup134, - ]); - - var select461 = linear_select([ - dup158, - dup159, - ]); - - var select462 = linear_select([ - dup161, - dup162, - ]); - - var select463 = linear_select([ - dup163, - dup103, - ]); - - var select464 = linear_select([ - dup162, - dup161, - ]); - - var select465 = linear_select([ - dup46, - dup47, - ]); - - var select466 = linear_select([ - dup166, - dup167, - ]); - - var select467 = linear_select([ - dup172, - dup173, - ]); - - var select468 = linear_select([ - dup174, - dup175, - dup176, - dup177, - dup178, - dup179, - dup180, - dup181, - dup182, - ]); - - var select469 = linear_select([ - dup49, - dup21, - ]); - - var select470 = linear_select([ - dup189, - dup190, - ]); - - var select471 = linear_select([ - dup96, - dup152, - ]); - - var select472 = linear_select([ - dup196, - dup197, - ]); - - var select473 = linear_select([ - dup24, - dup200, - ]); - - var select474 = linear_select([ - dup103, - dup163, - ]); - - var select475 = linear_select([ - dup205, - dup118, - ]); - - var part2178 = match("MESSAGE#477:00030:02", "nwparser.payload", "%{change_attribute->} has been changed from %{change_old->} to %{change_new}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var select476 = linear_select([ - dup212, - dup213, - 
]); - - var select477 = linear_select([ - dup215, - dup216, - ]); - - var select478 = linear_select([ - dup222, - dup215, - ]); - - var select479 = linear_select([ - dup224, - dup225, - ]); - - var select480 = linear_select([ - dup231, - dup124, - ]); - - var select481 = linear_select([ - dup229, - dup230, - ]); - - var select482 = linear_select([ - dup233, - dup234, - ]); - - var select483 = linear_select([ - dup236, - dup237, - ]); - - var select484 = linear_select([ - dup242, - dup243, - ]); - - var select485 = linear_select([ - dup245, - dup246, - ]); - - var select486 = linear_select([ - dup247, - dup248, - ]); - - var select487 = linear_select([ - dup249, - dup250, - ]); - - var select488 = linear_select([ - dup251, - dup252, - ]); - - var select489 = linear_select([ - dup260, - dup261, - ]); - - var select490 = linear_select([ - dup264, - dup265, - ]); - - var select491 = linear_select([ - dup268, - dup269, - ]); - - var part2179 = match("MESSAGE#716:00074", "nwparser.payload", "The local device %{fld2->} in the Virtual Security Device group %{group->} %{info}", processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ])); - - var select492 = linear_select([ - dup284, - dup285, - ]); - - var select493 = linear_select([ - dup287, - dup288, - ]); - - var part2180 = match("MESSAGE#799:00435", "nwparser.payload", "%{signame->} From %{saddr->} to %{daddr}, using protocol %{protocol}, and arriving at interface %{dinterface->} in zone %{dst_zone}.%{space}The attack occurred %{dclass_counter1->} times.", processor_chain([ - dup58, - dup2, - dup59, - dup4, - dup5, - dup3, - dup60, - ])); - - var part2181 = match("MESSAGE#814:00442", "nwparser.payload", "%{signame->} From %{saddr->} to zone %{zone}, proto %{protocol->} (int %{interface}). Occurred %{dclass_counter1->} times. 
(%{fld1})", processor_chain([ - dup58, - dup4, - dup59, - dup5, - dup9, - dup2, - dup3, - dup60, - ])); - - var select494 = linear_select([ - dup300, - dup26, - ]); - - var select495 = linear_select([ - dup115, - dup303, - ]); - - var select496 = linear_select([ - dup125, - dup96, - ]); - - var select497 = linear_select([ - dup189, - dup308, - dup309, - ]); - - var select498 = linear_select([ - dup310, - dup16, - ]); - - var select499 = linear_select([ - dup317, - dup318, - ]); - - var select500 = linear_select([ - dup319, - dup315, - ]); - - var select501 = linear_select([ - dup322, - dup250, - ]); - - var select502 = linear_select([ - dup327, - dup329, - ]); - - var select503 = linear_select([ - dup330, - dup129, - ]); - - var part2182 = match("MESSAGE#1196:01269:01", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} direction=%{direction->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} icmp type=%{icmptype}", processor_chain([ - dup281, - dup2, - dup4, - dup5, - dup274, - dup3, - dup275, - dup60, - dup282, - ])); - - var part2183 = match("MESSAGE#1197:01269:02", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=Deny sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} icmp type=%{icmptype}", processor_chain([ - dup185, - dup2, - dup4, - dup5, - dup274, - dup3, - dup275, - dup276, - dup277, - dup60, - ])); - - var part2184 = match("MESSAGE#1198:01269:03", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} icmp type=%{icmptype}", processor_chain([ - dup281, - dup2, - dup4, - dup5, - 
dup274, - dup3, - dup275, - dup60, - dup282, - ])); - - var part2185 = match("MESSAGE#1203:23184", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} (%{fld3}) proto=%{protocol->} direction=%{direction->} action=Deny sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport}", processor_chain([ - dup185, - dup2, - dup4, - dup5, - dup274, - dup3, - dup275, - dup276, - dup277, - dup61, - ])); - - var all391 = all_match({ - processors: [ - dup263, - dup390, - dup266, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var all392 = all_match({ - processors: [ - dup267, - dup391, - dup270, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), - }); - - var all393 = all_match({ - processors: [ - dup80, - dup343, - dup293, - ], - on_success: processor_chain([ - dup58, - dup2, - dup59, - dup3, - dup4, - dup5, - dup61, - ]), - }); - - var all394 = all_match({ - processors: [ - dup296, - dup343, - dup131, - ], - on_success: processor_chain([ - dup297, - dup2, - dup3, - dup9, - dup59, - dup4, - dup5, - dup61, - ]), - }); - - var all395 = all_match({ - processors: [ - dup298, - dup343, - dup131, - ], - on_success: processor_chain([ - dup297, - dup2, - dup3, - dup9, - dup59, - dup4, - dup5, - dup61, - ]), - }); - -- community_id: -- registered_domain: - ignore_missing: true - ignore_failure: true - field: dns.question.name - target_field: dns.question.registered_domain - target_subdomain_field: dns.question.subdomain - target_etld_field: dns.question.top_level_domain -- registered_domain: - ignore_missing: true - ignore_failure: true - field: client.domain - target_field: client.registered_domain - target_subdomain_field: client.subdomain - target_etld_field: client.top_level_domain -- registered_domain: - ignore_missing: true - ignore_failure: true - field: server.domain - target_field: 
server.registered_domain - target_subdomain_field: server.subdomain - target_etld_field: server.top_level_domain -- registered_domain: - ignore_missing: true - ignore_failure: true - field: destination.domain - target_field: destination.registered_domain - target_subdomain_field: destination.subdomain - target_etld_field: destination.top_level_domain -- registered_domain: - ignore_missing: true - ignore_failure: true - field: source.domain - target_field: source.registered_domain - target_subdomain_field: source.subdomain - target_etld_field: source.top_level_domain -- registered_domain: - ignore_missing: true - ignore_failure: true - field: url.domain - target_field: url.registered_domain - target_subdomain_field: url.subdomain - target_etld_field: url.top_level_domain -- add_locale: ~
diff --git a/packages/juniper_netscreen/0.4.2/data_stream/log/elasticsearch/ingest_pipeline/default.yml b/packages/juniper_netscreen/0.4.2/data_stream/log/elasticsearch/ingest_pipeline/default.yml
deleted file mode 100755
index cfdf886443..0000000000
--- a/packages/juniper_netscreen/0.4.2/data_stream/log/elasticsearch/ingest_pipeline/default.yml
+++ /dev/null
@@ -1,94 +0,0 @@ ---- -description: Pipeline for Netscreen - -processors: - - set: - field: ecs.version - value: '8.4.0' - # User agent - - user_agent: - field: user_agent.original - ignore_missing: true - # IP Geolocation Lookup - - geoip: - field: source.ip - target_field: source.geo - ignore_missing: true - - geoip: - field: destination.ip - target_field: destination.geo - ignore_missing: true - - # Canonicalise MAC addresses - - gsub: - field: destination.mac - ignore_missing: true - pattern: '[:.]' - replacement: '-' - - uppercase: - field: destination.mac - ignore_missing: true - - gsub: - field: source.mac - ignore_missing: true - pattern: '[:.]' - replacement: '-' - - uppercase: - field: source.mac - ignore_missing: true - - gsub: - field: host.mac - ignore_missing: true - pattern: '[:.]' - replacement: '-' - - uppercase: - field: host.mac - ignore_missing: true - - # IP Autonomous System (AS) Lookup - - geoip: - database_file: GeoLite2-ASN.mmdb - field: source.ip - target_field: source.as - properties: - - asn - - organization_name - ignore_missing: true - - geoip: - database_file: GeoLite2-ASN.mmdb - field: destination.ip - target_field: destination.as - properties: - - asn - - organization_name - ignore_missing: true - - rename: - field: source.as.asn - target_field: source.as.number - ignore_missing: true - - rename: - field: source.as.organization_name - target_field: source.as.organization.name - ignore_missing: true - - rename: - field: destination.as.asn - target_field: destination.as.number - ignore_missing: true - - rename: - field: destination.as.organization_name - target_field: destination.as.organization.name - ignore_missing: true - - append: - field: related.hosts - value: '{{host.name}}' - allow_duplicates: false - if: ctx.host?.name != null && ctx.host?.name != '' - - remove: - field: event.original - if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" - ignore_failure: true - ignore_missing: true -on_failure: - - 
append: - field: error.message - value: "{{ _ingest.on_failure_message }}"
diff --git a/packages/juniper_netscreen/0.4.2/data_stream/log/fields/agent.yml b/packages/juniper_netscreen/0.4.2/data_stream/log/fields/agent.yml
deleted file mode 100755
index 38bb8dcec5..0000000000
--- a/packages/juniper_netscreen/0.4.2/data_stream/log/fields/agent.yml
+++ /dev/null
@@ -1,175 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). 
- example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. -
diff --git a/packages/juniper_netscreen/0.4.2/data_stream/log/fields/base-fields.yml b/packages/juniper_netscreen/0.4.2/data_stream/log/fields/base-fields.yml
deleted file mode 100755
index 50748c8646..0000000000
--- a/packages/juniper_netscreen/0.4.2/data_stream/log/fields/base-fields.yml
+++ /dev/null
@@ -1,43 +0,0 @@
-- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: event.module - type: constant_keyword - description: Event module - value: juniper_netscreen -- name: event.dataset - type: constant_keyword - description: Event dataset - value: juniper_netscreen.log -- name: container.id - description: Unique container id. - ignore_above: 1024 - type: keyword -- name: input.type - description: Type of Filebeat input. - type: keyword -- name: log.file.path - description: Full path to the log file this event came from. - example: /var/log/fun-times.log - ignore_above: 1024 - type: keyword -- name: log.source.address - description: Source address from which the log event was read / sent from. - type: keyword -- name: log.flags - description: Flags for the log file. - type: keyword -- name: log.offset - description: Offset of the entry in the log file. - type: long -- name: tags - description: List of keywords used to tag each event. - example: '["production", "env2"]' - ignore_above: 1024 - type: keyword
diff --git a/packages/juniper_netscreen/0.4.2/data_stream/log/fields/ecs.yml b/packages/juniper_netscreen/0.4.2/data_stream/log/fields/ecs.yml
deleted file mode 100755
index f7e5c95752..0000000000
--- a/packages/juniper_netscreen/0.4.2/data_stream/log/fields/ecs.yml
+++ /dev/null
@@ -1,547 +0,0 @@ -- description: |- - Date/time when the event originated. - This is the date/time extracted from the event, typically representing when the event was generated by the source. - If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. - Required field for all events. - name: '@timestamp' - type: date -- description: |- - The domain name of the client system. - This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. - name: client.domain - type: keyword -- description: |- - The highest registered client domain, stripped of the subdomain. - For example, the registered domain for "foo.example.com" is "example.com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". - name: client.registered_domain - type: keyword -- description: |- - The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. - For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. - name: client.subdomain - type: keyword -- description: |- - The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). 
Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". - name: client.top_level_domain - type: keyword -- description: |- - Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: destination.address - type: keyword -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: destination.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: destination.as.organization.name - type: keyword -- description: Bytes sent from the destination to the source. - name: destination.bytes - type: long -- description: |- - The domain name of the destination system. - This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. - name: destination.domain - type: keyword -- description: City name. - name: destination.geo.city_name - type: keyword -- description: Country name. - name: destination.geo.country_name - type: keyword -- description: Longitude and latitude. - name: destination.geo.location - type: geo_point -- description: IP address of the destination (IPv4 or IPv6). - name: destination.ip - type: ip -- description: |- - MAC address of the destination. - The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. 
- name: destination.mac - pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ - type: keyword -- description: |- - Translated ip of destination based NAT sessions (e.g. internet to private DMZ) - Typically used with load balancers, firewalls, or routers. - name: destination.nat.ip - type: ip -- description: |- - Port the source session is translated to by NAT Device. - Typically used with load balancers, firewalls, or routers. - name: destination.nat.port - type: long -- description: Port of the destination. - name: destination.port - type: long -- description: |- - The highest registered destination domain, stripped of the subdomain. - For example, the registered domain for "foo.example.com" is "example.com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". - name: destination.registered_domain - type: keyword -- description: |- - The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. - For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. - name: destination.subdomain - type: keyword -- description: |- - The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". 
- name: destination.top_level_domain - type: keyword -- description: |- - The domain name to which this resource record pertains. - If a chain of CNAME is being resolved, each answer's `name` should be the one that corresponds with the answer's `data`. It should not simply be the original `question.name` repeated. - name: dns.answers.name - type: keyword -- description: The type of data contained in this resource record. - name: dns.answers.type - type: keyword -- description: |- - The highest registered domain, stripped of the subdomain. - For example, the registered domain for "foo.example.com" is "example.com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". - name: dns.question.registered_domain - type: keyword -- description: |- - The subdomain is all of the labels under the registered_domain. - If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. - name: dns.question.subdomain - type: keyword -- description: |- - The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". - name: dns.question.top_level_domain - type: keyword -- description: The type of record being queried. - name: dns.question.type - type: keyword -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. 
- When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: Error message. - name: error.message - type: match_only_text -- description: |- - The action captured by the event. - This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. - name: event.action - type: keyword -- description: |- - Identification code for this event, if one exists. - Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. - name: event.code - type: keyword -- description: |- - Timestamp when an event arrived in the central data store. - This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. - In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. - name: event.ingested - type: date -- description: |- - Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. - This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. - doc_values: false - index: false - name: event.original - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. 
- `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. - Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. - Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. - Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. - name: event.outcome - type: keyword -- description: |- - This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. - Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). - name: event.timezone - type: keyword -- description: |- - Array of file attributes. - Attributes names will vary by platform. Here's a non-exhaustive list of values that are expected in this field: archive, compressed, directory, encrypted, execute, hidden, read, readonly, system, write. - name: file.attributes - normalize: - - array - type: keyword -- description: Directory where the file is located. It should include the drive letter, when appropriate. - name: file.directory - type: keyword -- description: |- - File extension, excluding the leading dot. - Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). - name: file.extension - type: keyword -- description: Name of the file including the extension, without the directory. 
- name: file.name - type: keyword -- description: Full path to the file, including the file name. It should include the drive letter, when appropriate. - multi_fields: - - name: text - type: match_only_text - name: file.path - type: keyword -- description: |- - File size in bytes. - Only relevant when `file.type` is "file". - name: file.size - type: long -- description: File type (file, dir, or symlink). - name: file.type - type: keyword -- description: City name. - name: geo.city_name - type: keyword -- description: Country name. - name: geo.country_name - type: keyword -- description: |- - User-defined description of a location, at the level of granularity they care about. - Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. - Not typically used in automated geolocation. - name: geo.name - type: keyword -- description: Region name. - name: geo.region_name - type: keyword -- description: Unique identifier for the group on the system/platform. - name: group.id - type: keyword -- description: Name of the group. - name: group.name - type: keyword -- description: |- - Hostname of the host. - It normally contains what the `hostname` command returns on the host machine. - name: host.hostname - type: keyword -- description: Host ip addresses. - name: host.ip - normalize: - - array - type: ip -- description: |- - Host MAC addresses. - The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. - name: host.mac - normalize: - - array - pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ - type: keyword -- description: |- - Name of the host. - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. 
- name: host.name - type: keyword -- description: |- - HTTP request method. - The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field. - name: http.request.method - type: keyword -- description: Referrer for this HTTP request. - name: http.request.referrer - type: keyword -- description: |- - Original log level of the log event. - If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). - Some examples are `warn`, `err`, `i`, `informational`. - name: log.level - type: keyword -- description: |- - The Syslog numeric facility of the log event, if available. - According to RFCs 5424 and 3164, this value should be an integer between 0 and 23. - name: log.syslog.facility.code - type: long -- description: |- - Syslog numeric priority of the event, if available. - According to RFCs 5424 and 3164, the priority is 8 * facility + severity. This number is therefore expected to contain a value between 0 and 191. - name: log.syslog.priority - type: long -- description: |- - The Syslog numeric severity of the log event, if available. - If the event source publishing via Syslog provides a different numeric severity value (e.g. firewall, IDS), your source's numeric severity should go to `event.severity`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `event.severity`. - name: log.syslog.severity.code - type: long -- description: |- - For log events the message field contains the log message, optimized for viewing in a log viewer. - For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. - If multiple messages exist, they can be combined into one message. 
- name: message - type: match_only_text -- description: |- - When a specific application or service is identified from network connection details (source/dest IPs, ports, certificates, or wire format), this field captures the application's or service's name. - For example, the original event identifies the network connection being from a specific web service in a `https` network connection, like `facebook` or `twitter`. - The field value must be normalized to lowercase for querying. - name: network.application - type: keyword -- description: |- - Total bytes transferred in both directions. - If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. - name: network.bytes - type: long -- description: |- - Direction of the network traffic. - When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". - When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". - Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. - name: network.direction - type: keyword -- description: Host IP address when the source IP address is the proxy. - name: network.forwarded_ip - type: ip -- description: |- - Total packets transferred in both directions. - If `source.packets` and `destination.packets` are known, `network.packets` is their sum. - name: network.packets - type: long -- description: |- - In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. - The field value must be normalized to lowercase for querying. 
- name: network.protocol - type: keyword -- description: Interface name as reported by the system. - name: observer.egress.interface.name - type: keyword -- description: Interface name as reported by the system. - name: observer.ingress.interface.name - type: keyword -- description: The product name of the observer. - name: observer.product - type: keyword -- description: |- - The type of the observer the data is coming from. - There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. - name: observer.type - type: keyword -- description: Vendor name of the observer. - name: observer.vendor - type: keyword -- description: Observer version. - name: observer.version - type: keyword -- description: |- - Process name. - Sometimes called program name or similar. - multi_fields: - - name: text - type: match_only_text - name: process.name - type: keyword -- description: |- - Process name. - Sometimes called program name or similar. - multi_fields: - - name: text - type: match_only_text - name: process.parent.name - type: keyword -- description: |- - Process title. - The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. - multi_fields: - - name: text - type: match_only_text - name: process.parent.title - type: keyword -- description: Process id. - name: process.pid - type: long -- description: Process id. - name: process.parent.pid - type: long -- description: |- - Process title. - The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. - multi_fields: - - name: text - type: match_only_text - name: process.title - type: keyword -- description: All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. 
- name: related.hosts - normalize: - - array - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - normalize: - - array - type: ip -- description: All the user names or other user identifiers seen on the event. - name: related.user - normalize: - - array - type: keyword -- description: The name of the rule or signature generating the event. - name: rule.name - type: keyword -- description: |- - The domain name of the server system. - This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. - name: server.domain - type: keyword -- description: |- - The highest registered server domain, stripped of the subdomain. - For example, the registered domain for "foo.example.com" is "example.com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". - name: server.registered_domain - type: keyword -- description: |- - The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. - For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. - name: server.subdomain - type: keyword -- description: |- - The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). 
Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". - name: server.top_level_domain - type: keyword -- description: |- - Name of the service data is collected from. - The name of the service is normally user given. This allows for distributed services that run on multiple hosts to correlate the related instances based on the name. - In the case of Elasticsearch the `service.name` could contain the cluster name. For Beats the `service.name` is by default a copy of the `service.type` field if no name is specified. - name: service.name - type: keyword -- description: |- - Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: source.address - type: keyword -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: source.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: source.as.organization.name - type: keyword -- description: Bytes sent from the source to the destination. - name: source.bytes - type: long -- description: |- - The domain name of the source system. - This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. - name: source.domain - type: keyword -- description: City name. - name: source.geo.city_name - type: keyword -- description: Country name. - name: source.geo.country_name - type: keyword -- description: Longitude and latitude. - name: source.geo.location - type: geo_point -- description: IP address of the source (IPv4 or IPv6). 
- name: source.ip - type: ip -- description: |- - MAC address of the source. - The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. - name: source.mac - pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ - type: keyword -- description: |- - Translated ip of source based NAT sessions (e.g. internal client to internet) - Typically connections traversing load balancers, firewalls, or routers. - name: source.nat.ip - type: ip -- description: |- - Translated port of source based NAT sessions. (e.g. internal client to internet) - Typically used with load balancers, firewalls, or routers. - name: source.nat.port - type: long -- description: Port of the source. - name: source.port - type: long -- description: |- - The highest registered source domain, stripped of the subdomain. - For example, the registered domain for "foo.example.com" is "example.com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". - name: source.registered_domain - type: keyword -- description: |- - The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. - For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. 
- name: source.subdomain - type: keyword -- description: |- - The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". - name: source.top_level_domain - type: keyword -- description: List of keywords used to tag each event. - name: tags - normalize: - - array - type: keyword -- description: |- - Domain of the url, such as "www.elastic.co". - In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. - If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. - name: url.domain - type: keyword -- description: |- - Unmodified original url as seen in the event source. - Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. - This field is meant to represent the URL as it was observed, complete or not. - multi_fields: - - name: text - type: match_only_text - name: url.original - type: wildcard -- description: Path of the request, such as "/search". - name: url.path - type: wildcard -- description: |- - The query field describes the query string of the request, such as "q=elasticsearch". - The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. - name: url.query - type: keyword -- description: |- - The highest registered url domain, stripped of the subdomain. 
- For example, the registered domain for "foo.example.com" is "example.com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". - name: url.registered_domain - type: keyword -- description: |- - The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". - name: url.top_level_domain - type: keyword -- description: |- - Name of the directory the user is a member of. - For example, an LDAP or Active Directory domain name. - name: user.domain - type: keyword -- description: User's full name, if available. - multi_fields: - - name: text - type: match_only_text - name: user.full_name - type: keyword -- description: Unique identifier of the user. - name: user.id - type: keyword -- description: Short name or login of the user. - multi_fields: - - name: text - type: match_only_text - name: user.name - type: keyword -- description: Unparsed user_agent string. - multi_fields: - - name: text - type: match_only_text - name: user_agent.original - type: keyword diff --git a/packages/juniper_netscreen/0.4.2/data_stream/log/fields/fields.yml b/packages/juniper_netscreen/0.4.2/data_stream/log/fields/fields.yml deleted file mode 100755 index ea69cd79e3..0000000000 --- a/packages/juniper_netscreen/0.4.2/data_stream/log/fields/fields.yml +++ /dev/null 
@@ -1,1754 +0,0 @@ -- name: rsa - type: group - fields: - - name: internal - type: group - fields: - - name: msg - type: keyword - description: This key is used to capture the raw message that comes into the Log Decoder - - name: messageid - type: keyword - - name: event_desc - type: keyword - - name: message - type: keyword - description: This key captures the contents of instant messages - - name: time - type: date - description: This is the time at which a session hits a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. - - name: level - type: long - description: Deprecated key defined only in table map. - - name: msg_id - type: keyword - description: This is the Message ID1 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: msg_vid - type: keyword - description: This is the Message ID2 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: data - type: keyword - description: Deprecated key defined only in table map. - - name: obj_server - type: keyword - description: Deprecated key defined only in table map. - - name: obj_val - type: keyword - description: Deprecated key defined only in table map. - - name: resource - type: keyword - description: Deprecated key defined only in table map. - - name: obj_id - type: keyword - description: Deprecated key defined only in table map. - - name: statement - type: keyword - description: Deprecated key defined only in table map. - - name: audit_class - type: keyword - description: Deprecated key defined only in table map. 
- - name: entry - type: keyword - description: Deprecated key defined only in table map. - - name: hcode - type: keyword - description: Deprecated key defined only in table map. - - name: inode - type: long - description: Deprecated key defined only in table map. - - name: resource_class - type: keyword - description: Deprecated key defined only in table map. - - name: dead - type: long - description: Deprecated key defined only in table map. - - name: feed_desc - type: keyword - description: This is used to capture the description of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: feed_name - type: keyword - description: This is used to capture the name of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: cid - type: keyword - description: This is the unique identifier used to identify a NetWitness Concentrator. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: device_class - type: keyword - description: This is the Classification of the Log Event Source under a predefined fixed set of Event Source Classifications. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: device_group - type: keyword - description: This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: device_host - type: keyword - description: This is the Hostname of the log Event Source sending the logs to NetWitness. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: device_ip - type: ip - description: This is the IPv4 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: device_ipv6 - type: ip - description: This is the IPv6 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: device_type - type: keyword - description: This is the name of the log parser which parsed a given session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: device_type_id - type: long - description: Deprecated key defined only in table map. - - name: did - type: keyword - description: This is the unique identifier used to identify a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: entropy_req - type: long - description: This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration - - name: entropy_res - type: long - description: This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration - - name: event_name - type: keyword - description: Deprecated key defined only in table map. - - name: feed_category - type: keyword - description: This is used to capture the category of the feed. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: forward_ip - type: ip - description: This key should be used to capture the IPV4 address of a relay system which forwarded the events from the original system to NetWitness. - - name: forward_ipv6 - type: ip - description: This key is used to capture the IPV6 address of a relay system which forwarded the events from the original system to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: header_id - type: keyword - description: This is the Header ID value that identifies the exact log parser header definition that parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: lc_cid - type: keyword - description: This is a unique Identifier of a Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: lc_ctime - type: date - description: This is the time at which a log is collected in a NetWitness Log Collector. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: mcb_req - type: long - description: This key is only used by the Entropy Parser, the most common byte request is simply which byte for each side (0 thru 255) was seen the most - - name: mcb_res - type: long - description: This key is only used by the Entropy Parser, the most common byte response is simply which byte for each side (0 thru 255) was seen the most - - name: mcbc_req - type: long - description: This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams - - name: mcbc_res - type: long - description: This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams - - name: medium - type: long - description: "This key is used to identify if it’s a log/packet session or Layer 2 Encapsulation Type. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. 32 = log, 33 = correlation session, < 32 is packet session" - - name: node_name - type: keyword - description: Deprecated key defined only in table map. - - name: nwe_callback_id - type: keyword - description: This key denotes that event is endpoint related - - name: parse_error - type: keyword - description: This is a special key that stores any Meta key validation error found while parsing a log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: payload_req - type: long - description: This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. 
However, in order to keep - - name: payload_res - type: long - description: This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep - - name: process_vid_dst - type: keyword - description: Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the target process. - - name: process_vid_src - type: keyword - description: Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the source process. - - name: rid - type: long - description: This is a special ID of the Remote Session created by NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: session_split - type: keyword - description: This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: site - type: keyword - description: Deprecated key defined only in table map. - - name: size - type: long - description: This is the size of the session as seen by the NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: sourcefile - type: keyword - description: This is the name of the log file or PCAPs that can be imported into NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: ubc_req - type: long - description: This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 
256 would mean all byte values of 0 thru 255 were seen at least once - - name: ubc_res - type: long - description: This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once - - name: word - type: keyword - description: This is used by the Word Parsing technology to capture the first 5 character of every word in an unparsed log - - name: time - type: group - fields: - - name: event_time - type: date - description: This key is used to capture the time mentioned in a raw session that represents the actual time an event occured in a standard normalized form - - name: duration_time - type: double - description: This key is used to capture the normalized duration/lifetime in seconds. - - name: event_time_str - type: keyword - description: This key is used to capture the incomplete time mentioned in a session as a string - - name: starttime - type: date - description: This key is used to capture the Start time mentioned in a session in a standard form - - name: month - type: keyword - - name: day - type: keyword - - name: endtime - type: date - description: This key is used to capture the End time mentioned in a session in a standard form - - name: timezone - type: keyword - description: This key is used to capture the timezone of the Event Time - - name: duration_str - type: keyword - description: A text string version of the duration - - name: date - type: keyword - - name: year - type: keyword - - name: recorded_time - type: date - description: The event time as recorded by the system the event is collected from. The usage scenario is a multi-tier application where the management layer of the system records it's own timestamp at the time of collection from its child nodes. Must be in timestamp format. 
- - name: datetime - type: keyword - - name: effective_time - type: date - description: This key is the effective time referenced by an individual event in a Standard Timestamp format - - name: expire_time - type: date - description: This key is the timestamp that explicitly refers to an expiration. - - name: process_time - type: keyword - description: Deprecated, use duration.time - - name: hour - type: keyword - - name: min - type: keyword - - name: timestamp - type: keyword - - name: event_queue_time - type: date - description: This key is the Time that the event was queued. - - name: p_time1 - type: keyword - - name: tzone - type: keyword - - name: eventtime - type: keyword - - name: gmtdate - type: keyword - - name: gmttime - type: keyword - - name: p_date - type: keyword - - name: p_month - type: keyword - - name: p_time - type: keyword - - name: p_time2 - type: keyword - - name: p_year - type: keyword - - name: expire_time_str - type: keyword - description: This key is used to capture incomplete timestamp that explicitly refers to an expiration. - - name: stamp - type: date - description: Deprecated key defined only in table map. - - name: misc - type: group - fields: - - name: action - type: keyword - - name: result - type: keyword - description: This key is used to capture the outcome/result string value of an action in a session. - - name: severity - type: keyword - description: This key is used to capture the severity given the session - - name: event_type - type: keyword - description: This key captures the event category type as specified by the event source. - - name: reference_id - type: keyword - description: This key is used to capture an event id from the session directly - - name: version - type: keyword - description: This key captures Version of the application or OS which is generating the event. - - name: disposition - type: keyword - description: This key captures the The end state of an action. 
- - name: result_code - type: keyword - description: This key is used to capture the outcome/result numeric value of an action in a session - - name: category - type: keyword - description: This key is used to capture the category of an event given by the vendor in the session - - name: obj_name - type: keyword - description: This is used to capture name of object - - name: obj_type - type: keyword - description: This is used to capture type of object - - name: event_source - type: keyword - description: "This key captures Source of the event that’s not a hostname" - - name: log_session_id - type: keyword - description: This key is used to capture a sessionid from the session directly - - name: group - type: keyword - description: This key captures the Group Name value - - name: policy_name - type: keyword - description: This key is used to capture the Policy Name only. - - name: rule_name - type: keyword - description: This key captures the Rule Name - - name: context - type: keyword - description: This key captures Information which adds additional context to the event. - - name: change_new - type: keyword - description: "This key is used to capture the new values of the attribute that’s changing in a session" - - name: space - type: keyword - - name: client - type: keyword - description: This key is used to capture only the name of the client application requesting resources of the server. See the user.agent meta key for capture of the specific user agent identifier or browser identification string. - - name: msgIdPart1 - type: keyword - - name: msgIdPart2 - type: keyword - - name: change_old - type: keyword - description: "This key is used to capture the old value of the attribute that’s changing in a session" - - name: operation_id - type: keyword - description: An alert number or operation number. The values should be unique and non-repeating. 
- - name: event_state - type: keyword - description: This key captures the current state of the object/item referenced within the event. Describing an on-going event. - - name: group_object - type: keyword - description: This key captures a collection/grouping of entities. Specific usage - - name: node - type: keyword - description: Common use case is the node name within a cluster. The cluster name is reflected by the host name. - - name: rule - type: keyword - description: This key captures the Rule number - - name: device_name - type: keyword - description: 'This is used to capture name of the Device associated with the node Like: a physical disk, printer, etc' - - name: param - type: keyword - description: This key is the parameters passed as part of a command or application, etc. - - name: change_attrib - type: keyword - description: "This key is used to capture the name of the attribute that’s changing in a session" - - name: event_computer - type: keyword - description: This key is a windows only concept, where this key is used to capture fully qualified domain name in a windows log. - - name: reference_id1 - type: keyword - description: This key is for Linked ID to be used as an addition to "reference.id" - - name: event_log - type: keyword - description: This key captures the Name of the event log - - name: OS - type: keyword - description: This key captures the Name of the Operating System - - name: terminal - type: keyword - description: This key captures the Terminal Names only - - name: msgIdPart3 - type: keyword - - name: filter - type: keyword - description: This key captures Filter used to reduce result set - - name: serial_number - type: keyword - description: This key is the Serial number associated with a physical asset. - - name: checksum - type: keyword - description: This key is used to capture the checksum or hash of the entity such as a file or process. 
Checksum should be used over checksum.src or checksum.dst when it is unclear whether the entity is a source or target of an action. - - name: event_user - type: keyword - description: This key is a windows only concept, where this key is used to capture combination of domain name and username in a windows log. - - name: virusname - type: keyword - description: This key captures the name of the virus - - name: content_type - type: keyword - description: This key is used to capture Content Type only. - - name: group_id - type: keyword - description: This key captures Group ID Number (related to the group name) - - name: policy_id - type: keyword - description: This key is used to capture the Policy ID only, this should be a numeric value, use policy.name otherwise - - name: vsys - type: keyword - description: This key captures Virtual System Name - - name: connection_id - type: keyword - description: This key captures the Connection ID - - name: reference_id2 - type: keyword - description: This key is for the 2nd Linked ID. Can be either linked to "reference.id" or "reference.id1" value but should not be used unless the other two variables are in play. - - name: sensor - type: keyword - description: This key captures Name of the sensor. Typically used in IDS/IPS based devices - - name: sig_id - type: long - description: This key captures IDS/IPS Int Signature ID - - name: port_name - type: keyword - description: 'This key is used for Physical or logical port connection but does NOT include a network port. (Example: Printer port name).' - - name: rule_group - type: keyword - description: This key captures the Rule group name - - name: risk_num - type: double - description: This key captures a Numeric Risk value - - name: trigger_val - type: keyword - description: This key captures the Value of the trigger or threshold condition. 
- - name: log_session_id1 - type: keyword - description: This key is used to capture a Linked (Related) Session ID from the session directly - - name: comp_version - type: keyword - description: This key captures the Version level of a sub-component of a product. - - name: content_version - type: keyword - description: This key captures Version level of a signature or database content. - - name: hardware_id - type: keyword - description: This key is used to capture unique identifier for a device or system (NOT a Mac address) - - name: risk - type: keyword - description: This key captures the non-numeric risk value - - name: event_id - type: keyword - - name: reason - type: keyword - - name: status - type: keyword - - name: mail_id - type: keyword - description: This key is used to capture the mailbox id/name - - name: rule_uid - type: keyword - description: This key is the Unique Identifier for a rule. - - name: trigger_desc - type: keyword - description: This key captures the Description of the trigger or threshold condition. - - name: inout - type: keyword - - name: p_msgid - type: keyword - - name: data_type - type: keyword - - name: msgIdPart4 - type: keyword - - name: error - type: keyword - description: This key captures All non successful Error codes or responses - - name: index - type: keyword - - name: listnum - type: keyword - description: This key is used to capture listname or listnumber, primarily for collecting access-list - - name: ntype - type: keyword - - name: observed_val - type: keyword - description: This key captures the Value observed (from the perspective of the device generating the log). - - name: policy_value - type: keyword - description: This key captures the contents of the policy. 
This contains details about the policy - - name: pool_name - type: keyword - description: This key captures the name of a resource pool - - name: rule_template - type: keyword - description: A default set of parameters which are overlayed onto a rule (or rulename) which efffectively constitutes a template - - name: count - type: keyword - - name: number - type: keyword - - name: sigcat - type: keyword - - name: type - type: keyword - - name: comments - type: keyword - description: Comment information provided in the log message - - name: doc_number - type: long - description: This key captures File Identification number - - name: expected_val - type: keyword - description: This key captures the Value expected (from the perspective of the device generating the log). - - name: job_num - type: keyword - description: This key captures the Job Number - - name: spi_dst - type: keyword - description: Destination SPI Index - - name: spi_src - type: keyword - description: Source SPI Index - - name: code - type: keyword - - name: agent_id - type: keyword - description: This key is used to capture agent id - - name: message_body - type: keyword - description: This key captures the The contents of the message body. - - name: phone - type: keyword - - name: sig_id_str - type: keyword - description: This key captures a string object of the sigid variable. - - name: cmd - type: keyword - - name: misc - type: keyword - - name: name - type: keyword - - name: cpu - type: long - description: This key is the CPU time used in the execution of the event being recorded. - - name: event_desc - type: keyword - description: This key is used to capture a description of an event available directly or inferred - - name: sig_id1 - type: long - description: This key captures IDS/IPS Int Signature ID. 
This must be linked to the sig.id - - name: im_buddyid - type: keyword - - name: im_client - type: keyword - - name: im_userid - type: keyword - - name: pid - type: keyword - - name: priority - type: keyword - - name: context_subject - type: keyword - description: This key is to be used in an audit context where the subject is the object being identified - - name: context_target - type: keyword - - name: cve - type: keyword - description: This key captures CVE (Common Vulnerabilities and Exposures) - an identifier for known information security vulnerabilities. - - name: fcatnum - type: keyword - description: This key captures Filter Category Number. Legacy Usage - - name: library - type: keyword - description: This key is used to capture library information in mainframe devices - - name: parent_node - type: keyword - description: This key captures the Parent Node Name. Must be related to node variable. - - name: risk_info - type: keyword - description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - - name: tcp_flags - type: long - description: This key is captures the TCP flags set in any packet of session - - name: tos - type: long - description: This key describes the type of service - - name: vm_target - type: keyword - description: VMWare Target **VMWARE** only varaible. 
- - name: workspace - type: keyword - description: This key captures Workspace Description - - name: command - type: keyword - - name: event_category - type: keyword - - name: facilityname - type: keyword - - name: forensic_info - type: keyword - - name: jobname - type: keyword - - name: mode - type: keyword - - name: policy - type: keyword - - name: policy_waiver - type: keyword - - name: second - type: keyword - - name: space1 - type: keyword - - name: subcategory - type: keyword - - name: tbdstr2 - type: keyword - - name: alert_id - type: keyword - description: Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - - name: checksum_dst - type: keyword - description: This key is used to capture the checksum or hash of the the target entity such as a process or file. - - name: checksum_src - type: keyword - description: This key is used to capture the checksum or hash of the source entity such as a file or process. - - name: fresult - type: long - description: This key captures the Filter Result - - name: payload_dst - type: keyword - description: This key is used to capture destination payload - - name: payload_src - type: keyword - description: This key is used to capture source payload - - name: pool_id - type: keyword - description: This key captures the identifier (typically numeric field) of a resource pool - - name: process_id_val - type: keyword - description: This key is a failure key for Process ID when it is not an integer value - - name: risk_num_comm - type: double - description: This key captures Risk Number Community - - name: risk_num_next - type: double - description: This key captures Risk Number NextGen - - name: risk_num_sand - type: double - description: This key captures Risk Number SandBox - - name: risk_num_static - type: double - description: This key captures Risk Number Static - - name: risk_suspicious - type: keyword - description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - - name: risk_warning - 
type: keyword - description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - - name: snmp_oid - type: keyword - description: SNMP Object Identifier - - name: sql - type: keyword - description: This key captures the SQL query - - name: vuln_ref - type: keyword - description: This key captures the Vulnerability Reference details - - name: acl_id - type: keyword - - name: acl_op - type: keyword - - name: acl_pos - type: keyword - - name: acl_table - type: keyword - - name: admin - type: keyword - - name: alarm_id - type: keyword - - name: alarmname - type: keyword - - name: app_id - type: keyword - - name: audit - type: keyword - - name: audit_object - type: keyword - - name: auditdata - type: keyword - - name: benchmark - type: keyword - - name: bypass - type: keyword - - name: cache - type: keyword - - name: cache_hit - type: keyword - - name: cefversion - type: keyword - - name: cfg_attr - type: keyword - - name: cfg_obj - type: keyword - - name: cfg_path - type: keyword - - name: changes - type: keyword - - name: client_ip - type: keyword - - name: clustermembers - type: keyword - - name: cn_acttimeout - type: keyword - - name: cn_asn_src - type: keyword - - name: cn_bgpv4nxthop - type: keyword - - name: cn_ctr_dst_code - type: keyword - - name: cn_dst_tos - type: keyword - - name: cn_dst_vlan - type: keyword - - name: cn_engine_id - type: keyword - - name: cn_engine_type - type: keyword - - name: cn_f_switch - type: keyword - - name: cn_flowsampid - type: keyword - - name: cn_flowsampintv - type: keyword - - name: cn_flowsampmode - type: keyword - - name: cn_inacttimeout - type: keyword - - name: cn_inpermbyts - type: keyword - - name: cn_inpermpckts - type: keyword - - name: cn_invalid - type: keyword - - name: cn_ip_proto_ver - type: keyword - - name: cn_ipv4_ident - type: keyword - - name: cn_l_switch - type: keyword - - name: cn_log_did - type: keyword - - name: cn_log_rid - type: keyword - - name: cn_max_ttl - type: keyword - - name: 
cn_maxpcktlen - type: keyword - - name: cn_min_ttl - type: keyword - - name: cn_minpcktlen - type: keyword - - name: cn_mpls_lbl_1 - type: keyword - - name: cn_mpls_lbl_10 - type: keyword - - name: cn_mpls_lbl_2 - type: keyword - - name: cn_mpls_lbl_3 - type: keyword - - name: cn_mpls_lbl_4 - type: keyword - - name: cn_mpls_lbl_5 - type: keyword - - name: cn_mpls_lbl_6 - type: keyword - - name: cn_mpls_lbl_7 - type: keyword - - name: cn_mpls_lbl_8 - type: keyword - - name: cn_mpls_lbl_9 - type: keyword - - name: cn_mplstoplabel - type: keyword - - name: cn_mplstoplabip - type: keyword - - name: cn_mul_dst_byt - type: keyword - - name: cn_mul_dst_pks - type: keyword - - name: cn_muligmptype - type: keyword - - name: cn_sampalgo - type: keyword - - name: cn_sampint - type: keyword - - name: cn_seqctr - type: keyword - - name: cn_spackets - type: keyword - - name: cn_src_tos - type: keyword - - name: cn_src_vlan - type: keyword - - name: cn_sysuptime - type: keyword - - name: cn_template_id - type: keyword - - name: cn_totbytsexp - type: keyword - - name: cn_totflowexp - type: keyword - - name: cn_totpcktsexp - type: keyword - - name: cn_unixnanosecs - type: keyword - - name: cn_v6flowlabel - type: keyword - - name: cn_v6optheaders - type: keyword - - name: comp_class - type: keyword - - name: comp_name - type: keyword - - name: comp_rbytes - type: keyword - - name: comp_sbytes - type: keyword - - name: cpu_data - type: keyword - - name: criticality - type: keyword - - name: cs_agency_dst - type: keyword - - name: cs_analyzedby - type: keyword - - name: cs_av_other - type: keyword - - name: cs_av_primary - type: keyword - - name: cs_av_secondary - type: keyword - - name: cs_bgpv6nxthop - type: keyword - - name: cs_bit9status - type: keyword - - name: cs_context - type: keyword - - name: cs_control - type: keyword - - name: cs_data - type: keyword - - name: cs_datecret - type: keyword - - name: cs_dst_tld - type: keyword - - name: cs_eth_dst_ven - type: keyword - - 
name: cs_eth_src_ven - type: keyword - - name: cs_event_uuid - type: keyword - - name: cs_filetype - type: keyword - - name: cs_fld - type: keyword - - name: cs_if_desc - type: keyword - - name: cs_if_name - type: keyword - - name: cs_ip_next_hop - type: keyword - - name: cs_ipv4dstpre - type: keyword - - name: cs_ipv4srcpre - type: keyword - - name: cs_lifetime - type: keyword - - name: cs_log_medium - type: keyword - - name: cs_loginname - type: keyword - - name: cs_modulescore - type: keyword - - name: cs_modulesign - type: keyword - - name: cs_opswatresult - type: keyword - - name: cs_payload - type: keyword - - name: cs_registrant - type: keyword - - name: cs_registrar - type: keyword - - name: cs_represult - type: keyword - - name: cs_rpayload - type: keyword - - name: cs_sampler_name - type: keyword - - name: cs_sourcemodule - type: keyword - - name: cs_streams - type: keyword - - name: cs_targetmodule - type: keyword - - name: cs_v6nxthop - type: keyword - - name: cs_whois_server - type: keyword - - name: cs_yararesult - type: keyword - - name: description - type: keyword - - name: devvendor - type: keyword - - name: distance - type: keyword - - name: dstburb - type: keyword - - name: edomain - type: keyword - - name: edomaub - type: keyword - - name: euid - type: keyword - - name: facility - type: keyword - - name: finterface - type: keyword - - name: flags - type: keyword - - name: gaddr - type: keyword - - name: id3 - type: keyword - - name: im_buddyname - type: keyword - - name: im_croomid - type: keyword - - name: im_croomtype - type: keyword - - name: im_members - type: keyword - - name: im_username - type: keyword - - name: ipkt - type: keyword - - name: ipscat - type: keyword - - name: ipspri - type: keyword - - name: latitude - type: keyword - - name: linenum - type: keyword - - name: list_name - type: keyword - - name: load_data - type: keyword - - name: location_floor - type: keyword - - name: location_mark - type: keyword - - name: log_id - 
type: keyword - - name: log_type - type: keyword - - name: logid - type: keyword - - name: logip - type: keyword - - name: logname - type: keyword - - name: longitude - type: keyword - - name: lport - type: keyword - - name: mbug_data - type: keyword - - name: misc_name - type: keyword - - name: msg_type - type: keyword - - name: msgid - type: keyword - - name: netsessid - type: keyword - - name: num - type: keyword - - name: number1 - type: keyword - - name: number2 - type: keyword - - name: nwwn - type: keyword - - name: object - type: keyword - - name: operation - type: keyword - - name: opkt - type: keyword - - name: orig_from - type: keyword - - name: owner_id - type: keyword - - name: p_action - type: keyword - - name: p_filter - type: keyword - - name: p_group_object - type: keyword - - name: p_id - type: keyword - - name: p_msgid1 - type: keyword - - name: p_msgid2 - type: keyword - - name: p_result1 - type: keyword - - name: password_chg - type: keyword - - name: password_expire - type: keyword - - name: permgranted - type: keyword - - name: permwanted - type: keyword - - name: pgid - type: keyword - - name: policyUUID - type: keyword - - name: prog_asp_num - type: keyword - - name: program - type: keyword - - name: real_data - type: keyword - - name: rec_asp_device - type: keyword - - name: rec_asp_num - type: keyword - - name: rec_library - type: keyword - - name: recordnum - type: keyword - - name: ruid - type: keyword - - name: sburb - type: keyword - - name: sdomain_fld - type: keyword - - name: sec - type: keyword - - name: sensorname - type: keyword - - name: seqnum - type: keyword - - name: session - type: keyword - - name: sessiontype - type: keyword - - name: sigUUID - type: keyword - - name: spi - type: keyword - - name: srcburb - type: keyword - - name: srcdom - type: keyword - - name: srcservice - type: keyword - - name: state - type: keyword - - name: status1 - type: keyword - - name: svcno - type: keyword - - name: system - type: keyword - - 
name: tbdstr1 - type: keyword - - name: tgtdom - type: keyword - - name: tgtdomain - type: keyword - - name: threshold - type: keyword - - name: type1 - type: keyword - - name: udb_class - type: keyword - - name: url_fld - type: keyword - - name: user_div - type: keyword - - name: userid - type: keyword - - name: username_fld - type: keyword - - name: utcstamp - type: keyword - - name: v_instafname - type: keyword - - name: virt_data - type: keyword - - name: vpnid - type: keyword - - name: autorun_type - type: keyword - description: This is used to capture Auto Run type - - name: cc_number - type: long - description: Valid Credit Card Numbers only - - name: content - type: keyword - description: This key captures the content type from protocol headers - - name: ein_number - type: long - description: Employee Identification Numbers only - - name: found - type: keyword - description: This is used to capture the results of regex match - - name: language - type: keyword - description: This is used to capture list of languages the client support and what it prefers - - name: lifetime - type: long - description: This key is used to capture the session lifetime in seconds. - - name: link - type: keyword - description: This key is used to link the sessions together. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: match - type: keyword - description: This key is for regex match name from search.ini - - name: param_dst - type: keyword - description: This key captures the command line/launch argument of the target process or file - - name: param_src - type: keyword - description: This key captures source parameter - - name: search_text - type: keyword - description: This key captures the Search Text used - - name: sig_name - type: keyword - description: This key is used to capture the Signature Name only. 
- - name: snmp_value - type: keyword - description: SNMP set request value - - name: streams - type: long - description: This key captures number of streams in session - - name: db - type: group - fields: - - name: index - type: keyword - description: This key captures IndexID of the index. - - name: instance - type: keyword - description: This key is used to capture the database server instance name - - name: database - type: keyword - description: This key is used to capture the name of a database or an instance as seen in a session - - name: transact_id - type: keyword - description: This key captures the SQL transantion ID of the current session - - name: permissions - type: keyword - description: This key captures permission or privilege level assigned to a resource. - - name: table_name - type: keyword - description: This key is used to capture the table name - - name: db_id - type: keyword - description: This key is used to capture the unique identifier for a database - - name: db_pid - type: long - description: This key captures the process id of a connection with database server - - name: lread - type: long - description: This key is used for the number of logical reads - - name: lwrite - type: long - description: This key is used for the number of logical writes - - name: pread - type: long - description: This key is used for the number of physical writes - - name: network - type: group - fields: - - name: alias_host - type: keyword - description: This key should be used when the source or destination context of a hostname is not clear.Also it captures the Device Hostname. Any Hostname that isnt ad.computer. 
- - name: domain - type: keyword - - name: host_dst - type: keyword - description: "This key should only be used when it’s a Destination Hostname" - - name: network_service - type: keyword - description: This is used to capture layer 7 protocols/service names - - name: interface - type: keyword - description: This key should be used when the source or destination context of an interface is not clear - - name: network_port - type: long - description: 'Deprecated, use port. NOTE: There is a type discrepancy as currently used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!)' - - name: eth_host - type: keyword - description: Deprecated, use alias.mac - - name: sinterface - type: keyword - description: "This key should only be used when it’s a Source Interface" - - name: dinterface - type: keyword - description: "This key should only be used when it’s a Destination Interface" - - name: vlan - type: long - description: This key should only be used to capture the ID of the Virtual LAN - - name: zone_src - type: keyword - description: "This key should only be used when it’s a Source Zone." - - name: zone - type: keyword - description: This key should be used when the source or destination context of a Zone is not clear - - name: zone_dst - type: keyword - description: "This key should only be used when it’s a Destination Zone." - - name: gateway - type: keyword - description: This key is used to capture the IP Address of the gateway - - name: icmp_type - type: long - description: This key is used to capture the ICMP type only - - name: mask - type: keyword - description: This key is used to capture the device network IPmask. 
- - name: icmp_code - type: long - description: This key is used to capture the ICMP code only - - name: protocol_detail - type: keyword - description: This key should be used to capture additional protocol information - - name: dmask - type: keyword - description: This key is used for Destionation Device network mask - - name: port - type: long - description: This key should only be used to capture a Network Port when the directionality is not clear - - name: smask - type: keyword - description: This key is used for capturing source Network Mask - - name: netname - type: keyword - description: This key is used to capture the network name associated with an IP range. This is configured by the end user. - - name: paddr - type: ip - description: Deprecated - - name: faddr - type: keyword - - name: lhost - type: keyword - - name: origin - type: keyword - - name: remote_domain_id - type: keyword - - name: addr - type: keyword - - name: dns_a_record - type: keyword - - name: dns_ptr_record - type: keyword - - name: fhost - type: keyword - - name: fport - type: keyword - - name: laddr - type: keyword - - name: linterface - type: keyword - - name: phost - type: keyword - - name: ad_computer_dst - type: keyword - description: Deprecated, use host.dst - - name: eth_type - type: long - description: This key is used to capture Ethernet Type, Used for Layer 3 Protocols Only - - name: ip_proto - type: long - description: This key should be used to capture the Protocol number, all the protocol nubers are converted into string in UI - - name: dns_cname_record - type: keyword - - name: dns_id - type: keyword - - name: dns_opcode - type: keyword - - name: dns_resp - type: keyword - - name: dns_type - type: keyword - - name: domain1 - type: keyword - - name: host_type - type: keyword - - name: packet_length - type: keyword - - name: host_orig - type: keyword - description: This is used to capture the original hostname in case of a Forwarding Agent or a Proxy in between. 
- - name: rpayload - type: keyword - description: This key is used to capture the total number of payload bytes seen in the retransmitted packets. - - name: vlan_name - type: keyword - description: This key should only be used to capture the name of the Virtual LAN - - name: investigations - type: group - fields: - - name: ec_activity - type: keyword - description: This key captures the particular event activity(Ex:Logoff) - - name: ec_theme - type: keyword - description: This key captures the Theme of a particular Event(Ex:Authentication) - - name: ec_subject - type: keyword - description: This key captures the Subject of a particular Event(Ex:User) - - name: ec_outcome - type: keyword - description: This key captures the outcome of a particular Event(Ex:Success) - - name: event_cat - type: long - description: This key captures the Event category number - - name: event_cat_name - type: keyword - description: This key captures the event category name corresponding to the event cat code - - name: event_vcat - type: keyword - description: This is a vendor supplied category. This should be used in situations where the vendor has adopted their own event_category taxonomy. - - name: analysis_file - type: keyword - description: This is used to capture all indicators used in a File Analysis. This key should be used to capture an analysis of a file - - name: analysis_service - type: keyword - description: This is used to capture all indicators used in a Service Analysis. This key should be used to capture an analysis of a service - - name: analysis_session - type: keyword - description: This is used to capture all indicators used for a Session Analysis. 
This key should be used to capture an analysis of a session - - name: boc - type: keyword - description: This is used to capture behaviour of compromise - - name: eoc - type: keyword - description: This is used to capture Enablers of Compromise - - name: inv_category - type: keyword - description: This used to capture investigation category - - name: inv_context - type: keyword - description: This used to capture investigation context - - name: ioc - type: keyword - description: This is key capture indicator of compromise - - name: counters - type: group - fields: - - name: dclass_c1 - type: long - description: This is a generic counter key that should be used with the label dclass.c1.str only - - name: dclass_c2 - type: long - description: This is a generic counter key that should be used with the label dclass.c2.str only - - name: event_counter - type: long - description: This is used to capture the number of times an event repeated - - name: dclass_r1 - type: keyword - description: This is a generic ratio key that should be used with the label dclass.r1.str only - - name: dclass_c3 - type: long - description: This is a generic counter key that should be used with the label dclass.c3.str only - - name: dclass_c1_str - type: keyword - description: This is a generic counter string key that should be used with the label dclass.c1 only - - name: dclass_c2_str - type: keyword - description: This is a generic counter string key that should be used with the label dclass.c2 only - - name: dclass_r1_str - type: keyword - description: This is a generic ratio string key that should be used with the label dclass.r1 only - - name: dclass_r2 - type: keyword - description: This is a generic ratio key that should be used with the label dclass.r2.str only - - name: dclass_c3_str - type: keyword - description: This is a generic counter string key that should be used with the label dclass.c3 only - - name: dclass_r3 - type: keyword - description: This is a generic ratio key that 
should be used with the label dclass.r3.str only - - name: dclass_r2_str - type: keyword - description: This is a generic ratio string key that should be used with the label dclass.r2 only - - name: dclass_r3_str - type: keyword - description: This is a generic ratio string key that should be used with the label dclass.r3 only - - name: identity - type: group - fields: - - name: auth_method - type: keyword - description: This key is used to capture authentication methods used only - - name: user_role - type: keyword - description: This key is used to capture the Role of a user only - - name: dn - type: keyword - description: X.500 (LDAP) Distinguished Name - - name: logon_type - type: keyword - description: This key is used to capture the type of logon method used. - - name: profile - type: keyword - description: This key is used to capture the user profile - - name: accesses - type: keyword - description: This key is used to capture actual privileges used in accessing an object - - name: realm - type: keyword - description: Radius realm or similar grouping of accounts - - name: user_sid_dst - type: keyword - description: This key captures Destination User Session ID - - name: dn_src - type: keyword - description: An X.500 (LDAP) Distinguished name that is used in a context that indicates a Source dn - - name: org - type: keyword - description: This key captures the User organization - - name: dn_dst - type: keyword - description: An X.500 (LDAP) Distinguished name that used in a context that indicates a Destination dn - - name: firstname - type: keyword - description: This key is for First Names only, this is used for Healthcare predominantly to capture Patients information - - name: lastname - type: keyword - description: This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information - - name: user_dept - type: keyword - description: User's Department Names only - - name: user_sid_src - type: keyword - description: This 
key captures Source User Session ID - - name: federated_sp - type: keyword - description: This key is the Federated Service Provider. This is the application requesting authentication. - - name: federated_idp - type: keyword - description: This key is the federated Identity Provider. This is the server providing the authentication. - - name: logon_type_desc - type: keyword - description: This key is used to capture the textual description of an integer logon type as stored in the meta key 'logon.type'. - - name: middlename - type: keyword - description: This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information - - name: password - type: keyword - description: This key is for Passwords seen in any session, plain text or encrypted - - name: host_role - type: keyword - description: This key should only be used to capture the role of a Host Machine - - name: ldap - type: keyword - description: "This key is for Uninterpreted LDAP values. Ldap Values that don’t have a clear query or response context" - - name: ldap_query - type: keyword - description: This key is the Search criteria from an LDAP search - - name: ldap_response - type: keyword - description: This key is to capture Results from an LDAP search - - name: owner - type: keyword - description: This is used to capture username the process or service is running as, the author of the task - - name: service_account - type: keyword - description: This key is a windows specific key, used for capturing name of the account a service (referenced in the event) is running under. 
Legacy Usage - - name: email - type: group - fields: - - name: email_dst - type: keyword - description: This key is used to capture the Destination email address only, when the destination context is not clear use email - - name: email_src - type: keyword - description: This key is used to capture the source email address only, when the source context is not clear use email - - name: subject - type: keyword - description: This key is used to capture the subject string from an Email only. - - name: email - type: keyword - description: This key is used to capture a generic email address where the source or destination context is not clear - - name: trans_from - type: keyword - description: Deprecated key defined only in table map. - - name: trans_to - type: keyword - description: Deprecated key defined only in table map. - - name: file - type: group - fields: - - name: privilege - type: keyword - description: Deprecated, use permissions - - name: attachment - type: keyword - description: This key captures the attachment file name - - name: filesystem - type: keyword - - name: binary - type: keyword - description: Deprecated key defined only in table map. 
- - name: filename_dst - type: keyword - description: This is used to capture name of the file targeted by the action - - name: filename_src - type: keyword - description: This is used to capture name of the parent filename, the file which performed the action - - name: filename_tmp - type: keyword - - name: directory_dst - type: keyword - description: This key is used to capture the directory of the target process or file - - name: directory_src - type: keyword - description: This key is used to capture the directory of the source process or file - - name: file_entropy - type: double - description: This is used to capture entropy vale of a file - - name: file_vendor - type: keyword - description: This is used to capture Company name of file located in version_info - - name: task_name - type: keyword - description: This is used to capture name of the task - - name: web - type: group - fields: - - name: fqdn - type: keyword - description: Fully Qualified Domain Names - - name: web_cookie - type: keyword - description: This key is used to capture the Web cookies specifically. - - name: alias_host - type: keyword - - name: reputation_num - type: double - description: Reputation Number of an entity. 
Typically used for Web Domains - - name: web_ref_domain - type: keyword - description: Web referer's domain - - name: web_ref_query - type: keyword - description: This key captures Web referer's query portion of the URL - - name: remote_domain - type: keyword - - name: web_ref_page - type: keyword - description: This key captures Web referer's page information - - name: web_ref_root - type: keyword - description: Web referer's root URL path - - name: cn_asn_dst - type: keyword - - name: cn_rpackets - type: keyword - - name: urlpage - type: keyword - - name: urlroot - type: keyword - - name: p_url - type: keyword - - name: p_user_agent - type: keyword - - name: p_web_cookie - type: keyword - - name: p_web_method - type: keyword - - name: p_web_referer - type: keyword - - name: web_extension_tmp - type: keyword - - name: web_page - type: keyword - - name: threat - type: group - fields: - - name: threat_category - type: keyword - description: This key captures Threat Name/Threat Category/Categorization of alert - - name: threat_desc - type: keyword - description: This key is used to capture the threat description from the session directly or inferred - - name: alert - type: keyword - description: This key is used to capture name of the alert - - name: threat_source - type: keyword - description: This key is used to capture source of the threat - - name: crypto - type: group - fields: - - name: crypto - type: keyword - description: This key is used to capture the Encryption Type or Encryption Key only - - name: cipher_src - type: keyword - description: This key is for Source (Client) Cipher - - name: cert_subject - type: keyword - description: This key is used to capture the Certificate organization only - - name: peer - type: keyword - description: This key is for Encryption peer's IP Address - - name: cipher_size_src - type: long - description: This key captures Source (Client) Cipher Size - - name: ike - type: keyword - description: IKE negotiation phase. 
- - name: scheme - type: keyword - description: This key captures the Encryption scheme used - - name: peer_id - type: keyword - description: "This key is for Encryption peer’s identity" - - name: sig_type - type: keyword - description: This key captures the Signature Type - - name: cert_issuer - type: keyword - - name: cert_host_name - type: keyword - description: Deprecated key defined only in table map. - - name: cert_error - type: keyword - description: This key captures the Certificate Error String - - name: cipher_dst - type: keyword - description: This key is for Destination (Server) Cipher - - name: cipher_size_dst - type: long - description: This key captures Destination (Server) Cipher Size - - name: ssl_ver_src - type: keyword - description: Deprecated, use version - - name: d_certauth - type: keyword - - name: s_certauth - type: keyword - - name: ike_cookie1 - type: keyword - description: "ID of the negotiation — sent for ISAKMP Phase One" - - name: ike_cookie2 - type: keyword - description: "ID of the negotiation — sent for ISAKMP Phase Two" - - name: cert_checksum - type: keyword - - name: cert_host_cat - type: keyword - description: This key is used for the hostname category value of a certificate - - name: cert_serial - type: keyword - description: This key is used to capture the Certificate serial number only - - name: cert_status - type: keyword - description: This key captures Certificate validation status - - name: ssl_ver_dst - type: keyword - description: Deprecated, use version - - name: cert_keysize - type: keyword - - name: cert_username - type: keyword - - name: https_insact - type: keyword - - name: https_valid - type: keyword - - name: cert_ca - type: keyword - description: This key is used to capture the Certificate signing authority only - - name: cert_common - type: keyword - description: This key is used to capture the Certificate common name only - - name: wireless - type: group - fields: - - name: wlan_ssid - type: keyword - 
description: This key is used to capture the ssid of a Wireless Session - - name: access_point - type: keyword - description: This key is used to capture the access point name. - - name: wlan_channel - type: long - description: This is used to capture the channel names - - name: wlan_name - type: keyword - description: This key captures either WLAN number/name - - name: storage - type: group - fields: - - name: disk_volume - type: keyword - description: A unique name assigned to logical units (volumes) within a physical disk - - name: lun - type: keyword - description: Logical Unit Number.This key is a very useful concept in Storage. - - name: pwwn - type: keyword - description: This uniquely identifies a port on a HBA. - - name: physical - type: group - fields: - - name: org_dst - type: keyword - description: This is used to capture the destination organization based on the GEOPIP Maxmind database. - - name: org_src - type: keyword - description: This is used to capture the source organization based on the GEOPIP Maxmind database. 
- - name: healthcare - type: group - fields: - - name: patient_fname - type: keyword - description: This key is for First Names only, this is used for Healthcare predominantly to capture Patients information - - name: patient_id - type: keyword - description: This key captures the unique ID for a patient - - name: patient_lname - type: keyword - description: This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information - - name: patient_mname - type: keyword - description: This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information - - name: endpoint - type: group - fields: - - name: host_state - type: keyword - description: This key is used to capture the current state of the machine, such as blacklisted, infected, firewall disabled and so on - - name: registry_key - type: keyword - description: This key captures the path to the registry key - - name: registry_value - type: keyword - description: This key captures values or decorators used within a registry entry -- name: dns.question.domain - type: keyword - ignore_above: 1024 - description: Server domain. -- name: network.interface.name - type: keyword diff --git a/packages/juniper_netscreen/0.4.2/data_stream/log/manifest.yml b/packages/juniper_netscreen/0.4.2/data_stream/log/manifest.yml deleted file mode 100755 index 7b194a9784..0000000000 --- a/packages/juniper_netscreen/0.4.2/data_stream/log/manifest.yml +++ /dev/null 
@@ -1,205 +0,0 @@
-title: Netscreen logs
-release: experimental
-type: logs
-streams:
- - input: udp
- title: Netscreen logs
- description: Collect Netscreen logs
- template_path: udp.yml.hbs
- vars:
- - name: tags
- type: text
- title: Tags
- multi: true
- required: true
- show_user: false
- default:
- - juniper-netscreen
- - forwarded
- - name: udp_host
- type: text
- title: UDP host to listen on
- multi: false
- required: true
- show_user: true
- default: localhost
- - name: udp_port
- type: integer
- title: UDP port to listen on
- multi: false
- required: true
- show_user: true
- default: 9523
- - name: tz_offset
- type: text
- title: Timezone offset (+HH:mm format)
- required: false
- show_user: true
- default: "local"
- - name: rsa_fields
- type: bool
- title: Add non-ECS fields
- required: false
- show_user: true
- default: true
- - name: keep_raw_fields
- type: bool
- title: Keep raw parser fields
- required: false
- show_user: false
- default: false
- - name: debug
- type: bool
- title: Enable debug logging
- required: false
- show_user: false
- default: false
- - name: preserve_original_event
- required: true
- show_user: true
- title: Preserve original event
- description: Preserves a raw copy of the original event, added to the field `event.original`
- type: bool
- multi: false
- default: false
- - name: processors
- type: yaml
- title: Processors
- multi: false
- required: false
- show_user: false
- description: >
- Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
-
- - input: tcp
- title: Netscreen logs
- description: Collect Netscreen logs
- template_path: tcp.yml.hbs
- vars:
- - name: tags
- type: text
- title: Tags
- multi: true
- required: true
- show_user: false
- default:
- - juniper-netscreen
- - forwarded
- - name: tcp_host
- type: text
- title: TCP host to listen on
- multi: false
- required: true
- show_user: true
- default: localhost
- - name: tcp_port
- type: integer
- title: TCP port to listen on
- multi: false
- required: true
- show_user: true
- default: 9523
- - name: tz_offset
- type: text
- title: Timezone offset (+HH:mm format)
- required: false
- show_user: true
- default: "local"
- - name: rsa_fields
- type: bool
- title: Add non-ECS fields
- required: false
- show_user: true
- default: true
- - name: keep_raw_fields
- type: bool
- title: Keep raw parser fields
- required: false
- show_user: false
- default: false
- - name: debug
- type: bool
- title: Enable debug logging
- required: false
- show_user: false
- default: false
- - name: preserve_original_event
- required: true
- show_user: true
- title: Preserve original event
- description: Preserves a raw copy of the original event, added to the field `event.original`
- type: bool
- multi: false
- default: false
- - name: processors
- type: yaml
- title: Processors
- multi: false
- required: false
- show_user: false
- description: >
- Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
-
- - input: filestream
- enabled: false
- title: Netscreen logs
- description: Collect Netscreen logs from file
- template_path: logfile.yml.hbs
- vars:
- - name: paths
- type: text
- title: Paths
- multi: true
- required: true
- show_user: true
- default:
- - /var/log/juniper-netscreen.log
- - name: tags
- type: text
- title: Tags
- multi: true
- required: true
- show_user: false
- default:
- - juniper-netscreen
- - forwarded
- - name: tz_offset
- type: text
- title: Timezone offset (+HH:mm format)
- required: false
- show_user: true
- default: "local"
- - name: rsa_fields
- type: bool
- title: Add non-ECS fields
- required: false
- show_user: true
- default: true
- - name: keep_raw_fields
- type: bool
- title: Keep raw parser fields
- required: false
- show_user: false
- default: false
- - name: debug
- type: bool
- title: Enable debug logging
- required: false
- show_user: false
- default: false
- - name: preserve_original_event
- required: true
- show_user: true
- title: Preserve original event
- description: Preserves a raw copy of the original event, added to the field `event.original`
- type: bool
- multi: false
- default: false
- - name: processors
- type: yaml
- title: Processors
- multi: false
- required: false
- show_user: false
- description: >-
- Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
diff --git a/packages/juniper_netscreen/0.4.2/data_stream/log/sample_event.json b/packages/juniper_netscreen/0.4.2/data_stream/log/sample_event.json
deleted file mode 100755
index 981f92eb79..0000000000
--- a/packages/juniper_netscreen/0.4.2/data_stream/log/sample_event.json
+++ /dev/null
@@ -1,60 +0,0 @@
-{
- "@timestamp": "2016-01-29T06:09:59.000Z",
- "agent": {
- "ephemeral_id": "c439baa6-c1f5-4533-bb61-3a020bd4e4f9",
- "id": "11de7269-3d5a-4523-8b1f-e40ea1e2be97",
- "name": "docker-fleet-agent",
- "type": "filebeat",
- "version": "8.4.1"
- },
- "data_stream": {
- "dataset": "juniper_netscreen.log",
- "namespace": "ep",
- "type": "logs"
- },
- "ecs": {
- "version": "8.4.0"
- },
- "elastic_agent": {
- "id": "11de7269-3d5a-4523-8b1f-e40ea1e2be97",
- "snapshot": false,
- "version": "8.4.1"
- },
- "event": {
- "agent_id_status": "verified",
- "code": "00628",
- "dataset": "juniper_netscreen.log",
- "ingested": "2022-09-28T06:19:48Z",
- "timezone": "+00:00"
- },
- "input": {
- "type": "udp"
- },
- "log": {
- "level": "low",
- "source": {
- "address": "192.168.176.4:38747"
- }
- },
- "observer": {
- "product": "Netscreen",
- "type": "Firewall",
- "vendor": "Juniper"
- },
- "rsa": {
- "internal": {
- "messageid": "00628"
- },
- "misc": {
- "hardware_id": "olab",
- "severity": "low"
- },
- "time": {
- "event_time": "2016-01-29T06:09:59.000Z"
- }
- },
- "tags": [
- "juniper-netscreen",
- "forwarded"
- ]
-}
\ No newline at end of file
diff --git a/packages/juniper_netscreen/0.4.2/docs/README.md b/packages/juniper_netscreen/0.4.2/docs/README.md
deleted file mode 100755
index a0e1544b4e..0000000000
--- a/packages/juniper_netscreen/0.4.2/docs/README.md
+++ /dev/null
@@ -1,913 +0,0 @@ -# Juniper integration - -This is an integration for ingesting logs from [Juniper NetScreen](https://www.juniper.net/documentation/en_US/release-independent/screenos/information-products/pathway-pages/netscreen-series/product/). - -### Log - -The `log` dataset collects Netscreen logs. - -An example event for `log` looks as following: - -```json -{ - "@timestamp": "2016-01-29T06:09:59.000Z", - "agent": { - "ephemeral_id": "c439baa6-c1f5-4533-bb61-3a020bd4e4f9", - "id": "11de7269-3d5a-4523-8b1f-e40ea1e2be97", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "8.4.1" - }, - "data_stream": { - "dataset": "juniper_netscreen.log", - "namespace": "ep", - "type": "logs" - }, - "ecs": { - "version": "8.4.0" - }, - "elastic_agent": { - "id": "11de7269-3d5a-4523-8b1f-e40ea1e2be97", - "snapshot": false, - "version": "8.4.1" - }, - "event": { - "agent_id_status": "verified", - "code": "00628", - "dataset": "juniper_netscreen.log", - "ingested": "2022-09-28T06:19:48Z", - "timezone": "+00:00" - }, - "input": { - "type": "udp" - }, - "log": { - "level": "low", - "source": { - "address": "192.168.176.4:38747" - } - }, - "observer": { - "product": "Netscreen", - "type": "Firewall", - "vendor": "Juniper" - }, - "rsa": { - "internal": { - "messageid": "00628" - }, - "misc": { - "hardware_id": "olab", - "severity": "low" - }, - "time": { - "event_time": "2016-01-29T06:09:59.000Z" - } - }, - "tags": [ - "juniper-netscreen", - "forwarded" - ] -} -``` - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. | date | -| client.domain | The domain name of the client system. 
This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | -| client.registered_domain | The highest registered client domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | -| client.subdomain | The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword | -| client.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. 
| keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| destination.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| destination.as.organization.name | Organization name. | keyword | -| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. | match_only_text | -| destination.bytes | Bytes sent from the destination to the source. | long | -| destination.domain | The domain name of the destination system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | -| destination.geo.city_name | City name. | keyword | -| destination.geo.country_name | Country name. | keyword | -| destination.geo.location | Longitude and latitude. 
| geo_point | -| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | -| destination.mac | MAC address of the destination. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | -| destination.nat.ip | Translated ip of destination based NAT sessions (e.g. internet to private DMZ) Typically used with load balancers, firewalls, or routers. | ip | -| destination.nat.port | Port the source session is translated to by NAT Device. Typically used with load balancers, firewalls, or routers. | long | -| destination.port | Port of the destination. | long | -| destination.registered_domain | The highest registered destination domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | -| destination.subdomain | The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword | -| destination.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". 
This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | -| dns.answers.name | The domain name to which this resource record pertains. If a chain of CNAME is being resolved, each answer's `name` should be the one that corresponds with the answer's `data`. It should not simply be the original `question.name` repeated. | keyword | -| dns.answers.type | The type of data contained in this resource record. | keyword | -| dns.question.domain | Server domain. | keyword | -| dns.question.registered_domain | The highest registered domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | -| dns.question.subdomain | The subdomain is all of the labels under the registered_domain. If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword | -| dns.question.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | -| dns.question.type | The type of record being queried. | keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. 
When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| error.message | Error message. | match_only_text | -| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword | -| event.code | Identification code for this event, if one exists. Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. | keyword | -| event.dataset | Event dataset | constant_keyword | -| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | -| event.module | Event module | constant_keyword | -| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | -| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. 
`event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | -| event.timezone | This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). | keyword | -| file.attributes | Array of file attributes. Attributes names will vary by platform. Here's a non-exhaustive list of values that are expected in this field: archive, compressed, directory, encrypted, execute, hidden, read, readonly, system, write. | keyword | -| file.directory | Directory where the file is located. It should include the drive letter, when appropriate. | keyword | -| file.extension | File extension, excluding the leading dot. Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword | -| file.name | Name of the file including the extension, without the directory. | keyword | -| file.path | Full path to the file, including the file name. It should include the drive letter, when appropriate. | keyword | -| file.path.text | Multi-field of `file.path`. 
| match_only_text | -| file.size | File size in bytes. Only relevant when `file.type` is "file". | long | -| file.type | File type (file, dir, or symlink). | keyword | -| geo.city_name | City name. | keyword | -| geo.country_name | Country name. | keyword | -| geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | -| geo.region_name | Region name. | keyword | -| group.id | Unique identifier for the group on the system/platform. | keyword | -| group.name | Name of the group. | keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host MAC addresses. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. 
| keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| http.request.method | HTTP request method. The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field. | keyword | -| http.request.referrer | Referrer for this HTTP request. | keyword | -| input.type | Type of Filebeat input. | keyword | -| log.file.path | Full path to the log file this event came from. | keyword | -| log.flags | Flags for the log file. | keyword | -| log.level | Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). Some examples are `warn`, `err`, `i`, `informational`. | keyword | -| log.offset | Offset of the entry in the log file. | long | -| log.source.address | Source address from which the log event was read / sent from. | keyword | -| log.syslog.facility.code | The Syslog numeric facility of the log event, if available. According to RFCs 5424 and 3164, this value should be an integer between 0 and 23. | long | -| log.syslog.priority | Syslog numeric priority of the event, if available. According to RFCs 5424 and 3164, the priority is 8 \* facility + severity. 
This number is therefore expected to contain a value between 0 and 191. | long | -| log.syslog.severity.code | The Syslog numeric severity of the log event, if available. If the event source publishing via Syslog provides a different numeric severity value (e.g. firewall, IDS), your source's numeric severity should go to `event.severity`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `event.severity`. | long | -| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | -| network.application | When a specific application or service is identified from network connection details (source/dest IPs, ports, certificates, or wire format), this field captures the application's or service's name. For example, the original event identifies the network connection being from a specific web service in a `https` network connection, like `facebook` or `twitter`. The field value must be normalized to lowercase for querying. | keyword | -| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long | -| network.direction | Direction of the network traffic. When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. 
Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword | -| network.forwarded_ip | Host IP address when the source IP address is the proxy. | ip | -| network.interface.name | | keyword | -| network.packets | Total packets transferred in both directions. If `source.packets` and `destination.packets` are known, `network.packets` is their sum. | long | -| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword | -| observer.egress.interface.name | Interface name as reported by the system. | keyword | -| observer.ingress.interface.name | Interface name as reported by the system. | keyword | -| observer.product | The product name of the observer. | keyword | -| observer.type | The type of the observer the data is coming from. There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. | keyword | -| observer.vendor | Vendor name of the observer. | keyword | -| observer.version | Observer version. | keyword | -| process.name | Process name. Sometimes called program name or similar. | keyword | -| process.name.text | Multi-field of `process.name`. | match_only_text | -| process.parent.name | Process name. Sometimes called program name or similar. | keyword | -| process.parent.name.text | Multi-field of `process.parent.name`. | match_only_text | -| process.parent.pid | Process id. | long | -| process.parent.title | Process title. The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. | keyword | -| process.parent.title.text | Multi-field of `process.parent.title`. | match_only_text | -| process.pid | Process id. 
| long | -| process.title | Process title. The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. | keyword | -| process.title.text | Multi-field of `process.title`. | match_only_text | -| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| related.user | All the user names or other user identifiers seen on the event. | keyword | -| rsa.counters.dclass_c1 | This is a generic counter key that should be used with the label dclass.c1.str only | long | -| rsa.counters.dclass_c1_str | This is a generic counter string key that should be used with the label dclass.c1 only | keyword | -| rsa.counters.dclass_c2 | This is a generic counter key that should be used with the label dclass.c2.str only | long | -| rsa.counters.dclass_c2_str | This is a generic counter string key that should be used with the label dclass.c2 only | keyword | -| rsa.counters.dclass_c3 | This is a generic counter key that should be used with the label dclass.c3.str only | long | -| rsa.counters.dclass_c3_str | This is a generic counter string key that should be used with the label dclass.c3 only | keyword | -| rsa.counters.dclass_r1 | This is a generic ratio key that should be used with the label dclass.r1.str only | keyword | -| rsa.counters.dclass_r1_str | This is a generic ratio string key that should be used with the label dclass.r1 only | keyword | -| rsa.counters.dclass_r2 | This is a generic ratio key that should be used with the label dclass.r2.str only | keyword | -| rsa.counters.dclass_r2_str | This is a generic ratio string key that should be used with the label dclass.r2 only | keyword | -| rsa.counters.dclass_r3 | This is a generic ratio key that should be used with the label dclass.r3.str only | keyword | -| 
rsa.counters.dclass_r3_str | This is a generic ratio string key that should be used with the label dclass.r3 only | keyword | -| rsa.counters.event_counter | This is used to capture the number of times an event repeated | long | -| rsa.crypto.cert_ca | This key is used to capture the Certificate signing authority only | keyword | -| rsa.crypto.cert_checksum | | keyword | -| rsa.crypto.cert_common | This key is used to capture the Certificate common name only | keyword | -| rsa.crypto.cert_error | This key captures the Certificate Error String | keyword | -| rsa.crypto.cert_host_cat | This key is used for the hostname category value of a certificate | keyword | -| rsa.crypto.cert_host_name | Deprecated key defined only in table map. | keyword | -| rsa.crypto.cert_issuer | | keyword | -| rsa.crypto.cert_keysize | | keyword | -| rsa.crypto.cert_serial | This key is used to capture the Certificate serial number only | keyword | -| rsa.crypto.cert_status | This key captures Certificate validation status | keyword | -| rsa.crypto.cert_subject | This key is used to capture the Certificate organization only | keyword | -| rsa.crypto.cert_username | | keyword | -| rsa.crypto.cipher_dst | This key is for Destination (Server) Cipher | keyword | -| rsa.crypto.cipher_size_dst | This key captures Destination (Server) Cipher Size | long | -| rsa.crypto.cipher_size_src | This key captures Source (Client) Cipher Size | long | -| rsa.crypto.cipher_src | This key is for Source (Client) Cipher | keyword | -| rsa.crypto.crypto | This key is used to capture the Encryption Type or Encryption Key only | keyword | -| rsa.crypto.d_certauth | | keyword | -| rsa.crypto.https_insact | | keyword | -| rsa.crypto.https_valid | | keyword | -| rsa.crypto.ike | IKE negotiation phase. 
| keyword | -| rsa.crypto.ike_cookie1 | ID of the negotiation — sent for ISAKMP Phase One | keyword | -| rsa.crypto.ike_cookie2 | ID of the negotiation — sent for ISAKMP Phase Two | keyword | -| rsa.crypto.peer | This key is for Encryption peer's IP Address | keyword | -| rsa.crypto.peer_id | This key is for Encryption peer’s identity | keyword | -| rsa.crypto.s_certauth | | keyword | -| rsa.crypto.scheme | This key captures the Encryption scheme used | keyword | -| rsa.crypto.sig_type | This key captures the Signature Type | keyword | -| rsa.crypto.ssl_ver_dst | Deprecated, use version | keyword | -| rsa.crypto.ssl_ver_src | Deprecated, use version | keyword | -| rsa.db.database | This key is used to capture the name of a database or an instance as seen in a session | keyword | -| rsa.db.db_id | This key is used to capture the unique identifier for a database | keyword | -| rsa.db.db_pid | This key captures the process id of a connection with database server | long | -| rsa.db.index | This key captures IndexID of the index. | keyword | -| rsa.db.instance | This key is used to capture the database server instance name | keyword | -| rsa.db.lread | This key is used for the number of logical reads | long | -| rsa.db.lwrite | This key is used for the number of logical writes | long | -| rsa.db.permissions | This key captures permission or privilege level assigned to a resource. 
| keyword | -| rsa.db.pread | This key is used for the number of physical writes | long | -| rsa.db.table_name | This key is used to capture the table name | keyword | -| rsa.db.transact_id | This key captures the SQL transantion ID of the current session | keyword | -| rsa.email.email | This key is used to capture a generic email address where the source or destination context is not clear | keyword | -| rsa.email.email_dst | This key is used to capture the Destination email address only, when the destination context is not clear use email | keyword | -| rsa.email.email_src | This key is used to capture the source email address only, when the source context is not clear use email | keyword | -| rsa.email.subject | This key is used to capture the subject string from an Email only. | keyword | -| rsa.email.trans_from | Deprecated key defined only in table map. | keyword | -| rsa.email.trans_to | Deprecated key defined only in table map. | keyword | -| rsa.endpoint.host_state | This key is used to capture the current state of the machine, such as \blacklisted\, \infected\, \firewall disabled\ and so on | keyword | -| rsa.endpoint.registry_key | This key captures the path to the registry key | keyword | -| rsa.endpoint.registry_value | This key captures values or decorators used within a registry entry | keyword | -| rsa.file.attachment | This key captures the attachment file name | keyword | -| rsa.file.binary | Deprecated key defined only in table map. 
| keyword | -| rsa.file.directory_dst | \This key is used to capture the directory of the target process or file\ | keyword | -| rsa.file.directory_src | This key is used to capture the directory of the source process or file | keyword | -| rsa.file.file_entropy | This is used to capture entropy vale of a file | double | -| rsa.file.file_vendor | This is used to capture Company name of file located in version_info | keyword | -| rsa.file.filename_dst | This is used to capture name of the file targeted by the action | keyword | -| rsa.file.filename_src | This is used to capture name of the parent filename, the file which performed the action | keyword | -| rsa.file.filename_tmp | | keyword | -| rsa.file.filesystem | | keyword | -| rsa.file.privilege | Deprecated, use permissions | keyword | -| rsa.file.task_name | This is used to capture name of the task | keyword | -| rsa.healthcare.patient_fname | This key is for First Names only, this is used for Healthcare predominantly to capture Patients information | keyword | -| rsa.healthcare.patient_id | This key captures the unique ID for a patient | keyword | -| rsa.healthcare.patient_lname | This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information | keyword | -| rsa.healthcare.patient_mname | This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information | keyword | -| rsa.identity.accesses | This key is used to capture actual privileges used in accessing an object | keyword | -| rsa.identity.auth_method | This key is used to capture authentication methods used only | keyword | -| rsa.identity.dn | X.500 (LDAP) Distinguished Name | keyword | -| rsa.identity.dn_dst | An X.500 (LDAP) Distinguished name that used in a context that indicates a Destination dn | keyword | -| rsa.identity.dn_src | An X.500 (LDAP) Distinguished name that is used in a context that indicates a Source dn | keyword | -| rsa.identity.federated_idp | This 
key is the federated Identity Provider. This is the server providing the authentication. | keyword | -| rsa.identity.federated_sp | This key is the Federated Service Provider. This is the application requesting authentication. | keyword | -| rsa.identity.firstname | This key is for First Names only, this is used for Healthcare predominantly to capture Patients information | keyword | -| rsa.identity.host_role | This key should only be used to capture the role of a Host Machine | keyword | -| rsa.identity.lastname | This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information | keyword | -| rsa.identity.ldap | This key is for Uninterpreted LDAP values. Ldap Values that don’t have a clear query or response context | keyword | -| rsa.identity.ldap_query | This key is the Search criteria from an LDAP search | keyword | -| rsa.identity.ldap_response | This key is to capture Results from an LDAP search | keyword | -| rsa.identity.logon_type | This key is used to capture the type of logon method used. | keyword | -| rsa.identity.logon_type_desc | This key is used to capture the textual description of an integer logon type as stored in the meta key 'logon.type'. 
| keyword | -| rsa.identity.middlename | This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information | keyword | -| rsa.identity.org | This key captures the User organization | keyword | -| rsa.identity.owner | This is used to capture username the process or service is running as, the author of the task | keyword | -| rsa.identity.password | This key is for Passwords seen in any session, plain text or encrypted | keyword | -| rsa.identity.profile | This key is used to capture the user profile | keyword | -| rsa.identity.realm | Radius realm or similar grouping of accounts | keyword | -| rsa.identity.service_account | This key is a windows specific key, used for capturing name of the account a service (referenced in the event) is running under. Legacy Usage | keyword | -| rsa.identity.user_dept | User's Department Names only | keyword | -| rsa.identity.user_role | This key is used to capture the Role of a user only | keyword | -| rsa.identity.user_sid_dst | This key captures Destination User Session ID | keyword | -| rsa.identity.user_sid_src | This key captures Source User Session ID | keyword | -| rsa.internal.audit_class | Deprecated key defined only in table map. | keyword | -| rsa.internal.cid | This is the unique identifier used to identify a NetWitness Concentrator. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | -| rsa.internal.data | Deprecated key defined only in table map. | keyword | -| rsa.internal.dead | Deprecated key defined only in table map. | long | -| rsa.internal.device_class | This is the Classification of the Log Event Source under a predefined fixed set of Event Source Classifications. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | -| rsa.internal.device_group | This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | -| rsa.internal.device_host | This is the Hostname of the log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | -| rsa.internal.device_ip | This is the IPv4 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | ip | -| rsa.internal.device_ipv6 | This is the IPv6 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | ip | -| rsa.internal.device_type | This is the name of the log parser which parsed a given session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | -| rsa.internal.device_type_id | Deprecated key defined only in table map. | long | -| rsa.internal.did | This is the unique identifier used to identify a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | -| rsa.internal.entropy_req | This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration | long | -| rsa.internal.entropy_res | This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration | long | -| rsa.internal.entry | Deprecated key defined only in table map. 
| keyword | -| rsa.internal.event_desc | | keyword | -| rsa.internal.event_name | Deprecated key defined only in table map. | keyword | -| rsa.internal.feed_category | This is used to capture the category of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | -| rsa.internal.feed_desc | This is used to capture the description of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | -| rsa.internal.feed_name | This is used to capture the name of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | -| rsa.internal.forward_ip | This key should be used to capture the IPV4 address of a relay system which forwarded the events from the original system to NetWitness. | ip | -| rsa.internal.forward_ipv6 | This key is used to capture the IPV6 address of a relay system which forwarded the events from the original system to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | ip | -| rsa.internal.hcode | Deprecated key defined only in table map. | keyword | -| rsa.internal.header_id | This is the Header ID value that identifies the exact log parser header definition that parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | -| rsa.internal.inode | Deprecated key defined only in table map. | long | -| rsa.internal.lc_cid | This is a unique Identifier of a Log Collector. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | -| rsa.internal.lc_ctime | This is the time at which a log is collected in a NetWitness Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | date | -| rsa.internal.level | Deprecated key defined only in table map. | long | -| rsa.internal.mcb_req | This key is only used by the Entropy Parser, the most common byte request is simply which byte for each side (0 thru 255) was seen the most | long | -| rsa.internal.mcb_res | This key is only used by the Entropy Parser, the most common byte response is simply which byte for each side (0 thru 255) was seen the most | long | -| rsa.internal.mcbc_req | This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams | long | -| rsa.internal.mcbc_res | This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams | long | -| rsa.internal.medium | This key is used to identify if it’s a log/packet session or Layer 2 Encapsulation Type. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. 32 = log, 33 = correlation session, < 32 is packet session | long | -| rsa.internal.message | This key captures the contents of instant messages | keyword | -| rsa.internal.messageid | | keyword | -| rsa.internal.msg | This key is used to capture the raw message that comes into the Log Decoder | keyword | -| rsa.internal.msg_id | This is the Message ID1 value that identifies the exact log parser definition which parses a particular log session. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | -| rsa.internal.msg_vid | This is the Message ID2 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | -| rsa.internal.node_name | Deprecated key defined only in table map. | keyword | -| rsa.internal.nwe_callback_id | This key denotes that event is endpoint related | keyword | -| rsa.internal.obj_id | Deprecated key defined only in table map. | keyword | -| rsa.internal.obj_server | Deprecated key defined only in table map. | keyword | -| rsa.internal.obj_val | Deprecated key defined only in table map. | keyword | -| rsa.internal.parse_error | This is a special key that stores any Meta key validation error found while parsing a log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | -| rsa.internal.payload_req | This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep | long | -| rsa.internal.payload_res | This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep | long | -| rsa.internal.process_vid_dst | Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the target process. | keyword | -| rsa.internal.process_vid_src | Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the source process. | keyword | -| rsa.internal.resource | Deprecated key defined only in table map. 
| keyword | -| rsa.internal.resource_class | Deprecated key defined only in table map. | keyword | -| rsa.internal.rid | This is a special ID of the Remote Session created by NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | long | -| rsa.internal.session_split | This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | -| rsa.internal.site | Deprecated key defined only in table map. | keyword | -| rsa.internal.size | This is the size of the session as seen by the NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | long | -| rsa.internal.sourcefile | This is the name of the log file or PCAPs that can be imported into NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | -| rsa.internal.statement | Deprecated key defined only in table map. | keyword | -| rsa.internal.time | This is the time at which a session hits a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. | date | -| rsa.internal.ubc_req | This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once | long | -| rsa.internal.ubc_res | This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 
256 would mean all byte values of 0 thru 255 were seen at least once | long | -| rsa.internal.word | This is used by the Word Parsing technology to capture the first 5 character of every word in an unparsed log | keyword | -| rsa.investigations.analysis_file | This is used to capture all indicators used in a File Analysis. This key should be used to capture an analysis of a file | keyword | -| rsa.investigations.analysis_service | This is used to capture all indicators used in a Service Analysis. This key should be used to capture an analysis of a service | keyword | -| rsa.investigations.analysis_session | This is used to capture all indicators used for a Session Analysis. This key should be used to capture an analysis of a session | keyword | -| rsa.investigations.boc | This is used to capture behaviour of compromise | keyword | -| rsa.investigations.ec_activity | This key captures the particular event activity(Ex:Logoff) | keyword | -| rsa.investigations.ec_outcome | This key captures the outcome of a particular Event(Ex:Success) | keyword | -| rsa.investigations.ec_subject | This key captures the Subject of a particular Event(Ex:User) | keyword | -| rsa.investigations.ec_theme | This key captures the Theme of a particular Event(Ex:Authentication) | keyword | -| rsa.investigations.eoc | This is used to capture Enablers of Compromise | keyword | -| rsa.investigations.event_cat | This key captures the Event category number | long | -| rsa.investigations.event_cat_name | This key captures the event category name corresponding to the event cat code | keyword | -| rsa.investigations.event_vcat | This is a vendor supplied category. This should be used in situations where the vendor has adopted their own event_category taxonomy. 
| keyword | -| rsa.investigations.inv_category | This used to capture investigation category | keyword | -| rsa.investigations.inv_context | This used to capture investigation context | keyword | -| rsa.investigations.ioc | This is key capture indicator of compromise | keyword | -| rsa.misc.OS | This key captures the Name of the Operating System | keyword | -| rsa.misc.acl_id | | keyword | -| rsa.misc.acl_op | | keyword | -| rsa.misc.acl_pos | | keyword | -| rsa.misc.acl_table | | keyword | -| rsa.misc.action | | keyword | -| rsa.misc.admin | | keyword | -| rsa.misc.agent_id | This key is used to capture agent id | keyword | -| rsa.misc.alarm_id | | keyword | -| rsa.misc.alarmname | | keyword | -| rsa.misc.alert_id | Deprecated, New Hunting Model (inv.\*, ioc, boc, eoc, analysis.\*) | keyword | -| rsa.misc.app_id | | keyword | -| rsa.misc.audit | | keyword | -| rsa.misc.audit_object | | keyword | -| rsa.misc.auditdata | | keyword | -| rsa.misc.autorun_type | This is used to capture Auto Run type | keyword | -| rsa.misc.benchmark | | keyword | -| rsa.misc.bypass | | keyword | -| rsa.misc.cache | | keyword | -| rsa.misc.cache_hit | | keyword | -| rsa.misc.category | This key is used to capture the category of an event given by the vendor in the session | keyword | -| rsa.misc.cc_number | Valid Credit Card Numbers only | long | -| rsa.misc.cefversion | | keyword | -| rsa.misc.cfg_attr | | keyword | -| rsa.misc.cfg_obj | | keyword | -| rsa.misc.cfg_path | | keyword | -| rsa.misc.change_attrib | This key is used to capture the name of the attribute that’s changing in a session | keyword | -| rsa.misc.change_new | This key is used to capture the new values of the attribute that’s changing in a session | keyword | -| rsa.misc.change_old | This key is used to capture the old value of the attribute that’s changing in a session | keyword | -| rsa.misc.changes | | keyword | -| rsa.misc.checksum | This key is used to capture the checksum or hash of the entity such as a file or 
process. Checksum should be used over checksum.src or checksum.dst when it is unclear whether the entity is a source or target of an action. | keyword | -| rsa.misc.checksum_dst | This key is used to capture the checksum or hash of the the target entity such as a process or file. | keyword | -| rsa.misc.checksum_src | This key is used to capture the checksum or hash of the source entity such as a file or process. | keyword | -| rsa.misc.client | This key is used to capture only the name of the client application requesting resources of the server. See the user.agent meta key for capture of the specific user agent identifier or browser identification string. | keyword | -| rsa.misc.client_ip | | keyword | -| rsa.misc.clustermembers | | keyword | -| rsa.misc.cmd | | keyword | -| rsa.misc.cn_acttimeout | | keyword | -| rsa.misc.cn_asn_src | | keyword | -| rsa.misc.cn_bgpv4nxthop | | keyword | -| rsa.misc.cn_ctr_dst_code | | keyword | -| rsa.misc.cn_dst_tos | | keyword | -| rsa.misc.cn_dst_vlan | | keyword | -| rsa.misc.cn_engine_id | | keyword | -| rsa.misc.cn_engine_type | | keyword | -| rsa.misc.cn_f_switch | | keyword | -| rsa.misc.cn_flowsampid | | keyword | -| rsa.misc.cn_flowsampintv | | keyword | -| rsa.misc.cn_flowsampmode | | keyword | -| rsa.misc.cn_inacttimeout | | keyword | -| rsa.misc.cn_inpermbyts | | keyword | -| rsa.misc.cn_inpermpckts | | keyword | -| rsa.misc.cn_invalid | | keyword | -| rsa.misc.cn_ip_proto_ver | | keyword | -| rsa.misc.cn_ipv4_ident | | keyword | -| rsa.misc.cn_l_switch | | keyword | -| rsa.misc.cn_log_did | | keyword | -| rsa.misc.cn_log_rid | | keyword | -| rsa.misc.cn_max_ttl | | keyword | -| rsa.misc.cn_maxpcktlen | | keyword | -| rsa.misc.cn_min_ttl | | keyword | -| rsa.misc.cn_minpcktlen | | keyword | -| rsa.misc.cn_mpls_lbl_1 | | keyword | -| rsa.misc.cn_mpls_lbl_10 | | keyword | -| rsa.misc.cn_mpls_lbl_2 | | keyword | -| rsa.misc.cn_mpls_lbl_3 | | keyword | -| rsa.misc.cn_mpls_lbl_4 | | keyword | -| rsa.misc.cn_mpls_lbl_5 | 
| keyword | -| rsa.misc.cn_mpls_lbl_6 | | keyword | -| rsa.misc.cn_mpls_lbl_7 | | keyword | -| rsa.misc.cn_mpls_lbl_8 | | keyword | -| rsa.misc.cn_mpls_lbl_9 | | keyword | -| rsa.misc.cn_mplstoplabel | | keyword | -| rsa.misc.cn_mplstoplabip | | keyword | -| rsa.misc.cn_mul_dst_byt | | keyword | -| rsa.misc.cn_mul_dst_pks | | keyword | -| rsa.misc.cn_muligmptype | | keyword | -| rsa.misc.cn_sampalgo | | keyword | -| rsa.misc.cn_sampint | | keyword | -| rsa.misc.cn_seqctr | | keyword | -| rsa.misc.cn_spackets | | keyword | -| rsa.misc.cn_src_tos | | keyword | -| rsa.misc.cn_src_vlan | | keyword | -| rsa.misc.cn_sysuptime | | keyword | -| rsa.misc.cn_template_id | | keyword | -| rsa.misc.cn_totbytsexp | | keyword | -| rsa.misc.cn_totflowexp | | keyword | -| rsa.misc.cn_totpcktsexp | | keyword | -| rsa.misc.cn_unixnanosecs | | keyword | -| rsa.misc.cn_v6flowlabel | | keyword | -| rsa.misc.cn_v6optheaders | | keyword | -| rsa.misc.code | | keyword | -| rsa.misc.command | | keyword | -| rsa.misc.comments | Comment information provided in the log message | keyword | -| rsa.misc.comp_class | | keyword | -| rsa.misc.comp_name | | keyword | -| rsa.misc.comp_rbytes | | keyword | -| rsa.misc.comp_sbytes | | keyword | -| rsa.misc.comp_version | This key captures the Version level of a sub-component of a product. | keyword | -| rsa.misc.connection_id | This key captures the Connection ID | keyword | -| rsa.misc.content | This key captures the content type from protocol headers | keyword | -| rsa.misc.content_type | This key is used to capture Content Type only. | keyword | -| rsa.misc.content_version | This key captures Version level of a signature or database content. | keyword | -| rsa.misc.context | This key captures Information which adds additional context to the event. 
| keyword | -| rsa.misc.context_subject | This key is to be used in an audit context where the subject is the object being identified | keyword | -| rsa.misc.context_target | | keyword | -| rsa.misc.count | | keyword | -| rsa.misc.cpu | This key is the CPU time used in the execution of the event being recorded. | long | -| rsa.misc.cpu_data | | keyword | -| rsa.misc.criticality | | keyword | -| rsa.misc.cs_agency_dst | | keyword | -| rsa.misc.cs_analyzedby | | keyword | -| rsa.misc.cs_av_other | | keyword | -| rsa.misc.cs_av_primary | | keyword | -| rsa.misc.cs_av_secondary | | keyword | -| rsa.misc.cs_bgpv6nxthop | | keyword | -| rsa.misc.cs_bit9status | | keyword | -| rsa.misc.cs_context | | keyword | -| rsa.misc.cs_control | | keyword | -| rsa.misc.cs_data | | keyword | -| rsa.misc.cs_datecret | | keyword | -| rsa.misc.cs_dst_tld | | keyword | -| rsa.misc.cs_eth_dst_ven | | keyword | -| rsa.misc.cs_eth_src_ven | | keyword | -| rsa.misc.cs_event_uuid | | keyword | -| rsa.misc.cs_filetype | | keyword | -| rsa.misc.cs_fld | | keyword | -| rsa.misc.cs_if_desc | | keyword | -| rsa.misc.cs_if_name | | keyword | -| rsa.misc.cs_ip_next_hop | | keyword | -| rsa.misc.cs_ipv4dstpre | | keyword | -| rsa.misc.cs_ipv4srcpre | | keyword | -| rsa.misc.cs_lifetime | | keyword | -| rsa.misc.cs_log_medium | | keyword | -| rsa.misc.cs_loginname | | keyword | -| rsa.misc.cs_modulescore | | keyword | -| rsa.misc.cs_modulesign | | keyword | -| rsa.misc.cs_opswatresult | | keyword | -| rsa.misc.cs_payload | | keyword | -| rsa.misc.cs_registrant | | keyword | -| rsa.misc.cs_registrar | | keyword | -| rsa.misc.cs_represult | | keyword | -| rsa.misc.cs_rpayload | | keyword | -| rsa.misc.cs_sampler_name | | keyword | -| rsa.misc.cs_sourcemodule | | keyword | -| rsa.misc.cs_streams | | keyword | -| rsa.misc.cs_targetmodule | | keyword | -| rsa.misc.cs_v6nxthop | | keyword | -| rsa.misc.cs_whois_server | | keyword | -| rsa.misc.cs_yararesult | | keyword | -| rsa.misc.cve | This key captures 
CVE (Common Vulnerabilities and Exposures) - an identifier for known information security vulnerabilities. | keyword | -| rsa.misc.data_type | | keyword | -| rsa.misc.description | | keyword | -| rsa.misc.device_name | This is used to capture name of the Device associated with the node Like: a physical disk, printer, etc | keyword | -| rsa.misc.devvendor | | keyword | -| rsa.misc.disposition | This key captures the The end state of an action. | keyword | -| rsa.misc.distance | | keyword | -| rsa.misc.doc_number | This key captures File Identification number | long | -| rsa.misc.dstburb | | keyword | -| rsa.misc.edomain | | keyword | -| rsa.misc.edomaub | | keyword | -| rsa.misc.ein_number | Employee Identification Numbers only | long | -| rsa.misc.error | This key captures All non successful Error codes or responses | keyword | -| rsa.misc.euid | | keyword | -| rsa.misc.event_category | | keyword | -| rsa.misc.event_computer | This key is a windows only concept, where this key is used to capture fully qualified domain name in a windows log. | keyword | -| rsa.misc.event_desc | This key is used to capture a description of an event available directly or inferred | keyword | -| rsa.misc.event_id | | keyword | -| rsa.misc.event_log | This key captures the Name of the event log | keyword | -| rsa.misc.event_source | This key captures Source of the event that’s not a hostname | keyword | -| rsa.misc.event_state | This key captures the current state of the object/item referenced within the event. Describing an on-going event. | keyword | -| rsa.misc.event_type | This key captures the event category type as specified by the event source. | keyword | -| rsa.misc.event_user | This key is a windows only concept, where this key is used to capture combination of domain name and username in a windows log. | keyword | -| rsa.misc.expected_val | This key captures the Value expected (from the perspective of the device generating the log). 
| keyword | -| rsa.misc.facility | | keyword | -| rsa.misc.facilityname | | keyword | -| rsa.misc.fcatnum | This key captures Filter Category Number. Legacy Usage | keyword | -| rsa.misc.filter | This key captures Filter used to reduce result set | keyword | -| rsa.misc.finterface | | keyword | -| rsa.misc.flags | | keyword | -| rsa.misc.forensic_info | | keyword | -| rsa.misc.found | This is used to capture the results of regex match | keyword | -| rsa.misc.fresult | This key captures the Filter Result | long | -| rsa.misc.gaddr | | keyword | -| rsa.misc.group | This key captures the Group Name value | keyword | -| rsa.misc.group_id | This key captures Group ID Number (related to the group name) | keyword | -| rsa.misc.group_object | This key captures a collection/grouping of entities. Specific usage | keyword | -| rsa.misc.hardware_id | This key is used to capture unique identifier for a device or system (NOT a Mac address) | keyword | -| rsa.misc.id3 | | keyword | -| rsa.misc.im_buddyid | | keyword | -| rsa.misc.im_buddyname | | keyword | -| rsa.misc.im_client | | keyword | -| rsa.misc.im_croomid | | keyword | -| rsa.misc.im_croomtype | | keyword | -| rsa.misc.im_members | | keyword | -| rsa.misc.im_userid | | keyword | -| rsa.misc.im_username | | keyword | -| rsa.misc.index | | keyword | -| rsa.misc.inout | | keyword | -| rsa.misc.ipkt | | keyword | -| rsa.misc.ipscat | | keyword | -| rsa.misc.ipspri | | keyword | -| rsa.misc.job_num | This key captures the Job Number | keyword | -| rsa.misc.jobname | | keyword | -| rsa.misc.language | This is used to capture list of languages the client support and what it prefers | keyword | -| rsa.misc.latitude | | keyword | -| rsa.misc.library | This key is used to capture library information in mainframe devices | keyword | -| rsa.misc.lifetime | This key is used to capture the session lifetime in seconds. | long | -| rsa.misc.linenum | | keyword | -| rsa.misc.link | This key is used to link the sessions together. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | -| rsa.misc.list_name | | keyword | -| rsa.misc.listnum | This key is used to capture listname or listnumber, primarily for collecting access-list | keyword | -| rsa.misc.load_data | | keyword | -| rsa.misc.location_floor | | keyword | -| rsa.misc.location_mark | | keyword | -| rsa.misc.log_id | | keyword | -| rsa.misc.log_session_id | This key is used to capture a sessionid from the session directly | keyword | -| rsa.misc.log_session_id1 | This key is used to capture a Linked (Related) Session ID from the session directly | keyword | -| rsa.misc.log_type | | keyword | -| rsa.misc.logid | | keyword | -| rsa.misc.logip | | keyword | -| rsa.misc.logname | | keyword | -| rsa.misc.longitude | | keyword | -| rsa.misc.lport | | keyword | -| rsa.misc.mail_id | This key is used to capture the mailbox id/name | keyword | -| rsa.misc.match | This key is for regex match name from search.ini | keyword | -| rsa.misc.mbug_data | | keyword | -| rsa.misc.message_body | This key captures the The contents of the message body. | keyword | -| rsa.misc.misc | | keyword | -| rsa.misc.misc_name | | keyword | -| rsa.misc.mode | | keyword | -| rsa.misc.msgIdPart1 | | keyword | -| rsa.misc.msgIdPart2 | | keyword | -| rsa.misc.msgIdPart3 | | keyword | -| rsa.misc.msgIdPart4 | | keyword | -| rsa.misc.msg_type | | keyword | -| rsa.misc.msgid | | keyword | -| rsa.misc.name | | keyword | -| rsa.misc.netsessid | | keyword | -| rsa.misc.node | Common use case is the node name within a cluster. The cluster name is reflected by the host name. 
| keyword | -| rsa.misc.ntype | | keyword | -| rsa.misc.num | | keyword | -| rsa.misc.number | | keyword | -| rsa.misc.number1 | | keyword | -| rsa.misc.number2 | | keyword | -| rsa.misc.nwwn | | keyword | -| rsa.misc.obj_name | This is used to capture name of object | keyword | -| rsa.misc.obj_type | This is used to capture type of object | keyword | -| rsa.misc.object | | keyword | -| rsa.misc.observed_val | This key captures the Value observed (from the perspective of the device generating the log). | keyword | -| rsa.misc.operation | | keyword | -| rsa.misc.operation_id | An alert number or operation number. The values should be unique and non-repeating. | keyword | -| rsa.misc.opkt | | keyword | -| rsa.misc.orig_from | | keyword | -| rsa.misc.owner_id | | keyword | -| rsa.misc.p_action | | keyword | -| rsa.misc.p_filter | | keyword | -| rsa.misc.p_group_object | | keyword | -| rsa.misc.p_id | | keyword | -| rsa.misc.p_msgid | | keyword | -| rsa.misc.p_msgid1 | | keyword | -| rsa.misc.p_msgid2 | | keyword | -| rsa.misc.p_result1 | | keyword | -| rsa.misc.param | This key is the parameters passed as part of a command or application, etc. | keyword | -| rsa.misc.param_dst | This key captures the command line/launch argument of the target process or file | keyword | -| rsa.misc.param_src | This key captures source parameter | keyword | -| rsa.misc.parent_node | This key captures the Parent Node Name. Must be related to node variable. 
| keyword | -| rsa.misc.password_chg | | keyword | -| rsa.misc.password_expire | | keyword | -| rsa.misc.payload_dst | This key is used to capture destination payload | keyword | -| rsa.misc.payload_src | This key is used to capture source payload | keyword | -| rsa.misc.permgranted | | keyword | -| rsa.misc.permwanted | | keyword | -| rsa.misc.pgid | | keyword | -| rsa.misc.phone | | keyword | -| rsa.misc.pid | | keyword | -| rsa.misc.policy | | keyword | -| rsa.misc.policyUUID | | keyword | -| rsa.misc.policy_id | This key is used to capture the Policy ID only, this should be a numeric value, use policy.name otherwise | keyword | -| rsa.misc.policy_name | This key is used to capture the Policy Name only. | keyword | -| rsa.misc.policy_value | This key captures the contents of the policy. This contains details about the policy | keyword | -| rsa.misc.policy_waiver | | keyword | -| rsa.misc.pool_id | This key captures the identifier (typically numeric field) of a resource pool | keyword | -| rsa.misc.pool_name | This key captures the name of a resource pool | keyword | -| rsa.misc.port_name | This key is used for Physical or logical port connection but does NOT include a network port. (Example: Printer port name). | keyword | -| rsa.misc.priority | | keyword | -| rsa.misc.process_id_val | This key is a failure key for Process ID when it is not an integer value | keyword | -| rsa.misc.prog_asp_num | | keyword | -| rsa.misc.program | | keyword | -| rsa.misc.real_data | | keyword | -| rsa.misc.reason | | keyword | -| rsa.misc.rec_asp_device | | keyword | -| rsa.misc.rec_asp_num | | keyword | -| rsa.misc.rec_library | | keyword | -| rsa.misc.recordnum | | keyword | -| rsa.misc.reference_id | This key is used to capture an event id from the session directly | keyword | -| rsa.misc.reference_id1 | This key is for Linked ID to be used as an addition to "reference.id" | keyword | -| rsa.misc.reference_id2 | This key is for the 2nd Linked ID. 
Can be either linked to "reference.id" or "reference.id1" value but should not be used unless the other two variables are in play. | keyword | -| rsa.misc.result | This key is used to capture the outcome/result string value of an action in a session. | keyword | -| rsa.misc.result_code | This key is used to capture the outcome/result numeric value of an action in a session | keyword | -| rsa.misc.risk | This key captures the non-numeric risk value | keyword | -| rsa.misc.risk_info | Deprecated, use New Hunting Model (inv.\*, ioc, boc, eoc, analysis.\*) | keyword | -| rsa.misc.risk_num | This key captures a Numeric Risk value | double | -| rsa.misc.risk_num_comm | This key captures Risk Number Community | double | -| rsa.misc.risk_num_next | This key captures Risk Number NextGen | double | -| rsa.misc.risk_num_sand | This key captures Risk Number SandBox | double | -| rsa.misc.risk_num_static | This key captures Risk Number Static | double | -| rsa.misc.risk_suspicious | Deprecated, use New Hunting Model (inv.\*, ioc, boc, eoc, analysis.\*) | keyword | -| rsa.misc.risk_warning | Deprecated, use New Hunting Model (inv.\*, ioc, boc, eoc, analysis.\*) | keyword | -| rsa.misc.ruid | | keyword | -| rsa.misc.rule | This key captures the Rule number | keyword | -| rsa.misc.rule_group | This key captures the Rule group name | keyword | -| rsa.misc.rule_name | This key captures the Rule Name | keyword | -| rsa.misc.rule_template | A default set of parameters which are overlayed onto a rule (or rulename) which efffectively constitutes a template | keyword | -| rsa.misc.rule_uid | This key is the Unique Identifier for a rule. | keyword | -| rsa.misc.sburb | | keyword | -| rsa.misc.sdomain_fld | | keyword | -| rsa.misc.search_text | This key captures the Search Text used | keyword | -| rsa.misc.sec | | keyword | -| rsa.misc.second | | keyword | -| rsa.misc.sensor | This key captures Name of the sensor. 
Typically used in IDS/IPS based devices | keyword | -| rsa.misc.sensorname | | keyword | -| rsa.misc.seqnum | | keyword | -| rsa.misc.serial_number | This key is the Serial number associated with a physical asset. | keyword | -| rsa.misc.session | | keyword | -| rsa.misc.sessiontype | | keyword | -| rsa.misc.severity | This key is used to capture the severity given the session | keyword | -| rsa.misc.sigUUID | | keyword | -| rsa.misc.sig_id | This key captures IDS/IPS Int Signature ID | long | -| rsa.misc.sig_id1 | This key captures IDS/IPS Int Signature ID. This must be linked to the sig.id | long | -| rsa.misc.sig_id_str | This key captures a string object of the sigid variable. | keyword | -| rsa.misc.sig_name | This key is used to capture the Signature Name only. | keyword | -| rsa.misc.sigcat | | keyword | -| rsa.misc.snmp_oid | SNMP Object Identifier | keyword | -| rsa.misc.snmp_value | SNMP set request value | keyword | -| rsa.misc.space | | keyword | -| rsa.misc.space1 | | keyword | -| rsa.misc.spi | | keyword | -| rsa.misc.spi_dst | Destination SPI Index | keyword | -| rsa.misc.spi_src | Source SPI Index | keyword | -| rsa.misc.sql | This key captures the SQL query | keyword | -| rsa.misc.srcburb | | keyword | -| rsa.misc.srcdom | | keyword | -| rsa.misc.srcservice | | keyword | -| rsa.misc.state | | keyword | -| rsa.misc.status | | keyword | -| rsa.misc.status1 | | keyword | -| rsa.misc.streams | This key captures number of streams in session | long | -| rsa.misc.subcategory | | keyword | -| rsa.misc.svcno | | keyword | -| rsa.misc.system | | keyword | -| rsa.misc.tbdstr1 | | keyword | -| rsa.misc.tbdstr2 | | keyword | -| rsa.misc.tcp_flags | This key is captures the TCP flags set in any packet of session | long | -| rsa.misc.terminal | This key captures the Terminal Names only | keyword | -| rsa.misc.tgtdom | | keyword | -| rsa.misc.tgtdomain | | keyword | -| rsa.misc.threshold | | keyword | -| rsa.misc.tos | This key describes the type of service | long 
| -| rsa.misc.trigger_desc | This key captures the Description of the trigger or threshold condition. | keyword | -| rsa.misc.trigger_val | This key captures the Value of the trigger or threshold condition. | keyword | -| rsa.misc.type | | keyword | -| rsa.misc.type1 | | keyword | -| rsa.misc.udb_class | | keyword | -| rsa.misc.url_fld | | keyword | -| rsa.misc.user_div | | keyword | -| rsa.misc.userid | | keyword | -| rsa.misc.username_fld | | keyword | -| rsa.misc.utcstamp | | keyword | -| rsa.misc.v_instafname | | keyword | -| rsa.misc.version | This key captures Version of the application or OS which is generating the event. | keyword | -| rsa.misc.virt_data | | keyword | -| rsa.misc.virusname | This key captures the name of the virus | keyword | -| rsa.misc.vm_target | VMWare Target \*\*VMWARE\*\* only varaible. | keyword | -| rsa.misc.vpnid | | keyword | -| rsa.misc.vsys | This key captures Virtual System Name | keyword | -| rsa.misc.vuln_ref | This key captures the Vulnerability Reference details | keyword | -| rsa.misc.workspace | This key captures Workspace Description | keyword | -| rsa.network.ad_computer_dst | Deprecated, use host.dst | keyword | -| rsa.network.addr | | keyword | -| rsa.network.alias_host | This key should be used when the source or destination context of a hostname is not clear.Also it captures the Device Hostname. Any Hostname that isnt ad.computer. 
| keyword | -| rsa.network.dinterface | This key should only be used when it’s a Destination Interface | keyword | -| rsa.network.dmask | This key is used for Destionation Device network mask | keyword | -| rsa.network.dns_a_record | | keyword | -| rsa.network.dns_cname_record | | keyword | -| rsa.network.dns_id | | keyword | -| rsa.network.dns_opcode | | keyword | -| rsa.network.dns_ptr_record | | keyword | -| rsa.network.dns_resp | | keyword | -| rsa.network.dns_type | | keyword | -| rsa.network.domain | | keyword | -| rsa.network.domain1 | | keyword | -| rsa.network.eth_host | Deprecated, use alias.mac | keyword | -| rsa.network.eth_type | This key is used to capture Ethernet Type, Used for Layer 3 Protocols Only | long | -| rsa.network.faddr | | keyword | -| rsa.network.fhost | | keyword | -| rsa.network.fport | | keyword | -| rsa.network.gateway | This key is used to capture the IP Address of the gateway | keyword | -| rsa.network.host_dst | This key should only be used when it’s a Destination Hostname | keyword | -| rsa.network.host_orig | This is used to capture the original hostname in case of a Forwarding Agent or a Proxy in between. | keyword | -| rsa.network.host_type | | keyword | -| rsa.network.icmp_code | This key is used to capture the ICMP code only | long | -| rsa.network.icmp_type | This key is used to capture the ICMP type only | long | -| rsa.network.interface | This key should be used when the source or destination context of an interface is not clear | keyword | -| rsa.network.ip_proto | This key should be used to capture the Protocol number, all the protocol nubers are converted into string in UI | long | -| rsa.network.laddr | | keyword | -| rsa.network.lhost | | keyword | -| rsa.network.linterface | | keyword | -| rsa.network.mask | This key is used to capture the device network IPmask. | keyword | -| rsa.network.netname | This key is used to capture the network name associated with an IP range. This is configured by the end user. 
| keyword | -| rsa.network.network_port | Deprecated, use port. NOTE: There is a type discrepancy as currently used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!) | long | -| rsa.network.network_service | This is used to capture layer 7 protocols/service names | keyword | -| rsa.network.origin | | keyword | -| rsa.network.packet_length | | keyword | -| rsa.network.paddr | Deprecated | ip | -| rsa.network.phost | | keyword | -| rsa.network.port | This key should only be used to capture a Network Port when the directionality is not clear | long | -| rsa.network.protocol_detail | This key should be used to capture additional protocol information | keyword | -| rsa.network.remote_domain_id | | keyword | -| rsa.network.rpayload | This key is used to capture the total number of payload bytes seen in the retransmitted packets. | keyword | -| rsa.network.sinterface | This key should only be used when it’s a Source Interface | keyword | -| rsa.network.smask | This key is used for capturing source Network Mask | keyword | -| rsa.network.vlan | This key should only be used to capture the ID of the Virtual LAN | long | -| rsa.network.vlan_name | This key should only be used to capture the name of the Virtual LAN | keyword | -| rsa.network.zone | This key should be used when the source or destination context of a Zone is not clear | keyword | -| rsa.network.zone_dst | This key should only be used when it’s a Destination Zone. | keyword | -| rsa.network.zone_src | This key should only be used when it’s a Source Zone. | keyword | -| rsa.physical.org_dst | This is used to capture the destination organization based on the GEOPIP Maxmind database. | keyword | -| rsa.physical.org_src | This is used to capture the source organization based on the GEOPIP Maxmind database. 
| keyword | -| rsa.storage.disk_volume | A unique name assigned to logical units (volumes) within a physical disk | keyword | -| rsa.storage.lun | Logical Unit Number.This key is a very useful concept in Storage. | keyword | -| rsa.storage.pwwn | This uniquely identifies a port on a HBA. | keyword | -| rsa.threat.alert | This key is used to capture name of the alert | keyword | -| rsa.threat.threat_category | This key captures Threat Name/Threat Category/Categorization of alert | keyword | -| rsa.threat.threat_desc | This key is used to capture the threat description from the session directly or inferred | keyword | -| rsa.threat.threat_source | This key is used to capture source of the threat | keyword | -| rsa.time.date | | keyword | -| rsa.time.datetime | | keyword | -| rsa.time.day | | keyword | -| rsa.time.duration_str | A text string version of the duration | keyword | -| rsa.time.duration_time | This key is used to capture the normalized duration/lifetime in seconds. | double | -| rsa.time.effective_time | This key is the effective time referenced by an individual event in a Standard Timestamp format | date | -| rsa.time.endtime | This key is used to capture the End time mentioned in a session in a standard form | date | -| rsa.time.event_queue_time | This key is the Time that the event was queued. | date | -| rsa.time.event_time | This key is used to capture the time mentioned in a raw session that represents the actual time an event occured in a standard normalized form | date | -| rsa.time.event_time_str | This key is used to capture the incomplete time mentioned in a session as a string | keyword | -| rsa.time.eventtime | | keyword | -| rsa.time.expire_time | This key is the timestamp that explicitly refers to an expiration. | date | -| rsa.time.expire_time_str | This key is used to capture incomplete timestamp that explicitly refers to an expiration. 
| keyword | -| rsa.time.gmtdate | | keyword | -| rsa.time.gmttime | | keyword | -| rsa.time.hour | | keyword | -| rsa.time.min | | keyword | -| rsa.time.month | | keyword | -| rsa.time.p_date | | keyword | -| rsa.time.p_month | | keyword | -| rsa.time.p_time | | keyword | -| rsa.time.p_time1 | | keyword | -| rsa.time.p_time2 | | keyword | -| rsa.time.p_year | | keyword | -| rsa.time.process_time | Deprecated, use duration.time | keyword | -| rsa.time.recorded_time | The event time as recorded by the system the event is collected from. The usage scenario is a multi-tier application where the management layer of the system records it's own timestamp at the time of collection from its child nodes. Must be in timestamp format. | date | -| rsa.time.stamp | Deprecated key defined only in table map. | date | -| rsa.time.starttime | This key is used to capture the Start time mentioned in a session in a standard form | date | -| rsa.time.timestamp | | keyword | -| rsa.time.timezone | This key is used to capture the timezone of the Event Time | keyword | -| rsa.time.tzone | | keyword | -| rsa.time.year | | keyword | -| rsa.web.alias_host | | keyword | -| rsa.web.cn_asn_dst | | keyword | -| rsa.web.cn_rpackets | | keyword | -| rsa.web.fqdn | Fully Qualified Domain Names | keyword | -| rsa.web.p_url | | keyword | -| rsa.web.p_user_agent | | keyword | -| rsa.web.p_web_cookie | | keyword | -| rsa.web.p_web_method | | keyword | -| rsa.web.p_web_referer | | keyword | -| rsa.web.remote_domain | | keyword | -| rsa.web.reputation_num | Reputation Number of an entity. Typically used for Web Domains | double | -| rsa.web.urlpage | | keyword | -| rsa.web.urlroot | | keyword | -| rsa.web.web_cookie | This key is used to capture the Web cookies specifically. 
| keyword | -| rsa.web.web_extension_tmp | | keyword | -| rsa.web.web_page | | keyword | -| rsa.web.web_ref_domain | Web referer's domain | keyword | -| rsa.web.web_ref_page | This key captures Web referer's page information | keyword | -| rsa.web.web_ref_query | This key captures Web referer's query portion of the URL | keyword | -| rsa.web.web_ref_root | Web referer's root URL path | keyword | -| rsa.wireless.access_point | This key is used to capture the access point name. | keyword | -| rsa.wireless.wlan_channel | This is used to capture the channel names | long | -| rsa.wireless.wlan_name | This key captures either WLAN number/name | keyword | -| rsa.wireless.wlan_ssid | This key is used to capture the ssid of a Wireless Session | keyword | -| rule.name | The name of the rule or signature generating the event. | keyword | -| server.domain | The domain name of the server system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | -| server.registered_domain | The highest registered server domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | -| server.subdomain | The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". 
If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword | -| server.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | -| service.name | Name of the service data is collected from. The name of the service is normally user given. This allows for distributed services that run on multiple hosts to correlate the related instances based on the name. In the case of Elasticsearch the `service.name` could contain the cluster name. For Beats the `service.name` is by default a copy of the `service.type` field if no name is specified. | keyword | -| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| source.as.organization.name | Organization name. | keyword | -| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text | -| source.bytes | Bytes sent from the source to the destination. | long | -| source.domain | The domain name of the source system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | -| source.geo.city_name | City name. 
| keyword | -| source.geo.country_name | Country name. | keyword | -| source.geo.location | Longitude and latitude. | geo_point | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| source.mac | MAC address of the source. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | -| source.nat.ip | Translated ip of source based NAT sessions (e.g. internal client to internet) Typically connections traversing load balancers, firewalls, or routers. | ip | -| source.nat.port | Translated port of source based NAT sessions. (e.g. internal client to internet) Typically used with load balancers, firewalls, or routers. | long | -| source.port | Port of the source. | long | -| source.registered_domain | The highest registered source domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | -| source.subdomain | The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword | -| source.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. 
For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | -| tags | List of keywords used to tag each event. | keyword | -| url.domain | Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. | keyword | -| url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | wildcard | -| url.original.text | Multi-field of `url.original`. | match_only_text | -| url.path | Path of the request, such as "/search". | wildcard | -| url.query | The query field describes the query string of the request, such as "q=elasticsearch". The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. | keyword | -| url.registered_domain | The highest registered url domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". 
| keyword | -| url.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | -| user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword | -| user.full_name | User's full name, if available. | keyword | -| user.full_name.text | Multi-field of `user.full_name`. | match_only_text | -| user.id | Unique identifier of the user. | keyword | -| user.name | Short name or login of the user. | keyword | -| user.name.text | Multi-field of `user.name`. | match_only_text | -| user_agent.original | Unparsed user_agent string. | keyword | -| user_agent.original.text | Multi-field of `user_agent.original`. | match_only_text | - diff --git a/packages/juniper_netscreen/0.4.2/img/logo.svg b/packages/juniper_netscreen/0.4.2/img/logo.svg deleted file mode 100755 index 8802414a5a..0000000000 --- a/packages/juniper_netscreen/0.4.2/img/logo.svg +++ /dev/null @@ -1,72 +0,0 @@ - -image/svg+xml \ No newline at end of file diff --git a/packages/juniper_netscreen/0.4.2/manifest.yml b/packages/juniper_netscreen/0.4.2/manifest.yml deleted file mode 100755 index d8dec96133..0000000000 --- a/packages/juniper_netscreen/0.4.2/manifest.yml +++ /dev/null 
@@ -1,32 +0,0 @@ -format_version: 1.0.0 -name: juniper_netscreen -title: Juniper NetScreen -version: "0.4.2" -description: Collect logs from Juniper NetScreen with Elastic Agent. -categories: ["network", "security"] -release: experimental -license: basic -type: integration -conditions: - kibana.version: "^8.0.0" -policy_templates: - - name: juniper - title: Juniper NetScreen logs - description: Collect Juniper NetScreen logs from syslog or a file. - inputs: - - type: udp - title: Collect logs from Juniper NetScreen via UDP - description: Collecting syslog from Juniper NetScreen via UDP. - - type: tcp - title: Collect logs from Juniper NetScreen via TCP - description: Collecting syslog from Juniper NetScreen via TCP. - - type: filestream - title: Collect logs from Juniper NetScreen via file - description: Collecting syslog from Juniper NetScreen via file. -icons: - - src: /img/logo.svg - title: Juniper logo - size: 32x32 - type: image/svg+xml -owner: - github: elastic/security-external-integrations diff --git a/packages/juniper_srx/1.5.2/LICENSE.txt b/packages/juniper_srx/1.5.2/LICENSE.txt deleted file mode 100755 index 809108b857..0000000000 --- a/packages/juniper_srx/1.5.2/LICENSE.txt +++ /dev/null 
@@ -1,93 +0,0 @@
-Elastic License 2.0
-
-URL: https://www.elastic.co/licensing/elastic-license
-
-## Acceptance
-
-By using the software, you agree to all of the terms and conditions below.
-
-## Copyright License
-
-The licensor grants you a non-exclusive, royalty-free, worldwide,
-non-sublicensable, non-transferable license to use, copy, distribute, make
-available, and prepare derivative works of the software, in each case subject to
-the limitations and conditions below.
-
-## Limitations
-
-You may not provide the software to third parties as a hosted or managed
-service, where the service provides users with access to any substantial set of
-the features or functionality of the software.
-
-You may not move, change, disable, or circumvent the license key functionality
-in the software, and you may not remove or obscure any functionality in the
-software that is protected by the license key.
-
-You may not alter, remove, or obscure any licensing, copyright, or other notices
-of the licensor in the software. Any use of the licensor’s trademarks is subject
-to applicable law.
-
-## Patents
-
-The licensor grants you a license, under any patent claims the licensor can
-license, or becomes able to license, to make, have made, use, sell, offer for
-sale, import and have imported the software, in each case subject to the
-limitations and conditions in this license. This license does not cover any
-patent claims that you cause to be infringed by modifications or additions to
-the software. If you or your company make any written claim that the software
-infringes or contributes to infringement of any patent, your patent license for
-the software granted under these terms ends immediately. If your company makes
-such a claim, your patent license ends immediately for work on behalf of your
-company.
-
-## Notices
-
-You must ensure that anyone who gets a copy of any part of the software from you
-also gets a copy of these terms.
-
-If you modify the software, you must include in any modified copies of the
-software prominent notices stating that you have modified the software.
-
-## No Other Rights
-
-These terms do not imply any licenses other than those expressly granted in
-these terms.
-
-## Termination
-
-If you use the software in violation of these terms, such use is not licensed,
-and your licenses will automatically terminate. If the licensor provides you
-with a notice of your violation, and you cease all violation of this license no
-later than 30 days after you receive that notice, your licenses will be
-reinstated retroactively. However, if you violate these terms after such
-reinstatement, any additional violation of these terms will cause your licenses
-to terminate automatically and permanently.
-
-## No Liability
-
-*As far as the law allows, the software comes as is, without any warranty or
-condition, and the licensor will not be liable to you for any damages arising
-out of these terms or the use or nature of the software, under any kind of
-legal claim.*
-
-## Definitions
-
-The **licensor** is the entity offering these terms, and the **software** is the
-software the licensor makes available under these terms, including any portion
-of it.
-
-**you** refers to the individual or entity agreeing to these terms.
-
-**your company** is any legal entity, sole proprietorship, or other kind of
-organization that you work for, plus all organizations that have control over,
-are under the control of, or are under common control with that
-organization. **control** means ownership of substantially all the assets of an
-entity, or the power to direct its management and policies by vote, contract, or
-otherwise. Control can be direct or indirect.
-
-**your licenses** are all the licenses granted to you for the software under
-these terms.
-
-**use** means anything you do with the software requiring one of your licenses.
-
-**trademark** means trademarks, service marks, and similar rights.
diff --git a/packages/juniper_srx/1.5.2/changelog.yml b/packages/juniper_srx/1.5.2/changelog.yml
deleted file mode 100755
index 401ebe8377..0000000000
--- a/packages/juniper_srx/1.5.2/changelog.yml
+++ /dev/null
@@ -1,66 +0,0 @@ -# newer versions go on top -- version: "1.5.2" - changes: - - description: Remove duplicate field. - type: bugfix - link: https://github.com/elastic/integrations/issues/4327 -- version: "1.5.1" - changes: - - description: Use ECS geo.location definition. - type: enhancement - link: https://github.com/elastic/integrations/issues/4227 -- version: "1.5.0" - changes: - - description: Update package to ECS 8.4.0 - type: enhancement - link: https://github.com/elastic/integrations/pull/3867 -- version: "1.4.1" - changes: - - description: Improve TCP, SSL config description and example. - type: enhancement - link: https://github.com/elastic/integrations/pull/3763 -- version: "1.4.0" - changes: - - description: Update package to ECS 8.3.0. - type: enhancement - link: https://github.com/elastic/integrations/pull/3353 -- version: "1.3.1" - changes: - - description: Add link to juniper documentation - type: enhancement - link: https://github.com/elastic/integrations/pull/3135 -- version: "1.3.0" - changes: - - description: Add TLS and custom options support to TCP input - type: enhancement - link: https://github.com/elastic/integrations/pull/3320 -- version: "1.2.0" - changes: - - description: Update to ECS 8.2 - type: enhancement - link: https://github.com/elastic/integrations/pull/2779 -- version: "1.1.2" - changes: - - description: Add documentation for multi-fields - type: enhancement - link: https://github.com/elastic/integrations/pull/2916 -- version: "1.1.1" - changes: - - description: Add Ingest Pipeline script to map IANA Protocol Numbers - type: bugfix - link: https://github.com/elastic/integrations/pull/2470 -- version: "1.1.0" - changes: - - description: Update to ECS 8.0 - type: enhancement - link: https://github.com/elastic/integrations/pull/2418 -- version: "1.0.1" - changes: - - description: Change test public IPs to the supported subset - type: bugfix - link: https://github.com/elastic/integrations/pull/2327 -- version: "1.0.0" - changes: - - 
description: Initial release of new package split from oroginal Juniper package - type: enhancement # can be one of: enhancement, bugfix, breaking-change - link: https://github.com/elastic/integrations/pull/2068 diff --git a/packages/juniper_srx/1.5.2/data_stream/log/agent/stream/logfile.yml.hbs b/packages/juniper_srx/1.5.2/data_stream/log/agent/stream/logfile.yml.hbs deleted file mode 100755 index 6bafca7cc9..0000000000 --- a/packages/juniper_srx/1.5.2/data_stream/log/agent/stream/logfile.yml.hbs +++ /dev/null @@ -1,20 +0,0 @@ -paths: -{{#each paths as |path i|}} - - {{path}} -{{/each}} -prospector.scanner.exclude_files: ['\.gz$'] -tags: -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#each tags as |tag i|}} - - {{tag}} -{{/each}} -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} -processors: -{{#if processors}} -{{processors}} -{{/if}} -- add_locale: ~ diff --git a/packages/juniper_srx/1.5.2/data_stream/log/agent/stream/tcp.yml.hbs b/packages/juniper_srx/1.5.2/data_stream/log/agent/stream/tcp.yml.hbs deleted file mode 100755 index 12309d4b4e..0000000000 --- a/packages/juniper_srx/1.5.2/data_stream/log/agent/stream/tcp.yml.hbs +++ /dev/null @@ -1,22 +0,0 @@ -host: "{{syslog_host}}:{{syslog_port}}" -tags: -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#each tags as |tag i|}} - - {{tag}} -{{/each}} -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} -{{#if ssl}} -ssl: {{ssl}} -{{/if}} -processors: -{{#if processors}} -{{processors}} -{{/if}} -- add_locale: ~ -{{#if tcp_options}} -{{tcp_options}} -{{/if}} diff --git a/packages/juniper_srx/1.5.2/data_stream/log/agent/stream/udp.yml.hbs b/packages/juniper_srx/1.5.2/data_stream/log/agent/stream/udp.yml.hbs deleted file mode 100755 index 0696ac9d89..0000000000 --- a/packages/juniper_srx/1.5.2/data_stream/log/agent/stream/udp.yml.hbs +++ /dev/null 
@@ -1,16 +0,0 @@ -host: "{{syslog_host}}:{{syslog_port}}" -tags: -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#each tags as |tag i|}} - - {{tag}} -{{/each}} -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} -processors: -{{#if processors}} -{{processors}} -{{/if}} -- add_locale: ~ diff --git a/packages/juniper_srx/1.5.2/data_stream/log/elasticsearch/ingest_pipeline/atp.yml b/packages/juniper_srx/1.5.2/data_stream/log/elasticsearch/ingest_pipeline/atp.yml deleted file mode 100755 index 44d01d3639..0000000000 --- a/packages/juniper_srx/1.5.2/data_stream/log/elasticsearch/ingest_pipeline/atp.yml +++ /dev/null 
@@ -1,364 +0,0 @@ ---- -description: Pipeline for parsing junipersrx firewall logs (atp pipeline) -processors: -####################### -## ECS Event Mapping ## -####################### -- set: - field: event.kind - value: event -- set: - field: event.outcome - value: success - if: "ctx.juniper?.srx?.tag != null" -- append: - field: event.category - value: network -- set: - field: event.kind - value: alert - if: '["SRX_AAMW_ACTION_LOG", "AAMW_MALWARE_EVENT_LOG", "AAMW_HOST_INFECTED_EVENT_LOG", "AAMW_ACTION_LOG"].contains(ctx.juniper?.srx?.tag) && ctx.juniper?.srx?.action != "PERMIT"' -- append: - field: event.category - value: malware - if: '["SRX_AAMW_ACTION_LOG", "AAMW_MALWARE_EVENT_LOG", "AAMW_HOST_INFECTED_EVENT_LOG", "AAMW_ACTION_LOG"].contains(ctx.juniper?.srx?.tag) && ctx.juniper?.srx?.action != "PERMIT"' -- append: - field: event.type - value: - - info - - denied - - connection - if: "ctx.juniper?.srx?.action == 'BLOCK' || ctx.juniper?.srx?.tag == 'AAMW_MALWARE_EVENT_LOG'" -- append: - field: event.type - value: - - allowed - - connection - if: "ctx.juniper?.srx?.action != 'BLOCK' && ctx.juniper?.srx?.tag != 'AAMW_MALWARE_EVENT_LOG'" -- set: - field: event.action - value: malware_detected - if: "ctx.juniper?.srx?.action == 'BLOCK' || ctx.juniper?.srx?.tag == 'AAMW_MALWARE_EVENT_LOG'" - - -#################################### -## ECS Server/Destination Mapping ## -#################################### -- rename: - field: juniper.srx.destination_address - target_field: destination.ip - ignore_missing: true - if: "ctx.juniper?.srx?.destination_address != null" -- set: - field: server.ip - value: '{{destination.ip}}' - if: "ctx.destination?.ip != null" -- rename: - field: juniper.srx.nat_destination_address - target_field: destination.nat.ip - ignore_missing: true - if: "ctx.juniper?.srx?.nat_destination_address != null" -- convert: - field: juniper.srx.destination_port - target_field: destination.port - type: long - ignore_failure: true - ignore_missing: true - 
if: "ctx.juniper?.srx?.destination_port != null" -- set: - field: server.port - value: '{{destination.port}}' - if: "ctx.destination?.port != null" -- convert: - field: server.port - target_field: server.port - type: long - ignore_failure: true - ignore_missing: true - if: "ctx.server?.port != null" -- convert: - field: juniper.srx.nat_destination_port - target_field: destination.nat.port - type: long - ignore_failure: true - ignore_missing: true - if: "ctx.juniper?.srx?.nat_destination_port != null" -- set: - field: server.nat.port - value: '{{destination.nat.port}}' - if: "ctx.destination?.nat?.port != null" -- convert: - field: server.nat.port - target_field: server.nat.port - type: long - ignore_failure: true - ignore_missing: true - if: "ctx.server?.nat?.port != null" -- convert: - field: juniper.srx.bytes_from_server - target_field: destination.bytes - type: long - ignore_failure: true - ignore_missing: true - if: "ctx.juniper?.srx?.bytes_from_server != null" -- set: - field: server.bytes - value: '{{destination.bytes}}' - if: "ctx.destination?.bytes != null" -- convert: - field: server.bytes - target_field: server.bytes - type: long - ignore_failure: true - ignore_missing: true - if: "ctx.server?.bytes != null" -- convert: - field: juniper.srx.packets_from_server - target_field: destination.packets - type: long - ignore_failure: true - ignore_missing: true - if: "ctx.juniper?.srx?.packets_from_server != null" -- set: - field: server.packets - value: '{{destination.packets}}' - if: "ctx.destination?.packets != null" -- convert: - field: server.packets - target_field: server.packets - type: long - ignore_failure: true - ignore_missing: true - if: "ctx.server?.packets != null" - -############################### -## ECS Client/Source Mapping ## -############################### -- rename: - field: juniper.srx.source_address - target_field: source.ip - ignore_missing: true - if: "ctx.juniper?.srx?.source_address != null" -- set: - field: client.ip - value: 
'{{source.ip}}' - if: "ctx.source?.ip != null" -- rename: - field: juniper.srx.nat_source_address - target_field: source.nat.ip - ignore_missing: true - if: "ctx.juniper?.srx?.nat_source_address != null" -- rename: - field: juniper.srx.sourceip - target_field: source.ip - ignore_missing: true - if: "ctx.juniper?.srx?.sourceip != null" -- convert: - field: juniper.srx.source_port - target_field: source.port - type: long - ignore_failure: true - ignore_missing: true - if: "ctx.juniper?.srx?.source_port != null" -- set: - field: client.port - value: '{{source.port}}' - if: "ctx.source?.port != null" -- convert: - field: client.port - target_field: client.port - type: long - ignore_failure: true - ignore_missing: true - if: "ctx.client?.port != null" -- convert: - field: juniper.srx.nat_source_port - target_field: source.nat.port - type: long - ignore_failure: true - ignore_missing: true - if: "ctx.juniper?.srx?.nat_source_port != null" -- set: - field: client.nat.port - value: '{{source.nat.port}}' - if: "ctx.source?.nat?.port != null" -- convert: - field: client.nat.port - target_field: client.nat.port - type: long - ignore_failure: true - ignore_missing: true - if: "ctx.client?.nat?.port != null" -- convert: - field: juniper.srx.bytes_from_client - target_field: source.bytes - type: long - ignore_failure: true - ignore_missing: true - if: "ctx.juniper?.srx?.bytes_from_client != null" -- set: - field: client.bytes - value: '{{source.bytes}}' - if: "ctx.source?.bytes != null" -- convert: - field: client.bytes - target_field: client.bytes - type: long - ignore_failure: true - ignore_missing: true - if: "ctx.client?.bytes != null" -- convert: - field: juniper.srx.packets_from_client - target_field: source.packets - type: long - ignore_failure: true - ignore_missing: true - if: "ctx.juniper?.srx?.packets_from_client != null" -- set: - field: client.packets - value: '{{source.packets}}' - if: "ctx.source?.packets != null" -- convert: - field: client.packets - 
target_field: client.packets
- type: long
- ignore_failure: true
- ignore_missing: true
- if: "ctx.client?.packets != null"
-- rename:
- field: juniper.srx.username
- target_field: source.user.name
- ignore_missing: true
- if: "ctx.juniper?.srx?.username != null"
-- rename:
- field: juniper.srx.hostname
- target_field: source.domain
- ignore_missing: true
- if: "ctx.juniper?.srx?.hostname != null"
-- rename:
- field: juniper.srx.client_ip
- target_field: source.ip
- ignore_missing: true
- if: "ctx.juniper?.srx?.client_ip != null"
-
-######################
-## ECS URL Mapping ##
-######################
-- rename:
- field: juniper.srx.http_host
- target_field: url.domain
- ignore_missing: true
- if: "ctx.juniper?.srx?.http_host != null"
-
-#############################
-## ECS Network/Geo Mapping ##
-#############################
-- rename:
- field: juniper.srx.protocol_id
- target_field: network.iana_number
- ignore_missing: true
- if: "ctx.juniper?.srx?.protocol_id != null"
-- geoip:
- field: source.ip
- target_field: source.geo
- ignore_missing: true
- if: "ctx.source?.geo == null"
-- geoip:
- field: destination.ip
- target_field: destination.geo
- ignore_missing: true
- if: "ctx.destination?.geo == null"
-- geoip:
- database_file: GeoLite2-ASN.mmdb
- field: source.ip
- target_field: source.as
- properties:
- - asn
- - organization_name
- ignore_missing: true
-- geoip:
- database_file: GeoLite2-ASN.mmdb
- field: destination.ip
- target_field: destination.as
- properties:
- - asn
- - organization_name
- ignore_missing: true
-- geoip:
- field: source.nat.ip
- target_field: source.geo
- ignore_missing: true
- if: "ctx.source?.geo == null"
-- geoip:
- field: destination.nat.ip
- target_field: destination.geo
- ignore_missing: true
- if: "ctx.destination?.geo == null"
-- geoip:
- database_file: GeoLite2-ASN.mmdb
- field: source.nat.ip
- target_field: source.as
- properties:
- - asn
- - organization_name
- ignore_missing: true
- if: "ctx.source?.as == null"
-- geoip:
-
database_file: GeoLite2-ASN.mmdb
- field: destination.nat.ip
- target_field: destination.as
- properties:
- - asn
- - organization_name
- ignore_missing: true
- if: "ctx.destination?.as == null"
-- rename:
- field: source.as.asn
- target_field: source.as.number
- ignore_missing: true
-- rename:
- field: source.as.organization_name
- target_field: source.as.organization.name
- ignore_missing: true
-- rename:
- field: destination.as.asn
- target_field: destination.as.number
- ignore_missing: true
-- rename:
- field: destination.as.organization_name
- target_field: destination.as.organization.name
- ignore_missing: true
-###############
-## Timestamp ##
-###############
-- date:
- if: 'ctx.juniper.srx?.timestamp != null'
- field: juniper.srx.timestamp
- target_field: juniper.srx.timestamp
- formats:
- - 'EEE MMM dd HH:mm:ss yyyy'
- - 'EEE MMM d HH:mm:ss yyyy'
- on_failure:
- - remove:
- field:
- - juniper.srx.timestamp
-
-#############
-## Cleanup ##
-#############
-- remove:
- field:
- - juniper.srx.destination_port
- - juniper.srx.nat_destination_port
- - juniper.srx.bytes_from_client
- - juniper.srx.packets_from_client
- - juniper.srx.source_port
- - juniper.srx.nat_source_port
- - juniper.srx.bytes_from_server
- - juniper.srx.packets_from_server
- ignore_missing: true
-
-on_failure:
-- set:
- field: error.message
- value: '{{ _ingest.on_failure_message }}'
diff --git a/packages/juniper_srx/1.5.2/data_stream/log/elasticsearch/ingest_pipeline/default.yml b/packages/juniper_srx/1.5.2/data_stream/log/elasticsearch/ingest_pipeline/default.yml
deleted file mode 100755
index f9086cb5e8..0000000000
--- a/packages/juniper_srx/1.5.2/data_stream/log/elasticsearch/ingest_pipeline/default.yml
+++ /dev/null
@@ -1,321 +0,0 @@
----
-# This module only supports syslog messages in the format "structured-data + brief"
-# https://www.juniper.net/documentation/en_US/junos/topics/reference/configuration-statement/structured-data-edit-system.html
-description: Pipeline for parsing junipersrx firewall logs
-processors:
- - set:
- field: ecs.version
- value: '8.4.0'
- - rename:
- field: message
- target_field: event.original
- ignore_missing: true
- - grok:
- field: event.original
- patterns:
- - '^<%{POSINT:syslog_pri}>(\d{1,3}\s)?(?:%{TIMESTAMP_ISO8601:_temp_.raw_date})\s%{SYSLOGHOST:syslog_hostname}\s%{PROG:syslog_program}\s(?:%{POSINT:syslog_pid}|-)?\s%{WORD:log_type}\s\[.+?\s%{GREEDYDATA:_temp_.original}\]$'
-
-# split Juniper-SRX fields
- - kv:
- field: _temp_.original
- field_split: " (?=[a-z0-9\\_\\-]+=)"
- value_split: "="
- prefix: "juniper.srx."
- ignore_missing: true
- ignore_failure: false
- trim_value: "\""
-
-# Converts all kebab-case key names to snake_case
- - script:
- lang: painless
- source: >-
- ctx.juniper.srx = ctx?.juniper?.srx.entrySet().stream().collect(Collectors.toMap(e -> e.getKey().replace('-', '_'), e -> e.getValue()));
-
-#
-# Parse the date
-#
- - date:
- if: "ctx?.event?.timezone == null"
- field: _temp_.raw_date
- target_field: "@timestamp"
- formats:
- - yyyy-MM-dd HH:mm:ss
- - yyyy-MM-dd HH:mm:ss z
- - yyyy-MM-dd HH:mm:ss Z
- - ISO8601
- - date:
- if: "ctx?.event?.timezone != null"
- timezone: "{{ event.timezone }}"
- field: _temp_.raw_date
- target_field: "@timestamp"
- formats:
- - yyyy-MM-dd HH:mm:ss
- - yyyy-MM-dd HH:mm:ss z
- - yyyy-MM-dd HH:mm:ss Z
- - ISO8601
-
-# Can possibly be omitted if there is a solution for the equal signs and the calculation of the start time.
-# -> juniper.srx.elapsed_time
- - rename:
- field: juniper.srx.elapsed_time
- target_field: juniper.srx.duration
- if: "ctx?.juniper?.srx?.elapsed_time != null"
-
-# Sets starts, end and duration when start and duration is known
- - script:
- lang: painless
- if: ctx?.juniper?.srx?.duration != null
- source: >-
- ctx.event.duration = Integer.parseInt(ctx.juniper.srx.duration) * 1000000000L;
- ctx.event.start = ctx['@timestamp'];
- ZonedDateTime start = ZonedDateTime.parse(ctx.event.start);
- ctx.event.end = start.plus(ctx.event.duration, ChronoUnit.NANOS);
-
-# Removes all empty fields
- - script:
- lang: painless
- params:
- values:
- - "None"
- - "UNKNOWN"
- - "N/A"
- - "-"
- source: >-
- ctx?.juniper?.srx.entrySet().removeIf(entry -> params.values.contains(entry.getValue()));
-
-#######################
-## ECS Event Mapping ##
-#######################
- - convert:
- field: syslog_pri
- type: long
- target_field: event.severity
- ignore_failure: true
-
-#####################
-## ECS Log Mapping ##
-#####################
-# https://www.juniper.net/documentation/en_US/junos/topics/reference/general/syslog-interpreting-msg-generated-structured-data-format.html#fac_sev_codes
- - set:
- field: "log.level"
- if: '["0", "8", "16", "24", "32", "40", "48", "56", "64", "72", "80", "88", "96", "104", "112", "128", "136", "144", "152", "160", "168", "176", "184"].contains(ctx.syslog_pri)'
- value: emergency
- - set:
- field: "log.level"
- if: '["1", "9", "17", "25", "33", "41", "49", "57", "65", "73", "81", "89", "97", "105", "113", "129", "137", "145", "153", "161", "169", "177", "185"].contains(ctx.syslog_pri)'
- value: alert
- - set:
- field: "log.level"
- if: '["2", "10", "18", "26", "34", "42", "50", "58", "66", "74", "82", "90", "98", "106", "114", "130", "138", "146", "154", "162", "170", "178", "186"].contains(ctx.syslog_pri)'
- value: critical
- - set:
- field: "log.level"
- if: '["3", "11", "19", "27", "35", "43", "51", "59", "67", "75", "83", "91", "99", "107",
"115", "131", "139", "147", "155", "163", "171", "179", "187"].contains(ctx.syslog_pri)' - value: error - - set: - field: "log.level" - if: '["4", "12", "20", "28", "36", "44", "52", "60", "68", "76", "84", "92", "100", "108", "116", "132", "140", "148", "156", "164", "172", "180", "188"].contains(ctx.syslog_pri)' - value: warning - - set: - field: "log.level" - if: '["5", "13", "21", "29", "37", "45", "53", "61", "69", "77", "85", "93", "101", "109", "117", "133", "141", "149", "157", "165", "173", "181", "189"].contains(ctx.syslog_pri)' - value: notification - - set: - field: "log.level" - if: '["6", "14", "22", "30", "38", "46", "54", "62", "70", "78", "86", "94", "102", "110", "118", "134", "142", "150", "158", "166", "174", "182", "190"].contains(ctx.syslog_pri)' - value: informational - - set: - field: "log.level" - if: '["7", "15", "23", "31", "39", "47", "55", "63", "71", "79", "87", "95", "103", "111", "119", "135", "143", "151", "159", "167", "175", "183", "191"].contains(ctx.syslog_pri)' - value: debug - -########################## -## ECS Observer Mapping ## -########################## - - set: - field: observer.vendor - value: Juniper - - set: - field: observer.product - value: SRX - - set: - field: observer.type - value: firewall - - rename: - field: syslog_hostname - target_field: observer.name - ignore_missing: true - - rename: - field: juniper.srx.packet_incoming_interface - target_field: observer.ingress.interface.name - ignore_missing: true - - rename: - field: juniper.srx.destination_interface_name - target_field: observer.egress.interface.name - ignore_missing: true - - rename: - field: juniper.srx.source_interface_name - target_field: observer.ingress.interface.name - ignore_missing: true - - rename: - field: juniper.srx.interface_name - target_field: observer.ingress.interface.name - ignore_missing: true - - rename: - field: juniper.srx.source_zone_name - target_field: observer.ingress.zone - ignore_missing: true - - rename: - field: 
juniper.srx.source_zone
- target_field: observer.ingress.zone
- ignore_missing: true
- - rename:
- field: juniper.srx.destination_zone_name
- target_field: observer.egress.zone
- ignore_missing: true
- - rename:
- field: juniper.srx.destination_zone
- target_field: observer.egress.zone
- ignore_missing: true
- - rename:
- field: syslog_program
- target_field: juniper.srx.process
- ignore_missing: true
- - rename:
- field: log_type
- target_field: juniper.srx.tag
- ignore_missing: true
-
-
-#############
-## Cleanup ##
-#############
- - remove:
- field:
- - message
- - _temp_
- - juniper.srx.duration
- - juniper.srx.dir_disp
- - juniper.srx.srczone
- - juniper.srx.dstzone
- - juniper.srx.duration
- - syslog_pri
- ignore_missing: true
-
-################################
-## Product Specific Pipelines ##
-################################
- - pipeline:
- name: '{{ IngestPipeline "flow" }}'
- if: "ctx.juniper?.srx?.process == 'RT_FLOW'"
- - pipeline:
- name: '{{ IngestPipeline "utm" }}'
- if: "ctx.juniper?.srx?.process == 'RT_UTM'"
- - pipeline:
- name: '{{ IngestPipeline "idp" }}'
- if: "ctx.juniper?.srx?.process == 'RT_IDP'"
- - pipeline:
- name: '{{ IngestPipeline "ids" }}'
- if: "ctx.juniper?.srx?.process == 'RT_IDS'"
- - pipeline:
- name: '{{ IngestPipeline "atp" }}'
- if: "ctx.juniper?.srx?.process == 'RT_AAMW'"
- - pipeline:
- name: '{{ IngestPipeline "secintel" }}'
- if: "ctx.juniper?.srx?.process == 'RT_SECINTEL'"
- - script:
- lang: painless
- ignore_failure: true
- if: ctx?.network?.iana_number != null
- source: |
- def iana_number = ctx.network.iana_number;
- if (iana_number == '0') {
- ctx.network.transport = 'hopopt';
- } else if (iana_number == '1') {
- ctx.network.transport = 'icmp';
- } else if (iana_number == '2') {
- ctx.network.transport = 'igmp';
- } else if (iana_number == '6') {
- ctx.network.transport = 'tcp';
- } else if (iana_number == '8') {
- ctx.network.transport = 'egp';
- } else if (iana_number == '17') {
- ctx.network.transport = 'udp';
- } else if (iana_number == '47') {
- ctx.network.transport = 'gre';
- } else if (iana_number == '50') {
- ctx.network.transport = 'esp';
- } else if (iana_number == '58') {
- ctx.network.transport = 'ipv6-icmp';
- } else if (iana_number == '112') {
- ctx.network.transport = 'vrrp';
- } else if (iana_number == '132') {
- ctx.network.transport = 'sctp';
- }
-
-#########################
-## ECS Related Mapping ##
-#########################
- - append:
- if: 'ctx.source?.ip != null'
- field: related.ip
- value: '{{source.ip}}'
- ignore_failure: true
- allow_duplicates: false
- - append:
- if: 'ctx.destination?.ip != null'
- field: related.ip
- value: '{{destination.ip}}'
- ignore_failure: true
- allow_duplicates: false
- - append:
- if: 'ctx.source?.nat?.ip != null'
- field: related.ip
- value: '{{source.nat.ip}}'
- ignore_failure: true
- allow_duplicates: false
- - append:
- if: 'ctx?.destination?.nat?.ip != null'
- field: related.ip
- value: '{{destination.nat.ip}}'
- ignore_failure: true
- allow_duplicates: false
- - append:
- if: 'ctx.url?.domain != null'
- field: related.hosts
- value: '{{url.domain}}'
- ignore_failure: true
- allow_duplicates: false
- - append:
- if: 'ctx.source?.domain != null'
- field: related.hosts
- value: '{{source.domain}}'
- ignore_failure: true
- allow_duplicates: false
- - append:
- if: 'ctx.destination?.domain != null'
- field: related.hosts
- value: '{{destination.domain}}'
- ignore_failure: true
- allow_duplicates: false
- - append:
- if: 'ctx?.source?.user?.name != null'
- field: related.user
- value: '{{source.user.name}}'
- ignore_failure: true
- allow_duplicates: false
- - append:
- if: 'ctx?.destination?.user?.name != null'
- field: related.user
- value: '{{destination.user.name}}'
- ignore_failure: true
- allow_duplicates: false
- - remove:
- field: event.original
- if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))"
- ignore_failure: true
- ignore_missing: true
-on_failure:
- - set:
- field:
error.message
- value: '{{ _ingest.on_failure_message }}'
diff --git a/packages/juniper_srx/1.5.2/data_stream/log/elasticsearch/ingest_pipeline/flow.yml b/packages/juniper_srx/1.5.2/data_stream/log/elasticsearch/ingest_pipeline/flow.yml
deleted file mode 100755
index bf9fcbeb05..0000000000
--- a/packages/juniper_srx/1.5.2/data_stream/log/elasticsearch/ingest_pipeline/flow.yml
+++ /dev/null
@@ -1,363 +0,0 @@
----
-description: Pipeline for parsing junipersrx firewall logs (flow pipeline)
-processors:
-#######################
-## ECS Event Mapping ##
-#######################
-- set:
- field: event.kind
- value: event
-- set:
- field: event.outcome
- value: success
- if: "ctx.juniper?.srx?.tag != null"
-- append:
- field: event.category
- value: network
-- convert:
- field: juniper.srx.application_risk
- type: float
- target_field: event.risk_score
- ignore_missing: true
- ignore_failure: true
-- append:
- field: event.type
- value:
- - start
- - allowed
- - connection
- if: "ctx.juniper?.srx?.tag.endsWith('CREATE') || ctx.juniper?.srx?.tag.endsWith('UPDATE') || ctx.juniper?.srx?.tag.endsWith('CREATE_LS') || ctx.juniper?.srx?.tag.endsWith('UPDATE_LS')"
-- append:
- field: event.type
- value:
- - end
- - allowed
- - connection
- if: "ctx.juniper?.srx?.tag.endsWith('CLOSE') || ctx.juniper?.srx?.tag.endsWith('CLOSE_LS')"
-- append:
- field: event.type
- value:
- - denied
- - connection
- if: "ctx.juniper?.srx?.tag.endsWith('DENY') || ctx.juniper?.srx?.tag.endsWith('DENY_LS')"
-- set:
- field: event.action
- value: flow_started
- if: "ctx.juniper?.srx?.tag.endsWith('CREATE') || ctx.juniper?.srx?.tag.endsWith('UPDATE') || ctx.juniper?.srx?.tag.endsWith('CREATE_LS') || ctx.juniper?.srx?.tag.endsWith('UPDATE_LS')"
-- set:
- field: event.action
- value: flow_close
- if: "ctx.juniper?.srx?.tag.endsWith('CLOSE') || ctx.juniper?.srx?.tag.endsWith('CLOSE_LS')"
-- set:
- field: event.action
- value: flow_deny
- if: "ctx.juniper?.srx?.tag.endsWith('DENY') || ctx.juniper?.srx?.tag.endsWith('DENY_LS')"
-
-####################################
-## ECS Server/Destination Mapping ##
-####################################
-- rename:
- field: juniper.srx.destination_address
- target_field: destination.ip
- ignore_missing: true
- if: "ctx.juniper?.srx?.destination_address != null"
-- set:
- field: server.ip
- value: '{{destination.ip}}'
- if: "ctx.destination?.ip != null"
--
rename:
- field: juniper.srx.nat_destination_address
- target_field: destination.nat.ip
- ignore_missing: true
- if: "ctx.juniper?.srx?.nat_destination_address != null"
-- convert:
- field: juniper.srx.destination_port
- target_field: destination.port
- type: long
- ignore_failure: true
- ignore_missing: true
- if: "ctx.juniper?.srx?.destination_port != null"
-- set:
- field: server.port
- value: '{{destination.port}}'
- if: "ctx?.destination?.port != null"
-- convert:
- field: server.port
- target_field: server.port
- type: long
- ignore_failure: true
- ignore_missing: true
- if: "ctx.server?.port != null"
-- convert:
- field: juniper.srx.nat_destination_port
- target_field: destination.nat.port
- type: long
- ignore_failure: true
- ignore_missing: true
- if: "ctx.juniper?.srx?.nat_destination_port != null"
-- set:
- field: server.nat.port
- value: '{{destination.nat.port}}'
- if: "ctx.destination?.nat?.port != null"
-- convert:
- field: server.nat.port
- target_field: server.nat.port
- type: long
- ignore_failure: true
- ignore_missing: true
- if: "ctx.server?.nat?.port != null"
-- convert:
- field: juniper.srx.bytes_from_server
- target_field: destination.bytes
- type: long
- ignore_failure: true
- ignore_missing: true
- if: "ctx.juniper?.srx?.bytes_from_server != null"
-- set:
- field: server.bytes
- value: '{{destination.bytes}}'
- if: "ctx.destination?.bytes != null"
-- convert:
- field: server.bytes
- target_field: server.bytes
- type: long
- ignore_failure: true
- ignore_missing: true
- if: "ctx.server?.bytes != null"
-- convert:
- field: juniper.srx.packets_from_server
- target_field: destination.packets
- type: long
- ignore_failure: true
- ignore_missing: true
- if: "ctx.juniper?.srx?.packets_from_server != null"
-- set:
- field: server.packets
- value: '{{destination.packets}}'
- if: "ctx.destination?.packets != null"
-- convert:
- field: server.packets
- target_field: server.packets
- type: long
- ignore_failure: true
- ignore_missing: true
- if:
"ctx.server?.packets != null" - -############################### -## ECS Client/Source Mapping ## -############################### -- rename: - field: juniper.srx.source_address - target_field: source.ip - ignore_missing: true - if: "ctx.juniper?.srx?.source_address != null" -- set: - field: client.ip - value: '{{source.ip}}' - if: "ctx.source?.ip != null" -- rename: - field: juniper.srx.nat_source_address - target_field: source.nat.ip - ignore_missing: true - if: "ctx.juniper?.srx?.nat_source_address != null" -- rename: - field: juniper.srx.sourceip - target_field: source.ip - ignore_missing: true - if: "ctx.juniper?.srx?.sourceip != null" -- convert: - field: juniper.srx.source_port - target_field: source.port - type: long - ignore_failure: true - ignore_missing: true - if: "ctx.juniper?.srx?.source_port != null" -- set: - field: client.port - value: '{{source.port}}' - if: "ctx.source?.port != null" -- convert: - field: client.port - target_field: client.port - type: long - ignore_failure: true - ignore_missing: true - if: "ctx.client?.port != null" -- convert: - field: juniper.srx.nat_source_port - target_field: source.nat.port - type: long - ignore_failure: true - ignore_missing: true - if: "ctx.juniper?.srx?.nat_source_port != null" -- set: - field: client.nat.port - value: '{{source.nat.port}}' - if: "ctx.source?.nat?.port != null" -- convert: - field: client.nat.port - target_field: client.nat.port - type: long - ignore_failure: true - ignore_missing: true - if: "ctx.client?.nat?.port != null" -- convert: - field: juniper.srx.bytes_from_client - target_field: source.bytes - type: long - ignore_failure: true - ignore_missing: true - if: "ctx.juniper?.srx?.bytes_from_client != null" -- set: - field: client.bytes - value: '{{source.bytes}}' - if: "ctx.source?.bytes != null" -- convert: - field: client.bytes - target_field: client.bytes - type: long - ignore_failure: true - ignore_missing: true - if: "ctx.client?.bytes != null" -- convert: - field: 
juniper.srx.packets_from_client
- target_field: source.packets
- type: long
- ignore_failure: true
- ignore_missing: true
- if: "ctx.juniper?.srx?.packets_from_client != null"
-- set:
- field: client.packets
- value: '{{source.packets}}'
- if: "ctx.source?.packets != null"
-- convert:
- field: client.packets
- target_field: client.packets
- type: long
- ignore_failure: true
- ignore_missing: true
- if: "ctx.client?.packets != null"
-- rename:
- field: juniper.srx.username
- target_field: source.user.name
- ignore_missing: true
- if: "ctx.juniper?.srx?.username != null"
-
-######################
-## ECS Rule Mapping ##
-######################
-- rename:
- field: juniper.srx.policy_name
- target_field: rule.name
- ignore_missing: true
- if: "ctx.juniper?.srx?.policy_name != null"
-
-#############################
-## ECS Network/Geo Mapping ##
-#############################
-- rename:
- field: juniper.srx.protocol_id
- target_field: network.iana_number
- ignore_missing: true
- if: "ctx.juniper?.srx?.protocol_id != null"
-- geoip:
- field: source.ip
- target_field: source.geo
- ignore_missing: true
- if: "ctx.source?.geo == null"
-- geoip:
- field: destination.ip
- target_field: destination.geo
- ignore_missing: true
- if: "ctx.destination?.geo == null"
-- geoip:
- database_file: GeoLite2-ASN.mmdb
- field: source.ip
- target_field: source.as
- properties:
- - asn
- - organization_name
- ignore_missing: true
-- geoip:
- database_file: GeoLite2-ASN.mmdb
- field: destination.ip
- target_field: destination.as
- properties:
- - asn
- - organization_name
- ignore_missing: true
-- geoip:
- field: source.nat.ip
- target_field: source.geo
- ignore_missing: true
- if: "ctx.source?.geo == null"
-- geoip:
- field: destination.nat.ip
- target_field: destination.geo
- ignore_missing: true
- if: "ctx.destination?.geo == null"
-- geoip:
- database_file: GeoLite2-ASN.mmdb
- field: source.nat.ip
- target_field: source.as
- properties:
- - asn
- - organization_name
- ignore_missing: true
- if: "ctx.source?.as == null" -- geoip: - database_file: GeoLite2-ASN.mmdb - field: destination.nat.ip - target_field: destination.as - properties: - - asn - - organization_name - ignore_missing: true - if: "ctx.destination?.as == null" -- rename: - field: source.as.asn - target_field: source.as.number - ignore_missing: true -- rename: - field: source.as.organization_name - target_field: source.as.organization.name - ignore_missing: true -- rename: - field: destination.as.asn - target_field: destination.as.number - ignore_missing: true -- rename: - field: destination.as.organization_name - target_field: destination.as.organization.name - ignore_missing: true -- script: - lang: painless - source: "ctx.network.bytes = ctx.source.bytes + ctx.destination.bytes" - if: "ctx?.source?.bytes != null && ctx?.destination?.bytes != null" - ignore_failure: true -- script: - lang: painless - source: "ctx.network.packets = ctx.client.packets + ctx.server.packets" - if: "ctx?.client?.packets != null && ctx?.server?.packets != null" - ignore_failure: true - -############# -## Cleanup ## -############# -- remove: - field: - - juniper.srx.application_risk - - juniper.srx.destination_port - - juniper.srx.nat_destination_port - - juniper.srx.bytes_from_client - - juniper.srx.packets_from_client - - juniper.srx.source_port - - juniper.srx.nat_source_port - - juniper.srx.bytes_from_server - - juniper.srx.packets_from_server - ignore_missing: true - -on_failure: -- set: - field: error.message - value: '{{ _ingest.on_failure_message }}' diff --git a/packages/juniper_srx/1.5.2/data_stream/log/elasticsearch/ingest_pipeline/idp.yml b/packages/juniper_srx/1.5.2/data_stream/log/elasticsearch/ingest_pipeline/idp.yml deleted file mode 100755 index 0b26118a9f..0000000000 --- a/packages/juniper_srx/1.5.2/data_stream/log/elasticsearch/ingest_pipeline/idp.yml +++ /dev/null 
@@ -1,288 +0,0 @@
----
-description: Pipeline for parsing junipersrx firewall logs (idp pipeline)
-processors:
-#######################
-## ECS Event Mapping ##
-#######################
-- set:
- field: event.kind
- value: event
-- set:
- field: event.outcome
- value: success
- if: "ctx.juniper?.srx?.tag != null"
-- append:
- field: event.category
- value: network
-- set:
- field: event.kind
- value: alert
- if: '["IDP_ATTACK_LOG_EVENT", "IDP_APPDDOS_APP_STATE_EVENT", "IDP_APPDDOS_APP_ATTACK_EVENT", "IDP_ATTACK_LOG_EVENT_LS", "IDP_APPDDOS_APP_STATE_EVENT_LS", "IDP_APPDDOS_APP_ATTACK_EVENT_LS"].contains(ctx.juniper?.srx?.tag)'
-- append:
- field: event.category
- value: intrusion_detection
- if: '["IDP_ATTACK_LOG_EVENT", "IDP_APPDDOS_APP_STATE_EVENT", "IDP_APPDDOS_APP_ATTACK_EVENT", "IDP_ATTACK_LOG_EVENT_LS", "IDP_APPDDOS_APP_STATE_EVENT_LS", "IDP_APPDDOS_APP_ATTACK_EVENT_LS"].contains(ctx.juniper?.srx?.tag)'
-- append:
- field: event.type
- value:
- - info
- - denied
- - connection
- if: '["IDP_ATTACK_LOG_EVENT", "IDP_APPDDOS_APP_STATE_EVENT", "IDP_APPDDOS_APP_ATTACK_EVENT", "IDP_ATTACK_LOG_EVENT_LS", "IDP_APPDDOS_APP_STATE_EVENT_LS", "IDP_APPDDOS_APP_ATTACK_EVENT_LS"].contains(ctx.juniper?.srx?.tag)'
-- append:
- field: event.type
- value:
- - allowed
- - connection
- if: '!["IDP_ATTACK_LOG_EVENT", "IDP_APPDDOS_APP_STATE_EVENT", "IDP_APPDDOS_APP_ATTACK_EVENT", "IDP_ATTACK_LOG_EVENT_LS", "IDP_APPDDOS_APP_STATE_EVENT_LS", "IDP_APPDDOS_APP_ATTACK_EVENT_LS"].contains(ctx.juniper?.srx?.tag)'
-- set:
- field: event.action
- value: application_ddos
- if: '["IDP_APPDDOS_APP_STATE_EVENT", "IDP_APPDDOS_APP_ATTACK_EVENT", "IDP_APPDDOS_APP_STATE_EVENT_LS", "IDP_APPDDOS_APP_ATTACK_EVENT_LS"].contains(ctx.juniper?.srx?.tag)'
-- set:
- field: event.action
- value: security_threat
- if: '["IDP_ATTACK_LOG_EVENT", "IDP_ATTACK_LOG_EVENT_LS"].contains(ctx.juniper?.srx?.tag)'
-
-
-####################################
-## ECS Server/Destination Mapping ##
-####################################
-- rename:
- field: juniper.srx.destination_address
- target_field: destination.ip
- ignore_missing: true
- if: "ctx.juniper?.srx?.destination_address != null"
-- set:
- field: server.ip
- value: '{{destination.ip}}'
- if: "ctx.destination?.ip != null"
-- rename:
- field: juniper.srx.nat_destination_address
- target_field: destination.nat.ip
- ignore_missing: true
- if: "ctx.juniper?.srx?.nat_destination_address != null"
-- convert:
- field: juniper.srx.destination_port
- target_field: destination.port
- type: long
- ignore_failure: true
- ignore_missing: true
- if: "ctx.juniper?.srx?.destination_port != null"
-- set:
- field: server.port
- value: '{{destination.port}}'
- if: "ctx.destination?.port != null"
-- convert:
- field: server.port
- target_field: server.port
- type: long
- ignore_failure: true
- ignore_missing: true
- if: "ctx.server?.port != null"
-- convert:
- field: juniper.srx.nat_destination_port
- target_field: destination.nat.port
- type: long
- ignore_failure: true
- ignore_missing: true
- if: "ctx.juniper?.srx['nat_destination_port'] != null"
-- set:
- field: server.nat.port
- value: '{{destination.nat.port}}'
- if: "ctx.destination?.nat?.port != null"
-- convert:
- field: server.nat.port
- target_field: server.nat.port
- type: long
- ignore_failure: true
- ignore_missing: true
- if: "ctx.server?.nat?.port != null"
-- convert:
- field: juniper.srx.inbound_bytes
- target_field: destination.bytes
- type: long
- ignore_failure: true
- ignore_missing: true
- if: "ctx.juniper?.srx?.inbound_bytes != null"
-- set:
- field: server.bytes
- value: '{{destination.bytes}}'
- if: "ctx.destination?.bytes != null"
-- convert:
- field: server.bytes
- target_field: server.bytes
- type: long
- ignore_failure: true
- ignore_missing: true
- if: "ctx.server?.bytes != null"
-- convert:
- field: juniper.srx.inbound_packets
- target_field: destination.packets
- type: long
- ignore_failure: true
- ignore_missing: true
- if:
"ctx.juniper?.srx?.inbound_packets !=null" -- set: - field: server.packets - value: '{{destination.packets}}' - if: "ctx.destination?.packets != null" -- convert: - field: server.packets - target_field: server.packets - type: long - ignore_failure: true - ignore_missing: true - if: "ctx.server?.packets != null" - -############################### -## ECS Client/Source Mapping ## -############################### -- rename: - field: juniper.srx.source_address - target_field: source.ip - ignore_missing: true - if: "ctx.juniper?.srx?.source_address != null" -- set: - field: client.ip - value: '{{source.ip}}' - if: "ctx.source?.ip != null" -- rename: - field: juniper.srx.nat_source_address - target_field: source.nat.ip - ignore_missing: true - if: "ctx.juniper?.srx?.nat_source_address != null" -- rename: - field: juniper.srx.sourceip - target_field: source.ip - ignore_missing: true - if: "ctx.juniper?.srx?.sourceip != null" -- convert: - field: juniper.srx.source_port - target_field: source.port - type: long - ignore_failure: true - ignore_missing: true - if: "ctx.juniper?.srx?.source_port != null" -- set: - field: client.port - value: '{{source.port}}' - if: "ctx.source?.port != null" -- convert: - field: client.port - target_field: client.port - type: long - ignore_failure: true - ignore_missing: true - if: "ctx.client?.port != null" -- convert: - field: juniper.srx.nat_source_port - target_field: source.nat.port - type: long - ignore_failure: true - ignore_missing: true - if: "ctx.juniper?.srx?.nat_source_port != null" -- set: - field: client.nat.port - value: '{{source.nat.port}}' - if: "ctx.source?.nat?.port != null" -- convert: - field: client.nat.port - target_field: client.nat.port - type: long - ignore_failure: true - ignore_missing: true - if: "ctx.client?.nat?.port != null" -- convert: - field: juniper.srx.outbound_bytes - target_field: source.bytes - type: long - ignore_failure: true - ignore_missing: true - if: "ctx.juniper?.srx?.outbound_bytes != null" -- 
set:
- field: client.bytes
- value: '{{source.bytes}}'
- if: "ctx.source?.bytes != null"
-- convert:
- field: client.bytes
- target_field: client.bytes
- type: long
- ignore_failure: true
- ignore_missing: true
- if: "ctx.client?.bytes != null"
-- convert:
- field: juniper.srx.outbound_packets
- target_field: source.packets
- type: long
- ignore_failure: true
- ignore_missing: true
- if: "ctx.juniper?.srx?.outbound_packets != null"
-- set:
- field: client.packets
- value: '{{source.packets}}'
- if: "ctx.source?.packets != null"
-- convert:
- field: client.packets
- target_field: client.packets
- type: long
- ignore_failure: true
- ignore_missing: true
- if: "ctx.client?.packets != null"
-- rename:
- field: juniper.srx.username
- target_field: source.user.name
- ignore_missing: true
- if: "ctx.juniper?.srx?.username != null"
-
-######################
-## ECS Rule Mapping ##
-######################
-- rename:
- field: juniper.srx.rulebase_name
- target_field: rule.name
- ignore_missing: true
- if: "ctx.juniper?.srx?.rulebase_name != null"
-- rename:
- field: juniper.srx.rule_name
- target_field: rule.id
- ignore_missing: true
- if: "ctx.juniper?.srx?.rule_name != null"
-
-#########################
-## ECS Network Mapping ##
-#########################
-- rename:
- field: juniper.srx.protocol_name
- target_field: network.protocol
- ignore_missing: true
- if: "ctx.juniper?.srx?.protocol_name != null"
-
-#########################
-## ECS message Mapping ##
-#########################
-- rename:
- field: juniper.srx.message
- target_field: message
- ignore_missing: true
- if: "ctx.juniper?.srx?.message != null"
-
-#############
-## Cleanup ##
-#############
-- remove:
- field:
- - juniper.srx.destination_port
- - juniper.srx.nat_destination_port
- - juniper.srx.outbound_bytes
- - juniper.srx.outbound_packets
- - juniper.srx.source_port
- - juniper.srx.nat_source_port
- - juniper.srx.inbound_bytes
- - juniper.srx.inbound_packets
- ignore_missing: true
-
-on_failure:
-- set:
- field: error.message
- value: '{{ _ingest.on_failure_message }}'
diff --git a/packages/juniper_srx/1.5.2/data_stream/log/elasticsearch/ingest_pipeline/ids.yml b/packages/juniper_srx/1.5.2/data_stream/log/elasticsearch/ingest_pipeline/ids.yml
deleted file mode 100755
index 9b39206834..0000000000
--- a/packages/juniper_srx/1.5.2/data_stream/log/elasticsearch/ingest_pipeline/ids.yml
+++ /dev/null
@@ -1,364 +0,0 @@ ---- -description: Pipeline for parsing junipersrx firewall logs (ids pipeline) -processors: -####################### -## ECS Event Mapping ## -####################### -- set: - field: event.kind - value: event -- set: - field: event.outcome - value: success - if: "ctx.juniper?.srx?.tag != null" -- append: - field: event.category - value: network -- set: - field: event.kind - value: alert - if: '["RT_SCREEN_TCP", "RT_SCREEN_UDP", "RT_SCREEN_ICMP", "RT_SCREEN_IP", "RT_SCREEN_TCP_DST_IP", "RT_SCREEN_TCP_SRC_IP", "RT_SCREEN_TCP_LS", "RT_SCREEN_UDP_LS", "RT_SCREEN_ICMP_LS", "RT_SCREEN_IP_LS", "RT_SCREEN_TCP_DST_IP_LS", "RT_SCREEN_TCP_SRC_IP_LS"].contains(ctx.juniper?.srx?.tag)' -- append: - field: event.category - value: intrusion_detection - if: '["RT_SCREEN_TCP", "RT_SCREEN_UDP", "RT_SCREEN_ICMP", "RT_SCREEN_IP", "RT_SCREEN_TCP_DST_IP", "RT_SCREEN_TCP_SRC_IP", "RT_SCREEN_TCP_LS", "RT_SCREEN_UDP_LS", "RT_SCREEN_ICMP_LS", "RT_SCREEN_IP_LS", "RT_SCREEN_TCP_DST_IP_LS", "RT_SCREEN_TCP_SRC_IP_LS"].contains(ctx.juniper?.srx?.tag)' -- append: - field: event.type - value: - - info - - denied - - connection - if: '["RT_SCREEN_TCP", "RT_SCREEN_UDP", "RT_SCREEN_ICMP", "RT_SCREEN_IP", "RT_SCREEN_TCP_DST_IP", "RT_SCREEN_TCP_SRC_IP", "RT_SCREEN_TCP_LS", "RT_SCREEN_UDP_LS", "RT_SCREEN_ICMP_LS", "RT_SCREEN_IP_LS", "RT_SCREEN_TCP_DST_IP_LS", "RT_SCREEN_TCP_SRC_IP_LS"].contains(ctx.juniper?.srx?.tag)' -- append: - field: event.type - value: - - allowed - - connection - if: '!["RT_SCREEN_TCP", "RT_SCREEN_UDP", "RT_SCREEN_ICMP", "RT_SCREEN_IP", "RT_SCREEN_TCP_DST_IP", "RT_SCREEN_TCP_SRC_IP", "RT_SCREEN_TCP_LS", "RT_SCREEN_UDP_LS", "RT_SCREEN_ICMP_LS", "RT_SCREEN_IP_LS", "RT_SCREEN_TCP_DST_IP_LS", "RT_SCREEN_TCP_SRC_IP_LS"].contains(ctx.juniper?.srx?.tag)' -- set: - field: event.action - value: flood_detected - if: '["ICMP flood!", "UDP flood!", "SYN flood!", "SYN flood Src-IP based!", "SYN flood Dst-IP based!"].contains(ctx.juniper?.srx?.attack_name)' -- set: - field: 
event.action - value: scan_detected - if: "ctx.juniper?.srx?.attack_name == 'TCP port scan!'" -- set: - field: event.action - value: sweep_detected - if: '["TCP sweep!", "IP sweep!", "UDP sweep!", "Address sweep!"].contains(ctx.juniper?.srx?.attack_name)' -- set: - field: event.action - value: fragment_detected - if: '["ICMP fragment!", "SYN fragment!"].contains(ctx.juniper?.srx?.attack_name)' -- set: - field: event.action - value: spoofing_detected - if: "ctx.juniper?.srx?.attack_name == 'IP spoofing!'" -- set: - field: event.action - value: session_limit_detected - if: '["Src IP session limit!", "Dst IP session limit!"].contains(ctx.juniper?.srx?.attack_name)' -- set: - field: event.action - value: attack_detected - if: '["Land attack!", "WinNuke attack!"].contains(ctx.juniper?.srx?.attack_name)' -- set: - field: event.action - value: illegal_tcp_flag_detected - if: '["No TCP flag!", "SYN and FIN bits!", "FIN but no ACK bit!"].contains(ctx.juniper?.srx?.attack_name)' -- set: - field: event.action - value: tunneling_screen - if: "ctx.juniper?.srx?.attack_name.startsWith('Tunnel')" - - -#################################### -## ECS Server/Destination Mapping ## -#################################### -- rename: - field: juniper.srx.destination_address - target_field: destination.ip - ignore_missing: true - if: "ctx.juniper?.srx?.destination_address != null" -- set: - field: server.ip - value: '{{destination.ip}}' - if: "ctx.destination?.ip != null" -- rename: - field: juniper.srx.nat_destination_address - target_field: destination.nat.ip - ignore_missing: true - if: "ctx.juniper?.srx?.nat_destination_address != null" -- convert: - field: juniper.srx.destination_port - target_field: destination.port - type: long - ignore_failure: true - ignore_missing: true - if: "ctx.juniper?.srx?.destination_port != null" -- set: - field: server.port - value: '{{destination.port}}' - if: "ctx.destination?.port != null" -- convert: - field: server.port - target_field: server.port - 
type: long - ignore_failure: true - ignore_missing: true - if: "ctx.server?.port != null" -- convert: - field: juniper.srx.nat_destination_port - target_field: destination.nat.port - type: long - ignore_failure: true - ignore_missing: true - if: "ctx.juniper?.srx?.nat_destination_port != null" -- set: - field: server.nat.port - value: '{{destination.nat.port}}' - if: "ctx.destination?.nat?.port != null" -- convert: - field: server.nat.port - target_field: server.nat.port - type: long - ignore_failure: true - ignore_missing: true - if: "ctx.server?.nat?.port != null" -- convert: - field: juniper.srx.bytes_from_server - target_field: destination.bytes - type: long - ignore_failure: true - ignore_missing: true - if: "ctx.juniper?.srx?.bytes_from_server != null" -- set: - field: server.bytes - value: '{{destination.bytes}}' - if: "ctx.destination?.bytes != null" -- convert: - field: server.bytes - target_field: server.bytes - type: long - ignore_failure: true - ignore_missing: true - if: "ctx.server?.bytes != null" -- convert: - field: juniper.srx.packets_from_server - target_field: destination.packets - type: long - ignore_failure: true - ignore_missing: true - if: "ctx.juniper?.srx?.packets_from_server !=null" -- set: - field: server.packets - value: '{{destination.packets}}' - if: "ctx.destination?.packets != null" -- convert: - field: server.packets - target_field: server.packets - type: long - ignore_failure: true - ignore_missing: true - if: "ctx.server?.packets != null" - -############################### -## ECS Client/Source Mapping ## -############################### -- rename: - field: juniper.srx.source_address - target_field: source.ip - ignore_missing: true - if: "ctx.juniper?.srx?.source_address != null" -- set: - field: client.ip - value: '{{source.ip}}' - if: "ctx.source?.ip != null" -- rename: - field: juniper.srx.nat_source_address - target_field: source.nat.ip - ignore_missing: true - if: "ctx.juniper?.srx?.nat_source_address != null" -- rename: - 
field: juniper.srx.sourceip - target_field: source.ip - ignore_missing: true - if: "ctx.juniper?.srx?.sourceip != null" -- convert: - field: juniper.srx.source_port - target_field: source.port - type: long - ignore_failure: true - ignore_missing: true - if: "ctx.juniper?.srx?.source_port != null" -- set: - field: client.port - value: '{{source.port}}' - if: "ctx.source?.port != null" -- convert: - field: client.port - target_field: client.port - type: long - ignore_failure: true - ignore_missing: true - if: "ctx.client?.port != null" -- convert: - field: juniper.srx.nat_source_port - target_field: source.nat.port - type: long - ignore_failure: true - ignore_missing: true - if: "ctx.juniper?.srx?.nat_source_port != null" -- set: - field: client.nat.port - value: '{{source.nat.port}}' - if: "ctx.source?.nat?.port != null" -- convert: - field: client.nat.port - target_field: client.nat.port - type: long - ignore_failure: true - ignore_missing: true - if: "ctx.client?.nat?.port != null" -- convert: - field: juniper.srx.bytes_from_client - target_field: source.bytes - type: long - ignore_failure: true - ignore_missing: true - if: "ctx.juniper?.srx?.bytes_from_client != null" -- set: - field: client.bytes - value: '{{source.bytes}}' - if: "ctx.source?.bytes != null" -- convert: - field: client.bytes - target_field: client.bytes - type: long - ignore_failure: true - ignore_missing: true - if: "ctx.client?.bytes != null" -- convert: - field: juniper.srx.packets_from_client - target_field: source.packets - type: long - ignore_failure: true - ignore_missing: true - if: "ctx.juniper?.srx?.packets_from_client != null" -- set: - field: client.packets - value: '{{source.packets}}' - if: "ctx.source?.packets != null" -- convert: - field: client.packets - target_field: client.packets - type: long - ignore_failure: true - ignore_missing: true - if: "ctx.client?.packets != null" -- rename: - field: juniper.srx.username - target_field: source.user.name - ignore_missing: true - if: 
"ctx.juniper?.srx?.username != null" - -############################# -## ECS Network/Geo Mapping ## -############################# -- rename: - field: juniper.srx.protocol_id - target_field: network.iana_number - ignore_missing: true - if: "ctx.juniper?.srx?.protocol_id != null" -- geoip: - field: source.ip - target_field: source.geo - ignore_missing: true - if: "ctx.source?.geo == null" -- geoip: - field: destination.ip - target_field: destination.geo - ignore_missing: true - if: "ctx.destination?.geo == null" -- geoip: - database_file: GeoLite2-ASN.mmdb - field: source.ip - target_field: source.as - properties: - - asn - - organization_name - ignore_missing: true -- geoip: - database_file: GeoLite2-ASN.mmdb - field: destination.ip - target_field: destination.as - properties: - - asn - - organization_name - ignore_missing: true -- geoip: - field: source.nat.ip - target_field: source.geo - ignore_missing: true - if: "ctx.source?.geo == null" -- geoip: - field: destination.nat.ip - target_field: destination.geo - ignore_missing: true - if: "ctx.destination?.geo == null" -- geoip: - database_file: GeoLite2-ASN.mmdb - field: source.nat.ip - target_field: source.as - properties: - - asn - - organization_name - ignore_missing: true - if: "ctx.source?.as == null" -- geoip: - database_file: GeoLite2-ASN.mmdb - field: destination.nat.ip - target_field: destination.as - properties: - - asn - - organization_name - ignore_missing: true - if: "ctx.destination?.as == null" -- rename: - field: source.as.asn - target_field: source.as.number - ignore_missing: true -- rename: - field: source.as.organization_name - target_field: source.as.organization.name - ignore_missing: true -- rename: - field: destination.as.asn - target_field: destination.as.number - ignore_missing: true -- rename: - field: destination.as.organization_name - target_field: destination.as.organization.name - ignore_missing: true - - -############# -## Cleanup ## -############# -- remove: - field: - - 
juniper.srx.destination_port - - juniper.srx.nat_destination_port - - juniper.srx.bytes_from_client - - juniper.srx.packets_from_client - - juniper.srx.source_port - - juniper.srx.nat_source_port - - juniper.srx.bytes_from_server - - juniper.srx.packets_from_server - ignore_missing: true - -on_failure: -- set: - field: error.message - value: '{{ _ingest.on_failure_message }}' diff --git a/packages/juniper_srx/1.5.2/data_stream/log/elasticsearch/ingest_pipeline/secintel.yml b/packages/juniper_srx/1.5.2/data_stream/log/elasticsearch/ingest_pipeline/secintel.yml deleted file mode 100755 index 790a8aa9cb..0000000000 --- a/packages/juniper_srx/1.5.2/data_stream/log/elasticsearch/ingest_pipeline/secintel.yml +++ /dev/null 
@@ -1,350 +0,0 @@ ---- -description: Pipeline for parsing junipersrx firewall logs (secintel pipeline) -processors: -####################### -## ECS Event Mapping ## -####################### -- set: - field: event.kind - value: event -- set: - field: event.outcome - value: success - if: "ctx.juniper?.srx?.tag != null" -- append: - field: event.category - value: network -- set: - field: event.kind - value: alert - if: 'ctx.juniper?.srx?.tag == "SECINTEL_ACTION_LOG" && ctx.juniper?.srx?.action != "PERMIT"' -- append: - field: event.category - value: malware - if: 'ctx.juniper?.srx?.tag == "SECINTEL_ACTION_LOG" && ctx.juniper?.srx?.action != "PERMIT"' -- append: - field: event.type - value: - - info - - denied - - connection - if: "ctx.juniper?.srx?.action == 'BLOCK'" -- append: - field: event.type - value: - - allowed - - connection - if: "ctx.juniper?.srx?.action != 'BLOCK'" -- set: - field: event.action - value: malware_detected - if: "ctx.juniper?.srx?.action == 'BLOCK'" - - -#################################### -## ECS Server/Destination Mapping ## -#################################### -- rename: - field: juniper.srx.destination_address - target_field: destination.ip - ignore_missing: true - if: "ctx.juniper?.srx?.destination_address != null" -- set: - field: server.ip - value: '{{destination.ip}}' - if: "ctx.destination?.ip != null" -- rename: - field: juniper.srx.nat_destination_address - target_field: destination.nat.ip - ignore_missing: true - if: "ctx.juniper?.srx?.nat_destination_address != null" -- convert: - field: juniper.srx.destination_port - target_field: destination.port - type: long - ignore_failure: true - ignore_missing: true - if: "ctx.juniper?.srx?.destination_port != null" -- set: - field: server.port - value: '{{destination.port}}' - if: "ctx.destination?.port != null" -- convert: - field: server.port - target_field: server.port - type: long - ignore_failure: true - ignore_missing: true - if: "ctx.server?.port != null" -- convert: - field: 
juniper.srx.nat_destination_port - target_field: destination.nat.port - type: long - ignore_failure: true - ignore_missing: true - if: "ctx.juniper?.srx?.nat_destination_port != null" -- set: - field: server.nat.port - value: '{{destination.nat.port}}' - if: "ctx.destination?.nat?.port != null" -- convert: - field: server.nat.port - target_field: server.nat.port - type: long - ignore_failure: true - ignore_missing: true - if: "ctx.server?.nat?.port != null" -- convert: - field: juniper.srx.bytes_from_server - target_field: destination.bytes - type: long - ignore_failure: true - ignore_missing: true - if: "ctx.juniper?.srx?.bytes_from_server != null" -- set: - field: server.bytes - value: '{{destination.bytes}}' - if: "ctx.destination?.bytes != null" -- convert: - field: server.bytes - target_field: server.bytes - type: long - ignore_failure: true - ignore_missing: true - if: "ctx.server?.bytes != null" -- convert: - field: juniper.srx.packets_from_server - target_field: destination.packets - type: long - ignore_failure: true - ignore_missing: true - if: "ctx.juniper?.srx?.packets_from_server !=null" -- set: - field: server.packets - value: '{{destination.packets}}' - if: "ctx.destination?.packets != null" -- convert: - field: server.packets - target_field: server.packets - type: long - ignore_failure: true - ignore_missing: true - if: "ctx.server?.packets != null" - -############################### -## ECS Client/Source Mapping ## -############################### -- rename: - field: juniper.srx.source_address - target_field: source.ip - ignore_missing: true - if: "ctx.juniper?.srx?.source_address != null" -- set: - field: client.ip - value: '{{source.ip}}' - if: "ctx.source?.ip != null" -- rename: - field: juniper.srx.nat_source_address - target_field: source.nat.ip - ignore_missing: true - if: "ctx.juniper?.srx?.nat_source_address != null" -- rename: - field: juniper.srx.sourceip - target_field: source.ip - ignore_missing: true - if: "ctx.juniper?.srx?.sourceip != 
null" -- convert: - field: juniper.srx.source_port - target_field: source.port - type: long - ignore_failure: true - ignore_missing: true - if: "ctx.juniper?.srx?.source_port != null" -- set: - field: client.port - value: '{{source.port}}' - if: "ctx.source?.port != null" -- convert: - field: client.port - target_field: client.port - type: long - ignore_failure: true - ignore_missing: true - if: "ctx.client?.port != null" -- convert: - field: juniper.srx.nat_source_port - target_field: source.nat.port - type: long - ignore_failure: true - ignore_missing: true - if: "ctx.juniper?.srx?.nat_source_port != null" -- set: - field: client.nat.port - value: '{{source.nat.port}}' - if: "ctx.source?.nat?.port != null" -- convert: - field: client.nat.port - target_field: client.nat.port - type: long - ignore_failure: true - ignore_missing: true - if: "ctx.client?.nat?.port != null" -- convert: - field: juniper.srx.bytes_from_client - target_field: source.bytes - type: long - ignore_failure: true - ignore_missing: true - if: "ctx.juniper?.srx?.bytes_from_client != null" -- set: - field: client.bytes - value: '{{source.bytes}}' - if: "ctx.source?.bytes != null" -- convert: - field: client.bytes - target_field: client.bytes - type: long - ignore_failure: true - ignore_missing: true - if: "ctx.client?.bytes != null" -- convert: - field: juniper.srx.packets_from_client - target_field: source.packets - type: long - ignore_failure: true - ignore_missing: true - if: "ctx.juniper?.srx?.packets_from_client != null" -- set: - field: client.packets - value: '{{source.packets}}' - if: "ctx.source?.packets != null" -- convert: - field: client.packets - target_field: client.packets - type: long - ignore_failure: true - ignore_missing: true - if: "ctx.client?.packets != null" -- rename: - field: juniper.srx.username - target_field: source.user.name - ignore_missing: true - if: "ctx.juniper?.srx?.username != null" -- rename: - field: juniper.srx.hostname - target_field: source.address - 
ignore_missing: true - if: "ctx.juniper?.srx?.hostname != null" -- rename: - field: juniper.srx.client_ip - target_field: source.ip - ignore_missing: true - if: "ctx.juniper?.srx?.client_ip != null" - -###################### -## ECS URL Mapping ## -###################### -- rename: - field: juniper.srx.http_host - target_field: url.domain - ignore_missing: true - if: "ctx.juniper?.srx?.http_host != null" - -############################# -## ECS Network/Geo Mapping ## -############################# -- rename: - field: juniper.srx.protocol_id - target_field: network.iana_number - ignore_missing: true - if: "ctx.juniper?.srx?.protocol_id != null" -- geoip: - field: source.ip - target_field: source.geo - ignore_missing: true - if: "ctx.source?.geo == null" -- geoip: - field: destination.ip - target_field: destination.geo - ignore_missing: true - if: "ctx.destination?.geo == null" -- geoip: - database_file: GeoLite2-ASN.mmdb - field: source.ip - target_field: source.as - properties: - - asn - - organization_name - ignore_missing: true -- geoip: - database_file: GeoLite2-ASN.mmdb - field: destination.ip - target_field: destination.as - properties: - - asn - - organization_name - ignore_missing: true -- geoip: - field: source.nat.ip - target_field: source.geo - ignore_missing: true - if: "ctx.source?.geo == null" -- geoip: - field: destination.nat.ip - target_field: destination.geo - ignore_missing: true - if: "ctx.destination?.geo == null" -- geoip: - database_file: GeoLite2-ASN.mmdb - field: source.nat.ip - target_field: source.as - properties: - - asn - - organization_name - ignore_missing: true - if: "ctx.source?.as == null" -- geoip: - database_file: GeoLite2-ASN.mmdb - field: destination.nat.ip - target_field: destination.as - properties: - - asn - - organization_name - ignore_missing: true - if: "ctx.destination?.as == null" -- rename: - field: source.as.asn - target_field: source.as.number - ignore_missing: true -- rename: - field: source.as.organization_name - 
target_field: source.as.organization.name - ignore_missing: true -- rename: - field: destination.as.asn - target_field: destination.as.number - ignore_missing: true -- rename: - field: destination.as.organization_name - target_field: destination.as.organization.name - ignore_missing: true - -############# -## Cleanup ## -############# -- remove: - field: - - juniper.srx.destination_port - - juniper.srx.nat_destination_port - - juniper.srx.bytes_from_client - - juniper.srx.packets_from_client - - juniper.srx.source_port - - juniper.srx.nat_source_port - - juniper.srx.bytes_from_server - - juniper.srx.packets_from_server - ignore_missing: true - -on_failure: -- set: - field: error.message - value: '{{ _ingest.on_failure_message }}' diff --git a/packages/juniper_srx/1.5.2/data_stream/log/elasticsearch/ingest_pipeline/utm.yml b/packages/juniper_srx/1.5.2/data_stream/log/elasticsearch/ingest_pipeline/utm.yml deleted file mode 100755 index 056f23dbe1..0000000000 --- a/packages/juniper_srx/1.5.2/data_stream/log/elasticsearch/ingest_pipeline/utm.yml +++ /dev/null 
@@ -1,391 +0,0 @@ ---- -description: Pipeline for parsing junipersrx firewall logs (utm pipeline) -processors: -####################### -## ECS Event Mapping ## -####################### -- set: - field: event.kind - value: event -- set: - field: event.outcome - value: success - if: "ctx.juniper?.srx?.tag != null" -- append: - field: event.category - value: network -- convert: - field: juniper.srx.urlcategory_risk - type: float - target_field: event.risk_score - ignore_missing: true - ignore_failure: true -- set: - field: event.kind - value: alert - if: '["AV_VIRUS_DETECTED_MT", "WEBFILTER_URL_BLOCKED", "ANTISPAM_SPAM_DETECTED_MT", "CONTENT_FILTERING_BLOCKED_MT", "AV_VIRUS_DETECTED_MT_LS", "WEBFILTER_URL_BLOCKED_LS", "ANTISPAM_SPAM_DETECTED_MT_LS", "CONTENT_FILTERING_BLOCKED_MT_LS"].contains(ctx.juniper?.srx?.tag)' -- append: - field: event.category - value: malware - if: '["AV_VIRUS_DETECTED_MT", "WEBFILTER_URL_BLOCKED", "ANTISPAM_SPAM_DETECTED_MT", "CONTENT_FILTERING_BLOCKED_MT", "AV_VIRUS_DETECTED_MT_LS", "WEBFILTER_URL_BLOCKED_LS", "ANTISPAM_SPAM_DETECTED_MT_LS", "CONTENT_FILTERING_BLOCKED_MT_LS"].contains(ctx.juniper?.srx?.tag)' -- append: - field: event.type - value: - - info - - denied - - connection - if: '["AV_VIRUS_DETECTED_MT", "WEBFILTER_URL_BLOCKED", "ANTISPAM_SPAM_DETECTED_MT", "CONTENT_FILTERING_BLOCKED_MT", "AV_VIRUS_DETECTED_MT_LS", "WEBFILTER_URL_BLOCKED_LS", "ANTISPAM_SPAM_DETECTED_MT_LS", "CONTENT_FILTERING_BLOCKED_MT_LS"].contains(ctx.juniper?.srx?.tag)' -- append: - field: event.type - value: - - allowed - - connection - if: '!["AV_VIRUS_DETECTED_MT", "WEBFILTER_URL_BLOCKED", "ANTISPAM_SPAM_DETECTED_MT", "CONTENT_FILTERING_BLOCKED_MT", "AV_VIRUS_DETECTED_MT_LS", "WEBFILTER_URL_BLOCKED_LS", "ANTISPAM_SPAM_DETECTED_MT_LS", "CONTENT_FILTERING_BLOCKED_MT_LS"].contains(ctx.juniper?.srx?.tag)' -- set: - field: event.action - value: web_filter - if: '["WEBFILTER_URL_BLOCKED", "WEBFILTER_URL_BLOCKED_LS"].contains(ctx.juniper?.srx?.tag)' -- set: - 
field: event.action - value: content_filter - if: '["CONTENT_FILTERING_BLOCKED_MT", "CONTENT_FILTERING_BLOCKED_MT_LS"].contains(ctx.juniper?.srx?.tag)' -- set: - field: event.action - value: antispam_filter - if: '["ANTISPAM_SPAM_DETECTED_MT", "ANTISPAM_SPAM_DETECTED_MT_LS"].contains(ctx.juniper?.srx?.tag)' -- set: - field: event.action - value: virus_detected - if: '["AV_VIRUS_DETECTED_MT", "AV_VIRUS_DETECTED_MT_LS"].contains(ctx.juniper?.srx?.tag)' - - -#################################### -## ECS Server/Destination Mapping ## -#################################### -- rename: - field: juniper.srx.destination_address - target_field: destination.ip - ignore_missing: true - if: "ctx.juniper?.srx?.destination_address != null" -- set: - field: server.ip - value: '{{destination.ip}}' - if: "ctx.destination?.ip != null" -- rename: - field: juniper.srx.nat_destination_address - target_field: destination.nat.ip - ignore_missing: true - if: "ctx.juniper?.srx?.nat_destination_address != null" -- convert: - field: juniper.srx.destination_port - target_field: destination.port - type: long - ignore_failure: true - ignore_missing: true - if: "ctx.juniper?.srx?.destination_port != null" -- set: - field: server.port - value: '{{destination.port}}' - if: "ctx.destination?.port != null" -- convert: - field: server.port - target_field: server.port - type: long - ignore_failure: true - ignore_missing: true - if: "ctx.server?.port != null" -- convert: - field: juniper.srx.nat_destination_port - target_field: destination.nat.port - type: long - ignore_failure: true - ignore_missing: true - if: "ctx.juniper?.srx?.nat_destination_port != null" -- set: - field: server.nat.port - value: '{{destination.nat.port}}' - if: "ctx.destination?.nat?.port != null" -- convert: - field: server.nat.port - target_field: server.nat.port - type: long - ignore_failure: true - ignore_missing: true - if: "ctx.server?.nat?.port != null" -- convert: - field: juniper.srx.bytes_from_server - target_field: 
destination.bytes - type: long - ignore_failure: true - ignore_missing: true - if: "ctx.juniper?.srx?.bytes_from_server != null" -- set: - field: server.bytes - value: '{{destination.bytes}}' - if: "ctx.destination?.bytes != null" -- convert: - field: server.bytes - target_field: server.bytes - type: long - ignore_failure: true - ignore_missing: true - if: "ctx.server?.bytes != null" -- convert: - field: juniper.srx.packets_from_server - target_field: destination.packets - type: long - ignore_failure: true - ignore_missing: true - if: "ctx.juniper?.srx?.packets_from_server !=null" -- set: - field: server.packets - value: '{{destination.packets}}' - if: "ctx.destination?.packets != null" -- convert: - field: server.packets - target_field: server.packets - type: long - ignore_failure: true - ignore_missing: true - if: "ctx.server?.packets != null" - -############################### -## ECS Client/Source Mapping ## -############################### -- rename: - field: juniper.srx.source_address - target_field: source.ip - ignore_missing: true - if: "ctx.juniper?.srx?.source_address != null" -- set: - field: client.ip - value: '{{source.ip}}' - if: "ctx.source?.ip != null" -- rename: - field: juniper.srx.nat_source_address - target_field: source.nat.ip - ignore_missing: true - if: "ctx.juniper?.srx?.nat_source_address != null" -- rename: - field: juniper.srx.sourceip - target_field: source.ip - ignore_missing: true - if: "ctx.juniper?.srx?.sourceip != null" -- convert: - field: juniper.srx.source_port - target_field: source.port - type: long - ignore_failure: true - ignore_missing: true - if: "ctx.juniper?.srx?.source_port != null" -- set: - field: client.port - value: '{{source.port}}' - if: "ctx.source?.port != null" -- convert: - field: client.port - target_field: client.port - type: long - ignore_failure: true - ignore_missing: true - if: "ctx.client?.port != null" -- convert: - field: juniper.srx.nat_source_port - target_field: source.nat.port - type: long - 
ignore_failure: true - ignore_missing: true - if: "ctx.juniper?.srx?.nat_source_port != null" -- set: - field: client.nat.port - value: '{{source.nat.port}}' - if: "ctx.source?.nat?.port != null" -- convert: - field: client.nat.port - target_field: client.nat.port - type: long - ignore_failure: true - ignore_missing: true - if: "ctx.client?.nat?.port != null" -- convert: - field: juniper.srx.bytes_from_client - target_field: source.bytes - type: long - ignore_failure: true - ignore_missing: true - if: "ctx.juniper?.srx?.bytes_from_client != null" -- set: - field: client.bytes - value: '{{source.bytes}}' - if: "ctx.source?.bytes != null" -- convert: - field: client.bytes - target_field: client.bytes - type: long - ignore_failure: true - ignore_missing: true - if: "ctx.client?.bytes != null" -- convert: - field: juniper.srx.packets_from_client - target_field: source.packets - type: long - ignore_failure: true - ignore_missing: true - if: "ctx.juniper?.srx?.packets_from_client != null" -- set: - field: client.packets - value: '{{source.packets}}' - if: "ctx.source?.packets != null" -- convert: - field: client.packets - target_field: client.packets - type: long - ignore_failure: true - ignore_missing: true - if: "ctx.client?.packets != null" -- rename: - field: juniper.srx.username - target_field: source.user.name - ignore_missing: true - if: "ctx.juniper?.srx?.username != null" - -###################### -## ECS Rule Mapping ## -###################### -- rename: - field: juniper.srx.policy_name - target_field: rule.name - ignore_missing: true - if: "ctx.juniper?.srx?.policy_name != null" - -##################### -## ECS URL Mapping ## -##################### -- rename: - field: juniper.srx.url - target_field: url.domain - ignore_missing: true - if: "ctx.juniper?.srx?.url != null" -- rename: - field: juniper.srx.obj - target_field: url.path - ignore_missing: true - if: "ctx.juniper?.srx?.obj != null" - -###################### -## ECS File Mapping ## 
-###################### -- rename: - field: juniper.srx.filename - target_field: file.name - ignore_missing: true - if: "ctx.juniper?.srx?.filename != null" - -######################### -## ECS Network Mapping ## -######################### -- rename: - field: juniper.srx.protocol - target_field: network.protocol - ignore_missing: true - if: "ctx.juniper?.srx?.protocol != null" - -############################# -## ECS Network/Geo Mapping ## -############################# -- rename: - field: juniper.srx.protocol_id - target_field: network.iana_number - ignore_missing: true - if: "ctx.juniper?.srx?.protocol_id != null" -- geoip: - field: source.ip - target_field: source.geo - ignore_missing: true - if: "ctx.source?.geo == null" -- geoip: - field: destination.ip - target_field: destination.geo - ignore_missing: true - if: "ctx.destination?.geo == null" -- geoip: - database_file: GeoLite2-ASN.mmdb - field: source.ip - target_field: source.as - properties: - - asn - - organization_name - ignore_missing: true -- geoip: - database_file: GeoLite2-ASN.mmdb - field: destination.ip - target_field: destination.as - properties: - - asn - - organization_name - ignore_missing: true -- geoip: - field: source.nat.ip - target_field: source.geo - ignore_missing: true - if: "ctx.source?.geo == null" -- geoip: - field: destination.nat.ip - target_field: destination.geo - ignore_missing: true - if: "ctx.destination?.geo == null" -- geoip: - database_file: GeoLite2-ASN.mmdb - field: source.nat.ip - target_field: source.as - properties: - - asn - - organization_name - ignore_missing: true - if: "ctx.source?.as == null" -- geoip: - database_file: GeoLite2-ASN.mmdb - field: destination.nat.ip - target_field: destination.as - properties: - - asn - - organization_name - ignore_missing: true - if: "ctx.destination?.as == null" -- rename: - field: source.as.asn - target_field: source.as.number - ignore_missing: true -- rename: - field: source.as.organization_name - target_field: 
source.as.organization.name - ignore_missing: true -- rename: - field: destination.as.asn - target_field: destination.as.number - ignore_missing: true -- rename: - field: destination.as.organization_name - target_field: destination.as.organization.name - ignore_missing: true - -############# -## Cleanup ## -############# -- remove: - field: - - juniper.srx.destination_port - - juniper.srx.nat_destination_port - - juniper.srx.bytes_from_client - - juniper.srx.packets_from_client - - juniper.srx.source_port - - juniper.srx.nat_source_port - - juniper.srx.bytes_from_server - - juniper.srx.packets_from_server - - juniper.srx.urlcategory_risk - ignore_missing: true - -on_failure: -- set: - field: error.message - value: '{{ _ingest.on_failure_message }}' diff --git a/packages/juniper_srx/1.5.2/data_stream/log/fields/agent.yml b/packages/juniper_srx/1.5.2/data_stream/log/fields/agent.yml deleted file mode 100755 index d30923aab3..0000000000 --- a/packages/juniper_srx/1.5.2/data_stream/log/fields/agent.yml +++ /dev/null 
@@ -1,72 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: image.id - type: keyword - description: Image ID for the cloud instance. -- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. 
- -- name: input.type - type: keyword - description: Input type. -- name: log.offset - type: long - description: Byte offset of the log line within its file. -- name: log.source.address - type: keyword - description: Source address of the syslog message. diff --git a/packages/juniper_srx/1.5.2/data_stream/log/fields/base-fields.yml b/packages/juniper_srx/1.5.2/data_stream/log/fields/base-fields.yml deleted file mode 100755 index 5d7fc0ea18..0000000000 --- a/packages/juniper_srx/1.5.2/data_stream/log/fields/base-fields.yml +++ /dev/null @@ -1,17 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: event.module - type: constant_keyword - description: Event module - value: juniper_srx -- name: event.dataset - type: constant_keyword - description: Event dataset - value: juniper_srx.log diff --git a/packages/juniper_srx/1.5.2/data_stream/log/fields/ecs.yml b/packages/juniper_srx/1.5.2/data_stream/log/fields/ecs.yml deleted file mode 100755 index 16e3ea4dde..0000000000 --- a/packages/juniper_srx/1.5.2/data_stream/log/fields/ecs.yml +++ /dev/null 
@@ -1,2759 +0,0 @@ -- description: |- - Date/time when the event originated. - This is the date/time extracted from the event, typically representing when the event was generated by the source. - If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. - Required field for all events. - name: '@timestamp' - type: date -- description: |- - Extended build information for the agent. - This field is intended to contain any build information that a data source may provide, no specific formatting is required. - name: agent.build.original - type: keyword -- description: |- - Ephemeral identifier of this agent (if one exists). - This id normally changes across restarts, but `agent.id` does not. - name: agent.ephemeral_id - type: keyword -- description: |- - Unique identifier of this agent (if one exists). - Example: For Beats this would be beat.id. - name: agent.id - type: keyword -- description: |- - Custom name of the agent. - This is a name that can be given to an agent. This can be helpful if for example two Filebeat instances are running on the same host but a human readable separation is needed on which Filebeat instance data is coming from. - name: agent.name - type: keyword -- description: |- - Type of the agent. - The agent type always stays the same and should be given by the agent used. In case of Filebeat the agent would always be Filebeat also if two Filebeat instances are run on the same machine. - name: agent.type - type: keyword -- description: Version of the agent. - name: agent.version - type: keyword -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: as.number - type: long -- description: Organization name. 
- multi_fields: - - name: text - type: match_only_text - name: as.organization.name - type: keyword -- description: |- - Some event client addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: client.address - type: keyword -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: client.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: client.as.organization.name - type: keyword -- description: Bytes sent from the client to the server. - name: client.bytes - type: long -- description: |- - The domain name of the client system. - This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. - name: client.domain - type: keyword -- description: City name. - name: client.geo.city_name - type: keyword -- description: Name of the continent. - name: client.geo.continent_name - type: keyword -- description: Country ISO code. - name: client.geo.country_iso_code - type: keyword -- description: Country name. - name: client.geo.country_name - type: keyword -- description: Longitude and latitude. - name: client.geo.location - type: geo_point -- description: |- - User-defined description of a location, at the level of granularity they care about. - Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. - Not typically used in automated geolocation. - name: client.geo.name - type: keyword -- description: Region ISO code. - name: client.geo.region_iso_code - type: keyword -- description: Region name. 
- name: client.geo.region_name - type: keyword -- description: IP address of the client (IPv4 or IPv6). - name: client.ip - type: ip -- description: |- - MAC address of the client. - The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. - name: client.mac - type: keyword -- description: |- - Translated IP of source based NAT sessions (e.g. internal client to internet). - Typically connections traversing load balancers, firewalls, or routers. - name: client.nat.ip - type: ip -- description: |- - Translated port of source based NAT sessions (e.g. internal client to internet). - Typically connections traversing load balancers, firewalls, or routers. - name: client.nat.port - type: long -- description: Packets sent from the client to the server. - name: client.packets - type: long -- description: Port of the client. - name: client.port - type: long -- description: |- - The highest registered client domain, stripped of the subdomain. - For example, the registered domain for "foo.example.com" is "example.com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". - name: client.registered_domain - type: keyword -- description: |- - The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". - name: client.top_level_domain - type: keyword -- description: |- - Name of the directory the user is a member of. 
- For example, an LDAP or Active Directory domain name. - name: client.user.domain - type: keyword -- description: User email address. - name: client.user.email - type: keyword -- description: User's full name, if available. - multi_fields: - - name: text - type: match_only_text - name: client.user.full_name - type: keyword -- description: |- - Name of the directory the group is a member of. - For example, an LDAP or Active Directory domain name. - name: client.user.group.domain - type: keyword -- description: Unique identifier for the group on the system/platform. - name: client.user.group.id - type: keyword -- description: Name of the group. - name: client.user.group.name - type: keyword -- description: |- - Unique user hash to correlate information for a user in anonymized form. - Useful if `user.id` or `user.name` contain confidential information and cannot be used. - name: client.user.hash - type: keyword -- description: Unique identifier of the user. - name: client.user.id - type: keyword -- description: Short name or login of the user. - multi_fields: - - name: text - type: match_only_text - name: client.user.name - type: keyword -- description: Array of user roles at the time of the event. - name: client.user.roles - normalize: - - array - type: keyword -- description: |- - The cloud account or organization id used to identify different entities in a multi-tenant environment. - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. - name: cloud.account.id - type: keyword -- description: |- - The cloud account name or alias used to identify different entities in a multi-tenant environment. - Examples: AWS account name, Google Cloud ORG display name. - name: cloud.account.name - type: keyword -- description: Availability zone in which this host, resource, or service is located. - name: cloud.availability_zone - type: keyword -- description: Instance ID of the host machine. 
- name: cloud.instance.id - type: keyword -- description: Instance name of the host machine. - name: cloud.instance.name - type: keyword -- description: Machine type of the host machine. - name: cloud.machine.type - type: keyword -- description: |- - The cloud project identifier. - Examples: Google Cloud Project id, Azure Project id. - name: cloud.project.id - type: keyword -- description: |- - The cloud project name. - Examples: Google Cloud Project name, Azure Project name. - name: cloud.project.name - type: keyword -- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - name: cloud.provider - type: keyword -- description: Region in which this host, resource, or service is located. - name: cloud.region - type: keyword -- description: Boolean to capture if a signature is present. - name: code_signature.exists - type: boolean -- description: |- - Additional information about the certificate status. - This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. - name: code_signature.status - type: keyword -- description: Subject name of the code signer - name: code_signature.subject_name - type: keyword -- description: |- - Stores the trust status of the certificate chain. - Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status. - name: code_signature.trusted - type: boolean -- description: |- - Boolean to capture if the digital signature is verified against the binary content. - Leave unpopulated if a certificate was unchecked. - name: code_signature.valid - type: boolean -- description: Unique container id. - name: container.id - type: keyword -- description: Name of the image the container was built on. - name: container.image.name - type: keyword -- description: Container image tags. 
- name: container.image.tag - normalize: - - array - type: keyword -- description: Image labels. - name: container.labels - type: object -- description: Container name. - name: container.name - type: keyword -- description: Runtime managing this container. - name: container.runtime - type: keyword -- description: |- - Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: destination.address - type: keyword -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: destination.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: destination.as.organization.name - type: keyword -- description: Bytes sent from the destination to the source. - name: destination.bytes - type: long -- description: |- - The domain name of the destination system. - This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. - name: destination.domain - type: keyword -- description: City name. - name: destination.geo.city_name - type: keyword -- description: Name of the continent. - name: destination.geo.continent_name - type: keyword -- description: Country ISO code. - name: destination.geo.country_iso_code - type: keyword -- description: Country name. - name: destination.geo.country_name - type: keyword -- description: Longitude and latitude. - name: destination.geo.location - type: geo_point -- description: |- - User-defined description of a location, at the level of granularity they care about. 
- Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. - Not typically used in automated geolocation. - name: destination.geo.name - type: keyword -- description: Region ISO code. - name: destination.geo.region_iso_code - type: keyword -- description: Region name. - name: destination.geo.region_name - type: keyword -- description: IP address of the destination (IPv4 or IPv6). - name: destination.ip - type: ip -- description: |- - MAC address of the destination. - The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. - name: destination.mac - pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ - type: keyword -- description: |- - Translated ip of destination based NAT sessions (e.g. internet to private DMZ) - Typically used with load balancers, firewalls, or routers. - name: destination.nat.ip - type: ip -- description: |- - Port the source session is translated to by NAT Device. - Typically used with load balancers, firewalls, or routers. - name: destination.nat.port - type: long -- description: Packets sent from the destination to the source. - name: destination.packets - type: long -- description: Port of the destination. - name: destination.port - type: long -- description: |- - The highest registered destination domain, stripped of the subdomain. - For example, the registered domain for "foo.example.com" is "example.com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". - name: destination.registered_domain - type: keyword -- description: |- - The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. 
For example, the top level domain for example.com is "com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". - name: destination.top_level_domain - type: keyword -- description: |- - Name of the directory the user is a member of. - For example, an LDAP or Active Directory domain name. - name: destination.user.domain - type: keyword -- description: User email address. - name: destination.user.email - type: keyword -- description: User's full name, if available. - multi_fields: - - name: text - type: match_only_text - name: destination.user.full_name - type: keyword -- description: |- - Name of the directory the group is a member of. - For example, an LDAP or Active Directory domain name. - name: destination.user.group.domain - type: keyword -- description: Unique identifier for the group on the system/platform. - name: destination.user.group.id - type: keyword -- description: Name of the group. - name: destination.user.group.name - type: keyword -- description: |- - Unique user hash to correlate information for a user in anonymized form. - Useful if `user.id` or `user.name` contain confidential information and cannot be used. - name: destination.user.hash - type: keyword -- description: Unique identifier of the user. - name: destination.user.id - type: keyword -- description: Short name or login of the user. - multi_fields: - - name: text - type: match_only_text - name: destination.user.name - type: keyword -- description: Array of user roles at the time of the event. - name: destination.user.roles - normalize: - - array - type: keyword -- description: Boolean to capture if a signature is present. - name: dll.code_signature.exists - type: boolean -- description: |- - Additional information about the certificate status. 
- This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. - name: dll.code_signature.status - type: keyword -- description: Subject name of the code signer - name: dll.code_signature.subject_name - type: keyword -- description: |- - Stores the trust status of the certificate chain. - Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status. - name: dll.code_signature.trusted - type: boolean -- description: |- - Boolean to capture if the digital signature is verified against the binary content. - Leave unpopulated if a certificate was unchecked. - name: dll.code_signature.valid - type: boolean -- description: MD5 hash. - name: dll.hash.md5 - type: keyword -- description: SHA1 hash. - name: dll.hash.sha1 - type: keyword -- description: SHA256 hash. - name: dll.hash.sha256 - type: keyword -- description: SHA512 hash. - name: dll.hash.sha512 - type: keyword -- description: |- - Name of the library. - This generally maps to the name of the file on disk. - name: dll.name - type: keyword -- description: Full file path of the library. - name: dll.path - type: keyword -- description: CPU architecture target for the file. - name: dll.pe.architecture - type: keyword -- description: Internal company name of the file, provided at compile-time. - name: dll.pe.company - type: keyword -- description: Internal description of the file, provided at compile-time. - name: dll.pe.description - type: keyword -- description: Internal version of the file, provided at compile-time. - name: dll.pe.file_version - type: keyword -- description: |- - A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. 
- Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. - name: dll.pe.imphash - type: keyword -- description: Internal name of the file, provided at compile-time. - name: dll.pe.original_file_name - type: keyword -- description: Internal product name of the file, provided at compile-time. - name: dll.pe.product - type: keyword -- description: |- - An array containing an object for each answer section returned by the server. - The main keys that should be present in these objects are defined by ECS. Records that have more information may contain more keys than what ECS defines. - Not all DNS data sources give all details about DNS answers. At minimum, answer objects must contain the `data` key. If more information is available, map as much of it to ECS as possible, and add any additional fields to the answer objects as custom fields. - name: dns.answers - normalize: - - array - type: object -- description: The class of DNS data contained in this resource record. - name: dns.answers.class - type: keyword -- description: |- - The data describing the resource. - The meaning of this data depends on the type and class of the resource record. - name: dns.answers.data - type: keyword -- description: |- - The domain name to which this resource record pertains. - If a chain of CNAME is being resolved, each answer's `name` should be the one that corresponds with the answer's `data`. It should not simply be the original `question.name` repeated. - name: dns.answers.name - type: keyword -- description: The time interval in seconds that this resource record may be cached before it should be discarded. Zero values mean that the data should not be cached. - name: dns.answers.ttl - type: long -- description: The type of data contained in this resource record. - name: dns.answers.type - type: keyword -- description: Array of 2 letter DNS header flags. 
- name: dns.header_flags - normalize: - - array - type: keyword -- description: The DNS packet identifier assigned by the program that generated the query. The identifier is copied to the response. - name: dns.id - type: keyword -- description: The DNS operation code that specifies the kind of query in the message. This value is set by the originator of a query and copied into the response. - name: dns.op_code - type: keyword -- description: The class of records being queried. - name: dns.question.class - type: keyword -- description: |- - The name being queried. - If the name field contains non-printable characters (below 32 or above 126), those characters should be represented as escaped base 10 integers (\DDD). Back slashes and quotes should be escaped. Tabs, carriage returns, and line feeds should be converted to \t, \r, and \n respectively. - name: dns.question.name - type: keyword -- description: |- - The highest registered domain, stripped of the subdomain. - For example, the registered domain for "foo.example.com" is "example.com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". - name: dns.question.registered_domain - type: keyword -- description: |- - The subdomain is all of the labels under the registered_domain. - If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. - name: dns.question.subdomain - type: keyword -- description: |- - The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). 
Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". - name: dns.question.top_level_domain - type: keyword -- description: The type of record being queried. - name: dns.question.type - type: keyword -- description: |- - Array containing all IPs seen in `answers.data`. - The `answers` array can be difficult to use, because of the variety of data formats it can contain. Extracting all IP addresses seen in there to `dns.resolved_ip` makes it possible to index them as IP addresses, and makes them easier to visualize and query for. - name: dns.resolved_ip - normalize: - - array - type: ip -- description: The DNS response code. - name: dns.response_code - type: keyword -- description: |- - The type of DNS event captured, query or answer. - If your source of DNS events only gives you DNS queries, you should only create dns events of type `dns.type:query`. - If your source of DNS events gives you answers as well, you should create one event per query (optionally as soon as the query is seen). And a second event containing all query details as well as an array of answers. - name: dns.type - type: keyword -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: Error code describing the error. - name: error.code - type: keyword -- description: Unique identifier for the error. - name: error.id - type: keyword -- description: Error message. - name: error.message - type: match_only_text -- description: The stack trace of this error in plain text. - multi_fields: - - name: text - type: match_only_text - name: error.stack_trace - type: wildcard -- description: The type of the error, for example the class name of the exception. 
- name: error.type - type: keyword -- description: |- - The action captured by the event. - This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. - name: event.action - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. This will allow proper categorization of some events that fall in multiple categories. - name: event.category - normalize: - - array - type: keyword -- description: |- - Identification code for this event, if one exists. - Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. - name: event.code - type: keyword -- description: |- - event.created contains the date/time when the event was first read by an agent, or by your pipeline. - This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. - In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. - In case the two timestamps are identical, @timestamp should be used. - name: event.created - type: date -- description: |- - Duration of the event in nanoseconds. - If event.start and event.end are known this value should be the difference between the end and start time. 
- name: event.duration - type: long -- description: event.end contains the date when the event ended or when the activity was last observed. - name: event.end - type: date -- description: Hash (perhaps logstash fingerprint) of raw field to be able to demonstrate log integrity. - name: event.hash - type: keyword -- description: Unique ID to describe the event. - name: event.id - type: keyword -- description: |- - Timestamp when an event arrived in the central data store. - This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. - In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. - name: event.ingested - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: |- - Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. - This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. 
- doc_values: false - index: false - name: event.original - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. - `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. - Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. - Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. - Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. - name: event.outcome - type: keyword -- description: |- - Source of the event. - Event transports such as Syslog or the Windows Event Log typically mention the source of an event. It can be the name of the software that generated the event (e.g. Sysmon, httpd), or of a subsystem of the operating system (kernel, Microsoft-Windows-Security-Auditing). - name: event.provider - type: keyword -- description: |- - Reason why this event happened, according to the source. - This describes the why of a particular action or outcome captured in the event. Where `event.action` captures the action from the event, `event.reason` describes why that action was taken. For example, a web proxy with an `event.action` which denied the request may also populate `event.reason` with the reason why (e.g. `blocked site`). - name: event.reason - type: keyword -- description: |- - Reference URL linking to additional information about this event. - This URL links to a static definition of this event. 
Alert events, indicated by `event.kind:alert`, are a common use case for this field.
- name: event.reference
- type: keyword
-- description: Risk score or priority of the event (e.g. security solutions). Use your system's original value here.
- name: event.risk_score
- type: float
-- description: |-
- Normalized risk score or priority of the event, on a scale of 0 to 100.
- This is mainly useful if you use more than one system that assigns risk scores, and you want to see a normalized value across all systems.
- name: event.risk_score_norm
- type: float
-- description: |-
- Sequence number of the event.
- The sequence number is a value published by some event sources, to make the exact ordering of events unambiguous, regardless of the timestamp precision.
- name: event.sequence
- type: long
-- description: |-
- The numeric severity of the event according to your event source.
- What the different severity values mean can be different between sources and use cases. It's up to the implementer to make sure severities are consistent across events from the same source.
- The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`.
- name: event.severity
- type: long
-- description: event.start contains the date when the event started or when the activity was first observed.
- name: event.start
- type: date
-- description: |-
- This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise.
- Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00").
- name: event.timezone
- type: keyword
-- description: |-
- This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy.
- `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization.
- This field is an array. This will allow proper categorization of some events that fall in multiple event types.
- name: event.type
- normalize:
- - array
- type: keyword
-- description: |-
- URL linking to an external system to continue investigation of this event.
- This URL links to another system where in-depth investigation of the specific occurrence of this event can take place. Alert events, indicated by `event.kind:alert`, are a common use case for this field.
- name: event.url
- type: keyword
-- description: |-
- Last time the file was accessed.
- Note that not all filesystems keep track of access time.
- name: file.accessed
- type: date
-- description: |-
- Array of file attributes.
- Attributes names will vary by platform. Here's a non-exhaustive list of values that are expected in this field: archive, compressed, directory, encrypted, execute, hidden, read, readonly, system, write.
- name: file.attributes
- normalize:
- - array
- type: keyword
-- description: Boolean to capture if a signature is present.
- name: file.code_signature.exists
- type: boolean
-- description: |-
- Additional information about the certificate status.
- This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked.
- name: file.code_signature.status
- type: keyword
-- description: Subject name of the code signer
- name: file.code_signature.subject_name
- type: keyword
-- description: |-
- Stores the trust status of the certificate chain.
- Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status.
- name: file.code_signature.trusted
- type: boolean
-- description: |-
- Boolean to capture if the digital signature is verified against the binary content.
- Leave unpopulated if a certificate was unchecked.
- name: file.code_signature.valid
- type: boolean
-- description: |-
- File creation time.
- Note that not all filesystems store the creation time.
- name: file.created
- type: date
-- description: |-
- Last time the file attributes or metadata changed.
- Note that changes to the file content will update `mtime`. This implies `ctime` will be adjusted at the same time, since `mtime` is an attribute of the file.
- name: file.ctime
- type: date
-- description: Device that is the source of the file.
- name: file.device
- type: keyword
-- description: Directory where the file is located. It should include the drive letter, when appropriate.
- name: file.directory
- type: keyword
-- description: |-
- Drive letter where the file is located. This field is only relevant on Windows.
- The value should be uppercase, and not include the colon.
- name: file.drive_letter
- type: keyword
-- description: |-
- File extension, excluding the leading dot.
- Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz").
- name: file.extension
- type: keyword
-- description: Primary group ID (GID) of the file.
- name: file.gid
- type: keyword
-- description: Primary group name of the file.
- name: file.group
- type: keyword
-- description: MD5 hash.
- name: file.hash.md5
- type: keyword
-- description: SHA1 hash.
- name: file.hash.sha1
- type: keyword
-- description: SHA256 hash.
- name: file.hash.sha256
- type: keyword
-- description: SHA512 hash.
- name: file.hash.sha512
- type: keyword
-- description: Inode representing the file in the filesystem.
- name: file.inode
- type: keyword
-- description: MIME type should identify the format of the file or stream of bytes using https://www.iana.org/assignments/media-types/media-types.xhtml[IANA official types], where possible. When more than one type is applicable, the most specific type should be used.
- name: file.mime_type
- type: keyword
-- description: Mode of the file in octal representation.
- name: file.mode
- type: keyword
-- description: Last time the file content was modified.
- name: file.mtime
- type: date
-- description: Name of the file including the extension, without the directory.
- name: file.name
- type: keyword
-- description: File owner's username.
- name: file.owner
- type: keyword
-- description: Full path to the file, including the file name. It should include the drive letter, when appropriate.
- multi_fields:
- - name: text
- type: match_only_text
- name: file.path
- type: keyword
-- description: CPU architecture target for the file.
- name: file.pe.architecture
- type: keyword
-- description: Internal company name of the file, provided at compile-time.
- name: file.pe.company
- type: keyword
-- description: Internal description of the file, provided at compile-time.
- name: file.pe.description
- type: keyword
-- description: Internal version of the file, provided at compile-time.
- name: file.pe.file_version
- type: keyword
-- description: |-
- A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values.
- Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.
- name: file.pe.imphash
- type: keyword
-- description: Internal name of the file, provided at compile-time.
- name: file.pe.original_file_name
- type: keyword
-- description: Internal product name of the file, provided at compile-time.
- name: file.pe.product
- type: keyword
-- description: |-
- File size in bytes.
- Only relevant when `file.type` is "file".
- name: file.size
- type: long
-- description: Target path for symlinks.
- multi_fields:
- - name: text
- type: match_only_text
- name: file.target_path
- type: keyword
-- description: File type (file, dir, or symlink).
- name: file.type
- type: keyword
-- description: The user ID (UID) or security identifier (SID) of the file owner.
- name: file.uid
- type: keyword
-- description: List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses.
- name: file.x509.alternative_names
- normalize:
- - array
- type: keyword
-- description: List of common name (CN) of issuing certificate authority.
- name: file.x509.issuer.common_name
- normalize:
- - array
- type: keyword
-- description: List of country \(C) codes
- name: file.x509.issuer.country
- normalize:
- - array
- type: keyword
-- description: Distinguished name (DN) of issuing certificate authority.
- name: file.x509.issuer.distinguished_name
- type: keyword
-- description: List of locality names (L)
- name: file.x509.issuer.locality
- normalize:
- - array
- type: keyword
-- description: List of organizations (O) of issuing certificate authority.
- name: file.x509.issuer.organization
- normalize:
- - array
- type: keyword
-- description: List of organizational units (OU) of issuing certificate authority.
- name: file.x509.issuer.organizational_unit
- normalize:
- - array
- type: keyword
-- description: List of state or province names (ST, S, or P)
- name: file.x509.issuer.state_or_province
- normalize:
- - array
- type: keyword
-- description: Time at which the certificate is no longer considered valid.
- name: file.x509.not_after
- type: date
-- description: Time at which the certificate is first considered valid.
- name: file.x509.not_before
- type: date
-- description: Algorithm used to generate the public key.
- name: file.x509.public_key_algorithm
- type: keyword
-- description: The curve used by the elliptic curve public key algorithm. This is algorithm specific.
- name: file.x509.public_key_curve
- type: keyword
-- description: Exponent used to derive the public key. This is algorithm specific.
- doc_values: false
- index: false
- name: file.x509.public_key_exponent
- type: long
-- description: The size of the public key space in bits.
- name: file.x509.public_key_size
- type: long
-- description: Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters.
- name: file.x509.serial_number
- type: keyword
-- description: Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353.
- name: file.x509.signature_algorithm
- type: keyword
-- description: List of common names (CN) of subject.
- name: file.x509.subject.common_name
- normalize:
- - array
- type: keyword
-- description: List of country \(C) code
- name: file.x509.subject.country
- normalize:
- - array
- type: keyword
-- description: Distinguished name (DN) of the certificate subject entity.
- name: file.x509.subject.distinguished_name
- type: keyword
-- description: List of locality names (L)
- name: file.x509.subject.locality
- normalize:
- - array
- type: keyword
-- description: List of organizations (O) of subject.
- name: file.x509.subject.organization
- normalize:
- - array
- type: keyword
-- description: List of organizational units (OU) of subject.
- name: file.x509.subject.organizational_unit
- normalize:
- - array
- type: keyword
-- description: List of state or province names (ST, S, or P)
- name: file.x509.subject.state_or_province
- normalize:
- - array
- type: keyword
-- description: Version of x509 format.
- name: file.x509.version_number
- type: keyword
-- description: City name.
- name: geo.city_name
- type: keyword
-- description: Name of the continent.
- name: geo.continent_name
- type: keyword
-- description: Country ISO code.
- name: geo.country_iso_code
- type: keyword
-- description: Country name.
- name: geo.country_name
- type: keyword
-- description: Longitude and latitude.
- name: geo.location
- type: geo_point
-- description: |-
- User-defined description of a location, at the level of granularity they care about.
- Could be the name of their data centers, the floor number, if this describes a local physical entity, city names.
- Not typically used in automated geolocation.
- name: geo.name
- type: keyword
-- description: Region ISO code.
- name: geo.region_iso_code
- type: keyword
-- description: Region name.
- name: geo.region_name
- type: keyword
-- description: |-
- Name of the directory the group is a member of.
- For example, an LDAP or Active Directory domain name.
- name: group.domain
- type: keyword
-- description: Unique identifier for the group on the system/platform.
- name: group.id
- type: keyword
-- description: Name of the group.
- name: group.name
- type: keyword
-- description: MD5 hash.
- name: hash.md5
- type: keyword
-- description: SHA1 hash.
- name: hash.sha1
- type: keyword
-- description: SHA256 hash.
- name: hash.sha256
- type: keyword
-- description: SHA512 hash.
- name: hash.sha512
- type: keyword
-- description: Operating system architecture.
- name: host.architecture
- type: keyword
-- description: |-
- Name of the domain of which the host is a member.
- For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name.
For Linux this could be the domain of the host's LDAP provider.
- name: host.domain
- type: keyword
-- description: City name.
- name: host.geo.city_name
- type: keyword
-- description: Name of the continent.
- name: host.geo.continent_name
- type: keyword
-- description: Country ISO code.
- name: host.geo.country_iso_code
- type: keyword
-- description: Country name.
- name: host.geo.country_name
- type: keyword
-- description: Longitude and latitude.
- name: host.geo.location
- type: geo_point
-- description: |-
- User-defined description of a location, at the level of granularity they care about.
- Could be the name of their data centers, the floor number, if this describes a local physical entity, city names.
- Not typically used in automated geolocation.
- name: host.geo.name
- type: keyword
-- description: Region ISO code.
- name: host.geo.region_iso_code
- type: keyword
-- description: Region name.
- name: host.geo.region_name
- type: keyword
-- description: |-
- Hostname of the host.
- It normally contains what the `hostname` command returns on the host machine.
- name: host.hostname
- type: keyword
-- description: |-
- Unique host id.
- As hostname is not always unique, use values that are meaningful in your environment.
- Example: The current usage of `beat.name`.
- name: host.id
- type: keyword
-- description: Host ip addresses.
- name: host.ip
- normalize:
- - array
- type: ip
-- description: |-
- Host MAC addresses.
- The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen.
- name: host.mac
- normalize:
- - array
- pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$
- type: keyword
-- description: |-
- Name of the host.
- It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.
- name: host.name
- type: keyword
-- description: OS family (such as redhat, debian, freebsd, windows).
- name: host.os.family
- type: keyword
-- description: Operating system name, including the version or code name.
- multi_fields:
- - name: text
- type: match_only_text
- name: host.os.full
- type: keyword
-- description: Operating system kernel version as a raw string.
- name: host.os.kernel
- type: keyword
-- description: Operating system name, without the version.
- multi_fields:
- - name: text
- type: match_only_text
- name: host.os.name
- type: keyword
-- description: Operating system platform (such centos, ubuntu, windows).
- name: host.os.platform
- type: keyword
-- description: Operating system version as a raw string.
- name: host.os.version
- type: keyword
-- description: |-
- Type of host.
- For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.
- name: host.type
- type: keyword
-- description: Seconds the host has been up.
- name: host.uptime
- type: long
-- description: Size in bytes of the request body.
- name: http.request.body.bytes
- type: long
-- description: The full HTTP request body.
- multi_fields:
- - name: text
- type: match_only_text
- name: http.request.body.content
- type: wildcard
-- description: Total size in bytes of the request (body and headers).
- name: http.request.bytes
- type: long
-- description: |-
- HTTP request method.
- The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field.
- name: http.request.method
- type: keyword
-- description: Referrer for this HTTP request.
- name: http.request.referrer
- type: keyword
-- description: Size in bytes of the response body.
- name: http.response.body.bytes
- type: long
-- description: The full HTTP response body.
- multi_fields:
- - name: text
- type: match_only_text
- name: http.response.body.content
- type: wildcard
-- description: Total size in bytes of the response (body and headers).
- name: http.response.bytes
- type: long
-- description: HTTP response status code.
- name: http.response.status_code
- type: long
-- description: HTTP version.
- name: http.version
- type: keyword
-- description: Interface alias as reported by the system, typically used in firewall implementations for e.g. inside, outside, or dmz logical interface naming.
- name: interface.alias
- type: keyword
-- description: Interface ID as reported by an observer (typically SNMP interface ID).
- name: interface.id
- type: keyword
-- description: Interface name as reported by the system.
- name: interface.name
- type: keyword
-- description: |-
- Custom key/value pairs.
- Can be used to add meta information to events. Should not contain nested objects. All values are stored as keyword.
- Example: `docker` and `k8s` labels.
- name: labels
- type: object
-- description: |-
- Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate.
- If the event wasn't read from a log file, do not populate this field.
- name: log.file.path
- type: keyword
-- description: |-
- Original log level of the log event.
- If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity).
- Some examples are `warn`, `err`, `i`, `informational`.
- name: log.level
- type: keyword
-- description: The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name.
- name: log.logger
- type: keyword
-- description: The Syslog metadata of the event, if the event was transmitted via Syslog. Please see RFCs 5424 or 3164.
- name: log.syslog
- type: object
-- description: |-
- The Syslog numeric facility of the log event, if available.
- According to RFCs 5424 and 3164, this value should be an integer between 0 and 23.
- name: log.syslog.facility.code
- type: long
-- description: The Syslog text-based facility of the log event, if available.
- name: log.syslog.facility.name
- type: keyword
-- description: |-
- Syslog numeric priority of the event, if available.
- According to RFCs 5424 and 3164, the priority is 8 * facility + severity. This number is therefore expected to contain a value between 0 and 191.
- name: log.syslog.priority
- type: long
-- description: |-
- The Syslog numeric severity of the log event, if available.
- If the event source publishing via Syslog provides a different numeric severity value (e.g. firewall, IDS), your source's numeric severity should go to `event.severity`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `event.severity`.
- name: log.syslog.severity.code
- type: long
-- description: |-
- The Syslog numeric severity of the log event, if available.
- If the event source publishing via Syslog provides a different severity value (e.g. firewall, IDS), your source's text severity should go to `log.level`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `log.level`.
- name: log.syslog.severity.name
- type: keyword
-- description: |-
- For log events the message field contains the log message, optimized for viewing in a log viewer.
- For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event.
- If multiple messages exist, they can be combined into one message.
- name: message
- type: match_only_text
-- description: |-
- When a specific application or service is identified from network connection details (source/dest IPs, ports, certificates, or wire format), this field captures the application's or service's name.
- For example, the original event identifies the network connection being from a specific web service in a `https` network connection, like `facebook` or `twitter`.
- The field value must be normalized to lowercase for querying.
- name: network.application
- type: keyword
-- description: |-
- Total bytes transferred in both directions.
- If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum.
- name: network.bytes
- type: long
-- description: |-
- A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows.
- Learn more at https://github.com/corelight/community-id-spec.
- name: network.community_id
- type: keyword
-- description: |-
- Direction of the network traffic.
- When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress".
- When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external".
- Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers.
- name: network.direction
- type: keyword
-- description: Host IP address when the source IP address is the proxy.
- name: network.forwarded_ip
- type: ip
-- description: IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml).
Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number.
- name: network.iana_number
- type: keyword
-- description: Network.inner fields are added in addition to network.vlan fields to describe the innermost VLAN when q-in-q VLAN tagging is present. Allowed fields include vlan.id and vlan.name. Inner vlan fields are typically used when sending traffic with multiple 802.1q encapsulations to a network sensor (e.g. Zeek, Wireshark.)
- name: network.inner
- type: object
-- description: VLAN ID as reported by the observer.
- name: network.inner.vlan.id
- type: keyword
-- description: Optional VLAN name as reported by the observer.
- name: network.inner.vlan.name
- type: keyword
-- description: Name given by operators to sections of their network.
- name: network.name
- type: keyword
-- description: |-
- Total packets transferred in both directions.
- If `source.packets` and `destination.packets` are known, `network.packets` is their sum.
- name: network.packets
- type: long
-- description: |-
- In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`.
- The field value must be normalized to lowercase for querying.
- name: network.protocol
- type: keyword
-- description: |-
- Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.)
- The field value must be normalized to lowercase for querying.
- name: network.transport
- type: keyword
-- description: |-
- In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc
- The field value must be normalized to lowercase for querying.
- name: network.type
- type: keyword
-- description: VLAN ID as reported by the observer.
- name: network.vlan.id
- type: keyword
-- description: Optional VLAN name as reported by the observer.
- name: network.vlan.name
- type: keyword
-- description: Observer.egress holds information like interface number and name, vlan, and zone information to classify egress traffic. Single armed monitoring such as a network sensor on a span port should only use observer.ingress to categorize traffic.
- name: observer.egress
- type: object
-- description: Interface alias as reported by the system, typically used in firewall implementations for e.g. inside, outside, or dmz logical interface naming.
- name: observer.egress.interface.alias
- type: keyword
-- description: Interface ID as reported by an observer (typically SNMP interface ID).
- name: observer.egress.interface.id
- type: keyword
-- description: Interface name as reported by the system.
- name: observer.egress.interface.name
- type: keyword
-- description: VLAN ID as reported by the observer.
- name: observer.egress.vlan.id
- type: keyword
-- description: Optional VLAN name as reported by the observer.
- name: observer.egress.vlan.name
- type: keyword
-- description: Network zone of outbound traffic as reported by the observer to categorize the destination area of egress traffic, e.g. Internal, External, DMZ, HR, Legal, etc.
- name: observer.egress.zone
- type: keyword
-- description: City name.
- name: observer.geo.city_name
- type: keyword
-- description: Name of the continent.
- name: observer.geo.continent_name
- type: keyword
-- description: Country ISO code.
- name: observer.geo.country_iso_code
- type: keyword
-- description: Country name.
- name: observer.geo.country_name
- type: keyword
-- description: Longitude and latitude.
- name: observer.geo.location
- type: geo_point
-- description: |-
- User-defined description of a location, at the level of granularity they care about.
- Could be the name of their data centers, the floor number, if this describes a local physical entity, city names.
- Not typically used in automated geolocation.
- name: observer.geo.name
- type: keyword
-- description: Region ISO code.
- name: observer.geo.region_iso_code
- type: keyword
-- description: Region name.
- name: observer.geo.region_name
- type: keyword
-- description: Hostname of the observer.
- name: observer.hostname
- type: keyword
-- description: Observer.ingress holds information like interface number and name, vlan, and zone information to classify ingress traffic. Single armed monitoring such as a network sensor on a span port should only use observer.ingress to categorize traffic.
- name: observer.ingress
- type: object
-- description: Interface alias as reported by the system, typically used in firewall implementations for e.g. inside, outside, or dmz logical interface naming.
- name: observer.ingress.interface.alias
- type: keyword
-- description: Interface ID as reported by an observer (typically SNMP interface ID).
- name: observer.ingress.interface.id
- type: keyword
-- description: Interface name as reported by the system.
- name: observer.ingress.interface.name
- type: keyword
-- description: VLAN ID as reported by the observer.
- name: observer.ingress.vlan.id
- type: keyword
-- description: Optional VLAN name as reported by the observer.
- name: observer.ingress.vlan.name
- type: keyword
-- description: Network zone of incoming traffic as reported by the observer to categorize the source area of ingress traffic. e.g. internal, External, DMZ, HR, Legal, etc.
- name: observer.ingress.zone
- type: keyword
-- description: IP addresses of the observer.
- name: observer.ip
- normalize:
- - array
- type: ip
-- description: |-
- MAC addresses of the observer.
- The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen.
- name: observer.mac
- normalize:
- - array
- pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$
- type: keyword
-- description: |-
- Custom name of the observer.
- This is a name that can be given to an observer. This can be helpful for example if multiple firewalls of the same model are used in an organization.
- If no custom name is needed, the field can be left empty.
- name: observer.name
- type: keyword
-- description: OS family (such as redhat, debian, freebsd, windows).
- name: observer.os.family
- type: keyword
-- description: Operating system name, including the version or code name.
- multi_fields:
- - name: text
- type: match_only_text
- name: observer.os.full
- type: keyword
-- description: Operating system kernel version as a raw string.
- name: observer.os.kernel
- type: keyword
-- description: Operating system name, without the version.
- multi_fields:
- - name: text
- type: match_only_text
- name: observer.os.name
- type: keyword
-- description: Operating system platform (such centos, ubuntu, windows).
- name: observer.os.platform
- type: keyword
-- description: Operating system version as a raw string.
- name: observer.os.version
- type: keyword
-- description: The product name of the observer.
- name: observer.product
- type: keyword
-- description: Observer serial number.
- name: observer.serial_number
- type: keyword
-- description: |-
- The type of the observer the data is coming from.
- There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`.
- name: observer.type
- type: keyword
-- description: Vendor name of the observer.
- name: observer.vendor
- type: keyword
-- description: Observer version.
- name: observer.version
- type: keyword
-- description: Unique identifier for the organization.
- name: organization.id
- type: keyword
-- description: Organization name.
- multi_fields:
- - name: text
- type: match_only_text
- name: organization.name
- type: keyword
-- description: OS family (such as redhat, debian, freebsd, windows).
- name: os.family
- type: keyword
-- description: Operating system name, including the version or code name.
- multi_fields:
- - name: text
- type: match_only_text
- name: os.full
- type: keyword
-- description: Operating system kernel version as a raw string.
- name: os.kernel
- type: keyword
-- description: Operating system name, without the version.
- multi_fields:
- - name: text
- type: match_only_text
- name: os.name
- type: keyword
-- description: Operating system platform (such centos, ubuntu, windows).
- name: os.platform
- type: keyword
-- description: Operating system version as a raw string.
- name: os.version
- type: keyword
-- description: Package architecture.
- name: package.architecture
- type: keyword
-- description: |-
- Additional information about the build version of the installed package.
- For example use the commit SHA of a non-released package.
- name: package.build_version
- type: keyword
-- description: Checksum of the installed package for verification.
- name: package.checksum
- type: keyword
-- description: Description of the package.
- name: package.description
- type: keyword
-- description: Indicating how the package was installed, e.g. user-local, global.
- name: package.install_scope
- type: keyword
-- description: Time when package was installed.
- name: package.installed
- type: date
-- description: |-
- License under which the package was released.
- Use a short name, e.g. the license identifier from SPDX License List where possible (https://spdx.org/licenses/).
- name: package.license
- type: keyword
-- description: Package name
- name: package.name
- type: keyword
-- description: Path where the package is installed.
- name: package.path
- type: keyword
-- description: Home page or reference URL of the software in this package, if available.
- name: package.reference - type: keyword -- description: Package size in bytes. - name: package.size - type: long -- description: |- - Type of package. - This should contain the package file type, rather than the package manager name. Examples: rpm, dpkg, brew, npm, gem, nupkg, jar. - name: package.type - type: keyword -- description: Package version - name: package.version - type: keyword -- description: CPU architecture target for the file. - name: pe.architecture - type: keyword -- description: Internal company name of the file, provided at compile-time. - name: pe.company - type: keyword -- description: Internal description of the file, provided at compile-time. - name: pe.description - type: keyword -- description: Internal version of the file, provided at compile-time. - name: pe.file_version - type: keyword -- description: |- - A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. - Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. - name: pe.imphash - type: keyword -- description: Internal name of the file, provided at compile-time. - name: pe.original_file_name - type: keyword -- description: Internal product name of the file, provided at compile-time. - name: pe.product - type: keyword -- description: |- - Array of process arguments, starting with the absolute path to the executable. - May be filtered to protect sensitive information. - name: process.args - normalize: - - array - type: keyword -- description: |- - Length of the process.args array. - This field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. More arguments may be an indication of suspicious activity. 
- name: process.args_count - type: long -- description: Boolean to capture if a signature is present. - name: process.code_signature.exists - type: boolean -- description: |- - Additional information about the certificate status. - This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. - name: process.code_signature.status - type: keyword -- description: Subject name of the code signer - name: process.code_signature.subject_name - type: keyword -- description: |- - Stores the trust status of the certificate chain. - Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status. - name: process.code_signature.trusted - type: boolean -- description: |- - Boolean to capture if the digital signature is verified against the binary content. - Leave unpopulated if a certificate was unchecked. - name: process.code_signature.valid - type: boolean -- description: |- - Full command line that started the process, including the absolute path to the executable, and all arguments. - Some arguments may be filtered to protect sensitive information. - multi_fields: - - name: text - type: match_only_text - name: process.command_line - type: wildcard -- description: |- - Unique identifier for the process. - The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. - Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. - name: process.entity_id - type: keyword -- description: Absolute path to the process executable. 
- multi_fields: - - name: text - type: match_only_text - name: process.executable - type: keyword -- description: |- - The exit code of the process, if this is a termination event. - The field should be absent if there is no exit code for the event (e.g. process start). - name: process.exit_code - type: long -- description: MD5 hash. - name: process.hash.md5 - type: keyword -- description: SHA1 hash. - name: process.hash.sha1 - type: keyword -- description: SHA256 hash. - name: process.hash.sha256 - type: keyword -- description: SHA512 hash. - name: process.hash.sha512 - type: keyword -- description: |- - Process name. - Sometimes called program name or similar. - multi_fields: - - name: text - type: match_only_text - name: process.name - type: keyword -- description: |- - Array of process arguments, starting with the absolute path to the executable. - May be filtered to protect sensitive information. - name: process.parent.args - normalize: - - array - type: keyword -- description: |- - Length of the process.args array. - This field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. More arguments may be an indication of suspicious activity. - name: process.parent.args_count - type: long -- description: Boolean to capture if a signature is present. - name: process.parent.code_signature.exists - type: boolean -- description: |- - Additional information about the certificate status. - This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. - name: process.parent.code_signature.status - type: keyword -- description: Subject name of the code signer - name: process.parent.code_signature.subject_name - type: keyword -- description: |- - Stores the trust status of the certificate chain. 
- Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status. - name: process.parent.code_signature.trusted - type: boolean -- description: |- - Boolean to capture if the digital signature is verified against the binary content. - Leave unpopulated if a certificate was unchecked. - name: process.parent.code_signature.valid - type: boolean -- description: |- - Full command line that started the process, including the absolute path to the executable, and all arguments. - Some arguments may be filtered to protect sensitive information. - multi_fields: - - name: text - type: match_only_text - name: process.parent.command_line - type: wildcard -- description: |- - Unique identifier for the process. - The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. - Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. - name: process.parent.entity_id - type: keyword -- description: Absolute path to the process executable. - multi_fields: - - name: text - type: match_only_text - name: process.parent.executable - type: keyword -- description: |- - The exit code of the process, if this is a termination event. - The field should be absent if there is no exit code for the event (e.g. process start). - name: process.parent.exit_code - type: long -- description: MD5 hash. - name: process.parent.hash.md5 - type: keyword -- description: SHA1 hash. - name: process.parent.hash.sha1 - type: keyword -- description: SHA256 hash. - name: process.parent.hash.sha256 - type: keyword -- description: SHA512 hash. - name: process.parent.hash.sha512 - type: keyword -- description: |- - Process name. 
- Sometimes called program name or similar. - multi_fields: - - name: text - type: match_only_text - name: process.parent.name - type: keyword -- description: CPU architecture target for the file. - name: process.parent.pe.architecture - type: keyword -- description: Internal company name of the file, provided at compile-time. - name: process.parent.pe.company - type: keyword -- description: Internal description of the file, provided at compile-time. - name: process.parent.pe.description - type: keyword -- description: Internal version of the file, provided at compile-time. - name: process.parent.pe.file_version - type: keyword -- description: |- - A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. - Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. - name: process.parent.pe.imphash - type: keyword -- description: Internal name of the file, provided at compile-time. - name: process.parent.pe.original_file_name - type: keyword -- description: Internal product name of the file, provided at compile-time. - name: process.parent.pe.product - type: keyword -- description: |- - Deprecated for removal in next major version release. This field is superseded by `process.group_leader.pid`. - Identifier of the group of processes the process belongs to. - name: process.parent.pgid - type: long -- description: Process id. - name: process.parent.pid - type: long -- description: The time the process started. - name: process.parent.start - type: date -- description: Thread ID. - name: process.parent.thread.id - type: long -- description: Thread name. - name: process.parent.thread.name - type: keyword -- description: |- - Process title. - The proctitle, some times the same as process name. 
Can also be different: for example a browser setting its title to the web page currently opened. - multi_fields: - - name: text - type: match_only_text - name: process.parent.title - type: keyword -- description: Seconds the process has been up. - name: process.parent.uptime - type: long -- description: The working directory of the process. - multi_fields: - - name: text - type: match_only_text - name: process.parent.working_directory - type: keyword -- description: CPU architecture target for the file. - name: process.pe.architecture - type: keyword -- description: Internal company name of the file, provided at compile-time. - name: process.pe.company - type: keyword -- description: Internal description of the file, provided at compile-time. - name: process.pe.description - type: keyword -- description: Internal version of the file, provided at compile-time. - name: process.pe.file_version - type: keyword -- description: |- - A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. - Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. - name: process.pe.imphash - type: keyword -- description: Internal name of the file, provided at compile-time. - name: process.pe.original_file_name - type: keyword -- description: Internal product name of the file, provided at compile-time. - name: process.pe.product - type: keyword -- description: |- - Deprecated for removal in next major version release. This field is superseded by `process.group_leader.pid`. - Identifier of the group of processes the process belongs to. - name: process.pgid - type: long -- description: Process id. - name: process.pid - type: long -- description: The time the process started. - name: process.start - type: date -- description: Thread ID. 
- name: process.thread.id - type: long -- description: Thread name. - name: process.thread.name - type: keyword -- description: |- - Process title. - The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. - multi_fields: - - name: text - type: match_only_text - name: process.title - type: keyword -- description: Seconds the process has been up. - name: process.uptime - type: long -- description: The working directory of the process. - multi_fields: - - name: text - type: match_only_text - name: process.working_directory - type: keyword -- description: |- - Original bytes written with base64 encoding. - For Windows registry operations, such as SetValueEx and RegQueryValueEx, this corresponds to the data pointed by `lp_data`. This is optional but provides better recoverability and should be populated for REG_BINARY encoded values. - name: registry.data.bytes - type: keyword -- description: |- - Content when writing string types. - Populated as an array when writing string data to the registry. For single string registry types (REG_SZ, REG_EXPAND_SZ), this should be an array with one string. For sequences of string with REG_MULTI_SZ, this array will be variable length. For numeric data, such as REG_DWORD and REG_QWORD, this should be populated with the decimal representation (e.g `"1"`). - name: registry.data.strings - normalize: - - array - type: wildcard -- description: Standard registry type for encoding contents - name: registry.data.type - type: keyword -- description: Abbreviated name for the hive. - name: registry.hive - type: keyword -- description: Hive-relative path of keys. - name: registry.key - type: keyword -- description: Full path, including hive, key and value - name: registry.path - type: keyword -- description: Name of the value written. - name: registry.value - type: keyword -- description: All the hashes seen on your event. 
Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). - name: related.hash - normalize: - - array - type: keyword -- description: All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. - name: related.hosts - normalize: - - array - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - normalize: - - array - type: ip -- description: All the user names or other user identifiers seen on the event. - name: related.user - normalize: - - array - type: keyword -- description: Name, organization, or pseudonym of the author or authors who created the rule used to generate this event. - name: rule.author - normalize: - - array - type: keyword -- description: A categorization value keyword used by the entity using the rule for detection of this event. - name: rule.category - type: keyword -- description: The description of the rule generating the event. - name: rule.description - type: keyword -- description: A rule ID that is unique within the scope of an agent, observer, or other entity using the rule for detection of this event. - name: rule.id - type: keyword -- description: Name of the license under which the rule used to generate this event is made available. - name: rule.license - type: keyword -- description: The name of the rule or signature generating the event. - name: rule.name - type: keyword -- description: |- - Reference URL to additional information about the rule used to generate this event. - The URL can point to the vendor's documentation about the rule. If that's not available, it can also be a link to a more general page describing this type of alert. - name: rule.reference - type: keyword -- description: Name of the ruleset, policy, group, or parent category in which the rule used to generate this event is a member. 
- name: rule.ruleset - type: keyword -- description: A rule ID that is unique within the scope of a set or group of agents, observers, or other entities using the rule for detection of this event. - name: rule.uuid - type: keyword -- description: The version / revision of the rule being used for analysis. - name: rule.version - type: keyword -- description: |- - Some event server addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: server.address - type: keyword -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: server.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: server.as.organization.name - type: keyword -- description: Bytes sent from the server to the client. - name: server.bytes - type: long -- description: |- - The domain name of the server system. - This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. - name: server.domain - type: keyword -- description: City name. - name: server.geo.city_name - type: keyword -- description: Name of the continent. - name: server.geo.continent_name - type: keyword -- description: Country ISO code. - name: server.geo.country_iso_code - type: keyword -- description: Country name. - name: server.geo.country_name - type: keyword -- description: Longitude and latitude. - name: server.geo.location - type: geo_point -- description: |- - User-defined description of a location, at the level of granularity they care about. - Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. 
- Not typically used in automated geolocation. - name: server.geo.name - type: keyword -- description: Region ISO code. - name: server.geo.region_iso_code - type: keyword -- description: Region name. - name: server.geo.region_name - type: keyword -- description: IP address of the server (IPv4 or IPv6). - name: server.ip - type: ip -- description: |- - MAC address of the server. - The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. - name: server.mac - pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ - type: keyword -- description: |- - Translated ip of destination based NAT sessions (e.g. internet to private DMZ) - Typically used with load balancers, firewalls, or routers. - name: server.nat.ip - type: ip -- description: |- - Translated port of destination based NAT sessions (e.g. internet to private DMZ) - Typically used with load balancers, firewalls, or routers. - name: server.nat.port - type: long -- description: Packets sent from the server to the client. - name: server.packets - type: long -- description: Port of the server. - name: server.port - type: long -- description: |- - The highest registered server domain, stripped of the subdomain. - For example, the registered domain for "foo.example.com" is "example.com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". - name: server.registered_domain - type: keyword -- description: |- - The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). 
Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". - name: server.top_level_domain - type: keyword -- description: |- - Name of the directory the user is a member of. - For example, an LDAP or Active Directory domain name. - name: server.user.domain - type: keyword -- description: User email address. - name: server.user.email - type: keyword -- description: User's full name, if available. - multi_fields: - - name: text - type: match_only_text - name: server.user.full_name - type: keyword -- description: |- - Name of the directory the group is a member of. - For example, an LDAP or Active Directory domain name. - name: server.user.group.domain - type: keyword -- description: Unique identifier for the group on the system/platform. - name: server.user.group.id - type: keyword -- description: Name of the group. - name: server.user.group.name - type: keyword -- description: |- - Unique user hash to correlate information for a user in anonymized form. - Useful if `user.id` or `user.name` contain confidential information and cannot be used. - name: server.user.hash - type: keyword -- description: Unique identifier of the user. - name: server.user.id - type: keyword -- description: Short name or login of the user. - multi_fields: - - name: text - type: match_only_text - name: server.user.name - type: keyword -- description: Array of user roles at the time of the event. - name: server.user.roles - normalize: - - array - type: keyword -- description: |- - Ephemeral identifier of this service (if one exists). - This id normally changes across restarts, but `service.id` does not. - name: service.ephemeral_id - type: keyword -- description: |- - Unique identifier of the running service. If the service is comprised of many nodes, the `service.id` should be the same for all nodes. - This id should uniquely identify the service. 
This makes it possible to correlate logs and metrics for one specific service, no matter which particular node emitted the event. - Note that if you need to see the events from one specific host of the service, you should filter on that `host.name` or `host.id` instead. - name: service.id - type: keyword -- description: |- - Name of the service data is collected from. - The name of the service is normally user given. This allows for distributed services that run on multiple hosts to correlate the related instances based on the name. - In the case of Elasticsearch the `service.name` could contain the cluster name. For Beats the `service.name` is by default a copy of the `service.type` field if no name is specified. - name: service.name - type: keyword -- description: |- - Name of a service node. - This allows for two nodes of the same service running on the same host to be differentiated. Therefore, `service.node.name` should typically be unique across nodes of a given service. - In the case of Elasticsearch, the `service.node.name` could contain the unique node name within the Elasticsearch cluster. In cases where the service doesn't have the concept of a node name, the host name or container name can be used to distinguish running instances that make up this service. If those do not provide uniqueness (e.g. multiple instances of the service running on the same host) - the node name can be manually set. - name: service.node.name - type: keyword -- description: Current state of the service. - name: service.state - type: keyword -- description: |- - The type of the service data is collected from. - The type can be used to group and correlate logs and metrics from one service type. - Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. - name: service.type - type: keyword -- description: |- - Version of the service the data was collected from. 
- This allows to look at a data set only for a specific version of a service. - name: service.version - type: keyword -- description: |- - Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: source.address - type: keyword -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: source.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: source.as.organization.name - type: keyword -- description: Bytes sent from the source to the destination. - name: source.bytes - type: long -- description: |- - The domain name of the source system. - This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. - name: source.domain - type: keyword -- description: City name. - name: source.geo.city_name - type: keyword -- description: Name of the continent. - name: source.geo.continent_name - type: keyword -- description: Country ISO code. - name: source.geo.country_iso_code - type: keyword -- description: Country name. - name: source.geo.country_name - type: keyword -- description: Longitude and latitude. - name: source.geo.location - type: geo_point -- description: |- - User-defined description of a location, at the level of granularity they care about. - Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. - Not typically used in automated geolocation. - name: source.geo.name - type: keyword -- description: Region ISO code. - name: source.geo.region_iso_code - type: keyword -- description: Region name. 
- name: source.geo.region_name - type: keyword -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: |- - MAC address of the source. - The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. - name: source.mac - pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ - type: keyword -- description: |- - Translated ip of source based NAT sessions (e.g. internal client to internet) - Typically connections traversing load balancers, firewalls, or routers. - name: source.nat.ip - type: ip -- description: |- - Translated port of source based NAT sessions. (e.g. internal client to internet) - Typically used with load balancers, firewalls, or routers. - name: source.nat.port - type: long -- description: Packets sent from the source to the destination. - name: source.packets - type: long -- description: Port of the source. - name: source.port - type: long -- description: |- - The highest registered source domain, stripped of the subdomain. - For example, the registered domain for "foo.example.com" is "example.com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". - name: source.registered_domain - type: keyword -- description: |- - The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". 
- name: source.top_level_domain - type: keyword -- description: |- - Name of the directory the user is a member of. - For example, an LDAP or Active Directory domain name. - name: source.user.domain - type: keyword -- description: User email address. - name: source.user.email - type: keyword -- description: User's full name, if available. - multi_fields: - - name: text - type: match_only_text - name: source.user.full_name - type: keyword -- description: |- - Name of the directory the group is a member of. - For example, an LDAP or Active Directory domain name. - name: source.user.group.domain - type: keyword -- description: Unique identifier for the group on the system/platform. - name: source.user.group.id - type: keyword -- description: Name of the group. - name: source.user.group.name - type: keyword -- description: |- - Unique user hash to correlate information for a user in anonymized form. - Useful if `user.id` or `user.name` contain confidential information and cannot be used. - name: source.user.hash - type: keyword -- description: Unique identifier of the user. - name: source.user.id - type: keyword -- description: Short name or login of the user. - multi_fields: - - name: text - type: match_only_text - name: source.user.name - type: keyword -- description: Array of user roles at the time of the event. - name: source.user.roles - normalize: - - array - type: keyword -- description: List of keywords used to tag each event. - name: tags - normalize: - - array - type: keyword -- description: Name of the threat framework used to further categorize and classify the tactic and technique of the reported threat. Framework classification can be provided by detecting systems, evaluated at ingest time, or retrospectively tagged to events. - name: threat.framework - type: keyword -- description: The id of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. 
https://attack.mitre.org/tactics/TA0002/ ) - name: threat.tactic.id - normalize: - - array - type: keyword -- description: Name of the type of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/) - name: threat.tactic.name - normalize: - - array - type: keyword -- description: The reference url of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/ ) - name: threat.tactic.reference - normalize: - - array - type: keyword -- description: The id of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1059/) - name: threat.technique.id - normalize: - - array - type: keyword -- description: The name of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1059/) - multi_fields: - - name: text - type: match_only_text - name: threat.technique.name - normalize: - - array - type: keyword -- description: The reference url of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1059/) - name: threat.technique.reference - normalize: - - array - type: keyword -- description: String indicating the cipher used during the current connection. - name: tls.cipher - type: keyword -- description: PEM-encoded stand-alone certificate offered by the client. This is usually mutually-exclusive of `client.certificate_chain` since this value also exists in that list. - name: tls.client.certificate - type: keyword -- description: Array of PEM-encoded certificates that make up the certificate chain offered by the client. This is usually mutually-exclusive of `client.certificate` since that value should be the first certificate in the chain. 
- name: tls.client.certificate_chain - normalize: - - array - type: keyword -- description: Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the client. For consistency with other hash values, this value should be formatted as an uppercase hash. - name: tls.client.hash.md5 - type: keyword -- description: Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the client. For consistency with other hash values, this value should be formatted as an uppercase hash. - name: tls.client.hash.sha1 - type: keyword -- description: Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the client. For consistency with other hash values, this value should be formatted as an uppercase hash. - name: tls.client.hash.sha256 - type: keyword -- description: Distinguished name of subject of the issuer of the x.509 certificate presented by the client. - name: tls.client.issuer - type: keyword -- description: A hash that identifies clients based on how they perform an SSL/TLS handshake. - name: tls.client.ja3 - type: keyword -- description: Date/Time indicating when client certificate is no longer considered valid. - name: tls.client.not_after - type: date -- description: Date/Time indicating when client certificate is first considered valid. - name: tls.client.not_before - type: date -- description: Also called an SNI, this tells the server which hostname to which the client is attempting to connect to. When this value is available, it should get copied to `destination.domain`. - name: tls.client.server_name - type: keyword -- description: Distinguished name of subject of the x.509 certificate presented by the client. - name: tls.client.subject - type: keyword -- description: Array of ciphers offered by the client during the client hello. 
- name: tls.client.supported_ciphers - normalize: - - array - type: keyword -- description: List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses. - name: tls.client.x509.alternative_names - normalize: - - array - type: keyword -- description: List of common name (CN) of issuing certificate authority. - name: tls.client.x509.issuer.common_name - normalize: - - array - type: keyword -- description: List of country \(C) codes - name: tls.client.x509.issuer.country - normalize: - - array - type: keyword -- description: Distinguished name (DN) of issuing certificate authority. - name: tls.client.x509.issuer.distinguished_name - type: keyword -- description: List of locality names (L) - name: tls.client.x509.issuer.locality - normalize: - - array - type: keyword -- description: List of organizations (O) of issuing certificate authority. - name: tls.client.x509.issuer.organization - normalize: - - array - type: keyword -- description: List of organizational units (OU) of issuing certificate authority. - name: tls.client.x509.issuer.organizational_unit - normalize: - - array - type: keyword -- description: List of state or province names (ST, S, or P) - name: tls.client.x509.issuer.state_or_province - normalize: - - array - type: keyword -- description: Time at which the certificate is no longer considered valid. - name: tls.client.x509.not_after - type: date -- description: Time at which the certificate is first considered valid. - name: tls.client.x509.not_before - type: date -- description: Algorithm used to generate the public key. - name: tls.client.x509.public_key_algorithm - type: keyword -- description: The curve used by the elliptic curve public key algorithm. This is algorithm specific. - name: tls.client.x509.public_key_curve - type: keyword -- description: Exponent used to derive the public key. This is algorithm specific. 
- doc_values: false - index: false - name: tls.client.x509.public_key_exponent - type: long -- description: The size of the public key space in bits. - name: tls.client.x509.public_key_size - type: long -- description: Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters. - name: tls.client.x509.serial_number - type: keyword -- description: Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. - name: tls.client.x509.signature_algorithm - type: keyword -- description: List of common names (CN) of subject. - name: tls.client.x509.subject.common_name - normalize: - - array - type: keyword -- description: List of country \(C) code - name: tls.client.x509.subject.country - normalize: - - array - type: keyword -- description: Distinguished name (DN) of the certificate subject entity. - name: tls.client.x509.subject.distinguished_name - type: keyword -- description: List of locality names (L) - name: tls.client.x509.subject.locality - normalize: - - array - type: keyword -- description: List of organizations (O) of subject. - name: tls.client.x509.subject.organization - normalize: - - array - type: keyword -- description: List of organizational units (OU) of subject. - name: tls.client.x509.subject.organizational_unit - normalize: - - array - type: keyword -- description: List of state or province names (ST, S, or P) - name: tls.client.x509.subject.state_or_province - normalize: - - array - type: keyword -- description: Version of x509 format. - name: tls.client.x509.version_number - type: keyword -- description: String indicating the curve used for the given cipher, when applicable. 
- name: tls.curve - type: keyword -- description: Boolean flag indicating if the TLS negotiation was successful and transitioned to an encrypted tunnel. - name: tls.established - type: boolean -- description: String indicating the protocol being tunneled. Per the values in the IANA registry (https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml#alpn-protocol-ids), this string should be lower case. - name: tls.next_protocol - type: keyword -- description: Boolean flag indicating if this TLS connection was resumed from an existing TLS negotiation. - name: tls.resumed - type: boolean -- description: PEM-encoded stand-alone certificate offered by the server. This is usually mutually-exclusive of `server.certificate_chain` since this value also exists in that list. - name: tls.server.certificate - type: keyword -- description: Array of PEM-encoded certificates that make up the certificate chain offered by the server. This is usually mutually-exclusive of `server.certificate` since that value should be the first certificate in the chain. - name: tls.server.certificate_chain - normalize: - - array - type: keyword -- description: Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the server. For consistency with other hash values, this value should be formatted as an uppercase hash. - name: tls.server.hash.md5 - type: keyword -- description: Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the server. For consistency with other hash values, this value should be formatted as an uppercase hash. - name: tls.server.hash.sha1 - type: keyword -- description: Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the server. For consistency with other hash values, this value should be formatted as an uppercase hash. 
- name: tls.server.hash.sha256 - type: keyword -- description: Subject of the issuer of the x.509 certificate presented by the server. - name: tls.server.issuer - type: keyword -- description: A hash that identifies servers based on how they perform an SSL/TLS handshake. - name: tls.server.ja3s - type: keyword -- description: Timestamp indicating when server certificate is no longer considered valid. - name: tls.server.not_after - type: date -- description: Timestamp indicating when server certificate is first considered valid. - name: tls.server.not_before - type: date -- description: Subject of the x.509 certificate presented by the server. - name: tls.server.subject - type: keyword -- description: List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses. - name: tls.server.x509.alternative_names - normalize: - - array - type: keyword -- description: List of common name (CN) of issuing certificate authority. - name: tls.server.x509.issuer.common_name - normalize: - - array - type: keyword -- description: List of country \(C) codes - name: tls.server.x509.issuer.country - normalize: - - array - type: keyword -- description: Distinguished name (DN) of issuing certificate authority. - name: tls.server.x509.issuer.distinguished_name - type: keyword -- description: List of locality names (L) - name: tls.server.x509.issuer.locality - normalize: - - array - type: keyword -- description: List of organizations (O) of issuing certificate authority. - name: tls.server.x509.issuer.organization - normalize: - - array - type: keyword -- description: List of organizational units (OU) of issuing certificate authority. 
- name: tls.server.x509.issuer.organizational_unit - normalize: - - array - type: keyword -- description: List of state or province names (ST, S, or P) - name: tls.server.x509.issuer.state_or_province - normalize: - - array - type: keyword -- description: Time at which the certificate is no longer considered valid. - name: tls.server.x509.not_after - type: date -- description: Time at which the certificate is first considered valid. - name: tls.server.x509.not_before - type: date -- description: Algorithm used to generate the public key. - name: tls.server.x509.public_key_algorithm - type: keyword -- description: The curve used by the elliptic curve public key algorithm. This is algorithm specific. - name: tls.server.x509.public_key_curve - type: keyword -- description: Exponent used to derive the public key. This is algorithm specific. - doc_values: false - index: false - name: tls.server.x509.public_key_exponent - type: long -- description: The size of the public key space in bits. - name: tls.server.x509.public_key_size - type: long -- description: Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters. - name: tls.server.x509.serial_number - type: keyword -- description: Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. - name: tls.server.x509.signature_algorithm - type: keyword -- description: List of common names (CN) of subject. - name: tls.server.x509.subject.common_name - normalize: - - array - type: keyword -- description: List of country \(C) code - name: tls.server.x509.subject.country - normalize: - - array - type: keyword -- description: Distinguished name (DN) of the certificate subject entity. 
- name: tls.server.x509.subject.distinguished_name - type: keyword -- description: List of locality names (L) - name: tls.server.x509.subject.locality - normalize: - - array - type: keyword -- description: List of organizations (O) of subject. - name: tls.server.x509.subject.organization - normalize: - - array - type: keyword -- description: List of organizational units (OU) of subject. - name: tls.server.x509.subject.organizational_unit - normalize: - - array - type: keyword -- description: List of state or province names (ST, S, or P) - name: tls.server.x509.subject.state_or_province - normalize: - - array - type: keyword -- description: Version of x509 format. - name: tls.server.x509.version_number - type: keyword -- description: Numeric part of the version parsed from the original string. - name: tls.version - type: keyword -- description: Normalized lowercase protocol name parsed from original string. - name: tls.version_protocol - type: keyword -- description: |- - Unique identifier of the span within the scope of its trace. - A span represents an operation within a transaction, such as a request to another service, or a database query. - name: span.id - type: keyword -- description: |- - Unique identifier of the trace. - A trace groups multiple events like transactions that belong together. For example, a user request handled by multiple inter-connected services. - name: trace.id - type: keyword -- description: |- - Unique identifier of the transaction within the scope of its trace. - A transaction is the highest level of work measured within a service, such as a request to a server. - name: transaction.id - type: keyword -- description: |- - Domain of the url, such as "www.elastic.co". - In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. 
- If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. - name: url.domain - type: keyword -- description: |- - The field contains the file extension from the original request url, excluding the leading dot. - The file extension is only set if it exists, as not every url has a file extension. - The leading period must not be included. For example, the value must be "png", not ".png". - Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). - name: url.extension - type: keyword -- description: |- - Portion of the url after the `#`, such as "top". - The `#` is not part of the fragment. - name: url.fragment - type: keyword -- description: If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. - multi_fields: - - name: text - type: match_only_text - name: url.full - type: wildcard -- description: |- - Unmodified original url as seen in the event source. - Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. - This field is meant to represent the URL as it was observed, complete or not. - multi_fields: - - name: text - type: match_only_text - name: url.original - type: wildcard -- description: Password of the request. - name: url.password - type: keyword -- description: Path of the request, such as "/search". - name: url.path - type: wildcard -- description: Port of the request, such as 443. - name: url.port - type: long -- description: |- - The query field describes the query string of the request, such as "q=elasticsearch". - The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. 
The `exists` query can be used to differentiate between the two cases. - name: url.query - type: keyword -- description: |- - The highest registered url domain, stripped of the subdomain. - For example, the registered domain for "foo.example.com" is "example.com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". - name: url.registered_domain - type: keyword -- description: |- - Scheme of the request, such as "https". - Note: The `:` is not part of the scheme. - name: url.scheme - type: keyword -- description: |- - The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". - name: url.top_level_domain - type: keyword -- description: Username of the request. - name: url.username - type: keyword -- description: |- - Name of the directory the user is a member of. - For example, an LDAP or Active Directory domain name. - name: user.domain - type: keyword -- description: User email address. - name: user.email - type: keyword -- description: User's full name, if available. - multi_fields: - - name: text - type: match_only_text - name: user.full_name - type: keyword -- description: |- - Name of the directory the group is a member of. - For example, an LDAP or Active Directory domain name. - name: user.group.domain - type: keyword -- description: Unique identifier for the group on the system/platform. - name: user.group.id - type: keyword -- description: Name of the group. 
- name: user.group.name - type: keyword -- description: |- - Unique user hash to correlate information for a user in anonymized form. - Useful if `user.id` or `user.name` contain confidential information and cannot be used. - name: user.hash - type: keyword -- description: Unique identifier of the user. - name: user.id - type: keyword -- description: Short name or login of the user. - multi_fields: - - name: text - type: match_only_text - name: user.name - type: keyword -- description: Array of user roles at the time of the event. - name: user.roles - normalize: - - array - type: keyword -- description: Name of the device. - name: user_agent.device.name - type: keyword -- description: Name of the user agent. - name: user_agent.name - type: keyword -- description: Unparsed user_agent string. - multi_fields: - - name: text - type: match_only_text - name: user_agent.original - type: keyword -- description: OS family (such as redhat, debian, freebsd, windows). - name: user_agent.os.family - type: keyword -- description: Operating system name, including the version or code name. - multi_fields: - - name: text - type: match_only_text - name: user_agent.os.full - type: keyword -- description: Operating system kernel version as a raw string. - name: user_agent.os.kernel - type: keyword -- description: Operating system name, without the version. - multi_fields: - - name: text - type: match_only_text - name: user_agent.os.name - type: keyword -- description: Operating system platform (such centos, ubuntu, windows). - name: user_agent.os.platform - type: keyword -- description: Operating system version as a raw string. - name: user_agent.os.version - type: keyword -- description: Version of the user agent. - name: user_agent.version - type: keyword -- description: VLAN ID as reported by the observer. - name: vlan.id - type: keyword -- description: Optional VLAN name as reported by the observer. 
- name: vlan.name - type: keyword -- description: |- - The type of system or architecture that the vulnerability affects. These may be platform-specific (for example, Debian or SUSE) or general (for example, Database or Firewall). For example (https://qualysguard.qualys.com/qwebhelp/fo_portal/knowledgebase/vulnerability_categories.htm[Qualys vulnerability categories]) - This field must be an array. - name: vulnerability.category - normalize: - - array - type: keyword -- description: The classification of the vulnerability scoring system. For example (https://www.first.org/cvss/) - name: vulnerability.classification - type: keyword -- description: The description of the vulnerability that provides additional context of the vulnerability. For example (https://cve.mitre.org/about/faqs.html#cve_entry_descriptions_created[Common Vulnerabilities and Exposure CVE description]) - multi_fields: - - name: text - type: match_only_text - name: vulnerability.description - type: keyword -- description: The type of identifier used for this vulnerability. For example (https://cve.mitre.org/about/) - name: vulnerability.enumeration - type: keyword -- description: The identification (ID) is the number portion of a vulnerability entry. It includes a unique identification number for the vulnerability. For example (https://cve.mitre.org/about/faqs.html#what_is_cve_id)[Common Vulnerabilities and Exposure CVE ID] - name: vulnerability.id - type: keyword -- description: A resource that provides additional information, context, and mitigations for the identified vulnerability. - name: vulnerability.reference - type: keyword -- description: The report or scan identification number. - name: vulnerability.report_id - type: keyword -- description: The name of the vulnerability scanner vendor. - name: vulnerability.scanner.vendor - type: keyword -- description: |- - Scores can range from 0.0 to 10.0, with 10.0 being the most severe. 
- Base scores cover an assessment for exploitability metrics (attack vector, complexity, privileges, and user interaction), impact metrics (confidentiality, integrity, and availability), and scope. For example (https://www.first.org/cvss/specification-document) - name: vulnerability.score.base - type: float -- description: |- - Scores can range from 0.0 to 10.0, with 10.0 being the most severe. - Environmental scores cover an assessment for any modified Base metrics, confidentiality, integrity, and availability requirements. For example (https://www.first.org/cvss/specification-document) - name: vulnerability.score.environmental - type: float -- description: |- - Scores can range from 0.0 to 10.0, with 10.0 being the most severe. - Temporal scores cover an assessment for code maturity, remediation level, and confidence. For example (https://www.first.org/cvss/specification-document) - name: vulnerability.score.temporal - type: float -- description: |- - The National Vulnerability Database (NVD) provides qualitative severity rankings of "Low", "Medium", and "High" for CVSS v2.0 base score ranges in addition to the severity ratings for CVSS v3.0 as they are defined in the CVSS v3.0 specification. - CVSS is owned and managed by FIRST.Org, Inc. (FIRST), a US-based non-profit organization, whose mission is to help computer security incident response teams across the world. For example (https://nvd.nist.gov/vuln-metrics/cvss) - name: vulnerability.score.version - type: keyword -- description: The severity of the vulnerability can help with metrics and internal prioritization regarding remediation. For example (https://nvd.nist.gov/vuln-metrics/cvss) - name: vulnerability.severity - type: keyword -- description: List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses. 
- name: x509.alternative_names - normalize: - - array - type: keyword -- description: List of common name (CN) of issuing certificate authority. - name: x509.issuer.common_name - normalize: - - array - type: keyword -- description: List of country \(C) codes - name: x509.issuer.country - normalize: - - array - type: keyword -- description: Distinguished name (DN) of issuing certificate authority. - name: x509.issuer.distinguished_name - type: keyword -- description: List of locality names (L) - name: x509.issuer.locality - normalize: - - array - type: keyword -- description: List of organizations (O) of issuing certificate authority. - name: x509.issuer.organization - normalize: - - array - type: keyword -- description: List of organizational units (OU) of issuing certificate authority. - name: x509.issuer.organizational_unit - normalize: - - array - type: keyword -- description: List of state or province names (ST, S, or P) - name: x509.issuer.state_or_province - normalize: - - array - type: keyword -- description: Time at which the certificate is no longer considered valid. - name: x509.not_after - type: date -- description: Time at which the certificate is first considered valid. - name: x509.not_before - type: date -- description: Algorithm used to generate the public key. - name: x509.public_key_algorithm - type: keyword -- description: The curve used by the elliptic curve public key algorithm. This is algorithm specific. - name: x509.public_key_curve - type: keyword -- description: Exponent used to derive the public key. This is algorithm specific. - doc_values: false - index: false - name: x509.public_key_exponent - type: long -- description: The size of the public key space in bits. - name: x509.public_key_size - type: long -- description: Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters. 
- name: x509.serial_number - type: keyword -- description: Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. - name: x509.signature_algorithm - type: keyword -- description: List of common names (CN) of subject. - name: x509.subject.common_name - normalize: - - array - type: keyword -- description: List of country \(C) code - name: x509.subject.country - normalize: - - array - type: keyword -- description: Distinguished name (DN) of the certificate subject entity. - name: x509.subject.distinguished_name - type: keyword -- description: List of locality names (L) - name: x509.subject.locality - normalize: - - array - type: keyword -- description: List of organizations (O) of subject. - name: x509.subject.organization - normalize: - - array - type: keyword -- description: List of organizational units (OU) of subject. - name: x509.subject.organizational_unit - normalize: - - array - type: keyword -- description: List of state or province names (ST, S, or P) - name: x509.subject.state_or_province - normalize: - - array - type: keyword -- description: Version of x509 format. - name: x509.version_number - type: keyword diff --git a/packages/juniper_srx/1.5.2/data_stream/log/fields/fields.yml b/packages/juniper_srx/1.5.2/data_stream/log/fields/fields.yml deleted file mode 100755 index f1c609ea12..0000000000 --- a/packages/juniper_srx/1.5.2/data_stream/log/fields/fields.yml +++ /dev/null 
@@ -1,388 +0,0 @@ -- name: juniper.srx - type: group - release: ga - fields: - - name: reason - type: keyword - description: | - reason - - name: connection_tag - type: keyword - description: | - connection tag - - name: service_name - type: keyword - description: | - service name - - name: nat_connection_tag - type: keyword - description: | - nat connection tag - - name: src_nat_rule_type - type: keyword - description: | - src nat rule type - - name: src_nat_rule_name - type: keyword - description: | - src nat rule name - - name: dst_nat_rule_type - type: keyword - description: | - dst nat rule type - - name: dst_nat_rule_name - type: keyword - description: | - dst nat rule name - - name: protocol_id - type: keyword - description: | - protocol id - - name: policy_name - type: keyword - description: | - policy name - - name: session_id_32 - type: keyword - description: | - session id 32 - - name: session_id - type: keyword - description: | - session id - - name: outbound_packets - type: integer - description: | - packets from client - - name: outbound_bytes - type: integer - description: | - bytes from client - - name: inbound_packets - type: integer - description: | - packets from server - - name: inbound_bytes - type: integer - description: | - bytes from server - - name: elapsed_time - type: date - description: | - elapsed time - - name: application - type: keyword - description: | - application - - name: nested_application - type: keyword - description: | - nested application - - name: username - type: keyword - description: | - username - - name: roles - type: keyword - description: | - roles - - name: encrypted - type: keyword - description: | - encrypted - - name: application_category - type: keyword - description: | - application category - - name: application_sub_category - type: keyword - description: | - application sub category - - name: application_characteristics - type: keyword - description: | - application characteristics - - name: 
secure_web_proxy_session_type - type: keyword - description: | - secure web proxy session type - - name: peer_session_id - type: keyword - description: | - peer session id - - name: peer_source_address - type: ip - description: | - peer source address - - name: peer_source_port - type: integer - description: | - peer source port - - name: peer_destination_address - type: ip - description: | - peer destination address - - name: peer_destination_port - type: integer - description: | - peer destination port - - name: hostname - type: keyword - description: | - hostname - - name: src_vrf_grp - type: keyword - description: | - src_vrf_grp - - name: dst_vrf_grp - type: keyword - description: | - dst_vrf_grp - - name: icmp_type - type: integer - description: | - icmp type - - name: process - type: keyword - description: | - process that generated the message - - name: apbr_rule_type - type: keyword - description: | - apbr rule type - - name: dscp_value - type: integer - description: | - apbr rule type - - name: logical_system_name - type: keyword - description: | - logical system name - - name: profile_name - type: keyword - description: | - profile name - - name: routing_instance - type: keyword - description: | - routing instance - - name: rule_name - type: keyword - description: | - rule name - - name: uplink_tx_bytes - type: integer - description: | - uplink tx bytes - - name: uplink_rx_bytes - type: integer - description: | - uplink rx bytes - - name: obj - type: keyword - description: | - url path - - name: url - type: keyword - description: | - url domain - - name: profile - type: keyword - description: | - filter profile - - name: category - type: keyword - description: | - filter category - - name: filename - type: keyword - description: | - filename - - name: temporary_filename - type: keyword - description: | - temporary_filename - - name: name - type: keyword - description: | - name - - name: error_message - type: keyword - description: | - error_message - - 
name: error_code - type: keyword - description: | - error_code - - name: action - type: keyword - description: | - action - - name: protocol - type: keyword - description: | - protocol - - name: protocol_name - type: keyword - description: | - protocol name - - name: type - type: keyword - description: | - type - - name: repeat_count - type: integer - description: | - repeat count - - name: alert - type: keyword - description: | - repeat alert - - name: message_type - type: keyword - description: | - message type - - name: threat_severity - type: keyword - description: | - threat severity - - name: application_name - type: keyword - description: | - application name - - name: attack_name - type: keyword - description: | - attack name - - name: index - type: keyword - description: | - index - - name: message - type: keyword - description: | - mesagge - - name: epoch_time - type: date - description: | - epoch time - - name: packet_log_id - type: integer - description: | - packet log id - - name: export_id - type: integer - description: | - packet log id - - name: ddos_application_name - type: keyword - description: | - ddos application name - - name: connection_hit_rate - type: integer - description: | - connection hit rate - - name: time_scope - type: keyword - description: | - time scope - - name: context_hit_rate - type: integer - description: | - context hit rate - - name: context_value_hit_rate - type: integer - description: | - context value hit rate - - name: time_count - type: integer - description: | - time count - - name: time_period - type: integer - description: | - time period - - name: context_value - type: keyword - description: | - context value - - name: context_name - type: keyword - description: | - context name - - name: ruleebase_name - type: keyword - description: | - ruleebase name - - name: verdict_source - type: keyword - description: | - verdict source - - name: verdict_number - type: integer - description: | - verdict number - - name: 
file_category - type: keyword - description: | - file category - - name: sample_sha256 - type: keyword - description: | - sample sha256 - - name: malware_info - type: keyword - description: | - malware info - - name: client_ip - type: ip - description: | - client ip - - name: tenant_id - type: keyword - description: | - tenant id - - name: timestamp - type: date - description: | - timestamp - - name: th - type: keyword - description: | - th - - name: status - type: keyword - description: | - status - - name: state - type: keyword - description: | - state - - name: file_hash_lookup - type: keyword - description: | - file hash lookup - - name: file_name - type: keyword - description: | - file name - - name: action_detail - type: keyword - description: | - action detail - - name: sub_category - type: keyword - description: | - sub category - - name: feed_name - type: keyword - description: | - feed name - - name: occur_count - type: integer - description: | - occur count - - name: tag - type: keyword - description: |- - system log message tag, which uniquely identifies the message. diff --git a/packages/juniper_srx/1.5.2/data_stream/log/manifest.yml b/packages/juniper_srx/1.5.2/data_stream/log/manifest.yml deleted file mode 100755 index 5ec184fed0..0000000000 --- a/packages/juniper_srx/1.5.2/data_stream/log/manifest.yml +++ /dev/null 
@@ -1,154 +0,0 @@
-type: logs
-title: Juniper SRX logs
-streams:
- - input: tcp
- vars:
- - name: syslog_host
- type: text
- title: Syslog Host
- multi: false
- required: true
- show_user: true
- default: localhost
- - name: syslog_port
- type: integer
- title: Syslog Port
- multi: false
- required: true
- show_user: true
- default: 9006
- - name: tags
- type: text
- title: Tags
- multi: true
- required: true
- show_user: false
- default:
- - juniper-srx
- - forwarded
- - name: preserve_original_event
- required: true
- show_user: true
- title: Preserve original event
- description: Preserves a raw copy of the original event, added to the field `event.original`
- type: bool
- multi: false
- default: false
- - name: processors
- type: yaml
- title: Processors
- multi: false
- required: false
- show_user: false
- description: >
- Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
- - name: ssl
- type: yaml
- title: SSL Configuration
- description: i.e. certificate, keys, supported_protocols, verification_mode etc. See [SSL](https://www.elastic.co/guide/en/beats/filebeat/current/configuration-ssl.html#ssl-server-config) for details.
- multi: false
- required: false
- show_user: false
- default: |
- #certificate: "/etc/server/cert.pem"
- #key: "/etc/server/key.pem"
- - name: tcp_options
- type: yaml
- title: Custom TCP Options
- multi: false
- required: false
- show_user: false
- default: |
- #max_connections: 1
- #framing: delimiter
- #line_delimiter: "\n"
- description: Specify custom configuration options for the TCP input. See [TCP](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-tcp.html) for details.
- template_path: tcp.yml.hbs
- title: Juniper SRX logs
- description: Collect Juniper SRX logs via TCP
- - input: udp
- vars:
- - name: syslog_host
- type: text
- title: Syslog Host
- multi: false
- required: true
- show_user: true
- default: localhost
- - name: syslog_port
- type: integer
- title: Syslog Port
- multi: false
- required: true
- show_user: true
- default: 9006
- - name: tags
- type: text
- title: Tags
- multi: true
- required: true
- show_user: false
- default:
- - juniper-srx
- - forwarded
- - name: preserve_original_event
- required: true
- show_user: true
- title: Preserve original event
- description: Preserves a raw copy of the original event, added to the field `event.original`
- type: bool
- multi: false
- default: false
- - name: processors
- type: yaml
- title: Processors
- multi: false
- required: false
- show_user: false
- description: >
- Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
-
- template_path: udp.yml.hbs
- title: Juniper SRX logs
- description: Collect Juniper SRX logs via UDP
- - input: filestream
- enabled: false
- vars:
- - name: paths
- type: text
- title: Paths
- multi: true
- required: true
- show_user: true
- default:
- - /var/log/juniper-srx.log
- - name: tags
- type: text
- title: Tags
- multi: true
- required: true
- show_user: false
- default:
- - juniper-srx
- - forwarded
- - name: preserve_original_event
- required: true
- show_user: true
- title: Preserve original event
- description: Preserves a raw copy of the original event, added to the field `event.original`
- type: bool
- multi: false
- default: false
- - name: processors
- type: yaml
- title: Processors
- multi: false
- required: false
- show_user: false
- description: >
- Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
- template_path: logfile.yml.hbs
- title: Juniper SRX logs
- description: Read Juniper SRX logs from a file
diff --git a/packages/juniper_srx/1.5.2/data_stream/log/sample_event.json b/packages/juniper_srx/1.5.2/data_stream/log/sample_event.json
deleted file mode 100755
index 2f4880e6c7..0000000000
--- a/packages/juniper_srx/1.5.2/data_stream/log/sample_event.json
+++ /dev/null
@@ -1,117 +0,0 @@
-{
- "@timestamp": "2016-02-18T01:32:50.391Z",
- "agent": {
- "ephemeral_id": "468e3921-9867-43fa-8cc6-d8b5ccb54a25",
- "id": "b1d83907-ff3e-464a-b79a-cf843f6f0bba",
- "name": "docker-fleet-agent",
- "type": "filebeat",
- "version": "8.0.0-beta1"
- },
- "client": {
- "ip": "192.168.1.100",
- "port": 58071
- },
- "data_stream": {
- "dataset": "juniper_srx.log",
- "namespace": "ep",
- "type": "logs"
- },
- "destination": {
- "as": {
- "number": 35908
- },
- "geo": {
- "continent_name": "Asia",
- "country_iso_code": "BT",
- "country_name": "Bhutan",
- "location": {
- "lat": 27.5,
- "lon": 90.5
- }
- },
- "ip": "67.43.156.13",
- "port": 80
- },
- "ecs": {
- "version": "8.3.0"
- },
- "elastic_agent": {
- "id": "b1d83907-ff3e-464a-b79a-cf843f6f0bba",
- "snapshot": false,
- "version": "8.0.0-beta1"
- },
- "event": {
- "action": "web_filter",
- "agent_id_status": "verified",
- "category": [
- "network",
- "malware"
- ],
- "dataset": "juniper_srx.log",
- "ingested": "2022-01-01T23:05:23Z",
- "kind": "alert",
- "outcome": "success",
- "severity": 12,
- "timezone": "+00:00",
- "type": [
- "info",
- "denied",
- "connection"
- ]
- },
- "input": {
- "type": "udp"
- },
- "juniper": {
- "srx": {
- "category": "cat1",
- "process": "RT_UTM",
- "profile": "uf1",
- "reason": "BY_BLACK_LIST",
- "tag": "WEBFILTER_URL_BLOCKED"
- }
- },
- "log": {
- "level": "warning",
- "source": {
- "address": "172.18.0.7:60328"
- }
- },
- "observer": {
- "name": "utm-srx550-b",
- "product": "SRX",
- "type": "firewall",
- "vendor": "Juniper"
- },
- "related": {
- "hosts": [
- "www.baidu.com"
- ],
- "ip": [
- "192.168.1.100",
- "67.43.156.13"
- ],
- "user": [
- "user01"
- ]
- },
- "server": {
- "ip": "67.43.156.13",
- "port": 80
- },
- "source": {
- "ip": "192.168.1.100",
- "port": 58071,
- "user": {
- "name": "user01"
- }
- },
- "tags": [
- "juniper-srx",
- "forwarded"
- ],
- "url": {
- "domain": "www.baidu.com",
- "path": "/"
- }
-}
\ No newline at end of file
diff --git a/packages/juniper_srx/1.5.2/docs/README.md b/packages/juniper_srx/1.5.2/docs/README.md
deleted file mode 100755
index d156e21d4e..0000000000
--- a/packages/juniper_srx/1.5.2/docs/README.md
+++ /dev/null
@@ -1,870 +0,0 @@ -# Juniper SRX integration - -This is an integration for ingesting logs from [Juniper SRX](https://www.juniper.net/documentation/en_US/release-independent/junos/information-products/pathway-pages/srx-series/product/). - -### Log - -The SRX Log integration only supports syslog messages in the format "structured-data + brief". See the [JunOS Documentation on structured-data.](https://www.juniper.net/documentation/en_US/junos/topics/reference/configuration-statement/structured-data-edit-system.html) - -To configure a remote syslog destination, please reference the [SRX Getting Started - Configure System Logging.](https://kb.juniper.net/InfoCenter/index?page=content&id=kb16502) -The syslog format choosen should be `Default`. - -The following processes and tags are supported: - -| JunOS processes | JunOS tags | -|-----------------|-------------------------------------------| -| RT_FLOW | RT_FLOW_SESSION_CREATE | -| | RT_FLOW_SESSION_CLOSE | -| | RT_FLOW_SESSION_DENY | -| | APPTRACK_SESSION_CREATE | -| | APPTRACK_SESSION_CLOSE | -| | APPTRACK_SESSION_VOL_UPDATE | -| RT_IDS | RT_SCREEN_TCP | -| | RT_SCREEN_UDP | -| | RT_SCREEN_ICMP | -| | RT_SCREEN_IP | -| | RT_SCREEN_TCP_DST_IP | -| | RT_SCREEN_TCP_SRC_IP | -| RT_UTM | WEBFILTER_URL_PERMITTED | -| | WEBFILTER_URL_BLOCKED | -| | AV_VIRUS_DETECTED_MT | -| | CONTENT_FILTERING_BLOCKED_MT | -| | ANTISPAM_SPAM_DETECTED_MT | -| RT_IDP | IDP_ATTACK_LOG_EVENT | -| | IDP_APPDDOS_APP_STATE_EVENT | -| RT_AAMW | SRX_AAMW_ACTION_LOG | -| | AAMW_MALWARE_EVENT_LOG | -| | AAMW_HOST_INFECTED_EVENT_LOG | -| | AAMW_ACTION_LOG | -| RT_SECINTEL | SECINTEL_ACTION_LOG | - - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. 
If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. | date | -| agent.build.original | Extended build information for the agent. This field is intended to contain any build information that a data source may provide, no specific formatting is required. | keyword | -| agent.ephemeral_id | Ephemeral identifier of this agent (if one exists). This id normally changes across restarts, but `agent.id` does not. | keyword | -| agent.id | Unique identifier of this agent (if one exists). Example: For Beats this would be beat.id. | keyword | -| agent.name | Custom name of the agent. This is a name that can be given to an agent. This can be helpful if for example two Filebeat instances are running on the same host but a human readable separation is needed on which Filebeat instance data is coming from. | keyword | -| agent.type | Type of the agent. The agent type always stays the same and should be given by the agent used. In case of Filebeat the agent would always be Filebeat also if two Filebeat instances are run on the same machine. | keyword | -| agent.version | Version of the agent. | keyword | -| as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| as.organization.name | Organization name. | keyword | -| as.organization.name.text | Multi-field of `as.organization.name`. | match_only_text | -| client.address | Some event client addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| client.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. 
| long | -| client.as.organization.name | Organization name. | keyword | -| client.as.organization.name.text | Multi-field of `client.as.organization.name`. | match_only_text | -| client.bytes | Bytes sent from the client to the server. | long | -| client.domain | The domain name of the client system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | -| client.geo.city_name | City name. | keyword | -| client.geo.continent_name | Name of the continent. | keyword | -| client.geo.country_iso_code | Country ISO code. | keyword | -| client.geo.country_name | Country name. | keyword | -| client.geo.location | Longitude and latitude. | geo_point | -| client.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | -| client.geo.region_iso_code | Region ISO code. | keyword | -| client.geo.region_name | Region name. | keyword | -| client.ip | IP address of the client (IPv4 or IPv6). | ip | -| client.mac | MAC address of the client. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | -| client.nat.ip | Translated IP of source based NAT sessions (e.g. internal client to internet). Typically connections traversing load balancers, firewalls, or routers. | ip | -| client.nat.port | Translated port of source based NAT sessions (e.g. internal client to internet). Typically connections traversing load balancers, firewalls, or routers. | long | -| client.packets | Packets sent from the client to the server. | long | -| client.port | Port of the client. 
| long | -| client.registered_domain | The highest registered client domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | -| client.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | -| client.user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword | -| client.user.email | User email address. | keyword | -| client.user.full_name | User's full name, if available. | keyword | -| client.user.full_name.text | Multi-field of `client.user.full_name`. | match_only_text | -| client.user.group.domain | Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name. | keyword | -| client.user.group.id | Unique identifier for the group on the system/platform. | keyword | -| client.user.group.name | Name of the group. | keyword | -| client.user.hash | Unique user hash to correlate information for a user in anonymized form. Useful if `user.id` or `user.name` contain confidential information and cannot be used. | keyword | -| client.user.id | Unique identifier of the user. | keyword | -| client.user.name | Short name or login of the user. | keyword | -| client.user.name.text | Multi-field of `client.user.name`. | match_only_text | -| client.user.roles | Array of user roles at the time of the event. 
| keyword | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword | -| cloud.availability_zone | Availability zone in which this host, resource, or service is located. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | The cloud project identifier. Examples: Google Cloud Project id, Azure Project id. | keyword | -| cloud.project.name | The cloud project name. Examples: Google Cloud Project name, Azure Project name. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host, resource, or service is located. | keyword | -| code_signature.exists | Boolean to capture if a signature is present. | boolean | -| code_signature.status | Additional information about the certificate status. This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. | keyword | -| code_signature.subject_name | Subject name of the code signer | keyword | -| code_signature.trusted | Stores the trust status of the certificate chain. Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status. 
| boolean | -| code_signature.valid | Boolean to capture if the digital signature is verified against the binary content. Leave unpopulated if a certificate was unchecked. | boolean | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.image.tag | Container image tags. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| container.runtime | Runtime managing this container. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| destination.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| destination.as.organization.name | Organization name. | keyword | -| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. | match_only_text | -| destination.bytes | Bytes sent from the destination to the source. | long | -| destination.domain | The domain name of the destination system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | -| destination.geo.city_name | City name. | keyword | -| destination.geo.continent_name | Name of the continent. | keyword | -| destination.geo.country_iso_code | Country ISO code. | keyword | -| destination.geo.country_name | Country name. 
| keyword | -| destination.geo.location | Longitude and latitude. | geo_point | -| destination.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | -| destination.geo.region_iso_code | Region ISO code. | keyword | -| destination.geo.region_name | Region name. | keyword | -| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | -| destination.mac | MAC address of the destination. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | -| destination.nat.ip | Translated ip of destination based NAT sessions (e.g. internet to private DMZ) Typically used with load balancers, firewalls, or routers. | ip | -| destination.nat.port | Port the source session is translated to by NAT Device. Typically used with load balancers, firewalls, or routers. | long | -| destination.packets | Packets sent from the destination to the source. | long | -| destination.port | Port of the destination. | long | -| destination.registered_domain | The highest registered destination domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | -| destination.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". 
This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | -| destination.user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword | -| destination.user.email | User email address. | keyword | -| destination.user.full_name | User's full name, if available. | keyword | -| destination.user.full_name.text | Multi-field of `destination.user.full_name`. | match_only_text | -| destination.user.group.domain | Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name. | keyword | -| destination.user.group.id | Unique identifier for the group on the system/platform. | keyword | -| destination.user.group.name | Name of the group. | keyword | -| destination.user.hash | Unique user hash to correlate information for a user in anonymized form. Useful if `user.id` or `user.name` contain confidential information and cannot be used. | keyword | -| destination.user.id | Unique identifier of the user. | keyword | -| destination.user.name | Short name or login of the user. | keyword | -| destination.user.name.text | Multi-field of `destination.user.name`. | match_only_text | -| destination.user.roles | Array of user roles at the time of the event. | keyword | -| dll.code_signature.exists | Boolean to capture if a signature is present. | boolean | -| dll.code_signature.status | Additional information about the certificate status. This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. | keyword | -| dll.code_signature.subject_name | Subject name of the code signer | keyword | -| dll.code_signature.trusted | Stores the trust status of the certificate chain. 
Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status. | boolean | -| dll.code_signature.valid | Boolean to capture if the digital signature is verified against the binary content. Leave unpopulated if a certificate was unchecked. | boolean | -| dll.hash.md5 | MD5 hash. | keyword | -| dll.hash.sha1 | SHA1 hash. | keyword | -| dll.hash.sha256 | SHA256 hash. | keyword | -| dll.hash.sha512 | SHA512 hash. | keyword | -| dll.name | Name of the library. This generally maps to the name of the file on disk. | keyword | -| dll.path | Full file path of the library. | keyword | -| dll.pe.architecture | CPU architecture target for the file. | keyword | -| dll.pe.company | Internal company name of the file, provided at compile-time. | keyword | -| dll.pe.description | Internal description of the file, provided at compile-time. | keyword | -| dll.pe.file_version | Internal version of the file, provided at compile-time. | keyword | -| dll.pe.imphash | A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. | keyword | -| dll.pe.original_file_name | Internal name of the file, provided at compile-time. | keyword | -| dll.pe.product | Internal product name of the file, provided at compile-time. | keyword | -| dns.answers | An array containing an object for each answer section returned by the server. The main keys that should be present in these objects are defined by ECS. Records that have more information may contain more keys than what ECS defines. Not all DNS data sources give all details about DNS answers. At minimum, answer objects must contain the `data` key. 
If more information is available, map as much of it to ECS as possible, and add any additional fields to the answer objects as custom fields. | object | -| dns.answers.class | The class of DNS data contained in this resource record. | keyword | -| dns.answers.data | The data describing the resource. The meaning of this data depends on the type and class of the resource record. | keyword | -| dns.answers.name | The domain name to which this resource record pertains. If a chain of CNAME is being resolved, each answer's `name` should be the one that corresponds with the answer's `data`. It should not simply be the original `question.name` repeated. | keyword | -| dns.answers.ttl | The time interval in seconds that this resource record may be cached before it should be discarded. Zero values mean that the data should not be cached. | long | -| dns.answers.type | The type of data contained in this resource record. | keyword | -| dns.header_flags | Array of 2 letter DNS header flags. | keyword | -| dns.id | The DNS packet identifier assigned by the program that generated the query. The identifier is copied to the response. | keyword | -| dns.op_code | The DNS operation code that specifies the kind of query in the message. This value is set by the originator of a query and copied into the response. | keyword | -| dns.question.class | The class of records being queried. | keyword | -| dns.question.name | The name being queried. If the name field contains non-printable characters (below 32 or above 126), those characters should be represented as escaped base 10 integers (\DDD). Back slashes and quotes should be escaped. Tabs, carriage returns, and line feeds should be converted to \t, \r, and \n respectively. | keyword | -| dns.question.registered_domain | The highest registered domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". 
This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | -| dns.question.subdomain | The subdomain is all of the labels under the registered_domain. If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword | -| dns.question.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | -| dns.question.type | The type of record being queried. | keyword | -| dns.resolved_ip | Array containing all IPs seen in `answers.data`. The `answers` array can be difficult to use, because of the variety of data formats it can contain. Extracting all IP addresses seen in there to `dns.resolved_ip` makes it possible to index them as IP addresses, and makes them easier to visualize and query for. | ip | -| dns.response_code | The DNS response code. | keyword | -| dns.type | The type of DNS event captured, query or answer. If your source of DNS events only gives you DNS queries, you should only create dns events of type `dns.type:query`. If your source of DNS events gives you answers as well, you should create one event per query (optionally as soon as the query is seen). And a second event containing all query details as well as an array of answers. | keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. 
When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| error.code | Error code describing the error. | keyword | -| error.id | Unique identifier for the error. | keyword | -| error.message | Error message. | match_only_text | -| error.stack_trace | The stack trace of this error in plain text. | wildcard | -| error.stack_trace.text | Multi-field of `error.stack_trace`. | match_only_text | -| error.type | The type of the error, for example the class name of the exception. | keyword | -| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.code | Identification code for this event, if one exists. Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. | keyword | -| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. 
The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | -| event.dataset | Event dataset | constant_keyword | -| event.duration | Duration of the event in nanoseconds. If event.start and event.end are known this value should be the difference between the end and start time. | long | -| event.end | event.end contains the date when the event ended or when the activity was last observed. | date | -| event.hash | Hash (perhaps logstash fingerprint) of raw field to be able to demonstrate log integrity. | keyword | -| event.id | Unique ID to describe the event. | keyword | -| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | -| event.module | Event module | constant_keyword | -| event.original | Raw text message of entire event. 
Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | -| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | -| event.provider | Source of the event. Event transports such as Syslog or the Windows Event Log typically mention the source of an event. It can be the name of the software that generated the event (e.g. Sysmon, httpd), or of a subsystem of the operating system (kernel, Microsoft-Windows-Security-Auditing). | keyword | -| event.reason | Reason why this event happened, according to the source. This describes the why of a particular action or outcome captured in the event. Where `event.action` captures the action from the event, `event.reason` describes why that action was taken. 
For example, a web proxy with an `event.action` which denied the request may also populate `event.reason` with the reason why (e.g. `blocked site`). | keyword | -| event.reference | Reference URL linking to additional information about this event. This URL links to a static definition of this event. Alert events, indicated by `event.kind:alert`, are a common use case for this field. | keyword | -| event.risk_score | Risk score or priority of the event (e.g. security solutions). Use your system's original value here. | float | -| event.risk_score_norm | Normalized risk score or priority of the event, on a scale of 0 to 100. This is mainly useful if you use more than one system that assigns risk scores, and you want to see a normalized value across all systems. | float | -| event.sequence | Sequence number of the event. The sequence number is a value published by some event sources, to make the exact ordering of events unambiguous, regardless of the timestamp precision. | long | -| event.severity | The numeric severity of the event according to your event source. What the different severity values mean can be different between sources and use cases. It's up to the implementer to make sure severities are consistent across events from the same source. The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`. | long | -| event.start | event.start contains the date when the event started or when the activity was first observed. | date | -| event.timezone | This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. 
"EST") or an HH:mm differential (e.g. "-05:00"). | keyword | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | -| event.url | URL linking to an external system to continue investigation of this event. This URL links to another system where in-depth investigation of the specific occurrence of this event can take place. Alert events, indicated by `event.kind:alert`, are a common use case for this field. | keyword | -| file.accessed | Last time the file was accessed. Note that not all filesystems keep track of access time. | date | -| file.attributes | Array of file attributes. Attributes names will vary by platform. Here's a non-exhaustive list of values that are expected in this field: archive, compressed, directory, encrypted, execute, hidden, read, readonly, system, write. | keyword | -| file.code_signature.exists | Boolean to capture if a signature is present. | boolean | -| file.code_signature.status | Additional information about the certificate status. This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. | keyword | -| file.code_signature.subject_name | Subject name of the code signer | keyword | -| file.code_signature.trusted | Stores the trust status of the certificate chain. Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status. | boolean | -| file.code_signature.valid | Boolean to capture if the digital signature is verified against the binary content. 
Leave unpopulated if a certificate was unchecked. | boolean | -| file.created | File creation time. Note that not all filesystems store the creation time. | date | -| file.ctime | Last time the file attributes or metadata changed. Note that changes to the file content will update `mtime`. This implies `ctime` will be adjusted at the same time, since `mtime` is an attribute of the file. | date | -| file.device | Device that is the source of the file. | keyword | -| file.directory | Directory where the file is located. It should include the drive letter, when appropriate. | keyword | -| file.drive_letter | Drive letter where the file is located. This field is only relevant on Windows. The value should be uppercase, and not include the colon. | keyword | -| file.extension | File extension, excluding the leading dot. Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword | -| file.gid | Primary group ID (GID) of the file. | keyword | -| file.group | Primary group name of the file. | keyword | -| file.hash.md5 | MD5 hash. | keyword | -| file.hash.sha1 | SHA1 hash. | keyword | -| file.hash.sha256 | SHA256 hash. | keyword | -| file.hash.sha512 | SHA512 hash. | keyword | -| file.inode | Inode representing the file in the filesystem. | keyword | -| file.mime_type | MIME type should identify the format of the file or stream of bytes using https://www.iana.org/assignments/media-types/media-types.xhtml[IANA official types], where possible. When more than one type is applicable, the most specific type should be used. | keyword | -| file.mode | Mode of the file in octal representation. | keyword | -| file.mtime | Last time the file content was modified. | date | -| file.name | Name of the file including the extension, without the directory. | keyword | -| file.owner | File owner's username. | keyword | -| file.path | Full path to the file, including the file name. 
It should include the drive letter, when appropriate. | keyword | -| file.path.text | Multi-field of `file.path`. | match_only_text | -| file.pe.architecture | CPU architecture target for the file. | keyword | -| file.pe.company | Internal company name of the file, provided at compile-time. | keyword | -| file.pe.description | Internal description of the file, provided at compile-time. | keyword | -| file.pe.file_version | Internal version of the file, provided at compile-time. | keyword | -| file.pe.imphash | A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. | keyword | -| file.pe.original_file_name | Internal name of the file, provided at compile-time. | keyword | -| file.pe.product | Internal product name of the file, provided at compile-time. | keyword | -| file.size | File size in bytes. Only relevant when `file.type` is "file". | long | -| file.target_path | Target path for symlinks. | keyword | -| file.target_path.text | Multi-field of `file.target_path`. | match_only_text | -| file.type | File type (file, dir, or symlink). | keyword | -| file.uid | The user ID (UID) or security identifier (SID) of the file owner. | keyword | -| file.x509.alternative_names | List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses. | keyword | -| file.x509.issuer.common_name | List of common name (CN) of issuing certificate authority. | keyword | -| file.x509.issuer.country | List of country \(C) codes | keyword | -| file.x509.issuer.distinguished_name | Distinguished name (DN) of issuing certificate authority. 
| keyword | -| file.x509.issuer.locality | List of locality names (L) | keyword | -| file.x509.issuer.organization | List of organizations (O) of issuing certificate authority. | keyword | -| file.x509.issuer.organizational_unit | List of organizational units (OU) of issuing certificate authority. | keyword | -| file.x509.issuer.state_or_province | List of state or province names (ST, S, or P) | keyword | -| file.x509.not_after | Time at which the certificate is no longer considered valid. | date | -| file.x509.not_before | Time at which the certificate is first considered valid. | date | -| file.x509.public_key_algorithm | Algorithm used to generate the public key. | keyword | -| file.x509.public_key_curve | The curve used by the elliptic curve public key algorithm. This is algorithm specific. | keyword | -| file.x509.public_key_exponent | Exponent used to derive the public key. This is algorithm specific. | long | -| file.x509.public_key_size | The size of the public key space in bits. | long | -| file.x509.serial_number | Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters. | keyword | -| file.x509.signature_algorithm | Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. | keyword | -| file.x509.subject.common_name | List of common names (CN) of subject. | keyword | -| file.x509.subject.country | List of country \(C) code | keyword | -| file.x509.subject.distinguished_name | Distinguished name (DN) of the certificate subject entity. | keyword | -| file.x509.subject.locality | List of locality names (L) | keyword | -| file.x509.subject.organization | List of organizations (O) of subject. | keyword | -| file.x509.subject.organizational_unit | List of organizational units (OU) of subject. 
| keyword | -| file.x509.subject.state_or_province | List of state or province names (ST, S, or P) | keyword | -| file.x509.version_number | Version of x509 format. | keyword | -| geo.city_name | City name. | keyword | -| geo.continent_name | Name of the continent. | keyword | -| geo.country_iso_code | Country ISO code. | keyword | -| geo.country_name | Country name. | keyword | -| geo.location | Longitude and latitude. | geo_point | -| geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | -| geo.region_iso_code | Region ISO code. | keyword | -| geo.region_name | Region name. | keyword | -| group.domain | Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name. | keyword | -| group.id | Unique identifier for the group on the system/platform. | keyword | -| group.name | Name of the group. | keyword | -| hash.md5 | MD5 hash. | keyword | -| hash.sha1 | SHA1 hash. | keyword | -| hash.sha256 | SHA256 hash. | keyword | -| hash.sha512 | SHA512 hash. | keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.geo.city_name | City name. | keyword | -| host.geo.continent_name | Name of the continent. | keyword | -| host.geo.country_iso_code | Country ISO code. | keyword | -| host.geo.country_name | Country name. | keyword | -| host.geo.location | Longitude and latitude. | geo_point | -| host.geo.name | User-defined description of a location, at the level of granularity they care about. 
Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | -| host.geo.region_iso_code | Region ISO code. | keyword | -| host.geo.region_name | Region name. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host MAC addresses. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.full | Operating system name, including the version or code name. | keyword | -| host.os.full.text | Multi-field of `host.os.full`. | match_only_text | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | match_only_text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. 
If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| host.uptime | Seconds the host has been up. | long | -| http.request.body.bytes | Size in bytes of the request body. | long | -| http.request.body.content | The full HTTP request body. | wildcard | -| http.request.body.content.text | Multi-field of `http.request.body.content`. | match_only_text | -| http.request.bytes | Total size in bytes of the request (body and headers). | long | -| http.request.method | HTTP request method. The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field. | keyword | -| http.request.referrer | Referrer for this HTTP request. | keyword | -| http.response.body.bytes | Size in bytes of the response body. | long | -| http.response.body.content | The full HTTP response body. | wildcard | -| http.response.body.content.text | Multi-field of `http.response.body.content`. | match_only_text | -| http.response.bytes | Total size in bytes of the response (body and headers). | long | -| http.response.status_code | HTTP response status code. | long | -| http.version | HTTP version. | keyword | -| input.type | Input type. | keyword | -| interface.alias | Interface alias as reported by the system, typically used in firewall implementations for e.g. inside, outside, or dmz logical interface naming. | keyword | -| interface.id | Interface ID as reported by an observer (typically SNMP interface ID). | keyword | -| interface.name | Interface name as reported by the system. 
| keyword | -| juniper.srx.action | action | keyword | -| juniper.srx.action_detail | action detail | keyword | -| juniper.srx.alert | repeat alert | keyword | -| juniper.srx.apbr_rule_type | apbr rule type | keyword | -| juniper.srx.application | application | keyword | -| juniper.srx.application_category | application category | keyword | -| juniper.srx.application_characteristics | application characteristics | keyword | -| juniper.srx.application_name | application name | keyword | -| juniper.srx.application_sub_category | application sub category | keyword | -| juniper.srx.attack_name | attack name | keyword | -| juniper.srx.category | filter category | keyword | -| juniper.srx.client_ip | client ip | ip | -| juniper.srx.connection_hit_rate | connection hit rate | integer | -| juniper.srx.connection_tag | connection tag | keyword | -| juniper.srx.context_hit_rate | context hit rate | integer | -| juniper.srx.context_name | context name | keyword | -| juniper.srx.context_value | context value | keyword | -| juniper.srx.context_value_hit_rate | context value hit rate | integer | -| juniper.srx.ddos_application_name | ddos application name | keyword | -| juniper.srx.dscp_value | apbr rule type | integer | -| juniper.srx.dst_nat_rule_name | dst nat rule name | keyword | -| juniper.srx.dst_nat_rule_type | dst nat rule type | keyword | -| juniper.srx.dst_vrf_grp | dst_vrf_grp | keyword | -| juniper.srx.elapsed_time | elapsed time | date | -| juniper.srx.encrypted | encrypted | keyword | -| juniper.srx.epoch_time | epoch time | date | -| juniper.srx.error_code | error_code | keyword | -| juniper.srx.error_message | error_message | keyword | -| juniper.srx.export_id | packet log id | integer | -| juniper.srx.feed_name | feed name | keyword | -| juniper.srx.file_category | file category | keyword | -| juniper.srx.file_hash_lookup | file hash lookup | keyword | -| juniper.srx.file_name | file name | keyword | -| juniper.srx.filename | filename | keyword | -| 
juniper.srx.hostname | hostname | keyword | -| juniper.srx.icmp_type | icmp type | integer | -| juniper.srx.inbound_bytes | bytes from server | integer | -| juniper.srx.inbound_packets | packets from server | integer | -| juniper.srx.index | index | keyword | -| juniper.srx.logical_system_name | logical system name | keyword | -| juniper.srx.malware_info | malware info | keyword | -| juniper.srx.message | mesagge | keyword | -| juniper.srx.message_type | message type | keyword | -| juniper.srx.name | name | keyword | -| juniper.srx.nat_connection_tag | nat connection tag | keyword | -| juniper.srx.nested_application | nested application | keyword | -| juniper.srx.obj | url path | keyword | -| juniper.srx.occur_count | occur count | integer | -| juniper.srx.outbound_bytes | bytes from client | integer | -| juniper.srx.outbound_packets | packets from client | integer | -| juniper.srx.packet_log_id | packet log id | integer | -| juniper.srx.peer_destination_address | peer destination address | ip | -| juniper.srx.peer_destination_port | peer destination port | integer | -| juniper.srx.peer_session_id | peer session id | keyword | -| juniper.srx.peer_source_address | peer source address | ip | -| juniper.srx.peer_source_port | peer source port | integer | -| juniper.srx.policy_name | policy name | keyword | -| juniper.srx.process | process that generated the message | keyword | -| juniper.srx.profile | filter profile | keyword | -| juniper.srx.profile_name | profile name | keyword | -| juniper.srx.protocol | protocol | keyword | -| juniper.srx.protocol_id | protocol id | keyword | -| juniper.srx.protocol_name | protocol name | keyword | -| juniper.srx.reason | reason | keyword | -| juniper.srx.repeat_count | repeat count | integer | -| juniper.srx.roles | roles | keyword | -| juniper.srx.routing_instance | routing instance | keyword | -| juniper.srx.rule_name | rule name | keyword | -| juniper.srx.ruleebase_name | ruleebase name | keyword | -| juniper.srx.sample_sha256 
| sample sha256 | keyword | -| juniper.srx.secure_web_proxy_session_type | secure web proxy session type | keyword | -| juniper.srx.service_name | service name | keyword | -| juniper.srx.session_id | session id | keyword | -| juniper.srx.session_id_32 | session id 32 | keyword | -| juniper.srx.src_nat_rule_name | src nat rule name | keyword | -| juniper.srx.src_nat_rule_type | src nat rule type | keyword | -| juniper.srx.src_vrf_grp | src_vrf_grp | keyword | -| juniper.srx.state | state | keyword | -| juniper.srx.status | status | keyword | -| juniper.srx.sub_category | sub category | keyword | -| juniper.srx.tag | system log message tag, which uniquely identifies the message. | keyword | -| juniper.srx.temporary_filename | temporary_filename | keyword | -| juniper.srx.tenant_id | tenant id | keyword | -| juniper.srx.th | th | keyword | -| juniper.srx.threat_severity | threat severity | keyword | -| juniper.srx.time_count | time count | integer | -| juniper.srx.time_period | time period | integer | -| juniper.srx.time_scope | time scope | keyword | -| juniper.srx.timestamp | timestamp | date | -| juniper.srx.type | type | keyword | -| juniper.srx.uplink_rx_bytes | uplink rx bytes | integer | -| juniper.srx.uplink_tx_bytes | uplink tx bytes | integer | -| juniper.srx.url | url domain | keyword | -| juniper.srx.username | username | keyword | -| juniper.srx.verdict_number | verdict number | integer | -| juniper.srx.verdict_source | verdict source | keyword | -| labels | Custom key/value pairs. Can be used to add meta information to events. Should not contain nested objects. All values are stored as keyword. Example: `docker` and `k8s` labels. | object | -| log.file.path | Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. | keyword | -| log.level | Original log level of the log event. 
If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). Some examples are `warn`, `err`, `i`, `informational`. | keyword | -| log.logger | The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. | keyword | -| log.offset | Byte offset of the log line within its file. | long | -| log.source.address | Source address of the syslog message. | keyword | -| log.syslog | The Syslog metadata of the event, if the event was transmitted via Syslog. Please see RFCs 5424 or 3164. | object | -| log.syslog.facility.code | The Syslog numeric facility of the log event, if available. According to RFCs 5424 and 3164, this value should be an integer between 0 and 23. | long | -| log.syslog.facility.name | The Syslog text-based facility of the log event, if available. | keyword | -| log.syslog.priority | Syslog numeric priority of the event, if available. According to RFCs 5424 and 3164, the priority is 8 \* facility + severity. This number is therefore expected to contain a value between 0 and 191. | long | -| log.syslog.severity.code | The Syslog numeric severity of the log event, if available. If the event source publishing via Syslog provides a different numeric severity value (e.g. firewall, IDS), your source's numeric severity should go to `event.severity`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `event.severity`. | long | -| log.syslog.severity.name | The Syslog numeric severity of the log event, if available. If the event source publishing via Syslog provides a different severity value (e.g. firewall, IDS), your source's text severity should go to `log.level`. 
If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `log.level`. | keyword | -| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | -| network.application | When a specific application or service is identified from network connection details (source/dest IPs, ports, certificates, or wire format), this field captures the application's or service's name. For example, the original event identifies the network connection being from a specific web service in a `https` network connection, like `facebook` or `twitter`. The field value must be normalized to lowercase for querying. | keyword | -| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long | -| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword | -| network.direction | Direction of the network traffic. When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. 
This could for example be useful for ISPs or VPN service providers. | keyword | -| network.forwarded_ip | Host IP address when the source IP address is the proxy. | ip | -| network.iana_number | IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. | keyword | -| network.inner | Network.inner fields are added in addition to network.vlan fields to describe the innermost VLAN when q-in-q VLAN tagging is present. Allowed fields include vlan.id and vlan.name. Inner vlan fields are typically used when sending traffic with multiple 802.1q encapsulations to a network sensor (e.g. Zeek, Wireshark.) | object | -| network.inner.vlan.id | VLAN ID as reported by the observer. | keyword | -| network.inner.vlan.name | Optional VLAN name as reported by the observer. | keyword | -| network.name | Name given by operators to sections of their network. | keyword | -| network.packets | Total packets transferred in both directions. If `source.packets` and `destination.packets` are known, `network.packets` is their sum. | long | -| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword | -| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword | -| network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword | -| network.vlan.id | VLAN ID as reported by the observer. | keyword | -| network.vlan.name | Optional VLAN name as reported by the observer. 
| keyword | -| observer.egress | Observer.egress holds information like interface number and name, vlan, and zone information to classify egress traffic. Single armed monitoring such as a network sensor on a span port should only use observer.ingress to categorize traffic. | object | -| observer.egress.interface.alias | Interface alias as reported by the system, typically used in firewall implementations for e.g. inside, outside, or dmz logical interface naming. | keyword | -| observer.egress.interface.id | Interface ID as reported by an observer (typically SNMP interface ID). | keyword | -| observer.egress.interface.name | Interface name as reported by the system. | keyword | -| observer.egress.vlan.id | VLAN ID as reported by the observer. | keyword | -| observer.egress.vlan.name | Optional VLAN name as reported by the observer. | keyword | -| observer.egress.zone | Network zone of outbound traffic as reported by the observer to categorize the destination area of egress traffic, e.g. Internal, External, DMZ, HR, Legal, etc. | keyword | -| observer.geo.city_name | City name. | keyword | -| observer.geo.continent_name | Name of the continent. | keyword | -| observer.geo.country_iso_code | Country ISO code. | keyword | -| observer.geo.country_name | Country name. | keyword | -| observer.geo.location | Longitude and latitude. | geo_point | -| observer.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | -| observer.geo.region_iso_code | Region ISO code. | keyword | -| observer.geo.region_name | Region name. | keyword | -| observer.hostname | Hostname of the observer. | keyword | -| observer.ingress | Observer.ingress holds information like interface number and name, vlan, and zone information to classify ingress traffic. 
Single armed monitoring such as a network sensor on a span port should only use observer.ingress to categorize traffic. | object | -| observer.ingress.interface.alias | Interface alias as reported by the system, typically used in firewall implementations for e.g. inside, outside, or dmz logical interface naming. | keyword | -| observer.ingress.interface.id | Interface ID as reported by an observer (typically SNMP interface ID). | keyword | -| observer.ingress.interface.name | Interface name as reported by the system. | keyword | -| observer.ingress.vlan.id | VLAN ID as reported by the observer. | keyword | -| observer.ingress.vlan.name | Optional VLAN name as reported by the observer. | keyword | -| observer.ingress.zone | Network zone of incoming traffic as reported by the observer to categorize the source area of ingress traffic. e.g. internal, External, DMZ, HR, Legal, etc. | keyword | -| observer.ip | IP addresses of the observer. | ip | -| observer.mac | MAC addresses of the observer. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | -| observer.name | Custom name of the observer. This is a name that can be given to an observer. This can be helpful for example if multiple firewalls of the same model are used in an organization. If no custom name is needed, the field can be left empty. | keyword | -| observer.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| observer.os.full | Operating system name, including the version or code name. | keyword | -| observer.os.full.text | Multi-field of `observer.os.full`. | match_only_text | -| observer.os.kernel | Operating system kernel version as a raw string. | keyword | -| observer.os.name | Operating system name, without the version. 
| keyword | -| observer.os.name.text | Multi-field of `observer.os.name`. | match_only_text | -| observer.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| observer.os.version | Operating system version as a raw string. | keyword | -| observer.product | The product name of the observer. | keyword | -| observer.serial_number | Observer serial number. | keyword | -| observer.type | The type of the observer the data is coming from. There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. | keyword | -| observer.vendor | Vendor name of the observer. | keyword | -| observer.version | Observer version. | keyword | -| organization.id | Unique identifier for the organization. | keyword | -| organization.name | Organization name. | keyword | -| organization.name.text | Multi-field of `organization.name`. | match_only_text | -| os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| os.full | Operating system name, including the version or code name. | keyword | -| os.full.text | Multi-field of `os.full`. | match_only_text | -| os.kernel | Operating system kernel version as a raw string. | keyword | -| os.name | Operating system name, without the version. | keyword | -| os.name.text | Multi-field of `os.name`. | match_only_text | -| os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| os.version | Operating system version as a raw string. | keyword | -| package.architecture | Package architecture. | keyword | -| package.build_version | Additional information about the build version of the installed package. For example use the commit SHA of a non-released package. | keyword | -| package.checksum | Checksum of the installed package for verification. | keyword | -| package.description | Description of the package. 
| keyword | -| package.install_scope | Indicating how the package was installed, e.g. user-local, global. | keyword | -| package.installed | Time when package was installed. | date | -| package.license | License under which the package was released. Use a short name, e.g. the license identifier from SPDX License List where possible (https://spdx.org/licenses/). | keyword | -| package.name | Package name | keyword | -| package.path | Path where the package is installed. | keyword | -| package.reference | Home page or reference URL of the software in this package, if available. | keyword | -| package.size | Package size in bytes. | long | -| package.type | Type of package. This should contain the package file type, rather than the package manager name. Examples: rpm, dpkg, brew, npm, gem, nupkg, jar. | keyword | -| package.version | Package version | keyword | -| pe.architecture | CPU architecture target for the file. | keyword | -| pe.company | Internal company name of the file, provided at compile-time. | keyword | -| pe.description | Internal description of the file, provided at compile-time. | keyword | -| pe.file_version | Internal version of the file, provided at compile-time. | keyword | -| pe.imphash | A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. | keyword | -| pe.original_file_name | Internal name of the file, provided at compile-time. | keyword | -| pe.product | Internal product name of the file, provided at compile-time. | keyword | -| process.args | Array of process arguments, starting with the absolute path to the executable. May be filtered to protect sensitive information. | keyword | -| process.args_count | Length of the process.args array. 
This field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. More arguments may be an indication of suspicious activity. | long | -| process.code_signature.exists | Boolean to capture if a signature is present. | boolean | -| process.code_signature.status | Additional information about the certificate status. This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. | keyword | -| process.code_signature.subject_name | Subject name of the code signer | keyword | -| process.code_signature.trusted | Stores the trust status of the certificate chain. Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status. | boolean | -| process.code_signature.valid | Boolean to capture if the digital signature is verified against the binary content. Leave unpopulated if a certificate was unchecked. | boolean | -| process.command_line | Full command line that started the process, including the absolute path to the executable, and all arguments. Some arguments may be filtered to protect sensitive information. | wildcard | -| process.command_line.text | Multi-field of `process.command_line`. | match_only_text | -| process.entity_id | Unique identifier for the process. The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. | keyword | -| process.executable | Absolute path to the process executable. | keyword | -| process.executable.text | Multi-field of `process.executable`. 
| match_only_text | -| process.exit_code | The exit code of the process, if this is a termination event. The field should be absent if there is no exit code for the event (e.g. process start). | long | -| process.hash.md5 | MD5 hash. | keyword | -| process.hash.sha1 | SHA1 hash. | keyword | -| process.hash.sha256 | SHA256 hash. | keyword | -| process.hash.sha512 | SHA512 hash. | keyword | -| process.name | Process name. Sometimes called program name or similar. | keyword | -| process.name.text | Multi-field of `process.name`. | match_only_text | -| process.parent.args | Array of process arguments, starting with the absolute path to the executable. May be filtered to protect sensitive information. | keyword | -| process.parent.args_count | Length of the process.args array. This field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. More arguments may be an indication of suspicious activity. | long | -| process.parent.code_signature.exists | Boolean to capture if a signature is present. | boolean | -| process.parent.code_signature.status | Additional information about the certificate status. This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. | keyword | -| process.parent.code_signature.subject_name | Subject name of the code signer | keyword | -| process.parent.code_signature.trusted | Stores the trust status of the certificate chain. Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status. | boolean | -| process.parent.code_signature.valid | Boolean to capture if the digital signature is verified against the binary content. Leave unpopulated if a certificate was unchecked. 
| boolean | -| process.parent.command_line | Full command line that started the process, including the absolute path to the executable, and all arguments. Some arguments may be filtered to protect sensitive information. | wildcard | -| process.parent.command_line.text | Multi-field of `process.parent.command_line`. | match_only_text | -| process.parent.entity_id | Unique identifier for the process. The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. | keyword | -| process.parent.executable | Absolute path to the process executable. | keyword | -| process.parent.executable.text | Multi-field of `process.parent.executable`. | match_only_text | -| process.parent.exit_code | The exit code of the process, if this is a termination event. The field should be absent if there is no exit code for the event (e.g. process start). | long | -| process.parent.hash.md5 | MD5 hash. | keyword | -| process.parent.hash.sha1 | SHA1 hash. | keyword | -| process.parent.hash.sha256 | SHA256 hash. | keyword | -| process.parent.hash.sha512 | SHA512 hash. | keyword | -| process.parent.name | Process name. Sometimes called program name or similar. | keyword | -| process.parent.name.text | Multi-field of `process.parent.name`. | match_only_text | -| process.parent.pe.architecture | CPU architecture target for the file. | keyword | -| process.parent.pe.company | Internal company name of the file, provided at compile-time. | keyword | -| process.parent.pe.description | Internal description of the file, provided at compile-time. | keyword | -| process.parent.pe.file_version | Internal version of the file, provided at compile-time. 
| keyword | -| process.parent.pe.imphash | A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. | keyword | -| process.parent.pe.original_file_name | Internal name of the file, provided at compile-time. | keyword | -| process.parent.pe.product | Internal product name of the file, provided at compile-time. | keyword | -| process.parent.pgid | Deprecated for removal in next major version release. This field is superseded by `process.group_leader.pid`. Identifier of the group of processes the process belongs to. | long | -| process.parent.pid | Process id. | long | -| process.parent.start | The time the process started. | date | -| process.parent.thread.id | Thread ID. | long | -| process.parent.thread.name | Thread name. | keyword | -| process.parent.title | Process title. The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. | keyword | -| process.parent.title.text | Multi-field of `process.parent.title`. | match_only_text | -| process.parent.uptime | Seconds the process has been up. | long | -| process.parent.working_directory | The working directory of the process. | keyword | -| process.parent.working_directory.text | Multi-field of `process.parent.working_directory`. | match_only_text | -| process.pe.architecture | CPU architecture target for the file. | keyword | -| process.pe.company | Internal company name of the file, provided at compile-time. | keyword | -| process.pe.description | Internal description of the file, provided at compile-time. | keyword | -| process.pe.file_version | Internal version of the file, provided at compile-time. 
| keyword | -| process.pe.imphash | A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. | keyword | -| process.pe.original_file_name | Internal name of the file, provided at compile-time. | keyword | -| process.pe.product | Internal product name of the file, provided at compile-time. | keyword | -| process.pgid | Deprecated for removal in next major version release. This field is superseded by `process.group_leader.pid`. Identifier of the group of processes the process belongs to. | long | -| process.pid | Process id. | long | -| process.start | The time the process started. | date | -| process.thread.id | Thread ID. | long | -| process.thread.name | Thread name. | keyword | -| process.title | Process title. The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. | keyword | -| process.title.text | Multi-field of `process.title`. | match_only_text | -| process.uptime | Seconds the process has been up. | long | -| process.working_directory | The working directory of the process. | keyword | -| process.working_directory.text | Multi-field of `process.working_directory`. | match_only_text | -| registry.data.bytes | Original bytes written with base64 encoding. For Windows registry operations, such as SetValueEx and RegQueryValueEx, this corresponds to the data pointed by `lp_data`. This is optional but provides better recoverability and should be populated for REG_BINARY encoded values. | keyword | -| registry.data.strings | Content when writing string types. Populated as an array when writing string data to the registry. 
For single string registry types (REG_SZ, REG_EXPAND_SZ), this should be an array with one string. For sequences of string with REG_MULTI_SZ, this array will be variable length. For numeric data, such as REG_DWORD and REG_QWORD, this should be populated with the decimal representation (e.g `"1"`). | wildcard | -| registry.data.type | Standard registry type for encoding contents | keyword | -| registry.hive | Abbreviated name for the hive. | keyword | -| registry.key | Hive-relative path of keys. | keyword | -| registry.path | Full path, including hive, key and value | keyword | -| registry.value | Name of the value written. | keyword | -| related.hash | All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). | keyword | -| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| related.user | All the user names or other user identifiers seen on the event. | keyword | -| rule.author | Name, organization, or pseudonym of the author or authors who created the rule used to generate this event. | keyword | -| rule.category | A categorization value keyword used by the entity using the rule for detection of this event. | keyword | -| rule.description | The description of the rule generating the event. | keyword | -| rule.id | A rule ID that is unique within the scope of an agent, observer, or other entity using the rule for detection of this event. | keyword | -| rule.license | Name of the license under which the rule used to generate this event is made available. | keyword | -| rule.name | The name of the rule or signature generating the event. 
| keyword | -| rule.reference | Reference URL to additional information about the rule used to generate this event. The URL can point to the vendor's documentation about the rule. If that's not available, it can also be a link to a more general page describing this type of alert. | keyword | -| rule.ruleset | Name of the ruleset, policy, group, or parent category in which the rule used to generate this event is a member. | keyword | -| rule.uuid | A rule ID that is unique within the scope of a set or group of agents, observers, or other entities using the rule for detection of this event. | keyword | -| rule.version | The version / revision of the rule being used for analysis. | keyword | -| server.address | Some event server addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| server.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| server.as.organization.name | Organization name. | keyword | -| server.as.organization.name.text | Multi-field of `server.as.organization.name`. | match_only_text | -| server.bytes | Bytes sent from the server to the client. | long | -| server.domain | The domain name of the server system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | -| server.geo.city_name | City name. | keyword | -| server.geo.continent_name | Name of the continent. | keyword | -| server.geo.country_iso_code | Country ISO code. | keyword | -| server.geo.country_name | Country name. | keyword | -| server.geo.location | Longitude and latitude. 
| geo_point | -| server.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | -| server.geo.region_iso_code | Region ISO code. | keyword | -| server.geo.region_name | Region name. | keyword | -| server.ip | IP address of the server (IPv4 or IPv6). | ip | -| server.mac | MAC address of the server. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | -| server.nat.ip | Translated ip of destination based NAT sessions (e.g. internet to private DMZ) Typically used with load balancers, firewalls, or routers. | ip | -| server.nat.port | Translated port of destination based NAT sessions (e.g. internet to private DMZ) Typically used with load balancers, firewalls, or routers. | long | -| server.packets | Packets sent from the server to the client. | long | -| server.port | Port of the server. | long | -| server.registered_domain | The highest registered server domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | -| server.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). 
Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | -| server.user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword | -| server.user.email | User email address. | keyword | -| server.user.full_name | User's full name, if available. | keyword | -| server.user.full_name.text | Multi-field of `server.user.full_name`. | match_only_text | -| server.user.group.domain | Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name. | keyword | -| server.user.group.id | Unique identifier for the group on the system/platform. | keyword | -| server.user.group.name | Name of the group. | keyword | -| server.user.hash | Unique user hash to correlate information for a user in anonymized form. Useful if `user.id` or `user.name` contain confidential information and cannot be used. | keyword | -| server.user.id | Unique identifier of the user. | keyword | -| server.user.name | Short name or login of the user. | keyword | -| server.user.name.text | Multi-field of `server.user.name`. | match_only_text | -| server.user.roles | Array of user roles at the time of the event. | keyword | -| service.ephemeral_id | Ephemeral identifier of this service (if one exists). This id normally changes across restarts, but `service.id` does not. | keyword | -| service.id | Unique identifier of the running service. If the service is comprised of many nodes, the `service.id` should be the same for all nodes. This id should uniquely identify the service. This makes it possible to correlate logs and metrics for one specific service, no matter which particular node emitted the event. Note that if you need to see the events from one specific host of the service, you should filter on that `host.name` or `host.id` instead. | keyword | -| service.name | Name of the service data is collected from. 
The name of the service is normally user given. This allows for distributed services that run on multiple hosts to correlate the related instances based on the name. In the case of Elasticsearch the `service.name` could contain the cluster name. For Beats the `service.name` is by default a copy of the `service.type` field if no name is specified. | keyword | -| service.node.name | Name of a service node. This allows for two nodes of the same service running on the same host to be differentiated. Therefore, `service.node.name` should typically be unique across nodes of a given service. In the case of Elasticsearch, the `service.node.name` could contain the unique node name within the Elasticsearch cluster. In cases where the service doesn't have the concept of a node name, the host name or container name can be used to distinguish running instances that make up this service. If those do not provide uniqueness (e.g. multiple instances of the service running on the same host) - the node name can be manually set. | keyword | -| service.state | Current state of the service. | keyword | -| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword | -| service.version | Version of the service the data was collected from. This allows to look at a data set only for a specific version of a service. | keyword | -| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. 
| long | -| source.as.organization.name | Organization name. | keyword | -| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text | -| source.bytes | Bytes sent from the source to the destination. | long | -| source.domain | The domain name of the source system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | -| source.geo.city_name | City name. | keyword | -| source.geo.continent_name | Name of the continent. | keyword | -| source.geo.country_iso_code | Country ISO code. | keyword | -| source.geo.country_name | Country name. | keyword | -| source.geo.location | Longitude and latitude. | geo_point | -| source.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | -| source.geo.region_iso_code | Region ISO code. | keyword | -| source.geo.region_name | Region name. | keyword | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| source.mac | MAC address of the source. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | -| source.nat.ip | Translated ip of source based NAT sessions (e.g. internal client to internet) Typically connections traversing load balancers, firewalls, or routers. | ip | -| source.nat.port | Translated port of source based NAT sessions. (e.g. internal client to internet) Typically used with load balancers, firewalls, or routers. | long | -| source.packets | Packets sent from the source to the destination. | long | -| source.port | Port of the source. 
| long | -| source.registered_domain | The highest registered source domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | -| source.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | -| source.user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword | -| source.user.email | User email address. | keyword | -| source.user.full_name | User's full name, if available. | keyword | -| source.user.full_name.text | Multi-field of `source.user.full_name`. | match_only_text | -| source.user.group.domain | Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name. | keyword | -| source.user.group.id | Unique identifier for the group on the system/platform. | keyword | -| source.user.group.name | Name of the group. | keyword | -| source.user.hash | Unique user hash to correlate information for a user in anonymized form. Useful if `user.id` or `user.name` contain confidential information and cannot be used. | keyword | -| source.user.id | Unique identifier of the user. | keyword | -| source.user.name | Short name or login of the user. | keyword | -| source.user.name.text | Multi-field of `source.user.name`. | match_only_text | -| source.user.roles | Array of user roles at the time of the event. 
| keyword | -| span.id | Unique identifier of the span within the scope of its trace. A span represents an operation within a transaction, such as a request to another service, or a database query. | keyword | -| tags | List of keywords used to tag each event. | keyword | -| threat.framework | Name of the threat framework used to further categorize and classify the tactic and technique of the reported threat. Framework classification can be provided by detecting systems, evaluated at ingest time, or retrospectively tagged to events. | keyword | -| threat.tactic.id | The id of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/ ) | keyword | -| threat.tactic.name | Name of the type of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/) | keyword | -| threat.tactic.reference | The reference url of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/ ) | keyword | -| threat.technique.id | The id of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1059/) | keyword | -| threat.technique.name | The name of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1059/) | keyword | -| threat.technique.name.text | Multi-field of `threat.technique.name`. | match_only_text | -| threat.technique.reference | The reference url of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1059/) | keyword | -| tls.cipher | String indicating the cipher used during the current connection. | keyword | -| tls.client.certificate | PEM-encoded stand-alone certificate offered by the client. 
This is usually mutually-exclusive of `client.certificate_chain` since this value also exists in that list. | keyword | -| tls.client.certificate_chain | Array of PEM-encoded certificates that make up the certificate chain offered by the client. This is usually mutually-exclusive of `client.certificate` since that value should be the first certificate in the chain. | keyword | -| tls.client.hash.md5 | Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the client. For consistency with other hash values, this value should be formatted as an uppercase hash. | keyword | -| tls.client.hash.sha1 | Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the client. For consistency with other hash values, this value should be formatted as an uppercase hash. | keyword | -| tls.client.hash.sha256 | Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the client. For consistency with other hash values, this value should be formatted as an uppercase hash. | keyword | -| tls.client.issuer | Distinguished name of subject of the issuer of the x.509 certificate presented by the client. | keyword | -| tls.client.ja3 | A hash that identifies clients based on how they perform an SSL/TLS handshake. | keyword | -| tls.client.not_after | Date/Time indicating when client certificate is no longer considered valid. | date | -| tls.client.not_before | Date/Time indicating when client certificate is first considered valid. | date | -| tls.client.server_name | Also called an SNI, this tells the server which hostname to which the client is attempting to connect to. When this value is available, it should get copied to `destination.domain`. | keyword | -| tls.client.subject | Distinguished name of subject of the x.509 certificate presented by the client. | keyword | -| tls.client.supported_ciphers | Array of ciphers offered by the client during the client hello. 
| keyword | -| tls.client.x509.alternative_names | List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses. | keyword | -| tls.client.x509.issuer.common_name | List of common name (CN) of issuing certificate authority. | keyword | -| tls.client.x509.issuer.country | List of country \(C) codes | keyword | -| tls.client.x509.issuer.distinguished_name | Distinguished name (DN) of issuing certificate authority. | keyword | -| tls.client.x509.issuer.locality | List of locality names (L) | keyword | -| tls.client.x509.issuer.organization | List of organizations (O) of issuing certificate authority. | keyword | -| tls.client.x509.issuer.organizational_unit | List of organizational units (OU) of issuing certificate authority. | keyword | -| tls.client.x509.issuer.state_or_province | List of state or province names (ST, S, or P) | keyword | -| tls.client.x509.not_after | Time at which the certificate is no longer considered valid. | date | -| tls.client.x509.not_before | Time at which the certificate is first considered valid. | date | -| tls.client.x509.public_key_algorithm | Algorithm used to generate the public key. | keyword | -| tls.client.x509.public_key_curve | The curve used by the elliptic curve public key algorithm. This is algorithm specific. | keyword | -| tls.client.x509.public_key_exponent | Exponent used to derive the public key. This is algorithm specific. | long | -| tls.client.x509.public_key_size | The size of the public key space in bits. | long | -| tls.client.x509.serial_number | Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters. | keyword | -| tls.client.x509.signature_algorithm | Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. 
See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. | keyword | -| tls.client.x509.subject.common_name | List of common names (CN) of subject. | keyword | -| tls.client.x509.subject.country | List of country \(C) code | keyword | -| tls.client.x509.subject.distinguished_name | Distinguished name (DN) of the certificate subject entity. | keyword | -| tls.client.x509.subject.locality | List of locality names (L) | keyword | -| tls.client.x509.subject.organization | List of organizations (O) of subject. | keyword | -| tls.client.x509.subject.organizational_unit | List of organizational units (OU) of subject. | keyword | -| tls.client.x509.subject.state_or_province | List of state or province names (ST, S, or P) | keyword | -| tls.client.x509.version_number | Version of x509 format. | keyword | -| tls.curve | String indicating the curve used for the given cipher, when applicable. | keyword | -| tls.established | Boolean flag indicating if the TLS negotiation was successful and transitioned to an encrypted tunnel. | boolean | -| tls.next_protocol | String indicating the protocol being tunneled. Per the values in the IANA registry (https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml#alpn-protocol-ids), this string should be lower case. | keyword | -| tls.resumed | Boolean flag indicating if this TLS connection was resumed from an existing TLS negotiation. | boolean | -| tls.server.certificate | PEM-encoded stand-alone certificate offered by the server. This is usually mutually-exclusive of `server.certificate_chain` since this value also exists in that list. | keyword | -| tls.server.certificate_chain | Array of PEM-encoded certificates that make up the certificate chain offered by the server. This is usually mutually-exclusive of `server.certificate` since that value should be the first certificate in the chain. 
| keyword | -| tls.server.hash.md5 | Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the server. For consistency with other hash values, this value should be formatted as an uppercase hash. | keyword | -| tls.server.hash.sha1 | Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the server. For consistency with other hash values, this value should be formatted as an uppercase hash. | keyword | -| tls.server.hash.sha256 | Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the server. For consistency with other hash values, this value should be formatted as an uppercase hash. | keyword | -| tls.server.issuer | Subject of the issuer of the x.509 certificate presented by the server. | keyword | -| tls.server.ja3s | A hash that identifies servers based on how they perform an SSL/TLS handshake. | keyword | -| tls.server.not_after | Timestamp indicating when server certificate is no longer considered valid. | date | -| tls.server.not_before | Timestamp indicating when server certificate is first considered valid. | date | -| tls.server.subject | Subject of the x.509 certificate presented by the server. | keyword | -| tls.server.x509.alternative_names | List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses. | keyword | -| tls.server.x509.issuer.common_name | List of common name (CN) of issuing certificate authority. | keyword | -| tls.server.x509.issuer.country | List of country \(C) codes | keyword | -| tls.server.x509.issuer.distinguished_name | Distinguished name (DN) of issuing certificate authority. | keyword | -| tls.server.x509.issuer.locality | List of locality names (L) | keyword | -| tls.server.x509.issuer.organization | List of organizations (O) of issuing certificate authority. 
| keyword | -| tls.server.x509.issuer.organizational_unit | List of organizational units (OU) of issuing certificate authority. | keyword | -| tls.server.x509.issuer.state_or_province | List of state or province names (ST, S, or P) | keyword | -| tls.server.x509.not_after | Time at which the certificate is no longer considered valid. | date | -| tls.server.x509.not_before | Time at which the certificate is first considered valid. | date | -| tls.server.x509.public_key_algorithm | Algorithm used to generate the public key. | keyword | -| tls.server.x509.public_key_curve | The curve used by the elliptic curve public key algorithm. This is algorithm specific. | keyword | -| tls.server.x509.public_key_exponent | Exponent used to derive the public key. This is algorithm specific. | long | -| tls.server.x509.public_key_size | The size of the public key space in bits. | long | -| tls.server.x509.serial_number | Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters. | keyword | -| tls.server.x509.signature_algorithm | Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. | keyword | -| tls.server.x509.subject.common_name | List of common names (CN) of subject. | keyword | -| tls.server.x509.subject.country | List of country \(C) code | keyword | -| tls.server.x509.subject.distinguished_name | Distinguished name (DN) of the certificate subject entity. | keyword | -| tls.server.x509.subject.locality | List of locality names (L) | keyword | -| tls.server.x509.subject.organization | List of organizations (O) of subject. | keyword | -| tls.server.x509.subject.organizational_unit | List of organizational units (OU) of subject. 
| keyword | -| tls.server.x509.subject.state_or_province | List of state or province names (ST, S, or P) | keyword | -| tls.server.x509.version_number | Version of x509 format. | keyword | -| tls.version | Numeric part of the version parsed from the original string. | keyword | -| tls.version_protocol | Normalized lowercase protocol name parsed from original string. | keyword | -| trace.id | Unique identifier of the trace. A trace groups multiple events like transactions that belong together. For example, a user request handled by multiple inter-connected services. | keyword | -| transaction.id | Unique identifier of the transaction within the scope of its trace. A transaction is the highest level of work measured within a service, such as a request to a server. | keyword | -| url.domain | Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. | keyword | -| url.extension | The field contains the file extension from the original request url, excluding the leading dot. The file extension is only set if it exists, as not every url has a file extension. The leading period must not be included. For example, the value must be "png", not ".png". Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword | -| url.fragment | Portion of the url after the `#`, such as "top". The `#` is not part of the fragment. | keyword | -| url.full | If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. | wildcard | -| url.full.text | Multi-field of `url.full`. 
| match_only_text | -| url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | wildcard | -| url.original.text | Multi-field of `url.original`. | match_only_text | -| url.password | Password of the request. | keyword | -| url.path | Path of the request, such as "/search". | wildcard | -| url.port | Port of the request, such as 443. | long | -| url.query | The query field describes the query string of the request, such as "q=elasticsearch". The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. | keyword | -| url.registered_domain | The highest registered url domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | -| url.scheme | Scheme of the request, such as "https". Note: The `:` is not part of the scheme. | keyword | -| url.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | -| url.username | Username of the request. | keyword | -| user.domain | Name of the directory the user is a member of. 
For example, an LDAP or Active Directory domain name. | keyword | -| user.email | User email address. | keyword | -| user.full_name | User's full name, if available. | keyword | -| user.full_name.text | Multi-field of `user.full_name`. | match_only_text | -| user.group.domain | Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name. | keyword | -| user.group.id | Unique identifier for the group on the system/platform. | keyword | -| user.group.name | Name of the group. | keyword | -| user.hash | Unique user hash to correlate information for a user in anonymized form. Useful if `user.id` or `user.name` contain confidential information and cannot be used. | keyword | -| user.id | Unique identifier of the user. | keyword | -| user.name | Short name or login of the user. | keyword | -| user.name.text | Multi-field of `user.name`. | match_only_text | -| user.roles | Array of user roles at the time of the event. | keyword | -| user_agent.device.name | Name of the device. | keyword | -| user_agent.name | Name of the user agent. | keyword | -| user_agent.original | Unparsed user_agent string. | keyword | -| user_agent.original.text | Multi-field of `user_agent.original`. | match_only_text | -| user_agent.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| user_agent.os.full | Operating system name, including the version or code name. | keyword | -| user_agent.os.full.text | Multi-field of `user_agent.os.full`. | match_only_text | -| user_agent.os.kernel | Operating system kernel version as a raw string. | keyword | -| user_agent.os.name | Operating system name, without the version. | keyword | -| user_agent.os.name.text | Multi-field of `user_agent.os.name`. | match_only_text | -| user_agent.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| user_agent.os.version | Operating system version as a raw string. 
| keyword | -| user_agent.version | Version of the user agent. | keyword | -| vlan.id | VLAN ID as reported by the observer. | keyword | -| vlan.name | Optional VLAN name as reported by the observer. | keyword | -| vulnerability.category | The type of system or architecture that the vulnerability affects. These may be platform-specific (for example, Debian or SUSE) or general (for example, Database or Firewall). For example (https://qualysguard.qualys.com/qwebhelp/fo_portal/knowledgebase/vulnerability_categories.htm[Qualys vulnerability categories]) This field must be an array. | keyword | -| vulnerability.classification | The classification of the vulnerability scoring system. For example (https://www.first.org/cvss/) | keyword | -| vulnerability.description | The description of the vulnerability that provides additional context of the vulnerability. For example (https://cve.mitre.org/about/faqs.html#cve_entry_descriptions_created[Common Vulnerabilities and Exposure CVE description]) | keyword | -| vulnerability.description.text | Multi-field of `vulnerability.description`. | match_only_text | -| vulnerability.enumeration | The type of identifier used for this vulnerability. For example (https://cve.mitre.org/about/) | keyword | -| vulnerability.id | The identification (ID) is the number portion of a vulnerability entry. It includes a unique identification number for the vulnerability. For example (https://cve.mitre.org/about/faqs.html#what_is_cve_id)[Common Vulnerabilities and Exposure CVE ID] | keyword | -| vulnerability.reference | A resource that provides additional information, context, and mitigations for the identified vulnerability. | keyword | -| vulnerability.report_id | The report or scan identification number. | keyword | -| vulnerability.scanner.vendor | The name of the vulnerability scanner vendor. | keyword | -| vulnerability.score.base | Scores can range from 0.0 to 10.0, with 10.0 being the most severe. 
Base scores cover an assessment for exploitability metrics (attack vector, complexity, privileges, and user interaction), impact metrics (confidentiality, integrity, and availability), and scope. For example (https://www.first.org/cvss/specification-document) | float | -| vulnerability.score.environmental | Scores can range from 0.0 to 10.0, with 10.0 being the most severe. Environmental scores cover an assessment for any modified Base metrics, confidentiality, integrity, and availability requirements. For example (https://www.first.org/cvss/specification-document) | float | -| vulnerability.score.temporal | Scores can range from 0.0 to 10.0, with 10.0 being the most severe. Temporal scores cover an assessment for code maturity, remediation level, and confidence. For example (https://www.first.org/cvss/specification-document) | float | -| vulnerability.score.version | The National Vulnerability Database (NVD) provides qualitative severity rankings of "Low", "Medium", and "High" for CVSS v2.0 base score ranges in addition to the severity ratings for CVSS v3.0 as they are defined in the CVSS v3.0 specification. CVSS is owned and managed by FIRST.Org, Inc. (FIRST), a US-based non-profit organization, whose mission is to help computer security incident response teams across the world. For example (https://nvd.nist.gov/vuln-metrics/cvss) | keyword | -| vulnerability.severity | The severity of the vulnerability can help with metrics and internal prioritization regarding remediation. For example (https://nvd.nist.gov/vuln-metrics/cvss) | keyword | -| x509.alternative_names | List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses. | keyword | -| x509.issuer.common_name | List of common name (CN) of issuing certificate authority. 
| keyword | -| x509.issuer.country | List of country \(C) codes | keyword | -| x509.issuer.distinguished_name | Distinguished name (DN) of issuing certificate authority. | keyword | -| x509.issuer.locality | List of locality names (L) | keyword | -| x509.issuer.organization | List of organizations (O) of issuing certificate authority. | keyword | -| x509.issuer.organizational_unit | List of organizational units (OU) of issuing certificate authority. | keyword | -| x509.issuer.state_or_province | List of state or province names (ST, S, or P) | keyword | -| x509.not_after | Time at which the certificate is no longer considered valid. | date | -| x509.not_before | Time at which the certificate is first considered valid. | date | -| x509.public_key_algorithm | Algorithm used to generate the public key. | keyword | -| x509.public_key_curve | The curve used by the elliptic curve public key algorithm. This is algorithm specific. | keyword | -| x509.public_key_exponent | Exponent used to derive the public key. This is algorithm specific. | long | -| x509.public_key_size | The size of the public key space in bits. | long | -| x509.serial_number | Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters. | keyword | -| x509.signature_algorithm | Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. | keyword | -| x509.subject.common_name | List of common names (CN) of subject. | keyword | -| x509.subject.country | List of country \(C) code | keyword | -| x509.subject.distinguished_name | Distinguished name (DN) of the certificate subject entity. | keyword | -| x509.subject.locality | List of locality names (L) | keyword | -| x509.subject.organization | List of organizations (O) of subject. 
| keyword | -| x509.subject.organizational_unit | List of organizational units (OU) of subject. | keyword | -| x509.subject.state_or_province | List of state or province names (ST, S, or P) | keyword | -| x509.version_number | Version of x509 format. | keyword | diff --git a/packages/juniper_srx/1.5.2/img/logo.svg b/packages/juniper_srx/1.5.2/img/logo.svg deleted file mode 100755 index 8802414a5a..0000000000 --- a/packages/juniper_srx/1.5.2/img/logo.svg +++ /dev/null @@ -1,72 +0,0 @@ - -image/svg+xml \ No newline at end of file diff --git a/packages/juniper_srx/1.5.2/manifest.yml b/packages/juniper_srx/1.5.2/manifest.yml deleted file mode 100755 index 9bf889cc4a..0000000000 --- a/packages/juniper_srx/1.5.2/manifest.yml +++ /dev/null @@ -1,32 +0,0 @@ -format_version: 1.0.0 -name: juniper_srx -title: Juniper SRX -version: "1.5.2" -description: Collect logs from Juniper SRX devices with Elastic Agent. -categories: ["network", "security"] -release: ga -license: basic -type: integration -conditions: - kibana.version: ^8.0.0 -policy_templates: - - name: juniper - title: Juniper SRX logs - description: Collect Juniper SRX logs from syslog or a file. - inputs: - - type: udp - title: Collect logs from Juniper SRX via UDP - description: Collecting syslog from Juniper SRX via UDP. - - type: tcp - title: Collect logs from Juniper SRX via TCP - description: Collecting syslog from Juniper SRX via TCP. - - type: filestream - title: Collect logs from Juniper SRX via file - description: Collecting syslog from Juniper SRX via file. -icons: - - src: /img/logo.svg - title: Juniper logo - size: 32x32 - type: image/svg+xml -owner: - github: elastic/security-external-integrations diff --git a/packages/keycloak/1.5.1/LICENSE.txt b/packages/keycloak/1.5.1/LICENSE.txt deleted file mode 100755 index 809108b857..0000000000 --- a/packages/keycloak/1.5.1/LICENSE.txt +++ /dev/null 
@@ -1,93 +0,0 @@ -Elastic License 2.0 - -URL: https://www.elastic.co/licensing/elastic-license - -## Acceptance - -By using the software, you agree to all of the terms and conditions below. - -## Copyright License - -The licensor grants you a non-exclusive, royalty-free, worldwide, -non-sublicensable, non-transferable license to use, copy, distribute, make -available, and prepare derivative works of the software, in each case subject to -the limitations and conditions below. - -## Limitations - -You may not provide the software to third parties as a hosted or managed -service, where the service provides users with access to any substantial set of -the features or functionality of the software. - -You may not move, change, disable, or circumvent the license key functionality -in the software, and you may not remove or obscure any functionality in the -software that is protected by the license key. - -You may not alter, remove, or obscure any licensing, copyright, or other notices -of the licensor in the software. Any use of the licensor’s trademarks is subject -to applicable law. - -## Patents - -The licensor grants you a license, under any patent claims the licensor can -license, or becomes able to license, to make, have made, use, sell, offer for -sale, import and have imported the software, in each case subject to the -limitations and conditions in this license. This license does not cover any -patent claims that you cause to be infringed by modifications or additions to -the software. If you or your company make any written claim that the software -infringes or contributes to infringement of any patent, your patent license for -the software granted under these terms ends immediately. If your company makes -such a claim, your patent license ends immediately for work on behalf of your -company. - -## Notices - -You must ensure that anyone who gets a copy of any part of the software from you -also gets a copy of these terms. 
- -If you modify the software, you must include in any modified copies of the -software prominent notices stating that you have modified the software. - -## No Other Rights - -These terms do not imply any licenses other than those expressly granted in -these terms. - -## Termination - -If you use the software in violation of these terms, such use is not licensed, -and your licenses will automatically terminate. If the licensor provides you -with a notice of your violation, and you cease all violation of this license no -later than 30 days after you receive that notice, your licenses will be -reinstated retroactively. However, if you violate these terms after such -reinstatement, any additional violation of these terms will cause your licenses -to terminate automatically and permanently. - -## No Liability - -*As far as the law allows, the software comes as is, without any warranty or -condition, and the licensor will not be liable to you for any damages arising -out of these terms or the use or nature of the software, under any kind of -legal claim.* - -## Definitions - -The **licensor** is the entity offering these terms, and the **software** is the -software the licensor makes available under these terms, including any portion -of it. - -**you** refers to the individual or entity agreeing to these terms. - -**your company** is any legal entity, sole proprietorship, or other kind of -organization that you work for, plus all organizations that have control over, -are under the control of, or are under common control with that -organization. **control** means ownership of substantially all the assets of an -entity, or the power to direct its management and policies by vote, contract, or -otherwise. Control can be direct or indirect. - -**your licenses** are all the licenses granted to you for the software under -these terms. - -**use** means anything you do with the software requiring one of your licenses. 
- -**trademark** means trademarks, service marks, and similar rights. diff --git a/packages/keycloak/1.5.1/changelog.yml b/packages/keycloak/1.5.1/changelog.yml deleted file mode 100755 index b00d03589f..0000000000 --- a/packages/keycloak/1.5.1/changelog.yml +++ /dev/null 
@@ -1,56 +0,0 @@ -# newer versions go on top -- version: "1.5.1" - changes: - - description: Use ECS geo.location definition. - type: enhancement - link: https://github.com/elastic/integrations/issues/4227 -- version: "1.5.0" - changes: - - description: Update package to ECS 8.4.0 - type: enhancement - link: https://github.com/elastic/integrations/pull/3867 -- version: "1.4.2" - changes: - - description: Fix typo in 'Timezone Offset' description. - type: bugfix - link: https://github.com/elastic/integrations/pull/3708 -- version: "1.4.1" - changes: - - description: Update package name and description to align with standard wording - type: enhancement - link: https://github.com/elastic/integrations/pull/3478 -- version: "1.4.0" - changes: - - description: Update package to ECS 8.3.0. - type: enhancement - link: https://github.com/elastic/integrations/pull/3353 -- version: "1.3.1" - changes: - - description: Add link to keycloak documentation - type: enhancement - link: https://github.com/elastic/integrations/pull/3136 -- version: "1.3.0" - changes: - - description: Update to ECS 8.2 - type: enhancement - link: https://github.com/elastic/integrations/pull/2779 -- version: "1.2.1" - changes: - - description: Add documentation for multi-fields - type: enhancement - link: https://github.com/elastic/integrations/pull/2916 -- version: "1.2.0" - changes: - - description: Update to ECS 8.0 - type: enhancement - link: https://github.com/elastic/integrations/pull/2419 -- version: "1.1.0" - changes: - - description: Add 8.0.0 version constraint - type: enhancement - link: https://github.com/elastic/integrations/pull/2273 -- version: "1.0.0" - changes: - - description: initial release - type: enhancement # can be one of: enhancement, bugfix, breaking-change - link: https://github.com/elastic/integrations/pull/1913 
diff --git a/packages/keycloak/1.5.1/data_stream/log/agent/stream/filestream.yml.hbs b/packages/keycloak/1.5.1/data_stream/log/agent/stream/filestream.yml.hbs deleted file mode 100755 index bc2ae91604..0000000000 --- a/packages/keycloak/1.5.1/data_stream/log/agent/stream/filestream.yml.hbs +++ /dev/null @@ -1,25 +0,0 @@ -paths: -{{#each paths as |path i|}} - - {{path}} -{{/each}} -tags: -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#each tags as |tag i|}} - - {{tag}} -{{/each}} -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} -prospector.scanner.exclude_files: ['\.gz$'] -processors: -{{#if processors}} -{{processors}} -{{/if}} -- add_locale: ~ -- add_fields: - target: _tmp - fields: - tz_offset: {{tz_offset}} - only_user_events: {{only_user_events}} \ No newline at end of file diff --git a/packages/keycloak/1.5.1/data_stream/log/elasticsearch/ingest_pipeline/default.yml b/packages/keycloak/1.5.1/data_stream/log/elasticsearch/ingest_pipeline/default.yml deleted file mode 100755 index b9a8de1cd1..0000000000 --- a/packages/keycloak/1.5.1/data_stream/log/elasticsearch/ingest_pipeline/default.yml +++ /dev/null 
@@ -1,73 +0,0 @@ ---- -description: Pipeline for parsing keycloak logs -processors: -- set: - field: ecs.version - value: '8.4.0' -- rename: - field: message - target_field: event.original -- grok: - field: event.original - patterns: - - "%{TIMESTAMP_ISO8601:_tmp.timestamp} %{LOGLEVEL:log.level}%{SPACE}\\[%{JAVACLASS:log.logger}\\] \\(%{DATA:process.thread.name}\\) %{GREEDYDATA:message}" -- set: - field: event.timezone - value: "{{_tmp.tz_offset}}" - if: ctx._tmp?.tz_offset != null && ctx._tmp?.tz_offset != 'local' -- date: - field: _tmp.timestamp - target_field: '@timestamp' - timezone: "{{ event.timezone }}" - formats: - - yyyy-MM-dd HH:mm:ss,SSS - if: ctx.event?.timezone != null -- date: - field: _tmp.timestamp - target_field: '@timestamp' - formats: - - yyyy-MM-dd HH:mm:ss,SSS - if: ctx.event?.timezone == null -- pipeline: - name: '{{ IngestPipeline "events" }}' - if: "ctx.log?.logger == 'org.keycloak.events'" -- drop: - if: "ctx._tmp?.only_user_events && ctx.log?.logger != 'org.keycloak.events'" -- remove: - field: - - _tmp - ignore_missing: true -- remove: - field: event.original - if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" - ignore_failure: true - ignore_missing: true -- script: - lang: painless - description: This script processor iterates over the whole document to remove fields with null values. 
- source: | - void handleMap(Map map) { - for (def x : map.values()) { - if (x instanceof Map) { - handleMap(x); - } else if (x instanceof List) { - handleList(x); - } - } - map.values().removeIf(v -> v == null || v == '' || (v instanceof Map && v.size() == 0) || (v instanceof List && v.size() == 0)); - } - void handleList(List list) { - for (def x : list) { - if (x instanceof Map) { - handleMap(x); - } else if (x instanceof List) { - handleList(x); - } - } - list.removeIf(v -> v == null || v == '' || (v instanceof Map && v.size() == 0) || (v instanceof List && v.size() == 0)); - } - handleMap(ctx); -on_failure: -- set: - field: error.message - value: "{{ _ingest.on_failure_message }}" diff --git a/packages/keycloak/1.5.1/data_stream/log/elasticsearch/ingest_pipeline/events.yml b/packages/keycloak/1.5.1/data_stream/log/elasticsearch/ingest_pipeline/events.yml deleted file mode 100755 index d5f85a41cb..0000000000 --- a/packages/keycloak/1.5.1/data_stream/log/elasticsearch/ingest_pipeline/events.yml +++ /dev/null 
@@ -1,221 +0,0 @@ ---- -description: Pipeline for parsing keycloak http logs -processors: -- kv: - field: message - target_field: json - field_split: ", " - value_split: "=" - ignore_missing: true -- rename: - field: json.type - target_field: keycloak.login.type - ignore_missing: true -- rename: - field: json.operationType - target_field: keycloak.admin.operation - ignore_missing: true -- rename: - field: json.resourceType - target_field: keycloak.admin.resource.type - ignore_missing: true -- rename: - field: json.resourcePath - target_field: keycloak.admin.resource.path - ignore_missing: true -- set: - field: keycloak.event_type - value: login - if: ctx.keycloak?.login != null -- set: - field: keycloak.event_type - value: admin - if: ctx.keycloak?.admin != null -- set: - field: event.code - value: "{{{keycloak.admin.operation}}}-{{{keycloak.admin.resource.type}}}" - if: ctx.keycloak?.admin != null -- set: - field: event.action - copy_from: event.code - ignore_empty_value: true - if: ctx.keycloak?.admin != null -- rename: - field: json.error - target_field: event.code - ignore_missing: true - if: ctx.keycloak?.login != null && ctx.event?.code == null -- set: - field: event.action - copy_from: keycloak.login.type - ignore_empty_value: true -- rename: - field: json.realmId - target_field: keycloak.realm.id - ignore_missing: true -- rename: - field: json.clientId - target_field: keycloak.client.id - ignore_missing: true - if: ctx.json?.clientId != "null" -- rename: - field: json.userId - target_field: user.id - ignore_missing: true - if: ctx.json?.userId != "null" -- rename: - field: json.ipAddress - target_field: source.address - ignore_missing: true -- convert: - field: source.address - target_field: source.ip - type: ip - ignore_failure: true - ignore_missing: true -- geoip: - field: source.ip - target_field: source.geo - ignore_missing: true -- geoip: - database_file: GeoLite2-ASN.mmdb - field: source.ip - target_field: source.as - properties: - - asn - - 
organization_name - ignore_missing: true -- rename: - field: source.as.asn - target_field: source.as.number - ignore_missing: true -- rename: - field: source.as.organization_name - target_field: source.as.organization.name - ignore_missing: true -- rename: - field: json.redirect_uri - target_field: keycloak.login.redirect_uri - ignore_missing: true -- uri_parts: - field: keycloak.login.redirect_uri - ignore_failure: true -- rename: - field: json.auth_method - target_field: keycloak.login.auth_method - ignore_missing: true -- rename: - field: json.auth_type - target_field: keycloak.login.auth_type - ignore_missing: true -- rename: - field: json.code_id - target_field: keycloak.login.code_id - ignore_missing: true -- rename: - field: json.username - target_field: user.name - ignore_missing: true -- rename: - field: json.authSessionParentId - target_field: keycloak.login.auth_session_parent_id - ignore_missing: true -- rename: - field: json.authSessionTabId - target_field: keycloak.login.auth_session_tab_id - ignore_missing: true -- grok: - field: keycloak.admin.resource.path - patterns: - - 'users/%{UUID:user.target.id}' - - 'groups/%{UUID:group.id}' - ignore_failure: true - ignore_missing: true -- set: - field: event.kind - value: event -- append: - field: event.category - value: - - authentication - if: ctx.keycloak?.login != null -- append: - field: event.type - value: - - info -- append: - field: event.type - value: - - denied - if: ctx.keycloak?.login?.type == 'LOGIN_ERROR' -- append: - field: event.type - value: - - start - - allowed - if: ctx.keycloak?.login?.type == 'LOGIN' -- append: - field: event.type - value: - - end - if: ctx.keycloak?.login?.type == 'LOGOUT' -- append: - field: event.category - value: - - iam - if: ctx.keycloak?.admin != null -- append: - field: event.type - value: - - admin - if: ctx.keycloak?.admin != null -- append: - field: event.type - value: - - creation - if: ctx.keycloak?.admin?.operation == "CREATE" -- append: - field: 
event.type - value: - - change - if: ctx.keycloak?.admin?.operation == "UPDATE" -- append: - field: event.type - value: - - deletion - if: ctx.keycloak?.admin?.operation == "DELETE" -- append: - field: event.type - value: - - group - if: ctx.keycloak?.admin?.resource == "GROUP" -- append: - field: event.type - value: - - user - if: ctx.keycloak?.admin?.resource == "USER" -- append: - field: related.ip - value: "{{source.ip}}" - if: ctx.source?.ip != null -- append: - field: related.user - value: "{{user.id}}" - if: ctx.user?.id != null -- append: - field: related.user - value: "{{user.target.id}}" - if: ctx.user?.target?.id != null -- append: - field: related.hosts - value: "{{url.domain}}" - if: ctx.url?.domain != null -- remove: - field: - - message - - json - ignore_missing: true -on_failure: -- set: - field: error.message - value: "{{ _ingest.on_failure_message }}" diff --git a/packages/keycloak/1.5.1/data_stream/log/fields/agent.yml b/packages/keycloak/1.5.1/data_stream/log/fields/agent.yml deleted file mode 100755 index da4e652c53..0000000000 --- a/packages/keycloak/1.5.1/data_stream/log/fields/agent.yml +++ /dev/null 
@@ -1,198 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/keycloak/1.5.1/data_stream/log/fields/base-fields.yml b/packages/keycloak/1.5.1/data_stream/log/fields/base-fields.yml
deleted file mode 100755
index 5efd7e55ae..0000000000
--- a/packages/keycloak/1.5.1/data_stream/log/fields/base-fields.yml
+++ /dev/null
@@ -1,20 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset name.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: event.module
- type: constant_keyword
- description: Event module
- value: keycloak
-- name: event.dataset
- type: constant_keyword
- description: Event dataset
- value: keycloak.log
-- name: "@timestamp"
- type: date
- description: Event timestamp.
diff --git a/packages/keycloak/1.5.1/data_stream/log/fields/beats.yml b/packages/keycloak/1.5.1/data_stream/log/fields/beats.yml
deleted file mode 100755
index cb44bb2944..0000000000
--- a/packages/keycloak/1.5.1/data_stream/log/fields/beats.yml
+++ /dev/null
@@ -1,12 +0,0 @@
-- name: input.type
- type: keyword
- description: Type of Filebeat input.
-- name: log.flags
- type: keyword
- description: Flags for the log file.
-- name: log.offset
- type: long
- description: Offset of the entry in the log file.
-- name: log.file.path
- type: keyword
- description: Path to the log file.
diff --git a/packages/keycloak/1.5.1/data_stream/log/fields/ecs.yml b/packages/keycloak/1.5.1/data_stream/log/fields/ecs.yml
deleted file mode 100755
index 265cd45782..0000000000
--- a/packages/keycloak/1.5.1/data_stream/log/fields/ecs.yml
+++ /dev/null
@@ -1,200 +0,0 @@ -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: Error message. - name: error.message - type: match_only_text -- description: |- - The action captured by the event. - This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. - name: event.action - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. This will allow proper categorization of some events that fall in multiple categories. - name: event.category - normalize: - - array - type: keyword -- description: Unique ID to describe the event. - name: event.id - type: keyword -- description: |- - Timestamp when an event arrived in the central data store. - This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. - In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. - name: event.ingested - type: date -- description: |- - event.created contains the date/time when the event was first read by an agent, or by your pipeline. 
- This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. - In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. - In case the two timestamps are identical, @timestamp should be used. - name: event.created - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: |- - Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. - This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. - doc_values: false - index: false - name: event.original - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. 
- `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. This will allow proper categorization of some events that fall in multiple event types. - name: event.type - normalize: - - array - type: keyword -- description: |- - For log events the message field contains the log message, optimized for viewing in a log viewer. - For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. - If multiple messages exist, they can be combined into one message. - name: message - type: match_only_text -- description: All of the IPs seen on your event. - name: related.ip - normalize: - - array - type: ip -- description: All the user names or other user identifiers seen on the event. - name: related.user - normalize: - - array - type: keyword -- description: All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. - name: related.hosts - normalize: - - array - type: keyword -- description: |- - Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: source.address - type: keyword -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: source.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: source.as.organization.name - type: keyword -- description: Bytes sent from the source to the destination. 
- name: source.bytes - type: long -- description: |- - The domain name of the source system. - This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. - name: source.domain - type: keyword -- description: City name. - name: source.geo.city_name - type: keyword -- description: Name of the continent. - name: source.geo.continent_name - type: keyword -- description: Country ISO code. - name: source.geo.country_iso_code - type: keyword -- description: Country name. - name: source.geo.country_name - type: keyword -- description: Longitude and latitude. - name: source.geo.location - type: geo_point -- description: |- - User-defined description of a location, at the level of granularity they care about. - Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. - Not typically used in automated geolocation. - name: source.geo.name - type: keyword -- description: Region ISO code. - name: source.geo.region_iso_code - type: keyword -- description: Region name. - name: source.geo.region_name - type: keyword -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: Port of the source. - name: source.port - type: long -- description: List of keywords used to tag each event. - name: tags - normalize: - - array - type: keyword -- description: Unique identifier of the user. - name: user.id - type: keyword -- description: Short name or login of the user. - multi_fields: - - name: text - type: match_only_text - name: user.name - type: keyword -- description: |- - Original log level of the log event. - If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). - Some examples are `warn`, `err`, `i`, `informational`. 
- name: log.level - type: keyword -- description: The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. - name: log.logger - type: keyword -- description: Thread name. - name: process.thread.name - type: keyword -- description: Unique identifier for the group on the system/platform. - name: group.id - type: keyword -- description: Unique identifier of the user. - name: user.target.id - type: keyword -- description: |- - Domain of the url, such as "www.elastic.co". - In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. - If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. - name: url.domain - type: keyword -- description: |- - The field contains the file extension from the original request url, excluding the leading dot. - The file extension is only set if it exists, as not every url has a file extension. - The leading period must not be included. For example, the value must be "png", not ".png". - Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). - name: url.extension - type: keyword -- description: |- - Portion of the url after the `#`, such as "top". - The `#` is not part of the fragment. - name: url.fragment - type: keyword -- description: |- - Unmodified original url as seen in the event source. - Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. - This field is meant to represent the URL as it was observed, complete or not. - multi_fields: - - name: text - type: match_only_text - name: url.original - type: wildcard -- description: Path of the request, such as "/search". 
- name: url.path - type: wildcard -- description: Port of the request, such as 443. - name: url.port - type: long -- name: url.scheme diff --git a/packages/keycloak/1.5.1/data_stream/log/fields/fields.yml b/packages/keycloak/1.5.1/data_stream/log/fields/fields.yml deleted file mode 100755 index 637184d34d..0000000000 --- a/packages/keycloak/1.5.1/data_stream/log/fields/fields.yml +++ /dev/null @@ -1,82 +0,0 @@ -- name: keycloak - type: group - description: > - Fields for Keycloak Event Logs - - fields: - - name: client.id - type: keyword - description: > - ID of the Keycloak client - - - name: realm.id - type: keyword - description: > - Keycloak Realm ID - - - name: event_type - type: keyword - description: > - Keycloak event type; Login or Admin - -- name: keycloak.admin - type: group - description: > - Fields for Keycloak Admin Event Logs - - fields: - - name: operation - type: keyword - description: > - Keycloak admin operation; Add, Update, Delete - - - name: resource.type - type: keyword - description: > - Type of keycloak resource being acted upon; Group, User, Client, Scope... - - - name: resource.path - type: keyword - description: > - Path to affected resource - -- name: keycloak.login - type: group - description: > - Fields for Keycloak Login Event Logs - - fields: - - name: auth_method - type: keyword - description: > - Keycloak authentication method (SAML or OpenID Connect) - - - name: auth_session_parent_id - type: keyword - description: > - Parent session ID - - - name: auth_session_tab_id - type: keyword - description: > - Session Tab ID - - - name: auth_type - type: keyword - description: > - OpenID Connect authentication type (code, implicit...) - - - name: code_id - type: keyword - description: > - OpenID Connect Code ID - - - name: redirect_uri - type: keyword - description: > - Keycloak redirect URL - - - name: type - type: keyword - description: >- - Event Type 
diff --git a/packages/keycloak/1.5.1/data_stream/log/manifest.yml b/packages/keycloak/1.5.1/data_stream/log/manifest.yml
deleted file mode 100755
index 80ca4ab588..0000000000
--- a/packages/keycloak/1.5.1/data_stream/log/manifest.yml
+++ /dev/null
@@ -1,58 +0,0 @@ -type: logs -title: Keycloak -streams: - - input: filestream - vars: - - name: paths - type: text - title: Paths - multi: true - required: true - show_user: true - default: - - /opt/jboss/standalone/logs/*.log - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: false - default: - - keycloak-log - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original` - type: bool - multi: false - default: false - - name: tz_offset - type: text - title: Timezone Offset - multi: false - required: true - show_user: true - default: local - description: >- - By default, datetimes in the logs will be interpreted as relative to the timezone configured in the host where the agent is running. If ingesting logs from a host on a different timezone, use this field to set the timezone offset so that datetimes are correctly parsed. Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00") from UTC. - - name: only_user_events - required: true - show_user: true - title: Only ingest Keycloak user driven events; logins, config changes... - description: Ignores background Wildfly and Jboss log messages - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: > - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. - - template_path: "filestream.yml.hbs" - title: Keycloak logs - description: Collect Keycloak logs via log files 
diff --git a/packages/keycloak/1.5.1/data_stream/log/sample_event.json b/packages/keycloak/1.5.1/data_stream/log/sample_event.json
deleted file mode 100755
index 9c0e547d46..0000000000
--- a/packages/keycloak/1.5.1/data_stream/log/sample_event.json
+++ /dev/null
@@ -1,73 +0,0 @@ -{ - "@timestamp": "2021-10-22T21:01:42.667-05:00", - "agent": { - "ephemeral_id": "3fa6009c-adab-4e39-9c43-05f16ba9ef47", - "id": "b1d83907-ff3e-464a-b79a-cf843f6f0bba", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "8.0.0-beta1" - }, - "data_stream": { - "dataset": "keycloak.log", - "namespace": "ep", - "type": "logs" - }, - "ecs": { - "version": "8.3.0" - }, - "elastic_agent": { - "id": "b1d83907-ff3e-464a-b79a-cf843f6f0bba", - "snapshot": false, - "version": "8.0.0-beta1" - }, - "event": { - "agent_id_status": "verified", - "dataset": "keycloak.log", - "ingested": "2022-01-01T23:08:55Z", - "original": "2021-10-22 21:01:42,667 INFO [org.jboss.resteasy.resteasy_jaxrs.i18n] (ServerService Thread Pool -- 64) RESTEASY002220: Adding singleton resource org.keycloak.services.resources.admin.AdminRoot from Application class org.keycloak.services.resources.KeycloakApplication", - "timezone": "-05:00" - }, - "host": { - "architecture": "x86_64", - "containerized": true, - "hostname": "docker-fleet-agent", - "id": "4ccba669f0df47fa3f57a9e4169ae7f1", - "ip": [ - "172.18.0.5" - ], - "mac": [ - "02:42:ac:12:00:05" - ], - "name": "docker-fleet-agent", - "os": { - "codename": "Core", - "family": "redhat", - "kernel": "5.11.0-43-generic", - "name": "CentOS Linux", - "platform": "centos", - "type": "linux", - "version": "7 (Core)" - } - }, - "input": { - "type": "filestream" - }, - "log": { - "file": { - "path": "/tmp/service_logs/test-log.log" - }, - "level": "INFO", - "logger": "org.jboss.resteasy.resteasy_jaxrs.i18n", - "offset": 928 - }, - "message": "RESTEASY002220: Adding singleton resource org.keycloak.services.resources.admin.AdminRoot from Application class org.keycloak.services.resources.KeycloakApplication", - "process": { - "thread": { - "name": "ServerService Thread Pool -- 64" - } - }, - "tags": [ - "preserve_original_event", - "keycloak-log" - ] -} \ No newline at end of file 
diff --git a/packages/keycloak/1.5.1/docs/README.md b/packages/keycloak/1.5.1/docs/README.md
deleted file mode 100755
index ffdf12b8ea..0000000000
--- a/packages/keycloak/1.5.1/docs/README.md
+++ /dev/null
@@ -1,207 +0,0 @@ -# Keycloak Integration - -The Keycloak integration collects events from the [Keycloak](https://www.keycloak.org/server/logging) log files. - -To enable logging of all Keycloak events like logins, user creation/updates/deletions.... add the below -``` - - - -``` -to your configuration XML file (ie standalone.xml) under the path below -``` - - - - .... - - - -``` -## Logs - -### log - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset name. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. 
When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| error.message | Error message. | match_only_text | -| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | -| event.dataset | Event dataset | constant_keyword | -| event.id | Unique ID to describe the event. | keyword | -| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. 
In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | -| event.module | Event module | constant_keyword | -| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | -| group.id | Unique identifier for the group on the system/platform. | keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. 
For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| input.type | Type of Filebeat input. | keyword | -| keycloak.admin.operation | Keycloak admin operation; Add, Update, Delete | keyword | -| keycloak.admin.resource.path | Path to affected resource | keyword | -| keycloak.admin.resource.type | Type of keycloak resource being acted upon; Group, User, Client, Scope... 
| keyword | -| keycloak.client.id | ID of the Keycloak client | keyword | -| keycloak.event_type | Keycloak event type; Login or Admin | keyword | -| keycloak.login.auth_method | Keycloak authentication method (SAML or OpenID Connect) | keyword | -| keycloak.login.auth_session_parent_id | Parent session ID | keyword | -| keycloak.login.auth_session_tab_id | Session Tab ID | keyword | -| keycloak.login.auth_type | OpenID Connect authentication type (code, implicit...) | keyword | -| keycloak.login.code_id | OpenID Connect Code ID | keyword | -| keycloak.login.redirect_uri | Keycloak redirect URL | keyword | -| keycloak.login.type | Event Type | keyword | -| keycloak.realm.id | Keycloak Realm ID | keyword | -| log.file.path | Path to the log file. | keyword | -| log.flags | Flags for the log file. | keyword | -| log.level | Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). Some examples are `warn`, `err`, `i`, `informational`. | keyword | -| log.logger | The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. | keyword | -| log.offset | Offset of the entry in the log file. | long | -| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | -| process.thread.name | Thread name. | keyword | -| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword | -| related.ip | All of the IPs seen on your event. 
| ip | -| related.user | All the user names or other user identifiers seen on the event. | keyword | -| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| source.as.organization.name | Organization name. | keyword | -| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text | -| source.bytes | Bytes sent from the source to the destination. | long | -| source.domain | The domain name of the source system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | -| source.geo.city_name | City name. | keyword | -| source.geo.continent_name | Name of the continent. | keyword | -| source.geo.country_iso_code | Country ISO code. | keyword | -| source.geo.country_name | Country name. | keyword | -| source.geo.location | Longitude and latitude. | geo_point | -| source.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | -| source.geo.region_iso_code | Region ISO code. | keyword | -| source.geo.region_name | Region name. | keyword | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| source.port | Port of the source. | long | -| tags | List of keywords used to tag each event. | keyword | -| url.domain | Domain of the url, such as "www.elastic.co". 
In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. | keyword | -| url.extension | The field contains the file extension from the original request url, excluding the leading dot. The file extension is only set if it exists, as not every url has a file extension. The leading period must not be included. For example, the value must be "png", not ".png". Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword | -| url.fragment | Portion of the url after the `#`, such as "top". The `#` is not part of the fragment. | keyword | -| url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | wildcard | -| url.original.text | Multi-field of `url.original`. | match_only_text | -| url.path | Path of the request, such as "/search". | wildcard | -| url.port | Port of the request, such as 443. | long | -| url.scheme | | | -| user.id | Unique identifier of the user. | keyword | -| user.name | Short name or login of the user. | keyword | -| user.name.text | Multi-field of `user.name`. | match_only_text | -| user.target.id | Unique identifier of the user. 
| keyword | - - -An example event for `log` looks as following: - -```json -{ - "@timestamp": "2021-10-22T21:01:42.667-05:00", - "agent": { - "ephemeral_id": "3fa6009c-adab-4e39-9c43-05f16ba9ef47", - "id": "b1d83907-ff3e-464a-b79a-cf843f6f0bba", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "8.0.0-beta1" - }, - "data_stream": { - "dataset": "keycloak.log", - "namespace": "ep", - "type": "logs" - }, - "ecs": { - "version": "8.3.0" - }, - "elastic_agent": { - "id": "b1d83907-ff3e-464a-b79a-cf843f6f0bba", - "snapshot": false, - "version": "8.0.0-beta1" - }, - "event": { - "agent_id_status": "verified", - "dataset": "keycloak.log", - "ingested": "2022-01-01T23:08:55Z", - "original": "2021-10-22 21:01:42,667 INFO [org.jboss.resteasy.resteasy_jaxrs.i18n] (ServerService Thread Pool -- 64) RESTEASY002220: Adding singleton resource org.keycloak.services.resources.admin.AdminRoot from Application class org.keycloak.services.resources.KeycloakApplication", - "timezone": "-05:00" - }, - "host": { - "architecture": "x86_64", - "containerized": true, - "hostname": "docker-fleet-agent", - "id": "4ccba669f0df47fa3f57a9e4169ae7f1", - "ip": [ - "172.18.0.5" - ], - "mac": [ - "02:42:ac:12:00:05" - ], - "name": "docker-fleet-agent", - "os": { - "codename": "Core", - "family": "redhat", - "kernel": "5.11.0-43-generic", - "name": "CentOS Linux", - "platform": "centos", - "type": "linux", - "version": "7 (Core)" - } - }, - "input": { - "type": "filestream" - }, - "log": { - "file": { - "path": "/tmp/service_logs/test-log.log" - }, - "level": "INFO", - "logger": "org.jboss.resteasy.resteasy_jaxrs.i18n", - "offset": 928 - }, - "message": "RESTEASY002220: Adding singleton resource org.keycloak.services.resources.admin.AdminRoot from Application class org.keycloak.services.resources.KeycloakApplication", - "process": { - "thread": { - "name": "ServerService Thread Pool -- 64" - } - }, - "tags": [ - "preserve_original_event", - "keycloak-log" - ] -} -``` \ No newline at 
end of file
diff --git a/packages/keycloak/1.5.1/img/keycloak-logo.svg b/packages/keycloak/1.5.1/img/keycloak-logo.svg deleted file mode 100755
index 570bcc1c30..0000000000
--- a/packages/keycloak/1.5.1/img/keycloak-logo.svg
+++ /dev/null
@@ -1 +0,0 @@
-keycloak_deliverables
\ No newline at end of file
diff --git a/packages/keycloak/1.5.1/manifest.yml b/packages/keycloak/1.5.1/manifest.yml deleted file mode 100755
index 73e9d0dcd5..0000000000
--- a/packages/keycloak/1.5.1/manifest.yml
+++ /dev/null
@@ -1,26 +0,0 @@
-name: keycloak
-title: Keycloak
-version: "1.5.1"
-release: ga
-description: Collect logs from Keycloak with Elastic Agent.
-type: integration
-format_version: 1.0.0
-license: basic
-categories: [security, network, web]
-conditions:
- kibana.version: "^7.16.0 || ^8.0.0"
-icons:
- - src: /img/keycloak-logo.svg
- title: Keycloak
- size: 256x256
- type: image/svg+xml
-policy_templates:
- - name: keycloak
- title: Keycloak logs
- description: Collect logs from Keycloak
- inputs:
- - type: filestream
- title: "Collect Keycloak logs"
- description: "Collecting logs from Keycloak"
-owner:
- github: elastic/security-external-integrations
diff --git a/packages/mattermost/1.4.1/LICENSE.txt b/packages/mattermost/1.4.1/LICENSE.txt deleted file mode 100755
index 809108b857..0000000000
--- a/packages/mattermost/1.4.1/LICENSE.txt
+++ /dev/null
@@ -1,93 +0,0 @@
-Elastic License 2.0
-
-URL: https://www.elastic.co/licensing/elastic-license
-
-## Acceptance
-
-By using the software, you agree to all of the terms and conditions below.
-
-## Copyright License
-
-The licensor grants you a non-exclusive, royalty-free, worldwide,
-non-sublicensable, non-transferable license to use, copy, distribute, make
-available, and prepare derivative works of the software, in each case subject to
-the limitations and conditions below.
-
-## Limitations
-
-You may not provide the software to third parties as a hosted or managed
-service, where the service provides users with access to any substantial set of
-the features or functionality of the software.
-
-You may not move, change, disable, or circumvent the license key functionality
-in the software, and you may not remove or obscure any functionality in the
-software that is protected by the license key.
-
-You may not alter, remove, or obscure any licensing, copyright, or other notices
-of the licensor in the software. Any use of the licensor’s trademarks is subject
-to applicable law.
-
-## Patents
-
-The licensor grants you a license, under any patent claims the licensor can
-license, or becomes able to license, to make, have made, use, sell, offer for
-sale, import and have imported the software, in each case subject to the
-limitations and conditions in this license. This license does not cover any
-patent claims that you cause to be infringed by modifications or additions to
-the software. If you or your company make any written claim that the software
-infringes or contributes to infringement of any patent, your patent license for
-the software granted under these terms ends immediately. If your company makes
-such a claim, your patent license ends immediately for work on behalf of your
-company.
-
-## Notices
-
-You must ensure that anyone who gets a copy of any part of the software from you
-also gets a copy of these terms.
-
-If you modify the software, you must include in any modified copies of the
-software prominent notices stating that you have modified the software.
-
-## No Other Rights
-
-These terms do not imply any licenses other than those expressly granted in
-these terms.
-
-## Termination
-
-If you use the software in violation of these terms, such use is not licensed,
-and your licenses will automatically terminate. If the licensor provides you
-with a notice of your violation, and you cease all violation of this license no
-later than 30 days after you receive that notice, your licenses will be
-reinstated retroactively. However, if you violate these terms after such
-reinstatement, any additional violation of these terms will cause your licenses
-to terminate automatically and permanently.
-
-## No Liability
-
-*As far as the law allows, the software comes as is, without any warranty or
-condition, and the licensor will not be liable to you for any damages arising
-out of these terms or the use or nature of the software, under any kind of
-legal claim.*
-
-## Definitions
-
-The **licensor** is the entity offering these terms, and the **software** is the
-software the licensor makes available under these terms, including any portion
-of it.
-
-**you** refers to the individual or entity agreeing to these terms.
-
-**your company** is any legal entity, sole proprietorship, or other kind of
-organization that you work for, plus all organizations that have control over,
-are under the control of, or are under common control with that
-organization. **control** means ownership of substantially all the assets of an
-entity, or the power to direct its management and policies by vote, contract, or
-otherwise. Control can be direct or indirect.
-
-**your licenses** are all the licenses granted to you for the software under
-these terms.
-
-**use** means anything you do with the software requiring one of your licenses.
-
-**trademark** means trademarks, service marks, and similar rights.
diff --git a/packages/mattermost/1.4.1/changelog.yml b/packages/mattermost/1.4.1/changelog.yml deleted file mode 100755
index 4e013d9626..0000000000
--- a/packages/mattermost/1.4.1/changelog.yml
+++ /dev/null
@@ -1,41 +0,0 @@
-# newer versions go on top
-- version: "1.4.1"
- changes:
- - description: Use ECS geo.location definition.
- type: enhancement
- link: https://github.com/elastic/integrations/issues/4227
-- version: "1.4.0"
- changes:
- - description: Update package to ECS 8.4.0
- type: enhancement
- link: https://github.com/elastic/integrations/pull/3867
-- version: "1.3.1"
- changes:
- - description: Update package name and description to align with standard wording
- type: enhancement
- link: https://github.com/elastic/integrations/pull/3478
-- version: "1.3.0"
- changes:
- - description: Update package to ECS 8.3.0.
- type: enhancement
- link: https://github.com/elastic/integrations/pull/3353
-- version: "1.2.0"
- changes:
- - description: Update to ECS 8.2
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2780
-- version: "1.1.1"
- changes:
- - description: Add documentation for multi-fields
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2916
-- version: "1.1.0"
- changes:
- - description: Update to ECS 8.0
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2420
-- version: "1.0.0"
- changes:
- - description: Initial draft of the package
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2315
diff --git a/packages/mattermost/1.4.1/data_stream/audit/agent/stream/stream.yml.hbs b/packages/mattermost/1.4.1/data_stream/audit/agent/stream/stream.yml.hbs deleted file mode 100755
index 58c6d8be75..0000000000
--- a/packages/mattermost/1.4.1/data_stream/audit/agent/stream/stream.yml.hbs
+++ /dev/null
@@ -1,24 +0,0 @@
-paths:
-{{#each paths as |path i|}}
- - {{path}}
-{{/each}}
-exclude_files: [".gz$"]
-{{#if tags.length}}
-tags:
-{{else if preserve_original_event}}
-tags:
-{{/if}}
-{{#each tags as |tag i|}}
- - {{tag}}
-{{/each}}
-{{#if preserve_original_event}}
- - preserve_original_event
-{{/if}}
-{{#contains "forwarded" tags}}
-publisher_pipeline.disable_host: true
-{{/contains}}
-
-{{#if processors}}
-processors:
-{{processors}}
-{{/if}}
diff --git a/packages/mattermost/1.4.1/data_stream/audit/elasticsearch/ingest_pipeline/default.yml b/packages/mattermost/1.4.1/data_stream/audit/elasticsearch/ingest_pipeline/default.yml deleted file mode 100755
index 28dc41c3a7..0000000000
--- a/packages/mattermost/1.4.1/data_stream/audit/elasticsearch/ingest_pipeline/default.yml
+++ /dev/null
@@ -1,448 +0,0 @@ ---- -description: Pipeline for processing Mattermost audit logs -processors: -- set: - field: ecs.version - value: '8.4.0' -- rename: - field: message - target_field: event.original -- json: - field: event.original - target_field: json -- date: - field: json.timestamp - formats: - - yyyy-MM-dd HH:mm:ss.SSS 'Z' - timezone: UTC - target_field: "@timestamp" -- rename: - field: json.event - target_field: event.action - ignore_missing: true -- rename: - field: json.err - target_field: error.code - ignore_missing: true -- rename: - field: json.errors - target_field: mattermost.audit.error.message - ignore_missing: true - if: ctx.json?.errors != "[]" -- gsub: - field: mattermost.audit.error.message - pattern: "(\\[|\\])" - replacement: "" - ignore_missing: true -- split: - field: mattermost.audit.error.message - separator: ",\\s+" - ignore_missing: true - ignore_failure: true -- set: - field: event.outcome - value: success - if: ctx.json?.status == "success" -- set: - field: event.outcome - value: failure - if: ctx.json?.status == "fail" || ctx.mattermost?.audit?.error?.message != null -- set: - field: event.outcome - value: unknown - if: ctx.event?.outcome == null -- rename: - field: json.user_id - target_field: user.id - ignore_missing: true -- rename: - field: json.user_id - target_field: user.id - ignore_missing: true -- rename: - field: json.login_id - target_field: user.id - ignore_missing: true - if: ctx.user?.id == null -- rename: - field: json.ip_address - target_field: source.address - ignore_missing: true -- convert: - field: source.address - target_field: source.ip - type: ip - ignore_missing: true - ignore_failure: true -- geoip: - field: source.ip - target_field: source.geo - ignore_missing: true -- geoip: - database_file: GeoLite2-ASN.mmdb - field: source.ip - target_field: source.as - properties: - - asn - - organization_name - ignore_missing: true -- rename: - field: source.as.asn - target_field: source.as.number - ignore_missing: true 
-- rename: - field: source.as.organization_name - target_field: source.as.organization.name - ignore_missing: true -- user_agent: - field: json.client - target_field: user_agent - ignore_missing: true -- rename: - field: json.api_path - target_field: mattermost.audit.api_path - ignore_missing: true -- uri_parts: - field: mattermost.audit.api_path - ignore_failure: true -- rename: - field: json.session_id - target_field: mattermost.audit.session.id - ignore_missing: true -- rename: - field: json.device_id - target_field: mattermost.audit.device.id - ignore_missing: true -- rename: - field: json.cluster_id - target_field: mattermost.audit.cluster.id - ignore_missing: true -- rename: - field: json.user.id - target_field: user.target.id - ignore_missing: true -- rename: - field: json.user.name - target_field: user.target.name - ignore_missing: true -- rename: - field: json.user.roles - target_field: user.target.roles - ignore_missing: true -- split: - field: user.target.roles - separator: \s+ - ignore_missing: true -- rename: - field: json.remove_user_id - target_field: user.target.id - ignore_missing: true -- gsub: - field: json.user_ids - pattern: "(\\[|\\])" - replacement: "" - ignore_missing: true -- split: - field: json.user_ids - separator: \s+ - ignore_missing: true - ignore_failure: true -- rename: - field: json.user_ids - target_field: user.target.id - ignore_missing: true -- rename: - field: json.team - target_field: mattermost.audit.team - ignore_missing: true -- rename: - field: json.code - target_field: http.response.status_code - ignore_missing: true -- rename: - field: json.post - target_field: mattermost.audit.post - ignore_missing: true -- rename: - field: mattermost.audit.post.channel_id - target_field: mattermost.audit.post.channel.id - ignore_missing: true -- rename: - field: json.patch - target_field: mattermost.audit.patch - ignore_missing: true -- rename: - field: json.patched - target_field: mattermost.audit.patch - ignore_missing: true -- 
rename: - field: json.channel - target_field: mattermost.audit.channel - ignore_missing: true -- rename: - field: json.channeld - target_field: mattermost.audit.channel - ignore_missing: true -- script: - lang: painless - tag: Add ECS categorization - params: - login: - category: - - authentication - - session - type: - - start - Logout: - category: - - authentication - - session - type: - - end - revokeAllSessionsForUser: - category: - - session - type: - - end - getConfig: - category: - - configuration - type: - - admin - - info - updateConfig: - category: - - configuration - type: - - change - updatePassword: - category: - - iam - type: - - user - - change - updatePreferences: - category: - - iam - type: - - user - - change - updateUserActive: - category: - - iam - type: - - admin - - user - - change - patchUser: - category: - - iam - type: - - user - - change - createPost: - category: - - configuration - type: - - creation - createChannel: - category: - - configuration - type: - - creation - patchChannel: - category: - - configuration - type: - - change - deleteChannel: - category: - - configuration - type: - - deletion - convertChannelToPrivate: - category: - - configuration - type: - - change - restoreChannel: - category: - - configuration - type: - - change - removeChannelMember: - category: - - configuration - type: - - change - createTeam: - category: - - iam - type: - - group - - creation - patchTeam: - category: - - iam - type: - - group - - change - deleteTeam: - category: - - iam - type: - - group - - deletion - addTeamMembers: - category: - - iam - type: - - group - - change - removeTeamMember: - category: - - iam - type: - - group - - change - - source: >- - ctx.event.kind = 'event'; - ctx.event.category = ['configuration']; - ctx.event.type = ['info']; - if (ctx?.event?.action == null) { - return; - } - if (params.get(ctx.event.action) == null) { - return; - } - def hm = new HashMap(params.get(ctx.event.action)); - hm.forEach((k, v) -> ctx.event[k] 
= v); -- script: - lang: painless - description: Add ECS User fields - if: "ctx.event?.category.contains('iam')" - source: >- - if (ctx?.event?.action == null) { - return; - } - if (ctx.group == null) { - Map map = new HashMap(); - ctx.put("group", map); - } - if (ctx.user == null) { - Map map = new HashMap(); - ctx.put("user", map); - } - if (ctx.user?.target == null) { - Map map = new HashMap(); - ctx.user.put("target", map); - } - if (ctx.user?.changes == null) { - Map map = new HashMap(); - ctx.user.put("changes", map); - } - if (ctx.user?.target?.group == null) { - Map map = new HashMap(); - ctx.user.target.put("group", map); - } - if(['patchUser'].contains(ctx.event.action)) { - if(ctx.user?.target?.name != ctx.mattermost?.audit?.patch?.name) { - ctx.user.changes.put("name", ctx.mattermost?.audit?.patch?.name); - } - } - if(['createTeam','patchTeam','deleteTeam'].contains(ctx.event.action)) { - ctx.group.put("name", ctx.mattermost?.audit?.team?.name); - ctx.group.put("id", ctx.mattermost?.audit?.team?.id); - } - if(['addTeamMembers','removeTeamMember'].contains(ctx.event.action)) { - ctx.user.target.group.put("name", ctx.mattermost?.audit?.team?.name); - ctx.user.target.group.put("id", ctx.mattermost?.audit?.team?.id); - } -- append: - field: related.user - value: '{{user.name}}' - allow_duplicates: false - if: ctx.user?.name != null -- append: - field: related.user - value: '{{user.changes.name}}' - allow_duplicates: false - if: ctx.user?.changes?.name != null -- append: - field: related.user - value: '{{user.id}}' - allow_duplicates: false - if: ctx.user?.id != null -- append: - field: related.user - value: '{{user.target.id}}' - allow_duplicates: false - if: ctx.user?.target?.id != null && ctx.user.target.id instanceof String -- foreach: - field: user.target.id - processor: - append: - field: related.user - value: '{{_ingest._value}}' - allow_duplicates: false - ignore_missing: true - if: ctx.user?.target?.id != null && ctx.user.target.id instanceof List 
-- append: - field: related.ip - value: '{{source.ip}}' - allow_duplicates: false - if: ctx.source?.ip != null -- append: - field: mattermost.audit.related.channel - value: '{{mattermost.audit.post.channel.id}}' - allow_duplicates: false - if: ctx.mattermost?.audit?.post?.channel?.id != null -- append: - field: mattermost.audit.related.channel - value: '{{mattermost.audit.channel.id}}' - allow_duplicates: false - if: ctx.mattermost?.audit?.channel?.id != null -- append: - field: mattermost.audit.related.team - value: '{{mattermost.audit.team.id}}' - allow_duplicates: false - if: ctx.mattermost?.audit?.team?.id != null -- remove: - field: - - json - ignore_missing: true -- remove: - field: event.original - if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" - ignore_failure: true - ignore_missing: true -- script: - lang: painless - description: This script processor iterates over the whole document to remove fields with null values. - source: | - void handleMap(Map map) { - for (def x : map.values()) { - if (x instanceof Map) { - handleMap(x); - } else if (x instanceof List) { - handleList(x); - } - } - map.values().removeIf(v -> v == null || v == '' || (v instanceof Map && v.size() == 0) || (v instanceof List && v.size() == 0)); - } - void handleList(List list) { - for (def x : list) { - if (x instanceof Map) { - handleMap(x); - } else if (x instanceof List) { - handleList(x); - } - } - list.removeIf(v -> v == null || v == '' || (v instanceof Map && v.size() == 0) || (v instanceof List && v.size() == 0)); - } - handleMap(ctx); -on_failure: -- set: - field: error.message - value: '{{ _ingest.on_failure_message }}' diff --git a/packages/mattermost/1.4.1/data_stream/audit/fields/agent.yml b/packages/mattermost/1.4.1/data_stream/audit/fields/agent.yml deleted file mode 100755 index da4e652c53..0000000000 --- a/packages/mattermost/1.4.1/data_stream/audit/fields/agent.yml +++ /dev/null 
@@ -1,198 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/mattermost/1.4.1/data_stream/audit/fields/base-fields.yml b/packages/mattermost/1.4.1/data_stream/audit/fields/base-fields.yml deleted file mode 100755
index f420124bd0..0000000000
--- a/packages/mattermost/1.4.1/data_stream/audit/fields/base-fields.yml
+++ /dev/null
@@ -1,20 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset name.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: event.module
- type: constant_keyword
- description: Event module
- value: mattermost
-- name: event.dataset
- type: constant_keyword
- description: Event dataset
- value: mattermost.audit
-- name: "@timestamp"
- type: date
- description: Event timestamp.
diff --git a/packages/mattermost/1.4.1/data_stream/audit/fields/beats.yml b/packages/mattermost/1.4.1/data_stream/audit/fields/beats.yml deleted file mode 100755
index cb44bb2944..0000000000
--- a/packages/mattermost/1.4.1/data_stream/audit/fields/beats.yml
+++ /dev/null
@@ -1,12 +0,0 @@
-- name: input.type
- type: keyword
- description: Type of Filebeat input.
-- name: log.flags
- type: keyword
- description: Flags for the log file.
-- name: log.offset
- type: long
- description: Offset of the entry in the log file.
-- name: log.file.path
- type: keyword
- description: Path to the log file.
diff --git a/packages/mattermost/1.4.1/data_stream/audit/fields/ecs.yml b/packages/mattermost/1.4.1/data_stream/audit/fields/ecs.yml deleted file mode 100755
index 503ad62c8b..0000000000
--- a/packages/mattermost/1.4.1/data_stream/audit/fields/ecs.yml
+++ /dev/null
@@ -1,150 +0,0 @@ -- description: Name of the device. - name: user_agent.device.name - type: keyword -- description: Name of the user agent. - name: user_agent.name - type: keyword -- description: Unparsed user_agent string. - multi_fields: - - name: text - type: match_only_text - name: user_agent.original - type: keyword -- description: Operating system name, without the version. - multi_fields: - - name: text - type: match_only_text - name: user_agent.os.name - type: keyword -- description: Operating system version as a raw string. - name: user_agent.os.version - type: keyword -- description: Operating system name, including the version or code name. - multi_fields: - - name: text - type: match_only_text - name: user_agent.os.full - type: keyword -- description: Version of the user agent. - name: user_agent.version - type: keyword -- description: Path of the request, such as "/search". - name: url.path - type: wildcard -- description: |- - Unmodified original url as seen in the event source. - Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. - This field is meant to represent the URL as it was observed, complete or not. - multi_fields: - - name: text - type: match_only_text - name: url.original - type: wildcard -- description: |- - Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: source.address - type: keyword -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: source.as.number - type: long -- description: Organization name. 
- multi_fields: - - name: text - type: match_only_text - name: source.as.organization.name - type: keyword -- description: Bytes sent from the source to the destination. - name: source.bytes - type: long -- description: City name. - name: source.geo.city_name - type: keyword -- description: Name of the continent. - name: source.geo.continent_name - type: keyword -- description: Country ISO code. - name: source.geo.country_iso_code - type: keyword -- description: Country name. - name: source.geo.country_name - type: keyword -- description: Longitude and latitude. - name: source.geo.location - type: geo_point -- description: |- - User-defined description of a location, at the level of granularity they care about. - Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. - Not typically used in automated geolocation. - name: source.geo.name - type: keyword -- description: Region ISO code. - name: source.geo.region_iso_code - type: keyword -- description: Region name. - name: source.geo.region_name - type: keyword -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: List of keywords used to tag each event. - name: tags - normalize: - - array - type: keyword -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: Error code describing the error. - name: error.code - type: keyword -- description: Unique identifier for the group on the system/platform. - name: group.id - type: keyword -- description: Name of the group. - name: group.name - type: keyword -- description: HTTP response status code. 
- name: http.response.status_code - type: long -- description: Unique identifier of the user. - name: user.id - type: keyword -- description: Unique identifier of the user. - name: user.target.id - type: keyword -- description: Short name or login of the user. - multi_fields: - - name: text - type: match_only_text - name: user.target.name - type: keyword -- description: Array of user roles at the time of the event. - name: user.target.roles - normalize: - - array - type: keyword -- description: Unique identifier for the group on the system/platform. - name: user.target.group.id - type: keyword -- description: Name of the group. - name: user.target.group.name - type: keyword -- description: Short name or login of the user. - multi_fields: - - name: text - type: match_only_text - name: user.changes.name - type: keyword -- description: All the user names or other user identifiers seen on the event. - name: related.user - normalize: - - array - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - normalize: - - array - type: ip diff --git a/packages/mattermost/1.4.1/data_stream/audit/fields/fields.yml b/packages/mattermost/1.4.1/data_stream/audit/fields/fields.yml deleted file mode 100755 index ef12410ec0..0000000000 --- a/packages/mattermost/1.4.1/data_stream/audit/fields/fields.yml +++ /dev/null 
@@ -1,86 +0,0 @@ -- name: mattermost.audit - type: group - description: > - Fields for Mattermost audit logs - - fields: - - name: api_path - type: keyword - description: >- - REST API endpoint - - name: channel.id - type: keyword - description: >- - ID of affected channel - - name: channel.name - type: keyword - description: >- - Name of affected channel - - name: channel.type - type: keyword - description: >- - Type of affected channel - - name: cluster.id - type: keyword - description: >- - Mattermost cluster ID - - name: team.id - type: keyword - description: >- - ID of affected team - - name: team.name - type: keyword - description: >- - Name of affected team - - name: team.type - type: keyword - description: >- - Type of affected team - - name: status - type: keyword - description: >- - Outcome of action/event, ex. success, fail, attempt... - - name: session.id - type: keyword - description: >- - ID of session used to call the API - - name: post.channel.id - type: keyword - description: >- - Channel ID of post - - name: post.id - type: keyword - description: >- - Post ID - - name: post.pinned - type: boolean - description: >- - Whether or not the post was pinned to the channel - - name: related.channel - type: keyword - description: >- - List of channels realted to the event - - name: related.team - type: keyword - description: >- - List of channels realted to the event - - name: patch.id - type: keyword - description: >- - ID of patched channel/team/user... - - name: patch.name - type: keyword - description: >- - Name of patched channel/team/user... - - name: patch.type - type: keyword - description: >- - Type of patched channel/team/user... - - name: patch.roles - type: keyword - description: >- - Roles of patched user - - name: error.message - type: keyword - description: >- - Mattermost error message 
diff --git a/packages/mattermost/1.4.1/data_stream/audit/manifest.yml b/packages/mattermost/1.4.1/data_stream/audit/manifest.yml
deleted file mode 100755
index ec6a496cbb..0000000000
--- a/packages/mattermost/1.4.1/data_stream/audit/manifest.yml
+++ /dev/null
@@ -1,36 +0,0 @@
-title: "Audit Logs"
-type: logs
-streams:
- - input: logfile
- title: Audit Logs
- description: Collect audit logs from Mattermost server
- vars:
- - name: paths
- type: text
- title: Paths
- multi: true
- required: true
- show_user: true
- - name: tags
- type: text
- title: Tags
- multi: true
- required: true
- show_user: true
- default:
- - mattermost-audit
- - name: preserve_original_event
- required: true
- show_user: true
- title: Preserve original event
- description: Preserves a raw copy of the original event, added to the field `event.original`
- type: bool
- multi: false
- default: false
- - name: processors
- type: yaml
- title: Processors
- multi: false
- required: false
- show_user: false
- description: "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. \nThis executes in the agent before the logs are parsed. \nSee [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.\n"
diff --git a/packages/mattermost/1.4.1/data_stream/audit/sample_event.json b/packages/mattermost/1.4.1/data_stream/audit/sample_event.json
deleted file mode 100755
index 771a6c9540..0000000000
--- a/packages/mattermost/1.4.1/data_stream/audit/sample_event.json
+++ /dev/null
@@ -1,116 +0,0 @@ -{ - "@timestamp": "2021-12-04T23:19:32.051Z", - "agent": { - "ephemeral_id": "9f5e87b3-da6a-4888-96ba-c905ba197b12", - "id": "b1d83907-ff3e-464a-b79a-cf843f6f0bba", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "8.0.0-beta1" - }, - "data_stream": { - "dataset": "mattermost.audit", - "namespace": "ep", - "type": "logs" - }, - "ecs": { - "version": "8.3.0" - }, - "elastic_agent": { - "id": "b1d83907-ff3e-464a-b79a-cf843f6f0bba", - "snapshot": false, - "version": "8.0.0-beta1" - }, - "event": { - "action": "updateConfig", - "agent_id_status": "verified", - "category": [ - "configuration" - ], - "dataset": "mattermost.audit", - "ingested": "2022-01-02T00:19:22Z", - "kind": "event", - "original": "{\"timestamp\":\"2021-12-04 23:19:32.051 Z\",\"event\":\"updateConfig\",\"status\":\"success\",\"user_id\":\"ag99yu4i1if63jrui63tsmq57y\",\"session_id\":\"pjh4n69j3p883k7hhzippskcba\",\"ip_address\":\"172.19.0.1\",\"api_path\":\"/api/v4/config\",\"cluster_id\":\"jq3utry71f8a7q9qgebmjccf4r\",\"client\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36\"}", - "outcome": "success", - "type": [ - "change" - ] - }, - "host": { - "architecture": "x86_64", - "containerized": true, - "hostname": "docker-fleet-agent", - "id": "4ccba669f0df47fa3f57a9e4169ae7f1", - "ip": [ - "172.18.0.5" - ], - "mac": [ - "02:42:ac:12:00:05" - ], - "name": "docker-fleet-agent", - "os": { - "codename": "Core", - "family": "redhat", - "kernel": "5.11.0-43-generic", - "name": "CentOS Linux", - "platform": "centos", - "type": "linux", - "version": "7 (Core)" - } - }, - "input": { - "type": "log" - }, - "log": { - "file": { - "path": "/tmp/service_logs/audit.log" - }, - "offset": 0 - }, - "mattermost": { - "audit": { - "api_path": "/api/v4/config", - "cluster": { - "id": "jq3utry71f8a7q9qgebmjccf4r" - }, - "session": { - "id": "pjh4n69j3p883k7hhzippskcba" - } - } - }, - "related": { - "ip": [ - 
"172.19.0.1" - ], - "user": [ - "ag99yu4i1if63jrui63tsmq57y" - ] - }, - "source": { - "address": "172.19.0.1", - "ip": "172.19.0.1" - }, - "tags": [ - "mattermost-audit", - "preserve_original_event" - ], - "url": { - "original": "/api/v4/config", - "path": "/api/v4/config" - }, - "user": { - "id": "ag99yu4i1if63jrui63tsmq57y" - }, - "user_agent": { - "device": { - "name": "Other" - }, - "name": "Chrome", - "original": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36", - "os": { - "full": "Windows 10", - "name": "Windows", - "version": "10" - }, - "version": "96.0.4664.45" - } -} \ No newline at end of file diff --git a/packages/mattermost/1.4.1/docs/README.md b/packages/mattermost/1.4.1/docs/README.md deleted file mode 100755 index eb65c6786d..0000000000 --- a/packages/mattermost/1.4.1/docs/README.md +++ /dev/null 
@@ -1,240 +0,0 @@ -# Mattermost Integration - -The Mattermost integration collects logs from Mattermost servers. This integration has been tested with Mattermost version 5.31.9 but is expected to work with other versions. - -## Logs - -### Audit - -All access to the Mattermost REST API or CLI is audited. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset name. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. 
| keyword | -| error.code | Error code describing the error. | keyword | -| event.dataset | Event dataset | constant_keyword | -| event.module | Event module | constant_keyword | -| group.id | Unique identifier for the group on the system/platform. | keyword | -| group.name | Name of the group. | keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. 
If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| http.response.status_code | HTTP response status code. | long | -| input.type | Type of Filebeat input. | keyword | -| log.file.path | Path to the log file. | keyword | -| log.flags | Flags for the log file. | keyword | -| log.offset | Offset of the entry in the log file. | long | -| mattermost.audit.api_path | REST API endpoint | keyword | -| mattermost.audit.channel.id | ID of affected channel | keyword | -| mattermost.audit.channel.name | Name of affected channel | keyword | -| mattermost.audit.channel.type | Type of affected channel | keyword | -| mattermost.audit.cluster.id | Mattermost cluster ID | keyword | -| mattermost.audit.error.message | Mattermost error message | keyword | -| mattermost.audit.patch.id | ID of patched channel/team/user... | keyword | -| mattermost.audit.patch.name | Name of patched channel/team/user... | keyword | -| mattermost.audit.patch.roles | Roles of patched user | keyword | -| mattermost.audit.patch.type | Type of patched channel/team/user... | keyword | -| mattermost.audit.post.channel.id | Channel ID of post | keyword | -| mattermost.audit.post.id | Post ID | keyword | -| mattermost.audit.post.pinned | Whether or not the post was pinned to the channel | boolean | -| mattermost.audit.related.channel | List of channels realted to the event | keyword | -| mattermost.audit.related.team | List of channels realted to the event | keyword | -| mattermost.audit.session.id | ID of session used to call the API | keyword | -| mattermost.audit.status | Outcome of action/event, ex. success, fail, attempt... | keyword | -| mattermost.audit.team.id | ID of affected team | keyword | -| mattermost.audit.team.name | Name of affected team | keyword | -| mattermost.audit.team.type | Type of affected team | keyword | -| related.ip | All of the IPs seen on your event. 
| ip | -| related.user | All the user names or other user identifiers seen on the event. | keyword | -| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| source.as.organization.name | Organization name. | keyword | -| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text | -| source.bytes | Bytes sent from the source to the destination. | long | -| source.geo.city_name | City name. | keyword | -| source.geo.continent_name | Name of the continent. | keyword | -| source.geo.country_iso_code | Country ISO code. | keyword | -| source.geo.country_name | Country name. | keyword | -| source.geo.location | Longitude and latitude. | geo_point | -| source.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | -| source.geo.region_iso_code | Region ISO code. | keyword | -| source.geo.region_name | Region name. | keyword | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| tags | List of keywords used to tag each event. | keyword | -| url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | wildcard | -| url.original.text | Multi-field of `url.original`. 
| match_only_text | -| url.path | Path of the request, such as "/search". | wildcard | -| user.changes.name | Short name or login of the user. | keyword | -| user.changes.name.text | Multi-field of `user.changes.name`. | match_only_text | -| user.id | Unique identifier of the user. | keyword | -| user.target.group.id | Unique identifier for the group on the system/platform. | keyword | -| user.target.group.name | Name of the group. | keyword | -| user.target.id | Unique identifier of the user. | keyword | -| user.target.name | Short name or login of the user. | keyword | -| user.target.name.text | Multi-field of `user.target.name`. | match_only_text | -| user.target.roles | Array of user roles at the time of the event. | keyword | -| user_agent.device.name | Name of the device. | keyword | -| user_agent.name | Name of the user agent. | keyword | -| user_agent.original | Unparsed user_agent string. | keyword | -| user_agent.original.text | Multi-field of `user_agent.original`. | match_only_text | -| user_agent.os.full | Operating system name, including the version or code name. | keyword | -| user_agent.os.full.text | Multi-field of `user_agent.os.full`. | match_only_text | -| user_agent.os.name | Operating system name, without the version. | keyword | -| user_agent.os.name.text | Multi-field of `user_agent.os.name`. | match_only_text | -| user_agent.os.version | Operating system version as a raw string. | keyword | -| user_agent.version | Version of the user agent. 
| keyword | - - -An example event for `audit` looks as following: - -```json -{ - "@timestamp": "2021-12-04T23:19:32.051Z", - "agent": { - "ephemeral_id": "9f5e87b3-da6a-4888-96ba-c905ba197b12", - "id": "b1d83907-ff3e-464a-b79a-cf843f6f0bba", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "8.0.0-beta1" - }, - "data_stream": { - "dataset": "mattermost.audit", - "namespace": "ep", - "type": "logs" - }, - "ecs": { - "version": "8.3.0" - }, - "elastic_agent": { - "id": "b1d83907-ff3e-464a-b79a-cf843f6f0bba", - "snapshot": false, - "version": "8.0.0-beta1" - }, - "event": { - "action": "updateConfig", - "agent_id_status": "verified", - "category": [ - "configuration" - ], - "dataset": "mattermost.audit", - "ingested": "2022-01-02T00:19:22Z", - "kind": "event", - "original": "{\"timestamp\":\"2021-12-04 23:19:32.051 Z\",\"event\":\"updateConfig\",\"status\":\"success\",\"user_id\":\"ag99yu4i1if63jrui63tsmq57y\",\"session_id\":\"pjh4n69j3p883k7hhzippskcba\",\"ip_address\":\"172.19.0.1\",\"api_path\":\"/api/v4/config\",\"cluster_id\":\"jq3utry71f8a7q9qgebmjccf4r\",\"client\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36\"}", - "outcome": "success", - "type": [ - "change" - ] - }, - "host": { - "architecture": "x86_64", - "containerized": true, - "hostname": "docker-fleet-agent", - "id": "4ccba669f0df47fa3f57a9e4169ae7f1", - "ip": [ - "172.18.0.5" - ], - "mac": [ - "02:42:ac:12:00:05" - ], - "name": "docker-fleet-agent", - "os": { - "codename": "Core", - "family": "redhat", - "kernel": "5.11.0-43-generic", - "name": "CentOS Linux", - "platform": "centos", - "type": "linux", - "version": "7 (Core)" - } - }, - "input": { - "type": "log" - }, - "log": { - "file": { - "path": "/tmp/service_logs/audit.log" - }, - "offset": 0 - }, - "mattermost": { - "audit": { - "api_path": "/api/v4/config", - "cluster": { - "id": "jq3utry71f8a7q9qgebmjccf4r" - }, - "session": { - "id": 
"pjh4n69j3p883k7hhzippskcba" - } - } - }, - "related": { - "ip": [ - "172.19.0.1" - ], - "user": [ - "ag99yu4i1if63jrui63tsmq57y" - ] - }, - "source": { - "address": "172.19.0.1", - "ip": "172.19.0.1" - }, - "tags": [ - "mattermost-audit", - "preserve_original_event" - ], - "url": { - "original": "/api/v4/config", - "path": "/api/v4/config" - }, - "user": { - "id": "ag99yu4i1if63jrui63tsmq57y" - }, - "user_agent": { - "device": { - "name": "Other" - }, - "name": "Chrome", - "original": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36", - "os": { - "full": "Windows 10", - "name": "Windows", - "version": "10" - }, - "version": "96.0.4664.45" - } -} -``` diff --git a/packages/mattermost/1.4.1/img/mattermost-logo.svg b/packages/mattermost/1.4.1/img/mattermost-logo.svg deleted file mode 100755 index 2905ca74ac..0000000000 --- a/packages/mattermost/1.4.1/img/mattermost-logo.svg +++ /dev/null @@ -1 +0,0 @@ - \ No newline at end of file diff --git a/packages/mattermost/1.4.1/manifest.yml b/packages/mattermost/1.4.1/manifest.yml deleted file mode 100755 index 99bdafbf6e..0000000000 --- a/packages/mattermost/1.4.1/manifest.yml +++ /dev/null @@ -1,28 +0,0 @@ -format_version: 1.0.0 -name: mattermost -title: "Mattermost" -version: 1.4.1 -license: basic -description: Collect logs from Mattermost with Elastic Agent. -type: integration -categories: - - security - - web -release: ga -conditions: - kibana.version: "^7.16.0 || ^8.0.0" -icons: - - src: /img/mattermost-logo.svg - title: Mattermost logo - size: 537x535 - type: image/svg+xml -policy_templates: - - name: logs - title: Mattermost Logs - description: Collect logs from Mattermost - inputs: - - type: logfile - title: Collect logs from Mattermost servers - description: Collect logs from Mattermost servers -owner: - github: elastic/security-external-integrations 
diff --git a/packages/mattermost/1.4.2/LICENSE.txt b/packages/mattermost/1.4.2/LICENSE.txt
deleted file mode 100755
index 809108b857..0000000000
--- a/packages/mattermost/1.4.2/LICENSE.txt
+++ /dev/null
@@ -1,93 +0,0 @@
-Elastic License 2.0
-
-URL: https://www.elastic.co/licensing/elastic-license
-
-## Acceptance
-
-By using the software, you agree to all of the terms and conditions below.
-
-## Copyright License
-
-The licensor grants you a non-exclusive, royalty-free, worldwide,
-non-sublicensable, non-transferable license to use, copy, distribute, make
-available, and prepare derivative works of the software, in each case subject to
-the limitations and conditions below.
-
-## Limitations
-
-You may not provide the software to third parties as a hosted or managed
-service, where the service provides users with access to any substantial set of
-the features or functionality of the software.
-
-You may not move, change, disable, or circumvent the license key functionality
-in the software, and you may not remove or obscure any functionality in the
-software that is protected by the license key.
-
-You may not alter, remove, or obscure any licensing, copyright, or other notices
-of the licensor in the software. Any use of the licensor’s trademarks is subject
-to applicable law.
-
-## Patents
-
-The licensor grants you a license, under any patent claims the licensor can
-license, or becomes able to license, to make, have made, use, sell, offer for
-sale, import and have imported the software, in each case subject to the
-limitations and conditions in this license. This license does not cover any
-patent claims that you cause to be infringed by modifications or additions to
-the software. If you or your company make any written claim that the software
-infringes or contributes to infringement of any patent, your patent license for
-the software granted under these terms ends immediately. If your company makes
-such a claim, your patent license ends immediately for work on behalf of your
-company.
-
-## Notices
-
-You must ensure that anyone who gets a copy of any part of the software from you
-also gets a copy of these terms.
-
-If you modify the software, you must include in any modified copies of the
-software prominent notices stating that you have modified the software.
-
-## No Other Rights
-
-These terms do not imply any licenses other than those expressly granted in
-these terms.
-
-## Termination
-
-If you use the software in violation of these terms, such use is not licensed,
-and your licenses will automatically terminate. If the licensor provides you
-with a notice of your violation, and you cease all violation of this license no
-later than 30 days after you receive that notice, your licenses will be
-reinstated retroactively. However, if you violate these terms after such
-reinstatement, any additional violation of these terms will cause your licenses
-to terminate automatically and permanently.
-
-## No Liability
-
-*As far as the law allows, the software comes as is, without any warranty or
-condition, and the licensor will not be liable to you for any damages arising
-out of these terms or the use or nature of the software, under any kind of
-legal claim.*
-
-## Definitions
-
-The **licensor** is the entity offering these terms, and the **software** is the
-software the licensor makes available under these terms, including any portion
-of it.
-
-**you** refers to the individual or entity agreeing to these terms.
-
-**your company** is any legal entity, sole proprietorship, or other kind of
-organization that you work for, plus all organizations that have control over,
-are under the control of, or are under common control with that
-organization. **control** means ownership of substantially all the assets of an
-entity, or the power to direct its management and policies by vote, contract, or
-otherwise. Control can be direct or indirect.
-
-**your licenses** are all the licenses granted to you for the software under
-these terms.
-
-**use** means anything you do with the software requiring one of your licenses.
-
-**trademark** means trademarks, service marks, and similar rights.
diff --git a/packages/mattermost/1.4.2/changelog.yml b/packages/mattermost/1.4.2/changelog.yml
deleted file mode 100755
index a766778f3b..0000000000
--- a/packages/mattermost/1.4.2/changelog.yml
+++ /dev/null
@@ -1,46 +0,0 @@
-# newer versions go on top
-- version: "1.4.2"
- changes:
- - description: Add link to Mattermost documentation.
- type: enhancement
- link: https://github.com/elastic/integrations/pull/4247
-- version: "1.4.1"
- changes:
- - description: Use ECS geo.location definition.
- type: enhancement
- link: https://github.com/elastic/integrations/issues/4227
-- version: "1.4.0"
- changes:
- - description: Update package to ECS 8.4.0
- type: enhancement
- link: https://github.com/elastic/integrations/pull/3867
-- version: "1.3.1"
- changes:
- - description: Update package name and description to align with standard wording
- type: enhancement
- link: https://github.com/elastic/integrations/pull/3478
-- version: "1.3.0"
- changes:
- - description: Update package to ECS 8.3.0.
- type: enhancement
- link: https://github.com/elastic/integrations/pull/3353
-- version: "1.2.0"
- changes:
- - description: Update to ECS 8.2
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2780
-- version: "1.1.1"
- changes:
- - description: Add documentation for multi-fields
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2916
-- version: "1.1.0"
- changes:
- - description: Update to ECS 8.0
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2420
-- version: "1.0.0"
- changes:
- - description: Initial draft of the package
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2315
diff --git a/packages/mattermost/1.4.2/data_stream/audit/agent/stream/stream.yml.hbs b/packages/mattermost/1.4.2/data_stream/audit/agent/stream/stream.yml.hbs
deleted file mode 100755
index 58c6d8be75..0000000000
--- a/packages/mattermost/1.4.2/data_stream/audit/agent/stream/stream.yml.hbs
+++ /dev/null
@@ -1,24 +0,0 @@
-paths:
-{{#each paths as |path i|}}
- - {{path}}
-{{/each}}
-exclude_files: [".gz$"]
-{{#if tags.length}}
-tags:
-{{else if preserve_original_event}}
-tags:
-{{/if}}
-{{#each tags as |tag i|}}
- - {{tag}}
-{{/each}}
-{{#if preserve_original_event}}
- - preserve_original_event
-{{/if}}
-{{#contains "forwarded" tags}}
-publisher_pipeline.disable_host: true
-{{/contains}}
-
-{{#if processors}}
-processors:
-{{processors}}
-{{/if}}
diff --git a/packages/mattermost/1.4.2/data_stream/audit/elasticsearch/ingest_pipeline/default.yml b/packages/mattermost/1.4.2/data_stream/audit/elasticsearch/ingest_pipeline/default.yml
deleted file mode 100755
index 28dc41c3a7..0000000000
--- a/packages/mattermost/1.4.2/data_stream/audit/elasticsearch/ingest_pipeline/default.yml
+++ /dev/null
@@ -1,448 +0,0 @@ ---- -description: Pipeline for processing Mattermost audit logs -processors: -- set: - field: ecs.version - value: '8.4.0' -- rename: - field: message - target_field: event.original -- json: - field: event.original - target_field: json -- date: - field: json.timestamp - formats: - - yyyy-MM-dd HH:mm:ss.SSS 'Z' - timezone: UTC - target_field: "@timestamp" -- rename: - field: json.event - target_field: event.action - ignore_missing: true -- rename: - field: json.err - target_field: error.code - ignore_missing: true -- rename: - field: json.errors - target_field: mattermost.audit.error.message - ignore_missing: true - if: ctx.json?.errors != "[]" -- gsub: - field: mattermost.audit.error.message - pattern: "(\\[|\\])" - replacement: "" - ignore_missing: true -- split: - field: mattermost.audit.error.message - separator: ",\\s+" - ignore_missing: true - ignore_failure: true -- set: - field: event.outcome - value: success - if: ctx.json?.status == "success" -- set: - field: event.outcome - value: failure - if: ctx.json?.status == "fail" || ctx.mattermost?.audit?.error?.message != null -- set: - field: event.outcome - value: unknown - if: ctx.event?.outcome == null -- rename: - field: json.user_id - target_field: user.id - ignore_missing: true -- rename: - field: json.user_id - target_field: user.id - ignore_missing: true -- rename: - field: json.login_id - target_field: user.id - ignore_missing: true - if: ctx.user?.id == null -- rename: - field: json.ip_address - target_field: source.address - ignore_missing: true -- convert: - field: source.address - target_field: source.ip - type: ip - ignore_missing: true - ignore_failure: true -- geoip: - field: source.ip - target_field: source.geo - ignore_missing: true -- geoip: - database_file: GeoLite2-ASN.mmdb - field: source.ip - target_field: source.as - properties: - - asn - - organization_name - ignore_missing: true -- rename: - field: source.as.asn - target_field: source.as.number - ignore_missing: true 
-- rename: - field: source.as.organization_name - target_field: source.as.organization.name - ignore_missing: true -- user_agent: - field: json.client - target_field: user_agent - ignore_missing: true -- rename: - field: json.api_path - target_field: mattermost.audit.api_path - ignore_missing: true -- uri_parts: - field: mattermost.audit.api_path - ignore_failure: true -- rename: - field: json.session_id - target_field: mattermost.audit.session.id - ignore_missing: true -- rename: - field: json.device_id - target_field: mattermost.audit.device.id - ignore_missing: true -- rename: - field: json.cluster_id - target_field: mattermost.audit.cluster.id - ignore_missing: true -- rename: - field: json.user.id - target_field: user.target.id - ignore_missing: true -- rename: - field: json.user.name - target_field: user.target.name - ignore_missing: true -- rename: - field: json.user.roles - target_field: user.target.roles - ignore_missing: true -- split: - field: user.target.roles - separator: \s+ - ignore_missing: true -- rename: - field: json.remove_user_id - target_field: user.target.id - ignore_missing: true -- gsub: - field: json.user_ids - pattern: "(\\[|\\])" - replacement: "" - ignore_missing: true -- split: - field: json.user_ids - separator: \s+ - ignore_missing: true - ignore_failure: true -- rename: - field: json.user_ids - target_field: user.target.id - ignore_missing: true -- rename: - field: json.team - target_field: mattermost.audit.team - ignore_missing: true -- rename: - field: json.code - target_field: http.response.status_code - ignore_missing: true -- rename: - field: json.post - target_field: mattermost.audit.post - ignore_missing: true -- rename: - field: mattermost.audit.post.channel_id - target_field: mattermost.audit.post.channel.id - ignore_missing: true -- rename: - field: json.patch - target_field: mattermost.audit.patch - ignore_missing: true -- rename: - field: json.patched - target_field: mattermost.audit.patch - ignore_missing: true -- 
rename: - field: json.channel - target_field: mattermost.audit.channel - ignore_missing: true -- rename: - field: json.channeld - target_field: mattermost.audit.channel - ignore_missing: true -- script: - lang: painless - tag: Add ECS categorization - params: - login: - category: - - authentication - - session - type: - - start - Logout: - category: - - authentication - - session - type: - - end - revokeAllSessionsForUser: - category: - - session - type: - - end - getConfig: - category: - - configuration - type: - - admin - - info - updateConfig: - category: - - configuration - type: - - change - updatePassword: - category: - - iam - type: - - user - - change - updatePreferences: - category: - - iam - type: - - user - - change - updateUserActive: - category: - - iam - type: - - admin - - user - - change - patchUser: - category: - - iam - type: - - user - - change - createPost: - category: - - configuration - type: - - creation - createChannel: - category: - - configuration - type: - - creation - patchChannel: - category: - - configuration - type: - - change - deleteChannel: - category: - - configuration - type: - - deletion - convertChannelToPrivate: - category: - - configuration - type: - - change - restoreChannel: - category: - - configuration - type: - - change - removeChannelMember: - category: - - configuration - type: - - change - createTeam: - category: - - iam - type: - - group - - creation - patchTeam: - category: - - iam - type: - - group - - change - deleteTeam: - category: - - iam - type: - - group - - deletion - addTeamMembers: - category: - - iam - type: - - group - - change - removeTeamMember: - category: - - iam - type: - - group - - change - - source: >- - ctx.event.kind = 'event'; - ctx.event.category = ['configuration']; - ctx.event.type = ['info']; - if (ctx?.event?.action == null) { - return; - } - if (params.get(ctx.event.action) == null) { - return; - } - def hm = new HashMap(params.get(ctx.event.action)); - hm.forEach((k, v) -> ctx.event[k] 
= v); -- script: - lang: painless - description: Add ECS User fields - if: "ctx.event?.category.contains('iam')" - source: >- - if (ctx?.event?.action == null) { - return; - } - if (ctx.group == null) { - Map map = new HashMap(); - ctx.put("group", map); - } - if (ctx.user == null) { - Map map = new HashMap(); - ctx.put("user", map); - } - if (ctx.user?.target == null) { - Map map = new HashMap(); - ctx.user.put("target", map); - } - if (ctx.user?.changes == null) { - Map map = new HashMap(); - ctx.user.put("changes", map); - } - if (ctx.user?.target?.group == null) { - Map map = new HashMap(); - ctx.user.target.put("group", map); - } - if(['patchUser'].contains(ctx.event.action)) { - if(ctx.user?.target?.name != ctx.mattermost?.audit?.patch?.name) { - ctx.user.changes.put("name", ctx.mattermost?.audit?.patch?.name); - } - } - if(['createTeam','patchTeam','deleteTeam'].contains(ctx.event.action)) { - ctx.group.put("name", ctx.mattermost?.audit?.team?.name); - ctx.group.put("id", ctx.mattermost?.audit?.team?.id); - } - if(['addTeamMembers','removeTeamMember'].contains(ctx.event.action)) { - ctx.user.target.group.put("name", ctx.mattermost?.audit?.team?.name); - ctx.user.target.group.put("id", ctx.mattermost?.audit?.team?.id); - } -- append: - field: related.user - value: '{{user.name}}' - allow_duplicates: false - if: ctx.user?.name != null -- append: - field: related.user - value: '{{user.changes.name}}' - allow_duplicates: false - if: ctx.user?.changes?.name != null -- append: - field: related.user - value: '{{user.id}}' - allow_duplicates: false - if: ctx.user?.id != null -- append: - field: related.user - value: '{{user.target.id}}' - allow_duplicates: false - if: ctx.user?.target?.id != null && ctx.user.target.id instanceof String -- foreach: - field: user.target.id - processor: - append: - field: related.user - value: '{{_ingest._value}}' - allow_duplicates: false - ignore_missing: true - if: ctx.user?.target?.id != null && ctx.user.target.id instanceof List 
-- append: - field: related.ip - value: '{{source.ip}}' - allow_duplicates: false - if: ctx.source?.ip != null -- append: - field: mattermost.audit.related.channel - value: '{{mattermost.audit.post.channel.id}}' - allow_duplicates: false - if: ctx.mattermost?.audit?.post?.channel?.id != null -- append: - field: mattermost.audit.related.channel - value: '{{mattermost.audit.channel.id}}' - allow_duplicates: false - if: ctx.mattermost?.audit?.channel?.id != null -- append: - field: mattermost.audit.related.team - value: '{{mattermost.audit.team.id}}' - allow_duplicates: false - if: ctx.mattermost?.audit?.team?.id != null -- remove: - field: - - json - ignore_missing: true -- remove: - field: event.original - if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" - ignore_failure: true - ignore_missing: true -- script: - lang: painless - description: This script processor iterates over the whole document to remove fields with null values. - source: | - void handleMap(Map map) { - for (def x : map.values()) { - if (x instanceof Map) { - handleMap(x); - } else if (x instanceof List) { - handleList(x); - } - } - map.values().removeIf(v -> v == null || v == '' || (v instanceof Map && v.size() == 0) || (v instanceof List && v.size() == 0)); - } - void handleList(List list) { - for (def x : list) { - if (x instanceof Map) { - handleMap(x); - } else if (x instanceof List) { - handleList(x); - } - } - list.removeIf(v -> v == null || v == '' || (v instanceof Map && v.size() == 0) || (v instanceof List && v.size() == 0)); - } - handleMap(ctx); -on_failure: -- set: - field: error.message - value: '{{ _ingest.on_failure_message }}' diff --git a/packages/mattermost/1.4.2/data_stream/audit/fields/agent.yml b/packages/mattermost/1.4.2/data_stream/audit/fields/agent.yml deleted file mode 100755 index da4e652c53..0000000000 --- a/packages/mattermost/1.4.2/data_stream/audit/fields/agent.yml +++ /dev/null 
@@ -1,198 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/mattermost/1.4.2/data_stream/audit/fields/base-fields.yml b/packages/mattermost/1.4.2/data_stream/audit/fields/base-fields.yml
deleted file mode 100755
index f420124bd0..0000000000
--- a/packages/mattermost/1.4.2/data_stream/audit/fields/base-fields.yml
+++ /dev/null
@@ -1,20 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset name.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: event.module
- type: constant_keyword
- description: Event module
- value: mattermost
-- name: event.dataset
- type: constant_keyword
- description: Event dataset
- value: mattermost.audit
-- name: "@timestamp"
- type: date
- description: Event timestamp.
diff --git a/packages/mattermost/1.4.2/data_stream/audit/fields/beats.yml b/packages/mattermost/1.4.2/data_stream/audit/fields/beats.yml
deleted file mode 100755
index cb44bb2944..0000000000
--- a/packages/mattermost/1.4.2/data_stream/audit/fields/beats.yml
+++ /dev/null
@@ -1,12 +0,0 @@
-- name: input.type
- type: keyword
- description: Type of Filebeat input.
-- name: log.flags
- type: keyword
- description: Flags for the log file.
-- name: log.offset
- type: long
- description: Offset of the entry in the log file.
-- name: log.file.path
- type: keyword
- description: Path to the log file.
diff --git a/packages/mattermost/1.4.2/data_stream/audit/fields/ecs.yml b/packages/mattermost/1.4.2/data_stream/audit/fields/ecs.yml
deleted file mode 100755
index 503ad62c8b..0000000000
--- a/packages/mattermost/1.4.2/data_stream/audit/fields/ecs.yml
+++ /dev/null
@@ -1,150 +0,0 @@ -- description: Name of the device. - name: user_agent.device.name - type: keyword -- description: Name of the user agent. - name: user_agent.name - type: keyword -- description: Unparsed user_agent string. - multi_fields: - - name: text - type: match_only_text - name: user_agent.original - type: keyword -- description: Operating system name, without the version. - multi_fields: - - name: text - type: match_only_text - name: user_agent.os.name - type: keyword -- description: Operating system version as a raw string. - name: user_agent.os.version - type: keyword -- description: Operating system name, including the version or code name. - multi_fields: - - name: text - type: match_only_text - name: user_agent.os.full - type: keyword -- description: Version of the user agent. - name: user_agent.version - type: keyword -- description: Path of the request, such as "/search". - name: url.path - type: wildcard -- description: |- - Unmodified original url as seen in the event source. - Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. - This field is meant to represent the URL as it was observed, complete or not. - multi_fields: - - name: text - type: match_only_text - name: url.original - type: wildcard -- description: |- - Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: source.address - type: keyword -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: source.as.number - type: long -- description: Organization name. 
- multi_fields: - - name: text - type: match_only_text - name: source.as.organization.name - type: keyword -- description: Bytes sent from the source to the destination. - name: source.bytes - type: long -- description: City name. - name: source.geo.city_name - type: keyword -- description: Name of the continent. - name: source.geo.continent_name - type: keyword -- description: Country ISO code. - name: source.geo.country_iso_code - type: keyword -- description: Country name. - name: source.geo.country_name - type: keyword -- description: Longitude and latitude. - name: source.geo.location - type: geo_point -- description: |- - User-defined description of a location, at the level of granularity they care about. - Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. - Not typically used in automated geolocation. - name: source.geo.name - type: keyword -- description: Region ISO code. - name: source.geo.region_iso_code - type: keyword -- description: Region name. - name: source.geo.region_name - type: keyword -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: List of keywords used to tag each event. - name: tags - normalize: - - array - type: keyword -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: Error code describing the error. - name: error.code - type: keyword -- description: Unique identifier for the group on the system/platform. - name: group.id - type: keyword -- description: Name of the group. - name: group.name - type: keyword -- description: HTTP response status code. 
- name: http.response.status_code - type: long -- description: Unique identifier of the user. - name: user.id - type: keyword -- description: Unique identifier of the user. - name: user.target.id - type: keyword -- description: Short name or login of the user. - multi_fields: - - name: text - type: match_only_text - name: user.target.name - type: keyword -- description: Array of user roles at the time of the event. - name: user.target.roles - normalize: - - array - type: keyword -- description: Unique identifier for the group on the system/platform. - name: user.target.group.id - type: keyword -- description: Name of the group. - name: user.target.group.name - type: keyword -- description: Short name or login of the user. - multi_fields: - - name: text - type: match_only_text - name: user.changes.name - type: keyword -- description: All the user names or other user identifiers seen on the event. - name: related.user - normalize: - - array - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - normalize: - - array - type: ip diff --git a/packages/mattermost/1.4.2/data_stream/audit/fields/fields.yml b/packages/mattermost/1.4.2/data_stream/audit/fields/fields.yml deleted file mode 100755 index ef12410ec0..0000000000 --- a/packages/mattermost/1.4.2/data_stream/audit/fields/fields.yml +++ /dev/null 
@@ -1,86 +0,0 @@
-- name: mattermost.audit
- type: group
- description: >
- Fields for Mattermost audit logs
-
- fields:
- - name: api_path
- type: keyword
- description: >-
- REST API endpoint
- - name: channel.id
- type: keyword
- description: >-
- ID of affected channel
- - name: channel.name
- type: keyword
- description: >-
- Name of affected channel
- - name: channel.type
- type: keyword
- description: >-
- Type of affected channel
- - name: cluster.id
- type: keyword
- description: >-
- Mattermost cluster ID
- - name: team.id
- type: keyword
- description: >-
- ID of affected team
- - name: team.name
- type: keyword
- description: >-
- Name of affected team
- - name: team.type
- type: keyword
- description: >-
- Type of affected team
- - name: status
- type: keyword
- description: >-
- Outcome of action/event, ex. success, fail, attempt...
- - name: session.id
- type: keyword
- description: >-
- ID of session used to call the API
- - name: post.channel.id
- type: keyword
- description: >-
- Channel ID of post
- - name: post.id
- type: keyword
- description: >-
- Post ID
- - name: post.pinned
- type: boolean
- description: >-
- Whether or not the post was pinned to the channel
- - name: related.channel
- type: keyword
- description: >-
- List of channels realted to the event
- - name: related.team
- type: keyword
- description: >-
- List of channels realted to the event
- - name: patch.id
- type: keyword
- description: >-
- ID of patched channel/team/user...
- - name: patch.name
- type: keyword
- description: >-
- Name of patched channel/team/user...
- - name: patch.type
- type: keyword
- description: >-
- Type of patched channel/team/user...
- - name: patch.roles
- type: keyword
- description: >-
- Roles of patched user
- - name: error.message
- type: keyword
- description: >-
- Mattermost error message
diff --git a/packages/mattermost/1.4.2/data_stream/audit/manifest.yml b/packages/mattermost/1.4.2/data_stream/audit/manifest.yml
deleted file mode 100755
index ec6a496cbb..0000000000
--- a/packages/mattermost/1.4.2/data_stream/audit/manifest.yml
+++ /dev/null
@@ -1,36 +0,0 @@
-title: "Audit Logs"
-type: logs
-streams:
- - input: logfile
- title: Audit Logs
- description: Collect audit logs from Mattermost server
- vars:
- - name: paths
- type: text
- title: Paths
- multi: true
- required: true
- show_user: true
- - name: tags
- type: text
- title: Tags
- multi: true
- required: true
- show_user: true
- default:
- - mattermost-audit
- - name: preserve_original_event
- required: true
- show_user: true
- title: Preserve original event
- description: Preserves a raw copy of the original event, added to the field `event.original`
- type: bool
- multi: false
- default: false
- - name: processors
- type: yaml
- title: Processors
- multi: false
- required: false
- show_user: false
- description: "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. \nThis executes in the agent before the logs are parsed. \nSee [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.\n"
diff --git a/packages/mattermost/1.4.2/data_stream/audit/sample_event.json b/packages/mattermost/1.4.2/data_stream/audit/sample_event.json
deleted file mode 100755
index 771a6c9540..0000000000
--- a/packages/mattermost/1.4.2/data_stream/audit/sample_event.json
+++ /dev/null
@@ -1,116 +0,0 @@ -{ - "@timestamp": "2021-12-04T23:19:32.051Z", - "agent": { - "ephemeral_id": "9f5e87b3-da6a-4888-96ba-c905ba197b12", - "id": "b1d83907-ff3e-464a-b79a-cf843f6f0bba", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "8.0.0-beta1" - }, - "data_stream": { - "dataset": "mattermost.audit", - "namespace": "ep", - "type": "logs" - }, - "ecs": { - "version": "8.3.0" - }, - "elastic_agent": { - "id": "b1d83907-ff3e-464a-b79a-cf843f6f0bba", - "snapshot": false, - "version": "8.0.0-beta1" - }, - "event": { - "action": "updateConfig", - "agent_id_status": "verified", - "category": [ - "configuration" - ], - "dataset": "mattermost.audit", - "ingested": "2022-01-02T00:19:22Z", - "kind": "event", - "original": "{\"timestamp\":\"2021-12-04 23:19:32.051 Z\",\"event\":\"updateConfig\",\"status\":\"success\",\"user_id\":\"ag99yu4i1if63jrui63tsmq57y\",\"session_id\":\"pjh4n69j3p883k7hhzippskcba\",\"ip_address\":\"172.19.0.1\",\"api_path\":\"/api/v4/config\",\"cluster_id\":\"jq3utry71f8a7q9qgebmjccf4r\",\"client\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36\"}", - "outcome": "success", - "type": [ - "change" - ] - }, - "host": { - "architecture": "x86_64", - "containerized": true, - "hostname": "docker-fleet-agent", - "id": "4ccba669f0df47fa3f57a9e4169ae7f1", - "ip": [ - "172.18.0.5" - ], - "mac": [ - "02:42:ac:12:00:05" - ], - "name": "docker-fleet-agent", - "os": { - "codename": "Core", - "family": "redhat", - "kernel": "5.11.0-43-generic", - "name": "CentOS Linux", - "platform": "centos", - "type": "linux", - "version": "7 (Core)" - } - }, - "input": { - "type": "log" - }, - "log": { - "file": { - "path": "/tmp/service_logs/audit.log" - }, - "offset": 0 - }, - "mattermost": { - "audit": { - "api_path": "/api/v4/config", - "cluster": { - "id": "jq3utry71f8a7q9qgebmjccf4r" - }, - "session": { - "id": "pjh4n69j3p883k7hhzippskcba" - } - } - }, - "related": { - "ip": [ - 
"172.19.0.1" - ], - "user": [ - "ag99yu4i1if63jrui63tsmq57y" - ] - }, - "source": { - "address": "172.19.0.1", - "ip": "172.19.0.1" - }, - "tags": [ - "mattermost-audit", - "preserve_original_event" - ], - "url": { - "original": "/api/v4/config", - "path": "/api/v4/config" - }, - "user": { - "id": "ag99yu4i1if63jrui63tsmq57y" - }, - "user_agent": { - "device": { - "name": "Other" - }, - "name": "Chrome", - "original": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36", - "os": { - "full": "Windows 10", - "name": "Windows", - "version": "10" - }, - "version": "96.0.4664.45" - } -} \ No newline at end of file diff --git a/packages/mattermost/1.4.2/docs/README.md b/packages/mattermost/1.4.2/docs/README.md deleted file mode 100755 index ceb1cdc8c0..0000000000 --- a/packages/mattermost/1.4.2/docs/README.md +++ /dev/null 
@@ -1,242 +0,0 @@
-# Mattermost Integration
-
-The Mattermost integration collects logs from [Mattermost](
-https://docs.mattermost.com/) servers. This integration has been tested with
-Mattermost version 5.31.9 but is expected to work with other versions.
-
-## Logs
-
-### Audit
-
-All access to the Mattermost REST API or CLI is audited.
-
-**Exported fields**
-
-| Field | Description | Type |
-|---|---|---|
-| @timestamp | Event timestamp. | date |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
-| data_stream.dataset | Data stream dataset name. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| error.code | Error code describing the error. | keyword |
-| event.dataset | Event dataset | constant_keyword |
-| event.module | Event module | constant_keyword |
-| group.id | Unique identifier for the group on the system/platform. | keyword |
-| group.name | Name of the group. | keyword |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| http.response.status_code | HTTP response status code. | long |
-| input.type | Type of Filebeat input. | keyword |
-| log.file.path | Path to the log file. | keyword |
-| log.flags | Flags for the log file. | keyword |
-| log.offset | Offset of the entry in the log file. | long |
-| mattermost.audit.api_path | REST API endpoint | keyword |
-| mattermost.audit.channel.id | ID of affected channel | keyword |
-| mattermost.audit.channel.name | Name of affected channel | keyword |
-| mattermost.audit.channel.type | Type of affected channel | keyword |
-| mattermost.audit.cluster.id | Mattermost cluster ID | keyword |
-| mattermost.audit.error.message | Mattermost error message | keyword |
-| mattermost.audit.patch.id | ID of patched channel/team/user... | keyword |
-| mattermost.audit.patch.name | Name of patched channel/team/user... | keyword |
-| mattermost.audit.patch.roles | Roles of patched user | keyword |
-| mattermost.audit.patch.type | Type of patched channel/team/user... | keyword |
-| mattermost.audit.post.channel.id | Channel ID of post | keyword |
-| mattermost.audit.post.id | Post ID | keyword |
-| mattermost.audit.post.pinned | Whether or not the post was pinned to the channel | boolean |
-| mattermost.audit.related.channel | List of channels realted to the event | keyword |
-| mattermost.audit.related.team | List of channels realted to the event | keyword |
-| mattermost.audit.session.id | ID of session used to call the API | keyword |
-| mattermost.audit.status | Outcome of action/event, ex. success, fail, attempt... | keyword |
-| mattermost.audit.team.id | ID of affected team | keyword |
-| mattermost.audit.team.name | Name of affected team | keyword |
-| mattermost.audit.team.type | Type of affected team | keyword |
-| related.ip | All of the IPs seen on your event. | ip |
-| related.user | All the user names or other user identifiers seen on the event. | keyword |
-| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
-| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long |
-| source.as.organization.name | Organization name. | keyword |
-| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text |
-| source.bytes | Bytes sent from the source to the destination. | long |
-| source.geo.city_name | City name. | keyword |
-| source.geo.continent_name | Name of the continent. | keyword |
-| source.geo.country_iso_code | Country ISO code. | keyword |
-| source.geo.country_name | Country name. | keyword |
-| source.geo.location | Longitude and latitude. | geo_point |
-| source.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword |
-| source.geo.region_iso_code | Region ISO code. | keyword |
-| source.geo.region_name | Region name. | keyword |
-| source.ip | IP address of the source (IPv4 or IPv6). | ip |
-| tags | List of keywords used to tag each event. | keyword |
-| url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | wildcard |
-| url.original.text | Multi-field of `url.original`. | match_only_text |
-| url.path | Path of the request, such as "/search". | wildcard |
-| user.changes.name | Short name or login of the user. | keyword |
-| user.changes.name.text | Multi-field of `user.changes.name`. | match_only_text |
-| user.id | Unique identifier of the user. | keyword |
-| user.target.group.id | Unique identifier for the group on the system/platform. | keyword |
-| user.target.group.name | Name of the group. | keyword |
-| user.target.id | Unique identifier of the user. | keyword |
-| user.target.name | Short name or login of the user. | keyword |
-| user.target.name.text | Multi-field of `user.target.name`. | match_only_text |
-| user.target.roles | Array of user roles at the time of the event. | keyword |
-| user_agent.device.name | Name of the device. | keyword |
-| user_agent.name | Name of the user agent. | keyword |
-| user_agent.original | Unparsed user_agent string. | keyword |
-| user_agent.original.text | Multi-field of `user_agent.original`. | match_only_text |
-| user_agent.os.full | Operating system name, including the version or code name. | keyword |
-| user_agent.os.full.text | Multi-field of `user_agent.os.full`. | match_only_text |
-| user_agent.os.name | Operating system name, without the version. | keyword |
-| user_agent.os.name.text | Multi-field of `user_agent.os.name`. | match_only_text |
-| user_agent.os.version | Operating system version as a raw string. | keyword |
-| user_agent.version | Version of the user agent. | keyword |
-
-
-An example event for `audit` looks as following:
-
-```json
-{
- "@timestamp": "2021-12-04T23:19:32.051Z",
- "agent": {
- "ephemeral_id": "9f5e87b3-da6a-4888-96ba-c905ba197b12",
- "id": "b1d83907-ff3e-464a-b79a-cf843f6f0bba",
- "name": "docker-fleet-agent",
- "type": "filebeat",
- "version": "8.0.0-beta1"
- },
- "data_stream": {
- "dataset": "mattermost.audit",
- "namespace": "ep",
- "type": "logs"
- },
- "ecs": {
- "version": "8.3.0"
- },
- "elastic_agent": {
- "id": "b1d83907-ff3e-464a-b79a-cf843f6f0bba",
- "snapshot": false,
- "version": "8.0.0-beta1"
- },
- "event": {
- "action": "updateConfig",
- "agent_id_status": "verified",
- "category": [
- "configuration"
- ],
- "dataset": "mattermost.audit",
- "ingested": "2022-01-02T00:19:22Z",
- "kind": "event",
- "original": "{\"timestamp\":\"2021-12-04 23:19:32.051 Z\",\"event\":\"updateConfig\",\"status\":\"success\",\"user_id\":\"ag99yu4i1if63jrui63tsmq57y\",\"session_id\":\"pjh4n69j3p883k7hhzippskcba\",\"ip_address\":\"172.19.0.1\",\"api_path\":\"/api/v4/config\",\"cluster_id\":\"jq3utry71f8a7q9qgebmjccf4r\",\"client\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36\"}",
- "outcome": "success",
- "type": [
- "change"
- ]
- },
- "host": {
- "architecture": "x86_64",
- "containerized": true,
- "hostname": "docker-fleet-agent",
- "id": "4ccba669f0df47fa3f57a9e4169ae7f1",
- "ip": [
- "172.18.0.5"
- ],
- "mac": [
- "02:42:ac:12:00:05"
- ],
- "name": "docker-fleet-agent",
- "os": {
- "codename": "Core",
- "family": "redhat",
- "kernel": "5.11.0-43-generic",
- "name": "CentOS Linux",
- "platform": "centos",
- "type": "linux",
- "version": "7 (Core)"
- }
- },
- "input": {
- "type": "log"
- },
- "log": {
- "file": {
- "path": "/tmp/service_logs/audit.log"
- },
- "offset": 0
- },
- "mattermost": {
- "audit": {
- "api_path": "/api/v4/config",
- "cluster": {
- "id": "jq3utry71f8a7q9qgebmjccf4r"
- },
- "session": {
- "id": "pjh4n69j3p883k7hhzippskcba"
- }
- }
- },
- "related": {
- "ip": [
- "172.19.0.1"
- ],
- "user": [
- "ag99yu4i1if63jrui63tsmq57y"
- ]
- },
- "source": {
- "address": "172.19.0.1",
- "ip": "172.19.0.1"
- },
- "tags": [
- "mattermost-audit",
- "preserve_original_event"
- ],
- "url": {
- "original": "/api/v4/config",
- "path": "/api/v4/config"
- },
- "user": {
- "id": "ag99yu4i1if63jrui63tsmq57y"
- },
- "user_agent": {
- "device": {
- "name": "Other"
- },
- "name": "Chrome",
- "original": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36",
- "os": {
- "full": "Windows 10",
- "name": "Windows",
- "version": "10"
- },
- "version": "96.0.4664.45"
- }
-}
-```
diff --git a/packages/mattermost/1.4.2/img/mattermost-logo.svg b/packages/mattermost/1.4.2/img/mattermost-logo.svg
deleted file mode 100755
index 2905ca74ac..0000000000
--- a/packages/mattermost/1.4.2/img/mattermost-logo.svg
+++ /dev/null
@@ -1 +0,0 @@
-
\ No newline at end of file
diff --git a/packages/mattermost/1.4.2/manifest.yml b/packages/mattermost/1.4.2/manifest.yml
deleted file mode 100755
index 9af061f14f..0000000000
--- a/packages/mattermost/1.4.2/manifest.yml
+++ /dev/null
@@ -1,28 +0,0 @@
-format_version: 1.0.0
-name: mattermost
-title: "Mattermost"
-version: 1.4.2
-license: basic
-description: Collect logs from Mattermost with Elastic Agent.
-type: integration
-categories:
- - security
- - web
-release: ga
-conditions:
- kibana.version: "^7.16.0 || ^8.0.0"
-icons:
- - src: /img/mattermost-logo.svg
- title: Mattermost logo
- size: 537x535
- type: image/svg+xml
-policy_templates:
- - name: logs
- title: Mattermost Logs
- description: Collect logs from Mattermost
- inputs:
- - type: logfile
- title: Collect logs from Mattermost servers
- description: Collect logs from Mattermost servers
-owner:
- github: elastic/security-external-integrations
diff --git a/packages/microsoft_dhcp/1.7.0/LICENSE.txt b/packages/microsoft_dhcp/1.7.0/LICENSE.txt
deleted file mode 100755
index 809108b857..0000000000
--- a/packages/microsoft_dhcp/1.7.0/LICENSE.txt
+++ /dev/null
@@ -1,93 +0,0 @@
-Elastic License 2.0
-
-URL: https://www.elastic.co/licensing/elastic-license
-
-## Acceptance
-
-By using the software, you agree to all of the terms and conditions below.
-
-## Copyright License
-
-The licensor grants you a non-exclusive, royalty-free, worldwide,
-non-sublicensable, non-transferable license to use, copy, distribute, make
-available, and prepare derivative works of the software, in each case subject to
-the limitations and conditions below.
-
-## Limitations
-
-You may not provide the software to third parties as a hosted or managed
-service, where the service provides users with access to any substantial set of
-the features or functionality of the software.
-
-You may not move, change, disable, or circumvent the license key functionality
-in the software, and you may not remove or obscure any functionality in the
-software that is protected by the license key.
-
-You may not alter, remove, or obscure any licensing, copyright, or other notices
-of the licensor in the software. Any use of the licensor’s trademarks is subject
-to applicable law.
-
-## Patents
-
-The licensor grants you a license, under any patent claims the licensor can
-license, or becomes able to license, to make, have made, use, sell, offer for
-sale, import and have imported the software, in each case subject to the
-limitations and conditions in this license. This license does not cover any
-patent claims that you cause to be infringed by modifications or additions to
-the software. If you or your company make any written claim that the software
-infringes or contributes to infringement of any patent, your patent license for
-the software granted under these terms ends immediately. If your company makes
-such a claim, your patent license ends immediately for work on behalf of your
-company.
-
-## Notices
-
-You must ensure that anyone who gets a copy of any part of the software from you
-also gets a copy of these terms.
-
-If you modify the software, you must include in any modified copies of the
-software prominent notices stating that you have modified the software.
-
-## No Other Rights
-
-These terms do not imply any licenses other than those expressly granted in
-these terms.
-
-## Termination
-
-If you use the software in violation of these terms, such use is not licensed,
-and your licenses will automatically terminate. If the licensor provides you
-with a notice of your violation, and you cease all violation of this license no
-later than 30 days after you receive that notice, your licenses will be
-reinstated retroactively. However, if you violate these terms after such
-reinstatement, any additional violation of these terms will cause your licenses
-to terminate automatically and permanently.
-
-## No Liability
-
-*As far as the law allows, the software comes as is, without any warranty or
-condition, and the licensor will not be liable to you for any damages arising
-out of these terms or the use or nature of the software, under any kind of
-legal claim.*
-
-## Definitions
-
-The **licensor** is the entity offering these terms, and the **software** is the
-software the licensor makes available under these terms, including any portion
-of it.
-
-**you** refers to the individual or entity agreeing to these terms.
-
-**your company** is any legal entity, sole proprietorship, or other kind of
-organization that you work for, plus all organizations that have control over,
-are under the control of, or are under common control with that
-organization. **control** means ownership of substantially all the assets of an
-entity, or the power to direct its management and policies by vote, contract, or
-otherwise. Control can be direct or indirect.
-
-**your licenses** are all the licenses granted to you for the software under
-these terms.
-
-**use** means anything you do with the software requiring one of your licenses.
-
-**trademark** means trademarks, service marks, and similar rights.
diff --git a/packages/microsoft_dhcp/1.7.0/changelog.yml b/packages/microsoft_dhcp/1.7.0/changelog.yml
deleted file mode 100755
index e98e18db88..0000000000
--- a/packages/microsoft_dhcp/1.7.0/changelog.yml
+++ /dev/null
@@ -1,76 +0,0 @@
-# newer versions go on top
-- version: "1.7.0"
- changes:
- - description: Change host.domain to host.name to reflect the event data and then extract host.domain from the host.name
- type: enhancement
- link: https://github.com/elastic/integrations/pull/4280
-- version: "1.6.0"
- changes:
- - description: Update package to ECS 8.4.0
- type: enhancement
- link: https://github.com/elastic/integrations/pull/3867
-- version: "1.5.0"
- changes:
- - description: Update package to ECS 8.3.0.
- type: enhancement
- link: https://github.com/elastic/integrations/pull/3353
-- version: "1.4.2"
- changes:
- - description: Change event.type value from end to stop according to ECS
- type: bugfix
- link: https://github.com/elastic/integrations/issues/3406
-- version: "1.4.1"
- changes:
- - description: Format observer.mac as per ECS and add missing mappings for event.category, event.outcome, and event.type.
- type: bugfix
- link: https://github.com/elastic/integrations/pull/3300
-- version: "1.4.0"
- changes:
- - description: Update to ECS 8.2
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2780
-- version: "1.3.1"
- changes:
- - description: Add documentation for multi-fields
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2916
-- version: "1.3.0"
- changes:
- - description: Update to ECS 8.0
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2423
-- version: "1.2.0"
- changes:
- - description: Add DHCPv6 Server support
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2473
-- version: "1.1.0"
- changes:
- - description: Add more event.action and event.outcome values
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2296
-- version: "1.0.0"
- changes:
- - description: GA integration
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2360
-- version: "0.2.1"
- changes:
- - description: Change test public IPs to the supported subset
- type: bugfix
- link: https://github.com/elastic/integrations/pull/2327
-- version: "0.2.0"
- changes:
- - description: Add 8.0.0 version constraint
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2276
-- version: "0.1.1"
- changes:
- - description: Update Title and Description.
- type: enhancement
- link: https://github.com/elastic/integrations/pull/1972
-- version: "0.1.0"
- changes:
- - description: Initial release
- type: enhancement
- link: https://github.com/elastic/integrations/pull/1793
diff --git a/packages/microsoft_dhcp/1.7.0/data_stream/log/agent/stream/logfile.yml.hbs b/packages/microsoft_dhcp/1.7.0/data_stream/log/agent/stream/logfile.yml.hbs
deleted file mode 100755
index 2b61987446..0000000000
--- a/packages/microsoft_dhcp/1.7.0/data_stream/log/agent/stream/logfile.yml.hbs
+++ /dev/null
@@ -1,32 +0,0 @@
-paths:
-{{#each paths as |path i|}}
- - '{{path}}'
-{{/each}}
-exclude_files: [".gz$"]
-tags:
-{{#if preserve_original_event}}
- - preserve_original_event
-{{/if}}
-{{#each tags as |tag i|}}
- - {{tag}}
-{{/each}}
-{{#contains "forwarded" tags}}
-publisher_pipeline.disable_host: true
-{{/contains}}
-{{#if tz_offset}}
-fields_under_root: true
-fields:
- _conf:
- tz_offset: {{tz_offset}}
-{{/if}}
-processors:
-- drop_event:
- when:
- not:
- regexp:
- message: "^[0-9]+,.*"
-- add_observer_metadata:
-- add_locale: ~
-{{#if processors}}
-{{processors}}
-{{/if}}
\ No newline at end of file
diff --git a/packages/microsoft_dhcp/1.7.0/data_stream/log/elasticsearch/ingest_pipeline/default.yml b/packages/microsoft_dhcp/1.7.0/data_stream/log/elasticsearch/ingest_pipeline/default.yml
deleted file mode 100755
index 1a5a6a3ead..0000000000
--- a/packages/microsoft_dhcp/1.7.0/data_stream/log/elasticsearch/ingest_pipeline/default.yml
+++ /dev/null
@@ -1,63 +0,0 @@
----
-description: Pipeline for processing Microsoft DHCP Server logs.
-processors:
- - set:
- field: ecs.version
- value: '8.4.0'
- - set:
- field: event.kind
- value: event
- - set:
- field: event.timezone
- value: "{{{_conf.tz_offset}}}"
- if: "ctx?._conf?.tz_offset != null && ctx._conf.tz_offset != 'local'"
- - set:
- field: event.original
- override: false
- copy_from: message
- - remove:
- field: message
- ignore_missing: true
- - rename:
- field: message
- target_field: event.original
- ignore_missing: true
- - pipeline:
- name: '{{ IngestPipeline "dhcp" }}'
- if: "ctx?.log?.file?.path != null && !ctx.log.file.path.contains('V6')"
- - pipeline:
- name: '{{ IngestPipeline "dhcpv6" }}'
- if: "ctx?.log?.file?.path != null && ctx.log.file.path.contains('V6')"
- - foreach:
- field: observer.mac
- ignore_missing: true
- processor:
- gsub:
- field: _ingest._value
- pattern: '[:]'
- replacement: '-'
- - foreach:
- field: observer.mac
- ignore_missing: true
- processor:
- uppercase:
- field: _ingest._value
- - remove:
- field: event.original
- if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))"
- ignore_failure: true
- ignore_missing: true
- - remove:
- field:
- - _tmp_
- - _conf
- ignore_missing: true
-on_failure:
- - set:
- field: error.message
- value: |-
- Processor "{{ _ingest.on_failure_processor_type }}" with tag "{{ _ingest.on_failure_processor_tag }}" in pipeline "{{ _ingest.on_failure_pipeline }}" failed with message "{{ _ingest.on_failure_message }}"
- - remove:
- field:
- - _tmp_
- - _conf
diff --git a/packages/microsoft_dhcp/1.7.0/data_stream/log/elasticsearch/ingest_pipeline/dhcp.yml b/packages/microsoft_dhcp/1.7.0/data_stream/log/elasticsearch/ingest_pipeline/dhcp.yml
deleted file mode 100755
index e2ad56f413..0000000000
--- a/packages/microsoft_dhcp/1.7.0/data_stream/log/elasticsearch/ingest_pipeline/dhcp.yml
+++ /dev/null
@@ -1,353 +0,0 @@
----
-## Reference document for DHCP field mapping: https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd183591(v=ws.10)
-description: Pipeline for processing Microsoft DHCP Server logs.
-processors:
- - csv:
- field: event.original
- target_fields:
- - event.code
- - _tmp_.date
- - _tmp_.time
- - message
- - host.ip
- - host.name
- - _tmp_.mac
- - user.name
- - microsoft.dhcp.transaction_id
- - microsoft.dhcp.result
- - microsoft.dhcp.probation_time
- - microsoft.dhcp.correlation_id
- - microsoft.dhcp.dhc_id
- - microsoft.dhcp.vendor.hex
- - microsoft.dhcp.vendor.string
- - microsoft.dhcp.user.hex
- - microsoft.dhcp.user.string
- - microsoft.dhcp.relay_agent_info
- - microsoft.dhcp.dns_error_code
- ignore_failure: true
- - grok:
- field: host.name
- if: 'ctx.host?.name != null && ctx.host.name.contains(".")'
- patterns:
- - "%{HOSTNAME}\\.%{GREEDYDATA:host.domain}"
- pattern_definitions:
- "HOSTNAME": "[^.]+"
- ignore_failure: true
- - set:
- field: _tmp_.timestamp
- value: "{{{_tmp_.date}}} {{{_tmp_.time}}}"
- - date:
- field: _tmp_.timestamp
- formats:
- - "MM/dd/yy HH:mm:ss"
- timezone: "{{{event.timezone}}}"
- - script:
- description: Set event action, category, outcome, and type for all known event types.
- lang: painless
- tag: Add ECS categorization fields
- params:
- "00":
- action: log-start
- category:
- - process
- type:
- - start
- "01":
- action: log-end
- category:
- - process
- type:
- - end
- "02":
- action: log-pause
- category:
- - process
- type:
- - change
- outcome: failure
- "10":
- action: dhcp-new
- category:
- - network
- type:
- - allowed
- - connection
- "11":
- action: dhcp-renew
- category:
- - network
- type:
- - allowed
- - connection
- "12":
- action: dhcp-release
- category:
- - network
- type:
- - allowed
- - connection
- "13":
- category:
- - network
- type:
- - connection
- "14":
- category:
- - network
- type:
- - connection
- - denied
- outcome: failure
- "15":
- action: dhcp-deny
- category:
- - network
- type:
- - connection
- - denied
- outcome: failure
- "16":
- action: dhcp-delete
- category:
- - network
- type:
- - connection
- "17":
- action: dhcp-expire
- category:
- - network
- type:
- - connection
- "18":
- action: dhcp-expire
- category:
- - network
- type:
- - connection
- "20":
- category:
- - network
- type:
- - allowed
- - connection
- "21":
- category:
- - network
- type:
- - allowed
- - connection
- "22":
- category:
- - network
- type:
- - connection
- - denied
- outcome: failure
- "23":
- category:
- - network
- type:
- - connection
- - denied
- outcome: failure
- "24":
- action: ip-cleanup-start
- category:
- - process
- type:
- - start
- "25":
- action: ip-cleanup-end
- category:
- - process
- type:
- - start
- "30":
- action: dhcp-dns-update
- category:
- - network
- type:
- - connection
- "31":
- action: dhcp-dns-update
- category:
- - network
- type:
- - connection
- outcome: failure
- "32":
- action: dhcp-dns-update
- category:
- - network
- type:
- - connection
- "33":
- category:
- - network
- type:
- - connection
- outcome: failure
- "34":
- action: dhcp-dns-update
- category:
- - network
- type:
- - connection
- outcome: failure
- "35":
- action: dhcp-dns-update
- category:
- - network
- type:
- - connection
- - denied
- outcome: failure
- "36":
- category:
- - network
- type:
- - connection
- - denied
- outcome: failure
- "50":
- action: rogue-server-detection
- category:
- - authentication
- - network
- type:
- - connection
- outcome: failure
- "51":
- action: rogue-server-detection
- category:
- - authentication
- - network
- type:
- - allowed
- - connection
- "52":
- action: rogue-server-detection
- category:
- - authentication
- - network
- type:
- - connection
- "53":
- action: rogue-server-detection
- category:
- - authentication
- - network
- type:
- - allowed
- - connection
- "54":
- action: rogue-server-detection
- category:
- - authentication
- - network
- type:
- - connection
- - denied
- outcome: failure
- "55":
- action: rogue-server-detection
- category:
- - authentication
- - network
- type:
- - allowed
- - connection
- "56":
- action: rogue-server-detection
- category:
- - authentication
- - network
- type:
- - connection
- - denied
- outcome: failure
- "57":
- action: rogue-server-detection
- category:
- - authentication
- - network
- type:
- - connection
- "58":
- action: rogue-server-detection
- category:
- - authentication
- - network
- type:
- - connection
- outcome: failure
- "59":
- action: rogue-server-detection
- category:
- - authentication
- - network
- type:
- - connection
- outcome: failure
- "60":
- action: rogue-server-detection
- category:
- - authentication
- - network
- type:
- - connection
- "61":
- action: rogue-server-detection
- category:
- - authentication
- - network
- type:
- - connection
- "62":
- action: rogue-server-detection
- category:
- - authentication
- - network
- type:
- - connection
- "63":
- action: rogue-server-detection
- category:
- - authentication
- - network
- type:
- - connection
- "64":
- action: rogue-server-detection
- category:
- - authentication
- - network
- type:
- - connection
- source: |-
- if (ctx?.event?.code == null || params.get(ctx.event.code) == null) {
- return;
- }
- def hm = new HashMap(params[ctx.event.code]);
- hm.forEach((k, v) -> ctx.event[k] = v);
- - set:
- field: event.outcome
- value: success
- if: ctx?.event?.outcome == null
- - gsub:
- field: _tmp_.mac
- pattern: '(..)(?!$)'
- replacement: '$1-'
- ignore_missing: true
- - uppercase:
- field: _tmp_.mac
- ignore_missing: true
- - append:
- if: ctx?._tmp_?.mac != null
- field: host.mac
- value: '{{{_tmp_.mac}}}'
-on_failure:
- - set:
- field: error.message
- value: |-
- Processor "{{ _ingest.on_failure_processor_type }}" with tag "{{ _ingest.on_failure_processor_tag }}" in pipeline "{{ _ingest.on_failure_pipeline }}" failed with message "{{ _ingest.on_failure_message }}"
diff --git a/packages/microsoft_dhcp/1.7.0/data_stream/log/elasticsearch/ingest_pipeline/dhcpv6.yml b/packages/microsoft_dhcp/1.7.0/data_stream/log/elasticsearch/ingest_pipeline/dhcpv6.yml
deleted file mode 100755
index ff848a28a8..0000000000
--- a/packages/microsoft_dhcp/1.7.0/data_stream/log/elasticsearch/ingest_pipeline/dhcpv6.yml
+++ /dev/null
@@ -1,252 +0,0 @@
----
-description: Pipeline for processing Microsoft DHCPv6 Server logs.
-processors:
- - csv:
- field: event.original
- target_fields:
- - event.code
- - _tmp_.date
- - _tmp_.time
- - message
- - host.ip
- - host.name
- - microsoft.dhcp.error_code
- - microsoft.dhcp.duid.length
- - microsoft.dhcp.duid.hex
- - microsoft.dhcp.user.string
- - microsoft.dhcp.dhc_id
- - microsoft.dhcp.subnet_prefix
- ignore_failure: true
- - grok:
- field: host.name
- if: 'ctx.host?.name != null && ctx.host.name.contains(".")'
- patterns:
- - "%{HOSTNAME}\\.%{GREEDYDATA:host.domain}"
- pattern_definitions:
- "HOSTNAME": "[^.]+"
- ignore_failure: true
- - set:
- field: _tmp_.timestamp
- value: "{{{_tmp_.date}}} {{{_tmp_.time}}}"
- - date:
- field: _tmp_.timestamp
- formats:
- - "MM/dd/yy HH:mm:ss"
- timezone: "{{{event.timezone}}}"
- - script:
- description: Set event action, category, outcome, and type for all known event types.
- lang: painless
- tag: Add ECS categorization fields
- params:
- "11000":
- action: dhcpv6-solicit
- category:
- - network
- type:
- - connection
- - protocol
- "11001":
- action: dhcpv6-advertise
- category:
- - network
- type:
- - connection
- - protocol
- "11002":
- action: dhcpv6-request
- category:
- - network
- type:
- - connection
- - protocol
- "11003":
- action: dhcpv6-confirm
- category:
- - network
- type:
- - connection
- - protocol
- "11004":
- action: dhcpv6-renew
- category:
- - network
- type:
- - connection
- - protocol
- "11005":
- action: dhcpv6-rebind
- category:
- - network
- type:
- - connection
- - protocol
- "11006":
- action: dhcpv6-decline
- category:
- - network
- type:
- - connection
- - protocol
- outcome: failure
- "11007":
- action: dhcpv6-release
- category:
- - network
- type:
- - connection
- "11008":
- action: dhcpv6-info-request
- category:
- - network
- type:
- - connection
- "11009":
- action: dhcpv6-scope-full
- category:
- - network
- type:
- - connection
- "11010":
- action: log-start
- category:
- - process
- type:
- - start
- "11011":
- action: log-stop
- category:
- - process
- type:
- - end
- "11012":
- action: log-pause
- category:
- - process
- type:
- - change
- "11013":
- action: log-file
- category:
- - process
- type:
- - info
- "11014":
- action: dhcpv6-bad-address
- category:
- - network
- type:
- - connection
- outcome: failure
- "11015":
- action: dhcpv6-address-in-use
- category:
- - network
- type:
- - connection
- "11016":
- action: dhcpv6-client-deleted
- category:
- - network
- type:
- - connection
- "11017":
- action: ipv6-dns-record-not-deleted
- category:
- - network
- type:
- - connection
- "11018":
- action: dhcpv6-expired
- category:
- - network
- type:
- - connection
- "11019":
- action: dhcpv6-lease-expired-deleted
- category:
- - network
- type:
- - connection
- "11020":
- action: dhcpv6-cleanup-start
- category:
- - process
- type:
- - start
- "11021":
- action: dhcpv6-cleanup-end
- category:
- - process
- type:
- - end
- "11022":
- action: ipv6-dns-update-request
- category:
- - network
- type:
- - connection
- - start
- "11023":
- action: ipv6-dns-update-failed
- category:
- - network
- type:
- - connection
- - end
- outcome: failure
- "11024":
- action: ipv6-dns-update-successful
- category:
- - network
- type:
- - connection
- - end
- "11028":
- action: ipv6-dns-update-request-queue-exceeded
- category:
- - network
- type:
- - connection
- - end
- outcome: failure
- "11029":
- action: ipv6-dns-update-request-failed
- category:
- - network
- type:
- - connection
- - end
- outcome: failure
- "11030":
- action: dhcpv6-stateless-clients-pruged
- category:
- - process
- type:
- - change
- "11031":
- action: dhcpv6-stateless-clients-expired
- category:
- - process
- type:
- - change
- "11032":
- action: dhcpv6-stateless-client-info-request
- category:
- - network
- type:
- - info
- source: |-
- if (ctx?.event?.code == null || params.get(ctx.event.code) == null) {
- return;
- }
- def hm = new HashMap(params[ctx.event.code]);
- hm.forEach((k, v) -> ctx.event[k] = v);
- - set:
- field: event.outcome
- value: success
- if: ctx?.event?.outcome == null
-on_failure:
- - set:
- field: error.message
- value: |-
- Processor "{{ _ingest.on_failure_processor_type }}" with tag "{{ _ingest.on_failure_processor_tag }}" in pipeline "{{ _ingest.on_failure_pipeline }}" failed with message "{{ _ingest.on_failure_message }}"
diff --git a/packages/microsoft_dhcp/1.7.0/data_stream/log/fields/agent.yml b/packages/microsoft_dhcp/1.7.0/data_stream/log/fields/agent.yml
deleted file mode 100755
index dbed2e68dc..0000000000
--- a/packages/microsoft_dhcp/1.7.0/data_stream/log/fields/agent.yml
+++ /dev/null
@@ -1,4 +0,0 @@
-- name: input.type
- type: keyword
-- name: log.offset
- type: long
diff --git a/packages/microsoft_dhcp/1.7.0/data_stream/log/fields/base-fields.yml b/packages/microsoft_dhcp/1.7.0/data_stream/log/fields/base-fields.yml
deleted file mode 100755
index 096db185c7..0000000000
--- a/packages/microsoft_dhcp/1.7.0/data_stream/log/fields/base-fields.yml
+++ /dev/null
@@ -1,20 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: "@timestamp"
- type: date
- description: Event timestamp.
-- name: event.module
- type: constant_keyword
- description: Event module
- value: microsoft_dhcp
-- name: event.dataset
- type: constant_keyword
- description: Event dataset
- value: microsoft_dhcp.log
diff --git a/packages/microsoft_dhcp/1.7.0/data_stream/log/fields/ecs.yml b/packages/microsoft_dhcp/1.7.0/data_stream/log/fields/ecs.yml
deleted file mode 100755
index dc576f8d62..0000000000
--- a/packages/microsoft_dhcp/1.7.0/data_stream/log/fields/ecs.yml
+++ /dev/null
@@ -1,124 +0,0 @@ -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: |- - The action captured by the event. - This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. - name: event.action - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. This will allow proper categorization of some events that fall in multiple categories. - name: event.category - normalize: - - array - type: keyword -- description: |- - Identification code for this event, if one exists. - Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. - name: event.code - type: keyword -- description: |- - Timestamp when an event arrived in the central data store. - This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. - In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. 
- name: event.ingested - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: |- - Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. - This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. - doc_values: false - index: false - name: event.original - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. - `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. - Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. - Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. - Further note that not all events will have an associated outcome. 
For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. - name: event.outcome - type: keyword -- description: |- - This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. - Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). - name: event.timezone - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. - `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. This will allow proper categorization of some events that fall in multiple event types. - name: event.type - normalize: - - array - type: keyword -- description: |- - Name of the domain of which the host is a member. - For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. - name: host.domain - type: keyword -- description: |- - Name of the host. - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. - name: host.name - type: keyword -- description: Host ip addresses. - name: host.ip - normalize: - - array - type: ip -- description: |- - Host MAC addresses. - The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. 
- name: host.mac - normalize: - - array - pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ - type: keyword -- description: |- - Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. - If the event wasn't read from a log file, do not populate this field. - name: log.file.path - type: keyword -- description: |- - For log events the message field contains the log message, optimized for viewing in a log viewer. - For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. - If multiple messages exist, they can be combined into one message. - name: message - type: match_only_text -- description: Hostname of the observer. - name: observer.hostname - type: keyword -- description: IP addresses of the observer. - name: observer.ip - normalize: - - array - type: ip -- description: |- - MAC addresses of the observer. - The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. - name: observer.mac - normalize: - - array - pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ - type: keyword -- description: List of keywords used to tag each event. - name: tags - normalize: - - array - type: keyword -- description: Short name or login of the user. - multi_fields: - - name: text - type: match_only_text - name: user.name - type: keyword diff --git a/packages/microsoft_dhcp/1.7.0/data_stream/log/fields/fields.yml b/packages/microsoft_dhcp/1.7.0/data_stream/log/fields/fields.yml deleted file mode 100755 index 3d7eebb86c..0000000000 --- a/packages/microsoft_dhcp/1.7.0/data_stream/log/fields/fields.yml +++ /dev/null 
@@ -1,63 +0,0 @@
-- name: microsoft.dhcp
- type: group
- fields:
- - name: transaction_id
- type: keyword
- description: |
- The DHCP transaction ID.
- - name: result
- type: keyword
- description: |
- The DHCP result type, for example "NoQuarantine", "Drop Packet" etc.
- - name: probation_time
- type: keyword
- description: |
- The probation time before lease ends on specific IP.
- - name: correlation_id
- type: keyword
- description: |
- The NAP correlation ID related to the client/server transaction.
- - name: dhc_id
- type: keyword
- description: |
- The related DHCID (DHC DNS record).
- - name: vendor.hex
- type: keyword
- description: |
- Hex representation of the vendor.
- - name: vendor.string
- type: keyword
- description: |
- String representation of the vendor.
- - name: user.hex
- type: keyword
- description: |
- Hex representation of the user.
- - name: user.string
- type: keyword
- description: |
- String representation of the user.
- - name: relay_agent_info
- type: keyword
- description: |
- Information about DHCP relay agent used for the DHCP request.
- - name: dns_error_code
- type: keyword
- description: |
- DNS error code communicated to client.
- - name: error_code
- type: keyword
- description: |
- DHCP server error code.
- - name: duid.length
- type: keyword
- description: |
- The length of the DUID field.
- - name: duid.hex
- type: keyword
- description: |
- The related DHCP Unique Identifier (DUID) for the host (DHCPv6).
- - name: subnet_prefix
- type: keyword
- description: |
- The number of bits for the subnet prefix.
diff --git a/packages/microsoft_dhcp/1.7.0/data_stream/log/manifest.yml b/packages/microsoft_dhcp/1.7.0/data_stream/log/manifest.yml
deleted file mode 100755
index 092f44f2b0..0000000000
--- a/packages/microsoft_dhcp/1.7.0/data_stream/log/manifest.yml
+++ /dev/null
@@ -1,50 +0,0 @@
-title: "Microsoft DHCP Logs"
-type: logs
-streams:
- - input: logfile
- template_path: logfile.yml.hbs
- title: DHCP Logs
- description: Collects Microsoft DHCP logs.
- vars:
- - name: tz_offset
- type: text
- title: Timezone Offset
- multi: false
- required: true
- show_user: true
- default: local
- description: >-
- By default, datetimes in the logs will be interpreted as relative to the timezone configured in the host where the agent is running. If ingesting logs from a host on a different timezone, use this field to set the timezone offset so that datetimes are correctly parsed. Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00") from UCT.
- - name: paths
- type: text
- title: Paths
- multi: true
- show_user: true
- default:
- - 'C:\Windows\System32\DHCP\DhcpSrvLog-*.log'
- - name: preserve_original_event
- required: true
- show_user: true
- title: Preserve original event
- description: Preserves a raw copy of the original event, added to the field `event.original`.
- type: bool
- multi: false
- default: false
- - name: tags
- type: text
- title: Tags
- multi: true
- required: true
- show_user: false
- default:
- - forwarded
- - microsoft_dhcp
- - name: processors
- type: yaml
- title: Processors
- multi: false
- required: false
- show_user: false
- description: >
- Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
-
diff --git a/packages/microsoft_dhcp/1.7.0/data_stream/log/sample_event.json b/packages/microsoft_dhcp/1.7.0/data_stream/log/sample_event.json
deleted file mode 100755
index c56a4fede8..0000000000
--- a/packages/microsoft_dhcp/1.7.0/data_stream/log/sample_event.json
+++ /dev/null
@@ -1,73 +0,0 @@
-{
- "@timestamp": "2001-01-01T01:01:01.000-05:00",
- "agent": {
- "ephemeral_id": "268da6cf-879e-4478-b666-96c44fba3109",
- "id": "3355f43c-4984-4a3f-b93d-56ac8c865c8c",
- "name": "docker-fleet-agent",
- "type": "filebeat",
- "version": "8.4.1"
- },
- "data_stream": {
- "dataset": "microsoft_dhcp.log",
- "namespace": "ep",
- "type": "logs"
- },
- "ecs": {
- "version": "8.4.0"
- },
- "elastic_agent": {
- "id": "3355f43c-4984-4a3f-b93d-56ac8c865c8c",
- "snapshot": false,
- "version": "8.4.1"
- },
- "event": {
- "action": "dhcp-dns-update",
- "agent_id_status": "verified",
- "category": [
- "network"
- ],
- "code": "35",
- "dataset": "microsoft_dhcp.log",
- "ingested": "2022-09-26T06:06:08Z",
- "kind": "event",
- "original": "35,01/01/01,01:01:01,DNS update request failed,192.168.2.1,host.test.com,000000000000,",
- "outcome": "failure",
- "timezone": "America/New_York",
- "type": [
- "connection",
- "denied"
- ]
- },
- "host": {
- "domain": "test.com",
- "ip": "192.168.2.1",
- "mac": [
- "00-00-00-00-00-00"
- ],
- "name": "host.test.com"
- },
- "input": {
- "type": "log"
- },
- "log": {
- "file": {
- "path": "/tmp/service_logs/test-dhcp.log"
- },
- "offset": 2407
- },
- "message": "DNS update request failed",
- "observer": {
- "hostname": "docker-fleet-agent",
- "ip": [
- "172.23.0.4"
- ],
- "mac": [
- "02-42-AC-17-00-04"
- ]
- },
- "tags": [
- "preserve_original_event",
- "forwarded",
- "microsoft_dhcp"
- ]
-}
\ No newline at end of file
diff --git a/packages/microsoft_dhcp/1.7.0/docs/README.md b/packages/microsoft_dhcp/1.7.0/docs/README.md
deleted file mode 100755
index d840ba02d0..0000000000
--- a/packages/microsoft_dhcp/1.7.0/docs/README.md
+++ /dev/null
@@ -1,145 +0,0 @@ -# Microsoft DHCP - -This integration collects logs and metrics from Microsoft DHCP logs. - -## Compatibility - -This integration has been made to support the DHCP log format from Windows Server 2008 and later. - -### Logs - -Ingest logs from Microsoft DHCP Server, by default logged with the filename format: -`%windir%\System32\DHCP\DhcpSrvLog-*.log` - -Logs may also be ingested from Microsoft DHCPv6 Server, by default logged with the filename format: -`%windir%\System32\DHCP\DhcpV6SrvLog-*.log` - -Relevant documentation for Microsoft DHCP can be found on [this]https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd183591(v=ws.10) location. - -An example event for `log` looks as following: - -```json -{ - "@timestamp": "2001-01-01T01:01:01.000-05:00", - "agent": { - "ephemeral_id": "268da6cf-879e-4478-b666-96c44fba3109", - "id": "3355f43c-4984-4a3f-b93d-56ac8c865c8c", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "8.4.1" - }, - "data_stream": { - "dataset": "microsoft_dhcp.log", - "namespace": "ep", - "type": "logs" - }, - "ecs": { - "version": "8.4.0" - }, - "elastic_agent": { - "id": "3355f43c-4984-4a3f-b93d-56ac8c865c8c", - "snapshot": false, - "version": "8.4.1" - }, - "event": { - "action": "dhcp-dns-update", - "agent_id_status": "verified", - "category": [ - "network" - ], - "code": "35", - "dataset": "microsoft_dhcp.log", - "ingested": "2022-09-26T06:06:08Z", - "kind": "event", - "original": "35,01/01/01,01:01:01,DNS update request failed,192.168.2.1,host.test.com,000000000000,", - "outcome": "failure", - "timezone": "America/New_York", - "type": [ - "connection", - "denied" - ] - }, - "host": { - "domain": "test.com", - "ip": "192.168.2.1", - "mac": [ - "00-00-00-00-00-00" - ], - "name": "host.test.com" - }, - "input": { - "type": "log" - }, - "log": { - "file": { - "path": "/tmp/service_logs/test-dhcp.log" - }, - "offset": 2407 - }, - "message": "DNS update request failed", 
- "observer": { - "hostname": "docker-fleet-agent", - "ip": [ - "172.23.0.4" - ], - "mac": [ - "02-42-AC-17-00-04" - ] - }, - "tags": [ - "preserve_original_event", - "forwarded", - "microsoft_dhcp" - ] -} -``` - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.code | Identification code for this event, if one exists. Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. | keyword | -| event.dataset | Event dataset | constant_keyword | -| event.ingested | Timestamp when an event arrived in the central data store. 
This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | -| event.module | Event module | constant_keyword | -| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | -| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. 
Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | -| event.timezone | This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). | keyword | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host MAC addresses. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. 
The sender decides which value to use. | keyword | -| input.type | | keyword | -| log.file.path | Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. | keyword | -| log.offset | | long | -| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | -| microsoft.dhcp.correlation_id | The NAP correlation ID related to the client/server transaction. | keyword | -| microsoft.dhcp.dhc_id | The related DHCID (DHC DNS record). | keyword | -| microsoft.dhcp.dns_error_code | DNS error code communicated to client. | keyword | -| microsoft.dhcp.duid.hex | The related DHCP Unique Identifier (DUID) for the host (DHCPv6). | keyword | -| microsoft.dhcp.duid.length | The length of the DUID field. | keyword | -| microsoft.dhcp.error_code | DHCP server error code. | keyword | -| microsoft.dhcp.probation_time | The probation time before lease ends on specific IP. | keyword | -| microsoft.dhcp.relay_agent_info | Information about DHCP relay agent used for the DHCP request. | keyword | -| microsoft.dhcp.result | The DHCP result type, for example "NoQuarantine", "Drop Packet" etc. | keyword | -| microsoft.dhcp.subnet_prefix | The number of bits for the subnet prefix. | keyword | -| microsoft.dhcp.transaction_id | The DHCP transaction ID. | keyword | -| microsoft.dhcp.user.hex | Hex representation of the user. | keyword | -| microsoft.dhcp.user.string | String representation of the user. | keyword | -| microsoft.dhcp.vendor.hex | Hex representation of the vendor. | keyword | -| microsoft.dhcp.vendor.string | String representation of the vendor. 
 | keyword |
-| observer.hostname | Hostname of the observer. | keyword |
-| observer.ip | IP addresses of the observer. | ip |
-| observer.mac | MAC addresses of the observer. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword |
-| tags | List of keywords used to tag each event. | keyword |
-| user.name | Short name or login of the user. | keyword |
-| user.name.text | Multi-field of `user.name`. | match_only_text |
diff --git a/packages/microsoft_dhcp/1.7.0/img/logo.svg b/packages/microsoft_dhcp/1.7.0/img/logo.svg
deleted file mode 100755
index 5334aa7ca6..0000000000
--- a/packages/microsoft_dhcp/1.7.0/img/logo.svg
+++ /dev/null
@@ -1 +0,0 @@
-
\ No newline at end of file
diff --git a/packages/microsoft_dhcp/1.7.0/manifest.yml b/packages/microsoft_dhcp/1.7.0/manifest.yml
deleted file mode 100755
index d9135a0745..0000000000
--- a/packages/microsoft_dhcp/1.7.0/manifest.yml
+++ /dev/null
@@ -1,27 +0,0 @@
-format_version: 1.0.0
-name: microsoft_dhcp
-title: Microsoft DHCP
-version: "1.7.0"
-license: basic
-description: Collect logs from Microsoft DHCP with Elastic Agent.
-type: integration
-categories:
- - network
-release: ga
-conditions:
- kibana.version: ^7.14.0 || ^8.0.0
-icons:
- - src: /img/logo.svg
- title: Microsoft logo
- size: 32x32
- type: image/svg+xml
-policy_templates:
- - name: microsoft_dhcp
- title: Microsoft DHCP
- description: Collect Microsoft DHCP logs.
- inputs:
- - type: logfile
- title: Logs from file
- description: Collect DHCP logs from file.
-owner:
- github: elastic/security-external-integrations
diff --git a/packages/modsecurity/1.2.1/LICENSE.txt b/packages/modsecurity/1.2.1/LICENSE.txt
deleted file mode 100755
index 809108b857..0000000000
--- a/packages/modsecurity/1.2.1/LICENSE.txt
+++ /dev/null
@@ -1,93 +0,0 @@ -Elastic License 2.0 - -URL: https://www.elastic.co/licensing/elastic-license - -## Acceptance - -By using the software, you agree to all of the terms and conditions below. - -## Copyright License - -The licensor grants you a non-exclusive, royalty-free, worldwide, -non-sublicensable, non-transferable license to use, copy, distribute, make -available, and prepare derivative works of the software, in each case subject to -the limitations and conditions below. - -## Limitations - -You may not provide the software to third parties as a hosted or managed -service, where the service provides users with access to any substantial set of -the features or functionality of the software. - -You may not move, change, disable, or circumvent the license key functionality -in the software, and you may not remove or obscure any functionality in the -software that is protected by the license key. - -You may not alter, remove, or obscure any licensing, copyright, or other notices -of the licensor in the software. Any use of the licensor’s trademarks is subject -to applicable law. - -## Patents - -The licensor grants you a license, under any patent claims the licensor can -license, or becomes able to license, to make, have made, use, sell, offer for -sale, import and have imported the software, in each case subject to the -limitations and conditions in this license. This license does not cover any -patent claims that you cause to be infringed by modifications or additions to -the software. If you or your company make any written claim that the software -infringes or contributes to infringement of any patent, your patent license for -the software granted under these terms ends immediately. If your company makes -such a claim, your patent license ends immediately for work on behalf of your -company. - -## Notices - -You must ensure that anyone who gets a copy of any part of the software from you -also gets a copy of these terms. 
- -If you modify the software, you must include in any modified copies of the -software prominent notices stating that you have modified the software. - -## No Other Rights - -These terms do not imply any licenses other than those expressly granted in -these terms. - -## Termination - -If you use the software in violation of these terms, such use is not licensed, -and your licenses will automatically terminate. If the licensor provides you -with a notice of your violation, and you cease all violation of this license no -later than 30 days after you receive that notice, your licenses will be -reinstated retroactively. However, if you violate these terms after such -reinstatement, any additional violation of these terms will cause your licenses -to terminate automatically and permanently. - -## No Liability - -*As far as the law allows, the software comes as is, without any warranty or -condition, and the licensor will not be liable to you for any damages arising -out of these terms or the use or nature of the software, under any kind of -legal claim.* - -## Definitions - -The **licensor** is the entity offering these terms, and the **software** is the -software the licensor makes available under these terms, including any portion -of it. - -**you** refers to the individual or entity agreeing to these terms. - -**your company** is any legal entity, sole proprietorship, or other kind of -organization that you work for, plus all organizations that have control over, -are under the control of, or are under common control with that -organization. **control** means ownership of substantially all the assets of an -entity, or the power to direct its management and policies by vote, contract, or -otherwise. Control can be direct or indirect. - -**your licenses** are all the licenses granted to you for the software under -these terms. - -**use** means anything you do with the software requiring one of your licenses. 
-
-**trademark** means trademarks, service marks, and similar rights.
diff --git a/packages/modsecurity/1.2.1/changelog.yml b/packages/modsecurity/1.2.1/changelog.yml
deleted file mode 100755
index 59d5c45be7..0000000000
--- a/packages/modsecurity/1.2.1/changelog.yml
+++ /dev/null
@@ -1,66 +0,0 @@
-# newer versions go on top
-- version: "1.2.1"
- changes:
- - description: Use ECS geo.location definition.
- type: enhancement
- link: https://github.com/elastic/integrations/issues/4227
-- version: "1.2.0"
- changes:
- - description: Update package to ECS 8.4.0
- type: enhancement
- link: https://github.com/elastic/integrations/pull/3868
-- version: "1.1.3"
- changes:
- - description: Fix typo in the build/docs/README.md
- type: bugfix
- link: https://github.com/elastic/integrations/pull/3435
-- version: "1.1.2"
- changes:
- - description: Fix date format, Json issues and apache modesecurity issues
- type: bugfix
- link: https://github.com/elastic/integrations/pull/3363
-- version: "1.1.1"
- changes:
- - description: Update package name and description to align with standard wording
- type: enhancement
- link: https://github.com/elastic/integrations/pull/3478
-- version: "1.1.0"
- changes:
- - description: Update package to ECS 8.3.0.
- type: enhancement
- link: https://github.com/elastic/integrations/pull/3353
-- version: "1.0.0"
- changes:
- - description: Make GA
- type: enhancement
- link: https://github.com/elastic/integrations/pull/3428
-- version: "0.1.5"
- changes:
- - description: Add documentation for multi-fields
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2916
-- version: "0.1.4"
- changes:
- - description: Change ownership to correct owner and update versions to support 8.x
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2846
-- version: "0.1.3"
- changes:
- - description: Regenerate test files using the new GeoIP database
- type: bugfix
- link: https://github.com/elastic/integrations/pull/2339
-- version: "0.1.2"
- changes:
- - description: Change test public IPs to the supported subset
- type: bugfix
- link: https://github.com/elastic/integrations/pull/2327
-- version: "0.1.1"
- changes:
- - description: Fix logic that checks for the 'forwarded' tag
- type: bugfix
- link: https://github.com/elastic/integrations/pull/1830
-- version: "0.1.0"
- changes:
- - description: Initial draft of the package
- type: enhancement
- link: https://github.com/elastic/integrations/pull/1603
diff --git a/packages/modsecurity/1.2.1/data_stream/auditlog/agent/stream/stream.yml.hbs b/packages/modsecurity/1.2.1/data_stream/auditlog/agent/stream/stream.yml.hbs
deleted file mode 100755
index 334aa4dc32..0000000000
--- a/packages/modsecurity/1.2.1/data_stream/auditlog/agent/stream/stream.yml.hbs
+++ /dev/null
@@ -1,23 +0,0 @@
-paths:
-{{#each paths}}
-- {{this}}
-{{/each}}
-tags:
-{{#if preserve_original_event}}
-- preserve_original_event
-{{/if}}
-{{#each tags as |tag i|}}
-- {{tag}}
-{{/each}}
-fields_under_root: true
-fields:
- tz_offset: {{tz_offset}}
-{{#contains "forwarded" tags}}
-publisher_pipeline.disable_host: true
-{{/contains}}
-exclude_files: [".gz$"]
-processors:
-{{#if processors}}
-{{processors}}
-{{/if}}
-- add_locale: ~
diff --git a/packages/modsecurity/1.2.1/data_stream/auditlog/elasticsearch/ingest_pipeline/apache-modsec.yml b/packages/modsecurity/1.2.1/data_stream/auditlog/elasticsearch/ingest_pipeline/apache-modsec.yml
deleted file mode 100755
index 4e6ec41c63..0000000000
--- a/packages/modsecurity/1.2.1/data_stream/auditlog/elasticsearch/ingest_pipeline/apache-modsec.yml
+++ /dev/null
@@ -1,118 +0,0 @@ ---- -description: Pipeline for apache modsecurity audit log. -processors: - - rename: - field: json.transaction.time - target_field: _temps.date - ignore_missing: true - - date: - field: _temps.date - formats: - - d/MMM/yyyy:HH:mm:ss Z -# rename ecs - - rename: - field: json.transaction.remote_address - target_field: source.ip - ignore_missing: true - - rename: - field: json.transaction.remote_port - target_field: source.port - ignore_missing: true - - grok: - field: json.request.request_line - patterns: - - "%{NOTSPACE:http.request.method} %{URIPATHPARAM:url.original}(?: HTTP/%{NUMBER:http.version})" - - set: - field: _temps.url - if: ctx.json.transaction.local_port == 443 - value: "https://{{json.request.headers.Host}}:{{json.transaction.#local_port}}{{url.original}}" - - set: - field: _temps.url - if: ctx.json.transaction.local_port == 80 - value: "http://{{json.request.headers.Host}}:{{json.transaction.#local_port}}{{url.original}}" - - uri_parts: - field: _temps.url - ignore_failure: true - keep_original: true - remove_if_successful: true - - rename: - field: json.response.status - target_field: http.response.status_code - ignore_missing: true - - rename: - field: json.response.headers.Content-Type - target_field: http.response.mime_type - ignore_missing: true - - rename: - field: json.response.headers.Content-Length - target_field: http.response.bytes - ignore_missing: true - - convert: - field: http.response.bytes - type: long - - rename: - field: json.audit_data.messages - target_field: modsec.audit.details - ignore_missing: true - - script: - lang: painless - ignore_failure: true - source: | - if (ctx.modsec?.audit?.details == null || ctx.modsec.audit.details.length == 0) { - return; - } - def details = ctx.modsec.audit.details; - def messages = new ArrayList(); - for (def i = 0; i < details.length; i++) { - def idx = details[i].indexOf(' ['); // Find first key value mark. 
- if (idx < 0) { - idx = details[i].length; - } - messages.add(details[i].substring(0, idx)); - } - ctx.modsec.audit.messages = messages - -# user agent and geoip enrich - - user_agent: - field: json.request.headers.User-Agent - ignore_missing: true - - geoip: - field: source.ip - target_field: source.geo - ignore_missing: true - - geoip: - database_file: GeoLite2-ASN.mmdb - field: source.ip - target_field: source.as - properties: - - asn - - organization_name - ignore_missing: true - - rename: - field: source.as.asn - target_field: source.as.number - ignore_missing: true - - rename: - field: source.as.organization_name - target_field: source.as.organization.name - ignore_missing: true - - set: - field: event.kind - value: event - - append: - field: event.category - value: web - - append: - field: event.type - value: access - - remove: - field: event.original - if: "ctx.tags == null || !(ctx.tags.contains('preserve_original_event'))" - ignore_failure: true - ignore_missing: true - - remove: - field: - - json - - _temps - ignore_failure: true - ignore_missing: true diff --git a/packages/modsecurity/1.2.1/data_stream/auditlog/elasticsearch/ingest_pipeline/default.yml b/packages/modsecurity/1.2.1/data_stream/auditlog/elasticsearch/ingest_pipeline/default.yml deleted file mode 100755 index 389f5e6809..0000000000 --- a/packages/modsecurity/1.2.1/data_stream/auditlog/elasticsearch/ingest_pipeline/default.yml +++ /dev/null 
@@ -1,36 +0,0 @@ ---- -description: Pipeline for modsecurity audit log. -processors: - - set: - field: ecs.version - value: '8.4.0' - - rename: - field: message - target_field: event.original - ignore_missing: true - - json: - field: event.original - target_field: json - ignore_failure: true - allow_duplicate_keys: true - -# according to check apache modesec log or nginx modsec log - - set: - field: modsec.audit.server - copy_from: json.audit_data.server - ignore_empty_value: true - - set: - field: modsec.audit.server - copy_from: json.transaction.response.headers.Server - ignore_empty_value: true - - pipeline: - name: '{{ IngestPipeline "nginx-modsec" }}' - if: ctx.modsec.audit.server.toLowerCase().contains('nginx') - - pipeline: - name: '{{ IngestPipeline "apache-modsec" }}' - if: ctx.modsec.audit.server.toLowerCase().contains('apache') - -on_failure: - - set: - field: error.message - value: "{{ _ingest.on_failure_message }}" diff --git a/packages/modsecurity/1.2.1/data_stream/auditlog/elasticsearch/ingest_pipeline/nginx-modsec.yml b/packages/modsecurity/1.2.1/data_stream/auditlog/elasticsearch/ingest_pipeline/nginx-modsec.yml deleted file mode 100755 index 575bcd0238..0000000000 --- a/packages/modsecurity/1.2.1/data_stream/auditlog/elasticsearch/ingest_pipeline/nginx-modsec.yml +++ /dev/null 
@@ -1,117 +0,0 @@ ---- -description: Pipeline for apache modsecurity audit log. -processors: - - rename: - field: json.transaction.time_stamp - target_field: _temps.date - ignore_missing: true - - date: - field: _temps.date - formats: - - E MMM dd HH:mm:ss yyyy - - E MMM d HH:mm:ss yyyy -# rename ecs - - rename: - field: json.transaction.client_ip - target_field: source.ip - ignore_missing: true - - rename: - field: json.transaction.client_port - target_field: source.port - ignore_missing: true - - rename: - field: json.transaction.request.method - target_field: http.request.method - ignore_missing: true - - convert: - field: json.transaction.request.http_version - target_field: http.version - type: string - ignore_missing: true - - set: - field: _temps.url - if: ctx.json.transaction.host_port == 443 - value: "https://{{json.transaction.request.headers.Host}}:{{json.transaction.host_port}}{{json.transaction.request.uri}}" - - set: - field: _temps.url - if: ctx.json.transaction.host_port == 80 - value: "http://{{json.transaction.request.headers.Host}}:{{json.transaction.host_port}}{{json.transaction.request.uri}}" - - uri_parts: - field: _temps.url - ignore_failure: true - keep_original: true - remove_if_successful: true - - rename: - field: json.transaction.response.http_code - target_field: http.response.status_code - ignore_missing: true - - rename: - field: json.transaction.response.headers.Content-Type - target_field: http.response.mime_type - ignore_missing: true - - rename: - field: json.transaction.response.Content-Length - target_field: http.response.bytes - ignore_missing: true - - foreach: - field: json.transaction.messages - ignore_missing: true - processor: - append: - field: modsec.audit.messages - value: '{{{_ingest._value.message}}}' - - foreach: - field: json.transaction.messages - ignore_missing: true - processor: - remove: - field: _ingest._value.message - - rename: - field: json.transaction.messages - target_field: modsec.audit.details - if: 
ctx.json?.transaction?.messages != null && ctx.json?.transaction?.messages.length != 0 - -# user agent and geoip enrich - - user_agent: - field: json.transaction.request.headers.User-Agent - ignore_missing: true - - geoip: - field: source.ip - target_field: source.geo - ignore_missing: true - - geoip: - database_file: GeoLite2-ASN.mmdb - field: source.ip - target_field: source.as - properties: - - asn - - organization_name - ignore_missing: true - - rename: - field: source.as.asn - target_field: source.as.number - ignore_missing: true - - rename: - field: source.as.organization_name - target_field: source.as.organization.name - ignore_missing: true - - set: - field: event.kind - value: event - - append: - field: event.category - value: web - - append: - field: event.type - value: access - - remove: - field: event.original - if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" - ignore_failure: true - ignore_missing: true - - remove: - field: - - json - - _temps - ignore_failure: true - ignore_missing: true diff --git a/packages/modsecurity/1.2.1/data_stream/auditlog/fields/agent.yml b/packages/modsecurity/1.2.1/data_stream/auditlog/fields/agent.yml deleted file mode 100755 index e313ec8287..0000000000 --- a/packages/modsecurity/1.2.1/data_stream/auditlog/fields/agent.yml +++ /dev/null 
@@ -1,204 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. 
- -- name: input.type - type: keyword - description: Input type -- name: log.offset - type: long - description: Log offset diff --git a/packages/modsecurity/1.2.1/data_stream/auditlog/fields/base-fields.yml b/packages/modsecurity/1.2.1/data_stream/auditlog/fields/base-fields.yml deleted file mode 100755 index 041609421b..0000000000 --- a/packages/modsecurity/1.2.1/data_stream/auditlog/fields/base-fields.yml +++ /dev/null @@ -1,23 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: '@timestamp' - type: date - description: Event timestamp. -- name: 'message' - type: text - description: human-readable summary of the event -- name: event.module - type: constant_keyword - description: Event module - value: modsecurity -- name: event.dataset - type: constant_keyword - description: Event dataset - value: modsecurity.auditlog diff --git a/packages/modsecurity/1.2.1/data_stream/auditlog/fields/ecs.yml b/packages/modsecurity/1.2.1/data_stream/auditlog/fields/ecs.yml deleted file mode 100755 index c6d206e469..0000000000 --- a/packages/modsecurity/1.2.1/data_stream/auditlog/fields/ecs.yml +++ /dev/null 
@@ -1,181 +0,0 @@ -- description: |- - The domain name of the destination system. - This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. - name: destination.domain - type: keyword -- description: IP address of the destination (IPv4 or IPv6). - name: destination.ip - type: ip -- description: Port of the destination. - name: destination.port - type: long -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: Host ip addresses. - name: host.ip - normalize: - - array - type: ip -- description: |- - HTTP request method. - The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field. - name: http.request.method - type: keyword -- description: Referrer for this HTTP request. - name: http.request.referrer - type: keyword -- description: Total size in bytes of the response (body and headers). - name: http.response.bytes - type: long -- description: HTTP response status code. - name: http.response.status_code - type: long -- description: |- - Mime type of the body of the response. - This value must only be populated based on the content of the response body, not on the `Content-Type` header. Comparing the mime type of a response with the response's Content-Type header can be helpful in detecting misconfigured servers. - name: http.response.mime_type - type: keyword -- description: HTTP version. - name: http.version - type: keyword -- description: |- - Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. 
- If the event wasn't read from a log file, do not populate this field. - name: log.file.path - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - normalize: - - array - type: ip -- description: |- - Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: source.address - type: keyword -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: source.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: source.as.organization.name - type: keyword -- description: City name. - name: source.geo.city_name - type: keyword -- description: Name of the continent. - name: source.geo.continent_name - type: keyword -- description: Country ISO code. - name: source.geo.country_iso_code - type: keyword -- description: Country name. - name: source.geo.country_name - type: keyword -- description: Longitude and latitude. - name: source.geo.location - type: geo_point -- description: Region ISO code. - name: source.geo.region_iso_code - type: keyword -- description: Region name. - name: source.geo.region_name - type: keyword -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: Port of the source. - name: source.port - type: long -- description: List of keywords used to tag each event. - name: tags - normalize: - - array - type: keyword -- description: |- - Domain of the url, such as "www.elastic.co". - In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. 
- If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. - name: url.domain - type: keyword -- description: |- - The field contains the file extension from the original request url, excluding the leading dot. - The file extension is only set if it exists, as not every url has a file extension. - The leading period must not be included. For example, the value must be "png", not ".png". - Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). - name: url.extension - type: keyword -- description: |- - Portion of the url after the `#`, such as "top". - The `#` is not part of the fragment. - name: url.fragment - type: keyword -- description: |- - Unmodified original url as seen in the event source. - Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. - This field is meant to represent the URL as it was observed, complete or not. - multi_fields: - - name: text - type: match_only_text - name: url.original - type: wildcard -- description: Path of the request, such as "/search". - name: url.path - type: wildcard -- description: |- - Scheme of the request, such as "https". - Note: The `:` is not part of the scheme. - name: url.scheme - type: keyword -- description: Port of the request, such as 443. - name: url.port - type: long -- description: |- - The query field describes the query string of the request, such as "q=elasticsearch". - The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. - name: url.query - type: keyword -- description: Short name or login of the user. 
- multi_fields: - - name: text - type: match_only_text - name: user.name - type: keyword -- description: Name of the device. - name: user_agent.device.name - type: keyword -- description: Name of the user agent. - name: user_agent.name - type: keyword -- description: Unparsed user_agent string. - multi_fields: - - name: text - type: match_only_text - name: user_agent.original - type: keyword -- description: Operating system name, including the version or code name. - multi_fields: - - name: text - type: match_only_text - name: user_agent.os.full - type: keyword -- description: Operating system name, without the version. - multi_fields: - - name: text - type: match_only_text - name: user_agent.os.name - type: keyword -- description: Operating system version as a raw string. - name: user_agent.os.version - type: keyword -- description: Version of the user agent. - name: user_agent.version - type: keyword -- description: A rule ID that is unique within the scope of an agent, observer, or other entity using the rule for detection of this event. - name: rule.id - type: keyword diff --git a/packages/modsecurity/1.2.1/data_stream/auditlog/fields/fields.yml b/packages/modsecurity/1.2.1/data_stream/auditlog/fields/fields.yml deleted file mode 100755 index d17908753c..0000000000 --- a/packages/modsecurity/1.2.1/data_stream/auditlog/fields/fields.yml +++ /dev/null @@ -1,12 +0,0 @@ -- name: modsec.audit - type: group - fields: - - name: server - type: keyword - description: Modsecurity server name. - - name: messages - type: keyword - description: Modsecurity audit message. - - name: details - type: flattened - description: Modsecurity audit details. diff --git a/packages/modsecurity/1.2.1/data_stream/auditlog/manifest.yml b/packages/modsecurity/1.2.1/data_stream/auditlog/manifest.yml deleted file mode 100755 index e164fa7e7c..0000000000 --- a/packages/modsecurity/1.2.1/data_stream/auditlog/manifest.yml +++ /dev/null 
@@ -1,42 +0,0 @@ -title: Modsecurity Audit Log -type: logs -release: experimental -streams: - - input: logfile - template_path: stream.yml.hbs - vars: - - name: paths - type: text - title: Paths - multi: true - required: true - show_user: true - default: - - /var/log/modsec-audit* - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: false - default: - - modsec-audit - - name: preserve_original_event - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original` - type: bool - multi: false - required: true - show_user: true - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: > - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. - - title: Modsecurity Audit Log - description: Collect modsecurity audit logs diff --git a/packages/modsecurity/1.2.1/data_stream/auditlog/sample_event.json b/packages/modsecurity/1.2.1/data_stream/auditlog/sample_event.json deleted file mode 100755 index 14ce68fb72..0000000000 --- a/packages/modsecurity/1.2.1/data_stream/auditlog/sample_event.json +++ /dev/null 
@@ -1,104 +0,0 @@ -{ - "@timestamp": "2021-05-14T14:38:37.000Z", - "agent": { - "ephemeral_id": "8fddcb23-4448-4367-90d9-edcbc864bd90", - "hostname": "docker-fleet-agent", - "id": "7e4d3f97-32e1-485a-833e-ad6e2dcf10cf", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "7.16.0" - }, - "data_stream": { - "dataset": "modsecurity.auditlog", - "namespace": "ep", - "type": "logs" - }, - "ecs": { - "version": "8.3.0" - }, - "elastic_agent": { - "id": "7e4d3f97-32e1-485a-833e-ad6e2dcf10cf", - "snapshot": true, - "version": "7.16.0" - }, - "event": { - "agent_id_status": "verified", - "category": [ - "web" - ], - "dataset": "modsecurity.auditlog", - "ingested": "2022-06-29T08:29:43Z", - "kind": "event", - "timezone": "+00:00", - "type": [ - "access" - ] - }, - "host": { - "architecture": "x86_64", - "containerized": true, - "hostname": "docker-fleet-agent", - "id": "1fe40eba24f3f02b88864749eb7679a3", - "ip": [ - "172.31.0.7" - ], - "mac": [ - "02:42:ac:1f:00:07" - ], - "name": "docker-fleet-agent", - "os": { - "codename": "Core", - "family": "redhat", - "kernel": "5.10.102.1-microsoft-standard-WSL2", - "name": "CentOS Linux", - "platform": "centos", - "type": "linux", - "version": "7 (Core)" - } - }, - "http": { - "request": { - "method": "PUT" - }, - "response": { - "mime_type": "application/json; charset=utf-8", - "status_code": 400 - }, - "version": "1.1" - }, - "input": { - "type": "log" - }, - "log": { - "file": { - "path": "/tmp/service_logs/modsec-audit.log" - }, - "offset": 0 - }, - "modsec": { - "audit": { - "server": "nginx/1.14.0" - } - }, - "source": { - "ip": "37.120.205.2", - "port": 56047 - }, - "tags": [ - "modsec-audit" - ], - "url": { - "domain": "www.test.com", - "original": "https://www.test.com:/orders/2734183/finish", - "path": "/orders/2734183/finish", - "scheme": "https" - }, - "user_agent": { - "device": { - "name": "Other" - }, - "name": "okhttp", - "original": "okhttp/2.7.5", - "version": "2.7.5" - } -} \ No newline at end of 
file diff --git a/packages/modsecurity/1.2.1/docs/README.md b/packages/modsecurity/1.2.1/docs/README.md deleted file mode 100755 index 6ec87e815c..0000000000 --- a/packages/modsecurity/1.2.1/docs/README.md +++ /dev/null 
@@ -1,116 +0,0 @@
-# Modsecurity Integration
-
-This integration periodically fetches audit logs from [Modsecurity](https://github.com/SpiderLabs/ModSecurity/) servers. It can parse audit logs created by the HTTP server.
-
-## Compatibility
-
-The logs were tested with ModSecurity v3 with nginx connector and ModSecurity v3 with Apache Connector. Change the default ModSecurity logging format to json as per configuration.
-
-```
-SecAuditLogParts ABDEFHIJZ
-SecAuditLogType Serial
-SecAuditLog /var/log/modsec_audit.json
-SecAuditLogFormat JSON
-```
-
-> Be careful to drop **the list of all rules that matched for the transaction (K)** in SecAuditLogParts. That part can make raw logs too long to parse.
-
-### Audit Log
-
-The `Audit Log` dataset collects Modsecurity Audit logs.
-
-**Exported fields**
-
-| Field | Description | Type |
-|---|---|---|
-| @timestamp | Event timestamp. | date |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name.
| keyword |
-| data_stream.dataset | Data stream dataset. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| destination.domain | The domain name of the destination system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword |
-| destination.ip | IP address of the destination (IPv4 or IPv6). | ip |
-| destination.port | Port of the destination. | long |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| event.dataset | Event dataset | constant_keyword |
-| event.module | Event module | constant_keyword |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information.
| keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| http.request.method | HTTP request method. The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field. | keyword |
-| http.request.referrer | Referrer for this HTTP request. | keyword |
-| http.response.bytes | Total size in bytes of the response (body and headers). | long |
-| http.response.mime_type | Mime type of the body of the response. This value must only be populated based on the content of the response body, not on the `Content-Type` header. Comparing the mime type of a response with the response's Content-Type header can be helpful in detecting misconfigured servers. | keyword |
-| http.response.status_code | HTTP response status code. | long |
-| http.version | HTTP version. | keyword |
-| input.type | Input type | keyword |
-| log.file.path | Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. | keyword |
-| log.offset | Log offset | long |
-| message | human-readable summary of the event | text |
-| modsec.audit.details | Modsecurity audit details.
| flattened |
-| modsec.audit.messages | Modsecurity audit message. | keyword |
-| modsec.audit.server | Modsecurity server name. | keyword |
-| related.ip | All of the IPs seen on your event. | ip |
-| rule.id | A rule ID that is unique within the scope of an agent, observer, or other entity using the rule for detection of this event. | keyword |
-| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
-| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long |
-| source.as.organization.name | Organization name. | keyword |
-| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text |
-| source.geo.city_name | City name. | keyword |
-| source.geo.continent_name | Name of the continent. | keyword |
-| source.geo.country_iso_code | Country ISO code. | keyword |
-| source.geo.country_name | Country name. | keyword |
-| source.geo.location | Longitude and latitude. | geo_point |
-| source.geo.region_iso_code | Region ISO code. | keyword |
-| source.geo.region_name | Region name. | keyword |
-| source.ip | IP address of the source (IPv4 or IPv6). | ip |
-| source.port | Port of the source. | long |
-| tags | List of keywords used to tag each event. | keyword |
-| url.domain | Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field.
| keyword |
-| url.extension | The field contains the file extension from the original request url, excluding the leading dot. The file extension is only set if it exists, as not every url has a file extension. The leading period must not be included. For example, the value must be "png", not ".png". Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword |
-| url.fragment | Portion of the url after the `#`, such as "top". The `#` is not part of the fragment. | keyword |
-| url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | wildcard |
-| url.original.text | Multi-field of `url.original`. | match_only_text |
-| url.path | Path of the request, such as "/search". | wildcard |
-| url.port | Port of the request, such as 443. | long |
-| url.query | The query field describes the query string of the request, such as "q=elasticsearch". The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. | keyword |
-| url.scheme | Scheme of the request, such as "https". Note: The `:` is not part of the scheme. | keyword |
-| user.name | Short name or login of the user. | keyword |
-| user.name.text | Multi-field of `user.name`. | match_only_text |
-| user_agent.device.name | Name of the device. | keyword |
-| user_agent.name | Name of the user agent. | keyword |
-| user_agent.original | Unparsed user_agent string. | keyword |
-| user_agent.original.text | Multi-field of `user_agent.original`.
| match_only_text | -| user_agent.os.full | Operating system name, including the version or code name. | keyword | -| user_agent.os.full.text | Multi-field of `user_agent.os.full`. | match_only_text | -| user_agent.os.name | Operating system name, without the version. | keyword | -| user_agent.os.name.text | Multi-field of `user_agent.os.name`. | match_only_text | -| user_agent.os.version | Operating system version as a raw string. | keyword | -| user_agent.version | Version of the user agent. | keyword | - diff --git a/packages/modsecurity/1.2.1/img/modsec.svg b/packages/modsecurity/1.2.1/img/modsec.svg deleted file mode 100755 index 3001b7e70c..0000000000 --- a/packages/modsecurity/1.2.1/img/modsec.svg +++ /dev/null @@ -1 +0,0 @@ - diff --git a/packages/modsecurity/1.2.1/manifest.yml b/packages/modsecurity/1.2.1/manifest.yml deleted file mode 100755 index cca3e50be6..0000000000 --- a/packages/modsecurity/1.2.1/manifest.yml +++ /dev/null @@ -1,28 +0,0 @@ -format_version: 1.0.0 -name: modsecurity -title: "ModSecurity Audit" -version: 1.2.1 -license: basic -description: Collect logs from ModSecurity with Elastic Agent -type: integration -categories: - - security - - web -release: ga -conditions: - kibana.version: "^7.16.0 || ^8.0.0" -icons: - - src: /img/modsec.svg - title: ModSecurity - size: 32x32 - type: image/svg+xml -policy_templates: - - name: modsec - title: ModSecurity audit logs - description: Collect modsecurity audit logs - inputs: - - type: logfile - title: Collect logs from modsecurity instances - description: Collecting modsecurity audit logs -owner: - github: elastic/security-external-integrations diff --git a/packages/netflow/2.2.3/LICENSE.txt b/packages/netflow/2.2.3/LICENSE.txt deleted file mode 100755 index 809108b857..0000000000 --- a/packages/netflow/2.2.3/LICENSE.txt +++ /dev/null 
@@ -1,93 +0,0 @@ -Elastic License 2.0 - -URL: https://www.elastic.co/licensing/elastic-license - -## Acceptance - -By using the software, you agree to all of the terms and conditions below. - -## Copyright License - -The licensor grants you a non-exclusive, royalty-free, worldwide, -non-sublicensable, non-transferable license to use, copy, distribute, make -available, and prepare derivative works of the software, in each case subject to -the limitations and conditions below. - -## Limitations - -You may not provide the software to third parties as a hosted or managed -service, where the service provides users with access to any substantial set of -the features or functionality of the software. - -You may not move, change, disable, or circumvent the license key functionality -in the software, and you may not remove or obscure any functionality in the -software that is protected by the license key. - -You may not alter, remove, or obscure any licensing, copyright, or other notices -of the licensor in the software. Any use of the licensor’s trademarks is subject -to applicable law. - -## Patents - -The licensor grants you a license, under any patent claims the licensor can -license, or becomes able to license, to make, have made, use, sell, offer for -sale, import and have imported the software, in each case subject to the -limitations and conditions in this license. This license does not cover any -patent claims that you cause to be infringed by modifications or additions to -the software. If you or your company make any written claim that the software -infringes or contributes to infringement of any patent, your patent license for -the software granted under these terms ends immediately. If your company makes -such a claim, your patent license ends immediately for work on behalf of your -company. - -## Notices - -You must ensure that anyone who gets a copy of any part of the software from you -also gets a copy of these terms. 
- -If you modify the software, you must include in any modified copies of the -software prominent notices stating that you have modified the software. - -## No Other Rights - -These terms do not imply any licenses other than those expressly granted in -these terms. - -## Termination - -If you use the software in violation of these terms, such use is not licensed, -and your licenses will automatically terminate. If the licensor provides you -with a notice of your violation, and you cease all violation of this license no -later than 30 days after you receive that notice, your licenses will be -reinstated retroactively. However, if you violate these terms after such -reinstatement, any additional violation of these terms will cause your licenses -to terminate automatically and permanently. - -## No Liability - -*As far as the law allows, the software comes as is, without any warranty or -condition, and the licensor will not be liable to you for any damages arising -out of these terms or the use or nature of the software, under any kind of -legal claim.* - -## Definitions - -The **licensor** is the entity offering these terms, and the **software** is the -software the licensor makes available under these terms, including any portion -of it. - -**you** refers to the individual or entity agreeing to these terms. - -**your company** is any legal entity, sole proprietorship, or other kind of -organization that you work for, plus all organizations that have control over, -are under the control of, or are under common control with that -organization. **control** means ownership of substantially all the assets of an -entity, or the power to direct its management and policies by vote, contract, or -otherwise. Control can be direct or indirect. - -**your licenses** are all the licenses granted to you for the software under -these terms. - -**use** means anything you do with the software requiring one of your licenses. 
- -**trademark** means trademarks, service marks, and similar rights. diff --git a/packages/netflow/2.2.3/changelog.yml b/packages/netflow/2.2.3/changelog.yml deleted file mode 100755 index 3e829d3c54..0000000000 --- a/packages/netflow/2.2.3/changelog.yml +++ /dev/null 
@@ -1,137 +0,0 @@ -# newer versions go on top -- version: "2.2.3" - changes: - - description: Use ECS geo.location definition. - type: enhancement - link: https://github.com/elastic/integrations/issues/4227 -- version: "2.2.2" - changes: - - description: Remove unused visualizations - type: enhancement - link: https://github.com/elastic/integrations/issues/3975 -- version: "2.2.1" - changes: - - description: Added link to Netflow documentation - type: enhancement - link: https://github.com/elastic/integrations/pull/3002 -- version: "2.2.0" - changes: - - description: Update package to ECS 8.4.0 - type: enhancement - link: https://github.com/elastic/integrations/pull/3868 -- version: "2.1.0" - changes: - - description: Update package to ECS 8.3.0. - type: enhancement - link: https://github.com/elastic/integrations/pull/3353 -- version: "2.0.1" - changes: - - description: Fix invalid value in sample event - type: bugfix - link: https://github.com/elastic/integrations/pull/3334 -- version: "2.0.0" - changes: - - description: Migrate map visualisation from tile_map to map object - type: enhancement - link: https://github.com/elastic/integrations/pull/3263 -- version: "1.5.0" - changes: - - description: Update to ECS 8.2 - type: enhancement - link: https://github.com/elastic/integrations/pull/2780 -- version: "1.4.2" - changes: - - description: Replace invalid field value - type: enhancement - link: https://github.com/elastic/integrations/pull/3096 -- version: "1.4.1" - changes: - - description: Add documentation for multi-fields - type: enhancement - link: https://github.com/elastic/integrations/pull/2916 -- version: "1.4.0" - changes: - - description: Update to ECS 8.0 - type: enhancement - link: https://github.com/elastic/integrations/pull/2424 -- version: "1.3.0" - changes: - - description: Add 8.0.0 version constraint - type: enhancement - link: https://github.com/elastic/integrations/pull/2220 -- version: "1.2.3" - changes: - - description: Uniform with guidelines 
- type: enhancement - link: https://github.com/elastic/integrations/pull/2098 -- version: "1.2.2" - changes: - - description: Update Title and Description. - type: enhancement - link: https://github.com/elastic/integrations/pull/1973 -- version: "1.2.1" - changes: - - description: Fix logic that checks for the 'forwarded' tag - type: bugfix - link: https://github.com/elastic/integrations/pull/1833 -- version: "1.2.0" - changes: - - description: Update to ECS 1.12.0 - type: enhancement - link: https://github.com/elastic/integrations/pull/1667 -- version: "1.1.3" - changes: - - description: Convert to generated ECS fields - type: enhancement - link: https://github.com/elastic/integrations/pull/1489 -- version: '1.1.2' - changes: - - description: update to ECS 1.11.0 - type: enhancement - link: https://github.com/elastic/integrations/pull/1396 -- version: "1.1.1" - changes: - - description: Escape special characters in docs - type: enhancement - link: https://github.com/elastic/integrations/pull/1364 -- version: "1.1.0" - changes: - - description: Update integration description - type: enhancement - link: https://github.com/elastic/integrations/pull/1364 -- version: "1.0.0" - changes: - - description: make GA - type: enhancement - link: https://github.com/elastic/integrations/pull/1218 - - description: Set "event.module" and "event.dataset" - type: enhancement - link: https://github.com/elastic/integrations/pull/1218 -- version: "0.4.1" - changes: - - description: Use `wildcard` field type for the relevant ECS fields. 
- type: enhancement - link: https://github.com/elastic/integrations/pull/1179 -- version: "0.4.0" - changes: - - description: update to ECS 1.10.0 - type: enhancement - link: https://github.com/elastic/integrations/pull/1062 -- version: "0.3.9" - changes: - - description: add pipeline tests and move ecs.version set the to ingest pipeline - type: enhancement - link: https://github.com/elastic/integrations/pull/1006 -- version: "0.3.8" - changes: - - description: update to ECS 1.9.0 - type: enhancement - link: https://github.com/elastic/integrations/pull/857 -- version: "0.1.0" - changes: - - description: Change field type of `netflow.application_category_nam` and `netflow.application_sub_category_name` to keyword to ensure there are no type conflicts between vendors. - type: enhancement - link: https://github.com/elastic/integrations/pull/697 - - description: initial release - type: enhancement # can be one of: enhancement, bugfix, breaking-change - link: https://github.com/elastic/integrations/pull/23 diff --git a/packages/netflow/2.2.3/data_stream/log/agent/stream/netflow.yml.hbs b/packages/netflow/2.2.3/data_stream/log/agent/stream/netflow.yml.hbs deleted file mode 100755 index 45be18a81e..0000000000 --- a/packages/netflow/2.2.3/data_stream/log/agent/stream/netflow.yml.hbs +++ /dev/null 
@@ -1,31 +0,0 @@ -protocols: [v1, v5, v6, v7, v8, v9, ipfix] -host: '{{host}}:{{port}}' -max_message_size: '{{max_message_size}}' -expiration_timeout: '{{expiration_timeout}}' -queue_size: {{queue_size}} -{{#if timeout}} -timeout: '{{timeout}}' -{{/if}} -{{#if read_buffer}} -read_buffer: '{{read_buffer}}' -{{/if}} -{{#if custom_definitions}} -custom_definitions: -{{#each custom_definitions}} -- '{{this}}' -{{/each}} -{{/if}} -{{#if detect_sequence_reset}} -detect_sequence_reset: {{detect_sequence_reset}} -{{/if}} -tags: -{{#each tags as |tag i|}} - - {{tag}} -{{/each}} -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} -{{#if processors}} -processors: -{{processors}} -{{/if}} diff --git a/packages/netflow/2.2.3/data_stream/log/elasticsearch/ingest_pipeline/default.yml b/packages/netflow/2.2.3/data_stream/log/elasticsearch/ingest_pipeline/default.yml deleted file mode 100755 index 22e867908d..0000000000 --- a/packages/netflow/2.2.3/data_stream/log/elasticsearch/ingest_pipeline/default.yml +++ /dev/null 
@@ -1,69 +0,0 @@ ---- -description: Pipeline for NetFlow - -processors: - - set: - field: ecs.version - value: '8.4.0' - - convert: - field: network.iana_number - type: string - ignore_missing: true - ignore_failure: true - - - set: - field: event.category - value: - - network - - session - if: 'ctx.event?.category != null && ctx.event?.category == "network_session"' - - # IP Geolocation Lookup - - geoip: - if: ctx.source?.geo == null - field: source.ip - target_field: source.geo - ignore_missing: true - - geoip: - if: ctx.destination?.geo == null - field: destination.ip - target_field: destination.geo - ignore_missing: true - - # IP Autonomous System (AS) Lookup - - geoip: - database_file: GeoLite2-ASN.mmdb - field: source.ip - target_field: source.as - properties: - - asn - - organization_name - ignore_missing: true - - geoip: - database_file: GeoLite2-ASN.mmdb - field: destination.ip - target_field: destination.as - properties: - - asn - - organization_name - ignore_missing: true - - rename: - field: source.as.asn - target_field: source.as.number - ignore_missing: true - - rename: - field: source.as.organization_name - target_field: source.as.organization.name - ignore_missing: true - - rename: - field: destination.as.asn - target_field: destination.as.number - ignore_missing: true - - rename: - field: destination.as.organization_name - target_field: destination.as.organization.name - ignore_missing: true -on_failure: - - set: - field: error.message - value: "{{ _ingest.on_failure_message }}" diff --git a/packages/netflow/2.2.3/data_stream/log/fields/agent.yml b/packages/netflow/2.2.3/data_stream/log/fields/agent.yml deleted file mode 100755 index da4e652c53..0000000000 --- a/packages/netflow/2.2.3/data_stream/log/fields/agent.yml +++ /dev/null 
@@ -1,198 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/netflow/2.2.3/data_stream/log/fields/base-fields.yml b/packages/netflow/2.2.3/data_stream/log/fields/base-fields.yml deleted file mode 100755 index 12d5ac2a45..0000000000 --- a/packages/netflow/2.2.3/data_stream/log/fields/base-fields.yml +++ /dev/null @@ -1,20 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: event.module - type: constant_keyword - description: Event module - value: netflow -- name: event.dataset - type: constant_keyword - description: Event dataset - value: netflow.log -- name: '@timestamp' - type: date - description: Event timestamp. diff --git a/packages/netflow/2.2.3/data_stream/log/fields/ecs.yml b/packages/netflow/2.2.3/data_stream/log/fields/ecs.yml deleted file mode 100755 index 18a03cfc03..0000000000 --- a/packages/netflow/2.2.3/data_stream/log/fields/ecs.yml +++ /dev/null 
@@ -1,1620 +0,0 @@ -- description: |- - Date/time when the event originated. - This is the date/time extracted from the event, typically representing when the event was generated by the source. - If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. - Required field for all events. - name: '@timestamp' - type: date -- description: |- - Ephemeral identifier of this agent (if one exists). - This id normally changes across restarts, but `agent.id` does not. - name: agent.ephemeral_id - type: keyword -- description: |- - Unique identifier of this agent (if one exists). - Example: For Beats this would be beat.id. - name: agent.id - type: keyword -- description: |- - Custom name of the agent. - This is a name that can be given to an agent. This can be helpful if for example two Filebeat instances are running on the same host but a human readable separation is needed on which Filebeat instance data is coming from. - name: agent.name - type: keyword -- description: |- - Type of the agent. - The agent type always stays the same and should be given by the agent used. In case of Filebeat the agent would always be Filebeat also if two Filebeat instances are run on the same machine. - name: agent.type - type: keyword -- description: Version of the agent. - name: agent.version - type: keyword -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: as.organization.name - type: keyword -- description: |- - Some event client addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. 
- name: client.address - type: keyword -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: client.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: client.as.organization.name - type: keyword -- description: Bytes sent from the client to the server. - name: client.bytes - type: long -- description: |- - The domain name of the client system. - This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. - name: client.domain - type: keyword -- description: City name. - name: client.geo.city_name - type: keyword -- description: Name of the continent. - name: client.geo.continent_name - type: keyword -- description: Country ISO code. - name: client.geo.country_iso_code - type: keyword -- description: Country name. - name: client.geo.country_name - type: keyword -- description: Longitude and latitude. - name: client.geo.location - type: geo_point -- description: |- - User-defined description of a location, at the level of granularity they care about. - Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. - Not typically used in automated geolocation. - name: client.geo.name - type: keyword -- description: Region ISO code. - name: client.geo.region_iso_code - type: keyword -- description: Region name. - name: client.geo.region_name - type: keyword -- description: IP address of the client (IPv4 or IPv6). - name: client.ip - type: ip -- description: |- - MAC address of the client. - The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. 
- name: client.mac - type: keyword -- description: |- - Translated IP of source based NAT sessions (e.g. internal client to internet). - Typically connections traversing load balancers, firewalls, or routers. - name: client.nat.ip - type: ip -- description: |- - Translated port of source based NAT sessions (e.g. internal client to internet). - Typically connections traversing load balancers, firewalls, or routers. - name: client.nat.port - type: long -- description: Packets sent from the client to the server. - name: client.packets - type: long -- description: Port of the client. - name: client.port - type: long -- description: |- - The highest registered client domain, stripped of the subdomain. - For example, the registered domain for "foo.example.com" is "example.com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". - name: client.registered_domain - type: keyword -- description: |- - The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". - name: client.top_level_domain - type: keyword -- description: |- - Name of the directory the user is a member of. - For example, an LDAP or Active Directory domain name. - name: client.user.domain - type: keyword -- description: User email address. - name: client.user.email - type: keyword -- description: User's full name, if available. - multi_fields: - - name: text - type: match_only_text - name: client.user.full_name - type: keyword -- description: |- - Name of the directory the group is a member of. 
- For example, an LDAP or Active Directory domain name. - name: client.user.group.domain - type: keyword -- description: Unique identifier for the group on the system/platform. - name: client.user.group.id - type: keyword -- description: Name of the group. - name: client.user.group.name - type: keyword -- description: |- - Unique user hash to correlate information for a user in anonymized form. - Useful if `user.id` or `user.name` contain confidential information and cannot be used. - name: client.user.hash - type: keyword -- description: Unique identifier of the user. - name: client.user.id - type: keyword -- description: Short name or login of the user. - multi_fields: - - name: text - type: match_only_text - name: client.user.name - type: keyword -- description: |- - The cloud account or organization id used to identify different entities in a multi-tenant environment. - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. - name: cloud.account.id - type: keyword -- description: Availability zone in which this host, resource, or service is located. - name: cloud.availability_zone - type: keyword -- description: Instance ID of the host machine. - name: cloud.instance.id - type: keyword -- description: Instance name of the host machine. - name: cloud.instance.name - type: keyword -- description: Machine type of the host machine. - name: cloud.machine.type - type: keyword -- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - name: cloud.provider - type: keyword -- description: Region in which this host, resource, or service is located. - name: cloud.region - type: keyword -- description: Unique container id. - name: container.id - type: keyword -- description: Name of the image the container was built on. - name: container.image.name - type: keyword -- description: Container image tags. - name: container.image.tag - normalize: - - array - type: keyword -- description: Image labels. 
- name: container.labels - type: object -- description: Container name. - name: container.name - type: keyword -- description: Runtime managing this container. - name: container.runtime - type: keyword -- description: |- - Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: destination.address - type: keyword -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: destination.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: destination.as.organization.name - type: keyword -- description: Bytes sent from the destination to the source. - name: destination.bytes - type: long -- description: |- - The domain name of the destination system. - This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. - name: destination.domain - type: keyword -- description: City name. - name: destination.geo.city_name - type: keyword -- description: Name of the continent. - name: destination.geo.continent_name - type: keyword -- description: Country ISO code. - name: destination.geo.country_iso_code - type: keyword -- description: Country name. - name: destination.geo.country_name - type: keyword -- description: Longitude and latitude. - name: destination.geo.location - type: geo_point -- description: |- - User-defined description of a location, at the level of granularity they care about. - Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. - Not typically used in automated geolocation. 
- name: destination.geo.name - type: keyword -- description: Region ISO code. - name: destination.geo.region_iso_code - type: keyword -- description: Region name. - name: destination.geo.region_name - type: keyword -- description: IP address of the destination (IPv4 or IPv6). - name: destination.ip - type: ip -- description: |- - MAC address of the destination. - The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. - name: destination.mac - pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ - type: keyword -- description: |- - Translated ip of destination based NAT sessions (e.g. internet to private DMZ) - Typically used with load balancers, firewalls, or routers. - name: destination.nat.ip - type: ip -- description: |- - Port the source session is translated to by NAT Device. - Typically used with load balancers, firewalls, or routers. - name: destination.nat.port - type: long -- description: Packets sent from the destination to the source. - name: destination.packets - type: long -- description: Port of the destination. - name: destination.port - type: long -- description: |- - The highest registered destination domain, stripped of the subdomain. - For example, the registered domain for "foo.example.com" is "example.com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". - name: destination.registered_domain - type: keyword -- description: |- - The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). 
Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". - name: destination.top_level_domain - type: keyword -- description: |- - Name of the directory the user is a member of. - For example, an LDAP or Active Directory domain name. - name: destination.user.domain - type: keyword -- description: User email address. - name: destination.user.email - type: keyword -- description: User's full name, if available. - multi_fields: - - name: text - type: match_only_text - name: destination.user.full_name - type: keyword -- description: |- - Name of the directory the group is a member of. - For example, an LDAP or Active Directory domain name. - name: destination.user.group.domain - type: keyword -- description: Unique identifier for the group on the system/platform. - name: destination.user.group.id - type: keyword -- description: Name of the group. - name: destination.user.group.name - type: keyword -- description: |- - Unique user hash to correlate information for a user in anonymized form. - Useful if `user.id` or `user.name` contain confidential information and cannot be used. - name: destination.user.hash - type: keyword -- description: Unique identifier of the user. - name: destination.user.id - type: keyword -- description: Short name or login of the user. - multi_fields: - - name: text - type: match_only_text - name: destination.user.name - type: keyword -- description: |- - An array containing an object for each answer section returned by the server. - The main keys that should be present in these objects are defined by ECS. Records that have more information may contain more keys than what ECS defines. - Not all DNS data sources give all details about DNS answers. At minimum, answer objects must contain the `data` key. If more information is available, map as much of it to ECS as possible, and add any additional fields to the answer objects as custom fields. 
- name: dns.answers - normalize: - - array - type: object -- description: The class of DNS data contained in this resource record. - name: dns.answers.class - type: keyword -- description: |- - The data describing the resource. - The meaning of this data depends on the type and class of the resource record. - name: dns.answers.data - type: keyword -- description: |- - The domain name to which this resource record pertains. - If a chain of CNAME is being resolved, each answer's `name` should be the one that corresponds with the answer's `data`. It should not simply be the original `question.name` repeated. - name: dns.answers.name - type: keyword -- description: The time interval in seconds that this resource record may be cached before it should be discarded. Zero values mean that the data should not be cached. - name: dns.answers.ttl - type: long -- description: The type of data contained in this resource record. - name: dns.answers.type - type: keyword -- description: Array of 2 letter DNS header flags. - name: dns.header_flags - normalize: - - array - type: keyword -- description: The DNS packet identifier assigned by the program that generated the query. The identifier is copied to the response. - name: dns.id - type: keyword -- description: The DNS operation code that specifies the kind of query in the message. This value is set by the originator of a query and copied into the response. - name: dns.op_code - type: keyword -- description: The class of records being queried. - name: dns.question.class - type: keyword -- description: |- - The name being queried. - If the name field contains non-printable characters (below 32 or above 126), those characters should be represented as escaped base 10 integers (\DDD). Back slashes and quotes should be escaped. Tabs, carriage returns, and line feeds should be converted to \t, \r, and \n respectively. - name: dns.question.name - type: keyword -- description: |- - The highest registered domain, stripped of the subdomain. 
- For example, the registered domain for "foo.example.com" is "example.com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". - name: dns.question.registered_domain - type: keyword -- description: |- - The subdomain is all of the labels under the registered_domain. - If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. - name: dns.question.subdomain - type: keyword -- description: |- - The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". - name: dns.question.top_level_domain - type: keyword -- description: The type of record being queried. - name: dns.question.type - type: keyword -- description: |- - Array containing all IPs seen in `answers.data`. - The `answers` array can be difficult to use, because of the variety of data formats it can contain. Extracting all IP addresses seen in there to `dns.resolved_ip` makes it possible to index them as IP addresses, and makes them easier to visualize and query for. - name: dns.resolved_ip - normalize: - - array - type: ip -- description: The DNS response code. - name: dns.response_code - type: keyword -- description: |- - The type of DNS event captured, query or answer. - If your source of DNS events only gives you DNS queries, you should only create dns events of type `dns.type:query`. - If your source of DNS events gives you answers as well, you should create one event per query (optionally as soon as the query is seen). 
And a second event containing all query details as well as an array of answers. - name: dns.type - type: keyword -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: Error code describing the error. - name: error.code - type: keyword -- description: Unique identifier for the error. - name: error.id - type: keyword -- description: Error message. - name: error.message - type: match_only_text -- description: The stack trace of this error in plain text. - multi_fields: - - name: text - type: match_only_text - name: error.stack_trace - type: wildcard -- description: The type of the error, for example the class name of the exception. - name: error.type - type: keyword -- description: |- - The action captured by the event. - This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. - name: event.action - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. This will allow proper categorization of some events that fall in multiple categories. - name: event.category - normalize: - - array - type: keyword -- description: |- - Identification code for this event, if one exists. 
- Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. - name: event.code - type: keyword -- description: |- - event.created contains the date/time when the event was first read by an agent, or by your pipeline. - This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. - In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. - In case the two timestamps are identical, @timestamp should be used. - name: event.created - type: date -- description: |- - Duration of the event in nanoseconds. - If event.start and event.end are known this value should be the difference between the end and start time. - name: event.duration - type: long -- description: event.end contains the date when the event ended or when the activity was last observed. - name: event.end - type: date -- description: Hash (perhaps logstash fingerprint) of raw field to be able to demonstrate log integrity. - name: event.hash - type: keyword -- description: Unique ID to describe the event. - name: event.id - type: keyword -- description: |- - Timestamp when an event arrived in the central data store. - This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. - In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. 
- name: event.ingested - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: |- - Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. - This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. - doc_values: false - index: false - name: event.original - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. - `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. - Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. - Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. - Further note that not all events will have an associated outcome. 
For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. - name: event.outcome - type: keyword -- description: |- - Source of the event. - Event transports such as Syslog or the Windows Event Log typically mention the source of an event. It can be the name of the software that generated the event (e.g. Sysmon, httpd), or of a subsystem of the operating system (kernel, Microsoft-Windows-Security-Auditing). - name: event.provider - type: keyword -- description: Risk score or priority of the event (e.g. security solutions). Use your system's original value here. - name: event.risk_score - type: float -- description: |- - Normalized risk score or priority of the event, on a scale of 0 to 100. - This is mainly useful if you use more than one system that assigns risk scores, and you want to see a normalized value across all systems. - name: event.risk_score_norm - type: float -- description: |- - Sequence number of the event. - The sequence number is a value published by some event sources, to make the exact ordering of events unambiguous, regardless of the timestamp precision. - name: event.sequence - type: long -- description: |- - The numeric severity of the event according to your event source. - What the different severity values mean can be different between sources and use cases. It's up to the implementer to make sure severities are consistent across events from the same source. - The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`. - name: event.severity - type: long -- description: event.start contains the date when the event started or when the activity was first observed. 
- name: event.start - type: date -- description: |- - This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. - Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). - name: event.timezone - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. - `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. This will allow proper categorization of some events that fall in multiple event types. - name: event.type - normalize: - - array - type: keyword -- description: |- - Last time the file was accessed. - Note that not all filesystems keep track of access time. - name: file.accessed - type: date -- description: |- - File creation time. - Note that not all filesystems store the creation time. - name: file.created - type: date -- description: |- - Last time the file attributes or metadata changed. - Note that changes to the file content will update `mtime`. This implies `ctime` will be adjusted at the same time, since `mtime` is an attribute of the file. - name: file.ctime - type: date -- description: Device that is the source of the file. - name: file.device - type: keyword -- description: Directory where the file is located. It should include the drive letter, when appropriate. - name: file.directory - type: keyword -- description: |- - File extension, excluding the leading dot. - Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). - name: file.extension - type: keyword -- description: Primary group ID (GID) of the file. 
- name: file.gid - type: keyword -- description: Primary group name of the file. - name: file.group - type: keyword -- description: MD5 hash. - name: file.hash.md5 - type: keyword -- description: SHA1 hash. - name: file.hash.sha1 - type: keyword -- description: SHA256 hash. - name: file.hash.sha256 - type: keyword -- description: SHA512 hash. - name: file.hash.sha512 - type: keyword -- description: Inode representing the file in the filesystem. - name: file.inode - type: keyword -- description: Mode of the file in octal representation. - name: file.mode - type: keyword -- description: Last time the file content was modified. - name: file.mtime - type: date -- description: Name of the file including the extension, without the directory. - name: file.name - type: keyword -- description: File owner's username. - name: file.owner - type: keyword -- description: Full path to the file, including the file name. It should include the drive letter, when appropriate. - multi_fields: - - name: text - type: match_only_text - name: file.path - type: keyword -- description: |- - File size in bytes. - Only relevant when `file.type` is "file". - name: file.size - type: long -- description: Target path for symlinks. - multi_fields: - - name: text - type: match_only_text - name: file.target_path - type: keyword -- description: File type (file, dir, or symlink). - name: file.type - type: keyword -- description: The user ID (UID) or security identifier (SID) of the file owner. - name: file.uid - type: keyword -- description: City name. - name: geo.city_name - type: keyword -- description: Name of the continent. - name: geo.continent_name - type: keyword -- description: Country ISO code. - name: geo.country_iso_code - type: keyword -- description: Country name. - name: geo.country_name - type: keyword -- description: Longitude and latitude. - name: geo.location - type: geo_point -- description: |- - User-defined description of a location, at the level of granularity they care about. 
- Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. - Not typically used in automated geolocation. - name: geo.name - type: keyword -- description: Region ISO code. - name: geo.region_iso_code - type: keyword -- description: Region name. - name: geo.region_name - type: keyword -- description: |- - Name of the directory the group is a member of. - For example, an LDAP or Active Directory domain name. - name: group.domain - type: keyword -- description: Unique identifier for the group on the system/platform. - name: group.id - type: keyword -- description: Name of the group. - name: group.name - type: keyword -- description: MD5 hash. - name: hash.md5 - type: keyword -- description: SHA1 hash. - name: hash.sha1 - type: keyword -- description: SHA256 hash. - name: hash.sha256 - type: keyword -- description: SHA512 hash. - name: hash.sha512 - type: keyword -- description: Operating system architecture. - name: host.architecture - type: keyword -- description: City name. - name: host.geo.city_name - type: keyword -- description: Name of the continent. - name: host.geo.continent_name - type: keyword -- description: Country ISO code. - name: host.geo.country_iso_code - type: keyword -- description: Country name. - name: host.geo.country_name - type: keyword -- description: Longitude and latitude. - name: host.geo.location - type: geo_point -- description: |- - User-defined description of a location, at the level of granularity they care about. - Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. - Not typically used in automated geolocation. - name: host.geo.name - type: keyword -- description: Region ISO code. - name: host.geo.region_iso_code - type: keyword -- description: Region name. - name: host.geo.region_name - type: keyword -- description: |- - Hostname of the host. 
- It normally contains what the `hostname` command returns on the host machine. - name: host.hostname - type: keyword -- description: |- - Unique host id. - As hostname is not always unique, use values that are meaningful in your environment. - Example: The current usage of `beat.name`. - name: host.id - type: keyword -- description: Host ip addresses. - name: host.ip - normalize: - - array - type: ip -- description: |- - Host MAC addresses. - The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. - name: host.mac - normalize: - - array - pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ - type: keyword -- description: |- - Name of the host. - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. - name: host.name - type: keyword -- description: OS family (such as redhat, debian, freebsd, windows). - name: host.os.family - type: keyword -- description: Operating system name, including the version or code name. - multi_fields: - - name: text - type: match_only_text - name: host.os.full - type: keyword -- description: Operating system kernel version as a raw string. - name: host.os.kernel - type: keyword -- description: Operating system name, without the version. - multi_fields: - - name: text - type: match_only_text - name: host.os.name - type: keyword -- description: Operating system platform (such centos, ubuntu, windows). - name: host.os.platform - type: keyword -- description: Operating system version as a raw string. - name: host.os.version - type: keyword -- description: |- - Type of host. - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. 
- name: host.type - type: keyword -- description: Seconds the host has been up. - name: host.uptime - type: long -- description: Size in bytes of the request body. - name: http.request.body.bytes - type: long -- description: The full HTTP request body. - multi_fields: - - name: text - type: match_only_text - name: http.request.body.content - type: wildcard -- description: Total size in bytes of the request (body and headers). - name: http.request.bytes - type: long -- description: |- - HTTP request method. - The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field. - name: http.request.method - type: keyword -- description: Referrer for this HTTP request. - name: http.request.referrer - type: keyword -- description: Size in bytes of the response body. - name: http.response.body.bytes - type: long -- description: The full HTTP response body. - multi_fields: - - name: text - type: match_only_text - name: http.response.body.content - type: wildcard -- description: Total size in bytes of the response (body and headers). - name: http.response.bytes - type: long -- description: HTTP response status code. - name: http.response.status_code - type: long -- description: HTTP version. - name: http.version - type: keyword -- description: |- - Custom key/value pairs. - Can be used to add meta information to events. Should not contain nested objects. All values are stored as keyword. - Example: `docker` and `k8s` labels. - name: labels - type: object -- description: |- - Original log level of the log event. - If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). - Some examples are `warn`, `err`, `i`, `informational`. - name: log.level - type: keyword -- description: The name of the logger inside an application. 
This is usually the name of the class which initialized the logger, or can be a custom name. - name: log.logger - type: keyword -- description: The line number of the file containing the source code which originated the log event. - name: log.origin.file.line - type: long -- description: |- - The name of the file containing the source code which originated the log event. - Note that this field is not meant to capture the log file. The correct field to capture the log file is `log.file.path`. - name: log.origin.file.name - type: keyword -- description: The name of the function or method which originated the log event. - name: log.origin.function - type: keyword -- description: The Syslog metadata of the event, if the event was transmitted via Syslog. Please see RFCs 5424 or 3164. - name: log.syslog - type: object -- description: |- - The Syslog numeric facility of the log event, if available. - According to RFCs 5424 and 3164, this value should be an integer between 0 and 23. - name: log.syslog.facility.code - type: long -- description: The Syslog text-based facility of the log event, if available. - name: log.syslog.facility.name - type: keyword -- description: |- - Syslog numeric priority of the event, if available. - According to RFCs 5424 and 3164, the priority is 8 * facility + severity. This number is therefore expected to contain a value between 0 and 191. - name: log.syslog.priority - type: long -- description: |- - The Syslog numeric severity of the log event, if available. - If the event source publishing via Syslog provides a different numeric severity value (e.g. firewall, IDS), your source's numeric severity should go to `event.severity`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `event.severity`. - name: log.syslog.severity.code - type: long -- description: |- - The Syslog numeric severity of the log event, if available. 
- If the event source publishing via Syslog provides a different severity value (e.g. firewall, IDS), your source's text severity should go to `log.level`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `log.level`. - name: log.syslog.severity.name - type: keyword -- description: |- - For log events the message field contains the log message, optimized for viewing in a log viewer. - For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. - If multiple messages exist, they can be combined into one message. - name: message - type: match_only_text -- description: |- - When a specific application or service is identified from network connection details (source/dest IPs, ports, certificates, or wire format), this field captures the application's or service's name. - For example, the original event identifies the network connection being from a specific web service in a `https` network connection, like `facebook` or `twitter`. - The field value must be normalized to lowercase for querying. - name: network.application - type: keyword -- description: |- - Total bytes transferred in both directions. - If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. - name: network.bytes - type: long -- description: |- - A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. - Learn more at https://github.com/corelight/community-id-spec. - name: network.community_id - type: keyword -- description: |- - Direction of the network traffic. - When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". 
- When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". - Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. - name: network.direction - type: keyword -- description: Host IP address when the source IP address is the proxy. - name: network.forwarded_ip - type: ip -- description: IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. - name: network.iana_number - type: keyword -- description: Name given by operators to sections of their network. - name: network.name - type: keyword -- description: |- - Total packets transferred in both directions. - If `source.packets` and `destination.packets` are known, `network.packets` is their sum. - name: network.packets - type: long -- description: |- - In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. - The field value must be normalized to lowercase for querying. - name: network.protocol - type: keyword -- description: |- - Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) - The field value must be normalized to lowercase for querying. - name: network.transport - type: keyword -- description: |- - In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc - The field value must be normalized to lowercase for querying. - name: network.type - type: keyword -- description: City name. 
- name: observer.geo.city_name - type: keyword -- description: Name of the continent. - name: observer.geo.continent_name - type: keyword -- description: Country ISO code. - name: observer.geo.country_iso_code - type: keyword -- description: Country name. - name: observer.geo.country_name - type: keyword -- description: Longitude and latitude. - name: observer.geo.location - type: geo_point -- description: |- - User-defined description of a location, at the level of granularity they care about. - Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. - Not typically used in automated geolocation. - name: observer.geo.name - type: keyword -- description: Region ISO code. - name: observer.geo.region_iso_code - type: keyword -- description: Region name. - name: observer.geo.region_name - type: keyword -- description: Hostname of the observer. - name: observer.hostname - type: keyword -- description: IP addresses of the observer. - name: observer.ip - normalize: - - array - type: ip -- description: |- - MAC addresses of the observer. - The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. - name: observer.mac - normalize: - - array - pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ - type: keyword -- description: |- - Custom name of the observer. - This is a name that can be given to an observer. This can be helpful for example if multiple firewalls of the same model are used in an organization. - If no custom name is needed, the field can be left empty. - name: observer.name - type: keyword -- description: OS family (such as redhat, debian, freebsd, windows). - name: observer.os.family - type: keyword -- description: Operating system name, including the version or code name. 
- multi_fields: - - name: text - type: match_only_text - name: observer.os.full - type: keyword -- description: Operating system kernel version as a raw string. - name: observer.os.kernel - type: keyword -- description: Operating system name, without the version. - multi_fields: - - name: text - type: match_only_text - name: observer.os.name - type: keyword -- description: Operating system platform (such centos, ubuntu, windows). - name: observer.os.platform - type: keyword -- description: Operating system version as a raw string. - name: observer.os.version - type: keyword -- description: The product name of the observer. - name: observer.product - type: keyword -- description: Observer serial number. - name: observer.serial_number - type: keyword -- description: |- - The type of the observer the data is coming from. - There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. - name: observer.type - type: keyword -- description: Vendor name of the observer. - name: observer.vendor - type: keyword -- description: Observer version. - name: observer.version - type: keyword -- description: Unique identifier for the organization. - name: organization.id - type: keyword -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: organization.name - type: keyword -- description: OS family (such as redhat, debian, freebsd, windows). - name: os.family - type: keyword -- description: Operating system name, including the version or code name. - multi_fields: - - name: text - type: match_only_text - name: os.full - type: keyword -- description: Operating system kernel version as a raw string. - name: os.kernel - type: keyword -- description: Operating system name, without the version. - multi_fields: - - name: text - type: match_only_text - name: os.name - type: keyword -- description: Operating system platform (such centos, ubuntu, windows). 
- name: os.platform - type: keyword -- description: Operating system version as a raw string. - name: os.version - type: keyword -- description: Package architecture. - name: package.architecture - type: keyword -- description: Checksum of the installed package for verification. - name: package.checksum - type: keyword -- description: Description of the package. - name: package.description - type: keyword -- description: Indicating how the package was installed, e.g. user-local, global. - name: package.install_scope - type: keyword -- description: Time when package was installed. - name: package.installed - type: date -- description: |- - License under which the package was released. - Use a short name, e.g. the license identifier from SPDX License List where possible (https://spdx.org/licenses/). - name: package.license - type: keyword -- description: Package name - name: package.name - type: keyword -- description: Path where the package is installed. - name: package.path - type: keyword -- description: Package size in bytes. - name: package.size - type: long -- description: Package version - name: package.version - type: keyword -- description: |- - Array of process arguments, starting with the absolute path to the executable. - May be filtered to protect sensitive information. - name: process.args - normalize: - - array - type: keyword -- description: Absolute path to the process executable. - multi_fields: - - name: text - type: match_only_text - name: process.executable - type: keyword -- description: MD5 hash. - name: process.hash.md5 - type: keyword -- description: SHA1 hash. - name: process.hash.sha1 - type: keyword -- description: SHA256 hash. - name: process.hash.sha256 - type: keyword -- description: SHA512 hash. - name: process.hash.sha512 - type: keyword -- description: |- - Process name. - Sometimes called program name or similar. 
- multi_fields: - - name: text - type: match_only_text - name: process.name - type: keyword -- description: |- - Deprecated for removal in next major version release. This field is superseded by `process.group_leader.pid`. - Identifier of the group of processes the process belongs to. - name: process.pgid - type: long -- description: Process id. - name: process.pid - type: long -- description: Process id. - name: process.parent.pid - type: long -- description: The time the process started. - name: process.start - type: date -- description: Thread ID. - name: process.thread.id - type: long -- description: Thread name. - name: process.thread.name - type: keyword -- description: |- - Process title. - The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. - multi_fields: - - name: text - type: match_only_text - name: process.title - type: keyword -- description: Seconds the process has been up. - name: process.uptime - type: long -- description: The working directory of the process. - multi_fields: - - name: text - type: match_only_text - name: process.working_directory - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - normalize: - - array - type: ip -- description: |- - Some event server addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: server.address - type: keyword -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: server.as.number - type: long -- description: Organization name. 
- multi_fields: - - name: text - type: match_only_text - name: server.as.organization.name - type: keyword -- description: Bytes sent from the server to the client. - name: server.bytes - type: long -- description: |- - The domain name of the server system. - This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. - name: server.domain - type: keyword -- description: City name. - name: server.geo.city_name - type: keyword -- description: Name of the continent. - name: server.geo.continent_name - type: keyword -- description: Country ISO code. - name: server.geo.country_iso_code - type: keyword -- description: Country name. - name: server.geo.country_name - type: keyword -- description: Longitude and latitude. - name: server.geo.location - type: geo_point -- description: |- - User-defined description of a location, at the level of granularity they care about. - Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. - Not typically used in automated geolocation. - name: server.geo.name - type: keyword -- description: Region ISO code. - name: server.geo.region_iso_code - type: keyword -- description: Region name. - name: server.geo.region_name - type: keyword -- description: IP address of the server (IPv4 or IPv6). - name: server.ip - type: ip -- description: |- - MAC address of the server. - The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. - name: server.mac - pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ - type: keyword -- description: |- - Translated ip of destination based NAT sessions (e.g. internet to private DMZ) - Typically used with load balancers, firewalls, or routers. 
- name: server.nat.ip - type: ip -- description: |- - Translated port of destination based NAT sessions (e.g. internet to private DMZ) - Typically used with load balancers, firewalls, or routers. - name: server.nat.port - type: long -- description: Packets sent from the server to the client. - name: server.packets - type: long -- description: Port of the server. - name: server.port - type: long -- description: |- - The highest registered server domain, stripped of the subdomain. - For example, the registered domain for "foo.example.com" is "example.com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". - name: server.registered_domain - type: keyword -- description: |- - The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". - name: server.top_level_domain - type: keyword -- description: |- - Name of the directory the user is a member of. - For example, an LDAP or Active Directory domain name. - name: server.user.domain - type: keyword -- description: User email address. - name: server.user.email - type: keyword -- description: User's full name, if available. - multi_fields: - - name: text - type: match_only_text - name: server.user.full_name - type: keyword -- description: |- - Name of the directory the group is a member of. - For example, an LDAP or Active Directory domain name. - name: server.user.group.domain - type: keyword -- description: Unique identifier for the group on the system/platform. 
- name: server.user.group.id - type: keyword -- description: Name of the group. - name: server.user.group.name - type: keyword -- description: |- - Unique user hash to correlate information for a user in anonymized form. - Useful if `user.id` or `user.name` contain confidential information and cannot be used. - name: server.user.hash - type: keyword -- description: Unique identifier of the user. - name: server.user.id - type: keyword -- description: Short name or login of the user. - multi_fields: - - name: text - type: match_only_text - name: server.user.name - type: keyword -- description: |- - Ephemeral identifier of this service (if one exists). - This id normally changes across restarts, but `service.id` does not. - name: service.ephemeral_id - type: keyword -- description: |- - Unique identifier of the running service. If the service is comprised of many nodes, the `service.id` should be the same for all nodes. - This id should uniquely identify the service. This makes it possible to correlate logs and metrics for one specific service, no matter which particular node emitted the event. - Note that if you need to see the events from one specific host of the service, you should filter on that `host.name` or `host.id` instead. - name: service.id - type: keyword -- description: |- - Name of the service data is collected from. - The name of the service is normally user given. This allows for distributed services that run on multiple hosts to correlate the related instances based on the name. - In the case of Elasticsearch the `service.name` could contain the cluster name. For Beats the `service.name` is by default a copy of the `service.type` field if no name is specified. - name: service.name - type: keyword -- description: |- - Name of a service node. - This allows for two nodes of the same service running on the same host to be differentiated. Therefore, `service.node.name` should typically be unique across nodes of a given service. 
- In the case of Elasticsearch, the `service.node.name` could contain the unique node name within the Elasticsearch cluster. In cases where the service doesn't have the concept of a node name, the host name or container name can be used to distinguish running instances that make up this service. If those do not provide uniqueness (e.g. multiple instances of the service running on the same host) - the node name can be manually set. - name: service.node.name - type: keyword -- description: Current state of the service. - name: service.state - type: keyword -- description: |- - The type of the service data is collected from. - The type can be used to group and correlate logs and metrics from one service type. - Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. - name: service.type - type: keyword -- description: |- - Version of the service the data was collected from. - This allows to look at a data set only for a specific version of a service. - name: service.version - type: keyword -- description: |- - Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: source.address - type: keyword -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: source.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: source.as.organization.name - type: keyword -- description: Bytes sent from the source to the destination. - name: source.bytes - type: long -- description: |- - The domain name of the source system. - This value may be a host name, a fully qualified domain name, or another host naming format. 
The value may derive from the original event or be added from enrichment. - name: source.domain - type: keyword -- description: City name. - name: source.geo.city_name - type: keyword -- description: Name of the continent. - name: source.geo.continent_name - type: keyword -- description: Country ISO code. - name: source.geo.country_iso_code - type: keyword -- description: Country name. - name: source.geo.country_name - type: keyword -- description: Longitude and latitude. - name: source.geo.location - type: geo_point -- description: |- - User-defined description of a location, at the level of granularity they care about. - Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. - Not typically used in automated geolocation. - name: source.geo.name - type: keyword -- description: Region ISO code. - name: source.geo.region_iso_code - type: keyword -- description: Region name. - name: source.geo.region_name - type: keyword -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: |- - MAC address of the source. - The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. - name: source.mac - pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ - type: keyword -- description: |- - Translated ip of source based NAT sessions (e.g. internal client to internet) - Typically connections traversing load balancers, firewalls, or routers. - name: source.nat.ip - type: ip -- description: |- - Translated port of source based NAT sessions. (e.g. internal client to internet) - Typically used with load balancers, firewalls, or routers. - name: source.nat.port - type: long -- description: Packets sent from the source to the destination. - name: source.packets - type: long -- description: Port of the source. 
- name: source.port - type: long -- description: |- - The highest registered source domain, stripped of the subdomain. - For example, the registered domain for "foo.example.com" is "example.com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". - name: source.registered_domain - type: keyword -- description: |- - The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". - name: source.top_level_domain - type: keyword -- description: |- - Name of the directory the user is a member of. - For example, an LDAP or Active Directory domain name. - name: source.user.domain - type: keyword -- description: User email address. - name: source.user.email - type: keyword -- description: User's full name, if available. - multi_fields: - - name: text - type: match_only_text - name: source.user.full_name - type: keyword -- description: |- - Name of the directory the group is a member of. - For example, an LDAP or Active Directory domain name. - name: source.user.group.domain - type: keyword -- description: Unique identifier for the group on the system/platform. - name: source.user.group.id - type: keyword -- description: Name of the group. - name: source.user.group.name - type: keyword -- description: |- - Unique user hash to correlate information for a user in anonymized form. - Useful if `user.id` or `user.name` contain confidential information and cannot be used. - name: source.user.hash - type: keyword -- description: Unique identifier of the user. 
- name: source.user.id - type: keyword -- description: Short name or login of the user. - multi_fields: - - name: text - type: match_only_text - name: source.user.name - type: keyword -- description: List of keywords used to tag each event. - name: tags - normalize: - - array - type: keyword -- description: Name of the threat framework used to further categorize and classify the tactic and technique of the reported threat. Framework classification can be provided by detecting systems, evaluated at ingest time, or retrospectively tagged to events. - name: threat.framework - type: keyword -- description: The id of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/ ) - name: threat.tactic.id - normalize: - - array - type: keyword -- description: Name of the type of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/) - name: threat.tactic.name - normalize: - - array - type: keyword -- description: The reference url of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/ ) - name: threat.tactic.reference - normalize: - - array - type: keyword -- description: The id of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1059/) - name: threat.technique.id - normalize: - - array - type: keyword -- description: The name of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1059/) - multi_fields: - - name: text - type: match_only_text - name: threat.technique.name - normalize: - - array - type: keyword -- description: The reference url of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. 
https://attack.mitre.org/techniques/T1059/) - name: threat.technique.reference - normalize: - - array - type: keyword -- description: |- - Unique identifier of the trace. - A trace groups multiple events like transactions that belong together. For example, a user request handled by multiple inter-connected services. - name: trace.id - type: keyword -- description: |- - Unique identifier of the transaction within the scope of its trace. - A transaction is the highest level of work measured within a service, such as a request to a server. - name: transaction.id - type: keyword -- description: |- - Domain of the url, such as "www.elastic.co". - In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. - If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. - name: url.domain - type: keyword -- description: |- - The field contains the file extension from the original request url, excluding the leading dot. - The file extension is only set if it exists, as not every url has a file extension. - The leading period must not be included. For example, the value must be "png", not ".png". - Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). - name: url.extension - type: keyword -- description: |- - Portion of the url after the `#`, such as "top". - The `#` is not part of the fragment. - name: url.fragment - type: keyword -- description: If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. - multi_fields: - - name: text - type: match_only_text - name: url.full - type: wildcard -- description: |- - Unmodified original url as seen in the event source. 
- Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. - This field is meant to represent the URL as it was observed, complete or not. - multi_fields: - - name: text - type: match_only_text - name: url.original - type: wildcard -- description: Password of the request. - name: url.password - type: keyword -- description: Path of the request, such as "/search". - name: url.path - type: wildcard -- description: Port of the request, such as 443. - name: url.port - type: long -- description: |- - The query field describes the query string of the request, such as "q=elasticsearch". - The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. - name: url.query - type: keyword -- description: |- - The highest registered url domain, stripped of the subdomain. - For example, the registered domain for "foo.example.com" is "example.com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". - name: url.registered_domain - type: keyword -- description: |- - Scheme of the request, such as "https". - Note: The `:` is not part of the scheme. - name: url.scheme - type: keyword -- description: |- - The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". 
- name: url.top_level_domain - type: keyword -- description: Username of the request. - name: url.username - type: keyword -- description: |- - Name of the directory the user is a member of. - For example, an LDAP or Active Directory domain name. - name: user.domain - type: keyword -- description: User email address. - name: user.email - type: keyword -- description: User's full name, if available. - multi_fields: - - name: text - type: match_only_text - name: user.full_name - type: keyword -- description: |- - Name of the directory the group is a member of. - For example, an LDAP or Active Directory domain name. - name: user.group.domain - type: keyword -- description: Unique identifier for the group on the system/platform. - name: user.group.id - type: keyword -- description: Name of the group. - name: user.group.name - type: keyword -- description: |- - Unique user hash to correlate information for a user in anonymized form. - Useful if `user.id` or `user.name` contain confidential information and cannot be used. - name: user.hash - type: keyword -- description: Unique identifier of the user. - name: user.id - type: keyword -- description: Short name or login of the user. - multi_fields: - - name: text - type: match_only_text - name: user.name - type: keyword -- description: Name of the device. - name: user_agent.device.name - type: keyword -- description: Name of the user agent. - name: user_agent.name - type: keyword -- description: Unparsed user_agent string. - multi_fields: - - name: text - type: match_only_text - name: user_agent.original - type: keyword -- description: OS family (such as redhat, debian, freebsd, windows). - name: user_agent.os.family - type: keyword -- description: Operating system name, including the version or code name. - multi_fields: - - name: text - type: match_only_text - name: user_agent.os.full - type: keyword -- description: Operating system kernel version as a raw string. 
- name: user_agent.os.kernel - type: keyword -- description: Operating system name, without the version. - multi_fields: - - name: text - type: match_only_text - name: user_agent.os.name - type: keyword -- description: Operating system platform (such centos, ubuntu, windows). - name: user_agent.os.platform - type: keyword -- description: Operating system version as a raw string. - name: user_agent.os.version - type: keyword -- description: Version of the user agent. - name: user_agent.version - type: keyword diff --git a/packages/netflow/2.2.3/data_stream/log/fields/package-fields.yml b/packages/netflow/2.2.3/data_stream/log/fields/package-fields.yml deleted file mode 100755 index 1915b6a75d..0000000000 --- a/packages/netflow/2.2.3/data_stream/log/fields/package-fields.yml +++ /dev/null 
@@ -1,2689 +0,0 @@ -- name: input.type - description: Type of Filebeat input. - type: keyword -- name: flow.locality - type: keyword - description: Identifies whether the flow involved public IP addresses or only private address. -- name: flow.id - type: keyword - description: Hash of source and destination IPs. -- name: destination.locality - type: keyword - description: Whether the destination IP is private or public. -- name: source.locality - type: keyword - description: Whether the source IP is private or public. -- name: netflow - type: group - description: > - Fields from NetFlow and IPFIX. - - fields: - - name: type - type: keyword - description: > - The type of NetFlow record described by this event. - - - name: exporter - type: group - description: > - Metadata related to the exporter device that generated this record. - - fields: - - name: address - type: keyword - description: > - Exporter's network address in IP:port format. - - - name: source_id - type: long - description: > - Observation domain ID to which this record belongs. - - - name: timestamp - type: date - description: > - Time and date of export. - - - name: uptime_millis - type: long - description: > - How long the exporter process has been running, in milliseconds. - - - name: version - type: integer - description: > - NetFlow version used. 
- - - name: absolute_error - type: double - - name: address_pool_high_threshold - type: long - - name: address_pool_low_threshold - type: long - - name: address_port_mapping_high_threshold - type: long - - name: address_port_mapping_low_threshold - type: long - - name: address_port_mapping_per_user_high_threshold - type: long - - name: afc_protocol - type: integer - - name: afc_protocol_name - type: keyword - - name: anonymization_flags - type: integer - - name: anonymization_technique - type: integer - - name: application_business-relevance - type: long - - name: application_category_name - type: keyword - - name: application_description - type: keyword - - name: application_group_name - type: keyword - - name: application_http_uri_statistics - type: short - - name: application_http_user-agent - type: short - - name: application_id - type: short - - name: application_name - type: keyword - - name: application_sub_category_name - type: keyword - - name: application_traffic-class - type: long - - name: art_client_network_time_maximum - type: long - - name: art_client_network_time_minimum - type: long - - name: art_client_network_time_sum - type: long - - name: art_clientpackets - type: long - - name: art_count_late_responses - type: long - - name: art_count_new_connections - type: long - - name: art_count_responses - type: long - - name: art_count_responses_histogram_bucket1 - type: long - - name: art_count_responses_histogram_bucket2 - type: long - - name: art_count_responses_histogram_bucket3 - type: long - - name: art_count_responses_histogram_bucket4 - type: long - - name: art_count_responses_histogram_bucket5 - type: long - - name: art_count_responses_histogram_bucket6 - type: long - - name: art_count_responses_histogram_bucket7 - type: long - - name: art_count_retransmissions - type: long - - name: art_count_transactions - type: long - - name: art_network_time_maximum - type: long - - name: art_network_time_minimum - type: long - - name: art_network_time_sum - 
type: long - - name: art_response_time_maximum - type: long - - name: art_response_time_minimum - type: long - - name: art_response_time_sum - type: long - - name: art_server_network_time_maximum - type: long - - name: art_server_network_time_minimum - type: long - - name: art_server_network_time_sum - type: long - - name: art_server_response_time_maximum - type: long - - name: art_server_response_time_minimum - type: long - - name: art_server_response_time_sum - type: long - - name: art_serverpackets - type: long - - name: art_total_response_time_maximum - type: long - - name: art_total_response_time_minimum - type: long - - name: art_total_response_time_sum - type: long - - name: art_total_transaction_time_maximum - type: long - - name: art_total_transaction_time_minimum - type: long - - name: art_total_transaction_time_sum - type: long - - name: assembled_fragment_count - type: long - - name: audit_counter - type: long - - name: average_interarrival_time - type: long - - name: bgp_destination_as_number - type: long - - name: bgp_next_adjacent_as_number - type: long - - name: bgp_next_hop_ipv4_address - type: ip - - name: bgp_next_hop_ipv6_address - type: ip - - name: bgp_prev_adjacent_as_number - type: long - - name: bgp_source_as_number - type: long - - name: bgp_validity_state - type: short - - name: biflow_direction - type: short - - name: bind_ipv4_address - type: ip - - name: bind_transport_port - type: integer - - name: class_id - type: long - - name: class_name - type: keyword - - name: classification_engine_id - type: short - - name: collection_time_milliseconds - type: date - - name: collector_certificate - type: short - - name: collector_ipv4_address - type: ip - - name: collector_ipv6_address - type: ip - - name: collector_transport_port - type: integer - - name: common_properties_id - type: long - - name: confidence_level - type: double - - name: conn_ipv4_address - type: ip - - name: conn_transport_port - type: integer - - name: 
connection_sum_duration_seconds - type: long - - name: connection_transaction_id - type: long - - name: conntrack_id - type: long - - name: data_byte_count - type: long - - name: data_link_frame_section - type: short - - name: data_link_frame_size - type: integer - - name: data_link_frame_type - type: integer - - name: data_records_reliability - type: boolean - - name: delta_flow_count - type: long - - name: destination_ipv4_address - type: ip - - name: destination_ipv4_prefix - type: ip - - name: destination_ipv4_prefix_length - type: short - - name: destination_ipv6_address - type: ip - - name: destination_ipv6_prefix - type: ip - - name: destination_ipv6_prefix_length - type: short - - name: destination_mac_address - type: keyword - - name: destination_transport_port - type: integer - - name: digest_hash_value - type: long - - name: distinct_count_of_destination_ip_address - type: long - - name: distinct_count_of_destination_ipv4_address - type: long - - name: distinct_count_of_destination_ipv6_address - type: long - - name: distinct_count_of_source_ip_address - type: long - - name: distinct_count_of_source_ipv4_address - type: long - - name: distinct_count_of_source_ipv6_address - type: long - - name: dns_authoritative - type: short - - name: dns_cname - type: keyword - - name: dns_id - type: integer - - name: dns_mx_exchange - type: keyword - - name: dns_mx_preference - type: integer - - name: dns_nsd_name - type: keyword - - name: dns_nx_domain - type: short - - name: dns_ptrd_name - type: keyword - - name: dns_qname - type: keyword - - name: dns_qr_type - type: integer - - name: dns_query_response - type: short - - name: dns_rr_section - type: short - - name: dns_soa_expire - type: long - - name: dns_soa_minimum - type: long - - name: dns_soa_refresh - type: long - - name: dns_soa_retry - type: long - - name: dns_soa_serial - type: long - - name: dns_soam_name - type: keyword - - name: dns_soar_name - type: keyword - - name: dns_srv_port - type: integer - - 
name: dns_srv_priority - type: integer - - name: dns_srv_target - type: integer - - name: dns_srv_weight - type: integer - - name: dns_ttl - type: long - - name: dns_txt_data - type: keyword - - name: dot1q_customer_dei - type: boolean - - name: dot1q_customer_destination_mac_address - type: keyword - - name: dot1q_customer_priority - type: short - - name: dot1q_customer_source_mac_address - type: keyword - - name: dot1q_customer_vlan_id - type: integer - - name: dot1q_dei - type: boolean - - name: dot1q_priority - type: short - - name: dot1q_service_instance_id - type: long - - name: dot1q_service_instance_priority - type: short - - name: dot1q_service_instance_tag - type: short - - name: dot1q_vlan_id - type: integer - - name: dropped_layer2_octet_delta_count - type: long - - name: dropped_layer2_octet_total_count - type: long - - name: dropped_octet_delta_count - type: long - - name: dropped_octet_total_count - type: long - - name: dropped_packet_delta_count - type: long - - name: dropped_packet_total_count - type: long - - name: dst_traffic_index - type: long - - name: egress_broadcast_packet_total_count - type: long - - name: egress_interface - type: long - - name: egress_interface_type - type: long - - name: egress_physical_interface - type: long - - name: egress_unicast_packet_total_count - type: long - - name: egress_vrfid - type: long - - name: encrypted_technology - type: keyword - - name: engine_id - type: short - - name: engine_type - type: short - - name: ethernet_header_length - type: short - - name: ethernet_payload_length - type: integer - - name: ethernet_total_length - type: integer - - name: ethernet_type - type: integer - - name: expired_fragment_count - type: long - - name: export_interface - type: long - - name: export_protocol_version - type: short - - name: export_sctp_stream_id - type: integer - - name: export_transport_protocol - type: short - - name: exported_flow_record_total_count - type: long - - name: exported_message_total_count - 
type: long - - name: exported_octet_total_count - type: long - - name: exporter_certificate - type: short - - name: exporter_ipv4_address - type: ip - - name: exporter_ipv6_address - type: ip - - name: exporter_transport_port - type: integer - - name: exporting_process_id - type: long - - name: external_address_realm - type: short - - name: firewall_event - type: short - - name: first_eight_non_empty_packet_directions - type: short - - name: first_non_empty_packet_size - type: integer - - name: first_packet_banner - type: keyword - - name: flags_and_sampler_id - type: long - - name: flow_active_timeout - type: integer - - name: flow_attributes - type: integer - - name: flow_direction - type: short - - name: flow_duration_microseconds - type: long - - name: flow_duration_milliseconds - type: long - - name: flow_end_delta_microseconds - type: long - - name: flow_end_microseconds - type: date - - name: flow_end_milliseconds - type: date - - name: flow_end_nanoseconds - type: date - - name: flow_end_reason - type: short - - name: flow_end_seconds - type: date - - name: flow_end_sys_up_time - type: long - - name: flow_id - type: long - - name: flow_idle_timeout - type: integer - - name: flow_key_indicator - type: long - - name: flow_label_ipv6 - type: long - - name: flow_sampling_time_interval - type: long - - name: flow_sampling_time_spacing - type: long - - name: flow_selected_flow_delta_count - type: long - - name: flow_selected_octet_delta_count - type: long - - name: flow_selected_packet_delta_count - type: long - - name: flow_selector_algorithm - type: integer - - name: flow_start_delta_microseconds - type: long - - name: flow_start_microseconds - type: date - - name: flow_start_milliseconds - type: date - - name: flow_start_nanoseconds - type: date - - name: flow_start_seconds - type: date - - name: flow_start_sys_up_time - type: long - - name: flow_table_flush_event_count - type: long - - name: flow_table_peak_count - type: long - - name: forwarding_status - 
type: short - - name: fragment_flags - type: short - - name: fragment_identification - type: long - - name: fragment_offset - type: integer - - name: fw_blackout_secs - type: long - - name: fw_configured_value - type: long - - name: fw_cts_src_sgt - type: long - - name: fw_event_level - type: long - - name: fw_event_level_id - type: long - - name: fw_ext_event - type: integer - - name: fw_ext_event_alt - type: long - - name: fw_ext_event_desc - type: keyword - - name: fw_half_open_count - type: long - - name: fw_half_open_high - type: long - - name: fw_half_open_rate - type: long - - name: fw_max_sessions - type: long - - name: fw_rule - type: keyword - - name: fw_summary_pkt_count - type: long - - name: fw_zone_pair_id - type: long - - name: fw_zone_pair_name - type: long - - name: global_address_mapping_high_threshold - type: long - - name: gre_key - type: long - - name: hash_digest_output - type: boolean - - name: hash_flow_domain - type: integer - - name: hash_initialiser_value - type: long - - name: hash_ip_payload_offset - type: long - - name: hash_ip_payload_size - type: long - - name: hash_output_range_max - type: long - - name: hash_output_range_min - type: long - - name: hash_selected_range_max - type: long - - name: hash_selected_range_min - type: long - - name: http_content_type - type: keyword - - name: http_message_version - type: keyword - - name: http_reason_phrase - type: keyword - - name: http_request_host - type: keyword - - name: http_request_method - type: keyword - - name: http_request_target - type: keyword - - name: http_status_code - type: integer - - name: http_user_agent - type: keyword - - name: icmp_code_ipv4 - type: short - - name: icmp_code_ipv6 - type: short - - name: icmp_type_code_ipv4 - type: integer - - name: icmp_type_code_ipv6 - type: integer - - name: icmp_type_ipv4 - type: short - - name: icmp_type_ipv6 - type: short - - name: igmp_type - type: short - - name: ignored_data_record_total_count - type: long - - name: 
ignored_layer2_frame_total_count - type: long - - name: ignored_layer2_octet_total_count - type: long - - name: ignored_octet_total_count - type: long - - name: ignored_packet_total_count - type: long - - name: information_element_data_type - type: short - - name: information_element_description - type: keyword - - name: information_element_id - type: integer - - name: information_element_index - type: integer - - name: information_element_name - type: keyword - - name: information_element_range_begin - type: long - - name: information_element_range_end - type: long - - name: information_element_semantics - type: short - - name: information_element_units - type: integer - - name: ingress_broadcast_packet_total_count - type: long - - name: ingress_interface - type: long - - name: ingress_interface_type - type: long - - name: ingress_multicast_packet_total_count - type: long - - name: ingress_physical_interface - type: long - - name: ingress_unicast_packet_total_count - type: long - - name: ingress_vrfid - type: long - - name: initial_tcp_flags - type: short - - name: initiator_octets - type: long - - name: initiator_packets - type: long - - name: interface_description - type: keyword - - name: interface_name - type: keyword - - name: intermediate_process_id - type: long - - name: internal_address_realm - type: short - - name: ip_class_of_service - type: short - - name: ip_diff_serv_code_point - type: short - - name: ip_header_length - type: short - - name: ip_header_packet_section - type: short - - name: ip_next_hop_ipv4_address - type: ip - - name: ip_next_hop_ipv6_address - type: ip - - name: ip_payload_length - type: long - - name: ip_payload_packet_section - type: short - - name: ip_precedence - type: short - - name: ip_sec_spi - type: long - - name: ip_total_length - type: long - - name: ip_ttl - type: short - - name: ip_version - type: short - - name: ipv4_ihl - type: short - - name: ipv4_options - type: long - - name: ipv4_router_sc - type: ip - - name: 
ipv6_extension_headers - type: long - - name: is_multicast - type: short - - name: ixia_browser_id - type: short - - name: ixia_browser_name - type: keyword - - name: ixia_device_id - type: short - - name: ixia_device_name - type: keyword - - name: ixia_dns_answer - type: keyword - - name: ixia_dns_classes - type: keyword - - name: ixia_dns_query - type: keyword - - name: ixia_dns_record_txt - type: keyword - - name: ixia_dst_as_name - type: keyword - - name: ixia_dst_city_name - type: keyword - - name: ixia_dst_country_code - type: keyword - - name: ixia_dst_country_name - type: keyword - - name: ixia_dst_latitude - type: float - - name: ixia_dst_longitude - type: float - - name: ixia_dst_region_code - type: keyword - - name: ixia_dst_region_node - type: keyword - - name: ixia_encrypt_cipher - type: keyword - - name: ixia_encrypt_key_length - type: integer - - name: ixia_encrypt_type - type: keyword - - name: ixia_http_host_name - type: keyword - - name: ixia_http_uri - type: keyword - - name: ixia_http_user_agent - type: keyword - - name: ixia_imsi_subscriber - type: keyword - - name: ixia_l7_app_id - type: long - - name: ixia_l7_app_name - type: keyword - - name: ixia_latency - type: long - - name: ixia_rev_octet_delta_count - type: long - - name: ixia_rev_packet_delta_count - type: long - - name: ixia_src_as_name - type: keyword - - name: ixia_src_city_name - type: keyword - - name: ixia_src_country_code - type: keyword - - name: ixia_src_country_name - type: keyword - - name: ixia_src_latitude - type: float - - name: ixia_src_longitude - type: float - - name: ixia_src_region_code - type: keyword - - name: ixia_src_region_name - type: keyword - - name: ixia_threat_ipv4 - type: ip - - name: ixia_threat_ipv6 - type: ip - - name: ixia_threat_type - type: keyword - - name: large_packet_count - type: long - - name: layer2_frame_delta_count - type: long - - name: layer2_frame_total_count - type: long - - name: layer2_octet_delta_count - type: long - - name: 
layer2_octet_delta_sum_of_squares - type: long - - name: layer2_octet_total_count - type: long - - name: layer2_octet_total_sum_of_squares - type: long - - name: layer2_segment_id - type: long - - name: layer2packet_section_data - type: short - - name: layer2packet_section_offset - type: integer - - name: layer2packet_section_size - type: integer - - name: line_card_id - type: long - - name: log_op - type: short - - name: lower_ci_limit - type: double - - name: mark - type: long - - name: max_bib_entries - type: long - - name: max_entries_per_user - type: long - - name: max_export_seconds - type: date - - name: max_flow_end_microseconds - type: date - - name: max_flow_end_milliseconds - type: date - - name: max_flow_end_nanoseconds - type: date - - name: max_flow_end_seconds - type: date - - name: max_fragments_pending_reassembly - type: long - - name: max_packet_size - type: integer - - name: max_session_entries - type: long - - name: max_subscribers - type: long - - name: maximum_ip_total_length - type: long - - name: maximum_layer2_total_length - type: long - - name: maximum_ttl - type: short - - name: mean_flow_rate - type: long - - name: mean_packet_rate - type: long - - name: message_md5_checksum - type: short - - name: message_scope - type: short - - name: metering_process_id - type: long - - name: metro_evc_id - type: keyword - - name: metro_evc_type - type: short - - name: mib_capture_time_semantics - type: short - - name: mib_context_engine_id - type: short - - name: mib_context_name - type: keyword - - name: mib_index_indicator - type: long - - name: mib_module_name - type: keyword - - name: mib_object_description - type: keyword - - name: mib_object_identifier - type: short - - name: mib_object_name - type: keyword - - name: mib_object_syntax - type: keyword - - name: mib_object_value_bits - type: short - - name: mib_object_value_counter - type: long - - name: mib_object_value_gauge - type: long - - name: mib_object_value_integer - type: integer - - 
name: mib_object_value_ip_address - type: ip - - name: mib_object_value_octet_string - type: short - - name: mib_object_value_oid - type: short - - name: mib_object_value_time_ticks - type: long - - name: mib_object_value_unsigned - type: long - - name: mib_sub_identifier - type: long - - name: min_export_seconds - type: date - - name: min_flow_start_microseconds - type: date - - name: min_flow_start_milliseconds - type: date - - name: min_flow_start_nanoseconds - type: date - - name: min_flow_start_seconds - type: date - - name: minimum_ip_total_length - type: long - - name: minimum_layer2_total_length - type: long - - name: minimum_ttl - type: short - - name: mobile_imsi - type: keyword - - name: mobile_msisdn - type: keyword - - name: monitoring_interval_end_milli_seconds - type: date - - name: monitoring_interval_start_milli_seconds - type: date - - name: mpls_label_stack_depth - type: long - - name: mpls_label_stack_length - type: long - - name: mpls_label_stack_section - type: short - - name: mpls_label_stack_section10 - type: short - - name: mpls_label_stack_section2 - type: short - - name: mpls_label_stack_section3 - type: short - - name: mpls_label_stack_section4 - type: short - - name: mpls_label_stack_section5 - type: short - - name: mpls_label_stack_section6 - type: short - - name: mpls_label_stack_section7 - type: short - - name: mpls_label_stack_section8 - type: short - - name: mpls_label_stack_section9 - type: short - - name: mpls_payload_length - type: long - - name: mpls_payload_packet_section - type: short - - name: mpls_top_label_exp - type: short - - name: mpls_top_label_ipv4_address - type: ip - - name: mpls_top_label_ipv6_address - type: ip - - name: mpls_top_label_prefix_length - type: short - - name: mpls_top_label_stack_section - type: short - - name: mpls_top_label_ttl - type: short - - name: mpls_top_label_type - type: short - - name: mpls_vpn_route_distinguisher - type: short - - name: mptcp_address_id - type: short - - name: mptcp_flags 
- type: short - - name: mptcp_initial_data_sequence_number - type: long - - name: mptcp_maximum_segment_size - type: integer - - name: mptcp_receiver_token - type: long - - name: multicast_replication_factor - type: long - - name: nat_event - type: short - - name: nat_inside_svcid - type: integer - - name: nat_instance_id - type: long - - name: nat_originating_address_realm - type: short - - name: nat_outside_svcid - type: integer - - name: nat_pool_id - type: long - - name: nat_pool_name - type: keyword - - name: nat_quota_exceeded_event - type: long - - name: nat_sub_string - type: keyword - - name: nat_threshold_event - type: long - - name: nat_type - type: short - - name: netscale_ica_client_version - type: keyword - - name: netscaler_aaa_username - type: keyword - - name: netscaler_app_name - type: keyword - - name: netscaler_app_name_app_id - type: long - - name: netscaler_app_name_incarnation_number - type: long - - name: netscaler_app_template_name - type: keyword - - name: netscaler_app_unit_name_app_id - type: long - - name: netscaler_application_startup_duration - type: long - - name: netscaler_application_startup_time - type: long - - name: netscaler_cache_redir_client_connection_core_id - type: long - - name: netscaler_cache_redir_client_connection_transaction_id - type: long - - name: netscaler_client_rtt - type: long - - name: netscaler_connection_chain_hop_count - type: long - - name: netscaler_connection_chain_id - type: short - - name: netscaler_connection_id - type: long - - name: netscaler_current_license_consumed - type: long - - name: netscaler_db_clt_host_name - type: keyword - - name: netscaler_db_database_name - type: keyword - - name: netscaler_db_login_flags - type: long - - name: netscaler_db_protocol_name - type: short - - name: netscaler_db_req_string - type: keyword - - name: netscaler_db_req_type - type: short - - name: netscaler_db_resp_length - type: long - - name: netscaler_db_resp_status - type: long - - name: 
netscaler_db_resp_status_string - type: keyword - - name: netscaler_db_user_name - type: keyword - - name: netscaler_flow_flags - type: long - - name: netscaler_http_client_interaction_end_time - type: keyword - - name: netscaler_http_client_interaction_start_time - type: keyword - - name: netscaler_http_client_render_end_time - type: keyword - - name: netscaler_http_client_render_start_time - type: keyword - - name: netscaler_http_content_type - type: keyword - - name: netscaler_http_domain_name - type: keyword - - name: netscaler_http_req_authorization - type: keyword - - name: netscaler_http_req_cookie - type: keyword - - name: netscaler_http_req_forw_fb - type: long - - name: netscaler_http_req_forw_lb - type: long - - name: netscaler_http_req_host - type: keyword - - name: netscaler_http_req_method - type: keyword - - name: netscaler_http_req_rcv_fb - type: long - - name: netscaler_http_req_rcv_lb - type: long - - name: netscaler_http_req_referer - type: keyword - - name: netscaler_http_req_url - type: keyword - - name: netscaler_http_req_user_agent - type: keyword - - name: netscaler_http_req_via - type: keyword - - name: netscaler_http_req_xforwarded_for - type: keyword - - name: netscaler_http_res_forw_fb - type: long - - name: netscaler_http_res_forw_lb - type: long - - name: netscaler_http_res_location - type: keyword - - name: netscaler_http_res_rcv_fb - type: long - - name: netscaler_http_res_rcv_lb - type: long - - name: netscaler_http_res_set_cookie - type: keyword - - name: netscaler_http_res_set_cookie2 - type: keyword - - name: netscaler_http_rsp_len - type: long - - name: netscaler_http_rsp_status - type: integer - - name: netscaler_ica_app_module_path - type: keyword - - name: netscaler_ica_app_process_id - type: long - - name: netscaler_ica_application_name - type: keyword - - name: netscaler_ica_application_termination_time - type: long - - name: netscaler_ica_application_termination_type - type: integer - - name: netscaler_ica_channel_id1 - 
type: long - - name: netscaler_ica_channel_id1_bytes - type: long - - name: netscaler_ica_channel_id2 - type: long - - name: netscaler_ica_channel_id2_bytes - type: long - - name: netscaler_ica_channel_id3 - type: long - - name: netscaler_ica_channel_id3_bytes - type: long - - name: netscaler_ica_channel_id4 - type: long - - name: netscaler_ica_channel_id4_bytes - type: long - - name: netscaler_ica_channel_id5 - type: long - - name: netscaler_ica_channel_id5_bytes - type: long - - name: netscaler_ica_client_host_name - type: keyword - - name: netscaler_ica_client_ip - type: ip - - name: netscaler_ica_client_launcher - type: integer - - name: netscaler_ica_client_side_rto_count - type: integer - - name: netscaler_ica_client_side_window_size - type: integer - - name: netscaler_ica_client_type - type: integer - - name: netscaler_ica_clientside_delay - type: long - - name: netscaler_ica_clientside_jitter - type: long - - name: netscaler_ica_clientside_packets_retransmit - type: integer - - name: netscaler_ica_clientside_rtt - type: long - - name: netscaler_ica_clientside_rx_bytes - type: long - - name: netscaler_ica_clientside_srtt - type: long - - name: netscaler_ica_clientside_tx_bytes - type: long - - name: netscaler_ica_connection_priority - type: integer - - name: netscaler_ica_device_serial_no - type: long - - name: netscaler_ica_domain_name - type: keyword - - name: netscaler_ica_flags - type: long - - name: netscaler_ica_host_delay - type: long - - name: netscaler_ica_l7_client_latency - type: long - - name: netscaler_ica_l7_server_latency - type: long - - name: netscaler_ica_launch_mechanism - type: integer - - name: netscaler_ica_network_update_end_time - type: long - - name: netscaler_ica_network_update_start_time - type: long - - name: netscaler_ica_rtt - type: long - - name: netscaler_ica_server_name - type: keyword - - name: netscaler_ica_server_side_rto_count - type: integer - - name: netscaler_ica_server_side_window_size - type: integer - - name: 
netscaler_ica_serverside_delay - type: long - - name: netscaler_ica_serverside_jitter - type: long - - name: netscaler_ica_serverside_packets_retransmit - type: integer - - name: netscaler_ica_serverside_rtt - type: long - - name: netscaler_ica_serverside_srtt - type: long - - name: netscaler_ica_session_end_time - type: long - - name: netscaler_ica_session_guid - type: short - - name: netscaler_ica_session_reconnects - type: short - - name: netscaler_ica_session_setup_time - type: long - - name: netscaler_ica_session_update_begin_sec - type: long - - name: netscaler_ica_session_update_end_sec - type: long - - name: netscaler_ica_username - type: keyword - - name: netscaler_license_type - type: short - - name: netscaler_main_page_core_id - type: long - - name: netscaler_main_page_id - type: long - - name: netscaler_max_license_count - type: long - - name: netscaler_msi_client_cookie - type: short - - name: netscaler_round_trip_time - type: long - - name: netscaler_server_ttfb - type: long - - name: netscaler_server_ttlb - type: long - - name: netscaler_syslog_message - type: keyword - - name: netscaler_syslog_priority - type: short - - name: netscaler_syslog_timestamp - type: long - - name: netscaler_transaction_id - type: long - - name: netscaler_unknown270 - type: long - - name: netscaler_unknown271 - type: long - - name: netscaler_unknown272 - type: long - - name: netscaler_unknown273 - type: long - - name: netscaler_unknown274 - type: long - - name: netscaler_unknown275 - type: long - - name: netscaler_unknown276 - type: long - - name: netscaler_unknown277 - type: long - - name: netscaler_unknown278 - type: long - - name: netscaler_unknown279 - type: long - - name: netscaler_unknown280 - type: long - - name: netscaler_unknown281 - type: long - - name: netscaler_unknown282 - type: long - - name: netscaler_unknown283 - type: long - - name: netscaler_unknown284 - type: long - - name: netscaler_unknown285 - type: long - - name: netscaler_unknown286 - type: long - - 
name: netscaler_unknown287 - type: long - - name: netscaler_unknown288 - type: long - - name: netscaler_unknown289 - type: long - - name: netscaler_unknown290 - type: long - - name: netscaler_unknown291 - type: long - - name: netscaler_unknown292 - type: long - - name: netscaler_unknown293 - type: long - - name: netscaler_unknown294 - type: long - - name: netscaler_unknown295 - type: long - - name: netscaler_unknown296 - type: long - - name: netscaler_unknown297 - type: long - - name: netscaler_unknown298 - type: long - - name: netscaler_unknown299 - type: long - - name: netscaler_unknown300 - type: long - - name: netscaler_unknown301 - type: long - - name: netscaler_unknown302 - type: long - - name: netscaler_unknown303 - type: long - - name: netscaler_unknown304 - type: long - - name: netscaler_unknown305 - type: long - - name: netscaler_unknown306 - type: long - - name: netscaler_unknown307 - type: long - - name: netscaler_unknown308 - type: long - - name: netscaler_unknown309 - type: long - - name: netscaler_unknown310 - type: long - - name: netscaler_unknown311 - type: long - - name: netscaler_unknown312 - type: long - - name: netscaler_unknown313 - type: long - - name: netscaler_unknown314 - type: long - - name: netscaler_unknown315 - type: long - - name: netscaler_unknown316 - type: keyword - - name: netscaler_unknown317 - type: long - - name: netscaler_unknown318 - type: long - - name: netscaler_unknown319 - type: keyword - - name: netscaler_unknown320 - type: integer - - name: netscaler_unknown321 - type: long - - name: netscaler_unknown322 - type: long - - name: netscaler_unknown323 - type: integer - - name: netscaler_unknown324 - type: integer - - name: netscaler_unknown325 - type: integer - - name: netscaler_unknown326 - type: integer - - name: netscaler_unknown327 - type: long - - name: netscaler_unknown328 - type: integer - - name: netscaler_unknown329 - type: integer - - name: netscaler_unknown330 - type: integer - - name: netscaler_unknown331 - 
type: integer - - name: netscaler_unknown332 - type: long - - name: netscaler_unknown333 - type: keyword - - name: netscaler_unknown334 - type: keyword - - name: netscaler_unknown335 - type: long - - name: netscaler_unknown336 - type: long - - name: netscaler_unknown337 - type: long - - name: netscaler_unknown338 - type: long - - name: netscaler_unknown339 - type: long - - name: netscaler_unknown340 - type: long - - name: netscaler_unknown341 - type: long - - name: netscaler_unknown342 - type: long - - name: netscaler_unknown343 - type: long - - name: netscaler_unknown344 - type: long - - name: netscaler_unknown345 - type: long - - name: netscaler_unknown346 - type: long - - name: netscaler_unknown347 - type: long - - name: netscaler_unknown348 - type: integer - - name: netscaler_unknown349 - type: keyword - - name: netscaler_unknown350 - type: keyword - - name: netscaler_unknown351 - type: keyword - - name: netscaler_unknown352 - type: integer - - name: netscaler_unknown353 - type: long - - name: netscaler_unknown354 - type: long - - name: netscaler_unknown355 - type: long - - name: netscaler_unknown356 - type: long - - name: netscaler_unknown357 - type: long - - name: netscaler_unknown363 - type: short - - name: netscaler_unknown383 - type: short - - name: netscaler_unknown391 - type: long - - name: netscaler_unknown398 - type: long - - name: netscaler_unknown404 - type: long - - name: netscaler_unknown405 - type: long - - name: netscaler_unknown427 - type: long - - name: netscaler_unknown429 - type: short - - name: netscaler_unknown432 - type: short - - name: netscaler_unknown433 - type: short - - name: netscaler_unknown453 - type: long - - name: netscaler_unknown465 - type: long - - name: new_connection_delta_count - type: long - - name: next_header_ipv6 - type: short - - name: non_empty_packet_count - type: long - - name: not_sent_flow_total_count - type: long - - name: not_sent_layer2_octet_total_count - type: long - - name: not_sent_octet_total_count - type: 
long - - name: not_sent_packet_total_count - type: long - - name: observation_domain_id - type: long - - name: observation_domain_name - type: keyword - - name: observation_point_id - type: long - - name: observation_point_type - type: short - - name: observation_time_microseconds - type: date - - name: observation_time_milliseconds - type: date - - name: observation_time_nanoseconds - type: date - - name: observation_time_seconds - type: date - - name: observed_flow_total_count - type: long - - name: octet_delta_count - type: long - - name: octet_delta_sum_of_squares - type: long - - name: octet_total_count - type: long - - name: octet_total_sum_of_squares - type: long - - name: opaque_octets - type: short - - name: original_exporter_ipv4_address - type: ip - - name: original_exporter_ipv6_address - type: ip - - name: original_flows_completed - type: long - - name: original_flows_initiated - type: long - - name: original_flows_present - type: long - - name: original_observation_domain_id - type: long - - name: os_finger_print - type: keyword - - name: os_name - type: keyword - - name: os_version - type: keyword - - name: p2p_technology - type: keyword - - name: packet_delta_count - type: long - - name: packet_total_count - type: long - - name: padding_octets - type: short - - name: payload - type: keyword - - name: payload_entropy - type: short - - name: payload_length_ipv6 - type: integer - - name: policy_qos_classification_hierarchy - type: long - - name: policy_qos_queue_index - type: long - - name: policy_qos_queuedrops - type: long - - name: policy_qos_queueindex - type: long - - name: port_id - type: long - - name: port_range_end - type: integer - - name: port_range_num_ports - type: integer - - name: port_range_start - type: integer - - name: port_range_step_size - type: integer - - name: post_destination_mac_address - type: keyword - - name: post_dot1q_customer_vlan_id - type: integer - - name: post_dot1q_vlan_id - type: integer - - name: 
post_ip_class_of_service - type: short - - name: post_ip_diff_serv_code_point - type: short - - name: post_ip_precedence - type: short - - name: post_layer2_octet_delta_count - type: long - - name: post_layer2_octet_total_count - type: long - - name: post_mcast_layer2_octet_delta_count - type: long - - name: post_mcast_layer2_octet_total_count - type: long - - name: post_mcast_octet_delta_count - type: long - - name: post_mcast_octet_total_count - type: long - - name: post_mcast_packet_delta_count - type: long - - name: post_mcast_packet_total_count - type: long - - name: post_mpls_top_label_exp - type: short - - name: post_napt_destination_transport_port - type: integer - - name: post_napt_source_transport_port - type: integer - - name: post_nat_destination_ipv4_address - type: ip - - name: post_nat_destination_ipv6_address - type: ip - - name: post_nat_source_ipv4_address - type: ip - - name: post_nat_source_ipv6_address - type: ip - - name: post_octet_delta_count - type: long - - name: post_octet_total_count - type: long - - name: post_packet_delta_count - type: long - - name: post_packet_total_count - type: long - - name: post_source_mac_address - type: keyword - - name: post_vlan_id - type: integer - - name: private_enterprise_number - type: long - - name: procera_apn - type: keyword - - name: procera_base_service - type: keyword - - name: procera_content_categories - type: keyword - - name: procera_device_id - type: long - - name: procera_external_rtt - type: integer - - name: procera_flow_behavior - type: keyword - - name: procera_ggsn - type: keyword - - name: procera_http_content_type - type: keyword - - name: procera_http_file_length - type: long - - name: procera_http_language - type: keyword - - name: procera_http_location - type: keyword - - name: procera_http_referer - type: keyword - - name: procera_http_request_method - type: keyword - - name: procera_http_request_version - type: keyword - - name: procera_http_response_status - type: integer - - 
name: procera_http_url - type: keyword - - name: procera_http_user_agent - type: keyword - - name: procera_imsi - type: long - - name: procera_incoming_octets - type: long - - name: procera_incoming_packets - type: long - - name: procera_incoming_shaping_drops - type: long - - name: procera_incoming_shaping_latency - type: integer - - name: procera_internal_rtt - type: integer - - name: procera_local_ipv4_host - type: ip - - name: procera_local_ipv6_host - type: ip - - name: procera_msisdn - type: long - - name: procera_outgoing_octets - type: long - - name: procera_outgoing_packets - type: long - - name: procera_outgoing_shaping_drops - type: long - - name: procera_outgoing_shaping_latency - type: integer - - name: procera_property - type: keyword - - name: procera_qoe_incoming_external - type: float - - name: procera_qoe_incoming_internal - type: float - - name: procera_qoe_outgoing_external - type: float - - name: procera_qoe_outgoing_internal - type: float - - name: procera_rat - type: keyword - - name: procera_remote_ipv4_host - type: ip - - name: procera_remote_ipv6_host - type: ip - - name: procera_rnc - type: integer - - name: procera_server_hostname - type: keyword - - name: procera_service - type: keyword - - name: procera_sgsn - type: keyword - - name: procera_subscriber_identifier - type: keyword - - name: procera_template_name - type: keyword - - name: procera_user_location_information - type: keyword - - name: protocol_identifier - type: short - - name: pseudo_wire_control_word - type: long - - name: pseudo_wire_destination_ipv4_address - type: ip - - name: pseudo_wire_id - type: long - - name: pseudo_wire_type - type: integer - - name: reason - type: long - - name: reason_text - type: keyword - - name: relative_error - type: double - - name: responder_octets - type: long - - name: responder_packets - type: long - - name: reverse_absolute_error - type: double - - name: reverse_anonymization_flags - type: integer - - name: 
reverse_anonymization_technique - type: integer - - name: reverse_application_category_name - type: keyword - - name: reverse_application_description - type: keyword - - name: reverse_application_group_name - type: keyword - - name: reverse_application_id - type: keyword - - name: reverse_application_name - type: keyword - - name: reverse_application_sub_category_name - type: keyword - - name: reverse_average_interarrival_time - type: long - - name: reverse_bgp_destination_as_number - type: long - - name: reverse_bgp_next_adjacent_as_number - type: long - - name: reverse_bgp_next_hop_ipv4_address - type: ip - - name: reverse_bgp_next_hop_ipv6_address - type: ip - - name: reverse_bgp_prev_adjacent_as_number - type: long - - name: reverse_bgp_source_as_number - type: long - - name: reverse_bgp_validity_state - type: short - - name: reverse_class_id - type: short - - name: reverse_class_name - type: keyword - - name: reverse_classification_engine_id - type: short - - name: reverse_collection_time_milliseconds - type: long - - name: reverse_collector_certificate - type: keyword - - name: reverse_confidence_level - type: double - - name: reverse_connection_sum_duration_seconds - type: long - - name: reverse_connection_transaction_id - type: long - - name: reverse_data_byte_count - type: long - - name: reverse_data_link_frame_section - type: keyword - - name: reverse_data_link_frame_size - type: integer - - name: reverse_data_link_frame_type - type: integer - - name: reverse_data_records_reliability - type: short - - name: reverse_delta_flow_count - type: long - - name: reverse_destination_ipv4_address - type: ip - - name: reverse_destination_ipv4_prefix - type: ip - - name: reverse_destination_ipv4_prefix_length - type: short - - name: reverse_destination_ipv6_address - type: ip - - name: reverse_destination_ipv6_prefix - type: ip - - name: reverse_destination_ipv6_prefix_length - type: short - - name: reverse_destination_mac_address - type: keyword - - name: 
reverse_destination_transport_port - type: integer - - name: reverse_digest_hash_value - type: long - - name: reverse_distinct_count_of_destination_ip_address - type: long - - name: reverse_distinct_count_of_destination_ipv4_address - type: long - - name: reverse_distinct_count_of_destination_ipv6_address - type: long - - name: reverse_distinct_count_of_source_ip_address - type: long - - name: reverse_distinct_count_of_source_ipv4_address - type: long - - name: reverse_distinct_count_of_source_ipv6_address - type: long - - name: reverse_dot1q_customer_dei - type: short - - name: reverse_dot1q_customer_destination_mac_address - type: keyword - - name: reverse_dot1q_customer_priority - type: short - - name: reverse_dot1q_customer_source_mac_address - type: keyword - - name: reverse_dot1q_customer_vlan_id - type: integer - - name: reverse_dot1q_dei - type: short - - name: reverse_dot1q_priority - type: short - - name: reverse_dot1q_service_instance_id - type: long - - name: reverse_dot1q_service_instance_priority - type: short - - name: reverse_dot1q_service_instance_tag - type: keyword - - name: reverse_dot1q_vlan_id - type: integer - - name: reverse_dropped_layer2_octet_delta_count - type: long - - name: reverse_dropped_layer2_octet_total_count - type: long - - name: reverse_dropped_octet_delta_count - type: long - - name: reverse_dropped_octet_total_count - type: long - - name: reverse_dropped_packet_delta_count - type: long - - name: reverse_dropped_packet_total_count - type: long - - name: reverse_dst_traffic_index - type: long - - name: reverse_egress_broadcast_packet_total_count - type: long - - name: reverse_egress_interface - type: long - - name: reverse_egress_interface_type - type: long - - name: reverse_egress_physical_interface - type: long - - name: reverse_egress_unicast_packet_total_count - type: long - - name: reverse_egress_vrfid - type: long - - name: reverse_encrypted_technology - type: keyword - - name: reverse_engine_id - type: short - - name: 
reverse_engine_type - type: short - - name: reverse_ethernet_header_length - type: short - - name: reverse_ethernet_payload_length - type: integer - - name: reverse_ethernet_total_length - type: integer - - name: reverse_ethernet_type - type: integer - - name: reverse_export_sctp_stream_id - type: integer - - name: reverse_exporter_certificate - type: keyword - - name: reverse_exporting_process_id - type: long - - name: reverse_firewall_event - type: short - - name: reverse_first_non_empty_packet_size - type: integer - - name: reverse_first_packet_banner - type: keyword - - name: reverse_flags_and_sampler_id - type: long - - name: reverse_flow_active_timeout - type: integer - - name: reverse_flow_attributes - type: integer - - name: reverse_flow_delta_milliseconds - type: long - - name: reverse_flow_direction - type: short - - name: reverse_flow_duration_microseconds - type: long - - name: reverse_flow_duration_milliseconds - type: long - - name: reverse_flow_end_delta_microseconds - type: long - - name: reverse_flow_end_microseconds - type: long - - name: reverse_flow_end_milliseconds - type: long - - name: reverse_flow_end_nanoseconds - type: long - - name: reverse_flow_end_reason - type: short - - name: reverse_flow_end_seconds - type: long - - name: reverse_flow_end_sys_up_time - type: long - - name: reverse_flow_idle_timeout - type: integer - - name: reverse_flow_label_ipv6 - type: long - - name: reverse_flow_sampling_time_interval - type: long - - name: reverse_flow_sampling_time_spacing - type: long - - name: reverse_flow_selected_flow_delta_count - type: long - - name: reverse_flow_selected_octet_delta_count - type: long - - name: reverse_flow_selected_packet_delta_count - type: long - - name: reverse_flow_selector_algorithm - type: integer - - name: reverse_flow_start_delta_microseconds - type: long - - name: reverse_flow_start_microseconds - type: long - - name: reverse_flow_start_milliseconds - type: long - - name: reverse_flow_start_nanoseconds - type: 
long - - name: reverse_flow_start_seconds - type: long - - name: reverse_flow_start_sys_up_time - type: long - - name: reverse_forwarding_status - type: long - - name: reverse_fragment_flags - type: short - - name: reverse_fragment_identification - type: long - - name: reverse_fragment_offset - type: integer - - name: reverse_gre_key - type: long - - name: reverse_hash_digest_output - type: short - - name: reverse_hash_flow_domain - type: integer - - name: reverse_hash_initialiser_value - type: long - - name: reverse_hash_ip_payload_offset - type: long - - name: reverse_hash_ip_payload_size - type: long - - name: reverse_hash_output_range_max - type: long - - name: reverse_hash_output_range_min - type: long - - name: reverse_hash_selected_range_max - type: long - - name: reverse_hash_selected_range_min - type: long - - name: reverse_icmp_code_ipv4 - type: short - - name: reverse_icmp_code_ipv6 - type: short - - name: reverse_icmp_type_code_ipv4 - type: integer - - name: reverse_icmp_type_code_ipv6 - type: integer - - name: reverse_icmp_type_ipv4 - type: short - - name: reverse_icmp_type_ipv6 - type: short - - name: reverse_igmp_type - type: short - - name: reverse_ignored_data_record_total_count - type: long - - name: reverse_ignored_layer2_frame_total_count - type: long - - name: reverse_ignored_layer2_octet_total_count - type: long - - name: reverse_information_element_data_type - type: short - - name: reverse_information_element_description - type: keyword - - name: reverse_information_element_id - type: integer - - name: reverse_information_element_index - type: integer - - name: reverse_information_element_name - type: keyword - - name: reverse_information_element_range_begin - type: long - - name: reverse_information_element_range_end - type: long - - name: reverse_information_element_semantics - type: short - - name: reverse_information_element_units - type: integer - - name: reverse_ingress_broadcast_packet_total_count - type: long - - name: 
reverse_ingress_interface - type: long - - name: reverse_ingress_interface_type - type: long - - name: reverse_ingress_multicast_packet_total_count - type: long - - name: reverse_ingress_physical_interface - type: long - - name: reverse_ingress_unicast_packet_total_count - type: long - - name: reverse_ingress_vrfid - type: long - - name: reverse_initial_tcp_flags - type: short - - name: reverse_initiator_octets - type: long - - name: reverse_initiator_packets - type: long - - name: reverse_interface_description - type: keyword - - name: reverse_interface_name - type: keyword - - name: reverse_intermediate_process_id - type: long - - name: reverse_ip_class_of_service - type: short - - name: reverse_ip_diff_serv_code_point - type: short - - name: reverse_ip_header_length - type: short - - name: reverse_ip_header_packet_section - type: keyword - - name: reverse_ip_next_hop_ipv4_address - type: ip - - name: reverse_ip_next_hop_ipv6_address - type: ip - - name: reverse_ip_payload_length - type: long - - name: reverse_ip_payload_packet_section - type: keyword - - name: reverse_ip_precedence - type: short - - name: reverse_ip_sec_spi - type: long - - name: reverse_ip_total_length - type: long - - name: reverse_ip_ttl - type: short - - name: reverse_ip_version - type: short - - name: reverse_ipv4_ihl - type: short - - name: reverse_ipv4_options - type: long - - name: reverse_ipv4_router_sc - type: ip - - name: reverse_ipv6_extension_headers - type: long - - name: reverse_is_multicast - type: short - - name: reverse_large_packet_count - type: long - - name: reverse_layer2_frame_delta_count - type: long - - name: reverse_layer2_frame_total_count - type: long - - name: reverse_layer2_octet_delta_count - type: long - - name: reverse_layer2_octet_delta_sum_of_squares - type: long - - name: reverse_layer2_octet_total_count - type: long - - name: reverse_layer2_octet_total_sum_of_squares - type: long - - name: reverse_layer2_segment_id - type: long - - name: 
reverse_layer2packet_section_data - type: keyword - - name: reverse_layer2packet_section_offset - type: integer - - name: reverse_layer2packet_section_size - type: integer - - name: reverse_line_card_id - type: long - - name: reverse_lower_ci_limit - type: double - - name: reverse_max_export_seconds - type: long - - name: reverse_max_flow_end_microseconds - type: long - - name: reverse_max_flow_end_milliseconds - type: long - - name: reverse_max_flow_end_nanoseconds - type: long - - name: reverse_max_flow_end_seconds - type: long - - name: reverse_max_packet_size - type: integer - - name: reverse_maximum_ip_total_length - type: long - - name: reverse_maximum_layer2_total_length - type: long - - name: reverse_maximum_ttl - type: short - - name: reverse_message_md5_checksum - type: keyword - - name: reverse_message_scope - type: short - - name: reverse_metering_process_id - type: long - - name: reverse_metro_evc_id - type: keyword - - name: reverse_metro_evc_type - type: short - - name: reverse_min_export_seconds - type: long - - name: reverse_min_flow_start_microseconds - type: long - - name: reverse_min_flow_start_milliseconds - type: long - - name: reverse_min_flow_start_nanoseconds - type: long - - name: reverse_min_flow_start_seconds - type: long - - name: reverse_minimum_ip_total_length - type: long - - name: reverse_minimum_layer2_total_length - type: long - - name: reverse_minimum_ttl - type: short - - name: reverse_monitoring_interval_end_milli_seconds - type: long - - name: reverse_monitoring_interval_start_milli_seconds - type: long - - name: reverse_mpls_label_stack_depth - type: long - - name: reverse_mpls_label_stack_length - type: long - - name: reverse_mpls_label_stack_section - type: keyword - - name: reverse_mpls_label_stack_section10 - type: keyword - - name: reverse_mpls_label_stack_section2 - type: keyword - - name: reverse_mpls_label_stack_section3 - type: keyword - - name: reverse_mpls_label_stack_section4 - type: keyword - - name: 
reverse_mpls_label_stack_section5 - type: keyword - - name: reverse_mpls_label_stack_section6 - type: keyword - - name: reverse_mpls_label_stack_section7 - type: keyword - - name: reverse_mpls_label_stack_section8 - type: keyword - - name: reverse_mpls_label_stack_section9 - type: keyword - - name: reverse_mpls_payload_length - type: long - - name: reverse_mpls_payload_packet_section - type: keyword - - name: reverse_mpls_top_label_exp - type: short - - name: reverse_mpls_top_label_ipv4_address - type: ip - - name: reverse_mpls_top_label_ipv6_address - type: ip - - name: reverse_mpls_top_label_prefix_length - type: short - - name: reverse_mpls_top_label_stack_section - type: keyword - - name: reverse_mpls_top_label_ttl - type: short - - name: reverse_mpls_top_label_type - type: short - - name: reverse_mpls_vpn_route_distinguisher - type: keyword - - name: reverse_multicast_replication_factor - type: long - - name: reverse_nat_event - type: short - - name: reverse_nat_originating_address_realm - type: short - - name: reverse_nat_pool_id - type: long - - name: reverse_nat_pool_name - type: keyword - - name: reverse_nat_type - type: short - - name: reverse_new_connection_delta_count - type: long - - name: reverse_next_header_ipv6 - type: short - - name: reverse_non_empty_packet_count - type: long - - name: reverse_not_sent_layer2_octet_total_count - type: long - - name: reverse_observation_domain_name - type: keyword - - name: reverse_observation_point_id - type: long - - name: reverse_observation_point_type - type: short - - name: reverse_observation_time_microseconds - type: long - - name: reverse_observation_time_milliseconds - type: long - - name: reverse_observation_time_nanoseconds - type: long - - name: reverse_observation_time_seconds - type: long - - name: reverse_octet_delta_count - type: long - - name: reverse_octet_delta_sum_of_squares - type: long - - name: reverse_octet_total_count - type: long - - name: reverse_octet_total_sum_of_squares - type: long - 
- name: reverse_opaque_octets - type: keyword - - name: reverse_original_exporter_ipv4_address - type: ip - - name: reverse_original_exporter_ipv6_address - type: ip - - name: reverse_original_flows_completed - type: long - - name: reverse_original_flows_initiated - type: long - - name: reverse_original_flows_present - type: long - - name: reverse_original_observation_domain_id - type: long - - name: reverse_os_finger_print - type: keyword - - name: reverse_os_name - type: keyword - - name: reverse_os_version - type: keyword - - name: reverse_p2p_technology - type: keyword - - name: reverse_packet_delta_count - type: long - - name: reverse_packet_total_count - type: long - - name: reverse_payload - type: keyword - - name: reverse_payload_entropy - type: short - - name: reverse_payload_length_ipv6 - type: integer - - name: reverse_port_id - type: long - - name: reverse_port_range_end - type: integer - - name: reverse_port_range_num_ports - type: integer - - name: reverse_port_range_start - type: integer - - name: reverse_port_range_step_size - type: integer - - name: reverse_post_destination_mac_address - type: keyword - - name: reverse_post_dot1q_customer_vlan_id - type: integer - - name: reverse_post_dot1q_vlan_id - type: integer - - name: reverse_post_ip_class_of_service - type: short - - name: reverse_post_ip_diff_serv_code_point - type: short - - name: reverse_post_ip_precedence - type: short - - name: reverse_post_layer2_octet_delta_count - type: long - - name: reverse_post_layer2_octet_total_count - type: long - - name: reverse_post_mcast_layer2_octet_delta_count - type: long - - name: reverse_post_mcast_layer2_octet_total_count - type: long - - name: reverse_post_mcast_octet_delta_count - type: long - - name: reverse_post_mcast_octet_total_count - type: long - - name: reverse_post_mcast_packet_delta_count - type: long - - name: reverse_post_mcast_packet_total_count - type: long - - name: reverse_post_mpls_top_label_exp - type: short - - name: 
reverse_post_napt_destination_transport_port - type: integer - - name: reverse_post_napt_source_transport_port - type: integer - - name: reverse_post_nat_destination_ipv4_address - type: ip - - name: reverse_post_nat_destination_ipv6_address - type: ip - - name: reverse_post_nat_source_ipv4_address - type: ip - - name: reverse_post_nat_source_ipv6_address - type: ip - - name: reverse_post_octet_delta_count - type: long - - name: reverse_post_octet_total_count - type: long - - name: reverse_post_packet_delta_count - type: long - - name: reverse_post_packet_total_count - type: long - - name: reverse_post_source_mac_address - type: keyword - - name: reverse_post_vlan_id - type: integer - - name: reverse_private_enterprise_number - type: long - - name: reverse_protocol_identifier - type: short - - name: reverse_pseudo_wire_control_word - type: long - - name: reverse_pseudo_wire_destination_ipv4_address - type: ip - - name: reverse_pseudo_wire_id - type: long - - name: reverse_pseudo_wire_type - type: integer - - name: reverse_relative_error - type: double - - name: reverse_responder_octets - type: long - - name: reverse_responder_packets - type: long - - name: reverse_rfc3550_jitter_microseconds - type: long - - name: reverse_rfc3550_jitter_milliseconds - type: long - - name: reverse_rfc3550_jitter_nanoseconds - type: long - - name: reverse_rtp_payload_type - type: short - - name: reverse_rtp_sequence_number - type: integer - - name: reverse_sampler_id - type: short - - name: reverse_sampler_mode - type: short - - name: reverse_sampler_name - type: keyword - - name: reverse_sampler_random_interval - type: long - - name: reverse_sampling_algorithm - type: short - - name: reverse_sampling_flow_interval - type: long - - name: reverse_sampling_flow_spacing - type: long - - name: reverse_sampling_interval - type: long - - name: reverse_sampling_packet_interval - type: long - - name: reverse_sampling_packet_space - type: long - - name: reverse_sampling_population - type: 
long - - name: reverse_sampling_probability - type: double - - name: reverse_sampling_size - type: long - - name: reverse_sampling_time_interval - type: long - - name: reverse_sampling_time_space - type: long - - name: reverse_second_packet_banner - type: keyword - - name: reverse_section_exported_octets - type: integer - - name: reverse_section_offset - type: integer - - name: reverse_selection_sequence_id - type: long - - name: reverse_selector_algorithm - type: integer - - name: reverse_selector_id - type: long - - name: reverse_selector_id_total_flows_observed - type: long - - name: reverse_selector_id_total_flows_selected - type: long - - name: reverse_selector_id_total_pkts_observed - type: long - - name: reverse_selector_id_total_pkts_selected - type: long - - name: reverse_selector_name - type: keyword - - name: reverse_session_scope - type: short - - name: reverse_small_packet_count - type: long - - name: reverse_source_ipv4_address - type: ip - - name: reverse_source_ipv4_prefix - type: ip - - name: reverse_source_ipv4_prefix_length - type: short - - name: reverse_source_ipv6_address - type: ip - - name: reverse_source_ipv6_prefix - type: ip - - name: reverse_source_ipv6_prefix_length - type: short - - name: reverse_source_mac_address - type: keyword - - name: reverse_source_transport_port - type: integer - - name: reverse_src_traffic_index - type: long - - name: reverse_sta_ipv4_address - type: ip - - name: reverse_sta_mac_address - type: keyword - - name: reverse_standard_deviation_interarrival_time - type: long - - name: reverse_standard_deviation_payload_length - type: integer - - name: reverse_system_init_time_milliseconds - type: long - - name: reverse_tcp_ack_total_count - type: long - - name: reverse_tcp_acknowledgement_number - type: long - - name: reverse_tcp_control_bits - type: integer - - name: reverse_tcp_destination_port - type: integer - - name: reverse_tcp_fin_total_count - type: long - - name: reverse_tcp_header_length - type: short - - 
name: reverse_tcp_options - type: long - - name: reverse_tcp_psh_total_count - type: long - - name: reverse_tcp_rst_total_count - type: long - - name: reverse_tcp_sequence_number - type: long - - name: reverse_tcp_source_port - type: integer - - name: reverse_tcp_syn_total_count - type: long - - name: reverse_tcp_urg_total_count - type: long - - name: reverse_tcp_urgent_pointer - type: integer - - name: reverse_tcp_window_scale - type: integer - - name: reverse_tcp_window_size - type: integer - - name: reverse_total_length_ipv4 - type: integer - - name: reverse_transport_octet_delta_count - type: long - - name: reverse_transport_packet_delta_count - type: long - - name: reverse_tunnel_technology - type: keyword - - name: reverse_udp_destination_port - type: integer - - name: reverse_udp_message_length - type: integer - - name: reverse_udp_source_port - type: integer - - name: reverse_union_tcp_flags - type: short - - name: reverse_upper_ci_limit - type: double - - name: reverse_user_name - type: keyword - - name: reverse_value_distribution_method - type: short - - name: reverse_virtual_station_interface_id - type: keyword - - name: reverse_virtual_station_interface_name - type: keyword - - name: reverse_virtual_station_name - type: keyword - - name: reverse_virtual_station_uuid - type: keyword - - name: reverse_vlan_id - type: integer - - name: reverse_vr_fname - type: keyword - - name: reverse_wlan_channel_id - type: short - - name: reverse_wlan_ssid - type: keyword - - name: reverse_wtp_mac_address - type: keyword - - name: rfc3550_jitter_microseconds - type: long - - name: rfc3550_jitter_milliseconds - type: long - - name: rfc3550_jitter_nanoseconds - type: long - - name: rtp_payload_type - type: short - - name: rtp_sequence_number - type: integer - - name: sampler_id - type: short - - name: sampler_mode - type: short - - name: sampler_name - type: keyword - - name: sampler_random_interval - type: long - - name: sampling_algorithm - type: short - - name: 
sampling_flow_interval - type: long - - name: sampling_flow_spacing - type: long - - name: sampling_interval - type: long - - name: sampling_packet_interval - type: long - - name: sampling_packet_space - type: long - - name: sampling_population - type: long - - name: sampling_probability - type: double - - name: sampling_size - type: long - - name: sampling_time_interval - type: long - - name: sampling_time_space - type: long - - name: second_packet_banner - type: keyword - - name: section_exported_octets - type: integer - - name: section_offset - type: integer - - name: selection_sequence_id - type: long - - name: selector_algorithm - type: integer - - name: selector_id - type: long - - name: selector_id_total_flows_observed - type: long - - name: selector_id_total_flows_selected - type: long - - name: selector_id_total_pkts_observed - type: long - - name: selector_id_total_pkts_selected - type: long - - name: selector_name - type: keyword - - name: service_name - type: keyword - - name: session_scope - type: short - - name: silk_app_label - type: integer - - name: small_packet_count - type: long - - name: source_ipv4_address - type: ip - - name: source_ipv4_prefix - type: ip - - name: source_ipv4_prefix_length - type: short - - name: source_ipv6_address - type: ip - - name: source_ipv6_prefix - type: ip - - name: source_ipv6_prefix_length - type: short - - name: source_mac_address - type: keyword - - name: source_transport_port - type: integer - - name: source_transport_ports_limit - type: integer - - name: src_traffic_index - type: long - - name: ssl_cert_serial_number - type: keyword - - name: ssl_cert_signature - type: keyword - - name: ssl_cert_validity_not_after - type: keyword - - name: ssl_cert_validity_not_before - type: keyword - - name: ssl_cert_version - type: short - - name: ssl_certificate_hash - type: keyword - - name: ssl_cipher - type: keyword - - name: ssl_client_version - type: short - - name: ssl_compression_method - type: short - - name: 
ssl_object_type - type: keyword - - name: ssl_object_value - type: keyword - - name: ssl_public_key_algorithm - type: keyword - - name: ssl_public_key_length - type: keyword - - name: ssl_server_cipher - type: long - - name: ssl_server_name - type: keyword - - name: sta_ipv4_address - type: ip - - name: sta_mac_address - type: keyword - - name: standard_deviation_interarrival_time - type: long - - name: standard_deviation_payload_length - type: short - - name: system_init_time_milliseconds - type: date - - name: tcp_ack_total_count - type: long - - name: tcp_acknowledgement_number - type: long - - name: tcp_control_bits - type: integer - - name: tcp_destination_port - type: integer - - name: tcp_fin_total_count - type: long - - name: tcp_header_length - type: short - - name: tcp_options - type: long - - name: tcp_psh_total_count - type: long - - name: tcp_rst_total_count - type: long - - name: tcp_sequence_number - type: long - - name: tcp_source_port - type: integer - - name: tcp_syn_total_count - type: long - - name: tcp_urg_total_count - type: long - - name: tcp_urgent_pointer - type: integer - - name: tcp_window_scale - type: integer - - name: tcp_window_size - type: integer - - name: template_id - type: integer - - name: tftp_filename - type: keyword - - name: tftp_mode - type: keyword - - name: timestamp - type: long - - name: timestamp_absolute_monitoring-interval - type: long - - name: total_length_ipv4 - type: integer - - name: traffic_type - type: short - - name: transport_octet_delta_count - type: long - - name: transport_packet_delta_count - type: long - - name: tunnel_technology - type: keyword - - name: udp_destination_port - type: integer - - name: udp_message_length - type: integer - - name: udp_source_port - type: integer - - name: union_tcp_flags - type: short - - name: upper_ci_limit - type: double - - name: user_name - type: keyword - - name: username - type: keyword - - name: value_distribution_method - type: short - - name: viptela_vpn_id - 
type: long - - name: virtual_station_interface_id - type: short - - name: virtual_station_interface_name - type: keyword - - name: virtual_station_name - type: keyword - - name: virtual_station_uuid - type: short - - name: vlan_id - type: integer - - name: vmware_egress_interface_attr - type: integer - - name: vmware_ingress_interface_attr - type: integer - - name: vmware_tenant_dest_ipv4 - type: ip - - name: vmware_tenant_dest_ipv6 - type: ip - - name: vmware_tenant_dest_port - type: integer - - name: vmware_tenant_protocol - type: short - - name: vmware_tenant_source_ipv4 - type: ip - - name: vmware_tenant_source_ipv6 - type: ip - - name: vmware_tenant_source_port - type: integer - - name: vmware_vxlan_export_role - type: short - - name: vpn_identifier - type: short - - name: vr_fname - type: keyword - - name: waasoptimization_segment - type: short - - name: wlan_channel_id - type: short - - name: wlan_ssid - type: keyword - - name: wtp_mac_address - type: keyword - - name: xlate_destination_address_ip_v4 - type: ip - - name: xlate_destination_port - type: integer - - name: xlate_source_address_ip_v4 - type: ip - - name: xlate_source_port - type: integer diff --git a/packages/netflow/2.2.3/data_stream/log/manifest.yml b/packages/netflow/2.2.3/data_stream/log/manifest.yml deleted file mode 100755 index bf706ae5c5..0000000000 --- a/packages/netflow/2.2.3/data_stream/log/manifest.yml +++ /dev/null 
@@ -1,80 +0,0 @@ -title: NetFlow logs -type: logs -streams: - - input: netflow - template_path: netflow.yml.hbs - title: Collect NetFlow logs - description: Collect NetFlow logs using the netflow input - vars: - - name: host - type: text - title: UDP host to listen on - multi: false - required: true - show_user: true - default: localhost - - name: port - type: integer - title: UDP port to listen on - multi: false - required: true - show_user: true - default: 2055 - - name: expiration_timeout - type: text - title: Time duration before an idle session or unused template is expired - multi: false - required: true - show_user: false - default: 30m - - name: queue_size - type: integer - title: Maximum number of packets that can be queued for processing - multi: false - required: true - show_user: false - default: 8192 - - name: custom_definitions - type: text - title: Custom definitions - multi: true - required: false - show_user: false - default: "" - - name: detect_sequence_reset - type: bool - title: Whether to detect sequence reset - multi: false - required: true - show_user: false - default: true - - name: max_message_size - type: text - title: Maximum size of the message received over UDP - multi: false - required: true - show_user: false - default: 10KiB - - name: tags - type: text - title: Tags - multi: true - required: false - show_user: false - default: - - netflow - - forwarded - - name: timeout - type: text - title: Read timeout for socket operations - multi: false - required: false - show_user: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: >- - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. 
diff --git a/packages/netflow/2.2.3/data_stream/log/sample_event.json b/packages/netflow/2.2.3/data_stream/log/sample_event.json deleted file mode 100755 index 3e6f655051..0000000000 --- a/packages/netflow/2.2.3/data_stream/log/sample_event.json +++ /dev/null 
@@ -1,121 +0,0 @@ -{ - "@timestamp": "2018-07-03T10:47:00.000Z", - "agent": { - "ephemeral_id": "499040e3-2739-4333-bc0a-714aceaaa76b", - "id": "f98d63fc-e620-4d4d-b16e-814a105b1bc9", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "8.2.0" - }, - "client": { - "bytes": 719, - "packets": 5 - }, - "data_stream": { - "dataset": "netflow.log", - "namespace": "ep", - "type": "logs" - }, - "destination": { - "bytes": 0, - "packets": 0 - }, - "ecs": { - "version": "8.3.0" - }, - "elastic_agent": { - "id": "f98d63fc-e620-4d4d-b16e-814a105b1bc9", - "snapshot": false, - "version": "8.2.0" - }, - "event": { - "action": "netflow_flow", - "agent_id_status": "verified", - "category": [ - "network", - "session" - ], - "created": "2022-05-12T09:08:00.955Z", - "dataset": "netflow.log", - "ingested": "2022-05-12T09:08:01Z", - "kind": "event", - "type": [ - "connection" - ] - }, - "flow": { - "id": "Vhs9T5k296w", - "locality": "internal" - }, - "input": { - "type": "netflow" - }, - "netflow": { - "application_id": [ - 3, - 0, - 0, - 80 - ], - "art_client_network_time_sum": 0, - "art_count_late_responses": 0, - "art_count_responses": 0, - "art_count_retransmissions": 0, - "art_count_transactions": 0, - "art_network_time_sum": 0, - "art_response_time_sum": 0, - "art_server_network_time_sum": 0, - "art_server_response_time_maximum": 0, - "art_server_response_time_sum": 0, - "art_total_response_time_sum": 0, - "art_total_transaction_time_sum": 0, - "biflow_direction": 1, - "connection_sum_duration_seconds": 0, - "egress_interface": 13, - "exporter": { - "address": "192.168.208.4:56750", - "source_id": 512, - "timestamp": "2018-07-03T10:47:00.000Z", - "uptime_millis": 0, - "version": 10 - }, - "flow_end_sys_up_time": 564184158, - "flow_start_sys_up_time": 564184140, - "ingress_interface": 10, - "ingress_vrfid": 0, - "initiator_octets": 719, - "initiator_packets": 5, - "ip_diff_serv_code_point": 0, - "ip_ttl": 49, - "new_connection_delta_count": 1, - 
"protocol_identifier": 6, - "responder_octets": 0, - "responder_packets": 0, - "type": "netflow_flow", - "vlan_id": 0, - "waasoptimization_segment": 16 - }, - "network": { - "bytes": 719, - "community_id": "1:idwO/QHAjbcGlF1bfQE9dPuu7T0=", - "direction": "unknown", - "iana_number": "6", - "packets": 5, - "transport": "tcp" - }, - "observer": { - "ip": "192.168.208.4" - }, - "server": { - "bytes": 0, - "packets": 0 - }, - "source": { - "bytes": 719, - "packets": 5 - }, - "tags": [ - "netflow", - "forwarded" - ] -} \ No newline at end of file diff --git a/packages/netflow/2.2.3/docs/README.md b/packages/netflow/2.2.3/docs/README.md deleted file mode 100755 index 184488d216..0000000000 --- a/packages/netflow/2.2.3/docs/README.md +++ /dev/null 
@@ -1,1787 +0,0 @@ -# Netflow Integration - -This integration is for receiving NetFlow and IPFIX flow records over UDP. -It supports NetFlow versions 1, 5, 6, 7, 8 and 9, as well as IPFIX. For NetFlow versions older than 9, fields are mapped automatically to NetFlow v9. - -For more information on Netflow and IPFIX, see: - -- [Cisco Systems NetFlow Services Export Version 9](https://www.ietf.org/rfc/rfc3954.txt) -- [Specification of the IP Flow Information Export (IPFIX) Protocol for the Exchange of Flow Information](https://www.ietf.org/rfc/rfc7011.txt) - -It includes the following dataset: - -- `log` dataset - -## Compatibility - -## Logs - -### log - -The `log` dataset collects netflow logs. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| agent.ephemeral_id | Ephemeral identifier of this agent (if one exists). This id normally changes across restarts, but `agent.id` does not. | keyword | -| agent.id | Unique identifier of this agent (if one exists). Example: For Beats this would be beat.id. | keyword | -| agent.name | Custom name of the agent. This is a name that can be given to an agent. This can be helpful if for example two Filebeat instances are running on the same host but a human readable separation is needed on which Filebeat instance data is coming from. | keyword | -| agent.type | Type of the agent. The agent type always stays the same and should be given by the agent used. In case of Filebeat the agent would always be Filebeat also if two Filebeat instances are run on the same machine. | keyword | -| agent.version | Version of the agent. | keyword | -| as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| as.organization.name | Organization name. | keyword | -| as.organization.name.text | Multi-field of `as.organization.name`. 
| match_only_text | -| client.address | Some event client addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| client.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| client.as.organization.name | Organization name. | keyword | -| client.as.organization.name.text | Multi-field of `client.as.organization.name`. | match_only_text | -| client.bytes | Bytes sent from the client to the server. | long | -| client.domain | The domain name of the client system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | -| client.geo.city_name | City name. | keyword | -| client.geo.continent_name | Name of the continent. | keyword | -| client.geo.country_iso_code | Country ISO code. | keyword | -| client.geo.country_name | Country name. | keyword | -| client.geo.location | Longitude and latitude. | geo_point | -| client.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | -| client.geo.region_iso_code | Region ISO code. | keyword | -| client.geo.region_name | Region name. | keyword | -| client.ip | IP address of the client (IPv4 or IPv6). | ip | -| client.mac | MAC address of the client. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. 
| keyword | -| client.nat.ip | Translated IP of source based NAT sessions (e.g. internal client to internet). Typically connections traversing load balancers, firewalls, or routers. | ip | -| client.nat.port | Translated port of source based NAT sessions (e.g. internal client to internet). Typically connections traversing load balancers, firewalls, or routers. | long | -| client.packets | Packets sent from the client to the server. | long | -| client.port | Port of the client. | long | -| client.registered_domain | The highest registered client domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | -| client.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | -| client.user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword | -| client.user.email | User email address. | keyword | -| client.user.full_name | User's full name, if available. | keyword | -| client.user.full_name.text | Multi-field of `client.user.full_name`. | match_only_text | -| client.user.group.domain | Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name. | keyword | -| client.user.group.id | Unique identifier for the group on the system/platform. | keyword | -| client.user.group.name | Name of the group. 
| keyword | -| client.user.hash | Unique user hash to correlate information for a user in anonymized form. Useful if `user.id` or `user.name` contain confidential information and cannot be used. | keyword | -| client.user.id | Unique identifier of the user. | keyword | -| client.user.name | Short name or login of the user. | keyword | -| client.user.name.text | Multi-field of `client.user.name`. | match_only_text | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host, resource, or service is located. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.image.tag | Container image tags. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| container.runtime | Runtime managing this container. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. 
You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| destination.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| destination.as.organization.name | Organization name. | keyword | -| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. | match_only_text | -| destination.bytes | Bytes sent from the destination to the source. | long | -| destination.domain | The domain name of the destination system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | -| destination.geo.city_name | City name. | keyword | -| destination.geo.continent_name | Name of the continent. | keyword | -| destination.geo.country_iso_code | Country ISO code. | keyword | -| destination.geo.country_name | Country name. | keyword | -| destination.geo.location | Longitude and latitude. | geo_point | -| destination.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | -| destination.geo.region_iso_code | Region ISO code. | keyword | -| destination.geo.region_name | Region name. | keyword | -| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | -| destination.locality | Whether the destination IP is private or public. | keyword | -| destination.mac | MAC address of the destination. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. 
Successive octets are separated by a hyphen. | keyword | -| destination.nat.ip | Translated ip of destination based NAT sessions (e.g. internet to private DMZ) Typically used with load balancers, firewalls, or routers. | ip | -| destination.nat.port | Port the source session is translated to by NAT Device. Typically used with load balancers, firewalls, or routers. | long | -| destination.packets | Packets sent from the destination to the source. | long | -| destination.port | Port of the destination. | long | -| destination.registered_domain | The highest registered destination domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | -| destination.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | -| destination.user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword | -| destination.user.email | User email address. | keyword | -| destination.user.full_name | User's full name, if available. | keyword | -| destination.user.full_name.text | Multi-field of `destination.user.full_name`. | match_only_text | -| destination.user.group.domain | Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name. | keyword | -| destination.user.group.id | Unique identifier for the group on the system/platform. 
| keyword | -| destination.user.group.name | Name of the group. | keyword | -| destination.user.hash | Unique user hash to correlate information for a user in anonymized form. Useful if `user.id` or `user.name` contain confidential information and cannot be used. | keyword | -| destination.user.id | Unique identifier of the user. | keyword | -| destination.user.name | Short name or login of the user. | keyword | -| destination.user.name.text | Multi-field of `destination.user.name`. | match_only_text | -| dns.answers | An array containing an object for each answer section returned by the server. The main keys that should be present in these objects are defined by ECS. Records that have more information may contain more keys than what ECS defines. Not all DNS data sources give all details about DNS answers. At minimum, answer objects must contain the `data` key. If more information is available, map as much of it to ECS as possible, and add any additional fields to the answer objects as custom fields. | object | -| dns.answers.class | The class of DNS data contained in this resource record. | keyword | -| dns.answers.data | The data describing the resource. The meaning of this data depends on the type and class of the resource record. | keyword | -| dns.answers.name | The domain name to which this resource record pertains. If a chain of CNAME is being resolved, each answer's `name` should be the one that corresponds with the answer's `data`. It should not simply be the original `question.name` repeated. | keyword | -| dns.answers.ttl | The time interval in seconds that this resource record may be cached before it should be discarded. Zero values mean that the data should not be cached. | long | -| dns.answers.type | The type of data contained in this resource record. | keyword | -| dns.header_flags | Array of 2 letter DNS header flags. | keyword | -| dns.id | The DNS packet identifier assigned by the program that generated the query. 
The identifier is copied to the response. | keyword | -| dns.op_code | The DNS operation code that specifies the kind of query in the message. This value is set by the originator of a query and copied into the response. | keyword | -| dns.question.class | The class of records being queried. | keyword | -| dns.question.name | The name being queried. If the name field contains non-printable characters (below 32 or above 126), those characters should be represented as escaped base 10 integers (\DDD). Back slashes and quotes should be escaped. Tabs, carriage returns, and line feeds should be converted to \t, \r, and \n respectively. | keyword | -| dns.question.registered_domain | The highest registered domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | -| dns.question.subdomain | The subdomain is all of the labels under the registered_domain. If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword | -| dns.question.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | -| dns.question.type | The type of record being queried. | keyword | -| dns.resolved_ip | Array containing all IPs seen in `answers.data`. The `answers` array can be difficult to use, because of the variety of data formats it can contain. 
Extracting all IP addresses seen in there to `dns.resolved_ip` makes it possible to index them as IP addresses, and makes them easier to visualize and query for. | ip | -| dns.response_code | The DNS response code. | keyword | -| dns.type | The type of DNS event captured, query or answer. If your source of DNS events only gives you DNS queries, you should only create dns events of type `dns.type:query`. If your source of DNS events gives you answers as well, you should create one event per query (optionally as soon as the query is seen). And a second event containing all query details as well as an array of answers. | keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| error.code | Error code describing the error. | keyword | -| error.id | Unique identifier for the error. | keyword | -| error.message | Error message. | match_only_text | -| error.stack_trace | The stack trace of this error in plain text. | wildcard | -| error.stack_trace.text | Multi-field of `error.stack_trace`. | match_only_text | -| error.type | The type of the error, for example the class name of the exception. | keyword | -| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. 
This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.code | Identification code for this event, if one exists. Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. | keyword | -| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | -| event.dataset | Event dataset | constant_keyword | -| event.duration | Duration of the event in nanoseconds. If event.start and event.end are known this value should be the difference between the end and start time. | long | -| event.end | event.end contains the date when the event ended or when the activity was last observed. | date | -| event.hash | Hash (perhaps logstash fingerprint) of raw field to be able to demonstrate log integrity. | keyword | -| event.id | Unique ID to describe the event. | keyword | -| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. 
In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | -| event.module | Event module | constant_keyword | -| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | -| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. 
Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | -| event.provider | Source of the event. Event transports such as Syslog or the Windows Event Log typically mention the source of an event. It can be the name of the software that generated the event (e.g. Sysmon, httpd), or of a subsystem of the operating system (kernel, Microsoft-Windows-Security-Auditing). | keyword | -| event.risk_score | Risk score or priority of the event (e.g. security solutions). Use your system's original value here. | float | -| event.risk_score_norm | Normalized risk score or priority of the event, on a scale of 0 to 100. This is mainly useful if you use more than one system that assigns risk scores, and you want to see a normalized value across all systems. | float | -| event.sequence | Sequence number of the event. The sequence number is a value published by some event sources, to make the exact ordering of events unambiguous, regardless of the timestamp precision. | long | -| event.severity | The numeric severity of the event according to your event source. What the different severity values mean can be different between sources and use cases. It's up to the implementer to make sure severities are consistent across events from the same source. The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`. | long | -| event.start | event.start contains the date when the event started or when the activity was first observed. | date | -| event.timezone | This field should be populated when the event's timestamp does not include timezone information already (e.g. 
default Syslog timestamps). It's optional otherwise. Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). | keyword | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | -| file.accessed | Last time the file was accessed. Note that not all filesystems keep track of access time. | date | -| file.created | File creation time. Note that not all filesystems store the creation time. | date | -| file.ctime | Last time the file attributes or metadata changed. Note that changes to the file content will update `mtime`. This implies `ctime` will be adjusted at the same time, since `mtime` is an attribute of the file. | date | -| file.device | Device that is the source of the file. | keyword | -| file.directory | Directory where the file is located. It should include the drive letter, when appropriate. | keyword | -| file.extension | File extension, excluding the leading dot. Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword | -| file.gid | Primary group ID (GID) of the file. | keyword | -| file.group | Primary group name of the file. | keyword | -| file.hash.md5 | MD5 hash. | keyword | -| file.hash.sha1 | SHA1 hash. | keyword | -| file.hash.sha256 | SHA256 hash. | keyword | -| file.hash.sha512 | SHA512 hash. | keyword | -| file.inode | Inode representing the file in the filesystem. | keyword | -| file.mode | Mode of the file in octal representation. 
| keyword | -| file.mtime | Last time the file content was modified. | date | -| file.name | Name of the file including the extension, without the directory. | keyword | -| file.owner | File owner's username. | keyword | -| file.path | Full path to the file, including the file name. It should include the drive letter, when appropriate. | keyword | -| file.path.text | Multi-field of `file.path`. | match_only_text | -| file.size | File size in bytes. Only relevant when `file.type` is "file". | long | -| file.target_path | Target path for symlinks. | keyword | -| file.target_path.text | Multi-field of `file.target_path`. | match_only_text | -| file.type | File type (file, dir, or symlink). | keyword | -| file.uid | The user ID (UID) or security identifier (SID) of the file owner. | keyword | -| flow.id | Hash of source and destination IPs. | keyword | -| flow.locality | Identifies whether the flow involved public IP addresses or only private address. | keyword | -| geo.city_name | City name. | keyword | -| geo.continent_name | Name of the continent. | keyword | -| geo.country_iso_code | Country ISO code. | keyword | -| geo.country_name | Country name. | keyword | -| geo.location | Longitude and latitude. | geo_point | -| geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | -| geo.region_iso_code | Region ISO code. | keyword | -| geo.region_name | Region name. | keyword | -| group.domain | Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name. | keyword | -| group.id | Unique identifier for the group on the system/platform. | keyword | -| group.name | Name of the group. | keyword | -| hash.md5 | MD5 hash. | keyword | -| hash.sha1 | SHA1 hash. | keyword | -| hash.sha256 | SHA256 hash. 
| keyword | -| hash.sha512 | SHA512 hash. | keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.geo.city_name | City name. | keyword | -| host.geo.continent_name | Name of the continent. | keyword | -| host.geo.country_iso_code | Country ISO code. | keyword | -| host.geo.country_name | Country name. | keyword | -| host.geo.location | Longitude and latitude. | geo_point | -| host.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | -| host.geo.region_iso_code | Region ISO code. | keyword | -| host.geo.region_name | Region name. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.full | Operating system name, including the version or code name. 
| keyword | -| host.os.full.text | Multi-field of `host.os.full`. | match_only_text | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| host.uptime | Seconds the host has been up. | long | -| http.request.body.bytes | Size in bytes of the request body. | long | -| http.request.body.content | The full HTTP request body. | wildcard | -| http.request.body.content.text | Multi-field of `http.request.body.content`. | match_only_text | -| http.request.bytes | Total size in bytes of the request (body and headers). | long | -| http.request.method | HTTP request method. The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field. | keyword | -| http.request.referrer | Referrer for this HTTP request. | keyword | -| http.response.body.bytes | Size in bytes of the response body. | long | -| http.response.body.content | The full HTTP response body. | wildcard | -| http.response.body.content.text | Multi-field of `http.response.body.content`. | match_only_text | -| http.response.bytes | Total size in bytes of the response (body and headers). | long | -| http.response.status_code | HTTP response status code. | long | -| http.version | HTTP version. | keyword | -| input.type | Type of Filebeat input. | keyword | -| labels | Custom key/value pairs. Can be used to add meta information to events. Should not contain nested objects. All values are stored as keyword. 
Example: `docker` and `k8s` labels. | object | -| log.level | Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). Some examples are `warn`, `err`, `i`, `informational`. | keyword | -| log.logger | The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. | keyword | -| log.origin.file.line | The line number of the file containing the source code which originated the log event. | long | -| log.origin.file.name | The name of the file containing the source code which originated the log event. Note that this field is not meant to capture the log file. The correct field to capture the log file is `log.file.path`. | keyword | -| log.origin.function | The name of the function or method which originated the log event. | keyword | -| log.syslog | The Syslog metadata of the event, if the event was transmitted via Syslog. Please see RFCs 5424 or 3164. | object | -| log.syslog.facility.code | The Syslog numeric facility of the log event, if available. According to RFCs 5424 and 3164, this value should be an integer between 0 and 23. | long | -| log.syslog.facility.name | The Syslog text-based facility of the log event, if available. | keyword | -| log.syslog.priority | Syslog numeric priority of the event, if available. According to RFCs 5424 and 3164, the priority is 8 \* facility + severity. This number is therefore expected to contain a value between 0 and 191. | long | -| log.syslog.severity.code | The Syslog numeric severity of the log event, if available. If the event source publishing via Syslog provides a different numeric severity value (e.g. firewall, IDS), your source's numeric severity should go to `event.severity`. 
If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `event.severity`. | long | -| log.syslog.severity.name | The Syslog numeric severity of the log event, if available. If the event source publishing via Syslog provides a different severity value (e.g. firewall, IDS), your source's text severity should go to `log.level`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `log.level`. | keyword | -| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | -| netflow.absolute_error | | double | -| netflow.address_pool_high_threshold | | long | -| netflow.address_pool_low_threshold | | long | -| netflow.address_port_mapping_high_threshold | | long | -| netflow.address_port_mapping_low_threshold | | long | -| netflow.address_port_mapping_per_user_high_threshold | | long | -| netflow.afc_protocol | | integer | -| netflow.afc_protocol_name | | keyword | -| netflow.anonymization_flags | | integer | -| netflow.anonymization_technique | | integer | -| netflow.application_business-relevance | | long | -| netflow.application_category_name | | keyword | -| netflow.application_description | | keyword | -| netflow.application_group_name | | keyword | -| netflow.application_http_uri_statistics | | short | -| netflow.application_http_user-agent | | short | -| netflow.application_id | | short | -| netflow.application_name | | keyword | -| netflow.application_sub_category_name | | keyword | -| netflow.application_traffic-class | | long | -| netflow.art_client_network_time_maximum | | long | -| netflow.art_client_network_time_minimum | | long | -| netflow.art_client_network_time_sum | | long | -| 
netflow.art_clientpackets | | long | -| netflow.art_count_late_responses | | long | -| netflow.art_count_new_connections | | long | -| netflow.art_count_responses | | long | -| netflow.art_count_responses_histogram_bucket1 | | long | -| netflow.art_count_responses_histogram_bucket2 | | long | -| netflow.art_count_responses_histogram_bucket3 | | long | -| netflow.art_count_responses_histogram_bucket4 | | long | -| netflow.art_count_responses_histogram_bucket5 | | long | -| netflow.art_count_responses_histogram_bucket6 | | long | -| netflow.art_count_responses_histogram_bucket7 | | long | -| netflow.art_count_retransmissions | | long | -| netflow.art_count_transactions | | long | -| netflow.art_network_time_maximum | | long | -| netflow.art_network_time_minimum | | long | -| netflow.art_network_time_sum | | long | -| netflow.art_response_time_maximum | | long | -| netflow.art_response_time_minimum | | long | -| netflow.art_response_time_sum | | long | -| netflow.art_server_network_time_maximum | | long | -| netflow.art_server_network_time_minimum | | long | -| netflow.art_server_network_time_sum | | long | -| netflow.art_server_response_time_maximum | | long | -| netflow.art_server_response_time_minimum | | long | -| netflow.art_server_response_time_sum | | long | -| netflow.art_serverpackets | | long | -| netflow.art_total_response_time_maximum | | long | -| netflow.art_total_response_time_minimum | | long | -| netflow.art_total_response_time_sum | | long | -| netflow.art_total_transaction_time_maximum | | long | -| netflow.art_total_transaction_time_minimum | | long | -| netflow.art_total_transaction_time_sum | | long | -| netflow.assembled_fragment_count | | long | -| netflow.audit_counter | | long | -| netflow.average_interarrival_time | | long | -| netflow.bgp_destination_as_number | | long | -| netflow.bgp_next_adjacent_as_number | | long | -| netflow.bgp_next_hop_ipv4_address | | ip | -| netflow.bgp_next_hop_ipv6_address | | ip | -| 
netflow.bgp_prev_adjacent_as_number | | long | -| netflow.bgp_source_as_number | | long | -| netflow.bgp_validity_state | | short | -| netflow.biflow_direction | | short | -| netflow.bind_ipv4_address | | ip | -| netflow.bind_transport_port | | integer | -| netflow.class_id | | long | -| netflow.class_name | | keyword | -| netflow.classification_engine_id | | short | -| netflow.collection_time_milliseconds | | date | -| netflow.collector_certificate | | short | -| netflow.collector_ipv4_address | | ip | -| netflow.collector_ipv6_address | | ip | -| netflow.collector_transport_port | | integer | -| netflow.common_properties_id | | long | -| netflow.confidence_level | | double | -| netflow.conn_ipv4_address | | ip | -| netflow.conn_transport_port | | integer | -| netflow.connection_sum_duration_seconds | | long | -| netflow.connection_transaction_id | | long | -| netflow.conntrack_id | | long | -| netflow.data_byte_count | | long | -| netflow.data_link_frame_section | | short | -| netflow.data_link_frame_size | | integer | -| netflow.data_link_frame_type | | integer | -| netflow.data_records_reliability | | boolean | -| netflow.delta_flow_count | | long | -| netflow.destination_ipv4_address | | ip | -| netflow.destination_ipv4_prefix | | ip | -| netflow.destination_ipv4_prefix_length | | short | -| netflow.destination_ipv6_address | | ip | -| netflow.destination_ipv6_prefix | | ip | -| netflow.destination_ipv6_prefix_length | | short | -| netflow.destination_mac_address | | keyword | -| netflow.destination_transport_port | | integer | -| netflow.digest_hash_value | | long | -| netflow.distinct_count_of_destination_ip_address | | long | -| netflow.distinct_count_of_destination_ipv4_address | | long | -| netflow.distinct_count_of_destination_ipv6_address | | long | -| netflow.distinct_count_of_source_ip_address | | long | -| netflow.distinct_count_of_source_ipv4_address | | long | -| netflow.distinct_count_of_source_ipv6_address | | long | -| netflow.dns_authoritative 
| | short | -| netflow.dns_cname | | keyword | -| netflow.dns_id | | integer | -| netflow.dns_mx_exchange | | keyword | -| netflow.dns_mx_preference | | integer | -| netflow.dns_nsd_name | | keyword | -| netflow.dns_nx_domain | | short | -| netflow.dns_ptrd_name | | keyword | -| netflow.dns_qname | | keyword | -| netflow.dns_qr_type | | integer | -| netflow.dns_query_response | | short | -| netflow.dns_rr_section | | short | -| netflow.dns_soa_expire | | long | -| netflow.dns_soa_minimum | | long | -| netflow.dns_soa_refresh | | long | -| netflow.dns_soa_retry | | long | -| netflow.dns_soa_serial | | long | -| netflow.dns_soam_name | | keyword | -| netflow.dns_soar_name | | keyword | -| netflow.dns_srv_port | | integer | -| netflow.dns_srv_priority | | integer | -| netflow.dns_srv_target | | integer | -| netflow.dns_srv_weight | | integer | -| netflow.dns_ttl | | long | -| netflow.dns_txt_data | | keyword | -| netflow.dot1q_customer_dei | | boolean | -| netflow.dot1q_customer_destination_mac_address | | keyword | -| netflow.dot1q_customer_priority | | short | -| netflow.dot1q_customer_source_mac_address | | keyword | -| netflow.dot1q_customer_vlan_id | | integer | -| netflow.dot1q_dei | | boolean | -| netflow.dot1q_priority | | short | -| netflow.dot1q_service_instance_id | | long | -| netflow.dot1q_service_instance_priority | | short | -| netflow.dot1q_service_instance_tag | | short | -| netflow.dot1q_vlan_id | | integer | -| netflow.dropped_layer2_octet_delta_count | | long | -| netflow.dropped_layer2_octet_total_count | | long | -| netflow.dropped_octet_delta_count | | long | -| netflow.dropped_octet_total_count | | long | -| netflow.dropped_packet_delta_count | | long | -| netflow.dropped_packet_total_count | | long | -| netflow.dst_traffic_index | | long | -| netflow.egress_broadcast_packet_total_count | | long | -| netflow.egress_interface | | long | -| netflow.egress_interface_type | | long | -| netflow.egress_physical_interface | | long | -| 
netflow.egress_unicast_packet_total_count | | long | -| netflow.egress_vrfid | | long | -| netflow.encrypted_technology | | keyword | -| netflow.engine_id | | short | -| netflow.engine_type | | short | -| netflow.ethernet_header_length | | short | -| netflow.ethernet_payload_length | | integer | -| netflow.ethernet_total_length | | integer | -| netflow.ethernet_type | | integer | -| netflow.expired_fragment_count | | long | -| netflow.export_interface | | long | -| netflow.export_protocol_version | | short | -| netflow.export_sctp_stream_id | | integer | -| netflow.export_transport_protocol | | short | -| netflow.exported_flow_record_total_count | | long | -| netflow.exported_message_total_count | | long | -| netflow.exported_octet_total_count | | long | -| netflow.exporter.address | Exporter's network address in IP:port format. | keyword | -| netflow.exporter.source_id | Observation domain ID to which this record belongs. | long | -| netflow.exporter.timestamp | Time and date of export. | date | -| netflow.exporter.uptime_millis | How long the exporter process has been running, in milliseconds. | long | -| netflow.exporter.version | NetFlow version used. 
| integer | -| netflow.exporter_certificate | | short | -| netflow.exporter_ipv4_address | | ip | -| netflow.exporter_ipv6_address | | ip | -| netflow.exporter_transport_port | | integer | -| netflow.exporting_process_id | | long | -| netflow.external_address_realm | | short | -| netflow.firewall_event | | short | -| netflow.first_eight_non_empty_packet_directions | | short | -| netflow.first_non_empty_packet_size | | integer | -| netflow.first_packet_banner | | keyword | -| netflow.flags_and_sampler_id | | long | -| netflow.flow_active_timeout | | integer | -| netflow.flow_attributes | | integer | -| netflow.flow_direction | | short | -| netflow.flow_duration_microseconds | | long | -| netflow.flow_duration_milliseconds | | long | -| netflow.flow_end_delta_microseconds | | long | -| netflow.flow_end_microseconds | | date | -| netflow.flow_end_milliseconds | | date | -| netflow.flow_end_nanoseconds | | date | -| netflow.flow_end_reason | | short | -| netflow.flow_end_seconds | | date | -| netflow.flow_end_sys_up_time | | long | -| netflow.flow_id | | long | -| netflow.flow_idle_timeout | | integer | -| netflow.flow_key_indicator | | long | -| netflow.flow_label_ipv6 | | long | -| netflow.flow_sampling_time_interval | | long | -| netflow.flow_sampling_time_spacing | | long | -| netflow.flow_selected_flow_delta_count | | long | -| netflow.flow_selected_octet_delta_count | | long | -| netflow.flow_selected_packet_delta_count | | long | -| netflow.flow_selector_algorithm | | integer | -| netflow.flow_start_delta_microseconds | | long | -| netflow.flow_start_microseconds | | date | -| netflow.flow_start_milliseconds | | date | -| netflow.flow_start_nanoseconds | | date | -| netflow.flow_start_seconds | | date | -| netflow.flow_start_sys_up_time | | long | -| netflow.flow_table_flush_event_count | | long | -| netflow.flow_table_peak_count | | long | -| netflow.forwarding_status | | short | -| netflow.fragment_flags | | short | -| netflow.fragment_identification | | long 
| -| netflow.fragment_offset | | integer | -| netflow.fw_blackout_secs | | long | -| netflow.fw_configured_value | | long | -| netflow.fw_cts_src_sgt | | long | -| netflow.fw_event_level | | long | -| netflow.fw_event_level_id | | long | -| netflow.fw_ext_event | | integer | -| netflow.fw_ext_event_alt | | long | -| netflow.fw_ext_event_desc | | keyword | -| netflow.fw_half_open_count | | long | -| netflow.fw_half_open_high | | long | -| netflow.fw_half_open_rate | | long | -| netflow.fw_max_sessions | | long | -| netflow.fw_rule | | keyword | -| netflow.fw_summary_pkt_count | | long | -| netflow.fw_zone_pair_id | | long | -| netflow.fw_zone_pair_name | | long | -| netflow.global_address_mapping_high_threshold | | long | -| netflow.gre_key | | long | -| netflow.hash_digest_output | | boolean | -| netflow.hash_flow_domain | | integer | -| netflow.hash_initialiser_value | | long | -| netflow.hash_ip_payload_offset | | long | -| netflow.hash_ip_payload_size | | long | -| netflow.hash_output_range_max | | long | -| netflow.hash_output_range_min | | long | -| netflow.hash_selected_range_max | | long | -| netflow.hash_selected_range_min | | long | -| netflow.http_content_type | | keyword | -| netflow.http_message_version | | keyword | -| netflow.http_reason_phrase | | keyword | -| netflow.http_request_host | | keyword | -| netflow.http_request_method | | keyword | -| netflow.http_request_target | | keyword | -| netflow.http_status_code | | integer | -| netflow.http_user_agent | | keyword | -| netflow.icmp_code_ipv4 | | short | -| netflow.icmp_code_ipv6 | | short | -| netflow.icmp_type_code_ipv4 | | integer | -| netflow.icmp_type_code_ipv6 | | integer | -| netflow.icmp_type_ipv4 | | short | -| netflow.icmp_type_ipv6 | | short | -| netflow.igmp_type | | short | -| netflow.ignored_data_record_total_count | | long | -| netflow.ignored_layer2_frame_total_count | | long | -| netflow.ignored_layer2_octet_total_count | | long | -| netflow.ignored_octet_total_count | | long | -| 
netflow.ignored_packet_total_count | | long | -| netflow.information_element_data_type | | short | -| netflow.information_element_description | | keyword | -| netflow.information_element_id | | integer | -| netflow.information_element_index | | integer | -| netflow.information_element_name | | keyword | -| netflow.information_element_range_begin | | long | -| netflow.information_element_range_end | | long | -| netflow.information_element_semantics | | short | -| netflow.information_element_units | | integer | -| netflow.ingress_broadcast_packet_total_count | | long | -| netflow.ingress_interface | | long | -| netflow.ingress_interface_type | | long | -| netflow.ingress_multicast_packet_total_count | | long | -| netflow.ingress_physical_interface | | long | -| netflow.ingress_unicast_packet_total_count | | long | -| netflow.ingress_vrfid | | long | -| netflow.initial_tcp_flags | | short | -| netflow.initiator_octets | | long | -| netflow.initiator_packets | | long | -| netflow.interface_description | | keyword | -| netflow.interface_name | | keyword | -| netflow.intermediate_process_id | | long | -| netflow.internal_address_realm | | short | -| netflow.ip_class_of_service | | short | -| netflow.ip_diff_serv_code_point | | short | -| netflow.ip_header_length | | short | -| netflow.ip_header_packet_section | | short | -| netflow.ip_next_hop_ipv4_address | | ip | -| netflow.ip_next_hop_ipv6_address | | ip | -| netflow.ip_payload_length | | long | -| netflow.ip_payload_packet_section | | short | -| netflow.ip_precedence | | short | -| netflow.ip_sec_spi | | long | -| netflow.ip_total_length | | long | -| netflow.ip_ttl | | short | -| netflow.ip_version | | short | -| netflow.ipv4_ihl | | short | -| netflow.ipv4_options | | long | -| netflow.ipv4_router_sc | | ip | -| netflow.ipv6_extension_headers | | long | -| netflow.is_multicast | | short | -| netflow.ixia_browser_id | | short | -| netflow.ixia_browser_name | | keyword | -| netflow.ixia_device_id | | short | -| 
netflow.ixia_device_name | | keyword | -| netflow.ixia_dns_answer | | keyword | -| netflow.ixia_dns_classes | | keyword | -| netflow.ixia_dns_query | | keyword | -| netflow.ixia_dns_record_txt | | keyword | -| netflow.ixia_dst_as_name | | keyword | -| netflow.ixia_dst_city_name | | keyword | -| netflow.ixia_dst_country_code | | keyword | -| netflow.ixia_dst_country_name | | keyword | -| netflow.ixia_dst_latitude | | float | -| netflow.ixia_dst_longitude | | float | -| netflow.ixia_dst_region_code | | keyword | -| netflow.ixia_dst_region_node | | keyword | -| netflow.ixia_encrypt_cipher | | keyword | -| netflow.ixia_encrypt_key_length | | integer | -| netflow.ixia_encrypt_type | | keyword | -| netflow.ixia_http_host_name | | keyword | -| netflow.ixia_http_uri | | keyword | -| netflow.ixia_http_user_agent | | keyword | -| netflow.ixia_imsi_subscriber | | keyword | -| netflow.ixia_l7_app_id | | long | -| netflow.ixia_l7_app_name | | keyword | -| netflow.ixia_latency | | long | -| netflow.ixia_rev_octet_delta_count | | long | -| netflow.ixia_rev_packet_delta_count | | long | -| netflow.ixia_src_as_name | | keyword | -| netflow.ixia_src_city_name | | keyword | -| netflow.ixia_src_country_code | | keyword | -| netflow.ixia_src_country_name | | keyword | -| netflow.ixia_src_latitude | | float | -| netflow.ixia_src_longitude | | float | -| netflow.ixia_src_region_code | | keyword | -| netflow.ixia_src_region_name | | keyword | -| netflow.ixia_threat_ipv4 | | ip | -| netflow.ixia_threat_ipv6 | | ip | -| netflow.ixia_threat_type | | keyword | -| netflow.large_packet_count | | long | -| netflow.layer2_frame_delta_count | | long | -| netflow.layer2_frame_total_count | | long | -| netflow.layer2_octet_delta_count | | long | -| netflow.layer2_octet_delta_sum_of_squares | | long | -| netflow.layer2_octet_total_count | | long | -| netflow.layer2_octet_total_sum_of_squares | | long | -| netflow.layer2_segment_id | | long | -| netflow.layer2packet_section_data | | short | -| 
netflow.layer2packet_section_offset | | integer | -| netflow.layer2packet_section_size | | integer | -| netflow.line_card_id | | long | -| netflow.log_op | | short | -| netflow.lower_ci_limit | | double | -| netflow.mark | | long | -| netflow.max_bib_entries | | long | -| netflow.max_entries_per_user | | long | -| netflow.max_export_seconds | | date | -| netflow.max_flow_end_microseconds | | date | -| netflow.max_flow_end_milliseconds | | date | -| netflow.max_flow_end_nanoseconds | | date | -| netflow.max_flow_end_seconds | | date | -| netflow.max_fragments_pending_reassembly | | long | -| netflow.max_packet_size | | integer | -| netflow.max_session_entries | | long | -| netflow.max_subscribers | | long | -| netflow.maximum_ip_total_length | | long | -| netflow.maximum_layer2_total_length | | long | -| netflow.maximum_ttl | | short | -| netflow.mean_flow_rate | | long | -| netflow.mean_packet_rate | | long | -| netflow.message_md5_checksum | | short | -| netflow.message_scope | | short | -| netflow.metering_process_id | | long | -| netflow.metro_evc_id | | keyword | -| netflow.metro_evc_type | | short | -| netflow.mib_capture_time_semantics | | short | -| netflow.mib_context_engine_id | | short | -| netflow.mib_context_name | | keyword | -| netflow.mib_index_indicator | | long | -| netflow.mib_module_name | | keyword | -| netflow.mib_object_description | | keyword | -| netflow.mib_object_identifier | | short | -| netflow.mib_object_name | | keyword | -| netflow.mib_object_syntax | | keyword | -| netflow.mib_object_value_bits | | short | -| netflow.mib_object_value_counter | | long | -| netflow.mib_object_value_gauge | | long | -| netflow.mib_object_value_integer | | integer | -| netflow.mib_object_value_ip_address | | ip | -| netflow.mib_object_value_octet_string | | short | -| netflow.mib_object_value_oid | | short | -| netflow.mib_object_value_time_ticks | | long | -| netflow.mib_object_value_unsigned | | long | -| netflow.mib_sub_identifier | | long | -| 
netflow.min_export_seconds | | date | -| netflow.min_flow_start_microseconds | | date | -| netflow.min_flow_start_milliseconds | | date | -| netflow.min_flow_start_nanoseconds | | date | -| netflow.min_flow_start_seconds | | date | -| netflow.minimum_ip_total_length | | long | -| netflow.minimum_layer2_total_length | | long | -| netflow.minimum_ttl | | short | -| netflow.mobile_imsi | | keyword | -| netflow.mobile_msisdn | | keyword | -| netflow.monitoring_interval_end_milli_seconds | | date | -| netflow.monitoring_interval_start_milli_seconds | | date | -| netflow.mpls_label_stack_depth | | long | -| netflow.mpls_label_stack_length | | long | -| netflow.mpls_label_stack_section | | short | -| netflow.mpls_label_stack_section10 | | short | -| netflow.mpls_label_stack_section2 | | short | -| netflow.mpls_label_stack_section3 | | short | -| netflow.mpls_label_stack_section4 | | short | -| netflow.mpls_label_stack_section5 | | short | -| netflow.mpls_label_stack_section6 | | short | -| netflow.mpls_label_stack_section7 | | short | -| netflow.mpls_label_stack_section8 | | short | -| netflow.mpls_label_stack_section9 | | short | -| netflow.mpls_payload_length | | long | -| netflow.mpls_payload_packet_section | | short | -| netflow.mpls_top_label_exp | | short | -| netflow.mpls_top_label_ipv4_address | | ip | -| netflow.mpls_top_label_ipv6_address | | ip | -| netflow.mpls_top_label_prefix_length | | short | -| netflow.mpls_top_label_stack_section | | short | -| netflow.mpls_top_label_ttl | | short | -| netflow.mpls_top_label_type | | short | -| netflow.mpls_vpn_route_distinguisher | | short | -| netflow.mptcp_address_id | | short | -| netflow.mptcp_flags | | short | -| netflow.mptcp_initial_data_sequence_number | | long | -| netflow.mptcp_maximum_segment_size | | integer | -| netflow.mptcp_receiver_token | | long | -| netflow.multicast_replication_factor | | long | -| netflow.nat_event | | short | -| netflow.nat_inside_svcid | | integer | -| netflow.nat_instance_id | | 
long | -| netflow.nat_originating_address_realm | | short | -| netflow.nat_outside_svcid | | integer | -| netflow.nat_pool_id | | long | -| netflow.nat_pool_name | | keyword | -| netflow.nat_quota_exceeded_event | | long | -| netflow.nat_sub_string | | keyword | -| netflow.nat_threshold_event | | long | -| netflow.nat_type | | short | -| netflow.netscale_ica_client_version | | keyword | -| netflow.netscaler_aaa_username | | keyword | -| netflow.netscaler_app_name | | keyword | -| netflow.netscaler_app_name_app_id | | long | -| netflow.netscaler_app_name_incarnation_number | | long | -| netflow.netscaler_app_template_name | | keyword | -| netflow.netscaler_app_unit_name_app_id | | long | -| netflow.netscaler_application_startup_duration | | long | -| netflow.netscaler_application_startup_time | | long | -| netflow.netscaler_cache_redir_client_connection_core_id | | long | -| netflow.netscaler_cache_redir_client_connection_transaction_id | | long | -| netflow.netscaler_client_rtt | | long | -| netflow.netscaler_connection_chain_hop_count | | long | -| netflow.netscaler_connection_chain_id | | short | -| netflow.netscaler_connection_id | | long | -| netflow.netscaler_current_license_consumed | | long | -| netflow.netscaler_db_clt_host_name | | keyword | -| netflow.netscaler_db_database_name | | keyword | -| netflow.netscaler_db_login_flags | | long | -| netflow.netscaler_db_protocol_name | | short | -| netflow.netscaler_db_req_string | | keyword | -| netflow.netscaler_db_req_type | | short | -| netflow.netscaler_db_resp_length | | long | -| netflow.netscaler_db_resp_status | | long | -| netflow.netscaler_db_resp_status_string | | keyword | -| netflow.netscaler_db_user_name | | keyword | -| netflow.netscaler_flow_flags | | long | -| netflow.netscaler_http_client_interaction_end_time | | keyword | -| netflow.netscaler_http_client_interaction_start_time | | keyword | -| netflow.netscaler_http_client_render_end_time | | keyword | -| 
netflow.netscaler_http_client_render_start_time | | keyword | -| netflow.netscaler_http_content_type | | keyword | -| netflow.netscaler_http_domain_name | | keyword | -| netflow.netscaler_http_req_authorization | | keyword | -| netflow.netscaler_http_req_cookie | | keyword | -| netflow.netscaler_http_req_forw_fb | | long | -| netflow.netscaler_http_req_forw_lb | | long | -| netflow.netscaler_http_req_host | | keyword | -| netflow.netscaler_http_req_method | | keyword | -| netflow.netscaler_http_req_rcv_fb | | long | -| netflow.netscaler_http_req_rcv_lb | | long | -| netflow.netscaler_http_req_referer | | keyword | -| netflow.netscaler_http_req_url | | keyword | -| netflow.netscaler_http_req_user_agent | | keyword | -| netflow.netscaler_http_req_via | | keyword | -| netflow.netscaler_http_req_xforwarded_for | | keyword | -| netflow.netscaler_http_res_forw_fb | | long | -| netflow.netscaler_http_res_forw_lb | | long | -| netflow.netscaler_http_res_location | | keyword | -| netflow.netscaler_http_res_rcv_fb | | long | -| netflow.netscaler_http_res_rcv_lb | | long | -| netflow.netscaler_http_res_set_cookie | | keyword | -| netflow.netscaler_http_res_set_cookie2 | | keyword | -| netflow.netscaler_http_rsp_len | | long | -| netflow.netscaler_http_rsp_status | | integer | -| netflow.netscaler_ica_app_module_path | | keyword | -| netflow.netscaler_ica_app_process_id | | long | -| netflow.netscaler_ica_application_name | | keyword | -| netflow.netscaler_ica_application_termination_time | | long | -| netflow.netscaler_ica_application_termination_type | | integer | -| netflow.netscaler_ica_channel_id1 | | long | -| netflow.netscaler_ica_channel_id1_bytes | | long | -| netflow.netscaler_ica_channel_id2 | | long | -| netflow.netscaler_ica_channel_id2_bytes | | long | -| netflow.netscaler_ica_channel_id3 | | long | -| netflow.netscaler_ica_channel_id3_bytes | | long | -| netflow.netscaler_ica_channel_id4 | | long | -| netflow.netscaler_ica_channel_id4_bytes | | long | -| 
netflow.netscaler_ica_channel_id5 | | long | -| netflow.netscaler_ica_channel_id5_bytes | | long | -| netflow.netscaler_ica_client_host_name | | keyword | -| netflow.netscaler_ica_client_ip | | ip | -| netflow.netscaler_ica_client_launcher | | integer | -| netflow.netscaler_ica_client_side_rto_count | | integer | -| netflow.netscaler_ica_client_side_window_size | | integer | -| netflow.netscaler_ica_client_type | | integer | -| netflow.netscaler_ica_clientside_delay | | long | -| netflow.netscaler_ica_clientside_jitter | | long | -| netflow.netscaler_ica_clientside_packets_retransmit | | integer | -| netflow.netscaler_ica_clientside_rtt | | long | -| netflow.netscaler_ica_clientside_rx_bytes | | long | -| netflow.netscaler_ica_clientside_srtt | | long | -| netflow.netscaler_ica_clientside_tx_bytes | | long | -| netflow.netscaler_ica_connection_priority | | integer | -| netflow.netscaler_ica_device_serial_no | | long | -| netflow.netscaler_ica_domain_name | | keyword | -| netflow.netscaler_ica_flags | | long | -| netflow.netscaler_ica_host_delay | | long | -| netflow.netscaler_ica_l7_client_latency | | long | -| netflow.netscaler_ica_l7_server_latency | | long | -| netflow.netscaler_ica_launch_mechanism | | integer | -| netflow.netscaler_ica_network_update_end_time | | long | -| netflow.netscaler_ica_network_update_start_time | | long | -| netflow.netscaler_ica_rtt | | long | -| netflow.netscaler_ica_server_name | | keyword | -| netflow.netscaler_ica_server_side_rto_count | | integer | -| netflow.netscaler_ica_server_side_window_size | | integer | -| netflow.netscaler_ica_serverside_delay | | long | -| netflow.netscaler_ica_serverside_jitter | | long | -| netflow.netscaler_ica_serverside_packets_retransmit | | integer | -| netflow.netscaler_ica_serverside_rtt | | long | -| netflow.netscaler_ica_serverside_srtt | | long | -| netflow.netscaler_ica_session_end_time | | long | -| netflow.netscaler_ica_session_guid | | short | -| netflow.netscaler_ica_session_reconnects 
| | short | -| netflow.netscaler_ica_session_setup_time | | long | -| netflow.netscaler_ica_session_update_begin_sec | | long | -| netflow.netscaler_ica_session_update_end_sec | | long | -| netflow.netscaler_ica_username | | keyword | -| netflow.netscaler_license_type | | short | -| netflow.netscaler_main_page_core_id | | long | -| netflow.netscaler_main_page_id | | long | -| netflow.netscaler_max_license_count | | long | -| netflow.netscaler_msi_client_cookie | | short | -| netflow.netscaler_round_trip_time | | long | -| netflow.netscaler_server_ttfb | | long | -| netflow.netscaler_server_ttlb | | long | -| netflow.netscaler_syslog_message | | keyword | -| netflow.netscaler_syslog_priority | | short | -| netflow.netscaler_syslog_timestamp | | long | -| netflow.netscaler_transaction_id | | long | -| netflow.netscaler_unknown270 | | long | -| netflow.netscaler_unknown271 | | long | -| netflow.netscaler_unknown272 | | long | -| netflow.netscaler_unknown273 | | long | -| netflow.netscaler_unknown274 | | long | -| netflow.netscaler_unknown275 | | long | -| netflow.netscaler_unknown276 | | long | -| netflow.netscaler_unknown277 | | long | -| netflow.netscaler_unknown278 | | long | -| netflow.netscaler_unknown279 | | long | -| netflow.netscaler_unknown280 | | long | -| netflow.netscaler_unknown281 | | long | -| netflow.netscaler_unknown282 | | long | -| netflow.netscaler_unknown283 | | long | -| netflow.netscaler_unknown284 | | long | -| netflow.netscaler_unknown285 | | long | -| netflow.netscaler_unknown286 | | long | -| netflow.netscaler_unknown287 | | long | -| netflow.netscaler_unknown288 | | long | -| netflow.netscaler_unknown289 | | long | -| netflow.netscaler_unknown290 | | long | -| netflow.netscaler_unknown291 | | long | -| netflow.netscaler_unknown292 | | long | -| netflow.netscaler_unknown293 | | long | -| netflow.netscaler_unknown294 | | long | -| netflow.netscaler_unknown295 | | long | -| netflow.netscaler_unknown296 | | long | -| 
netflow.netscaler_unknown297 | | long | -| netflow.netscaler_unknown298 | | long | -| netflow.netscaler_unknown299 | | long | -| netflow.netscaler_unknown300 | | long | -| netflow.netscaler_unknown301 | | long | -| netflow.netscaler_unknown302 | | long | -| netflow.netscaler_unknown303 | | long | -| netflow.netscaler_unknown304 | | long | -| netflow.netscaler_unknown305 | | long | -| netflow.netscaler_unknown306 | | long | -| netflow.netscaler_unknown307 | | long | -| netflow.netscaler_unknown308 | | long | -| netflow.netscaler_unknown309 | | long | -| netflow.netscaler_unknown310 | | long | -| netflow.netscaler_unknown311 | | long | -| netflow.netscaler_unknown312 | | long | -| netflow.netscaler_unknown313 | | long | -| netflow.netscaler_unknown314 | | long | -| netflow.netscaler_unknown315 | | long | -| netflow.netscaler_unknown316 | | keyword | -| netflow.netscaler_unknown317 | | long | -| netflow.netscaler_unknown318 | | long | -| netflow.netscaler_unknown319 | | keyword | -| netflow.netscaler_unknown320 | | integer | -| netflow.netscaler_unknown321 | | long | -| netflow.netscaler_unknown322 | | long | -| netflow.netscaler_unknown323 | | integer | -| netflow.netscaler_unknown324 | | integer | -| netflow.netscaler_unknown325 | | integer | -| netflow.netscaler_unknown326 | | integer | -| netflow.netscaler_unknown327 | | long | -| netflow.netscaler_unknown328 | | integer | -| netflow.netscaler_unknown329 | | integer | -| netflow.netscaler_unknown330 | | integer | -| netflow.netscaler_unknown331 | | integer | -| netflow.netscaler_unknown332 | | long | -| netflow.netscaler_unknown333 | | keyword | -| netflow.netscaler_unknown334 | | keyword | -| netflow.netscaler_unknown335 | | long | -| netflow.netscaler_unknown336 | | long | -| netflow.netscaler_unknown337 | | long | -| netflow.netscaler_unknown338 | | long | -| netflow.netscaler_unknown339 | | long | -| netflow.netscaler_unknown340 | | long | -| netflow.netscaler_unknown341 | | long | -| 
netflow.netscaler_unknown342 | | long | -| netflow.netscaler_unknown343 | | long | -| netflow.netscaler_unknown344 | | long | -| netflow.netscaler_unknown345 | | long | -| netflow.netscaler_unknown346 | | long | -| netflow.netscaler_unknown347 | | long | -| netflow.netscaler_unknown348 | | integer | -| netflow.netscaler_unknown349 | | keyword | -| netflow.netscaler_unknown350 | | keyword | -| netflow.netscaler_unknown351 | | keyword | -| netflow.netscaler_unknown352 | | integer | -| netflow.netscaler_unknown353 | | long | -| netflow.netscaler_unknown354 | | long | -| netflow.netscaler_unknown355 | | long | -| netflow.netscaler_unknown356 | | long | -| netflow.netscaler_unknown357 | | long | -| netflow.netscaler_unknown363 | | short | -| netflow.netscaler_unknown383 | | short | -| netflow.netscaler_unknown391 | | long | -| netflow.netscaler_unknown398 | | long | -| netflow.netscaler_unknown404 | | long | -| netflow.netscaler_unknown405 | | long | -| netflow.netscaler_unknown427 | | long | -| netflow.netscaler_unknown429 | | short | -| netflow.netscaler_unknown432 | | short | -| netflow.netscaler_unknown433 | | short | -| netflow.netscaler_unknown453 | | long | -| netflow.netscaler_unknown465 | | long | -| netflow.new_connection_delta_count | | long | -| netflow.next_header_ipv6 | | short | -| netflow.non_empty_packet_count | | long | -| netflow.not_sent_flow_total_count | | long | -| netflow.not_sent_layer2_octet_total_count | | long | -| netflow.not_sent_octet_total_count | | long | -| netflow.not_sent_packet_total_count | | long | -| netflow.observation_domain_id | | long | -| netflow.observation_domain_name | | keyword | -| netflow.observation_point_id | | long | -| netflow.observation_point_type | | short | -| netflow.observation_time_microseconds | | date | -| netflow.observation_time_milliseconds | | date | -| netflow.observation_time_nanoseconds | | date | -| netflow.observation_time_seconds | | date | -| netflow.observed_flow_total_count | | long | -| 
netflow.octet_delta_count | | long | -| netflow.octet_delta_sum_of_squares | | long | -| netflow.octet_total_count | | long | -| netflow.octet_total_sum_of_squares | | long | -| netflow.opaque_octets | | short | -| netflow.original_exporter_ipv4_address | | ip | -| netflow.original_exporter_ipv6_address | | ip | -| netflow.original_flows_completed | | long | -| netflow.original_flows_initiated | | long | -| netflow.original_flows_present | | long | -| netflow.original_observation_domain_id | | long | -| netflow.os_finger_print | | keyword | -| netflow.os_name | | keyword | -| netflow.os_version | | keyword | -| netflow.p2p_technology | | keyword | -| netflow.packet_delta_count | | long | -| netflow.packet_total_count | | long | -| netflow.padding_octets | | short | -| netflow.payload | | keyword | -| netflow.payload_entropy | | short | -| netflow.payload_length_ipv6 | | integer | -| netflow.policy_qos_classification_hierarchy | | long | -| netflow.policy_qos_queue_index | | long | -| netflow.policy_qos_queuedrops | | long | -| netflow.policy_qos_queueindex | | long | -| netflow.port_id | | long | -| netflow.port_range_end | | integer | -| netflow.port_range_num_ports | | integer | -| netflow.port_range_start | | integer | -| netflow.port_range_step_size | | integer | -| netflow.post_destination_mac_address | | keyword | -| netflow.post_dot1q_customer_vlan_id | | integer | -| netflow.post_dot1q_vlan_id | | integer | -| netflow.post_ip_class_of_service | | short | -| netflow.post_ip_diff_serv_code_point | | short | -| netflow.post_ip_precedence | | short | -| netflow.post_layer2_octet_delta_count | | long | -| netflow.post_layer2_octet_total_count | | long | -| netflow.post_mcast_layer2_octet_delta_count | | long | -| netflow.post_mcast_layer2_octet_total_count | | long | -| netflow.post_mcast_octet_delta_count | | long | -| netflow.post_mcast_octet_total_count | | long | -| netflow.post_mcast_packet_delta_count | | long | -| netflow.post_mcast_packet_total_count | | 
long | -| netflow.post_mpls_top_label_exp | | short | -| netflow.post_napt_destination_transport_port | | integer | -| netflow.post_napt_source_transport_port | | integer | -| netflow.post_nat_destination_ipv4_address | | ip | -| netflow.post_nat_destination_ipv6_address | | ip | -| netflow.post_nat_source_ipv4_address | | ip | -| netflow.post_nat_source_ipv6_address | | ip | -| netflow.post_octet_delta_count | | long | -| netflow.post_octet_total_count | | long | -| netflow.post_packet_delta_count | | long | -| netflow.post_packet_total_count | | long | -| netflow.post_source_mac_address | | keyword | -| netflow.post_vlan_id | | integer | -| netflow.private_enterprise_number | | long | -| netflow.procera_apn | | keyword | -| netflow.procera_base_service | | keyword | -| netflow.procera_content_categories | | keyword | -| netflow.procera_device_id | | long | -| netflow.procera_external_rtt | | integer | -| netflow.procera_flow_behavior | | keyword | -| netflow.procera_ggsn | | keyword | -| netflow.procera_http_content_type | | keyword | -| netflow.procera_http_file_length | | long | -| netflow.procera_http_language | | keyword | -| netflow.procera_http_location | | keyword | -| netflow.procera_http_referer | | keyword | -| netflow.procera_http_request_method | | keyword | -| netflow.procera_http_request_version | | keyword | -| netflow.procera_http_response_status | | integer | -| netflow.procera_http_url | | keyword | -| netflow.procera_http_user_agent | | keyword | -| netflow.procera_imsi | | long | -| netflow.procera_incoming_octets | | long | -| netflow.procera_incoming_packets | | long | -| netflow.procera_incoming_shaping_drops | | long | -| netflow.procera_incoming_shaping_latency | | integer | -| netflow.procera_internal_rtt | | integer | -| netflow.procera_local_ipv4_host | | ip | -| netflow.procera_local_ipv6_host | | ip | -| netflow.procera_msisdn | | long | -| netflow.procera_outgoing_octets | | long | -| netflow.procera_outgoing_packets | | long | -| 
netflow.procera_outgoing_shaping_drops | | long | -| netflow.procera_outgoing_shaping_latency | | integer | -| netflow.procera_property | | keyword | -| netflow.procera_qoe_incoming_external | | float | -| netflow.procera_qoe_incoming_internal | | float | -| netflow.procera_qoe_outgoing_external | | float | -| netflow.procera_qoe_outgoing_internal | | float | -| netflow.procera_rat | | keyword | -| netflow.procera_remote_ipv4_host | | ip | -| netflow.procera_remote_ipv6_host | | ip | -| netflow.procera_rnc | | integer | -| netflow.procera_server_hostname | | keyword | -| netflow.procera_service | | keyword | -| netflow.procera_sgsn | | keyword | -| netflow.procera_subscriber_identifier | | keyword | -| netflow.procera_template_name | | keyword | -| netflow.procera_user_location_information | | keyword | -| netflow.protocol_identifier | | short | -| netflow.pseudo_wire_control_word | | long | -| netflow.pseudo_wire_destination_ipv4_address | | ip | -| netflow.pseudo_wire_id | | long | -| netflow.pseudo_wire_type | | integer | -| netflow.reason | | long | -| netflow.reason_text | | keyword | -| netflow.relative_error | | double | -| netflow.responder_octets | | long | -| netflow.responder_packets | | long | -| netflow.reverse_absolute_error | | double | -| netflow.reverse_anonymization_flags | | integer | -| netflow.reverse_anonymization_technique | | integer | -| netflow.reverse_application_category_name | | keyword | -| netflow.reverse_application_description | | keyword | -| netflow.reverse_application_group_name | | keyword | -| netflow.reverse_application_id | | keyword | -| netflow.reverse_application_name | | keyword | -| netflow.reverse_application_sub_category_name | | keyword | -| netflow.reverse_average_interarrival_time | | long | -| netflow.reverse_bgp_destination_as_number | | long | -| netflow.reverse_bgp_next_adjacent_as_number | | long | -| netflow.reverse_bgp_next_hop_ipv4_address | | ip | -| netflow.reverse_bgp_next_hop_ipv6_address | | ip | -| 
netflow.reverse_bgp_prev_adjacent_as_number | | long | -| netflow.reverse_bgp_source_as_number | | long | -| netflow.reverse_bgp_validity_state | | short | -| netflow.reverse_class_id | | short | -| netflow.reverse_class_name | | keyword | -| netflow.reverse_classification_engine_id | | short | -| netflow.reverse_collection_time_milliseconds | | long | -| netflow.reverse_collector_certificate | | keyword | -| netflow.reverse_confidence_level | | double | -| netflow.reverse_connection_sum_duration_seconds | | long | -| netflow.reverse_connection_transaction_id | | long | -| netflow.reverse_data_byte_count | | long | -| netflow.reverse_data_link_frame_section | | keyword | -| netflow.reverse_data_link_frame_size | | integer | -| netflow.reverse_data_link_frame_type | | integer | -| netflow.reverse_data_records_reliability | | short | -| netflow.reverse_delta_flow_count | | long | -| netflow.reverse_destination_ipv4_address | | ip | -| netflow.reverse_destination_ipv4_prefix | | ip | -| netflow.reverse_destination_ipv4_prefix_length | | short | -| netflow.reverse_destination_ipv6_address | | ip | -| netflow.reverse_destination_ipv6_prefix | | ip | -| netflow.reverse_destination_ipv6_prefix_length | | short | -| netflow.reverse_destination_mac_address | | keyword | -| netflow.reverse_destination_transport_port | | integer | -| netflow.reverse_digest_hash_value | | long | -| netflow.reverse_distinct_count_of_destination_ip_address | | long | -| netflow.reverse_distinct_count_of_destination_ipv4_address | | long | -| netflow.reverse_distinct_count_of_destination_ipv6_address | | long | -| netflow.reverse_distinct_count_of_source_ip_address | | long | -| netflow.reverse_distinct_count_of_source_ipv4_address | | long | -| netflow.reverse_distinct_count_of_source_ipv6_address | | long | -| netflow.reverse_dot1q_customer_dei | | short | -| netflow.reverse_dot1q_customer_destination_mac_address | | keyword | -| netflow.reverse_dot1q_customer_priority | | short | -| 
netflow.reverse_dot1q_customer_source_mac_address | | keyword | -| netflow.reverse_dot1q_customer_vlan_id | | integer | -| netflow.reverse_dot1q_dei | | short | -| netflow.reverse_dot1q_priority | | short | -| netflow.reverse_dot1q_service_instance_id | | long | -| netflow.reverse_dot1q_service_instance_priority | | short | -| netflow.reverse_dot1q_service_instance_tag | | keyword | -| netflow.reverse_dot1q_vlan_id | | integer | -| netflow.reverse_dropped_layer2_octet_delta_count | | long | -| netflow.reverse_dropped_layer2_octet_total_count | | long | -| netflow.reverse_dropped_octet_delta_count | | long | -| netflow.reverse_dropped_octet_total_count | | long | -| netflow.reverse_dropped_packet_delta_count | | long | -| netflow.reverse_dropped_packet_total_count | | long | -| netflow.reverse_dst_traffic_index | | long | -| netflow.reverse_egress_broadcast_packet_total_count | | long | -| netflow.reverse_egress_interface | | long | -| netflow.reverse_egress_interface_type | | long | -| netflow.reverse_egress_physical_interface | | long | -| netflow.reverse_egress_unicast_packet_total_count | | long | -| netflow.reverse_egress_vrfid | | long | -| netflow.reverse_encrypted_technology | | keyword | -| netflow.reverse_engine_id | | short | -| netflow.reverse_engine_type | | short | -| netflow.reverse_ethernet_header_length | | short | -| netflow.reverse_ethernet_payload_length | | integer | -| netflow.reverse_ethernet_total_length | | integer | -| netflow.reverse_ethernet_type | | integer | -| netflow.reverse_export_sctp_stream_id | | integer | -| netflow.reverse_exporter_certificate | | keyword | -| netflow.reverse_exporting_process_id | | long | -| netflow.reverse_firewall_event | | short | -| netflow.reverse_first_non_empty_packet_size | | integer | -| netflow.reverse_first_packet_banner | | keyword | -| netflow.reverse_flags_and_sampler_id | | long | -| netflow.reverse_flow_active_timeout | | integer | -| netflow.reverse_flow_attributes | | integer | -| 
netflow.reverse_flow_delta_milliseconds | | long | -| netflow.reverse_flow_direction | | short | -| netflow.reverse_flow_duration_microseconds | | long | -| netflow.reverse_flow_duration_milliseconds | | long | -| netflow.reverse_flow_end_delta_microseconds | | long | -| netflow.reverse_flow_end_microseconds | | long | -| netflow.reverse_flow_end_milliseconds | | long | -| netflow.reverse_flow_end_nanoseconds | | long | -| netflow.reverse_flow_end_reason | | short | -| netflow.reverse_flow_end_seconds | | long | -| netflow.reverse_flow_end_sys_up_time | | long | -| netflow.reverse_flow_idle_timeout | | integer | -| netflow.reverse_flow_label_ipv6 | | long | -| netflow.reverse_flow_sampling_time_interval | | long | -| netflow.reverse_flow_sampling_time_spacing | | long | -| netflow.reverse_flow_selected_flow_delta_count | | long | -| netflow.reverse_flow_selected_octet_delta_count | | long | -| netflow.reverse_flow_selected_packet_delta_count | | long | -| netflow.reverse_flow_selector_algorithm | | integer | -| netflow.reverse_flow_start_delta_microseconds | | long | -| netflow.reverse_flow_start_microseconds | | long | -| netflow.reverse_flow_start_milliseconds | | long | -| netflow.reverse_flow_start_nanoseconds | | long | -| netflow.reverse_flow_start_seconds | | long | -| netflow.reverse_flow_start_sys_up_time | | long | -| netflow.reverse_forwarding_status | | long | -| netflow.reverse_fragment_flags | | short | -| netflow.reverse_fragment_identification | | long | -| netflow.reverse_fragment_offset | | integer | -| netflow.reverse_gre_key | | long | -| netflow.reverse_hash_digest_output | | short | -| netflow.reverse_hash_flow_domain | | integer | -| netflow.reverse_hash_initialiser_value | | long | -| netflow.reverse_hash_ip_payload_offset | | long | -| netflow.reverse_hash_ip_payload_size | | long | -| netflow.reverse_hash_output_range_max | | long | -| netflow.reverse_hash_output_range_min | | long | -| netflow.reverse_hash_selected_range_max | | long | -| 
netflow.reverse_hash_selected_range_min | | long | -| netflow.reverse_icmp_code_ipv4 | | short | -| netflow.reverse_icmp_code_ipv6 | | short | -| netflow.reverse_icmp_type_code_ipv4 | | integer | -| netflow.reverse_icmp_type_code_ipv6 | | integer | -| netflow.reverse_icmp_type_ipv4 | | short | -| netflow.reverse_icmp_type_ipv6 | | short | -| netflow.reverse_igmp_type | | short | -| netflow.reverse_ignored_data_record_total_count | | long | -| netflow.reverse_ignored_layer2_frame_total_count | | long | -| netflow.reverse_ignored_layer2_octet_total_count | | long | -| netflow.reverse_information_element_data_type | | short | -| netflow.reverse_information_element_description | | keyword | -| netflow.reverse_information_element_id | | integer | -| netflow.reverse_information_element_index | | integer | -| netflow.reverse_information_element_name | | keyword | -| netflow.reverse_information_element_range_begin | | long | -| netflow.reverse_information_element_range_end | | long | -| netflow.reverse_information_element_semantics | | short | -| netflow.reverse_information_element_units | | integer | -| netflow.reverse_ingress_broadcast_packet_total_count | | long | -| netflow.reverse_ingress_interface | | long | -| netflow.reverse_ingress_interface_type | | long | -| netflow.reverse_ingress_multicast_packet_total_count | | long | -| netflow.reverse_ingress_physical_interface | | long | -| netflow.reverse_ingress_unicast_packet_total_count | | long | -| netflow.reverse_ingress_vrfid | | long | -| netflow.reverse_initial_tcp_flags | | short | -| netflow.reverse_initiator_octets | | long | -| netflow.reverse_initiator_packets | | long | -| netflow.reverse_interface_description | | keyword | -| netflow.reverse_interface_name | | keyword | -| netflow.reverse_intermediate_process_id | | long | -| netflow.reverse_ip_class_of_service | | short | -| netflow.reverse_ip_diff_serv_code_point | | short | -| netflow.reverse_ip_header_length | | short | -| 
netflow.reverse_ip_header_packet_section | | keyword | -| netflow.reverse_ip_next_hop_ipv4_address | | ip | -| netflow.reverse_ip_next_hop_ipv6_address | | ip | -| netflow.reverse_ip_payload_length | | long | -| netflow.reverse_ip_payload_packet_section | | keyword | -| netflow.reverse_ip_precedence | | short | -| netflow.reverse_ip_sec_spi | | long | -| netflow.reverse_ip_total_length | | long | -| netflow.reverse_ip_ttl | | short | -| netflow.reverse_ip_version | | short | -| netflow.reverse_ipv4_ihl | | short | -| netflow.reverse_ipv4_options | | long | -| netflow.reverse_ipv4_router_sc | | ip | -| netflow.reverse_ipv6_extension_headers | | long | -| netflow.reverse_is_multicast | | short | -| netflow.reverse_large_packet_count | | long | -| netflow.reverse_layer2_frame_delta_count | | long | -| netflow.reverse_layer2_frame_total_count | | long | -| netflow.reverse_layer2_octet_delta_count | | long | -| netflow.reverse_layer2_octet_delta_sum_of_squares | | long | -| netflow.reverse_layer2_octet_total_count | | long | -| netflow.reverse_layer2_octet_total_sum_of_squares | | long | -| netflow.reverse_layer2_segment_id | | long | -| netflow.reverse_layer2packet_section_data | | keyword | -| netflow.reverse_layer2packet_section_offset | | integer | -| netflow.reverse_layer2packet_section_size | | integer | -| netflow.reverse_line_card_id | | long | -| netflow.reverse_lower_ci_limit | | double | -| netflow.reverse_max_export_seconds | | long | -| netflow.reverse_max_flow_end_microseconds | | long | -| netflow.reverse_max_flow_end_milliseconds | | long | -| netflow.reverse_max_flow_end_nanoseconds | | long | -| netflow.reverse_max_flow_end_seconds | | long | -| netflow.reverse_max_packet_size | | integer | -| netflow.reverse_maximum_ip_total_length | | long | -| netflow.reverse_maximum_layer2_total_length | | long | -| netflow.reverse_maximum_ttl | | short | -| netflow.reverse_message_md5_checksum | | keyword | -| netflow.reverse_message_scope | | short | -| 
netflow.reverse_metering_process_id | | long | -| netflow.reverse_metro_evc_id | | keyword | -| netflow.reverse_metro_evc_type | | short | -| netflow.reverse_min_export_seconds | | long | -| netflow.reverse_min_flow_start_microseconds | | long | -| netflow.reverse_min_flow_start_milliseconds | | long | -| netflow.reverse_min_flow_start_nanoseconds | | long | -| netflow.reverse_min_flow_start_seconds | | long | -| netflow.reverse_minimum_ip_total_length | | long | -| netflow.reverse_minimum_layer2_total_length | | long | -| netflow.reverse_minimum_ttl | | short | -| netflow.reverse_monitoring_interval_end_milli_seconds | | long | -| netflow.reverse_monitoring_interval_start_milli_seconds | | long | -| netflow.reverse_mpls_label_stack_depth | | long | -| netflow.reverse_mpls_label_stack_length | | long | -| netflow.reverse_mpls_label_stack_section | | keyword | -| netflow.reverse_mpls_label_stack_section10 | | keyword | -| netflow.reverse_mpls_label_stack_section2 | | keyword | -| netflow.reverse_mpls_label_stack_section3 | | keyword | -| netflow.reverse_mpls_label_stack_section4 | | keyword | -| netflow.reverse_mpls_label_stack_section5 | | keyword | -| netflow.reverse_mpls_label_stack_section6 | | keyword | -| netflow.reverse_mpls_label_stack_section7 | | keyword | -| netflow.reverse_mpls_label_stack_section8 | | keyword | -| netflow.reverse_mpls_label_stack_section9 | | keyword | -| netflow.reverse_mpls_payload_length | | long | -| netflow.reverse_mpls_payload_packet_section | | keyword | -| netflow.reverse_mpls_top_label_exp | | short | -| netflow.reverse_mpls_top_label_ipv4_address | | ip | -| netflow.reverse_mpls_top_label_ipv6_address | | ip | -| netflow.reverse_mpls_top_label_prefix_length | | short | -| netflow.reverse_mpls_top_label_stack_section | | keyword | -| netflow.reverse_mpls_top_label_ttl | | short | -| netflow.reverse_mpls_top_label_type | | short | -| netflow.reverse_mpls_vpn_route_distinguisher | | keyword | -| 
netflow.reverse_multicast_replication_factor | | long | -| netflow.reverse_nat_event | | short | -| netflow.reverse_nat_originating_address_realm | | short | -| netflow.reverse_nat_pool_id | | long | -| netflow.reverse_nat_pool_name | | keyword | -| netflow.reverse_nat_type | | short | -| netflow.reverse_new_connection_delta_count | | long | -| netflow.reverse_next_header_ipv6 | | short | -| netflow.reverse_non_empty_packet_count | | long | -| netflow.reverse_not_sent_layer2_octet_total_count | | long | -| netflow.reverse_observation_domain_name | | keyword | -| netflow.reverse_observation_point_id | | long | -| netflow.reverse_observation_point_type | | short | -| netflow.reverse_observation_time_microseconds | | long | -| netflow.reverse_observation_time_milliseconds | | long | -| netflow.reverse_observation_time_nanoseconds | | long | -| netflow.reverse_observation_time_seconds | | long | -| netflow.reverse_octet_delta_count | | long | -| netflow.reverse_octet_delta_sum_of_squares | | long | -| netflow.reverse_octet_total_count | | long | -| netflow.reverse_octet_total_sum_of_squares | | long | -| netflow.reverse_opaque_octets | | keyword | -| netflow.reverse_original_exporter_ipv4_address | | ip | -| netflow.reverse_original_exporter_ipv6_address | | ip | -| netflow.reverse_original_flows_completed | | long | -| netflow.reverse_original_flows_initiated | | long | -| netflow.reverse_original_flows_present | | long | -| netflow.reverse_original_observation_domain_id | | long | -| netflow.reverse_os_finger_print | | keyword | -| netflow.reverse_os_name | | keyword | -| netflow.reverse_os_version | | keyword | -| netflow.reverse_p2p_technology | | keyword | -| netflow.reverse_packet_delta_count | | long | -| netflow.reverse_packet_total_count | | long | -| netflow.reverse_payload | | keyword | -| netflow.reverse_payload_entropy | | short | -| netflow.reverse_payload_length_ipv6 | | integer | -| netflow.reverse_port_id | | long | -| netflow.reverse_port_range_end | 
| integer | -| netflow.reverse_port_range_num_ports | | integer | -| netflow.reverse_port_range_start | | integer | -| netflow.reverse_port_range_step_size | | integer | -| netflow.reverse_post_destination_mac_address | | keyword | -| netflow.reverse_post_dot1q_customer_vlan_id | | integer | -| netflow.reverse_post_dot1q_vlan_id | | integer | -| netflow.reverse_post_ip_class_of_service | | short | -| netflow.reverse_post_ip_diff_serv_code_point | | short | -| netflow.reverse_post_ip_precedence | | short | -| netflow.reverse_post_layer2_octet_delta_count | | long | -| netflow.reverse_post_layer2_octet_total_count | | long | -| netflow.reverse_post_mcast_layer2_octet_delta_count | | long | -| netflow.reverse_post_mcast_layer2_octet_total_count | | long | -| netflow.reverse_post_mcast_octet_delta_count | | long | -| netflow.reverse_post_mcast_octet_total_count | | long | -| netflow.reverse_post_mcast_packet_delta_count | | long | -| netflow.reverse_post_mcast_packet_total_count | | long | -| netflow.reverse_post_mpls_top_label_exp | | short | -| netflow.reverse_post_napt_destination_transport_port | | integer | -| netflow.reverse_post_napt_source_transport_port | | integer | -| netflow.reverse_post_nat_destination_ipv4_address | | ip | -| netflow.reverse_post_nat_destination_ipv6_address | | ip | -| netflow.reverse_post_nat_source_ipv4_address | | ip | -| netflow.reverse_post_nat_source_ipv6_address | | ip | -| netflow.reverse_post_octet_delta_count | | long | -| netflow.reverse_post_octet_total_count | | long | -| netflow.reverse_post_packet_delta_count | | long | -| netflow.reverse_post_packet_total_count | | long | -| netflow.reverse_post_source_mac_address | | keyword | -| netflow.reverse_post_vlan_id | | integer | -| netflow.reverse_private_enterprise_number | | long | -| netflow.reverse_protocol_identifier | | short | -| netflow.reverse_pseudo_wire_control_word | | long | -| netflow.reverse_pseudo_wire_destination_ipv4_address | | ip | -| 
netflow.reverse_pseudo_wire_id | | long | -| netflow.reverse_pseudo_wire_type | | integer | -| netflow.reverse_relative_error | | double | -| netflow.reverse_responder_octets | | long | -| netflow.reverse_responder_packets | | long | -| netflow.reverse_rfc3550_jitter_microseconds | | long | -| netflow.reverse_rfc3550_jitter_milliseconds | | long | -| netflow.reverse_rfc3550_jitter_nanoseconds | | long | -| netflow.reverse_rtp_payload_type | | short | -| netflow.reverse_rtp_sequence_number | | integer | -| netflow.reverse_sampler_id | | short | -| netflow.reverse_sampler_mode | | short | -| netflow.reverse_sampler_name | | keyword | -| netflow.reverse_sampler_random_interval | | long | -| netflow.reverse_sampling_algorithm | | short | -| netflow.reverse_sampling_flow_interval | | long | -| netflow.reverse_sampling_flow_spacing | | long | -| netflow.reverse_sampling_interval | | long | -| netflow.reverse_sampling_packet_interval | | long | -| netflow.reverse_sampling_packet_space | | long | -| netflow.reverse_sampling_population | | long | -| netflow.reverse_sampling_probability | | double | -| netflow.reverse_sampling_size | | long | -| netflow.reverse_sampling_time_interval | | long | -| netflow.reverse_sampling_time_space | | long | -| netflow.reverse_second_packet_banner | | keyword | -| netflow.reverse_section_exported_octets | | integer | -| netflow.reverse_section_offset | | integer | -| netflow.reverse_selection_sequence_id | | long | -| netflow.reverse_selector_algorithm | | integer | -| netflow.reverse_selector_id | | long | -| netflow.reverse_selector_id_total_flows_observed | | long | -| netflow.reverse_selector_id_total_flows_selected | | long | -| netflow.reverse_selector_id_total_pkts_observed | | long | -| netflow.reverse_selector_id_total_pkts_selected | | long | -| netflow.reverse_selector_name | | keyword | -| netflow.reverse_session_scope | | short | -| netflow.reverse_small_packet_count | | long | -| netflow.reverse_source_ipv4_address | | ip | 
-| netflow.reverse_source_ipv4_prefix | | ip | -| netflow.reverse_source_ipv4_prefix_length | | short | -| netflow.reverse_source_ipv6_address | | ip | -| netflow.reverse_source_ipv6_prefix | | ip | -| netflow.reverse_source_ipv6_prefix_length | | short | -| netflow.reverse_source_mac_address | | keyword | -| netflow.reverse_source_transport_port | | integer | -| netflow.reverse_src_traffic_index | | long | -| netflow.reverse_sta_ipv4_address | | ip | -| netflow.reverse_sta_mac_address | | keyword | -| netflow.reverse_standard_deviation_interarrival_time | | long | -| netflow.reverse_standard_deviation_payload_length | | integer | -| netflow.reverse_system_init_time_milliseconds | | long | -| netflow.reverse_tcp_ack_total_count | | long | -| netflow.reverse_tcp_acknowledgement_number | | long | -| netflow.reverse_tcp_control_bits | | integer | -| netflow.reverse_tcp_destination_port | | integer | -| netflow.reverse_tcp_fin_total_count | | long | -| netflow.reverse_tcp_header_length | | short | -| netflow.reverse_tcp_options | | long | -| netflow.reverse_tcp_psh_total_count | | long | -| netflow.reverse_tcp_rst_total_count | | long | -| netflow.reverse_tcp_sequence_number | | long | -| netflow.reverse_tcp_source_port | | integer | -| netflow.reverse_tcp_syn_total_count | | long | -| netflow.reverse_tcp_urg_total_count | | long | -| netflow.reverse_tcp_urgent_pointer | | integer | -| netflow.reverse_tcp_window_scale | | integer | -| netflow.reverse_tcp_window_size | | integer | -| netflow.reverse_total_length_ipv4 | | integer | -| netflow.reverse_transport_octet_delta_count | | long | -| netflow.reverse_transport_packet_delta_count | | long | -| netflow.reverse_tunnel_technology | | keyword | -| netflow.reverse_udp_destination_port | | integer | -| netflow.reverse_udp_message_length | | integer | -| netflow.reverse_udp_source_port | | integer | -| netflow.reverse_union_tcp_flags | | short | -| netflow.reverse_upper_ci_limit | | double | -| netflow.reverse_user_name | 
| keyword | -| netflow.reverse_value_distribution_method | | short | -| netflow.reverse_virtual_station_interface_id | | keyword | -| netflow.reverse_virtual_station_interface_name | | keyword | -| netflow.reverse_virtual_station_name | | keyword | -| netflow.reverse_virtual_station_uuid | | keyword | -| netflow.reverse_vlan_id | | integer | -| netflow.reverse_vr_fname | | keyword | -| netflow.reverse_wlan_channel_id | | short | -| netflow.reverse_wlan_ssid | | keyword | -| netflow.reverse_wtp_mac_address | | keyword | -| netflow.rfc3550_jitter_microseconds | | long | -| netflow.rfc3550_jitter_milliseconds | | long | -| netflow.rfc3550_jitter_nanoseconds | | long | -| netflow.rtp_payload_type | | short | -| netflow.rtp_sequence_number | | integer | -| netflow.sampler_id | | short | -| netflow.sampler_mode | | short | -| netflow.sampler_name | | keyword | -| netflow.sampler_random_interval | | long | -| netflow.sampling_algorithm | | short | -| netflow.sampling_flow_interval | | long | -| netflow.sampling_flow_spacing | | long | -| netflow.sampling_interval | | long | -| netflow.sampling_packet_interval | | long | -| netflow.sampling_packet_space | | long | -| netflow.sampling_population | | long | -| netflow.sampling_probability | | double | -| netflow.sampling_size | | long | -| netflow.sampling_time_interval | | long | -| netflow.sampling_time_space | | long | -| netflow.second_packet_banner | | keyword | -| netflow.section_exported_octets | | integer | -| netflow.section_offset | | integer | -| netflow.selection_sequence_id | | long | -| netflow.selector_algorithm | | integer | -| netflow.selector_id | | long | -| netflow.selector_id_total_flows_observed | | long | -| netflow.selector_id_total_flows_selected | | long | -| netflow.selector_id_total_pkts_observed | | long | -| netflow.selector_id_total_pkts_selected | | long | -| netflow.selector_name | | keyword | -| netflow.service_name | | keyword | -| netflow.session_scope | | short | -| netflow.silk_app_label 
| | integer | -| netflow.small_packet_count | | long | -| netflow.source_ipv4_address | | ip | -| netflow.source_ipv4_prefix | | ip | -| netflow.source_ipv4_prefix_length | | short | -| netflow.source_ipv6_address | | ip | -| netflow.source_ipv6_prefix | | ip | -| netflow.source_ipv6_prefix_length | | short | -| netflow.source_mac_address | | keyword | -| netflow.source_transport_port | | integer | -| netflow.source_transport_ports_limit | | integer | -| netflow.src_traffic_index | | long | -| netflow.ssl_cert_serial_number | | keyword | -| netflow.ssl_cert_signature | | keyword | -| netflow.ssl_cert_validity_not_after | | keyword | -| netflow.ssl_cert_validity_not_before | | keyword | -| netflow.ssl_cert_version | | short | -| netflow.ssl_certificate_hash | | keyword | -| netflow.ssl_cipher | | keyword | -| netflow.ssl_client_version | | short | -| netflow.ssl_compression_method | | short | -| netflow.ssl_object_type | | keyword | -| netflow.ssl_object_value | | keyword | -| netflow.ssl_public_key_algorithm | | keyword | -| netflow.ssl_public_key_length | | keyword | -| netflow.ssl_server_cipher | | long | -| netflow.ssl_server_name | | keyword | -| netflow.sta_ipv4_address | | ip | -| netflow.sta_mac_address | | keyword | -| netflow.standard_deviation_interarrival_time | | long | -| netflow.standard_deviation_payload_length | | short | -| netflow.system_init_time_milliseconds | | date | -| netflow.tcp_ack_total_count | | long | -| netflow.tcp_acknowledgement_number | | long | -| netflow.tcp_control_bits | | integer | -| netflow.tcp_destination_port | | integer | -| netflow.tcp_fin_total_count | | long | -| netflow.tcp_header_length | | short | -| netflow.tcp_options | | long | -| netflow.tcp_psh_total_count | | long | -| netflow.tcp_rst_total_count | | long | -| netflow.tcp_sequence_number | | long | -| netflow.tcp_source_port | | integer | -| netflow.tcp_syn_total_count | | long | -| netflow.tcp_urg_total_count | | long | -| netflow.tcp_urgent_pointer | | 
integer | -| netflow.tcp_window_scale | | integer | -| netflow.tcp_window_size | | integer | -| netflow.template_id | | integer | -| netflow.tftp_filename | | keyword | -| netflow.tftp_mode | | keyword | -| netflow.timestamp | | long | -| netflow.timestamp_absolute_monitoring-interval | | long | -| netflow.total_length_ipv4 | | integer | -| netflow.traffic_type | | short | -| netflow.transport_octet_delta_count | | long | -| netflow.transport_packet_delta_count | | long | -| netflow.tunnel_technology | | keyword | -| netflow.type | The type of NetFlow record described by this event. | keyword | -| netflow.udp_destination_port | | integer | -| netflow.udp_message_length | | integer | -| netflow.udp_source_port | | integer | -| netflow.union_tcp_flags | | short | -| netflow.upper_ci_limit | | double | -| netflow.user_name | | keyword | -| netflow.username | | keyword | -| netflow.value_distribution_method | | short | -| netflow.viptela_vpn_id | | long | -| netflow.virtual_station_interface_id | | short | -| netflow.virtual_station_interface_name | | keyword | -| netflow.virtual_station_name | | keyword | -| netflow.virtual_station_uuid | | short | -| netflow.vlan_id | | integer | -| netflow.vmware_egress_interface_attr | | integer | -| netflow.vmware_ingress_interface_attr | | integer | -| netflow.vmware_tenant_dest_ipv4 | | ip | -| netflow.vmware_tenant_dest_ipv6 | | ip | -| netflow.vmware_tenant_dest_port | | integer | -| netflow.vmware_tenant_protocol | | short | -| netflow.vmware_tenant_source_ipv4 | | ip | -| netflow.vmware_tenant_source_ipv6 | | ip | -| netflow.vmware_tenant_source_port | | integer | -| netflow.vmware_vxlan_export_role | | short | -| netflow.vpn_identifier | | short | -| netflow.vr_fname | | keyword | -| netflow.waasoptimization_segment | | short | -| netflow.wlan_channel_id | | short | -| netflow.wlan_ssid | | keyword | -| netflow.wtp_mac_address | | keyword | -| netflow.xlate_destination_address_ip_v4 | | ip | -| 
netflow.xlate_destination_port | | integer | -| netflow.xlate_source_address_ip_v4 | | ip | -| netflow.xlate_source_port | | integer | -| network.application | When a specific application or service is identified from network connection details (source/dest IPs, ports, certificates, or wire format), this field captures the application's or service's name. For example, the original event identifies the network connection being from a specific web service in a `https` network connection, like `facebook` or `twitter`. The field value must be normalized to lowercase for querying. | keyword | -| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long | -| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword | -| network.direction | Direction of the network traffic. When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword | -| network.forwarded_ip | Host IP address when the source IP address is the proxy. | ip | -| network.iana_number | IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. 
This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. | keyword | -| network.name | Name given by operators to sections of their network. | keyword | -| network.packets | Total packets transferred in both directions. If `source.packets` and `destination.packets` are known, `network.packets` is their sum. | long | -| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword | -| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword | -| network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword | -| observer.geo.city_name | City name. | keyword | -| observer.geo.continent_name | Name of the continent. | keyword | -| observer.geo.country_iso_code | Country ISO code. | keyword | -| observer.geo.country_name | Country name. | keyword | -| observer.geo.location | Longitude and latitude. | geo_point | -| observer.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | -| observer.geo.region_iso_code | Region ISO code. | keyword | -| observer.geo.region_name | Region name. | keyword | -| observer.hostname | Hostname of the observer. | keyword | -| observer.ip | IP addresses of the observer. | ip | -| observer.mac | MAC addresses of the observer. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. 
Successive octets are separated by a hyphen. | keyword | -| observer.name | Custom name of the observer. This is a name that can be given to an observer. This can be helpful for example if multiple firewalls of the same model are used in an organization. If no custom name is needed, the field can be left empty. | keyword | -| observer.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| observer.os.full | Operating system name, including the version or code name. | keyword | -| observer.os.full.text | Multi-field of `observer.os.full`. | match_only_text | -| observer.os.kernel | Operating system kernel version as a raw string. | keyword | -| observer.os.name | Operating system name, without the version. | keyword | -| observer.os.name.text | Multi-field of `observer.os.name`. | match_only_text | -| observer.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| observer.os.version | Operating system version as a raw string. | keyword | -| observer.product | The product name of the observer. | keyword | -| observer.serial_number | Observer serial number. | keyword | -| observer.type | The type of the observer the data is coming from. There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. | keyword | -| observer.vendor | Vendor name of the observer. | keyword | -| observer.version | Observer version. | keyword | -| organization.id | Unique identifier for the organization. | keyword | -| organization.name | Organization name. | keyword | -| organization.name.text | Multi-field of `organization.name`. | match_only_text | -| os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| os.full | Operating system name, including the version or code name. | keyword | -| os.full.text | Multi-field of `os.full`. | match_only_text | -| os.kernel | Operating system kernel version as a raw string. 
| keyword | -| os.name | Operating system name, without the version. | keyword | -| os.name.text | Multi-field of `os.name`. | match_only_text | -| os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| os.version | Operating system version as a raw string. | keyword | -| package.architecture | Package architecture. | keyword | -| package.checksum | Checksum of the installed package for verification. | keyword | -| package.description | Description of the package. | keyword | -| package.install_scope | Indicating how the package was installed, e.g. user-local, global. | keyword | -| package.installed | Time when package was installed. | date | -| package.license | License under which the package was released. Use a short name, e.g. the license identifier from SPDX License List where possible (https://spdx.org/licenses/). | keyword | -| package.name | Package name | keyword | -| package.path | Path where the package is installed. | keyword | -| package.size | Package size in bytes. | long | -| package.version | Package version | keyword | -| process.args | Array of process arguments, starting with the absolute path to the executable. May be filtered to protect sensitive information. | keyword | -| process.executable | Absolute path to the process executable. | keyword | -| process.executable.text | Multi-field of `process.executable`. | match_only_text | -| process.hash.md5 | MD5 hash. | keyword | -| process.hash.sha1 | SHA1 hash. | keyword | -| process.hash.sha256 | SHA256 hash. | keyword | -| process.hash.sha512 | SHA512 hash. | keyword | -| process.name | Process name. Sometimes called program name or similar. | keyword | -| process.name.text | Multi-field of `process.name`. | match_only_text | -| process.parent.pid | Process id. | long | -| process.pgid | Deprecated for removal in next major version release. This field is superseded by `process.group_leader.pid`. Identifier of the group of processes the process belongs to. 
| long | -| process.pid | Process id. | long | -| process.start | The time the process started. | date | -| process.thread.id | Thread ID. | long | -| process.thread.name | Thread name. | keyword | -| process.title | Process title. The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. | keyword | -| process.title.text | Multi-field of `process.title`. | match_only_text | -| process.uptime | Seconds the process has been up. | long | -| process.working_directory | The working directory of the process. | keyword | -| process.working_directory.text | Multi-field of `process.working_directory`. | match_only_text | -| related.ip | All of the IPs seen on your event. | ip | -| server.address | Some event server addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| server.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| server.as.organization.name | Organization name. | keyword | -| server.as.organization.name.text | Multi-field of `server.as.organization.name`. | match_only_text | -| server.bytes | Bytes sent from the server to the client. | long | -| server.domain | The domain name of the server system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | -| server.geo.city_name | City name. | keyword | -| server.geo.continent_name | Name of the continent. | keyword | -| server.geo.country_iso_code | Country ISO code. | keyword | -| server.geo.country_name | Country name. | keyword | -| server.geo.location | Longitude and latitude. 
| geo_point | -| server.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | -| server.geo.region_iso_code | Region ISO code. | keyword | -| server.geo.region_name | Region name. | keyword | -| server.ip | IP address of the server (IPv4 or IPv6). | ip | -| server.mac | MAC address of the server. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | -| server.nat.ip | Translated ip of destination based NAT sessions (e.g. internet to private DMZ) Typically used with load balancers, firewalls, or routers. | ip | -| server.nat.port | Translated port of destination based NAT sessions (e.g. internet to private DMZ) Typically used with load balancers, firewalls, or routers. | long | -| server.packets | Packets sent from the server to the client. | long | -| server.port | Port of the server. | long | -| server.registered_domain | The highest registered server domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | -| server.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). 
Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | -| server.user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword | -| server.user.email | User email address. | keyword | -| server.user.full_name | User's full name, if available. | keyword | -| server.user.full_name.text | Multi-field of `server.user.full_name`. | match_only_text | -| server.user.group.domain | Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name. | keyword | -| server.user.group.id | Unique identifier for the group on the system/platform. | keyword | -| server.user.group.name | Name of the group. | keyword | -| server.user.hash | Unique user hash to correlate information for a user in anonymized form. Useful if `user.id` or `user.name` contain confidential information and cannot be used. | keyword | -| server.user.id | Unique identifier of the user. | keyword | -| server.user.name | Short name or login of the user. | keyword | -| server.user.name.text | Multi-field of `server.user.name`. | match_only_text | -| service.ephemeral_id | Ephemeral identifier of this service (if one exists). This id normally changes across restarts, but `service.id` does not. | keyword | -| service.id | Unique identifier of the running service. If the service is comprised of many nodes, the `service.id` should be the same for all nodes. This id should uniquely identify the service. This makes it possible to correlate logs and metrics for one specific service, no matter which particular node emitted the event. Note that if you need to see the events from one specific host of the service, you should filter on that `host.name` or `host.id` instead. | keyword | -| service.name | Name of the service data is collected from. The name of the service is normally user given. 
This allows for distributed services that run on multiple hosts to correlate the related instances based on the name. In the case of Elasticsearch the `service.name` could contain the cluster name. For Beats the `service.name` is by default a copy of the `service.type` field if no name is specified. | keyword | -| service.node.name | Name of a service node. This allows for two nodes of the same service running on the same host to be differentiated. Therefore, `service.node.name` should typically be unique across nodes of a given service. In the case of Elasticsearch, the `service.node.name` could contain the unique node name within the Elasticsearch cluster. In cases where the service doesn't have the concept of a node name, the host name or container name can be used to distinguish running instances that make up this service. If those do not provide uniqueness (e.g. multiple instances of the service running on the same host) - the node name can be manually set. | keyword | -| service.state | Current state of the service. | keyword | -| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword | -| service.version | Version of the service the data was collected from. This allows to look at a data set only for a specific version of a service. | keyword | -| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| source.as.organization.name | Organization name. 
| keyword | -| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text | -| source.bytes | Bytes sent from the source to the destination. | long | -| source.domain | The domain name of the source system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | -| source.geo.city_name | City name. | keyword | -| source.geo.continent_name | Name of the continent. | keyword | -| source.geo.country_iso_code | Country ISO code. | keyword | -| source.geo.country_name | Country name. | keyword | -| source.geo.location | Longitude and latitude. | geo_point | -| source.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | -| source.geo.region_iso_code | Region ISO code. | keyword | -| source.geo.region_name | Region name. | keyword | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| source.locality | Whether the source IP is private or public. | keyword | -| source.mac | MAC address of the source. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | -| source.nat.ip | Translated ip of source based NAT sessions (e.g. internal client to internet) Typically connections traversing load balancers, firewalls, or routers. | ip | -| source.nat.port | Translated port of source based NAT sessions. (e.g. internal client to internet) Typically used with load balancers, firewalls, or routers. | long | -| source.packets | Packets sent from the source to the destination. 
| long | -| source.port | Port of the source. | long | -| source.registered_domain | The highest registered source domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | -| source.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | -| source.user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword | -| source.user.email | User email address. | keyword | -| source.user.full_name | User's full name, if available. | keyword | -| source.user.full_name.text | Multi-field of `source.user.full_name`. | match_only_text | -| source.user.group.domain | Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name. | keyword | -| source.user.group.id | Unique identifier for the group on the system/platform. | keyword | -| source.user.group.name | Name of the group. | keyword | -| source.user.hash | Unique user hash to correlate information for a user in anonymized form. Useful if `user.id` or `user.name` contain confidential information and cannot be used. | keyword | -| source.user.id | Unique identifier of the user. | keyword | -| source.user.name | Short name or login of the user. | keyword | -| source.user.name.text | Multi-field of `source.user.name`. | match_only_text | -| tags | List of keywords used to tag each event. 
| keyword | -| threat.framework | Name of the threat framework used to further categorize and classify the tactic and technique of the reported threat. Framework classification can be provided by detecting systems, evaluated at ingest time, or retrospectively tagged to events. | keyword | -| threat.tactic.id | The id of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/ ) | keyword | -| threat.tactic.name | Name of the type of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/) | keyword | -| threat.tactic.reference | The reference url of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/ ) | keyword | -| threat.technique.id | The id of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1059/) | keyword | -| threat.technique.name | The name of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1059/) | keyword | -| threat.technique.name.text | Multi-field of `threat.technique.name`. | match_only_text | -| threat.technique.reference | The reference url of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1059/) | keyword | -| trace.id | Unique identifier of the trace. A trace groups multiple events like transactions that belong together. For example, a user request handled by multiple inter-connected services. | keyword | -| transaction.id | Unique identifier of the transaction within the scope of its trace. A transaction is the highest level of work measured within a service, such as a request to a server. | keyword | -| url.domain | Domain of the url, such as "www.elastic.co". 
In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. | keyword | -| url.extension | The field contains the file extension from the original request url, excluding the leading dot. The file extension is only set if it exists, as not every url has a file extension. The leading period must not be included. For example, the value must be "png", not ".png". Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword | -| url.fragment | Portion of the url after the `#`, such as "top". The `#` is not part of the fragment. | keyword | -| url.full | If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. | wildcard | -| url.full.text | Multi-field of `url.full`. | match_only_text | -| url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | wildcard | -| url.original.text | Multi-field of `url.original`. | match_only_text | -| url.password | Password of the request. | keyword | -| url.path | Path of the request, such as "/search". | wildcard | -| url.port | Port of the request, such as 443. | long | -| url.query | The query field describes the query string of the request, such as "q=elasticsearch". The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. 
The `exists` query can be used to differentiate between the two cases. | keyword | -| url.registered_domain | The highest registered url domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | -| url.scheme | Scheme of the request, such as "https". Note: The `:` is not part of the scheme. | keyword | -| url.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | -| url.username | Username of the request. | keyword | -| user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword | -| user.email | User email address. | keyword | -| user.full_name | User's full name, if available. | keyword | -| user.full_name.text | Multi-field of `user.full_name`. | match_only_text | -| user.group.domain | Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name. | keyword | -| user.group.id | Unique identifier for the group on the system/platform. | keyword | -| user.group.name | Name of the group. | keyword | -| user.hash | Unique user hash to correlate information for a user in anonymized form. Useful if `user.id` or `user.name` contain confidential information and cannot be used. | keyword | -| user.id | Unique identifier of the user. | keyword | -| user.name | Short name or login of the user. 
| keyword |
-| user.name.text | Multi-field of `user.name`. | match_only_text |
-| user_agent.device.name | Name of the device. | keyword |
-| user_agent.name | Name of the user agent. | keyword |
-| user_agent.original | Unparsed user_agent string. | keyword |
-| user_agent.original.text | Multi-field of `user_agent.original`. | match_only_text |
-| user_agent.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| user_agent.os.full | Operating system name, including the version or code name. | keyword |
-| user_agent.os.full.text | Multi-field of `user_agent.os.full`. | match_only_text |
-| user_agent.os.kernel | Operating system kernel version as a raw string. | keyword |
-| user_agent.os.name | Operating system name, without the version. | keyword |
-| user_agent.os.name.text | Multi-field of `user_agent.os.name`. | match_only_text |
-| user_agent.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| user_agent.os.version | Operating system version as a raw string. | keyword |
-| user_agent.version | Version of the user agent. | keyword |
-
diff --git a/packages/netflow/2.2.3/kibana/dashboard/netflow-14387a13-53bc-43a4-b9cd-63977aa8d87c.json b/packages/netflow/2.2.3/kibana/dashboard/netflow-14387a13-53bc-43a4-b9cd-63977aa8d87c.json
deleted file mode 100755
index 6df6ba38b4..0000000000
--- a/packages/netflow/2.2.3/kibana/dashboard/netflow-14387a13-53bc-43a4-b9cd-63977aa8d87c.json
+++ /dev/null
@@ -1,72 +0,0 @@ -{ - "attributes": { - "description": "Netflow Top N flows", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"globalState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"netflow.log\"},\"type\":\"phrase\",\"value\":\"netflow.log\"},\"query\":{\"match\":{\"data_stream.dataset\":{\"query\":\"netflow.log\",\"type\":\"phrase\"}}}}],\"highlightAll\":true,\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}" - }, - "optionsJSON": "{\"darkTheme\":false}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":4,\"i\":\"1\",\"w\":48,\"x\":0,\"y\":0},\"panelIndex\":\"1\",\"panelRefName\":\"panel_1\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"h\":20,\"i\":\"2\",\"w\":24,\"x\":0,\"y\":4},\"panelIndex\":\"2\",\"panelRefName\":\"panel_2\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"h\":20,\"i\":\"3\",\"w\":24,\"x\":24,\"y\":4},\"panelIndex\":\"3\",\"panelRefName\":\"panel_3\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"h\":20,\"i\":\"4\",\"w\":24,\"x\":0,\"y\":24},\"panelIndex\":\"4\",\"panelRefName\":\"panel_4\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"h\":20,\"i\":\"5\",\"w\":24,\"x\":24,\"y\":24},\"panelIndex\":\"5\",\"panelRefName\":\"panel_5\",\"type\":\"visua
lization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"h\":20,\"i\":\"6\",\"w\":24,\"x\":0,\"y\":44},\"panelIndex\":\"6\",\"panelRefName\":\"panel_6\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"h\":20,\"i\":\"7\",\"w\":24,\"x\":24,\"y\":44},\"panelIndex\":\"7\",\"panelRefName\":\"panel_7\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"params\":{\"sort\":{\"columnIndex\":2,\"direction\":\"desc\"}}}},\"gridData\":{\"h\":20,\"i\":\"8\",\"w\":24,\"x\":0,\"y\":64},\"panelIndex\":\"8\",\"panelRefName\":\"panel_8\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"h\":20,\"i\":\"9\",\"w\":24,\"x\":24,\"y\":64},\"panelIndex\":\"9\",\"panelRefName\":\"panel_9\",\"type\":\"visualization\",\"version\":\"7.3.0\"}]", - "timeRestore": false, - "title": "[Logs Netflow] Top-N", - "version": 1 - }, - "coreMigrationVersion": "8.0.0", - "id": "netflow-14387a13-53bc-43a4-b9cd-63977aa8d87c", - "migrationVersion": { - "dashboard": "8.0.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "netflow-d4e6520a-9ced-47c9-a8f2-7246e8cbd2d3", - "name": "1:panel_1", - "type": "visualization" - }, - { - "id": "netflow-15295ea6-ba84-47db-8ced-9312abbf495c", - "name": "2:panel_2", - "type": "visualization" - }, - { - "id": "netflow-5303e99b-389c-47b7-ae7a-945c5a92ba49", - "name": "3:panel_3", - "type": "visualization" - }, - { - "id": "netflow-e9ad835b-b2f2-42d3-a3e7-555a593deacf", - "name": "4:panel_4", - "type": "visualization" - }, - { - "id": 
"netflow-31b5f6fd-eb9d-4e97-90fd-367062ef217f", - "name": "5:panel_5", - "type": "visualization" - }, - { - "id": "netflow-2b3d4e86-2254-4033-8fe3-ce4753fafd03", - "name": "6:panel_6", - "type": "visualization" - }, - { - "id": "netflow-036aef95-ec90-468d-ad7c-3cc4405e9e81", - "name": "7:panel_7", - "type": "visualization" - }, - { - "id": "netflow-5292a65b-c532-422a-9008-1251a8073a3a", - "name": "8:panel_8", - "type": "visualization" - }, - { - "id": "netflow-cccff92f-cb71-49a9-9caf-84867751d31e", - "name": "9:panel_9", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/netflow/2.2.3/kibana/dashboard/netflow-34e26884-161a-4448-9556-43b5bf2f62a2.json b/packages/netflow/2.2.3/kibana/dashboard/netflow-34e26884-161a-4448-9556-43b5bf2f62a2.json deleted file mode 100755 index 5121267442..0000000000 --- a/packages/netflow/2.2.3/kibana/dashboard/netflow-34e26884-161a-4448-9556-43b5bf2f62a2.json +++ /dev/null 
@@ -1,92 +0,0 @@ -{ - "attributes": { - "description": "Overview of Netflow", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"globalState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"netflow.log\"},\"type\":\"phrase\",\"value\":\"netflow.log\"},\"query\":{\"match\":{\"data_stream.dataset\":{\"query\":\"netflow.log\",\"type\":\"phrase\"}}}}],\"highlightAll\":true,\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}" - }, - "optionsJSON": "{\"darkTheme\":false}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"12\",\"w\":16,\"x\":0,\"y\":4},\"panelIndex\":\"12\",\"panelRefName\":\"panel_12\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"13\",\"w\":16,\"x\":16,\"y\":4},\"panelIndex\":\"13\",\"panelRefName\":\"panel_13\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"14\",\"w\":16,\"x\":32,\"y\":4},\"panelIndex\":\"14\",\"panelRefName\":\"panel_14\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"15\",\"w\":16,\"x\":16,\"y\":12},\"panelIndex\":\"15\",\"panelRefName\":\"panel_15\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":4,\"i\":\"17\",\"w\":48,\"x\":0,\"y\":0},\"panelIndex\":\"17\",\"panelRefName\":\"panel_17\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"21\",\"w\":16,\"x\":32,\"y\":12},\"panelIndex\":\"21\",\"panelRefName\":\"panel_21\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}
},\"gridData\":{\"h\":8,\"i\":\"22\",\"w\":16,\"x\":16,\"y\":20},\"panelIndex\":\"22\",\"panelRefName\":\"panel_22\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"23\",\"w\":16,\"x\":0,\"y\":12},\"panelIndex\":\"23\",\"panelRefName\":\"panel_23\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"24\",\"w\":16,\"x\":0,\"y\":20},\"panelIndex\":\"24\",\"panelRefName\":\"panel_24\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"25\",\"w\":16,\"x\":32,\"y\":20},\"panelIndex\":\"25\",\"panelRefName\":\"panel_25\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"26\",\"w\":16,\"x\":0,\"y\":28},\"panelIndex\":\"26\",\"panelRefName\":\"panel_26\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"27\",\"w\":16,\"x\":16,\"y\":28},\"panelIndex\":\"27\",\"panelRefName\":\"panel_27\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"29\",\"w\":16,\"x\":32,\"y\":28},\"panelIndex\":\"29\",\"panelRefName\":\"panel_29\",\"type\":\"visualization\",\"version\":\"7.3.0\"}]", - "timeRestore": false, - "title": "[Logs Netflow] Overview", - "version": 1 - }, - "coreMigrationVersion": "8.0.0", - "id": "netflow-34e26884-161a-4448-9556-43b5bf2f62a2", - "migrationVersion": { - "dashboard": "8.0.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "netflow-ae334aec-31fa-4df7-a064-40b18831d819", - "name": "12:panel_12", - "type": "visualization" - }, - { - "id": "netflow-67fdca65-a9df-47f0-a8a4-1e8b056325de", - "name": "13:panel_13", - 
"type": "visualization" - }, - { - "id": "netflow-1558508d-591c-49be-bef4-85fdac18a960", - "name": "14:panel_14", - "type": "visualization" - }, - { - "id": "netflow-1cf30eac-aae8-47fa-a156-37f6346d2d5a", - "name": "15:panel_15", - "type": "visualization" - }, - { - "id": "netflow-d4e6520a-9ced-47c9-a8f2-7246e8cbd2d3", - "name": "17:panel_17", - "type": "visualization" - }, - { - "id": "netflow-7fa6cb0a-518d-46e9-a228-15cd4253a957", - "name": "21:panel_21", - "type": "visualization" - }, - { - "id": "netflow-f772028b-d5a6-4d55-b441-493871981a60", - "name": "22:panel_22", - "type": "visualization" - }, - { - "id": "netflow-57e13a20-e94f-4465-a942-42148634a1d2", - "name": "23:panel_23", - "type": "visualization" - }, - { - "id": "netflow-b02c2713-17f0-41dd-88a3-ce33b446f19d", - "name": "24:panel_24", - "type": "visualization" - }, - { - "id": "netflow-5ccac452-e90a-4dde-ae9b-1be36ce3f761", - "name": "25:panel_25", - "type": "visualization" - }, - { - "id": "netflow-31708a70-4957-4a8a-8065-5c88a344ad02", - "name": "26:panel_26", - "type": "visualization" - }, - { - "id": "netflow-b677cd82-b33e-49b3-8b6e-0e110177b163", - "name": "27:panel_27", - "type": "visualization" - }, - { - "id": "netflow-3dec20c0-0d4f-43ef-8864-3779e1a1b33f", - "name": "29:panel_29", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/netflow/2.2.3/kibana/dashboard/netflow-38012abe-c611-4124-8497-381fcd85acc8.json b/packages/netflow/2.2.3/kibana/dashboard/netflow-38012abe-c611-4124-8497-381fcd85acc8.json deleted file mode 100755 index 8c9c9643d8..0000000000 --- a/packages/netflow/2.2.3/kibana/dashboard/netflow-38012abe-c611-4124-8497-381fcd85acc8.json +++ /dev/null 
@@ -1,232 +0,0 @@ -{ - "attributes": { - "description": "Netflow traffic analysis", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"globalState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"netflow.log\"},\"type\":\"phrase\",\"value\":\"netflow.log\"},\"query\":{\"match\":{\"data_stream.dataset\":{\"query\":\"netflow.log\",\"type\":\"phrase\"}}}}],\"highlightAll\":true,\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}" - }, - "optionsJSON": "{\"darkTheme\":false}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"1\",\"w\":24,\"x\":24,\"y\":84},\"panelIndex\":\"1\",\"panelRefName\":\"panel_1\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":4,\"i\":\"4\",\"w\":48,\"x\":0,\"y\":0},\"panelIndex\":\"4\",\"panelRefName\":\"panel_4\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"5\",\"w\":24,\"x\":24,\"y\":108},\"panelIndex\":\"5\",\"panelRefName\":\"panel_5\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"6\",\"w\":24,\"x\":0,\"y\":108},\"panelIndex\":\"6\",\"panelRefName\":\"panel_6\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"7\",\"w\":24,\"x\":24,\"y\":36},\"panelIndex\":\"7\",\"panelRefName\":\"panel_7\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"9\",\"w\":24,\"x\":0,\"y\":84},\"panelIndex\":\"9\",\"panelRefName\":\"panel_9\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"grid
Data\":{\"h\":8,\"i\":\"10\",\"w\":24,\"x\":24,\"y\":60},\"panelIndex\":\"10\",\"panelRefName\":\"panel_10\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"11\",\"w\":24,\"x\":0,\"y\":60},\"panelIndex\":\"11\",\"panelRefName\":\"panel_11\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"12\",\"w\":24,\"x\":0,\"y\":36},\"panelIndex\":\"12\",\"panelRefName\":\"panel_12\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"13\",\"w\":24,\"x\":0,\"y\":12},\"panelIndex\":\"13\",\"panelRefName\":\"panel_13\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"14\",\"w\":24,\"x\":24,\"y\":12},\"panelIndex\":\"14\",\"panelRefName\":\"panel_14\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"legendOpen\":true}},\"gridData\":{\"h\":8,\"i\":\"15\",\"w\":16,\"x\":0,\"y\":4},\"panelIndex\":\"15\",\"panelRefName\":\"panel_15\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"16\",\"w\":16,\"x\":0,\"y\":28},\"panelIndex\":\"16\",\"panelRefName\":\"panel_16\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"17\",\"w\":16,\"x\":24,\"y\":4},\"panelIndex\":\"17\",\"panelRefName\":\"panel_17\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"18\",\"w\":16,\"x\":24,\"y\":28},\"panelIndex\":\"18\",\"panelRefName\":\"panel_18\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"19\",\"w\":16,\"x\":0,\"y\":52},\"panelIndex\":\"19\",\"panelRefName\":\
"panel_19\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"20\",\"w\":16,\"x\":24,\"y\":52},\"panelIndex\":\"20\",\"panelRefName\":\"panel_20\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"21\",\"w\":16,\"x\":0,\"y\":76},\"panelIndex\":\"21\",\"panelRefName\":\"panel_21\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"22\",\"w\":16,\"x\":24,\"y\":76},\"panelIndex\":\"22\",\"panelRefName\":\"panel_22\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"23\",\"w\":16,\"x\":0,\"y\":100},\"panelIndex\":\"23\",\"panelRefName\":\"panel_23\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"24\",\"w\":16,\"x\":24,\"y\":100},\"panelIndex\":\"24\",\"panelRefName\":\"panel_24\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"25\",\"w\":24,\"x\":0,\"y\":20},\"panelIndex\":\"25\",\"panelRefName\":\"panel_25\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}},\"gridData\":{\"h\":8,\"i\":\"26\",\"w\":8,\"x\":40,\"y\":4},\"panelIndex\":\"26\",\"panelRefName\":\"panel_26\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"defaultColors\":{\"0 - 
100\":\"rgb(0,104,55)\"}}},\"gridData\":{\"h\":8,\"i\":\"27\",\"w\":8,\"x\":16,\"y\":4},\"panelIndex\":\"27\",\"panelRefName\":\"panel_27\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"28\",\"w\":24,\"x\":24,\"y\":20},\"panelIndex\":\"28\",\"panelRefName\":\"panel_28\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}},\"gridData\":{\"h\":8,\"i\":\"29\",\"w\":8,\"x\":40,\"y\":28},\"panelIndex\":\"29\",\"panelRefName\":\"panel_29\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}},\"gridData\":{\"h\":8,\"i\":\"30\",\"w\":8,\"x\":16,\"y\":28},\"panelIndex\":\"30\",\"panelRefName\":\"panel_30\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"31\",\"w\":24,\"x\":24,\"y\":92},\"panelIndex\":\"31\",\"panelRefName\":\"panel_31\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"34\",\"w\":24,\"x\":24,\"y\":116},\"panelIndex\":\"34\",\"panelRefName\":\"panel_34\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"35\",\"w\":24,\"x\":0,\"y\":116},\"panelIndex\":\"35\",\"panelRefName\":\"panel_35\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"38\",\"w\":24,\"x\":24,\"y\":44},\"panelIndex\":\"38\",\"panelRefName\":\"panel_38\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"42\",\"w\":24,\"x\":0,\"y\":44},\"panelIndex\":\"42\",\"panelRefName\":\"panel_42\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\
":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"44\",\"w\":24,\"x\":0,\"y\":92},\"panelIndex\":\"44\",\"panelRefName\":\"panel_44\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"45\",\"w\":24,\"x\":0,\"y\":68},\"panelIndex\":\"45\",\"panelRefName\":\"panel_45\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"47\",\"w\":24,\"x\":24,\"y\":68},\"panelIndex\":\"47\",\"panelRefName\":\"panel_47\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}},\"gridData\":{\"h\":8,\"i\":\"48\",\"w\":8,\"x\":16,\"y\":52},\"panelIndex\":\"48\",\"panelRefName\":\"panel_48\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}},\"gridData\":{\"h\":8,\"i\":\"49\",\"w\":8,\"x\":40,\"y\":52},\"panelIndex\":\"49\",\"panelRefName\":\"panel_49\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}},\"gridData\":{\"h\":8,\"i\":\"50\",\"w\":8,\"x\":40,\"y\":76},\"panelIndex\":\"50\",\"panelRefName\":\"panel_50\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}},\"gridData\":{\"h\":8,\"i\":\"51\",\"w\":8,\"x\":40,\"y\":100},\"panelIndex\":\"51\",\"panelRefName\":\"panel_51\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"defaultColors\":{\"0 - 
100\":\"rgb(0,104,55)\"}}},\"gridData\":{\"h\":8,\"i\":\"52\",\"w\":8,\"x\":16,\"y\":100},\"panelIndex\":\"52\",\"panelRefName\":\"panel_52\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}},\"gridData\":{\"h\":8,\"i\":\"53\",\"w\":8,\"x\":16,\"y\":76},\"panelIndex\":\"53\",\"panelRefName\":\"panel_53\",\"type\":\"visualization\",\"version\":\"7.3.0\"}]", - "timeRestore": false, - "title": "[Logs Netflow] Traffic Analysis", - "version": 1 - }, - "coreMigrationVersion": "8.0.0", - "id": "netflow-38012abe-c611-4124-8497-381fcd85acc8", - "migrationVersion": { - "dashboard": "8.0.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "netflow-abfa0b19-60cd-4984-9c3d-02ebf0aa1dfb", - "name": "1:panel_1", - "type": "visualization" - }, - { - "id": "netflow-d4e6520a-9ced-47c9-a8f2-7246e8cbd2d3", - "name": "4:panel_4", - "type": "visualization" - }, - { - "id": "netflow-1e74d5cb-556d-42ee-8042-88f6c1af47f0", - "name": "5:panel_5", - "type": "visualization" - }, - { - "id": "netflow-5cfb2c9a-4815-4a25-9d7e-ab0ef55ffe63", - "name": "6:panel_6", - "type": "visualization" - }, - { - "id": "netflow-3e27fb83-b3e3-4c15-b999-ed6da49b7a86", - "name": "7:panel_7", - "type": "visualization" - }, - { - "id": "netflow-5d868836-c7b2-4812-bf47-4838aac281d9", - "name": "9:panel_9", - "type": "visualization" - }, - { - "id": "netflow-a5efa3dd-f53a-4d14-9d3f-ee73345fd93d", - "name": "10:panel_10", - "type": "visualization" - }, - { - "id": "netflow-717cd7c7-bfca-435d-8ee7-38259927aade", - "name": "11:panel_11", - "type": "visualization" - }, - { - "id": "netflow-f668ecdb-eec7-44c6-9060-26aaf9fc8404", - "name": "12:panel_12", - "type": "visualization" - }, - { - "id": "netflow-6bbd6712-494a-4fd9-b3d3-757304681f0f", - "name": "13:panel_13", - "type": "visualization" - }, - { - "id": 
"netflow-681f0ce4-d828-4a99-b643-0c0715530050", - "name": "14:panel_14", - "type": "visualization" - }, - { - "id": "netflow-fd6c1144-5026-4795-b7af-a9aa3fc28c56", - "name": "15:panel_15", - "type": "visualization" - }, - { - "id": "netflow-0b2818fd-aecc-4bef-b566-9466eb702ae4", - "name": "16:panel_16", - "type": "visualization" - }, - { - "id": "netflow-248e00b4-8fc2-406f-8907-729d5380aaa7", - "name": "17:panel_17", - "type": "visualization" - }, - { - "id": "netflow-cf399a85-e348-4ac1-a399-e8f5a44114c4", - "name": "18:panel_18", - "type": "visualization" - }, - { - "id": "netflow-1cf30eac-aae8-47fa-a156-37f6346d2d5a", - "name": "19:panel_19", - "type": "visualization" - }, - { - "id": "netflow-7fa6cb0a-518d-46e9-a228-15cd4253a957", - "name": "20:panel_20", - "type": "visualization" - }, - { - "id": "netflow-57e13a20-e94f-4465-a942-42148634a1d2", - "name": "21:panel_21", - "type": "visualization" - }, - { - "id": "netflow-f772028b-d5a6-4d55-b441-493871981a60", - "name": "22:panel_22", - "type": "visualization" - }, - { - "id": "netflow-a14c3248-952d-42aa-bd7d-9b39157a776f", - "name": "23:panel_23", - "type": "visualization" - }, - { - "id": "netflow-a685420e-c45f-4b62-932b-5b76ac8b8ca2", - "name": "24:panel_24", - "type": "visualization" - }, - { - "id": "netflow-0528bc66-6981-400a-a02d-c1d221b38890", - "name": "25:panel_25", - "type": "visualization" - }, - { - "id": "netflow-e99dc327-03de-4561-9e0c-f550710125c2", - "name": "26:panel_26", - "type": "visualization" - }, - { - "id": "netflow-32e712ed-fa15-4db7-8575-8476e8d65b03", - "name": "27:panel_27", - "type": "visualization" - }, - { - "id": "netflow-d59a031c-70d6-47d7-966d-7fcb805be9be", - "name": "28:panel_28", - "type": "visualization" - }, - { - "id": "netflow-af707b01-29f1-462b-b279-6d2e803f3645", - "name": "29:panel_29", - "type": "visualization" - }, - { - "id": "netflow-ddd27657-c3c8-4f82-8059-6d7763dd599b", - "name": "30:panel_30", - "type": "visualization" - }, - { - "id": 
"netflow-30cd1009-2925-4c9b-820d-d689f5d1efda", - "name": "31:panel_31", - "type": "visualization" - }, - { - "id": "netflow-7d447b22-89dc-4f32-b549-4b8620af4d76", - "name": "34:panel_34", - "type": "visualization" - }, - { - "id": "netflow-d41a9663-e5ad-47a7-955e-3803ae4e23c0", - "name": "35:panel_35", - "type": "visualization" - }, - { - "id": "netflow-3a4209e2-281c-467e-b5cb-315bf4a2661f", - "name": "38:panel_38", - "type": "visualization" - }, - { - "id": "netflow-201d7dd1-a880-4a64-b631-db5629340db9", - "name": "42:panel_42", - "type": "visualization" - }, - { - "id": "netflow-8f83cf97-4a48-421f-8db5-690297d1f4fb", - "name": "44:panel_44", - "type": "visualization" - }, - { - "id": "netflow-a1704d46-15fc-41c2-851d-796ceb49877f", - "name": "45:panel_45", - "type": "visualization" - }, - { - "id": "netflow-15e2a267-2495-4df2-a121-abe410d2f18c", - "name": "47:panel_47", - "type": "visualization" - }, - { - "id": "netflow-f27c1479-0625-4cdc-92de-672e47db0f87", - "name": "48:panel_48", - "type": "visualization" - }, - { - "id": "netflow-0177bf1a-cba8-4ba6-a1d7-73caed86ffc2", - "name": "49:panel_49", - "type": "visualization" - }, - { - "id": "netflow-d5568704-e30b-4108-bb49-06a9b8dce6a6", - "name": "50:panel_50", - "type": "visualization" - }, - { - "id": "netflow-16262df9-a979-4136-935e-d883c7d373d7", - "name": "51:panel_51", - "type": "visualization" - }, - { - "id": "netflow-63ef5338-fdf2-488e-b78a-f0e98daccc95", - "name": "52:panel_52", - "type": "visualization" - }, - { - "id": "netflow-2dca3025-692c-4876-8bcc-e0b248dc9819", - "name": "53:panel_53", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/netflow/2.2.3/kibana/dashboard/netflow-77326664-23be-4bf1-a126-6d7e60cfc024.json b/packages/netflow/2.2.3/kibana/dashboard/netflow-77326664-23be-4bf1-a126-6d7e60cfc024.json deleted file mode 100755 index 8e2e71878d..0000000000 
--- a/packages/netflow/2.2.3/kibana/dashboard/netflow-77326664-23be-4bf1-a126-6d7e60cfc024.json +++ /dev/null 
@@ -1,52 +0,0 @@ -{ - "attributes": { - "description": "Netflow geo location", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"netflow.log\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":{\"query\":\"netflow.log\"}}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"darkTheme\":false}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"17\",\"w\":16,\"x\":0,\"y\":4},\"panelIndex\":\"17\",\"panelRefName\":\"panel_17\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"18\",\"w\":16,\"x\":0,\"y\":12},\"panelIndex\":\"18\",\"panelRefName\":\"panel_18\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"19\",\"w\":16,\"x\":0,\"y\":20},\"panelIndex\":\"19\",\"panelRefName\":\"panel_19\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":4,\"i\":\"20\",\"w\":48,\"x\":0,\"y\":0},\"panelIndex\":\"20\",\"panelRefName\":\"panel_20\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"attributes\":{\"description\":\"\",\"layerListJSON\":\"[{\\\"sourceDescriptor\\\":{\\\"type\\\":\\\"EMS_TMS\\\",\\\"isAutoSelect\\\":true,\\\"lightModeDefault\\\":\\\"road_map_desaturated\\\"},\\\"id\\\":\\\"9afd9bfb-ab56-4bc3-a8c6-e412c1bc7f24\\\",\\\"label\\\":null,\\\"minZoom\\\":0,\\\"maxZoom\\\":24,\\\"alpha\\\":1,\\\"visible\\\":true,\\\"style\\\":{\\\"type\\\":\\\"TILE\\\"},\\\"includeInFitToBounds\\\":true,\\\"type\\\":\\\"VECTOR_TILE\\\"},{\\\"alpha\\\":0.75,\\\"id\\\":\\\"85982ce7-be78-44ec-a692-96c1
18b3a187\\\",\\\"includeInFitToBounds\\\":true,\\\"label\\\":\\\"Destination Geo Location Heatmap [Logs Netflow]\\\",\\\"maxZoom\\\":24,\\\"minZoom\\\":0,\\\"sourceDescriptor\\\":{\\\"applyForceRefresh\\\":true,\\\"applyGlobalQuery\\\":true,\\\"applyGlobalTime\\\":true,\\\"geoField\\\":\\\"destination.geo.location\\\",\\\"id\\\":\\\"6972252f-e3a3-4886-abfb-bea957bc1c73\\\",\\\"indexPatternId\\\":\\\"logs-*\\\",\\\"metrics\\\":[{\\\"type\\\":\\\"count\\\"}],\\\"requestType\\\":\\\"heatmap\\\",\\\"resolution\\\":\\\"MOST_FINE\\\",\\\"type\\\":\\\"ES_GEO_GRID\\\"},\\\"style\\\":{\\\"colorRampName\\\":\\\"theclassic\\\",\\\"type\\\":\\\"HEATMAP\\\"},\\\"type\\\":\\\"HEATMAP\\\",\\\"visible\\\":true}]\",\"mapStateJSON\":\"{\\\"zoom\\\":1.78,\\\"center\\\":{\\\"lon\\\":0,\\\"lat\\\":16.40767},\\\"timeFilters\\\":{\\\"from\\\":\\\"now-24h\\\",\\\"to\\\":\\\"now\\\"},\\\"refreshConfig\\\":{\\\"isPaused\\\":true,\\\"interval\\\":0},\\\"query\\\":{\\\"language\\\":\\\"kuery\\\",\\\"query\\\":\\\"\\\"},\\\"filters\\\":[],\\\"settings\\\":{\\\"autoFitToDataBounds\\\":false,\\\"backgroundColor\\\":\\\"#ffffff\\\",\\\"disableInteractive\\\":false,\\\"disableTooltipControl\\\":false,\\\"hideToolbarOverlay\\\":false,\\\"hideLayerControl\\\":false,\\\"hideViewControl\\\":false,\\\"initialLocation\\\":\\\"LAST_SAVED_LOCATION\\\",\\\"fixedLocation\\\":{\\\"lat\\\":0,\\\"lon\\\":0,\\\"zoom\\\":2},\\\"browserLocation\\\":{\\\"zoom\\\":2},\\\"maxZoom\\\":24,\\\"minZoom\\\":0,\\\"showScaleControl\\\":false,\\\"showSpatialFilters\\\":true,\\\"showTimesliderToggleButton\\\":true,\\\"spatialFiltersAlpa\\\":0.3,\\\"spatialFiltersFillColor\\\":\\\"#DA8B45\\\",\\\"spatialFiltersLineColor\\\":\\\"#DA8B45\\\"}}\",\"references\":[],\"title\":\"Destination Geo Location Heatmap [Logs 
Netflow]\",\"uiStateJSON\":\"{\\\"isLayerTOCOpen\\\":true,\\\"openTOCDetails\\\":[]}\"},\"enhancements\":{},\"hiddenLayers\":[],\"isLayerTOCOpen\":true,\"mapBuffer\":{\"maxLat\":66.51326,\"maxLon\":90,\"minLat\":-66.51326,\"minLon\":-90},\"mapCenter\":{\"lat\":16.40767,\"lon\":0,\"zoom\":1.78},\"openTOCDetails\":[]},\"gridData\":{\"h\":24,\"i\":\"41aa0e4c-7e76-4715-bf20-c756e74ffe02\",\"w\":32,\"x\":16,\"y\":4},\"panelIndex\":\"41aa0e4c-7e76-4715-bf20-c756e74ffe02\",\"type\":\"map\",\"version\":\"8.0.0\"}]", - "timeRestore": false, - "title": "[Logs Netflow] Geo Location", - "version": 1 - }, - "coreMigrationVersion": "8.0.0", - "id": "netflow-77326664-23be-4bf1-a126-6d7e60cfc024", - "migrationVersion": { - "dashboard": "8.0.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "netflow-2316bb53-d98a-4f0f-8cd8-51e9fb317823", - "name": "17:panel_17", - "type": "visualization" - }, - { - "id": "netflow-aed09724-0a69-4331-84f5-3d2067c43930", - "name": "18:panel_18", - "type": "visualization" - }, - { - "id": "netflow-f531f957-e8c0-497a-ad41-ef39c2d29671", - "name": "19:panel_19", - "type": "visualization" - }, - { - "id": "netflow-d4e6520a-9ced-47c9-a8f2-7246e8cbd2d3", - "name": "20:panel_20", - "type": "visualization" - }, - { - "id": "logs-*", - "name": "41aa0e4c-7e76-4715-bf20-c756e74ffe02:layer_1_source_index_pattern", - "type": "index-pattern" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/netflow/2.2.3/kibana/dashboard/netflow-94972700-de4a-4272-9143-2fa8d4981365.json b/packages/netflow/2.2.3/kibana/dashboard/netflow-94972700-de4a-4272-9143-2fa8d4981365.json deleted file mode 100755 index 8ffb5c9326..0000000000 --- a/packages/netflow/2.2.3/kibana/dashboard/netflow-94972700-de4a-4272-9143-2fa8d4981365.json +++ /dev/null 
@@ -1,47 +0,0 @@ -{ - "attributes": { - "description": "Netflow flow records", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"globalState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"netflow.log\"},\"type\":\"phrase\",\"value\":\"netflow.log\"},\"query\":{\"match\":{\"data_stream.dataset\":{\"query\":\"netflow.log\",\"type\":\"phrase\"}}}}],\"highlightAll\":true,\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}" - }, - "optionsJSON": "{\"darkTheme\":false}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"2\",\"w\":36,\"x\":12,\"y\":4},\"panelIndex\":\"2\",\"panelRefName\":\"panel_2\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}},\"gridData\":{\"h\":8,\"i\":\"3\",\"w\":12,\"x\":0,\"y\":4},\"panelIndex\":\"3\",\"panelRefName\":\"panel_3\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":4,\"i\":\"4\",\"w\":48,\"x\":0,\"y\":0},\"panelIndex\":\"4\",\"panelRefName\":\"panel_4\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"columns\":[\"source.ip\",\"source.port\",\"destination.ip\",\"destination.port\",\"network.transport\",\"network.bytes\",\"network.packets\"],\"enhancements\":{},\"sort\":[\"@timestamp\",\"desc\"]},\"gridData\":{\"h\":16,\"i\":\"5\",\"w\":48,\"x\":0,\"y\":12},\"panelIndex\":\"5\",\"panelRefName\":\"panel_5\",\"type\":\"search\",\"version\":\"7.3.0\"}]", - "timeRestore": false, - "title": "[Logs Netflow] Flow records", - "version": 1 - }, - "coreMigrationVersion": "8.0.0", - "id": "netflow-94972700-de4a-4272-9143-2fa8d4981365", - "migrationVersion": { - "dashboard": "8.0.0" - }, - 
"references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "netflow-4bb0255e-18ed-45e4-bfb9-de8e35b12094", - "name": "2:panel_2", - "type": "visualization" - }, - { - "id": "netflow-c27c6a3b-93ee-44d5-8d0c-9b097e575f52", - "name": "3:panel_3", - "type": "visualization" - }, - { - "id": "netflow-d4e6520a-9ced-47c9-a8f2-7246e8cbd2d3", - "name": "4:panel_4", - "type": "visualization" - }, - { - "id": "netflow-a34c6611-79d8-4b50-ae3f-8b328d28e24a", - "name": "5:panel_5", - "type": "search" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/netflow/2.2.3/kibana/dashboard/netflow-acd7a630-0c71-4840-bc9e-4a3801374a32.json b/packages/netflow/2.2.3/kibana/dashboard/netflow-acd7a630-0c71-4840-bc9e-4a3801374a32.json deleted file mode 100755 index 273f679d05..0000000000 --- a/packages/netflow/2.2.3/kibana/dashboard/netflow-acd7a630-0c71-4840-bc9e-4a3801374a32.json +++ /dev/null 
@@ -1,52 +0,0 @@ -{ - "attributes": { - "description": "Netflow conversation partners", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"globalState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"netflow.log\"},\"type\":\"phrase\",\"value\":\"netflow.log\"},\"query\":{\"match\":{\"data_stream.dataset\":{\"query\":\"netflow.log\",\"type\":\"phrase\"}}}}],\"highlightAll\":true,\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}" - }, - "optionsJSON": "{\"darkTheme\":false}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"params\":{\"sort\":{\"columnIndex\":2,\"direction\":\"desc\"}}}},\"gridData\":{\"h\":20,\"i\":\"1\",\"w\":48,\"x\":0,\"y\":12},\"panelIndex\":\"1\",\"panelRefName\":\"panel_1\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"2\",\"w\":16,\"x\":32,\"y\":4},\"panelIndex\":\"2\",\"panelRefName\":\"panel_2\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"3\",\"w\":16,\"x\":0,\"y\":4},\"panelIndex\":\"3\",\"panelRefName\":\"panel_3\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"4\",\"w\":16,\"x\":16,\"y\":4},\"panelIndex\":\"4\",\"panelRefName\":\"panel_4\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":4,\"i\":\"5\",\"w\":48,\"x\":0,\"y\":0},\"panelIndex\":\"5\",\"panelRefName\":\"panel_5\",\"type\":\"visualization\",\"version\":\"7.3.0\"}]", - "timeRestore": false, - "title": "[Logs Netflow] Conversation Partners", - "version": 1 - }, - "coreMigrationVersion": "8.0.0", - "id": 
"netflow-acd7a630-0c71-4840-bc9e-4a3801374a32", - "migrationVersion": { - "dashboard": "8.0.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "netflow-ebea013f-9b5b-4f61-a9c8-c62bebf62ae9", - "name": "1:panel_1", - "type": "visualization" - }, - { - "id": "netflow-ae334aec-31fa-4df7-a064-40b18831d819", - "name": "2:panel_2", - "type": "visualization" - }, - { - "id": "netflow-e822f94c-5f65-4963-a540-74ca9c25bd2d", - "name": "3:panel_3", - "type": "visualization" - }, - { - "id": "netflow-c54f5529-e6d7-4c26-8e8e-3b35de132035", - "name": "4:panel_4", - "type": "visualization" - }, - { - "id": "netflow-d4e6520a-9ced-47c9-a8f2-7246e8cbd2d3", - "name": "5:panel_5", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/netflow/2.2.3/kibana/dashboard/netflow-c64665f9-d222-421e-90b0-c7310d944b8a.json b/packages/netflow/2.2.3/kibana/dashboard/netflow-c64665f9-d222-421e-90b0-c7310d944b8a.json deleted file mode 100755 index a900f7c546..0000000000 --- a/packages/netflow/2.2.3/kibana/dashboard/netflow-c64665f9-d222-421e-90b0-c7310d944b8a.json +++ /dev/null 
@@ -1,67 +0,0 @@ -{ - "attributes": { - "description": "Autonomous systems Netflow", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"globalState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"netflow.log\"},\"type\":\"phrase\",\"value\":\"netflow.log\"},\"query\":{\"match\":{\"data_stream.dataset\":{\"query\":\"netflow.log\",\"type\":\"phrase\"}}}}],\"highlightAll\":true,\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}" - }, - "optionsJSON": "{\"darkTheme\":false}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":4,\"i\":\"1\",\"w\":48,\"x\":0,\"y\":0},\"panelIndex\":\"1\",\"panelRefName\":\"panel_1\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"2\",\"w\":24,\"x\":24,\"y\":12},\"panelIndex\":\"2\",\"panelRefName\":\"panel_2\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"3\",\"w\":24,\"x\":24,\"y\":20},\"panelIndex\":\"3\",\"panelRefName\":\"panel_3\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"4\",\"w\":24,\"x\":0,\"y\":12},\"panelIndex\":\"4\",\"panelRefName\":\"panel_4\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"5\",\"w\":24,\"x\":0,\"y\":20},\"panelIndex\":\"5\",\"panelRefName\":\"panel_5\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"6\",\"w\":16,\"x\":0,\"y\":4},\"panelIndex\":\"6\",\"panelRefName\":\"panel_6\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridDat
a\":{\"h\":8,\"i\":\"7\",\"w\":16,\"x\":16,\"y\":4},\"panelIndex\":\"7\",\"panelRefName\":\"panel_7\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"8\",\"w\":16,\"x\":32,\"y\":4},\"panelIndex\":\"8\",\"panelRefName\":\"panel_8\",\"type\":\"visualization\",\"version\":\"7.3.0\"}]", - "timeRestore": false, - "title": "[Logs Netflow] Autonomous Systems", - "version": 1 - }, - "coreMigrationVersion": "8.0.0", - "id": "netflow-c64665f9-d222-421e-90b0-c7310d944b8a", - "migrationVersion": { - "dashboard": "8.0.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "netflow-d4e6520a-9ced-47c9-a8f2-7246e8cbd2d3", - "name": "1:panel_1", - "type": "visualization" - }, - { - "id": "netflow-12aad647-c45d-4667-a029-152c1a97cbbc", - "name": "2:panel_2", - "type": "visualization" - }, - { - "id": "netflow-d27b5d74-b3b4-4311-a0e6-08ff8f4345df", - "name": "3:panel_3", - "type": "visualization" - }, - { - "id": "netflow-751ecb6f-11c3-458d-b039-f6d57a6379fa", - "name": "4:panel_4", - "type": "visualization" - }, - { - "id": "netflow-f75063c7-48b7-4de4-b8cb-d07eb2cea0e9", - "name": "5:panel_5", - "type": "visualization" - }, - { - "id": "netflow-f7808e70-df2a-4532-a350-966704567c24", - "name": "6:panel_6", - "type": "visualization" - }, - { - "id": "netflow-aed09724-0a69-4331-84f5-3d2067c43930", - "name": "7:panel_7", - "type": "visualization" - }, - { - "id": "netflow-f531f957-e8c0-497a-ad41-ef39c2d29671", - "name": "8:panel_8", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/netflow/2.2.3/kibana/dashboard/netflow-feebb4e6-b13e-4e4e-b9fc-d3a178276425.json b/packages/netflow/2.2.3/kibana/dashboard/netflow-feebb4e6-b13e-4e4e-b9fc-d3a178276425.json deleted file mode 100755 index 9496b56018..0000000000 
--- a/packages/netflow/2.2.3/kibana/dashboard/netflow-feebb4e6-b13e-4e4e-b9fc-d3a178276425.json +++ /dev/null 
@@ -1,67 +0,0 @@ -{ - "attributes": { - "description": "Netflow exporters", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"globalState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"netflow.log\"},\"type\":\"phrase\",\"value\":\"netflow.log\"},\"query\":{\"match\":{\"data_stream.dataset\":{\"query\":\"netflow.log\",\"type\":\"phrase\"}}}}],\"highlightAll\":true,\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}" - }, - "optionsJSON": "{\"darkTheme\":false}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":4,\"i\":\"1\",\"w\":48,\"x\":0,\"y\":0},\"panelIndex\":\"1\",\"panelRefName\":\"panel_1\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"2\",\"w\":16,\"x\":0,\"y\":4},\"panelIndex\":\"2\",\"panelRefName\":\"panel_2\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"3\",\"w\":16,\"x\":16,\"y\":4},\"panelIndex\":\"3\",\"panelRefName\":\"panel_3\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"4\",\"w\":16,\"x\":32,\"y\":4},\"panelIndex\":\"4\",\"panelRefName\":\"panel_4\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"5\",\"w\":24,\"x\":24,\"y\":12},\"panelIndex\":\"5\",\"panelRefName\":\"panel_5\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"6\",\"w\":24,\"x\":24,\"y\":20},\"panelIndex\":\"6\",\"panelRefName\":\"panel_6\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\
":8,\"i\":\"8\",\"w\":24,\"x\":0,\"y\":20},\"panelIndex\":\"8\",\"panelRefName\":\"panel_8\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"10\",\"w\":24,\"x\":0,\"y\":12},\"panelIndex\":\"10\",\"panelRefName\":\"panel_10\",\"type\":\"visualization\",\"version\":\"7.3.0\"}]", - "timeRestore": false, - "title": "[Logs Netflow] Flow Exporters", - "version": 1 - }, - "coreMigrationVersion": "8.0.0", - "id": "netflow-feebb4e6-b13e-4e4e-b9fc-d3a178276425", - "migrationVersion": { - "dashboard": "8.0.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "netflow-d4e6520a-9ced-47c9-a8f2-7246e8cbd2d3", - "name": "1:panel_1", - "type": "visualization" - }, - { - "id": "netflow-441c6c50-fa1a-489c-96c6-76f7925dea24", - "name": "2:panel_2", - "type": "visualization" - }, - { - "id": "netflow-14c7136d-b4aa-4367-9461-52bf8b5c4796", - "name": "3:panel_3", - "type": "visualization" - }, - { - "id": "netflow-4ac97841-c89f-4d50-b3c6-6253f7e1dd1a", - "name": "4:panel_4", - "type": "visualization" - }, - { - "id": "netflow-85ebf558-402b-45d2-a186-e15f8673ec07", - "name": "5:panel_5", - "type": "visualization" - }, - { - "id": "netflow-f86a7769-8ef6-408d-bbe3-985d0ea0a3f7", - "name": "6:panel_6", - "type": "visualization" - }, - { - "id": "netflow-1cd36f5d-d9c7-4098-acdb-14d312ecfb72", - "name": "8:panel_8", - "type": "visualization" - }, - { - "id": "netflow-d3df8d28-65f8-4ea1-8b33-f479380a0600", - "name": "10:panel_10", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/netflow/2.2.3/kibana/search/netflow-a34c6611-79d8-4b50-ae3f-8b328d28e24a.json b/packages/netflow/2.2.3/kibana/search/netflow-a34c6611-79d8-4b50-ae3f-8b328d28e24a.json deleted file mode 100755 index 4ed0aa06f5..0000000000 
--- a/packages/netflow/2.2.3/kibana/search/netflow-a34c6611-79d8-4b50-ae3f-8b328d28e24a.json +++ /dev/null @@ -1,39 +0,0 @@ -{ - "attributes": { - "columns": [ - "source.ip", - "source.port", - "destination.ip", - "destination.port", - "network.transport", - "network.bytes", - "network.packets" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"netflow.log\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"netflow.log\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "Flow Records [Logs Netflow]", - "version": 1 - }, - "coreMigrationVersion": "8.0.0", - "id": "netflow-a34c6611-79d8-4b50-ae3f-8b328d28e24a", - "migrationVersion": { - "search": "8.0.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/netflow/2.2.3/kibana/visualization/netflow-0177bf1a-cba8-4ba6-a1d7-73caed86ffc2.json b/packages/netflow/2.2.3/kibana/visualization/netflow-0177bf1a-cba8-4ba6-a1d7-73caed86ffc2.json deleted file mode 100755 index 8bfe0f24fd..0000000000 --- a/packages/netflow/2.2.3/kibana/visualization/netflow-0177bf1a-cba8-4ba6-a1d7-73caed86ffc2.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "VLAN Count [Logs Netflow]", - "uiStateJSON": "{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"VLANs\",\"field\":\"netflow.vlan_id\"},\"schema\":\"metric\",\"type\":\"cardinality\"}],\"listeners\":{},\"params\":{\"addLegend\":false,\"addTooltip\":true,\"fontSize\":\"32\",\"gauge\":{\"autoExtend\":false,\"backStyle\":\"Full\",\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":100}],\"gaugeColorMode\":\"None\",\"gaugeStyle\":\"Full\",\"gaugeType\":\"Metric\",\"invertColors\":false,\"labels\":{\"color\":\"black\",\"show\":true},\"orientation\":\"vertical\",\"percentageMode\":false,\"scale\":{\"color\":\"#333\",\"labels\":false,\"show\":false,\"width\":2},\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":\"36\",\"labelColor\":false,\"subText\":\"\"},\"type\":\"simple\",\"useRange\":false,\"verticalSplit\":false},\"handleNoResults\":true,\"type\":\"gauge\"},\"title\":\"VLAN Count [Logs Netflow]\",\"type\":\"metric\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "netflow-0177bf1a-cba8-4ba6-a1d7-73caed86ffc2", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/netflow/2.2.3/kibana/visualization/netflow-036aef95-ec90-468d-ad7c-3cc4405e9e81.json b/packages/netflow/2.2.3/kibana/visualization/netflow-036aef95-ec90-468d-ad7c-3cc4405e9e81.json deleted file mode 100755 index 4edc81efd4..0000000000 
--- a/packages/netflow/2.2.3/kibana/visualization/netflow-036aef95-ec90-468d-ad7c-3cc4405e9e81.json +++ /dev/null @@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Top Autonomous Systems [Logs Netflow]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Bytes\",\"field\":\"network.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Packets\",\"field\":\"network.packets\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Flow Records\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Autonomous System\",\"field\":\"destination.as.organization.name\",\"order\":\"desc\",\"orderBy\":\"2\",\"size\":500},\"schema\":\"bucket\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"perPage\":10,\"showMeticsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":true,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Top Autonomous Systems [Logs Netflow]\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "netflow-036aef95-ec90-468d-ad7c-3cc4405e9e81", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/netflow/2.2.3/kibana/visualization/netflow-0528bc66-6981-400a-a02d-c1d221b38890.json b/packages/netflow/2.2.3/kibana/visualization/netflow-0528bc66-6981-400a-a02d-c1d221b38890.json deleted file mode 100755 index 4283ed8398..0000000000 --- a/packages/netflow/2.2.3/kibana/visualization/netflow-0528bc66-6981-400a-a02d-c1d221b38890.json +++ /dev/null @@ -1,19 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Sources (packets) [Logs Netflow]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"expression\":\".es(index=\\\"logs-*\\\", metric=\\\"sum:network.packets\\\", split=\\\"source.ip:10\\\", kibana=true).scale_interval(1s).fit(mode=scale).if(operator=\\\"lt\\\", if=0, then=0).trim(start=2,end=1).label(regex=\\\"^.* source.ip:(.+) \\u003e .*$\\\", label=\\\"$1\\\").lines(width=1, stack=true, fill=1).yaxis(label=\\\"packets / sec\\\", min=0)\",\"interval\":\"auto\"},\"title\":\"Sources (packets) [Logs Netflow]\",\"type\":\"timelion\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "netflow-0528bc66-6981-400a-a02d-c1d221b38890", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/netflow/2.2.3/kibana/visualization/netflow-0b2818fd-aecc-4bef-b566-9466eb702ae4.json b/packages/netflow/2.2.3/kibana/visualization/netflow-0b2818fd-aecc-4bef-b566-9466eb702ae4.json deleted file mode 100755 index d3cd03e5fd..0000000000 --- a/packages/netflow/2.2.3/kibana/visualization/netflow-0b2818fd-aecc-4bef-b566-9466eb702ae4.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Source Ports (bytes) [Logs Netflow]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Bytes\",\"field\":\"network.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Source Port\",\"field\":\"source.port\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":50},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"}},\"title\":\"Source Ports (bytes) [Logs Netflow]\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "netflow-0b2818fd-aecc-4bef-b566-9466eb702ae4", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/netflow/2.2.3/kibana/visualization/netflow-12aad647-c45d-4667-a029-152c1a97cbbc.json b/packages/netflow/2.2.3/kibana/visualization/netflow-12aad647-c45d-4667-a029-152c1a97cbbc.json deleted file mode 100755 index 50ca670a97..0000000000 --- a/packages/netflow/2.2.3/kibana/visualization/netflow-12aad647-c45d-4667-a029-152c1a97cbbc.json +++ /dev/null 
@@ -1,19 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Destination Autonomous Systems (bytes) [Logs Netflow]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"expression\":\".es(index=\\\"logs-*\\\", metric=\\\"sum:network.bytes\\\", split=\\\"destination.as.organization.name:10\\\", kibana=true).scale_interval(1s).fit(mode=scale).if(operator=\\\"lt\\\", if=0, then=0).trim(start=2,end=1).label(regex=\\\"^.* destination.as.organization.name:(.+) \\u003e .*$\\\", label=\\\"$1\\\").lines(width=1, stack=true, fill=1).yaxis(label=\\\"bytes / sec\\\", min=0)\",\"interval\":\"auto\"},\"title\":\"Destination Autonomous Systems (bytes) [Logs Netflow]\",\"type\":\"timelion\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "netflow-12aad647-c45d-4667-a029-152c1a97cbbc", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/netflow/2.2.3/kibana/visualization/netflow-14c7136d-b4aa-4367-9461-52bf8b5c4796.json b/packages/netflow/2.2.3/kibana/visualization/netflow-14c7136d-b4aa-4367-9461-52bf8b5c4796.json deleted file mode 100755 index 07d1ebeea9..0000000000 --- a/packages/netflow/2.2.3/kibana/visualization/netflow-14c7136d-b4aa-4367-9461-52bf8b5c4796.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Ingress Interfaces (flow records) [Logs Netflow]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Ingress Interface\",\"field\":\"netflow.ingress_interface\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":50},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"}},\"title\":\"Ingress Interfaces (flow records) [Logs Netflow]\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "netflow-14c7136d-b4aa-4367-9461-52bf8b5c4796", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/netflow/2.2.3/kibana/visualization/netflow-15295ea6-ba84-47db-8ced-9312abbf495c.json b/packages/netflow/2.2.3/kibana/visualization/netflow-15295ea6-ba84-47db-8ced-9312abbf495c.json deleted file mode 100755 index 3f2413b575..0000000000 --- a/packages/netflow/2.2.3/kibana/visualization/netflow-15295ea6-ba84-47db-8ced-9312abbf495c.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Top Sources [Logs Netflow]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Bytes\",\"field\":\"network.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Packets\",\"field\":\"network.packets\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Flow Records\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Source\",\"field\":\"source.ip\",\"order\":\"desc\",\"orderBy\":\"2\",\"size\":500},\"schema\":\"bucket\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"perPage\":10,\"showMeticsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":true,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Top Sources [Logs Netflow]\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "netflow-15295ea6-ba84-47db-8ced-9312abbf495c", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/netflow/2.2.3/kibana/visualization/netflow-1558508d-591c-49be-bef4-85fdac18a960.json b/packages/netflow/2.2.3/kibana/visualization/netflow-1558508d-591c-49be-bef4-85fdac18a960.json deleted file mode 100755 index f8800be221..0000000000 
--- a/packages/netflow/2.2.3/kibana/visualization/netflow-1558508d-591c-49be-bef4-85fdac18a960.json +++ /dev/null @@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Sources and Ports (bytes) [Logs Netflow]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Bytes\",\"field\":\"network.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Source\",\"field\":\"source.ip\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Port\",\"field\":\"source.port\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"}},\"title\":\"Sources and Ports (bytes) [Logs Netflow]\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "netflow-1558508d-591c-49be-bef4-85fdac18a960", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/netflow/2.2.3/kibana/visualization/netflow-15e2a267-2495-4df2-a121-abe410d2f18c.json b/packages/netflow/2.2.3/kibana/visualization/netflow-15e2a267-2495-4df2-a121-abe410d2f18c.json deleted file mode 100755 index 185796e6a0..0000000000 --- a/packages/netflow/2.2.3/kibana/visualization/netflow-15e2a267-2495-4df2-a121-abe410d2f18c.json +++ /dev/null 
@@ -1,19 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "VLANs (packets) [Logs Netflow]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"expression\":\".es(index=\\\"logs-*\\\", metric=\\\"sum:network.packets\\\", split=\\\"netflow.vlan_id:10\\\", kibana=true).scale_interval(1s).fit(mode=scale).if(operator=\\\"lt\\\", if=0, then=0).trim(start=2,end=1).label(regex=\\\"^.* netflow.vlan_id:(.+) \\u003e .*$\\\", label=\\\"$1\\\").lines(width=1, stack=true, fill=1).yaxis(label=\\\"packets / sec\\\", min=0)\",\"interval\":\"auto\"},\"title\":\"VLANs (packets) [Logs Netflow]\",\"type\":\"timelion\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "netflow-15e2a267-2495-4df2-a121-abe410d2f18c", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/netflow/2.2.3/kibana/visualization/netflow-16262df9-a979-4136-935e-d883c7d373d7.json b/packages/netflow/2.2.3/kibana/visualization/netflow-16262df9-a979-4136-935e-d883c7d373d7.json deleted file mode 100755 index 2be98aa7d5..0000000000 --- a/packages/netflow/2.2.3/kibana/visualization/netflow-16262df9-a979-4136-935e-d883c7d373d7.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "City Count [Logs Netflow]", - "uiStateJSON": "{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Cities\",\"field\":\"destination.geo.city_name\"},\"schema\":\"metric\",\"type\":\"cardinality\"}],\"listeners\":{},\"params\":{\"addLegend\":false,\"addTooltip\":true,\"fontSize\":\"32\",\"gauge\":{\"autoExtend\":false,\"backStyle\":\"Full\",\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":100}],\"gaugeColorMode\":\"None\",\"gaugeStyle\":\"Full\",\"gaugeType\":\"Metric\",\"invertColors\":false,\"labels\":{\"color\":\"black\",\"show\":true},\"orientation\":\"vertical\",\"percentageMode\":false,\"scale\":{\"color\":\"#333\",\"labels\":false,\"show\":false,\"width\":2},\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":\"36\",\"labelColor\":false,\"subText\":\"\"},\"type\":\"simple\",\"useRange\":false,\"verticalSplit\":false},\"handleNoResults\":true,\"type\":\"gauge\"},\"title\":\"City Count [Logs Netflow]\",\"type\":\"metric\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "netflow-16262df9-a979-4136-935e-d883c7d373d7", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/netflow/2.2.3/kibana/visualization/netflow-1cd36f5d-d9c7-4098-acdb-14d312ecfb72.json b/packages/netflow/2.2.3/kibana/visualization/netflow-1cd36f5d-d9c7-4098-acdb-14d312ecfb72.json deleted file mode 100755 index 5d2741d0ea..0000000000 
--- a/packages/netflow/2.2.3/kibana/visualization/netflow-1cd36f5d-d9c7-4098-acdb-14d312ecfb72.json +++ /dev/null @@ -1,19 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Ingress Interfaces (packets) [Logs Netflow]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"expression\":\".es(index=\\\"logs-*\\\", metric=\\\"sum:network.packets\\\", split=\\\"netflow.ingress_interface:10\\\", kibana=true).scale_interval(1s).fit(mode=scale).if(operator=\\\"lt\\\", if=0, then=0).trim(start=2,end=1).label(regex=\\\"^.* netflow.ingress_interface:(.+) \\u003e .*$\\\", label=\\\"$1\\\").lines(width=1, stack=true, fill=1).yaxis(label=\\\"packets / sec\\\", min=0)\",\"interval\":\"auto\"},\"title\":\"Ingress Interfaces (packets) [Logs Netflow]\",\"type\":\"timelion\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "netflow-1cd36f5d-d9c7-4098-acdb-14d312ecfb72", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/netflow/2.2.3/kibana/visualization/netflow-1cf30eac-aae8-47fa-a156-37f6346d2d5a.json b/packages/netflow/2.2.3/kibana/visualization/netflow-1cf30eac-aae8-47fa-a156-37f6346d2d5a.json deleted file mode 100755 index 8089613edd..0000000000 --- a/packages/netflow/2.2.3/kibana/visualization/netflow-1cf30eac-aae8-47fa-a156-37f6346d2d5a.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Types of Service (bytes) [Logs Netflow]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Bytes\",\"field\":\"network.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Type of Service\",\"field\":\"netflow.ip_class_of_service\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":50},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"}},\"title\":\"Types of Service (bytes) [Logs Netflow]\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "netflow-1cf30eac-aae8-47fa-a156-37f6346d2d5a", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/netflow/2.2.3/kibana/visualization/netflow-1e74d5cb-556d-42ee-8042-88f6c1af47f0.json b/packages/netflow/2.2.3/kibana/visualization/netflow-1e74d5cb-556d-42ee-8042-88f6c1af47f0.json deleted file mode 100755 index 36dd644fb6..0000000000 --- a/packages/netflow/2.2.3/kibana/visualization/netflow-1e74d5cb-556d-42ee-8042-88f6c1af47f0.json +++ /dev/null 
@@ -1,19 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Cities (bytes) [Logs Netflow]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"expression\":\".es(index=\\\"logs-*\\\", metric=\\\"sum:network.bytes\\\", split=\\\"destination.geo.city_name:10\\\", kibana=true).scale_interval(1s).fit(mode=scale).if(operator=\\\"lt\\\", if=0, then=0).trim(start=2,end=1).label(regex=\\\"^.* destination.geo.city_name:(.+) \\u003e .*$\\\", label=\\\"$1\\\").lines(width=1, stack=true, fill=1).yaxis(label=\\\"bytes / sec\\\", min=0)\",\"interval\":\"auto\"},\"title\":\"Cities (bytes) [Logs Netflow]\",\"type\":\"timelion\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "netflow-1e74d5cb-556d-42ee-8042-88f6c1af47f0", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/netflow/2.2.3/kibana/visualization/netflow-201d7dd1-a880-4a64-b631-db5629340db9.json b/packages/netflow/2.2.3/kibana/visualization/netflow-201d7dd1-a880-4a64-b631-db5629340db9.json deleted file mode 100755 index 6e319d2ee8..0000000000 --- a/packages/netflow/2.2.3/kibana/visualization/netflow-201d7dd1-a880-4a64-b631-db5629340db9.json +++ /dev/null 
@@ -1,19 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Source Ports (packets) [Logs Netflow]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"expression\":\".es(index=\\\"logs-*\\\", metric=\\\"sum:network.packets\\\", split=\\\"source.port:10\\\", kibana=true).scale_interval(1s).fit(mode=scale).if(operator=\\\"lt\\\", if=0, then=0).trim(start=2,end=1).label(regex=\\\"^.* source.port:(.+) \\u003e .*$\\\", label=\\\"$1\\\").lines(width=1, stack=true, fill=1).yaxis(label=\\\"packets / sec\\\", min=0)\",\"interval\":\"auto\"},\"title\":\"Source Ports (packets) [Logs Netflow]\",\"type\":\"timelion\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "netflow-201d7dd1-a880-4a64-b631-db5629340db9", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/netflow/2.2.3/kibana/visualization/netflow-2316bb53-d98a-4f0f-8cd8-51e9fb317823.json b/packages/netflow/2.2.3/kibana/visualization/netflow-2316bb53-d98a-4f0f-8cd8-51e9fb317823.json deleted file mode 100755 index 38d938c712..0000000000 --- a/packages/netflow/2.2.3/kibana/visualization/netflow-2316bb53-d98a-4f0f-8cd8-51e9fb317823.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Countries and Cities (flow records) [Logs Netflow]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Flow Records\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Country\",\"field\":\"destination.geo.country_name\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"City\",\"field\":\"destination.geo.city_name\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"}},\"title\":\"Countries and Cities (flow records) [Logs Netflow]\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "netflow-2316bb53-d98a-4f0f-8cd8-51e9fb317823", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/netflow/2.2.3/kibana/visualization/netflow-248e00b4-8fc2-406f-8907-729d5380aaa7.json b/packages/netflow/2.2.3/kibana/visualization/netflow-248e00b4-8fc2-406f-8907-729d5380aaa7.json deleted file mode 100755 index 0b978a1c6b..0000000000 --- a/packages/netflow/2.2.3/kibana/visualization/netflow-248e00b4-8fc2-406f-8907-729d5380aaa7.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Destinations (bytes) [Logs Netflow]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Bytes\",\"field\":\"network.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Destination\",\"field\":\"destination.ip\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":50},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"}},\"title\":\"Destinations (bytes) [Logs Netflow]\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "netflow-248e00b4-8fc2-406f-8907-729d5380aaa7", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/netflow/2.2.3/kibana/visualization/netflow-2b3d4e86-2254-4033-8fe3-ce4753fafd03.json b/packages/netflow/2.2.3/kibana/visualization/netflow-2b3d4e86-2254-4033-8fe3-ce4753fafd03.json deleted file mode 100755 index 18a1464367..0000000000 --- a/packages/netflow/2.2.3/kibana/visualization/netflow-2b3d4e86-2254-4033-8fe3-ce4753fafd03.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Top Protocols [Logs Netflow]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Bytes\",\"field\":\"network.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Packets\",\"field\":\"network.packets\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Flow Records\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Protocol\",\"field\":\"network.transport\",\"order\":\"desc\",\"orderBy\":\"2\",\"size\":500},\"schema\":\"bucket\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"perPage\":10,\"showMeticsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":true,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Top Protocols [Logs Netflow]\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "netflow-2b3d4e86-2254-4033-8fe3-ce4753fafd03", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/netflow/2.2.3/kibana/visualization/netflow-2dca3025-692c-4876-8bcc-e0b248dc9819.json b/packages/netflow/2.2.3/kibana/visualization/netflow-2dca3025-692c-4876-8bcc-e0b248dc9819.json deleted file mode 100755 index f735f227fc..0000000000 
--- a/packages/netflow/2.2.3/kibana/visualization/netflow-2dca3025-692c-4876-8bcc-e0b248dc9819.json +++ /dev/null @@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "TCP Flags Count [Logs Netflow]", - "uiStateJSON": "{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"TCP Flag States\",\"field\":\"netflow.tcp_control_bits\"},\"schema\":\"metric\",\"type\":\"cardinality\"}],\"listeners\":{},\"params\":{\"addLegend\":false,\"addTooltip\":true,\"fontSize\":\"32\",\"gauge\":{\"autoExtend\":false,\"backStyle\":\"Full\",\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":100}],\"gaugeColorMode\":\"None\",\"gaugeStyle\":\"Full\",\"gaugeType\":\"Metric\",\"invertColors\":false,\"labels\":{\"color\":\"black\",\"show\":true},\"orientation\":\"vertical\",\"percentageMode\":false,\"scale\":{\"color\":\"#333\",\"labels\":false,\"show\":false,\"width\":2},\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":\"36\",\"labelColor\":false,\"subText\":\"\"},\"type\":\"simple\",\"useRange\":false,\"verticalSplit\":false},\"handleNoResults\":true,\"type\":\"gauge\"},\"title\":\"TCP Flags Count [Logs Netflow]\",\"type\":\"metric\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "netflow-2dca3025-692c-4876-8bcc-e0b248dc9819", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/netflow/2.2.3/kibana/visualization/netflow-30cd1009-2925-4c9b-820d-d689f5d1efda.json b/packages/netflow/2.2.3/kibana/visualization/netflow-30cd1009-2925-4c9b-820d-d689f5d1efda.json deleted file mode 100755 index bbff9003ca..0000000000 --- a/packages/netflow/2.2.3/kibana/visualization/netflow-30cd1009-2925-4c9b-820d-d689f5d1efda.json +++ /dev/null @@ -1,19 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Autonomous Systems (packets) [Logs Netflow]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"expression\":\".es(index=\\\"logs-*\\\", metric=\\\"sum:network.packets\\\", split=\\\"destination.as.organization.name:10\\\", kibana=true).scale_interval(1s).fit(mode=scale).if(operator=\\\"lt\\\", if=0, then=0).trim(start=2,end=1).label(regex=\\\"^.* destination.as.organization.name:(.+) \\u003e .*$\\\", label=\\\"$1\\\").lines(width=1, stack=true, fill=1).yaxis(label=\\\"packets / sec\\\", min=0)\",\"interval\":\"auto\"},\"title\":\"Autonomous Systems (packets) [Logs Netflow]\",\"type\":\"timelion\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "netflow-30cd1009-2925-4c9b-820d-d689f5d1efda", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/netflow/2.2.3/kibana/visualization/netflow-31708a70-4957-4a8a-8065-5c88a344ad02.json b/packages/netflow/2.2.3/kibana/visualization/netflow-31708a70-4957-4a8a-8065-5c88a344ad02.json deleted file mode 100755 index 4ab3ca80e4..0000000000 --- a/packages/netflow/2.2.3/kibana/visualization/netflow-31708a70-4957-4a8a-8065-5c88a344ad02.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Flow Exporters (bytes) [Logs Netflow]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Bytes\",\"field\":\"network.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Flow Exporter\",\"field\":\"agent.name\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":50},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"}},\"title\":\"Flow Exporters (bytes) [Logs Netflow]\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "netflow-31708a70-4957-4a8a-8065-5c88a344ad02", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/netflow/2.2.3/kibana/visualization/netflow-31b5f6fd-eb9d-4e97-90fd-367062ef217f.json b/packages/netflow/2.2.3/kibana/visualization/netflow-31b5f6fd-eb9d-4e97-90fd-367062ef217f.json deleted file mode 100755 index 08d9c2dafa..0000000000 --- a/packages/netflow/2.2.3/kibana/visualization/netflow-31b5f6fd-eb9d-4e97-90fd-367062ef217f.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Top Destination Ports [Logs Netflow]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Bytes\",\"field\":\"network.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Packets\",\"field\":\"network.packets\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Flow Records\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Destination\",\"field\":\"destination.port\",\"order\":\"desc\",\"orderBy\":\"2\",\"size\":500},\"schema\":\"bucket\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"perPage\":10,\"showMeticsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":true,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Top Destination Ports [Logs Netflow]\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "netflow-31b5f6fd-eb9d-4e97-90fd-367062ef217f", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/netflow/2.2.3/kibana/visualization/netflow-32e712ed-fa15-4db7-8575-8476e8d65b03.json b/packages/netflow/2.2.3/kibana/visualization/netflow-32e712ed-fa15-4db7-8575-8476e8d65b03.json deleted file mode 100755 index b34bb34cac..0000000000 
--- a/packages/netflow/2.2.3/kibana/visualization/netflow-32e712ed-fa15-4db7-8575-8476e8d65b03.json +++ /dev/null @@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Source Count [Logs Netflow]", - "uiStateJSON": "{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Sources\",\"field\":\"source.ip\"},\"schema\":\"metric\",\"type\":\"cardinality\"}],\"listeners\":{},\"params\":{\"addLegend\":false,\"addTooltip\":true,\"fontSize\":\"32\",\"gauge\":{\"autoExtend\":false,\"backStyle\":\"Full\",\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":100}],\"gaugeColorMode\":\"None\",\"gaugeStyle\":\"Full\",\"gaugeType\":\"Metric\",\"invertColors\":false,\"labels\":{\"color\":\"black\",\"show\":true},\"orientation\":\"vertical\",\"percentageMode\":false,\"scale\":{\"color\":\"#333\",\"labels\":false,\"show\":false,\"width\":2},\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":\"36\",\"labelColor\":false,\"subText\":\"\"},\"type\":\"simple\",\"useRange\":false,\"verticalSplit\":false},\"handleNoResults\":true,\"type\":\"gauge\"},\"title\":\"Source Count [Logs Netflow]\",\"type\":\"metric\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "netflow-32e712ed-fa15-4db7-8575-8476e8d65b03", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/netflow/2.2.3/kibana/visualization/netflow-3a4209e2-281c-467e-b5cb-315bf4a2661f.json b/packages/netflow/2.2.3/kibana/visualization/netflow-3a4209e2-281c-467e-b5cb-315bf4a2661f.json deleted file mode 100755 index ca56e99437..0000000000 --- a/packages/netflow/2.2.3/kibana/visualization/netflow-3a4209e2-281c-467e-b5cb-315bf4a2661f.json +++ /dev/null @@ -1,19 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Destination Ports (packets) [Logs Netflow]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"expression\":\".es(index=\\\"logs-*\\\", metric=\\\"sum:network.packets\\\", split=\\\"destination.port:10\\\", kibana=true).scale_interval(1s).fit(mode=scale).if(operator=\\\"lt\\\", if=0, then=0).trim(start=2,end=1).label(regex=\\\"^.* destination.port:(.+) \\u003e .*$\\\", label=\\\"$1\\\").lines(width=1, stack=true, fill=1).yaxis(label=\\\"packets / sec\\\", min=0)\",\"interval\":\"auto\"},\"title\":\"Destination Ports (packets) [Logs Netflow]\",\"type\":\"timelion\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "netflow-3a4209e2-281c-467e-b5cb-315bf4a2661f", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/netflow/2.2.3/kibana/visualization/netflow-3dec20c0-0d4f-43ef-8864-3779e1a1b33f.json b/packages/netflow/2.2.3/kibana/visualization/netflow-3dec20c0-0d4f-43ef-8864-3779e1a1b33f.json deleted file mode 100755 index 59778d4915..0000000000 --- a/packages/netflow/2.2.3/kibana/visualization/netflow-3dec20c0-0d4f-43ef-8864-3779e1a1b33f.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Version (bytes) [Logs Netflow]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Bytes\",\"field\":\"network.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Version\",\"field\":\"netflow.exporter.version\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"}},\"title\":\"Version (bytes) [Logs Netflow]\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "netflow-3dec20c0-0d4f-43ef-8864-3779e1a1b33f", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/netflow/2.2.3/kibana/visualization/netflow-3e27fb83-b3e3-4c15-b999-ed6da49b7a86.json b/packages/netflow/2.2.3/kibana/visualization/netflow-3e27fb83-b3e3-4c15-b999-ed6da49b7a86.json deleted file mode 100755 index b12c7d2621..0000000000 --- a/packages/netflow/2.2.3/kibana/visualization/netflow-3e27fb83-b3e3-4c15-b999-ed6da49b7a86.json +++ /dev/null 
@@ -1,19 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Destination Ports (bytes) [Logs Netflow]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"expression\":\".es(index=\\\"logs-*\\\", metric=\\\"sum:network.bytes\\\", split=\\\"destination.port:10\\\", kibana=true).scale_interval(1s).fit(mode=scale).if(operator=\\\"lt\\\", if=0, then=0).trim(start=2,end=1).label(regex=\\\"^.* destination.port:(.+) \\u003e .*$\\\", label=\\\"$1\\\").lines(width=1, stack=true, fill=1).yaxis(label=\\\"bytes / sec\\\", min=0)\",\"interval\":\"auto\"},\"title\":\"Destination Ports (bytes) [Logs Netflow]\",\"type\":\"timelion\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "netflow-3e27fb83-b3e3-4c15-b999-ed6da49b7a86", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/netflow/2.2.3/kibana/visualization/netflow-441c6c50-fa1a-489c-96c6-76f7925dea24.json b/packages/netflow/2.2.3/kibana/visualization/netflow-441c6c50-fa1a-489c-96c6-76f7925dea24.json deleted file mode 100755 index 2a58338da7..0000000000 --- a/packages/netflow/2.2.3/kibana/visualization/netflow-441c6c50-fa1a-489c-96c6-76f7925dea24.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Flow Exporters (flow records) [Logs Netflow]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Flow Exporter\",\"field\":\"agent.name\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":50},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"}},\"title\":\"Flow Exporters (flow records) [Logs Netflow]\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "netflow-441c6c50-fa1a-489c-96c6-76f7925dea24", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/netflow/2.2.3/kibana/visualization/netflow-4ac97841-c89f-4d50-b3c6-6253f7e1dd1a.json b/packages/netflow/2.2.3/kibana/visualization/netflow-4ac97841-c89f-4d50-b3c6-6253f7e1dd1a.json deleted file mode 100755 index de5cb96164..0000000000 --- a/packages/netflow/2.2.3/kibana/visualization/netflow-4ac97841-c89f-4d50-b3c6-6253f7e1dd1a.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Egress Interfaces (flow records) [Logs Netflow]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Flow Records\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Egress Interface\",\"field\":\"netflow.egress_interface\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":50},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"}},\"title\":\"Egress Interfaces (flow records) [Logs Netflow]\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "netflow-4ac97841-c89f-4d50-b3c6-6253f7e1dd1a", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/netflow/2.2.3/kibana/visualization/netflow-4bb0255e-18ed-45e4-bfb9-de8e35b12094.json b/packages/netflow/2.2.3/kibana/visualization/netflow-4bb0255e-18ed-45e4-bfb9-de8e35b12094.json deleted file mode 100755 index 42c5ea60ea..0000000000 --- a/packages/netflow/2.2.3/kibana/visualization/netflow-4bb0255e-18ed-45e4-bfb9-de8e35b12094.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Flow Records [Logs Netflow]", - "uiStateJSON": "{\"vis\":{\"legendOpen\":true}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Flow Records\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Timeline\",\"extended_bounds\":{},\"field\":\"event.end\",\"interval\":\"s\",\"min_doc_count\":1},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Version\",\"field\":\"netflow.exporter.version\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":false,\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"legendPosition\":\"right\",\"mode\":\"stacked\",\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Flow Records\"},\"drawLinesBetweenPoints\":true,\"mode\":\"stacked\",\"show\":\"true\",\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"times\":[],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"Flow Records [Logs Netflow]\",\"type\":\"histogram\"}" - }, - 
"coreMigrationVersion": "8.0.0", - "id": "netflow-4bb0255e-18ed-45e4-bfb9-de8e35b12094", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/netflow/2.2.3/kibana/visualization/netflow-5292a65b-c532-422a-9008-1251a8073a3a.json b/packages/netflow/2.2.3/kibana/visualization/netflow-5292a65b-c532-422a-9008-1251a8073a3a.json deleted file mode 100755 index def8920024..0000000000 --- a/packages/netflow/2.2.3/kibana/visualization/netflow-5292a65b-c532-422a-9008-1251a8073a3a.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Top Cities [Logs Netflow]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":2,\"direction\":\"desc\"}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Bytes\",\"field\":\"network.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Packets\",\"field\":\"network.packets\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Flow Records\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Country\",\"field\":\"destination.geo.country_name\",\"order\":\"desc\",\"orderBy\":\"2\",\"size\":500},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"5\",\"params\":{\"customLabel\":\"City\",\"field\":\"destination.geo.city_name\",\"order\":\"desc\",\"orderBy\":\"2\",\"size\":500},\"schema\":\"bucket\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"perPage\":10,\"showMeticsAtAllLevels\":false,\"showPartialRows\":true,\"showToolbar\":true,\"showTotal\":true,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Top Cities [Logs Netflow]\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "netflow-5292a65b-c532-422a-9008-1251a8073a3a", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/netflow/2.2.3/kibana/visualization/netflow-5303e99b-389c-47b7-ae7a-945c5a92ba49.json b/packages/netflow/2.2.3/kibana/visualization/netflow-5303e99b-389c-47b7-ae7a-945c5a92ba49.json deleted file mode 100755 index 9de72f30b5..0000000000 --- a/packages/netflow/2.2.3/kibana/visualization/netflow-5303e99b-389c-47b7-ae7a-945c5a92ba49.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Top Destinations [Logs Netflow]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Bytes\",\"field\":\"network.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Packets\",\"field\":\"network.packets\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Flow Records\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Destination\",\"field\":\"destination.ip\",\"order\":\"desc\",\"orderBy\":\"2\",\"size\":500},\"schema\":\"bucket\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"perPage\":10,\"showMeticsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":true,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Top Destinations [Logs Netflow]\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "netflow-5303e99b-389c-47b7-ae7a-945c5a92ba49", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/netflow/2.2.3/kibana/visualization/netflow-57e13a20-e94f-4465-a942-42148634a1d2.json b/packages/netflow/2.2.3/kibana/visualization/netflow-57e13a20-e94f-4465-a942-42148634a1d2.json deleted file mode 100755 index 7e811e1ea3..0000000000 
--- a/packages/netflow/2.2.3/kibana/visualization/netflow-57e13a20-e94f-4465-a942-42148634a1d2.json +++ /dev/null @@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "TCP Flags (bytes) [Logs Netflow]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Bytes\",\"field\":\"network.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"TCP Flags\",\"field\":\"netflow.tcp_control_bits\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":255},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"}},\"title\":\"TCP Flags (bytes) [Logs Netflow]\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "netflow-57e13a20-e94f-4465-a942-42148634a1d2", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/netflow/2.2.3/kibana/visualization/netflow-5ccac452-e90a-4dde-ae9b-1be36ce3f761.json b/packages/netflow/2.2.3/kibana/visualization/netflow-5ccac452-e90a-4dde-ae9b-1be36ce3f761.json deleted file mode 100755 index 1cb0ac07fd..0000000000 --- a/packages/netflow/2.2.3/kibana/visualization/netflow-5ccac452-e90a-4dde-ae9b-1be36ce3f761.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Countries and Cities (bytes) [Logs Netflow]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Bytes\",\"field\":\"network.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Country\",\"field\":\"destination.geo.country_name\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"City\",\"field\":\"destination.geo.city_name\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"}},\"title\":\"Countries and Cities (bytes) [Logs Netflow]\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "netflow-5ccac452-e90a-4dde-ae9b-1be36ce3f761", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/netflow/2.2.3/kibana/visualization/netflow-5cfb2c9a-4815-4a25-9d7e-ab0ef55ffe63.json b/packages/netflow/2.2.3/kibana/visualization/netflow-5cfb2c9a-4815-4a25-9d7e-ab0ef55ffe63.json deleted file mode 100755 index 552f9ceaf6..0000000000 --- a/packages/netflow/2.2.3/kibana/visualization/netflow-5cfb2c9a-4815-4a25-9d7e-ab0ef55ffe63.json +++ /dev/null 
@@ -1,19 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Countries (bytes) [Logs Netflow]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"expression\":\".es(index=\\\"logs-*\\\", metric=\\\"sum:network.bytes\\\", split=\\\"destination.geo.country_name:10\\\", kibana=true).scale_interval(1s).fit(mode=scale).if(operator=\\\"lt\\\", if=0, then=0).trim(start=2,end=1).label(regex=\\\"^.* destination.geo.country_name:(.+) \\u003e .*$\\\", label=\\\"$1\\\").lines(width=1, stack=true, fill=1).yaxis(label=\\\"bytes / sec\\\", min=0)\",\"interval\":\"auto\"},\"title\":\"Countries (bytes) [Logs Netflow]\",\"type\":\"timelion\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "netflow-5cfb2c9a-4815-4a25-9d7e-ab0ef55ffe63", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/netflow/2.2.3/kibana/visualization/netflow-5d868836-c7b2-4812-bf47-4838aac281d9.json b/packages/netflow/2.2.3/kibana/visualization/netflow-5d868836-c7b2-4812-bf47-4838aac281d9.json deleted file mode 100755 index 1a237de283..0000000000 --- a/packages/netflow/2.2.3/kibana/visualization/netflow-5d868836-c7b2-4812-bf47-4838aac281d9.json +++ /dev/null 
@@ -1,19 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "TCP Flags (bytes) [Logs Netflow]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"expression\":\".es(index=\\\"logs-*\\\", metric=\\\"sum:network.bytes\\\", split=\\\"netflow.tcp_control_bits:10\\\", kibana=true).scale_interval(1s).fit(mode=scale).if(operator=\\\"lt\\\", if=0, then=0).trim(start=2,end=1).label(regex=\\\"^.* netflow.tcp_control_bits:(.+) \\u003e .*$\\\", label=\\\"$1\\\").lines(width=1, stack=true, fill=1).yaxis(label=\\\"bytes / sec\\\", min=0)\",\"interval\":\"auto\"},\"title\":\"TCP Flags (bytes) [Logs Netflow]\",\"type\":\"timelion\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "netflow-5d868836-c7b2-4812-bf47-4838aac281d9", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/netflow/2.2.3/kibana/visualization/netflow-63ef5338-fdf2-488e-b78a-f0e98daccc95.json b/packages/netflow/2.2.3/kibana/visualization/netflow-63ef5338-fdf2-488e-b78a-f0e98daccc95.json deleted file mode 100755 index 6c3e1b32bd..0000000000 --- a/packages/netflow/2.2.3/kibana/visualization/netflow-63ef5338-fdf2-488e-b78a-f0e98daccc95.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Country Count [Logs Netflow]", - "uiStateJSON": "{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Countries\",\"field\":\"destination.geo.country_name\"},\"schema\":\"metric\",\"type\":\"cardinality\"}],\"listeners\":{},\"params\":{\"addLegend\":false,\"addTooltip\":true,\"fontSize\":\"32\",\"gauge\":{\"autoExtend\":false,\"backStyle\":\"Full\",\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":100}],\"gaugeColorMode\":\"None\",\"gaugeStyle\":\"Full\",\"gaugeType\":\"Metric\",\"invertColors\":false,\"labels\":{\"color\":\"black\",\"show\":true},\"orientation\":\"vertical\",\"percentageMode\":false,\"scale\":{\"color\":\"#333\",\"labels\":false,\"show\":false,\"width\":2},\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":\"36\",\"labelColor\":false,\"subText\":\"\"},\"type\":\"simple\",\"useRange\":false,\"verticalSplit\":false},\"handleNoResults\":true,\"type\":\"gauge\"},\"title\":\"Country Count [Logs Netflow]\",\"type\":\"metric\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "netflow-63ef5338-fdf2-488e-b78a-f0e98daccc95", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/netflow/2.2.3/kibana/visualization/netflow-67fdca65-a9df-47f0-a8a4-1e8b056325de.json b/packages/netflow/2.2.3/kibana/visualization/netflow-67fdca65-a9df-47f0-a8a4-1e8b056325de.json deleted file mode 100755 index c4b788481c..0000000000 
--- a/packages/netflow/2.2.3/kibana/visualization/netflow-67fdca65-a9df-47f0-a8a4-1e8b056325de.json +++ /dev/null @@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Destinations and Ports (bytes) [Logs Netflow]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Bytes\",\"field\":\"network.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Destination\",\"field\":\"destination.ip\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Port\",\"field\":\"destination.port\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"}},\"title\":\"Destinations and Ports (bytes) [Logs Netflow]\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "netflow-67fdca65-a9df-47f0-a8a4-1e8b056325de", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/netflow/2.2.3/kibana/visualization/netflow-681f0ce4-d828-4a99-b643-0c0715530050.json b/packages/netflow/2.2.3/kibana/visualization/netflow-681f0ce4-d828-4a99-b643-0c0715530050.json deleted file mode 100755 index e185a6934d..0000000000 
--- a/packages/netflow/2.2.3/kibana/visualization/netflow-681f0ce4-d828-4a99-b643-0c0715530050.json +++ /dev/null @@ -1,19 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Destinations (bytes) [Logs Netflow]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"expression\":\".es(index=\\\"logs-*\\\", metric=\\\"sum:network.bytes\\\", split=\\\"destination.ip:10\\\", kibana=true).scale_interval(1s).fit(mode=scale).if(operator=\\\"lt\\\", if=0, then=0).trim(start=2,end=1).label(regex=\\\"^.* destination.ip:(.+) \\u003e .*$\\\", label=\\\"$1\\\").lines(width=1, stack=true, fill=1).yaxis(label=\\\"bytes / sec\\\", min=0)\",\"interval\":\"auto\"},\"title\":\"Destinations (bytes) [Logs Netflow]\",\"type\":\"timelion\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "netflow-681f0ce4-d828-4a99-b643-0c0715530050", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/netflow/2.2.3/kibana/visualization/netflow-6bbd6712-494a-4fd9-b3d3-757304681f0f.json b/packages/netflow/2.2.3/kibana/visualization/netflow-6bbd6712-494a-4fd9-b3d3-757304681f0f.json deleted file mode 100755 index f420f9b844..0000000000 --- a/packages/netflow/2.2.3/kibana/visualization/netflow-6bbd6712-494a-4fd9-b3d3-757304681f0f.json +++ /dev/null 
@@ -1,19 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Sources (bytes) [Logs Netflow]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"expression\":\".es(index=\\\"logs-*\\\", metric=\\\"sum:network.bytes\\\", split=\\\"source.ip:10\\\", kibana=true).scale_interval(1s).fit(mode=scale).if(operator=\\\"lt\\\", if=0, then=0).trim(start=2,end=1).label(regex=\\\"^.* source.ip:(.+) \\u003e .*$\\\", label=\\\"$1\\\").lines(width=1, stack=true, fill=1).yaxis(label=\\\"bytes / sec\\\", min=0)\",\"interval\":\"auto\"},\"title\":\"Sources (bytes) [Logs Netflow]\",\"type\":\"timelion\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "netflow-6bbd6712-494a-4fd9-b3d3-757304681f0f", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/netflow/2.2.3/kibana/visualization/netflow-717cd7c7-bfca-435d-8ee7-38259927aade.json b/packages/netflow/2.2.3/kibana/visualization/netflow-717cd7c7-bfca-435d-8ee7-38259927aade.json deleted file mode 100755 index da2f83b090..0000000000 --- a/packages/netflow/2.2.3/kibana/visualization/netflow-717cd7c7-bfca-435d-8ee7-38259927aade.json +++ /dev/null 
@@ -1,19 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Types of Service (bytes) [Logs Netflow]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"expression\":\".es(index=\\\"logs-*\\\", metric=\\\"sum:network.bytes\\\", split=\\\"netflow.ip_class_of_service:10\\\", kibana=true).scale_interval(1s).fit(mode=scale).if(operator=\\\"lt\\\", if=0, then=0).trim(start=2,end=1).label(regex=\\\"^.* netflow.ip_class_of_service:(.+) \\u003e .*$\\\", label=\\\"$1\\\").lines(width=1, stack=true, fill=1).yaxis(label=\\\"bytes / sec\\\", min=0)\",\"interval\":\"auto\"},\"title\":\"Types of Service (bytes) [Logs Netflow]\",\"type\":\"timelion\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "netflow-717cd7c7-bfca-435d-8ee7-38259927aade", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/netflow/2.2.3/kibana/visualization/netflow-751ecb6f-11c3-458d-b039-f6d57a6379fa.json b/packages/netflow/2.2.3/kibana/visualization/netflow-751ecb6f-11c3-458d-b039-f6d57a6379fa.json deleted file mode 100755 index c9b9434535..0000000000 --- a/packages/netflow/2.2.3/kibana/visualization/netflow-751ecb6f-11c3-458d-b039-f6d57a6379fa.json +++ /dev/null 
@@ -1,19 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Source Autonomous Systems (bytes) [Logs Netflow]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"expression\":\".es(index=\\\"logs-*\\\", metric=\\\"sum:network.bytes\\\", split=\\\"source.as.organization.name:10\\\", kibana=true).scale_interval(1s).fit(mode=scale).if(operator=\\\"lt\\\", if=0, then=0).trim(start=2,end=1).label(regex=\\\"^.* source.as.organization.name:(.+) \\u003e .*$\\\", label=\\\"$1\\\").lines(width=1, stack=true, fill=1).yaxis(label=\\\"bytes / sec\\\", min=0)\",\"interval\":\"auto\"},\"title\":\"Source Autonomous Systems (bytes) [Logs Netflow]\",\"type\":\"timelion\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "netflow-751ecb6f-11c3-458d-b039-f6d57a6379fa", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/netflow/2.2.3/kibana/visualization/netflow-7d447b22-89dc-4f32-b549-4b8620af4d76.json b/packages/netflow/2.2.3/kibana/visualization/netflow-7d447b22-89dc-4f32-b549-4b8620af4d76.json deleted file mode 100755 index 5170f89858..0000000000 --- a/packages/netflow/2.2.3/kibana/visualization/netflow-7d447b22-89dc-4f32-b549-4b8620af4d76.json +++ /dev/null 
@@ -1,19 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Cities (packets) [Logs Netflow]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"expression\":\".es(index=\\\"logs-*\\\", metric=\\\"sum:network.packets\\\", split=\\\"destination.geo.city_name:10\\\", kibana=true).scale_interval(1s).fit(mode=scale).if(operator=\\\"lt\\\", if=0, then=0).trim(start=2,end=1).label(regex=\\\"^.* destination.geo.city_name:(.+) \\u003e .*$\\\", label=\\\"$1\\\").lines(width=1, stack=true, fill=1).yaxis(label=\\\"packets / sec\\\", min=0)\",\"interval\":\"auto\"},\"title\":\"Cities (packets) [Logs Netflow]\",\"type\":\"timelion\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "netflow-7d447b22-89dc-4f32-b549-4b8620af4d76", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/netflow/2.2.3/kibana/visualization/netflow-7fa6cb0a-518d-46e9-a228-15cd4253a957.json b/packages/netflow/2.2.3/kibana/visualization/netflow-7fa6cb0a-518d-46e9-a228-15cd4253a957.json deleted file mode 100755 index e10072db9a..0000000000 --- a/packages/netflow/2.2.3/kibana/visualization/netflow-7fa6cb0a-518d-46e9-a228-15cd4253a957.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "VLANs (bytes) [Logs Netflow]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Bytes\",\"field\":\"network.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"VLAN\",\"field\":\"netflow.vlan_id\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":50},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"}},\"title\":\"VLANs (bytes) [Logs Netflow]\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "netflow-7fa6cb0a-518d-46e9-a228-15cd4253a957", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/netflow/2.2.3/kibana/visualization/netflow-85ebf558-402b-45d2-a186-e15f8673ec07.json b/packages/netflow/2.2.3/kibana/visualization/netflow-85ebf558-402b-45d2-a186-e15f8673ec07.json deleted file mode 100755 index 4d61c728ef..0000000000 --- a/packages/netflow/2.2.3/kibana/visualization/netflow-85ebf558-402b-45d2-a186-e15f8673ec07.json +++ /dev/null 
@@ -1,19 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Egress Interfaces (bytes) [Logs Netflow]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"expression\":\".es(index=\\\"logs-*\\\", metric=\\\"sum:network.bytes\\\", split=\\\"netflow.egress_interface:10\\\", kibana=true).scale_interval(1s).fit(mode=scale).if(operator=\\\"lt\\\", if=0, then=0).trim(start=2,end=1).label(regex=\\\"^.* netflow.egress_interface:(.+) \\u003e .*$\\\", label=\\\"$1\\\").lines(width=1, stack=true, fill=1).yaxis(label=\\\"bytes / sec\\\", min=0)\",\"interval\":\"auto\"},\"title\":\"Egress Interfaces (bytes) [Logs Netflow]\",\"type\":\"timelion\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "netflow-85ebf558-402b-45d2-a186-e15f8673ec07", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/netflow/2.2.3/kibana/visualization/netflow-8f83cf97-4a48-421f-8db5-690297d1f4fb.json b/packages/netflow/2.2.3/kibana/visualization/netflow-8f83cf97-4a48-421f-8db5-690297d1f4fb.json deleted file mode 100755 index d3bba7450d..0000000000 --- a/packages/netflow/2.2.3/kibana/visualization/netflow-8f83cf97-4a48-421f-8db5-690297d1f4fb.json +++ /dev/null 
@@ -1,19 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "TCP Flags (packets) [Logs Netflow]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"expression\":\".es(index=\\\"logs-*\\\", metric=\\\"sum:network.packets\\\", split=\\\"netflow.tcp_control_bits:10\\\", kibana=true).scale_interval(1s).fit(mode=scale).if(operator=\\\"lt\\\", if=0, then=0).trim(start=2,end=1).label(regex=\\\"^.* netflow.tcp_control_bits:(.+) \\u003e .*$\\\", label=\\\"$1\\\").lines(width=1, stack=true, fill=1).yaxis(label=\\\"packets / sec\\\", min=0)\",\"interval\":\"auto\"},\"title\":\"TCP Flags (packets) [Logs Netflow]\",\"type\":\"timelion\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "netflow-8f83cf97-4a48-421f-8db5-690297d1f4fb", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/netflow/2.2.3/kibana/visualization/netflow-a14c3248-952d-42aa-bd7d-9b39157a776f.json b/packages/netflow/2.2.3/kibana/visualization/netflow-a14c3248-952d-42aa-bd7d-9b39157a776f.json deleted file mode 100755 index 305b1cbe98..0000000000 --- a/packages/netflow/2.2.3/kibana/visualization/netflow-a14c3248-952d-42aa-bd7d-9b39157a776f.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Countries (bytes) [Logs Netflow]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Bytes\",\"field\":\"network.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Country\",\"field\":\"destination.geo.country_name\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":50},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"}},\"title\":\"Countries (bytes) [Logs Netflow]\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "netflow-a14c3248-952d-42aa-bd7d-9b39157a776f", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/netflow/2.2.3/kibana/visualization/netflow-a1704d46-15fc-41c2-851d-796ceb49877f.json b/packages/netflow/2.2.3/kibana/visualization/netflow-a1704d46-15fc-41c2-851d-796ceb49877f.json deleted file mode 100755 index 9fd050b6f2..0000000000 --- a/packages/netflow/2.2.3/kibana/visualization/netflow-a1704d46-15fc-41c2-851d-796ceb49877f.json +++ /dev/null 
@@ -1,19 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Types of Service (packets) [Logs Netflow]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"expression\":\".es(index=\\\"logs-*\\\", metric=\\\"sum:network.packets\\\", split=\\\"netflow.ip_class_of_service:10\\\", kibana=true).scale_interval(1s).fit(mode=scale).if(operator=\\\"lt\\\", if=0, then=0).trim(start=2,end=1).label(regex=\\\"^.* netflow.ip_class_of_service:(.+) \\u003e .*$\\\", label=\\\"$1\\\").lines(width=1, stack=true, fill=1).yaxis(label=\\\"packets / sec\\\", min=0)\",\"interval\":\"auto\"},\"title\":\"Types of Service (packets) [Logs Netflow]\",\"type\":\"timelion\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "netflow-a1704d46-15fc-41c2-851d-796ceb49877f", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/netflow/2.2.3/kibana/visualization/netflow-a5efa3dd-f53a-4d14-9d3f-ee73345fd93d.json b/packages/netflow/2.2.3/kibana/visualization/netflow-a5efa3dd-f53a-4d14-9d3f-ee73345fd93d.json deleted file mode 100755 index fff9d9fbb7..0000000000 --- a/packages/netflow/2.2.3/kibana/visualization/netflow-a5efa3dd-f53a-4d14-9d3f-ee73345fd93d.json +++ /dev/null 
@@ -1,19 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "VLANs (bytes) [Logs Netflow]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"expression\":\".es(index=\\\"logs-*\\\", metric=\\\"sum:network.bytes\\\", split=\\\"netflow.vlan_id:10\\\", kibana=true).scale_interval(1s).fit(mode=scale).if(operator=\\\"lt\\\", if=0, then=0).trim(start=2,end=1).label(regex=\\\"^.* netflow.vlan_id:(.+) \\u003e .*$\\\", label=\\\"$1\\\").lines(width=1, stack=true, fill=1).yaxis(label=\\\"bytes / sec\\\", min=0)\",\"interval\":\"auto\"},\"title\":\"VLANs (bytes) [Logs Netflow]\",\"type\":\"timelion\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "netflow-a5efa3dd-f53a-4d14-9d3f-ee73345fd93d", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/netflow/2.2.3/kibana/visualization/netflow-a685420e-c45f-4b62-932b-5b76ac8b8ca2.json b/packages/netflow/2.2.3/kibana/visualization/netflow-a685420e-c45f-4b62-932b-5b76ac8b8ca2.json deleted file mode 100755 index d5430f2886..0000000000 --- a/packages/netflow/2.2.3/kibana/visualization/netflow-a685420e-c45f-4b62-932b-5b76ac8b8ca2.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Cities (bytes) [Logs Netflow]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Bytes\",\"field\":\"network.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"City\",\"field\":\"destination.geo.city_name\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":50},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"}},\"title\":\"Cities (bytes) [Logs Netflow]\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "netflow-a685420e-c45f-4b62-932b-5b76ac8b8ca2", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/netflow/2.2.3/kibana/visualization/netflow-abfa0b19-60cd-4984-9c3d-02ebf0aa1dfb.json b/packages/netflow/2.2.3/kibana/visualization/netflow-abfa0b19-60cd-4984-9c3d-02ebf0aa1dfb.json deleted file mode 100755 index e67336cb81..0000000000 --- a/packages/netflow/2.2.3/kibana/visualization/netflow-abfa0b19-60cd-4984-9c3d-02ebf0aa1dfb.json +++ /dev/null 
@@ -1,19 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Autonomous Systems (bytes) [Logs Netflow]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"expression\":\".es(index=\\\"logs-*\\\", metric=\\\"sum:network.bytes\\\", split=\\\"destination.as.organization.name:10\\\", kibana=true).scale_interval(1s).fit(mode=scale).if(operator=\\\"lt\\\", if=0, then=0).trim(start=2,end=1).label(regex=\\\"^.* destination.as.organization.name:(.+) \\u003e .*$\\\", label=\\\"$1\\\").lines(width=1, stack=true, fill=1).yaxis(label=\\\"bytes / sec\\\", min=0)\",\"interval\":\"auto\"},\"title\":\"Autonomous Systems (bytes) [Logs Netflow]\",\"type\":\"timelion\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "netflow-abfa0b19-60cd-4984-9c3d-02ebf0aa1dfb", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/netflow/2.2.3/kibana/visualization/netflow-ae334aec-31fa-4df7-a064-40b18831d819.json b/packages/netflow/2.2.3/kibana/visualization/netflow-ae334aec-31fa-4df7-a064-40b18831d819.json deleted file mode 100755 index 11c13cd5af..0000000000 --- a/packages/netflow/2.2.3/kibana/visualization/netflow-ae334aec-31fa-4df7-a064-40b18831d819.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "IP Version and Protocols (bytes) [Logs Netflow]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Bytes\",\"field\":\"network.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"IP Version\",\"field\":\"network.type\",\"missingBucket\":true,\"missingBucketLabel\":\"unset ip version\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Protocol\",\"field\":\"network.transport\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":50},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"dimensions\":{\"buckets\":[{\"accessor\":0,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":2,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}}],\"metric\":{\"accessor\":1,\"aggType\":\"sum\",\"format\":{\"id\":\"bytes\"},\"params\":{}}},\"distinctColors\":true,\"isDonut\":true,\"labels\":{\"last_level\":true,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"type\":\"pie\"},\"title\":\"IP Version and Protocols (bytes) [Logs Netflow]\",\"type\":\"pie\"}" - }, - 
"coreMigrationVersion": "8.0.0", - "id": "netflow-ae334aec-31fa-4df7-a064-40b18831d819", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/netflow/2.2.3/kibana/visualization/netflow-aed09724-0a69-4331-84f5-3d2067c43930.json b/packages/netflow/2.2.3/kibana/visualization/netflow-aed09724-0a69-4331-84f5-3d2067c43930.json deleted file mode 100755 index 0cb598214c..0000000000 --- a/packages/netflow/2.2.3/kibana/visualization/netflow-aed09724-0a69-4331-84f5-3d2067c43930.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Destinations and Sources (flow records) [Logs Netflow]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Flow Records\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Destination\",\"field\":\"destination.ip\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":50},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Source\",\"field\":\"source.ip\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":50},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"}},\"title\":\"Destinations and Sources (flow records) [Logs Netflow]\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "netflow-aed09724-0a69-4331-84f5-3d2067c43930", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/netflow/2.2.3/kibana/visualization/netflow-af707b01-29f1-462b-b279-6d2e803f3645.json b/packages/netflow/2.2.3/kibana/visualization/netflow-af707b01-29f1-462b-b279-6d2e803f3645.json deleted file mode 100755 index 4687a20531..0000000000 --- a/packages/netflow/2.2.3/kibana/visualization/netflow-af707b01-29f1-462b-b279-6d2e803f3645.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Destination Port Count [Logs Netflow]", - "uiStateJSON": "{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Destination Ports\",\"field\":\"destination.port\"},\"schema\":\"metric\",\"type\":\"cardinality\"}],\"listeners\":{},\"params\":{\"addLegend\":false,\"addTooltip\":true,\"fontSize\":\"32\",\"gauge\":{\"autoExtend\":false,\"backStyle\":\"Full\",\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":100}],\"gaugeColorMode\":\"None\",\"gaugeStyle\":\"Full\",\"gaugeType\":\"Metric\",\"invertColors\":false,\"labels\":{\"color\":\"black\",\"show\":true},\"orientation\":\"vertical\",\"percentageMode\":false,\"scale\":{\"color\":\"#333\",\"labels\":false,\"show\":false,\"width\":2},\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":\"36\",\"labelColor\":false,\"subText\":\"\"},\"type\":\"simple\",\"useRange\":false,\"verticalSplit\":false},\"handleNoResults\":true,\"type\":\"gauge\"},\"title\":\"Destination Port Count [Logs Netflow]\",\"type\":\"metric\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "netflow-af707b01-29f1-462b-b279-6d2e803f3645", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/netflow/2.2.3/kibana/visualization/netflow-b02c2713-17f0-41dd-88a3-ce33b446f19d.json b/packages/netflow/2.2.3/kibana/visualization/netflow-b02c2713-17f0-41dd-88a3-ce33b446f19d.json deleted file mode 100755 index b966d64753..0000000000 
--- a/packages/netflow/2.2.3/kibana/visualization/netflow-b02c2713-17f0-41dd-88a3-ce33b446f19d.json +++ /dev/null @@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Locality (bytes) [Logs Netflow]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Bytes\",\"field\":\"network.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Locality\",\"field\":\"flow.locality\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"}},\"title\":\"Locality (bytes) [Logs Netflow]\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "netflow-b02c2713-17f0-41dd-88a3-ce33b446f19d", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/netflow/2.2.3/kibana/visualization/netflow-b677cd82-b33e-49b3-8b6e-0e110177b163.json b/packages/netflow/2.2.3/kibana/visualization/netflow-b677cd82-b33e-49b3-8b6e-0e110177b163.json deleted file mode 100755 index 1eceb9a616..0000000000 --- a/packages/netflow/2.2.3/kibana/visualization/netflow-b677cd82-b33e-49b3-8b6e-0e110177b163.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Direction (bytes) [Logs Netflow]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Bytes\",\"field\":\"network.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Direction\",\"field\":\"network.direction\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"}},\"title\":\"Direction (bytes) [Logs Netflow]\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "netflow-b677cd82-b33e-49b3-8b6e-0e110177b163", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/netflow/2.2.3/kibana/visualization/netflow-c27c6a3b-93ee-44d5-8d0c-9b097e575f52.json b/packages/netflow/2.2.3/kibana/visualization/netflow-c27c6a3b-93ee-44d5-8d0c-9b097e575f52.json deleted file mode 100755 index a0b7c0c1c2..0000000000 --- a/packages/netflow/2.2.3/kibana/visualization/netflow-c27c6a3b-93ee-44d5-8d0c-9b097e575f52.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Flow Records [Logs Netflow]", - "uiStateJSON": "{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Flow Records\"},\"schema\":\"metric\",\"type\":\"count\"}],\"listeners\":{},\"params\":{\"addLegend\":false,\"addTooltip\":true,\"fontSize\":\"32\",\"gauge\":{\"autoExtend\":false,\"backStyle\":\"Full\",\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":100}],\"gaugeColorMode\":\"None\",\"gaugeStyle\":\"Full\",\"gaugeType\":\"Metric\",\"invertColors\":false,\"labels\":{\"color\":\"black\",\"show\":true},\"orientation\":\"vertical\",\"percentageMode\":false,\"scale\":{\"color\":\"#333\",\"labels\":false,\"show\":false,\"width\":2},\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":\"36\",\"labelColor\":false,\"subText\":\"\"},\"type\":\"simple\",\"useRange\":false,\"verticalSplit\":false},\"handleNoResults\":true,\"type\":\"gauge\"},\"title\":\"Flow Records [Logs Netflow]\",\"type\":\"metric\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "netflow-c27c6a3b-93ee-44d5-8d0c-9b097e575f52", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/netflow/2.2.3/kibana/visualization/netflow-c54f5529-e6d7-4c26-8e8e-3b35de132035.json b/packages/netflow/2.2.3/kibana/visualization/netflow-c54f5529-e6d7-4c26-8e8e-3b35de132035.json deleted file mode 100755 index 878b1708d1..0000000000 
--- a/packages/netflow/2.2.3/kibana/visualization/netflow-c54f5529-e6d7-4c26-8e8e-3b35de132035.json +++ /dev/null @@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Destination and Source Ports (bytes) [Logs Netflow]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Bytes\",\"field\":\"network.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Destination Port\",\"field\":\"destination.port\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":50},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Source Port\",\"field\":\"source.port\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":50},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"}},\"title\":\"Destination and Source Ports (bytes) [Logs Netflow]\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "netflow-c54f5529-e6d7-4c26-8e8e-3b35de132035", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/netflow/2.2.3/kibana/visualization/netflow-cccff92f-cb71-49a9-9caf-84867751d31e.json b/packages/netflow/2.2.3/kibana/visualization/netflow-cccff92f-cb71-49a9-9caf-84867751d31e.json deleted file mode 100755 index 2a6ad569d2..0000000000 
--- a/packages/netflow/2.2.3/kibana/visualization/netflow-cccff92f-cb71-49a9-9caf-84867751d31e.json +++ /dev/null @@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Top Flow Exporters [Logs Netflow]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Bytes\",\"field\":\"network.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Packets\",\"field\":\"network.packets\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Flow Records\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Flow Exporter\",\"field\":\"agent.name\",\"order\":\"desc\",\"orderBy\":\"2\",\"size\":500},\"schema\":\"bucket\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"perPage\":10,\"showMeticsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":true,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Top Flow Exporters [Logs Netflow]\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "netflow-cccff92f-cb71-49a9-9caf-84867751d31e", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/netflow/2.2.3/kibana/visualization/netflow-cf399a85-e348-4ac1-a399-e8f5a44114c4.json b/packages/netflow/2.2.3/kibana/visualization/netflow-cf399a85-e348-4ac1-a399-e8f5a44114c4.json deleted file mode 100755 index 743e1dfb17..0000000000 --- a/packages/netflow/2.2.3/kibana/visualization/netflow-cf399a85-e348-4ac1-a399-e8f5a44114c4.json +++ /dev/null @@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Destination Ports (bytes) [Logs Netflow]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Bytes\",\"field\":\"network.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Destination Port\",\"field\":\"destination.port\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":50},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"}},\"title\":\"Destination Ports (bytes) [Logs Netflow]\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "netflow-cf399a85-e348-4ac1-a399-e8f5a44114c4", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/netflow/2.2.3/kibana/visualization/netflow-d27b5d74-b3b4-4311-a0e6-08ff8f4345df.json b/packages/netflow/2.2.3/kibana/visualization/netflow-d27b5d74-b3b4-4311-a0e6-08ff8f4345df.json deleted file mode 100755 index 979ae6b817..0000000000 
--- a/packages/netflow/2.2.3/kibana/visualization/netflow-d27b5d74-b3b4-4311-a0e6-08ff8f4345df.json +++ /dev/null @@ -1,19 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Destination Autonomous Systems (packets) [Logs Netflow]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"expression\":\".es(index=\\\"logs-*\\\", metric=\\\"sum:network.packets\\\", split=\\\"destination.as.organization.name:10\\\", kibana=true).scale_interval(1s).fit(mode=scale).if(operator=\\\"lt\\\", if=0, then=0).trim(start=2,end=1).label(regex=\\\"^.* destination.as.organization.name:(.+) \\u003e .*$\\\", label=\\\"$1\\\").lines(width=1, stack=true, fill=1).yaxis(label=\\\"packets / sec\\\", min=0)\",\"interval\":\"auto\"},\"title\":\"Destination Autonomous Systems (packets) [Logs Netflow]\",\"type\":\"timelion\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "netflow-d27b5d74-b3b4-4311-a0e6-08ff8f4345df", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/netflow/2.2.3/kibana/visualization/netflow-d3df8d28-65f8-4ea1-8b33-f479380a0600.json b/packages/netflow/2.2.3/kibana/visualization/netflow-d3df8d28-65f8-4ea1-8b33-f479380a0600.json deleted file mode 100755 index c6f2374192..0000000000 --- a/packages/netflow/2.2.3/kibana/visualization/netflow-d3df8d28-65f8-4ea1-8b33-f479380a0600.json +++ /dev/null 
@@ -1,19 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Ingress Interfaces (bytes) [Logs Netflow]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"expression\":\".es(index=\\\"logs-*\\\", metric=\\\"sum:network.bytes\\\", split=\\\"netflow.ingress_interface:10\\\", kibana=true).scale_interval(1s).fit(mode=scale).if(operator=\\\"lt\\\", if=0, then=0).trim(start=2,end=1).label(regex=\\\"^.* netflow.ingress_interface:(.+) \\u003e .*$\\\", label=\\\"$1\\\").lines(width=1, stack=true, fill=1).yaxis(label=\\\"bytes / sec\\\", min=0)\",\"interval\":\"auto\"},\"title\":\"Ingress Interfaces (bytes) [Logs Netflow]\",\"type\":\"timelion\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "netflow-d3df8d28-65f8-4ea1-8b33-f479380a0600", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/netflow/2.2.3/kibana/visualization/netflow-d41a9663-e5ad-47a7-955e-3803ae4e23c0.json b/packages/netflow/2.2.3/kibana/visualization/netflow-d41a9663-e5ad-47a7-955e-3803ae4e23c0.json deleted file mode 100755 index 79287a5688..0000000000 --- a/packages/netflow/2.2.3/kibana/visualization/netflow-d41a9663-e5ad-47a7-955e-3803ae4e23c0.json +++ /dev/null 
@@ -1,19 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Countries (packets) [Logs Netflow]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"expression\":\".es(index=\\\"logs-*\\\", metric=\\\"sum:network.packets\\\", split=\\\"destination.geo.country_name:10\\\", kibana=true).scale_interval(1s).fit(mode=scale).if(operator=\\\"lt\\\", if=0, then=0).trim(start=2,end=1).label(regex=\\\"^.* destination.geo.country_name:(.+) \\u003e .*$\\\", label=\\\"$1\\\").lines(width=1, stack=true, fill=1).yaxis(label=\\\"packets / sec\\\", min=0)\",\"interval\":\"auto\"},\"title\":\"Countries (packets) [Logs Netflow]\",\"type\":\"timelion\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "netflow-d41a9663-e5ad-47a7-955e-3803ae4e23c0", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/netflow/2.2.3/kibana/visualization/netflow-d4e6520a-9ced-47c9-a8f2-7246e8cbd2d3.json b/packages/netflow/2.2.3/kibana/visualization/netflow-d4e6520a-9ced-47c9-a8f2-7246e8cbd2d3.json deleted file mode 100755 index 80858ba78a..0000000000 --- a/packages/netflow/2.2.3/kibana/visualization/netflow-d4e6520a-9ced-47c9-a8f2-7246e8cbd2d3.json +++ /dev/null 
@@ -1,19 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Dashboard Navigation [Logs Netflow]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"markdown\":\"[Overview](#/dashboard/netflow-34e26884-161a-4448-9556-43b5bf2f62a2) | [Conversation Partners](#/dashboard/netflow-acd7a630-0c71-4840-bc9e-4a3801374a32) | [Traffic Analysis](#/dashboard/netflow-38012abe-c611-4124-8497-381fcd85acc8) | [Top-N](#/dashboard/netflow-14387a13-53bc-43a4-b9cd-63977aa8d87c) | [Geo Location](#/dashboard/netflow-77326664-23be-4bf1-a126-6d7e60cfc024) | [Autonomous Systems](#/dashboard/netflow-c64665f9-d222-421e-90b0-c7310d944b8a) | [Flow Exporters](#/dashboard/netflow-feebb4e6-b13e-4e4e-b9fc-d3a178276425) | [Raw Flow Records](#/dashboard/netflow-94972700-de4a-4272-9143-2fa8d4981365)\\n***\"},\"title\":\"Dashboard Navigation [Logs Netflow]\",\"type\":\"markdown\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "netflow-d4e6520a-9ced-47c9-a8f2-7246e8cbd2d3", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/netflow/2.2.3/kibana/visualization/netflow-d5568704-e30b-4108-bb49-06a9b8dce6a6.json b/packages/netflow/2.2.3/kibana/visualization/netflow-d5568704-e30b-4108-bb49-06a9b8dce6a6.json deleted file mode 100755 index 31ce08b895..0000000000 --- a/packages/netflow/2.2.3/kibana/visualization/netflow-d5568704-e30b-4108-bb49-06a9b8dce6a6.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Autonomous System Count [Logs Netflow]", - "uiStateJSON": "{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Autonomous Systems\",\"field\":\"destination.as.organization.name\"},\"schema\":\"metric\",\"type\":\"cardinality\"}],\"listeners\":{},\"params\":{\"addLegend\":false,\"addTooltip\":true,\"fontSize\":\"32\",\"gauge\":{\"autoExtend\":false,\"backStyle\":\"Full\",\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":100}],\"gaugeColorMode\":\"None\",\"gaugeStyle\":\"Full\",\"gaugeType\":\"Metric\",\"invertColors\":false,\"labels\":{\"color\":\"black\",\"show\":true},\"orientation\":\"vertical\",\"percentageMode\":false,\"scale\":{\"color\":\"#333\",\"labels\":false,\"show\":false,\"width\":2},\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":\"36\",\"labelColor\":false,\"subText\":\"\"},\"type\":\"simple\",\"useRange\":false,\"verticalSplit\":false},\"handleNoResults\":true,\"type\":\"gauge\"},\"title\":\"Autonomous System Count [Logs Netflow]\",\"type\":\"metric\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "netflow-d5568704-e30b-4108-bb49-06a9b8dce6a6", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/netflow/2.2.3/kibana/visualization/netflow-d59a031c-70d6-47d7-966d-7fcb805be9be.json b/packages/netflow/2.2.3/kibana/visualization/netflow-d59a031c-70d6-47d7-966d-7fcb805be9be.json deleted file mode 100755 index 2966189f54..0000000000 
--- a/packages/netflow/2.2.3/kibana/visualization/netflow-d59a031c-70d6-47d7-966d-7fcb805be9be.json +++ /dev/null @@ -1,19 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Destinations (packets) [Logs Netflow]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"expression\":\".es(index=\\\"logs-*\\\", metric=\\\"sum:network.packets\\\", split=\\\"destination.ip:10\\\", kibana=true).scale_interval(1s).fit(mode=scale).if(operator=\\\"lt\\\", if=0, then=0).trim(start=2,end=1).label(regex=\\\"^.* destination.ip:(.+) \\u003e .*$\\\", label=\\\"$1\\\").lines(width=1, stack=true, fill=1).yaxis(label=\\\"packets / sec\\\", min=0)\",\"interval\":\"auto\"},\"title\":\"Destinations (packets) [Logs Netflow]\",\"type\":\"timelion\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "netflow-d59a031c-70d6-47d7-966d-7fcb805be9be", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/netflow/2.2.3/kibana/visualization/netflow-ddd27657-c3c8-4f82-8059-6d7763dd599b.json b/packages/netflow/2.2.3/kibana/visualization/netflow-ddd27657-c3c8-4f82-8059-6d7763dd599b.json deleted file mode 100755 index e443df12d7..0000000000 --- a/packages/netflow/2.2.3/kibana/visualization/netflow-ddd27657-c3c8-4f82-8059-6d7763dd599b.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Source Port Count [Logs Netflow]", - "uiStateJSON": "{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Source Ports\",\"field\":\"source.port\"},\"schema\":\"metric\",\"type\":\"cardinality\"}],\"listeners\":{},\"params\":{\"addLegend\":false,\"addTooltip\":true,\"fontSize\":\"32\",\"gauge\":{\"autoExtend\":false,\"backStyle\":\"Full\",\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":100}],\"gaugeColorMode\":\"None\",\"gaugeStyle\":\"Full\",\"gaugeType\":\"Metric\",\"invertColors\":false,\"labels\":{\"color\":\"black\",\"show\":true},\"orientation\":\"vertical\",\"percentageMode\":false,\"scale\":{\"color\":\"#333\",\"labels\":false,\"show\":false,\"width\":2},\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":\"36\",\"labelColor\":false,\"subText\":\"\"},\"type\":\"simple\",\"useRange\":false,\"verticalSplit\":false},\"handleNoResults\":true,\"type\":\"gauge\"},\"title\":\"Source Port Count [Logs Netflow]\",\"type\":\"metric\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "netflow-ddd27657-c3c8-4f82-8059-6d7763dd599b", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/netflow/2.2.3/kibana/visualization/netflow-e822f94c-5f65-4963-a540-74ca9c25bd2d.json b/packages/netflow/2.2.3/kibana/visualization/netflow-e822f94c-5f65-4963-a540-74ca9c25bd2d.json deleted file mode 100755 index d2c4ad8355..0000000000 
--- a/packages/netflow/2.2.3/kibana/visualization/netflow-e822f94c-5f65-4963-a540-74ca9c25bd2d.json +++ /dev/null @@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Destinations and Sources (bytes) [Logs Netflow]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Bytes\",\"field\":\"network.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Destination\",\"field\":\"destination.ip\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":50},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Source\",\"field\":\"source.ip\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":50},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"}},\"title\":\"Destinations and Sources (bytes) [Logs Netflow]\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "netflow-e822f94c-5f65-4963-a540-74ca9c25bd2d", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/netflow/2.2.3/kibana/visualization/netflow-e99dc327-03de-4561-9e0c-f550710125c2.json b/packages/netflow/2.2.3/kibana/visualization/netflow-e99dc327-03de-4561-9e0c-f550710125c2.json deleted file mode 100755 index 497a4ccbfb..0000000000 
--- a/packages/netflow/2.2.3/kibana/visualization/netflow-e99dc327-03de-4561-9e0c-f550710125c2.json +++ /dev/null @@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Destination Count [Logs Netflow]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Destinations\",\"field\":\"destination.ip\"},\"schema\":\"metric\",\"type\":\"cardinality\"}],\"listeners\":{},\"params\":{\"fontSize\":\"32\",\"handleNoResults\":true},\"title\":\"Destination Count [Logs Netflow]\",\"type\":\"metric\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "netflow-e99dc327-03de-4561-9e0c-f550710125c2", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/netflow/2.2.3/kibana/visualization/netflow-e9ad835b-b2f2-42d3-a3e7-555a593deacf.json b/packages/netflow/2.2.3/kibana/visualization/netflow-e9ad835b-b2f2-42d3-a3e7-555a593deacf.json deleted file mode 100755 index 60c450cad9..0000000000 --- a/packages/netflow/2.2.3/kibana/visualization/netflow-e9ad835b-b2f2-42d3-a3e7-555a593deacf.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Top Source Ports [Logs Netflow]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Bytes\",\"field\":\"network.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Packets\",\"field\":\"network.packets\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Flow Records\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Source\",\"field\":\"source.port\",\"order\":\"desc\",\"orderBy\":\"2\",\"size\":500},\"schema\":\"bucket\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"perPage\":10,\"showMeticsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":true,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Top Source Ports [Logs Netflow]\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "netflow-e9ad835b-b2f2-42d3-a3e7-555a593deacf", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/netflow/2.2.3/kibana/visualization/netflow-ebea013f-9b5b-4f61-a9c8-c62bebf62ae9.json b/packages/netflow/2.2.3/kibana/visualization/netflow-ebea013f-9b5b-4f61-a9c8-c62bebf62ae9.json deleted file mode 100755 index 510bd9c74c..0000000000 
--- a/packages/netflow/2.2.3/kibana/visualization/netflow-ebea013f-9b5b-4f61-a9c8-c62bebf62ae9.json +++ /dev/null @@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Conversation Partners [Logs Netflow]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":2,\"direction\":\"desc\"}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Bytes\",\"field\":\"network.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Packets\",\"field\":\"network.packets\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Source\",\"field\":\"source.ip\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":50},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Destination\",\"field\":\"destination.ip\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":50},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"5\",\"params\":{\"customLabel\":\"Flow Records\"},\"schema\":\"metric\",\"type\":\"count\"}],\"listeners\":{},\"params\":{\"perPage\":10,\"showMeticsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":2,\"direction\":\"desc\"},\"totalFunc\":\"sum\"},\"title\":\"Conversation Partners [Logs Netflow]\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "netflow-ebea013f-9b5b-4f61-a9c8-c62bebf62ae9", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/netflow/2.2.3/kibana/visualization/netflow-f27c1479-0625-4cdc-92de-672e47db0f87.json b/packages/netflow/2.2.3/kibana/visualization/netflow-f27c1479-0625-4cdc-92de-672e47db0f87.json deleted file mode 100755 index 75c6397b07..0000000000 --- a/packages/netflow/2.2.3/kibana/visualization/netflow-f27c1479-0625-4cdc-92de-672e47db0f87.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "ToS Count [Logs Netflow]", - "uiStateJSON": "{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Types of Service\",\"field\":\"netflow.ip_class_of_service\"},\"schema\":\"metric\",\"type\":\"cardinality\"}],\"listeners\":{},\"params\":{\"addLegend\":false,\"addTooltip\":true,\"fontSize\":\"32\",\"gauge\":{\"autoExtend\":false,\"backStyle\":\"Full\",\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":100}],\"gaugeColorMode\":\"None\",\"gaugeStyle\":\"Full\",\"gaugeType\":\"Metric\",\"invertColors\":false,\"labels\":{\"color\":\"black\",\"show\":true},\"orientation\":\"vertical\",\"percentageMode\":false,\"scale\":{\"color\":\"#333\",\"labels\":false,\"show\":false,\"width\":2},\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":\"36\",\"labelColor\":false,\"subText\":\"\"},\"type\":\"simple\",\"useRange\":false,\"verticalSplit\":false},\"handleNoResults\":true,\"type\":\"gauge\"},\"title\":\"ToS Count [Logs Netflow]\",\"type\":\"metric\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "netflow-f27c1479-0625-4cdc-92de-672e47db0f87", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/netflow/2.2.3/kibana/visualization/netflow-f531f957-e8c0-497a-ad41-ef39c2d29671.json b/packages/netflow/2.2.3/kibana/visualization/netflow-f531f957-e8c0-497a-ad41-ef39c2d29671.json deleted file mode 100755 index dcd2f36948..0000000000 
--- a/packages/netflow/2.2.3/kibana/visualization/netflow-f531f957-e8c0-497a-ad41-ef39c2d29671.json +++ /dev/null @@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Destination and Source Ports (flow records) [Logs Netflow]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Flow Records\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Destination Port\",\"field\":\"destination.port\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":50},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Source Port\",\"field\":\"source.port\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":50},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"}},\"title\":\"Destination and Source Ports (flow records) [Logs Netflow]\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "netflow-f531f957-e8c0-497a-ad41-ef39c2d29671", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/netflow/2.2.3/kibana/visualization/netflow-f668ecdb-eec7-44c6-9060-26aaf9fc8404.json b/packages/netflow/2.2.3/kibana/visualization/netflow-f668ecdb-eec7-44c6-9060-26aaf9fc8404.json deleted file mode 100755 index 19567eb0c0..0000000000 
--- a/packages/netflow/2.2.3/kibana/visualization/netflow-f668ecdb-eec7-44c6-9060-26aaf9fc8404.json +++ /dev/null @@ -1,19 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Source Ports (bytes) [Logs Netflow]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"expression\":\".es(index=\\\"logs-*\\\", metric=\\\"sum:network.bytes\\\", split=\\\"source.port:10\\\", kibana=true).scale_interval(1s).fit(mode=scale).if(operator=\\\"lt\\\", if=0, then=0).trim(start=2,end=1).label(regex=\\\"^.* source.port:(.+) \\u003e .*$\\\", label=\\\"$1\\\").lines(width=1, stack=true, fill=1).yaxis(label=\\\"bytes / sec\\\", min=0)\",\"interval\":\"auto\"},\"title\":\"Source Ports (bytes) [Logs Netflow]\",\"type\":\"timelion\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "netflow-f668ecdb-eec7-44c6-9060-26aaf9fc8404", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/netflow/2.2.3/kibana/visualization/netflow-f75063c7-48b7-4de4-b8cb-d07eb2cea0e9.json b/packages/netflow/2.2.3/kibana/visualization/netflow-f75063c7-48b7-4de4-b8cb-d07eb2cea0e9.json deleted file mode 100755 index 8ba248d484..0000000000 --- a/packages/netflow/2.2.3/kibana/visualization/netflow-f75063c7-48b7-4de4-b8cb-d07eb2cea0e9.json +++ /dev/null 
@@ -1,19 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Source Autonomous Systems (packets) [Logs Netflow]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"expression\":\".es(index=\\\"logs-*\\\", metric=\\\"sum:network.packets\\\", split=\\\"source.as.organization.name:10\\\", kibana=true).scale_interval(1s).fit(mode=scale).if(operator=\\\"lt\\\", if=0, then=0).trim(start=2,end=1).label(regex=\\\"^.* source.as.organization.name:(.+) \\u003e .*$\\\", label=\\\"$1\\\").lines(width=1, stack=true, fill=1).yaxis(label=\\\"packets / sec\\\", min=0)\",\"interval\":\"auto\"},\"title\":\"Source Autonomous Systems (packets) [Logs Netflow]\",\"type\":\"timelion\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "netflow-f75063c7-48b7-4de4-b8cb-d07eb2cea0e9", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/netflow/2.2.3/kibana/visualization/netflow-f772028b-d5a6-4d55-b441-493871981a60.json b/packages/netflow/2.2.3/kibana/visualization/netflow-f772028b-d5a6-4d55-b441-493871981a60.json deleted file mode 100755 index f92dadbfe2..0000000000 --- a/packages/netflow/2.2.3/kibana/visualization/netflow-f772028b-d5a6-4d55-b441-493871981a60.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Autonomous Systems (bytes) [Logs Netflow]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Bytes\",\"field\":\"network.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Autonomous System\",\"field\":\"destination.as.organization.name\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":50},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"}},\"title\":\"Autonomous Systems (bytes) [Logs Netflow]\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "netflow-f772028b-d5a6-4d55-b441-493871981a60", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/netflow/2.2.3/kibana/visualization/netflow-f7808e70-df2a-4532-a350-966704567c24.json b/packages/netflow/2.2.3/kibana/visualization/netflow-f7808e70-df2a-4532-a350-966704567c24.json deleted file mode 100755 index 55a143a303..0000000000 --- a/packages/netflow/2.2.3/kibana/visualization/netflow-f7808e70-df2a-4532-a350-966704567c24.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Destination and Source ASs (flow records) [Logs Netflow]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Flow Records\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Destination AS\",\"field\":\"destination.as.organization.name\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":50},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Source AS\",\"field\":\"source.as.organization.name\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":50},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"}},\"title\":\"Destination and Source ASs (flow records) [Logs Netflow]\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "netflow-f7808e70-df2a-4532-a350-966704567c24", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/netflow/2.2.3/kibana/visualization/netflow-f86a7769-8ef6-408d-bbe3-985d0ea0a3f7.json b/packages/netflow/2.2.3/kibana/visualization/netflow-f86a7769-8ef6-408d-bbe3-985d0ea0a3f7.json deleted file mode 100755 index d810abfa5a..0000000000 --- a/packages/netflow/2.2.3/kibana/visualization/netflow-f86a7769-8ef6-408d-bbe3-985d0ea0a3f7.json +++ /dev/null 
@@ -1,19 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Egress Interfaces (packets) [Logs Netflow]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"expression\":\".es(index=\\\"logs-*\\\", metric=\\\"sum:network.packets\\\", split=\\\"netflow.egress_interface:10\\\", kibana=true).scale_interval(1s).fit(mode=scale).if(operator=\\\"lt\\\", if=0, then=0).trim(start=2,end=1).label(regex=\\\"^.* netflow.egress_interface:(.+) \\u003e .*$\\\", label=\\\"$1\\\").lines(width=1, stack=true, fill=1).yaxis(label=\\\"packets / sec\\\", min=0)\",\"interval\":\"auto\"},\"title\":\"Egress Interfaces (packets) [Logs Netflow]\",\"type\":\"timelion\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "netflow-f86a7769-8ef6-408d-bbe3-985d0ea0a3f7", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/netflow/2.2.3/kibana/visualization/netflow-fd6c1144-5026-4795-b7af-a9aa3fc28c56.json b/packages/netflow/2.2.3/kibana/visualization/netflow-fd6c1144-5026-4795-b7af-a9aa3fc28c56.json deleted file mode 100755 index 8e5d47ad63..0000000000 --- a/packages/netflow/2.2.3/kibana/visualization/netflow-fd6c1144-5026-4795-b7af-a9aa3fc28c56.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Sources (bytes) [Logs Netflow]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Bytes\",\"field\":\"network.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Source\",\"field\":\"source.ip\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":50},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"}},\"title\":\"Sources (bytes) [Logs Netflow]\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "netflow-fd6c1144-5026-4795-b7af-a9aa3fc28c56", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/netflow/2.2.3/manifest.yml b/packages/netflow/2.2.3/manifest.yml deleted file mode 100755 index f167ead54e..0000000000 --- a/packages/netflow/2.2.3/manifest.yml +++ /dev/null 
@@ -1,23 +0,0 @@
-format_version: 1.0.0
-name: netflow
-title: NetFlow Records
-version: "2.2.3"
-license: basic
-description: Collect flow records from NetFlow and IPFIX exporters with Elastic Agent.
-type: integration
-categories:
- - network
- - security
-release: ga
-conditions:
- kibana.version: ^8.0.0
-policy_templates:
- - name: netflow
- title: NetFlow logs
- description: Collect Netflow logs from networks via UDP
- inputs:
- - type: netflow
- title: Collect NetFlow logs
- description: Collecting NetFlow logs using the netflow input
-owner:
- github: elastic/security-external-integrations
diff --git a/packages/netflow/2.2.4/LICENSE.txt b/packages/netflow/2.2.4/LICENSE.txt
deleted file mode 100755
index 809108b857..0000000000
--- a/packages/netflow/2.2.4/LICENSE.txt
+++ /dev/null
@@ -1,93 +0,0 @@
-Elastic License 2.0
-
-URL: https://www.elastic.co/licensing/elastic-license
-
-## Acceptance
-
-By using the software, you agree to all of the terms and conditions below.
-
-## Copyright License
-
-The licensor grants you a non-exclusive, royalty-free, worldwide,
-non-sublicensable, non-transferable license to use, copy, distribute, make
-available, and prepare derivative works of the software, in each case subject to
-the limitations and conditions below.
-
-## Limitations
-
-You may not provide the software to third parties as a hosted or managed
-service, where the service provides users with access to any substantial set of
-the features or functionality of the software.
-
-You may not move, change, disable, or circumvent the license key functionality
-in the software, and you may not remove or obscure any functionality in the
-software that is protected by the license key.
-
-You may not alter, remove, or obscure any licensing, copyright, or other notices
-of the licensor in the software. Any use of the licensor’s trademarks is subject
-to applicable law.
-
-## Patents
-
-The licensor grants you a license, under any patent claims the licensor can
-license, or becomes able to license, to make, have made, use, sell, offer for
-sale, import and have imported the software, in each case subject to the
-limitations and conditions in this license. This license does not cover any
-patent claims that you cause to be infringed by modifications or additions to
-the software. If you or your company make any written claim that the software
-infringes or contributes to infringement of any patent, your patent license for
-the software granted under these terms ends immediately. If your company makes
-such a claim, your patent license ends immediately for work on behalf of your
-company.
-
-## Notices
-
-You must ensure that anyone who gets a copy of any part of the software from you
-also gets a copy of these terms.
-
-If you modify the software, you must include in any modified copies of the
-software prominent notices stating that you have modified the software.
-
-## No Other Rights
-
-These terms do not imply any licenses other than those expressly granted in
-these terms.
-
-## Termination
-
-If you use the software in violation of these terms, such use is not licensed,
-and your licenses will automatically terminate. If the licensor provides you
-with a notice of your violation, and you cease all violation of this license no
-later than 30 days after you receive that notice, your licenses will be
-reinstated retroactively. However, if you violate these terms after such
-reinstatement, any additional violation of these terms will cause your licenses
-to terminate automatically and permanently.
-
-## No Liability
-
-*As far as the law allows, the software comes as is, without any warranty or
-condition, and the licensor will not be liable to you for any damages arising
-out of these terms or the use or nature of the software, under any kind of
-legal claim.*
-
-## Definitions
-
-The **licensor** is the entity offering these terms, and the **software** is the
-software the licensor makes available under these terms, including any portion
-of it.
-
-**you** refers to the individual or entity agreeing to these terms.
-
-**your company** is any legal entity, sole proprietorship, or other kind of
-organization that you work for, plus all organizations that have control over,
-are under the control of, or are under common control with that
-organization. **control** means ownership of substantially all the assets of an
-entity, or the power to direct its management and policies by vote, contract, or
-otherwise. Control can be direct or indirect.
-
-**your licenses** are all the licenses granted to you for the software under
-these terms.
-
-**use** means anything you do with the software requiring one of your licenses.
-
-**trademark** means trademarks, service marks, and similar rights.
diff --git a/packages/netflow/2.2.4/changelog.yml b/packages/netflow/2.2.4/changelog.yml
deleted file mode 100755
index 2c867ec0f3..0000000000
--- a/packages/netflow/2.2.4/changelog.yml
+++ /dev/null
@@ -1,142 +0,0 @@
-# newer versions go on top
-- version: "2.2.4"
- changes:
- - description: Remove duplicate field.
- type: bugfix
- link: https://github.com/elastic/integrations/issues/4327
-- version: "2.2.3"
- changes:
- - description: Use ECS geo.location definition.
- type: enhancement
- link: https://github.com/elastic/integrations/issues/4227
-- version: "2.2.2"
- changes:
- - description: Remove unused visualizations
- type: enhancement
- link: https://github.com/elastic/integrations/issues/3975
-- version: "2.2.1"
- changes:
- - description: Added link to Netflow documentation
- type: enhancement
- link: https://github.com/elastic/integrations/pull/3002
-- version: "2.2.0"
- changes:
- - description: Update package to ECS 8.4.0
- type: enhancement
- link: https://github.com/elastic/integrations/pull/3868
-- version: "2.1.0"
- changes:
- - description: Update package to ECS 8.3.0.
- type: enhancement
- link: https://github.com/elastic/integrations/pull/3353
-- version: "2.0.1"
- changes:
- - description: Fix invalid value in sample event
- type: bugfix
- link: https://github.com/elastic/integrations/pull/3334
-- version: "2.0.0"
- changes:
- - description: Migrate map visualisation from tile_map to map object
- type: enhancement
- link: https://github.com/elastic/integrations/pull/3263
-- version: "1.5.0"
- changes:
- - description: Update to ECS 8.2
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2780
-- version: "1.4.2"
- changes:
- - description: Replace invalid field value
- type: enhancement
- link: https://github.com/elastic/integrations/pull/3096
-- version: "1.4.1"
- changes:
- - description: Add documentation for multi-fields
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2916
-- version: "1.4.0"
- changes:
- - description: Update to ECS 8.0
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2424
-- version: "1.3.0"
- changes:
- - description: Add 8.0.0 version constraint
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2220
-- version: "1.2.3"
- changes:
- - description: Uniform with guidelines
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2098
-- version: "1.2.2"
- changes:
- - description: Update Title and Description.
- type: enhancement
- link: https://github.com/elastic/integrations/pull/1973
-- version: "1.2.1"
- changes:
- - description: Fix logic that checks for the 'forwarded' tag
- type: bugfix
- link: https://github.com/elastic/integrations/pull/1833
-- version: "1.2.0"
- changes:
- - description: Update to ECS 1.12.0
- type: enhancement
- link: https://github.com/elastic/integrations/pull/1667
-- version: "1.1.3"
- changes:
- - description: Convert to generated ECS fields
- type: enhancement
- link: https://github.com/elastic/integrations/pull/1489
-- version: '1.1.2'
- changes:
- - description: update to ECS 1.11.0
- type: enhancement
- link: https://github.com/elastic/integrations/pull/1396
-- version: "1.1.1"
- changes:
- - description: Escape special characters in docs
- type: enhancement
- link: https://github.com/elastic/integrations/pull/1364
-- version: "1.1.0"
- changes:
- - description: Update integration description
- type: enhancement
- link: https://github.com/elastic/integrations/pull/1364
-- version: "1.0.0"
- changes:
- - description: make GA
- type: enhancement
- link: https://github.com/elastic/integrations/pull/1218
- - description: Set "event.module" and "event.dataset"
- type: enhancement
- link: https://github.com/elastic/integrations/pull/1218
-- version: "0.4.1"
- changes:
- - description: Use `wildcard` field type for the relevant ECS fields.
- type: enhancement
- link: https://github.com/elastic/integrations/pull/1179
-- version: "0.4.0"
- changes:
- - description: update to ECS 1.10.0
- type: enhancement
- link: https://github.com/elastic/integrations/pull/1062
-- version: "0.3.9"
- changes:
- - description: add pipeline tests and move ecs.version set the to ingest pipeline
- type: enhancement
- link: https://github.com/elastic/integrations/pull/1006
-- version: "0.3.8"
- changes:
- - description: update to ECS 1.9.0
- type: enhancement
- link: https://github.com/elastic/integrations/pull/857
-- version: "0.1.0"
- changes:
- - description: Change field type of `netflow.application_category_nam` and `netflow.application_sub_category_name` to keyword to ensure there are no type conflicts between vendors.
- type: enhancement
- link: https://github.com/elastic/integrations/pull/697
- - description: initial release
- type: enhancement # can be one of: enhancement, bugfix, breaking-change
- link: https://github.com/elastic/integrations/pull/23
diff --git a/packages/netflow/2.2.4/data_stream/log/agent/stream/netflow.yml.hbs b/packages/netflow/2.2.4/data_stream/log/agent/stream/netflow.yml.hbs
deleted file mode 100755
index 45be18a81e..0000000000
--- a/packages/netflow/2.2.4/data_stream/log/agent/stream/netflow.yml.hbs
+++ /dev/null
@@ -1,31 +0,0 @@
-protocols: [v1, v5, v6, v7, v8, v9, ipfix]
-host: '{{host}}:{{port}}'
-max_message_size: '{{max_message_size}}'
-expiration_timeout: '{{expiration_timeout}}'
-queue_size: {{queue_size}}
-{{#if timeout}}
-timeout: '{{timeout}}'
-{{/if}}
-{{#if read_buffer}}
-read_buffer: '{{read_buffer}}'
-{{/if}}
-{{#if custom_definitions}}
-custom_definitions:
-{{#each custom_definitions}}
-- '{{this}}'
-{{/each}}
-{{/if}}
-{{#if detect_sequence_reset}}
-detect_sequence_reset: {{detect_sequence_reset}}
-{{/if}}
-tags:
-{{#each tags as |tag i|}}
- - {{tag}}
-{{/each}}
-{{#contains "forwarded" tags}}
-publisher_pipeline.disable_host: true
-{{/contains}}
-{{#if processors}}
-processors:
-{{processors}}
-{{/if}}
diff --git a/packages/netflow/2.2.4/data_stream/log/elasticsearch/ingest_pipeline/default.yml b/packages/netflow/2.2.4/data_stream/log/elasticsearch/ingest_pipeline/default.yml
deleted file mode 100755
index 22e867908d..0000000000
--- a/packages/netflow/2.2.4/data_stream/log/elasticsearch/ingest_pipeline/default.yml
+++ /dev/null
@@ -1,69 +0,0 @@
----
-description: Pipeline for NetFlow
-
-processors:
- - set:
- field: ecs.version
- value: '8.4.0'
- - convert:
- field: network.iana_number
- type: string
- ignore_missing: true
- ignore_failure: true
-
- - set:
- field: event.category
- value:
- - network
- - session
- if: 'ctx.event?.category != null && ctx.event?.category == "network_session"'
-
- # IP Geolocation Lookup
- - geoip:
- if: ctx.source?.geo == null
- field: source.ip
- target_field: source.geo
- ignore_missing: true
- - geoip:
- if: ctx.destination?.geo == null
- field: destination.ip
- target_field: destination.geo
- ignore_missing: true
-
- # IP Autonomous System (AS) Lookup
- - geoip:
- database_file: GeoLite2-ASN.mmdb
- field: source.ip
- target_field: source.as
- properties:
- - asn
- - organization_name
- ignore_missing: true
- - geoip:
- database_file: GeoLite2-ASN.mmdb
- field: destination.ip
- target_field: destination.as
- properties:
- - asn
- - organization_name
- ignore_missing: true
- - rename:
- field: source.as.asn
- target_field: source.as.number
- ignore_missing: true
- - rename:
- field: source.as.organization_name
- target_field: source.as.organization.name
- ignore_missing: true
- - rename:
- field: destination.as.asn
- target_field: destination.as.number
- ignore_missing: true
- - rename:
- field: destination.as.organization_name
- target_field: destination.as.organization.name
- ignore_missing: true
-on_failure:
- - set:
- field: error.message
- value: "{{ _ingest.on_failure_message }}"
diff --git a/packages/netflow/2.2.4/data_stream/log/fields/agent.yml b/packages/netflow/2.2.4/data_stream/log/fields/agent.yml
deleted file mode 100755
index e0b771d54f..0000000000
--- a/packages/netflow/2.2.4/data_stream/log/fields/agent.yml
+++ /dev/null
@@ -1,100 +0,0 @@
-- name: cloud
- title: Cloud
- group: 2
- description: Fields related to the cloud or infrastructure the events are coming from.
- footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.'
- type: group
- fields:
- - name: project.id
- type: keyword
- description: Name of the project in Google Cloud.
- - name: image.id
- type: keyword
- description: Image ID for the cloud instance.
-- name: container
- title: Container
- group: 2
- description: 'Container fields are used for meta information about the specific container that is the source of information.
-
- These fields help correlate data based containers from any runtime.'
- type: group
- fields:
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: Unique container id.
- - name: image.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the image the container was built on.
- - name: labels
- level: extended
- type: object
- object_type: keyword
- description: Image labels.
- - name: name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Container name.
-- name: host
- title: Host
- group: 2
- description: 'A host is defined as a general computing instance.
-
- ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.'
- type: group
- fields:
- - name: domain
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'Name of the domain of which the host is a member.
-
- For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name.
For Linux this could be the domain of the host''s LDAP provider.'
- example: CONTOSO
- default_field: false
- - name: os.kernel
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system kernel version as a raw string.
- example: 4.4.0-112-generic
- - name: os.platform
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system platform (such centos, ubuntu, windows).
- example: darwin
- - name: os.version
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system version as a raw string.
- example: 10.14.1
- - name: type
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Type of host.
-
- For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.'
- - name: containerized
- type: boolean
- description: >
- If the host is a container.
-
- - name: os.build
- type: keyword
- example: "18D109"
- description: >
- OS build information.
-
- - name: os.codename
- type: keyword
- example: "stretch"
- description: >
- OS codename, if any.
-
diff --git a/packages/netflow/2.2.4/data_stream/log/fields/base-fields.yml b/packages/netflow/2.2.4/data_stream/log/fields/base-fields.yml
deleted file mode 100755
index 008a46bbbb..0000000000
--- a/packages/netflow/2.2.4/data_stream/log/fields/base-fields.yml
+++ /dev/null
@@ -1,17 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: event.module
- type: constant_keyword
- description: Event module
- value: netflow
-- name: event.dataset
- type: constant_keyword
- description: Event dataset
- value: netflow.log
diff --git a/packages/netflow/2.2.4/data_stream/log/fields/ecs.yml b/packages/netflow/2.2.4/data_stream/log/fields/ecs.yml
deleted file mode 100755
index 18a03cfc03..0000000000
--- a/packages/netflow/2.2.4/data_stream/log/fields/ecs.yml
+++ /dev/null
@@ -1,1620 +0,0 @@ -- description: |- - Date/time when the event originated. - This is the date/time extracted from the event, typically representing when the event was generated by the source. - If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. - Required field for all events. - name: '@timestamp' - type: date -- description: |- - Ephemeral identifier of this agent (if one exists). - This id normally changes across restarts, but `agent.id` does not. - name: agent.ephemeral_id - type: keyword -- description: |- - Unique identifier of this agent (if one exists). - Example: For Beats this would be beat.id. - name: agent.id - type: keyword -- description: |- - Custom name of the agent. - This is a name that can be given to an agent. This can be helpful if for example two Filebeat instances are running on the same host but a human readable separation is needed on which Filebeat instance data is coming from. - name: agent.name - type: keyword -- description: |- - Type of the agent. - The agent type always stays the same and should be given by the agent used. In case of Filebeat the agent would always be Filebeat also if two Filebeat instances are run on the same machine. - name: agent.type - type: keyword -- description: Version of the agent. - name: agent.version - type: keyword -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: as.organization.name - type: keyword -- description: |- - Some event client addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. 
- name: client.address - type: keyword -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: client.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: client.as.organization.name - type: keyword -- description: Bytes sent from the client to the server. - name: client.bytes - type: long -- description: |- - The domain name of the client system. - This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. - name: client.domain - type: keyword -- description: City name. - name: client.geo.city_name - type: keyword -- description: Name of the continent. - name: client.geo.continent_name - type: keyword -- description: Country ISO code. - name: client.geo.country_iso_code - type: keyword -- description: Country name. - name: client.geo.country_name - type: keyword -- description: Longitude and latitude. - name: client.geo.location - type: geo_point -- description: |- - User-defined description of a location, at the level of granularity they care about. - Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. - Not typically used in automated geolocation. - name: client.geo.name - type: keyword -- description: Region ISO code. - name: client.geo.region_iso_code - type: keyword -- description: Region name. - name: client.geo.region_name - type: keyword -- description: IP address of the client (IPv4 or IPv6). - name: client.ip - type: ip -- description: |- - MAC address of the client. - The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. 
- name: client.mac - type: keyword -- description: |- - Translated IP of source based NAT sessions (e.g. internal client to internet). - Typically connections traversing load balancers, firewalls, or routers. - name: client.nat.ip - type: ip -- description: |- - Translated port of source based NAT sessions (e.g. internal client to internet). - Typically connections traversing load balancers, firewalls, or routers. - name: client.nat.port - type: long -- description: Packets sent from the client to the server. - name: client.packets - type: long -- description: Port of the client. - name: client.port - type: long -- description: |- - The highest registered client domain, stripped of the subdomain. - For example, the registered domain for "foo.example.com" is "example.com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". - name: client.registered_domain - type: keyword -- description: |- - The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". - name: client.top_level_domain - type: keyword -- description: |- - Name of the directory the user is a member of. - For example, an LDAP or Active Directory domain name. - name: client.user.domain - type: keyword -- description: User email address. - name: client.user.email - type: keyword -- description: User's full name, if available. - multi_fields: - - name: text - type: match_only_text - name: client.user.full_name - type: keyword -- description: |- - Name of the directory the group is a member of. 
- For example, an LDAP or Active Directory domain name. - name: client.user.group.domain - type: keyword -- description: Unique identifier for the group on the system/platform. - name: client.user.group.id - type: keyword -- description: Name of the group. - name: client.user.group.name - type: keyword -- description: |- - Unique user hash to correlate information for a user in anonymized form. - Useful if `user.id` or `user.name` contain confidential information and cannot be used. - name: client.user.hash - type: keyword -- description: Unique identifier of the user. - name: client.user.id - type: keyword -- description: Short name or login of the user. - multi_fields: - - name: text - type: match_only_text - name: client.user.name - type: keyword -- description: |- - The cloud account or organization id used to identify different entities in a multi-tenant environment. - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. - name: cloud.account.id - type: keyword -- description: Availability zone in which this host, resource, or service is located. - name: cloud.availability_zone - type: keyword -- description: Instance ID of the host machine. - name: cloud.instance.id - type: keyword -- description: Instance name of the host machine. - name: cloud.instance.name - type: keyword -- description: Machine type of the host machine. - name: cloud.machine.type - type: keyword -- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - name: cloud.provider - type: keyword -- description: Region in which this host, resource, or service is located. - name: cloud.region - type: keyword -- description: Unique container id. - name: container.id - type: keyword -- description: Name of the image the container was built on. - name: container.image.name - type: keyword -- description: Container image tags. - name: container.image.tag - normalize: - - array - type: keyword -- description: Image labels. 
- name: container.labels - type: object -- description: Container name. - name: container.name - type: keyword -- description: Runtime managing this container. - name: container.runtime - type: keyword -- description: |- - Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: destination.address - type: keyword -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: destination.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: destination.as.organization.name - type: keyword -- description: Bytes sent from the destination to the source. - name: destination.bytes - type: long -- description: |- - The domain name of the destination system. - This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. - name: destination.domain - type: keyword -- description: City name. - name: destination.geo.city_name - type: keyword -- description: Name of the continent. - name: destination.geo.continent_name - type: keyword -- description: Country ISO code. - name: destination.geo.country_iso_code - type: keyword -- description: Country name. - name: destination.geo.country_name - type: keyword -- description: Longitude and latitude. - name: destination.geo.location - type: geo_point -- description: |- - User-defined description of a location, at the level of granularity they care about. - Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. - Not typically used in automated geolocation. 
- name: destination.geo.name - type: keyword -- description: Region ISO code. - name: destination.geo.region_iso_code - type: keyword -- description: Region name. - name: destination.geo.region_name - type: keyword -- description: IP address of the destination (IPv4 or IPv6). - name: destination.ip - type: ip -- description: |- - MAC address of the destination. - The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. - name: destination.mac - pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ - type: keyword -- description: |- - Translated ip of destination based NAT sessions (e.g. internet to private DMZ) - Typically used with load balancers, firewalls, or routers. - name: destination.nat.ip - type: ip -- description: |- - Port the source session is translated to by NAT Device. - Typically used with load balancers, firewalls, or routers. - name: destination.nat.port - type: long -- description: Packets sent from the destination to the source. - name: destination.packets - type: long -- description: Port of the destination. - name: destination.port - type: long -- description: |- - The highest registered destination domain, stripped of the subdomain. - For example, the registered domain for "foo.example.com" is "example.com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". - name: destination.registered_domain - type: keyword -- description: |- - The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). 
Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". - name: destination.top_level_domain - type: keyword -- description: |- - Name of the directory the user is a member of. - For example, an LDAP or Active Directory domain name. - name: destination.user.domain - type: keyword -- description: User email address. - name: destination.user.email - type: keyword -- description: User's full name, if available. - multi_fields: - - name: text - type: match_only_text - name: destination.user.full_name - type: keyword -- description: |- - Name of the directory the group is a member of. - For example, an LDAP or Active Directory domain name. - name: destination.user.group.domain - type: keyword -- description: Unique identifier for the group on the system/platform. - name: destination.user.group.id - type: keyword -- description: Name of the group. - name: destination.user.group.name - type: keyword -- description: |- - Unique user hash to correlate information for a user in anonymized form. - Useful if `user.id` or `user.name` contain confidential information and cannot be used. - name: destination.user.hash - type: keyword -- description: Unique identifier of the user. - name: destination.user.id - type: keyword -- description: Short name or login of the user. - multi_fields: - - name: text - type: match_only_text - name: destination.user.name - type: keyword -- description: |- - An array containing an object for each answer section returned by the server. - The main keys that should be present in these objects are defined by ECS. Records that have more information may contain more keys than what ECS defines. - Not all DNS data sources give all details about DNS answers. At minimum, answer objects must contain the `data` key. If more information is available, map as much of it to ECS as possible, and add any additional fields to the answer objects as custom fields. 
- name: dns.answers - normalize: - - array - type: object -- description: The class of DNS data contained in this resource record. - name: dns.answers.class - type: keyword -- description: |- - The data describing the resource. - The meaning of this data depends on the type and class of the resource record. - name: dns.answers.data - type: keyword -- description: |- - The domain name to which this resource record pertains. - If a chain of CNAME is being resolved, each answer's `name` should be the one that corresponds with the answer's `data`. It should not simply be the original `question.name` repeated. - name: dns.answers.name - type: keyword -- description: The time interval in seconds that this resource record may be cached before it should be discarded. Zero values mean that the data should not be cached. - name: dns.answers.ttl - type: long -- description: The type of data contained in this resource record. - name: dns.answers.type - type: keyword -- description: Array of 2 letter DNS header flags. - name: dns.header_flags - normalize: - - array - type: keyword -- description: The DNS packet identifier assigned by the program that generated the query. The identifier is copied to the response. - name: dns.id - type: keyword -- description: The DNS operation code that specifies the kind of query in the message. This value is set by the originator of a query and copied into the response. - name: dns.op_code - type: keyword -- description: The class of records being queried. - name: dns.question.class - type: keyword -- description: |- - The name being queried. - If the name field contains non-printable characters (below 32 or above 126), those characters should be represented as escaped base 10 integers (\DDD). Back slashes and quotes should be escaped. Tabs, carriage returns, and line feeds should be converted to \t, \r, and \n respectively. - name: dns.question.name - type: keyword -- description: |- - The highest registered domain, stripped of the subdomain. 
- For example, the registered domain for "foo.example.com" is "example.com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". - name: dns.question.registered_domain - type: keyword -- description: |- - The subdomain is all of the labels under the registered_domain. - If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. - name: dns.question.subdomain - type: keyword -- description: |- - The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". - name: dns.question.top_level_domain - type: keyword -- description: The type of record being queried. - name: dns.question.type - type: keyword -- description: |- - Array containing all IPs seen in `answers.data`. - The `answers` array can be difficult to use, because of the variety of data formats it can contain. Extracting all IP addresses seen in there to `dns.resolved_ip` makes it possible to index them as IP addresses, and makes them easier to visualize and query for. - name: dns.resolved_ip - normalize: - - array - type: ip -- description: The DNS response code. - name: dns.response_code - type: keyword -- description: |- - The type of DNS event captured, query or answer. - If your source of DNS events only gives you DNS queries, you should only create dns events of type `dns.type:query`. - If your source of DNS events gives you answers as well, you should create one event per query (optionally as soon as the query is seen). 
And a second event containing all query details as well as an array of answers. - name: dns.type - type: keyword -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: Error code describing the error. - name: error.code - type: keyword -- description: Unique identifier for the error. - name: error.id - type: keyword -- description: Error message. - name: error.message - type: match_only_text -- description: The stack trace of this error in plain text. - multi_fields: - - name: text - type: match_only_text - name: error.stack_trace - type: wildcard -- description: The type of the error, for example the class name of the exception. - name: error.type - type: keyword -- description: |- - The action captured by the event. - This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. - name: event.action - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. This will allow proper categorization of some events that fall in multiple categories. - name: event.category - normalize: - - array - type: keyword -- description: |- - Identification code for this event, if one exists. 
- Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. - name: event.code - type: keyword -- description: |- - event.created contains the date/time when the event was first read by an agent, or by your pipeline. - This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. - In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. - In case the two timestamps are identical, @timestamp should be used. - name: event.created - type: date -- description: |- - Duration of the event in nanoseconds. - If event.start and event.end are known this value should be the difference between the end and start time. - name: event.duration - type: long -- description: event.end contains the date when the event ended or when the activity was last observed. - name: event.end - type: date -- description: Hash (perhaps logstash fingerprint) of raw field to be able to demonstrate log integrity. - name: event.hash - type: keyword -- description: Unique ID to describe the event. - name: event.id - type: keyword -- description: |- - Timestamp when an event arrived in the central data store. - This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. - In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. 
- name: event.ingested - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: |- - Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. - This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. - doc_values: false - index: false - name: event.original - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. - `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. - Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. - Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. - Further note that not all events will have an associated outcome. 
For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. - name: event.outcome - type: keyword -- description: |- - Source of the event. - Event transports such as Syslog or the Windows Event Log typically mention the source of an event. It can be the name of the software that generated the event (e.g. Sysmon, httpd), or of a subsystem of the operating system (kernel, Microsoft-Windows-Security-Auditing). - name: event.provider - type: keyword -- description: Risk score or priority of the event (e.g. security solutions). Use your system's original value here. - name: event.risk_score - type: float -- description: |- - Normalized risk score or priority of the event, on a scale of 0 to 100. - This is mainly useful if you use more than one system that assigns risk scores, and you want to see a normalized value across all systems. - name: event.risk_score_norm - type: float -- description: |- - Sequence number of the event. - The sequence number is a value published by some event sources, to make the exact ordering of events unambiguous, regardless of the timestamp precision. - name: event.sequence - type: long -- description: |- - The numeric severity of the event according to your event source. - What the different severity values mean can be different between sources and use cases. It's up to the implementer to make sure severities are consistent across events from the same source. - The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`. - name: event.severity - type: long -- description: event.start contains the date when the event started or when the activity was first observed. 
- name: event.start - type: date -- description: |- - This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. - Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). - name: event.timezone - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. - `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. This will allow proper categorization of some events that fall in multiple event types. - name: event.type - normalize: - - array - type: keyword -- description: |- - Last time the file was accessed. - Note that not all filesystems keep track of access time. - name: file.accessed - type: date -- description: |- - File creation time. - Note that not all filesystems store the creation time. - name: file.created - type: date -- description: |- - Last time the file attributes or metadata changed. - Note that changes to the file content will update `mtime`. This implies `ctime` will be adjusted at the same time, since `mtime` is an attribute of the file. - name: file.ctime - type: date -- description: Device that is the source of the file. - name: file.device - type: keyword -- description: Directory where the file is located. It should include the drive letter, when appropriate. - name: file.directory - type: keyword -- description: |- - File extension, excluding the leading dot. - Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). - name: file.extension - type: keyword -- description: Primary group ID (GID) of the file. 
- name: file.gid - type: keyword -- description: Primary group name of the file. - name: file.group - type: keyword -- description: MD5 hash. - name: file.hash.md5 - type: keyword -- description: SHA1 hash. - name: file.hash.sha1 - type: keyword -- description: SHA256 hash. - name: file.hash.sha256 - type: keyword -- description: SHA512 hash. - name: file.hash.sha512 - type: keyword -- description: Inode representing the file in the filesystem. - name: file.inode - type: keyword -- description: Mode of the file in octal representation. - name: file.mode - type: keyword -- description: Last time the file content was modified. - name: file.mtime - type: date -- description: Name of the file including the extension, without the directory. - name: file.name - type: keyword -- description: File owner's username. - name: file.owner - type: keyword -- description: Full path to the file, including the file name. It should include the drive letter, when appropriate. - multi_fields: - - name: text - type: match_only_text - name: file.path - type: keyword -- description: |- - File size in bytes. - Only relevant when `file.type` is "file". - name: file.size - type: long -- description: Target path for symlinks. - multi_fields: - - name: text - type: match_only_text - name: file.target_path - type: keyword -- description: File type (file, dir, or symlink). - name: file.type - type: keyword -- description: The user ID (UID) or security identifier (SID) of the file owner. - name: file.uid - type: keyword -- description: City name. - name: geo.city_name - type: keyword -- description: Name of the continent. - name: geo.continent_name - type: keyword -- description: Country ISO code. - name: geo.country_iso_code - type: keyword -- description: Country name. - name: geo.country_name - type: keyword -- description: Longitude and latitude. - name: geo.location - type: geo_point -- description: |- - User-defined description of a location, at the level of granularity they care about. 
- Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. - Not typically used in automated geolocation. - name: geo.name - type: keyword -- description: Region ISO code. - name: geo.region_iso_code - type: keyword -- description: Region name. - name: geo.region_name - type: keyword -- description: |- - Name of the directory the group is a member of. - For example, an LDAP or Active Directory domain name. - name: group.domain - type: keyword -- description: Unique identifier for the group on the system/platform. - name: group.id - type: keyword -- description: Name of the group. - name: group.name - type: keyword -- description: MD5 hash. - name: hash.md5 - type: keyword -- description: SHA1 hash. - name: hash.sha1 - type: keyword -- description: SHA256 hash. - name: hash.sha256 - type: keyword -- description: SHA512 hash. - name: hash.sha512 - type: keyword -- description: Operating system architecture. - name: host.architecture - type: keyword -- description: City name. - name: host.geo.city_name - type: keyword -- description: Name of the continent. - name: host.geo.continent_name - type: keyword -- description: Country ISO code. - name: host.geo.country_iso_code - type: keyword -- description: Country name. - name: host.geo.country_name - type: keyword -- description: Longitude and latitude. - name: host.geo.location - type: geo_point -- description: |- - User-defined description of a location, at the level of granularity they care about. - Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. - Not typically used in automated geolocation. - name: host.geo.name - type: keyword -- description: Region ISO code. - name: host.geo.region_iso_code - type: keyword -- description: Region name. - name: host.geo.region_name - type: keyword -- description: |- - Hostname of the host. 
- It normally contains what the `hostname` command returns on the host machine. - name: host.hostname - type: keyword -- description: |- - Unique host id. - As hostname is not always unique, use values that are meaningful in your environment. - Example: The current usage of `beat.name`. - name: host.id - type: keyword -- description: Host ip addresses. - name: host.ip - normalize: - - array - type: ip -- description: |- - Host MAC addresses. - The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. - name: host.mac - normalize: - - array - pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ - type: keyword -- description: |- - Name of the host. - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. - name: host.name - type: keyword -- description: OS family (such as redhat, debian, freebsd, windows). - name: host.os.family - type: keyword -- description: Operating system name, including the version or code name. - multi_fields: - - name: text - type: match_only_text - name: host.os.full - type: keyword -- description: Operating system kernel version as a raw string. - name: host.os.kernel - type: keyword -- description: Operating system name, without the version. - multi_fields: - - name: text - type: match_only_text - name: host.os.name - type: keyword -- description: Operating system platform (such centos, ubuntu, windows). - name: host.os.platform - type: keyword -- description: Operating system version as a raw string. - name: host.os.version - type: keyword -- description: |- - Type of host. - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. 
- name: host.type - type: keyword -- description: Seconds the host has been up. - name: host.uptime - type: long -- description: Size in bytes of the request body. - name: http.request.body.bytes - type: long -- description: The full HTTP request body. - multi_fields: - - name: text - type: match_only_text - name: http.request.body.content - type: wildcard -- description: Total size in bytes of the request (body and headers). - name: http.request.bytes - type: long -- description: |- - HTTP request method. - The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field. - name: http.request.method - type: keyword -- description: Referrer for this HTTP request. - name: http.request.referrer - type: keyword -- description: Size in bytes of the response body. - name: http.response.body.bytes - type: long -- description: The full HTTP response body. - multi_fields: - - name: text - type: match_only_text - name: http.response.body.content - type: wildcard -- description: Total size in bytes of the response (body and headers). - name: http.response.bytes - type: long -- description: HTTP response status code. - name: http.response.status_code - type: long -- description: HTTP version. - name: http.version - type: keyword -- description: |- - Custom key/value pairs. - Can be used to add meta information to events. Should not contain nested objects. All values are stored as keyword. - Example: `docker` and `k8s` labels. - name: labels - type: object -- description: |- - Original log level of the log event. - If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). - Some examples are `warn`, `err`, `i`, `informational`. - name: log.level - type: keyword -- description: The name of the logger inside an application. 
This is usually the name of the class which initialized the logger, or can be a custom name. - name: log.logger - type: keyword -- description: The line number of the file containing the source code which originated the log event. - name: log.origin.file.line - type: long -- description: |- - The name of the file containing the source code which originated the log event. - Note that this field is not meant to capture the log file. The correct field to capture the log file is `log.file.path`. - name: log.origin.file.name - type: keyword -- description: The name of the function or method which originated the log event. - name: log.origin.function - type: keyword -- description: The Syslog metadata of the event, if the event was transmitted via Syslog. Please see RFCs 5424 or 3164. - name: log.syslog - type: object -- description: |- - The Syslog numeric facility of the log event, if available. - According to RFCs 5424 and 3164, this value should be an integer between 0 and 23. - name: log.syslog.facility.code - type: long -- description: The Syslog text-based facility of the log event, if available. - name: log.syslog.facility.name - type: keyword -- description: |- - Syslog numeric priority of the event, if available. - According to RFCs 5424 and 3164, the priority is 8 * facility + severity. This number is therefore expected to contain a value between 0 and 191. - name: log.syslog.priority - type: long -- description: |- - The Syslog numeric severity of the log event, if available. - If the event source publishing via Syslog provides a different numeric severity value (e.g. firewall, IDS), your source's numeric severity should go to `event.severity`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `event.severity`. - name: log.syslog.severity.code - type: long -- description: |- - The Syslog numeric severity of the log event, if available. 
- If the event source publishing via Syslog provides a different severity value (e.g. firewall, IDS), your source's text severity should go to `log.level`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `log.level`. - name: log.syslog.severity.name - type: keyword -- description: |- - For log events the message field contains the log message, optimized for viewing in a log viewer. - For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. - If multiple messages exist, they can be combined into one message. - name: message - type: match_only_text -- description: |- - When a specific application or service is identified from network connection details (source/dest IPs, ports, certificates, or wire format), this field captures the application's or service's name. - For example, the original event identifies the network connection being from a specific web service in a `https` network connection, like `facebook` or `twitter`. - The field value must be normalized to lowercase for querying. - name: network.application - type: keyword -- description: |- - Total bytes transferred in both directions. - If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. - name: network.bytes - type: long -- description: |- - A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. - Learn more at https://github.com/corelight/community-id-spec. - name: network.community_id - type: keyword -- description: |- - Direction of the network traffic. - When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". 
- When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". - Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. - name: network.direction - type: keyword -- description: Host IP address when the source IP address is the proxy. - name: network.forwarded_ip - type: ip -- description: IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. - name: network.iana_number - type: keyword -- description: Name given by operators to sections of their network. - name: network.name - type: keyword -- description: |- - Total packets transferred in both directions. - If `source.packets` and `destination.packets` are known, `network.packets` is their sum. - name: network.packets - type: long -- description: |- - In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. - The field value must be normalized to lowercase for querying. - name: network.protocol - type: keyword -- description: |- - Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) - The field value must be normalized to lowercase for querying. - name: network.transport - type: keyword -- description: |- - In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc - The field value must be normalized to lowercase for querying. - name: network.type - type: keyword -- description: City name. 
- name: observer.geo.city_name - type: keyword -- description: Name of the continent. - name: observer.geo.continent_name - type: keyword -- description: Country ISO code. - name: observer.geo.country_iso_code - type: keyword -- description: Country name. - name: observer.geo.country_name - type: keyword -- description: Longitude and latitude. - name: observer.geo.location - type: geo_point -- description: |- - User-defined description of a location, at the level of granularity they care about. - Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. - Not typically used in automated geolocation. - name: observer.geo.name - type: keyword -- description: Region ISO code. - name: observer.geo.region_iso_code - type: keyword -- description: Region name. - name: observer.geo.region_name - type: keyword -- description: Hostname of the observer. - name: observer.hostname - type: keyword -- description: IP addresses of the observer. - name: observer.ip - normalize: - - array - type: ip -- description: |- - MAC addresses of the observer. - The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. - name: observer.mac - normalize: - - array - pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ - type: keyword -- description: |- - Custom name of the observer. - This is a name that can be given to an observer. This can be helpful for example if multiple firewalls of the same model are used in an organization. - If no custom name is needed, the field can be left empty. - name: observer.name - type: keyword -- description: OS family (such as redhat, debian, freebsd, windows). - name: observer.os.family - type: keyword -- description: Operating system name, including the version or code name. 
- multi_fields: - - name: text - type: match_only_text - name: observer.os.full - type: keyword -- description: Operating system kernel version as a raw string. - name: observer.os.kernel - type: keyword -- description: Operating system name, without the version. - multi_fields: - - name: text - type: match_only_text - name: observer.os.name - type: keyword -- description: Operating system platform (such centos, ubuntu, windows). - name: observer.os.platform - type: keyword -- description: Operating system version as a raw string. - name: observer.os.version - type: keyword -- description: The product name of the observer. - name: observer.product - type: keyword -- description: Observer serial number. - name: observer.serial_number - type: keyword -- description: |- - The type of the observer the data is coming from. - There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. - name: observer.type - type: keyword -- description: Vendor name of the observer. - name: observer.vendor - type: keyword -- description: Observer version. - name: observer.version - type: keyword -- description: Unique identifier for the organization. - name: organization.id - type: keyword -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: organization.name - type: keyword -- description: OS family (such as redhat, debian, freebsd, windows). - name: os.family - type: keyword -- description: Operating system name, including the version or code name. - multi_fields: - - name: text - type: match_only_text - name: os.full - type: keyword -- description: Operating system kernel version as a raw string. - name: os.kernel - type: keyword -- description: Operating system name, without the version. - multi_fields: - - name: text - type: match_only_text - name: os.name - type: keyword -- description: Operating system platform (such centos, ubuntu, windows). 
- name: os.platform - type: keyword -- description: Operating system version as a raw string. - name: os.version - type: keyword -- description: Package architecture. - name: package.architecture - type: keyword -- description: Checksum of the installed package for verification. - name: package.checksum - type: keyword -- description: Description of the package. - name: package.description - type: keyword -- description: Indicating how the package was installed, e.g. user-local, global. - name: package.install_scope - type: keyword -- description: Time when package was installed. - name: package.installed - type: date -- description: |- - License under which the package was released. - Use a short name, e.g. the license identifier from SPDX License List where possible (https://spdx.org/licenses/). - name: package.license - type: keyword -- description: Package name - name: package.name - type: keyword -- description: Path where the package is installed. - name: package.path - type: keyword -- description: Package size in bytes. - name: package.size - type: long -- description: Package version - name: package.version - type: keyword -- description: |- - Array of process arguments, starting with the absolute path to the executable. - May be filtered to protect sensitive information. - name: process.args - normalize: - - array - type: keyword -- description: Absolute path to the process executable. - multi_fields: - - name: text - type: match_only_text - name: process.executable - type: keyword -- description: MD5 hash. - name: process.hash.md5 - type: keyword -- description: SHA1 hash. - name: process.hash.sha1 - type: keyword -- description: SHA256 hash. - name: process.hash.sha256 - type: keyword -- description: SHA512 hash. - name: process.hash.sha512 - type: keyword -- description: |- - Process name. - Sometimes called program name or similar. 
- multi_fields: - - name: text - type: match_only_text - name: process.name - type: keyword -- description: |- - Deprecated for removal in next major version release. This field is superseded by `process.group_leader.pid`. - Identifier of the group of processes the process belongs to. - name: process.pgid - type: long -- description: Process id. - name: process.pid - type: long -- description: Process id. - name: process.parent.pid - type: long -- description: The time the process started. - name: process.start - type: date -- description: Thread ID. - name: process.thread.id - type: long -- description: Thread name. - name: process.thread.name - type: keyword -- description: |- - Process title. - The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. - multi_fields: - - name: text - type: match_only_text - name: process.title - type: keyword -- description: Seconds the process has been up. - name: process.uptime - type: long -- description: The working directory of the process. - multi_fields: - - name: text - type: match_only_text - name: process.working_directory - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - normalize: - - array - type: ip -- description: |- - Some event server addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: server.address - type: keyword -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: server.as.number - type: long -- description: Organization name. 
- multi_fields: - - name: text - type: match_only_text - name: server.as.organization.name - type: keyword -- description: Bytes sent from the server to the client. - name: server.bytes - type: long -- description: |- - The domain name of the server system. - This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. - name: server.domain - type: keyword -- description: City name. - name: server.geo.city_name - type: keyword -- description: Name of the continent. - name: server.geo.continent_name - type: keyword -- description: Country ISO code. - name: server.geo.country_iso_code - type: keyword -- description: Country name. - name: server.geo.country_name - type: keyword -- description: Longitude and latitude. - name: server.geo.location - type: geo_point -- description: |- - User-defined description of a location, at the level of granularity they care about. - Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. - Not typically used in automated geolocation. - name: server.geo.name - type: keyword -- description: Region ISO code. - name: server.geo.region_iso_code - type: keyword -- description: Region name. - name: server.geo.region_name - type: keyword -- description: IP address of the server (IPv4 or IPv6). - name: server.ip - type: ip -- description: |- - MAC address of the server. - The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. - name: server.mac - pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ - type: keyword -- description: |- - Translated ip of destination based NAT sessions (e.g. internet to private DMZ) - Typically used with load balancers, firewalls, or routers. 
- name: server.nat.ip - type: ip -- description: |- - Translated port of destination based NAT sessions (e.g. internet to private DMZ) - Typically used with load balancers, firewalls, or routers. - name: server.nat.port - type: long -- description: Packets sent from the server to the client. - name: server.packets - type: long -- description: Port of the server. - name: server.port - type: long -- description: |- - The highest registered server domain, stripped of the subdomain. - For example, the registered domain for "foo.example.com" is "example.com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". - name: server.registered_domain - type: keyword -- description: |- - The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". - name: server.top_level_domain - type: keyword -- description: |- - Name of the directory the user is a member of. - For example, an LDAP or Active Directory domain name. - name: server.user.domain - type: keyword -- description: User email address. - name: server.user.email - type: keyword -- description: User's full name, if available. - multi_fields: - - name: text - type: match_only_text - name: server.user.full_name - type: keyword -- description: |- - Name of the directory the group is a member of. - For example, an LDAP or Active Directory domain name. - name: server.user.group.domain - type: keyword -- description: Unique identifier for the group on the system/platform. 
- name: server.user.group.id - type: keyword -- description: Name of the group. - name: server.user.group.name - type: keyword -- description: |- - Unique user hash to correlate information for a user in anonymized form. - Useful if `user.id` or `user.name` contain confidential information and cannot be used. - name: server.user.hash - type: keyword -- description: Unique identifier of the user. - name: server.user.id - type: keyword -- description: Short name or login of the user. - multi_fields: - - name: text - type: match_only_text - name: server.user.name - type: keyword -- description: |- - Ephemeral identifier of this service (if one exists). - This id normally changes across restarts, but `service.id` does not. - name: service.ephemeral_id - type: keyword -- description: |- - Unique identifier of the running service. If the service is comprised of many nodes, the `service.id` should be the same for all nodes. - This id should uniquely identify the service. This makes it possible to correlate logs and metrics for one specific service, no matter which particular node emitted the event. - Note that if you need to see the events from one specific host of the service, you should filter on that `host.name` or `host.id` instead. - name: service.id - type: keyword -- description: |- - Name of the service data is collected from. - The name of the service is normally user given. This allows for distributed services that run on multiple hosts to correlate the related instances based on the name. - In the case of Elasticsearch the `service.name` could contain the cluster name. For Beats the `service.name` is by default a copy of the `service.type` field if no name is specified. - name: service.name - type: keyword -- description: |- - Name of a service node. - This allows for two nodes of the same service running on the same host to be differentiated. Therefore, `service.node.name` should typically be unique across nodes of a given service. 
- In the case of Elasticsearch, the `service.node.name` could contain the unique node name within the Elasticsearch cluster. In cases where the service doesn't have the concept of a node name, the host name or container name can be used to distinguish running instances that make up this service. If those do not provide uniqueness (e.g. multiple instances of the service running on the same host) - the node name can be manually set. - name: service.node.name - type: keyword -- description: Current state of the service. - name: service.state - type: keyword -- description: |- - The type of the service data is collected from. - The type can be used to group and correlate logs and metrics from one service type. - Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. - name: service.type - type: keyword -- description: |- - Version of the service the data was collected from. - This allows to look at a data set only for a specific version of a service. - name: service.version - type: keyword -- description: |- - Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: source.address - type: keyword -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: source.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: source.as.organization.name - type: keyword -- description: Bytes sent from the source to the destination. - name: source.bytes - type: long -- description: |- - The domain name of the source system. - This value may be a host name, a fully qualified domain name, or another host naming format. 
The value may derive from the original event or be added from enrichment. - name: source.domain - type: keyword -- description: City name. - name: source.geo.city_name - type: keyword -- description: Name of the continent. - name: source.geo.continent_name - type: keyword -- description: Country ISO code. - name: source.geo.country_iso_code - type: keyword -- description: Country name. - name: source.geo.country_name - type: keyword -- description: Longitude and latitude. - name: source.geo.location - type: geo_point -- description: |- - User-defined description of a location, at the level of granularity they care about. - Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. - Not typically used in automated geolocation. - name: source.geo.name - type: keyword -- description: Region ISO code. - name: source.geo.region_iso_code - type: keyword -- description: Region name. - name: source.geo.region_name - type: keyword -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: |- - MAC address of the source. - The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. - name: source.mac - pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ - type: keyword -- description: |- - Translated ip of source based NAT sessions (e.g. internal client to internet) - Typically connections traversing load balancers, firewalls, or routers. - name: source.nat.ip - type: ip -- description: |- - Translated port of source based NAT sessions. (e.g. internal client to internet) - Typically used with load balancers, firewalls, or routers. - name: source.nat.port - type: long -- description: Packets sent from the source to the destination. - name: source.packets - type: long -- description: Port of the source. 
- name: source.port - type: long -- description: |- - The highest registered source domain, stripped of the subdomain. - For example, the registered domain for "foo.example.com" is "example.com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". - name: source.registered_domain - type: keyword -- description: |- - The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". - name: source.top_level_domain - type: keyword -- description: |- - Name of the directory the user is a member of. - For example, an LDAP or Active Directory domain name. - name: source.user.domain - type: keyword -- description: User email address. - name: source.user.email - type: keyword -- description: User's full name, if available. - multi_fields: - - name: text - type: match_only_text - name: source.user.full_name - type: keyword -- description: |- - Name of the directory the group is a member of. - For example, an LDAP or Active Directory domain name. - name: source.user.group.domain - type: keyword -- description: Unique identifier for the group on the system/platform. - name: source.user.group.id - type: keyword -- description: Name of the group. - name: source.user.group.name - type: keyword -- description: |- - Unique user hash to correlate information for a user in anonymized form. - Useful if `user.id` or `user.name` contain confidential information and cannot be used. - name: source.user.hash - type: keyword -- description: Unique identifier of the user. 
- name: source.user.id - type: keyword -- description: Short name or login of the user. - multi_fields: - - name: text - type: match_only_text - name: source.user.name - type: keyword -- description: List of keywords used to tag each event. - name: tags - normalize: - - array - type: keyword -- description: Name of the threat framework used to further categorize and classify the tactic and technique of the reported threat. Framework classification can be provided by detecting systems, evaluated at ingest time, or retrospectively tagged to events. - name: threat.framework - type: keyword -- description: The id of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/ ) - name: threat.tactic.id - normalize: - - array - type: keyword -- description: Name of the type of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/) - name: threat.tactic.name - normalize: - - array - type: keyword -- description: The reference url of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/ ) - name: threat.tactic.reference - normalize: - - array - type: keyword -- description: The id of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1059/) - name: threat.technique.id - normalize: - - array - type: keyword -- description: The name of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1059/) - multi_fields: - - name: text - type: match_only_text - name: threat.technique.name - normalize: - - array - type: keyword -- description: The reference url of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. 
https://attack.mitre.org/techniques/T1059/) - name: threat.technique.reference - normalize: - - array - type: keyword -- description: |- - Unique identifier of the trace. - A trace groups multiple events like transactions that belong together. For example, a user request handled by multiple inter-connected services. - name: trace.id - type: keyword -- description: |- - Unique identifier of the transaction within the scope of its trace. - A transaction is the highest level of work measured within a service, such as a request to a server. - name: transaction.id - type: keyword -- description: |- - Domain of the url, such as "www.elastic.co". - In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. - If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. - name: url.domain - type: keyword -- description: |- - The field contains the file extension from the original request url, excluding the leading dot. - The file extension is only set if it exists, as not every url has a file extension. - The leading period must not be included. For example, the value must be "png", not ".png". - Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). - name: url.extension - type: keyword -- description: |- - Portion of the url after the `#`, such as "top". - The `#` is not part of the fragment. - name: url.fragment - type: keyword -- description: If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. - multi_fields: - - name: text - type: match_only_text - name: url.full - type: wildcard -- description: |- - Unmodified original url as seen in the event source. 
- Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. - This field is meant to represent the URL as it was observed, complete or not. - multi_fields: - - name: text - type: match_only_text - name: url.original - type: wildcard -- description: Password of the request. - name: url.password - type: keyword -- description: Path of the request, such as "/search". - name: url.path - type: wildcard -- description: Port of the request, such as 443. - name: url.port - type: long -- description: |- - The query field describes the query string of the request, such as "q=elasticsearch". - The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. - name: url.query - type: keyword -- description: |- - The highest registered url domain, stripped of the subdomain. - For example, the registered domain for "foo.example.com" is "example.com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". - name: url.registered_domain - type: keyword -- description: |- - Scheme of the request, such as "https". - Note: The `:` is not part of the scheme. - name: url.scheme - type: keyword -- description: |- - The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". 
- name: url.top_level_domain - type: keyword -- description: Username of the request. - name: url.username - type: keyword -- description: |- - Name of the directory the user is a member of. - For example, an LDAP or Active Directory domain name. - name: user.domain - type: keyword -- description: User email address. - name: user.email - type: keyword -- description: User's full name, if available. - multi_fields: - - name: text - type: match_only_text - name: user.full_name - type: keyword -- description: |- - Name of the directory the group is a member of. - For example, an LDAP or Active Directory domain name. - name: user.group.domain - type: keyword -- description: Unique identifier for the group on the system/platform. - name: user.group.id - type: keyword -- description: Name of the group. - name: user.group.name - type: keyword -- description: |- - Unique user hash to correlate information for a user in anonymized form. - Useful if `user.id` or `user.name` contain confidential information and cannot be used. - name: user.hash - type: keyword -- description: Unique identifier of the user. - name: user.id - type: keyword -- description: Short name or login of the user. - multi_fields: - - name: text - type: match_only_text - name: user.name - type: keyword -- description: Name of the device. - name: user_agent.device.name - type: keyword -- description: Name of the user agent. - name: user_agent.name - type: keyword -- description: Unparsed user_agent string. - multi_fields: - - name: text - type: match_only_text - name: user_agent.original - type: keyword -- description: OS family (such as redhat, debian, freebsd, windows). - name: user_agent.os.family - type: keyword -- description: Operating system name, including the version or code name. - multi_fields: - - name: text - type: match_only_text - name: user_agent.os.full - type: keyword -- description: Operating system kernel version as a raw string. 
- name: user_agent.os.kernel
- type: keyword
-- description: Operating system name, without the version.
- multi_fields:
- - name: text
- type: match_only_text
- name: user_agent.os.name
- type: keyword
-- description: Operating system platform (such centos, ubuntu, windows).
- name: user_agent.os.platform
- type: keyword
-- description: Operating system version as a raw string.
- name: user_agent.os.version
- type: keyword
-- description: Version of the user agent.
- name: user_agent.version
- type: keyword
diff --git a/packages/netflow/2.2.4/data_stream/log/fields/package-fields.yml b/packages/netflow/2.2.4/data_stream/log/fields/package-fields.yml
deleted file mode 100755
index 1915b6a75d..0000000000
--- a/packages/netflow/2.2.4/data_stream/log/fields/package-fields.yml
+++ /dev/null
@@ -1,2689 +0,0 @@ -- name: input.type - description: Type of Filebeat input. - type: keyword -- name: flow.locality - type: keyword - description: Identifies whether the flow involved public IP addresses or only private address. -- name: flow.id - type: keyword - description: Hash of source and destination IPs. -- name: destination.locality - type: keyword - description: Whether the destination IP is private or public. -- name: source.locality - type: keyword - description: Whether the source IP is private or public. -- name: netflow - type: group - description: > - Fields from NetFlow and IPFIX. - - fields: - - name: type - type: keyword - description: > - The type of NetFlow record described by this event. - - - name: exporter - type: group - description: > - Metadata related to the exporter device that generated this record. - - fields: - - name: address - type: keyword - description: > - Exporter's network address in IP:port format. - - - name: source_id - type: long - description: > - Observation domain ID to which this record belongs. - - - name: timestamp - type: date - description: > - Time and date of export. - - - name: uptime_millis - type: long - description: > - How long the exporter process has been running, in milliseconds. - - - name: version - type: integer - description: > - NetFlow version used. 
- - - name: absolute_error - type: double - - name: address_pool_high_threshold - type: long - - name: address_pool_low_threshold - type: long - - name: address_port_mapping_high_threshold - type: long - - name: address_port_mapping_low_threshold - type: long - - name: address_port_mapping_per_user_high_threshold - type: long - - name: afc_protocol - type: integer - - name: afc_protocol_name - type: keyword - - name: anonymization_flags - type: integer - - name: anonymization_technique - type: integer - - name: application_business-relevance - type: long - - name: application_category_name - type: keyword - - name: application_description - type: keyword - - name: application_group_name - type: keyword - - name: application_http_uri_statistics - type: short - - name: application_http_user-agent - type: short - - name: application_id - type: short - - name: application_name - type: keyword - - name: application_sub_category_name - type: keyword - - name: application_traffic-class - type: long - - name: art_client_network_time_maximum - type: long - - name: art_client_network_time_minimum - type: long - - name: art_client_network_time_sum - type: long - - name: art_clientpackets - type: long - - name: art_count_late_responses - type: long - - name: art_count_new_connections - type: long - - name: art_count_responses - type: long - - name: art_count_responses_histogram_bucket1 - type: long - - name: art_count_responses_histogram_bucket2 - type: long - - name: art_count_responses_histogram_bucket3 - type: long - - name: art_count_responses_histogram_bucket4 - type: long - - name: art_count_responses_histogram_bucket5 - type: long - - name: art_count_responses_histogram_bucket6 - type: long - - name: art_count_responses_histogram_bucket7 - type: long - - name: art_count_retransmissions - type: long - - name: art_count_transactions - type: long - - name: art_network_time_maximum - type: long - - name: art_network_time_minimum - type: long - - name: art_network_time_sum - 
type: long - - name: art_response_time_maximum - type: long - - name: art_response_time_minimum - type: long - - name: art_response_time_sum - type: long - - name: art_server_network_time_maximum - type: long - - name: art_server_network_time_minimum - type: long - - name: art_server_network_time_sum - type: long - - name: art_server_response_time_maximum - type: long - - name: art_server_response_time_minimum - type: long - - name: art_server_response_time_sum - type: long - - name: art_serverpackets - type: long - - name: art_total_response_time_maximum - type: long - - name: art_total_response_time_minimum - type: long - - name: art_total_response_time_sum - type: long - - name: art_total_transaction_time_maximum - type: long - - name: art_total_transaction_time_minimum - type: long - - name: art_total_transaction_time_sum - type: long - - name: assembled_fragment_count - type: long - - name: audit_counter - type: long - - name: average_interarrival_time - type: long - - name: bgp_destination_as_number - type: long - - name: bgp_next_adjacent_as_number - type: long - - name: bgp_next_hop_ipv4_address - type: ip - - name: bgp_next_hop_ipv6_address - type: ip - - name: bgp_prev_adjacent_as_number - type: long - - name: bgp_source_as_number - type: long - - name: bgp_validity_state - type: short - - name: biflow_direction - type: short - - name: bind_ipv4_address - type: ip - - name: bind_transport_port - type: integer - - name: class_id - type: long - - name: class_name - type: keyword - - name: classification_engine_id - type: short - - name: collection_time_milliseconds - type: date - - name: collector_certificate - type: short - - name: collector_ipv4_address - type: ip - - name: collector_ipv6_address - type: ip - - name: collector_transport_port - type: integer - - name: common_properties_id - type: long - - name: confidence_level - type: double - - name: conn_ipv4_address - type: ip - - name: conn_transport_port - type: integer - - name: 
connection_sum_duration_seconds - type: long - - name: connection_transaction_id - type: long - - name: conntrack_id - type: long - - name: data_byte_count - type: long - - name: data_link_frame_section - type: short - - name: data_link_frame_size - type: integer - - name: data_link_frame_type - type: integer - - name: data_records_reliability - type: boolean - - name: delta_flow_count - type: long - - name: destination_ipv4_address - type: ip - - name: destination_ipv4_prefix - type: ip - - name: destination_ipv4_prefix_length - type: short - - name: destination_ipv6_address - type: ip - - name: destination_ipv6_prefix - type: ip - - name: destination_ipv6_prefix_length - type: short - - name: destination_mac_address - type: keyword - - name: destination_transport_port - type: integer - - name: digest_hash_value - type: long - - name: distinct_count_of_destination_ip_address - type: long - - name: distinct_count_of_destination_ipv4_address - type: long - - name: distinct_count_of_destination_ipv6_address - type: long - - name: distinct_count_of_source_ip_address - type: long - - name: distinct_count_of_source_ipv4_address - type: long - - name: distinct_count_of_source_ipv6_address - type: long - - name: dns_authoritative - type: short - - name: dns_cname - type: keyword - - name: dns_id - type: integer - - name: dns_mx_exchange - type: keyword - - name: dns_mx_preference - type: integer - - name: dns_nsd_name - type: keyword - - name: dns_nx_domain - type: short - - name: dns_ptrd_name - type: keyword - - name: dns_qname - type: keyword - - name: dns_qr_type - type: integer - - name: dns_query_response - type: short - - name: dns_rr_section - type: short - - name: dns_soa_expire - type: long - - name: dns_soa_minimum - type: long - - name: dns_soa_refresh - type: long - - name: dns_soa_retry - type: long - - name: dns_soa_serial - type: long - - name: dns_soam_name - type: keyword - - name: dns_soar_name - type: keyword - - name: dns_srv_port - type: integer - - 
name: dns_srv_priority - type: integer - - name: dns_srv_target - type: integer - - name: dns_srv_weight - type: integer - - name: dns_ttl - type: long - - name: dns_txt_data - type: keyword - - name: dot1q_customer_dei - type: boolean - - name: dot1q_customer_destination_mac_address - type: keyword - - name: dot1q_customer_priority - type: short - - name: dot1q_customer_source_mac_address - type: keyword - - name: dot1q_customer_vlan_id - type: integer - - name: dot1q_dei - type: boolean - - name: dot1q_priority - type: short - - name: dot1q_service_instance_id - type: long - - name: dot1q_service_instance_priority - type: short - - name: dot1q_service_instance_tag - type: short - - name: dot1q_vlan_id - type: integer - - name: dropped_layer2_octet_delta_count - type: long - - name: dropped_layer2_octet_total_count - type: long - - name: dropped_octet_delta_count - type: long - - name: dropped_octet_total_count - type: long - - name: dropped_packet_delta_count - type: long - - name: dropped_packet_total_count - type: long - - name: dst_traffic_index - type: long - - name: egress_broadcast_packet_total_count - type: long - - name: egress_interface - type: long - - name: egress_interface_type - type: long - - name: egress_physical_interface - type: long - - name: egress_unicast_packet_total_count - type: long - - name: egress_vrfid - type: long - - name: encrypted_technology - type: keyword - - name: engine_id - type: short - - name: engine_type - type: short - - name: ethernet_header_length - type: short - - name: ethernet_payload_length - type: integer - - name: ethernet_total_length - type: integer - - name: ethernet_type - type: integer - - name: expired_fragment_count - type: long - - name: export_interface - type: long - - name: export_protocol_version - type: short - - name: export_sctp_stream_id - type: integer - - name: export_transport_protocol - type: short - - name: exported_flow_record_total_count - type: long - - name: exported_message_total_count - 
type: long - - name: exported_octet_total_count - type: long - - name: exporter_certificate - type: short - - name: exporter_ipv4_address - type: ip - - name: exporter_ipv6_address - type: ip - - name: exporter_transport_port - type: integer - - name: exporting_process_id - type: long - - name: external_address_realm - type: short - - name: firewall_event - type: short - - name: first_eight_non_empty_packet_directions - type: short - - name: first_non_empty_packet_size - type: integer - - name: first_packet_banner - type: keyword - - name: flags_and_sampler_id - type: long - - name: flow_active_timeout - type: integer - - name: flow_attributes - type: integer - - name: flow_direction - type: short - - name: flow_duration_microseconds - type: long - - name: flow_duration_milliseconds - type: long - - name: flow_end_delta_microseconds - type: long - - name: flow_end_microseconds - type: date - - name: flow_end_milliseconds - type: date - - name: flow_end_nanoseconds - type: date - - name: flow_end_reason - type: short - - name: flow_end_seconds - type: date - - name: flow_end_sys_up_time - type: long - - name: flow_id - type: long - - name: flow_idle_timeout - type: integer - - name: flow_key_indicator - type: long - - name: flow_label_ipv6 - type: long - - name: flow_sampling_time_interval - type: long - - name: flow_sampling_time_spacing - type: long - - name: flow_selected_flow_delta_count - type: long - - name: flow_selected_octet_delta_count - type: long - - name: flow_selected_packet_delta_count - type: long - - name: flow_selector_algorithm - type: integer - - name: flow_start_delta_microseconds - type: long - - name: flow_start_microseconds - type: date - - name: flow_start_milliseconds - type: date - - name: flow_start_nanoseconds - type: date - - name: flow_start_seconds - type: date - - name: flow_start_sys_up_time - type: long - - name: flow_table_flush_event_count - type: long - - name: flow_table_peak_count - type: long - - name: forwarding_status - 
type: short - - name: fragment_flags - type: short - - name: fragment_identification - type: long - - name: fragment_offset - type: integer - - name: fw_blackout_secs - type: long - - name: fw_configured_value - type: long - - name: fw_cts_src_sgt - type: long - - name: fw_event_level - type: long - - name: fw_event_level_id - type: long - - name: fw_ext_event - type: integer - - name: fw_ext_event_alt - type: long - - name: fw_ext_event_desc - type: keyword - - name: fw_half_open_count - type: long - - name: fw_half_open_high - type: long - - name: fw_half_open_rate - type: long - - name: fw_max_sessions - type: long - - name: fw_rule - type: keyword - - name: fw_summary_pkt_count - type: long - - name: fw_zone_pair_id - type: long - - name: fw_zone_pair_name - type: long - - name: global_address_mapping_high_threshold - type: long - - name: gre_key - type: long - - name: hash_digest_output - type: boolean - - name: hash_flow_domain - type: integer - - name: hash_initialiser_value - type: long - - name: hash_ip_payload_offset - type: long - - name: hash_ip_payload_size - type: long - - name: hash_output_range_max - type: long - - name: hash_output_range_min - type: long - - name: hash_selected_range_max - type: long - - name: hash_selected_range_min - type: long - - name: http_content_type - type: keyword - - name: http_message_version - type: keyword - - name: http_reason_phrase - type: keyword - - name: http_request_host - type: keyword - - name: http_request_method - type: keyword - - name: http_request_target - type: keyword - - name: http_status_code - type: integer - - name: http_user_agent - type: keyword - - name: icmp_code_ipv4 - type: short - - name: icmp_code_ipv6 - type: short - - name: icmp_type_code_ipv4 - type: integer - - name: icmp_type_code_ipv6 - type: integer - - name: icmp_type_ipv4 - type: short - - name: icmp_type_ipv6 - type: short - - name: igmp_type - type: short - - name: ignored_data_record_total_count - type: long - - name: 
ignored_layer2_frame_total_count - type: long - - name: ignored_layer2_octet_total_count - type: long - - name: ignored_octet_total_count - type: long - - name: ignored_packet_total_count - type: long - - name: information_element_data_type - type: short - - name: information_element_description - type: keyword - - name: information_element_id - type: integer - - name: information_element_index - type: integer - - name: information_element_name - type: keyword - - name: information_element_range_begin - type: long - - name: information_element_range_end - type: long - - name: information_element_semantics - type: short - - name: information_element_units - type: integer - - name: ingress_broadcast_packet_total_count - type: long - - name: ingress_interface - type: long - - name: ingress_interface_type - type: long - - name: ingress_multicast_packet_total_count - type: long - - name: ingress_physical_interface - type: long - - name: ingress_unicast_packet_total_count - type: long - - name: ingress_vrfid - type: long - - name: initial_tcp_flags - type: short - - name: initiator_octets - type: long - - name: initiator_packets - type: long - - name: interface_description - type: keyword - - name: interface_name - type: keyword - - name: intermediate_process_id - type: long - - name: internal_address_realm - type: short - - name: ip_class_of_service - type: short - - name: ip_diff_serv_code_point - type: short - - name: ip_header_length - type: short - - name: ip_header_packet_section - type: short - - name: ip_next_hop_ipv4_address - type: ip - - name: ip_next_hop_ipv6_address - type: ip - - name: ip_payload_length - type: long - - name: ip_payload_packet_section - type: short - - name: ip_precedence - type: short - - name: ip_sec_spi - type: long - - name: ip_total_length - type: long - - name: ip_ttl - type: short - - name: ip_version - type: short - - name: ipv4_ihl - type: short - - name: ipv4_options - type: long - - name: ipv4_router_sc - type: ip - - name: 
ipv6_extension_headers - type: long - - name: is_multicast - type: short - - name: ixia_browser_id - type: short - - name: ixia_browser_name - type: keyword - - name: ixia_device_id - type: short - - name: ixia_device_name - type: keyword - - name: ixia_dns_answer - type: keyword - - name: ixia_dns_classes - type: keyword - - name: ixia_dns_query - type: keyword - - name: ixia_dns_record_txt - type: keyword - - name: ixia_dst_as_name - type: keyword - - name: ixia_dst_city_name - type: keyword - - name: ixia_dst_country_code - type: keyword - - name: ixia_dst_country_name - type: keyword - - name: ixia_dst_latitude - type: float - - name: ixia_dst_longitude - type: float - - name: ixia_dst_region_code - type: keyword - - name: ixia_dst_region_node - type: keyword - - name: ixia_encrypt_cipher - type: keyword - - name: ixia_encrypt_key_length - type: integer - - name: ixia_encrypt_type - type: keyword - - name: ixia_http_host_name - type: keyword - - name: ixia_http_uri - type: keyword - - name: ixia_http_user_agent - type: keyword - - name: ixia_imsi_subscriber - type: keyword - - name: ixia_l7_app_id - type: long - - name: ixia_l7_app_name - type: keyword - - name: ixia_latency - type: long - - name: ixia_rev_octet_delta_count - type: long - - name: ixia_rev_packet_delta_count - type: long - - name: ixia_src_as_name - type: keyword - - name: ixia_src_city_name - type: keyword - - name: ixia_src_country_code - type: keyword - - name: ixia_src_country_name - type: keyword - - name: ixia_src_latitude - type: float - - name: ixia_src_longitude - type: float - - name: ixia_src_region_code - type: keyword - - name: ixia_src_region_name - type: keyword - - name: ixia_threat_ipv4 - type: ip - - name: ixia_threat_ipv6 - type: ip - - name: ixia_threat_type - type: keyword - - name: large_packet_count - type: long - - name: layer2_frame_delta_count - type: long - - name: layer2_frame_total_count - type: long - - name: layer2_octet_delta_count - type: long - - name: 
layer2_octet_delta_sum_of_squares - type: long - - name: layer2_octet_total_count - type: long - - name: layer2_octet_total_sum_of_squares - type: long - - name: layer2_segment_id - type: long - - name: layer2packet_section_data - type: short - - name: layer2packet_section_offset - type: integer - - name: layer2packet_section_size - type: integer - - name: line_card_id - type: long - - name: log_op - type: short - - name: lower_ci_limit - type: double - - name: mark - type: long - - name: max_bib_entries - type: long - - name: max_entries_per_user - type: long - - name: max_export_seconds - type: date - - name: max_flow_end_microseconds - type: date - - name: max_flow_end_milliseconds - type: date - - name: max_flow_end_nanoseconds - type: date - - name: max_flow_end_seconds - type: date - - name: max_fragments_pending_reassembly - type: long - - name: max_packet_size - type: integer - - name: max_session_entries - type: long - - name: max_subscribers - type: long - - name: maximum_ip_total_length - type: long - - name: maximum_layer2_total_length - type: long - - name: maximum_ttl - type: short - - name: mean_flow_rate - type: long - - name: mean_packet_rate - type: long - - name: message_md5_checksum - type: short - - name: message_scope - type: short - - name: metering_process_id - type: long - - name: metro_evc_id - type: keyword - - name: metro_evc_type - type: short - - name: mib_capture_time_semantics - type: short - - name: mib_context_engine_id - type: short - - name: mib_context_name - type: keyword - - name: mib_index_indicator - type: long - - name: mib_module_name - type: keyword - - name: mib_object_description - type: keyword - - name: mib_object_identifier - type: short - - name: mib_object_name - type: keyword - - name: mib_object_syntax - type: keyword - - name: mib_object_value_bits - type: short - - name: mib_object_value_counter - type: long - - name: mib_object_value_gauge - type: long - - name: mib_object_value_integer - type: integer - - 
name: mib_object_value_ip_address - type: ip - - name: mib_object_value_octet_string - type: short - - name: mib_object_value_oid - type: short - - name: mib_object_value_time_ticks - type: long - - name: mib_object_value_unsigned - type: long - - name: mib_sub_identifier - type: long - - name: min_export_seconds - type: date - - name: min_flow_start_microseconds - type: date - - name: min_flow_start_milliseconds - type: date - - name: min_flow_start_nanoseconds - type: date - - name: min_flow_start_seconds - type: date - - name: minimum_ip_total_length - type: long - - name: minimum_layer2_total_length - type: long - - name: minimum_ttl - type: short - - name: mobile_imsi - type: keyword - - name: mobile_msisdn - type: keyword - - name: monitoring_interval_end_milli_seconds - type: date - - name: monitoring_interval_start_milli_seconds - type: date - - name: mpls_label_stack_depth - type: long - - name: mpls_label_stack_length - type: long - - name: mpls_label_stack_section - type: short - - name: mpls_label_stack_section10 - type: short - - name: mpls_label_stack_section2 - type: short - - name: mpls_label_stack_section3 - type: short - - name: mpls_label_stack_section4 - type: short - - name: mpls_label_stack_section5 - type: short - - name: mpls_label_stack_section6 - type: short - - name: mpls_label_stack_section7 - type: short - - name: mpls_label_stack_section8 - type: short - - name: mpls_label_stack_section9 - type: short - - name: mpls_payload_length - type: long - - name: mpls_payload_packet_section - type: short - - name: mpls_top_label_exp - type: short - - name: mpls_top_label_ipv4_address - type: ip - - name: mpls_top_label_ipv6_address - type: ip - - name: mpls_top_label_prefix_length - type: short - - name: mpls_top_label_stack_section - type: short - - name: mpls_top_label_ttl - type: short - - name: mpls_top_label_type - type: short - - name: mpls_vpn_route_distinguisher - type: short - - name: mptcp_address_id - type: short - - name: mptcp_flags 
- type: short - - name: mptcp_initial_data_sequence_number - type: long - - name: mptcp_maximum_segment_size - type: integer - - name: mptcp_receiver_token - type: long - - name: multicast_replication_factor - type: long - - name: nat_event - type: short - - name: nat_inside_svcid - type: integer - - name: nat_instance_id - type: long - - name: nat_originating_address_realm - type: short - - name: nat_outside_svcid - type: integer - - name: nat_pool_id - type: long - - name: nat_pool_name - type: keyword - - name: nat_quota_exceeded_event - type: long - - name: nat_sub_string - type: keyword - - name: nat_threshold_event - type: long - - name: nat_type - type: short - - name: netscale_ica_client_version - type: keyword - - name: netscaler_aaa_username - type: keyword - - name: netscaler_app_name - type: keyword - - name: netscaler_app_name_app_id - type: long - - name: netscaler_app_name_incarnation_number - type: long - - name: netscaler_app_template_name - type: keyword - - name: netscaler_app_unit_name_app_id - type: long - - name: netscaler_application_startup_duration - type: long - - name: netscaler_application_startup_time - type: long - - name: netscaler_cache_redir_client_connection_core_id - type: long - - name: netscaler_cache_redir_client_connection_transaction_id - type: long - - name: netscaler_client_rtt - type: long - - name: netscaler_connection_chain_hop_count - type: long - - name: netscaler_connection_chain_id - type: short - - name: netscaler_connection_id - type: long - - name: netscaler_current_license_consumed - type: long - - name: netscaler_db_clt_host_name - type: keyword - - name: netscaler_db_database_name - type: keyword - - name: netscaler_db_login_flags - type: long - - name: netscaler_db_protocol_name - type: short - - name: netscaler_db_req_string - type: keyword - - name: netscaler_db_req_type - type: short - - name: netscaler_db_resp_length - type: long - - name: netscaler_db_resp_status - type: long - - name: 
netscaler_db_resp_status_string - type: keyword - - name: netscaler_db_user_name - type: keyword - - name: netscaler_flow_flags - type: long - - name: netscaler_http_client_interaction_end_time - type: keyword - - name: netscaler_http_client_interaction_start_time - type: keyword - - name: netscaler_http_client_render_end_time - type: keyword - - name: netscaler_http_client_render_start_time - type: keyword - - name: netscaler_http_content_type - type: keyword - - name: netscaler_http_domain_name - type: keyword - - name: netscaler_http_req_authorization - type: keyword - - name: netscaler_http_req_cookie - type: keyword - - name: netscaler_http_req_forw_fb - type: long - - name: netscaler_http_req_forw_lb - type: long - - name: netscaler_http_req_host - type: keyword - - name: netscaler_http_req_method - type: keyword - - name: netscaler_http_req_rcv_fb - type: long - - name: netscaler_http_req_rcv_lb - type: long - - name: netscaler_http_req_referer - type: keyword - - name: netscaler_http_req_url - type: keyword - - name: netscaler_http_req_user_agent - type: keyword - - name: netscaler_http_req_via - type: keyword - - name: netscaler_http_req_xforwarded_for - type: keyword - - name: netscaler_http_res_forw_fb - type: long - - name: netscaler_http_res_forw_lb - type: long - - name: netscaler_http_res_location - type: keyword - - name: netscaler_http_res_rcv_fb - type: long - - name: netscaler_http_res_rcv_lb - type: long - - name: netscaler_http_res_set_cookie - type: keyword - - name: netscaler_http_res_set_cookie2 - type: keyword - - name: netscaler_http_rsp_len - type: long - - name: netscaler_http_rsp_status - type: integer - - name: netscaler_ica_app_module_path - type: keyword - - name: netscaler_ica_app_process_id - type: long - - name: netscaler_ica_application_name - type: keyword - - name: netscaler_ica_application_termination_time - type: long - - name: netscaler_ica_application_termination_type - type: integer - - name: netscaler_ica_channel_id1 - 
type: long - - name: netscaler_ica_channel_id1_bytes - type: long - - name: netscaler_ica_channel_id2 - type: long - - name: netscaler_ica_channel_id2_bytes - type: long - - name: netscaler_ica_channel_id3 - type: long - - name: netscaler_ica_channel_id3_bytes - type: long - - name: netscaler_ica_channel_id4 - type: long - - name: netscaler_ica_channel_id4_bytes - type: long - - name: netscaler_ica_channel_id5 - type: long - - name: netscaler_ica_channel_id5_bytes - type: long - - name: netscaler_ica_client_host_name - type: keyword - - name: netscaler_ica_client_ip - type: ip - - name: netscaler_ica_client_launcher - type: integer - - name: netscaler_ica_client_side_rto_count - type: integer - - name: netscaler_ica_client_side_window_size - type: integer - - name: netscaler_ica_client_type - type: integer - - name: netscaler_ica_clientside_delay - type: long - - name: netscaler_ica_clientside_jitter - type: long - - name: netscaler_ica_clientside_packets_retransmit - type: integer - - name: netscaler_ica_clientside_rtt - type: long - - name: netscaler_ica_clientside_rx_bytes - type: long - - name: netscaler_ica_clientside_srtt - type: long - - name: netscaler_ica_clientside_tx_bytes - type: long - - name: netscaler_ica_connection_priority - type: integer - - name: netscaler_ica_device_serial_no - type: long - - name: netscaler_ica_domain_name - type: keyword - - name: netscaler_ica_flags - type: long - - name: netscaler_ica_host_delay - type: long - - name: netscaler_ica_l7_client_latency - type: long - - name: netscaler_ica_l7_server_latency - type: long - - name: netscaler_ica_launch_mechanism - type: integer - - name: netscaler_ica_network_update_end_time - type: long - - name: netscaler_ica_network_update_start_time - type: long - - name: netscaler_ica_rtt - type: long - - name: netscaler_ica_server_name - type: keyword - - name: netscaler_ica_server_side_rto_count - type: integer - - name: netscaler_ica_server_side_window_size - type: integer - - name: 
netscaler_ica_serverside_delay - type: long - - name: netscaler_ica_serverside_jitter - type: long - - name: netscaler_ica_serverside_packets_retransmit - type: integer - - name: netscaler_ica_serverside_rtt - type: long - - name: netscaler_ica_serverside_srtt - type: long - - name: netscaler_ica_session_end_time - type: long - - name: netscaler_ica_session_guid - type: short - - name: netscaler_ica_session_reconnects - type: short - - name: netscaler_ica_session_setup_time - type: long - - name: netscaler_ica_session_update_begin_sec - type: long - - name: netscaler_ica_session_update_end_sec - type: long - - name: netscaler_ica_username - type: keyword - - name: netscaler_license_type - type: short - - name: netscaler_main_page_core_id - type: long - - name: netscaler_main_page_id - type: long - - name: netscaler_max_license_count - type: long - - name: netscaler_msi_client_cookie - type: short - - name: netscaler_round_trip_time - type: long - - name: netscaler_server_ttfb - type: long - - name: netscaler_server_ttlb - type: long - - name: netscaler_syslog_message - type: keyword - - name: netscaler_syslog_priority - type: short - - name: netscaler_syslog_timestamp - type: long - - name: netscaler_transaction_id - type: long - - name: netscaler_unknown270 - type: long - - name: netscaler_unknown271 - type: long - - name: netscaler_unknown272 - type: long - - name: netscaler_unknown273 - type: long - - name: netscaler_unknown274 - type: long - - name: netscaler_unknown275 - type: long - - name: netscaler_unknown276 - type: long - - name: netscaler_unknown277 - type: long - - name: netscaler_unknown278 - type: long - - name: netscaler_unknown279 - type: long - - name: netscaler_unknown280 - type: long - - name: netscaler_unknown281 - type: long - - name: netscaler_unknown282 - type: long - - name: netscaler_unknown283 - type: long - - name: netscaler_unknown284 - type: long - - name: netscaler_unknown285 - type: long - - name: netscaler_unknown286 - type: long - - 
name: netscaler_unknown287 - type: long - - name: netscaler_unknown288 - type: long - - name: netscaler_unknown289 - type: long - - name: netscaler_unknown290 - type: long - - name: netscaler_unknown291 - type: long - - name: netscaler_unknown292 - type: long - - name: netscaler_unknown293 - type: long - - name: netscaler_unknown294 - type: long - - name: netscaler_unknown295 - type: long - - name: netscaler_unknown296 - type: long - - name: netscaler_unknown297 - type: long - - name: netscaler_unknown298 - type: long - - name: netscaler_unknown299 - type: long - - name: netscaler_unknown300 - type: long - - name: netscaler_unknown301 - type: long - - name: netscaler_unknown302 - type: long - - name: netscaler_unknown303 - type: long - - name: netscaler_unknown304 - type: long - - name: netscaler_unknown305 - type: long - - name: netscaler_unknown306 - type: long - - name: netscaler_unknown307 - type: long - - name: netscaler_unknown308 - type: long - - name: netscaler_unknown309 - type: long - - name: netscaler_unknown310 - type: long - - name: netscaler_unknown311 - type: long - - name: netscaler_unknown312 - type: long - - name: netscaler_unknown313 - type: long - - name: netscaler_unknown314 - type: long - - name: netscaler_unknown315 - type: long - - name: netscaler_unknown316 - type: keyword - - name: netscaler_unknown317 - type: long - - name: netscaler_unknown318 - type: long - - name: netscaler_unknown319 - type: keyword - - name: netscaler_unknown320 - type: integer - - name: netscaler_unknown321 - type: long - - name: netscaler_unknown322 - type: long - - name: netscaler_unknown323 - type: integer - - name: netscaler_unknown324 - type: integer - - name: netscaler_unknown325 - type: integer - - name: netscaler_unknown326 - type: integer - - name: netscaler_unknown327 - type: long - - name: netscaler_unknown328 - type: integer - - name: netscaler_unknown329 - type: integer - - name: netscaler_unknown330 - type: integer - - name: netscaler_unknown331 - 
type: integer - - name: netscaler_unknown332 - type: long - - name: netscaler_unknown333 - type: keyword - - name: netscaler_unknown334 - type: keyword - - name: netscaler_unknown335 - type: long - - name: netscaler_unknown336 - type: long - - name: netscaler_unknown337 - type: long - - name: netscaler_unknown338 - type: long - - name: netscaler_unknown339 - type: long - - name: netscaler_unknown340 - type: long - - name: netscaler_unknown341 - type: long - - name: netscaler_unknown342 - type: long - - name: netscaler_unknown343 - type: long - - name: netscaler_unknown344 - type: long - - name: netscaler_unknown345 - type: long - - name: netscaler_unknown346 - type: long - - name: netscaler_unknown347 - type: long - - name: netscaler_unknown348 - type: integer - - name: netscaler_unknown349 - type: keyword - - name: netscaler_unknown350 - type: keyword - - name: netscaler_unknown351 - type: keyword - - name: netscaler_unknown352 - type: integer - - name: netscaler_unknown353 - type: long - - name: netscaler_unknown354 - type: long - - name: netscaler_unknown355 - type: long - - name: netscaler_unknown356 - type: long - - name: netscaler_unknown357 - type: long - - name: netscaler_unknown363 - type: short - - name: netscaler_unknown383 - type: short - - name: netscaler_unknown391 - type: long - - name: netscaler_unknown398 - type: long - - name: netscaler_unknown404 - type: long - - name: netscaler_unknown405 - type: long - - name: netscaler_unknown427 - type: long - - name: netscaler_unknown429 - type: short - - name: netscaler_unknown432 - type: short - - name: netscaler_unknown433 - type: short - - name: netscaler_unknown453 - type: long - - name: netscaler_unknown465 - type: long - - name: new_connection_delta_count - type: long - - name: next_header_ipv6 - type: short - - name: non_empty_packet_count - type: long - - name: not_sent_flow_total_count - type: long - - name: not_sent_layer2_octet_total_count - type: long - - name: not_sent_octet_total_count - type: 
long - - name: not_sent_packet_total_count - type: long - - name: observation_domain_id - type: long - - name: observation_domain_name - type: keyword - - name: observation_point_id - type: long - - name: observation_point_type - type: short - - name: observation_time_microseconds - type: date - - name: observation_time_milliseconds - type: date - - name: observation_time_nanoseconds - type: date - - name: observation_time_seconds - type: date - - name: observed_flow_total_count - type: long - - name: octet_delta_count - type: long - - name: octet_delta_sum_of_squares - type: long - - name: octet_total_count - type: long - - name: octet_total_sum_of_squares - type: long - - name: opaque_octets - type: short - - name: original_exporter_ipv4_address - type: ip - - name: original_exporter_ipv6_address - type: ip - - name: original_flows_completed - type: long - - name: original_flows_initiated - type: long - - name: original_flows_present - type: long - - name: original_observation_domain_id - type: long - - name: os_finger_print - type: keyword - - name: os_name - type: keyword - - name: os_version - type: keyword - - name: p2p_technology - type: keyword - - name: packet_delta_count - type: long - - name: packet_total_count - type: long - - name: padding_octets - type: short - - name: payload - type: keyword - - name: payload_entropy - type: short - - name: payload_length_ipv6 - type: integer - - name: policy_qos_classification_hierarchy - type: long - - name: policy_qos_queue_index - type: long - - name: policy_qos_queuedrops - type: long - - name: policy_qos_queueindex - type: long - - name: port_id - type: long - - name: port_range_end - type: integer - - name: port_range_num_ports - type: integer - - name: port_range_start - type: integer - - name: port_range_step_size - type: integer - - name: post_destination_mac_address - type: keyword - - name: post_dot1q_customer_vlan_id - type: integer - - name: post_dot1q_vlan_id - type: integer - - name: 
post_ip_class_of_service - type: short - - name: post_ip_diff_serv_code_point - type: short - - name: post_ip_precedence - type: short - - name: post_layer2_octet_delta_count - type: long - - name: post_layer2_octet_total_count - type: long - - name: post_mcast_layer2_octet_delta_count - type: long - - name: post_mcast_layer2_octet_total_count - type: long - - name: post_mcast_octet_delta_count - type: long - - name: post_mcast_octet_total_count - type: long - - name: post_mcast_packet_delta_count - type: long - - name: post_mcast_packet_total_count - type: long - - name: post_mpls_top_label_exp - type: short - - name: post_napt_destination_transport_port - type: integer - - name: post_napt_source_transport_port - type: integer - - name: post_nat_destination_ipv4_address - type: ip - - name: post_nat_destination_ipv6_address - type: ip - - name: post_nat_source_ipv4_address - type: ip - - name: post_nat_source_ipv6_address - type: ip - - name: post_octet_delta_count - type: long - - name: post_octet_total_count - type: long - - name: post_packet_delta_count - type: long - - name: post_packet_total_count - type: long - - name: post_source_mac_address - type: keyword - - name: post_vlan_id - type: integer - - name: private_enterprise_number - type: long - - name: procera_apn - type: keyword - - name: procera_base_service - type: keyword - - name: procera_content_categories - type: keyword - - name: procera_device_id - type: long - - name: procera_external_rtt - type: integer - - name: procera_flow_behavior - type: keyword - - name: procera_ggsn - type: keyword - - name: procera_http_content_type - type: keyword - - name: procera_http_file_length - type: long - - name: procera_http_language - type: keyword - - name: procera_http_location - type: keyword - - name: procera_http_referer - type: keyword - - name: procera_http_request_method - type: keyword - - name: procera_http_request_version - type: keyword - - name: procera_http_response_status - type: integer - - 
name: procera_http_url - type: keyword - - name: procera_http_user_agent - type: keyword - - name: procera_imsi - type: long - - name: procera_incoming_octets - type: long - - name: procera_incoming_packets - type: long - - name: procera_incoming_shaping_drops - type: long - - name: procera_incoming_shaping_latency - type: integer - - name: procera_internal_rtt - type: integer - - name: procera_local_ipv4_host - type: ip - - name: procera_local_ipv6_host - type: ip - - name: procera_msisdn - type: long - - name: procera_outgoing_octets - type: long - - name: procera_outgoing_packets - type: long - - name: procera_outgoing_shaping_drops - type: long - - name: procera_outgoing_shaping_latency - type: integer - - name: procera_property - type: keyword - - name: procera_qoe_incoming_external - type: float - - name: procera_qoe_incoming_internal - type: float - - name: procera_qoe_outgoing_external - type: float - - name: procera_qoe_outgoing_internal - type: float - - name: procera_rat - type: keyword - - name: procera_remote_ipv4_host - type: ip - - name: procera_remote_ipv6_host - type: ip - - name: procera_rnc - type: integer - - name: procera_server_hostname - type: keyword - - name: procera_service - type: keyword - - name: procera_sgsn - type: keyword - - name: procera_subscriber_identifier - type: keyword - - name: procera_template_name - type: keyword - - name: procera_user_location_information - type: keyword - - name: protocol_identifier - type: short - - name: pseudo_wire_control_word - type: long - - name: pseudo_wire_destination_ipv4_address - type: ip - - name: pseudo_wire_id - type: long - - name: pseudo_wire_type - type: integer - - name: reason - type: long - - name: reason_text - type: keyword - - name: relative_error - type: double - - name: responder_octets - type: long - - name: responder_packets - type: long - - name: reverse_absolute_error - type: double - - name: reverse_anonymization_flags - type: integer - - name: 
reverse_anonymization_technique - type: integer - - name: reverse_application_category_name - type: keyword - - name: reverse_application_description - type: keyword - - name: reverse_application_group_name - type: keyword - - name: reverse_application_id - type: keyword - - name: reverse_application_name - type: keyword - - name: reverse_application_sub_category_name - type: keyword - - name: reverse_average_interarrival_time - type: long - - name: reverse_bgp_destination_as_number - type: long - - name: reverse_bgp_next_adjacent_as_number - type: long - - name: reverse_bgp_next_hop_ipv4_address - type: ip - - name: reverse_bgp_next_hop_ipv6_address - type: ip - - name: reverse_bgp_prev_adjacent_as_number - type: long - - name: reverse_bgp_source_as_number - type: long - - name: reverse_bgp_validity_state - type: short - - name: reverse_class_id - type: short - - name: reverse_class_name - type: keyword - - name: reverse_classification_engine_id - type: short - - name: reverse_collection_time_milliseconds - type: long - - name: reverse_collector_certificate - type: keyword - - name: reverse_confidence_level - type: double - - name: reverse_connection_sum_duration_seconds - type: long - - name: reverse_connection_transaction_id - type: long - - name: reverse_data_byte_count - type: long - - name: reverse_data_link_frame_section - type: keyword - - name: reverse_data_link_frame_size - type: integer - - name: reverse_data_link_frame_type - type: integer - - name: reverse_data_records_reliability - type: short - - name: reverse_delta_flow_count - type: long - - name: reverse_destination_ipv4_address - type: ip - - name: reverse_destination_ipv4_prefix - type: ip - - name: reverse_destination_ipv4_prefix_length - type: short - - name: reverse_destination_ipv6_address - type: ip - - name: reverse_destination_ipv6_prefix - type: ip - - name: reverse_destination_ipv6_prefix_length - type: short - - name: reverse_destination_mac_address - type: keyword - - name: 
reverse_destination_transport_port - type: integer - - name: reverse_digest_hash_value - type: long - - name: reverse_distinct_count_of_destination_ip_address - type: long - - name: reverse_distinct_count_of_destination_ipv4_address - type: long - - name: reverse_distinct_count_of_destination_ipv6_address - type: long - - name: reverse_distinct_count_of_source_ip_address - type: long - - name: reverse_distinct_count_of_source_ipv4_address - type: long - - name: reverse_distinct_count_of_source_ipv6_address - type: long - - name: reverse_dot1q_customer_dei - type: short - - name: reverse_dot1q_customer_destination_mac_address - type: keyword - - name: reverse_dot1q_customer_priority - type: short - - name: reverse_dot1q_customer_source_mac_address - type: keyword - - name: reverse_dot1q_customer_vlan_id - type: integer - - name: reverse_dot1q_dei - type: short - - name: reverse_dot1q_priority - type: short - - name: reverse_dot1q_service_instance_id - type: long - - name: reverse_dot1q_service_instance_priority - type: short - - name: reverse_dot1q_service_instance_tag - type: keyword - - name: reverse_dot1q_vlan_id - type: integer - - name: reverse_dropped_layer2_octet_delta_count - type: long - - name: reverse_dropped_layer2_octet_total_count - type: long - - name: reverse_dropped_octet_delta_count - type: long - - name: reverse_dropped_octet_total_count - type: long - - name: reverse_dropped_packet_delta_count - type: long - - name: reverse_dropped_packet_total_count - type: long - - name: reverse_dst_traffic_index - type: long - - name: reverse_egress_broadcast_packet_total_count - type: long - - name: reverse_egress_interface - type: long - - name: reverse_egress_interface_type - type: long - - name: reverse_egress_physical_interface - type: long - - name: reverse_egress_unicast_packet_total_count - type: long - - name: reverse_egress_vrfid - type: long - - name: reverse_encrypted_technology - type: keyword - - name: reverse_engine_id - type: short - - name: 
reverse_engine_type - type: short - - name: reverse_ethernet_header_length - type: short - - name: reverse_ethernet_payload_length - type: integer - - name: reverse_ethernet_total_length - type: integer - - name: reverse_ethernet_type - type: integer - - name: reverse_export_sctp_stream_id - type: integer - - name: reverse_exporter_certificate - type: keyword - - name: reverse_exporting_process_id - type: long - - name: reverse_firewall_event - type: short - - name: reverse_first_non_empty_packet_size - type: integer - - name: reverse_first_packet_banner - type: keyword - - name: reverse_flags_and_sampler_id - type: long - - name: reverse_flow_active_timeout - type: integer - - name: reverse_flow_attributes - type: integer - - name: reverse_flow_delta_milliseconds - type: long - - name: reverse_flow_direction - type: short - - name: reverse_flow_duration_microseconds - type: long - - name: reverse_flow_duration_milliseconds - type: long - - name: reverse_flow_end_delta_microseconds - type: long - - name: reverse_flow_end_microseconds - type: long - - name: reverse_flow_end_milliseconds - type: long - - name: reverse_flow_end_nanoseconds - type: long - - name: reverse_flow_end_reason - type: short - - name: reverse_flow_end_seconds - type: long - - name: reverse_flow_end_sys_up_time - type: long - - name: reverse_flow_idle_timeout - type: integer - - name: reverse_flow_label_ipv6 - type: long - - name: reverse_flow_sampling_time_interval - type: long - - name: reverse_flow_sampling_time_spacing - type: long - - name: reverse_flow_selected_flow_delta_count - type: long - - name: reverse_flow_selected_octet_delta_count - type: long - - name: reverse_flow_selected_packet_delta_count - type: long - - name: reverse_flow_selector_algorithm - type: integer - - name: reverse_flow_start_delta_microseconds - type: long - - name: reverse_flow_start_microseconds - type: long - - name: reverse_flow_start_milliseconds - type: long - - name: reverse_flow_start_nanoseconds - type: 
long - - name: reverse_flow_start_seconds - type: long - - name: reverse_flow_start_sys_up_time - type: long - - name: reverse_forwarding_status - type: long - - name: reverse_fragment_flags - type: short - - name: reverse_fragment_identification - type: long - - name: reverse_fragment_offset - type: integer - - name: reverse_gre_key - type: long - - name: reverse_hash_digest_output - type: short - - name: reverse_hash_flow_domain - type: integer - - name: reverse_hash_initialiser_value - type: long - - name: reverse_hash_ip_payload_offset - type: long - - name: reverse_hash_ip_payload_size - type: long - - name: reverse_hash_output_range_max - type: long - - name: reverse_hash_output_range_min - type: long - - name: reverse_hash_selected_range_max - type: long - - name: reverse_hash_selected_range_min - type: long - - name: reverse_icmp_code_ipv4 - type: short - - name: reverse_icmp_code_ipv6 - type: short - - name: reverse_icmp_type_code_ipv4 - type: integer - - name: reverse_icmp_type_code_ipv6 - type: integer - - name: reverse_icmp_type_ipv4 - type: short - - name: reverse_icmp_type_ipv6 - type: short - - name: reverse_igmp_type - type: short - - name: reverse_ignored_data_record_total_count - type: long - - name: reverse_ignored_layer2_frame_total_count - type: long - - name: reverse_ignored_layer2_octet_total_count - type: long - - name: reverse_information_element_data_type - type: short - - name: reverse_information_element_description - type: keyword - - name: reverse_information_element_id - type: integer - - name: reverse_information_element_index - type: integer - - name: reverse_information_element_name - type: keyword - - name: reverse_information_element_range_begin - type: long - - name: reverse_information_element_range_end - type: long - - name: reverse_information_element_semantics - type: short - - name: reverse_information_element_units - type: integer - - name: reverse_ingress_broadcast_packet_total_count - type: long - - name: 
reverse_ingress_interface - type: long - - name: reverse_ingress_interface_type - type: long - - name: reverse_ingress_multicast_packet_total_count - type: long - - name: reverse_ingress_physical_interface - type: long - - name: reverse_ingress_unicast_packet_total_count - type: long - - name: reverse_ingress_vrfid - type: long - - name: reverse_initial_tcp_flags - type: short - - name: reverse_initiator_octets - type: long - - name: reverse_initiator_packets - type: long - - name: reverse_interface_description - type: keyword - - name: reverse_interface_name - type: keyword - - name: reverse_intermediate_process_id - type: long - - name: reverse_ip_class_of_service - type: short - - name: reverse_ip_diff_serv_code_point - type: short - - name: reverse_ip_header_length - type: short - - name: reverse_ip_header_packet_section - type: keyword - - name: reverse_ip_next_hop_ipv4_address - type: ip - - name: reverse_ip_next_hop_ipv6_address - type: ip - - name: reverse_ip_payload_length - type: long - - name: reverse_ip_payload_packet_section - type: keyword - - name: reverse_ip_precedence - type: short - - name: reverse_ip_sec_spi - type: long - - name: reverse_ip_total_length - type: long - - name: reverse_ip_ttl - type: short - - name: reverse_ip_version - type: short - - name: reverse_ipv4_ihl - type: short - - name: reverse_ipv4_options - type: long - - name: reverse_ipv4_router_sc - type: ip - - name: reverse_ipv6_extension_headers - type: long - - name: reverse_is_multicast - type: short - - name: reverse_large_packet_count - type: long - - name: reverse_layer2_frame_delta_count - type: long - - name: reverse_layer2_frame_total_count - type: long - - name: reverse_layer2_octet_delta_count - type: long - - name: reverse_layer2_octet_delta_sum_of_squares - type: long - - name: reverse_layer2_octet_total_count - type: long - - name: reverse_layer2_octet_total_sum_of_squares - type: long - - name: reverse_layer2_segment_id - type: long - - name: 
reverse_layer2packet_section_data - type: keyword - - name: reverse_layer2packet_section_offset - type: integer - - name: reverse_layer2packet_section_size - type: integer - - name: reverse_line_card_id - type: long - - name: reverse_lower_ci_limit - type: double - - name: reverse_max_export_seconds - type: long - - name: reverse_max_flow_end_microseconds - type: long - - name: reverse_max_flow_end_milliseconds - type: long - - name: reverse_max_flow_end_nanoseconds - type: long - - name: reverse_max_flow_end_seconds - type: long - - name: reverse_max_packet_size - type: integer - - name: reverse_maximum_ip_total_length - type: long - - name: reverse_maximum_layer2_total_length - type: long - - name: reverse_maximum_ttl - type: short - - name: reverse_message_md5_checksum - type: keyword - - name: reverse_message_scope - type: short - - name: reverse_metering_process_id - type: long - - name: reverse_metro_evc_id - type: keyword - - name: reverse_metro_evc_type - type: short - - name: reverse_min_export_seconds - type: long - - name: reverse_min_flow_start_microseconds - type: long - - name: reverse_min_flow_start_milliseconds - type: long - - name: reverse_min_flow_start_nanoseconds - type: long - - name: reverse_min_flow_start_seconds - type: long - - name: reverse_minimum_ip_total_length - type: long - - name: reverse_minimum_layer2_total_length - type: long - - name: reverse_minimum_ttl - type: short - - name: reverse_monitoring_interval_end_milli_seconds - type: long - - name: reverse_monitoring_interval_start_milli_seconds - type: long - - name: reverse_mpls_label_stack_depth - type: long - - name: reverse_mpls_label_stack_length - type: long - - name: reverse_mpls_label_stack_section - type: keyword - - name: reverse_mpls_label_stack_section10 - type: keyword - - name: reverse_mpls_label_stack_section2 - type: keyword - - name: reverse_mpls_label_stack_section3 - type: keyword - - name: reverse_mpls_label_stack_section4 - type: keyword - - name: 
reverse_mpls_label_stack_section5 - type: keyword - - name: reverse_mpls_label_stack_section6 - type: keyword - - name: reverse_mpls_label_stack_section7 - type: keyword - - name: reverse_mpls_label_stack_section8 - type: keyword - - name: reverse_mpls_label_stack_section9 - type: keyword - - name: reverse_mpls_payload_length - type: long - - name: reverse_mpls_payload_packet_section - type: keyword - - name: reverse_mpls_top_label_exp - type: short - - name: reverse_mpls_top_label_ipv4_address - type: ip - - name: reverse_mpls_top_label_ipv6_address - type: ip - - name: reverse_mpls_top_label_prefix_length - type: short - - name: reverse_mpls_top_label_stack_section - type: keyword - - name: reverse_mpls_top_label_ttl - type: short - - name: reverse_mpls_top_label_type - type: short - - name: reverse_mpls_vpn_route_distinguisher - type: keyword - - name: reverse_multicast_replication_factor - type: long - - name: reverse_nat_event - type: short - - name: reverse_nat_originating_address_realm - type: short - - name: reverse_nat_pool_id - type: long - - name: reverse_nat_pool_name - type: keyword - - name: reverse_nat_type - type: short - - name: reverse_new_connection_delta_count - type: long - - name: reverse_next_header_ipv6 - type: short - - name: reverse_non_empty_packet_count - type: long - - name: reverse_not_sent_layer2_octet_total_count - type: long - - name: reverse_observation_domain_name - type: keyword - - name: reverse_observation_point_id - type: long - - name: reverse_observation_point_type - type: short - - name: reverse_observation_time_microseconds - type: long - - name: reverse_observation_time_milliseconds - type: long - - name: reverse_observation_time_nanoseconds - type: long - - name: reverse_observation_time_seconds - type: long - - name: reverse_octet_delta_count - type: long - - name: reverse_octet_delta_sum_of_squares - type: long - - name: reverse_octet_total_count - type: long - - name: reverse_octet_total_sum_of_squares - type: long - 
- name: reverse_opaque_octets
- type: keyword
- - name: reverse_original_exporter_ipv4_address
- type: ip
- - name: reverse_original_exporter_ipv6_address
- type: ip
- - name: reverse_original_flows_completed
- type: long
- - name: reverse_original_flows_initiated
- type: long
- - name: reverse_original_flows_present
- type: long
- - name: reverse_original_observation_domain_id
- type: long
- - name: reverse_os_finger_print
- type: keyword
- - name: reverse_os_name
- type: keyword
- - name: reverse_os_version
- type: keyword
- - name: reverse_p2p_technology
- type: keyword
- - name: reverse_packet_delta_count
- type: long
- - name: reverse_packet_total_count
- type: long
- - name: reverse_payload
- type: keyword
- - name: reverse_payload_entropy
- type: short
- - name: reverse_payload_length_ipv6
- type: integer
- - name: reverse_port_id
- type: long
- - name: reverse_port_range_end
- type: integer
- - name: reverse_port_range_num_ports
- type: integer
- - name: reverse_port_range_start
- type: integer
- - name: reverse_port_range_step_size
- type: integer
- - name: reverse_post_destination_mac_address
- type: keyword
- - name: reverse_post_dot1q_customer_vlan_id
- type: integer
- - name: reverse_post_dot1q_vlan_id
- type: integer
- - name: reverse_post_ip_class_of_service
- type: short
- - name: reverse_post_ip_diff_serv_code_point
- type: short
- - name: reverse_post_ip_precedence
- type: short
- - name: reverse_post_layer2_octet_delta_count
- type: long
- - name: reverse_post_layer2_octet_total_count
- type: long
- - name: reverse_post_mcast_layer2_octet_delta_count
- type: long
- - name: reverse_post_mcast_layer2_octet_total_count
- type: long
- - name: reverse_post_mcast_octet_delta_count
- type: long
- - name: reverse_post_mcast_octet_total_count
- type: long
- - name: reverse_post_mcast_packet_delta_count
- type: long
- - name: reverse_post_mcast_packet_total_count
- type: long
- - name: reverse_post_mpls_top_label_exp
- type: short
- - name: reverse_post_napt_destination_transport_port
- type: integer
- - name: reverse_post_napt_source_transport_port
- type: integer
- - name: reverse_post_nat_destination_ipv4_address
- type: ip
- - name: reverse_post_nat_destination_ipv6_address
- type: ip
- - name: reverse_post_nat_source_ipv4_address
- type: ip
- - name: reverse_post_nat_source_ipv6_address
- type: ip
- - name: reverse_post_octet_delta_count
- type: long
- - name: reverse_post_octet_total_count
- type: long
- - name: reverse_post_packet_delta_count
- type: long
- - name: reverse_post_packet_total_count
- type: long
- - name: reverse_post_source_mac_address
- type: keyword
- - name: reverse_post_vlan_id
- type: integer
- - name: reverse_private_enterprise_number
- type: long
- - name: reverse_protocol_identifier
- type: short
- - name: reverse_pseudo_wire_control_word
- type: long
- - name: reverse_pseudo_wire_destination_ipv4_address
- type: ip
- - name: reverse_pseudo_wire_id
- type: long
- - name: reverse_pseudo_wire_type
- type: integer
- - name: reverse_relative_error
- type: double
- - name: reverse_responder_octets
- type: long
- - name: reverse_responder_packets
- type: long
- - name: reverse_rfc3550_jitter_microseconds
- type: long
- - name: reverse_rfc3550_jitter_milliseconds
- type: long
- - name: reverse_rfc3550_jitter_nanoseconds
- type: long
- - name: reverse_rtp_payload_type
- type: short
- - name: reverse_rtp_sequence_number
- type: integer
- - name: reverse_sampler_id
- type: short
- - name: reverse_sampler_mode
- type: short
- - name: reverse_sampler_name
- type: keyword
- - name: reverse_sampler_random_interval
- type: long
- - name: reverse_sampling_algorithm
- type: short
- - name: reverse_sampling_flow_interval
- type: long
- - name: reverse_sampling_flow_spacing
- type: long
- - name: reverse_sampling_interval
- type: long
- - name: reverse_sampling_packet_interval
- type: long
- - name: reverse_sampling_packet_space
- type: long
- - name: reverse_sampling_population
- type: long
- - name: reverse_sampling_probability
- type: double
- - name: reverse_sampling_size
- type: long
- - name: reverse_sampling_time_interval
- type: long
- - name: reverse_sampling_time_space
- type: long
- - name: reverse_second_packet_banner
- type: keyword
- - name: reverse_section_exported_octets
- type: integer
- - name: reverse_section_offset
- type: integer
- - name: reverse_selection_sequence_id
- type: long
- - name: reverse_selector_algorithm
- type: integer
- - name: reverse_selector_id
- type: long
- - name: reverse_selector_id_total_flows_observed
- type: long
- - name: reverse_selector_id_total_flows_selected
- type: long
- - name: reverse_selector_id_total_pkts_observed
- type: long
- - name: reverse_selector_id_total_pkts_selected
- type: long
- - name: reverse_selector_name
- type: keyword
- - name: reverse_session_scope
- type: short
- - name: reverse_small_packet_count
- type: long
- - name: reverse_source_ipv4_address
- type: ip
- - name: reverse_source_ipv4_prefix
- type: ip
- - name: reverse_source_ipv4_prefix_length
- type: short
- - name: reverse_source_ipv6_address
- type: ip
- - name: reverse_source_ipv6_prefix
- type: ip
- - name: reverse_source_ipv6_prefix_length
- type: short
- - name: reverse_source_mac_address
- type: keyword
- - name: reverse_source_transport_port
- type: integer
- - name: reverse_src_traffic_index
- type: long
- - name: reverse_sta_ipv4_address
- type: ip
- - name: reverse_sta_mac_address
- type: keyword
- - name: reverse_standard_deviation_interarrival_time
- type: long
- - name: reverse_standard_deviation_payload_length
- type: integer
- - name: reverse_system_init_time_milliseconds
- type: long
- - name: reverse_tcp_ack_total_count
- type: long
- - name: reverse_tcp_acknowledgement_number
- type: long
- - name: reverse_tcp_control_bits
- type: integer
- - name: reverse_tcp_destination_port
- type: integer
- - name: reverse_tcp_fin_total_count
- type: long
- - name: reverse_tcp_header_length
- type: short
- - name: reverse_tcp_options
- type: long
- - name: reverse_tcp_psh_total_count
- type: long
- - name: reverse_tcp_rst_total_count
- type: long
- - name: reverse_tcp_sequence_number
- type: long
- - name: reverse_tcp_source_port
- type: integer
- - name: reverse_tcp_syn_total_count
- type: long
- - name: reverse_tcp_urg_total_count
- type: long
- - name: reverse_tcp_urgent_pointer
- type: integer
- - name: reverse_tcp_window_scale
- type: integer
- - name: reverse_tcp_window_size
- type: integer
- - name: reverse_total_length_ipv4
- type: integer
- - name: reverse_transport_octet_delta_count
- type: long
- - name: reverse_transport_packet_delta_count
- type: long
- - name: reverse_tunnel_technology
- type: keyword
- - name: reverse_udp_destination_port
- type: integer
- - name: reverse_udp_message_length
- type: integer
- - name: reverse_udp_source_port
- type: integer
- - name: reverse_union_tcp_flags
- type: short
- - name: reverse_upper_ci_limit
- type: double
- - name: reverse_user_name
- type: keyword
- - name: reverse_value_distribution_method
- type: short
- - name: reverse_virtual_station_interface_id
- type: keyword
- - name: reverse_virtual_station_interface_name
- type: keyword
- - name: reverse_virtual_station_name
- type: keyword
- - name: reverse_virtual_station_uuid
- type: keyword
- - name: reverse_vlan_id
- type: integer
- - name: reverse_vr_fname
- type: keyword
- - name: reverse_wlan_channel_id
- type: short
- - name: reverse_wlan_ssid
- type: keyword
- - name: reverse_wtp_mac_address
- type: keyword
- - name: rfc3550_jitter_microseconds
- type: long
- - name: rfc3550_jitter_milliseconds
- type: long
- - name: rfc3550_jitter_nanoseconds
- type: long
- - name: rtp_payload_type
- type: short
- - name: rtp_sequence_number
- type: integer
- - name: sampler_id
- type: short
- - name: sampler_mode
- type: short
- - name: sampler_name
- type: keyword
- - name: sampler_random_interval
- type: long
- - name: sampling_algorithm
- type: short
- - name: sampling_flow_interval
- type: long
- - name: sampling_flow_spacing
- type: long
- - name: sampling_interval
- type: long
- - name: sampling_packet_interval
- type: long
- - name: sampling_packet_space
- type: long
- - name: sampling_population
- type: long
- - name: sampling_probability
- type: double
- - name: sampling_size
- type: long
- - name: sampling_time_interval
- type: long
- - name: sampling_time_space
- type: long
- - name: second_packet_banner
- type: keyword
- - name: section_exported_octets
- type: integer
- - name: section_offset
- type: integer
- - name: selection_sequence_id
- type: long
- - name: selector_algorithm
- type: integer
- - name: selector_id
- type: long
- - name: selector_id_total_flows_observed
- type: long
- - name: selector_id_total_flows_selected
- type: long
- - name: selector_id_total_pkts_observed
- type: long
- - name: selector_id_total_pkts_selected
- type: long
- - name: selector_name
- type: keyword
- - name: service_name
- type: keyword
- - name: session_scope
- type: short
- - name: silk_app_label
- type: integer
- - name: small_packet_count
- type: long
- - name: source_ipv4_address
- type: ip
- - name: source_ipv4_prefix
- type: ip
- - name: source_ipv4_prefix_length
- type: short
- - name: source_ipv6_address
- type: ip
- - name: source_ipv6_prefix
- type: ip
- - name: source_ipv6_prefix_length
- type: short
- - name: source_mac_address
- type: keyword
- - name: source_transport_port
- type: integer
- - name: source_transport_ports_limit
- type: integer
- - name: src_traffic_index
- type: long
- - name: ssl_cert_serial_number
- type: keyword
- - name: ssl_cert_signature
- type: keyword
- - name: ssl_cert_validity_not_after
- type: keyword
- - name: ssl_cert_validity_not_before
- type: keyword
- - name: ssl_cert_version
- type: short
- - name: ssl_certificate_hash
- type: keyword
- - name: ssl_cipher
- type: keyword
- - name: ssl_client_version
- type: short
- - name: ssl_compression_method
- type: short
- - name: ssl_object_type
- type: keyword
- - name: ssl_object_value
- type: keyword
- - name: ssl_public_key_algorithm
- type: keyword
- - name: ssl_public_key_length
- type: keyword
- - name: ssl_server_cipher
- type: long
- - name: ssl_server_name
- type: keyword
- - name: sta_ipv4_address
- type: ip
- - name: sta_mac_address
- type: keyword
- - name: standard_deviation_interarrival_time
- type: long
- - name: standard_deviation_payload_length
- type: short
- - name: system_init_time_milliseconds
- type: date
- - name: tcp_ack_total_count
- type: long
- - name: tcp_acknowledgement_number
- type: long
- - name: tcp_control_bits
- type: integer
- - name: tcp_destination_port
- type: integer
- - name: tcp_fin_total_count
- type: long
- - name: tcp_header_length
- type: short
- - name: tcp_options
- type: long
- - name: tcp_psh_total_count
- type: long
- - name: tcp_rst_total_count
- type: long
- - name: tcp_sequence_number
- type: long
- - name: tcp_source_port
- type: integer
- - name: tcp_syn_total_count
- type: long
- - name: tcp_urg_total_count
- type: long
- - name: tcp_urgent_pointer
- type: integer
- - name: tcp_window_scale
- type: integer
- - name: tcp_window_size
- type: integer
- - name: template_id
- type: integer
- - name: tftp_filename
- type: keyword
- - name: tftp_mode
- type: keyword
- - name: timestamp
- type: long
- - name: timestamp_absolute_monitoring-interval
- type: long
- - name: total_length_ipv4
- type: integer
- - name: traffic_type
- type: short
- - name: transport_octet_delta_count
- type: long
- - name: transport_packet_delta_count
- type: long
- - name: tunnel_technology
- type: keyword
- - name: udp_destination_port
- type: integer
- - name: udp_message_length
- type: integer
- - name: udp_source_port
- type: integer
- - name: union_tcp_flags
- type: short
- - name: upper_ci_limit
- type: double
- - name: user_name
- type: keyword
- - name: username
- type: keyword
- - name: value_distribution_method
- type: short
- - name: viptela_vpn_id
- type: long
- - name: virtual_station_interface_id
- type: short
- - name: virtual_station_interface_name
- type: keyword
- - name: virtual_station_name
- type: keyword
- - name: virtual_station_uuid
- type: short
- - name: vlan_id
- type: integer
- - name: vmware_egress_interface_attr
- type: integer
- - name: vmware_ingress_interface_attr
- type: integer
- - name: vmware_tenant_dest_ipv4
- type: ip
- - name: vmware_tenant_dest_ipv6
- type: ip
- - name: vmware_tenant_dest_port
- type: integer
- - name: vmware_tenant_protocol
- type: short
- - name: vmware_tenant_source_ipv4
- type: ip
- - name: vmware_tenant_source_ipv6
- type: ip
- - name: vmware_tenant_source_port
- type: integer
- - name: vmware_vxlan_export_role
- type: short
- - name: vpn_identifier
- type: short
- - name: vr_fname
- type: keyword
- - name: waasoptimization_segment
- type: short
- - name: wlan_channel_id
- type: short
- - name: wlan_ssid
- type: keyword
- - name: wtp_mac_address
- type: keyword
- - name: xlate_destination_address_ip_v4
- type: ip
- - name: xlate_destination_port
- type: integer
- - name: xlate_source_address_ip_v4
- type: ip
- - name: xlate_source_port
- type: integer
diff --git a/packages/netflow/2.2.4/data_stream/log/manifest.yml b/packages/netflow/2.2.4/data_stream/log/manifest.yml
deleted file mode 100755
index bf706ae5c5..0000000000
--- a/packages/netflow/2.2.4/data_stream/log/manifest.yml
+++ /dev/null
@@ -1,80 +0,0 @@
-title: NetFlow logs
-type: logs
-streams:
- - input: netflow
- template_path: netflow.yml.hbs
- title: Collect NetFlow logs
- description: Collect NetFlow logs using the netflow input
- vars:
- - name: host
- type: text
- title: UDP host to listen on
- multi: false
- required: true
- show_user: true
- default: localhost
- - name: port
- type: integer
- title: UDP port to listen on
- multi: false
- required: true
- show_user: true
- default: 2055
- - name: expiration_timeout
- type: text
- title: Time duration before an idle session or unused template is expired
- multi: false
- required: true
- show_user: false
- default: 30m
- - name: queue_size
- type: integer
- title: Maximum number of packets that can be queued for processing
- multi: false
- required: true
- show_user: false
- default: 8192
- - name: custom_definitions
- type: text
- title: Custom definitions
- multi: true
- required: false
- show_user: false
- default: ""
- - name: detect_sequence_reset
- type: bool
- title: Whether to detect sequence reset
- multi: false
- required: true
- show_user: false
- default: true
- - name: max_message_size
- type: text
- title: Maximum size of the message received over UDP
- multi: false
- required: true
- show_user: false
- default: 10KiB
- - name: tags
- type: text
- title: Tags
- multi: true
- required: false
- show_user: false
- default:
- - netflow
- - forwarded
- - name: timeout
- type: text
- title: Read timeout for socket operations
- multi: false
- required: false
- show_user: false
- - name: processors
- type: yaml
- title: Processors
- multi: false
- required: false
- show_user: false
- description: >- Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
diff --git a/packages/netflow/2.2.4/data_stream/log/sample_event.json b/packages/netflow/2.2.4/data_stream/log/sample_event.json
deleted file mode 100755
index 3e6f655051..0000000000
--- a/packages/netflow/2.2.4/data_stream/log/sample_event.json
+++ /dev/null
@@ -1,121 +0,0 @@
-{
- "@timestamp": "2018-07-03T10:47:00.000Z",
- "agent": {
- "ephemeral_id": "499040e3-2739-4333-bc0a-714aceaaa76b",
- "id": "f98d63fc-e620-4d4d-b16e-814a105b1bc9",
- "name": "docker-fleet-agent",
- "type": "filebeat",
- "version": "8.2.0"
- },
- "client": {
- "bytes": 719,
- "packets": 5
- },
- "data_stream": {
- "dataset": "netflow.log",
- "namespace": "ep",
- "type": "logs"
- },
- "destination": {
- "bytes": 0,
- "packets": 0
- },
- "ecs": {
- "version": "8.3.0"
- },
- "elastic_agent": {
- "id": "f98d63fc-e620-4d4d-b16e-814a105b1bc9",
- "snapshot": false,
- "version": "8.2.0"
- },
- "event": {
- "action": "netflow_flow",
- "agent_id_status": "verified",
- "category": [
- "network",
- "session"
- ],
- "created": "2022-05-12T09:08:00.955Z",
- "dataset": "netflow.log",
- "ingested": "2022-05-12T09:08:01Z",
- "kind": "event",
- "type": [
- "connection"
- ]
- },
- "flow": {
- "id": "Vhs9T5k296w",
- "locality": "internal"
- },
- "input": {
- "type": "netflow"
- },
- "netflow": {
- "application_id": [
- 3,
- 0,
- 0,
- 80
- ],
- "art_client_network_time_sum": 0,
- "art_count_late_responses": 0,
- "art_count_responses": 0,
- "art_count_retransmissions": 0,
- "art_count_transactions": 0,
- "art_network_time_sum": 0,
- "art_response_time_sum": 0,
- "art_server_network_time_sum": 0,
- "art_server_response_time_maximum": 0,
- "art_server_response_time_sum": 0,
- "art_total_response_time_sum": 0,
- "art_total_transaction_time_sum": 0,
- "biflow_direction": 1,
- "connection_sum_duration_seconds": 0,
- "egress_interface": 13,
- "exporter": {
- "address": "192.168.208.4:56750",
- "source_id": 512,
- "timestamp": "2018-07-03T10:47:00.000Z",
- "uptime_millis": 0,
- "version": 10
- },
- "flow_end_sys_up_time": 564184158,
- "flow_start_sys_up_time": 564184140,
- "ingress_interface": 10,
- "ingress_vrfid": 0,
- "initiator_octets": 719,
- "initiator_packets": 5,
- "ip_diff_serv_code_point": 0,
- "ip_ttl": 49,
- "new_connection_delta_count": 1,
- "protocol_identifier": 6,
- "responder_octets": 0,
- "responder_packets": 0,
- "type": "netflow_flow",
- "vlan_id": 0,
- "waasoptimization_segment": 16
- },
- "network": {
- "bytes": 719,
- "community_id": "1:idwO/QHAjbcGlF1bfQE9dPuu7T0=",
- "direction": "unknown",
- "iana_number": "6",
- "packets": 5,
- "transport": "tcp"
- },
- "observer": {
- "ip": "192.168.208.4"
- },
- "server": {
- "bytes": 0,
- "packets": 0
- },
- "source": {
- "bytes": 719,
- "packets": 5
- },
- "tags": [
- "netflow",
- "forwarded"
- ]
-}
\ No newline at end of file
diff --git a/packages/netflow/2.2.4/docs/README.md b/packages/netflow/2.2.4/docs/README.md
deleted file mode 100755
index 84d7b6f6e7..0000000000
--- a/packages/netflow/2.2.4/docs/README.md
+++ /dev/null
@@ -1,1787 +0,0 @@ -# Netflow Integration - -This integration is for receiving NetFlow and IPFIX flow records over UDP. -It supports NetFlow versions 1, 5, 6, 7, 8 and 9, as well as IPFIX. For NetFlow versions older than 9, fields are mapped automatically to NetFlow v9. - -For more information on Netflow and IPFIX, see: - -- [Cisco Systems NetFlow Services Export Version 9](https://www.ietf.org/rfc/rfc3954.txt) -- [Specification of the IP Flow Information Export (IPFIX) Protocol for the Exchange of Flow Information](https://www.ietf.org/rfc/rfc7011.txt) - -It includes the following dataset: - -- `log` dataset - -## Compatibility - -## Logs - -### log - -The `log` dataset collects netflow logs. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. | date | -| agent.ephemeral_id | Ephemeral identifier of this agent (if one exists). This id normally changes across restarts, but `agent.id` does not. | keyword | -| agent.id | Unique identifier of this agent (if one exists). Example: For Beats this would be beat.id. | keyword | -| agent.name | Custom name of the agent. This is a name that can be given to an agent. This can be helpful if for example two Filebeat instances are running on the same host but a human readable separation is needed on which Filebeat instance data is coming from. | keyword | -| agent.type | Type of the agent. The agent type always stays the same and should be given by the agent used. In case of Filebeat the agent would always be Filebeat also if two Filebeat instances are run on the same machine. | keyword | -| agent.version | Version of the agent. 
| keyword | -| as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| as.organization.name | Organization name. | keyword | -| as.organization.name.text | Multi-field of `as.organization.name`. | match_only_text | -| client.address | Some event client addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| client.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| client.as.organization.name | Organization name. | keyword | -| client.as.organization.name.text | Multi-field of `client.as.organization.name`. | match_only_text | -| client.bytes | Bytes sent from the client to the server. | long | -| client.domain | The domain name of the client system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | -| client.geo.city_name | City name. | keyword | -| client.geo.continent_name | Name of the continent. | keyword | -| client.geo.country_iso_code | Country ISO code. | keyword | -| client.geo.country_name | Country name. | keyword | -| client.geo.location | Longitude and latitude. | geo_point | -| client.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | -| client.geo.region_iso_code | Region ISO code. | keyword | -| client.geo.region_name | Region name. | keyword | -| client.ip | IP address of the client (IPv4 or IPv6). 
| ip | -| client.mac | MAC address of the client. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | -| client.nat.ip | Translated IP of source based NAT sessions (e.g. internal client to internet). Typically connections traversing load balancers, firewalls, or routers. | ip | -| client.nat.port | Translated port of source based NAT sessions (e.g. internal client to internet). Typically connections traversing load balancers, firewalls, or routers. | long | -| client.packets | Packets sent from the client to the server. | long | -| client.port | Port of the client. | long | -| client.registered_domain | The highest registered client domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | -| client.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | -| client.user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword | -| client.user.email | User email address. | keyword | -| client.user.full_name | User's full name, if available. | keyword | -| client.user.full_name.text | Multi-field of `client.user.full_name`. 
| match_only_text | -| client.user.group.domain | Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name. | keyword | -| client.user.group.id | Unique identifier for the group on the system/platform. | keyword | -| client.user.group.name | Name of the group. | keyword | -| client.user.hash | Unique user hash to correlate information for a user in anonymized form. Useful if `user.id` or `user.name` contain confidential information and cannot be used. | keyword | -| client.user.id | Unique identifier of the user. | keyword | -| client.user.name | Short name or login of the user. | keyword | -| client.user.name.text | Multi-field of `client.user.name`. | match_only_text | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host, resource, or service is located. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host, resource, or service is located. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.image.tag | Container image tags. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| container.runtime | Runtime managing this container. 
| keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| destination.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| destination.as.organization.name | Organization name. | keyword | -| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. | match_only_text | -| destination.bytes | Bytes sent from the destination to the source. | long | -| destination.domain | The domain name of the destination system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | -| destination.geo.city_name | City name. | keyword | -| destination.geo.continent_name | Name of the continent. | keyword | -| destination.geo.country_iso_code | Country ISO code. | keyword | -| destination.geo.country_name | Country name. | keyword | -| destination.geo.location | Longitude and latitude. | geo_point | -| destination.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | -| destination.geo.region_iso_code | Region ISO code. | keyword | -| destination.geo.region_name | Region name. | keyword | -| destination.ip | IP address of the destination (IPv4 or IPv6). 
| ip | -| destination.locality | Whether the destination IP is private or public. | keyword | -| destination.mac | MAC address of the destination. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | -| destination.nat.ip | Translated ip of destination based NAT sessions (e.g. internet to private DMZ) Typically used with load balancers, firewalls, or routers. | ip | -| destination.nat.port | Port the source session is translated to by NAT Device. Typically used with load balancers, firewalls, or routers. | long | -| destination.packets | Packets sent from the destination to the source. | long | -| destination.port | Port of the destination. | long | -| destination.registered_domain | The highest registered destination domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | -| destination.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | -| destination.user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword | -| destination.user.email | User email address. | keyword | -| destination.user.full_name | User's full name, if available. 
| keyword | -| destination.user.full_name.text | Multi-field of `destination.user.full_name`. | match_only_text | -| destination.user.group.domain | Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name. | keyword | -| destination.user.group.id | Unique identifier for the group on the system/platform. | keyword | -| destination.user.group.name | Name of the group. | keyword | -| destination.user.hash | Unique user hash to correlate information for a user in anonymized form. Useful if `user.id` or `user.name` contain confidential information and cannot be used. | keyword | -| destination.user.id | Unique identifier of the user. | keyword | -| destination.user.name | Short name or login of the user. | keyword | -| destination.user.name.text | Multi-field of `destination.user.name`. | match_only_text | -| dns.answers | An array containing an object for each answer section returned by the server. The main keys that should be present in these objects are defined by ECS. Records that have more information may contain more keys than what ECS defines. Not all DNS data sources give all details about DNS answers. At minimum, answer objects must contain the `data` key. If more information is available, map as much of it to ECS as possible, and add any additional fields to the answer objects as custom fields. | object | -| dns.answers.class | The class of DNS data contained in this resource record. | keyword | -| dns.answers.data | The data describing the resource. The meaning of this data depends on the type and class of the resource record. | keyword | -| dns.answers.name | The domain name to which this resource record pertains. If a chain of CNAME is being resolved, each answer's `name` should be the one that corresponds with the answer's `data`. It should not simply be the original `question.name` repeated. 
| keyword | -| dns.answers.ttl | The time interval in seconds that this resource record may be cached before it should be discarded. Zero values mean that the data should not be cached. | long | -| dns.answers.type | The type of data contained in this resource record. | keyword | -| dns.header_flags | Array of 2 letter DNS header flags. | keyword | -| dns.id | The DNS packet identifier assigned by the program that generated the query. The identifier is copied to the response. | keyword | -| dns.op_code | The DNS operation code that specifies the kind of query in the message. This value is set by the originator of a query and copied into the response. | keyword | -| dns.question.class | The class of records being queried. | keyword | -| dns.question.name | The name being queried. If the name field contains non-printable characters (below 32 or above 126), those characters should be represented as escaped base 10 integers (\DDD). Back slashes and quotes should be escaped. Tabs, carriage returns, and line feeds should be converted to \t, \r, and \n respectively. | keyword | -| dns.question.registered_domain | The highest registered domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | -| dns.question.subdomain | The subdomain is all of the labels under the registered_domain. If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword | -| dns.question.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". 
This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | -| dns.question.type | The type of record being queried. | keyword | -| dns.resolved_ip | Array containing all IPs seen in `answers.data`. The `answers` array can be difficult to use, because of the variety of data formats it can contain. Extracting all IP addresses seen in there to `dns.resolved_ip` makes it possible to index them as IP addresses, and makes them easier to visualize and query for. | ip | -| dns.response_code | The DNS response code. | keyword | -| dns.type | The type of DNS event captured, query or answer. If your source of DNS events only gives you DNS queries, you should only create dns events of type `dns.type:query`. If your source of DNS events gives you answers as well, you should create one event per query (optionally as soon as the query is seen). And a second event containing all query details as well as an array of answers. | keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| error.code | Error code describing the error. | keyword | -| error.id | Unique identifier for the error. | keyword | -| error.message | Error message. | match_only_text | -| error.stack_trace | The stack trace of this error in plain text. | wildcard | -| error.stack_trace.text | Multi-field of `error.stack_trace`. | match_only_text | -| error.type | The type of the error, for example the class name of the exception. | keyword | -| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. 
Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.code | Identification code for this event, if one exists. Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. | keyword | -| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | -| event.dataset | Event dataset | constant_keyword | -| event.duration | Duration of the event in nanoseconds. If event.start and event.end are known this value should be the difference between the end and start time. | long | -| event.end | event.end contains the date when the event ended or when the activity was last observed. | date | -| event.hash | Hash (perhaps logstash fingerprint) of raw field to be able to demonstrate log integrity. 
| keyword | -| event.id | Unique ID to describe the event. | keyword | -| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | -| event.module | Event module | constant_keyword | -| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | -| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. 
Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | -| event.provider | Source of the event. Event transports such as Syslog or the Windows Event Log typically mention the source of an event. It can be the name of the software that generated the event (e.g. Sysmon, httpd), or of a subsystem of the operating system (kernel, Microsoft-Windows-Security-Auditing). | keyword | -| event.risk_score | Risk score or priority of the event (e.g. security solutions). Use your system's original value here. | float | -| event.risk_score_norm | Normalized risk score or priority of the event, on a scale of 0 to 100. This is mainly useful if you use more than one system that assigns risk scores, and you want to see a normalized value across all systems. | float | -| event.sequence | Sequence number of the event. The sequence number is a value published by some event sources, to make the exact ordering of events unambiguous, regardless of the timestamp precision. | long | -| event.severity | The numeric severity of the event according to your event source. What the different severity values mean can be different between sources and use cases. It's up to the implementer to make sure severities are consistent across events from the same source. The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. 
firewall, IDS). If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`. | long | -| event.start | event.start contains the date when the event started or when the activity was first observed. | date | -| event.timezone | This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). | keyword | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | -| file.accessed | Last time the file was accessed. Note that not all filesystems keep track of access time. | date | -| file.created | File creation time. Note that not all filesystems store the creation time. | date | -| file.ctime | Last time the file attributes or metadata changed. Note that changes to the file content will update `mtime`. This implies `ctime` will be adjusted at the same time, since `mtime` is an attribute of the file. | date | -| file.device | Device that is the source of the file. | keyword | -| file.directory | Directory where the file is located. It should include the drive letter, when appropriate. | keyword | -| file.extension | File extension, excluding the leading dot. Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword | -| file.gid | Primary group ID (GID) of the file. 
| keyword | -| file.group | Primary group name of the file. | keyword | -| file.hash.md5 | MD5 hash. | keyword | -| file.hash.sha1 | SHA1 hash. | keyword | -| file.hash.sha256 | SHA256 hash. | keyword | -| file.hash.sha512 | SHA512 hash. | keyword | -| file.inode | Inode representing the file in the filesystem. | keyword | -| file.mode | Mode of the file in octal representation. | keyword | -| file.mtime | Last time the file content was modified. | date | -| file.name | Name of the file including the extension, without the directory. | keyword | -| file.owner | File owner's username. | keyword | -| file.path | Full path to the file, including the file name. It should include the drive letter, when appropriate. | keyword | -| file.path.text | Multi-field of `file.path`. | match_only_text | -| file.size | File size in bytes. Only relevant when `file.type` is "file". | long | -| file.target_path | Target path for symlinks. | keyword | -| file.target_path.text | Multi-field of `file.target_path`. | match_only_text | -| file.type | File type (file, dir, or symlink). | keyword | -| file.uid | The user ID (UID) or security identifier (SID) of the file owner. | keyword | -| flow.id | Hash of source and destination IPs. | keyword | -| flow.locality | Identifies whether the flow involved public IP addresses or only private address. | keyword | -| geo.city_name | City name. | keyword | -| geo.continent_name | Name of the continent. | keyword | -| geo.country_iso_code | Country ISO code. | keyword | -| geo.country_name | Country name. | keyword | -| geo.location | Longitude and latitude. | geo_point | -| geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | -| geo.region_iso_code | Region ISO code. | keyword | -| geo.region_name | Region name. 
| keyword | -| group.domain | Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name. | keyword | -| group.id | Unique identifier for the group on the system/platform. | keyword | -| group.name | Name of the group. | keyword | -| hash.md5 | MD5 hash. | keyword | -| hash.sha1 | SHA1 hash. | keyword | -| hash.sha256 | SHA256 hash. | keyword | -| hash.sha512 | SHA512 hash. | keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.geo.city_name | City name. | keyword | -| host.geo.continent_name | Name of the continent. | keyword | -| host.geo.country_iso_code | Country ISO code. | keyword | -| host.geo.country_name | Country name. | keyword | -| host.geo.location | Longitude and latitude. | geo_point | -| host.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | -| host.geo.region_iso_code | Region ISO code. | keyword | -| host.geo.region_name | Region name. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host MAC addresses. 
The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.full | Operating system name, including the version or code name. | keyword | -| host.os.full.text | Multi-field of `host.os.full`. | match_only_text | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | match_only_text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| host.uptime | Seconds the host has been up. | long | -| http.request.body.bytes | Size in bytes of the request body. | long | -| http.request.body.content | The full HTTP request body. | wildcard | -| http.request.body.content.text | Multi-field of `http.request.body.content`. | match_only_text | -| http.request.bytes | Total size in bytes of the request (body and headers). | long | -| http.request.method | HTTP request method. The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field. 
| keyword | -| http.request.referrer | Referrer for this HTTP request. | keyword | -| http.response.body.bytes | Size in bytes of the response body. | long | -| http.response.body.content | The full HTTP response body. | wildcard | -| http.response.body.content.text | Multi-field of `http.response.body.content`. | match_only_text | -| http.response.bytes | Total size in bytes of the response (body and headers). | long | -| http.response.status_code | HTTP response status code. | long | -| http.version | HTTP version. | keyword | -| input.type | Type of Filebeat input. | keyword | -| labels | Custom key/value pairs. Can be used to add meta information to events. Should not contain nested objects. All values are stored as keyword. Example: `docker` and `k8s` labels. | object | -| log.level | Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). Some examples are `warn`, `err`, `i`, `informational`. | keyword | -| log.logger | The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. | keyword | -| log.origin.file.line | The line number of the file containing the source code which originated the log event. | long | -| log.origin.file.name | The name of the file containing the source code which originated the log event. Note that this field is not meant to capture the log file. The correct field to capture the log file is `log.file.path`. | keyword | -| log.origin.function | The name of the function or method which originated the log event. | keyword | -| log.syslog | The Syslog metadata of the event, if the event was transmitted via Syslog. Please see RFCs 5424 or 3164. | object | -| log.syslog.facility.code | The Syslog numeric facility of the log event, if available. 
According to RFCs 5424 and 3164, this value should be an integer between 0 and 23. | long | -| log.syslog.facility.name | The Syslog text-based facility of the log event, if available. | keyword | -| log.syslog.priority | Syslog numeric priority of the event, if available. According to RFCs 5424 and 3164, the priority is 8 \* facility + severity. This number is therefore expected to contain a value between 0 and 191. | long | -| log.syslog.severity.code | The Syslog numeric severity of the log event, if available. If the event source publishing via Syslog provides a different numeric severity value (e.g. firewall, IDS), your source's numeric severity should go to `event.severity`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `event.severity`. | long | -| log.syslog.severity.name | The Syslog numeric severity of the log event, if available. If the event source publishing via Syslog provides a different severity value (e.g. firewall, IDS), your source's text severity should go to `log.level`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `log.level`. | keyword | -| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. 
| match_only_text | -| netflow.absolute_error | | double | -| netflow.address_pool_high_threshold | | long | -| netflow.address_pool_low_threshold | | long | -| netflow.address_port_mapping_high_threshold | | long | -| netflow.address_port_mapping_low_threshold | | long | -| netflow.address_port_mapping_per_user_high_threshold | | long | -| netflow.afc_protocol | | integer | -| netflow.afc_protocol_name | | keyword | -| netflow.anonymization_flags | | integer | -| netflow.anonymization_technique | | integer | -| netflow.application_business-relevance | | long | -| netflow.application_category_name | | keyword | -| netflow.application_description | | keyword | -| netflow.application_group_name | | keyword | -| netflow.application_http_uri_statistics | | short | -| netflow.application_http_user-agent | | short | -| netflow.application_id | | short | -| netflow.application_name | | keyword | -| netflow.application_sub_category_name | | keyword | -| netflow.application_traffic-class | | long | -| netflow.art_client_network_time_maximum | | long | -| netflow.art_client_network_time_minimum | | long | -| netflow.art_client_network_time_sum | | long | -| netflow.art_clientpackets | | long | -| netflow.art_count_late_responses | | long | -| netflow.art_count_new_connections | | long | -| netflow.art_count_responses | | long | -| netflow.art_count_responses_histogram_bucket1 | | long | -| netflow.art_count_responses_histogram_bucket2 | | long | -| netflow.art_count_responses_histogram_bucket3 | | long | -| netflow.art_count_responses_histogram_bucket4 | | long | -| netflow.art_count_responses_histogram_bucket5 | | long | -| netflow.art_count_responses_histogram_bucket6 | | long | -| netflow.art_count_responses_histogram_bucket7 | | long | -| netflow.art_count_retransmissions | | long | -| netflow.art_count_transactions | | long | -| netflow.art_network_time_maximum | | long | -| netflow.art_network_time_minimum | | long | -| netflow.art_network_time_sum | | long | -| 
netflow.art_response_time_maximum | | long | -| netflow.art_response_time_minimum | | long | -| netflow.art_response_time_sum | | long | -| netflow.art_server_network_time_maximum | | long | -| netflow.art_server_network_time_minimum | | long | -| netflow.art_server_network_time_sum | | long | -| netflow.art_server_response_time_maximum | | long | -| netflow.art_server_response_time_minimum | | long | -| netflow.art_server_response_time_sum | | long | -| netflow.art_serverpackets | | long | -| netflow.art_total_response_time_maximum | | long | -| netflow.art_total_response_time_minimum | | long | -| netflow.art_total_response_time_sum | | long | -| netflow.art_total_transaction_time_maximum | | long | -| netflow.art_total_transaction_time_minimum | | long | -| netflow.art_total_transaction_time_sum | | long | -| netflow.assembled_fragment_count | | long | -| netflow.audit_counter | | long | -| netflow.average_interarrival_time | | long | -| netflow.bgp_destination_as_number | | long | -| netflow.bgp_next_adjacent_as_number | | long | -| netflow.bgp_next_hop_ipv4_address | | ip | -| netflow.bgp_next_hop_ipv6_address | | ip | -| netflow.bgp_prev_adjacent_as_number | | long | -| netflow.bgp_source_as_number | | long | -| netflow.bgp_validity_state | | short | -| netflow.biflow_direction | | short | -| netflow.bind_ipv4_address | | ip | -| netflow.bind_transport_port | | integer | -| netflow.class_id | | long | -| netflow.class_name | | keyword | -| netflow.classification_engine_id | | short | -| netflow.collection_time_milliseconds | | date | -| netflow.collector_certificate | | short | -| netflow.collector_ipv4_address | | ip | -| netflow.collector_ipv6_address | | ip | -| netflow.collector_transport_port | | integer | -| netflow.common_properties_id | | long | -| netflow.confidence_level | | double | -| netflow.conn_ipv4_address | | ip | -| netflow.conn_transport_port | | integer | -| netflow.connection_sum_duration_seconds | | long | -| 
netflow.connection_transaction_id | | long | -| netflow.conntrack_id | | long | -| netflow.data_byte_count | | long | -| netflow.data_link_frame_section | | short | -| netflow.data_link_frame_size | | integer | -| netflow.data_link_frame_type | | integer | -| netflow.data_records_reliability | | boolean | -| netflow.delta_flow_count | | long | -| netflow.destination_ipv4_address | | ip | -| netflow.destination_ipv4_prefix | | ip | -| netflow.destination_ipv4_prefix_length | | short | -| netflow.destination_ipv6_address | | ip | -| netflow.destination_ipv6_prefix | | ip | -| netflow.destination_ipv6_prefix_length | | short | -| netflow.destination_mac_address | | keyword | -| netflow.destination_transport_port | | integer | -| netflow.digest_hash_value | | long | -| netflow.distinct_count_of_destination_ip_address | | long | -| netflow.distinct_count_of_destination_ipv4_address | | long | -| netflow.distinct_count_of_destination_ipv6_address | | long | -| netflow.distinct_count_of_source_ip_address | | long | -| netflow.distinct_count_of_source_ipv4_address | | long | -| netflow.distinct_count_of_source_ipv6_address | | long | -| netflow.dns_authoritative | | short | -| netflow.dns_cname | | keyword | -| netflow.dns_id | | integer | -| netflow.dns_mx_exchange | | keyword | -| netflow.dns_mx_preference | | integer | -| netflow.dns_nsd_name | | keyword | -| netflow.dns_nx_domain | | short | -| netflow.dns_ptrd_name | | keyword | -| netflow.dns_qname | | keyword | -| netflow.dns_qr_type | | integer | -| netflow.dns_query_response | | short | -| netflow.dns_rr_section | | short | -| netflow.dns_soa_expire | | long | -| netflow.dns_soa_minimum | | long | -| netflow.dns_soa_refresh | | long | -| netflow.dns_soa_retry | | long | -| netflow.dns_soa_serial | | long | -| netflow.dns_soam_name | | keyword | -| netflow.dns_soar_name | | keyword | -| netflow.dns_srv_port | | integer | -| netflow.dns_srv_priority | | integer | -| netflow.dns_srv_target | | integer | -| 
netflow.dns_srv_weight | | integer | -| netflow.dns_ttl | | long | -| netflow.dns_txt_data | | keyword | -| netflow.dot1q_customer_dei | | boolean | -| netflow.dot1q_customer_destination_mac_address | | keyword | -| netflow.dot1q_customer_priority | | short | -| netflow.dot1q_customer_source_mac_address | | keyword | -| netflow.dot1q_customer_vlan_id | | integer | -| netflow.dot1q_dei | | boolean | -| netflow.dot1q_priority | | short | -| netflow.dot1q_service_instance_id | | long | -| netflow.dot1q_service_instance_priority | | short | -| netflow.dot1q_service_instance_tag | | short | -| netflow.dot1q_vlan_id | | integer | -| netflow.dropped_layer2_octet_delta_count | | long | -| netflow.dropped_layer2_octet_total_count | | long | -| netflow.dropped_octet_delta_count | | long | -| netflow.dropped_octet_total_count | | long | -| netflow.dropped_packet_delta_count | | long | -| netflow.dropped_packet_total_count | | long | -| netflow.dst_traffic_index | | long | -| netflow.egress_broadcast_packet_total_count | | long | -| netflow.egress_interface | | long | -| netflow.egress_interface_type | | long | -| netflow.egress_physical_interface | | long | -| netflow.egress_unicast_packet_total_count | | long | -| netflow.egress_vrfid | | long | -| netflow.encrypted_technology | | keyword | -| netflow.engine_id | | short | -| netflow.engine_type | | short | -| netflow.ethernet_header_length | | short | -| netflow.ethernet_payload_length | | integer | -| netflow.ethernet_total_length | | integer | -| netflow.ethernet_type | | integer | -| netflow.expired_fragment_count | | long | -| netflow.export_interface | | long | -| netflow.export_protocol_version | | short | -| netflow.export_sctp_stream_id | | integer | -| netflow.export_transport_protocol | | short | -| netflow.exported_flow_record_total_count | | long | -| netflow.exported_message_total_count | | long | -| netflow.exported_octet_total_count | | long | -| netflow.exporter.address | Exporter's network address in 
IP:port format. | keyword | -| netflow.exporter.source_id | Observation domain ID to which this record belongs. | long | -| netflow.exporter.timestamp | Time and date of export. | date | -| netflow.exporter.uptime_millis | How long the exporter process has been running, in milliseconds. | long | -| netflow.exporter.version | NetFlow version used. | integer | -| netflow.exporter_certificate | | short | -| netflow.exporter_ipv4_address | | ip | -| netflow.exporter_ipv6_address | | ip | -| netflow.exporter_transport_port | | integer | -| netflow.exporting_process_id | | long | -| netflow.external_address_realm | | short | -| netflow.firewall_event | | short | -| netflow.first_eight_non_empty_packet_directions | | short | -| netflow.first_non_empty_packet_size | | integer | -| netflow.first_packet_banner | | keyword | -| netflow.flags_and_sampler_id | | long | -| netflow.flow_active_timeout | | integer | -| netflow.flow_attributes | | integer | -| netflow.flow_direction | | short | -| netflow.flow_duration_microseconds | | long | -| netflow.flow_duration_milliseconds | | long | -| netflow.flow_end_delta_microseconds | | long | -| netflow.flow_end_microseconds | | date | -| netflow.flow_end_milliseconds | | date | -| netflow.flow_end_nanoseconds | | date | -| netflow.flow_end_reason | | short | -| netflow.flow_end_seconds | | date | -| netflow.flow_end_sys_up_time | | long | -| netflow.flow_id | | long | -| netflow.flow_idle_timeout | | integer | -| netflow.flow_key_indicator | | long | -| netflow.flow_label_ipv6 | | long | -| netflow.flow_sampling_time_interval | | long | -| netflow.flow_sampling_time_spacing | | long | -| netflow.flow_selected_flow_delta_count | | long | -| netflow.flow_selected_octet_delta_count | | long | -| netflow.flow_selected_packet_delta_count | | long | -| netflow.flow_selector_algorithm | | integer | -| netflow.flow_start_delta_microseconds | | long | -| netflow.flow_start_microseconds | | date | -| netflow.flow_start_milliseconds | | date | 
-| netflow.flow_start_nanoseconds | | date | -| netflow.flow_start_seconds | | date | -| netflow.flow_start_sys_up_time | | long | -| netflow.flow_table_flush_event_count | | long | -| netflow.flow_table_peak_count | | long | -| netflow.forwarding_status | | short | -| netflow.fragment_flags | | short | -| netflow.fragment_identification | | long | -| netflow.fragment_offset | | integer | -| netflow.fw_blackout_secs | | long | -| netflow.fw_configured_value | | long | -| netflow.fw_cts_src_sgt | | long | -| netflow.fw_event_level | | long | -| netflow.fw_event_level_id | | long | -| netflow.fw_ext_event | | integer | -| netflow.fw_ext_event_alt | | long | -| netflow.fw_ext_event_desc | | keyword | -| netflow.fw_half_open_count | | long | -| netflow.fw_half_open_high | | long | -| netflow.fw_half_open_rate | | long | -| netflow.fw_max_sessions | | long | -| netflow.fw_rule | | keyword | -| netflow.fw_summary_pkt_count | | long | -| netflow.fw_zone_pair_id | | long | -| netflow.fw_zone_pair_name | | long | -| netflow.global_address_mapping_high_threshold | | long | -| netflow.gre_key | | long | -| netflow.hash_digest_output | | boolean | -| netflow.hash_flow_domain | | integer | -| netflow.hash_initialiser_value | | long | -| netflow.hash_ip_payload_offset | | long | -| netflow.hash_ip_payload_size | | long | -| netflow.hash_output_range_max | | long | -| netflow.hash_output_range_min | | long | -| netflow.hash_selected_range_max | | long | -| netflow.hash_selected_range_min | | long | -| netflow.http_content_type | | keyword | -| netflow.http_message_version | | keyword | -| netflow.http_reason_phrase | | keyword | -| netflow.http_request_host | | keyword | -| netflow.http_request_method | | keyword | -| netflow.http_request_target | | keyword | -| netflow.http_status_code | | integer | -| netflow.http_user_agent | | keyword | -| netflow.icmp_code_ipv4 | | short | -| netflow.icmp_code_ipv6 | | short | -| netflow.icmp_type_code_ipv4 | | integer | -| 
netflow.icmp_type_code_ipv6 | | integer | -| netflow.icmp_type_ipv4 | | short | -| netflow.icmp_type_ipv6 | | short | -| netflow.igmp_type | | short | -| netflow.ignored_data_record_total_count | | long | -| netflow.ignored_layer2_frame_total_count | | long | -| netflow.ignored_layer2_octet_total_count | | long | -| netflow.ignored_octet_total_count | | long | -| netflow.ignored_packet_total_count | | long | -| netflow.information_element_data_type | | short | -| netflow.information_element_description | | keyword | -| netflow.information_element_id | | integer | -| netflow.information_element_index | | integer | -| netflow.information_element_name | | keyword | -| netflow.information_element_range_begin | | long | -| netflow.information_element_range_end | | long | -| netflow.information_element_semantics | | short | -| netflow.information_element_units | | integer | -| netflow.ingress_broadcast_packet_total_count | | long | -| netflow.ingress_interface | | long | -| netflow.ingress_interface_type | | long | -| netflow.ingress_multicast_packet_total_count | | long | -| netflow.ingress_physical_interface | | long | -| netflow.ingress_unicast_packet_total_count | | long | -| netflow.ingress_vrfid | | long | -| netflow.initial_tcp_flags | | short | -| netflow.initiator_octets | | long | -| netflow.initiator_packets | | long | -| netflow.interface_description | | keyword | -| netflow.interface_name | | keyword | -| netflow.intermediate_process_id | | long | -| netflow.internal_address_realm | | short | -| netflow.ip_class_of_service | | short | -| netflow.ip_diff_serv_code_point | | short | -| netflow.ip_header_length | | short | -| netflow.ip_header_packet_section | | short | -| netflow.ip_next_hop_ipv4_address | | ip | -| netflow.ip_next_hop_ipv6_address | | ip | -| netflow.ip_payload_length | | long | -| netflow.ip_payload_packet_section | | short | -| netflow.ip_precedence | | short | -| netflow.ip_sec_spi | | long | -| netflow.ip_total_length | | long | -| 
netflow.ip_ttl | | short | -| netflow.ip_version | | short | -| netflow.ipv4_ihl | | short | -| netflow.ipv4_options | | long | -| netflow.ipv4_router_sc | | ip | -| netflow.ipv6_extension_headers | | long | -| netflow.is_multicast | | short | -| netflow.ixia_browser_id | | short | -| netflow.ixia_browser_name | | keyword | -| netflow.ixia_device_id | | short | -| netflow.ixia_device_name | | keyword | -| netflow.ixia_dns_answer | | keyword | -| netflow.ixia_dns_classes | | keyword | -| netflow.ixia_dns_query | | keyword | -| netflow.ixia_dns_record_txt | | keyword | -| netflow.ixia_dst_as_name | | keyword | -| netflow.ixia_dst_city_name | | keyword | -| netflow.ixia_dst_country_code | | keyword | -| netflow.ixia_dst_country_name | | keyword | -| netflow.ixia_dst_latitude | | float | -| netflow.ixia_dst_longitude | | float | -| netflow.ixia_dst_region_code | | keyword | -| netflow.ixia_dst_region_node | | keyword | -| netflow.ixia_encrypt_cipher | | keyword | -| netflow.ixia_encrypt_key_length | | integer | -| netflow.ixia_encrypt_type | | keyword | -| netflow.ixia_http_host_name | | keyword | -| netflow.ixia_http_uri | | keyword | -| netflow.ixia_http_user_agent | | keyword | -| netflow.ixia_imsi_subscriber | | keyword | -| netflow.ixia_l7_app_id | | long | -| netflow.ixia_l7_app_name | | keyword | -| netflow.ixia_latency | | long | -| netflow.ixia_rev_octet_delta_count | | long | -| netflow.ixia_rev_packet_delta_count | | long | -| netflow.ixia_src_as_name | | keyword | -| netflow.ixia_src_city_name | | keyword | -| netflow.ixia_src_country_code | | keyword | -| netflow.ixia_src_country_name | | keyword | -| netflow.ixia_src_latitude | | float | -| netflow.ixia_src_longitude | | float | -| netflow.ixia_src_region_code | | keyword | -| netflow.ixia_src_region_name | | keyword | -| netflow.ixia_threat_ipv4 | | ip | -| netflow.ixia_threat_ipv6 | | ip | -| netflow.ixia_threat_type | | keyword | -| netflow.large_packet_count | | long | -| 
netflow.layer2_frame_delta_count | | long | -| netflow.layer2_frame_total_count | | long | -| netflow.layer2_octet_delta_count | | long | -| netflow.layer2_octet_delta_sum_of_squares | | long | -| netflow.layer2_octet_total_count | | long | -| netflow.layer2_octet_total_sum_of_squares | | long | -| netflow.layer2_segment_id | | long | -| netflow.layer2packet_section_data | | short | -| netflow.layer2packet_section_offset | | integer | -| netflow.layer2packet_section_size | | integer | -| netflow.line_card_id | | long | -| netflow.log_op | | short | -| netflow.lower_ci_limit | | double | -| netflow.mark | | long | -| netflow.max_bib_entries | | long | -| netflow.max_entries_per_user | | long | -| netflow.max_export_seconds | | date | -| netflow.max_flow_end_microseconds | | date | -| netflow.max_flow_end_milliseconds | | date | -| netflow.max_flow_end_nanoseconds | | date | -| netflow.max_flow_end_seconds | | date | -| netflow.max_fragments_pending_reassembly | | long | -| netflow.max_packet_size | | integer | -| netflow.max_session_entries | | long | -| netflow.max_subscribers | | long | -| netflow.maximum_ip_total_length | | long | -| netflow.maximum_layer2_total_length | | long | -| netflow.maximum_ttl | | short | -| netflow.mean_flow_rate | | long | -| netflow.mean_packet_rate | | long | -| netflow.message_md5_checksum | | short | -| netflow.message_scope | | short | -| netflow.metering_process_id | | long | -| netflow.metro_evc_id | | keyword | -| netflow.metro_evc_type | | short | -| netflow.mib_capture_time_semantics | | short | -| netflow.mib_context_engine_id | | short | -| netflow.mib_context_name | | keyword | -| netflow.mib_index_indicator | | long | -| netflow.mib_module_name | | keyword | -| netflow.mib_object_description | | keyword | -| netflow.mib_object_identifier | | short | -| netflow.mib_object_name | | keyword | -| netflow.mib_object_syntax | | keyword | -| netflow.mib_object_value_bits | | short | -| netflow.mib_object_value_counter | | long | 
-| netflow.mib_object_value_gauge | | long | -| netflow.mib_object_value_integer | | integer | -| netflow.mib_object_value_ip_address | | ip | -| netflow.mib_object_value_octet_string | | short | -| netflow.mib_object_value_oid | | short | -| netflow.mib_object_value_time_ticks | | long | -| netflow.mib_object_value_unsigned | | long | -| netflow.mib_sub_identifier | | long | -| netflow.min_export_seconds | | date | -| netflow.min_flow_start_microseconds | | date | -| netflow.min_flow_start_milliseconds | | date | -| netflow.min_flow_start_nanoseconds | | date | -| netflow.min_flow_start_seconds | | date | -| netflow.minimum_ip_total_length | | long | -| netflow.minimum_layer2_total_length | | long | -| netflow.minimum_ttl | | short | -| netflow.mobile_imsi | | keyword | -| netflow.mobile_msisdn | | keyword | -| netflow.monitoring_interval_end_milli_seconds | | date | -| netflow.monitoring_interval_start_milli_seconds | | date | -| netflow.mpls_label_stack_depth | | long | -| netflow.mpls_label_stack_length | | long | -| netflow.mpls_label_stack_section | | short | -| netflow.mpls_label_stack_section10 | | short | -| netflow.mpls_label_stack_section2 | | short | -| netflow.mpls_label_stack_section3 | | short | -| netflow.mpls_label_stack_section4 | | short | -| netflow.mpls_label_stack_section5 | | short | -| netflow.mpls_label_stack_section6 | | short | -| netflow.mpls_label_stack_section7 | | short | -| netflow.mpls_label_stack_section8 | | short | -| netflow.mpls_label_stack_section9 | | short | -| netflow.mpls_payload_length | | long | -| netflow.mpls_payload_packet_section | | short | -| netflow.mpls_top_label_exp | | short | -| netflow.mpls_top_label_ipv4_address | | ip | -| netflow.mpls_top_label_ipv6_address | | ip | -| netflow.mpls_top_label_prefix_length | | short | -| netflow.mpls_top_label_stack_section | | short | -| netflow.mpls_top_label_ttl | | short | -| netflow.mpls_top_label_type | | short | -| netflow.mpls_vpn_route_distinguisher | | short | -| 
netflow.mptcp_address_id | | short | -| netflow.mptcp_flags | | short | -| netflow.mptcp_initial_data_sequence_number | | long | -| netflow.mptcp_maximum_segment_size | | integer | -| netflow.mptcp_receiver_token | | long | -| netflow.multicast_replication_factor | | long | -| netflow.nat_event | | short | -| netflow.nat_inside_svcid | | integer | -| netflow.nat_instance_id | | long | -| netflow.nat_originating_address_realm | | short | -| netflow.nat_outside_svcid | | integer | -| netflow.nat_pool_id | | long | -| netflow.nat_pool_name | | keyword | -| netflow.nat_quota_exceeded_event | | long | -| netflow.nat_sub_string | | keyword | -| netflow.nat_threshold_event | | long | -| netflow.nat_type | | short | -| netflow.netscale_ica_client_version | | keyword | -| netflow.netscaler_aaa_username | | keyword | -| netflow.netscaler_app_name | | keyword | -| netflow.netscaler_app_name_app_id | | long | -| netflow.netscaler_app_name_incarnation_number | | long | -| netflow.netscaler_app_template_name | | keyword | -| netflow.netscaler_app_unit_name_app_id | | long | -| netflow.netscaler_application_startup_duration | | long | -| netflow.netscaler_application_startup_time | | long | -| netflow.netscaler_cache_redir_client_connection_core_id | | long | -| netflow.netscaler_cache_redir_client_connection_transaction_id | | long | -| netflow.netscaler_client_rtt | | long | -| netflow.netscaler_connection_chain_hop_count | | long | -| netflow.netscaler_connection_chain_id | | short | -| netflow.netscaler_connection_id | | long | -| netflow.netscaler_current_license_consumed | | long | -| netflow.netscaler_db_clt_host_name | | keyword | -| netflow.netscaler_db_database_name | | keyword | -| netflow.netscaler_db_login_flags | | long | -| netflow.netscaler_db_protocol_name | | short | -| netflow.netscaler_db_req_string | | keyword | -| netflow.netscaler_db_req_type | | short | -| netflow.netscaler_db_resp_length | | long | -| netflow.netscaler_db_resp_status | | long | -| 
netflow.netscaler_db_resp_status_string | | keyword | -| netflow.netscaler_db_user_name | | keyword | -| netflow.netscaler_flow_flags | | long | -| netflow.netscaler_http_client_interaction_end_time | | keyword | -| netflow.netscaler_http_client_interaction_start_time | | keyword | -| netflow.netscaler_http_client_render_end_time | | keyword | -| netflow.netscaler_http_client_render_start_time | | keyword | -| netflow.netscaler_http_content_type | | keyword | -| netflow.netscaler_http_domain_name | | keyword | -| netflow.netscaler_http_req_authorization | | keyword | -| netflow.netscaler_http_req_cookie | | keyword | -| netflow.netscaler_http_req_forw_fb | | long | -| netflow.netscaler_http_req_forw_lb | | long | -| netflow.netscaler_http_req_host | | keyword | -| netflow.netscaler_http_req_method | | keyword | -| netflow.netscaler_http_req_rcv_fb | | long | -| netflow.netscaler_http_req_rcv_lb | | long | -| netflow.netscaler_http_req_referer | | keyword | -| netflow.netscaler_http_req_url | | keyword | -| netflow.netscaler_http_req_user_agent | | keyword | -| netflow.netscaler_http_req_via | | keyword | -| netflow.netscaler_http_req_xforwarded_for | | keyword | -| netflow.netscaler_http_res_forw_fb | | long | -| netflow.netscaler_http_res_forw_lb | | long | -| netflow.netscaler_http_res_location | | keyword | -| netflow.netscaler_http_res_rcv_fb | | long | -| netflow.netscaler_http_res_rcv_lb | | long | -| netflow.netscaler_http_res_set_cookie | | keyword | -| netflow.netscaler_http_res_set_cookie2 | | keyword | -| netflow.netscaler_http_rsp_len | | long | -| netflow.netscaler_http_rsp_status | | integer | -| netflow.netscaler_ica_app_module_path | | keyword | -| netflow.netscaler_ica_app_process_id | | long | -| netflow.netscaler_ica_application_name | | keyword | -| netflow.netscaler_ica_application_termination_time | | long | -| netflow.netscaler_ica_application_termination_type | | integer | -| netflow.netscaler_ica_channel_id1 | | long | -| 
netflow.netscaler_ica_channel_id1_bytes | | long | -| netflow.netscaler_ica_channel_id2 | | long | -| netflow.netscaler_ica_channel_id2_bytes | | long | -| netflow.netscaler_ica_channel_id3 | | long | -| netflow.netscaler_ica_channel_id3_bytes | | long | -| netflow.netscaler_ica_channel_id4 | | long | -| netflow.netscaler_ica_channel_id4_bytes | | long | -| netflow.netscaler_ica_channel_id5 | | long | -| netflow.netscaler_ica_channel_id5_bytes | | long | -| netflow.netscaler_ica_client_host_name | | keyword | -| netflow.netscaler_ica_client_ip | | ip | -| netflow.netscaler_ica_client_launcher | | integer | -| netflow.netscaler_ica_client_side_rto_count | | integer | -| netflow.netscaler_ica_client_side_window_size | | integer | -| netflow.netscaler_ica_client_type | | integer | -| netflow.netscaler_ica_clientside_delay | | long | -| netflow.netscaler_ica_clientside_jitter | | long | -| netflow.netscaler_ica_clientside_packets_retransmit | | integer | -| netflow.netscaler_ica_clientside_rtt | | long | -| netflow.netscaler_ica_clientside_rx_bytes | | long | -| netflow.netscaler_ica_clientside_srtt | | long | -| netflow.netscaler_ica_clientside_tx_bytes | | long | -| netflow.netscaler_ica_connection_priority | | integer | -| netflow.netscaler_ica_device_serial_no | | long | -| netflow.netscaler_ica_domain_name | | keyword | -| netflow.netscaler_ica_flags | | long | -| netflow.netscaler_ica_host_delay | | long | -| netflow.netscaler_ica_l7_client_latency | | long | -| netflow.netscaler_ica_l7_server_latency | | long | -| netflow.netscaler_ica_launch_mechanism | | integer | -| netflow.netscaler_ica_network_update_end_time | | long | -| netflow.netscaler_ica_network_update_start_time | | long | -| netflow.netscaler_ica_rtt | | long | -| netflow.netscaler_ica_server_name | | keyword | -| netflow.netscaler_ica_server_side_rto_count | | integer | -| netflow.netscaler_ica_server_side_window_size | | integer | -| netflow.netscaler_ica_serverside_delay | | long | -| 
netflow.netscaler_ica_serverside_jitter | | long | -| netflow.netscaler_ica_serverside_packets_retransmit | | integer | -| netflow.netscaler_ica_serverside_rtt | | long | -| netflow.netscaler_ica_serverside_srtt | | long | -| netflow.netscaler_ica_session_end_time | | long | -| netflow.netscaler_ica_session_guid | | short | -| netflow.netscaler_ica_session_reconnects | | short | -| netflow.netscaler_ica_session_setup_time | | long | -| netflow.netscaler_ica_session_update_begin_sec | | long | -| netflow.netscaler_ica_session_update_end_sec | | long | -| netflow.netscaler_ica_username | | keyword | -| netflow.netscaler_license_type | | short | -| netflow.netscaler_main_page_core_id | | long | -| netflow.netscaler_main_page_id | | long | -| netflow.netscaler_max_license_count | | long | -| netflow.netscaler_msi_client_cookie | | short | -| netflow.netscaler_round_trip_time | | long | -| netflow.netscaler_server_ttfb | | long | -| netflow.netscaler_server_ttlb | | long | -| netflow.netscaler_syslog_message | | keyword | -| netflow.netscaler_syslog_priority | | short | -| netflow.netscaler_syslog_timestamp | | long | -| netflow.netscaler_transaction_id | | long | -| netflow.netscaler_unknown270 | | long | -| netflow.netscaler_unknown271 | | long | -| netflow.netscaler_unknown272 | | long | -| netflow.netscaler_unknown273 | | long | -| netflow.netscaler_unknown274 | | long | -| netflow.netscaler_unknown275 | | long | -| netflow.netscaler_unknown276 | | long | -| netflow.netscaler_unknown277 | | long | -| netflow.netscaler_unknown278 | | long | -| netflow.netscaler_unknown279 | | long | -| netflow.netscaler_unknown280 | | long | -| netflow.netscaler_unknown281 | | long | -| netflow.netscaler_unknown282 | | long | -| netflow.netscaler_unknown283 | | long | -| netflow.netscaler_unknown284 | | long | -| netflow.netscaler_unknown285 | | long | -| netflow.netscaler_unknown286 | | long | -| netflow.netscaler_unknown287 | | long | -| netflow.netscaler_unknown288 | | long | -| 
netflow.netscaler_unknown289 | | long | -| netflow.netscaler_unknown290 | | long | -| netflow.netscaler_unknown291 | | long | -| netflow.netscaler_unknown292 | | long | -| netflow.netscaler_unknown293 | | long | -| netflow.netscaler_unknown294 | | long | -| netflow.netscaler_unknown295 | | long | -| netflow.netscaler_unknown296 | | long | -| netflow.netscaler_unknown297 | | long | -| netflow.netscaler_unknown298 | | long | -| netflow.netscaler_unknown299 | | long | -| netflow.netscaler_unknown300 | | long | -| netflow.netscaler_unknown301 | | long | -| netflow.netscaler_unknown302 | | long | -| netflow.netscaler_unknown303 | | long | -| netflow.netscaler_unknown304 | | long | -| netflow.netscaler_unknown305 | | long | -| netflow.netscaler_unknown306 | | long | -| netflow.netscaler_unknown307 | | long | -| netflow.netscaler_unknown308 | | long | -| netflow.netscaler_unknown309 | | long | -| netflow.netscaler_unknown310 | | long | -| netflow.netscaler_unknown311 | | long | -| netflow.netscaler_unknown312 | | long | -| netflow.netscaler_unknown313 | | long | -| netflow.netscaler_unknown314 | | long | -| netflow.netscaler_unknown315 | | long | -| netflow.netscaler_unknown316 | | keyword | -| netflow.netscaler_unknown317 | | long | -| netflow.netscaler_unknown318 | | long | -| netflow.netscaler_unknown319 | | keyword | -| netflow.netscaler_unknown320 | | integer | -| netflow.netscaler_unknown321 | | long | -| netflow.netscaler_unknown322 | | long | -| netflow.netscaler_unknown323 | | integer | -| netflow.netscaler_unknown324 | | integer | -| netflow.netscaler_unknown325 | | integer | -| netflow.netscaler_unknown326 | | integer | -| netflow.netscaler_unknown327 | | long | -| netflow.netscaler_unknown328 | | integer | -| netflow.netscaler_unknown329 | | integer | -| netflow.netscaler_unknown330 | | integer | -| netflow.netscaler_unknown331 | | integer | -| netflow.netscaler_unknown332 | | long | -| netflow.netscaler_unknown333 | | keyword | -| netflow.netscaler_unknown334 
| | keyword | -| netflow.netscaler_unknown335 | | long | -| netflow.netscaler_unknown336 | | long | -| netflow.netscaler_unknown337 | | long | -| netflow.netscaler_unknown338 | | long | -| netflow.netscaler_unknown339 | | long | -| netflow.netscaler_unknown340 | | long | -| netflow.netscaler_unknown341 | | long | -| netflow.netscaler_unknown342 | | long | -| netflow.netscaler_unknown343 | | long | -| netflow.netscaler_unknown344 | | long | -| netflow.netscaler_unknown345 | | long | -| netflow.netscaler_unknown346 | | long | -| netflow.netscaler_unknown347 | | long | -| netflow.netscaler_unknown348 | | integer | -| netflow.netscaler_unknown349 | | keyword | -| netflow.netscaler_unknown350 | | keyword | -| netflow.netscaler_unknown351 | | keyword | -| netflow.netscaler_unknown352 | | integer | -| netflow.netscaler_unknown353 | | long | -| netflow.netscaler_unknown354 | | long | -| netflow.netscaler_unknown355 | | long | -| netflow.netscaler_unknown356 | | long | -| netflow.netscaler_unknown357 | | long | -| netflow.netscaler_unknown363 | | short | -| netflow.netscaler_unknown383 | | short | -| netflow.netscaler_unknown391 | | long | -| netflow.netscaler_unknown398 | | long | -| netflow.netscaler_unknown404 | | long | -| netflow.netscaler_unknown405 | | long | -| netflow.netscaler_unknown427 | | long | -| netflow.netscaler_unknown429 | | short | -| netflow.netscaler_unknown432 | | short | -| netflow.netscaler_unknown433 | | short | -| netflow.netscaler_unknown453 | | long | -| netflow.netscaler_unknown465 | | long | -| netflow.new_connection_delta_count | | long | -| netflow.next_header_ipv6 | | short | -| netflow.non_empty_packet_count | | long | -| netflow.not_sent_flow_total_count | | long | -| netflow.not_sent_layer2_octet_total_count | | long | -| netflow.not_sent_octet_total_count | | long | -| netflow.not_sent_packet_total_count | | long | -| netflow.observation_domain_id | | long | -| netflow.observation_domain_name | | keyword | -| 
netflow.observation_point_id | | long | -| netflow.observation_point_type | | short | -| netflow.observation_time_microseconds | | date | -| netflow.observation_time_milliseconds | | date | -| netflow.observation_time_nanoseconds | | date | -| netflow.observation_time_seconds | | date | -| netflow.observed_flow_total_count | | long | -| netflow.octet_delta_count | | long | -| netflow.octet_delta_sum_of_squares | | long | -| netflow.octet_total_count | | long | -| netflow.octet_total_sum_of_squares | | long | -| netflow.opaque_octets | | short | -| netflow.original_exporter_ipv4_address | | ip | -| netflow.original_exporter_ipv6_address | | ip | -| netflow.original_flows_completed | | long | -| netflow.original_flows_initiated | | long | -| netflow.original_flows_present | | long | -| netflow.original_observation_domain_id | | long | -| netflow.os_finger_print | | keyword | -| netflow.os_name | | keyword | -| netflow.os_version | | keyword | -| netflow.p2p_technology | | keyword | -| netflow.packet_delta_count | | long | -| netflow.packet_total_count | | long | -| netflow.padding_octets | | short | -| netflow.payload | | keyword | -| netflow.payload_entropy | | short | -| netflow.payload_length_ipv6 | | integer | -| netflow.policy_qos_classification_hierarchy | | long | -| netflow.policy_qos_queue_index | | long | -| netflow.policy_qos_queuedrops | | long | -| netflow.policy_qos_queueindex | | long | -| netflow.port_id | | long | -| netflow.port_range_end | | integer | -| netflow.port_range_num_ports | | integer | -| netflow.port_range_start | | integer | -| netflow.port_range_step_size | | integer | -| netflow.post_destination_mac_address | | keyword | -| netflow.post_dot1q_customer_vlan_id | | integer | -| netflow.post_dot1q_vlan_id | | integer | -| netflow.post_ip_class_of_service | | short | -| netflow.post_ip_diff_serv_code_point | | short | -| netflow.post_ip_precedence | | short | -| netflow.post_layer2_octet_delta_count | | long | -| 
netflow.post_layer2_octet_total_count | | long | -| netflow.post_mcast_layer2_octet_delta_count | | long | -| netflow.post_mcast_layer2_octet_total_count | | long | -| netflow.post_mcast_octet_delta_count | | long | -| netflow.post_mcast_octet_total_count | | long | -| netflow.post_mcast_packet_delta_count | | long | -| netflow.post_mcast_packet_total_count | | long | -| netflow.post_mpls_top_label_exp | | short | -| netflow.post_napt_destination_transport_port | | integer | -| netflow.post_napt_source_transport_port | | integer | -| netflow.post_nat_destination_ipv4_address | | ip | -| netflow.post_nat_destination_ipv6_address | | ip | -| netflow.post_nat_source_ipv4_address | | ip | -| netflow.post_nat_source_ipv6_address | | ip | -| netflow.post_octet_delta_count | | long | -| netflow.post_octet_total_count | | long | -| netflow.post_packet_delta_count | | long | -| netflow.post_packet_total_count | | long | -| netflow.post_source_mac_address | | keyword | -| netflow.post_vlan_id | | integer | -| netflow.private_enterprise_number | | long | -| netflow.procera_apn | | keyword | -| netflow.procera_base_service | | keyword | -| netflow.procera_content_categories | | keyword | -| netflow.procera_device_id | | long | -| netflow.procera_external_rtt | | integer | -| netflow.procera_flow_behavior | | keyword | -| netflow.procera_ggsn | | keyword | -| netflow.procera_http_content_type | | keyword | -| netflow.procera_http_file_length | | long | -| netflow.procera_http_language | | keyword | -| netflow.procera_http_location | | keyword | -| netflow.procera_http_referer | | keyword | -| netflow.procera_http_request_method | | keyword | -| netflow.procera_http_request_version | | keyword | -| netflow.procera_http_response_status | | integer | -| netflow.procera_http_url | | keyword | -| netflow.procera_http_user_agent | | keyword | -| netflow.procera_imsi | | long | -| netflow.procera_incoming_octets | | long | -| netflow.procera_incoming_packets | | long | -| 
netflow.procera_incoming_shaping_drops | | long | -| netflow.procera_incoming_shaping_latency | | integer | -| netflow.procera_internal_rtt | | integer | -| netflow.procera_local_ipv4_host | | ip | -| netflow.procera_local_ipv6_host | | ip | -| netflow.procera_msisdn | | long | -| netflow.procera_outgoing_octets | | long | -| netflow.procera_outgoing_packets | | long | -| netflow.procera_outgoing_shaping_drops | | long | -| netflow.procera_outgoing_shaping_latency | | integer | -| netflow.procera_property | | keyword | -| netflow.procera_qoe_incoming_external | | float | -| netflow.procera_qoe_incoming_internal | | float | -| netflow.procera_qoe_outgoing_external | | float | -| netflow.procera_qoe_outgoing_internal | | float | -| netflow.procera_rat | | keyword | -| netflow.procera_remote_ipv4_host | | ip | -| netflow.procera_remote_ipv6_host | | ip | -| netflow.procera_rnc | | integer | -| netflow.procera_server_hostname | | keyword | -| netflow.procera_service | | keyword | -| netflow.procera_sgsn | | keyword | -| netflow.procera_subscriber_identifier | | keyword | -| netflow.procera_template_name | | keyword | -| netflow.procera_user_location_information | | keyword | -| netflow.protocol_identifier | | short | -| netflow.pseudo_wire_control_word | | long | -| netflow.pseudo_wire_destination_ipv4_address | | ip | -| netflow.pseudo_wire_id | | long | -| netflow.pseudo_wire_type | | integer | -| netflow.reason | | long | -| netflow.reason_text | | keyword | -| netflow.relative_error | | double | -| netflow.responder_octets | | long | -| netflow.responder_packets | | long | -| netflow.reverse_absolute_error | | double | -| netflow.reverse_anonymization_flags | | integer | -| netflow.reverse_anonymization_technique | | integer | -| netflow.reverse_application_category_name | | keyword | -| netflow.reverse_application_description | | keyword | -| netflow.reverse_application_group_name | | keyword | -| netflow.reverse_application_id | | keyword | -| 
netflow.reverse_application_name | | keyword | -| netflow.reverse_application_sub_category_name | | keyword | -| netflow.reverse_average_interarrival_time | | long | -| netflow.reverse_bgp_destination_as_number | | long | -| netflow.reverse_bgp_next_adjacent_as_number | | long | -| netflow.reverse_bgp_next_hop_ipv4_address | | ip | -| netflow.reverse_bgp_next_hop_ipv6_address | | ip | -| netflow.reverse_bgp_prev_adjacent_as_number | | long | -| netflow.reverse_bgp_source_as_number | | long | -| netflow.reverse_bgp_validity_state | | short | -| netflow.reverse_class_id | | short | -| netflow.reverse_class_name | | keyword | -| netflow.reverse_classification_engine_id | | short | -| netflow.reverse_collection_time_milliseconds | | long | -| netflow.reverse_collector_certificate | | keyword | -| netflow.reverse_confidence_level | | double | -| netflow.reverse_connection_sum_duration_seconds | | long | -| netflow.reverse_connection_transaction_id | | long | -| netflow.reverse_data_byte_count | | long | -| netflow.reverse_data_link_frame_section | | keyword | -| netflow.reverse_data_link_frame_size | | integer | -| netflow.reverse_data_link_frame_type | | integer | -| netflow.reverse_data_records_reliability | | short | -| netflow.reverse_delta_flow_count | | long | -| netflow.reverse_destination_ipv4_address | | ip | -| netflow.reverse_destination_ipv4_prefix | | ip | -| netflow.reverse_destination_ipv4_prefix_length | | short | -| netflow.reverse_destination_ipv6_address | | ip | -| netflow.reverse_destination_ipv6_prefix | | ip | -| netflow.reverse_destination_ipv6_prefix_length | | short | -| netflow.reverse_destination_mac_address | | keyword | -| netflow.reverse_destination_transport_port | | integer | -| netflow.reverse_digest_hash_value | | long | -| netflow.reverse_distinct_count_of_destination_ip_address | | long | -| netflow.reverse_distinct_count_of_destination_ipv4_address | | long | -| netflow.reverse_distinct_count_of_destination_ipv6_address | | long | 
-| netflow.reverse_distinct_count_of_source_ip_address | | long | -| netflow.reverse_distinct_count_of_source_ipv4_address | | long | -| netflow.reverse_distinct_count_of_source_ipv6_address | | long | -| netflow.reverse_dot1q_customer_dei | | short | -| netflow.reverse_dot1q_customer_destination_mac_address | | keyword | -| netflow.reverse_dot1q_customer_priority | | short | -| netflow.reverse_dot1q_customer_source_mac_address | | keyword | -| netflow.reverse_dot1q_customer_vlan_id | | integer | -| netflow.reverse_dot1q_dei | | short | -| netflow.reverse_dot1q_priority | | short | -| netflow.reverse_dot1q_service_instance_id | | long | -| netflow.reverse_dot1q_service_instance_priority | | short | -| netflow.reverse_dot1q_service_instance_tag | | keyword | -| netflow.reverse_dot1q_vlan_id | | integer | -| netflow.reverse_dropped_layer2_octet_delta_count | | long | -| netflow.reverse_dropped_layer2_octet_total_count | | long | -| netflow.reverse_dropped_octet_delta_count | | long | -| netflow.reverse_dropped_octet_total_count | | long | -| netflow.reverse_dropped_packet_delta_count | | long | -| netflow.reverse_dropped_packet_total_count | | long | -| netflow.reverse_dst_traffic_index | | long | -| netflow.reverse_egress_broadcast_packet_total_count | | long | -| netflow.reverse_egress_interface | | long | -| netflow.reverse_egress_interface_type | | long | -| netflow.reverse_egress_physical_interface | | long | -| netflow.reverse_egress_unicast_packet_total_count | | long | -| netflow.reverse_egress_vrfid | | long | -| netflow.reverse_encrypted_technology | | keyword | -| netflow.reverse_engine_id | | short | -| netflow.reverse_engine_type | | short | -| netflow.reverse_ethernet_header_length | | short | -| netflow.reverse_ethernet_payload_length | | integer | -| netflow.reverse_ethernet_total_length | | integer | -| netflow.reverse_ethernet_type | | integer | -| netflow.reverse_export_sctp_stream_id | | integer | -| netflow.reverse_exporter_certificate | | 
keyword | -| netflow.reverse_exporting_process_id | | long | -| netflow.reverse_firewall_event | | short | -| netflow.reverse_first_non_empty_packet_size | | integer | -| netflow.reverse_first_packet_banner | | keyword | -| netflow.reverse_flags_and_sampler_id | | long | -| netflow.reverse_flow_active_timeout | | integer | -| netflow.reverse_flow_attributes | | integer | -| netflow.reverse_flow_delta_milliseconds | | long | -| netflow.reverse_flow_direction | | short | -| netflow.reverse_flow_duration_microseconds | | long | -| netflow.reverse_flow_duration_milliseconds | | long | -| netflow.reverse_flow_end_delta_microseconds | | long | -| netflow.reverse_flow_end_microseconds | | long | -| netflow.reverse_flow_end_milliseconds | | long | -| netflow.reverse_flow_end_nanoseconds | | long | -| netflow.reverse_flow_end_reason | | short | -| netflow.reverse_flow_end_seconds | | long | -| netflow.reverse_flow_end_sys_up_time | | long | -| netflow.reverse_flow_idle_timeout | | integer | -| netflow.reverse_flow_label_ipv6 | | long | -| netflow.reverse_flow_sampling_time_interval | | long | -| netflow.reverse_flow_sampling_time_spacing | | long | -| netflow.reverse_flow_selected_flow_delta_count | | long | -| netflow.reverse_flow_selected_octet_delta_count | | long | -| netflow.reverse_flow_selected_packet_delta_count | | long | -| netflow.reverse_flow_selector_algorithm | | integer | -| netflow.reverse_flow_start_delta_microseconds | | long | -| netflow.reverse_flow_start_microseconds | | long | -| netflow.reverse_flow_start_milliseconds | | long | -| netflow.reverse_flow_start_nanoseconds | | long | -| netflow.reverse_flow_start_seconds | | long | -| netflow.reverse_flow_start_sys_up_time | | long | -| netflow.reverse_forwarding_status | | long | -| netflow.reverse_fragment_flags | | short | -| netflow.reverse_fragment_identification | | long | -| netflow.reverse_fragment_offset | | integer | -| netflow.reverse_gre_key | | long | -| netflow.reverse_hash_digest_output | 
| short | -| netflow.reverse_hash_flow_domain | | integer | -| netflow.reverse_hash_initialiser_value | | long | -| netflow.reverse_hash_ip_payload_offset | | long | -| netflow.reverse_hash_ip_payload_size | | long | -| netflow.reverse_hash_output_range_max | | long | -| netflow.reverse_hash_output_range_min | | long | -| netflow.reverse_hash_selected_range_max | | long | -| netflow.reverse_hash_selected_range_min | | long | -| netflow.reverse_icmp_code_ipv4 | | short | -| netflow.reverse_icmp_code_ipv6 | | short | -| netflow.reverse_icmp_type_code_ipv4 | | integer | -| netflow.reverse_icmp_type_code_ipv6 | | integer | -| netflow.reverse_icmp_type_ipv4 | | short | -| netflow.reverse_icmp_type_ipv6 | | short | -| netflow.reverse_igmp_type | | short | -| netflow.reverse_ignored_data_record_total_count | | long | -| netflow.reverse_ignored_layer2_frame_total_count | | long | -| netflow.reverse_ignored_layer2_octet_total_count | | long | -| netflow.reverse_information_element_data_type | | short | -| netflow.reverse_information_element_description | | keyword | -| netflow.reverse_information_element_id | | integer | -| netflow.reverse_information_element_index | | integer | -| netflow.reverse_information_element_name | | keyword | -| netflow.reverse_information_element_range_begin | | long | -| netflow.reverse_information_element_range_end | | long | -| netflow.reverse_information_element_semantics | | short | -| netflow.reverse_information_element_units | | integer | -| netflow.reverse_ingress_broadcast_packet_total_count | | long | -| netflow.reverse_ingress_interface | | long | -| netflow.reverse_ingress_interface_type | | long | -| netflow.reverse_ingress_multicast_packet_total_count | | long | -| netflow.reverse_ingress_physical_interface | | long | -| netflow.reverse_ingress_unicast_packet_total_count | | long | -| netflow.reverse_ingress_vrfid | | long | -| netflow.reverse_initial_tcp_flags | | short | -| netflow.reverse_initiator_octets | | long | -| 
netflow.reverse_initiator_packets | | long | -| netflow.reverse_interface_description | | keyword | -| netflow.reverse_interface_name | | keyword | -| netflow.reverse_intermediate_process_id | | long | -| netflow.reverse_ip_class_of_service | | short | -| netflow.reverse_ip_diff_serv_code_point | | short | -| netflow.reverse_ip_header_length | | short | -| netflow.reverse_ip_header_packet_section | | keyword | -| netflow.reverse_ip_next_hop_ipv4_address | | ip | -| netflow.reverse_ip_next_hop_ipv6_address | | ip | -| netflow.reverse_ip_payload_length | | long | -| netflow.reverse_ip_payload_packet_section | | keyword | -| netflow.reverse_ip_precedence | | short | -| netflow.reverse_ip_sec_spi | | long | -| netflow.reverse_ip_total_length | | long | -| netflow.reverse_ip_ttl | | short | -| netflow.reverse_ip_version | | short | -| netflow.reverse_ipv4_ihl | | short | -| netflow.reverse_ipv4_options | | long | -| netflow.reverse_ipv4_router_sc | | ip | -| netflow.reverse_ipv6_extension_headers | | long | -| netflow.reverse_is_multicast | | short | -| netflow.reverse_large_packet_count | | long | -| netflow.reverse_layer2_frame_delta_count | | long | -| netflow.reverse_layer2_frame_total_count | | long | -| netflow.reverse_layer2_octet_delta_count | | long | -| netflow.reverse_layer2_octet_delta_sum_of_squares | | long | -| netflow.reverse_layer2_octet_total_count | | long | -| netflow.reverse_layer2_octet_total_sum_of_squares | | long | -| netflow.reverse_layer2_segment_id | | long | -| netflow.reverse_layer2packet_section_data | | keyword | -| netflow.reverse_layer2packet_section_offset | | integer | -| netflow.reverse_layer2packet_section_size | | integer | -| netflow.reverse_line_card_id | | long | -| netflow.reverse_lower_ci_limit | | double | -| netflow.reverse_max_export_seconds | | long | -| netflow.reverse_max_flow_end_microseconds | | long | -| netflow.reverse_max_flow_end_milliseconds | | long | -| netflow.reverse_max_flow_end_nanoseconds | | long | -| 
netflow.reverse_max_flow_end_seconds | | long | -| netflow.reverse_max_packet_size | | integer | -| netflow.reverse_maximum_ip_total_length | | long | -| netflow.reverse_maximum_layer2_total_length | | long | -| netflow.reverse_maximum_ttl | | short | -| netflow.reverse_message_md5_checksum | | keyword | -| netflow.reverse_message_scope | | short | -| netflow.reverse_metering_process_id | | long | -| netflow.reverse_metro_evc_id | | keyword | -| netflow.reverse_metro_evc_type | | short | -| netflow.reverse_min_export_seconds | | long | -| netflow.reverse_min_flow_start_microseconds | | long | -| netflow.reverse_min_flow_start_milliseconds | | long | -| netflow.reverse_min_flow_start_nanoseconds | | long | -| netflow.reverse_min_flow_start_seconds | | long | -| netflow.reverse_minimum_ip_total_length | | long | -| netflow.reverse_minimum_layer2_total_length | | long | -| netflow.reverse_minimum_ttl | | short | -| netflow.reverse_monitoring_interval_end_milli_seconds | | long | -| netflow.reverse_monitoring_interval_start_milli_seconds | | long | -| netflow.reverse_mpls_label_stack_depth | | long | -| netflow.reverse_mpls_label_stack_length | | long | -| netflow.reverse_mpls_label_stack_section | | keyword | -| netflow.reverse_mpls_label_stack_section10 | | keyword | -| netflow.reverse_mpls_label_stack_section2 | | keyword | -| netflow.reverse_mpls_label_stack_section3 | | keyword | -| netflow.reverse_mpls_label_stack_section4 | | keyword | -| netflow.reverse_mpls_label_stack_section5 | | keyword | -| netflow.reverse_mpls_label_stack_section6 | | keyword | -| netflow.reverse_mpls_label_stack_section7 | | keyword | -| netflow.reverse_mpls_label_stack_section8 | | keyword | -| netflow.reverse_mpls_label_stack_section9 | | keyword | -| netflow.reverse_mpls_payload_length | | long | -| netflow.reverse_mpls_payload_packet_section | | keyword | -| netflow.reverse_mpls_top_label_exp | | short | -| netflow.reverse_mpls_top_label_ipv4_address | | ip | -| 
netflow.reverse_mpls_top_label_ipv6_address | | ip | -| netflow.reverse_mpls_top_label_prefix_length | | short | -| netflow.reverse_mpls_top_label_stack_section | | keyword | -| netflow.reverse_mpls_top_label_ttl | | short | -| netflow.reverse_mpls_top_label_type | | short | -| netflow.reverse_mpls_vpn_route_distinguisher | | keyword | -| netflow.reverse_multicast_replication_factor | | long | -| netflow.reverse_nat_event | | short | -| netflow.reverse_nat_originating_address_realm | | short | -| netflow.reverse_nat_pool_id | | long | -| netflow.reverse_nat_pool_name | | keyword | -| netflow.reverse_nat_type | | short | -| netflow.reverse_new_connection_delta_count | | long | -| netflow.reverse_next_header_ipv6 | | short | -| netflow.reverse_non_empty_packet_count | | long | -| netflow.reverse_not_sent_layer2_octet_total_count | | long | -| netflow.reverse_observation_domain_name | | keyword | -| netflow.reverse_observation_point_id | | long | -| netflow.reverse_observation_point_type | | short | -| netflow.reverse_observation_time_microseconds | | long | -| netflow.reverse_observation_time_milliseconds | | long | -| netflow.reverse_observation_time_nanoseconds | | long | -| netflow.reverse_observation_time_seconds | | long | -| netflow.reverse_octet_delta_count | | long | -| netflow.reverse_octet_delta_sum_of_squares | | long | -| netflow.reverse_octet_total_count | | long | -| netflow.reverse_octet_total_sum_of_squares | | long | -| netflow.reverse_opaque_octets | | keyword | -| netflow.reverse_original_exporter_ipv4_address | | ip | -| netflow.reverse_original_exporter_ipv6_address | | ip | -| netflow.reverse_original_flows_completed | | long | -| netflow.reverse_original_flows_initiated | | long | -| netflow.reverse_original_flows_present | | long | -| netflow.reverse_original_observation_domain_id | | long | -| netflow.reverse_os_finger_print | | keyword | -| netflow.reverse_os_name | | keyword | -| netflow.reverse_os_version | | keyword | -| 
netflow.reverse_p2p_technology | | keyword | -| netflow.reverse_packet_delta_count | | long | -| netflow.reverse_packet_total_count | | long | -| netflow.reverse_payload | | keyword | -| netflow.reverse_payload_entropy | | short | -| netflow.reverse_payload_length_ipv6 | | integer | -| netflow.reverse_port_id | | long | -| netflow.reverse_port_range_end | | integer | -| netflow.reverse_port_range_num_ports | | integer | -| netflow.reverse_port_range_start | | integer | -| netflow.reverse_port_range_step_size | | integer | -| netflow.reverse_post_destination_mac_address | | keyword | -| netflow.reverse_post_dot1q_customer_vlan_id | | integer | -| netflow.reverse_post_dot1q_vlan_id | | integer | -| netflow.reverse_post_ip_class_of_service | | short | -| netflow.reverse_post_ip_diff_serv_code_point | | short | -| netflow.reverse_post_ip_precedence | | short | -| netflow.reverse_post_layer2_octet_delta_count | | long | -| netflow.reverse_post_layer2_octet_total_count | | long | -| netflow.reverse_post_mcast_layer2_octet_delta_count | | long | -| netflow.reverse_post_mcast_layer2_octet_total_count | | long | -| netflow.reverse_post_mcast_octet_delta_count | | long | -| netflow.reverse_post_mcast_octet_total_count | | long | -| netflow.reverse_post_mcast_packet_delta_count | | long | -| netflow.reverse_post_mcast_packet_total_count | | long | -| netflow.reverse_post_mpls_top_label_exp | | short | -| netflow.reverse_post_napt_destination_transport_port | | integer | -| netflow.reverse_post_napt_source_transport_port | | integer | -| netflow.reverse_post_nat_destination_ipv4_address | | ip | -| netflow.reverse_post_nat_destination_ipv6_address | | ip | -| netflow.reverse_post_nat_source_ipv4_address | | ip | -| netflow.reverse_post_nat_source_ipv6_address | | ip | -| netflow.reverse_post_octet_delta_count | | long | -| netflow.reverse_post_octet_total_count | | long | -| netflow.reverse_post_packet_delta_count | | long | -| netflow.reverse_post_packet_total_count | | long 
| -| netflow.reverse_post_source_mac_address | | keyword | -| netflow.reverse_post_vlan_id | | integer | -| netflow.reverse_private_enterprise_number | | long | -| netflow.reverse_protocol_identifier | | short | -| netflow.reverse_pseudo_wire_control_word | | long | -| netflow.reverse_pseudo_wire_destination_ipv4_address | | ip | -| netflow.reverse_pseudo_wire_id | | long | -| netflow.reverse_pseudo_wire_type | | integer | -| netflow.reverse_relative_error | | double | -| netflow.reverse_responder_octets | | long | -| netflow.reverse_responder_packets | | long | -| netflow.reverse_rfc3550_jitter_microseconds | | long | -| netflow.reverse_rfc3550_jitter_milliseconds | | long | -| netflow.reverse_rfc3550_jitter_nanoseconds | | long | -| netflow.reverse_rtp_payload_type | | short | -| netflow.reverse_rtp_sequence_number | | integer | -| netflow.reverse_sampler_id | | short | -| netflow.reverse_sampler_mode | | short | -| netflow.reverse_sampler_name | | keyword | -| netflow.reverse_sampler_random_interval | | long | -| netflow.reverse_sampling_algorithm | | short | -| netflow.reverse_sampling_flow_interval | | long | -| netflow.reverse_sampling_flow_spacing | | long | -| netflow.reverse_sampling_interval | | long | -| netflow.reverse_sampling_packet_interval | | long | -| netflow.reverse_sampling_packet_space | | long | -| netflow.reverse_sampling_population | | long | -| netflow.reverse_sampling_probability | | double | -| netflow.reverse_sampling_size | | long | -| netflow.reverse_sampling_time_interval | | long | -| netflow.reverse_sampling_time_space | | long | -| netflow.reverse_second_packet_banner | | keyword | -| netflow.reverse_section_exported_octets | | integer | -| netflow.reverse_section_offset | | integer | -| netflow.reverse_selection_sequence_id | | long | -| netflow.reverse_selector_algorithm | | integer | -| netflow.reverse_selector_id | | long | -| netflow.reverse_selector_id_total_flows_observed | | long | -| 
netflow.reverse_selector_id_total_flows_selected | | long | -| netflow.reverse_selector_id_total_pkts_observed | | long | -| netflow.reverse_selector_id_total_pkts_selected | | long | -| netflow.reverse_selector_name | | keyword | -| netflow.reverse_session_scope | | short | -| netflow.reverse_small_packet_count | | long | -| netflow.reverse_source_ipv4_address | | ip | -| netflow.reverse_source_ipv4_prefix | | ip | -| netflow.reverse_source_ipv4_prefix_length | | short | -| netflow.reverse_source_ipv6_address | | ip | -| netflow.reverse_source_ipv6_prefix | | ip | -| netflow.reverse_source_ipv6_prefix_length | | short | -| netflow.reverse_source_mac_address | | keyword | -| netflow.reverse_source_transport_port | | integer | -| netflow.reverse_src_traffic_index | | long | -| netflow.reverse_sta_ipv4_address | | ip | -| netflow.reverse_sta_mac_address | | keyword | -| netflow.reverse_standard_deviation_interarrival_time | | long | -| netflow.reverse_standard_deviation_payload_length | | integer | -| netflow.reverse_system_init_time_milliseconds | | long | -| netflow.reverse_tcp_ack_total_count | | long | -| netflow.reverse_tcp_acknowledgement_number | | long | -| netflow.reverse_tcp_control_bits | | integer | -| netflow.reverse_tcp_destination_port | | integer | -| netflow.reverse_tcp_fin_total_count | | long | -| netflow.reverse_tcp_header_length | | short | -| netflow.reverse_tcp_options | | long | -| netflow.reverse_tcp_psh_total_count | | long | -| netflow.reverse_tcp_rst_total_count | | long | -| netflow.reverse_tcp_sequence_number | | long | -| netflow.reverse_tcp_source_port | | integer | -| netflow.reverse_tcp_syn_total_count | | long | -| netflow.reverse_tcp_urg_total_count | | long | -| netflow.reverse_tcp_urgent_pointer | | integer | -| netflow.reverse_tcp_window_scale | | integer | -| netflow.reverse_tcp_window_size | | integer | -| netflow.reverse_total_length_ipv4 | | integer | -| netflow.reverse_transport_octet_delta_count | | long | -| 
netflow.reverse_transport_packet_delta_count | | long | -| netflow.reverse_tunnel_technology | | keyword | -| netflow.reverse_udp_destination_port | | integer | -| netflow.reverse_udp_message_length | | integer | -| netflow.reverse_udp_source_port | | integer | -| netflow.reverse_union_tcp_flags | | short | -| netflow.reverse_upper_ci_limit | | double | -| netflow.reverse_user_name | | keyword | -| netflow.reverse_value_distribution_method | | short | -| netflow.reverse_virtual_station_interface_id | | keyword | -| netflow.reverse_virtual_station_interface_name | | keyword | -| netflow.reverse_virtual_station_name | | keyword | -| netflow.reverse_virtual_station_uuid | | keyword | -| netflow.reverse_vlan_id | | integer | -| netflow.reverse_vr_fname | | keyword | -| netflow.reverse_wlan_channel_id | | short | -| netflow.reverse_wlan_ssid | | keyword | -| netflow.reverse_wtp_mac_address | | keyword | -| netflow.rfc3550_jitter_microseconds | | long | -| netflow.rfc3550_jitter_milliseconds | | long | -| netflow.rfc3550_jitter_nanoseconds | | long | -| netflow.rtp_payload_type | | short | -| netflow.rtp_sequence_number | | integer | -| netflow.sampler_id | | short | -| netflow.sampler_mode | | short | -| netflow.sampler_name | | keyword | -| netflow.sampler_random_interval | | long | -| netflow.sampling_algorithm | | short | -| netflow.sampling_flow_interval | | long | -| netflow.sampling_flow_spacing | | long | -| netflow.sampling_interval | | long | -| netflow.sampling_packet_interval | | long | -| netflow.sampling_packet_space | | long | -| netflow.sampling_population | | long | -| netflow.sampling_probability | | double | -| netflow.sampling_size | | long | -| netflow.sampling_time_interval | | long | -| netflow.sampling_time_space | | long | -| netflow.second_packet_banner | | keyword | -| netflow.section_exported_octets | | integer | -| netflow.section_offset | | integer | -| netflow.selection_sequence_id | | long | -| netflow.selector_algorithm | | integer | -| 
netflow.selector_id | | long | -| netflow.selector_id_total_flows_observed | | long | -| netflow.selector_id_total_flows_selected | | long | -| netflow.selector_id_total_pkts_observed | | long | -| netflow.selector_id_total_pkts_selected | | long | -| netflow.selector_name | | keyword | -| netflow.service_name | | keyword | -| netflow.session_scope | | short | -| netflow.silk_app_label | | integer | -| netflow.small_packet_count | | long | -| netflow.source_ipv4_address | | ip | -| netflow.source_ipv4_prefix | | ip | -| netflow.source_ipv4_prefix_length | | short | -| netflow.source_ipv6_address | | ip | -| netflow.source_ipv6_prefix | | ip | -| netflow.source_ipv6_prefix_length | | short | -| netflow.source_mac_address | | keyword | -| netflow.source_transport_port | | integer | -| netflow.source_transport_ports_limit | | integer | -| netflow.src_traffic_index | | long | -| netflow.ssl_cert_serial_number | | keyword | -| netflow.ssl_cert_signature | | keyword | -| netflow.ssl_cert_validity_not_after | | keyword | -| netflow.ssl_cert_validity_not_before | | keyword | -| netflow.ssl_cert_version | | short | -| netflow.ssl_certificate_hash | | keyword | -| netflow.ssl_cipher | | keyword | -| netflow.ssl_client_version | | short | -| netflow.ssl_compression_method | | short | -| netflow.ssl_object_type | | keyword | -| netflow.ssl_object_value | | keyword | -| netflow.ssl_public_key_algorithm | | keyword | -| netflow.ssl_public_key_length | | keyword | -| netflow.ssl_server_cipher | | long | -| netflow.ssl_server_name | | keyword | -| netflow.sta_ipv4_address | | ip | -| netflow.sta_mac_address | | keyword | -| netflow.standard_deviation_interarrival_time | | long | -| netflow.standard_deviation_payload_length | | short | -| netflow.system_init_time_milliseconds | | date | -| netflow.tcp_ack_total_count | | long | -| netflow.tcp_acknowledgement_number | | long | -| netflow.tcp_control_bits | | integer | -| netflow.tcp_destination_port | | integer | -| 
netflow.tcp_fin_total_count | | long | -| netflow.tcp_header_length | | short | -| netflow.tcp_options | | long | -| netflow.tcp_psh_total_count | | long | -| netflow.tcp_rst_total_count | | long | -| netflow.tcp_sequence_number | | long | -| netflow.tcp_source_port | | integer | -| netflow.tcp_syn_total_count | | long | -| netflow.tcp_urg_total_count | | long | -| netflow.tcp_urgent_pointer | | integer | -| netflow.tcp_window_scale | | integer | -| netflow.tcp_window_size | | integer | -| netflow.template_id | | integer | -| netflow.tftp_filename | | keyword | -| netflow.tftp_mode | | keyword | -| netflow.timestamp | | long | -| netflow.timestamp_absolute_monitoring-interval | | long | -| netflow.total_length_ipv4 | | integer | -| netflow.traffic_type | | short | -| netflow.transport_octet_delta_count | | long | -| netflow.transport_packet_delta_count | | long | -| netflow.tunnel_technology | | keyword | -| netflow.type | The type of NetFlow record described by this event. | keyword | -| netflow.udp_destination_port | | integer | -| netflow.udp_message_length | | integer | -| netflow.udp_source_port | | integer | -| netflow.union_tcp_flags | | short | -| netflow.upper_ci_limit | | double | -| netflow.user_name | | keyword | -| netflow.username | | keyword | -| netflow.value_distribution_method | | short | -| netflow.viptela_vpn_id | | long | -| netflow.virtual_station_interface_id | | short | -| netflow.virtual_station_interface_name | | keyword | -| netflow.virtual_station_name | | keyword | -| netflow.virtual_station_uuid | | short | -| netflow.vlan_id | | integer | -| netflow.vmware_egress_interface_attr | | integer | -| netflow.vmware_ingress_interface_attr | | integer | -| netflow.vmware_tenant_dest_ipv4 | | ip | -| netflow.vmware_tenant_dest_ipv6 | | ip | -| netflow.vmware_tenant_dest_port | | integer | -| netflow.vmware_tenant_protocol | | short | -| netflow.vmware_tenant_source_ipv4 | | ip | -| netflow.vmware_tenant_source_ipv6 | | ip | -| 
netflow.vmware_tenant_source_port | | integer | -| netflow.vmware_vxlan_export_role | | short | -| netflow.vpn_identifier | | short | -| netflow.vr_fname | | keyword | -| netflow.waasoptimization_segment | | short | -| netflow.wlan_channel_id | | short | -| netflow.wlan_ssid | | keyword | -| netflow.wtp_mac_address | | keyword | -| netflow.xlate_destination_address_ip_v4 | | ip | -| netflow.xlate_destination_port | | integer | -| netflow.xlate_source_address_ip_v4 | | ip | -| netflow.xlate_source_port | | integer | -| network.application | When a specific application or service is identified from network connection details (source/dest IPs, ports, certificates, or wire format), this field captures the application's or service's name. For example, the original event identifies the network connection being from a specific web service in a `https` network connection, like `facebook` or `twitter`. The field value must be normalized to lowercase for querying. | keyword | -| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long | -| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword | -| network.direction | Direction of the network traffic. When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. 
Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword | -| network.forwarded_ip | Host IP address when the source IP address is the proxy. | ip | -| network.iana_number | IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. | keyword | -| network.name | Name given by operators to sections of their network. | keyword | -| network.packets | Total packets transferred in both directions. If `source.packets` and `destination.packets` are known, `network.packets` is their sum. | long | -| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword | -| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword | -| network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword | -| observer.geo.city_name | City name. | keyword | -| observer.geo.continent_name | Name of the continent. | keyword | -| observer.geo.country_iso_code | Country ISO code. | keyword | -| observer.geo.country_name | Country name. | keyword | -| observer.geo.location | Longitude and latitude. | geo_point | -| observer.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | -| observer.geo.region_iso_code | Region ISO code. 
| keyword | -| observer.geo.region_name | Region name. | keyword | -| observer.hostname | Hostname of the observer. | keyword | -| observer.ip | IP addresses of the observer. | ip | -| observer.mac | MAC addresses of the observer. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | -| observer.name | Custom name of the observer. This is a name that can be given to an observer. This can be helpful for example if multiple firewalls of the same model are used in an organization. If no custom name is needed, the field can be left empty. | keyword | -| observer.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| observer.os.full | Operating system name, including the version or code name. | keyword | -| observer.os.full.text | Multi-field of `observer.os.full`. | match_only_text | -| observer.os.kernel | Operating system kernel version as a raw string. | keyword | -| observer.os.name | Operating system name, without the version. | keyword | -| observer.os.name.text | Multi-field of `observer.os.name`. | match_only_text | -| observer.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| observer.os.version | Operating system version as a raw string. | keyword | -| observer.product | The product name of the observer. | keyword | -| observer.serial_number | Observer serial number. | keyword | -| observer.type | The type of the observer the data is coming from. There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. | keyword | -| observer.vendor | Vendor name of the observer. | keyword | -| observer.version | Observer version. | keyword | -| organization.id | Unique identifier for the organization. 
| keyword | -| organization.name | Organization name. | keyword | -| organization.name.text | Multi-field of `organization.name`. | match_only_text | -| os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| os.full | Operating system name, including the version or code name. | keyword | -| os.full.text | Multi-field of `os.full`. | match_only_text | -| os.kernel | Operating system kernel version as a raw string. | keyword | -| os.name | Operating system name, without the version. | keyword | -| os.name.text | Multi-field of `os.name`. | match_only_text | -| os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| os.version | Operating system version as a raw string. | keyword | -| package.architecture | Package architecture. | keyword | -| package.checksum | Checksum of the installed package for verification. | keyword | -| package.description | Description of the package. | keyword | -| package.install_scope | Indicating how the package was installed, e.g. user-local, global. | keyword | -| package.installed | Time when package was installed. | date | -| package.license | License under which the package was released. Use a short name, e.g. the license identifier from SPDX License List where possible (https://spdx.org/licenses/). | keyword | -| package.name | Package name | keyword | -| package.path | Path where the package is installed. | keyword | -| package.size | Package size in bytes. | long | -| package.version | Package version | keyword | -| process.args | Array of process arguments, starting with the absolute path to the executable. May be filtered to protect sensitive information. | keyword | -| process.executable | Absolute path to the process executable. | keyword | -| process.executable.text | Multi-field of `process.executable`. | match_only_text | -| process.hash.md5 | MD5 hash. | keyword | -| process.hash.sha1 | SHA1 hash. | keyword | -| process.hash.sha256 | SHA256 hash. 
| keyword | -| process.hash.sha512 | SHA512 hash. | keyword | -| process.name | Process name. Sometimes called program name or similar. | keyword | -| process.name.text | Multi-field of `process.name`. | match_only_text | -| process.parent.pid | Process id. | long | -| process.pgid | Deprecated for removal in next major version release. This field is superseded by `process.group_leader.pid`. Identifier of the group of processes the process belongs to. | long | -| process.pid | Process id. | long | -| process.start | The time the process started. | date | -| process.thread.id | Thread ID. | long | -| process.thread.name | Thread name. | keyword | -| process.title | Process title. The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. | keyword | -| process.title.text | Multi-field of `process.title`. | match_only_text | -| process.uptime | Seconds the process has been up. | long | -| process.working_directory | The working directory of the process. | keyword | -| process.working_directory.text | Multi-field of `process.working_directory`. | match_only_text | -| related.ip | All of the IPs seen on your event. | ip | -| server.address | Some event server addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| server.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| server.as.organization.name | Organization name. | keyword | -| server.as.organization.name.text | Multi-field of `server.as.organization.name`. | match_only_text | -| server.bytes | Bytes sent from the server to the client. | long | -| server.domain | The domain name of the server system. 
This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | -| server.geo.city_name | City name. | keyword | -| server.geo.continent_name | Name of the continent. | keyword | -| server.geo.country_iso_code | Country ISO code. | keyword | -| server.geo.country_name | Country name. | keyword | -| server.geo.location | Longitude and latitude. | geo_point | -| server.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | -| server.geo.region_iso_code | Region ISO code. | keyword | -| server.geo.region_name | Region name. | keyword | -| server.ip | IP address of the server (IPv4 or IPv6). | ip | -| server.mac | MAC address of the server. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | -| server.nat.ip | Translated ip of destination based NAT sessions (e.g. internet to private DMZ) Typically used with load balancers, firewalls, or routers. | ip | -| server.nat.port | Translated port of destination based NAT sessions (e.g. internet to private DMZ) Typically used with load balancers, firewalls, or routers. | long | -| server.packets | Packets sent from the server to the client. | long | -| server.port | Port of the server. | long | -| server.registered_domain | The highest registered server domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). 
Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | -| server.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | -| server.user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword | -| server.user.email | User email address. | keyword | -| server.user.full_name | User's full name, if available. | keyword | -| server.user.full_name.text | Multi-field of `server.user.full_name`. | match_only_text | -| server.user.group.domain | Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name. | keyword | -| server.user.group.id | Unique identifier for the group on the system/platform. | keyword | -| server.user.group.name | Name of the group. | keyword | -| server.user.hash | Unique user hash to correlate information for a user in anonymized form. Useful if `user.id` or `user.name` contain confidential information and cannot be used. | keyword | -| server.user.id | Unique identifier of the user. | keyword | -| server.user.name | Short name or login of the user. | keyword | -| server.user.name.text | Multi-field of `server.user.name`. | match_only_text | -| service.ephemeral_id | Ephemeral identifier of this service (if one exists). This id normally changes across restarts, but `service.id` does not. | keyword | -| service.id | Unique identifier of the running service. If the service is comprised of many nodes, the `service.id` should be the same for all nodes. This id should uniquely identify the service. 
This makes it possible to correlate logs and metrics for one specific service, no matter which particular node emitted the event. Note that if you need to see the events from one specific host of the service, you should filter on that `host.name` or `host.id` instead. | keyword | -| service.name | Name of the service data is collected from. The name of the service is normally user given. This allows for distributed services that run on multiple hosts to correlate the related instances based on the name. In the case of Elasticsearch the `service.name` could contain the cluster name. For Beats the `service.name` is by default a copy of the `service.type` field if no name is specified. | keyword | -| service.node.name | Name of a service node. This allows for two nodes of the same service running on the same host to be differentiated. Therefore, `service.node.name` should typically be unique across nodes of a given service. In the case of Elasticsearch, the `service.node.name` could contain the unique node name within the Elasticsearch cluster. In cases where the service doesn't have the concept of a node name, the host name or container name can be used to distinguish running instances that make up this service. If those do not provide uniqueness (e.g. multiple instances of the service running on the same host) - the node name can be manually set. | keyword | -| service.state | Current state of the service. | keyword | -| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword | -| service.version | Version of the service the data was collected from. This allows to look at a data set only for a specific version of a service. | keyword | -| source.address | Some event source addresses are defined ambiguously. 
The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| source.as.organization.name | Organization name. | keyword | -| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text | -| source.bytes | Bytes sent from the source to the destination. | long | -| source.domain | The domain name of the source system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | -| source.geo.city_name | City name. | keyword | -| source.geo.continent_name | Name of the continent. | keyword | -| source.geo.country_iso_code | Country ISO code. | keyword | -| source.geo.country_name | Country name. | keyword | -| source.geo.location | Longitude and latitude. | geo_point | -| source.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | -| source.geo.region_iso_code | Region ISO code. | keyword | -| source.geo.region_name | Region name. | keyword | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| source.locality | Whether the source IP is private or public. | keyword | -| source.mac | MAC address of the source. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. 
| keyword |
-| source.nat.ip | Translated ip of source based NAT sessions (e.g. internal client to internet) Typically connections traversing load balancers, firewalls, or routers. | ip |
-| source.nat.port | Translated port of source based NAT sessions. (e.g. internal client to internet) Typically used with load balancers, firewalls, or routers. | long |
-| source.packets | Packets sent from the source to the destination. | long |
-| source.port | Port of the source. | long |
-| source.registered_domain | The highest registered source domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword |
-| source.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword |
-| source.user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword |
-| source.user.email | User email address. | keyword |
-| source.user.full_name | User's full name, if available. | keyword |
-| source.user.full_name.text | Multi-field of `source.user.full_name`. | match_only_text |
-| source.user.group.domain | Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name. | keyword |
-| source.user.group.id | Unique identifier for the group on the system/platform. | keyword |
-| source.user.group.name | Name of the group. | keyword |
-| source.user.hash | Unique user hash to correlate information for a user in anonymized form. Useful if `user.id` or `user.name` contain confidential information and cannot be used. | keyword |
-| source.user.id | Unique identifier of the user. | keyword |
-| source.user.name | Short name or login of the user. | keyword |
-| source.user.name.text | Multi-field of `source.user.name`. | match_only_text |
-| tags | List of keywords used to tag each event. | keyword |
-| threat.framework | Name of the threat framework used to further categorize and classify the tactic and technique of the reported threat. Framework classification can be provided by detecting systems, evaluated at ingest time, or retrospectively tagged to events. | keyword |
-| threat.tactic.id | The id of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/ ) | keyword |
-| threat.tactic.name | Name of the type of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/) | keyword |
-| threat.tactic.reference | The reference url of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/ ) | keyword |
-| threat.technique.id | The id of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1059/) | keyword |
-| threat.technique.name | The name of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1059/) | keyword |
-| threat.technique.name.text | Multi-field of `threat.technique.name`. | match_only_text |
-| threat.technique.reference | The reference url of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1059/) | keyword |
-| trace.id | Unique identifier of the trace. A trace groups multiple events like transactions that belong together. For example, a user request handled by multiple inter-connected services. | keyword |
-| transaction.id | Unique identifier of the transaction within the scope of its trace. A transaction is the highest level of work measured within a service, such as a request to a server. | keyword |
-| url.domain | Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. | keyword |
-| url.extension | The field contains the file extension from the original request url, excluding the leading dot. The file extension is only set if it exists, as not every url has a file extension. The leading period must not be included. For example, the value must be "png", not ".png". Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword |
-| url.fragment | Portion of the url after the `#`, such as "top". The `#` is not part of the fragment. | keyword |
-| url.full | If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. | wildcard |
-| url.full.text | Multi-field of `url.full`. | match_only_text |
-| url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | wildcard |
-| url.original.text | Multi-field of `url.original`. | match_only_text |
-| url.password | Password of the request. | keyword |
-| url.path | Path of the request, such as "/search". | wildcard |
-| url.port | Port of the request, such as 443. | long |
-| url.query | The query field describes the query string of the request, such as "q=elasticsearch". The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. | keyword |
-| url.registered_domain | The highest registered url domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword |
-| url.scheme | Scheme of the request, such as "https". Note: The `:` is not part of the scheme. | keyword |
-| url.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword |
-| url.username | Username of the request. | keyword |
-| user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword |
-| user.email | User email address. | keyword |
-| user.full_name | User's full name, if available. | keyword |
-| user.full_name.text | Multi-field of `user.full_name`. | match_only_text |
-| user.group.domain | Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name. | keyword |
-| user.group.id | Unique identifier for the group on the system/platform. | keyword |
-| user.group.name | Name of the group. | keyword |
-| user.hash | Unique user hash to correlate information for a user in anonymized form. Useful if `user.id` or `user.name` contain confidential information and cannot be used. | keyword |
-| user.id | Unique identifier of the user. | keyword |
-| user.name | Short name or login of the user. | keyword |
-| user.name.text | Multi-field of `user.name`. | match_only_text |
-| user_agent.device.name | Name of the device. | keyword |
-| user_agent.name | Name of the user agent. | keyword |
-| user_agent.original | Unparsed user_agent string. | keyword |
-| user_agent.original.text | Multi-field of `user_agent.original`. | match_only_text |
-| user_agent.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| user_agent.os.full | Operating system name, including the version or code name. | keyword |
-| user_agent.os.full.text | Multi-field of `user_agent.os.full`. | match_only_text |
-| user_agent.os.kernel | Operating system kernel version as a raw string. | keyword |
-| user_agent.os.name | Operating system name, without the version. | keyword |
-| user_agent.os.name.text | Multi-field of `user_agent.os.name`. | match_only_text |
-| user_agent.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| user_agent.os.version | Operating system version as a raw string. | keyword |
-| user_agent.version | Version of the user agent. | keyword |
-
diff --git a/packages/netflow/2.2.4/kibana/dashboard/netflow-14387a13-53bc-43a4-b9cd-63977aa8d87c.json b/packages/netflow/2.2.4/kibana/dashboard/netflow-14387a13-53bc-43a4-b9cd-63977aa8d87c.json
deleted file mode 100755
index 6df6ba38b4..0000000000
--- a/packages/netflow/2.2.4/kibana/dashboard/netflow-14387a13-53bc-43a4-b9cd-63977aa8d87c.json
+++ /dev/null
@@ -1,72 +0,0 @@ -{ - "attributes": { - "description": "Netflow Top N flows", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"globalState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"netflow.log\"},\"type\":\"phrase\",\"value\":\"netflow.log\"},\"query\":{\"match\":{\"data_stream.dataset\":{\"query\":\"netflow.log\",\"type\":\"phrase\"}}}}],\"highlightAll\":true,\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}" - }, - "optionsJSON": "{\"darkTheme\":false}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":4,\"i\":\"1\",\"w\":48,\"x\":0,\"y\":0},\"panelIndex\":\"1\",\"panelRefName\":\"panel_1\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"h\":20,\"i\":\"2\",\"w\":24,\"x\":0,\"y\":4},\"panelIndex\":\"2\",\"panelRefName\":\"panel_2\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"h\":20,\"i\":\"3\",\"w\":24,\"x\":24,\"y\":4},\"panelIndex\":\"3\",\"panelRefName\":\"panel_3\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"h\":20,\"i\":\"4\",\"w\":24,\"x\":0,\"y\":24},\"panelIndex\":\"4\",\"panelRefName\":\"panel_4\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"h\":20,\"i\":\"5\",\"w\":24,\"x\":24,\"y\":24},\"panelIndex\":\"5\",\"panelRefName\":\"panel_5\",\"type\":\"visua
lization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"h\":20,\"i\":\"6\",\"w\":24,\"x\":0,\"y\":44},\"panelIndex\":\"6\",\"panelRefName\":\"panel_6\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"h\":20,\"i\":\"7\",\"w\":24,\"x\":24,\"y\":44},\"panelIndex\":\"7\",\"panelRefName\":\"panel_7\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"params\":{\"sort\":{\"columnIndex\":2,\"direction\":\"desc\"}}}},\"gridData\":{\"h\":20,\"i\":\"8\",\"w\":24,\"x\":0,\"y\":64},\"panelIndex\":\"8\",\"panelRefName\":\"panel_8\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"h\":20,\"i\":\"9\",\"w\":24,\"x\":24,\"y\":64},\"panelIndex\":\"9\",\"panelRefName\":\"panel_9\",\"type\":\"visualization\",\"version\":\"7.3.0\"}]", - "timeRestore": false, - "title": "[Logs Netflow] Top-N", - "version": 1 - }, - "coreMigrationVersion": "8.0.0", - "id": "netflow-14387a13-53bc-43a4-b9cd-63977aa8d87c", - "migrationVersion": { - "dashboard": "8.0.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "netflow-d4e6520a-9ced-47c9-a8f2-7246e8cbd2d3", - "name": "1:panel_1", - "type": "visualization" - }, - { - "id": "netflow-15295ea6-ba84-47db-8ced-9312abbf495c", - "name": "2:panel_2", - "type": "visualization" - }, - { - "id": "netflow-5303e99b-389c-47b7-ae7a-945c5a92ba49", - "name": "3:panel_3", - "type": "visualization" - }, - { - "id": "netflow-e9ad835b-b2f2-42d3-a3e7-555a593deacf", - "name": "4:panel_4", - "type": "visualization" - }, - { - "id": 
"netflow-31b5f6fd-eb9d-4e97-90fd-367062ef217f", - "name": "5:panel_5", - "type": "visualization" - }, - { - "id": "netflow-2b3d4e86-2254-4033-8fe3-ce4753fafd03", - "name": "6:panel_6", - "type": "visualization" - }, - { - "id": "netflow-036aef95-ec90-468d-ad7c-3cc4405e9e81", - "name": "7:panel_7", - "type": "visualization" - }, - { - "id": "netflow-5292a65b-c532-422a-9008-1251a8073a3a", - "name": "8:panel_8", - "type": "visualization" - }, - { - "id": "netflow-cccff92f-cb71-49a9-9caf-84867751d31e", - "name": "9:panel_9", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/netflow/2.2.4/kibana/dashboard/netflow-34e26884-161a-4448-9556-43b5bf2f62a2.json b/packages/netflow/2.2.4/kibana/dashboard/netflow-34e26884-161a-4448-9556-43b5bf2f62a2.json deleted file mode 100755 index 5121267442..0000000000 --- a/packages/netflow/2.2.4/kibana/dashboard/netflow-34e26884-161a-4448-9556-43b5bf2f62a2.json +++ /dev/null 
@@ -1,92 +0,0 @@ -{ - "attributes": { - "description": "Overview of Netflow", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"globalState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"netflow.log\"},\"type\":\"phrase\",\"value\":\"netflow.log\"},\"query\":{\"match\":{\"data_stream.dataset\":{\"query\":\"netflow.log\",\"type\":\"phrase\"}}}}],\"highlightAll\":true,\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}" - }, - "optionsJSON": "{\"darkTheme\":false}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"12\",\"w\":16,\"x\":0,\"y\":4},\"panelIndex\":\"12\",\"panelRefName\":\"panel_12\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"13\",\"w\":16,\"x\":16,\"y\":4},\"panelIndex\":\"13\",\"panelRefName\":\"panel_13\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"14\",\"w\":16,\"x\":32,\"y\":4},\"panelIndex\":\"14\",\"panelRefName\":\"panel_14\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"15\",\"w\":16,\"x\":16,\"y\":12},\"panelIndex\":\"15\",\"panelRefName\":\"panel_15\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":4,\"i\":\"17\",\"w\":48,\"x\":0,\"y\":0},\"panelIndex\":\"17\",\"panelRefName\":\"panel_17\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"21\",\"w\":16,\"x\":32,\"y\":12},\"panelIndex\":\"21\",\"panelRefName\":\"panel_21\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}
},\"gridData\":{\"h\":8,\"i\":\"22\",\"w\":16,\"x\":16,\"y\":20},\"panelIndex\":\"22\",\"panelRefName\":\"panel_22\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"23\",\"w\":16,\"x\":0,\"y\":12},\"panelIndex\":\"23\",\"panelRefName\":\"panel_23\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"24\",\"w\":16,\"x\":0,\"y\":20},\"panelIndex\":\"24\",\"panelRefName\":\"panel_24\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"25\",\"w\":16,\"x\":32,\"y\":20},\"panelIndex\":\"25\",\"panelRefName\":\"panel_25\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"26\",\"w\":16,\"x\":0,\"y\":28},\"panelIndex\":\"26\",\"panelRefName\":\"panel_26\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"27\",\"w\":16,\"x\":16,\"y\":28},\"panelIndex\":\"27\",\"panelRefName\":\"panel_27\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"29\",\"w\":16,\"x\":32,\"y\":28},\"panelIndex\":\"29\",\"panelRefName\":\"panel_29\",\"type\":\"visualization\",\"version\":\"7.3.0\"}]", - "timeRestore": false, - "title": "[Logs Netflow] Overview", - "version": 1 - }, - "coreMigrationVersion": "8.0.0", - "id": "netflow-34e26884-161a-4448-9556-43b5bf2f62a2", - "migrationVersion": { - "dashboard": "8.0.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "netflow-ae334aec-31fa-4df7-a064-40b18831d819", - "name": "12:panel_12", - "type": "visualization" - }, - { - "id": "netflow-67fdca65-a9df-47f0-a8a4-1e8b056325de", - "name": "13:panel_13", - 
"type": "visualization" - }, - { - "id": "netflow-1558508d-591c-49be-bef4-85fdac18a960", - "name": "14:panel_14", - "type": "visualization" - }, - { - "id": "netflow-1cf30eac-aae8-47fa-a156-37f6346d2d5a", - "name": "15:panel_15", - "type": "visualization" - }, - { - "id": "netflow-d4e6520a-9ced-47c9-a8f2-7246e8cbd2d3", - "name": "17:panel_17", - "type": "visualization" - }, - { - "id": "netflow-7fa6cb0a-518d-46e9-a228-15cd4253a957", - "name": "21:panel_21", - "type": "visualization" - }, - { - "id": "netflow-f772028b-d5a6-4d55-b441-493871981a60", - "name": "22:panel_22", - "type": "visualization" - }, - { - "id": "netflow-57e13a20-e94f-4465-a942-42148634a1d2", - "name": "23:panel_23", - "type": "visualization" - }, - { - "id": "netflow-b02c2713-17f0-41dd-88a3-ce33b446f19d", - "name": "24:panel_24", - "type": "visualization" - }, - { - "id": "netflow-5ccac452-e90a-4dde-ae9b-1be36ce3f761", - "name": "25:panel_25", - "type": "visualization" - }, - { - "id": "netflow-31708a70-4957-4a8a-8065-5c88a344ad02", - "name": "26:panel_26", - "type": "visualization" - }, - { - "id": "netflow-b677cd82-b33e-49b3-8b6e-0e110177b163", - "name": "27:panel_27", - "type": "visualization" - }, - { - "id": "netflow-3dec20c0-0d4f-43ef-8864-3779e1a1b33f", - "name": "29:panel_29", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/netflow/2.2.4/kibana/dashboard/netflow-38012abe-c611-4124-8497-381fcd85acc8.json b/packages/netflow/2.2.4/kibana/dashboard/netflow-38012abe-c611-4124-8497-381fcd85acc8.json deleted file mode 100755 index 8c9c9643d8..0000000000 --- a/packages/netflow/2.2.4/kibana/dashboard/netflow-38012abe-c611-4124-8497-381fcd85acc8.json +++ /dev/null 
@@ -1,232 +0,0 @@ -{ - "attributes": { - "description": "Netflow traffic analysis", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"globalState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"netflow.log\"},\"type\":\"phrase\",\"value\":\"netflow.log\"},\"query\":{\"match\":{\"data_stream.dataset\":{\"query\":\"netflow.log\",\"type\":\"phrase\"}}}}],\"highlightAll\":true,\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}" - }, - "optionsJSON": "{\"darkTheme\":false}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"1\",\"w\":24,\"x\":24,\"y\":84},\"panelIndex\":\"1\",\"panelRefName\":\"panel_1\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":4,\"i\":\"4\",\"w\":48,\"x\":0,\"y\":0},\"panelIndex\":\"4\",\"panelRefName\":\"panel_4\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"5\",\"w\":24,\"x\":24,\"y\":108},\"panelIndex\":\"5\",\"panelRefName\":\"panel_5\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"6\",\"w\":24,\"x\":0,\"y\":108},\"panelIndex\":\"6\",\"panelRefName\":\"panel_6\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"7\",\"w\":24,\"x\":24,\"y\":36},\"panelIndex\":\"7\",\"panelRefName\":\"panel_7\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"9\",\"w\":24,\"x\":0,\"y\":84},\"panelIndex\":\"9\",\"panelRefName\":\"panel_9\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"grid
Data\":{\"h\":8,\"i\":\"10\",\"w\":24,\"x\":24,\"y\":60},\"panelIndex\":\"10\",\"panelRefName\":\"panel_10\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"11\",\"w\":24,\"x\":0,\"y\":60},\"panelIndex\":\"11\",\"panelRefName\":\"panel_11\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"12\",\"w\":24,\"x\":0,\"y\":36},\"panelIndex\":\"12\",\"panelRefName\":\"panel_12\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"13\",\"w\":24,\"x\":0,\"y\":12},\"panelIndex\":\"13\",\"panelRefName\":\"panel_13\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"14\",\"w\":24,\"x\":24,\"y\":12},\"panelIndex\":\"14\",\"panelRefName\":\"panel_14\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"legendOpen\":true}},\"gridData\":{\"h\":8,\"i\":\"15\",\"w\":16,\"x\":0,\"y\":4},\"panelIndex\":\"15\",\"panelRefName\":\"panel_15\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"16\",\"w\":16,\"x\":0,\"y\":28},\"panelIndex\":\"16\",\"panelRefName\":\"panel_16\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"17\",\"w\":16,\"x\":24,\"y\":4},\"panelIndex\":\"17\",\"panelRefName\":\"panel_17\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"18\",\"w\":16,\"x\":24,\"y\":28},\"panelIndex\":\"18\",\"panelRefName\":\"panel_18\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"19\",\"w\":16,\"x\":0,\"y\":52},\"panelIndex\":\"19\",\"panelRefName\":\
"panel_19\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"20\",\"w\":16,\"x\":24,\"y\":52},\"panelIndex\":\"20\",\"panelRefName\":\"panel_20\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"21\",\"w\":16,\"x\":0,\"y\":76},\"panelIndex\":\"21\",\"panelRefName\":\"panel_21\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"22\",\"w\":16,\"x\":24,\"y\":76},\"panelIndex\":\"22\",\"panelRefName\":\"panel_22\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"23\",\"w\":16,\"x\":0,\"y\":100},\"panelIndex\":\"23\",\"panelRefName\":\"panel_23\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"24\",\"w\":16,\"x\":24,\"y\":100},\"panelIndex\":\"24\",\"panelRefName\":\"panel_24\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"25\",\"w\":24,\"x\":0,\"y\":20},\"panelIndex\":\"25\",\"panelRefName\":\"panel_25\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}},\"gridData\":{\"h\":8,\"i\":\"26\",\"w\":8,\"x\":40,\"y\":4},\"panelIndex\":\"26\",\"panelRefName\":\"panel_26\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"defaultColors\":{\"0 - 
100\":\"rgb(0,104,55)\"}}},\"gridData\":{\"h\":8,\"i\":\"27\",\"w\":8,\"x\":16,\"y\":4},\"panelIndex\":\"27\",\"panelRefName\":\"panel_27\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"28\",\"w\":24,\"x\":24,\"y\":20},\"panelIndex\":\"28\",\"panelRefName\":\"panel_28\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}},\"gridData\":{\"h\":8,\"i\":\"29\",\"w\":8,\"x\":40,\"y\":28},\"panelIndex\":\"29\",\"panelRefName\":\"panel_29\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}},\"gridData\":{\"h\":8,\"i\":\"30\",\"w\":8,\"x\":16,\"y\":28},\"panelIndex\":\"30\",\"panelRefName\":\"panel_30\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"31\",\"w\":24,\"x\":24,\"y\":92},\"panelIndex\":\"31\",\"panelRefName\":\"panel_31\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"34\",\"w\":24,\"x\":24,\"y\":116},\"panelIndex\":\"34\",\"panelRefName\":\"panel_34\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"35\",\"w\":24,\"x\":0,\"y\":116},\"panelIndex\":\"35\",\"panelRefName\":\"panel_35\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"38\",\"w\":24,\"x\":24,\"y\":44},\"panelIndex\":\"38\",\"panelRefName\":\"panel_38\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"42\",\"w\":24,\"x\":0,\"y\":44},\"panelIndex\":\"42\",\"panelRefName\":\"panel_42\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\
":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"44\",\"w\":24,\"x\":0,\"y\":92},\"panelIndex\":\"44\",\"panelRefName\":\"panel_44\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"45\",\"w\":24,\"x\":0,\"y\":68},\"panelIndex\":\"45\",\"panelRefName\":\"panel_45\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"47\",\"w\":24,\"x\":24,\"y\":68},\"panelIndex\":\"47\",\"panelRefName\":\"panel_47\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}},\"gridData\":{\"h\":8,\"i\":\"48\",\"w\":8,\"x\":16,\"y\":52},\"panelIndex\":\"48\",\"panelRefName\":\"panel_48\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}},\"gridData\":{\"h\":8,\"i\":\"49\",\"w\":8,\"x\":40,\"y\":52},\"panelIndex\":\"49\",\"panelRefName\":\"panel_49\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}},\"gridData\":{\"h\":8,\"i\":\"50\",\"w\":8,\"x\":40,\"y\":76},\"panelIndex\":\"50\",\"panelRefName\":\"panel_50\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}},\"gridData\":{\"h\":8,\"i\":\"51\",\"w\":8,\"x\":40,\"y\":100},\"panelIndex\":\"51\",\"panelRefName\":\"panel_51\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"defaultColors\":{\"0 - 
100\":\"rgb(0,104,55)\"}}},\"gridData\":{\"h\":8,\"i\":\"52\",\"w\":8,\"x\":16,\"y\":100},\"panelIndex\":\"52\",\"panelRefName\":\"panel_52\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}},\"gridData\":{\"h\":8,\"i\":\"53\",\"w\":8,\"x\":16,\"y\":76},\"panelIndex\":\"53\",\"panelRefName\":\"panel_53\",\"type\":\"visualization\",\"version\":\"7.3.0\"}]", - "timeRestore": false, - "title": "[Logs Netflow] Traffic Analysis", - "version": 1 - }, - "coreMigrationVersion": "8.0.0", - "id": "netflow-38012abe-c611-4124-8497-381fcd85acc8", - "migrationVersion": { - "dashboard": "8.0.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "netflow-abfa0b19-60cd-4984-9c3d-02ebf0aa1dfb", - "name": "1:panel_1", - "type": "visualization" - }, - { - "id": "netflow-d4e6520a-9ced-47c9-a8f2-7246e8cbd2d3", - "name": "4:panel_4", - "type": "visualization" - }, - { - "id": "netflow-1e74d5cb-556d-42ee-8042-88f6c1af47f0", - "name": "5:panel_5", - "type": "visualization" - }, - { - "id": "netflow-5cfb2c9a-4815-4a25-9d7e-ab0ef55ffe63", - "name": "6:panel_6", - "type": "visualization" - }, - { - "id": "netflow-3e27fb83-b3e3-4c15-b999-ed6da49b7a86", - "name": "7:panel_7", - "type": "visualization" - }, - { - "id": "netflow-5d868836-c7b2-4812-bf47-4838aac281d9", - "name": "9:panel_9", - "type": "visualization" - }, - { - "id": "netflow-a5efa3dd-f53a-4d14-9d3f-ee73345fd93d", - "name": "10:panel_10", - "type": "visualization" - }, - { - "id": "netflow-717cd7c7-bfca-435d-8ee7-38259927aade", - "name": "11:panel_11", - "type": "visualization" - }, - { - "id": "netflow-f668ecdb-eec7-44c6-9060-26aaf9fc8404", - "name": "12:panel_12", - "type": "visualization" - }, - { - "id": "netflow-6bbd6712-494a-4fd9-b3d3-757304681f0f", - "name": "13:panel_13", - "type": "visualization" - }, - { - "id": 
"netflow-681f0ce4-d828-4a99-b643-0c0715530050", - "name": "14:panel_14", - "type": "visualization" - }, - { - "id": "netflow-fd6c1144-5026-4795-b7af-a9aa3fc28c56", - "name": "15:panel_15", - "type": "visualization" - }, - { - "id": "netflow-0b2818fd-aecc-4bef-b566-9466eb702ae4", - "name": "16:panel_16", - "type": "visualization" - }, - { - "id": "netflow-248e00b4-8fc2-406f-8907-729d5380aaa7", - "name": "17:panel_17", - "type": "visualization" - }, - { - "id": "netflow-cf399a85-e348-4ac1-a399-e8f5a44114c4", - "name": "18:panel_18", - "type": "visualization" - }, - { - "id": "netflow-1cf30eac-aae8-47fa-a156-37f6346d2d5a", - "name": "19:panel_19", - "type": "visualization" - }, - { - "id": "netflow-7fa6cb0a-518d-46e9-a228-15cd4253a957", - "name": "20:panel_20", - "type": "visualization" - }, - { - "id": "netflow-57e13a20-e94f-4465-a942-42148634a1d2", - "name": "21:panel_21", - "type": "visualization" - }, - { - "id": "netflow-f772028b-d5a6-4d55-b441-493871981a60", - "name": "22:panel_22", - "type": "visualization" - }, - { - "id": "netflow-a14c3248-952d-42aa-bd7d-9b39157a776f", - "name": "23:panel_23", - "type": "visualization" - }, - { - "id": "netflow-a685420e-c45f-4b62-932b-5b76ac8b8ca2", - "name": "24:panel_24", - "type": "visualization" - }, - { - "id": "netflow-0528bc66-6981-400a-a02d-c1d221b38890", - "name": "25:panel_25", - "type": "visualization" - }, - { - "id": "netflow-e99dc327-03de-4561-9e0c-f550710125c2", - "name": "26:panel_26", - "type": "visualization" - }, - { - "id": "netflow-32e712ed-fa15-4db7-8575-8476e8d65b03", - "name": "27:panel_27", - "type": "visualization" - }, - { - "id": "netflow-d59a031c-70d6-47d7-966d-7fcb805be9be", - "name": "28:panel_28", - "type": "visualization" - }, - { - "id": "netflow-af707b01-29f1-462b-b279-6d2e803f3645", - "name": "29:panel_29", - "type": "visualization" - }, - { - "id": "netflow-ddd27657-c3c8-4f82-8059-6d7763dd599b", - "name": "30:panel_30", - "type": "visualization" - }, - { - "id": 
"netflow-30cd1009-2925-4c9b-820d-d689f5d1efda", - "name": "31:panel_31", - "type": "visualization" - }, - { - "id": "netflow-7d447b22-89dc-4f32-b549-4b8620af4d76", - "name": "34:panel_34", - "type": "visualization" - }, - { - "id": "netflow-d41a9663-e5ad-47a7-955e-3803ae4e23c0", - "name": "35:panel_35", - "type": "visualization" - }, - { - "id": "netflow-3a4209e2-281c-467e-b5cb-315bf4a2661f", - "name": "38:panel_38", - "type": "visualization" - }, - { - "id": "netflow-201d7dd1-a880-4a64-b631-db5629340db9", - "name": "42:panel_42", - "type": "visualization" - }, - { - "id": "netflow-8f83cf97-4a48-421f-8db5-690297d1f4fb", - "name": "44:panel_44", - "type": "visualization" - }, - { - "id": "netflow-a1704d46-15fc-41c2-851d-796ceb49877f", - "name": "45:panel_45", - "type": "visualization" - }, - { - "id": "netflow-15e2a267-2495-4df2-a121-abe410d2f18c", - "name": "47:panel_47", - "type": "visualization" - }, - { - "id": "netflow-f27c1479-0625-4cdc-92de-672e47db0f87", - "name": "48:panel_48", - "type": "visualization" - }, - { - "id": "netflow-0177bf1a-cba8-4ba6-a1d7-73caed86ffc2", - "name": "49:panel_49", - "type": "visualization" - }, - { - "id": "netflow-d5568704-e30b-4108-bb49-06a9b8dce6a6", - "name": "50:panel_50", - "type": "visualization" - }, - { - "id": "netflow-16262df9-a979-4136-935e-d883c7d373d7", - "name": "51:panel_51", - "type": "visualization" - }, - { - "id": "netflow-63ef5338-fdf2-488e-b78a-f0e98daccc95", - "name": "52:panel_52", - "type": "visualization" - }, - { - "id": "netflow-2dca3025-692c-4876-8bcc-e0b248dc9819", - "name": "53:panel_53", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/netflow/2.2.4/kibana/dashboard/netflow-77326664-23be-4bf1-a126-6d7e60cfc024.json b/packages/netflow/2.2.4/kibana/dashboard/netflow-77326664-23be-4bf1-a126-6d7e60cfc024.json deleted file mode 100755 index 8e2e71878d..0000000000 
--- a/packages/netflow/2.2.4/kibana/dashboard/netflow-77326664-23be-4bf1-a126-6d7e60cfc024.json
+++ /dev/null
@@ -1,52 +0,0 @@ -{ - "attributes": { - "description": "Netflow geo location", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"netflow.log\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":{\"query\":\"netflow.log\"}}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"darkTheme\":false}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"17\",\"w\":16,\"x\":0,\"y\":4},\"panelIndex\":\"17\",\"panelRefName\":\"panel_17\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"18\",\"w\":16,\"x\":0,\"y\":12},\"panelIndex\":\"18\",\"panelRefName\":\"panel_18\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"19\",\"w\":16,\"x\":0,\"y\":20},\"panelIndex\":\"19\",\"panelRefName\":\"panel_19\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":4,\"i\":\"20\",\"w\":48,\"x\":0,\"y\":0},\"panelIndex\":\"20\",\"panelRefName\":\"panel_20\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"attributes\":{\"description\":\"\",\"layerListJSON\":\"[{\\\"sourceDescriptor\\\":{\\\"type\\\":\\\"EMS_TMS\\\",\\\"isAutoSelect\\\":true,\\\"lightModeDefault\\\":\\\"road_map_desaturated\\\"},\\\"id\\\":\\\"9afd9bfb-ab56-4bc3-a8c6-e412c1bc7f24\\\",\\\"label\\\":null,\\\"minZoom\\\":0,\\\"maxZoom\\\":24,\\\"alpha\\\":1,\\\"visible\\\":true,\\\"style\\\":{\\\"type\\\":\\\"TILE\\\"},\\\"includeInFitToBounds\\\":true,\\\"type\\\":\\\"VECTOR_TILE\\\"},{\\\"alpha\\\":0.75,\\\"id\\\":\\\"85982ce7-be78-44ec-a692-96c1
18b3a187\\\",\\\"includeInFitToBounds\\\":true,\\\"label\\\":\\\"Destination Geo Location Heatmap [Logs Netflow]\\\",\\\"maxZoom\\\":24,\\\"minZoom\\\":0,\\\"sourceDescriptor\\\":{\\\"applyForceRefresh\\\":true,\\\"applyGlobalQuery\\\":true,\\\"applyGlobalTime\\\":true,\\\"geoField\\\":\\\"destination.geo.location\\\",\\\"id\\\":\\\"6972252f-e3a3-4886-abfb-bea957bc1c73\\\",\\\"indexPatternId\\\":\\\"logs-*\\\",\\\"metrics\\\":[{\\\"type\\\":\\\"count\\\"}],\\\"requestType\\\":\\\"heatmap\\\",\\\"resolution\\\":\\\"MOST_FINE\\\",\\\"type\\\":\\\"ES_GEO_GRID\\\"},\\\"style\\\":{\\\"colorRampName\\\":\\\"theclassic\\\",\\\"type\\\":\\\"HEATMAP\\\"},\\\"type\\\":\\\"HEATMAP\\\",\\\"visible\\\":true}]\",\"mapStateJSON\":\"{\\\"zoom\\\":1.78,\\\"center\\\":{\\\"lon\\\":0,\\\"lat\\\":16.40767},\\\"timeFilters\\\":{\\\"from\\\":\\\"now-24h\\\",\\\"to\\\":\\\"now\\\"},\\\"refreshConfig\\\":{\\\"isPaused\\\":true,\\\"interval\\\":0},\\\"query\\\":{\\\"language\\\":\\\"kuery\\\",\\\"query\\\":\\\"\\\"},\\\"filters\\\":[],\\\"settings\\\":{\\\"autoFitToDataBounds\\\":false,\\\"backgroundColor\\\":\\\"#ffffff\\\",\\\"disableInteractive\\\":false,\\\"disableTooltipControl\\\":false,\\\"hideToolbarOverlay\\\":false,\\\"hideLayerControl\\\":false,\\\"hideViewControl\\\":false,\\\"initialLocation\\\":\\\"LAST_SAVED_LOCATION\\\",\\\"fixedLocation\\\":{\\\"lat\\\":0,\\\"lon\\\":0,\\\"zoom\\\":2},\\\"browserLocation\\\":{\\\"zoom\\\":2},\\\"maxZoom\\\":24,\\\"minZoom\\\":0,\\\"showScaleControl\\\":false,\\\"showSpatialFilters\\\":true,\\\"showTimesliderToggleButton\\\":true,\\\"spatialFiltersAlpa\\\":0.3,\\\"spatialFiltersFillColor\\\":\\\"#DA8B45\\\",\\\"spatialFiltersLineColor\\\":\\\"#DA8B45\\\"}}\",\"references\":[],\"title\":\"Destination Geo Location Heatmap [Logs 
Netflow]\",\"uiStateJSON\":\"{\\\"isLayerTOCOpen\\\":true,\\\"openTOCDetails\\\":[]}\"},\"enhancements\":{},\"hiddenLayers\":[],\"isLayerTOCOpen\":true,\"mapBuffer\":{\"maxLat\":66.51326,\"maxLon\":90,\"minLat\":-66.51326,\"minLon\":-90},\"mapCenter\":{\"lat\":16.40767,\"lon\":0,\"zoom\":1.78},\"openTOCDetails\":[]},\"gridData\":{\"h\":24,\"i\":\"41aa0e4c-7e76-4715-bf20-c756e74ffe02\",\"w\":32,\"x\":16,\"y\":4},\"panelIndex\":\"41aa0e4c-7e76-4715-bf20-c756e74ffe02\",\"type\":\"map\",\"version\":\"8.0.0\"}]", - "timeRestore": false, - "title": "[Logs Netflow] Geo Location", - "version": 1 - }, - "coreMigrationVersion": "8.0.0", - "id": "netflow-77326664-23be-4bf1-a126-6d7e60cfc024", - "migrationVersion": { - "dashboard": "8.0.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "netflow-2316bb53-d98a-4f0f-8cd8-51e9fb317823", - "name": "17:panel_17", - "type": "visualization" - }, - { - "id": "netflow-aed09724-0a69-4331-84f5-3d2067c43930", - "name": "18:panel_18", - "type": "visualization" - }, - { - "id": "netflow-f531f957-e8c0-497a-ad41-ef39c2d29671", - "name": "19:panel_19", - "type": "visualization" - }, - { - "id": "netflow-d4e6520a-9ced-47c9-a8f2-7246e8cbd2d3", - "name": "20:panel_20", - "type": "visualization" - }, - { - "id": "logs-*", - "name": "41aa0e4c-7e76-4715-bf20-c756e74ffe02:layer_1_source_index_pattern", - "type": "index-pattern" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/netflow/2.2.4/kibana/dashboard/netflow-94972700-de4a-4272-9143-2fa8d4981365.json b/packages/netflow/2.2.4/kibana/dashboard/netflow-94972700-de4a-4272-9143-2fa8d4981365.json deleted file mode 100755 index 8ffb5c9326..0000000000 --- a/packages/netflow/2.2.4/kibana/dashboard/netflow-94972700-de4a-4272-9143-2fa8d4981365.json +++ /dev/null 
@@ -1,47 +0,0 @@ -{ - "attributes": { - "description": "Netflow flow records", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"globalState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"netflow.log\"},\"type\":\"phrase\",\"value\":\"netflow.log\"},\"query\":{\"match\":{\"data_stream.dataset\":{\"query\":\"netflow.log\",\"type\":\"phrase\"}}}}],\"highlightAll\":true,\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}" - }, - "optionsJSON": "{\"darkTheme\":false}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"2\",\"w\":36,\"x\":12,\"y\":4},\"panelIndex\":\"2\",\"panelRefName\":\"panel_2\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}},\"gridData\":{\"h\":8,\"i\":\"3\",\"w\":12,\"x\":0,\"y\":4},\"panelIndex\":\"3\",\"panelRefName\":\"panel_3\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":4,\"i\":\"4\",\"w\":48,\"x\":0,\"y\":0},\"panelIndex\":\"4\",\"panelRefName\":\"panel_4\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"columns\":[\"source.ip\",\"source.port\",\"destination.ip\",\"destination.port\",\"network.transport\",\"network.bytes\",\"network.packets\"],\"enhancements\":{},\"sort\":[\"@timestamp\",\"desc\"]},\"gridData\":{\"h\":16,\"i\":\"5\",\"w\":48,\"x\":0,\"y\":12},\"panelIndex\":\"5\",\"panelRefName\":\"panel_5\",\"type\":\"search\",\"version\":\"7.3.0\"}]", - "timeRestore": false, - "title": "[Logs Netflow] Flow records", - "version": 1 - }, - "coreMigrationVersion": "8.0.0", - "id": "netflow-94972700-de4a-4272-9143-2fa8d4981365", - "migrationVersion": { - "dashboard": "8.0.0" - }, - 
"references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "netflow-4bb0255e-18ed-45e4-bfb9-de8e35b12094", - "name": "2:panel_2", - "type": "visualization" - }, - { - "id": "netflow-c27c6a3b-93ee-44d5-8d0c-9b097e575f52", - "name": "3:panel_3", - "type": "visualization" - }, - { - "id": "netflow-d4e6520a-9ced-47c9-a8f2-7246e8cbd2d3", - "name": "4:panel_4", - "type": "visualization" - }, - { - "id": "netflow-a34c6611-79d8-4b50-ae3f-8b328d28e24a", - "name": "5:panel_5", - "type": "search" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/netflow/2.2.4/kibana/dashboard/netflow-acd7a630-0c71-4840-bc9e-4a3801374a32.json b/packages/netflow/2.2.4/kibana/dashboard/netflow-acd7a630-0c71-4840-bc9e-4a3801374a32.json deleted file mode 100755 index 273f679d05..0000000000 --- a/packages/netflow/2.2.4/kibana/dashboard/netflow-acd7a630-0c71-4840-bc9e-4a3801374a32.json +++ /dev/null 
@@ -1,52 +0,0 @@ -{ - "attributes": { - "description": "Netflow conversation partners", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"globalState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"netflow.log\"},\"type\":\"phrase\",\"value\":\"netflow.log\"},\"query\":{\"match\":{\"data_stream.dataset\":{\"query\":\"netflow.log\",\"type\":\"phrase\"}}}}],\"highlightAll\":true,\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}" - }, - "optionsJSON": "{\"darkTheme\":false}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"params\":{\"sort\":{\"columnIndex\":2,\"direction\":\"desc\"}}}},\"gridData\":{\"h\":20,\"i\":\"1\",\"w\":48,\"x\":0,\"y\":12},\"panelIndex\":\"1\",\"panelRefName\":\"panel_1\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"2\",\"w\":16,\"x\":32,\"y\":4},\"panelIndex\":\"2\",\"panelRefName\":\"panel_2\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"3\",\"w\":16,\"x\":0,\"y\":4},\"panelIndex\":\"3\",\"panelRefName\":\"panel_3\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"4\",\"w\":16,\"x\":16,\"y\":4},\"panelIndex\":\"4\",\"panelRefName\":\"panel_4\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":4,\"i\":\"5\",\"w\":48,\"x\":0,\"y\":0},\"panelIndex\":\"5\",\"panelRefName\":\"panel_5\",\"type\":\"visualization\",\"version\":\"7.3.0\"}]", - "timeRestore": false, - "title": "[Logs Netflow] Conversation Partners", - "version": 1 - }, - "coreMigrationVersion": "8.0.0", - "id": 
"netflow-acd7a630-0c71-4840-bc9e-4a3801374a32", - "migrationVersion": { - "dashboard": "8.0.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "netflow-ebea013f-9b5b-4f61-a9c8-c62bebf62ae9", - "name": "1:panel_1", - "type": "visualization" - }, - { - "id": "netflow-ae334aec-31fa-4df7-a064-40b18831d819", - "name": "2:panel_2", - "type": "visualization" - }, - { - "id": "netflow-e822f94c-5f65-4963-a540-74ca9c25bd2d", - "name": "3:panel_3", - "type": "visualization" - }, - { - "id": "netflow-c54f5529-e6d7-4c26-8e8e-3b35de132035", - "name": "4:panel_4", - "type": "visualization" - }, - { - "id": "netflow-d4e6520a-9ced-47c9-a8f2-7246e8cbd2d3", - "name": "5:panel_5", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/netflow/2.2.4/kibana/dashboard/netflow-c64665f9-d222-421e-90b0-c7310d944b8a.json b/packages/netflow/2.2.4/kibana/dashboard/netflow-c64665f9-d222-421e-90b0-c7310d944b8a.json deleted file mode 100755 index a900f7c546..0000000000 --- a/packages/netflow/2.2.4/kibana/dashboard/netflow-c64665f9-d222-421e-90b0-c7310d944b8a.json +++ /dev/null 
@@ -1,67 +0,0 @@ -{ - "attributes": { - "description": "Autonomous systems Netflow", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"globalState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"netflow.log\"},\"type\":\"phrase\",\"value\":\"netflow.log\"},\"query\":{\"match\":{\"data_stream.dataset\":{\"query\":\"netflow.log\",\"type\":\"phrase\"}}}}],\"highlightAll\":true,\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}" - }, - "optionsJSON": "{\"darkTheme\":false}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":4,\"i\":\"1\",\"w\":48,\"x\":0,\"y\":0},\"panelIndex\":\"1\",\"panelRefName\":\"panel_1\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"2\",\"w\":24,\"x\":24,\"y\":12},\"panelIndex\":\"2\",\"panelRefName\":\"panel_2\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"3\",\"w\":24,\"x\":24,\"y\":20},\"panelIndex\":\"3\",\"panelRefName\":\"panel_3\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"4\",\"w\":24,\"x\":0,\"y\":12},\"panelIndex\":\"4\",\"panelRefName\":\"panel_4\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"5\",\"w\":24,\"x\":0,\"y\":20},\"panelIndex\":\"5\",\"panelRefName\":\"panel_5\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"6\",\"w\":16,\"x\":0,\"y\":4},\"panelIndex\":\"6\",\"panelRefName\":\"panel_6\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridDat
a\":{\"h\":8,\"i\":\"7\",\"w\":16,\"x\":16,\"y\":4},\"panelIndex\":\"7\",\"panelRefName\":\"panel_7\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"8\",\"w\":16,\"x\":32,\"y\":4},\"panelIndex\":\"8\",\"panelRefName\":\"panel_8\",\"type\":\"visualization\",\"version\":\"7.3.0\"}]", - "timeRestore": false, - "title": "[Logs Netflow] Autonomous Systems", - "version": 1 - }, - "coreMigrationVersion": "8.0.0", - "id": "netflow-c64665f9-d222-421e-90b0-c7310d944b8a", - "migrationVersion": { - "dashboard": "8.0.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "netflow-d4e6520a-9ced-47c9-a8f2-7246e8cbd2d3", - "name": "1:panel_1", - "type": "visualization" - }, - { - "id": "netflow-12aad647-c45d-4667-a029-152c1a97cbbc", - "name": "2:panel_2", - "type": "visualization" - }, - { - "id": "netflow-d27b5d74-b3b4-4311-a0e6-08ff8f4345df", - "name": "3:panel_3", - "type": "visualization" - }, - { - "id": "netflow-751ecb6f-11c3-458d-b039-f6d57a6379fa", - "name": "4:panel_4", - "type": "visualization" - }, - { - "id": "netflow-f75063c7-48b7-4de4-b8cb-d07eb2cea0e9", - "name": "5:panel_5", - "type": "visualization" - }, - { - "id": "netflow-f7808e70-df2a-4532-a350-966704567c24", - "name": "6:panel_6", - "type": "visualization" - }, - { - "id": "netflow-aed09724-0a69-4331-84f5-3d2067c43930", - "name": "7:panel_7", - "type": "visualization" - }, - { - "id": "netflow-f531f957-e8c0-497a-ad41-ef39c2d29671", - "name": "8:panel_8", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/netflow/2.2.4/kibana/dashboard/netflow-feebb4e6-b13e-4e4e-b9fc-d3a178276425.json b/packages/netflow/2.2.4/kibana/dashboard/netflow-feebb4e6-b13e-4e4e-b9fc-d3a178276425.json deleted file mode 100755 index 9496b56018..0000000000 
--- a/packages/netflow/2.2.4/kibana/dashboard/netflow-feebb4e6-b13e-4e4e-b9fc-d3a178276425.json +++ /dev/null 
@@ -1,67 +0,0 @@ -{ - "attributes": { - "description": "Netflow exporters", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"globalState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"netflow.log\"},\"type\":\"phrase\",\"value\":\"netflow.log\"},\"query\":{\"match\":{\"data_stream.dataset\":{\"query\":\"netflow.log\",\"type\":\"phrase\"}}}}],\"highlightAll\":true,\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}" - }, - "optionsJSON": "{\"darkTheme\":false}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":4,\"i\":\"1\",\"w\":48,\"x\":0,\"y\":0},\"panelIndex\":\"1\",\"panelRefName\":\"panel_1\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"2\",\"w\":16,\"x\":0,\"y\":4},\"panelIndex\":\"2\",\"panelRefName\":\"panel_2\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"3\",\"w\":16,\"x\":16,\"y\":4},\"panelIndex\":\"3\",\"panelRefName\":\"panel_3\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"4\",\"w\":16,\"x\":32,\"y\":4},\"panelIndex\":\"4\",\"panelRefName\":\"panel_4\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"5\",\"w\":24,\"x\":24,\"y\":12},\"panelIndex\":\"5\",\"panelRefName\":\"panel_5\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"6\",\"w\":24,\"x\":24,\"y\":20},\"panelIndex\":\"6\",\"panelRefName\":\"panel_6\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\
":8,\"i\":\"8\",\"w\":24,\"x\":0,\"y\":20},\"panelIndex\":\"8\",\"panelRefName\":\"panel_8\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"10\",\"w\":24,\"x\":0,\"y\":12},\"panelIndex\":\"10\",\"panelRefName\":\"panel_10\",\"type\":\"visualization\",\"version\":\"7.3.0\"}]", - "timeRestore": false, - "title": "[Logs Netflow] Flow Exporters", - "version": 1 - }, - "coreMigrationVersion": "8.0.0", - "id": "netflow-feebb4e6-b13e-4e4e-b9fc-d3a178276425", - "migrationVersion": { - "dashboard": "8.0.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "netflow-d4e6520a-9ced-47c9-a8f2-7246e8cbd2d3", - "name": "1:panel_1", - "type": "visualization" - }, - { - "id": "netflow-441c6c50-fa1a-489c-96c6-76f7925dea24", - "name": "2:panel_2", - "type": "visualization" - }, - { - "id": "netflow-14c7136d-b4aa-4367-9461-52bf8b5c4796", - "name": "3:panel_3", - "type": "visualization" - }, - { - "id": "netflow-4ac97841-c89f-4d50-b3c6-6253f7e1dd1a", - "name": "4:panel_4", - "type": "visualization" - }, - { - "id": "netflow-85ebf558-402b-45d2-a186-e15f8673ec07", - "name": "5:panel_5", - "type": "visualization" - }, - { - "id": "netflow-f86a7769-8ef6-408d-bbe3-985d0ea0a3f7", - "name": "6:panel_6", - "type": "visualization" - }, - { - "id": "netflow-1cd36f5d-d9c7-4098-acdb-14d312ecfb72", - "name": "8:panel_8", - "type": "visualization" - }, - { - "id": "netflow-d3df8d28-65f8-4ea1-8b33-f479380a0600", - "name": "10:panel_10", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/netflow/2.2.4/kibana/search/netflow-a34c6611-79d8-4b50-ae3f-8b328d28e24a.json b/packages/netflow/2.2.4/kibana/search/netflow-a34c6611-79d8-4b50-ae3f-8b328d28e24a.json deleted file mode 100755 index 4ed0aa06f5..0000000000 
--- a/packages/netflow/2.2.4/kibana/search/netflow-a34c6611-79d8-4b50-ae3f-8b328d28e24a.json +++ /dev/null @@ -1,39 +0,0 @@ -{ - "attributes": { - "columns": [ - "source.ip", - "source.port", - "destination.ip", - "destination.port", - "network.transport", - "network.bytes", - "network.packets" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"netflow.log\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"netflow.log\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "Flow Records [Logs Netflow]", - "version": 1 - }, - "coreMigrationVersion": "8.0.0", - "id": "netflow-a34c6611-79d8-4b50-ae3f-8b328d28e24a", - "migrationVersion": { - "search": "8.0.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/netflow/2.2.4/kibana/visualization/netflow-0177bf1a-cba8-4ba6-a1d7-73caed86ffc2.json b/packages/netflow/2.2.4/kibana/visualization/netflow-0177bf1a-cba8-4ba6-a1d7-73caed86ffc2.json deleted file mode 100755 index 8bfe0f24fd..0000000000 --- a/packages/netflow/2.2.4/kibana/visualization/netflow-0177bf1a-cba8-4ba6-a1d7-73caed86ffc2.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "VLAN Count [Logs Netflow]", - "uiStateJSON": "{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"VLANs\",\"field\":\"netflow.vlan_id\"},\"schema\":\"metric\",\"type\":\"cardinality\"}],\"listeners\":{},\"params\":{\"addLegend\":false,\"addTooltip\":true,\"fontSize\":\"32\",\"gauge\":{\"autoExtend\":false,\"backStyle\":\"Full\",\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":100}],\"gaugeColorMode\":\"None\",\"gaugeStyle\":\"Full\",\"gaugeType\":\"Metric\",\"invertColors\":false,\"labels\":{\"color\":\"black\",\"show\":true},\"orientation\":\"vertical\",\"percentageMode\":false,\"scale\":{\"color\":\"#333\",\"labels\":false,\"show\":false,\"width\":2},\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":\"36\",\"labelColor\":false,\"subText\":\"\"},\"type\":\"simple\",\"useRange\":false,\"verticalSplit\":false},\"handleNoResults\":true,\"type\":\"gauge\"},\"title\":\"VLAN Count [Logs Netflow]\",\"type\":\"metric\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "netflow-0177bf1a-cba8-4ba6-a1d7-73caed86ffc2", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/netflow/2.2.4/kibana/visualization/netflow-036aef95-ec90-468d-ad7c-3cc4405e9e81.json b/packages/netflow/2.2.4/kibana/visualization/netflow-036aef95-ec90-468d-ad7c-3cc4405e9e81.json deleted file mode 100755 index 4edc81efd4..0000000000 
--- a/packages/netflow/2.2.4/kibana/visualization/netflow-036aef95-ec90-468d-ad7c-3cc4405e9e81.json +++ /dev/null @@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Top Autonomous Systems [Logs Netflow]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Bytes\",\"field\":\"network.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Packets\",\"field\":\"network.packets\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Flow Records\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Autonomous System\",\"field\":\"destination.as.organization.name\",\"order\":\"desc\",\"orderBy\":\"2\",\"size\":500},\"schema\":\"bucket\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"perPage\":10,\"showMeticsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":true,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Top Autonomous Systems [Logs Netflow]\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "netflow-036aef95-ec90-468d-ad7c-3cc4405e9e81", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/netflow/2.2.4/kibana/visualization/netflow-0528bc66-6981-400a-a02d-c1d221b38890.json b/packages/netflow/2.2.4/kibana/visualization/netflow-0528bc66-6981-400a-a02d-c1d221b38890.json deleted file mode 100755 index 4283ed8398..0000000000 --- a/packages/netflow/2.2.4/kibana/visualization/netflow-0528bc66-6981-400a-a02d-c1d221b38890.json +++ /dev/null @@ -1,19 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Sources (packets) [Logs Netflow]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"expression\":\".es(index=\\\"logs-*\\\", metric=\\\"sum:network.packets\\\", split=\\\"source.ip:10\\\", kibana=true).scale_interval(1s).fit(mode=scale).if(operator=\\\"lt\\\", if=0, then=0).trim(start=2,end=1).label(regex=\\\"^.* source.ip:(.+) \\u003e .*$\\\", label=\\\"$1\\\").lines(width=1, stack=true, fill=1).yaxis(label=\\\"packets / sec\\\", min=0)\",\"interval\":\"auto\"},\"title\":\"Sources (packets) [Logs Netflow]\",\"type\":\"timelion\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "netflow-0528bc66-6981-400a-a02d-c1d221b38890", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/netflow/2.2.4/kibana/visualization/netflow-0b2818fd-aecc-4bef-b566-9466eb702ae4.json b/packages/netflow/2.2.4/kibana/visualization/netflow-0b2818fd-aecc-4bef-b566-9466eb702ae4.json deleted file mode 100755 index d3cd03e5fd..0000000000 --- a/packages/netflow/2.2.4/kibana/visualization/netflow-0b2818fd-aecc-4bef-b566-9466eb702ae4.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Source Ports (bytes) [Logs Netflow]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Bytes\",\"field\":\"network.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Source Port\",\"field\":\"source.port\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":50},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"}},\"title\":\"Source Ports (bytes) [Logs Netflow]\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "netflow-0b2818fd-aecc-4bef-b566-9466eb702ae4", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/netflow/2.2.4/kibana/visualization/netflow-12aad647-c45d-4667-a029-152c1a97cbbc.json b/packages/netflow/2.2.4/kibana/visualization/netflow-12aad647-c45d-4667-a029-152c1a97cbbc.json deleted file mode 100755 index 50ca670a97..0000000000 --- a/packages/netflow/2.2.4/kibana/visualization/netflow-12aad647-c45d-4667-a029-152c1a97cbbc.json +++ /dev/null 
@@ -1,19 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Destination Autonomous Systems (bytes) [Logs Netflow]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"expression\":\".es(index=\\\"logs-*\\\", metric=\\\"sum:network.bytes\\\", split=\\\"destination.as.organization.name:10\\\", kibana=true).scale_interval(1s).fit(mode=scale).if(operator=\\\"lt\\\", if=0, then=0).trim(start=2,end=1).label(regex=\\\"^.* destination.as.organization.name:(.+) \\u003e .*$\\\", label=\\\"$1\\\").lines(width=1, stack=true, fill=1).yaxis(label=\\\"bytes / sec\\\", min=0)\",\"interval\":\"auto\"},\"title\":\"Destination Autonomous Systems (bytes) [Logs Netflow]\",\"type\":\"timelion\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "netflow-12aad647-c45d-4667-a029-152c1a97cbbc", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/netflow/2.2.4/kibana/visualization/netflow-14c7136d-b4aa-4367-9461-52bf8b5c4796.json b/packages/netflow/2.2.4/kibana/visualization/netflow-14c7136d-b4aa-4367-9461-52bf8b5c4796.json deleted file mode 100755 index 07d1ebeea9..0000000000 --- a/packages/netflow/2.2.4/kibana/visualization/netflow-14c7136d-b4aa-4367-9461-52bf8b5c4796.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Ingress Interfaces (flow records) [Logs Netflow]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Ingress Interface\",\"field\":\"netflow.ingress_interface\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":50},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"}},\"title\":\"Ingress Interfaces (flow records) [Logs Netflow]\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "netflow-14c7136d-b4aa-4367-9461-52bf8b5c4796", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/netflow/2.2.4/kibana/visualization/netflow-15295ea6-ba84-47db-8ced-9312abbf495c.json b/packages/netflow/2.2.4/kibana/visualization/netflow-15295ea6-ba84-47db-8ced-9312abbf495c.json deleted file mode 100755 index 3f2413b575..0000000000 --- a/packages/netflow/2.2.4/kibana/visualization/netflow-15295ea6-ba84-47db-8ced-9312abbf495c.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Top Sources [Logs Netflow]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Bytes\",\"field\":\"network.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Packets\",\"field\":\"network.packets\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Flow Records\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Source\",\"field\":\"source.ip\",\"order\":\"desc\",\"orderBy\":\"2\",\"size\":500},\"schema\":\"bucket\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"perPage\":10,\"showMeticsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":true,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Top Sources [Logs Netflow]\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "netflow-15295ea6-ba84-47db-8ced-9312abbf495c", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/netflow/2.2.4/kibana/visualization/netflow-1558508d-591c-49be-bef4-85fdac18a960.json b/packages/netflow/2.2.4/kibana/visualization/netflow-1558508d-591c-49be-bef4-85fdac18a960.json deleted file mode 100755 index f8800be221..0000000000 
--- a/packages/netflow/2.2.4/kibana/visualization/netflow-1558508d-591c-49be-bef4-85fdac18a960.json +++ /dev/null @@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Sources and Ports (bytes) [Logs Netflow]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Bytes\",\"field\":\"network.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Source\",\"field\":\"source.ip\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Port\",\"field\":\"source.port\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"}},\"title\":\"Sources and Ports (bytes) [Logs Netflow]\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "netflow-1558508d-591c-49be-bef4-85fdac18a960", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/netflow/2.2.4/kibana/visualization/netflow-15e2a267-2495-4df2-a121-abe410d2f18c.json b/packages/netflow/2.2.4/kibana/visualization/netflow-15e2a267-2495-4df2-a121-abe410d2f18c.json deleted file mode 100755 index 185796e6a0..0000000000 --- a/packages/netflow/2.2.4/kibana/visualization/netflow-15e2a267-2495-4df2-a121-abe410d2f18c.json +++ /dev/null 
@@ -1,19 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "VLANs (packets) [Logs Netflow]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"expression\":\".es(index=\\\"logs-*\\\", metric=\\\"sum:network.packets\\\", split=\\\"netflow.vlan_id:10\\\", kibana=true).scale_interval(1s).fit(mode=scale).if(operator=\\\"lt\\\", if=0, then=0).trim(start=2,end=1).label(regex=\\\"^.* netflow.vlan_id:(.+) \\u003e .*$\\\", label=\\\"$1\\\").lines(width=1, stack=true, fill=1).yaxis(label=\\\"packets / sec\\\", min=0)\",\"interval\":\"auto\"},\"title\":\"VLANs (packets) [Logs Netflow]\",\"type\":\"timelion\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "netflow-15e2a267-2495-4df2-a121-abe410d2f18c", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/netflow/2.2.4/kibana/visualization/netflow-16262df9-a979-4136-935e-d883c7d373d7.json b/packages/netflow/2.2.4/kibana/visualization/netflow-16262df9-a979-4136-935e-d883c7d373d7.json deleted file mode 100755 index 2be98aa7d5..0000000000 --- a/packages/netflow/2.2.4/kibana/visualization/netflow-16262df9-a979-4136-935e-d883c7d373d7.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "City Count [Logs Netflow]", - "uiStateJSON": "{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Cities\",\"field\":\"destination.geo.city_name\"},\"schema\":\"metric\",\"type\":\"cardinality\"}],\"listeners\":{},\"params\":{\"addLegend\":false,\"addTooltip\":true,\"fontSize\":\"32\",\"gauge\":{\"autoExtend\":false,\"backStyle\":\"Full\",\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":100}],\"gaugeColorMode\":\"None\",\"gaugeStyle\":\"Full\",\"gaugeType\":\"Metric\",\"invertColors\":false,\"labels\":{\"color\":\"black\",\"show\":true},\"orientation\":\"vertical\",\"percentageMode\":false,\"scale\":{\"color\":\"#333\",\"labels\":false,\"show\":false,\"width\":2},\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":\"36\",\"labelColor\":false,\"subText\":\"\"},\"type\":\"simple\",\"useRange\":false,\"verticalSplit\":false},\"handleNoResults\":true,\"type\":\"gauge\"},\"title\":\"City Count [Logs Netflow]\",\"type\":\"metric\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "netflow-16262df9-a979-4136-935e-d883c7d373d7", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/netflow/2.2.4/kibana/visualization/netflow-1cd36f5d-d9c7-4098-acdb-14d312ecfb72.json b/packages/netflow/2.2.4/kibana/visualization/netflow-1cd36f5d-d9c7-4098-acdb-14d312ecfb72.json deleted file mode 100755 index 5d2741d0ea..0000000000 
--- a/packages/netflow/2.2.4/kibana/visualization/netflow-1cd36f5d-d9c7-4098-acdb-14d312ecfb72.json +++ /dev/null @@ -1,19 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Ingress Interfaces (packets) [Logs Netflow]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"expression\":\".es(index=\\\"logs-*\\\", metric=\\\"sum:network.packets\\\", split=\\\"netflow.ingress_interface:10\\\", kibana=true).scale_interval(1s).fit(mode=scale).if(operator=\\\"lt\\\", if=0, then=0).trim(start=2,end=1).label(regex=\\\"^.* netflow.ingress_interface:(.+) \\u003e .*$\\\", label=\\\"$1\\\").lines(width=1, stack=true, fill=1).yaxis(label=\\\"packets / sec\\\", min=0)\",\"interval\":\"auto\"},\"title\":\"Ingress Interfaces (packets) [Logs Netflow]\",\"type\":\"timelion\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "netflow-1cd36f5d-d9c7-4098-acdb-14d312ecfb72", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/netflow/2.2.4/kibana/visualization/netflow-1cf30eac-aae8-47fa-a156-37f6346d2d5a.json b/packages/netflow/2.2.4/kibana/visualization/netflow-1cf30eac-aae8-47fa-a156-37f6346d2d5a.json deleted file mode 100755 index 8089613edd..0000000000 --- a/packages/netflow/2.2.4/kibana/visualization/netflow-1cf30eac-aae8-47fa-a156-37f6346d2d5a.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Types of Service (bytes) [Logs Netflow]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Bytes\",\"field\":\"network.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Type of Service\",\"field\":\"netflow.ip_class_of_service\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":50},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"}},\"title\":\"Types of Service (bytes) [Logs Netflow]\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "netflow-1cf30eac-aae8-47fa-a156-37f6346d2d5a", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/netflow/2.2.4/kibana/visualization/netflow-1e74d5cb-556d-42ee-8042-88f6c1af47f0.json b/packages/netflow/2.2.4/kibana/visualization/netflow-1e74d5cb-556d-42ee-8042-88f6c1af47f0.json deleted file mode 100755 index 36dd644fb6..0000000000 --- a/packages/netflow/2.2.4/kibana/visualization/netflow-1e74d5cb-556d-42ee-8042-88f6c1af47f0.json +++ /dev/null 
@@ -1,19 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Cities (bytes) [Logs Netflow]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"expression\":\".es(index=\\\"logs-*\\\", metric=\\\"sum:network.bytes\\\", split=\\\"destination.geo.city_name:10\\\", kibana=true).scale_interval(1s).fit(mode=scale).if(operator=\\\"lt\\\", if=0, then=0).trim(start=2,end=1).label(regex=\\\"^.* destination.geo.city_name:(.+) \\u003e .*$\\\", label=\\\"$1\\\").lines(width=1, stack=true, fill=1).yaxis(label=\\\"bytes / sec\\\", min=0)\",\"interval\":\"auto\"},\"title\":\"Cities (bytes) [Logs Netflow]\",\"type\":\"timelion\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "netflow-1e74d5cb-556d-42ee-8042-88f6c1af47f0", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/netflow/2.2.4/kibana/visualization/netflow-201d7dd1-a880-4a64-b631-db5629340db9.json b/packages/netflow/2.2.4/kibana/visualization/netflow-201d7dd1-a880-4a64-b631-db5629340db9.json deleted file mode 100755 index 6e319d2ee8..0000000000 --- a/packages/netflow/2.2.4/kibana/visualization/netflow-201d7dd1-a880-4a64-b631-db5629340db9.json +++ /dev/null 
@@ -1,19 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Source Ports (packets) [Logs Netflow]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"expression\":\".es(index=\\\"logs-*\\\", metric=\\\"sum:network.packets\\\", split=\\\"source.port:10\\\", kibana=true).scale_interval(1s).fit(mode=scale).if(operator=\\\"lt\\\", if=0, then=0).trim(start=2,end=1).label(regex=\\\"^.* source.port:(.+) \\u003e .*$\\\", label=\\\"$1\\\").lines(width=1, stack=true, fill=1).yaxis(label=\\\"packets / sec\\\", min=0)\",\"interval\":\"auto\"},\"title\":\"Source Ports (packets) [Logs Netflow]\",\"type\":\"timelion\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "netflow-201d7dd1-a880-4a64-b631-db5629340db9", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/netflow/2.2.4/kibana/visualization/netflow-2316bb53-d98a-4f0f-8cd8-51e9fb317823.json b/packages/netflow/2.2.4/kibana/visualization/netflow-2316bb53-d98a-4f0f-8cd8-51e9fb317823.json deleted file mode 100755 index 38d938c712..0000000000 --- a/packages/netflow/2.2.4/kibana/visualization/netflow-2316bb53-d98a-4f0f-8cd8-51e9fb317823.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Countries and Cities (flow records) [Logs Netflow]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Flow Records\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Country\",\"field\":\"destination.geo.country_name\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"City\",\"field\":\"destination.geo.city_name\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"}},\"title\":\"Countries and Cities (flow records) [Logs Netflow]\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "netflow-2316bb53-d98a-4f0f-8cd8-51e9fb317823", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/netflow/2.2.4/kibana/visualization/netflow-248e00b4-8fc2-406f-8907-729d5380aaa7.json b/packages/netflow/2.2.4/kibana/visualization/netflow-248e00b4-8fc2-406f-8907-729d5380aaa7.json deleted file mode 100755 index 0b978a1c6b..0000000000 --- a/packages/netflow/2.2.4/kibana/visualization/netflow-248e00b4-8fc2-406f-8907-729d5380aaa7.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Destinations (bytes) [Logs Netflow]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Bytes\",\"field\":\"network.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Destination\",\"field\":\"destination.ip\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":50},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"}},\"title\":\"Destinations (bytes) [Logs Netflow]\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "netflow-248e00b4-8fc2-406f-8907-729d5380aaa7", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/netflow/2.2.4/kibana/visualization/netflow-2b3d4e86-2254-4033-8fe3-ce4753fafd03.json b/packages/netflow/2.2.4/kibana/visualization/netflow-2b3d4e86-2254-4033-8fe3-ce4753fafd03.json deleted file mode 100755 index 18a1464367..0000000000 --- a/packages/netflow/2.2.4/kibana/visualization/netflow-2b3d4e86-2254-4033-8fe3-ce4753fafd03.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Top Protocols [Logs Netflow]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Bytes\",\"field\":\"network.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Packets\",\"field\":\"network.packets\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Flow Records\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Protocol\",\"field\":\"network.transport\",\"order\":\"desc\",\"orderBy\":\"2\",\"size\":500},\"schema\":\"bucket\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"perPage\":10,\"showMeticsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":true,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Top Protocols [Logs Netflow]\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "netflow-2b3d4e86-2254-4033-8fe3-ce4753fafd03", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/netflow/2.2.4/kibana/visualization/netflow-2dca3025-692c-4876-8bcc-e0b248dc9819.json b/packages/netflow/2.2.4/kibana/visualization/netflow-2dca3025-692c-4876-8bcc-e0b248dc9819.json deleted file mode 100755 index f735f227fc..0000000000 
--- a/packages/netflow/2.2.4/kibana/visualization/netflow-2dca3025-692c-4876-8bcc-e0b248dc9819.json +++ /dev/null @@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "TCP Flags Count [Logs Netflow]", - "uiStateJSON": "{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"TCP Flag States\",\"field\":\"netflow.tcp_control_bits\"},\"schema\":\"metric\",\"type\":\"cardinality\"}],\"listeners\":{},\"params\":{\"addLegend\":false,\"addTooltip\":true,\"fontSize\":\"32\",\"gauge\":{\"autoExtend\":false,\"backStyle\":\"Full\",\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":100}],\"gaugeColorMode\":\"None\",\"gaugeStyle\":\"Full\",\"gaugeType\":\"Metric\",\"invertColors\":false,\"labels\":{\"color\":\"black\",\"show\":true},\"orientation\":\"vertical\",\"percentageMode\":false,\"scale\":{\"color\":\"#333\",\"labels\":false,\"show\":false,\"width\":2},\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":\"36\",\"labelColor\":false,\"subText\":\"\"},\"type\":\"simple\",\"useRange\":false,\"verticalSplit\":false},\"handleNoResults\":true,\"type\":\"gauge\"},\"title\":\"TCP Flags Count [Logs Netflow]\",\"type\":\"metric\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "netflow-2dca3025-692c-4876-8bcc-e0b248dc9819", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/netflow/2.2.4/kibana/visualization/netflow-30cd1009-2925-4c9b-820d-d689f5d1efda.json b/packages/netflow/2.2.4/kibana/visualization/netflow-30cd1009-2925-4c9b-820d-d689f5d1efda.json deleted file mode 100755 index bbff9003ca..0000000000 --- a/packages/netflow/2.2.4/kibana/visualization/netflow-30cd1009-2925-4c9b-820d-d689f5d1efda.json +++ /dev/null @@ -1,19 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Autonomous Systems (packets) [Logs Netflow]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"expression\":\".es(index=\\\"logs-*\\\", metric=\\\"sum:network.packets\\\", split=\\\"destination.as.organization.name:10\\\", kibana=true).scale_interval(1s).fit(mode=scale).if(operator=\\\"lt\\\", if=0, then=0).trim(start=2,end=1).label(regex=\\\"^.* destination.as.organization.name:(.+) \\u003e .*$\\\", label=\\\"$1\\\").lines(width=1, stack=true, fill=1).yaxis(label=\\\"packets / sec\\\", min=0)\",\"interval\":\"auto\"},\"title\":\"Autonomous Systems (packets) [Logs Netflow]\",\"type\":\"timelion\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "netflow-30cd1009-2925-4c9b-820d-d689f5d1efda", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/netflow/2.2.4/kibana/visualization/netflow-31708a70-4957-4a8a-8065-5c88a344ad02.json b/packages/netflow/2.2.4/kibana/visualization/netflow-31708a70-4957-4a8a-8065-5c88a344ad02.json deleted file mode 100755 index 4ab3ca80e4..0000000000 --- a/packages/netflow/2.2.4/kibana/visualization/netflow-31708a70-4957-4a8a-8065-5c88a344ad02.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Flow Exporters (bytes) [Logs Netflow]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Bytes\",\"field\":\"network.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Flow Exporter\",\"field\":\"agent.name\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":50},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"}},\"title\":\"Flow Exporters (bytes) [Logs Netflow]\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "netflow-31708a70-4957-4a8a-8065-5c88a344ad02", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/netflow/2.2.4/kibana/visualization/netflow-31b5f6fd-eb9d-4e97-90fd-367062ef217f.json b/packages/netflow/2.2.4/kibana/visualization/netflow-31b5f6fd-eb9d-4e97-90fd-367062ef217f.json deleted file mode 100755 index 08d9c2dafa..0000000000 --- a/packages/netflow/2.2.4/kibana/visualization/netflow-31b5f6fd-eb9d-4e97-90fd-367062ef217f.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Top Destination Ports [Logs Netflow]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Bytes\",\"field\":\"network.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Packets\",\"field\":\"network.packets\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Flow Records\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Destination\",\"field\":\"destination.port\",\"order\":\"desc\",\"orderBy\":\"2\",\"size\":500},\"schema\":\"bucket\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"perPage\":10,\"showMeticsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":true,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Top Destination Ports [Logs Netflow]\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "netflow-31b5f6fd-eb9d-4e97-90fd-367062ef217f", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/netflow/2.2.4/kibana/visualization/netflow-32e712ed-fa15-4db7-8575-8476e8d65b03.json b/packages/netflow/2.2.4/kibana/visualization/netflow-32e712ed-fa15-4db7-8575-8476e8d65b03.json deleted file mode 100755 index b34bb34cac..0000000000 
--- a/packages/netflow/2.2.4/kibana/visualization/netflow-32e712ed-fa15-4db7-8575-8476e8d65b03.json +++ /dev/null @@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Source Count [Logs Netflow]", - "uiStateJSON": "{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Sources\",\"field\":\"source.ip\"},\"schema\":\"metric\",\"type\":\"cardinality\"}],\"listeners\":{},\"params\":{\"addLegend\":false,\"addTooltip\":true,\"fontSize\":\"32\",\"gauge\":{\"autoExtend\":false,\"backStyle\":\"Full\",\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":100}],\"gaugeColorMode\":\"None\",\"gaugeStyle\":\"Full\",\"gaugeType\":\"Metric\",\"invertColors\":false,\"labels\":{\"color\":\"black\",\"show\":true},\"orientation\":\"vertical\",\"percentageMode\":false,\"scale\":{\"color\":\"#333\",\"labels\":false,\"show\":false,\"width\":2},\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":\"36\",\"labelColor\":false,\"subText\":\"\"},\"type\":\"simple\",\"useRange\":false,\"verticalSplit\":false},\"handleNoResults\":true,\"type\":\"gauge\"},\"title\":\"Source Count [Logs Netflow]\",\"type\":\"metric\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "netflow-32e712ed-fa15-4db7-8575-8476e8d65b03", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/netflow/2.2.4/kibana/visualization/netflow-3a4209e2-281c-467e-b5cb-315bf4a2661f.json b/packages/netflow/2.2.4/kibana/visualization/netflow-3a4209e2-281c-467e-b5cb-315bf4a2661f.json deleted file mode 100755 index ca56e99437..0000000000 --- a/packages/netflow/2.2.4/kibana/visualization/netflow-3a4209e2-281c-467e-b5cb-315bf4a2661f.json +++ /dev/null @@ -1,19 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Destination Ports (packets) [Logs Netflow]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"expression\":\".es(index=\\\"logs-*\\\", metric=\\\"sum:network.packets\\\", split=\\\"destination.port:10\\\", kibana=true).scale_interval(1s).fit(mode=scale).if(operator=\\\"lt\\\", if=0, then=0).trim(start=2,end=1).label(regex=\\\"^.* destination.port:(.+) \\u003e .*$\\\", label=\\\"$1\\\").lines(width=1, stack=true, fill=1).yaxis(label=\\\"packets / sec\\\", min=0)\",\"interval\":\"auto\"},\"title\":\"Destination Ports (packets) [Logs Netflow]\",\"type\":\"timelion\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "netflow-3a4209e2-281c-467e-b5cb-315bf4a2661f", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/netflow/2.2.4/kibana/visualization/netflow-3dec20c0-0d4f-43ef-8864-3779e1a1b33f.json b/packages/netflow/2.2.4/kibana/visualization/netflow-3dec20c0-0d4f-43ef-8864-3779e1a1b33f.json deleted file mode 100755 index 59778d4915..0000000000 --- a/packages/netflow/2.2.4/kibana/visualization/netflow-3dec20c0-0d4f-43ef-8864-3779e1a1b33f.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Version (bytes) [Logs Netflow]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Bytes\",\"field\":\"network.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Version\",\"field\":\"netflow.exporter.version\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"}},\"title\":\"Version (bytes) [Logs Netflow]\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "netflow-3dec20c0-0d4f-43ef-8864-3779e1a1b33f", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/netflow/2.2.4/kibana/visualization/netflow-3e27fb83-b3e3-4c15-b999-ed6da49b7a86.json b/packages/netflow/2.2.4/kibana/visualization/netflow-3e27fb83-b3e3-4c15-b999-ed6da49b7a86.json deleted file mode 100755 index b12c7d2621..0000000000 --- a/packages/netflow/2.2.4/kibana/visualization/netflow-3e27fb83-b3e3-4c15-b999-ed6da49b7a86.json +++ /dev/null 
@@ -1,19 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Destination Ports (bytes) [Logs Netflow]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"expression\":\".es(index=\\\"logs-*\\\", metric=\\\"sum:network.bytes\\\", split=\\\"destination.port:10\\\", kibana=true).scale_interval(1s).fit(mode=scale).if(operator=\\\"lt\\\", if=0, then=0).trim(start=2,end=1).label(regex=\\\"^.* destination.port:(.+) \\u003e .*$\\\", label=\\\"$1\\\").lines(width=1, stack=true, fill=1).yaxis(label=\\\"bytes / sec\\\", min=0)\",\"interval\":\"auto\"},\"title\":\"Destination Ports (bytes) [Logs Netflow]\",\"type\":\"timelion\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "netflow-3e27fb83-b3e3-4c15-b999-ed6da49b7a86", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/netflow/2.2.4/kibana/visualization/netflow-441c6c50-fa1a-489c-96c6-76f7925dea24.json b/packages/netflow/2.2.4/kibana/visualization/netflow-441c6c50-fa1a-489c-96c6-76f7925dea24.json deleted file mode 100755 index 2a58338da7..0000000000 --- a/packages/netflow/2.2.4/kibana/visualization/netflow-441c6c50-fa1a-489c-96c6-76f7925dea24.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Flow Exporters (flow records) [Logs Netflow]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Flow Exporter\",\"field\":\"agent.name\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":50},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"}},\"title\":\"Flow Exporters (flow records) [Logs Netflow]\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "netflow-441c6c50-fa1a-489c-96c6-76f7925dea24", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/netflow/2.2.4/kibana/visualization/netflow-4ac97841-c89f-4d50-b3c6-6253f7e1dd1a.json b/packages/netflow/2.2.4/kibana/visualization/netflow-4ac97841-c89f-4d50-b3c6-6253f7e1dd1a.json deleted file mode 100755 index de5cb96164..0000000000 --- a/packages/netflow/2.2.4/kibana/visualization/netflow-4ac97841-c89f-4d50-b3c6-6253f7e1dd1a.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Egress Interfaces (flow records) [Logs Netflow]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Flow Records\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Egress Interface\",\"field\":\"netflow.egress_interface\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":50},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"}},\"title\":\"Egress Interfaces (flow records) [Logs Netflow]\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "netflow-4ac97841-c89f-4d50-b3c6-6253f7e1dd1a", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/netflow/2.2.4/kibana/visualization/netflow-4bb0255e-18ed-45e4-bfb9-de8e35b12094.json b/packages/netflow/2.2.4/kibana/visualization/netflow-4bb0255e-18ed-45e4-bfb9-de8e35b12094.json deleted file mode 100755 index 42c5ea60ea..0000000000 --- a/packages/netflow/2.2.4/kibana/visualization/netflow-4bb0255e-18ed-45e4-bfb9-de8e35b12094.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Flow Records [Logs Netflow]", - "uiStateJSON": "{\"vis\":{\"legendOpen\":true}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Flow Records\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Timeline\",\"extended_bounds\":{},\"field\":\"event.end\",\"interval\":\"s\",\"min_doc_count\":1},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Version\",\"field\":\"netflow.exporter.version\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":false,\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"legendPosition\":\"right\",\"mode\":\"stacked\",\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Flow Records\"},\"drawLinesBetweenPoints\":true,\"mode\":\"stacked\",\"show\":\"true\",\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"times\":[],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"Flow Records [Logs Netflow]\",\"type\":\"histogram\"}" - }, - 
"coreMigrationVersion": "8.0.0", - "id": "netflow-4bb0255e-18ed-45e4-bfb9-de8e35b12094", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/netflow/2.2.4/kibana/visualization/netflow-5292a65b-c532-422a-9008-1251a8073a3a.json b/packages/netflow/2.2.4/kibana/visualization/netflow-5292a65b-c532-422a-9008-1251a8073a3a.json deleted file mode 100755 index def8920024..0000000000 --- a/packages/netflow/2.2.4/kibana/visualization/netflow-5292a65b-c532-422a-9008-1251a8073a3a.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Top Cities [Logs Netflow]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":2,\"direction\":\"desc\"}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Bytes\",\"field\":\"network.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Packets\",\"field\":\"network.packets\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Flow Records\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Country\",\"field\":\"destination.geo.country_name\",\"order\":\"desc\",\"orderBy\":\"2\",\"size\":500},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"5\",\"params\":{\"customLabel\":\"City\",\"field\":\"destination.geo.city_name\",\"order\":\"desc\",\"orderBy\":\"2\",\"size\":500},\"schema\":\"bucket\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"perPage\":10,\"showMeticsAtAllLevels\":false,\"showPartialRows\":true,\"showToolbar\":true,\"showTotal\":true,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Top Cities [Logs Netflow]\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "netflow-5292a65b-c532-422a-9008-1251a8073a3a", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/netflow/2.2.4/kibana/visualization/netflow-5303e99b-389c-47b7-ae7a-945c5a92ba49.json b/packages/netflow/2.2.4/kibana/visualization/netflow-5303e99b-389c-47b7-ae7a-945c5a92ba49.json deleted file mode 100755 index 9de72f30b5..0000000000 --- a/packages/netflow/2.2.4/kibana/visualization/netflow-5303e99b-389c-47b7-ae7a-945c5a92ba49.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Top Destinations [Logs Netflow]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Bytes\",\"field\":\"network.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Packets\",\"field\":\"network.packets\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Flow Records\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Destination\",\"field\":\"destination.ip\",\"order\":\"desc\",\"orderBy\":\"2\",\"size\":500},\"schema\":\"bucket\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"perPage\":10,\"showMeticsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":true,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Top Destinations [Logs Netflow]\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "netflow-5303e99b-389c-47b7-ae7a-945c5a92ba49", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/netflow/2.2.4/kibana/visualization/netflow-57e13a20-e94f-4465-a942-42148634a1d2.json b/packages/netflow/2.2.4/kibana/visualization/netflow-57e13a20-e94f-4465-a942-42148634a1d2.json deleted file mode 100755 index 7e811e1ea3..0000000000 
--- a/packages/netflow/2.2.4/kibana/visualization/netflow-57e13a20-e94f-4465-a942-42148634a1d2.json +++ /dev/null @@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "TCP Flags (bytes) [Logs Netflow]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Bytes\",\"field\":\"network.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"TCP Flags\",\"field\":\"netflow.tcp_control_bits\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":255},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"}},\"title\":\"TCP Flags (bytes) [Logs Netflow]\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "netflow-57e13a20-e94f-4465-a942-42148634a1d2", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/netflow/2.2.4/kibana/visualization/netflow-5ccac452-e90a-4dde-ae9b-1be36ce3f761.json b/packages/netflow/2.2.4/kibana/visualization/netflow-5ccac452-e90a-4dde-ae9b-1be36ce3f761.json deleted file mode 100755 index 1cb0ac07fd..0000000000 --- a/packages/netflow/2.2.4/kibana/visualization/netflow-5ccac452-e90a-4dde-ae9b-1be36ce3f761.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Countries and Cities (bytes) [Logs Netflow]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Bytes\",\"field\":\"network.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Country\",\"field\":\"destination.geo.country_name\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"City\",\"field\":\"destination.geo.city_name\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"}},\"title\":\"Countries and Cities (bytes) [Logs Netflow]\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "netflow-5ccac452-e90a-4dde-ae9b-1be36ce3f761", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/netflow/2.2.4/kibana/visualization/netflow-5cfb2c9a-4815-4a25-9d7e-ab0ef55ffe63.json b/packages/netflow/2.2.4/kibana/visualization/netflow-5cfb2c9a-4815-4a25-9d7e-ab0ef55ffe63.json deleted file mode 100755 index 552f9ceaf6..0000000000 --- a/packages/netflow/2.2.4/kibana/visualization/netflow-5cfb2c9a-4815-4a25-9d7e-ab0ef55ffe63.json +++ /dev/null 
@@ -1,19 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Countries (bytes) [Logs Netflow]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"expression\":\".es(index=\\\"logs-*\\\", metric=\\\"sum:network.bytes\\\", split=\\\"destination.geo.country_name:10\\\", kibana=true).scale_interval(1s).fit(mode=scale).if(operator=\\\"lt\\\", if=0, then=0).trim(start=2,end=1).label(regex=\\\"^.* destination.geo.country_name:(.+) \\u003e .*$\\\", label=\\\"$1\\\").lines(width=1, stack=true, fill=1).yaxis(label=\\\"bytes / sec\\\", min=0)\",\"interval\":\"auto\"},\"title\":\"Countries (bytes) [Logs Netflow]\",\"type\":\"timelion\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "netflow-5cfb2c9a-4815-4a25-9d7e-ab0ef55ffe63", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/netflow/2.2.4/kibana/visualization/netflow-5d868836-c7b2-4812-bf47-4838aac281d9.json b/packages/netflow/2.2.4/kibana/visualization/netflow-5d868836-c7b2-4812-bf47-4838aac281d9.json deleted file mode 100755 index 1a237de283..0000000000 --- a/packages/netflow/2.2.4/kibana/visualization/netflow-5d868836-c7b2-4812-bf47-4838aac281d9.json +++ /dev/null 
@@ -1,19 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "TCP Flags (bytes) [Logs Netflow]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"expression\":\".es(index=\\\"logs-*\\\", metric=\\\"sum:network.bytes\\\", split=\\\"netflow.tcp_control_bits:10\\\", kibana=true).scale_interval(1s).fit(mode=scale).if(operator=\\\"lt\\\", if=0, then=0).trim(start=2,end=1).label(regex=\\\"^.* netflow.tcp_control_bits:(.+) \\u003e .*$\\\", label=\\\"$1\\\").lines(width=1, stack=true, fill=1).yaxis(label=\\\"bytes / sec\\\", min=0)\",\"interval\":\"auto\"},\"title\":\"TCP Flags (bytes) [Logs Netflow]\",\"type\":\"timelion\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "netflow-5d868836-c7b2-4812-bf47-4838aac281d9", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/netflow/2.2.4/kibana/visualization/netflow-63ef5338-fdf2-488e-b78a-f0e98daccc95.json b/packages/netflow/2.2.4/kibana/visualization/netflow-63ef5338-fdf2-488e-b78a-f0e98daccc95.json deleted file mode 100755 index 6c3e1b32bd..0000000000 --- a/packages/netflow/2.2.4/kibana/visualization/netflow-63ef5338-fdf2-488e-b78a-f0e98daccc95.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Country Count [Logs Netflow]", - "uiStateJSON": "{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Countries\",\"field\":\"destination.geo.country_name\"},\"schema\":\"metric\",\"type\":\"cardinality\"}],\"listeners\":{},\"params\":{\"addLegend\":false,\"addTooltip\":true,\"fontSize\":\"32\",\"gauge\":{\"autoExtend\":false,\"backStyle\":\"Full\",\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":100}],\"gaugeColorMode\":\"None\",\"gaugeStyle\":\"Full\",\"gaugeType\":\"Metric\",\"invertColors\":false,\"labels\":{\"color\":\"black\",\"show\":true},\"orientation\":\"vertical\",\"percentageMode\":false,\"scale\":{\"color\":\"#333\",\"labels\":false,\"show\":false,\"width\":2},\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":\"36\",\"labelColor\":false,\"subText\":\"\"},\"type\":\"simple\",\"useRange\":false,\"verticalSplit\":false},\"handleNoResults\":true,\"type\":\"gauge\"},\"title\":\"Country Count [Logs Netflow]\",\"type\":\"metric\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "netflow-63ef5338-fdf2-488e-b78a-f0e98daccc95", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/netflow/2.2.4/kibana/visualization/netflow-67fdca65-a9df-47f0-a8a4-1e8b056325de.json b/packages/netflow/2.2.4/kibana/visualization/netflow-67fdca65-a9df-47f0-a8a4-1e8b056325de.json deleted file mode 100755 index c4b788481c..0000000000 
--- a/packages/netflow/2.2.4/kibana/visualization/netflow-67fdca65-a9df-47f0-a8a4-1e8b056325de.json +++ /dev/null @@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Destinations and Ports (bytes) [Logs Netflow]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Bytes\",\"field\":\"network.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Destination\",\"field\":\"destination.ip\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Port\",\"field\":\"destination.port\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"}},\"title\":\"Destinations and Ports (bytes) [Logs Netflow]\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "netflow-67fdca65-a9df-47f0-a8a4-1e8b056325de", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/netflow/2.2.4/kibana/visualization/netflow-681f0ce4-d828-4a99-b643-0c0715530050.json b/packages/netflow/2.2.4/kibana/visualization/netflow-681f0ce4-d828-4a99-b643-0c0715530050.json deleted file mode 100755 index e185a6934d..0000000000 
--- a/packages/netflow/2.2.4/kibana/visualization/netflow-681f0ce4-d828-4a99-b643-0c0715530050.json +++ /dev/null @@ -1,19 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Destinations (bytes) [Logs Netflow]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"expression\":\".es(index=\\\"logs-*\\\", metric=\\\"sum:network.bytes\\\", split=\\\"destination.ip:10\\\", kibana=true).scale_interval(1s).fit(mode=scale).if(operator=\\\"lt\\\", if=0, then=0).trim(start=2,end=1).label(regex=\\\"^.* destination.ip:(.+) \\u003e .*$\\\", label=\\\"$1\\\").lines(width=1, stack=true, fill=1).yaxis(label=\\\"bytes / sec\\\", min=0)\",\"interval\":\"auto\"},\"title\":\"Destinations (bytes) [Logs Netflow]\",\"type\":\"timelion\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "netflow-681f0ce4-d828-4a99-b643-0c0715530050", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/netflow/2.2.4/kibana/visualization/netflow-6bbd6712-494a-4fd9-b3d3-757304681f0f.json b/packages/netflow/2.2.4/kibana/visualization/netflow-6bbd6712-494a-4fd9-b3d3-757304681f0f.json deleted file mode 100755 index f420f9b844..0000000000 --- a/packages/netflow/2.2.4/kibana/visualization/netflow-6bbd6712-494a-4fd9-b3d3-757304681f0f.json +++ /dev/null 
@@ -1,19 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Sources (bytes) [Logs Netflow]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"expression\":\".es(index=\\\"logs-*\\\", metric=\\\"sum:network.bytes\\\", split=\\\"source.ip:10\\\", kibana=true).scale_interval(1s).fit(mode=scale).if(operator=\\\"lt\\\", if=0, then=0).trim(start=2,end=1).label(regex=\\\"^.* source.ip:(.+) \\u003e .*$\\\", label=\\\"$1\\\").lines(width=1, stack=true, fill=1).yaxis(label=\\\"bytes / sec\\\", min=0)\",\"interval\":\"auto\"},\"title\":\"Sources (bytes) [Logs Netflow]\",\"type\":\"timelion\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "netflow-6bbd6712-494a-4fd9-b3d3-757304681f0f", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/netflow/2.2.4/kibana/visualization/netflow-717cd7c7-bfca-435d-8ee7-38259927aade.json b/packages/netflow/2.2.4/kibana/visualization/netflow-717cd7c7-bfca-435d-8ee7-38259927aade.json deleted file mode 100755 index da2f83b090..0000000000 --- a/packages/netflow/2.2.4/kibana/visualization/netflow-717cd7c7-bfca-435d-8ee7-38259927aade.json +++ /dev/null 
@@ -1,19 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Types of Service (bytes) [Logs Netflow]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"expression\":\".es(index=\\\"logs-*\\\", metric=\\\"sum:network.bytes\\\", split=\\\"netflow.ip_class_of_service:10\\\", kibana=true).scale_interval(1s).fit(mode=scale).if(operator=\\\"lt\\\", if=0, then=0).trim(start=2,end=1).label(regex=\\\"^.* netflow.ip_class_of_service:(.+) \\u003e .*$\\\", label=\\\"$1\\\").lines(width=1, stack=true, fill=1).yaxis(label=\\\"bytes / sec\\\", min=0)\",\"interval\":\"auto\"},\"title\":\"Types of Service (bytes) [Logs Netflow]\",\"type\":\"timelion\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "netflow-717cd7c7-bfca-435d-8ee7-38259927aade", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/netflow/2.2.4/kibana/visualization/netflow-751ecb6f-11c3-458d-b039-f6d57a6379fa.json b/packages/netflow/2.2.4/kibana/visualization/netflow-751ecb6f-11c3-458d-b039-f6d57a6379fa.json deleted file mode 100755 index c9b9434535..0000000000 --- a/packages/netflow/2.2.4/kibana/visualization/netflow-751ecb6f-11c3-458d-b039-f6d57a6379fa.json +++ /dev/null 
@@ -1,19 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Source Autonomous Systems (bytes) [Logs Netflow]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"expression\":\".es(index=\\\"logs-*\\\", metric=\\\"sum:network.bytes\\\", split=\\\"source.as.organization.name:10\\\", kibana=true).scale_interval(1s).fit(mode=scale).if(operator=\\\"lt\\\", if=0, then=0).trim(start=2,end=1).label(regex=\\\"^.* source.as.organization.name:(.+) \\u003e .*$\\\", label=\\\"$1\\\").lines(width=1, stack=true, fill=1).yaxis(label=\\\"bytes / sec\\\", min=0)\",\"interval\":\"auto\"},\"title\":\"Source Autonomous Systems (bytes) [Logs Netflow]\",\"type\":\"timelion\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "netflow-751ecb6f-11c3-458d-b039-f6d57a6379fa", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/netflow/2.2.4/kibana/visualization/netflow-7d447b22-89dc-4f32-b549-4b8620af4d76.json b/packages/netflow/2.2.4/kibana/visualization/netflow-7d447b22-89dc-4f32-b549-4b8620af4d76.json deleted file mode 100755 index 5170f89858..0000000000 --- a/packages/netflow/2.2.4/kibana/visualization/netflow-7d447b22-89dc-4f32-b549-4b8620af4d76.json +++ /dev/null 
@@ -1,19 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Cities (packets) [Logs Netflow]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"expression\":\".es(index=\\\"logs-*\\\", metric=\\\"sum:network.packets\\\", split=\\\"destination.geo.city_name:10\\\", kibana=true).scale_interval(1s).fit(mode=scale).if(operator=\\\"lt\\\", if=0, then=0).trim(start=2,end=1).label(regex=\\\"^.* destination.geo.city_name:(.+) \\u003e .*$\\\", label=\\\"$1\\\").lines(width=1, stack=true, fill=1).yaxis(label=\\\"packets / sec\\\", min=0)\",\"interval\":\"auto\"},\"title\":\"Cities (packets) [Logs Netflow]\",\"type\":\"timelion\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "netflow-7d447b22-89dc-4f32-b549-4b8620af4d76", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/netflow/2.2.4/kibana/visualization/netflow-7fa6cb0a-518d-46e9-a228-15cd4253a957.json b/packages/netflow/2.2.4/kibana/visualization/netflow-7fa6cb0a-518d-46e9-a228-15cd4253a957.json deleted file mode 100755 index e10072db9a..0000000000 --- a/packages/netflow/2.2.4/kibana/visualization/netflow-7fa6cb0a-518d-46e9-a228-15cd4253a957.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "VLANs (bytes) [Logs Netflow]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Bytes\",\"field\":\"network.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"VLAN\",\"field\":\"netflow.vlan_id\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":50},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"}},\"title\":\"VLANs (bytes) [Logs Netflow]\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "netflow-7fa6cb0a-518d-46e9-a228-15cd4253a957", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/netflow/2.2.4/kibana/visualization/netflow-85ebf558-402b-45d2-a186-e15f8673ec07.json b/packages/netflow/2.2.4/kibana/visualization/netflow-85ebf558-402b-45d2-a186-e15f8673ec07.json deleted file mode 100755 index 4d61c728ef..0000000000 --- a/packages/netflow/2.2.4/kibana/visualization/netflow-85ebf558-402b-45d2-a186-e15f8673ec07.json +++ /dev/null 
@@ -1,19 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Egress Interfaces (bytes) [Logs Netflow]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"expression\":\".es(index=\\\"logs-*\\\", metric=\\\"sum:network.bytes\\\", split=\\\"netflow.egress_interface:10\\\", kibana=true).scale_interval(1s).fit(mode=scale).if(operator=\\\"lt\\\", if=0, then=0).trim(start=2,end=1).label(regex=\\\"^.* netflow.egress_interface:(.+) \\u003e .*$\\\", label=\\\"$1\\\").lines(width=1, stack=true, fill=1).yaxis(label=\\\"bytes / sec\\\", min=0)\",\"interval\":\"auto\"},\"title\":\"Egress Interfaces (bytes) [Logs Netflow]\",\"type\":\"timelion\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "netflow-85ebf558-402b-45d2-a186-e15f8673ec07", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/netflow/2.2.4/kibana/visualization/netflow-8f83cf97-4a48-421f-8db5-690297d1f4fb.json b/packages/netflow/2.2.4/kibana/visualization/netflow-8f83cf97-4a48-421f-8db5-690297d1f4fb.json deleted file mode 100755 index d3bba7450d..0000000000 --- a/packages/netflow/2.2.4/kibana/visualization/netflow-8f83cf97-4a48-421f-8db5-690297d1f4fb.json +++ /dev/null 
@@ -1,19 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "TCP Flags (packets) [Logs Netflow]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"expression\":\".es(index=\\\"logs-*\\\", metric=\\\"sum:network.packets\\\", split=\\\"netflow.tcp_control_bits:10\\\", kibana=true).scale_interval(1s).fit(mode=scale).if(operator=\\\"lt\\\", if=0, then=0).trim(start=2,end=1).label(regex=\\\"^.* netflow.tcp_control_bits:(.+) \\u003e .*$\\\", label=\\\"$1\\\").lines(width=1, stack=true, fill=1).yaxis(label=\\\"packets / sec\\\", min=0)\",\"interval\":\"auto\"},\"title\":\"TCP Flags (packets) [Logs Netflow]\",\"type\":\"timelion\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "netflow-8f83cf97-4a48-421f-8db5-690297d1f4fb", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/netflow/2.2.4/kibana/visualization/netflow-a14c3248-952d-42aa-bd7d-9b39157a776f.json b/packages/netflow/2.2.4/kibana/visualization/netflow-a14c3248-952d-42aa-bd7d-9b39157a776f.json deleted file mode 100755 index 305b1cbe98..0000000000 --- a/packages/netflow/2.2.4/kibana/visualization/netflow-a14c3248-952d-42aa-bd7d-9b39157a776f.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Countries (bytes) [Logs Netflow]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Bytes\",\"field\":\"network.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Country\",\"field\":\"destination.geo.country_name\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":50},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"}},\"title\":\"Countries (bytes) [Logs Netflow]\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "netflow-a14c3248-952d-42aa-bd7d-9b39157a776f", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/netflow/2.2.4/kibana/visualization/netflow-a1704d46-15fc-41c2-851d-796ceb49877f.json b/packages/netflow/2.2.4/kibana/visualization/netflow-a1704d46-15fc-41c2-851d-796ceb49877f.json deleted file mode 100755 index 9fd050b6f2..0000000000 --- a/packages/netflow/2.2.4/kibana/visualization/netflow-a1704d46-15fc-41c2-851d-796ceb49877f.json +++ /dev/null 
@@ -1,19 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Types of Service (packets) [Logs Netflow]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"expression\":\".es(index=\\\"logs-*\\\", metric=\\\"sum:network.packets\\\", split=\\\"netflow.ip_class_of_service:10\\\", kibana=true).scale_interval(1s).fit(mode=scale).if(operator=\\\"lt\\\", if=0, then=0).trim(start=2,end=1).label(regex=\\\"^.* netflow.ip_class_of_service:(.+) \\u003e .*$\\\", label=\\\"$1\\\").lines(width=1, stack=true, fill=1).yaxis(label=\\\"packets / sec\\\", min=0)\",\"interval\":\"auto\"},\"title\":\"Types of Service (packets) [Logs Netflow]\",\"type\":\"timelion\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "netflow-a1704d46-15fc-41c2-851d-796ceb49877f", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/netflow/2.2.4/kibana/visualization/netflow-a5efa3dd-f53a-4d14-9d3f-ee73345fd93d.json b/packages/netflow/2.2.4/kibana/visualization/netflow-a5efa3dd-f53a-4d14-9d3f-ee73345fd93d.json deleted file mode 100755 index fff9d9fbb7..0000000000 --- a/packages/netflow/2.2.4/kibana/visualization/netflow-a5efa3dd-f53a-4d14-9d3f-ee73345fd93d.json +++ /dev/null 
@@ -1,19 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "VLANs (bytes) [Logs Netflow]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"expression\":\".es(index=\\\"logs-*\\\", metric=\\\"sum:network.bytes\\\", split=\\\"netflow.vlan_id:10\\\", kibana=true).scale_interval(1s).fit(mode=scale).if(operator=\\\"lt\\\", if=0, then=0).trim(start=2,end=1).label(regex=\\\"^.* netflow.vlan_id:(.+) \\u003e .*$\\\", label=\\\"$1\\\").lines(width=1, stack=true, fill=1).yaxis(label=\\\"bytes / sec\\\", min=0)\",\"interval\":\"auto\"},\"title\":\"VLANs (bytes) [Logs Netflow]\",\"type\":\"timelion\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "netflow-a5efa3dd-f53a-4d14-9d3f-ee73345fd93d", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/netflow/2.2.4/kibana/visualization/netflow-a685420e-c45f-4b62-932b-5b76ac8b8ca2.json b/packages/netflow/2.2.4/kibana/visualization/netflow-a685420e-c45f-4b62-932b-5b76ac8b8ca2.json deleted file mode 100755 index d5430f2886..0000000000 --- a/packages/netflow/2.2.4/kibana/visualization/netflow-a685420e-c45f-4b62-932b-5b76ac8b8ca2.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Cities (bytes) [Logs Netflow]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Bytes\",\"field\":\"network.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"City\",\"field\":\"destination.geo.city_name\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":50},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"}},\"title\":\"Cities (bytes) [Logs Netflow]\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "netflow-a685420e-c45f-4b62-932b-5b76ac8b8ca2", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/netflow/2.2.4/kibana/visualization/netflow-abfa0b19-60cd-4984-9c3d-02ebf0aa1dfb.json b/packages/netflow/2.2.4/kibana/visualization/netflow-abfa0b19-60cd-4984-9c3d-02ebf0aa1dfb.json deleted file mode 100755 index e67336cb81..0000000000 --- a/packages/netflow/2.2.4/kibana/visualization/netflow-abfa0b19-60cd-4984-9c3d-02ebf0aa1dfb.json +++ /dev/null 
@@ -1,19 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Autonomous Systems (bytes) [Logs Netflow]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"expression\":\".es(index=\\\"logs-*\\\", metric=\\\"sum:network.bytes\\\", split=\\\"destination.as.organization.name:10\\\", kibana=true).scale_interval(1s).fit(mode=scale).if(operator=\\\"lt\\\", if=0, then=0).trim(start=2,end=1).label(regex=\\\"^.* destination.as.organization.name:(.+) \\u003e .*$\\\", label=\\\"$1\\\").lines(width=1, stack=true, fill=1).yaxis(label=\\\"bytes / sec\\\", min=0)\",\"interval\":\"auto\"},\"title\":\"Autonomous Systems (bytes) [Logs Netflow]\",\"type\":\"timelion\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "netflow-abfa0b19-60cd-4984-9c3d-02ebf0aa1dfb", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/netflow/2.2.4/kibana/visualization/netflow-ae334aec-31fa-4df7-a064-40b18831d819.json b/packages/netflow/2.2.4/kibana/visualization/netflow-ae334aec-31fa-4df7-a064-40b18831d819.json deleted file mode 100755 index 11c13cd5af..0000000000 --- a/packages/netflow/2.2.4/kibana/visualization/netflow-ae334aec-31fa-4df7-a064-40b18831d819.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "IP Version and Protocols (bytes) [Logs Netflow]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Bytes\",\"field\":\"network.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"IP Version\",\"field\":\"network.type\",\"missingBucket\":true,\"missingBucketLabel\":\"unset ip version\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Protocol\",\"field\":\"network.transport\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":50},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"dimensions\":{\"buckets\":[{\"accessor\":0,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":2,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}}],\"metric\":{\"accessor\":1,\"aggType\":\"sum\",\"format\":{\"id\":\"bytes\"},\"params\":{}}},\"distinctColors\":true,\"isDonut\":true,\"labels\":{\"last_level\":true,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"type\":\"pie\"},\"title\":\"IP Version and Protocols (bytes) [Logs Netflow]\",\"type\":\"pie\"}" - }, - 
"coreMigrationVersion": "8.0.0", - "id": "netflow-ae334aec-31fa-4df7-a064-40b18831d819", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/netflow/2.2.4/kibana/visualization/netflow-aed09724-0a69-4331-84f5-3d2067c43930.json b/packages/netflow/2.2.4/kibana/visualization/netflow-aed09724-0a69-4331-84f5-3d2067c43930.json deleted file mode 100755 index 0cb598214c..0000000000 --- a/packages/netflow/2.2.4/kibana/visualization/netflow-aed09724-0a69-4331-84f5-3d2067c43930.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Destinations and Sources (flow records) [Logs Netflow]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Flow Records\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Destination\",\"field\":\"destination.ip\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":50},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Source\",\"field\":\"source.ip\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":50},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"}},\"title\":\"Destinations and Sources (flow records) [Logs Netflow]\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "netflow-aed09724-0a69-4331-84f5-3d2067c43930", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/netflow/2.2.4/kibana/visualization/netflow-af707b01-29f1-462b-b279-6d2e803f3645.json b/packages/netflow/2.2.4/kibana/visualization/netflow-af707b01-29f1-462b-b279-6d2e803f3645.json deleted file mode 100755 index 4687a20531..0000000000 --- a/packages/netflow/2.2.4/kibana/visualization/netflow-af707b01-29f1-462b-b279-6d2e803f3645.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Destination Port Count [Logs Netflow]", - "uiStateJSON": "{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Destination Ports\",\"field\":\"destination.port\"},\"schema\":\"metric\",\"type\":\"cardinality\"}],\"listeners\":{},\"params\":{\"addLegend\":false,\"addTooltip\":true,\"fontSize\":\"32\",\"gauge\":{\"autoExtend\":false,\"backStyle\":\"Full\",\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":100}],\"gaugeColorMode\":\"None\",\"gaugeStyle\":\"Full\",\"gaugeType\":\"Metric\",\"invertColors\":false,\"labels\":{\"color\":\"black\",\"show\":true},\"orientation\":\"vertical\",\"percentageMode\":false,\"scale\":{\"color\":\"#333\",\"labels\":false,\"show\":false,\"width\":2},\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":\"36\",\"labelColor\":false,\"subText\":\"\"},\"type\":\"simple\",\"useRange\":false,\"verticalSplit\":false},\"handleNoResults\":true,\"type\":\"gauge\"},\"title\":\"Destination Port Count [Logs Netflow]\",\"type\":\"metric\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "netflow-af707b01-29f1-462b-b279-6d2e803f3645", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/netflow/2.2.4/kibana/visualization/netflow-b02c2713-17f0-41dd-88a3-ce33b446f19d.json b/packages/netflow/2.2.4/kibana/visualization/netflow-b02c2713-17f0-41dd-88a3-ce33b446f19d.json deleted file mode 100755 index b966d64753..0000000000 
--- a/packages/netflow/2.2.4/kibana/visualization/netflow-b02c2713-17f0-41dd-88a3-ce33b446f19d.json +++ /dev/null @@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Locality (bytes) [Logs Netflow]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Bytes\",\"field\":\"network.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Locality\",\"field\":\"flow.locality\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"}},\"title\":\"Locality (bytes) [Logs Netflow]\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "netflow-b02c2713-17f0-41dd-88a3-ce33b446f19d", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/netflow/2.2.4/kibana/visualization/netflow-b677cd82-b33e-49b3-8b6e-0e110177b163.json b/packages/netflow/2.2.4/kibana/visualization/netflow-b677cd82-b33e-49b3-8b6e-0e110177b163.json deleted file mode 100755 index 1eceb9a616..0000000000 --- a/packages/netflow/2.2.4/kibana/visualization/netflow-b677cd82-b33e-49b3-8b6e-0e110177b163.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Direction (bytes) [Logs Netflow]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Bytes\",\"field\":\"network.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Direction\",\"field\":\"network.direction\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"}},\"title\":\"Direction (bytes) [Logs Netflow]\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "netflow-b677cd82-b33e-49b3-8b6e-0e110177b163", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/netflow/2.2.4/kibana/visualization/netflow-c27c6a3b-93ee-44d5-8d0c-9b097e575f52.json b/packages/netflow/2.2.4/kibana/visualization/netflow-c27c6a3b-93ee-44d5-8d0c-9b097e575f52.json deleted file mode 100755 index a0b7c0c1c2..0000000000 --- a/packages/netflow/2.2.4/kibana/visualization/netflow-c27c6a3b-93ee-44d5-8d0c-9b097e575f52.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Flow Records [Logs Netflow]", - "uiStateJSON": "{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Flow Records\"},\"schema\":\"metric\",\"type\":\"count\"}],\"listeners\":{},\"params\":{\"addLegend\":false,\"addTooltip\":true,\"fontSize\":\"32\",\"gauge\":{\"autoExtend\":false,\"backStyle\":\"Full\",\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":100}],\"gaugeColorMode\":\"None\",\"gaugeStyle\":\"Full\",\"gaugeType\":\"Metric\",\"invertColors\":false,\"labels\":{\"color\":\"black\",\"show\":true},\"orientation\":\"vertical\",\"percentageMode\":false,\"scale\":{\"color\":\"#333\",\"labels\":false,\"show\":false,\"width\":2},\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":\"36\",\"labelColor\":false,\"subText\":\"\"},\"type\":\"simple\",\"useRange\":false,\"verticalSplit\":false},\"handleNoResults\":true,\"type\":\"gauge\"},\"title\":\"Flow Records [Logs Netflow]\",\"type\":\"metric\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "netflow-c27c6a3b-93ee-44d5-8d0c-9b097e575f52", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/netflow/2.2.4/kibana/visualization/netflow-c54f5529-e6d7-4c26-8e8e-3b35de132035.json b/packages/netflow/2.2.4/kibana/visualization/netflow-c54f5529-e6d7-4c26-8e8e-3b35de132035.json deleted file mode 100755 index 878b1708d1..0000000000 
--- a/packages/netflow/2.2.4/kibana/visualization/netflow-c54f5529-e6d7-4c26-8e8e-3b35de132035.json +++ /dev/null @@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Destination and Source Ports (bytes) [Logs Netflow]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Bytes\",\"field\":\"network.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Destination Port\",\"field\":\"destination.port\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":50},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Source Port\",\"field\":\"source.port\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":50},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"}},\"title\":\"Destination and Source Ports (bytes) [Logs Netflow]\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "netflow-c54f5529-e6d7-4c26-8e8e-3b35de132035", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/netflow/2.2.4/kibana/visualization/netflow-cccff92f-cb71-49a9-9caf-84867751d31e.json b/packages/netflow/2.2.4/kibana/visualization/netflow-cccff92f-cb71-49a9-9caf-84867751d31e.json deleted file mode 100755 index 2a6ad569d2..0000000000 
--- a/packages/netflow/2.2.4/kibana/visualization/netflow-cccff92f-cb71-49a9-9caf-84867751d31e.json +++ /dev/null @@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Top Flow Exporters [Logs Netflow]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Bytes\",\"field\":\"network.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Packets\",\"field\":\"network.packets\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Flow Records\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Flow Exporter\",\"field\":\"agent.name\",\"order\":\"desc\",\"orderBy\":\"2\",\"size\":500},\"schema\":\"bucket\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"perPage\":10,\"showMeticsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":true,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Top Flow Exporters [Logs Netflow]\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "netflow-cccff92f-cb71-49a9-9caf-84867751d31e", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/netflow/2.2.4/kibana/visualization/netflow-cf399a85-e348-4ac1-a399-e8f5a44114c4.json b/packages/netflow/2.2.4/kibana/visualization/netflow-cf399a85-e348-4ac1-a399-e8f5a44114c4.json deleted file mode 100755 index 743e1dfb17..0000000000 --- a/packages/netflow/2.2.4/kibana/visualization/netflow-cf399a85-e348-4ac1-a399-e8f5a44114c4.json +++ /dev/null @@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Destination Ports (bytes) [Logs Netflow]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Bytes\",\"field\":\"network.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Destination Port\",\"field\":\"destination.port\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":50},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"}},\"title\":\"Destination Ports (bytes) [Logs Netflow]\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "netflow-cf399a85-e348-4ac1-a399-e8f5a44114c4", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/netflow/2.2.4/kibana/visualization/netflow-d27b5d74-b3b4-4311-a0e6-08ff8f4345df.json b/packages/netflow/2.2.4/kibana/visualization/netflow-d27b5d74-b3b4-4311-a0e6-08ff8f4345df.json deleted file mode 100755 index 979ae6b817..0000000000 
--- a/packages/netflow/2.2.4/kibana/visualization/netflow-d27b5d74-b3b4-4311-a0e6-08ff8f4345df.json +++ /dev/null @@ -1,19 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Destination Autonomous Systems (packets) [Logs Netflow]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"expression\":\".es(index=\\\"logs-*\\\", metric=\\\"sum:network.packets\\\", split=\\\"destination.as.organization.name:10\\\", kibana=true).scale_interval(1s).fit(mode=scale).if(operator=\\\"lt\\\", if=0, then=0).trim(start=2,end=1).label(regex=\\\"^.* destination.as.organization.name:(.+) \\u003e .*$\\\", label=\\\"$1\\\").lines(width=1, stack=true, fill=1).yaxis(label=\\\"packets / sec\\\", min=0)\",\"interval\":\"auto\"},\"title\":\"Destination Autonomous Systems (packets) [Logs Netflow]\",\"type\":\"timelion\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "netflow-d27b5d74-b3b4-4311-a0e6-08ff8f4345df", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/netflow/2.2.4/kibana/visualization/netflow-d3df8d28-65f8-4ea1-8b33-f479380a0600.json b/packages/netflow/2.2.4/kibana/visualization/netflow-d3df8d28-65f8-4ea1-8b33-f479380a0600.json deleted file mode 100755 index c6f2374192..0000000000 --- a/packages/netflow/2.2.4/kibana/visualization/netflow-d3df8d28-65f8-4ea1-8b33-f479380a0600.json +++ /dev/null 
@@ -1,19 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Ingress Interfaces (bytes) [Logs Netflow]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"expression\":\".es(index=\\\"logs-*\\\", metric=\\\"sum:network.bytes\\\", split=\\\"netflow.ingress_interface:10\\\", kibana=true).scale_interval(1s).fit(mode=scale).if(operator=\\\"lt\\\", if=0, then=0).trim(start=2,end=1).label(regex=\\\"^.* netflow.ingress_interface:(.+) \\u003e .*$\\\", label=\\\"$1\\\").lines(width=1, stack=true, fill=1).yaxis(label=\\\"bytes / sec\\\", min=0)\",\"interval\":\"auto\"},\"title\":\"Ingress Interfaces (bytes) [Logs Netflow]\",\"type\":\"timelion\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "netflow-d3df8d28-65f8-4ea1-8b33-f479380a0600", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/netflow/2.2.4/kibana/visualization/netflow-d41a9663-e5ad-47a7-955e-3803ae4e23c0.json b/packages/netflow/2.2.4/kibana/visualization/netflow-d41a9663-e5ad-47a7-955e-3803ae4e23c0.json deleted file mode 100755 index 79287a5688..0000000000 --- a/packages/netflow/2.2.4/kibana/visualization/netflow-d41a9663-e5ad-47a7-955e-3803ae4e23c0.json +++ /dev/null 
@@ -1,19 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Countries (packets) [Logs Netflow]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"expression\":\".es(index=\\\"logs-*\\\", metric=\\\"sum:network.packets\\\", split=\\\"destination.geo.country_name:10\\\", kibana=true).scale_interval(1s).fit(mode=scale).if(operator=\\\"lt\\\", if=0, then=0).trim(start=2,end=1).label(regex=\\\"^.* destination.geo.country_name:(.+) \\u003e .*$\\\", label=\\\"$1\\\").lines(width=1, stack=true, fill=1).yaxis(label=\\\"packets / sec\\\", min=0)\",\"interval\":\"auto\"},\"title\":\"Countries (packets) [Logs Netflow]\",\"type\":\"timelion\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "netflow-d41a9663-e5ad-47a7-955e-3803ae4e23c0", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/netflow/2.2.4/kibana/visualization/netflow-d4e6520a-9ced-47c9-a8f2-7246e8cbd2d3.json b/packages/netflow/2.2.4/kibana/visualization/netflow-d4e6520a-9ced-47c9-a8f2-7246e8cbd2d3.json deleted file mode 100755 index 80858ba78a..0000000000 --- a/packages/netflow/2.2.4/kibana/visualization/netflow-d4e6520a-9ced-47c9-a8f2-7246e8cbd2d3.json +++ /dev/null 
@@ -1,19 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Dashboard Navigation [Logs Netflow]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"markdown\":\"[Overview](#/dashboard/netflow-34e26884-161a-4448-9556-43b5bf2f62a2) | [Conversation Partners](#/dashboard/netflow-acd7a630-0c71-4840-bc9e-4a3801374a32) | [Traffic Analysis](#/dashboard/netflow-38012abe-c611-4124-8497-381fcd85acc8) | [Top-N](#/dashboard/netflow-14387a13-53bc-43a4-b9cd-63977aa8d87c) | [Geo Location](#/dashboard/netflow-77326664-23be-4bf1-a126-6d7e60cfc024) | [Autonomous Systems](#/dashboard/netflow-c64665f9-d222-421e-90b0-c7310d944b8a) | [Flow Exporters](#/dashboard/netflow-feebb4e6-b13e-4e4e-b9fc-d3a178276425) | [Raw Flow Records](#/dashboard/netflow-94972700-de4a-4272-9143-2fa8d4981365)\\n***\"},\"title\":\"Dashboard Navigation [Logs Netflow]\",\"type\":\"markdown\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "netflow-d4e6520a-9ced-47c9-a8f2-7246e8cbd2d3", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/netflow/2.2.4/kibana/visualization/netflow-d5568704-e30b-4108-bb49-06a9b8dce6a6.json b/packages/netflow/2.2.4/kibana/visualization/netflow-d5568704-e30b-4108-bb49-06a9b8dce6a6.json deleted file mode 100755 index 31ce08b895..0000000000 --- a/packages/netflow/2.2.4/kibana/visualization/netflow-d5568704-e30b-4108-bb49-06a9b8dce6a6.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Autonomous System Count [Logs Netflow]", - "uiStateJSON": "{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Autonomous Systems\",\"field\":\"destination.as.organization.name\"},\"schema\":\"metric\",\"type\":\"cardinality\"}],\"listeners\":{},\"params\":{\"addLegend\":false,\"addTooltip\":true,\"fontSize\":\"32\",\"gauge\":{\"autoExtend\":false,\"backStyle\":\"Full\",\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":100}],\"gaugeColorMode\":\"None\",\"gaugeStyle\":\"Full\",\"gaugeType\":\"Metric\",\"invertColors\":false,\"labels\":{\"color\":\"black\",\"show\":true},\"orientation\":\"vertical\",\"percentageMode\":false,\"scale\":{\"color\":\"#333\",\"labels\":false,\"show\":false,\"width\":2},\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":\"36\",\"labelColor\":false,\"subText\":\"\"},\"type\":\"simple\",\"useRange\":false,\"verticalSplit\":false},\"handleNoResults\":true,\"type\":\"gauge\"},\"title\":\"Autonomous System Count [Logs Netflow]\",\"type\":\"metric\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "netflow-d5568704-e30b-4108-bb49-06a9b8dce6a6", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/netflow/2.2.4/kibana/visualization/netflow-d59a031c-70d6-47d7-966d-7fcb805be9be.json b/packages/netflow/2.2.4/kibana/visualization/netflow-d59a031c-70d6-47d7-966d-7fcb805be9be.json deleted file mode 100755 index 2966189f54..0000000000 
--- a/packages/netflow/2.2.4/kibana/visualization/netflow-d59a031c-70d6-47d7-966d-7fcb805be9be.json +++ /dev/null @@ -1,19 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Destinations (packets) [Logs Netflow]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"expression\":\".es(index=\\\"logs-*\\\", metric=\\\"sum:network.packets\\\", split=\\\"destination.ip:10\\\", kibana=true).scale_interval(1s).fit(mode=scale).if(operator=\\\"lt\\\", if=0, then=0).trim(start=2,end=1).label(regex=\\\"^.* destination.ip:(.+) \\u003e .*$\\\", label=\\\"$1\\\").lines(width=1, stack=true, fill=1).yaxis(label=\\\"packets / sec\\\", min=0)\",\"interval\":\"auto\"},\"title\":\"Destinations (packets) [Logs Netflow]\",\"type\":\"timelion\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "netflow-d59a031c-70d6-47d7-966d-7fcb805be9be", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/netflow/2.2.4/kibana/visualization/netflow-ddd27657-c3c8-4f82-8059-6d7763dd599b.json b/packages/netflow/2.2.4/kibana/visualization/netflow-ddd27657-c3c8-4f82-8059-6d7763dd599b.json deleted file mode 100755 index e443df12d7..0000000000 --- a/packages/netflow/2.2.4/kibana/visualization/netflow-ddd27657-c3c8-4f82-8059-6d7763dd599b.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Source Port Count [Logs Netflow]", - "uiStateJSON": "{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Source Ports\",\"field\":\"source.port\"},\"schema\":\"metric\",\"type\":\"cardinality\"}],\"listeners\":{},\"params\":{\"addLegend\":false,\"addTooltip\":true,\"fontSize\":\"32\",\"gauge\":{\"autoExtend\":false,\"backStyle\":\"Full\",\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":100}],\"gaugeColorMode\":\"None\",\"gaugeStyle\":\"Full\",\"gaugeType\":\"Metric\",\"invertColors\":false,\"labels\":{\"color\":\"black\",\"show\":true},\"orientation\":\"vertical\",\"percentageMode\":false,\"scale\":{\"color\":\"#333\",\"labels\":false,\"show\":false,\"width\":2},\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":\"36\",\"labelColor\":false,\"subText\":\"\"},\"type\":\"simple\",\"useRange\":false,\"verticalSplit\":false},\"handleNoResults\":true,\"type\":\"gauge\"},\"title\":\"Source Port Count [Logs Netflow]\",\"type\":\"metric\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "netflow-ddd27657-c3c8-4f82-8059-6d7763dd599b", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/netflow/2.2.4/kibana/visualization/netflow-e822f94c-5f65-4963-a540-74ca9c25bd2d.json b/packages/netflow/2.2.4/kibana/visualization/netflow-e822f94c-5f65-4963-a540-74ca9c25bd2d.json deleted file mode 100755 index d2c4ad8355..0000000000 
--- a/packages/netflow/2.2.4/kibana/visualization/netflow-e822f94c-5f65-4963-a540-74ca9c25bd2d.json +++ /dev/null @@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Destinations and Sources (bytes) [Logs Netflow]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Bytes\",\"field\":\"network.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Destination\",\"field\":\"destination.ip\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":50},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Source\",\"field\":\"source.ip\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":50},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"}},\"title\":\"Destinations and Sources (bytes) [Logs Netflow]\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "netflow-e822f94c-5f65-4963-a540-74ca9c25bd2d", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/netflow/2.2.4/kibana/visualization/netflow-e99dc327-03de-4561-9e0c-f550710125c2.json b/packages/netflow/2.2.4/kibana/visualization/netflow-e99dc327-03de-4561-9e0c-f550710125c2.json deleted file mode 100755 index 497a4ccbfb..0000000000 
--- a/packages/netflow/2.2.4/kibana/visualization/netflow-e99dc327-03de-4561-9e0c-f550710125c2.json +++ /dev/null @@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Destination Count [Logs Netflow]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Destinations\",\"field\":\"destination.ip\"},\"schema\":\"metric\",\"type\":\"cardinality\"}],\"listeners\":{},\"params\":{\"fontSize\":\"32\",\"handleNoResults\":true},\"title\":\"Destination Count [Logs Netflow]\",\"type\":\"metric\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "netflow-e99dc327-03de-4561-9e0c-f550710125c2", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/netflow/2.2.4/kibana/visualization/netflow-e9ad835b-b2f2-42d3-a3e7-555a593deacf.json b/packages/netflow/2.2.4/kibana/visualization/netflow-e9ad835b-b2f2-42d3-a3e7-555a593deacf.json deleted file mode 100755 index 60c450cad9..0000000000 --- a/packages/netflow/2.2.4/kibana/visualization/netflow-e9ad835b-b2f2-42d3-a3e7-555a593deacf.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Top Source Ports [Logs Netflow]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Bytes\",\"field\":\"network.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Packets\",\"field\":\"network.packets\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Flow Records\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Source\",\"field\":\"source.port\",\"order\":\"desc\",\"orderBy\":\"2\",\"size\":500},\"schema\":\"bucket\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"perPage\":10,\"showMeticsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":true,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Top Source Ports [Logs Netflow]\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "netflow-e9ad835b-b2f2-42d3-a3e7-555a593deacf", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/netflow/2.2.4/kibana/visualization/netflow-ebea013f-9b5b-4f61-a9c8-c62bebf62ae9.json b/packages/netflow/2.2.4/kibana/visualization/netflow-ebea013f-9b5b-4f61-a9c8-c62bebf62ae9.json deleted file mode 100755 index 510bd9c74c..0000000000 
--- a/packages/netflow/2.2.4/kibana/visualization/netflow-ebea013f-9b5b-4f61-a9c8-c62bebf62ae9.json +++ /dev/null @@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Conversation Partners [Logs Netflow]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":2,\"direction\":\"desc\"}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Bytes\",\"field\":\"network.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Packets\",\"field\":\"network.packets\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Source\",\"field\":\"source.ip\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":50},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Destination\",\"field\":\"destination.ip\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":50},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"5\",\"params\":{\"customLabel\":\"Flow Records\"},\"schema\":\"metric\",\"type\":\"count\"}],\"listeners\":{},\"params\":{\"perPage\":10,\"showMeticsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":2,\"direction\":\"desc\"},\"totalFunc\":\"sum\"},\"title\":\"Conversation Partners [Logs Netflow]\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "netflow-ebea013f-9b5b-4f61-a9c8-c62bebf62ae9", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/netflow/2.2.4/kibana/visualization/netflow-f27c1479-0625-4cdc-92de-672e47db0f87.json b/packages/netflow/2.2.4/kibana/visualization/netflow-f27c1479-0625-4cdc-92de-672e47db0f87.json deleted file mode 100755 index 75c6397b07..0000000000 --- a/packages/netflow/2.2.4/kibana/visualization/netflow-f27c1479-0625-4cdc-92de-672e47db0f87.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "ToS Count [Logs Netflow]", - "uiStateJSON": "{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Types of Service\",\"field\":\"netflow.ip_class_of_service\"},\"schema\":\"metric\",\"type\":\"cardinality\"}],\"listeners\":{},\"params\":{\"addLegend\":false,\"addTooltip\":true,\"fontSize\":\"32\",\"gauge\":{\"autoExtend\":false,\"backStyle\":\"Full\",\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":100}],\"gaugeColorMode\":\"None\",\"gaugeStyle\":\"Full\",\"gaugeType\":\"Metric\",\"invertColors\":false,\"labels\":{\"color\":\"black\",\"show\":true},\"orientation\":\"vertical\",\"percentageMode\":false,\"scale\":{\"color\":\"#333\",\"labels\":false,\"show\":false,\"width\":2},\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":\"36\",\"labelColor\":false,\"subText\":\"\"},\"type\":\"simple\",\"useRange\":false,\"verticalSplit\":false},\"handleNoResults\":true,\"type\":\"gauge\"},\"title\":\"ToS Count [Logs Netflow]\",\"type\":\"metric\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "netflow-f27c1479-0625-4cdc-92de-672e47db0f87", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/netflow/2.2.4/kibana/visualization/netflow-f531f957-e8c0-497a-ad41-ef39c2d29671.json b/packages/netflow/2.2.4/kibana/visualization/netflow-f531f957-e8c0-497a-ad41-ef39c2d29671.json deleted file mode 100755 index dcd2f36948..0000000000 
--- a/packages/netflow/2.2.4/kibana/visualization/netflow-f531f957-e8c0-497a-ad41-ef39c2d29671.json +++ /dev/null @@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Destination and Source Ports (flow records) [Logs Netflow]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Flow Records\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Destination Port\",\"field\":\"destination.port\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":50},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Source Port\",\"field\":\"source.port\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":50},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"}},\"title\":\"Destination and Source Ports (flow records) [Logs Netflow]\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "netflow-f531f957-e8c0-497a-ad41-ef39c2d29671", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/netflow/2.2.4/kibana/visualization/netflow-f668ecdb-eec7-44c6-9060-26aaf9fc8404.json b/packages/netflow/2.2.4/kibana/visualization/netflow-f668ecdb-eec7-44c6-9060-26aaf9fc8404.json deleted file mode 100755 index 19567eb0c0..0000000000 
--- a/packages/netflow/2.2.4/kibana/visualization/netflow-f668ecdb-eec7-44c6-9060-26aaf9fc8404.json +++ /dev/null @@ -1,19 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Source Ports (bytes) [Logs Netflow]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"expression\":\".es(index=\\\"logs-*\\\", metric=\\\"sum:network.bytes\\\", split=\\\"source.port:10\\\", kibana=true).scale_interval(1s).fit(mode=scale).if(operator=\\\"lt\\\", if=0, then=0).trim(start=2,end=1).label(regex=\\\"^.* source.port:(.+) \\u003e .*$\\\", label=\\\"$1\\\").lines(width=1, stack=true, fill=1).yaxis(label=\\\"bytes / sec\\\", min=0)\",\"interval\":\"auto\"},\"title\":\"Source Ports (bytes) [Logs Netflow]\",\"type\":\"timelion\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "netflow-f668ecdb-eec7-44c6-9060-26aaf9fc8404", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/netflow/2.2.4/kibana/visualization/netflow-f75063c7-48b7-4de4-b8cb-d07eb2cea0e9.json b/packages/netflow/2.2.4/kibana/visualization/netflow-f75063c7-48b7-4de4-b8cb-d07eb2cea0e9.json deleted file mode 100755 index 8ba248d484..0000000000 --- a/packages/netflow/2.2.4/kibana/visualization/netflow-f75063c7-48b7-4de4-b8cb-d07eb2cea0e9.json +++ /dev/null 
@@ -1,19 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Source Autonomous Systems (packets) [Logs Netflow]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"expression\":\".es(index=\\\"logs-*\\\", metric=\\\"sum:network.packets\\\", split=\\\"source.as.organization.name:10\\\", kibana=true).scale_interval(1s).fit(mode=scale).if(operator=\\\"lt\\\", if=0, then=0).trim(start=2,end=1).label(regex=\\\"^.* source.as.organization.name:(.+) \\u003e .*$\\\", label=\\\"$1\\\").lines(width=1, stack=true, fill=1).yaxis(label=\\\"packets / sec\\\", min=0)\",\"interval\":\"auto\"},\"title\":\"Source Autonomous Systems (packets) [Logs Netflow]\",\"type\":\"timelion\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "netflow-f75063c7-48b7-4de4-b8cb-d07eb2cea0e9", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/netflow/2.2.4/kibana/visualization/netflow-f772028b-d5a6-4d55-b441-493871981a60.json b/packages/netflow/2.2.4/kibana/visualization/netflow-f772028b-d5a6-4d55-b441-493871981a60.json deleted file mode 100755 index f92dadbfe2..0000000000 --- a/packages/netflow/2.2.4/kibana/visualization/netflow-f772028b-d5a6-4d55-b441-493871981a60.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Autonomous Systems (bytes) [Logs Netflow]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Bytes\",\"field\":\"network.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Autonomous System\",\"field\":\"destination.as.organization.name\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":50},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"}},\"title\":\"Autonomous Systems (bytes) [Logs Netflow]\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "netflow-f772028b-d5a6-4d55-b441-493871981a60", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/netflow/2.2.4/kibana/visualization/netflow-f7808e70-df2a-4532-a350-966704567c24.json b/packages/netflow/2.2.4/kibana/visualization/netflow-f7808e70-df2a-4532-a350-966704567c24.json deleted file mode 100755 index 55a143a303..0000000000 --- a/packages/netflow/2.2.4/kibana/visualization/netflow-f7808e70-df2a-4532-a350-966704567c24.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Destination and Source ASs (flow records) [Logs Netflow]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Flow Records\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Destination AS\",\"field\":\"destination.as.organization.name\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":50},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Source AS\",\"field\":\"source.as.organization.name\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":50},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"}},\"title\":\"Destination and Source ASs (flow records) [Logs Netflow]\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "netflow-f7808e70-df2a-4532-a350-966704567c24", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/netflow/2.2.4/kibana/visualization/netflow-f86a7769-8ef6-408d-bbe3-985d0ea0a3f7.json b/packages/netflow/2.2.4/kibana/visualization/netflow-f86a7769-8ef6-408d-bbe3-985d0ea0a3f7.json deleted file mode 100755 index d810abfa5a..0000000000 --- a/packages/netflow/2.2.4/kibana/visualization/netflow-f86a7769-8ef6-408d-bbe3-985d0ea0a3f7.json +++ /dev/null 
@@ -1,19 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Egress Interfaces (packets) [Logs Netflow]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"expression\":\".es(index=\\\"logs-*\\\", metric=\\\"sum:network.packets\\\", split=\\\"netflow.egress_interface:10\\\", kibana=true).scale_interval(1s).fit(mode=scale).if(operator=\\\"lt\\\", if=0, then=0).trim(start=2,end=1).label(regex=\\\"^.* netflow.egress_interface:(.+) \\u003e .*$\\\", label=\\\"$1\\\").lines(width=1, stack=true, fill=1).yaxis(label=\\\"packets / sec\\\", min=0)\",\"interval\":\"auto\"},\"title\":\"Egress Interfaces (packets) [Logs Netflow]\",\"type\":\"timelion\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "netflow-f86a7769-8ef6-408d-bbe3-985d0ea0a3f7", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/netflow/2.2.4/kibana/visualization/netflow-fd6c1144-5026-4795-b7af-a9aa3fc28c56.json b/packages/netflow/2.2.4/kibana/visualization/netflow-fd6c1144-5026-4795-b7af-a9aa3fc28c56.json deleted file mode 100755 index 8e5d47ad63..0000000000 --- a/packages/netflow/2.2.4/kibana/visualization/netflow-fd6c1144-5026-4795-b7af-a9aa3fc28c56.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Sources (bytes) [Logs Netflow]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Bytes\",\"field\":\"network.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Source\",\"field\":\"source.ip\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":50},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"}},\"title\":\"Sources (bytes) [Logs Netflow]\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "netflow-fd6c1144-5026-4795-b7af-a9aa3fc28c56", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/netflow/2.2.4/manifest.yml b/packages/netflow/2.2.4/manifest.yml deleted file mode 100755 index 3ed26b7e7d..0000000000 --- a/packages/netflow/2.2.4/manifest.yml +++ /dev/null 
@@ -1,23 +0,0 @@
-format_version: 1.0.0
-name: netflow
-title: NetFlow Records
-version: "2.2.4"
-license: basic
-description: Collect flow records from NetFlow and IPFIX exporters with Elastic Agent.
-type: integration
-categories:
- - network
- - security
-release: ga
-conditions:
- kibana.version: ^8.0.0
-policy_templates:
- - name: netflow
- title: NetFlow logs
- description: Collect Netflow logs from networks via UDP
- inputs:
- - type: netflow
- title: Collect NetFlow logs
- description: Collecting NetFlow logs using the netflow input
-owner:
- github: elastic/security-external-integrations
diff --git a/packages/okta/1.10.2/LICENSE.txt b/packages/okta/1.10.2/LICENSE.txt
deleted file mode 100755
index 809108b857..0000000000
--- a/packages/okta/1.10.2/LICENSE.txt
+++ /dev/null
@@ -1,93 +0,0 @@
-Elastic License 2.0
-
-URL: https://www.elastic.co/licensing/elastic-license
-
-## Acceptance
-
-By using the software, you agree to all of the terms and conditions below.
-
-## Copyright License
-
-The licensor grants you a non-exclusive, royalty-free, worldwide,
-non-sublicensable, non-transferable license to use, copy, distribute, make
-available, and prepare derivative works of the software, in each case subject to
-the limitations and conditions below.
-
-## Limitations
-
-You may not provide the software to third parties as a hosted or managed
-service, where the service provides users with access to any substantial set of
-the features or functionality of the software.
-
-You may not move, change, disable, or circumvent the license key functionality
-in the software, and you may not remove or obscure any functionality in the
-software that is protected by the license key.
-
-You may not alter, remove, or obscure any licensing, copyright, or other notices
-of the licensor in the software. Any use of the licensor’s trademarks is subject
-to applicable law.
-
-## Patents
-
-The licensor grants you a license, under any patent claims the licensor can
-license, or becomes able to license, to make, have made, use, sell, offer for
-sale, import and have imported the software, in each case subject to the
-limitations and conditions in this license. This license does not cover any
-patent claims that you cause to be infringed by modifications or additions to
-the software. If you or your company make any written claim that the software
-infringes or contributes to infringement of any patent, your patent license for
-the software granted under these terms ends immediately. If your company makes
-such a claim, your patent license ends immediately for work on behalf of your
-company.
-
-## Notices
-
-You must ensure that anyone who gets a copy of any part of the software from you
-also gets a copy of these terms.
-
-If you modify the software, you must include in any modified copies of the
-software prominent notices stating that you have modified the software.
-
-## No Other Rights
-
-These terms do not imply any licenses other than those expressly granted in
-these terms.
-
-## Termination
-
-If you use the software in violation of these terms, such use is not licensed,
-and your licenses will automatically terminate. If the licensor provides you
-with a notice of your violation, and you cease all violation of this license no
-later than 30 days after you receive that notice, your licenses will be
-reinstated retroactively. However, if you violate these terms after such
-reinstatement, any additional violation of these terms will cause your licenses
-to terminate automatically and permanently.
-
-## No Liability
-
-*As far as the law allows, the software comes as is, without any warranty or
-condition, and the licensor will not be liable to you for any damages arising
-out of these terms or the use or nature of the software, under any kind of
-legal claim.*
-
-## Definitions
-
-The **licensor** is the entity offering these terms, and the **software** is the
-software the licensor makes available under these terms, including any portion
-of it.
-
-**you** refers to the individual or entity agreeing to these terms.
-
-**your company** is any legal entity, sole proprietorship, or other kind of
-organization that you work for, plus all organizations that have control over,
-are under the control of, or are under common control with that
-organization. **control** means ownership of substantially all the assets of an
-entity, or the power to direct its management and policies by vote, contract, or
-otherwise. Control can be direct or indirect.
-
-**your licenses** are all the licenses granted to you for the software under
-these terms.
-
-**use** means anything you do with the software requiring one of your licenses.
-
-**trademark** means trademarks, service marks, and similar rights.
diff --git a/packages/okta/1.10.2/changelog.yml b/packages/okta/1.10.2/changelog.yml
deleted file mode 100755
index 770c9ecc50..0000000000
--- a/packages/okta/1.10.2/changelog.yml
+++ /dev/null
@@ -1,190 +0,0 @@ -# newer versions go on top -- version: "1.10.2" - changes: - - description: Use ECS geo.location definition. - type: enhancement - link: https://github.com/elastic/integrations/issues/4227 -- version: "1.10.1" - changes: - - description: Mark api_key config option as a required field - type: bugfix - link: https://github.com/elastic/integrations/pull/4127 -- version: "1.10.0" - changes: - - description: Update package to ECS 8.4.0 - type: enhancement - link: https://github.com/elastic/integrations/pull/3868 -- version: "1.9.2" - changes: - - description: Fix proxy URL documentation rendering. - type: bugfix - link: https://github.com/elastic/integrations/pull/3881 -- version: "1.9.1" - changes: - - description: Update package name and description to align with standard wording - type: enhancement - link: https://github.com/elastic/integrations/pull/3478 -- version: "1.9.0" - changes: - - description: Update package to ECS 8.3.0. - type: enhancement - link: https://github.com/elastic/integrations/pull/3353 -- version: "1.8.0" - changes: - - description: Add `okta.debug_context.debug_data.risk_level` field - type: enhancement - link: https://github.com/elastic/integrations/pull/3362 - - description: Add flattened `okta.debug_context.debug_data.flattened.log_only_security_data.*` fields - type: enhancement - link: https://github.com/elastic/integrations/pull/3362 - - description: Fix mapping type for `client.as.number` - type: bugfix - link: https://github.com/elastic/integrations/pull/3362 -- version: "1.7.0" - changes: - - description: Add flattened `okta.request.ip_chain.*` fields - type: enhancement - link: https://github.com/elastic/integrations/pull/3326 -- version: "1.6.0" - changes: - - description: Update to ECS 8.2 - type: enhancement - link: https://github.com/elastic/integrations/pull/2780 -- version: "1.5.2" - changes: - - description: Handle invalid values in client.ipAddress - type: bugfix - link: 
https://github.com/elastic/integrations/pull/3010 -- version: "1.5.1" - changes: - - description: Add documentation for multi-fields - type: enhancement - link: https://github.com/elastic/integrations/pull/2916 -- version: "1.5.0" - changes: - - description: Increase the limit for the number of results in an API response. - type: enhancement - link: https://github.com/elastic/integrations/pull/2791 -- version: "1.4.1" - changes: - - description: Add missing field mapping for event.created. - type: enhancement - link: https://github.com/elastic/integrations/pull/2774 -- version: "1.4.0" - changes: - - description: Update to ECS 8.0 - type: enhancement - link: https://github.com/elastic/integrations/pull/2428 -- version: "1.3.2" - changes: - - description: Regenerate test files using the new GeoIP database - type: bugfix - link: https://github.com/elastic/integrations/pull/2339 -- version: "1.3.1" - changes: - - description: Change test public IPs to the supported subset - type: bugfix - link: https://github.com/elastic/integrations/pull/2327 -- version: "1.3.0" - changes: - - description: Add 8.0.0 version constraint - type: enhancement - link: https://github.com/elastic/integrations/pull/2264 -- version: "1.2.3" - changes: - - description: Uniform with guidelines - type: enhancement - link: https://github.com/elastic/integrations/pull/2095 -- version: "1.2.2" - changes: - - description: Update Title and Description. 
- type: enhancement - link: https://github.com/elastic/integrations/pull/1977 -- version: "1.2.1" - changes: - - description: Fix logic that checks for the 'forwarded' tag - type: bugfix - link: https://github.com/elastic/integrations/pull/1838 -- version: "1.2.0" - changes: - - description: Update to ECS 1.12.0 - type: enhancement - link: https://github.com/elastic/integrations/pull/1638 -- version: "1.1.3" - changes: - - description: Add proxy config - type: enhancement - link: https://github.com/elastic/integrations/pull/1648 -- version: "1.1.2" - changes: - - description: Convert to generated ECS fields - type: enhancement - link: https://github.com/elastic/integrations/pull/1494 -- version: "1.1.1" - changes: - - description: update to ECS 1.11.0 - type: enhancement - link: https://github.com/elastic/integrations/pull/1403 -- version: "1.1.0" - changes: - - description: Update integration description - type: enhancement - link: https://github.com/elastic/integrations/pull/1364 -- version: "1.0.1" - changes: - - description: add missing `initial_interval` option to the manifest - type: bugfix - link: https://github.com/elastic/integrations/pull/1299 -- version: "1.0.0" - changes: - - description: make GA - type: enhancement - link: https://github.com/elastic/integrations/pull/1222 - - description: Set "event.module" and "event.dataset" - type: enhancement - link: https://github.com/elastic/integrations/pull/1222 -- version: "0.6.0" - changes: - - description: Update to ECS 1.10.0 and add event.original options - type: enhancement - link: https://github.com/elastic/integrations/pull/1067 -- version: "0.5.2" - changes: - - description: Add httpjson system tests and remove log input. 
- type: enhancement - link: https://github.com/elastic/integrations/pull/1034 -- version: "0.5.1" - changes: - - description: Make event.original optional - type: enhancement - link: https://github.com/elastic/integrations/pull/1009 -- version: "0.5.0" - changes: - - description: change okta.target to flattened type - type: enhancement - link: https://github.com/elastic/integrations/pull/899 -- version: "0.4.2" - changes: - - description: add fail_on_template_error on pagination - type: bugfix - link: https://github.com/elastic/integrations/pull/901 -- version: "0.4.1" - changes: - - description: update to ECS 1.9.0 - type: enhancement - link: https://github.com/elastic/integrations/pull/861 -- version: "0.4.0" - changes: - - description: Moves edge processing to ingest pipeline - type: enhancement - link: https://github.com/elastic/integrations/pull/759/ -- version: "0.3.1" - changes: - - description: Change kibana.version constraint to be more conservative. - type: bugfix - link: https://github.com/elastic/integrations/pull/749 -- version: "0.1.0" - changes: - - description: initial release - type: enhancement # can be one of: enhancement, bugfix, breaking-change - link: https://github.com/elastic/integrations/pull/232 diff --git a/packages/okta/1.10.2/data_stream/system/agent/stream/httpjson.yml.hbs b/packages/okta/1.10.2/data_stream/system/agent/stream/httpjson.yml.hbs deleted file mode 100755 index 24a3d77d72..0000000000 --- a/packages/okta/1.10.2/data_stream/system/agent/stream/httpjson.yml.hbs +++ /dev/null 
@@ -1,56 +0,0 @@ -config_version: "2" -interval: {{interval}} -request.method: "GET" - -{{#if url}} -request.url: {{url}} -{{/if}} -{{#if ssl}} -request.ssl: {{ssl}} -{{/if}} -{{#if http_client_timeout}} -request.timeout: {{http_client_timeout}} -{{/if}} -{{#if proxy_url }} -request.proxy_url: {{proxy_url}} -{{/if}} - -request.rate_limit: - limit: '[[.last_response.header.Get "X-Rate-Limit-Limit"]]' - remaining: '[[.last_response.header.Get "X-Rate-Limit-Remaining"]]' - reset: '[[.last_response.header.Get "X-Rate-Limit-Reset"]]' -request.transforms: - - set: - target: header.Authorization - value: "SSWS {{api_key}}" - - set: - target: url.params.limit - value: '1000' - - set: - target: url.params.since - value: "[[.cursor.published]]" - default: '[[formatDate (now (parseDuration "-{{initial_interval}}")) "RFC3339"]]' -response.pagination: - - set: - target: url.value - value: '[[ getRFC5988Link "next" .last_response.header.Link ]]' - fail_on_template_error: true - -cursor: - published: - value: "[[.last_event.published]]" - -tags: -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#each tags as |tag i|}} - - {{tag}} -{{/each}} -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} -{{#if processors}} -processors: -{{processors}} -{{/if}} diff --git a/packages/okta/1.10.2/data_stream/system/elasticsearch/ingest_pipeline/default.yml b/packages/okta/1.10.2/data_stream/system/elasticsearch/ingest_pipeline/default.yml deleted file mode 100755 index 0d7fa155cd..0000000000 --- a/packages/okta/1.10.2/data_stream/system/elasticsearch/ingest_pipeline/default.yml +++ /dev/null 
@@ -1,628 +0,0 @@ ---- -description: Pipeline for Okta system logs. -processors: - - set: - field: ecs.version - value: '8.4.0' - - rename: - field: message - target_field: event.original - - json: - field: event.original - target_field: json - - script: - description: Drops null/empty values recursively - lang: painless - source: | - boolean drop(Object o) { - if (o == null || o == "") { - return true; - } else if (o instanceof Map) { - ((Map) o).values().removeIf(v -> drop(v)); - return (((Map) o).size() == 0); - } else if (o instanceof List) { - ((List) o).removeIf(v -> drop(v)); - return (((List) o).length == 0); - } - return false; - } - drop(ctx); - - convert: - field: json.uuid - target_field: _id - type: string - ignore_failure: true - if: ctx?.json?.uuid != null && ctx?.json?.uuid != "" - - date: - field: json.published - formats: - - ISO8601 - ignore_failure: true - - set: - field: event.kind - value: event - - rename: - field: json.displayMessage - target_field: okta.display_message - ignore_missing: true - ignore_failure: true - - rename: - field: json.eventType - target_field: okta.event_type - ignore_missing: true - ignore_failure: true - - append: - field: event.category - value: iam - if: | - ["group.user_membership.add","group.user_membership.remove", - "user.lifecycle.activate","user.lifecycle.create", - "user.lifecycle.deactivate","user.lifecycle.suspend", - "user.lifecycle.unsuspend"].contains(ctx?.okta?.event_type) - - append: - field: event.category - value: configuration - if: | - ["policy.lifecycle.activate","policy.lifecycle.create", - "policy.lifecycle.deactivate","policy.lifecycle.delete", - "policy.lifecycle.update","policy.rule.activate","policy.rule.add", - "policy.rule.deactivate","policy.rule.delete", - "application.lifecycle.create","application.lifecycle.delete", - "policy.rule.update","application.lifecycle.activate", - "application.lifecycle.deactivate","application.lifecycle.update"].contains(ctx?.okta?.event_type) - - append: - 
field: event.category - value: authentication - if: '["user.session.start","user.session.end","user.authentication.sso","policy.evaluate_sign_on"].contains(ctx?.okta?.event_type)' - - append: - field: event.category - value: session - if: '["user.session.start","user.session.end"].contains(ctx?.okta?.event_type)' - - append: - field: event.type - value: info - if: | - ["system.org.rate_limit.warning","system.org.rate_limit.violation", - "core.concurrency.org.limit.violation"].contains(ctx?.okta?.event_type) - - append: - field: event.type - value: network - if: '["security.request.blocked"].contains(ctx?.okta?.event_type)' - - append: - field: event.type - value: network - if: | - ["system.org.rate_limit.warning","system.org.rate_limit.violation", - "core.concurrency.org.limit.violation","security.request.blocked"].contains(ctx?.okta?.event_type) - - append: - field: event.type - value: start - if: '["user.session.start"].contains(ctx?.okta?.event_type)' - - append: - field: event.type - value: end - if: '["user.session.end"].contains(ctx?.okta?.event_type)' - - append: - field: event.type - value: group - if: '["group.user_membership.add","group.user_membership.remove"].contains(ctx?.okta?.event_type)' - - append: - field: event.type - value: user - if: | - ["user.lifecycle.activate","user.lifecycle.create", - "user.lifecycle.deactivate","user.lifecycle.suspend", - "user.lifecycle.unsuspend","user.authentication.sso", - "user.session.start","user.session.end","application.user_membership.add", - "application.user_membership.remove","application.user_membership.change_username"].contains(ctx?.okta?.event_type) - - append: - field: event.type - value: change - if: | - ["user.lifecycle.activate","user.lifecycle.deactivate", - "user.lifecycle.suspend","user.lifecycle.unsuspend", - "group.user_membership.add","group.user_membership.remove", - "policy.lifecycle.activate","policy.lifecycle.deactivate", - "policy.lifecycle.update","policy.rule.activate","policy.rule.add", 
- "policy.rule.deactivate","policy.rule.update","application.user_membership.add", - "application.user_membership.remove","application.user_membership.change_username"].contains(ctx?.okta?.event_type) - - append: - field: event.type - value: creation - if: '["user.lifecycle.create","policy.lifecycle.create","application.lifecycle.create"].contains(ctx?.okta?.event_type)' - - append: - field: event.type - value: deletion - if: '["policy.lifecycle.delete","application.lifecycle.delete"].contains(ctx?.okta?.event_type)' - - append: - field: event.type - value: info - if: '["policy.evaluate_sign_on"].contains(ctx?.okta?.event_type)' - - rename: - field: json.uuid - target_field: okta.uuid - ignore_missing: true - ignore_failure: true - - rename: - field: json.actor.alternateId - target_field: okta.actor.alternate_id - ignore_missing: true - ignore_failure: true - - rename: - field: json.actor.displayName - target_field: okta.actor.display_name - ignore_missing: true - ignore_failure: true - - rename: - field: json.actor.id - target_field: okta.actor.id - ignore_missing: true - ignore_failure: true - - rename: - field: json.actor.type - target_field: okta.actor.type - ignore_missing: true - ignore_failure: true - - rename: - field: json.client.device - target_field: okta.client.device - ignore_missing: true - ignore_failure: true - - rename: - field: json.client.geographicalContext.geolocation - target_field: client.geo.location - ignore_missing: true - ignore_failure: true - - rename: - field: json.client.geographicalContext.city - target_field: client.geo.city_name - ignore_missing: true - ignore_failure: true - - rename: - field: json.client.geographicalContext.state - target_field: client.geo.region_name - ignore_missing: true - ignore_failure: true - - rename: - field: json.client.geographicalContext.country - target_field: client.geo.country_name - ignore_missing: true - ignore_failure: true - - rename: - field: json.client.id - target_field: okta.client.id - 
ignore_missing: true - ignore_failure: true - - convert: - field: json.client.ipAddress - target_field: okta.client.ip - type: ip - ignore_missing: true - ignore_failure: true - - rename: - field: json.client.userAgent.browser - target_field: okta.client.user_agent.browser - ignore_missing: true - ignore_failure: true - - rename: - field: json.client.userAgent.os - target_field: okta.client.user_agent.os - ignore_missing: true - ignore_failure: true - - rename: - field: json.client.userAgent.rawUserAgent - target_field: okta.client.user_agent.raw_user_agent - ignore_missing: true - ignore_failure: true - - rename: - field: json.client.zone - target_field: okta.client.zone - ignore_missing: true - ignore_failure: true - - rename: - field: json.outcome.reason - target_field: okta.outcome.reason - ignore_missing: true - ignore_failure: true - - rename: - field: json.outcome.result - target_field: okta.outcome.result - ignore_missing: true - ignore_failure: true - - rename: - field: json.target - target_field: okta.target - ignore_missing: true - ignore_failure: true - - rename: - field: json.transaction.id - target_field: okta.transaction.id - ignore_missing: true - ignore_failure: true - - rename: - field: json.transaction.type - target_field: okta.transaction.type - ignore_missing: true - ignore_failure: true - - set: - field: okta.debug_context.debug_data.flattened - copy_from: json.debugContext.debugData - ignore_failure: true - - json: - field: okta.debug_context.debug_data.flattened.logOnlySecurityData - ignore_failure: true - - dissect: - field: okta.debug_context.debug_data.flattened.behaviors - pattern: "{%{okta.debug_context.debug_data.flattened.behaviors}}" - ignore_missing: true - ignore_failure: true - - kv: - field: okta.debug_context.debug_data.flattened.behaviors - field_split: ", " - value_split: "=" - target_field: _behaviors_object - if: ctx.okta?.debug_context?.debug_data?.flattened?.behaviors != null - - remove: - field: 
okta.debug_context.debug_data.flattened.behaviors - if: ctx._behaviors_object != null - - rename: - field: _behaviors_object - target_field: okta.debug_context.debug_data.flattened.behaviors - ignore_missing: true - ignore_failure: true - - dissect: - field: okta.debug_context.debug_data.flattened.risk - pattern: "{%{okta.debug_context.debug_data.flattened.risk}}" - ignore_missing: true - ignore_failure: true - - kv: - field: okta.debug_context.debug_data.flattened.risk - field_split: ", " - value_split: "=" - target_field: _risk_object - if: ctx.okta?.debug_context?.debug_data?.flattened?.risk != null - - remove: - field: okta.debug_context.debug_data.flattened.risk - if: ctx._risk_object != null - - rename: - field: _risk_object - target_field: okta.debug_context.debug_data.flattened.risk - ignore_missing: true - ignore_failure: true - - rename: - field: json.debugContext.debugData.deviceFingerprint - target_field: okta.debug_context.debug_data.device_fingerprint - ignore_missing: true - ignore_failure: true - - rename: - field: json.debugContext.debugData.requestId - target_field: okta.debug_context.debug_data.request_id - ignore_missing: true - ignore_failure: true - - rename: - field: json.debugContext.debugData.requestUri - target_field: okta.debug_context.debug_data.request_uri - ignore_missing: true - ignore_failure: true - - rename: - field: json.debugContext.debugData.threatSuspected - target_field: okta.debug_context.debug_data.threat_suspected - ignore_missing: true - ignore_failure: true - - rename: - field: json.debugContext.debugData.url - target_field: okta.debug_context.debug_data.url - ignore_missing: true - ignore_failure: true - - set: - field: okta.debug_context.debug_data.risk_level - value: "{{{okta.debug_context.debug_data.flattened.logOnlySecurityData.risk.level}}}" - if: 'ctx.okta?.debug_context?.debug_data?.flattened?.logOnlySecurityData?.risk?.level != null && 
ctx.okta?.debug_context?.debug_data?.flattened?.logOnlySecurityData?.risk?.level != ""' - - set: - field: okta.debug_context.debug_data.risk_level - value: "{{{okta.debug_context.debug_data.flattened.risk.level}}}" - if: 'ctx.okta?.debug_context?.debug_data?.risk_level == null && ctx.okta?.debug_context?.debug_data?.flattened?.risk != null && ctx.okta?.debug_context?.debug_data?.flattened?.risk != ""' - - rename: - field: json.authenticationContext.authenticationProvider - target_field: okta.authentication_context.authentication_provider - ignore_missing: true - ignore_failure: true - - rename: - field: json.authenticationContext.authenticationStep - target_field: okta.authentication_context.authentication_step - ignore_missing: true - ignore_failure: true - - rename: - field: json.authenticationContext.credentialProvider - target_field: okta.authentication_context.credential_provider - ignore_missing: true - ignore_failure: true - - rename: - field: json.authenticationContext.credentialType - target_field: okta.authentication_context.credential_type - ignore_missing: true - ignore_failure: true - - rename: - field: json.authenticationContext.externalSessionId - target_field: okta.authentication_context.external_session_id - ignore_missing: true - ignore_failure: true - - rename: - field: json.authenticationContext.interface - target_field: okta.authentication_context.authentication_provider - ignore_missing: true - ignore_failure: true - - rename: - field: json.authenticationContext.issuer - target_field: okta.authentication_context.issuer - ignore_missing: true - ignore_failure: true - - rename: - field: json.securityContext.asNumber - target_field: okta.security_context.as.number - ignore_missing: true - ignore_failure: true - - rename: - field: json.securityContext.asOrg - target_field: okta.security_context.as.organization.name - ignore_missing: true - ignore_failure: true - - rename: - field: json.securityContext.domain - target_field: 
okta.security_context.domain - ignore_missing: true - ignore_failure: true - - rename: - field: json.securityContext.isProxy - target_field: okta.security_context.is_proxy - ignore_missing: true - ignore_failure: true - - rename: - field: json.securityContext.isp - target_field: okta.security_context.isp - ignore_missing: true - ignore_failure: true - - rename: - field: json.request.ipChain - target_field: okta.request.ip_chain - ignore_missing: true - ignore_failure: true - - foreach: - field: okta.request.ip_chain - processor: - rename: - field: _ingest._value.geographicalContext - target_field: _ingest._value.geographical_context - ignore_missing: true - ignore_failure: true - ignore_missing: true - - foreach: - field: okta.request.ip_chain - processor: - rename: - field: _ingest._value.geographical_context.postalCode - target_field: _ingest._value.geographical_context.postal_code - ignore_missing: true - ignore_failure: true - ignore_missing: true - - convert: - field: okta.client.user_agent.raw_user_agent - target_field: user_agent.original - type: string - ignore_failure: true - - set: - field: client.ip - copy_from: okta.client.ip - if: ctx?.okta?.client?.ip != null - - set: - field: source.ip - copy_from: okta.client.ip - if: ctx?.okta?.client?.ip != null - - convert: - field: okta.event_type - target_field: event.action - type: string - ignore_failure: true - - convert: - field: okta.security_context.as.organization.name - target_field: client.as.organization.name - type: string - ignore_failure: true - - convert: - field: okta.security_context.domain - target_field: client.domain - type: string - ignore_failure: true - - convert: - field: okta.security_context.domain - target_field: source.domain - type: string - ignore_failure: true - - convert: - field: okta.uuid - target_field: event.id - type: string - ignore_failure: true - - lowercase: - field: okta.outcome.result - target_field: okta.outcome.result_lower - ignore_missing: true - - set: - field: 
event.outcome - value: success - if: ctx?.okta?.outcome?.result_lower != null && (ctx?.okta?.outcome?.result_lower == "success" || ctx?.okta?.outcome?.result_lower == "allow") - - set: - field: event.outcome - value: failure - if: ctx?.okta?.outcome?.result_lower != null && (ctx?.okta?.outcome?.result_lower == "failure" || ctx?.okta?.outcome?.result_lower == "deny") - - set: - field: event.outcome - value: unknown - if: ctx?.event?.outcome == null - - remove: - field: okta.outcome.result_lower - ignore_missing: true - - script: - lang: painless - source: | - def arr = ctx?.okta?.target; - if (arr != null) { - for (def i = 0; i < arr.length; i++) { - arr[i]["alternate_id"] = arr[i]["alternateId"]; - arr[i].remove("alternateId"); - arr[i]["display_name"] = arr[i]["displayName"]; - arr[i].remove("displayName"); - arr[i].remove("detailEntry"); - } - } - - script: - lang: painless - source: | - def arr = ctx?.okta?.target; - if (arr != null) { - for (def i = 0; i < arr.length; i++) { - if (arr[i]["type"].toLowerCase().contains("user")) { - ctx["okta_target_user"] = arr[i]; - break; - } - } - } - if: ctx?.okta?.event_type != null && ctx?.okta?.event_type.contains("user.") - - script: - lang: painless - source: | - def arr = ctx?.okta?.target; - if (arr != null) { - for (def i = 0; i < arr.length; i++) { - if (arr[i]["type"].toLowerCase().contains("group")) { - ctx["okta_target_group"] = arr[i]; - break; - } - } - } - if: ctx?.okta?.event_type != null && ctx?.okta?.event_type.contains("group.") - - rename: - field: okta_target_user.display_name - target_field: user.target.full_name - ignore_missing: true - - rename: - field: okta_target_user.id - target_field: user.target.id - ignore_missing: true - - rename: - field: okta_target_user.login - target_field: user.target.email - ignore_missing: true - - rename: - field: okta_target_group.display_name - target_field: user.target.group.name - ignore_missing: true - - rename: - field: okta_target_group.id - target_field: 
user.target.group.id - ignore_missing: true - - remove: - field: - - okta_target_user - - okta_target_group - ignore_missing: true - - set: - field: client.user.id - value: "{{okta.actor.id}}" - ignore_empty_value: true - if: ctx?.okta?.actor?.id != null - - set: - field: source.user.id - value: "{{okta.actor.id}}" - ignore_empty_value: true - if: ctx?.okta?.actor?.id != null - - set: - field: client.user.full_name - value: "{{okta.actor.display_name}}" - ignore_empty_value: true - if: ctx?.okta?.actor?.display_name != null - - set: - field: source.user.full_name - value: "{{okta.actor.display_name}}" - ignore_empty_value: true - if: ctx?.okta?.actor?.display_name != null - - set: - field: user.full_name - value: "{{okta.actor.display_name}}" - ignore_empty_value: true - if: ctx?.okta?.actor?.display_name != null - - append: - field: related.user - value: "{{okta.actor.display_name}}" - allow_duplicates: false - if: ctx?.okta?.actor?.display_name != null - - append: - field: related.user - value: "{{user.target.full_name}}" - allow_duplicates: false - if: ctx?.user?.target?.full_name != null - - append: - field: related.ip - value: "{{source.ip}}" - allow_duplicates: false - if: ctx?.source?.ip != null - - append: - field: related.ip - value: "{{destination.ip}}" - allow_duplicates: false - if: ctx?.destination?.ip != null - - remove: - field: json - ignore_missing: true - - user_agent: - field: user_agent.original - ignore_missing: true - - geoip: - field: source.ip - target_field: source.geo - ignore_missing: true - - geoip: - field: destination.ip - target_field: destination.geo - ignore_missing: true - - geoip: - database_file: GeoLite2-ASN.mmdb - field: source.ip - target_field: source.as - properties: - - asn - - organization_name - ignore_missing: true - - geoip: - database_file: GeoLite2-ASN.mmdb - field: destination.ip - target_field: destination.as - properties: - - asn - - organization_name - ignore_missing: true - - rename: - field: source.as.asn - 
target_field: source.as.number - ignore_missing: true - - rename: - field: source.as.organization_name - target_field: source.as.organization.name - ignore_missing: true - - rename: - field: destination.as.asn - target_field: destination.as.number - ignore_missing: true - - rename: - field: destination.as.organization_name - target_field: destination.as.organization.name - ignore_missing: true - - remove: - field: event.original - if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" - ignore_failure: true - ignore_missing: true -on_failure: - - set: - field: error.message - value: "{{ _ingest.on_failure_message }}" diff --git a/packages/okta/1.10.2/data_stream/system/fields/agent.yml b/packages/okta/1.10.2/data_stream/system/fields/agent.yml deleted file mode 100755 index da4e652c53..0000000000 --- a/packages/okta/1.10.2/data_stream/system/fields/agent.yml +++ /dev/null 
@@ -1,198 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/okta/1.10.2/data_stream/system/fields/base-fields.yml b/packages/okta/1.10.2/data_stream/system/fields/base-fields.yml
deleted file mode 100755
index 915728ae0c..0000000000
--- a/packages/okta/1.10.2/data_stream/system/fields/base-fields.yml
+++ /dev/null
@@ -1,20 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset name.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: event.module
- type: constant_keyword
- description: Event module
- value: okta
-- name: event.dataset
- type: constant_keyword
- description: Event dataset
- value: okta.system
-- name: "@timestamp"
- type: date
- description: Event timestamp.
diff --git a/packages/okta/1.10.2/data_stream/system/fields/beats.yml b/packages/okta/1.10.2/data_stream/system/fields/beats.yml
deleted file mode 100755
index cb44bb2944..0000000000
--- a/packages/okta/1.10.2/data_stream/system/fields/beats.yml
+++ /dev/null
@@ -1,12 +0,0 @@
-- name: input.type
- type: keyword
- description: Type of Filebeat input.
-- name: log.flags
- type: keyword
- description: Flags for the log file.
-- name: log.offset
- type: long
- description: Offset of the entry in the log file.
-- name: log.file.path
- type: keyword
- description: Path to the log file.
diff --git a/packages/okta/1.10.2/data_stream/system/fields/ecs.yml b/packages/okta/1.10.2/data_stream/system/fields/ecs.yml
deleted file mode 100755
index d527f2389d..0000000000
--- a/packages/okta/1.10.2/data_stream/system/fields/ecs.yml
+++ /dev/null
@@ -1,307 +0,0 @@ -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: client.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: client.as.organization.name - type: keyword -- description: |- - The domain name of the client system. - This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. - name: client.domain - type: keyword -- description: City name. - name: client.geo.city_name - type: keyword -- description: Country name. - name: client.geo.country_name - type: keyword -- description: Longitude and latitude. - name: client.geo.location - type: geo_point -- description: Region name. - name: client.geo.region_name - type: keyword -- description: IP address of the client (IPv4 or IPv6). - name: client.ip - type: ip -- description: User's full name, if available. - multi_fields: - - name: text - type: match_only_text - name: client.user.full_name - type: keyword -- description: Unique identifier of the user. - name: client.user.id - type: keyword -- description: Unique container id. - name: container.id - type: keyword -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: destination.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: destination.as.organization.name - type: keyword -- description: City name. - name: destination.geo.city_name - type: keyword -- description: Name of the continent. - name: destination.geo.continent_name - type: keyword -- description: Country ISO code. - name: destination.geo.country_iso_code - type: keyword -- description: Country name. 
- name: destination.geo.country_name - type: keyword -- description: Longitude and latitude. - name: destination.geo.location - type: geo_point -- description: |- - User-defined description of a location, at the level of granularity they care about. - Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. - Not typically used in automated geolocation. - name: destination.geo.name - type: keyword -- description: Region ISO code. - name: destination.geo.region_iso_code - type: keyword -- description: Region name. - name: destination.geo.region_name - type: keyword -- description: IP address of the destination (IPv4 or IPv6). - name: destination.ip - type: ip -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: Error message. - name: error.message - type: match_only_text -- description: |- - The action captured by the event. - This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. - name: event.action - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. This will allow proper categorization of some events that fall in multiple categories. 
- name: event.category - normalize: - - array - type: keyword -- description: |- - event.created contains the date/time when the event was first read by an agent, or by your pipeline. - This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. - In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. - In case the two timestamps are identical, @timestamp should be used. - name: event.created - type: date -- description: Unique ID to describe the event. - name: event.id - type: keyword -- description: |- - Timestamp when an event arrived in the central data store. - This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. - In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. - name: event.ingested - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: |- - Raw text message of entire event. 
Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. - This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. - doc_values: false - index: false - name: event.original - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. - `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. - Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. - Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. - Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. - name: event.outcome - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. - `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. This will allow proper categorization of some events that fall in multiple event types. 
- name: event.type - normalize: - - array - type: keyword -- description: |- - For log events the message field contains the log message, optimized for viewing in a log viewer. - For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. - If multiple messages exist, they can be combined into one message. - name: message - type: match_only_text -- description: All of the IPs seen on your event. - name: related.ip - normalize: - - array - type: ip -- description: All the user names or other user identifiers seen on the event. - name: related.user - normalize: - - array - type: keyword -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: source.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: source.as.organization.name - type: keyword -- description: |- - The domain name of the source system. - This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. - name: source.domain - type: keyword -- description: City name. - name: source.geo.city_name - type: keyword -- description: Name of the continent. - name: source.geo.continent_name - type: keyword -- description: Country ISO code. - name: source.geo.country_iso_code - type: keyword -- description: Country name. - name: source.geo.country_name - type: keyword -- description: Longitude and latitude. - name: source.geo.location - type: geo_point -- description: |- - User-defined description of a location, at the level of granularity they care about. - Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. - Not typically used in automated geolocation. 
- name: source.geo.name - type: keyword -- description: Region ISO code. - name: source.geo.region_iso_code - type: keyword -- description: Region name. - name: source.geo.region_name - type: keyword -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: User's full name, if available. - multi_fields: - - name: text - type: match_only_text - name: source.user.full_name - type: keyword -- description: Unique identifier of the user. - name: source.user.id - type: keyword -- description: List of keywords used to tag each event. - name: tags - normalize: - - array - type: keyword -- description: |- - Name of the directory the user is a member of. - For example, an LDAP or Active Directory domain name. - name: user.domain - type: keyword -- description: User email address. - name: user.email - type: keyword -- description: User's full name, if available. - multi_fields: - - name: text - type: match_only_text - name: user.full_name - type: keyword -- description: Unique identifier of the user. - name: user.id - type: keyword -- description: Short name or login of the user. - multi_fields: - - name: text - type: match_only_text - name: user.name - type: keyword -- description: |- - Name of the directory the user is a member of. - For example, an LDAP or Active Directory domain name. - name: user.target.domain - type: keyword -- description: User email address. - name: user.target.email - type: keyword -- description: User's full name, if available. - multi_fields: - - name: text - type: match_only_text - name: user.target.full_name - type: keyword -- description: |- - Name of the directory the group is a member of. - For example, an LDAP or Active Directory domain name. - name: user.target.group.domain - type: keyword -- description: Unique identifier for the group on the system/platform. - name: user.target.group.id - type: keyword -- description: Name of the group. 
- name: user.target.group.name - type: keyword -- description: Unique identifier of the user. - name: user.target.id - type: keyword -- description: Short name or login of the user. - multi_fields: - - name: text - type: match_only_text - name: user.target.name - type: keyword -- description: Name of the device. - name: user_agent.device.name - type: keyword -- description: Name of the user agent. - name: user_agent.name - type: keyword -- description: Unparsed user_agent string. - multi_fields: - - name: text - type: match_only_text - name: user_agent.original - type: keyword -- description: Operating system name, including the version or code name. - multi_fields: - - name: text - type: match_only_text - name: user_agent.os.full - type: keyword -- description: Operating system name, without the version. - multi_fields: - - name: text - type: match_only_text - name: user_agent.os.name - type: keyword -- description: Operating system version as a raw string. - name: user_agent.os.version - type: keyword -- description: Version of the user agent. - name: user_agent.version - type: keyword diff --git a/packages/okta/1.10.2/data_stream/system/fields/fields.yml b/packages/okta/1.10.2/data_stream/system/fields/fields.yml deleted file mode 100755 index 88055c4d48..0000000000 --- a/packages/okta/1.10.2/data_stream/system/fields/fields.yml +++ /dev/null 
@@ -1,270 +0,0 @@ -- name: okta.uuid - title: UUID - type: keyword - description: | - The unique identifier of the Okta LogEvent. -- name: okta.event_type - title: Event Type - type: keyword - description: | - The type of the LogEvent. -- name: okta.version - title: Version - type: keyword - description: | - The version of the LogEvent. -- name: okta.severity - title: Severity - type: keyword - description: | - The severity of the LogEvent. Must be one of DEBUG, INFO, WARN, or ERROR. -- name: okta.display_message - title: Display Message - type: keyword - description: | - The display message of the LogEvent. -- name: okta.actor - title: Actor - type: group - fields: - - name: id - type: keyword - description: | - Identifier of the actor. - - name: type - type: keyword - description: | - Type of the actor. - - name: alternate_id - type: keyword - description: | - Alternate identifier of the actor. - - name: display_name - type: keyword - description: | - Display name of the actor. -- name: okta.client - title: Client - type: group - fields: - - name: ip - type: ip - description: | - The IP address of the client. - - name: user_agent - type: group - fields: - - name: raw_user_agent - type: keyword - description: | - The raw informaton of the user agent. - - name: os - type: keyword - description: | - The OS informaton. - - name: browser - type: keyword - description: | - The browser informaton of the client. - - name: zone - type: keyword - description: | - The zone information of the client. - - name: device - type: keyword - description: | - The information of the client device. - - name: id - type: keyword - description: | - The identifier of the client. -- name: okta.outcome - title: Outcome of the LogEvent. - type: group - fields: - - name: reason - type: keyword - description: | - The reason of the outcome. - - name: result - type: keyword - description: | - The result of the outcome. Must be one of: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN. 
-- name: okta.target - title: Target - type: flattened - description: | - The list of targets. - fields: - - name: id - type: keyword - description: | - Identifier of the actor. - - name: type - type: keyword - description: | - Type of the actor. - - name: alternate_id - type: keyword - description: | - Alternate identifier of the actor. - - name: display_name - type: keyword - description: | - Display name of the actor. -- name: okta.transaction - title: Transaction - type: group - fields: - - name: id - type: keyword - description: | - Identifier of the transaction. - - name: type - type: keyword - description: | - The type of transaction. Must be one of "WEB", "JOB". -- name: okta.debug_context - title: Debug Context - type: group - fields: - - name: debug_data - type: group - fields: - - name: device_fingerprint - type: keyword - description: | - The fingerprint of the device. - - name: request_id - type: keyword - description: | - The identifier of the request. - - name: request_uri - type: keyword - description: | - The request URI. - - name: threat_suspected - type: keyword - description: | - Threat suspected. - - name: risk_level - type: keyword - description: | - The risk level assigned to the sign in attempt. - - name: url - type: keyword - description: | - The URL. - - name: flattened - type: flattened - description: | - The complete debug_data object. -- name: okta.authentication_context - title: Authentication Context - type: group - fields: - - name: authentication_provider - type: keyword - description: | - The information about the authentication provider. Must be one of OKTA_AUTHENTICATION_PROVIDER, ACTIVE_DIRECTORY, LDAP, FEDERATION, SOCIAL, FACTOR_PROVIDER. - - name: authentication_step - type: integer - description: | - The authentication step. - - name: credential_provider - type: keyword - description: | - The information about credential provider. Must be one of OKTA_CREDENTIAL_PROVIDER, RSA, SYMANTEC, GOOGLE, DUO, YUBIKEY. 
- - name: credential_type - type: keyword - description: | - The information about credential type. Must be one of OTP, SMS, PASSWORD, ASSERTION, IWA, EMAIL, OAUTH2, JWT, CERTIFICATE, PRE_SHARED_SYMMETRIC_KEY, OKTA_CLIENT_SESSION, DEVICE_UDID. - - name: issuer - type: array - description: | - The information about the issuer. - fields: - - name: id - type: keyword - description: | - The identifier of the issuer. - - name: type - type: keyword - description: | - The type of the issuer. - - name: external_session_id - type: keyword - description: | - The session identifer of the external session if any. - - name: interface - type: keyword - description: | - The interface used. e.g., Outlook, Office365, wsTrust -- name: okta.security_context - title: Security Context - type: group - fields: - - name: as - type: group - fields: - - name: number - type: integer - description: | - The AS number. - - name: organization - type: group - fields: - - name: name - type: keyword - description: | - The organization name. - - name: isp - type: keyword - description: | - The Internet Service Provider. - - name: domain - type: keyword - description: | - The domain name. - - name: is_proxy - type: boolean - description: | - Whether it is a proxy or not. -- name: okta.request - title: Request - type: group - fields: - - name: ip_chain - type: flattened - fields: - - name: ip - type: ip - description: | - IP address. - - name: version - type: keyword - description: | - IP version. Must be one of V4, V6. - - name: source - type: keyword - description: | - Source information. - - name: geographical_context - type: group - fields: - - name: city - type: keyword - description: The city. - - name: state - type: keyword - description: The state. - - name: postal_code - type: keyword - description: The postal code. - - name: country - type: keyword - description: The country. - - name: geolocation - type: geo_point - description: | - Geolocation information. 
diff --git a/packages/okta/1.10.2/data_stream/system/manifest.yml b/packages/okta/1.10.2/data_stream/system/manifest.yml deleted file mode 100755 index 442cc16cd2..0000000000 --- a/packages/okta/1.10.2/data_stream/system/manifest.yml +++ /dev/null @@ -1,34 +0,0 @@ -type: logs -title: Okta system logs -streams: - - input: httpjson - vars: - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: false - default: - - forwarded - - okta-system - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original` - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: > - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. - - template_path: httpjson.yml.hbs - title: Okta system logs - description: Collect Okta system logs diff --git a/packages/okta/1.10.2/data_stream/system/sample_event.json b/packages/okta/1.10.2/data_stream/system/sample_event.json deleted file mode 100755 index e048970ffb..0000000000 --- a/packages/okta/1.10.2/data_stream/system/sample_event.json +++ /dev/null 
@@ -1,163 +0,0 @@ -{ - "@timestamp": "2020-02-14T20:18:57.718Z", - "agent": { - "ephemeral_id": "3347d5a2-0d81-41c5-8cbf-a69aebcdb56a", - "id": "dbc761fd-dec4-4bc7-acec-8e5cb02a0cb6", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "8.2.1" - }, - "client": { - "geo": { - "city_name": "Dublin", - "country_name": "United States", - "location": { - "lat": 37.7201, - "lon": -121.919 - }, - "region_name": "California" - }, - "ip": "108.255.197.247", - "user": { - "full_name": "xxxxxx", - "id": "00u1abvz4pYqdM8ms4x6" - } - }, - "data_stream": { - "dataset": "okta.system", - "namespace": "ep", - "type": "logs" - }, - "ecs": { - "version": "8.3.0" - }, - "elastic_agent": { - "id": "dbc761fd-dec4-4bc7-acec-8e5cb02a0cb6", - "snapshot": true, - "version": "8.2.1" - }, - "event": { - "action": "user.session.start", - "agent_id_status": "verified", - "category": [ - "authentication", - "session" - ], - "created": "2022-05-18T08:57:39.484Z", - "dataset": "okta.system", - "id": "3aeede38-4f67-11ea-abd3-1f5d113f2546", - "ingested": "2022-05-18T08:57:40Z", - "kind": "event", - "original": "{\"actor\":{\"alternateId\":\"xxxxxx@elastic.co\",\"detailEntry\":null,\"displayName\":\"xxxxxx\",\"id\":\"00u1abvz4pYqdM8ms4x6\",\"type\":\"User\"},\"authenticationContext\":{\"authenticationProvider\":null,\"authenticationStep\":0,\"credentialProvider\":null,\"credentialType\":null,\"externalSessionId\":\"102bZDNFfWaQSyEZQuDgWt-uQ\",\"interface\":null,\"issuer\":null},\"client\":{\"device\":\"Computer\",\"geographicalContext\":{\"city\":\"Dublin\",\"country\":\"United States\",\"geolocation\":{\"lat\":37.7201,\"lon\":-121.919},\"postalCode\":\"94568\",\"state\":\"California\"},\"id\":null,\"ipAddress\":\"108.255.197.247\",\"userAgent\":{\"browser\":\"FIREFOX\",\"os\":\"Mac OS X\",\"rawUserAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 
Firefox/72.0\"},\"zone\":\"null\"},\"debugContext\":{\"debugData\":{\"deviceFingerprint\":\"541daf91d15bef64a7e08c946fd9a9d0\",\"requestId\":\"XkcAsWb8WjwDP76xh@1v8wAABp0\",\"requestUri\":\"/api/v1/authn\",\"threatSuspected\":\"false\",\"url\":\"/api/v1/authn?\"}},\"displayMessage\":\"User login to Okta\",\"eventType\":\"user.session.start\",\"legacyEventType\":\"core.user_auth.login_success\",\"outcome\":{\"reason\":null,\"result\":\"SUCCESS\"},\"published\":\"2020-02-14T20:18:57.718Z\",\"request\":{\"ipChain\":[{\"geographicalContext\":{\"city\":\"Dublin\",\"country\":\"United States\",\"geolocation\":{\"lat\":37.7201,\"lon\":-121.919},\"postalCode\":\"94568\",\"state\":\"California\"},\"ip\":\"108.255.197.247\",\"source\":null,\"version\":\"V4\"}]},\"securityContext\":{\"asNumber\":null,\"asOrg\":null,\"domain\":null,\"isProxy\":null,\"isp\":null},\"severity\":\"INFO\",\"target\":null,\"transaction\":{\"detail\":{},\"id\":\"XkcAsWb8WjwDP76xh@1v8wAABp0\",\"type\":\"WEB\"},\"uuid\":\"3aeede38-4f67-11ea-abd3-1f5d113f2546\",\"version\":\"0\"}", - "outcome": "success", - "type": [ - "start", - "user" - ] - }, - "input": { - "type": "httpjson" - }, - "okta": { - "actor": { - "alternate_id": "xxxxxx@elastic.co", - "display_name": "xxxxxx", - "id": "00u1abvz4pYqdM8ms4x6", - "type": "User" - }, - "authentication_context": { - "authentication_step": 0, - "external_session_id": "102bZDNFfWaQSyEZQuDgWt-uQ" - }, - "client": { - "device": "Computer", - "ip": "108.255.197.247", - "user_agent": { - "browser": "FIREFOX", - "os": "Mac OS X", - "raw_user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0" - }, - "zone": "null" - }, - "debug_context": { - "debug_data": { - "device_fingerprint": "541daf91d15bef64a7e08c946fd9a9d0", - "flattened": { - "deviceFingerprint": "541daf91d15bef64a7e08c946fd9a9d0", - "requestId": "XkcAsWb8WjwDP76xh@1v8wAABp0", - "requestUri": "/api/v1/authn", - "threatSuspected": "false", - "url": "/api/v1/authn?" 
- }, - "request_id": "XkcAsWb8WjwDP76xh@1v8wAABp0", - "request_uri": "/api/v1/authn", - "threat_suspected": "false", - "url": "/api/v1/authn?" - } - }, - "display_message": "User login to Okta", - "event_type": "user.session.start", - "outcome": { - "result": "SUCCESS" - }, - "request": { - "ip_chain": [ - { - "geographical_context": { - "city": "Dublin", - "country": "United States", - "geolocation": { - "lat": 37.7201, - "lon": -121.919 - }, - "postal_code": "94568", - "state": "California" - }, - "ip": "108.255.197.247", - "version": "V4" - } - ] - }, - "transaction": { - "id": "XkcAsWb8WjwDP76xh@1v8wAABp0", - "type": "WEB" - }, - "uuid": "3aeede38-4f67-11ea-abd3-1f5d113f2546" - }, - "related": { - "ip": [ - "108.255.197.247" - ], - "user": [ - "xxxxxx" - ] - }, - "source": { - "ip": "108.255.197.247", - "user": { - "full_name": "xxxxxx", - "id": "00u1abvz4pYqdM8ms4x6" - } - }, - "tags": [ - "preserve_original_event", - "forwarded", - "okta-system" - ], - "user": { - "full_name": "xxxxxx" - }, - "user_agent": { - "device": { - "name": "Mac" - }, - "name": "Firefox", - "original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0", - "os": { - "full": "Mac OS X 10.15", - "name": "Mac OS X", - "version": "10.15" - }, - "version": "72.0." - } -} \ No newline at end of file diff --git a/packages/okta/1.10.2/docs/README.md b/packages/okta/1.10.2/docs/README.md deleted file mode 100755 index a791d0c7b3..0000000000 --- a/packages/okta/1.10.2/docs/README.md +++ /dev/null 
@@ -1,356 +0,0 @@ -# Okta Integration - -The Okta integration collects events from the Okta API, specifically reading from the Okta System Log API. - -## Logs - -### System - -The Okta System Log records system events related to your organization in order to provide an audit trail that can be used to understand platform activity and to diagnose problems. This module is implemented using the httpjson input and is configured to paginate through the logs while honoring any rate-limiting headers sent by Okta. - -An example event for `system` looks as following: - -```json -{ - "@timestamp": "2020-02-14T20:18:57.718Z", - "agent": { - "ephemeral_id": "3347d5a2-0d81-41c5-8cbf-a69aebcdb56a", - "id": "dbc761fd-dec4-4bc7-acec-8e5cb02a0cb6", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "8.2.1" - }, - "client": { - "geo": { - "city_name": "Dublin", - "country_name": "United States", - "location": { - "lat": 37.7201, - "lon": -121.919 - }, - "region_name": "California" - }, - "ip": "108.255.197.247", - "user": { - "full_name": "xxxxxx", - "id": "00u1abvz4pYqdM8ms4x6" - } - }, - "data_stream": { - "dataset": "okta.system", - "namespace": "ep", - "type": "logs" - }, - "ecs": { - "version": "8.3.0" - }, - "elastic_agent": { - "id": "dbc761fd-dec4-4bc7-acec-8e5cb02a0cb6", - "snapshot": true, - "version": "8.2.1" - }, - "event": { - "action": "user.session.start", - "agent_id_status": "verified", - "category": [ - "authentication", - "session" - ], - "created": "2022-05-18T08:57:39.484Z", - "dataset": "okta.system", - "id": "3aeede38-4f67-11ea-abd3-1f5d113f2546", - "ingested": "2022-05-18T08:57:40Z", - "kind": "event", - "original": 
"{\"actor\":{\"alternateId\":\"xxxxxx@elastic.co\",\"detailEntry\":null,\"displayName\":\"xxxxxx\",\"id\":\"00u1abvz4pYqdM8ms4x6\",\"type\":\"User\"},\"authenticationContext\":{\"authenticationProvider\":null,\"authenticationStep\":0,\"credentialProvider\":null,\"credentialType\":null,\"externalSessionId\":\"102bZDNFfWaQSyEZQuDgWt-uQ\",\"interface\":null,\"issuer\":null},\"client\":{\"device\":\"Computer\",\"geographicalContext\":{\"city\":\"Dublin\",\"country\":\"United States\",\"geolocation\":{\"lat\":37.7201,\"lon\":-121.919},\"postalCode\":\"94568\",\"state\":\"California\"},\"id\":null,\"ipAddress\":\"108.255.197.247\",\"userAgent\":{\"browser\":\"FIREFOX\",\"os\":\"Mac OS X\",\"rawUserAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0\"},\"zone\":\"null\"},\"debugContext\":{\"debugData\":{\"deviceFingerprint\":\"541daf91d15bef64a7e08c946fd9a9d0\",\"requestId\":\"XkcAsWb8WjwDP76xh@1v8wAABp0\",\"requestUri\":\"/api/v1/authn\",\"threatSuspected\":\"false\",\"url\":\"/api/v1/authn?\"}},\"displayMessage\":\"User login to Okta\",\"eventType\":\"user.session.start\",\"legacyEventType\":\"core.user_auth.login_success\",\"outcome\":{\"reason\":null,\"result\":\"SUCCESS\"},\"published\":\"2020-02-14T20:18:57.718Z\",\"request\":{\"ipChain\":[{\"geographicalContext\":{\"city\":\"Dublin\",\"country\":\"United States\",\"geolocation\":{\"lat\":37.7201,\"lon\":-121.919},\"postalCode\":\"94568\",\"state\":\"California\"},\"ip\":\"108.255.197.247\",\"source\":null,\"version\":\"V4\"}]},\"securityContext\":{\"asNumber\":null,\"asOrg\":null,\"domain\":null,\"isProxy\":null,\"isp\":null},\"severity\":\"INFO\",\"target\":null,\"transaction\":{\"detail\":{},\"id\":\"XkcAsWb8WjwDP76xh@1v8wAABp0\",\"type\":\"WEB\"},\"uuid\":\"3aeede38-4f67-11ea-abd3-1f5d113f2546\",\"version\":\"0\"}", - "outcome": "success", - "type": [ - "start", - "user" - ] - }, - "input": { - "type": "httpjson" - }, - "okta": { - "actor": { - "alternate_id": 
"xxxxxx@elastic.co", - "display_name": "xxxxxx", - "id": "00u1abvz4pYqdM8ms4x6", - "type": "User" - }, - "authentication_context": { - "authentication_step": 0, - "external_session_id": "102bZDNFfWaQSyEZQuDgWt-uQ" - }, - "client": { - "device": "Computer", - "ip": "108.255.197.247", - "user_agent": { - "browser": "FIREFOX", - "os": "Mac OS X", - "raw_user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0" - }, - "zone": "null" - }, - "debug_context": { - "debug_data": { - "device_fingerprint": "541daf91d15bef64a7e08c946fd9a9d0", - "flattened": { - "deviceFingerprint": "541daf91d15bef64a7e08c946fd9a9d0", - "requestId": "XkcAsWb8WjwDP76xh@1v8wAABp0", - "requestUri": "/api/v1/authn", - "threatSuspected": "false", - "url": "/api/v1/authn?" - }, - "request_id": "XkcAsWb8WjwDP76xh@1v8wAABp0", - "request_uri": "/api/v1/authn", - "threat_suspected": "false", - "url": "/api/v1/authn?" - } - }, - "display_message": "User login to Okta", - "event_type": "user.session.start", - "outcome": { - "result": "SUCCESS" - }, - "request": { - "ip_chain": [ - { - "geographical_context": { - "city": "Dublin", - "country": "United States", - "geolocation": { - "lat": 37.7201, - "lon": -121.919 - }, - "postal_code": "94568", - "state": "California" - }, - "ip": "108.255.197.247", - "version": "V4" - } - ] - }, - "transaction": { - "id": "XkcAsWb8WjwDP76xh@1v8wAABp0", - "type": "WEB" - }, - "uuid": "3aeede38-4f67-11ea-abd3-1f5d113f2546" - }, - "related": { - "ip": [ - "108.255.197.247" - ], - "user": [ - "xxxxxx" - ] - }, - "source": { - "ip": "108.255.197.247", - "user": { - "full_name": "xxxxxx", - "id": "00u1abvz4pYqdM8ms4x6" - } - }, - "tags": [ - "preserve_original_event", - "forwarded", - "okta-system" - ], - "user": { - "full_name": "xxxxxx" - }, - "user_agent": { - "device": { - "name": "Mac" - }, - "name": "Firefox", - "original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0", - "os": { - "full": "Mac 
OS X 10.15", - "name": "Mac OS X", - "version": "10.15" - }, - "version": "72.0." - } -} -``` - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| client.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| client.as.organization.name | Organization name. | keyword | -| client.as.organization.name.text | Multi-field of `client.as.organization.name`. | match_only_text | -| client.domain | The domain name of the client system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | -| client.geo.city_name | City name. | keyword | -| client.geo.country_name | Country name. | keyword | -| client.geo.location | Longitude and latitude. | geo_point | -| client.geo.region_name | Region name. | keyword | -| client.ip | IP address of the client (IPv4 or IPv6). | ip | -| client.user.full_name | User's full name, if available. | keyword | -| client.user.full_name.text | Multi-field of `client.user.full_name`. | match_only_text | -| client.user.id | Unique identifier of the user. | keyword | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. 
Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset name. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| destination.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| destination.as.organization.name | Organization name. | keyword | -| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. | match_only_text | -| destination.geo.city_name | City name. | keyword | -| destination.geo.continent_name | Name of the continent. | keyword | -| destination.geo.country_iso_code | Country ISO code. | keyword | -| destination.geo.country_name | Country name. | keyword | -| destination.geo.location | Longitude and latitude. | geo_point | -| destination.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | -| destination.geo.region_iso_code | Region ISO code. | keyword | -| destination.geo.region_name | Region name. | keyword | -| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. 
When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| error.message | Error message. | match_only_text | -| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | -| event.dataset | Event dataset | constant_keyword | -| event.id | Unique ID to describe the event. | keyword | -| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. 
In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | -| event.module | Event module | constant_keyword | -| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | -| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. 
Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. 
| keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| input.type | Type of Filebeat input. | keyword | -| log.file.path | Path to the log file. | keyword | -| log.flags | Flags for the log file. | keyword | -| log.offset | Offset of the entry in the log file. | long | -| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | -| okta.actor.alternate_id | Alternate identifier of the actor. | keyword | -| okta.actor.display_name | Display name of the actor. | keyword | -| okta.actor.id | Identifier of the actor. | keyword | -| okta.actor.type | Type of the actor. | keyword | -| okta.authentication_context.authentication_provider | The information about the authentication provider. Must be one of OKTA_AUTHENTICATION_PROVIDER, ACTIVE_DIRECTORY, LDAP, FEDERATION, SOCIAL, FACTOR_PROVIDER. | keyword | -| okta.authentication_context.authentication_step | The authentication step. | integer | -| okta.authentication_context.credential_provider | The information about credential provider. Must be one of OKTA_CREDENTIAL_PROVIDER, RSA, SYMANTEC, GOOGLE, DUO, YUBIKEY. | keyword | -| okta.authentication_context.credential_type | The information about credential type. Must be one of OTP, SMS, PASSWORD, ASSERTION, IWA, EMAIL, OAUTH2, JWT, CERTIFICATE, PRE_SHARED_SYMMETRIC_KEY, OKTA_CLIENT_SESSION, DEVICE_UDID. 
| keyword | -| okta.authentication_context.external_session_id | The session identifer of the external session if any. | keyword | -| okta.authentication_context.interface | The interface used. e.g., Outlook, Office365, wsTrust | keyword | -| okta.authentication_context.issuer.id | The identifier of the issuer. | keyword | -| okta.authentication_context.issuer.type | The type of the issuer. | keyword | -| okta.client.device | The information of the client device. | keyword | -| okta.client.id | The identifier of the client. | keyword | -| okta.client.ip | The IP address of the client. | ip | -| okta.client.user_agent.browser | The browser informaton of the client. | keyword | -| okta.client.user_agent.os | The OS informaton. | keyword | -| okta.client.user_agent.raw_user_agent | The raw informaton of the user agent. | keyword | -| okta.client.zone | The zone information of the client. | keyword | -| okta.debug_context.debug_data.device_fingerprint | The fingerprint of the device. | keyword | -| okta.debug_context.debug_data.flattened | The complete debug_data object. | flattened | -| okta.debug_context.debug_data.request_id | The identifier of the request. | keyword | -| okta.debug_context.debug_data.request_uri | The request URI. | keyword | -| okta.debug_context.debug_data.risk_level | The risk level assigned to the sign in attempt. | keyword | -| okta.debug_context.debug_data.threat_suspected | Threat suspected. | keyword | -| okta.debug_context.debug_data.url | The URL. | keyword | -| okta.display_message | The display message of the LogEvent. | keyword | -| okta.event_type | The type of the LogEvent. | keyword | -| okta.outcome.reason | The reason of the outcome. | keyword | -| okta.outcome.result | The result of the outcome. Must be one of: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN. | keyword | -| okta.request.ip_chain.geographical_context.city | The city. | keyword | -| okta.request.ip_chain.geographical_context.country | The country. 
| keyword | -| okta.request.ip_chain.geographical_context.geolocation | Geolocation information. | geo_point | -| okta.request.ip_chain.geographical_context.postal_code | The postal code. | keyword | -| okta.request.ip_chain.geographical_context.state | The state. | keyword | -| okta.request.ip_chain.ip | IP address. | ip | -| okta.request.ip_chain.source | Source information. | keyword | -| okta.request.ip_chain.version | IP version. Must be one of V4, V6. | keyword | -| okta.security_context.as.number | The AS number. | integer | -| okta.security_context.as.organization.name | The organization name. | keyword | -| okta.security_context.domain | The domain name. | keyword | -| okta.security_context.is_proxy | Whether it is a proxy or not. | boolean | -| okta.security_context.isp | The Internet Service Provider. | keyword | -| okta.severity | The severity of the LogEvent. Must be one of DEBUG, INFO, WARN, or ERROR. | keyword | -| okta.target.alternate_id | Alternate identifier of the actor. | keyword | -| okta.target.display_name | Display name of the actor. | keyword | -| okta.target.id | Identifier of the actor. | keyword | -| okta.target.type | Type of the actor. | keyword | -| okta.transaction.id | Identifier of the transaction. | keyword | -| okta.transaction.type | The type of transaction. Must be one of "WEB", "JOB". | keyword | -| okta.uuid | The unique identifier of the Okta LogEvent. | keyword | -| okta.version | The version of the LogEvent. | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| related.user | All the user names or other user identifiers seen on the event. | keyword | -| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| source.as.organization.name | Organization name. | keyword | -| source.as.organization.name.text | Multi-field of `source.as.organization.name`. 
| match_only_text | -| source.domain | The domain name of the source system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | -| source.geo.city_name | City name. | keyword | -| source.geo.continent_name | Name of the continent. | keyword | -| source.geo.country_iso_code | Country ISO code. | keyword | -| source.geo.country_name | Country name. | keyword | -| source.geo.location | Longitude and latitude. | geo_point | -| source.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | -| source.geo.region_iso_code | Region ISO code. | keyword | -| source.geo.region_name | Region name. | keyword | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| source.user.full_name | User's full name, if available. | keyword | -| source.user.full_name.text | Multi-field of `source.user.full_name`. | match_only_text | -| source.user.id | Unique identifier of the user. | keyword | -| tags | List of keywords used to tag each event. | keyword | -| user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword | -| user.email | User email address. | keyword | -| user.full_name | User's full name, if available. | keyword | -| user.full_name.text | Multi-field of `user.full_name`. | match_only_text | -| user.id | Unique identifier of the user. | keyword | -| user.name | Short name or login of the user. | keyword | -| user.name.text | Multi-field of `user.name`. | match_only_text | -| user.target.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword | -| user.target.email | User email address. 
| keyword | -| user.target.full_name | User's full name, if available. | keyword | -| user.target.full_name.text | Multi-field of `user.target.full_name`. | match_only_text | -| user.target.group.domain | Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name. | keyword | -| user.target.group.id | Unique identifier for the group on the system/platform. | keyword | -| user.target.group.name | Name of the group. | keyword | -| user.target.id | Unique identifier of the user. | keyword | -| user.target.name | Short name or login of the user. | keyword | -| user.target.name.text | Multi-field of `user.target.name`. | match_only_text | -| user_agent.device.name | Name of the device. | keyword | -| user_agent.name | Name of the user agent. | keyword | -| user_agent.original | Unparsed user_agent string. | keyword | -| user_agent.original.text | Multi-field of `user_agent.original`. | match_only_text | -| user_agent.os.full | Operating system name, including the version or code name. | keyword | -| user_agent.os.full.text | Multi-field of `user_agent.os.full`. | match_only_text | -| user_agent.os.name | Operating system name, without the version. | keyword | -| user_agent.os.name.text | Multi-field of `user_agent.os.name`. | match_only_text | -| user_agent.os.version | Operating system version as a raw string. | keyword | -| user_agent.version | Version of the user agent. | keyword | diff --git a/packages/okta/1.10.2/img/filebeat-okta-dashboard.png b/packages/okta/1.10.2/img/filebeat-okta-dashboard.png deleted file mode 100755 index 6a28b4363b..0000000000 Binary files a/packages/okta/1.10.2/img/filebeat-okta-dashboard.png and /dev/null differ diff --git a/packages/okta/1.10.2/img/okta-logo.svg b/packages/okta/1.10.2/img/okta-logo.svg deleted file mode 100755 index d806cb7dc6..0000000000 --- a/packages/okta/1.10.2/img/okta-logo.svg +++ /dev/null @@ -1,19 +0,0 @@ - - - - - - - - - - - - - - - - - \ No newline at end of file 
diff --git a/packages/okta/1.10.2/kibana/dashboard/okta-749203a0-67b1-11ea-a76f-bf44814e437d.json b/packages/okta/1.10.2/kibana/dashboard/okta-749203a0-67b1-11ea-a76f-bf44814e437d.json deleted file mode 100755 index d8725c4d60..0000000000 --- a/packages/okta/1.10.2/kibana/dashboard/okta-749203a0-67b1-11ea-a76f-bf44814e437d.json +++ /dev/null 
@@ -1,54 +0,0 @@ -{ - "attributes": { - "description": "Logs Okta integration Kibana dashboard", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"hiddenLayers\":[],\"isLayerTOCOpen\":false,\"mapCenter\":{\"lat\":26.54701,\"lon\":-44.69098,\"zoom\":2.75},\"openTOCDetails\":[]},\"gridData\":{\"h\":22,\"i\":\"8013824b-5a66-494c-acc5-3df8b7678879\",\"w\":48,\"x\":0,\"y\":0},\"panelIndex\":\"8013824b-5a66-494c-acc5-3df8b7678879\",\"panelRefName\":\"panel_0\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":11,\"i\":\"c6a66fe5-21a2-4308-8563-d4a7f5135d25\",\"w\":10,\"x\":0,\"y\":22},\"panelIndex\":\"c6a66fe5-21a2-4308-8563-d4a7f5135d25\",\"panelRefName\":\"panel_1\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":11,\"i\":\"195db901-dc2b-4b7d-80c3-742e2712ac2a\",\"w\":9,\"x\":10,\"y\":22},\"panelIndex\":\"195db901-dc2b-4b7d-80c3-742e2712ac2a\",\"panelRefName\":\"panel_2\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":11,\"i\":\"dc5128e2-0b4d-4dd5-bbc2-624f64467a77\",\"w\":19,\"x\":29,\"y\":22},\"panelIndex\":\"dc5128e2-0b4d-4dd5-bbc2-624f64467a77\",\"panelRefName\":\"panel_3\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":11,\"i\":\"a25a43ed-3262-486c-a482-1fac52f26128\",\"w\":10,\"x\":19,\"y\":22},\"panelIndex\":\"a25a43ed-3262-486c-a482-1fac52f26128\",\"panelRefName\":\"panel_4\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":16,\"i\":\"c0d5bac3-7e50-4ef9-a401-5a596ec84ee9\",\"w\":48,\"x\":0,\"y\":33},\"panelIndex\":\"c0d5bac3-7e50-4ef9-a401-5a596ec84ee9\",\"panelRefName\":\"panel_5\",\"version\":\"8.0.0-SNAPSHOT\"}]", - "timeRestore": false, - "title": "[Logs Okta] Overview", - "version": 1 - }, - "id": 
"okta-749203a0-67b1-11ea-a76f-bf44814e437d", - "migrationVersion": { - "dashboard": "7.3.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "okta-281ca660-67b1-11ea-a76f-bf44814e437d", - "name": "panel_0", - "type": "map" - }, - { - "id": "okta-545d6a00-67ae-11ea-a76f-bf44814e437d", - "name": "panel_1", - "type": "visualization" - }, - { - "id": "okta-7c6ec080-67c6-11ea-a76f-bf44814e437d", - "name": "panel_2", - "type": "visualization" - }, - { - "id": "okta-cda883a0-67c6-11ea-a76f-bf44814e437d", - "name": "panel_3", - "type": "visualization" - }, - { - "id": "okta-0a784b30-67c7-11ea-a76f-bf44814e437d", - "name": "panel_4", - "type": "visualization" - }, - { - "id": "okta-21028750-67ca-11ea-a76f-bf44814e437d", - "name": "panel_5", - "type": "search" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/okta/1.10.2/kibana/map/okta-281ca660-67b1-11ea-a76f-bf44814e437d.json b/packages/okta/1.10.2/kibana/map/okta-281ca660-67b1-11ea-a76f-bf44814e437d.json deleted file mode 100755 index 916a10ca30..0000000000 --- a/packages/okta/1.10.2/kibana/map/okta-281ca660-67b1-11ea-a76f-bf44814e437d.json +++ /dev/null 
@@ -1,24 +0,0 @@ -{ - "attributes": { - "description": "", - "layerListJSON": "[{\"alpha\":1,\"id\":\"6908e81b-1695-4445-aee4-8bc8c9f65600\",\"label\":null,\"maxZoom\":24,\"minZoom\":0,\"sourceDescriptor\":{\"isAutoSelect\":true,\"type\":\"EMS_TMS\"},\"style\":{},\"type\":\"VECTOR_TILE\",\"visible\":true},{\"alpha\":0.75,\"id\":\"dc52e707-92d7-4de7-becf-a3a8bfaa2c2d\",\"label\":\"Okta \",\"maxZoom\":24,\"minZoom\":0,\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"okta.system\\\" \"},\"sourceDescriptor\":{\"applyGlobalQuery\":true,\"filterByMapBounds\":false,\"geoField\":\"client.geo.location\",\"id\":\"4b8bd321-4b90-4d97-83e0-2b12bf091f66\",\"indexPatternRefName\":\"layer_1_source_index_pattern\",\"scalingType\":\"LIMIT\",\"sortField\":\"\",\"sortOrder\":\"desc\",\"tooltipProperties\":[],\"topHitsSize\":1,\"type\":\"ES_SEARCH\"},\"style\":{\"isTimeAware\":true,\"properties\":{\"fillColor\":{\"options\":{\"color\":\"#54B399\"},\"type\":\"STATIC\"},\"icon\":{\"options\":{\"value\":\"marker\"},\"type\":\"STATIC\"},\"iconOrientation\":{\"options\":{\"orientation\":0},\"type\":\"STATIC\"},\"iconSize\":{\"options\":{\"size\":6},\"type\":\"STATIC\"},\"labelBorderColor\":{\"options\":{\"color\":\"#FFFFFF\"},\"type\":\"STATIC\"},\"labelBorderSize\":{\"options\":{\"size\":\"SMALL\"}},\"labelColor\":{\"options\":{\"color\":\"#000000\"},\"type\":\"STATIC\"},\"labelSize\":{\"options\":{\"size\":14},\"type\":\"STATIC\"},\"labelText\":{\"options\":{\"value\":\"\"},\"type\":\"STATIC\"},\"lineColor\":{\"options\":{\"color\":\"#41937c\"},\"type\":\"STATIC\"},\"lineWidth\":{\"options\":{\"size\":1},\"type\":\"STATIC\"},\"symbolizeAs\":{\"options\":{\"value\":\"circle\"}}},\"type\":\"VECTOR\"},\"type\":\"VECTOR\",\"visible\":true}]", - "mapStateJSON": 
"{\"center\":{\"lat\":26.54701,\"lon\":-44.69098},\"filters\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"index\":\"logs-*\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"okta.system\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"okta.system\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"refreshConfig\":{\"interval\":0,\"isPaused\":false},\"timeFilters\":{\"from\":\"now-15w\",\"to\":\"now\"},\"zoom\":2.75}", - "title": "Geolocation [Logs Okta]", - "uiStateJSON": "{\"isLayerTOCOpen\":true,\"openTOCDetails\":[]}" - }, - "id": "okta-281ca660-67b1-11ea-a76f-bf44814e437d", - "migrationVersion": { - "map": "7.9.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "layer_1_source_index_pattern", - "type": "index-pattern" - } - ], - "type": "map" -} \ No newline at end of file diff --git a/packages/okta/1.10.2/kibana/search/okta-21028750-67ca-11ea-a76f-bf44814e437d.json b/packages/okta/1.10.2/kibana/search/okta-21028750-67ca-11ea-a76f-bf44814e437d.json deleted file mode 100755 index 35112753e0..0000000000 --- a/packages/okta/1.10.2/kibana/search/okta-21028750-67ca-11ea-a76f-bf44814e437d.json +++ /dev/null 
@@ -1,49 +0,0 @@ -{ - "attributes": { - "columns": [ - "_source" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"okta.system\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"okta.system\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"event.outcome\",\"negate\":false,\"params\":{\"query\":\"FAILURE\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"event.outcome\":\"FAILURE\"}}}],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ], - [ - "event.created", - "desc" - ] - ], - "title": "Okta Failure Events", - "version": 1 - }, - "id": "okta-21028750-67ca-11ea-a76f-bf44814e437d", - "migrationVersion": { - "search": "7.4.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/okta/1.10.2/kibana/visualization/okta-0a784b30-67c7-11ea-a76f-bf44814e437d.json b/packages/okta/1.10.2/kibana/visualization/okta-0a784b30-67c7-11ea-a76f-bf44814e437d.json deleted file mode 100755 index e31342b53d..0000000000 
--- a/packages/okta/1.10.2/kibana/visualization/okta-0a784b30-67c7-11ea-a76f-bf44814e437d.json +++ /dev/null @@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"okta.system\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"okta.system\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Actor Types [Logs Okta]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"okta.actor.type\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"isDonut\":true,\"labels\":{\"last_level\":true,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"right\",\"type\":\"pie\"},\"title\":\"Actor Types [Logs Okta]\",\"type\":\"pie\"}" - }, - "id": "okta-0a784b30-67c7-11ea-a76f-bf44814e437d", - "migrationVersion": { - "visualization": "7.8.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/okta/1.10.2/kibana/visualization/okta-545d6a00-67ae-11ea-a76f-bf44814e437d.json b/packages/okta/1.10.2/kibana/visualization/okta-545d6a00-67ae-11ea-a76f-bf44814e437d.json deleted file mode 100755 index c1c400b37c..0000000000 --- a/packages/okta/1.10.2/kibana/visualization/okta-545d6a00-67ae-11ea-a76f-bf44814e437d.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"okta.system\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"okta.system\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Event Outcome [Logs Okta]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"event.outcome\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"isDonut\":true,\"labels\":{\"last_level\":true,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"right\",\"type\":\"pie\"},\"title\":\"Event Outcome [Logs Okta]\",\"type\":\"pie\"}" - }, - "id": "okta-545d6a00-67ae-11ea-a76f-bf44814e437d", - "migrationVersion": { - "visualization": "7.8.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/okta/1.10.2/kibana/visualization/okta-7c6ec080-67c6-11ea-a76f-bf44814e437d.json b/packages/okta/1.10.2/kibana/visualization/okta-7c6ec080-67c6-11ea-a76f-bf44814e437d.json deleted file mode 100755 index beb76986ed..0000000000 --- a/packages/okta/1.10.2/kibana/visualization/okta-7c6ec080-67c6-11ea-a76f-bf44814e437d.json +++ /dev/null 
@@ -1,32 +0,0 @@
-{
- "attributes": {
- "description": "",
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"okta.system\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"okta.system\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}"
- },
- "title": "Transaction Types [Logs Okta]",
- "uiStateJSON": "{}",
- "version": 1,
- "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"okta.transaction.type\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"isDonut\":true,\"labels\":{\"last_level\":true,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"right\",\"type\":\"pie\"},\"title\":\"Transaction Types [Logs Okta]\",\"type\":\"pie\"}"
- },
- "id": "okta-7c6ec080-67c6-11ea-a76f-bf44814e437d",
- "migrationVersion": {
- "visualization": "7.8.0"
- },
- "namespaces": [
- "default"
- ],
- "references": [
- {
- "id": "logs-*",
- "name": "kibanaSavedObjectMeta.searchSourceJSON.index",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
- "type": "index-pattern"
- }
- ],
- "type": "visualization"
-}
\ No newline at end of file
diff --git a/packages/okta/1.10.2/kibana/visualization/okta-cda883a0-67c6-11ea-a76f-bf44814e437d.json b/packages/okta/1.10.2/kibana/visualization/okta-cda883a0-67c6-11ea-a76f-bf44814e437d.json
deleted file mode 100755
index 4e314cfd4c..0000000000
--- a/packages/okta/1.10.2/kibana/visualization/okta-cda883a0-67c6-11ea-a76f-bf44814e437d.json
+++ /dev/null
@@ -1,21 +0,0 @@
-{
- "attributes": {
- "description": "",
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{}"
- },
- "title": "Time Series [Logs Okta]",
- "uiStateJSON": "{}",
- "version": 1,
- "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"bar_color_rules\":[{\"id\":\"abd68650-67c6-11ea-8c7d-ed286611413e\"}],\"default_index_pattern\":\"logs-*\",\"default_timefield\":\"@timestamp\",\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"logs-*\",\"interval\":\"\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"filter\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"okta.system\\\"\"},\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"line_width\":1,\"metrics\":[{\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"count\"}],\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"type\":\"timeseries\"},\"title\":\"Time Series [Logs Okta]\",\"type\":\"metrics\"}"
- },
- "id": "okta-cda883a0-67c6-11ea-a76f-bf44814e437d",
- "migrationVersion": {
- "visualization": "7.8.0"
- },
- "namespaces": [
- "default"
- ],
- "references": [],
- "type": "visualization"
-}
\ No newline at end of file
diff --git a/packages/okta/1.10.2/manifest.yml b/packages/okta/1.10.2/manifest.yml
deleted file mode 100755
index 90b4fb2b8a..0000000000
--- a/packages/okta/1.10.2/manifest.yml
+++ /dev/null
@@ -1,77 +0,0 @@ -name: okta -title: Okta -version: 1.10.2 -release: ga -description: Collect and parse event logs from Okta API with Elastic Agent. -type: integration -format_version: 1.0.0 -license: basic -categories: [security] -conditions: - kibana.version: ^7.14.0 || ^8.0.0 -icons: - - src: /img/okta-logo.svg - title: Okta - size: 216x216 - type: image/svg+xml -screenshots: - - src: /img/filebeat-okta-dashboard.png - title: Okta Dashboard - size: 1024x662 - type: image/png -policy_templates: - - name: okta - title: Okta logs - description: Collect logs from Okta - inputs: - - type: httpjson - vars: - - name: api_key - type: text - title: API Key - multi: false - required: true - show_user: true - - name: http_client_timeout - type: text - title: HTTP Client Timeout - multi: false - required: false - show_user: true - - name: interval - type: text - title: Interval - multi: false - required: true - show_user: true - default: 60s - - name: initial_interval - type: text - title: Initial Interval - multi: false - required: true - show_user: true - default: 24h - - name: ssl - type: yaml - title: SSL - multi: false - required: false - show_user: true - - name: url - type: text - title: Okta System Log API Url - multi: false - required: false - show_user: true - - name: proxy_url - type: text - title: Proxy URL - multi: false - required: false - show_user: false - description: URL to proxy connections in the form of http\[s\]://:@: - title: "Collect Okta logs via API" - description: "Collecting logs from Okta via API" -owner: - github: elastic/security-external-integrations diff --git a/packages/oracle/1.4.0/LICENSE.txt b/packages/oracle/1.4.0/LICENSE.txt deleted file mode 100755 index 809108b857..0000000000 --- a/packages/oracle/1.4.0/LICENSE.txt +++ /dev/null 
@@ -1,93 +0,0 @@ -Elastic License 2.0 - -URL: https://www.elastic.co/licensing/elastic-license - -## Acceptance - -By using the software, you agree to all of the terms and conditions below. - -## Copyright License - -The licensor grants you a non-exclusive, royalty-free, worldwide, -non-sublicensable, non-transferable license to use, copy, distribute, make -available, and prepare derivative works of the software, in each case subject to -the limitations and conditions below. - -## Limitations - -You may not provide the software to third parties as a hosted or managed -service, where the service provides users with access to any substantial set of -the features or functionality of the software. - -You may not move, change, disable, or circumvent the license key functionality -in the software, and you may not remove or obscure any functionality in the -software that is protected by the license key. - -You may not alter, remove, or obscure any licensing, copyright, or other notices -of the licensor in the software. Any use of the licensor’s trademarks is subject -to applicable law. - -## Patents - -The licensor grants you a license, under any patent claims the licensor can -license, or becomes able to license, to make, have made, use, sell, offer for -sale, import and have imported the software, in each case subject to the -limitations and conditions in this license. This license does not cover any -patent claims that you cause to be infringed by modifications or additions to -the software. If you or your company make any written claim that the software -infringes or contributes to infringement of any patent, your patent license for -the software granted under these terms ends immediately. If your company makes -such a claim, your patent license ends immediately for work on behalf of your -company. - -## Notices - -You must ensure that anyone who gets a copy of any part of the software from you -also gets a copy of these terms. 
- -If you modify the software, you must include in any modified copies of the -software prominent notices stating that you have modified the software. - -## No Other Rights - -These terms do not imply any licenses other than those expressly granted in -these terms. - -## Termination - -If you use the software in violation of these terms, such use is not licensed, -and your licenses will automatically terminate. If the licensor provides you -with a notice of your violation, and you cease all violation of this license no -later than 30 days after you receive that notice, your licenses will be -reinstated retroactively. However, if you violate these terms after such -reinstatement, any additional violation of these terms will cause your licenses -to terminate automatically and permanently. - -## No Liability - -*As far as the law allows, the software comes as is, without any warranty or -condition, and the licensor will not be liable to you for any damages arising -out of these terms or the use or nature of the software, under any kind of -legal claim.* - -## Definitions - -The **licensor** is the entity offering these terms, and the **software** is the -software the licensor makes available under these terms, including any portion -of it. - -**you** refers to the individual or entity agreeing to these terms. - -**your company** is any legal entity, sole proprietorship, or other kind of -organization that you work for, plus all organizations that have control over, -are under the control of, or are under common control with that -organization. **control** means ownership of substantially all the assets of an -entity, or the power to direct its management and policies by vote, contract, or -otherwise. Control can be direct or indirect. - -**your licenses** are all the licenses granted to you for the software under -these terms. - -**use** means anything you do with the software requiring one of your licenses. 
- -**trademark** means trademarks, service marks, and similar rights. diff --git a/packages/oracle/1.4.0/changelog.yml b/packages/oracle/1.4.0/changelog.yml deleted file mode 100755 index a1a7c4116b..0000000000 --- a/packages/oracle/1.4.0/changelog.yml +++ /dev/null @@ -1,41 +0,0 @@ -# newer versions go on top -- version: "1.4.0" - changes: - - description: Enhancement to capture system statistics metrics, pga metrics, sga metrics. - type: enhancement - link: https://github.com/elastic/integrations/pull/3967 -- version: "1.3.0" - changes: - - description: Update package to ECS 8.4.0 - type: enhancement - link: https://github.com/elastic/integrations/pull/3868 -- version: "1.2.0" - changes: - - description: Enhancement to capture performance, tablespace and sysmetrics metric data for Oracle database - type: enhancement - link: https://github.com/elastic/integrations/pull/3759 -- version: "1.1.1" - changes: - - description: Update package name and description to align with standard wording - type: enhancement - link: https://github.com/elastic/integrations/pull/3478 -- version: "1.1.0" - changes: - - description: Update package to ECS 8.3.0. - type: enhancement - link: https://github.com/elastic/integrations/pull/3353 -- version: "1.0.2" - changes: - - description: Supporting the double digit date parsing in ingest pipeline for oracle logs - type: bugfix - link: https://github.com/elastic/integrations/pull/3318 -- version: "1.0.1" - changes: - - description: Add documentation for multi-fields - type: enhancement - link: https://github.com/elastic/integrations/pull/2916 -- version: "1.0.0" - changes: - - description: Initial Release - type: enhancement - link: https://github.com/elastic/integrations/pull/2721 diff --git a/packages/oracle/1.4.0/data_stream/database_audit/agent/stream/stream.yml.hbs b/packages/oracle/1.4.0/data_stream/database_audit/agent/stream/stream.yml.hbs deleted file mode 100755 index 3eeb00bc7f..0000000000 
--- a/packages/oracle/1.4.0/data_stream/database_audit/agent/stream/stream.yml.hbs +++ /dev/null @@ -1,28 +0,0 @@ -paths: -{{#each paths}} -- {{this}} -{{/each}} -parsers: -- multiline: - type: pattern - pattern: '^[A-Za-z]{3}\s+[A-Za-z]{3}\s+[0-9]{1,2}\s[0-9]{2}:[0-9]{2}:[0-9]{2}\s[0-9]{4}\s\S[0-9]{2}:[0-9]{2}' - negate: true - match: after - timeout: 10 -exclude_lines: ['^Audit file'] -tags: -{{#if preserve_original_event}} -- preserve_original_event -{{/if}} -{{#each tags as |tag i|}} -- {{tag}} -{{/each}} -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} -exclude_files: [".gz$"] -processors: -{{#if processors}} -{{processors}} -{{/if}} -- add_locale: ~ diff --git a/packages/oracle/1.4.0/data_stream/database_audit/elasticsearch/ingest_pipeline/default.yml b/packages/oracle/1.4.0/data_stream/database_audit/elasticsearch/ingest_pipeline/default.yml deleted file mode 100755 index cf3e447f55..0000000000 --- a/packages/oracle/1.4.0/data_stream/database_audit/elasticsearch/ingest_pipeline/default.yml +++ /dev/null 
@@ -1,215 +0,0 @@ ---- -description: Pipeline for parsing Oracle Audit logs -processors: - - set: - field: ecs.version - value: '8.4.0' - - set: - field: event.action - value: database_audit - - set: - field: event.kind - value: event - - set: - field: event.category - value: database - - set: - field: event.type - value: access - - set: - field: event.outcome - value: success - - rename: - field: message - target_field: event.original - ignore_missing: true - - grok: - field: event.original - patterns: - - "%{GREEDYDATA:tmp_timestamp}\\\nLENGTH : '%{GREEDYDATA:LENGTH}'\\\n(?m)%{GREEDYDATA:audit}" - - kv: - field: audit - field_split: "\\\n(?=[a-zA-Z])" - value_split: ":\\S\\d+\\S(?= ')" - trim_value: " '" - trim_key: " " - prefix: oracle.database_audit. - - grok: - field: log.file.path - patterns: - - "%{BASE10NUM:process.pid}\\_%{BASE10NUM}\\.aud(\\.log)?$" - if: ctx.log?.file?.path != null - # All field names are uppercase by default, converts them to lowercase - - script: - source: "ctx.oracle.database_audit = ctx.oracle.database_audit.entrySet().stream().collect(Collectors.toMap(entry -> entry.getKey().toLowerCase(), Map.Entry::getValue));" - lang: painless - # Replace all field names that has spaces in them with _ - - script: - lang: painless - source: "ctx.oracle.database_audit = ctx?.oracle?.database_audit.entrySet().stream().collect(Collectors.toMap(e -> e.getKey().replace(' ', '_'), e -> e.getValue()));" - - gsub: - field: "oracle.database_audit.action" - pattern: "\\n" - replacement: "" - - gsub: - field: "oracle.database_audit.action" - pattern: "\\s{2,}" - replacement: " " - - trim: - field: "oracle.database_audit.action_number" - ignore_missing: true - # Removes all null values from ctx.* - - script: - lang: painless - if: ctx?.oracle?.database_audit != null - source: | - void handleMap(Map map) { - for (def x : map.values()) { - if (x instanceof Map) { - handleMap(x); - } else if (x instanceof List) { - handleList(x); - } - } - 
map.values().removeIf(v -> v instanceof String && v.isEmpty() == true); - } - void handleList(List list) { - for (def x : list) { - if (x instanceof Map) { - handleMap(x); - } else if (x instanceof List) { - handleList(x); - } - } - } - handleMap(ctx); - - remove: - field: - - "@timestamp" - ignore_missing: true - - date: - field: tmp_timestamp - target_field: "@timestamp" - formats: - - EEE MMM [ d][dd] HH:mm:ss uuuu XXX - - grok: - field: tmp_timestamp - patterns: - - "%{ISO8601_TIMEZONE:event.timezone}$" - - rename: - field: oracle.database_audit.privilege - target_field: user.roles - ignore_missing: true - - rename: - field: LENGTH - target_field: oracle.database_audit.length - ignore_missing: true - - rename: - field: oracle.database_audit.client_user - target_field: client.user.name - ignore_missing: true - - rename: - field: oracle.database_audit.client_address - target_field: client.address - ignore_missing: true - - rename: - field: oracle.database_audit.userhost - target_field: server.address - ignore_missing: true - - rename: - field: oracle.database_audit.database_user - target_field: server.user.name - ignore_missing: true - - convert: - field: oracle.database_audit.length - type: long - ignore_missing: true - - grok: - field: client.address - patterns: - - "(?:%{IP:client.ip}|%{GREEDYDATA:client.domain})" - ignore_failure: true - ignore_missing: true - - grok: - field: server.address - patterns: - - "(?:%{IP:server.ip}|%{GREEDYDATA:server.domain})" - ignore_failure: true - ignore_missing: true - # Renaming certain fields for better data structure - - rename: - field: oracle.database_audit.sessionid - target_field: oracle.database_audit.session_id - ignore_missing: true - - rename: - field: oracle.database_audit.client_terminal - target_field: oracle.database_audit.client.terminal - ignore_missing: true - - rename: - field: oracle.database_audit.client_address - target_field: oracle.database_audit.client.address - ignore_missing: true - - rename: - 
field: oracle.database_audit.database_user - target_field: oracle.database_audit.database.user - ignore_missing: true - - rename: - field: oracle.database_audit.userhost - target_field: oracle.database_audit.database.host - ignore_missing: true - - rename: - field: oracle.database_audit.dbid - target_field: oracle.database_audit.database.id - ignore_missing: true - - rename: - field: oracle.database_audit.entry_id - target_field: oracle.database_audit.entry.id - ignore_missing: true - - convert: - field: process.pid - type: long - ignore_missing: true - - append: - field: related.user - value: "{{server.user.name}}" - allow_duplicates: false - if: ctx?.server?.user?.name != null - - append: - field: related.user - value: "{{client.user.name}}" - allow_duplicates: false - if: ctx?.client?.user?.name != null - - append: - field: related.ip - value: "{{client.ip}}" - allow_duplicates: false - if: ctx?.client?.ip != null - - append: - field: related.ip - value: "{{server.ip}}" - allow_duplicates: false - if: ctx?.server?.ip != null - - append: - field: related.hosts - value: "{{client.domain}}" - allow_duplicates: false - if: ctx?.client?.domain != null - - append: - field: related.hosts - value: "{{server.domain}}" - allow_duplicates: false - if: ctx?.server?.domain != null - - remove: - field: event.original - if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" - ignore_failure: true - ignore_missing: true - - remove: - field: - - tmp_timestamp - - audit - ignore_missing: true -on_failure: - - set: - field: error.message - value: "{{ _ingest.on_failure_message }}" diff --git a/packages/oracle/1.4.0/data_stream/database_audit/fields/agent.yml b/packages/oracle/1.4.0/data_stream/database_audit/fields/agent.yml deleted file mode 100755 index e313ec8287..0000000000 --- a/packages/oracle/1.4.0/data_stream/database_audit/fields/agent.yml +++ /dev/null 
@@ -1,204 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. 
- -- name: input.type - type: keyword - description: Input type -- name: log.offset - type: long - description: Log offset diff --git a/packages/oracle/1.4.0/data_stream/database_audit/fields/base-fields.yml b/packages/oracle/1.4.0/data_stream/database_audit/fields/base-fields.yml deleted file mode 100755 index 33efa5ed0c..0000000000 --- a/packages/oracle/1.4.0/data_stream/database_audit/fields/base-fields.yml +++ /dev/null @@ -1,23 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: "@timestamp" - type: date - description: Event timestamp. -- name: "message" - type: text - description: human-readable summary of the event -- name: event.module - type: constant_keyword - description: Event module - value: oracle -- name: event.dataset - type: constant_keyword - description: Event dataset - value: oracle.database_audit diff --git a/packages/oracle/1.4.0/data_stream/database_audit/fields/ecs.yml b/packages/oracle/1.4.0/data_stream/database_audit/fields/ecs.yml deleted file mode 100755 index 47eff9f31c..0000000000 --- a/packages/oracle/1.4.0/data_stream/database_audit/fields/ecs.yml +++ /dev/null 
@@ -1,146 +0,0 @@ -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: |- - Timestamp when an event arrived in the central data store. - This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. - In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. - name: event.ingested - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. This will allow proper categorization of some events that fall in multiple categories. 
- name: event.category - normalize: - - array - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. - `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. This will allow proper categorization of some events that fall in multiple event types. - name: event.type - normalize: - - array - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. - `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. - Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. - Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. - Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. - name: event.outcome - type: keyword -- description: |- - The action captured by the event. - This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. - name: event.action - type: keyword -- description: Array of user roles at the time of the event. - name: user.roles - normalize: - - array - type: keyword -- description: |- - The domain name of the server system. 
- This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. - name: server.domain - type: keyword -- description: |- - Some event server addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: server.address - type: keyword -- description: IP address of the server (IPv4 or IPv6). - name: server.ip - type: ip -- description: Short name or login of the user. - multi_fields: - - name: text - type: match_only_text - name: server.user.name - type: keyword -- description: |- - Some event client addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: client.address - type: keyword -- description: |- - The domain name of the client system. - This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. - name: client.domain - type: keyword -- description: Short name or login of the user. - multi_fields: - - name: text - type: match_only_text - name: client.user.name - type: keyword -- description: IP address of the client (IPv4 or IPv6). - name: client.ip - type: ip -- description: Process id. - name: process.pid - type: long -- description: Short name or login of the user. - multi_fields: - - name: text - type: match_only_text - name: user.target.name - type: keyword -- description: |- - Name of the directory the user is a member of. - For example, an LDAP or Active Directory domain name. 
- name: user.target.domain - type: keyword -- description: Short name or login of the user. - multi_fields: - - name: text - type: match_only_text - name: user.name - type: keyword -- description: Error message. - name: error.message - type: match_only_text -- description: |- - Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. - This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. - doc_values: false - index: false - name: event.original - type: keyword -- description: |- - Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. - If the event wasn't read from a log file, do not populate this field. - name: log.file.path - type: keyword -- description: related log flags - name: log.flags -- description: All of the IPs seen on your event. - name: related.ip - normalize: - - array - type: ip -- description: All the user names or other user identifiers seen on the event. - name: related.user - normalize: - - array - type: keyword -- description: All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. - name: related.hosts - normalize: - - array - type: keyword -- description: List of keywords used to tag each event. - name: tags - normalize: - - array - type: keyword diff --git a/packages/oracle/1.4.0/data_stream/database_audit/fields/fields.yml b/packages/oracle/1.4.0/data_stream/database_audit/fields/fields.yml deleted file mode 100755 index 8f57baa92f..0000000000 --- a/packages/oracle/1.4.0/data_stream/database_audit/fields/fields.yml +++ /dev/null 
@@ -1,71 +0,0 @@ -- name: oracle.database_audit - type: group - description: > - Integration for parsing Oracle Database audit logs - - fields: - - name: status - type: keyword - description: > - Database Audit Status. - - - name: session_id - type: keyword - description: > - Indicates the audit session ID number. - - - name: client.terminal - type: keyword - description: > - If available, the client terminal type, for example "pty". - - - name: client.address - type: keyword - description: > - The IP Address or Domain used by the client. - - - name: client.user - type: keyword - description: > - The user running the client or connection to the database. - - - name: database.user - type: keyword - description: > - The database user used to authenticate. - - - name: privilege - type: keyword - description: > - The privilege group related to the database user. - - - name: entry.id - type: keyword - description: > - Indicates the current audit entry number, assigned to each audit trail record. The audit entry.id sequence number is shared between fine-grained audit records and regular audit records. - - - name: database.host - type: keyword - description: > - Client host machine name. - - - name: action - type: keyword - description: > - The action performed during the audit event. This could for example be the raw query. - - - name: action_number - type: keyword - description: > - Action is a numeric value representing the action the user performed. The corresponding name of the action type is in the AUDIT_ACTIONS table. For example, action 100 refers to LOGON. - - - name: database.id - type: keyword - description: > - Database identifier calculated when the database is created. It corresponds to the DBID column of the V$DATABASE data dictionary view. - - - name: length - type: long - description: > - Refers to the total number of bytes used in this audit record. This number includes the trailing newline bytes (\n), if any, at the end of the audit record. - 
diff --git a/packages/oracle/1.4.0/data_stream/database_audit/manifest.yml b/packages/oracle/1.4.0/data_stream/database_audit/manifest.yml deleted file mode 100755 index e5c659768f..0000000000 --- a/packages/oracle/1.4.0/data_stream/database_audit/manifest.yml +++ /dev/null @@ -1,41 +0,0 @@ -title: Oracle Audit Log -type: logs -streams: - - input: filestream - template_path: stream.yml.hbs - vars: - - name: paths - type: text - title: Paths - multi: true - required: true - show_user: true - default: - - /home/user/oracleauditlogs/*.aud - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: false - default: - - oracle-database_audit - - name: preserve_original_event - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original` - type: bool - multi: false - required: true - show_user: true - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: > - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. - - title: Oracle Audit Log - description: Collect Oracle audit logs diff --git a/packages/oracle/1.4.0/data_stream/database_audit/sample_event.json b/packages/oracle/1.4.0/data_stream/database_audit/sample_event.json deleted file mode 100755 index f31d24c3a2..0000000000 --- a/packages/oracle/1.4.0/data_stream/database_audit/sample_event.json +++ /dev/null 
@@ -1,109 +0,0 @@ -{ - "@timestamp": "2020-10-07T14:57:51.000Z", - "agent": { - "ephemeral_id": "021be4f6-f6ea-47c5-aa38-62ba8c3f0f3c", - "id": "5940e9e3-013b-43c0-a459-261d69b08862", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "8.0.0" - }, - "client": { - "user": { - "name": "oracle" - } - }, - "data_stream": { - "dataset": "oracle.database_audit", - "namespace": "ep", - "type": "logs" - }, - "ecs": { - "version": "8.3.0" - }, - "elastic_agent": { - "id": "5940e9e3-013b-43c0-a459-261d69b08862", - "snapshot": false, - "version": "8.0.0" - }, - "event": { - "action": "database_audit", - "agent_id_status": "verified", - "category": "database", - "dataset": "oracle.database_audit", - "ingested": "2022-02-24T08:25:06Z", - "kind": "event", - "outcome": "success", - "timezone": "-04:00", - "type": "access" - }, - "host": { - "architecture": "x86_64", - "containerized": true, - "hostname": "docker-fleet-agent", - "ip": [ - "192.168.240.7" - ], - "mac": [ - "02:42:c0:a8:f0:07" - ], - "name": "docker-fleet-agent", - "os": { - "codename": "focal", - "family": "debian", - "kernel": "5.10.60.1-microsoft-standard-WSL2", - "name": "Ubuntu", - "platform": "ubuntu", - "type": "linux", - "version": "20.04.3 LTS (Focal Fossa)" - } - }, - "input": { - "type": "filestream" - }, - "log": { - "file": { - "path": "/tmp/service_logs/ORCLCDB_ora_13765_20201007105751904399925443.aud.log" - }, - "flags": [ - "multiline" - ], - "offset": 882 - }, - "oracle": { - "database_audit": { - "action": "CONNECT", - "action_number": "100", - "client": { - "terminal": "pts/0" - }, - "length": 253, - "session_id": "4294967295", - "status": "0" - } - }, - "process": { - "pid": 13765 - }, - "related": { - "hosts": [ - "testlab.local" - ], - "user": [ - "/", - "oracle" - ] - }, - "server": { - "address": "testlab.local", - "domain": "testlab.local", - "user": { - "name": "/" - } - }, - "tags": [ - "oracle-database_audit" - ], - "user": { - "roles": "SYSDBA" - } -} \ No newline at end 
of file diff --git a/packages/oracle/1.4.0/data_stream/memory/agent/stream/stream.yml.hbs b/packages/oracle/1.4.0/data_stream/memory/agent/stream/stream.yml.hbs deleted file mode 100755 index fce8214842..0000000000 --- a/packages/oracle/1.4.0/data_stream/memory/agent/stream/stream.yml.hbs +++ /dev/null @@ -1,14 +0,0 @@ -metricsets: ["query"] -period: {{period}} -hosts: -{{#each hosts}} - - {{this}} -{{/each}} -raw_data.enabled: true -merge_results: true -driver: "oracle" -sql_queries: - - query: select name, value from V$PGASTAT where name in ('aggregate PGA auto target','global memory bound', 'total PGA allocated', 'total PGA used for auto workareas', 'total PGA inuse', 'maximum PGA allocated', 'total freeable PGA memory', 'cache hit percentage', 'aggregate PGA target parameter') - response_format: variables - - query: select 'sga free memory' as NAME, sum(decode(name,'free memory',bytes)) as VALUE from v$sgastat where pool = 'shared pool' union select 'sga total memory' as NAME, sum(bytes) as VALUE from v$sgastat where pool = 'shared pool' - response_format: variables \ No newline at end of file diff --git a/packages/oracle/1.4.0/data_stream/memory/elasticsearch/ingest_pipeline/default.yml b/packages/oracle/1.4.0/data_stream/memory/elasticsearch/ingest_pipeline/default.yml deleted file mode 100755 index 86747040f6..0000000000 --- a/packages/oracle/1.4.0/data_stream/memory/elasticsearch/ingest_pipeline/default.yml +++ /dev/null 
@@ -1,88 +0,0 @@ ---- -description: Pipeline for processing Oracle Program Global Area and System Global Area metrics -processors: - - remove: - field: sql.driver - ignore_missing: true - ignore_failure: true - - remove: - field: sql.query - ignore_missing: true - ignore_failure: true - - rename: - field: sql - target_field: oracle - ignore_missing: true - ignore_failure: true - - rename: - field: oracle.metrics - target_field: oracle.memory - ignore_missing: true - - foreach: - field: oracle.memory - ignore_missing: true - processor: - gsub: - field: "_ingest._key" - pattern: " " - replacement: "_" - - rename: - field: oracle.memory.cache_hit_percentage - target_field: oracle.memory.pga.cache_hit_pct - ignore_missing: true - ignore_failure: true - - rename: - field: oracle.memory.aggregate_pga_auto_target - target_field: oracle.memory.pga.aggregate_auto_target - ignore_missing: true - ignore_failure: true - - rename: - field: oracle.memory.aggregate_pga_target_parameter - target_field: oracle.memory.pga.aggregate_target_parameter - ignore_missing: true - ignore_failure: true - - rename: - field: oracle.memory.total_pga_allocated - target_field: oracle.memory.pga.total_allocated - ignore_missing: true - ignore_failure: true - - rename: - field: oracle.memory.total_pga_used_for_auto_workareas - target_field: oracle.memory.pga.total_used_for_auto_workareas - ignore_missing: true - ignore_failure: true - - rename: - field: oracle.memory.global_memory_bound - target_field: oracle.memory.pga.global_memory_bound - ignore_missing: true - ignore_failure: true - - rename: - field: oracle.memory.total_pga_inuse - target_field: oracle.memory.pga.total_inuse - ignore_missing: true - ignore_failure: true - - rename: - field: oracle.memory.total_freeable_pga_memory - target_field: oracle.memory.pga.total_freeable_memory - ignore_missing: true - ignore_failure: true - - rename: - field: oracle.memory.maximum_pga_allocated - target_field: oracle.memory.pga.maximum_allocated - 
ignore_missing: true - ignore_failure: true - - rename: - field: oracle.memory.sga_total_memory - target_field: oracle.memory.sga.total_memory - ignore_missing: true - ignore_failure: true - - rename: - field: oracle.memory.sga_free_memory - target_field: oracle.memory.sga.free_memory - ignore_missing: true - ignore_failure: true - -on_failure: -- set: - field: error.message - value: "{{ _ingest.on_failure_message }}" diff --git a/packages/oracle/1.4.0/data_stream/memory/fields/base-fields.yml b/packages/oracle/1.4.0/data_stream/memory/fields/base-fields.yml deleted file mode 100755 index e716a4e002..0000000000 --- a/packages/oracle/1.4.0/data_stream/memory/fields/base-fields.yml +++ /dev/null @@ -1,20 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: '@timestamp' - type: date - description: Event timestamp. -- name: event.module - type: constant_keyword - description: Event module - value: sql -- name: event.dataset - type: constant_keyword - description: Event module - value: oracle.memory diff --git a/packages/oracle/1.4.0/data_stream/memory/fields/ecs.yml b/packages/oracle/1.4.0/data_stream/memory/fields/ecs.yml deleted file mode 100755 index 958b30e712..0000000000 --- a/packages/oracle/1.4.0/data_stream/memory/fields/ecs.yml +++ /dev/null 
@@ -1,21 +0,0 @@ -- description: Host ip addresses. - name: host.ip - normalize: - - array - type: ip -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: |- - Address where data about this service was collected from. - This should be a URI, network address (ipv4:port or [ipv6]:port) or a resource path (sockets). - name: service.address - type: keyword -- description: |- - The type of the service data is collected from. - The type can be used to group and correlate logs and metrics from one service type. - Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. - name: service.type - type: keyword diff --git a/packages/oracle/1.4.0/data_stream/memory/fields/fields.yml b/packages/oracle/1.4.0/data_stream/memory/fields/fields.yml deleted file mode 100755 index 7e27b73c07..0000000000 --- a/packages/oracle/1.4.0/data_stream/memory/fields/fields.yml +++ /dev/null 
@@ -1,65 +0,0 @@ -- name: oracle.memory - type: group - release: beta - fields: - - name: pga - type: group - fields: - - name: total_freeable_memory - type: double - description: Number of bytes of PGA memory in all processes that could be freed back to the operating system. - unit: byte - metric_type: gauge - - name: cache_hit_pct - type: double - description: A metric computed by the Oracle Database to reflect the performance of the PGA memory component, cumulative since instance startup. - unit: percent - metric_type: gauge - - name: maximum_allocated - type: double - description: Maximum number of bytes of PGA memory allocated at one time since instance startup. - unit: byte - metric_type: gauge - - name: total_inuse - type: double - unit: byte - description: Indicates how much PGA memory is currently consumed by work areas. This number can be used to determine how much memory is consumed by other consumers of the PGA memory (for example, PL/SQL or Java). - metric_type: gauge - - name: global_memory_bound - type: double - unit: byte - description: Maximum size of a work area executed in automatic mode. - metric_type: gauge - - name: aggregate_auto_target - type: double - unit: byte - description: Amount of PGA memory the Oracle Database can use for work areas running in automatic mode. - metric_type: gauge - - name: total_allocated - type: double - unit: byte - description: Current amount of PGA memory allocated by the instance. - metric_type: gauge - - name: total_used_for_auto_workareas - type: double - unit: byte - description: Indicates how much PGA memory is currently consumed by work areas running under the automatic memory management mode. This number can be used to determine how much memory is consumed by other consumers of the PGA memory (for example, PL/SQL or Java). 
- metric_type: gauge - - name: aggregate_target_parameter - type: double - unit: byte - metric_type: gauge - description: Current value of the PGA_AGGREGATE_TARGET initialization parameter. If this parameter is not set, then its value is 0 and automatic management of PGA memory is disabled. - - name: sga - type: group - fields: - - name: free_memory - type: double - unit: byte - description: Amount of free memory in the Shared pool. - metric_type: gauge - - name: total_memory - type: double - unit: byte - description: Amount of total memory in the Shared pool. - metric_type: gauge diff --git a/packages/oracle/1.4.0/data_stream/memory/manifest.yml b/packages/oracle/1.4.0/data_stream/memory/manifest.yml deleted file mode 100755 index 3fc4e1f016..0000000000 --- a/packages/oracle/1.4.0/data_stream/memory/manifest.yml +++ /dev/null @@ -1,23 +0,0 @@ -title: "Memory metrics" -type: metrics -release: beta -streams: - - input: sql/metrics - enabled: false - title: Oracle memory metrics - description: Collect memory metrics - vars: - - name: period - type: text - title: Period - default: 60s - multi: false - show_user: true - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: false - default: - - oracle_memory_metrics diff --git a/packages/oracle/1.4.0/data_stream/memory/sample_event.json b/packages/oracle/1.4.0/data_stream/memory/sample_event.json deleted file mode 100755 index 6f85ddd051..0000000000 --- a/packages/oracle/1.4.0/data_stream/memory/sample_event.json +++ /dev/null 
@@ -1,38 +0,0 @@ -{ - "@timestamp": "2022-08-07T04:32:07.853Z", - "oracle": { - "memory": { - "pga": { - "total_inuse": 171153408, - "aggregate_auto_target": 579262464, - "total_allocated": 212888576, - "maximum_allocated": 694778880, - "total_freeable_memory": 14876672, - "global_memory_bound": 104857600, - "aggregate_target_parameter": 805306368, - "total_used_for_auto_workareas": 738304, - "cache_hit_pct": 100 - } - } - }, - "service": { - "address": "0.0.0.0:1521", - "type": "sql" - }, - "data_stream": { - "namespace": "default", - "type": "metrics", - "dataset": "oracle.memory" - }, - "metricset": { - "period": 60000, - "name": "query" - }, - "event": { - "duration": 53225246, - "agent_id_status": "verified", - "ingested": "2022-08-07T04:32:07Z", - "module": "sql", - "dataset": "oracle.memory" - } -} \ No newline at end of file diff --git a/packages/oracle/1.4.0/data_stream/performance/agent/stream/stream.yml.hbs b/packages/oracle/1.4.0/data_stream/performance/agent/stream/stream.yml.hbs deleted file mode 100755 index ca7431242a..0000000000 --- a/packages/oracle/1.4.0/data_stream/performance/agent/stream/stream.yml.hbs +++ /dev/null 
@@ -1,23 +0,0 @@ -metricsets: ["query"] -period: {{period}} -hosts: -{{#each hosts}} - - {{this}} -{{/each}} -raw_data.enabled: true -driver: "oracle" -sql_queries: - - query: SELECT name, physical_reads, db_block_gets, consistent_gets, 1 - (physical_reads / (db_block_gets + consistent_gets)) "Hit_Ratio" FROM V$BUFFER_POOL_STATISTICS - response_format: table - - query: SELECT sum(a.value) total_cur, avg(a.value) avg_cur, max(a.value) max_cur, S.username, s.machine FROM v$sesstat a, v$statname b, v$session s WHERE a.statistic# = b.statistic# AND s.sid = a.sid GROUP BY s.username, s.machine - response_format: table - - query: SELECT total_cursors, current_cursors, sess_cur_cache_hits, parse_count_total, sess_cur_cache_hits / total_cursors as cachehits_totalcursors_ratio , sess_cur_cache_hits - parse_count_total as real_parses FROM ( SELECT sum ( decode ( name, 'opened cursors cumulative', value, 0)) total_cursors, sum ( decode ( name, 'opened cursors current',value,0)) current_cursors, sum ( decode ( name, 'session cursor cache hits',value,0)) sess_cur_cache_hits, sum ( decode ( name, 'parse count (total)',value,0)) parse_count_total FROM v$sysstat WHERE name IN ( 'opened cursors cumulative','opened cursors current','session cursor cache hits', 'parse count (total)' )) - response_format: table - - query: SELECT 'lock_requests' "Ratio" , AVG(gethitratio) FROM V$LIBRARYCACHE UNION SELECT 'pin_requests' "Ratio", AVG(pinhitratio) FROM V$LIBRARYCACHE UNION SELECT 'io_reloads' "Ratio", (SUM(reloads) / SUM(pins)) FROM V$LIBRARYCACHE - response_format: variables - - query: SELECT COUNT(*) as "failed_db_jobs" FROM dba_jobs WHERE NVL(failures, 0) < > 0 - response_format: table - - query: select 'active_session_count' as name, count(s.status) as value from gv$session s, v$process p where p.addr=s.paddr and s.status='ACTIVE' union select 'inactive_session_count' as name, count(s.status) as value from gv$session s, v$process p where p.addr=s.paddr and s.status='INACTIVE' union 
select 'inactive_morethan_onehr' as name, count(s.status) as value from gv$session s, v$process p where p.addr=s.paddr and s.last_call_et > 3600 and s.status='INACTIVE' - response_format: variables - - query: select WAIT_CLASS, TOTAL_WAITS, round(100 * (TOTAL_WAITS / SUM_WAITS),2) PCT_WAITS, ROUND((TIME_WAITED / 100),2) TIME_WAITED_SECS, round(100 * (TIME_WAITED / SUM_TIME),2) PCT_TIME from (select WAIT_CLASS, TOTAL_WAITS, TIME_WAITED from V$SYSTEM_WAIT_CLASS where WAIT_CLASS != 'Idle'), (select sum(TOTAL_WAITS) SUM_WAITS, sum(TIME_WAITED) SUM_TIME from V$SYSTEM_WAIT_CLASS where WAIT_CLASS != 'Idle') order by 5 desc - response_format: table diff --git a/packages/oracle/1.4.0/data_stream/performance/elasticsearch/ingest_pipeline/default.yml b/packages/oracle/1.4.0/data_stream/performance/elasticsearch/ingest_pipeline/default.yml deleted file mode 100755 index 3aa14a77e1..0000000000 --- a/packages/oracle/1.4.0/data_stream/performance/elasticsearch/ingest_pipeline/default.yml +++ /dev/null 
@@ -1,167 +0,0 @@ ---- -description: Pipeline for processing oracle performance -processors: - - remove: - field: sql.driver - ignore_missing: true - ignore_failure: true - - remove: - field: sql.query - ignore_missing: true - ignore_failure: true - - rename: - field: sql - target_field: oracle - ignore_missing: true - ignore_failure: true - - rename: - field: oracle.metrics - target_field: oracle.performance - ignore_missing: true - - rename: - field: oracle.performance.hit_ratio - target_field: oracle.performance.cache.buffer.hit.pct - ignore_missing: true - ignore_failure: true - - rename: - field: oracle.performance.consistent_gets - target_field: oracle.performance.cache.get.consistent - ignore_missing: true - ignore_failure: true - - rename: - field: oracle.performance.db_block_gets - target_field: oracle.performance.cache.get.db_blocks - ignore_missing: true - ignore_failure: true - - rename: - field: oracle.performance.physical_reads - target_field: oracle.performance.cache.physical_reads - ignore_missing: true - ignore_failure: true - - rename: - field: oracle.performance.name - target_field: oracle.performance.buffer_pool - ignore_missing: true - ignore_failure: true - - rename: - field: oracle.performance.avg_cur - target_field: oracle.performance.cursors.avg - ignore_missing: true - ignore_failure: true - - rename: - field: oracle.performance.max_cur - target_field: racle.performance.cursors.max - ignore_missing: true - ignore_failure: true - - rename: - field: oracle.performance.total_cur - target_field: oracle.performance.cursors.total - ignore_missing: true - ignore_failure: true - - rename: - field: oracle.performance.cachehits_totalcursors_ratio - target_field: oracle.performance.cursors.cache_hit.pct - ignore_missing: true - ignore_failure: true - - rename: - field: oracle.performance.current_cursors - target_field: oracle.performance.cursors.opened.current - ignore_missing: true - ignore_failure: true - - rename: - field: 
oracle.performance.total_cursors - target_field: oracle.performance.cursors.opened.total - ignore_missing: true - ignore_failure: true - - rename: - field: oracle.performance.real_parses - target_field: oracle.performance.cursors.parse.real - ignore_missing: true - ignore_failure: true - - rename: - field: oracle.performance.sess_cur_cache_hits - target_field: oracle.performance.cursors.session.cache_hits - ignore_missing: true - ignore_failure: true - - rename: - field: oracle.performance.active_session_count - target_field: oracle.performance.session_count.active - ignore_missing: true - ignore_failure: true - - rename: - field: oracle.performance.inactive_morethan_onehr - target_field: oracle.performance.session_count.inactive_morethan_onehr - ignore_missing: true - ignore_failure: true - - rename: - field: oracle.performance.inactive_session_count - target_field: oracle.performance.session_count.inactive - ignore_missing: true - ignore_failure: true - - rename: - field: oracle.performance.pct_time - target_field: oracle.performance.wait.pct_time - ignore_missing: true - ignore_failure: true - - rename: - field: oracle.performance.pct_waits - target_field: oracle.performance.wait.pct_waits - ignore_missing: true - ignore_failure: true - - rename: - field: oracle.performance.time_waited_secs - target_field: oracle.performance.wait.time_waited_secs - ignore_missing: true - ignore_failure: true - - rename: - field: oracle.performance.total_waits - target_field: oracle.performance.wait.total_waits - ignore_missing: true - ignore_failure: true - - rename: - field: oracle.performance.wait_class - target_field: oracle.performance.wait.wait_class - ignore_missing: true - ignore_failure: true - - foreach: - field: oracle.performance - ignore_missing: true - processor: - gsub: - field: "_ingest._key" - pattern: " " - replacement: "_" - - foreach: - field: oracle.performance - ignore_failure: true - ignore_missing: true - processor: - gsub: - field: "_ingest._key" - 
pattern: "\\(%\\)" - replacement: "pct" - - - foreach: - field: oracle.performance - ignore_missing: true - ignore_failure: true - processor: - gsub: - field: "_ingest._key" - pattern: "%" - replacement: "pct" - - - foreach: - field: oracle.performance - ignore_missing: true - ignore_failure: true - processor: - gsub: - field: "_ingest._key" - pattern: "/" - replacement: "" - -on_failure: -- set: - field: error.message - value: "{{ _ingest.on_failure_message }}" diff --git a/packages/oracle/1.4.0/data_stream/performance/fields/base-fields.yml b/packages/oracle/1.4.0/data_stream/performance/fields/base-fields.yml deleted file mode 100755 index bbe909fc7e..0000000000 --- a/packages/oracle/1.4.0/data_stream/performance/fields/base-fields.yml +++ /dev/null 
@@ -1,36 +0,0 @@ -- description: |- - An overarching type for the data stream. - Currently allowed values are "logs" and "metrics". We expect to also add "traces" and "synthetics" in the near future. - name: data_stream.type - type: constant_keyword -- description: |- - The field can contain anything that makes sense to signify the source of the data. - Examples include `nginx.access`, `prometheus`, `endpoint` etc. For data streams that otherwise fit, but that do not have dataset set we use the value "generic" for the dataset value. `event.dataset` should have the same value as `data_stream.dataset`. - Beyond the Elasticsearch data stream naming criteria noted above, the `dataset` value has additional restrictions: - * Must not contain `-` - * No longer than 100 characters - name: data_stream.dataset - type: constant_keyword -- description: |- - A user defined namespace. Namespaces are useful to allow grouping of data. - Many users already organize their indices this way, and the data stream naming scheme now provides this best practice as a default. Many users will populate this field with `default`. If no value is used, it falls back to `default`. - Beyond the Elasticsearch index naming criteria noted above, `namespace` value has the additional restrictions: - * Must not contain `-` - * No longer than 100 characters - name: data_stream.namespace - type: constant_keyword -- description: |- - Date/time when the event originated. - This is the date/time extracted from the event, typically representing when the event was generated by the source. - If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. - Required field for all events. - name: '@timestamp' - type: date -- description: Event module - name: event.module - type: constant_keyword - value: sql -- description: Event module - name: event.dataset - type: constant_keyword - value: oracle.performance 
diff --git a/packages/oracle/1.4.0/data_stream/performance/fields/ecs.yml b/packages/oracle/1.4.0/data_stream/performance/fields/ecs.yml deleted file mode 100755 index 958b30e712..0000000000 --- a/packages/oracle/1.4.0/data_stream/performance/fields/ecs.yml +++ /dev/null @@ -1,21 +0,0 @@ -- description: Host ip addresses. - name: host.ip - normalize: - - array - type: ip -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: |- - Address where data about this service was collected from. - This should be a URI, network address (ipv4:port or [ipv6]:port) or a resource path (sockets). - name: service.address - type: keyword -- description: |- - The type of the service data is collected from. - The type can be used to group and correlate logs and metrics from one service type. - Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. - name: service.type - type: keyword diff --git a/packages/oracle/1.4.0/data_stream/performance/fields/fields.yml b/packages/oracle/1.4.0/data_stream/performance/fields/fields.yml deleted file mode 100755 index 123573e5a2..0000000000 --- a/packages/oracle/1.4.0/data_stream/performance/fields/fields.yml +++ /dev/null 
@@ -1,164 +0,0 @@ -- name: oracle.performance - type: group - release: beta - fields: - - name: machine - type: keyword - description: | - Operating system machine name. - - name: buffer_pool - type: keyword - description: | - Name of the buffer pool in the instance. - - name: username - type: keyword - description: | - Oracle username - - name: io_reloads - type: double - metric_type: gauge - description: | - Reloads by Pins ratio. A Reload is any PIN of an object that is not the first PIN performed since the object handle was created, and which requires loading the object from disk. Pins are the number of times a PIN was requested for objects of this namespace. - - name: lock_requests - type: double - metric_type: gauge - description: | - Average of the ratio between 'gethits' and 'gets', where 'gethits' the number of times an object's handle was found in memory and 'gets' is the number of times a lock was requested for objects of this namespace. - - name: pin_requests - type: double - metric_type: gauge - description: | - Average of all pinhits/pins ratios, where 'PinHits' is the number of times all of the metadata pieces of the library object were found in memory and 'pins' is the number of times a PIN was requested for objects of this namespace. - - name: failed_db_jobs - type: double - metric_type: gauge - description: | - This metric checks for failed DBMS jobs. - - name: cache - type: group - fields: - - name: physical_reads - type: long - metric_type: gauge - description: | - Physical reads. This metric represents the number of data blocks read from disk per second during a time period. - - name: get - type: group - fields: - - name: db_blocks - type: long - metric_type: gauge - description: | - Database blocks gotten. - - name: consistent - type: long - metric_type: gauge - description: | - Consistent gets statistic. 
- - name: buffer.hit.pct - type: double - metric_type: gauge - unit: percent - description: | - The cache hit ratio of the specified buffer pool. - - name: cursors - type: group - description: Cursors information - fields: - - name: parse - type: group - fields: - - name: real - type: long - metric_type: gauge - description: | - "Real number of parses that occurred: session cursor cache hits - parse count (total)." - - name: total - type: long - metric_type: gauge - description: | - Total number of parse calls (hard and soft). A soft parse is a check on an object already in the shared pool, to verify that the permissions on the underlying object have not changed. - - name: opened - type: group - fields: - - name: current - type: long - metric_type: gauge - description: | - Total number of current open cursors. - - name: total - type: long - metric_type: counter - description: | - Total number of cursors opened since the instance started. - - name: avg - type: double - metric_type: gauge - description: | - Average cursors opened by username and machine. - - name: max - type: double - metric_type: gauge - description: | - Max cursors opened by username and machine. - - name: total - type: double - metric_type: gauge - description: | - Total opened cursors by username and machine. - - name: session.cache_hits - type: double - metric_type: gauge - description: | - Number of hits in the session cursor cache. A hit means that the SQL statement did not have to be reparsed. - - name: parse.real - type: double - metric_type: gauge - description: | - "Real number of parses that occurred: session cursor cache hits - parse count (total)." - - name: cache_hit.pct - type: double - unit: percent - metric_type: gauge - description: | - Ratio of session cursor cache hits from total number of cursors. - - name: session_count - type: group - fields: - - name: active - type: double - metric_type: gauge - description: Total count of sessions. 
- - name: inactive_morethan_onehr - type: double - metric_type: gauge - description: Total inactive sessions more than one hour. - - name: inactive - type: double - metric_type: gauge - description: Total count of Inactive sessions. - - name: wait - type: group - fields: - - name: pct_time - type: double - unit: percent - metric_type: gauge - description: Percentage of time waits that are not Idle wait class. - - name: pct_waits - type: double - unit: percent - metric_type: gauge - description: Percentage of number of pct time waits that are not of Idle wait class. - - name: time_waited_secs - type: double - metric_type: gauge - unit: s - description: Amount of time spent in the wait class by the session. - - name: total_waits - type: double - metric_type: counter - description: Number of times waits of the class occurred for the session. - - name: wait_class - type: keyword - description: Every wait event belongs to a class of wait event. Wait classes can be one of the following - Administrative, Application, Cluster, Commit, Concurrency, Configuration, Idle, Network, Other, Scheduler, System IO, User IO diff --git a/packages/oracle/1.4.0/data_stream/performance/manifest.yml b/packages/oracle/1.4.0/data_stream/performance/manifest.yml deleted file mode 100755 index 8c72706a17..0000000000 --- a/packages/oracle/1.4.0/data_stream/performance/manifest.yml +++ /dev/null @@ -1,24 +0,0 @@ -title: "Oracle performance metrics" -type: metrics -release: beta -streams: - - input: sql/metrics - enabled: false - title: Oracle database performance metrics - description: Collect Oracle database performance metrics - vars: - - name: period - type: text - title: Period - multi: false - required: true - show_user: true - default: 60s - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: false - default: - - oracle_performance 
diff --git a/packages/oracle/1.4.0/data_stream/performance/sample_event.json b/packages/oracle/1.4.0/data_stream/performance/sample_event.json deleted file mode 100755 index a734052702..0000000000 --- a/packages/oracle/1.4.0/data_stream/performance/sample_event.json +++ /dev/null @@ -1,39 +0,0 @@ -{ - "@timestamp": "2017-10-12T08:05:34.853Z", - "event": { - "dataset": "oracle.performance", - "duration": 115000, - "module": "sql" - }, - "metricset": { - "name": "query", - "period": 60000 - }, - "oracle": { - "performance": { - "cursors": { - "opened": { - "current": 7, - "total": 6225 - }, - "parse": { - "real": 1336, - "total": 3684 - }, - "session": { - "cache_hits": 5020 - }, - "cache_hit": { - "pct": 0.8064257028112449 - } - }, - "io_reloads": 0.0013963503027202182, - "lock_requests": 0.5725039956419224, - "pin_requests": 0.7780581056654354 - } - }, - "service": { - "address": "oracle://localhost:1521/ORCLCDB.localdomain", - "type": "sql" - } -} \ No newline at end of file diff --git a/packages/oracle/1.4.0/data_stream/sysmetric/agent/stream/stream.yml.hbs b/packages/oracle/1.4.0/data_stream/sysmetric/agent/stream/stream.yml.hbs deleted file mode 100755 index e7e3200417..0000000000 --- a/packages/oracle/1.4.0/data_stream/sysmetric/agent/stream/stream.yml.hbs +++ /dev/null @@ -1,12 +0,0 @@ -metricsets: ["query"] -period: {{period}} -hosts: -{{#each hosts}} - - {{this}} -{{/each}} -raw_data.enabled: true -dynamic_metric_name_filter: "{{dynamic_metric_name_filter}}" -driver: "oracle" -sql_queries: - - query: SELECT METRIC_NAME, VALUE FROM V$SYSMETRIC WHERE GROUP_ID = 2 and METRIC_NAME LIKE '{{dynamic_metric_name_filter}}' - response_format: variables \ No newline at end of file diff --git a/packages/oracle/1.4.0/data_stream/sysmetric/elasticsearch/ingest_pipeline/default.yml b/packages/oracle/1.4.0/data_stream/sysmetric/elasticsearch/ingest_pipeline/default.yml deleted file mode 100755 index b208594792..0000000000 
--- a/packages/oracle/1.4.0/data_stream/sysmetric/elasticsearch/ingest_pipeline/default.yml +++ /dev/null @@ -1,62 +0,0 @@ ---- -description: Pipeline for processing oracle sysmetrics data -processors: - - remove: - field: sql.driver - ignore_missing: true - ignore_failure: true - - remove: - field: sql.query - ignore_missing: true - ignore_failure: true - - rename: - field: sql - target_field: oracle - ignore_missing: true - ignore_failure: true - - rename: - field: oracle.metrics - target_field: "oracle.sysmetric" - ignore_failure: true - ignore_missing: true - - foreach: - field: oracle.sysmetric - ignore_missing: true - processor: - gsub: - field: "_ingest._key" - pattern: " " - replacement: "_" - - foreach: - field: oracle.sysmetric - ignore_failure: true - ignore_missing: true - processor: - gsub: - field: "_ingest._key" - pattern: "\\(%\\)" - replacement: "pct" - - - foreach: - field: oracle.sysmetric - ignore_missing: true - ignore_failure: true - processor: - gsub: - field: "_ingest._key" - pattern: "%" - replacement: "pct" - - - foreach: - field: oracle.sysmetric - ignore_missing: true - ignore_failure: true - processor: - gsub: - field: "_ingest._key" - pattern: "/" - replacement: "" -on_failure: -- set: - field: error.message - value: "{{ _ingest.on_failure_message }}" diff --git a/packages/oracle/1.4.0/data_stream/sysmetric/fields/base-fields.yml b/packages/oracle/1.4.0/data_stream/sysmetric/fields/base-fields.yml deleted file mode 100755 index 57593eecb4..0000000000 --- a/packages/oracle/1.4.0/data_stream/sysmetric/fields/base-fields.yml +++ /dev/null 
@@ -1,36 +0,0 @@ -- description: |- - An overarching type for the data stream. - Currently allowed values are "logs" and "metrics". We expect to also add "traces" and "synthetics" in the near future. - name: data_stream.type - type: constant_keyword -- description: |- - The field can contain anything that makes sense to signify the source of the data. - Examples include `nginx.access`, `prometheus`, `endpoint` etc. For data streams that otherwise fit, but that do not have dataset set we use the value "generic" for the dataset value. `event.dataset` should have the same value as `data_stream.dataset`. - Beyond the Elasticsearch data stream naming criteria noted above, the `dataset` value has additional restrictions: - * Must not contain `-` - * No longer than 100 characters - name: data_stream.dataset - type: constant_keyword -- description: |- - A user defined namespace. Namespaces are useful to allow grouping of data. - Many users already organize their indices this way, and the data stream naming scheme now provides this best practice as a default. Many users will populate this field with `default`. If no value is used, it falls back to `default`. - Beyond the Elasticsearch index naming criteria noted above, `namespace` value has the additional restrictions: - * Must not contain `-` - * No longer than 100 characters - name: data_stream.namespace - type: constant_keyword -- description: |- - Date/time when the event originated. - This is the date/time extracted from the event, typically representing when the event was generated by the source. - If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. - Required field for all events. - name: '@timestamp' - type: date -- description: Event module - name: event.module - type: constant_keyword - value: sql -- description: Event module - name: event.dataset - type: constant_keyword - value: oracle.sysmetric 
diff --git a/packages/oracle/1.4.0/data_stream/sysmetric/fields/ecs.yml b/packages/oracle/1.4.0/data_stream/sysmetric/fields/ecs.yml deleted file mode 100755 index 958b30e712..0000000000 --- a/packages/oracle/1.4.0/data_stream/sysmetric/fields/ecs.yml +++ /dev/null @@ -1,21 +0,0 @@ -- description: Host ip addresses. - name: host.ip - normalize: - - array - type: ip -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: |- - Address where data about this service was collected from. - This should be a URI, network address (ipv4:port or [ipv6]:port) or a resource path (sockets). - name: service.address - type: keyword -- description: |- - The type of the service data is collected from. - The type can be used to group and correlate logs and metrics from one service type. - Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. - name: service.type - type: keyword diff --git a/packages/oracle/1.4.0/data_stream/sysmetric/fields/fields.yml b/packages/oracle/1.4.0/data_stream/sysmetric/fields/fields.yml deleted file mode 100755 index e6bed58954..0000000000 --- a/packages/oracle/1.4.0/data_stream/sysmetric/fields/fields.yml +++ /dev/null 
@@ -1,819 +0,0 @@ -- name: oracle.sysmetric - type: group - release: beta - fields: - - name: long_table_scans_per_sec - type: double - metric_type: gauge - description: | - Long table scans per second. - - name: physical_reads_per_txn - type: double - metric_type: gauge - description: | - Physical reads per transaction. - - name: global_cache_blocks_corrupted - type: double - metric_type: gauge - description: | - Global cache blocks corrupted. - - name: branch_node_splits_per_txn - type: double - metric_type: gauge - description: | - Branch node splits per transaction. - - name: cpu_usage_per_txn - type: double - metric_type: gauge - description: | - CPU usage per transaction. - - name: pq_qc_session_count - type: double - metric_type: gauge - description: | - Pq qc session count. - - name: background_checkpoints_per_sec - type: double - metric_type: gauge - description: | - Background checkpoints per second. - - name: replayed_user_calls - type: double - metric_type: gauge - description: | - Replayed user calls - - name: physical_write_total_io_requests_per_sec - type: double - metric_type: gauge - description: | - Physical write total io requests per second. - - name: total_index_scans_per_sec - type: double - metric_type: gauge - description: | - Total index scans per second. - - name: executions_per_txn - type: double - metric_type: gauge - description: | - Executions per transaction. - - name: user_rollbacks_per_sec - type: double - metric_type: gauge - description: | - User rollbacks per second. - - name: pq_slave_session_count - type: double - metric_type: gauge - description: | - Pq slave session count. - - name: physical_reads_per_sec - type: double - metric_type: gauge - description: | - Physical reads per second. - - name: disk_sort_per_txn - type: double - metric_type: gauge - description: | - Disk sort per transaction. - - name: user_transaction_per_sec - type: double - metric_type: gauge - description: | - User transaction per second. 
- - name: user_rollback_undo_records_applied_per_txn - type: double - metric_type: gauge - description: | - User rollback undo records applied per transaction. - - name: px_operations_not_downgraded_per_sec - type: double - metric_type: gauge - description: | - Px operations not downgraded per second. - - name: vm_in_bytes_per_sec - type: double - metric_type: gauge - description: | - Vm in bytes per sec - - name: session_limit_pct - unit: percent - type: double - metric_type: gauge - description: | - "Session limit percentage." - - name: enqueue_waits_per_txn - type: double - metric_type: gauge - description: | - Enqueue waits per transaction. - - name: total_table_scans_per_user_call - type: double - metric_type: gauge - description: | - Total table scans per user call. - - name: logical_reads_per_sec - type: double - metric_type: gauge - description: | - Logical reads per sec. - - name: dbwr_checkpoints_per_sec - type: double - metric_type: gauge - description: | - Dbwr checkpoints per sec. - - name: physical_reads_direct_per_txn - type: double - metric_type: gauge - description: | - Physical reads direct per transaction. - - name: cpu_usage_per_sec - type: double - metric_type: gauge - description: | - CPU usage per second. - - name: total_parse_count_per_sec - type: double - metric_type: gauge - description: | - Total parse count per sec - - name: px_downgraded_50_to_75pct_per_sec - unit: percent - type: double - metric_type: gauge - description: | - Px downgraded 50 to 75 percentage per second. - - name: total_index_scans_per_txn - type: double - metric_type: gauge - description: | - Total index scans per transaction. - - name: cell_physical_io_interconnect_bytes - type: double - metric_type: gauge - description: | - Cell physical io interconnect bytes. - - name: physical_writes_direct_per_sec - type: double - metric_type: gauge - description: | - Physical writes direct per second. 
- - name: consistent_read_changes_per_txn - type: double - metric_type: gauge - description: | - Consistent read changes per transaction. - - name: response_time_per_txn - type: double - metric_type: gauge - description: | - Response time per transaction. - - name: long_table_scans_per_txn - type: double - metric_type: gauge - description: | - Long table scans per transaction. - - name: parse_failure_count_per_txn - type: double - metric_type: gauge - description: | - Parse failure count per transaction. - - name: redo_allocation_hit_ratio - type: double - metric_type: gauge - description: | - Redo allocation hit ratio. - - name: total_pga_allocated - type: double - metric_type: gauge - description: | - Total pga allocated. - - name: logical_reads_per_user_call - type: double - metric_type: gauge - description: | - Logical reads per user call. - - name: redo_writes_per_sec - type: double - metric_type: gauge - description: | - Redo writes per second. - - name: db_block_changes_per_txn - type: double - metric_type: gauge - description: | - Db block changes per transaction. - - name: redo_writes_per_txn - type: double - metric_type: gauge - description: | - Redo writes per transaction. - - name: executions_per_sec - type: double - metric_type: gauge - description: | - Executions per second. - - name: rows_per_sort - type: double - metric_type: gauge - description: | - Rows per sort. - - name: physical_reads_direct_per_sec - type: double - metric_type: gauge - description: | - Physical reads direct per second. - - name: physical_writes_direct_per_txn - type: double - metric_type: gauge - description: | - Physical writes direct per transaction. - - name: vm_out_bytes_per_sec - type: double - metric_type: gauge - description: | - Vm out bytes per second. - - name: pga_cache_hit_pct - unit: percent - type: double - metric_type: gauge - description: | - Pga cache hit percentage. 
- - name: recursive_calls_per_sec - type: double - metric_type: gauge - description: | - Recursive calls per second. - - name: average_active_sessions - type: double - metric_type: gauge - description: | - Average active sessions. - - name: leaf_node_splits_per_sec - type: double - metric_type: gauge - description: | - Leaf node splits per second. - - name: user_commits_percentage - type: double - metric_type: gauge - description: | - User commits percentage. - - name: total_table_scans_per_sec - type: double - metric_type: gauge - description: | - Total table scans per second. - - name: streams_pool_usage_percentage - type: double - metric_type: gauge - description: | - Streams pool usage percentage. - - name: consistent_read_gets_per_sec - type: double - metric_type: gauge - description: | - Consistent read gets per second. - - name: enqueue_timeouts_per_sec - type: double - metric_type: gauge - description: | - Enqueue timeouts per second. - - name: physical_read_total_bytes_per_sec - type: double - metric_type: gauge - description: | - Physical read total bytes per second. - - name: consistent_read_changes_per_sec - type: double - metric_type: gauge - description: | - Consistent read changes per second. - - name: physical_writes_per_sec - type: double - metric_type: gauge - description: | - Physical writes per second. - - name: average_synchronous_single-block_read_latency - type: double - metric_type: gauge - description: | - Average synchronous single-block read latency. - - name: physical_read_io_requests_per_sec - type: double - metric_type: gauge - description: | - Physical read io requests per second. - - name: db_block_changes_per_sec - type: double - metric_type: gauge - description: | - Db block changes per second. - - name: current_os_load - type: double - metric_type: gauge - description: | - Current os load - - name: user_calls_per_sec - type: double - metric_type: gauge - description: | - User calls per second. 
- - name: leaf_node_splits_per_txn - type: double - metric_type: gauge - description: | - Leaf node splits per transaction. - - name: host_cpu_utilization_pct - unit: percent - type: double - metric_type: gauge - description: | - Host CPU utilization percentage. - - name: total_parse_count_per_txn - type: double - metric_type: gauge - description: | - Total parse count per transaction. - - name: run_queue_per_sec - type: double - metric_type: gauge - description: | - Run queue per second. - - name: total_sorts_per_user_call - type: double - metric_type: gauge - description: | - Total sorts per user call. - - name: cursor_cache_hit_ratio - type: double - metric_type: gauge - description: | - Cursor cache hit ratio. - - name: enqueue_waits_per_sec - type: double - metric_type: gauge - description: | - Enqueue waits per second. - - name: branch_node_splits_per_sec - type: double - metric_type: gauge - description: | - Branch node splits per second. - - name: cr_undo_records_applied_per_txn - type: double - metric_type: gauge - description: | - Cr undo records applied per transaction. - - name: consistent_read_gets_per_txn - type: double - metric_type: gauge - description: | - Consistent read gets per transaction. - - name: soft_parse_ratio - type: double - metric_type: gauge - description: | - Soft parse ratio. - - name: database_time_per_sec - type: double - metric_type: gauge - description: | - Database time per second. - - name: physical_read_bytes_per_sec - type: double - metric_type: gauge - description: | - Physical read bytes per second. - - name: current_logons_count - type: double - metric_type: gauge - description: | - Current logons count. - - name: total_table_scans_per_txn - type: double - metric_type: gauge - description: | - Total table scans per transaction. - - name: txns_per_logon - type: double - metric_type: gauge - description: | - transactions per logon. 
- - name: user_rollback_undorec_applied_per_sec - type: double - metric_type: gauge - description: | - User rollback undorec applied per second. - - name: physical_writes_per_txn - type: double - metric_type: gauge - description: | - Physical writes per transaction. - - name: cr_undo_records_applied_per_sec - type: double - metric_type: gauge - description: | - Cr undo records applied per second. - - name: gc_cr_block_received_per_second - type: double - metric_type: gauge - description: | - Gc cr block received per second. - - name: recursive_calls_per_txn - type: double - metric_type: gauge - description: | - Recursive calls per transaction. - - name: px_downgraded_1_to_25pct_per_sec - unit: percent - type: double - metric_type: gauge - description: | - Px downgraded 1 to 25 percentage per second. - - name: workload_capture_and_replay_status - type: double - metric_type: gauge - description: | - Workload capture and replay status. - - name: cr_blocks_created_per_txn - type: double - metric_type: gauge - description: | - Cr blocks created per transaction. - - name: physical_write_bytes_per_sec - type: double - metric_type: gauge - description: | - Physical write bytes per second. - - name: physical_reads_direct_lobs_per_txn - type: double - metric_type: gauge - description: | - Physical reads direct lobs per transaction. - - name: physical_write_total_bytes_per_sec - type: double - metric_type: gauge - description: | - Physical write total bytes per second. - - name: physical_write_io_requests_per_sec - type: double - metric_type: gauge - description: | - Physical write io requests per second. - - name: session_count - type: double - metric_type: gauge - description: | - Session count. - - name: logons_per_txn - type: double - metric_type: gauge - description: | - Logons per transaction. - - name: queries_parallelized_per_sec - type: double - metric_type: gauge - description: | - Queries parallelized per second. 
- - name: background_time_per_sec - type: double - metric_type: gauge - description: | - Background time per second. - - name: global_cache_average_cr_get_time - type: double - metric_type: gauge - description: | - Global cache average cr get time. - - name: user_rollbacks_percentage - type: double - metric_type: gauge - description: | - User rollbacks percentage. - - name: enqueue_requests_per_sec - type: double - metric_type: gauge - description: | - Enqueue requests per second. - - name: enqueue_deadlocks_per_txn - type: double - metric_type: gauge - description: | - Enqueue deadlocks per transaction. - - name: library_cache_hit_ratio - type: double - metric_type: gauge - description: | - Library cache hit ratio. - - name: enqueue_timeouts_per_txn - type: double - metric_type: gauge - description: | - Enqueue timeouts per transaction. - - name: cr_blocks_created_per_sec - type: double - metric_type: gauge - description: | - Cr blocks created per second. - - name: physical_reads_direct_lobs_per_sec - type: double - metric_type: gauge - description: | - Physical reads direct lobs per second. - - name: px_downgraded_75_to_99pct_per_sec - unit: percent - type: double - metric_type: gauge - description: | - Px downgraded 75 to 99 percentage per second. - - name: global_cache_blocks_lost - type: double - metric_type: gauge - description: | - Global cache blocks lost. - - name: user_limit_pct - unit: percent - type: double - metric_type: gauge - description: | - User limit percentage. - - name: process_limit_pct - unit: percent - type: double - metric_type: gauge - description: | - Process limit percentage. 
- - name: user_calls_per_txn - type: double - metric_type: gauge - description: | - User calls per transaction - - name: physical_writes_direct_lobs_per_sec - type: double - metric_type: gauge - description: | - Physical writes direct lobs per sec - - name: open_cursors_per_sec - type: double - metric_type: gauge - description: | - Open cursors per sec - - name: physical_writes_direct_lobs__per_txn - type: double - metric_type: gauge - description: | - Physical writes direct lobs per transaction - - name: total_pga_used_by_sql_workareas - type: double - metric_type: gauge - description: | - Total pga used by sql workareas - - name: px_downgraded_25_to_50pct_per_sec - unit: percent - type: double - metric_type: gauge - description: | - Px downgraded 25 to 50 percentage per sec - - name: user_commits_per_sec - type: double - metric_type: gauge - description: | - User commits per sec - - name: enqueue_deadlocks_per_sec - type: double - metric_type: gauge - description: | - Enqueue deadlocks per sec - - name: enqueue_requests_per_txn - type: double - metric_type: gauge - description: | - Enqueue requests per transaction - - name: background_cpu_usage_per_sec - type: double - metric_type: gauge - description: | - Background CPU usage per sec - - name: physical_read_total_io_requests_per_sec - type: double - metric_type: gauge - description: | - Physical read total io requests per sec - - name: logons_per_sec - type: double - metric_type: gauge - description: | - Logons per sec - - name: redo_generated_per_txn - type: double - metric_type: gauge - description: | - Redo generated per transaction - - name: db_block_gets_per_txn - type: double - metric_type: gauge - description: | - Db block gets per transaction - - name: execute_without_parse_ratio - type: double - metric_type: gauge - description: | - Execute without parse ratio - - name: temp_space_used - type: double - metric_type: gauge - description: | - Temp space used - - name: sql_service_response_time - type: 
double - metric_type: gauge - description: | - Sql service response time - - name: parse_failure_count_per_sec - type: double - metric_type: gauge - description: | - Parse failure count per sec - - name: user_calls_ratio - type: double - metric_type: gauge - description: | - User calls ratio - - name: active_parallel_sessions - type: double - metric_type: gauge - description: | - Active parallel sessions - - name: io_megabytes_per_second - type: double - metric_type: gauge - description: | - IO megabytes per second - - name: database_cpu_time_ratio - type: double - metric_type: gauge - description: | - Database CPU time ratio - - name: dml_statements_parallelized_per_sec - type: double - metric_type: gauge - description: | - Dml statements parallelized per sec - - name: ddl_statements_parallelized_per_sec - type: double - metric_type: gauge - description: | - Ddl statements parallelized per sec - - name: current_open_cursors_count - type: double - metric_type: gauge - description: | - Current open cursors count - - name: open_cursors_per_txn - type: double - metric_type: gauge - description: | - Open cursors per transaction - - name: global_cache_average_current_get_time - type: double - metric_type: gauge - description: | - Global cache average current get time - - name: hard_parse_count_per_sec - type: double - metric_type: gauge - description: | - Hard parse count per sec - - name: buffer_cache_hit_ratio - type: double - metric_type: gauge - description: | - Buffer cache hit ratio - - name: gc_current_block_received_per_txn - type: double - metric_type: gauge - description: | - Gc current block received per transaction - - name: db_block_gets_per_sec - type: double - metric_type: gauge - description: | - Db block gets per sec - - name: executions_per_user_call - type: double - metric_type: gauge - description: | - Executions per user call - - name: row_cache_hit_ratio - type: double - metric_type: gauge - description: | - Row cache hit ratio. 
- - name: gc_cr_block_received_per_txn - type: double - metric_type: gauge - description: | - Gc cr block received per transaction. - - name: hard_parse_count_per_txn - type: double - metric_type: gauge - description: | - Hard parse count per transaction. - - name: host_cpu_usage_per_sec - type: double - metric_type: gauge - description: | - Host CPU usage per sec. - - name: db_block_changes_per_user_call - type: double - metric_type: gauge - description: | - Db block changes per user call. - - name: row_cache_miss_ratio - type: double - metric_type: gauge - description: | - Row cache miss ratio. - - name: network_traffic_volume_per_sec - type: double - metric_type: gauge - description: | - Network traffic volume per second. - - name: database_wait_time_ratio - type: double - metric_type: gauge - description: | - Database wait time ratio. - - name: logical_reads_per_txn - type: double - metric_type: gauge - description: | - Logical reads per transaction. - - name: db_block_gets_per_user_call - type: double - metric_type: gauge - description: | - Db block gets per user call. - - name: library_cache_miss_ratio - type: double - metric_type: gauge - description: | - Library cache miss ratio. - - name: full_index_scans_per_txn - type: double - metric_type: gauge - description: | - Full index scans per transaction. - - name: px_downgraded_to_serial_per_sec - type: double - metric_type: gauge - description: | - Px downgraded to serial per sec. - - name: redo_generated_per_sec - type: double - metric_type: gauge - description: | - Redo generated per second. - - name: active_serial_sessions - type: double - metric_type: gauge - description: | - Active serial sessions. - - name: full_index_scans_per_sec - type: double - metric_type: gauge - description: | - Full index scans per second. - - name: captured_user_calls - type: double - metric_type: gauge - description: | - Captured user calls. 
- - name: memory_sorts_ratio - type: double - metric_type: gauge - description: | - Memory sorts ratio. - - name: io_requests_per_second - type: double - metric_type: gauge - description: | - IO requests per second - - name: gc_current_block_received_per_second - type: double - metric_type: gauge - description: | - Gc current block received per second. - - name: disk_sort_per_sec - type: double - metric_type: gauge - description: | - Disk sort per second. - - name: shared_pool_free_pct - unit: percent - type: double - metric_type: gauge - description: |- - Shared pool free percentage. diff --git a/packages/oracle/1.4.0/data_stream/sysmetric/manifest.yml b/packages/oracle/1.4.0/data_stream/sysmetric/manifest.yml deleted file mode 100755 index b00f93e3d4..0000000000 --- a/packages/oracle/1.4.0/data_stream/sysmetric/manifest.yml +++ /dev/null @@ -1,32 +0,0 @@ -title: "Sysmetric related metrics." -type: metrics -release: beta -streams: - - input: sql/metrics - enabled: false - title: Oracle sysmetrics metrics data - description: Collect sysmetrics data of Oracle database - vars: - - name: period - type: text - title: Period - default: 60s - multi: false - required: true - show_user: true - - name: dynamic_metric_name_filter - type: text - title: Metric Name Filter - multi: false - required: false - show_user: true - default: "%" - description: Filter values returned by applying filter on METRIC_NAME of V$SYSMETRIC - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: false - default: - - oracle_sysmetrics diff --git a/packages/oracle/1.4.0/data_stream/sysmetric/sample_event.json b/packages/oracle/1.4.0/data_stream/sysmetric/sample_event.json deleted file mode 100755 index dacf1b44f5..0000000000 --- a/packages/oracle/1.4.0/data_stream/sysmetric/sample_event.json +++ /dev/null 
@@ -1,181 +0,0 @@ -{ - "@timestamp": "2022-05-27T02:18:55.112Z", - "event": { - "dataset": "oracle.sysmetric", - "module": "sql", - "duration": 408974115 - }, - "metricset": { - "name": "query", - "period": 60000 - }, - "oracle": { - "sysmetric": { - "row_cache_hit_ratio": 100, - "current_open_cursors_count": 28, - "total_pga_allocated": 194334720, - "px_downgraded_75_to_99pct_per_sec": 0, - "enqueue_deadlocks_per_txn": 0, - "db_block_gets_per_sec": 1.83501683501684, - "cr_blocks_created_per_txn": 0, - "logical_reads_per_user_call": 5.44347826086956, - "response_time_per_txn": 20.0772, - "recursive_calls_per_sec": 21.9191919191919, - "db_block_gets_per_txn": 54.5, - "long_table_scans_per_txn": 0, - "total_parse_count_per_txn": 54, - "db_block_changes_per_user_call": 0.947826086956522, - "px_downgraded_to_serial_per_sec": 0, - "cell_physical_io_interconnect_bytes": 4483072, - "physical_writes_direct_per_sec": 0, - "current_os_load": 1.6591796875, - "user_rollback_undo_records_applied_per_txn": 0, - "db_block_changes_per_txn": 54.5, - "disk_sort_per_sec": 0, - "cr_undo_records_applied_per_txn": 0, - "process_limit_pct": 27.3333333333333, - "cpu_usage_per_sec": 0.77420202020202, - "active_parallel_sessions": 0, - "long_table_scans_per_sec": 0, - "database_time_per_sec": 0.676, - "physical_read_total_io_requests_per_sec": 3.75420875420875, - "cr_undo_records_applied_per_sec": 0, - "gc_cr_block_received_per_txn": 0, - "active_serial_sessions": 1, - "pq_slave_session_count": 0, - "physical_writes_direct_per_txn": 0, - "session_count": 66, - "dbwr_checkpoints_per_sec": 0, - "db_block_changes_per_sec": 1.83501683501684, - "cpu_usage_per_txn": 22.9938, - "vm_out_bytes_per_sec": 0, - "parse_failure_count_per_sec": 0, - "gc_cr_block_received_per_second": 0, - "rows_per_sort": 2.27027027027027, - "physical_read_bytes_per_sec": 0, - "physical_writes_direct_lobs_per_sec": 0, - "consistent_read_changes_per_txn": 2, - "global_cache_blocks_lost": 0, - 
"average_synchronous_single-block_read_latency": 0.0280373831775701, - "physical_read_io_requests_per_sec": 0, - "background_checkpoints_per_sec": 0, - "enqueue_requests_per_txn": 6353.5, - "global_cache_blocks_corrupted": 0, - "user_transaction_per_sec": 0.0336700336700337, - "logical_reads_per_sec": 10.5387205387205, - "background_time_per_sec": 0.0137291582491582, - "total_pga_used_by_sql_workareas": 0, - "branch_node_splits_per_sec": 0, - "px_downgraded_50_to_75pct_per_sec": 0, - "user_rollback_undorec_applied_per_sec": 0, - "consistent_read_gets_per_sec": 8.7037037037037, - "consistent_read_changes_per_sec": 0.0673400673400673, - "leaf_node_splits_per_txn": 0, - "total_sorts_per_user_call": 0.321739130434783, - "enqueue_requests_per_sec": 213.922558922559, - "gc_current_block_received_per_txn": 0, - "physical_reads_direct_per_sec": 0, - "px_downgraded_1_to_25pct_per_sec": 0, - "redo_allocation_hit_ratio": 100, - "enqueue_deadlocks_per_sec": 0, - "shared_pool_free_pct": 11.3199416627275, - "row_cache_miss_ratio": 0, - "database_cpu_time_ratio": 114.526926065388, - "physical_write_io_requests_per_sec": 0.336700336700337, - "redo_generated_per_txn": 11194, - "enqueue_timeouts_per_sec": 0, - "logical_reads_per_txn": 313, - "average_active_sessions": 0.00676, - "leaf_node_splits_per_sec": 0, - "cursor_cache_hit_ratio": 153.703703703704, - "physical_reads_direct_per_txn": 0, - "branch_node_splits_per_txn": 0, - "executions_per_user_call": 2.22608695652174, - "px_operations_not_downgraded_per_sec": 0.0673400673400673, - "workload_capture_and_replay_status": 0, - "user_calls_per_sec": 1.93602693602694, - "physical_read_total_bytes_per_sec": 57121.6161616162, - "run_queue_per_sec": 0, - "open_cursors_per_txn": 126, - "physical_writes_per_txn": 10, - "global_cache_average_cr_get_time": 0, - "global_cache_average_current_get_time": 0, - "gc_current_block_received_per_second": 0, - "px_downgraded_25_to_50pct_per_sec": 0, - "user_limit_pct": 0.00000109430402542797, - 
"user_calls_ratio": 8.11573747353564, - "current_logons_count": 47, - "library_cache_miss_ratio": 0, - "physical_writes_direct_lobs__per_txn": 0, - "queries_parallelized_per_sec": 0, - "total_table_scans_per_sec": 0.303030303030303, - "physical_write_total_bytes_per_sec": 18350.9764309764, - "io_megabytes_per_second": 0.0841750841750842, - "execute_without_parse_ratio": 57.8125, - "hard_parse_count_per_sec": 0, - "user_commits_percentage": 100, - "redo_generated_per_sec": 376.902356902357, - "enqueue_timeouts_per_txn": 0, - "captured_user_calls": 0, - "physical_reads_direct_lobs_per_txn": 0, - "session_limit_pct": 13.9830508474576, - "pq_qc_session_count": 0, - "host_cpu_usage_per_sec": 92.3905723905724, - "physical_reads_direct_lobs_per_sec": 0, - "parse_failure_count_per_txn": 0, - "open_cursors_per_sec": 4.24242424242424, - "user_rollbacks_per_sec": 0, - "full_index_scans_per_sec": 0, - "physical_writes_per_sec": 0.336700336700337, - "physical_write_bytes_per_sec": 2758.24915824916, - "memory_sorts_ratio": 100, - "streams_pool_usage_percentage": 0, - "user_rollbacks_percentage": 0, - "consistent_read_gets_per_txn": 258.5, - "user_commits_per_sec": 0.0336700336700337, - "background_cpu_usage_per_sec": 0.626880471380471, - "database_wait_time_ratio": 0, - "user_calls_per_txn": 57.5, - "hard_parse_count_per_txn": 0, - "total_table_scans_per_txn": 9, - "ddl_statements_parallelized_per_sec": 0, - "temp_space_used": 0, - "enqueue_waits_per_txn": 2, - "io_requests_per_second": 5.23569023569024, - "library_cache_hit_ratio": 100, - "logons_per_sec": 0.420875420875421, - "full_index_scans_per_txn": 0, - "txns_per_logon": 0.08, - "pga_cache_hit_pct": 100, - "physical_reads_per_txn": 0, - "host_cpu_utilization_pct": 11.6182572614108, - "sql_service_response_time": 0.0283376146788991, - "db_block_gets_per_user_call": 0.947826086956522, - "physical_reads_per_sec": 0, - "soft_parse_ratio": 100, - "total_index_scans_per_sec": 3.06397306397306, - "executions_per_txn": 128, - 
"disk_sort_per_txn": 0, - "logons_per_txn": 12.5, - "enqueue_waits_per_sec": 0.0673400673400673, - "physical_write_total_io_requests_per_sec": 1.48148148148148, - "replayed_user_calls": 0, - "dml_statements_parallelized_per_sec": 0, - "cr_blocks_created_per_sec": 0, - "total_table_scans_per_user_call": 0.156521739130435, - "buffer_cache_hit_ratio": 100, - "vm_in_bytes_per_sec": 0, - "redo_writes_per_txn": 5.5, - "network_traffic_volume_per_sec": 522.289562289562, - "executions_per_sec": 4.30976430976431, - "total_index_scans_per_txn": 91, - "redo_writes_per_sec": 0.185185185185185, - "recursive_calls_per_txn": 651, - "total_parse_count_per_sec": 1.81818181818182 - } - }, - "service": { - "address": "oracle://localhost:1521/ORCLCDB.localdomain", - "type": "sql" - } -} \ No newline at end of file diff --git a/packages/oracle/1.4.0/data_stream/system_statistics/agent/stream/stream.yml.hbs b/packages/oracle/1.4.0/data_stream/system_statistics/agent/stream/stream.yml.hbs deleted file mode 100755 index 5231d2fb1d..0000000000 --- a/packages/oracle/1.4.0/data_stream/system_statistics/agent/stream/stream.yml.hbs +++ /dev/null 
@@ -1,90 +0,0 @@ -metricsets: ["query"] -period: {{period}} -hosts: -{{#each hosts}} - - {{this}} -{{/each}} -raw_data.enabled: true -driver: "oracle" -sql_queries: - - query: SELECT NAME, VALUE FROM V$SYSSTAT WHERE NAME IN ( - 'bytes received via SQL*Net from client', - 'bytes received via SQL*Net from dblink', - 'bytes sent via SQL*Net to client', - 'bytes sent via SQL*Net to dblink', - 'CPU used by this session', - 'db block changes', - 'db block gets from cache', - 'DBWR checkpoint buffers written', - 'DBWR checkpoints', - 'DML statements parallelized', - 'enqueue conversions', - 'enqueue deadlocks', - 'enqueue releases', - 'enqueue requests', - 'enqueue timeouts', - 'enqueue waits', - 'exchange deadlocks', - 'execute count', - 'gc current block receive time', - 'index fast full scans (direct read)', - 'index fast full scans (full)', - 'index fast full scans (rowid ranges)', - 'lob reads', - 'lob writes', - 'logons current', - 'opened cursors current', - 'Parallel operations not downgraded', - 'parse count (hard)', - 'parse count (total)', - 'parse time cpu', - 'parse time elapsed', - 'physical read bytes', - 'physical read IO requests', - 'physical read total bytes', - 'physical read total IO requests', - 'physical reads', - 'physical write bytes', - 'physical write IO requests', - 'physical write total bytes', - 'physical write total IO requests', - 'physical writes', - 'physical writes direct', - 'physical writes from cache', - 'process last non-idle time', - 'queries parallelized', - 'recovery blocks read', - 'recursive calls', - 'recursive cpu usage', - 'redo blocks written', - 'redo buffer allocation retries', - 'redo log space requests', - 'redo log space wait time', - 'redo size', - 'redo synch time', - 'redo write time', - 'redo writes', - 'session cursor cache count', - 'session cursor cache hits', - 'session logical reads', - 'session stored procedure space', - 'sorts (disk)', - 'sorts (memory)', - 'sorts (rows)', - 'table scan rows gotten', - 'table 
scans (direct read)', - 'table scans (long tables)', - 'table scans (rowid ranges)', - 'transaction rollbacks', - 'user calls', - 'user commits', - 'user rollbacks', - 'DB time', - 'OS System time used', - 'OS User time used', - 'SMON posted for instance recovery', - 'SMON posted for txn recovery for other instances', - 'java call heap live size', - 'java call heap total size', - 'java call heap used size') - response_format: variables \ No newline at end of file diff --git a/packages/oracle/1.4.0/data_stream/system_statistics/elasticsearch/ingest_pipeline/default.yml b/packages/oracle/1.4.0/data_stream/system_statistics/elasticsearch/ingest_pipeline/default.yml deleted file mode 100755 index 4e8d55540d..0000000000 --- a/packages/oracle/1.4.0/data_stream/system_statistics/elasticsearch/ingest_pipeline/default.yml +++ /dev/null 
@@ -1,63 +0,0 @@ ---- -description: Pipeline for processing Oracle system statistics metrics -processors: - - remove: - field: sql.driver - ignore_missing: true - ignore_failure: true - - remove: - field: sql.query - ignore_missing: true - ignore_failure: true - - rename: - field: sql - target_field: oracle - ignore_missing: true - ignore_failure: true - - rename: - field: oracle.metrics - target_field: oracle.system_statistics - ignore_missing: true - ignore_failure: true - - foreach: - field: oracle.system_statistics - ignore_missing: true - processor: - gsub: - field: "_ingest._key" - pattern: " " - replacement: "_" - - foreach: - field: oracle.system_statistics - ignore_missing: true - processor: - gsub: - field: "_ingest._key" - pattern: "\\(" - replacement: "" - - foreach: - field: oracle.system_statistics - ignore_missing: true - processor: - gsub: - field: "_ingest._key" - pattern: "\\)" - replacement: "" - - foreach: - field: oracle.system_statistics - ignore_missing: true - processor: - gsub: - field: "_ingest._key" - pattern: "\\*" - replacement: "" - - rename: - field: oracle.system_statistics.process_last_non-idle_time - target_field: oracle.system_statistics.process_last_non_idle_time - ignore_missing: true - ignore_failure: true - -on_failure: -- set: - field: error.message - value: "{{ _ingest.on_failure_message }}" \ No newline at end of file diff --git a/packages/oracle/1.4.0/data_stream/system_statistics/fields/base-fields.yml b/packages/oracle/1.4.0/data_stream/system_statistics/fields/base-fields.yml deleted file mode 100755 index 6cc192b4ed..0000000000 --- a/packages/oracle/1.4.0/data_stream/system_statistics/fields/base-fields.yml +++ /dev/null 
@@ -1,20 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: '@timestamp' - type: date - description: Event timestamp. -- name: event.module - type: constant_keyword - description: Event module - value: sql -- name: event.dataset - type: constant_keyword - description: Event module - value: oracle.system_statistics diff --git a/packages/oracle/1.4.0/data_stream/system_statistics/fields/ecs.yml b/packages/oracle/1.4.0/data_stream/system_statistics/fields/ecs.yml deleted file mode 100755 index 958b30e712..0000000000 --- a/packages/oracle/1.4.0/data_stream/system_statistics/fields/ecs.yml +++ /dev/null @@ -1,21 +0,0 @@ -- description: Host ip addresses. - name: host.ip - normalize: - - array - type: ip -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: |- - Address where data about this service was collected from. - This should be a URI, network address (ipv4:port or [ipv6]:port) or a resource path (sockets). - name: service.address - type: keyword -- description: |- - The type of the service data is collected from. - The type can be used to group and correlate logs and metrics from one service type. - Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. - name: service.type - type: keyword diff --git a/packages/oracle/1.4.0/data_stream/system_statistics/fields/fields.yml b/packages/oracle/1.4.0/data_stream/system_statistics/fields/fields.yml deleted file mode 100755 index 8da6521ffc..0000000000 
--- a/packages/oracle/1.4.0/data_stream/system_statistics/fields/fields.yml +++ /dev/null 
@@ -1,335 +0,0 @@ -- name: oracle.system_statistics - type: group - release: beta - fields: - - name: parallel_operations_not_downgraded - type: double - metric_type: counter - description: Number of times parallel execution was executed at the requested degree of parallelism - - name: physical_writes_direct - type: double - metric_type: counter - description: Number of writes directly to disk, bypassing the buffer cache (as in a direct load operation). - - name: os_user_time_used - type: double - metric_type: counter - description: The total CPU time used for user calls. - - name: physical_writes_from_cache - type: double - metric_type: counter - description: Total number of data blocks written to disk from the buffer cache. This is a subset of "physical writes" statistic. - - name: user_calls - type: double - metric_type: counter - description: Number of user calls such as login, parse, fetch, or execute. - - name: table_scan_rows_gotten - type: double - metric_type: counter - description: Number of rows that are processed during scanning operations. - - name: smon_posted_for_txn_recovery_for_other_instances - type: double - metric_type: counter - description: The total count or number of times SMON posted for instance recovery - - name: enqueue_deadlocks - type: double - metric_type: counter - description: Total number of deadlocks between table or row locks in different sessions. - - name: gc_current_block_receive_time - type: double - metric_type: counter - description: The total time required for consistent read requests to complete. It records the round-trip time for all requests for consistent read blocks. - - name: queries_parallelized - type: double - metric_type: counter - description: Number of SELECT statements executed in parallel. - - name: enqueue_releases - type: double - metric_type: counter - description: Total number of table or row locks released. 
- - name: user_rollbacks - type: double - metric_type: counter - description: Number of times users manually issue the ROLLBACK statement or an error occurs during a user's transactions. - - name: session_cursor_cache_count - type: double - metric_type: counter - description: Total number of cursors cached. - - name: redo_blocks_written - type: double - metric_type: counter - description: Total number of redo blocks written. - - name: redo_buffer_allocation_retries - type: double - metric_type: counter - description: Total number of retries necessary to allocate space in the redo buffer. - - name: enqueue_conversions - type: double - metric_type: counter - description: Total number of conversions of the state of table or row lock. - - name: transaction_rollbacks - type: double - metric_type: counter - description: Number of transactions being successfully rolled back. - - name: physical_reads - type: double - metric_type: counter - description: Total number of data blocks read from disk. - - name: table_scans_direct_read - type: double - metric_type: counter - description: The number of table scans performed with direct read (bypassing the buffer cache). - - name: lob_writes - type: double - metric_type: counter - description: The number of LOB API write operations performed in the session/system. - - name: java_call_heap_live_size - type: double - metric_type: counter - description: The Java call heap live size. - - name: lob_reads - type: double - metric_type: counter - description: The number of LOB API read operations performed in the session/system. - - name: bytes_received_via_sqlnet_from_client - type: double - metric_type: counter - unit: byte - description: Total number of bytes received from the client over Oracle Net Services. - - name: table_scans_long_tables - type: double - metric_type: counter - description: Long (or conversely short) tables can be defined as tables that do not meet the short table criteria. 
- - name: java_call_heap_used_size - type: double - metric_type: counter - description: The Java call heap used size. - - name: physical_writes - type: double - metric_type: counter - description: Total number of data blocks written to disk. This statistics value equals the sum of physical writes direct and physical writes from cache values. - - name: sorts_rows - type: double - metric_type: counter - description: Total number of rows sorted. - - name: parse_time_elapsed - type: double - metric_type: counter - unit: ms - description: Total elapsed time for parsing, in 10s of milliseconds. - - name: exchange_deadlocks - type: double - metric_type: counter - description: Number of times that a process detected a potential deadlock when exchanging two buffers and raised an internal, restartable error. Index scans are the only operations that perform exchanges. - - name: db_block_changes - type: double - metric_type: counter - description: This statistic counts the total number of changes that were part of an update or delete operation that were made to all blocks in the SGA. - - name: enqueue_waits - type: double - metric_type: counter - description: Total number of waits that occurred during an enqueue convert or get because the enqueue get was deferred. - - name: redo_size - type: double - metric_type: counter - unit: byte - description: Total amount of redo generated in bytes. - - name: table_scans_rowid_ranges - type: double - metric_type: counter - description: During parallel query, the number of table scans conducted with specified ROWID ranges. - - name: enqueue_requests - type: double - metric_type: counter - description: Total number of table or row locks acquired - - name: user_commits - type: double - metric_type: counter - description: Number of user commits. When a user commits a transaction, the redo generated that reflects the changes made to database blocks must be written to disk. 
- - name: cpu_used_by_this_session - type: double - metric_type: counter - unit: ms - description: Amount of CPU time (in 10s of milliseconds) used by a session from the time a user call starts until it ends. - - name: execute_count - type: double - metric_type: counter - description: Total number of calls (user and recursive) that executed SQL statements. - - name: process_last_non_idle_time - type: double - metric_type: counter - description: The last time this process executed. - - name: os_system_time_used - type: double - metric_type: counter - description: The total CPU time used for system calls. - - name: recursive_cpu_usage - type: double - metric_type: counter - description: Total CPU time used by non-user calls (recursive calls). - - name: redo_write_time - type: double - metric_type: counter - unit: micros - description: Total elapsed time of the write from the redo log buffer to the current redo log file in microseconds. - - name: redo_synch_time - type: double - metric_type: counter - unit: ms - description: Elapsed time of all redo synch writes calls in 10s of milliseconds. - - name: bytes_sent_via_sqlnet_to_dblink - type: double - unit: byte - metric_type: counter - description: Total number of bytes sent over a database link. - - name: parse_time_cpu - type: double - metric_type: counter - unit: ms - description: Total CPU time used for parsing (hard and soft) in 10s of milliseconds - - name: physical_write_total_bytes - type: double - unit: byte - metric_type: counter - description: Total size in bytes of all disk writes for the database instance including application activity, backup and recovery, and other utilities. - - name: enqueue_timeouts - type: double - metric_type: counter - description: Total number of table and row locks (acquired and converted) that timed out before they could complete. 
- - name: physical_write_io_requests - type: double - metric_type: counter - description: Number of write requests for application activity (mainly buffer cache and direct load operation) which wrote one or more database blocks per request. - - name: java_call_heap_total_size - type: double - metric_type: counter - unit: byte - description: The total Java call heap size. - - name: dbwr_checkpoints - type: double - metric_type: counter - description: The number of times the DBWR was asked to scan the cache and write all blocks marked for a checkpoint or the end of recovery. - - name: recursive_calls - type: double - metric_type: counter - description: The number of recursive calls generated at both the user and system level. - - name: index_fast_full_scans_full - type: double - metric_type: counter - description: The number of fast full scans initiated using direct read. - - name: logons_current - type: double - metric_type: counter - description: Total number of current logons. - - name: session_cursor_cache_hits - type: double - metric_type: counter - description: Total number of cursors cached. - - name: smon_posted_for_instance_recovery - type: double - metric_type: counter - description: The total count or number of times SMON posted for instance recovery. - - name: redo_log_space_requests - type: double - metric_type: counter - description: The number of times the active log file is full and Oracle must wait for disk space to be allocated for the redo log entries. - - name: physical_write_total_io_requests - type: double - metric_type: counter - description: The number of write requests which wrote one or more database blocks from all instance activity including application activity, backup and recovery, and other utilities. - - name: parse_count_total - type: double - metric_type: counter - description: Total number of parse calls (hard, soft, and describe). 
- - name: sorts_memory - type: double - metric_type: counter - description: The number of sort operations that were performed completely in memory and did not require any disk writes. - - name: physical_read_bytes - type: double - unit: byte - metric_type: counter - description: Total size in bytes of all disk reads by application activity (and not other instance activity) only. - - name: sorts_disk - type: double - metric_type: counter - description: The number of sort operations that required at least one disk write. - - name: session_logical_reads - type: double - metric_type: counter - description: The sum of db block gets plus consistent gets. This includes logical reads of database blocks from either the buffer cache or process private memory. - - name: dbwr_checkpoint_buffers_written - type: double - metric_type: counter - description: The number of buffers that were written for checkpoints. - - name: dml_statements_parallelized - type: double - metric_type: counter - description: The number of DML statements that were executed in parallel. - - name: redo_writes - type: double - metric_type: counter - description: Total number of writes by LGWR to the redo log files. - - name: recovery_blocks_read - type: double - metric_type: counter - description: The number of blocks read during recovery. - - name: index_fast_full_scans_direct_read - type: double - metric_type: counter - description: The number of fast full scans initiated using direct read. - - name: physical_read_total_io_requests - type: double - metric_type: counter - description: The number of read requests which read one or more database blocks for all instance activity including application, backup and recovery, and other utilities. - - name: db_block_gets_from_cache - type: double - metric_type: counter - description: The number of times a CURRENT block was requested from the buffer cache. 
- - name: opened_cursors_current - type: double - metric_type: counter - description: Total number of current open cursors. - - name: db_time - type: double - metric_type: counter - description: The sum of CPU consumption of all the Oracle process and the sum of non-idle wait time. - - name: bytes_received_via_sqlnet_from_dblink - type: double - unit: byte - metric_type: counter - description: Total number of bytes received from a database link over Oracle Net Services - - name: parse_count_hard - type: double - metric_type: counter - description: Total number of parse calls (real parses). - - name: index_fast_full_scans_rowid_ranges - type: double - metric_type: counter - description: The number of fast full scans initiated with rowid endpoints specified. - - name: bytes_sent_via_sqlnet_to_client - type: double - metric_type: counter - unit: byte - description: Total number of bytes sent to the client from the foreground processes. - - name: session_stored_procedure_space - type: double - metric_type: counter - description: Amount of memory this session is using for stored procedures. - - name: physical_write_bytes - type: double - metric_type: counter - unit: byte - description: Total size in bytes of all disk writes from the database application activity (and not other kinds of instance activity). - - name: redo_log_space_wait_time - type: double - metric_type: counter - description: Total time waited in centiseconds for available space in the redo log buffer. - - name: physical_read_io_requests - type: double - metric_type: counter - description: Number of read requests for application activity (mainly buffer cache and direct load operation) which read one or more database blocks per request. - - name: physical_read_total_bytes - type: double - metric_type: counter - unit: byte - description: Total size in bytes of disk reads by all database instance activity including application reads, backup and recovery, and other utilities. 
diff --git a/packages/oracle/1.4.0/data_stream/system_statistics/manifest.yml b/packages/oracle/1.4.0/data_stream/system_statistics/manifest.yml deleted file mode 100755 index faf3153104..0000000000 --- a/packages/oracle/1.4.0/data_stream/system_statistics/manifest.yml +++ /dev/null @@ -1,23 +0,0 @@ -title: "System Statistics" -type: metrics -release: beta -streams: - - input: sql/metrics - enabled: false - title: Oracle system statistics metrics - description: Collect Oracle system statistics metrics - vars: - - name: period - type: text - title: Period - default: 60s - multi: false - show_user: true - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: false - default: - - oracle_system_statistics_metrics diff --git a/packages/oracle/1.4.0/data_stream/system_statistics/sample_event.json b/packages/oracle/1.4.0/data_stream/system_statistics/sample_event.json deleted file mode 100755 index 93cec66048..0000000000 --- a/packages/oracle/1.4.0/data_stream/system_statistics/sample_event.json +++ /dev/null 
@@ -1,106 +0,0 @@ -{ - "oracle": { - "system_statistics": { - "parallel_operations_not_downgraded": 74269, - "physical_writes_direct": 49593, - "os_user_time_used": 0, - "physical_writes_from_cache": 1640956, - "user_calls": 1728270, - "table_scan_rows_gotten": 6496308028, - "smon_posted_for_txn_recovery_for_other_instances": 0, - "enqueue_deadlocks": 0, - "gc_current_block_receive_time": 0, - "queries_parallelized": 0, - "enqueue_releases": 204823089, - "user_rollbacks": 566, - "session_cursor_cache_count": 1392126, - "redo_blocks_written": 12594127, - "redo_buffer_allocation_retries": 20026, - "enqueue_conversions": 5808876, - "transaction_rollbacks": 4797, - "physical_reads": 15267747, - "table_scans_direct_read": 131, - "lob_writes": 1555222, - "java_call_heap_live_size": 0, - "lob_reads": 250087, - "bytes_received_via_sqlnet_from_client": 99978239, - "table_scans_long_tables": 823, - "java_call_heap_used_size": 0, - "physical_writes": 1690549, - "sorts_rows": 289153904, - "parse_time_elapsed": 119320, - "exchange_deadlocks": 1, - "db_block_changes": 35370231, - "enqueue_waits": 93701, - "redo_size": 6102600928, - "table_scans_rowid_ranges": 0, - "enqueue_requests": 204831722, - "user_commits": 178585, - "cpu_used_by_this_session": 2532130, - "execute_count": 29214384, - "process_last_non_idle_time": 1659881160, - "os_system_time_used": 0, - "recursive_cpu_usage": 1957103, - "redo_write_time": 123863, - "redo_synch_time": 7173, - "bytes_sent_via_sqlnet_to_dblink": 0, - "parse_time_cpu": 75577, - "physical_write_total_bytes": 36649355517, - "enqueue_timeouts": 8601, - "physical_write_io_requests": 959618, - "java_call_heap_total_size": 0, - "dbwr_checkpoints": 7081, - "recursive_calls": 81604284, - "index_fast_full_scans_full": 39008, - "logons_current": 51, - "session_cursor_cache_hits": 47613134, - "smon_posted_for_instance_recovery": 0, - "redo_log_space_requests": 57742, - "physical_write_total_io_requests": 2504705, - "parse_count_total": 6028908, - 
"sorts_memory": 2134811, - "physical_read_bytes": 125073383424, - "sorts_disk": 0, - "session_logical_reads": 440906935, - "dbwr_checkpoint_buffers_written": 1186157, - "dml_statements_parallelized": 0, - "redo_writes": 524251, - "recovery_blocks_read": 0, - "index_fast_full_scans_direct_read": 0, - "physical_read_total_io_requests": 7036559, - "db_block_gets_from_cache": 36495181, - "opened_cursors_current": 31, - "db_time": 41363170, - "bytes_received_via_sqlnet_from_dblink": 0, - "parse_count_hard": 184548, - "index_fast_full_scans_rowid_ranges": 0, - "bytes_sent_via_sqlnet_to_client": 227960514, - "session_stored_procedure_space": 0, - "physical_write_bytes": 13848977408, - "redo_log_space_wait_time": 382148, - "physical_read_io_requests": 3834637, - "physical_read_total_bytes": 183706260480 - } - }, - "@timestamp": "2022-08-07T14:06:01.373Z", - "data_stream": { - "namespace": "default", - "type": "metrics", - "dataset": "oracle.system_statistics" - }, - "service": { - "address": "0.0.0.0:1521", - "type": "sql" - }, - "metricset": { - "period": 60000, - "name": "query" - }, - "event": { - "duration": 61168658, - "agent_id_status": "verified", - "ingested": "2022-08-07T14:06:02Z", - "module": "sql", - "dataset": "oracle.system_statistics" - } -} \ No newline at end of file diff --git a/packages/oracle/1.4.0/data_stream/tablespace/agent/stream/stream.yml.hbs b/packages/oracle/1.4.0/data_stream/tablespace/agent/stream/stream.yml.hbs deleted file mode 100755 index 3ca99fcfa6..0000000000 --- a/packages/oracle/1.4.0/data_stream/tablespace/agent/stream/stream.yml.hbs +++ /dev/null 
@@ -1,94 +0,0 @@ -metricsets: ["query"] -period: {{period}} -hosts: -{{#each hosts}} - - {{this}} -{{/each}} -raw_data.enabled: true -driver: "oracle" -dynamic_metric_name_filter: "{{dynamic_metric_name_filter}}" -sql_queries: - - query: "WITH data_files - AS (SELECT file_name, - file_id, - tablespace_name, - bytes, - status, - maxbytes, - user_bytes, - online_status - FROM sys.dba_data_files - UNION - SELECT file_name, - file_id, - tablespace_name, - bytes, - status, - maxbytes, - user_bytes, - status AS ONLINE_STATUS - FROM sys.dba_temp_files), - spaces - AS (SELECT b.tablespace_name TB_NAME, - tbs_size TB_SIZE_USED, - a.free_space TB_SIZE_FREE - FROM (SELECT tablespace_name, - SUM(bytes) AS free_space - FROM dba_free_space - GROUP BY tablespace_name) a, - (SELECT tablespace_name, - SUM(bytes) AS tbs_size - FROM dba_data_files - GROUP BY tablespace_name) b - WHERE a.tablespace_name(+) = b.tablespace_name - AND a.tablespace_name != 'TEMP'), - temp_spaces - AS (SELECT tablespace_name, - tablespace_size, - allocated_space, - free_space - FROM dba_temp_free_space - WHERE tablespace_name = 'TEMP'), - details - AS (SELECT df.file_name, - df.file_id, - df.tablespace_name, - df.bytes, - df.status, - df.maxbytes, - df.user_bytes, - df.online_status, - sp.tb_size_used, - sp.tb_size_free - FROM data_files df, - spaces sp - WHERE df.tablespace_name = sp.tb_name - UNION - SELECT df.file_name, - df.file_id, - df.tablespace_name, - df.bytes, - df.status, - df.maxbytes, - df.user_bytes, - df.online_status, - tsp.tablespace_size - tsp.free_space AS TB_SIZE_USED, - tsp.free_space AS TB_SIZE_FREE - FROM data_files df, - temp_spaces tsp - WHERE df.tablespace_name = tsp.tablespace_name) -SELECT file_name, - file_id, - tablespace_name, - bytes, - status, - maxbytes, - user_bytes, - online_status, - tb_size_used, - tb_size_free, - SUM(bytes) - over() AS TOTAL_BYTES -FROM details" - response_format: table - 
diff --git a/packages/oracle/1.4.0/data_stream/tablespace/elasticsearch/ingest_pipeline/default.yml b/packages/oracle/1.4.0/data_stream/tablespace/elasticsearch/ingest_pipeline/default.yml deleted file mode 100755 index ff2627424f..0000000000 --- a/packages/oracle/1.4.0/data_stream/tablespace/elasticsearch/ingest_pipeline/default.yml +++ /dev/null 
@@ -1,80 +0,0 @@ ---- -description: Pipeline for processing oracle tablespace metrics -processors: - - remove: - field: sql.driver - ignore_missing: true - ignore_failure: true - - remove: - field: sql.query - ignore_missing: true - ignore_failure: true - - rename: - field: sql - target_field: oracle - ignore_missing: true - ignore_failure: true - - rename: - field: oracle.metrics - target_field: oracle.tablespace - ignore_missing: true - - rename: - field: oracle.tablespace.file_id - target_field: oracle.tablespace.data_file.id - ignore_failure: true - ignore_missing: true - - rename: - field: oracle.tablespace.file_name - target_field: oracle.tablespace.data_file.name - ignore_failure: true - ignore_missing: true - - rename: - field: oracle.tablespace.status - target_field: oracle.tablespace.data_file.status - ignore_failure: true - ignore_missing: true - - rename: - field: oracle.tablespace.online_status - target_field: oracle.tablespace.data_file.online_status - ignore_failure: true - ignore_missing: true - - rename: - field: oracle.tablespace.bytes - target_field: oracle.tablespace.data_file.size.bytes - ignore_failure: true - ignore_missing: true - - rename: - field: oracle.tablespace.maxbytes - target_field: oracle.tablespace.data_file.size.max.bytes - ignore_failure: true - ignore_missing: true - - rename: - field : oracle.tablespace.user_bytes - target_field: oracle.tablespace.data_file.size.free.bytes - ignore_failure: true - ignore_missing: true - - rename: - field : oracle.tablespace.tb_size_free - target_field: oracle.tablespace.space.free.bytes - ignore_failure: true - ignore_missing: true - - rename: - field: oracle.tablespace.tb_size_used - target_field: oracle.tablespace.space.used.bytes - ignore_failure: true - ignore_missing: true - - rename: - field: oracle.tablespace.tablespace_name - target_field: oracle.tablespace.name - ignore_failure: true - ignore_missing: true - - rename: - field: oracle.tablespace.total_bytes - target_field: 
oracle.tablespace.space.total.bytes - ignore_failure: true - ignore_missing: true - -on_failure: -- set: - field: error.message - value: "{{ _ingest.on_failure_message }}" \ No newline at end of file diff --git a/packages/oracle/1.4.0/data_stream/tablespace/fields/base-fields.yml b/packages/oracle/1.4.0/data_stream/tablespace/fields/base-fields.yml deleted file mode 100755 index 3672659faf..0000000000 --- a/packages/oracle/1.4.0/data_stream/tablespace/fields/base-fields.yml +++ /dev/null @@ -1,20 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: '@timestamp' - type: date - description: Event timestamp. -- name: event.module - type: constant_keyword - description: Event module - value: sql -- name: event.dataset - type: constant_keyword - description: Event module - value: oracle.tablespace diff --git a/packages/oracle/1.4.0/data_stream/tablespace/fields/ecs.yml b/packages/oracle/1.4.0/data_stream/tablespace/fields/ecs.yml deleted file mode 100755 index 958b30e712..0000000000 --- a/packages/oracle/1.4.0/data_stream/tablespace/fields/ecs.yml +++ /dev/null 
@@ -1,21 +0,0 @@ -- description: Host ip addresses. - name: host.ip - normalize: - - array - type: ip -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: |- - Address where data about this service was collected from. - This should be a URI, network address (ipv4:port or [ipv6]:port) or a resource path (sockets). - name: service.address - type: keyword -- description: |- - The type of the service data is collected from. - The type can be used to group and correlate logs and metrics from one service type. - Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. - name: service.type - type: keyword diff --git a/packages/oracle/1.4.0/data_stream/tablespace/fields/fields.yml b/packages/oracle/1.4.0/data_stream/tablespace/fields/fields.yml deleted file mode 100755 index e38d00d276..0000000000 --- a/packages/oracle/1.4.0/data_stream/tablespace/fields/fields.yml +++ /dev/null 
@@ -1,71 +0,0 @@
-- name: oracle.tablespace
- type: group
- release: beta
- fields:
- - name: name
- type: keyword
- description: Tablespace name
- - name: data_file
- type: group
- description: Database files information
- fields:
- - name: id
- type: long
- description: Tablespace unique identifier.
- - name: name
- type: keyword
- description: Filename of the data file
- - name: size
- type: group
- description: Size information about the file
- fields:
- - name: max.bytes
- format: bytes
- unit: byte
- metric_type: gauge
- type: long
- description: Maximum file size in bytes
- - name: bytes
- format: bytes
- unit: byte
- metric_type: gauge
- type: long
- description: Size of the file in bytes
- - name: free.bytes
- format: bytes
- unit: byte
- metric_type: gauge
- type: long
- description: >
- The size of the file available for user data. The actual size of the file minus this value is used to store file related metadata.
-
- - name: status
- type: keyword
- description: >
- File status: AVAILABLE or INVALID (INVALID means that the file number is not in use, for example, a file in a tablespace that was dropped)
-
- - name: online_status
- type: keyword
- description: Last known online status of the data file. One of SYSOFF, SYSTEM, OFFLINE, ONLINE or RECOVER.
- name: space
- type: group
- description: Tablespace space usage information
- fields:
- - name: free.bytes
- format: bytes
- unit: byte
- type: long
- metric_type: gauge
- description: Tablespace total free space available, in bytes.
- name: used.bytes
- format: bytes
- unit: byte
- type: long
- metric_type: gauge
- description: Tablespace used space, in bytes.
- name: total.bytes
- format: bytes
- unit: byte
- type: long
- metric_type: gauge
- description: Tablespace total size, in bytes.
diff --git a/packages/oracle/1.4.0/data_stream/tablespace/manifest.yml b/packages/oracle/1.4.0/data_stream/tablespace/manifest.yml
deleted file mode 100755
index be70e97f3c..0000000000
--- a/packages/oracle/1.4.0/data_stream/tablespace/manifest.yml
+++ /dev/null
@@ -1,24 +0,0 @@
-title: "Oracle tablespace metrics"
-type: metrics
-release: beta
-streams:
- - input: sql/metrics
- enabled: false
- title: Oracle tablespace metrics data
- description: Collect tablespace data of Oracle database
- vars:
- - name: period
- type: text
- title: Period
- default: 60s
- multi: false
- required: true
- show_user: true
- - name: tags
- type: text
- title: Tags
- multi: true
- required: true
- show_user: false
- default:
- - oracle_tablespace
diff --git a/packages/oracle/1.4.0/data_stream/tablespace/sample_event.json b/packages/oracle/1.4.0/data_stream/tablespace/sample_event.json
deleted file mode 100755
index 5812d5658b..0000000000
--- a/packages/oracle/1.4.0/data_stream/tablespace/sample_event.json
+++ /dev/null
@@ -1,47 +0,0 @@
-{
- "@timestamp": "2017-10-12T08:05:34.853Z",
- "event": {
- "dataset": "oracle.tablespace",
- "duration": 115000,
- "module": "sql"
- },
- "metricset": {
- "name": "query",
- "period": 60000
- },
- "oracle": {
- "tablespace": {
- "data_file": {
- "size": {
- "max": {
- "bytes": 34359721984
- },
- "bytes": 1310720000,
- "free": {
- "bytes": 1309671424
- }
- },
- "online_status": "ONLINE",
- "name": "/u02/app/oracle/oradata/ORCL/sysaux01.dbf",
- "id": 3,
- "status": "AVAILABLE"
- },
- "name": "SYSAUX",
- "space": {
- "total": {
- "bytes": 2355101696
- },
- "used": {
- "bytes": 1310720000
- },
- "free": {
- "bytes": 70713344
- }
- }
- }
- },
- "service": {
- "address": "oracle://localhost:1521/ORCLCDB.localdomain",
- "type": "sql"
- }
-}
\ No newline at end of file
diff --git a/packages/oracle/1.4.0/docs/README.md b/packages/oracle/1.4.0/docs/README.md
deleted file mode 100755
index 1bf74a5d8f..0000000000
--- a/packages/oracle/1.4.0/docs/README.md
+++ /dev/null
@@ -1,1092 +0,0 @@ -# Oracle Integration - -This integration is for ingesting Audit Trail logs and fetching performance, tablespace and sysmetric metrics from Oracle Databases. - -The integration expects an *.aud audit file that is generated from Oracle Databases by default. If this has been disabled then please see the [Oracle Database Audit Trail Documentation](https://docs.oracle.com/en/database/oracle/oracle-database/19/dbseg/introduction-to-auditing.html#GUID-8D96829C-9151-4FA4-BED9-831D088F12FF). - -### Requirements - -Connectivity to Oracle can be facilitated in two ways either by using official Oracle libraries or by using a JDBC driver. Facilitation of the connectivity using JDBC is not supported currently with Metricbeat. Connectivity can be facilitated using Oracle libraries and the detailed steps to do the same are mentioned below. - -#### Oracle Database Connection Pre-requisites - -To get connected with the Oracle Database ORACLE_SID, ORACLE_BASE, ORACLE_HOME environment variables should be set. - -For example: Let’s consider Oracle Database 21c installation using RPM manually by following the [Oracle Installation instructions](https://docs.oracle.com/en/database/oracle/oracle-database/21/ladbi/running-rpm-packages-to-install-oracle-database.html). Environment variables should be set as follows: - `ORACLE_SID=ORCLCDB` - `ORACLE_BASE=/opt/oracle/oradata` - `ORACLE_HOME=/opt/oracle/product/21c/dbhome_1` -Also, add `$ORACLE_HOME/bin` to the `PATH` environment variable. - -#### Oracle Instant Client - -Oracle Instant Client enables development and deployment of applications that connect to Oracle Database. The Instant Client libraries provide the necessary network connectivity and advanced data features to make full use of Oracle Database. If you have OCI Oracle server which comes with these libraries pre-installed, you don't need a separate client installation. 
- -The OCI library install few Client Shared Libraries that must be referenced on the machine where Metricbeat is installed. Please follow the [Oracle Client Installation link](https://docs.oracle.com/en/database/oracle/oracle-database/21/lacli/install-instant-client-using-zip.html#GUID-D3DCB4FB-D3CA-4C25-BE48-3A1FB5A22E84) link for OCI Instant Client set up. The OCI Instant Client is available with the Oracle Universal Installer, RPM file or ZIP file. Download links can be found at the [Oracle Instant Client Download page](https://www.oracle.com/database/technologies/instant-client/downloads.html). - -#### Enable Listener - -The Oracle listener is a service that runs on the database host and receives requests from Oracle clients. Make sure that [Listener](https://docs.oracle.com/cd/B19306_01/network.102/b14213/lsnrctl.htm) is be running. -To check if the listener is running or not, run: - -`lsnrctl STATUS` - -If the listener is not running, use the command to start: - -`lsnrctl START` - -Then, Metricbeat can be launched. - -*Host Configuration* - -The following two types of host configurations are supported: - -1. Old style host configuration for backwards compatibility: - - `hosts: ["user/pass@0.0.0.0:1521/ORCLPDB1.localdomain"]` - - `hosts: ["user/password@0.0.0.0:1521/ORCLPDB1.localdomain as sysdba"]` - -2. DSN host configuration: - - `hosts: ['user="user" password="pass" connectString="0.0.0.0:1521/ORCLPDB1.localdomain"']` - - `hosts: ['user="user" password="password" connectString="host:port/service_name" sysdba=true']` - - -Note: If the password contains the backslash (`\`) character, it must be escaped with a backslash. For example, if the password is `my\_password`, it should be written as `my\\_password`. - - -## Compatibility - -This integration has been tested with Oracle Database 19c, and should work for 18c as well though it has not been tested. - -### Audit Log - -The `database_audit` dataset collects Oracle Audit logs. 
- -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| client.address | Some event client addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| client.domain | The domain name of the client system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | -| client.ip | IP address of the client (IPv4 or IPv6). | ip | -| client.user.name | Short name or login of the user. | keyword | -| client.user.name.text | Multi-field of `client.user.name`. | match_only_text | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. 
| constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| error.message | Error message. | match_only_text | -| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.dataset | Event dataset | constant_keyword | -| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. 
`event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | -| event.module | Event module | constant_keyword | -| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | -| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. 
| keyword | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. 
| keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| input.type | Input type | keyword | -| log.file.path | Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. | keyword | -| log.flags | related log flags | | -| log.offset | Log offset | long | -| message | human-readable summary of the event | text | -| oracle.database_audit.action | The action performed during the audit event. This could for example be the raw query. | keyword | -| oracle.database_audit.action_number | Action is a numeric value representing the action the user performed. The corresponding name of the action type is in the AUDIT_ACTIONS table. For example, action 100 refers to LOGON. | keyword | -| oracle.database_audit.client.address | The IP Address or Domain used by the client. | keyword | -| oracle.database_audit.client.terminal | If available, the client terminal type, for example "pty". | keyword | -| oracle.database_audit.client.user | The user running the client or connection to the database. | keyword | -| oracle.database_audit.database.host | Client host machine name. | keyword | -| oracle.database_audit.database.id | Database identifier calculated when the database is created. It corresponds to the DBID column of the V$DATABASE data dictionary view. | keyword | -| oracle.database_audit.database.user | The database user used to authenticate. | keyword | -| oracle.database_audit.entry.id | Indicates the current audit entry number, assigned to each audit trail record. The audit entry.id sequence number is shared between fine-grained audit records and regular audit records. 
| keyword | -| oracle.database_audit.length | Refers to the total number of bytes used in this audit record. This number includes the trailing newline bytes (\n), if any, at the end of the audit record. | long | -| oracle.database_audit.privilege | The privilege group related to the database user. | keyword | -| oracle.database_audit.session_id | Indicates the audit session ID number. | keyword | -| oracle.database_audit.status | Database Audit Status. | keyword | -| process.pid | Process id. | long | -| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| related.user | All the user names or other user identifiers seen on the event. | keyword | -| server.address | Some event server addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| server.domain | The domain name of the server system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | -| server.ip | IP address of the server (IPv4 or IPv6). | ip | -| server.user.name | Short name or login of the user. | keyword | -| server.user.name.text | Multi-field of `server.user.name`. | match_only_text | -| tags | List of keywords used to tag each event. | keyword | -| user.name | Short name or login of the user. | keyword | -| user.name.text | Multi-field of `user.name`. | match_only_text | -| user.roles | Array of user roles at the time of the event. | keyword | -| user.target.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. 
| keyword | -| user.target.name | Short name or login of the user. | keyword | -| user.target.name.text | Multi-field of `user.target.name`. | match_only_text | - - -An example event for `database_audit` looks as following: - -```json -{ - "@timestamp": "2020-10-07T14:57:51.000Z", - "agent": { - "ephemeral_id": "021be4f6-f6ea-47c5-aa38-62ba8c3f0f3c", - "id": "5940e9e3-013b-43c0-a459-261d69b08862", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "8.0.0" - }, - "client": { - "user": { - "name": "oracle" - } - }, - "data_stream": { - "dataset": "oracle.database_audit", - "namespace": "ep", - "type": "logs" - }, - "ecs": { - "version": "8.3.0" - }, - "elastic_agent": { - "id": "5940e9e3-013b-43c0-a459-261d69b08862", - "snapshot": false, - "version": "8.0.0" - }, - "event": { - "action": "database_audit", - "agent_id_status": "verified", - "category": "database", - "dataset": "oracle.database_audit", - "ingested": "2022-02-24T08:25:06Z", - "kind": "event", - "outcome": "success", - "timezone": "-04:00", - "type": "access" - }, - "host": { - "architecture": "x86_64", - "containerized": true, - "hostname": "docker-fleet-agent", - "ip": [ - "192.168.240.7" - ], - "mac": [ - "02:42:c0:a8:f0:07" - ], - "name": "docker-fleet-agent", - "os": { - "codename": "focal", - "family": "debian", - "kernel": "5.10.60.1-microsoft-standard-WSL2", - "name": "Ubuntu", - "platform": "ubuntu", - "type": "linux", - "version": "20.04.3 LTS (Focal Fossa)" - } - }, - "input": { - "type": "filestream" - }, - "log": { - "file": { - "path": "/tmp/service_logs/ORCLCDB_ora_13765_20201007105751904399925443.aud.log" - }, - "flags": [ - "multiline" - ], - "offset": 882 - }, - "oracle": { - "database_audit": { - "action": "CONNECT", - "action_number": "100", - "client": { - "terminal": "pts/0" - }, - "length": 253, - "session_id": "4294967295", - "status": "0" - } - }, - "process": { - "pid": 13765 - }, - "related": { - "hosts": [ - "testlab.local" - ], - "user": [ - "/", - "oracle" - 
] - }, - "server": { - "address": "testlab.local", - "domain": "testlab.local", - "user": { - "name": "/" - } - }, - "tags": [ - "oracle-database_audit" - ], - "user": { - "roles": "SYSDBA" - } -} -``` - -### Tablespace Metrics - -Tablespace metrics describes the tablespace usage metrics of all types of tablespaces in the oracle database. - -**Exported fields** - -| Field | Description | Type | Unit | Metric Type | -|---|---|---|---|---| -| @timestamp | Event timestamp. | date | | | -| data_stream.dataset | Data stream dataset. | constant_keyword | | | -| data_stream.namespace | Data stream namespace. | constant_keyword | | | -| data_stream.type | Data stream type. | constant_keyword | | | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | | | -| event.dataset | Event module | constant_keyword | | | -| event.module | Event module | constant_keyword | | | -| host.ip | Host ip addresses. | ip | | | -| oracle.tablespace.data_file.id | Tablespace unique identifier. | long | | | -| oracle.tablespace.data_file.name | Filename of the data file | keyword | | | -| oracle.tablespace.data_file.online_status | Last known online status of the data file. One of SYSOFF, SYSTEM, OFFLINE, ONLINE or RECOVER. | keyword | | | -| oracle.tablespace.data_file.size.bytes | Size of the file in bytes | long | byte | gauge | -| oracle.tablespace.data_file.size.free.bytes | The size of the file available for user data. The actual size of the file minus this value is used to store file related metadata. 
| long | byte | gauge | -| oracle.tablespace.data_file.size.max.bytes | Maximum file size in bytes | long | byte | gauge | -| oracle.tablespace.data_file.status | File status: AVAILABLE or INVALID (INVALID means that the file number is not in use, for example, a file in a tablespace that was dropped) | keyword | | | -| oracle.tablespace.name | Tablespace name | keyword | | | -| oracle.tablespace.space.free.bytes | Tablespace total free space available, in bytes. | long | byte | gauge | -| oracle.tablespace.space.total.bytes | Tablespace total size, in bytes. | long | byte | gauge | -| oracle.tablespace.space.used.bytes | Tablespace used space, in bytes. | long | byte | gauge | -| service.address | Address where data about this service was collected from. This should be a URI, network address (ipv4:port or [ipv6]:port) or a resource path (sockets). | keyword | | | -| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. 
| keyword | | | - - -An example event for `tablespace` looks as following: - -```json -{ - "@timestamp": "2017-10-12T08:05:34.853Z", - "event": { - "dataset": "oracle.tablespace", - "duration": 115000, - "module": "sql" - }, - "metricset": { - "name": "query", - "period": 60000 - }, - "oracle": { - "tablespace": { - "data_file": { - "size": { - "max": { - "bytes": 34359721984 - }, - "bytes": 1310720000, - "free": { - "bytes": 1309671424 - } - }, - "online_status": "ONLINE", - "name": "/u02/app/oracle/oradata/ORCL/sysaux01.dbf", - "id": 3, - "status": "AVAILABLE" - }, - "name": "SYSAUX", - "space": { - "total": { - "bytes": 2355101696 - }, - "used": { - "bytes": 1310720000 - }, - "free": { - "bytes": 70713344 - } - } - } - }, - "service": { - "address": "oracle://localhost:1521/ORCLCDB.localdomain", - "type": "sql" - } -} -``` - -### Sysmetrics - -The system metrics value captured for the most current time interval for the long duration (60-seconds) are mentioned below - -**Exported fields** - -| Field | Description | Type | Unit | Metric Type | -|---|---|---|---|---| -| @timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. | date | | | -| data_stream.dataset | The field can contain anything that makes sense to signify the source of the data. Examples include `nginx.access`, `prometheus`, `endpoint` etc. For data streams that otherwise fit, but that do not have dataset set we use the value "generic" for the dataset value. `event.dataset` should have the same value as `data_stream.dataset`. 
Beyond the Elasticsearch data stream naming criteria noted above, the `dataset` value has additional restrictions: \* Must not contain `-` \* No longer than 100 characters | constant_keyword | | | -| data_stream.namespace | A user defined namespace. Namespaces are useful to allow grouping of data. Many users already organize their indices this way, and the data stream naming scheme now provides this best practice as a default. Many users will populate this field with `default`. If no value is used, it falls back to `default`. Beyond the Elasticsearch index naming criteria noted above, `namespace` value has the additional restrictions: \* Must not contain `-` \* No longer than 100 characters | constant_keyword | | | -| data_stream.type | An overarching type for the data stream. Currently allowed values are "logs" and "metrics". We expect to also add "traces" and "synthetics" in the near future. | constant_keyword | | | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | | | -| event.dataset | Event module | constant_keyword | | | -| event.module | Event module | constant_keyword | | | -| host.ip | Host ip addresses. | ip | | | -| oracle.sysmetric.active_parallel_sessions | Active parallel sessions | double | | gauge | -| oracle.sysmetric.active_serial_sessions | Active serial sessions. | double | | gauge | -| oracle.sysmetric.average_active_sessions | Average active sessions. | double | | gauge | -| oracle.sysmetric.average_synchronous_single-block_read_latency | Average synchronous single-block read latency. | double | | gauge | -| oracle.sysmetric.background_checkpoints_per_sec | Background checkpoints per second. 
| double | | gauge | -| oracle.sysmetric.background_cpu_usage_per_sec | Background CPU usage per sec | double | | gauge | -| oracle.sysmetric.background_time_per_sec | Background time per second. | double | | gauge | -| oracle.sysmetric.branch_node_splits_per_sec | Branch node splits per second. | double | | gauge | -| oracle.sysmetric.branch_node_splits_per_txn | Branch node splits per transaction. | double | | gauge | -| oracle.sysmetric.buffer_cache_hit_ratio | Buffer cache hit ratio | double | | gauge | -| oracle.sysmetric.captured_user_calls | Captured user calls. | double | | gauge | -| oracle.sysmetric.cell_physical_io_interconnect_bytes | Cell physical io interconnect bytes. | double | | gauge | -| oracle.sysmetric.consistent_read_changes_per_sec | Consistent read changes per second. | double | | gauge | -| oracle.sysmetric.consistent_read_changes_per_txn | Consistent read changes per transaction. | double | | gauge | -| oracle.sysmetric.consistent_read_gets_per_sec | Consistent read gets per second. | double | | gauge | -| oracle.sysmetric.consistent_read_gets_per_txn | Consistent read gets per transaction. | double | | gauge | -| oracle.sysmetric.cpu_usage_per_sec | CPU usage per second. | double | | gauge | -| oracle.sysmetric.cpu_usage_per_txn | CPU usage per transaction. | double | | gauge | -| oracle.sysmetric.cr_blocks_created_per_sec | Cr blocks created per second. | double | | gauge | -| oracle.sysmetric.cr_blocks_created_per_txn | Cr blocks created per transaction. | double | | gauge | -| oracle.sysmetric.cr_undo_records_applied_per_sec | Cr undo records applied per second. | double | | gauge | -| oracle.sysmetric.cr_undo_records_applied_per_txn | Cr undo records applied per transaction. | double | | gauge | -| oracle.sysmetric.current_logons_count | Current logons count. 
| double | | gauge | -| oracle.sysmetric.current_open_cursors_count | Current open cursors count | double | | gauge | -| oracle.sysmetric.current_os_load | Current os load | double | | gauge | -| oracle.sysmetric.cursor_cache_hit_ratio | Cursor cache hit ratio. | double | | gauge | -| oracle.sysmetric.database_cpu_time_ratio | Database CPU time ratio | double | | gauge | -| oracle.sysmetric.database_time_per_sec | Database time per second. | double | | gauge | -| oracle.sysmetric.database_wait_time_ratio | Database wait time ratio. | double | | gauge | -| oracle.sysmetric.db_block_changes_per_sec | Db block changes per second. | double | | gauge | -| oracle.sysmetric.db_block_changes_per_txn | Db block changes per transaction. | double | | gauge | -| oracle.sysmetric.db_block_changes_per_user_call | Db block changes per user call. | double | | gauge | -| oracle.sysmetric.db_block_gets_per_sec | Db block gets per sec | double | | gauge | -| oracle.sysmetric.db_block_gets_per_txn | Db block gets per transaction | double | | gauge | -| oracle.sysmetric.db_block_gets_per_user_call | Db block gets per user call. | double | | gauge | -| oracle.sysmetric.dbwr_checkpoints_per_sec | Dbwr checkpoints per sec. | double | | gauge | -| oracle.sysmetric.ddl_statements_parallelized_per_sec | Ddl statements parallelized per sec | double | | gauge | -| oracle.sysmetric.disk_sort_per_sec | Disk sort per second. | double | | gauge | -| oracle.sysmetric.disk_sort_per_txn | Disk sort per transaction. | double | | gauge | -| oracle.sysmetric.dml_statements_parallelized_per_sec | Dml statements parallelized per sec | double | | gauge | -| oracle.sysmetric.enqueue_deadlocks_per_sec | Enqueue deadlocks per sec | double | | gauge | -| oracle.sysmetric.enqueue_deadlocks_per_txn | Enqueue deadlocks per transaction. | double | | gauge | -| oracle.sysmetric.enqueue_requests_per_sec | Enqueue requests per second. 
| double | | gauge | -| oracle.sysmetric.enqueue_requests_per_txn | Enqueue requests per transaction | double | | gauge | -| oracle.sysmetric.enqueue_timeouts_per_sec | Enqueue timeouts per second. | double | | gauge | -| oracle.sysmetric.enqueue_timeouts_per_txn | Enqueue timeouts per transaction. | double | | gauge | -| oracle.sysmetric.enqueue_waits_per_sec | Enqueue waits per second. | double | | gauge | -| oracle.sysmetric.enqueue_waits_per_txn | Enqueue waits per transaction. | double | | gauge | -| oracle.sysmetric.execute_without_parse_ratio | Execute without parse ratio | double | | gauge | -| oracle.sysmetric.executions_per_sec | Executions per second. | double | | gauge | -| oracle.sysmetric.executions_per_txn | Executions per transaction. | double | | gauge | -| oracle.sysmetric.executions_per_user_call | Executions per user call | double | | gauge | -| oracle.sysmetric.full_index_scans_per_sec | Full index scans per second. | double | | gauge | -| oracle.sysmetric.full_index_scans_per_txn | Full index scans per transaction. | double | | gauge | -| oracle.sysmetric.gc_cr_block_received_per_second | Gc cr block received per second. | double | | gauge | -| oracle.sysmetric.gc_cr_block_received_per_txn | Gc cr block received per transaction. | double | | gauge | -| oracle.sysmetric.gc_current_block_received_per_second | Gc current block received per second. | double | | gauge | -| oracle.sysmetric.gc_current_block_received_per_txn | Gc current block received per transaction | double | | gauge | -| oracle.sysmetric.global_cache_average_cr_get_time | Global cache average cr get time. | double | | gauge | -| oracle.sysmetric.global_cache_average_current_get_time | Global cache average current get time | double | | gauge | -| oracle.sysmetric.global_cache_blocks_corrupted | Global cache blocks corrupted. | double | | gauge | -| oracle.sysmetric.global_cache_blocks_lost | Global cache blocks lost. 
| double | | gauge | -| oracle.sysmetric.hard_parse_count_per_sec | Hard parse count per sec | double | | gauge | -| oracle.sysmetric.hard_parse_count_per_txn | Hard parse count per transaction. | double | | gauge | -| oracle.sysmetric.host_cpu_usage_per_sec | Host CPU usage per sec. | double | | gauge | -| oracle.sysmetric.host_cpu_utilization_pct | Host CPU utilization percentage. | double | percent | gauge | -| oracle.sysmetric.io_megabytes_per_second | IO megabytes per second | double | | gauge | -| oracle.sysmetric.io_requests_per_second | IO requests per second | double | | gauge | -| oracle.sysmetric.leaf_node_splits_per_sec | Leaf node splits per second. | double | | gauge | -| oracle.sysmetric.leaf_node_splits_per_txn | Leaf node splits per transaction. | double | | gauge | -| oracle.sysmetric.library_cache_hit_ratio | Library cache hit ratio. | double | | gauge | -| oracle.sysmetric.library_cache_miss_ratio | Library cache miss ratio. | double | | gauge | -| oracle.sysmetric.logical_reads_per_sec | Logical reads per sec. | double | | gauge | -| oracle.sysmetric.logical_reads_per_txn | Logical reads per transaction. | double | | gauge | -| oracle.sysmetric.logical_reads_per_user_call | Logical reads per user call. | double | | gauge | -| oracle.sysmetric.logons_per_sec | Logons per sec | double | | gauge | -| oracle.sysmetric.logons_per_txn | Logons per transaction. | double | | gauge | -| oracle.sysmetric.long_table_scans_per_sec | Long table scans per second. | double | | gauge | -| oracle.sysmetric.long_table_scans_per_txn | Long table scans per transaction. | double | | gauge | -| oracle.sysmetric.memory_sorts_ratio | Memory sorts ratio. | double | | gauge | -| oracle.sysmetric.network_traffic_volume_per_sec | Network traffic volume per second. 
| double | | gauge | -| oracle.sysmetric.open_cursors_per_sec | Open cursors per sec | double | | gauge | -| oracle.sysmetric.open_cursors_per_txn | Open cursors per transaction | double | | gauge | -| oracle.sysmetric.parse_failure_count_per_sec | Parse failure count per sec | double | | gauge | -| oracle.sysmetric.parse_failure_count_per_txn | Parse failure count per transaction. | double | | gauge | -| oracle.sysmetric.pga_cache_hit_pct | Pga cache hit percentage. | double | percent | gauge | -| oracle.sysmetric.physical_read_bytes_per_sec | Physical read bytes per second. | double | | gauge | -| oracle.sysmetric.physical_read_io_requests_per_sec | Physical read io requests per second. | double | | gauge | -| oracle.sysmetric.physical_read_total_bytes_per_sec | Physical read total bytes per second. | double | | gauge | -| oracle.sysmetric.physical_read_total_io_requests_per_sec | Physical read total io requests per sec | double | | gauge | -| oracle.sysmetric.physical_reads_direct_lobs_per_sec | Physical reads direct lobs per second. | double | | gauge | -| oracle.sysmetric.physical_reads_direct_lobs_per_txn | Physical reads direct lobs per transaction. | double | | gauge | -| oracle.sysmetric.physical_reads_direct_per_sec | Physical reads direct per second. | double | | gauge | -| oracle.sysmetric.physical_reads_direct_per_txn | Physical reads direct per transaction. | double | | gauge | -| oracle.sysmetric.physical_reads_per_sec | Physical reads per second. | double | | gauge | -| oracle.sysmetric.physical_reads_per_txn | Physical reads per transaction. | double | | gauge | -| oracle.sysmetric.physical_write_bytes_per_sec | Physical write bytes per second. | double | | gauge | -| oracle.sysmetric.physical_write_io_requests_per_sec | Physical write io requests per second. | double | | gauge | -| oracle.sysmetric.physical_write_total_bytes_per_sec | Physical write total bytes per second. 
| double | | gauge | -| oracle.sysmetric.physical_write_total_io_requests_per_sec | Physical write total io requests per second. | double | | gauge | -| oracle.sysmetric.physical_writes_direct_lobs__per_txn | Physical writes direct lobs per transaction | double | | gauge | -| oracle.sysmetric.physical_writes_direct_lobs_per_sec | Physical writes direct lobs per sec | double | | gauge | -| oracle.sysmetric.physical_writes_direct_per_sec | Physical writes direct per second. | double | | gauge | -| oracle.sysmetric.physical_writes_direct_per_txn | Physical writes direct per transaction. | double | | gauge | -| oracle.sysmetric.physical_writes_per_sec | Physical writes per second. | double | | gauge | -| oracle.sysmetric.physical_writes_per_txn | Physical writes per transaction. | double | | gauge | -| oracle.sysmetric.pq_qc_session_count | Pq qc session count. | double | | gauge | -| oracle.sysmetric.pq_slave_session_count | Pq slave session count. | double | | gauge | -| oracle.sysmetric.process_limit_pct | Process limit percentage. | double | percent | gauge | -| oracle.sysmetric.px_downgraded_1_to_25pct_per_sec | Px downgraded 1 to 25 percentage per second. | double | percent | gauge | -| oracle.sysmetric.px_downgraded_25_to_50pct_per_sec | Px downgraded 25 to 50 percentage per sec | double | percent | gauge | -| oracle.sysmetric.px_downgraded_50_to_75pct_per_sec | Px downgraded 50 to 75 percentage per second. | double | percent | gauge | -| oracle.sysmetric.px_downgraded_75_to_99pct_per_sec | Px downgraded 75 to 99 percentage per second. | double | percent | gauge | -| oracle.sysmetric.px_downgraded_to_serial_per_sec | Px downgraded to serial per sec. | double | | gauge | -| oracle.sysmetric.px_operations_not_downgraded_per_sec | Px operations not downgraded per second. | double | | gauge | -| oracle.sysmetric.queries_parallelized_per_sec | Queries parallelized per second. 
| double | | gauge | -| oracle.sysmetric.recursive_calls_per_sec | Recursive calls per second. | double | | gauge | -| oracle.sysmetric.recursive_calls_per_txn | Recursive calls per transaction. | double | | gauge | -| oracle.sysmetric.redo_allocation_hit_ratio | Redo allocation hit ratio. | double | | gauge | -| oracle.sysmetric.redo_generated_per_sec | Redo generated per second. | double | | gauge | -| oracle.sysmetric.redo_generated_per_txn | Redo generated per transaction | double | | gauge | -| oracle.sysmetric.redo_writes_per_sec | Redo writes per second. | double | | gauge | -| oracle.sysmetric.redo_writes_per_txn | Redo writes per transaction. | double | | gauge | -| oracle.sysmetric.replayed_user_calls | Replayed user calls | double | | gauge | -| oracle.sysmetric.response_time_per_txn | Response time per transaction. | double | | gauge | -| oracle.sysmetric.row_cache_hit_ratio | Row cache hit ratio. | double | | gauge | -| oracle.sysmetric.row_cache_miss_ratio | Row cache miss ratio. | double | | gauge | -| oracle.sysmetric.rows_per_sort | Rows per sort. | double | | gauge | -| oracle.sysmetric.run_queue_per_sec | Run queue per second. | double | | gauge | -| oracle.sysmetric.session_count | Session count. | double | | gauge | -| oracle.sysmetric.session_limit_pct | "Session limit percentage." | double | percent | gauge | -| oracle.sysmetric.shared_pool_free_pct | Shared pool free percentage. | double | percent | gauge | -| oracle.sysmetric.soft_parse_ratio | Soft parse ratio. | double | | gauge | -| oracle.sysmetric.sql_service_response_time | Sql service response time | double | | gauge | -| oracle.sysmetric.streams_pool_usage_percentage | Streams pool usage percentage. | double | | gauge | -| oracle.sysmetric.temp_space_used | Temp space used | double | | gauge | -| oracle.sysmetric.total_index_scans_per_sec | Total index scans per second. | double | | gauge | -| oracle.sysmetric.total_index_scans_per_txn | Total index scans per transaction. 
| double | | gauge | -| oracle.sysmetric.total_parse_count_per_sec | Total parse count per sec | double | | gauge | -| oracle.sysmetric.total_parse_count_per_txn | Total parse count per transaction. | double | | gauge | -| oracle.sysmetric.total_pga_allocated | Total pga allocated. | double | | gauge | -| oracle.sysmetric.total_pga_used_by_sql_workareas | Total pga used by sql workareas | double | | gauge | -| oracle.sysmetric.total_sorts_per_user_call | Total sorts per user call. | double | | gauge | -| oracle.sysmetric.total_table_scans_per_sec | Total table scans per second. | double | | gauge | -| oracle.sysmetric.total_table_scans_per_txn | Total table scans per transaction. | double | | gauge | -| oracle.sysmetric.total_table_scans_per_user_call | Total table scans per user call. | double | | gauge | -| oracle.sysmetric.txns_per_logon | transactions per logon. | double | | gauge | -| oracle.sysmetric.user_calls_per_sec | User calls per second. | double | | gauge | -| oracle.sysmetric.user_calls_per_txn | User calls per transaction | double | | gauge | -| oracle.sysmetric.user_calls_ratio | User calls ratio | double | | gauge | -| oracle.sysmetric.user_commits_per_sec | User commits per sec | double | | gauge | -| oracle.sysmetric.user_commits_percentage | User commits percentage. | double | | gauge | -| oracle.sysmetric.user_limit_pct | User limit percentage. | double | percent | gauge | -| oracle.sysmetric.user_rollback_undo_records_applied_per_txn | User rollback undo records applied per transaction. | double | | gauge | -| oracle.sysmetric.user_rollback_undorec_applied_per_sec | User rollback undorec applied per second. | double | | gauge | -| oracle.sysmetric.user_rollbacks_per_sec | User rollbacks per second. | double | | gauge | -| oracle.sysmetric.user_rollbacks_percentage | User rollbacks percentage. | double | | gauge | -| oracle.sysmetric.user_transaction_per_sec | User transaction per second. 
| double | | gauge | -| oracle.sysmetric.vm_in_bytes_per_sec | Vm in bytes per sec | double | | gauge | -| oracle.sysmetric.vm_out_bytes_per_sec | Vm out bytes per second. | double | | gauge | -| oracle.sysmetric.workload_capture_and_replay_status | Workload capture and replay status. | double | | gauge | -| service.address | Address where data about this service was collected from. This should be a URI, network address (ipv4:port or [ipv6]:port) or a resource path (sockets). | keyword | | | -| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword | | | - - -An example event for `sysmetric` looks as following: - -```json -{ - "@timestamp": "2022-05-27T02:18:55.112Z", - "event": { - "dataset": "oracle.sysmetric", - "module": "sql", - "duration": 408974115 - }, - "metricset": { - "name": "query", - "period": 60000 - }, - "oracle": { - "sysmetric": { - "row_cache_hit_ratio": 100, - "current_open_cursors_count": 28, - "total_pga_allocated": 194334720, - "px_downgraded_75_to_99pct_per_sec": 0, - "enqueue_deadlocks_per_txn": 0, - "db_block_gets_per_sec": 1.83501683501684, - "cr_blocks_created_per_txn": 0, - "logical_reads_per_user_call": 5.44347826086956, - "response_time_per_txn": 20.0772, - "recursive_calls_per_sec": 21.9191919191919, - "db_block_gets_per_txn": 54.5, - "long_table_scans_per_txn": 0, - "total_parse_count_per_txn": 54, - "db_block_changes_per_user_call": 0.947826086956522, - "px_downgraded_to_serial_per_sec": 0, - "cell_physical_io_interconnect_bytes": 4483072, - "physical_writes_direct_per_sec": 0, - "current_os_load": 1.6591796875, - "user_rollback_undo_records_applied_per_txn": 0, - "db_block_changes_per_txn": 54.5, - "disk_sort_per_sec": 0, - "cr_undo_records_applied_per_txn": 0, - "process_limit_pct": 27.3333333333333, - "cpu_usage_per_sec": 
0.77420202020202, - "active_parallel_sessions": 0, - "long_table_scans_per_sec": 0, - "database_time_per_sec": 0.676, - "physical_read_total_io_requests_per_sec": 3.75420875420875, - "cr_undo_records_applied_per_sec": 0, - "gc_cr_block_received_per_txn": 0, - "active_serial_sessions": 1, - "pq_slave_session_count": 0, - "physical_writes_direct_per_txn": 0, - "session_count": 66, - "dbwr_checkpoints_per_sec": 0, - "db_block_changes_per_sec": 1.83501683501684, - "cpu_usage_per_txn": 22.9938, - "vm_out_bytes_per_sec": 0, - "parse_failure_count_per_sec": 0, - "gc_cr_block_received_per_second": 0, - "rows_per_sort": 2.27027027027027, - "physical_read_bytes_per_sec": 0, - "physical_writes_direct_lobs_per_sec": 0, - "consistent_read_changes_per_txn": 2, - "global_cache_blocks_lost": 0, - "average_synchronous_single-block_read_latency": 0.0280373831775701, - "physical_read_io_requests_per_sec": 0, - "background_checkpoints_per_sec": 0, - "enqueue_requests_per_txn": 6353.5, - "global_cache_blocks_corrupted": 0, - "user_transaction_per_sec": 0.0336700336700337, - "logical_reads_per_sec": 10.5387205387205, - "background_time_per_sec": 0.0137291582491582, - "total_pga_used_by_sql_workareas": 0, - "branch_node_splits_per_sec": 0, - "px_downgraded_50_to_75pct_per_sec": 0, - "user_rollback_undorec_applied_per_sec": 0, - "consistent_read_gets_per_sec": 8.7037037037037, - "consistent_read_changes_per_sec": 0.0673400673400673, - "leaf_node_splits_per_txn": 0, - "total_sorts_per_user_call": 0.321739130434783, - "enqueue_requests_per_sec": 213.922558922559, - "gc_current_block_received_per_txn": 0, - "physical_reads_direct_per_sec": 0, - "px_downgraded_1_to_25pct_per_sec": 0, - "redo_allocation_hit_ratio": 100, - "enqueue_deadlocks_per_sec": 0, - "shared_pool_free_pct": 11.3199416627275, - "row_cache_miss_ratio": 0, - "database_cpu_time_ratio": 114.526926065388, - "physical_write_io_requests_per_sec": 0.336700336700337, - "redo_generated_per_txn": 11194, - "enqueue_timeouts_per_sec": 
0, - "logical_reads_per_txn": 313, - "average_active_sessions": 0.00676, - "leaf_node_splits_per_sec": 0, - "cursor_cache_hit_ratio": 153.703703703704, - "physical_reads_direct_per_txn": 0, - "branch_node_splits_per_txn": 0, - "executions_per_user_call": 2.22608695652174, - "px_operations_not_downgraded_per_sec": 0.0673400673400673, - "workload_capture_and_replay_status": 0, - "user_calls_per_sec": 1.93602693602694, - "physical_read_total_bytes_per_sec": 57121.6161616162, - "run_queue_per_sec": 0, - "open_cursors_per_txn": 126, - "physical_writes_per_txn": 10, - "global_cache_average_cr_get_time": 0, - "global_cache_average_current_get_time": 0, - "gc_current_block_received_per_second": 0, - "px_downgraded_25_to_50pct_per_sec": 0, - "user_limit_pct": 0.00000109430402542797, - "user_calls_ratio": 8.11573747353564, - "current_logons_count": 47, - "library_cache_miss_ratio": 0, - "physical_writes_direct_lobs__per_txn": 0, - "queries_parallelized_per_sec": 0, - "total_table_scans_per_sec": 0.303030303030303, - "physical_write_total_bytes_per_sec": 18350.9764309764, - "io_megabytes_per_second": 0.0841750841750842, - "execute_without_parse_ratio": 57.8125, - "hard_parse_count_per_sec": 0, - "user_commits_percentage": 100, - "redo_generated_per_sec": 376.902356902357, - "enqueue_timeouts_per_txn": 0, - "captured_user_calls": 0, - "physical_reads_direct_lobs_per_txn": 0, - "session_limit_pct": 13.9830508474576, - "pq_qc_session_count": 0, - "host_cpu_usage_per_sec": 92.3905723905724, - "physical_reads_direct_lobs_per_sec": 0, - "parse_failure_count_per_txn": 0, - "open_cursors_per_sec": 4.24242424242424, - "user_rollbacks_per_sec": 0, - "full_index_scans_per_sec": 0, - "physical_writes_per_sec": 0.336700336700337, - "physical_write_bytes_per_sec": 2758.24915824916, - "memory_sorts_ratio": 100, - "streams_pool_usage_percentage": 0, - "user_rollbacks_percentage": 0, - "consistent_read_gets_per_txn": 258.5, - "user_commits_per_sec": 0.0336700336700337, - 
"background_cpu_usage_per_sec": 0.626880471380471, - "database_wait_time_ratio": 0, - "user_calls_per_txn": 57.5, - "hard_parse_count_per_txn": 0, - "total_table_scans_per_txn": 9, - "ddl_statements_parallelized_per_sec": 0, - "temp_space_used": 0, - "enqueue_waits_per_txn": 2, - "io_requests_per_second": 5.23569023569024, - "library_cache_hit_ratio": 100, - "logons_per_sec": 0.420875420875421, - "full_index_scans_per_txn": 0, - "txns_per_logon": 0.08, - "pga_cache_hit_pct": 100, - "physical_reads_per_txn": 0, - "host_cpu_utilization_pct": 11.6182572614108, - "sql_service_response_time": 0.0283376146788991, - "db_block_gets_per_user_call": 0.947826086956522, - "physical_reads_per_sec": 0, - "soft_parse_ratio": 100, - "total_index_scans_per_sec": 3.06397306397306, - "executions_per_txn": 128, - "disk_sort_per_txn": 0, - "logons_per_txn": 12.5, - "enqueue_waits_per_sec": 0.0673400673400673, - "physical_write_total_io_requests_per_sec": 1.48148148148148, - "replayed_user_calls": 0, - "dml_statements_parallelized_per_sec": 0, - "cr_blocks_created_per_sec": 0, - "total_table_scans_per_user_call": 0.156521739130435, - "buffer_cache_hit_ratio": 100, - "vm_in_bytes_per_sec": 0, - "redo_writes_per_txn": 5.5, - "network_traffic_volume_per_sec": 522.289562289562, - "executions_per_sec": 4.30976430976431, - "total_index_scans_per_txn": 91, - "redo_writes_per_sec": 0.185185185185185, - "recursive_calls_per_txn": 651, - "total_parse_count_per_sec": 1.81818181818182 - } - }, - "service": { - "address": "oracle://localhost:1521/ORCLCDB.localdomain", - "type": "sql" - } -} -``` - -### Memory Metrics - -A Program Global Area (PGA) is a memory region that contains data and control information for a server process. It is nonshared memory created by Oracle Database when a server process is started. Access to the PGA is exclusive to the server process. Metrics concerning Program Global Area (PGA) memory are mentioned below. 
- -**Exported fields** - -| Field | Description | Type | Unit | Metric Type | -|---|---|---|---|---| -| @timestamp | Event timestamp. | date | | | -| data_stream.dataset | Data stream dataset. | constant_keyword | | | -| data_stream.namespace | Data stream namespace. | constant_keyword | | | -| data_stream.type | Data stream type. | constant_keyword | | | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | | | -| event.dataset | Event module | constant_keyword | | | -| event.module | Event module | constant_keyword | | | -| host.ip | Host ip addresses. | ip | | | -| oracle.memory.pga.aggregate_auto_target | Amount of PGA memory the Oracle Database can use for work areas running in automatic mode. | double | byte | gauge | -| oracle.memory.pga.aggregate_target_parameter | Current value of the PGA_AGGREGATE_TARGET initialization parameter. If this parameter is not set, then its value is 0 and automatic management of PGA memory is disabled. | double | byte | gauge | -| oracle.memory.pga.cache_hit_pct | A metric computed by the Oracle Database to reflect the performance of the PGA memory component, cumulative since instance startup. | double | percent | gauge | -| oracle.memory.pga.global_memory_bound | Maximum size of a work area executed in automatic mode. | double | byte | gauge | -| oracle.memory.pga.maximum_allocated | Maximum number of bytes of PGA memory allocated at one time since instance startup. | double | byte | gauge | -| oracle.memory.pga.total_allocated | Current amount of PGA memory allocated by the instance. | double | byte | gauge | -| oracle.memory.pga.total_freeable_memory | Number of bytes of PGA memory in all processes that could be freed back to the operating system. 
| double | byte | gauge | -| oracle.memory.pga.total_inuse | Indicates how much PGA memory is currently consumed by work areas. This number can be used to determine how much memory is consumed by other consumers of the PGA memory (for example, PL/SQL or Java). | double | byte | gauge | -| oracle.memory.pga.total_used_for_auto_workareas | Indicates how much PGA memory is currently consumed by work areas running under the automatic memory management mode. This number can be used to determine how much memory is consumed by other consumers of the PGA memory (for example, PL/SQL or Java). | double | byte | gauge | -| oracle.memory.sga.free_memory | Amount of free memory in the Shared pool. | double | byte | gauge | -| oracle.memory.sga.total_memory | Amount of total memory in the Shared pool. | double | byte | gauge | -| service.address | Address where data about this service was collected from. This should be a URI, network address (ipv4:port or [ipv6]:port) or a resource path (sockets). | keyword | | | -| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. 
| keyword | | | - - -An example event for `memory` looks as following: - -```json -{ - "@timestamp": "2022-08-07T04:32:07.853Z", - "oracle": { - "memory": { - "pga": { - "total_inuse": 171153408, - "aggregate_auto_target": 579262464, - "total_allocated": 212888576, - "maximum_allocated": 694778880, - "total_freeable_memory": 14876672, - "global_memory_bound": 104857600, - "aggregate_target_parameter": 805306368, - "total_used_for_auto_workareas": 738304, - "cache_hit_pct": 100 - } - } - }, - "service": { - "address": "0.0.0.0:1521", - "type": "sql" - }, - "data_stream": { - "namespace": "default", - "type": "metrics", - "dataset": "oracle.memory" - }, - "metricset": { - "period": 60000, - "name": "query" - }, - "event": { - "duration": 53225246, - "agent_id_status": "verified", - "ingested": "2022-08-07T04:32:07Z", - "module": "sql", - "dataset": "oracle.memory" - } -} -``` - -### System Statistics Metrics - -The System Global Area (SGA) is a group of shared memory structures that contain data and control information for one Oracle Database instance. Metrics concerning System Global Area (SGA) memory are mentioned below. - -**Exported fields** - -| Field | Description | Type | Unit | Metric Type | -|---|---|---|---|---| -| @timestamp | Event timestamp. | date | | | -| data_stream.dataset | Data stream dataset. | constant_keyword | | | -| data_stream.namespace | Data stream namespace. | constant_keyword | | | -| data_stream.type | Data stream type. | constant_keyword | | | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | | | -| event.dataset | Event module | constant_keyword | | | -| event.module | Event module | constant_keyword | | | -| host.ip | Host ip addresses. 
| ip | | | -| oracle.system_statistics.bytes_received_via_sqlnet_from_client | Total number of bytes received from the client over Oracle Net Services. | double | byte | counter | -| oracle.system_statistics.bytes_received_via_sqlnet_from_dblink | Total number of bytes received from a database link over Oracle Net Services | double | byte | counter | -| oracle.system_statistics.bytes_sent_via_sqlnet_to_client | Total number of bytes sent to the client from the foreground processes. | double | byte | counter | -| oracle.system_statistics.bytes_sent_via_sqlnet_to_dblink | Total number of bytes sent over a database link. | double | byte | counter | -| oracle.system_statistics.cpu_used_by_this_session | Amount of CPU time (in 10s of milliseconds) used by a session from the time a user call starts until it ends. | double | ms | counter | -| oracle.system_statistics.db_block_changes | This statistic counts the total number of changes that were part of an update or delete operation that were made to all blocks in the SGA. | double | | counter | -| oracle.system_statistics.db_block_gets_from_cache | The number of times a CURRENT block was requested from the buffer cache. | double | | counter | -| oracle.system_statistics.db_time | The sum of CPU consumption of all the Oracle process and the sum of non-idle wait time. | double | | counter | -| oracle.system_statistics.dbwr_checkpoint_buffers_written | The number of buffers that were written for checkpoints. | double | | counter | -| oracle.system_statistics.dbwr_checkpoints | The number of times the DBWR was asked to scan the cache and write all blocks marked for a checkpoint or the end of recovery. | double | | counter | -| oracle.system_statistics.dml_statements_parallelized | The number of DML statements that were executed in parallel. | double | | counter | -| oracle.system_statistics.enqueue_conversions | Total number of conversions of the state of table or row lock. 
| double | | counter | -| oracle.system_statistics.enqueue_deadlocks | Total number of deadlocks between table or row locks in different sessions. | double | | counter | -| oracle.system_statistics.enqueue_releases | Total number of table or row locks released. | double | | counter | -| oracle.system_statistics.enqueue_requests | Total number of table or row locks acquired | double | | counter | -| oracle.system_statistics.enqueue_timeouts | Total number of table and row locks (acquired and converted) that timed out before they could complete. | double | | counter | -| oracle.system_statistics.enqueue_waits | Total number of waits that occurred during an enqueue convert or get because the enqueue get was deferred. | double | | counter | -| oracle.system_statistics.exchange_deadlocks | Number of times that a process detected a potential deadlock when exchanging two buffers and raised an internal, restartable error. Index scans are the only operations that perform exchanges. | double | | counter | -| oracle.system_statistics.execute_count | Total number of calls (user and recursive) that executed SQL statements. | double | | counter | -| oracle.system_statistics.gc_current_block_receive_time | The total time required for consistent read requests to complete. It records the round-trip time for all requests for consistent read blocks. | double | | counter | -| oracle.system_statistics.index_fast_full_scans_direct_read | The number of fast full scans initiated using direct read. | double | | counter | -| oracle.system_statistics.index_fast_full_scans_full | The number of fast full scans initiated using direct read. | double | | counter | -| oracle.system_statistics.index_fast_full_scans_rowid_ranges | The number of fast full scans initiated with rowid endpoints specified. | double | | counter | -| oracle.system_statistics.java_call_heap_live_size | The Java call heap live size. 
| double | | counter | -| oracle.system_statistics.java_call_heap_total_size | The total Java call heap size. | double | byte | counter | -| oracle.system_statistics.java_call_heap_used_size | The Java call heap used size. | double | | counter | -| oracle.system_statistics.lob_reads | The number of LOB API read operations performed in the session/system. | double | | counter | -| oracle.system_statistics.lob_writes | The number of LOB API write operations performed in the session/system. | double | | counter | -| oracle.system_statistics.logons_current | Total number of current logons. | double | | counter | -| oracle.system_statistics.opened_cursors_current | Total number of current open cursors. | double | | counter | -| oracle.system_statistics.os_system_time_used | The total CPU time used for system calls. | double | | counter | -| oracle.system_statistics.os_user_time_used | The total CPU time used for user calls. | double | | counter | -| oracle.system_statistics.parallel_operations_not_downgraded | Number of times parallel execution was executed at the requested degree of parallelism | double | | counter | -| oracle.system_statistics.parse_count_hard | Total number of parse calls (real parses). | double | | counter | -| oracle.system_statistics.parse_count_total | Total number of parse calls (hard, soft, and describe). | double | | counter | -| oracle.system_statistics.parse_time_cpu | Total CPU time used for parsing (hard and soft) in 10s of milliseconds | double | ms | counter | -| oracle.system_statistics.parse_time_elapsed | Total elapsed time for parsing, in 10s of milliseconds. | double | ms | counter | -| oracle.system_statistics.physical_read_bytes | Total size in bytes of all disk reads by application activity (and not other instance activity) only. 
| double | byte | counter |
-| oracle.system_statistics.physical_read_io_requests | Number of read requests for application activity (mainly buffer cache and direct load operation) which read one or more database blocks per request. | double | | counter |
-| oracle.system_statistics.physical_read_total_bytes | Total size in bytes of disk reads by all database instance activity including application reads, backup and recovery, and other utilities. | double | byte | counter |
-| oracle.system_statistics.physical_read_total_io_requests | The number of read requests which read one or more database blocks for all instance activity including application, backup and recovery, and other utilities. | double | | counter |
-| oracle.system_statistics.physical_reads | Total number of data blocks read from disk. | double | | counter |
-| oracle.system_statistics.physical_write_bytes | Total size in bytes of all disk writes from the database application activity (and not other kinds of instance activity). | double | byte | counter |
-| oracle.system_statistics.physical_write_io_requests | Number of write requests for application activity (mainly buffer cache and direct load operation) which wrote one or more database blocks per request. | double | | counter |
-| oracle.system_statistics.physical_write_total_bytes | Total size in bytes of all disk writes for the database instance including application activity, backup and recovery, and other utilities. | double | byte | counter |
-| oracle.system_statistics.physical_write_total_io_requests | The number of write requests which wrote one or more database blocks from all instance activity including application activity, backup and recovery, and other utilities. | double | | counter |
-| oracle.system_statistics.physical_writes | Total number of data blocks written to disk. This statistics value equals the sum of physical writes direct and physical writes from cache values. | double | | counter |
-| oracle.system_statistics.physical_writes_direct | Number of writes directly to disk, bypassing the buffer cache (as in a direct load operation). | double | | counter |
-| oracle.system_statistics.physical_writes_from_cache | Total number of data blocks written to disk from the buffer cache. This is a subset of "physical writes" statistic. | double | | counter |
-| oracle.system_statistics.process_last_non_idle_time | The last time this process executed. | double | | counter |
-| oracle.system_statistics.queries_parallelized | Number of SELECT statements executed in parallel. | double | | counter |
-| oracle.system_statistics.recovery_blocks_read | The number of blocks read during recovery. | double | | counter |
-| oracle.system_statistics.recursive_calls | The number of recursive calls generated at both the user and system level. | double | | counter |
-| oracle.system_statistics.recursive_cpu_usage | Total CPU time used by non-user calls (recursive calls). | double | | counter |
-| oracle.system_statistics.redo_blocks_written | Total number of redo blocks written. | double | | counter |
-| oracle.system_statistics.redo_buffer_allocation_retries | Total number of retries necessary to allocate space in the redo buffer. | double | | counter |
-| oracle.system_statistics.redo_log_space_requests | The number of times the active log file is full and Oracle must wait for disk space to be allocated for the redo log entries. | double | | counter |
-| oracle.system_statistics.redo_log_space_wait_time | Total time waited in centiseconds for available space in the redo log buffer. | double | | counter |
-| oracle.system_statistics.redo_size | Total amount of redo generated in bytes. | double | byte | counter |
-| oracle.system_statistics.redo_synch_time | Elapsed time of all redo synch writes calls in 10s of milliseconds. | double | ms | counter |
-| oracle.system_statistics.redo_write_time | Total elapsed time of the write from the redo log buffer to the current redo log file in microseconds. | double | micros | counter |
-| oracle.system_statistics.redo_writes | Total number of writes by LGWR to the redo log files. | double | | counter |
-| oracle.system_statistics.session_cursor_cache_count | Total number of cursors cached. | double | | counter |
-| oracle.system_statistics.session_cursor_cache_hits | Total number of cursors cached. | double | | counter |
-| oracle.system_statistics.session_logical_reads | The sum of db block gets plus consistent gets. This includes logical reads of database blocks from either the buffer cache or process private memory. | double | | counter |
-| oracle.system_statistics.session_stored_procedure_space | Amount of memory this session is using for stored procedures. | double | | counter |
-| oracle.system_statistics.smon_posted_for_instance_recovery | The total count or number of times SMON posted for instance recovery. | double | | counter |
-| oracle.system_statistics.smon_posted_for_txn_recovery_for_other_instances | The total count or number of times SMON posted for instance recovery | double | | counter |
-| oracle.system_statistics.sorts_disk | The number of sort operations that required at least one disk write. | double | | counter |
-| oracle.system_statistics.sorts_memory | The number of sort operations that were performed completely in memory and did not require any disk writes. | double | | counter |
-| oracle.system_statistics.sorts_rows | Total number of rows sorted. | double | | counter |
-| oracle.system_statistics.table_scan_rows_gotten | Number of rows that are processed during scanning operations. | double | | counter |
-| oracle.system_statistics.table_scans_direct_read | The number of table scans performed with direct read (bypassing the buffer cache). | double | | counter |
-| oracle.system_statistics.table_scans_long_tables | Long (or conversely short) tables can be defined as tables that do not meet the short table criteria. | double | | counter |
-| oracle.system_statistics.table_scans_rowid_ranges | During parallel query, the number of table scans conducted with specified ROWID ranges. | double | | counter |
-| oracle.system_statistics.transaction_rollbacks | Number of transactions being successfully rolled back. | double | | counter |
-| oracle.system_statistics.user_calls | Number of user calls such as login, parse, fetch, or execute. | double | | counter |
-| oracle.system_statistics.user_commits | Number of user commits. When a user commits a transaction, the redo generated that reflects the changes made to database blocks must be written to disk. | double | | counter |
-| oracle.system_statistics.user_rollbacks | Number of times users manually issue the ROLLBACK statement or an error occurs during a user's transactions. | double | | counter |
-| service.address | Address where data about this service was collected from. This should be a URI, network address (ipv4:port or [ipv6]:port) or a resource path (sockets). | keyword | | |
-| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword | | |
-
-
-An example event for `system_statistics` looks as following:
-
-```json
-{
- "oracle": {
- "system_statistics": {
- "parallel_operations_not_downgraded": 74269,
- "physical_writes_direct": 49593,
- "os_user_time_used": 0,
- "physical_writes_from_cache": 1640956,
- "user_calls": 1728270,
- "table_scan_rows_gotten": 6496308028,
- "smon_posted_for_txn_recovery_for_other_instances": 0,
- "enqueue_deadlocks": 0,
- "gc_current_block_receive_time": 0,
- "queries_parallelized": 0,
- "enqueue_releases": 204823089,
- "user_rollbacks": 566,
- "session_cursor_cache_count": 1392126,
- "redo_blocks_written": 12594127,
- "redo_buffer_allocation_retries": 20026,
- "enqueue_conversions": 5808876,
- "transaction_rollbacks": 4797,
- "physical_reads": 15267747,
- "table_scans_direct_read": 131,
- "lob_writes": 1555222,
- "java_call_heap_live_size": 0,
- "lob_reads": 250087,
- "bytes_received_via_sqlnet_from_client": 99978239,
- "table_scans_long_tables": 823,
- "java_call_heap_used_size": 0,
- "physical_writes": 1690549,
- "sorts_rows": 289153904,
- "parse_time_elapsed": 119320,
- "exchange_deadlocks": 1,
- "db_block_changes": 35370231,
- "enqueue_waits": 93701,
- "redo_size": 6102600928,
- "table_scans_rowid_ranges": 0,
- "enqueue_requests": 204831722,
- "user_commits": 178585,
- "cpu_used_by_this_session": 2532130,
- "execute_count": 29214384,
- "process_last_non_idle_time": 1659881160,
- "os_system_time_used": 0,
- "recursive_cpu_usage": 1957103,
- "redo_write_time": 123863,
- "redo_synch_time": 7173,
- "bytes_sent_via_sqlnet_to_dblink": 0,
- "parse_time_cpu": 75577,
- "physical_write_total_bytes": 36649355517,
- "enqueue_timeouts": 8601,
- "physical_write_io_requests": 959618,
- "java_call_heap_total_size": 0,
- "dbwr_checkpoints": 7081,
- "recursive_calls": 81604284,
- "index_fast_full_scans_full": 39008,
- "logons_current": 51,
- "session_cursor_cache_hits": 47613134,
- "smon_posted_for_instance_recovery": 0,
- "redo_log_space_requests": 57742,
- "physical_write_total_io_requests": 2504705,
- "parse_count_total": 6028908,
- "sorts_memory": 2134811,
- "physical_read_bytes": 125073383424,
- "sorts_disk": 0,
- "session_logical_reads": 440906935,
- "dbwr_checkpoint_buffers_written": 1186157,
- "dml_statements_parallelized": 0,
- "redo_writes": 524251,
- "recovery_blocks_read": 0,
- "index_fast_full_scans_direct_read": 0,
- "physical_read_total_io_requests": 7036559,
- "db_block_gets_from_cache": 36495181,
- "opened_cursors_current": 31,
- "db_time": 41363170,
- "bytes_received_via_sqlnet_from_dblink": 0,
- "parse_count_hard": 184548,
- "index_fast_full_scans_rowid_ranges": 0,
- "bytes_sent_via_sqlnet_to_client": 227960514,
- "session_stored_procedure_space": 0,
- "physical_write_bytes": 13848977408,
- "redo_log_space_wait_time": 382148,
- "physical_read_io_requests": 3834637,
- "physical_read_total_bytes": 183706260480
- }
- },
- "@timestamp": "2022-08-07T14:06:01.373Z",
- "data_stream": {
- "namespace": "default",
- "type": "metrics",
- "dataset": "oracle.system_statistics"
- },
- "service": {
- "address": "0.0.0.0:1521",
- "type": "sql"
- },
- "metricset": {
- "period": 60000,
- "name": "query"
- },
- "event": {
- "duration": 61168658,
- "agent_id_status": "verified",
- "ingested": "2022-08-07T14:06:02Z",
- "module": "sql",
- "dataset": "oracle.system_statistics"
- }
-}
-```
-
-### Performance Metrics
-
-Performance metrics give an overview of where time is spent in the system and enable comparisons of wait times across the system.
-
-**Exported fields**
-
-| Field | Description | Type | Unit | Metric Type |
-|---|---|---|---|---|
-| @timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. | date | | |
-| data_stream.dataset | The field can contain anything that makes sense to signify the source of the data. Examples include `nginx.access`, `prometheus`, `endpoint` etc. For data streams that otherwise fit, but that do not have dataset set we use the value "generic" for the dataset value. `event.dataset` should have the same value as `data_stream.dataset`. Beyond the Elasticsearch data stream naming criteria noted above, the `dataset` value has additional restrictions: \* Must not contain `-` \* No longer than 100 characters | constant_keyword | | |
-| data_stream.namespace | A user defined namespace. Namespaces are useful to allow grouping of data. Many users already organize their indices this way, and the data stream naming scheme now provides this best practice as a default. Many users will populate this field with `default`. If no value is used, it falls back to `default`. Beyond the Elasticsearch index naming criteria noted above, `namespace` value has the additional restrictions: \* Must not contain `-` \* No longer than 100 characters | constant_keyword | | |
-| data_stream.type | An overarching type for the data stream. Currently allowed values are "logs" and "metrics". We expect to also add "traces" and "synthetics" in the near future. | constant_keyword | | |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | | |
-| event.dataset | Event module | constant_keyword | | |
-| event.module | Event module | constant_keyword | | |
-| host.ip | Host ip addresses. | ip | | |
-| oracle.performance.buffer_pool | Name of the buffer pool in the instance. | keyword | | |
-| oracle.performance.cache.buffer.hit.pct | The cache hit ratio of the specified buffer pool. | double | percent | gauge |
-| oracle.performance.cache.get.consistent | Consistent gets statistic. | long | | gauge |
-| oracle.performance.cache.get.db_blocks | Database blocks gotten. | long | | gauge |
-| oracle.performance.cache.physical_reads | Physical reads. This metric represents the number of data blocks read from disk per second during a time period. | long | | gauge |
-| oracle.performance.cursors.avg | Average cursors opened by username and machine. | double | | gauge |
-| oracle.performance.cursors.cache_hit.pct | Ratio of session cursor cache hits from total number of cursors. | double | percent | gauge |
-| oracle.performance.cursors.max | Max cursors opened by username and machine. | double | | gauge |
-| oracle.performance.cursors.opened.current | Total number of current open cursors. | long | | gauge |
-| oracle.performance.cursors.opened.total | Total number of cursors opened since the instance started. | long | | counter |
-| oracle.performance.cursors.parse.real | "Real number of parses that occurred: session cursor cache hits - parse count (total)." | double | | gauge |
-| oracle.performance.cursors.parse.total | Total number of parse calls (hard and soft). A soft parse is a check on an object already in the shared pool, to verify that the permissions on the underlying object have not changed. | long | | gauge |
-| oracle.performance.cursors.session.cache_hits | Number of hits in the session cursor cache. A hit means that the SQL statement did not have to be reparsed. | double | | gauge |
-| oracle.performance.cursors.total | Total opened cursors by username and machine. | double | | gauge |
-| oracle.performance.failed_db_jobs | This metric checks for failed DBMS jobs. | double | | gauge |
-| oracle.performance.io_reloads | Reloads by Pins ratio. A Reload is any PIN of an object that is not the first PIN performed since the object handle was created, and which requires loading the object from disk. Pins are the number of times a PIN was requested for objects of this namespace. | double | | gauge |
-| oracle.performance.lock_requests | Average of the ratio between 'gethits' and 'gets', where 'gethits' the number of times an object's handle was found in memory and 'gets' is the number of times a lock was requested for objects of this namespace. | double | | gauge |
-| oracle.performance.machine | Operating system machine name. | keyword | | |
-| oracle.performance.pin_requests | Average of all pinhits/pins ratios, where 'PinHits' is the number of times all of the metadata pieces of the library object were found in memory and 'pins' is the number of times a PIN was requested for objects of this namespace. | double | | gauge |
-| oracle.performance.session_count.active | Total count of sessions. | double | | gauge |
-| oracle.performance.session_count.inactive | Total count of Inactive sessions. | double | | gauge |
-| oracle.performance.session_count.inactive_morethan_onehr | Total inactive sessions more than one hour. | double | | gauge |
-| oracle.performance.username | Oracle username | keyword | | |
-| oracle.performance.wait.pct_time | Percentage of time waits that are not Idle wait class. | double | percent | gauge |
-| oracle.performance.wait.pct_waits | Percentage of number of pct time waits that are not of Idle wait class. | double | percent | gauge |
-| oracle.performance.wait.time_waited_secs | Amount of time spent in the wait class by the session. | double | s | gauge |
-| oracle.performance.wait.total_waits | Number of times waits of the class occurred for the session. | double | | counter |
-| oracle.performance.wait.wait_class | Every wait event belongs to a class of wait event. Wait classes can be one of the following - Administrative, Application, Cluster, Commit, Concurrency, Configuration, Idle, Network, Other, Scheduler, System IO, User IO | keyword | | |
-| service.address | Address where data about this service was collected from. This should be a URI, network address (ipv4:port or [ipv6]:port) or a resource path (sockets). | keyword | | |
-| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword | | |
-
-
-An example event for `performance` looks as following:
-
-```json
-{
- "@timestamp": "2017-10-12T08:05:34.853Z",
- "event": {
- "dataset": "oracle.performance",
- "duration": 115000,
- "module": "sql"
- },
- "metricset": {
- "name": "query",
- "period": 60000
- },
- "oracle": {
- "performance": {
- "cursors": {
- "opened": {
- "current": 7,
- "total": 6225
- },
- "parse": {
- "real": 1336,
- "total": 3684
- },
- "session": {
- "cache_hits": 5020
- },
- "cache_hit": {
- "pct": 0.8064257028112449
- }
- },
- "io_reloads": 0.0013963503027202182,
- "lock_requests": 0.5725039956419224,
- "pin_requests": 0.7780581056654354
- }
- },
- "service": {
- "address": "oracle://localhost:1521/ORCLCDB.localdomain",
- "type": "sql"
- }
-}
-```
diff --git a/packages/oracle/1.4.0/img/Oracle-memory-dashboard.png b/packages/oracle/1.4.0/img/Oracle-memory-dashboard.png
deleted file mode 100755
index 70dca52361..0000000000
Binary files a/packages/oracle/1.4.0/img/Oracle-memory-dashboard.png and /dev/null differ
diff --git a/packages/oracle/1.4.0/img/Oracle-overview-dashboard.png b/packages/oracle/1.4.0/img/Oracle-overview-dashboard.png
deleted file mode 100755
index 86d1d08237..0000000000
Binary files a/packages/oracle/1.4.0/img/Oracle-overview-dashboard.png and /dev/null differ
diff --git a/packages/oracle/1.4.0/img/Oracle-performance-dashboard.png b/packages/oracle/1.4.0/img/Oracle-performance-dashboard.png
deleted file mode 100755
index e70c93cd1e..0000000000
Binary files a/packages/oracle/1.4.0/img/Oracle-performance-dashboard.png and /dev/null differ
diff --git a/packages/oracle/1.4.0/img/Oracle-sysmetrics-dashboard-2.png b/packages/oracle/1.4.0/img/Oracle-sysmetrics-dashboard-2.png
deleted file mode 100755
index 3bf8714846..0000000000
Binary files a/packages/oracle/1.4.0/img/Oracle-sysmetrics-dashboard-2.png and /dev/null differ
diff --git a/packages/oracle/1.4.0/img/Oracle-sysmetrics-dashboard.png b/packages/oracle/1.4.0/img/Oracle-sysmetrics-dashboard.png
deleted file mode 100755
index b9326442c1..0000000000
Binary files a/packages/oracle/1.4.0/img/Oracle-sysmetrics-dashboard.png and /dev/null differ
diff --git a/packages/oracle/1.4.0/img/Oracle-system_statistics-dashboard.png b/packages/oracle/1.4.0/img/Oracle-system_statistics-dashboard.png
deleted file mode 100755
index a7f3583ac5..0000000000
Binary files a/packages/oracle/1.4.0/img/Oracle-system_statistics-dashboard.png and /dev/null differ
diff --git a/packages/oracle/1.4.0/img/Oracle-tablespace-dashboard.png b/packages/oracle/1.4.0/img/Oracle-tablespace-dashboard.png
deleted file mode 100755
index b65c2f6c88..0000000000
Binary files a/packages/oracle/1.4.0/img/Oracle-tablespace-dashboard.png and /dev/null differ
diff --git a/packages/oracle/1.4.0/img/oracle_logo.svg b/packages/oracle/1.4.0/img/oracle_logo.svg
deleted file mode 100755
index 0981dfcff2..0000000000
--- a/packages/oracle/1.4.0/img/oracle_logo.svg
+++ /dev/null
@@ -1 +0,0 @@
-
\ No newline at end of file
diff --git a/packages/oracle/1.4.0/kibana/dashboard/oracle-55661160-08c7-11ed-9abf-15e60715cfab.json b/packages/oracle/1.4.0/kibana/dashboard/oracle-55661160-08c7-11ed-9abf-15e60715cfab.json
deleted file mode 100755
index 88a301b4e3..0000000000
--- a/packages/oracle/1.4.0/kibana/dashboard/oracle-55661160-08c7-11ed-9abf-15e60715cfab.json
+++ /dev/null
@@ -1,87 +0,0 @@ -{ - "attributes": { - "description": "An overview of key metrics from all Metricsets in the Oracle database ", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"syncTooltips\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"id\":\"\",\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"drop_last_bucket\":0,\"id\":\"ba0bb1ef-4ee9-4f73-a2aa-a225b09de689\",\"index_pattern_ref_name\":\"metrics_2d950709-7e6b-4c0e-b617-6d61c71445fd_0_index_pattern\",\"interval\":\"\",\"isModelInvalid\":false,\"max_lines_legend\":1,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"default\",\"id\":\"8d191d67-85c3-466e-9675-777356df52c7\",\"label\":\"\",\"line_width\":1,\"metrics\":[{\"field\":\"oracle.performance.cursors.avg\",\"id\":\"ed0e869d-b7b9-4a66-ad8b-8e864476b80c\",\"type\":\"avg\"}],\"override_index_pattern\":0,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"point_size\":1,\"separate_axis\":0,\"series_drop_last_bucket\":0,\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"oracle.performance.machine\",\"time_range_mode\":\"entire_time_range\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"time_range_mode\":\"entire_time_range\",\"tooltip_mode\":\"show_all\",\"truncate_legend\":1,\"type\":\"timeseries\",\"use_kibana_indexes\":true},\"title\":\"\",\"type\":\"metrics\",\"uiState\":{}}},\"gridData\":{\"h\":7,\"i\":\"2d950709-7e6b-4c0e-b617-6d61c71445fd\",\"w\":21,\"x\":0,\"y\":0},\"panelIndex\":\"2d950709-7e6b-4c0e-b617-6d61c71445fd\",\"title\":\"Average Cursors by 
Machine (Top 10)[Metrics Oracle]\",\"type\":\"visualization\",\"version\":\"8.3.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"id\":\"\",\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"drop_last_bucket\":0,\"gauge_color_rules\":[{\"id\":\"fefde680-08c7-11ed-a12c-5d4b2a3a48a4\"}],\"gauge_inner_width\":10,\"gauge_style\":\"half\",\"gauge_width\":10,\"id\":\"041284f6-9f0a-4497-a3f3-62b7fde78734\",\"index_pattern_ref_name\":\"metrics_c43feec7-7125-4f5b-9f45-42525eb507e9_0_index_pattern\",\"interval\":\"\",\"isModelInvalid\":false,\"max_lines_legend\":1,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(84,179,153,1)\",\"fill\":0.5,\"formatter\":\"default\",\"id\":\"7f68b308-f13e-420f-95e2-033405dc19b2\",\"label\":\"Cache Buffer Hit Ratio\",\"line_width\":1,\"metrics\":[{\"field\":\"oracle.performance.cache.buffer.hit.pct\",\"id\":\"bfe864c9-7c4e-49a5-bea4-faaeaee77d9d\",\"type\":\"avg\"}],\"override_index_pattern\":0,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"point_size\":1,\"separate_axis\":0,\"series_drop_last_bucket\":0,\"split_mode\":\"everything\",\"stacked\":\"none\",\"time_range_mode\":\"entire_time_range\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"time_range_mode\":\"entire_time_range\",\"tooltip_mode\":\"show_all\",\"truncate_legend\":1,\"type\":\"gauge\",\"use_kibana_indexes\":true},\"title\":\"\",\"type\":\"metrics\",\"uiState\":{}}},\"gridData\":{\"h\":7,\"i\":\"c43feec7-7125-4f5b-9f45-42525eb507e9\",\"w\":10,\"x\":21,\"y\":0},\"panelIndex\":\"c43feec7-7125-4f5b-9f45-42525eb507e9\",\"title\":\"Cache Buffer Hit Ratio [Metrics 
Oracle]\",\"type\":\"visualization\",\"version\":\"8.3.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"id\":\"\",\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"bar_color_rules\":[{\"id\":\"79a807d0-08c8-11ed-a12c-5d4b2a3a48a4\"}],\"drop_last_bucket\":0,\"id\":\"fc16576c-5187-43f1-b5ee-b5c45133a5a8\",\"index_pattern_ref_name\":\"metrics_3b1f6b7f-519e-4180-8946-ab1318580f2e_0_index_pattern\",\"interval\":\"\",\"isModelInvalid\":false,\"max_lines_legend\":1,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(84,179,153,1)\",\"fill\":0.5,\"formatter\":\"default\",\"id\":\"d0c9577a-4556-4042-af76-ce4865dd9730\",\"line_width\":1,\"metrics\":[{\"field\":\"oracle.tablespace.space.used.bytes\",\"id\":\"800f1ba7-aa50-401c-ba9e-8950b765aac3\",\"type\":\"avg\"},{\"field\":\"oracle.tablespace.space.total.bytes\",\"id\":\"94a9c9b0-08c8-11ed-a12c-5d4b2a3a48a4\",\"type\":\"avg\"},{\"id\":\"b36d9ca0-08c8-11ed-a12c-5d4b2a3a48a4\",\"script\":\"params.used / 
params.total\",\"type\":\"math\",\"variables\":[{\"field\":\"800f1ba7-aa50-401c-ba9e-8950b765aac3\",\"id\":\"b74cab90-08c8-11ed-a12c-5d4b2a3a48a4\",\"name\":\"used\"},{\"field\":\"94a9c9b0-08c8-11ed-a12c-5d4b2a3a48a4\",\"id\":\"bbb92d70-08c8-11ed-a12c-5d4b2a3a48a4\",\"name\":\"total\"}]}],\"override_index_pattern\":0,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"point_size\":1,\"separate_axis\":0,\"series_drop_last_bucket\":0,\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"oracle.tablespace.name\",\"terms_order_by\":\"800f1ba7-aa50-401c-ba9e-8950b765aac3\",\"time_range_mode\":\"entire_time_range\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"time_range_mode\":\"entire_time_range\",\"tooltip_mode\":\"show_all\",\"truncate_legend\":1,\"type\":\"top_n\",\"use_kibana_indexes\":true},\"title\":\"\",\"type\":\"metrics\",\"uiState\":{}}},\"gridData\":{\"h\":7,\"i\":\"3b1f6b7f-519e-4180-8946-ab1318580f2e\",\"w\":17,\"x\":31,\"y\":0},\"panelIndex\":\"3b1f6b7f-519e-4180-8946-ab1318580f2e\",\"title\":\"Ratio of used space in Tablespaces [Metrics Oracle]\",\"type\":\"visualization\",\"version\":\"8.3.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"id\":\"\",\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"drop_last_bucket\":0,\"id\":\"0bf6fba1-6aba-4031-b22f-caca9339ee5d\",\"index_pattern_ref_name\":\"metrics_c1ef413e-3dde-47a7-8d51-dae932fa7378_0_index_pattern\",\"interval\":\"\",\"isModelInvalid\":false,\"max_lines_legend\":1,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"default\",\"id\":\"8c22d686-b04c-4154-a424-d2e366b260f8\",\"label\":\"Top 10 Total 
cursors\",\"line_width\":1,\"metrics\":[{\"field\":\"oracle.performance.cursors.total\",\"id\":\"42eab07c-8975-4bf8-b429-85ae12bd3e7d\",\"type\":\"avg\"}],\"override_index_pattern\":0,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"point_size\":1,\"separate_axis\":0,\"series_drop_last_bucket\":0,\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"oracle.performance.machine\",\"terms_order_by\":\"42eab07c-8975-4bf8-b429-85ae12bd3e7d\",\"time_range_mode\":\"entire_time_range\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"time_range_mode\":\"entire_time_range\",\"tooltip_mode\":\"show_all\",\"truncate_legend\":1,\"type\":\"timeseries\",\"use_kibana_indexes\":true},\"title\":\"\",\"type\":\"metrics\",\"uiState\":{}}},\"gridData\":{\"h\":8,\"i\":\"c1ef413e-3dde-47a7-8d51-dae932fa7378\",\"w\":21,\"x\":0,\"y\":7},\"panelIndex\":\"c1ef413e-3dde-47a7-8d51-dae932fa7378\",\"title\":\"Total Cursors by machine (Top 10) [Metrics Oracle]\",\"type\":\"visualization\",\"version\":\"8.3.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"id\":\"\",\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"drop_last_bucket\":0,\"id\":\"fc4dfe11-e6db-4167-920e-64f122def5d8\",\"index_pattern_ref_name\":\"metrics_3876b6d8-78a7-4c9e-81a3-fb36778d3877_0_index_pattern\",\"interval\":\"\",\"isModelInvalid\":false,\"max_lines_legend\":1,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"default\",\"id\":\"4037b186-ba3b-4373-8aab-6507be08330d\",\"label\":\"IO 
Reloads\",\"line_width\":1,\"metrics\":[{\"field\":\"oracle.performance.io_reloads\",\"id\":\"d67d6b0e-7afc-4571-826f-b36aeeed432f\",\"type\":\"avg\"}],\"override_index_pattern\":0,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"point_size\":1,\"separate_axis\":0,\"series_drop_last_bucket\":0,\"split_mode\":\"everything\",\"stacked\":\"none\",\"time_range_mode\":\"entire_time_range\"},{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(96,146,192,1)\",\"fill\":0.5,\"formatter\":\"default\",\"id\":\"8a3e6c80-08d0-11ed-a12c-5d4b2a3a48a4\",\"label\":\"Lock Requets\",\"line_width\":1,\"metrics\":[{\"field\":\"oracle.performance.lock_requests\",\"id\":\"8a3e6c81-08d0-11ed-a12c-5d4b2a3a48a4\",\"type\":\"avg\"}],\"override_index_pattern\":0,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"point_size\":1,\"separate_axis\":0,\"series_drop_last_bucket\":0,\"split_mode\":\"everything\",\"stacked\":\"none\"},{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(145,112,184,1)\",\"fill\":0.5,\"formatter\":\"default\",\"id\":\"9fead320-08d0-11ed-a12c-5d4b2a3a48a4\",\"label\":\"Pin Requests\",\"line_width\":1,\"metrics\":[{\"field\":\"oracle.performance.pin_requests\",\"id\":\"9fead321-08d0-11ed-a12c-5d4b2a3a48a4\",\"type\":\"avg\"}],\"override_index_pattern\":0,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"point_size\":1,\"separate_axis\":0,\"series_drop_last_bucket\":0,\"split_mode\":\"everything\",\"stacked\":\"none\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"time_range_mode\":\"entire_time_range\",\"tooltip_mode\":\"show_all\",\"truncate_legend\":1,\"type\":\"timeseries\",\"use_kibana_indexes\":true},\"title\":\"\",\"type\":\"metrics\",\"uiState\":{}}},\"gridData\":{\"h\":8,\"i\":\"3876b6d8-78a7-4c9e-81a3-fb36778d3877\",\"w\":27,\"x\":21,\"y\":7},\"panelIndex\":\"3876b6d8-78a7-4c9e-81a3-fb36778d3877\",\"title\":\"Lock/Pin requests and IO reloads ratios [Metrics 
Oracle]\",\"type\":\"visualization\",\"version\":\"8.3.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"id\":\"51dfc970-08ca-11ed-a12c-5d4b2a3a48a4\"}],\"drop_last_bucket\":0,\"id\":\"0bf6fba1-6aba-4031-b22f-caca9339ee5d\",\"index_pattern_ref_name\":\"metrics_40e7a0e6-3dbd-4a3e-a16c-00d158510f1f_0_index_pattern\",\"interval\":\"\",\"isModelInvalid\":false,\"max_lines_legend\":1,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(84,179,153,1)\",\"fill\":0.5,\"formatter\":\"default\",\"id\":\"8c22d686-b04c-4154-a424-d2e366b260f8\",\"label\":\"Current opened cursors\",\"line_width\":1,\"metrics\":[{\"field\":\"oracle.performance.cursors.opened.current\",\"id\":\"42eab07c-8975-4bf8-b429-85ae12bd3e7d\",\"type\":\"avg\"}],\"override_index_pattern\":0,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"point_size\":1,\"separate_axis\":0,\"series_drop_last_bucket\":0,\"split_mode\":\"everything\",\"stacked\":\"none\",\"time_range_mode\":\"entire_time_range\"}],\"show_grid\":1,\"show_legend\":0,\"time_field\":\"\",\"time_range_mode\":\"entire_time_range\",\"tooltip_mode\":\"show_all\",\"truncate_legend\":1,\"type\":\"timeseries\",\"use_kibana_indexes\":true},\"title\":\"\",\"type\":\"metrics\",\"uiState\":{}}},\"gridData\":{\"h\":9,\"i\":\"40e7a0e6-3dbd-4a3e-a16c-00d158510f1f\",\"w\":21,\"x\":0,\"y\":15},\"panelIndex\":\"40e7a0e6-3dbd-4a3e-a16c-00d158510f1f\",\"title\":\"Current opened cursors [Metrics 
Oracle]\",\"type\":\"visualization\",\"version\":\"8.3.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"drop_last_bucket\":0,\"id\":\"fc4dfe11-e6db-4167-920e-64f122def5d8\",\"index_pattern_ref_name\":\"metrics_2e70259a-baf0-4aaa-a2f6-5d788a4ba970_0_index_pattern\",\"interval\":\"\",\"isModelInvalid\":false,\"max_lines_legend\":1,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(96,146,192,1)\",\"fill\":0.5,\"formatter\":\"default\",\"id\":\"4037b186-ba3b-4373-8aab-6507be08330d\",\"label\":\"Data file size by filename\",\"line_width\":1,\"metrics\":[{\"field\":\"oracle.tablespace.data_file.size.bytes\",\"id\":\"d67d6b0e-7afc-4571-826f-b36aeeed432f\",\"type\":\"avg\"}],\"override_index_pattern\":0,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"point_size\":1,\"separate_axis\":0,\"series_drop_last_bucket\":0,\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"oracle.tablespace.data_file.name\",\"terms_order_by\":\"d67d6b0e-7afc-4571-826f-b36aeeed432f\",\"time_range_mode\":\"entire_time_range\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"time_range_mode\":\"entire_time_range\",\"tooltip_mode\":\"show_all\",\"truncate_legend\":1,\"type\":\"timeseries\",\"use_kibana_indexes\":true},\"title\":\"\",\"type\":\"metrics\",\"uiState\":{}}},\"gridData\":{\"h\":8,\"i\":\"2e70259a-baf0-4aaa-a2f6-5d788a4ba970\",\"w\":27,\"x\":21,\"y\":15},\"panelIndex\":\"2e70259a-baf0-4aaa-a2f6-5d788a4ba970\",\"title\":\"Avg data file size by filename [Metrics 
Oracle]\",\"type\":\"visualization\",\"version\":\"8.3.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"id\":\"51dfc970-08ca-11ed-a12c-5d4b2a3a48a4\"}],\"drop_last_bucket\":0,\"id\":\"0bf6fba1-6aba-4031-b22f-caca9339ee5d\",\"index_pattern_ref_name\":\"metrics_35e1b318-2d7b-48b5-9f9c-1339c1355f05_0_index_pattern\",\"interval\":\"\",\"isModelInvalid\":false,\"max_lines_legend\":1,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(84,179,153,1)\",\"fill\":0.5,\"formatter\":\"default\",\"id\":\"8c22d686-b04c-4154-a424-d2e366b260f8\",\"label\":\"Session cache hits\",\"line_width\":1,\"metrics\":[{\"field\":\"oracle.performance.cursors.session.cache_hits\",\"id\":\"42eab07c-8975-4bf8-b429-85ae12bd3e7d\",\"type\":\"avg\"}],\"override_index_pattern\":0,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"point_size\":1,\"separate_axis\":0,\"series_drop_last_bucket\":0,\"split_mode\":\"everything\",\"stacked\":\"none\",\"time_range_mode\":\"entire_time_range\"}],\"show_grid\":1,\"show_legend\":0,\"time_field\":\"\",\"time_range_mode\":\"entire_time_range\",\"tooltip_mode\":\"show_all\",\"truncate_legend\":1,\"type\":\"timeseries\",\"use_kibana_indexes\":true},\"title\":\"\",\"type\":\"metrics\",\"uiState\":{}}},\"gridData\":{\"h\":10,\"i\":\"35e1b318-2d7b-48b5-9f9c-1339c1355f05\",\"w\":27,\"x\":21,\"y\":23},\"panelIndex\":\"35e1b318-2d7b-48b5-9f9c-1339c1355f05\",\"title\":\"Session cache hits [Metrics 
Oracle]\",\"type\":\"visualization\",\"version\":\"8.3.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"id\":\"51dfc970-08ca-11ed-a12c-5d4b2a3a48a4\"}],\"drop_last_bucket\":0,\"id\":\"0bf6fba1-6aba-4031-b22f-caca9339ee5d\",\"index_pattern_ref_name\":\"metrics_57b32d4a-8d5e-48a0-afc9-31a672064a2b_0_index_pattern\",\"interval\":\"\",\"isModelInvalid\":false,\"max_lines_legend\":1,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(96,146,192,1)\",\"fill\":0.5,\"formatter\":\"default\",\"id\":\"8c22d686-b04c-4154-a424-d2e366b260f8\",\"label\":\"DB Blocks gets\",\"line_width\":1,\"metrics\":[{\"field\":\"oracle.performance.cache.get.db_blocks\",\"id\":\"42eab07c-8975-4bf8-b429-85ae12bd3e7d\",\"type\":\"avg\"}],\"override_index_pattern\":0,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"point_size\":1,\"separate_axis\":0,\"series_drop_last_bucket\":0,\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"oracle.performance.buffer_pool\",\"time_range_mode\":\"entire_time_range\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"time_range_mode\":\"entire_time_range\",\"tooltip_mode\":\"show_all\",\"truncate_legend\":1,\"type\":\"timeseries\",\"use_kibana_indexes\":true},\"title\":\"\",\"type\":\"metrics\",\"uiState\":{}}},\"gridData\":{\"h\":9,\"i\":\"57b32d4a-8d5e-48a0-afc9-31a672064a2b\",\"w\":21,\"x\":0,\"y\":24},\"panelIndex\":\"57b32d4a-8d5e-48a0-afc9-31a672064a2b\",\"title\":\"DB Blocks Gets by buffer pool (Top 10) [Metrics 
Oracle]\",\"type\":\"visualization\",\"version\":\"8.3.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"id\":\"51dfc970-08ca-11ed-a12c-5d4b2a3a48a4\"}],\"drop_last_bucket\":0,\"id\":\"0bf6fba1-6aba-4031-b22f-caca9339ee5d\",\"index_pattern_ref_name\":\"metrics_e4597686-26b6-4f14-aa5c-4773e6f59e1a_0_index_pattern\",\"interval\":\"\",\"isModelInvalid\":false,\"max_lines_legend\":1,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(96,146,192,1)\",\"fill\":0.5,\"formatter\":\"default\",\"id\":\"8c22d686-b04c-4154-a424-d2e366b260f8\",\"label\":\"Top 10 Total cursors\",\"line_width\":1,\"metrics\":[{\"field\":\"oracle.performance.cursors.max\",\"id\":\"42eab07c-8975-4bf8-b429-85ae12bd3e7d\",\"type\":\"avg\"}],\"override_index_pattern\":0,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"point_size\":1,\"separate_axis\":0,\"series_drop_last_bucket\":0,\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"oracle.performance.machine\",\"time_range_mode\":\"entire_time_range\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"time_range_mode\":\"entire_time_range\",\"tooltip_mode\":\"show_all\",\"truncate_legend\":1,\"type\":\"timeseries\",\"use_kibana_indexes\":true},\"title\":\"\",\"type\":\"metrics\",\"uiState\":{}}},\"gridData\":{\"h\":9,\"i\":\"e4597686-26b6-4f14-aa5c-4773e6f59e1a\",\"w\":14,\"x\":0,\"y\":33},\"panelIndex\":\"e4597686-26b6-4f14-aa5c-4773e6f59e1a\",\"title\":\"Max Cursors by machine (Top 10) [Metrics 
Oracle]\",\"type\":\"visualization\",\"version\":\"8.3.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"id\":\"51dfc970-08ca-11ed-a12c-5d4b2a3a48a4\"}],\"drop_last_bucket\":0,\"id\":\"0bf6fba1-6aba-4031-b22f-caca9339ee5d\",\"index_pattern_ref_name\":\"metrics_14d04a9d-5a41-47e0-a188-297dbf41776e_0_index_pattern\",\"interval\":\"\",\"isModelInvalid\":false,\"max_lines_legend\":1,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(96,146,192,1)\",\"fill\":0.5,\"formatter\":\"default\",\"id\":\"8c22d686-b04c-4154-a424-d2e366b260f8\",\"label\":\"Tablespace total size (TEMP)\",\"line_width\":1,\"metrics\":[{\"field\":\"oracle.tablespace.space.total.bytes\",\"id\":\"42eab07c-8975-4bf8-b429-85ae12bd3e7d\",\"type\":\"avg\"}],\"override_index_pattern\":0,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"point_size\":1,\"separate_axis\":0,\"series_drop_last_bucket\":0,\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_exclude\":\"\",\"terms_field\":\"oracle.tablespace.name\",\"terms_include\":\"TEMP\",\"terms_order_by\":\"42eab07c-8975-4bf8-b429-85ae12bd3e7d\",\"time_range_mode\":\"entire_time_range\"},{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"default\",\"id\":\"4fe2fb20-08e2-11ed-bbf2-8b9cc975c696\",\"label\":\"Tablespace total size (Not TEMP)\",\"line_width\":1,\"metrics\":[{\"field\":\"oracle.tablespace.space.used.bytes\",\"id\":\"4fe2fb21-08e2-11ed-bbf2-8b9cc975c696\",\"type\":\"avg\"},{\"field\":\"oracle.tablespace.space.free.bytes\",\"id\":\"a2c90eb0-08e2-11ed-bbf2-8b9cc975c696\",\"type\":\"avg\"},{\"id\":\"db2acdc0-08e2-11ed-bbf2-8b9cc975c696\",\"script\":\"params.used + 
params.free\",\"type\":\"math\",\"variables\":[{\"field\":\"4fe2fb21-08e2-11ed-bbf2-8b9cc975c696\",\"id\":\"e155ef90-08e2-11ed-bbf2-8b9cc975c696\",\"name\":\"used\"},{\"field\":\"a2c90eb0-08e2-11ed-bbf2-8b9cc975c696\",\"id\":\"e5019270-08e2-11ed-bbf2-8b9cc975c696\",\"name\":\"free\"}]}],\"override_index_pattern\":0,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"point_size\":1,\"separate_axis\":0,\"series_drop_last_bucket\":0,\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_exclude\":\"TEMP\",\"terms_field\":\"oracle.tablespace.name\",\"time_range_mode\":\"entire_time_range\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"time_range_mode\":\"entire_time_range\",\"tooltip_mode\":\"show_all\",\"truncate_legend\":1,\"type\":\"timeseries\",\"use_kibana_indexes\":true},\"title\":\"\",\"type\":\"metrics\",\"uiState\":{}}},\"gridData\":{\"h\":9,\"i\":\"14d04a9d-5a41-47e0-a188-297dbf41776e\",\"w\":16,\"x\":14,\"y\":33},\"panelIndex\":\"14d04a9d-5a41-47e0-a188-297dbf41776e\",\"title\":\"Tablespace Total Size [Metrics Oracle]\",\"type\":\"visualization\",\"version\":\"8.3.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"id\":\"51dfc970-08ca-11ed-a12c-5d4b2a3a48a4\"}],\"drop_last_bucket\":0,\"id\":\"0bf6fba1-6aba-4031-b22f-caca9339ee5d\",\"index_pattern_ref_name\":\"metrics_db7524f9-0a44-4e90-9681-dbce2b0d07e7_0_index_pattern\",\"interval\":\"\",\"isModelInvalid\":false,\"max_lines_legend\":1,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(84,179,153,1)\",\"fill\":0.5,\"formatter\":\"default\",\"id\":\"8c22d686-b04c-4154-a424-d2e366b260f8\",\"label\":\"Real parsed 
cursors\",\"line_width\":1,\"metrics\":[{\"field\":\"oracle.performance.cursors.parse.real\",\"id\":\"42eab07c-8975-4bf8-b429-85ae12bd3e7d\",\"type\":\"avg\"}],\"override_index_pattern\":0,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"point_size\":1,\"separate_axis\":0,\"series_drop_last_bucket\":0,\"split_mode\":\"everything\",\"stacked\":\"none\",\"time_range_mode\":\"entire_time_range\"}],\"show_grid\":1,\"show_legend\":0,\"time_field\":\"\",\"time_range_mode\":\"entire_time_range\",\"tooltip_mode\":\"show_all\",\"truncate_legend\":1,\"type\":\"timeseries\",\"use_kibana_indexes\":true},\"title\":\"\",\"type\":\"metrics\",\"uiState\":{}}},\"gridData\":{\"h\":9,\"i\":\"db7524f9-0a44-4e90-9681-dbce2b0d07e7\",\"w\":18,\"x\":30,\"y\":33},\"panelIndex\":\"db7524f9-0a44-4e90-9681-dbce2b0d07e7\",\"title\":\"Total / Real parsed cursors [Metrics Oracle]\",\"type\":\"visualization\",\"version\":\"8.3.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"drop_last_bucket\":0,\"id\":\"fc4dfe11-e6db-4167-920e-64f122def5d8\",\"index_pattern_ref_name\":\"metrics_1ef29c9d-9b46-4f2a-89db-63a6d586d2e0_0_index_pattern\",\"interval\":\"\",\"isModelInvalid\":false,\"max_lines_legend\":1,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(96,146,192,1)\",\"fill\":0.5,\"formatter\":\"default\",\"id\":\"4037b186-ba3b-4373-8aab-6507be08330d\",\"label\":\"Consistent 
Gets\",\"line_width\":1,\"metrics\":[{\"field\":\"oracle.performance.cache.get.consistent\",\"id\":\"d67d6b0e-7afc-4571-826f-b36aeeed432f\",\"type\":\"avg\"}],\"override_index_pattern\":0,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"point_size\":1,\"separate_axis\":0,\"series_drop_last_bucket\":0,\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"oracle.performance.buffer_pool\",\"terms_order_by\":\"d67d6b0e-7afc-4571-826f-b36aeeed432f\",\"time_range_mode\":\"entire_time_range\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"time_range_mode\":\"entire_time_range\",\"tooltip_mode\":\"show_all\",\"truncate_legend\":1,\"type\":\"timeseries\",\"use_kibana_indexes\":true},\"title\":\"\",\"type\":\"metrics\",\"uiState\":{}}},\"gridData\":{\"h\":11,\"i\":\"1ef29c9d-9b46-4f2a-89db-63a6d586d2e0\",\"w\":48,\"x\":0,\"y\":42},\"panelIndex\":\"1ef29c9d-9b46-4f2a-89db-63a6d586d2e0\",\"title\":\"Consistent Gets by buffer pool (Top 10) [Metrics Oracle]\",\"type\":\"visualization\",\"version\":\"8.3.0\"}]", - "timeRestore": false, - "title": "[Metrics Oracle] Overview", - "version": 1 - }, - "coreMigrationVersion": "8.3.0", - "id": "oracle-55661160-08c7-11ed-9abf-15e60715cfab", - "migrationVersion": { - "dashboard": "8.3.0" - }, - "references": [ - { - "id": "metrics-*", - "name": "2d950709-7e6b-4c0e-b617-6d61c71445fd:metrics_2d950709-7e6b-4c0e-b617-6d61c71445fd_0_index_pattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "c43feec7-7125-4f5b-9f45-42525eb507e9:metrics_c43feec7-7125-4f5b-9f45-42525eb507e9_0_index_pattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "3b1f6b7f-519e-4180-8946-ab1318580f2e:metrics_3b1f6b7f-519e-4180-8946-ab1318580f2e_0_index_pattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "c1ef413e-3dde-47a7-8d51-dae932fa7378:metrics_c1ef413e-3dde-47a7-8d51-dae932fa7378_0_index_pattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": 
"3876b6d8-78a7-4c9e-81a3-fb36778d3877:metrics_3876b6d8-78a7-4c9e-81a3-fb36778d3877_0_index_pattern",
- "type": "index-pattern"
- },
- {
- "id": "metrics-*",
- "name": "40e7a0e6-3dbd-4a3e-a16c-00d158510f1f:metrics_40e7a0e6-3dbd-4a3e-a16c-00d158510f1f_0_index_pattern",
- "type": "index-pattern"
- },
- {
- "id": "metrics-*",
- "name": "2e70259a-baf0-4aaa-a2f6-5d788a4ba970:metrics_2e70259a-baf0-4aaa-a2f6-5d788a4ba970_0_index_pattern",
- "type": "index-pattern"
- },
- {
- "id": "metrics-*",
- "name": "35e1b318-2d7b-48b5-9f9c-1339c1355f05:metrics_35e1b318-2d7b-48b5-9f9c-1339c1355f05_0_index_pattern",
- "type": "index-pattern"
- },
- {
- "id": "metrics-*",
- "name": "57b32d4a-8d5e-48a0-afc9-31a672064a2b:metrics_57b32d4a-8d5e-48a0-afc9-31a672064a2b_0_index_pattern",
- "type": "index-pattern"
- },
- {
- "id": "metrics-*",
- "name": "e4597686-26b6-4f14-aa5c-4773e6f59e1a:metrics_e4597686-26b6-4f14-aa5c-4773e6f59e1a_0_index_pattern",
- "type": "index-pattern"
- },
- {
- "id": "metrics-*",
- "name": "14d04a9d-5a41-47e0-a188-297dbf41776e:metrics_14d04a9d-5a41-47e0-a188-297dbf41776e_0_index_pattern",
- "type": "index-pattern"
- },
- {
- "id": "metrics-*",
- "name": "db7524f9-0a44-4e90-9681-dbce2b0d07e7:metrics_db7524f9-0a44-4e90-9681-dbce2b0d07e7_0_index_pattern",
- "type": "index-pattern"
- },
- {
- "id": "metrics-*",
- "name": "1ef29c9d-9b46-4f2a-89db-63a6d586d2e0:metrics_1ef29c9d-9b46-4f2a-89db-63a6d586d2e0_0_index_pattern",
- "type": "index-pattern"
- }
- ],
- "type": "dashboard"
-}
\ No newline at end of file
diff --git a/packages/oracle/1.4.0/kibana/dashboard/oracle-59eeb380-08d7-11ed-9abf-15e60715cfab.json b/packages/oracle/1.4.0/kibana/dashboard/oracle-59eeb380-08d7-11ed-9abf-15e60715cfab.json
deleted file mode 100755
index 3d43249d62..0000000000
--- a/packages/oracle/1.4.0/kibana/dashboard/oracle-59eeb380-08d7-11ed-9abf-15e60715cfab.json
+++ /dev/null
@@ -1,108 +0,0 @@
-{
- "attributes": {
- "controlGroupInput": {
- "chainingSystem": "HIERARCHICAL",
- "controlStyle": "oneLine",
- "ignoreParentSettingsJSON": "{\"ignoreFilters\":false,\"ignoreQuery\":false,\"ignoreTimerange\":false,\"ignoreValidations\":false}",
- "panelsJSON": "{\"e40198de-6b6b-41ef-97e3-ffece3aa8162\":{\"order\":0,\"width\":\"medium\",\"grow\":true,\"type\":\"optionsListControl\",\"explicitInput\":{\"fieldName\":\"service.address\",\"title\":\"Oracle Host Control\",\"id\":\"e40198de-6b6b-41ef-97e3-ffece3aa8162\",\"enhancements\":{}}}}"
- },
- "description": "An overview of key metrics from Sysmetric Metricsets in the Oracle database ",
- "hits": 0,
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}"
- },
- "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"syncTooltips\":false,\"useMargins\":true}",
- "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"id\":\"\",\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"drop_last_bucket\":0,\"id\":\"c6a7c206-f75c-44f1-9142-c4408879556b\",\"index_pattern_ref_name\":\"metrics_5461235c-8f78-4efc-8d60-fdcbb1a3823e_0_index_pattern\",\"interval\":\"\",\"isModelInvalid\":false,\"max_lines_legend\":1,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(84,179,153,1)\",\"fill\":0.5,\"formatter\":\"default\",\"id\":\"fa2ed62e-0a11-466f-9d6b-d6cbe8b97c02\",\"label\":\"Session 
Count\",\"line_width\":1,\"metrics\":[{\"agg_with\":\"avg\",\"field\":\"oracle.sysmetric.session_count\",\"id\":\"9465e81a-cfbb-4c7b-bfc3-9d2154518673\",\"order\":\"desc\",\"type\":\"top_hit\"}],\"override_index_pattern\":0,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"point_size\":1,\"separate_axis\":0,\"series_drop_last_bucket\":0,\"split_mode\":\"everything\",\"stacked\":\"none\",\"time_range_mode\":\"entire_time_range\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"time_range_mode\":\"entire_time_range\",\"tooltip_mode\":\"show_all\",\"truncate_legend\":1,\"type\":\"timeseries\",\"use_kibana_indexes\":true},\"title\":\"\",\"type\":\"metrics\",\"uiState\":{}}},\"gridData\":{\"h\":9,\"i\":\"5461235c-8f78-4efc-8d60-fdcbb1a3823e\",\"w\":24,\"x\":0,\"y\":0},\"panelIndex\":\"5461235c-8f78-4efc-8d60-fdcbb1a3823e\",\"title\":\"Top 10 session counts by host [Metrics Oracle]\",\"type\":\"visualization\",\"version\":\"8.3.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"bar_color_rules\":[{\"id\":\"24ebfdf0-08d7-11ed-a12c-5d4b2a3a48a4\"}],\"drop_last_bucket\":0,\"id\":\"c6a7c206-f75c-44f1-9142-c4408879556b\",\"index_pattern_ref_name\":\"metrics_d19f3a74-3c36-46e6-b682-bdaa3b8dcc26_0_index_pattern\",\"interval\":\"\",\"isModelInvalid\":false,\"max_lines_legend\":1,\"pivot_id\":\"service.address\",\"pivot_label\":\"Host Name\",\"pivot_type\":\"string\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"default\",\"id\":\"fa2ed62e-0a11-466f-9d6b-d6cbe8b97c02\",\"label\":\"Session 
Count\",\"line_width\":1,\"metrics\":[{\"agg_with\":\"avg\",\"field\":\"oracle.sysmetric.average_active_sessions\",\"id\":\"9465e81a-cfbb-4c7b-bfc3-9d2154518673\",\"order\":\"desc\",\"type\":\"top_hit\"}],\"override_index_pattern\":0,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"point_size\":1,\"separate_axis\":0,\"series_drop_last_bucket\":0,\"split_mode\":\"everything\",\"stacked\":\"none\",\"time_range_mode\":\"entire_time_range\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"time_range_mode\":\"entire_time_range\",\"tooltip_mode\":\"show_all\",\"truncate_legend\":1,\"type\":\"table\",\"use_kibana_indexes\":true},\"title\":\"\",\"type\":\"metrics\",\"uiState\":{}}},\"gridData\":{\"h\":9,\"i\":\"d19f3a74-3c36-46e6-b682-bdaa3b8dcc26\",\"w\":24,\"x\":24,\"y\":0},\"panelIndex\":\"d19f3a74-3c36-46e6-b682-bdaa3b8dcc26\",\"title\":\"Top 10 session counts by host [Metrics Oracle]\",\"type\":\"visualization\",\"version\":\"8.3.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"drop_last_bucket\":0,\"id\":\"c6a7c206-f75c-44f1-9142-c4408879556b\",\"index_pattern_ref_name\":\"metrics_1edc70d6-135f-42f7-8148-a826a9c769d2_0_index_pattern\",\"interval\":\"\",\"isModelInvalid\":false,\"max_lines_legend\":1,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(84,179,153,1)\",\"fill\":0.5,\"formatter\":\"default\",\"id\":\"fa2ed62e-0a11-466f-9d6b-d6cbe8b97c02\",\"label\":\"Current OS 
Load\",\"line_width\":1,\"metrics\":[{\"agg_with\":\"avg\",\"field\":\"oracle.sysmetric.current_os_load\",\"id\":\"9465e81a-cfbb-4c7b-bfc3-9d2154518673\",\"order\":\"desc\",\"type\":\"top_hit\"}],\"override_index_pattern\":0,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"point_size\":1,\"separate_axis\":0,\"series_drop_last_bucket\":0,\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"service.address\",\"time_range_mode\":\"entire_time_range\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"time_range_mode\":\"entire_time_range\",\"tooltip_mode\":\"show_all\",\"truncate_legend\":1,\"type\":\"timeseries\",\"use_kibana_indexes\":true},\"title\":\"\",\"type\":\"metrics\",\"uiState\":{}}},\"gridData\":{\"h\":9,\"i\":\"1edc70d6-135f-42f7-8148-a826a9c769d2\",\"w\":24,\"x\":0,\"y\":9},\"panelIndex\":\"1edc70d6-135f-42f7-8148-a826a9c769d2\",\"title\":\"Current OS Load [Metrics Oracle]\",\"type\":\"visualization\",\"version\":\"8.3.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"drop_last_bucket\":0,\"id\":\"c6a7c206-f75c-44f1-9142-c4408879556b\",\"index_pattern_ref_name\":\"metrics_da3c4da2-7ff9-478d-bd73-9a4342f6bac1_0_index_pattern\",\"interval\":\"\",\"isModelInvalid\":false,\"max_lines_legend\":1,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(84,179,153,1)\",\"fill\":0.5,\"formatter\":\"default\",\"id\":\"fa2ed62e-0a11-466f-9d6b-d6cbe8b97c02\",\"label\":\"Physical Reads per 
second\",\"line_width\":1,\"metrics\":[{\"agg_with\":\"avg\",\"field\":\"oracle.sysmetric.physical_read_bytes_per_sec\",\"id\":\"9465e81a-cfbb-4c7b-bfc3-9d2154518673\",\"order\":\"desc\",\"type\":\"top_hit\"}],\"override_index_pattern\":0,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"point_size\":1,\"separate_axis\":0,\"series_drop_last_bucket\":0,\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"service.address\",\"time_range_mode\":\"entire_time_range\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"time_range_mode\":\"entire_time_range\",\"tooltip_mode\":\"show_all\",\"truncate_legend\":1,\"type\":\"timeseries\",\"use_kibana_indexes\":true},\"title\":\"\",\"type\":\"metrics\",\"uiState\":{}}},\"gridData\":{\"h\":9,\"i\":\"da3c4da2-7ff9-478d-bd73-9a4342f6bac1\",\"w\":24,\"x\":24,\"y\":9},\"panelIndex\":\"da3c4da2-7ff9-478d-bd73-9a4342f6bac1\",\"title\":\"Physical Reads per second [Metrics Oracle]\",\"type\":\"visualization\",\"version\":\"8.3.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"drop_last_bucket\":0,\"id\":\"c6a7c206-f75c-44f1-9142-c4408879556b\",\"index_pattern_ref_name\":\"metrics_e412984d-be6e-4d04-b53e-50a90837f9df_0_index_pattern\",\"interval\":\"\",\"isModelInvalid\":false,\"max_lines_legend\":1,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(84,179,153,1)\",\"fill\":0.5,\"formatter\":\"default\",\"id\":\"fa2ed62e-0a11-466f-9d6b-d6cbe8b97c02\",\"label\":\"User Transactions per 
second\",\"line_width\":1,\"metrics\":[{\"agg_with\":\"avg\",\"field\":\"oracle.sysmetric.user_transaction_per_sec\",\"id\":\"9465e81a-cfbb-4c7b-bfc3-9d2154518673\",\"order\":\"desc\",\"type\":\"top_hit\"}],\"override_index_pattern\":0,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"point_size\":1,\"separate_axis\":0,\"series_drop_last_bucket\":0,\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"service.address\",\"time_range_mode\":\"entire_time_range\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"time_range_mode\":\"entire_time_range\",\"tooltip_mode\":\"show_all\",\"truncate_legend\":1,\"type\":\"timeseries\",\"use_kibana_indexes\":true},\"title\":\"\",\"type\":\"metrics\",\"uiState\":{}}},\"gridData\":{\"h\":9,\"i\":\"e412984d-be6e-4d04-b53e-50a90837f9df\",\"w\":24,\"x\":0,\"y\":18},\"panelIndex\":\"e412984d-be6e-4d04-b53e-50a90837f9df\",\"title\":\"User Transactions per second [Metrics Oracle]\",\"type\":\"visualization\",\"version\":\"8.3.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"drop_last_bucket\":0,\"id\":\"c6a7c206-f75c-44f1-9142-c4408879556b\",\"index_pattern_ref_name\":\"metrics_d18cbbd4-2e10-4af0-94e0-848f9da6bb66_0_index_pattern\",\"interval\":\"\",\"isModelInvalid\":false,\"max_lines_legend\":1,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(84,179,153,1)\",\"fill\":0.5,\"formatter\":\"default\",\"id\":\"fa2ed62e-0a11-466f-9d6b-d6cbe8b97c02\",\"label\":\"Total Table Scans per 
transaction\",\"line_width\":1,\"metrics\":[{\"agg_with\":\"avg\",\"field\":\"oracle.sysmetric.total_table_scans_per_txn\",\"id\":\"9465e81a-cfbb-4c7b-bfc3-9d2154518673\",\"order\":\"desc\",\"type\":\"top_hit\"}],\"override_index_pattern\":0,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"point_size\":1,\"separate_axis\":0,\"series_drop_last_bucket\":0,\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"service.address\",\"time_range_mode\":\"entire_time_range\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"time_range_mode\":\"entire_time_range\",\"tooltip_mode\":\"show_all\",\"truncate_legend\":1,\"type\":\"timeseries\",\"use_kibana_indexes\":true},\"title\":\"\",\"type\":\"metrics\",\"uiState\":{}}},\"gridData\":{\"h\":9,\"i\":\"d18cbbd4-2e10-4af0-94e0-848f9da6bb66\",\"w\":24,\"x\":24,\"y\":18},\"panelIndex\":\"d18cbbd4-2e10-4af0-94e0-848f9da6bb66\",\"title\":\"Total Table Scans per transaction [Metrics Oracle]\",\"type\":\"visualization\",\"version\":\"8.3.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"drop_last_bucket\":0,\"id\":\"c6a7c206-f75c-44f1-9142-c4408879556b\",\"index_pattern_ref_name\":\"metrics_85469acb-e2aa-4a16-8c70-66307d94cf5f_0_index_pattern\",\"interval\":\"\",\"isModelInvalid\":false,\"max_lines_legend\":1,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(84,179,153,1)\",\"fill\":0.5,\"formatter\":\"default\",\"id\":\"fa2ed62e-0a11-466f-9d6b-d6cbe8b97c02\",\"label\":\"Physical Writes per 
second\",\"line_width\":1,\"metrics\":[{\"agg_with\":\"avg\",\"field\":\"oracle.sysmetric.physical_write_bytes_per_sec\",\"id\":\"9465e81a-cfbb-4c7b-bfc3-9d2154518673\",\"order\":\"desc\",\"type\":\"top_hit\"}],\"override_index_pattern\":0,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"point_size\":1,\"separate_axis\":0,\"series_drop_last_bucket\":0,\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"service.address\",\"time_range_mode\":\"entire_time_range\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"time_range_mode\":\"entire_time_range\",\"tooltip_mode\":\"show_all\",\"truncate_legend\":1,\"type\":\"timeseries\",\"use_kibana_indexes\":true},\"title\":\"\",\"type\":\"metrics\",\"uiState\":{}}},\"gridData\":{\"h\":9,\"i\":\"85469acb-e2aa-4a16-8c70-66307d94cf5f\",\"w\":24,\"x\":0,\"y\":27},\"panelIndex\":\"85469acb-e2aa-4a16-8c70-66307d94cf5f\",\"title\":\"Physical Writes per second [Metrics Oracle]\",\"type\":\"visualization\",\"version\":\"8.3.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"drop_last_bucket\":0,\"id\":\"c6a7c206-f75c-44f1-9142-c4408879556b\",\"index_pattern_ref_name\":\"metrics_b6dd5668-70d5-440f-b00a-e8d7554a3907_0_index_pattern\",\"interval\":\"\",\"isModelInvalid\":false,\"max_lines_legend\":1,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(84,179,153,1)\",\"fill\":0.5,\"formatter\":\"default\",\"id\":\"fa2ed62e-0a11-466f-9d6b-d6cbe8b97c02\",\"label\":\"Total Index Scans per 
transaction\",\"line_width\":1,\"metrics\":[{\"agg_with\":\"avg\",\"field\":\"oracle.sysmetric.total_index_scans_per_txn\",\"id\":\"9465e81a-cfbb-4c7b-bfc3-9d2154518673\",\"order\":\"desc\",\"type\":\"top_hit\"}],\"override_index_pattern\":0,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"point_size\":1,\"separate_axis\":0,\"series_drop_last_bucket\":0,\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"service.address\",\"time_range_mode\":\"entire_time_range\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"time_range_mode\":\"entire_time_range\",\"tooltip_mode\":\"show_all\",\"truncate_legend\":1,\"type\":\"timeseries\",\"use_kibana_indexes\":true},\"title\":\"\",\"type\":\"metrics\",\"uiState\":{}}},\"gridData\":{\"h\":9,\"i\":\"b6dd5668-70d5-440f-b00a-e8d7554a3907\",\"w\":24,\"x\":24,\"y\":27},\"panelIndex\":\"b6dd5668-70d5-440f-b00a-e8d7554a3907\",\"title\":\"Total Index Scans per transaction [Metrics Oracle]\",\"type\":\"visualization\",\"version\":\"8.3.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"drop_last_bucket\":0,\"id\":\"c6a7c206-f75c-44f1-9142-c4408879556b\",\"index_pattern_ref_name\":\"metrics_88e9d016-e10b-4a8a-a376-075da5a96fe9_0_index_pattern\",\"interval\":\"\",\"isModelInvalid\":false,\"max_lines_legend\":1,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(84,179,153,1)\",\"fill\":0.5,\"formatter\":\"default\",\"id\":\"fa2ed62e-0a11-466f-9d6b-d6cbe8b97c02\",\"label\":\"Host CPU Utilization 
(%)\",\"line_width\":1,\"metrics\":[{\"agg_with\":\"avg\",\"field\":\"oracle.sysmetric.host_cpu_utilization_pct\",\"id\":\"9465e81a-cfbb-4c7b-bfc3-9d2154518673\",\"order\":\"desc\",\"type\":\"top_hit\"}],\"override_index_pattern\":0,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"point_size\":1,\"separate_axis\":0,\"series_drop_last_bucket\":0,\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"service.address\",\"time_range_mode\":\"entire_time_range\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"time_range_mode\":\"entire_time_range\",\"tooltip_mode\":\"show_all\",\"truncate_legend\":1,\"type\":\"timeseries\",\"use_kibana_indexes\":true},\"title\":\"\",\"type\":\"metrics\",\"uiState\":{}}},\"gridData\":{\"h\":9,\"i\":\"88e9d016-e10b-4a8a-a376-075da5a96fe9\",\"w\":24,\"x\":0,\"y\":36},\"panelIndex\":\"88e9d016-e10b-4a8a-a376-075da5a96fe9\",\"title\":\"Host CPU Utilization (%) [Metrics Oracle]\",\"type\":\"visualization\",\"version\":\"8.3.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"drop_last_bucket\":0,\"id\":\"c6a7c206-f75c-44f1-9142-c4408879556b\",\"index_pattern_ref_name\":\"metrics_c3be0eb6-6b65-4686-a1cf-ed11c66b418c_0_index_pattern\",\"interval\":\"\",\"isModelInvalid\":false,\"max_lines_legend\":1,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(84,179,153,1)\",\"fill\":0.5,\"formatter\":\"default\",\"id\":\"fa2ed62e-0a11-466f-9d6b-d6cbe8b97c02\",\"label\":\"Network Traffic Volume per 
second\",\"line_width\":1,\"metrics\":[{\"agg_with\":\"avg\",\"field\":\"oracle.sysmetric.network_traffic_volume_per_sec\",\"id\":\"9465e81a-cfbb-4c7b-bfc3-9d2154518673\",\"order\":\"desc\",\"type\":\"top_hit\"}],\"override_index_pattern\":0,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"point_size\":1,\"separate_axis\":0,\"series_drop_last_bucket\":0,\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"service.address\",\"time_range_mode\":\"entire_time_range\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"time_range_mode\":\"entire_time_range\",\"tooltip_mode\":\"show_all\",\"truncate_legend\":1,\"type\":\"timeseries\",\"use_kibana_indexes\":true},\"title\":\"\",\"type\":\"metrics\",\"uiState\":{}}},\"gridData\":{\"h\":9,\"i\":\"c3be0eb6-6b65-4686-a1cf-ed11c66b418c\",\"w\":24,\"x\":24,\"y\":36},\"panelIndex\":\"c3be0eb6-6b65-4686-a1cf-ed11c66b418c\",\"title\":\"Network Traffic Volume per second [Metrics Oracle]\",\"type\":\"visualization\",\"version\":\"8.3.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"drop_last_bucket\":0,\"id\":\"c6a7c206-f75c-44f1-9142-c4408879556b\",\"index_pattern_ref_name\":\"metrics_14dbf023-3bc4-43d1-b035-c38e2cdf16ed_0_index_pattern\",\"interval\":\"\",\"isModelInvalid\":false,\"max_lines_legend\":1,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(84,179,153,1)\",\"fill\":0.5,\"formatter\":\"default\",\"id\":\"fa2ed62e-0a11-466f-9d6b-d6cbe8b97c02\",\"label\":\"User Rollbacks per 
second\",\"line_width\":1,\"metrics\":[{\"agg_with\":\"avg\",\"field\":\"oracle.sysmetric.user_rollbacks_per_sec\",\"id\":\"9465e81a-cfbb-4c7b-bfc3-9d2154518673\",\"order\":\"desc\",\"type\":\"top_hit\"}],\"override_index_pattern\":0,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"point_size\":1,\"separate_axis\":0,\"series_drop_last_bucket\":0,\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"service.address\",\"time_range_mode\":\"entire_time_range\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"time_range_mode\":\"entire_time_range\",\"tooltip_mode\":\"show_all\",\"truncate_legend\":1,\"type\":\"timeseries\",\"use_kibana_indexes\":true},\"title\":\"\",\"type\":\"metrics\",\"uiState\":{}}},\"gridData\":{\"h\":9,\"i\":\"14dbf023-3bc4-43d1-b035-c38e2cdf16ed\",\"w\":24,\"x\":0,\"y\":45},\"panelIndex\":\"14dbf023-3bc4-43d1-b035-c38e2cdf16ed\",\"title\":\"User Rollbacks per second [Metrics Oracle]\",\"type\":\"visualization\",\"version\":\"8.3.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"drop_last_bucket\":0,\"id\":\"c6a7c206-f75c-44f1-9142-c4408879556b\",\"index_pattern_ref_name\":\"metrics_fe650da5-109a-4144-ab12-487e42e8f99b_0_index_pattern\",\"interval\":\"\",\"isModelInvalid\":false,\"max_lines_legend\":1,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(84,179,153,1)\",\"fill\":0.5,\"formatter\":\"default\",\"id\":\"fa2ed62e-0a11-466f-9d6b-d6cbe8b97c02\",\"label\":\"CPU Usage per 
second\",\"line_width\":1,\"metrics\":[{\"agg_with\":\"avg\",\"field\":\"oracle.sysmetric.cpu_usage_per_sec\",\"id\":\"9465e81a-cfbb-4c7b-bfc3-9d2154518673\",\"order\":\"desc\",\"type\":\"top_hit\"}],\"override_index_pattern\":0,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"point_size\":1,\"separate_axis\":0,\"series_drop_last_bucket\":0,\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"service.address\",\"time_range_mode\":\"entire_time_range\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"time_range_mode\":\"entire_time_range\",\"tooltip_mode\":\"show_all\",\"truncate_legend\":1,\"type\":\"timeseries\",\"use_kibana_indexes\":true},\"title\":\"\",\"type\":\"metrics\",\"uiState\":{}}},\"gridData\":{\"h\":9,\"i\":\"fe650da5-109a-4144-ab12-487e42e8f99b\",\"w\":24,\"x\":24,\"y\":45},\"panelIndex\":\"fe650da5-109a-4144-ab12-487e42e8f99b\",\"title\":\"CPU Usage per second [Metrics Oracle]\",\"type\":\"visualization\",\"version\":\"8.3.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"drop_last_bucket\":0,\"id\":\"c6a7c206-f75c-44f1-9142-c4408879556b\",\"index_pattern_ref_name\":\"metrics_2aa60f20-b6a7-4898-af36-46a457c6dee6_0_index_pattern\",\"interval\":\"\",\"isModelInvalid\":false,\"max_lines_legend\":1,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(84,179,153,1)\",\"fill\":0.5,\"formatter\":\"default\",\"id\":\"fa2ed62e-0a11-466f-9d6b-d6cbe8b97c02\",\"label\":\"DB Block Changes per 
second\",\"line_width\":1,\"metrics\":[{\"agg_with\":\"avg\",\"field\":\"oracle.sysmetric.db_block_changes_per_sec\",\"id\":\"9465e81a-cfbb-4c7b-bfc3-9d2154518673\",\"order\":\"desc\",\"type\":\"top_hit\"}],\"override_index_pattern\":0,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"point_size\":1,\"separate_axis\":0,\"series_drop_last_bucket\":0,\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"service.address\",\"time_range_mode\":\"entire_time_range\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"time_range_mode\":\"entire_time_range\",\"tooltip_mode\":\"show_all\",\"truncate_legend\":1,\"type\":\"timeseries\",\"use_kibana_indexes\":true},\"title\":\"\",\"type\":\"metrics\",\"uiState\":{}}},\"gridData\":{\"h\":9,\"i\":\"2aa60f20-b6a7-4898-af36-46a457c6dee6\",\"w\":24,\"x\":0,\"y\":54},\"panelIndex\":\"2aa60f20-b6a7-4898-af36-46a457c6dee6\",\"title\":\"DB Block Changes per second [Metrics Oracle]\",\"type\":\"visualization\",\"version\":\"8.3.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"drop_last_bucket\":0,\"id\":\"c6a7c206-f75c-44f1-9142-c4408879556b\",\"index_pattern_ref_name\":\"metrics_cfaed72f-f3bc-4aff-ab77-53b473433116_0_index_pattern\",\"interval\":\"\",\"isModelInvalid\":false,\"max_lines_legend\":1,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(84,179,153,1)\",\"fill\":0.5,\"formatter\":\"default\",\"id\":\"fa2ed62e-0a11-466f-9d6b-d6cbe8b97c02\",\"label\":\"Physical Read Total Bytes per 
second\",\"line_width\":1,\"metrics\":[{\"agg_with\":\"avg\",\"field\":\"oracle.sysmetric.physical_read_total_bytes_per_sec\",\"id\":\"9465e81a-cfbb-4c7b-bfc3-9d2154518673\",\"order\":\"desc\",\"type\":\"top_hit\"}],\"override_index_pattern\":0,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"point_size\":1,\"separate_axis\":0,\"series_drop_last_bucket\":0,\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"service.address\",\"time_range_mode\":\"entire_time_range\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"time_range_mode\":\"entire_time_range\",\"tooltip_mode\":\"show_all\",\"truncate_legend\":1,\"type\":\"timeseries\",\"use_kibana_indexes\":true},\"title\":\"\",\"type\":\"metrics\",\"uiState\":{}}},\"gridData\":{\"h\":9,\"i\":\"cfaed72f-f3bc-4aff-ab77-53b473433116\",\"w\":24,\"x\":24,\"y\":54},\"panelIndex\":\"cfaed72f-f3bc-4aff-ab77-53b473433116\",\"title\":\"Physical Read Total Bytes per second [Metrics Oracle]\",\"type\":\"visualization\",\"version\":\"8.3.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"drop_last_bucket\":0,\"id\":\"c6a7c206-f75c-44f1-9142-c4408879556b\",\"index_pattern_ref_name\":\"metrics_d4b2e08a-3295-441a-acf5-a1ac4d316ca9_0_index_pattern\",\"interval\":\"\",\"isModelInvalid\":false,\"max_lines_legend\":1,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(84,179,153,1)\",\"fill\":0.5,\"formatter\":\"default\",\"id\":\"fa2ed62e-0a11-466f-9d6b-d6cbe8b97c02\",\"label\":\"Response Time Per 
Transaction\",\"line_width\":1,\"metrics\":[{\"agg_with\":\"avg\",\"field\":\"oracle.sysmetric.response_time_per_txn\",\"id\":\"9465e81a-cfbb-4c7b-bfc3-9d2154518673\",\"order\":\"desc\",\"type\":\"top_hit\"}],\"override_index_pattern\":0,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"point_size\":1,\"separate_axis\":0,\"series_drop_last_bucket\":0,\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"service.address\",\"time_range_mode\":\"entire_time_range\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"time_range_mode\":\"entire_time_range\",\"tooltip_mode\":\"show_all\",\"truncate_legend\":1,\"type\":\"timeseries\",\"use_kibana_indexes\":true},\"title\":\"\",\"type\":\"metrics\",\"uiState\":{}}},\"gridData\":{\"h\":9,\"i\":\"d4b2e08a-3295-441a-acf5-a1ac4d316ca9\",\"w\":24,\"x\":0,\"y\":63},\"panelIndex\":\"d4b2e08a-3295-441a-acf5-a1ac4d316ca9\",\"title\":\"Response Time (Centi-Second) per transaction [Metrics Oracle]\",\"type\":\"visualization\",\"version\":\"8.3.0\"}]",
- "timeRestore": false,
- "title": "[Metrics Oracle] Sysmetric",
- "version": 1
- },
- "coreMigrationVersion": "8.3.0",
- "id": "oracle-59eeb380-08d7-11ed-9abf-15e60715cfab",
- "migrationVersion": {
- "dashboard": "8.3.0"
- },
- "references": [
- {
- "id": "metrics-*",
- "name": "5461235c-8f78-4efc-8d60-fdcbb1a3823e:metrics_5461235c-8f78-4efc-8d60-fdcbb1a3823e_0_index_pattern",
- "type": "index-pattern"
- },
- {
- "id": "metrics-*",
- "name": "d19f3a74-3c36-46e6-b682-bdaa3b8dcc26:metrics_d19f3a74-3c36-46e6-b682-bdaa3b8dcc26_0_index_pattern",
- "type": "index-pattern"
- },
- {
- "id": "metrics-*",
- "name": "1edc70d6-135f-42f7-8148-a826a9c769d2:metrics_1edc70d6-135f-42f7-8148-a826a9c769d2_0_index_pattern",
- "type": "index-pattern"
- },
- {
- "id": "metrics-*",
- "name": "da3c4da2-7ff9-478d-bd73-9a4342f6bac1:metrics_da3c4da2-7ff9-478d-bd73-9a4342f6bac1_0_index_pattern",
- "type": "index-pattern"
- },
- {
- "id": "metrics-*",
- "name": 
"e412984d-be6e-4d04-b53e-50a90837f9df:metrics_e412984d-be6e-4d04-b53e-50a90837f9df_0_index_pattern",
- "type": "index-pattern"
- },
- {
- "id": "metrics-*",
- "name": "d18cbbd4-2e10-4af0-94e0-848f9da6bb66:metrics_d18cbbd4-2e10-4af0-94e0-848f9da6bb66_0_index_pattern",
- "type": "index-pattern"
- },
- {
- "id": "metrics-*",
- "name": "85469acb-e2aa-4a16-8c70-66307d94cf5f:metrics_85469acb-e2aa-4a16-8c70-66307d94cf5f_0_index_pattern",
- "type": "index-pattern"
- },
- {
- "id": "metrics-*",
- "name": "b6dd5668-70d5-440f-b00a-e8d7554a3907:metrics_b6dd5668-70d5-440f-b00a-e8d7554a3907_0_index_pattern",
- "type": "index-pattern"
- },
- {
- "id": "metrics-*",
- "name": "88e9d016-e10b-4a8a-a376-075da5a96fe9:metrics_88e9d016-e10b-4a8a-a376-075da5a96fe9_0_index_pattern",
- "type": "index-pattern"
- },
- {
- "id": "metrics-*",
- "name": "c3be0eb6-6b65-4686-a1cf-ed11c66b418c:metrics_c3be0eb6-6b65-4686-a1cf-ed11c66b418c_0_index_pattern",
- "type": "index-pattern"
- },
- {
- "id": "metrics-*",
- "name": "14dbf023-3bc4-43d1-b035-c38e2cdf16ed:metrics_14dbf023-3bc4-43d1-b035-c38e2cdf16ed_0_index_pattern",
- "type": "index-pattern"
- },
- {
- "id": "metrics-*",
- "name": "fe650da5-109a-4144-ab12-487e42e8f99b:metrics_fe650da5-109a-4144-ab12-487e42e8f99b_0_index_pattern",
- "type": "index-pattern"
- },
- {
- "id": "metrics-*",
- "name": "2aa60f20-b6a7-4898-af36-46a457c6dee6:metrics_2aa60f20-b6a7-4898-af36-46a457c6dee6_0_index_pattern",
- "type": "index-pattern"
- },
- {
- "id": "metrics-*",
- "name": "cfaed72f-f3bc-4aff-ab77-53b473433116:metrics_cfaed72f-f3bc-4aff-ab77-53b473433116_0_index_pattern",
- "type": "index-pattern"
- },
- {
- "id": "metrics-*",
- "name": "d4b2e08a-3295-441a-acf5-a1ac4d316ca9:metrics_d4b2e08a-3295-441a-acf5-a1ac4d316ca9_0_index_pattern",
- "type": "index-pattern"
- },
- {
- "id": "metrics-*",
- "name": "controlGroup_e40198de-6b6b-41ef-97e3-ffece3aa8162:optionsListDataView",
- "type": "index-pattern"
- }
- ],
- "type": "dashboard"
-}
\ No newline at end of file
diff --git a/packages/oracle/1.4.0/kibana/dashboard/oracle-6b4866c0-1599-11ed-9607-2ba0819b3835.json b/packages/oracle/1.4.0/kibana/dashboard/oracle-6b4866c0-1599-11ed-9607-2ba0819b3835.json
deleted file mode 100755
index 5ecb99fcda..0000000000
--- a/packages/oracle/1.4.0/kibana/dashboard/oracle-6b4866c0-1599-11ed-9607-2ba0819b3835.json
+++ /dev/null
@@ -1,143 +0,0 @@
-{
- "attributes": {
- "controlGroupInput": {
- "chainingSystem": "HIERARCHICAL",
- "controlStyle": "oneLine",
- "ignoreParentSettingsJSON": "{\"ignoreFilters\":false,\"ignoreQuery\":false,\"ignoreTimerange\":false,\"ignoreValidations\":false}",
- "panelsJSON": "{\"3de2a6b1-0cb3-4b1d-8a5f-070387961941\":{\"order\":0,\"width\":\"medium\",\"grow\":true,\"type\":\"optionsListControl\",\"explicitInput\":{\"fieldName\":\"service.address\",\"title\":\"Oracle Host Control\",\"id\":\"3de2a6b1-0cb3-4b1d-8a5f-070387961941\",\"enhancements\":{}}}}"
- },
- "description": "",
- "hits": 0,
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}"
- },
- "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"syncTooltips\":false,\"useMargins\":true}",
- "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"id\":\"28881ff0-159a-11ed-8473-87f6af0978f0\"}],\"drop_last_bucket\":0,\"id\":\"c6a7c206-f75c-44f1-9142-c4408879556b\",\"index_pattern_ref_name\":\"metrics_fccef14a-39c2-4c48-958e-c7d35b573c59_0_index_pattern\",\"interval\":\"\",\"isModelInvalid\":false,\"max_lines_legend\":1,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(84,179,153,1)\",\"fill\":0.5,\"formatter\":\"default\",\"id\":\"fa2ed62e-0a11-466f-9d6b-d6cbe8b97c02\",\"label\":\" 
\",\"line_width\":1,\"metrics\":[{\"agg_with\":\"avg\",\"field\":\"oracle.performance.session_count.active\",\"id\":\"9465e81a-cfbb-4c7b-bfc3-9d2154518673\",\"order\":\"desc\",\"type\":\"top_hit\"}],\"override_index_pattern\":0,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"point_size\":1,\"separate_axis\":0,\"series_drop_last_bucket\":0,\"split_mode\":\"everything\",\"stacked\":\"none\",\"time_range_mode\":\"entire_time_range\",\"value_template\":\"{{value}}\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"time_range_mode\":\"entire_time_range\",\"tooltip_mode\":\"show_all\",\"truncate_legend\":1,\"type\":\"metric\",\"use_kibana_indexes\":true},\"title\":\"\",\"type\":\"metrics\",\"uiState\":{}}},\"gridData\":{\"h\":6,\"i\":\"fccef14a-39c2-4c48-958e-c7d35b573c59\",\"w\":8,\"x\":0,\"y\":0},\"panelIndex\":\"fccef14a-39c2-4c48-958e-c7d35b573c59\",\"title\":\"Active Session Count [Metrics Oracle]\",\"type\":\"visualization\",\"version\":\"8.4.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"id\":\"28881ff0-159a-11ed-8473-87f6af0978f0\"}],\"drop_last_bucket\":0,\"id\":\"c6a7c206-f75c-44f1-9142-c4408879556b\",\"index_pattern_ref_name\":\"metrics_83525479-b533-4868-ba6f-462969f55c31_0_index_pattern\",\"interval\":\"\",\"isModelInvalid\":false,\"max_lines_legend\":1,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(84,179,153,1)\",\"fill\":0.5,\"formatter\":\"default\",\"id\":\"fa2ed62e-0a11-466f-9d6b-d6cbe8b97c02\",\"label\":\" 
\",\"line_width\":1,\"metrics\":[{\"agg_with\":\"avg\",\"field\":\"oracle.performance.session_count.inactive\",\"id\":\"9465e81a-cfbb-4c7b-bfc3-9d2154518673\",\"order\":\"desc\",\"type\":\"top_hit\"}],\"override_index_pattern\":0,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"point_size\":1,\"separate_axis\":0,\"series_drop_last_bucket\":0,\"split_mode\":\"everything\",\"stacked\":\"none\",\"time_range_mode\":\"entire_time_range\",\"value_template\":\"{{value}}\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"time_range_mode\":\"entire_time_range\",\"tooltip_mode\":\"show_all\",\"truncate_legend\":1,\"type\":\"metric\",\"use_kibana_indexes\":true},\"title\":\"\",\"type\":\"metrics\",\"uiState\":{}}},\"gridData\":{\"h\":6,\"i\":\"83525479-b533-4868-ba6f-462969f55c31\",\"w\":8,\"x\":8,\"y\":0},\"panelIndex\":\"83525479-b533-4868-ba6f-462969f55c31\",\"title\":\"InActive Session Count [Metrics Oracle] (copy)\",\"type\":\"visualization\",\"version\":\"8.4.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"id\":\"28881ff0-159a-11ed-8473-87f6af0978f0\"}],\"drop_last_bucket\":0,\"id\":\"c6a7c206-f75c-44f1-9142-c4408879556b\",\"index_pattern_ref_name\":\"metrics_3dfe5e91-0cdf-4a6b-95c8-d91c0f3326ef_0_index_pattern\",\"interval\":\"\",\"isModelInvalid\":false,\"max_lines_legend\":1,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(84,179,153,1)\",\"fill\":0.5,\"formatter\":\"default\",\"id\":\"fa2ed62e-0a11-466f-9d6b-d6cbe8b97c02\",\"label\":\" 
\",\"line_width\":1,\"metrics\":[{\"agg_with\":\"avg\",\"field\":\"oracle.sysmetric.user_transaction_per_sec\",\"id\":\"9465e81a-cfbb-4c7b-bfc3-9d2154518673\",\"order\":\"desc\",\"type\":\"top_hit\"}],\"override_index_pattern\":0,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"point_size\":1,\"separate_axis\":0,\"series_drop_last_bucket\":0,\"split_mode\":\"everything\",\"stacked\":\"none\",\"time_range_mode\":\"entire_time_range\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"time_range_mode\":\"entire_time_range\",\"tooltip_mode\":\"show_all\",\"truncate_legend\":1,\"type\":\"metric\",\"use_kibana_indexes\":true},\"title\":\"\",\"type\":\"metrics\",\"uiState\":{}}},\"gridData\":{\"h\":6,\"i\":\"3dfe5e91-0cdf-4a6b-95c8-d91c0f3326ef\",\"w\":8,\"x\":16,\"y\":0},\"panelIndex\":\"3dfe5e91-0cdf-4a6b-95c8-d91c0f3326ef\",\"title\":\"User Transactions per second [Metrics Oracle]\",\"type\":\"visualization\",\"version\":\"8.4.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"id\":\"51dfc970-08ca-11ed-a12c-5d4b2a3a48a4\"}],\"drop_last_bucket\":0,\"id\":\"0bf6fba1-6aba-4031-b22f-caca9339ee5d\",\"index_pattern_ref_name\":\"metrics_438cfc7d-6aca-4ae5-a0dc-e20025cc1488_0_index_pattern\",\"interval\":\"\",\"isModelInvalid\":false,\"max_lines_legend\":1,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(84,179,153,1)\",\"fill\":0.5,\"formatter\":\"default\",\"id\":\"8c22d686-b04c-4154-a424-d2e366b260f8\",\"label\":\" 
\",\"line_width\":1,\"metrics\":[{\"field\":\"oracle.performance.cursors.opened.current\",\"id\":\"42eab07c-8975-4bf8-b429-85ae12bd3e7d\",\"type\":\"max\"}],\"override_index_pattern\":0,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"point_size\":1,\"separate_axis\":0,\"series_drop_last_bucket\":0,\"split_mode\":\"everything\",\"stacked\":\"none\",\"time_range_mode\":\"entire_time_range\"}],\"show_grid\":1,\"show_legend\":0,\"time_field\":\"\",\"time_range_mode\":\"entire_time_range\",\"tooltip_mode\":\"show_all\",\"truncate_legend\":1,\"type\":\"metric\",\"use_kibana_indexes\":true},\"title\":\"\",\"type\":\"metrics\",\"uiState\":{}}},\"gridData\":{\"h\":6,\"i\":\"438cfc7d-6aca-4ae5-a0dc-e20025cc1488\",\"w\":8,\"x\":24,\"y\":0},\"panelIndex\":\"438cfc7d-6aca-4ae5-a0dc-e20025cc1488\",\"title\":\"Current opened cursors [Metrics Oracle]\",\"type\":\"visualization\",\"version\":\"8.4.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"id\":\"e24122f0-13a3-11ed-ac2d-bba62e78d30c\"}],\"drop_last_bucket\":0,\"id\":\"c78db4b3-758b-4967-b1e3-fd5d66cc8508\",\"index_pattern_ref_name\":\"metrics_4b465607-cfa3-463d-b9ad-1f4c1ee62c3d_0_index_pattern\",\"interval\":\"\",\"isModelInvalid\":false,\"legend_position\":\"bottom\",\"max_lines_legend\":1,\"series\":[{\"axis_position\":\"left\",\"chart_type\":\"line\",\"color\":\"rgba(84,179,153,1)\",\"fill\":\"0.5\",\"formatter\":\"00.0\",\"id\":\"ebe118d0-13a6-11ed-ac2d-bba62e78d30c\",\"label\":\" 
\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"oracle.pga_sga.sga_total_memory\",\"id\":\"ebe118d1-13a6-11ed-ac2d-bba62e78d30c\",\"type\":\"avg\"},{\"field\":\"oracle.pga_sga.sga_free_memory\",\"id\":\"7042d7f0-1571-11ed-8473-87f6af0978f0\",\"type\":\"avg\"},{\"id\":\"80e236f0-1571-11ed-8473-87f6af0978f0\",\"script\":\"(params.free / params.total) * 100\",\"type\":\"math\",\"variables\":[{\"field\":\"7042d7f0-1571-11ed-8473-87f6af0978f0\",\"id\":\"83727ec0-1571-11ed-8473-87f6af0978f0\",\"name\":\"free\"},{\"field\":\"ebe118d1-13a6-11ed-ac2d-bba62e78d30c\",\"id\":\"87d69c30-1571-11ed-8473-87f6af0978f0\",\"name\":\"total\"}]}],\"override_index_pattern\":0,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"point_size\":\"2\",\"separate_axis\":1,\"series_drop_last_bucket\":0,\"split_mode\":\"everything\",\"stacked\":\"none\",\"steps\":0,\"time_range_mode\":\"entire_time_range\",\"value_template\":\"{{value}}%\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"time_range_mode\":\"entire_time_range\",\"tooltip_mode\":\"show_all\",\"truncate_legend\":1,\"type\":\"metric\",\"use_kibana_indexes\":true},\"title\":\"\",\"type\":\"metrics\",\"uiState\":{}}},\"gridData\":{\"h\":6,\"i\":\"4b465607-cfa3-463d-b9ad-1f4c1ee62c3d\",\"w\":8,\"x\":32,\"y\":0},\"panelIndex\":\"4b465607-cfa3-463d-b9ad-1f4c1ee62c3d\",\"title\":\"Shared Pool Free Percentage [Metrics 
Oracle]\",\"type\":\"visualization\",\"version\":\"8.4.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"id\":\"\",\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"id\":\"cd175a40-159a-11ed-8473-87f6af0978f0\"}],\"drop_last_bucket\":0,\"gauge_color_rules\":[{\"id\":\"fefde680-08c7-11ed-a12c-5d4b2a3a48a4\"}],\"gauge_inner_width\":10,\"gauge_style\":\"half\",\"gauge_width\":10,\"id\":\"041284f6-9f0a-4497-a3f3-62b7fde78734\",\"index_pattern_ref_name\":\"metrics_2c913f00-88a4-4846-afa1-4bc687a2f610_0_index_pattern\",\"interval\":\"\",\"isModelInvalid\":false,\"max_lines_legend\":1,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(84,179,153,1)\",\"fill\":0.5,\"formatter\":\"default\",\"id\":\"7f68b308-f13e-420f-95e2-033405dc19b2\",\"label\":\" \",\"line_width\":1,\"metrics\":[{\"field\":\"oracle.performance.cache.buffer.hit.pct\",\"id\":\"bfe864c9-7c4e-49a5-bea4-faaeaee77d9d\",\"type\":\"avg\"}],\"override_index_pattern\":0,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"point_size\":1,\"separate_axis\":0,\"series_drop_last_bucket\":0,\"split_mode\":\"everything\",\"stacked\":\"none\",\"time_range_mode\":\"entire_time_range\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"time_range_mode\":\"entire_time_range\",\"tooltip_mode\":\"show_all\",\"truncate_legend\":1,\"type\":\"metric\",\"use_kibana_indexes\":true},\"title\":\"\",\"type\":\"metrics\",\"uiState\":{}}},\"gridData\":{\"h\":6,\"i\":\"2c913f00-88a4-4846-afa1-4bc687a2f610\",\"w\":8,\"x\":40,\"y\":0},\"panelIndex\":\"2c913f00-88a4-4846-afa1-4bc687a2f610\",\"title\":\"Cache Buffer Hit Ratio [Metrics 
Oracle]\",\"type\":\"visualization\",\"version\":\"8.4.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"id\":\"28881ff0-159a-11ed-8473-87f6af0978f0\"}],\"drop_last_bucket\":0,\"id\":\"c6a7c206-f75c-44f1-9142-c4408879556b\",\"index_pattern_ref_name\":\"metrics_8ad2c774-0180-4600-8162-b562315e7282_0_index_pattern\",\"interval\":\"\",\"isModelInvalid\":false,\"max_lines_legend\":1,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(84,179,153,1)\",\"fill\":0.5,\"formatter\":\"default\",\"id\":\"fa2ed62e-0a11-466f-9d6b-d6cbe8b97c02\",\"label\":\" \",\"line_width\":1,\"metrics\":[{\"agg_with\":\"avg\",\"field\":\"oracle.performance.session_count.inactive_morethan_onehr\",\"id\":\"9465e81a-cfbb-4c7b-bfc3-9d2154518673\",\"order\":\"desc\",\"type\":\"top_hit\"}],\"override_index_pattern\":0,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"point_size\":1,\"separate_axis\":0,\"series_drop_last_bucket\":0,\"split_mode\":\"everything\",\"stacked\":\"none\",\"time_range_mode\":\"entire_time_range\",\"value_template\":\"{{value}}\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"time_range_mode\":\"entire_time_range\",\"tooltip_mode\":\"show_all\",\"truncate_legend\":1,\"type\":\"metric\",\"use_kibana_indexes\":true},\"title\":\"\",\"type\":\"metrics\",\"uiState\":{}}},\"gridData\":{\"h\":6,\"i\":\"8ad2c774-0180-4600-8162-b562315e7282\",\"w\":24,\"x\":0,\"y\":6},\"panelIndex\":\"8ad2c774-0180-4600-8162-b562315e7282\",\"title\":\"InActive Session Count \\u003e 1hr [Metrics 
Oracle]\",\"type\":\"visualization\",\"version\":\"8.4.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"id\":\"e24122f0-13a3-11ed-ac2d-bba62e78d30c\"}],\"drop_last_bucket\":0,\"id\":\"c78db4b3-758b-4967-b1e3-fd5d66cc8508\",\"index_pattern_ref_name\":\"metrics_454c3a56-4b8b-47a9-832b-33a1991ed934_0_index_pattern\",\"interval\":\"\",\"isModelInvalid\":false,\"legend_position\":\"bottom\",\"max_lines_legend\":1,\"series\":[{\"axis_position\":\"left\",\"chart_type\":\"line\",\"color\":\"rgba(84,179,153,1)\",\"fill\":\"0\",\"formatter\":\"number\",\"id\":\"bbdce57d-1d8a-4c0e-a94d-2b9511cd0f8c\",\"label\":\"Sorts (Memory)\",\"line_width\":\"1\",\"metrics\":[{\"field\":\"oracle.system_statistics.sorts_memory\",\"id\":\"78823468-ea1e-4798-842e-54c8999b8bb3\",\"type\":\"max\"},{\"field\":\"78823468-ea1e-4798-842e-54c8999b8bb3\",\"id\":\"94a76e20-139c-11ed-b7bb-c962dc44100f\",\"type\":\"derivative\",\"unit\":\"5m\"}],\"override_index_pattern\":1,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"point_size\":1,\"separate_axis\":0,\"series_drop_last_bucket\":0,\"series_index_pattern_ref_name\":\"metrics_454c3a56-4b8b-47a9-832b-33a1991ed934_1_index_pattern\",\"split_color_mode\":null,\"split_mode\":\"everything\",\"stacked\":\"none\",\"time_range_mode\":\"entire_time_range\"},{\"axis_position\":\"left\",\"chart_type\":\"line\",\"color\":\"rgba(96,146,192,1)\",\"fill\":\"0\",\"formatter\":\"number\",\"id\":\"fb93bbf0-13a8-11ed-ac2d-bba62e78d30c\",\"label\":\"Sorts 
(Disk)\",\"line_width\":\"1\",\"metrics\":[{\"field\":\"oracle.system_statistics.sorts_disk\",\"id\":\"fb93bbf1-13a8-11ed-ac2d-bba62e78d30c\",\"type\":\"max\"},{\"field\":\"fb93bbf1-13a8-11ed-ac2d-bba62e78d30c\",\"id\":\"fb93e301-13a8-11ed-ac2d-bba62e78d30c\",\"type\":\"derivative\",\"unit\":\"5m\"}],\"override_index_pattern\":1,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"point_size\":1,\"separate_axis\":0,\"series_drop_last_bucket\":0,\"series_index_pattern_ref_name\":\"metrics_454c3a56-4b8b-47a9-832b-33a1991ed934_2_index_pattern\",\"split_color_mode\":null,\"split_mode\":\"everything\",\"stacked\":\"none\",\"time_range_mode\":\"entire_time_range\"}],\"show_grid\":0,\"show_legend\":1,\"time_field\":\"\",\"time_range_mode\":\"entire_time_range\",\"tooltip_mode\":\"show_all\",\"truncate_legend\":1,\"type\":\"timeseries\",\"use_kibana_indexes\":true},\"title\":\"\",\"type\":\"metrics\",\"uiState\":{}}},\"gridData\":{\"h\":10,\"i\":\"454c3a56-4b8b-47a9-832b-33a1991ed934\",\"w\":24,\"x\":24,\"y\":6},\"panelIndex\":\"454c3a56-4b8b-47a9-832b-33a1991ed934\",\"title\":\"Parse count - Sorts Memory vs Sorts Disk [Metrics 
Oracle]\",\"type\":\"visualization\",\"version\":\"8.4.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"id\":\"e24122f0-13a3-11ed-ac2d-bba62e78d30c\"}],\"drop_last_bucket\":0,\"id\":\"c78db4b3-758b-4967-b1e3-fd5d66cc8508\",\"index_pattern_ref_name\":\"metrics_920ebc93-000f-4859-a8d1-971fed50afe4_0_index_pattern\",\"interval\":\"\",\"isModelInvalid\":false,\"legend_position\":\"bottom\",\"max_lines_legend\":1,\"series\":[{\"axis_position\":\"left\",\"chart_type\":\"bar\",\"color\":\"rgba(84,179,153,1)\",\"fill\":\"0.5\",\"formatter\":\"00.0\",\"id\":\"bbdce57d-1d8a-4c0e-a94d-2b9511cd0f8c\",\"label\":\"Wait time Percentage\",\"line_width\":\"1\",\"metrics\":[{\"field\":\"oracle.performance.wait.pct_time\",\"id\":\"78823468-ea1e-4798-842e-54c8999b8bb3\",\"type\":\"max\"}],\"override_index_pattern\":1,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"point_size\":1,\"separate_axis\":0,\"series_drop_last_bucket\":0,\"series_index_pattern_ref_name\":\"metrics_920ebc93-000f-4859-a8d1-971fed50afe4_1_index_pattern\",\"split_color_mode\":null,\"split_mode\":\"terms\",\"stacked\":\"stacked\",\"terms_field\":\"oracle.performance.wait.wait_class\",\"time_range_mode\":\"entire_time_range\",\"value_template\":\"{{value}} %\"}],\"show_grid\":0,\"show_legend\":1,\"time_field\":\"\",\"time_range_mode\":\"entire_time_range\",\"tooltip_mode\":\"show_all\",\"truncate_legend\":1,\"type\":\"timeseries\",\"use_kibana_indexes\":true},\"title\":\"\",\"type\":\"metrics\",\"uiState\":{}}},\"gridData\":{\"h\":10,\"i\":\"920ebc93-000f-4859-a8d1-971fed50afe4\",\"w\":24,\"x\":0,\"y\":12},\"panelIndex\":\"920ebc93-000f-4859-a8d1-971fed50afe4\",\"title\":\"Wait Time Percentage [Metrics 
Oracle]\",\"type\":\"visualization\",\"version\":\"8.4.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"drop_last_bucket\":0,\"id\":\"c6a7c206-f75c-44f1-9142-c4408879556b\",\"index_pattern_ref_name\":\"metrics_aa6a165c-9840-424b-8439-579b0060b57d_0_index_pattern\",\"interval\":\"\",\"isModelInvalid\":false,\"max_lines_legend\":1,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(84,179,153,1)\",\"fill\":0.5,\"formatter\":\"default\",\"id\":\"fa2ed62e-0a11-466f-9d6b-d6cbe8b97c02\",\"label\":\"Response Time Per Transaction\",\"line_width\":1,\"metrics\":[{\"agg_with\":\"avg\",\"field\":\"oracle.sysmetric.response_time_per_txn\",\"id\":\"9465e81a-cfbb-4c7b-bfc3-9d2154518673\",\"order\":\"desc\",\"type\":\"top_hit\"}],\"override_index_pattern\":0,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"point_size\":1,\"separate_axis\":0,\"series_drop_last_bucket\":0,\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"service.address\",\"time_range_mode\":\"entire_time_range\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"time_range_mode\":\"entire_time_range\",\"tooltip_mode\":\"show_all\",\"truncate_legend\":1,\"type\":\"timeseries\",\"use_kibana_indexes\":true},\"title\":\"\",\"type\":\"metrics\",\"uiState\":{}}},\"gridData\":{\"h\":10,\"i\":\"aa6a165c-9840-424b-8439-579b0060b57d\",\"w\":24,\"x\":24,\"y\":16},\"panelIndex\":\"aa6a165c-9840-424b-8439-579b0060b57d\",\"title\":\"Response Time (Centi-Second) per transaction [Metrics 
Oracle]\",\"type\":\"visualization\",\"version\":\"8.4.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"id\":\"e24122f0-13a3-11ed-ac2d-bba62e78d30c\"}],\"drop_last_bucket\":0,\"id\":\"c78db4b3-758b-4967-b1e3-fd5d66cc8508\",\"index_pattern_ref_name\":\"metrics_e78668fc-df19-4c94-a855-12ba59b19f0f_0_index_pattern\",\"interval\":\"\",\"isModelInvalid\":false,\"legend_position\":\"bottom\",\"max_lines_legend\":1,\"series\":[{\"axis_position\":\"left\",\"chart_type\":\"bar\",\"color\":\"rgba(84,179,153,1)\",\"fill\":\"0.5\",\"formatter\":\"00.0\",\"id\":\"bbdce57d-1d8a-4c0e-a94d-2b9511cd0f8c\",\"label\":\"Wait time Request Percentage\",\"line_width\":\"1\",\"metrics\":[{\"field\":\"oracle.performance.wait.pct_waits\",\"id\":\"78823468-ea1e-4798-842e-54c8999b8bb3\",\"type\":\"max\"}],\"override_index_pattern\":1,\"palette\":{\"name\":\"status\",\"type\":\"palette\"},\"point_size\":1,\"separate_axis\":0,\"series_drop_last_bucket\":0,\"series_index_pattern_ref_name\":\"metrics_e78668fc-df19-4c94-a855-12ba59b19f0f_1_index_pattern\",\"split_color_mode\":null,\"split_mode\":\"terms\",\"stacked\":\"stacked\",\"terms_field\":\"oracle.performance.wait.wait_class\",\"time_range_mode\":\"entire_time_range\",\"value_template\":\"{{value}} %\"}],\"show_grid\":0,\"show_legend\":1,\"time_field\":\"\",\"time_range_mode\":\"entire_time_range\",\"tooltip_mode\":\"show_all\",\"truncate_legend\":1,\"type\":\"timeseries\",\"use_kibana_indexes\":true},\"title\":\"\",\"type\":\"metrics\",\"uiState\":{}}},\"gridData\":{\"h\":10,\"i\":\"e78668fc-df19-4c94-a855-12ba59b19f0f\",\"w\":24,\"x\":0,\"y\":22},\"panelIndex\":\"e78668fc-df19-4c94-a855-12ba59b19f0f\",\"title\":\"Wait Time Request Percentage 
[Metrics Oracle]\",\"type\":\"visualization\",\"version\":\"8.4.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"id\":\"e24122f0-13a3-11ed-ac2d-bba62e78d30c\"}],\"drop_last_bucket\":0,\"id\":\"c78db4b3-758b-4967-b1e3-fd5d66cc8508\",\"index_pattern_ref_name\":\"metrics_c01e27f8-3cac-49c2-b040-00217e983743_0_index_pattern\",\"interval\":\"\",\"isModelInvalid\":false,\"legend_position\":\"bottom\",\"max_lines_legend\":1,\"series\":[{\"axis_position\":\"left\",\"chart_type\":\"line\",\"color\":\"rgba(84,179,153,1)\",\"fill\":\"0\",\"formatter\":\"number\",\"id\":\"bbdce57d-1d8a-4c0e-a94d-2b9511cd0f8c\",\"label\":\"Cache Hit Percentage\",\"line_width\":\"1\",\"metrics\":[{\"field\":\"oracle.pga_sga.cache_hit_pct\",\"id\":\"78823468-ea1e-4798-842e-54c8999b8bb3\",\"type\":\"avg\"}],\"override_index_pattern\":1,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"point_size\":1,\"separate_axis\":0,\"series_drop_last_bucket\":0,\"series_index_pattern_ref_name\":\"metrics_c01e27f8-3cac-49c2-b040-00217e983743_1_index_pattern\",\"split_color_mode\":null,\"split_mode\":\"everything\",\"stacked\":\"none\",\"time_range_mode\":\"entire_time_range\"}],\"show_grid\":0,\"show_legend\":1,\"time_field\":\"\",\"time_range_mode\":\"entire_time_range\",\"tooltip_mode\":\"show_all\",\"truncate_legend\":1,\"type\":\"timeseries\",\"use_kibana_indexes\":true},\"title\":\"\",\"type\":\"metrics\",\"uiState\":{}}},\"gridData\":{\"h\":11,\"i\":\"c01e27f8-3cac-49c2-b040-00217e983743\",\"w\":24,\"x\":24,\"y\":26},\"panelIndex\":\"c01e27f8-3cac-49c2-b040-00217e983743\",\"title\":\"Cache Hit Percentage [Metrics 
Oracle]\",\"type\":\"visualization\",\"version\":\"8.4.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"id\":\"e24122f0-13a3-11ed-ac2d-bba62e78d30c\"}],\"drop_last_bucket\":0,\"id\":\"c78db4b3-758b-4967-b1e3-fd5d66cc8508\",\"index_pattern_ref_name\":\"metrics_7dfa318b-a0e2-4a1f-bd54-e7362935548d_0_index_pattern\",\"interval\":\"\",\"isModelInvalid\":false,\"legend_position\":\"bottom\",\"max_lines_legend\":1,\"series\":[{\"axis_position\":\"left\",\"chart_type\":\"line\",\"color\":\"rgba(84,179,153,1)\",\"fill\":\"0\",\"formatter\":\"number\",\"id\":\"bbdce57d-1d8a-4c0e-a94d-2b9511cd0f8c\",\"label\":\"Parse Count Hard\",\"line_width\":\"1\",\"metrics\":[{\"field\":\"oracle.system_statistics.parse_count_hard\",\"id\":\"78823468-ea1e-4798-842e-54c8999b8bb3\",\"type\":\"max\"},{\"field\":\"78823468-ea1e-4798-842e-54c8999b8bb3\",\"id\":\"94a76e20-139c-11ed-b7bb-c962dc44100f\",\"type\":\"derivative\",\"unit\":\"5m\"}],\"override_index_pattern\":1,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"point_size\":1,\"separate_axis\":0,\"series_drop_last_bucket\":0,\"series_index_pattern_ref_name\":\"metrics_7dfa318b-a0e2-4a1f-bd54-e7362935548d_1_index_pattern\",\"split_color_mode\":null,\"split_mode\":\"everything\",\"stacked\":\"none\",\"time_range_mode\":\"entire_time_range\"},{\"axis_position\":\"left\",\"chart_type\":\"bar\",\"color\":\"rgba(203,240,230,1)\",\"fill\":\"0.7\",\"formatter\":\"number\",\"id\":\"fb93bbf0-13a8-11ed-ac2d-bba62e78d30c\",\"label\":\"Parse Count 
Total\",\"line_width\":\"1\",\"metrics\":[{\"field\":\"oracle.performance.parse_count_total\",\"id\":\"fb93bbf1-13a8-11ed-ac2d-bba62e78d30c\",\"type\":\"max\"},{\"field\":\"fb93bbf1-13a8-11ed-ac2d-bba62e78d30c\",\"id\":\"fb93e301-13a8-11ed-ac2d-bba62e78d30c\",\"type\":\"derivative\",\"unit\":\"5m\"}],\"override_index_pattern\":1,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"point_size\":1,\"separate_axis\":0,\"series_drop_last_bucket\":0,\"series_index_pattern_ref_name\":\"metrics_7dfa318b-a0e2-4a1f-bd54-e7362935548d_2_index_pattern\",\"split_color_mode\":null,\"split_mode\":\"everything\",\"stacked\":\"none\",\"time_range_mode\":\"entire_time_range\"}],\"show_grid\":0,\"show_legend\":1,\"time_field\":\"\",\"time_range_mode\":\"entire_time_range\",\"tooltip_mode\":\"show_all\",\"truncate_legend\":1,\"type\":\"timeseries\",\"use_kibana_indexes\":true},\"title\":\"\",\"type\":\"metrics\",\"uiState\":{}}},\"gridData\":{\"h\":10,\"i\":\"7dfa318b-a0e2-4a1f-bd54-e7362935548d\",\"w\":24,\"x\":0,\"y\":32},\"panelIndex\":\"7dfa318b-a0e2-4a1f-bd54-e7362935548d\",\"title\":\"Parse count - Total vs Hard [Metrics Oracle]\",\"type\":\"visualization\",\"version\":\"8.4.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"drop_last_bucket\":0,\"id\":\"c6a7c206-f75c-44f1-9142-c4408879556b\",\"index_pattern_ref_name\":\"metrics_8ff3ea00-57e4-426d-9968-3b497ddcafb3_0_index_pattern\",\"interval\":\"\",\"isModelInvalid\":false,\"max_lines_legend\":1,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(84,179,153,1)\",\"fill\":0.5,\"formatter\":\"default\",\"id\":\"fa2ed62e-0a11-466f-9d6b-d6cbe8b97c02\",\"label\":\"Host CPU Utilization 
(%)\",\"line_width\":1,\"metrics\":[{\"agg_with\":\"avg\",\"field\":\"oracle.sysmetric.host_cpu_utilization_pct\",\"id\":\"9465e81a-cfbb-4c7b-bfc3-9d2154518673\",\"order\":\"desc\",\"type\":\"top_hit\"}],\"override_index_pattern\":0,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"point_size\":1,\"separate_axis\":0,\"series_drop_last_bucket\":0,\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"service.address\",\"time_range_mode\":\"entire_time_range\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"time_range_mode\":\"entire_time_range\",\"tooltip_mode\":\"show_all\",\"truncate_legend\":1,\"type\":\"timeseries\",\"use_kibana_indexes\":true},\"title\":\"\",\"type\":\"metrics\",\"uiState\":{}}},\"gridData\":{\"h\":11,\"i\":\"8ff3ea00-57e4-426d-9968-3b497ddcafb3\",\"w\":24,\"x\":24,\"y\":37},\"panelIndex\":\"8ff3ea00-57e4-426d-9968-3b497ddcafb3\",\"title\":\"Host CPU Utilization (%) [Metrics Oracle]\",\"type\":\"visualization\",\"version\":\"8.4.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"id\":\"e24122f0-13a3-11ed-ac2d-bba62e78d30c\"}],\"drop_last_bucket\":0,\"id\":\"c78db4b3-758b-4967-b1e3-fd5d66cc8508\",\"index_pattern_ref_name\":\"metrics_7d8c17b6-bae8-4d50-bbe6-10ff2e3f02ad_0_index_pattern\",\"interval\":\"\",\"isModelInvalid\":false,\"legend_position\":\"bottom\",\"max_lines_legend\":1,\"series\":[{\"axis_position\":\"left\",\"chart_type\":\"line\",\"color\":\"rgba(84,179,153,1)\",\"fill\":\"0.5\",\"formatter\":\"00.0\",\"id\":\"ebe118d0-13a6-11ed-ac2d-bba62e78d30c\",\"label\":\" 
\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"oracle.pga_sga.sga_total_memory\",\"id\":\"ebe118d1-13a6-11ed-ac2d-bba62e78d30c\",\"type\":\"avg\"},{\"field\":\"oracle.pga_sga.sga_free_memory\",\"id\":\"7042d7f0-1571-11ed-8473-87f6af0978f0\",\"type\":\"avg\"},{\"id\":\"80e236f0-1571-11ed-8473-87f6af0978f0\",\"script\":\"(params.free / params.total) * 100\",\"type\":\"math\",\"variables\":[{\"field\":\"7042d7f0-1571-11ed-8473-87f6af0978f0\",\"id\":\"83727ec0-1571-11ed-8473-87f6af0978f0\",\"name\":\"free\"},{\"field\":\"ebe118d1-13a6-11ed-ac2d-bba62e78d30c\",\"id\":\"87d69c30-1571-11ed-8473-87f6af0978f0\",\"name\":\"total\"}]}],\"override_index_pattern\":0,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"point_size\":\"2\",\"separate_axis\":1,\"series_drop_last_bucket\":0,\"split_mode\":\"everything\",\"stacked\":\"none\",\"steps\":0,\"time_range_mode\":\"entire_time_range\",\"value_template\":\"{{value}}%\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"time_range_mode\":\"entire_time_range\",\"tooltip_mode\":\"show_all\",\"truncate_legend\":1,\"type\":\"timeseries\",\"use_kibana_indexes\":true},\"title\":\"\",\"type\":\"metrics\",\"uiState\":{}}},\"gridData\":{\"h\":10,\"i\":\"7d8c17b6-bae8-4d50-bbe6-10ff2e3f02ad\",\"w\":24,\"x\":0,\"y\":42},\"panelIndex\":\"7d8c17b6-bae8-4d50-bbe6-10ff2e3f02ad\",\"title\":\"Shared Pool Free Percentage [Metrics Oracle]\",\"type\":\"visualization\",\"version\":\"8.4.0-SNAPSHOT\"}]", - "timeRestore": false, - "title": "[Metrics Oracle] Performance Metrics", - "version": 1 - }, - "coreMigrationVersion": "8.3.0", - "id": "oracle-6b4866c0-1599-11ed-9607-2ba0819b3835", - "migrationVersion": { - "dashboard": "8.3.0" - }, - "references": [ - { - "id": "metrics-*", - "name": "fccef14a-39c2-4c48-958e-c7d35b573c59:metrics_fccef14a-39c2-4c48-958e-c7d35b573c59_0_index_pattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": 
"83525479-b533-4868-ba6f-462969f55c31:metrics_83525479-b533-4868-ba6f-462969f55c31_0_index_pattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "3dfe5e91-0cdf-4a6b-95c8-d91c0f3326ef:metrics_3dfe5e91-0cdf-4a6b-95c8-d91c0f3326ef_0_index_pattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "438cfc7d-6aca-4ae5-a0dc-e20025cc1488:metrics_438cfc7d-6aca-4ae5-a0dc-e20025cc1488_0_index_pattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "4b465607-cfa3-463d-b9ad-1f4c1ee62c3d:metrics_4b465607-cfa3-463d-b9ad-1f4c1ee62c3d_0_index_pattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "2c913f00-88a4-4846-afa1-4bc687a2f610:metrics_2c913f00-88a4-4846-afa1-4bc687a2f610_0_index_pattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "8ad2c774-0180-4600-8162-b562315e7282:metrics_8ad2c774-0180-4600-8162-b562315e7282_0_index_pattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "454c3a56-4b8b-47a9-832b-33a1991ed934:metrics_454c3a56-4b8b-47a9-832b-33a1991ed934_0_index_pattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "454c3a56-4b8b-47a9-832b-33a1991ed934:metrics_454c3a56-4b8b-47a9-832b-33a1991ed934_1_index_pattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "454c3a56-4b8b-47a9-832b-33a1991ed934:metrics_454c3a56-4b8b-47a9-832b-33a1991ed934_2_index_pattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "920ebc93-000f-4859-a8d1-971fed50afe4:metrics_920ebc93-000f-4859-a8d1-971fed50afe4_0_index_pattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "920ebc93-000f-4859-a8d1-971fed50afe4:metrics_920ebc93-000f-4859-a8d1-971fed50afe4_1_index_pattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "aa6a165c-9840-424b-8439-579b0060b57d:metrics_aa6a165c-9840-424b-8439-579b0060b57d_0_index_pattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - 
"name": "e78668fc-df19-4c94-a855-12ba59b19f0f:metrics_e78668fc-df19-4c94-a855-12ba59b19f0f_0_index_pattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "e78668fc-df19-4c94-a855-12ba59b19f0f:metrics_e78668fc-df19-4c94-a855-12ba59b19f0f_1_index_pattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "c01e27f8-3cac-49c2-b040-00217e983743:metrics_c01e27f8-3cac-49c2-b040-00217e983743_0_index_pattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "c01e27f8-3cac-49c2-b040-00217e983743:metrics_c01e27f8-3cac-49c2-b040-00217e983743_1_index_pattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "7dfa318b-a0e2-4a1f-bd54-e7362935548d:metrics_7dfa318b-a0e2-4a1f-bd54-e7362935548d_0_index_pattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "7dfa318b-a0e2-4a1f-bd54-e7362935548d:metrics_7dfa318b-a0e2-4a1f-bd54-e7362935548d_1_index_pattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "7dfa318b-a0e2-4a1f-bd54-e7362935548d:metrics_7dfa318b-a0e2-4a1f-bd54-e7362935548d_2_index_pattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "8ff3ea00-57e4-426d-9968-3b497ddcafb3:metrics_8ff3ea00-57e4-426d-9968-3b497ddcafb3_0_index_pattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "7d8c17b6-bae8-4d50-bbe6-10ff2e3f02ad:metrics_7d8c17b6-bae8-4d50-bbe6-10ff2e3f02ad_0_index_pattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "controlGroup_3de2a6b1-0cb3-4b1d-8a5f-070387961941:optionsListDataView", - "type": "index-pattern" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/oracle/1.4.0/kibana/dashboard/oracle-9e19fb00-08e1-11ed-9abf-15e60715cfab.json b/packages/oracle/1.4.0/kibana/dashboard/oracle-9e19fb00-08e1-11ed-9abf-15e60715cfab.json deleted file mode 100755 index 1d5df12200..0000000000 
--- a/packages/oracle/1.4.0/kibana/dashboard/oracle-9e19fb00-08e1-11ed-9abf-15e60715cfab.json +++ /dev/null 
@@ -1,42 +0,0 @@ -{ - "attributes": { - "description": "An overview of key metrics from all Metricsets in the Oracle database ", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"syncTooltips\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"id\":\"\",\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"drop_last_bucket\":0,\"id\":\"e640ae4d-6372-4a49-be99-4e477874dccb\",\"index_pattern_ref_name\":\"metrics_5e206919-734c-40b5-a7c8-382c24cbd202_0_index_pattern\",\"interval\":\"\",\"isModelInvalid\":false,\"max_lines_legend\":1,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"default\",\"id\":\"c2f70760-43b9-4f8a-b3d5-a15b7f9ff585\",\"label\":\"Data file size by 
filename\",\"line_width\":1,\"metrics\":[{\"field\":\"oracle.tablespace.data_file.size.bytes\",\"id\":\"2ecdfc99-39a3-4c97-9dc4-72585cab6138\",\"type\":\"avg\"}],\"override_index_pattern\":0,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"point_size\":1,\"separate_axis\":0,\"series_drop_last_bucket\":0,\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"oracle.tablespace.data_file.name\",\"time_range_mode\":\"entire_time_range\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"time_range_mode\":\"entire_time_range\",\"tooltip_mode\":\"show_all\",\"truncate_legend\":1,\"type\":\"timeseries\",\"use_kibana_indexes\":true},\"title\":\"\",\"type\":\"metrics\",\"uiState\":{}}},\"gridData\":{\"h\":15,\"i\":\"5e206919-734c-40b5-a7c8-382c24cbd202\",\"w\":24,\"x\":0,\"y\":0},\"panelIndex\":\"5e206919-734c-40b5-a7c8-382c24cbd202\",\"title\":\"Avg data file size by filename [Metrics Oracle]\",\"type\":\"visualization\",\"version\":\"8.3.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"id\":\"\",\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"bar_color_rules\":[{\"id\":\"79a807d0-08c8-11ed-a12c-5d4b2a3a48a4\"}],\"drop_last_bucket\":0,\"id\":\"fc16576c-5187-43f1-b5ee-b5c45133a5a8\",\"index_pattern_ref_name\":\"metrics_3b1f6b7f-519e-4180-8946-ab1318580f2e_0_index_pattern\",\"interval\":\"\",\"isModelInvalid\":false,\"max_lines_legend\":1,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(84,179,153,1)\",\"fill\":0.5,\"formatter\":\"default\",\"id\":\"d0c9577a-4556-4042-af76-ce4865dd9730\",\"line_width\":1,\"metrics\":[{\"field\":\"oracle.tablespace.space.used.bytes\",\"id\":\"800f1ba7-aa50-401c-ba9e-8950b765aac3\",\"type\":\"avg\"},{\"field\":\"oracle.tablespace.space.total.bytes\",\"id\":\"94a9c9b0-08c8-11
ed-a12c-5d4b2a3a48a4\",\"type\":\"avg\"},{\"id\":\"b36d9ca0-08c8-11ed-a12c-5d4b2a3a48a4\",\"script\":\"params.used / params.total\",\"type\":\"math\",\"variables\":[{\"field\":\"800f1ba7-aa50-401c-ba9e-8950b765aac3\",\"id\":\"b74cab90-08c8-11ed-a12c-5d4b2a3a48a4\",\"name\":\"used\"},{\"field\":\"94a9c9b0-08c8-11ed-a12c-5d4b2a3a48a4\",\"id\":\"bbb92d70-08c8-11ed-a12c-5d4b2a3a48a4\",\"name\":\"total\"}]}],\"override_index_pattern\":0,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"point_size\":1,\"separate_axis\":0,\"series_drop_last_bucket\":0,\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"oracle.tablespace.name\",\"terms_order_by\":\"800f1ba7-aa50-401c-ba9e-8950b765aac3\",\"time_range_mode\":\"entire_time_range\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"time_range_mode\":\"entire_time_range\",\"tooltip_mode\":\"show_all\",\"truncate_legend\":1,\"type\":\"top_n\",\"use_kibana_indexes\":true},\"title\":\"\",\"type\":\"metrics\",\"uiState\":{}}},\"gridData\":{\"h\":7,\"i\":\"3b1f6b7f-519e-4180-8946-ab1318580f2e\",\"w\":24,\"x\":24,\"y\":0},\"panelIndex\":\"3b1f6b7f-519e-4180-8946-ab1318580f2e\",\"title\":\"Ratio of used space in Tablespaces [Metrics 
Oracle]\",\"type\":\"visualization\",\"version\":\"8.3.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"id\":\"51dfc970-08ca-11ed-a12c-5d4b2a3a48a4\"}],\"drop_last_bucket\":0,\"id\":\"0bf6fba1-6aba-4031-b22f-caca9339ee5d\",\"index_pattern_ref_name\":\"metrics_14d04a9d-5a41-47e0-a188-297dbf41776e_0_index_pattern\",\"interval\":\"\",\"isModelInvalid\":false,\"max_lines_legend\":1,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(96,146,192,1)\",\"fill\":0.5,\"formatter\":\"default\",\"id\":\"8c22d686-b04c-4154-a424-d2e366b260f8\",\"label\":\"Tablespace Total Size (TEMP)\",\"line_width\":1,\"metrics\":[{\"field\":\"oracle.tablespace.space.total.bytes\",\"id\":\"bc5c1370-08e4-11ed-bbf2-8b9cc975c696\",\"type\":\"avg\"}],\"override_index_pattern\":0,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"point_size\":1,\"separate_axis\":0,\"series_drop_last_bucket\":0,\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_exclude\":\"\",\"terms_field\":\"oracle.tablespace.name\",\"terms_include\":\"TEMP\",\"terms_order_by\":\"42eab07c-8975-4bf8-b429-85ae12bd3e7d\",\"time_range_mode\":\"entire_time_range\"},{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"default\",\"id\":\"d875d500-08e4-11ed-bbf2-8b9cc975c696\",\"label\":\"Tablespace Total Size (Non - TEMP)\",\"line_width\":1,\"metrics\":[{\"field\":\"oracle.tablespace.space.free.bytes\",\"id\":\"d875d501-08e4-11ed-bbf2-8b9cc975c696\",\"type\":\"avg\"},{\"field\":\"oracle.tablespace.space.used.bytes\",\"id\":\"05bb7e20-08e5-11ed-bbf2-8b9cc975c696\",\"type\":\"avg\"},{\"id\":\"12de6090-08e5-11ed-bbf2-8b9cc975c696\",\"script\":\"params.used + 
params.free\",\"type\":\"math\",\"variables\":[{\"field\":\"05bb7e20-08e5-11ed-bbf2-8b9cc975c696\",\"id\":\"14ca2b00-08e5-11ed-bbf2-8b9cc975c696\",\"name\":\"used\"},{\"field\":\"d875d501-08e4-11ed-bbf2-8b9cc975c696\",\"id\":\"19662150-08e5-11ed-bbf2-8b9cc975c696\",\"name\":\"free\"}]}],\"override_index_pattern\":0,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"point_size\":1,\"separate_axis\":0,\"series_drop_last_bucket\":0,\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_exclude\":\"TEMP\",\"terms_field\":\"oracle.tablespace.name\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"time_range_mode\":\"entire_time_range\",\"tooltip_mode\":\"show_all\",\"truncate_legend\":1,\"type\":\"timeseries\",\"use_kibana_indexes\":true},\"title\":\"\",\"type\":\"metrics\",\"uiState\":{}}},\"gridData\":{\"h\":8,\"i\":\"14d04a9d-5a41-47e0-a188-297dbf41776e\",\"w\":24,\"x\":24,\"y\":7},\"panelIndex\":\"14d04a9d-5a41-47e0-a188-297dbf41776e\",\"title\":\"Tablespace Total Size [Metrics Oracle]\",\"type\":\"visualization\",\"version\":\"8.3.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"id\":\"83835a30-08e5-11ed-bbf2-8b9cc975c696\"}],\"bar_color_rules\":[{\"id\":\"81e33ec0-08e5-11ed-bbf2-8b9cc975c696\"}],\"drop_last_bucket\":0,\"id\":\"e640ae4d-6372-4a49-be99-4e477874dccb\",\"index_pattern_ref_name\":\"metrics_187cba56-fde4-481f-8e6b-0266f9029e3a_0_index_pattern\",\"interval\":\"\",\"isModelInvalid\":false,\"max_lines_legend\":1,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"default\",\"id\":\"c2f70760-43b9-4f8a-b3d5-a15b7f9ff585\",\"label\":\"Maximum data file 
size\",\"line_width\":1,\"metrics\":[{\"field\":\"oracle.tablespace.data_file.size.max.bytes\",\"id\":\"2ecdfc99-39a3-4c97-9dc4-72585cab6138\",\"type\":\"avg\"},{\"field\":\"oracle.tablespace.data_file.size.bytes\",\"id\":\"451a2690-08e8-11ed-bbf2-8b9cc975c696\",\"type\":\"avg\"},{\"id\":\"5e07ae70-08e8-11ed-bbf2-8b9cc975c696\",\"script\":\"params.used / params.total\",\"type\":\"math\",\"variables\":[{\"field\":\"451a2690-08e8-11ed-bbf2-8b9cc975c696\",\"id\":\"602a1940-08e8-11ed-bbf2-8b9cc975c696\",\"name\":\"used\"},{\"field\":\"2ecdfc99-39a3-4c97-9dc4-72585cab6138\",\"id\":\"6c114760-08e8-11ed-bbf2-8b9cc975c696\",\"name\":\"total\"}]}],\"override_index_pattern\":0,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"point_size\":1,\"separate_axis\":0,\"series_drop_last_bucket\":0,\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"oracle.tablespace.data_file.name\",\"time_range_mode\":\"entire_time_range\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"time_range_mode\":\"entire_time_range\",\"tooltip_mode\":\"show_all\",\"truncate_legend\":1,\"type\":\"top_n\",\"use_kibana_indexes\":true},\"title\":\"\",\"type\":\"metrics\",\"uiState\":{}}},\"gridData\":{\"h\":9,\"i\":\"187cba56-fde4-481f-8e6b-0266f9029e3a\",\"w\":48,\"x\":0,\"y\":15},\"panelIndex\":\"187cba56-fde4-481f-8e6b-0266f9029e3a\",\"title\":\"Ratio of used space in data files [Metrics Oracle]\",\"type\":\"visualization\",\"version\":\"8.3.0\"}]", - "timeRestore": false, - "title": "[Metrics Oracle] Tablespace", - "version": 1 - }, - "coreMigrationVersion": "8.3.0", - "id": "oracle-9e19fb00-08e1-11ed-9abf-15e60715cfab", - "migrationVersion": { - "dashboard": "8.3.0" - }, - "references": [ - { - "id": "metrics-*", - "name": "5e206919-734c-40b5-a7c8-382c24cbd202:metrics_5e206919-734c-40b5-a7c8-382c24cbd202_0_index_pattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": 
"3b1f6b7f-519e-4180-8946-ab1318580f2e:metrics_3b1f6b7f-519e-4180-8946-ab1318580f2e_0_index_pattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "14d04a9d-5a41-47e0-a188-297dbf41776e:metrics_14d04a9d-5a41-47e0-a188-297dbf41776e_0_index_pattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "187cba56-fde4-481f-8e6b-0266f9029e3a:metrics_187cba56-fde4-481f-8e6b-0266f9029e3a_0_index_pattern", - "type": "index-pattern" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/oracle/1.4.0/kibana/dashboard/oracle-b6b2c9f0-13a7-11ed-9607-2ba0819b3835.json b/packages/oracle/1.4.0/kibana/dashboard/oracle-b6b2c9f0-13a7-11ed-9607-2ba0819b3835.json deleted file mode 100755 index 742d189ee7..0000000000 --- a/packages/oracle/1.4.0/kibana/dashboard/oracle-b6b2c9f0-13a7-11ed-9607-2ba0819b3835.json +++ /dev/null 
@@ -1,153 +0,0 @@ -{ - "attributes": { - "controlGroupInput": { - "chainingSystem": "HIERARCHICAL", - "controlStyle": "oneLine", - "ignoreParentSettingsJSON": "{\"ignoreFilters\":false,\"ignoreQuery\":false,\"ignoreTimerange\":false,\"ignoreValidations\":false}", - "panelsJSON": "{\"3de2a6b1-0cb3-4b1d-8a5f-070387961941\":{\"order\":0,\"width\":\"medium\",\"grow\":true,\"type\":\"optionsListControl\",\"explicitInput\":{\"fieldName\":\"service.address\",\"title\":\"Oracle Host Control\",\"id\":\"3de2a6b1-0cb3-4b1d-8a5f-070387961941\",\"enhancements\":{}}}}" - }, - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"syncTooltips\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"id\":\"\",\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"id\":\"e24122f0-13a3-11ed-ac2d-bba62e78d30c\"}],\"drop_last_bucket\":0,\"id\":\"c78db4b3-758b-4967-b1e3-fd5d66cc8508\",\"index_pattern_ref_name\":\"metrics_988770fe-59b5-4c12-b668-20a8d9461bf5_0_index_pattern\",\"interval\":\"\",\"isModelInvalid\":false,\"legend_position\":\"bottom\",\"max_lines_legend\":1,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"bar\",\"color\":\"rgba(197,237,226,1)\",\"fill\":\"1\",\"formatter\":\"percent\",\"id\":\"bbdce57d-1d8a-4c0e-a94d-2b9511cd0f8c\",\"label\":\"Rate of Change 
(%)\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"oracle.performance.parse_count_total\",\"id\":\"78823468-ea1e-4798-842e-54c8999b8bb3\",\"type\":\"max\"},{\"field\":\"78823468-ea1e-4798-842e-54c8999b8bb3\",\"id\":\"94a76e20-139c-11ed-b7bb-c962dc44100f\",\"type\":\"derivative\",\"unit\":\"5m\"},{\"id\":\"a427c130-139f-11ed-b7bb-c962dc44100f\",\"script\":\"params.diff \\u003e 0 ? ( params.diff ) / params.avg_value : null\",\"type\":\"calculation\",\"variables\":[{\"field\":\"94a76e20-139c-11ed-b7bb-c962dc44100f\",\"id\":\"a835cf60-139f-11ed-b7bb-c962dc44100f\",\"name\":\"diff\"},{\"field\":\"78823468-ea1e-4798-842e-54c8999b8bb3\",\"id\":\"c00a9440-139f-11ed-b7bb-c962dc44100f\",\"name\":\"avg_value\"}]}],\"override_index_pattern\":1,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"point_size\":1,\"separate_axis\":1,\"series_drop_last_bucket\":0,\"series_index_pattern_ref_name\":\"metrics_988770fe-59b5-4c12-b668-20a8d9461bf5_1_index_pattern\",\"split_color_mode\":null,\"split_mode\":\"everything\",\"stacked\":\"none\",\"time_range_mode\":\"entire_time_range\"},{\"axis_position\":\"left\",\"chart_type\":\"line\",\"color\":\"rgba(84,179,153,1)\",\"fill\":\"0\",\"formatter\":\"number\",\"id\":\"ebe118d0-13a6-11ed-ac2d-bba62e78d30c\",\"label\":\"Rate of Change 
(Count)\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"oracle.performance.parse_count_total\",\"id\":\"ebe118d1-13a6-11ed-ac2d-bba62e78d30c\",\"type\":\"max\"},{\"field\":\"ebe118d1-13a6-11ed-ac2d-bba62e78d30c\",\"id\":\"1ede1350-13a7-11ed-ac2d-bba62e78d30c\",\"type\":\"derivative\",\"unit\":\"\"}],\"override_index_pattern\":0,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"point_size\":\"2\",\"separate_axis\":1,\"series_drop_last_bucket\":0,\"split_mode\":\"everything\",\"stacked\":\"none\",\"steps\":0,\"time_range_mode\":\"entire_time_range\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"time_range_mode\":\"entire_time_range\",\"tooltip_mode\":\"show_all\",\"truncate_legend\":1,\"type\":\"timeseries\",\"use_kibana_indexes\":true},\"title\":\"\",\"type\":\"metrics\",\"uiState\":{}}},\"gridData\":{\"h\":8,\"i\":\"988770fe-59b5-4c12-b668-20a8d9461bf5\",\"w\":24,\"x\":0,\"y\":0},\"panelIndex\":\"988770fe-59b5-4c12-b668-20a8d9461bf5\",\"title\":\"Parse count - Total [Metrics Oracle]\",\"type\":\"visualization\",\"version\":\"8.4.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"id\":\"e24122f0-13a3-11ed-ac2d-bba62e78d30c\"}],\"drop_last_bucket\":0,\"id\":\"c78db4b3-758b-4967-b1e3-fd5d66cc8508\",\"index_pattern_ref_name\":\"metrics_ef891567-af66-4b13-a569-b53a5cdf0b8f_0_index_pattern\",\"interval\":\"\",\"isModelInvalid\":false,\"legend_position\":\"bottom\",\"max_lines_legend\":1,\"series\":[{\"axis_position\":\"left\",\"chart_type\":\"line\",\"color\":\"rgba(84,179,153,1)\",\"fill\":\"0\",\"formatter\":\"number\",\"id\":\"bbdce57d-1d8a-4c0e-a94d-2b9511cd0f8c\",\"label\":\"Parse Count 
Hard\",\"line_width\":\"1\",\"metrics\":[{\"field\":\"oracle.system_statistics.parse_count_hard\",\"id\":\"78823468-ea1e-4798-842e-54c8999b8bb3\",\"type\":\"max\"},{\"field\":\"78823468-ea1e-4798-842e-54c8999b8bb3\",\"id\":\"94a76e20-139c-11ed-b7bb-c962dc44100f\",\"type\":\"derivative\",\"unit\":\"5m\"}],\"override_index_pattern\":1,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"point_size\":1,\"separate_axis\":0,\"series_drop_last_bucket\":0,\"series_index_pattern_ref_name\":\"metrics_ef891567-af66-4b13-a569-b53a5cdf0b8f_1_index_pattern\",\"split_color_mode\":null,\"split_mode\":\"everything\",\"stacked\":\"none\",\"time_range_mode\":\"entire_time_range\"},{\"axis_position\":\"left\",\"chart_type\":\"bar\",\"color\":\"rgba(203,240,230,1)\",\"fill\":\"0.7\",\"formatter\":\"number\",\"id\":\"fb93bbf0-13a8-11ed-ac2d-bba62e78d30c\",\"label\":\"Parse Count Total\",\"line_width\":\"1\",\"metrics\":[{\"field\":\"oracle.performance.parse_count_total\",\"id\":\"fb93bbf1-13a8-11ed-ac2d-bba62e78d30c\",\"type\":\"max\"},{\"field\":\"fb93bbf1-13a8-11ed-ac2d-bba62e78d30c\",\"id\":\"fb93e301-13a8-11ed-ac2d-bba62e78d30c\",\"type\":\"derivative\",\"unit\":\"5m\"}],\"override_index_pattern\":1,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"point_size\":1,\"separate_axis\":0,\"series_drop_last_bucket\":0,\"series_index_pattern_ref_name\":\"metrics_ef891567-af66-4b13-a569-b53a5cdf0b8f_2_index_pattern\",\"split_color_mode\":null,\"split_mode\":\"everything\",\"stacked\":\"none\",\"time_range_mode\":\"entire_time_range\"}],\"show_grid\":0,\"show_legend\":1,\"time_field\":\"\",\"time_range_mode\":\"entire_time_range\",\"tooltip_mode\":\"show_all\",\"truncate_legend\":1,\"type\":\"timeseries\",\"use_kibana_indexes\":true},\"title\":\"\",\"type\":\"metrics\",\"uiState\":{}}},\"gridData\":{\"h\":8,\"i\":\"ef891567-af66-4b13-a569-b53a5cdf0b8f\",\"w\":24,\"x\":24,\"y\":0},\"panelIndex\":\"ef891567-af66-4b13-a569-b53a5cdf0b8f\",\"title\":\"Parse count - Total vs Hard 
[Metrics Oracle]\",\"type\":\"visualization\",\"version\":\"8.4.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"id\":\"e24122f0-13a3-11ed-ac2d-bba62e78d30c\"}],\"drop_last_bucket\":0,\"id\":\"c78db4b3-758b-4967-b1e3-fd5d66cc8508\",\"index_pattern_ref_name\":\"metrics_a2e7769f-32bf-4ffd-baa5-bbb408060350_0_index_pattern\",\"interval\":\"\",\"isModelInvalid\":false,\"legend_position\":\"bottom\",\"max_lines_legend\":1,\"series\":[{\"axis_position\":\"left\",\"chart_type\":\"line\",\"color\":\"rgba(84,179,153,1)\",\"fill\":\"0\",\"formatter\":\"number\",\"id\":\"bbdce57d-1d8a-4c0e-a94d-2b9511cd0f8c\",\"label\":\"Sorts (Memory)\",\"line_width\":\"1\",\"metrics\":[{\"field\":\"oracle.system_statistics.sorts_memory\",\"id\":\"78823468-ea1e-4798-842e-54c8999b8bb3\",\"type\":\"max\"},{\"field\":\"78823468-ea1e-4798-842e-54c8999b8bb3\",\"id\":\"94a76e20-139c-11ed-b7bb-c962dc44100f\",\"type\":\"derivative\",\"unit\":\"5m\"}],\"override_index_pattern\":1,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"point_size\":1,\"separate_axis\":0,\"series_drop_last_bucket\":0,\"series_index_pattern_ref_name\":\"metrics_a2e7769f-32bf-4ffd-baa5-bbb408060350_1_index_pattern\",\"split_color_mode\":null,\"split_mode\":\"everything\",\"stacked\":\"none\",\"time_range_mode\":\"entire_time_range\"},{\"axis_position\":\"left\",\"chart_type\":\"line\",\"color\":\"rgba(96,146,192,1)\",\"fill\":\"0\",\"formatter\":\"number\",\"id\":\"fb93bbf0-13a8-11ed-ac2d-bba62e78d30c\",\"label\":\"Sorts 
(Disk)\",\"line_width\":\"1\",\"metrics\":[{\"field\":\"oracle.system_statistics.sorts_disk\",\"id\":\"fb93bbf1-13a8-11ed-ac2d-bba62e78d30c\",\"type\":\"max\"},{\"field\":\"fb93bbf1-13a8-11ed-ac2d-bba62e78d30c\",\"id\":\"fb93e301-13a8-11ed-ac2d-bba62e78d30c\",\"type\":\"derivative\",\"unit\":\"5m\"}],\"override_index_pattern\":1,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"point_size\":1,\"separate_axis\":0,\"series_drop_last_bucket\":0,\"series_index_pattern_ref_name\":\"metrics_a2e7769f-32bf-4ffd-baa5-bbb408060350_2_index_pattern\",\"split_color_mode\":null,\"split_mode\":\"everything\",\"stacked\":\"none\",\"time_range_mode\":\"entire_time_range\"}],\"show_grid\":0,\"show_legend\":1,\"time_field\":\"\",\"time_range_mode\":\"entire_time_range\",\"tooltip_mode\":\"show_all\",\"truncate_legend\":1,\"type\":\"timeseries\",\"use_kibana_indexes\":true},\"title\":\"\",\"type\":\"metrics\",\"uiState\":{}}},\"gridData\":{\"h\":8,\"i\":\"a2e7769f-32bf-4ffd-baa5-bbb408060350\",\"w\":24,\"x\":0,\"y\":8},\"panelIndex\":\"a2e7769f-32bf-4ffd-baa5-bbb408060350\",\"title\":\"Parse count - Sorts Memory vs Sorts Disk [Metrics 
Oracle]\",\"type\":\"visualization\",\"version\":\"8.4.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"id\":\"e24122f0-13a3-11ed-ac2d-bba62e78d30c\"}],\"drop_last_bucket\":0,\"id\":\"c78db4b3-758b-4967-b1e3-fd5d66cc8508\",\"index_pattern_ref_name\":\"metrics_fc929a45-39c5-4099-a519-c5cc2fab637c_0_index_pattern\",\"interval\":\"\",\"isModelInvalid\":false,\"legend_position\":\"bottom\",\"max_lines_legend\":1,\"series\":[{\"axis_position\":\"left\",\"chart_type\":\"bar\",\"color\":\"rgba(159,211,197,1)\",\"fill\":\"0.5\",\"formatter\":\"ms,ms,0\",\"id\":\"bbdce57d-1d8a-4c0e-a94d-2b9511cd0f8c\",\"label\":\"Parse time (Elapsed)\",\"line_width\":\"1\",\"metrics\":[{\"field\":\"oracle.system_statistics.parse_time_elapsed\",\"id\":\"78823468-ea1e-4798-842e-54c8999b8bb3\",\"type\":\"max\"},{\"field\":\"78823468-ea1e-4798-842e-54c8999b8bb3\",\"id\":\"94a76e20-139c-11ed-b7bb-c962dc44100f\",\"type\":\"derivative\",\"unit\":\"\"},{\"id\":\"b096b7c0-13b1-11ed-ac2d-bba62e78d30c\",\"script\":\"params.ms_value / 10\",\"type\":\"math\",\"variables\":[{\"field\":\"94a76e20-139c-11ed-b7bb-c962dc44100f\",\"id\":\"b5690050-13b1-11ed-ac2d-bba62e78d30c\",\"name\":\"ms_value\"}]}],\"override_index_pattern\":1,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"point_size\":1,\"separate_axis\":0,\"series_drop_last_bucket\":0,\"series_index_pattern_ref_name\":\"metrics_fc929a45-39c5-4099-a519-c5cc2fab637c_1_index_pattern\",\"split_color_mode\":null,\"split_mode\":\"everything\",\"stacked\":\"none\",\"time_range_mode\":\"entire_time_range\",\"value_template\":\"{{value}} 
ms\"},{\"axis_position\":\"left\",\"chart_type\":\"line\",\"color\":\"rgba(96,146,192,1)\",\"fill\":\"0\",\"formatter\":\"ms,ms,0\",\"id\":\"fb93bbf0-13a8-11ed-ac2d-bba62e78d30c\",\"label\":\"Parse time (CPU)\",\"line_width\":\"1\",\"metrics\":[{\"field\":\"oracle.system_statistics.parse_time_cpu\",\"id\":\"fb93bbf1-13a8-11ed-ac2d-bba62e78d30c\",\"type\":\"max\"},{\"field\":\"fb93bbf1-13a8-11ed-ac2d-bba62e78d30c\",\"id\":\"fb93e301-13a8-11ed-ac2d-bba62e78d30c\",\"type\":\"derivative\",\"unit\":\"\"},{\"id\":\"cd8de100-13b1-11ed-ac2d-bba62e78d30c\",\"script\":\"params.ms_value/10\",\"type\":\"math\",\"variables\":[{\"field\":\"fb93e301-13a8-11ed-ac2d-bba62e78d30c\",\"id\":\"d16a57e0-13b1-11ed-ac2d-bba62e78d30c\",\"name\":\"ms_value\"}]}],\"override_index_pattern\":1,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"point_size\":1,\"separate_axis\":0,\"series_drop_last_bucket\":0,\"series_index_pattern_ref_name\":\"metrics_fc929a45-39c5-4099-a519-c5cc2fab637c_2_index_pattern\",\"split_color_mode\":null,\"split_mode\":\"everything\",\"stacked\":\"none\",\"time_range_mode\":\"entire_time_range\",\"value_template\":\"{{value}} ms\"},{\"axis_position\":\"left\",\"chart_type\":\"line\",\"color\":\"rgba(84,179,153,1)\",\"fill\":\"0\",\"formatter\":\"ms,ms,0\",\"hidden\":true,\"id\":\"0c9bc3a0-13b0-11ed-ac2d-bba62e78d30c\",\"label\":\"Parse time 
(Waiting)\",\"line_width\":\"1\",\"metrics\":[{\"field\":\"oracle.system_statistics.parse_time_cpu\",\"id\":\"0c9bc3a1-13b0-11ed-ac2d-bba62e78d30c\",\"type\":\"max\"},{\"field\":\"0c9bc3a1-13b0-11ed-ac2d-bba62e78d30c\",\"id\":\"0c9bc3a2-13b0-11ed-ac2d-bba62e78d30c\",\"type\":\"derivative\",\"unit\":\"\"},{\"field\":\"oracle.system_statistics.parse_time_elapsed\",\"id\":\"142def80-13b0-11ed-ac2d-bba62e78d30c\",\"type\":\"max\"},{\"field\":\"142def80-13b0-11ed-ac2d-bba62e78d30c\",\"id\":\"24c73400-13b0-11ed-ac2d-bba62e78d30c\",\"type\":\"derivative\",\"unit\":\"\"},{\"id\":\"2e0f4d40-13b0-11ed-ac2d-bba62e78d30c\",\"script\":\"(params.elapsed - params.cpu)/10\",\"type\":\"math\",\"variables\":[{\"field\":\"24c73400-13b0-11ed-ac2d-bba62e78d30c\",\"id\":\"320fedf0-13b0-11ed-ac2d-bba62e78d30c\",\"name\":\"elapsed\"},{\"field\":\"0c9bc3a2-13b0-11ed-ac2d-bba62e78d30c\",\"id\":\"42085e90-13b0-11ed-ac2d-bba62e78d30c\",\"name\":\"cpu\"}]}],\"override_index_pattern\":1,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"point_size\":1,\"separate_axis\":0,\"series_drop_last_bucket\":0,\"series_index_pattern_ref_name\":\"metrics_fc929a45-39c5-4099-a519-c5cc2fab637c_3_index_pattern\",\"split_color_mode\":null,\"split_mode\":\"everything\",\"stacked\":\"none\",\"time_range_mode\":\"entire_time_range\",\"value_template\":\"{{value}} ms\"}],\"show_grid\":0,\"show_legend\":1,\"time_field\":\"\",\"time_range_mode\":\"entire_time_range\",\"tooltip_mode\":\"show_all\",\"truncate_legend\":1,\"type\":\"timeseries\",\"use_kibana_indexes\":true},\"title\":\"\",\"type\":\"metrics\",\"uiState\":{}}},\"gridData\":{\"h\":8,\"i\":\"fc929a45-39c5-4099-a519-c5cc2fab637c\",\"w\":24,\"x\":24,\"y\":16},\"panelIndex\":\"fc929a45-39c5-4099-a519-c5cc2fab637c\",\"title\":\"Parse Time [Metrics 
Oracle]\",\"type\":\"visualization\",\"version\":\"8.4.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"id\":\"e24122f0-13a3-11ed-ac2d-bba62e78d30c\"}],\"drop_last_bucket\":0,\"id\":\"c78db4b3-758b-4967-b1e3-fd5d66cc8508\",\"index_pattern_ref_name\":\"metrics_5706242b-0b49-4fb7-9ef0-afb451c9e358_0_index_pattern\",\"interval\":\"\",\"isModelInvalid\":false,\"legend_position\":\"bottom\",\"max_lines_legend\":1,\"series\":[{\"axis_position\":\"left\",\"chart_type\":\"line\",\"color\":\"rgba(84,179,153,1)\",\"fill\":\"0\",\"formatter\":\"number\",\"id\":\"bbdce57d-1d8a-4c0e-a94d-2b9511cd0f8c\",\"label\":\"User rollbacks\",\"line_width\":\"1\",\"metrics\":[{\"field\":\"oracle.system_statistics.user_rollbacks\",\"id\":\"78823468-ea1e-4798-842e-54c8999b8bb3\",\"type\":\"max\"},{\"field\":\"78823468-ea1e-4798-842e-54c8999b8bb3\",\"id\":\"94a76e20-139c-11ed-b7bb-c962dc44100f\",\"type\":\"derivative\",\"unit\":\"5m\"}],\"override_index_pattern\":1,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"point_size\":1,\"separate_axis\":0,\"series_drop_last_bucket\":0,\"series_index_pattern_ref_name\":\"metrics_5706242b-0b49-4fb7-9ef0-afb451c9e358_1_index_pattern\",\"split_color_mode\":null,\"split_mode\":\"everything\",\"stacked\":\"none\",\"time_range_mode\":\"entire_time_range\"},{\"axis_position\":\"left\",\"chart_type\":\"line\",\"color\":\"rgba(96,146,192,1)\",\"fill\":\"0\",\"formatter\":\"number\",\"id\":\"fb93bbf0-13a8-11ed-ac2d-bba62e78d30c\",\"label\":\"Transaction 
Rollbacks\",\"line_width\":\"1\",\"metrics\":[{\"field\":\"oracle.system_statistics.transaction_rollbacks\",\"id\":\"fb93bbf1-13a8-11ed-ac2d-bba62e78d30c\",\"type\":\"max\"},{\"field\":\"fb93bbf1-13a8-11ed-ac2d-bba62e78d30c\",\"id\":\"fb93e301-13a8-11ed-ac2d-bba62e78d30c\",\"type\":\"derivative\",\"unit\":\"5m\"}],\"override_index_pattern\":1,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"point_size\":1,\"separate_axis\":0,\"series_drop_last_bucket\":0,\"series_index_pattern_ref_name\":\"metrics_5706242b-0b49-4fb7-9ef0-afb451c9e358_2_index_pattern\",\"split_color_mode\":null,\"split_mode\":\"everything\",\"stacked\":\"none\",\"time_range_mode\":\"entire_time_range\"}],\"show_grid\":0,\"show_legend\":1,\"time_field\":\"\",\"time_range_mode\":\"entire_time_range\",\"tooltip_mode\":\"show_all\",\"truncate_legend\":1,\"type\":\"timeseries\",\"use_kibana_indexes\":true},\"title\":\"\",\"type\":\"metrics\",\"uiState\":{}}},\"gridData\":{\"h\":8,\"i\":\"5706242b-0b49-4fb7-9ef0-afb451c9e358\",\"w\":24,\"x\":24,\"y\":8},\"panelIndex\":\"5706242b-0b49-4fb7-9ef0-afb451c9e358\",\"title\":\"Rollbacks[Metrics 
Oracle]\",\"type\":\"visualization\",\"version\":\"8.4.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"id\":\"e24122f0-13a3-11ed-ac2d-bba62e78d30c\"}],\"drop_last_bucket\":0,\"id\":\"c78db4b3-758b-4967-b1e3-fd5d66cc8508\",\"index_pattern_ref_name\":\"metrics_244f1b00-46e2-4f49-8016-c3b7072c1241_0_index_pattern\",\"interval\":\"\",\"isModelInvalid\":false,\"legend_position\":\"bottom\",\"max_lines_legend\":1,\"series\":[{\"axis_position\":\"left\",\"chart_type\":\"line\",\"color\":\"rgba(84,179,153,1)\",\"fill\":\"0\",\"formatter\":\"number\",\"id\":\"bbdce57d-1d8a-4c0e-a94d-2b9511cd0f8c\",\"label\":\"Physical writes from cache\",\"line_width\":\"1\",\"metrics\":[{\"field\":\"oracle.system_statistics.physical_writes_from_cache\",\"id\":\"78823468-ea1e-4798-842e-54c8999b8bb3\",\"type\":\"max\"},{\"field\":\"78823468-ea1e-4798-842e-54c8999b8bb3\",\"id\":\"94a76e20-139c-11ed-b7bb-c962dc44100f\",\"type\":\"derivative\",\"unit\":\"5m\"}],\"override_index_pattern\":1,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"point_size\":1,\"separate_axis\":0,\"series_drop_last_bucket\":0,\"series_index_pattern_ref_name\":\"metrics_244f1b00-46e2-4f49-8016-c3b7072c1241_1_index_pattern\",\"split_color_mode\":null,\"split_mode\":\"everything\",\"stacked\":\"none\",\"time_range_mode\":\"entire_time_range\"},{\"axis_position\":\"left\",\"chart_type\":\"line\",\"color\":\"rgba(96,146,192,1)\",\"fill\":\"-0.1\",\"formatter\":\"number\",\"id\":\"fb93bbf0-13a8-11ed-ac2d-bba62e78d30c\",\"label\":\"Physical writes 
Direct\",\"line_width\":\"1\",\"metrics\":[{\"field\":\"oracle.system_statistics.physical_writes_direct\",\"id\":\"fb93bbf1-13a8-11ed-ac2d-bba62e78d30c\",\"type\":\"max\"},{\"field\":\"fb93bbf1-13a8-11ed-ac2d-bba62e78d30c\",\"id\":\"fb93e301-13a8-11ed-ac2d-bba62e78d30c\",\"type\":\"derivative\",\"unit\":\"5m\"}],\"override_index_pattern\":1,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"point_size\":1,\"separate_axis\":0,\"series_drop_last_bucket\":0,\"series_index_pattern_ref_name\":\"metrics_244f1b00-46e2-4f49-8016-c3b7072c1241_2_index_pattern\",\"split_color_mode\":null,\"split_mode\":\"everything\",\"stacked\":\"none\",\"time_range_mode\":\"entire_time_range\"},{\"axis_position\":\"right\",\"chart_type\":\"bar\",\"color\":\"rgba(178,224,211,1)\",\"fill\":\"0.5\",\"formatter\":\"default\",\"id\":\"141b9140-13b6-11ed-ac2d-bba62e78d30c\",\"label\":\"Physical Writes\",\"line_width\":1,\"metrics\":[{\"field\":\"oracle.system_statistics.physical_writes\",\"id\":\"141b9141-13b6-11ed-ac2d-bba62e78d30c\",\"type\":\"max\"},{\"field\":\"141b9141-13b6-11ed-ac2d-bba62e78d30c\",\"id\":\"239d7250-13b6-11ed-ac2d-bba62e78d30c\",\"type\":\"derivative\",\"unit\":\"5m\"}],\"override_index_pattern\":0,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"point_size\":1,\"separate_axis\":0,\"series_drop_last_bucket\":0,\"split_mode\":\"everything\",\"stacked\":\"none\",\"time_range_mode\":\"entire_time_range\"}],\"show_grid\":0,\"show_legend\":1,\"time_field\":\"\",\"time_range_mode\":\"entire_time_range\",\"tooltip_mode\":\"show_all\",\"truncate_legend\":1,\"type\":\"timeseries\",\"use_kibana_indexes\":true},\"title\":\"\",\"type\":\"metrics\",\"uiState\":{}}},\"gridData\":{\"h\":8,\"i\":\"244f1b00-46e2-4f49-8016-c3b7072c1241\",\"w\":24,\"x\":0,\"y\":16},\"panelIndex\":\"244f1b00-46e2-4f49-8016-c3b7072c1241\",\"title\":\"Physical Writes [Metrics 
Oracle]\",\"type\":\"visualization\",\"version\":\"8.4.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"id\":\"e24122f0-13a3-11ed-ac2d-bba62e78d30c\"}],\"drop_last_bucket\":0,\"id\":\"c78db4b3-758b-4967-b1e3-fd5d66cc8508\",\"index_pattern_ref_name\":\"metrics_32552a41-3ad8-46d9-8462-1c5e091bab66_0_index_pattern\",\"interval\":\"\",\"isModelInvalid\":false,\"legend_position\":\"bottom\",\"max_lines_legend\":1,\"series\":[{\"axis_position\":\"left\",\"chart_type\":\"line\",\"color\":\"rgba(84,179,153,1)\",\"fill\":\"0\",\"formatter\":\"number\",\"id\":\"bbdce57d-1d8a-4c0e-a94d-2b9511cd0f8c\",\"label\":\"Enqueue Requests Per Second\",\"line_width\":\"1\",\"metrics\":[{\"field\":\"oracle.sysmetric.enqueue_requests_per_sec\",\"id\":\"78823468-ea1e-4798-842e-54c8999b8bb3\",\"type\":\"max\"}],\"override_index_pattern\":1,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"point_size\":1,\"separate_axis\":0,\"series_drop_last_bucket\":0,\"series_index_pattern_ref_name\":\"metrics_32552a41-3ad8-46d9-8462-1c5e091bab66_1_index_pattern\",\"split_color_mode\":null,\"split_mode\":\"everything\",\"stacked\":\"none\",\"time_range_mode\":\"entire_time_range\"},{\"axis_position\":\"left\",\"chart_type\":\"line\",\"color\":\"rgba(96,146,192,1)\",\"fill\":\"0\",\"formatter\":\"number\",\"id\":\"9b888bf0-13bc-11ed-ac2d-bba62e78d30c\",\"label\":\"Enqueue Timeouts Per 
Second\",\"line_width\":\"1\",\"metrics\":[{\"field\":\"oracle.sysmetric.enqueue_timeouts_per_sec\",\"id\":\"9b888bf1-13bc-11ed-ac2d-bba62e78d30c\",\"type\":\"max\"}],\"override_index_pattern\":1,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"point_size\":1,\"separate_axis\":0,\"series_drop_last_bucket\":0,\"series_index_pattern_ref_name\":\"metrics_32552a41-3ad8-46d9-8462-1c5e091bab66_2_index_pattern\",\"split_color_mode\":null,\"split_mode\":\"everything\",\"stacked\":\"none\",\"time_range_mode\":\"entire_time_range\"},{\"axis_position\":\"left\",\"chart_type\":\"line\",\"color\":\"rgba(145,112,184,1)\",\"fill\":\"0\",\"formatter\":\"number\",\"id\":\"c5af8ff0-13bc-11ed-ac2d-bba62e78d30c\",\"label\":\"Enqueue Deadlocks Per Second\",\"line_width\":\"1\",\"metrics\":[{\"field\":\"oracle.sysmetric.enqueue_deadlocks_per_sec\",\"id\":\"c5af8ff1-13bc-11ed-ac2d-bba62e78d30c\",\"type\":\"max\"}],\"override_index_pattern\":1,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"point_size\":1,\"separate_axis\":0,\"series_drop_last_bucket\":0,\"series_index_pattern_ref_name\":\"metrics_32552a41-3ad8-46d9-8462-1c5e091bab66_3_index_pattern\",\"split_color_mode\":null,\"split_mode\":\"everything\",\"stacked\":\"none\",\"time_range_mode\":\"entire_time_range\"}],\"show_grid\":0,\"show_legend\":1,\"time_field\":\"\",\"time_range_mode\":\"entire_time_range\",\"tooltip_mode\":\"show_all\",\"truncate_legend\":1,\"type\":\"timeseries\",\"use_kibana_indexes\":true},\"title\":\"\",\"type\":\"metrics\",\"uiState\":{}}},\"gridData\":{\"h\":8,\"i\":\"32552a41-3ad8-46d9-8462-1c5e091bab66\",\"w\":24,\"x\":0,\"y\":24},\"panelIndex\":\"32552a41-3ad8-46d9-8462-1c5e091bab66\",\"title\":\"Enqueue Metrics [Metrics 
Oracle]\",\"type\":\"visualization\",\"version\":\"8.4.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"id\":\"e24122f0-13a3-11ed-ac2d-bba62e78d30c\"}],\"drop_last_bucket\":0,\"id\":\"c78db4b3-758b-4967-b1e3-fd5d66cc8508\",\"index_pattern_ref_name\":\"metrics_18bbe239-30b6-4fb5-b193-10cef19a8f47_0_index_pattern\",\"interval\":\"\",\"isModelInvalid\":false,\"legend_position\":\"bottom\",\"max_lines_legend\":1,\"series\":[{\"axis_position\":\"left\",\"chart_type\":\"line\",\"color\":\"rgba(84,179,153,1)\",\"fill\":\"0\",\"formatter\":\"number\",\"id\":\"bbdce57d-1d8a-4c0e-a94d-2b9511cd0f8c\",\"label\":\" \",\"line_width\":\"1\",\"metrics\":[{\"field\":\"oracle.system_statistics.opened_cursors_current\",\"id\":\"78823468-ea1e-4798-842e-54c8999b8bb3\",\"type\":\"max\"}],\"override_index_pattern\":1,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"point_size\":1,\"separate_axis\":0,\"series_drop_last_bucket\":0,\"series_index_pattern_ref_name\":\"metrics_18bbe239-30b6-4fb5-b193-10cef19a8f47_1_index_pattern\",\"split_color_mode\":null,\"split_mode\":\"everything\",\"stacked\":\"none\",\"time_range_mode\":\"entire_time_range\"}],\"show_grid\":0,\"show_legend\":1,\"time_field\":\"\",\"time_range_mode\":\"entire_time_range\",\"tooltip_mode\":\"show_all\",\"truncate_legend\":1,\"type\":\"metric\",\"use_kibana_indexes\":true},\"title\":\"\",\"type\":\"metrics\",\"uiState\":{}}},\"gridData\":{\"h\":8,\"i\":\"18bbe239-30b6-4fb5-b193-10cef19a8f47\",\"w\":24,\"x\":24,\"y\":24},\"panelIndex\":\"18bbe239-30b6-4fb5-b193-10cef19a8f47\",\"title\":\"Current Opened Cursors [Metrics Oracle]\",\"type\":\"visualization\",\"version\":\"8.4.0-SNAPSHOT\"}]", - "timeRestore": false, - 
"title": "[Metrics Oracle] System Statistics Metrics", - "version": 1 - }, - "coreMigrationVersion": "8.3.0", - "id": "oracle-b6b2c9f0-13a7-11ed-9607-2ba0819b3835", - "migrationVersion": { - "dashboard": "8.3.0" - }, - "references": [ - { - "id": "metrics-*", - "name": "988770fe-59b5-4c12-b668-20a8d9461bf5:metrics_988770fe-59b5-4c12-b668-20a8d9461bf5_0_index_pattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "988770fe-59b5-4c12-b668-20a8d9461bf5:metrics_988770fe-59b5-4c12-b668-20a8d9461bf5_1_index_pattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "ef891567-af66-4b13-a569-b53a5cdf0b8f:metrics_ef891567-af66-4b13-a569-b53a5cdf0b8f_0_index_pattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "ef891567-af66-4b13-a569-b53a5cdf0b8f:metrics_ef891567-af66-4b13-a569-b53a5cdf0b8f_1_index_pattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "ef891567-af66-4b13-a569-b53a5cdf0b8f:metrics_ef891567-af66-4b13-a569-b53a5cdf0b8f_2_index_pattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "a2e7769f-32bf-4ffd-baa5-bbb408060350:metrics_a2e7769f-32bf-4ffd-baa5-bbb408060350_0_index_pattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "a2e7769f-32bf-4ffd-baa5-bbb408060350:metrics_a2e7769f-32bf-4ffd-baa5-bbb408060350_1_index_pattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "a2e7769f-32bf-4ffd-baa5-bbb408060350:metrics_a2e7769f-32bf-4ffd-baa5-bbb408060350_2_index_pattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "fc929a45-39c5-4099-a519-c5cc2fab637c:metrics_fc929a45-39c5-4099-a519-c5cc2fab637c_0_index_pattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "fc929a45-39c5-4099-a519-c5cc2fab637c:metrics_fc929a45-39c5-4099-a519-c5cc2fab637c_1_index_pattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": 
"fc929a45-39c5-4099-a519-c5cc2fab637c:metrics_fc929a45-39c5-4099-a519-c5cc2fab637c_2_index_pattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "fc929a45-39c5-4099-a519-c5cc2fab637c:metrics_fc929a45-39c5-4099-a519-c5cc2fab637c_3_index_pattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "5706242b-0b49-4fb7-9ef0-afb451c9e358:metrics_5706242b-0b49-4fb7-9ef0-afb451c9e358_0_index_pattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "5706242b-0b49-4fb7-9ef0-afb451c9e358:metrics_5706242b-0b49-4fb7-9ef0-afb451c9e358_1_index_pattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "5706242b-0b49-4fb7-9ef0-afb451c9e358:metrics_5706242b-0b49-4fb7-9ef0-afb451c9e358_2_index_pattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "244f1b00-46e2-4f49-8016-c3b7072c1241:metrics_244f1b00-46e2-4f49-8016-c3b7072c1241_0_index_pattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "244f1b00-46e2-4f49-8016-c3b7072c1241:metrics_244f1b00-46e2-4f49-8016-c3b7072c1241_1_index_pattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "244f1b00-46e2-4f49-8016-c3b7072c1241:metrics_244f1b00-46e2-4f49-8016-c3b7072c1241_2_index_pattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "32552a41-3ad8-46d9-8462-1c5e091bab66:metrics_32552a41-3ad8-46d9-8462-1c5e091bab66_0_index_pattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "32552a41-3ad8-46d9-8462-1c5e091bab66:metrics_32552a41-3ad8-46d9-8462-1c5e091bab66_1_index_pattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "32552a41-3ad8-46d9-8462-1c5e091bab66:metrics_32552a41-3ad8-46d9-8462-1c5e091bab66_2_index_pattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "32552a41-3ad8-46d9-8462-1c5e091bab66:metrics_32552a41-3ad8-46d9-8462-1c5e091bab66_3_index_pattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - 
"name": "18bbe239-30b6-4fb5-b193-10cef19a8f47:metrics_18bbe239-30b6-4fb5-b193-10cef19a8f47_0_index_pattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "18bbe239-30b6-4fb5-b193-10cef19a8f47:metrics_18bbe239-30b6-4fb5-b193-10cef19a8f47_1_index_pattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "controlGroup_3de2a6b1-0cb3-4b1d-8a5f-070387961941:optionsListDataView", - "type": "index-pattern" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/oracle/1.4.0/kibana/dashboard/oracle-bdb780f0-156a-11ed-9607-2ba0819b3835.json b/packages/oracle/1.4.0/kibana/dashboard/oracle-bdb780f0-156a-11ed-9607-2ba0819b3835.json deleted file mode 100755 index 74d4e261a7..0000000000 --- a/packages/oracle/1.4.0/kibana/dashboard/oracle-bdb780f0-156a-11ed-9607-2ba0819b3835.json +++ /dev/null 
@@ -1,88 +0,0 @@ -{ - "attributes": { - "controlGroupInput": { - "chainingSystem": "HIERARCHICAL", - "controlStyle": "oneLine", - "ignoreParentSettingsJSON": "{\"ignoreFilters\":false,\"ignoreQuery\":false,\"ignoreTimerange\":false,\"ignoreValidations\":false}", - "panelsJSON": "{\"3de2a6b1-0cb3-4b1d-8a5f-070387961941\":{\"order\":0,\"width\":\"medium\",\"grow\":true,\"type\":\"optionsListControl\",\"explicitInput\":{\"fieldName\":\"service.address\",\"title\":\"Oracle Host Control\",\"id\":\"3de2a6b1-0cb3-4b1d-8a5f-070387961941\",\"enhancements\":{}}}}" - }, - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"syncTooltips\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"id\":\"\",\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"id\":\"e24122f0-13a3-11ed-ac2d-bba62e78d30c\"}],\"drop_last_bucket\":0,\"id\":\"c78db4b3-758b-4967-b1e3-fd5d66cc8508\",\"index_pattern_ref_name\":\"metrics_988770fe-59b5-4c12-b668-20a8d9461bf5_0_index_pattern\",\"interval\":\"\",\"isModelInvalid\":false,\"legend_position\":\"bottom\",\"max_lines_legend\":1,\"series\":[{\"axis_position\":\"left\",\"chart_type\":\"line\",\"color\":\"rgba(84,179,153,1)\",\"fill\":\"0.5\",\"formatter\":\"bytes\",\"id\":\"ebe118d0-13a6-11ed-ac2d-bba62e78d30c\",\"label\":\" 
\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"oracle.memory.pga.total_freeable_memory\",\"id\":\"ebe118d1-13a6-11ed-ac2d-bba62e78d30c\",\"type\":\"avg\"}],\"override_index_pattern\":0,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"point_size\":\"2\",\"separate_axis\":1,\"series_drop_last_bucket\":0,\"split_mode\":\"everything\",\"stacked\":\"none\",\"steps\":0,\"time_range_mode\":\"entire_time_range\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"time_range_mode\":\"entire_time_range\",\"tooltip_mode\":\"show_all\",\"truncate_legend\":1,\"type\":\"metric\",\"use_kibana_indexes\":true},\"title\":\"\",\"type\":\"metrics\",\"uiState\":{}}},\"gridData\":{\"h\":6,\"i\":\"988770fe-59b5-4c12-b668-20a8d9461bf5\",\"w\":9,\"x\":0,\"y\":0},\"panelIndex\":\"988770fe-59b5-4c12-b668-20a8d9461bf5\",\"title\":\"Total Freeable PGA [Metrics Oracle]\",\"type\":\"visualization\",\"version\":\"8.3.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"id\":\"e24122f0-13a3-11ed-ac2d-bba62e78d30c\"}],\"drop_last_bucket\":0,\"id\":\"c78db4b3-758b-4967-b1e3-fd5d66cc8508\",\"index_pattern_ref_name\":\"metrics_7fbd33ad-7e54-464d-82c3-a3fa6567b7d8_0_index_pattern\",\"interval\":\"\",\"isModelInvalid\":false,\"legend_position\":\"bottom\",\"max_lines_legend\":1,\"series\":[{\"axis_position\":\"left\",\"chart_type\":\"line\",\"color\":\"rgba(84,179,153,1)\",\"fill\":\"0.5\",\"formatter\":\"00.0\",\"id\":\"ebe118d0-13a6-11ed-ac2d-bba62e78d30c\",\"label\":\" 
\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"oracle.memory.pga.cache_hit_pct\",\"id\":\"ebe118d1-13a6-11ed-ac2d-bba62e78d30c\",\"type\":\"avg\"}],\"override_index_pattern\":0,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"point_size\":\"2\",\"separate_axis\":1,\"series_drop_last_bucket\":0,\"split_mode\":\"everything\",\"stacked\":\"none\",\"steps\":0,\"time_range_mode\":\"entire_time_range\",\"value_template\":\"{{value}}%\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"time_range_mode\":\"entire_time_range\",\"tooltip_mode\":\"show_all\",\"truncate_legend\":1,\"type\":\"metric\",\"use_kibana_indexes\":true},\"title\":\"\",\"type\":\"metrics\",\"uiState\":{}}},\"gridData\":{\"h\":6,\"i\":\"7fbd33ad-7e54-464d-82c3-a3fa6567b7d8\",\"w\":9,\"x\":9,\"y\":0},\"panelIndex\":\"7fbd33ad-7e54-464d-82c3-a3fa6567b7d8\",\"title\":\"PGA Cache Hit Percentage [Metrics Oracle]\",\"type\":\"visualization\",\"version\":\"8.3.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"id\":\"e24122f0-13a3-11ed-ac2d-bba62e78d30c\"}],\"drop_last_bucket\":0,\"id\":\"c78db4b3-758b-4967-b1e3-fd5d66cc8508\",\"index_pattern_ref_name\":\"metrics_57fa7ae6-9533-4674-8b45-0c1c533b69d5_0_index_pattern\",\"interval\":\"\",\"isModelInvalid\":false,\"legend_position\":\"bottom\",\"max_lines_legend\":1,\"series\":[{\"axis_position\":\"left\",\"chart_type\":\"line\",\"color\":\"rgba(84,179,153,1)\",\"fill\":\"0.5\",\"formatter\":\"bytes\",\"id\":\"ebe118d0-13a6-11ed-ac2d-bba62e78d30c\",\"label\":\" 
\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"oracle.memory.pga.maximum_allocated\",\"id\":\"ebe118d1-13a6-11ed-ac2d-bba62e78d30c\",\"type\":\"avg\"}],\"override_index_pattern\":0,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"point_size\":\"2\",\"separate_axis\":1,\"series_drop_last_bucket\":0,\"split_mode\":\"everything\",\"stacked\":\"none\",\"steps\":0,\"time_range_mode\":\"entire_time_range\",\"value_template\":\"{{value}}\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"time_range_mode\":\"entire_time_range\",\"tooltip_mode\":\"show_all\",\"truncate_legend\":1,\"type\":\"metric\",\"use_kibana_indexes\":true},\"title\":\"\",\"type\":\"metrics\",\"uiState\":{}}},\"gridData\":{\"h\":6,\"i\":\"57fa7ae6-9533-4674-8b45-0c1c533b69d5\",\"w\":9,\"x\":18,\"y\":0},\"panelIndex\":\"57fa7ae6-9533-4674-8b45-0c1c533b69d5\",\"title\":\"Maximum PGA Allocated [Metrics Oracle]\",\"type\":\"visualization\",\"version\":\"8.3.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"id\":\"e24122f0-13a3-11ed-ac2d-bba62e78d30c\"}],\"drop_last_bucket\":0,\"id\":\"c78db4b3-758b-4967-b1e3-fd5d66cc8508\",\"index_pattern_ref_name\":\"metrics_490fc7d3-aecc-43a3-aaeb-b455d55eed12_0_index_pattern\",\"interval\":\"\",\"isModelInvalid\":false,\"legend_position\":\"bottom\",\"max_lines_legend\":1,\"series\":[{\"axis_position\":\"left\",\"chart_type\":\"line\",\"color\":\"rgba(84,179,153,1)\",\"fill\":\"0\",\"formatter\":\"00.0\",\"id\":\"ebe118d0-13a6-11ed-ac2d-bba62e78d30c\",\"label\":\" 
\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"oracle.memory.pga.cache_hit_pct\",\"id\":\"ebe118d1-13a6-11ed-ac2d-bba62e78d30c\",\"type\":\"avg\"}],\"override_index_pattern\":0,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"point_size\":\"2\",\"separate_axis\":1,\"series_drop_last_bucket\":0,\"split_mode\":\"everything\",\"stacked\":\"none\",\"steps\":0,\"time_range_mode\":\"entire_time_range\",\"value_template\":\"{{value}}%\"}],\"show_grid\":0,\"show_legend\":1,\"time_field\":\"@timestamp\",\"time_range_mode\":\"entire_time_range\",\"tooltip_mode\":\"show_all\",\"truncate_legend\":1,\"type\":\"timeseries\",\"use_kibana_indexes\":true},\"title\":\"\",\"type\":\"metrics\",\"uiState\":{}}},\"gridData\":{\"h\":9,\"i\":\"490fc7d3-aecc-43a3-aaeb-b455d55eed12\",\"w\":21,\"x\":27,\"y\":0},\"panelIndex\":\"490fc7d3-aecc-43a3-aaeb-b455d55eed12\",\"title\":\"PGA Cache Hit Percentage [Metrics Oracle]\",\"type\":\"visualization\",\"version\":\"8.3.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"id\":\"e24122f0-13a3-11ed-ac2d-bba62e78d30c\"}],\"drop_last_bucket\":0,\"id\":\"c78db4b3-758b-4967-b1e3-fd5d66cc8508\",\"index_pattern_ref_name\":\"metrics_4598c927-c422-4e6d-b754-86dbea636361_0_index_pattern\",\"interval\":\"\",\"isModelInvalid\":false,\"legend_position\":\"bottom\",\"max_lines_legend\":1,\"series\":[{\"axis_position\":\"left\",\"chart_type\":\"line\",\"color\":\"rgba(84,179,153,1)\",\"fill\":\"0.5\",\"formatter\":\"bytes\",\"id\":\"ebe118d0-13a6-11ed-ac2d-bba62e78d30c\",\"label\":\" 
\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"oracle.memory.pga.aggregate_target_parameter\",\"id\":\"ebe118d1-13a6-11ed-ac2d-bba62e78d30c\",\"type\":\"avg\"}],\"override_index_pattern\":0,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"point_size\":\"2\",\"separate_axis\":1,\"series_drop_last_bucket\":0,\"split_mode\":\"everything\",\"stacked\":\"none\",\"steps\":0,\"time_range_mode\":\"entire_time_range\",\"value_template\":\"{{value}}\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"time_range_mode\":\"entire_time_range\",\"tooltip_mode\":\"show_all\",\"truncate_legend\":1,\"type\":\"metric\",\"use_kibana_indexes\":true},\"title\":\"\",\"type\":\"metrics\",\"uiState\":{}}},\"gridData\":{\"h\":6,\"i\":\"4598c927-c422-4e6d-b754-86dbea636361\",\"w\":9,\"x\":0,\"y\":6},\"panelIndex\":\"4598c927-c422-4e6d-b754-86dbea636361\",\"title\":\"PGA Aggregate Target [Metrics Oracle]\",\"type\":\"visualization\",\"version\":\"8.3.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"id\":\"e24122f0-13a3-11ed-ac2d-bba62e78d30c\"}],\"drop_last_bucket\":0,\"id\":\"c78db4b3-758b-4967-b1e3-fd5d66cc8508\",\"index_pattern_ref_name\":\"metrics_67ff0142-e274-4854-bdc7-444209a339a9_0_index_pattern\",\"interval\":\"\",\"isModelInvalid\":false,\"legend_position\":\"bottom\",\"max_lines_legend\":1,\"series\":[{\"axis_position\":\"left\",\"chart_type\":\"line\",\"color\":\"rgba(84,179,153,1)\",\"fill\":\"0.5\",\"formatter\":\"bytes\",\"id\":\"ebe118d0-13a6-11ed-ac2d-bba62e78d30c\",\"label\":\" 
\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"oracle.memory.pga.global_memory_bound\",\"id\":\"ebe118d1-13a6-11ed-ac2d-bba62e78d30c\",\"type\":\"avg\"}],\"override_index_pattern\":0,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"point_size\":\"2\",\"separate_axis\":1,\"series_drop_last_bucket\":0,\"split_mode\":\"everything\",\"stacked\":\"none\",\"steps\":0,\"time_range_mode\":\"entire_time_range\",\"value_template\":\"{{value}}\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"time_range_mode\":\"entire_time_range\",\"tooltip_mode\":\"show_all\",\"truncate_legend\":1,\"type\":\"metric\",\"use_kibana_indexes\":true},\"title\":\"\",\"type\":\"metrics\",\"uiState\":{}}},\"gridData\":{\"h\":6,\"i\":\"67ff0142-e274-4854-bdc7-444209a339a9\",\"w\":9,\"x\":9,\"y\":6},\"panelIndex\":\"67ff0142-e274-4854-bdc7-444209a339a9\",\"title\":\"PGA Global Memory Bound [Metrics Oracle]\",\"type\":\"visualization\",\"version\":\"8.3.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"id\":\"e24122f0-13a3-11ed-ac2d-bba62e78d30c\"}],\"drop_last_bucket\":0,\"id\":\"c78db4b3-758b-4967-b1e3-fd5d66cc8508\",\"index_pattern_ref_name\":\"metrics_ddf697e9-b1e8-4edd-b808-ac2c52a14886_0_index_pattern\",\"interval\":\"\",\"isModelInvalid\":false,\"legend_position\":\"bottom\",\"max_lines_legend\":1,\"series\":[{\"axis_position\":\"left\",\"chart_type\":\"line\",\"color\":\"rgba(84,179,153,1)\",\"fill\":\"0.5\",\"formatter\":\"bytes\",\"id\":\"ebe118d0-13a6-11ed-ac2d-bba62e78d30c\",\"label\":\" 
\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"oracle.memory.pga.total_allocated\",\"id\":\"ebe118d1-13a6-11ed-ac2d-bba62e78d30c\",\"type\":\"avg\"}],\"override_index_pattern\":0,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"point_size\":\"2\",\"separate_axis\":1,\"series_drop_last_bucket\":0,\"split_mode\":\"everything\",\"stacked\":\"none\",\"steps\":0,\"time_range_mode\":\"entire_time_range\",\"value_template\":\"{{value}}\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"time_range_mode\":\"entire_time_range\",\"tooltip_mode\":\"show_all\",\"truncate_legend\":1,\"type\":\"metric\",\"use_kibana_indexes\":true},\"title\":\"\",\"type\":\"metrics\",\"uiState\":{}}},\"gridData\":{\"h\":6,\"i\":\"ddf697e9-b1e8-4edd-b808-ac2c52a14886\",\"w\":9,\"x\":18,\"y\":6},\"panelIndex\":\"ddf697e9-b1e8-4edd-b808-ac2c52a14886\",\"title\":\"PGA Allocated [Metrics Oracle]\",\"type\":\"visualization\",\"version\":\"8.3.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"id\":\"e24122f0-13a3-11ed-ac2d-bba62e78d30c\"}],\"drop_last_bucket\":0,\"id\":\"c78db4b3-758b-4967-b1e3-fd5d66cc8508\",\"index_pattern_ref_name\":\"metrics_7d8c17b6-bae8-4d50-bbe6-10ff2e3f02ad_0_index_pattern\",\"interval\":\"\",\"isModelInvalid\":false,\"legend_position\":\"bottom\",\"max_lines_legend\":1,\"series\":[{\"axis_position\":\"left\",\"chart_type\":\"line\",\"color\":\"rgba(84,179,153,1)\",\"fill\":\"0\",\"formatter\":\"00.0\",\"id\":\"ebe118d0-13a6-11ed-ac2d-bba62e78d30c\",\"label\":\" 
\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"oracle.memory.sga.total_memory\",\"id\":\"ebe118d1-13a6-11ed-ac2d-bba62e78d30c\",\"type\":\"avg\"},{\"field\":\"oracle.memory.sga.free_memory\",\"id\":\"7042d7f0-1571-11ed-8473-87f6af0978f0\",\"type\":\"avg\"},{\"id\":\"80e236f0-1571-11ed-8473-87f6af0978f0\",\"script\":\"(params.free / params.total) * 100\",\"type\":\"math\",\"variables\":[{\"field\":\"7042d7f0-1571-11ed-8473-87f6af0978f0\",\"id\":\"83727ec0-1571-11ed-8473-87f6af0978f0\",\"name\":\"free\"},{\"field\":\"ebe118d1-13a6-11ed-ac2d-bba62e78d30c\",\"id\":\"87d69c30-1571-11ed-8473-87f6af0978f0\",\"name\":\"total\"}]}],\"override_index_pattern\":0,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"point_size\":\"2\",\"separate_axis\":1,\"series_drop_last_bucket\":0,\"split_mode\":\"everything\",\"stacked\":\"none\",\"steps\":0,\"time_range_mode\":\"entire_time_range\",\"value_template\":\"{{value}}%\"}],\"show_grid\":0,\"show_legend\":1,\"time_field\":\"@timestamp\",\"time_range_mode\":\"entire_time_range\",\"tooltip_mode\":\"show_all\",\"truncate_legend\":1,\"type\":\"timeseries\",\"use_kibana_indexes\":true},\"title\":\"\",\"type\":\"metrics\",\"uiState\":{}}},\"gridData\":{\"h\":9,\"i\":\"7d8c17b6-bae8-4d50-bbe6-10ff2e3f02ad\",\"w\":21,\"x\":27,\"y\":9},\"panelIndex\":\"7d8c17b6-bae8-4d50-bbe6-10ff2e3f02ad\",\"title\":\"Shared Pool Free Percentage [Metrics 
Oracle]\",\"type\":\"visualization\",\"version\":\"8.3.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"id\":\"e24122f0-13a3-11ed-ac2d-bba62e78d30c\"}],\"drop_last_bucket\":0,\"id\":\"c78db4b3-758b-4967-b1e3-fd5d66cc8508\",\"index_pattern_ref_name\":\"metrics_4b465607-cfa3-463d-b9ad-1f4c1ee62c3d_0_index_pattern\",\"interval\":\"\",\"isModelInvalid\":false,\"legend_position\":\"bottom\",\"max_lines_legend\":1,\"series\":[{\"axis_position\":\"left\",\"chart_type\":\"line\",\"color\":\"rgba(84,179,153,1)\",\"fill\":\"0.5\",\"formatter\":\"00.0\",\"id\":\"ebe118d0-13a6-11ed-ac2d-bba62e78d30c\",\"label\":\" \",\"line_width\":\"2\",\"metrics\":[{\"field\":\"oracle.memory.sga.total_memory\",\"id\":\"ebe118d1-13a6-11ed-ac2d-bba62e78d30c\",\"type\":\"avg\"},{\"field\":\"oracle.memory.sga.free_memory\",\"id\":\"7042d7f0-1571-11ed-8473-87f6af0978f0\",\"type\":\"avg\"},{\"id\":\"80e236f0-1571-11ed-8473-87f6af0978f0\",\"script\":\"(params.free / params.total) * 
100\",\"type\":\"math\",\"variables\":[{\"field\":\"7042d7f0-1571-11ed-8473-87f6af0978f0\",\"id\":\"83727ec0-1571-11ed-8473-87f6af0978f0\",\"name\":\"free\"},{\"field\":\"ebe118d1-13a6-11ed-ac2d-bba62e78d30c\",\"id\":\"87d69c30-1571-11ed-8473-87f6af0978f0\",\"name\":\"total\"}]}],\"override_index_pattern\":0,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"point_size\":\"2\",\"separate_axis\":1,\"series_drop_last_bucket\":0,\"split_mode\":\"everything\",\"stacked\":\"none\",\"steps\":0,\"time_range_mode\":\"entire_time_range\",\"value_template\":\"{{value}}%\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"time_range_mode\":\"entire_time_range\",\"tooltip_mode\":\"show_all\",\"truncate_legend\":1,\"type\":\"metric\",\"use_kibana_indexes\":true},\"title\":\"\",\"type\":\"metrics\",\"uiState\":{}}},\"gridData\":{\"h\":6,\"i\":\"4b465607-cfa3-463d-b9ad-1f4c1ee62c3d\",\"w\":9,\"x\":0,\"y\":12},\"panelIndex\":\"4b465607-cfa3-463d-b9ad-1f4c1ee62c3d\",\"title\":\"Shared Pool Free Percentage [Metrics Oracle]\",\"type\":\"visualization\",\"version\":\"8.3.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"id\":\"e24122f0-13a3-11ed-ac2d-bba62e78d30c\"}],\"drop_last_bucket\":0,\"id\":\"c78db4b3-758b-4967-b1e3-fd5d66cc8508\",\"index_pattern_ref_name\":\"metrics_21a5a3f9-d053-427f-b591-9849015a2d15_0_index_pattern\",\"interval\":\"\",\"isModelInvalid\":false,\"legend_position\":\"bottom\",\"max_lines_legend\":1,\"series\":[{\"axis_position\":\"left\",\"chart_type\":\"line\",\"color\":\"rgba(84,179,153,1)\",\"fill\":\"0.5\",\"formatter\":\"bytes\",\"id\":\"ebe118d0-13a6-11ed-ac2d-bba62e78d30c\",\"label\":\" 
\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"oracle.memory.sga.free_memory\",\"id\":\"ebe118d1-13a6-11ed-ac2d-bba62e78d30c\",\"type\":\"avg\"}],\"override_index_pattern\":0,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"point_size\":\"2\",\"separate_axis\":1,\"series_drop_last_bucket\":0,\"split_mode\":\"everything\",\"stacked\":\"none\",\"steps\":0,\"time_range_mode\":\"entire_time_range\",\"value_template\":\"{{value}}\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"time_range_mode\":\"entire_time_range\",\"tooltip_mode\":\"show_all\",\"truncate_legend\":1,\"type\":\"metric\",\"use_kibana_indexes\":true},\"title\":\"\",\"type\":\"metrics\",\"uiState\":{}}},\"gridData\":{\"h\":6,\"i\":\"21a5a3f9-d053-427f-b591-9849015a2d15\",\"w\":9,\"x\":9,\"y\":12},\"panelIndex\":\"21a5a3f9-d053-427f-b591-9849015a2d15\",\"title\":\"Shared Pool Free Memory [Metrics Oracle] \",\"type\":\"visualization\",\"version\":\"8.3.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"id\":\"e24122f0-13a3-11ed-ac2d-bba62e78d30c\"}],\"drop_last_bucket\":0,\"id\":\"c78db4b3-758b-4967-b1e3-fd5d66cc8508\",\"index_pattern_ref_name\":\"metrics_01d39b22-9ee9-429d-9ee5-d0c67bf64e2c_0_index_pattern\",\"interval\":\"\",\"isModelInvalid\":false,\"legend_position\":\"bottom\",\"max_lines_legend\":1,\"series\":[{\"axis_position\":\"left\",\"chart_type\":\"line\",\"color\":\"rgba(84,179,153,1)\",\"fill\":\"0.5\",\"formatter\":\"bytes\",\"id\":\"ebe118d0-13a6-11ed-ac2d-bba62e78d30c\",\"label\":\" 
\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"oracle.memory.sga.total_memory\",\"id\":\"ebe118d1-13a6-11ed-ac2d-bba62e78d30c\",\"type\":\"avg\"}],\"override_index_pattern\":0,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"point_size\":\"2\",\"separate_axis\":1,\"series_drop_last_bucket\":0,\"split_mode\":\"everything\",\"stacked\":\"none\",\"steps\":0,\"time_range_mode\":\"entire_time_range\",\"value_template\":\"{{value}}\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"time_range_mode\":\"entire_time_range\",\"tooltip_mode\":\"show_all\",\"truncate_legend\":1,\"type\":\"metric\",\"use_kibana_indexes\":true},\"title\":\"\",\"type\":\"metrics\",\"uiState\":{}}},\"gridData\":{\"h\":6,\"i\":\"01d39b22-9ee9-429d-9ee5-d0c67bf64e2c\",\"w\":9,\"x\":18,\"y\":12},\"panelIndex\":\"01d39b22-9ee9-429d-9ee5-d0c67bf64e2c\",\"title\":\"Shared Pool Total Memory [Metrics Oracle]\",\"type\":\"visualization\",\"version\":\"8.3.0\"}]", - "timeRestore": false, - "title": "[Metrics Oracle] Memory Metrics", - "version": 1 - }, - "coreMigrationVersion": "8.3.0", - "id": "oracle-bdb780f0-156a-11ed-9607-2ba0819b3835", - "migrationVersion": { - "dashboard": "8.3.0" - }, - "references": [ - { - "id": "metrics-*", - "name": "988770fe-59b5-4c12-b668-20a8d9461bf5:metrics_988770fe-59b5-4c12-b668-20a8d9461bf5_0_index_pattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "7fbd33ad-7e54-464d-82c3-a3fa6567b7d8:metrics_7fbd33ad-7e54-464d-82c3-a3fa6567b7d8_0_index_pattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "57fa7ae6-9533-4674-8b45-0c1c533b69d5:metrics_57fa7ae6-9533-4674-8b45-0c1c533b69d5_0_index_pattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "490fc7d3-aecc-43a3-aaeb-b455d55eed12:metrics_490fc7d3-aecc-43a3-aaeb-b455d55eed12_0_index_pattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": 
"4598c927-c422-4e6d-b754-86dbea636361:metrics_4598c927-c422-4e6d-b754-86dbea636361_0_index_pattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "67ff0142-e274-4854-bdc7-444209a339a9:metrics_67ff0142-e274-4854-bdc7-444209a339a9_0_index_pattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "ddf697e9-b1e8-4edd-b808-ac2c52a14886:metrics_ddf697e9-b1e8-4edd-b808-ac2c52a14886_0_index_pattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "7d8c17b6-bae8-4d50-bbe6-10ff2e3f02ad:metrics_7d8c17b6-bae8-4d50-bbe6-10ff2e3f02ad_0_index_pattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "4b465607-cfa3-463d-b9ad-1f4c1ee62c3d:metrics_4b465607-cfa3-463d-b9ad-1f4c1ee62c3d_0_index_pattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "21a5a3f9-d053-427f-b591-9849015a2d15:metrics_21a5a3f9-d053-427f-b591-9849015a2d15_0_index_pattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "01d39b22-9ee9-429d-9ee5-d0c67bf64e2c:metrics_01d39b22-9ee9-429d-9ee5-d0c67bf64e2c_0_index_pattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "controlGroup_3de2a6b1-0cb3-4b1d-8a5f-070387961941:optionsListDataView", - "type": "index-pattern" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/oracle/1.4.0/manifest.yml b/packages/oracle/1.4.0/manifest.yml deleted file mode 100755 index 83b324ccbd..0000000000 --- a/packages/oracle/1.4.0/manifest.yml +++ /dev/null 
@@ -1,69 +0,0 @@ -format_version: 1.0.0 -name: oracle -title: "Oracle" -version: 1.4.0 -license: basic -description: Collect Oracle Audit Log, Performance metrics, Tablespace metrics, Sysmetrics metrics, System statistics metrics, memory metrics from Oracle database. -type: integration -categories: - - security - - datastore -release: ga -conditions: - kibana.version: "^8.3.0" -screenshots: - - src: /img/Oracle-overview-dashboard.png - title: Oracle overview dashboard - size: 3298x1722 - type: image/png - - src: /img/Oracle-memory-dashboard.png - title: Oracle memory metrics dashboard - size: 3360x3590 - type: image/png - - src: /img/Oracle-performance-dashboard.png - title: Oracle performance metrics dashboard - size: 3360x3590 - type: image/png - - src: /img/Oracle-system_statistics-dashboard.png - title: Oracle system statistics metrics dashboard - size: 3360x3590 - type: image/png - - src: /img/Oracle-tablespace-dashboard.png - title: Oracle tablespace metrics dashboard - size: 3360x3590 - type: image/png - - src: /img/Oracle-sysmetrics-dashboard.png - title: Oracle sysmetrics dashboard - size: 3360x3590 - type: image/png - - src: /img/Oracle-sysmetrics-dashboard-2.png - title: Oracle sysmetrics dashboard - size: 3360x3590 - type: image/png -icons: - - src: /img/oracle_logo.svg - title: Oracle - size: 32x32 - type: image/svg+xml -policy_templates: - - name: oracle - title: Oracle Audit Logs - description: Collect Oracle Audit logs, Performance metrics, Tablespace metrics, Sysmetrics integration, System statistics, memory metrics. 
- inputs: - - type: filestream - title: Collect logs from Oracle instances - description: Collecting Oracle audit logs - - type: sql/metrics - vars: - - name: hosts - type: text - title: Oracle DSN - multi: true - required: true - show_user: true - default: - - oracle://sys:Oradoc_db1@0.0.0.0:1521/ORCLCDB.localdomain?sysdba=1 - title: Collect Oracle database's performance metrics, tablespace metrics, sysmetrics and memory metrics - description: Collecting performance metrics, tablespace metrics, sysmetrics, system statistics metrics and memory metrics from Oracle database instances -owner: - github: elastic/security-external-integrations diff --git a/packages/oracle/1.4.1/LICENSE.txt b/packages/oracle/1.4.1/LICENSE.txt deleted file mode 100755 index 809108b857..0000000000 --- a/packages/oracle/1.4.1/LICENSE.txt +++ /dev/null 
@@ -1,93 +0,0 @@ -Elastic License 2.0 - -URL: https://www.elastic.co/licensing/elastic-license - -## Acceptance - -By using the software, you agree to all of the terms and conditions below. - -## Copyright License - -The licensor grants you a non-exclusive, royalty-free, worldwide, -non-sublicensable, non-transferable license to use, copy, distribute, make -available, and prepare derivative works of the software, in each case subject to -the limitations and conditions below. - -## Limitations - -You may not provide the software to third parties as a hosted or managed -service, where the service provides users with access to any substantial set of -the features or functionality of the software. - -You may not move, change, disable, or circumvent the license key functionality -in the software, and you may not remove or obscure any functionality in the -software that is protected by the license key. - -You may not alter, remove, or obscure any licensing, copyright, or other notices -of the licensor in the software. Any use of the licensor’s trademarks is subject -to applicable law. - -## Patents - -The licensor grants you a license, under any patent claims the licensor can -license, or becomes able to license, to make, have made, use, sell, offer for -sale, import and have imported the software, in each case subject to the -limitations and conditions in this license. This license does not cover any -patent claims that you cause to be infringed by modifications or additions to -the software. If you or your company make any written claim that the software -infringes or contributes to infringement of any patent, your patent license for -the software granted under these terms ends immediately. If your company makes -such a claim, your patent license ends immediately for work on behalf of your -company. - -## Notices - -You must ensure that anyone who gets a copy of any part of the software from you -also gets a copy of these terms. 
- -If you modify the software, you must include in any modified copies of the -software prominent notices stating that you have modified the software. - -## No Other Rights - -These terms do not imply any licenses other than those expressly granted in -these terms. - -## Termination - -If you use the software in violation of these terms, such use is not licensed, -and your licenses will automatically terminate. If the licensor provides you -with a notice of your violation, and you cease all violation of this license no -later than 30 days after you receive that notice, your licenses will be -reinstated retroactively. However, if you violate these terms after such -reinstatement, any additional violation of these terms will cause your licenses -to terminate automatically and permanently. - -## No Liability - -*As far as the law allows, the software comes as is, without any warranty or -condition, and the licensor will not be liable to you for any damages arising -out of these terms or the use or nature of the software, under any kind of -legal claim.* - -## Definitions - -The **licensor** is the entity offering these terms, and the **software** is the -software the licensor makes available under these terms, including any portion -of it. - -**you** refers to the individual or entity agreeing to these terms. - -**your company** is any legal entity, sole proprietorship, or other kind of -organization that you work for, plus all organizations that have control over, -are under the control of, or are under common control with that -organization. **control** means ownership of substantially all the assets of an -entity, or the power to direct its management and policies by vote, contract, or -otherwise. Control can be direct or indirect. - -**your licenses** are all the licenses granted to you for the software under -these terms. - -**use** means anything you do with the software requiring one of your licenses. 
- -**trademark** means trademarks, service marks, and similar rights. diff --git a/packages/oracle/1.4.1/changelog.yml b/packages/oracle/1.4.1/changelog.yml deleted file mode 100755 index 133b54cffa..0000000000 --- a/packages/oracle/1.4.1/changelog.yml +++ /dev/null @@ -1,46 +0,0 @@ -# newer versions go on top -- version: "1.4.1" - changes: - - description: Remove duplicate field. - type: bugfix - link: https://github.com/elastic/integrations/issues/4327 -- version: "1.4.0" - changes: - - description: Enhancement to capture system statistics metrics, pga metrics, sga metrics. - type: enhancement - link: https://github.com/elastic/integrations/pull/3967 -- version: "1.3.0" - changes: - - description: Update package to ECS 8.4.0 - type: enhancement - link: https://github.com/elastic/integrations/pull/3868 -- version: "1.2.0" - changes: - - description: Enhancement to capture performance, tablespace and sysmetrics metric data for Oracle database - type: enhancement - link: https://github.com/elastic/integrations/pull/3759 -- version: "1.1.1" - changes: - - description: Update package name and description to align with standard wording - type: enhancement - link: https://github.com/elastic/integrations/pull/3478 -- version: "1.1.0" - changes: - - description: Update package to ECS 8.3.0. - type: enhancement - link: https://github.com/elastic/integrations/pull/3353 -- version: "1.0.2" - changes: - - description: Supporting the double digit date parsing in ingest pipeline for oracle logs - type: bugfix - link: https://github.com/elastic/integrations/pull/3318 -- version: "1.0.1" - changes: - - description: Add documentation for multi-fields - type: enhancement - link: https://github.com/elastic/integrations/pull/2916 -- version: "1.0.0" - changes: - - description: Initial Release - type: enhancement - link: https://github.com/elastic/integrations/pull/2721 
diff --git a/packages/oracle/1.4.1/data_stream/database_audit/agent/stream/stream.yml.hbs b/packages/oracle/1.4.1/data_stream/database_audit/agent/stream/stream.yml.hbs deleted file mode 100755 index 3eeb00bc7f..0000000000 --- a/packages/oracle/1.4.1/data_stream/database_audit/agent/stream/stream.yml.hbs +++ /dev/null @@ -1,28 +0,0 @@ -paths: -{{#each paths}} -- {{this}} -{{/each}} -parsers: -- multiline: - type: pattern - pattern: '^[A-Za-z]{3}\s+[A-Za-z]{3}\s+[0-9]{1,2}\s[0-9]{2}:[0-9]{2}:[0-9]{2}\s[0-9]{4}\s\S[0-9]{2}:[0-9]{2}' - negate: true - match: after - timeout: 10 -exclude_lines: ['^Audit file'] -tags: -{{#if preserve_original_event}} -- preserve_original_event -{{/if}} -{{#each tags as |tag i|}} -- {{tag}} -{{/each}} -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} -exclude_files: [".gz$"] -processors: -{{#if processors}} -{{processors}} -{{/if}} -- add_locale: ~ diff --git a/packages/oracle/1.4.1/data_stream/database_audit/elasticsearch/ingest_pipeline/default.yml b/packages/oracle/1.4.1/data_stream/database_audit/elasticsearch/ingest_pipeline/default.yml deleted file mode 100755 index cf3e447f55..0000000000 --- a/packages/oracle/1.4.1/data_stream/database_audit/elasticsearch/ingest_pipeline/default.yml +++ /dev/null 
@@ -1,215 +0,0 @@ ---- -description: Pipeline for parsing Oracle Audit logs -processors: - - set: - field: ecs.version - value: '8.4.0' - - set: - field: event.action - value: database_audit - - set: - field: event.kind - value: event - - set: - field: event.category - value: database - - set: - field: event.type - value: access - - set: - field: event.outcome - value: success - - rename: - field: message - target_field: event.original - ignore_missing: true - - grok: - field: event.original - patterns: - - "%{GREEDYDATA:tmp_timestamp}\\\nLENGTH : '%{GREEDYDATA:LENGTH}'\\\n(?m)%{GREEDYDATA:audit}" - - kv: - field: audit - field_split: "\\\n(?=[a-zA-Z])" - value_split: ":\\S\\d+\\S(?= ')" - trim_value: " '" - trim_key: " " - prefix: oracle.database_audit. - - grok: - field: log.file.path - patterns: - - "%{BASE10NUM:process.pid}\\_%{BASE10NUM}\\.aud(\\.log)?$" - if: ctx.log?.file?.path != null - # All field names are uppercase by default, converts them to lowercase - - script: - source: "ctx.oracle.database_audit = ctx.oracle.database_audit.entrySet().stream().collect(Collectors.toMap(entry -> entry.getKey().toLowerCase(), Map.Entry::getValue));" - lang: painless - # Replace all field names that has spaces in them with _ - - script: - lang: painless - source: "ctx.oracle.database_audit = ctx?.oracle?.database_audit.entrySet().stream().collect(Collectors.toMap(e -> e.getKey().replace(' ', '_'), e -> e.getValue()));" - - gsub: - field: "oracle.database_audit.action" - pattern: "\\n" - replacement: "" - - gsub: - field: "oracle.database_audit.action" - pattern: "\\s{2,}" - replacement: " " - - trim: - field: "oracle.database_audit.action_number" - ignore_missing: true - # Removes all null values from ctx.* - - script: - lang: painless - if: ctx?.oracle?.database_audit != null - source: | - void handleMap(Map map) { - for (def x : map.values()) { - if (x instanceof Map) { - handleMap(x); - } else if (x instanceof List) { - handleList(x); - } - } - 
map.values().removeIf(v -> v instanceof String && v.isEmpty() == true); - } - void handleList(List list) { - for (def x : list) { - if (x instanceof Map) { - handleMap(x); - } else if (x instanceof List) { - handleList(x); - } - } - } - handleMap(ctx); - - remove: - field: - - "@timestamp" - ignore_missing: true - - date: - field: tmp_timestamp - target_field: "@timestamp" - formats: - - EEE MMM [ d][dd] HH:mm:ss uuuu XXX - - grok: - field: tmp_timestamp - patterns: - - "%{ISO8601_TIMEZONE:event.timezone}$" - - rename: - field: oracle.database_audit.privilege - target_field: user.roles - ignore_missing: true - - rename: - field: LENGTH - target_field: oracle.database_audit.length - ignore_missing: true - - rename: - field: oracle.database_audit.client_user - target_field: client.user.name - ignore_missing: true - - rename: - field: oracle.database_audit.client_address - target_field: client.address - ignore_missing: true - - rename: - field: oracle.database_audit.userhost - target_field: server.address - ignore_missing: true - - rename: - field: oracle.database_audit.database_user - target_field: server.user.name - ignore_missing: true - - convert: - field: oracle.database_audit.length - type: long - ignore_missing: true - - grok: - field: client.address - patterns: - - "(?:%{IP:client.ip}|%{GREEDYDATA:client.domain})" - ignore_failure: true - ignore_missing: true - - grok: - field: server.address - patterns: - - "(?:%{IP:server.ip}|%{GREEDYDATA:server.domain})" - ignore_failure: true - ignore_missing: true - # Renaming certain fields for better data structure - - rename: - field: oracle.database_audit.sessionid - target_field: oracle.database_audit.session_id - ignore_missing: true - - rename: - field: oracle.database_audit.client_terminal - target_field: oracle.database_audit.client.terminal - ignore_missing: true - - rename: - field: oracle.database_audit.client_address - target_field: oracle.database_audit.client.address - ignore_missing: true - - rename: - 
field: oracle.database_audit.database_user - target_field: oracle.database_audit.database.user - ignore_missing: true - - rename: - field: oracle.database_audit.userhost - target_field: oracle.database_audit.database.host - ignore_missing: true - - rename: - field: oracle.database_audit.dbid - target_field: oracle.database_audit.database.id - ignore_missing: true - - rename: - field: oracle.database_audit.entry_id - target_field: oracle.database_audit.entry.id - ignore_missing: true - - convert: - field: process.pid - type: long - ignore_missing: true - - append: - field: related.user - value: "{{server.user.name}}" - allow_duplicates: false - if: ctx?.server?.user?.name != null - - append: - field: related.user - value: "{{client.user.name}}" - allow_duplicates: false - if: ctx?.client?.user?.name != null - - append: - field: related.ip - value: "{{client.ip}}" - allow_duplicates: false - if: ctx?.client?.ip != null - - append: - field: related.ip - value: "{{server.ip}}" - allow_duplicates: false - if: ctx?.server?.ip != null - - append: - field: related.hosts - value: "{{client.domain}}" - allow_duplicates: false - if: ctx?.client?.domain != null - - append: - field: related.hosts - value: "{{server.domain}}" - allow_duplicates: false - if: ctx?.server?.domain != null - - remove: - field: event.original - if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" - ignore_failure: true - ignore_missing: true - - remove: - field: - - tmp_timestamp - - audit - ignore_missing: true -on_failure: - - set: - field: error.message - value: "{{ _ingest.on_failure_message }}" diff --git a/packages/oracle/1.4.1/data_stream/database_audit/fields/agent.yml b/packages/oracle/1.4.1/data_stream/database_audit/fields/agent.yml deleted file mode 100755 index e313ec8287..0000000000 --- a/packages/oracle/1.4.1/data_stream/database_audit/fields/agent.yml +++ /dev/null 
@@ -1,204 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. 
- -- name: input.type - type: keyword - description: Input type -- name: log.offset - type: long - description: Log offset diff --git a/packages/oracle/1.4.1/data_stream/database_audit/fields/base-fields.yml b/packages/oracle/1.4.1/data_stream/database_audit/fields/base-fields.yml deleted file mode 100755 index 33efa5ed0c..0000000000 --- a/packages/oracle/1.4.1/data_stream/database_audit/fields/base-fields.yml +++ /dev/null @@ -1,23 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: "@timestamp" - type: date - description: Event timestamp. -- name: "message" - type: text - description: human-readable summary of the event -- name: event.module - type: constant_keyword - description: Event module - value: oracle -- name: event.dataset - type: constant_keyword - description: Event dataset - value: oracle.database_audit diff --git a/packages/oracle/1.4.1/data_stream/database_audit/fields/ecs.yml b/packages/oracle/1.4.1/data_stream/database_audit/fields/ecs.yml deleted file mode 100755 index 47eff9f31c..0000000000 --- a/packages/oracle/1.4.1/data_stream/database_audit/fields/ecs.yml +++ /dev/null 
@@ -1,146 +0,0 @@ -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: |- - Timestamp when an event arrived in the central data store. - This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. - In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. - name: event.ingested - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. This will allow proper categorization of some events that fall in multiple categories. 
- name: event.category - normalize: - - array - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. - `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. This will allow proper categorization of some events that fall in multiple event types. - name: event.type - normalize: - - array - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. - `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. - Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. - Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. - Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. - name: event.outcome - type: keyword -- description: |- - The action captured by the event. - This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. - name: event.action - type: keyword -- description: Array of user roles at the time of the event. - name: user.roles - normalize: - - array - type: keyword -- description: |- - The domain name of the server system. 
- This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. - name: server.domain - type: keyword -- description: |- - Some event server addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: server.address - type: keyword -- description: IP address of the server (IPv4 or IPv6). - name: server.ip - type: ip -- description: Short name or login of the user. - multi_fields: - - name: text - type: match_only_text - name: server.user.name - type: keyword -- description: |- - Some event client addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: client.address - type: keyword -- description: |- - The domain name of the client system. - This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. - name: client.domain - type: keyword -- description: Short name or login of the user. - multi_fields: - - name: text - type: match_only_text - name: client.user.name - type: keyword -- description: IP address of the client (IPv4 or IPv6). - name: client.ip - type: ip -- description: Process id. - name: process.pid - type: long -- description: Short name or login of the user. - multi_fields: - - name: text - type: match_only_text - name: user.target.name - type: keyword -- description: |- - Name of the directory the user is a member of. - For example, an LDAP or Active Directory domain name. 
- name: user.target.domain - type: keyword -- description: Short name or login of the user. - multi_fields: - - name: text - type: match_only_text - name: user.name - type: keyword -- description: Error message. - name: error.message - type: match_only_text -- description: |- - Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. - This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. - doc_values: false - index: false - name: event.original - type: keyword -- description: |- - Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. - If the event wasn't read from a log file, do not populate this field. - name: log.file.path - type: keyword -- description: related log flags - name: log.flags -- description: All of the IPs seen on your event. - name: related.ip - normalize: - - array - type: ip -- description: All the user names or other user identifiers seen on the event. - name: related.user - normalize: - - array - type: keyword -- description: All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. - name: related.hosts - normalize: - - array - type: keyword -- description: List of keywords used to tag each event. - name: tags - normalize: - - array - type: keyword diff --git a/packages/oracle/1.4.1/data_stream/database_audit/fields/fields.yml b/packages/oracle/1.4.1/data_stream/database_audit/fields/fields.yml deleted file mode 100755 index 8f57baa92f..0000000000 --- a/packages/oracle/1.4.1/data_stream/database_audit/fields/fields.yml +++ /dev/null 
@@ -1,71 +0,0 @@ -- name: oracle.database_audit - type: group - description: > - Integration for parsing Oracle Database audit logs - - fields: - - name: status - type: keyword - description: > - Database Audit Status. - - - name: session_id - type: keyword - description: > - Indicates the audit session ID number. - - - name: client.terminal - type: keyword - description: > - If available, the client terminal type, for example "pty". - - - name: client.address - type: keyword - description: > - The IP Address or Domain used by the client. - - - name: client.user - type: keyword - description: > - The user running the client or connection to the database. - - - name: database.user - type: keyword - description: > - The database user used to authenticate. - - - name: privilege - type: keyword - description: > - The privilege group related to the database user. - - - name: entry.id - type: keyword - description: > - Indicates the current audit entry number, assigned to each audit trail record. The audit entry.id sequence number is shared between fine-grained audit records and regular audit records. - - - name: database.host - type: keyword - description: > - Client host machine name. - - - name: action - type: keyword - description: > - The action performed during the audit event. This could for example be the raw query. - - - name: action_number - type: keyword - description: > - Action is a numeric value representing the action the user performed. The corresponding name of the action type is in the AUDIT_ACTIONS table. For example, action 100 refers to LOGON. - - - name: database.id - type: keyword - description: > - Database identifier calculated when the database is created. It corresponds to the DBID column of the V$DATABASE data dictionary view. - - - name: length - type: long - description: > - Refers to the total number of bytes used in this audit record. This number includes the trailing newline bytes (\n), if any, at the end of the audit record. - 
diff --git a/packages/oracle/1.4.1/data_stream/database_audit/manifest.yml b/packages/oracle/1.4.1/data_stream/database_audit/manifest.yml deleted file mode 100755 index e5c659768f..0000000000 --- a/packages/oracle/1.4.1/data_stream/database_audit/manifest.yml +++ /dev/null @@ -1,41 +0,0 @@ -title: Oracle Audit Log -type: logs -streams: - - input: filestream - template_path: stream.yml.hbs - vars: - - name: paths - type: text - title: Paths - multi: true - required: true - show_user: true - default: - - /home/user/oracleauditlogs/*.aud - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: false - default: - - oracle-database_audit - - name: preserve_original_event - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original` - type: bool - multi: false - required: true - show_user: true - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: > - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. - - title: Oracle Audit Log - description: Collect Oracle audit logs diff --git a/packages/oracle/1.4.1/data_stream/database_audit/sample_event.json b/packages/oracle/1.4.1/data_stream/database_audit/sample_event.json deleted file mode 100755 index f31d24c3a2..0000000000 --- a/packages/oracle/1.4.1/data_stream/database_audit/sample_event.json +++ /dev/null 
@@ -1,109 +0,0 @@ -{ - "@timestamp": "2020-10-07T14:57:51.000Z", - "agent": { - "ephemeral_id": "021be4f6-f6ea-47c5-aa38-62ba8c3f0f3c", - "id": "5940e9e3-013b-43c0-a459-261d69b08862", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "8.0.0" - }, - "client": { - "user": { - "name": "oracle" - } - }, - "data_stream": { - "dataset": "oracle.database_audit", - "namespace": "ep", - "type": "logs" - }, - "ecs": { - "version": "8.3.0" - }, - "elastic_agent": { - "id": "5940e9e3-013b-43c0-a459-261d69b08862", - "snapshot": false, - "version": "8.0.0" - }, - "event": { - "action": "database_audit", - "agent_id_status": "verified", - "category": "database", - "dataset": "oracle.database_audit", - "ingested": "2022-02-24T08:25:06Z", - "kind": "event", - "outcome": "success", - "timezone": "-04:00", - "type": "access" - }, - "host": { - "architecture": "x86_64", - "containerized": true, - "hostname": "docker-fleet-agent", - "ip": [ - "192.168.240.7" - ], - "mac": [ - "02:42:c0:a8:f0:07" - ], - "name": "docker-fleet-agent", - "os": { - "codename": "focal", - "family": "debian", - "kernel": "5.10.60.1-microsoft-standard-WSL2", - "name": "Ubuntu", - "platform": "ubuntu", - "type": "linux", - "version": "20.04.3 LTS (Focal Fossa)" - } - }, - "input": { - "type": "filestream" - }, - "log": { - "file": { - "path": "/tmp/service_logs/ORCLCDB_ora_13765_20201007105751904399925443.aud.log" - }, - "flags": [ - "multiline" - ], - "offset": 882 - }, - "oracle": { - "database_audit": { - "action": "CONNECT", - "action_number": "100", - "client": { - "terminal": "pts/0" - }, - "length": 253, - "session_id": "4294967295", - "status": "0" - } - }, - "process": { - "pid": 13765 - }, - "related": { - "hosts": [ - "testlab.local" - ], - "user": [ - "/", - "oracle" - ] - }, - "server": { - "address": "testlab.local", - "domain": "testlab.local", - "user": { - "name": "/" - } - }, - "tags": [ - "oracle-database_audit" - ], - "user": { - "roles": "SYSDBA" - } -} \ No newline at end 
of file diff --git a/packages/oracle/1.4.1/data_stream/memory/agent/stream/stream.yml.hbs b/packages/oracle/1.4.1/data_stream/memory/agent/stream/stream.yml.hbs deleted file mode 100755 index fce8214842..0000000000 --- a/packages/oracle/1.4.1/data_stream/memory/agent/stream/stream.yml.hbs +++ /dev/null @@ -1,14 +0,0 @@ -metricsets: ["query"] -period: {{period}} -hosts: -{{#each hosts}} - - {{this}} -{{/each}} -raw_data.enabled: true -merge_results: true -driver: "oracle" -sql_queries: - - query: select name, value from V$PGASTAT where name in ('aggregate PGA auto target','global memory bound', 'total PGA allocated', 'total PGA used for auto workareas', 'total PGA inuse', 'maximum PGA allocated', 'total freeable PGA memory', 'cache hit percentage', 'aggregate PGA target parameter') - response_format: variables - - query: select 'sga free memory' as NAME, sum(decode(name,'free memory',bytes)) as VALUE from v$sgastat where pool = 'shared pool' union select 'sga total memory' as NAME, sum(bytes) as VALUE from v$sgastat where pool = 'shared pool' - response_format: variables \ No newline at end of file diff --git a/packages/oracle/1.4.1/data_stream/memory/elasticsearch/ingest_pipeline/default.yml b/packages/oracle/1.4.1/data_stream/memory/elasticsearch/ingest_pipeline/default.yml deleted file mode 100755 index 86747040f6..0000000000 --- a/packages/oracle/1.4.1/data_stream/memory/elasticsearch/ingest_pipeline/default.yml +++ /dev/null 
@@ -1,88 +0,0 @@ ---- -description: Pipeline for processing Oracle Program Global Area and System Global Area metrics -processors: - - remove: - field: sql.driver - ignore_missing: true - ignore_failure: true - - remove: - field: sql.query - ignore_missing: true - ignore_failure: true - - rename: - field: sql - target_field: oracle - ignore_missing: true - ignore_failure: true - - rename: - field: oracle.metrics - target_field: oracle.memory - ignore_missing: true - - foreach: - field: oracle.memory - ignore_missing: true - processor: - gsub: - field: "_ingest._key" - pattern: " " - replacement: "_" - - rename: - field: oracle.memory.cache_hit_percentage - target_field: oracle.memory.pga.cache_hit_pct - ignore_missing: true - ignore_failure: true - - rename: - field: oracle.memory.aggregate_pga_auto_target - target_field: oracle.memory.pga.aggregate_auto_target - ignore_missing: true - ignore_failure: true - - rename: - field: oracle.memory.aggregate_pga_target_parameter - target_field: oracle.memory.pga.aggregate_target_parameter - ignore_missing: true - ignore_failure: true - - rename: - field: oracle.memory.total_pga_allocated - target_field: oracle.memory.pga.total_allocated - ignore_missing: true - ignore_failure: true - - rename: - field: oracle.memory.total_pga_used_for_auto_workareas - target_field: oracle.memory.pga.total_used_for_auto_workareas - ignore_missing: true - ignore_failure: true - - rename: - field: oracle.memory.global_memory_bound - target_field: oracle.memory.pga.global_memory_bound - ignore_missing: true - ignore_failure: true - - rename: - field: oracle.memory.total_pga_inuse - target_field: oracle.memory.pga.total_inuse - ignore_missing: true - ignore_failure: true - - rename: - field: oracle.memory.total_freeable_pga_memory - target_field: oracle.memory.pga.total_freeable_memory - ignore_missing: true - ignore_failure: true - - rename: - field: oracle.memory.maximum_pga_allocated - target_field: oracle.memory.pga.maximum_allocated - 
ignore_missing: true - ignore_failure: true - - rename: - field: oracle.memory.sga_total_memory - target_field: oracle.memory.sga.total_memory - ignore_missing: true - ignore_failure: true - - rename: - field: oracle.memory.sga_free_memory - target_field: oracle.memory.sga.free_memory - ignore_missing: true - ignore_failure: true - -on_failure: -- set: - field: error.message - value: "{{ _ingest.on_failure_message }}" diff --git a/packages/oracle/1.4.1/data_stream/memory/fields/base-fields.yml b/packages/oracle/1.4.1/data_stream/memory/fields/base-fields.yml deleted file mode 100755 index e716a4e002..0000000000 --- a/packages/oracle/1.4.1/data_stream/memory/fields/base-fields.yml +++ /dev/null @@ -1,20 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: '@timestamp' - type: date - description: Event timestamp. -- name: event.module - type: constant_keyword - description: Event module - value: sql -- name: event.dataset - type: constant_keyword - description: Event module - value: oracle.memory diff --git a/packages/oracle/1.4.1/data_stream/memory/fields/ecs.yml b/packages/oracle/1.4.1/data_stream/memory/fields/ecs.yml deleted file mode 100755 index 958b30e712..0000000000 --- a/packages/oracle/1.4.1/data_stream/memory/fields/ecs.yml +++ /dev/null 
@@ -1,21 +0,0 @@ -- description: Host ip addresses. - name: host.ip - normalize: - - array - type: ip -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: |- - Address where data about this service was collected from. - This should be a URI, network address (ipv4:port or [ipv6]:port) or a resource path (sockets). - name: service.address - type: keyword -- description: |- - The type of the service data is collected from. - The type can be used to group and correlate logs and metrics from one service type. - Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. - name: service.type - type: keyword diff --git a/packages/oracle/1.4.1/data_stream/memory/fields/fields.yml b/packages/oracle/1.4.1/data_stream/memory/fields/fields.yml deleted file mode 100755 index 7e27b73c07..0000000000 --- a/packages/oracle/1.4.1/data_stream/memory/fields/fields.yml +++ /dev/null 
@@ -1,65 +0,0 @@ -- name: oracle.memory - type: group - release: beta - fields: - - name: pga - type: group - fields: - - name: total_freeable_memory - type: double - description: Number of bytes of PGA memory in all processes that could be freed back to the operating system. - unit: byte - metric_type: gauge - - name: cache_hit_pct - type: double - description: A metric computed by the Oracle Database to reflect the performance of the PGA memory component, cumulative since instance startup. - unit: percent - metric_type: gauge - - name: maximum_allocated - type: double - description: Maximum number of bytes of PGA memory allocated at one time since instance startup. - unit: byte - metric_type: gauge - - name: total_inuse - type: double - unit: byte - description: Indicates how much PGA memory is currently consumed by work areas. This number can be used to determine how much memory is consumed by other consumers of the PGA memory (for example, PL/SQL or Java). - metric_type: gauge - - name: global_memory_bound - type: double - unit: byte - description: Maximum size of a work area executed in automatic mode. - metric_type: gauge - - name: aggregate_auto_target - type: double - unit: byte - description: Amount of PGA memory the Oracle Database can use for work areas running in automatic mode. - metric_type: gauge - - name: total_allocated - type: double - unit: byte - description: Current amount of PGA memory allocated by the instance. - metric_type: gauge - - name: total_used_for_auto_workareas - type: double - unit: byte - description: Indicates how much PGA memory is currently consumed by work areas running under the automatic memory management mode. This number can be used to determine how much memory is consumed by other consumers of the PGA memory (for example, PL/SQL or Java). 
- metric_type: gauge - - name: aggregate_target_parameter - type: double - unit: byte - metric_type: gauge - description: Current value of the PGA_AGGREGATE_TARGET initialization parameter. If this parameter is not set, then its value is 0 and automatic management of PGA memory is disabled. - - name: sga - type: group - fields: - - name: free_memory - type: double - unit: byte - description: Amount of free memory in the Shared pool. - metric_type: gauge - - name: total_memory - type: double - unit: byte - description: Amount of total memory in the Shared pool. - metric_type: gauge diff --git a/packages/oracle/1.4.1/data_stream/memory/manifest.yml b/packages/oracle/1.4.1/data_stream/memory/manifest.yml deleted file mode 100755 index 3fc4e1f016..0000000000 --- a/packages/oracle/1.4.1/data_stream/memory/manifest.yml +++ /dev/null @@ -1,23 +0,0 @@ -title: "Memory metrics" -type: metrics -release: beta -streams: - - input: sql/metrics - enabled: false - title: Oracle memory metrics - description: Collect memory metrics - vars: - - name: period - type: text - title: Period - default: 60s - multi: false - show_user: true - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: false - default: - - oracle_memory_metrics diff --git a/packages/oracle/1.4.1/data_stream/memory/sample_event.json b/packages/oracle/1.4.1/data_stream/memory/sample_event.json deleted file mode 100755 index 6f85ddd051..0000000000 --- a/packages/oracle/1.4.1/data_stream/memory/sample_event.json +++ /dev/null 
@@ -1,38 +0,0 @@ -{ - "@timestamp": "2022-08-07T04:32:07.853Z", - "oracle": { - "memory": { - "pga": { - "total_inuse": 171153408, - "aggregate_auto_target": 579262464, - "total_allocated": 212888576, - "maximum_allocated": 694778880, - "total_freeable_memory": 14876672, - "global_memory_bound": 104857600, - "aggregate_target_parameter": 805306368, - "total_used_for_auto_workareas": 738304, - "cache_hit_pct": 100 - } - } - }, - "service": { - "address": "0.0.0.0:1521", - "type": "sql" - }, - "data_stream": { - "namespace": "default", - "type": "metrics", - "dataset": "oracle.memory" - }, - "metricset": { - "period": 60000, - "name": "query" - }, - "event": { - "duration": 53225246, - "agent_id_status": "verified", - "ingested": "2022-08-07T04:32:07Z", - "module": "sql", - "dataset": "oracle.memory" - } -} \ No newline at end of file diff --git a/packages/oracle/1.4.1/data_stream/performance/agent/stream/stream.yml.hbs b/packages/oracle/1.4.1/data_stream/performance/agent/stream/stream.yml.hbs deleted file mode 100755 index ca7431242a..0000000000 --- a/packages/oracle/1.4.1/data_stream/performance/agent/stream/stream.yml.hbs +++ /dev/null 
@@ -1,23 +0,0 @@ -metricsets: ["query"] -period: {{period}} -hosts: -{{#each hosts}} - - {{this}} -{{/each}} -raw_data.enabled: true -driver: "oracle" -sql_queries: - - query: SELECT name, physical_reads, db_block_gets, consistent_gets, 1 - (physical_reads / (db_block_gets + consistent_gets)) "Hit_Ratio" FROM V$BUFFER_POOL_STATISTICS - response_format: table - - query: SELECT sum(a.value) total_cur, avg(a.value) avg_cur, max(a.value) max_cur, S.username, s.machine FROM v$sesstat a, v$statname b, v$session s WHERE a.statistic# = b.statistic# AND s.sid = a.sid GROUP BY s.username, s.machine - response_format: table - - query: SELECT total_cursors, current_cursors, sess_cur_cache_hits, parse_count_total, sess_cur_cache_hits / total_cursors as cachehits_totalcursors_ratio , sess_cur_cache_hits - parse_count_total as real_parses FROM ( SELECT sum ( decode ( name, 'opened cursors cumulative', value, 0)) total_cursors, sum ( decode ( name, 'opened cursors current',value,0)) current_cursors, sum ( decode ( name, 'session cursor cache hits',value,0)) sess_cur_cache_hits, sum ( decode ( name, 'parse count (total)',value,0)) parse_count_total FROM v$sysstat WHERE name IN ( 'opened cursors cumulative','opened cursors current','session cursor cache hits', 'parse count (total)' )) - response_format: table - - query: SELECT 'lock_requests' "Ratio" , AVG(gethitratio) FROM V$LIBRARYCACHE UNION SELECT 'pin_requests' "Ratio", AVG(pinhitratio) FROM V$LIBRARYCACHE UNION SELECT 'io_reloads' "Ratio", (SUM(reloads) / SUM(pins)) FROM V$LIBRARYCACHE - response_format: variables - - query: SELECT COUNT(*) as "failed_db_jobs" FROM dba_jobs WHERE NVL(failures, 0) < > 0 - response_format: table - - query: select 'active_session_count' as name, count(s.status) as value from gv$session s, v$process p where p.addr=s.paddr and s.status='ACTIVE' union select 'inactive_session_count' as name, count(s.status) as value from gv$session s, v$process p where p.addr=s.paddr and s.status='INACTIVE' union 
select 'inactive_morethan_onehr' as name, count(s.status) as value from gv$session s, v$process p where p.addr=s.paddr and s.last_call_et > 3600 and s.status='INACTIVE' - response_format: variables - - query: select WAIT_CLASS, TOTAL_WAITS, round(100 * (TOTAL_WAITS / SUM_WAITS),2) PCT_WAITS, ROUND((TIME_WAITED / 100),2) TIME_WAITED_SECS, round(100 * (TIME_WAITED / SUM_TIME),2) PCT_TIME from (select WAIT_CLASS, TOTAL_WAITS, TIME_WAITED from V$SYSTEM_WAIT_CLASS where WAIT_CLASS != 'Idle'), (select sum(TOTAL_WAITS) SUM_WAITS, sum(TIME_WAITED) SUM_TIME from V$SYSTEM_WAIT_CLASS where WAIT_CLASS != 'Idle') order by 5 desc - response_format: table diff --git a/packages/oracle/1.4.1/data_stream/performance/elasticsearch/ingest_pipeline/default.yml b/packages/oracle/1.4.1/data_stream/performance/elasticsearch/ingest_pipeline/default.yml deleted file mode 100755 index 3aa14a77e1..0000000000 --- a/packages/oracle/1.4.1/data_stream/performance/elasticsearch/ingest_pipeline/default.yml +++ /dev/null 
@@ -1,167 +0,0 @@ ---- -description: Pipeline for processing oracle performance -processors: - - remove: - field: sql.driver - ignore_missing: true - ignore_failure: true - - remove: - field: sql.query - ignore_missing: true - ignore_failure: true - - rename: - field: sql - target_field: oracle - ignore_missing: true - ignore_failure: true - - rename: - field: oracle.metrics - target_field: oracle.performance - ignore_missing: true - - rename: - field: oracle.performance.hit_ratio - target_field: oracle.performance.cache.buffer.hit.pct - ignore_missing: true - ignore_failure: true - - rename: - field: oracle.performance.consistent_gets - target_field: oracle.performance.cache.get.consistent - ignore_missing: true - ignore_failure: true - - rename: - field: oracle.performance.db_block_gets - target_field: oracle.performance.cache.get.db_blocks - ignore_missing: true - ignore_failure: true - - rename: - field: oracle.performance.physical_reads - target_field: oracle.performance.cache.physical_reads - ignore_missing: true - ignore_failure: true - - rename: - field: oracle.performance.name - target_field: oracle.performance.buffer_pool - ignore_missing: true - ignore_failure: true - - rename: - field: oracle.performance.avg_cur - target_field: oracle.performance.cursors.avg - ignore_missing: true - ignore_failure: true - - rename: - field: oracle.performance.max_cur - target_field: racle.performance.cursors.max - ignore_missing: true - ignore_failure: true - - rename: - field: oracle.performance.total_cur - target_field: oracle.performance.cursors.total - ignore_missing: true - ignore_failure: true - - rename: - field: oracle.performance.cachehits_totalcursors_ratio - target_field: oracle.performance.cursors.cache_hit.pct - ignore_missing: true - ignore_failure: true - - rename: - field: oracle.performance.current_cursors - target_field: oracle.performance.cursors.opened.current - ignore_missing: true - ignore_failure: true - - rename: - field: 
oracle.performance.total_cursors - target_field: oracle.performance.cursors.opened.total - ignore_missing: true - ignore_failure: true - - rename: - field: oracle.performance.real_parses - target_field: oracle.performance.cursors.parse.real - ignore_missing: true - ignore_failure: true - - rename: - field: oracle.performance.sess_cur_cache_hits - target_field: oracle.performance.cursors.session.cache_hits - ignore_missing: true - ignore_failure: true - - rename: - field: oracle.performance.active_session_count - target_field: oracle.performance.session_count.active - ignore_missing: true - ignore_failure: true - - rename: - field: oracle.performance.inactive_morethan_onehr - target_field: oracle.performance.session_count.inactive_morethan_onehr - ignore_missing: true - ignore_failure: true - - rename: - field: oracle.performance.inactive_session_count - target_field: oracle.performance.session_count.inactive - ignore_missing: true - ignore_failure: true - - rename: - field: oracle.performance.pct_time - target_field: oracle.performance.wait.pct_time - ignore_missing: true - ignore_failure: true - - rename: - field: oracle.performance.pct_waits - target_field: oracle.performance.wait.pct_waits - ignore_missing: true - ignore_failure: true - - rename: - field: oracle.performance.time_waited_secs - target_field: oracle.performance.wait.time_waited_secs - ignore_missing: true - ignore_failure: true - - rename: - field: oracle.performance.total_waits - target_field: oracle.performance.wait.total_waits - ignore_missing: true - ignore_failure: true - - rename: - field: oracle.performance.wait_class - target_field: oracle.performance.wait.wait_class - ignore_missing: true - ignore_failure: true - - foreach: - field: oracle.performance - ignore_missing: true - processor: - gsub: - field: "_ingest._key" - pattern: " " - replacement: "_" - - foreach: - field: oracle.performance - ignore_failure: true - ignore_missing: true - processor: - gsub: - field: "_ingest._key" - 
pattern: "\\(%\\)" - replacement: "pct" - - - foreach: - field: oracle.performance - ignore_missing: true - ignore_failure: true - processor: - gsub: - field: "_ingest._key" - pattern: "%" - replacement: "pct" - - - foreach: - field: oracle.performance - ignore_missing: true - ignore_failure: true - processor: - gsub: - field: "_ingest._key" - pattern: "/" - replacement: "" - -on_failure: -- set: - field: error.message - value: "{{ _ingest.on_failure_message }}" diff --git a/packages/oracle/1.4.1/data_stream/performance/fields/base-fields.yml b/packages/oracle/1.4.1/data_stream/performance/fields/base-fields.yml deleted file mode 100755 index bbe909fc7e..0000000000 --- a/packages/oracle/1.4.1/data_stream/performance/fields/base-fields.yml +++ /dev/null 
@@ -1,36 +0,0 @@ -- description: |- - An overarching type for the data stream. - Currently allowed values are "logs" and "metrics". We expect to also add "traces" and "synthetics" in the near future. - name: data_stream.type - type: constant_keyword -- description: |- - The field can contain anything that makes sense to signify the source of the data. - Examples include `nginx.access`, `prometheus`, `endpoint` etc. For data streams that otherwise fit, but that do not have dataset set we use the value "generic" for the dataset value. `event.dataset` should have the same value as `data_stream.dataset`. - Beyond the Elasticsearch data stream naming criteria noted above, the `dataset` value has additional restrictions: - * Must not contain `-` - * No longer than 100 characters - name: data_stream.dataset - type: constant_keyword -- description: |- - A user defined namespace. Namespaces are useful to allow grouping of data. - Many users already organize their indices this way, and the data stream naming scheme now provides this best practice as a default. Many users will populate this field with `default`. If no value is used, it falls back to `default`. - Beyond the Elasticsearch index naming criteria noted above, `namespace` value has the additional restrictions: - * Must not contain `-` - * No longer than 100 characters - name: data_stream.namespace - type: constant_keyword -- description: |- - Date/time when the event originated. - This is the date/time extracted from the event, typically representing when the event was generated by the source. - If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. - Required field for all events. - name: '@timestamp' - type: date -- description: Event module - name: event.module - type: constant_keyword - value: sql -- description: Event module - name: event.dataset - type: constant_keyword - value: oracle.performance 
diff --git a/packages/oracle/1.4.1/data_stream/performance/fields/ecs.yml b/packages/oracle/1.4.1/data_stream/performance/fields/ecs.yml deleted file mode 100755 index 958b30e712..0000000000 --- a/packages/oracle/1.4.1/data_stream/performance/fields/ecs.yml +++ /dev/null @@ -1,21 +0,0 @@ -- description: Host ip addresses. - name: host.ip - normalize: - - array - type: ip -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: |- - Address where data about this service was collected from. - This should be a URI, network address (ipv4:port or [ipv6]:port) or a resource path (sockets). - name: service.address - type: keyword -- description: |- - The type of the service data is collected from. - The type can be used to group and correlate logs and metrics from one service type. - Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. - name: service.type - type: keyword diff --git a/packages/oracle/1.4.1/data_stream/performance/fields/fields.yml b/packages/oracle/1.4.1/data_stream/performance/fields/fields.yml deleted file mode 100755 index b35350a33b..0000000000 --- a/packages/oracle/1.4.1/data_stream/performance/fields/fields.yml +++ /dev/null 
@@ -1,159 +0,0 @@ -- name: oracle.performance - type: group - release: beta - fields: - - name: machine - type: keyword - description: | - Operating system machine name. - - name: buffer_pool - type: keyword - description: | - Name of the buffer pool in the instance. - - name: username - type: keyword - description: | - Oracle username - - name: io_reloads - type: double - metric_type: gauge - description: | - Reloads by Pins ratio. A Reload is any PIN of an object that is not the first PIN performed since the object handle was created, and which requires loading the object from disk. Pins are the number of times a PIN was requested for objects of this namespace. - - name: lock_requests - type: double - metric_type: gauge - description: | - Average of the ratio between 'gethits' and 'gets', where 'gethits' the number of times an object's handle was found in memory and 'gets' is the number of times a lock was requested for objects of this namespace. - - name: pin_requests - type: double - metric_type: gauge - description: | - Average of all pinhits/pins ratios, where 'PinHits' is the number of times all of the metadata pieces of the library object were found in memory and 'pins' is the number of times a PIN was requested for objects of this namespace. - - name: failed_db_jobs - type: double - metric_type: gauge - description: | - This metric checks for failed DBMS jobs. - - name: cache - type: group - fields: - - name: physical_reads - type: long - metric_type: gauge - description: | - Physical reads. This metric represents the number of data blocks read from disk per second during a time period. - - name: get - type: group - fields: - - name: db_blocks - type: long - metric_type: gauge - description: | - Database blocks gotten. - - name: consistent - type: long - metric_type: gauge - description: | - Consistent gets statistic. 
- - name: buffer.hit.pct - type: double - metric_type: gauge - unit: percent - description: | - The cache hit ratio of the specified buffer pool. - - name: cursors - type: group - description: Cursors information - fields: - - name: parse - type: group - fields: - - name: real - type: double - metric_type: gauge - description: | - "Real number of parses that occurred: session cursor cache hits - parse count (total)." - - name: total - type: long - metric_type: gauge - description: | - Total number of parse calls (hard and soft). A soft parse is a check on an object already in the shared pool, to verify that the permissions on the underlying object have not changed. - - name: opened - type: group - fields: - - name: current - type: long - metric_type: gauge - description: | - Total number of current open cursors. - - name: total - type: long - metric_type: counter - description: | - Total number of cursors opened since the instance started. - - name: avg - type: double - metric_type: gauge - description: | - Average cursors opened by username and machine. - - name: max - type: double - metric_type: gauge - description: | - Max cursors opened by username and machine. - - name: total - type: double - metric_type: gauge - description: | - Total opened cursors by username and machine. - - name: session.cache_hits - type: double - metric_type: gauge - description: | - Number of hits in the session cursor cache. A hit means that the SQL statement did not have to be reparsed. - - name: cache_hit.pct - type: double - unit: percent - metric_type: gauge - description: | - Ratio of session cursor cache hits from total number of cursors. - - name: session_count - type: group - fields: - - name: active - type: double - metric_type: gauge - description: Total count of sessions. - - name: inactive_morethan_onehr - type: double - metric_type: gauge - description: Total inactive sessions more than one hour. 
- - name: inactive - type: double - metric_type: gauge - description: Total count of Inactive sessions. - - name: wait - type: group - fields: - - name: pct_time - type: double - unit: percent - metric_type: gauge - description: Percentage of time waits that are not Idle wait class. - - name: pct_waits - type: double - unit: percent - metric_type: gauge - description: Percentage of number of pct time waits that are not of Idle wait class. - - name: time_waited_secs - type: double - metric_type: gauge - unit: s - description: Amount of time spent in the wait class by the session. - - name: total_waits - type: double - metric_type: counter - description: Number of times waits of the class occurred for the session. - - name: wait_class - type: keyword - description: Every wait event belongs to a class of wait event. Wait classes can be one of the following - Administrative, Application, Cluster, Commit, Concurrency, Configuration, Idle, Network, Other, Scheduler, System IO, User IO diff --git a/packages/oracle/1.4.1/data_stream/performance/manifest.yml b/packages/oracle/1.4.1/data_stream/performance/manifest.yml deleted file mode 100755 index 8c72706a17..0000000000 --- a/packages/oracle/1.4.1/data_stream/performance/manifest.yml +++ /dev/null @@ -1,24 +0,0 @@ -title: "Oracle performance metrics" -type: metrics -release: beta -streams: - - input: sql/metrics - enabled: false - title: Oracle database performance metrics - description: Collect Oracle database performance metrics - vars: - - name: period - type: text - title: Period - multi: false - required: true - show_user: true - default: 60s - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: false - default: - - oracle_performance diff --git a/packages/oracle/1.4.1/data_stream/performance/sample_event.json b/packages/oracle/1.4.1/data_stream/performance/sample_event.json deleted file mode 100755 index a734052702..0000000000 
--- a/packages/oracle/1.4.1/data_stream/performance/sample_event.json +++ /dev/null @@ -1,39 +0,0 @@ -{ - "@timestamp": "2017-10-12T08:05:34.853Z", - "event": { - "dataset": "oracle.performance", - "duration": 115000, - "module": "sql" - }, - "metricset": { - "name": "query", - "period": 60000 - }, - "oracle": { - "performance": { - "cursors": { - "opened": { - "current": 7, - "total": 6225 - }, - "parse": { - "real": 1336, - "total": 3684 - }, - "session": { - "cache_hits": 5020 - }, - "cache_hit": { - "pct": 0.8064257028112449 - } - }, - "io_reloads": 0.0013963503027202182, - "lock_requests": 0.5725039956419224, - "pin_requests": 0.7780581056654354 - } - }, - "service": { - "address": "oracle://localhost:1521/ORCLCDB.localdomain", - "type": "sql" - } -} \ No newline at end of file diff --git a/packages/oracle/1.4.1/data_stream/sysmetric/agent/stream/stream.yml.hbs b/packages/oracle/1.4.1/data_stream/sysmetric/agent/stream/stream.yml.hbs deleted file mode 100755 index e7e3200417..0000000000 --- a/packages/oracle/1.4.1/data_stream/sysmetric/agent/stream/stream.yml.hbs +++ /dev/null @@ -1,12 +0,0 @@ -metricsets: ["query"] -period: {{period}} -hosts: -{{#each hosts}} - - {{this}} -{{/each}} -raw_data.enabled: true -dynamic_metric_name_filter: "{{dynamic_metric_name_filter}}" -driver: "oracle" -sql_queries: - - query: SELECT METRIC_NAME, VALUE FROM V$SYSMETRIC WHERE GROUP_ID = 2 and METRIC_NAME LIKE '{{dynamic_metric_name_filter}}' - response_format: variables \ No newline at end of file diff --git a/packages/oracle/1.4.1/data_stream/sysmetric/elasticsearch/ingest_pipeline/default.yml b/packages/oracle/1.4.1/data_stream/sysmetric/elasticsearch/ingest_pipeline/default.yml deleted file mode 100755 index b208594792..0000000000 --- a/packages/oracle/1.4.1/data_stream/sysmetric/elasticsearch/ingest_pipeline/default.yml +++ /dev/null 
@@ -1,62 +0,0 @@ ---- -description: Pipeline for processing oracle sysmetrics data -processors: - - remove: - field: sql.driver - ignore_missing: true - ignore_failure: true - - remove: - field: sql.query - ignore_missing: true - ignore_failure: true - - rename: - field: sql - target_field: oracle - ignore_missing: true - ignore_failure: true - - rename: - field: oracle.metrics - target_field: "oracle.sysmetric" - ignore_failure: true - ignore_missing: true - - foreach: - field: oracle.sysmetric - ignore_missing: true - processor: - gsub: - field: "_ingest._key" - pattern: " " - replacement: "_" - - foreach: - field: oracle.sysmetric - ignore_failure: true - ignore_missing: true - processor: - gsub: - field: "_ingest._key" - pattern: "\\(%\\)" - replacement: "pct" - - - foreach: - field: oracle.sysmetric - ignore_missing: true - ignore_failure: true - processor: - gsub: - field: "_ingest._key" - pattern: "%" - replacement: "pct" - - - foreach: - field: oracle.sysmetric - ignore_missing: true - ignore_failure: true - processor: - gsub: - field: "_ingest._key" - pattern: "/" - replacement: "" -on_failure: -- set: - field: error.message - value: "{{ _ingest.on_failure_message }}" diff --git a/packages/oracle/1.4.1/data_stream/sysmetric/fields/base-fields.yml b/packages/oracle/1.4.1/data_stream/sysmetric/fields/base-fields.yml deleted file mode 100755 index 57593eecb4..0000000000 --- a/packages/oracle/1.4.1/data_stream/sysmetric/fields/base-fields.yml +++ /dev/null 
@@ -1,36 +0,0 @@ -- description: |- - An overarching type for the data stream. - Currently allowed values are "logs" and "metrics". We expect to also add "traces" and "synthetics" in the near future. - name: data_stream.type - type: constant_keyword -- description: |- - The field can contain anything that makes sense to signify the source of the data. - Examples include `nginx.access`, `prometheus`, `endpoint` etc. For data streams that otherwise fit, but that do not have dataset set we use the value "generic" for the dataset value. `event.dataset` should have the same value as `data_stream.dataset`. - Beyond the Elasticsearch data stream naming criteria noted above, the `dataset` value has additional restrictions: - * Must not contain `-` - * No longer than 100 characters - name: data_stream.dataset - type: constant_keyword -- description: |- - A user defined namespace. Namespaces are useful to allow grouping of data. - Many users already organize their indices this way, and the data stream naming scheme now provides this best practice as a default. Many users will populate this field with `default`. If no value is used, it falls back to `default`. - Beyond the Elasticsearch index naming criteria noted above, `namespace` value has the additional restrictions: - * Must not contain `-` - * No longer than 100 characters - name: data_stream.namespace - type: constant_keyword -- description: |- - Date/time when the event originated. - This is the date/time extracted from the event, typically representing when the event was generated by the source. - If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. - Required field for all events. - name: '@timestamp' - type: date -- description: Event module - name: event.module - type: constant_keyword - value: sql -- description: Event module - name: event.dataset - type: constant_keyword - value: oracle.sysmetric 
diff --git a/packages/oracle/1.4.1/data_stream/sysmetric/fields/ecs.yml b/packages/oracle/1.4.1/data_stream/sysmetric/fields/ecs.yml deleted file mode 100755 index 958b30e712..0000000000 --- a/packages/oracle/1.4.1/data_stream/sysmetric/fields/ecs.yml +++ /dev/null @@ -1,21 +0,0 @@ -- description: Host ip addresses. - name: host.ip - normalize: - - array - type: ip -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: |- - Address where data about this service was collected from. - This should be a URI, network address (ipv4:port or [ipv6]:port) or a resource path (sockets). - name: service.address - type: keyword -- description: |- - The type of the service data is collected from. - The type can be used to group and correlate logs and metrics from one service type. - Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. - name: service.type - type: keyword diff --git a/packages/oracle/1.4.1/data_stream/sysmetric/fields/fields.yml b/packages/oracle/1.4.1/data_stream/sysmetric/fields/fields.yml deleted file mode 100755 index e6bed58954..0000000000 --- a/packages/oracle/1.4.1/data_stream/sysmetric/fields/fields.yml +++ /dev/null 
@@ -1,819 +0,0 @@ -- name: oracle.sysmetric - type: group - release: beta - fields: - - name: long_table_scans_per_sec - type: double - metric_type: gauge - description: | - Long table scans per second. - - name: physical_reads_per_txn - type: double - metric_type: gauge - description: | - Physical reads per transaction. - - name: global_cache_blocks_corrupted - type: double - metric_type: gauge - description: | - Global cache blocks corrupted. - - name: branch_node_splits_per_txn - type: double - metric_type: gauge - description: | - Branch node splits per transaction. - - name: cpu_usage_per_txn - type: double - metric_type: gauge - description: | - CPU usage per transaction. - - name: pq_qc_session_count - type: double - metric_type: gauge - description: | - Pq qc session count. - - name: background_checkpoints_per_sec - type: double - metric_type: gauge - description: | - Background checkpoints per second. - - name: replayed_user_calls - type: double - metric_type: gauge - description: | - Replayed user calls - - name: physical_write_total_io_requests_per_sec - type: double - metric_type: gauge - description: | - Physical write total io requests per second. - - name: total_index_scans_per_sec - type: double - metric_type: gauge - description: | - Total index scans per second. - - name: executions_per_txn - type: double - metric_type: gauge - description: | - Executions per transaction. - - name: user_rollbacks_per_sec - type: double - metric_type: gauge - description: | - User rollbacks per second. - - name: pq_slave_session_count - type: double - metric_type: gauge - description: | - Pq slave session count. - - name: physical_reads_per_sec - type: double - metric_type: gauge - description: | - Physical reads per second. - - name: disk_sort_per_txn - type: double - metric_type: gauge - description: | - Disk sort per transaction. - - name: user_transaction_per_sec - type: double - metric_type: gauge - description: | - User transaction per second. 
- - name: user_rollback_undo_records_applied_per_txn - type: double - metric_type: gauge - description: | - User rollback undo records applied per transaction. - - name: px_operations_not_downgraded_per_sec - type: double - metric_type: gauge - description: | - Px operations not downgraded per second. - - name: vm_in_bytes_per_sec - type: double - metric_type: gauge - description: | - Vm in bytes per sec - - name: session_limit_pct - unit: percent - type: double - metric_type: gauge - description: | - "Session limit percentage." - - name: enqueue_waits_per_txn - type: double - metric_type: gauge - description: | - Enqueue waits per transaction. - - name: total_table_scans_per_user_call - type: double - metric_type: gauge - description: | - Total table scans per user call. - - name: logical_reads_per_sec - type: double - metric_type: gauge - description: | - Logical reads per sec. - - name: dbwr_checkpoints_per_sec - type: double - metric_type: gauge - description: | - Dbwr checkpoints per sec. - - name: physical_reads_direct_per_txn - type: double - metric_type: gauge - description: | - Physical reads direct per transaction. - - name: cpu_usage_per_sec - type: double - metric_type: gauge - description: | - CPU usage per second. - - name: total_parse_count_per_sec - type: double - metric_type: gauge - description: | - Total parse count per sec - - name: px_downgraded_50_to_75pct_per_sec - unit: percent - type: double - metric_type: gauge - description: | - Px downgraded 50 to 75 percentage per second. - - name: total_index_scans_per_txn - type: double - metric_type: gauge - description: | - Total index scans per transaction. - - name: cell_physical_io_interconnect_bytes - type: double - metric_type: gauge - description: | - Cell physical io interconnect bytes. - - name: physical_writes_direct_per_sec - type: double - metric_type: gauge - description: | - Physical writes direct per second. 
- - name: consistent_read_changes_per_txn - type: double - metric_type: gauge - description: | - Consistent read changes per transaction. - - name: response_time_per_txn - type: double - metric_type: gauge - description: | - Response time per transaction. - - name: long_table_scans_per_txn - type: double - metric_type: gauge - description: | - Long table scans per transaction. - - name: parse_failure_count_per_txn - type: double - metric_type: gauge - description: | - Parse failure count per transaction. - - name: redo_allocation_hit_ratio - type: double - metric_type: gauge - description: | - Redo allocation hit ratio. - - name: total_pga_allocated - type: double - metric_type: gauge - description: | - Total pga allocated. - - name: logical_reads_per_user_call - type: double - metric_type: gauge - description: | - Logical reads per user call. - - name: redo_writes_per_sec - type: double - metric_type: gauge - description: | - Redo writes per second. - - name: db_block_changes_per_txn - type: double - metric_type: gauge - description: | - Db block changes per transaction. - - name: redo_writes_per_txn - type: double - metric_type: gauge - description: | - Redo writes per transaction. - - name: executions_per_sec - type: double - metric_type: gauge - description: | - Executions per second. - - name: rows_per_sort - type: double - metric_type: gauge - description: | - Rows per sort. - - name: physical_reads_direct_per_sec - type: double - metric_type: gauge - description: | - Physical reads direct per second. - - name: physical_writes_direct_per_txn - type: double - metric_type: gauge - description: | - Physical writes direct per transaction. - - name: vm_out_bytes_per_sec - type: double - metric_type: gauge - description: | - Vm out bytes per second. - - name: pga_cache_hit_pct - unit: percent - type: double - metric_type: gauge - description: | - Pga cache hit percentage. 
- - name: recursive_calls_per_sec - type: double - metric_type: gauge - description: | - Recursive calls per second. - - name: average_active_sessions - type: double - metric_type: gauge - description: | - Average active sessions. - - name: leaf_node_splits_per_sec - type: double - metric_type: gauge - description: | - Leaf node splits per second. - - name: user_commits_percentage - type: double - metric_type: gauge - description: | - User commits percentage. - - name: total_table_scans_per_sec - type: double - metric_type: gauge - description: | - Total table scans per second. - - name: streams_pool_usage_percentage - type: double - metric_type: gauge - description: | - Streams pool usage percentage. - - name: consistent_read_gets_per_sec - type: double - metric_type: gauge - description: | - Consistent read gets per second. - - name: enqueue_timeouts_per_sec - type: double - metric_type: gauge - description: | - Enqueue timeouts per second. - - name: physical_read_total_bytes_per_sec - type: double - metric_type: gauge - description: | - Physical read total bytes per second. - - name: consistent_read_changes_per_sec - type: double - metric_type: gauge - description: | - Consistent read changes per second. - - name: physical_writes_per_sec - type: double - metric_type: gauge - description: | - Physical writes per second. - - name: average_synchronous_single-block_read_latency - type: double - metric_type: gauge - description: | - Average synchronous single-block read latency. - - name: physical_read_io_requests_per_sec - type: double - metric_type: gauge - description: | - Physical read io requests per second. - - name: db_block_changes_per_sec - type: double - metric_type: gauge - description: | - Db block changes per second. - - name: current_os_load - type: double - metric_type: gauge - description: | - Current os load - - name: user_calls_per_sec - type: double - metric_type: gauge - description: | - User calls per second. 
- - name: leaf_node_splits_per_txn - type: double - metric_type: gauge - description: | - Leaf node splits per transaction. - - name: host_cpu_utilization_pct - unit: percent - type: double - metric_type: gauge - description: | - Host CPU utilization percentage. - - name: total_parse_count_per_txn - type: double - metric_type: gauge - description: | - Total parse count per transaction. - - name: run_queue_per_sec - type: double - metric_type: gauge - description: | - Run queue per second. - - name: total_sorts_per_user_call - type: double - metric_type: gauge - description: | - Total sorts per user call. - - name: cursor_cache_hit_ratio - type: double - metric_type: gauge - description: | - Cursor cache hit ratio. - - name: enqueue_waits_per_sec - type: double - metric_type: gauge - description: | - Enqueue waits per second. - - name: branch_node_splits_per_sec - type: double - metric_type: gauge - description: | - Branch node splits per second. - - name: cr_undo_records_applied_per_txn - type: double - metric_type: gauge - description: | - Cr undo records applied per transaction. - - name: consistent_read_gets_per_txn - type: double - metric_type: gauge - description: | - Consistent read gets per transaction. - - name: soft_parse_ratio - type: double - metric_type: gauge - description: | - Soft parse ratio. - - name: database_time_per_sec - type: double - metric_type: gauge - description: | - Database time per second. - - name: physical_read_bytes_per_sec - type: double - metric_type: gauge - description: | - Physical read bytes per second. - - name: current_logons_count - type: double - metric_type: gauge - description: | - Current logons count. - - name: total_table_scans_per_txn - type: double - metric_type: gauge - description: | - Total table scans per transaction. - - name: txns_per_logon - type: double - metric_type: gauge - description: | - transactions per logon. 
- - name: user_rollback_undorec_applied_per_sec
- type: double
- metric_type: gauge
- description: |
- User rollback undorec applied per second.
- - name: physical_writes_per_txn
- type: double
- metric_type: gauge
- description: |
- Physical writes per transaction.
- - name: cr_undo_records_applied_per_sec
- type: double
- metric_type: gauge
- description: |
- Cr undo records applied per second.
- - name: gc_cr_block_received_per_second
- type: double
- metric_type: gauge
- description: |
- Gc cr block received per second.
- - name: recursive_calls_per_txn
- type: double
- metric_type: gauge
- description: |
- Recursive calls per transaction.
- - name: px_downgraded_1_to_25pct_per_sec
- unit: percent
- type: double
- metric_type: gauge
- description: |
- Px downgraded 1 to 25 percentage per second.
- - name: workload_capture_and_replay_status
- type: double
- metric_type: gauge
- description: |
- Workload capture and replay status.
- - name: cr_blocks_created_per_txn
- type: double
- metric_type: gauge
- description: |
- Cr blocks created per transaction.
- - name: physical_write_bytes_per_sec
- type: double
- metric_type: gauge
- description: |
- Physical write bytes per second.
- - name: physical_reads_direct_lobs_per_txn
- type: double
- metric_type: gauge
- description: |
- Physical reads direct lobs per transaction.
- - name: physical_write_total_bytes_per_sec
- type: double
- metric_type: gauge
- description: |
- Physical write total bytes per second.
- - name: physical_write_io_requests_per_sec
- type: double
- metric_type: gauge
- description: |
- Physical write io requests per second.
- - name: session_count
- type: double
- metric_type: gauge
- description: |
- Session count.
- - name: logons_per_txn
- type: double
- metric_type: gauge
- description: |
- Logons per transaction.
- - name: queries_parallelized_per_sec
- type: double
- metric_type: gauge
- description: |
- Queries parallelized per second.
- - name: background_time_per_sec
- type: double
- metric_type: gauge
- description: |
- Background time per second.
- - name: global_cache_average_cr_get_time
- type: double
- metric_type: gauge
- description: |
- Global cache average cr get time.
- - name: user_rollbacks_percentage
- type: double
- metric_type: gauge
- description: |
- User rollbacks percentage.
- - name: enqueue_requests_per_sec
- type: double
- metric_type: gauge
- description: |
- Enqueue requests per second.
- - name: enqueue_deadlocks_per_txn
- type: double
- metric_type: gauge
- description: |
- Enqueue deadlocks per transaction.
- - name: library_cache_hit_ratio
- type: double
- metric_type: gauge
- description: |
- Library cache hit ratio.
- - name: enqueue_timeouts_per_txn
- type: double
- metric_type: gauge
- description: |
- Enqueue timeouts per transaction.
- - name: cr_blocks_created_per_sec
- type: double
- metric_type: gauge
- description: |
- Cr blocks created per second.
- - name: physical_reads_direct_lobs_per_sec
- type: double
- metric_type: gauge
- description: |
- Physical reads direct lobs per second.
- - name: px_downgraded_75_to_99pct_per_sec
- unit: percent
- type: double
- metric_type: gauge
- description: |
- Px downgraded 75 to 99 percentage per second.
- - name: global_cache_blocks_lost
- type: double
- metric_type: gauge
- description: |
- Global cache blocks lost.
- - name: user_limit_pct
- unit: percent
- type: double
- metric_type: gauge
- description: |
- User limit percentage.
- - name: process_limit_pct
- unit: percent
- type: double
- metric_type: gauge
- description: |
- Process limit percentage.
- - name: user_calls_per_txn
- type: double
- metric_type: gauge
- description: |
- User calls per transaction
- - name: physical_writes_direct_lobs_per_sec
- type: double
- metric_type: gauge
- description: |
- Physical writes direct lobs per sec
- - name: open_cursors_per_sec
- type: double
- metric_type: gauge
- description: |
- Open cursors per sec
- - name: physical_writes_direct_lobs__per_txn
- type: double
- metric_type: gauge
- description: |
- Physical writes direct lobs per transaction
- - name: total_pga_used_by_sql_workareas
- type: double
- metric_type: gauge
- description: |
- Total pga used by sql workareas
- - name: px_downgraded_25_to_50pct_per_sec
- unit: percent
- type: double
- metric_type: gauge
- description: |
- Px downgraded 25 to 50 percentage per sec
- - name: user_commits_per_sec
- type: double
- metric_type: gauge
- description: |
- User commits per sec
- - name: enqueue_deadlocks_per_sec
- type: double
- metric_type: gauge
- description: |
- Enqueue deadlocks per sec
- - name: enqueue_requests_per_txn
- type: double
- metric_type: gauge
- description: |
- Enqueue requests per transaction
- - name: background_cpu_usage_per_sec
- type: double
- metric_type: gauge
- description: |
- Background CPU usage per sec
- - name: physical_read_total_io_requests_per_sec
- type: double
- metric_type: gauge
- description: |
- Physical read total io requests per sec
- - name: logons_per_sec
- type: double
- metric_type: gauge
- description: |
- Logons per sec
- - name: redo_generated_per_txn
- type: double
- metric_type: gauge
- description: |
- Redo generated per transaction
- - name: db_block_gets_per_txn
- type: double
- metric_type: gauge
- description: |
- Db block gets per transaction
- - name: execute_without_parse_ratio
- type: double
- metric_type: gauge
- description: |
- Execute without parse ratio
- - name: temp_space_used
- type: double
- metric_type: gauge
- description: |
- Temp space used
- - name: sql_service_response_time
- type: double
- metric_type: gauge
- description: |
- Sql service response time
- - name: parse_failure_count_per_sec
- type: double
- metric_type: gauge
- description: |
- Parse failure count per sec
- - name: user_calls_ratio
- type: double
- metric_type: gauge
- description: |
- User calls ratio
- - name: active_parallel_sessions
- type: double
- metric_type: gauge
- description: |
- Active parallel sessions
- - name: io_megabytes_per_second
- type: double
- metric_type: gauge
- description: |
- IO megabytes per second
- - name: database_cpu_time_ratio
- type: double
- metric_type: gauge
- description: |
- Database CPU time ratio
- - name: dml_statements_parallelized_per_sec
- type: double
- metric_type: gauge
- description: |
- Dml statements parallelized per sec
- - name: ddl_statements_parallelized_per_sec
- type: double
- metric_type: gauge
- description: |
- Ddl statements parallelized per sec
- - name: current_open_cursors_count
- type: double
- metric_type: gauge
- description: |
- Current open cursors count
- - name: open_cursors_per_txn
- type: double
- metric_type: gauge
- description: |
- Open cursors per transaction
- - name: global_cache_average_current_get_time
- type: double
- metric_type: gauge
- description: |
- Global cache average current get time
- - name: hard_parse_count_per_sec
- type: double
- metric_type: gauge
- description: |
- Hard parse count per sec
- - name: buffer_cache_hit_ratio
- type: double
- metric_type: gauge
- description: |
- Buffer cache hit ratio
- - name: gc_current_block_received_per_txn
- type: double
- metric_type: gauge
- description: |
- Gc current block received per transaction
- - name: db_block_gets_per_sec
- type: double
- metric_type: gauge
- description: |
- Db block gets per sec
- - name: executions_per_user_call
- type: double
- metric_type: gauge
- description: |
- Executions per user call
- - name: row_cache_hit_ratio
- type: double
- metric_type: gauge
- description: |
- Row cache hit ratio.
- - name: gc_cr_block_received_per_txn
- type: double
- metric_type: gauge
- description: |
- Gc cr block received per transaction.
- - name: hard_parse_count_per_txn
- type: double
- metric_type: gauge
- description: |
- Hard parse count per transaction.
- - name: host_cpu_usage_per_sec
- type: double
- metric_type: gauge
- description: |
- Host CPU usage per sec.
- - name: db_block_changes_per_user_call
- type: double
- metric_type: gauge
- description: |
- Db block changes per user call.
- - name: row_cache_miss_ratio
- type: double
- metric_type: gauge
- description: |
- Row cache miss ratio.
- - name: network_traffic_volume_per_sec
- type: double
- metric_type: gauge
- description: |
- Network traffic volume per second.
- - name: database_wait_time_ratio
- type: double
- metric_type: gauge
- description: |
- Database wait time ratio.
- - name: logical_reads_per_txn
- type: double
- metric_type: gauge
- description: |
- Logical reads per transaction.
- - name: db_block_gets_per_user_call
- type: double
- metric_type: gauge
- description: |
- Db block gets per user call.
- - name: library_cache_miss_ratio
- type: double
- metric_type: gauge
- description: |
- Library cache miss ratio.
- - name: full_index_scans_per_txn
- type: double
- metric_type: gauge
- description: |
- Full index scans per transaction.
- - name: px_downgraded_to_serial_per_sec
- type: double
- metric_type: gauge
- description: |
- Px downgraded to serial per sec.
- - name: redo_generated_per_sec
- type: double
- metric_type: gauge
- description: |
- Redo generated per second.
- - name: active_serial_sessions
- type: double
- metric_type: gauge
- description: |
- Active serial sessions.
- - name: full_index_scans_per_sec
- type: double
- metric_type: gauge
- description: |
- Full index scans per second.
- - name: captured_user_calls
- type: double
- metric_type: gauge
- description: |
- Captured user calls.
- - name: memory_sorts_ratio
- type: double
- metric_type: gauge
- description: |
- Memory sorts ratio.
- - name: io_requests_per_second
- type: double
- metric_type: gauge
- description: |
- IO requests per second
- - name: gc_current_block_received_per_second
- type: double
- metric_type: gauge
- description: |
- Gc current block received per second.
- - name: disk_sort_per_sec
- type: double
- metric_type: gauge
- description: |
- Disk sort per second.
- - name: shared_pool_free_pct
- unit: percent
- type: double
- metric_type: gauge
- description: |-
- Shared pool free percentage.
diff --git a/packages/oracle/1.4.1/data_stream/sysmetric/manifest.yml b/packages/oracle/1.4.1/data_stream/sysmetric/manifest.yml
deleted file mode 100755
index b00f93e3d4..0000000000
--- a/packages/oracle/1.4.1/data_stream/sysmetric/manifest.yml
+++ /dev/null
@@ -1,32 +0,0 @@
-title: "Sysmetric related metrics."
-type: metrics
-release: beta
-streams:
- - input: sql/metrics
- enabled: false
- title: Oracle sysmetrics metrics data
- description: Collect sysmetrics data of Oracle database
- vars:
- - name: period
- type: text
- title: Period
- default: 60s
- multi: false
- required: true
- show_user: true
- - name: dynamic_metric_name_filter
- type: text
- title: Metric Name Filter
- multi: false
- required: false
- show_user: true
- default: "%"
- description: Filter values returned by applying filter on METRIC_NAME of V$SYSMETRIC
- - name: tags
- type: text
- title: Tags
- multi: true
- required: true
- show_user: false
- default:
- - oracle_sysmetrics
diff --git a/packages/oracle/1.4.1/data_stream/sysmetric/sample_event.json b/packages/oracle/1.4.1/data_stream/sysmetric/sample_event.json
deleted file mode 100755
index dacf1b44f5..0000000000
--- a/packages/oracle/1.4.1/data_stream/sysmetric/sample_event.json
+++ /dev/null
@@ -1,181 +0,0 @@
-{
- "@timestamp": "2022-05-27T02:18:55.112Z",
- "event": {
- "dataset": "oracle.sysmetric",
- "module": "sql",
- "duration": 408974115
- },
- "metricset": {
- "name": "query",
- "period": 60000
- },
- "oracle": {
- "sysmetric": {
- "row_cache_hit_ratio": 100,
- "current_open_cursors_count": 28,
- "total_pga_allocated": 194334720,
- "px_downgraded_75_to_99pct_per_sec": 0,
- "enqueue_deadlocks_per_txn": 0,
- "db_block_gets_per_sec": 1.83501683501684,
- "cr_blocks_created_per_txn": 0,
- "logical_reads_per_user_call": 5.44347826086956,
- "response_time_per_txn": 20.0772,
- "recursive_calls_per_sec": 21.9191919191919,
- "db_block_gets_per_txn": 54.5,
- "long_table_scans_per_txn": 0,
- "total_parse_count_per_txn": 54,
- "db_block_changes_per_user_call": 0.947826086956522,
- "px_downgraded_to_serial_per_sec": 0,
- "cell_physical_io_interconnect_bytes": 4483072,
- "physical_writes_direct_per_sec": 0,
- "current_os_load": 1.6591796875,
- "user_rollback_undo_records_applied_per_txn": 0,
- "db_block_changes_per_txn": 54.5,
- "disk_sort_per_sec": 0,
- "cr_undo_records_applied_per_txn": 0,
- "process_limit_pct": 27.3333333333333,
- "cpu_usage_per_sec": 0.77420202020202,
- "active_parallel_sessions": 0,
- "long_table_scans_per_sec": 0,
- "database_time_per_sec": 0.676,
- "physical_read_total_io_requests_per_sec": 3.75420875420875,
- "cr_undo_records_applied_per_sec": 0,
- "gc_cr_block_received_per_txn": 0,
- "active_serial_sessions": 1,
- "pq_slave_session_count": 0,
- "physical_writes_direct_per_txn": 0,
- "session_count": 66,
- "dbwr_checkpoints_per_sec": 0,
- "db_block_changes_per_sec": 1.83501683501684,
- "cpu_usage_per_txn": 22.9938,
- "vm_out_bytes_per_sec": 0,
- "parse_failure_count_per_sec": 0,
- "gc_cr_block_received_per_second": 0,
- "rows_per_sort": 2.27027027027027,
- "physical_read_bytes_per_sec": 0,
- "physical_writes_direct_lobs_per_sec": 0,
- "consistent_read_changes_per_txn": 2,
- "global_cache_blocks_lost": 0,
- "average_synchronous_single-block_read_latency": 0.0280373831775701,
- "physical_read_io_requests_per_sec": 0,
- "background_checkpoints_per_sec": 0,
- "enqueue_requests_per_txn": 6353.5,
- "global_cache_blocks_corrupted": 0,
- "user_transaction_per_sec": 0.0336700336700337,
- "logical_reads_per_sec": 10.5387205387205,
- "background_time_per_sec": 0.0137291582491582,
- "total_pga_used_by_sql_workareas": 0,
- "branch_node_splits_per_sec": 0,
- "px_downgraded_50_to_75pct_per_sec": 0,
- "user_rollback_undorec_applied_per_sec": 0,
- "consistent_read_gets_per_sec": 8.7037037037037,
- "consistent_read_changes_per_sec": 0.0673400673400673,
- "leaf_node_splits_per_txn": 0,
- "total_sorts_per_user_call": 0.321739130434783,
- "enqueue_requests_per_sec": 213.922558922559,
- "gc_current_block_received_per_txn": 0,
- "physical_reads_direct_per_sec": 0,
- "px_downgraded_1_to_25pct_per_sec": 0,
- "redo_allocation_hit_ratio": 100,
- "enqueue_deadlocks_per_sec": 0,
- "shared_pool_free_pct": 11.3199416627275,
- "row_cache_miss_ratio": 0,
- "database_cpu_time_ratio": 114.526926065388,
- "physical_write_io_requests_per_sec": 0.336700336700337,
- "redo_generated_per_txn": 11194,
- "enqueue_timeouts_per_sec": 0,
- "logical_reads_per_txn": 313,
- "average_active_sessions": 0.00676,
- "leaf_node_splits_per_sec": 0,
- "cursor_cache_hit_ratio": 153.703703703704,
- "physical_reads_direct_per_txn": 0,
- "branch_node_splits_per_txn": 0,
- "executions_per_user_call": 2.22608695652174,
- "px_operations_not_downgraded_per_sec": 0.0673400673400673,
- "workload_capture_and_replay_status": 0,
- "user_calls_per_sec": 1.93602693602694,
- "physical_read_total_bytes_per_sec": 57121.6161616162,
- "run_queue_per_sec": 0,
- "open_cursors_per_txn": 126,
- "physical_writes_per_txn": 10,
- "global_cache_average_cr_get_time": 0,
- "global_cache_average_current_get_time": 0,
- "gc_current_block_received_per_second": 0,
- "px_downgraded_25_to_50pct_per_sec": 0,
- "user_limit_pct": 0.00000109430402542797,
- "user_calls_ratio": 8.11573747353564,
- "current_logons_count": 47,
- "library_cache_miss_ratio": 0,
- "physical_writes_direct_lobs__per_txn": 0,
- "queries_parallelized_per_sec": 0,
- "total_table_scans_per_sec": 0.303030303030303,
- "physical_write_total_bytes_per_sec": 18350.9764309764,
- "io_megabytes_per_second": 0.0841750841750842,
- "execute_without_parse_ratio": 57.8125,
- "hard_parse_count_per_sec": 0,
- "user_commits_percentage": 100,
- "redo_generated_per_sec": 376.902356902357,
- "enqueue_timeouts_per_txn": 0,
- "captured_user_calls": 0,
- "physical_reads_direct_lobs_per_txn": 0,
- "session_limit_pct": 13.9830508474576,
- "pq_qc_session_count": 0,
- "host_cpu_usage_per_sec": 92.3905723905724,
- "physical_reads_direct_lobs_per_sec": 0,
- "parse_failure_count_per_txn": 0,
- "open_cursors_per_sec": 4.24242424242424,
- "user_rollbacks_per_sec": 0,
- "full_index_scans_per_sec": 0,
- "physical_writes_per_sec": 0.336700336700337,
- "physical_write_bytes_per_sec": 2758.24915824916,
- "memory_sorts_ratio": 100,
- "streams_pool_usage_percentage": 0,
- "user_rollbacks_percentage": 0,
- "consistent_read_gets_per_txn": 258.5,
- "user_commits_per_sec": 0.0336700336700337,
- "background_cpu_usage_per_sec": 0.626880471380471,
- "database_wait_time_ratio": 0,
- "user_calls_per_txn": 57.5,
- "hard_parse_count_per_txn": 0,
- "total_table_scans_per_txn": 9,
- "ddl_statements_parallelized_per_sec": 0,
- "temp_space_used": 0,
- "enqueue_waits_per_txn": 2,
- "io_requests_per_second": 5.23569023569024,
- "library_cache_hit_ratio": 100,
- "logons_per_sec": 0.420875420875421,
- "full_index_scans_per_txn": 0,
- "txns_per_logon": 0.08,
- "pga_cache_hit_pct": 100,
- "physical_reads_per_txn": 0,
- "host_cpu_utilization_pct": 11.6182572614108,
- "sql_service_response_time": 0.0283376146788991,
- "db_block_gets_per_user_call": 0.947826086956522,
- "physical_reads_per_sec": 0,
- "soft_parse_ratio": 100,
- "total_index_scans_per_sec": 3.06397306397306,
- "executions_per_txn": 128,
- "disk_sort_per_txn": 0,
- "logons_per_txn": 12.5,
- "enqueue_waits_per_sec": 0.0673400673400673,
- "physical_write_total_io_requests_per_sec": 1.48148148148148,
- "replayed_user_calls": 0,
- "dml_statements_parallelized_per_sec": 0,
- "cr_blocks_created_per_sec": 0,
- "total_table_scans_per_user_call": 0.156521739130435,
- "buffer_cache_hit_ratio": 100,
- "vm_in_bytes_per_sec": 0,
- "redo_writes_per_txn": 5.5,
- "network_traffic_volume_per_sec": 522.289562289562,
- "executions_per_sec": 4.30976430976431,
- "total_index_scans_per_txn": 91,
- "redo_writes_per_sec": 0.185185185185185,
- "recursive_calls_per_txn": 651,
- "total_parse_count_per_sec": 1.81818181818182
- }
- },
- "service": {
- "address": "oracle://localhost:1521/ORCLCDB.localdomain",
- "type": "sql"
- }
-}
\ No newline at end of file
diff --git a/packages/oracle/1.4.1/data_stream/system_statistics/agent/stream/stream.yml.hbs b/packages/oracle/1.4.1/data_stream/system_statistics/agent/stream/stream.yml.hbs
deleted file mode 100755
index 5231d2fb1d..0000000000
--- a/packages/oracle/1.4.1/data_stream/system_statistics/agent/stream/stream.yml.hbs
+++ /dev/null
@@ -1,90 +0,0 @@
-metricsets: ["query"]
-period: {{period}}
-hosts:
-{{#each hosts}}
- - {{this}}
-{{/each}}
-raw_data.enabled: true
-driver: "oracle"
-sql_queries:
- - query: SELECT NAME, VALUE FROM V$SYSSTAT WHERE NAME IN (
- 'bytes received via SQL*Net from client',
- 'bytes received via SQL*Net from dblink',
- 'bytes sent via SQL*Net to client',
- 'bytes sent via SQL*Net to dblink',
- 'CPU used by this session',
- 'db block changes',
- 'db block gets from cache',
- 'DBWR checkpoint buffers written',
- 'DBWR checkpoints',
- 'DML statements parallelized',
- 'enqueue conversions',
- 'enqueue deadlocks',
- 'enqueue releases',
- 'enqueue requests',
- 'enqueue timeouts',
- 'enqueue waits',
- 'exchange deadlocks',
- 'execute count',
- 'gc current block receive time',
- 'index fast full scans (direct read)',
- 'index fast full scans (full)',
- 'index fast full scans (rowid ranges)',
- 'lob reads',
- 'lob writes',
- 'logons current',
- 'opened cursors current',
- 'Parallel operations not downgraded',
- 'parse count (hard)',
- 'parse count (total)',
- 'parse time cpu',
- 'parse time elapsed',
- 'physical read bytes',
- 'physical read IO requests',
- 'physical read total bytes',
- 'physical read total IO requests',
- 'physical reads',
- 'physical write bytes',
- 'physical write IO requests',
- 'physical write total bytes',
- 'physical write total IO requests',
- 'physical writes',
- 'physical writes direct',
- 'physical writes from cache',
- 'process last non-idle time',
- 'queries parallelized',
- 'recovery blocks read',
- 'recursive calls',
- 'recursive cpu usage',
- 'redo blocks written',
- 'redo buffer allocation retries',
- 'redo log space requests',
- 'redo log space wait time',
- 'redo size',
- 'redo synch time',
- 'redo write time',
- 'redo writes',
- 'session cursor cache count',
- 'session cursor cache hits',
- 'session logical reads',
- 'session stored procedure space',
- 'sorts (disk)',
- 'sorts (memory)',
- 'sorts (rows)',
- 'table scan rows gotten',
- 'table scans (direct read)',
- 'table scans (long tables)',
- 'table scans (rowid ranges)',
- 'transaction rollbacks',
- 'user calls',
- 'user commits',
- 'user rollbacks',
- 'DB time',
- 'OS System time used',
- 'OS User time used',
- 'SMON posted for instance recovery',
- 'SMON posted for txn recovery for other instances',
- 'java call heap live size',
- 'java call heap total size',
- 'java call heap used size')
- response_format: variables
\ No newline at end of file
diff --git a/packages/oracle/1.4.1/data_stream/system_statistics/elasticsearch/ingest_pipeline/default.yml b/packages/oracle/1.4.1/data_stream/system_statistics/elasticsearch/ingest_pipeline/default.yml
deleted file mode 100755
index 4e8d55540d..0000000000
--- a/packages/oracle/1.4.1/data_stream/system_statistics/elasticsearch/ingest_pipeline/default.yml
+++ /dev/null
@@ -1,63 +0,0 @@
----
-description: Pipeline for processing Oracle system statistics metrics
-processors:
- - remove:
- field: sql.driver
- ignore_missing: true
- ignore_failure: true
- - remove:
- field: sql.query
- ignore_missing: true
- ignore_failure: true
- - rename:
- field: sql
- target_field: oracle
- ignore_missing: true
- ignore_failure: true
- - rename:
- field: oracle.metrics
- target_field: oracle.system_statistics
- ignore_missing: true
- ignore_failure: true
- - foreach:
- field: oracle.system_statistics
- ignore_missing: true
- processor:
- gsub:
- field: "_ingest._key"
- pattern: " "
- replacement: "_"
- - foreach:
- field: oracle.system_statistics
- ignore_missing: true
- processor:
- gsub:
- field: "_ingest._key"
- pattern: "\\("
- replacement: ""
- - foreach:
- field: oracle.system_statistics
- ignore_missing: true
- processor:
- gsub:
- field: "_ingest._key"
- pattern: "\\)"
- replacement: ""
- - foreach:
- field: oracle.system_statistics
- ignore_missing: true
- processor:
- gsub:
- field: "_ingest._key"
- pattern: "\\*"
- replacement: ""
- - rename:
- field: oracle.system_statistics.process_last_non-idle_time
- target_field: oracle.system_statistics.process_last_non_idle_time
- ignore_missing: true
- ignore_failure: true
-
-on_failure:
-- set:
- field: error.message
- value: "{{ _ingest.on_failure_message }}"
\ No newline at end of file
diff --git a/packages/oracle/1.4.1/data_stream/system_statistics/fields/base-fields.yml b/packages/oracle/1.4.1/data_stream/system_statistics/fields/base-fields.yml
deleted file mode 100755
index 6cc192b4ed..0000000000
--- a/packages/oracle/1.4.1/data_stream/system_statistics/fields/base-fields.yml
+++ /dev/null
@@ -1,20 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: '@timestamp'
- type: date
- description: Event timestamp.
-- name: event.module
- type: constant_keyword
- description: Event module
- value: sql
-- name: event.dataset
- type: constant_keyword
- description: Event module
- value: oracle.system_statistics
diff --git a/packages/oracle/1.4.1/data_stream/system_statistics/fields/ecs.yml b/packages/oracle/1.4.1/data_stream/system_statistics/fields/ecs.yml
deleted file mode 100755
index 958b30e712..0000000000
--- a/packages/oracle/1.4.1/data_stream/system_statistics/fields/ecs.yml
+++ /dev/null
@@ -1,21 +0,0 @@
-- description: Host ip addresses.
- name: host.ip
- normalize:
- - array
- type: ip
-- description: |-
- ECS version this event conforms to. `ecs.version` is a required field and must exist in all events.
- When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events.
- name: ecs.version
- type: keyword
-- description: |-
- Address where data about this service was collected from.
- This should be a URI, network address (ipv4:port or [ipv6]:port) or a resource path (sockets).
- name: service.address
- type: keyword
-- description: |-
- The type of the service data is collected from.
- The type can be used to group and correlate logs and metrics from one service type.
- Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`.
- name: service.type
- type: keyword
diff --git a/packages/oracle/1.4.1/data_stream/system_statistics/fields/fields.yml b/packages/oracle/1.4.1/data_stream/system_statistics/fields/fields.yml
deleted file mode 100755
index 8da6521ffc..0000000000
--- a/packages/oracle/1.4.1/data_stream/system_statistics/fields/fields.yml
+++ /dev/null
@@ -1,335 +0,0 @@
-- name: oracle.system_statistics
- type: group
- release: beta
- fields:
- - name: parallel_operations_not_downgraded
- type: double
- metric_type: counter
- description: Number of times parallel execution was executed at the requested degree of parallelism
- - name: physical_writes_direct
- type: double
- metric_type: counter
- description: Number of writes directly to disk, bypassing the buffer cache (as in a direct load operation).
- - name: os_user_time_used
- type: double
- metric_type: counter
- description: The total CPU time used for user calls.
- - name: physical_writes_from_cache
- type: double
- metric_type: counter
- description: Total number of data blocks written to disk from the buffer cache. This is a subset of "physical writes" statistic.
- - name: user_calls
- type: double
- metric_type: counter
- description: Number of user calls such as login, parse, fetch, or execute.
- - name: table_scan_rows_gotten
- type: double
- metric_type: counter
- description: Number of rows that are processed during scanning operations.
- - name: smon_posted_for_txn_recovery_for_other_instances
- type: double
- metric_type: counter
- description: The total count or number of times SMON posted for instance recovery
- - name: enqueue_deadlocks
- type: double
- metric_type: counter
- description: Total number of deadlocks between table or row locks in different sessions.
- - name: gc_current_block_receive_time
- type: double
- metric_type: counter
- description: The total time required for consistent read requests to complete. It records the round-trip time for all requests for consistent read blocks.
- - name: queries_parallelized
- type: double
- metric_type: counter
- description: Number of SELECT statements executed in parallel.
- - name: enqueue_releases
- type: double
- metric_type: counter
- description: Total number of table or row locks released.
- - name: user_rollbacks
- type: double
- metric_type: counter
- description: Number of times users manually issue the ROLLBACK statement or an error occurs during a user's transactions.
- - name: session_cursor_cache_count
- type: double
- metric_type: counter
- description: Total number of cursors cached.
- - name: redo_blocks_written
- type: double
- metric_type: counter
- description: Total number of redo blocks written.
- - name: redo_buffer_allocation_retries
- type: double
- metric_type: counter
- description: Total number of retries necessary to allocate space in the redo buffer.
- - name: enqueue_conversions
- type: double
- metric_type: counter
- description: Total number of conversions of the state of table or row lock.
- - name: transaction_rollbacks
- type: double
- metric_type: counter
- description: Number of transactions being successfully rolled back.
- - name: physical_reads
- type: double
- metric_type: counter
- description: Total number of data blocks read from disk.
- - name: table_scans_direct_read
- type: double
- metric_type: counter
- description: The number of table scans performed with direct read (bypassing the buffer cache).
- - name: lob_writes
- type: double
- metric_type: counter
- description: The number of LOB API write operations performed in the session/system.
- - name: java_call_heap_live_size
- type: double
- metric_type: counter
- description: The Java call heap live size.
- - name: lob_reads
- type: double
- metric_type: counter
- description: The number of LOB API read operations performed in the session/system.
- - name: bytes_received_via_sqlnet_from_client
- type: double
- metric_type: counter
- unit: byte
- description: Total number of bytes received from the client over Oracle Net Services.
- - name: table_scans_long_tables
- type: double
- metric_type: counter
- description: Long (or conversely short) tables can be defined as tables that do not meet the short table criteria.
- - name: java_call_heap_used_size
- type: double
- metric_type: counter
- description: The Java call heap used size.
- - name: physical_writes
- type: double
- metric_type: counter
- description: Total number of data blocks written to disk. This statistics value equals the sum of physical writes direct and physical writes from cache values.
- - name: sorts_rows
- type: double
- metric_type: counter
- description: Total number of rows sorted.
- - name: parse_time_elapsed
- type: double
- metric_type: counter
- unit: ms
- description: Total elapsed time for parsing, in 10s of milliseconds.
- - name: exchange_deadlocks
- type: double
- metric_type: counter
- description: Number of times that a process detected a potential deadlock when exchanging two buffers and raised an internal, restartable error. Index scans are the only operations that perform exchanges.
- - name: db_block_changes
- type: double
- metric_type: counter
- description: This statistic counts the total number of changes that were part of an update or delete operation that were made to all blocks in the SGA.
- - name: enqueue_waits
- type: double
- metric_type: counter
- description: Total number of waits that occurred during an enqueue convert or get because the enqueue get was deferred.
- - name: redo_size
- type: double
- metric_type: counter
- unit: byte
- description: Total amount of redo generated in bytes.
- - name: table_scans_rowid_ranges
- type: double
- metric_type: counter
- description: During parallel query, the number of table scans conducted with specified ROWID ranges.
- - name: enqueue_requests
- type: double
- metric_type: counter
- description: Total number of table or row locks acquired
- - name: user_commits
- type: double
- metric_type: counter
- description: Number of user commits. When a user commits a transaction, the redo generated that reflects the changes made to database blocks must be written to disk.
- - name: cpu_used_by_this_session
- type: double
- metric_type: counter
- unit: ms
- description: Amount of CPU time (in 10s of milliseconds) used by a session from the time a user call starts until it ends.
- - name: execute_count
- type: double
- metric_type: counter
- description: Total number of calls (user and recursive) that executed SQL statements.
- - name: process_last_non_idle_time
- type: double
- metric_type: counter
- description: The last time this process executed.
- - name: os_system_time_used
- type: double
- metric_type: counter
- description: The total CPU time used for system calls.
- - name: recursive_cpu_usage
- type: double
- metric_type: counter
- description: Total CPU time used by non-user calls (recursive calls).
- - name: redo_write_time
- type: double
- metric_type: counter
- unit: micros
- description: Total elapsed time of the write from the redo log buffer to the current redo log file in microseconds.
- - name: redo_synch_time
- type: double
- metric_type: counter
- unit: ms
- description: Elapsed time of all redo synch writes calls in 10s of milliseconds.
- - name: bytes_sent_via_sqlnet_to_dblink
- type: double
- unit: byte
- metric_type: counter
- description: Total number of bytes sent over a database link.
- - name: parse_time_cpu
- type: double
- metric_type: counter
- unit: ms
- description: Total CPU time used for parsing (hard and soft) in 10s of milliseconds
- - name: physical_write_total_bytes
- type: double
- unit: byte
- metric_type: counter
- description: Total size in bytes of all disk writes for the database instance including application activity, backup and recovery, and other utilities.
- - name: enqueue_timeouts
- type: double
- metric_type: counter
- description: Total number of table and row locks (acquired and converted) that timed out before they could complete.
- - name: physical_write_io_requests
- type: double
- metric_type: counter
- description: Number of write requests for application activity (mainly buffer cache and direct load operation) which wrote one or more database blocks per request.
- - name: java_call_heap_total_size
- type: double
- metric_type: counter
- unit: byte
- description: The total Java call heap size.
- - name: dbwr_checkpoints
- type: double
- metric_type: counter
- description: The number of times the DBWR was asked to scan the cache and write all blocks marked for a checkpoint or the end of recovery.
- - name: recursive_calls
- type: double
- metric_type: counter
- description: The number of recursive calls generated at both the user and system level.
- - name: index_fast_full_scans_full
- type: double
- metric_type: counter
- description: The number of fast full scans initiated using direct read.
- - name: logons_current
- type: double
- metric_type: counter
- description: Total number of current logons.
- - name: session_cursor_cache_hits
- type: double
- metric_type: counter
- description: Total number of cursors cached.
- - name: smon_posted_for_instance_recovery
- type: double
- metric_type: counter
- description: The total count or number of times SMON posted for instance recovery.
- - name: redo_log_space_requests
- type: double
- metric_type: counter
- description: The number of times the active log file is full and Oracle must wait for disk space to be allocated for the redo log entries.
- - name: physical_write_total_io_requests
- type: double
- metric_type: counter
- description: The number of write requests which wrote one or more database blocks from all instance activity including application activity, backup and recovery, and other utilities.
- - name: parse_count_total
- type: double
- metric_type: counter
- description: Total number of parse calls (hard, soft, and describe).
- - name: sorts_memory
- type: double
- metric_type: counter
- description: The number of sort operations that were performed completely in memory and did not require any disk writes.
- - name: physical_read_bytes
- type: double
- unit: byte
- metric_type: counter
- description: Total size in bytes of all disk reads by application activity (and not other instance activity) only.
- - name: sorts_disk
- type: double
- metric_type: counter
- description: The number of sort operations that required at least one disk write.
- - name: session_logical_reads
- type: double
- metric_type: counter
- description: The sum of db block gets plus consistent gets. This includes logical reads of database blocks from either the buffer cache or process private memory.
- - name: dbwr_checkpoint_buffers_written
- type: double
- metric_type: counter
- description: The number of buffers that were written for checkpoints.
- - name: dml_statements_parallelized
- type: double
- metric_type: counter
- description: The number of DML statements that were executed in parallel.
- - name: redo_writes
- type: double
- metric_type: counter
- description: Total number of writes by LGWR to the redo log files.
- - name: recovery_blocks_read
- type: double
- metric_type: counter
- description: The number of blocks read during recovery.
- - name: index_fast_full_scans_direct_read
- type: double
- metric_type: counter
- description: The number of fast full scans initiated using direct read.
- - name: physical_read_total_io_requests
- type: double
- metric_type: counter
- description: The number of read requests which read one or more database blocks for all instance activity including application, backup and recovery, and other utilities.
- - name: db_block_gets_from_cache
- type: double
- metric_type: counter
- description: The number of times a CURRENT block was requested from the buffer cache.
- - name: opened_cursors_current
- type: double
- metric_type: counter
- description: Total number of current open cursors.
- - name: db_time
- type: double
- metric_type: counter
- description: The sum of CPU consumption of all the Oracle process and the sum of non-idle wait time.
- - name: bytes_received_via_sqlnet_from_dblink
- type: double
- unit: byte
- metric_type: counter
- description: Total number of bytes received from a database link over Oracle Net Services
- - name: parse_count_hard
- type: double
- metric_type: counter
- description: Total number of parse calls (real parses).
- - name: index_fast_full_scans_rowid_ranges
- type: double
- metric_type: counter
- description: The number of fast full scans initiated with rowid endpoints specified.
- - name: bytes_sent_via_sqlnet_to_client
- type: double
- metric_type: counter
- unit: byte
- description: Total number of bytes sent to the client from the foreground processes.
- - name: session_stored_procedure_space
- type: double
- metric_type: counter
- description: Amount of memory this session is using for stored procedures.
- - name: physical_write_bytes
- type: double
- metric_type: counter
- unit: byte
- description: Total size in bytes of all disk writes from the database application activity (and not other kinds of instance activity).
- - name: redo_log_space_wait_time
- type: double
- metric_type: counter
- description: Total time waited in centiseconds for available space in the redo log buffer.
- - name: physical_read_io_requests
- type: double
- metric_type: counter
- description: Number of read requests for application activity (mainly buffer cache and direct load operation) which read one or more database blocks per request.
- - name: physical_read_total_bytes
- type: double
- metric_type: counter
- unit: byte
- description: Total size in bytes of disk reads by all database instance activity including application reads, backup and recovery, and other utilities.
diff --git a/packages/oracle/1.4.1/data_stream/system_statistics/manifest.yml b/packages/oracle/1.4.1/data_stream/system_statistics/manifest.yml
deleted file mode 100755
index faf3153104..0000000000
--- a/packages/oracle/1.4.1/data_stream/system_statistics/manifest.yml
+++ /dev/null
@@ -1,23 +0,0 @@
-title: "System Statistics"
-type: metrics
-release: beta
-streams:
- - input: sql/metrics
- enabled: false
- title: Oracle system statistics metrics
- description: Collect Oracle system statistics metrics
- vars:
- - name: period
- type: text
- title: Period
- default: 60s
- multi: false
- show_user: true
- - name: tags
- type: text
- title: Tags
- multi: true
- required: true
- show_user: false
- default:
- - oracle_system_statistics_metrics
diff --git a/packages/oracle/1.4.1/data_stream/system_statistics/sample_event.json b/packages/oracle/1.4.1/data_stream/system_statistics/sample_event.json
deleted file mode 100755
index 93cec66048..0000000000
--- a/packages/oracle/1.4.1/data_stream/system_statistics/sample_event.json
+++ /dev/null
@@ -1,106 +0,0 @@
-{
- "oracle": {
- "system_statistics": {
- "parallel_operations_not_downgraded": 74269,
- "physical_writes_direct": 49593,
- "os_user_time_used": 0,
- "physical_writes_from_cache": 1640956,
- "user_calls": 1728270,
- "table_scan_rows_gotten": 6496308028,
- "smon_posted_for_txn_recovery_for_other_instances": 0,
- "enqueue_deadlocks": 0,
- "gc_current_block_receive_time": 0,
- "queries_parallelized": 0,
- "enqueue_releases": 204823089,
- "user_rollbacks": 566,
- "session_cursor_cache_count": 1392126,
- "redo_blocks_written": 12594127,
- "redo_buffer_allocation_retries": 20026,
- "enqueue_conversions": 5808876,
- "transaction_rollbacks": 4797,
- "physical_reads": 15267747,
- "table_scans_direct_read": 131,
- "lob_writes": 1555222,
- "java_call_heap_live_size": 0,
- "lob_reads": 250087,
- "bytes_received_via_sqlnet_from_client": 99978239,
- "table_scans_long_tables": 823,
- "java_call_heap_used_size": 0,
- "physical_writes": 1690549,
- "sorts_rows": 289153904,
- "parse_time_elapsed": 119320,
- "exchange_deadlocks": 1,
- "db_block_changes": 35370231,
- "enqueue_waits": 93701,
- "redo_size": 6102600928,
- "table_scans_rowid_ranges": 0,
- "enqueue_requests": 204831722,
- "user_commits": 178585,
- "cpu_used_by_this_session": 2532130,
- "execute_count": 29214384,
- "process_last_non_idle_time": 1659881160,
- "os_system_time_used": 0,
- "recursive_cpu_usage": 1957103,
- "redo_write_time": 123863,
- "redo_synch_time": 7173,
- "bytes_sent_via_sqlnet_to_dblink": 0,
- "parse_time_cpu": 75577,
- "physical_write_total_bytes": 36649355517,
- "enqueue_timeouts": 8601,
- "physical_write_io_requests": 959618,
- "java_call_heap_total_size": 0,
- "dbwr_checkpoints": 7081,
- "recursive_calls": 81604284,
- "index_fast_full_scans_full": 39008,
- "logons_current": 51,
- "session_cursor_cache_hits": 47613134,
- "smon_posted_for_instance_recovery": 0,
- "redo_log_space_requests": 57742,
- "physical_write_total_io_requests": 2504705,
- "parse_count_total": 6028908,
-
"sorts_memory": 2134811, - "physical_read_bytes": 125073383424, - "sorts_disk": 0, - "session_logical_reads": 440906935, - "dbwr_checkpoint_buffers_written": 1186157, - "dml_statements_parallelized": 0, - "redo_writes": 524251, - "recovery_blocks_read": 0, - "index_fast_full_scans_direct_read": 0, - "physical_read_total_io_requests": 7036559, - "db_block_gets_from_cache": 36495181, - "opened_cursors_current": 31, - "db_time": 41363170, - "bytes_received_via_sqlnet_from_dblink": 0, - "parse_count_hard": 184548, - "index_fast_full_scans_rowid_ranges": 0, - "bytes_sent_via_sqlnet_to_client": 227960514, - "session_stored_procedure_space": 0, - "physical_write_bytes": 13848977408, - "redo_log_space_wait_time": 382148, - "physical_read_io_requests": 3834637, - "physical_read_total_bytes": 183706260480 - } - }, - "@timestamp": "2022-08-07T14:06:01.373Z", - "data_stream": { - "namespace": "default", - "type": "metrics", - "dataset": "oracle.system_statistics" - }, - "service": { - "address": "0.0.0.0:1521", - "type": "sql" - }, - "metricset": { - "period": 60000, - "name": "query" - }, - "event": { - "duration": 61168658, - "agent_id_status": "verified", - "ingested": "2022-08-07T14:06:02Z", - "module": "sql", - "dataset": "oracle.system_statistics" - } -} \ No newline at end of file diff --git a/packages/oracle/1.4.1/data_stream/tablespace/agent/stream/stream.yml.hbs b/packages/oracle/1.4.1/data_stream/tablespace/agent/stream/stream.yml.hbs deleted file mode 100755 index 3ca99fcfa6..0000000000 --- a/packages/oracle/1.4.1/data_stream/tablespace/agent/stream/stream.yml.hbs +++ /dev/null 
@@ -1,94 +0,0 @@ -metricsets: ["query"] -period: {{period}} -hosts: -{{#each hosts}} - - {{this}} -{{/each}} -raw_data.enabled: true -driver: "oracle" -dynamic_metric_name_filter: "{{dynamic_metric_name_filter}}" -sql_queries: - - query: "WITH data_files - AS (SELECT file_name, - file_id, - tablespace_name, - bytes, - status, - maxbytes, - user_bytes, - online_status - FROM sys.dba_data_files - UNION - SELECT file_name, - file_id, - tablespace_name, - bytes, - status, - maxbytes, - user_bytes, - status AS ONLINE_STATUS - FROM sys.dba_temp_files), - spaces - AS (SELECT b.tablespace_name TB_NAME, - tbs_size TB_SIZE_USED, - a.free_space TB_SIZE_FREE - FROM (SELECT tablespace_name, - SUM(bytes) AS free_space - FROM dba_free_space - GROUP BY tablespace_name) a, - (SELECT tablespace_name, - SUM(bytes) AS tbs_size - FROM dba_data_files - GROUP BY tablespace_name) b - WHERE a.tablespace_name(+) = b.tablespace_name - AND a.tablespace_name != 'TEMP'), - temp_spaces - AS (SELECT tablespace_name, - tablespace_size, - allocated_space, - free_space - FROM dba_temp_free_space - WHERE tablespace_name = 'TEMP'), - details - AS (SELECT df.file_name, - df.file_id, - df.tablespace_name, - df.bytes, - df.status, - df.maxbytes, - df.user_bytes, - df.online_status, - sp.tb_size_used, - sp.tb_size_free - FROM data_files df, - spaces sp - WHERE df.tablespace_name = sp.tb_name - UNION - SELECT df.file_name, - df.file_id, - df.tablespace_name, - df.bytes, - df.status, - df.maxbytes, - df.user_bytes, - df.online_status, - tsp.tablespace_size - tsp.free_space AS TB_SIZE_USED, - tsp.free_space AS TB_SIZE_FREE - FROM data_files df, - temp_spaces tsp - WHERE df.tablespace_name = tsp.tablespace_name) -SELECT file_name, - file_id, - tablespace_name, - bytes, - status, - maxbytes, - user_bytes, - online_status, - tb_size_used, - tb_size_free, - SUM(bytes) - over() AS TOTAL_BYTES -FROM details" - response_format: table - 
diff --git a/packages/oracle/1.4.1/data_stream/tablespace/elasticsearch/ingest_pipeline/default.yml b/packages/oracle/1.4.1/data_stream/tablespace/elasticsearch/ingest_pipeline/default.yml
deleted file mode 100755
index ff2627424f..0000000000
--- a/packages/oracle/1.4.1/data_stream/tablespace/elasticsearch/ingest_pipeline/default.yml
+++ /dev/null
@@ -1,80 +0,0 @@
----
-description: Pipeline for processing oracle tablespace metrics
-processors:
- - remove:
- field: sql.driver
- ignore_missing: true
- ignore_failure: true
- - remove:
- field: sql.query
- ignore_missing: true
- ignore_failure: true
- - rename:
- field: sql
- target_field: oracle
- ignore_missing: true
- ignore_failure: true
- - rename:
- field: oracle.metrics
- target_field: oracle.tablespace
- ignore_missing: true
- - rename:
- field: oracle.tablespace.file_id
- target_field: oracle.tablespace.data_file.id
- ignore_failure: true
- ignore_missing: true
- - rename:
- field: oracle.tablespace.file_name
- target_field: oracle.tablespace.data_file.name
- ignore_failure: true
- ignore_missing: true
- - rename:
- field: oracle.tablespace.status
- target_field: oracle.tablespace.data_file.status
- ignore_failure: true
- ignore_missing: true
- - rename:
- field: oracle.tablespace.online_status
- target_field: oracle.tablespace.data_file.online_status
- ignore_failure: true
- ignore_missing: true
- - rename:
- field: oracle.tablespace.bytes
- target_field: oracle.tablespace.data_file.size.bytes
- ignore_failure: true
- ignore_missing: true
- - rename:
- field: oracle.tablespace.maxbytes
- target_field: oracle.tablespace.data_file.size.max.bytes
- ignore_failure: true
- ignore_missing: true
- - rename:
- field : oracle.tablespace.user_bytes
- target_field: oracle.tablespace.data_file.size.free.bytes
- ignore_failure: true
- ignore_missing: true
- - rename:
- field : oracle.tablespace.tb_size_free
- target_field: oracle.tablespace.space.free.bytes
- ignore_failure: true
- ignore_missing: true
- - rename:
- field: oracle.tablespace.tb_size_used
- target_field: oracle.tablespace.space.used.bytes
- ignore_failure: true
- ignore_missing: true
- - rename:
- field: oracle.tablespace.tablespace_name
- target_field: oracle.tablespace.name
- ignore_failure: true
- ignore_missing: true
- - rename:
- field: oracle.tablespace.total_bytes
- target_field:
oracle.tablespace.space.total.bytes
- ignore_failure: true
- ignore_missing: true
-
-on_failure:
-- set:
- field: error.message
- value: "{{ _ingest.on_failure_message }}"
\ No newline at end of file
diff --git a/packages/oracle/1.4.1/data_stream/tablespace/fields/base-fields.yml b/packages/oracle/1.4.1/data_stream/tablespace/fields/base-fields.yml
deleted file mode 100755
index 3672659faf..0000000000
--- a/packages/oracle/1.4.1/data_stream/tablespace/fields/base-fields.yml
+++ /dev/null
@@ -1,20 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: '@timestamp'
- type: date
- description: Event timestamp.
-- name: event.module
- type: constant_keyword
- description: Event module
- value: sql
-- name: event.dataset
- type: constant_keyword
- description: Event module
- value: oracle.tablespace
diff --git a/packages/oracle/1.4.1/data_stream/tablespace/fields/ecs.yml b/packages/oracle/1.4.1/data_stream/tablespace/fields/ecs.yml
deleted file mode 100755
index 958b30e712..0000000000
--- a/packages/oracle/1.4.1/data_stream/tablespace/fields/ecs.yml
+++ /dev/null
@@ -1,21 +0,0 @@
-- description: Host ip addresses.
- name: host.ip
- normalize:
- - array
- type: ip
-- description: |-
- ECS version this event conforms to. `ecs.version` is a required field and must exist in all events.
- When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events.
- name: ecs.version
- type: keyword
-- description: |-
- Address where data about this service was collected from.
- This should be a URI, network address (ipv4:port or [ipv6]:port) or a resource path (sockets).
- name: service.address
- type: keyword
-- description: |-
- The type of the service data is collected from.
- The type can be used to group and correlate logs and metrics from one service type.
- Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`.
- name: service.type
- type: keyword
diff --git a/packages/oracle/1.4.1/data_stream/tablespace/fields/fields.yml b/packages/oracle/1.4.1/data_stream/tablespace/fields/fields.yml
deleted file mode 100755
index e38d00d276..0000000000
--- a/packages/oracle/1.4.1/data_stream/tablespace/fields/fields.yml
+++ /dev/null
@@ -1,71 +0,0 @@
-- name: oracle.tablespace
- type: group
- release: beta
- fields:
- - name: name
- type: keyword
- description: Tablespace name
- - name: data_file
- type: group
- description: Database files information
- fields:
- - name: id
- type: long
- description: Tablespace unique identifier.
- - name: name
- type: keyword
- description: Filename of the data file
- - name: size
- type: group
- description: Size information about the file
- fields:
- - name: max.bytes
- format: bytes
- unit: byte
- metric_type: gauge
- type: long
- description: Maximum file size in bytes
- - name: bytes
- format: bytes
- unit: byte
- metric_type: gauge
- type: long
- description: Size of the file in bytes
- - name: free.bytes
- format: bytes
- unit: byte
- metric_type: gauge
- type: long
- description: >
- The size of the file available for user data. The actual size of the file minus this value is used to store file related metadata.
-
- - name: status
- type: keyword
- description: >
- File status: AVAILABLE or INVALID (INVALID means that the file number is not in use, for example, a file in a tablespace that was dropped)
-
- - name: online_status
- type: keyword
- description: Last known online status of the data file. One of SYSOFF, SYSTEM, OFFLINE, ONLINE or RECOVER.
- - name: space
- type: group
- description: Tablespace space usage information
- fields:
- - name: free.bytes
- format: bytes
- unit: byte
- type: long
- metric_type: gauge
- description: Tablespace total free space available, in bytes.
- - name: used.bytes
- format: bytes
- unit: byte
- type: long
- metric_type: gauge
- description: Tablespace used space, in bytes.
- - name: total.bytes
- format: bytes
- unit: byte
- type: long
- metric_type: gauge
- description: Tablespace total size, in bytes.
diff --git a/packages/oracle/1.4.1/data_stream/tablespace/manifest.yml b/packages/oracle/1.4.1/data_stream/tablespace/manifest.yml
deleted file mode 100755
index be70e97f3c..0000000000
--- a/packages/oracle/1.4.1/data_stream/tablespace/manifest.yml
+++ /dev/null
@@ -1,24 +0,0 @@
-title: "Oracle tablespace metrics"
-type: metrics
-release: beta
-streams:
- - input: sql/metrics
- enabled: false
- title: Oracle tablespace metrics data
- description: Collect tablespace data of Oracle database
- vars:
- - name: period
- type: text
- title: Period
- default: 60s
- multi: false
- required: true
- show_user: true
- - name: tags
- type: text
- title: Tags
- multi: true
- required: true
- show_user: false
- default:
- - oracle_tablespace
diff --git a/packages/oracle/1.4.1/data_stream/tablespace/sample_event.json b/packages/oracle/1.4.1/data_stream/tablespace/sample_event.json
deleted file mode 100755
index 5812d5658b..0000000000
--- a/packages/oracle/1.4.1/data_stream/tablespace/sample_event.json
+++ /dev/null
@@ -1,47 +0,0 @@
-{
- "@timestamp": "2017-10-12T08:05:34.853Z",
- "event": {
- "dataset": "oracle.tablespace",
- "duration": 115000,
- "module": "sql"
- },
- "metricset": {
- "name": "query",
- "period": 60000
- },
- "oracle": {
- "tablespace": {
- "data_file": {
- "size": {
- "max": {
- "bytes": 34359721984
- },
- "bytes": 1310720000,
- "free": {
- "bytes": 1309671424
- }
- },
- "online_status": "ONLINE",
- "name": "/u02/app/oracle/oradata/ORCL/sysaux01.dbf",
- "id": 3,
- "status": "AVAILABLE"
- },
- "name": "SYSAUX",
- "space": {
- "total": {
- "bytes": 2355101696
- },
- "used": {
- "bytes": 1310720000
- },
- "free": {
- "bytes": 70713344
- }
- }
- }
- },
- "service": {
- "address": "oracle://localhost:1521/ORCLCDB.localdomain",
- "type": "sql"
- }
-}
\ No newline at end of file
diff --git a/packages/oracle/1.4.1/docs/README.md b/packages/oracle/1.4.1/docs/README.md
deleted file mode 100755
index 1bf74a5d8f..0000000000
--- a/packages/oracle/1.4.1/docs/README.md
+++ /dev/null
@@ -1,1092 +0,0 @@
-# Oracle Integration
-
-This integration is for ingesting Audit Trail logs and fetching performance, tablespace and sysmetric metrics from Oracle Databases.
-
-The integration expects an *.aud audit file that is generated from Oracle Databases by default. If this has been disabled then please see the [Oracle Database Audit Trail Documentation](https://docs.oracle.com/en/database/oracle/oracle-database/19/dbseg/introduction-to-auditing.html#GUID-8D96829C-9151-4FA4-BED9-831D088F12FF).
-
-### Requirements
-
-Connectivity to Oracle can be facilitated in two ways either by using official Oracle libraries or by using a JDBC driver. Facilitation of the connectivity using JDBC is not supported currently with Metricbeat. Connectivity can be facilitated using Oracle libraries and the detailed steps to do the same are mentioned below.
-
-#### Oracle Database Connection Pre-requisites
-
-To get connected with the Oracle Database ORACLE_SID, ORACLE_BASE, ORACLE_HOME environment variables should be set.
-
-For example: Let’s consider Oracle Database 21c installation using RPM manually by following the [Oracle Installation instructions](https://docs.oracle.com/en/database/oracle/oracle-database/21/ladbi/running-rpm-packages-to-install-oracle-database.html). Environment variables should be set as follows:
- `ORACLE_SID=ORCLCDB`
- `ORACLE_BASE=/opt/oracle/oradata`
- `ORACLE_HOME=/opt/oracle/product/21c/dbhome_1`
-Also, add `$ORACLE_HOME/bin` to the `PATH` environment variable.
-
-#### Oracle Instant Client
-
-Oracle Instant Client enables development and deployment of applications that connect to Oracle Database. The Instant Client libraries provide the necessary network connectivity and advanced data features to make full use of Oracle Database. If you have OCI Oracle server which comes with these libraries pre-installed, you don't need a separate client installation.
-
-The OCI library install few Client Shared Libraries that must be referenced on the machine where Metricbeat is installed. Please follow the [Oracle Client Installation link](https://docs.oracle.com/en/database/oracle/oracle-database/21/lacli/install-instant-client-using-zip.html#GUID-D3DCB4FB-D3CA-4C25-BE48-3A1FB5A22E84) link for OCI Instant Client set up. The OCI Instant Client is available with the Oracle Universal Installer, RPM file or ZIP file. Download links can be found at the [Oracle Instant Client Download page](https://www.oracle.com/database/technologies/instant-client/downloads.html).
-
-#### Enable Listener
-
-The Oracle listener is a service that runs on the database host and receives requests from Oracle clients. Make sure that [Listener](https://docs.oracle.com/cd/B19306_01/network.102/b14213/lsnrctl.htm) is be running.
-To check if the listener is running or not, run:
-
-`lsnrctl STATUS`
-
-If the listener is not running, use the command to start:
-
-`lsnrctl START`
-
-Then, Metricbeat can be launched.
-
-*Host Configuration*
-
-The following two types of host configurations are supported:
-
-1. Old style host configuration for backwards compatibility:
- - `hosts: ["user/pass@0.0.0.0:1521/ORCLPDB1.localdomain"]`
- - `hosts: ["user/password@0.0.0.0:1521/ORCLPDB1.localdomain as sysdba"]`
-
-2. DSN host configuration:
- - `hosts: ['user="user" password="pass" connectString="0.0.0.0:1521/ORCLPDB1.localdomain"']`
- - `hosts: ['user="user" password="password" connectString="host:port/service_name" sysdba=true']`
-
-
-Note: If the password contains the backslash (`\`) character, it must be escaped with a backslash. For example, if the password is `my\_password`, it should be written as `my\\_password`.
-
-
-## Compatibility
-
-This integration has been tested with Oracle Database 19c, and should work for 18c as well though it has not been tested.
-
-### Audit Log
-
-The `database_audit` dataset collects Oracle Audit logs.
-
-**Exported fields**
-
-| Field | Description | Type |
-|---|---|---|
-| @timestamp | Event timestamp. | date |
-| client.address | Some event client addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
-| client.domain | The domain name of the client system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword |
-| client.ip | IP address of the client (IPv4 or IPv6). | ip |
-| client.user.name | Short name or login of the user. | keyword |
-| client.user.name.text | Multi-field of `client.user.name`. | match_only_text |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
-| data_stream.dataset | Data stream dataset.
| constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| error.message | Error message. | match_only_text |
-| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword |
-| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword |
-| event.dataset | Event dataset | constant_keyword |
-| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date |
-| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy.
`event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword |
-| event.module | Event module | constant_keyword |
-| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword |
-| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense.
| keyword |
-| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string.
| keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| input.type | Input type | keyword |
-| log.file.path | Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. | keyword |
-| log.flags | related log flags | |
-| log.offset | Log offset | long |
-| message | human-readable summary of the event | text |
-| oracle.database_audit.action | The action performed during the audit event. This could for example be the raw query. | keyword |
-| oracle.database_audit.action_number | Action is a numeric value representing the action the user performed. The corresponding name of the action type is in the AUDIT_ACTIONS table. For example, action 100 refers to LOGON. | keyword |
-| oracle.database_audit.client.address | The IP Address or Domain used by the client. | keyword |
-| oracle.database_audit.client.terminal | If available, the client terminal type, for example "pty". | keyword |
-| oracle.database_audit.client.user | The user running the client or connection to the database. | keyword |
-| oracle.database_audit.database.host | Client host machine name. | keyword |
-| oracle.database_audit.database.id | Database identifier calculated when the database is created. It corresponds to the DBID column of the V$DATABASE data dictionary view. | keyword |
-| oracle.database_audit.database.user | The database user used to authenticate. | keyword |
-| oracle.database_audit.entry.id | Indicates the current audit entry number, assigned to each audit trail record. The audit entry.id sequence number is shared between fine-grained audit records and regular audit records. 
| keyword |
-| oracle.database_audit.length | Refers to the total number of bytes used in this audit record. This number includes the trailing newline bytes (\n), if any, at the end of the audit record. | long |
-| oracle.database_audit.privilege | The privilege group related to the database user. | keyword |
-| oracle.database_audit.session_id | Indicates the audit session ID number. | keyword |
-| oracle.database_audit.status | Database Audit Status. | keyword |
-| process.pid | Process id. | long |
-| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword |
-| related.ip | All of the IPs seen on your event. | ip |
-| related.user | All the user names or other user identifiers seen on the event. | keyword |
-| server.address | Some event server addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
-| server.domain | The domain name of the server system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword |
-| server.ip | IP address of the server (IPv4 or IPv6). | ip |
-| server.user.name | Short name or login of the user. | keyword |
-| server.user.name.text | Multi-field of `server.user.name`. | match_only_text |
-| tags | List of keywords used to tag each event. | keyword |
-| user.name | Short name or login of the user. | keyword |
-| user.name.text | Multi-field of `user.name`. | match_only_text |
-| user.roles | Array of user roles at the time of the event. | keyword |
-| user.target.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. 
| keyword | -| user.target.name | Short name or login of the user. | keyword | -| user.target.name.text | Multi-field of `user.target.name`. | match_only_text | - - -An example event for `database_audit` looks as following: - -```json -{ - "@timestamp": "2020-10-07T14:57:51.000Z", - "agent": { - "ephemeral_id": "021be4f6-f6ea-47c5-aa38-62ba8c3f0f3c", - "id": "5940e9e3-013b-43c0-a459-261d69b08862", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "8.0.0" - }, - "client": { - "user": { - "name": "oracle" - } - }, - "data_stream": { - "dataset": "oracle.database_audit", - "namespace": "ep", - "type": "logs" - }, - "ecs": { - "version": "8.3.0" - }, - "elastic_agent": { - "id": "5940e9e3-013b-43c0-a459-261d69b08862", - "snapshot": false, - "version": "8.0.0" - }, - "event": { - "action": "database_audit", - "agent_id_status": "verified", - "category": "database", - "dataset": "oracle.database_audit", - "ingested": "2022-02-24T08:25:06Z", - "kind": "event", - "outcome": "success", - "timezone": "-04:00", - "type": "access" - }, - "host": { - "architecture": "x86_64", - "containerized": true, - "hostname": "docker-fleet-agent", - "ip": [ - "192.168.240.7" - ], - "mac": [ - "02:42:c0:a8:f0:07" - ], - "name": "docker-fleet-agent", - "os": { - "codename": "focal", - "family": "debian", - "kernel": "5.10.60.1-microsoft-standard-WSL2", - "name": "Ubuntu", - "platform": "ubuntu", - "type": "linux", - "version": "20.04.3 LTS (Focal Fossa)" - } - }, - "input": { - "type": "filestream" - }, - "log": { - "file": { - "path": "/tmp/service_logs/ORCLCDB_ora_13765_20201007105751904399925443.aud.log" - }, - "flags": [ - "multiline" - ], - "offset": 882 - }, - "oracle": { - "database_audit": { - "action": "CONNECT", - "action_number": "100", - "client": { - "terminal": "pts/0" - }, - "length": 253, - "session_id": "4294967295", - "status": "0" - } - }, - "process": { - "pid": 13765 - }, - "related": { - "hosts": [ - "testlab.local" - ], - "user": [ - "/", - "oracle" - 
] - }, - "server": { - "address": "testlab.local", - "domain": "testlab.local", - "user": { - "name": "/" - } - }, - "tags": [ - "oracle-database_audit" - ], - "user": { - "roles": "SYSDBA" - } -} -``` - -### Tablespace Metrics - -Tablespace metrics describes the tablespace usage metrics of all types of tablespaces in the oracle database. - -**Exported fields** - -| Field | Description | Type | Unit | Metric Type | -|---|---|---|---|---| -| @timestamp | Event timestamp. | date | | | -| data_stream.dataset | Data stream dataset. | constant_keyword | | | -| data_stream.namespace | Data stream namespace. | constant_keyword | | | -| data_stream.type | Data stream type. | constant_keyword | | | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | | | -| event.dataset | Event module | constant_keyword | | | -| event.module | Event module | constant_keyword | | | -| host.ip | Host ip addresses. | ip | | | -| oracle.tablespace.data_file.id | Tablespace unique identifier. | long | | | -| oracle.tablespace.data_file.name | Filename of the data file | keyword | | | -| oracle.tablespace.data_file.online_status | Last known online status of the data file. One of SYSOFF, SYSTEM, OFFLINE, ONLINE or RECOVER. | keyword | | | -| oracle.tablespace.data_file.size.bytes | Size of the file in bytes | long | byte | gauge | -| oracle.tablespace.data_file.size.free.bytes | The size of the file available for user data. The actual size of the file minus this value is used to store file related metadata. 
| long | byte | gauge |
-| oracle.tablespace.data_file.size.max.bytes | Maximum file size in bytes | long | byte | gauge |
-| oracle.tablespace.data_file.status | File status: AVAILABLE or INVALID (INVALID means that the file number is not in use, for example, a file in a tablespace that was dropped) | keyword | | |
-| oracle.tablespace.name | Tablespace name | keyword | | |
-| oracle.tablespace.space.free.bytes | Tablespace total free space available, in bytes. | long | byte | gauge |
-| oracle.tablespace.space.total.bytes | Tablespace total size, in bytes. | long | byte | gauge |
-| oracle.tablespace.space.used.bytes | Tablespace used space, in bytes. | long | byte | gauge |
-| service.address | Address where data about this service was collected from. This should be a URI, network address (ipv4:port or [ipv6]:port) or a resource path (sockets). | keyword | | |
-| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. 
| keyword | | | - - -An example event for `tablespace` looks as following: - -```json -{ - "@timestamp": "2017-10-12T08:05:34.853Z", - "event": { - "dataset": "oracle.tablespace", - "duration": 115000, - "module": "sql" - }, - "metricset": { - "name": "query", - "period": 60000 - }, - "oracle": { - "tablespace": { - "data_file": { - "size": { - "max": { - "bytes": 34359721984 - }, - "bytes": 1310720000, - "free": { - "bytes": 1309671424 - } - }, - "online_status": "ONLINE", - "name": "/u02/app/oracle/oradata/ORCL/sysaux01.dbf", - "id": 3, - "status": "AVAILABLE" - }, - "name": "SYSAUX", - "space": { - "total": { - "bytes": 2355101696 - }, - "used": { - "bytes": 1310720000 - }, - "free": { - "bytes": 70713344 - } - } - } - }, - "service": { - "address": "oracle://localhost:1521/ORCLCDB.localdomain", - "type": "sql" - } -} -``` - -### Sysmetrics - -The system metrics value captured for the most current time interval for the long duration (60-seconds) are mentioned below - -**Exported fields** - -| Field | Description | Type | Unit | Metric Type | -|---|---|---|---|---| -| @timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. | date | | | -| data_stream.dataset | The field can contain anything that makes sense to signify the source of the data. Examples include `nginx.access`, `prometheus`, `endpoint` etc. For data streams that otherwise fit, but that do not have dataset set we use the value "generic" for the dataset value. `event.dataset` should have the same value as `data_stream.dataset`. 
Beyond the Elasticsearch data stream naming criteria noted above, the `dataset` value has additional restrictions: \* Must not contain `-` \* No longer than 100 characters | constant_keyword | | | -| data_stream.namespace | A user defined namespace. Namespaces are useful to allow grouping of data. Many users already organize their indices this way, and the data stream naming scheme now provides this best practice as a default. Many users will populate this field with `default`. If no value is used, it falls back to `default`. Beyond the Elasticsearch index naming criteria noted above, `namespace` value has the additional restrictions: \* Must not contain `-` \* No longer than 100 characters | constant_keyword | | | -| data_stream.type | An overarching type for the data stream. Currently allowed values are "logs" and "metrics". We expect to also add "traces" and "synthetics" in the near future. | constant_keyword | | | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | | | -| event.dataset | Event module | constant_keyword | | | -| event.module | Event module | constant_keyword | | | -| host.ip | Host ip addresses. | ip | | | -| oracle.sysmetric.active_parallel_sessions | Active parallel sessions | double | | gauge | -| oracle.sysmetric.active_serial_sessions | Active serial sessions. | double | | gauge | -| oracle.sysmetric.average_active_sessions | Average active sessions. | double | | gauge | -| oracle.sysmetric.average_synchronous_single-block_read_latency | Average synchronous single-block read latency. | double | | gauge | -| oracle.sysmetric.background_checkpoints_per_sec | Background checkpoints per second. 
| double | | gauge |
-| oracle.sysmetric.background_cpu_usage_per_sec | Background CPU usage per sec | double | | gauge |
-| oracle.sysmetric.background_time_per_sec | Background time per second. | double | | gauge |
-| oracle.sysmetric.branch_node_splits_per_sec | Branch node splits per second. | double | | gauge |
-| oracle.sysmetric.branch_node_splits_per_txn | Branch node splits per transaction. | double | | gauge |
-| oracle.sysmetric.buffer_cache_hit_ratio | Buffer cache hit ratio | double | | gauge |
-| oracle.sysmetric.captured_user_calls | Captured user calls. | double | | gauge |
-| oracle.sysmetric.cell_physical_io_interconnect_bytes | Cell physical io interconnect bytes. | double | | gauge |
-| oracle.sysmetric.consistent_read_changes_per_sec | Consistent read changes per second. | double | | gauge |
-| oracle.sysmetric.consistent_read_changes_per_txn | Consistent read changes per transaction. | double | | gauge |
-| oracle.sysmetric.consistent_read_gets_per_sec | Consistent read gets per second. | double | | gauge |
-| oracle.sysmetric.consistent_read_gets_per_txn | Consistent read gets per transaction. | double | | gauge |
-| oracle.sysmetric.cpu_usage_per_sec | CPU usage per second. | double | | gauge |
-| oracle.sysmetric.cpu_usage_per_txn | CPU usage per transaction. | double | | gauge |
-| oracle.sysmetric.cr_blocks_created_per_sec | Cr blocks created per second. | double | | gauge |
-| oracle.sysmetric.cr_blocks_created_per_txn | Cr blocks created per transaction. | double | | gauge |
-| oracle.sysmetric.cr_undo_records_applied_per_sec | Cr undo records applied per second. | double | | gauge |
-| oracle.sysmetric.cr_undo_records_applied_per_txn | Cr undo records applied per transaction. | double | | gauge |
-| oracle.sysmetric.current_logons_count | Current logons count. 
| double | | gauge |
-| oracle.sysmetric.current_open_cursors_count | Current open cursors count | double | | gauge |
-| oracle.sysmetric.current_os_load | Current os load | double | | gauge |
-| oracle.sysmetric.cursor_cache_hit_ratio | Cursor cache hit ratio. | double | | gauge |
-| oracle.sysmetric.database_cpu_time_ratio | Database CPU time ratio | double | | gauge |
-| oracle.sysmetric.database_time_per_sec | Database time per second. | double | | gauge |
-| oracle.sysmetric.database_wait_time_ratio | Database wait time ratio. | double | | gauge |
-| oracle.sysmetric.db_block_changes_per_sec | Db block changes per second. | double | | gauge |
-| oracle.sysmetric.db_block_changes_per_txn | Db block changes per transaction. | double | | gauge |
-| oracle.sysmetric.db_block_changes_per_user_call | Db block changes per user call. | double | | gauge |
-| oracle.sysmetric.db_block_gets_per_sec | Db block gets per sec | double | | gauge |
-| oracle.sysmetric.db_block_gets_per_txn | Db block gets per transaction | double | | gauge |
-| oracle.sysmetric.db_block_gets_per_user_call | Db block gets per user call. | double | | gauge |
-| oracle.sysmetric.dbwr_checkpoints_per_sec | Dbwr checkpoints per sec. | double | | gauge |
-| oracle.sysmetric.ddl_statements_parallelized_per_sec | Ddl statements parallelized per sec | double | | gauge |
-| oracle.sysmetric.disk_sort_per_sec | Disk sort per second. | double | | gauge |
-| oracle.sysmetric.disk_sort_per_txn | Disk sort per transaction. | double | | gauge |
-| oracle.sysmetric.dml_statements_parallelized_per_sec | Dml statements parallelized per sec | double | | gauge |
-| oracle.sysmetric.enqueue_deadlocks_per_sec | Enqueue deadlocks per sec | double | | gauge |
-| oracle.sysmetric.enqueue_deadlocks_per_txn | Enqueue deadlocks per transaction. | double | | gauge |
-| oracle.sysmetric.enqueue_requests_per_sec | Enqueue requests per second. 
| double | | gauge |
-| oracle.sysmetric.enqueue_requests_per_txn | Enqueue requests per transaction | double | | gauge |
-| oracle.sysmetric.enqueue_timeouts_per_sec | Enqueue timeouts per second. | double | | gauge |
-| oracle.sysmetric.enqueue_timeouts_per_txn | Enqueue timeouts per transaction. | double | | gauge |
-| oracle.sysmetric.enqueue_waits_per_sec | Enqueue waits per second. | double | | gauge |
-| oracle.sysmetric.enqueue_waits_per_txn | Enqueue waits per transaction. | double | | gauge |
-| oracle.sysmetric.execute_without_parse_ratio | Execute without parse ratio | double | | gauge |
-| oracle.sysmetric.executions_per_sec | Executions per second. | double | | gauge |
-| oracle.sysmetric.executions_per_txn | Executions per transaction. | double | | gauge |
-| oracle.sysmetric.executions_per_user_call | Executions per user call | double | | gauge |
-| oracle.sysmetric.full_index_scans_per_sec | Full index scans per second. | double | | gauge |
-| oracle.sysmetric.full_index_scans_per_txn | Full index scans per transaction. | double | | gauge |
-| oracle.sysmetric.gc_cr_block_received_per_second | Gc cr block received per second. | double | | gauge |
-| oracle.sysmetric.gc_cr_block_received_per_txn | Gc cr block received per transaction. | double | | gauge |
-| oracle.sysmetric.gc_current_block_received_per_second | Gc current block received per second. | double | | gauge |
-| oracle.sysmetric.gc_current_block_received_per_txn | Gc current block received per transaction | double | | gauge |
-| oracle.sysmetric.global_cache_average_cr_get_time | Global cache average cr get time. | double | | gauge |
-| oracle.sysmetric.global_cache_average_current_get_time | Global cache average current get time | double | | gauge |
-| oracle.sysmetric.global_cache_blocks_corrupted | Global cache blocks corrupted. | double | | gauge |
-| oracle.sysmetric.global_cache_blocks_lost | Global cache blocks lost. 
| double | | gauge |
-| oracle.sysmetric.hard_parse_count_per_sec | Hard parse count per sec | double | | gauge |
-| oracle.sysmetric.hard_parse_count_per_txn | Hard parse count per transaction. | double | | gauge |
-| oracle.sysmetric.host_cpu_usage_per_sec | Host CPU usage per sec. | double | | gauge |
-| oracle.sysmetric.host_cpu_utilization_pct | Host CPU utilization percentage. | double | percent | gauge |
-| oracle.sysmetric.io_megabytes_per_second | IO megabytes per second | double | | gauge |
-| oracle.sysmetric.io_requests_per_second | IO requests per second | double | | gauge |
-| oracle.sysmetric.leaf_node_splits_per_sec | Leaf node splits per second. | double | | gauge |
-| oracle.sysmetric.leaf_node_splits_per_txn | Leaf node splits per transaction. | double | | gauge |
-| oracle.sysmetric.library_cache_hit_ratio | Library cache hit ratio. | double | | gauge |
-| oracle.sysmetric.library_cache_miss_ratio | Library cache miss ratio. | double | | gauge |
-| oracle.sysmetric.logical_reads_per_sec | Logical reads per sec. | double | | gauge |
-| oracle.sysmetric.logical_reads_per_txn | Logical reads per transaction. | double | | gauge |
-| oracle.sysmetric.logical_reads_per_user_call | Logical reads per user call. | double | | gauge |
-| oracle.sysmetric.logons_per_sec | Logons per sec | double | | gauge |
-| oracle.sysmetric.logons_per_txn | Logons per transaction. | double | | gauge |
-| oracle.sysmetric.long_table_scans_per_sec | Long table scans per second. | double | | gauge |
-| oracle.sysmetric.long_table_scans_per_txn | Long table scans per transaction. | double | | gauge |
-| oracle.sysmetric.memory_sorts_ratio | Memory sorts ratio. | double | | gauge |
-| oracle.sysmetric.network_traffic_volume_per_sec | Network traffic volume per second. 
| double | | gauge |
-| oracle.sysmetric.open_cursors_per_sec | Open cursors per sec | double | | gauge |
-| oracle.sysmetric.open_cursors_per_txn | Open cursors per transaction | double | | gauge |
-| oracle.sysmetric.parse_failure_count_per_sec | Parse failure count per sec | double | | gauge |
-| oracle.sysmetric.parse_failure_count_per_txn | Parse failure count per transaction. | double | | gauge |
-| oracle.sysmetric.pga_cache_hit_pct | Pga cache hit percentage. | double | percent | gauge |
-| oracle.sysmetric.physical_read_bytes_per_sec | Physical read bytes per second. | double | | gauge |
-| oracle.sysmetric.physical_read_io_requests_per_sec | Physical read io requests per second. | double | | gauge |
-| oracle.sysmetric.physical_read_total_bytes_per_sec | Physical read total bytes per second. | double | | gauge |
-| oracle.sysmetric.physical_read_total_io_requests_per_sec | Physical read total io requests per sec | double | | gauge |
-| oracle.sysmetric.physical_reads_direct_lobs_per_sec | Physical reads direct lobs per second. | double | | gauge |
-| oracle.sysmetric.physical_reads_direct_lobs_per_txn | Physical reads direct lobs per transaction. | double | | gauge |
-| oracle.sysmetric.physical_reads_direct_per_sec | Physical reads direct per second. | double | | gauge |
-| oracle.sysmetric.physical_reads_direct_per_txn | Physical reads direct per transaction. | double | | gauge |
-| oracle.sysmetric.physical_reads_per_sec | Physical reads per second. | double | | gauge |
-| oracle.sysmetric.physical_reads_per_txn | Physical reads per transaction. | double | | gauge |
-| oracle.sysmetric.physical_write_bytes_per_sec | Physical write bytes per second. | double | | gauge |
-| oracle.sysmetric.physical_write_io_requests_per_sec | Physical write io requests per second. | double | | gauge |
-| oracle.sysmetric.physical_write_total_bytes_per_sec | Physical write total bytes per second. 
| double | | gauge |
-| oracle.sysmetric.physical_write_total_io_requests_per_sec | Physical write total io requests per second. | double | | gauge |
-| oracle.sysmetric.physical_writes_direct_lobs__per_txn | Physical writes direct lobs per transaction | double | | gauge |
-| oracle.sysmetric.physical_writes_direct_lobs_per_sec | Physical writes direct lobs per sec | double | | gauge |
-| oracle.sysmetric.physical_writes_direct_per_sec | Physical writes direct per second. | double | | gauge |
-| oracle.sysmetric.physical_writes_direct_per_txn | Physical writes direct per transaction. | double | | gauge |
-| oracle.sysmetric.physical_writes_per_sec | Physical writes per second. | double | | gauge |
-| oracle.sysmetric.physical_writes_per_txn | Physical writes per transaction. | double | | gauge |
-| oracle.sysmetric.pq_qc_session_count | Pq qc session count. | double | | gauge |
-| oracle.sysmetric.pq_slave_session_count | Pq slave session count. | double | | gauge |
-| oracle.sysmetric.process_limit_pct | Process limit percentage. | double | percent | gauge |
-| oracle.sysmetric.px_downgraded_1_to_25pct_per_sec | Px downgraded 1 to 25 percentage per second. | double | percent | gauge |
-| oracle.sysmetric.px_downgraded_25_to_50pct_per_sec | Px downgraded 25 to 50 percentage per sec | double | percent | gauge |
-| oracle.sysmetric.px_downgraded_50_to_75pct_per_sec | Px downgraded 50 to 75 percentage per second. | double | percent | gauge |
-| oracle.sysmetric.px_downgraded_75_to_99pct_per_sec | Px downgraded 75 to 99 percentage per second. | double | percent | gauge |
-| oracle.sysmetric.px_downgraded_to_serial_per_sec | Px downgraded to serial per sec. | double | | gauge |
-| oracle.sysmetric.px_operations_not_downgraded_per_sec | Px operations not downgraded per second. | double | | gauge |
-| oracle.sysmetric.queries_parallelized_per_sec | Queries parallelized per second. 
| double | | gauge |
-| oracle.sysmetric.recursive_calls_per_sec | Recursive calls per second. | double | | gauge |
-| oracle.sysmetric.recursive_calls_per_txn | Recursive calls per transaction. | double | | gauge |
-| oracle.sysmetric.redo_allocation_hit_ratio | Redo allocation hit ratio. | double | | gauge |
-| oracle.sysmetric.redo_generated_per_sec | Redo generated per second. | double | | gauge |
-| oracle.sysmetric.redo_generated_per_txn | Redo generated per transaction | double | | gauge |
-| oracle.sysmetric.redo_writes_per_sec | Redo writes per second. | double | | gauge |
-| oracle.sysmetric.redo_writes_per_txn | Redo writes per transaction. | double | | gauge |
-| oracle.sysmetric.replayed_user_calls | Replayed user calls | double | | gauge |
-| oracle.sysmetric.response_time_per_txn | Response time per transaction. | double | | gauge |
-| oracle.sysmetric.row_cache_hit_ratio | Row cache hit ratio. | double | | gauge |
-| oracle.sysmetric.row_cache_miss_ratio | Row cache miss ratio. | double | | gauge |
-| oracle.sysmetric.rows_per_sort | Rows per sort. | double | | gauge |
-| oracle.sysmetric.run_queue_per_sec | Run queue per second. | double | | gauge |
-| oracle.sysmetric.session_count | Session count. | double | | gauge |
-| oracle.sysmetric.session_limit_pct | "Session limit percentage." | double | percent | gauge |
-| oracle.sysmetric.shared_pool_free_pct | Shared pool free percentage. | double | percent | gauge |
-| oracle.sysmetric.soft_parse_ratio | Soft parse ratio. | double | | gauge |
-| oracle.sysmetric.sql_service_response_time | Sql service response time | double | | gauge |
-| oracle.sysmetric.streams_pool_usage_percentage | Streams pool usage percentage. | double | | gauge |
-| oracle.sysmetric.temp_space_used | Temp space used | double | | gauge |
-| oracle.sysmetric.total_index_scans_per_sec | Total index scans per second. | double | | gauge |
-| oracle.sysmetric.total_index_scans_per_txn | Total index scans per transaction. 
| double | | gauge |
-| oracle.sysmetric.total_parse_count_per_sec | Total parse count per sec | double | | gauge |
-| oracle.sysmetric.total_parse_count_per_txn | Total parse count per transaction. | double | | gauge |
-| oracle.sysmetric.total_pga_allocated | Total pga allocated. | double | | gauge |
-| oracle.sysmetric.total_pga_used_by_sql_workareas | Total pga used by sql workareas | double | | gauge |
-| oracle.sysmetric.total_sorts_per_user_call | Total sorts per user call. | double | | gauge |
-| oracle.sysmetric.total_table_scans_per_sec | Total table scans per second. | double | | gauge |
-| oracle.sysmetric.total_table_scans_per_txn | Total table scans per transaction. | double | | gauge |
-| oracle.sysmetric.total_table_scans_per_user_call | Total table scans per user call. | double | | gauge |
-| oracle.sysmetric.txns_per_logon | transactions per logon. | double | | gauge |
-| oracle.sysmetric.user_calls_per_sec | User calls per second. | double | | gauge |
-| oracle.sysmetric.user_calls_per_txn | User calls per transaction | double | | gauge |
-| oracle.sysmetric.user_calls_ratio | User calls ratio | double | | gauge |
-| oracle.sysmetric.user_commits_per_sec | User commits per sec | double | | gauge |
-| oracle.sysmetric.user_commits_percentage | User commits percentage. | double | | gauge |
-| oracle.sysmetric.user_limit_pct | User limit percentage. | double | percent | gauge |
-| oracle.sysmetric.user_rollback_undo_records_applied_per_txn | User rollback undo records applied per transaction. | double | | gauge |
-| oracle.sysmetric.user_rollback_undorec_applied_per_sec | User rollback undorec applied per second. | double | | gauge |
-| oracle.sysmetric.user_rollbacks_per_sec | User rollbacks per second. | double | | gauge |
-| oracle.sysmetric.user_rollbacks_percentage | User rollbacks percentage. | double | | gauge |
-| oracle.sysmetric.user_transaction_per_sec | User transaction per second. 
| double | | gauge | -| oracle.sysmetric.vm_in_bytes_per_sec | Vm in bytes per sec | double | | gauge | -| oracle.sysmetric.vm_out_bytes_per_sec | Vm out bytes per second. | double | | gauge | -| oracle.sysmetric.workload_capture_and_replay_status | Workload capture and replay status. | double | | gauge | -| service.address | Address where data about this service was collected from. This should be a URI, network address (ipv4:port or [ipv6]:port) or a resource path (sockets). | keyword | | | -| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword | | | - - -An example event for `sysmetric` looks as following: - -```json -{ - "@timestamp": "2022-05-27T02:18:55.112Z", - "event": { - "dataset": "oracle.sysmetric", - "module": "sql", - "duration": 408974115 - }, - "metricset": { - "name": "query", - "period": 60000 - }, - "oracle": { - "sysmetric": { - "row_cache_hit_ratio": 100, - "current_open_cursors_count": 28, - "total_pga_allocated": 194334720, - "px_downgraded_75_to_99pct_per_sec": 0, - "enqueue_deadlocks_per_txn": 0, - "db_block_gets_per_sec": 1.83501683501684, - "cr_blocks_created_per_txn": 0, - "logical_reads_per_user_call": 5.44347826086956, - "response_time_per_txn": 20.0772, - "recursive_calls_per_sec": 21.9191919191919, - "db_block_gets_per_txn": 54.5, - "long_table_scans_per_txn": 0, - "total_parse_count_per_txn": 54, - "db_block_changes_per_user_call": 0.947826086956522, - "px_downgraded_to_serial_per_sec": 0, - "cell_physical_io_interconnect_bytes": 4483072, - "physical_writes_direct_per_sec": 0, - "current_os_load": 1.6591796875, - "user_rollback_undo_records_applied_per_txn": 0, - "db_block_changes_per_txn": 54.5, - "disk_sort_per_sec": 0, - "cr_undo_records_applied_per_txn": 0, - "process_limit_pct": 27.3333333333333, - "cpu_usage_per_sec": 
0.77420202020202,
- "active_parallel_sessions": 0,
- "long_table_scans_per_sec": 0,
- "database_time_per_sec": 0.676,
- "physical_read_total_io_requests_per_sec": 3.75420875420875,
- "cr_undo_records_applied_per_sec": 0,
- "gc_cr_block_received_per_txn": 0,
- "active_serial_sessions": 1,
- "pq_slave_session_count": 0,
- "physical_writes_direct_per_txn": 0,
- "session_count": 66,
- "dbwr_checkpoints_per_sec": 0,
- "db_block_changes_per_sec": 1.83501683501684,
- "cpu_usage_per_txn": 22.9938,
- "vm_out_bytes_per_sec": 0,
- "parse_failure_count_per_sec": 0,
- "gc_cr_block_received_per_second": 0,
- "rows_per_sort": 2.27027027027027,
- "physical_read_bytes_per_sec": 0,
- "physical_writes_direct_lobs_per_sec": 0,
- "consistent_read_changes_per_txn": 2,
- "global_cache_blocks_lost": 0,
- "average_synchronous_single-block_read_latency": 0.0280373831775701,
- "physical_read_io_requests_per_sec": 0,
- "background_checkpoints_per_sec": 0,
- "enqueue_requests_per_txn": 6353.5,
- "global_cache_blocks_corrupted": 0,
- "user_transaction_per_sec": 0.0336700336700337,
- "logical_reads_per_sec": 10.5387205387205,
- "background_time_per_sec": 0.0137291582491582,
- "total_pga_used_by_sql_workareas": 0,
- "branch_node_splits_per_sec": 0,
- "px_downgraded_50_to_75pct_per_sec": 0,
- "user_rollback_undorec_applied_per_sec": 0,
- "consistent_read_gets_per_sec": 8.7037037037037,
- "consistent_read_changes_per_sec": 0.0673400673400673,
- "leaf_node_splits_per_txn": 0,
- "total_sorts_per_user_call": 0.321739130434783,
- "enqueue_requests_per_sec": 213.922558922559,
- "gc_current_block_received_per_txn": 0,
- "physical_reads_direct_per_sec": 0,
- "px_downgraded_1_to_25pct_per_sec": 0,
- "redo_allocation_hit_ratio": 100,
- "enqueue_deadlocks_per_sec": 0,
- "shared_pool_free_pct": 11.3199416627275,
- "row_cache_miss_ratio": 0,
- "database_cpu_time_ratio": 114.526926065388,
- "physical_write_io_requests_per_sec": 0.336700336700337,
- "redo_generated_per_txn": 11194,
- "enqueue_timeouts_per_sec": 0,
- "logical_reads_per_txn": 313,
- "average_active_sessions": 0.00676,
- "leaf_node_splits_per_sec": 0,
- "cursor_cache_hit_ratio": 153.703703703704,
- "physical_reads_direct_per_txn": 0,
- "branch_node_splits_per_txn": 0,
- "executions_per_user_call": 2.22608695652174,
- "px_operations_not_downgraded_per_sec": 0.0673400673400673,
- "workload_capture_and_replay_status": 0,
- "user_calls_per_sec": 1.93602693602694,
- "physical_read_total_bytes_per_sec": 57121.6161616162,
- "run_queue_per_sec": 0,
- "open_cursors_per_txn": 126,
- "physical_writes_per_txn": 10,
- "global_cache_average_cr_get_time": 0,
- "global_cache_average_current_get_time": 0,
- "gc_current_block_received_per_second": 0,
- "px_downgraded_25_to_50pct_per_sec": 0,
- "user_limit_pct": 0.00000109430402542797,
- "user_calls_ratio": 8.11573747353564,
- "current_logons_count": 47,
- "library_cache_miss_ratio": 0,
- "physical_writes_direct_lobs__per_txn": 0,
- "queries_parallelized_per_sec": 0,
- "total_table_scans_per_sec": 0.303030303030303,
- "physical_write_total_bytes_per_sec": 18350.9764309764,
- "io_megabytes_per_second": 0.0841750841750842,
- "execute_without_parse_ratio": 57.8125,
- "hard_parse_count_per_sec": 0,
- "user_commits_percentage": 100,
- "redo_generated_per_sec": 376.902356902357,
- "enqueue_timeouts_per_txn": 0,
- "captured_user_calls": 0,
- "physical_reads_direct_lobs_per_txn": 0,
- "session_limit_pct": 13.9830508474576,
- "pq_qc_session_count": 0,
- "host_cpu_usage_per_sec": 92.3905723905724,
- "physical_reads_direct_lobs_per_sec": 0,
- "parse_failure_count_per_txn": 0,
- "open_cursors_per_sec": 4.24242424242424,
- "user_rollbacks_per_sec": 0,
- "full_index_scans_per_sec": 0,
- "physical_writes_per_sec": 0.336700336700337,
- "physical_write_bytes_per_sec": 2758.24915824916,
- "memory_sorts_ratio": 100,
- "streams_pool_usage_percentage": 0,
- "user_rollbacks_percentage": 0,
- "consistent_read_gets_per_txn": 258.5,
- "user_commits_per_sec": 0.0336700336700337,
- "background_cpu_usage_per_sec": 0.626880471380471,
- "database_wait_time_ratio": 0,
- "user_calls_per_txn": 57.5,
- "hard_parse_count_per_txn": 0,
- "total_table_scans_per_txn": 9,
- "ddl_statements_parallelized_per_sec": 0,
- "temp_space_used": 0,
- "enqueue_waits_per_txn": 2,
- "io_requests_per_second": 5.23569023569024,
- "library_cache_hit_ratio": 100,
- "logons_per_sec": 0.420875420875421,
- "full_index_scans_per_txn": 0,
- "txns_per_logon": 0.08,
- "pga_cache_hit_pct": 100,
- "physical_reads_per_txn": 0,
- "host_cpu_utilization_pct": 11.6182572614108,
- "sql_service_response_time": 0.0283376146788991,
- "db_block_gets_per_user_call": 0.947826086956522,
- "physical_reads_per_sec": 0,
- "soft_parse_ratio": 100,
- "total_index_scans_per_sec": 3.06397306397306,
- "executions_per_txn": 128,
- "disk_sort_per_txn": 0,
- "logons_per_txn": 12.5,
- "enqueue_waits_per_sec": 0.0673400673400673,
- "physical_write_total_io_requests_per_sec": 1.48148148148148,
- "replayed_user_calls": 0,
- "dml_statements_parallelized_per_sec": 0,
- "cr_blocks_created_per_sec": 0,
- "total_table_scans_per_user_call": 0.156521739130435,
- "buffer_cache_hit_ratio": 100,
- "vm_in_bytes_per_sec": 0,
- "redo_writes_per_txn": 5.5,
- "network_traffic_volume_per_sec": 522.289562289562,
- "executions_per_sec": 4.30976430976431,
- "total_index_scans_per_txn": 91,
- "redo_writes_per_sec": 0.185185185185185,
- "recursive_calls_per_txn": 651,
- "total_parse_count_per_sec": 1.81818181818182
- }
- },
- "service": {
- "address": "oracle://localhost:1521/ORCLCDB.localdomain",
- "type": "sql"
- }
-}
-```
-
-### Memory Metrics
-
-A Program Global Area (PGA) is a memory region that contains data and control information for a server process. It is nonshared memory created by Oracle Database when a server process is started. Access to the PGA is exclusive to the server process. Metrics concerning Program Global Area (PGA) memory are mentioned below.
- -**Exported fields** - -| Field | Description | Type | Unit | Metric Type | -|---|---|---|---|---| -| @timestamp | Event timestamp. | date | | | -| data_stream.dataset | Data stream dataset. | constant_keyword | | | -| data_stream.namespace | Data stream namespace. | constant_keyword | | | -| data_stream.type | Data stream type. | constant_keyword | | | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | | | -| event.dataset | Event module | constant_keyword | | | -| event.module | Event module | constant_keyword | | | -| host.ip | Host ip addresses. | ip | | | -| oracle.memory.pga.aggregate_auto_target | Amount of PGA memory the Oracle Database can use for work areas running in automatic mode. | double | byte | gauge | -| oracle.memory.pga.aggregate_target_parameter | Current value of the PGA_AGGREGATE_TARGET initialization parameter. If this parameter is not set, then its value is 0 and automatic management of PGA memory is disabled. | double | byte | gauge | -| oracle.memory.pga.cache_hit_pct | A metric computed by the Oracle Database to reflect the performance of the PGA memory component, cumulative since instance startup. | double | percent | gauge | -| oracle.memory.pga.global_memory_bound | Maximum size of a work area executed in automatic mode. | double | byte | gauge | -| oracle.memory.pga.maximum_allocated | Maximum number of bytes of PGA memory allocated at one time since instance startup. | double | byte | gauge | -| oracle.memory.pga.total_allocated | Current amount of PGA memory allocated by the instance. | double | byte | gauge | -| oracle.memory.pga.total_freeable_memory | Number of bytes of PGA memory in all processes that could be freed back to the operating system. 
| double | byte | gauge | -| oracle.memory.pga.total_inuse | Indicates how much PGA memory is currently consumed by work areas. This number can be used to determine how much memory is consumed by other consumers of the PGA memory (for example, PL/SQL or Java). | double | byte | gauge | -| oracle.memory.pga.total_used_for_auto_workareas | Indicates how much PGA memory is currently consumed by work areas running under the automatic memory management mode. This number can be used to determine how much memory is consumed by other consumers of the PGA memory (for example, PL/SQL or Java). | double | byte | gauge | -| oracle.memory.sga.free_memory | Amount of free memory in the Shared pool. | double | byte | gauge | -| oracle.memory.sga.total_memory | Amount of total memory in the Shared pool. | double | byte | gauge | -| service.address | Address where data about this service was collected from. This should be a URI, network address (ipv4:port or [ipv6]:port) or a resource path (sockets). | keyword | | | -| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. 
| keyword | | | - - -An example event for `memory` looks as following: - -```json -{ - "@timestamp": "2022-08-07T04:32:07.853Z", - "oracle": { - "memory": { - "pga": { - "total_inuse": 171153408, - "aggregate_auto_target": 579262464, - "total_allocated": 212888576, - "maximum_allocated": 694778880, - "total_freeable_memory": 14876672, - "global_memory_bound": 104857600, - "aggregate_target_parameter": 805306368, - "total_used_for_auto_workareas": 738304, - "cache_hit_pct": 100 - } - } - }, - "service": { - "address": "0.0.0.0:1521", - "type": "sql" - }, - "data_stream": { - "namespace": "default", - "type": "metrics", - "dataset": "oracle.memory" - }, - "metricset": { - "period": 60000, - "name": "query" - }, - "event": { - "duration": 53225246, - "agent_id_status": "verified", - "ingested": "2022-08-07T04:32:07Z", - "module": "sql", - "dataset": "oracle.memory" - } -} -``` - -### System Statistics Metrics - -The System Global Area (SGA) is a group of shared memory structures that contain data and control information for one Oracle Database instance. Metrics concerning System Global Area (SGA) memory are mentioned below. - -**Exported fields** - -| Field | Description | Type | Unit | Metric Type | -|---|---|---|---|---| -| @timestamp | Event timestamp. | date | | | -| data_stream.dataset | Data stream dataset. | constant_keyword | | | -| data_stream.namespace | Data stream namespace. | constant_keyword | | | -| data_stream.type | Data stream type. | constant_keyword | | | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | | | -| event.dataset | Event module | constant_keyword | | | -| event.module | Event module | constant_keyword | | | -| host.ip | Host ip addresses. 
| ip | | | -| oracle.system_statistics.bytes_received_via_sqlnet_from_client | Total number of bytes received from the client over Oracle Net Services. | double | byte | counter | -| oracle.system_statistics.bytes_received_via_sqlnet_from_dblink | Total number of bytes received from a database link over Oracle Net Services | double | byte | counter | -| oracle.system_statistics.bytes_sent_via_sqlnet_to_client | Total number of bytes sent to the client from the foreground processes. | double | byte | counter | -| oracle.system_statistics.bytes_sent_via_sqlnet_to_dblink | Total number of bytes sent over a database link. | double | byte | counter | -| oracle.system_statistics.cpu_used_by_this_session | Amount of CPU time (in 10s of milliseconds) used by a session from the time a user call starts until it ends. | double | ms | counter | -| oracle.system_statistics.db_block_changes | This statistic counts the total number of changes that were part of an update or delete operation that were made to all blocks in the SGA. | double | | counter | -| oracle.system_statistics.db_block_gets_from_cache | The number of times a CURRENT block was requested from the buffer cache. | double | | counter | -| oracle.system_statistics.db_time | The sum of CPU consumption of all the Oracle process and the sum of non-idle wait time. | double | | counter | -| oracle.system_statistics.dbwr_checkpoint_buffers_written | The number of buffers that were written for checkpoints. | double | | counter | -| oracle.system_statistics.dbwr_checkpoints | The number of times the DBWR was asked to scan the cache and write all blocks marked for a checkpoint or the end of recovery. | double | | counter | -| oracle.system_statistics.dml_statements_parallelized | The number of DML statements that were executed in parallel. | double | | counter | -| oracle.system_statistics.enqueue_conversions | Total number of conversions of the state of table or row lock. 
| double | | counter | -| oracle.system_statistics.enqueue_deadlocks | Total number of deadlocks between table or row locks in different sessions. | double | | counter | -| oracle.system_statistics.enqueue_releases | Total number of table or row locks released. | double | | counter | -| oracle.system_statistics.enqueue_requests | Total number of table or row locks acquired | double | | counter | -| oracle.system_statistics.enqueue_timeouts | Total number of table and row locks (acquired and converted) that timed out before they could complete. | double | | counter | -| oracle.system_statistics.enqueue_waits | Total number of waits that occurred during an enqueue convert or get because the enqueue get was deferred. | double | | counter | -| oracle.system_statistics.exchange_deadlocks | Number of times that a process detected a potential deadlock when exchanging two buffers and raised an internal, restartable error. Index scans are the only operations that perform exchanges. | double | | counter | -| oracle.system_statistics.execute_count | Total number of calls (user and recursive) that executed SQL statements. | double | | counter | -| oracle.system_statistics.gc_current_block_receive_time | The total time required for consistent read requests to complete. It records the round-trip time for all requests for consistent read blocks. | double | | counter | -| oracle.system_statistics.index_fast_full_scans_direct_read | The number of fast full scans initiated using direct read. | double | | counter | -| oracle.system_statistics.index_fast_full_scans_full | The number of fast full scans initiated using direct read. | double | | counter | -| oracle.system_statistics.index_fast_full_scans_rowid_ranges | The number of fast full scans initiated with rowid endpoints specified. | double | | counter | -| oracle.system_statistics.java_call_heap_live_size | The Java call heap live size. 
| double | | counter | -| oracle.system_statistics.java_call_heap_total_size | The total Java call heap size. | double | byte | counter | -| oracle.system_statistics.java_call_heap_used_size | The Java call heap used size. | double | | counter | -| oracle.system_statistics.lob_reads | The number of LOB API read operations performed in the session/system. | double | | counter | -| oracle.system_statistics.lob_writes | The number of LOB API write operations performed in the session/system. | double | | counter | -| oracle.system_statistics.logons_current | Total number of current logons. | double | | counter | -| oracle.system_statistics.opened_cursors_current | Total number of current open cursors. | double | | counter | -| oracle.system_statistics.os_system_time_used | The total CPU time used for system calls. | double | | counter | -| oracle.system_statistics.os_user_time_used | The total CPU time used for user calls. | double | | counter | -| oracle.system_statistics.parallel_operations_not_downgraded | Number of times parallel execution was executed at the requested degree of parallelism | double | | counter | -| oracle.system_statistics.parse_count_hard | Total number of parse calls (real parses). | double | | counter | -| oracle.system_statistics.parse_count_total | Total number of parse calls (hard, soft, and describe). | double | | counter | -| oracle.system_statistics.parse_time_cpu | Total CPU time used for parsing (hard and soft) in 10s of milliseconds | double | ms | counter | -| oracle.system_statistics.parse_time_elapsed | Total elapsed time for parsing, in 10s of milliseconds. | double | ms | counter | -| oracle.system_statistics.physical_read_bytes | Total size in bytes of all disk reads by application activity (and not other instance activity) only. 
| double | byte | counter | -| oracle.system_statistics.physical_read_io_requests | Number of read requests for application activity (mainly buffer cache and direct load operation) which read one or more database blocks per request. | double | | counter | -| oracle.system_statistics.physical_read_total_bytes | Total size in bytes of disk reads by all database instance activity including application reads, backup and recovery, and other utilities. | double | byte | counter | -| oracle.system_statistics.physical_read_total_io_requests | The number of read requests which read one or more database blocks for all instance activity including application, backup and recovery, and other utilities. | double | | counter | -| oracle.system_statistics.physical_reads | Total number of data blocks read from disk. | double | | counter | -| oracle.system_statistics.physical_write_bytes | Total size in bytes of all disk writes from the database application activity (and not other kinds of instance activity). | double | byte | counter | -| oracle.system_statistics.physical_write_io_requests | Number of write requests for application activity (mainly buffer cache and direct load operation) which wrote one or more database blocks per request. | double | | counter | -| oracle.system_statistics.physical_write_total_bytes | Total size in bytes of all disk writes for the database instance including application activity, backup and recovery, and other utilities. | double | byte | counter | -| oracle.system_statistics.physical_write_total_io_requests | The number of write requests which wrote one or more database blocks from all instance activity including application activity, backup and recovery, and other utilities. | double | | counter | -| oracle.system_statistics.physical_writes | Total number of data blocks written to disk. This statistics value equals the sum of physical writes direct and physical writes from cache values. 
| double | | counter | -| oracle.system_statistics.physical_writes_direct | Number of writes directly to disk, bypassing the buffer cache (as in a direct load operation). | double | | counter | -| oracle.system_statistics.physical_writes_from_cache | Total number of data blocks written to disk from the buffer cache. This is a subset of "physical writes" statistic. | double | | counter | -| oracle.system_statistics.process_last_non_idle_time | The last time this process executed. | double | | counter | -| oracle.system_statistics.queries_parallelized | Number of SELECT statements executed in parallel. | double | | counter | -| oracle.system_statistics.recovery_blocks_read | The number of blocks read during recovery. | double | | counter | -| oracle.system_statistics.recursive_calls | The number of recursive calls generated at both the user and system level. | double | | counter | -| oracle.system_statistics.recursive_cpu_usage | Total CPU time used by non-user calls (recursive calls). | double | | counter | -| oracle.system_statistics.redo_blocks_written | Total number of redo blocks written. | double | | counter | -| oracle.system_statistics.redo_buffer_allocation_retries | Total number of retries necessary to allocate space in the redo buffer. | double | | counter | -| oracle.system_statistics.redo_log_space_requests | The number of times the active log file is full and Oracle must wait for disk space to be allocated for the redo log entries. | double | | counter | -| oracle.system_statistics.redo_log_space_wait_time | Total time waited in centiseconds for available space in the redo log buffer. | double | | counter | -| oracle.system_statistics.redo_size | Total amount of redo generated in bytes. | double | byte | counter | -| oracle.system_statistics.redo_synch_time | Elapsed time of all redo synch writes calls in 10s of milliseconds. 
| double | ms | counter | -| oracle.system_statistics.redo_write_time | Total elapsed time of the write from the redo log buffer to the current redo log file in microseconds. | double | micros | counter | -| oracle.system_statistics.redo_writes | Total number of writes by LGWR to the redo log files. | double | | counter | -| oracle.system_statistics.session_cursor_cache_count | Total number of cursors cached. | double | | counter | -| oracle.system_statistics.session_cursor_cache_hits | Total number of cursors cached. | double | | counter | -| oracle.system_statistics.session_logical_reads | The sum of db block gets plus consistent gets. This includes logical reads of database blocks from either the buffer cache or process private memory. | double | | counter | -| oracle.system_statistics.session_stored_procedure_space | Amount of memory this session is using for stored procedures. | double | | counter | -| oracle.system_statistics.smon_posted_for_instance_recovery | The total count or number of times SMON posted for instance recovery. | double | | counter | -| oracle.system_statistics.smon_posted_for_txn_recovery_for_other_instances | The total count or number of times SMON posted for instance recovery | double | | counter | -| oracle.system_statistics.sorts_disk | The number of sort operations that required at least one disk write. | double | | counter | -| oracle.system_statistics.sorts_memory | The number of sort operations that were performed completely in memory and did not require any disk writes. | double | | counter | -| oracle.system_statistics.sorts_rows | Total number of rows sorted. | double | | counter | -| oracle.system_statistics.table_scan_rows_gotten | Number of rows that are processed during scanning operations. | double | | counter | -| oracle.system_statistics.table_scans_direct_read | The number of table scans performed with direct read (bypassing the buffer cache). 
| double | | counter | -| oracle.system_statistics.table_scans_long_tables | Long (or conversely short) tables can be defined as tables that do not meet the short table criteria. | double | | counter | -| oracle.system_statistics.table_scans_rowid_ranges | During parallel query, the number of table scans conducted with specified ROWID ranges. | double | | counter | -| oracle.system_statistics.transaction_rollbacks | Number of transactions being successfully rolled back. | double | | counter | -| oracle.system_statistics.user_calls | Number of user calls such as login, parse, fetch, or execute. | double | | counter | -| oracle.system_statistics.user_commits | Number of user commits. When a user commits a transaction, the redo generated that reflects the changes made to database blocks must be written to disk. | double | | counter | -| oracle.system_statistics.user_rollbacks | Number of times users manually issue the ROLLBACK statement or an error occurs during a user's transactions. | double | | counter | -| service.address | Address where data about this service was collected from. This should be a URI, network address (ipv4:port or [ipv6]:port) or a resource path (sockets). | keyword | | | -| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. 
| keyword | | | - - -An example event for `system_statistics` looks as following: - -```json -{ - "oracle": { - "system_statistics": { - "parallel_operations_not_downgraded": 74269, - "physical_writes_direct": 49593, - "os_user_time_used": 0, - "physical_writes_from_cache": 1640956, - "user_calls": 1728270, - "table_scan_rows_gotten": 6496308028, - "smon_posted_for_txn_recovery_for_other_instances": 0, - "enqueue_deadlocks": 0, - "gc_current_block_receive_time": 0, - "queries_parallelized": 0, - "enqueue_releases": 204823089, - "user_rollbacks": 566, - "session_cursor_cache_count": 1392126, - "redo_blocks_written": 12594127, - "redo_buffer_allocation_retries": 20026, - "enqueue_conversions": 5808876, - "transaction_rollbacks": 4797, - "physical_reads": 15267747, - "table_scans_direct_read": 131, - "lob_writes": 1555222, - "java_call_heap_live_size": 0, - "lob_reads": 250087, - "bytes_received_via_sqlnet_from_client": 99978239, - "table_scans_long_tables": 823, - "java_call_heap_used_size": 0, - "physical_writes": 1690549, - "sorts_rows": 289153904, - "parse_time_elapsed": 119320, - "exchange_deadlocks": 1, - "db_block_changes": 35370231, - "enqueue_waits": 93701, - "redo_size": 6102600928, - "table_scans_rowid_ranges": 0, - "enqueue_requests": 204831722, - "user_commits": 178585, - "cpu_used_by_this_session": 2532130, - "execute_count": 29214384, - "process_last_non_idle_time": 1659881160, - "os_system_time_used": 0, - "recursive_cpu_usage": 1957103, - "redo_write_time": 123863, - "redo_synch_time": 7173, - "bytes_sent_via_sqlnet_to_dblink": 0, - "parse_time_cpu": 75577, - "physical_write_total_bytes": 36649355517, - "enqueue_timeouts": 8601, - "physical_write_io_requests": 959618, - "java_call_heap_total_size": 0, - "dbwr_checkpoints": 7081, - "recursive_calls": 81604284, - "index_fast_full_scans_full": 39008, - "logons_current": 51, - "session_cursor_cache_hits": 47613134, - "smon_posted_for_instance_recovery": 0, - "redo_log_space_requests": 57742, - 
"physical_write_total_io_requests": 2504705, - "parse_count_total": 6028908, - "sorts_memory": 2134811, - "physical_read_bytes": 125073383424, - "sorts_disk": 0, - "session_logical_reads": 440906935, - "dbwr_checkpoint_buffers_written": 1186157, - "dml_statements_parallelized": 0, - "redo_writes": 524251, - "recovery_blocks_read": 0, - "index_fast_full_scans_direct_read": 0, - "physical_read_total_io_requests": 7036559, - "db_block_gets_from_cache": 36495181, - "opened_cursors_current": 31, - "db_time": 41363170, - "bytes_received_via_sqlnet_from_dblink": 0, - "parse_count_hard": 184548, - "index_fast_full_scans_rowid_ranges": 0, - "bytes_sent_via_sqlnet_to_client": 227960514, - "session_stored_procedure_space": 0, - "physical_write_bytes": 13848977408, - "redo_log_space_wait_time": 382148, - "physical_read_io_requests": 3834637, - "physical_read_total_bytes": 183706260480 - } - }, - "@timestamp": "2022-08-07T14:06:01.373Z", - "data_stream": { - "namespace": "default", - "type": "metrics", - "dataset": "oracle.system_statistics" - }, - "service": { - "address": "0.0.0.0:1521", - "type": "sql" - }, - "metricset": { - "period": 60000, - "name": "query" - }, - "event": { - "duration": 61168658, - "agent_id_status": "verified", - "ingested": "2022-08-07T14:06:02Z", - "module": "sql", - "dataset": "oracle.system_statistics" - } -} -``` - -### Performance Metrics - -Performance metrics give an overview of where time is spent in the system and enable comparisons of wait times across the system. - -**Exported fields** - -| Field | Description | Type | Unit | Metric Type | -|---|---|---|---|---| -| @timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. 
| date | | | -| data_stream.dataset | The field can contain anything that makes sense to signify the source of the data. Examples include `nginx.access`, `prometheus`, `endpoint` etc. For data streams that otherwise fit, but that do not have dataset set we use the value "generic" for the dataset value. `event.dataset` should have the same value as `data_stream.dataset`. Beyond the Elasticsearch data stream naming criteria noted above, the `dataset` value has additional restrictions: \* Must not contain `-` \* No longer than 100 characters | constant_keyword | | | -| data_stream.namespace | A user defined namespace. Namespaces are useful to allow grouping of data. Many users already organize their indices this way, and the data stream naming scheme now provides this best practice as a default. Many users will populate this field with `default`. If no value is used, it falls back to `default`. Beyond the Elasticsearch index naming criteria noted above, `namespace` value has the additional restrictions: \* Must not contain `-` \* No longer than 100 characters | constant_keyword | | | -| data_stream.type | An overarching type for the data stream. Currently allowed values are "logs" and "metrics". We expect to also add "traces" and "synthetics" in the near future. | constant_keyword | | | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | | | -| event.dataset | Event module | constant_keyword | | | -| event.module | Event module | constant_keyword | | | -| host.ip | Host ip addresses. | ip | | | -| oracle.performance.buffer_pool | Name of the buffer pool in the instance. | keyword | | | -| oracle.performance.cache.buffer.hit.pct | The cache hit ratio of the specified buffer pool. 
| double | percent | gauge | -| oracle.performance.cache.get.consistent | Consistent gets statistic. | long | | gauge | -| oracle.performance.cache.get.db_blocks | Database blocks gotten. | long | | gauge | -| oracle.performance.cache.physical_reads | Physical reads. This metric represents the number of data blocks read from disk per second during a time period. | long | | gauge | -| oracle.performance.cursors.avg | Average cursors opened by username and machine. | double | | gauge | -| oracle.performance.cursors.cache_hit.pct | Ratio of session cursor cache hits from total number of cursors. | double | percent | gauge | -| oracle.performance.cursors.max | Max cursors opened by username and machine. | double | | gauge | -| oracle.performance.cursors.opened.current | Total number of current open cursors. | long | | gauge | -| oracle.performance.cursors.opened.total | Total number of cursors opened since the instance started. | long | | counter | -| oracle.performance.cursors.parse.real | "Real number of parses that occurred: session cursor cache hits - parse count (total)." | double | | gauge | -| oracle.performance.cursors.parse.total | Total number of parse calls (hard and soft). A soft parse is a check on an object already in the shared pool, to verify that the permissions on the underlying object have not changed. | long | | gauge | -| oracle.performance.cursors.session.cache_hits | Number of hits in the session cursor cache. A hit means that the SQL statement did not have to be reparsed. | double | | gauge | -| oracle.performance.cursors.total | Total opened cursors by username and machine. | double | | gauge | -| oracle.performance.failed_db_jobs | This metric checks for failed DBMS jobs. | double | | gauge | -| oracle.performance.io_reloads | Reloads by Pins ratio. A Reload is any PIN of an object that is not the first PIN performed since the object handle was created, and which requires loading the object from disk. 
Pins are the number of times a PIN was requested for objects of this namespace. | double | | gauge | -| oracle.performance.lock_requests | Average of the ratio between 'gethits' and 'gets', where 'gethits' the number of times an object's handle was found in memory and 'gets' is the number of times a lock was requested for objects of this namespace. | double | | gauge | -| oracle.performance.machine | Operating system machine name. | keyword | | | -| oracle.performance.pin_requests | Average of all pinhits/pins ratios, where 'PinHits' is the number of times all of the metadata pieces of the library object were found in memory and 'pins' is the number of times a PIN was requested for objects of this namespace. | double | | gauge | -| oracle.performance.session_count.active | Total count of sessions. | double | | gauge | -| oracle.performance.session_count.inactive | Total count of Inactive sessions. | double | | gauge | -| oracle.performance.session_count.inactive_morethan_onehr | Total inactive sessions more than one hour. | double | | gauge | -| oracle.performance.username | Oracle username | keyword | | | -| oracle.performance.wait.pct_time | Percentage of time waits that are not Idle wait class. | double | percent | gauge | -| oracle.performance.wait.pct_waits | Percentage of number of pct time waits that are not of Idle wait class. | double | percent | gauge | -| oracle.performance.wait.time_waited_secs | Amount of time spent in the wait class by the session. | double | s | gauge | -| oracle.performance.wait.total_waits | Number of times waits of the class occurred for the session. | double | | counter | -| oracle.performance.wait.wait_class | Every wait event belongs to a class of wait event. Wait classes can be one of the following - Administrative, Application, Cluster, Commit, Concurrency, Configuration, Idle, Network, Other, Scheduler, System IO, User IO | keyword | | | -| service.address | Address where data about this service was collected from. 
This should be a URI, network address (ipv4:port or [ipv6]:port) or a resource path (sockets). | keyword | | | -| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword | | | - - -An example event for `performance` looks as following: - -```json -{ - "@timestamp": "2017-10-12T08:05:34.853Z", - "event": { - "dataset": "oracle.performance", - "duration": 115000, - "module": "sql" - }, - "metricset": { - "name": "query", - "period": 60000 - }, - "oracle": { - "performance": { - "cursors": { - "opened": { - "current": 7, - "total": 6225 - }, - "parse": { - "real": 1336, - "total": 3684 - }, - "session": { - "cache_hits": 5020 - }, - "cache_hit": { - "pct": 0.8064257028112449 - } - }, - "io_reloads": 0.0013963503027202182, - "lock_requests": 0.5725039956419224, - "pin_requests": 0.7780581056654354 - } - }, - "service": { - "address": "oracle://localhost:1521/ORCLCDB.localdomain", - "type": "sql" - } -} -``` diff --git a/packages/oracle/1.4.1/img/Oracle-memory-dashboard.png b/packages/oracle/1.4.1/img/Oracle-memory-dashboard.png deleted file mode 100755 index 70dca52361..0000000000 Binary files a/packages/oracle/1.4.1/img/Oracle-memory-dashboard.png and /dev/null differ diff --git a/packages/oracle/1.4.1/img/Oracle-overview-dashboard.png b/packages/oracle/1.4.1/img/Oracle-overview-dashboard.png deleted file mode 100755 index 86d1d08237..0000000000 Binary files a/packages/oracle/1.4.1/img/Oracle-overview-dashboard.png and /dev/null differ diff --git a/packages/oracle/1.4.1/img/Oracle-performance-dashboard.png b/packages/oracle/1.4.1/img/Oracle-performance-dashboard.png deleted file mode 100755 index e70c93cd1e..0000000000 Binary files a/packages/oracle/1.4.1/img/Oracle-performance-dashboard.png and /dev/null differ 
diff --git a/packages/oracle/1.4.1/img/Oracle-sysmetrics-dashboard-2.png b/packages/oracle/1.4.1/img/Oracle-sysmetrics-dashboard-2.png deleted file mode 100755 index 3bf8714846..0000000000 Binary files a/packages/oracle/1.4.1/img/Oracle-sysmetrics-dashboard-2.png and /dev/null differ diff --git a/packages/oracle/1.4.1/img/Oracle-sysmetrics-dashboard.png b/packages/oracle/1.4.1/img/Oracle-sysmetrics-dashboard.png deleted file mode 100755 index b9326442c1..0000000000 Binary files a/packages/oracle/1.4.1/img/Oracle-sysmetrics-dashboard.png and /dev/null differ diff --git a/packages/oracle/1.4.1/img/Oracle-system_statistics-dashboard.png b/packages/oracle/1.4.1/img/Oracle-system_statistics-dashboard.png deleted file mode 100755 index a7f3583ac5..0000000000 Binary files a/packages/oracle/1.4.1/img/Oracle-system_statistics-dashboard.png and /dev/null differ diff --git a/packages/oracle/1.4.1/img/Oracle-tablespace-dashboard.png b/packages/oracle/1.4.1/img/Oracle-tablespace-dashboard.png deleted file mode 100755 index b65c2f6c88..0000000000 Binary files a/packages/oracle/1.4.1/img/Oracle-tablespace-dashboard.png and /dev/null differ diff --git a/packages/oracle/1.4.1/img/oracle_logo.svg b/packages/oracle/1.4.1/img/oracle_logo.svg deleted file mode 100755 index 0981dfcff2..0000000000 --- a/packages/oracle/1.4.1/img/oracle_logo.svg +++ /dev/null @@ -1 +0,0 @@ - \ No newline at end of file diff --git a/packages/oracle/1.4.1/kibana/dashboard/oracle-55661160-08c7-11ed-9abf-15e60715cfab.json b/packages/oracle/1.4.1/kibana/dashboard/oracle-55661160-08c7-11ed-9abf-15e60715cfab.json deleted file mode 100755 index 88a301b4e3..0000000000 --- a/packages/oracle/1.4.1/kibana/dashboard/oracle-55661160-08c7-11ed-9abf-15e60715cfab.json +++ /dev/null 
@@ -1,87 +0,0 @@ -{ - "attributes": { - "description": "An overview of key metrics from all Metricsets in the Oracle database ", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"syncTooltips\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"id\":\"\",\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"drop_last_bucket\":0,\"id\":\"ba0bb1ef-4ee9-4f73-a2aa-a225b09de689\",\"index_pattern_ref_name\":\"metrics_2d950709-7e6b-4c0e-b617-6d61c71445fd_0_index_pattern\",\"interval\":\"\",\"isModelInvalid\":false,\"max_lines_legend\":1,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"default\",\"id\":\"8d191d67-85c3-466e-9675-777356df52c7\",\"label\":\"\",\"line_width\":1,\"metrics\":[{\"field\":\"oracle.performance.cursors.avg\",\"id\":\"ed0e869d-b7b9-4a66-ad8b-8e864476b80c\",\"type\":\"avg\"}],\"override_index_pattern\":0,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"point_size\":1,\"separate_axis\":0,\"series_drop_last_bucket\":0,\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"oracle.performance.machine\",\"time_range_mode\":\"entire_time_range\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"time_range_mode\":\"entire_time_range\",\"tooltip_mode\":\"show_all\",\"truncate_legend\":1,\"type\":\"timeseries\",\"use_kibana_indexes\":true},\"title\":\"\",\"type\":\"metrics\",\"uiState\":{}}},\"gridData\":{\"h\":7,\"i\":\"2d950709-7e6b-4c0e-b617-6d61c71445fd\",\"w\":21,\"x\":0,\"y\":0},\"panelIndex\":\"2d950709-7e6b-4c0e-b617-6d61c71445fd\",\"title\":\"Average Cursors by 
Machine (Top 10)[Metrics Oracle]\",\"type\":\"visualization\",\"version\":\"8.3.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"id\":\"\",\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"drop_last_bucket\":0,\"gauge_color_rules\":[{\"id\":\"fefde680-08c7-11ed-a12c-5d4b2a3a48a4\"}],\"gauge_inner_width\":10,\"gauge_style\":\"half\",\"gauge_width\":10,\"id\":\"041284f6-9f0a-4497-a3f3-62b7fde78734\",\"index_pattern_ref_name\":\"metrics_c43feec7-7125-4f5b-9f45-42525eb507e9_0_index_pattern\",\"interval\":\"\",\"isModelInvalid\":false,\"max_lines_legend\":1,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(84,179,153,1)\",\"fill\":0.5,\"formatter\":\"default\",\"id\":\"7f68b308-f13e-420f-95e2-033405dc19b2\",\"label\":\"Cache Buffer Hit Ratio\",\"line_width\":1,\"metrics\":[{\"field\":\"oracle.performance.cache.buffer.hit.pct\",\"id\":\"bfe864c9-7c4e-49a5-bea4-faaeaee77d9d\",\"type\":\"avg\"}],\"override_index_pattern\":0,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"point_size\":1,\"separate_axis\":0,\"series_drop_last_bucket\":0,\"split_mode\":\"everything\",\"stacked\":\"none\",\"time_range_mode\":\"entire_time_range\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"time_range_mode\":\"entire_time_range\",\"tooltip_mode\":\"show_all\",\"truncate_legend\":1,\"type\":\"gauge\",\"use_kibana_indexes\":true},\"title\":\"\",\"type\":\"metrics\",\"uiState\":{}}},\"gridData\":{\"h\":7,\"i\":\"c43feec7-7125-4f5b-9f45-42525eb507e9\",\"w\":10,\"x\":21,\"y\":0},\"panelIndex\":\"c43feec7-7125-4f5b-9f45-42525eb507e9\",\"title\":\"Cache Buffer Hit Ratio [Metrics 
Oracle]\",\"type\":\"visualization\",\"version\":\"8.3.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"id\":\"\",\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"bar_color_rules\":[{\"id\":\"79a807d0-08c8-11ed-a12c-5d4b2a3a48a4\"}],\"drop_last_bucket\":0,\"id\":\"fc16576c-5187-43f1-b5ee-b5c45133a5a8\",\"index_pattern_ref_name\":\"metrics_3b1f6b7f-519e-4180-8946-ab1318580f2e_0_index_pattern\",\"interval\":\"\",\"isModelInvalid\":false,\"max_lines_legend\":1,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(84,179,153,1)\",\"fill\":0.5,\"formatter\":\"default\",\"id\":\"d0c9577a-4556-4042-af76-ce4865dd9730\",\"line_width\":1,\"metrics\":[{\"field\":\"oracle.tablespace.space.used.bytes\",\"id\":\"800f1ba7-aa50-401c-ba9e-8950b765aac3\",\"type\":\"avg\"},{\"field\":\"oracle.tablespace.space.total.bytes\",\"id\":\"94a9c9b0-08c8-11ed-a12c-5d4b2a3a48a4\",\"type\":\"avg\"},{\"id\":\"b36d9ca0-08c8-11ed-a12c-5d4b2a3a48a4\",\"script\":\"params.used / 
params.total\",\"type\":\"math\",\"variables\":[{\"field\":\"800f1ba7-aa50-401c-ba9e-8950b765aac3\",\"id\":\"b74cab90-08c8-11ed-a12c-5d4b2a3a48a4\",\"name\":\"used\"},{\"field\":\"94a9c9b0-08c8-11ed-a12c-5d4b2a3a48a4\",\"id\":\"bbb92d70-08c8-11ed-a12c-5d4b2a3a48a4\",\"name\":\"total\"}]}],\"override_index_pattern\":0,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"point_size\":1,\"separate_axis\":0,\"series_drop_last_bucket\":0,\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"oracle.tablespace.name\",\"terms_order_by\":\"800f1ba7-aa50-401c-ba9e-8950b765aac3\",\"time_range_mode\":\"entire_time_range\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"time_range_mode\":\"entire_time_range\",\"tooltip_mode\":\"show_all\",\"truncate_legend\":1,\"type\":\"top_n\",\"use_kibana_indexes\":true},\"title\":\"\",\"type\":\"metrics\",\"uiState\":{}}},\"gridData\":{\"h\":7,\"i\":\"3b1f6b7f-519e-4180-8946-ab1318580f2e\",\"w\":17,\"x\":31,\"y\":0},\"panelIndex\":\"3b1f6b7f-519e-4180-8946-ab1318580f2e\",\"title\":\"Ratio of used space in Tablespaces [Metrics Oracle]\",\"type\":\"visualization\",\"version\":\"8.3.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"id\":\"\",\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"drop_last_bucket\":0,\"id\":\"0bf6fba1-6aba-4031-b22f-caca9339ee5d\",\"index_pattern_ref_name\":\"metrics_c1ef413e-3dde-47a7-8d51-dae932fa7378_0_index_pattern\",\"interval\":\"\",\"isModelInvalid\":false,\"max_lines_legend\":1,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"default\",\"id\":\"8c22d686-b04c-4154-a424-d2e366b260f8\",\"label\":\"Top 10 Total 
cursors\",\"line_width\":1,\"metrics\":[{\"field\":\"oracle.performance.cursors.total\",\"id\":\"42eab07c-8975-4bf8-b429-85ae12bd3e7d\",\"type\":\"avg\"}],\"override_index_pattern\":0,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"point_size\":1,\"separate_axis\":0,\"series_drop_last_bucket\":0,\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"oracle.performance.machine\",\"terms_order_by\":\"42eab07c-8975-4bf8-b429-85ae12bd3e7d\",\"time_range_mode\":\"entire_time_range\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"time_range_mode\":\"entire_time_range\",\"tooltip_mode\":\"show_all\",\"truncate_legend\":1,\"type\":\"timeseries\",\"use_kibana_indexes\":true},\"title\":\"\",\"type\":\"metrics\",\"uiState\":{}}},\"gridData\":{\"h\":8,\"i\":\"c1ef413e-3dde-47a7-8d51-dae932fa7378\",\"w\":21,\"x\":0,\"y\":7},\"panelIndex\":\"c1ef413e-3dde-47a7-8d51-dae932fa7378\",\"title\":\"Total Cursors by machine (Top 10) [Metrics Oracle]\",\"type\":\"visualization\",\"version\":\"8.3.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"id\":\"\",\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"drop_last_bucket\":0,\"id\":\"fc4dfe11-e6db-4167-920e-64f122def5d8\",\"index_pattern_ref_name\":\"metrics_3876b6d8-78a7-4c9e-81a3-fb36778d3877_0_index_pattern\",\"interval\":\"\",\"isModelInvalid\":false,\"max_lines_legend\":1,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"default\",\"id\":\"4037b186-ba3b-4373-8aab-6507be08330d\",\"label\":\"IO 
Reloads\",\"line_width\":1,\"metrics\":[{\"field\":\"oracle.performance.io_reloads\",\"id\":\"d67d6b0e-7afc-4571-826f-b36aeeed432f\",\"type\":\"avg\"}],\"override_index_pattern\":0,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"point_size\":1,\"separate_axis\":0,\"series_drop_last_bucket\":0,\"split_mode\":\"everything\",\"stacked\":\"none\",\"time_range_mode\":\"entire_time_range\"},{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(96,146,192,1)\",\"fill\":0.5,\"formatter\":\"default\",\"id\":\"8a3e6c80-08d0-11ed-a12c-5d4b2a3a48a4\",\"label\":\"Lock Requets\",\"line_width\":1,\"metrics\":[{\"field\":\"oracle.performance.lock_requests\",\"id\":\"8a3e6c81-08d0-11ed-a12c-5d4b2a3a48a4\",\"type\":\"avg\"}],\"override_index_pattern\":0,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"point_size\":1,\"separate_axis\":0,\"series_drop_last_bucket\":0,\"split_mode\":\"everything\",\"stacked\":\"none\"},{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(145,112,184,1)\",\"fill\":0.5,\"formatter\":\"default\",\"id\":\"9fead320-08d0-11ed-a12c-5d4b2a3a48a4\",\"label\":\"Pin Requests\",\"line_width\":1,\"metrics\":[{\"field\":\"oracle.performance.pin_requests\",\"id\":\"9fead321-08d0-11ed-a12c-5d4b2a3a48a4\",\"type\":\"avg\"}],\"override_index_pattern\":0,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"point_size\":1,\"separate_axis\":0,\"series_drop_last_bucket\":0,\"split_mode\":\"everything\",\"stacked\":\"none\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"time_range_mode\":\"entire_time_range\",\"tooltip_mode\":\"show_all\",\"truncate_legend\":1,\"type\":\"timeseries\",\"use_kibana_indexes\":true},\"title\":\"\",\"type\":\"metrics\",\"uiState\":{}}},\"gridData\":{\"h\":8,\"i\":\"3876b6d8-78a7-4c9e-81a3-fb36778d3877\",\"w\":27,\"x\":21,\"y\":7},\"panelIndex\":\"3876b6d8-78a7-4c9e-81a3-fb36778d3877\",\"title\":\"Lock/Pin requests and IO reloads ratios [Metrics 
Oracle]\",\"type\":\"visualization\",\"version\":\"8.3.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"id\":\"51dfc970-08ca-11ed-a12c-5d4b2a3a48a4\"}],\"drop_last_bucket\":0,\"id\":\"0bf6fba1-6aba-4031-b22f-caca9339ee5d\",\"index_pattern_ref_name\":\"metrics_40e7a0e6-3dbd-4a3e-a16c-00d158510f1f_0_index_pattern\",\"interval\":\"\",\"isModelInvalid\":false,\"max_lines_legend\":1,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(84,179,153,1)\",\"fill\":0.5,\"formatter\":\"default\",\"id\":\"8c22d686-b04c-4154-a424-d2e366b260f8\",\"label\":\"Current opened cursors\",\"line_width\":1,\"metrics\":[{\"field\":\"oracle.performance.cursors.opened.current\",\"id\":\"42eab07c-8975-4bf8-b429-85ae12bd3e7d\",\"type\":\"avg\"}],\"override_index_pattern\":0,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"point_size\":1,\"separate_axis\":0,\"series_drop_last_bucket\":0,\"split_mode\":\"everything\",\"stacked\":\"none\",\"time_range_mode\":\"entire_time_range\"}],\"show_grid\":1,\"show_legend\":0,\"time_field\":\"\",\"time_range_mode\":\"entire_time_range\",\"tooltip_mode\":\"show_all\",\"truncate_legend\":1,\"type\":\"timeseries\",\"use_kibana_indexes\":true},\"title\":\"\",\"type\":\"metrics\",\"uiState\":{}}},\"gridData\":{\"h\":9,\"i\":\"40e7a0e6-3dbd-4a3e-a16c-00d158510f1f\",\"w\":21,\"x\":0,\"y\":15},\"panelIndex\":\"40e7a0e6-3dbd-4a3e-a16c-00d158510f1f\",\"title\":\"Current opened cursors [Metrics 
Oracle]\",\"type\":\"visualization\",\"version\":\"8.3.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"drop_last_bucket\":0,\"id\":\"fc4dfe11-e6db-4167-920e-64f122def5d8\",\"index_pattern_ref_name\":\"metrics_2e70259a-baf0-4aaa-a2f6-5d788a4ba970_0_index_pattern\",\"interval\":\"\",\"isModelInvalid\":false,\"max_lines_legend\":1,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(96,146,192,1)\",\"fill\":0.5,\"formatter\":\"default\",\"id\":\"4037b186-ba3b-4373-8aab-6507be08330d\",\"label\":\"Data file size by filename\",\"line_width\":1,\"metrics\":[{\"field\":\"oracle.tablespace.data_file.size.bytes\",\"id\":\"d67d6b0e-7afc-4571-826f-b36aeeed432f\",\"type\":\"avg\"}],\"override_index_pattern\":0,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"point_size\":1,\"separate_axis\":0,\"series_drop_last_bucket\":0,\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"oracle.tablespace.data_file.name\",\"terms_order_by\":\"d67d6b0e-7afc-4571-826f-b36aeeed432f\",\"time_range_mode\":\"entire_time_range\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"time_range_mode\":\"entire_time_range\",\"tooltip_mode\":\"show_all\",\"truncate_legend\":1,\"type\":\"timeseries\",\"use_kibana_indexes\":true},\"title\":\"\",\"type\":\"metrics\",\"uiState\":{}}},\"gridData\":{\"h\":8,\"i\":\"2e70259a-baf0-4aaa-a2f6-5d788a4ba970\",\"w\":27,\"x\":21,\"y\":15},\"panelIndex\":\"2e70259a-baf0-4aaa-a2f6-5d788a4ba970\",\"title\":\"Avg data file size by filename [Metrics 
Oracle]\",\"type\":\"visualization\",\"version\":\"8.3.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"id\":\"51dfc970-08ca-11ed-a12c-5d4b2a3a48a4\"}],\"drop_last_bucket\":0,\"id\":\"0bf6fba1-6aba-4031-b22f-caca9339ee5d\",\"index_pattern_ref_name\":\"metrics_35e1b318-2d7b-48b5-9f9c-1339c1355f05_0_index_pattern\",\"interval\":\"\",\"isModelInvalid\":false,\"max_lines_legend\":1,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(84,179,153,1)\",\"fill\":0.5,\"formatter\":\"default\",\"id\":\"8c22d686-b04c-4154-a424-d2e366b260f8\",\"label\":\"Session cache hits\",\"line_width\":1,\"metrics\":[{\"field\":\"oracle.performance.cursors.session.cache_hits\",\"id\":\"42eab07c-8975-4bf8-b429-85ae12bd3e7d\",\"type\":\"avg\"}],\"override_index_pattern\":0,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"point_size\":1,\"separate_axis\":0,\"series_drop_last_bucket\":0,\"split_mode\":\"everything\",\"stacked\":\"none\",\"time_range_mode\":\"entire_time_range\"}],\"show_grid\":1,\"show_legend\":0,\"time_field\":\"\",\"time_range_mode\":\"entire_time_range\",\"tooltip_mode\":\"show_all\",\"truncate_legend\":1,\"type\":\"timeseries\",\"use_kibana_indexes\":true},\"title\":\"\",\"type\":\"metrics\",\"uiState\":{}}},\"gridData\":{\"h\":10,\"i\":\"35e1b318-2d7b-48b5-9f9c-1339c1355f05\",\"w\":27,\"x\":21,\"y\":23},\"panelIndex\":\"35e1b318-2d7b-48b5-9f9c-1339c1355f05\",\"title\":\"Session cache hits [Metrics 
Oracle]\",\"type\":\"visualization\",\"version\":\"8.3.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"id\":\"51dfc970-08ca-11ed-a12c-5d4b2a3a48a4\"}],\"drop_last_bucket\":0,\"id\":\"0bf6fba1-6aba-4031-b22f-caca9339ee5d\",\"index_pattern_ref_name\":\"metrics_57b32d4a-8d5e-48a0-afc9-31a672064a2b_0_index_pattern\",\"interval\":\"\",\"isModelInvalid\":false,\"max_lines_legend\":1,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(96,146,192,1)\",\"fill\":0.5,\"formatter\":\"default\",\"id\":\"8c22d686-b04c-4154-a424-d2e366b260f8\",\"label\":\"DB Blocks gets\",\"line_width\":1,\"metrics\":[{\"field\":\"oracle.performance.cache.get.db_blocks\",\"id\":\"42eab07c-8975-4bf8-b429-85ae12bd3e7d\",\"type\":\"avg\"}],\"override_index_pattern\":0,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"point_size\":1,\"separate_axis\":0,\"series_drop_last_bucket\":0,\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"oracle.performance.buffer_pool\",\"time_range_mode\":\"entire_time_range\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"time_range_mode\":\"entire_time_range\",\"tooltip_mode\":\"show_all\",\"truncate_legend\":1,\"type\":\"timeseries\",\"use_kibana_indexes\":true},\"title\":\"\",\"type\":\"metrics\",\"uiState\":{}}},\"gridData\":{\"h\":9,\"i\":\"57b32d4a-8d5e-48a0-afc9-31a672064a2b\",\"w\":21,\"x\":0,\"y\":24},\"panelIndex\":\"57b32d4a-8d5e-48a0-afc9-31a672064a2b\",\"title\":\"DB Blocks Gets by buffer pool (Top 10) [Metrics 
Oracle]\",\"type\":\"visualization\",\"version\":\"8.3.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"id\":\"51dfc970-08ca-11ed-a12c-5d4b2a3a48a4\"}],\"drop_last_bucket\":0,\"id\":\"0bf6fba1-6aba-4031-b22f-caca9339ee5d\",\"index_pattern_ref_name\":\"metrics_e4597686-26b6-4f14-aa5c-4773e6f59e1a_0_index_pattern\",\"interval\":\"\",\"isModelInvalid\":false,\"max_lines_legend\":1,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(96,146,192,1)\",\"fill\":0.5,\"formatter\":\"default\",\"id\":\"8c22d686-b04c-4154-a424-d2e366b260f8\",\"label\":\"Top 10 Total cursors\",\"line_width\":1,\"metrics\":[{\"field\":\"oracle.performance.cursors.max\",\"id\":\"42eab07c-8975-4bf8-b429-85ae12bd3e7d\",\"type\":\"avg\"}],\"override_index_pattern\":0,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"point_size\":1,\"separate_axis\":0,\"series_drop_last_bucket\":0,\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"oracle.performance.machine\",\"time_range_mode\":\"entire_time_range\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"time_range_mode\":\"entire_time_range\",\"tooltip_mode\":\"show_all\",\"truncate_legend\":1,\"type\":\"timeseries\",\"use_kibana_indexes\":true},\"title\":\"\",\"type\":\"metrics\",\"uiState\":{}}},\"gridData\":{\"h\":9,\"i\":\"e4597686-26b6-4f14-aa5c-4773e6f59e1a\",\"w\":14,\"x\":0,\"y\":33},\"panelIndex\":\"e4597686-26b6-4f14-aa5c-4773e6f59e1a\",\"title\":\"Max Cursors by machine (Top 10) [Metrics 
Oracle]\",\"type\":\"visualization\",\"version\":\"8.3.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"id\":\"51dfc970-08ca-11ed-a12c-5d4b2a3a48a4\"}],\"drop_last_bucket\":0,\"id\":\"0bf6fba1-6aba-4031-b22f-caca9339ee5d\",\"index_pattern_ref_name\":\"metrics_14d04a9d-5a41-47e0-a188-297dbf41776e_0_index_pattern\",\"interval\":\"\",\"isModelInvalid\":false,\"max_lines_legend\":1,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(96,146,192,1)\",\"fill\":0.5,\"formatter\":\"default\",\"id\":\"8c22d686-b04c-4154-a424-d2e366b260f8\",\"label\":\"Tablespace total size (TEMP)\",\"line_width\":1,\"metrics\":[{\"field\":\"oracle.tablespace.space.total.bytes\",\"id\":\"42eab07c-8975-4bf8-b429-85ae12bd3e7d\",\"type\":\"avg\"}],\"override_index_pattern\":0,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"point_size\":1,\"separate_axis\":0,\"series_drop_last_bucket\":0,\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_exclude\":\"\",\"terms_field\":\"oracle.tablespace.name\",\"terms_include\":\"TEMP\",\"terms_order_by\":\"42eab07c-8975-4bf8-b429-85ae12bd3e7d\",\"time_range_mode\":\"entire_time_range\"},{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"default\",\"id\":\"4fe2fb20-08e2-11ed-bbf2-8b9cc975c696\",\"label\":\"Tablespace total size (Not TEMP)\",\"line_width\":1,\"metrics\":[{\"field\":\"oracle.tablespace.space.used.bytes\",\"id\":\"4fe2fb21-08e2-11ed-bbf2-8b9cc975c696\",\"type\":\"avg\"},{\"field\":\"oracle.tablespace.space.free.bytes\",\"id\":\"a2c90eb0-08e2-11ed-bbf2-8b9cc975c696\",\"type\":\"avg\"},{\"id\":\"db2acdc0-08e2-11ed-bbf2-8b9cc975c696\",\"script\":\"params.used + 
params.free\",\"type\":\"math\",\"variables\":[{\"field\":\"4fe2fb21-08e2-11ed-bbf2-8b9cc975c696\",\"id\":\"e155ef90-08e2-11ed-bbf2-8b9cc975c696\",\"name\":\"used\"},{\"field\":\"a2c90eb0-08e2-11ed-bbf2-8b9cc975c696\",\"id\":\"e5019270-08e2-11ed-bbf2-8b9cc975c696\",\"name\":\"free\"}]}],\"override_index_pattern\":0,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"point_size\":1,\"separate_axis\":0,\"series_drop_last_bucket\":0,\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_exclude\":\"TEMP\",\"terms_field\":\"oracle.tablespace.name\",\"time_range_mode\":\"entire_time_range\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"time_range_mode\":\"entire_time_range\",\"tooltip_mode\":\"show_all\",\"truncate_legend\":1,\"type\":\"timeseries\",\"use_kibana_indexes\":true},\"title\":\"\",\"type\":\"metrics\",\"uiState\":{}}},\"gridData\":{\"h\":9,\"i\":\"14d04a9d-5a41-47e0-a188-297dbf41776e\",\"w\":16,\"x\":14,\"y\":33},\"panelIndex\":\"14d04a9d-5a41-47e0-a188-297dbf41776e\",\"title\":\"Tablespace Total Size [Metrics Oracle]\",\"type\":\"visualization\",\"version\":\"8.3.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"id\":\"51dfc970-08ca-11ed-a12c-5d4b2a3a48a4\"}],\"drop_last_bucket\":0,\"id\":\"0bf6fba1-6aba-4031-b22f-caca9339ee5d\",\"index_pattern_ref_name\":\"metrics_db7524f9-0a44-4e90-9681-dbce2b0d07e7_0_index_pattern\",\"interval\":\"\",\"isModelInvalid\":false,\"max_lines_legend\":1,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(84,179,153,1)\",\"fill\":0.5,\"formatter\":\"default\",\"id\":\"8c22d686-b04c-4154-a424-d2e366b260f8\",\"label\":\"Real parsed 
cursors\",\"line_width\":1,\"metrics\":[{\"field\":\"oracle.performance.cursors.parse.real\",\"id\":\"42eab07c-8975-4bf8-b429-85ae12bd3e7d\",\"type\":\"avg\"}],\"override_index_pattern\":0,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"point_size\":1,\"separate_axis\":0,\"series_drop_last_bucket\":0,\"split_mode\":\"everything\",\"stacked\":\"none\",\"time_range_mode\":\"entire_time_range\"}],\"show_grid\":1,\"show_legend\":0,\"time_field\":\"\",\"time_range_mode\":\"entire_time_range\",\"tooltip_mode\":\"show_all\",\"truncate_legend\":1,\"type\":\"timeseries\",\"use_kibana_indexes\":true},\"title\":\"\",\"type\":\"metrics\",\"uiState\":{}}},\"gridData\":{\"h\":9,\"i\":\"db7524f9-0a44-4e90-9681-dbce2b0d07e7\",\"w\":18,\"x\":30,\"y\":33},\"panelIndex\":\"db7524f9-0a44-4e90-9681-dbce2b0d07e7\",\"title\":\"Total / Real parsed cursors [Metrics Oracle]\",\"type\":\"visualization\",\"version\":\"8.3.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"drop_last_bucket\":0,\"id\":\"fc4dfe11-e6db-4167-920e-64f122def5d8\",\"index_pattern_ref_name\":\"metrics_1ef29c9d-9b46-4f2a-89db-63a6d586d2e0_0_index_pattern\",\"interval\":\"\",\"isModelInvalid\":false,\"max_lines_legend\":1,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(96,146,192,1)\",\"fill\":0.5,\"formatter\":\"default\",\"id\":\"4037b186-ba3b-4373-8aab-6507be08330d\",\"label\":\"Consistent 
Gets\",\"line_width\":1,\"metrics\":[{\"field\":\"oracle.performance.cache.get.consistent\",\"id\":\"d67d6b0e-7afc-4571-826f-b36aeeed432f\",\"type\":\"avg\"}],\"override_index_pattern\":0,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"point_size\":1,\"separate_axis\":0,\"series_drop_last_bucket\":0,\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"oracle.performance.buffer_pool\",\"terms_order_by\":\"d67d6b0e-7afc-4571-826f-b36aeeed432f\",\"time_range_mode\":\"entire_time_range\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"time_range_mode\":\"entire_time_range\",\"tooltip_mode\":\"show_all\",\"truncate_legend\":1,\"type\":\"timeseries\",\"use_kibana_indexes\":true},\"title\":\"\",\"type\":\"metrics\",\"uiState\":{}}},\"gridData\":{\"h\":11,\"i\":\"1ef29c9d-9b46-4f2a-89db-63a6d586d2e0\",\"w\":48,\"x\":0,\"y\":42},\"panelIndex\":\"1ef29c9d-9b46-4f2a-89db-63a6d586d2e0\",\"title\":\"Consistent Gets by buffer pool (Top 10) [Metrics Oracle]\",\"type\":\"visualization\",\"version\":\"8.3.0\"}]", - "timeRestore": false, - "title": "[Metrics Oracle] Overview", - "version": 1 - }, - "coreMigrationVersion": "8.3.0", - "id": "oracle-55661160-08c7-11ed-9abf-15e60715cfab", - "migrationVersion": { - "dashboard": "8.3.0" - }, - "references": [ - { - "id": "metrics-*", - "name": "2d950709-7e6b-4c0e-b617-6d61c71445fd:metrics_2d950709-7e6b-4c0e-b617-6d61c71445fd_0_index_pattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "c43feec7-7125-4f5b-9f45-42525eb507e9:metrics_c43feec7-7125-4f5b-9f45-42525eb507e9_0_index_pattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "3b1f6b7f-519e-4180-8946-ab1318580f2e:metrics_3b1f6b7f-519e-4180-8946-ab1318580f2e_0_index_pattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "c1ef413e-3dde-47a7-8d51-dae932fa7378:metrics_c1ef413e-3dde-47a7-8d51-dae932fa7378_0_index_pattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": 
"3876b6d8-78a7-4c9e-81a3-fb36778d3877:metrics_3876b6d8-78a7-4c9e-81a3-fb36778d3877_0_index_pattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "40e7a0e6-3dbd-4a3e-a16c-00d158510f1f:metrics_40e7a0e6-3dbd-4a3e-a16c-00d158510f1f_0_index_pattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "2e70259a-baf0-4aaa-a2f6-5d788a4ba970:metrics_2e70259a-baf0-4aaa-a2f6-5d788a4ba970_0_index_pattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "35e1b318-2d7b-48b5-9f9c-1339c1355f05:metrics_35e1b318-2d7b-48b5-9f9c-1339c1355f05_0_index_pattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "57b32d4a-8d5e-48a0-afc9-31a672064a2b:metrics_57b32d4a-8d5e-48a0-afc9-31a672064a2b_0_index_pattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "e4597686-26b6-4f14-aa5c-4773e6f59e1a:metrics_e4597686-26b6-4f14-aa5c-4773e6f59e1a_0_index_pattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "14d04a9d-5a41-47e0-a188-297dbf41776e:metrics_14d04a9d-5a41-47e0-a188-297dbf41776e_0_index_pattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "db7524f9-0a44-4e90-9681-dbce2b0d07e7:metrics_db7524f9-0a44-4e90-9681-dbce2b0d07e7_0_index_pattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "1ef29c9d-9b46-4f2a-89db-63a6d586d2e0:metrics_1ef29c9d-9b46-4f2a-89db-63a6d586d2e0_0_index_pattern", - "type": "index-pattern" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/oracle/1.4.1/kibana/dashboard/oracle-59eeb380-08d7-11ed-9abf-15e60715cfab.json b/packages/oracle/1.4.1/kibana/dashboard/oracle-59eeb380-08d7-11ed-9abf-15e60715cfab.json deleted file mode 100755 index 3d43249d62..0000000000 --- a/packages/oracle/1.4.1/kibana/dashboard/oracle-59eeb380-08d7-11ed-9abf-15e60715cfab.json +++ /dev/null 
@@ -1,108 +0,0 @@ -{ - "attributes": { - "controlGroupInput": { - "chainingSystem": "HIERARCHICAL", - "controlStyle": "oneLine", - "ignoreParentSettingsJSON": "{\"ignoreFilters\":false,\"ignoreQuery\":false,\"ignoreTimerange\":false,\"ignoreValidations\":false}", - "panelsJSON": "{\"e40198de-6b6b-41ef-97e3-ffece3aa8162\":{\"order\":0,\"width\":\"medium\",\"grow\":true,\"type\":\"optionsListControl\",\"explicitInput\":{\"fieldName\":\"service.address\",\"title\":\"Oracle Host Control\",\"id\":\"e40198de-6b6b-41ef-97e3-ffece3aa8162\",\"enhancements\":{}}}}" - }, - "description": "An overview of key metrics from Sysmetric Metricsets in the Oracle database ", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"syncTooltips\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"id\":\"\",\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"drop_last_bucket\":0,\"id\":\"c6a7c206-f75c-44f1-9142-c4408879556b\",\"index_pattern_ref_name\":\"metrics_5461235c-8f78-4efc-8d60-fdcbb1a3823e_0_index_pattern\",\"interval\":\"\",\"isModelInvalid\":false,\"max_lines_legend\":1,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(84,179,153,1)\",\"fill\":0.5,\"formatter\":\"default\",\"id\":\"fa2ed62e-0a11-466f-9d6b-d6cbe8b97c02\",\"label\":\"Session 
Count\",\"line_width\":1,\"metrics\":[{\"agg_with\":\"avg\",\"field\":\"oracle.sysmetric.session_count\",\"id\":\"9465e81a-cfbb-4c7b-bfc3-9d2154518673\",\"order\":\"desc\",\"type\":\"top_hit\"}],\"override_index_pattern\":0,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"point_size\":1,\"separate_axis\":0,\"series_drop_last_bucket\":0,\"split_mode\":\"everything\",\"stacked\":\"none\",\"time_range_mode\":\"entire_time_range\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"time_range_mode\":\"entire_time_range\",\"tooltip_mode\":\"show_all\",\"truncate_legend\":1,\"type\":\"timeseries\",\"use_kibana_indexes\":true},\"title\":\"\",\"type\":\"metrics\",\"uiState\":{}}},\"gridData\":{\"h\":9,\"i\":\"5461235c-8f78-4efc-8d60-fdcbb1a3823e\",\"w\":24,\"x\":0,\"y\":0},\"panelIndex\":\"5461235c-8f78-4efc-8d60-fdcbb1a3823e\",\"title\":\"Top 10 session counts by host [Metrics Oracle]\",\"type\":\"visualization\",\"version\":\"8.3.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"bar_color_rules\":[{\"id\":\"24ebfdf0-08d7-11ed-a12c-5d4b2a3a48a4\"}],\"drop_last_bucket\":0,\"id\":\"c6a7c206-f75c-44f1-9142-c4408879556b\",\"index_pattern_ref_name\":\"metrics_d19f3a74-3c36-46e6-b682-bdaa3b8dcc26_0_index_pattern\",\"interval\":\"\",\"isModelInvalid\":false,\"max_lines_legend\":1,\"pivot_id\":\"service.address\",\"pivot_label\":\"Host Name\",\"pivot_type\":\"string\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"default\",\"id\":\"fa2ed62e-0a11-466f-9d6b-d6cbe8b97c02\",\"label\":\"Session 
Count\",\"line_width\":1,\"metrics\":[{\"agg_with\":\"avg\",\"field\":\"oracle.sysmetric.average_active_sessions\",\"id\":\"9465e81a-cfbb-4c7b-bfc3-9d2154518673\",\"order\":\"desc\",\"type\":\"top_hit\"}],\"override_index_pattern\":0,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"point_size\":1,\"separate_axis\":0,\"series_drop_last_bucket\":0,\"split_mode\":\"everything\",\"stacked\":\"none\",\"time_range_mode\":\"entire_time_range\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"time_range_mode\":\"entire_time_range\",\"tooltip_mode\":\"show_all\",\"truncate_legend\":1,\"type\":\"table\",\"use_kibana_indexes\":true},\"title\":\"\",\"type\":\"metrics\",\"uiState\":{}}},\"gridData\":{\"h\":9,\"i\":\"d19f3a74-3c36-46e6-b682-bdaa3b8dcc26\",\"w\":24,\"x\":24,\"y\":0},\"panelIndex\":\"d19f3a74-3c36-46e6-b682-bdaa3b8dcc26\",\"title\":\"Top 10 session counts by host [Metrics Oracle]\",\"type\":\"visualization\",\"version\":\"8.3.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"drop_last_bucket\":0,\"id\":\"c6a7c206-f75c-44f1-9142-c4408879556b\",\"index_pattern_ref_name\":\"metrics_1edc70d6-135f-42f7-8148-a826a9c769d2_0_index_pattern\",\"interval\":\"\",\"isModelInvalid\":false,\"max_lines_legend\":1,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(84,179,153,1)\",\"fill\":0.5,\"formatter\":\"default\",\"id\":\"fa2ed62e-0a11-466f-9d6b-d6cbe8b97c02\",\"label\":\"Current OS 
Load\",\"line_width\":1,\"metrics\":[{\"agg_with\":\"avg\",\"field\":\"oracle.sysmetric.current_os_load\",\"id\":\"9465e81a-cfbb-4c7b-bfc3-9d2154518673\",\"order\":\"desc\",\"type\":\"top_hit\"}],\"override_index_pattern\":0,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"point_size\":1,\"separate_axis\":0,\"series_drop_last_bucket\":0,\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"service.address\",\"time_range_mode\":\"entire_time_range\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"time_range_mode\":\"entire_time_range\",\"tooltip_mode\":\"show_all\",\"truncate_legend\":1,\"type\":\"timeseries\",\"use_kibana_indexes\":true},\"title\":\"\",\"type\":\"metrics\",\"uiState\":{}}},\"gridData\":{\"h\":9,\"i\":\"1edc70d6-135f-42f7-8148-a826a9c769d2\",\"w\":24,\"x\":0,\"y\":9},\"panelIndex\":\"1edc70d6-135f-42f7-8148-a826a9c769d2\",\"title\":\"Current OS Load [Metrics Oracle]\",\"type\":\"visualization\",\"version\":\"8.3.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"drop_last_bucket\":0,\"id\":\"c6a7c206-f75c-44f1-9142-c4408879556b\",\"index_pattern_ref_name\":\"metrics_da3c4da2-7ff9-478d-bd73-9a4342f6bac1_0_index_pattern\",\"interval\":\"\",\"isModelInvalid\":false,\"max_lines_legend\":1,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(84,179,153,1)\",\"fill\":0.5,\"formatter\":\"default\",\"id\":\"fa2ed62e-0a11-466f-9d6b-d6cbe8b97c02\",\"label\":\"Physical Reads per 
second\",\"line_width\":1,\"metrics\":[{\"agg_with\":\"avg\",\"field\":\"oracle.sysmetric.physical_read_bytes_per_sec\",\"id\":\"9465e81a-cfbb-4c7b-bfc3-9d2154518673\",\"order\":\"desc\",\"type\":\"top_hit\"}],\"override_index_pattern\":0,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"point_size\":1,\"separate_axis\":0,\"series_drop_last_bucket\":0,\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"service.address\",\"time_range_mode\":\"entire_time_range\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"time_range_mode\":\"entire_time_range\",\"tooltip_mode\":\"show_all\",\"truncate_legend\":1,\"type\":\"timeseries\",\"use_kibana_indexes\":true},\"title\":\"\",\"type\":\"metrics\",\"uiState\":{}}},\"gridData\":{\"h\":9,\"i\":\"da3c4da2-7ff9-478d-bd73-9a4342f6bac1\",\"w\":24,\"x\":24,\"y\":9},\"panelIndex\":\"da3c4da2-7ff9-478d-bd73-9a4342f6bac1\",\"title\":\"Physical Reads per second [Metrics Oracle]\",\"type\":\"visualization\",\"version\":\"8.3.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"drop_last_bucket\":0,\"id\":\"c6a7c206-f75c-44f1-9142-c4408879556b\",\"index_pattern_ref_name\":\"metrics_e412984d-be6e-4d04-b53e-50a90837f9df_0_index_pattern\",\"interval\":\"\",\"isModelInvalid\":false,\"max_lines_legend\":1,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(84,179,153,1)\",\"fill\":0.5,\"formatter\":\"default\",\"id\":\"fa2ed62e-0a11-466f-9d6b-d6cbe8b97c02\",\"label\":\"User Transactions per 
second\",\"line_width\":1,\"metrics\":[{\"agg_with\":\"avg\",\"field\":\"oracle.sysmetric.user_transaction_per_sec\",\"id\":\"9465e81a-cfbb-4c7b-bfc3-9d2154518673\",\"order\":\"desc\",\"type\":\"top_hit\"}],\"override_index_pattern\":0,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"point_size\":1,\"separate_axis\":0,\"series_drop_last_bucket\":0,\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"service.address\",\"time_range_mode\":\"entire_time_range\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"time_range_mode\":\"entire_time_range\",\"tooltip_mode\":\"show_all\",\"truncate_legend\":1,\"type\":\"timeseries\",\"use_kibana_indexes\":true},\"title\":\"\",\"type\":\"metrics\",\"uiState\":{}}},\"gridData\":{\"h\":9,\"i\":\"e412984d-be6e-4d04-b53e-50a90837f9df\",\"w\":24,\"x\":0,\"y\":18},\"panelIndex\":\"e412984d-be6e-4d04-b53e-50a90837f9df\",\"title\":\"User Transactions per second [Metrics Oracle]\",\"type\":\"visualization\",\"version\":\"8.3.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"drop_last_bucket\":0,\"id\":\"c6a7c206-f75c-44f1-9142-c4408879556b\",\"index_pattern_ref_name\":\"metrics_d18cbbd4-2e10-4af0-94e0-848f9da6bb66_0_index_pattern\",\"interval\":\"\",\"isModelInvalid\":false,\"max_lines_legend\":1,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(84,179,153,1)\",\"fill\":0.5,\"formatter\":\"default\",\"id\":\"fa2ed62e-0a11-466f-9d6b-d6cbe8b97c02\",\"label\":\"Total Table Scans per 
transaction\",\"line_width\":1,\"metrics\":[{\"agg_with\":\"avg\",\"field\":\"oracle.sysmetric.total_table_scans_per_txn\",\"id\":\"9465e81a-cfbb-4c7b-bfc3-9d2154518673\",\"order\":\"desc\",\"type\":\"top_hit\"}],\"override_index_pattern\":0,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"point_size\":1,\"separate_axis\":0,\"series_drop_last_bucket\":0,\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"service.address\",\"time_range_mode\":\"entire_time_range\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"time_range_mode\":\"entire_time_range\",\"tooltip_mode\":\"show_all\",\"truncate_legend\":1,\"type\":\"timeseries\",\"use_kibana_indexes\":true},\"title\":\"\",\"type\":\"metrics\",\"uiState\":{}}},\"gridData\":{\"h\":9,\"i\":\"d18cbbd4-2e10-4af0-94e0-848f9da6bb66\",\"w\":24,\"x\":24,\"y\":18},\"panelIndex\":\"d18cbbd4-2e10-4af0-94e0-848f9da6bb66\",\"title\":\"Total Table Scans per transaction [Metrics Oracle]\",\"type\":\"visualization\",\"version\":\"8.3.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"drop_last_bucket\":0,\"id\":\"c6a7c206-f75c-44f1-9142-c4408879556b\",\"index_pattern_ref_name\":\"metrics_85469acb-e2aa-4a16-8c70-66307d94cf5f_0_index_pattern\",\"interval\":\"\",\"isModelInvalid\":false,\"max_lines_legend\":1,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(84,179,153,1)\",\"fill\":0.5,\"formatter\":\"default\",\"id\":\"fa2ed62e-0a11-466f-9d6b-d6cbe8b97c02\",\"label\":\"Physical Writes per 
second\",\"line_width\":1,\"metrics\":[{\"agg_with\":\"avg\",\"field\":\"oracle.sysmetric.physical_write_bytes_per_sec\",\"id\":\"9465e81a-cfbb-4c7b-bfc3-9d2154518673\",\"order\":\"desc\",\"type\":\"top_hit\"}],\"override_index_pattern\":0,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"point_size\":1,\"separate_axis\":0,\"series_drop_last_bucket\":0,\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"service.address\",\"time_range_mode\":\"entire_time_range\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"time_range_mode\":\"entire_time_range\",\"tooltip_mode\":\"show_all\",\"truncate_legend\":1,\"type\":\"timeseries\",\"use_kibana_indexes\":true},\"title\":\"\",\"type\":\"metrics\",\"uiState\":{}}},\"gridData\":{\"h\":9,\"i\":\"85469acb-e2aa-4a16-8c70-66307d94cf5f\",\"w\":24,\"x\":0,\"y\":27},\"panelIndex\":\"85469acb-e2aa-4a16-8c70-66307d94cf5f\",\"title\":\"Physical Writes per second [Metrics Oracle]\",\"type\":\"visualization\",\"version\":\"8.3.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"drop_last_bucket\":0,\"id\":\"c6a7c206-f75c-44f1-9142-c4408879556b\",\"index_pattern_ref_name\":\"metrics_b6dd5668-70d5-440f-b00a-e8d7554a3907_0_index_pattern\",\"interval\":\"\",\"isModelInvalid\":false,\"max_lines_legend\":1,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(84,179,153,1)\",\"fill\":0.5,\"formatter\":\"default\",\"id\":\"fa2ed62e-0a11-466f-9d6b-d6cbe8b97c02\",\"label\":\"Total Index Scans per 
transaction\",\"line_width\":1,\"metrics\":[{\"agg_with\":\"avg\",\"field\":\"oracle.sysmetric.total_index_scans_per_txn\",\"id\":\"9465e81a-cfbb-4c7b-bfc3-9d2154518673\",\"order\":\"desc\",\"type\":\"top_hit\"}],\"override_index_pattern\":0,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"point_size\":1,\"separate_axis\":0,\"series_drop_last_bucket\":0,\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"service.address\",\"time_range_mode\":\"entire_time_range\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"time_range_mode\":\"entire_time_range\",\"tooltip_mode\":\"show_all\",\"truncate_legend\":1,\"type\":\"timeseries\",\"use_kibana_indexes\":true},\"title\":\"\",\"type\":\"metrics\",\"uiState\":{}}},\"gridData\":{\"h\":9,\"i\":\"b6dd5668-70d5-440f-b00a-e8d7554a3907\",\"w\":24,\"x\":24,\"y\":27},\"panelIndex\":\"b6dd5668-70d5-440f-b00a-e8d7554a3907\",\"title\":\"Total Index Scans per transaction [Metrics Oracle]\",\"type\":\"visualization\",\"version\":\"8.3.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"drop_last_bucket\":0,\"id\":\"c6a7c206-f75c-44f1-9142-c4408879556b\",\"index_pattern_ref_name\":\"metrics_88e9d016-e10b-4a8a-a376-075da5a96fe9_0_index_pattern\",\"interval\":\"\",\"isModelInvalid\":false,\"max_lines_legend\":1,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(84,179,153,1)\",\"fill\":0.5,\"formatter\":\"default\",\"id\":\"fa2ed62e-0a11-466f-9d6b-d6cbe8b97c02\",\"label\":\"Host CPU Utilization 
(%)\",\"line_width\":1,\"metrics\":[{\"agg_with\":\"avg\",\"field\":\"oracle.sysmetric.host_cpu_utilization_pct\",\"id\":\"9465e81a-cfbb-4c7b-bfc3-9d2154518673\",\"order\":\"desc\",\"type\":\"top_hit\"}],\"override_index_pattern\":0,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"point_size\":1,\"separate_axis\":0,\"series_drop_last_bucket\":0,\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"service.address\",\"time_range_mode\":\"entire_time_range\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"time_range_mode\":\"entire_time_range\",\"tooltip_mode\":\"show_all\",\"truncate_legend\":1,\"type\":\"timeseries\",\"use_kibana_indexes\":true},\"title\":\"\",\"type\":\"metrics\",\"uiState\":{}}},\"gridData\":{\"h\":9,\"i\":\"88e9d016-e10b-4a8a-a376-075da5a96fe9\",\"w\":24,\"x\":0,\"y\":36},\"panelIndex\":\"88e9d016-e10b-4a8a-a376-075da5a96fe9\",\"title\":\"Host CPU Utilization (%) [Metrics Oracle]\",\"type\":\"visualization\",\"version\":\"8.3.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"drop_last_bucket\":0,\"id\":\"c6a7c206-f75c-44f1-9142-c4408879556b\",\"index_pattern_ref_name\":\"metrics_c3be0eb6-6b65-4686-a1cf-ed11c66b418c_0_index_pattern\",\"interval\":\"\",\"isModelInvalid\":false,\"max_lines_legend\":1,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(84,179,153,1)\",\"fill\":0.5,\"formatter\":\"default\",\"id\":\"fa2ed62e-0a11-466f-9d6b-d6cbe8b97c02\",\"label\":\"Network Traffic Volume per 
second\",\"line_width\":1,\"metrics\":[{\"agg_with\":\"avg\",\"field\":\"oracle.sysmetric.network_traffic_volume_per_sec\",\"id\":\"9465e81a-cfbb-4c7b-bfc3-9d2154518673\",\"order\":\"desc\",\"type\":\"top_hit\"}],\"override_index_pattern\":0,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"point_size\":1,\"separate_axis\":0,\"series_drop_last_bucket\":0,\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"service.address\",\"time_range_mode\":\"entire_time_range\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"time_range_mode\":\"entire_time_range\",\"tooltip_mode\":\"show_all\",\"truncate_legend\":1,\"type\":\"timeseries\",\"use_kibana_indexes\":true},\"title\":\"\",\"type\":\"metrics\",\"uiState\":{}}},\"gridData\":{\"h\":9,\"i\":\"c3be0eb6-6b65-4686-a1cf-ed11c66b418c\",\"w\":24,\"x\":24,\"y\":36},\"panelIndex\":\"c3be0eb6-6b65-4686-a1cf-ed11c66b418c\",\"title\":\"Network Traffic Volume per second [Metrics Oracle]\",\"type\":\"visualization\",\"version\":\"8.3.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"drop_last_bucket\":0,\"id\":\"c6a7c206-f75c-44f1-9142-c4408879556b\",\"index_pattern_ref_name\":\"metrics_14dbf023-3bc4-43d1-b035-c38e2cdf16ed_0_index_pattern\",\"interval\":\"\",\"isModelInvalid\":false,\"max_lines_legend\":1,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(84,179,153,1)\",\"fill\":0.5,\"formatter\":\"default\",\"id\":\"fa2ed62e-0a11-466f-9d6b-d6cbe8b97c02\",\"label\":\"User Rollbacks per 
second\",\"line_width\":1,\"metrics\":[{\"agg_with\":\"avg\",\"field\":\"oracle.sysmetric.user_rollbacks_per_sec\",\"id\":\"9465e81a-cfbb-4c7b-bfc3-9d2154518673\",\"order\":\"desc\",\"type\":\"top_hit\"}],\"override_index_pattern\":0,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"point_size\":1,\"separate_axis\":0,\"series_drop_last_bucket\":0,\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"service.address\",\"time_range_mode\":\"entire_time_range\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"time_range_mode\":\"entire_time_range\",\"tooltip_mode\":\"show_all\",\"truncate_legend\":1,\"type\":\"timeseries\",\"use_kibana_indexes\":true},\"title\":\"\",\"type\":\"metrics\",\"uiState\":{}}},\"gridData\":{\"h\":9,\"i\":\"14dbf023-3bc4-43d1-b035-c38e2cdf16ed\",\"w\":24,\"x\":0,\"y\":45},\"panelIndex\":\"14dbf023-3bc4-43d1-b035-c38e2cdf16ed\",\"title\":\"User Rollbacks per second [Metrics Oracle]\",\"type\":\"visualization\",\"version\":\"8.3.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"drop_last_bucket\":0,\"id\":\"c6a7c206-f75c-44f1-9142-c4408879556b\",\"index_pattern_ref_name\":\"metrics_fe650da5-109a-4144-ab12-487e42e8f99b_0_index_pattern\",\"interval\":\"\",\"isModelInvalid\":false,\"max_lines_legend\":1,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(84,179,153,1)\",\"fill\":0.5,\"formatter\":\"default\",\"id\":\"fa2ed62e-0a11-466f-9d6b-d6cbe8b97c02\",\"label\":\"CPU Usage per 
second\",\"line_width\":1,\"metrics\":[{\"agg_with\":\"avg\",\"field\":\"oracle.sysmetric.cpu_usage_per_sec\",\"id\":\"9465e81a-cfbb-4c7b-bfc3-9d2154518673\",\"order\":\"desc\",\"type\":\"top_hit\"}],\"override_index_pattern\":0,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"point_size\":1,\"separate_axis\":0,\"series_drop_last_bucket\":0,\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"service.address\",\"time_range_mode\":\"entire_time_range\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"time_range_mode\":\"entire_time_range\",\"tooltip_mode\":\"show_all\",\"truncate_legend\":1,\"type\":\"timeseries\",\"use_kibana_indexes\":true},\"title\":\"\",\"type\":\"metrics\",\"uiState\":{}}},\"gridData\":{\"h\":9,\"i\":\"fe650da5-109a-4144-ab12-487e42e8f99b\",\"w\":24,\"x\":24,\"y\":45},\"panelIndex\":\"fe650da5-109a-4144-ab12-487e42e8f99b\",\"title\":\"CPU Usage per second [Metrics Oracle]\",\"type\":\"visualization\",\"version\":\"8.3.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"drop_last_bucket\":0,\"id\":\"c6a7c206-f75c-44f1-9142-c4408879556b\",\"index_pattern_ref_name\":\"metrics_2aa60f20-b6a7-4898-af36-46a457c6dee6_0_index_pattern\",\"interval\":\"\",\"isModelInvalid\":false,\"max_lines_legend\":1,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(84,179,153,1)\",\"fill\":0.5,\"formatter\":\"default\",\"id\":\"fa2ed62e-0a11-466f-9d6b-d6cbe8b97c02\",\"label\":\"DB Block Changes per 
second\",\"line_width\":1,\"metrics\":[{\"agg_with\":\"avg\",\"field\":\"oracle.sysmetric.db_block_changes_per_sec\",\"id\":\"9465e81a-cfbb-4c7b-bfc3-9d2154518673\",\"order\":\"desc\",\"type\":\"top_hit\"}],\"override_index_pattern\":0,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"point_size\":1,\"separate_axis\":0,\"series_drop_last_bucket\":0,\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"service.address\",\"time_range_mode\":\"entire_time_range\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"time_range_mode\":\"entire_time_range\",\"tooltip_mode\":\"show_all\",\"truncate_legend\":1,\"type\":\"timeseries\",\"use_kibana_indexes\":true},\"title\":\"\",\"type\":\"metrics\",\"uiState\":{}}},\"gridData\":{\"h\":9,\"i\":\"2aa60f20-b6a7-4898-af36-46a457c6dee6\",\"w\":24,\"x\":0,\"y\":54},\"panelIndex\":\"2aa60f20-b6a7-4898-af36-46a457c6dee6\",\"title\":\"DB Block Changes per second [Metrics Oracle]\",\"type\":\"visualization\",\"version\":\"8.3.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"drop_last_bucket\":0,\"id\":\"c6a7c206-f75c-44f1-9142-c4408879556b\",\"index_pattern_ref_name\":\"metrics_cfaed72f-f3bc-4aff-ab77-53b473433116_0_index_pattern\",\"interval\":\"\",\"isModelInvalid\":false,\"max_lines_legend\":1,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(84,179,153,1)\",\"fill\":0.5,\"formatter\":\"default\",\"id\":\"fa2ed62e-0a11-466f-9d6b-d6cbe8b97c02\",\"label\":\"Physical Read Total Bytes per 
second\",\"line_width\":1,\"metrics\":[{\"agg_with\":\"avg\",\"field\":\"oracle.sysmetric.physical_read_total_bytes_per_sec\",\"id\":\"9465e81a-cfbb-4c7b-bfc3-9d2154518673\",\"order\":\"desc\",\"type\":\"top_hit\"}],\"override_index_pattern\":0,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"point_size\":1,\"separate_axis\":0,\"series_drop_last_bucket\":0,\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"service.address\",\"time_range_mode\":\"entire_time_range\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"time_range_mode\":\"entire_time_range\",\"tooltip_mode\":\"show_all\",\"truncate_legend\":1,\"type\":\"timeseries\",\"use_kibana_indexes\":true},\"title\":\"\",\"type\":\"metrics\",\"uiState\":{}}},\"gridData\":{\"h\":9,\"i\":\"cfaed72f-f3bc-4aff-ab77-53b473433116\",\"w\":24,\"x\":24,\"y\":54},\"panelIndex\":\"cfaed72f-f3bc-4aff-ab77-53b473433116\",\"title\":\"Physical Read Total Bytes per second [Metrics Oracle]\",\"type\":\"visualization\",\"version\":\"8.3.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"drop_last_bucket\":0,\"id\":\"c6a7c206-f75c-44f1-9142-c4408879556b\",\"index_pattern_ref_name\":\"metrics_d4b2e08a-3295-441a-acf5-a1ac4d316ca9_0_index_pattern\",\"interval\":\"\",\"isModelInvalid\":false,\"max_lines_legend\":1,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(84,179,153,1)\",\"fill\":0.5,\"formatter\":\"default\",\"id\":\"fa2ed62e-0a11-466f-9d6b-d6cbe8b97c02\",\"label\":\"Response Time Per 
Transaction\",\"line_width\":1,\"metrics\":[{\"agg_with\":\"avg\",\"field\":\"oracle.sysmetric.response_time_per_txn\",\"id\":\"9465e81a-cfbb-4c7b-bfc3-9d2154518673\",\"order\":\"desc\",\"type\":\"top_hit\"}],\"override_index_pattern\":0,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"point_size\":1,\"separate_axis\":0,\"series_drop_last_bucket\":0,\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"service.address\",\"time_range_mode\":\"entire_time_range\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"time_range_mode\":\"entire_time_range\",\"tooltip_mode\":\"show_all\",\"truncate_legend\":1,\"type\":\"timeseries\",\"use_kibana_indexes\":true},\"title\":\"\",\"type\":\"metrics\",\"uiState\":{}}},\"gridData\":{\"h\":9,\"i\":\"d4b2e08a-3295-441a-acf5-a1ac4d316ca9\",\"w\":24,\"x\":0,\"y\":63},\"panelIndex\":\"d4b2e08a-3295-441a-acf5-a1ac4d316ca9\",\"title\":\"Response Time (Centi-Second) per transaction [Metrics Oracle]\",\"type\":\"visualization\",\"version\":\"8.3.0\"}]", - "timeRestore": false, - "title": "[Metrics Oracle] Sysmetric", - "version": 1 - }, - "coreMigrationVersion": "8.3.0", - "id": "oracle-59eeb380-08d7-11ed-9abf-15e60715cfab", - "migrationVersion": { - "dashboard": "8.3.0" - }, - "references": [ - { - "id": "metrics-*", - "name": "5461235c-8f78-4efc-8d60-fdcbb1a3823e:metrics_5461235c-8f78-4efc-8d60-fdcbb1a3823e_0_index_pattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "d19f3a74-3c36-46e6-b682-bdaa3b8dcc26:metrics_d19f3a74-3c36-46e6-b682-bdaa3b8dcc26_0_index_pattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "1edc70d6-135f-42f7-8148-a826a9c769d2:metrics_1edc70d6-135f-42f7-8148-a826a9c769d2_0_index_pattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "da3c4da2-7ff9-478d-bd73-9a4342f6bac1:metrics_da3c4da2-7ff9-478d-bd73-9a4342f6bac1_0_index_pattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": 
"e412984d-be6e-4d04-b53e-50a90837f9df:metrics_e412984d-be6e-4d04-b53e-50a90837f9df_0_index_pattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "d18cbbd4-2e10-4af0-94e0-848f9da6bb66:metrics_d18cbbd4-2e10-4af0-94e0-848f9da6bb66_0_index_pattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "85469acb-e2aa-4a16-8c70-66307d94cf5f:metrics_85469acb-e2aa-4a16-8c70-66307d94cf5f_0_index_pattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "b6dd5668-70d5-440f-b00a-e8d7554a3907:metrics_b6dd5668-70d5-440f-b00a-e8d7554a3907_0_index_pattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "88e9d016-e10b-4a8a-a376-075da5a96fe9:metrics_88e9d016-e10b-4a8a-a376-075da5a96fe9_0_index_pattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "c3be0eb6-6b65-4686-a1cf-ed11c66b418c:metrics_c3be0eb6-6b65-4686-a1cf-ed11c66b418c_0_index_pattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "14dbf023-3bc4-43d1-b035-c38e2cdf16ed:metrics_14dbf023-3bc4-43d1-b035-c38e2cdf16ed_0_index_pattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "fe650da5-109a-4144-ab12-487e42e8f99b:metrics_fe650da5-109a-4144-ab12-487e42e8f99b_0_index_pattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "2aa60f20-b6a7-4898-af36-46a457c6dee6:metrics_2aa60f20-b6a7-4898-af36-46a457c6dee6_0_index_pattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "cfaed72f-f3bc-4aff-ab77-53b473433116:metrics_cfaed72f-f3bc-4aff-ab77-53b473433116_0_index_pattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "d4b2e08a-3295-441a-acf5-a1ac4d316ca9:metrics_d4b2e08a-3295-441a-acf5-a1ac4d316ca9_0_index_pattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "controlGroup_e40198de-6b6b-41ef-97e3-ffece3aa8162:optionsListDataView", - "type": "index-pattern" - } - ], - "type": "dashboard" -} \ No newline at end of file 
diff --git a/packages/oracle/1.4.1/kibana/dashboard/oracle-6b4866c0-1599-11ed-9607-2ba0819b3835.json b/packages/oracle/1.4.1/kibana/dashboard/oracle-6b4866c0-1599-11ed-9607-2ba0819b3835.json deleted file mode 100755 index 5ecb99fcda..0000000000 --- a/packages/oracle/1.4.1/kibana/dashboard/oracle-6b4866c0-1599-11ed-9607-2ba0819b3835.json +++ /dev/null 
@@ -1,143 +0,0 @@ -{ - "attributes": { - "controlGroupInput": { - "chainingSystem": "HIERARCHICAL", - "controlStyle": "oneLine", - "ignoreParentSettingsJSON": "{\"ignoreFilters\":false,\"ignoreQuery\":false,\"ignoreTimerange\":false,\"ignoreValidations\":false}", - "panelsJSON": "{\"3de2a6b1-0cb3-4b1d-8a5f-070387961941\":{\"order\":0,\"width\":\"medium\",\"grow\":true,\"type\":\"optionsListControl\",\"explicitInput\":{\"fieldName\":\"service.address\",\"title\":\"Oracle Host Control\",\"id\":\"3de2a6b1-0cb3-4b1d-8a5f-070387961941\",\"enhancements\":{}}}}" - }, - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"syncTooltips\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"id\":\"28881ff0-159a-11ed-8473-87f6af0978f0\"}],\"drop_last_bucket\":0,\"id\":\"c6a7c206-f75c-44f1-9142-c4408879556b\",\"index_pattern_ref_name\":\"metrics_fccef14a-39c2-4c48-958e-c7d35b573c59_0_index_pattern\",\"interval\":\"\",\"isModelInvalid\":false,\"max_lines_legend\":1,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(84,179,153,1)\",\"fill\":0.5,\"formatter\":\"default\",\"id\":\"fa2ed62e-0a11-466f-9d6b-d6cbe8b97c02\",\"label\":\" 
\",\"line_width\":1,\"metrics\":[{\"agg_with\":\"avg\",\"field\":\"oracle.performance.session_count.active\",\"id\":\"9465e81a-cfbb-4c7b-bfc3-9d2154518673\",\"order\":\"desc\",\"type\":\"top_hit\"}],\"override_index_pattern\":0,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"point_size\":1,\"separate_axis\":0,\"series_drop_last_bucket\":0,\"split_mode\":\"everything\",\"stacked\":\"none\",\"time_range_mode\":\"entire_time_range\",\"value_template\":\"{{value}}\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"time_range_mode\":\"entire_time_range\",\"tooltip_mode\":\"show_all\",\"truncate_legend\":1,\"type\":\"metric\",\"use_kibana_indexes\":true},\"title\":\"\",\"type\":\"metrics\",\"uiState\":{}}},\"gridData\":{\"h\":6,\"i\":\"fccef14a-39c2-4c48-958e-c7d35b573c59\",\"w\":8,\"x\":0,\"y\":0},\"panelIndex\":\"fccef14a-39c2-4c48-958e-c7d35b573c59\",\"title\":\"Active Session Count [Metrics Oracle]\",\"type\":\"visualization\",\"version\":\"8.4.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"id\":\"28881ff0-159a-11ed-8473-87f6af0978f0\"}],\"drop_last_bucket\":0,\"id\":\"c6a7c206-f75c-44f1-9142-c4408879556b\",\"index_pattern_ref_name\":\"metrics_83525479-b533-4868-ba6f-462969f55c31_0_index_pattern\",\"interval\":\"\",\"isModelInvalid\":false,\"max_lines_legend\":1,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(84,179,153,1)\",\"fill\":0.5,\"formatter\":\"default\",\"id\":\"fa2ed62e-0a11-466f-9d6b-d6cbe8b97c02\",\"label\":\" 
\",\"line_width\":1,\"metrics\":[{\"agg_with\":\"avg\",\"field\":\"oracle.performance.session_count.inactive\",\"id\":\"9465e81a-cfbb-4c7b-bfc3-9d2154518673\",\"order\":\"desc\",\"type\":\"top_hit\"}],\"override_index_pattern\":0,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"point_size\":1,\"separate_axis\":0,\"series_drop_last_bucket\":0,\"split_mode\":\"everything\",\"stacked\":\"none\",\"time_range_mode\":\"entire_time_range\",\"value_template\":\"{{value}}\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"time_range_mode\":\"entire_time_range\",\"tooltip_mode\":\"show_all\",\"truncate_legend\":1,\"type\":\"metric\",\"use_kibana_indexes\":true},\"title\":\"\",\"type\":\"metrics\",\"uiState\":{}}},\"gridData\":{\"h\":6,\"i\":\"83525479-b533-4868-ba6f-462969f55c31\",\"w\":8,\"x\":8,\"y\":0},\"panelIndex\":\"83525479-b533-4868-ba6f-462969f55c31\",\"title\":\"InActive Session Count [Metrics Oracle] (copy)\",\"type\":\"visualization\",\"version\":\"8.4.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"id\":\"28881ff0-159a-11ed-8473-87f6af0978f0\"}],\"drop_last_bucket\":0,\"id\":\"c6a7c206-f75c-44f1-9142-c4408879556b\",\"index_pattern_ref_name\":\"metrics_3dfe5e91-0cdf-4a6b-95c8-d91c0f3326ef_0_index_pattern\",\"interval\":\"\",\"isModelInvalid\":false,\"max_lines_legend\":1,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(84,179,153,1)\",\"fill\":0.5,\"formatter\":\"default\",\"id\":\"fa2ed62e-0a11-466f-9d6b-d6cbe8b97c02\",\"label\":\" 
\",\"line_width\":1,\"metrics\":[{\"agg_with\":\"avg\",\"field\":\"oracle.sysmetric.user_transaction_per_sec\",\"id\":\"9465e81a-cfbb-4c7b-bfc3-9d2154518673\",\"order\":\"desc\",\"type\":\"top_hit\"}],\"override_index_pattern\":0,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"point_size\":1,\"separate_axis\":0,\"series_drop_last_bucket\":0,\"split_mode\":\"everything\",\"stacked\":\"none\",\"time_range_mode\":\"entire_time_range\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"time_range_mode\":\"entire_time_range\",\"tooltip_mode\":\"show_all\",\"truncate_legend\":1,\"type\":\"metric\",\"use_kibana_indexes\":true},\"title\":\"\",\"type\":\"metrics\",\"uiState\":{}}},\"gridData\":{\"h\":6,\"i\":\"3dfe5e91-0cdf-4a6b-95c8-d91c0f3326ef\",\"w\":8,\"x\":16,\"y\":0},\"panelIndex\":\"3dfe5e91-0cdf-4a6b-95c8-d91c0f3326ef\",\"title\":\"User Transactions per second [Metrics Oracle]\",\"type\":\"visualization\",\"version\":\"8.4.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"id\":\"51dfc970-08ca-11ed-a12c-5d4b2a3a48a4\"}],\"drop_last_bucket\":0,\"id\":\"0bf6fba1-6aba-4031-b22f-caca9339ee5d\",\"index_pattern_ref_name\":\"metrics_438cfc7d-6aca-4ae5-a0dc-e20025cc1488_0_index_pattern\",\"interval\":\"\",\"isModelInvalid\":false,\"max_lines_legend\":1,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(84,179,153,1)\",\"fill\":0.5,\"formatter\":\"default\",\"id\":\"8c22d686-b04c-4154-a424-d2e366b260f8\",\"label\":\" 
\",\"line_width\":1,\"metrics\":[{\"field\":\"oracle.performance.cursors.opened.current\",\"id\":\"42eab07c-8975-4bf8-b429-85ae12bd3e7d\",\"type\":\"max\"}],\"override_index_pattern\":0,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"point_size\":1,\"separate_axis\":0,\"series_drop_last_bucket\":0,\"split_mode\":\"everything\",\"stacked\":\"none\",\"time_range_mode\":\"entire_time_range\"}],\"show_grid\":1,\"show_legend\":0,\"time_field\":\"\",\"time_range_mode\":\"entire_time_range\",\"tooltip_mode\":\"show_all\",\"truncate_legend\":1,\"type\":\"metric\",\"use_kibana_indexes\":true},\"title\":\"\",\"type\":\"metrics\",\"uiState\":{}}},\"gridData\":{\"h\":6,\"i\":\"438cfc7d-6aca-4ae5-a0dc-e20025cc1488\",\"w\":8,\"x\":24,\"y\":0},\"panelIndex\":\"438cfc7d-6aca-4ae5-a0dc-e20025cc1488\",\"title\":\"Current opened cursors [Metrics Oracle]\",\"type\":\"visualization\",\"version\":\"8.4.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"id\":\"e24122f0-13a3-11ed-ac2d-bba62e78d30c\"}],\"drop_last_bucket\":0,\"id\":\"c78db4b3-758b-4967-b1e3-fd5d66cc8508\",\"index_pattern_ref_name\":\"metrics_4b465607-cfa3-463d-b9ad-1f4c1ee62c3d_0_index_pattern\",\"interval\":\"\",\"isModelInvalid\":false,\"legend_position\":\"bottom\",\"max_lines_legend\":1,\"series\":[{\"axis_position\":\"left\",\"chart_type\":\"line\",\"color\":\"rgba(84,179,153,1)\",\"fill\":\"0.5\",\"formatter\":\"00.0\",\"id\":\"ebe118d0-13a6-11ed-ac2d-bba62e78d30c\",\"label\":\" 
\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"oracle.pga_sga.sga_total_memory\",\"id\":\"ebe118d1-13a6-11ed-ac2d-bba62e78d30c\",\"type\":\"avg\"},{\"field\":\"oracle.pga_sga.sga_free_memory\",\"id\":\"7042d7f0-1571-11ed-8473-87f6af0978f0\",\"type\":\"avg\"},{\"id\":\"80e236f0-1571-11ed-8473-87f6af0978f0\",\"script\":\"(params.free / params.total) * 100\",\"type\":\"math\",\"variables\":[{\"field\":\"7042d7f0-1571-11ed-8473-87f6af0978f0\",\"id\":\"83727ec0-1571-11ed-8473-87f6af0978f0\",\"name\":\"free\"},{\"field\":\"ebe118d1-13a6-11ed-ac2d-bba62e78d30c\",\"id\":\"87d69c30-1571-11ed-8473-87f6af0978f0\",\"name\":\"total\"}]}],\"override_index_pattern\":0,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"point_size\":\"2\",\"separate_axis\":1,\"series_drop_last_bucket\":0,\"split_mode\":\"everything\",\"stacked\":\"none\",\"steps\":0,\"time_range_mode\":\"entire_time_range\",\"value_template\":\"{{value}}%\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"time_range_mode\":\"entire_time_range\",\"tooltip_mode\":\"show_all\",\"truncate_legend\":1,\"type\":\"metric\",\"use_kibana_indexes\":true},\"title\":\"\",\"type\":\"metrics\",\"uiState\":{}}},\"gridData\":{\"h\":6,\"i\":\"4b465607-cfa3-463d-b9ad-1f4c1ee62c3d\",\"w\":8,\"x\":32,\"y\":0},\"panelIndex\":\"4b465607-cfa3-463d-b9ad-1f4c1ee62c3d\",\"title\":\"Shared Pool Free Percentage [Metrics 
Oracle]\",\"type\":\"visualization\",\"version\":\"8.4.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"id\":\"\",\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"id\":\"cd175a40-159a-11ed-8473-87f6af0978f0\"}],\"drop_last_bucket\":0,\"gauge_color_rules\":[{\"id\":\"fefde680-08c7-11ed-a12c-5d4b2a3a48a4\"}],\"gauge_inner_width\":10,\"gauge_style\":\"half\",\"gauge_width\":10,\"id\":\"041284f6-9f0a-4497-a3f3-62b7fde78734\",\"index_pattern_ref_name\":\"metrics_2c913f00-88a4-4846-afa1-4bc687a2f610_0_index_pattern\",\"interval\":\"\",\"isModelInvalid\":false,\"max_lines_legend\":1,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(84,179,153,1)\",\"fill\":0.5,\"formatter\":\"default\",\"id\":\"7f68b308-f13e-420f-95e2-033405dc19b2\",\"label\":\" \",\"line_width\":1,\"metrics\":[{\"field\":\"oracle.performance.cache.buffer.hit.pct\",\"id\":\"bfe864c9-7c4e-49a5-bea4-faaeaee77d9d\",\"type\":\"avg\"}],\"override_index_pattern\":0,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"point_size\":1,\"separate_axis\":0,\"series_drop_last_bucket\":0,\"split_mode\":\"everything\",\"stacked\":\"none\",\"time_range_mode\":\"entire_time_range\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"time_range_mode\":\"entire_time_range\",\"tooltip_mode\":\"show_all\",\"truncate_legend\":1,\"type\":\"metric\",\"use_kibana_indexes\":true},\"title\":\"\",\"type\":\"metrics\",\"uiState\":{}}},\"gridData\":{\"h\":6,\"i\":\"2c913f00-88a4-4846-afa1-4bc687a2f610\",\"w\":8,\"x\":40,\"y\":0},\"panelIndex\":\"2c913f00-88a4-4846-afa1-4bc687a2f610\",\"title\":\"Cache Buffer Hit Ratio [Metrics 
Oracle]\",\"type\":\"visualization\",\"version\":\"8.4.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"id\":\"28881ff0-159a-11ed-8473-87f6af0978f0\"}],\"drop_last_bucket\":0,\"id\":\"c6a7c206-f75c-44f1-9142-c4408879556b\",\"index_pattern_ref_name\":\"metrics_8ad2c774-0180-4600-8162-b562315e7282_0_index_pattern\",\"interval\":\"\",\"isModelInvalid\":false,\"max_lines_legend\":1,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(84,179,153,1)\",\"fill\":0.5,\"formatter\":\"default\",\"id\":\"fa2ed62e-0a11-466f-9d6b-d6cbe8b97c02\",\"label\":\" \",\"line_width\":1,\"metrics\":[{\"agg_with\":\"avg\",\"field\":\"oracle.performance.session_count.inactive_morethan_onehr\",\"id\":\"9465e81a-cfbb-4c7b-bfc3-9d2154518673\",\"order\":\"desc\",\"type\":\"top_hit\"}],\"override_index_pattern\":0,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"point_size\":1,\"separate_axis\":0,\"series_drop_last_bucket\":0,\"split_mode\":\"everything\",\"stacked\":\"none\",\"time_range_mode\":\"entire_time_range\",\"value_template\":\"{{value}}\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"time_range_mode\":\"entire_time_range\",\"tooltip_mode\":\"show_all\",\"truncate_legend\":1,\"type\":\"metric\",\"use_kibana_indexes\":true},\"title\":\"\",\"type\":\"metrics\",\"uiState\":{}}},\"gridData\":{\"h\":6,\"i\":\"8ad2c774-0180-4600-8162-b562315e7282\",\"w\":24,\"x\":0,\"y\":6},\"panelIndex\":\"8ad2c774-0180-4600-8162-b562315e7282\",\"title\":\"InActive Session Count \\u003e 1hr [Metrics 
Oracle]\",\"type\":\"visualization\",\"version\":\"8.4.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"id\":\"e24122f0-13a3-11ed-ac2d-bba62e78d30c\"}],\"drop_last_bucket\":0,\"id\":\"c78db4b3-758b-4967-b1e3-fd5d66cc8508\",\"index_pattern_ref_name\":\"metrics_454c3a56-4b8b-47a9-832b-33a1991ed934_0_index_pattern\",\"interval\":\"\",\"isModelInvalid\":false,\"legend_position\":\"bottom\",\"max_lines_legend\":1,\"series\":[{\"axis_position\":\"left\",\"chart_type\":\"line\",\"color\":\"rgba(84,179,153,1)\",\"fill\":\"0\",\"formatter\":\"number\",\"id\":\"bbdce57d-1d8a-4c0e-a94d-2b9511cd0f8c\",\"label\":\"Sorts (Memory)\",\"line_width\":\"1\",\"metrics\":[{\"field\":\"oracle.system_statistics.sorts_memory\",\"id\":\"78823468-ea1e-4798-842e-54c8999b8bb3\",\"type\":\"max\"},{\"field\":\"78823468-ea1e-4798-842e-54c8999b8bb3\",\"id\":\"94a76e20-139c-11ed-b7bb-c962dc44100f\",\"type\":\"derivative\",\"unit\":\"5m\"}],\"override_index_pattern\":1,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"point_size\":1,\"separate_axis\":0,\"series_drop_last_bucket\":0,\"series_index_pattern_ref_name\":\"metrics_454c3a56-4b8b-47a9-832b-33a1991ed934_1_index_pattern\",\"split_color_mode\":null,\"split_mode\":\"everything\",\"stacked\":\"none\",\"time_range_mode\":\"entire_time_range\"},{\"axis_position\":\"left\",\"chart_type\":\"line\",\"color\":\"rgba(96,146,192,1)\",\"fill\":\"0\",\"formatter\":\"number\",\"id\":\"fb93bbf0-13a8-11ed-ac2d-bba62e78d30c\",\"label\":\"Sorts 
(Disk)\",\"line_width\":\"1\",\"metrics\":[{\"field\":\"oracle.system_statistics.sorts_disk\",\"id\":\"fb93bbf1-13a8-11ed-ac2d-bba62e78d30c\",\"type\":\"max\"},{\"field\":\"fb93bbf1-13a8-11ed-ac2d-bba62e78d30c\",\"id\":\"fb93e301-13a8-11ed-ac2d-bba62e78d30c\",\"type\":\"derivative\",\"unit\":\"5m\"}],\"override_index_pattern\":1,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"point_size\":1,\"separate_axis\":0,\"series_drop_last_bucket\":0,\"series_index_pattern_ref_name\":\"metrics_454c3a56-4b8b-47a9-832b-33a1991ed934_2_index_pattern\",\"split_color_mode\":null,\"split_mode\":\"everything\",\"stacked\":\"none\",\"time_range_mode\":\"entire_time_range\"}],\"show_grid\":0,\"show_legend\":1,\"time_field\":\"\",\"time_range_mode\":\"entire_time_range\",\"tooltip_mode\":\"show_all\",\"truncate_legend\":1,\"type\":\"timeseries\",\"use_kibana_indexes\":true},\"title\":\"\",\"type\":\"metrics\",\"uiState\":{}}},\"gridData\":{\"h\":10,\"i\":\"454c3a56-4b8b-47a9-832b-33a1991ed934\",\"w\":24,\"x\":24,\"y\":6},\"panelIndex\":\"454c3a56-4b8b-47a9-832b-33a1991ed934\",\"title\":\"Parse count - Sorts Memory vs Sorts Disk [Metrics 
Oracle]\",\"type\":\"visualization\",\"version\":\"8.4.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"id\":\"e24122f0-13a3-11ed-ac2d-bba62e78d30c\"}],\"drop_last_bucket\":0,\"id\":\"c78db4b3-758b-4967-b1e3-fd5d66cc8508\",\"index_pattern_ref_name\":\"metrics_920ebc93-000f-4859-a8d1-971fed50afe4_0_index_pattern\",\"interval\":\"\",\"isModelInvalid\":false,\"legend_position\":\"bottom\",\"max_lines_legend\":1,\"series\":[{\"axis_position\":\"left\",\"chart_type\":\"bar\",\"color\":\"rgba(84,179,153,1)\",\"fill\":\"0.5\",\"formatter\":\"00.0\",\"id\":\"bbdce57d-1d8a-4c0e-a94d-2b9511cd0f8c\",\"label\":\"Wait time Percentage\",\"line_width\":\"1\",\"metrics\":[{\"field\":\"oracle.performance.wait.pct_time\",\"id\":\"78823468-ea1e-4798-842e-54c8999b8bb3\",\"type\":\"max\"}],\"override_index_pattern\":1,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"point_size\":1,\"separate_axis\":0,\"series_drop_last_bucket\":0,\"series_index_pattern_ref_name\":\"metrics_920ebc93-000f-4859-a8d1-971fed50afe4_1_index_pattern\",\"split_color_mode\":null,\"split_mode\":\"terms\",\"stacked\":\"stacked\",\"terms_field\":\"oracle.performance.wait.wait_class\",\"time_range_mode\":\"entire_time_range\",\"value_template\":\"{{value}} %\"}],\"show_grid\":0,\"show_legend\":1,\"time_field\":\"\",\"time_range_mode\":\"entire_time_range\",\"tooltip_mode\":\"show_all\",\"truncate_legend\":1,\"type\":\"timeseries\",\"use_kibana_indexes\":true},\"title\":\"\",\"type\":\"metrics\",\"uiState\":{}}},\"gridData\":{\"h\":10,\"i\":\"920ebc93-000f-4859-a8d1-971fed50afe4\",\"w\":24,\"x\":0,\"y\":12},\"panelIndex\":\"920ebc93-000f-4859-a8d1-971fed50afe4\",\"title\":\"Wait Time Percentage [Metrics 
Oracle]\",\"type\":\"visualization\",\"version\":\"8.4.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"drop_last_bucket\":0,\"id\":\"c6a7c206-f75c-44f1-9142-c4408879556b\",\"index_pattern_ref_name\":\"metrics_aa6a165c-9840-424b-8439-579b0060b57d_0_index_pattern\",\"interval\":\"\",\"isModelInvalid\":false,\"max_lines_legend\":1,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(84,179,153,1)\",\"fill\":0.5,\"formatter\":\"default\",\"id\":\"fa2ed62e-0a11-466f-9d6b-d6cbe8b97c02\",\"label\":\"Response Time Per Transaction\",\"line_width\":1,\"metrics\":[{\"agg_with\":\"avg\",\"field\":\"oracle.sysmetric.response_time_per_txn\",\"id\":\"9465e81a-cfbb-4c7b-bfc3-9d2154518673\",\"order\":\"desc\",\"type\":\"top_hit\"}],\"override_index_pattern\":0,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"point_size\":1,\"separate_axis\":0,\"series_drop_last_bucket\":0,\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"service.address\",\"time_range_mode\":\"entire_time_range\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"time_range_mode\":\"entire_time_range\",\"tooltip_mode\":\"show_all\",\"truncate_legend\":1,\"type\":\"timeseries\",\"use_kibana_indexes\":true},\"title\":\"\",\"type\":\"metrics\",\"uiState\":{}}},\"gridData\":{\"h\":10,\"i\":\"aa6a165c-9840-424b-8439-579b0060b57d\",\"w\":24,\"x\":24,\"y\":16},\"panelIndex\":\"aa6a165c-9840-424b-8439-579b0060b57d\",\"title\":\"Response Time (Centi-Second) per transaction [Metrics 
Oracle]\",\"type\":\"visualization\",\"version\":\"8.4.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"id\":\"e24122f0-13a3-11ed-ac2d-bba62e78d30c\"}],\"drop_last_bucket\":0,\"id\":\"c78db4b3-758b-4967-b1e3-fd5d66cc8508\",\"index_pattern_ref_name\":\"metrics_e78668fc-df19-4c94-a855-12ba59b19f0f_0_index_pattern\",\"interval\":\"\",\"isModelInvalid\":false,\"legend_position\":\"bottom\",\"max_lines_legend\":1,\"series\":[{\"axis_position\":\"left\",\"chart_type\":\"bar\",\"color\":\"rgba(84,179,153,1)\",\"fill\":\"0.5\",\"formatter\":\"00.0\",\"id\":\"bbdce57d-1d8a-4c0e-a94d-2b9511cd0f8c\",\"label\":\"Wait time Request Percentage\",\"line_width\":\"1\",\"metrics\":[{\"field\":\"oracle.performance.wait.pct_waits\",\"id\":\"78823468-ea1e-4798-842e-54c8999b8bb3\",\"type\":\"max\"}],\"override_index_pattern\":1,\"palette\":{\"name\":\"status\",\"type\":\"palette\"},\"point_size\":1,\"separate_axis\":0,\"series_drop_last_bucket\":0,\"series_index_pattern_ref_name\":\"metrics_e78668fc-df19-4c94-a855-12ba59b19f0f_1_index_pattern\",\"split_color_mode\":null,\"split_mode\":\"terms\",\"stacked\":\"stacked\",\"terms_field\":\"oracle.performance.wait.wait_class\",\"time_range_mode\":\"entire_time_range\",\"value_template\":\"{{value}} %\"}],\"show_grid\":0,\"show_legend\":1,\"time_field\":\"\",\"time_range_mode\":\"entire_time_range\",\"tooltip_mode\":\"show_all\",\"truncate_legend\":1,\"type\":\"timeseries\",\"use_kibana_indexes\":true},\"title\":\"\",\"type\":\"metrics\",\"uiState\":{}}},\"gridData\":{\"h\":10,\"i\":\"e78668fc-df19-4c94-a855-12ba59b19f0f\",\"w\":24,\"x\":0,\"y\":22},\"panelIndex\":\"e78668fc-df19-4c94-a855-12ba59b19f0f\",\"title\":\"Wait Time Request Percentage 
[Metrics Oracle]\",\"type\":\"visualization\",\"version\":\"8.4.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"id\":\"e24122f0-13a3-11ed-ac2d-bba62e78d30c\"}],\"drop_last_bucket\":0,\"id\":\"c78db4b3-758b-4967-b1e3-fd5d66cc8508\",\"index_pattern_ref_name\":\"metrics_c01e27f8-3cac-49c2-b040-00217e983743_0_index_pattern\",\"interval\":\"\",\"isModelInvalid\":false,\"legend_position\":\"bottom\",\"max_lines_legend\":1,\"series\":[{\"axis_position\":\"left\",\"chart_type\":\"line\",\"color\":\"rgba(84,179,153,1)\",\"fill\":\"0\",\"formatter\":\"number\",\"id\":\"bbdce57d-1d8a-4c0e-a94d-2b9511cd0f8c\",\"label\":\"Cache Hit Percentage\",\"line_width\":\"1\",\"metrics\":[{\"field\":\"oracle.pga_sga.cache_hit_pct\",\"id\":\"78823468-ea1e-4798-842e-54c8999b8bb3\",\"type\":\"avg\"}],\"override_index_pattern\":1,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"point_size\":1,\"separate_axis\":0,\"series_drop_last_bucket\":0,\"series_index_pattern_ref_name\":\"metrics_c01e27f8-3cac-49c2-b040-00217e983743_1_index_pattern\",\"split_color_mode\":null,\"split_mode\":\"everything\",\"stacked\":\"none\",\"time_range_mode\":\"entire_time_range\"}],\"show_grid\":0,\"show_legend\":1,\"time_field\":\"\",\"time_range_mode\":\"entire_time_range\",\"tooltip_mode\":\"show_all\",\"truncate_legend\":1,\"type\":\"timeseries\",\"use_kibana_indexes\":true},\"title\":\"\",\"type\":\"metrics\",\"uiState\":{}}},\"gridData\":{\"h\":11,\"i\":\"c01e27f8-3cac-49c2-b040-00217e983743\",\"w\":24,\"x\":24,\"y\":26},\"panelIndex\":\"c01e27f8-3cac-49c2-b040-00217e983743\",\"title\":\"Cache Hit Percentage [Metrics 
Oracle]\",\"type\":\"visualization\",\"version\":\"8.4.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"id\":\"e24122f0-13a3-11ed-ac2d-bba62e78d30c\"}],\"drop_last_bucket\":0,\"id\":\"c78db4b3-758b-4967-b1e3-fd5d66cc8508\",\"index_pattern_ref_name\":\"metrics_7dfa318b-a0e2-4a1f-bd54-e7362935548d_0_index_pattern\",\"interval\":\"\",\"isModelInvalid\":false,\"legend_position\":\"bottom\",\"max_lines_legend\":1,\"series\":[{\"axis_position\":\"left\",\"chart_type\":\"line\",\"color\":\"rgba(84,179,153,1)\",\"fill\":\"0\",\"formatter\":\"number\",\"id\":\"bbdce57d-1d8a-4c0e-a94d-2b9511cd0f8c\",\"label\":\"Parse Count Hard\",\"line_width\":\"1\",\"metrics\":[{\"field\":\"oracle.system_statistics.parse_count_hard\",\"id\":\"78823468-ea1e-4798-842e-54c8999b8bb3\",\"type\":\"max\"},{\"field\":\"78823468-ea1e-4798-842e-54c8999b8bb3\",\"id\":\"94a76e20-139c-11ed-b7bb-c962dc44100f\",\"type\":\"derivative\",\"unit\":\"5m\"}],\"override_index_pattern\":1,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"point_size\":1,\"separate_axis\":0,\"series_drop_last_bucket\":0,\"series_index_pattern_ref_name\":\"metrics_7dfa318b-a0e2-4a1f-bd54-e7362935548d_1_index_pattern\",\"split_color_mode\":null,\"split_mode\":\"everything\",\"stacked\":\"none\",\"time_range_mode\":\"entire_time_range\"},{\"axis_position\":\"left\",\"chart_type\":\"bar\",\"color\":\"rgba(203,240,230,1)\",\"fill\":\"0.7\",\"formatter\":\"number\",\"id\":\"fb93bbf0-13a8-11ed-ac2d-bba62e78d30c\",\"label\":\"Parse Count 
Total\",\"line_width\":\"1\",\"metrics\":[{\"field\":\"oracle.performance.parse_count_total\",\"id\":\"fb93bbf1-13a8-11ed-ac2d-bba62e78d30c\",\"type\":\"max\"},{\"field\":\"fb93bbf1-13a8-11ed-ac2d-bba62e78d30c\",\"id\":\"fb93e301-13a8-11ed-ac2d-bba62e78d30c\",\"type\":\"derivative\",\"unit\":\"5m\"}],\"override_index_pattern\":1,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"point_size\":1,\"separate_axis\":0,\"series_drop_last_bucket\":0,\"series_index_pattern_ref_name\":\"metrics_7dfa318b-a0e2-4a1f-bd54-e7362935548d_2_index_pattern\",\"split_color_mode\":null,\"split_mode\":\"everything\",\"stacked\":\"none\",\"time_range_mode\":\"entire_time_range\"}],\"show_grid\":0,\"show_legend\":1,\"time_field\":\"\",\"time_range_mode\":\"entire_time_range\",\"tooltip_mode\":\"show_all\",\"truncate_legend\":1,\"type\":\"timeseries\",\"use_kibana_indexes\":true},\"title\":\"\",\"type\":\"metrics\",\"uiState\":{}}},\"gridData\":{\"h\":10,\"i\":\"7dfa318b-a0e2-4a1f-bd54-e7362935548d\",\"w\":24,\"x\":0,\"y\":32},\"panelIndex\":\"7dfa318b-a0e2-4a1f-bd54-e7362935548d\",\"title\":\"Parse count - Total vs Hard [Metrics Oracle]\",\"type\":\"visualization\",\"version\":\"8.4.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"drop_last_bucket\":0,\"id\":\"c6a7c206-f75c-44f1-9142-c4408879556b\",\"index_pattern_ref_name\":\"metrics_8ff3ea00-57e4-426d-9968-3b497ddcafb3_0_index_pattern\",\"interval\":\"\",\"isModelInvalid\":false,\"max_lines_legend\":1,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(84,179,153,1)\",\"fill\":0.5,\"formatter\":\"default\",\"id\":\"fa2ed62e-0a11-466f-9d6b-d6cbe8b97c02\",\"label\":\"Host CPU Utilization 
(%)\",\"line_width\":1,\"metrics\":[{\"agg_with\":\"avg\",\"field\":\"oracle.sysmetric.host_cpu_utilization_pct\",\"id\":\"9465e81a-cfbb-4c7b-bfc3-9d2154518673\",\"order\":\"desc\",\"type\":\"top_hit\"}],\"override_index_pattern\":0,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"point_size\":1,\"separate_axis\":0,\"series_drop_last_bucket\":0,\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"service.address\",\"time_range_mode\":\"entire_time_range\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"time_range_mode\":\"entire_time_range\",\"tooltip_mode\":\"show_all\",\"truncate_legend\":1,\"type\":\"timeseries\",\"use_kibana_indexes\":true},\"title\":\"\",\"type\":\"metrics\",\"uiState\":{}}},\"gridData\":{\"h\":11,\"i\":\"8ff3ea00-57e4-426d-9968-3b497ddcafb3\",\"w\":24,\"x\":24,\"y\":37},\"panelIndex\":\"8ff3ea00-57e4-426d-9968-3b497ddcafb3\",\"title\":\"Host CPU Utilization (%) [Metrics Oracle]\",\"type\":\"visualization\",\"version\":\"8.4.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"id\":\"e24122f0-13a3-11ed-ac2d-bba62e78d30c\"}],\"drop_last_bucket\":0,\"id\":\"c78db4b3-758b-4967-b1e3-fd5d66cc8508\",\"index_pattern_ref_name\":\"metrics_7d8c17b6-bae8-4d50-bbe6-10ff2e3f02ad_0_index_pattern\",\"interval\":\"\",\"isModelInvalid\":false,\"legend_position\":\"bottom\",\"max_lines_legend\":1,\"series\":[{\"axis_position\":\"left\",\"chart_type\":\"line\",\"color\":\"rgba(84,179,153,1)\",\"fill\":\"0.5\",\"formatter\":\"00.0\",\"id\":\"ebe118d0-13a6-11ed-ac2d-bba62e78d30c\",\"label\":\" 
\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"oracle.pga_sga.sga_total_memory\",\"id\":\"ebe118d1-13a6-11ed-ac2d-bba62e78d30c\",\"type\":\"avg\"},{\"field\":\"oracle.pga_sga.sga_free_memory\",\"id\":\"7042d7f0-1571-11ed-8473-87f6af0978f0\",\"type\":\"avg\"},{\"id\":\"80e236f0-1571-11ed-8473-87f6af0978f0\",\"script\":\"(params.free / params.total) * 100\",\"type\":\"math\",\"variables\":[{\"field\":\"7042d7f0-1571-11ed-8473-87f6af0978f0\",\"id\":\"83727ec0-1571-11ed-8473-87f6af0978f0\",\"name\":\"free\"},{\"field\":\"ebe118d1-13a6-11ed-ac2d-bba62e78d30c\",\"id\":\"87d69c30-1571-11ed-8473-87f6af0978f0\",\"name\":\"total\"}]}],\"override_index_pattern\":0,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"point_size\":\"2\",\"separate_axis\":1,\"series_drop_last_bucket\":0,\"split_mode\":\"everything\",\"stacked\":\"none\",\"steps\":0,\"time_range_mode\":\"entire_time_range\",\"value_template\":\"{{value}}%\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"time_range_mode\":\"entire_time_range\",\"tooltip_mode\":\"show_all\",\"truncate_legend\":1,\"type\":\"timeseries\",\"use_kibana_indexes\":true},\"title\":\"\",\"type\":\"metrics\",\"uiState\":{}}},\"gridData\":{\"h\":10,\"i\":\"7d8c17b6-bae8-4d50-bbe6-10ff2e3f02ad\",\"w\":24,\"x\":0,\"y\":42},\"panelIndex\":\"7d8c17b6-bae8-4d50-bbe6-10ff2e3f02ad\",\"title\":\"Shared Pool Free Percentage [Metrics Oracle]\",\"type\":\"visualization\",\"version\":\"8.4.0-SNAPSHOT\"}]", - "timeRestore": false, - "title": "[Metrics Oracle] Performance Metrics", - "version": 1 - }, - "coreMigrationVersion": "8.3.0", - "id": "oracle-6b4866c0-1599-11ed-9607-2ba0819b3835", - "migrationVersion": { - "dashboard": "8.3.0" - }, - "references": [ - { - "id": "metrics-*", - "name": "fccef14a-39c2-4c48-958e-c7d35b573c59:metrics_fccef14a-39c2-4c48-958e-c7d35b573c59_0_index_pattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": 
"83525479-b533-4868-ba6f-462969f55c31:metrics_83525479-b533-4868-ba6f-462969f55c31_0_index_pattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "3dfe5e91-0cdf-4a6b-95c8-d91c0f3326ef:metrics_3dfe5e91-0cdf-4a6b-95c8-d91c0f3326ef_0_index_pattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "438cfc7d-6aca-4ae5-a0dc-e20025cc1488:metrics_438cfc7d-6aca-4ae5-a0dc-e20025cc1488_0_index_pattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "4b465607-cfa3-463d-b9ad-1f4c1ee62c3d:metrics_4b465607-cfa3-463d-b9ad-1f4c1ee62c3d_0_index_pattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "2c913f00-88a4-4846-afa1-4bc687a2f610:metrics_2c913f00-88a4-4846-afa1-4bc687a2f610_0_index_pattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "8ad2c774-0180-4600-8162-b562315e7282:metrics_8ad2c774-0180-4600-8162-b562315e7282_0_index_pattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "454c3a56-4b8b-47a9-832b-33a1991ed934:metrics_454c3a56-4b8b-47a9-832b-33a1991ed934_0_index_pattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "454c3a56-4b8b-47a9-832b-33a1991ed934:metrics_454c3a56-4b8b-47a9-832b-33a1991ed934_1_index_pattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "454c3a56-4b8b-47a9-832b-33a1991ed934:metrics_454c3a56-4b8b-47a9-832b-33a1991ed934_2_index_pattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "920ebc93-000f-4859-a8d1-971fed50afe4:metrics_920ebc93-000f-4859-a8d1-971fed50afe4_0_index_pattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "920ebc93-000f-4859-a8d1-971fed50afe4:metrics_920ebc93-000f-4859-a8d1-971fed50afe4_1_index_pattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "aa6a165c-9840-424b-8439-579b0060b57d:metrics_aa6a165c-9840-424b-8439-579b0060b57d_0_index_pattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - 
"name": "e78668fc-df19-4c94-a855-12ba59b19f0f:metrics_e78668fc-df19-4c94-a855-12ba59b19f0f_0_index_pattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "e78668fc-df19-4c94-a855-12ba59b19f0f:metrics_e78668fc-df19-4c94-a855-12ba59b19f0f_1_index_pattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "c01e27f8-3cac-49c2-b040-00217e983743:metrics_c01e27f8-3cac-49c2-b040-00217e983743_0_index_pattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "c01e27f8-3cac-49c2-b040-00217e983743:metrics_c01e27f8-3cac-49c2-b040-00217e983743_1_index_pattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "7dfa318b-a0e2-4a1f-bd54-e7362935548d:metrics_7dfa318b-a0e2-4a1f-bd54-e7362935548d_0_index_pattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "7dfa318b-a0e2-4a1f-bd54-e7362935548d:metrics_7dfa318b-a0e2-4a1f-bd54-e7362935548d_1_index_pattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "7dfa318b-a0e2-4a1f-bd54-e7362935548d:metrics_7dfa318b-a0e2-4a1f-bd54-e7362935548d_2_index_pattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "8ff3ea00-57e4-426d-9968-3b497ddcafb3:metrics_8ff3ea00-57e4-426d-9968-3b497ddcafb3_0_index_pattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "7d8c17b6-bae8-4d50-bbe6-10ff2e3f02ad:metrics_7d8c17b6-bae8-4d50-bbe6-10ff2e3f02ad_0_index_pattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "controlGroup_3de2a6b1-0cb3-4b1d-8a5f-070387961941:optionsListDataView", - "type": "index-pattern" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/oracle/1.4.1/kibana/dashboard/oracle-9e19fb00-08e1-11ed-9abf-15e60715cfab.json b/packages/oracle/1.4.1/kibana/dashboard/oracle-9e19fb00-08e1-11ed-9abf-15e60715cfab.json deleted file mode 100755 index 1d5df12200..0000000000 
--- a/packages/oracle/1.4.1/kibana/dashboard/oracle-9e19fb00-08e1-11ed-9abf-15e60715cfab.json
+++ /dev/null
@@ -1,42 +0,0 @@ -{ - "attributes": { - "description": "An overview of key metrics from all Metricsets in the Oracle database ", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"syncTooltips\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"id\":\"\",\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"drop_last_bucket\":0,\"id\":\"e640ae4d-6372-4a49-be99-4e477874dccb\",\"index_pattern_ref_name\":\"metrics_5e206919-734c-40b5-a7c8-382c24cbd202_0_index_pattern\",\"interval\":\"\",\"isModelInvalid\":false,\"max_lines_legend\":1,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"default\",\"id\":\"c2f70760-43b9-4f8a-b3d5-a15b7f9ff585\",\"label\":\"Data file size by 
filename\",\"line_width\":1,\"metrics\":[{\"field\":\"oracle.tablespace.data_file.size.bytes\",\"id\":\"2ecdfc99-39a3-4c97-9dc4-72585cab6138\",\"type\":\"avg\"}],\"override_index_pattern\":0,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"point_size\":1,\"separate_axis\":0,\"series_drop_last_bucket\":0,\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"oracle.tablespace.data_file.name\",\"time_range_mode\":\"entire_time_range\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"time_range_mode\":\"entire_time_range\",\"tooltip_mode\":\"show_all\",\"truncate_legend\":1,\"type\":\"timeseries\",\"use_kibana_indexes\":true},\"title\":\"\",\"type\":\"metrics\",\"uiState\":{}}},\"gridData\":{\"h\":15,\"i\":\"5e206919-734c-40b5-a7c8-382c24cbd202\",\"w\":24,\"x\":0,\"y\":0},\"panelIndex\":\"5e206919-734c-40b5-a7c8-382c24cbd202\",\"title\":\"Avg data file size by filename [Metrics Oracle]\",\"type\":\"visualization\",\"version\":\"8.3.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"id\":\"\",\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"bar_color_rules\":[{\"id\":\"79a807d0-08c8-11ed-a12c-5d4b2a3a48a4\"}],\"drop_last_bucket\":0,\"id\":\"fc16576c-5187-43f1-b5ee-b5c45133a5a8\",\"index_pattern_ref_name\":\"metrics_3b1f6b7f-519e-4180-8946-ab1318580f2e_0_index_pattern\",\"interval\":\"\",\"isModelInvalid\":false,\"max_lines_legend\":1,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(84,179,153,1)\",\"fill\":0.5,\"formatter\":\"default\",\"id\":\"d0c9577a-4556-4042-af76-ce4865dd9730\",\"line_width\":1,\"metrics\":[{\"field\":\"oracle.tablespace.space.used.bytes\",\"id\":\"800f1ba7-aa50-401c-ba9e-8950b765aac3\",\"type\":\"avg\"},{\"field\":\"oracle.tablespace.space.total.bytes\",\"id\":\"94a9c9b0-08c8-11
ed-a12c-5d4b2a3a48a4\",\"type\":\"avg\"},{\"id\":\"b36d9ca0-08c8-11ed-a12c-5d4b2a3a48a4\",\"script\":\"params.used / params.total\",\"type\":\"math\",\"variables\":[{\"field\":\"800f1ba7-aa50-401c-ba9e-8950b765aac3\",\"id\":\"b74cab90-08c8-11ed-a12c-5d4b2a3a48a4\",\"name\":\"used\"},{\"field\":\"94a9c9b0-08c8-11ed-a12c-5d4b2a3a48a4\",\"id\":\"bbb92d70-08c8-11ed-a12c-5d4b2a3a48a4\",\"name\":\"total\"}]}],\"override_index_pattern\":0,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"point_size\":1,\"separate_axis\":0,\"series_drop_last_bucket\":0,\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"oracle.tablespace.name\",\"terms_order_by\":\"800f1ba7-aa50-401c-ba9e-8950b765aac3\",\"time_range_mode\":\"entire_time_range\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"time_range_mode\":\"entire_time_range\",\"tooltip_mode\":\"show_all\",\"truncate_legend\":1,\"type\":\"top_n\",\"use_kibana_indexes\":true},\"title\":\"\",\"type\":\"metrics\",\"uiState\":{}}},\"gridData\":{\"h\":7,\"i\":\"3b1f6b7f-519e-4180-8946-ab1318580f2e\",\"w\":24,\"x\":24,\"y\":0},\"panelIndex\":\"3b1f6b7f-519e-4180-8946-ab1318580f2e\",\"title\":\"Ratio of used space in Tablespaces [Metrics 
Oracle]\",\"type\":\"visualization\",\"version\":\"8.3.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"id\":\"51dfc970-08ca-11ed-a12c-5d4b2a3a48a4\"}],\"drop_last_bucket\":0,\"id\":\"0bf6fba1-6aba-4031-b22f-caca9339ee5d\",\"index_pattern_ref_name\":\"metrics_14d04a9d-5a41-47e0-a188-297dbf41776e_0_index_pattern\",\"interval\":\"\",\"isModelInvalid\":false,\"max_lines_legend\":1,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(96,146,192,1)\",\"fill\":0.5,\"formatter\":\"default\",\"id\":\"8c22d686-b04c-4154-a424-d2e366b260f8\",\"label\":\"Tablespace Total Size (TEMP)\",\"line_width\":1,\"metrics\":[{\"field\":\"oracle.tablespace.space.total.bytes\",\"id\":\"bc5c1370-08e4-11ed-bbf2-8b9cc975c696\",\"type\":\"avg\"}],\"override_index_pattern\":0,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"point_size\":1,\"separate_axis\":0,\"series_drop_last_bucket\":0,\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_exclude\":\"\",\"terms_field\":\"oracle.tablespace.name\",\"terms_include\":\"TEMP\",\"terms_order_by\":\"42eab07c-8975-4bf8-b429-85ae12bd3e7d\",\"time_range_mode\":\"entire_time_range\"},{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"default\",\"id\":\"d875d500-08e4-11ed-bbf2-8b9cc975c696\",\"label\":\"Tablespace Total Size (Non - TEMP)\",\"line_width\":1,\"metrics\":[{\"field\":\"oracle.tablespace.space.free.bytes\",\"id\":\"d875d501-08e4-11ed-bbf2-8b9cc975c696\",\"type\":\"avg\"},{\"field\":\"oracle.tablespace.space.used.bytes\",\"id\":\"05bb7e20-08e5-11ed-bbf2-8b9cc975c696\",\"type\":\"avg\"},{\"id\":\"12de6090-08e5-11ed-bbf2-8b9cc975c696\",\"script\":\"params.used + 
params.free\",\"type\":\"math\",\"variables\":[{\"field\":\"05bb7e20-08e5-11ed-bbf2-8b9cc975c696\",\"id\":\"14ca2b00-08e5-11ed-bbf2-8b9cc975c696\",\"name\":\"used\"},{\"field\":\"d875d501-08e4-11ed-bbf2-8b9cc975c696\",\"id\":\"19662150-08e5-11ed-bbf2-8b9cc975c696\",\"name\":\"free\"}]}],\"override_index_pattern\":0,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"point_size\":1,\"separate_axis\":0,\"series_drop_last_bucket\":0,\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_exclude\":\"TEMP\",\"terms_field\":\"oracle.tablespace.name\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"time_range_mode\":\"entire_time_range\",\"tooltip_mode\":\"show_all\",\"truncate_legend\":1,\"type\":\"timeseries\",\"use_kibana_indexes\":true},\"title\":\"\",\"type\":\"metrics\",\"uiState\":{}}},\"gridData\":{\"h\":8,\"i\":\"14d04a9d-5a41-47e0-a188-297dbf41776e\",\"w\":24,\"x\":24,\"y\":7},\"panelIndex\":\"14d04a9d-5a41-47e0-a188-297dbf41776e\",\"title\":\"Tablespace Total Size [Metrics Oracle]\",\"type\":\"visualization\",\"version\":\"8.3.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"id\":\"83835a30-08e5-11ed-bbf2-8b9cc975c696\"}],\"bar_color_rules\":[{\"id\":\"81e33ec0-08e5-11ed-bbf2-8b9cc975c696\"}],\"drop_last_bucket\":0,\"id\":\"e640ae4d-6372-4a49-be99-4e477874dccb\",\"index_pattern_ref_name\":\"metrics_187cba56-fde4-481f-8e6b-0266f9029e3a_0_index_pattern\",\"interval\":\"\",\"isModelInvalid\":false,\"max_lines_legend\":1,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"default\",\"id\":\"c2f70760-43b9-4f8a-b3d5-a15b7f9ff585\",\"label\":\"Maximum data file 
size\",\"line_width\":1,\"metrics\":[{\"field\":\"oracle.tablespace.data_file.size.max.bytes\",\"id\":\"2ecdfc99-39a3-4c97-9dc4-72585cab6138\",\"type\":\"avg\"},{\"field\":\"oracle.tablespace.data_file.size.bytes\",\"id\":\"451a2690-08e8-11ed-bbf2-8b9cc975c696\",\"type\":\"avg\"},{\"id\":\"5e07ae70-08e8-11ed-bbf2-8b9cc975c696\",\"script\":\"params.used / params.total\",\"type\":\"math\",\"variables\":[{\"field\":\"451a2690-08e8-11ed-bbf2-8b9cc975c696\",\"id\":\"602a1940-08e8-11ed-bbf2-8b9cc975c696\",\"name\":\"used\"},{\"field\":\"2ecdfc99-39a3-4c97-9dc4-72585cab6138\",\"id\":\"6c114760-08e8-11ed-bbf2-8b9cc975c696\",\"name\":\"total\"}]}],\"override_index_pattern\":0,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"point_size\":1,\"separate_axis\":0,\"series_drop_last_bucket\":0,\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"oracle.tablespace.data_file.name\",\"time_range_mode\":\"entire_time_range\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"time_range_mode\":\"entire_time_range\",\"tooltip_mode\":\"show_all\",\"truncate_legend\":1,\"type\":\"top_n\",\"use_kibana_indexes\":true},\"title\":\"\",\"type\":\"metrics\",\"uiState\":{}}},\"gridData\":{\"h\":9,\"i\":\"187cba56-fde4-481f-8e6b-0266f9029e3a\",\"w\":48,\"x\":0,\"y\":15},\"panelIndex\":\"187cba56-fde4-481f-8e6b-0266f9029e3a\",\"title\":\"Ratio of used space in data files [Metrics Oracle]\",\"type\":\"visualization\",\"version\":\"8.3.0\"}]", - "timeRestore": false, - "title": "[Metrics Oracle] Tablespace", - "version": 1 - }, - "coreMigrationVersion": "8.3.0", - "id": "oracle-9e19fb00-08e1-11ed-9abf-15e60715cfab", - "migrationVersion": { - "dashboard": "8.3.0" - }, - "references": [ - { - "id": "metrics-*", - "name": "5e206919-734c-40b5-a7c8-382c24cbd202:metrics_5e206919-734c-40b5-a7c8-382c24cbd202_0_index_pattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": 
"3b1f6b7f-519e-4180-8946-ab1318580f2e:metrics_3b1f6b7f-519e-4180-8946-ab1318580f2e_0_index_pattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "14d04a9d-5a41-47e0-a188-297dbf41776e:metrics_14d04a9d-5a41-47e0-a188-297dbf41776e_0_index_pattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "187cba56-fde4-481f-8e6b-0266f9029e3a:metrics_187cba56-fde4-481f-8e6b-0266f9029e3a_0_index_pattern", - "type": "index-pattern" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/oracle/1.4.1/kibana/dashboard/oracle-b6b2c9f0-13a7-11ed-9607-2ba0819b3835.json b/packages/oracle/1.4.1/kibana/dashboard/oracle-b6b2c9f0-13a7-11ed-9607-2ba0819b3835.json deleted file mode 100755 index 742d189ee7..0000000000 --- a/packages/oracle/1.4.1/kibana/dashboard/oracle-b6b2c9f0-13a7-11ed-9607-2ba0819b3835.json +++ /dev/null 
@@ -1,153 +0,0 @@ -{ - "attributes": { - "controlGroupInput": { - "chainingSystem": "HIERARCHICAL", - "controlStyle": "oneLine", - "ignoreParentSettingsJSON": "{\"ignoreFilters\":false,\"ignoreQuery\":false,\"ignoreTimerange\":false,\"ignoreValidations\":false}", - "panelsJSON": "{\"3de2a6b1-0cb3-4b1d-8a5f-070387961941\":{\"order\":0,\"width\":\"medium\",\"grow\":true,\"type\":\"optionsListControl\",\"explicitInput\":{\"fieldName\":\"service.address\",\"title\":\"Oracle Host Control\",\"id\":\"3de2a6b1-0cb3-4b1d-8a5f-070387961941\",\"enhancements\":{}}}}" - }, - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"syncTooltips\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"id\":\"\",\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"id\":\"e24122f0-13a3-11ed-ac2d-bba62e78d30c\"}],\"drop_last_bucket\":0,\"id\":\"c78db4b3-758b-4967-b1e3-fd5d66cc8508\",\"index_pattern_ref_name\":\"metrics_988770fe-59b5-4c12-b668-20a8d9461bf5_0_index_pattern\",\"interval\":\"\",\"isModelInvalid\":false,\"legend_position\":\"bottom\",\"max_lines_legend\":1,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"bar\",\"color\":\"rgba(197,237,226,1)\",\"fill\":\"1\",\"formatter\":\"percent\",\"id\":\"bbdce57d-1d8a-4c0e-a94d-2b9511cd0f8c\",\"label\":\"Rate of Change 
(%)\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"oracle.performance.parse_count_total\",\"id\":\"78823468-ea1e-4798-842e-54c8999b8bb3\",\"type\":\"max\"},{\"field\":\"78823468-ea1e-4798-842e-54c8999b8bb3\",\"id\":\"94a76e20-139c-11ed-b7bb-c962dc44100f\",\"type\":\"derivative\",\"unit\":\"5m\"},{\"id\":\"a427c130-139f-11ed-b7bb-c962dc44100f\",\"script\":\"params.diff \\u003e 0 ? ( params.diff ) / params.avg_value : null\",\"type\":\"calculation\",\"variables\":[{\"field\":\"94a76e20-139c-11ed-b7bb-c962dc44100f\",\"id\":\"a835cf60-139f-11ed-b7bb-c962dc44100f\",\"name\":\"diff\"},{\"field\":\"78823468-ea1e-4798-842e-54c8999b8bb3\",\"id\":\"c00a9440-139f-11ed-b7bb-c962dc44100f\",\"name\":\"avg_value\"}]}],\"override_index_pattern\":1,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"point_size\":1,\"separate_axis\":1,\"series_drop_last_bucket\":0,\"series_index_pattern_ref_name\":\"metrics_988770fe-59b5-4c12-b668-20a8d9461bf5_1_index_pattern\",\"split_color_mode\":null,\"split_mode\":\"everything\",\"stacked\":\"none\",\"time_range_mode\":\"entire_time_range\"},{\"axis_position\":\"left\",\"chart_type\":\"line\",\"color\":\"rgba(84,179,153,1)\",\"fill\":\"0\",\"formatter\":\"number\",\"id\":\"ebe118d0-13a6-11ed-ac2d-bba62e78d30c\",\"label\":\"Rate of Change 
(Count)\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"oracle.performance.parse_count_total\",\"id\":\"ebe118d1-13a6-11ed-ac2d-bba62e78d30c\",\"type\":\"max\"},{\"field\":\"ebe118d1-13a6-11ed-ac2d-bba62e78d30c\",\"id\":\"1ede1350-13a7-11ed-ac2d-bba62e78d30c\",\"type\":\"derivative\",\"unit\":\"\"}],\"override_index_pattern\":0,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"point_size\":\"2\",\"separate_axis\":1,\"series_drop_last_bucket\":0,\"split_mode\":\"everything\",\"stacked\":\"none\",\"steps\":0,\"time_range_mode\":\"entire_time_range\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"time_range_mode\":\"entire_time_range\",\"tooltip_mode\":\"show_all\",\"truncate_legend\":1,\"type\":\"timeseries\",\"use_kibana_indexes\":true},\"title\":\"\",\"type\":\"metrics\",\"uiState\":{}}},\"gridData\":{\"h\":8,\"i\":\"988770fe-59b5-4c12-b668-20a8d9461bf5\",\"w\":24,\"x\":0,\"y\":0},\"panelIndex\":\"988770fe-59b5-4c12-b668-20a8d9461bf5\",\"title\":\"Parse count - Total [Metrics Oracle]\",\"type\":\"visualization\",\"version\":\"8.4.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"id\":\"e24122f0-13a3-11ed-ac2d-bba62e78d30c\"}],\"drop_last_bucket\":0,\"id\":\"c78db4b3-758b-4967-b1e3-fd5d66cc8508\",\"index_pattern_ref_name\":\"metrics_ef891567-af66-4b13-a569-b53a5cdf0b8f_0_index_pattern\",\"interval\":\"\",\"isModelInvalid\":false,\"legend_position\":\"bottom\",\"max_lines_legend\":1,\"series\":[{\"axis_position\":\"left\",\"chart_type\":\"line\",\"color\":\"rgba(84,179,153,1)\",\"fill\":\"0\",\"formatter\":\"number\",\"id\":\"bbdce57d-1d8a-4c0e-a94d-2b9511cd0f8c\",\"label\":\"Parse Count 
Hard\",\"line_width\":\"1\",\"metrics\":[{\"field\":\"oracle.system_statistics.parse_count_hard\",\"id\":\"78823468-ea1e-4798-842e-54c8999b8bb3\",\"type\":\"max\"},{\"field\":\"78823468-ea1e-4798-842e-54c8999b8bb3\",\"id\":\"94a76e20-139c-11ed-b7bb-c962dc44100f\",\"type\":\"derivative\",\"unit\":\"5m\"}],\"override_index_pattern\":1,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"point_size\":1,\"separate_axis\":0,\"series_drop_last_bucket\":0,\"series_index_pattern_ref_name\":\"metrics_ef891567-af66-4b13-a569-b53a5cdf0b8f_1_index_pattern\",\"split_color_mode\":null,\"split_mode\":\"everything\",\"stacked\":\"none\",\"time_range_mode\":\"entire_time_range\"},{\"axis_position\":\"left\",\"chart_type\":\"bar\",\"color\":\"rgba(203,240,230,1)\",\"fill\":\"0.7\",\"formatter\":\"number\",\"id\":\"fb93bbf0-13a8-11ed-ac2d-bba62e78d30c\",\"label\":\"Parse Count Total\",\"line_width\":\"1\",\"metrics\":[{\"field\":\"oracle.performance.parse_count_total\",\"id\":\"fb93bbf1-13a8-11ed-ac2d-bba62e78d30c\",\"type\":\"max\"},{\"field\":\"fb93bbf1-13a8-11ed-ac2d-bba62e78d30c\",\"id\":\"fb93e301-13a8-11ed-ac2d-bba62e78d30c\",\"type\":\"derivative\",\"unit\":\"5m\"}],\"override_index_pattern\":1,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"point_size\":1,\"separate_axis\":0,\"series_drop_last_bucket\":0,\"series_index_pattern_ref_name\":\"metrics_ef891567-af66-4b13-a569-b53a5cdf0b8f_2_index_pattern\",\"split_color_mode\":null,\"split_mode\":\"everything\",\"stacked\":\"none\",\"time_range_mode\":\"entire_time_range\"}],\"show_grid\":0,\"show_legend\":1,\"time_field\":\"\",\"time_range_mode\":\"entire_time_range\",\"tooltip_mode\":\"show_all\",\"truncate_legend\":1,\"type\":\"timeseries\",\"use_kibana_indexes\":true},\"title\":\"\",\"type\":\"metrics\",\"uiState\":{}}},\"gridData\":{\"h\":8,\"i\":\"ef891567-af66-4b13-a569-b53a5cdf0b8f\",\"w\":24,\"x\":24,\"y\":0},\"panelIndex\":\"ef891567-af66-4b13-a569-b53a5cdf0b8f\",\"title\":\"Parse count - Total vs Hard 
[Metrics Oracle]\",\"type\":\"visualization\",\"version\":\"8.4.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"id\":\"e24122f0-13a3-11ed-ac2d-bba62e78d30c\"}],\"drop_last_bucket\":0,\"id\":\"c78db4b3-758b-4967-b1e3-fd5d66cc8508\",\"index_pattern_ref_name\":\"metrics_a2e7769f-32bf-4ffd-baa5-bbb408060350_0_index_pattern\",\"interval\":\"\",\"isModelInvalid\":false,\"legend_position\":\"bottom\",\"max_lines_legend\":1,\"series\":[{\"axis_position\":\"left\",\"chart_type\":\"line\",\"color\":\"rgba(84,179,153,1)\",\"fill\":\"0\",\"formatter\":\"number\",\"id\":\"bbdce57d-1d8a-4c0e-a94d-2b9511cd0f8c\",\"label\":\"Sorts (Memory)\",\"line_width\":\"1\",\"metrics\":[{\"field\":\"oracle.system_statistics.sorts_memory\",\"id\":\"78823468-ea1e-4798-842e-54c8999b8bb3\",\"type\":\"max\"},{\"field\":\"78823468-ea1e-4798-842e-54c8999b8bb3\",\"id\":\"94a76e20-139c-11ed-b7bb-c962dc44100f\",\"type\":\"derivative\",\"unit\":\"5m\"}],\"override_index_pattern\":1,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"point_size\":1,\"separate_axis\":0,\"series_drop_last_bucket\":0,\"series_index_pattern_ref_name\":\"metrics_a2e7769f-32bf-4ffd-baa5-bbb408060350_1_index_pattern\",\"split_color_mode\":null,\"split_mode\":\"everything\",\"stacked\":\"none\",\"time_range_mode\":\"entire_time_range\"},{\"axis_position\":\"left\",\"chart_type\":\"line\",\"color\":\"rgba(96,146,192,1)\",\"fill\":\"0\",\"formatter\":\"number\",\"id\":\"fb93bbf0-13a8-11ed-ac2d-bba62e78d30c\",\"label\":\"Sorts 
(Disk)\",\"line_width\":\"1\",\"metrics\":[{\"field\":\"oracle.system_statistics.sorts_disk\",\"id\":\"fb93bbf1-13a8-11ed-ac2d-bba62e78d30c\",\"type\":\"max\"},{\"field\":\"fb93bbf1-13a8-11ed-ac2d-bba62e78d30c\",\"id\":\"fb93e301-13a8-11ed-ac2d-bba62e78d30c\",\"type\":\"derivative\",\"unit\":\"5m\"}],\"override_index_pattern\":1,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"point_size\":1,\"separate_axis\":0,\"series_drop_last_bucket\":0,\"series_index_pattern_ref_name\":\"metrics_a2e7769f-32bf-4ffd-baa5-bbb408060350_2_index_pattern\",\"split_color_mode\":null,\"split_mode\":\"everything\",\"stacked\":\"none\",\"time_range_mode\":\"entire_time_range\"}],\"show_grid\":0,\"show_legend\":1,\"time_field\":\"\",\"time_range_mode\":\"entire_time_range\",\"tooltip_mode\":\"show_all\",\"truncate_legend\":1,\"type\":\"timeseries\",\"use_kibana_indexes\":true},\"title\":\"\",\"type\":\"metrics\",\"uiState\":{}}},\"gridData\":{\"h\":8,\"i\":\"a2e7769f-32bf-4ffd-baa5-bbb408060350\",\"w\":24,\"x\":0,\"y\":8},\"panelIndex\":\"a2e7769f-32bf-4ffd-baa5-bbb408060350\",\"title\":\"Parse count - Sorts Memory vs Sorts Disk [Metrics 
Oracle]\",\"type\":\"visualization\",\"version\":\"8.4.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"id\":\"e24122f0-13a3-11ed-ac2d-bba62e78d30c\"}],\"drop_last_bucket\":0,\"id\":\"c78db4b3-758b-4967-b1e3-fd5d66cc8508\",\"index_pattern_ref_name\":\"metrics_fc929a45-39c5-4099-a519-c5cc2fab637c_0_index_pattern\",\"interval\":\"\",\"isModelInvalid\":false,\"legend_position\":\"bottom\",\"max_lines_legend\":1,\"series\":[{\"axis_position\":\"left\",\"chart_type\":\"bar\",\"color\":\"rgba(159,211,197,1)\",\"fill\":\"0.5\",\"formatter\":\"ms,ms,0\",\"id\":\"bbdce57d-1d8a-4c0e-a94d-2b9511cd0f8c\",\"label\":\"Parse time (Elapsed)\",\"line_width\":\"1\",\"metrics\":[{\"field\":\"oracle.system_statistics.parse_time_elapsed\",\"id\":\"78823468-ea1e-4798-842e-54c8999b8bb3\",\"type\":\"max\"},{\"field\":\"78823468-ea1e-4798-842e-54c8999b8bb3\",\"id\":\"94a76e20-139c-11ed-b7bb-c962dc44100f\",\"type\":\"derivative\",\"unit\":\"\"},{\"id\":\"b096b7c0-13b1-11ed-ac2d-bba62e78d30c\",\"script\":\"params.ms_value / 10\",\"type\":\"math\",\"variables\":[{\"field\":\"94a76e20-139c-11ed-b7bb-c962dc44100f\",\"id\":\"b5690050-13b1-11ed-ac2d-bba62e78d30c\",\"name\":\"ms_value\"}]}],\"override_index_pattern\":1,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"point_size\":1,\"separate_axis\":0,\"series_drop_last_bucket\":0,\"series_index_pattern_ref_name\":\"metrics_fc929a45-39c5-4099-a519-c5cc2fab637c_1_index_pattern\",\"split_color_mode\":null,\"split_mode\":\"everything\",\"stacked\":\"none\",\"time_range_mode\":\"entire_time_range\",\"value_template\":\"{{value}} 
ms\"},{\"axis_position\":\"left\",\"chart_type\":\"line\",\"color\":\"rgba(96,146,192,1)\",\"fill\":\"0\",\"formatter\":\"ms,ms,0\",\"id\":\"fb93bbf0-13a8-11ed-ac2d-bba62e78d30c\",\"label\":\"Parse time (CPU)\",\"line_width\":\"1\",\"metrics\":[{\"field\":\"oracle.system_statistics.parse_time_cpu\",\"id\":\"fb93bbf1-13a8-11ed-ac2d-bba62e78d30c\",\"type\":\"max\"},{\"field\":\"fb93bbf1-13a8-11ed-ac2d-bba62e78d30c\",\"id\":\"fb93e301-13a8-11ed-ac2d-bba62e78d30c\",\"type\":\"derivative\",\"unit\":\"\"},{\"id\":\"cd8de100-13b1-11ed-ac2d-bba62e78d30c\",\"script\":\"params.ms_value/10\",\"type\":\"math\",\"variables\":[{\"field\":\"fb93e301-13a8-11ed-ac2d-bba62e78d30c\",\"id\":\"d16a57e0-13b1-11ed-ac2d-bba62e78d30c\",\"name\":\"ms_value\"}]}],\"override_index_pattern\":1,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"point_size\":1,\"separate_axis\":0,\"series_drop_last_bucket\":0,\"series_index_pattern_ref_name\":\"metrics_fc929a45-39c5-4099-a519-c5cc2fab637c_2_index_pattern\",\"split_color_mode\":null,\"split_mode\":\"everything\",\"stacked\":\"none\",\"time_range_mode\":\"entire_time_range\",\"value_template\":\"{{value}} ms\"},{\"axis_position\":\"left\",\"chart_type\":\"line\",\"color\":\"rgba(84,179,153,1)\",\"fill\":\"0\",\"formatter\":\"ms,ms,0\",\"hidden\":true,\"id\":\"0c9bc3a0-13b0-11ed-ac2d-bba62e78d30c\",\"label\":\"Parse time 
(Waiting)\",\"line_width\":\"1\",\"metrics\":[{\"field\":\"oracle.system_statistics.parse_time_cpu\",\"id\":\"0c9bc3a1-13b0-11ed-ac2d-bba62e78d30c\",\"type\":\"max\"},{\"field\":\"0c9bc3a1-13b0-11ed-ac2d-bba62e78d30c\",\"id\":\"0c9bc3a2-13b0-11ed-ac2d-bba62e78d30c\",\"type\":\"derivative\",\"unit\":\"\"},{\"field\":\"oracle.system_statistics.parse_time_elapsed\",\"id\":\"142def80-13b0-11ed-ac2d-bba62e78d30c\",\"type\":\"max\"},{\"field\":\"142def80-13b0-11ed-ac2d-bba62e78d30c\",\"id\":\"24c73400-13b0-11ed-ac2d-bba62e78d30c\",\"type\":\"derivative\",\"unit\":\"\"},{\"id\":\"2e0f4d40-13b0-11ed-ac2d-bba62e78d30c\",\"script\":\"(params.elapsed - params.cpu)/10\",\"type\":\"math\",\"variables\":[{\"field\":\"24c73400-13b0-11ed-ac2d-bba62e78d30c\",\"id\":\"320fedf0-13b0-11ed-ac2d-bba62e78d30c\",\"name\":\"elapsed\"},{\"field\":\"0c9bc3a2-13b0-11ed-ac2d-bba62e78d30c\",\"id\":\"42085e90-13b0-11ed-ac2d-bba62e78d30c\",\"name\":\"cpu\"}]}],\"override_index_pattern\":1,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"point_size\":1,\"separate_axis\":0,\"series_drop_last_bucket\":0,\"series_index_pattern_ref_name\":\"metrics_fc929a45-39c5-4099-a519-c5cc2fab637c_3_index_pattern\",\"split_color_mode\":null,\"split_mode\":\"everything\",\"stacked\":\"none\",\"time_range_mode\":\"entire_time_range\",\"value_template\":\"{{value}} ms\"}],\"show_grid\":0,\"show_legend\":1,\"time_field\":\"\",\"time_range_mode\":\"entire_time_range\",\"tooltip_mode\":\"show_all\",\"truncate_legend\":1,\"type\":\"timeseries\",\"use_kibana_indexes\":true},\"title\":\"\",\"type\":\"metrics\",\"uiState\":{}}},\"gridData\":{\"h\":8,\"i\":\"fc929a45-39c5-4099-a519-c5cc2fab637c\",\"w\":24,\"x\":24,\"y\":16},\"panelIndex\":\"fc929a45-39c5-4099-a519-c5cc2fab637c\",\"title\":\"Parse Time [Metrics 
Oracle]\",\"type\":\"visualization\",\"version\":\"8.4.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"id\":\"e24122f0-13a3-11ed-ac2d-bba62e78d30c\"}],\"drop_last_bucket\":0,\"id\":\"c78db4b3-758b-4967-b1e3-fd5d66cc8508\",\"index_pattern_ref_name\":\"metrics_5706242b-0b49-4fb7-9ef0-afb451c9e358_0_index_pattern\",\"interval\":\"\",\"isModelInvalid\":false,\"legend_position\":\"bottom\",\"max_lines_legend\":1,\"series\":[{\"axis_position\":\"left\",\"chart_type\":\"line\",\"color\":\"rgba(84,179,153,1)\",\"fill\":\"0\",\"formatter\":\"number\",\"id\":\"bbdce57d-1d8a-4c0e-a94d-2b9511cd0f8c\",\"label\":\"User rollbacks\",\"line_width\":\"1\",\"metrics\":[{\"field\":\"oracle.system_statistics.user_rollbacks\",\"id\":\"78823468-ea1e-4798-842e-54c8999b8bb3\",\"type\":\"max\"},{\"field\":\"78823468-ea1e-4798-842e-54c8999b8bb3\",\"id\":\"94a76e20-139c-11ed-b7bb-c962dc44100f\",\"type\":\"derivative\",\"unit\":\"5m\"}],\"override_index_pattern\":1,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"point_size\":1,\"separate_axis\":0,\"series_drop_last_bucket\":0,\"series_index_pattern_ref_name\":\"metrics_5706242b-0b49-4fb7-9ef0-afb451c9e358_1_index_pattern\",\"split_color_mode\":null,\"split_mode\":\"everything\",\"stacked\":\"none\",\"time_range_mode\":\"entire_time_range\"},{\"axis_position\":\"left\",\"chart_type\":\"line\",\"color\":\"rgba(96,146,192,1)\",\"fill\":\"0\",\"formatter\":\"number\",\"id\":\"fb93bbf0-13a8-11ed-ac2d-bba62e78d30c\",\"label\":\"Transaction 
Rollbacks\",\"line_width\":\"1\",\"metrics\":[{\"field\":\"oracle.system_statistics.transaction_rollbacks\",\"id\":\"fb93bbf1-13a8-11ed-ac2d-bba62e78d30c\",\"type\":\"max\"},{\"field\":\"fb93bbf1-13a8-11ed-ac2d-bba62e78d30c\",\"id\":\"fb93e301-13a8-11ed-ac2d-bba62e78d30c\",\"type\":\"derivative\",\"unit\":\"5m\"}],\"override_index_pattern\":1,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"point_size\":1,\"separate_axis\":0,\"series_drop_last_bucket\":0,\"series_index_pattern_ref_name\":\"metrics_5706242b-0b49-4fb7-9ef0-afb451c9e358_2_index_pattern\",\"split_color_mode\":null,\"split_mode\":\"everything\",\"stacked\":\"none\",\"time_range_mode\":\"entire_time_range\"}],\"show_grid\":0,\"show_legend\":1,\"time_field\":\"\",\"time_range_mode\":\"entire_time_range\",\"tooltip_mode\":\"show_all\",\"truncate_legend\":1,\"type\":\"timeseries\",\"use_kibana_indexes\":true},\"title\":\"\",\"type\":\"metrics\",\"uiState\":{}}},\"gridData\":{\"h\":8,\"i\":\"5706242b-0b49-4fb7-9ef0-afb451c9e358\",\"w\":24,\"x\":24,\"y\":8},\"panelIndex\":\"5706242b-0b49-4fb7-9ef0-afb451c9e358\",\"title\":\"Rollbacks[Metrics 
Oracle]\",\"type\":\"visualization\",\"version\":\"8.4.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"id\":\"e24122f0-13a3-11ed-ac2d-bba62e78d30c\"}],\"drop_last_bucket\":0,\"id\":\"c78db4b3-758b-4967-b1e3-fd5d66cc8508\",\"index_pattern_ref_name\":\"metrics_244f1b00-46e2-4f49-8016-c3b7072c1241_0_index_pattern\",\"interval\":\"\",\"isModelInvalid\":false,\"legend_position\":\"bottom\",\"max_lines_legend\":1,\"series\":[{\"axis_position\":\"left\",\"chart_type\":\"line\",\"color\":\"rgba(84,179,153,1)\",\"fill\":\"0\",\"formatter\":\"number\",\"id\":\"bbdce57d-1d8a-4c0e-a94d-2b9511cd0f8c\",\"label\":\"Physical writes from cache\",\"line_width\":\"1\",\"metrics\":[{\"field\":\"oracle.system_statistics.physical_writes_from_cache\",\"id\":\"78823468-ea1e-4798-842e-54c8999b8bb3\",\"type\":\"max\"},{\"field\":\"78823468-ea1e-4798-842e-54c8999b8bb3\",\"id\":\"94a76e20-139c-11ed-b7bb-c962dc44100f\",\"type\":\"derivative\",\"unit\":\"5m\"}],\"override_index_pattern\":1,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"point_size\":1,\"separate_axis\":0,\"series_drop_last_bucket\":0,\"series_index_pattern_ref_name\":\"metrics_244f1b00-46e2-4f49-8016-c3b7072c1241_1_index_pattern\",\"split_color_mode\":null,\"split_mode\":\"everything\",\"stacked\":\"none\",\"time_range_mode\":\"entire_time_range\"},{\"axis_position\":\"left\",\"chart_type\":\"line\",\"color\":\"rgba(96,146,192,1)\",\"fill\":\"-0.1\",\"formatter\":\"number\",\"id\":\"fb93bbf0-13a8-11ed-ac2d-bba62e78d30c\",\"label\":\"Physical writes 
Direct\",\"line_width\":\"1\",\"metrics\":[{\"field\":\"oracle.system_statistics.physical_writes_direct\",\"id\":\"fb93bbf1-13a8-11ed-ac2d-bba62e78d30c\",\"type\":\"max\"},{\"field\":\"fb93bbf1-13a8-11ed-ac2d-bba62e78d30c\",\"id\":\"fb93e301-13a8-11ed-ac2d-bba62e78d30c\",\"type\":\"derivative\",\"unit\":\"5m\"}],\"override_index_pattern\":1,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"point_size\":1,\"separate_axis\":0,\"series_drop_last_bucket\":0,\"series_index_pattern_ref_name\":\"metrics_244f1b00-46e2-4f49-8016-c3b7072c1241_2_index_pattern\",\"split_color_mode\":null,\"split_mode\":\"everything\",\"stacked\":\"none\",\"time_range_mode\":\"entire_time_range\"},{\"axis_position\":\"right\",\"chart_type\":\"bar\",\"color\":\"rgba(178,224,211,1)\",\"fill\":\"0.5\",\"formatter\":\"default\",\"id\":\"141b9140-13b6-11ed-ac2d-bba62e78d30c\",\"label\":\"Physical Writes\",\"line_width\":1,\"metrics\":[{\"field\":\"oracle.system_statistics.physical_writes\",\"id\":\"141b9141-13b6-11ed-ac2d-bba62e78d30c\",\"type\":\"max\"},{\"field\":\"141b9141-13b6-11ed-ac2d-bba62e78d30c\",\"id\":\"239d7250-13b6-11ed-ac2d-bba62e78d30c\",\"type\":\"derivative\",\"unit\":\"5m\"}],\"override_index_pattern\":0,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"point_size\":1,\"separate_axis\":0,\"series_drop_last_bucket\":0,\"split_mode\":\"everything\",\"stacked\":\"none\",\"time_range_mode\":\"entire_time_range\"}],\"show_grid\":0,\"show_legend\":1,\"time_field\":\"\",\"time_range_mode\":\"entire_time_range\",\"tooltip_mode\":\"show_all\",\"truncate_legend\":1,\"type\":\"timeseries\",\"use_kibana_indexes\":true},\"title\":\"\",\"type\":\"metrics\",\"uiState\":{}}},\"gridData\":{\"h\":8,\"i\":\"244f1b00-46e2-4f49-8016-c3b7072c1241\",\"w\":24,\"x\":0,\"y\":16},\"panelIndex\":\"244f1b00-46e2-4f49-8016-c3b7072c1241\",\"title\":\"Physical Writes [Metrics 
Oracle]\",\"type\":\"visualization\",\"version\":\"8.4.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"id\":\"e24122f0-13a3-11ed-ac2d-bba62e78d30c\"}],\"drop_last_bucket\":0,\"id\":\"c78db4b3-758b-4967-b1e3-fd5d66cc8508\",\"index_pattern_ref_name\":\"metrics_32552a41-3ad8-46d9-8462-1c5e091bab66_0_index_pattern\",\"interval\":\"\",\"isModelInvalid\":false,\"legend_position\":\"bottom\",\"max_lines_legend\":1,\"series\":[{\"axis_position\":\"left\",\"chart_type\":\"line\",\"color\":\"rgba(84,179,153,1)\",\"fill\":\"0\",\"formatter\":\"number\",\"id\":\"bbdce57d-1d8a-4c0e-a94d-2b9511cd0f8c\",\"label\":\"Enqueue Requests Per Second\",\"line_width\":\"1\",\"metrics\":[{\"field\":\"oracle.sysmetric.enqueue_requests_per_sec\",\"id\":\"78823468-ea1e-4798-842e-54c8999b8bb3\",\"type\":\"max\"}],\"override_index_pattern\":1,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"point_size\":1,\"separate_axis\":0,\"series_drop_last_bucket\":0,\"series_index_pattern_ref_name\":\"metrics_32552a41-3ad8-46d9-8462-1c5e091bab66_1_index_pattern\",\"split_color_mode\":null,\"split_mode\":\"everything\",\"stacked\":\"none\",\"time_range_mode\":\"entire_time_range\"},{\"axis_position\":\"left\",\"chart_type\":\"line\",\"color\":\"rgba(96,146,192,1)\",\"fill\":\"0\",\"formatter\":\"number\",\"id\":\"9b888bf0-13bc-11ed-ac2d-bba62e78d30c\",\"label\":\"Enqueue Timeouts Per 
Second\",\"line_width\":\"1\",\"metrics\":[{\"field\":\"oracle.sysmetric.enqueue_timeouts_per_sec\",\"id\":\"9b888bf1-13bc-11ed-ac2d-bba62e78d30c\",\"type\":\"max\"}],\"override_index_pattern\":1,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"point_size\":1,\"separate_axis\":0,\"series_drop_last_bucket\":0,\"series_index_pattern_ref_name\":\"metrics_32552a41-3ad8-46d9-8462-1c5e091bab66_2_index_pattern\",\"split_color_mode\":null,\"split_mode\":\"everything\",\"stacked\":\"none\",\"time_range_mode\":\"entire_time_range\"},{\"axis_position\":\"left\",\"chart_type\":\"line\",\"color\":\"rgba(145,112,184,1)\",\"fill\":\"0\",\"formatter\":\"number\",\"id\":\"c5af8ff0-13bc-11ed-ac2d-bba62e78d30c\",\"label\":\"Enqueue Deadlocks Per Second\",\"line_width\":\"1\",\"metrics\":[{\"field\":\"oracle.sysmetric.enqueue_deadlocks_per_sec\",\"id\":\"c5af8ff1-13bc-11ed-ac2d-bba62e78d30c\",\"type\":\"max\"}],\"override_index_pattern\":1,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"point_size\":1,\"separate_axis\":0,\"series_drop_last_bucket\":0,\"series_index_pattern_ref_name\":\"metrics_32552a41-3ad8-46d9-8462-1c5e091bab66_3_index_pattern\",\"split_color_mode\":null,\"split_mode\":\"everything\",\"stacked\":\"none\",\"time_range_mode\":\"entire_time_range\"}],\"show_grid\":0,\"show_legend\":1,\"time_field\":\"\",\"time_range_mode\":\"entire_time_range\",\"tooltip_mode\":\"show_all\",\"truncate_legend\":1,\"type\":\"timeseries\",\"use_kibana_indexes\":true},\"title\":\"\",\"type\":\"metrics\",\"uiState\":{}}},\"gridData\":{\"h\":8,\"i\":\"32552a41-3ad8-46d9-8462-1c5e091bab66\",\"w\":24,\"x\":0,\"y\":24},\"panelIndex\":\"32552a41-3ad8-46d9-8462-1c5e091bab66\",\"title\":\"Enqueue Metrics [Metrics 
Oracle]\",\"type\":\"visualization\",\"version\":\"8.4.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"id\":\"e24122f0-13a3-11ed-ac2d-bba62e78d30c\"}],\"drop_last_bucket\":0,\"id\":\"c78db4b3-758b-4967-b1e3-fd5d66cc8508\",\"index_pattern_ref_name\":\"metrics_18bbe239-30b6-4fb5-b193-10cef19a8f47_0_index_pattern\",\"interval\":\"\",\"isModelInvalid\":false,\"legend_position\":\"bottom\",\"max_lines_legend\":1,\"series\":[{\"axis_position\":\"left\",\"chart_type\":\"line\",\"color\":\"rgba(84,179,153,1)\",\"fill\":\"0\",\"formatter\":\"number\",\"id\":\"bbdce57d-1d8a-4c0e-a94d-2b9511cd0f8c\",\"label\":\" \",\"line_width\":\"1\",\"metrics\":[{\"field\":\"oracle.system_statistics.opened_cursors_current\",\"id\":\"78823468-ea1e-4798-842e-54c8999b8bb3\",\"type\":\"max\"}],\"override_index_pattern\":1,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"point_size\":1,\"separate_axis\":0,\"series_drop_last_bucket\":0,\"series_index_pattern_ref_name\":\"metrics_18bbe239-30b6-4fb5-b193-10cef19a8f47_1_index_pattern\",\"split_color_mode\":null,\"split_mode\":\"everything\",\"stacked\":\"none\",\"time_range_mode\":\"entire_time_range\"}],\"show_grid\":0,\"show_legend\":1,\"time_field\":\"\",\"time_range_mode\":\"entire_time_range\",\"tooltip_mode\":\"show_all\",\"truncate_legend\":1,\"type\":\"metric\",\"use_kibana_indexes\":true},\"title\":\"\",\"type\":\"metrics\",\"uiState\":{}}},\"gridData\":{\"h\":8,\"i\":\"18bbe239-30b6-4fb5-b193-10cef19a8f47\",\"w\":24,\"x\":24,\"y\":24},\"panelIndex\":\"18bbe239-30b6-4fb5-b193-10cef19a8f47\",\"title\":\"Current Opened Cursors [Metrics Oracle]\",\"type\":\"visualization\",\"version\":\"8.4.0-SNAPSHOT\"}]", - "timeRestore": false, - 
"title": "[Metrics Oracle] System Statistics Metrics", - "version": 1 - }, - "coreMigrationVersion": "8.3.0", - "id": "oracle-b6b2c9f0-13a7-11ed-9607-2ba0819b3835", - "migrationVersion": { - "dashboard": "8.3.0" - }, - "references": [ - { - "id": "metrics-*", - "name": "988770fe-59b5-4c12-b668-20a8d9461bf5:metrics_988770fe-59b5-4c12-b668-20a8d9461bf5_0_index_pattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "988770fe-59b5-4c12-b668-20a8d9461bf5:metrics_988770fe-59b5-4c12-b668-20a8d9461bf5_1_index_pattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "ef891567-af66-4b13-a569-b53a5cdf0b8f:metrics_ef891567-af66-4b13-a569-b53a5cdf0b8f_0_index_pattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "ef891567-af66-4b13-a569-b53a5cdf0b8f:metrics_ef891567-af66-4b13-a569-b53a5cdf0b8f_1_index_pattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "ef891567-af66-4b13-a569-b53a5cdf0b8f:metrics_ef891567-af66-4b13-a569-b53a5cdf0b8f_2_index_pattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "a2e7769f-32bf-4ffd-baa5-bbb408060350:metrics_a2e7769f-32bf-4ffd-baa5-bbb408060350_0_index_pattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "a2e7769f-32bf-4ffd-baa5-bbb408060350:metrics_a2e7769f-32bf-4ffd-baa5-bbb408060350_1_index_pattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "a2e7769f-32bf-4ffd-baa5-bbb408060350:metrics_a2e7769f-32bf-4ffd-baa5-bbb408060350_2_index_pattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "fc929a45-39c5-4099-a519-c5cc2fab637c:metrics_fc929a45-39c5-4099-a519-c5cc2fab637c_0_index_pattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "fc929a45-39c5-4099-a519-c5cc2fab637c:metrics_fc929a45-39c5-4099-a519-c5cc2fab637c_1_index_pattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": 
"fc929a45-39c5-4099-a519-c5cc2fab637c:metrics_fc929a45-39c5-4099-a519-c5cc2fab637c_2_index_pattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "fc929a45-39c5-4099-a519-c5cc2fab637c:metrics_fc929a45-39c5-4099-a519-c5cc2fab637c_3_index_pattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "5706242b-0b49-4fb7-9ef0-afb451c9e358:metrics_5706242b-0b49-4fb7-9ef0-afb451c9e358_0_index_pattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "5706242b-0b49-4fb7-9ef0-afb451c9e358:metrics_5706242b-0b49-4fb7-9ef0-afb451c9e358_1_index_pattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "5706242b-0b49-4fb7-9ef0-afb451c9e358:metrics_5706242b-0b49-4fb7-9ef0-afb451c9e358_2_index_pattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "244f1b00-46e2-4f49-8016-c3b7072c1241:metrics_244f1b00-46e2-4f49-8016-c3b7072c1241_0_index_pattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "244f1b00-46e2-4f49-8016-c3b7072c1241:metrics_244f1b00-46e2-4f49-8016-c3b7072c1241_1_index_pattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "244f1b00-46e2-4f49-8016-c3b7072c1241:metrics_244f1b00-46e2-4f49-8016-c3b7072c1241_2_index_pattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "32552a41-3ad8-46d9-8462-1c5e091bab66:metrics_32552a41-3ad8-46d9-8462-1c5e091bab66_0_index_pattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "32552a41-3ad8-46d9-8462-1c5e091bab66:metrics_32552a41-3ad8-46d9-8462-1c5e091bab66_1_index_pattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "32552a41-3ad8-46d9-8462-1c5e091bab66:metrics_32552a41-3ad8-46d9-8462-1c5e091bab66_2_index_pattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "32552a41-3ad8-46d9-8462-1c5e091bab66:metrics_32552a41-3ad8-46d9-8462-1c5e091bab66_3_index_pattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - 
"name": "18bbe239-30b6-4fb5-b193-10cef19a8f47:metrics_18bbe239-30b6-4fb5-b193-10cef19a8f47_0_index_pattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "18bbe239-30b6-4fb5-b193-10cef19a8f47:metrics_18bbe239-30b6-4fb5-b193-10cef19a8f47_1_index_pattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "controlGroup_3de2a6b1-0cb3-4b1d-8a5f-070387961941:optionsListDataView", - "type": "index-pattern" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/oracle/1.4.1/kibana/dashboard/oracle-bdb780f0-156a-11ed-9607-2ba0819b3835.json b/packages/oracle/1.4.1/kibana/dashboard/oracle-bdb780f0-156a-11ed-9607-2ba0819b3835.json deleted file mode 100755 index 74d4e261a7..0000000000 --- a/packages/oracle/1.4.1/kibana/dashboard/oracle-bdb780f0-156a-11ed-9607-2ba0819b3835.json +++ /dev/null 
@@ -1,88 +0,0 @@ -{ - "attributes": { - "controlGroupInput": { - "chainingSystem": "HIERARCHICAL", - "controlStyle": "oneLine", - "ignoreParentSettingsJSON": "{\"ignoreFilters\":false,\"ignoreQuery\":false,\"ignoreTimerange\":false,\"ignoreValidations\":false}", - "panelsJSON": "{\"3de2a6b1-0cb3-4b1d-8a5f-070387961941\":{\"order\":0,\"width\":\"medium\",\"grow\":true,\"type\":\"optionsListControl\",\"explicitInput\":{\"fieldName\":\"service.address\",\"title\":\"Oracle Host Control\",\"id\":\"3de2a6b1-0cb3-4b1d-8a5f-070387961941\",\"enhancements\":{}}}}" - }, - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"syncTooltips\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"id\":\"\",\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"id\":\"e24122f0-13a3-11ed-ac2d-bba62e78d30c\"}],\"drop_last_bucket\":0,\"id\":\"c78db4b3-758b-4967-b1e3-fd5d66cc8508\",\"index_pattern_ref_name\":\"metrics_988770fe-59b5-4c12-b668-20a8d9461bf5_0_index_pattern\",\"interval\":\"\",\"isModelInvalid\":false,\"legend_position\":\"bottom\",\"max_lines_legend\":1,\"series\":[{\"axis_position\":\"left\",\"chart_type\":\"line\",\"color\":\"rgba(84,179,153,1)\",\"fill\":\"0.5\",\"formatter\":\"bytes\",\"id\":\"ebe118d0-13a6-11ed-ac2d-bba62e78d30c\",\"label\":\" 
\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"oracle.memory.pga.total_freeable_memory\",\"id\":\"ebe118d1-13a6-11ed-ac2d-bba62e78d30c\",\"type\":\"avg\"}],\"override_index_pattern\":0,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"point_size\":\"2\",\"separate_axis\":1,\"series_drop_last_bucket\":0,\"split_mode\":\"everything\",\"stacked\":\"none\",\"steps\":0,\"time_range_mode\":\"entire_time_range\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"time_range_mode\":\"entire_time_range\",\"tooltip_mode\":\"show_all\",\"truncate_legend\":1,\"type\":\"metric\",\"use_kibana_indexes\":true},\"title\":\"\",\"type\":\"metrics\",\"uiState\":{}}},\"gridData\":{\"h\":6,\"i\":\"988770fe-59b5-4c12-b668-20a8d9461bf5\",\"w\":9,\"x\":0,\"y\":0},\"panelIndex\":\"988770fe-59b5-4c12-b668-20a8d9461bf5\",\"title\":\"Total Freeable PGA [Metrics Oracle]\",\"type\":\"visualization\",\"version\":\"8.3.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"id\":\"e24122f0-13a3-11ed-ac2d-bba62e78d30c\"}],\"drop_last_bucket\":0,\"id\":\"c78db4b3-758b-4967-b1e3-fd5d66cc8508\",\"index_pattern_ref_name\":\"metrics_7fbd33ad-7e54-464d-82c3-a3fa6567b7d8_0_index_pattern\",\"interval\":\"\",\"isModelInvalid\":false,\"legend_position\":\"bottom\",\"max_lines_legend\":1,\"series\":[{\"axis_position\":\"left\",\"chart_type\":\"line\",\"color\":\"rgba(84,179,153,1)\",\"fill\":\"0.5\",\"formatter\":\"00.0\",\"id\":\"ebe118d0-13a6-11ed-ac2d-bba62e78d30c\",\"label\":\" 
\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"oracle.memory.pga.cache_hit_pct\",\"id\":\"ebe118d1-13a6-11ed-ac2d-bba62e78d30c\",\"type\":\"avg\"}],\"override_index_pattern\":0,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"point_size\":\"2\",\"separate_axis\":1,\"series_drop_last_bucket\":0,\"split_mode\":\"everything\",\"stacked\":\"none\",\"steps\":0,\"time_range_mode\":\"entire_time_range\",\"value_template\":\"{{value}}%\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"time_range_mode\":\"entire_time_range\",\"tooltip_mode\":\"show_all\",\"truncate_legend\":1,\"type\":\"metric\",\"use_kibana_indexes\":true},\"title\":\"\",\"type\":\"metrics\",\"uiState\":{}}},\"gridData\":{\"h\":6,\"i\":\"7fbd33ad-7e54-464d-82c3-a3fa6567b7d8\",\"w\":9,\"x\":9,\"y\":0},\"panelIndex\":\"7fbd33ad-7e54-464d-82c3-a3fa6567b7d8\",\"title\":\"PGA Cache Hit Percentage [Metrics Oracle]\",\"type\":\"visualization\",\"version\":\"8.3.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"id\":\"e24122f0-13a3-11ed-ac2d-bba62e78d30c\"}],\"drop_last_bucket\":0,\"id\":\"c78db4b3-758b-4967-b1e3-fd5d66cc8508\",\"index_pattern_ref_name\":\"metrics_57fa7ae6-9533-4674-8b45-0c1c533b69d5_0_index_pattern\",\"interval\":\"\",\"isModelInvalid\":false,\"legend_position\":\"bottom\",\"max_lines_legend\":1,\"series\":[{\"axis_position\":\"left\",\"chart_type\":\"line\",\"color\":\"rgba(84,179,153,1)\",\"fill\":\"0.5\",\"formatter\":\"bytes\",\"id\":\"ebe118d0-13a6-11ed-ac2d-bba62e78d30c\",\"label\":\" 
\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"oracle.memory.pga.maximum_allocated\",\"id\":\"ebe118d1-13a6-11ed-ac2d-bba62e78d30c\",\"type\":\"avg\"}],\"override_index_pattern\":0,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"point_size\":\"2\",\"separate_axis\":1,\"series_drop_last_bucket\":0,\"split_mode\":\"everything\",\"stacked\":\"none\",\"steps\":0,\"time_range_mode\":\"entire_time_range\",\"value_template\":\"{{value}}\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"time_range_mode\":\"entire_time_range\",\"tooltip_mode\":\"show_all\",\"truncate_legend\":1,\"type\":\"metric\",\"use_kibana_indexes\":true},\"title\":\"\",\"type\":\"metrics\",\"uiState\":{}}},\"gridData\":{\"h\":6,\"i\":\"57fa7ae6-9533-4674-8b45-0c1c533b69d5\",\"w\":9,\"x\":18,\"y\":0},\"panelIndex\":\"57fa7ae6-9533-4674-8b45-0c1c533b69d5\",\"title\":\"Maximum PGA Allocated [Metrics Oracle]\",\"type\":\"visualization\",\"version\":\"8.3.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"id\":\"e24122f0-13a3-11ed-ac2d-bba62e78d30c\"}],\"drop_last_bucket\":0,\"id\":\"c78db4b3-758b-4967-b1e3-fd5d66cc8508\",\"index_pattern_ref_name\":\"metrics_490fc7d3-aecc-43a3-aaeb-b455d55eed12_0_index_pattern\",\"interval\":\"\",\"isModelInvalid\":false,\"legend_position\":\"bottom\",\"max_lines_legend\":1,\"series\":[{\"axis_position\":\"left\",\"chart_type\":\"line\",\"color\":\"rgba(84,179,153,1)\",\"fill\":\"0\",\"formatter\":\"00.0\",\"id\":\"ebe118d0-13a6-11ed-ac2d-bba62e78d30c\",\"label\":\" 
\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"oracle.memory.pga.cache_hit_pct\",\"id\":\"ebe118d1-13a6-11ed-ac2d-bba62e78d30c\",\"type\":\"avg\"}],\"override_index_pattern\":0,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"point_size\":\"2\",\"separate_axis\":1,\"series_drop_last_bucket\":0,\"split_mode\":\"everything\",\"stacked\":\"none\",\"steps\":0,\"time_range_mode\":\"entire_time_range\",\"value_template\":\"{{value}}%\"}],\"show_grid\":0,\"show_legend\":1,\"time_field\":\"@timestamp\",\"time_range_mode\":\"entire_time_range\",\"tooltip_mode\":\"show_all\",\"truncate_legend\":1,\"type\":\"timeseries\",\"use_kibana_indexes\":true},\"title\":\"\",\"type\":\"metrics\",\"uiState\":{}}},\"gridData\":{\"h\":9,\"i\":\"490fc7d3-aecc-43a3-aaeb-b455d55eed12\",\"w\":21,\"x\":27,\"y\":0},\"panelIndex\":\"490fc7d3-aecc-43a3-aaeb-b455d55eed12\",\"title\":\"PGA Cache Hit Percentage [Metrics Oracle]\",\"type\":\"visualization\",\"version\":\"8.3.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"id\":\"e24122f0-13a3-11ed-ac2d-bba62e78d30c\"}],\"drop_last_bucket\":0,\"id\":\"c78db4b3-758b-4967-b1e3-fd5d66cc8508\",\"index_pattern_ref_name\":\"metrics_4598c927-c422-4e6d-b754-86dbea636361_0_index_pattern\",\"interval\":\"\",\"isModelInvalid\":false,\"legend_position\":\"bottom\",\"max_lines_legend\":1,\"series\":[{\"axis_position\":\"left\",\"chart_type\":\"line\",\"color\":\"rgba(84,179,153,1)\",\"fill\":\"0.5\",\"formatter\":\"bytes\",\"id\":\"ebe118d0-13a6-11ed-ac2d-bba62e78d30c\",\"label\":\" 
\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"oracle.memory.pga.aggregate_target_parameter\",\"id\":\"ebe118d1-13a6-11ed-ac2d-bba62e78d30c\",\"type\":\"avg\"}],\"override_index_pattern\":0,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"point_size\":\"2\",\"separate_axis\":1,\"series_drop_last_bucket\":0,\"split_mode\":\"everything\",\"stacked\":\"none\",\"steps\":0,\"time_range_mode\":\"entire_time_range\",\"value_template\":\"{{value}}\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"time_range_mode\":\"entire_time_range\",\"tooltip_mode\":\"show_all\",\"truncate_legend\":1,\"type\":\"metric\",\"use_kibana_indexes\":true},\"title\":\"\",\"type\":\"metrics\",\"uiState\":{}}},\"gridData\":{\"h\":6,\"i\":\"4598c927-c422-4e6d-b754-86dbea636361\",\"w\":9,\"x\":0,\"y\":6},\"panelIndex\":\"4598c927-c422-4e6d-b754-86dbea636361\",\"title\":\"PGA Aggregate Target [Metrics Oracle]\",\"type\":\"visualization\",\"version\":\"8.3.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"id\":\"e24122f0-13a3-11ed-ac2d-bba62e78d30c\"}],\"drop_last_bucket\":0,\"id\":\"c78db4b3-758b-4967-b1e3-fd5d66cc8508\",\"index_pattern_ref_name\":\"metrics_67ff0142-e274-4854-bdc7-444209a339a9_0_index_pattern\",\"interval\":\"\",\"isModelInvalid\":false,\"legend_position\":\"bottom\",\"max_lines_legend\":1,\"series\":[{\"axis_position\":\"left\",\"chart_type\":\"line\",\"color\":\"rgba(84,179,153,1)\",\"fill\":\"0.5\",\"formatter\":\"bytes\",\"id\":\"ebe118d0-13a6-11ed-ac2d-bba62e78d30c\",\"label\":\" 
\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"oracle.memory.pga.global_memory_bound\",\"id\":\"ebe118d1-13a6-11ed-ac2d-bba62e78d30c\",\"type\":\"avg\"}],\"override_index_pattern\":0,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"point_size\":\"2\",\"separate_axis\":1,\"series_drop_last_bucket\":0,\"split_mode\":\"everything\",\"stacked\":\"none\",\"steps\":0,\"time_range_mode\":\"entire_time_range\",\"value_template\":\"{{value}}\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"time_range_mode\":\"entire_time_range\",\"tooltip_mode\":\"show_all\",\"truncate_legend\":1,\"type\":\"metric\",\"use_kibana_indexes\":true},\"title\":\"\",\"type\":\"metrics\",\"uiState\":{}}},\"gridData\":{\"h\":6,\"i\":\"67ff0142-e274-4854-bdc7-444209a339a9\",\"w\":9,\"x\":9,\"y\":6},\"panelIndex\":\"67ff0142-e274-4854-bdc7-444209a339a9\",\"title\":\"PGA Global Memory Bound [Metrics Oracle]\",\"type\":\"visualization\",\"version\":\"8.3.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"id\":\"e24122f0-13a3-11ed-ac2d-bba62e78d30c\"}],\"drop_last_bucket\":0,\"id\":\"c78db4b3-758b-4967-b1e3-fd5d66cc8508\",\"index_pattern_ref_name\":\"metrics_ddf697e9-b1e8-4edd-b808-ac2c52a14886_0_index_pattern\",\"interval\":\"\",\"isModelInvalid\":false,\"legend_position\":\"bottom\",\"max_lines_legend\":1,\"series\":[{\"axis_position\":\"left\",\"chart_type\":\"line\",\"color\":\"rgba(84,179,153,1)\",\"fill\":\"0.5\",\"formatter\":\"bytes\",\"id\":\"ebe118d0-13a6-11ed-ac2d-bba62e78d30c\",\"label\":\" 
\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"oracle.memory.pga.total_allocated\",\"id\":\"ebe118d1-13a6-11ed-ac2d-bba62e78d30c\",\"type\":\"avg\"}],\"override_index_pattern\":0,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"point_size\":\"2\",\"separate_axis\":1,\"series_drop_last_bucket\":0,\"split_mode\":\"everything\",\"stacked\":\"none\",\"steps\":0,\"time_range_mode\":\"entire_time_range\",\"value_template\":\"{{value}}\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"time_range_mode\":\"entire_time_range\",\"tooltip_mode\":\"show_all\",\"truncate_legend\":1,\"type\":\"metric\",\"use_kibana_indexes\":true},\"title\":\"\",\"type\":\"metrics\",\"uiState\":{}}},\"gridData\":{\"h\":6,\"i\":\"ddf697e9-b1e8-4edd-b808-ac2c52a14886\",\"w\":9,\"x\":18,\"y\":6},\"panelIndex\":\"ddf697e9-b1e8-4edd-b808-ac2c52a14886\",\"title\":\"PGA Allocated [Metrics Oracle]\",\"type\":\"visualization\",\"version\":\"8.3.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"id\":\"e24122f0-13a3-11ed-ac2d-bba62e78d30c\"}],\"drop_last_bucket\":0,\"id\":\"c78db4b3-758b-4967-b1e3-fd5d66cc8508\",\"index_pattern_ref_name\":\"metrics_7d8c17b6-bae8-4d50-bbe6-10ff2e3f02ad_0_index_pattern\",\"interval\":\"\",\"isModelInvalid\":false,\"legend_position\":\"bottom\",\"max_lines_legend\":1,\"series\":[{\"axis_position\":\"left\",\"chart_type\":\"line\",\"color\":\"rgba(84,179,153,1)\",\"fill\":\"0\",\"formatter\":\"00.0\",\"id\":\"ebe118d0-13a6-11ed-ac2d-bba62e78d30c\",\"label\":\" 
\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"oracle.memory.sga.total_memory\",\"id\":\"ebe118d1-13a6-11ed-ac2d-bba62e78d30c\",\"type\":\"avg\"},{\"field\":\"oracle.memory.sga.free_memory\",\"id\":\"7042d7f0-1571-11ed-8473-87f6af0978f0\",\"type\":\"avg\"},{\"id\":\"80e236f0-1571-11ed-8473-87f6af0978f0\",\"script\":\"(params.free / params.total) * 100\",\"type\":\"math\",\"variables\":[{\"field\":\"7042d7f0-1571-11ed-8473-87f6af0978f0\",\"id\":\"83727ec0-1571-11ed-8473-87f6af0978f0\",\"name\":\"free\"},{\"field\":\"ebe118d1-13a6-11ed-ac2d-bba62e78d30c\",\"id\":\"87d69c30-1571-11ed-8473-87f6af0978f0\",\"name\":\"total\"}]}],\"override_index_pattern\":0,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"point_size\":\"2\",\"separate_axis\":1,\"series_drop_last_bucket\":0,\"split_mode\":\"everything\",\"stacked\":\"none\",\"steps\":0,\"time_range_mode\":\"entire_time_range\",\"value_template\":\"{{value}}%\"}],\"show_grid\":0,\"show_legend\":1,\"time_field\":\"@timestamp\",\"time_range_mode\":\"entire_time_range\",\"tooltip_mode\":\"show_all\",\"truncate_legend\":1,\"type\":\"timeseries\",\"use_kibana_indexes\":true},\"title\":\"\",\"type\":\"metrics\",\"uiState\":{}}},\"gridData\":{\"h\":9,\"i\":\"7d8c17b6-bae8-4d50-bbe6-10ff2e3f02ad\",\"w\":21,\"x\":27,\"y\":9},\"panelIndex\":\"7d8c17b6-bae8-4d50-bbe6-10ff2e3f02ad\",\"title\":\"Shared Pool Free Percentage [Metrics 
Oracle]\",\"type\":\"visualization\",\"version\":\"8.3.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"id\":\"e24122f0-13a3-11ed-ac2d-bba62e78d30c\"}],\"drop_last_bucket\":0,\"id\":\"c78db4b3-758b-4967-b1e3-fd5d66cc8508\",\"index_pattern_ref_name\":\"metrics_4b465607-cfa3-463d-b9ad-1f4c1ee62c3d_0_index_pattern\",\"interval\":\"\",\"isModelInvalid\":false,\"legend_position\":\"bottom\",\"max_lines_legend\":1,\"series\":[{\"axis_position\":\"left\",\"chart_type\":\"line\",\"color\":\"rgba(84,179,153,1)\",\"fill\":\"0.5\",\"formatter\":\"00.0\",\"id\":\"ebe118d0-13a6-11ed-ac2d-bba62e78d30c\",\"label\":\" \",\"line_width\":\"2\",\"metrics\":[{\"field\":\"oracle.memory.sga.total_memory\",\"id\":\"ebe118d1-13a6-11ed-ac2d-bba62e78d30c\",\"type\":\"avg\"},{\"field\":\"oracle.memory.sga.free_memory\",\"id\":\"7042d7f0-1571-11ed-8473-87f6af0978f0\",\"type\":\"avg\"},{\"id\":\"80e236f0-1571-11ed-8473-87f6af0978f0\",\"script\":\"(params.free / params.total) * 
100\",\"type\":\"math\",\"variables\":[{\"field\":\"7042d7f0-1571-11ed-8473-87f6af0978f0\",\"id\":\"83727ec0-1571-11ed-8473-87f6af0978f0\",\"name\":\"free\"},{\"field\":\"ebe118d1-13a6-11ed-ac2d-bba62e78d30c\",\"id\":\"87d69c30-1571-11ed-8473-87f6af0978f0\",\"name\":\"total\"}]}],\"override_index_pattern\":0,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"point_size\":\"2\",\"separate_axis\":1,\"series_drop_last_bucket\":0,\"split_mode\":\"everything\",\"stacked\":\"none\",\"steps\":0,\"time_range_mode\":\"entire_time_range\",\"value_template\":\"{{value}}%\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"time_range_mode\":\"entire_time_range\",\"tooltip_mode\":\"show_all\",\"truncate_legend\":1,\"type\":\"metric\",\"use_kibana_indexes\":true},\"title\":\"\",\"type\":\"metrics\",\"uiState\":{}}},\"gridData\":{\"h\":6,\"i\":\"4b465607-cfa3-463d-b9ad-1f4c1ee62c3d\",\"w\":9,\"x\":0,\"y\":12},\"panelIndex\":\"4b465607-cfa3-463d-b9ad-1f4c1ee62c3d\",\"title\":\"Shared Pool Free Percentage [Metrics Oracle]\",\"type\":\"visualization\",\"version\":\"8.3.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"id\":\"e24122f0-13a3-11ed-ac2d-bba62e78d30c\"}],\"drop_last_bucket\":0,\"id\":\"c78db4b3-758b-4967-b1e3-fd5d66cc8508\",\"index_pattern_ref_name\":\"metrics_21a5a3f9-d053-427f-b591-9849015a2d15_0_index_pattern\",\"interval\":\"\",\"isModelInvalid\":false,\"legend_position\":\"bottom\",\"max_lines_legend\":1,\"series\":[{\"axis_position\":\"left\",\"chart_type\":\"line\",\"color\":\"rgba(84,179,153,1)\",\"fill\":\"0.5\",\"formatter\":\"bytes\",\"id\":\"ebe118d0-13a6-11ed-ac2d-bba62e78d30c\",\"label\":\" 
\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"oracle.memory.sga.free_memory\",\"id\":\"ebe118d1-13a6-11ed-ac2d-bba62e78d30c\",\"type\":\"avg\"}],\"override_index_pattern\":0,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"point_size\":\"2\",\"separate_axis\":1,\"series_drop_last_bucket\":0,\"split_mode\":\"everything\",\"stacked\":\"none\",\"steps\":0,\"time_range_mode\":\"entire_time_range\",\"value_template\":\"{{value}}\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"time_range_mode\":\"entire_time_range\",\"tooltip_mode\":\"show_all\",\"truncate_legend\":1,\"type\":\"metric\",\"use_kibana_indexes\":true},\"title\":\"\",\"type\":\"metrics\",\"uiState\":{}}},\"gridData\":{\"h\":6,\"i\":\"21a5a3f9-d053-427f-b591-9849015a2d15\",\"w\":9,\"x\":9,\"y\":12},\"panelIndex\":\"21a5a3f9-d053-427f-b591-9849015a2d15\",\"title\":\"Shared Pool Free Memory [Metrics Oracle] \",\"type\":\"visualization\",\"version\":\"8.3.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"id\":\"e24122f0-13a3-11ed-ac2d-bba62e78d30c\"}],\"drop_last_bucket\":0,\"id\":\"c78db4b3-758b-4967-b1e3-fd5d66cc8508\",\"index_pattern_ref_name\":\"metrics_01d39b22-9ee9-429d-9ee5-d0c67bf64e2c_0_index_pattern\",\"interval\":\"\",\"isModelInvalid\":false,\"legend_position\":\"bottom\",\"max_lines_legend\":1,\"series\":[{\"axis_position\":\"left\",\"chart_type\":\"line\",\"color\":\"rgba(84,179,153,1)\",\"fill\":\"0.5\",\"formatter\":\"bytes\",\"id\":\"ebe118d0-13a6-11ed-ac2d-bba62e78d30c\",\"label\":\" 
\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"oracle.memory.sga.total_memory\",\"id\":\"ebe118d1-13a6-11ed-ac2d-bba62e78d30c\",\"type\":\"avg\"}],\"override_index_pattern\":0,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"point_size\":\"2\",\"separate_axis\":1,\"series_drop_last_bucket\":0,\"split_mode\":\"everything\",\"stacked\":\"none\",\"steps\":0,\"time_range_mode\":\"entire_time_range\",\"value_template\":\"{{value}}\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"time_range_mode\":\"entire_time_range\",\"tooltip_mode\":\"show_all\",\"truncate_legend\":1,\"type\":\"metric\",\"use_kibana_indexes\":true},\"title\":\"\",\"type\":\"metrics\",\"uiState\":{}}},\"gridData\":{\"h\":6,\"i\":\"01d39b22-9ee9-429d-9ee5-d0c67bf64e2c\",\"w\":9,\"x\":18,\"y\":12},\"panelIndex\":\"01d39b22-9ee9-429d-9ee5-d0c67bf64e2c\",\"title\":\"Shared Pool Total Memory [Metrics Oracle]\",\"type\":\"visualization\",\"version\":\"8.3.0\"}]", - "timeRestore": false, - "title": "[Metrics Oracle] Memory Metrics", - "version": 1 - }, - "coreMigrationVersion": "8.3.0", - "id": "oracle-bdb780f0-156a-11ed-9607-2ba0819b3835", - "migrationVersion": { - "dashboard": "8.3.0" - }, - "references": [ - { - "id": "metrics-*", - "name": "988770fe-59b5-4c12-b668-20a8d9461bf5:metrics_988770fe-59b5-4c12-b668-20a8d9461bf5_0_index_pattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "7fbd33ad-7e54-464d-82c3-a3fa6567b7d8:metrics_7fbd33ad-7e54-464d-82c3-a3fa6567b7d8_0_index_pattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "57fa7ae6-9533-4674-8b45-0c1c533b69d5:metrics_57fa7ae6-9533-4674-8b45-0c1c533b69d5_0_index_pattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "490fc7d3-aecc-43a3-aaeb-b455d55eed12:metrics_490fc7d3-aecc-43a3-aaeb-b455d55eed12_0_index_pattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": 
"4598c927-c422-4e6d-b754-86dbea636361:metrics_4598c927-c422-4e6d-b754-86dbea636361_0_index_pattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "67ff0142-e274-4854-bdc7-444209a339a9:metrics_67ff0142-e274-4854-bdc7-444209a339a9_0_index_pattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "ddf697e9-b1e8-4edd-b808-ac2c52a14886:metrics_ddf697e9-b1e8-4edd-b808-ac2c52a14886_0_index_pattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "7d8c17b6-bae8-4d50-bbe6-10ff2e3f02ad:metrics_7d8c17b6-bae8-4d50-bbe6-10ff2e3f02ad_0_index_pattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "4b465607-cfa3-463d-b9ad-1f4c1ee62c3d:metrics_4b465607-cfa3-463d-b9ad-1f4c1ee62c3d_0_index_pattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "21a5a3f9-d053-427f-b591-9849015a2d15:metrics_21a5a3f9-d053-427f-b591-9849015a2d15_0_index_pattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "01d39b22-9ee9-429d-9ee5-d0c67bf64e2c:metrics_01d39b22-9ee9-429d-9ee5-d0c67bf64e2c_0_index_pattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "controlGroup_3de2a6b1-0cb3-4b1d-8a5f-070387961941:optionsListDataView", - "type": "index-pattern" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/oracle/1.4.1/manifest.yml b/packages/oracle/1.4.1/manifest.yml deleted file mode 100755 index 34ea42ad2b..0000000000 --- a/packages/oracle/1.4.1/manifest.yml +++ /dev/null 
@@ -1,69 +0,0 @@ -format_version: 1.0.0 -name: oracle -title: "Oracle" -version: 1.4.1 -license: basic -description: Collect Oracle Audit Log, Performance metrics, Tablespace metrics, Sysmetrics metrics, System statistics metrics, memory metrics from Oracle database. -type: integration -categories: - - security - - datastore -release: ga -conditions: - kibana.version: "^8.3.0" -screenshots: - - src: /img/Oracle-overview-dashboard.png - title: Oracle overview dashboard - size: 3298x1722 - type: image/png - - src: /img/Oracle-memory-dashboard.png - title: Oracle memory metrics dashboard - size: 3360x3590 - type: image/png - - src: /img/Oracle-performance-dashboard.png - title: Oracle performance metrics dashboard - size: 3360x3590 - type: image/png - - src: /img/Oracle-system_statistics-dashboard.png - title: Oracle system statistics metrics dashboard - size: 3360x3590 - type: image/png - - src: /img/Oracle-tablespace-dashboard.png - title: Oracle tablespace metrics dashboard - size: 3360x3590 - type: image/png - - src: /img/Oracle-sysmetrics-dashboard.png - title: Oracle sysmetrics dashboard - size: 3360x3590 - type: image/png - - src: /img/Oracle-sysmetrics-dashboard-2.png - title: Oracle sysmetrics dashboard - size: 3360x3590 - type: image/png -icons: - - src: /img/oracle_logo.svg - title: Oracle - size: 32x32 - type: image/svg+xml -policy_templates: - - name: oracle - title: Oracle Audit Logs - description: Collect Oracle Audit logs, Performance metrics, Tablespace metrics, Sysmetrics integration, System statistics, memory metrics. 
- inputs: - - type: filestream - title: Collect logs from Oracle instances - description: Collecting Oracle audit logs - - type: sql/metrics - vars: - - name: hosts - type: text - title: Oracle DSN - multi: true - required: true - show_user: true - default: - - oracle://sys:Oradoc_db1@0.0.0.0:1521/ORCLCDB.localdomain?sysdba=1 - title: Collect Oracle database's performance metrics, tablespace metrics, sysmetrics and memory metrics - description: Collecting performance metrics, tablespace metrics, sysmetrics, system statistics metrics and memory metrics from Oracle database instances -owner: - github: elastic/security-external-integrations diff --git a/packages/pfsense/1.3.2/LICENSE.txt b/packages/pfsense/1.3.2/LICENSE.txt deleted file mode 100755 index 809108b857..0000000000 --- a/packages/pfsense/1.3.2/LICENSE.txt +++ /dev/null 
@@ -1,93 +0,0 @@ -Elastic License 2.0 - -URL: https://www.elastic.co/licensing/elastic-license - -## Acceptance - -By using the software, you agree to all of the terms and conditions below. - -## Copyright License - -The licensor grants you a non-exclusive, royalty-free, worldwide, -non-sublicensable, non-transferable license to use, copy, distribute, make -available, and prepare derivative works of the software, in each case subject to -the limitations and conditions below. - -## Limitations - -You may not provide the software to third parties as a hosted or managed -service, where the service provides users with access to any substantial set of -the features or functionality of the software. - -You may not move, change, disable, or circumvent the license key functionality -in the software, and you may not remove or obscure any functionality in the -software that is protected by the license key. - -You may not alter, remove, or obscure any licensing, copyright, or other notices -of the licensor in the software. Any use of the licensor’s trademarks is subject -to applicable law. - -## Patents - -The licensor grants you a license, under any patent claims the licensor can -license, or becomes able to license, to make, have made, use, sell, offer for -sale, import and have imported the software, in each case subject to the -limitations and conditions in this license. This license does not cover any -patent claims that you cause to be infringed by modifications or additions to -the software. If you or your company make any written claim that the software -infringes or contributes to infringement of any patent, your patent license for -the software granted under these terms ends immediately. If your company makes -such a claim, your patent license ends immediately for work on behalf of your -company. - -## Notices - -You must ensure that anyone who gets a copy of any part of the software from you -also gets a copy of these terms. 
- -If you modify the software, you must include in any modified copies of the -software prominent notices stating that you have modified the software. - -## No Other Rights - -These terms do not imply any licenses other than those expressly granted in -these terms. - -## Termination - -If you use the software in violation of these terms, such use is not licensed, -and your licenses will automatically terminate. If the licensor provides you -with a notice of your violation, and you cease all violation of this license no -later than 30 days after you receive that notice, your licenses will be -reinstated retroactively. However, if you violate these terms after such -reinstatement, any additional violation of these terms will cause your licenses -to terminate automatically and permanently. - -## No Liability - -*As far as the law allows, the software comes as is, without any warranty or -condition, and the licensor will not be liable to you for any damages arising -out of these terms or the use or nature of the software, under any kind of -legal claim.* - -## Definitions - -The **licensor** is the entity offering these terms, and the **software** is the -software the licensor makes available under these terms, including any portion -of it. - -**you** refers to the individual or entity agreeing to these terms. - -**your company** is any legal entity, sole proprietorship, or other kind of -organization that you work for, plus all organizations that have control over, -are under the control of, or are under common control with that -organization. **control** means ownership of substantially all the assets of an -entity, or the power to direct its management and policies by vote, contract, or -otherwise. Control can be direct or indirect. - -**your licenses** are all the licenses granted to you for the software under -these terms. - -**use** means anything you do with the software requiring one of your licenses. 
- -**trademark** means trademarks, service marks, and similar rights. diff --git a/packages/pfsense/1.3.2/changelog.yml b/packages/pfsense/1.3.2/changelog.yml deleted file mode 100755 index 346c44b9ae..0000000000 --- a/packages/pfsense/1.3.2/changelog.yml +++ /dev/null 
@@ -1,106 +0,0 @@ -# newer versions go on top -- version: "1.3.2" - changes: - - description: Use ECS geo.location definition. - type: enhancement - link: https://github.com/elastic/integrations/issues/4227 -- version: "1.3.1" - changes: - - description: Fix redundant Grok pattern - type: enhancement - link: https://github.com/elastic/integrations/pull/3969 -- version: "1.3.0" - changes: - - description: Add DHCPv6 support - type: enhancement - link: https://github.com/elastic/integrations/pull/3815 -- version: "1.2.0" - changes: - - description: Update package to ECS 8.4.0 - type: enhancement - link: https://github.com/elastic/integrations/pull/3909 -- version: "1.1.2" - changes: - - description: Update package name and description to align with standard wording - type: enhancement - link: https://github.com/elastic/integrations/pull/3478 -- version: "1.1.1" - changes: - - description: Fix grok to support new opensense log format - type: bugfix - link: https://github.com/elastic/integrations/pull/3612 -- version: "1.1.0" - changes: - - description: Update package to ECS 8.3.0. - type: enhancement - link: https://github.com/elastic/integrations/pull/3353 -- version: "1.0.3" - changes: - - description: updated links in the documentation to the vendor documentation - type: enhancement - link: https://github.com/elastic/integrations/pull/3145 -- version: "1.0.2" - changes: - - description: Update HAProxy log parsing to handle non HTTPS and TCP logs - type: bugfix - link: https://github.com/elastic/integrations/pull/3504 -- version: "1.0.1" - changes: - - description: Format client.mac as per ECS. - type: bugfix - link: https://github.com/elastic/integrations/pull/3303 -- version: "1.0.0" - changes: - - description: Add OPNsense support. Add PHP-FPM log parsing. 
- type: bugfix - link: https://github.com/elastic/integrations/pull/2413 -- version: "0.4.0" - changes: - - description: Update to ECS 8.2 - type: enhancement - link: https://github.com/elastic/integrations/pull/2780 -- version: "0.3.1" - changes: - - description: Add documentation for multi-fields - type: enhancement - link: https://github.com/elastic/integrations/pull/2916 -- version: "0.3.0" - changes: - - description: Update to ECS 8.0 - type: enhancement - link: https://github.com/elastic/integrations/pull/2432 -- version: "0.2.2" - changes: - - description: Regenerate test files using the new GeoIP database - type: bugfix - link: https://github.com/elastic/integrations/pull/2339 -- version: "0.2.1" - changes: - - description: Change test public IPs to the supported subset - type: bugfix - link: https://github.com/elastic/integrations/pull/2327 -- version: "0.2.0" - changes: - - description: Add 8.0.0 version constraint - type: enhancement - link: https://github.com/elastic/integrations/pull/2257 -- version: "0.1.3" - changes: - - description: Uniform with guidelines - type: enhancement - link: https://github.com/elastic/integrations/pull/2091 -- version: "0.1.2" - changes: - - description: Update Title and Description. - type: enhancement - link: https://github.com/elastic/integrations/pull/1981 -- version: "0.1.1" - changes: - - description: Fix logic that checks for the 'forwarded' tag - type: bugfix - link: https://github.com/elastic/integrations/pull/1842 -- version: "0.1.0" - changes: - - description: initial release - type: enhancement # can be one of: enhancement, bugfix, breaking-change - link: https://github.com/elastic/integrations/pull/1286 diff --git a/packages/pfsense/1.3.2/data_stream/log/agent/stream/tcp.yml.hbs b/packages/pfsense/1.3.2/data_stream/log/agent/stream/tcp.yml.hbs deleted file mode 100755 index 9241b23255..0000000000 --- a/packages/pfsense/1.3.2/data_stream/log/agent/stream/tcp.yml.hbs +++ /dev/null 
@@ -1,23 +0,0 @@ -host: "{{syslog_host}}:{{syslog_port}}" -tags: -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#each tags as |tag i|}} - - {{tag}} -{{/each}} -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} -{{#if ssl}} -ssl: {{ssl}} -{{/if}} -processors: -- add_locale: ~ -- add_fields: - target: _tmp - fields: - tz_offset: {{tz_offset}} -{{#if processors}} -{{processors}} -{{/if}} diff --git a/packages/pfsense/1.3.2/data_stream/log/agent/stream/udp.yml.hbs b/packages/pfsense/1.3.2/data_stream/log/agent/stream/udp.yml.hbs deleted file mode 100755 index ca515ab199..0000000000 --- a/packages/pfsense/1.3.2/data_stream/log/agent/stream/udp.yml.hbs +++ /dev/null @@ -1,26 +0,0 @@ -host: "{{syslog_host}}:{{syslog_port}}" -tags: -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#each tags as |tag i|}} - - {{tag}} -{{/each}} -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} -processors: -- add_locale: ~ -- add_fields: - target: _tmp - fields: - tz_offset: {{tz_offset}} -{{#if internal_networks.length}} - internal_networks: - {{#each internal_networks as |ntwrk i|}} - - {{ntwrk}} - {{/each}} -{{/if}} -{{#if processors}} -{{processors}} -{{/if}} \ No newline at end of file diff --git a/packages/pfsense/1.3.2/data_stream/log/elasticsearch/ingest_pipeline/default.yml b/packages/pfsense/1.3.2/data_stream/log/elasticsearch/ingest_pipeline/default.yml deleted file mode 100755 index 297430504e..0000000000 --- a/packages/pfsense/1.3.2/data_stream/log/elasticsearch/ingest_pipeline/default.yml +++ /dev/null 
@@ -1,226 +0,0 @@ ---- -description: Pipeline for PFsense -processors: - - set: - field: ecs.version - value: '8.4.0' - - set: - field: observer.vendor - value: netgate - - set: - field: observer.type - value: firewall - - rename: - field: message - target_field: event.original - - set: - field: event.kind - value: event - - set: - field: event.timezone - value: "{{_tmp.tz_offset}}" - if: ctx._tmp?.tz_offset != null && ctx._tmp?.tz_offset != 'local' - - grok: - description: Parse syslog header - field: event.original - patterns: - - '^(%{ECS_SYSLOG_PRI})?%{TIMESTAMP} %{GREEDYDATA:message}' - pattern_definitions: - ECS_SYSLOG_PRI: '<%{NONNEGINT:log.syslog.priority:long}>(\d )?' - BSD_TIMESTAMP_FORMAT: '%{SYSLOGTIMESTAMP:_tmp.timestamp}(%{SPACE}%{OBSERVER})?%{SPACE}%{PROCESS}(\[%{POSINT:process.pid:long}\])?:' - SYSLOG_TIMESTAMP_FORMAT: '%{TIMESTAMP_ISO8601:_tmp.timestamp8601}%{SPACE}%{OBSERVER}%{SPACE}%{PROCESS}%{SPACE}(%{POSINT:process.pid:long}|-) - (-|\[%{DATA}\])?' - TIMESTAMP_ISO8601: '%{YEAR}-%{MONTHNUM}-%{MONTHDAY}[T ]%{HOUR}:?%{MINUTE}(?::?%{SECOND})?%{ISO8601_TIMEZONE:event.timezone}?' 
- TIMESTAMP: '(?:%{BSD_TIMESTAMP_FORMAT}|%{SYSLOG_TIMESTAMP_FORMAT})' - OBSERVER: '(?:%{IP:observer.ip}|%{HOSTNAME:observer.name})' - PROCESS: '(\(%{DATA:process.name}\)|(%{UNIXPATH}/)?%{WORD:process.name})' - - date: - if: ctx._tmp.timestamp8601 != null - field: _tmp.timestamp8601 - target_field: '@timestamp' - formats: - - ISO8601 - - date: - if: ctx.event?.timezone != null && ctx._tmp?.timestamp != null - field: _tmp.timestamp - target_field: '@timestamp' - formats: - - MMM d HH:mm:ss - - MMM d HH:mm:ss - - MMM dd HH:mm:ss - timezone: '{{ event.timezone }}' - - grok: - description: Set Event Provider - field: process.name - patterns: - - '^%{WORD:event.provider}' - - pipeline: - name: '{{ IngestPipeline "firewall" }}' - if: ctx.event.provider == 'filterlog' - - pipeline: - name: '{{ IngestPipeline "openvpn" }}' - if: ctx.event.provider == 'openvpn' - - pipeline: - name: '{{ IngestPipeline "ipsec" }}' - if: ctx.event.provider == 'charon' - - pipeline: - name: '{{ IngestPipeline "dhcp" }}' - if: '["dhcpd", "dhclient", "dhcp6c"].contains(ctx.event.provider)' - - pipeline: - name: '{{ IngestPipeline "unbound" }}' - if: ctx.event.provider == 'unbound' - - pipeline: - name: '{{ IngestPipeline "haproxy" }}' - if: ctx.event.provider == 'haproxy' - - pipeline: - name: '{{ IngestPipeline "php-fpm" }}' - if: ctx.event.provider == 'php-fpm' - - pipeline: - name: '{{ IngestPipeline "squid" }}' - if: ctx.event.provider == 'squid' - - drop: - if: '!["filterlog", "openvpn", "charon", "dhcpd", "dhclient", "dhcp6c", "unbound", "haproxy", "php-fpm", "squid"].contains(ctx.event?.provider)' - - append: - field: event.category - value: network - if: "ctx.network != null" - - convert: - field: source.address - target_field: source.ip - type: ip - ignore_failure: true - ignore_missing: true - - convert: - field: destination.address - target_field: destination.ip - type: ip - ignore_failure: true - ignore_missing: true - - set: - field: network.type - value: ipv6 - if: 'ctx.source?.ip 
!= null && ctx.source.ip.contains(":")' - - set: - field: network.type - value: ipv4 - if: 'ctx.source?.ip != null && ctx.source.ip.contains(".")' - - geoip: - field: source.ip - target_field: source.geo - ignore_missing: true - - geoip: - field: destination.ip - target_field: destination.geo - ignore_missing: true - - geoip: - ignore_missing: true - database_file: GeoLite2-ASN.mmdb - field: source.ip - target_field: source.as - properties: - - asn - - organization_name - - geoip: - database_file: GeoLite2-ASN.mmdb - field: destination.ip - target_field: destination.as - properties: - - asn - - organization_name - ignore_missing: true - - rename: - field: source.as.asn - target_field: source.as.number - ignore_missing: true - - rename: - field: source.as.organization_name - target_field: source.as.organization.name - ignore_missing: true - - rename: - field: destination.as.asn - target_field: destination.as.number - ignore_missing: true - - rename: - field: destination.as.organization_name - target_field: destination.as.organization.name - ignore_missing: true - - community_id: - target_field: network.community_id - ignore_failure: true - - grok: - field: observer.ingress.interface.name - patterns: - - "%{DATA}.%{NONNEGINT:observer.ingress.vlan.id}" - ignore_missing: true - ignore_failure: true - - set: - field: network.vlan.id - copy_from: observer.ingress.vlan.id - ignore_empty_value: true - - append: - field: related.ip - value: "{{destination.ip}}" - allow_duplicates: false - if: ctx.destination?.ip != null - - append: - field: related.ip - value: "{{source.ip}}" - allow_duplicates: false - if: ctx.source?.ip != null - - append: - field: related.ip - value: "{{source.nat.ip}}" - allow_duplicates: false - if: ctx.source?.nat?.ip != null - - append: - field: related.hosts - value: "{{destination.domain}}" - if: "ctx.destination?.domain != null" - - append: - field: related.user - value: "{{user.name}}" - if: "ctx.user?.name != null" - - set: - field: 
network.direction - value: "{{network.direction}}bound" - if: ctx.network?.direction != null && ctx.network?.direction =~ /^(in|out)$/ - - remove: - field: - - _tmp - ignore_failure: true - - script: - lang: painless - description: This script processor iterates over the whole document to remove fields with null values. - source: | - void handleMap(Map map) { - for (def x : map.values()) { - if (x instanceof Map) { - handleMap(x); - } else if (x instanceof List) { - handleList(x); - } - } - map.values().removeIf(v -> v == null || (v instanceof String && v == "-")); - } - void handleList(List list) { - for (def x : list) { - if (x instanceof Map) { - handleMap(x); - } else if (x instanceof List) { - handleList(x); - } - } - } - handleMap(ctx); - - remove: - field: event.original - if: "ctx.tags == null || !(ctx.tags.contains('preserve_original_event'))" - ignore_failure: true - ignore_missing: true -on_failure: - - remove: - field: - - _tmp - ignore_failure: true - - append: - field: error.message - value: '{{ _ingest.on_failure_message }}' diff --git a/packages/pfsense/1.3.2/data_stream/log/elasticsearch/ingest_pipeline/dhcp.yml b/packages/pfsense/1.3.2/data_stream/log/elasticsearch/ingest_pipeline/dhcp.yml deleted file mode 100755 index 1e3d8547cb..0000000000 --- a/packages/pfsense/1.3.2/data_stream/log/elasticsearch/ingest_pipeline/dhcp.yml +++ /dev/null 
@@ -1,93 +0,0 @@ ---- -description: Pipeline for PFsense DHCP logs -processors: - - grok: - field: message - patterns: - - '%{DATA:_tmp.action}/%{INTERFACE:observer.ingress.interface.name}/%{MAC_ADDRESS:server.mac}/%{NOTSPACE:pfsense.dhcp.subnet}' - - '%{DATA:_tmp.action} %{IPV6:client.address}(/%{NUMBER})? on %{INTERFACE:observer.ingress.interface.name}' - - '%{DATA:_tmp.action} (from|to) %{IPV6:client.address} port %{POSINT:client.port:long}(, transaction ID %{NOTSPACE:pfsense.dhcp.transaction_id})?' - - '%{DATA:_tmp.action} for: %{IPV6:client.address}(, age %{POSINT:pfsense.dhcp.age:long} secs)?%{GREEDYDATA}' - - '%{DATA:_tmp.action}: address %{IPV6:client.address} to client with duid %{DUID:pfsense.dhcp.duid} iaid = -%{NOTSPACE:pfsense.dhcp.iaid} valid for %{POSINT:pfsense.dhcp.lease_time:long} seconds' - - '%{WORD:event.action} %{MIDDLE} via %{INTERFACE:observer.ingress.interface.name}' - - '%{DATA:_tmp.action} %{IPV6:client.address}' - - '%{GREEDYDATA}' - pattern_definitions: - INTERFACE: '[a-z0-9\.]+' - MAC_ADDRESS: '([0-9A-Fa-f]{2}[:-]){5}([0-9A-Fa-f]{2})' - FROM: 'from %{MAC_ADDRESS:client.mac}' - ON: 'on %{IP:client.address} to %{MAC_ADDRESS:client.mac} \(%{HOSTNAME:pfsense.dhcp.hostname}\)' - FOR: 'for %{IP:client.address} \(%{IP:server.address}\)? 
from %{MAC_ADDRESS:client.mac} \(%{HOSTNAME:pfsense.dhcp.hostname}\)' - MIDDLE: '(?:%{FROM}|%{ON}|%{FOR})' - DUID: '(?i)[0-9a-f]{2}(:[0-9a-f]{2})+' - - append: - field: event.type - value: - - connection - - protocol - - info - allow_duplicates: false - - set: - field: network.protocol - value: dhcp - - set: - field: network.protocol - value: dhcpv6 - if: ctx.event.provider == 'dhcp6c' || (ctx.server?.address != null && ctx.server.address.contains(':')) || (ctx.client?.address != null && ctx.client.address.contains(':')) - - set: - field: network.transport - value: udp - - convert: - field: client.address - target_field: client.ip - type: ip - ignore_failure: true - ignore_missing: true - - convert: - field: server.address - target_field: server.ip - type: ip - ignore_failure: true - ignore_missing: true - - uppercase: - field: client.mac - ignore_missing: true - - gsub: - field: client.mac - pattern: '[:]' - replacement: '-' - ignore_missing: true - - uppercase: - field: server.mac - ignore_missing: true - - gsub: - field: server.mac - pattern: '[:]' - replacement: '-' - ignore_missing: true - - lowercase: - field: _tmp.action - ignore_missing: true - - gsub: - field: _tmp.action - target_field: event.action - pattern: ' ' - replacement: '-' - ignore_missing: true - - set: - field: source - copy_from: client - ignore_empty_value: true - - set: - field: destination - copy_from: server - ignore_empty_value: true - - append: - field: related.hosts - value: "{{pfsense.dhcp.hostname}}" - allow_duplicates: false - if: "ctx.pfsense?.log?.dhcp?.hostname != null" -on_failure: - - append: - field: error.message - value: '{{ _ingest.on_failure_message }}' \ No newline at end of file diff --git a/packages/pfsense/1.3.2/data_stream/log/elasticsearch/ingest_pipeline/firewall.yml b/packages/pfsense/1.3.2/data_stream/log/elasticsearch/ingest_pipeline/firewall.yml deleted file mode 100755 index eeaa3e01b3..0000000000 
--- a/packages/pfsense/1.3.2/data_stream/log/elasticsearch/ingest_pipeline/firewall.yml +++ /dev/null 
@@ -1,86 +0,0 @@ ---- -description: Pipeline for PFsense Firewall logs -processors: - - grok: - field: message - patterns: - - "%{PF_LOG_ENTRY}%{GREEDYDATA}" - pattern_definitions: - PF_LOG_ENTRY: "%{PF_LOG_DATA}%{PF_IP_SPECIFIC_DATA}%{PF_IP_DATA}%{PF_PROTOCOL_DATA}?" - PF_LOG_DATA: "%{INT},%{INT}?,,%{WORD:rule.id},%{DATA:observer.ingress.interface.name},%{PF_REASON:event.reason},%{WORD:event.action},%{WORD:network.direction}," - PF_REASON: '[a-zA-Z-]+' - PF_IP_DATA: "%{NONNEGINT:network.bytes:long},%{IP:source.address},%{IP:destination.address}," - PF_IP_SPECIFIC_DATA: "%{PF_IPv4_SPECIFIC_DATA}|%{PF_IPv6_SPECIFIC_DATA}" - PF_IPv4_SPECIFIC_DATA: "(?(4)),%{BASE16NUM:pfsense.ip.tos},%{WORD:pfsense.ip.ecn}?,%{NONNEGINT:pfsense.ip.ttl:long},%{NONNEGINT:pfsense.ip.id:long},%{NONNEGINT:pfsense.ip.offset:long},(?:%{WORD:pfsense.ip.flags}|%{PF_SPEC:pfsense.ip.flags}),%{INT:network.iana_number},%{WORD:network.transport}," - PF_IPv6_SPECIFIC_DATA: "(?(6)),%{BASE16NUM:pfsense.ip.tos},%{WORD:pfsense.ip.flow_label},%{WORD:pfsense.ip.flags},%{WORD:network.transport},%{INT:network.iana_number}," - PF_PROTOCOL_DATA: "%{PF_TCP_DATA}|%{PF_UDP_DATA}|%{PF_ICMP_DATA}|%{PF_IGMP_DATA}|%{PF_IPv6_VAR}|%{PF_IPv6_ICMP}" - PF_IPv6_VAR: "%{GREEDYDATA}" - PF_IPv6_ICMP: '' - PF_TCP_DATA: "%{INT:source.port:long},%{INT:destination.port:long},%{NONNEGINT:pfsense.tcp.length:long},%{WORD:pfsense.tcp.flags}?,%{NONNEGINT:pfsense.tcp.seq:long}?:?%{NONNEGINT},%{NONNEGINT:pfsense.tcp.ack:long}?,%{NONNEGINT:pfsense.tcp.window:long}?,%{WORD:pfsense.tcp.urg}?,%{GREEDYDATA:pfsense.tcp.options}" - PF_UDP_DATA: "%{INT:source.port:long},%{INT:destination.port:long},%{NONNEGINT:pfsense.udp.length:long}$" - PF_IGMP_DATA: "datalength=%{NONNEGINT:network.packets:long}" - PF_ICMP_DATA: "%{PF_ICMP_TYPE}%{PF_ICMP_RESPONSE}" - PF_ICMP_TYPE: "(?(request|reply|unreachproto|unreachport|unreach|timeexceed|paramprob|redirect|maskreply|needfrag|tstamp|tstampreply))," - PF_ICMP_RESPONSE: 
"%{PF_ICMP_ECHO_REQ_REPLY}|%{PF_ICMP_UNREACHPORT}|%{PF_ICMP_UNREACHPROTO}|%{PF_ICMP_UNREACHABLE}|%{PF_ICMP_NEED_FLAG}|%{PF_ICMP_TSTAMP}|%{PF_ICMP_TSTAMP_REPLY}" - PF_ICMP_ECHO_REQ_REPLY: "%{NONNEGINT:pfsense.icmp.id:long},%{NONNEGINT:pfsense.icmp.seq:long}" - PF_ICMP_UNREACHPORT: "%{IP:[pfsense.icmp.destination.ip]},%{WORD:pfsense.icmp.unreachable.iana_number},%{NONNEGINT:pfsense.icmp.unreachable.port:long}" - PF_ICMP_UNREACHPROTO: "%{IP:[pfsense.icmp.destination.ip]},%{WORD:[pfsense.icmp.unreachable.iana_number]}" - PF_ICMP_UNREACHABLE: "%{GREEDYDATA:pfsense.icmp.unreachable.other}" - PF_ICMP_NEED_FLAG: "%{IP:pfsense.icmp.destination.ip},%{NONNEGINT:pfsense.icmp.mtu:long}" - PF_ICMP_TSTAMP: "%{INT:pfsense.icmp.id},%{INT:pfsense.icmp.seq}" - PF_ICMP_TSTAMP_REPLY: "%{INT:pfsense.icmp.id},%{INT:pfsense.icmp.seq},%{INT:pfsense.icmp.otime},%{INT:pfsense.icmp.rtime},%{INT:pfsense.icmp.ttime}" - PF_SPEC: "[+]" - - set: - field: event.kind - value: event - - append: - field: event.type - value: connection - allow_duplicates: false - if: ctx.source?.address != null && ctx.destination?.address != null - - append: - field: event.type - value: denied - allow_duplicates: false - if: ctx.event.action == 'block' - - append: - field: event.type - value: allowed - allow_duplicates: false - if: ctx.event.action == 'pass' - - lowercase: - field: network.transport - ignore_missing: true - - remove: - field: ack_number - ignore_missing: true - if: ctx.ack_number == null || ctx.ack_number == '' - - network_direction: - internal_networks_field: _tmp.internal_networks - - split: - field: pfsense.tcp.options - separator: ';' - ignore_missing: true - ignore_failure: true - - date: - field: pfsense.icmp.otime - ignore_failure: true - formats: - - UNIX - - UNIX_MS - - date: - field: pfsense.icmp.rtime - ignore_failure: true - formats: - - UNIX - - UNIX_MS - - date: - field: pfsense.icmp.ttime - ignore_failure: true - formats: - - UNIX - - UNIX_MS -on_failure: - - append: - field: 
error.message - value: '{{ _ingest.on_failure_message }}' \ No newline at end of file diff --git a/packages/pfsense/1.3.2/data_stream/log/elasticsearch/ingest_pipeline/haproxy.yml b/packages/pfsense/1.3.2/data_stream/log/elasticsearch/ingest_pipeline/haproxy.yml deleted file mode 100755 index d7bb578afb..0000000000 --- a/packages/pfsense/1.3.2/data_stream/log/elasticsearch/ingest_pipeline/haproxy.yml +++ /dev/null 
@@ -1,100 +0,0 @@ ---- -description: Pipeline for parsing PFsense HAProxy http, tcp and default logs. -processors: - - grok: - field: message - patterns: - - 'Connect from (%{IPORHOST:source.address}|-):%{POSINT:source.port:long} %{WORD} %{IPORHOST:destination.address}:%{POSINT:destination.port:long} \(%{NOTSPACE:haproxy.frontend_name}/%{WORD:haproxy.mode}\)' - # HTTP(S) - - '(%{IPORHOST:source.address}|-):%{POSINT:source.port:long} \[%{NOTSPACE:haproxy.request_date}\] %{NOTSPACE:haproxy.frontend_name} %{NOTSPACE:haproxy.backend_name}/%{NOTSPACE:haproxy.server_name} - %{NUMBER:haproxy.http.request.time_wait_ms:long}/%{NUMBER:haproxy.total_waiting_time_ms:long}/%{NUMBER:haproxy.connection_wait_time_ms:long}/%{NUMBER:haproxy.http.request.time_wait_without_data_ms:long}/%{NUMBER:_temp.duration:long} - %{NUMBER:http.response.status_code:long} %{NUMBER:haproxy.bytes_read:long} %{NOTSPACE:haproxy.http.request.captured_cookie} %{NOTSPACE:haproxy.http.response.captured_cookie} %{NOTSPACE:haproxy.termination_state} - %{NUMBER:haproxy.connections.active:long}/%{NUMBER:haproxy.connections.frontend:long}/%{NUMBER:haproxy.connections.backend:long}/%{NUMBER:haproxy.connections.server:long}/%{NUMBER:haproxy.connections.retries:long} %{NUMBER:haproxy.server_queue:long}/%{NUMBER:haproxy.backend_queue:long} - (\{%{DATA:haproxy.http.request.captured_headers}\} \{%{DATA:haproxy.http.response.captured_headers}\} |\{%{DATA}\} )?"%{GREEDYDATA:haproxy.http.request.raw_request_line}"' - # TCP - - '(%{IP:source.address}|-):%{POSINT:source.port:long} \[%{NOTSPACE:haproxy.request_date}\] - %{NOTSPACE:haproxy.frontend_name} %{NOTSPACE:haproxy.backend_name}/%{NOTSPACE:haproxy.server_name} - %{NUMBER:haproxy.total_waiting_time_ms:long}/%{NUMBER:haproxy.connection_wait_time_ms:long}/%{NUMBER:_temp.duration:long} - %{NUMBER:haproxy.bytes_read:long} %{NOTSPACE:haproxy.termination_state} 
%{NUMBER:haproxy.connections.active:long}/%{NUMBER:haproxy.connections.frontend:long}/%{NUMBER:haproxy.connections.backend:long}/%{NUMBER:haproxy.connections.server:long}/%{NUMBER:haproxy.connections.retries:long} - %{NUMBER:haproxy.server_queue:long}/%{NUMBER:haproxy.backend_queue:long}' - # Error - - '(%{IP:source.address}|-):%{POSINT:source.port:long} \[%{NOTSPACE:haproxy.request_date}\] %{NOTSPACE:haproxy.frontend_name}/%{BIND_NAME:haproxy.bind_name}:? %{GREEDYDATA:haproxy.error_message}' - ignore_missing: false - pattern_definitions: - HAPROXY_DATE: (%{MONTHDAY}[/-]%{MONTH}[/-]%{YEAR}:%{HOUR}:%{MINUTE}:%{SECOND})|%{SYSLOGTIMESTAMP} - BIND_NAME: ((%{IP:destination.address})?(:%{POSINT:destination.port:long})?|%{NOTSPACE}) - on_failure: - - drop: - description: Drop if not a connection log - - date: - if: ctx.haproxy?.request_date != null && ctx.event?.timezone == null - field: haproxy.request_date - target_field: '@timestamp' - formats: - - dd/MMM/yyyy:HH:mm:ss.SSS - - MMM dd HH:mm:ss - - date: - if: ctx.haproxy?.request_date != null && ctx.event?.timezone != null - field: haproxy.request_date - target_field: '@timestamp' - formats: - - dd/MMM/yyyy:HH:mm:ss.SSS - - MMM dd HH:mm:ss - timezone: '{{ event.timezone }}' - - grok: - field: haproxy.http.request.raw_request_line - patterns: - - '%{WORD:http.request.method}%{SPACE}%{URIPATHPARAM:url.original}%{SPACE}HTTP/%{NUMBER:http.version}' - ignore_missing: true - if: 'ctx.haproxy?.http?.request?.raw_request_line != null && !ctx.haproxy?.http?.request?.raw_request_line.isEmpty() && ctx.haproxy?.http?.request?.raw_request_line != ""' - - uri_parts: - field: url.original - ignore_failure: true - if: ctx.url?.original != null - - split: - field: haproxy.http.request.captured_headers - separator: \| - ignore_failure: true - ignore_missing: true - - split: - field: haproxy.http.response.captured_headers - separator: \| - ignore_failure: true - ignore_missing: true - - script: - lang: painless - source: 
ctx.event.duration = Math.round(ctx._temp.duration * params.scale) - params: - scale: 1000000 - if: ctx._temp?.duration != null - - convert: - field: haproxy.bytes_read - target_field: http.response.bytes - type: long - ignore_missing: true - if: ctx.containsKey('http') - - append: - field: event.category - value: web - if: "ctx.haproxy?.mode == 'HTTP' || ctx.haproxy?.http != null" - - append: - field: event.type - value: connection - if: "ctx.source?.address != null && ctx.destination?.address != null" - - set: - field: event.outcome - value: success - if: "ctx.http?.response?.status_code != null && ctx.http.response.status_code < 400" - - set: - field: event.outcome - value: failure - if: "ctx.http?.response?.status_code != null && ctx.http.response.status_code >= 400" - - remove: - field: - - _temp - - haproxy.request_date - ignore_missing: true -on_failure: - - set: - field: error.message - value: '{{ _ingest.on_failure_message }}' diff --git a/packages/pfsense/1.3.2/data_stream/log/elasticsearch/ingest_pipeline/ipsec.yml b/packages/pfsense/1.3.2/data_stream/log/elasticsearch/ingest_pipeline/ipsec.yml deleted file mode 100755 index 251b346de2..0000000000 --- a/packages/pfsense/1.3.2/data_stream/log/elasticsearch/ingest_pipeline/ipsec.yml +++ /dev/null 
@@ -1,37 +0,0 @@ ---- -description: Pipeline for PFsense IPSEC logs -processors: - - grok: - field: message - patterns: - - '%{PREFIX}%{GREEDYDATA}%{SOURCE} to %{DEST} \(%{NONNEGINT:network.bytes:long} bytes\)' - - '%{GREEDYDATA}' - pattern_definitions: - PREFIX: '\d+\[%{WORD}\]' - SOURCE: '%{IP:source.address}\[%{NONNEGINT:source.port:long}\]' - DEST: '%{IP:destination.address}\[%{NONNEGINT:destination.port:long}\]' - - append: - field: event.type - value: connection - allow_duplicates: false - if: ctx.source?.address != null - - append: - field: event.type - value: end - allow_duplicates: false - if: ctx.message.toLowerCase().contains('disconnected') - - set: - field: source.ip - value: "{{source.address}}" - ignore_empty_value: true - - set: - field: destination.ip - value: "{{destination.address}}" - ignore_empty_value: true - - set: - field: network.protocol - value: ipsec -on_failure: - - append: - field: error.message - value: '{{ _ingest.on_failure_message }}' \ No newline at end of file diff --git a/packages/pfsense/1.3.2/data_stream/log/elasticsearch/ingest_pipeline/openvpn.yml b/packages/pfsense/1.3.2/data_stream/log/elasticsearch/ingest_pipeline/openvpn.yml deleted file mode 100755 index 68e9eec151..0000000000 --- a/packages/pfsense/1.3.2/data_stream/log/elasticsearch/ingest_pipeline/openvpn.yml +++ /dev/null 
@@ -1,46 +0,0 @@ ---- -description: Pipeline for PFsense OpenVPN logs -processors: - - grok: - field: message - patterns: - - '%{SOURCE}%{SPACE}peer%{SPACE}info:%{SPACE}%{GREEDYDATA:pfsense.openvpn.peer_info}' - - '%{SOURCE}%{SPACE}\[%{USERNAME:user.name}\]%{SPACE}%{GREEDYDATA}' - - "user%{SPACE}'%{USERNAME:user.name}'%{GREEDYDATA}" - - '%{USERNAME:user.name}/%{SOURCE}%{DATA}IPv4=(%{IP:source.nat.ip}|%{GREEDYDATA}),%{SPACE}IPv6=(%{IP:source.nat.ip}|%{GREEDYDATA})' - - '%{GREEDYDATA}%{SOURCE}' - - '%{GREEDYDATA}' - pattern_definitions: - SOURCE: '%{IP:source.address}:%{NONNEGINT:source.port:long}' - USERNAME: '[a-zA-Z0-9._-]+' - - append: - field: event.category - value: authentication - allow_duplicates: false - if: ctx.message.contains('auth') - - append: - field: event.type - value: connection - allow_duplicates: false - if: ctx.source?.address != null - - append: - field: event.type - value: error - allow_duplicates: false - if: ctx.message.toLowerCase().contains('error') || ctx.message.toLowerCase().contains('not auth') - - append: - field: event.type - value: start - allow_duplicates: false - if: ctx.message.toLowerCase().contains('initiat') - - set: - field: source.ip - value: "{{source.address}}" - ignore_empty_value: true - - set: - field: network.protocol - value: openvpn -on_failure: - - append: - field: error.message - value: '{{ _ingest.on_failure_message }}' \ No newline at end of file diff --git a/packages/pfsense/1.3.2/data_stream/log/elasticsearch/ingest_pipeline/php-fpm.yml b/packages/pfsense/1.3.2/data_stream/log/elasticsearch/ingest_pipeline/php-fpm.yml deleted file mode 100755 index f634f148f1..0000000000 --- a/packages/pfsense/1.3.2/data_stream/log/elasticsearch/ingest_pipeline/php-fpm.yml +++ /dev/null 
@@ -1,43 +0,0 @@ ---- -description: Pipeline for PFsense PHP-FPM logs -processors: - - grok: - field: message - patterns: - - '^%{DATA}: %{PF_APP_DATA}' - - '^%{GREEDYDATA}' - pattern_definitions: - PF_APP_DATA: '(%{PF_APP_LOGIN}|%{PF_APP_LOGOUT}|%{PF_APP_ERROR})' - PF_APP_LOGIN: "(%{DATA:_tmp.action}) for user '%{USER:user.name}' from: %{IP:source.address} \\(%{DATA}\\)" - PF_APP_LOGOUT: "User (%{DATA:_tmp.action}) for user '%{USER:user.name}' from: %{IP:source.address}" - PF_APP_ERROR: "webConfigurator %{DATA:_tmp.action} for user '%{DATA:user.name}' from: %{IP:source.address}" - - append: - field: event.category - value: authentication - allow_duplicates: false - - set: - field: event.outcome - value: success - if: 'ctx._tmp?.action.toLowerCase().contains("success")' - - set: - field: event.outcome - value: failure - if: 'ctx._tmp?.action.toLowerCase().contains("authentication error")' - - convert: - field: source.address - target_field: source.ip - type: ip - ignore_missing: true - ignore_failure: true - - rename: - field: observer.ip - target_field: host.ip - ignore_missing: true - - rename: - field: observer.name - target_field: host.name - ignore_missing: true -on_failure: - - append: - field: error.message - value: '{{ _ingest.on_failure_message }}' \ No newline at end of file diff --git a/packages/pfsense/1.3.2/data_stream/log/elasticsearch/ingest_pipeline/squid.yml b/packages/pfsense/1.3.2/data_stream/log/elasticsearch/ingest_pipeline/squid.yml deleted file mode 100755 index 051af25eb3..0000000000 --- a/packages/pfsense/1.3.2/data_stream/log/elasticsearch/ingest_pipeline/squid.yml +++ /dev/null 
@@ -1,27 +0,0 @@ ---- -description: Pipeline for parsing PFsense Squid logs. -processors: - - grok: - field: message - patterns: - - '%{IPORHOST:source.address} %{NOTSPACE:squid.request_status}/%{NUMBER:http.response.status_code:long} %{NUMBER:http.response.bytes:long} %{NOTSPACE:http.request.method} (%{URI:url.original})?%{SPACE}%{NOTSPACE:http.request.referrer}%{SPACE}%{NOTSPACE:squid.hierarchy_status}/%{IPORHOST:destination.address}%{SPACE}%{NOTSPACE:http.response.mime_type}' - ignore_missing: false - - uri_parts: - field: url.original - ignore_failure: true - if: ctx.url?.original != null - - append: - field: event.category - value: web - - set: - field: event.outcome - value: success - if: "ctx.http?.response?.status_code != null && ctx.http.response.status_code < 400" - - set: - field: event.outcome - value: failure - if: "ctx.http?.response?.status_code != null && ctx.http.response.status_code >= 400" -on_failure: - - set: - field: error.message - value: '{{ _ingest.on_failure_message }}' diff --git a/packages/pfsense/1.3.2/data_stream/log/elasticsearch/ingest_pipeline/unbound.yml b/packages/pfsense/1.3.2/data_stream/log/elasticsearch/ingest_pipeline/unbound.yml deleted file mode 100755 index c534f17bb3..0000000000 --- a/packages/pfsense/1.3.2/data_stream/log/elasticsearch/ingest_pipeline/unbound.yml +++ /dev/null 
@@ -1,57 +0,0 @@ ---- -description: Pipeline for PFsense Unbound DNS logs -processors: - - grok: - field: message - patterns: - - '%{LOGLEVEL:log.level}: %{IP:source.address} %{HOSTNAME:_tmp.question.name}(\.) %{WORD:_tmp.question.type} %{WORD:_tmp.question.class}' - on_failure: - - drop: - description: Drop if not a query log - - append: - field: event.type - value: connection - allow_duplicates: false - if: ctx.source?.address != null - - append: - field: event.type - value: end - allow_duplicates: false - if: ctx.message.toLowerCase().contains('disconnected') - - set: - field: network.protocol - value: dns - - set: - field: dns.type - value: question - if: ctx._tmp?.question?.name != null - - registered_domain: - field: _tmp.question.name - target_field: dns.question - ignore_missing: true - - rename: - field: dns.question.domain - target_field: dns.question.name - ignore_missing: true - - rename: - field: _tmp.question.type - target_field: dns.question.type - ignore_missing: true - - rename: - field: _tmp.question.class - target_field: dns.question.class - ignore_missing: true - - convert: - field: source.address - target_field: source.ip - type: ip - ignore_failure: true - ignore_missing: true - - set: - field: client - copy_from: source - ignore_empty_value: true -on_failure: - - append: - field: error.message - value: '{{ _ingest.on_failure_message }}' \ No newline at end of file diff --git a/packages/pfsense/1.3.2/data_stream/log/fields/agent.yml b/packages/pfsense/1.3.2/data_stream/log/fields/agent.yml deleted file mode 100755 index c961daeee1..0000000000 --- a/packages/pfsense/1.3.2/data_stream/log/fields/agent.yml +++ /dev/null 
@@ -1,207 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - -- name: hostname - type: keyword - description: Hostname from syslog header. 
-- name: log.source.address - type: keyword - description: Source address of the syslog message. -- name: process.program - type: keyword - description: Process from syslog header. diff --git a/packages/pfsense/1.3.2/data_stream/log/fields/base-fields.yml b/packages/pfsense/1.3.2/data_stream/log/fields/base-fields.yml deleted file mode 100755 index 8007b1ad5b..0000000000 --- a/packages/pfsense/1.3.2/data_stream/log/fields/base-fields.yml +++ /dev/null @@ -1,17 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: event.module - type: constant_keyword - description: Event module - value: pfsense -- name: event.dataset - type: constant_keyword - description: Event dataset - value: pfsense.log diff --git a/packages/pfsense/1.3.2/data_stream/log/fields/ecs.yml b/packages/pfsense/1.3.2/data_stream/log/fields/ecs.yml deleted file mode 100755 index 9a1221b4f8..0000000000 --- a/packages/pfsense/1.3.2/data_stream/log/fields/ecs.yml +++ /dev/null 
@@ -1,582 +0,0 @@ -- description: |- - Date/time when the event originated. - This is the date/time extracted from the event, typically representing when the event was generated by the source. - If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. - Required field for all events. - name: '@timestamp' - type: date -- description: |- - Some event client addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: client.address - type: keyword -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: client.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: client.as.organization.name - type: keyword -- description: Bytes sent from the client to the server. - name: client.bytes - type: long -- description: |- - The domain name of the client system. - This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. - name: client.domain - type: keyword -- description: City name. - name: client.geo.city_name - type: keyword -- description: Name of the continent. - ignore_above: 1024 - name: client.geo.continent_name - type: keyword -- description: Country ISO code. - name: client.geo.country_iso_code - type: keyword -- description: Country name. - name: client.geo.country_name - type: keyword -- description: Longitude and latitude. - name: client.geo.location - type: geo_point -- description: Region ISO code. - name: client.geo.region_iso_code - type: keyword -- description: Region name. 
- name: client.geo.region_name - type: keyword -- description: IP address of the client (IPv4 or IPv6). - name: client.ip - type: ip -- description: |- - MAC address of the client. - The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. - name: client.mac - type: keyword -- description: Port of the client. - name: client.port - type: long -- description: |- - Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: destination.address - type: keyword -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: destination.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: destination.as.organization.name - type: keyword -- description: Bytes sent from the destination to the source. - name: destination.bytes - type: long -- description: City name. - name: destination.geo.city_name - type: keyword -- description: Name of the continent. - name: destination.geo.continent_name - type: keyword -- description: Country ISO code. - name: destination.geo.country_iso_code - type: keyword -- description: Country name. - name: destination.geo.country_name - type: keyword -- description: Longitude and latitude. - name: destination.geo.location - type: geo_point -- description: |- - User-defined description of a location, at the level of granularity they care about. - Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. 
- Not typically used in automated geolocation. - name: destination.geo.name - type: keyword -- description: Region ISO code. - name: destination.geo.region_iso_code - type: keyword -- description: Region name. - name: destination.geo.region_name - type: keyword -- description: IP address of the destination (IPv4 or IPv6). - name: destination.ip - type: ip -- description: |- - MAC address of the destination. - The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. - name: destination.mac - pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ - type: keyword -- description: Port of the destination. - name: destination.port - type: long -- description: The class of records being queried. - name: dns.question.class - type: keyword -- description: |- - The name being queried. - If the name field contains non-printable characters (below 32 or above 126), those characters should be represented as escaped base 10 integers (\DDD). Back slashes and quotes should be escaped. Tabs, carriage returns, and line feeds should be converted to \t, \r, and \n respectively. - name: dns.question.name - type: keyword -- description: |- - The highest registered domain, stripped of the subdomain. - For example, the registered domain for "foo.example.com" is "example.com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". - name: dns.question.registered_domain - type: keyword -- description: |- - The subdomain is all of the labels under the registered_domain. - If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. 
- name: dns.question.subdomain - type: keyword -- description: |- - The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". - name: dns.question.top_level_domain - type: keyword -- description: The type of record being queried. - name: dns.question.type - type: keyword -- description: |- - The type of DNS event captured, query or answer. - If your source of DNS events only gives you DNS queries, you should only create dns events of type `dns.type:query`. - If your source of DNS events gives you answers as well, you should create one event per query (optionally as soon as the query is seen). And a second event containing all query details as well as an array of answers. - name: dns.type - type: keyword -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: Error message. - name: error.message - type: match_only_text -- description: |- - The action captured by the event. - This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. - name: event.action - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. 
For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. This will allow proper categorization of some events that fall in multiple categories. - name: event.category - normalize: - - array - type: keyword -- description: |- - Duration of the event in nanoseconds. - If event.start and event.end are known this value should be the difference between the end and start time. - name: event.duration - type: long -- description: Unique ID to describe the event. - name: event.id - type: keyword -- description: |- - Timestamp when an event arrived in the central data store. - This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. - In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. - name: event.ingested - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: |- - Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. - This field is not indexed and doc_values are disabled. 
It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. - doc_values: false - index: false - name: event.original - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. - `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. - Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. - Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. - Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. - name: event.outcome - type: keyword -- description: |- - Source of the event. - Event transports such as Syslog or the Windows Event Log typically mention the source of an event. It can be the name of the software that generated the event (e.g. Sysmon, httpd), or of a subsystem of the operating system (kernel, Microsoft-Windows-Security-Auditing). - name: event.provider - type: keyword -- description: |- - Reason why this event happened, according to the source. - This describes the why of a particular action or outcome captured in the event. Where `event.action` captures the action from the event, `event.reason` describes why that action was taken. For example, a web proxy with an `event.action` which denied the request may also populate `event.reason` with the reason why (e.g. `blocked site`). 
- name: event.reason - type: keyword -- description: |- - This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. - Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). - name: event.timezone - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. - `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. This will allow proper categorization of some events that fall in multiple event types. - name: event.type - normalize: - - array - type: keyword -- description: Size in bytes of the request body. - name: http.request.body.bytes - type: long -- description: |- - HTTP request method. - The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field. - name: http.request.method - type: keyword -- description: Referrer for this HTTP request. - name: http.request.referrer - type: keyword -- description: Size in bytes of the response body. - name: http.response.body.bytes - type: long -- description: Total size in bytes of the response (body and headers). - name: http.response.bytes - type: long -- description: |- - Mime type of the body of the response. - This value must only be populated based on the content of the response body, not on the `Content-Type` header. Comparing the mime type of a response with the response's Content-Type header can be helpful in detecting misconfigured servers. - name: http.response.mime_type - type: keyword -- description: HTTP response status code. 
- name: http.response.status_code - type: long -- description: HTTP version. - name: http.version - type: keyword -- description: Type of Filebeat input. - name: input.type - type: keyword -- description: |- - Original log level of the log event. - If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). - Some examples are `warn`, `err`, `i`, `informational`. - name: log.level - type: keyword -- description: |- - Syslog numeric priority of the event, if available. - According to RFCs 5424 and 3164, the priority is 8 * facility + severity. This number is therefore expected to contain a value between 0 and 191. - name: log.syslog.priority - type: long -- description: |- - For log events the message field contains the log message, optimized for viewing in a log viewer. - For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. - If multiple messages exist, they can be combined into one message. - name: message - type: match_only_text -- description: |- - Total bytes transferred in both directions. - If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. - name: network.bytes - type: long -- description: |- - A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. - Learn more at https://github.com/corelight/community-id-spec. - name: network.community_id - type: keyword -- description: |- - Direction of the network traffic. - When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". 
- When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". - Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. - name: network.direction - type: keyword -- description: IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. - name: network.iana_number - type: keyword -- description: |- - Total packets transferred in both directions. - If `source.packets` and `destination.packets` are known, `network.packets` is their sum. - name: network.packets - type: long -- description: |- - In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. - The field value must be normalized to lowercase for querying. - name: network.protocol - type: keyword -- description: |- - Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) - The field value must be normalized to lowercase for querying. - name: network.transport - type: keyword -- description: |- - In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc - The field value must be normalized to lowercase for querying. - name: network.type - type: keyword -- description: VLAN ID as reported by the observer. - name: network.vlan.id - type: keyword -- description: Interface name as reported by the system. - name: observer.ingress.interface.name - type: keyword -- description: VLAN ID as reported by the observer. 
- name: observer.ingress.vlan.id - type: keyword -- description: IP addresses of the observer. - name: observer.ip - normalize: - - array - type: ip -- description: |- - Custom name of the observer. - This is a name that can be given to an observer. This can be helpful for example if multiple firewalls of the same model are used in an organization. - If no custom name is needed, the field can be left empty. - name: observer.name - type: keyword -- description: |- - The type of the observer the data is coming from. - There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. - name: observer.type - type: keyword -- description: Vendor name of the observer. - name: observer.vendor - type: keyword -- description: |- - Process name. - Sometimes called program name or similar. - multi_fields: - - name: text - type: match_only_text - name: process.name - type: keyword -- description: Process id. - name: process.pid - type: long -- description: All of the IPs seen on your event. - name: related.ip - normalize: - - array - type: ip -- description: All the user names or other user identifiers seen on the event. - name: related.user - normalize: - - array - type: keyword -- description: A rule ID that is unique within the scope of an agent, observer, or other entity using the rule for detection of this event. - name: rule.id - type: keyword -- description: |- - Some event server addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: server.address - type: keyword -- description: Bytes sent from the server to the client. - name: server.bytes - type: long -- description: IP address of the server (IPv4 or IPv6). - name: server.ip - type: ip -- description: Port of the server. 
- name: server.port - type: long -- description: |- - MAC address of the server. - The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. - name: server.mac - pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ - type: keyword -- description: |- - Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: source.address - type: keyword -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: source.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: source.as.organization.name - type: keyword -- description: Bytes sent from the source to the destination. - name: source.bytes - type: long -- description: |- - The domain name of the source system. - This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. - name: source.domain - type: keyword -- description: City name. - name: source.geo.city_name - type: keyword -- description: Name of the continent. - name: source.geo.continent_name - type: keyword -- description: Country ISO code. - name: source.geo.country_iso_code - type: keyword -- description: Country name. - name: source.geo.country_name - type: keyword -- description: Longitude and latitude. - name: source.geo.location - type: geo_point -- description: |- - User-defined description of a location, at the level of granularity they care about. 
- Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. - Not typically used in automated geolocation. - name: source.geo.name - type: keyword -- description: Region ISO code. - name: source.geo.region_iso_code - type: keyword -- description: Region name. - name: source.geo.region_name - type: keyword -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: |- - MAC address of the source. - The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. - name: source.mac - pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ - type: keyword -- description: |- - Translated ip of source based NAT sessions (e.g. internal client to internet) - Typically connections traversing load balancers, firewalls, or routers. - name: source.nat.ip - type: ip -- description: Port of the source. - name: source.port - type: long -- description: User's full name, if available. - multi_fields: - - name: text - type: match_only_text - name: source.user.full_name - type: keyword -- description: Unique identifier of the user. - name: source.user.id - type: keyword -- description: List of keywords used to tag each event. - name: tags - normalize: - - array - type: keyword -- description: String indicating the cipher used during the current connection. - name: tls.cipher - type: keyword -- description: Numeric part of the version parsed from the original string. - name: tls.version - type: keyword -- description: Normalized lowercase protocol name parsed from original string. - name: tls.version_protocol - type: keyword -- description: |- - Domain of the url, such as "www.elastic.co". - In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. 
- If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. - name: url.domain - type: keyword -- description: |- - The field contains the file extension from the original request url, excluding the leading dot. - The file extension is only set if it exists, as not every url has a file extension. - The leading period must not be included. For example, the value must be "png", not ".png". - Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). - name: url.extension - type: keyword -- description: If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. - multi_fields: - - name: text - type: match_only_text - name: url.full - type: wildcard -- description: |- - Unmodified original url as seen in the event source. - Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. - This field is meant to represent the URL as it was observed, complete or not. - multi_fields: - - name: text - type: match_only_text - name: url.original - type: wildcard -- description: Password of the request. - name: url.password - type: keyword -- description: Path of the request, such as "/search". - name: url.path - type: wildcard -- description: Port of the request, such as 443. - name: url.port - type: long -- description: |- - The query field describes the query string of the request, such as "q=elasticsearch". - The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. - name: url.query - type: keyword -- description: |- - Scheme of the request, such as "https". 
- Note: The `:` is not part of the scheme. - name: url.scheme - type: keyword -- description: Username of the request. - name: url.username - type: keyword -- description: |- - Name of the directory the user is a member of. - For example, an LDAP or Active Directory domain name. - name: user.domain - type: keyword -- description: User email address. - name: user.email - type: keyword -- description: User's full name, if available. - multi_fields: - - name: text - type: match_only_text - name: user.full_name - type: keyword -- description: Unique identifier of the user. - name: user.id - type: keyword -- description: Short name or login of the user. - multi_fields: - - name: text - type: match_only_text - name: user.name - type: keyword -- description: Name of the device. - name: user_agent.device.name - type: keyword -- description: Name of the user agent. - name: user_agent.name - type: keyword -- description: Unparsed user_agent string. - multi_fields: - - name: text - type: match_only_text - name: user_agent.original - type: keyword -- description: Operating system name, including the version or code name. - multi_fields: - - name: text - type: match_only_text - name: user_agent.os.full - type: keyword -- description: Operating system name, without the version. - multi_fields: - - name: text - type: match_only_text - name: user_agent.os.name - type: keyword -- description: Operating system version as a raw string. - name: user_agent.os.version - type: keyword -- description: Version of the user agent. - name: user_agent.version - type: keyword diff --git a/packages/pfsense/1.3.2/data_stream/log/fields/fields.yml b/packages/pfsense/1.3.2/data_stream/log/fields/fields.yml deleted file mode 100755 index 4c3e855785..0000000000 --- a/packages/pfsense/1.3.2/data_stream/log/fields/fields.yml +++ /dev/null 
@@ -1,283 +0,0 @@ -- name: pfsense.ip - type: group - fields: - - name: tos - type: keyword - description: | - IP Type of Service identification. - - name: ecn - type: keyword - description: | - Explicit Congestion Notification. - - name: ttl - type: long - description: | - Time To Live (TTL) of the packet - - name: id - type: long - description: | - ID of the packet - - name: offset - type: long - description: | - Fragment offset - - name: flags - type: keyword - description: | - IP flags. - - name: flow_label - type: keyword - description: | - Flow label -- name: pfsense.tcp - type: group - fields: - - name: flags - type: keyword - description: | - TCP flags. - - name: seq - type: long - description: | - TCP sequence number. - - name: ack - type: long - description: | - TCP Acknowledgment number. - - name: window - type: long - description: | - Advertised TCP window size. - - name: urg - type: keyword - description: | - Urgent pointer data. - - name: options - type: array - description: | - TCP Options. - - name: length - type: long - description: | - Length of the TCP header and payload. -- name: pfsense.udp - type: group - fields: - - name: length - type: long - description: | - Length of the UDP header and payload. -- name: pfsense.icmp - type: group - fields: - - name: type - type: keyword - description: | - ICMP type. 
- - name: id - type: long - description: | - ID of the echo request/reply - - name: destination.ip - type: ip - description: Original destination address of the connection that caused this notification - - name: mtu - type: long - description: MTU to use for subsequent data to this destination - - name: otime - type: date - description: Originate Timestamp - - name: rtime - type: date - description: Receive Timestamp - - name: ttime - type: date - description: Transmit Timestamp - - name: unreachable - type: group - fields: - - name: iana_number - type: long - description: | - Protocol ID number that was unreachable - - name: port - type: long - description: | - Port number that was unreachable - - name: other - type: keyword - description: | - Other unreachable information - - name: code - type: long - description: | - ICMP code. - - name: parameter - type: long - description: | - ICMP parameter. - - name: redirect - type: ip - description: | - ICMP redirect address. - - name: seq - type: long - description: | - ICMP sequence number. -- name: pfsense.dhcp - type: group - fields: - - name: hostname - type: keyword - description: | - Hostname of DHCP client - - name: age - type: long - description: | - Age of DHCP lease in seconds - - name: duid - type: keyword - description: | - The DHCP unique identifier (DUID) is used by a client to get an IP address from a DHCPv6 server. 
- - name: iaid - type: keyword - description: | - Identity Association Identifier used alongside the DUID to uniquely identify a DHCP client - - name: transaction_id - type: keyword - description: | - The DHCP transaction ID - - name: lease_time - type: long - description: | - The DHCP lease time in seconds - - name: subnet - type: keyword - description: | - The subnet for which the DHCP server is issuing IPs -- name: pfsense.openvpn.peer_info - type: keyword - description: |- - Information about the Open VPN client -- name: haproxy - type: group - fields: - - name: frontend_name - type: keyword - description: Name of the frontend (or listener) which received and processed the connection. - - name: backend_name - type: keyword - description: Name of the backend (or listener) which was selected to manage the connection to the server. - - name: server_name - type: keyword - description: Name of the last server to which the connection was sent. - - name: total_waiting_time_ms - type: long - description: Total time in milliseconds spent waiting in the various queues - - name: connection_wait_time_ms - type: long - description: Total time in milliseconds spent waiting for the connection to establish to the final server - - name: bytes_read - type: long - description: Total number of bytes transmitted to the client when the log is emitted. - - name: time_queue - type: long - description: Total time in milliseconds spent waiting in the various queues. - - name: time_backend_connect - type: long - description: Total time in milliseconds spent waiting for the connection to establish to the final server, including retries. - - name: server_queue - type: long - description: Total number of requests which were processed before this one in the server queue. - - name: backend_queue - type: long - description: Total number of requests which were processed before this one in the backend's global queue. 
- - name: bind_name - type: keyword - description: Name of the listening address which received the connection. - - name: error_message - type: text - description: Error message logged by HAProxy in case of error. - - name: source - type: keyword - description: The HAProxy source of the log - - name: termination_state - type: keyword - description: Condition the session was in when the session ended. - - name: mode - type: keyword - description: mode that the frontend is operating (TCP or HTTP) - - name: connections - type: group - fields: - - name: active - type: long - description: Total number of concurrent connections on the process when the session was logged. - - name: frontend - type: long - description: Total number of concurrent connections on the frontend when the session was logged. - - name: backend - type: long - description: Total number of concurrent connections handled by the backend when the session was logged. - - name: server - type: long - description: Total number of concurrent connections still active on the server when the session was logged. - - name: retries - type: long - description: Number of connection retries experienced by this session when trying to connect to the server. - - name: client - type: group - - name: destination - type: group - - name: geoip - type: group -- name: haproxy.http - type: group - fields: - - name: response - type: group - fields: - - name: captured_cookie - type: keyword - description: | - Optional "name=value" entry indicating that the client had this cookie in the response. - - name: captured_headers - type: keyword - description: | - List of headers captured in the response due to the presence of the "capture response header" statement in the frontend. - - name: request - type: group - fields: - - name: captured_cookie - type: keyword - description: | - Optional "name=value" entry indicating that the server has returned a cookie with its request. 
- - name: captured_headers - type: keyword - description: | - List of headers captured in the request due to the presence of the "capture request header" statement in the frontend. - - name: raw_request_line - type: keyword - description: Complete HTTP request line, including the method, request and HTTP version string. - - name: time_wait_without_data_ms - type: long - description: Total time in milliseconds spent waiting for the server to send a full HTTP response, not counting data. - - name: time_wait_ms - type: long - description: Total time in milliseconds spent waiting for a full HTTP request from the client (not counting body) after the first byte was received. -- name: haproxy.tcp - type: group - fields: - - name: connection_waiting_time_ms - type: long - description: Total time in milliseconds elapsed between the accept and the last close -- name: squid - type: group - fields: - - name: request_status - type: keyword - description: | - The cache result code; how the cache responded to the request: HIT, MISS, and so on. Cache result codes are described [here](https://www.websense.com/content/support/library/web/v773/wcg_help/cachrslt.aspx#596301). - - name: hierarchy_status - type: keyword - description: The proxy hierarchy route; the route Content Gateway used to retrieve the object. diff --git a/packages/pfsense/1.3.2/data_stream/log/manifest.yml b/packages/pfsense/1.3.2/data_stream/log/manifest.yml deleted file mode 100755 index 1b65cbac0b..0000000000 --- a/packages/pfsense/1.3.2/data_stream/log/manifest.yml +++ /dev/null 
@@ -1,140 +0,0 @@
-type: logs
-title: pfSense log logs
-release: experimental
-streams:
- - input: udp
- template_path: udp.yml.hbs
- title: pfSense syslog logs
- description: Collect pfsense logs using udp input
- vars:
- - name: syslog_host
- type: text
- title: Syslog Host
- description: The interface to listen to UDP based syslog traffic. Set to `0.0.0.0` to bind to all available interfaces.
- multi: false
- required: true
- show_user: true
- default: localhost
- - name: syslog_port
- type: integer
- title: Syslog Port
- description: The UDP port to listen for syslog traffic. Ports below 1024 require Filebeat to run as root.
- multi: false
- required: true
- show_user: true
- default: 9001
- - name: internal_networks
- type: text
- title: Internal Networks
- multi: true
- required: false
- show_user: true
- default:
- - private
- description: The internal IP subnet(s) of the network.
- - name: tz_offset
- type: text
- title: Timezone Offset
- multi: false
- required: true
- show_user: true
- default: local
- description: >-
- By default, datetimes (with no timezone) in the logs will be interpreted as relative to the timezone configured in the host where the agent is running. If ingesting logs from a host on a different timezone, use this field to set the timezone offset so that datetimes are correctly parsed. Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00") from UCT.
- - name: tags
- type: text
- title: Tags
- multi: true
- required: true
- show_user: false
- default:
- - pfsense
- - forwarded
- - name: preserve_original_event
- required: true
- show_user: true
- title: Preserve original event
- description: Preserves a raw copy of the original event, added to the field `event.original`
- type: bool
- multi: false
- default: false
- - name: processors
- type: yaml
- title: Processors
- multi: false
- required: false
- show_user: false
- description: >-
- Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
- - input: tcp
- template_path: tcp.yml.hbs
- title: pfSense syslog logs
- description: Collect pfsense logs using tcp input
- enabled: false
- vars:
- - name: syslog_host
- type: text
- title: Syslog Host
- description: The interface to listen to TCP based syslog traffic. Set to `0.0.0.0` to bind to all available interfaces.
- multi: false
- required: true
- show_user: true
- default: localhost
- - name: syslog_port
- type: integer
- title: Syslog Port
- description: The TCP port to listen for syslog traffic. Ports below 1024 require Filebeat to run as root.
- multi: false
- required: true
- show_user: true
- default: 9001
- - name: internal_networks
- type: text
- title: Internal Networks
- multi: true
- required: false
- show_user: true
- default:
- - private
- description: The internal IP subnet(s) of the network.
- - name: tz_offset
- type: text
- title: Timezone Offset
- multi: false
- required: true
- show_user: true
- default: local
- description: >-
- By default, datetimes (with no timezone) in the logs will be interpreted as relative to the timezone configured in the host where the agent is running. If ingesting logs from a host on a different timezone, use this field to set the timezone offset so that datetimes are correctly parsed. Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00") from UCT.
- - name: tags
- type: text
- title: Tags
- multi: true
- required: true
- show_user: false
- default:
- - pfsense
- - forwarded
- - name: ssl
- type: yaml
- title: TLS configuration
- multi: false
- required: false
- show_user: true
- description: Options for enabling TLS mode. See the [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/configuration-ssl.html) for a list of all options.
- - name: preserve_original_event
- required: true
- show_user: true
- title: Preserve original event
- description: Preserves a raw copy of the original event, added to the field `event.original`
- type: bool
- multi: false
- default: false
- - name: processors
- type: yaml
- title: Processors
- multi: false
- required: false
- show_user: false
- description: >-
- Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
diff --git a/packages/pfsense/1.3.2/data_stream/log/sample_event.json b/packages/pfsense/1.3.2/data_stream/log/sample_event.json
deleted file mode 100755
index 118d8fa673..0000000000
--- a/packages/pfsense/1.3.2/data_stream/log/sample_event.json
+++ /dev/null
@@ -1,135 +0,0 @@ -{ - "@timestamp": "2021-07-04T00:10:14.578Z", - "agent": { - "ephemeral_id": "6b82ecb8-3739-4d1c-aeca-3a62c5340c7f", - "id": "c5c06c39-0b86-45ec-9ae3-c773f4562eaa", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "8.3.2" - }, - "data_stream": { - "dataset": "pfsense.log", - "namespace": "ep", - "type": "logs" - }, - "destination": { - "address": "175.16.199.1", - "geo": { - "city_name": "Changchun", - "continent_name": "Asia", - "country_iso_code": "CN", - "country_name": "China", - "location": { - "lat": 43.88, - "lon": 125.3228 - }, - "region_iso_code": "CN-22", - "region_name": "Jilin Sheng" - }, - "ip": "175.16.199.1", - "port": 853 - }, - "ecs": { - "version": "8.3.0" - }, - "elastic_agent": { - "id": "c5c06c39-0b86-45ec-9ae3-c773f4562eaa", - "snapshot": false, - "version": "8.3.2" - }, - "event": { - "action": "block", - "agent_id_status": "verified", - "category": [ - "network" - ], - "dataset": "pfsense.log", - "ingested": "2022-07-30T02:57:35Z", - "kind": "event", - "original": "\u003c134\u003e1 2021-07-03T19:10:14.578288-05:00 pfSense.example.com filterlog 72237 - - 146,,,1535324496,igb1.12,match,block,in,4,0x0,,63,32989,0,DF,6,tcp,60,10.170.12.50,175.16.199.1,49652,853,0,S,1818117648,,64240,,mss;sackOK;TS;nop;wscale", - "provider": "filterlog", - "reason": "match", - "timezone": "-05:00", - "type": [ - "connection", - "denied" - ] - }, - "input": { - "type": "tcp" - }, - "log": { - "source": { - "address": "172.19.0.6:50688" - }, - "syslog": { - "priority": 134 - } - }, - "message": "146,,,1535324496,igb1.12,match,block,in,4,0x0,,63,32989,0,DF,6,tcp,60,10.170.12.50,175.16.199.1,49652,853,0,S,1818117648,,64240,,mss;sackOK;TS;nop;wscale", - "network": { - "bytes": 60, - "community_id": "1:pOXVyPJTFJI5seusI/UD6SwvBjg=", - "direction": "inbound", - "iana_number": "6", - "transport": "tcp", - "type": "ipv4" - }, - "observer": { - "ingress": { - "interface": { - "name": "igb1.12" - }, - "vlan": { - "id": "12" - } - }, - 
"name": "pfSense.example.com", - "type": "firewall", - "vendor": "netgate" - }, - "pfsense": { - "ip": { - "flags": "DF", - "id": 32989, - "offset": 0, - "tos": "0x0", - "ttl": 63 - }, - "tcp": { - "flags": "S", - "length": 0, - "options": [ - "mss", - "sackOK", - "TS", - "nop", - "wscale" - ], - "window": 64240 - } - }, - "process": { - "name": "filterlog", - "pid": 72237 - }, - "related": { - "ip": [ - "175.16.199.1", - "10.170.12.50" - ] - }, - "rule": { - "id": "1535324496" - }, - "source": { - "address": "10.170.12.50", - "ip": "10.170.12.50", - "port": 49652 - }, - "tags": [ - "preserve_original_event", - "pfsense", - "forwarded" - ] -} \ No newline at end of file diff --git a/packages/pfsense/1.3.2/docs/README.md b/packages/pfsense/1.3.2/docs/README.md deleted file mode 100755 index e54d342ce9..0000000000 --- a/packages/pfsense/1.3.2/docs/README.md +++ /dev/null 
@@ -1,440 +0,0 @@ -# pfSense Integration - -This is an integration to parse certain logs from [pfSense and OPNsense firewalls](https://docs.netgate.com/pfsense/en/latest/). It parses logs received over the network via syslog (UDP/TCP/TLS). pfSense natively only supports UDP. OPNsense supports all 3 transports. - -Currently the integration supports parsing the Firewall, Unbound, DHCP Daemon, OpenVPN, IPsec, HAProxy, Squid, and PHP-FPM (Authentication) logs. -All other events will be dropped. -The HAProxy logs are setup to be compatible with the dashboards from the HAProxy integration. Install the HAPrxoy integration assets to use them. - -## pfSense Setup -1. Navigate to _Status -> System Logs_, then click on _Settings_ -2. At the bottom check _Enable Remote Logging_ -3. (Optional) Select a specific interface to use for forwarding -4. Input the agent IP address and port as set via the integration config into the field _Remote log servers_ (e.g. 192.168.100.50:5140) -5. Under _Remote Syslog Contents_ select what logs to forward to the agent - * Select _Everything_ to forward all logs to the agent or select the individual services to forward. Any log entry not in the list above will be dropped. This will cause additional data to be sent to the agent and Elasticsearch. The firewall, VPN, DHCP, DNS, and Authentication (PHP-FPM) logs are able to be individually selected. In order to collect HAProxy and Squid or other "package" logs, the _Everything_ option must be selected. - -## OPNsense Setup -1. Navigate to _System -> Settings -> Logging/Targets_ -2. Add a new _Logging/Target_ (Click the plus icon) - - Transport = UDP or TCP or TLS - - Applications = Select a list of applications to send to remote syslog. Leave empty for all. 
- - Levels = Nothing Selected - - Facilities = Nothing Selected - - Hostname = IP of Elastic agent as configured in the integration config - - Port = Port of Elastic agent as configured in the integration config - - Certificate = Client certificate to use (when selecting a tls transport type) - - Description = Syslog to Elasticsearch - - Click Save - - The module is by default configured to run with the `udp` input on port `9001`. - -**Important** -The pfSense integration supports both the BSD logging format (used by pfSense by default and OPNsense) and the Syslog format (optional for pfSense). -However the syslog format is recommended. It will provide the firewall hostname and timestamps with timezone information. -When using the BSD format, the `Timezone Offset` config must be set when deploying the agent or else the timezone will default to the timezone of the agent. See `https:///status_logs_settings.php` and https://docs.netgate.com/pfsense/en/latest/monitoring/logs/settings.html for more information. - -A huge thanks to [a3ilson](https://github.com/a3ilson) for the https://github.com/pfelk/pfelk repo, which is the foundation for the majority of the grok patterns and dashboards in this integration. - -## Logs - -### pfSense log - -This is the pfSense `log` dataset. 
- -An example event for `log` looks as following: - -```json -{ - "@timestamp": "2021-07-04T00:10:14.578Z", - "agent": { - "ephemeral_id": "6b82ecb8-3739-4d1c-aeca-3a62c5340c7f", - "id": "c5c06c39-0b86-45ec-9ae3-c773f4562eaa", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "8.3.2" - }, - "data_stream": { - "dataset": "pfsense.log", - "namespace": "ep", - "type": "logs" - }, - "destination": { - "address": "175.16.199.1", - "geo": { - "city_name": "Changchun", - "continent_name": "Asia", - "country_iso_code": "CN", - "country_name": "China", - "location": { - "lat": 43.88, - "lon": 125.3228 - }, - "region_iso_code": "CN-22", - "region_name": "Jilin Sheng" - }, - "ip": "175.16.199.1", - "port": 853 - }, - "ecs": { - "version": "8.3.0" - }, - "elastic_agent": { - "id": "c5c06c39-0b86-45ec-9ae3-c773f4562eaa", - "snapshot": false, - "version": "8.3.2" - }, - "event": { - "action": "block", - "agent_id_status": "verified", - "category": [ - "network" - ], - "dataset": "pfsense.log", - "ingested": "2022-07-30T02:57:35Z", - "kind": "event", - "original": "\u003c134\u003e1 2021-07-03T19:10:14.578288-05:00 pfSense.example.com filterlog 72237 - - 146,,,1535324496,igb1.12,match,block,in,4,0x0,,63,32989,0,DF,6,tcp,60,10.170.12.50,175.16.199.1,49652,853,0,S,1818117648,,64240,,mss;sackOK;TS;nop;wscale", - "provider": "filterlog", - "reason": "match", - "timezone": "-05:00", - "type": [ - "connection", - "denied" - ] - }, - "input": { - "type": "tcp" - }, - "log": { - "source": { - "address": "172.19.0.6:50688" - }, - "syslog": { - "priority": 134 - } - }, - "message": "146,,,1535324496,igb1.12,match,block,in,4,0x0,,63,32989,0,DF,6,tcp,60,10.170.12.50,175.16.199.1,49652,853,0,S,1818117648,,64240,,mss;sackOK;TS;nop;wscale", - "network": { - "bytes": 60, - "community_id": "1:pOXVyPJTFJI5seusI/UD6SwvBjg=", - "direction": "inbound", - "iana_number": "6", - "transport": "tcp", - "type": "ipv4" - }, - "observer": { - "ingress": { - "interface": { - "name": "igb1.12" 
- }, - "vlan": { - "id": "12" - } - }, - "name": "pfSense.example.com", - "type": "firewall", - "vendor": "netgate" - }, - "pfsense": { - "ip": { - "flags": "DF", - "id": 32989, - "offset": 0, - "tos": "0x0", - "ttl": 63 - }, - "tcp": { - "flags": "S", - "length": 0, - "options": [ - "mss", - "sackOK", - "TS", - "nop", - "wscale" - ], - "window": 64240 - } - }, - "process": { - "name": "filterlog", - "pid": 72237 - }, - "related": { - "ip": [ - "175.16.199.1", - "10.170.12.50" - ] - }, - "rule": { - "id": "1535324496" - }, - "source": { - "address": "10.170.12.50", - "ip": "10.170.12.50", - "port": 49652 - }, - "tags": [ - "preserve_original_event", - "pfsense", - "forwarded" - ] -} -``` - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. | date | -| client.address | Some event client addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| client.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| client.as.organization.name | Organization name. | keyword | -| client.as.organization.name.text | Multi-field of `client.as.organization.name`. | match_only_text | -| client.bytes | Bytes sent from the client to the server. | long | -| client.domain | The domain name of the client system. This value may be a host name, a fully qualified domain name, or another host naming format. 
The value may derive from the original event or be added from enrichment. | keyword | -| client.geo.city_name | City name. | keyword | -| client.geo.continent_name | Name of the continent. | keyword | -| client.geo.country_iso_code | Country ISO code. | keyword | -| client.geo.country_name | Country name. | keyword | -| client.geo.location | Longitude and latitude. | geo_point | -| client.geo.region_iso_code | Region ISO code. | keyword | -| client.geo.region_name | Region name. | keyword | -| client.ip | IP address of the client (IPv4 or IPv6). | ip | -| client.mac | MAC address of the client. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | -| client.port | Port of the client. | long | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. 
| constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| destination.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| destination.as.organization.name | Organization name. | keyword | -| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. | match_only_text | -| destination.bytes | Bytes sent from the destination to the source. | long | -| destination.geo.city_name | City name. | keyword | -| destination.geo.continent_name | Name of the continent. | keyword | -| destination.geo.country_iso_code | Country ISO code. | keyword | -| destination.geo.country_name | Country name. | keyword | -| destination.geo.location | Longitude and latitude. | geo_point | -| destination.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | -| destination.geo.region_iso_code | Region ISO code. | keyword | -| destination.geo.region_name | Region name. | keyword | -| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | -| destination.mac | MAC address of the destination. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. 
| keyword | -| destination.port | Port of the destination. | long | -| dns.question.class | The class of records being queried. | keyword | -| dns.question.name | The name being queried. If the name field contains non-printable characters (below 32 or above 126), those characters should be represented as escaped base 10 integers (\DDD). Back slashes and quotes should be escaped. Tabs, carriage returns, and line feeds should be converted to \t, \r, and \n respectively. | keyword | -| dns.question.registered_domain | The highest registered domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | -| dns.question.subdomain | The subdomain is all of the labels under the registered_domain. If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword | -| dns.question.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | -| dns.question.type | The type of record being queried. | keyword | -| dns.type | The type of DNS event captured, query or answer. If your source of DNS events only gives you DNS queries, you should only create dns events of type `dns.type:query`. If your source of DNS events gives you answers as well, you should create one event per query (optionally as soon as the query is seen). 
And a second event containing all query details as well as an array of answers. | keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| error.message | Error message. | match_only_text | -| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.dataset | Event dataset | constant_keyword | -| event.duration | Duration of the event in nanoseconds. If event.start and event.end are known this value should be the difference between the end and start time. | long | -| event.id | Unique ID to describe the event. | keyword | -| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. 
| date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | -| event.module | Event module | constant_keyword | -| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | -| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. 
For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | -| event.provider | Source of the event. Event transports such as Syslog or the Windows Event Log typically mention the source of an event. It can be the name of the software that generated the event (e.g. Sysmon, httpd), or of a subsystem of the operating system (kernel, Microsoft-Windows-Security-Auditing). | keyword | -| event.reason | Reason why this event happened, according to the source. This describes the why of a particular action or outcome captured in the event. Where `event.action` captures the action from the event, `event.reason` describes why that action was taken. For example, a web proxy with an `event.action` which denied the request may also populate `event.reason` with the reason why (e.g. `blocked site`). | keyword | -| event.timezone | This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). | keyword | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | -| haproxy.backend_name | Name of the backend (or listener) which was selected to manage the connection to the server. | keyword | -| haproxy.backend_queue | Total number of requests which were processed before this one in the backend's global queue. 
| long | -| haproxy.bind_name | Name of the listening address which received the connection. | keyword | -| haproxy.bytes_read | Total number of bytes transmitted to the client when the log is emitted. | long | -| haproxy.connection_wait_time_ms | Total time in milliseconds spent waiting for the connection to establish to the final server | long | -| haproxy.connections.active | Total number of concurrent connections on the process when the session was logged. | long | -| haproxy.connections.backend | Total number of concurrent connections handled by the backend when the session was logged. | long | -| haproxy.connections.frontend | Total number of concurrent connections on the frontend when the session was logged. | long | -| haproxy.connections.retries | Number of connection retries experienced by this session when trying to connect to the server. | long | -| haproxy.connections.server | Total number of concurrent connections still active on the server when the session was logged. | long | -| haproxy.error_message | Error message logged by HAProxy in case of error. | text | -| haproxy.frontend_name | Name of the frontend (or listener) which received and processed the connection. | keyword | -| haproxy.http.request.captured_cookie | Optional "name=value" entry indicating that the server has returned a cookie with its request. | keyword | -| haproxy.http.request.captured_headers | List of headers captured in the request due to the presence of the "capture request header" statement in the frontend. | keyword | -| haproxy.http.request.raw_request_line | Complete HTTP request line, including the method, request and HTTP version string. | keyword | -| haproxy.http.request.time_wait_ms | Total time in milliseconds spent waiting for a full HTTP request from the client (not counting body) after the first byte was received. 
| long | -| haproxy.http.request.time_wait_without_data_ms | Total time in milliseconds spent waiting for the server to send a full HTTP response, not counting data. | long | -| haproxy.http.response.captured_cookie | Optional "name=value" entry indicating that the client had this cookie in the response. | keyword | -| haproxy.http.response.captured_headers | List of headers captured in the response due to the presence of the "capture response header" statement in the frontend. | keyword | -| haproxy.mode | mode that the frontend is operating (TCP or HTTP) | keyword | -| haproxy.server_name | Name of the last server to which the connection was sent. | keyword | -| haproxy.server_queue | Total number of requests which were processed before this one in the server queue. | long | -| haproxy.source | The HAProxy source of the log | keyword | -| haproxy.tcp.connection_waiting_time_ms | Total time in milliseconds elapsed between the accept and the last close | long | -| haproxy.termination_state | Condition the session was in when the session ended. | keyword | -| haproxy.time_backend_connect | Total time in milliseconds spent waiting for the connection to establish to the final server, including retries. | long | -| haproxy.time_queue | Total time in milliseconds spent waiting in the various queues. | long | -| haproxy.total_waiting_time_ms | Total time in milliseconds spent waiting in the various queues | long | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. 
As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| hostname | Hostname from syslog header. | keyword | -| http.request.body.bytes | Size in bytes of the request body. | long | -| http.request.method | HTTP request method. The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field. | keyword | -| http.request.referrer | Referrer for this HTTP request. | keyword | -| http.response.body.bytes | Size in bytes of the response body. | long | -| http.response.bytes | Total size in bytes of the response (body and headers). | long | -| http.response.mime_type | Mime type of the body of the response. This value must only be populated based on the content of the response body, not on the `Content-Type` header. 
Comparing the mime type of a response with the response's Content-Type header can be helpful in detecting misconfigured servers. | keyword | -| http.response.status_code | HTTP response status code. | long | -| http.version | HTTP version. | keyword | -| input.type | Type of Filebeat input. | keyword | -| log.level | Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). Some examples are `warn`, `err`, `i`, `informational`. | keyword | -| log.source.address | Source address of the syslog message. | keyword | -| log.syslog.priority | Syslog numeric priority of the event, if available. According to RFCs 5424 and 3164, the priority is 8 \* facility + severity. This number is therefore expected to contain a value between 0 and 191. | long | -| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | -| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long | -| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword | -| network.direction | Direction of the network traffic. When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". 
When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword | -| network.iana_number | IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. | keyword | -| network.packets | Total packets transferred in both directions. If `source.packets` and `destination.packets` are known, `network.packets` is their sum. | long | -| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword | -| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword | -| network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword | -| network.vlan.id | VLAN ID as reported by the observer. | keyword | -| observer.ingress.interface.name | Interface name as reported by the system. | keyword | -| observer.ingress.vlan.id | VLAN ID as reported by the observer. | keyword | -| observer.ip | IP addresses of the observer. | ip | -| observer.name | Custom name of the observer. This is a name that can be given to an observer. 
This can be helpful for example if multiple firewalls of the same model are used in an organization. If no custom name is needed, the field can be left empty. | keyword | -| observer.type | The type of the observer the data is coming from. There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. | keyword | -| observer.vendor | Vendor name of the observer. | keyword | -| pfsense.dhcp.age | Age of DHCP lease in seconds | long | -| pfsense.dhcp.duid | The DHCP unique identifier (DUID) is used by a client to get an IP address from a DHCPv6 server. | keyword | -| pfsense.dhcp.hostname | Hostname of DHCP client | keyword | -| pfsense.dhcp.iaid | Identity Association Identifier used alongside the DUID to uniquely identify a DHCP client | keyword | -| pfsense.dhcp.lease_time | The DHCP lease time in seconds | long | -| pfsense.dhcp.subnet | The subnet for which the DHCP server is issuing IPs | keyword | -| pfsense.dhcp.transaction_id | The DHCP transaction ID | keyword | -| pfsense.icmp.code | ICMP code. | long | -| pfsense.icmp.destination.ip | Original destination address of the connection that caused this notification | ip | -| pfsense.icmp.id | ID of the echo request/reply | long | -| pfsense.icmp.mtu | MTU to use for subsequent data to this destination | long | -| pfsense.icmp.otime | Originate Timestamp | date | -| pfsense.icmp.parameter | ICMP parameter. | long | -| pfsense.icmp.redirect | ICMP redirect address. | ip | -| pfsense.icmp.rtime | Receive Timestamp | date | -| pfsense.icmp.seq | ICMP sequence number. | long | -| pfsense.icmp.ttime | Transmit Timestamp | date | -| pfsense.icmp.type | ICMP type. 
| keyword | -| pfsense.icmp.unreachable.iana_number | Protocol ID number that was unreachable | long | -| pfsense.icmp.unreachable.other | Other unreachable information | keyword | -| pfsense.icmp.unreachable.port | Port number that was unreachable | long | -| pfsense.ip.ecn | Explicit Congestion Notification. | keyword | -| pfsense.ip.flags | IP flags. | keyword | -| pfsense.ip.flow_label | Flow label | keyword | -| pfsense.ip.id | ID of the packet | long | -| pfsense.ip.offset | Fragment offset | long | -| pfsense.ip.tos | IP Type of Service identification. | keyword | -| pfsense.ip.ttl | Time To Live (TTL) of the packet | long | -| pfsense.openvpn.peer_info | Information about the Open VPN client | keyword | -| pfsense.tcp.ack | TCP Acknowledgment number. | long | -| pfsense.tcp.flags | TCP flags. | keyword | -| pfsense.tcp.length | Length of the TCP header and payload. | long | -| pfsense.tcp.options | TCP Options. | array | -| pfsense.tcp.seq | TCP sequence number. | long | -| pfsense.tcp.urg | Urgent pointer data. | keyword | -| pfsense.tcp.window | Advertised TCP window size. | long | -| pfsense.udp.length | Length of the UDP header and payload. | long | -| process.name | Process name. Sometimes called program name or similar. | keyword | -| process.name.text | Multi-field of `process.name`. | match_only_text | -| process.pid | Process id. | long | -| process.program | Process from syslog header. | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| related.user | All the user names or other user identifiers seen on the event. | keyword | -| rule.id | A rule ID that is unique within the scope of an agent, observer, or other entity using the rule for detection of this event. | keyword | -| server.address | Some event server addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. 
Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| server.bytes | Bytes sent from the server to the client. | long | -| server.ip | IP address of the server (IPv4 or IPv6). | ip | -| server.mac | MAC address of the server. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | -| server.port | Port of the server. | long | -| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| source.as.organization.name | Organization name. | keyword | -| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text | -| source.bytes | Bytes sent from the source to the destination. | long | -| source.domain | The domain name of the source system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | -| source.geo.city_name | City name. | keyword | -| source.geo.continent_name | Name of the continent. | keyword | -| source.geo.country_iso_code | Country ISO code. | keyword | -| source.geo.country_name | Country name. | keyword | -| source.geo.location | Longitude and latitude. | geo_point | -| source.geo.name | User-defined description of a location, at the level of granularity they care about. 
Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword |
-| source.geo.region_iso_code | Region ISO code. | keyword |
-| source.geo.region_name | Region name. | keyword |
-| source.ip | IP address of the source (IPv4 or IPv6). | ip |
-| source.mac | MAC address of the source. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword |
-| source.nat.ip | Translated ip of source based NAT sessions (e.g. internal client to internet) Typically connections traversing load balancers, firewalls, or routers. | ip |
-| source.port | Port of the source. | long |
-| source.user.full_name | User's full name, if available. | keyword |
-| source.user.full_name.text | Multi-field of `source.user.full_name`. | match_only_text |
-| source.user.id | Unique identifier of the user. | keyword |
-| squid.hierarchy_status | The proxy hierarchy route; the route Content Gateway used to retrieve the object. | keyword |
-| squid.request_status | The cache result code; how the cache responded to the request: HIT, MISS, and so on. Cache result codes are described [here](https://www.websense.com/content/support/library/web/v773/wcg_help/cachrslt.aspx#596301). | keyword |
-| tags | List of keywords used to tag each event. | keyword |
-| tls.cipher | String indicating the cipher used during the current connection. | keyword |
-| tls.version | Numeric part of the version parsed from the original string. | keyword |
-| tls.version_protocol | Normalized lowercase protocol name parsed from original string. | keyword |
-| url.domain | Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name.
In this case, the IP address would go to the `domain` field. If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. | keyword |
-| url.extension | The field contains the file extension from the original request url, excluding the leading dot. The file extension is only set if it exists, as not every url has a file extension. The leading period must not be included. For example, the value must be "png", not ".png". Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword |
-| url.full | If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. | wildcard |
-| url.full.text | Multi-field of `url.full`. | match_only_text |
-| url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | wildcard |
-| url.original.text | Multi-field of `url.original`. | match_only_text |
-| url.password | Password of the request. | keyword |
-| url.path | Path of the request, such as "/search". | wildcard |
-| url.port | Port of the request, such as 443. | long |
-| url.query | The query field describes the query string of the request, such as "q=elasticsearch". The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. | keyword |
-| url.scheme | Scheme of the request, such as "https". Note: The `:` is not part of the scheme. | keyword |
-| url.username | Username of the request.
| keyword |
-| user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword |
-| user.email | User email address. | keyword |
-| user.full_name | User's full name, if available. | keyword |
-| user.full_name.text | Multi-field of `user.full_name`. | match_only_text |
-| user.id | Unique identifier of the user. | keyword |
-| user.name | Short name or login of the user. | keyword |
-| user.name.text | Multi-field of `user.name`. | match_only_text |
-| user_agent.device.name | Name of the device. | keyword |
-| user_agent.name | Name of the user agent. | keyword |
-| user_agent.original | Unparsed user_agent string. | keyword |
-| user_agent.original.text | Multi-field of `user_agent.original`. | match_only_text |
-| user_agent.os.full | Operating system name, including the version or code name. | keyword |
-| user_agent.os.full.text | Multi-field of `user_agent.os.full`. | match_only_text |
-| user_agent.os.name | Operating system name, without the version. | keyword |
-| user_agent.os.name.text | Multi-field of `user_agent.os.name`. | match_only_text |
-| user_agent.os.version | Operating system version as a raw string. | keyword |
-| user_agent.version | Version of the user agent. | keyword |
-
diff --git a/packages/pfsense/1.3.2/img/dhcp.png b/packages/pfsense/1.3.2/img/dhcp.png
deleted file mode 100755
index 3f73f8f3f4..0000000000
Binary files a/packages/pfsense/1.3.2/img/dhcp.png and /dev/null differ
diff --git a/packages/pfsense/1.3.2/img/firewall.png b/packages/pfsense/1.3.2/img/firewall.png
deleted file mode 100755
index c98b30b09d..0000000000
Binary files a/packages/pfsense/1.3.2/img/firewall.png and /dev/null differ
diff --git a/packages/pfsense/1.3.2/img/pfsense.svg b/packages/pfsense/1.3.2/img/pfsense.svg
deleted file mode 100755
index f63b99ab31..0000000000
--- a/packages/pfsense/1.3.2/img/pfsense.svg
+++ /dev/null
@@ -1,22 +0,0 @@ - - - - - - image/svg+xml - - pfSense Logo - - - - pfSense Logo - - - - - - - - - - diff --git a/packages/pfsense/1.3.2/img/unbound-1.png b/packages/pfsense/1.3.2/img/unbound-1.png deleted file mode 100755 index cc53e8aa49..0000000000 Binary files a/packages/pfsense/1.3.2/img/unbound-1.png and /dev/null differ diff --git a/packages/pfsense/1.3.2/img/unbound-2.png b/packages/pfsense/1.3.2/img/unbound-2.png deleted file mode 100755 index eaa51ee3df..0000000000 Binary files a/packages/pfsense/1.3.2/img/unbound-2.png and /dev/null differ diff --git a/packages/pfsense/1.3.2/img/unbound-3.png b/packages/pfsense/1.3.2/img/unbound-3.png deleted file mode 100755 index 838bfdc6bf..0000000000 Binary files a/packages/pfsense/1.3.2/img/unbound-3.png and /dev/null differ diff --git a/packages/pfsense/1.3.2/kibana/dashboard/pfsense-986061c0-3a9a-11eb-96b2-e765737b7534.json b/packages/pfsense/1.3.2/kibana/dashboard/pfsense-986061c0-3a9a-11eb-96b2-e765737b7534.json deleted file mode 100755 index 47067b4828..0000000000 --- a/packages/pfsense/1.3.2/kibana/dashboard/pfsense-986061c0-3a9a-11eb-96b2-e765737b7534.json +++ /dev/null 
@@ -1,62 +0,0 @@ -{ - "attributes": { - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":20,\"i\":\"73294aad-e475-4a63-97d1-fc214a83bb0a\",\"w\":34,\"x\":0,\"y\":0},\"panelIndex\":\"73294aad-e475-4a63-97d1-fc214a83bb0a\",\"panelRefName\":\"panel_73294aad-e475-4a63-97d1-fc214a83bb0a\",\"type\":\"visualization\",\"version\":\"7.15.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":6,\"i\":\"46725bb5-e239-4fa2-8dfd-4de947863354\",\"w\":14,\"x\":34,\"y\":0},\"panelIndex\":\"46725bb5-e239-4fa2-8dfd-4de947863354\",\"panelRefName\":\"panel_46725bb5-e239-4fa2-8dfd-4de947863354\",\"type\":\"visualization\",\"version\":\"7.15.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":14,\"i\":\"f39b1b4c-b444-4d25-a8c5-a78b6285025f\",\"w\":14,\"x\":34,\"y\":6},\"panelIndex\":\"f39b1b4c-b444-4d25-a8c5-a78b6285025f\",\"panelRefName\":\"panel_f39b1b4c-b444-4d25-a8c5-a78b6285025f\",\"type\":\"visualization\",\"version\":\"7.15.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":12,\"i\":\"a7662c6e-94d5-4062-85f4-0132897f3578\",\"w\":24,\"x\":0,\"y\":20},\"panelIndex\":\"a7662c6e-94d5-4062-85f4-0132897f3578\",\"panelRefName\":\"panel_a7662c6e-94d5-4062-85f4-0132897f3578\",\"type\":\"visualization\",\"version\":\"7.15.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":12,\"i\":\"763610d2-c8aa-4ab9-9a63-112e2471dcfc\",\"w\":24,\"x\":24,\"y\":20},\"panelIndex\":\"763610d2-c8aa-4ab9-9a63-112e2471dcfc\",\"panelRefName\":\"panel_763610d2-c8aa-4ab9-9a63-112e2471dcfc\",\"type\":\"visualization\",\"version\":\"7.15.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":14,\"i\":\"27569da9-7531-40cf-be93-8778738b68be\",
\"w\":48,\"x\":0,\"y\":32},\"panelIndex\":\"27569da9-7531-40cf-be93-8778738b68be\",\"panelRefName\":\"panel_27569da9-7531-40cf-be93-8778738b68be\",\"type\":\"visualization\",\"version\":\"7.15.0-SNAPSHOT\"},{\"embeddableConfig\":{\"columns\":[\"log.level\",\"client.ip\",\"dns.question.name\",\"dns.question.type\",\"dns.question.class\"],\"enhancements\":{}},\"gridData\":{\"h\":21,\"i\":\"7ea4ebda-9d0c-4885-9c37-71cd0665497f\",\"w\":30,\"x\":0,\"y\":46},\"panelIndex\":\"7ea4ebda-9d0c-4885-9c37-71cd0665497f\",\"panelRefName\":\"panel_7ea4ebda-9d0c-4885-9c37-71cd0665497f\",\"type\":\"search\",\"version\":\"7.15.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":null},\"gridData\":{\"h\":21,\"i\":\"6a32114d-577c-488b-b1e9-b7b4fc8941ae\",\"w\":18,\"x\":30,\"y\":46},\"panelIndex\":\"6a32114d-577c-488b-b1e9-b7b4fc8941ae\",\"panelRefName\":\"panel_6a32114d-577c-488b-b1e9-b7b4fc8941ae\",\"type\":\"visualization\",\"version\":\"7.15.0-SNAPSHOT\"}]", - "timeRestore": false, - "title": "Unbound - Dashboard [pfSense]", - "version": 1 - }, - "coreMigrationVersion": "7.15.0", - "id": "pfsense-986061c0-3a9a-11eb-96b2-e765737b7534", - "migrationVersion": { - "dashboard": "7.14.0" - }, - "references": [ - { - "id": "pfsense-e895c9b0-3a99-11eb-96b2-e765737b7534", - "name": "73294aad-e475-4a63-97d1-fc214a83bb0a:panel_73294aad-e475-4a63-97d1-fc214a83bb0a", - "type": "visualization" - }, - { - "id": "pfsense-3c2082f0-6fa6-11eb-bc1e-ffcd90393e56", - "name": "46725bb5-e239-4fa2-8dfd-4de947863354:panel_46725bb5-e239-4fa2-8dfd-4de947863354", - "type": "visualization" - }, - { - "id": "pfsense-2fed9a00-3a99-11eb-96b2-e765737b7534", - "name": "f39b1b4c-b444-4d25-a8c5-a78b6285025f:panel_f39b1b4c-b444-4d25-a8c5-a78b6285025f", - "type": "visualization" - }, - { - "id": "pfsense-77eaf920-3a98-11eb-96b2-e765737b7534", - "name": "a7662c6e-94d5-4062-85f4-0132897f3578:panel_a7662c6e-94d5-4062-85f4-0132897f3578", - "type": "visualization" - }, - { - "id": 
"pfsense-98775710-3a98-11eb-96b2-e765737b7534", - "name": "763610d2-c8aa-4ab9-9a63-112e2471dcfc:panel_763610d2-c8aa-4ab9-9a63-112e2471dcfc", - "type": "visualization" - }, - { - "id": "pfsense-5b553450-3a99-11eb-96b2-e765737b7534", - "name": "27569da9-7531-40cf-be93-8778738b68be:panel_27569da9-7531-40cf-be93-8778738b68be", - "type": "visualization" - }, - { - "id": "pfsense-f9ed8947-6d26-4497-905f-57d08ee304f4", - "name": "7ea4ebda-9d0c-4885-9c37-71cd0665497f:panel_7ea4ebda-9d0c-4885-9c37-71cd0665497f", - "type": "search" - }, - { - "id": "pfsense-f554afa0-3a98-11eb-96b2-e765737b7534", - "name": "6a32114d-577c-488b-b1e9-b7b4fc8941ae:panel_6a32114d-577c-488b-b1e9-b7b4fc8941ae", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/pfsense/1.3.2/kibana/dashboard/pfsense-bdb33ee0-3a8e-11eb-96b2-e765737b7534.json b/packages/pfsense/1.3.2/kibana/dashboard/pfsense-bdb33ee0-3a8e-11eb-96b2-e765737b7534.json deleted file mode 100755 index 7bb13ddc75..0000000000 --- a/packages/pfsense/1.3.2/kibana/dashboard/pfsense-bdb33ee0-3a8e-11eb-96b2-e765737b7534.json +++ /dev/null 
@@ -1,82 +0,0 @@ -{ - "attributes": { - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":7,\"i\":\"e0fb8e49-4af8-4958-9d55-8db1ed6cad2b\",\"w\":16,\"x\":0,\"y\":7},\"panelIndex\":\"e0fb8e49-4af8-4958-9d55-8db1ed6cad2b\",\"panelRefName\":\"panel_0\",\"version\":\"7.11.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":14,\"i\":\"82ed451e-8ee1-41a5-9aea-ffbd723c86cc\",\"w\":17,\"x\":16,\"y\":0},\"panelIndex\":\"82ed451e-8ee1-41a5-9aea-ffbd723c86cc\",\"panelRefName\":\"panel_1\",\"version\":\"7.11.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":7,\"i\":\"d2c26a96-ad50-4155-a67e-b6559246c302\",\"w\":15,\"x\":33,\"y\":0},\"panelIndex\":\"d2c26a96-ad50-4155-a67e-b6559246c302\",\"panelRefName\":\"panel_2\",\"version\":\"7.11.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":7,\"i\":\"9db410fe-e1b3-46d1-9e9b-828f3cec05dd\",\"w\":16,\"x\":0,\"y\":0},\"panelIndex\":\"9db410fe-e1b3-46d1-9e9b-828f3cec05dd\",\"panelRefName\":\"panel_3\",\"version\":\"7.11.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":7,\"i\":\"20a6aca9-2a7c-4b4a-8bd4-f2e9ae5d6249\",\"w\":15,\"x\":33,\"y\":7},\"panelIndex\":\"20a6aca9-2a7c-4b4a-8bd4-f2e9ae5d6249\",\"panelRefName\":\"panel_4\",\"version\":\"7.11.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":14,\"i\":\"c2fbea99-8684-446a-a570-48bcbb9f1c39\",\"w\":33,\"x\":0,\"y\":14},\"panelIndex\":\"c2fbea99-8684-446a-a570-48bcbb9f1c39\",\"panelRefName\":\"panel_5\",\"version\":\"7.11.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":14,\"i\":\"f4ceeef3-255f-4a1d-85f3-0635aa6a0772\",\"w\":15,\"x\":33,\"y\":14},\"panelIndex\":\"f4ceeef3-255f-4a1d-85f3-0635aa6a0772\",\"panelRefName\":\"panel_6
\",\"version\":\"7.11.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"a49d8775-3fc1-4b7b-8e8b-26c9e8705b6a\",\"w\":33,\"x\":0,\"y\":28},\"panelIndex\":\"a49d8775-3fc1-4b7b-8e8b-26c9e8705b6a\",\"panelRefName\":\"panel_7\",\"version\":\"7.11.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"60b4467b-8227-41de-b5ec-00c860793819\",\"w\":15,\"x\":33,\"y\":28},\"panelIndex\":\"60b4467b-8227-41de-b5ec-00c860793819\",\"panelRefName\":\"panel_8\",\"version\":\"7.11.0\"},{\"embeddableConfig\":{\"columns\":[\"observer.name\",\"observer.ingress.vlan.id\",\"source.ip\",\"source.port\",\"destination.ip\",\"destination.port\",\"rule.id\",\"event.action\"],\"enhancements\":{}},\"gridData\":{\"h\":13,\"i\":\"290350f0-e295-4441-8228-2f7c74fc8a0c\",\"w\":48,\"x\":0,\"y\":43},\"panelIndex\":\"290350f0-e295-4441-8228-2f7c74fc8a0c\",\"panelRefName\":\"panel_9\",\"version\":\"7.11.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":null},\"gridData\":{\"h\":21,\"i\":\"b5d79638-384f-411b-a5c9-0d5aea67c08f\",\"w\":24,\"x\":0,\"y\":56},\"panelIndex\":\"b5d79638-384f-411b-a5c9-0d5aea67c08f\",\"panelRefName\":\"panel_10\",\"version\":\"7.11.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":null},\"gridData\":{\"h\":21,\"i\":\"20537b1f-8d42-4522-8f9e-8e6fbccca58a\",\"w\":24,\"x\":24,\"y\":56},\"panelIndex\":\"20537b1f-8d42-4522-8f9e-8e6fbccca58a\",\"panelRefName\":\"panel_11\",\"version\":\"7.11.0\"}]", - "timeRestore": false, - "title": "Firewall - Dashboard [pfSense]", - "version": 1 - }, - "coreMigrationVersion": "7.15.0", - "id": "pfsense-bdb33ee0-3a8e-11eb-96b2-e765737b7534", - "migrationVersion": { - "dashboard": "7.14.0" - }, - "references": [ - { - "id": "pfsense-88b2daa0-3a8b-11eb-96b2-e765737b7534", - "name": "panel_0", - "type": "visualization" - }, - { - "id": "pfsense-274304d0-3a8f-11eb-96b2-e765737b7534", - "name": "panel_1", - "type": "lens" - }, - { - "id": "pfsense-12e2d4a0-3a8c-11eb-96b2-e765737b7534", - 
"name": "panel_2", - "type": "visualization" - }, - { - "id": "pfsense-3c2082f0-6fa6-11eb-bc1e-ffcd90393e56", - "name": "panel_3", - "type": "visualization" - }, - { - "id": "pfsense-46e88c90-3a8c-11eb-96b2-e765737b7534", - "name": "panel_4", - "type": "visualization" - }, - { - "id": "pfsense-b3edd4c0-3a8d-11eb-96b2-e765737b7534", - "name": "panel_5", - "type": "lens" - }, - { - "id": "pfsense-eadb2e30-3a8b-11eb-96b2-e765737b7534", - "name": "panel_6", - "type": "visualization" - }, - { - "id": "pfsense-c8a34db0-3a8c-11eb-96b2-e765737b7534", - "name": "panel_7", - "type": "visualization" - }, - { - "id": "pfsense-feb1a6e0-3a8c-11eb-96b2-e765737b7534", - "name": "panel_8", - "type": "visualization" - }, - { - "id": "pfsense-22edf800-3a8e-11eb-96b2-e765737b7534", - "name": "panel_9", - "type": "search" - }, - { - "id": "pfsense-b1545340-3a8f-11eb-96b2-e765737b7534", - "name": "panel_10", - "type": "visualization" - }, - { - "id": "pfsense-dc86acc0-3a8f-11eb-96b2-e765737b7534", - "name": "panel_11", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/pfsense/1.3.2/kibana/dashboard/pfsense-c8b42350-3a9c-11eb-96b2-e765737b7534.json b/packages/pfsense/1.3.2/kibana/dashboard/pfsense-c8b42350-3a9c-11eb-96b2-e765737b7534.json deleted file mode 100755 index 133ffa4a16..0000000000 --- a/packages/pfsense/1.3.2/kibana/dashboard/pfsense-c8b42350-3a9c-11eb-96b2-e765737b7534.json +++ /dev/null 
@@ -1,67 +0,0 @@ -{ - "attributes": { - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":22,\"i\":\"2b46d706-0288-4541-8880-ccb2efeeee92\",\"w\":35,\"x\":0,\"y\":0},\"panelIndex\":\"2b46d706-0288-4541-8880-ccb2efeeee92\",\"panelRefName\":\"panel_2b46d706-0288-4541-8880-ccb2efeeee92\",\"type\":\"visualization\",\"version\":\"7.10.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":7,\"i\":\"6018121a-9303-4c73-9c96-d23362cdc74d\",\"w\":13,\"x\":35,\"y\":0},\"panelIndex\":\"6018121a-9303-4c73-9c96-d23362cdc74d\",\"panelRefName\":\"panel_6018121a-9303-4c73-9c96-d23362cdc74d\",\"type\":\"visualization\",\"version\":\"7.10.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":7,\"i\":\"b7f79d47-95a2-4bfd-8f8f-4d6dc56ac082\",\"w\":13,\"x\":35,\"y\":7},\"panelIndex\":\"b7f79d47-95a2-4bfd-8f8f-4d6dc56ac082\",\"panelRefName\":\"panel_b7f79d47-95a2-4bfd-8f8f-4d6dc56ac082\",\"type\":\"visualization\",\"version\":\"7.10.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"d9f98967-4e91-4eef-9a43-9caaeeebe6f8\",\"w\":13,\"x\":35,\"y\":14},\"panelIndex\":\"d9f98967-4e91-4eef-9a43-9caaeeebe6f8\",\"panelRefName\":\"panel_d9f98967-4e91-4eef-9a43-9caaeeebe6f8\",\"type\":\"visualization\",\"version\":\"7.10.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":14,\"i\":\"20e8c75c-3e93-42ab-b5c5-6ad814b64151\",\"w\":32,\"x\":0,\"y\":22},\"panelIndex\":\"20e8c75c-3e93-42ab-b5c5-6ad814b64151\",\"panelRefName\":\"panel_20e8c75c-3e93-42ab-b5c5-6ad814b64151\",\"type\":\"visualization\",\"version\":\"7.10.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":14,\"i\":\"5b500115-4722-432b-8d67-38b1a948c1d5\",\"w\":16,\"x\":32,\"y\":22},\"panelIndex\":\"5b
500115-4722-432b-8d67-38b1a948c1d5\",\"panelRefName\":\"panel_5b500115-4722-432b-8d67-38b1a948c1d5\",\"type\":\"visualization\",\"version\":\"7.10.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":14,\"i\":\"aa85065f-1b07-468c-b264-1231b59be97b\",\"w\":16,\"x\":0,\"y\":36},\"panelIndex\":\"aa85065f-1b07-468c-b264-1231b59be97b\",\"panelRefName\":\"panel_aa85065f-1b07-468c-b264-1231b59be97b\",\"type\":\"visualization\",\"version\":\"7.10.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":14,\"i\":\"22ea957e-7ba8-4ce0-b5d5-ccd92cb4deb5\",\"w\":32,\"x\":16,\"y\":36},\"panelIndex\":\"22ea957e-7ba8-4ce0-b5d5-ccd92cb4deb5\",\"panelRefName\":\"panel_22ea957e-7ba8-4ce0-b5d5-ccd92cb4deb5\",\"type\":\"visualization\",\"version\":\"7.10.0\"},{\"embeddableConfig\":{\"columns\":[\"observer.name\",\"observer.ingress.interface.name\",\"event.action\",\"client.ip\",\"client.mac\",\"pfsense.dhcp.hostname\"],\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"73ea92c6-7373-4121-a255-1ed2e43010c1\",\"w\":48,\"x\":0,\"y\":50},\"panelIndex\":\"73ea92c6-7373-4121-a255-1ed2e43010c1\",\"panelRefName\":\"panel_73ea92c6-7373-4121-a255-1ed2e43010c1\",\"type\":\"search\",\"version\":\"7.10.0\"}]", - "timeRestore": false, - "title": "DHCP - Dashboard [pfSense]", - "version": 1 - }, - "coreMigrationVersion": "7.15.0", - "id": "pfsense-c8b42350-3a9c-11eb-96b2-e765737b7534", - "migrationVersion": { - "dashboard": "7.14.0" - }, - "references": [ - { - "id": "pfsense-bf8b2040-3a9b-11eb-96b2-e765737b7534", - "name": "2b46d706-0288-4541-8880-ccb2efeeee92:panel_2b46d706-0288-4541-8880-ccb2efeeee92", - "type": "visualization" - }, - { - "id": "pfsense-12e2d4a0-3a8c-11eb-96b2-e765737b7534", - "name": "6018121a-9303-4c73-9c96-d23362cdc74d:panel_6018121a-9303-4c73-9c96-d23362cdc74d", - "type": "visualization" - }, - { - "id": "pfsense-3c2082f0-6fa6-11eb-bc1e-ffcd90393e56", - "name": "b7f79d47-95a2-4bfd-8f8f-4d6dc56ac082:panel_b7f79d47-95a2-4bfd-8f8f-4d6dc56ac082", - 
"type": "visualization" - }, - { - "id": "pfsense-6f94bd20-3a9c-11eb-96b2-e765737b7534", - "name": "d9f98967-4e91-4eef-9a43-9caaeeebe6f8:panel_d9f98967-4e91-4eef-9a43-9caaeeebe6f8", - "type": "visualization" - }, - { - "id": "pfsense-457371f0-3afe-11eb-96b2-e765737b7534", - "name": "20e8c75c-3e93-42ab-b5c5-6ad814b64151:panel_20e8c75c-3e93-42ab-b5c5-6ad814b64151", - "type": "visualization" - }, - { - "id": "pfsense-dffb6ab0-3a9b-11eb-96b2-e765737b7534", - "name": "5b500115-4722-432b-8d67-38b1a948c1d5:panel_5b500115-4722-432b-8d67-38b1a948c1d5", - "type": "visualization" - }, - { - "id": "pfsense-9990cd00-3afe-11eb-96b2-e765737b7534", - "name": "aa85065f-1b07-468c-b264-1231b59be97b:panel_aa85065f-1b07-468c-b264-1231b59be97b", - "type": "visualization" - }, - { - "id": "pfsense-072449e0-3a9c-11eb-96b2-e765737b7534", - "name": "22ea957e-7ba8-4ce0-b5d5-ccd92cb4deb5:panel_22ea957e-7ba8-4ce0-b5d5-ccd92cb4deb5", - "type": "visualization" - }, - { - "id": "pfsense-ec91cf20-3a9c-11eb-96b2-e765737b7534", - "name": "73ea92c6-7373-4121-a255-1ed2e43010c1:panel_73ea92c6-7373-4121-a255-1ed2e43010c1", - "type": "search" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/pfsense/1.3.2/kibana/lens/pfsense-274304d0-3a8f-11eb-96b2-e765737b7534.json b/packages/pfsense/1.3.2/kibana/lens/pfsense-274304d0-3a8f-11eb-96b2-e765737b7534.json deleted file mode 100755 index 0e6f2067c4..0000000000 --- a/packages/pfsense/1.3.2/kibana/lens/pfsense-274304d0-3a8f-11eb-96b2-e765737b7534.json +++ /dev/null 
@@ -1,87 +0,0 @@ -{ - "attributes": { - "description": "Treemap depicting the top 10 countries by destination ", - "state": { - "datasourceStates": { - "indexpattern": { - "layers": { - "d77ab0e4-c2c2-4fb4-bd98-63c13ade7778": { - "columnOrder": [ - "9d13ff42-0a6d-4cb4-bff4-bbd64836de35", - "57fc4315-85f4-4449-a8bd-308ec2e81e68" - ], - "columns": { - "57fc4315-85f4-4449-a8bd-308ec2e81e68": { - "dataType": "number", - "isBucketed": false, - "label": "Count of records", - "operationType": "count", - "scale": "ratio", - "sourceField": "Records" - }, - "9d13ff42-0a6d-4cb4-bff4-bbd64836de35": { - "dataType": "string", - "isBucketed": true, - "label": "Top values of destination.geo.country_name", - "operationType": "terms", - "params": { - "orderBy": { - "columnId": "57fc4315-85f4-4449-a8bd-308ec2e81e68", - "type": "column" - }, - "orderDirection": "desc", - "size": 5 - }, - "scale": "ordinal", - "sourceField": "destination.geo.country_name" - } - } - } - } - } - }, - "filters": [], - "query": { - "language": "kuery", - "query": "" - }, - "visualization": { - "layers": [ - { - "categoryDisplay": "default", - "groups": [ - "9d13ff42-0a6d-4cb4-bff4-bbd64836de35" - ], - "layerId": "d77ab0e4-c2c2-4fb4-bd98-63c13ade7778", - "legendDisplay": "default", - "metric": "57fc4315-85f4-4449-a8bd-308ec2e81e68", - "nestedLegend": false, - "numberDisplay": "percent", - "percentDecimals": 0 - } - ], - "shape": "treemap" - } - }, - "title": "Firewall - Top Destination Countries/Treemap (Lens) [pfSense]", - "visualizationType": "lnsPie" - }, - "coreMigrationVersion": "7.15.0", - "id": "pfsense-274304d0-3a8f-11eb-96b2-e765737b7534", - "migrationVersion": { - "lens": "7.14.0" - }, - "references": [ - { - "id": "logs-*", - "name": "indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "indexpattern-datasource-layer-d77ab0e4-c2c2-4fb4-bd98-63c13ade7778", - "type": "index-pattern" - } - ], - "type": "lens" -} \ No newline at end of file 
diff --git a/packages/pfsense/1.3.2/kibana/lens/pfsense-b3edd4c0-3a8d-11eb-96b2-e765737b7534.json b/packages/pfsense/1.3.2/kibana/lens/pfsense-b3edd4c0-3a8d-11eb-96b2-e765737b7534.json
deleted file mode 100755
index 02f2a08f36..0000000000
--- a/packages/pfsense/1.3.2/kibana/lens/pfsense-b3edd4c0-3a8d-11eb-96b2-e765737b7534.json
+++ /dev/null
@@ -1,118 +0,0 @@ -{ - "attributes": { - "description": "Events over time line chart utilizing the LENS virtualization", - "state": { - "datasourceStates": { - "indexpattern": { - "layers": { - "25e5682a-0461-46dc-aa0a-7ad4cec0eade": { - "columnOrder": [ - "f718697e-acee-4bfd-99f4-3406e224ed7f", - "440112fe-405a-4b46-840e-2b9772961acc", - "31549313-ebc1-427a-9913-3f6f78594221" - ], - "columns": { - "31549313-ebc1-427a-9913-3f6f78594221": { - "dataType": "number", - "isBucketed": false, - "label": "Count of records", - "operationType": "count", - "scale": "ratio", - "sourceField": "Records" - }, - "440112fe-405a-4b46-840e-2b9772961acc": { - "dataType": "date", - "isBucketed": true, - "label": "@timestamp", - "operationType": "date_histogram", - "params": { - "interval": "auto" - }, - "scale": "interval", - "sourceField": "@timestamp" - }, - "f718697e-acee-4bfd-99f4-3406e224ed7f": { - "dataType": "string", - "isBucketed": true, - "label": "Top values of event.action", - "operationType": "terms", - "params": { - "orderBy": { - "columnId": "31549313-ebc1-427a-9913-3f6f78594221", - "type": "column" - }, - "orderDirection": "desc", - "size": 5 - }, - "scale": "ordinal", - "sourceField": "event.action" - } - } - } - } - } - }, - "filters": [], - "query": { - "language": "kuery", - "query": "" - }, - "visualization": { - "axisTitlesVisibilitySettings": { - "x": true, - "yLeft": true, - "yRight": true - }, - "fittingFunction": "None", - "gridlinesVisibilitySettings": { - "x": true, - "yLeft": true, - "yRight": true - }, - "layers": [ - { - "accessors": [ - "31549313-ebc1-427a-9913-3f6f78594221" - ], - "layerId": "25e5682a-0461-46dc-aa0a-7ad4cec0eade", - "position": "top", - "seriesType": "line", - "showGridlines": false, - "splitAccessor": "f718697e-acee-4bfd-99f4-3406e224ed7f", - "xAccessor": "440112fe-405a-4b46-840e-2b9772961acc" - } - ], - "legend": { - "isVisible": true, - "position": "right" - }, - "preferredSeriesType": "line", - "tickLabelsVisibilitySettings": { - 
"x": true, - "yLeft": true, - "yRight": true - } - } - }, - "title": "Firewall - Events/Time (Lens) [pfSense]", - "visualizationType": "lnsXY" - }, - "coreMigrationVersion": "7.15.0", - "id": "pfsense-b3edd4c0-3a8d-11eb-96b2-e765737b7534", - "migrationVersion": { - "lens": "7.14.0" - }, - "references": [ - { - "id": "logs-*", - "name": "indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "indexpattern-datasource-layer-25e5682a-0461-46dc-aa0a-7ad4cec0eade", - "type": "index-pattern" - } - ], - "type": "lens" -} \ No newline at end of file diff --git a/packages/pfsense/1.3.2/kibana/search/pfsense-22edf800-3a8e-11eb-96b2-e765737b7534.json b/packages/pfsense/1.3.2/kibana/search/pfsense-22edf800-3a8e-11eb-96b2-e765737b7534.json deleted file mode 100755 index a455496aa4..0000000000 --- a/packages/pfsense/1.3.2/kibana/search/pfsense-22edf800-3a8e-11eb-96b2-e765737b7534.json +++ /dev/null 
@@ -1,36 +0,0 @@ -{ - "attributes": { - "columns": [], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"pfsense.log\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"pfsense.log\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"event.provider\",\"negate\":false,\"params\":{\"query\":\"filterlog\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"event.provider\":\"filterlog\"}}}],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}" - }, - "sort": [], - "title": "Firewall - Discover [pfSense]", - "version": 1 - }, - "coreMigrationVersion": "7.15.0", - "id": "pfsense-22edf800-3a8e-11eb-96b2-e765737b7534", - "migrationVersion": { - "search": "7.9.3" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/pfsense/1.3.2/kibana/search/pfsense-ec91cf20-3a9c-11eb-96b2-e765737b7534.json b/packages/pfsense/1.3.2/kibana/search/pfsense-ec91cf20-3a9c-11eb-96b2-e765737b7534.json deleted file mode 100755 index 2476202065..0000000000 --- a/packages/pfsense/1.3.2/kibana/search/pfsense-ec91cf20-3a9c-11eb-96b2-e765737b7534.json +++ /dev/null 
@@ -1,36 +0,0 @@ -{ - "attributes": { - "columns": [], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"pfsense.log\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"pfsense.log\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"event.provider\",\"negate\":false,\"params\":{\"query\":\"dhcpd\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"event.provider\":\"dhcpd\"}}}],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}" - }, - "sort": [], - "title": "DHCP - Discover [pfSense]", - "version": 1 - }, - "coreMigrationVersion": "7.15.0", - "id": "pfsense-ec91cf20-3a9c-11eb-96b2-e765737b7534", - "migrationVersion": { - "search": "7.9.3" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/pfsense/1.3.2/kibana/search/pfsense-f9ed8947-6d26-4497-905f-57d08ee304f4.json b/packages/pfsense/1.3.2/kibana/search/pfsense-f9ed8947-6d26-4497-905f-57d08ee304f4.json deleted file mode 100755 index 133d3caa85..0000000000 --- a/packages/pfsense/1.3.2/kibana/search/pfsense-f9ed8947-6d26-4497-905f-57d08ee304f4.json +++ /dev/null 
@@ -1,36 +0,0 @@ -{ - "attributes": { - "columns": [], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"pfsense.log\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"pfsense.log\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"event.provider\",\"negate\":false,\"params\":{\"query\":\"unbound\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"event.provider\":\"unbound\"}}}],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}" - }, - "sort": [], - "title": "Unbound - Discover [pfSense]", - "version": 1 - }, - "coreMigrationVersion": "7.15.0", - "id": "pfsense-f9ed8947-6d26-4497-905f-57d08ee304f4", - "migrationVersion": { - "search": "7.9.3" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/pfsense/1.3.2/kibana/visualization/pfsense-072449e0-3a9c-11eb-96b2-e765737b7534.json b/packages/pfsense/1.3.2/kibana/visualization/pfsense-072449e0-3a9c-11eb-96b2-e765737b7534.json deleted file mode 100755 index e672a59a66..0000000000 
--- a/packages/pfsense/1.3.2/kibana/visualization/pfsense-072449e0-3a9c-11eb-96b2-e765737b7534.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "DHCP - Client IP/Time [pfSense]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"scaleMetricValues\":false,\"timeRange\":{\"from\":\"now-7h\",\"to\":\"now\"},\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"client.ip\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"isVislibVis\":true,\"labels\":{\"show\":false},\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"mode\":\"stacked\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAx
is-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"DHCP - Client IP/Time\",\"type\":\"histogram\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "pfsense-072449e0-3a9c-11eb-96b2-e765737b7534", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "pfsense-ec91cf20-3a9c-11eb-96b2-e765737b7534", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/pfsense/1.3.2/kibana/visualization/pfsense-12e2d4a0-3a8c-11eb-96b2-e765737b7534.json b/packages/pfsense/1.3.2/kibana/visualization/pfsense-12e2d4a0-3a8c-11eb-96b2-e765737b7534.json deleted file mode 100755 index 75f6a89eae..0000000000 --- a/packages/pfsense/1.3.2/kibana/visualization/pfsense-12e2d4a0-3a8c-11eb-96b2-e765737b7534.json +++ /dev/null 
@@ -1,30 +0,0 @@ -{ - "attributes": { - "description": "Select by interface alias", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"pfsense.log\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"pfsense.log\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Interface Selector [pfSense]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"controls\":[{\"fieldName\":\"observer.ingress.interface.name\",\"id\":\"1607565832669\",\"indexPatternRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"label\":\"Interface Selector\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"}],\"pinFilters\":false,\"updateFiltersOnChange\":false,\"useTimeFilter\":false},\"title\":\"Interface Selector\",\"type\":\"input_control_vis\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "pfsense-12e2d4a0-3a8c-11eb-96b2-e765737b7534", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/pfsense/1.3.2/kibana/visualization/pfsense-2fed9a00-3a99-11eb-96b2-e765737b7534.json b/packages/pfsense/1.3.2/kibana/visualization/pfsense-2fed9a00-3a99-11eb-96b2-e765737b7534.json deleted file mode 100755 index a3ebaa5ea7..0000000000 --- a/packages/pfsense/1.3.2/kibana/visualization/pfsense-2fed9a00-3a99-11eb-96b2-e765737b7534.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "Unbound dns question types", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Unbound - Question Types [pfSense]", - "uiStateJSON": "{\"vis\":{\"legendOpen\":true}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"dns.question.type\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"labels\":{\"last_level\":true,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"top\",\"nestedLegend\":false,\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"type\":\"pie\"},\"title\":\"Unbound - Question Types [pfSense]\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "pfsense-2fed9a00-3a99-11eb-96b2-e765737b7534", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "pfsense-f9ed8947-6d26-4497-905f-57d08ee304f4", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/pfsense/1.3.2/kibana/visualization/pfsense-3c2082f0-6fa6-11eb-bc1e-ffcd90393e56.json b/packages/pfsense/1.3.2/kibana/visualization/pfsense-3c2082f0-6fa6-11eb-bc1e-ffcd90393e56.json deleted file mode 100755 index 7f73b1e962..0000000000 --- a/packages/pfsense/1.3.2/kibana/visualization/pfsense-3c2082f0-6fa6-11eb-bc1e-ffcd90393e56.json +++ /dev/null 
@@ -1,30 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"pfsense.log\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"pfsense.log\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Firewall Selector [pfSense]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"controls\":[{\"fieldName\":\"observer.name\",\"id\":\"1613404486264\",\"indexPatternRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"label\":\"Firewall Selector\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"}],\"pinFilters\":false,\"updateFiltersOnChange\":false,\"useTimeFilter\":false},\"title\":\"Firewall Selector\",\"type\":\"input_control_vis\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "pfsense-3c2082f0-6fa6-11eb-bc1e-ffcd90393e56", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/pfsense/1.3.2/kibana/visualization/pfsense-457371f0-3afe-11eb-96b2-e765737b7534.json b/packages/pfsense/1.3.2/kibana/visualization/pfsense-457371f0-3afe-11eb-96b2-e765737b7534.json deleted file mode 100755 index bfc06cc851..0000000000 --- a/packages/pfsense/1.3.2/kibana/visualization/pfsense-457371f0-3afe-11eb-96b2-e765737b7534.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "DHCP - Operation/Time [pfSense]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"scaleMetricValues\":false,\"timeRange\":{\"from\":\"now-12h\",\"to\":\"now\"},\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"event.action\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"isVislibVis\":true,\"labels\":{\"show\":false},\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"mode\":\"stacked\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"Lef
tAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"DHCP - Operation/Time\",\"type\":\"histogram\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "pfsense-457371f0-3afe-11eb-96b2-e765737b7534", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "pfsense-ec91cf20-3a9c-11eb-96b2-e765737b7534", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/pfsense/1.3.2/kibana/visualization/pfsense-46e88c90-3a8c-11eb-96b2-e765737b7534.json b/packages/pfsense/1.3.2/kibana/visualization/pfsense-46e88c90-3a8c-11eb-96b2-e765737b7534.json deleted file mode 100755 index 985d72a2e0..0000000000 --- a/packages/pfsense/1.3.2/kibana/visualization/pfsense-46e88c90-3a8c-11eb-96b2-e765737b7534.json +++ /dev/null 
@@ -1,30 +0,0 @@ -{ - "attributes": { - "description": "Select by network transport type", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"pfsense.log\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"pfsense.log\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Network Transport Type [pfSense]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"controls\":[{\"fieldName\":\"network.transport\",\"id\":\"1607565832669\",\"indexPatternRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"label\":\"Network Transport Type\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"}],\"pinFilters\":false,\"updateFiltersOnChange\":false,\"useTimeFilter\":false},\"title\":\"Network Transport Type\",\"type\":\"input_control_vis\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "pfsense-46e88c90-3a8c-11eb-96b2-e765737b7534", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/pfsense/1.3.2/kibana/visualization/pfsense-5b553450-3a99-11eb-96b2-e765737b7534.json b/packages/pfsense/1.3.2/kibana/visualization/pfsense-5b553450-3a99-11eb-96b2-e765737b7534.json deleted file mode 100755 index cee6c25e13..0000000000 
--- a/packages/pfsense/1.3.2/kibana/visualization/pfsense-5b553450-3a99-11eb-96b2-e765737b7534.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "Unbound client IP over time", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Unbound - Client IP/Time [pfSense]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"scaleMetricValues\":false,\"timeRange\":{\"from\":\"now-7h\",\"to\":\"now\"},\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"client.ip\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"isVislibVis\":true,\"labels\":{\"show\":false},\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"mode\":\"stacked\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"tru
ncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"Unbound - Client IP/Time\",\"type\":\"histogram\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "pfsense-5b553450-3a99-11eb-96b2-e765737b7534", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "pfsense-f9ed8947-6d26-4497-905f-57d08ee304f4", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/pfsense/1.3.2/kibana/visualization/pfsense-6f94bd20-3a9c-11eb-96b2-e765737b7534.json b/packages/pfsense/1.3.2/kibana/visualization/pfsense-6f94bd20-3a9c-11eb-96b2-e765737b7534.json deleted file mode 100755 index 44a1d15c5a..0000000000 --- a/packages/pfsense/1.3.2/kibana/visualization/pfsense-6f94bd20-3a9c-11eb-96b2-e765737b7534.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "DHCP - Interface [pfSense]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"observer.ingress.interface.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"labels\":{\"last_level\":true,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"type\":\"pie\"},\"title\":\"DHCP - Interface\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "pfsense-6f94bd20-3a9c-11eb-96b2-e765737b7534", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "pfsense-ec91cf20-3a9c-11eb-96b2-e765737b7534", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/pfsense/1.3.2/kibana/visualization/pfsense-77eaf920-3a98-11eb-96b2-e765737b7534.json b/packages/pfsense/1.3.2/kibana/visualization/pfsense-77eaf920-3a98-11eb-96b2-e765737b7534.json deleted file mode 100755 index e4a8a861bc..0000000000 --- a/packages/pfsense/1.3.2/kibana/visualization/pfsense-77eaf920-3a98-11eb-96b2-e765737b7534.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "Top 10 client IP unbound events", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Unbound - Top Client IPs [pfSense]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"client.ip\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"maxFontSize\":72,\"minFontSize\":18,\"orientation\":\"single\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"linear\",\"showLabel\":true},\"title\":\"Unbound - Top Client IPs\",\"type\":\"tagcloud\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "pfsense-77eaf920-3a98-11eb-96b2-e765737b7534", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "pfsense-f9ed8947-6d26-4497-905f-57d08ee304f4", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/pfsense/1.3.2/kibana/visualization/pfsense-88b2daa0-3a8b-11eb-96b2-e765737b7534.json b/packages/pfsense/1.3.2/kibana/visualization/pfsense-88b2daa0-3a8b-11eb-96b2-e765737b7534.json deleted file mode 100755 index b3c6b75a69..0000000000 --- a/packages/pfsense/1.3.2/kibana/visualization/pfsense-88b2daa0-3a8b-11eb-96b2-e765737b7534.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "Displays quantity of events based on action type", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Firewall - Event Action [pfSense]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Firewall - Event Action\",\"field\":\"event.action\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"metric\":{\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"None\",\"percentageMode\":false,\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":60,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"Firewall - Event Action\",\"type\":\"metric\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "pfsense-88b2daa0-3a8b-11eb-96b2-e765737b7534", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "pfsense-22edf800-3a8e-11eb-96b2-e765737b7534", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/pfsense/1.3.2/kibana/visualization/pfsense-98775710-3a98-11eb-96b2-e765737b7534.json b/packages/pfsense/1.3.2/kibana/visualization/pfsense-98775710-3a98-11eb-96b2-e765737b7534.json deleted file mode 100755 index 0e0841e17f..0000000000 --- a/packages/pfsense/1.3.2/kibana/visualization/pfsense-98775710-3a98-11eb-96b2-e765737b7534.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "Top 10 domain name question/queries", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Unbound - Top Queries [pfSense]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"dns.question.registered_domain\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"maxFontSize\":72,\"minFontSize\":18,\"orientation\":\"single\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"linear\",\"showLabel\":true},\"title\":\"Unbound - Top Queried Domains \",\"type\":\"tagcloud\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "pfsense-98775710-3a98-11eb-96b2-e765737b7534", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "pfsense-f9ed8947-6d26-4497-905f-57d08ee304f4", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/pfsense/1.3.2/kibana/visualization/pfsense-9990cd00-3afe-11eb-96b2-e765737b7534.json b/packages/pfsense/1.3.2/kibana/visualization/pfsense-9990cd00-3afe-11eb-96b2-e765737b7534.json deleted file mode 100755 index ed42e0ac5c..0000000000 --- a/packages/pfsense/1.3.2/kibana/visualization/pfsense-9990cd00-3afe-11eb-96b2-e765737b7534.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "DHCP - Client IP [pfSense]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"client.ip\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":15},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"labels\":{\"last_level\":true,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"type\":\"pie\"},\"title\":\"DHCP - Client IP\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "pfsense-9990cd00-3afe-11eb-96b2-e765737b7534", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "pfsense-ec91cf20-3a9c-11eb-96b2-e765737b7534", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/pfsense/1.3.2/kibana/visualization/pfsense-b1545340-3a8f-11eb-96b2-e765737b7534.json b/packages/pfsense/1.3.2/kibana/visualization/pfsense-b1545340-3a8f-11eb-96b2-e765737b7534.json deleted file mode 100755 index e5404d633a..0000000000 --- a/packages/pfsense/1.3.2/kibana/visualization/pfsense-b1545340-3a8f-11eb-96b2-e765737b7534.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "Heatmap of destination countries", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Firewall - Country Destination/Heatmap [pfSense]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Firewall - Destination Heatmap\",\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"scaleMetricValues\":false,\"timeRange\":{\"from\":\"now-90m\",\"to\":\"now\"},\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"destination.geo.country_name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"colorSchema\":\"Green to Red\",\"colorsNumber\":10,\"colorsRange\":[],\"enableHover\":false,\"invertColors\":false,\"legendPosition\":\"right\",\"percentageMode\":false,\"setColorRange\":false,\"times\":[],\"type\":\"heatmap\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"color\":\"black\",\"overwriteColor\":false,\"rotate\":0,\"show\":false},\"scale\":{\"defaultYExtents\":false,\"type\":\"linear\"},\"show\":false,\"type\":\"value\"}]},\"title\":\"Firewall - Country Destination/Heatmap\",\"type\":\"heatmap\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "pfsense-b1545340-3a8f-11eb-96b2-e765737b7534", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "pfsense-22edf800-3a8e-11eb-96b2-e765737b7534", - "name": "search_0", - "type": "search" - } - ], - "type": 
"visualization" -} \ No newline at end of file diff --git a/packages/pfsense/1.3.2/kibana/visualization/pfsense-bf8b2040-3a9b-11eb-96b2-e765737b7534.json b/packages/pfsense/1.3.2/kibana/visualization/pfsense-bf8b2040-3a9b-11eb-96b2-e765737b7534.json deleted file mode 100755 index 0489e7a517..0000000000 --- a/packages/pfsense/1.3.2/kibana/visualization/pfsense-bf8b2040-3a9b-11eb-96b2-e765737b7534.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "DHCP - IP/MAC Flow [pfSense]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"spec\":\"{\\n $schema: https://vega.github.io/schema/vega/v3.0.json\\n data: [\\n {\\n // query ES based on the currently selected time range and filter string\\n name: rawData\\n url: {\\n %context%: true\\n %timefield%: @timestamp\\n index: logs-*\\n body: {\\n size: 0\\n aggs: {\\n table: {\\n composite: {\\n size: 10000\\n sources: [\\n {\\n stk1: {\\n terms: {field: \\\"client.ip\\\"}\\n }\\n }\\n {\\n stk2: {\\n terms: {field: \\\"client.mac\\\"}\\n }\\n }\\n ]\\n }\\n }\\n }\\n }\\n }\\n // From the result, take just the data we are interested in\\n format: {property: \\\"aggregations.table.buckets\\\"}\\n // Convert key.stk1 -\\u003e stk1 for simpler access below\\n transform: [\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk1\\\", as: \\\"stk1\\\"}\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk2\\\", as: \\\"stk2\\\"}\\n {type: \\\"formula\\\", expr: \\\"datum.doc_count\\\", as: \\\"size\\\"}\\n ]\\n }\\n {\\n name: nodes\\n source: rawData\\n transform: [\\n // when a country is selected, filter out unrelated data\\n {\\n type: filter\\n expr: !groupSelector || groupSelector.stk1 == datum.stk1 || groupSelector.stk2 == datum.stk2\\n }\\n // Set new key for later lookups - identifies each node\\n {type: \\\"formula\\\", expr: \\\"datum.stk1+datum.stk2\\\", as: \\\"key\\\"}\\n // instead of each table row, create two new rows,\\n // one for the source (stack=stk1) and one for destination node (stack=stk2).\\n // The country code stored in stk1 and stk2 fields is placed into grpId field.\\n {\\n type: fold\\n fields: [\\\"stk1\\\", \\\"stk2\\\"]\\n as: [\\\"stack\\\", \\\"grpId\\\"]\\n }\\n // Create a sortkey, 
different for stk1 and stk2 stacks.\\n // Space separator ensures proper sort order in some corner cases.\\n {\\n type: formula\\n expr: datum.stack == 'stk1' ? datum.stk1+' '+datum.stk2 : datum.stk2+' '+datum.stk1\\n as: sortField\\n }\\n // Calculate y0 and y1 positions for stacking nodes one on top of the other,\\n // independently for each stack, and ensuring they are in the proper order,\\n // alphabetical from the top (reversed on the y axis)\\n {\\n type: stack\\n groupby: [\\\"stack\\\"]\\n sort: {field: \\\"sortField\\\", order: \\\"descending\\\"}\\n field: size\\n }\\n // calculate vertical center point for each node, used to draw edges\\n {type: \\\"formula\\\", expr: \\\"(datum.y0+datum.y1)/2\\\", as: \\\"yc\\\"}\\n ]\\n }\\n {\\n name: groups\\n source: nodes\\n transform: [\\n // combine all nodes into country groups, summing up the doc counts\\n {\\n type: aggregate\\n groupby: [\\\"stack\\\", \\\"grpId\\\"]\\n fields: [\\\"size\\\"]\\n ops: [\\\"sum\\\"]\\n as: [\\\"total\\\"]\\n }\\n // re-calculate the stacking y0,y1 values\\n {\\n type: stack\\n groupby: [\\\"stack\\\"]\\n sort: {field: \\\"grpId\\\", order: \\\"descending\\\"}\\n field: total\\n }\\n // project y0 and y1 values to screen coordinates\\n // doing it once here instead of doing it several times in marks\\n {type: \\\"formula\\\", expr: \\\"scale('y', datum.y0)\\\", as: \\\"scaledY0\\\"}\\n {type: \\\"formula\\\", expr: \\\"scale('y', datum.y1)\\\", as: \\\"scaledY1\\\"}\\n // boolean flag if the label should be on the right of the stack\\n {type: \\\"formula\\\", expr: \\\"datum.stack == 'stk1'\\\", as: \\\"rightLabel\\\"}\\n // Calculate traffic percentage for this country using \\\"y\\\" scale\\n // domain upper bound, which represents the total traffic\\n {\\n type: formula\\n expr: datum.total/domain('y')[1]\\n as: percentage\\n }\\n ]\\n }\\n {\\n // This is a temp lookup table with all the 'stk2' stack nodes\\n name: destinationNodes\\n source: nodes\\n transform: [\\n {type: 
\\\"filter\\\", expr: \\\"datum.stack == 'stk2'\\\"}\\n ]\\n }\\n {\\n name: edges\\n source: nodes\\n transform: [\\n // we only want nodes from the left stack\\n {type: \\\"filter\\\", expr: \\\"datum.stack == 'stk1'\\\"}\\n // find corresponding node from the right stack, keep it as \\\"target\\\"\\n {\\n type: lookup\\n from: destinationNodes\\n key: key\\n fields: [\\\"key\\\"]\\n as: [\\\"target\\\"]\\n }\\n // calculate SVG link path between stk1 and stk2 stacks for the node pair\\n {\\n type: linkpath\\n orient: horizontal\\n shape: diagonal\\n sourceY: {expr: \\\"scale('y', datum.yc)\\\"}\\n sourceX: {expr: \\\"scale('x', 'stk1') + bandwidth('x')\\\"}\\n targetY: {expr: \\\"scale('y', datum.target.yc)\\\"}\\n targetX: {expr: \\\"scale('x', 'stk2')\\\"}\\n }\\n // A little trick to calculate the thickness of the line.\\n // The value needs to be the same as the hight of the node, but scaling\\n // size to screen's height gives inversed value because screen's Y\\n // coordinate goes from the top to the bottom, whereas the graph's Y=0\\n // is at the bottom. 
So subtracting scaled doc count from screen height\\n // (which is the \\\"lower\\\" bound of the \\\"y\\\" scale) gives us the right value\\n {\\n type: formula\\n expr: range('y')[0]-scale('y', datum.size)\\n as: strokeWidth\\n }\\n // Tooltip needs individual link's percentage of all traffic\\n {\\n type: formula\\n expr: datum.size/domain('y')[1]\\n as: percentage\\n }\\n ]\\n }\\n ]\\n scales: [\\n {\\n // calculates horizontal stack positioning\\n name: x\\n type: band\\n range: width\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\n paddingOuter: 0.05\\n paddingInner: 0.95\\n }\\n {\\n // this scale goes up as high as the highest y1 value of all nodes\\n name: y\\n type: linear\\n range: height\\n domain: {data: \\\"nodes\\\", field: \\\"y1\\\"}\\n }\\n {\\n // use rawData to ensure the colors stay the same when clicking.\\n name: color\\n type: ordinal\\n range: category\\n domain: {data: \\\"rawData\\\", fields: [\\\"stk1\\\", \\\"stk2\\\"]}\\n }\\n {\\n // this scale is used to map internal ids (stk1, stk2) to stack names\\n name: stackNames\\n type: ordinal\\n range: [\\\"Source\\\", \\\"Destination\\\"]\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\n }\\n ]\\n axes: [\\n {\\n // x axis should use custom label formatting to print proper stack names\\n orient: bottom\\n scale: x\\n encode: {\\n labels: {\\n update: {\\n text: {scale: \\\"stackNames\\\", field: \\\"value\\\"}\\n }\\n }\\n }\\n }\\n {orient: \\\"left\\\", scale: \\\"y\\\"}\\n ]\\n marks: [\\n {\\n // draw the connecting line between stacks\\n type: path\\n name: edgeMark\\n from: {data: \\\"edges\\\"}\\n // this prevents some autosizing issues with large strokeWidth for paths\\n clip: true\\n encode: {\\n update: {\\n // By default use color of the left node, except when showing traffic\\n // from just one country, in which case use destination color.\\n stroke: [\\n {\\n test: groupSelector \\u0026\\u0026 groupSelector.stack=='stk1'\\n scale: color\\n field: stk2\\n }\\n {scale: \\\"color\\\", field: 
\\\"stk1\\\"}\\n ]\\n strokeWidth: {field: \\\"strokeWidth\\\"}\\n path: {field: \\\"path\\\"}\\n // when showing all traffic, and hovering over a country,\\n // highlight the traffic from that country.\\n strokeOpacity: {\\n signal: !groupSelector \\u0026\\u0026 (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 0.9 : 0.3\\n }\\n // Ensure that the hover-selected edges show on top\\n zindex: {\\n signal: !groupSelector \\u0026\\u0026 (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 1 : 0\\n }\\n // format tooltip string\\n tooltip: {\\n signal: datum.stk1 + ' → ' + datum.stk2 + ' ' + format(datum.size, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\n }\\n }\\n // Simple mouseover highlighting of a single line\\n hover: {\\n strokeOpacity: {value: 1}\\n }\\n }\\n }\\n {\\n // draw stack groups (countries)\\n type: rect\\n name: groupMark\\n from: {data: \\\"groups\\\"}\\n encode: {\\n enter: {\\n fill: {scale: \\\"color\\\", field: \\\"grpId\\\"}\\n width: {scale: \\\"x\\\", band: 1}\\n }\\n update: {\\n x: {scale: \\\"x\\\", field: \\\"stack\\\"}\\n y: {field: \\\"scaledY0\\\"}\\n y2: {field: \\\"scaledY1\\\"}\\n fillOpacity: {value: 0.6}\\n tooltip: {\\n signal: datum.grpId + ' ' + format(datum.total, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\n }\\n }\\n hover: {\\n fillOpacity: {value: 1}\\n }\\n }\\n }\\n {\\n // draw country code labels on the inner side of the stack\\n type: text\\n from: {data: \\\"groups\\\"}\\n // don't process events for the labels - otherwise line mouseover is unclean\\n interactive: false\\n encode: {\\n update: {\\n // depending on which stack it is, position x with some padding\\n x: {\\n signal: scale('x', datum.stack) + (datum.rightLabel ? bandwidth('x') + 8 : -8)\\n }\\n // middle of the group\\n yc: {signal: \\\"(datum.scaledY0 + datum.scaledY1)/2\\\"}\\n align: {signal: \\\"datum.rightLabel ? 
'left' : 'right'\\\"}\\n baseline: {value: \\\"middle\\\"}\\n fontWeight: {value: \\\"bold\\\"}\\n // only show text label if the group's height is large enough\\n text: {signal: \\\"abs(datum.scaledY0-datum.scaledY1) \\u003e 13 ? datum.grpId : ''\\\"}\\n }\\n }\\n }\\n {\\n // Create a \\\"show all\\\" button. Shown only when a country is selected.\\n type: group\\n data: [\\n // We need to make the button show only when groupSelector signal is true.\\n // Each mark is drawn as many times as there are elements in the backing data.\\n // Which means that if values list is empty, it will not be drawn.\\n // Here I create a data source with one empty object, and filter that list\\n // based on the signal value. This can only be done in a group.\\n {\\n name: dataForShowAll\\n values: [{}]\\n transform: [{type: \\\"filter\\\", expr: \\\"groupSelector\\\"}]\\n }\\n ]\\n // Set button size and positioning\\n encode: {\\n enter: {\\n xc: {signal: \\\"width/2\\\"}\\n y: {value: 30}\\n width: {value: 80}\\n height: {value: 30}\\n }\\n }\\n marks: [\\n {\\n // This group is shown as a button with rounded corners.\\n type: group\\n // mark name allows signal capturing\\n name: groupReset\\n // Only shows button if dataForShowAll has values.\\n from: {data: \\\"dataForShowAll\\\"}\\n encode: {\\n enter: {\\n cornerRadius: {value: 6}\\n fill: {value: \\\"#f5f5f5\\\"}\\n stroke: {value: \\\"#c1c1c1\\\"}\\n strokeWidth: {value: 2}\\n // use parent group's size\\n height: {\\n field: {group: \\\"height\\\"}\\n }\\n width: {\\n field: {group: \\\"width\\\"}\\n }\\n }\\n update: {\\n // groups are transparent by default\\n opacity: {value: 1}\\n }\\n hover: {\\n opacity: {value: 0.7}\\n }\\n }\\n marks: [\\n {\\n type: text\\n // if true, it will prevent clicking on the button when over text.\\n interactive: false\\n encode: {\\n enter: {\\n // center text in the paren group\\n xc: {\\n field: {group: \\\"width\\\"}\\n mult: 0.5\\n }\\n yc: {\\n field: {group: \\\"height\\\"}\\n 
mult: 0.5\\n offset: 2\\n }\\n align: {value: \\\"center\\\"}\\n baseline: {value: \\\"middle\\\"}\\n fontWeight: {value: \\\"bold\\\"}\\n text: {value: \\\"Show All\\\"}\\n }\\n }\\n }\\n ]\\n }\\n ]\\n }\\n ]\\n signals: [\\n {\\n // used to highlight traffic to/from the same country\\n name: groupHover\\n value: {}\\n on: [\\n {\\n events: @groupMark:mouseover\\n update: \\\"{stk1:datum.stack=='stk1' \\u0026\\u0026 datum.grpId, stk2:datum.stack=='stk2' \\u0026\\u0026 datum.grpId}\\\"\\n }\\n {events: \\\"mouseout\\\", update: \\\"{}\\\"}\\n ]\\n }\\n // used to filter only the data related to the selected country\\n {\\n name: groupSelector\\n value: false\\n on: [\\n {\\n // Clicking groupMark sets this signal to the filter values\\n events: @groupMark:click!\\n update: \\\"{stack:datum.stack, stk1:datum.stack=='stk1' \\u0026\\u0026 datum.grpId, stk2:datum.stack=='stk2' \\u0026\\u0026 datum.grpId}\\\"\\n }\\n {\\n // Clicking \\\"show all\\\" button, or double-clicking anywhere resets it\\n events: [\\n {type: \\\"click\\\", markname: \\\"groupReset\\\"}\\n {type: \\\"dblclick\\\"}\\n ]\\n update: \\\"false\\\"\\n }\\n ]\\n }\\n ]\\n}\"},\"title\":\"DHCP - IP/MAC Flow\",\"type\":\"vega\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "pfsense-bf8b2040-3a9b-11eb-96b2-e765737b7534", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "pfsense-ec91cf20-3a9c-11eb-96b2-e765737b7534", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/pfsense/1.3.2/kibana/visualization/pfsense-c8a34db0-3a8c-11eb-96b2-e765737b7534.json b/packages/pfsense/1.3.2/kibana/visualization/pfsense-c8a34db0-3a8c-11eb-96b2-e765737b7534.json deleted file mode 100755 index 384f395db3..0000000000 --- a/packages/pfsense/1.3.2/kibana/visualization/pfsense-c8a34db0-3a8c-11eb-96b2-e765737b7534.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "Events over type based on network transport type", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Firewall - Network Transport/Time [pfSense]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Firewall - Network Transport/Time\",\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"scaleMetricValues\":false,\"timeRange\":{\"from\":\"now-90m\",\"to\":\"now\"},\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"network.transport\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"isVislibVis\":true,\"labels\":{\"show\":false},\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"row\":true,\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"mode\":\"stacked\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"type\":\"histog
ram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"Firewall - Network Transport/Time\",\"type\":\"histogram\"}"
- },
- "coreMigrationVersion": "7.15.0",
- "id": "pfsense-c8a34db0-3a8c-11eb-96b2-e765737b7534",
- "migrationVersion": {
- "visualization": "7.14.0"
- },
- "references": [
- {
- "id": "pfsense-22edf800-3a8e-11eb-96b2-e765737b7534",
- "name": "search_0",
- "type": "search"
- }
- ],
- "type": "visualization"
-}
\ No newline at end of file
diff --git a/packages/pfsense/1.3.2/kibana/visualization/pfsense-dc86acc0-3a8f-11eb-96b2-e765737b7534.json b/packages/pfsense/1.3.2/kibana/visualization/pfsense-dc86acc0-3a8f-11eb-96b2-e765737b7534.json
deleted file mode 100755
index 09a7a4ce7a..0000000000
--- a/packages/pfsense/1.3.2/kibana/visualization/pfsense-dc86acc0-3a8f-11eb-96b2-e765737b7534.json
+++ /dev/null
@@ -1,26 +0,0 @@
-{
- "attributes": {
- "description": "Heatmap of source countries",
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}"
- },
- "savedSearchRefName": "search_0",
- "title": "Firewall - Country Source/Heatmap [pfSense]",
- "uiStateJSON": "{}",
- "version": 1,
- "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Firewall - Source Heatmap\",\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"scaleMetricValues\":false,\"timeRange\":{\"from\":\"now-90m\",\"to\":\"now\"},\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"source.geo.country_name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"colorSchema\":\"Green to Red\",\"colorsNumber\":10,\"colorsRange\":[],\"enableHover\":false,\"invertColors\":false,\"legendPosition\":\"right\",\"percentageMode\":false,\"setColorRange\":false,\"times\":[],\"type\":\"heatmap\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"color\":\"black\",\"overwriteColor\":false,\"rotate\":0,\"show\":false},\"scale\":{\"defaultYExtents\":false,\"type\":\"linear\"},\"show\":false,\"type\":\"value\"}]},\"title\":\"Firewall - Country Source/Heatmap\",\"type\":\"heatmap\"}"
- },
- "coreMigrationVersion": "7.15.0",
- "id": "pfsense-dc86acc0-3a8f-11eb-96b2-e765737b7534",
- "migrationVersion": {
- "visualization": "7.14.0"
- },
- "references": [
- {
- "id": "pfsense-22edf800-3a8e-11eb-96b2-e765737b7534",
- "name": "search_0",
- "type": "search"
- }
- ],
- "type": "visualization"
-}
\ No 
newline at end of file
diff --git a/packages/pfsense/1.3.2/kibana/visualization/pfsense-dffb6ab0-3a9b-11eb-96b2-e765737b7534.json b/packages/pfsense/1.3.2/kibana/visualization/pfsense-dffb6ab0-3a9b-11eb-96b2-e765737b7534.json
deleted file mode 100755
index 4ce6eca893..0000000000
--- a/packages/pfsense/1.3.2/kibana/visualization/pfsense-dffb6ab0-3a9b-11eb-96b2-e765737b7534.json
+++ /dev/null
@@ -1,26 +0,0 @@
-{
- "attributes": {
- "description": "",
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}"
- },
- "savedSearchRefName": "search_0",
- "title": "DHCP - Operation [pfSense]",
- "uiStateJSON": "{}",
- "version": 1,
- "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"event.action\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"labels\":{\"last_level\":true,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"type\":\"pie\"},\"title\":\"DHCP - Operation\",\"type\":\"pie\"}"
- },
- "coreMigrationVersion": "7.15.0",
- "id": "pfsense-dffb6ab0-3a9b-11eb-96b2-e765737b7534",
- "migrationVersion": {
- "visualization": "7.14.0"
- },
- "references": [
- {
- "id": "pfsense-ec91cf20-3a9c-11eb-96b2-e765737b7534",
- "name": "search_0",
- "type": "search"
- }
- ],
- "type": "visualization"
-}
\ No newline at end of file
diff --git a/packages/pfsense/1.3.2/kibana/visualization/pfsense-e895c9b0-3a99-11eb-96b2-e765737b7534.json b/packages/pfsense/1.3.2/kibana/visualization/pfsense-e895c9b0-3a99-11eb-96b2-e765737b7534.json
deleted file mode 100755
index bd1ab0a445..0000000000
--- a/packages/pfsense/1.3.2/kibana/visualization/pfsense-e895c9b0-3a99-11eb-96b2-e765737b7534.json
+++ /dev/null
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "Client IP \u003c-flow-\u003e dns question name", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Unbound - DNS Flow [pfSense]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"spec\":\"{\\n $schema: https://vega.github.io/schema/vega/v3.0.json\\n data: [\\n {\\n // query ES based on the currently selected time range and filter string\\n name: rawData\\n url: {\\n %context%: true\\n %timefield%: @timestamp\\n index: logs-*\\n body: {\\n size: 0\\n aggs: {\\n table: {\\n composite: {\\n size: 10000\\n sources: [\\n {\\n stk1: {\\n terms: {field: \\\"client.ip\\\"}\\n }\\n }\\n {\\n stk2: {\\n terms: {field: \\\"dns.question.name\\\"}\\n }\\n }\\n ]\\n }\\n }\\n }\\n }\\n }\\n // From the result, take just the data we are interested in\\n format: {property: \\\"aggregations.table.buckets\\\"}\\n // Convert key.stk1 -\\u003e stk1 for simpler access below\\n transform: [\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk1\\\", as: \\\"stk1\\\"}\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk2\\\", as: \\\"stk2\\\"}\\n {type: \\\"formula\\\", expr: \\\"datum.doc_count\\\", as: \\\"size\\\"}\\n ]\\n }\\n {\\n name: nodes\\n source: rawData\\n transform: [\\n // when a country is selected, filter out unrelated data\\n {\\n type: filter\\n expr: !groupSelector || groupSelector.stk1 == datum.stk1 || groupSelector.stk2 == datum.stk2\\n }\\n // Set new key for later lookups - identifies each node\\n {type: \\\"formula\\\", expr: \\\"datum.stk1+datum.stk2\\\", as: \\\"key\\\"}\\n // instead of each table row, create two new rows,\\n // one for the source (stack=stk1) and one for destination node (stack=stk2).\\n // The country code stored in stk1 and stk2 fields is placed into grpId field.\\n {\\n type: fold\\n fields: [\\\"stk1\\\", \\\"stk2\\\"]\\n as: 
[\\\"stack\\\", \\\"grpId\\\"]\\n }\\n // Create a sortkey, different for stk1 and stk2 stacks.\\n // Space separator ensures proper sort order in some corner cases.\\n {\\n type: formula\\n expr: datum.stack == 'stk1' ? datum.stk1+' '+datum.stk2 : datum.stk2+' '+datum.stk1\\n as: sortField\\n }\\n // Calculate y0 and y1 positions for stacking nodes one on top of the other,\\n // independently for each stack, and ensuring they are in the proper order,\\n // alphabetical from the top (reversed on the y axis)\\n {\\n type: stack\\n groupby: [\\\"stack\\\"]\\n sort: {field: \\\"sortField\\\", order: \\\"descending\\\"}\\n field: size\\n }\\n // calculate vertical center point for each node, used to draw edges\\n {type: \\\"formula\\\", expr: \\\"(datum.y0+datum.y1)/2\\\", as: \\\"yc\\\"}\\n ]\\n }\\n {\\n name: groups\\n source: nodes\\n transform: [\\n // combine all nodes into country groups, summing up the doc counts\\n {\\n type: aggregate\\n groupby: [\\\"stack\\\", \\\"grpId\\\"]\\n fields: [\\\"size\\\"]\\n ops: [\\\"sum\\\"]\\n as: [\\\"total\\\"]\\n }\\n // re-calculate the stacking y0,y1 values\\n {\\n type: stack\\n groupby: [\\\"stack\\\"]\\n sort: {field: \\\"grpId\\\", order: \\\"descending\\\"}\\n field: total\\n }\\n // project y0 and y1 values to screen coordinates\\n // doing it once here instead of doing it several times in marks\\n {type: \\\"formula\\\", expr: \\\"scale('y', datum.y0)\\\", as: \\\"scaledY0\\\"}\\n {type: \\\"formula\\\", expr: \\\"scale('y', datum.y1)\\\", as: \\\"scaledY1\\\"}\\n // boolean flag if the label should be on the right of the stack\\n {type: \\\"formula\\\", expr: \\\"datum.stack == 'stk1'\\\", as: \\\"rightLabel\\\"}\\n // Calculate traffic percentage for this country using \\\"y\\\" scale\\n // domain upper bound, which represents the total traffic\\n {\\n type: formula\\n expr: datum.total/domain('y')[1]\\n as: percentage\\n }\\n ]\\n }\\n {\\n // This is a temp lookup table with all the 'stk2' stack nodes\\n name: 
destinationNodes\\n source: nodes\\n transform: [\\n {type: \\\"filter\\\", expr: \\\"datum.stack == 'stk2'\\\"}\\n ]\\n }\\n {\\n name: edges\\n source: nodes\\n transform: [\\n // we only want nodes from the left stack\\n {type: \\\"filter\\\", expr: \\\"datum.stack == 'stk1'\\\"}\\n // find corresponding node from the right stack, keep it as \\\"target\\\"\\n {\\n type: lookup\\n from: destinationNodes\\n key: key\\n fields: [\\\"key\\\"]\\n as: [\\\"target\\\"]\\n }\\n // calculate SVG link path between stk1 and stk2 stacks for the node pair\\n {\\n type: linkpath\\n orient: horizontal\\n shape: diagonal\\n sourceY: {expr: \\\"scale('y', datum.yc)\\\"}\\n sourceX: {expr: \\\"scale('x', 'stk1') + bandwidth('x')\\\"}\\n targetY: {expr: \\\"scale('y', datum.target.yc)\\\"}\\n targetX: {expr: \\\"scale('x', 'stk2')\\\"}\\n }\\n // A little trick to calculate the thickness of the line.\\n // The value needs to be the same as the hight of the node, but scaling\\n // size to screen's height gives inversed value because screen's Y\\n // coordinate goes from the top to the bottom, whereas the graph's Y=0\\n // is at the bottom. 
So subtracting scaled doc count from screen height\\n // (which is the \\\"lower\\\" bound of the \\\"y\\\" scale) gives us the right value\\n {\\n type: formula\\n expr: range('y')[0]-scale('y', datum.size)\\n as: strokeWidth\\n }\\n // Tooltip needs individual link's percentage of all traffic\\n {\\n type: formula\\n expr: datum.size/domain('y')[1]\\n as: percentage\\n }\\n ]\\n }\\n ]\\n scales: [\\n {\\n // calculates horizontal stack positioning\\n name: x\\n type: band\\n range: width\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\n paddingOuter: 0.05\\n paddingInner: 0.95\\n }\\n {\\n // this scale goes up as high as the highest y1 value of all nodes\\n name: y\\n type: linear\\n range: height\\n domain: {data: \\\"nodes\\\", field: \\\"y1\\\"}\\n }\\n {\\n // use rawData to ensure the colors stay the same when clicking.\\n name: color\\n type: ordinal\\n range: category\\n domain: {data: \\\"rawData\\\", fields: [\\\"stk1\\\", \\\"stk2\\\"]}\\n }\\n {\\n // this scale is used to map internal ids (stk1, stk2) to stack names\\n name: stackNames\\n type: ordinal\\n range: [\\\"Source\\\", \\\"Destination\\\"]\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\n }\\n ]\\n axes: [\\n {\\n // x axis should use custom label formatting to print proper stack names\\n orient: bottom\\n scale: x\\n encode: {\\n labels: {\\n update: {\\n text: {scale: \\\"stackNames\\\", field: \\\"value\\\"}\\n }\\n }\\n }\\n }\\n {orient: \\\"left\\\", scale: \\\"y\\\"}\\n ]\\n marks: [\\n {\\n // draw the connecting line between stacks\\n type: path\\n name: edgeMark\\n from: {data: \\\"edges\\\"}\\n // this prevents some autosizing issues with large strokeWidth for paths\\n clip: true\\n encode: {\\n update: {\\n // By default use color of the left node, except when showing traffic\\n // from just one country, in which case use destination color.\\n stroke: [\\n {\\n test: groupSelector \\u0026\\u0026 groupSelector.stack=='stk1'\\n scale: color\\n field: stk2\\n }\\n {scale: \\\"color\\\", field: 
\\\"stk1\\\"}\\n ]\\n strokeWidth: {field: \\\"strokeWidth\\\"}\\n path: {field: \\\"path\\\"}\\n // when showing all traffic, and hovering over a country,\\n // highlight the traffic from that country.\\n strokeOpacity: {\\n signal: !groupSelector \\u0026\\u0026 (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 0.9 : 0.3\\n }\\n // Ensure that the hover-selected edges show on top\\n zindex: {\\n signal: !groupSelector \\u0026\\u0026 (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 1 : 0\\n }\\n // format tooltip string\\n tooltip: {\\n signal: datum.stk1 + ' → ' + datum.stk2 + ' ' + format(datum.size, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\n }\\n }\\n // Simple mouseover highlighting of a single line\\n hover: {\\n strokeOpacity: {value: 1}\\n }\\n }\\n }\\n {\\n // draw stack groups (countries)\\n type: rect\\n name: groupMark\\n from: {data: \\\"groups\\\"}\\n encode: {\\n enter: {\\n fill: {scale: \\\"color\\\", field: \\\"grpId\\\"}\\n width: {scale: \\\"x\\\", band: 1}\\n }\\n update: {\\n x: {scale: \\\"x\\\", field: \\\"stack\\\"}\\n y: {field: \\\"scaledY0\\\"}\\n y2: {field: \\\"scaledY1\\\"}\\n fillOpacity: {value: 0.6}\\n tooltip: {\\n signal: datum.grpId + ' ' + format(datum.total, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\n }\\n }\\n hover: {\\n fillOpacity: {value: 1}\\n }\\n }\\n }\\n {\\n // draw country code labels on the inner side of the stack\\n type: text\\n from: {data: \\\"groups\\\"}\\n // don't process events for the labels - otherwise line mouseover is unclean\\n interactive: false\\n encode: {\\n update: {\\n // depending on which stack it is, position x with some padding\\n x: {\\n signal: scale('x', datum.stack) + (datum.rightLabel ? bandwidth('x') + 8 : -8)\\n }\\n // middle of the group\\n yc: {signal: \\\"(datum.scaledY0 + datum.scaledY1)/2\\\"}\\n align: {signal: \\\"datum.rightLabel ? 
'left' : 'right'\\\"}\\n baseline: {value: \\\"middle\\\"}\\n fontWeight: {value: \\\"bold\\\"}\\n // only show text label if the group's height is large enough\\n text: {signal: \\\"abs(datum.scaledY0-datum.scaledY1) \\u003e 13 ? datum.grpId : ''\\\"}\\n }\\n }\\n }\\n {\\n // Create a \\\"show all\\\" button. Shown only when a country is selected.\\n type: group\\n data: [\\n // We need to make the button show only when groupSelector signal is true.\\n // Each mark is drawn as many times as there are elements in the backing data.\\n // Which means that if values list is empty, it will not be drawn.\\n // Here I create a data source with one empty object, and filter that list\\n // based on the signal value. This can only be done in a group.\\n {\\n name: dataForShowAll\\n values: [{}]\\n transform: [{type: \\\"filter\\\", expr: \\\"groupSelector\\\"}]\\n }\\n ]\\n // Set button size and positioning\\n encode: {\\n enter: {\\n xc: {signal: \\\"width/2\\\"}\\n y: {value: 30}\\n width: {value: 80}\\n height: {value: 30}\\n }\\n }\\n marks: [\\n {\\n // This group is shown as a button with rounded corners.\\n type: group\\n // mark name allows signal capturing\\n name: groupReset\\n // Only shows button if dataForShowAll has values.\\n from: {data: \\\"dataForShowAll\\\"}\\n encode: {\\n enter: {\\n cornerRadius: {value: 6}\\n fill: {value: \\\"#f5f5f5\\\"}\\n stroke: {value: \\\"#c1c1c1\\\"}\\n strokeWidth: {value: 2}\\n // use parent group's size\\n height: {\\n field: {group: \\\"height\\\"}\\n }\\n width: {\\n field: {group: \\\"width\\\"}\\n }\\n }\\n update: {\\n // groups are transparent by default\\n opacity: {value: 1}\\n }\\n hover: {\\n opacity: {value: 0.7}\\n }\\n }\\n marks: [\\n {\\n type: text\\n // if true, it will prevent clicking on the button when over text.\\n interactive: false\\n encode: {\\n enter: {\\n // center text in the paren group\\n xc: {\\n field: {group: \\\"width\\\"}\\n mult: 0.5\\n }\\n yc: {\\n field: {group: \\\"height\\\"}\\n 
mult: 0.5\\n offset: 2\\n }\\n align: {value: \\\"center\\\"}\\n baseline: {value: \\\"middle\\\"}\\n fontWeight: {value: \\\"bold\\\"}\\n text: {value: \\\"Show All\\\"}\\n }\\n }\\n }\\n ]\\n }\\n ]\\n }\\n ]\\n signals: [\\n {\\n // used to highlight traffic to/from the same country\\n name: groupHover\\n value: {}\\n on: [\\n {\\n events: @groupMark:mouseover\\n update: \\\"{stk1:datum.stack=='stk1' \\u0026\\u0026 datum.grpId, stk2:datum.stack=='stk2' \\u0026\\u0026 datum.grpId}\\\"\\n }\\n {events: \\\"mouseout\\\", update: \\\"{}\\\"}\\n ]\\n }\\n // used to filter only the data related to the selected country\\n {\\n name: groupSelector\\n value: false\\n on: [\\n {\\n // Clicking groupMark sets this signal to the filter values\\n events: @groupMark:click!\\n update: \\\"{stack:datum.stack, stk1:datum.stack=='stk1' \\u0026\\u0026 datum.grpId, stk2:datum.stack=='stk2' \\u0026\\u0026 datum.grpId}\\\"\\n }\\n {\\n // Clicking \\\"show all\\\" button, or double-clicking anywhere resets it\\n events: [\\n {type: \\\"click\\\", markname: \\\"groupReset\\\"}\\n {type: \\\"dblclick\\\"}\\n ]\\n update: \\\"false\\\"\\n }\\n ]\\n }\\n ]\\n}\"},\"title\":\"Unbound - DNS Flow\",\"type\":\"vega\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "pfsense-e895c9b0-3a99-11eb-96b2-e765737b7534", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "pfsense-f9ed8947-6d26-4497-905f-57d08ee304f4", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/pfsense/1.3.2/kibana/visualization/pfsense-eadb2e30-3a8b-11eb-96b2-e765737b7534.json b/packages/pfsense/1.3.2/kibana/visualization/pfsense-eadb2e30-3a8b-11eb-96b2-e765737b7534.json deleted file mode 100755 index b773f61c44..0000000000 --- a/packages/pfsense/1.3.2/kibana/visualization/pfsense-eadb2e30-3a8b-11eb-96b2-e765737b7534.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "Pie chart depicting events by interface alias", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Firewall - Events by Interface [pfSense]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"event.action\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Firewall - Events by Interface\",\"field\":\"observer.ingress.interface.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"labels\":{\"last_level\":true,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"type\":\"pie\"},\"title\":\"Firewall - Events by Interface\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "pfsense-eadb2e30-3a8b-11eb-96b2-e765737b7534", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "pfsense-22edf800-3a8e-11eb-96b2-e765737b7534", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/pfsense/1.3.2/kibana/visualization/pfsense-f554afa0-3a98-11eb-96b2-e765737b7534.json b/packages/pfsense/1.3.2/kibana/visualization/pfsense-f554afa0-3a98-11eb-96b2-e765737b7534.json deleted file mode 100755 index 137b895052..0000000000 --- a/packages/pfsense/1.3.2/kibana/visualization/pfsense-f554afa0-3a98-11eb-96b2-e765737b7534.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "Unbound request heat map by IP address", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Unbound - Request Rate [pfSense]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"scaleMetricValues\":false,\"timeRange\":{\"from\":\"now-7h\",\"to\":\"now\"},\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"client.ip\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"colorSchema\":\"Green to Red\",\"colorsNumber\":10,\"colorsRange\":[],\"enableHover\":false,\"invertColors\":false,\"legendPosition\":\"top\",\"percentageMode\":false,\"setColorRange\":false,\"times\":[],\"type\":\"heatmap\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"color\":\"black\",\"overwriteColor\":false,\"rotate\":0,\"show\":false},\"scale\":{\"defaultYExtents\":false,\"type\":\"linear\"},\"show\":false,\"type\":\"value\"}]},\"title\":\"Unbound - Request Rate\",\"type\":\"heatmap\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "pfsense-f554afa0-3a98-11eb-96b2-e765737b7534", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "pfsense-f9ed8947-6d26-4497-905f-57d08ee304f4", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/pfsense/1.3.2/kibana/visualization/pfsense-feb1a6e0-3a8c-11eb-96b2-e765737b7534.json b/packages/pfsense/1.3.2/kibana/visualization/pfsense-feb1a6e0-3a8c-11eb-96b2-e765737b7534.json deleted file mode 100755 index 95dfc88834..0000000000 --- a/packages/pfsense/1.3.2/kibana/visualization/pfsense-feb1a6e0-3a8c-11eb-96b2-e765737b7534.json +++ /dev/null @@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "Network transport pie chart", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Firewall - Network Transport [pfSense]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Firewall - Network Transport\",\"field\":\"network.transport\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"labels\":{\"last_level\":true,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"row\":true,\"type\":\"pie\"},\"title\":\"Firewall - Network Transport \",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "pfsense-feb1a6e0-3a8c-11eb-96b2-e765737b7534", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "pfsense-22edf800-3a8e-11eb-96b2-e765737b7534", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/pfsense/1.3.2/manifest.yml b/packages/pfsense/1.3.2/manifest.yml deleted file mode 100755 index 6e15fda7e6..0000000000 
--- a/packages/pfsense/1.3.2/manifest.yml
+++ /dev/null
@@ -1,52 +0,0 @@
-name: pfsense
-title: pfSense
-version: "1.3.2"
-release: ga
-description: Collect logs from pfSense and OPNsense with Elastic Agent.
-type: integration
-icons:
- - src: /img/pfsense.svg
- title: pfsense
- size: 512x143
- type: image/svg+xml
-format_version: 1.0.0
-license: basic
-categories:
- - network
- - security
-conditions:
- kibana.version: ^7.15.0 || ^8.0.0
-screenshots:
- - src: /img/firewall.png
- title: pfSense Firewall Dashboard
- size: 2993x1646
- type: image/png
- - src: /img/dhcp.png
- title: pfSense DHCP Dashboard
- size: 2999x1640
- type: image/png
- - src: /img/unbound-1.png
- title: pfSense Unbound Dashboard
- size: 1680x763
- type: image/png
- - src: /img/unbound-2.png
- title: pfSense Unbound Dashboard
- size: 1679x833
- type: image/png
- - src: /img/unbound-3.png
- title: pfSense Unbound Dashboard
- size: 1679x904
- type: image/png
-policy_templates:
- - name: pfsense
- title: pfSense logs
- description: Collect logs from pfSense systems
- inputs:
- - type: udp
- title: "Collect pfSense logs (input: udp)"
- description: "Collecting logs from pfSense systems (input: udp)"
- - type: tcp
- title: "Collect pfSense logs (input: tcp)"
- description: "Collecting logs from pfSense systems (input: tcp)"
-owner:
- github: elastic/security-external-integrations
diff --git a/packages/qnap_nas/1.4.1/LICENSE.txt b/packages/qnap_nas/1.4.1/LICENSE.txt
deleted file mode 100755
index 809108b857..0000000000
--- a/packages/qnap_nas/1.4.1/LICENSE.txt
+++ /dev/null
@@ -1,93 +0,0 @@
-Elastic License 2.0
-
-URL: https://www.elastic.co/licensing/elastic-license
-
-## Acceptance
-
-By using the software, you agree to all of the terms and conditions below.
-
-## Copyright License
-
-The licensor grants you a non-exclusive, royalty-free, worldwide,
-non-sublicensable, non-transferable license to use, copy, distribute, make
-available, and prepare derivative works of the software, in each case subject to
-the limitations and conditions below.
-
-## Limitations
-
-You may not provide the software to third parties as a hosted or managed
-service, where the service provides users with access to any substantial set of
-the features or functionality of the software.
-
-You may not move, change, disable, or circumvent the license key functionality
-in the software, and you may not remove or obscure any functionality in the
-software that is protected by the license key.
-
-You may not alter, remove, or obscure any licensing, copyright, or other notices
-of the licensor in the software. Any use of the licensor’s trademarks is subject
-to applicable law.
-
-## Patents
-
-The licensor grants you a license, under any patent claims the licensor can
-license, or becomes able to license, to make, have made, use, sell, offer for
-sale, import and have imported the software, in each case subject to the
-limitations and conditions in this license. This license does not cover any
-patent claims that you cause to be infringed by modifications or additions to
-the software. If you or your company make any written claim that the software
-infringes or contributes to infringement of any patent, your patent license for
-the software granted under these terms ends immediately. If your company makes
-such a claim, your patent license ends immediately for work on behalf of your
-company.
-
-## Notices
-
-You must ensure that anyone who gets a copy of any part of the software from you
-also gets a copy of these terms.
-
-If you modify the software, you must include in any modified copies of the
-software prominent notices stating that you have modified the software.
-
-## No Other Rights
-
-These terms do not imply any licenses other than those expressly granted in
-these terms.
-
-## Termination
-
-If you use the software in violation of these terms, such use is not licensed,
-and your licenses will automatically terminate. If the licensor provides you
-with a notice of your violation, and you cease all violation of this license no
-later than 30 days after you receive that notice, your licenses will be
-reinstated retroactively. However, if you violate these terms after such
-reinstatement, any additional violation of these terms will cause your licenses
-to terminate automatically and permanently.
-
-## No Liability
-
-*As far as the law allows, the software comes as is, without any warranty or
-condition, and the licensor will not be liable to you for any damages arising
-out of these terms or the use or nature of the software, under any kind of
-legal claim.*
-
-## Definitions
-
-The **licensor** is the entity offering these terms, and the **software** is the
-software the licensor makes available under these terms, including any portion
-of it.
-
-**you** refers to the individual or entity agreeing to these terms.
-
-**your company** is any legal entity, sole proprietorship, or other kind of
-organization that you work for, plus all organizations that have control over,
-are under the control of, or are under common control with that
-organization. **control** means ownership of substantially all the assets of an
-entity, or the power to direct its management and policies by vote, contract, or
-otherwise. Control can be direct or indirect.
-
-**your licenses** are all the licenses granted to you for the software under
-these terms.
-
-**use** means anything you do with the software requiring one of your licenses.
-
-**trademark** means trademarks, service marks, and similar rights.
diff --git a/packages/qnap_nas/1.4.1/changelog.yml b/packages/qnap_nas/1.4.1/changelog.yml
deleted file mode 100755
index 6bd4b57d92..0000000000
--- a/packages/qnap_nas/1.4.1/changelog.yml
+++ /dev/null
@@ -1,46 +0,0 @@
-# newer versions go on top
-- version: "1.4.1"
- changes:
- - description: Use ECS geo.location definition.
- type: enhancement
- link: https://github.com/elastic/integrations/issues/4227
-- version: "1.4.0"
- changes:
- - description: Update package to ECS 8.4.0
- type: enhancement
- link: https://github.com/elastic/integrations/pull/3869
-- version: "1.3.0"
- changes:
- - description: Update package to ECS 8.3.0.
- type: enhancement
- link: https://github.com/elastic/integrations/pull/3353
-- version: "1.2.1"
- changes:
- - description: Added link to QNAP documentation in the readme file
- type: enhancement
- link: https://github.com/elastic/integrations/pull/3155
-- version: "1.2.0"
- changes:
- - description: Update to ECS 8.2
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2780
-- version: "1.1.1"
- changes:
- - description: Add documentation for multi-fields
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2916
-- version: "1.1.0"
- changes:
- - description: Update to ECS 8.0
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2435
-- version: "1.0.1"
- changes:
- - description: Regenerate test files using the new GeoIP database
- type: bugfix
- link: https://github.com/elastic/integrations/pull/2339
-- version: "1.0.0"
- changes:
- - description: initial release
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2202
diff --git a/packages/qnap_nas/1.4.1/data_stream/log/agent/stream/tcp.yml.hbs b/packages/qnap_nas/1.4.1/data_stream/log/agent/stream/tcp.yml.hbs
deleted file mode 100755
index 9241b23255..0000000000
--- a/packages/qnap_nas/1.4.1/data_stream/log/agent/stream/tcp.yml.hbs
+++ /dev/null
@@ -1,23 +0,0 @@
-host: "{{syslog_host}}:{{syslog_port}}"
-tags:
-{{#if preserve_original_event}}
- - preserve_original_event
-{{/if}}
-{{#each tags as |tag i|}}
- - {{tag}}
-{{/each}}
-{{#contains "forwarded" tags}}
-publisher_pipeline.disable_host: true
-{{/contains}}
-{{#if ssl}}
-ssl: {{ssl}}
-{{/if}}
-processors:
-- add_locale: ~
-- add_fields:
- target: _tmp
- fields:
- tz_offset: {{tz_offset}}
-{{#if processors}}
-{{processors}}
-{{/if}}
diff --git a/packages/qnap_nas/1.4.1/data_stream/log/agent/stream/udp.yml.hbs b/packages/qnap_nas/1.4.1/data_stream/log/agent/stream/udp.yml.hbs
deleted file mode 100755
index 53b6e1b0cb..0000000000
--- a/packages/qnap_nas/1.4.1/data_stream/log/agent/stream/udp.yml.hbs
+++ /dev/null
@@ -1,20 +0,0 @@
-host: "{{syslog_host}}:{{syslog_port}}"
-tags:
-{{#if preserve_original_event}}
- - preserve_original_event
-{{/if}}
-{{#each tags as |tag i|}}
- - {{tag}}
-{{/each}}
-{{#contains "forwarded" tags}}
-publisher_pipeline.disable_host: true
-{{/contains}}
-processors:
-- add_locale: ~
-- add_fields:
- target: _tmp
- fields:
- tz_offset: {{tz_offset}}
-{{#if processors}}
-{{processors}}
-{{/if}}
diff --git a/packages/qnap_nas/1.4.1/data_stream/log/elasticsearch/ingest_pipeline/default.yml b/packages/qnap_nas/1.4.1/data_stream/log/elasticsearch/ingest_pipeline/default.yml
deleted file mode 100755
index 22f26fdc38..0000000000
--- a/packages/qnap_nas/1.4.1/data_stream/log/elasticsearch/ingest_pipeline/default.yml
+++ /dev/null
@@ -1,294 +0,0 @@
----
-description: Pipeline for parsing QNAP NAS logs
-processors:
- - set:
- field: ecs.version
- value: '8.4.0'
- - rename:
- field: message
- target_field: event.original
- - set:
- field: observer.vendor
- value: QNAP
- - set:
- field: observer.product
- value: NAS
- - set:
- field: observer.type
- value: nas
- - grok:
- field: event.original
- patterns:
- - '^(%{ECS_SYSLOG_PRI})?%{SYSLOGTIMESTAMP:_tmp.timestamp} %{NAS} %{SYSLOGPROG}: %{LOG_TYPE:event.provider}: %{GREEDYDATA:_tmp.message}'
- pattern_definitions:
- NAS: '(?:%{IP:host.ip}|%{HOSTNAME:host.name})'
- ECS_SYSLOG_PRI: '<%{NONNEGINT:log.syslog.priority:long}>'
- SYSLOGPROG: '%{PROG:process.name}(?:\[%{POSINT:process.pid:int}\])?'
- LOG_TYPE: '(event log|conn log)'
- set:
- field: event.timezone
- value: "{{_tmp.tz_offset}}"
- if: ctx._tmp?.tz_offset != null && ctx._tmp?.tz_offset != 'local'
- date:
- field: _tmp.timestamp
- target_field: '@timestamp'
- timezone: "{{ event.timezone }}"
- formats:
- - MMM d HH:mm:ss
- - MMM dd HH:mm:ss
- if: ctx.event?.timezone != null
- date:
- field: _tmp.timestamp
- target_field: '@timestamp'
- formats:
- - MMM d HH:mm:ss
- - MMM dd HH:mm:ss
- if: ctx.event?.timezone == null
- set:
- field: event.created
- copy_from: '@timestamp'
- grok:
- field: _tmp.message
- patterns:
- - '^%{SHARED}, Application: %{DATA:qnap.nas.application}, Category: %{DATA:qnap.nas.category}, Content: %{DATA:message}$'
- - '^%{SHARED}, Connection type: %{DATA:qnap.nas.connection_type}, Accessed resources: %{RESOURCE}, Action: %{DATA:event.action}$'
- pattern_definitions:
- SHARED: 'Users: %{USER:user.name}, Source IP: (127.0.0.1|%{IP:source.address}), Computer name: (---|%{HOSTNAME:source.domain})'
- RESOURCE: '(\[%{DATA:qnap.nas.application}\] )?(---|%{FILE_PATH:qnap.nas.file.path}|%{DATA:qnap.nas.application})'
- FILE_PATH: '[_%\(\)!$@:.,+~\-\s[:alnum:]]*(\/[_%\(\)!$@:.,+~\-\s[:alnum:]]*)+'
- grok:
- field: message
- patterns:
- - '^\[Shared Folders\] %{ACTION:event.action} "%{DATA:qnap.nas.file.path}"\.$'
- - '^\[User Groups\] %{ACTION:event.action} "%{DATA:group.name}"\.$'
- - '^\[Users\] %{USER_EVENTS} "%{DATA:user.target.name}"\.$'
- pattern_definitions:
- ACTION: (Created|Deleted) %{DATA}
- USER_EVENTS: (%{ACTION:event.action}|%{DATA:event.action} of user)
- ignore_failure: true
- ignore_missing: true
- convert:
- field: source.address
- target_field: source.ip
- type: ip
- ignore_missing: true
- # IP Geolocation Lookup
- geoip:
- field: source.ip
- target_field: source.geo
- ignore_missing: true
- # IP Autonomous System (AS) Lookup
- geoip:
- database_file: GeoLite2-ASN.mmdb
- field: source.ip
- target_field: source.as
- properties:
- - asn
- - organization_name
- ignore_missing: true
- rename:
- field: source.as.asn
- target_field: source.as.number
- ignore_missing: true
- rename:
- field: source.as.organization_name
- target_field: source.as.organization.name
- ignore_missing: true
- grok:
- field: qnap.nas.file.path
- patterns:
- - '%{FILE_PATH:file.path} -> %{FILE_PATH:qnap.nas.file.new_path}'
- - '%{FILE_PATH:file.path}'
- pattern_definitions:
- FILE_PATH: '[_%\(\)!$@:.,+~\-\s[:alnum:]]*(\/[_%\(\)!$@:.,+~\-\s[:alnum:]]*)*'
- ignore_failure: true
- ignore_missing: true
- grok:
- field: file.path
- patterns:
- - '\.%{DATA:file.extension}$'
- ignore_failure: true
- ignore_missing: true
- lowercase:
- field: event.action
- ignore_missing: true
- gsub:
- field: event.action
- pattern: 'the '
- replacement: ''
- ignore_missing: true
- gsub:
- field: event.action
- pattern: \s
- replacement: '-'
- ignore_missing: true
- gsub:
- field: event.provider
- pattern: \s
- replacement: '-'
- ignore_missing: true
-
- - script:
- lang: painless
- description: Add ECS categorization
- params:
- create-directory:
- category:
- - file
- type:
- - creation
- read:
- category:
- - file
- type:
- - access
- rename:
- category:
- - file
- type:
- - change
- delete:
- category:
- - file
- type:
- - deletion
- add:
- category:
- - file
- type:
- - creation
- created-shared-folder:
- category:
- - file
- type:
- - creation
- deleted-shared-folder:
- category:
- - file
- type:
- - deletion
- created-user-group:
- category:
- - iam
- type:
- - group
- - creation
- deleted-user-group:
- category:
- - iam
- type:
- - group
- - deletion
- changed-password:
- category:
- - iam
- type:
- - user
- - change
- outcome: success
- edited-account-profile:
- category:
- - iam
- type:
- - user
- - change
- outcome: success
- created-user:
- category:
- - iam
- type:
- - user
- - creation
- deleted-user:
- category:
- - iam
- type:
- - user
- - deletion
- login-fail:
- category:
- - authentication
- type:
- - info
- outcome: failure
- login-success:
- category:
- - authentication
- type:
- - start
- outcome: success
- logout:
- category:
- - authentication
- type:
- - end
- source: >-
- ctx.event.kind = 'event';
- ctx.event.type = 'info';
- if(ctx?.event?.action == null && ctx.event?.provider == 'event-log') {
- if(ctx.event?.category == null) {
- List list = new ArrayList();
- ctx.event.put("category", list);
- }
- ctx.event.category.add('configuration');
- ctx.event.type = 'change';
- } else if (ctx?.event?.action == null) {
- return;
- }
- if (params.get(ctx.event.action) == null) {
- return;
- }
- def hm = new HashMap(params.get(ctx.event.action));
- hm.forEach((k, v) -> ctx.event[k] = v);
- - append:
- if: ctx.source?.ip != null
- field: related.ip
- value: '{{source.ip}}'
- allow_duplicates: false
- - append:
- if: ctx.source?.domain != null
- field: related.hosts
- value: '{{source.domain}}'
- allow_duplicates: false
- - append:
- if: ctx.user?.name != null
- field: related.user
- value: '{{user.name}}'
- allow_duplicates: false
- - remove:
- field:
- - _tmp
- ignore_missing: true
- - script:
- lang: painless
- description: This script processor iterates over the whole document to remove fields with null values.
- source: |
- void handleMap(Map map) {
- for (def x : map.values()) {
- if (x instanceof Map) {
- handleMap(x);
- } else if (x instanceof List) {
- handleList(x);
- }
- }
- map.values().removeIf(v -> v == null || v == "---");
- }
- void handleList(List list) {
- for (def x : list) {
- if (x instanceof Map) {
- handleMap(x);
- } else if (x instanceof List) {
- handleList(x);
- }
- }
- }
- handleMap(ctx);
- - remove:
- field: event.original
- if: "ctx.tags == null || !(ctx.tags.contains('preserve_original_event'))"
- ignore_failure: true
- ignore_missing: true
-on_failure:
- - set:
- field: error.message
- value: '{{ _ingest.on_failure_message }}'
diff --git a/packages/qnap_nas/1.4.1/data_stream/log/fields/base-fields.yml b/packages/qnap_nas/1.4.1/data_stream/log/fields/base-fields.yml
deleted file mode 100755
index b1f340837b..0000000000
--- a/packages/qnap_nas/1.4.1/data_stream/log/fields/base-fields.yml
+++ /dev/null
@@ -1,20 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: event.module
- type: constant_keyword
- description: Event module
- value: qnap_nas
-- name: event.dataset
- type: constant_keyword
- description: Event dataset
- value: qnap_nas.log
-- name: '@timestamp'
- type: date
- description: Event timestamp.
diff --git a/packages/qnap_nas/1.4.1/data_stream/log/fields/beats.yml b/packages/qnap_nas/1.4.1/data_stream/log/fields/beats.yml
deleted file mode 100755
index 9275638f93..0000000000
--- a/packages/qnap_nas/1.4.1/data_stream/log/fields/beats.yml
+++ /dev/null
@@ -1,15 +0,0 @@
-- name: input.type
- type: keyword
- description: Type of Filebeat input.
-- name: log.flags
- type: keyword
- description: Flags for the log file.
-- name: log.offset
- type: long
- description: Offset of the entry in the log file.
-- name: log.file.path
- type: keyword
- description: Path to the log file.
-- name: log.source.address
- type: keyword
- description: Source address from which the log event was read / sent from.
diff --git a/packages/qnap_nas/1.4.1/data_stream/log/fields/ecs.yml b/packages/qnap_nas/1.4.1/data_stream/log/fields/ecs.yml
deleted file mode 100755
index 5801e87123..0000000000
--- a/packages/qnap_nas/1.4.1/data_stream/log/fields/ecs.yml
+++ /dev/null
@@ -1,158 +0,0 @@ -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: Error message. - name: error.message - type: match_only_text -- description: |- - The action captured by the event. - This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. - name: event.action - type: keyword -- description: |- - Timestamp when an event arrived in the central data store. - This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. - In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. - name: event.ingested - type: date -- description: |- - Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. - This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. - doc_values: false - index: false - name: event.original - type: keyword -- description: |- - This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. - Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. 
"EST") or an HH:mm differential (e.g. "-05:00"). - name: event.timezone - type: keyword -- description: |- - Name of the host. - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. - name: host.name - type: keyword -- description: |- - Syslog numeric priority of the event, if available. - According to RFCs 5424 and 3164, the priority is 8 * facility + severity. This number is therefore expected to contain a value between 0 and 191. - name: log.syslog.priority - type: long -- description: |- - Process name. - Sometimes called program name or similar. - multi_fields: - - name: text - type: match_only_text - name: process.name - type: keyword -- description: Process id. - name: process.pid - type: long -- description: All of the IPs seen on your event. - name: related.ip - normalize: - - array - type: ip -- description: All the user names or other user identifiers seen on the event. - name: related.user - normalize: - - array - type: keyword -- description: All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. - name: related.hosts - normalize: - - array - type: keyword -- description: |- - Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: source.address - type: keyword -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: source.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: source.as.organization.name - type: keyword -- description: City name. 
- name: source.geo.city_name - type: keyword -- description: Name of the continent. - name: source.geo.continent_name - type: keyword -- description: Country ISO code. - name: source.geo.country_iso_code - type: keyword -- description: Country name. - name: source.geo.country_name - type: keyword -- description: Longitude and latitude. - name: source.geo.location - type: geo_point -- description: Region ISO code. - name: source.geo.region_iso_code - type: keyword -- description: Region name. - name: source.geo.region_name - type: keyword -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: |- - The domain name of the source system. - This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. - name: source.domain - type: keyword -- description: List of keywords used to tag each event. - name: tags - normalize: - - array - type: keyword -- description: Short name or login of the user. - multi_fields: - - name: text - type: match_only_text - name: user.name - type: keyword -- description: Short name or login of the user. - multi_fields: - - name: text - type: match_only_text - name: user.target.name - type: keyword -- description: Name of the group. - name: group.name - type: keyword -- description: Vendor name of the observer. - name: observer.vendor - type: keyword -- description: |- - The type of the observer the data is coming from. - There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. - name: observer.type - type: keyword -- description: The product name of the observer. - name: observer.product - type: keyword -- description: Full path to the file, including the file name. It should include the drive letter, when appropriate. 
- multi_fields: - - name: text - type: match_only_text - name: file.path - type: keyword -- description: |- - File extension, excluding the leading dot. - Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). - name: file.extension - type: keyword -- description: |- - For log events the message field contains the log message, optimized for viewing in a log viewer. - For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. - If multiple messages exist, they can be combined into one message. - name: message - type: match_only_text diff --git a/packages/qnap_nas/1.4.1/data_stream/log/fields/fields.yml b/packages/qnap_nas/1.4.1/data_stream/log/fields/fields.yml deleted file mode 100755 index 23729a536e..0000000000 --- a/packages/qnap_nas/1.4.1/data_stream/log/fields/fields.yml +++ /dev/null @@ -1,18 +0,0 @@ -- name: qnap.nas - type: group - fields: - - name: file.path - type: keyword - description: Path of accessed resource - - name: file.new_path - type: keyword - description: Renamed/Moved path of accessed resource - - name: connection_type - type: keyword - description: Connection type (ex. Samba) - - name: application - type: keyword - description: QNAP application that generated the event - - name: category - type: keyword - description: Sub-component of the QNAP application that generated the event diff --git a/packages/qnap_nas/1.4.1/data_stream/log/manifest.yml b/packages/qnap_nas/1.4.1/data_stream/log/manifest.yml deleted file mode 100755 index 81a6c1fd29..0000000000 --- a/packages/qnap_nas/1.4.1/data_stream/log/manifest.yml +++ /dev/null 
@@ -1,119 +0,0 @@ -type: logs -title: QNAP NAS logs -streams: - - input: tcp - enabled: true - template_path: tcp.yml.hbs - title: QNAP NAS logs (TCP) - description: Collect QNAP NAS logs using TCP input - vars: - - name: syslog_host - type: text - title: Syslog Host - multi: false - required: true - show_user: true - default: localhost - - name: syslog_port - type: integer - title: Syslog Port - multi: false - required: true - show_user: true - default: 9301 - - name: tz_offset - type: text - title: Timezone Offset - multi: false - required: true - show_user: true - default: local - description: >- - By default, datetimes in the logs will be interpreted as relative to the timezone configured in the host where the agent is running. If ingesting logs from a host on a different timezone, use this field to set the timezone offset so that datetimes are correctly parsed. Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00") from UCT. - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: false - default: - - qnap-nas - - forwarded - - name: ssl - type: yaml - title: TLS configuration - multi: false - required: false - show_user: true - description: Options for enabling TLS mode. See the [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/configuration-ssl.html) for a list of all options. - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original` - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: > - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. 
See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. - - - input: udp - enabled: false - template_path: udp.yml.hbs - title: QNAP NAS logs (UDP) - description: Collect QNAP NAS logs using UDP input - vars: - - name: syslog_host - type: text - title: Syslog Host - multi: false - required: true - show_user: true - default: localhost - - name: syslog_port - type: integer - title: Syslog Port - multi: false - required: true - show_user: true - default: 9301 - - name: tz_offset - type: text - title: Timezone Offset - multi: false - required: true - show_user: true - default: local - description: >- - By default, datetimes in the logs will be interpreted as relative to the timezone configured in the host where the agent is running. If ingesting logs from a host on a different timezone, use this field to set the timezone offset so that datetimes are correctly parsed. Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00") from UCT. - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: false - default: - - qnap-nas - - forwarded - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original` - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: >- - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. 
diff --git a/packages/qnap_nas/1.4.1/data_stream/log/sample_event.json b/packages/qnap_nas/1.4.1/data_stream/log/sample_event.json
deleted file mode 100755
index 0dee7e02aa..0000000000
--- a/packages/qnap_nas/1.4.1/data_stream/log/sample_event.json
+++ /dev/null
@@ -1,96 +0,0 @@
-{
- "@timestamp": "2022-10-30T20:24:24.000Z",
- "agent": {
- "ephemeral_id": "b6db294f-f5fd-4570-9d9c-cd0a74001651",
- "id": "b1d83907-ff3e-464a-b79a-cf843f6f0bba",
- "name": "docker-fleet-agent",
- "type": "filebeat",
- "version": "8.0.0-beta1"
- },
- "data_stream": {
- "dataset": "qnap_nas.log",
- "namespace": "ep",
- "type": "logs"
- },
- "ecs": {
- "version": "8.3.0"
- },
- "elastic_agent": {
- "id": "b1d83907-ff3e-464a-b79a-cf843f6f0bba",
- "snapshot": false,
- "version": "8.0.0-beta1"
- },
- "event": {
- "action": "create-directory",
- "agent_id_status": "verified",
- "category": [
- "file"
- ],
- "created": "2022-10-30T20:24:24.000Z",
- "dataset": "qnap_nas.log",
- "ingested": "2022-01-02T09:51:24Z",
- "kind": "event",
- "provider": "conn-log",
- "timezone": "+00:00",
- "type": [
- "creation"
- ]
- },
- "file": {
- "path": "path/to/files/New folder"
- },
- "host": {
- "name": "qnap-nas01"
- },
- "input": {
- "type": "udp"
- },
- "log": {
- "source": {
- "address": "172.18.0.7:46086"
- },
- "syslog": {
- "priority": 30
- }
- },
- "observer": {
- "product": "NAS",
- "type": "nas",
- "vendor": "QNAP"
- },
- "process": {
- "name": "qulogd",
- "pid": 14629
- },
- "qnap": {
- "nas": {
- "connection_type": "Samba",
- "file": {
- "path": "path/to/files/New folder"
- }
- }
- },
- "related": {
- "hosts": [
- "user-laptop"
- ],
- "ip": [
- "10.50.36.33"
- ],
- "user": [
- "admin.user"
- ]
- },
- "source": {
- "address": "10.50.36.33",
- "domain": "user-laptop",
- "ip": "10.50.36.33"
- },
- "tags": [
- "qnap-nas",
- "forwarded"
- ],
- "user": {
- "name": "admin.user"
- }
-}
\ No newline at end of file
diff --git a/packages/qnap_nas/1.4.1/docs/README.md b/packages/qnap_nas/1.4.1/docs/README.md
deleted file mode 100755
index 7ad02668a5..0000000000
--- a/packages/qnap_nas/1.4.1/docs/README.md
+++ /dev/null
@@ -1,174 +0,0 @@ -# QNAP NAS - -The QNAP NAS integration collects Event and Access logs from [QNAP NAS](https://docs.qnap.com/nas-outdated/4.1/SMB/en/index.html?system_logs.htm) devices. - -## Log - -The `log` dataset receives QNAP NAS Event and Access logs over the syslog protocol. This has been tested with QTS 4.5.4 but is expected to work with new versions. This integration is only compatible with the "Send to Syslog Server" option which uses the RFC-3164 syslog format. Both Event and Access events are supported. All protocols; UDP, TCP, TLS are supported. - -### Example event - -An example event for `log` looks as following: - -```json -{ - "@timestamp": "2022-10-30T20:24:24.000Z", - "agent": { - "ephemeral_id": "b6db294f-f5fd-4570-9d9c-cd0a74001651", - "id": "b1d83907-ff3e-464a-b79a-cf843f6f0bba", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "8.0.0-beta1" - }, - "data_stream": { - "dataset": "qnap_nas.log", - "namespace": "ep", - "type": "logs" - }, - "ecs": { - "version": "8.3.0" - }, - "elastic_agent": { - "id": "b1d83907-ff3e-464a-b79a-cf843f6f0bba", - "snapshot": false, - "version": "8.0.0-beta1" - }, - "event": { - "action": "create-directory", - "agent_id_status": "verified", - "category": [ - "file" - ], - "created": "2022-10-30T20:24:24.000Z", - "dataset": "qnap_nas.log", - "ingested": "2022-01-02T09:51:24Z", - "kind": "event", - "provider": "conn-log", - "timezone": "+00:00", - "type": [ - "creation" - ] - }, - "file": { - "path": "path/to/files/New folder" - }, - "host": { - "name": "qnap-nas01" - }, - "input": { - "type": "udp" - }, - "log": { - "source": { - "address": "172.18.0.7:46086" - }, - "syslog": { - "priority": 30 - } - }, - "observer": { - "product": "NAS", - "type": "nas", - "vendor": "QNAP" - }, - "process": { - "name": "qulogd", - "pid": 14629 - }, - "qnap": { - "nas": { - "connection_type": "Samba", - "file": { - "path": "path/to/files/New folder" - } - } - }, - "related": { - "hosts": [ - "user-laptop" - ], - 
"ip": [ - "10.50.36.33" - ], - "user": [ - "admin.user" - ] - }, - "source": { - "address": "10.50.36.33", - "domain": "user-laptop", - "ip": "10.50.36.33" - }, - "tags": [ - "qnap-nas", - "forwarded" - ], - "user": { - "name": "admin.user" - } -} -``` - -**Exported fields** - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| error.message | Error message. | match_only_text | -| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword | -| event.dataset | Event dataset | constant_keyword | -| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | -| event.module | Event module | constant_keyword | -| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. 
It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | -| event.timezone | This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). | keyword | -| file.extension | File extension, excluding the leading dot. Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword | -| file.path | Full path to the file, including the file name. It should include the drive letter, when appropriate. | keyword | -| file.path.text | Multi-field of `file.path`. | match_only_text | -| group.name | Name of the group. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| input.type | Type of Filebeat input. | keyword | -| log.file.path | Path to the log file. | keyword | -| log.flags | Flags for the log file. | keyword | -| log.offset | Offset of the entry in the log file. | long | -| log.source.address | Source address from which the log event was read / sent from. | keyword | -| log.syslog.priority | Syslog numeric priority of the event, if available. According to RFCs 5424 and 3164, the priority is 8 \* facility + severity. This number is therefore expected to contain a value between 0 and 191. | long | -| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. 
If multiple messages exist, they can be combined into one message. | match_only_text | -| observer.product | The product name of the observer. | keyword | -| observer.type | The type of the observer the data is coming from. There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. | keyword | -| observer.vendor | Vendor name of the observer. | keyword | -| process.name | Process name. Sometimes called program name or similar. | keyword | -| process.name.text | Multi-field of `process.name`. | match_only_text | -| process.pid | Process id. | long | -| qnap.nas.application | QNAP application that generated the event | keyword | -| qnap.nas.category | Sub-component of the QNAP application that generated the event | keyword | -| qnap.nas.connection_type | Connection type (ex. Samba) | keyword | -| qnap.nas.file.new_path | Renamed/Moved path of accessed resource | keyword | -| qnap.nas.file.path | Path of accessed resource | keyword | -| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| related.user | All the user names or other user identifiers seen on the event. | keyword | -| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| source.as.organization.name | Organization name. | keyword | -| source.as.organization.name.text | Multi-field of `source.as.organization.name`. 
| match_only_text | -| source.domain | The domain name of the source system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | -| source.geo.city_name | City name. | keyword | -| source.geo.continent_name | Name of the continent. | keyword | -| source.geo.country_iso_code | Country ISO code. | keyword | -| source.geo.country_name | Country name. | keyword | -| source.geo.location | Longitude and latitude. | geo_point | -| source.geo.region_iso_code | Region ISO code. | keyword | -| source.geo.region_name | Region name. | keyword | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| tags | List of keywords used to tag each event. | keyword | -| user.name | Short name or login of the user. | keyword | -| user.name.text | Multi-field of `user.name`. | match_only_text | -| user.target.name | Short name or login of the user. | keyword | -| user.target.name.text | Multi-field of `user.target.name`. | match_only_text | - diff --git a/packages/qnap_nas/1.4.1/img/logo.svg b/packages/qnap_nas/1.4.1/img/logo.svg deleted file mode 100755 index 8f7fb87bd5..0000000000 --- a/packages/qnap_nas/1.4.1/img/logo.svg +++ /dev/null @@ -1,36 +0,0 @@ - - - - - - - - - - - - - - - - - - - - diff --git a/packages/qnap_nas/1.4.1/kibana/dashboard/qnap_nas-32e28700-4b0c-11ec-b2cc-b9a3cc301b75.json b/packages/qnap_nas/1.4.1/kibana/dashboard/qnap_nas-32e28700-4b0c-11ec-b2cc-b9a3cc301b75.json deleted file mode 100755 index cb6ffb29f8..0000000000 --- a/packages/qnap_nas/1.4.1/kibana/dashboard/qnap_nas-32e28700-4b0c-11ec-b2cc-b9a3cc301b75.json +++ /dev/null 
@@ -1,47 +0,0 @@ -{ - "attributes": { - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":true},\"gridData\":{\"h\":7,\"i\":\"08e193f5-7994-4a34-8572-62dd8fb527fd\",\"w\":48,\"x\":0,\"y\":0},\"panelIndex\":\"08e193f5-7994-4a34-8572-62dd8fb527fd\",\"panelRefName\":\"panel_08e193f5-7994-4a34-8572-62dd8fb527fd\",\"type\":\"visualization\",\"version\":\"7.16.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"legendOpen\":false}},\"gridData\":{\"h\":18,\"i\":\"41e893ff-a7e2-4146-af96-35cd7fc9b5b9\",\"w\":17,\"x\":0,\"y\":7},\"panelIndex\":\"41e893ff-a7e2-4146-af96-35cd7fc9b5b9\",\"panelRefName\":\"panel_41e893ff-a7e2-4146-af96-35cd7fc9b5b9\",\"type\":\"visualization\",\"version\":\"7.16.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":18,\"i\":\"3bef5ad2-ec7d-4cd0-b8af-255533d30f62\",\"w\":15,\"x\":17,\"y\":7},\"panelIndex\":\"3bef5ad2-ec7d-4cd0-b8af-255533d30f62\",\"panelRefName\":\"panel_3bef5ad2-ec7d-4cd0-b8af-255533d30f62\",\"type\":\"visualization\",\"version\":\"7.16.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{},\"table\":null,\"vis\":{\"params\":{\"colWidth\":[{\"colIndex\":1,\"width\":168.5},{\"colIndex\":0,\"width\":464.5}]}}},\"gridData\":{\"h\":18,\"i\":\"20d36c90-71af-4062-94da-0374c871667e\",\"w\":16,\"x\":32,\"y\":7},\"panelIndex\":\"20d36c90-71af-4062-94da-0374c871667e\",\"panelRefName\":\"panel_20d36c90-71af-4062-94da-0374c871667e\",\"type\":\"visualization\",\"version\":\"7.16.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":17,\"i\":\"e0abcb09-b900-4d29-9146-02ab3aca914e\",\"w\":48,\"x\":0,\"y\":25},\"panelIndex\":\"e0abcb09-b900-4d29-9146-02ab3aca914e\",\"panelRefName\":\"panel_e0abcb09-b900-4d29-
9146-02ab3aca914e\",\"type\":\"visualization\",\"version\":\"7.16.0-SNAPSHOT\"}]",
- "timeRestore": false,
- "title": "[QNAP NAS] Access Logs",
- "version": 1
- },
- "coreMigrationVersion": "7.16.0",
- "id": "qnap_nas-32e28700-4b0c-11ec-b2cc-b9a3cc301b75",
- "migrationVersion": {
- "dashboard": "7.16.0"
- },
- "references": [
- {
- "id": "qnap_nas-47e207a0-4b13-11ec-b2cc-b9a3cc301b75",
- "name": "08e193f5-7994-4a34-8572-62dd8fb527fd:panel_08e193f5-7994-4a34-8572-62dd8fb527fd",
- "type": "visualization"
- },
- {
- "id": "qnap_nas-ae17aa40-4b0c-11ec-b2cc-b9a3cc301b75",
- "name": "41e893ff-a7e2-4146-af96-35cd7fc9b5b9:panel_41e893ff-a7e2-4146-af96-35cd7fc9b5b9",
- "type": "visualization"
- },
- {
- "id": "qnap_nas-05c7ac80-4b0e-11ec-b2cc-b9a3cc301b75",
- "name": "3bef5ad2-ec7d-4cd0-b8af-255533d30f62:panel_3bef5ad2-ec7d-4cd0-b8af-255533d30f62",
- "type": "visualization"
- },
- {
- "id": "qnap_nas-d315c4c0-4b0d-11ec-b2cc-b9a3cc301b75",
- "name": "20d36c90-71af-4062-94da-0374c871667e:panel_20d36c90-71af-4062-94da-0374c871667e",
- "type": "visualization"
- },
- {
- "id": "qnap_nas-6cc17ac0-4b0d-11ec-b2cc-b9a3cc301b75",
- "name": "e0abcb09-b900-4d29-9146-02ab3aca914e:panel_e0abcb09-b900-4d29-9146-02ab3aca914e",
- "type": "visualization"
- }
- ],
- "type": "dashboard"
-}
\ No newline at end of file
diff --git a/packages/qnap_nas/1.4.1/kibana/search/qnap_nas-50acdec0-4b0c-11ec-b2cc-b9a3cc301b75.json b/packages/qnap_nas/1.4.1/kibana/search/qnap_nas-50acdec0-4b0c-11ec-b2cc-b9a3cc301b75.json
deleted file mode 100755
index bdf45511e0..0000000000
--- a/packages/qnap_nas/1.4.1/kibana/search/qnap_nas-50acdec0-4b0c-11ec-b2cc-b9a3cc301b75.json
+++ /dev/null
@@ -1,36 +0,0 @@
-{
- "attributes": {
- "columns": [],
- "description": "",
- "grid": {},
- "hideChart": false,
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.dataset\",\"negate\":false,\"params\":{\"query\":\"qnap_nas.log\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"event.dataset\":\"qnap_nas.log\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}"
- },
- "sort": [
- [
- "@timestamp",
- "desc"
- ]
- ],
- "title": "Discover [QNAP NAS]"
- },
- "coreMigrationVersion": "7.16.0",
- "id": "qnap_nas-50acdec0-4b0c-11ec-b2cc-b9a3cc301b75",
- "migrationVersion": {
- "search": "7.9.3"
- },
- "references": [
- {
- "id": "logs-*",
- "name": "kibanaSavedObjectMeta.searchSourceJSON.index",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
- "type": "index-pattern"
- }
- ],
- "type": "search"
-}
\ No newline at end of file
diff --git a/packages/qnap_nas/1.4.1/kibana/visualization/qnap_nas-05c7ac80-4b0e-11ec-b2cc-b9a3cc301b75.json b/packages/qnap_nas/1.4.1/kibana/visualization/qnap_nas-05c7ac80-4b0e-11ec-b2cc-b9a3cc301b75.json
deleted file mode 100755
index 39a1ee9bde..0000000000
--- a/packages/qnap_nas/1.4.1/kibana/visualization/qnap_nas-05c7ac80-4b0e-11ec-b2cc-b9a3cc301b75.json
+++ /dev/null
@@ -1,26 +0,0 @@
-{
- "attributes": {
- "description": "",
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}"
- },
- "savedSearchRefName": "search_0",
- "title": "Connection Types [QNAP NAS]",
- "uiStateJSON": "{\"vis\":{\"legendOpen\":false}}",
- "version": 1,
- "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"qnap.nas.connection_type\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":false,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"Connection Types [QNAP NAS]\",\"type\":\"pie\"}"
- },
- "coreMigrationVersion": "7.16.0",
- "id": "qnap_nas-05c7ac80-4b0e-11ec-b2cc-b9a3cc301b75",
- "migrationVersion": {
- "visualization": "7.14.0"
- },
- "references": [
- {
- "id": "qnap_nas-50acdec0-4b0c-11ec-b2cc-b9a3cc301b75",
- "name": "search_0",
- "type": "search"
- }
- ],
- "type": "visualization"
-}
\ No newline at end of file
diff --git a/packages/qnap_nas/1.4.1/kibana/visualization/qnap_nas-47e207a0-4b13-11ec-b2cc-b9a3cc301b75.json b/packages/qnap_nas/1.4.1/kibana/visualization/qnap_nas-47e207a0-4b13-11ec-b2cc-b9a3cc301b75.json
deleted file mode 100755
index 604b6c25b3..0000000000
--- a/packages/qnap_nas/1.4.1/kibana/visualization/qnap_nas-47e207a0-4b13-11ec-b2cc-b9a3cc301b75.json
+++ /dev/null
@@ -1,45 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"qnap_nas.log\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"qnap_nas.log\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Controls [QNAP NAS]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"controls\":[{\"fieldName\":\"source.ip\",\"id\":\"1637528635830\",\"indexPatternRefName\":\"control_0_index_pattern\",\"label\":\"Source IP\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"},{\"fieldName\":\"host.name\",\"id\":\"1637528676545\",\"indexPatternRefName\":\"control_1_index_pattern\",\"label\":\"NAS Hostname\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"},{\"fieldName\":\"user.name\",\"id\":\"1637528892452\",\"indexPatternRefName\":\"control_2_index_pattern\",\"label\":\"User\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"},{\"fieldName\":\"qnap.nas.connection_type\",\"id\":\"1637530638172\",\"indexPatternRefName\":\"control_3_index_pattern\",\"label\":\"Connection Type\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"}],\"pinFilters\":false,\"updateFiltersOnChange\":false,\"useTimeFilter\":false},\"title\":\"Controls [QNAP NAS]\",\"type\":\"input_control_vis\"}" - }, - "coreMigrationVersion": "7.16.0", - "id": 
"qnap_nas-47e207a0-4b13-11ec-b2cc-b9a3cc301b75",
- "migrationVersion": {
- "visualization": "7.14.0"
- },
- "references": [
- {
- "id": "logs-*",
- "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "control_0_index_pattern",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "control_1_index_pattern",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "control_2_index_pattern",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "control_3_index_pattern",
- "type": "index-pattern"
- }
- ],
- "type": "visualization"
-}
\ No newline at end of file
diff --git a/packages/qnap_nas/1.4.1/kibana/visualization/qnap_nas-6cc17ac0-4b0d-11ec-b2cc-b9a3cc301b75.json b/packages/qnap_nas/1.4.1/kibana/visualization/qnap_nas-6cc17ac0-4b0d-11ec-b2cc-b9a3cc301b75.json
deleted file mode 100755
index 774e1f6329..0000000000
--- a/packages/qnap_nas/1.4.1/kibana/visualization/qnap_nas-6cc17ac0-4b0d-11ec-b2cc-b9a3cc301b75.json
+++ /dev/null
@@ -1,31 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.provider\",\"negate\":false,\"params\":{\"query\":\"conn-log\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"event.provider\":\"conn-log\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Event Actions over Time", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"scaleMetricValues\":false,\"timeRange\":{\"from\":\"now-1y/d\",\"to\":\"now\"},\"useNormalizedEsInterval\":true,\"used_interval\":\"1w\"},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"event.action\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"labels\":{\"show\":false},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"radiusRatio\":0,\"seriesParams\":[{\"circlesRadius\":3,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":
\"linear\",\"lineWidth\":2,\"mode\":\"stacked\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"truncateLegend\":true,\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"\"},\"type\":\"value\"}]},\"title\":\"Event Actions over TIme\",\"type\":\"histogram\"}"
- },
- "coreMigrationVersion": "7.16.0",
- "id": "qnap_nas-6cc17ac0-4b0d-11ec-b2cc-b9a3cc301b75",
- "migrationVersion": {
- "visualization": "7.14.0"
- },
- "references": [
- {
- "id": "logs-*",
- "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
- "type": "index-pattern"
- },
- {
- "id": "qnap_nas-50acdec0-4b0c-11ec-b2cc-b9a3cc301b75",
- "name": "search_0",
- "type": "search"
- }
- ],
- "type": "visualization"
-}
\ No newline at end of file
diff --git a/packages/qnap_nas/1.4.1/kibana/visualization/qnap_nas-ae17aa40-4b0c-11ec-b2cc-b9a3cc301b75.json b/packages/qnap_nas/1.4.1/kibana/visualization/qnap_nas-ae17aa40-4b0c-11ec-b2cc-b9a3cc301b75.json
deleted file mode 100755
index 9c8c81a1ea..0000000000
--- a/packages/qnap_nas/1.4.1/kibana/visualization/qnap_nas-ae17aa40-4b0c-11ec-b2cc-b9a3cc301b75.json
+++ /dev/null
@@ -1,31 +0,0 @@
-{
- "attributes": {
- "description": "",
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.category\",\"negate\":false,\"params\":{\"query\":\"file\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"event.category\":\"file\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}"
- },
- "savedSearchRefName": "search_0",
- "title": "File Actions [QNAP NAS]",
- "uiStateJSON": "{}",
- "version": 1,
- "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"event.action\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":false,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"File Actions [QNAP NAS]\",\"type\":\"pie\"}"
- },
- "coreMigrationVersion": "7.16.0",
- "id": "qnap_nas-ae17aa40-4b0c-11ec-b2cc-b9a3cc301b75",
- "migrationVersion": {
- "visualization": "7.14.0"
- },
- "references": [
- {
- "id": "logs-*",
- "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
- "type": "index-pattern"
- },
- {
- "id": "qnap_nas-50acdec0-4b0c-11ec-b2cc-b9a3cc301b75",
- "name": "search_0",
- "type": "search"
- }
- ],
- "type": "visualization"
-}
\ No newline at end of file
diff --git a/packages/qnap_nas/1.4.1/kibana/visualization/qnap_nas-d315c4c0-4b0d-11ec-b2cc-b9a3cc301b75.json b/packages/qnap_nas/1.4.1/kibana/visualization/qnap_nas-d315c4c0-4b0d-11ec-b2cc-b9a3cc301b75.json
deleted file mode 100755
index ec9de93ff2..0000000000
--- a/packages/qnap_nas/1.4.1/kibana/visualization/qnap_nas-d315c4c0-4b0d-11ec-b2cc-b9a3cc301b75.json
+++ /dev/null
@@ -1,31 +0,0 @@
-{
- "attributes": {
- "description": "",
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.provider\",\"negate\":false,\"params\":{\"query\":\"conn-log\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"event.provider\":\"conn-log\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}"
- },
- "savedSearchRefName": "search_0",
- "title": "Top Accessed Files [QNAP NAS]",
- "uiStateJSON": "{}",
- "version": 1,
- "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"file.path\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":20},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"Top Accessed Files [QNAP NAS]\",\"type\":\"table\"}"
- },
- "coreMigrationVersion": "7.16.0",
- "id": "qnap_nas-d315c4c0-4b0d-11ec-b2cc-b9a3cc301b75",
- "migrationVersion": {
- "visualization": "7.14.0"
- },
- "references": [
- {
- "id": "logs-*",
- "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
- "type": "index-pattern"
- },
- {
- "id": "qnap_nas-50acdec0-4b0c-11ec-b2cc-b9a3cc301b75",
- "name": "search_0",
- "type": "search"
- }
- ],
- "type": "visualization"
-}
\ No newline at end of file
diff --git a/packages/qnap_nas/1.4.1/manifest.yml b/packages/qnap_nas/1.4.1/manifest.yml
deleted file mode 100755
index 7d02ba2d5f..0000000000
--- a/packages/qnap_nas/1.4.1/manifest.yml
+++ /dev/null
@@ -1,29 +0,0 @@
-name: qnap_nas
-title: QNAP NAS
-version: "1.4.1"
-release: ga
-description: Collect logs from QNAP NAS devices with Elastic Agent.
-type: integration
-format_version: 1.0.0
-license: basic
-categories: ["security"]
-conditions:
- kibana.version: "^7.16.0 || ^8.0.0"
-icons:
- - src: /img/logo.svg
- title: QNAP logo
- size: 643x121
- type: image/svg+xml
-policy_templates:
- - name: qnap
- title: QNAP NAS Event & Access logs
- description: Collect logs from QNAP NAS
- inputs:
- - type: tcp
- title: 'Collect logs from QNAP NAS via TCP'
- description: 'Collecting logs from QNAP NAS via TCP'
- - type: udp
- title: 'Collect logs from QNAP NAS via UDP'
- description: 'Collecting logs from QNAP NAS via UDP'
-owner:
- github: elastic/security-external-integrations
diff --git a/packages/sentinel_one/1.2.2/LICENSE.txt b/packages/sentinel_one/1.2.2/LICENSE.txt
deleted file mode 100755
index 809108b857..0000000000
--- a/packages/sentinel_one/1.2.2/LICENSE.txt
+++ /dev/null
@@ -1,93 +0,0 @@ -Elastic License 2.0 - -URL: https://www.elastic.co/licensing/elastic-license - -## Acceptance - -By using the software, you agree to all of the terms and conditions below. - -## Copyright License - -The licensor grants you a non-exclusive, royalty-free, worldwide, -non-sublicensable, non-transferable license to use, copy, distribute, make -available, and prepare derivative works of the software, in each case subject to -the limitations and conditions below. - -## Limitations - -You may not provide the software to third parties as a hosted or managed -service, where the service provides users with access to any substantial set of -the features or functionality of the software. - -You may not move, change, disable, or circumvent the license key functionality -in the software, and you may not remove or obscure any functionality in the -software that is protected by the license key. - -You may not alter, remove, or obscure any licensing, copyright, or other notices -of the licensor in the software. Any use of the licensor’s trademarks is subject -to applicable law. - -## Patents - -The licensor grants you a license, under any patent claims the licensor can -license, or becomes able to license, to make, have made, use, sell, offer for -sale, import and have imported the software, in each case subject to the -limitations and conditions in this license. This license does not cover any -patent claims that you cause to be infringed by modifications or additions to -the software. If you or your company make any written claim that the software -infringes or contributes to infringement of any patent, your patent license for -the software granted under these terms ends immediately. If your company makes -such a claim, your patent license ends immediately for work on behalf of your -company. - -## Notices - -You must ensure that anyone who gets a copy of any part of the software from you -also gets a copy of these terms. 
- -If you modify the software, you must include in any modified copies of the -software prominent notices stating that you have modified the software. - -## No Other Rights - -These terms do not imply any licenses other than those expressly granted in -these terms. - -## Termination - -If you use the software in violation of these terms, such use is not licensed, -and your licenses will automatically terminate. If the licensor provides you -with a notice of your violation, and you cease all violation of this license no -later than 30 days after you receive that notice, your licenses will be -reinstated retroactively. However, if you violate these terms after such -reinstatement, any additional violation of these terms will cause your licenses -to terminate automatically and permanently. - -## No Liability - -*As far as the law allows, the software comes as is, without any warranty or -condition, and the licensor will not be liable to you for any damages arising -out of these terms or the use or nature of the software, under any kind of -legal claim.* - -## Definitions - -The **licensor** is the entity offering these terms, and the **software** is the -software the licensor makes available under these terms, including any portion -of it. - -**you** refers to the individual or entity agreeing to these terms. - -**your company** is any legal entity, sole proprietorship, or other kind of -organization that you work for, plus all organizations that have control over, -are under the control of, or are under common control with that -organization. **control** means ownership of substantially all the assets of an -entity, or the power to direct its management and policies by vote, contract, or -otherwise. Control can be direct or indirect. - -**your licenses** are all the licenses granted to you for the software under -these terms. - -**use** means anything you do with the software requiring one of your licenses. 
-
-**trademark** means trademarks, service marks, and similar rights.
diff --git a/packages/sentinel_one/1.2.2/changelog.yml b/packages/sentinel_one/1.2.2/changelog.yml
deleted file mode 100755
index d493f57114..0000000000
--- a/packages/sentinel_one/1.2.2/changelog.yml
+++ /dev/null
@@ -1,41 +0,0 @@
-# newer versions go on top
-- version: "1.2.2"
- changes:
- - description: Ensure stability of related.hash array ordering.
- type: bugfix
- link: https://github.com/elastic/integrations/issues/4296
-- version: "1.2.1"
- changes:
- - description: Enrich the event.category, event.type, event.kind and event.outcome field based on activity.
- type: bugfix
- link: https://github.com/elastic/integrations/pull/3787
-- version: "1.2.0"
- changes:
- - description: Set event.kind to alert for Sentinel One Threats.
- type: enhancement
- link: https://github.com/elastic/integrations/pull/3669
-- version: "1.1.0"
- changes:
- - description: Update package to ECS 8.4.0
- type: enhancement
- link: https://github.com/elastic/integrations/pull/3910
-- version: "1.0.0"
- changes:
- - description: Make GA
- type: enhancement
- link: https://github.com/elastic/integrations/pull/3859
-- version: "0.2.1"
- changes:
- - description: Fix proxy URL documentation rendering.
- type: bugfix
- link: https://github.com/elastic/integrations/pull/3881
-- version: "0.2.0"
- changes:
- - description: Update package to ECS 8.3.0.
- type: enhancement
- link: https://github.com/elastic/integrations/pull/3353
-- version: "0.1.0"
- changes:
- - description: Initial Release
- type: enhancement
- link: https://github.com/elastic/integrations/pull/3232
diff --git a/packages/sentinel_one/1.2.2/data_stream/activity/agent/stream/httpjson.yml.hbs b/packages/sentinel_one/1.2.2/data_stream/activity/agent/stream/httpjson.yml.hbs
deleted file mode 100755
index ce51b9aa5e..0000000000
--- a/packages/sentinel_one/1.2.2/data_stream/activity/agent/stream/httpjson.yml.hbs
+++ /dev/null
@@ -1,51 +0,0 @@
-config_version: 2
-interval: {{interval}}
-{{#if proxy_url }}
-request.proxy_url: {{proxy_url}}
-{{/if}}
-{{#if ssl}}
-request.ssl: {{ssl}}
-{{/if}}
-request.method: GET
-request.url: {{url}}/web/api/v2.1/activities
-request.transforms:
- - set:
- target: header.Authorization
- value: 'ApiToken {{api_token}}'
- - set:
- target: url.params.limit
- value: '100'
- - set:
- target: url.params.sortBy
- value: 'createdAt'
- - set:
- target: url.params.sortOrder
- value: 'asc'
- - set:
- target: url.params.createdAt__gte
- value: '[[formatDate (parseDate .cursor.last_create_at)]]'
- default: '[[formatDate (now (parseDuration "-{{initial_interval}}"))]]'
-response.pagination:
- - set:
- target: url.params.cursor
- value: '[[if (ne .last_response.body.pagination.nextCursor nil)]][[.last_response.body.pagination.nextCursor]][[else]][[.last_response.terminate_pagination]][[end]]'
- fail_on_template_error: true
-cursor:
- last_create_at:
- value: '[[.last_event.createdAt]]'
-response.split:
- target: body.data
-tags:
-{{#if preserve_original_event}}
- - preserve_original_event
-{{/if}}
-{{#each tags as |tag|}}
- - {{tag}}
-{{/each}}
-{{#contains "forwarded" tags}}
-publisher_pipeline.disable_host: true
-{{/contains}}
-{{#if processors}}
-processors:
-{{processors}}
-{{/if}}
diff --git a/packages/sentinel_one/1.2.2/data_stream/activity/elasticsearch/ingest_pipeline/default.yml b/packages/sentinel_one/1.2.2/data_stream/activity/elasticsearch/ingest_pipeline/default.yml
deleted file mode 100755
index c3cb48caa8..0000000000
--- a/packages/sentinel_one/1.2.2/data_stream/activity/elasticsearch/ingest_pipeline/default.yml
+++ /dev/null
@@ -1,472 +0,0 @@ ---- -description: Pipeline for processing activity logs. -processors: - - set: - field: ecs.version - value: '8.4.0' - - rename: - field: message - target_field: event.original - ignore_missing: true - - json: - field: event.original - target_field: json - ignore_failure: true - - fingerprint: - fields: - - json.createdAt - - json.updatedAt - - json.id - target_field: _id - ignore_missing: true - - script: - description: Set the value of event.category, event.outcome, event.type and event.kind. - lang: painless - source: > - def eventCategory = new HashSet(); - def eventType = new HashSet(); - if (ctx.json?.threatId != null && ctx.json.threatId != '') { - def threat_classification = ctx.json?.data?.threatClassification; - if (['Exploit','PUA'].contains(threat_classification)) { - eventCategory.add('threat'); - eventType.add('indicator'); - } else if (['Malware','Ransomware','Trojan','Downloader'].contains(threat_classification)) { - eventCategory.add('malware'); - eventType.add('info'); - } - } - else if (ctx.json?.primaryDescription != null) { - def description = ctx.json.primaryDescription.toLowerCase(); - if (description.contains('logged in')) { - eventCategory.add('authentication'); - eventType.add('start'); - ctx.event.outcome = 'success'; - } else if (description.contains('logged out')) { - eventCategory.add('authentication'); - eventType.add('end'); - } - if (description.contains('created') || description.contains('added')) { - eventCategory.add('configuration'); - eventType.add('creation'); - } - if (description.contains('deleted')) { - eventCategory.add('configuration'); - eventType.add('deletion'); - } - if (description.contains('edited') || description.contains('updated') || description.contains('modified')) { - eventCategory.add('configuration'); - eventType.add('change'); - } - if (description.contains('enabled') || description.contains('recovery email')) { - eventCategory.add('configuration'); - } - if 
(description.contains('verification email')) { - eventCategory.add('email'); - } - if (description.contains('failed to log in')) { - eventCategory.add('authentication'); - ctx.event.outcome = 'failure'; - } - if (eventType.isEmpty()) { - eventType.add('info'); - } - } - if (!eventCategory.isEmpty()) { - def category = new ArrayList(); - for (def c: eventCategory) { - category.add(c); - } - Collections.sort(category); - ctx.event.category = category; - } - if (!eventType.isEmpty()) { - def type = new ArrayList(); - for (def t: eventType) { - type.add(t); - } - Collections.sort(type); - ctx.event.type = type; - } - if (['suspicious', 'malicious'].contains(ctx.json?.data?.confidenceLevel)) { - ctx.event.kind = 'alert'; - } else { - ctx.event.kind = 'event'; - } - - date: - field: json.updatedAt - target_field: sentinel_one.activity.updated_at - formats: - - ISO8601 - ignore_failure: true - - rename: - field: json.description - target_field: message - ignore_missing: true - - rename: - field: json.hash - target_field: process.hash.sha1 - ignore_missing: true - - append: - field: related.hash - value: '{{{process.hash.sha1}}}' - if: ctx.process?.hash?.sha1 != null - allow_duplicates: false - ignore_failure: true - - rename: - field: json.osFamily - target_field: os.family - ignore_missing: true - - rename: - field: json.agentUpdatedVersion - target_field: observer.version - ignore_missing: true - - rename: - field: json.groupId - target_field: user.group.id - ignore_missing: true - - rename: - field: json.groupName - target_field: user.group.name - ignore_missing: true - - rename: - field: json.accountId - target_field: sentinel_one.activity.account.id - ignore_missing: true - - rename: - field: json.userId - target_field: user.id - ignore_missing: true - - rename: - field: json.accountName - target_field: sentinel_one.activity.account.name - ignore_missing: true - - rename: - field: json.agentId - target_field: sentinel_one.activity.agent.id - ignore_missing: true - - 
rename: - field: json.comments - target_field: sentinel_one.activity.comments - ignore_missing: true - - date: - field: json.createdAt - target_field: '@timestamp' - formats: - - ISO8601 - ignore_failure: true - - rename: - field: json.primaryDescription - target_field: sentinel_one.activity.description.primary - ignore_missing: true - - rename: - field: json.secondaryDescription - target_field: sentinel_one.activity.description.secondary - ignore_missing: true - - rename: - field: json.id - target_field: sentinel_one.activity.id - ignore_missing: true - - rename: - field: json.siteId - target_field: sentinel_one.activity.site.id - ignore_missing: true - - rename: - field: json.siteName - target_field: sentinel_one.activity.site.name - ignore_missing: true - - rename: - field: json.threatId - target_field: sentinel_one.activity.threat.id - ignore_missing: true - - convert: - field: json.activityType - target_field: sentinel_one.activity.type - type: long - ignore_failure: true - - convert: - field: json.data.accountId - target_field: sentinel_one.activity.data.account.id - type: string - ignore_failure: true - - rename: - field: json.data.accountName - target_field: sentinel_one.activity.data.account.name - ignore_missing: true - - rename: - field: json.data.fullScopeDetails - target_field: sentinel_one.activity.data.fullscope.details - ignore_missing: true - - rename: - field: json.data.fullScopeDetailsPath - target_field: sentinel_one.activity.data.fullscope.details_path - ignore_missing: true - - rename: - field: json.data.groupName - target_field: sentinel_one.activity.data.group_name - ignore_missing: true - - rename: - field: json.data.scopeLevel - target_field: sentinel_one.activity.data.scope.level - ignore_missing: true - - rename: - field: json.data.scopeName - target_field: sentinel_one.activity.data.scope.name - ignore_missing: true - - rename: - field: json.data.siteName - target_field: sentinel_one.activity.data.site.name - ignore_missing: true - - 
rename: - field: json.data.username - target_field: user.full_name - ignore_missing: true - - append: - field: related.user - value: '{{{user.full_name}}}' - if: ctx.user?.full_name != null - allow_duplicates: false - ignore_failure: true - - rename: - field: json.data.byUser - target_field: sentinel_one.activity.data.user.name - ignore_missing: true - - append: - field: related.user - value: '{{{sentinel_one.activity.data.user.name}}}' - if: ctx.sentinel_one?.activity?.data?.user?.name != null - allow_duplicates: false - ignore_failure: true - - rename: - field: json.data.role - target_field: sentinel_one.activity.data.role - ignore_missing: true - - rename: - field: json.data.roleName - target_field: sentinel_one.activity.data.role_name - ignore_missing: true - - rename: - field: json.data.scopeLevelName - target_field: sentinel_one.activity.data.scope_level.name - ignore_missing: true - - rename: - field: json.data.userScope - target_field: sentinel_one.activity.data.user.scope - ignore_missing: true - - convert: - field: json.data.newValue - target_field: sentinel_one.activity.data.new.value - type: boolean - ignore_failure: true - - convert: - field: json.data.externalIp - type: ip - ignore_failure: true - - geoip: - field: json.data.externalIp - target_field: host.geo - ignore_missing: true - - convert: - field: json.data.ipAddress - type: ip - ignore_failure: true - - geoip: - field: json.data.ipAddress - target_field: host.geo - ignore_missing: true - if: ctx.host?.geo == null - - append: - field: host.ip - value: '{{{json.data.ipAddress}}}' - allow_duplicates: false - ignore_failure: true - - append: - field: host.ip - value: '{{{json.data.externalIp}}}' - allow_duplicates: false - ignore_failure: true - - append: - field: related.ip - value: '{{{json.data.ipAddress}}}' - if: ctx.json?.data?.ipAddress != null - allow_duplicates: false - ignore_failure: true - - append: - field: related.ip - value: '{{{json.data.externalIp}}}' - if: 
ctx.json?.data?.externalIp != null - allow_duplicates: false - ignore_failure: true - - rename: - field: json.data.reason - target_field: sentinel_one.activity.data.reason - ignore_missing: true - - rename: - field: json.data.source - target_field: sentinel_one.activity.data.source - ignore_missing: true - - rename: - field: json.data.recoveryEmail - target_field: user.email - ignore_missing: true - - rename: - field: json.data.computerName - target_field: host.name - ignore_missing: true - - append: - field: related.hosts - value: '{{{host.name}}}' - if: ctx.host?.name != null - allow_duplicates: false - ignore_failure: true - - convert: - field: json.data.system - target_field: sentinel_one.activity.data.system - type: boolean - ignore_failure: true - - rename: - field: json.data.uuid - target_field: sentinel_one.activity.data.uuid - ignore_missing: true - - rename: - field: json.data.group - target_field: sentinel_one.activity.data.group - ignore_missing: true - - rename: - field: json.data.optionalGroups - target_field: sentinel_one.activity.data.optionals_groups - ignore_missing: true - - date: - field: json.data.createdAt - target_field: sentinel_one.activity.data.created_at - formats: - - ISO8601 - ignore_failure: true - - rename: - field: json.data.status - target_field: sentinel_one.activity.data.status - ignore_missing: true - - rename: - field: json.data.fileContentHash - target_field: file.hash.sha1 - ignore_missing: true - - append: - field: related.hash - value: '{{{file.hash.sha1}}}' - if: ctx.file?.hash?.sha1 != null - allow_duplicates: false - ignore_failure: true - - rename: - field: json.data.osFamily - target_field: host.os.family - ignore_missing: true - - rename: - field: json.data.confidenceLevel - target_field: sentinel_one.activity.data.confidence.level - ignore_missing: true - - rename: - field: json.data.escapedMaliciousProcessArguments - target_field: sentinel_one.activity.data.malicious.process.arguments - ignore_missing: true - - 
rename: - field: json.data.fileDisplayName - target_field: file.name - ignore_missing: true - - rename: - field: json.data.filePath - target_field: file.path - ignore_missing: true - - rename: - field: json.data.threatClassification - target_field: sentinel_one.activity.data.threat.classification.name - ignore_missing: true - - rename: - field: json.data.threatClassificationSource - target_field: sentinel_one.activity.data.threat.classification.source - ignore_missing: true - - rename: - field: json.data.globalStatus - target_field: sentinel_one.activity.data.global.status - ignore_missing: true - - rename: - field: json.data.newStatus - target_field: sentinel_one.activity.data.new.status - ignore_missing: true - - rename: - field: json.data.originalStatus - target_field: sentinel_one.activity.data.original.status - ignore_missing: true - - rename: - field: json.data.downloadUrl - target_field: sentinel_one.activity.data.downloaded.url - ignore_missing: true - - rename: - field: json.data.description - target_field: sentinel_one.activity.data.description - ignore_missing: true - - rename: - field: json.data.policy - target_field: sentinel_one.activity.data.policy - ignore_missing: true - - convert: - field: json.data.policyName - target_field: sentinel_one.activity.data.policy_name - type: string - ignore_failure: true - - rename: - field: json.data.changedKeys - target_field: sentinel_one.activity.data.changed_keys - ignore_missing: true - - rename: - field: json.data.newConfidenceLevel - target_field: sentinel_one.activity.data.new.confidence_level - ignore_missing: true - - rename: - field: json.data.oldConfidenceLevel - target_field: sentinel_one.activity.data.old.confidence_level - ignore_missing: true - - rename: - field: json.data.attr - target_field: sentinel_one.activity.data.attr - ignore_missing: true - - remove: - field: - - json.data.accountId - - json.data.newValue - - json.data.ipAddress - - json.data.externalIp - - json.data.system - - 
json.data.policyName - ignore_missing: true - - rename: - field: json.data - target_field: sentinel_one.activity.data.flattened - ignore_missing: true - - remove: - field: json - ignore_missing: true - - remove: - field: event.original - if: ctx.tags == null || !(ctx.tags.contains('preserve_original_event')) - ignore_failure: true - ignore_missing: true - - script: - description: Drops null/empty values recursively. - lang: painless - source: - boolean dropEmptyFields(Object object) { - if (object == null || object == "") { - return true; - } else if (object instanceof Map) { - ((Map) object).values().removeIf(value -> dropEmptyFields(value)); - return (((Map) object).size() == 0); - } else if (object instanceof List) { - ((List) object).removeIf(value -> dropEmptyFields(value)); - return (((List) object).length == 0); - } - return false; - } - dropEmptyFields(ctx); -on_failure: -- set: - field: error.message - value: '{{{ _ingest.on_failure_message }}}' diff --git a/packages/sentinel_one/1.2.2/data_stream/activity/fields/agent.yml b/packages/sentinel_one/1.2.2/data_stream/activity/fields/agent.yml deleted file mode 100755 index 6e1bac042b..0000000000 --- a/packages/sentinel_one/1.2.2/data_stream/activity/fields/agent.yml +++ /dev/null 
@@ -1,186 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - -- name: input.type - type: keyword - description: Input type -- name: log.offset - type: long - description: Log offset 
diff --git a/packages/sentinel_one/1.2.2/data_stream/activity/fields/base-fields.yml b/packages/sentinel_one/1.2.2/data_stream/activity/fields/base-fields.yml
deleted file mode 100755
index 281aed0955..0000000000
--- a/packages/sentinel_one/1.2.2/data_stream/activity/fields/base-fields.yml
+++ /dev/null
@@ -1,20 +0,0 @@
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: event.dataset
- type: constant_keyword
- description: Event dataset
- value: sentinel_one.activity
-- name: event.module
- type: constant_keyword
- description: Event module
- value: sentinel_one
-- name: '@timestamp'
- type: date
- description: Event timestamp.
diff --git a/packages/sentinel_one/1.2.2/data_stream/activity/fields/ecs.yml b/packages/sentinel_one/1.2.2/data_stream/activity/fields/ecs.yml
deleted file mode 100755
index 70165a092d..0000000000
--- a/packages/sentinel_one/1.2.2/data_stream/activity/fields/ecs.yml
+++ /dev/null
@@ -1,132 +0,0 @@ -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. This will allow proper categorization of some events that fall in multiple categories. - name: event.category - normalize: - - array - type: keyword -- description: |- - event.created contains the date/time when the event was first read by an agent, or by your pipeline. - This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. - In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. - In case the two timestamps are identical, @timestamp should be used. - name: event.created - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. 
- The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: |- - Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. - This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. - doc_values: false - index: false - name: event.original - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. - `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. This will allow proper categorization of some events that fall in multiple event types. - name: event.type - normalize: - - array - type: keyword -- description: SHA1 hash. - name: file.hash.sha1 - type: keyword -- description: Name of the file including the extension, without the directory. - name: file.name - type: keyword -- description: Full path to the file, including the file name. It should include the drive letter, when appropriate. - multi_fields: - - name: text - type: match_only_text - name: file.path - type: keyword -- description: City name. - name: host.geo.city_name - type: keyword -- description: Name of the continent. - name: host.geo.continent_name - type: keyword -- description: Country ISO code. - name: host.geo.country_iso_code - type: keyword -- description: Country name. 
- name: host.geo.country_name - type: keyword -- description: Longitude and latitude. - name: host.geo.location - type: geo_point -- description: Region ISO code. - name: host.geo.region_iso_code - type: keyword -- description: Region name. - name: host.geo.region_name - type: keyword -- description: |- - For log events the message field contains the log message, optimized for viewing in a log viewer. - For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. - If multiple messages exist, they can be combined into one message. - name: message - type: match_only_text -- description: Observer version. - name: observer.version - type: keyword -- description: OS family (such as redhat, debian, freebsd, windows). - name: os.family - type: keyword -- description: SHA1 hash. - name: process.hash.sha1 - type: keyword -- description: All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). - name: related.hash - normalize: - - array - type: keyword -- description: All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. - name: related.hosts - normalize: - - array - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - normalize: - - array - type: ip -- description: All the user names or other user identifiers seen on the event. - name: related.user - normalize: - - array - type: keyword -- description: List of keywords used to tag each event. - name: tags - normalize: - - array - type: keyword -- description: User email address. - name: user.email - type: keyword -- description: User's full name, if available. 
- multi_fields: - - name: text - type: match_only_text - name: user.full_name - type: keyword -- description: Unique identifier for the group on the system/platform. - name: user.group.id - type: keyword -- description: Name of the group. - name: user.group.name - type: keyword -- description: Unique identifier of the user. - name: user.id - type: keyword diff --git a/packages/sentinel_one/1.2.2/data_stream/activity/fields/fields.yml b/packages/sentinel_one/1.2.2/data_stream/activity/fields/fields.yml deleted file mode 100755 index d1a883dc12..0000000000 --- a/packages/sentinel_one/1.2.2/data_stream/activity/fields/fields.yml +++ /dev/null 
@@ -1,222 +0,0 @@ -- name: sentinel_one.activity - type: group - fields: - - name: account - type: group - fields: - - name: id - type: keyword - description: Related account ID (if applicable). - - name: name - type: keyword - description: Related account name (if applicable). - - name: agent - type: group - fields: - - name: id - type: keyword - description: Related agent (if applicable). - - name: comments - type: keyword - description: Comments. - - name: data - type: group - fields: - - name: account - type: group - fields: - - name: id - type: keyword - description: Related account ID (if applicable). - - name: name - type: keyword - description: Related account name (if applicable). - - name: attr - type: keyword - description: Attribute. - - name: changed_keys - type: keyword - description: Changed keys. - - name: confidence - type: group - fields: - - name: level - type: keyword - description: Confidence level. - - name: created_at - type: date - description: Created time. - - name: description - type: keyword - description: Description. - - name: downloaded - type: group - fields: - - name: url - type: keyword - description: Downloaded URL. - - name: flattened - type: flattened - description: Extra activity specific data. - - name: fullscope - type: group - fields: - - name: details - type: keyword - description: fullscope details. - - name: details_path - type: keyword - description: fullscope details path. - - name: global - type: group - fields: - - name: status - type: keyword - description: Global status. - - name: group - type: keyword - description: Related group (if applicable). - - name: group_name - type: keyword - description: Related group name (if applicable). - - name: malicious - type: group - fields: - - name: process - type: group - fields: - - name: arguments - type: keyword - description: Malicious process arguments. - - name: new - type: group - fields: - - name: confidence_level - type: keyword - description: New confidence level. 
- - name: status - type: keyword - description: Status. - - name: value - type: boolean - description: Value. - - name: old - type: group - fields: - - name: confidence_level - type: keyword - description: Old confidence level. - - name: optionals_groups - type: keyword - description: Optionals groups. - - name: original - type: group - fields: - - name: status - type: keyword - description: Original status. - - name: policy - type: flattened - description: Policy. - - name: policy_name - type: keyword - description: Policy name. - - name: reason - type: keyword - description: Reason. - - name: role - type: keyword - description: Role. - - name: role_name - type: keyword - description: Role name. - - name: scope - type: group - fields: - - name: level - type: keyword - description: Scope Level. - - name: name - type: keyword - description: Scope name. - - name: scope_level - type: group - fields: - - name: name - type: keyword - description: Scope level name. - - name: site - type: group - fields: - - name: name - type: keyword - description: Related site name (if applicable). - - name: source - type: keyword - description: Source. - - name: status - type: keyword - description: Status. - - name: system - type: boolean - description: System. - - name: threat - type: group - fields: - - name: classification - type: group - fields: - - name: name - type: keyword - description: Threat classification name. - - name: source - type: keyword - description: Threat classification source. - - name: user - type: group - fields: - - name: name - type: keyword - description: User name. - - name: scope - type: keyword - description: User scope. - - name: uuid - type: keyword - description: UUID. - - name: description - type: group - fields: - - name: primary - type: keyword - description: Primary description. - - name: secondary - type: keyword - description: Secondary description. - - name: id - type: keyword - description: Activity ID. 
- - name: site - type: group - fields: - - name: id - type: keyword - description: Related site ID (if applicable). - - name: name - type: keyword - description: Related site name (if applicable). - - name: threat - type: group - fields: - - name: id - type: keyword - description: Related threat ID (if applicable). - - name: type - type: long - description: Activity type. - - name: updated_at - type: date - description: Activity last updated time (UTC). -- name: log.source.address - type: keyword - description: Source address from which the log event was read / sent from. diff --git a/packages/sentinel_one/1.2.2/data_stream/activity/manifest.yml b/packages/sentinel_one/1.2.2/data_stream/activity/manifest.yml deleted file mode 100755 index c3ede624da..0000000000 --- a/packages/sentinel_one/1.2.2/data_stream/activity/manifest.yml +++ /dev/null 
@@ -1,50 +0,0 @@ -title: Collect Activity logs from SentinelOne -type: logs -streams: - - input: httpjson - title: Activity logs - description: Collect activity logs from SentinelOne. - template_path: httpjson.yml.hbs - vars: - - name: initial_interval - type: text - title: Initial Interval - description: How far back to pull the activities from SentinelOne. - multi: false - required: true - show_user: true - default: 24h - - name: interval - type: text - title: Interval - description: Duration between requests to the SentinelOne API. - default: 1m - multi: false - required: true - show_user: true - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: false - default: - - forwarded - - sentinel_one-activity - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original`. - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: > - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. - diff --git a/packages/sentinel_one/1.2.2/data_stream/activity/sample_event.json b/packages/sentinel_one/1.2.2/data_stream/activity/sample_event.json deleted file mode 100755 index 0e863eddc3..0000000000 --- a/packages/sentinel_one/1.2.2/data_stream/activity/sample_event.json +++ /dev/null 
@@ -1,82 +0,0 @@ -{ - "@timestamp": "2022-04-05T16:01:56.995Z", - "agent": { - "ephemeral_id": "fa8409d5-7599-4d01-a29f-b9375742abc3", - "id": "15b19080-249c-49a5-801a-edf25c28dcfe", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "8.4.1" - }, - "data_stream": { - "dataset": "sentinel_one.activity", - "namespace": "ep", - "type": "logs" - }, - "ecs": { - "version": "8.4.0" - }, - "elastic_agent": { - "id": "15b19080-249c-49a5-801a-edf25c28dcfe", - "snapshot": false, - "version": "8.4.1" - }, - "event": { - "agent_id_status": "verified", - "category": [ - "configuration" - ], - "created": "2022-09-26T01:54:28.433Z", - "dataset": "sentinel_one.activity", - "ingested": "2022-09-26T01:54:29Z", - "kind": "event", - "original": "{\"accountId\":\"1234567890123456789\",\"accountName\":\"Default\",\"activityType\":1234,\"agentId\":null,\"agentUpdatedVersion\":null,\"comments\":null,\"createdAt\":\"2022-04-05T16:01:56.995120Z\",\"data\":{\"accountId\":1234567890123456800,\"accountName\":\"Default\",\"fullScopeDetails\":\"Account Default\",\"fullScopeDetailsPath\":\"test/path\",\"groupName\":null,\"scopeLevel\":\"Account\",\"scopeName\":\"Default\",\"siteName\":null,\"username\":\"test user\"},\"description\":null,\"groupId\":null,\"groupName\":null,\"hash\":null,\"id\":\"1234567890123456789\",\"osFamily\":null,\"primaryDescription\":\"created Default account.\",\"secondaryDescription\":null,\"siteId\":null,\"siteName\":null,\"threatId\":null,\"updatedAt\":\"2022-04-05T16:01:56.992136Z\",\"userId\":\"1234567890123456789\"}", - "type": [ - "creation" - ] - }, - "input": { - "type": "httpjson" - }, - "related": { - "user": [ - "test user" - ] - }, - "sentinel_one": { - "activity": { - "account": { - "id": "1234567890123456789", - "name": "Default" - }, - "data": { - "account": { - "id": "1234567890123456800", - "name": "Default" - }, - "fullscope": { - "details": "Account Default", - "details_path": "test/path" - }, - "scope": { - "level": "Account", - 
"name": "Default" - } - }, - "description": { - "primary": "created Default account." - }, - "id": "1234567890123456789", - "type": 1234, - "updated_at": "2022-04-05T16:01:56.992Z" - } - }, - "tags": [ - "preserve_original_event", - "forwarded", - "sentinel_one-activity" - ], - "user": { - "full_name": "test user", - "id": "1234567890123456789" - } -} \ No newline at end of file diff --git a/packages/sentinel_one/1.2.2/data_stream/agent/agent/stream/httpjson.yml.hbs b/packages/sentinel_one/1.2.2/data_stream/agent/agent/stream/httpjson.yml.hbs deleted file mode 100755 index 6d48f7a428..0000000000 --- a/packages/sentinel_one/1.2.2/data_stream/agent/agent/stream/httpjson.yml.hbs +++ /dev/null @@ -1,51 +0,0 @@ -config_version: 2 -interval: {{interval}} -{{#if proxy_url }} -request.proxy_url: {{proxy_url}} -{{/if}} -{{#if ssl}} -request.ssl: {{ssl}} -{{/if}} -request.method: GET -request.url: {{url}}/web/api/v2.1/agents -request.transforms: - - set: - target: header.Authorization - value: 'ApiToken {{api_token}}' - - set: - target: url.params.limit - value: '100' - - set: - target: url.params.sortBy - value: 'updatedAt' - - set: - target: url.params.sortOrder - value: 'asc' - - set: - target: url.params.updatedAt__gte - value: '[[formatDate (parseDate .cursor.last_update_at)]]' - default: '[[formatDate (now (parseDuration "-{{initial_interval}}"))]]' -response.pagination: - - set: - target: url.params.cursor - value: '[[if (ne .last_response.body.pagination.nextCursor nil)]][[.last_response.body.pagination.nextCursor]][[else]][[.last_response.terminate_pagination]][[end]]' - fail_on_template_error: true -cursor: - last_update_at: - value: '[[.last_event.updatedAt]]' -response.split: - target: body.data -tags: -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#each tags as |tag|}} - - {{tag}} -{{/each}} -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} -{{#if processors}} -processors: -{{processors}} -{{/if}} 
diff --git a/packages/sentinel_one/1.2.2/data_stream/agent/elasticsearch/ingest_pipeline/default.yml b/packages/sentinel_one/1.2.2/data_stream/agent/elasticsearch/ingest_pipeline/default.yml deleted file mode 100755 index 02b96c5152..0000000000 --- a/packages/sentinel_one/1.2.2/data_stream/agent/elasticsearch/ingest_pipeline/default.yml +++ /dev/null 
@@ -1,610 +0,0 @@ ---- -description: Pipeline for processing agent logs. -processors: - - set: - field: ecs.version - value: '8.4.0' - - set: - field: event.kind - value: event - - set: - field: event.category - value: [host] - - set: - field: event.type - value: [info] - - rename: - field: message - target_field: event.original - ignore_missing: true - - json: - field: event.original - target_field: json - ignore_failure: true - - rename: - field: json.accountId - target_field: sentinel_one.agent.account.id - ignore_missing: true - - rename: - field: json.accountName - target_field: sentinel_one.agent.account.name - ignore_missing: true - - rename: - field: json.activeDirectory.computerDistinguishedName - target_field: sentinel_one.agent.active_directory.computer.name - ignore_missing: true - - rename: - field: json.activeDirectory.computerMemberOf - target_field: sentinel_one.agent.active_directory.computer.member_of - ignore_missing: true - - rename: - field: json.activeDirectory.lastUserDistinguishedName - target_field: sentinel_one.agent.active_directory.last_user.distinguished_name - ignore_missing: true - - rename: - field: json.activeDirectory.lastUserMemberOf - target_field: sentinel_one.agent.active_directory.last_user.member_of - ignore_missing: true - - rename: - field: json.activeDirectory.userPrincipalName - target_field: sentinel_one.agent.active_directory.user.principal_name - ignore_missing: true - - rename: - field: json.activeDirectory.mail - target_field: sentinel_one.agent.active_directory.mail - ignore_missing: true - - convert: - field: json.activeThreats - target_field: sentinel_one.agent.active_threats_count - type: long - ignore_failure: true - - rename: - field: json.agentVersion - target_field: observer.version - ignore_missing: true - - convert: - field: json.allowRemoteShell - target_field: sentinel_one.agent.allow_remote_shell - type: boolean - ignore_failure: true - - rename: - field: json.appsVulnerabilityStatus - target_field: 
sentinel_one.agent.apps_vulnerability_status - ignore_missing: true - - rename: - field: json.cloudProviders - target_field: sentinel_one.agent.cloud_provider - ignore_missing: true - - rename: - field: json.computerName - target_field: host.name - ignore_missing: true - - append: - field: related.hosts - value: '{{{host.name}}}' - if: ctx.host?.name != null - allow_duplicates: false - ignore_failure: true - - rename: - field: json.consoleMigrationStatus - target_field: sentinel_one.agent.console_migration_status - ignore_missing: true - - convert: - field: json.coreCount - target_field: sentinel_one.agent.core.count - type: long - ignore_failure: true - - convert: - field: json.cpuCount - target_field: sentinel_one.agent.cpu.count - type: long - ignore_failure: true - - rename: - field: json.cpuId - target_field: sentinel_one.agent.cpu.id - ignore_missing: true - - date: - field: json.createdAt - target_field: sentinel_one.agent.created_at - formats: - - ISO8601 - ignore_failure: true - - rename: - field: json.detectionState - target_field: sentinel_one.agent.detection_state - ignore_missing: true - - rename: - field: json.domain - target_field: host.domain - ignore_missing: true - - append: - field: related.hosts - value: '{{{host.domain}}}' - if: ctx.host?.domain != null - allow_duplicates: false - ignore_failure: true - - convert: - field: json.encryptedApplications - target_field: sentinel_one.agent.encrypted_application - type: boolean - ignore_failure: true - - rename: - field: json.externalId - target_field: sentinel_one.agent.external.id - ignore_missing: true - - geoip: - field: json.externalIp - target_field: host.geo - ignore_missing: true - if: ctx.json?.externalIp != null && ctx.json?.externalIp != '' - - convert: - field: json.externalIp - target_field: host.ip - type: ip - ignore_failure: true - - append: - field: related.ip - value: '{{{host.ip}}}' - if: ctx.host?.ip != null - allow_duplicates: false - ignore_failure: true - - convert: - field: 
json.firewallEnabled - target_field: sentinel_one.agent.firewall_enabled - type: boolean - ignore_failure: true - - date: - field: json.firstFullModeTime - target_field: sentinel_one.agent.first_full_mode_time - formats: - - ISO8601 - ignore_failure: true - - rename: - field: json.groupId - target_field: group.id - ignore_missing: true - - rename: - field: json.groupIp - target_field: sentinel_one.agent.group.ip - ignore_missing: true - - rename: - field: json.groupName - target_field: group.name - ignore_missing: true - - date: - field: json.groupUpdatedAt - target_field: sentinel_one.agent.group.updated_at - formats: - - ISO8601 - ignore_failure: true - - rename: - field: json.id - target_field: host.id - ignore_missing: true - - convert: - field: json.infected - target_field: sentinel_one.agent.infected - type: boolean - ignore_failure: true - - convert: - field: json.inRemoteShellSession - target_field: sentinel_one.agent.in_remote_shell_session - type: boolean - ignore_failure: true - - rename: - field: json.installerType - target_field: sentinel_one.agent.installer_type - ignore_missing: true - - convert: - field: json.isActive - target_field: sentinel_one.agent.is_active - type: boolean - ignore_failure: true - - convert: - field: json.isDecommissioned - target_field: sentinel_one.agent.is_decommissioned - type: boolean - ignore_failure: true - - convert: - field: json.isPendingUninstall - target_field: sentinel_one.agent.is_pending_uninstall - type: boolean - ignore_failure: true - - convert: - field: json.isUninstalled - target_field: sentinel_one.agent.is_uninstalled - type: boolean - ignore_failure: true - - convert: - field: json.isUpToDate - target_field: sentinel_one.agent.is_up_to_date - type: boolean - ignore_failure: true - - date: - field: json.lastActiveDate - target_field: sentinel_one.agent.last_active_date - formats: - - ISO8601 - ignore_failure: true - - convert: - field: json.lastIpToMgmt - target_field: sentinel_one.agent.last_ip_to_mgmt - 
type: ip - ignore_failure: true - - append: - field: related.ip - value: '{{{sentinel_one.agent.last_ip_to_mgmt}}}' - if: ctx.sentinel_one?.agent?.last_ip_to_mgmt != null - allow_duplicates: false - ignore_failure: true - - rename: - field: json.lastLoggedInUserName - target_field: sentinel_one.agent.last_logged_in_user_name - ignore_missing: true - - append: - field: related.user - value: '{{{sentinel_one.agent.last_logged_in_user_name}}}' - if: ctx.sentinel_one?.agent?.last_logged_in_user_name != null - allow_duplicates: false - ignore_failure: true - - rename: - field: json.licenseKey - target_field: sentinel_one.agent.license.key - ignore_missing: true - - convert: - field: json.locationEnabled - target_field: sentinel_one.agent.location.enabled - type: boolean - ignore_failure: true - - rename: - field: json.locations - target_field: sentinel_one.agent.locations - ignore_missing: true - - rename: - field: json.locationType - target_field: sentinel_one.agent.location.type - ignore_missing: true - - rename: - field: json.machineType - target_field: sentinel_one.agent.machine.type - ignore_missing: true - - rename: - field: json.mitigationMode - target_field: sentinel_one.agent.mitigation_mode - ignore_missing: true - - rename: - field: json.mitigationModeSuspicious - target_field: sentinel_one.agent.mitigation_mode_suspicious - ignore_missing: true - - rename: - field: json.modelName - target_field: sentinel_one.agent.model_name - ignore_missing: true - - foreach: - field: json.networkInterfaces - processor: - convert: - field: _ingest._value.gatewayIp - target_field: _ingest._value.gateway.ip - type: ip - ignore_failure: true - ignore_failure: true - if: ctx.json?.networkInterfaces != null && ctx.json?.networkInterfaces instanceof List - - foreach: - field: json.networkInterfaces - processor: - append: - field: related.ip - value: "{{{_ingest._value.gatewayIp}}}" - allow_duplicates: false - ignore_failure: true - ignore_failure: true - if: 
ctx.json?.networkInterfaces != null && ctx.json?.networkInterfaces instanceof List - - foreach: - field: json.networkInterfaces - processor: - gsub: - field: _ingest._value.gatewayMacAddress - pattern: '[-:.]' - replacement: '-' - ignore_missing: true - ignore_failure: true - if: ctx.json?.networkInterfaces != null && ctx.json?.networkInterfaces instanceof List - - foreach: - field: json.networkInterfaces - processor: - uppercase: - field: _ingest._value.gatewayMacAddress - target_field: _ingest._value.gateway.mac - ignore_missing: true - ignore_failure: true - if: ctx.json?.networkInterfaces != null && ctx.json?.networkInterfaces instanceof List - - foreach: - field: json.networkInterfaces - processor: - convert: - field: _ingest._value.inet - type: ip - ignore_failure: true - ignore_failure: true - if: ctx.json?.networkInterfaces != null && ctx.json?.networkInterfaces instanceof List - - foreach: - field: json.networkInterfaces - processor: - foreach: - field: _ingest._value.inet - processor: - append: - field: related.ip - value: '{{{_ingest._value}}}' - allow_duplicates: false - ignore_failure: true - ignore_failure: true - ignore_failure: true - if: ctx.json?.networkInterfaces != null && ctx.json?.networkInterfaces instanceof List - - foreach: - field: json.networkInterfaces - processor: - convert: - field: _ingest._value.inet6 - type: ip - ignore_failure: true - ignore_failure: true - if: ctx.json?.networkInterfaces != null && ctx.json?.networkInterfaces instanceof List - - foreach: - field: json.networkInterfaces - processor: - foreach: - field: _ingest._value.inet6 - processor: - append: - field: related.ip - value: '{{{_ingest._value}}}' - allow_duplicates: false - ignore_failure: true - ignore_failure: true - ignore_failure: true - if: ctx.json?.networkInterfaces != null && ctx.json?.networkInterfaces instanceof List - - foreach: - field: json.networkInterfaces - processor: - append: - field: host.mac - value: "{{{_ingest._value.physical}}}" - 
ignore_failure: true - ignore_failure: true - if: ctx.json?.networkInterfaces != null && ctx.json?.networkInterfaces instanceof List - - foreach: - field: json.networkInterfaces - processor: - remove: - field: - - _ingest._value.physical - - _ingest._value.gatewayMacAddress - - _ingest._value.gatewayIp - ignore_missing: true - ignore_failure: true - if: ctx.json?.networkInterfaces != null && ctx.json?.networkInterfaces instanceof List - - gsub: - field: host.mac - pattern: '[-:.]' - replacement: '-' - ignore_missing: true - - uppercase: - field: host.mac - ignore_missing: true - - rename: - field: json.networkInterfaces - target_field: sentinel_one.agent.network_interfaces - ignore_missing: true - - convert: - field: json.networkQuarantineEnabled - target_field: sentinel_one.agent.network_quarantine_enabled - type: boolean - ignore_failure: true - - rename: - field: json.networkStatus - target_field: sentinel_one.agent.network_status - ignore_missing: true - - rename: - field: json.operationalState - target_field: sentinel_one.agent.operational_state - ignore_missing: true - - rename: - field: json.operationalStateExpiration - target_field: sentinel_one.agent.operational_state_expiration - ignore_missing: true - - rename: - field: json.osArch - target_field: sentinel_one.agent.os.arch - ignore_missing: true - - rename: - field: json.osName - target_field: host.os.name - ignore_missing: true - - rename: - field: json.osRevision - target_field: host.os.version - ignore_missing: true - - date: - field: json.osStartTime - target_field: sentinel_one.agent.os.start_time - formats: - - ISO8601 - ignore_failure: true - - lowercase: - field: json.osType - target_field: host.os.type - ignore_failure: true - - rename: - field: json.osUsername - target_field: user.name - ignore_missing: true - - append: - field: related.user - value: '{{{user.name}}}' - if: ctx.user?.name != null - allow_duplicates: false - ignore_failure: true - - date: - field: json.policyUpdatedAt - 
target_field: sentinel_one.agent.policy.updated_at - formats: - - ISO8601 - ignore_failure: true - - rename: - field: json.rangerStatus - target_field: sentinel_one.agent.ranger.status - ignore_missing: true - - rename: - field: json.rangerVersion - target_field: sentinel_one.agent.ranger.version - ignore_missing: true - - date: - field: json.registeredAt - target_field: sentinel_one.agent.registered_at - formats: - - ISO8601 - ignore_failure: true - - rename: - field: json.remoteProfilingState - target_field: sentinel_one.agent.remote_profiling_state - ignore_missing: true - - rename: - field: json.remoteProfilingStateExpiration - target_field: sentinel_one.agent.remote_profiling_state_expiration - ignore_missing: true - - date: - field: json.scanAbortedAt - target_field: sentinel_one.agent.scan.aborted_at - formats: - - ISO8601 - ignore_failure: true - - date: - field: json.scanFinishedAt - target_field: sentinel_one.agent.scan.finished_at - formats: - - ISO8601 - ignore_failure: true - - date: - field: json.scanStartedAt - target_field: sentinel_one.agent.scan.started_at - formats: - - ISO8601 - ignore_failure: true - - rename: - field: json.scanStatus - target_field: sentinel_one.agent.scan.status - ignore_missing: true - - rename: - field: json.siteId - target_field: sentinel_one.agent.site.id - ignore_missing: true - - rename: - field: json.siteName - target_field: sentinel_one.agent.site.name - ignore_missing: true - - rename: - field: json.storageName - target_field: sentinel_one.agent.storage.name - ignore_missing: true - - rename: - field: json.storageType - target_field: sentinel_one.agent.storage.type - ignore_missing: true - - convert: - field: json.threatRebootRequired - target_field: sentinel_one.agent.threat_reboot_required - type: boolean - ignore_failure: true - - convert: - field: json.totalMemory - target_field: sentinel_one.agent.total_memory - type: long - ignore_failure: true - - date: - field: json.updatedAt - target_field: '@timestamp' - 
formats: - - ISO8601 - ignore_failure: true - - rename: - field: json.userActionsNeeded - target_field: sentinel_one.agent.user_action_needed - ignore_missing: true - - rename: - field: json.uuid - target_field: sentinel_one.agent.uuid - ignore_missing: true - - rename: - field: json.tags.sentinelone - target_field: sentinel_one.agent.tags - ignore_missing: true - - foreach: - field: sentinel_one.agent.tags - processor: - date: - field: _ingest._value.assignedAt - target_field: _ingest._value.assigned_at - formats: - - ISO8601 - ignore_failure: true - ignore_failure: true - if: ctx.sentinel_one?.agent?.tags != null && ctx.sentinel_one?.agent?.tags instanceof List - - foreach: - field: sentinel_one.agent.tags - processor: - rename: - field: _ingest._value.assignedBy - target_field: _ingest._value.assigned_by - ignore_missing: true - ignore_failure: true - if: ctx.sentinel_one?.agent?.tags != null && ctx.sentinel_one?.agent?.tags instanceof List - - foreach: - field: sentinel_one.agent.tags - processor: - rename: - field: _ingest._value.assignedById - target_field: _ingest._value.assigned_by_id - ignore_missing: true - ignore_failure: true - if: ctx.sentinel_one?.agent?.tags != null && ctx.sentinel_one?.agent?.tags instanceof List - - foreach: - field: sentinel_one.agent.tags - processor: - remove: - field: - - _ingest._value.assignedAt - ignore_missing: true - ignore_failure: true - if: ctx.sentinel_one?.agent?.tags != null && ctx.sentinel_one?.agent?.tags instanceof List - - remove: - field: event.original - if: ctx.tags == null || !(ctx.tags.contains('preserve_original_event')) - ignore_failure: true - ignore_missing: true - - remove: - field: - - json - ignore_missing: true - - script: - description: Drops null/empty values recursively. 
- lang: painless - source: | - boolean dropEmptyFields(Object object) { - if (object == null || object == "") { - return true; - } else if (object instanceof Map) { - ((Map) object).values().removeIf(value -> dropEmptyFields(value)); - return (((Map) object).size() == 0); - } else if (object instanceof List) { - ((List) object).removeIf(value -> dropEmptyFields(value)); - return (((List) object).length == 0); - } - return false; - } - dropEmptyFields(ctx); -on_failure: - - set: - field: error.message - value: '{{{ _ingest.on_failure_message }}}' diff --git a/packages/sentinel_one/1.2.2/data_stream/agent/fields/agent.yml b/packages/sentinel_one/1.2.2/data_stream/agent/fields/agent.yml deleted file mode 100755 index 6e1bac042b..0000000000 --- a/packages/sentinel_one/1.2.2/data_stream/agent/fields/agent.yml +++ /dev/null 
@@ -1,186 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - -- name: input.type - type: keyword - description: Input type -- name: log.offset - type: long - description: Log offset 
diff --git a/packages/sentinel_one/1.2.2/data_stream/agent/fields/base-fields.yml b/packages/sentinel_one/1.2.2/data_stream/agent/fields/base-fields.yml deleted file mode 100755 index 2efd12d530..0000000000 --- a/packages/sentinel_one/1.2.2/data_stream/agent/fields/base-fields.yml +++ /dev/null @@ -1,20 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: event.module - type: constant_keyword - description: Event module - value: sentinel_one -- name: event.dataset - type: constant_keyword - description: Event dataset - value: sentinel_one.agent -- name: '@timestamp' - type: date - description: Event timestamp. diff --git a/packages/sentinel_one/1.2.2/data_stream/agent/fields/ecs.yml b/packages/sentinel_one/1.2.2/data_stream/agent/fields/ecs.yml deleted file mode 100755 index 74e4af83fc..0000000000 --- a/packages/sentinel_one/1.2.2/data_stream/agent/fields/ecs.yml +++ /dev/null 
@@ -1,102 +0,0 @@ -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. This will allow proper categorization of some events that fall in multiple categories. - name: event.category - normalize: - - array - type: keyword -- description: |- - event.created contains the date/time when the event was first read by an agent, or by your pipeline. - This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. - In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. - In case the two timestamps are identical, @timestamp should be used. - name: event.created - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. 
- The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: |- - Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. - This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. - doc_values: false - index: false - name: event.original - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. - `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. This will allow proper categorization of some events that fall in multiple event types. - name: event.type - normalize: - - array - type: keyword -- description: Unique identifier for the group on the system/platform. - name: group.id - type: keyword -- description: Name of the group. - name: group.name - type: keyword -- description: City name. - name: host.geo.city_name - type: keyword -- description: Name of the continent. - name: host.geo.continent_name - type: keyword -- description: Country ISO code. - name: host.geo.country_iso_code - type: keyword -- description: Country name. - name: host.geo.country_name - type: keyword -- description: Longitude and latitude. - name: host.geo.location - type: geo_point -- description: Region ISO code. - name: host.geo.region_iso_code - type: keyword -- description: Region name. 
- name: host.geo.region_name - type: keyword -- description: |- - Use the `os.type` field to categorize the operating system into one of the broad commercial families. - If the OS you're dealing with is not listed as an expected value, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. - name: host.os.type - type: keyword -- description: Observer version. - name: observer.version - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - normalize: - - array - type: ip -- description: All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. - name: related.hosts - normalize: - - array - type: keyword -- description: All the user names or other user identifiers seen on the event. - name: related.user - normalize: - - array - type: keyword -- description: List of keywords used to tag each event. - name: tags - normalize: - - array - type: keyword -- description: Short name or login of the user. - multi_fields: - - name: text - type: match_only_text - name: user.name - type: keyword diff --git a/packages/sentinel_one/1.2.2/data_stream/agent/fields/fields.yml b/packages/sentinel_one/1.2.2/data_stream/agent/fields/fields.yml deleted file mode 100755 index 27de0f644d..0000000000 --- a/packages/sentinel_one/1.2.2/data_stream/agent/fields/fields.yml +++ /dev/null 
@@ -1,314 +0,0 @@ -- name: sentinel_one.agent - type: group - fields: - - name: account - type: group - fields: - - name: id - type: keyword - description: A reference to the containing account. - - name: name - type: keyword - description: Name of the containing account. - - name: active_directory - type: group - fields: - - name: computer - type: group - fields: - - name: member_of - type: keyword - description: Computer member of. - - name: name - type: keyword - description: Computer distinguished name. - - name: last_user - type: group - fields: - - name: distinguished_name - type: keyword - description: Last user distinguished name. - - name: member_of - type: keyword - description: Last user member of. - - name: mail - type: keyword - description: Mail. - - name: user - type: group - fields: - - name: principal_name - type: keyword - description: User principal name. - - name: active_threats_count - type: long - description: Current number of active threats. - - name: allow_remote_shell - type: boolean - description: Agent is capable and policy enabled for remote shell. - - name: apps_vulnerability_status - type: keyword - description: Apps vulnerability status. - - name: cloud_provider - type: flattened - description: Cloud providers for this agent. - - name: console_migration_status - type: keyword - description: What step the agent is at in the process of migrating to another console, if any. - - name: core - type: group - fields: - - name: count - type: long - description: CPU cores. - - name: cpu - type: group - fields: - - name: count - type: long - description: Number of CPUs. - - name: id - type: keyword - description: CPU model. - - name: created_at - type: date - description: Created at. - - name: detection_state - type: keyword - description: Detection State. - - name: encrypted_application - type: boolean - description: Disk encryption status. 
- - name: external - type: group - fields: - - name: id - type: keyword - description: External ID set by customer. - - name: firewall_enabled - type: boolean - description: Firewall enabled. - - name: first_full_mode_time - type: date - description: Date of the first time the Agent moved to full or slim detection modes. - - name: group - type: group - fields: - - name: ip - type: keyword - description: Group subnet address. - - name: updated_at - type: date - description: Group updated at. - - name: in_remote_shell_session - type: boolean - description: Is the Agent in a remote shell session. - - name: infected - type: boolean - description: Indicates if the Agent has active threats. - - name: installer_type - type: keyword - description: Installer package type (file extension). - - name: is_active - type: boolean - description: Indicates if the agent was recently active. - - name: is_decommissioned - type: boolean - description: Is Agent decommissioned. - - name: is_pending_uninstall - type: boolean - description: Agent with a pending uninstall request. - - name: is_uninstalled - type: boolean - description: Indicates if Agent was removed from the device. - - name: is_up_to_date - type: boolean - description: Indicates if the agent version is up to date. - - name: last_active_date - type: date - description: Last active date. - - name: last_ip_to_mgmt - type: ip - description: The last IP used to connect to the Management console. - - name: last_logged_in_user_name - type: keyword - description: Last logged in user name. - - name: license - type: group - fields: - - name: key - type: keyword - description: License key. - - name: location - type: group - fields: - - name: type - type: keyword - description: Reported location type. - - name: enabled - type: boolean - description: Location enabled. - - name: locations - type: group - description: A list of locations reported by the Agent. - fields: - - name: id - type: keyword - description: Location ID. 
- - name: name - type: keyword - description: Location name. - - name: scope - type: keyword - description: Location scope. - - name: machine - type: group - fields: - - name: type - type: keyword - description: Machine type. - - name: mitigation_mode - type: keyword - description: Agent mitigation mode policy. - - name: mitigation_mode_suspicious - type: keyword - description: Mitigation mode policy for suspicious activity. - - name: model_name - type: keyword - description: Device model. - - name: network_interfaces - type: group - description: Device's network interfaces. - fields: - - name: gateway - type: group - fields: - - name: ip - type: ip - description: The default gateway ip. - - name: mac - type: keyword - description: The default gateway mac address. - - name: id - type: keyword - description: Id. - - name: inet - type: ip - description: IPv4 addresses. - - name: inet6 - type: ip - description: IPv6 addresses. - - name: name - type: keyword - description: Name. - - name: network_quarantine_enabled - type: boolean - description: Network quarantine enabled. - - name: network_status - type: keyword - description: Agent's network connectivity status. - - name: operational_state - type: keyword - description: Agent operational state. - - name: operational_state_expiration - type: keyword - description: Agent operational state expiration. - - name: os - type: group - fields: - - name: arch - type: keyword - description: OS architecture. - - name: start_time - type: date - description: Last boot time. - - name: policy - type: group - fields: - - name: updated_at - type: date - description: Policy updated at. - - name: ranger - type: group - fields: - - name: status - type: keyword - description: Is Agent disabled as a Ranger. - - name: version - type: keyword - description: The version of Ranger. - - name: registered_at - type: date - description: Time of first registration to management console (similar to createdAt). 
- - name: remote_profiling_state - type: keyword - description: Agent remote profiling state. - - name: remote_profiling_state_expiration - type: keyword - description: Agent remote profiling state expiration in seconds. - - name: scan - type: group - fields: - - name: aborted_at - type: date - description: Abort time of last scan (if applicable). - - name: finished_at - type: date - description: Finish time of last scan (if applicable). - - name: started_at - type: date - description: Start time of last scan. - - name: status - type: keyword - description: Last scan status. - - name: site - type: group - fields: - - name: id - type: keyword - description: A reference to the containing site. - - name: name - type: keyword - description: Name of the containing site. - - name: storage - type: group - fields: - - name: name - type: keyword - description: Storage name. - - name: type - type: keyword - description: Storage type. - - name: tags - type: group - fields: - - name: assigned_at - type: date - description: When tag assigned to the agent. - - name: assigned_by - type: keyword - description: full user name who assigned the tag to the agent. - - name: assigned_by_id - type: keyword - description: User ID who assigned the tag to the agent. - - name: id - type: keyword - description: Tag ID. - - name: key - type: keyword - description: Tag key. - - name: value - type: keyword - description: Tag value. - - name: threat_reboot_required - type: boolean - description: Flag representing if the Agent has at least one threat with at least one mitigation action that is pending reboot to succeed. - - name: total_memory - type: long - description: Memory size (MB). - - name: user_action_needed - type: keyword - description: A list of pending user actions. - - name: uuid - type: keyword - description: Agent's universally unique identifier. 
diff --git a/packages/sentinel_one/1.2.2/data_stream/agent/manifest.yml b/packages/sentinel_one/1.2.2/data_stream/agent/manifest.yml deleted file mode 100755 index 9a9d0fa9e4..0000000000 --- a/packages/sentinel_one/1.2.2/data_stream/agent/manifest.yml +++ /dev/null @@ -1,50 +0,0 @@ -title: Collect Agent logs from SentinelOne -type: logs -streams: - - input: httpjson - title: Agent logs - description: Collect agent logs from SentinelOne. - template_path: httpjson.yml.hbs - vars: - - name: initial_interval - type: text - title: Initial Interval - description: How far back to pull the agents from SentinelOne. - multi: false - required: true - show_user: true - default: 24h - - name: interval - type: text - title: Interval - description: Duration between requests to the SentinelOne API. - default: 5m - multi: false - required: true - show_user: true - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: false - default: - - forwarded - - sentinel_one-agent - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original`. - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: > - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. - diff --git a/packages/sentinel_one/1.2.2/data_stream/agent/sample_event.json b/packages/sentinel_one/1.2.2/data_stream/agent/sample_event.json deleted file mode 100755 index b6a6d3843e..0000000000 --- a/packages/sentinel_one/1.2.2/data_stream/agent/sample_event.json +++ /dev/null 
@@ -1,189 +0,0 @@ -{ - "@timestamp": "2022-04-07T08:31:47.481Z", - "agent": { - "ephemeral_id": "75ba6397-6106-475c-a560-f92de9e8ce2e", - "id": "15b19080-249c-49a5-801a-edf25c28dcfe", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "8.4.1" - }, - "data_stream": { - "dataset": "sentinel_one.agent", - "namespace": "ep", - "type": "logs" - }, - "ecs": { - "version": "8.4.0" - }, - "elastic_agent": { - "id": "15b19080-249c-49a5-801a-edf25c28dcfe", - "snapshot": false, - "version": "8.4.1" - }, - "event": { - "agent_id_status": "verified", - "category": [ - "host" - ], - "created": "2022-09-26T01:55:05.976Z", - "dataset": "sentinel_one.agent", - "ingested": "2022-09-26T01:55:07Z", - "kind": "event", - "original": "{\"accountId\":\"12345123451234512345\",\"accountName\":\"Account Name\",\"activeDirectory\":{\"computerDistinguishedName\":null,\"computerMemberOf\":[],\"lastUserDistinguishedName\":null,\"lastUserMemberOf\":[]},\"activeThreats\":7,\"agentVersion\":\"12.x.x.x\",\"allowRemoteShell\":true,\"appsVulnerabilityStatus\":\"not_applicable\",\"cloudProviders\":{},\"computerName\":\"user-test\",\"consoleMigrationStatus\":\"N/A\",\"coreCount\":2,\"cpuCount\":2,\"cpuId\":\"CPU Name\",\"createdAt\":\"2022-03-18T09:12:00.519500Z\",\"detectionState\":null,\"domain\":\"WORKGROUP\",\"encryptedApplications\":false,\"externalId\":\"\",\"externalIp\":\"81.2.69.143\",\"firewallEnabled\":true,\"firstFullModeTime\":null,\"groupId\":\"1234567890123456789\",\"groupIp\":\"81.2.69.x\",\"groupName\":\"Default 
Group\",\"id\":\"13491234512345\",\"inRemoteShellSession\":false,\"infected\":true,\"installerType\":\".msi\",\"isActive\":true,\"isDecommissioned\":false,\"isPendingUninstall\":false,\"isUninstalled\":false,\"isUpToDate\":true,\"lastActiveDate\":\"2022-03-17T09:51:28.506000Z\",\"lastIpToMgmt\":\"81.2.69.145\",\"lastLoggedInUserName\":\"\",\"licenseKey\":\"\",\"locationEnabled\":true,\"locationType\":\"not_applicable\",\"locations\":null,\"machineType\":\"server\",\"mitigationMode\":\"detect\",\"mitigationModeSuspicious\":\"detect\",\"modelName\":\"Compute Engine\",\"networkInterfaces\":[{\"gatewayIp\":\"81.2.69.145\",\"gatewayMacAddress\":\"00-00-5E-00-53-00\",\"id\":\"1234567890123456789\",\"inet\":[\"81.2.69.144\"],\"inet6\":[\"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6\"],\"name\":\"Ethernet\",\"physical\":\"00-00-5E-00-53-00\"}],\"networkQuarantineEnabled\":false,\"networkStatus\":\"connected\",\"operationalState\":\"na\",\"operationalStateExpiration\":null,\"osArch\":\"64 bit\",\"osName\":\"Linux Server\",\"osRevision\":\"1234\",\"osStartTime\":\"2022-04-06T08:27:14Z\",\"osType\":\"linux\",\"osUsername\":null,\"rangerStatus\":\"Enabled\",\"rangerVersion\":\"21.x.x.x\",\"registeredAt\":\"2022-04-06T08:26:45.515278Z\",\"remoteProfilingState\":\"disabled\",\"remoteProfilingStateExpiration\":null,\"scanAbortedAt\":null,\"scanFinishedAt\":\"2022-04-06T09:18:21.090855Z\",\"scanStartedAt\":\"2022-04-06T08:26:52.838047Z\",\"scanStatus\":\"finished\",\"siteId\":\"1234567890123456789\",\"siteName\":\"Default site\",\"storageName\":null,\"storageType\":null,\"tags\":{\"sentinelone\":[{\"assignedAt\":\"2018-02-27T04:49:26.257525Z\",\"assignedBy\":\"test-user\",\"assignedById\":\"123456789012345678\",\"id\":\"123456789012345678\",\"key\":\"key123\",\"value\":\"value123\"}]},\"threatRebootRequired\":false,\"totalMemory\":1234,\"updatedAt\":\"2022-04-07T08:31:47.481227Z\",\"userActionsNeeded\":[\"reboot_needed\"],\"uuid\":\"XXX35XXX8Xfb4aX0X1X8X12X343X8X30\"}", - "type": [ - 
"info" - ] - }, - "group": { - "id": "1234567890123456789", - "name": "Default Group" - }, - "host": { - "domain": "WORKGROUP", - "geo": { - "city_name": "London", - "continent_name": "Europe", - "country_iso_code": "GB", - "country_name": "United Kingdom", - "location": { - "lat": 51.5142, - "lon": -0.0931 - }, - "region_iso_code": "GB-ENG", - "region_name": "England" - }, - "id": "13491234512345", - "ip": "81.2.69.143", - "mac": [ - "00-00-5E-00-53-00" - ], - "name": "user-test", - "os": { - "name": "Linux Server", - "type": "linux", - "version": "1234" - } - }, - "input": { - "type": "httpjson" - }, - "observer": { - "version": "12.x.x.x" - }, - "related": { - "hosts": [ - "user-test", - "WORKGROUP" - ], - "ip": [ - "81.2.69.143", - "81.2.69.145", - "81.2.69.144", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6" - ] - }, - "sentinel_one": { - "agent": { - "account": { - "id": "12345123451234512345", - "name": "Account Name" - }, - "active_threats_count": 7, - "allow_remote_shell": true, - "apps_vulnerability_status": "not_applicable", - "console_migration_status": "N/A", - "core": { - "count": 2 - }, - "cpu": { - "count": 2, - "id": "CPU Name" - }, - "created_at": "2022-03-18T09:12:00.519Z", - "encrypted_application": false, - "firewall_enabled": true, - "group": { - "ip": "81.2.69.x" - }, - "in_remote_shell_session": false, - "infected": true, - "installer_type": ".msi", - "is_active": true, - "is_decommissioned": false, - "is_pending_uninstall": false, - "is_uninstalled": false, - "is_up_to_date": true, - "last_active_date": "2022-03-17T09:51:28.506Z", - "last_ip_to_mgmt": "81.2.69.145", - "location": { - "enabled": true, - "type": "not_applicable" - }, - "machine": { - "type": "server" - }, - "mitigation_mode": "detect", - "mitigation_mode_suspicious": "detect", - "model_name": "Compute Engine", - "network_interfaces": [ - { - "gateway": { - "ip": "81.2.69.145", - "mac": "00-00-5E-00-53-00" - }, - "id": "1234567890123456789", - "inet": [ - "81.2.69.144" - ], - 
"inet6": [ - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6" - ], - "name": "Ethernet" - } - ], - "network_quarantine_enabled": false, - "network_status": "connected", - "operational_state": "na", - "os": { - "arch": "64 bit", - "start_time": "2022-04-06T08:27:14.000Z" - }, - "ranger": { - "status": "Enabled", - "version": "21.x.x.x" - }, - "registered_at": "2022-04-06T08:26:45.515Z", - "remote_profiling_state": "disabled", - "scan": { - "finished_at": "2022-04-06T09:18:21.090Z", - "started_at": "2022-04-06T08:26:52.838Z", - "status": "finished" - }, - "site": { - "id": "1234567890123456789", - "name": "Default site" - }, - "tags": [ - { - "assigned_at": "2018-02-27T04:49:26.257Z", - "assigned_by": "test-user", - "assigned_by_id": "123456789012345678", - "id": "123456789012345678", - "key": "key123", - "value": "value123" - } - ], - "threat_reboot_required": false, - "total_memory": 1234, - "user_action_needed": [ - "reboot_needed" - ], - "uuid": "XXX35XXX8Xfb4aX0X1X8X12X343X8X30" - } - }, - "tags": [ - "preserve_original_event", - "forwarded", - "sentinel_one-agent" - ] -} \ No newline at end of file diff --git a/packages/sentinel_one/1.2.2/data_stream/alert/agent/stream/httpjson.yml.hbs b/packages/sentinel_one/1.2.2/data_stream/alert/agent/stream/httpjson.yml.hbs deleted file mode 100755 index 7b99acb278..0000000000 --- a/packages/sentinel_one/1.2.2/data_stream/alert/agent/stream/httpjson.yml.hbs +++ /dev/null 
@@ -1,51 +0,0 @@ -config_version: 2 -interval: {{interval}} -{{#if proxy_url }} -request.proxy_url: {{proxy_url}} -{{/if}} -{{#if ssl}} -request.ssl: {{ssl}} -{{/if}} -request.method: GET -request.url: {{url}}/web/api/v2.1/cloud-detection/alerts -request.transforms: - - set: - target: header.Authorization - value: 'ApiToken {{api_token}}' - - set: - target: url.params.limit - value: '100' - - set: - target: url.params.sortBy - value: 'alertInfoCreatedAt' - - set: - target: url.params.sortOrder - value: 'asc' - - set: - target: url.params.createdAt__gte - value: '[[formatDate (parseDate .cursor.last_create_at)]]' - default: '[[formatDate (now (parseDuration "-{{initial_interval}}"))]]' -response.pagination: - - set: - target: url.params.cursor - value: '[[if (ne .last_response.body.pagination.nextCursor nil)]][[.last_response.body.pagination.nextCursor]][[else]][[.last_response.terminate_pagination]][[end]]' - fail_on_template_error: true -cursor: - last_create_at: - value: '[[.last_event.alertInfo.createdAt]]' -response.split: - target: body.data -tags: -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#each tags as |tag|}} - - {{tag}} -{{/each}} -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} -{{#if processors}} -processors: -{{processors}} -{{/if}} diff --git a/packages/sentinel_one/1.2.2/data_stream/alert/elasticsearch/ingest_pipeline/default.yml b/packages/sentinel_one/1.2.2/data_stream/alert/elasticsearch/ingest_pipeline/default.yml deleted file mode 100755 index 4439b0c12c..0000000000 --- a/packages/sentinel_one/1.2.2/data_stream/alert/elasticsearch/ingest_pipeline/default.yml +++ /dev/null 
@@ -1,622 +0,0 @@ ---- -description: Pipeline for processing alert logs. -processors: - - set: - field: ecs.version - value: '8.4.0' - - set: - field: event.kind - value: event - - set: - field: event.category - value: [malware] - - set: - field: event.type - value: [info] - - rename: - field: message - target_field: event.original - ignore_missing: true - - json: - field: event.original - target_field: json - ignore_failure: true - - fingerprint: - fields: - - json.alertInfo.createdAt - - json.alertInfo.updatedAt - - json.alertInfo.alertId - target_field: _id - ignore_missing: true - - rename: - field: json.agentDetectionInfo.machineType - target_field: host.type - ignore_missing: true - - rename: - field: json.agentDetectionInfo.name - target_field: host.name - ignore_missing: true - - append: - field: related.hosts - value: '{{{host.name}}}' - if: ctx.host?.name != null - allow_duplicates: false - ignore_failure: true - - rename: - field: json.agentDetectionInfo.osFamily - target_field: host.os.family - ignore_missing: true - - rename: - field: json.agentDetectionInfo.osRevision - target_field: host.os.version - ignore_missing: true - - rename: - field: json.agentDetectionInfo.siteId - target_field: sentinel_one.alert.agent.site_id - ignore_missing: true - - rename: - field: json.agentDetectionInfo.uuid - target_field: observer.serial_number - ignore_missing: true - - rename: - field: json.agentDetectionInfo.osName - target_field: host.os.name - ignore_missing: true - - rename: - field: json.agentDetectionInfo.version - target_field: observer.version - ignore_missing: true - - date: - field: json.alertInfo.createdAt - target_field: '@timestamp' - if: ctx.json?.alertInfo?.createdAt != null - ignore_failure: true - formats: - - ISO8601 - - convert: - field: json.alertInfo.srcIp - target_field: source.ip - type: ip - ignore_failure: true - - append: - field: related.ip - value: '{{{source.ip}}}' - if: ctx.source?.ip != null - allow_duplicates: false - 
ignore_failure: true - - rename: - field: json.alertInfo.incidentStatus - target_field: sentinel_one.alert.info.status - ignore_missing: true - - rename: - field: json.alertInfo.registryOldValue - target_field: sentinel_one.alert.info.registry.old_value - ignore_missing: true - - rename: - field: json.alertInfo.alertId - target_field: event.id - ignore_missing: true - - convert: - field: json.alertInfo.dstPort - target_field: destination.port - type: long - ignore_failure: true - - rename: - field: json.alertInfo.indicatorName - target_field: sentinel_one.alert.info.indicator.name - ignore_missing: true - - rename: - field: json.alertInfo.registryPath - target_field: registry.path - ignore_missing: true - - rename: - field: json.alertInfo.loginType - target_field: sentinel_one.alert.info.login.type - ignore_missing: true - - convert: - field: json.alertInfo.dstIp - target_field: destination.ip - type: ip - ignore_failure: true - - append: - field: related.ip - value: '{{{destination.ip}}}' - if: ctx.destination?.ip != null - allow_duplicates: false - ignore_failure: true - - date: - field: json.alertInfo.updatedAt - target_field: sentinel_one.alert.info.updated_at - if: ctx.json?.alertInfo?.updatedAt != null - ignore_failure: true - formats: - - ISO8601 - - rename: - field: json.alertInfo.indicatorDescription - target_field: sentinel_one.alert.info.indicator.description - ignore_missing: true - - rename: - field: json.alertInfo.loginsUserName - target_field: user.name - ignore_missing: true - - append: - field: related.user - value: '{{{user.name}}}' - allow_duplicates: false - ignore_failure: true - - rename: - field: json.alertInfo.loginIsSuccessful - target_field: sentinel_one.alert.info.login.is_successful - ignore_missing: true - - rename: - field: json.alertInfo.indicatorCategory - target_field: sentinel_one.alert.info.indicator.category - ignore_missing: true - - rename: - field: json.alertInfo.modulePath - target_field: dll.path - ignore_missing: true - - 
rename: - field: json.alertInfo.loginAccountSid - target_field: sentinel_one.alert.info.login.account.sid - ignore_missing: true - - rename: - field: json.alertInfo.dnsResponse - target_field: sentinel_one.alert.info.dns.response - ignore_missing: true - - rename: - field: json.alertInfo.netEventDirection - target_field: network.direction - ignore_missing: true - if: ctx.json?.alertInfo?.netEventDirection != null && ['ingress', 'egress', 'inbound', 'outbound', 'internal', 'external', 'unknown'].contains(ctx.json.alertInfo.netEventDirection) - - rename: - field: json.alertInfo.registryValue - target_field: registry.value - ignore_missing: true - - convert: - field: json.alertInfo.srcMachineIp - target_field: host.ip - type: ip - ignore_failure: true - - append: - field: related.ip - value: '{{{host.ip}}}' - if: ctx.host?.ip != null - allow_duplicates: false - ignore_failure: true - - rename: - field: json.alertInfo.registryOldValueType - target_field: sentinel_one.alert.info.registry.old_value_type - ignore_missing: true - - rename: - field: json.alertInfo.eventType - target_field: sentinel_one.alert.info.event_type - ignore_missing: true - - rename: - field: json.alertInfo.analystVerdict - target_field: sentinel_one.alert.analyst_verdict - ignore_missing: true - - rename: - field: json.alertInfo.dvEventId - target_field: sentinel_one.alert.dv_event.id - ignore_missing: true - - rename: - field: json.alertInfo.dnsRequest - target_field: dns.question.name - ignore_missing: true - - rename: - field: json.alertInfo.loginIsAdministratorEquivalent - target_field: sentinel_one.alert.info.login.is_administrator - ignore_missing: true - - rename: - field: json.alertInfo.loginAccountDomain - target_field: user.domain - ignore_missing: true - - rename: - field: json.alertInfo.tiIndicatorType - target_field: sentinel_one.alert.info.ti_indicator.type - ignore_missing: true - - rename: - field: json.alertInfo.moduleSha1 - target_field: dll.hash.sha1 - ignore_missing: true - - 
append: - field: related.hash - value: '{{{dll.hash.sha1}}}' - if: ctx.dll?.hash?.sha1 != null - allow_duplicates: false - ignore_failure: true - - rename: - field: json.alertInfo.source - target_field: sentinel_one.alert.info.source - ignore_missing: true - - convert: - field: json.alertInfo.srcPort - target_field: source.port - type: long - ignore_failure: true - - rename: - field: json.alertInfo.tiIndicatorValue - target_field: sentinel_one.alert.info.ti_indicator.value - ignore_missing: true - - rename: - field: json.alertInfo.tiIndicatorSource - target_field: sentinel_one.alert.info.ti_indicator.source - ignore_missing: true - - date: - field: json.alertInfo.reportedAt - target_field: sentinel_one.alert.info.reported_at - if: ctx.json?.alertInfo?.reportedAt != null - ignore_failure: true - formats: - - ISO8601 - - rename: - field: json.alertInfo.registryKeyPath - target_field: registry.key - ignore_missing: true - - rename: - field: json.alertInfo.tiIndicatorComparisonMethod - target_field: sentinel_one.alert.info.ti_indicator.comparison_method - ignore_missing: true - - rename: - field: json.alertInfo.hitType - target_field: sentinel_one.alert.info.hit.type - ignore_missing: true - - rename: - field: json.containerInfo.id - target_field: container.id - ignore_missing: true - - rename: - field: json.containerInfo.image - target_field: container.image.name - ignore_missing: true - - rename: - field: json.containerInfo.labels - target_field: sentinel_one.alert.container.info.labels - ignore_missing: true - - rename: - field: json.containerInfo.name - target_field: container.name - ignore_missing: true - - rename: - field: json.kubernetesInfo.cluster - target_field: orchestrator.cluster.name - ignore_missing: true - - rename: - field: json.kubernetesInfo.controllerKind - target_field: sentinel_one.alert.kubernetes.controller.kind - ignore_missing: true - - rename: - field: json.kubernetesInfo.controllerLabels - target_field: 
sentinel_one.alert.kubernetes.controller.labels - ignore_missing: true - - rename: - field: json.kubernetesInfo.controllerName - target_field: sentinel_one.alert.kubernetes.controller.name - ignore_missing: true - - rename: - field: json.kubernetesInfo.namespace - target_field: orchestrator.namespace - ignore_missing: true - - rename: - field: json.kubernetesInfo.namespaceLabels - target_field: sentinel_one.alert.kubernetes.namespace.labels - ignore_missing: true - - rename: - field: json.kubernetesInfo.node - target_field: sentinel_one.alert.kubernetes.node - ignore_missing: true - - rename: - field: json.kubernetesInfo.pod - target_field: sentinel_one.alert.kubernetes.pod.name - ignore_missing: true - - rename: - field: json.kubernetesInfo.podLabels - target_field: sentinel_one.alert.kubernetes.pod.labels - ignore_missing: true - - rename: - field: json.osName - target_field: os.name - ignore_missing: true - - rename: - field: json.ruleInfo.type - target_field: rule.category - ignore_missing: true - - rename: - field: json.ruleInfo.description - target_field: rule.description - ignore_missing: true - - rename: - field: json.ruleInfo.id - target_field: rule.id - ignore_missing: true - - rename: - field: json.ruleInfo.name - target_field: rule.name - ignore_missing: true - - rename: - field: json.ruleInfo.scopeLevel - target_field: sentinel_one.alert.rule.scope_level - ignore_missing: true - - rename: - field: json.ruleInfo.severity - target_field: sentinel_one.alert.rule.severity - ignore_missing: true - - rename: - field: json.ruleInfo.treatAsThreat - target_field: sentinel_one.alert.rule.treat_as_threat - ignore_missing: true - - rename: - field: json.sourceParentProcessInfo.commandline - target_field: process.parent.command_line - ignore_missing: true - - rename: - field: json.sourceParentProcessInfo.fileHashMd5 - target_field: process.parent.hash.md5 - ignore_missing: true - - append: - field: related.hash - value: '{{{process.parent.hash.md5}}}' - if: 
ctx.process?.parent?.hash?.md5 != null - allow_duplicates: false - ignore_failure: true - - rename: - field: json.sourceParentProcessInfo.fileHashSha1 - target_field: process.parent.hash.sha1 - ignore_missing: true - - append: - field: related.hash - value: '{{{process.parent.hash.sha1}}}' - if: ctx.process?.parent?.hash?.sha1 != null - allow_duplicates: false - ignore_failure: true - - rename: - field: json.sourceParentProcessInfo.fileHashSha256 - target_field: process.parent.hash.sha256 - ignore_missing: true - - append: - field: related.hash - value: '{{{process.parent.hash.sha256}}}' - if: ctx.process?.parent?.hash?.sha256 != null - allow_duplicates: false - ignore_failure: true - - rename: - field: json.sourceParentProcessInfo.filePath - target_field: process.parent.executable - ignore_missing: true - - rename: - field: json.sourceParentProcessInfo.fileSignerIdentity - target_field: process.parent.code_signature.signing_id - ignore_missing: true - - rename: - field: json.sourceParentProcessInfo.integrityLevel - target_field: sentinel_one.alert.process.parent.integrity_level - ignore_missing: true - - rename: - field: json.sourceParentProcessInfo.name - target_field: process.parent.name - ignore_missing: true - - convert: - field: json.sourceParentProcessInfo.pid - target_field: process.parent.pid - type: long - ignore_failure: true - - date: - field: json.sourceParentProcessInfo.pidStarttime - target_field: process.parent.start - if: ctx.json?.sourceParentProcessInfo?.pidStarttime != null - ignore_failure: true - formats: - - ISO8601 - - rename: - field: json.sourceParentProcessInfo.storyline - target_field: sentinel_one.alert.process.parent.storyline - ignore_missing: true - - rename: - field: json.sourceParentProcessInfo.subsystem - target_field: sentinel_one.alert.process.parent.subsystem - ignore_missing: true - - rename: - field: json.sourceParentProcessInfo.uniqueId - target_field: process.parent.entity_id - ignore_missing: true - - rename: - field: 
json.sourceParentProcessInfo.user - target_field: process.parent.user.name - ignore_missing: true - - rename: - field: json.sourceProcessInfo.commandline - target_field: process.command_line - ignore_missing: true - - rename: - field: json.sourceProcessInfo.fileHashMd5 - target_field: process.hash.md5 - ignore_missing: true - - append: - field: related.hash - value: '{{{process.hash.md5}}}' - if: ctx.process?.hash?.md5 != null - allow_duplicates: false - ignore_failure: true - - rename: - field: json.sourceProcessInfo.fileHashSha1 - target_field: process.hash.sha1 - ignore_missing: true - - append: - field: related.hash - value: '{{{process.hash.sha1}}}' - if: ctx.process?.hash?.sha1 != null - allow_duplicates: false - ignore_failure: true - - rename: - field: json.sourceProcessInfo.fileHashSha256 - target_field: process.hash.sha256 - ignore_missing: true - - append: - field: related.hash - value: '{{{process.hash.sha256}}}' - if: ctx.process?.hash?.sha256 != null - allow_duplicates: false - ignore_failure: true - - rename: - field: json.sourceProcessInfo.filePath - target_field: process.executable - ignore_missing: true - - rename: - field: json.sourceProcessInfo.fileSignerIdentity - target_field: process.code_signature.signing_id - ignore_missing: true - - rename: - field: json.sourceProcessInfo.integrityLevel - target_field: sentinel_one.alert.process.integrity_level - ignore_missing: true - - rename: - field: json.sourceProcessInfo.name - target_field: process.name - ignore_missing: true - - convert: - field: json.sourceProcessInfo.pid - target_field: process.pid - type: long - ignore_failure: true - - date: - field: json.sourceProcessInfo.pidStarttime - target_field: process.start - if: ctx.json?.sourceProcessInfo?.pidStarttime != null - ignore_failure: true - formats: - - ISO8601 - - rename: - field: json.sourceProcessInfo.storyline - target_field: sentinel_one.alert.process.storyline - ignore_missing: true - - rename: - field: 
json.sourceProcessInfo.subsystem - target_field: sentinel_one.alert.process.subsystem - ignore_missing: true - - rename: - field: json.sourceProcessInfo.uniqueId - target_field: process.entity_id - ignore_missing: true - - rename: - field: json.sourceProcessInfo.user - target_field: process.user.name - ignore_missing: true - - date: - field: json.targetProcessInfo.tgtFileCreatedAt - target_field: file.created - if: ctx.json?.targetProcessInfo?.tgtFileCreatedAt != null - ignore_failure: true - formats: - - ISO8601 - - rename: - field: json.targetProcessInfo.tgtFileIsSigned - target_field: sentinel_one.alert.target.process.file.is_signed - ignore_missing: true - - rename: - field: json.targetProcessInfo.tgtFileOldPath - target_field: sentinel_one.alert.target.process.file.old_path - ignore_missing: true - - rename: - field: json.targetProcessInfo.tgtProcImagePath - target_field: sentinel_one.alert.target.process.proc.image_path - ignore_missing: true - - rename: - field: json.targetProcessInfo.tgtProcSignedStatus - target_field: sentinel_one.alert.target.process.proc.signed_status - ignore_missing: true - - rename: - field: json.targetProcessInfo.tgtFileHashSha256 - target_field: sentinel_one.alert.target.process.file.hash.sha256 - ignore_missing: true - - append: - field: related.hash - value: '{{{sentinel_one.alert.target.process.file.hash.sha256}}}' - if: ctx.sentinel_one?.alert?.target?.process?.file?.hash?.sha256 != null - allow_duplicates: false - ignore_failure: true - - rename: - field: json.targetProcessInfo.tgtProcStorylineId - target_field: sentinel_one.alert.target.process.proc.storyline_id - ignore_missing: true - - convert: - field: json.targetProcessInfo.tgtProcPid - target_field: sentinel_one.alert.target.process.proc.pid - type: long - ignore_failure: true - - rename: - field: json.targetProcessInfo.tgtProcCmdLine - target_field: sentinel_one.alert.target.process.proc.cmdline - ignore_missing: true - - rename: - field: 
json.targetProcessInfo.tgtProcName - target_field: sentinel_one.alert.target.process.proc.name - ignore_missing: true - - date: - field: json.targetProcessInfo.tgtFileModifiedAt - target_field: file.mtime - if: ctx.json?.targetProcessInfo?.tgtFileModifiedAt != null - ignore_failure: true - formats: - - ISO8601 - - rename: - field: json.targetProcessInfo.tgtFileId - target_field: sentinel_one.alert.target.process.file.id - ignore_missing: true - - rename: - field: json.targetProcessInfo.tgtProcIntegrityLevel - target_field: sentinel_one.alert.target.process.proc.integrity_level - ignore_missing: true - - rename: - field: json.targetProcessInfo.tgtFileHashSha1 - target_field: sentinel_one.alert.target.process.file.hash.sha1 - ignore_missing: true - - append: - field: related.hash - value: '{{{sentinel_one.alert.target.process.file.hash.sha1}}}' - if: ctx.sentinel_one?.alert?.target?.process?.file?.hash?.sha1 != null - allow_duplicates: false - ignore_failure: true - - rename: - field: json.targetProcessInfo.tgtProcUid - target_field: sentinel_one.alert.target.process.proc.uid - ignore_missing: true - - date: - field: json.targetProcessInfo.tgtProcessStartTime - target_field: sentinel_one.alert.target.process.start_time - if: ctx.json?.targetProcessInfo?.tgtProcessStartTime != null - ignore_failure: true - formats: - - ISO8601 - - rename: - field: json.targetProcessInfo.tgtFilePath - target_field: sentinel_one.alert.target.process.file.path - ignore_missing: true - - remove: - field: json - - remove: - field: event.original - if: ctx.tags == null || !(ctx.tags.contains('preserve_original_event')) - ignore_failure: true - ignore_missing: true - - script: - description: Drops null/empty values recursively. 
- lang: painless - source: - boolean dropEmptyFields(Object object) { - if (object == null || object == "") { - return true; - } else if (object instanceof Map) { - ((Map) object).values().removeIf(value -> dropEmptyFields(value)); - return (((Map) object).size() == 0); - } else if (object instanceof List) { - ((List) object).removeIf(value -> dropEmptyFields(value)); - return (((List) object).length == 0); - } - return false; - } - dropEmptyFields(ctx); -on_failure: -- set: - field: error.message - value: '{{ _ingest.on_failure_message }}' diff --git a/packages/sentinel_one/1.2.2/data_stream/alert/fields/agent.yml b/packages/sentinel_one/1.2.2/data_stream/alert/fields/agent.yml deleted file mode 100755 index 6e1bac042b..0000000000 --- a/packages/sentinel_one/1.2.2/data_stream/alert/fields/agent.yml +++ /dev/null 
@@ -1,186 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - -- name: input.type - type: keyword - description: Input type -- name: log.offset - type: long - description: Log offset 
diff --git a/packages/sentinel_one/1.2.2/data_stream/alert/fields/base-fields.yml b/packages/sentinel_one/1.2.2/data_stream/alert/fields/base-fields.yml
deleted file mode 100755
index 33fc797d19..0000000000
--- a/packages/sentinel_one/1.2.2/data_stream/alert/fields/base-fields.yml
+++ /dev/null
@@ -1,20 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: event.module
- type: constant_keyword
- description: Event module
- value: sentinel_one
-- name: event.dataset
- type: constant_keyword
- description: Event dataset
- value: sentinel_one.alert
-- name: '@timestamp'
- type: date
- description: Event timestamp.
diff --git a/packages/sentinel_one/1.2.2/data_stream/alert/fields/ecs.yml b/packages/sentinel_one/1.2.2/data_stream/alert/fields/ecs.yml
deleted file mode 100755
index ca1bbd8918..0000000000
--- a/packages/sentinel_one/1.2.2/data_stream/alert/fields/ecs.yml
+++ /dev/null
@@ -1,265 +0,0 @@ -- description: IP address of the destination (IPv4 or IPv6). - name: destination.ip - type: ip -- description: Port of the destination. - name: destination.port - type: long -- description: SHA1 hash. - name: dll.hash.sha1 - type: keyword -- description: Full file path of the library. - name: dll.path - type: keyword -- description: |- - The name being queried. - If the name field contains non-printable characters (below 32 or above 126), those characters should be represented as escaped base 10 integers (\DDD). Back slashes and quotes should be escaped. Tabs, carriage returns, and line feeds should be converted to \t, \r, and \n respectively. - name: dns.question.name - type: keyword -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. This will allow proper categorization of some events that fall in multiple categories. - name: event.category - normalize: - - array - type: keyword -- description: |- - event.created contains the date/time when the event was first read by an agent, or by your pipeline. - This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. - In most situations, these two timestamps will be slightly different. 
The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. - In case the two timestamps are identical, @timestamp should be used. - name: event.created - type: date -- description: Unique ID to describe the event. - name: event.id - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: |- - Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. - This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. - doc_values: false - index: false - name: event.original - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. - `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. 
This will allow proper categorization of some events that fall in multiple event types. - name: event.type - normalize: - - array - type: keyword -- description: |- - File creation time. - Note that not all filesystems store the creation time. - name: file.created - type: date -- description: Last time the file content was modified. - name: file.mtime - type: date -- description: |- - Direction of the network traffic. - When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". - When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". - Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. - name: network.direction - type: keyword -- description: Observer serial number. - name: observer.serial_number - type: keyword -- description: Observer version. - name: observer.version - type: keyword -- description: Name of the cluster. - name: orchestrator.cluster.name - type: keyword -- description: Namespace in which the action is taking place. - name: orchestrator.namespace - type: keyword -- description: Operating system name, without the version. - multi_fields: - - name: text - type: match_only_text - name: os.name - type: keyword -- description: |- - The identifier used to sign the process. - This is used to identify the application manufactured by a software vendor. The field is relevant to Apple *OS only. 
- name: process.code_signature.signing_id - type: keyword -- description: |- - Full command line that started the process, including the absolute path to the executable, and all arguments. - Some arguments may be filtered to protect sensitive information. - multi_fields: - - name: text - type: match_only_text - name: process.command_line - type: wildcard -- description: |- - Unique identifier for the process. - The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. - Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. - name: process.entity_id - type: keyword -- description: Absolute path to the process executable. - multi_fields: - - name: text - type: match_only_text - name: process.executable - type: keyword -- description: MD5 hash. - name: process.hash.md5 - type: keyword -- description: SHA1 hash. - name: process.hash.sha1 - type: keyword -- description: SHA256 hash. - name: process.hash.sha256 - type: keyword -- description: |- - Process name. - Sometimes called program name or similar. - multi_fields: - - name: text - type: match_only_text - name: process.name - type: keyword -- description: |- - The identifier used to sign the process. - This is used to identify the application manufactured by a software vendor. The field is relevant to Apple *OS only. - name: process.parent.code_signature.signing_id - type: keyword -- description: |- - Full command line that started the process, including the absolute path to the executable, and all arguments. - Some arguments may be filtered to protect sensitive information. - multi_fields: - - name: text - type: match_only_text - name: process.parent.command_line - type: wildcard -- description: |- - Unique identifier for the process. 
- The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. - Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. - name: process.parent.entity_id - type: keyword -- description: Absolute path to the process executable. - multi_fields: - - name: text - type: match_only_text - name: process.parent.executable - type: keyword -- description: MD5 hash. - name: process.parent.hash.md5 - type: keyword -- description: SHA1 hash. - name: process.parent.hash.sha1 - type: keyword -- description: SHA256 hash. - name: process.parent.hash.sha256 - type: keyword -- description: |- - Process name. - Sometimes called program name or similar. - multi_fields: - - name: text - type: match_only_text - name: process.parent.name - type: keyword -- description: Process id. - name: process.parent.pid - type: long -- description: The time the process started. - name: process.parent.start - type: date -- description: Short name or login of the user. - multi_fields: - - name: text - type: match_only_text - name: process.parent.user.name - type: keyword -- description: Process id. - name: process.pid - type: long -- description: The time the process started. - name: process.start - type: date -- description: Short name or login of the user. - multi_fields: - - name: text - type: match_only_text - name: process.user.name - type: keyword -- description: Hive-relative path of keys. - name: registry.key - type: keyword -- description: Full path, including hive, key and value - name: registry.path - type: keyword -- description: Name of the value written. - name: registry.value - type: keyword -- description: All the hashes seen on your event. 
Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). - name: related.hash - normalize: - - array - type: keyword -- description: All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. - name: related.hosts - normalize: - - array - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - normalize: - - array - type: ip -- description: All the user names or other user identifiers seen on the event. - name: related.user - normalize: - - array - type: keyword -- description: A categorization value keyword used by the entity using the rule for detection of this event. - name: rule.category - type: keyword -- description: The description of the rule generating the event. - name: rule.description - type: keyword -- description: A rule ID that is unique within the scope of an agent, observer, or other entity using the rule for detection of this event. - name: rule.id - type: keyword -- description: The name of the rule or signature generating the event. - name: rule.name - type: keyword -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: Port of the source. - name: source.port - type: long -- description: List of keywords used to tag each event. - name: tags - normalize: - - array - type: keyword -- description: |- - Name of the directory the user is a member of. - For example, an LDAP or Active Directory domain name. - name: user.domain - type: keyword -- description: Short name or login of the user. - multi_fields: - - name: text - type: match_only_text - name: user.name - type: keyword diff --git a/packages/sentinel_one/1.2.2/data_stream/alert/fields/fields.yml b/packages/sentinel_one/1.2.2/data_stream/alert/fields/fields.yml deleted file mode 100755 index 1a86a7a3a8..0000000000 
--- a/packages/sentinel_one/1.2.2/data_stream/alert/fields/fields.yml +++ /dev/null 
@@ -1,243 +0,0 @@ -- name: sentinel_one.alert - type: group - fields: - - name: agent - type: group - fields: - - name: site_id - type: keyword - description: Site id. - - name: analyst_verdict - type: keyword - description: Analyst verdict. - - name: container - type: group - fields: - - name: info - type: group - fields: - - name: labels - type: keyword - description: Container info labels. - - name: dv_event - type: group - fields: - - name: id - type: keyword - description: DV event id. - - name: info - type: group - fields: - - name: dns - type: group - fields: - - name: response - type: keyword - description: IP address, DNS, type, etc. in response. - - name: event_type - type: keyword - description: Event type. - - name: hit - type: group - fields: - - name: type - type: keyword - description: Type of hit reported from agent. - - name: indicator - type: group - fields: - - name: category - type: keyword - description: Indicator categories for this process. - - name: description - type: keyword - description: Indicator_description. - - name: name - type: keyword - description: Indicator names for this process. - - name: login - type: group - fields: - - name: account - type: group - fields: - - name: sid - type: keyword - description: SID of the account that attempted to login. - - name: is_administrator - type: keyword - description: Is the login attempt administrator equivalent. - - name: is_successful - type: keyword - description: Was the login attempt successful. - - name: type - type: keyword - description: Type of login which was performed. - - name: registry - type: group - fields: - - name: old_value - type: keyword - description: Registry previous value (in case of modification). - - name: old_value_type - type: keyword - description: Registry previous value type (in case of modification). - - name: reported_at - type: date - description: Timestamp of alert creation in STAR. - - name: source - type: keyword - description: Source reported from agent. 
- - name: status - type: keyword - description: Incident status. - - name: ti_indicator - type: group - fields: - - name: comparison_method - type: keyword - description: The comparison method used by SentinelOne to trigger the event. - - name: source - type: keyword - description: The value of the identified Threat Intelligence indicator. - - name: type - type: keyword - description: The type of the identified Threat Intelligence indicator. - - name: value - type: keyword - description: The value of the identified Threat Intelligence indicator. - - name: updated_at - type: date - description: Date of alert updated in Star MMS. - - name: kubernetes - type: group - fields: - - name: controller - type: group - fields: - - name: kind - type: keyword - description: Controller kind. - - name: labels - type: keyword - description: Controller labels. - - name: name - type: keyword - description: Controller name. - - name: namespace - type: group - fields: - - name: labels - type: keyword - description: Namespace labels. - - name: node - type: keyword - description: Node. - - name: pod - type: group - fields: - - name: labels - type: keyword - description: Pod Labels. - - name: name - type: keyword - description: Pod name. - - name: process - type: group - fields: - - name: integrity_level - type: keyword - description: Integrity level. - - name: parent - type: group - fields: - - name: integrity_level - type: keyword - description: Integrity level. - - name: storyline - type: keyword - description: StoryLine. - - name: subsystem - type: keyword - description: Subsystem. - - name: storyline - type: keyword - description: StoryLine. - - name: subsystem - type: keyword - description: Subsystem. - - name: rule - type: group - fields: - - name: scope_level - type: keyword - description: Scope level. - - name: severity - type: keyword - description: Rule severity. - - name: treat_as_threat - type: keyword - description: Rule treat as threat type. 
- - name: target - type: group - fields: - - name: process - type: group - fields: - - name: file - type: group - fields: - - name: hash - type: group - fields: - - name: sha1 - type: keyword - description: SHA1 Signature of File. - - name: sha256 - type: keyword - description: SHA256 Signature of File. - - name: id - type: keyword - description: Unique ID of file. - - name: is_signed - type: keyword - description: Is fle signed. - - name: old_path - type: keyword - description: Old path before 'Rename'. - - name: path - type: keyword - description: Path and filename. - - name: proc - type: group - fields: - - name: cmdline - type: keyword - description: Target Process Command Line. - - name: image_path - type: keyword - description: Target Process Image path - - name: integrity_level - type: keyword - description: Integrity level of target process. - - name: name - type: keyword - description: Target Process Name. - - name: pid - type: long - description: Target Process ID (PID). - - name: signed_status - type: keyword - description: Target Process Signed Status. - - name: storyline_id - type: keyword - description: Target Process StoryLine ID. - - name: uid - type: keyword - description: Target Process Unique ID. - - name: start_time - type: date - description: Target Process Start Time. -- name: log.source.address - type: keyword - description: Source address from which the log event was read / sent from. diff --git a/packages/sentinel_one/1.2.2/data_stream/alert/manifest.yml b/packages/sentinel_one/1.2.2/data_stream/alert/manifest.yml deleted file mode 100755 index 3aeb57a47b..0000000000 --- a/packages/sentinel_one/1.2.2/data_stream/alert/manifest.yml +++ /dev/null 
@@ -1,50 +0,0 @@ -title: Collect Alert logs from SentinelOne -type: logs -streams: - - input: httpjson - title: Alert logs - description: Collect alert logs from SentinelOne. - template_path: httpjson.yml.hbs - vars: - - name: initial_interval - type: text - title: Initial Interval - description: How far back to pull the alerts from SentinelOne. - multi: false - required: true - show_user: true - default: 24h - - name: interval - type: text - title: Interval - description: Duration between requests to the SentinelOne API. - default: 5m - multi: false - required: true - show_user: true - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: false - default: - - forwarded - - sentinel_one-alert - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original`. - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: > - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. - diff --git a/packages/sentinel_one/1.2.2/data_stream/alert/sample_event.json b/packages/sentinel_one/1.2.2/data_stream/alert/sample_event.json deleted file mode 100755 index 4f0cea14ef..0000000000 --- a/packages/sentinel_one/1.2.2/data_stream/alert/sample_event.json +++ /dev/null 
@@ -1,270 +0,0 @@ -{ - "@timestamp": "2018-02-27T04:49:26.257Z", - "agent": { - "ephemeral_id": "e13a5cfd-1c28-4abc-b09c-940f6d1dfc6f", - "id": "15b19080-249c-49a5-801a-edf25c28dcfe", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "8.4.1" - }, - "container": { - "id": "string", - "image": { - "name": "string" - }, - "name": "string" - }, - "data_stream": { - "dataset": "sentinel_one.alert", - "namespace": "ep", - "type": "logs" - }, - "destination": { - "ip": "0.0.0.0", - "port": 1234 - }, - "dll": { - "hash": { - "sha1": "aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d" - }, - "path": "string" - }, - "dns": { - "question": { - "name": "string" - } - }, - "ecs": { - "version": "8.4.0" - }, - "elastic_agent": { - "id": "15b19080-249c-49a5-801a-edf25c28dcfe", - "snapshot": false, - "version": "8.4.1" - }, - "event": { - "agent_id_status": "verified", - "category": [ - "malware" - ], - "created": "2022-09-26T01:55:44.088Z", - "dataset": "sentinel_one.alert", - "id": "123456789123456789", - "ingested": "2022-09-26T01:55:47Z", - "kind": "event", - "original": 
"{\"agentDetectionInfo\":{\"machineType\":\"string\",\"name\":\"string\",\"osFamily\":\"string\",\"osName\":\"string\",\"osRevision\":\"string\",\"siteId\":\"123456789123456789\",\"uuid\":\"string\",\"version\":\"3.x.x.x\"},\"alertInfo\":{\"alertId\":\"123456789123456789\",\"analystVerdict\":\"string\",\"createdAt\":\"2018-02-27T04:49:26.257525Z\",\"dnsRequest\":\"string\",\"dnsResponse\":\"string\",\"dstIp\":\"0.0.0.0\",\"dstPort\":\"1234\",\"dvEventId\":\"string\",\"eventType\":\"string\",\"hitType\":\"Events\",\"incidentStatus\":\"string\",\"indicatorCategory\":\"string\",\"indicatorDescription\":\"string\",\"indicatorName\":\"string\",\"loginAccountDomain\":\"string\",\"loginAccountSid\":\"string\",\"loginIsAdministratorEquivalent\":\"string\",\"loginIsSuccessful\":\"string\",\"loginType\":\"string\",\"loginsUserName\":\"string\",\"modulePath\":\"string\",\"moduleSha1\":\"aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d\",\"netEventDirection\":\"string\",\"registryKeyPath\":\"string\",\"registryOldValue\":\"string\",\"registryOldValueType\":\"string\",\"registryPath\":\"string\",\"registryValue\":\"string\",\"reportedAt\":\"2018-02-27T04:49:26.257525Z\",\"source\":\"string\",\"srcIp\":\"0.0.0.0\",\"srcMachineIp\":\"0.0.0.0\",\"srcPort\":\"string\",\"tiIndicatorComparisonMethod\":\"string\",\"tiIndicatorSource\":\"string\",\"tiIndicatorType\":\"string\",\"tiIndicatorValue\":\"string\",\"updatedAt\":\"2018-02-27T04:49:26.257525Z\"},\"containerInfo\":{\"id\":\"string\",\"image\":\"string\",\"labels\":\"string\",\"name\":\"string\"},\"kubernetesInfo\":{\"cluster\":\"string\",\"controllerKind\":\"string\",\"controllerLabels\":\"string\",\"controllerName\":\"string\",\"namespace\":\"string\",\"namespaceLabels\":\"string\",\"node\":\"string\",\"pod\":\"string\",\"podLabels\":\"string\"},\"ruleInfo\":{\"description\":\"string\",\"id\":\"string\",\"name\":\"string\",\"scopeLevel\":\"string\",\"severity\":\"Low\",\"treatAsThreat\":\"UNDEFINED\"},\"sourceParentProcessInfo\":{\"com
mandline\":\"string\",\"fileHashMd5\":\"5d41402abc4b2a76b9719d911017c592\",\"fileHashSha1\":\"aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d\",\"fileHashSha256\":\"2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824\",\"filePath\":\"string\",\"fileSignerIdentity\":\"string\",\"integrityLevel\":\"unknown\",\"name\":\"string\",\"pid\":\"12345\",\"pidStarttime\":\"2018-02-27T04:49:26.257525Z\",\"storyline\":\"string\",\"subsystem\":\"unknown\",\"uniqueId\":\"string\",\"user\":\"string\"},\"sourceProcessInfo\":{\"commandline\":\"string\",\"fileHashMd5\":\"5d41402abc4b2a76b9719d911017c592\",\"fileHashSha1\":\"aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d\",\"fileHashSha256\":\"2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824\",\"filePath\":\"string\",\"fileSignerIdentity\":\"string\",\"integrityLevel\":\"unknown\",\"name\":\"string\",\"pid\":\"12345\",\"pidStarttime\":\"2018-02-27T04:49:26.257525Z\",\"storyline\":\"string\",\"subsystem\":\"unknown\",\"uniqueId\":\"string\",\"user\":\"string\"},\"targetProcessInfo\":{\"tgtFileCreatedAt\":\"2018-02-27T04:49:26.257525Z\",\"tgtFileHashSha1\":\"aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d\",\"tgtFileHashSha256\":\"2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824\",\"tgtFileId\":\"string\",\"tgtFileIsSigned\":\"string\",\"tgtFileModifiedAt\":\"2018-02-27T04:49:26.257525Z\",\"tgtFileOldPath\":\"string\",\"tgtFilePath\":\"string\",\"tgtProcCmdLine\":\"string\",\"tgtProcImagePath\":\"string\",\"tgtProcIntegrityLevel\":\"unknown\",\"tgtProcName\":\"string\",\"tgtProcPid\":\"12345\",\"tgtProcSignedStatus\":\"string\",\"tgtProcStorylineId\":\"string\",\"tgtProcUid\":\"string\",\"tgtProcessStartTime\":\"2018-02-27T04:49:26.257525Z\"}}", - "type": [ - "info" - ] - }, - "file": { - "created": "2018-02-27T04:49:26.257Z", - "mtime": "2018-02-27T04:49:26.257Z" - }, - "host": { - "ip": "0.0.0.0", - "name": "string", - "os": { - "family": "string", - "name": "string", - "version": "string" - }, - "type": 
"string" - }, - "input": { - "type": "httpjson" - }, - "observer": { - "serial_number": "string", - "version": "3.x.x.x" - }, - "orchestrator": { - "cluster": { - "name": "string" - }, - "namespace": "string" - }, - "process": { - "code_signature": { - "signing_id": "string" - }, - "command_line": "string", - "entity_id": "string", - "executable": "string", - "hash": { - "md5": "5d41402abc4b2a76b9719d911017c592", - "sha1": "aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d", - "sha256": "2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824" - }, - "name": "string", - "parent": { - "code_signature": { - "signing_id": "string" - }, - "command_line": "string", - "entity_id": "string", - "executable": "string", - "hash": { - "md5": "5d41402abc4b2a76b9719d911017c592", - "sha1": "aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d", - "sha256": "2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824" - }, - "name": "string", - "pid": 12345, - "start": "2018-02-27T04:49:26.257Z", - "user": { - "name": "string" - } - }, - "pid": 12345, - "start": "2018-02-27T04:49:26.257Z", - "user": { - "name": "string" - } - }, - "registry": { - "key": "string", - "path": "string", - "value": "string" - }, - "related": { - "hash": [ - "aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d", - "5d41402abc4b2a76b9719d911017c592", - "2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824" - ], - "hosts": [ - "string" - ], - "ip": [ - "0.0.0.0" - ], - "user": [ - "string" - ] - }, - "rule": { - "description": "string", - "id": "string", - "name": "string" - }, - "sentinel_one": { - "alert": { - "agent": { - "site_id": "123456789123456789" - }, - "analyst_verdict": "string", - "container": { - "info": { - "labels": "string" - } - }, - "dv_event": { - "id": "string" - }, - "info": { - "dns": { - "response": "string" - }, - "event_type": "string", - "hit": { - "type": "Events" - }, - "indicator": { - "category": "string", - "description": "string", - "name": "string" - }, - "login": { - 
"account": { - "sid": "string" - }, - "is_administrator": "string", - "is_successful": "string", - "type": "string" - }, - "registry": { - "old_value": "string", - "old_value_type": "string" - }, - "reported_at": "2018-02-27T04:49:26.257Z", - "source": "string", - "status": "string", - "ti_indicator": { - "comparison_method": "string", - "source": "string", - "type": "string", - "value": "string" - }, - "updated_at": "2018-02-27T04:49:26.257Z" - }, - "kubernetes": { - "controller": { - "kind": "string", - "labels": "string", - "name": "string" - }, - "namespace": { - "labels": "string" - }, - "node": "string", - "pod": { - "labels": "string", - "name": "string" - } - }, - "process": { - "integrity_level": "unknown", - "parent": { - "integrity_level": "unknown", - "storyline": "string", - "subsystem": "unknown" - }, - "storyline": "string", - "subsystem": "unknown" - }, - "rule": { - "scope_level": "string", - "severity": "Low", - "treat_as_threat": "UNDEFINED" - }, - "target": { - "process": { - "file": { - "hash": { - "sha1": "aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d", - "sha256": "2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824" - }, - "id": "string", - "is_signed": "string", - "old_path": "string", - "path": "string" - }, - "proc": { - "cmdline": "string", - "image_path": "string", - "integrity_level": "unknown", - "name": "string", - "pid": 12345, - "signed_status": "string", - "storyline_id": "string", - "uid": "string" - }, - "start_time": "2018-02-27T04:49:26.257Z" - } - } - } - }, - "source": { - "ip": "0.0.0.0" - }, - "tags": [ - "preserve_original_event", - "forwarded", - "sentinel_one-alert" - ], - "user": { - "domain": "string", - "name": "string" - } -} \ No newline at end of file diff --git a/packages/sentinel_one/1.2.2/data_stream/group/agent/stream/httpjson.yml.hbs b/packages/sentinel_one/1.2.2/data_stream/group/agent/stream/httpjson.yml.hbs deleted file mode 100755 index ab9e91fdfe..0000000000 
--- a/packages/sentinel_one/1.2.2/data_stream/group/agent/stream/httpjson.yml.hbs +++ /dev/null @@ -1,51 +0,0 @@ -config_version: 2 -interval: {{interval}} -{{#if proxy_url }} -request.proxy_url: {{proxy_url}} -{{/if}} -{{#if ssl}} -request.ssl: {{ssl}} -{{/if}} -request.method: GET -request.url: {{url}}/web/api/v2.1/groups -request.transforms: - - set: - target: header.Authorization - value: 'ApiToken {{api_token}}' - - set: - target: url.params.limit - value: '100' - - set: - target: url.params.sortBy - value: 'updatedAt' - - set: - target: url.params.sortOrder - value: 'asc' - - set: - target: url.params.updatedAt__gte - value: '[[formatDate (parseDate .cursor.last_update_at)]]' - default: '[[formatDate (now (parseDuration "-{{initial_interval}}"))]]' -response.pagination: - - set: - target: url.params.cursor - value: '[[if (ne .last_response.body.pagination.nextCursor nil)]][[.last_response.body.pagination.nextCursor]][[else]][[.last_response.terminate_pagination]][[end]]' - fail_on_template_error: true -cursor: - last_update_at: - value: '[[.last_event.updatedAt]]' -response.split: - target: body.data -tags: -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#each tags as |tag|}} - - {{tag}} -{{/each}} -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} -{{#if processors}} -processors: -{{processors}} -{{/if}} diff --git a/packages/sentinel_one/1.2.2/data_stream/group/elasticsearch/ingest_pipeline/default.yml b/packages/sentinel_one/1.2.2/data_stream/group/elasticsearch/ingest_pipeline/default.yml deleted file mode 100755 index 969198b565..0000000000 --- a/packages/sentinel_one/1.2.2/data_stream/group/elasticsearch/ingest_pipeline/default.yml +++ /dev/null 
@@ -1,133 +0,0 @@ ---- -description: Pipeline for processing group logs. -processors: - - set: - field: ecs.version - value: '8.4.0' - - set: - field: event.kind - value: event - - set: - field: event.category - value: [iam] - - set: - field: event.type - value: [info] - - rename: - field: message - target_field: event.original - ignore_missing: true - - json: - field: event.original - target_field: json - ignore_failure: true - - fingerprint: - fields: - - json.createdAt - - json.updatedAt - - json.id - target_field: _id - ignore_missing: true - - date: - field: json.updatedAt - target_field: '@timestamp' - formats: - - ISO8601 - ignore_failure: true - - date: - field: json.createdAt - target_field: sentinel_one.group.created_at - formats: - - ISO8601 - ignore_failure: true - - rename: - field: json.creator - target_field: user.full_name - ignore_missing: true - - append: - field: related.user - value: '{{{user.full_name}}}' - if: ctx.user?.full_name != null - allow_duplicates: false - ignore_failure: true - - rename: - field: json.creatorId - target_field: sentinel_one.group.creator.id - ignore_missing: true - - rename: - field: json.filterId - target_field: sentinel_one.group.filter.id - ignore_missing: true - - rename: - field: json.filterName - target_field: sentinel_one.group.filter.name - ignore_missing: true - - rename: - field: json.id - target_field: group.id - ignore_missing: true - - convert: - field: json.inherits - target_field: sentinel_one.group.inherits - type: boolean - ignore_failure: true - - convert: - field: json.isDefault - target_field: sentinel_one.group.is_default - type: boolean - ignore_failure: true - - rename: - field: json.name - target_field: group.name - ignore_missing: true - - convert: - field: json.rank - target_field: sentinel_one.group.rank - type: long - ignore_failure: true - - rename: - field: json.registrationToken - target_field: sentinel_one.group.registration_token - ignore_missing: true - - rename: - field: json.siteId 
- target_field: sentinel_one.group.site.id - ignore_missing: true - - convert: - field: json.totalAgents - target_field: sentinel_one.group.agent.count - type: long - ignore_failure: true - - rename: - field: json.type - target_field: sentinel_one.group.type - ignore_missing: true - - remove: - field: json - ignore_missing: true - - remove: - field: event.original - if: ctx.tags == null || !(ctx.tags.contains('preserve_original_event')) - ignore_failure: true - ignore_missing: true - - script: - description: Drops null/empty values recursively. - lang: painless - source: - boolean dropEmptyFields(Object object) { - if (object == null || object == "") { - return true; - } else if (object instanceof Map) { - ((Map) object).values().removeIf(value -> dropEmptyFields(value)); - return (((Map) object).size() == 0); - } else if (object instanceof List) { - ((List) object).removeIf(value -> dropEmptyFields(value)); - return (((List) object).length == 0); - } - return false; - } - dropEmptyFields(ctx); -on_failure: -- set: - field: error.message - value: '{{{ _ingest.on_failure_message }}}' diff --git a/packages/sentinel_one/1.2.2/data_stream/group/fields/agent.yml b/packages/sentinel_one/1.2.2/data_stream/group/fields/agent.yml deleted file mode 100755 index 6e1bac042b..0000000000 --- a/packages/sentinel_one/1.2.2/data_stream/group/fields/agent.yml +++ /dev/null 
@@ -1,186 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - -- name: input.type - type: keyword - description: Input type -- name: log.offset - type: long - description: Log offset 
diff --git a/packages/sentinel_one/1.2.2/data_stream/group/fields/base-fields.yml b/packages/sentinel_one/1.2.2/data_stream/group/fields/base-fields.yml deleted file mode 100755 index 4b00f737cf..0000000000 --- a/packages/sentinel_one/1.2.2/data_stream/group/fields/base-fields.yml +++ /dev/null @@ -1,20 +0,0 @@ -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: event.dataset - type: constant_keyword - description: Event dataset - value: sentinel_one.group -- name: event.module - type: constant_keyword - description: Event module - value: sentinel_one -- name: '@timestamp' - type: date - description: Event timestamp. diff --git a/packages/sentinel_one/1.2.2/data_stream/group/fields/ecs.yml b/packages/sentinel_one/1.2.2/data_stream/group/fields/ecs.yml deleted file mode 100755 index 7f307e2667..0000000000 --- a/packages/sentinel_one/1.2.2/data_stream/group/fields/ecs.yml +++ /dev/null 
@@ -1,66 +0,0 @@
-- description: |-
- ECS version this event conforms to. `ecs.version` is a required field and must exist in all events.
- When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events.
- name: ecs.version
- type: keyword
-- description: |-
- This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy.
- `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory.
- This field is an array. This will allow proper categorization of some events that fall in multiple categories.
- name: event.category
- normalize:
- - array
- type: keyword
-- description: |-
- event.created contains the date/time when the event was first read by an agent, or by your pipeline.
- This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event.
- In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source.
- In case the two timestamps are identical, @timestamp should be used.
- name: event.created
- type: date
-- description: |-
- This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy.
- `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events.
- The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not.
- name: event.kind
- type: keyword
-- description: |-
- Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex.
- This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`.
- doc_values: false
- index: false
- name: event.original
- type: keyword
-- description: |-
- This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy.
- `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization.
- This field is an array. This will allow proper categorization of some events that fall in multiple event types.
- name: event.type
- normalize:
- - array
- type: keyword
-- description: Unique identifier for the group on the system/platform.
- name: group.id
- type: keyword
-- description: Name of the group.
- name: group.name
- type: keyword
-- description: All the user names or other user identifiers seen on the event.
- name: related.user
- normalize:
- - array
- type: keyword
-- description: List of keywords used to tag each event.
- name: tags
- normalize:
- - array
- type: keyword
-- description: User's full name, if available.
- multi_fields:
- - name: text
- type: match_only_text
- name: user.full_name
- type: keyword
-- description: Unique identifier of the user.
- name: user.id
- type: keyword
diff --git a/packages/sentinel_one/1.2.2/data_stream/group/fields/fields.yml b/packages/sentinel_one/1.2.2/data_stream/group/fields/fields.yml
deleted file mode 100755
index 89cd8a3787..0000000000
--- a/packages/sentinel_one/1.2.2/data_stream/group/fields/fields.yml
+++ /dev/null
@@ -1,40 +0,0 @@
-- name: sentinel_one.group
- type: group
- fields:
- - name: agent
- type: group
- fields:
- - name: count
- type: long
- - name: created_at
- type: date
- - name: creator
- type: group
- fields:
- - name: id
- type: keyword
- - name: filter
- type: group
- fields:
- - name: id
- type: keyword
- - name: name
- type: keyword
- - name: inherits
- type: boolean
- - name: is_default
- type: boolean
- - name: rank
- type: long
- - name: registration_token
- type: keyword
- - name: site
- type: group
- fields:
- - name: id
- type: keyword
- - name: type
- type: keyword
-- name: log.source.address
- type: keyword
- description: Source address from which the log event was read / sent from.
diff --git a/packages/sentinel_one/1.2.2/data_stream/group/manifest.yml b/packages/sentinel_one/1.2.2/data_stream/group/manifest.yml
deleted file mode 100755
index 4cbbd473d3..0000000000
--- a/packages/sentinel_one/1.2.2/data_stream/group/manifest.yml
+++ /dev/null
@@ -1,50 +0,0 @@
-title: Collect Group logs from SentinelOne
-type: logs
-streams:
- - input: httpjson
- title: Group logs
- description: Collect group logs from SentinelOne.
- template_path: httpjson.yml.hbs
- vars:
- - name: initial_interval
- type: text
- title: Initial Interval
- description: How far back to pull the groups from SentinelOne.
- multi: false
- required: true
- show_user: true
- default: 24h
- - name: interval
- type: text
- title: Interval
- description: Duration between requests to the SentinelOne API.
- default: 5m
- multi: false
- required: true
- show_user: true
- - name: tags
- type: text
- title: Tags
- multi: true
- required: true
- show_user: false
- default:
- - forwarded
- - sentinel_one-group
- - name: preserve_original_event
- required: true
- show_user: true
- title: Preserve original event
- description: Preserves a raw copy of the original event, added to the field `event.original`.
- type: bool
- multi: false
- default: false
- - name: processors
- type: yaml
- title: Processors
- multi: false
- required: false
- show_user: false
- description: >
- Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
-
diff --git a/packages/sentinel_one/1.2.2/data_stream/group/sample_event.json b/packages/sentinel_one/1.2.2/data_stream/group/sample_event.json
deleted file mode 100755
index 14ed9e6239..0000000000
--- a/packages/sentinel_one/1.2.2/data_stream/group/sample_event.json
+++ /dev/null
@@ -1,75 +0,0 @@
-{
- "@timestamp": "2022-04-05T16:01:57.564Z",
- "agent": {
- "ephemeral_id": "73e9a896-4008-48cb-8ee4-ac49f5d15e32",
- "id": "15b19080-249c-49a5-801a-edf25c28dcfe",
- "name": "docker-fleet-agent",
- "type": "filebeat",
- "version": "8.4.1"
- },
- "data_stream": {
- "dataset": "sentinel_one.group",
- "namespace": "ep",
- "type": "logs"
- },
- "ecs": {
- "version": "8.4.0"
- },
- "elastic_agent": {
- "id": "15b19080-249c-49a5-801a-edf25c28dcfe",
- "snapshot": false,
- "version": "8.4.1"
- },
- "event": {
- "agent_id_status": "verified",
- "category": [
- "iam"
- ],
- "created": "2022-09-26T01:56:24.112Z",
- "dataset": "sentinel_one.group",
- "ingested": "2022-09-26T01:56:27Z",
- "kind": "event",
- "original": "{\"createdAt\":\"2022-04-05T16:01:56.928383Z\",\"creator\":\"Test User\",\"creatorId\":\"1234567890123456789\",\"filterId\":null,\"filterName\":null,\"id\":\"1234567890123456789\",\"inherits\":true,\"isDefault\":true,\"name\":\"Default Group\",\"rank\":null,\"registrationToken\":\"eyxxxxxxxxxxxxxxxxxxxxkixZxx1xxxxx8xxx2xODA0ZxxxxTIwNjhxxxxxxxxxxxxxxiMWYxx1Ixxnxxxx0=\",\"siteId\":\"1234567890123456789\",\"totalAgents\":1,\"type\":\"static\",\"updatedAt\":\"2022-04-05T16:01:57.564266Z\"}",
- "type": [
- "info"
- ]
- },
- "group": {
- "id": "1234567890123456789",
- "name": "Default Group"
- },
- "input": {
- "type": "httpjson"
- },
- "related": {
- "user": [
- "Test User"
- ]
- },
- "sentinel_one": {
- "group": {
- "agent": {
- "count": 1
- },
- "created_at": "2022-04-05T16:01:56.928Z",
- "creator": {
- "id": "1234567890123456789"
- },
- "inherits": true,
- "is_default": true,
- "registration_token": "eyxxxxxxxxxxxxxxxxxxxxkixZxx1xxxxx8xxx2xODA0ZxxxxTIwNjhxxxxxxxxxxxxxxiMWYxx1Ixxnxxxx0=",
- "site": {
- "id": "1234567890123456789"
- },
- "type": "static"
- }
- },
- "tags": [
- "preserve_original_event",
- "forwarded",
- "sentinel_one-group"
- ],
- "user": {
- "full_name": "Test User"
- }
-}
\ No newline at end of file
diff --git a/packages/sentinel_one/1.2.2/data_stream/threat/agent/stream/httpjson.yml.hbs b/packages/sentinel_one/1.2.2/data_stream/threat/agent/stream/httpjson.yml.hbs
deleted file mode 100755
index 7d5345a4af..0000000000
--- a/packages/sentinel_one/1.2.2/data_stream/threat/agent/stream/httpjson.yml.hbs
+++ /dev/null
@@ -1,51 +0,0 @@
-config_version: 2
-interval: {{interval}}
-{{#if proxy_url }}
-request.proxy_url: {{proxy_url}}
-{{/if}}
-{{#if ssl}}
-request.ssl: {{ssl}}
-{{/if}}
-request.method: GET
-request.url: {{url}}/web/api/v2.1/threats
-request.transforms:
- - set:
- target: header.Authorization
- value: 'ApiToken {{api_token}}'
- - set:
- target: url.params.limit
- value: '100'
- - set:
- target: url.params.sortBy
- value: 'updatedAt'
- - set:
- target: url.params.sortOrder
- value: 'asc'
- - set:
- target: url.params.updatedAt__gte
- value: '[[formatDate (parseDate .cursor.last_update_at)]]'
- default: '[[formatDate (now (parseDuration "-{{initial_interval}}"))]]'
-response.pagination:
- - set:
- target: url.params.cursor
- value: '[[if (ne .last_response.body.pagination.nextCursor nil)]][[.last_response.body.pagination.nextCursor]][[else]][[.last_response.terminate_pagination]][[end]]'
- fail_on_template_error: true
-cursor:
- last_update_at:
- value: '[[.last_event.threatInfo.updatedAt]]'
-response.split:
- target: body.data
-tags:
-{{#if preserve_original_event}}
- - preserve_original_event
-{{/if}}
-{{#each tags as |tag|}}
- - {{tag}}
-{{/each}}
-{{#contains "forwarded" tags}}
-publisher_pipeline.disable_host: true
-{{/contains}}
-{{#if processors}}
-processors:
-{{processors}}
-{{/if}}
diff --git a/packages/sentinel_one/1.2.2/data_stream/threat/elasticsearch/ingest_pipeline/default.yml b/packages/sentinel_one/1.2.2/data_stream/threat/elasticsearch/ingest_pipeline/default.yml
deleted file mode 100755
index 65cffa3c5a..0000000000
--- a/packages/sentinel_one/1.2.2/data_stream/threat/elasticsearch/ingest_pipeline/default.yml
+++ /dev/null
@@ -1,953 +0,0 @@
----
-description: Pipeline for processing threat logs.
-processors:
- - set:
- field: ecs.version
- value: '8.4.0'
- - set:
- field: event.kind
- value: alert
- - rename:
- field: message
- target_field: event.original
- ignore_missing: true
- - json:
- field: event.original
- target_field: json
- ignore_failure: true
- - fingerprint:
- fields:
- - json.threatInfo.createdAt
- - json.threatInfo.updatedAt
- - json.id
- target_field: _id
- ignore_missing: true
- - script:
- description: Set the value of event.category and event.type.
- lang: painless
- source: >
- def eventCategory = new ArrayList();
- def eventType = new ArrayList();
- if (ctx.json?.threatInfo?.threatId != null && ctx.json.threatInfo.threatId != '') {
- def threat_classification = ctx.json?.threatInfo?.classification;
- if (['Exploit','PUA'].contains(threat_classification)) {
- eventCategory.add('threat');
- eventType.add('indicator');
- } else if (['Malware','Ransomware','Trojan','Downloader'].contains(threat_classification)) {
- eventCategory.add('malware');
- eventType.add('info');
- }
- }
- ctx.event.type = eventType;
- ctx.event.category = eventCategory;
- - date:
- field: json.threatInfo.updatedAt
- target_field: '@timestamp'
- formats:
- - ISO8601
- ignore_failure: true
- - join:
- field: json.threatInfo.engines
- target_field: event.action
- separator: ','
- ignore_failure: true
- - set:
- field: process.name
- copy_from: json.threatInfo.originatorProcess
- ignore_empty_value: true
- - rename:
- field: json.agentDetectionInfo.accountId
- target_field: sentinel_one.threat.detection.account.id
- ignore_missing: true
- - rename:
- field: json.agentDetectionInfo.accountName
- target_field: sentinel_one.threat.detection.account.name
- ignore_missing: true
- - rename:
- field: json.agentDetectionInfo.agentDetectionState
- target_field: sentinel_one.threat.detection.state
- ignore_missing: true
- - rename:
- field: json.agentDetectionInfo.agentDomain
- target_field: sentinel_one.threat.detection.agent.domain
- ignore_missing: true
- - convert:
- field: json.agentDetectionInfo.agentIpV4
- target_field: sentinel_one.threat.detection.agent.ipv4
- type: ip
- ignore_failure: true
- - append:
- field: related.ip
- value: '{{{sentinel_one.threat.detection.agent.ipv4}}}'
- if: ctx.sentinel_one?.threat?.detection?.agent?.ipv4 != null
- allow_duplicates: false
- ignore_failure: true
- - convert:
- field: json.agentDetectionInfo.agentIpV6
- target_field: sentinel_one.threat.detection.agent.ipv6
- type: ip
- ignore_failure: true
- - append:
- field: related.ip
- value: '{{{sentinel_one.threat.detection.agent.ipv6}}}'
- if: ctx.sentinel_one?.threat?.detection?.agent?.ipv6 != null
- allow_duplicates: false
- ignore_failure: true
- - rename:
- field: json.agentDetectionInfo.agentLastLoggedInUpn
- target_field: sentinel_one.threat.detection.agent.last_logged_in.upn
- ignore_missing: true
- - rename:
- field: json.agentDetectionInfo.agentLastLoggedInUserMail
- target_field: user.email
- ignore_missing: true
- - rename:
- field: json.agentDetectionInfo.agentLastLoggedInUserName
- target_field: user.name
- ignore_missing: true
- - set:
- if: ctx.user?.name == null
- field: user.name
- copy_from: json.threatInfo.processUser
- ignore_empty_value: true
- - append:
- field: related.user
- value: '{{{user.name}}}'
- if: ctx.user?.name != null
- allow_duplicates: false
- ignore_failure: true
- - rename:
- field: json.agentDetectionInfo.agentMitigationMode
- target_field: sentinel_one.threat.detection.agent.mitigation_mode
- ignore_missing: true
- - rename:
- field: json.agentDetectionInfo.agentOsName
- target_field: sentinel_one.threat.detection.agent.os.name
- ignore_missing: true
- - rename:
- field: json.agentDetectionInfo.agentOsRevision
- target_field: sentinel_one.threat.detection.agent.os.version
- ignore_missing: true
- - date:
- field: json.agentDetectionInfo.agentRegisteredAt
- target_field: sentinel_one.threat.detection.agent.registered_at
- formats:
- - ISO8601
- ignore_failure: true
- - rename:
- field: json.agentDetectionInfo.agentUuid
- target_field: sentinel_one.threat.detection.agent.uuid
- ignore_missing: true
- - rename:
- field: json.agentDetectionInfo.agentVersion
- target_field: sentinel_one.threat.detection.agent.version
- ignore_missing: true
- - rename:
- field: json.agentDetectionInfo.cloudProviders
- target_field: sentinel_one.threat.detection.cloud_providers
- ignore_missing: true
- - convert:
- field: json.agentDetectionInfo.externalIp
- target_field: host.ip
- type: ip
- ignore_failure: true
- - geoip:
- field: host.ip
- target_field: host.geo
- ignore_missing: true
- if: ctx.host?.ip != null && ctx.host?.ip != ''
- - append:
- field: related.ip
- value: '{{{host.ip}}}'
- if: ctx.host?.ip != null
- allow_duplicates: false
- ignore_failure: true
- - rename:
- field: json.agentDetectionInfo.groupId
- target_field: sentinel_one.threat.detection.agent.group.id
- ignore_missing: true
- - rename:
- field: json.agentDetectionInfo.groupName
- target_field: sentinel_one.threat.detection.agent.group.name
- ignore_missing: true
- - rename:
- field: json.agentDetectionInfo.siteId
- target_field: sentinel_one.threat.detection.agent.site.id
- ignore_missing: true
- - rename:
- field: json.agentDetectionInfo.siteName
- target_field: sentinel_one.threat.detection.agent.site.name
- ignore_missing: true
- - rename:
- field: json.agentRealtimeInfo.accountId
- target_field: sentinel_one.threat.agent.account.id
- ignore_missing: true
- - rename:
- field: json.agentRealtimeInfo.accountName
- target_field: sentinel_one.threat.agent.account.name
- ignore_missing: true
- - convert:
- field: json.agentRealtimeInfo.activeThreats
- target_field: sentinel_one.threat.agent.active_threats
- type: long
- ignore_failure: true
- - rename:
- field: json.agentRealtimeInfo.agentComputerName
- target_field: host.name
- ignore_missing: true
- - append:
- field: related.hosts
- value: '{{{host.name}}}'
- if: ctx.host?.name != null
- allow_duplicates: false
- ignore_failure: true
- - convert:
- field: json.agentRealtimeInfo.agentDecommissionedAt
- target_field: sentinel_one.threat.agent.decommissioned_at
- type: boolean
- ignore_failure: true
- - rename:
- field: json.agentRealtimeInfo.agentDomain
- target_field: host.domain
- ignore_missing: true
- - rename:
- field: json.agentRealtimeInfo.agentId
- target_field: host.id
- ignore_missing: true
- - convert:
- field: json.agentRealtimeInfo.agentInfected
- target_field: sentinel_one.threat.agent.infected
- type: boolean
- ignore_failure: true
- - convert:
- field: json.agentRealtimeInfo.agentIsActive
- target_field: sentinel_one.threat.agent.is_active
- type: boolean
- ignore_failure: true
- - convert:
- field: json.agentRealtimeInfo.agentIsDecommissioned
- target_field: sentinel_one.threat.agent.is_decommissioned
- type: boolean
- ignore_failure: true
- - rename:
- field: json.agentRealtimeInfo.agentMachineType
- target_field: sentinel_one.threat.agent.machine_type
- ignore_missing: true
- - rename:
- field: json.agentRealtimeInfo.agentMitigationMode
- target_field: sentinel_one.threat.agent.mitigation_mode
- ignore_missing: true
- - rename:
- field: json.agentRealtimeInfo.agentNetworkStatus
- target_field: sentinel_one.threat.agent.network_status
- ignore_missing: true
- - rename:
- field: json.agentRealtimeInfo.agentOsName
- target_field: host.os.name
- ignore_missing: true
- - rename:
- field: json.agentRealtimeInfo.agentOsRevision
- target_field: sentinel_one.threat.agent.os.version
- ignore_missing: true
- - rename:
- field: json.agentRealtimeInfo.agentOsType
- target_field: host.os.type
- ignore_missing: true
- - lowercase:
- field: host.os.type
- ignore_missing: true
- - rename:
- field: json.agentRealtimeInfo.agentUuid
- target_field: sentinel_one.threat.agent.uuid
- ignore_missing: true
- - rename:
- field: json.agentRealtimeInfo.agentVersion
- target_field: observer.version
- ignore_missing: true
- - rename:
- field: json.agentRealtimeInfo.groupId
- target_field: sentinel_one.threat.agent.group.id
- ignore_missing: true
- - rename:
- field: json.agentRealtimeInfo.groupName
- target_field: sentinel_one.threat.agent.group.name
- ignore_missing: true
- - foreach:
- field: json.agentRealtimeInfo.networkInterfaces
- processor:
- convert:
- field: _ingest._value.inet
- type: ip
- ignore_failure: true
- ignore_failure: true
- if: ctx.json?.agentRealtimeInfo?.networkInterfaces != null && ctx.json?.agentRealtimeInfo?.networkInterfaces instanceof List
- - foreach:
- field: json.agentRealtimeInfo.networkInterfaces
- processor:
- foreach:
- field: _ingest._value.inet
- processor:
- append:
- field: related.ip
- value: '{{{_ingest._value}}}'
- allow_duplicates: false
- ignore_failure: true
- ignore_failure: true
- ignore_failure: true
- if: ctx.json?.agentRealtimeInfo?.networkInterfaces != null && ctx.json?.agentRealtimeInfo?.networkInterfaces instanceof List
- - foreach:
- field: json.agentRealtimeInfo.networkInterfaces
- processor:
- convert:
- field: _ingest._value.inet6
- type: ip
- ignore_failure: true
- ignore_failure: true
- if: ctx.json?.agentRealtimeInfo?.networkInterfaces != null && ctx.json?.agentRealtimeInfo?.networkInterfaces instanceof List
- - foreach:
- field: json.agentRealtimeInfo.networkInterfaces
- processor:
- foreach:
- field: _ingest._value.inet6
- processor:
- append:
- field: related.ip
- value: '{{{_ingest._value}}}'
- allow_duplicates: false
- ignore_failure: true
- ignore_failure: true
- ignore_failure: true
- if: ctx.json?.agentRealtimeInfo?.networkInterfaces != null && ctx.json?.agentRealtimeInfo?.networkInterfaces instanceof List
- - foreach:
- field: json.agentRealtimeInfo.networkInterfaces
- processor:
- append:
- field: host.mac
- value: "{{{_ingest._value.physical}}}"
- allow_duplicates: false
- ignore_failure: true
- ignore_failure: true
- if: ctx.json?.agentRealtimeInfo?.networkInterfaces != null && ctx.json?.agentRealtimeInfo?.networkInterfaces instanceof List
- - foreach:
- field: json.agentRealtimeInfo.networkInterfaces
- processor:
- remove:
- field:
- - _ingest._value.physical
- ignore_missing: true
- ignore_failure: true
- if: ctx.json?.agentRealtimeInfo?.networkInterfaces != null && ctx.json?.agentRealtimeInfo?.networkInterfaces instanceof List
- - rename:
- field: json.agentRealtimeInfo.networkInterfaces
- target_field: sentinel_one.threat.agent.network_interface
- ignore_missing: true
- - gsub:
- field: host.mac
- pattern: '[-:.]'
- replacement: '-'
- ignore_missing: true
- - uppercase:
- field: host.mac
- ignore_missing: true
- - rename:
- field: json.agentRealtimeInfo.operationalState
- target_field: sentinel_one.threat.agent.operational_state
- ignore_missing: true
- - convert:
- field: json.agentRealtimeInfo.rebootRequired
- target_field: sentinel_one.threat.agent.reboot_required
- type: boolean
- ignore_failure: true
- - date:
- field: json.agentRealtimeInfo.scanAbortedAt
- target_field: sentinel_one.threat.agent.scan.aborted_at
- formats:
- - ISO8601
- ignore_failure: true
- - date:
- field: json.agentRealtimeInfo.scanFinishedAt
- target_field: sentinel_one.threat.agent.scan.finished_at
- formats:
- - ISO8601
- ignore_failure: true
- - date:
- field: json.agentRealtimeInfo.scanStartedAt
- target_field: sentinel_one.threat.agent.scan.started_at
- formats:
- - ISO8601
- ignore_failure: true
- - rename:
- field: json.agentRealtimeInfo.scanStatus
- target_field: sentinel_one.threat.agent.scan.status
- ignore_missing: true
- - rename:
- field: json.agentRealtimeInfo.siteId
- target_field: sentinel_one.threat.agent.site.id
- ignore_missing: true
- - rename:
- field: json.agentRealtimeInfo.siteName
- target_field: sentinel_one.threat.agent.site.name
- ignore_missing: true
- - rename:
- field: json.agentRealtimeInfo.storageName
- target_field: sentinel_one.threat.agent.storage.name
- ignore_missing: true
- - rename:
- field: json.agentRealtimeInfo.storageType
- target_field: sentinel_one.threat.agent.storage.type
- ignore_missing: true
- - rename:
- field: json.agentRealtimeInfo.userActionsNeeded
- target_field: sentinel_one.threat.agent.user_action_needed
- ignore_missing: true
- - rename:
- field: json.containerInfo.id
- target_field: container.id
- ignore_missing: true
- - rename:
- field: json.containerInfo.image
- target_field: container.image.name
- ignore_missing: true
- - rename:
- field: json.containerInfo.labels
- target_field: sentinel_one.threat.container.labels
- ignore_missing: true
- - rename:
- field: json.containerInfo.name
- target_field: container.name
- ignore_missing: true
- - rename:
- field: json.description
- target_field: message
- ignore_missing: true
- - rename:
- field: json.id
- target_field: sentinel_one.threat.id
- ignore_missing: true
- - foreach:
- field: json.indicators
- processor:
- rename:
- field: _ingest._value.category
- target_field: _ingest._value.category.name
- ignore_missing: true
- ignore_failure: true
- - foreach:
- field: json.indicators
- processor:
- rename:
- field: _ingest._value.categoryId
- target_field: _ingest._value.category.id
- ignore_missing: true
- ignore_failure: true
- - foreach:
- field: json.indicators
- processor:
- foreach:
- field: _ingest._value.ids
- processor:
- append:
- field: threat.tactic.id
- value: '{{{_ingest._value}}}'
- allow_duplicates: false
- ignore_failure: true
- ignore_failure: true
- ignore_failure: true
- - foreach:
- field: json.indicators
- processor:
- foreach:
- field: _ingest._value.tactics
- processor:
- append:
- field: threat.tactic.name
- value: '{{{_ingest._value.name}}}'
- allow_duplicates: false
- ignore_failure: true
- ignore_failure: true
- ignore_failure: true
- - foreach:
- field: json.indicators
- processor:
- foreach:
- field: _ingest._value.tactics
- processor:
- append:
- field: threat.framework
- value: '{{{_ingest._value.source}}}'
- allow_duplicates: false
- ignore_failure: true
- ignore_failure: true
- ignore_failure: true
- - foreach:
- field: json.indicators
- processor:
- foreach:
- field: _ingest._value.tactics
- processor:
- foreach:
- field: _ingest._value.techniques
- processor:
- append:
- field: threat.technique.reference
- value: '{{{_ingest._value.link}}}'
- allow_duplicates: false
- ignore_failure: true
- ignore_failure: true
- ignore_failure: true
- ignore_failure: true
- - foreach:
- field: json.indicators
- processor:
- foreach:
- field: _ingest._value.tactics
- processor:
- foreach:
- field: _ingest._value.techniques
- processor:
- append:
- field: threat.technique.id
- value: '{{{_ingest._value.name}}}'
- allow_duplicates: false
- ignore_failure: true
- ignore_failure: true
- ignore_failure: true
- ignore_failure: true
- - foreach:
- field: json.indicators
- processor:
- remove:
- field:
- - _ingest._value.ids
- - _ingest._value.tactics
- ignore_missing: true
- ignore_failure: true
- - rename:
- field: json.indicators
- target_field: sentinel_one.threat.indicators
- ignore_missing: true
- - rename:
- field: json.kubernetesInfo.cluster
- target_field: sentinel_one.threat.kubernetes.cluster
- ignore_missing: true
- - rename:
- field: json.kubernetesInfo.controllerKind
- target_field: sentinel_one.threat.kubernetes.controller.kind
- ignore_missing: true
- - rename:
- field: json.kubernetesInfo.controllerLabels
- target_field: sentinel_one.threat.kubernetes.controller.labels
- ignore_missing: true
- - rename:
- field: json.kubernetesInfo.controllerName
- target_field: sentinel_one.threat.kubernetes.controller.name
- ignore_missing: true
- - rename:
- field: json.kubernetesInfo.namespace
- target_field: sentinel_one.threat.kubernetes.namespace.name
- ignore_missing: true
- - rename:
- field: json.kubernetesInfo.namespaceLabels
- target_field: sentinel_one.threat.kubernetes.namespace.labels
- ignore_missing: true
- - rename:
- field: json.kubernetesInfo.node
- target_field: sentinel_one.threat.kubernetes.node
- ignore_missing: true
- - rename:
- field: json.kubernetesInfo.pod
- target_field: sentinel_one.threat.kubernetes.pod.name
- ignore_missing: true
- - rename:
- field: json.kubernetesInfo.podLabels
- target_field: sentinel_one.threat.kubernetes.pod.labels
- ignore_missing: true
- - foreach:
- field: json.mitigationStatus
- processor:
- convert:
- field: _ingest._value.actionsCounters.failed
- target_field: _ingest._value.action_counters.failed
- type: long
- ignore_failure: true
- ignore_failure: true
- if: ctx.json?.mitigationStatus != null && ctx.json?.mitigationStatus instanceof List
- - foreach:
- field: json.mitigationStatus
- processor:
- convert:
- field: _ingest._value.actionsCounters.notFound
- target_field: _ingest._value.action_counters.not_found
- type: long
- ignore_failure: true
- ignore_failure: true
- if: ctx.json?.mitigationStatus != null && ctx.json?.mitigationStatus instanceof List
- - foreach:
- field: json.mitigationStatus
- processor:
- convert:
- field: _ingest._value.actionsCounters.pendingReboot
- target_field: _ingest._value.action_counters.pending_reboot
- type: long
- ignore_failure: true
- ignore_failure: true
- if: ctx.json?.mitigationStatus != null && ctx.json?.mitigationStatus instanceof List
- - foreach:
- field: json.mitigationStatus
- processor:
- convert:
- field: _ingest._value.actionsCounters.success
- target_field: _ingest._value.action_counters.success
- type: long
- ignore_failure: true
- ignore_failure: true
- if: ctx.json?.mitigationStatus != null && ctx.json?.mitigationStatus instanceof List
- - foreach:
- field: json.mitigationStatus
- processor:
- convert:
- field: _ingest._value.actionsCounters.total
- target_field: _ingest._value.action_counters.total
- type: long
- ignore_failure: true
- ignore_failure: true
- if: ctx.json?.mitigationStatus != null && ctx.json?.mitigationStatus instanceof List
- - foreach:
- field: json.mitigationStatus
- processor:
- convert:
- field: _ingest._value.agentSupportsReport
- target_field: _ingest._value.agent_supports_report
- type: boolean
- ignore_failure: true
- ignore_failure: true
- if: ctx.json?.mitigationStatus != null && ctx.json?.mitigationStatus instanceof List
- - foreach:
- field: json.mitigationStatus
- processor:
- convert:
- field: _ingest._value.groupNotFound
- target_field: _ingest._value.group_not_found
- type: boolean
- ignore_failure: true
- ignore_failure: true
- if: ctx.json?.mitigationStatus != null && ctx.json?.mitigationStatus instanceof List
- - foreach:
- field: json.mitigationStatus
- processor:
- date:
- field: _ingest._value.lastUpdate
- target_field: _ingest._value.last_update
- formats:
- - ISO8601
- ignore_failure: true
- ignore_failure: true
- if: ctx.json?.mitigationStatus != null && ctx.json?.mitigationStatus instanceof List
- - foreach:
- field: json.mitigationStatus
- processor:
- rename:
- field: _ingest._value.latestReport
- target_field: _ingest._value.latest_report
- ignore_missing: true
- ignore_failure: true
- if: ctx.json?.mitigationStatus != null && ctx.json?.mitigationStatus instanceof List
- - foreach:
- field: json.mitigationStatus
- processor:
- date:
- field: _ingest._value.mitigationEndedAt
- target_field: _ingest._value.mitigation_ended_at
- formats:
- - ISO8601
- ignore_failure: true
- ignore_failure: true
- if: ctx.json?.mitigationStatus != null && ctx.json?.mitigationStatus instanceof List
- - foreach:
- field: json.mitigationStatus
- processor:
- date:
- field: _ingest._value.mitigationStartedAt
- target_field: _ingest._value.mitigation_started_at
- formats:
- - ISO8601
- ignore_failure: true
- ignore_failure: true
- if: ctx.json?.mitigationStatus != null && ctx.json?.mitigationStatus instanceof List
- - foreach:
- field: json.mitigationStatus
- processor:
- remove:
- field:
- - _ingest._value.actionsCounters
- - _ingest._value.agentSupportsReport
- - _ingest._value.groupNotFound
- - _ingest._value.lastUpdate
- - _ingest._value.mitigationEndedAt
- - _ingest._value.mitigationStartedAt
- ignore_missing: true
- ignore_failure: true
- if: ctx.json?.mitigationStatus != null && ctx.json?.mitigationStatus instanceof List
- - rename:
- field: json.mitigationStatus
- target_field: sentinel_one.threat.mitigation_status
- ignore_missing: true
- - rename:
- field: json.threatInfo.analystVerdict
- target_field: sentinel_one.threat.analysis.verdict
- ignore_missing: true
- - rename:
- field: json.threatInfo.analystVerdictDescription
- target_field: sentinel_one.threat.analysis.description
- ignore_missing: true
- - convert:
- field: json.threatInfo.automaticallyResolved
- target_field: sentinel_one.threat.automatically_resolved
- type: boolean
- ignore_failure: true
- - rename:
- field: json.threatInfo.browserType
- target_field: sentinel_one.threat.browser_type
- ignore_missing: true
- - rename:
- field: json.threatInfo.certificateId
- target_field: sentinel_one.threat.certificate.id
- ignore_missing: true
- - rename:
- field: json.threatInfo.classification
- target_field: sentinel_one.threat.classification
- ignore_missing: true
- - rename:
- field: json.threatInfo.classificationSource
- target_field: sentinel_one.threat.classification_source
- ignore_missing: true
- - rename:
- field: json.threatInfo.cloudFilesHashVerdict
- target_field: sentinel_one.threat.cloudfiles_hash_verdict
- ignore_missing: true
- - rename:
- field: json.threatInfo.collectionId
- target_field: sentinel_one.threat.collection.id
- ignore_missing: true
- - rename:
- field: json.threatInfo.confidenceLevel
- target_field: sentinel_one.threat.confidence_level
- ignore_missing: true
- - date:
- field: json.threatInfo.createdAt
- target_field: sentinel_one.threat.created_at
- formats:
- - ISO8601
- ignore_failure: true
- - rename:
- field: json.threatInfo.detectionEngines
- target_field: sentinel_one.threat.detection.engines
- ignore_missing: true
- - rename:
- field: json.threatInfo.detectionType
- target_field: sentinel_one.threat.detection.type
- ignore_missing: true
- - rename:
- field: json.threatInfo.engines
- target_field: sentinel_one.threat.engines
- ignore_missing: true
- - convert:
- field: json.threatInfo.externalTicketExists
- target_field: sentinel_one.threat.external_ticket.exist
- type: boolean
- ignore_failure: true
- - rename:
- field: json.threatInfo.externalTicketId
- target_field: sentinel_one.threat.external_ticket.id
- ignore_missing: true
- - convert:
- field: json.threatInfo.failedActions
- target_field: sentinel_one.threat.failed_actions
- type: boolean
- ignore_failure: true
- - rename:
- field: json.threatInfo.fileExtension
- target_field: threat.indicator.file.extension
- ignore_missing: true
- - rename:
- field: json.threatInfo.fileExtensionType
- target_field: sentinel_one.threat.file.extension.type
- ignore_missing: true
- - rename:
- field: json.threatInfo.filePath
- target_field: threat.indicator.file.path
- ignore_missing: true
- - convert:
- field: json.threatInfo.fileSize
- target_field: threat.indicator.file.size
- type: long
- ignore_failure: true
- - rename:
- field: json.threatInfo.fileVerificationType
- target_field: sentinel_one.threat.file.verification_type
- ignore_missing: true
- - date:
- field: json.threatInfo.identifiedAt
- target_field: sentinel_one.threat.file.identified_at
- formats:
- - ISO8601
- ignore_failure: true
- - rename:
- field: json.threatInfo.incidentStatus
- target_field: sentinel_one.threat.incident.status
- ignore_missing: true
- - rename:
- field: json.threatInfo.incidentStatusDescription
- target_field: sentinel_one.threat.incident.status_description
- ignore_missing: true
- - rename:
- field: json.threatInfo.initiatedBy
- target_field: sentinel_one.threat.initiated.name
- ignore_missing: true
- - rename:
- field: json.threatInfo.initiatedByDescription
- target_field: sentinel_one.threat.initiated.description
- ignore_missing: true
- - rename:
- field: json.threatInfo.initiatingUserId
- target_field: sentinel_one.threat.initiating_user.id
- ignore_missing: true
- - rename:
- field: json.threatInfo.initiatingUsername
- target_field: sentinel_one.threat.initiating_user.name
- ignore_missing: true
- - append:
- field: related.user
- value: '{{{sentinel_one.threat.initiating_user.name}}}'
- if: ctx.sentinel_one?.threat?.initiating_user?.name != null
- allow_duplicates: false
- ignore_failure: true
- - convert:
- field: json.threatInfo.isFileless
- target_field: sentinel_one.threat.is_fileless
- type: boolean
- ignore_failure: true
- - convert:
- field: json.threatInfo.isValidCertificate
- target_field: sentinel_one.threat.is_valid_certificate
- type: boolean
- ignore_failure: true
- - rename:
- field: json.threatInfo.maliciousProcessArguments
- target_field: sentinel_one.threat.malicious_process_arguments
- ignore_missing: true
- - rename:
- field: json.threatInfo.md5
- target_field: threat.indicator.file.hash.md5
- ignore_missing: true
- - convert:
- field: json.threatInfo.mitigatedPreemptively
- target_field: sentinel_one.threat.mitigated_preemptively
- type: boolean
- ignore_failure: true
- - rename:
- field: json.threatInfo.mitigationStatus
- target_field: sentinel_one.threat.mitigation.status
- ignore_missing: true
- - rename:
- field: json.threatInfo.mitigationStatusDescription
- target_field: sentinel_one.threat.mitigation.description
- ignore_missing: true
- - rename:
- field: json.threatInfo.originatorProcess
- target_field: sentinel_one.threat.originator_process
- ignore_missing: true
- - convert:
- field: json.threatInfo.pendingActions
- target_field: sentinel_one.threat.pending_actions
- type: boolean
- ignore_failure: true
- - rename:
- field: json.threatInfo.processUser
- target_field: sentinel_one.threat.process_user
- ignore_missing: true
- - append:
- field: related.user
- value: '{{{sentinel_one.threat.process_user}}}'
- if: ctx.sentinel_one?.threat?.process_user != null
- allow_duplicates: false
- ignore_failure: true
- - rename:
- field: json.threatInfo.publisherName
- target_field: sentinel_one.threat.publisher.name
- ignore_missing: true
- - convert:
- field:
json.threatInfo.reachedEventsLimit - target_field: sentinel_one.threat.reached_events_limit - type: boolean - ignore_failure: true - - convert: - field: json.threatInfo.rebootRequired - target_field: sentinel_one.threat.reboot_required - type: boolean - ignore_failure: true - - rename: - field: json.threatInfo.sha1 - target_field: threat.indicator.file.hash.sha1 - ignore_missing: true - - append: - field: related.hash - value: '{{{threat.indicator.file.hash.sha1}}}' - if: ctx.threat?.indicator?.file?.hash?.sha1 != null - allow_duplicates: false - ignore_failure: true - - rename: - field: json.threatInfo.sha256 - target_field: threat.indicator.file.hash.sha256 - ignore_missing: true - - append: - field: related.hash - value: '{{{threat.indicator.file.hash.sha256}}}' - if: ctx.threat?.indicator?.file?.hash?.sha256 != null - allow_duplicates: false - ignore_failure: true - - rename: - field: json.threatInfo.storyline - target_field: sentinel_one.threat.storyline - ignore_missing: true - - rename: - field: json.threatInfo.threatId - target_field: sentinel_one.threat.threat_id - ignore_missing: true - - rename: - field: json.threatInfo.threatName - target_field: sentinel_one.threat.name - ignore_missing: true - - rename: - field: json.whiteningOptions - target_field: sentinel_one.threat.whitening_option - ignore_missing: true - - remove: - field: json - ignore_missing: true - - remove: - field: event.original - if: ctx.tags == null || !(ctx.tags.contains('preserve_original_event')) - ignore_failure: true - ignore_missing: true - - script: - description: Drops null/empty values recursively. 
- lang: painless - source: - boolean dropEmptyFields(Object object) { - if (object == null || object == "") { - return true; - } else if (object instanceof Map) { - ((Map) object).values().removeIf(value -> dropEmptyFields(value)); - return (((Map) object).size() == 0); - } else if (object instanceof List) { - ((List) object).removeIf(value -> dropEmptyFields(value)); - return (((List) object).length == 0); - } - return false; - } - dropEmptyFields(ctx); -on_failure: -- set: - field: error.message - value: '{{{ _ingest.on_failure_message }}}' diff --git a/packages/sentinel_one/1.2.2/data_stream/threat/fields/agent.yml b/packages/sentinel_one/1.2.2/data_stream/threat/fields/agent.yml deleted file mode 100755 index 6e1bac042b..0000000000 --- a/packages/sentinel_one/1.2.2/data_stream/threat/fields/agent.yml +++ /dev/null 
@@ -1,186 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - -- name: input.type - type: keyword - description: Input type -- name: log.offset - type: long - description: Log offset 
diff --git a/packages/sentinel_one/1.2.2/data_stream/threat/fields/base-fields.yml b/packages/sentinel_one/1.2.2/data_stream/threat/fields/base-fields.yml deleted file mode 100755 index 43a1d989b7..0000000000 --- a/packages/sentinel_one/1.2.2/data_stream/threat/fields/base-fields.yml +++ /dev/null @@ -1,20 +0,0 @@ -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: event.dataset - type: constant_keyword - description: Event dataset - value: sentinel_one.threat -- name: event.module - type: constant_keyword - description: Event module - value: sentinel_one -- name: '@timestamp' - type: date - description: Event timestamp. diff --git a/packages/sentinel_one/1.2.2/data_stream/threat/fields/ecs.yml b/packages/sentinel_one/1.2.2/data_stream/threat/fields/ecs.yml deleted file mode 100755 index 74b77c4ddd..0000000000 --- a/packages/sentinel_one/1.2.2/data_stream/threat/fields/ecs.yml +++ /dev/null 
@@ -1,166 +0,0 @@ -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. This will allow proper categorization of some events that fall in multiple categories. - name: event.category - normalize: - - array - type: keyword -- description: |- - event.created contains the date/time when the event was first read by an agent, or by your pipeline. - This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. - In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. - In case the two timestamps are identical, @timestamp should be used. - name: event.created - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. 
- The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: |- - Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. - This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. - doc_values: false - index: false - name: event.original - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. - `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. This will allow proper categorization of some events that fall in multiple event types. - name: event.type - normalize: - - array - type: keyword -- description: City name. - name: host.geo.city_name - type: keyword -- description: Name of the continent. - name: host.geo.continent_name - type: keyword -- description: Country ISO code. - name: host.geo.country_iso_code - type: keyword -- description: Country name. - name: host.geo.country_name - type: keyword -- description: Longitude and latitude. - name: host.geo.location - type: geo_point -- description: Region ISO code. - name: host.geo.region_iso_code - type: keyword -- description: Region name. - name: host.geo.region_name - type: keyword -- description: |- - Use the `os.type` field to categorize the operating system into one of the broad commercial families. 
- If the OS you're dealing with is not listed as an expected value, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. - name: host.os.type - type: keyword -- description: |- - For log events the message field contains the log message, optimized for viewing in a log viewer. - For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. - If multiple messages exist, they can be combined into one message. - name: message - type: match_only_text -- description: Observer version. - name: observer.version - type: keyword -- description: |- - Process name. - Sometimes called program name or similar. - multi_fields: - - name: text - type: match_only_text - name: process.name - type: keyword -- description: All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). - name: related.hash - normalize: - - array - type: keyword -- description: All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. - name: related.hosts - normalize: - - array - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - normalize: - - array - type: ip -- description: All the user names or other user identifiers seen on the event. - name: related.user - normalize: - - array - type: keyword -- description: List of keywords used to tag each event. - name: tags - normalize: - - array - type: keyword -- description: Name of the threat framework used to further categorize and classify the tactic and technique of the reported threat. Framework classification can be provided by detecting systems, evaluated at ingest time, or retrospectively tagged to events. 
- name: threat.framework - type: keyword -- description: |- - File extension, excluding the leading dot. - Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). - name: threat.indicator.file.extension - type: keyword -- description: MD5 hash. - name: threat.indicator.file.hash.md5 - type: keyword -- description: SHA1 hash. - name: threat.indicator.file.hash.sha1 - type: keyword -- description: SHA256 hash. - name: threat.indicator.file.hash.sha256 - type: keyword -- description: Full path to the file, including the file name. It should include the drive letter, when appropriate. - multi_fields: - - name: text - type: match_only_text - name: threat.indicator.file.path - type: keyword -- description: |- - File size in bytes. - Only relevant when `file.type` is "file". - name: threat.indicator.file.size - type: long -- description: The id of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/ ) - name: threat.tactic.id - normalize: - - array - type: keyword -- description: Name of the type of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/) - name: threat.tactic.name - normalize: - - array - type: keyword -- description: The id of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1059/) - name: threat.technique.id - normalize: - - array - type: keyword -- description: The reference url of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1059/) - name: threat.technique.reference - normalize: - - array - type: keyword -- description: User email address. - name: user.email - type: keyword -- description: Short name or login of the user. 
- multi_fields: - - name: text - type: match_only_text - name: user.name - type: keyword diff --git a/packages/sentinel_one/1.2.2/data_stream/threat/fields/fields.yml b/packages/sentinel_one/1.2.2/data_stream/threat/fields/fields.yml deleted file mode 100755 index 8466924293..0000000000 --- a/packages/sentinel_one/1.2.2/data_stream/threat/fields/fields.yml +++ /dev/null 
@@ -1,462 +0,0 @@ -- name: sentinel_one.threat - type: group - fields: - - name: agent - type: group - fields: - - name: account - type: group - fields: - - name: id - type: keyword - description: Account id. - - name: name - type: keyword - description: Account name. - - name: active_threats - type: long - description: Active threats. - - name: decommissioned_at - type: boolean - description: Decommissioned at. - - name: group - type: group - fields: - - name: id - type: keyword - description: Group id. - - name: name - type: keyword - description: Group name. - - name: infected - type: boolean - description: Agent infected. - - name: is_active - type: boolean - description: Is active. - - name: is_decommissioned - type: boolean - description: Is decommissioned. - - name: machine_type - type: keyword - description: Machine type. - - name: mitigation_mode - type: keyword - description: Agent mitigation mode policy. - - name: network_interface - type: group - fields: - - name: id - type: keyword - description: Device's network interfaces id. - - name: inet - type: keyword - description: Device's network interfaces IPv4 addresses. - - name: inet6 - type: keyword - description: Device's network interfaces IPv6 addresses. - - name: name - type: keyword - description: Device's network interfaces IPv4 Name. - - name: network_status - type: keyword - description: Network status. - - name: operational_state - type: keyword - description: Agent operational state. - - name: os - type: group - fields: - - name: version - type: keyword - description: OS revision. - - name: reboot_required - type: boolean - description: A reboot is required on the endpoint for at least one acton on the threat. - - name: scan - type: group - fields: - - name: aborted_at - type: keyword - description: Abort time of last scan (if applicable). - - name: finished_at - type: keyword - description: Finish time of last scan (if applicable). 
- - name: started_at - type: keyword - description: Start time of last scan. - - name: status - type: keyword - description: Scan status. - - name: site - type: group - fields: - - name: id - type: keyword - description: Site id. - - name: name - type: keyword - description: Site name. - - name: storage - type: group - fields: - - name: name - type: keyword - description: Storage Name. - - name: type - type: keyword - description: Storage Type. - - name: user_action_needed - type: keyword - description: 'A list of pending user actions. List items possible values: "none, reboot_needed, user_acton_needed, upgrade_needed, incompatible_os, unprotected, user_acton_needed_fda, user_acton_needed_rs_fda,user_acton_needed_network, rebootless_without_dynamic_detection, extended_exclusions_partially_accepted, user_action_needed_bluetooth_per".' - - name: uuid - type: keyword - description: UUID. - - name: analysis - type: group - fields: - - name: description - type: keyword - description: Analyst verdict description. - - name: verdict - type: keyword - description: Analyst verdict. - - name: automatically_resolved - type: boolean - description: Automatically resolved. - - name: browser_type - type: keyword - description: Browser type. - - name: certificate - type: group - fields: - - name: id - type: keyword - description: File Certificate ID. - - name: classification - type: keyword - description: Classification of the threat. - - name: classification_source - type: keyword - description: Source of the threat Classification. - - name: cloudfiles_hash_verdict - type: keyword - description: Cloud files hash verdict. - - name: collection - type: group - fields: - - name: id - type: keyword - description: Collection id. - - name: confidence_level - type: keyword - description: SentinelOne threat confidence level. - - name: container - type: group - fields: - - name: labels - type: keyword - description: Container labels. 
- - name: created_at - type: date - description: Timestamp of date creation in the Management Console. - - name: detection - type: group - fields: - - name: account - type: group - fields: - - name: id - type: keyword - description: Orig account id. - - name: name - type: keyword - description: Orig account name. - - name: agent - type: group - fields: - - name: domain - type: keyword - description: Network domain. - - name: group - type: group - fields: - - name: id - type: keyword - description: Orig group id. - - name: name - type: keyword - description: Orig group name. - - name: ipv4 - type: ip - description: Orig agent ipv4. - - name: ipv6 - type: ip - description: Orig agent ipv6. - - name: last_logged_in - type: group - fields: - - name: upn - type: keyword - description: UPN of last logged in user. - - name: mitigation_mode - type: keyword - description: Agent mitigation mode policy. - - name: os - type: group - fields: - - name: name - type: keyword - description: Orig agent OS name. - - name: version - type: keyword - description: Orig agent OS revision. - - name: registered_at - type: date - description: Time of first registration to management console. - - name: site - type: group - fields: - - name: id - type: keyword - description: Orig site id. - - name: name - type: keyword - description: Orig site name. - - name: uuid - type: keyword - description: UUID of the agent. - - name: version - type: keyword - description: Orig agent version. - - name: cloud_providers - type: flattened - description: Cloud providers for this agent. - - name: engines - type: group - fields: - - name: key - type: keyword - description: List of engines that detected the threat key. - - name: title - type: keyword - description: List of engines that detected the threat title. - - name: state - type: keyword - description: The Agent's detection state at time of detection. - - name: type - type: keyword - description: Detection type. 
- - name: engines - type: keyword - description: List of engines that detected the threat. - - name: external_ticket - type: group - fields: - - name: exist - type: boolean - description: External ticket exists. - - name: id - type: keyword - description: External ticket id. - - name: failed_actions - type: boolean - description: At least one action failed on the threat. - - name: file - type: group - fields: - - name: extension - type: group - fields: - - name: type - type: keyword - description: File extension type. - - name: identified_at - type: keyword - description: Identified at. - - name: verification_type - type: keyword - description: File verification type. - - name: id - type: keyword - description: Threat id. - - name: incident - type: group - fields: - - name: status - type: keyword - description: Incident status. - - name: status_description - type: keyword - description: Incident status description. - - name: indicators - type: group - fields: - - name: category - type: group - fields: - - name: id - type: long - description: Indicators Category Id. - - name: name - type: keyword - description: Indicators Category Name. - - name: description - type: keyword - description: Indicators Description. - - name: initiated - type: group - fields: - - name: description - type: keyword - description: Initiated by description. - - name: name - type: keyword - description: Source of threat. - - name: initiating_user - type: group - fields: - - name: id - type: keyword - description: Initiating user id. - - name: name - type: keyword - description: Initiating user username. - - name: is_fileless - type: boolean - description: Is fileless. - - name: is_valid_certificate - type: boolean - description: True if the certificate is valid. - - name: kubernetes - type: group - fields: - - name: cluster - type: keyword - description: Cluster. - - name: controller - type: group - fields: - - name: kind - type: keyword - description: Controller kind. 
- - name: labels - type: keyword - description: Controller labels. - - name: name - type: keyword - description: Controller name. - - name: namespace - type: group - fields: - - name: labels - type: keyword - description: Namespace labels. - - name: name - type: keyword - description: Namespace name. - - name: node - type: keyword - description: Node. - - name: pod - type: group - fields: - - name: labels - type: keyword - description: Pod labels. - - name: name - type: keyword - description: Pod name. - - name: malicious_process_arguments - type: keyword - description: Malicious process arguments. - - name: mitigated_preemptively - type: boolean - description: True is the threat was blocked before execution. - - name: mitigation - type: group - fields: - - name: description - type: keyword - description: Mitigation status description. - - name: status - type: keyword - description: Mitigation status. - - name: mitigation_status - type: group - fields: - - name: action - type: keyword - description: Action. - - name: action_counters - type: group - fields: - - name: failed - type: long - description: Actions counters Failed. - - name: not_found - type: long - description: Actions counters Not found. - - name: pending_reboot - type: long - description: Actions counters Pending reboot. - - name: success - type: long - description: Actions counters Success. - - name: total - type: long - description: Actions counters Total. - - name: agent_supports_report - type: keyword - description: The Agent generates a full mitigation report. - - name: group_not_found - type: keyword - description: Agent could not find the threat. - - name: last_update - type: keyword - description: Timestamp of last mitigation status update. - - name: latest_report - type: keyword - description: Report download URL. If None, there is no report. - - name: mitigation_ended_at - type: keyword - description: The time the Agent finished the mitigation. 
- - name: mitigation_started_at - type: keyword - description: The time the Agent started the mitigation. - - name: status - type: keyword - description: Status. - - name: name - type: keyword - description: Threat name. - - name: originator_process - type: keyword - description: Originator process. - - name: pending_actions - type: boolean - description: At least one action is pending on the threat. - - name: process_user - type: keyword - description: Process user. - - name: publisher - type: group - fields: - - name: name - type: keyword - description: Certificate publisher. - - name: reached_events_limit - type: boolean - description: Has number of OS events for this threat reached the limit, resulting in a partial attack storyline. - - name: reboot_required - type: boolean - description: A reboot is required on the endpoint for at least one threat. - - name: storyline - type: keyword - description: Storyline identifier from agent. - - name: threat_id - type: keyword - description: Threat id. - - name: whitening_option - type: keyword - description: Whitening options. diff --git a/packages/sentinel_one/1.2.2/data_stream/threat/manifest.yml b/packages/sentinel_one/1.2.2/data_stream/threat/manifest.yml deleted file mode 100755 index 5dcd6795cd..0000000000 --- a/packages/sentinel_one/1.2.2/data_stream/threat/manifest.yml +++ /dev/null 
@@ -1,50 +0,0 @@
-title: Collect Threat logs from SentinelOne
-type: logs
-streams:
- - input: httpjson
- title: Threat logs
- description: Collect threat logs from SentinelOne.
- template_path: httpjson.yml.hbs
- vars:
- - name: initial_interval
- type: text
- title: Initial Interval
- description: How far back to pull the threats from SentinelOne.
- multi: false
- required: true
- show_user: true
- default: 24h
- - name: interval
- type: text
- title: Interval
- description: Duration between requests to the SentinelOne API.
- default: 5m
- multi: false
- required: true
- show_user: true
- - name: tags
- type: text
- title: Tags
- multi: true
- required: true
- show_user: false
- default:
- - forwarded
- - sentinel_one-threat
- - name: preserve_original_event
- required: true
- show_user: true
- title: Preserve original event
- description: Preserves a raw copy of the original event, added to the field `event.original`.
- type: bool
- multi: false
- default: false
- - name: processors
- type: yaml
- title: Processors
- multi: false
- required: false
- show_user: false
- description: >
- Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
-
diff --git a/packages/sentinel_one/1.2.2/data_stream/threat/sample_event.json b/packages/sentinel_one/1.2.2/data_stream/threat/sample_event.json
deleted file mode 100755
index 82338b4879..0000000000
--- a/packages/sentinel_one/1.2.2/data_stream/threat/sample_event.json
+++ /dev/null
@@ -1,268 +0,0 @@ -{ - "@timestamp": "2022-04-06T08:54:17.194Z", - "agent": { - "ephemeral_id": "7562adce-b104-46d3-bc7b-c9e79060ca40", - "id": "15b19080-249c-49a5-801a-edf25c28dcfe", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "8.4.1" - }, - "data_stream": { - "dataset": "sentinel_one.threat", - "namespace": "ep", - "type": "logs" - }, - "ecs": { - "version": "8.4.0" - }, - "elastic_agent": { - "id": "15b19080-249c-49a5-801a-edf25c28dcfe", - "snapshot": false, - "version": "8.4.1" - }, - "event": { - "action": "SentinelOne Cloud", - "agent_id_status": "verified", - "category": [ - "malware" - ], - "created": "2022-09-26T01:57:04.978Z", - "dataset": "sentinel_one.threat", - "ingested": "2022-09-26T01:57:08Z", - "kind": "alert", - "original": "{\"agentDetectionInfo\":{\"accountId\":\"1234567890123456789\",\"accountName\":\"Default\",\"agentDetectionState\":null,\"agentDomain\":\"WORKGROUP\",\"agentIpV4\":\"10.0.0.1\",\"agentIpV6\":\"XX80::7X59:X6X9:9X72:XXXX\",\"agentLastLoggedInUpn\":null,\"agentLastLoggedInUserMail\":null,\"agentLastLoggedInUserName\":\"\",\"agentMitigationMode\":\"protect\",\"agentOsName\":\"linux\",\"agentOsRevision\":\"1234\",\"agentRegisteredAt\":\"2022-04-06T08:26:45.515278Z\",\"agentUuid\":\"fwfbxxxxxxxxxxqcfjfnxxxxxxxxx\",\"agentVersion\":\"21.x.x\",\"cloudProviders\":{},\"externalIp\":\"81.2.69.143\",\"groupId\":\"1234567890123456789\",\"groupName\":\"Default Group\",\"siteId\":\"1234567890123456789\",\"siteName\":\"Default 
site\"},\"agentRealtimeInfo\":{\"accountId\":\"1234567890123456789\",\"accountName\":\"Default\",\"activeThreats\":7,\"agentComputerName\":\"test-LINUX\",\"agentDecommissionedAt\":null,\"agentDomain\":\"WORKGROUP\",\"agentId\":\"1234567890123456789\",\"agentInfected\":true,\"agentIsActive\":true,\"agentIsDecommissioned\":false,\"agentMachineType\":\"server\",\"agentMitigationMode\":\"detect\",\"agentNetworkStatus\":\"connected\",\"agentOsName\":\"linux\",\"agentOsRevision\":\"1234\",\"agentOsType\":\"linux\",\"agentUuid\":\"fwfbxxxxxxxxxxqcfjfnxxxxxxxxx\",\"agentVersion\":\"21.x.x.1234\",\"groupId\":\"1234567890123456789\",\"groupName\":\"Default Group\",\"networkInterfaces\":[{\"id\":\"1234567890123456789\",\"inet\":[\"10.0.0.1\"],\"inet6\":[\"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6\"],\"name\":\"Ethernet\",\"physical\":\"X2:0X:0X:X6:00:XX\"}],\"operationalState\":\"na\",\"rebootRequired\":false,\"scanAbortedAt\":null,\"scanFinishedAt\":\"2022-04-06T09:18:21.090855Z\",\"scanStartedAt\":\"2022-04-06T08:26:52.838047Z\",\"scanStatus\":\"finished\",\"siteId\":\"1234567890123456789\",\"siteName\":\"Default 
site\",\"storageName\":null,\"storageType\":null,\"userActionsNeeded\":[]},\"containerInfo\":{\"id\":null,\"image\":null,\"labels\":null,\"name\":null},\"id\":\"1234567890123456789\",\"indicators\":[],\"kubernetesInfo\":{\"cluster\":null,\"controllerKind\":null,\"controllerLabels\":null,\"controllerName\":null,\"namespace\":null,\"namespaceLabels\":null,\"node\":null,\"pod\":null,\"podLabels\":null},\"mitigationStatus\":[{\"action\":\"unquarantine\",\"actionsCounters\":{\"failed\":0,\"notFound\":0,\"pendingReboot\":0,\"success\":1,\"total\":1},\"agentSupportsReport\":true,\"groupNotFound\":false,\"lastUpdate\":\"2022-04-06T08:54:17.198002Z\",\"latestReport\":\"/threats/mitigation-report\",\"mitigationEndedAt\":\"2022-04-06T08:54:17.101000Z\",\"mitigationStartedAt\":\"2022-04-06T08:54:17.101000Z\",\"status\":\"success\"},{\"action\":\"kill\",\"actionsCounters\":null,\"agentSupportsReport\":true,\"groupNotFound\":false,\"lastUpdate\":\"2022-04-06T08:45:55.303355Z\",\"latestReport\":null,\"mitigationEndedAt\":\"2022-04-06T08:45:55.297364Z\",\"mitigationStartedAt\":\"2022-04-06T08:45:55.297363Z\",\"status\":\"success\"}],\"threatInfo\":{\"analystVerdict\":\"undefined\",\"analystVerdictDescription\":\"Undefined\",\"automaticallyResolved\":false,\"browserType\":null,\"certificateId\":\"\",\"classification\":\"Trojan\",\"classificationSource\":\"Cloud\",\"cloudFilesHashVerdict\":\"black\",\"collectionId\":\"1234567890123456789\",\"confidenceLevel\":\"malicious\",\"createdAt\":\"2022-04-06T08:45:54.519988Z\",\"detectionEngines\":[{\"key\":\"sentinelone_cloud\",\"title\":\"SentinelOne Cloud\"}],\"detectionType\":\"static\",\"engines\":[\"SentinelOne 
Cloud\"],\"externalTicketExists\":false,\"externalTicketId\":null,\"failedActions\":false,\"fileExtension\":\"EXE\",\"fileExtensionType\":\"Executable\",\"filePath\":\"default.exe\",\"fileSize\":1234,\"fileVerificationType\":\"NotSigned\",\"identifiedAt\":\"2022-04-06T08:45:53.968000Z\",\"incidentStatus\":\"unresolved\",\"incidentStatusDescription\":\"Unresolved\",\"initiatedBy\":\"agent_policy\",\"initiatedByDescription\":\"Agent Policy\",\"initiatingUserId\":null,\"initiatingUsername\":null,\"isFileless\":false,\"isValidCertificate\":false,\"maliciousProcessArguments\":null,\"md5\":null,\"mitigatedPreemptively\":false,\"mitigationStatus\":\"not_mitigated\",\"mitigationStatusDescription\":\"Not mitigated\",\"originatorProcess\":\"default.exe\",\"pendingActions\":false,\"processUser\":\"test user\",\"publisherName\":\"\",\"reachedEventsLimit\":false,\"rebootRequired\":false,\"sha1\":\"aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d\",\"sha256\":null,\"storyline\":\"D0XXXXXXXXXXAF4D\",\"threatId\":\"1234567890123456789\",\"threatName\":\"default.exe\",\"updatedAt\":\"2022-04-06T08:54:17.194122Z\"},\"whiteningOptions\":[\"hash\"]}", - "type": [ - "info" - ] - }, - "host": { - "domain": "WORKGROUP", - "geo": { - "city_name": "London", - "continent_name": "Europe", - "country_iso_code": "GB", - "country_name": "United Kingdom", - "location": { - "lat": 51.5142, - "lon": -0.0931 - }, - "region_iso_code": "GB-ENG", - "region_name": "England" - }, - "id": "1234567890123456789", - "ip": "81.2.69.143", - "mac": [ - "X2-0X-0X-X6-00-XX" - ], - "name": "test-LINUX", - "os": { - "name": "linux", - "type": "linux" - } - }, - "input": { - "type": "httpjson" - }, - "observer": { - "version": "21.x.x.1234" - }, - "process": { - "name": "default.exe" - }, - "related": { - "hash": [ - "aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d" - ], - "hosts": [ - "test-LINUX" - ], - "ip": [ - "10.0.0.1", - "81.2.69.143", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6" - ], - "user": [ - "test user" - ] - }, - 
"sentinel_one": { - "threat": { - "agent": { - "account": { - "id": "1234567890123456789", - "name": "Default" - }, - "active_threats": 7, - "group": { - "id": "1234567890123456789", - "name": "Default Group" - }, - "infected": true, - "is_active": true, - "is_decommissioned": false, - "machine_type": "server", - "mitigation_mode": "detect", - "network_interface": [ - { - "id": "1234567890123456789", - "inet": [ - "10.0.0.1" - ], - "inet6": [ - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6" - ], - "name": "Ethernet" - } - ], - "network_status": "connected", - "operational_state": "na", - "os": { - "version": "1234" - }, - "reboot_required": false, - "scan": { - "finished_at": "2022-04-06T09:18:21.090Z", - "started_at": "2022-04-06T08:26:52.838Z", - "status": "finished" - }, - "site": { - "id": "1234567890123456789", - "name": "Default site" - }, - "uuid": "fwfbxxxxxxxxxxqcfjfnxxxxxxxxx" - }, - "analysis": { - "description": "Undefined", - "verdict": "undefined" - }, - "automatically_resolved": false, - "classification": "Trojan", - "classification_source": "Cloud", - "cloudfiles_hash_verdict": "black", - "collection": { - "id": "1234567890123456789" - }, - "confidence_level": "malicious", - "created_at": "2022-04-06T08:45:54.519Z", - "detection": { - "account": { - "id": "1234567890123456789", - "name": "Default" - }, - "agent": { - "domain": "WORKGROUP", - "group": { - "id": "1234567890123456789", - "name": "Default Group" - }, - "ipv4": "10.0.0.1", - "mitigation_mode": "protect", - "os": { - "name": "linux", - "version": "1234" - }, - "registered_at": "2022-04-06T08:26:45.515Z", - "site": { - "id": "1234567890123456789", - "name": "Default site" - }, - "uuid": "fwfbxxxxxxxxxxqcfjfnxxxxxxxxx", - "version": "21.x.x" - }, - "engines": [ - { - "key": "sentinelone_cloud", - "title": "SentinelOne Cloud" - } - ], - "type": "static" - }, - "engines": [ - "SentinelOne Cloud" - ], - "external_ticket": { - "exist": false - }, - "failed_actions": false, - "file": { - "extension": 
{ - "type": "Executable" - }, - "identified_at": "2022-04-06T08:45:53.968Z", - "verification_type": "NotSigned" - }, - "id": "1234567890123456789", - "incident": { - "status": "unresolved", - "status_description": "Unresolved" - }, - "initiated": { - "description": "Agent Policy", - "name": "agent_policy" - }, - "is_fileless": false, - "is_valid_certificate": false, - "mitigated_preemptively": false, - "mitigation": { - "description": "Not mitigated", - "status": "not_mitigated" - }, - "mitigation_status": [ - { - "action": "unquarantine", - "action_counters": { - "failed": 0, - "not_found": 0, - "pending_reboot": 0, - "success": 1, - "total": 1 - }, - "agent_supports_report": true, - "group_not_found": false, - "last_update": "2022-04-06T08:54:17.198Z", - "latest_report": "/threats/mitigation-report", - "mitigation_ended_at": "2022-04-06T08:54:17.101Z", - "mitigation_started_at": "2022-04-06T08:54:17.101Z", - "status": "success" - }, - { - "action": "kill", - "agent_supports_report": true, - "group_not_found": false, - "last_update": "2022-04-06T08:45:55.303Z", - "mitigation_ended_at": "2022-04-06T08:45:55.297Z", - "mitigation_started_at": "2022-04-06T08:45:55.297Z", - "status": "success" - } - ], - "name": "default.exe", - "originator_process": "default.exe", - "pending_actions": false, - "process_user": "test user", - "reached_events_limit": false, - "reboot_required": false, - "storyline": "D0XXXXXXXXXXAF4D", - "threat_id": "1234567890123456789", - "whitening_option": [ - "hash" - ] - } - }, - "tags": [ - "preserve_original_event", - "forwarded", - "sentinel_one-threat" - ], - "threat": { - "indicator": { - "file": { - "extension": "EXE", - "hash": { - "sha1": "aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d" - }, - "path": "default.exe", - "size": 1234 - } - } - } -} \ No newline at end of file diff --git a/packages/sentinel_one/1.2.2/docs/README.md b/packages/sentinel_one/1.2.2/docs/README.md deleted file mode 100755 index f3423383fa..0000000000 
--- a/packages/sentinel_one/1.2.2/docs/README.md
+++ /dev/null
@@ -1,1661 +0,0 @@ -# SentinelOne - -The [SentinelOne](https://www.sentinelone.com/) integration collects and parses data from SentinelOne REST APIs. - -## Compatibility - -This module has been tested against `SentinelOne Management Console API version 2.1`. - -## To collect data from SentinelOne APIs, user must have API Token. To create API token follow below steps: - - 1. Log in to the **SentinelOne Management Console** as an **Admin**. - ![SentinelOne dashboards](../img/sentinel-one-dashboard.png) - 2. Navigate to **Logged User Account** from top right panel in navigation bar. - 3. Click **My User**. - 4. In the API token section, click **Generate**. - ![SentinelOne generate API token ](../img/sentinel-one-api-token-generate.png) - -## Note - -The API token generated by user is time-limited. To rotate a new token login with the dedicated admin account. - -## Logs - -### activity - -This is the `activity` dataset. - -An example event for `activity` looks as following: - -```json -{ - "@timestamp": "2022-04-05T16:01:56.995Z", - "agent": { - "ephemeral_id": "fa8409d5-7599-4d01-a29f-b9375742abc3", - "id": "15b19080-249c-49a5-801a-edf25c28dcfe", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "8.4.1" - }, - "data_stream": { - "dataset": "sentinel_one.activity", - "namespace": "ep", - "type": "logs" - }, - "ecs": { - "version": "8.4.0" - }, - "elastic_agent": { - "id": "15b19080-249c-49a5-801a-edf25c28dcfe", - "snapshot": false, - "version": "8.4.1" - }, - "event": { - "agent_id_status": "verified", - "category": [ - "configuration" - ], - "created": "2022-09-26T01:54:28.433Z", - "dataset": "sentinel_one.activity", - "ingested": "2022-09-26T01:54:29Z", - "kind": "event", - "original": 
"{\"accountId\":\"1234567890123456789\",\"accountName\":\"Default\",\"activityType\":1234,\"agentId\":null,\"agentUpdatedVersion\":null,\"comments\":null,\"createdAt\":\"2022-04-05T16:01:56.995120Z\",\"data\":{\"accountId\":1234567890123456800,\"accountName\":\"Default\",\"fullScopeDetails\":\"Account Default\",\"fullScopeDetailsPath\":\"test/path\",\"groupName\":null,\"scopeLevel\":\"Account\",\"scopeName\":\"Default\",\"siteName\":null,\"username\":\"test user\"},\"description\":null,\"groupId\":null,\"groupName\":null,\"hash\":null,\"id\":\"1234567890123456789\",\"osFamily\":null,\"primaryDescription\":\"created Default account.\",\"secondaryDescription\":null,\"siteId\":null,\"siteName\":null,\"threatId\":null,\"updatedAt\":\"2022-04-05T16:01:56.992136Z\",\"userId\":\"1234567890123456789\"}", - "type": [ - "creation" - ] - }, - "input": { - "type": "httpjson" - }, - "related": { - "user": [ - "test user" - ] - }, - "sentinel_one": { - "activity": { - "account": { - "id": "1234567890123456789", - "name": "Default" - }, - "data": { - "account": { - "id": "1234567890123456800", - "name": "Default" - }, - "fullscope": { - "details": "Account Default", - "details_path": "test/path" - }, - "scope": { - "level": "Account", - "name": "Default" - } - }, - "description": { - "primary": "created Default account." - }, - "id": "1234567890123456789", - "type": 1234, - "updated_at": "2022-04-05T16:01:56.992Z" - } - }, - "tags": [ - "preserve_original_event", - "forwarded", - "sentinel_one-activity" - ], - "user": { - "full_name": "test user", - "id": "1234567890123456789" - } -} -``` - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. 
| keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. 
This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | -| event.dataset | Event dataset | constant_keyword | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | -| event.module | Event module | constant_keyword | -| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. 
This will allow proper categorization of some events that fall in multiple event types. | keyword | -| file.hash.sha1 | SHA1 hash. | keyword | -| file.name | Name of the file including the extension, without the directory. | keyword | -| file.path | Full path to the file, including the file name. It should include the drive letter, when appropriate. | keyword | -| file.path.text | Multi-field of `file.path`. | match_only_text | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.geo.city_name | City name. | keyword | -| host.geo.continent_name | Name of the continent. | keyword | -| host.geo.country_iso_code | Country ISO code. | keyword | -| host.geo.country_name | Country name. | keyword | -| host.geo.location | Longitude and latitude. | geo_point | -| host.geo.region_iso_code | Region ISO code. | keyword | -| host.geo.region_name | Region name. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). 
| keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| input.type | Input type | keyword | -| log.offset | Log offset | long | -| log.source.address | Source address from which the log event was read / sent from. | keyword | -| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | -| observer.version | Observer version. | keyword | -| os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| process.hash.sha1 | SHA1 hash. | keyword | -| related.hash | All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). | keyword | -| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| related.user | All the user names or other user identifiers seen on the event. | keyword | -| sentinel_one.activity.account.id | Related account ID (if applicable). 
| keyword | -| sentinel_one.activity.account.name | Related account name (if applicable). | keyword | -| sentinel_one.activity.agent.id | Related agent (if applicable). | keyword | -| sentinel_one.activity.comments | Comments. | keyword | -| sentinel_one.activity.data.account.id | Related account ID (if applicable). | keyword | -| sentinel_one.activity.data.account.name | Related account name (if applicable). | keyword | -| sentinel_one.activity.data.attr | Attribute. | keyword | -| sentinel_one.activity.data.changed_keys | Changed keys. | keyword | -| sentinel_one.activity.data.confidence.level | Confidence level. | keyword | -| sentinel_one.activity.data.created_at | Created time. | date | -| sentinel_one.activity.data.description | Description. | keyword | -| sentinel_one.activity.data.downloaded.url | Downloaded URL. | keyword | -| sentinel_one.activity.data.flattened | Extra activity specific data. | flattened | -| sentinel_one.activity.data.fullscope.details | fullscope details. | keyword | -| sentinel_one.activity.data.fullscope.details_path | fullscope details path. | keyword | -| sentinel_one.activity.data.global.status | Global status. | keyword | -| sentinel_one.activity.data.group | Related group (if applicable). | keyword | -| sentinel_one.activity.data.group_name | Related group name (if applicable). | keyword | -| sentinel_one.activity.data.malicious.process.arguments | Malicious process arguments. | keyword | -| sentinel_one.activity.data.new.confidence_level | New confidence level. | keyword | -| sentinel_one.activity.data.new.status | Status. | keyword | -| sentinel_one.activity.data.new.value | Value. | boolean | -| sentinel_one.activity.data.old.confidence_level | Old confidence level. | keyword | -| sentinel_one.activity.data.optionals_groups | Optionals groups. | keyword | -| sentinel_one.activity.data.original.status | Original status. | keyword | -| sentinel_one.activity.data.policy | Policy. 
| flattened | -| sentinel_one.activity.data.policy_name | Policy name. | keyword | -| sentinel_one.activity.data.reason | Reason. | keyword | -| sentinel_one.activity.data.role | Role. | keyword | -| sentinel_one.activity.data.role_name | Role name. | keyword | -| sentinel_one.activity.data.scope.level | Scope Level. | keyword | -| sentinel_one.activity.data.scope.name | Scope name. | keyword | -| sentinel_one.activity.data.scope_level.name | Scope level name. | keyword | -| sentinel_one.activity.data.site.name | Related site name (if applicable). | keyword | -| sentinel_one.activity.data.source | Source. | keyword | -| sentinel_one.activity.data.status | Status. | keyword | -| sentinel_one.activity.data.system | System. | boolean | -| sentinel_one.activity.data.threat.classification.name | Threat classification name. | keyword | -| sentinel_one.activity.data.threat.classification.source | Threat classification source. | keyword | -| sentinel_one.activity.data.user.name | User name. | keyword | -| sentinel_one.activity.data.user.scope | User scope. | keyword | -| sentinel_one.activity.data.uuid | UUID. | keyword | -| sentinel_one.activity.description.primary | Primary description. | keyword | -| sentinel_one.activity.description.secondary | Secondary description. | keyword | -| sentinel_one.activity.id | Activity ID. | keyword | -| sentinel_one.activity.site.id | Related site ID (if applicable). | keyword | -| sentinel_one.activity.site.name | Related site name (if applicable). | keyword | -| sentinel_one.activity.threat.id | Related threat ID (if applicable). | keyword | -| sentinel_one.activity.type | Activity type. | long | -| sentinel_one.activity.updated_at | Activity last updated time (UTC). | date | -| tags | List of keywords used to tag each event. | keyword | -| user.email | User email address. | keyword | -| user.full_name | User's full name, if available. | keyword | -| user.full_name.text | Multi-field of `user.full_name`. 
| match_only_text | -| user.group.id | Unique identifier for the group on the system/platform. | keyword | -| user.group.name | Name of the group. | keyword | -| user.id | Unique identifier of the user. | keyword | - - -### agent - -This is the `agent` dataset. - -An example event for `agent` looks as following: - -```json -{ - "@timestamp": "2022-04-07T08:31:47.481Z", - "agent": { - "ephemeral_id": "75ba6397-6106-475c-a560-f92de9e8ce2e", - "id": "15b19080-249c-49a5-801a-edf25c28dcfe", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "8.4.1" - }, - "data_stream": { - "dataset": "sentinel_one.agent", - "namespace": "ep", - "type": "logs" - }, - "ecs": { - "version": "8.4.0" - }, - "elastic_agent": { - "id": "15b19080-249c-49a5-801a-edf25c28dcfe", - "snapshot": false, - "version": "8.4.1" - }, - "event": { - "agent_id_status": "verified", - "category": [ - "host" - ], - "created": "2022-09-26T01:55:05.976Z", - "dataset": "sentinel_one.agent", - "ingested": "2022-09-26T01:55:07Z", - "kind": "event", - "original": "{\"accountId\":\"12345123451234512345\",\"accountName\":\"Account Name\",\"activeDirectory\":{\"computerDistinguishedName\":null,\"computerMemberOf\":[],\"lastUserDistinguishedName\":null,\"lastUserMemberOf\":[]},\"activeThreats\":7,\"agentVersion\":\"12.x.x.x\",\"allowRemoteShell\":true,\"appsVulnerabilityStatus\":\"not_applicable\",\"cloudProviders\":{},\"computerName\":\"user-test\",\"consoleMigrationStatus\":\"N/A\",\"coreCount\":2,\"cpuCount\":2,\"cpuId\":\"CPU Name\",\"createdAt\":\"2022-03-18T09:12:00.519500Z\",\"detectionState\":null,\"domain\":\"WORKGROUP\",\"encryptedApplications\":false,\"externalId\":\"\",\"externalIp\":\"81.2.69.143\",\"firewallEnabled\":true,\"firstFullModeTime\":null,\"groupId\":\"1234567890123456789\",\"groupIp\":\"81.2.69.x\",\"groupName\":\"Default 
Group\",\"id\":\"13491234512345\",\"inRemoteShellSession\":false,\"infected\":true,\"installerType\":\".msi\",\"isActive\":true,\"isDecommissioned\":false,\"isPendingUninstall\":false,\"isUninstalled\":false,\"isUpToDate\":true,\"lastActiveDate\":\"2022-03-17T09:51:28.506000Z\",\"lastIpToMgmt\":\"81.2.69.145\",\"lastLoggedInUserName\":\"\",\"licenseKey\":\"\",\"locationEnabled\":true,\"locationType\":\"not_applicable\",\"locations\":null,\"machineType\":\"server\",\"mitigationMode\":\"detect\",\"mitigationModeSuspicious\":\"detect\",\"modelName\":\"Compute Engine\",\"networkInterfaces\":[{\"gatewayIp\":\"81.2.69.145\",\"gatewayMacAddress\":\"00-00-5E-00-53-00\",\"id\":\"1234567890123456789\",\"inet\":[\"81.2.69.144\"],\"inet6\":[\"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6\"],\"name\":\"Ethernet\",\"physical\":\"00-00-5E-00-53-00\"}],\"networkQuarantineEnabled\":false,\"networkStatus\":\"connected\",\"operationalState\":\"na\",\"operationalStateExpiration\":null,\"osArch\":\"64 bit\",\"osName\":\"Linux Server\",\"osRevision\":\"1234\",\"osStartTime\":\"2022-04-06T08:27:14Z\",\"osType\":\"linux\",\"osUsername\":null,\"rangerStatus\":\"Enabled\",\"rangerVersion\":\"21.x.x.x\",\"registeredAt\":\"2022-04-06T08:26:45.515278Z\",\"remoteProfilingState\":\"disabled\",\"remoteProfilingStateExpiration\":null,\"scanAbortedAt\":null,\"scanFinishedAt\":\"2022-04-06T09:18:21.090855Z\",\"scanStartedAt\":\"2022-04-06T08:26:52.838047Z\",\"scanStatus\":\"finished\",\"siteId\":\"1234567890123456789\",\"siteName\":\"Default site\",\"storageName\":null,\"storageType\":null,\"tags\":{\"sentinelone\":[{\"assignedAt\":\"2018-02-27T04:49:26.257525Z\",\"assignedBy\":\"test-user\",\"assignedById\":\"123456789012345678\",\"id\":\"123456789012345678\",\"key\":\"key123\",\"value\":\"value123\"}]},\"threatRebootRequired\":false,\"totalMemory\":1234,\"updatedAt\":\"2022-04-07T08:31:47.481227Z\",\"userActionsNeeded\":[\"reboot_needed\"],\"uuid\":\"XXX35XXX8Xfb4aX0X1X8X12X343X8X30\"}", - "type": [ - 
"info" - ] - }, - "group": { - "id": "1234567890123456789", - "name": "Default Group" - }, - "host": { - "domain": "WORKGROUP", - "geo": { - "city_name": "London", - "continent_name": "Europe", - "country_iso_code": "GB", - "country_name": "United Kingdom", - "location": { - "lat": 51.5142, - "lon": -0.0931 - }, - "region_iso_code": "GB-ENG", - "region_name": "England" - }, - "id": "13491234512345", - "ip": "81.2.69.143", - "mac": [ - "00-00-5E-00-53-00" - ], - "name": "user-test", - "os": { - "name": "Linux Server", - "type": "linux", - "version": "1234" - } - }, - "input": { - "type": "httpjson" - }, - "observer": { - "version": "12.x.x.x" - }, - "related": { - "hosts": [ - "user-test", - "WORKGROUP" - ], - "ip": [ - "81.2.69.143", - "81.2.69.145", - "81.2.69.144", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6" - ] - }, - "sentinel_one": { - "agent": { - "account": { - "id": "12345123451234512345", - "name": "Account Name" - }, - "active_threats_count": 7, - "allow_remote_shell": true, - "apps_vulnerability_status": "not_applicable", - "console_migration_status": "N/A", - "core": { - "count": 2 - }, - "cpu": { - "count": 2, - "id": "CPU Name" - }, - "created_at": "2022-03-18T09:12:00.519Z", - "encrypted_application": false, - "firewall_enabled": true, - "group": { - "ip": "81.2.69.x" - }, - "in_remote_shell_session": false, - "infected": true, - "installer_type": ".msi", - "is_active": true, - "is_decommissioned": false, - "is_pending_uninstall": false, - "is_uninstalled": false, - "is_up_to_date": true, - "last_active_date": "2022-03-17T09:51:28.506Z", - "last_ip_to_mgmt": "81.2.69.145", - "location": { - "enabled": true, - "type": "not_applicable" - }, - "machine": { - "type": "server" - }, - "mitigation_mode": "detect", - "mitigation_mode_suspicious": "detect", - "model_name": "Compute Engine", - "network_interfaces": [ - { - "gateway": { - "ip": "81.2.69.145", - "mac": "00-00-5E-00-53-00" - }, - "id": "1234567890123456789", - "inet": [ - "81.2.69.144" - ], - 
"inet6": [ - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6" - ], - "name": "Ethernet" - } - ], - "network_quarantine_enabled": false, - "network_status": "connected", - "operational_state": "na", - "os": { - "arch": "64 bit", - "start_time": "2022-04-06T08:27:14.000Z" - }, - "ranger": { - "status": "Enabled", - "version": "21.x.x.x" - }, - "registered_at": "2022-04-06T08:26:45.515Z", - "remote_profiling_state": "disabled", - "scan": { - "finished_at": "2022-04-06T09:18:21.090Z", - "started_at": "2022-04-06T08:26:52.838Z", - "status": "finished" - }, - "site": { - "id": "1234567890123456789", - "name": "Default site" - }, - "tags": [ - { - "assigned_at": "2018-02-27T04:49:26.257Z", - "assigned_by": "test-user", - "assigned_by_id": "123456789012345678", - "id": "123456789012345678", - "key": "key123", - "value": "value123" - } - ], - "threat_reboot_required": false, - "total_memory": 1234, - "user_action_needed": [ - "reboot_needed" - ], - "uuid": "XXX35XXX8Xfb4aX0X1X8X12X343X8X30" - } - }, - "tags": [ - "preserve_original_event", - "forwarded", - "sentinel_one-agent" - ] -} -``` - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. 
| keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. 
| date | -| event.dataset | Event dataset | constant_keyword | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | -| event.module | Event module | constant_keyword | -| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | -| group.id | Unique identifier for the group on the system/platform. | keyword | -| group.name | Name of the group. | keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. 
For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.geo.city_name | City name. | keyword | -| host.geo.continent_name | Name of the continent. | keyword | -| host.geo.country_iso_code | Country ISO code. | keyword | -| host.geo.country_name | Country name. | keyword | -| host.geo.location | Longitude and latitude. | geo_point | -| host.geo.region_iso_code | Region ISO code. | keyword | -| host.geo.region_name | Region name. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.type | Use the `os.type` field to categorize the operating system into one of the broad commercial families. If the OS you're dealing with is not listed as an expected value, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. 
| keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| input.type | Input type | keyword | -| log.offset | Log offset | long | -| observer.version | Observer version. | keyword | -| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| related.user | All the user names or other user identifiers seen on the event. | keyword | -| sentinel_one.agent.account.id | A reference to the containing account. | keyword | -| sentinel_one.agent.account.name | Name of the containing account. | keyword | -| sentinel_one.agent.active_directory.computer.member_of | Computer member of. | keyword | -| sentinel_one.agent.active_directory.computer.name | Computer distinguished name. | keyword | -| sentinel_one.agent.active_directory.last_user.distinguished_name | Last user distinguished name. | keyword | -| sentinel_one.agent.active_directory.last_user.member_of | Last user member of. | keyword | -| sentinel_one.agent.active_directory.mail | Mail. | keyword | -| sentinel_one.agent.active_directory.user.principal_name | User principal name. | keyword | -| sentinel_one.agent.active_threats_count | Current number of active threats. | long | -| sentinel_one.agent.allow_remote_shell | Agent is capable and policy enabled for remote shell. | boolean | -| sentinel_one.agent.apps_vulnerability_status | Apps vulnerability status. | keyword | -| sentinel_one.agent.cloud_provider | Cloud providers for this agent. | flattened | -| sentinel_one.agent.console_migration_status | What step the agent is at in the process of migrating to another console, if any. 
| keyword | -| sentinel_one.agent.core.count | CPU cores. | long | -| sentinel_one.agent.cpu.count | Number of CPUs. | long | -| sentinel_one.agent.cpu.id | CPU model. | keyword | -| sentinel_one.agent.created_at | Created at. | date | -| sentinel_one.agent.detection_state | Detection State. | keyword | -| sentinel_one.agent.encrypted_application | Disk encryption status. | boolean | -| sentinel_one.agent.external.id | External ID set by customer. | keyword | -| sentinel_one.agent.firewall_enabled | Firewall enabled. | boolean | -| sentinel_one.agent.first_full_mode_time | Date of the first time the Agent moved to full or slim detection modes. | date | -| sentinel_one.agent.group.ip | Group subnet address. | keyword | -| sentinel_one.agent.group.updated_at | Group updated at. | date | -| sentinel_one.agent.in_remote_shell_session | Is the Agent in a remote shell session. | boolean | -| sentinel_one.agent.infected | Indicates if the Agent has active threats. | boolean | -| sentinel_one.agent.installer_type | Installer package type (file extension). | keyword | -| sentinel_one.agent.is_active | Indicates if the agent was recently active. | boolean | -| sentinel_one.agent.is_decommissioned | Is Agent decommissioned. | boolean | -| sentinel_one.agent.is_pending_uninstall | Agent with a pending uninstall request. | boolean | -| sentinel_one.agent.is_uninstalled | Indicates if Agent was removed from the device. | boolean | -| sentinel_one.agent.is_up_to_date | Indicates if the agent version is up to date. | boolean | -| sentinel_one.agent.last_active_date | Last active date. | date | -| sentinel_one.agent.last_ip_to_mgmt | The last IP used to connect to the Management console. | ip | -| sentinel_one.agent.last_logged_in_user_name | Last logged in user name. | keyword | -| sentinel_one.agent.license.key | License key. | keyword | -| sentinel_one.agent.location.enabled | Location enabled. | boolean | -| sentinel_one.agent.location.type | Reported location type. 
| keyword | -| sentinel_one.agent.locations.id | Location ID. | keyword | -| sentinel_one.agent.locations.name | Location name. | keyword | -| sentinel_one.agent.locations.scope | Location scope. | keyword | -| sentinel_one.agent.machine.type | Machine type. | keyword | -| sentinel_one.agent.mitigation_mode | Agent mitigation mode policy. | keyword | -| sentinel_one.agent.mitigation_mode_suspicious | Mitigation mode policy for suspicious activity. | keyword | -| sentinel_one.agent.model_name | Device model. | keyword | -| sentinel_one.agent.network_interfaces.gateway.ip | The default gateway ip. | ip | -| sentinel_one.agent.network_interfaces.gateway.mac | The default gateway mac address. | keyword | -| sentinel_one.agent.network_interfaces.id | Id. | keyword | -| sentinel_one.agent.network_interfaces.inet | IPv4 addresses. | ip | -| sentinel_one.agent.network_interfaces.inet6 | IPv6 addresses. | ip | -| sentinel_one.agent.network_interfaces.name | Name. | keyword | -| sentinel_one.agent.network_quarantine_enabled | Network quarantine enabled. | boolean | -| sentinel_one.agent.network_status | Agent's network connectivity status. | keyword | -| sentinel_one.agent.operational_state | Agent operational state. | keyword | -| sentinel_one.agent.operational_state_expiration | Agent operational state expiration. | keyword | -| sentinel_one.agent.os.arch | OS architecture. | keyword | -| sentinel_one.agent.os.start_time | Last boot time. | date | -| sentinel_one.agent.policy.updated_at | Policy updated at. | date | -| sentinel_one.agent.ranger.status | Is Agent disabled as a Ranger. | keyword | -| sentinel_one.agent.ranger.version | The version of Ranger. | keyword | -| sentinel_one.agent.registered_at | Time of first registration to management console (similar to createdAt). | date | -| sentinel_one.agent.remote_profiling_state | Agent remote profiling state. 
| keyword | -| sentinel_one.agent.remote_profiling_state_expiration | Agent remote profiling state expiration in seconds. | keyword | -| sentinel_one.agent.scan.aborted_at | Abort time of last scan (if applicable). | date | -| sentinel_one.agent.scan.finished_at | Finish time of last scan (if applicable). | date | -| sentinel_one.agent.scan.started_at | Start time of last scan. | date | -| sentinel_one.agent.scan.status | Last scan status. | keyword | -| sentinel_one.agent.site.id | A reference to the containing site. | keyword | -| sentinel_one.agent.site.name | Name of the containing site. | keyword | -| sentinel_one.agent.storage.name | Storage name. | keyword | -| sentinel_one.agent.storage.type | Storage type. | keyword | -| sentinel_one.agent.tags.assigned_at | When tag assigned to the agent. | date | -| sentinel_one.agent.tags.assigned_by | full user name who assigned the tag to the agent. | keyword | -| sentinel_one.agent.tags.assigned_by_id | User ID who assigned the tag to the agent. | keyword | -| sentinel_one.agent.tags.id | Tag ID. | keyword | -| sentinel_one.agent.tags.key | Tag key. | keyword | -| sentinel_one.agent.tags.value | Tag value. | keyword | -| sentinel_one.agent.threat_reboot_required | Flag representing if the Agent has at least one threat with at least one mitigation action that is pending reboot to succeed. | boolean | -| sentinel_one.agent.total_memory | Memory size (MB). | long | -| sentinel_one.agent.user_action_needed | A list of pending user actions. | keyword | -| sentinel_one.agent.uuid | Agent's universally unique identifier. | keyword | -| tags | List of keywords used to tag each event. | keyword | -| user.name | Short name or login of the user. | keyword | -| user.name.text | Multi-field of `user.name`. | match_only_text | - - -### alert - -This is the `alert` dataset. 
- -An example event for `alert` looks as following: - -```json -{ - "@timestamp": "2018-02-27T04:49:26.257Z", - "agent": { - "ephemeral_id": "e13a5cfd-1c28-4abc-b09c-940f6d1dfc6f", - "id": "15b19080-249c-49a5-801a-edf25c28dcfe", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "8.4.1" - }, - "container": { - "id": "string", - "image": { - "name": "string" - }, - "name": "string" - }, - "data_stream": { - "dataset": "sentinel_one.alert", - "namespace": "ep", - "type": "logs" - }, - "destination": { - "ip": "0.0.0.0", - "port": 1234 - }, - "dll": { - "hash": { - "sha1": "aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d" - }, - "path": "string" - }, - "dns": { - "question": { - "name": "string" - } - }, - "ecs": { - "version": "8.4.0" - }, - "elastic_agent": { - "id": "15b19080-249c-49a5-801a-edf25c28dcfe", - "snapshot": false, - "version": "8.4.1" - }, - "event": { - "agent_id_status": "verified", - "category": [ - "malware" - ], - "created": "2022-09-26T01:55:44.088Z", - "dataset": "sentinel_one.alert", - "id": "123456789123456789", - "ingested": "2022-09-26T01:55:47Z", - "kind": "event", - "original": 
"{\"agentDetectionInfo\":{\"machineType\":\"string\",\"name\":\"string\",\"osFamily\":\"string\",\"osName\":\"string\",\"osRevision\":\"string\",\"siteId\":\"123456789123456789\",\"uuid\":\"string\",\"version\":\"3.x.x.x\"},\"alertInfo\":{\"alertId\":\"123456789123456789\",\"analystVerdict\":\"string\",\"createdAt\":\"2018-02-27T04:49:26.257525Z\",\"dnsRequest\":\"string\",\"dnsResponse\":\"string\",\"dstIp\":\"0.0.0.0\",\"dstPort\":\"1234\",\"dvEventId\":\"string\",\"eventType\":\"string\",\"hitType\":\"Events\",\"incidentStatus\":\"string\",\"indicatorCategory\":\"string\",\"indicatorDescription\":\"string\",\"indicatorName\":\"string\",\"loginAccountDomain\":\"string\",\"loginAccountSid\":\"string\",\"loginIsAdministratorEquivalent\":\"string\",\"loginIsSuccessful\":\"string\",\"loginType\":\"string\",\"loginsUserName\":\"string\",\"modulePath\":\"string\",\"moduleSha1\":\"aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d\",\"netEventDirection\":\"string\",\"registryKeyPath\":\"string\",\"registryOldValue\":\"string\",\"registryOldValueType\":\"string\",\"registryPath\":\"string\",\"registryValue\":\"string\",\"reportedAt\":\"2018-02-27T04:49:26.257525Z\",\"source\":\"string\",\"srcIp\":\"0.0.0.0\",\"srcMachineIp\":\"0.0.0.0\",\"srcPort\":\"string\",\"tiIndicatorComparisonMethod\":\"string\",\"tiIndicatorSource\":\"string\",\"tiIndicatorType\":\"string\",\"tiIndicatorValue\":\"string\",\"updatedAt\":\"2018-02-27T04:49:26.257525Z\"},\"containerInfo\":{\"id\":\"string\",\"image\":\"string\",\"labels\":\"string\",\"name\":\"string\"},\"kubernetesInfo\":{\"cluster\":\"string\",\"controllerKind\":\"string\",\"controllerLabels\":\"string\",\"controllerName\":\"string\",\"namespace\":\"string\",\"namespaceLabels\":\"string\",\"node\":\"string\",\"pod\":\"string\",\"podLabels\":\"string\"},\"ruleInfo\":{\"description\":\"string\",\"id\":\"string\",\"name\":\"string\",\"scopeLevel\":\"string\",\"severity\":\"Low\",\"treatAsThreat\":\"UNDEFINED\"},\"sourceParentProcessInfo\":{\"com
mandline\":\"string\",\"fileHashMd5\":\"5d41402abc4b2a76b9719d911017c592\",\"fileHashSha1\":\"aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d\",\"fileHashSha256\":\"2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824\",\"filePath\":\"string\",\"fileSignerIdentity\":\"string\",\"integrityLevel\":\"unknown\",\"name\":\"string\",\"pid\":\"12345\",\"pidStarttime\":\"2018-02-27T04:49:26.257525Z\",\"storyline\":\"string\",\"subsystem\":\"unknown\",\"uniqueId\":\"string\",\"user\":\"string\"},\"sourceProcessInfo\":{\"commandline\":\"string\",\"fileHashMd5\":\"5d41402abc4b2a76b9719d911017c592\",\"fileHashSha1\":\"aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d\",\"fileHashSha256\":\"2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824\",\"filePath\":\"string\",\"fileSignerIdentity\":\"string\",\"integrityLevel\":\"unknown\",\"name\":\"string\",\"pid\":\"12345\",\"pidStarttime\":\"2018-02-27T04:49:26.257525Z\",\"storyline\":\"string\",\"subsystem\":\"unknown\",\"uniqueId\":\"string\",\"user\":\"string\"},\"targetProcessInfo\":{\"tgtFileCreatedAt\":\"2018-02-27T04:49:26.257525Z\",\"tgtFileHashSha1\":\"aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d\",\"tgtFileHashSha256\":\"2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824\",\"tgtFileId\":\"string\",\"tgtFileIsSigned\":\"string\",\"tgtFileModifiedAt\":\"2018-02-27T04:49:26.257525Z\",\"tgtFileOldPath\":\"string\",\"tgtFilePath\":\"string\",\"tgtProcCmdLine\":\"string\",\"tgtProcImagePath\":\"string\",\"tgtProcIntegrityLevel\":\"unknown\",\"tgtProcName\":\"string\",\"tgtProcPid\":\"12345\",\"tgtProcSignedStatus\":\"string\",\"tgtProcStorylineId\":\"string\",\"tgtProcUid\":\"string\",\"tgtProcessStartTime\":\"2018-02-27T04:49:26.257525Z\"}}", - "type": [ - "info" - ] - }, - "file": { - "created": "2018-02-27T04:49:26.257Z", - "mtime": "2018-02-27T04:49:26.257Z" - }, - "host": { - "ip": "0.0.0.0", - "name": "string", - "os": { - "family": "string", - "name": "string", - "version": "string" - }, - "type": 
"string" - }, - "input": { - "type": "httpjson" - }, - "observer": { - "serial_number": "string", - "version": "3.x.x.x" - }, - "orchestrator": { - "cluster": { - "name": "string" - }, - "namespace": "string" - }, - "process": { - "code_signature": { - "signing_id": "string" - }, - "command_line": "string", - "entity_id": "string", - "executable": "string", - "hash": { - "md5": "5d41402abc4b2a76b9719d911017c592", - "sha1": "aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d", - "sha256": "2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824" - }, - "name": "string", - "parent": { - "code_signature": { - "signing_id": "string" - }, - "command_line": "string", - "entity_id": "string", - "executable": "string", - "hash": { - "md5": "5d41402abc4b2a76b9719d911017c592", - "sha1": "aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d", - "sha256": "2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824" - }, - "name": "string", - "pid": 12345, - "start": "2018-02-27T04:49:26.257Z", - "user": { - "name": "string" - } - }, - "pid": 12345, - "start": "2018-02-27T04:49:26.257Z", - "user": { - "name": "string" - } - }, - "registry": { - "key": "string", - "path": "string", - "value": "string" - }, - "related": { - "hash": [ - "aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d", - "5d41402abc4b2a76b9719d911017c592", - "2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824" - ], - "hosts": [ - "string" - ], - "ip": [ - "0.0.0.0" - ], - "user": [ - "string" - ] - }, - "rule": { - "description": "string", - "id": "string", - "name": "string" - }, - "sentinel_one": { - "alert": { - "agent": { - "site_id": "123456789123456789" - }, - "analyst_verdict": "string", - "container": { - "info": { - "labels": "string" - } - }, - "dv_event": { - "id": "string" - }, - "info": { - "dns": { - "response": "string" - }, - "event_type": "string", - "hit": { - "type": "Events" - }, - "indicator": { - "category": "string", - "description": "string", - "name": "string" - }, - "login": { - 
"account": { - "sid": "string" - }, - "is_administrator": "string", - "is_successful": "string", - "type": "string" - }, - "registry": { - "old_value": "string", - "old_value_type": "string" - }, - "reported_at": "2018-02-27T04:49:26.257Z", - "source": "string", - "status": "string", - "ti_indicator": { - "comparison_method": "string", - "source": "string", - "type": "string", - "value": "string" - }, - "updated_at": "2018-02-27T04:49:26.257Z" - }, - "kubernetes": { - "controller": { - "kind": "string", - "labels": "string", - "name": "string" - }, - "namespace": { - "labels": "string" - }, - "node": "string", - "pod": { - "labels": "string", - "name": "string" - } - }, - "process": { - "integrity_level": "unknown", - "parent": { - "integrity_level": "unknown", - "storyline": "string", - "subsystem": "unknown" - }, - "storyline": "string", - "subsystem": "unknown" - }, - "rule": { - "scope_level": "string", - "severity": "Low", - "treat_as_threat": "UNDEFINED" - }, - "target": { - "process": { - "file": { - "hash": { - "sha1": "aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d", - "sha256": "2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824" - }, - "id": "string", - "is_signed": "string", - "old_path": "string", - "path": "string" - }, - "proc": { - "cmdline": "string", - "image_path": "string", - "integrity_level": "unknown", - "name": "string", - "pid": 12345, - "signed_status": "string", - "storyline_id": "string", - "uid": "string" - }, - "start_time": "2018-02-27T04:49:26.257Z" - } - } - } - }, - "source": { - "ip": "0.0.0.0" - }, - "tags": [ - "preserve_original_event", - "forwarded", - "sentinel_one-alert" - ], - "user": { - "domain": "string", - "name": "string" - } -} -``` - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. 
Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | -| destination.port | Port of the destination. | long | -| dll.hash.sha1 | SHA1 hash. | keyword | -| dll.path | Full file path of the library. | keyword | -| dns.question.name | The name being queried. If the name field contains non-printable characters (below 32 or above 126), those characters should be represented as escaped base 10 integers (\DDD). Back slashes and quotes should be escaped. Tabs, carriage returns, and line feeds should be converted to \t, \r, and \n respectively. | keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. 
| keyword | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | -| event.dataset | Event dataset | constant_keyword | -| event.id | Unique ID to describe the event. | keyword | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | -| event.module | Event module | constant_keyword | -| event.original | Raw text message of entire event. 
Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | -| file.created | File creation time. Note that not all filesystems store the creation time. | date | -| file.mtime | Last time the file content was modified. | date | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. 
| keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| input.type | Input type | keyword | -| log.offset | Log offset | long | -| log.source.address | Source address from which the log event was read / sent from. | keyword | -| network.direction | Direction of the network traffic. When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword | -| observer.serial_number | Observer serial number. | keyword | -| observer.version | Observer version. | keyword | -| orchestrator.cluster.name | Name of the cluster. | keyword | -| orchestrator.namespace | Namespace in which the action is taking place. 
| keyword |
-| os.name | Operating system name, without the version. | keyword |
-| os.name.text | Multi-field of `os.name`. | match_only_text |
-| process.code_signature.signing_id | The identifier used to sign the process. This is used to identify the application manufactured by a software vendor. The field is relevant to Apple \*OS only. | keyword |
-| process.command_line | Full command line that started the process, including the absolute path to the executable, and all arguments. Some arguments may be filtered to protect sensitive information. | wildcard |
-| process.command_line.text | Multi-field of `process.command_line`. | match_only_text |
-| process.entity_id | Unique identifier for the process. The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. | keyword |
-| process.executable | Absolute path to the process executable. | keyword |
-| process.executable.text | Multi-field of `process.executable`. | match_only_text |
-| process.hash.md5 | MD5 hash. | keyword |
-| process.hash.sha1 | SHA1 hash. | keyword |
-| process.hash.sha256 | SHA256 hash. | keyword |
-| process.name | Process name. Sometimes called program name or similar. | keyword |
-| process.name.text | Multi-field of `process.name`. | match_only_text |
-| process.parent.code_signature.signing_id | The identifier used to sign the process. This is used to identify the application manufactured by a software vendor. The field is relevant to Apple \*OS only. | keyword |
-| process.parent.command_line | Full command line that started the process, including the absolute path to the executable, and all arguments. 
Some arguments may be filtered to protect sensitive information. | wildcard |
-| process.parent.command_line.text | Multi-field of `process.parent.command_line`. | match_only_text |
-| process.parent.entity_id | Unique identifier for the process. The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. | keyword |
-| process.parent.executable | Absolute path to the process executable. | keyword |
-| process.parent.executable.text | Multi-field of `process.parent.executable`. | match_only_text |
-| process.parent.hash.md5 | MD5 hash. | keyword |
-| process.parent.hash.sha1 | SHA1 hash. | keyword |
-| process.parent.hash.sha256 | SHA256 hash. | keyword |
-| process.parent.name | Process name. Sometimes called program name or similar. | keyword |
-| process.parent.name.text | Multi-field of `process.parent.name`. | match_only_text |
-| process.parent.pid | Process id. | long |
-| process.parent.start | The time the process started. | date |
-| process.parent.user.name | Short name or login of the user. | keyword |
-| process.parent.user.name.text | Multi-field of `process.parent.user.name`. | match_only_text |
-| process.pid | Process id. | long |
-| process.start | The time the process started. | date |
-| process.user.name | Short name or login of the user. | keyword |
-| process.user.name.text | Multi-field of `process.user.name`. | match_only_text |
-| registry.key | Hive-relative path of keys. | keyword |
-| registry.path | Full path, including hive, key and value | keyword |
-| registry.value | Name of the value written. | keyword |
-| related.hash | All the hashes seen on your event. 
Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). | keyword |
-| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword |
-| related.ip | All of the IPs seen on your event. | ip |
-| related.user | All the user names or other user identifiers seen on the event. | keyword |
-| rule.category | A categorization value keyword used by the entity using the rule for detection of this event. | keyword |
-| rule.description | The description of the rule generating the event. | keyword |
-| rule.id | A rule ID that is unique within the scope of an agent, observer, or other entity using the rule for detection of this event. | keyword |
-| rule.name | The name of the rule or signature generating the event. | keyword |
-| sentinel_one.alert.agent.site_id | Site id. | keyword |
-| sentinel_one.alert.analyst_verdict | Analyst verdict. | keyword |
-| sentinel_one.alert.container.info.labels | Container info labels. | keyword |
-| sentinel_one.alert.dv_event.id | DV event id. | keyword |
-| sentinel_one.alert.info.dns.response | IP address, DNS, type, etc. in response. | keyword |
-| sentinel_one.alert.info.event_type | Event type. | keyword |
-| sentinel_one.alert.info.hit.type | Type of hit reported from agent. | keyword |
-| sentinel_one.alert.info.indicator.category | Indicator categories for this process. | keyword |
-| sentinel_one.alert.info.indicator.description | Indicator_description. | keyword |
-| sentinel_one.alert.info.indicator.name | Indicator names for this process. | keyword |
-| sentinel_one.alert.info.login.account.sid | SID of the account that attempted to login. | keyword |
-| sentinel_one.alert.info.login.is_administrator | Is the login attempt administrator equivalent. 
| keyword |
-| sentinel_one.alert.info.login.is_successful | Was the login attempt successful. | keyword |
-| sentinel_one.alert.info.login.type | Type of login which was performed. | keyword |
-| sentinel_one.alert.info.registry.old_value | Registry previous value (in case of modification). | keyword |
-| sentinel_one.alert.info.registry.old_value_type | Registry previous value type (in case of modification). | keyword |
-| sentinel_one.alert.info.reported_at | Timestamp of alert creation in STAR. | date |
-| sentinel_one.alert.info.source | Source reported from agent. | keyword |
-| sentinel_one.alert.info.status | Incident status. | keyword |
-| sentinel_one.alert.info.ti_indicator.comparison_method | The comparison method used by SentinelOne to trigger the event. | keyword |
-| sentinel_one.alert.info.ti_indicator.source | The value of the identified Threat Intelligence indicator. | keyword |
-| sentinel_one.alert.info.ti_indicator.type | The type of the identified Threat Intelligence indicator. | keyword |
-| sentinel_one.alert.info.ti_indicator.value | The value of the identified Threat Intelligence indicator. | keyword |
-| sentinel_one.alert.info.updated_at | Date of alert updated in Star MMS. | date |
-| sentinel_one.alert.kubernetes.controller.kind | Controller kind. | keyword |
-| sentinel_one.alert.kubernetes.controller.labels | Controller labels. | keyword |
-| sentinel_one.alert.kubernetes.controller.name | Controller name. | keyword |
-| sentinel_one.alert.kubernetes.namespace.labels | Namespace labels. | keyword |
-| sentinel_one.alert.kubernetes.node | Node. | keyword |
-| sentinel_one.alert.kubernetes.pod.labels | Pod Labels. | keyword |
-| sentinel_one.alert.kubernetes.pod.name | Pod name. | keyword |
-| sentinel_one.alert.process.integrity_level | Integrity level. | keyword |
-| sentinel_one.alert.process.parent.integrity_level | Integrity level. | keyword |
-| sentinel_one.alert.process.parent.storyline | StoryLine. 
| keyword |
-| sentinel_one.alert.process.parent.subsystem | Subsystem. | keyword |
-| sentinel_one.alert.process.storyline | StoryLine. | keyword |
-| sentinel_one.alert.process.subsystem | Subsystem. | keyword |
-| sentinel_one.alert.rule.scope_level | Scope level. | keyword |
-| sentinel_one.alert.rule.severity | Rule severity. | keyword |
-| sentinel_one.alert.rule.treat_as_threat | Rule treat as threat type. | keyword |
-| sentinel_one.alert.target.process.file.hash.sha1 | SHA1 Signature of File. | keyword |
-| sentinel_one.alert.target.process.file.hash.sha256 | SHA256 Signature of File. | keyword |
-| sentinel_one.alert.target.process.file.id | Unique ID of file. | keyword |
-| sentinel_one.alert.target.process.file.is_signed | Is fle signed. | keyword |
-| sentinel_one.alert.target.process.file.old_path | Old path before 'Rename'. | keyword |
-| sentinel_one.alert.target.process.file.path | Path and filename. | keyword |
-| sentinel_one.alert.target.process.proc.cmdline | Target Process Command Line. | keyword |
-| sentinel_one.alert.target.process.proc.image_path | Target Process Image path | keyword |
-| sentinel_one.alert.target.process.proc.integrity_level | Integrity level of target process. | keyword |
-| sentinel_one.alert.target.process.proc.name | Target Process Name. | keyword |
-| sentinel_one.alert.target.process.proc.pid | Target Process ID (PID). | long |
-| sentinel_one.alert.target.process.proc.signed_status | Target Process Signed Status. | keyword |
-| sentinel_one.alert.target.process.proc.storyline_id | Target Process StoryLine ID. | keyword |
-| sentinel_one.alert.target.process.proc.uid | Target Process Unique ID. | keyword |
-| sentinel_one.alert.target.process.start_time | Target Process Start Time. | date |
-| source.ip | IP address of the source (IPv4 or IPv6). | ip |
-| source.port | Port of the source. | long |
-| tags | List of keywords used to tag each event. 
| keyword | -| user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword | -| user.name | Short name or login of the user. | keyword | -| user.name.text | Multi-field of `user.name`. | match_only_text | - - -### group - -This is the `group` dataset. - -An example event for `group` looks as following: - -```json -{ - "@timestamp": "2022-04-05T16:01:57.564Z", - "agent": { - "ephemeral_id": "73e9a896-4008-48cb-8ee4-ac49f5d15e32", - "id": "15b19080-249c-49a5-801a-edf25c28dcfe", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "8.4.1" - }, - "data_stream": { - "dataset": "sentinel_one.group", - "namespace": "ep", - "type": "logs" - }, - "ecs": { - "version": "8.4.0" - }, - "elastic_agent": { - "id": "15b19080-249c-49a5-801a-edf25c28dcfe", - "snapshot": false, - "version": "8.4.1" - }, - "event": { - "agent_id_status": "verified", - "category": [ - "iam" - ], - "created": "2022-09-26T01:56:24.112Z", - "dataset": "sentinel_one.group", - "ingested": "2022-09-26T01:56:27Z", - "kind": "event", - "original": "{\"createdAt\":\"2022-04-05T16:01:56.928383Z\",\"creator\":\"Test User\",\"creatorId\":\"1234567890123456789\",\"filterId\":null,\"filterName\":null,\"id\":\"1234567890123456789\",\"inherits\":true,\"isDefault\":true,\"name\":\"Default Group\",\"rank\":null,\"registrationToken\":\"eyxxxxxxxxxxxxxxxxxxxxkixZxx1xxxxx8xxx2xODA0ZxxxxTIwNjhxxxxxxxxxxxxxxiMWYxx1Ixxnxxxx0=\",\"siteId\":\"1234567890123456789\",\"totalAgents\":1,\"type\":\"static\",\"updatedAt\":\"2022-04-05T16:01:57.564266Z\"}", - "type": [ - "info" - ] - }, - "group": { - "id": "1234567890123456789", - "name": "Default Group" - }, - "input": { - "type": "httpjson" - }, - "related": { - "user": [ - "Test User" - ] - }, - "sentinel_one": { - "group": { - "agent": { - "count": 1 - }, - "created_at": "2022-04-05T16:01:56.928Z", - "creator": { - "id": "1234567890123456789" - }, - "inherits": true, - "is_default": true, - 
"registration_token": "eyxxxxxxxxxxxxxxxxxxxxkixZxx1xxxxx8xxx2xODA0ZxxxxTIwNjhxxxxxxxxxxxxxxiMWYxx1Ixxnxxxx0=", - "site": { - "id": "1234567890123456789" - }, - "type": "static" - } - }, - "tags": [ - "preserve_original_event", - "forwarded", - "sentinel_one-group" - ], - "user": { - "full_name": "Test User" - } -} -``` - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. 
| keyword |
-| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword |
-| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date |
-| event.dataset | Event dataset | constant_keyword |
-| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword |
-| event.module | Event module | constant_keyword |
-| event.original | Raw text message of entire event. 
Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword |
-| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword |
-| group.id | Unique identifier for the group on the system/platform. | keyword |
-| group.name | Name of the group. | keyword |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information. 
| keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| input.type | Input type | keyword | -| log.offset | Log offset | long | -| log.source.address | Source address from which the log event was read / sent from. | keyword | -| related.user | All the user names or other user identifiers seen on the event. | keyword | -| sentinel_one.group.agent.count | | long | -| sentinel_one.group.created_at | | date | -| sentinel_one.group.creator.id | | keyword | -| sentinel_one.group.filter.id | | keyword | -| sentinel_one.group.filter.name | | keyword | -| sentinel_one.group.inherits | | boolean | -| sentinel_one.group.is_default | | boolean | -| sentinel_one.group.rank | | long | -| sentinel_one.group.registration_token | | keyword | -| sentinel_one.group.site.id | | keyword | -| sentinel_one.group.type | | keyword | -| tags | List of keywords used to tag each event. | keyword | -| user.full_name | User's full name, if available. | keyword | -| user.full_name.text | Multi-field of `user.full_name`. | match_only_text | -| user.id | Unique identifier of the user. | keyword | - - -### threat - -This is the `threat` dataset. 
- -An example event for `threat` looks as following: - -```json -{ - "@timestamp": "2022-04-06T08:54:17.194Z", - "agent": { - "ephemeral_id": "7562adce-b104-46d3-bc7b-c9e79060ca40", - "id": "15b19080-249c-49a5-801a-edf25c28dcfe", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "8.4.1" - }, - "data_stream": { - "dataset": "sentinel_one.threat", - "namespace": "ep", - "type": "logs" - }, - "ecs": { - "version": "8.4.0" - }, - "elastic_agent": { - "id": "15b19080-249c-49a5-801a-edf25c28dcfe", - "snapshot": false, - "version": "8.4.1" - }, - "event": { - "action": "SentinelOne Cloud", - "agent_id_status": "verified", - "category": [ - "malware" - ], - "created": "2022-09-26T01:57:04.978Z", - "dataset": "sentinel_one.threat", - "ingested": "2022-09-26T01:57:08Z", - "kind": "alert", - "original": "{\"agentDetectionInfo\":{\"accountId\":\"1234567890123456789\",\"accountName\":\"Default\",\"agentDetectionState\":null,\"agentDomain\":\"WORKGROUP\",\"agentIpV4\":\"10.0.0.1\",\"agentIpV6\":\"XX80::7X59:X6X9:9X72:XXXX\",\"agentLastLoggedInUpn\":null,\"agentLastLoggedInUserMail\":null,\"agentLastLoggedInUserName\":\"\",\"agentMitigationMode\":\"protect\",\"agentOsName\":\"linux\",\"agentOsRevision\":\"1234\",\"agentRegisteredAt\":\"2022-04-06T08:26:45.515278Z\",\"agentUuid\":\"fwfbxxxxxxxxxxqcfjfnxxxxxxxxx\",\"agentVersion\":\"21.x.x\",\"cloudProviders\":{},\"externalIp\":\"81.2.69.143\",\"groupId\":\"1234567890123456789\",\"groupName\":\"Default Group\",\"siteId\":\"1234567890123456789\",\"siteName\":\"Default 
site\"},\"agentRealtimeInfo\":{\"accountId\":\"1234567890123456789\",\"accountName\":\"Default\",\"activeThreats\":7,\"agentComputerName\":\"test-LINUX\",\"agentDecommissionedAt\":null,\"agentDomain\":\"WORKGROUP\",\"agentId\":\"1234567890123456789\",\"agentInfected\":true,\"agentIsActive\":true,\"agentIsDecommissioned\":false,\"agentMachineType\":\"server\",\"agentMitigationMode\":\"detect\",\"agentNetworkStatus\":\"connected\",\"agentOsName\":\"linux\",\"agentOsRevision\":\"1234\",\"agentOsType\":\"linux\",\"agentUuid\":\"fwfbxxxxxxxxxxqcfjfnxxxxxxxxx\",\"agentVersion\":\"21.x.x.1234\",\"groupId\":\"1234567890123456789\",\"groupName\":\"Default Group\",\"networkInterfaces\":[{\"id\":\"1234567890123456789\",\"inet\":[\"10.0.0.1\"],\"inet6\":[\"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6\"],\"name\":\"Ethernet\",\"physical\":\"X2:0X:0X:X6:00:XX\"}],\"operationalState\":\"na\",\"rebootRequired\":false,\"scanAbortedAt\":null,\"scanFinishedAt\":\"2022-04-06T09:18:21.090855Z\",\"scanStartedAt\":\"2022-04-06T08:26:52.838047Z\",\"scanStatus\":\"finished\",\"siteId\":\"1234567890123456789\",\"siteName\":\"Default 
site\",\"storageName\":null,\"storageType\":null,\"userActionsNeeded\":[]},\"containerInfo\":{\"id\":null,\"image\":null,\"labels\":null,\"name\":null},\"id\":\"1234567890123456789\",\"indicators\":[],\"kubernetesInfo\":{\"cluster\":null,\"controllerKind\":null,\"controllerLabels\":null,\"controllerName\":null,\"namespace\":null,\"namespaceLabels\":null,\"node\":null,\"pod\":null,\"podLabels\":null},\"mitigationStatus\":[{\"action\":\"unquarantine\",\"actionsCounters\":{\"failed\":0,\"notFound\":0,\"pendingReboot\":0,\"success\":1,\"total\":1},\"agentSupportsReport\":true,\"groupNotFound\":false,\"lastUpdate\":\"2022-04-06T08:54:17.198002Z\",\"latestReport\":\"/threats/mitigation-report\",\"mitigationEndedAt\":\"2022-04-06T08:54:17.101000Z\",\"mitigationStartedAt\":\"2022-04-06T08:54:17.101000Z\",\"status\":\"success\"},{\"action\":\"kill\",\"actionsCounters\":null,\"agentSupportsReport\":true,\"groupNotFound\":false,\"lastUpdate\":\"2022-04-06T08:45:55.303355Z\",\"latestReport\":null,\"mitigationEndedAt\":\"2022-04-06T08:45:55.297364Z\",\"mitigationStartedAt\":\"2022-04-06T08:45:55.297363Z\",\"status\":\"success\"}],\"threatInfo\":{\"analystVerdict\":\"undefined\",\"analystVerdictDescription\":\"Undefined\",\"automaticallyResolved\":false,\"browserType\":null,\"certificateId\":\"\",\"classification\":\"Trojan\",\"classificationSource\":\"Cloud\",\"cloudFilesHashVerdict\":\"black\",\"collectionId\":\"1234567890123456789\",\"confidenceLevel\":\"malicious\",\"createdAt\":\"2022-04-06T08:45:54.519988Z\",\"detectionEngines\":[{\"key\":\"sentinelone_cloud\",\"title\":\"SentinelOne Cloud\"}],\"detectionType\":\"static\",\"engines\":[\"SentinelOne 
Cloud\"],\"externalTicketExists\":false,\"externalTicketId\":null,\"failedActions\":false,\"fileExtension\":\"EXE\",\"fileExtensionType\":\"Executable\",\"filePath\":\"default.exe\",\"fileSize\":1234,\"fileVerificationType\":\"NotSigned\",\"identifiedAt\":\"2022-04-06T08:45:53.968000Z\",\"incidentStatus\":\"unresolved\",\"incidentStatusDescription\":\"Unresolved\",\"initiatedBy\":\"agent_policy\",\"initiatedByDescription\":\"Agent Policy\",\"initiatingUserId\":null,\"initiatingUsername\":null,\"isFileless\":false,\"isValidCertificate\":false,\"maliciousProcessArguments\":null,\"md5\":null,\"mitigatedPreemptively\":false,\"mitigationStatus\":\"not_mitigated\",\"mitigationStatusDescription\":\"Not mitigated\",\"originatorProcess\":\"default.exe\",\"pendingActions\":false,\"processUser\":\"test user\",\"publisherName\":\"\",\"reachedEventsLimit\":false,\"rebootRequired\":false,\"sha1\":\"aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d\",\"sha256\":null,\"storyline\":\"D0XXXXXXXXXXAF4D\",\"threatId\":\"1234567890123456789\",\"threatName\":\"default.exe\",\"updatedAt\":\"2022-04-06T08:54:17.194122Z\"},\"whiteningOptions\":[\"hash\"]}", - "type": [ - "info" - ] - }, - "host": { - "domain": "WORKGROUP", - "geo": { - "city_name": "London", - "continent_name": "Europe", - "country_iso_code": "GB", - "country_name": "United Kingdom", - "location": { - "lat": 51.5142, - "lon": -0.0931 - }, - "region_iso_code": "GB-ENG", - "region_name": "England" - }, - "id": "1234567890123456789", - "ip": "81.2.69.143", - "mac": [ - "X2-0X-0X-X6-00-XX" - ], - "name": "test-LINUX", - "os": { - "name": "linux", - "type": "linux" - } - }, - "input": { - "type": "httpjson" - }, - "observer": { - "version": "21.x.x.1234" - }, - "process": { - "name": "default.exe" - }, - "related": { - "hash": [ - "aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d" - ], - "hosts": [ - "test-LINUX" - ], - "ip": [ - "10.0.0.1", - "81.2.69.143", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6" - ], - "user": [ - "test user" - ] - }, - 
"sentinel_one": { - "threat": { - "agent": { - "account": { - "id": "1234567890123456789", - "name": "Default" - }, - "active_threats": 7, - "group": { - "id": "1234567890123456789", - "name": "Default Group" - }, - "infected": true, - "is_active": true, - "is_decommissioned": false, - "machine_type": "server", - "mitigation_mode": "detect", - "network_interface": [ - { - "id": "1234567890123456789", - "inet": [ - "10.0.0.1" - ], - "inet6": [ - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6" - ], - "name": "Ethernet" - } - ], - "network_status": "connected", - "operational_state": "na", - "os": { - "version": "1234" - }, - "reboot_required": false, - "scan": { - "finished_at": "2022-04-06T09:18:21.090Z", - "started_at": "2022-04-06T08:26:52.838Z", - "status": "finished" - }, - "site": { - "id": "1234567890123456789", - "name": "Default site" - }, - "uuid": "fwfbxxxxxxxxxxqcfjfnxxxxxxxxx" - }, - "analysis": { - "description": "Undefined", - "verdict": "undefined" - }, - "automatically_resolved": false, - "classification": "Trojan", - "classification_source": "Cloud", - "cloudfiles_hash_verdict": "black", - "collection": { - "id": "1234567890123456789" - }, - "confidence_level": "malicious", - "created_at": "2022-04-06T08:45:54.519Z", - "detection": { - "account": { - "id": "1234567890123456789", - "name": "Default" - }, - "agent": { - "domain": "WORKGROUP", - "group": { - "id": "1234567890123456789", - "name": "Default Group" - }, - "ipv4": "10.0.0.1", - "mitigation_mode": "protect", - "os": { - "name": "linux", - "version": "1234" - }, - "registered_at": "2022-04-06T08:26:45.515Z", - "site": { - "id": "1234567890123456789", - "name": "Default site" - }, - "uuid": "fwfbxxxxxxxxxxqcfjfnxxxxxxxxx", - "version": "21.x.x" - }, - "engines": [ - { - "key": "sentinelone_cloud", - "title": "SentinelOne Cloud" - } - ], - "type": "static" - }, - "engines": [ - "SentinelOne Cloud" - ], - "external_ticket": { - "exist": false - }, - "failed_actions": false, - "file": { - "extension": 
{ - "type": "Executable" - }, - "identified_at": "2022-04-06T08:45:53.968Z", - "verification_type": "NotSigned" - }, - "id": "1234567890123456789", - "incident": { - "status": "unresolved", - "status_description": "Unresolved" - }, - "initiated": { - "description": "Agent Policy", - "name": "agent_policy" - }, - "is_fileless": false, - "is_valid_certificate": false, - "mitigated_preemptively": false, - "mitigation": { - "description": "Not mitigated", - "status": "not_mitigated" - }, - "mitigation_status": [ - { - "action": "unquarantine", - "action_counters": { - "failed": 0, - "not_found": 0, - "pending_reboot": 0, - "success": 1, - "total": 1 - }, - "agent_supports_report": true, - "group_not_found": false, - "last_update": "2022-04-06T08:54:17.198Z", - "latest_report": "/threats/mitigation-report", - "mitigation_ended_at": "2022-04-06T08:54:17.101Z", - "mitigation_started_at": "2022-04-06T08:54:17.101Z", - "status": "success" - }, - { - "action": "kill", - "agent_supports_report": true, - "group_not_found": false, - "last_update": "2022-04-06T08:45:55.303Z", - "mitigation_ended_at": "2022-04-06T08:45:55.297Z", - "mitigation_started_at": "2022-04-06T08:45:55.297Z", - "status": "success" - } - ], - "name": "default.exe", - "originator_process": "default.exe", - "pending_actions": false, - "process_user": "test user", - "reached_events_limit": false, - "reboot_required": false, - "storyline": "D0XXXXXXXXXXAF4D", - "threat_id": "1234567890123456789", - "whitening_option": [ - "hash" - ] - } - }, - "tags": [ - "preserve_original_event", - "forwarded", - "sentinel_one-threat" - ], - "threat": { - "indicator": { - "file": { - "extension": "EXE", - "hash": { - "sha1": "aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d" - }, - "path": "default.exe", - "size": 1234 - } - } - } -} -``` - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. 
| date |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
-| data_stream.dataset | Data stream dataset. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. 
This will allow proper categorization of some events that fall in multiple categories. | keyword |
-| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date |
-| event.dataset | Event dataset | constant_keyword |
-| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword |
-| event.module | Event module | constant_keyword |
-| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword |
-| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. 
`event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.geo.city_name | City name. | keyword |
-| host.geo.continent_name | Name of the continent. | keyword |
-| host.geo.country_iso_code | Country ISO code. | keyword |
-| host.geo.country_name | Country name. | keyword |
-| host.geo.location | Longitude and latitude. | geo_point |
-| host.geo.region_iso_code | Region ISO code. | keyword |
-| host.geo.region_name | Region name. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. 
| keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.type | Use the `os.type` field to categorize the operating system into one of the broad commercial families. If the OS you're dealing with is not listed as an expected value, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| input.type | Input type | keyword |
-| log.offset | Log offset | long |
-| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text |
-| observer.version | Observer version. | keyword |
-| process.name | Process name. Sometimes called program name or similar. | keyword |
-| process.name.text | Multi-field of `process.name`. | match_only_text |
-| related.hash | All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). | keyword |
-| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword |
-| related.ip | All of the IPs seen on your event. | ip |
-| related.user | All the user names or other user identifiers seen on the event. 
| keyword |
-| sentinel_one.threat.agent.account.id | Account id. | keyword |
-| sentinel_one.threat.agent.account.name | Account name. | keyword |
-| sentinel_one.threat.agent.active_threats | Active threats. | long |
-| sentinel_one.threat.agent.decommissioned_at | Decommissioned at. | boolean |
-| sentinel_one.threat.agent.group.id | Group id. | keyword |
-| sentinel_one.threat.agent.group.name | Group name. | keyword |
-| sentinel_one.threat.agent.infected | Agent infected. | boolean |
-| sentinel_one.threat.agent.is_active | Is active. | boolean |
-| sentinel_one.threat.agent.is_decommissioned | Is decommissioned. | boolean |
-| sentinel_one.threat.agent.machine_type | Machine type. | keyword |
-| sentinel_one.threat.agent.mitigation_mode | Agent mitigation mode policy. | keyword |
-| sentinel_one.threat.agent.network_interface.id | Device's network interfaces id. | keyword |
-| sentinel_one.threat.agent.network_interface.inet | Device's network interfaces IPv4 addresses. | keyword |
-| sentinel_one.threat.agent.network_interface.inet6 | Device's network interfaces IPv6 addresses. | keyword |
-| sentinel_one.threat.agent.network_interface.name | Device's network interfaces IPv4 Name. | keyword |
-| sentinel_one.threat.agent.network_status | Network status. | keyword |
-| sentinel_one.threat.agent.operational_state | Agent operational state. | keyword |
-| sentinel_one.threat.agent.os.version | OS revision. | keyword |
-| sentinel_one.threat.agent.reboot_required | A reboot is required on the endpoint for at least one acton on the threat. | boolean |
-| sentinel_one.threat.agent.scan.aborted_at | Abort time of last scan (if applicable). | keyword |
-| sentinel_one.threat.agent.scan.finished_at | Finish time of last scan (if applicable). | keyword |
-| sentinel_one.threat.agent.scan.started_at | Start time of last scan. | keyword |
-| sentinel_one.threat.agent.scan.status | Scan status. | keyword |
-| sentinel_one.threat.agent.site.id | Site id. 
| keyword |
-| sentinel_one.threat.agent.site.name | Site name. | keyword |
-| sentinel_one.threat.agent.storage.name | Storage Name. | keyword |
-| sentinel_one.threat.agent.storage.type | Storage Type. | keyword |
-| sentinel_one.threat.agent.user_action_needed | A list of pending user actions. List items possible values: "none, reboot_needed, user_acton_needed, upgrade_needed, incompatible_os, unprotected, user_acton_needed_fda, user_acton_needed_rs_fda,user_acton_needed_network, rebootless_without_dynamic_detection, extended_exclusions_partially_accepted, user_action_needed_bluetooth_per". | keyword |
-| sentinel_one.threat.agent.uuid | UUID. | keyword |
-| sentinel_one.threat.analysis.description | Analyst verdict description. | keyword |
-| sentinel_one.threat.analysis.verdict | Analyst verdict. | keyword |
-| sentinel_one.threat.automatically_resolved | Automatically resolved. | boolean |
-| sentinel_one.threat.browser_type | Browser type. | keyword |
-| sentinel_one.threat.certificate.id | File Certificate ID. | keyword |
-| sentinel_one.threat.classification | Classification of the threat. | keyword |
-| sentinel_one.threat.classification_source | Source of the threat Classification. | keyword |
-| sentinel_one.threat.cloudfiles_hash_verdict | Cloud files hash verdict. | keyword |
-| sentinel_one.threat.collection.id | Collection id. | keyword |
-| sentinel_one.threat.confidence_level | SentinelOne threat confidence level. | keyword |
-| sentinel_one.threat.container.labels | Container labels. | keyword |
-| sentinel_one.threat.created_at | Timestamp of date creation in the Management Console. | date |
-| sentinel_one.threat.detection.account.id | Orig account id. | keyword |
-| sentinel_one.threat.detection.account.name | Orig account name. | keyword |
-| sentinel_one.threat.detection.agent.domain | Network domain. | keyword |
-| sentinel_one.threat.detection.agent.group.id | Orig group id. 
| keyword |
-| sentinel_one.threat.detection.agent.group.name | Orig group name. | keyword |
-| sentinel_one.threat.detection.agent.ipv4 | Orig agent ipv4. | ip |
-| sentinel_one.threat.detection.agent.ipv6 | Orig agent ipv6. | ip |
-| sentinel_one.threat.detection.agent.last_logged_in.upn | UPN of last logged in user. | keyword |
-| sentinel_one.threat.detection.agent.mitigation_mode | Agent mitigation mode policy. | keyword |
-| sentinel_one.threat.detection.agent.os.name | Orig agent OS name. | keyword |
-| sentinel_one.threat.detection.agent.os.version | Orig agent OS revision. | keyword |
-| sentinel_one.threat.detection.agent.registered_at | Time of first registration to management console. | date |
-| sentinel_one.threat.detection.agent.site.id | Orig site id. | keyword |
-| sentinel_one.threat.detection.agent.site.name | Orig site name. | keyword |
-| sentinel_one.threat.detection.agent.uuid | UUID of the agent. | keyword |
-| sentinel_one.threat.detection.agent.version | Orig agent version. | keyword |
-| sentinel_one.threat.detection.cloud_providers | Cloud providers for this agent. | flattened |
-| sentinel_one.threat.detection.engines.key | List of engines that detected the threat key. | keyword |
-| sentinel_one.threat.detection.engines.title | List of engines that detected the threat title. | keyword |
-| sentinel_one.threat.detection.state | The Agent's detection state at time of detection. | keyword |
-| sentinel_one.threat.detection.type | Detection type. | keyword |
-| sentinel_one.threat.engines | List of engines that detected the threat. | keyword |
-| sentinel_one.threat.external_ticket.exist | External ticket exists. | boolean |
-| sentinel_one.threat.external_ticket.id | External ticket id. | keyword |
-| sentinel_one.threat.failed_actions | At least one action failed on the threat. | boolean |
-| sentinel_one.threat.file.extension.type | File extension type. | keyword |
-| sentinel_one.threat.file.identified_at | Identified at. 
| keyword |
-| sentinel_one.threat.file.verification_type | File verification type. | keyword |
-| sentinel_one.threat.id | Threat id. | keyword |
-| sentinel_one.threat.incident.status | Incident status. | keyword |
-| sentinel_one.threat.incident.status_description | Incident status description. | keyword |
-| sentinel_one.threat.indicators.category.id | Indicators Category Id. | long |
-| sentinel_one.threat.indicators.category.name | Indicators Category Name. | keyword |
-| sentinel_one.threat.indicators.description | Indicators Description. | keyword |
-| sentinel_one.threat.initiated.description | Initiated by description. | keyword |
-| sentinel_one.threat.initiated.name | Source of threat. | keyword |
-| sentinel_one.threat.initiating_user.id | Initiating user id. | keyword |
-| sentinel_one.threat.initiating_user.name | Initiating user username. | keyword |
-| sentinel_one.threat.is_fileless | Is fileless. | boolean |
-| sentinel_one.threat.is_valid_certificate | True if the certificate is valid. | boolean |
-| sentinel_one.threat.kubernetes.cluster | Cluster. | keyword |
-| sentinel_one.threat.kubernetes.controller.kind | Controller kind. | keyword |
-| sentinel_one.threat.kubernetes.controller.labels | Controller labels. | keyword |
-| sentinel_one.threat.kubernetes.controller.name | Controller name. | keyword |
-| sentinel_one.threat.kubernetes.namespace.labels | Namespace labels. | keyword |
-| sentinel_one.threat.kubernetes.namespace.name | Namespace name. | keyword |
-| sentinel_one.threat.kubernetes.node | Node. | keyword |
-| sentinel_one.threat.kubernetes.pod.labels | Pod labels. | keyword |
-| sentinel_one.threat.kubernetes.pod.name | Pod name. | keyword |
-| sentinel_one.threat.malicious_process_arguments | Malicious process arguments. | keyword |
-| sentinel_one.threat.mitigated_preemptively | True is the threat was blocked before execution. | boolean |
-| sentinel_one.threat.mitigation.description | Mitigation status description. 
| keyword |
-| sentinel_one.threat.mitigation.status | Mitigation status. | keyword |
-| sentinel_one.threat.mitigation_status.action | Action. | keyword |
-| sentinel_one.threat.mitigation_status.action_counters.failed | Actions counters Failed. | long |
-| sentinel_one.threat.mitigation_status.action_counters.not_found | Actions counters Not found. | long |
-| sentinel_one.threat.mitigation_status.action_counters.pending_reboot | Actions counters Pending reboot. | long |
-| sentinel_one.threat.mitigation_status.action_counters.success | Actions counters Success. | long |
-| sentinel_one.threat.mitigation_status.action_counters.total | Actions counters Total. | long |
-| sentinel_one.threat.mitigation_status.agent_supports_report | The Agent generates a full mitigation report. | keyword |
-| sentinel_one.threat.mitigation_status.group_not_found | Agent could not find the threat. | keyword |
-| sentinel_one.threat.mitigation_status.last_update | Timestamp of last mitigation status update. | keyword |
-| sentinel_one.threat.mitigation_status.latest_report | Report download URL. If None, there is no report. | keyword |
-| sentinel_one.threat.mitigation_status.mitigation_ended_at | The time the Agent finished the mitigation. | keyword |
-| sentinel_one.threat.mitigation_status.mitigation_started_at | The time the Agent started the mitigation. | keyword |
-| sentinel_one.threat.mitigation_status.status | Status. | keyword |
-| sentinel_one.threat.name | Threat name. | keyword |
-| sentinel_one.threat.originator_process | Originator process. | keyword |
-| sentinel_one.threat.pending_actions | At least one action is pending on the threat. | boolean |
-| sentinel_one.threat.process_user | Process user. | keyword |
-| sentinel_one.threat.publisher.name | Certificate publisher. | keyword |
-| sentinel_one.threat.reached_events_limit | Has number of OS events for this threat reached the limit, resulting in a partial attack storyline. 
| boolean |
-| sentinel_one.threat.reboot_required | A reboot is required on the endpoint for at least one threat. | boolean |
-| sentinel_one.threat.storyline | Storyline identifier from agent. | keyword |
-| sentinel_one.threat.threat_id | Threat id. | keyword |
-| sentinel_one.threat.whitening_option | Whitening options. | keyword |
-| tags | List of keywords used to tag each event. | keyword |
-| threat.framework | Name of the threat framework used to further categorize and classify the tactic and technique of the reported threat. Framework classification can be provided by detecting systems, evaluated at ingest time, or retrospectively tagged to events. | keyword |
-| threat.indicator.file.extension | File extension, excluding the leading dot. Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword |
-| threat.indicator.file.hash.md5 | MD5 hash. | keyword |
-| threat.indicator.file.hash.sha1 | SHA1 hash. | keyword |
-| threat.indicator.file.hash.sha256 | SHA256 hash. | keyword |
-| threat.indicator.file.path | Full path to the file, including the file name. It should include the drive letter, when appropriate. | keyword |
-| threat.indicator.file.path.text | Multi-field of `threat.indicator.file.path`. | match_only_text |
-| threat.indicator.file.size | File size in bytes. Only relevant when `file.type` is "file". | long |
-| threat.tactic.id | The id of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/ ) | keyword |
-| threat.tactic.name | Name of the type of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/) | keyword |
-| threat.technique.id | The id of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. 
https://attack.mitre.org/techniques/T1059/) | keyword |
-| threat.technique.reference | The reference url of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1059/) | keyword |
-| user.email | User email address. | keyword |
-| user.name | Short name or login of the user. | keyword |
-| user.name.text | Multi-field of `user.name`. | match_only_text |
diff --git a/packages/sentinel_one/1.2.2/img/sentinel-one-api-token-generate.png b/packages/sentinel_one/1.2.2/img/sentinel-one-api-token-generate.png
deleted file mode 100755
index 6f7dbebc0e..0000000000
Binary files a/packages/sentinel_one/1.2.2/img/sentinel-one-api-token-generate.png and /dev/null differ
diff --git a/packages/sentinel_one/1.2.2/img/sentinel-one-dashboard.png b/packages/sentinel_one/1.2.2/img/sentinel-one-dashboard.png
deleted file mode 100755
index 633d30ea35..0000000000
Binary files a/packages/sentinel_one/1.2.2/img/sentinel-one-dashboard.png and /dev/null differ
diff --git a/packages/sentinel_one/1.2.2/img/sentinel-one-logo.svg b/packages/sentinel_one/1.2.2/img/sentinel-one-logo.svg
deleted file mode 100755
index a482b77616..0000000000
--- a/packages/sentinel_one/1.2.2/img/sentinel-one-logo.svg
+++ /dev/null
@@ -1,2 +0,0 @@
-
-SentinelOne logo
diff --git a/packages/sentinel_one/1.2.2/img/sentinel-one-screenshot.png b/packages/sentinel_one/1.2.2/img/sentinel-one-screenshot.png
deleted file mode 100755
index 397e49f8a8..0000000000
Binary files a/packages/sentinel_one/1.2.2/img/sentinel-one-screenshot.png and /dev/null differ
diff --git a/packages/sentinel_one/1.2.2/kibana/dashboard/sentinel_one-0dd17490-bbb8-11ec-82b7-8fcb232e9538.json b/packages/sentinel_one/1.2.2/kibana/dashboard/sentinel_one-0dd17490-bbb8-11ec-82b7-8fcb232e9538.json
deleted file mode 100755
index f48ef23ccb..0000000000
--- a/packages/sentinel_one/1.2.2/kibana/dashboard/sentinel_one-0dd17490-bbb8-11ec-82b7-8fcb232e9538.json
+++ /dev/null
@@ -1,282 +0,0 @@ -{ - "attributes": { - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"sentinel_one.threat\\\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"attributes\":{\"description\":\"\",\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-58329672-9ca4-4454-9d78-c619ef956a6a\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"58329672-9ca4-4454-9d78-c619ef956a6a\":{\"columnOrder\":[\"d8990d07-439a-4335-9646-8fbcab6e268d\"],\"columns\":{\"d8990d07-439a-4335-9646-8fbcab6e268d\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"sentinel_one.threat.id\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"sentinel_one.threat\\\"\"},\"visualization\":{\"accessor\":\"d8990d07-439a-4335-9646-8fbcab6e268d\",\"layerId\":\"58329672-9ca4-4454-9d78-c619ef956a6a\",\"layerType\":\"data\"}},\"title\":\"Total Number of Threats [Logs 
SentinelOne]\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{}},\"gridData\":{\"h\":6,\"i\":\"ac59079e-c791-449b-aeeb-d47504921dff\",\"w\":12,\"x\":0,\"y\":0},\"panelIndex\":\"ac59079e-c791-449b-aeeb-d47504921dff\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"description\":\"\",\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-01d7bdc3-638b-4d23-9ae6-d24678743470\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"filter-index-pattern-0\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"01d7bdc3-638b-4d23-9ae6-d24678743470\":{\"columnOrder\":[\"831e34ee-b0d6-44b1-81b7-2bfee2a628ab\"],\"columns\":{\"831e34ee-b0d6-44b1-81b7-2bfee2a628ab\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"sentinel_one.threat.id\"}},\"incompleteColumns\":{}}}}},\"filters\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"filter-index-pattern-0\",\"key\":\"sentinel_one.threat.incident.status\",\"negate\":false,\"params\":{\"query\":\"resolved\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"sentinel_one.threat.incident.status\":\"resolved\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"sentinel_one.threat\\\"\"},\"visualization\":{\"accessor\":\"831e34ee-b0d6-44b1-81b7-2bfee2a628ab\",\"layerId\":\"01d7bdc3-638b-4d23-9ae6-d24678743470\",\"layerType\":\"data\"}},\"title\":\"Total Resolved Threats [Logs 
SentinelOne]\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{}},\"gridData\":{\"h\":6,\"i\":\"1684da14-7484-42a6-91d6-b9659883e20d\",\"w\":12,\"x\":12,\"y\":0},\"panelIndex\":\"1684da14-7484-42a6-91d6-b9659883e20d\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"description\":\"\",\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-8a4ab761-ffa9-4e3d-bd66-9cf0b7ee9849\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"filter-index-pattern-0\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"8a4ab761-ffa9-4e3d-bd66-9cf0b7ee9849\":{\"columnOrder\":[\"f3d83b7a-fc35-4c85-83f8-b41e12baddf6\"],\"columns\":{\"f3d83b7a-fc35-4c85-83f8-b41e12baddf6\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"sentinel_one.threat.id\"}},\"incompleteColumns\":{}}}}},\"filters\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"filter-index-pattern-0\",\"key\":\"sentinel_one.threat.incident.status\",\"negate\":false,\"params\":{\"query\":\"unresolved\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"sentinel_one.threat.incident.status\":\"unresolved\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"sentinel_one.threat\\\"\"},\"visualization\":{\"accessor\":\"f3d83b7a-fc35-4c85-83f8-b41e12baddf6\",\"layerId\":\"8a4ab761-ffa9-4e3d-bd66-9cf0b7ee9849\",\"layerType\":\"data\"}},\"title\":\"Unresolved Threats [Logs SentinelOne]\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":6,\"i\":\"030f8164-5e7d-4fb6-a779-d0537748a819\",\"w\":12,\"x\":24,\"y\":0},\"panelIndex\":\"030f8164-5e7d-4fb6-a779-d0537748a819\",\"title\":\"Total 
Unresolved Threats [Logs SentinelOne]\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"description\":\"\",\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-6f8f021f-aef7-458f-a0bb-445bd78741db\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"filter-index-pattern-0\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"filter-index-pattern-1\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"6f8f021f-aef7-458f-a0bb-445bd78741db\":{\"columnOrder\":[\"1ede434b-a316-4e79-85b6-ffbfc41f379a\"],\"columns\":{\"1ede434b-a316-4e79-85b6-ffbfc41f379a\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"sentinel_one.threat.id\"}},\"incompleteColumns\":{}}}}},\"filters\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"filter-index-pattern-0\",\"key\":\"sentinel_one.threat.incident.status\",\"negate\":false,\"params\":{\"query\":\"resolved\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"sentinel_one.threat.incident.status\":\"resolved\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"filter-index-pattern-1\",\"key\":\"sentinel_one.threat.mitigation.status\",\"negate\":false,\"params\":{\"query\":\"active\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"sentinel_one.threat.mitigation.status\":\"active\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"sentinel_one.threat\\\"\"},\"visualization\":{\"accessor\":\"1ede434b-a316-4e79-85b6-ffbfc41f379a\",\"layerId\":\"6f8f021f-aef7-458f-a0bb-445bd78741db\",\"layerType\":\"data\"}},\"title\":\"Active Threats [Logs 
SentinelOne]\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":6,\"i\":\"075409b1-9d74-4399-8348-3101a2d22392\",\"w\":12,\"x\":36,\"y\":0},\"panelIndex\":\"075409b1-9d74-4399-8348-3101a2d22392\",\"title\":\"Active Threats [Logs SentinelOne]\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"description\":\"\",\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-31be526e-c389-4f6d-93e8-27f1b7dcd0d0\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"filter-index-pattern-0\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"filter-index-pattern-1\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"31be526e-c389-4f6d-93e8-27f1b7dcd0d0\":{\"columnOrder\":[\"8ae53844-358d-4472-9d64-d7c2708fc29c\"],\"columns\":{\"8ae53844-358d-4472-9d64-d7c2708fc29c\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"sentinel_one.threat.id\"}},\"incompleteColumns\":{}}}}},\"filters\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"filter-index-pattern-0\",\"key\":\"sentinel_one.threat.incident.status\",\"negate\":true,\"params\":{\"query\":\"resolved\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"sentinel_one.threat.incident.status\":\"resolved\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"filter-index-pattern-1\",\"key\":\"sentinel_one.threat.mitigation.status\",\"negate\":false,\"params\":{\"query\":\"blocked\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"sentinel_one.threat.mitigation.status\":\"blocked\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : 
\\\"sentinel_one.threat\\\"\"},\"visualization\":{\"accessor\":\"8ae53844-358d-4472-9d64-d7c2708fc29c\",\"layerId\":\"31be526e-c389-4f6d-93e8-27f1b7dcd0d0\",\"layerType\":\"data\"}},\"title\":\"Blocked Threats [Logs SentinelOne]\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":8,\"i\":\"3ff8c08e-3a29-488c-b481-9b51accaae95\",\"w\":16,\"x\":0,\"y\":6},\"panelIndex\":\"3ff8c08e-3a29-488c-b481-9b51accaae95\",\"title\":\"Total Blocked Threats [Logs SentinelOne]\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"description\":\"\",\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-1c27890e-f153-4984-8c2f-6004a3779f71\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"filter-index-pattern-0\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"filter-index-pattern-1\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"1c27890e-f153-4984-8c2f-6004a3779f71\":{\"columnOrder\":[\"eb8375d7-8836-43bb-840a-88c8c2f11b43\"],\"columns\":{\"eb8375d7-8836-43bb-840a-88c8c2f11b43\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"sentinel_one.threat.id\"}},\"incompleteColumns\":{}}}}},\"filters\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"filter-index-pattern-0\",\"key\":\"sentinel_one.threat.mitigation.status\",\"negate\":false,\"params\":{\"query\":\"mitigated\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"sentinel_one.threat.mitigation.status\":\"mitigated\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"filter-index-pattern-1\",\"key\":\"sentinel_one.threat.incident.status\",\"ne
gate\":true,\"params\":{\"query\":\"resolved\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"sentinel_one.threat.incident.status\":\"resolved\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"sentinel_one.threat\\\"\"},\"visualization\":{\"accessor\":\"eb8375d7-8836-43bb-840a-88c8c2f11b43\",\"layerId\":\"1c27890e-f153-4984-8c2f-6004a3779f71\",\"layerType\":\"data\"}},\"title\":\"Mitigated Threats [Logs SentinelOne]\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":8,\"i\":\"d2411b38-52ad-47c2-b364-f1f42b7cd26a\",\"w\":16,\"x\":16,\"y\":6},\"panelIndex\":\"d2411b38-52ad-47c2-b364-f1f42b7cd26a\",\"title\":\"Total Mitigated Threats [Logs SentinelOne]\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"description\":\"\",\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-98a05273-ef46-4b59-8caa-86b7de9c9724\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"filter-index-pattern-0\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"98a05273-ef46-4b59-8caa-86b7de9c9724\":{\"columnOrder\":[\"9295a43b-ccd0-4d23-abf8-73586af8dac7\"],\"columns\":{\"9295a43b-ccd0-4d23-abf8-73586af8dac7\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"sentinel_one.threat.id\"}},\"incompleteColumns\":{}}}}},\"filters\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"filter-index-pattern-0\",\"key\":\"sentinel_one.threat.incident.status\",\"negate\":true,\"params\":{\"query\":\"resolved\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"sentinel_one.threat.incident.status\":\"resolved\"}}}],\"query\":{\"language\":\"kuery\",\"qu
ery\":\"sentinel_one.threat.mitigation.status : \\\"suspicious\\\" and data_stream.dataset : \\\"sentinel_one.threat\\\"\"},\"visualization\":{\"accessor\":\"9295a43b-ccd0-4d23-abf8-73586af8dac7\",\"layerId\":\"98a05273-ef46-4b59-8caa-86b7de9c9724\",\"layerType\":\"data\"}},\"title\":\"Detected - Suspicious Threats [Logs SentinelOne]\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":8,\"i\":\"14069c35-b940-4540-82f8-1ef2bb73dfe1\",\"w\":16,\"x\":32,\"y\":6},\"panelIndex\":\"14069c35-b940-4540-82f8-1ef2bb73dfe1\",\"title\":\"Total Detected - Suspicious Threats [Logs SentinelOne]\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"description\":\"\",\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-9d8d04b8-42e9-488a-9c18-39f38153e46a\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"filter-index-pattern-0\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"9d8d04b8-42e9-488a-9c18-39f38153e46a\":{\"columnOrder\":[\"3629412b-4ee6-4169-92d4-d5d8ebb7ab62\",\"324989fb-f85e-4bbc-b7f9-b85472d54928\"],\"columns\":{\"324989fb-f85e-4bbc-b7f9-b85472d54928\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"sentinel_one.threat.id\"},\"3629412b-4ee6-4169-92d4-d5d8ebb7ab62\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Prevalent 
Threats\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"324989fb-f85e-4bbc-b7f9-b85472d54928\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"sentinel_one.threat.name\"}},\"incompleteColumns\":{}}}}},\"filters\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"filter-index-pattern-0\",\"key\":\"sentinel_one.threat.incident.status\",\"negate\":true,\"params\":{\"query\":\"resolved\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"sentinel_one.threat.incident.status\":\"resolved\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"sentinel_one.threat\\\"\"},\"visualization\":{\"layers\":[{\"accessors\":[\"324989fb-f85e-4bbc-b7f9-b85472d54928\"],\"layerId\":\"9d8d04b8-42e9-488a-9c18-39f38153e46a\",\"layerType\":\"data\",\"position\":\"top\",\"seriesType\":\"bar_stacked\",\"showGridlines\":false,\"xAccessor\":\"3629412b-4ee6-4169-92d4-d5d8ebb7ab62\"}],\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"preferredSeriesType\":\"bar_stacked\",\"title\":\"Empty XY chart\",\"valueLabels\":\"hide\",\"yLeftExtent\":{\"mode\":\"full\"},\"yRightExtent\":{\"mode\":\"full\"}}},\"title\":\"Most Prevalent Threats [Logs 
SentinelOne]\",\"visualizationType\":\"lnsXY\"},\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"213a2279-8bb5-491b-b0f0-d5a7a2473670\",\"w\":24,\"x\":24,\"y\":14},\"panelIndex\":\"213a2279-8bb5-491b-b0f0-d5a7a2473670\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"description\":\"\",\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-ec6bf891-aedf-4b92-af42-54c04e749174\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"ec6bf891-aedf-4b92-af42-54c04e749174\":{\"columnOrder\":[\"7dc311c6-df3f-40ca-88e5-3925010191be\",\"9934d429-8319-435c-8c72-57a56541dfcb\"],\"columns\":{\"7dc311c6-df3f-40ca-88e5-3925010191be\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Engine Detections\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"9934d429-8319-435c-8c72-57a56541dfcb\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"sentinel_one.threat.detection.engines.title\"},\"9934d429-8319-435c-8c72-57a56541dfcb\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"sentinel_one.threat.id\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"sentinel_one.threat\\\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"7dc311c6-df3f-40ca-88e5-3925010191be\"],\"layerId\":\"ec6bf891-aedf-4b92-af42-54c04e749174\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"9934d429-8319-435c-8c72-57a56541dfcb\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"pie\"}},\"title\":\"Distribution of Detections by 
Engine [Logs SentinelOne]\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"14523f88-ccbb-45bc-9758-7263315630cb\",\"w\":24,\"x\":0,\"y\":14},\"panelIndex\":\"14523f88-ccbb-45bc-9758-7263315630cb\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"description\":\"\",\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-f83c655e-003c-4cc5-a2e3-789acb23b691\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"filter-index-pattern-0\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"f83c655e-003c-4cc5-a2e3-789acb23b691\":{\"columnOrder\":[\"d427f2bd-912c-476e-85a7-3110216b3b8d\",\"7fead18f-d40b-4539-ace7-5328e84140d2\"],\"columns\":{\"7fead18f-d40b-4539-ace7-5328e84140d2\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"sentinel_one.threat.id\"},\"d427f2bd-912c-476e-85a7-3110216b3b8d\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Filters\",\"operationType\":\"filters\",\"params\":{\"filters\":[{\"input\":{\"language\":\"kuery\",\"query\":\"sentinel_one.threat.agent.is_active : true \"},\"label\":\"Active Agents\"},{\"input\":{\"language\":\"kuery\",\"query\":\"sentinel_one.threat.agent.is_active : false \"},\"label\":\"Inactive Agents\"}]},\"scale\":\"ordinal\"}},\"incompleteColumns\":{}}}}},\"filters\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"filter-index-pattern-0\",\"key\":\"sentinel_one.threat.agent.is_active\",\"negate\":false,\"type\":\"exists\"},\"query\":{\"exists\":{\"field\":\"sentinel_one.threat.agent.is_active\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : 
\\\"sentinel_one.threat\\\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"d427f2bd-912c-476e-85a7-3110216b3b8d\"],\"layerId\":\"f83c655e-003c-4cc5-a2e3-789acb23b691\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"7fead18f-d40b-4539-ace7-5328e84140d2\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"pie\"}},\"title\":\"Distribution of Threats by Agent Status [Logs SentinelOne]\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"dc9ba6b7-0c35-4333-99ad-653d57c20fd7\",\"w\":24,\"x\":0,\"y\":29},\"panelIndex\":\"dc9ba6b7-0c35-4333-99ad-653d57c20fd7\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"description\":\"\",\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-6f4336e8-7451-476e-89a5-fe65d93be571\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"6f4336e8-7451-476e-89a5-fe65d93be571\":{\"columnOrder\":[\"59424e47-b686-440e-b754-51a079ad1417\",\"7c71fee2-7e8b-48d2-8344-767b3e76f207\"],\"columns\":{\"59424e47-b686-440e-b754-51a079ad1417\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Action\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"7c71fee2-7e8b-48d2-8344-767b3e76f207\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"sentinel_one.threat.mitigation_status.action\"},\"7c71fee2-7e8b-48d2-8344-767b3e76f207\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"sentinel_one.threat.id\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query
\":\"data_stream.dataset : \\\"sentinel_one.threat\\\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"59424e47-b686-440e-b754-51a079ad1417\"],\"layerId\":\"6f4336e8-7451-476e-89a5-fe65d93be571\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"7c71fee2-7e8b-48d2-8344-767b3e76f207\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"pie\"}},\"title\":\"Distribution of Threats by Mitigation Status Action [Logs SentinelOne]\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"0ae44b6f-3e90-4fce-96a0-a0bdf069ab0e\",\"w\":24,\"x\":24,\"y\":29},\"panelIndex\":\"0ae44b6f-3e90-4fce-96a0-a0bdf069ab0e\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"description\":\"\",\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-c5e5c6f0-5d4d-48f4-9ad4-727d5f1c0ebd\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"c5e5c6f0-5d4d-48f4-9ad4-727d5f1c0ebd\":{\"columnOrder\":[\"039a2941-5111-4bf1-a02a-af4a8fe09609\",\"86f6d3c9-4b8b-4d98-afae-df8ba9fd0e43\"],\"columns\":{\"039a2941-5111-4bf1-a02a-af4a8fe09609\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Mitigation 
Status\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"86f6d3c9-4b8b-4d98-afae-df8ba9fd0e43\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"sentinel_one.threat.mitigation_status.status\"},\"86f6d3c9-4b8b-4d98-afae-df8ba9fd0e43\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"sentinel_one.threat.id\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"sentinel_one.threat\\\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"039a2941-5111-4bf1-a02a-af4a8fe09609\"],\"layerId\":\"c5e5c6f0-5d4d-48f4-9ad4-727d5f1c0ebd\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"86f6d3c9-4b8b-4d98-afae-df8ba9fd0e43\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"pie\"}},\"title\":\"Distribution of Threats by Mitigation Status [Logs 
SentinelOne]\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"accf3797-c215-44a4-829d-c9ff30758f7b\",\"w\":24,\"x\":0,\"y\":44},\"panelIndex\":\"accf3797-c215-44a4-829d-c9ff30758f7b\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"description\":\"\",\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-a64559b1-90c9-4859-9d5f-2585172bcda4\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"a64559b1-90c9-4859-9d5f-2585172bcda4\":{\"columnOrder\":[\"e8b50532-e3ed-47d7-a0d4-7aaced47afa3\",\"ad08fd36-cbe4-4baa-ac1d-9454a3fd297b\"],\"columns\":{\"ad08fd36-cbe4-4baa-ac1d-9454a3fd297b\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"sentinel_one.threat.id\"},\"e8b50532-e3ed-47d7-a0d4-7aaced47afa3\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Mitigation Mode\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"ad08fd36-cbe4-4baa-ac1d-9454a3fd297b\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"sentinel_one.threat.agent.mitigation_mode\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : 
\\\"sentinel_one.threat\\\"\"},\"visualization\":{\"layers\":[{\"accessors\":[\"ad08fd36-cbe4-4baa-ac1d-9454a3fd297b\"],\"layerId\":\"a64559b1-90c9-4859-9d5f-2585172bcda4\",\"layerType\":\"data\",\"position\":\"top\",\"seriesType\":\"bar_stacked\",\"showGridlines\":false,\"xAccessor\":\"e8b50532-e3ed-47d7-a0d4-7aaced47afa3\"}],\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"preferredSeriesType\":\"bar_stacked\",\"title\":\"Empty XY chart\",\"valueLabels\":\"hide\",\"yLeftExtent\":{\"mode\":\"full\"},\"yRightExtent\":{\"mode\":\"full\"}}},\"title\":\"Distribution of Threats by Agent Mitigation Mode [Logs SentinelOne]\",\"visualizationType\":\"lnsXY\"},\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"301b13f1-59c8-40e0-80f8-ecc1892b938d\",\"w\":24,\"x\":24,\"y\":44},\"panelIndex\":\"301b13f1-59c8-40e0-80f8-ecc1892b938d\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"description\":\"\",\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-da28cab9-5d08-4b0b-bbd6-2cf9952051b2\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"da28cab9-5d08-4b0b-bbd6-2cf9952051b2\":{\"columnOrder\":[\"eb417ca9-4ef4-4280-8fd0-a8f7ca8261eb\",\"ae868bf2-36dc-418c-a6fc-43718e58cd78\"],\"columns\":{\"ae868bf2-36dc-418c-a6fc-43718e58cd78\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"sentinel_one.threat.id\"},\"eb417ca9-4ef4-4280-8fd0-a8f7ca8261eb\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Confidence 
Level\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"ae868bf2-36dc-418c-a6fc-43718e58cd78\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"sentinel_one.threat.confidence_level\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"sentinel_one.threat\\\"\"},\"visualization\":{\"layers\":[{\"accessors\":[\"ae868bf2-36dc-418c-a6fc-43718e58cd78\"],\"layerId\":\"da28cab9-5d08-4b0b-bbd6-2cf9952051b2\",\"layerType\":\"data\",\"position\":\"top\",\"seriesType\":\"bar_stacked\",\"showGridlines\":false,\"xAccessor\":\"eb417ca9-4ef4-4280-8fd0-a8f7ca8261eb\"}],\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"preferredSeriesType\":\"bar_stacked\",\"title\":\"Empty XY chart\",\"valueLabels\":\"hide\",\"yLeftExtent\":{\"mode\":\"full\"},\"yRightExtent\":{\"mode\":\"full\"}}},\"title\":\"Distribution of Threats by Confidence Level [Logs SentinelOne]\",\"visualizationType\":\"lnsXY\"},\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"b8f90700-ca73-40c7-9257-8612aa86cc9f\",\"w\":24,\"x\":0,\"y\":59},\"panelIndex\":\"b8f90700-ca73-40c7-9257-8612aa86cc9f\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"description\":\"\",\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-87c51fc8-6c57-4d1c-a3f5-8b420f1d392c\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"87c51fc8-6c57-4d1c-a3f5-8b420f1d392c\":{\"columnOrder\":[\"4aa33c2e-9de0-4eb8-96d2-2e2c4da4c70f\",\"7c555542-d2ad-4e9f-9779-305d5be0422a\"],\"columns\":{\"4aa33c2e-9de0-4eb8-96d2-2e2c4da4c70f\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"File 
Extension\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"7c555542-d2ad-4e9f-9779-305d5be0422a\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"sentinel_one.threat.file.extension.type\"},\"7c555542-d2ad-4e9f-9779-305d5be0422a\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"sentinel_one.threat.id\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"sentinel_one.threat\\\"\"},\"visualization\":{\"layers\":[{\"accessors\":[\"7c555542-d2ad-4e9f-9779-305d5be0422a\"],\"layerId\":\"87c51fc8-6c57-4d1c-a3f5-8b420f1d392c\",\"layerType\":\"data\",\"position\":\"top\",\"seriesType\":\"bar_stacked\",\"showGridlines\":false,\"xAccessor\":\"4aa33c2e-9de0-4eb8-96d2-2e2c4da4c70f\"}],\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"preferredSeriesType\":\"bar_stacked\",\"title\":\"Empty XY chart\",\"valueLabels\":\"hide\",\"yLeftExtent\":{\"mode\":\"full\"},\"yRightExtent\":{\"mode\":\"full\"}}},\"title\":\"Distribution of Threats by File Extension Type [Logs 
SentinelOne]\",\"visualizationType\":\"lnsXY\"},\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"9bdf752f-f767-44a4-bf05-51e0a27b7bbf\",\"w\":24,\"x\":24,\"y\":59},\"panelIndex\":\"9bdf752f-f767-44a4-bf05-51e0a27b7bbf\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"description\":\"\",\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-3f121a5b-0179-4329-a945-a3d23d83172f\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"3f121a5b-0179-4329-a945-a3d23d83172f\":{\"columnOrder\":[\"d0e857c2-8d8d-4177-9667-36bacc56c5a1\",\"cf378f6b-a6f6-4df2-933c-95224587ebf8\"],\"columns\":{\"cf378f6b-a6f6-4df2-933c-95224587ebf8\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"sentinel_one.threat.id\"},\"d0e857c2-8d8d-4177-9667-36bacc56c5a1\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"File Extension\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"cf378f6b-a6f6-4df2-933c-95224587ebf8\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"threat.indicator.file.extension\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"sentinel_one.threat\\\"\"},\"visualization\":{\"columns\":[{\"columnId\":\"d0e857c2-8d8d-4177-9667-36bacc56c5a1\",\"isTransposed\":false},{\"columnId\":\"cf378f6b-a6f6-4df2-933c-95224587ebf8\",\"isTransposed\":false}],\"layerId\":\"3f121a5b-0179-4329-a945-a3d23d83172f\",\"layerType\":\"data\"}},\"title\":\"Top 10 File Extension [Logs 
SentinelOne]\",\"visualizationType\":\"lnsDatatable\"},\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"ed9a7061-e640-41f3-a838-3772f86e4be4\",\"w\":24,\"x\":0,\"y\":74},\"panelIndex\":\"ed9a7061-e640-41f3-a838-3772f86e4be4\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"description\":\"\",\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-8662c82e-ca55-4ddc-81b6-2c4f9a3afbf8\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"8662c82e-ca55-4ddc-81b6-2c4f9a3afbf8\":{\"columnOrder\":[\"33d893f0-097c-42d5-bf31-4460415368d4\",\"d71d067f-c96c-4701-8f64-700b42388d59\"],\"columns\":{\"33d893f0-097c-42d5-bf31-4460415368d4\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Incident Status\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"d71d067f-c96c-4701-8f64-700b42388d59\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"sentinel_one.threat.incident.status\"},\"d71d067f-c96c-4701-8f64-700b42388d59\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"sentinel_one.threat.id\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : 
\\\"sentinel_one.threat\\\"\"},\"visualization\":{\"layers\":[{\"accessors\":[\"d71d067f-c96c-4701-8f64-700b42388d59\"],\"layerId\":\"8662c82e-ca55-4ddc-81b6-2c4f9a3afbf8\",\"layerType\":\"data\",\"position\":\"top\",\"seriesType\":\"bar_stacked\",\"showGridlines\":false,\"xAccessor\":\"33d893f0-097c-42d5-bf31-4460415368d4\"}],\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"preferredSeriesType\":\"bar_stacked\",\"title\":\"Empty XY chart\",\"valueLabels\":\"hide\",\"yLeftExtent\":{\"mode\":\"full\"},\"yRightExtent\":{\"mode\":\"full\"}}},\"title\":\"Distribution of Threats by Incident Status [Logs SentinelOne]\",\"visualizationType\":\"lnsXY\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"e17f8b5f-d5de-4921-bb3a-9d3e7ef58ae4\",\"w\":24,\"x\":24,\"y\":74},\"panelIndex\":\"e17f8b5f-d5de-4921-bb3a-9d3e7ef58ae4\",\"title\":\"Distribution of Threats by Incident Status [Logs SentinelOne]\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"savedVis\":{\"data\":{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\",\"field\":\"sentinel_one.threat.id\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Technique Name\",\"field\":\"threat.technique.id\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"searchSource\":{\"filter\":[],\"index\":\"logs-*\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"sentinel_one.threat\\\"\"}}},\"description\":\"\",\"params\":{\"maxFontSize\":72,\"minFontSize\":18,\"orientation\":\"single\",\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"scale\":\"linear\",\"showLabel\":true},\"title\":\"Top 10 Threat Techniques [Logs 
SentinelOne]\",\"type\":\"tagcloud\",\"uiState\":{}}},\"gridData\":{\"h\":15,\"i\":\"6d788430-6b2b-4e7c-9468-36b0aebf8468\",\"w\":24,\"x\":0,\"y\":89},\"panelIndex\":\"6d788430-6b2b-4e7c-9468-36b0aebf8468\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"description\":\"\",\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-71ff1569-960a-408c-8e00-df6b68186912\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"filter-index-pattern-0\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"71ff1569-960a-408c-8e00-df6b68186912\":{\"columnOrder\":[\"9a221d90-b37c-4947-899a-a8806d7d25f1\",\"d24c6b72-358d-4f01-ade3-cf9c228946e0\"],\"columns\":{\"9a221d90-b37c-4947-899a-a8806d7d25f1\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Filters\",\"operationType\":\"filters\",\"params\":{\"filters\":[{\"input\":{\"language\":\"kuery\",\"query\":\"sentinel_one.threat.agent.infected : true \"},\"label\":\"Infected Agents\"},{\"input\":{\"language\":\"kuery\",\"query\":\"sentinel_one.threat.agent.infected : false \"},\"label\":\"Non-Infected Agents\"}]},\"scale\":\"ordinal\"},\"d24c6b72-358d-4f01-ade3-cf9c228946e0\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"sentinel_one.threat.id\"}},\"incompleteColumns\":{}}}}},\"filters\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"filter-index-pattern-0\",\"key\":\"sentinel_one.threat.agent.infected\",\"negate\":false,\"type\":\"exists\"},\"query\":{\"exists\":{\"field\":\"sentinel_one.threat.agent.infected\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : 
\\\"sentinel_one.threat\\\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"9a221d90-b37c-4947-899a-a8806d7d25f1\"],\"layerId\":\"71ff1569-960a-408c-8e00-df6b68186912\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"d24c6b72-358d-4f01-ade3-cf9c228946e0\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"pie\"}},\"title\":\"Distribution of Threats by Infected Agents [Logs SentinelOne]\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"1888de07-0e2f-4fc4-80e9-f3102e8b97b3\",\"w\":24,\"x\":24,\"y\":89},\"panelIndex\":\"1888de07-0e2f-4fc4-80e9-f3102e8b97b3\",\"title\":\"Distribution of Threats by Infected Agents [Logs SentinelOne]\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"description\":\"\",\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-9fe7a9cc-3417-4166-bdfc-5cdb85599981\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"9fe7a9cc-3417-4166-bdfc-5cdb85599981\":{\"columnOrder\":[\"d0c8d1eb-750e-4d24-b6c3-245ca5bf9daa\",\"99d2033b-2144-4e21-ad23-a170fcac9408\"],\"columns\":{\"99d2033b-2144-4e21-ad23-a170fcac9408\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"sentinel_one.threat.id\"},\"d0c8d1eb-750e-4d24-b6c3-245ca5bf9daa\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Detection 
Engine\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"99d2033b-2144-4e21-ad23-a170fcac9408\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"sentinel_one.threat.detection.engines.title\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"sentinel_one.threat\\\"\"},\"visualization\":{\"columns\":[{\"columnId\":\"d0c8d1eb-750e-4d24-b6c3-245ca5bf9daa\",\"isTransposed\":false},{\"columnId\":\"99d2033b-2144-4e21-ad23-a170fcac9408\",\"isTransposed\":false}],\"layerId\":\"9fe7a9cc-3417-4166-bdfc-5cdb85599981\",\"layerType\":\"data\"}},\"title\":\"Distribution of Threats by Detection Engine [Logs SentinelOne] \",\"visualizationType\":\"lnsDatatable\"},\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"6080a8f0-54d7-4fae-884f-f34dbed69ea8\",\"w\":24,\"x\":0,\"y\":104},\"panelIndex\":\"6080a8f0-54d7-4fae-884f-f34dbed69ea8\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"savedVis\":{\"data\":{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\",\"field\":\"sentinel_one.threat.id\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Threat Classification\",\"field\":\"sentinel_one.threat.classification\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"searchSource\":{\"filter\":[],\"index\":\"logs-*\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"sentinel_one.threat\\\"\"}}},\"description\":\"\",\"params\":{\"maxFontSize\":72,\"minFontSize\":18,\"orientation\":\"single\",\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"scale\":\"linear\",\"showLabel\":true},\"title\":\"Top 
Threats by Classification [Logs SentinelOne]\",\"type\":\"tagcloud\",\"uiState\":{}}},\"gridData\":{\"h\":15,\"i\":\"55d0b7da-986b-4e98-b476-f3768233dc8f\",\"w\":24,\"x\":24,\"y\":104},\"panelIndex\":\"55d0b7da-986b-4e98-b476-f3768233dc8f\",\"type\":\"visualization\",\"version\":\"7.17.0\"}]", - "timeRestore": false, - "title": "[Logs SentinelOne] Threats", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "sentinel_one-0dd17490-bbb8-11ec-82b7-8fcb232e9538", - "migrationVersion": { - "dashboard": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "ac59079e-c791-449b-aeeb-d47504921dff:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "ac59079e-c791-449b-aeeb-d47504921dff:indexpattern-datasource-layer-58329672-9ca4-4454-9d78-c619ef956a6a", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "1684da14-7484-42a6-91d6-b9659883e20d:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "1684da14-7484-42a6-91d6-b9659883e20d:indexpattern-datasource-layer-01d7bdc3-638b-4d23-9ae6-d24678743470", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "1684da14-7484-42a6-91d6-b9659883e20d:filter-index-pattern-0", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "030f8164-5e7d-4fb6-a779-d0537748a819:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "030f8164-5e7d-4fb6-a779-d0537748a819:indexpattern-datasource-layer-8a4ab761-ffa9-4e3d-bd66-9cf0b7ee9849", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "030f8164-5e7d-4fb6-a779-d0537748a819:filter-index-pattern-0", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "075409b1-9d74-4399-8348-3101a2d22392:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": 
"075409b1-9d74-4399-8348-3101a2d22392:indexpattern-datasource-layer-6f8f021f-aef7-458f-a0bb-445bd78741db", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "075409b1-9d74-4399-8348-3101a2d22392:filter-index-pattern-0", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "075409b1-9d74-4399-8348-3101a2d22392:filter-index-pattern-1", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "3ff8c08e-3a29-488c-b481-9b51accaae95:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "3ff8c08e-3a29-488c-b481-9b51accaae95:indexpattern-datasource-layer-31be526e-c389-4f6d-93e8-27f1b7dcd0d0", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "3ff8c08e-3a29-488c-b481-9b51accaae95:filter-index-pattern-0", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "3ff8c08e-3a29-488c-b481-9b51accaae95:filter-index-pattern-1", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "d2411b38-52ad-47c2-b364-f1f42b7cd26a:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "d2411b38-52ad-47c2-b364-f1f42b7cd26a:indexpattern-datasource-layer-1c27890e-f153-4984-8c2f-6004a3779f71", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "d2411b38-52ad-47c2-b364-f1f42b7cd26a:filter-index-pattern-0", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "d2411b38-52ad-47c2-b364-f1f42b7cd26a:filter-index-pattern-1", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "14069c35-b940-4540-82f8-1ef2bb73dfe1:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "14069c35-b940-4540-82f8-1ef2bb73dfe1:indexpattern-datasource-layer-98a05273-ef46-4b59-8caa-86b7de9c9724", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "14069c35-b940-4540-82f8-1ef2bb73dfe1:filter-index-pattern-0", - "type": "index-pattern" - }, - { - "id": "logs-*", - 
"name": "213a2279-8bb5-491b-b0f0-d5a7a2473670:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "213a2279-8bb5-491b-b0f0-d5a7a2473670:indexpattern-datasource-layer-9d8d04b8-42e9-488a-9c18-39f38153e46a", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "213a2279-8bb5-491b-b0f0-d5a7a2473670:filter-index-pattern-0", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "14523f88-ccbb-45bc-9758-7263315630cb:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "14523f88-ccbb-45bc-9758-7263315630cb:indexpattern-datasource-layer-ec6bf891-aedf-4b92-af42-54c04e749174", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "dc9ba6b7-0c35-4333-99ad-653d57c20fd7:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "dc9ba6b7-0c35-4333-99ad-653d57c20fd7:indexpattern-datasource-layer-f83c655e-003c-4cc5-a2e3-789acb23b691", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "dc9ba6b7-0c35-4333-99ad-653d57c20fd7:filter-index-pattern-0", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "0ae44b6f-3e90-4fce-96a0-a0bdf069ab0e:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "0ae44b6f-3e90-4fce-96a0-a0bdf069ab0e:indexpattern-datasource-layer-6f4336e8-7451-476e-89a5-fe65d93be571", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "accf3797-c215-44a4-829d-c9ff30758f7b:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "accf3797-c215-44a4-829d-c9ff30758f7b:indexpattern-datasource-layer-c5e5c6f0-5d4d-48f4-9ad4-727d5f1c0ebd", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "301b13f1-59c8-40e0-80f8-ecc1892b938d:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": 
"301b13f1-59c8-40e0-80f8-ecc1892b938d:indexpattern-datasource-layer-a64559b1-90c9-4859-9d5f-2585172bcda4", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "b8f90700-ca73-40c7-9257-8612aa86cc9f:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "b8f90700-ca73-40c7-9257-8612aa86cc9f:indexpattern-datasource-layer-da28cab9-5d08-4b0b-bbd6-2cf9952051b2", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "9bdf752f-f767-44a4-bf05-51e0a27b7bbf:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "9bdf752f-f767-44a4-bf05-51e0a27b7bbf:indexpattern-datasource-layer-87c51fc8-6c57-4d1c-a3f5-8b420f1d392c", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "ed9a7061-e640-41f3-a838-3772f86e4be4:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "ed9a7061-e640-41f3-a838-3772f86e4be4:indexpattern-datasource-layer-3f121a5b-0179-4329-a945-a3d23d83172f", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "e17f8b5f-d5de-4921-bb3a-9d3e7ef58ae4:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "e17f8b5f-d5de-4921-bb3a-9d3e7ef58ae4:indexpattern-datasource-layer-8662c82e-ca55-4ddc-81b6-2c4f9a3afbf8", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "6d788430-6b2b-4e7c-9468-36b0aebf8468:kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "1888de07-0e2f-4fc4-80e9-f3102e8b97b3:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "1888de07-0e2f-4fc4-80e9-f3102e8b97b3:indexpattern-datasource-layer-71ff1569-960a-408c-8e00-df6b68186912", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "1888de07-0e2f-4fc4-80e9-f3102e8b97b3:filter-index-pattern-0", - "type": "index-pattern" - 
}, - { - "id": "logs-*", - "name": "6080a8f0-54d7-4fae-884f-f34dbed69ea8:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "6080a8f0-54d7-4fae-884f-f34dbed69ea8:indexpattern-datasource-layer-9fe7a9cc-3417-4166-bdfc-5cdb85599981", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "55d0b7da-986b-4e98-b476-f3768233dc8f:kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/sentinel_one/1.2.2/kibana/dashboard/sentinel_one-5881f5f0-bb2c-11ec-82b7-8fcb232e9538.json b/packages/sentinel_one/1.2.2/kibana/dashboard/sentinel_one-5881f5f0-bb2c-11ec-82b7-8fcb232e9538.json deleted file mode 100755 index 2bf2cdc78c..0000000000 --- a/packages/sentinel_one/1.2.2/kibana/dashboard/sentinel_one-5881f5f0-bb2c-11ec-82b7-8fcb232e9538.json +++ /dev/null 
@@ -1,72 +0,0 @@ -{ - "attributes": { - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"sentinel_one.group\\\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"attributes\":{\"description\":\"\",\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-551abd38-5fb7-4b65-8582-5aefeb823354\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"551abd38-5fb7-4b65-8582-5aefeb823354\":{\"columnOrder\":[\"e7acea9a-d9f8-4717-bcc7-5f20c894af20\"],\"columns\":{\"e7acea9a-d9f8-4717-bcc7-5f20c894af20\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"group.id\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"sentinel_one.group\\\"\"},\"visualization\":{\"accessor\":\"e7acea9a-d9f8-4717-bcc7-5f20c894af20\",\"layerId\":\"551abd38-5fb7-4b65-8582-5aefeb823354\",\"layerType\":\"data\"}},\"title\":\"Total Number of Groups [Logs 
SentinelOne]\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{}},\"gridData\":{\"h\":13,\"i\":\"2e9c0218-0e41-4cc7-80fa-a135cd08357a\",\"w\":15,\"x\":0,\"y\":0},\"panelIndex\":\"2e9c0218-0e41-4cc7-80fa-a135cd08357a\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"description\":\"\",\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-9003983d-2897-44e8-8d69-98131f4862c0\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"9003983d-2897-44e8-8d69-98131f4862c0\":{\"columnOrder\":[\"e90d8830-87e6-44bd-b01d-05cf41281d45\",\"eea9932f-21ee-4f28-b1a7-feb8b211c125\"],\"columns\":{\"e90d8830-87e6-44bd-b01d-05cf41281d45\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Group Type\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"eea9932f-21ee-4f28-b1a7-feb8b211c125\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"sentinel_one.group.type\"},\"eea9932f-21ee-4f28-b1a7-feb8b211c125\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"group.id\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"sentinel_one.group\\\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"e90d8830-87e6-44bd-b01d-05cf41281d45\"],\"layerId\":\"9003983d-2897-44e8-8d69-98131f4862c0\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"eea9932f-21ee-4f28-b1a7-feb8b211c125\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"pie\"}},\"title\":\"Distribution of Groups by Type [Logs 
SentinelOne]\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{}},\"gridData\":{\"h\":13,\"i\":\"44491cae-8e0b-45dc-abdd-ea5d57f1f419\",\"w\":16,\"x\":15,\"y\":0},\"panelIndex\":\"44491cae-8e0b-45dc-abdd-ea5d57f1f419\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"description\":\"\",\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-75ff32d0-b457-43b3-aaed-fa3bf295c083\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"75ff32d0-b457-43b3-aaed-fa3bf295c083\":{\"columnOrder\":[\"1e289288-8b66-476a-8143-1c1f7be49110\",\"902abe3f-a4f0-46d8-bc58-955a9b578b7e\"],\"columns\":{\"1e289288-8b66-476a-8143-1c1f7be49110\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Group Name\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"902abe3f-a4f0-46d8-bc58-955a9b578b7e\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"group.name\"},\"902abe3f-a4f0-46d8-bc58-955a9b578b7e\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Agent Count\",\"operationType\":\"max\",\"scale\":\"ratio\",\"sourceField\":\"sentinel_one.group.agent.count\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"sentinel_one.group\\\"\"},\"visualization\":{\"layers\":[{\"accessors\":[\"902abe3f-a4f0-46d8-bc58-955a9b578b7e\"],\"layerId\":\"75ff32d0-b457-43b3-aaed-fa3bf295c083\",\"layerType\":\"data\",\"position\":\"top\",\"seriesType\":\"bar_stacked\",\"showGridlines\":false,\"xAccessor\":\"1e289288-8b66-476a-8143-1c1f7be49110\"}],\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"preferredSeriesType\":\"bar_stacked\",\"title\":\"Empty XY 
chart\",\"valueLabels\":\"hide\",\"yLeftExtent\":{\"mode\":\"full\"},\"yRightExtent\":{\"mode\":\"full\"}}},\"title\":\"Distribution of Groups by Agent Count [Logs SentinelOne]\",\"visualizationType\":\"lnsXY\"},\"enhancements\":{}},\"gridData\":{\"h\":13,\"i\":\"26084a13-4083-4c3e-9f81-677b4ca38ca7\",\"w\":17,\"x\":31,\"y\":0},\"panelIndex\":\"26084a13-4083-4c3e-9f81-677b4ca38ca7\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"description\":\"\",\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-1b0e558e-537e-40a9-bc0a-f8b42329c6b5\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"1b0e558e-537e-40a9-bc0a-f8b42329c6b5\":{\"columnOrder\":[\"b88243e5-5e92-47d3-b775-f0a9d71fadf6\",\"a6e675d7-f28f-4e37-9b0e-a0849fbaa6b8\"],\"columns\":{\"a6e675d7-f28f-4e37-9b0e-a0849fbaa6b8\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"group.id\"},\"b88243e5-5e92-47d3-b775-f0a9d71fadf6\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Rank\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"a6e675d7-f28f-4e37-9b0e-a0849fbaa6b8\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"sentinel_one.group.rank\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : 
\\\"sentinel_one.group\\\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"b88243e5-5e92-47d3-b775-f0a9d71fadf6\"],\"layerId\":\"1b0e558e-537e-40a9-bc0a-f8b42329c6b5\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"a6e675d7-f28f-4e37-9b0e-a0849fbaa6b8\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"pie\"}},\"title\":\"Distribution of Groups by Rank [Logs SentinelOne]\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"c4c1c721-dabf-4a99-bd53-934afe7bb4d7\",\"w\":23,\"x\":0,\"y\":13},\"panelIndex\":\"c4c1c721-dabf-4a99-bd53-934afe7bb4d7\",\"title\":\"Distribution of Groups by Rank [Logs SentinelOne]\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"description\":\"\",\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-cc8dc395-79e3-40c5-9857-d0385fcdc791\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"cc8dc395-79e3-40c5-9857-d0385fcdc791\":{\"columnOrder\":[\"ddec8617-23ff-4060-8029-5973b691cacd\",\"84fdcb1d-a681-41b1-b015-201cc40554f9\"],\"columns\":{\"84fdcb1d-a681-41b1-b015-201cc40554f9\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"group.id\"},\"ddec8617-23ff-4060-8029-5973b691cacd\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Creator 
Name\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"84fdcb1d-a681-41b1-b015-201cc40554f9\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"user.full_name\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"sentinel_one.group\\\"\"},\"visualization\":{\"columns\":[{\"columnId\":\"ddec8617-23ff-4060-8029-5973b691cacd\",\"isTransposed\":false},{\"columnId\":\"84fdcb1d-a681-41b1-b015-201cc40554f9\",\"isTransposed\":false}],\"layerId\":\"cc8dc395-79e3-40c5-9857-d0385fcdc791\",\"layerType\":\"data\"}},\"title\":\"Top 10 Creator Name [Logs SentinelOne]\",\"visualizationType\":\"lnsDatatable\"},\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"4694770f-8a83-4877-992c-1a078c45e3c6\",\"w\":25,\"x\":23,\"y\":13},\"panelIndex\":\"4694770f-8a83-4877-992c-1a078c45e3c6\",\"type\":\"lens\",\"version\":\"7.17.0\"}]", - "timeRestore": false, - "title": "[Logs SentinelOne] Groups", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "sentinel_one-5881f5f0-bb2c-11ec-82b7-8fcb232e9538", - "migrationVersion": { - "dashboard": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "2e9c0218-0e41-4cc7-80fa-a135cd08357a:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "2e9c0218-0e41-4cc7-80fa-a135cd08357a:indexpattern-datasource-layer-551abd38-5fb7-4b65-8582-5aefeb823354", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "44491cae-8e0b-45dc-abdd-ea5d57f1f419:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "44491cae-8e0b-45dc-abdd-ea5d57f1f419:indexpattern-datasource-layer-9003983d-2897-44e8-8d69-98131f4862c0", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": 
"26084a13-4083-4c3e-9f81-677b4ca38ca7:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "26084a13-4083-4c3e-9f81-677b4ca38ca7:indexpattern-datasource-layer-75ff32d0-b457-43b3-aaed-fa3bf295c083", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "c4c1c721-dabf-4a99-bd53-934afe7bb4d7:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "c4c1c721-dabf-4a99-bd53-934afe7bb4d7:indexpattern-datasource-layer-1b0e558e-537e-40a9-bc0a-f8b42329c6b5", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "4694770f-8a83-4877-992c-1a078c45e3c6:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "4694770f-8a83-4877-992c-1a078c45e3c6:indexpattern-datasource-layer-cc8dc395-79e3-40c5-9857-d0385fcdc791", - "type": "index-pattern" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/sentinel_one/1.2.2/kibana/dashboard/sentinel_one-67844880-bbb5-11ec-82b7-8fcb232e9538.json b/packages/sentinel_one/1.2.2/kibana/dashboard/sentinel_one-67844880-bbb5-11ec-82b7-8fcb232e9538.json deleted file mode 100755 index 991792e563..0000000000 --- a/packages/sentinel_one/1.2.2/kibana/dashboard/sentinel_one-67844880-bbb5-11ec-82b7-8fcb232e9538.json +++ /dev/null 
@@ -1,212 +0,0 @@ -{ - "attributes": { - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"sentinel_one.agent\\\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"attributes\":{\"description\":\"\",\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-56dc7645-caa9-462c-abbd-496b8e73ba9c\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"filter-index-pattern-0\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"56dc7645-caa9-462c-abbd-496b8e73ba9c\":{\"columnOrder\":[\"b504e88b-35dc-4481-b38b-617210c7054d\",\"123404f0-3fb4-40b8-88d0-2debd9a5ebfc\"],\"columns\":{\"123404f0-3fb4-40b8-88d0-2debd9a5ebfc\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"host.id\"},\"b504e88b-35dc-4481-b38b-617210c7054d\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Filters\",\"operationType\":\"filters\",\"params\":{\"filters\":[{\"input\":{\"language\":\"kuery\",\"query\":\"sentinel_one.agent.is_active : true \"},\"label\":\"Active Agents\"},{\"input\":{\"language\":\"kuery\",\"query\":\"sentinel_one.agent.is_active : false \"},\"label\":\"Inactive Agents\"}]},\"scale\":\"ordinal\"}},\"incompleteColumns\":{}}}}},\"filters\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"filter-index-pattern-0\",\"key\":\"sentinel_one.agent.is_active\",\"negate\":false,\"type\":\"exists\"},\"query\":{\"exists\":{\"field\":\"sentinel_one.agent.is_active\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : 
\\\"sentinel_one.agent\\\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"b504e88b-35dc-4481-b38b-617210c7054d\"],\"layerId\":\"56dc7645-caa9-462c-abbd-496b8e73ba9c\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"123404f0-3fb4-40b8-88d0-2debd9a5ebfc\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"pie\"}},\"title\":\"Distribution of Agents by Active Agents Status [Logs SentinelOne]\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"88da7d9d-b377-4455-a528-719f58c796f7\",\"w\":24,\"x\":0,\"y\":0},\"panelIndex\":\"88da7d9d-b377-4455-a528-719f58c796f7\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"description\":\"\",\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-ddc8b7d7-81b9-4d85-a686-7e723fc02c52\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"filter-index-pattern-0\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"ddc8b7d7-81b9-4d85-a686-7e723fc02c52\":{\"columnOrder\":[\"76f65f2c-80e0-41fe-a2cf-d470ec579540\",\"42960489-8884-48d3-89d4-f7e6ac04e3c8\"],\"columns\":{\"42960489-8884-48d3-89d4-f7e6ac04e3c8\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"host.id\"},\"76f65f2c-80e0-41fe-a2cf-d470ec579540\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Filters\",\"operationType\":\"filters\",\"params\":{\"filters\":[{\"input\":{\"language\":\"kuery\",\"query\":\"sentinel_one.agent.firewall_enabled : true \"},\"label\":\"Enabled\"},{\"input\":{\"language\":\"kuery\",\"query\":\"sentinel_one.agent.firewall_enabled: false 
\"},\"label\":\"Disabled\"}]},\"scale\":\"ordinal\"}},\"incompleteColumns\":{}}}}},\"filters\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"filter-index-pattern-0\",\"key\":\"sentinel_one.agent.firewall_enabled\",\"negate\":false,\"type\":\"exists\"},\"query\":{\"exists\":{\"field\":\"sentinel_one.agent.firewall_enabled\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"sentinel_one.agent\\\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"76f65f2c-80e0-41fe-a2cf-d470ec579540\"],\"layerId\":\"ddc8b7d7-81b9-4d85-a686-7e723fc02c52\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"42960489-8884-48d3-89d4-f7e6ac04e3c8\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"pie\"}},\"title\":\"Distribution of Agents by Firewall Status [Logs SentinelOne]\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"3158c9a2-f48a-42e2-ae82-e01c07a0a77b\",\"w\":24,\"x\":24,\"y\":0},\"panelIndex\":\"3158c9a2-f48a-42e2-ae82-e01c07a0a77b\",\"title\":\"Distribution of Agents with Firewall Status [Logs 
SentinelOne]\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"description\":\"\",\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-e4082dc4-e9cc-4589-aed3-bf66cdac7d34\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"e4082dc4-e9cc-4589-aed3-bf66cdac7d34\":{\"columnOrder\":[\"262773c9-227c-4f57-8bfc-530148301609\",\"14960b41-614b-4650-90d9-5feec22c00ce\"],\"columns\":{\"14960b41-614b-4650-90d9-5feec22c00ce\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"host.id\"},\"262773c9-227c-4f57-8bfc-530148301609\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Scan Status\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"14960b41-614b-4650-90d9-5feec22c00ce\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"sentinel_one.agent.scan.status\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"sentinel_one.agent\\\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"262773c9-227c-4f57-8bfc-530148301609\"],\"layerId\":\"e4082dc4-e9cc-4589-aed3-bf66cdac7d34\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"14960b41-614b-4650-90d9-5feec22c00ce\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"pie\"}},\"title\":\"Distribution of Agents by Scan Status [Logs 
SentinelOne]\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"a1308966-3dec-431c-82e3-29890ad87785\",\"w\":24,\"x\":24,\"y\":15},\"panelIndex\":\"a1308966-3dec-431c-82e3-29890ad87785\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"description\":\"\",\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-6a90d9b3-18c1-4b5d-9ba1-0a4bbf0022e3\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"6a90d9b3-18c1-4b5d-9ba1-0a4bbf0022e3\":{\"columnOrder\":[\"e8c07bab-a3f7-4cc9-96aa-4affa24dbbb2\",\"c986097b-d867-4c7f-a519-04be42d34916\"],\"columns\":{\"c986097b-d867-4c7f-a519-04be42d34916\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count \",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"host.id\"},\"e8c07bab-a3f7-4cc9-96aa-4affa24dbbb2\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Mitigation Mode\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"c986097b-d867-4c7f-a519-04be42d34916\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"sentinel_one.agent.mitigation_mode\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"sentinel_one.agent\\\"\"},\"visualization\":{\"layers\":[{\"accessors\":[\"c986097b-d867-4c7f-a519-04be42d34916\"],\"layerId\":\"6a90d9b3-18c1-4b5d-9ba1-0a4bbf0022e3\",\"layerType\":\"data\",\"position\":\"top\",\"seriesType\":\"bar_stacked\",\"showGridlines\":false,\"xAccessor\":\"e8c07bab-a3f7-4cc9-96aa-4affa24dbbb2\"}],\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"preferredSeriesType\":\"bar_stacked\",\"title\":\"Empty XY 
chart\",\"valueLabels\":\"hide\",\"yLeftExtent\":{\"mode\":\"full\"},\"yRightExtent\":{\"mode\":\"full\"}}},\"title\":\"Distribution of Agents by Mitigation Mode [Logs SentinelOne]\",\"visualizationType\":\"lnsXY\"},\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"b4b87cb0-eccc-4b59-a6bc-5aca60f1cdb8\",\"w\":24,\"x\":0,\"y\":15},\"panelIndex\":\"b4b87cb0-eccc-4b59-a6bc-5aca60f1cdb8\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"description\":\"\",\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-46e7eb74-692b-4c09-b8cd-f7817757c592\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"46e7eb74-692b-4c09-b8cd-f7817757c592\":{\"columnOrder\":[\"4394b62d-0267-4f42-9c8a-1e0f661181ca\",\"669fda39-2f89-42f4-8f3d-24ebed033e42\"],\"columns\":{\"4394b62d-0267-4f42-9c8a-1e0f661181ca\":{\"customLabel\":true,\"dataType\":\"ip\",\"isBucketed\":true,\"label\":\"Group IP\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"669fda39-2f89-42f4-8f3d-24ebed033e42\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"sentinel_one.agent.group.ip\"},\"669fda39-2f89-42f4-8f3d-24ebed033e42\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count \",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"host.id\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : 
\\\"sentinel_one.agent\\\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"4394b62d-0267-4f42-9c8a-1e0f661181ca\"],\"layerId\":\"46e7eb74-692b-4c09-b8cd-f7817757c592\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"669fda39-2f89-42f4-8f3d-24ebed033e42\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"pie\"}},\"title\":\"Distribution of Agents by Group IP [Logs SentinelOne]\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"5b220d94-4542-4e91-82a5-6fddc2d1f450\",\"w\":24,\"x\":0,\"y\":30},\"panelIndex\":\"5b220d94-4542-4e91-82a5-6fddc2d1f450\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"description\":\"\",\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-76063bf9-bddc-448f-805e-e53308972d0a\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"76063bf9-bddc-448f-805e-e53308972d0a\":{\"columnOrder\":[\"96dd816b-0e55-4e31-9e5b-11f64820a453\",\"2fb054c3-aaea-48a1-99c6-4de1dcd81881\"],\"columns\":{\"2fb054c3-aaea-48a1-99c6-4de1dcd81881\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"host.id\"},\"96dd816b-0e55-4e31-9e5b-11f64820a453\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"OS Architecture\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"2fb054c3-aaea-48a1-99c6-4de1dcd81881\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"sentinel_one.agent.os.arch\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : 
\\\"sentinel_one.agent\\\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"96dd816b-0e55-4e31-9e5b-11f64820a453\"],\"layerId\":\"76063bf9-bddc-448f-805e-e53308972d0a\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"2fb054c3-aaea-48a1-99c6-4de1dcd81881\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"pie\"}},\"title\":\"Distribution of Agents by OS Architecture [Logs SentinelOne]\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"4250d06c-8c4c-49ee-8199-3e153a355987\",\"w\":24,\"x\":24,\"y\":30},\"panelIndex\":\"4250d06c-8c4c-49ee-8199-3e153a355987\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"description\":\"\",\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-67c6e93f-d08b-4c37-b01f-0d2b29874291\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"67c6e93f-d08b-4c37-b01f-0d2b29874291\":{\"columnOrder\":[\"6e3b93ec-b364-4d1a-8cd9-eb4250561a57\",\"44eec685-7c49-4119-baf7-2547c57d857a\"],\"columns\":{\"44eec685-7c49-4119-baf7-2547c57d857a\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"host.id\"},\"6e3b93ec-b364-4d1a-8cd9-eb4250561a57\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Installer Type\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"44eec685-7c49-4119-baf7-2547c57d857a\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"sentinel_one.agent.installer_type\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : 
\\\"sentinel_one.agent\\\"\"},\"visualization\":{\"layers\":[{\"accessors\":[\"44eec685-7c49-4119-baf7-2547c57d857a\"],\"layerId\":\"67c6e93f-d08b-4c37-b01f-0d2b29874291\",\"layerType\":\"data\",\"position\":\"top\",\"seriesType\":\"bar_stacked\",\"showGridlines\":false,\"xAccessor\":\"6e3b93ec-b364-4d1a-8cd9-eb4250561a57\"}],\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"preferredSeriesType\":\"bar_stacked\",\"title\":\"Empty XY chart\",\"valueLabels\":\"hide\",\"yLeftExtent\":{\"mode\":\"full\"},\"yRightExtent\":{\"mode\":\"full\"}}},\"title\":\"Distribution of Agents by Installer Type [Logs SentinelOne]\",\"visualizationType\":\"lnsXY\"},\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"f2bbdd58-6b06-4b74-9b65-21858c9059c0\",\"w\":24,\"x\":0,\"y\":45},\"panelIndex\":\"f2bbdd58-6b06-4b74-9b65-21858c9059c0\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"description\":\"\",\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-dae671b1-cfe6-4d04-b4b6-8037b31a5fe4\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"dae671b1-cfe6-4d04-b4b6-8037b31a5fe4\":{\"columnOrder\":[\"a8c8f9a7-9950-4eb1-aef9-2e3c223c64de\",\"f951b023-b4c9-4f40-8e27-e3122b6db069\"],\"columns\":{\"a8c8f9a7-9950-4eb1-aef9-2e3c223c64de\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Machine 
Type\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"f951b023-b4c9-4f40-8e27-e3122b6db069\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"sentinel_one.agent.machine.type\"},\"f951b023-b4c9-4f40-8e27-e3122b6db069\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"host.id\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"sentinel_one.agent\\\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"a8c8f9a7-9950-4eb1-aef9-2e3c223c64de\"],\"layerId\":\"dae671b1-cfe6-4d04-b4b6-8037b31a5fe4\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"f951b023-b4c9-4f40-8e27-e3122b6db069\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"pie\"}},\"title\":\"Distribution of Agents by Machine Type [Logs 
SentinelOne]\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"595ba171-1de6-4b07-9f75-99d7b87fb828\",\"w\":24,\"x\":24,\"y\":45},\"panelIndex\":\"595ba171-1de6-4b07-9f75-99d7b87fb828\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"description\":\"\",\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-06b2ffc3-7740-4e73-807a-ea80e0747b80\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"06b2ffc3-7740-4e73-807a-ea80e0747b80\":{\"columnOrder\":[\"0c348764-2e97-4ac5-829c-cd320b30e4d4\",\"ae18bca1-5ee5-44cd-a845-4b6d5e2f9fbe\",\"28cd1c1b-ab0a-40fb-a603-a1ddc4f0157f\"],\"columns\":{\"0c348764-2e97-4ac5-829c-cd320b30e4d4\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"OS Type\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"28cd1c1b-ab0a-40fb-a603-a1ddc4f0157f\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"host.os.type\"},\"28cd1c1b-ab0a-40fb-a603-a1ddc4f0157f\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"host.id\"},\"ae18bca1-5ee5-44cd-a845-4b6d5e2f9fbe\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"OS Name\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"28cd1c1b-ab0a-40fb-a603-a1ddc4f0157f\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"host.os.name\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : 
\\\"sentinel_one.agent\\\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"ae18bca1-5ee5-44cd-a845-4b6d5e2f9fbe\",\"0c348764-2e97-4ac5-829c-cd320b30e4d4\",\"ae18bca1-5ee5-44cd-a845-4b6d5e2f9fbe\"],\"layerId\":\"06b2ffc3-7740-4e73-807a-ea80e0747b80\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"28cd1c1b-ab0a-40fb-a603-a1ddc4f0157f\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"pie\"}},\"title\":\"Distribution of Agents by OS Name, OS Type [Logs SentinelOne]\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"e1812890-1e55-4323-8016-fc7340d95b2f\",\"w\":24,\"x\":0,\"y\":60},\"panelIndex\":\"e1812890-1e55-4323-8016-fc7340d95b2f\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"description\":\"\",\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-456e2023-abf7-40b7-bbc4-35020ef2edd5\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"filter-index-pattern-0\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"456e2023-abf7-40b7-bbc4-35020ef2edd5\":{\"columnOrder\":[\"13bfcde7-20c3-40f4-a865-9c8db705dde6\",\"f8a1e135-5ef5-4e17-8660-369ab0230dd1\"],\"columns\":{\"13bfcde7-20c3-40f4-a865-9c8db705dde6\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Filters\",\"operationType\":\"filters\",\"params\":{\"filters\":[{\"input\":{\"language\":\"kuery\",\"query\":\"sentinel_one.agent.infected : true \"},\"label\":\"Infected Agents\"},{\"input\":{\"language\":\"kuery\",\"query\":\"sentinel_one.agent.infected : false \"},\"label\":\"Non-Infected 
Agents\"}]},\"scale\":\"ordinal\"},\"f8a1e135-5ef5-4e17-8660-369ab0230dd1\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"host.id\"}},\"incompleteColumns\":{}}}}},\"filters\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"filter-index-pattern-0\",\"key\":\"sentinel_one.agent.infected\",\"negate\":false,\"type\":\"exists\"},\"query\":{\"exists\":{\"field\":\"sentinel_one.agent.infected\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"sentinel_one.agent\\\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"13bfcde7-20c3-40f4-a865-9c8db705dde6\"],\"layerId\":\"456e2023-abf7-40b7-bbc4-35020ef2edd5\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"f8a1e135-5ef5-4e17-8660-369ab0230dd1\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"pie\"}},\"title\":\"Distribution of Agents by Infected Agents Status [Logs SentinelOne]\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"445f92f7-7a5f-4236-a8ac-df3087a536fe\",\"w\":24,\"x\":24,\"y\":60},\"panelIndex\":\"445f92f7-7a5f-4236-a8ac-df3087a536fe\",\"title\":\"Distribution of Agents by Infected Agents [Logs 
SentinelOne]\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"description\":\"\",\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-94b7fb49-4faf-4114-baa6-2c621257fd25\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"94b7fb49-4faf-4114-baa6-2c621257fd25\":{\"columnOrder\":[\"14e97f3a-9df8-494f-9190-6ff104f0e040\",\"ab4aa055-75f5-45bc-8d34-883bc47f771a\"],\"columns\":{\"14e97f3a-9df8-494f-9190-6ff104f0e040\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Site Name\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"ab4aa055-75f5-45bc-8d34-883bc47f771a\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"sentinel_one.agent.site.name\"},\"ab4aa055-75f5-45bc-8d34-883bc47f771a\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"host.id\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"sentinel_one.agent\\\"\"},\"visualization\":{\"columns\":[{\"columnId\":\"14e97f3a-9df8-494f-9190-6ff104f0e040\",\"isTransposed\":false},{\"columnId\":\"ab4aa055-75f5-45bc-8d34-883bc47f771a\",\"isTransposed\":false}],\"layerId\":\"94b7fb49-4faf-4114-baa6-2c621257fd25\",\"layerType\":\"data\"}},\"title\":\"Top 10 Site Name [Logs 
SentinelOne]\",\"visualizationType\":\"lnsDatatable\"},\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"fce4e5f5-f30f-473f-8bbf-9523a84a3f96\",\"w\":24,\"x\":0,\"y\":75},\"panelIndex\":\"fce4e5f5-f30f-473f-8bbf-9523a84a3f96\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"description\":\"\",\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-9767cd3d-c1a5-443e-9e79-64f2be92d73e\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"filter-index-pattern-0\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"9767cd3d-c1a5-443e-9e79-64f2be92d73e\":{\"columnOrder\":[\"91f47b2b-9e63-4958-9aeb-5d46537caaaa\",\"f35cbfab-8158-4a67-b1ea-b4142fe750b4\"],\"columns\":{\"91f47b2b-9e63-4958-9aeb-5d46537caaaa\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Filters\",\"operationType\":\"filters\",\"params\":{\"filters\":[{\"input\":{\"language\":\"kuery\",\"query\":\"sentinel_one.agent.is_up_to_date : true \"},\"label\":\"Up To Date Agents\"},{\"input\":{\"language\":\"kuery\",\"query\":\"sentinel_one.agent.is_up_to_date : false \"},\"label\":\"Out Dated Agents\"}]},\"scale\":\"ordinal\"},\"f35cbfab-8158-4a67-b1ea-b4142fe750b4\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"host.id\"}},\"incompleteColumns\":{}}}}},\"filters\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"filter-index-pattern-0\",\"key\":\"sentinel_one.agent.is_up_to_date\",\"negate\":false,\"type\":\"exists\"},\"query\":{\"exists\":{\"field\":\"sentinel_one.agent.is_up_to_date\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : 
\\\"sentinel_one.agent\\\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"91f47b2b-9e63-4958-9aeb-5d46537caaaa\"],\"layerId\":\"9767cd3d-c1a5-443e-9e79-64f2be92d73e\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"f35cbfab-8158-4a67-b1ea-b4142fe750b4\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"pie\"}},\"title\":\"Distribution of Agents by Up To Date Agents Status [Logs SentinelOne]\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"8fa0d643-4d93-45a8-a9ea-57f6e1cff5a5\",\"w\":24,\"x\":24,\"y\":75},\"panelIndex\":\"8fa0d643-4d93-45a8-a9ea-57f6e1cff5a5\",\"title\":\"Distribution of Agents by Up To Date Agents [Logs SentinelOne]\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"description\":\"\",\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-469a2da2-7e40-4e47-b882-b553ebc14bf2\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"469a2da2-7e40-4e47-b882-b553ebc14bf2\":{\"columnOrder\":[\"f9e8f30e-66a3-46c2-bf37-5a8a0be26ce3\",\"699767aa-b223-466d-b751-833a7921e49a\"],\"columns\":{\"699767aa-b223-466d-b751-833a7921e49a\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Active Threats\",\"operationType\":\"median\",\"scale\":\"ratio\",\"sourceField\":\"sentinel_one.agent.active_threats_count\"},\"f9e8f30e-66a3-46c2-bf37-5a8a0be26ce3\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Computer 
Name\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"699767aa-b223-466d-b751-833a7921e49a\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"host.name\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"sentinel_one.agent\\\"\"},\"visualization\":{\"layers\":[{\"accessors\":[\"699767aa-b223-466d-b751-833a7921e49a\"],\"layerId\":\"469a2da2-7e40-4e47-b882-b553ebc14bf2\",\"layerType\":\"data\",\"position\":\"top\",\"seriesType\":\"bar_stacked\",\"showGridlines\":false,\"xAccessor\":\"f9e8f30e-66a3-46c2-bf37-5a8a0be26ce3\"}],\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"preferredSeriesType\":\"bar_stacked\",\"title\":\"Empty XY chart\",\"valueLabels\":\"hide\",\"yLeftExtent\":{\"mode\":\"full\"},\"yRightExtent\":{\"mode\":\"full\"}}},\"title\":\"Distribution of Computer Name by Active Threats [Logs 
SentinelOne]\",\"visualizationType\":\"lnsXY\"},\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"a6230b4c-2b1a-4db7-96f5-a8b767794e6a\",\"w\":24,\"x\":0,\"y\":90},\"panelIndex\":\"a6230b4c-2b1a-4db7-96f5-a8b767794e6a\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"description\":\"\",\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-65fd11fd-a0e7-4507-ad95-82593ace9d23\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"filter-index-pattern-0\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"65fd11fd-a0e7-4507-ad95-82593ace9d23\":{\"columnOrder\":[\"dbe1fa00-5bae-49e9-9f6a-82a367d0f73d\",\"337ab9f4-ba31-4b10-97c2-37a90555ebbf\"],\"columns\":{\"337ab9f4-ba31-4b10-97c2-37a90555ebbf\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"host.id\"},\"dbe1fa00-5bae-49e9-9f6a-82a367d0f73d\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Filters\",\"operationType\":\"filters\",\"params\":{\"filters\":[{\"input\":{\"language\":\"kuery\",\"query\":\"sentinel_one.agent.is_pending_uninstall : true \"},\"label\":\"Pending Uninstall\"},{\"input\":{\"language\":\"kuery\",\"query\":\"sentinel_one.agent.is_pending_uninstall: false \"},\"label\":\"Not Pending Uninstall\"}]},\"scale\":\"ordinal\"}},\"incompleteColumns\":{}}}}},\"filters\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"filter-index-pattern-0\",\"key\":\"sentinel_one.agent.is_pending_uninstall\",\"negate\":false,\"type\":\"exists\"},\"query\":{\"exists\":{\"field\":\"sentinel_one.agent.is_pending_uninstall\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : 
\\\"sentinel_one.agent\\\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"dbe1fa00-5bae-49e9-9f6a-82a367d0f73d\"],\"layerId\":\"65fd11fd-a0e7-4507-ad95-82593ace9d23\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"337ab9f4-ba31-4b10-97c2-37a90555ebbf\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"pie\"}},\"title\":\"Distribution of Agents by Pending Uninstall Status [Logs SentinelOne]\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"28169c5e-d7e5-4b2d-a75c-78c6b477261f\",\"w\":24,\"x\":24,\"y\":90},\"panelIndex\":\"28169c5e-d7e5-4b2d-a75c-78c6b477261f\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"description\":\"\",\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-15c36245-dfc6-41bc-aca4-abe1dd16e8e5\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"15c36245-dfc6-41bc-aca4-abe1dd16e8e5\":{\"columnOrder\":[\"34e6ebff-5e97-4117-ae55-0ac219a091ae\",\"b479de26-3fab-44c4-9f5c-ff493b2a7279\"],\"columns\":{\"34e6ebff-5e97-4117-ae55-0ac219a091ae\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Application Vulnerability 
Status\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"b479de26-3fab-44c4-9f5c-ff493b2a7279\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"sentinel_one.agent.apps_vulnerability_status\"},\"b479de26-3fab-44c4-9f5c-ff493b2a7279\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"host.id\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"sentinel_one.agent\\\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"34e6ebff-5e97-4117-ae55-0ac219a091ae\"],\"layerId\":\"15c36245-dfc6-41bc-aca4-abe1dd16e8e5\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"b479de26-3fab-44c4-9f5c-ff493b2a7279\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"pie\"}},\"title\":\"Distribution of Agents by Application Vulnerability Status [Logs 
SentinelOne]\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"87c066da-976f-4df5-8ecf-a8b50b984eed\",\"w\":24,\"x\":0,\"y\":105},\"panelIndex\":\"87c066da-976f-4df5-8ecf-a8b50b984eed\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"description\":\"\",\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-1bc53fbf-f363-4273-9153-0e88fe027780\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"filter-index-pattern-0\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"1bc53fbf-f363-4273-9153-0e88fe027780\":{\"columnOrder\":[\"acf8b38d-83f6-4585-87d3-789ccc365528\",\"7ddca434-c6b4-4f23-983f-fa65333fd84a\"],\"columns\":{\"7ddca434-c6b4-4f23-983f-fa65333fd84a\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"host.id\"},\"acf8b38d-83f6-4585-87d3-789ccc365528\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Filters\",\"operationType\":\"filters\",\"params\":{\"filters\":[{\"input\":{\"language\":\"kuery\",\"query\":\"sentinel_one.agent.is_uninstalled : true \"},\"label\":\"Uninstalled Agents\"},{\"input\":{\"language\":\"kuery\",\"query\":\"sentinel_one.agent.is_uninstalled: false \"},\"label\":\"Installed Agents\"}]},\"scale\":\"ordinal\"}},\"incompleteColumns\":{}}}}},\"filters\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"filter-index-pattern-0\",\"key\":\"sentinel_one.agent.is_uninstalled\",\"negate\":false,\"type\":\"exists\"},\"query\":{\"exists\":{\"field\":\"sentinel_one.agent.is_uninstalled\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : 
\\\"sentinel_one.agent\\\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"acf8b38d-83f6-4585-87d3-789ccc365528\"],\"layerId\":\"1bc53fbf-f363-4273-9153-0e88fe027780\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"7ddca434-c6b4-4f23-983f-fa65333fd84a\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"pie\"}},\"title\":\"Percentage of Uninstalled Agents [Logs SentinelOne]\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"e62614cf-e513-40e5-aea7-6abbacf4e73b\",\"w\":24,\"x\":24,\"y\":105},\"panelIndex\":\"e62614cf-e513-40e5-aea7-6abbacf4e73b\",\"type\":\"lens\",\"version\":\"7.17.0\"}]", - "timeRestore": false, - "title": "[Logs SentinelOne] Agents", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "sentinel_one-67844880-bbb5-11ec-82b7-8fcb232e9538", - "migrationVersion": { - "dashboard": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "88da7d9d-b377-4455-a528-719f58c796f7:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "88da7d9d-b377-4455-a528-719f58c796f7:indexpattern-datasource-layer-56dc7645-caa9-462c-abbd-496b8e73ba9c", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "88da7d9d-b377-4455-a528-719f58c796f7:filter-index-pattern-0", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "3158c9a2-f48a-42e2-ae82-e01c07a0a77b:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "3158c9a2-f48a-42e2-ae82-e01c07a0a77b:indexpattern-datasource-layer-ddc8b7d7-81b9-4d85-a686-7e723fc02c52", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "3158c9a2-f48a-42e2-ae82-e01c07a0a77b:filter-index-pattern-0", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "a1308966-3dec-431c-82e3-29890ad87785:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - 
"id": "logs-*", - "name": "a1308966-3dec-431c-82e3-29890ad87785:indexpattern-datasource-layer-e4082dc4-e9cc-4589-aed3-bf66cdac7d34", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "b4b87cb0-eccc-4b59-a6bc-5aca60f1cdb8:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "b4b87cb0-eccc-4b59-a6bc-5aca60f1cdb8:indexpattern-datasource-layer-6a90d9b3-18c1-4b5d-9ba1-0a4bbf0022e3", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "5b220d94-4542-4e91-82a5-6fddc2d1f450:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "5b220d94-4542-4e91-82a5-6fddc2d1f450:indexpattern-datasource-layer-46e7eb74-692b-4c09-b8cd-f7817757c592", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "4250d06c-8c4c-49ee-8199-3e153a355987:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "4250d06c-8c4c-49ee-8199-3e153a355987:indexpattern-datasource-layer-76063bf9-bddc-448f-805e-e53308972d0a", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "f2bbdd58-6b06-4b74-9b65-21858c9059c0:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "f2bbdd58-6b06-4b74-9b65-21858c9059c0:indexpattern-datasource-layer-67c6e93f-d08b-4c37-b01f-0d2b29874291", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "595ba171-1de6-4b07-9f75-99d7b87fb828:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "595ba171-1de6-4b07-9f75-99d7b87fb828:indexpattern-datasource-layer-dae671b1-cfe6-4d04-b4b6-8037b31a5fe4", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "e1812890-1e55-4323-8016-fc7340d95b2f:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": 
"e1812890-1e55-4323-8016-fc7340d95b2f:indexpattern-datasource-layer-06b2ffc3-7740-4e73-807a-ea80e0747b80", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "445f92f7-7a5f-4236-a8ac-df3087a536fe:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "445f92f7-7a5f-4236-a8ac-df3087a536fe:indexpattern-datasource-layer-456e2023-abf7-40b7-bbc4-35020ef2edd5", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "445f92f7-7a5f-4236-a8ac-df3087a536fe:filter-index-pattern-0", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "fce4e5f5-f30f-473f-8bbf-9523a84a3f96:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "fce4e5f5-f30f-473f-8bbf-9523a84a3f96:indexpattern-datasource-layer-94b7fb49-4faf-4114-baa6-2c621257fd25", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "8fa0d643-4d93-45a8-a9ea-57f6e1cff5a5:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "8fa0d643-4d93-45a8-a9ea-57f6e1cff5a5:indexpattern-datasource-layer-9767cd3d-c1a5-443e-9e79-64f2be92d73e", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "8fa0d643-4d93-45a8-a9ea-57f6e1cff5a5:filter-index-pattern-0", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "a6230b4c-2b1a-4db7-96f5-a8b767794e6a:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "a6230b4c-2b1a-4db7-96f5-a8b767794e6a:indexpattern-datasource-layer-469a2da2-7e40-4e47-b882-b553ebc14bf2", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "28169c5e-d7e5-4b2d-a75c-78c6b477261f:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "28169c5e-d7e5-4b2d-a75c-78c6b477261f:indexpattern-datasource-layer-65fd11fd-a0e7-4507-ad95-82593ace9d23", - "type": "index-pattern" - }, - { - "id": 
"logs-*", - "name": "28169c5e-d7e5-4b2d-a75c-78c6b477261f:filter-index-pattern-0", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "87c066da-976f-4df5-8ecf-a8b50b984eed:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "87c066da-976f-4df5-8ecf-a8b50b984eed:indexpattern-datasource-layer-15c36245-dfc6-41bc-aca4-abe1dd16e8e5", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "e62614cf-e513-40e5-aea7-6abbacf4e73b:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "e62614cf-e513-40e5-aea7-6abbacf4e73b:indexpattern-datasource-layer-1bc53fbf-f363-4273-9153-0e88fe027780", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "e62614cf-e513-40e5-aea7-6abbacf4e73b:filter-index-pattern-0", - "type": "index-pattern" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/sentinel_one/1.2.2/kibana/dashboard/sentinel_one-899f2630-bb27-11ec-82b7-8fcb232e9538.json b/packages/sentinel_one/1.2.2/kibana/dashboard/sentinel_one-899f2630-bb27-11ec-82b7-8fcb232e9538.json deleted file mode 100755 index a1b85204b6..0000000000 --- a/packages/sentinel_one/1.2.2/kibana/dashboard/sentinel_one-899f2630-bb27-11ec-82b7-8fcb232e9538.json +++ /dev/null 
@@ -1,97 +0,0 @@ -{ - "attributes": { - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"sentinel_one.activity\\\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"attributes\":{\"description\":\"\",\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-3aa4f16e-85bd-466a-b665-445b6d5de2cd\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"3aa4f16e-85bd-466a-b665-445b6d5de2cd\":{\"columnOrder\":[\"b9e2330d-e198-4126-a3b0-77e64079e984\"],\"columns\":{\"b9e2330d-e198-4126-a3b0-77e64079e984\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"sentinel_one.activity\\\"\"},\"visualization\":{\"accessor\":\"b9e2330d-e198-4126-a3b0-77e64079e984\",\"layerId\":\"3aa4f16e-85bd-466a-b665-445b6d5de2cd\",\"layerType\":\"data\"}},\"title\":\"Total Number of Activities [Logs 
SentinelOne]\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{}},\"gridData\":{\"h\":12,\"i\":\"6b1d0060-0c72-441e-9901-855d5ee70a67\",\"w\":16,\"x\":0,\"y\":0},\"panelIndex\":\"6b1d0060-0c72-441e-9901-855d5ee70a67\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"description\":\"\",\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-c1284ad1-7648-410f-b78f-78a997f797cd\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"c1284ad1-7648-410f-b78f-78a997f797cd\":{\"columnOrder\":[\"328306c1-4f54-43a4-b22b-1a0d5d692b56\",\"33e68f71-0393-4fc3-8560-b1ed069c6aff\"],\"columns\":{\"328306c1-4f54-43a4-b22b-1a0d5d692b56\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"User ID\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"33e68f71-0393-4fc3-8560-b1ed069c6aff\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"user.id\"},\"33e68f71-0393-4fc3-8560-b1ed069c6aff\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"sentinel_one.activity\\\"\"},\"visualization\":{\"columns\":[{\"columnId\":\"328306c1-4f54-43a4-b22b-1a0d5d692b56\",\"isTransposed\":false},{\"columnId\":\"33e68f71-0393-4fc3-8560-b1ed069c6aff\",\"isTransposed\":false}],\"layerId\":\"c1284ad1-7648-410f-b78f-78a997f797cd\",\"layerType\":\"data\"}},\"title\":\"Top 10 User ID [Logs 
SentinelOne]\",\"visualizationType\":\"lnsDatatable\"},\"enhancements\":{}},\"gridData\":{\"h\":12,\"i\":\"fe58dc4e-28bd-4efc-9995-4431b0128e73\",\"w\":16,\"x\":16,\"y\":0},\"panelIndex\":\"fe58dc4e-28bd-4efc-9995-4431b0128e73\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"description\":\"\",\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-c68f6ca1-bcfd-462e-8462-6c41882faa91\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"c68f6ca1-bcfd-462e-8462-6c41882faa91\":{\"columnOrder\":[\"20baeaa0-d2a6-4fd1-94b2-e1b9face320d\",\"ad264914-7ee8-4563-9165-5c2f2d0cbdde\"],\"columns\":{\"20baeaa0-d2a6-4fd1-94b2-e1b9face320d\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Agent ID\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"ad264914-7ee8-4563-9165-5c2f2d0cbdde\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"sentinel_one.activity.agent.id\"},\"ad264914-7ee8-4563-9165-5c2f2d0cbdde\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"sentinel_one.activity\\\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"20baeaa0-d2a6-4fd1-94b2-e1b9face320d\"],\"layerId\":\"c68f6ca1-bcfd-462e-8462-6c41882faa91\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"ad264914-7ee8-4563-9165-5c2f2d0cbdde\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"pie\"}},\"title\":\"Distribution of Activities by Agent ID [Logs 
SentinelOne]]\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{}},\"gridData\":{\"h\":12,\"i\":\"e9f9f5be-1784-4930-b656-b41e8baf100b\",\"w\":16,\"x\":32,\"y\":0},\"panelIndex\":\"e9f9f5be-1784-4930-b656-b41e8baf100b\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"description\":\"\",\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-286fe5cf-c73d-4edf-9e11-04e266706ac0\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"286fe5cf-c73d-4edf-9e11-04e266706ac0\":{\"columnOrder\":[\"0c47280a-f6fa-4360-ab66-d64449fb9926\",\"06382207-6085-4738-8cd7-5bc411702e69\"],\"columns\":{\"06382207-6085-4738-8cd7-5bc411702e69\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"0c47280a-f6fa-4360-ab66-d64449fb9926\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Account Name\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"06382207-6085-4738-8cd7-5bc411702e69\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"sentinel_one.activity.account.name\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"sentinel_one.activity\\\"\"},\"visualization\":{\"columns\":[{\"columnId\":\"0c47280a-f6fa-4360-ab66-d64449fb9926\",\"isTransposed\":false},{\"columnId\":\"06382207-6085-4738-8cd7-5bc411702e69\",\"isTransposed\":false}],\"layerId\":\"286fe5cf-c73d-4edf-9e11-04e266706ac0\",\"layerType\":\"data\"}},\"title\":\"Top 10 Account Name [Logs 
SentinelOne]\",\"visualizationType\":\"lnsDatatable\"},\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"822b1071-df2f-43bd-84a8-da1bcdd97528\",\"w\":24,\"x\":0,\"y\":12},\"panelIndex\":\"822b1071-df2f-43bd-84a8-da1bcdd97528\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"description\":\"\",\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-3398cd0c-0707-4e86-8138-7823fd3fe3ad\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"3398cd0c-0707-4e86-8138-7823fd3fe3ad\":{\"columnOrder\":[\"b87b3729-1100-4fe2-82a0-fcc4b5b65999\",\"b06e82de-dde9-4eae-a13d-4c4702f60694\"],\"columns\":{\"b06e82de-dde9-4eae-a13d-4c4702f60694\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"b87b3729-1100-4fe2-82a0-fcc4b5b65999\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"OS Family\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"b06e82de-dde9-4eae-a13d-4c4702f60694\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"os.family\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"sentinel_one.activity\\\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"b87b3729-1100-4fe2-82a0-fcc4b5b65999\"],\"layerId\":\"3398cd0c-0707-4e86-8138-7823fd3fe3ad\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"b06e82de-dde9-4eae-a13d-4c4702f60694\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"pie\"}},\"title\":\"Distribution of Activities by OS Family [Logs 
SentinelOne]\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"96472e81-2362-46b7-9a78-ced057e7f22b\",\"w\":24,\"x\":24,\"y\":12},\"panelIndex\":\"96472e81-2362-46b7-9a78-ced057e7f22b\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"description\":\"\",\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-27449a92-7952-4cb5-aec7-c18c8110f077\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"filter-index-pattern-0\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"27449a92-7952-4cb5-aec7-c18c8110f077\":{\"columnOrder\":[\"cd851cfb-18ee-4ba6-bf2b-61041da779c1\",\"c7d31b39-34dd-4c74-a4a9-bb34d381ff43\",\"152f8820-ce3e-4d27-a8a6-a96858d54954\"],\"columns\":{\"152f8820-ce3e-4d27-a8a6-a96858d54954\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"c7d31b39-34dd-4c74-a4a9-bb34d381ff43\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Computer Name\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"152f8820-ce3e-4d27-a8a6-a96858d54954\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"host.name\"},\"cd851cfb-18ee-4ba6-bf2b-61041da779c1\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Primary 
Description\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"152f8820-ce3e-4d27-a8a6-a96858d54954\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"sentinel_one.activity.description.primary\"}},\"incompleteColumns\":{}}}}},\"filters\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"filter-index-pattern-0\",\"key\":\"host.name\",\"negate\":false,\"type\":\"exists\"},\"query\":{\"exists\":{\"field\":\"host.name\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"sentinel_one.activity\\\"\"},\"visualization\":{\"columns\":[{\"columnId\":\"cd851cfb-18ee-4ba6-bf2b-61041da779c1\",\"isTransposed\":false},{\"columnId\":\"152f8820-ce3e-4d27-a8a6-a96858d54954\",\"isTransposed\":false},{\"columnId\":\"c7d31b39-34dd-4c74-a4a9-bb34d381ff43\",\"isTransposed\":false}],\"layerId\":\"27449a92-7952-4cb5-aec7-c18c8110f077\",\"layerType\":\"data\"}},\"title\":\"Top 10 Primary Description by Computer Name [Logs SentinelOne]\",\"visualizationType\":\"lnsDatatable\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"6776b675-6e78-4293-9419-abb2052779a9\",\"w\":24,\"x\":24,\"y\":27},\"panelIndex\":\"6776b675-6e78-4293-9419-abb2052779a9\",\"title\":\"Top 10 Primary Description by Computer Name [Logs 
SentinelOne]\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"description\":\"\",\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-5abe3706-203c-48d8-afb0-96e3b47b163e\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"5abe3706-203c-48d8-afb0-96e3b47b163e\":{\"columnOrder\":[\"bfb48360-d985-485c-8a3f-92e348223b55\",\"b56fdd4c-8aa5-4bee-822c-f46c1a7ff5af\"],\"columns\":{\"b56fdd4c-8aa5-4bee-822c-f46c1a7ff5af\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"bfb48360-d985-485c-8a3f-92e348223b55\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Computer Name\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"b56fdd4c-8aa5-4bee-822c-f46c1a7ff5af\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"host.name\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"sentinel_one.activity\\\"\"},\"visualization\":{\"columns\":[{\"columnId\":\"bfb48360-d985-485c-8a3f-92e348223b55\",\"isTransposed\":false},{\"columnId\":\"b56fdd4c-8aa5-4bee-822c-f46c1a7ff5af\",\"isTransposed\":false}],\"layerId\":\"5abe3706-203c-48d8-afb0-96e3b47b163e\",\"layerType\":\"data\"}},\"title\":\"Top 10 Activities Count by Computer Name [Logs SentinelOne]\",\"visualizationType\":\"lnsDatatable\"},\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"60e34164-f433-4c23-bfa1-a84269e385dc\",\"w\":24,\"x\":0,\"y\":27},\"panelIndex\":\"60e34164-f433-4c23-bfa1-a84269e385dc\",\"type\":\"lens\",\"version\":\"7.17.0\"}]", - "timeRestore": false, - "title": "[Logs SentinelOne] 
Activities", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "sentinel_one-899f2630-bb27-11ec-82b7-8fcb232e9538", - "migrationVersion": { - "dashboard": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "6b1d0060-0c72-441e-9901-855d5ee70a67:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "6b1d0060-0c72-441e-9901-855d5ee70a67:indexpattern-datasource-layer-3aa4f16e-85bd-466a-b665-445b6d5de2cd", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "fe58dc4e-28bd-4efc-9995-4431b0128e73:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "fe58dc4e-28bd-4efc-9995-4431b0128e73:indexpattern-datasource-layer-c1284ad1-7648-410f-b78f-78a997f797cd", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "e9f9f5be-1784-4930-b656-b41e8baf100b:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "e9f9f5be-1784-4930-b656-b41e8baf100b:indexpattern-datasource-layer-c68f6ca1-bcfd-462e-8462-6c41882faa91", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "822b1071-df2f-43bd-84a8-da1bcdd97528:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "822b1071-df2f-43bd-84a8-da1bcdd97528:indexpattern-datasource-layer-286fe5cf-c73d-4edf-9e11-04e266706ac0", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "96472e81-2362-46b7-9a78-ced057e7f22b:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "96472e81-2362-46b7-9a78-ced057e7f22b:indexpattern-datasource-layer-3398cd0c-0707-4e86-8138-7823fd3fe3ad", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "6776b675-6e78-4293-9419-abb2052779a9:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": 
"6776b675-6e78-4293-9419-abb2052779a9:indexpattern-datasource-layer-27449a92-7952-4cb5-aec7-c18c8110f077", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "6776b675-6e78-4293-9419-abb2052779a9:filter-index-pattern-0", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "60e34164-f433-4c23-bfa1-a84269e385dc:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "60e34164-f433-4c23-bfa1-a84269e385dc:indexpattern-datasource-layer-5abe3706-203c-48d8-afb0-96e3b47b163e", - "type": "index-pattern" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/sentinel_one/1.2.2/kibana/dashboard/sentinel_one-bcf1f680-bba3-11ec-82b7-8fcb232e9538.json b/packages/sentinel_one/1.2.2/kibana/dashboard/sentinel_one-bcf1f680-bba3-11ec-82b7-8fcb232e9538.json deleted file mode 100755 index cb7b394cf3..0000000000 --- a/packages/sentinel_one/1.2.2/kibana/dashboard/sentinel_one-bcf1f680-bba3-11ec-82b7-8fcb232e9538.json +++ /dev/null 
@@ -1,117 +0,0 @@ -{ - "attributes": { - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"sentinel_one.alert\\\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":17,\"i\":\"1a5f3a94-99e7-4ad0-adec-e58382e9b5de\",\"w\":48,\"x\":0,\"y\":57},\"panelIndex\":\"1a5f3a94-99e7-4ad0-adec-e58382e9b5de\",\"panelRefName\":\"panel_1a5f3a94-99e7-4ad0-adec-e58382e9b5de\",\"type\":\"search\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"description\":\"\",\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-a70c9f24-f23c-453b-8c96-f1e710d919fc\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"a70c9f24-f23c-453b-8c96-f1e710d919fc\":{\"columnOrder\":[\"3da4d948-d5f9-414d-af6e-ea897044f260\"],\"columns\":{\"3da4d948-d5f9-414d-af6e-ea897044f260\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"sentinel_one.alert\\\"\"},\"visualization\":{\"accessor\":\"3da4d948-d5f9-414d-af6e-ea897044f260\",\"layerId\":\"a70c9f24-f23c-453b-8c96-f1e710d919fc\",\"layerType\":\"data\"}},\"title\":\"Total Number of Alerts [Logs 
SentinelOne]\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{}},\"gridData\":{\"h\":12,\"i\":\"b1454cbc-86ff-4612-9129-bc0b2b710079\",\"w\":11,\"x\":0,\"y\":0},\"panelIndex\":\"b1454cbc-86ff-4612-9129-bc0b2b710079\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"description\":\"\",\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-b50e4935-fe9a-460a-ab6d-43dcb1da50cb\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"b50e4935-fe9a-460a-ab6d-43dcb1da50cb\":{\"columnOrder\":[\"270e4c10-e504-46fa-be0a-05759a516322\",\"de45442f-1e4f-4b15-acc9-abc576928301\"],\"columns\":{\"270e4c10-e504-46fa-be0a-05759a516322\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"OS Family\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"de45442f-1e4f-4b15-acc9-abc576928301\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"host.os.family\"},\"de45442f-1e4f-4b15-acc9-abc576928301\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"sentinel_one.alert\\\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"270e4c10-e504-46fa-be0a-05759a516322\"],\"layerId\":\"b50e4935-fe9a-460a-ab6d-43dcb1da50cb\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"de45442f-1e4f-4b15-acc9-abc576928301\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"pie\"}},\"title\":\"Distribution of Alerts by OS Family [Logs 
SentinelOne]\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{}},\"gridData\":{\"h\":12,\"i\":\"02d8b05a-a909-43e8-bab4-41c424e0e889\",\"w\":19,\"x\":11,\"y\":0},\"panelIndex\":\"02d8b05a-a909-43e8-bab4-41c424e0e889\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"description\":\"\",\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-da42b88e-21d2-434f-9bbc-a8386239736f\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"da42b88e-21d2-434f-9bbc-a8386239736f\":{\"columnOrder\":[\"20818763-4451-42db-bcfd-f17df146a699\",\"dafcda2b-19bc-4796-beca-bfe8a90aa089\"],\"columns\":{\"20818763-4451-42db-bcfd-f17df146a699\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Agent Version\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"dafcda2b-19bc-4796-beca-bfe8a90aa089\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"observer.version\"},\"dafcda2b-19bc-4796-beca-bfe8a90aa089\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"sentinel_one.alert\\\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"20818763-4451-42db-bcfd-f17df146a699\"],\"layerId\":\"da42b88e-21d2-434f-9bbc-a8386239736f\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"dafcda2b-19bc-4796-beca-bfe8a90aa089\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"pie\"}},\"title\":\"Distribution of Alerts by Agent Version [Logs 
SentinelOne]\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":12,\"i\":\"869821d9-6b7b-4b0a-be75-476ec72548c9\",\"w\":18,\"x\":30,\"y\":0},\"panelIndex\":\"869821d9-6b7b-4b0a-be75-476ec72548c9\",\"title\":\"Distribution of Alerts by Agent Version [Logs SentinelOne]\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"description\":\"\",\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-bf67982d-968e-4dfc-9e1e-378fe14caa5a\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"bf67982d-968e-4dfc-9e1e-378fe14caa5a\":{\"columnOrder\":[\"6bcb2e67-6f42-48ee-ae55-06508280e8b9\",\"82538ec1-3110-4936-84f3-4894a3fbd634\"],\"columns\":{\"6bcb2e67-6f42-48ee-ae55-06508280e8b9\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Treat As Threat\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"82538ec1-3110-4936-84f3-4894a3fbd634\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"sentinel_one.alert.rule.treat_as_threat\"},\"82538ec1-3110-4936-84f3-4894a3fbd634\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : 
\\\"sentinel_one.alert\\\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"6bcb2e67-6f42-48ee-ae55-06508280e8b9\"],\"layerId\":\"bf67982d-968e-4dfc-9e1e-378fe14caa5a\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"82538ec1-3110-4936-84f3-4894a3fbd634\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"pie\"}},\"title\":\"Distribution of Alerts by Treat As Threat [Logs SentinelOne]\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"781400e7-5d84-4316-a890-0f92323bbfa4\",\"w\":24,\"x\":0,\"y\":12},\"panelIndex\":\"781400e7-5d84-4316-a890-0f92323bbfa4\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"description\":\"\",\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-12bb8402-74e9-4f83-96db-18e874c28661\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"12bb8402-74e9-4f83-96db-18e874c28661\":{\"columnOrder\":[\"99d34625-e9dc-41a0-9bec-3076d907137c\",\"580be51c-ada9-456e-b4c6-af616ade4a31\"],\"columns\":{\"580be51c-ada9-456e-b4c6-af616ade4a31\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"99d34625-e9dc-41a0-9bec-3076d907137c\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Scope Level\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"580be51c-ada9-456e-b4c6-af616ade4a31\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"sentinel_one.alert.rule.scope_level\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : 
\\\"sentinel_one.alert\\\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"99d34625-e9dc-41a0-9bec-3076d907137c\"],\"layerId\":\"12bb8402-74e9-4f83-96db-18e874c28661\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"580be51c-ada9-456e-b4c6-af616ade4a31\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"pie\"}},\"title\":\"Distribution of Alerts by Scope Level [Logs SentinelOne]\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"c328a3b4-108a-4a1f-a545-5e6a3acc40b0\",\"w\":24,\"x\":24,\"y\":12},\"panelIndex\":\"c328a3b4-108a-4a1f-a545-5e6a3acc40b0\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"description\":\"\",\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-6b6b61df-1417-49a3-81a1-7dda411c4e71\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"6b6b61df-1417-49a3-81a1-7dda411c4e71\":{\"columnOrder\":[\"27530883-162f-4958-bee8-ef06abc84059\",\"ecb1b9f1-2129-4d39-887d-3c2869f94908\"],\"columns\":{\"27530883-162f-4958-bee8-ef06abc84059\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Rule Names\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"ecb1b9f1-2129-4d39-887d-3c2869f94908\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"rule.name\"},\"ecb1b9f1-2129-4d39-887d-3c2869f94908\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : 
\\\"sentinel_one.alert\\\"\"},\"visualization\":{\"columns\":[{\"columnId\":\"27530883-162f-4958-bee8-ef06abc84059\",\"isTransposed\":false},{\"columnId\":\"ecb1b9f1-2129-4d39-887d-3c2869f94908\",\"isTransposed\":false}],\"layerId\":\"6b6b61df-1417-49a3-81a1-7dda411c4e71\",\"layerType\":\"data\"}},\"title\":\"Top 10 Rule Names [Logs SentinelOne]\",\"visualizationType\":\"lnsDatatable\"},\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"24c1e7fd-242a-49b1-bff0-521218255ed7\",\"w\":24,\"x\":0,\"y\":27},\"panelIndex\":\"24c1e7fd-242a-49b1-bff0-521218255ed7\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"description\":\"\",\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-6575381f-da1f-4e3e-aa6e-ee5d513b66e2\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"6575381f-da1f-4e3e-aa6e-ee5d513b66e2\":{\"columnOrder\":[\"0331dc07-e879-47b7-9279-687b413d436f\",\"66f1847e-6cfe-4b2a-95a7-795f68736736\"],\"columns\":{\"0331dc07-e879-47b7-9279-687b413d436f\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Rule Severity\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"66f1847e-6cfe-4b2a-95a7-795f68736736\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"sentinel_one.alert.rule.severity\"},\"66f1847e-6cfe-4b2a-95a7-795f68736736\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : 
\\\"sentinel_one.alert\\\"\"},\"visualization\":{\"layers\":[{\"accessors\":[\"66f1847e-6cfe-4b2a-95a7-795f68736736\"],\"layerId\":\"6575381f-da1f-4e3e-aa6e-ee5d513b66e2\",\"layerType\":\"data\",\"position\":\"top\",\"seriesType\":\"bar_stacked\",\"showGridlines\":false,\"xAccessor\":\"0331dc07-e879-47b7-9279-687b413d436f\"}],\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"preferredSeriesType\":\"bar_stacked\",\"title\":\"Empty XY chart\",\"valueLabels\":\"hide\",\"yLeftExtent\":{\"mode\":\"full\"},\"yRightExtent\":{\"mode\":\"full\"}}},\"title\":\"Distribution of Alerts by Rule Severity [Logs SentinelOne]\",\"visualizationType\":\"lnsXY\"},\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"986ac399-7ca0-420e-a224-f55f9dc48f5c\",\"w\":24,\"x\":24,\"y\":27},\"panelIndex\":\"986ac399-7ca0-420e-a224-f55f9dc48f5c\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"description\":\"\",\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-92ea1b1a-7e5f-4d77-9af5-5c75151c6382\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"92ea1b1a-7e5f-4d77-9af5-5c75151c6382\":{\"columnOrder\":[\"ddcf4498-b8ec-4e73-8a42-6b9e04e549c0\",\"f2f2bd2b-27e3-4868-bae1-ff003f94d936\"],\"columns\":{\"ddcf4498-b8ec-4e73-8a42-6b9e04e549c0\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Event 
Type\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"f2f2bd2b-27e3-4868-bae1-ff003f94d936\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"event.type\"},\"f2f2bd2b-27e3-4868-bae1-ff003f94d936\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"sentinel_one.alert\\\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"ddcf4498-b8ec-4e73-8a42-6b9e04e549c0\"],\"layerId\":\"92ea1b1a-7e5f-4d77-9af5-5c75151c6382\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"f2f2bd2b-27e3-4868-bae1-ff003f94d936\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"pie\"}},\"title\":\"Distribution of Alerts by Event Type [Logs 
SentinelOne]\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"946d6cac-4418-40cf-b301-614d64130caa\",\"w\":24,\"x\":0,\"y\":42},\"panelIndex\":\"946d6cac-4418-40cf-b301-614d64130caa\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"description\":\"\",\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-76215aa5-943c-4f3f-a5b5-dfa7095216e5\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"76215aa5-943c-4f3f-a5b5-dfa7095216e5\":{\"columnOrder\":[\"58c3a718-0540-4a34-bdb7-d3ac85d94986\",\"27c9c040-2ef7-4384-88fa-156d43d3ffe9\"],\"columns\":{\"27c9c040-2ef7-4384-88fa-156d43d3ffe9\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"58c3a718-0540-4a34-bdb7-d3ac85d94986\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Incident Status\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"27c9c040-2ef7-4384-88fa-156d43d3ffe9\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"sentinel_one.alert.info.status\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"sentinel_one.alert\\\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"58c3a718-0540-4a34-bdb7-d3ac85d94986\"],\"layerId\":\"76215aa5-943c-4f3f-a5b5-dfa7095216e5\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"27c9c040-2ef7-4384-88fa-156d43d3ffe9\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"pie\"}},\"title\":\"Distribution of Alerts by Incident Status [Logs 
SentinelOne]\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"d9f10ef5-e421-4193-8a29-de995a862192\",\"w\":24,\"x\":24,\"y\":42},\"panelIndex\":\"d9f10ef5-e421-4193-8a29-de995a862192\",\"type\":\"lens\",\"version\":\"7.17.0\"}]", - "timeRestore": false, - "title": "[Logs SentinelOne] Alerts", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "sentinel_one-bcf1f680-bba3-11ec-82b7-8fcb232e9538", - "migrationVersion": { - "dashboard": "7.17.0" - }, - "references": [ - { - "id": "sentinel_one-89773b00-c1fa-11ec-a23a-27e16fe32bb9", - "name": "1a5f3a94-99e7-4ad0-adec-e58382e9b5de:panel_1a5f3a94-99e7-4ad0-adec-e58382e9b5de", - "type": "search" - }, - { - "id": "logs-*", - "name": "b1454cbc-86ff-4612-9129-bc0b2b710079:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "b1454cbc-86ff-4612-9129-bc0b2b710079:indexpattern-datasource-layer-a70c9f24-f23c-453b-8c96-f1e710d919fc", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "02d8b05a-a909-43e8-bab4-41c424e0e889:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "02d8b05a-a909-43e8-bab4-41c424e0e889:indexpattern-datasource-layer-b50e4935-fe9a-460a-ab6d-43dcb1da50cb", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "869821d9-6b7b-4b0a-be75-476ec72548c9:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "869821d9-6b7b-4b0a-be75-476ec72548c9:indexpattern-datasource-layer-da42b88e-21d2-434f-9bbc-a8386239736f", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "781400e7-5d84-4316-a890-0f92323bbfa4:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "781400e7-5d84-4316-a890-0f92323bbfa4:indexpattern-datasource-layer-bf67982d-968e-4dfc-9e1e-378fe14caa5a", - "type": "index-pattern" - }, - { - "id": "logs-*", - 
"name": "c328a3b4-108a-4a1f-a545-5e6a3acc40b0:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "c328a3b4-108a-4a1f-a545-5e6a3acc40b0:indexpattern-datasource-layer-12bb8402-74e9-4f83-96db-18e874c28661", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "24c1e7fd-242a-49b1-bff0-521218255ed7:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "24c1e7fd-242a-49b1-bff0-521218255ed7:indexpattern-datasource-layer-6b6b61df-1417-49a3-81a1-7dda411c4e71", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "986ac399-7ca0-420e-a224-f55f9dc48f5c:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "986ac399-7ca0-420e-a224-f55f9dc48f5c:indexpattern-datasource-layer-6575381f-da1f-4e3e-aa6e-ee5d513b66e2", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "946d6cac-4418-40cf-b301-614d64130caa:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "946d6cac-4418-40cf-b301-614d64130caa:indexpattern-datasource-layer-92ea1b1a-7e5f-4d77-9af5-5c75151c6382", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "d9f10ef5-e421-4193-8a29-de995a862192:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "d9f10ef5-e421-4193-8a29-de995a862192:indexpattern-datasource-layer-76215aa5-943c-4f3f-a5b5-dfa7095216e5", - "type": "index-pattern" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/sentinel_one/1.2.2/kibana/search/sentinel_one-89773b00-c1fa-11ec-a23a-27e16fe32bb9.json b/packages/sentinel_one/1.2.2/kibana/search/sentinel_one-89773b00-c1fa-11ec-a23a-27e16fe32bb9.json deleted file mode 100755 index 534700dab7..0000000000 
--- a/packages/sentinel_one/1.2.2/kibana/search/sentinel_one-89773b00-c1fa-11ec-a23a-27e16fe32bb9.json +++ /dev/null @@ -1,40 +0,0 @@ -{ - "attributes": { - "columns": [ - "user.name", - "rule.id", - "rule.name", - "rule.description", - "host.name", - "observer.version", - "host.type", - "observer.serial_number" - ], - "description": "", - "grid": {}, - "hideChart": true, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"sentinel_one.alert\\\"\"}}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "Recent Alerts [Logs SentinelOne]" - }, - "coreMigrationVersion": "7.17.0", - "id": "sentinel_one-89773b00-c1fa-11ec-a23a-27e16fe32bb9", - "migrationVersion": { - "search": "7.9.3" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/sentinel_one/1.2.2/manifest.yml b/packages/sentinel_one/1.2.2/manifest.yml deleted file mode 100755 index 31352dfc1a..0000000000 --- a/packages/sentinel_one/1.2.2/manifest.yml +++ /dev/null 
@@ -1,79 +0,0 @@
-format_version: 1.0.0
-name: sentinel_one
-title: SentinelOne
-version: "1.2.2"
-license: basic
-description: Collect logs from SentinelOne with Elastic Agent.
-type: integration
-categories:
- - security
-release: ga
-conditions:
- kibana.version: ^7.17.0 || ^8.0.0
-screenshots:
- - src: /img/sentinel-one-screenshot.png
- title: SentinelOne Threat Dashboard Screenshot
- size: 600x600
- type: image/png
-icons:
- - src: /img/sentinel-one-logo.svg
- title: SentinelOne Logo
- size: 32x32
- type: image/svg+xml
-policy_templates:
- - name: sentinel_one
- title: SentinelOne
- description: Collect logs from SentinelOne.
- inputs:
- - type: httpjson
- title: Collect SentinelOne logs via API
- description: Collecting SentinelOne logs via API.
- vars:
- - name: url
- type: text
- title: URL
- description: SentinelOne console URL.
- required: true
- - name: api_token
- type: password
- title: API Token
- description: API Token with API Access Level type.
- required: true
- - name: proxy_url
- type: text
- title: Proxy URL
- multi: false
- required: false
- show_user: false
- description: URL to proxy connections in the form of http\[s\]://:@:. Please ensure your username and password are in URL encoded format.
- name: ssl
- type: yaml
- title: SSL Configuration
- description: i.e. certificate_authorities, supported_protocols, verification_mode etc.
- multi: false
- required: false
- show_user: false
- default: |
- #certificate_authorities:
- # - |
- # -----BEGIN CERTIFICATE-----
- # MIIDCjCCAfKgAwIBAgITJ706Mu2wJlKckpIvkWxEHvEyijANBgkqhkiG9w0BAQsF
- # ADAUMRIwEAYDVQQDDAlsb2NhbGhvc3QwIBcNMTkwNzIyMTkyOTA0WhgPMjExOTA2
- # MjgxOTI5MDRaMBQxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEB
- # BQADggEPADCCAQoCggEBANce58Y/JykI58iyOXpxGfw0/gMvF0hUQAcUrSMxEO6n
- # fZRA49b4OV4SwWmA3395uL2eB2NB8y8qdQ9muXUdPBWE4l9rMZ6gmfu90N5B5uEl
- # 94NcfBfYOKi1fJQ9i7WKhTjlRkMCgBkWPkUokvBZFRt8RtF7zI77BSEorHGQCk9t
- # /D7BS0GJyfVEhftbWcFEAG3VRcoMhF7kUzYwp+qESoriFRYLeDWv68ZOvG7eoWnP
- # PsvZStEVEimjvK5NSESEQa9xWyJOmlOKXhkdymtcUd/nXnx6UTCFgnkgzSdTWV41
- # CI6B6aJ9svCTI2QuoIq2HxX/ix7OvW1huVmcyHVxyUECAwEAAaNTMFEwHQYDVR0O
- # BBYEFPwN1OceFGm9v6ux8G+DZ3TUDYxqMB8GA1UdIwQYMBaAFPwN1OceFGm9v6ux
- # 8G+DZ3TUDYxqMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAG5D
- # 874A4YI7YUwOVsVAdbWtgp1d0zKcPRR+r2OdSbTAV5/gcS3jgBJ3i1BN34JuDVFw
- # 3DeJSYT3nxy2Y56lLnxDeF8CUTUtVQx3CuGkRg1ouGAHpO/6OqOhwLLorEmxi7tA
- # H2O8mtT0poX5AnOAhzVy7QW0D/k4WaoLyckM5hUa6RtvgvLxOwA0U+VGurCDoctu
- # 8F4QOgTAWyh8EZIwaKCliFRSynDpv3JTUwtfZkxo6K6nce1RhCWFAsMvDZL8Dgc0
- # yvgJ38BRsFOtkRuAGSf6ZUwTO8JJRRIFnpUzXflAnGivK9M13D5GEQMmIl6U9Pvk
- # sxSmbIUfc2SGJGCJD4I=
- # -----END CERTIFICATE-----
-owner:
- github: elastic/security-external-integrations
diff --git a/packages/slack/0.1.1/LICENSE.txt b/packages/slack/0.1.1/LICENSE.txt
deleted file mode 100755
index 809108b857..0000000000
--- a/packages/slack/0.1.1/LICENSE.txt
+++ /dev/null
@@ -1,93 +0,0 @@ -Elastic License 2.0 - -URL: https://www.elastic.co/licensing/elastic-license - -## Acceptance - -By using the software, you agree to all of the terms and conditions below. - -## Copyright License - -The licensor grants you a non-exclusive, royalty-free, worldwide, -non-sublicensable, non-transferable license to use, copy, distribute, make -available, and prepare derivative works of the software, in each case subject to -the limitations and conditions below. - -## Limitations - -You may not provide the software to third parties as a hosted or managed -service, where the service provides users with access to any substantial set of -the features or functionality of the software. - -You may not move, change, disable, or circumvent the license key functionality -in the software, and you may not remove or obscure any functionality in the -software that is protected by the license key. - -You may not alter, remove, or obscure any licensing, copyright, or other notices -of the licensor in the software. Any use of the licensor’s trademarks is subject -to applicable law. - -## Patents - -The licensor grants you a license, under any patent claims the licensor can -license, or becomes able to license, to make, have made, use, sell, offer for -sale, import and have imported the software, in each case subject to the -limitations and conditions in this license. This license does not cover any -patent claims that you cause to be infringed by modifications or additions to -the software. If you or your company make any written claim that the software -infringes or contributes to infringement of any patent, your patent license for -the software granted under these terms ends immediately. If your company makes -such a claim, your patent license ends immediately for work on behalf of your -company. - -## Notices - -You must ensure that anyone who gets a copy of any part of the software from you -also gets a copy of these terms. 
- -If you modify the software, you must include in any modified copies of the -software prominent notices stating that you have modified the software. - -## No Other Rights - -These terms do not imply any licenses other than those expressly granted in -these terms. - -## Termination - -If you use the software in violation of these terms, such use is not licensed, -and your licenses will automatically terminate. If the licensor provides you -with a notice of your violation, and you cease all violation of this license no -later than 30 days after you receive that notice, your licenses will be -reinstated retroactively. However, if you violate these terms after such -reinstatement, any additional violation of these terms will cause your licenses -to terminate automatically and permanently. - -## No Liability - -*As far as the law allows, the software comes as is, without any warranty or -condition, and the licensor will not be liable to you for any damages arising -out of these terms or the use or nature of the software, under any kind of -legal claim.* - -## Definitions - -The **licensor** is the entity offering these terms, and the **software** is the -software the licensor makes available under these terms, including any portion -of it. - -**you** refers to the individual or entity agreeing to these terms. - -**your company** is any legal entity, sole proprietorship, or other kind of -organization that you work for, plus all organizations that have control over, -are under the control of, or are under common control with that -organization. **control** means ownership of substantially all the assets of an -entity, or the power to direct its management and policies by vote, contract, or -otherwise. Control can be direct or indirect. - -**your licenses** are all the licenses granted to you for the software under -these terms. - -**use** means anything you do with the software requiring one of your licenses. 
-
-**trademark** means trademarks, service marks, and similar rights.
diff --git a/packages/slack/0.1.1/changelog.yml b/packages/slack/0.1.1/changelog.yml
deleted file mode 100755
index 2aec9db38b..0000000000
--- a/packages/slack/0.1.1/changelog.yml
+++ /dev/null
@@ -1,11 +0,0 @@
-# newer versions go on top
-- version: "0.1.1"
- changes:
- - description: Use ECS geo.location definition.
- type: enhancement
- link: https://github.com/elastic/integrations/issues/4227
-- version: "0.1.0"
- changes:
- - description: Initial draft of the package
- type: enhancement
- link: https://github.com/elastic/integrations/pull/3278
diff --git a/packages/slack/0.1.1/data_stream/audit/agent/stream/httpjson.yml.hbs b/packages/slack/0.1.1/data_stream/audit/agent/stream/httpjson.yml.hbs
deleted file mode 100755
index fd3d88e382..0000000000
--- a/packages/slack/0.1.1/data_stream/audit/agent/stream/httpjson.yml.hbs
+++ /dev/null
@@ -1,64 +0,0 @@
-config_version: "2"
-interval: {{interval}}
-request.method: "GET"
-request.url: {{api_url}}/audit/v1/logs
-{{#if ssl}}
-request.ssl: {{ssl}}
-{{/if}}
-{{#if http_client_timeout}}
-request.timeout: {{http_client_timeout}}
-{{/if}}
-{{#if proxy_url }}
-request.proxy_url: {{proxy_url}}
-{{/if}}
-
-request.transforms:
- - set:
- target: header.Authorization
- value: "Bearer {{oauth_token}}"
- - set:
- target: url.params.oldest
- value: "[[.cursor.last_timestamp]]"
- default: '[[(now (parseDuration "-{{initial_interval}}")).Unix]]'
- - set:
- target: url.params.latest
- value: '[[(now).Unix]]'
- - set:
- target: url.params.limit
- value: '[[{{limit}}]]'
-
-request.rate_limit.reset: '[[ add (toInt (.last_response.header.Get "Retry-After")) ((now).Unix) ]]'
-request.rate_limit.remaining: '0' # hardcoded to 0 since slack doesn't return remaining header only reset
-
-response.split:
- target: body.entries
-response.pagination:
-- set:
- target: url.params.cursor
- value: '[[.last_response.body.response_metadata.next_cursor]]'
- fail_on_template_error: true
-
-cursor:
- last_timestamp:
- value: "[[.first_event.date_create]]"
- fail_on_template_error: true
-
-{{#if tags.length}}
-tags:
-{{else if preserve_original_event}}
-tags:
-{{/if}}
-{{#each tags as |tag i|}}
- - {{tag}}
-{{/each}}
-{{#if preserve_original_event}}
- - preserve_original_event
-{{/if}}
-{{#contains "forwarded" tags}}
-publisher_pipeline.disable_host: true
-{{/contains}}
-
-{{#if processors}}
-processors:
-{{processors}}
-{{/if}}
\ No newline at end of file
diff --git a/packages/slack/0.1.1/data_stream/audit/elasticsearch/ingest_pipeline/default.yml b/packages/slack/0.1.1/data_stream/audit/elasticsearch/ingest_pipeline/default.yml
deleted file mode 100755
index 9ea4dc73e6..0000000000
--- a/packages/slack/0.1.1/data_stream/audit/elasticsearch/ingest_pipeline/default.yml
+++ /dev/null
@@ -1,395 +0,0 @@ ---- -description: Pipeline for parsing Slack Audit logs -processors: -- set: - field: ecs.version - value: '8.4.0' -- rename: - field: message - target_field: event.original -- json: - field: event.original - target_field: json -- date: - field: json.date_create - formats: - - UNIX - target_field: "@timestamp" -- rename: - field: json.action - target_field: event.action - ignore_missing: true -- rename: - field: json.id - target_field: event.id - ignore_missing: true -- fingerprint: - fields: - - event.id - target_field: _id - ignore_missing: true -- rename: - field: json.actor.user.id - target_field: user.id - ignore_missing: true -- rename: - field: json.actor.user.name - target_field: user.full_name - ignore_missing: true -- rename: - field: json.actor.user.email - target_field: user.email - ignore_missing: true -- rename: - field: json.entity.workspace - target_field: slack.audit.entity - ignore_missing: true - if: "ctx.slack?.entity == null" -- rename: - field: json.entity.enterprise - target_field: slack.audit.entity - ignore_missing: true - if: "ctx.slack?.entity == null" -- rename: - field: json.entity.user - target_field: slack.audit.entity - ignore_missing: true - if: "ctx.slack?.entity == null" -- rename: - field: json.entity.file - target_field: slack.audit.entity - ignore_missing: true - if: "ctx.slack?.entity == null" -- rename: - field: json.entity.channel - target_field: slack.audit.entity - ignore_missing: true - if: "ctx.slack?.entity == null" -- rename: - field: json.entity.app - target_field: slack.audit.entity - ignore_missing: true - if: "ctx.slack?.entity == null" -- rename: - field: json.entity.workflow - target_field: slack.audit.entity - ignore_missing: true - if: "ctx.slack?.entity == null" -- rename: - field: json.entity.user - target_field: slack.audit.entity - ignore_missing: true - if: "ctx.slack?.entity == null" -- rename: - field: json.entity.usergroup - target_field: slack.audit.entity - ignore_missing: true - 
if: "ctx.slack?.entity == null" -- rename: - field: json.entity.barrier - target_field: slack.audit.entity - ignore_missing: true - if: "ctx.slack?.entity == null" -- rename: - field: json.entity.message - target_field: slack.audit.entity - ignore_missing: true - if: "ctx.slack?.entity == null" -- rename: - field: json.entity.role - target_field: slack.audit.entity - ignore_missing: true - if: "ctx.slack?.entity == null" -- rename: - field: json.entity.account_type_role - target_field: slack.audit.entity - ignore_missing: true - if: "ctx.slack?.entity == null" -- rename: - field: json.entity.type - target_field: slack.audit.entity.entity_type - ignore_missing: true -- rename: - field: json.context.ua - target_field: user_agent.original - ignore_missing: true -- user_agent: - field: user_agent.original - ignore_failure: true -- rename: - field: json.context.ip_address - target_field: source.address - ignore_missing: true -- convert: - field: source.address - target_field: source.ip - type: ip - ignore_missing: true -- geoip: - field: source.ip - target_field: source.geo - ignore_missing: true -- geoip: - database_file: GeoLite2-ASN.mmdb - field: source.ip - target_field: source.as - properties: - - asn - - organization_name - ignore_missing: true -- rename: - field: source.as.asn - target_field: source.as.number - ignore_missing: true -- rename: - field: source.as.organization_name - target_field: source.as.organization.name - ignore_missing: true -- rename: - field: json.context.location - target_field: slack.audit.context - ignore_missing: true -- append: - field: related.user - value: "{{user.id}}" - allow_duplicates: false - if: ctx.user?.id != null -- append: - field: related.user - value: "{{user.email}}" - allow_duplicates: false - if: ctx.user?.email != null -- append: - field: related.ip - value: "{{source.ip}}" - if: ctx.source?.ip != null - - - -- script: - lang: painless - tag: Add ECS categorization - params: -## User Actions - user_login: - category: - 
- authentication - - session - type: - - info - - start - outcome: success - user_login_failed: - category: - - authentication - type: - - info - outcome: failure - user_logout: - category: - - authentication - - session - type: - - info - - end - outcome: success - user_session_invalidated: - category: - - authentication - - session - type: - - info - - end - outcome: success - user_session_reset_by_admin: - category: - - authentication - - session - type: - - info - - end - outcome: success - user_created: - category: - - iam - type: - - creation - - user - user_deactivated: - category: - - iam - type: - - deletion - - user - user_reactivated: - category: - - iam - type: - - change - - user - role_change_to_admin: - category: - - iam - type: - - change - - user - - admin - role_change_to_guest: - category: - - iam - type: - - change - - user - role_change_to_owner: - category: - - iam - type: - - change - - user - - admin - role_change_to_user: - category: - - iam - type: - - change - - user - user_email_updated: - category: - - iam - type: - - change - - user -## User Group Actions - user_added_to_usergroup: - category: - - iam - type: - - change - - group - - user - user_removed_from_usergroup: - category: - - iam - type: - - change - - group - - user - default_channel_added_to_usergroup: - category: - - iam - - configuration - type: - - change - - group - default_channel_removed_from_usergroup: - category: - - iam - - configuration - type: - - change - - group - role_added_to_usergroup: - category: - - iam - type: - - change - - group - role_removed_from_usergroup: - category: - - iam - type: - - change - - group - role_modified_on_usergroup: - category: - - iam - type: - - change - - group -## User Group Actions - file_downloaded: - category: - - file - type: - - allowed - file_downloaded_blocked: - category: - - file - type: - - denied - file_uploaded: - category: - - file - type: - - creation - file_public_link_created: - category: - - file - type: - - info 
- file_public_link_revoked: - category: - - file - type: - - info - file_shared: - category: - - file - type: - - info - file_malicious_content_detected: - category: - - file - - malware - type: - - info - - source: >- - ctx.event.kind = 'event'; - ctx.event.type = 'info'; - if (ctx?.event?.action == null) { - return; - } - if (params.get(ctx.event.action) == null) { - return; - } - def hm = new HashMap(params.get(ctx.event.action)); - hm.forEach((k, v) -> ctx.event[k] = v); -- remove: - field: - - json - ignore_missing: true -- remove: - field: event.original - if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" - ignore_failure: true - ignore_missing: true -- script: - lang: painless - description: This script processor iterates over the whole document to remove fields with null values. - source: | - void handleMap(Map map) { - for (def x : map.values()) { - if (x instanceof Map) { - handleMap(x); - } else if (x instanceof List) { - handleList(x); - } - } - map.values().removeIf(v -> v == null || v == '' || (v instanceof Map && v.size() == 0) || (v instanceof List && v.size() == 0)); - } - void handleList(List list) { - for (def x : list) { - if (x instanceof Map) { - handleMap(x); - } else if (x instanceof List) { - handleList(x); - } - } - list.removeIf(v -> v == null || v == '' || (v instanceof Map && v.size() == 0) || (v instanceof List && v.size() == 0)); - } - handleMap(ctx); -on_failure: -- set: - field: error.message - value: "{{ _ingest.on_failure_message }}" diff --git a/packages/slack/0.1.1/data_stream/audit/fields/agent.yml b/packages/slack/0.1.1/data_stream/audit/fields/agent.yml deleted file mode 100755 index 62ab051948..0000000000 --- a/packages/slack/0.1.1/data_stream/audit/fields/agent.yml +++ /dev/null 
@@ -1,112 +0,0 @@ -- description: |- - The cloud account or organization id used to identify different entities in a multi-tenant environment. - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. - name: cloud.account.id - type: keyword -- description: Availability zone in which this host, resource, or service is located. - name: cloud.availability_zone - type: keyword -- description: Instance ID of the host machine. - name: cloud.instance.id - type: keyword -- description: Instance name of the host machine. - name: cloud.instance.name - type: keyword -- description: Machine type of the host machine. - name: cloud.machine.type - type: keyword -- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - name: cloud.provider - type: keyword -- description: Region in which this host, resource, or service is located. - name: cloud.region - type: keyword -- description: |- - The cloud project identifier. - Examples: Google Cloud Project id, Azure Project id. - name: cloud.project.id - type: keyword -- description: Image ID for the cloud instance. - name: cloud.image.id - type: keyword -- description: Unique container id. - name: container.id - type: keyword -- description: Name of the image the container was built on. - name: container.image.name - type: keyword -- description: Image labels. - name: container.labels - type: object -- description: Container name. - name: container.name - type: keyword -- description: Operating system architecture. - name: host.architecture - type: keyword -- description: |- - Name of the domain of which the host is a member. - For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. - name: host.domain - type: keyword -- description: |- - Hostname of the host. - It normally contains what the `hostname` command returns on the host machine. 
- name: host.hostname - type: keyword -- description: |- - Unique host id. - As hostname is not always unique, use values that are meaningful in your environment. - Example: The current usage of `beat.name`. - name: host.id - type: keyword -- description: Host ip addresses. - name: host.ip - normalize: - - array - type: ip -- description: |- - Host MAC addresses. - The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. - name: host.mac - normalize: - - array - pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ - type: keyword -- description: |- - Name of the host. - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. - name: host.name - type: keyword -- description: OS family (such as redhat, debian, freebsd, windows). - name: host.os.family - type: keyword -- description: Operating system kernel version as a raw string. - name: host.os.kernel - type: keyword -- description: Operating system name, without the version. - multi_fields: - - name: text - type: match_only_text - name: host.os.name - type: keyword -- description: Operating system platform (such centos, ubuntu, windows). - name: host.os.platform - type: keyword -- description: Operating system version as a raw string. - name: host.os.version - type: keyword -- description: |- - Type of host. - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. - name: host.type - type: keyword -- description: If the host is a container. - name: host.containerized - type: boolean -- description: OS build information. - name: host.os.build - type: keyword -- description: OS codename, if any. - name: host.os.codename - type: keyword 
diff --git a/packages/slack/0.1.1/data_stream/audit/fields/base-fields.yml b/packages/slack/0.1.1/data_stream/audit/fields/base-fields.yml
deleted file mode 100755
index 90993968ef..0000000000
--- a/packages/slack/0.1.1/data_stream/audit/fields/base-fields.yml
+++ /dev/null
@@ -1,20 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset name.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: event.module
- type: constant_keyword
- description: Event module
- value: slack
-- name: event.dataset
- type: constant_keyword
- description: Event dataset
- value: slack.audit
-- name: "@timestamp"
- type: date
- description: Event timestamp.
diff --git a/packages/slack/0.1.1/data_stream/audit/fields/beats.yml b/packages/slack/0.1.1/data_stream/audit/fields/beats.yml
deleted file mode 100755
index cb44bb2944..0000000000
--- a/packages/slack/0.1.1/data_stream/audit/fields/beats.yml
+++ /dev/null
@@ -1,12 +0,0 @@
-- name: input.type
- type: keyword
- description: Type of Filebeat input.
-- name: log.flags
- type: keyword
- description: Flags for the log file.
-- name: log.offset
- type: long
- description: Offset of the entry in the log file.
-- name: log.file.path
- type: keyword
- description: Path to the log file.
diff --git a/packages/slack/0.1.1/data_stream/audit/fields/ecs.yml b/packages/slack/0.1.1/data_stream/audit/fields/ecs.yml
deleted file mode 100755
index 7d9361ce5b..0000000000
--- a/packages/slack/0.1.1/data_stream/audit/fields/ecs.yml
+++ /dev/null
@@ -1,178 +0,0 @@ -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: Error message. - name: error.message - type: match_only_text -- description: |- - The action captured by the event. - This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. - name: event.action - type: keyword -- description: Unique ID to describe the event. - name: event.id - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. This will allow proper categorization of some events that fall in multiple categories. - name: event.category - normalize: - - array - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. - `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. This will allow proper categorization of some events that fall in multiple event types. - name: event.type - normalize: - - array - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. 
- `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. This will allow proper categorization of some events that fall in multiple categories. - name: event.category - normalize: - - array - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: |- - Timestamp when an event arrived in the central data store. - This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. - In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. - name: event.ingested - type: date -- description: |- - Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. - This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. 
- doc_values: false - index: false - name: event.original - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - normalize: - - array - type: ip -- description: All the user names or other user identifiers seen on the event. - name: related.user - normalize: - - array - type: keyword -- description: |- - Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: source.address - type: keyword -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: source.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: source.as.organization.name - type: keyword -- description: City name. - name: source.geo.city_name - type: keyword -- description: Name of the continent. - name: source.geo.continent_name - type: keyword -- description: Country ISO code. - name: source.geo.country_iso_code - type: keyword -- description: Country name. - name: source.geo.country_name - type: keyword -- description: Longitude and latitude. - name: source.geo.location - type: geo_point -- description: |- - User-defined description of a location, at the level of granularity they care about. - Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. - Not typically used in automated geolocation. - name: source.geo.name - type: keyword -- description: Region ISO code. - name: source.geo.region_iso_code - type: keyword -- description: Region name. - name: source.geo.region_name - type: keyword -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: List of keywords used to tag each event. 
- name: tags - normalize: - - array - type: keyword -- description: User email address. - name: user.email - type: keyword -- description: Unique identifier of the user. - name: user.id - type: keyword -- description: User's full name, if available. - multi_fields: - - name: text - type: match_only_text - name: user.full_name - type: keyword -- description: Name of the device. - name: user_agent.device.name - type: keyword -- description: Name of the device. - name: user_agent.device.name - type: keyword -- description: Name of the user agent. - name: user_agent.name - type: keyword -- description: Name of the user agent. - name: user_agent.name - type: keyword -- description: Unparsed user_agent string. - multi_fields: - - name: text - type: match_only_text - name: user_agent.original - type: keyword -- description: Unparsed user_agent string. - multi_fields: - - name: text - type: match_only_text - name: user_agent.original - type: keyword -- description: Operating system name, including the version or code name. - multi_fields: - - name: text - type: match_only_text - name: user_agent.os.full - type: keyword -- description: Operating system name, without the version. - multi_fields: - - name: text - type: match_only_text - name: user_agent.os.name - type: keyword -- description: Operating system name, without the version. - multi_fields: - - name: text - type: match_only_text - name: user_agent.os.name - type: keyword -- description: Operating system version as a raw string. - name: user_agent.os.version - type: keyword -- description: Version of the user agent. - name: user_agent.version - type: keyword diff --git a/packages/slack/0.1.1/data_stream/audit/fields/fields.yml b/packages/slack/0.1.1/data_stream/audit/fields/fields.yml deleted file mode 100755 index 1bf914714d..0000000000 --- a/packages/slack/0.1.1/data_stream/audit/fields/fields.yml +++ /dev/null 
@@ -1,141 +0,0 @@ -- name: slack.audit - type: group - description: > - Fields for Cloudflare Audit Logs - - fields: - - name: context.domain - type: keyword - description: > - The domain of the Workspace or Enterprise - - - name: context.id - type: keyword - description: > - The ID of the workspace or enterprise - - - name: context.name - type: keyword - description: > - The name of the workspace or enterprise - - - name: context.type - type: keyword - description: > - The type of account. Either `Workspace` or `Enterprise` - - - name: entity - type: group - description: > - Fields for the entity acted upon by the actor/user. Some fields are type specific. - - fields: - - name: entity_type - type: keyword - description: > - Type of the entity: workspace, enterprise, user, file, channel, app, workflow, user, usergroup, barrier, message, role, account_type_role. - - - name: email - type: keyword - description: > - Email address of the entity when entity_type is user - - - name: id - type: keyword - description: > - ID of the entity - - - name: name - type: keyword - description: > - Name of the entity - - - name: team - type: keyword - description: > - Team that the entity exists within when entity_type is user or message - - - name: domain - type: keyword - description: > - Domain of the entity when entity_type is Workspace or Enterprise - - - name: filetype - type: keyword - description: > - Filetype of the entity when entity_type is file - - - name: filetype - type: keyword - description: > - Title of the entity when entity_type is file - - - name: privacy - type: keyword - description: > - Privacy status of entity when entity_type is channel - - - name: is_shared - type: boolean - description: > - If channel is shared when entity_type is channel - - - name: is_org_shared - type: boolean - description: > - If channel is shared when entity_type is channel - - - name: teams_shared_with - type: keyword - description: > - List of orgs channel is shared with when 
entity_type is channel - - - name: is_distributed - type: boolean - description: > - If App is distributed when entity_type is app - - - name: is_directory_approved - type: boolean - description: > - If App is approved when entity_type is app - - - name: is_workflow_app - type: boolean - description: > - If App is a workflow when entity_type is app - - - name: scopes - type: keyword - description: > - The OAuth scopes when entity_type is app - - - name: primary_usergroup - type: keyword - description: > - The primary user group when entity_type is barrier - - - name: barriered_from_usergroup - type: keyword - description: > - The user group barrier when entity_type is barrier - - - name: channel - type: keyword - description: > - The channel the entity is within when entity_type is message - - - name: timestamp - type: keyword - description: > - The timestamp of the entity when entity_type is message - - - name: timestamp - type: date - description: > - The timestamp of the entity when entity_type is message - - - name: type - type: keyword - description: >- - The type of the entity when entity_type is role diff --git a/packages/slack/0.1.1/data_stream/audit/manifest.yml b/packages/slack/0.1.1/data_stream/audit/manifest.yml deleted file mode 100755 index bb36a3b04f..0000000000 --- a/packages/slack/0.1.1/data_stream/audit/manifest.yml +++ /dev/null 
@@ -1,62 +0,0 @@
-type: logs
-title: Slack Audit Logs
-streams:
- - input: httpjson
- vars:
- - name: oauth_token
- type: password
- title: OAuth API Token
- description: The OAuth API Token used to authenticate with the Slack API
- multi: false
- required: true
- show_user: true
- - name: interval
- type: text
- title: Interval
- multi: false
- required: true
- show_user: true
- description: Interval at which the logs will be pulled. The value must be between 2m and 1h.
- default: 1h
- - name: initial_interval
- type: text
- title: Initial Interval
- multi: false
- required: true
- show_user: false
- description: Initial interval at which the logs will be pulled. Defaults to 30 days (720 hours).
- default: 720h
- - name: limit
- type: integer
- title: Limit
- description: Number of events to fetch on each request. Max is 9999.
- show_user: false
- required: true
- default: 9999
- - name: tags
- type: text
- title: Tags
- multi: true
- required: true
- show_user: true
- default:
- - forwarded
- - slack-audit
- - name: preserve_original_event
- required: true
- show_user: true
- title: Preserve original event
- description: Preserves a raw copy of the original event, added to the field `event.original`
- type: bool
- multi: false
- default: false
- - name: processors
- type: yaml
- title: Processors
- multi: false
- required: false
- show_user: false
- description: "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. \nThis executes in the agent before the logs are parsed. \nSee [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.\n"
- template_path: httpjson.yml.hbs
- title: Slack Audit logs
- description: Collect Slack Audit logs via the API
diff --git a/packages/slack/0.1.1/data_stream/audit/sample_event.json b/packages/slack/0.1.1/data_stream/audit/sample_event.json
deleted file mode 100755
index eaaa704739..0000000000
--- a/packages/slack/0.1.1/data_stream/audit/sample_event.json +++ /dev/null 
@@ -1,101 +0,0 @@ -{ - "@timestamp": "2018-03-16T15:32:23.000Z", - "agent": { - "ephemeral_id": "f1750a2f-f033-40a6-a77b-c70e9750ccb0", - "id": "592bbba2-ceea-4a3a-8ccb-0c8c92d1eed3", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "8.1.0" - }, - "data_stream": { - "dataset": "slack.audit", - "namespace": "ep", - "type": "logs" - }, - "ecs": { - "version": "8.3.0" - }, - "elastic_agent": { - "id": "592bbba2-ceea-4a3a-8ccb-0c8c92d1eed3", - "snapshot": false, - "version": "8.1.0" - }, - "event": { - "action": "user_login", - "agent_id_status": "verified", - "created": "2022-05-04T16:10:05.054Z", - "dataset": "slack.audit", - "id": "0123a45b-6c7d-8900-e12f-3456789gh0i1", - "ingested": "2022-05-04T16:10:06Z", - "kind": "event", - "original": "{\"action\":\"user_login\",\"actor\":{\"type\":\"user\",\"user\":{\"email\":\"bird@slack.com\",\"id\":\"W123AB456\",\"name\":\"Charlie Parker\"}},\"context\":{\"ip_address\":\"81.2.69.143\",\"location\":{\"domain\":\"birdland\",\"id\":\"E1701NCCA\",\"name\":\"Birdland\",\"type\":\"enterprise\"},\"ua\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.186 Safari/537.36\"},\"date_create\":1521214343,\"entity\":{\"type\":\"user\",\"user\":{\"email\":\"bird@slack.com\",\"id\":\"W123AB456\",\"name\":\"Charlie Parker\"}},\"id\":\"0123a45b-6c7d-8900-e12f-3456789gh0i1\"}", - "type": "info" - }, - "input": { - "type": "httpjson" - }, - "related": { - "ip": [ - "81.2.69.143" - ], - "user": [ - "W123AB456", - "bird@slack.com" - ] - }, - "slack": { - "audit": { - "context": { - "domain": "birdland", - "id": "E1701NCCA", - "name": "Birdland", - "type": "enterprise" - }, - "entity": { - "email": "bird@slack.com", - "entity_type": "user", - "id": "W123AB456", - "name": "Charlie Parker" - } - } - }, - "source": { - "address": "81.2.69.143", - "geo": { - "city_name": "London", - "continent_name": "Europe", - "country_iso_code": "GB", - "country_name": "United Kingdom", - 
"location": { - "lat": 51.5142, - "lon": -0.0931 - }, - "region_iso_code": "GB-ENG", - "region_name": "England" - }, - "ip": "81.2.69.143" - }, - "tags": [ - "forwarded", - "slack-audit", - "preserve_original_event" - ], - "user": { - "email": "bird@slack.com", - "full_name": "Charlie Parker", - "id": "W123AB456" - }, - "user_agent": { - "device": { - "name": "Mac" - }, - "name": "Chrome", - "original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.186 Safari/537.36", - "os": { - "full": "Mac OS X 10.12.6", - "name": "Mac OS X", - "version": "10.12.6" - }, - "version": "64.0.3282.186" - } -} \ No newline at end of file diff --git a/packages/slack/0.1.1/docs/README.md b/packages/slack/0.1.1/docs/README.md deleted file mode 100755 index e90e4576d4..0000000000 --- a/packages/slack/0.1.1/docs/README.md +++ /dev/null 
@@ -1,251 +0,0 @@ -# Slack Integration - -[Slack](https://www.slack.com) is used by numerous orgazations as their primary chat and collaboration tool. - -The Slack integration uses [Slack's API](https://api.slack.com/) to retrieve audit events and ingest them into Elasticsearch. This allows you to search, observe, and visualize the Slack log events through Elasticsearch. - -The Elastic agent running this integration interacts with Slack's infrastructure using their APIs to retrieve [audit logs](https://api.slack.com/admins/audit-logs) for a workspace or enterprise. - -**Please note the Audit Logs API is only available to Slack workspaces on an Enterprise Grid plan. These API methods will not work for workspaces on a Free, Standard, or Business+ plan.** - -## Configuration - -### Enabling the integration in Elastic - -1. In Kibana go to **Management > Integrations** -2. In the "Search for integrations" search bar type **Slack**. -3. Click on "Slack" integration from the search results. -4. Click on **Add Slack** button to add Slack integration. - -### Configure Slack audit logs data stream - -Enter values "OAuth API Token". - -1. [**OAuth API Token**](https://api.slack.com/authentication/basics) will be generated when a [Slack App](https://api.slack.com/apps) is created. - -#### Configure using API Token - -For the Slack integration to be able to successfully get logs the following "User Token Scopes"" must be granted to the Slack App: - -- `auditlogs:read` - -## Logs - -### Audit - -Audit logs summarize the history of changes made within the Slack Enterprise. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. 
| keyword | -| cloud.availability_zone | Availability zone in which this host, resource, or service is located. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | The cloud project identifier. Examples: Google Cloud Project id, Azure Project id. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host, resource, or service is located. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset name. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| error.message | Error message. | match_only_text | -| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. 
For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.dataset | Event dataset | constant_keyword | -| event.id | Unique ID to describe the event. | keyword | -| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | -| event.module | Event module | constant_keyword | -| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. 
| keyword | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host MAC addresses. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. 
| keyword | -| host.os.name.text | Multi-field of `host.os.name`. | match_only_text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| input.type | Type of Filebeat input. | keyword | -| log.file.path | Path to the log file. | keyword | -| log.flags | Flags for the log file. | keyword | -| log.offset | Offset of the entry in the log file. | long | -| related.ip | All of the IPs seen on your event. | ip | -| related.user | All the user names or other user identifiers seen on the event. | keyword | -| slack.audit.context.domain | The domain of the Workspace or Enterprise | keyword | -| slack.audit.context.id | The ID of the workspace or enterprise | keyword | -| slack.audit.context.name | The name of the workspace or enterprise | keyword | -| slack.audit.context.type | The type of account. Either `Workspace` or `Enterprise` | keyword | -| slack.audit.entity.barriered_from_usergroup | The user group barrier when entity_type is barrier | keyword | -| slack.audit.entity.channel | The channel the entity is within when entity_type is message | keyword | -| slack.audit.entity.domain | Domain of the entity when entity_type is Workspace or Enterprise | keyword | -| slack.audit.entity.email | Email address of the entity when entity_type is user | keyword | -| slack.audit.entity.entity_type | Type of the entity: workspace, enterprise, user, file, channel, app, workflow, user, usergroup, barrier, message, role, account_type_role. 
| keyword | -| slack.audit.entity.filetype | Filetype of the entity when entity_type is file | keyword | -| slack.audit.entity.id | ID of the entity | keyword | -| slack.audit.entity.is_directory_approved | If App is approved when entity_type is app | boolean | -| slack.audit.entity.is_distributed | If App is distributed when entity_type is app | boolean | -| slack.audit.entity.is_org_shared | If channel is shared when entity_type is channel | boolean | -| slack.audit.entity.is_shared | If channel is shared when entity_type is channel | boolean | -| slack.audit.entity.is_workflow_app | If App is a workflow when entity_type is app | boolean | -| slack.audit.entity.name | Name of the entity | keyword | -| slack.audit.entity.primary_usergroup | The primary user group when entity_type is barrier | keyword | -| slack.audit.entity.privacy | Privacy status of entity when entity_type is channel | keyword | -| slack.audit.entity.scopes | The OAuth scopes when entity_type is app | keyword | -| slack.audit.entity.team | Team that the entity exists within when entity_type is user or message | keyword | -| slack.audit.entity.teams_shared_with | List of orgs channel is shared with when entity_type is channel | keyword | -| slack.audit.entity.timestamp | The timestamp of the entity when entity_type is message | date | -| slack.audit.entity.type | The type of the entity when entity_type is role | keyword | -| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| source.as.organization.name | Organization name. 
| keyword | -| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text | -| source.geo.city_name | City name. | keyword | -| source.geo.continent_name | Name of the continent. | keyword | -| source.geo.country_iso_code | Country ISO code. | keyword | -| source.geo.country_name | Country name. | keyword | -| source.geo.location | Longitude and latitude. | geo_point | -| source.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | -| source.geo.region_iso_code | Region ISO code. | keyword | -| source.geo.region_name | Region name. | keyword | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| tags | List of keywords used to tag each event. | keyword | -| user.email | User email address. | keyword | -| user.full_name | User's full name, if available. | keyword | -| user.full_name.text | Multi-field of `user.full_name`. | match_only_text | -| user.id | Unique identifier of the user. | keyword | -| user_agent.device.name | Name of the device. | keyword | -| user_agent.name | Name of the user agent. | keyword | -| user_agent.original | Unparsed user_agent string. | keyword | -| user_agent.original.text | Multi-field of `user_agent.original`. | match_only_text | -| user_agent.os.full | Operating system name, including the version or code name. | keyword | -| user_agent.os.full.text | Multi-field of `user_agent.os.full`. | match_only_text | -| user_agent.os.name | Operating system name, without the version. | keyword | -| user_agent.os.name.text | Multi-field of `user_agent.os.name`. | match_only_text | -| user_agent.os.version | Operating system version as a raw string. | keyword | -| user_agent.version | Version of the user agent. 
| keyword | - - -An example event for `audit` looks as following: - -```json -{ - "@timestamp": "2018-03-16T15:32:23.000Z", - "agent": { - "ephemeral_id": "f1750a2f-f033-40a6-a77b-c70e9750ccb0", - "id": "592bbba2-ceea-4a3a-8ccb-0c8c92d1eed3", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "8.1.0" - }, - "data_stream": { - "dataset": "slack.audit", - "namespace": "ep", - "type": "logs" - }, - "ecs": { - "version": "8.3.0" - }, - "elastic_agent": { - "id": "592bbba2-ceea-4a3a-8ccb-0c8c92d1eed3", - "snapshot": false, - "version": "8.1.0" - }, - "event": { - "action": "user_login", - "agent_id_status": "verified", - "created": "2022-05-04T16:10:05.054Z", - "dataset": "slack.audit", - "id": "0123a45b-6c7d-8900-e12f-3456789gh0i1", - "ingested": "2022-05-04T16:10:06Z", - "kind": "event", - "original": "{\"action\":\"user_login\",\"actor\":{\"type\":\"user\",\"user\":{\"email\":\"bird@slack.com\",\"id\":\"W123AB456\",\"name\":\"Charlie Parker\"}},\"context\":{\"ip_address\":\"81.2.69.143\",\"location\":{\"domain\":\"birdland\",\"id\":\"E1701NCCA\",\"name\":\"Birdland\",\"type\":\"enterprise\"},\"ua\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.186 Safari/537.36\"},\"date_create\":1521214343,\"entity\":{\"type\":\"user\",\"user\":{\"email\":\"bird@slack.com\",\"id\":\"W123AB456\",\"name\":\"Charlie Parker\"}},\"id\":\"0123a45b-6c7d-8900-e12f-3456789gh0i1\"}", - "type": "info" - }, - "input": { - "type": "httpjson" - }, - "related": { - "ip": [ - "81.2.69.143" - ], - "user": [ - "W123AB456", - "bird@slack.com" - ] - }, - "slack": { - "audit": { - "context": { - "domain": "birdland", - "id": "E1701NCCA", - "name": "Birdland", - "type": "enterprise" - }, - "entity": { - "email": "bird@slack.com", - "entity_type": "user", - "id": "W123AB456", - "name": "Charlie Parker" - } - } - }, - "source": { - "address": "81.2.69.143", - "geo": { - "city_name": "London", - "continent_name": "Europe", - 
"country_iso_code": "GB", - "country_name": "United Kingdom", - "location": { - "lat": 51.5142, - "lon": -0.0931 - }, - "region_iso_code": "GB-ENG", - "region_name": "England" - }, - "ip": "81.2.69.143" - }, - "tags": [ - "forwarded", - "slack-audit", - "preserve_original_event" - ], - "user": { - "email": "bird@slack.com", - "full_name": "Charlie Parker", - "id": "W123AB456" - }, - "user_agent": { - "device": { - "name": "Mac" - }, - "name": "Chrome", - "original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.186 Safari/537.36", - "os": { - "full": "Mac OS X 10.12.6", - "name": "Mac OS X", - "version": "10.12.6" - }, - "version": "64.0.3282.186" - } -} -``` diff --git a/packages/slack/0.1.1/img/slack.svg b/packages/slack/0.1.1/img/slack.svg deleted file mode 100755 index 69a4eb6a21..0000000000 --- a/packages/slack/0.1.1/img/slack.svg +++ /dev/null @@ -1 +0,0 @@ - \ No newline at end of file diff --git a/packages/slack/0.1.1/manifest.yml b/packages/slack/0.1.1/manifest.yml deleted file mode 100755 index 414612e62a..0000000000 --- a/packages/slack/0.1.1/manifest.yml +++ /dev/null 
@@ -1,56 +0,0 @@
-format_version: 1.0.0
-name: slack
-title: "Slack Logs"
-version: 0.1.1
-license: basic
-description: "Slack Logs Integration"
-type: integration
-categories:
- - productivity
- - security
-conditions:
- kibana.version: "^8.1.0"
-icons:
- - src: /img/slack.svg
- title: Slack logo
- size: 32x32
- type: image/svg+xml
-policy_templates:
- - name: slack
- title: Slack logs
- description: Collect logs from Slack
- inputs:
- - type: httpjson
- title: "Collect Slack logs via API"
- description: "Collecting logs from Slack via API"
- vars:
- - name: api_url
- type: text
- title: API URL.
- description: The root url for the API endpoints
- multi: false
- required: true
- show_user: false
- default: https://api.slack.com
- - name: ssl
- type: yaml
- title: SSL
- multi: false
- required: false
- show_user: false
- - name: proxy_url
- type: text
- title: Proxy URL
- multi: false
- required: false
- show_user: false
- description: URL to proxy connections in the form of http[s]://:@:
- - name: http_client_timeout
- type: text
- title: HTTP Client Timeout
- multi: false
- required: false
- show_user: true
- default: 60s
-owner:
- github: elastic/security-external-integrations
diff --git a/packages/slack/0.1.2/LICENSE.txt b/packages/slack/0.1.2/LICENSE.txt
deleted file mode 100755
index 809108b857..0000000000
--- a/packages/slack/0.1.2/LICENSE.txt
+++ /dev/null
@@ -1,93 +0,0 @@ -Elastic License 2.0 - -URL: https://www.elastic.co/licensing/elastic-license - -## Acceptance - -By using the software, you agree to all of the terms and conditions below. - -## Copyright License - -The licensor grants you a non-exclusive, royalty-free, worldwide, -non-sublicensable, non-transferable license to use, copy, distribute, make -available, and prepare derivative works of the software, in each case subject to -the limitations and conditions below. - -## Limitations - -You may not provide the software to third parties as a hosted or managed -service, where the service provides users with access to any substantial set of -the features or functionality of the software. - -You may not move, change, disable, or circumvent the license key functionality -in the software, and you may not remove or obscure any functionality in the -software that is protected by the license key. - -You may not alter, remove, or obscure any licensing, copyright, or other notices -of the licensor in the software. Any use of the licensor’s trademarks is subject -to applicable law. - -## Patents - -The licensor grants you a license, under any patent claims the licensor can -license, or becomes able to license, to make, have made, use, sell, offer for -sale, import and have imported the software, in each case subject to the -limitations and conditions in this license. This license does not cover any -patent claims that you cause to be infringed by modifications or additions to -the software. If you or your company make any written claim that the software -infringes or contributes to infringement of any patent, your patent license for -the software granted under these terms ends immediately. If your company makes -such a claim, your patent license ends immediately for work on behalf of your -company. - -## Notices - -You must ensure that anyone who gets a copy of any part of the software from you -also gets a copy of these terms. 
- -If you modify the software, you must include in any modified copies of the -software prominent notices stating that you have modified the software. - -## No Other Rights - -These terms do not imply any licenses other than those expressly granted in -these terms. - -## Termination - -If you use the software in violation of these terms, such use is not licensed, -and your licenses will automatically terminate. If the licensor provides you -with a notice of your violation, and you cease all violation of this license no -later than 30 days after you receive that notice, your licenses will be -reinstated retroactively. However, if you violate these terms after such -reinstatement, any additional violation of these terms will cause your licenses -to terminate automatically and permanently. - -## No Liability - -*As far as the law allows, the software comes as is, without any warranty or -condition, and the licensor will not be liable to you for any damages arising -out of these terms or the use or nature of the software, under any kind of -legal claim.* - -## Definitions - -The **licensor** is the entity offering these terms, and the **software** is the -software the licensor makes available under these terms, including any portion -of it. - -**you** refers to the individual or entity agreeing to these terms. - -**your company** is any legal entity, sole proprietorship, or other kind of -organization that you work for, plus all organizations that have control over, -are under the control of, or are under common control with that -organization. **control** means ownership of substantially all the assets of an -entity, or the power to direct its management and policies by vote, contract, or -otherwise. Control can be direct or indirect. - -**your licenses** are all the licenses granted to you for the software under -these terms. - -**use** means anything you do with the software requiring one of your licenses. 
-
-**trademark** means trademarks, service marks, and similar rights.
diff --git a/packages/slack/0.1.2/changelog.yml b/packages/slack/0.1.2/changelog.yml
deleted file mode 100755
index 512c0cecbd..0000000000
--- a/packages/slack/0.1.2/changelog.yml
+++ /dev/null
@@ -1,16 +0,0 @@
-# newer versions go on top
-- version: "0.1.2"
- changes:
- - description: Remove duplicate field.
- type: bugfix
- link: https://github.com/elastic/integrations/issues/4327
-- version: "0.1.1"
- changes:
- - description: Use ECS geo.location definition.
- type: enhancement
- link: https://github.com/elastic/integrations/issues/4227
-- version: "0.1.0"
- changes:
- - description: Initial draft of the package
- type: enhancement
- link: https://github.com/elastic/integrations/pull/3278
diff --git a/packages/slack/0.1.2/data_stream/audit/agent/stream/httpjson.yml.hbs b/packages/slack/0.1.2/data_stream/audit/agent/stream/httpjson.yml.hbs
deleted file mode 100755
index fd3d88e382..0000000000
--- a/packages/slack/0.1.2/data_stream/audit/agent/stream/httpjson.yml.hbs
+++ /dev/null
@@ -1,64 +0,0 @@
-config_version: "2"
-interval: {{interval}}
-request.method: "GET"
-request.url: {{api_url}}/audit/v1/logs
-{{#if ssl}}
-request.ssl: {{ssl}}
-{{/if}}
-{{#if http_client_timeout}}
-request.timeout: {{http_client_timeout}}
-{{/if}}
-{{#if proxy_url }}
-request.proxy_url: {{proxy_url}}
-{{/if}}
-
-request.transforms:
- - set:
- target: header.Authorization
- value: "Bearer {{oauth_token}}"
- - set:
- target: url.params.oldest
- value: "[[.cursor.last_timestamp]]"
- default: '[[(now (parseDuration "-{{initial_interval}}")).Unix]]'
- - set:
- target: url.params.latest
- value: '[[(now).Unix]]'
- - set:
- target: url.params.limit
- value: '[[{{limit}}]]'
-
-request.rate_limit.reset: '[[ add (toInt (.last_response.header.Get "Retry-After")) ((now).Unix) ]]'
-request.rate_limit.remaining: '0' # hardcoded to 0 since slack doesn't return remaining header only reset
-
-response.split:
- target: body.entries
-response.pagination:
-- set:
- target: url.params.cursor
- value: '[[.last_response.body.response_metadata.next_cursor]]'
- fail_on_template_error: true
-
-cursor:
- last_timestamp:
- value: "[[.first_event.date_create]]"
- fail_on_template_error: true
-
-{{#if tags.length}}
-tags:
-{{else if preserve_original_event}}
-tags:
-{{/if}}
-{{#each tags as |tag i|}}
- - {{tag}}
-{{/each}}
-{{#if preserve_original_event}}
- - preserve_original_event
-{{/if}}
-{{#contains "forwarded" tags}}
-publisher_pipeline.disable_host: true
-{{/contains}}
-
-{{#if processors}}
-processors:
-{{processors}}
-{{/if}}
\ No newline at end of file
diff --git a/packages/slack/0.1.2/data_stream/audit/elasticsearch/ingest_pipeline/default.yml b/packages/slack/0.1.2/data_stream/audit/elasticsearch/ingest_pipeline/default.yml
deleted file mode 100755
index 9ea4dc73e6..0000000000
--- a/packages/slack/0.1.2/data_stream/audit/elasticsearch/ingest_pipeline/default.yml
+++ /dev/null
@@ -1,395 +0,0 @@ ---- -description: Pipeline for parsing Slack Audit logs -processors: -- set: - field: ecs.version - value: '8.4.0' -- rename: - field: message - target_field: event.original -- json: - field: event.original - target_field: json -- date: - field: json.date_create - formats: - - UNIX - target_field: "@timestamp" -- rename: - field: json.action - target_field: event.action - ignore_missing: true -- rename: - field: json.id - target_field: event.id - ignore_missing: true -- fingerprint: - fields: - - event.id - target_field: _id - ignore_missing: true -- rename: - field: json.actor.user.id - target_field: user.id - ignore_missing: true -- rename: - field: json.actor.user.name - target_field: user.full_name - ignore_missing: true -- rename: - field: json.actor.user.email - target_field: user.email - ignore_missing: true -- rename: - field: json.entity.workspace - target_field: slack.audit.entity - ignore_missing: true - if: "ctx.slack?.entity == null" -- rename: - field: json.entity.enterprise - target_field: slack.audit.entity - ignore_missing: true - if: "ctx.slack?.entity == null" -- rename: - field: json.entity.user - target_field: slack.audit.entity - ignore_missing: true - if: "ctx.slack?.entity == null" -- rename: - field: json.entity.file - target_field: slack.audit.entity - ignore_missing: true - if: "ctx.slack?.entity == null" -- rename: - field: json.entity.channel - target_field: slack.audit.entity - ignore_missing: true - if: "ctx.slack?.entity == null" -- rename: - field: json.entity.app - target_field: slack.audit.entity - ignore_missing: true - if: "ctx.slack?.entity == null" -- rename: - field: json.entity.workflow - target_field: slack.audit.entity - ignore_missing: true - if: "ctx.slack?.entity == null" -- rename: - field: json.entity.user - target_field: slack.audit.entity - ignore_missing: true - if: "ctx.slack?.entity == null" -- rename: - field: json.entity.usergroup - target_field: slack.audit.entity - ignore_missing: true - 
if: "ctx.slack?.entity == null" -- rename: - field: json.entity.barrier - target_field: slack.audit.entity - ignore_missing: true - if: "ctx.slack?.entity == null" -- rename: - field: json.entity.message - target_field: slack.audit.entity - ignore_missing: true - if: "ctx.slack?.entity == null" -- rename: - field: json.entity.role - target_field: slack.audit.entity - ignore_missing: true - if: "ctx.slack?.entity == null" -- rename: - field: json.entity.account_type_role - target_field: slack.audit.entity - ignore_missing: true - if: "ctx.slack?.entity == null" -- rename: - field: json.entity.type - target_field: slack.audit.entity.entity_type - ignore_missing: true -- rename: - field: json.context.ua - target_field: user_agent.original - ignore_missing: true -- user_agent: - field: user_agent.original - ignore_failure: true -- rename: - field: json.context.ip_address - target_field: source.address - ignore_missing: true -- convert: - field: source.address - target_field: source.ip - type: ip - ignore_missing: true -- geoip: - field: source.ip - target_field: source.geo - ignore_missing: true -- geoip: - database_file: GeoLite2-ASN.mmdb - field: source.ip - target_field: source.as - properties: - - asn - - organization_name - ignore_missing: true -- rename: - field: source.as.asn - target_field: source.as.number - ignore_missing: true -- rename: - field: source.as.organization_name - target_field: source.as.organization.name - ignore_missing: true -- rename: - field: json.context.location - target_field: slack.audit.context - ignore_missing: true -- append: - field: related.user - value: "{{user.id}}" - allow_duplicates: false - if: ctx.user?.id != null -- append: - field: related.user - value: "{{user.email}}" - allow_duplicates: false - if: ctx.user?.email != null -- append: - field: related.ip - value: "{{source.ip}}" - if: ctx.source?.ip != null - - - -- script: - lang: painless - tag: Add ECS categorization - params: -## User Actions - user_login: - category: - 
- authentication - - session - type: - - info - - start - outcome: success - user_login_failed: - category: - - authentication - type: - - info - outcome: failure - user_logout: - category: - - authentication - - session - type: - - info - - end - outcome: success - user_session_invalidated: - category: - - authentication - - session - type: - - info - - end - outcome: success - user_session_reset_by_admin: - category: - - authentication - - session - type: - - info - - end - outcome: success - user_created: - category: - - iam - type: - - creation - - user - user_deactivated: - category: - - iam - type: - - deletion - - user - user_reactivated: - category: - - iam - type: - - change - - user - role_change_to_admin: - category: - - iam - type: - - change - - user - - admin - role_change_to_guest: - category: - - iam - type: - - change - - user - role_change_to_owner: - category: - - iam - type: - - change - - user - - admin - role_change_to_user: - category: - - iam - type: - - change - - user - user_email_updated: - category: - - iam - type: - - change - - user -## User Group Actions - user_added_to_usergroup: - category: - - iam - type: - - change - - group - - user - user_removed_from_usergroup: - category: - - iam - type: - - change - - group - - user - default_channel_added_to_usergroup: - category: - - iam - - configuration - type: - - change - - group - default_channel_removed_from_usergroup: - category: - - iam - - configuration - type: - - change - - group - role_added_to_usergroup: - category: - - iam - type: - - change - - group - role_removed_from_usergroup: - category: - - iam - type: - - change - - group - role_modified_on_usergroup: - category: - - iam - type: - - change - - group -## User Group Actions - file_downloaded: - category: - - file - type: - - allowed - file_downloaded_blocked: - category: - - file - type: - - denied - file_uploaded: - category: - - file - type: - - creation - file_public_link_created: - category: - - file - type: - - info 
- file_public_link_revoked: - category: - - file - type: - - info - file_shared: - category: - - file - type: - - info - file_malicious_content_detected: - category: - - file - - malware - type: - - info - - source: >- - ctx.event.kind = 'event'; - ctx.event.type = 'info'; - if (ctx?.event?.action == null) { - return; - } - if (params.get(ctx.event.action) == null) { - return; - } - def hm = new HashMap(params.get(ctx.event.action)); - hm.forEach((k, v) -> ctx.event[k] = v); -- remove: - field: - - json - ignore_missing: true -- remove: - field: event.original - if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" - ignore_failure: true - ignore_missing: true -- script: - lang: painless - description: This script processor iterates over the whole document to remove fields with null values. - source: | - void handleMap(Map map) { - for (def x : map.values()) { - if (x instanceof Map) { - handleMap(x); - } else if (x instanceof List) { - handleList(x); - } - } - map.values().removeIf(v -> v == null || v == '' || (v instanceof Map && v.size() == 0) || (v instanceof List && v.size() == 0)); - } - void handleList(List list) { - for (def x : list) { - if (x instanceof Map) { - handleMap(x); - } else if (x instanceof List) { - handleList(x); - } - } - list.removeIf(v -> v == null || v == '' || (v instanceof Map && v.size() == 0) || (v instanceof List && v.size() == 0)); - } - handleMap(ctx); -on_failure: -- set: - field: error.message - value: "{{ _ingest.on_failure_message }}" diff --git a/packages/slack/0.1.2/data_stream/audit/fields/agent.yml b/packages/slack/0.1.2/data_stream/audit/fields/agent.yml deleted file mode 100755 index 62ab051948..0000000000 --- a/packages/slack/0.1.2/data_stream/audit/fields/agent.yml +++ /dev/null 
@@ -1,112 +0,0 @@ -- description: |- - The cloud account or organization id used to identify different entities in a multi-tenant environment. - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. - name: cloud.account.id - type: keyword -- description: Availability zone in which this host, resource, or service is located. - name: cloud.availability_zone - type: keyword -- description: Instance ID of the host machine. - name: cloud.instance.id - type: keyword -- description: Instance name of the host machine. - name: cloud.instance.name - type: keyword -- description: Machine type of the host machine. - name: cloud.machine.type - type: keyword -- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - name: cloud.provider - type: keyword -- description: Region in which this host, resource, or service is located. - name: cloud.region - type: keyword -- description: |- - The cloud project identifier. - Examples: Google Cloud Project id, Azure Project id. - name: cloud.project.id - type: keyword -- description: Image ID for the cloud instance. - name: cloud.image.id - type: keyword -- description: Unique container id. - name: container.id - type: keyword -- description: Name of the image the container was built on. - name: container.image.name - type: keyword -- description: Image labels. - name: container.labels - type: object -- description: Container name. - name: container.name - type: keyword -- description: Operating system architecture. - name: host.architecture - type: keyword -- description: |- - Name of the domain of which the host is a member. - For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. - name: host.domain - type: keyword -- description: |- - Hostname of the host. - It normally contains what the `hostname` command returns on the host machine. 
- name: host.hostname - type: keyword -- description: |- - Unique host id. - As hostname is not always unique, use values that are meaningful in your environment. - Example: The current usage of `beat.name`. - name: host.id - type: keyword -- description: Host ip addresses. - name: host.ip - normalize: - - array - type: ip -- description: |- - Host MAC addresses. - The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. - name: host.mac - normalize: - - array - pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ - type: keyword -- description: |- - Name of the host. - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. - name: host.name - type: keyword -- description: OS family (such as redhat, debian, freebsd, windows). - name: host.os.family - type: keyword -- description: Operating system kernel version as a raw string. - name: host.os.kernel - type: keyword -- description: Operating system name, without the version. - multi_fields: - - name: text - type: match_only_text - name: host.os.name - type: keyword -- description: Operating system platform (such centos, ubuntu, windows). - name: host.os.platform - type: keyword -- description: Operating system version as a raw string. - name: host.os.version - type: keyword -- description: |- - Type of host. - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. - name: host.type - type: keyword -- description: If the host is a container. - name: host.containerized - type: boolean -- description: OS build information. - name: host.os.build - type: keyword -- description: OS codename, if any. - name: host.os.codename - type: keyword 
diff --git a/packages/slack/0.1.2/data_stream/audit/fields/base-fields.yml b/packages/slack/0.1.2/data_stream/audit/fields/base-fields.yml deleted file mode 100755 index 90993968ef..0000000000 --- a/packages/slack/0.1.2/data_stream/audit/fields/base-fields.yml +++ /dev/null @@ -1,20 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset name. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: event.module - type: constant_keyword - description: Event module - value: slack -- name: event.dataset - type: constant_keyword - description: Event dataset - value: slack.audit -- name: "@timestamp" - type: date - description: Event timestamp. diff --git a/packages/slack/0.1.2/data_stream/audit/fields/beats.yml b/packages/slack/0.1.2/data_stream/audit/fields/beats.yml deleted file mode 100755 index cb44bb2944..0000000000 --- a/packages/slack/0.1.2/data_stream/audit/fields/beats.yml +++ /dev/null @@ -1,12 +0,0 @@ -- name: input.type - type: keyword - description: Type of Filebeat input. -- name: log.flags - type: keyword - description: Flags for the log file. -- name: log.offset - type: long - description: Offset of the entry in the log file. -- name: log.file.path - type: keyword - description: Path to the log file. diff --git a/packages/slack/0.1.2/data_stream/audit/fields/ecs.yml b/packages/slack/0.1.2/data_stream/audit/fields/ecs.yml deleted file mode 100755 index 7d9361ce5b..0000000000 --- a/packages/slack/0.1.2/data_stream/audit/fields/ecs.yml +++ /dev/null 
@@ -1,178 +0,0 @@ -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: Error message. - name: error.message - type: match_only_text -- description: |- - The action captured by the event. - This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. - name: event.action - type: keyword -- description: Unique ID to describe the event. - name: event.id - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. This will allow proper categorization of some events that fall in multiple categories. - name: event.category - normalize: - - array - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. - `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. This will allow proper categorization of some events that fall in multiple event types. - name: event.type - normalize: - - array - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. 
- `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. This will allow proper categorization of some events that fall in multiple categories. - name: event.category - normalize: - - array - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: |- - Timestamp when an event arrived in the central data store. - This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. - In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. - name: event.ingested - type: date -- description: |- - Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. - This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. 
- doc_values: false - index: false - name: event.original - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - normalize: - - array - type: ip -- description: All the user names or other user identifiers seen on the event. - name: related.user - normalize: - - array - type: keyword -- description: |- - Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: source.address - type: keyword -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: source.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: source.as.organization.name - type: keyword -- description: City name. - name: source.geo.city_name - type: keyword -- description: Name of the continent. - name: source.geo.continent_name - type: keyword -- description: Country ISO code. - name: source.geo.country_iso_code - type: keyword -- description: Country name. - name: source.geo.country_name - type: keyword -- description: Longitude and latitude. - name: source.geo.location - type: geo_point -- description: |- - User-defined description of a location, at the level of granularity they care about. - Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. - Not typically used in automated geolocation. - name: source.geo.name - type: keyword -- description: Region ISO code. - name: source.geo.region_iso_code - type: keyword -- description: Region name. - name: source.geo.region_name - type: keyword -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: List of keywords used to tag each event. 
- name: tags - normalize: - - array - type: keyword -- description: User email address. - name: user.email - type: keyword -- description: Unique identifier of the user. - name: user.id - type: keyword -- description: User's full name, if available. - multi_fields: - - name: text - type: match_only_text - name: user.full_name - type: keyword -- description: Name of the device. - name: user_agent.device.name - type: keyword -- description: Name of the device. - name: user_agent.device.name - type: keyword -- description: Name of the user agent. - name: user_agent.name - type: keyword -- description: Name of the user agent. - name: user_agent.name - type: keyword -- description: Unparsed user_agent string. - multi_fields: - - name: text - type: match_only_text - name: user_agent.original - type: keyword -- description: Unparsed user_agent string. - multi_fields: - - name: text - type: match_only_text - name: user_agent.original - type: keyword -- description: Operating system name, including the version or code name. - multi_fields: - - name: text - type: match_only_text - name: user_agent.os.full - type: keyword -- description: Operating system name, without the version. - multi_fields: - - name: text - type: match_only_text - name: user_agent.os.name - type: keyword -- description: Operating system name, without the version. - multi_fields: - - name: text - type: match_only_text - name: user_agent.os.name - type: keyword -- description: Operating system version as a raw string. - name: user_agent.os.version - type: keyword -- description: Version of the user agent. - name: user_agent.version - type: keyword diff --git a/packages/slack/0.1.2/data_stream/audit/fields/fields.yml b/packages/slack/0.1.2/data_stream/audit/fields/fields.yml deleted file mode 100755 index cd8a9e4105..0000000000 --- a/packages/slack/0.1.2/data_stream/audit/fields/fields.yml +++ /dev/null 
@@ -1,141 +0,0 @@ -- name: slack.audit - type: group - description: > - Fields for Cloudflare Audit Logs - - fields: - - name: context.domain - type: keyword - description: > - The domain of the Workspace or Enterprise - - - name: context.id - type: keyword - description: > - The ID of the workspace or enterprise - - - name: context.name - type: keyword - description: > - The name of the workspace or enterprise - - - name: context.type - type: keyword - description: > - The type of account. Either `Workspace` or `Enterprise` - - - name: entity - type: group - description: > - Fields for the entity acted upon by the actor/user. Some fields are type specific. - - fields: - - name: entity_type - type: keyword - description: > - Type of the entity: workspace, enterprise, user, file, channel, app, workflow, user, usergroup, barrier, message, role, account_type_role. - - - name: email - type: keyword - description: > - Email address of the entity when entity_type is user - - - name: id - type: keyword - description: > - ID of the entity - - - name: name - type: keyword - description: > - Name of the entity - - - name: team - type: keyword - description: > - Team that the entity exists within when entity_type is user or message - - - name: domain - type: keyword - description: > - Domain of the entity when entity_type is Workspace or Enterprise - - - name: filetype - type: keyword - description: > - Filetype of the entity when entity_type is file - - - name: title - type: keyword - description: > - Title of the entity when entity_type is file - - - name: privacy - type: keyword - description: > - Privacy status of entity when entity_type is channel - - - name: is_shared - type: boolean - description: > - If channel is shared when entity_type is channel - - - name: is_org_shared - type: boolean - description: > - If channel is shared when entity_type is channel - - - name: teams_shared_with - type: keyword - description: > - List of orgs channel is shared with when 
entity_type is channel - - - name: is_distributed - type: boolean - description: > - If App is distributed when entity_type is app - - - name: is_directory_approved - type: boolean - description: > - If App is approved when entity_type is app - - - name: is_workflow_app - type: boolean - description: > - If App is a workflow when entity_type is app - - - name: scopes - type: keyword - description: > - The OAuth scopes when entity_type is app - - - name: primary_usergroup - type: keyword - description: > - The primary user group when entity_type is barrier - - - name: barriered_from_usergroup - type: keyword - description: > - The user group barrier when entity_type is barrier - - - name: channel - type: keyword - description: > - The channel the entity is within when entity_type is message - - - name: timestamp - type: keyword - description: > - The timestamp of the entity when entity_type is message - - - name: timestamp - type: date - description: > - The timestamp of the entity when entity_type is message - - - name: type - type: keyword - description: >- - The type of the entity when entity_type is role diff --git a/packages/slack/0.1.2/data_stream/audit/manifest.yml b/packages/slack/0.1.2/data_stream/audit/manifest.yml deleted file mode 100755 index bb36a3b04f..0000000000 --- a/packages/slack/0.1.2/data_stream/audit/manifest.yml +++ /dev/null 
@@ -1,62 +0,0 @@ -type: logs -title: Slack Audit Logs -streams: - - input: httpjson - vars: - - name: oauth_token - type: password - title: OAuth API Token - description: The OAuth API Token used to authenticate with the Slack API - multi: false - required: true - show_user: true - - name: interval - type: text - title: Interval - multi: false - required: true - show_user: true - description: Interval at which the logs will be pulled. The value must be between 2m and 1h. - default: 1h - - name: initial_interval - type: text - title: Initial Interval - multi: false - required: true - show_user: false - description: Initial interval at which the logs will be pulled. Defaults to 30 days (720 hours). - default: 720h - - name: limit - type: integer - title: Limit - description: Number of events to fetch on each request. Max is 9999. - show_user: false - required: true - default: 9999 - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: true - default: - - forwarded - - slack-audit - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original` - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. \nThis executes in the agent before the logs are parsed. \nSee [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.\n" - template_path: httpjson.yml.hbs - title: Slack Audit logs - description: Collect Slack Audit logs via the API diff --git a/packages/slack/0.1.2/data_stream/audit/sample_event.json b/packages/slack/0.1.2/data_stream/audit/sample_event.json deleted file mode 100755 index eaaa704739..0000000000 
--- a/packages/slack/0.1.2/data_stream/audit/sample_event.json +++ /dev/null 
@@ -1,101 +0,0 @@ -{ - "@timestamp": "2018-03-16T15:32:23.000Z", - "agent": { - "ephemeral_id": "f1750a2f-f033-40a6-a77b-c70e9750ccb0", - "id": "592bbba2-ceea-4a3a-8ccb-0c8c92d1eed3", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "8.1.0" - }, - "data_stream": { - "dataset": "slack.audit", - "namespace": "ep", - "type": "logs" - }, - "ecs": { - "version": "8.3.0" - }, - "elastic_agent": { - "id": "592bbba2-ceea-4a3a-8ccb-0c8c92d1eed3", - "snapshot": false, - "version": "8.1.0" - }, - "event": { - "action": "user_login", - "agent_id_status": "verified", - "created": "2022-05-04T16:10:05.054Z", - "dataset": "slack.audit", - "id": "0123a45b-6c7d-8900-e12f-3456789gh0i1", - "ingested": "2022-05-04T16:10:06Z", - "kind": "event", - "original": "{\"action\":\"user_login\",\"actor\":{\"type\":\"user\",\"user\":{\"email\":\"bird@slack.com\",\"id\":\"W123AB456\",\"name\":\"Charlie Parker\"}},\"context\":{\"ip_address\":\"81.2.69.143\",\"location\":{\"domain\":\"birdland\",\"id\":\"E1701NCCA\",\"name\":\"Birdland\",\"type\":\"enterprise\"},\"ua\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.186 Safari/537.36\"},\"date_create\":1521214343,\"entity\":{\"type\":\"user\",\"user\":{\"email\":\"bird@slack.com\",\"id\":\"W123AB456\",\"name\":\"Charlie Parker\"}},\"id\":\"0123a45b-6c7d-8900-e12f-3456789gh0i1\"}", - "type": "info" - }, - "input": { - "type": "httpjson" - }, - "related": { - "ip": [ - "81.2.69.143" - ], - "user": [ - "W123AB456", - "bird@slack.com" - ] - }, - "slack": { - "audit": { - "context": { - "domain": "birdland", - "id": "E1701NCCA", - "name": "Birdland", - "type": "enterprise" - }, - "entity": { - "email": "bird@slack.com", - "entity_type": "user", - "id": "W123AB456", - "name": "Charlie Parker" - } - } - }, - "source": { - "address": "81.2.69.143", - "geo": { - "city_name": "London", - "continent_name": "Europe", - "country_iso_code": "GB", - "country_name": "United Kingdom", - 
"location": { - "lat": 51.5142, - "lon": -0.0931 - }, - "region_iso_code": "GB-ENG", - "region_name": "England" - }, - "ip": "81.2.69.143" - }, - "tags": [ - "forwarded", - "slack-audit", - "preserve_original_event" - ], - "user": { - "email": "bird@slack.com", - "full_name": "Charlie Parker", - "id": "W123AB456" - }, - "user_agent": { - "device": { - "name": "Mac" - }, - "name": "Chrome", - "original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.186 Safari/537.36", - "os": { - "full": "Mac OS X 10.12.6", - "name": "Mac OS X", - "version": "10.12.6" - }, - "version": "64.0.3282.186" - } -} \ No newline at end of file diff --git a/packages/slack/0.1.2/docs/README.md b/packages/slack/0.1.2/docs/README.md deleted file mode 100755 index 9ff2fb1047..0000000000 --- a/packages/slack/0.1.2/docs/README.md +++ /dev/null 
@@ -1,252 +0,0 @@
-# Slack Integration
-
-[Slack](https://www.slack.com) is used by numerous orgazations as their primary chat and collaboration tool.
-
-The Slack integration uses [Slack's API](https://api.slack.com/) to retrieve audit events and ingest them into Elasticsearch. This allows you to search, observe, and visualize the Slack log events through Elasticsearch.
-
-The Elastic agent running this integration interacts with Slack's infrastructure using their APIs to retrieve [audit logs](https://api.slack.com/admins/audit-logs) for a workspace or enterprise.
-
-**Please note the Audit Logs API is only available to Slack workspaces on an Enterprise Grid plan. These API methods will not work for workspaces on a Free, Standard, or Business+ plan.**
-
-## Configuration
-
-### Enabling the integration in Elastic
-
-1. In Kibana go to **Management > Integrations**
-2. In the "Search for integrations" search bar type **Slack**.
-3. Click on "Slack" integration from the search results.
-4. Click on **Add Slack** button to add Slack integration.
-
-### Configure Slack audit logs data stream
-
-Enter values "OAuth API Token".
-
-1. [**OAuth API Token**](https://api.slack.com/authentication/basics) will be generated when a [Slack App](https://api.slack.com/apps) is created.
-
-#### Configure using API Token
-
-For the Slack integration to be able to successfully get logs the following "User Token Scopes"" must be granted to the Slack App:
-
-- `auditlogs:read`
-
-## Logs
-
-### Audit
-
-Audit logs summarize the history of changes made within the Slack Enterprise.
-
-**Exported fields**
-
-| Field | Description | Type |
-|---|---|---|
-| @timestamp | Event timestamp. | date |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.availability_zone | Availability zone in which this host, resource, or service is located. | keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | The cloud project identifier. Examples: Google Cloud Project id, Azure Project id. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host, resource, or service is located. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
-| data_stream.dataset | Data stream dataset name. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| error.message | Error message. | match_only_text |
-| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword |
-| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword |
-| event.dataset | Event dataset | constant_keyword |
-| event.id | Unique ID to describe the event. | keyword |
-| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date |
-| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword |
-| event.module | Event module | constant_keyword |
-| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword |
-| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host MAC addresses. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | match_only_text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| input.type | Type of Filebeat input. | keyword |
-| log.file.path | Path to the log file. | keyword |
-| log.flags | Flags for the log file. | keyword |
-| log.offset | Offset of the entry in the log file. | long |
-| related.ip | All of the IPs seen on your event. | ip |
-| related.user | All the user names or other user identifiers seen on the event. | keyword |
-| slack.audit.context.domain | The domain of the Workspace or Enterprise | keyword |
-| slack.audit.context.id | The ID of the workspace or enterprise | keyword |
-| slack.audit.context.name | The name of the workspace or enterprise | keyword |
-| slack.audit.context.type | The type of account. Either `Workspace` or `Enterprise` | keyword |
-| slack.audit.entity.barriered_from_usergroup | The user group barrier when entity_type is barrier | keyword |
-| slack.audit.entity.channel | The channel the entity is within when entity_type is message | keyword |
-| slack.audit.entity.domain | Domain of the entity when entity_type is Workspace or Enterprise | keyword |
-| slack.audit.entity.email | Email address of the entity when entity_type is user | keyword |
-| slack.audit.entity.entity_type | Type of the entity: workspace, enterprise, user, file, channel, app, workflow, user, usergroup, barrier, message, role, account_type_role. | keyword |
-| slack.audit.entity.filetype | Filetype of the entity when entity_type is file | keyword |
-| slack.audit.entity.id | ID of the entity | keyword |
-| slack.audit.entity.is_directory_approved | If App is approved when entity_type is app | boolean |
-| slack.audit.entity.is_distributed | If App is distributed when entity_type is app | boolean |
-| slack.audit.entity.is_org_shared | If channel is shared when entity_type is channel | boolean |
-| slack.audit.entity.is_shared | If channel is shared when entity_type is channel | boolean |
-| slack.audit.entity.is_workflow_app | If App is a workflow when entity_type is app | boolean |
-| slack.audit.entity.name | Name of the entity | keyword |
-| slack.audit.entity.primary_usergroup | The primary user group when entity_type is barrier | keyword |
-| slack.audit.entity.privacy | Privacy status of entity when entity_type is channel | keyword |
-| slack.audit.entity.scopes | The OAuth scopes when entity_type is app | keyword |
-| slack.audit.entity.team | Team that the entity exists within when entity_type is user or message | keyword |
-| slack.audit.entity.teams_shared_with | List of orgs channel is shared with when entity_type is channel | keyword |
-| slack.audit.entity.timestamp | The timestamp of the entity when entity_type is message | date |
-| slack.audit.entity.title | Title of the entity when entity_type is file | keyword |
-| slack.audit.entity.type | The type of the entity when entity_type is role | keyword |
-| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
-| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long |
-| source.as.organization.name | Organization name. | keyword |
-| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text |
-| source.geo.city_name | City name. | keyword |
-| source.geo.continent_name | Name of the continent. | keyword |
-| source.geo.country_iso_code | Country ISO code. | keyword |
-| source.geo.country_name | Country name. | keyword |
-| source.geo.location | Longitude and latitude. | geo_point |
-| source.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword |
-| source.geo.region_iso_code | Region ISO code. | keyword |
-| source.geo.region_name | Region name. | keyword |
-| source.ip | IP address of the source (IPv4 or IPv6). | ip |
-| tags | List of keywords used to tag each event. | keyword |
-| user.email | User email address. | keyword |
-| user.full_name | User's full name, if available. | keyword |
-| user.full_name.text | Multi-field of `user.full_name`. | match_only_text |
-| user.id | Unique identifier of the user. | keyword |
-| user_agent.device.name | Name of the device. | keyword |
-| user_agent.name | Name of the user agent. | keyword |
-| user_agent.original | Unparsed user_agent string. | keyword |
-| user_agent.original.text | Multi-field of `user_agent.original`. | match_only_text |
-| user_agent.os.full | Operating system name, including the version or code name. | keyword |
-| user_agent.os.full.text | Multi-field of `user_agent.os.full`. | match_only_text |
-| user_agent.os.name | Operating system name, without the version. | keyword |
-| user_agent.os.name.text | Multi-field of `user_agent.os.name`. | match_only_text |
-| user_agent.os.version | Operating system version as a raw string. | keyword |
-| user_agent.version | Version of the user agent. | keyword |
-
-
-An example event for `audit` looks as following:
-
-```json
-{
- "@timestamp": "2018-03-16T15:32:23.000Z",
- "agent": {
- "ephemeral_id": "f1750a2f-f033-40a6-a77b-c70e9750ccb0",
- "id": "592bbba2-ceea-4a3a-8ccb-0c8c92d1eed3",
- "name": "docker-fleet-agent",
- "type": "filebeat",
- "version": "8.1.0"
- },
- "data_stream": {
- "dataset": "slack.audit",
- "namespace": "ep",
- "type": "logs"
- },
- "ecs": {
- "version": "8.3.0"
- },
- "elastic_agent": {
- "id": "592bbba2-ceea-4a3a-8ccb-0c8c92d1eed3",
- "snapshot": false,
- "version": "8.1.0"
- },
- "event": {
- "action": "user_login",
- "agent_id_status": "verified",
- "created": "2022-05-04T16:10:05.054Z",
- "dataset": "slack.audit",
- "id": "0123a45b-6c7d-8900-e12f-3456789gh0i1",
- "ingested": "2022-05-04T16:10:06Z",
- "kind": "event",
- "original": "{\"action\":\"user_login\",\"actor\":{\"type\":\"user\",\"user\":{\"email\":\"bird@slack.com\",\"id\":\"W123AB456\",\"name\":\"Charlie Parker\"}},\"context\":{\"ip_address\":\"81.2.69.143\",\"location\":{\"domain\":\"birdland\",\"id\":\"E1701NCCA\",\"name\":\"Birdland\",\"type\":\"enterprise\"},\"ua\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.186 Safari/537.36\"},\"date_create\":1521214343,\"entity\":{\"type\":\"user\",\"user\":{\"email\":\"bird@slack.com\",\"id\":\"W123AB456\",\"name\":\"Charlie Parker\"}},\"id\":\"0123a45b-6c7d-8900-e12f-3456789gh0i1\"}",
- "type": "info"
- },
- "input": {
- "type": "httpjson"
- },
- "related": {
- "ip": [
- "81.2.69.143"
- ],
- "user": [
- "W123AB456",
- "bird@slack.com"
- ]
- },
- "slack": {
- "audit": {
- "context": {
- "domain": "birdland",
- "id": "E1701NCCA",
- "name": "Birdland",
- "type": "enterprise"
- },
- "entity": {
- "email": "bird@slack.com",
- "entity_type": "user",
- "id": "W123AB456",
- "name": "Charlie Parker"
- }
- }
- },
- "source": {
- "address": "81.2.69.143",
- "geo": {
- "city_name": "London",
- "continent_name": "Europe",
- "country_iso_code": "GB",
- "country_name": "United Kingdom",
- "location": {
- "lat": 51.5142,
- "lon": -0.0931
- },
- "region_iso_code": "GB-ENG",
- "region_name": "England"
- },
- "ip": "81.2.69.143"
- },
- "tags": [
- "forwarded",
- "slack-audit",
- "preserve_original_event"
- ],
- "user": {
- "email": "bird@slack.com",
- "full_name": "Charlie Parker",
- "id": "W123AB456"
- },
- "user_agent": {
- "device": {
- "name": "Mac"
- },
- "name": "Chrome",
- "original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.186 Safari/537.36",
- "os": {
- "full": "Mac OS X 10.12.6",
- "name": "Mac OS X",
- "version": "10.12.6"
- },
- "version": "64.0.3282.186"
- }
-}
-```
diff --git a/packages/slack/0.1.2/img/slack.svg b/packages/slack/0.1.2/img/slack.svg
deleted file mode 100755
index 69a4eb6a21..0000000000
--- a/packages/slack/0.1.2/img/slack.svg
+++ /dev/null
@@ -1 +0,0 @@
-
\ No newline at end of file
diff --git a/packages/slack/0.1.2/manifest.yml b/packages/slack/0.1.2/manifest.yml
deleted file mode 100755
index 7b922bd211..0000000000
--- a/packages/slack/0.1.2/manifest.yml
+++ /dev/null
@@ -1,56 +0,0 @@
-format_version: 1.0.0
-name: slack
-title: "Slack Logs"
-version: 0.1.2
-license: basic
-description: "Slack Logs Integration"
-type: integration
-categories:
- - productivity
- - security
-conditions:
- kibana.version: "^8.1.0"
-icons:
- - src: /img/slack.svg
- title: Slack logo
- size: 32x32
- type: image/svg+xml
-policy_templates:
- - name: slack
- title: Slack logs
- description: Collect logs from Slack
- inputs:
- - type: httpjson
- title: "Collect Slack logs via API"
- description: "Collecting logs from Slack via API"
- vars:
- - name: api_url
- type: text
- title: API URL.
- description: The root url for the API endpoints
- multi: false
- required: true
- show_user: false
- default: https://api.slack.com
- - name: ssl
- type: yaml
- title: SSL
- multi: false
- required: false
- show_user: false
- - name: proxy_url
- type: text
- title: Proxy URL
- multi: false
- required: false
- show_user: false
- description: URL to proxy connections in the form of http[s]://:@:
- - name: http_client_timeout
- type: text
- title: HTTP Client Timeout
- multi: false
- required: false
- show_user: true
- default: 60s
-owner:
- github: elastic/security-external-integrations
diff --git a/packages/sophos/2.4.1/LICENSE.txt b/packages/sophos/2.4.1/LICENSE.txt
deleted file mode 100755
index 809108b857..0000000000
--- a/packages/sophos/2.4.1/LICENSE.txt
+++ /dev/null
@@ -1,93 +0,0 @@
-Elastic License 2.0
-
-URL: https://www.elastic.co/licensing/elastic-license
-
-## Acceptance
-
-By using the software, you agree to all of the terms and conditions below.
-
-## Copyright License
-
-The licensor grants you a non-exclusive, royalty-free, worldwide,
-non-sublicensable, non-transferable license to use, copy, distribute, make
-available, and prepare derivative works of the software, in each case subject to
-the limitations and conditions below.
-
-## Limitations
-
-You may not provide the software to third parties as a hosted or managed
-service, where the service provides users with access to any substantial set of
-the features or functionality of the software.
-
-You may not move, change, disable, or circumvent the license key functionality
-in the software, and you may not remove or obscure any functionality in the
-software that is protected by the license key.
-
-You may not alter, remove, or obscure any licensing, copyright, or other notices
-of the licensor in the software. Any use of the licensor’s trademarks is subject
-to applicable law.
-
-## Patents
-
-The licensor grants you a license, under any patent claims the licensor can
-license, or becomes able to license, to make, have made, use, sell, offer for
-sale, import and have imported the software, in each case subject to the
-limitations and conditions in this license. This license does not cover any
-patent claims that you cause to be infringed by modifications or additions to
-the software. If you or your company make any written claim that the software
-infringes or contributes to infringement of any patent, your patent license for
-the software granted under these terms ends immediately. If your company makes
-such a claim, your patent license ends immediately for work on behalf of your
-company.
-
-## Notices
-
-You must ensure that anyone who gets a copy of any part of the software from you
-also gets a copy of these terms.
-
-If you modify the software, you must include in any modified copies of the
-software prominent notices stating that you have modified the software.
-
-## No Other Rights
-
-These terms do not imply any licenses other than those expressly granted in
-these terms.
-
-## Termination
-
-If you use the software in violation of these terms, such use is not licensed,
-and your licenses will automatically terminate. If the licensor provides you
-with a notice of your violation, and you cease all violation of this license no
-later than 30 days after you receive that notice, your licenses will be
-reinstated retroactively. However, if you violate these terms after such
-reinstatement, any additional violation of these terms will cause your licenses
-to terminate automatically and permanently.
-
-## No Liability
-
-*As far as the law allows, the software comes as is, without any warranty or
-condition, and the licensor will not be liable to you for any damages arising
-out of these terms or the use or nature of the software, under any kind of
-legal claim.*
-
-## Definitions
-
-The **licensor** is the entity offering these terms, and the **software** is the
-software the licensor makes available under these terms, including any portion
-of it.
-
-**you** refers to the individual or entity agreeing to these terms.
-
-**your company** is any legal entity, sole proprietorship, or other kind of
-organization that you work for, plus all organizations that have control over,
-are under the control of, or are under common control with that
-organization. **control** means ownership of substantially all the assets of an
-entity, or the power to direct its management and policies by vote, contract, or
-otherwise. Control can be direct or indirect.
-
-**your licenses** are all the licenses granted to you for the software under
-these terms.
-
-**use** means anything you do with the software requiring one of your licenses.
-
-**trademark** means trademarks, service marks, and similar rights.
diff --git a/packages/sophos/2.4.1/changelog.yml b/packages/sophos/2.4.1/changelog.yml
deleted file mode 100755
index ef74396f6a..0000000000
--- a/packages/sophos/2.4.1/changelog.yml
+++ /dev/null
@@ -1,205 +0,0 @@
-# newer versions go on top
-- version: "2.4.1"
- changes:
- - description: Use ECS geo.location definition.
- type: enhancement
- link: https://github.com/elastic/integrations/issues/4227
-- version: "2.4.0"
- changes:
- - description: Update package to ECS 8.4.0
- type: enhancement
- link: https://github.com/elastic/integrations/pull/3870
-- version: "2.3.2"
- changes:
- - description: Improve TCP, SSL config description and example for Sophos XG.
- type: enhancement
- link: https://github.com/elastic/integrations/pull/3763
-- version: "2.3.1"
- changes:
- - description: Update package name and description to align with standard wording
- type: enhancement
- link: https://github.com/elastic/integrations/pull/3478
-- version: "2.3.0"
- changes:
- - description: Update package to ECS 8.3.0.
- type: enhancement
- link: https://github.com/elastic/integrations/pull/3353
-- version: "2.2.2"
- changes:
- - description: Update Readme to include links to Sophos's documentation. Also used the latest product name for Astaro
- type: enhancement
- link: https://github.com/elastic/integrations/pull/3160
-- version: "2.2.1"
- changes:
- - description: Format source.mac and destination.mac as per ECS for the UTM data stream.
- type: bugfix
- link: https://github.com/elastic/integrations/pull/3370
-- version: "2.2.0"
- changes:
- - description: Improve inputs for Sophos XG pipeline.
- type: enhancement
- link: https://github.com/elastic/integrations/pull/3322
-- version: "2.1.0"
- changes:
- - description: Update to ECS 8.2.0 to use new email field set.
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2798
-- version: "2.0.0"
- changes:
- - description: Remove space from sophos.xg.trans_src_ip field.
- type: bugfix
- link: https://github.com/elastic/integrations/pull/3127
- - description: Do not modify event.original.
- type: bugfix
- link: https://github.com/elastic/integrations/pull/3127
- - description: Populate `url.*` fields based on `sophos.xg.url`.
- type: enhancement
- link: https://github.com/elastic/integrations/pull/3127
- - description: Rename `sophos.xg.reason` to `event.reason` (ECS).
- type: enhancement
- link: https://github.com/elastic/integrations/pull/3127
- - description: Lowercase `network.transport` as per ECS.
- type: bugfix
- link: https://github.com/elastic/integrations/pull/3127
- - description: Format `source.mac` and `destination.mac` as per ECS.
- type: bugfix
- link: https://github.com/elastic/integrations/pull/3127
- - description: Set the `event.code` from the message ID (and remove `sophos.xg.message_id`).
- type: enhancement
- link: https://github.com/elastic/integrations/pull/3127
- - description: Add `network.community_id`.
- type: enhancement
- link: https://github.com/elastic/integrations/pull/3127
- - description: Reduce event size by removing `client` and `server` fields that are clones of `source` and `destination`, respectively.
- type: breaking-change
- link: https://github.com/elastic/integrations/pull/3127
-- version: "1.2.3"
- changes:
- - description: Update pipelines to parse new fields
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2163
-- version: "1.2.2"
- changes:
- - description: Add documentation for multi-fields
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2916
-- version: "1.2.1"
- changes:
- - description: Add missing ingest pipeline for "System Health" logs
- type: bugfix
- link: https://github.com/elastic/integrations/pull/2743
-- version: "1.2.0"
- changes:
- - description: Update to ECS 8.0.0
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2596
-- version: "1.1.3"
- changes:
- - description: Fix KV splitting and syslog header handling
- type: bugfix
- link: https://github.com/elastic/integrations/pull/2320
-- version: "1.1.2"
- changes:
- - description: Regenerate test files using the new GeoIP database
- type: bugfix
- link: https://github.com/elastic/integrations/pull/2339
-- version: "1.1.1"
- changes:
- - description: Change test public IPs to the supported subset
- type: bugfix
- link: https://github.com/elastic/integrations/pull/2327
-- version: "1.1.0"
- changes:
- - description: Add 8.0.0 version constraint
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2271
-- version: "1.0.6"
- changes:
- - description: Uniform with guidelines
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2086
-- version: "1.0.5"
- changes:
- - description: Support hostname in syslog header in UTM data stream.
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2034
-- version: "1.0.4"
- changes:
- - description: Update Title and Description.
- type: enhancement
- link: https://github.com/elastic/integrations/pull/1987
-- version: "1.0.3"
- changes:
- - description: Fixed a bug that prevents the package from working in 7.16.
- type: bugfix
- link: https://github.com/elastic/integrations/pull/1882
-- version: "1.0.2"
- changes:
- - description: Fix logic that adds known devices to policy
- type: bugfix
- link: https://github.com/elastic/integrations/pull/1888
-- version: "1.0.1"
- changes:
- - description: Fix logic that checks for the 'forwarded' tag
- type: bugfix
- link: https://github.com/elastic/integrations/pull/1851
-- version: "1.0.0"
- changes:
- - description: make GA
- type: enhancement
- link: https://github.com/elastic/integrations/pull/1775
-- version: "0.6.0"
- changes:
- - description: Update to ECS 1.12.0
- type: enhancement
- link: https://github.com/elastic/integrations/pull/1678
-- version: "0.5.4"
- changes:
- - description: Requires version 7.14.1 of the stack
- type: bugfix
- link: https://github.com/elastic/integrations/pull/1541
-- version: "0.5.3"
- changes:
- - description: Convert to generated ECS fields
- type: enhancement
- link: https://github.com/elastic/integrations/pull/1504
-- version: '0.5.2'
- changes:
- - description: update to ECS 1.11.0
- type: enhancement
- link: https://github.com/elastic/integrations/pull/1418
-- version: "0.5.1"
- changes:
- - description: Escape special characters in docs
- type: enhancement
- link: https://github.com/elastic/integrations/pull/1405
-- version: "0.5.0"
- changes:
- - description: Update integration description
- type: enhancement
- link: https://github.com/elastic/integrations/pull/1364
-- version: "0.4.0"
- changes:
- - description: Set "event.module" and "event.dataset"
- type: enhancement
- link: https://github.com/elastic/integrations/pull/1275
-- version: "0.3.0"
- changes:
- - description: update to ECS 1.10.0 and adding event.original options
- type: enhancement
- link: https://github.com/elastic/integrations/pull/1102
-- version: "0.2.1"
- changes:
- - description: update to ECS 1.9.0
- type: enhancement
- link: https://github.com/elastic/integrations/pull/870
-- version: "0.2.0"
- changes:
- - description: Add XG data stream
- type: enhancement # can be one of: enhancement, bugfix, breaking-change
- link: https://github.com/elastic/package-storage/pull/400
-- version: "0.1.0"
- changes:
- - description: initial release
- type: enhancement # can be one of: enhancement, bugfix, breaking-change
- link: https://github.com/elastic/package-storage/pull/400
diff --git a/packages/sophos/2.4.1/data_stream/utm/agent/stream/stream.yml.hbs b/packages/sophos/2.4.1/data_stream/utm/agent/stream/stream.yml.hbs
deleted file mode 100755
index 8cce59a86f..0000000000
--- a/packages/sophos/2.4.1/data_stream/utm/agent/stream/stream.yml.hbs
+++ /dev/null
@@ -1,5072 +0,0 @@
-paths:
-{{#each paths as |path i|}}
- - {{path}}
-{{/each}}
-exclude_files: [".gz$"]
-tags:
-{{#if preserve_original_event}}
- - preserve_original_event
-{{/if}}
-{{#each tags as |tag i|}}
- - {{tag}}
-{{/each}}
-fields_under_root: true
-fields:
- observer:
- vendor: "Sophos"
- product: "UTM"
- type: "Firewall"
-{{#contains "forwarded" tags}}
-publisher_pipeline.disable_host: true
-{{/contains}}
-processors:
-{{#if processors}}
-{{processors}}
-{{/if}}
-- script:
- lang: javascript
- params:
- ecs: true
- rsa: {{rsa_fields}}
- tz_offset: {{tz_offset}}
- keep_raw: {{keep_raw_fields}}
- debug: {{debug}}
- source: |
- // Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
- // or more contributor license agreements. Licensed under the Elastic License;
- // you may not use this file except in compliance with the Elastic License.
-
- /* jshint -W014,-W016,-W097,-W116 */
-
- var processor = require("processor");
- var console = require("console");
-
- var FLAG_FIELD = "log.flags";
- var FIELDS_OBJECT = "nwparser";
- var FIELDS_PREFIX = FIELDS_OBJECT + ".";
-
- var defaults = {
- debug: false,
- ecs: true,
- rsa: false,
- keep_raw: false,
- tz_offset: "local",
- strip_priority: true
- };
-
- var saved_flags = null;
- var debug;
- var map_ecs;
- var map_rsa;
- var keep_raw;
- var device;
- var tz_offset;
- var strip_priority;
-
- // Register params from configuration.
- function register(params) {
- debug = params.debug !== undefined ? params.debug : defaults.debug;
- map_ecs = params.ecs !== undefined ? params.ecs : defaults.ecs;
- map_rsa = params.rsa !== undefined ? params.rsa : defaults.rsa;
- keep_raw = params.keep_raw !== undefined ? params.keep_raw : defaults.keep_raw;
- tz_offset = parse_tz_offset(params.tz_offset !== undefined? params.tz_offset : defaults.tz_offset);
- strip_priority = params.strip_priority !== undefined?
params.strip_priority : defaults.strip_priority; - device = new DeviceProcessor(); - } - - function parse_tz_offset(offset) { - var date; - var m; - switch(offset) { - // local uses the tz offset from the JS VM. - case "local": - date = new Date(); - // Reversing the sign as we the offset from UTC, not to UTC. - return parse_local_tz_offset(-date.getTimezoneOffset()); - // event uses the tz offset from event.timezone (add_locale processor). - case "event": - return offset; - // Otherwise a tz offset in the form "[+-][0-9]{4}" is required. - default: - m = offset.match(/^([+\-])([0-9]{2}):?([0-9]{2})?$/); - if (m === null || m.length !== 4) { - throw("bad timezone offset: '" + offset + "'. Must have the form +HH:MM"); - } - return m[1] + m[2] + ":" + (m[3]!==undefined? m[3] : "00"); - } - } - - function parse_local_tz_offset(minutes) { - var neg = minutes < 0; - minutes = Math.abs(minutes); - var min = minutes % 60; - var hours = Math.floor(minutes / 60); - var pad2digit = function(n) { - if (n < 10) { return "0" + n;} - return "" + n; - }; - return (neg? "-" : "+") + pad2digit(hours) + ":" + pad2digit(min); - } - - function process(evt) { - // Function register is only called by the processor when `params` are set - // in the processor config. - if (device === undefined) { - register(defaults); - } - return device.process(evt); - } - - function processor_chain(subprocessors) { - var builder = new processor.Chain(); - subprocessors.forEach(builder.Add); - return builder.Build().Run; - } - - function linear_select(subprocessors) { - return function (evt) { - var flags = evt.Get(FLAG_FIELD); - var i; - for (i = 0; i < subprocessors.length; i++) { - evt.Delete(FLAG_FIELD); - if (debug) console.warn("linear_select trying entry " + i); - subprocessors[i](evt); - // Dissect processor succeeded? 
- if (evt.Get(FLAG_FIELD) == null) break; - if (debug) console.warn("linear_select failed entry " + i); - } - if (flags !== null) { - evt.Put(FLAG_FIELD, flags); - } - if (debug) { - if (i < subprocessors.length) { - console.warn("linear_select matched entry " + i); - } else { - console.warn("linear_select didn't match"); - } - } - }; - } - - function conditional(opt) { - return function(evt) { - if (opt.if(evt)) { - opt.then(evt); - } else if (opt.else) { - opt.else(evt); - } - }; - } - - var strip_syslog_priority = (function() { - var isEnabled = function() { return strip_priority === true; }; - var fetchPRI = field("_pri"); - var fetchPayload = field("payload"); - var removePayload = remove(["payload"]); - var cleanup = remove(["_pri", "payload"]); - var onMatch = function(evt) { - var pri, priStr = fetchPRI(evt); - if (priStr != null - && 0 < priStr.length && priStr.length < 4 - && !isNaN((pri = Number(priStr))) - && 0 <= pri && pri < 192) { - var severity = pri & 7, - facility = pri >> 3; - setc("_severity", "" + severity)(evt); - setc("_facility", "" + facility)(evt); - // Replace message with priority stripped. - evt.Put("message", fetchPayload(evt)); - removePayload(evt); - } else { - // not a valid syslog PRI, cleanup. 
- cleanup(evt); - } - }; - return conditional({ - if: isEnabled, - then: cleanup_flags(match( - "STRIP_PRI", - "message", - "<%{_pri}>%{payload}", - onMatch - )) - }); - })(); - - function match(id, src, pattern, on_success) { - var dissect = new processor.Dissect({ - field: src, - tokenizer: pattern, - target_prefix: FIELDS_OBJECT, - ignore_failure: true, - overwrite_keys: true, - trim_values: "right" - }); - return function (evt) { - var msg = evt.Get(src); - dissect.Run(evt); - var failed = evt.Get(FLAG_FIELD) != null; - if (debug) { - if (failed) { - console.debug("dissect fail: " + id + " field:" + src); - } else { - console.debug("dissect OK: " + id + " field:" + src); - } - console.debug(" expr: <<" + pattern + ">>"); - console.debug(" input: <<" + msg + ">>"); - } - if (on_success != null && !failed) { - on_success(evt); - } - }; - } - - function match_copy(id, src, dst, on_success) { - dst = FIELDS_PREFIX + dst; - if (dst === FIELDS_PREFIX || dst === src) { - return function (evt) { - if (debug) { - console.debug("noop OK: " + id + " field:" + src); - console.debug(" input: <<" + evt.Get(src) + ">>"); - } - if (on_success != null) on_success(evt); - } - } - return function (evt) { - var msg = evt.Get(src); - evt.Put(dst, msg); - if (debug) { - console.debug("copy OK: " + id + " field:" + src); - console.debug(" target: '" + dst + "'"); - console.debug(" input: <<" + msg + ">>"); - } - if (on_success != null) on_success(evt); - } - } - - function cleanup_flags(processor) { - return function(evt) { - processor(evt); - evt.Delete(FLAG_FIELD); - }; - } - - function all_match(opts) { - return function (evt) { - var i; - for (i = 0; i < opts.processors.length; i++) { - evt.Delete(FLAG_FIELD); - opts.processors[i](evt); - // Dissect processor succeeded? 
- if (evt.Get(FLAG_FIELD) != null) { - if (debug) console.warn("all_match failure at " + i); - if (opts.on_failure != null) opts.on_failure(evt); - return; - } - if (debug) console.warn("all_match success at " + i); - } - if (opts.on_success != null) opts.on_success(evt); - }; - } - - function msgid_select(mapping) { - return function (evt) { - var msgid = evt.Get(FIELDS_PREFIX + "messageid"); - if (msgid == null) { - if (debug) console.warn("msgid_select: no messageid captured!"); - return; - } - var next = mapping[msgid]; - if (next === undefined) { - if (debug) console.warn("msgid_select: no mapping for messageid:" + msgid); - return; - } - if (debug) console.info("msgid_select: matched key=" + msgid); - return next(evt); - }; - } - - function msg(msg_id, match) { - return function (evt) { - match(evt); - if (evt.Get(FLAG_FIELD) == null) { - evt.Put(FIELDS_PREFIX + "msg_id1", msg_id); - } - }; - } - - var start; - - function save_flags(evt) { - saved_flags = evt.Get(FLAG_FIELD); - evt.Put("event.original", evt.Get("message")); - } - - function restore_flags(evt) { - if (saved_flags !== null) { - evt.Put(FLAG_FIELD, saved_flags); - } - evt.Delete("message"); - } - - function constant(value) { - return function (evt) { - return value; - }; - } - - function field(name) { - var fullname = FIELDS_PREFIX + name; - return function (evt) { - return evt.Get(fullname); - }; - } - - function STRCAT(args) { - var s = ""; - var i; - for (i = 0; i < args.length; i++) { - s += args[i]; - } - return s; - } - - // TODO: Implement - function DIRCHK(args) { - unimplemented("DIRCHK"); - } - - function strictToInt(str) { - return str * 1; - } - - function CALC(args) { - if (args.length !== 3) { - console.warn("skipped call to CALC with " + args.length + " arguments."); - return; - } - var a = strictToInt(args[0]); - var b = strictToInt(args[2]); - if (isNaN(a) || isNaN(b)) { - console.warn("failed evaluating CALC arguments a='" + args[0] + "' b='" + args[2] + "'."); - return; - } - 
var result; - switch (args[1]) { - case "+": - result = a + b; - break; - case "-": - result = a - b; - break; - case "*": - result = a * b; - break; - default: - // Only * and + seen in the parsers. - console.warn("unknown CALC operation '" + args[1] + "'."); - return; - } - // Always return a string - return result !== undefined ? "" + result : result; - } - - var quoteChars = "\"'`"; - function RMQ(args) { - if(args.length !== 1) { - console.warn("RMQ: only one argument expected"); - return; - } - var value = args[0].trim(); - var n = value.length; - var char; - return n > 1 - && (char=value.charAt(0)) === value.charAt(n-1) - && quoteChars.indexOf(char) !== -1? - value.substr(1, n-2) - : value; - } - - function call(opts) { - var args = new Array(opts.args.length); - return function (evt) { - for (var i = 0; i < opts.args.length; i++) - if ((args[i] = opts.args[i](evt)) == null) return; - var result = opts.fn(args); - if (result != null) { - evt.Put(opts.dest, result); - } - }; - } - - function nop(evt) { - } - - function appendErrorMsg(evt, msg) { - var value = evt.Get("error.message"); - if (value == null) { - value = [msg]; - } else if (msg instanceof Array) { - value.push(msg); - } else { - value = [value, msg]; - } - evt.Put("error.message", value); - } - - function unimplemented(name) { - appendErrorMsg("unimplemented feature: " + name); - } - - function lookup(opts) { - return function (evt) { - var key = opts.key(evt); - if (key == null) return; - var value = opts.map.keyvaluepairs[key]; - if (value === undefined) { - value = opts.map.default; - } - if (value !== undefined) { - evt.Put(opts.dest, value(evt)); - } - }; - } - - function set(fields) { - return new processor.AddFields({ - target: FIELDS_OBJECT, - fields: fields, - }); - } - - function setf(dst, src) { - return function (evt) { - var val = evt.Get(FIELDS_PREFIX + src); - if (val != null) evt.Put(FIELDS_PREFIX + dst, val); - }; - } - - function setc(dst, value) { - return function (evt) { - 
evt.Put(FIELDS_PREFIX + dst, value); - }; - } - - function set_field(opts) { - return function (evt) { - var val = opts.value(evt); - if (val != null) evt.Put(opts.dest, val); - }; - } - - function dump(label) { - return function (evt) { - console.log("Dump of event at " + label + ": " + JSON.stringify(evt, null, "\t")); - }; - } - - function date_time_join_args(evt, arglist) { - var str = ""; - for (var i = 0; i < arglist.length; i++) { - var fname = FIELDS_PREFIX + arglist[i]; - var val = evt.Get(fname); - if (val != null) { - if (str !== "") str += " "; - str += val; - } else { - if (debug) console.warn("in date_time: input arg " + fname + " is not set"); - } - } - return str; - } - - function to2Digit(num) { - return num? (num < 10? "0" + num : num) : "00"; - } - - // Make two-digit dates 00-69 interpreted as 2000-2069 - // and dates 70-99 translated to 1970-1999. - var twoDigitYearEpoch = 70; - var twoDigitYearCentury = 2000; - - // This is to accept dates up to 2 days in the future, only used when - // no year is specified in a date. 2 days should be enough to account for - // time differences between systems and different tz offsets. - var maxFutureDelta = 2*24*60*60*1000; - - // DateContainer stores date fields and then converts those fields into - // a Date. Necessary because building a Date using its set() methods gives - // different results depending on the order of components. - function DateContainer(tzOffset) { - this.offset = tzOffset === undefined? "Z" : tzOffset; - } - - DateContainer.prototype = { - setYear: function(v) {this.year = v;}, - setMonth: function(v) {this.month = v;}, - setDay: function(v) {this.day = v;}, - setHours: function(v) {this.hours = v;}, - setMinutes: function(v) {this.minutes = v;}, - setSeconds: function(v) {this.seconds = v;}, - - setUNIX: function(v) {this.unix = v;}, - - set2DigitYear: function(v) { - this.year = v < twoDigitYearEpoch? 
twoDigitYearCentury + v : twoDigitYearCentury + v - 100; - }, - - toDate: function() { - if (this.unix !== undefined) { - return new Date(this.unix * 1000); - } - if (this.day === undefined || this.month === undefined) { - // Can't make a date from this. - return undefined; - } - if (this.year === undefined) { - // A date without a year. Set current year, or previous year - // if date would be in the future. - var now = new Date(); - this.year = now.getFullYear(); - var date = this.toDate(); - if (date.getTime() - now.getTime() > maxFutureDelta) { - date.setFullYear(now.getFullYear() - 1); - } - return date; - } - var MM = to2Digit(this.month); - var DD = to2Digit(this.day); - var hh = to2Digit(this.hours); - var mm = to2Digit(this.minutes); - var ss = to2Digit(this.seconds); - return new Date(this.year + "-" + MM + "-" + DD + "T" + hh + ":" + mm + ":" + ss + this.offset); - } - } - - function date_time_try_pattern(fmt, str, tzOffset) { - var date = new DateContainer(tzOffset); - var pos = date_time_try_pattern_at_pos(fmt, str, 0, date); - return pos !== undefined? 
date.toDate() : undefined; - } - - function date_time_try_pattern_at_pos(fmt, str, pos, date) { - var len = str.length; - for (var proc = 0; pos !== undefined && pos < len && proc < fmt.length; proc++) { - pos = fmt[proc](str, pos, date); - } - return pos; - } - - function date_time(opts) { - return function (evt) { - var tzOffset = opts.tz || tz_offset; - if (tzOffset === "event") { - tzOffset = evt.Get("event.timezone"); - } - var str = date_time_join_args(evt, opts.args); - for (var i = 0; i < opts.fmts.length; i++) { - var date = date_time_try_pattern(opts.fmts[i], str, tzOffset); - if (date !== undefined) { - evt.Put(FIELDS_PREFIX + opts.dest, date); - return; - } - } - if (debug) console.warn("in date_time: id=" + opts.id + " FAILED: " + str); - }; - } - - var uA = 60 * 60 * 24; - var uD = 60 * 60 * 24; - var uF = 60 * 60; - var uG = 60 * 60 * 24 * 30; - var uH = 60 * 60; - var uI = 60 * 60; - var uJ = 60 * 60 * 24; - var uM = 60 * 60 * 24 * 30; - var uN = 60 * 60; - var uO = 1; - var uS = 1; - var uT = 60; - var uU = 60; - var uc = dc; - - function duration(opts) { - return function(evt) { - var str = date_time_join_args(evt, opts.args); - for (var i = 0; i < opts.fmts.length; i++) { - var seconds = duration_try_pattern(opts.fmts[i], str); - if (seconds !== undefined) { - evt.Put(FIELDS_PREFIX + opts.dest, seconds); - return; - } - } - if (debug) console.warn("in duration: id=" + opts.id + " (s) FAILED: " + str); - }; - } - - function duration_try_pattern(fmt, str) { - var secs = 0; - var pos = 0; - for (var i=0; i [ month_id , how many chars to skip if month in long form ] - "Jan": [0, 4], - "Feb": [1, 5], - "Mar": [2, 2], - "Apr": [3, 2], - "May": [4, 0], - "Jun": [5, 1], - "Jul": [6, 1], - "Aug": [7, 3], - "Sep": [8, 6], - "Oct": [9, 4], - "Nov": [10, 5], - "Dec": [11, 4], - "jan": [0, 4], - "feb": [1, 5], - "mar": [2, 2], - "apr": [3, 2], - "may": [4, 0], - "jun": [5, 1], - "jul": [6, 1], - "aug": [7, 3], - "sep": [8, 6], - "oct": [9, 4], - "nov": [10, 
5], - "dec": [11, 4], - }; - - // var dC = undefined; - var dR = dateMonthName(true); - var dB = dateMonthName(false); - var dM = dateFixedWidthNumber("M", 2, 1, 12, DateContainer.prototype.setMonth); - var dG = dateVariableWidthNumber("G", 1, 12, DateContainer.prototype.setMonth); - var dD = dateFixedWidthNumber("D", 2, 1, 31, DateContainer.prototype.setDay); - var dF = dateVariableWidthNumber("F", 1, 31, DateContainer.prototype.setDay); - var dH = dateFixedWidthNumber("H", 2, 0, 24, DateContainer.prototype.setHours); - var dI = dateVariableWidthNumber("I", 0, 24, DateContainer.prototype.setHours); // Accept hours >12 - var dN = dateVariableWidthNumber("N", 0, 24, DateContainer.prototype.setHours); - var dT = dateFixedWidthNumber("T", 2, 0, 59, DateContainer.prototype.setMinutes); - var dU = dateVariableWidthNumber("U", 0, 59, DateContainer.prototype.setMinutes); - var dP = parseAMPM; // AM|PM - var dQ = parseAMPM; // A.M.|P.M - var dS = dateFixedWidthNumber("S", 2, 0, 60, DateContainer.prototype.setSeconds); - var dO = dateVariableWidthNumber("O", 0, 60, DateContainer.prototype.setSeconds); - var dY = dateFixedWidthNumber("Y", 2, 0, 99, DateContainer.prototype.set2DigitYear); - var dW = dateFixedWidthNumber("W", 4, 1000, 9999, DateContainer.prototype.setYear); - var dZ = parseHMS; - var dX = dateVariableWidthNumber("X", 0, 0x10000000000, DateContainer.prototype.setUNIX); - - // parseAMPM parses "A.M", "AM", "P.M", "PM" from logs. - // Only works if this modifier appears after the hour has been read from logs - // which is always the case in the 300 devices. 
- function parseAMPM(str, pos, date) { - var n = str.length; - var start = skipws(str, pos); - if (start + 2 > n) return; - var head = str.substr(start, 2).toUpperCase(); - var isPM = false; - var skip = false; - switch (head) { - case "A.": - skip = true; - /* falls through */ - case "AM": - break; - case "P.": - skip = true; - /* falls through */ - case "PM": - isPM = true; - break; - default: - if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(head:" + head + ")"); - return; - } - pos = start + 2; - if (skip) { - if (pos+2 > n || str.substr(pos, 2).toUpperCase() !== "M.") { - if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(tail)"); - return; - } - pos += 2; - } - var hh = date.hours; - if (isPM) { - // Accept existing hour in 24h format. - if (hh < 12) hh += 12; - } else { - if (hh === 12) hh = 0; - } - date.setHours(hh); - return pos; - } - - function parseHMS(str, pos, date) { - return date_time_try_pattern_at_pos([dN, dc(":"), dU, dc(":"), dO], str, pos, date); - } - - function skipws(str, pos) { - for ( var n = str.length; - pos < n && str.charAt(pos) === " "; - pos++) - ; - return pos; - } - - function skipdigits(str, pos) { - var c; - for (var n = str.length; - pos < n && (c = str.charAt(pos)) >= "0" && c <= "9"; - pos++) - ; - return pos; - } - - function dSkip(str, pos, date) { - var chr; - for (;pos < str.length && (chr=str[pos])<'0' || chr>'9'; pos++) {} - return pos < str.length? 
pos : undefined; - } - - function dateVariableWidthNumber(fmtChar, min, max, setter) { - return function (str, pos, date) { - var start = skipws(str, pos); - pos = skipdigits(str, start); - var s = str.substr(start, pos - start); - var value = parseInt(s, 10); - if (value >= min && value <= max) { - setter.call(date, value); - return pos; - } - return; - }; - } - - function dateFixedWidthNumber(fmtChar, width, min, max, setter) { - return function (str, pos, date) { - pos = skipws(str, pos); - var n = str.length; - if (pos + width > n) return; - var s = str.substr(pos, width); - var value = parseInt(s, 10); - if (value >= min && value <= max) { - setter.call(date, value); - return pos + width; - } - return; - }; - } - - // Short month name (Jan..Dec). - function dateMonthName(long) { - return function (str, pos, date) { - pos = skipws(str, pos); - var n = str.length; - if (pos + 3 > n) return; - var mon = str.substr(pos, 3); - var idx = shortMonths[mon]; - if (idx === undefined) { - idx = shortMonths[mon.toLowerCase()]; - } - if (idx === undefined) { - //console.warn("parsing date_time: '" + mon + "' is not a valid short month (%B)"); - return; - } - date.setMonth(idx[0]+1); - return pos + 3 + (long ? 
idx[1] : 0); - }; - } - - function url_wrapper(dst, src, fn) { - return function(evt) { - var value = evt.Get(FIELDS_PREFIX + src), result; - if (value != null && (result = fn(value))!== undefined) { - evt.Put(FIELDS_PREFIX + dst, result); - } else { - console.debug(fn.name + " failed for '" + value + "'"); - } - }; - } - - // The following regular expression for parsing URLs from: - // https://github.com/wizard04wsu/URI_Parsing - // - // The MIT License (MIT) - // - // Copyright (c) 2014 Andrew Harrison - // - // Permission is hereby granted, free of charge, to any person obtaining a copy of - // this software and associated documentation files (the "Software"), to deal in - // the Software without restriction, including without limitation the rights to - // use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of - // the Software, and to permit persons to whom the Software is furnished to do so, - // subject to the following conditions: - // - // The above copyright notice and this permission notice shall be included in all - // copies or substantial portions of the Software. - // - // THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR - // IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS - // FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR - // COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER - // IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN - // CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 
- var uriRegExp = /^([a-z][a-z0-9+.\-]*):(?:\/\/((?:(?=((?:[a-z0-9\-._~!$&'()*+,;=:]|%[0-9A-F]{2})*))(\3)@)?(?=(\[[0-9A-F:.]{2,}\]|(?:[a-z0-9\-._~!$&'()*+,;=]|%[0-9A-F]{2})*))\5(?::(?=(\d*))\6)?)(\/(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\8)?|(\/?(?!\/)(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\10)?)(?:\?(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\11)?(?:#(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\12)?$/i; - - var uriScheme = 1; - var uriDomain = 5; - var uriPort = 6; - var uriPath = 7; - var uriPathAlt = 9; - var uriQuery = 11; - - function domain(dst, src) { - return url_wrapper(dst, src, extract_domain); - } - - function split_url(value) { - var m = value.match(uriRegExp); - if (m && m[uriDomain]) return m; - // Support input in the form "www.example.net/path", but not "/path". - m = ("null://" + value).match(uriRegExp); - if (m) return m; - } - - function extract_domain(value) { - var m = split_url(value); - if (m && m[uriDomain]) return m[uriDomain]; - } - - var extFromPage = /\.[^.]+$/; - function extract_ext(value) { - var page = extract_page(value); - if (page) { - var m = page.match(extFromPage); - if (m) return m[0]; - } - } - - function ext(dst, src) { - return url_wrapper(dst, src, extract_ext); - } - - function fqdn(dst, src) { - // TODO: fqdn and domain(eTLD+1) are currently the same. - return domain(dst, src); - } - - var pageFromPathRegExp = /\/([^\/]+)$/; - var pageName = 1; - - function extract_page(value) { - value = extract_path(value); - if (!value) return undefined; - var m = value.match(pageFromPathRegExp); - if (m) return m[pageName]; - } - - function page(dst, src) { - return url_wrapper(dst, src, extract_page); - } - - function extract_path(value) { - var m = split_url(value); - return m? m[uriPath] || m[uriPathAlt] : undefined; - } - - function path(dst, src) { - return url_wrapper(dst, src, extract_path); - } - - // Map common schemes to their default port. 
- // port has to be a string (will be converted at a later stage). - var schemePort = { - "ftp": "21", - "ssh": "22", - "http": "80", - "https": "443", - }; - - function extract_port(value) { - var m = split_url(value); - if (!m) return undefined; - if (m[uriPort]) return m[uriPort]; - if (m[uriScheme]) { - return schemePort[m[uriScheme]]; - } - } - - function port(dst, src) { - return url_wrapper(dst, src, extract_port); - } - - function extract_query(value) { - var m = split_url(value); - if (m && m[uriQuery]) return m[uriQuery]; - } - - function query(dst, src) { - return url_wrapper(dst, src, extract_query); - } - - function extract_root(value) { - var m = split_url(value); - if (m && m[uriDomain] && m[uriDomain]) { - var scheme = m[uriScheme] && m[uriScheme] !== "null"? - m[uriScheme] + "://" : ""; - var port = m[uriPort]? ":" + m[uriPort] : ""; - return scheme + m[uriDomain] + port; - } - } - - function root(dst, src) { - return url_wrapper(dst, src, extract_root); - } - - function tagval(id, src, cfg, keys, on_success) { - var fail = function(evt) { - evt.Put(FLAG_FIELD, "tagval_parsing_error"); - } - if (cfg.kv_separator.length !== 1) { - throw("Invalid TAGVALMAP ValueDelimiter (must have 1 character)"); - } - var quotes_len = cfg.open_quote.length > 0 && cfg.close_quote.length > 0? 
- cfg.open_quote.length + cfg.close_quote.length : 0; - var kv_regex = new RegExp('^([^' + cfg.kv_separator + ']*)*' + cfg.kv_separator + ' *(.*)*$'); - return function(evt) { - var msg = evt.Get(src); - if (msg === undefined) { - console.warn("tagval: input field is missing"); - return fail(evt); - } - var pairs = msg.split(cfg.pair_separator); - var i; - var success = false; - var prev = ""; - for (i=0; i 0 && - value.length >= cfg.open_quote.length + cfg.close_quote.length && - value.substr(0, cfg.open_quote.length) === cfg.open_quote && - value.substr(value.length - cfg.close_quote.length) === cfg.close_quote) { - value = value.substr(cfg.open_quote.length, value.length - quotes_len); - } - evt.Put(FIELDS_PREFIX + field, value); - success = true; - } - if (!success) { - return fail(evt); - } - if (on_success != null) { - on_success(evt); - } - } - } - - var ecs_mappings = { - "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]}, - "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]}, - "_severity": {convert: to_long, to:[{field: "log.syslog.severity.code", setter: fld_set}]}, - "action": {to:[{field: "event.action", setter: fld_prio, prio: 0}]}, - "administrator": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 4}]}, - "alias.ip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 3},{field: "related.ip", setter: fld_append}]}, - "alias.ipv6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 4},{field: "related.ip", setter: fld_append}]}, - "alias.mac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 1}]}, - "application": {to:[{field: "network.application", setter: fld_set}]}, - "bytes": {convert: to_long, to:[{field: "network.bytes", setter: fld_set}]}, - "c_domain": {to:[{field: "source.domain", setter: fld_prio, prio: 1}]}, - "c_logon_id": {to:[{field: "user.id", setter: fld_prio, prio: 2}]}, - 
"c_user_name": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 8}]}, - "c_username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 2}]}, - "cctld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 1}]}, - "child_pid": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 1}]}, - "child_pid_val": {to:[{field: "process.title", setter: fld_set}]}, - "child_process": {to:[{field: "process.name", setter: fld_prio, prio: 1}]}, - "city.dst": {to:[{field: "destination.geo.city_name", setter: fld_set}]}, - "city.src": {to:[{field: "source.geo.city_name", setter: fld_set}]}, - "daddr": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, - "daddr_v6": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, - "ddomain": {to:[{field: "destination.domain", setter: fld_prio, prio: 0}]}, - "devicehostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, - "devicehostmac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 0}]}, - "dhost": {to:[{field: "destination.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]}, - "dinterface": {to:[{field: "observer.egress.interface.name", setter: fld_set}]}, - "direction": {to:[{field: "network.direction", setter: fld_set}]}, - "directory": {to:[{field: "file.directory", setter: fld_set}]}, - "dmacaddr": {convert: to_mac, to:[{field: "destination.mac", setter: fld_set}]}, - "dns.responsetype": {to:[{field: "dns.answers.type", setter: fld_set}]}, - "dns.resptext": {to:[{field: "dns.answers.name", setter: fld_set}]}, - "dns_querytype": {to:[{field: "dns.question.type", setter: fld_set}]}, - "domain": {to:[{field: "server.domain", setter: fld_prio, prio: 0},{field: "related.hosts", setter: fld_append}]}, - 
"domain.dst": {to:[{field: "destination.domain", setter: fld_prio, prio: 1}]}, - "domain.src": {to:[{field: "source.domain", setter: fld_prio, prio: 2}]}, - "domain_id": {to:[{field: "user.domain", setter: fld_set}]}, - "domainname": {to:[{field: "server.domain", setter: fld_prio, prio: 1}]}, - "dport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 0}]}, - "dtransaddr": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, - "dtransport": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 0}]}, - "ec_outcome": {to:[{field: "event.outcome", setter: fld_ecs_outcome}]}, - "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]}, - "event_source": {to:[{field: "related.hosts", setter: fld_append}]}, - "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]}, - "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]}, - "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]}, - "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]}, - "filename": {to:[{field: "file.name", setter: fld_prio, prio: 0}]}, - "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]}, - "filepath": {to:[{field: "file.path", setter: fld_set}]}, - "filetype": {to:[{field: "file.type", setter: fld_set}]}, - "fqdn": {to:[{field: "related.hosts", setter: fld_append}]}, - "group": {to:[{field: "group.name", setter: fld_set}]}, - "groupid": {to:[{field: "group.id", setter: fld_set}]}, - "host": {to:[{field: "host.name", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]}, - "hostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, - "hostip_v6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, - "hostname": {to:[{field: 
"host.name", setter: fld_prio, prio: 0}]}, - "id": {to:[{field: "event.code", setter: fld_prio, prio: 0}]}, - "interface": {to:[{field: "network.interface.name", setter: fld_set}]}, - "ip.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, - "ip.trans.dst": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, - "ip.trans.src": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, - "ipv6.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, - "latdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lat", setter: fld_set}]}, - "latdec_src": {convert: to_double, to:[{field: "source.geo.location.lat", setter: fld_set}]}, - "location_city": {to:[{field: "geo.city_name", setter: fld_set}]}, - "location_country": {to:[{field: "geo.country_name", setter: fld_set}]}, - "location_desc": {to:[{field: "geo.name", setter: fld_set}]}, - "location_dst": {to:[{field: "destination.geo.country_name", setter: fld_set}]}, - "location_src": {to:[{field: "source.geo.country_name", setter: fld_set}]}, - "location_state": {to:[{field: "geo.region_name", setter: fld_set}]}, - "logon_id": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 5}]}, - "longdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lon", setter: fld_set}]}, - "longdec_src": {convert: to_double, to:[{field: "source.geo.location.lon", setter: fld_set}]}, - "macaddr": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 2}]}, - "messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]}, - "method": {to:[{field: "http.request.method", setter: fld_set}]}, - "msg": {to:[{field: "message", setter: fld_set}]}, - "orig_ip": {convert: to_ip, 
to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, - "owner": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 6}]}, - "packets": {convert: to_long, to:[{field: "network.packets", setter: fld_set}]}, - "parent_pid": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 0}]}, - "parent_pid_val": {to:[{field: "process.parent.title", setter: fld_set}]}, - "parent_process": {to:[{field: "process.parent.name", setter: fld_prio, prio: 0}]}, - "patient_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 1}]}, - "port.dst": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 1}]}, - "port.src": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 1}]}, - "port.trans.dst": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 1}]}, - "port.trans.src": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 1}]}, - "process": {to:[{field: "process.name", setter: fld_prio, prio: 0}]}, - "process_id": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 0}]}, - "process_id_src": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 1}]}, - "process_src": {to:[{field: "process.parent.name", setter: fld_prio, prio: 1}]}, - "product": {to:[{field: "observer.product", setter: fld_set}]}, - "protocol": {to:[{field: "network.protocol", setter: fld_set}]}, - "query": {to:[{field: "url.query", setter: fld_prio, prio: 2}]}, - "rbytes": {convert: to_long, to:[{field: "destination.bytes", setter: fld_set}]}, - "referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 1}]}, - "rulename": {to:[{field: "rule.name", setter: fld_set}]}, - "saddr": {convert: to_ip, to:[{field: "source.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, - "saddr_v6": {convert: to_ip, to:[{field: "source.ip", setter: 
fld_set},{field: "related.ip", setter: fld_append}]}, - "sbytes": {convert: to_long, to:[{field: "source.bytes", setter: fld_set}]}, - "sdomain": {to:[{field: "source.domain", setter: fld_prio, prio: 0}]}, - "service": {to:[{field: "service.name", setter: fld_prio, prio: 1}]}, - "service.name": {to:[{field: "service.name", setter: fld_prio, prio: 0}]}, - "service_account": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 7}]}, - "severity": {to:[{field: "log.level", setter: fld_set}]}, - "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]}, - "sinterface": {to:[{field: "observer.ingress.interface.name", setter: fld_set}]}, - "sld": {to:[{field: "url.registered_domain", setter: fld_set}]}, - "smacaddr": {convert: to_mac, to:[{field: "source.mac", setter: fld_set}]}, - "sport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 0}]}, - "stransaddr": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, - "stransport": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 0}]}, - "tcp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 2}]}, - "tcp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 2}]}, - "timezone": {to:[{field: "event.timezone", setter: fld_set}]}, - "tld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 0}]}, - "udp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 3}]}, - "udp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 3}]}, - "uid": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 3}]}, - "url": {to:[{field: "url.original", setter: fld_prio, prio: 1}]}, - "url_raw": {to:[{field: "url.original", setter: fld_prio, prio: 
0}]}, - "urldomain": {to:[{field: "url.domain", setter: fld_prio, prio: 0}]}, - "urlquery": {to:[{field: "url.query", setter: fld_prio, prio: 0}]}, - "user": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 0}]}, - "user.id": {to:[{field: "user.id", setter: fld_prio, prio: 1}]}, - "user_agent": {to:[{field: "user_agent.original", setter: fld_set}]}, - "user_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 0}]}, - "user_id": {to:[{field: "user.id", setter: fld_prio, prio: 0}]}, - "username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 1}]}, - "version": {to:[{field: "observer.version", setter: fld_set}]}, - "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]}, - "web_extension": {to:[{field: "file.extension", setter: fld_prio, prio: 0}]}, - "web_query": {to:[{field: "url.query", setter: fld_prio, prio: 1}]}, - "web_ref_domain": {to:[{field: "related.hosts", setter: fld_append}]}, - "web_referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 0}]}, - "web_root": {to:[{field: "url.path", setter: fld_set}]}, - "webpage": {to:[{field: "file.name", setter: fld_prio, prio: 1}]}, - }; - - var rsa_mappings = { - "access_point": {to:[{field: "rsa.wireless.access_point", setter: fld_set}]}, - "accesses": {to:[{field: "rsa.identity.accesses", setter: fld_set}]}, - "acl_id": {to:[{field: "rsa.misc.acl_id", setter: fld_set}]}, - "acl_op": {to:[{field: "rsa.misc.acl_op", setter: fld_set}]}, - "acl_pos": {to:[{field: "rsa.misc.acl_pos", setter: fld_set}]}, - "acl_table": {to:[{field: "rsa.misc.acl_table", setter: fld_set}]}, - "action": {to:[{field: "rsa.misc.action", setter: fld_append}]}, - "ad_computer_dst": {to:[{field: "rsa.network.ad_computer_dst", setter: fld_set}]}, - "addr": {to:[{field: "rsa.network.addr", setter: fld_set}]}, - "admin": {to:[{field: "rsa.misc.admin", setter: 
fld_set}]}, - "agent": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 0}]}, - "agent.id": {to:[{field: "rsa.misc.agent_id", setter: fld_set}]}, - "alarm_id": {to:[{field: "rsa.misc.alarm_id", setter: fld_set}]}, - "alarmname": {to:[{field: "rsa.misc.alarmname", setter: fld_set}]}, - "alert": {to:[{field: "rsa.threat.alert", setter: fld_set}]}, - "alert_id": {to:[{field: "rsa.misc.alert_id", setter: fld_set}]}, - "alias.host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "analysis.file": {to:[{field: "rsa.investigations.analysis_file", setter: fld_set}]}, - "analysis.service": {to:[{field: "rsa.investigations.analysis_service", setter: fld_set}]}, - "analysis.session": {to:[{field: "rsa.investigations.analysis_session", setter: fld_set}]}, - "app_id": {to:[{field: "rsa.misc.app_id", setter: fld_set}]}, - "attachment": {to:[{field: "rsa.file.attachment", setter: fld_set}]}, - "audit": {to:[{field: "rsa.misc.audit", setter: fld_set}]}, - "audit_class": {to:[{field: "rsa.internal.audit_class", setter: fld_set}]}, - "audit_object": {to:[{field: "rsa.misc.audit_object", setter: fld_set}]}, - "auditdata": {to:[{field: "rsa.misc.auditdata", setter: fld_set}]}, - "authmethod": {to:[{field: "rsa.identity.auth_method", setter: fld_set}]}, - "autorun_type": {to:[{field: "rsa.misc.autorun_type", setter: fld_set}]}, - "bcc": {to:[{field: "rsa.email.email", setter: fld_append}]}, - "benchmark": {to:[{field: "rsa.misc.benchmark", setter: fld_set}]}, - "binary": {to:[{field: "rsa.file.binary", setter: fld_set}]}, - "boc": {to:[{field: "rsa.investigations.boc", setter: fld_set}]}, - "bssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 1}]}, - "bypass": {to:[{field: "rsa.misc.bypass", setter: fld_set}]}, - "c_sid": {to:[{field: "rsa.identity.user_sid_src", setter: fld_set}]}, - "cache": {to:[{field: "rsa.misc.cache", setter: fld_set}]}, - "cache_hit": {to:[{field: "rsa.misc.cache_hit", setter: fld_set}]}, - "calling_from": {to:[{field: 
"rsa.misc.phone", setter: fld_prio, prio: 1}]}, - "calling_to": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 0}]}, - "category": {to:[{field: "rsa.misc.category", setter: fld_set}]}, - "cc": {to:[{field: "rsa.email.email", setter: fld_append}]}, - "cc.number": {convert: to_long, to:[{field: "rsa.misc.cc_number", setter: fld_set}]}, - "cefversion": {to:[{field: "rsa.misc.cefversion", setter: fld_set}]}, - "cert.serial": {to:[{field: "rsa.crypto.cert_serial", setter: fld_set}]}, - "cert_ca": {to:[{field: "rsa.crypto.cert_ca", setter: fld_set}]}, - "cert_checksum": {to:[{field: "rsa.crypto.cert_checksum", setter: fld_set}]}, - "cert_common": {to:[{field: "rsa.crypto.cert_common", setter: fld_set}]}, - "cert_error": {to:[{field: "rsa.crypto.cert_error", setter: fld_set}]}, - "cert_hostname": {to:[{field: "rsa.crypto.cert_host_name", setter: fld_set}]}, - "cert_hostname_cat": {to:[{field: "rsa.crypto.cert_host_cat", setter: fld_set}]}, - "cert_issuer": {to:[{field: "rsa.crypto.cert_issuer", setter: fld_set}]}, - "cert_keysize": {to:[{field: "rsa.crypto.cert_keysize", setter: fld_set}]}, - "cert_status": {to:[{field: "rsa.crypto.cert_status", setter: fld_set}]}, - "cert_subject": {to:[{field: "rsa.crypto.cert_subject", setter: fld_set}]}, - "cert_username": {to:[{field: "rsa.crypto.cert_username", setter: fld_set}]}, - "cfg.attr": {to:[{field: "rsa.misc.cfg_attr", setter: fld_set}]}, - "cfg.obj": {to:[{field: "rsa.misc.cfg_obj", setter: fld_set}]}, - "cfg.path": {to:[{field: "rsa.misc.cfg_path", setter: fld_set}]}, - "change_attribute": {to:[{field: "rsa.misc.change_attrib", setter: fld_set}]}, - "change_new": {to:[{field: "rsa.misc.change_new", setter: fld_set}]}, - "change_old": {to:[{field: "rsa.misc.change_old", setter: fld_set}]}, - "changes": {to:[{field: "rsa.misc.changes", setter: fld_set}]}, - "checksum": {to:[{field: "rsa.misc.checksum", setter: fld_set}]}, - "checksum.dst": {to:[{field: "rsa.misc.checksum_dst", setter: fld_set}]}, - "checksum.src": 
{to:[{field: "rsa.misc.checksum_src", setter: fld_set}]}, - "cid": {to:[{field: "rsa.internal.cid", setter: fld_set}]}, - "client": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 1}]}, - "client_ip": {to:[{field: "rsa.misc.client_ip", setter: fld_set}]}, - "clustermembers": {to:[{field: "rsa.misc.clustermembers", setter: fld_set}]}, - "cmd": {to:[{field: "rsa.misc.cmd", setter: fld_set}]}, - "cn_acttimeout": {to:[{field: "rsa.misc.cn_acttimeout", setter: fld_set}]}, - "cn_asn_dst": {to:[{field: "rsa.web.cn_asn_dst", setter: fld_set}]}, - "cn_asn_src": {to:[{field: "rsa.misc.cn_asn_src", setter: fld_set}]}, - "cn_bgpv4nxthop": {to:[{field: "rsa.misc.cn_bgpv4nxthop", setter: fld_set}]}, - "cn_ctr_dst_code": {to:[{field: "rsa.misc.cn_ctr_dst_code", setter: fld_set}]}, - "cn_dst_tos": {to:[{field: "rsa.misc.cn_dst_tos", setter: fld_set}]}, - "cn_dst_vlan": {to:[{field: "rsa.misc.cn_dst_vlan", setter: fld_set}]}, - "cn_engine_id": {to:[{field: "rsa.misc.cn_engine_id", setter: fld_set}]}, - "cn_engine_type": {to:[{field: "rsa.misc.cn_engine_type", setter: fld_set}]}, - "cn_f_switch": {to:[{field: "rsa.misc.cn_f_switch", setter: fld_set}]}, - "cn_flowsampid": {to:[{field: "rsa.misc.cn_flowsampid", setter: fld_set}]}, - "cn_flowsampintv": {to:[{field: "rsa.misc.cn_flowsampintv", setter: fld_set}]}, - "cn_flowsampmode": {to:[{field: "rsa.misc.cn_flowsampmode", setter: fld_set}]}, - "cn_inacttimeout": {to:[{field: "rsa.misc.cn_inacttimeout", setter: fld_set}]}, - "cn_inpermbyts": {to:[{field: "rsa.misc.cn_inpermbyts", setter: fld_set}]}, - "cn_inpermpckts": {to:[{field: "rsa.misc.cn_inpermpckts", setter: fld_set}]}, - "cn_invalid": {to:[{field: "rsa.misc.cn_invalid", setter: fld_set}]}, - "cn_ip_proto_ver": {to:[{field: "rsa.misc.cn_ip_proto_ver", setter: fld_set}]}, - "cn_ipv4_ident": {to:[{field: "rsa.misc.cn_ipv4_ident", setter: fld_set}]}, - "cn_l_switch": {to:[{field: "rsa.misc.cn_l_switch", setter: fld_set}]}, - "cn_log_did": {to:[{field: 
"rsa.misc.cn_log_did", setter: fld_set}]}, - "cn_log_rid": {to:[{field: "rsa.misc.cn_log_rid", setter: fld_set}]}, - "cn_max_ttl": {to:[{field: "rsa.misc.cn_max_ttl", setter: fld_set}]}, - "cn_maxpcktlen": {to:[{field: "rsa.misc.cn_maxpcktlen", setter: fld_set}]}, - "cn_min_ttl": {to:[{field: "rsa.misc.cn_min_ttl", setter: fld_set}]}, - "cn_minpcktlen": {to:[{field: "rsa.misc.cn_minpcktlen", setter: fld_set}]}, - "cn_mpls_lbl_1": {to:[{field: "rsa.misc.cn_mpls_lbl_1", setter: fld_set}]}, - "cn_mpls_lbl_10": {to:[{field: "rsa.misc.cn_mpls_lbl_10", setter: fld_set}]}, - "cn_mpls_lbl_2": {to:[{field: "rsa.misc.cn_mpls_lbl_2", setter: fld_set}]}, - "cn_mpls_lbl_3": {to:[{field: "rsa.misc.cn_mpls_lbl_3", setter: fld_set}]}, - "cn_mpls_lbl_4": {to:[{field: "rsa.misc.cn_mpls_lbl_4", setter: fld_set}]}, - "cn_mpls_lbl_5": {to:[{field: "rsa.misc.cn_mpls_lbl_5", setter: fld_set}]}, - "cn_mpls_lbl_6": {to:[{field: "rsa.misc.cn_mpls_lbl_6", setter: fld_set}]}, - "cn_mpls_lbl_7": {to:[{field: "rsa.misc.cn_mpls_lbl_7", setter: fld_set}]}, - "cn_mpls_lbl_8": {to:[{field: "rsa.misc.cn_mpls_lbl_8", setter: fld_set}]}, - "cn_mpls_lbl_9": {to:[{field: "rsa.misc.cn_mpls_lbl_9", setter: fld_set}]}, - "cn_mplstoplabel": {to:[{field: "rsa.misc.cn_mplstoplabel", setter: fld_set}]}, - "cn_mplstoplabip": {to:[{field: "rsa.misc.cn_mplstoplabip", setter: fld_set}]}, - "cn_mul_dst_byt": {to:[{field: "rsa.misc.cn_mul_dst_byt", setter: fld_set}]}, - "cn_mul_dst_pks": {to:[{field: "rsa.misc.cn_mul_dst_pks", setter: fld_set}]}, - "cn_muligmptype": {to:[{field: "rsa.misc.cn_muligmptype", setter: fld_set}]}, - "cn_rpackets": {to:[{field: "rsa.web.cn_rpackets", setter: fld_set}]}, - "cn_sampalgo": {to:[{field: "rsa.misc.cn_sampalgo", setter: fld_set}]}, - "cn_sampint": {to:[{field: "rsa.misc.cn_sampint", setter: fld_set}]}, - "cn_seqctr": {to:[{field: "rsa.misc.cn_seqctr", setter: fld_set}]}, - "cn_spackets": {to:[{field: "rsa.misc.cn_spackets", setter: fld_set}]}, - "cn_src_tos": {to:[{field: 
"rsa.misc.cn_src_tos", setter: fld_set}]}, - "cn_src_vlan": {to:[{field: "rsa.misc.cn_src_vlan", setter: fld_set}]}, - "cn_sysuptime": {to:[{field: "rsa.misc.cn_sysuptime", setter: fld_set}]}, - "cn_template_id": {to:[{field: "rsa.misc.cn_template_id", setter: fld_set}]}, - "cn_totbytsexp": {to:[{field: "rsa.misc.cn_totbytsexp", setter: fld_set}]}, - "cn_totflowexp": {to:[{field: "rsa.misc.cn_totflowexp", setter: fld_set}]}, - "cn_totpcktsexp": {to:[{field: "rsa.misc.cn_totpcktsexp", setter: fld_set}]}, - "cn_unixnanosecs": {to:[{field: "rsa.misc.cn_unixnanosecs", setter: fld_set}]}, - "cn_v6flowlabel": {to:[{field: "rsa.misc.cn_v6flowlabel", setter: fld_set}]}, - "cn_v6optheaders": {to:[{field: "rsa.misc.cn_v6optheaders", setter: fld_set}]}, - "code": {to:[{field: "rsa.misc.code", setter: fld_set}]}, - "command": {to:[{field: "rsa.misc.command", setter: fld_set}]}, - "comments": {to:[{field: "rsa.misc.comments", setter: fld_set}]}, - "comp_class": {to:[{field: "rsa.misc.comp_class", setter: fld_set}]}, - "comp_name": {to:[{field: "rsa.misc.comp_name", setter: fld_set}]}, - "comp_rbytes": {to:[{field: "rsa.misc.comp_rbytes", setter: fld_set}]}, - "comp_sbytes": {to:[{field: "rsa.misc.comp_sbytes", setter: fld_set}]}, - "component_version": {to:[{field: "rsa.misc.comp_version", setter: fld_set}]}, - "connection_id": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 1}]}, - "connectionid": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 0}]}, - "content": {to:[{field: "rsa.misc.content", setter: fld_set}]}, - "content_type": {to:[{field: "rsa.misc.content_type", setter: fld_set}]}, - "content_version": {to:[{field: "rsa.misc.content_version", setter: fld_set}]}, - "context": {to:[{field: "rsa.misc.context", setter: fld_set}]}, - "count": {to:[{field: "rsa.misc.count", setter: fld_set}]}, - "cpu": {convert: to_long, to:[{field: "rsa.misc.cpu", setter: fld_set}]}, - "cpu_data": {to:[{field: "rsa.misc.cpu_data", setter: fld_set}]}, - 
"criticality": {to:[{field: "rsa.misc.criticality", setter: fld_set}]}, - "cs_agency_dst": {to:[{field: "rsa.misc.cs_agency_dst", setter: fld_set}]}, - "cs_analyzedby": {to:[{field: "rsa.misc.cs_analyzedby", setter: fld_set}]}, - "cs_av_other": {to:[{field: "rsa.misc.cs_av_other", setter: fld_set}]}, - "cs_av_primary": {to:[{field: "rsa.misc.cs_av_primary", setter: fld_set}]}, - "cs_av_secondary": {to:[{field: "rsa.misc.cs_av_secondary", setter: fld_set}]}, - "cs_bgpv6nxthop": {to:[{field: "rsa.misc.cs_bgpv6nxthop", setter: fld_set}]}, - "cs_bit9status": {to:[{field: "rsa.misc.cs_bit9status", setter: fld_set}]}, - "cs_context": {to:[{field: "rsa.misc.cs_context", setter: fld_set}]}, - "cs_control": {to:[{field: "rsa.misc.cs_control", setter: fld_set}]}, - "cs_data": {to:[{field: "rsa.misc.cs_data", setter: fld_set}]}, - "cs_datecret": {to:[{field: "rsa.misc.cs_datecret", setter: fld_set}]}, - "cs_dst_tld": {to:[{field: "rsa.misc.cs_dst_tld", setter: fld_set}]}, - "cs_eth_dst_ven": {to:[{field: "rsa.misc.cs_eth_dst_ven", setter: fld_set}]}, - "cs_eth_src_ven": {to:[{field: "rsa.misc.cs_eth_src_ven", setter: fld_set}]}, - "cs_event_uuid": {to:[{field: "rsa.misc.cs_event_uuid", setter: fld_set}]}, - "cs_filetype": {to:[{field: "rsa.misc.cs_filetype", setter: fld_set}]}, - "cs_fld": {to:[{field: "rsa.misc.cs_fld", setter: fld_set}]}, - "cs_if_desc": {to:[{field: "rsa.misc.cs_if_desc", setter: fld_set}]}, - "cs_if_name": {to:[{field: "rsa.misc.cs_if_name", setter: fld_set}]}, - "cs_ip_next_hop": {to:[{field: "rsa.misc.cs_ip_next_hop", setter: fld_set}]}, - "cs_ipv4dstpre": {to:[{field: "rsa.misc.cs_ipv4dstpre", setter: fld_set}]}, - "cs_ipv4srcpre": {to:[{field: "rsa.misc.cs_ipv4srcpre", setter: fld_set}]}, - "cs_lifetime": {to:[{field: "rsa.misc.cs_lifetime", setter: fld_set}]}, - "cs_log_medium": {to:[{field: "rsa.misc.cs_log_medium", setter: fld_set}]}, - "cs_loginname": {to:[{field: "rsa.misc.cs_loginname", setter: fld_set}]}, - "cs_modulescore": {to:[{field: 
"rsa.misc.cs_modulescore", setter: fld_set}]}, - "cs_modulesign": {to:[{field: "rsa.misc.cs_modulesign", setter: fld_set}]}, - "cs_opswatresult": {to:[{field: "rsa.misc.cs_opswatresult", setter: fld_set}]}, - "cs_payload": {to:[{field: "rsa.misc.cs_payload", setter: fld_set}]}, - "cs_registrant": {to:[{field: "rsa.misc.cs_registrant", setter: fld_set}]}, - "cs_registrar": {to:[{field: "rsa.misc.cs_registrar", setter: fld_set}]}, - "cs_represult": {to:[{field: "rsa.misc.cs_represult", setter: fld_set}]}, - "cs_rpayload": {to:[{field: "rsa.misc.cs_rpayload", setter: fld_set}]}, - "cs_sampler_name": {to:[{field: "rsa.misc.cs_sampler_name", setter: fld_set}]}, - "cs_sourcemodule": {to:[{field: "rsa.misc.cs_sourcemodule", setter: fld_set}]}, - "cs_streams": {to:[{field: "rsa.misc.cs_streams", setter: fld_set}]}, - "cs_targetmodule": {to:[{field: "rsa.misc.cs_targetmodule", setter: fld_set}]}, - "cs_v6nxthop": {to:[{field: "rsa.misc.cs_v6nxthop", setter: fld_set}]}, - "cs_whois_server": {to:[{field: "rsa.misc.cs_whois_server", setter: fld_set}]}, - "cs_yararesult": {to:[{field: "rsa.misc.cs_yararesult", setter: fld_set}]}, - "cve": {to:[{field: "rsa.misc.cve", setter: fld_set}]}, - "d_certauth": {to:[{field: "rsa.crypto.d_certauth", setter: fld_set}]}, - "d_cipher": {to:[{field: "rsa.crypto.cipher_dst", setter: fld_set}]}, - "d_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_dst", setter: fld_set}]}, - "d_sslver": {to:[{field: "rsa.crypto.ssl_ver_dst", setter: fld_set}]}, - "data": {to:[{field: "rsa.internal.data", setter: fld_set}]}, - "data_type": {to:[{field: "rsa.misc.data_type", setter: fld_set}]}, - "date": {to:[{field: "rsa.time.date", setter: fld_set}]}, - "datetime": {to:[{field: "rsa.time.datetime", setter: fld_set}]}, - "day": {to:[{field: "rsa.time.day", setter: fld_set}]}, - "db_id": {to:[{field: "rsa.db.db_id", setter: fld_set}]}, - "db_name": {to:[{field: "rsa.db.database", setter: fld_set}]}, - "db_pid": {convert: to_long, to:[{field: 
"rsa.db.db_pid", setter: fld_set}]}, - "dclass_counter1": {convert: to_long, to:[{field: "rsa.counters.dclass_c1", setter: fld_set}]}, - "dclass_counter1_string": {to:[{field: "rsa.counters.dclass_c1_str", setter: fld_set}]}, - "dclass_counter2": {convert: to_long, to:[{field: "rsa.counters.dclass_c2", setter: fld_set}]}, - "dclass_counter2_string": {to:[{field: "rsa.counters.dclass_c2_str", setter: fld_set}]}, - "dclass_counter3": {convert: to_long, to:[{field: "rsa.counters.dclass_c3", setter: fld_set}]}, - "dclass_counter3_string": {to:[{field: "rsa.counters.dclass_c3_str", setter: fld_set}]}, - "dclass_ratio1": {to:[{field: "rsa.counters.dclass_r1", setter: fld_set}]}, - "dclass_ratio1_string": {to:[{field: "rsa.counters.dclass_r1_str", setter: fld_set}]}, - "dclass_ratio2": {to:[{field: "rsa.counters.dclass_r2", setter: fld_set}]}, - "dclass_ratio2_string": {to:[{field: "rsa.counters.dclass_r2_str", setter: fld_set}]}, - "dclass_ratio3": {to:[{field: "rsa.counters.dclass_r3", setter: fld_set}]}, - "dclass_ratio3_string": {to:[{field: "rsa.counters.dclass_r3_str", setter: fld_set}]}, - "dead": {convert: to_long, to:[{field: "rsa.internal.dead", setter: fld_set}]}, - "description": {to:[{field: "rsa.misc.description", setter: fld_set}]}, - "detail": {to:[{field: "rsa.misc.event_desc", setter: fld_set}]}, - "device": {to:[{field: "rsa.misc.device_name", setter: fld_set}]}, - "device.class": {to:[{field: "rsa.internal.device_class", setter: fld_set}]}, - "device.group": {to:[{field: "rsa.internal.device_group", setter: fld_set}]}, - "device.host": {to:[{field: "rsa.internal.device_host", setter: fld_set}]}, - "device.ip": {convert: to_ip, to:[{field: "rsa.internal.device_ip", setter: fld_set}]}, - "device.ipv6": {convert: to_ip, to:[{field: "rsa.internal.device_ipv6", setter: fld_set}]}, - "device.type": {to:[{field: "rsa.internal.device_type", setter: fld_set}]}, - "device.type.id": {convert: to_long, to:[{field: "rsa.internal.device_type_id", setter: fld_set}]}, 
- "devicehostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "devvendor": {to:[{field: "rsa.misc.devvendor", setter: fld_set}]}, - "dhost": {to:[{field: "rsa.network.host_dst", setter: fld_set}]}, - "did": {to:[{field: "rsa.internal.did", setter: fld_set}]}, - "dinterface": {to:[{field: "rsa.network.dinterface", setter: fld_set}]}, - "directory.dst": {to:[{field: "rsa.file.directory_dst", setter: fld_set}]}, - "directory.src": {to:[{field: "rsa.file.directory_src", setter: fld_set}]}, - "disk_volume": {to:[{field: "rsa.storage.disk_volume", setter: fld_set}]}, - "disposition": {to:[{field: "rsa.misc.disposition", setter: fld_set}]}, - "distance": {to:[{field: "rsa.misc.distance", setter: fld_set}]}, - "dmask": {to:[{field: "rsa.network.dmask", setter: fld_set}]}, - "dn": {to:[{field: "rsa.identity.dn", setter: fld_set}]}, - "dns_a_record": {to:[{field: "rsa.network.dns_a_record", setter: fld_set}]}, - "dns_cname_record": {to:[{field: "rsa.network.dns_cname_record", setter: fld_set}]}, - "dns_id": {to:[{field: "rsa.network.dns_id", setter: fld_set}]}, - "dns_opcode": {to:[{field: "rsa.network.dns_opcode", setter: fld_set}]}, - "dns_ptr_record": {to:[{field: "rsa.network.dns_ptr_record", setter: fld_set}]}, - "dns_resp": {to:[{field: "rsa.network.dns_resp", setter: fld_set}]}, - "dns_type": {to:[{field: "rsa.network.dns_type", setter: fld_set}]}, - "doc_number": {convert: to_long, to:[{field: "rsa.misc.doc_number", setter: fld_set}]}, - "domain": {to:[{field: "rsa.network.domain", setter: fld_set}]}, - "domain1": {to:[{field: "rsa.network.domain1", setter: fld_set}]}, - "dst_dn": {to:[{field: "rsa.identity.dn_dst", setter: fld_set}]}, - "dst_payload": {to:[{field: "rsa.misc.payload_dst", setter: fld_set}]}, - "dst_spi": {to:[{field: "rsa.misc.spi_dst", setter: fld_set}]}, - "dst_zone": {to:[{field: "rsa.network.zone_dst", setter: fld_set}]}, - "dstburb": {to:[{field: "rsa.misc.dstburb", setter: fld_set}]}, - "duration": {convert: to_double, 
to:[{field: "rsa.time.duration_time", setter: fld_set}]}, - "duration_string": {to:[{field: "rsa.time.duration_str", setter: fld_set}]}, - "ec_activity": {to:[{field: "rsa.investigations.ec_activity", setter: fld_set}]}, - "ec_outcome": {to:[{field: "rsa.investigations.ec_outcome", setter: fld_set}]}, - "ec_subject": {to:[{field: "rsa.investigations.ec_subject", setter: fld_set}]}, - "ec_theme": {to:[{field: "rsa.investigations.ec_theme", setter: fld_set}]}, - "edomain": {to:[{field: "rsa.misc.edomain", setter: fld_set}]}, - "edomaub": {to:[{field: "rsa.misc.edomaub", setter: fld_set}]}, - "effective_time": {convert: to_date, to:[{field: "rsa.time.effective_time", setter: fld_set}]}, - "ein.number": {convert: to_long, to:[{field: "rsa.misc.ein_number", setter: fld_set}]}, - "email": {to:[{field: "rsa.email.email", setter: fld_append}]}, - "encryption_type": {to:[{field: "rsa.crypto.crypto", setter: fld_set}]}, - "endtime": {convert: to_date, to:[{field: "rsa.time.endtime", setter: fld_set}]}, - "entropy.req": {convert: to_long, to:[{field: "rsa.internal.entropy_req", setter: fld_set}]}, - "entropy.res": {convert: to_long, to:[{field: "rsa.internal.entropy_res", setter: fld_set}]}, - "entry": {to:[{field: "rsa.internal.entry", setter: fld_set}]}, - "eoc": {to:[{field: "rsa.investigations.eoc", setter: fld_set}]}, - "error": {to:[{field: "rsa.misc.error", setter: fld_set}]}, - "eth_type": {convert: to_long, to:[{field: "rsa.network.eth_type", setter: fld_set}]}, - "euid": {to:[{field: "rsa.misc.euid", setter: fld_set}]}, - "event.cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 1}]}, - "event.cat.name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 1}]}, - "event_cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 0}]}, - "event_cat_name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 0}]}, - "event_category": {to:[{field: 
"rsa.misc.event_category", setter: fld_set}]}, - "event_computer": {to:[{field: "rsa.misc.event_computer", setter: fld_set}]}, - "event_counter": {convert: to_long, to:[{field: "rsa.counters.event_counter", setter: fld_set}]}, - "event_description": {to:[{field: "rsa.internal.event_desc", setter: fld_set}]}, - "event_id": {to:[{field: "rsa.misc.event_id", setter: fld_set}]}, - "event_log": {to:[{field: "rsa.misc.event_log", setter: fld_set}]}, - "event_name": {to:[{field: "rsa.internal.event_name", setter: fld_set}]}, - "event_queue_time": {convert: to_date, to:[{field: "rsa.time.event_queue_time", setter: fld_set}]}, - "event_source": {to:[{field: "rsa.misc.event_source", setter: fld_set}]}, - "event_state": {to:[{field: "rsa.misc.event_state", setter: fld_set}]}, - "event_time": {convert: to_date, to:[{field: "rsa.time.event_time", setter: fld_set}]}, - "event_time_str": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 1}]}, - "event_time_string": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 0}]}, - "event_type": {to:[{field: "rsa.misc.event_type", setter: fld_set}]}, - "event_user": {to:[{field: "rsa.misc.event_user", setter: fld_set}]}, - "eventtime": {to:[{field: "rsa.time.eventtime", setter: fld_set}]}, - "expected_val": {to:[{field: "rsa.misc.expected_val", setter: fld_set}]}, - "expiration_time": {convert: to_date, to:[{field: "rsa.time.expire_time", setter: fld_set}]}, - "expiration_time_string": {to:[{field: "rsa.time.expire_time_str", setter: fld_set}]}, - "facility": {to:[{field: "rsa.misc.facility", setter: fld_set}]}, - "facilityname": {to:[{field: "rsa.misc.facilityname", setter: fld_set}]}, - "faddr": {to:[{field: "rsa.network.faddr", setter: fld_set}]}, - "fcatnum": {to:[{field: "rsa.misc.fcatnum", setter: fld_set}]}, - "federated_idp": {to:[{field: "rsa.identity.federated_idp", setter: fld_set}]}, - "federated_sp": {to:[{field: "rsa.identity.federated_sp", setter: fld_set}]}, - "feed.category": {to:[{field: 
"rsa.internal.feed_category", setter: fld_set}]}, - "feed_desc": {to:[{field: "rsa.internal.feed_desc", setter: fld_set}]}, - "feed_name": {to:[{field: "rsa.internal.feed_name", setter: fld_set}]}, - "fhost": {to:[{field: "rsa.network.fhost", setter: fld_set}]}, - "file_entropy": {convert: to_double, to:[{field: "rsa.file.file_entropy", setter: fld_set}]}, - "file_vendor": {to:[{field: "rsa.file.file_vendor", setter: fld_set}]}, - "filename_dst": {to:[{field: "rsa.file.filename_dst", setter: fld_set}]}, - "filename_src": {to:[{field: "rsa.file.filename_src", setter: fld_set}]}, - "filename_tmp": {to:[{field: "rsa.file.filename_tmp", setter: fld_set}]}, - "filesystem": {to:[{field: "rsa.file.filesystem", setter: fld_set}]}, - "filter": {to:[{field: "rsa.misc.filter", setter: fld_set}]}, - "finterface": {to:[{field: "rsa.misc.finterface", setter: fld_set}]}, - "flags": {to:[{field: "rsa.misc.flags", setter: fld_set}]}, - "forensic_info": {to:[{field: "rsa.misc.forensic_info", setter: fld_set}]}, - "forward.ip": {convert: to_ip, to:[{field: "rsa.internal.forward_ip", setter: fld_set}]}, - "forward.ipv6": {convert: to_ip, to:[{field: "rsa.internal.forward_ipv6", setter: fld_set}]}, - "found": {to:[{field: "rsa.misc.found", setter: fld_set}]}, - "fport": {to:[{field: "rsa.network.fport", setter: fld_set}]}, - "fqdn": {to:[{field: "rsa.web.fqdn", setter: fld_set}]}, - "fresult": {convert: to_long, to:[{field: "rsa.misc.fresult", setter: fld_set}]}, - "from": {to:[{field: "rsa.email.email_src", setter: fld_set}]}, - "gaddr": {to:[{field: "rsa.misc.gaddr", setter: fld_set}]}, - "gateway": {to:[{field: "rsa.network.gateway", setter: fld_set}]}, - "gmtdate": {to:[{field: "rsa.time.gmtdate", setter: fld_set}]}, - "gmttime": {to:[{field: "rsa.time.gmttime", setter: fld_set}]}, - "group": {to:[{field: "rsa.misc.group", setter: fld_set}]}, - "group_object": {to:[{field: "rsa.misc.group_object", setter: fld_set}]}, - "groupid": {to:[{field: "rsa.misc.group_id", setter: 
fld_set}]}, - "h_code": {to:[{field: "rsa.internal.hcode", setter: fld_set}]}, - "hardware_id": {to:[{field: "rsa.misc.hardware_id", setter: fld_set}]}, - "header.id": {to:[{field: "rsa.internal.header_id", setter: fld_set}]}, - "host.orig": {to:[{field: "rsa.network.host_orig", setter: fld_set}]}, - "host.state": {to:[{field: "rsa.endpoint.host_state", setter: fld_set}]}, - "host.type": {to:[{field: "rsa.network.host_type", setter: fld_set}]}, - "host_role": {to:[{field: "rsa.identity.host_role", setter: fld_set}]}, - "hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "hostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "hour": {to:[{field: "rsa.time.hour", setter: fld_set}]}, - "https.insact": {to:[{field: "rsa.crypto.https_insact", setter: fld_set}]}, - "https.valid": {to:[{field: "rsa.crypto.https_valid", setter: fld_set}]}, - "icmpcode": {convert: to_long, to:[{field: "rsa.network.icmp_code", setter: fld_set}]}, - "icmptype": {convert: to_long, to:[{field: "rsa.network.icmp_type", setter: fld_set}]}, - "id": {to:[{field: "rsa.misc.reference_id", setter: fld_set}]}, - "id1": {to:[{field: "rsa.misc.reference_id1", setter: fld_set}]}, - "id2": {to:[{field: "rsa.misc.reference_id2", setter: fld_set}]}, - "id3": {to:[{field: "rsa.misc.id3", setter: fld_set}]}, - "ike": {to:[{field: "rsa.crypto.ike", setter: fld_set}]}, - "ike_cookie1": {to:[{field: "rsa.crypto.ike_cookie1", setter: fld_set}]}, - "ike_cookie2": {to:[{field: "rsa.crypto.ike_cookie2", setter: fld_set}]}, - "im_buddyid": {to:[{field: "rsa.misc.im_buddyid", setter: fld_set}]}, - "im_buddyname": {to:[{field: "rsa.misc.im_buddyname", setter: fld_set}]}, - "im_client": {to:[{field: "rsa.misc.im_client", setter: fld_set}]}, - "im_croomid": {to:[{field: "rsa.misc.im_croomid", setter: fld_set}]}, - "im_croomtype": {to:[{field: "rsa.misc.im_croomtype", setter: fld_set}]}, - "im_members": {to:[{field: "rsa.misc.im_members", setter: fld_set}]}, - "im_userid": 
{to:[{field: "rsa.misc.im_userid", setter: fld_set}]}, - "im_username": {to:[{field: "rsa.misc.im_username", setter: fld_set}]}, - "index": {to:[{field: "rsa.misc.index", setter: fld_set}]}, - "info": {to:[{field: "rsa.db.index", setter: fld_set}]}, - "inode": {convert: to_long, to:[{field: "rsa.internal.inode", setter: fld_set}]}, - "inout": {to:[{field: "rsa.misc.inout", setter: fld_set}]}, - "instance": {to:[{field: "rsa.db.instance", setter: fld_set}]}, - "interface": {to:[{field: "rsa.network.interface", setter: fld_set}]}, - "inv.category": {to:[{field: "rsa.investigations.inv_category", setter: fld_set}]}, - "inv.context": {to:[{field: "rsa.investigations.inv_context", setter: fld_set}]}, - "ioc": {to:[{field: "rsa.investigations.ioc", setter: fld_set}]}, - "ip_proto": {convert: to_long, to:[{field: "rsa.network.ip_proto", setter: fld_set}]}, - "ipkt": {to:[{field: "rsa.misc.ipkt", setter: fld_set}]}, - "ipscat": {to:[{field: "rsa.misc.ipscat", setter: fld_set}]}, - "ipspri": {to:[{field: "rsa.misc.ipspri", setter: fld_set}]}, - "jobname": {to:[{field: "rsa.misc.jobname", setter: fld_set}]}, - "jobnum": {to:[{field: "rsa.misc.job_num", setter: fld_set}]}, - "laddr": {to:[{field: "rsa.network.laddr", setter: fld_set}]}, - "language": {to:[{field: "rsa.misc.language", setter: fld_set}]}, - "latitude": {to:[{field: "rsa.misc.latitude", setter: fld_set}]}, - "lc.cid": {to:[{field: "rsa.internal.lc_cid", setter: fld_set}]}, - "lc.ctime": {convert: to_date, to:[{field: "rsa.internal.lc_ctime", setter: fld_set}]}, - "ldap": {to:[{field: "rsa.identity.ldap", setter: fld_set}]}, - "ldap.query": {to:[{field: "rsa.identity.ldap_query", setter: fld_set}]}, - "ldap.response": {to:[{field: "rsa.identity.ldap_response", setter: fld_set}]}, - "level": {convert: to_long, to:[{field: "rsa.internal.level", setter: fld_set}]}, - "lhost": {to:[{field: "rsa.network.lhost", setter: fld_set}]}, - "library": {to:[{field: "rsa.misc.library", setter: fld_set}]}, - "lifetime": 
{convert: to_long, to:[{field: "rsa.misc.lifetime", setter: fld_set}]}, - "linenum": {to:[{field: "rsa.misc.linenum", setter: fld_set}]}, - "link": {to:[{field: "rsa.misc.link", setter: fld_set}]}, - "linterface": {to:[{field: "rsa.network.linterface", setter: fld_set}]}, - "list_name": {to:[{field: "rsa.misc.list_name", setter: fld_set}]}, - "listnum": {to:[{field: "rsa.misc.listnum", setter: fld_set}]}, - "load_data": {to:[{field: "rsa.misc.load_data", setter: fld_set}]}, - "location_floor": {to:[{field: "rsa.misc.location_floor", setter: fld_set}]}, - "location_mark": {to:[{field: "rsa.misc.location_mark", setter: fld_set}]}, - "log_id": {to:[{field: "rsa.misc.log_id", setter: fld_set}]}, - "log_type": {to:[{field: "rsa.misc.log_type", setter: fld_set}]}, - "logid": {to:[{field: "rsa.misc.logid", setter: fld_set}]}, - "logip": {to:[{field: "rsa.misc.logip", setter: fld_set}]}, - "logname": {to:[{field: "rsa.misc.logname", setter: fld_set}]}, - "logon_type": {to:[{field: "rsa.identity.logon_type", setter: fld_set}]}, - "logon_type_desc": {to:[{field: "rsa.identity.logon_type_desc", setter: fld_set}]}, - "longitude": {to:[{field: "rsa.misc.longitude", setter: fld_set}]}, - "lport": {to:[{field: "rsa.misc.lport", setter: fld_set}]}, - "lread": {convert: to_long, to:[{field: "rsa.db.lread", setter: fld_set}]}, - "lun": {to:[{field: "rsa.storage.lun", setter: fld_set}]}, - "lwrite": {convert: to_long, to:[{field: "rsa.db.lwrite", setter: fld_set}]}, - "macaddr": {convert: to_mac, to:[{field: "rsa.network.eth_host", setter: fld_set}]}, - "mail_id": {to:[{field: "rsa.misc.mail_id", setter: fld_set}]}, - "mask": {to:[{field: "rsa.network.mask", setter: fld_set}]}, - "match": {to:[{field: "rsa.misc.match", setter: fld_set}]}, - "mbug_data": {to:[{field: "rsa.misc.mbug_data", setter: fld_set}]}, - "mcb.req": {convert: to_long, to:[{field: "rsa.internal.mcb_req", setter: fld_set}]}, - "mcb.res": {convert: to_long, to:[{field: "rsa.internal.mcb_res", setter: fld_set}]}, - 
"mcbc.req": {convert: to_long, to:[{field: "rsa.internal.mcbc_req", setter: fld_set}]}, - "mcbc.res": {convert: to_long, to:[{field: "rsa.internal.mcbc_res", setter: fld_set}]}, - "medium": {convert: to_long, to:[{field: "rsa.internal.medium", setter: fld_set}]}, - "message": {to:[{field: "rsa.internal.message", setter: fld_set}]}, - "message_body": {to:[{field: "rsa.misc.message_body", setter: fld_set}]}, - "messageid": {to:[{field: "rsa.internal.messageid", setter: fld_set}]}, - "min": {to:[{field: "rsa.time.min", setter: fld_set}]}, - "misc": {to:[{field: "rsa.misc.misc", setter: fld_set}]}, - "misc_name": {to:[{field: "rsa.misc.misc_name", setter: fld_set}]}, - "mode": {to:[{field: "rsa.misc.mode", setter: fld_set}]}, - "month": {to:[{field: "rsa.time.month", setter: fld_set}]}, - "msg": {to:[{field: "rsa.internal.msg", setter: fld_set}]}, - "msgIdPart1": {to:[{field: "rsa.misc.msgIdPart1", setter: fld_set}]}, - "msgIdPart2": {to:[{field: "rsa.misc.msgIdPart2", setter: fld_set}]}, - "msgIdPart3": {to:[{field: "rsa.misc.msgIdPart3", setter: fld_set}]}, - "msgIdPart4": {to:[{field: "rsa.misc.msgIdPart4", setter: fld_set}]}, - "msg_id": {to:[{field: "rsa.internal.msg_id", setter: fld_set}]}, - "msg_type": {to:[{field: "rsa.misc.msg_type", setter: fld_set}]}, - "msgid": {to:[{field: "rsa.misc.msgid", setter: fld_set}]}, - "name": {to:[{field: "rsa.misc.name", setter: fld_set}]}, - "netname": {to:[{field: "rsa.network.netname", setter: fld_set}]}, - "netsessid": {to:[{field: "rsa.misc.netsessid", setter: fld_set}]}, - "network_port": {convert: to_long, to:[{field: "rsa.network.network_port", setter: fld_set}]}, - "network_service": {to:[{field: "rsa.network.network_service", setter: fld_set}]}, - "node": {to:[{field: "rsa.misc.node", setter: fld_set}]}, - "nodename": {to:[{field: "rsa.internal.node_name", setter: fld_set}]}, - "ntype": {to:[{field: "rsa.misc.ntype", setter: fld_set}]}, - "num": {to:[{field: "rsa.misc.num", setter: fld_set}]}, - "number": 
{to:[{field: "rsa.misc.number", setter: fld_set}]}, - "number1": {to:[{field: "rsa.misc.number1", setter: fld_set}]}, - "number2": {to:[{field: "rsa.misc.number2", setter: fld_set}]}, - "nwe.callback_id": {to:[{field: "rsa.internal.nwe_callback_id", setter: fld_set}]}, - "nwwn": {to:[{field: "rsa.misc.nwwn", setter: fld_set}]}, - "obj_id": {to:[{field: "rsa.internal.obj_id", setter: fld_set}]}, - "obj_name": {to:[{field: "rsa.misc.obj_name", setter: fld_set}]}, - "obj_server": {to:[{field: "rsa.internal.obj_server", setter: fld_set}]}, - "obj_type": {to:[{field: "rsa.misc.obj_type", setter: fld_set}]}, - "obj_value": {to:[{field: "rsa.internal.obj_val", setter: fld_set}]}, - "object": {to:[{field: "rsa.misc.object", setter: fld_set}]}, - "observed_val": {to:[{field: "rsa.misc.observed_val", setter: fld_set}]}, - "operation": {to:[{field: "rsa.misc.operation", setter: fld_set}]}, - "operation_id": {to:[{field: "rsa.misc.operation_id", setter: fld_set}]}, - "opkt": {to:[{field: "rsa.misc.opkt", setter: fld_set}]}, - "org.dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 1}]}, - "org.src": {to:[{field: "rsa.physical.org_src", setter: fld_set}]}, - "org_dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 0}]}, - "orig_from": {to:[{field: "rsa.misc.orig_from", setter: fld_set}]}, - "origin": {to:[{field: "rsa.network.origin", setter: fld_set}]}, - "original_owner": {to:[{field: "rsa.identity.owner", setter: fld_set}]}, - "os": {to:[{field: "rsa.misc.OS", setter: fld_set}]}, - "owner_id": {to:[{field: "rsa.misc.owner_id", setter: fld_set}]}, - "p_action": {to:[{field: "rsa.misc.p_action", setter: fld_set}]}, - "p_date": {to:[{field: "rsa.time.p_date", setter: fld_set}]}, - "p_filter": {to:[{field: "rsa.misc.p_filter", setter: fld_set}]}, - "p_group_object": {to:[{field: "rsa.misc.p_group_object", setter: fld_set}]}, - "p_id": {to:[{field: "rsa.misc.p_id", setter: fld_set}]}, - "p_month": {to:[{field: "rsa.time.p_month", setter: fld_set}]}, 
- "p_msgid": {to:[{field: "rsa.misc.p_msgid", setter: fld_set}]}, - "p_msgid1": {to:[{field: "rsa.misc.p_msgid1", setter: fld_set}]}, - "p_msgid2": {to:[{field: "rsa.misc.p_msgid2", setter: fld_set}]}, - "p_result1": {to:[{field: "rsa.misc.p_result1", setter: fld_set}]}, - "p_time": {to:[{field: "rsa.time.p_time", setter: fld_set}]}, - "p_time1": {to:[{field: "rsa.time.p_time1", setter: fld_set}]}, - "p_time2": {to:[{field: "rsa.time.p_time2", setter: fld_set}]}, - "p_url": {to:[{field: "rsa.web.p_url", setter: fld_set}]}, - "p_user_agent": {to:[{field: "rsa.web.p_user_agent", setter: fld_set}]}, - "p_web_cookie": {to:[{field: "rsa.web.p_web_cookie", setter: fld_set}]}, - "p_web_method": {to:[{field: "rsa.web.p_web_method", setter: fld_set}]}, - "p_web_referer": {to:[{field: "rsa.web.p_web_referer", setter: fld_set}]}, - "p_year": {to:[{field: "rsa.time.p_year", setter: fld_set}]}, - "packet_length": {to:[{field: "rsa.network.packet_length", setter: fld_set}]}, - "paddr": {convert: to_ip, to:[{field: "rsa.network.paddr", setter: fld_set}]}, - "param": {to:[{field: "rsa.misc.param", setter: fld_set}]}, - "param.dst": {to:[{field: "rsa.misc.param_dst", setter: fld_set}]}, - "param.src": {to:[{field: "rsa.misc.param_src", setter: fld_set}]}, - "parent_node": {to:[{field: "rsa.misc.parent_node", setter: fld_set}]}, - "parse.error": {to:[{field: "rsa.internal.parse_error", setter: fld_set}]}, - "password": {to:[{field: "rsa.identity.password", setter: fld_set}]}, - "password_chg": {to:[{field: "rsa.misc.password_chg", setter: fld_set}]}, - "password_expire": {to:[{field: "rsa.misc.password_expire", setter: fld_set}]}, - "patient_fname": {to:[{field: "rsa.healthcare.patient_fname", setter: fld_set}]}, - "patient_id": {to:[{field: "rsa.healthcare.patient_id", setter: fld_set}]}, - "patient_lname": {to:[{field: "rsa.healthcare.patient_lname", setter: fld_set}]}, - "patient_mname": {to:[{field: "rsa.healthcare.patient_mname", setter: fld_set}]}, - "payload.req": {convert: 
to_long, to:[{field: "rsa.internal.payload_req", setter: fld_set}]}, - "payload.res": {convert: to_long, to:[{field: "rsa.internal.payload_res", setter: fld_set}]}, - "peer": {to:[{field: "rsa.crypto.peer", setter: fld_set}]}, - "peer_id": {to:[{field: "rsa.crypto.peer_id", setter: fld_set}]}, - "permgranted": {to:[{field: "rsa.misc.permgranted", setter: fld_set}]}, - "permissions": {to:[{field: "rsa.db.permissions", setter: fld_set}]}, - "permwanted": {to:[{field: "rsa.misc.permwanted", setter: fld_set}]}, - "pgid": {to:[{field: "rsa.misc.pgid", setter: fld_set}]}, - "phone_number": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 2}]}, - "phost": {to:[{field: "rsa.network.phost", setter: fld_set}]}, - "pid": {to:[{field: "rsa.misc.pid", setter: fld_set}]}, - "policy": {to:[{field: "rsa.misc.policy", setter: fld_set}]}, - "policyUUID": {to:[{field: "rsa.misc.policyUUID", setter: fld_set}]}, - "policy_id": {to:[{field: "rsa.misc.policy_id", setter: fld_set}]}, - "policy_value": {to:[{field: "rsa.misc.policy_value", setter: fld_set}]}, - "policy_waiver": {to:[{field: "rsa.misc.policy_waiver", setter: fld_set}]}, - "policyname": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 0}]}, - "pool_id": {to:[{field: "rsa.misc.pool_id", setter: fld_set}]}, - "pool_name": {to:[{field: "rsa.misc.pool_name", setter: fld_set}]}, - "port": {convert: to_long, to:[{field: "rsa.network.port", setter: fld_set}]}, - "portname": {to:[{field: "rsa.misc.port_name", setter: fld_set}]}, - "pread": {convert: to_long, to:[{field: "rsa.db.pread", setter: fld_set}]}, - "priority": {to:[{field: "rsa.misc.priority", setter: fld_set}]}, - "privilege": {to:[{field: "rsa.file.privilege", setter: fld_set}]}, - "process.vid.dst": {to:[{field: "rsa.internal.process_vid_dst", setter: fld_set}]}, - "process.vid.src": {to:[{field: "rsa.internal.process_vid_src", setter: fld_set}]}, - "process_id_val": {to:[{field: "rsa.misc.process_id_val", setter: fld_set}]}, - "processing_time": 
{to:[{field: "rsa.time.process_time", setter: fld_set}]}, - "profile": {to:[{field: "rsa.identity.profile", setter: fld_set}]}, - "prog_asp_num": {to:[{field: "rsa.misc.prog_asp_num", setter: fld_set}]}, - "program": {to:[{field: "rsa.misc.program", setter: fld_set}]}, - "protocol_detail": {to:[{field: "rsa.network.protocol_detail", setter: fld_set}]}, - "pwwn": {to:[{field: "rsa.storage.pwwn", setter: fld_set}]}, - "r_hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "real_data": {to:[{field: "rsa.misc.real_data", setter: fld_set}]}, - "realm": {to:[{field: "rsa.identity.realm", setter: fld_set}]}, - "reason": {to:[{field: "rsa.misc.reason", setter: fld_set}]}, - "rec_asp_device": {to:[{field: "rsa.misc.rec_asp_device", setter: fld_set}]}, - "rec_asp_num": {to:[{field: "rsa.misc.rec_asp_num", setter: fld_set}]}, - "rec_library": {to:[{field: "rsa.misc.rec_library", setter: fld_set}]}, - "recorded_time": {convert: to_date, to:[{field: "rsa.time.recorded_time", setter: fld_set}]}, - "recordnum": {to:[{field: "rsa.misc.recordnum", setter: fld_set}]}, - "registry.key": {to:[{field: "rsa.endpoint.registry_key", setter: fld_set}]}, - "registry.value": {to:[{field: "rsa.endpoint.registry_value", setter: fld_set}]}, - "remote_domain": {to:[{field: "rsa.web.remote_domain", setter: fld_set}]}, - "remote_domain_id": {to:[{field: "rsa.network.remote_domain_id", setter: fld_set}]}, - "reputation_num": {convert: to_double, to:[{field: "rsa.web.reputation_num", setter: fld_set}]}, - "resource": {to:[{field: "rsa.internal.resource", setter: fld_set}]}, - "resource_class": {to:[{field: "rsa.internal.resource_class", setter: fld_set}]}, - "result": {to:[{field: "rsa.misc.result", setter: fld_set}]}, - "result_code": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 1}]}, - "resultcode": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 0}]}, - "rid": {convert: to_long, to:[{field: "rsa.internal.rid", setter: fld_set}]}, - "risk": 
{to:[{field: "rsa.misc.risk", setter: fld_set}]}, - "risk_info": {to:[{field: "rsa.misc.risk_info", setter: fld_set}]}, - "risk_num": {convert: to_double, to:[{field: "rsa.misc.risk_num", setter: fld_set}]}, - "risk_num_comm": {convert: to_double, to:[{field: "rsa.misc.risk_num_comm", setter: fld_set}]}, - "risk_num_next": {convert: to_double, to:[{field: "rsa.misc.risk_num_next", setter: fld_set}]}, - "risk_num_sand": {convert: to_double, to:[{field: "rsa.misc.risk_num_sand", setter: fld_set}]}, - "risk_num_static": {convert: to_double, to:[{field: "rsa.misc.risk_num_static", setter: fld_set}]}, - "risk_suspicious": {to:[{field: "rsa.misc.risk_suspicious", setter: fld_set}]}, - "risk_warning": {to:[{field: "rsa.misc.risk_warning", setter: fld_set}]}, - "rpayload": {to:[{field: "rsa.network.rpayload", setter: fld_set}]}, - "ruid": {to:[{field: "rsa.misc.ruid", setter: fld_set}]}, - "rule": {to:[{field: "rsa.misc.rule", setter: fld_set}]}, - "rule_group": {to:[{field: "rsa.misc.rule_group", setter: fld_set}]}, - "rule_template": {to:[{field: "rsa.misc.rule_template", setter: fld_set}]}, - "rule_uid": {to:[{field: "rsa.misc.rule_uid", setter: fld_set}]}, - "rulename": {to:[{field: "rsa.misc.rule_name", setter: fld_set}]}, - "s_certauth": {to:[{field: "rsa.crypto.s_certauth", setter: fld_set}]}, - "s_cipher": {to:[{field: "rsa.crypto.cipher_src", setter: fld_set}]}, - "s_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_src", setter: fld_set}]}, - "s_context": {to:[{field: "rsa.misc.context_subject", setter: fld_set}]}, - "s_sslver": {to:[{field: "rsa.crypto.ssl_ver_src", setter: fld_set}]}, - "sburb": {to:[{field: "rsa.misc.sburb", setter: fld_set}]}, - "scheme": {to:[{field: "rsa.crypto.scheme", setter: fld_set}]}, - "sdomain_fld": {to:[{field: "rsa.misc.sdomain_fld", setter: fld_set}]}, - "search.text": {to:[{field: "rsa.misc.search_text", setter: fld_set}]}, - "sec": {to:[{field: "rsa.misc.sec", setter: fld_set}]}, - "second": {to:[{field: 
"rsa.misc.second", setter: fld_set}]}, - "sensor": {to:[{field: "rsa.misc.sensor", setter: fld_set}]}, - "sensorname": {to:[{field: "rsa.misc.sensorname", setter: fld_set}]}, - "seqnum": {to:[{field: "rsa.misc.seqnum", setter: fld_set}]}, - "serial_number": {to:[{field: "rsa.misc.serial_number", setter: fld_set}]}, - "service.account": {to:[{field: "rsa.identity.service_account", setter: fld_set}]}, - "session": {to:[{field: "rsa.misc.session", setter: fld_set}]}, - "session.split": {to:[{field: "rsa.internal.session_split", setter: fld_set}]}, - "sessionid": {to:[{field: "rsa.misc.log_session_id", setter: fld_set}]}, - "sessionid1": {to:[{field: "rsa.misc.log_session_id1", setter: fld_set}]}, - "sessiontype": {to:[{field: "rsa.misc.sessiontype", setter: fld_set}]}, - "severity": {to:[{field: "rsa.misc.severity", setter: fld_set}]}, - "sid": {to:[{field: "rsa.identity.user_sid_dst", setter: fld_set}]}, - "sig.name": {to:[{field: "rsa.misc.sig_name", setter: fld_set}]}, - "sigUUID": {to:[{field: "rsa.misc.sigUUID", setter: fld_set}]}, - "sigcat": {to:[{field: "rsa.misc.sigcat", setter: fld_set}]}, - "sigid": {convert: to_long, to:[{field: "rsa.misc.sig_id", setter: fld_set}]}, - "sigid1": {convert: to_long, to:[{field: "rsa.misc.sig_id1", setter: fld_set}]}, - "sigid_string": {to:[{field: "rsa.misc.sig_id_str", setter: fld_set}]}, - "signame": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 1}]}, - "sigtype": {to:[{field: "rsa.crypto.sig_type", setter: fld_set}]}, - "sinterface": {to:[{field: "rsa.network.sinterface", setter: fld_set}]}, - "site": {to:[{field: "rsa.internal.site", setter: fld_set}]}, - "size": {convert: to_long, to:[{field: "rsa.internal.size", setter: fld_set}]}, - "smask": {to:[{field: "rsa.network.smask", setter: fld_set}]}, - "snmp.oid": {to:[{field: "rsa.misc.snmp_oid", setter: fld_set}]}, - "snmp.value": {to:[{field: "rsa.misc.snmp_value", setter: fld_set}]}, - "sourcefile": {to:[{field: "rsa.internal.sourcefile", setter: 
fld_set}]}, - "space": {to:[{field: "rsa.misc.space", setter: fld_set}]}, - "space1": {to:[{field: "rsa.misc.space1", setter: fld_set}]}, - "spi": {to:[{field: "rsa.misc.spi", setter: fld_set}]}, - "sql": {to:[{field: "rsa.misc.sql", setter: fld_set}]}, - "src_dn": {to:[{field: "rsa.identity.dn_src", setter: fld_set}]}, - "src_payload": {to:[{field: "rsa.misc.payload_src", setter: fld_set}]}, - "src_spi": {to:[{field: "rsa.misc.spi_src", setter: fld_set}]}, - "src_zone": {to:[{field: "rsa.network.zone_src", setter: fld_set}]}, - "srcburb": {to:[{field: "rsa.misc.srcburb", setter: fld_set}]}, - "srcdom": {to:[{field: "rsa.misc.srcdom", setter: fld_set}]}, - "srcservice": {to:[{field: "rsa.misc.srcservice", setter: fld_set}]}, - "ssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 0}]}, - "stamp": {convert: to_date, to:[{field: "rsa.time.stamp", setter: fld_set}]}, - "starttime": {convert: to_date, to:[{field: "rsa.time.starttime", setter: fld_set}]}, - "state": {to:[{field: "rsa.misc.state", setter: fld_set}]}, - "statement": {to:[{field: "rsa.internal.statement", setter: fld_set}]}, - "status": {to:[{field: "rsa.misc.status", setter: fld_set}]}, - "status1": {to:[{field: "rsa.misc.status1", setter: fld_set}]}, - "streams": {convert: to_long, to:[{field: "rsa.misc.streams", setter: fld_set}]}, - "subcategory": {to:[{field: "rsa.misc.subcategory", setter: fld_set}]}, - "subject": {to:[{field: "rsa.email.subject", setter: fld_set}]}, - "svcno": {to:[{field: "rsa.misc.svcno", setter: fld_set}]}, - "system": {to:[{field: "rsa.misc.system", setter: fld_set}]}, - "t_context": {to:[{field: "rsa.misc.context_target", setter: fld_set}]}, - "task_name": {to:[{field: "rsa.file.task_name", setter: fld_set}]}, - "tbdstr1": {to:[{field: "rsa.misc.tbdstr1", setter: fld_set}]}, - "tbdstr2": {to:[{field: "rsa.misc.tbdstr2", setter: fld_set}]}, - "tbl_name": {to:[{field: "rsa.db.table_name", setter: fld_set}]}, - "tcp_flags": {convert: to_long, to:[{field: 
"rsa.misc.tcp_flags", setter: fld_set}]}, - "terminal": {to:[{field: "rsa.misc.terminal", setter: fld_set}]}, - "tgtdom": {to:[{field: "rsa.misc.tgtdom", setter: fld_set}]}, - "tgtdomain": {to:[{field: "rsa.misc.tgtdomain", setter: fld_set}]}, - "threat_name": {to:[{field: "rsa.threat.threat_category", setter: fld_set}]}, - "threat_source": {to:[{field: "rsa.threat.threat_source", setter: fld_set}]}, - "threat_val": {to:[{field: "rsa.threat.threat_desc", setter: fld_set}]}, - "threshold": {to:[{field: "rsa.misc.threshold", setter: fld_set}]}, - "time": {convert: to_date, to:[{field: "rsa.internal.time", setter: fld_set}]}, - "timestamp": {to:[{field: "rsa.time.timestamp", setter: fld_set}]}, - "timezone": {to:[{field: "rsa.time.timezone", setter: fld_set}]}, - "to": {to:[{field: "rsa.email.email_dst", setter: fld_set}]}, - "tos": {convert: to_long, to:[{field: "rsa.misc.tos", setter: fld_set}]}, - "trans_from": {to:[{field: "rsa.email.trans_from", setter: fld_set}]}, - "trans_id": {to:[{field: "rsa.db.transact_id", setter: fld_set}]}, - "trans_to": {to:[{field: "rsa.email.trans_to", setter: fld_set}]}, - "trigger_desc": {to:[{field: "rsa.misc.trigger_desc", setter: fld_set}]}, - "trigger_val": {to:[{field: "rsa.misc.trigger_val", setter: fld_set}]}, - "type": {to:[{field: "rsa.misc.type", setter: fld_set}]}, - "type1": {to:[{field: "rsa.misc.type1", setter: fld_set}]}, - "tzone": {to:[{field: "rsa.time.tzone", setter: fld_set}]}, - "ubc.req": {convert: to_long, to:[{field: "rsa.internal.ubc_req", setter: fld_set}]}, - "ubc.res": {convert: to_long, to:[{field: "rsa.internal.ubc_res", setter: fld_set}]}, - "udb_class": {to:[{field: "rsa.misc.udb_class", setter: fld_set}]}, - "url_fld": {to:[{field: "rsa.misc.url_fld", setter: fld_set}]}, - "urlpage": {to:[{field: "rsa.web.urlpage", setter: fld_set}]}, - "urlroot": {to:[{field: "rsa.web.urlroot", setter: fld_set}]}, - "user_address": {to:[{field: "rsa.email.email", setter: fld_append}]}, - "user_dept": {to:[{field: 
"rsa.identity.user_dept", setter: fld_set}]}, - "user_div": {to:[{field: "rsa.misc.user_div", setter: fld_set}]}, - "user_fname": {to:[{field: "rsa.identity.firstname", setter: fld_set}]}, - "user_lname": {to:[{field: "rsa.identity.lastname", setter: fld_set}]}, - "user_mname": {to:[{field: "rsa.identity.middlename", setter: fld_set}]}, - "user_org": {to:[{field: "rsa.identity.org", setter: fld_set}]}, - "user_role": {to:[{field: "rsa.identity.user_role", setter: fld_set}]}, - "userid": {to:[{field: "rsa.misc.userid", setter: fld_set}]}, - "username_fld": {to:[{field: "rsa.misc.username_fld", setter: fld_set}]}, - "utcstamp": {to:[{field: "rsa.misc.utcstamp", setter: fld_set}]}, - "v_instafname": {to:[{field: "rsa.misc.v_instafname", setter: fld_set}]}, - "vendor_event_cat": {to:[{field: "rsa.investigations.event_vcat", setter: fld_set}]}, - "version": {to:[{field: "rsa.misc.version", setter: fld_set}]}, - "vid": {to:[{field: "rsa.internal.msg_vid", setter: fld_set}]}, - "virt_data": {to:[{field: "rsa.misc.virt_data", setter: fld_set}]}, - "virusname": {to:[{field: "rsa.misc.virusname", setter: fld_set}]}, - "vlan": {convert: to_long, to:[{field: "rsa.network.vlan", setter: fld_set}]}, - "vlan.name": {to:[{field: "rsa.network.vlan_name", setter: fld_set}]}, - "vm_target": {to:[{field: "rsa.misc.vm_target", setter: fld_set}]}, - "vpnid": {to:[{field: "rsa.misc.vpnid", setter: fld_set}]}, - "vsys": {to:[{field: "rsa.misc.vsys", setter: fld_set}]}, - "vuln_ref": {to:[{field: "rsa.misc.vuln_ref", setter: fld_set}]}, - "web_cookie": {to:[{field: "rsa.web.web_cookie", setter: fld_set}]}, - "web_extension_tmp": {to:[{field: "rsa.web.web_extension_tmp", setter: fld_set}]}, - "web_host": {to:[{field: "rsa.web.alias_host", setter: fld_set}]}, - "web_method": {to:[{field: "rsa.misc.action", setter: fld_append}]}, - "web_page": {to:[{field: "rsa.web.web_page", setter: fld_set}]}, - "web_ref_domain": {to:[{field: "rsa.web.web_ref_domain", setter: fld_set}]}, - "web_ref_host": 
{to:[{field: "rsa.network.alias_host", setter: fld_append}]},
- "web_ref_page": {to:[{field: "rsa.web.web_ref_page", setter: fld_set}]},
- "web_ref_query": {to:[{field: "rsa.web.web_ref_query", setter: fld_set}]},
- "web_ref_root": {to:[{field: "rsa.web.web_ref_root", setter: fld_set}]},
- "wifi_channel": {convert: to_long, to:[{field: "rsa.wireless.wlan_channel", setter: fld_set}]},
- "wlan": {to:[{field: "rsa.wireless.wlan_name", setter: fld_set}]},
- "word": {to:[{field: "rsa.internal.word", setter: fld_set}]},
- "workspace_desc": {to:[{field: "rsa.misc.workspace", setter: fld_set}]},
- "workstation": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
- "year": {to:[{field: "rsa.time.year", setter: fld_set}]},
- "zone": {to:[{field: "rsa.network.zone", setter: fld_set}]},
- };
-
- function to_date(value) {
- switch (typeof (value)) {
- case "object":
- // This is a Date. But as it was obtained from evt.Get(), the VM
- doesn't see it as a JS Date anymore, thus value instanceof Date === false.
- Have to trust that any object here is a valid Date for Go.
- return value;
- case "string":
- var asDate = new Date(value);
- if (!isNaN(asDate)) return asDate;
- }
- }
-
- // ECMAScript 5.1 doesn't have Object.MAX_SAFE_INTEGER / Object.MIN_SAFE_INTEGER.
- var maxSafeInt = Math.pow(2, 53) - 1;
- var minSafeInt = -maxSafeInt;
-
- function to_long(value) {
- var num = parseInt(value);
- // Better not to index a number if it's not safe (above 53 bits).
- return !isNaN(num) && minSafeInt <= num && num <= maxSafeInt ? num : undefined;
- }
-
- function to_ip(value) {
- if (value.indexOf(":") === -1)
- return to_ipv4(value);
- return to_ipv6(value);
- }
-
- var ipv4_regex = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/;
- var ipv6_hex_regex = /^[0-9A-Fa-f]{1,4}$/;
-
- function to_ipv4(value) {
- var result = ipv4_regex.exec(value);
- if (result == null || result.length !== 5) return;
- for (var i = 1; i < 5; i++) {
- var num = strictToInt(result[i]);
- if (isNaN(num) || num < 0 || num > 255) return;
- }
- return value;
- }
-
- function to_ipv6(value) {
- var sqEnd = value.indexOf("]");
- if (sqEnd > -1) {
- if (value.charAt(0) !== "[") return;
- value = value.substr(1, sqEnd - 1);
- }
- var zoneOffset = value.indexOf("%");
- if (zoneOffset > -1) {
- value = value.substr(0, zoneOffset);
- }
- var parts = value.split(":");
- if (parts == null || parts.length < 3 || parts.length > 8) return;
- var numEmpty = 0;
- var innerEmpty = 0;
- for (var i = 0; i < parts.length; i++) {
- if (parts[i].length === 0) {
- numEmpty++;
- if (i > 0 && i + 1 < parts.length) innerEmpty++;
- } else if (!parts[i].match(ipv6_hex_regex) &&
- // Accept an IPv6 with a valid IPv4 at the end.
- ((i + 1 < parts.length) || !to_ipv4(parts[i]))) {
- return;
- }
- }
- return innerEmpty === 0 && parts.length === 8 || innerEmpty === 1 ? value : undefined;
- }
-
- function to_double(value) {
- return parseFloat(value);
- }
-
- function to_mac(value) {
- // ES doesn't have a mac datatype so it's safe to ingest whatever was captured.
- return value;
- }
-
- function to_lowercase(value) {
- // to_lowercase is used against keyword fields, which can accept
- any other type (numbers, dates).
- return typeof(value) === "string"? value.toLowerCase() : value;
- }
-
- function fld_set(dst, value) {
- dst[this.field] = { v: value };
- }
-
- function fld_append(dst, value) {
- if (dst[this.field] === undefined) {
- dst[this.field] = { v: [value] };
- } else {
- var base = dst[this.field];
- if (base.v.indexOf(value)===-1) base.v.push(value);
- }
- }
-
- function fld_prio(dst, value) {
- if (dst[this.field] === undefined) {
- dst[this.field] = { v: value, prio: this.prio};
- } else if(this.prio < dst[this.field].prio) {
- dst[this.field].v = value;
- dst[this.field].prio = this.prio;
- }
- }
-
- var valid_ecs_outcome = {
- 'failure': true,
- 'success': true,
- 'unknown': true
- };
-
- function fld_ecs_outcome(dst, value) {
- value = value.toLowerCase();
- if (valid_ecs_outcome[value] === undefined) {
- value = 'unknown';
- }
- if (dst[this.field] === undefined) {
- dst[this.field] = { v: value };
- } else if (dst[this.field].v === 'unknown') {
- dst[this.field] = { v: value };
- }
- }
-
- function map_all(evt, targets, value) {
- for (var i = 0; i < targets.length; i++) {
- evt.Put(targets[i], value);
- }
- }
-
- function populate_fields(evt) {
- var base = evt.Get(FIELDS_OBJECT);
- if (base === null) return;
- alternate_datetime(evt);
- if (map_ecs) {
- do_populate(evt, base, ecs_mappings);
- }
- if (map_rsa) {
- do_populate(evt, base, rsa_mappings);
- }
- if (keep_raw) {
- evt.Put("rsa.raw", base);
- }
- evt.Delete(FIELDS_OBJECT);
- }
-
- var datetime_alt_components = [
- {field: "day", fmts: [[dF]]},
- {field: "year", fmts: [[dW]]},
- {field: "month", fmts: [[dB],[dG]]},
- {field: "date", fmts: [[dW,dSkip,dG,dSkip,dF],[dW,dSkip,dB,dSkip,dF],[dW,dSkip,dR,dSkip,dF]]},
- {field: "hour", fmts: [[dN]]},
- {field: "min", fmts: [[dU]]},
- {field: "secs", fmts: [[dO]]},
- {field: "time", fmts: [[dN, dSkip, dU, dSkip, dO]]},
- ];
-
- function alternate_datetime(evt) {
- if (evt.Get(FIELDS_PREFIX + "event_time") != null) {
- return;
- }
- var tzOffset = tz_offset;
- if (tzOffset === "event") {
- 
tzOffset = evt.Get("event.timezone"); - } - var container = new DateContainer(tzOffset); - for (var i=0; i} %{hostname->} %{messageid}[%{process_id}]: %{payload}", processor_chain([ - setc("header_id","0001"), - ])); - - var hdr2 = match("HEADER#1:0002", "message", "%{hfld1->} %{messageid}[%{process_id}]: %{payload}", processor_chain([ - setc("header_id","0002"), - ])); - - var hdr3 = match("HEADER#2:0003", "message", "%{hfld1->} %{hostname->} reverseproxy: %{payload}", processor_chain([ - setc("header_id","0003"), - setc("messageid","reverseproxy"), - ])); - - var hdr4 = match("HEADER#3:0005", "message", "%{hfld1->} %{hostname->} %{messageid}: %{payload}", processor_chain([ - setc("header_id","0005"), - ])); - - var hdr5 = match("HEADER#4:0004", "message", "%{hfld1->} %{id}[%{process_id}]: %{payload}", processor_chain([ - setc("header_id","0004"), - setc("messageid","astarosg_TVM"), - ])); - - var hdr6 = match("HEADER#5:0006", "message", "device=\"%{product}\" date=%{hdate->} time=%{htime->} timezone=\"%{timezone}\" device_name=\"%{device}\" device_id=%{hardware_id->} log_id=%{id->} %{payload}", processor_chain([ - setc("header_id","0006"), - setc("messageid","Sophos_Firewall"), - ])); - - var select1 = linear_select([ - hdr1, - hdr2, - hdr3, - hdr4, - hdr5, - hdr6, - ]); - - var part1 = match("MESSAGE#0:named:01", "nwparser.payload", "received control channel command '%{action}'", processor_chain([ - dup1, - dup2, - dup3, - ])); - - var msg1 = msg("named:01", part1); - - var part2 = match("MESSAGE#1:named:02", "nwparser.payload", "flushing caches in all views %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - ])); - - var msg2 = msg("named:02", part2); - - var part3 = match("MESSAGE#2:named:03", "nwparser.payload", "error (%{result}) resolving '%{dhost}': %{daddr}#%{dport}", processor_chain([ - dup4, - dup2, - dup3, - ])); - - var msg3 = msg("named:03", part3); - - var part4 = match("MESSAGE#3:named:04", "nwparser.payload", "received %{action->} signal 
to %{fld3}", processor_chain([ - dup5, - dup2, - dup3, - ])); - - var msg4 = msg("named:04", part4); - - var part5 = match("MESSAGE#4:named:05", "nwparser.payload", "loading configuration from '%(unknown)'", processor_chain([ - dup6, - dup2, - dup3, - ])); - - var msg5 = msg("named:05", part5); - - var part6 = match("MESSAGE#5:named:06", "nwparser.payload", "no %{protocol->} interfaces found", processor_chain([ - setc("eventcategory","1804000000"), - dup2, - dup3, - ])); - - var msg6 = msg("named:06", part6); - - var part7 = match("MESSAGE#6:named:07", "nwparser.payload", "sizing zone task pool based on %{fld3->} zones", processor_chain([ - dup7, - dup2, - dup3, - ])); - - var msg7 = msg("named:07", part7); - - var part8 = match("MESSAGE#7:named:08", "nwparser.payload", "automatic empty zone: view %{fld3}: %{dns_ptr_record}", processor_chain([ - dup8, - dup2, - dup3, - ])); - - var msg8 = msg("named:08", part8); - - var part9 = match("MESSAGE#8:named:09", "nwparser.payload", "reloading %{obj_type->} %{disposition}", processor_chain([ - dup7, - dup2, - dup3, - setc("action","reloading"), - ])); - - var msg9 = msg("named:09", part9); - - var part10 = match("MESSAGE#9:named:10", "nwparser.payload", "zone %{dhost}/%{fld3}: loaded serial %{operation_id}", processor_chain([ - dup7, - dup9, - dup2, - dup3, - ])); - - var msg10 = msg("named:10", part10); - - var part11 = match("MESSAGE#10:named:11", "nwparser.payload", "all zones loaded%{}", processor_chain([ - dup7, - dup9, - dup2, - dup3, - setc("action","all zones loaded"), - ])); - - var msg11 = msg("named:11", part11); - - var part12 = match("MESSAGE#11:named:12", "nwparser.payload", "running%{}", processor_chain([ - dup7, - setc("disposition","running"), - dup2, - dup3, - setc("action","running"), - ])); - - var msg12 = msg("named:12", part12); - - var part13 = match("MESSAGE#12:named:13", "nwparser.payload", "using built-in root key for view %{fld3}", processor_chain([ - dup7, - setc("context","built-in root key"), 
- dup2, - dup3, - ])); - - var msg13 = msg("named:13", part13); - - var part14 = match("MESSAGE#13:named:14", "nwparser.payload", "zone %{dns_ptr_record}/%{fld3}: (%{username}) %{action}", processor_chain([ - dup8, - dup2, - dup3, - ])); - - var msg14 = msg("named:14", part14); - - var part15 = match("MESSAGE#14:named:15", "nwparser.payload", "too many timeouts resolving '%{fld3}' (%{fld4}): disabling EDNS", processor_chain([ - dup10, - setc("event_description","named:too many timeouts resolving DNS."), - dup11, - dup2, - ])); - - var msg15 = msg("named:15", part15); - - var part16 = match("MESSAGE#15:named:16", "nwparser.payload", "FORMERR resolving '%{hostname}': %{saddr}#%{fld3}", processor_chain([ - dup10, - setc("event_description","named:FORMERR resolving DNS."), - dup11, - dup2, - ])); - - var msg16 = msg("named:16", part16); - - var part17 = match("MESSAGE#16:named:17", "nwparser.payload", "unexpected RCODE (SERVFAIL) resolving '%{hostname}': %{saddr}#%{fld3}", processor_chain([ - dup10, - setc("event_description","named:unexpected RCODE (SERVFAIL) resolving DNS."), - dup11, - dup2, - ])); - - var msg17 = msg("named:17", part17); - - var select2 = linear_select([ - msg1, - msg2, - msg3, - msg4, - msg5, - msg6, - msg7, - msg8, - msg9, - msg10, - msg11, - msg12, - msg13, - msg14, - msg15, - msg16, - msg17, - ]); - - var part18 = match("MESSAGE#17:httpproxy:09", "nwparser.payload", "Integrated HTTP-Proxy %{version}", processor_chain([ - dup12, - setc("event_description","httpproxy:Integrated HTTP-Proxy."), - dup11, - dup2, - ])); - - var msg18 = msg("httpproxy:09", part18); - - var part19 = match("MESSAGE#18:httpproxy:10", "nwparser.payload", "[%{fld2}] parse_address (%{fld3}) getaddrinfo: passthrough.fw-notify.net: Name or service not known", processor_chain([ - dup10, - setc("event_description","httpproxy:Name or service not known."), - dup11, - dup2, - ])); - - var msg19 = msg("httpproxy:10", part19); - - var part20 = match("MESSAGE#19:httpproxy:11", 
"nwparser.payload", "[%{fld2}] confd_config_filter (%{fld3}) failed to resolve passthrough.fw-notify.net, using %{saddr}", processor_chain([ - dup10, - setc("event_description","httpproxy:failed to resolve passthrough."), - dup11, - dup2, - ])); - - var msg20 = msg("httpproxy:11", part20); - - var part21 = match("MESSAGE#20:httpproxy:12", "nwparser.payload", "[%{fld2}] ssl_log_errors (%{fld3}) %{fld4}ssl handshake failure%{fld5}", processor_chain([ - dup10, - setc("event_description","httpproxy:ssl handshake failure."), - dup11, - dup2, - ])); - - var msg21 = msg("httpproxy:12", part21); - - var part22 = match("MESSAGE#21:httpproxy:13", "nwparser.payload", "[%{fld2}] sc_decrypt (%{fld3}) EVP_DecryptFinal failed", processor_chain([ - dup10, - setc("event_description","httpproxy:EVP_DecryptFinal failed."), - dup11, - dup2, - ])); - - var msg22 = msg("httpproxy:13", part22); - - var part23 = match("MESSAGE#22:httpproxy:14", "nwparser.payload", "[%{fld2}] sc_server_cmd (%{fld3}) decrypt failed", processor_chain([ - dup10, - setc("event_description","httpproxy:decrypt failed."), - dup11, - dup2, - ])); - - var msg23 = msg("httpproxy:14", part23); - - var part24 = match("MESSAGE#23:httpproxy:15", "nwparser.payload", "[%{fld2}] clamav_reload (%{fld3}) %{info}", processor_chain([ - dup12, - setc("event_description","httpproxy:reloading av pattern"), - dup11, - dup2, - ])); - - var msg24 = msg("httpproxy:15", part24); - - var part25 = match("MESSAGE#24:httpproxy:16", "nwparser.payload", "[%{fld2}] sc_check_servers (%{fld3}) server '%{hostname}' access time: %{fld4}", processor_chain([ - dup12, - setc("event_description","httpproxy:sc_check_servers.Server checked."), - dup11, - dup2, - ])); - - var msg25 = msg("httpproxy:16", part25); - - var part26 = match("MESSAGE#25:httpproxy:17", "nwparser.payload", "[%{fld2}] main (%{fld3}) shutdown finished, exiting", processor_chain([ - dup12, - setc("event_description","httpproxy:shutdown finished, exiting."), - dup11, - dup2, - ])); 
- - var msg26 = msg("httpproxy:17", part26); - - var part27 = match("MESSAGE#26:httpproxy:18", "nwparser.payload", "[%{fld2}] main (%{fld3}) reading configuration", processor_chain([ - dup12, - setc("event_description","httpproxy:"), - dup11, - dup2, - ])); - - var msg27 = msg("httpproxy:18", part27); - - var part28 = match("MESSAGE#27:httpproxy:19", "nwparser.payload", "[%{fld2}] main (%{fld3}) reading profiles", processor_chain([ - dup12, - setc("event_description","httpproxy:reading profiles"), - dup11, - dup2, - ])); - - var msg28 = msg("httpproxy:19", part28); - - var part29 = match("MESSAGE#28:httpproxy:20", "nwparser.payload", "[%{fld2}] main (%{fld3}) finished startup", processor_chain([ - dup12, - setc("event_description","httpproxy:finished startup"), - dup11, - dup2, - ])); - - var msg29 = msg("httpproxy:20", part29); - - var part30 = match("MESSAGE#29:httpproxy:21", "nwparser.payload", "[%{fld2}] read_request_headers (%{fld3}) %{info}", processor_chain([ - dup12, - setc("event_description","httpproxy:read_request_headers related message."), - dup11, - dup2, - ])); - - var msg30 = msg("httpproxy:21", part30); - - var part31 = match("MESSAGE#30:httpproxy:22", "nwparser.payload", "[%{fld2}] epoll_loop (%{fld3}) %{info}", processor_chain([ - dup12, - setc("event_description","httpproxy:epoll_loop related message."), - dup11, - dup2, - ])); - - var msg31 = msg("httpproxy:22", part31); - - var part32 = match("MESSAGE#31:httpproxy:23", "nwparser.payload", "[%{fld2}] scan_exit (%{fld3}) %{info}", processor_chain([ - dup12, - setc("event_description","httpproxy:scan_exit related message."), - dup11, - dup2, - ])); - - var msg32 = msg("httpproxy:23", part32); - - var part33 = match("MESSAGE#32:httpproxy:24", "nwparser.payload", "[%{fld2}] epoll_exit (%{fld3}) %{info}", processor_chain([ - dup12, - setc("event_description","httpproxy:epoll_exit related message."), - dup11, - dup2, - ])); - - var msg33 = msg("httpproxy:24", part33); - - var part34 = 
match("MESSAGE#33:httpproxy:25", "nwparser.payload", "[%{fld2}] disk_cache_exit (%{fld3}) %{info}", processor_chain([ - dup12, - setc("event_description","httpproxy:disk_cache_exit related message."), - dup11, - dup2, - ])); - - var msg34 = msg("httpproxy:25", part34); - - var part35 = match("MESSAGE#34:httpproxy:26", "nwparser.payload", "[%{fld2}] disk_cache_zap (%{fld3}) %{info}", processor_chain([ - dup12, - setc("event_description","httpproxy:disk_cache_zap related message."), - dup11, - dup2, - ])); - - var msg35 = msg("httpproxy:26", part35); - - var part36 = match("MESSAGE#35:httpproxy:27", "nwparser.payload", "[%{fld2}] scanner_init (%{fld3}) %{info}", processor_chain([ - dup12, - setc("event_description","httpproxy:scanner_init related message."), - dup11, - dup2, - ])); - - var msg36 = msg("httpproxy:27", part36); - - var part37 = tagval("MESSAGE#36:httpproxy:01", "nwparser.payload", tvm, { - "action": "action", - "ad_domain": "fld1", - "app-id": "fld18", - "application": "fld17", - "auth": "fld10", - "authtime": "fld4", - "avscantime": "fld7", - "cached": "fld2", - "category": "policy_id", - "categoryname": "info", - "cattime": "fld6", - "content-type": "content_type", - "device": "fld9", - "dnstime": "fld5", - "dstip": "daddr", - "error": "result", - "exceptions": "fld12", - "extension": "fld13", - "file": "filename", - "filename": "filename", - "filteraction": "fld3", - "fullreqtime": "fld8", - "function": "action", - "group": "group", - "id": "rule", - "line": "fld14", - "message": "context", - "method": "web_method", - "name": "event_description", - "profile": "policyname", - "reason": "rule_group", - "referer": "web_referer", - "reputation": "fld16", - "request": "connectionid", - "severity": "severity", - "size": "rbytes", - "srcip": "saddr", - "statuscode": "resultcode", - "sub": "network_service", - "sys": "vsys", - "time": "fld15", - "ua": "fld11", - "url": "url", - "user": "username", - }, processor_chain([ - dup13, - dup11, - dup2, - dup45, - 
dup46, - ])); - - var msg37 = msg("httpproxy:01", part37); - - var select3 = linear_select([ - msg18, - msg19, - msg20, - msg21, - msg22, - msg23, - msg24, - msg25, - msg26, - msg27, - msg28, - msg29, - msg30, - msg31, - msg32, - msg33, - msg34, - msg35, - msg36, - msg37, - ]); - - var part38 = match("MESSAGE#37:URID:01", "nwparser.payload", "T=%{fld3->} ------ 1 - [exit] %{action}: %{disposition}", processor_chain([ - dup16, - dup2, - dup3, - ])); - - var msg38 = msg("URID:01", part38); - - var part39 = tagval("MESSAGE#38:ulogd:01", "nwparser.payload", tvm, { - "action": "action", - "code": "fld30", - "dstip": "daddr", - "dstmac": "dmacaddr", - "dstport": "dport", - "fwrule": "policy_id", - "id": "rule", - "info": "context", - "initf": "sinterface", - "length": "fld25", - "name": "event_description", - "outitf": "dinterface", - "prec": "fld27", - "proto": "fld24", - "seq": "fld23", - "severity": "severity", - "srcip": "saddr", - "srcmac": "smacaddr", - "srcport": "sport", - "sub": "network_service", - "sys": "vsys", - "tcpflags": "fld29", - "tos": "fld26", - "ttl": "fld28", - "type": "fld31", - }, processor_chain([ - dup13, - setc("ec_subject","NetworkComm"), - setc("ec_activity","Scan"), - setc("ec_theme","TEV"), - dup11, - dup2, - dup45, - dup46, - ])); - - var msg39 = msg("ulogd:01", part39); - - var part40 = match("MESSAGE#39:reverseproxy:01", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] ModSecurity for Apache/%{fld5->} (%{fld6}) configured.", processor_chain([ - dup6, - setc("disposition","configured"), - dup2, - dup3, - ])); - - var msg40 = msg("reverseproxy:01", part40); - - var part41 = match("MESSAGE#40:reverseproxy:02", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] ModSecurity: %{fld5->} compiled version=\"%{fld6}\"; loaded version=\"%{fld7}\"", processor_chain([ - dup17, - dup2, - dup3, - ])); - - var msg41 = msg("reverseproxy:02", part41); - - var part42 = 
match("MESSAGE#41:reverseproxy:03", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] ModSecurity: %{fld5->} compiled version=\"%{fld6}\"", processor_chain([ - dup17, - dup2, - dup3, - ])); - - var msg42 = msg("reverseproxy:03", part42); - - var part43 = match("MESSAGE#42:reverseproxy:04", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] %{fld5->} configured -- %{disposition->} normal operations", processor_chain([ - dup17, - setc("event_id","AH00292"), - dup2, - dup3, - ])); - - var msg43 = msg("reverseproxy:04", part43); - - var part44 = match("MESSAGE#43:reverseproxy:06", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [%{fld5}] Hostname in %{network_service->} request (%{fld6}) does not match the server name (%{ddomain})", processor_chain([ - setc("eventcategory","1805010000"), - dup18, - dup2, - dup3, - ])); - - var msg44 = msg("reverseproxy:06", part44); - - var part45 = match("MESSAGE#44:reverseproxy:07/0", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] AH00297: %{action->} received. 
Doing%{p0}"); - - var select4 = linear_select([ - dup19, - ]); - - var part46 = match("MESSAGE#44:reverseproxy:07/2", "nwparser.p0", "%{}graceful %{disposition}"); - - var all1 = all_match({ - processors: [ - part45, - select4, - part46, - ], - on_success: processor_chain([ - dup5, - setc("event_id","AH00297"), - dup2, - dup3, - ]), - }); - - var msg45 = msg("reverseproxy:07", all1); - - var part47 = match("MESSAGE#45:reverseproxy:08", "nwparser.payload", "AH00112: Warning: DocumentRoot [%{web_root}] does not exist", processor_chain([ - dup4, - setc("event_id","AH00112"), - dup2, - dup3, - ])); - - var msg46 = msg("reverseproxy:08", part47); - - var part48 = match("MESSAGE#46:reverseproxy:09", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] AH00094: Command line: '%{web_root}'", processor_chain([ - setc("eventcategory","1605010000"), - setc("event_id","AH00094"), - dup2, - dup3, - ])); - - var msg47 = msg("reverseproxy:09", part48); - - var part49 = match("MESSAGE#47:reverseproxy:10", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] AH00291: long lost child came home! 
(pid %{fld5})", processor_chain([ - dup12, - setc("event_id","AH00291"), - dup2, - dup3, - ])); - - var msg48 = msg("reverseproxy:10", part49); - - var part50 = match("MESSAGE#48:reverseproxy:11", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] AH02572: Failed to configure at least one certificate and key for %{fld5}:%{fld6}", processor_chain([ - dup20, - setc("event_id","AH02572"), - dup2, - dup3, - ])); - - var msg49 = msg("reverseproxy:11", part50); - - var part51 = match("MESSAGE#49:reverseproxy:12", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] SSL Library Error: error:%{resultcode}:%{result}", processor_chain([ - dup20, - setc("context","SSL Library Error"), - dup2, - dup3, - ])); - - var msg50 = msg("reverseproxy:12", part51); - - var part52 = match("MESSAGE#50:reverseproxy:13", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] AH02312: Fatal error initialising mod_ssl, %{disposition}.", processor_chain([ - dup20, - setc("result","Fatal error"), - setc("event_id","AH02312"), - dup2, - dup3, - ])); - - var msg51 = msg("reverseproxy:13", part52); - - var part53 = match("MESSAGE#51:reverseproxy:14", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] AH00020: Configuration Failed, %{disposition}", processor_chain([ - dup20, - setc("result","Configuration Failed"), - setc("event_id","AH00020"), - dup2, - dup3, - ])); - - var msg52 = msg("reverseproxy:14", part53); - - var part54 = match("MESSAGE#52:reverseproxy:15", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] AH00098: pid file %{filename->} overwritten -- Unclean shutdown of previous Apache run?", processor_chain([ - setc("eventcategory","1609000000"), - setc("context","Unclean shutdown"), - setc("event_id","AH00098"), - dup2, - dup3, - ])); - - var msg53 = msg("reverseproxy:15", part54); - - var part55 = 
match("MESSAGE#53:reverseproxy:16", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] AH00295: caught %{action}, %{disposition}", processor_chain([ - dup16, - setc("event_id","AH00295"), - dup2, - dup3, - ])); - - var msg54 = msg("reverseproxy:16", part55); - - var part56 = match("MESSAGE#54:reverseproxy:17/0", "nwparser.payload", "[%{fld3}] [%{event_log}:%{result}] [pid %{process_id}:%{fld4}] [client %{gateway}] ModSecurity: Warning. %{rulename->} [file \"%(unknown)\"] [line \"%{fld5}\"] [id \"%{rule}\"]%{p0}"); - - var part57 = match("MESSAGE#54:reverseproxy:17/1_0", "nwparser.p0", " [rev \"%{fld6}\"]%{p0}"); - - var select5 = linear_select([ - part57, - dup19, - ]); - - var part58 = match("MESSAGE#54:reverseproxy:17/2", "nwparser.p0", "%{}[msg \"%{comments}\"] [data \"%{daddr}\"] [severity \"%{severity}\"] [ver \"%{policyname}\"] [maturity \"%{fld7}\"] [accuracy \"%{fld8}\"] %{context->} [hostname \"%{dhost}\"] [uri \"%{web_root}\"] [unique_id \"%{operation_id}\"]"); - - var all2 = all_match({ - processors: [ - part56, - select5, - part58, - ], - on_success: processor_chain([ - dup21, - dup2, - dup3, - ]), - }); - - var msg55 = msg("reverseproxy:17", all2); - - var part59 = match("MESSAGE#55:reverseproxy:18", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] No signature found, cookie: %{fld5}", processor_chain([ - dup4, - dup22, - dup2, - dup3, - ])); - - var msg56 = msg("reverseproxy:18", part59); - - var part60 = match("MESSAGE#56:reverseproxy:19", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] %{disposition->} '%{fld5}' from request due to missing/invalid signature", processor_chain([ - dup23, - dup22, - dup2, - dup3, - ])); - - var msg57 = msg("reverseproxy:19", part60); - - var part61 = match("MESSAGE#57:reverseproxy:20", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] 
[client %{gateway}] ModSecurity: Warning. %{rulename->} [file \"%(unknown)\"] [line \"%{fld5}\"] [id \"%{rule}\"] [msg \"%{comments}\"] [hostname \"%{dhost}\"] [uri \"%{web_root}\"] [unique_id \"%{operation_id}\"]", processor_chain([ - dup21, - dup2, - dup3, - ])); - - var msg58 = msg("reverseproxy:20", part61); - - var part62 = match("MESSAGE#58:reverseproxy:21", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] AH01909: %{daddr}:%{dport}:%{fld5->} server certificate does NOT include an ID which matches the server name", processor_chain([ - dup20, - dup18, - setc("event_id","AH01909"), - dup2, - dup3, - ])); - - var msg59 = msg("reverseproxy:21", part62); - - var part63 = match("MESSAGE#59:reverseproxy:22", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] AH01915: Init: (%{daddr}:%{dport}) You configured %{network_service}(%{fld5}) on the %{fld6}(%{fld7}) port!", processor_chain([ - dup20, - setc("comments","Invalid port configuration"), - dup2, - dup3, - ])); - - var msg60 = msg("reverseproxy:22", part63); - - var part64 = match("MESSAGE#60:reverseproxy:23", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] ModSecurity: Rule %{rulename->} [id \"%{rule}\"][file \"%(unknown)\"][line \"%{fld5}\"] - Execution error - PCRE limits exceeded (%{fld6}): (%{fld7}). 
[hostname \"%{dhost}\"] [uri \"%{web_root}\"] [unique_id \"%{operation_id}\"]", processor_chain([ - dup21, - dup2, - dup3, - ])); - - var msg61 = msg("reverseproxy:23", part64); - - var part65 = match("MESSAGE#61:reverseproxy:24", "nwparser.payload", "rManage\\\\x22,\\\\x22manageLiveSystemSettings\\\\x22,\\\\x22accessViewJobs\\\\x22,\\\\x22exportList\\\\...\"] [ver \"%{policyname}\"] [maturity \"%{fld3}\"] [accuracy \"%{fld4}\"] %{context->} [hostname \"%{dhost}\"] [uri \"%{web_root}\"] [unique_id \"%{operation_id}\"]", processor_chain([ - dup21, - dup2, - dup3, - ])); - - var msg62 = msg("reverseproxy:24", part65); - - var part66 = match("MESSAGE#62:reverseproxy:25", "nwparser.payload", "ARGS:userPermissions: [\\\\x22dashletAccessAlertingRecentAlertsPanel\\\\x22,\\\\x22dashletAccessAlerterTopAlertsDashlet\\\\x22,\\\\x22accessViewRules\\\\x22,\\\\x22deployLiveResources\\\\x22,\\\\x22vi...\"] [severity [hostname \"%{dhost}\"] [uri \"%{web_root}\"] [unique_id \"%{operation_id}\"]", processor_chain([ - dup21, - dup2, - dup3, - ])); - - var msg63 = msg("reverseproxy:25", part66); - - var part67 = match("MESSAGE#63:reverseproxy:26/0", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] ModSecurity: %{disposition->} with code %{resultcode->} (%{fld5}). 
%{rulename->} [file \"%(unknown)\"] [line \"%{fld6}\"] [id \"%{rule}\"]%{p0}"); - - var part68 = match("MESSAGE#63:reverseproxy:26/1_0", "nwparser.p0", " [rev \"%{fld7}\"]%{p0}"); - - var select6 = linear_select([ - part68, - dup19, - ]); - - var part69 = match("MESSAGE#63:reverseproxy:26/2", "nwparser.p0", "%{}[msg \"%{comments}\"] [data \"Last Matched Data: %{p0}"); - - var part70 = match("MESSAGE#63:reverseproxy:26/3_0", "nwparser.p0", "%{daddr}:%{dport}\"] [hostname \"%{p0}"); - - var part71 = match("MESSAGE#63:reverseproxy:26/3_1", "nwparser.p0", "%{daddr}\"] [hostname \"%{p0}"); - - var select7 = linear_select([ - part70, - part71, - ]); - - var part72 = match("MESSAGE#63:reverseproxy:26/4", "nwparser.p0", "%{dhost}\"] [uri \"%{web_root}\"] [unique_id \"%{operation_id}\"]"); - - var all3 = all_match({ - processors: [ - part67, - select6, - part69, - select7, - part72, - ], - on_success: processor_chain([ - dup24, - dup2, - dup3, - ]), - }); - - var msg64 = msg("reverseproxy:26", all3); - - var part73 = match("MESSAGE#64:reverseproxy:27", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] [%{fld5}] %{disposition->} while reading reply from cssd, referer: %{web_referer}", processor_chain([ - dup25, - dup2, - dup3, - ])); - - var msg65 = msg("reverseproxy:27", part73); - - var part74 = match("MESSAGE#65:reverseproxy:28", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] [%{fld5}] virus daemon error found in request %{web_root}, referer: %{web_referer}", processor_chain([ - dup26, - setc("result","virus daemon error"), - dup2, - dup3, - ])); - - var msg66 = msg("reverseproxy:28", part74); - - var part75 = match("MESSAGE#66:reverseproxy:29", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] mod_avscan_input_filter: virus found, referer: %{web_referer}", processor_chain([ - dup27, - 
setc("result","virus found"), - dup2, - dup3, - ])); - - var msg67 = msg("reverseproxy:29", part75); - - var part76 = match("MESSAGE#67:reverseproxy:30", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] (13)%{result}: [client %{gateway}] AH01095: prefetch request body failed to %{saddr}:%{sport->} (%{fld5}) from %{fld6->} (), referer: %{web_referer}", processor_chain([ - dup24, - dup28, - dup2, - dup3, - ])); - - var msg68 = msg("reverseproxy:30", part76); - - var part77 = match("MESSAGE#68:reverseproxy:31", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] [%{fld5}] cannot read reply: Operation now in progress (115), referer: %{web_referer}", processor_chain([ - dup25, - setc("result","Cannot read reply"), - dup2, - dup3, - ])); - - var msg69 = msg("reverseproxy:31", part77); - - var part78 = match("MESSAGE#69:reverseproxy:32", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] [%{fld5}] cannot connect: %{result->} (111), referer: %{web_referer}", processor_chain([ - dup25, - dup2, - dup3, - ])); - - var msg70 = msg("reverseproxy:32", part78); - - var part79 = match("MESSAGE#70:reverseproxy:33", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] [%{fld5}] cannot connect: %{result->} (111)", processor_chain([ - dup25, - dup2, - dup3, - ])); - - var msg71 = msg("reverseproxy:33", part79); - - var part80 = match("MESSAGE#71:reverseproxy:34", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] [%{fld5}] virus daemon connection problem found in request %{url}, referer: %{web_referer}", processor_chain([ - dup26, - dup29, - dup2, - dup3, - ])); - - var msg72 = msg("reverseproxy:34", part80); - - var part81 = match("MESSAGE#72:reverseproxy:35", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid 
%{process_id}:%{fld4}] [client %{gateway}] [%{fld5}] virus daemon connection problem found in request %{url}", processor_chain([ - dup26, - dup29, - dup2, - dup3, - ])); - - var msg73 = msg("reverseproxy:35", part81); - - var part82 = match("MESSAGE#73:reverseproxy:36", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] mod_avscan_input_filter: virus found", processor_chain([ - dup27, - setc("result","Virus found"), - dup2, - dup3, - ])); - - var msg74 = msg("reverseproxy:36", part82); - - var part83 = match("MESSAGE#74:reverseproxy:37", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] (13)%{result}: [client %{gateway}] AH01095: prefetch request body failed to %{saddr}:%{sport->} (%{fld5}) from %{fld6->} ()", processor_chain([ - dup24, - dup28, - dup2, - dup3, - ])); - - var msg75 = msg("reverseproxy:37", part83); - - var part84 = match("MESSAGE#75:reverseproxy:38", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] Invalid signature, cookie: JSESSIONID", processor_chain([ - dup25, - dup2, - dup3, - ])); - - var msg76 = msg("reverseproxy:38", part84); - - var part85 = match("MESSAGE#76:reverseproxy:39", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] Form validation failed: Received unhardened form data, referer: %{web_referer}", processor_chain([ - dup23, - setc("result","Form validation failed"), - dup2, - dup3, - ])); - - var msg77 = msg("reverseproxy:39", part85); - - var part86 = match("MESSAGE#77:reverseproxy:40", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] [%{fld5}] sending trickle failed: 103", processor_chain([ - dup25, - setc("result","Sending trickle failed"), - dup2, - dup3, - ])); - - var msg78 = msg("reverseproxy:40", part86); - - var part87 = match("MESSAGE#78:reverseproxy:41", 
"nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] [%{fld5}] client requesting %{web_root->} has %{disposition}", processor_chain([ - dup30, - dup2, - dup3, - ])); - - var msg79 = msg("reverseproxy:41", part87); - - var part88 = match("MESSAGE#79:reverseproxy:42", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] [%{fld5}] mod_avscan_check_file_single_part() called with parameter filename=%(unknown)", processor_chain([ - setc("eventcategory","1603050000"), - dup2, - dup3, - ])); - - var msg80 = msg("reverseproxy:42", part88); - - var part89 = match("MESSAGE#80:reverseproxy:43", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] (70007)The %{disposition->} specified has expired: [client %{gateway}] AH01110: error reading response", processor_chain([ - dup30, - setc("event_id","AH01110"), - setc("result","Error reading response"), - dup2, - dup3, - ])); - - var msg81 = msg("reverseproxy:43", part89); - - var part90 = match("MESSAGE#81:reverseproxy:44", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] (22)%{result}: [client %{gateway}] No form context found when parsing %{fld5->} tag, referer: %{web_referer}", processor_chain([ - setc("eventcategory","1601020000"), - setc("result","No form context found"), - dup2, - dup3, - ])); - - var msg82 = msg("reverseproxy:44", part90); - - var part91 = match("MESSAGE#82:reverseproxy:45", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] (111)%{result}: AH00957: %{network_service}: attempt to connect to %{daddr}:%{dport->} (%{fld5}) failed", processor_chain([ - dup25, - setc("event_id","AH00957"), - dup2, - dup3, - ])); - - var msg83 = msg("reverseproxy:45", part91); - - var part92 = match("MESSAGE#83:reverseproxy:46", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] AH00959: 
ap_proxy_connect_backend disabling worker for (%{daddr}) for %{processing_time}s", processor_chain([ - dup16, - setc("event_id","AH00959"), - setc("result","disabling worker"), - dup2, - dup3, - ])); - - var msg84 = msg("reverseproxy:46", part92); - - var part93 = match("MESSAGE#84:reverseproxy:47", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] [%{fld5}] not all the file sent to the client: %{fld6}, referer: %{web_referer}", processor_chain([ - setc("eventcategory","1801000000"), - setc("context","Not all file sent to client"), - dup2, - dup3, - ])); - - var msg85 = msg("reverseproxy:47", part93); - - var part94 = match("MESSAGE#85:reverseproxy:48", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] AH01114: %{network_service}: failed to make connection to backend: %{daddr}, referer: %{web_referer}", processor_chain([ - dup25, - dup31, - dup32, - dup2, - dup3, - ])); - - var msg86 = msg("reverseproxy:48", part94); - - var part95 = match("MESSAGE#86:reverseproxy:49", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] AH01114: %{network_service}: failed to make connection to backend: %{daddr}", processor_chain([ - dup25, - dup31, - dup32, - dup2, - dup3, - ])); - - var msg87 = msg("reverseproxy:49", part95); - - var part96 = tagval("MESSAGE#87:reverseproxy:05", "nwparser.payload", tvm, { - "cookie": "web_cookie", - "exceptions": "policy_waiver", - "extra": "info", - "host": "dhost", - "id": "policy_id", - "localip": "fld3", - "method": "web_method", - "reason": "comments", - "referer": "web_referer", - "server": "daddr", - "set-cookie": "fld5", - "size": "fld4", - "srcip": "saddr", - "statuscode": "resultcode", - "time": "processing_time", - "url": "web_root", - "user": "username", - }, processor_chain([ - setc("eventcategory","1802000000"), - dup2, - dup3, - ])); - - var msg88 = 
msg("reverseproxy:05", part96); - - var select8 = linear_select([ - msg40, - msg41, - msg42, - msg43, - msg44, - msg45, - msg46, - msg47, - msg48, - msg49, - msg50, - msg51, - msg52, - msg53, - msg54, - msg55, - msg56, - msg57, - msg58, - msg59, - msg60, - msg61, - msg62, - msg63, - msg64, - msg65, - msg66, - msg67, - msg68, - msg69, - msg70, - msg71, - msg72, - msg73, - msg74, - msg75, - msg76, - msg77, - msg78, - msg79, - msg80, - msg81, - msg82, - msg83, - msg84, - msg85, - msg86, - msg87, - msg88, - ]); - - var part97 = tagval("MESSAGE#88:confd-sync", "nwparser.payload", tvm, { - "id": "fld5", - "name": "event_description", - "severity": "severity", - "sub": "service", - "sys": "fld2", - }, processor_chain([ - dup1, - dup11, - dup2, - ])); - - var msg89 = msg("confd-sync", part97); - - var part98 = tagval("MESSAGE#89:confd:01", "nwparser.payload", tvm, { - "account": "logon_id", - "attributes": "obj_name", - "class": "group_object", - "client": "fld3", - "count": "fld4", - "facility": "logon_type", - "id": "fld1", - "name": "event_description", - "node": "node", - "object": "fld6", - "severity": "severity", - "srcip": "saddr", - "storage": "directory", - "sub": "service", - "sys": "fld2", - "type": "obj_type", - "user": "username", - "version": "version", - }, processor_chain([ - dup1, - dup11, - dup2, - ])); - - var msg90 = msg("confd:01", part98); - - var part99 = match("MESSAGE#90:frox", "nwparser.payload", "Frox started%{}", processor_chain([ - dup12, - setc("event_description","frox:FTP Proxy Frox started."), - dup11, - dup2, - ])); - - var msg91 = msg("frox", part99); - - var part100 = match("MESSAGE#91:frox:01", "nwparser.payload", "Listening on %{saddr}:%{sport}", processor_chain([ - dup12, - setc("event_description","frox:FTP Proxy listening on port."), - dup11, - dup2, - ])); - - var msg92 = msg("frox:01", part100); - - var part101 = match("MESSAGE#92:frox:02", "nwparser.payload", "Dropped privileges%{}", processor_chain([ - dup12, - 
setc("event_description","frox:FTP Proxy dropped priveleges."), - dup11, - dup2, - ])); - - var msg93 = msg("frox:02", part101); - - var select9 = linear_select([ - msg91, - msg92, - msg93, - ]); - - var part102 = match("MESSAGE#93:afcd", "nwparser.payload", "Classifier configuration reloaded successfully%{}", processor_chain([ - dup12, - setc("event_description","afcd: IM/P2P Classifier configuration reloaded successfully."), - dup11, - dup2, - ])); - - var msg94 = msg("afcd", part102); - - var part103 = match("MESSAGE#94:ipsec_starter", "nwparser.payload", "Starting strongSwan %{fld2->} IPsec [starter]...", processor_chain([ - dup12, - setc("event_description","ipsec_starter: Starting strongSwan 4.2.3 IPsec [starter]..."), - dup11, - dup2, - ])); - - var msg95 = msg("ipsec_starter", part103); - - var part104 = match("MESSAGE#95:ipsec_starter:01", "nwparser.payload", "IP address or index of physical interface changed -> reinit of ipsec interface%{}", processor_chain([ - dup12, - setc("event_description","ipsec_starter: IP address or index of physical interface changed."), - dup11, - dup2, - ])); - - var msg96 = msg("ipsec_starter:01", part104); - - var select10 = linear_select([ - msg95, - msg96, - ]); - - var part105 = match("MESSAGE#96:pluto", "nwparser.payload", "Starting Pluto (%{info})", processor_chain([ - dup12, - setc("event_description","pluto: Starting Pluto."), - dup11, - dup2, - ])); - - var msg97 = msg("pluto", part105); - - var part106 = match("MESSAGE#97:pluto:01", "nwparser.payload", "including NAT-Traversal patch (%{info})", processor_chain([ - dup12, - setc("event_description","pluto: including NAT-Traversal patch."), - dup11, - dup2, - ])); - - var msg98 = msg("pluto:01", part106); - - var part107 = match("MESSAGE#98:pluto:02", "nwparser.payload", "ike_alg: Activating %{info->} encryption: Ok", processor_chain([ - dup33, - setc("event_description","pluto: Activating encryption algorithm."), - dup11, - dup2, - ])); - - var msg99 = msg("pluto:02", 
part107); - - var part108 = match("MESSAGE#99:pluto:03", "nwparser.payload", "ike_alg: Activating %{info->} hash: Ok", processor_chain([ - dup33, - setc("event_description","pluto: Activating hash algorithm."), - dup11, - dup2, - ])); - - var msg100 = msg("pluto:03", part108); - - var part109 = match("MESSAGE#100:pluto:04", "nwparser.payload", "Testing registered IKE encryption algorithms:%{}", processor_chain([ - dup12, - setc("event_description","pluto: Testing registered IKE encryption algorithms"), - dup11, - dup2, - ])); - - var msg101 = msg("pluto:04", part109); - - var part110 = match("MESSAGE#101:pluto:05", "nwparser.payload", "%{info->} self-test not available", processor_chain([ - dup12, - setc("event_description","pluto: Algorithm self-test not available."), - dup11, - dup2, - ])); - - var msg102 = msg("pluto:05", part110); - - var part111 = match("MESSAGE#102:pluto:06", "nwparser.payload", "%{info->} self-test passed", processor_chain([ - dup12, - setc("event_description","pluto: Algorithm self-test passed."), - dup11, - dup2, - ])); - - var msg103 = msg("pluto:06", part111); - - var part112 = match("MESSAGE#103:pluto:07", "nwparser.payload", "Using KLIPS IPsec interface code%{}", processor_chain([ - dup12, - setc("event_description","pluto: Using KLIPS IPsec interface code"), - dup11, - dup2, - ])); - - var msg104 = msg("pluto:07", part112); - - var part113 = match("MESSAGE#104:pluto:08", "nwparser.payload", "adding interface %{interface->} %{saddr}:%{sport}", processor_chain([ - dup12, - setc("event_description","pluto: adding interface"), - dup11, - dup2, - ])); - - var msg105 = msg("pluto:08", part113); - - var part114 = match("MESSAGE#105:pluto:09", "nwparser.payload", "loading secrets from \"%(unknown)\"", processor_chain([ - dup34, - setc("event_description","pluto: loading secrets"), - dup11, - dup2, - ])); - - var msg106 = msg("pluto:09", part114); - - var part115 = match("MESSAGE#106:pluto:10", "nwparser.payload", "loaded private key file 
'%(unknown)' (%{filename_size->} bytes)", processor_chain([ - dup34, - setc("event_description","pluto: loaded private key file"), - dup11, - dup2, - ])); - - var msg107 = msg("pluto:10", part115); - - var part116 = match("MESSAGE#107:pluto:11", "nwparser.payload", "added connection description \"%{fld2}\"", processor_chain([ - dup12, - setc("event_description","pluto: added connection description"), - dup11, - dup2, - ])); - - var msg108 = msg("pluto:11", part116); - - var part117 = match("MESSAGE#108:pluto:12", "nwparser.payload", "\"%{fld2}\" #%{fld3}: initiating Main Mode", processor_chain([ - dup12, - dup35, - dup11, - dup2, - ])); - - var msg109 = msg("pluto:12", part117); - - var part118 = match("MESSAGE#109:pluto:13", "nwparser.payload", "\"%{fld2}\" #%{fld3}: max number of retransmissions (%{fld4}) reached STATE_MAIN_I1. No response (or no acceptable response) to our first IKE message", processor_chain([ - dup10, - dup36, - dup11, - dup2, - ])); - - var msg110 = msg("pluto:13", part118); - - var part119 = match("MESSAGE#110:pluto:14", "nwparser.payload", "\"%{fld2}\" #%{fld3}: starting keying attempt %{fld4->} of an unlimited number", processor_chain([ - dup12, - dup37, - dup11, - dup2, - ])); - - var msg111 = msg("pluto:14", part119); - - var part120 = match("MESSAGE#111:pluto:15", "nwparser.payload", "forgetting secrets%{}", processor_chain([ - dup12, - setc("event_description","pluto:forgetting secrets"), - dup11, - dup2, - ])); - - var msg112 = msg("pluto:15", part120); - - var part121 = match("MESSAGE#112:pluto:17", "nwparser.payload", "Changing to directory '%{directory}'", processor_chain([ - dup12, - setc("event_description","pluto:Changing to directory"), - dup11, - dup2, - ])); - - var msg113 = msg("pluto:17", part121); - - var part122 = match("MESSAGE#113:pluto:18", "nwparser.payload", "| *time to handle event%{}", processor_chain([ - dup12, - setc("event_description","pluto:*time to handle event"), - dup11, - dup2, - ])); - - var msg114 = 
msg("pluto:18", part122); - - var part123 = match("MESSAGE#114:pluto:19", "nwparser.payload", "| *received kernel message%{}", processor_chain([ - dup12, - setc("event_description","pluto:*received kernel message"), - dup11, - dup2, - ])); - - var msg115 = msg("pluto:19", part123); - - var part124 = match("MESSAGE#115:pluto:20", "nwparser.payload", "| rejected packet:%{}", processor_chain([ - dup25, - setc("event_description","pluto:rejected packet"), - dup11, - dup2, - ])); - - var msg116 = msg("pluto:20", part124); - - var part125 = match("MESSAGE#116:pluto:21", "nwparser.payload", "| next event %{event_type->} in %{fld2->} seconds for #%{fld3}", processor_chain([ - dup12, - dup11, - dup2, - ])); - - var msg117 = msg("pluto:21", part125); - - var part126 = match("MESSAGE#117:pluto:22", "nwparser.payload", "| next event %{event_type->} in %{fld2->} seconds", processor_chain([ - dup12, - dup11, - dup2, - ])); - - var msg118 = msg("pluto:22", part126); - - var part127 = match("MESSAGE#118:pluto:23", "nwparser.payload", "| inserting event %{event_type->} in %{fld2->} seconds for #%{fld3}", processor_chain([ - dup12, - dup11, - dup2, - ])); - - var msg119 = msg("pluto:23", part127); - - var part128 = match("MESSAGE#119:pluto:24", "nwparser.payload", "| event after this is %{event_type->} in %{fld2->} seconds", processor_chain([ - dup12, - dup11, - dup2, - ])); - - var msg120 = msg("pluto:24", part128); - - var part129 = match("MESSAGE#120:pluto:25", "nwparser.payload", "| recent %{action->} activity %{fld2->} seconds ago, %{info}", processor_chain([ - dup12, - dup11, - dup2, - ])); - - var msg121 = msg("pluto:25", part129); - - var part130 = match("MESSAGE#121:pluto:26", "nwparser.payload", "| *received %{rbytes->} bytes from %{saddr}:%{sport->} on %{dinterface}", processor_chain([ - dup12, - dup11, - dup2, - ])); - - var msg122 = msg("pluto:26", part130); - - var part131 = match("MESSAGE#122:pluto:27", "nwparser.payload", "| received %{action->} notification %{msg->} 
with seqno = %{fld2}", processor_chain([ - dup12, - dup11, - dup2, - ])); - - var msg123 = msg("pluto:27", part131); - - var part132 = match("MESSAGE#123:pluto:28", "nwparser.payload", "| sent %{action->} notification %{msg->} with seqno = %{fld2}", processor_chain([ - dup12, - dup11, - dup2, - ])); - - var msg124 = msg("pluto:28", part132); - - var part133 = match("MESSAGE#124:pluto:29", "nwparser.payload", "| inserting event %{event_type}, timeout in %{fld2->} seconds", processor_chain([ - dup12, - dup11, - dup2, - ])); - - var msg125 = msg("pluto:29", part133); - - var part134 = match("MESSAGE#125:pluto:30", "nwparser.payload", "| handling event %{event_type->} for %{saddr->} \"%{fld2}\" #%{fld3}", processor_chain([ - dup12, - dup11, - dup2, - ])); - - var msg126 = msg("pluto:30", part134); - - var part135 = match("MESSAGE#126:pluto:31", "nwparser.payload", "| %{event_description}", processor_chain([ - dup12, - dup11, - dup2, - ])); - - var msg127 = msg("pluto:31", part135); - - var part136 = match("MESSAGE#127:pluto:32", "nwparser.payload", "%{fld2}: asynchronous network error report on %{interface->} for message to %{daddr->} port %{dport}, complainant %{saddr}: Connection refused [errno %{fld4}, origin ICMP type %{icmptype->} code %{icmpcode->} (not authenticated)]", processor_chain([ - dup12, - setc("event_description","not authenticated"), - dup11, - dup2, - ])); - - var msg128 = msg("pluto:32", part136); - - var part137 = match("MESSAGE#128:pluto:33", "nwparser.payload", "\"%{fld2}\"[%{fld4}] %{saddr->} #%{fld3}: initiating Main Mode", processor_chain([ - dup12, - dup35, - dup11, - dup2, - ])); - - var msg129 = msg("pluto:33", part137); - - var part138 = match("MESSAGE#129:pluto:34", "nwparser.payload", "\"%{fld2}\"[%{fld4}] %{saddr->} #%{fld3}: max number of retransmissions (%{fld5}) reached STATE_MAIN_I1. 
No response (or no acceptable response) to our first IKE message", processor_chain([ - dup12, - dup36, - dup11, - dup2, - ])); - - var msg130 = msg("pluto:34", part138); - - var part139 = match("MESSAGE#130:pluto:35", "nwparser.payload", "\"%{fld2}\"[%{fld4}] %{saddr->} #%{fld3}: starting keying attempt %{fld5->} of an unlimited number", processor_chain([ - dup12, - dup37, - dup11, - dup2, - ])); - - var msg131 = msg("pluto:35", part139); - - var select11 = linear_select([ - msg97, - msg98, - msg99, - msg100, - msg101, - msg102, - msg103, - msg104, - msg105, - msg106, - msg107, - msg108, - msg109, - msg110, - msg111, - msg112, - msg113, - msg114, - msg115, - msg116, - msg117, - msg118, - msg119, - msg120, - msg121, - msg122, - msg123, - msg124, - msg125, - msg126, - msg127, - msg128, - msg129, - msg130, - msg131, - ]); - - var part140 = match("MESSAGE#131:xl2tpd", "nwparser.payload", "This binary does not support kernel L2TP.%{}", processor_chain([ - setc("eventcategory","1607000000"), - setc("event_description","xl2tpd:This binary does not support kernel L2TP."), - dup11, - dup2, - ])); - - var msg132 = msg("xl2tpd", part140); - - var part141 = match("MESSAGE#132:xl2tpd:01", "nwparser.payload", "xl2tpd version %{version->} started on PID:%{fld2}", processor_chain([ - dup12, - setc("event_description","xl2tpd:xl2tpd started."), - dup11, - dup2, - ])); - - var msg133 = msg("xl2tpd:01", part141); - - var part142 = match("MESSAGE#133:xl2tpd:02", "nwparser.payload", "Written by %{info}", processor_chain([ - dup12, - dup38, - dup11, - dup2, - ])); - - var msg134 = msg("xl2tpd:02", part142); - - var part143 = match("MESSAGE#134:xl2tpd:03", "nwparser.payload", "Forked by %{info}", processor_chain([ - dup12, - dup38, - dup11, - dup2, - ])); - - var msg135 = msg("xl2tpd:03", part143); - - var part144 = match("MESSAGE#135:xl2tpd:04", "nwparser.payload", "Inherited by %{info}", processor_chain([ - dup12, - dup38, - dup11, - dup2, - ])); - - var msg136 = msg("xl2tpd:04", 
part144); - - var part145 = match("MESSAGE#136:xl2tpd:05", "nwparser.payload", "Listening on IP address %{saddr}, port %{sport}", processor_chain([ - dup12, - dup38, - dup11, - dup2, - ])); - - var msg137 = msg("xl2tpd:05", part145); - - var select12 = linear_select([ - msg132, - msg133, - msg134, - msg135, - msg136, - msg137, - ]); - - var part146 = match("MESSAGE#137:barnyard:01", "nwparser.payload", "Exiting%{}", processor_chain([ - dup12, - setc("event_description","barnyard: Exiting"), - dup11, - dup2, - ])); - - var msg138 = msg("barnyard:01", part146); - - var part147 = match("MESSAGE#138:barnyard:02", "nwparser.payload", "Initializing daemon mode%{}", processor_chain([ - dup12, - setc("event_description","barnyard:Initializing daemon mode"), - dup11, - dup2, - ])); - - var msg139 = msg("barnyard:02", part147); - - var part148 = match("MESSAGE#139:barnyard:03", "nwparser.payload", "Opened spool file '%(unknown)'", processor_chain([ - dup12, - setc("event_description","barnyard:Opened spool file."), - dup11, - dup2, - ])); - - var msg140 = msg("barnyard:03", part148); - - var part149 = match("MESSAGE#140:barnyard:04", "nwparser.payload", "Waiting for new data%{}", processor_chain([ - dup12, - setc("event_description","barnyard:Waiting for new data"), - dup11, - dup2, - ])); - - var msg141 = msg("barnyard:04", part149); - - var select13 = linear_select([ - msg138, - msg139, - msg140, - msg141, - ]); - - var part150 = match("MESSAGE#141:exim:01", "nwparser.payload", "%{fld2}-%{fld3}-%{fld4->} %{fld5}:%{fld6}:%{fld7->} SMTP connection from localhost (%{hostname}) [%{saddr}]:%{sport->} closed by QUIT", processor_chain([ - dup12, - setc("event_description","exim:SMTP connection from localhost closed by QUIT"), - dup11, - dup2, - ])); - - var msg142 = msg("exim:01", part150); - - var part151 = match("MESSAGE#142:exim:02", "nwparser.payload", "%{fld2}-%{fld3}-%{fld4->} %{fld5}:%{fld6}:%{fld7->} [%{saddr}] F=\u003c\u003c%{from}> R=\u003c\u003c%{to}> Accepted: 
%{info}", processor_chain([ - setc("eventcategory","1207010000"), - setc("event_description","exim:e-mail accepted from relay."), - dup11, - dup2, - ])); - - var msg143 = msg("exim:02", part151); - - var part152 = match("MESSAGE#143:exim:03", "nwparser.payload", "%{fld2}-%{fld3}-%{fld4->} %{fld5}:%{fld6}:%{fld7->} %{fld8->} \u003c\u003c= %{from->} H=localhost (%{hostname}) [%{saddr}]:%{sport->} P=%{protocol->} S=%{fld9->} id=%{info}", processor_chain([ - setc("eventcategory","1207000000"), - setc("event_description","exim: e-mail sent."), - dup11, - dup2, - ])); - - var msg144 = msg("exim:03", part152); - - var part153 = match("MESSAGE#144:exim:04", "nwparser.payload", "%{fld2}-%{fld3}-%{fld4->} %{fld5}:%{fld6}:%{fld7->} %{fld8->} == %{from->} R=dnslookup defer (%{fld9}): host lookup did not complete", processor_chain([ - dup39, - setc("event_description","exim: e-mail host lookup did not complete in DNS."), - dup11, - dup2, - ])); - - var msg145 = msg("exim:04", part153); - - var part154 = match("MESSAGE#145:exim:05", "nwparser.payload", "%{fld2}-%{fld3}-%{fld4->} %{fld5}:%{fld6}:%{fld7->} %{fld8->} == %{from->} routing defer (%{fld9}): retry time not reached", processor_chain([ - dup39, - setc("event_description","exim: e-mail routing defer:retry time not reached."), - dup11, - dup2, - ])); - - var msg146 = msg("exim:05", part154); - - var part155 = match("MESSAGE#146:exim:06", "nwparser.payload", "%{fld2}-%{fld3}-%{fld4->} %{fld5}:%{fld6}:%{fld7->} exim %{version->} daemon started: pid=%{fld8}, no queue runs, listening for SMTP on port %{sport->} (%{info}) port %{fld9->} (%{fld10}) and for SMTPS on port %{fld11->} (%{fld12})", processor_chain([ - dup12, - setc("event_description","exim: exim daemon started."), - dup11, - dup2, - ])); - - var msg147 = msg("exim:06", part155); - - var part156 = match("MESSAGE#147:exim:07", "nwparser.payload", "%{fld2}-%{fld3}-%{fld4->} %{fld5}:%{fld6}:%{fld7->} Start queue run: pid=%{fld8}", processor_chain([ - dup12, - 
setc("event_description","exim: Start queue run."), - dup11, - dup2, - ])); - - var msg148 = msg("exim:07", part156); - - var part157 = match("MESSAGE#148:exim:08", "nwparser.payload", "%{fld2}-%{fld3}-%{fld4->} %{fld5}:%{fld6}:%{fld7->} pid %{fld8}: SIGHUP received: re-exec daemon", processor_chain([ - dup12, - setc("event_description","exim: SIGHUP received: re-exec daemon."), - dup11, - dup2, - ])); - - var msg149 = msg("exim:08", part157); - - var part158 = match("MESSAGE#149:exim:09", "nwparser.payload", "%{fld2}-%{fld3}-%{fld4->} %{fld5}:%{fld6}:%{fld7->} SMTP connection from [%{saddr}]:%{sport->} %{info}", processor_chain([ - dup12, - setc("event_description","exim: SMTP connection from host."), - dup11, - dup2, - ])); - - var msg150 = msg("exim:09", part158); - - var part159 = match("MESSAGE#150:exim:10", "nwparser.payload", "%{fld2}-%{fld3}-%{fld4->} %{fld5}:%{fld6}:%{fld7->} rejected EHLO from [%{saddr}]:%{sport->} %{info}", processor_chain([ - dup12, - setc("event_description","exim:rejected EHLO from host."), - dup11, - dup2, - ])); - - var msg151 = msg("exim:10", part159); - - var part160 = match("MESSAGE#151:exim:11", "nwparser.payload", "%{fld2}-%{fld3}-%{fld4->} %{fld5}:%{fld6}:%{fld7->} SMTP protocol synchronization error (%{result}): %{fld8->} H=[%{saddr}]:%{sport->} %{info}", processor_chain([ - dup12, - setc("event_description","exim:SMTP protocol synchronization error rejected connection from host."), - dup11, - dup2, - ])); - - var msg152 = msg("exim:11", part160); - - var part161 = match("MESSAGE#152:exim:12", "nwparser.payload", "%{fld2}-%{fld3}-%{fld4->} %{fld5}:%{fld6}:%{fld7->} TLS error on connection from [%{saddr}]:%{sport->} %{info}", processor_chain([ - dup12, - setc("event_description","exim:TLS error on connection from host."), - dup11, - dup2, - ])); - - var msg153 = msg("exim:12", part161); - - var part162 = match("MESSAGE#153:exim:13", "nwparser.payload", "%{fld2}-%{fld3}-%{fld4->} %{fld5}:%{fld6}:%{fld7->} %{fld10->} == 
%{hostname->} R=%{fld8->} T=%{fld9}: %{info}", processor_chain([ - dup12, - dup40, - dup11, - dup2, - ])); - - var msg154 = msg("exim:13", part162); - - var part163 = match("MESSAGE#154:exim:14", "nwparser.payload", "%{fld2}-%{fld3}-%{fld4->} %{fld5}:%{fld6}:%{fld7->} %{fld10->} %{hostname->} [%{saddr}]:%{sport->} %{info}", processor_chain([ - dup12, - dup40, - dup11, - dup2, - ])); - - var msg155 = msg("exim:14", part163); - - var part164 = match("MESSAGE#155:exim:15", "nwparser.payload", "%{fld2}-%{fld3}-%{fld4->} %{fld5}:%{fld6}:%{fld7->} End queue run: %{info}", processor_chain([ - dup12, - dup40, - dup11, - dup2, - ])); - - var msg156 = msg("exim:15", part164); - - var part165 = match("MESSAGE#156:exim:16", "nwparser.payload", "%{fld2->} %{fld3}", processor_chain([ - dup12, - dup11, - dup2, - ])); - - var msg157 = msg("exim:16", part165); - - var select14 = linear_select([ - msg142, - msg143, - msg144, - msg145, - msg146, - msg147, - msg148, - msg149, - msg150, - msg151, - msg152, - msg153, - msg154, - msg155, - msg156, - msg157, - ]); - - var part166 = match("MESSAGE#157:smtpd:01", "nwparser.payload", "QMGR[%{fld2}]: %{fld3->} moved to work queue", processor_chain([ - dup12, - setc("event_description","smtpd: Process moved to work queue."), - dup11, - dup2, - ])); - - var msg158 = msg("smtpd:01", part166); - - var part167 = match("MESSAGE#158:smtpd:02", "nwparser.payload", "SCANNER[%{fld3}]: id=\"1000\" severity=\"%{severity}\" sys=\"%{fld4}\" sub=\"%{service}\" name=\"%{event_description}\" srcip=\"%{saddr}\" from=\"%{from}\" to=\"%{to}\" subject=\"%{subject}\" queueid=\"%{fld5}\" size=\"%{rbytes}\"", processor_chain([ - setc("eventcategory","1207010100"), - dup11, - dup2, - ])); - - var msg159 = msg("smtpd:02", part167); - - var part168 = match("MESSAGE#159:smtpd:03", "nwparser.payload", "SCANNER[%{fld3}]: Nothing to do, exiting.", processor_chain([ - dup12, - setc("event_description","smtpd: SCANNER: Nothing to do,exiting."), - dup11, - dup2, - ])); - - 
var msg160 = msg("smtpd:03", part168); - - var part169 = match("MESSAGE#160:smtpd:04", "nwparser.payload", "MASTER[%{fld3}]: QR globally disabled, status two set to 'disabled'", processor_chain([ - dup12, - setc("event_description","smtpd: MASTER:QR globally disabled, status two set to disabled."), - dup11, - dup2, - ])); - - var msg161 = msg("smtpd:04", part169); - - var part170 = match("MESSAGE#161:smtpd:07", "nwparser.payload", "MASTER[%{fld3}]: QR globally disabled, status one set to 'disabled'", processor_chain([ - dup12, - setc("event_description","smtpd: MASTER:QR globally disabled, status one set to disabled."), - dup11, - dup2, - ])); - - var msg162 = msg("smtpd:07", part170); - - var part171 = match("MESSAGE#162:smtpd:05", "nwparser.payload", "MASTER[%{fld3}]: (Re-)loading configuration from Confd", processor_chain([ - dup12, - setc("event_description","smtpd: MASTER:(Re-)loading configuration from Confd."), - dup11, - dup2, - ])); - - var msg163 = msg("smtpd:05", part171); - - var part172 = match("MESSAGE#163:smtpd:06", "nwparser.payload", "MASTER[%{fld3}]: Sending QR one", processor_chain([ - dup12, - setc("event_description","smtpd: MASTER:Sending QR one."), - dup11, - dup2, - ])); - - var msg164 = msg("smtpd:06", part172); - - var select15 = linear_select([ - msg158, - msg159, - msg160, - msg161, - msg162, - msg163, - msg164, - ]); - - var part173 = match("MESSAGE#164:sshd:01", "nwparser.payload", "Did not receive identification string from %{fld18}", processor_chain([ - dup10, - setc("event_description","sshd: Did not receive identification string."), - dup11, - dup2, - ])); - - var msg165 = msg("sshd:01", part173); - - var part174 = match("MESSAGE#165:sshd:02", "nwparser.payload", "Received SIGHUP; restarting.%{}", processor_chain([ - dup12, - setc("event_description","sshd:Received SIGHUP restarting."), - dup11, - dup2, - ])); - - var msg166 = msg("sshd:02", part174); - - var part175 = match("MESSAGE#166:sshd:03", "nwparser.payload", "Server 
listening on %{saddr->} port %{sport}.", processor_chain([ - dup12, - setc("event_description","sshd:Server listening; restarting."), - dup11, - dup2, - ])); - - var msg167 = msg("sshd:03", part175); - - var part176 = match("MESSAGE#167:sshd:04", "nwparser.payload", "Invalid user admin from %{fld18}", processor_chain([ - dup41, - setc("event_description","sshd:Invalid user admin."), - dup11, - dup2, - ])); - - var msg168 = msg("sshd:04", part176); - - var part177 = match("MESSAGE#168:sshd:05", "nwparser.payload", "Failed none for invalid user admin from %{saddr->} port %{sport->} %{fld3}", processor_chain([ - dup41, - setc("event_description","sshd:Failed none for invalid user admin."), - dup11, - dup2, - ])); - - var msg169 = msg("sshd:05", part177); - - var part178 = match("MESSAGE#169:sshd:06", "nwparser.payload", "error: Could not get shadow information for NOUSER%{}", processor_chain([ - dup10, - setc("event_description","sshd:error:Could not get shadow information for NOUSER"), - dup11, - dup2, - ])); - - var msg170 = msg("sshd:06", part178); - - var part179 = match("MESSAGE#170:sshd:07", "nwparser.payload", "Failed password for root from %{saddr->} port %{sport->} %{fld3}", processor_chain([ - dup41, - setc("event_description","sshd:Failed password for root."), - dup11, - dup2, - ])); - - var msg171 = msg("sshd:07", part179); - - var part180 = match("MESSAGE#171:sshd:08", "nwparser.payload", "Accepted password for loginuser from %{saddr->} port %{sport->} %{fld3}", processor_chain([ - setc("eventcategory","1302000000"), - setc("event_description","sshd:Accepted password for loginuser."), - dup11, - dup2, - ])); - - var msg172 = msg("sshd:08", part180); - - var part181 = match("MESSAGE#172:sshd:09", "nwparser.payload", "subsystem request for sftp failed, subsystem not found%{}", processor_chain([ - dup10, - setc("event_description","sshd:subsystem request for sftp failed,subsystem not found."), - dup11, - dup2, - ])); - - var msg173 = msg("sshd:09", part181); 
- - var select16 = linear_select([ - msg165, - msg166, - msg167, - msg168, - msg169, - msg170, - msg171, - msg172, - msg173, - ]); - - var part182 = tagval("MESSAGE#173:aua:01", "nwparser.payload", tvm, { - "caller": "fld4", - "engine": "fld5", - "id": "fld1", - "name": "event_description", - "severity": "severity", - "srcip": "saddr", - "sub": "service", - "sys": "fld2", - "user": "username", - }, processor_chain([ - dup13, - dup11, - dup2, - dup45, - dup46, - ])); - - var msg174 = msg("aua:01", part182); - - var part183 = match("MESSAGE#174:sockd:01", "nwparser.payload", "created new negotiatorchild%{}", processor_chain([ - dup12, - setc("event_description","sockd: created new negotiatorchild."), - dup11, - dup2, - ])); - - var msg175 = msg("sockd:01", part183); - - var part184 = match("MESSAGE#175:sockd:02", "nwparser.payload", "dante/server %{version->} running", processor_chain([ - dup12, - setc("event_description","sockd:dante/server running."), - dup11, - dup2, - ])); - - var msg176 = msg("sockd:02", part184); - - var part185 = match("MESSAGE#176:sockd:03", "nwparser.payload", "sockdexit(): terminating on signal %{fld2}", processor_chain([ - dup12, - setc("event_description","sockd:sockdexit():terminating on signal."), - dup11, - dup2, - ])); - - var msg177 = msg("sockd:03", part185); - - var select17 = linear_select([ - msg175, - msg176, - msg177, - ]); - - var part186 = match("MESSAGE#177:pop3proxy", "nwparser.payload", "Master started%{}", processor_chain([ - dup12, - setc("event_description","pop3proxy:Master started."), - dup11, - dup2, - ])); - - var msg178 = msg("pop3proxy", part186); - - var part187 = tagval("MESSAGE#178:astarosg_TVM", "nwparser.payload", tvm, { - "account": "logon_id", - "action": "action", - "ad_domain": "fld5", - "app-id": "fld20", - "application": "fld19", - "attributes": "obj_name", - "auth": "fld15", - "authtime": "fld9", - "avscantime": "fld12", - "cached": "fld7", - "caller": "fld30", - "category": "policy_id", - 
"categoryname": "info", - "cattime": "fld11", - "class": "group_object", - "client": "fld3", - "content-type": "content_type", - "cookie": "web_cookie", - "count": "fld4", - "device": "fld14", - "dnstime": "fld10", - "dstip": "daddr", - "dstmac": "dmacaddr", - "dstport": "dport", - "engine": "fld31", - "error": "comments", - "exceptions": "fld17", - "extension": "web_extension", - "extra": "info", - "facility": "logon_type", - "file": "filename", - "filename": "filename", - "filteraction": "policyname", - "fullreqtime": "fld13", - "function": "action", - "fwrule": "policy_id", - "group": "group", - "host": "dhost", - "id": "rule", - "info": "context", - "initf": "sinterface", - "length": "fld25", - "line": "fld22", - "localip": "fld31", - "message": "context", - "method": "web_method", - "name": "event_description", - "node": "node", - "object": "fld6", - "outitf": "dinterface", - "prec": "fld30", - "profile": "owner", - "proto": "fld24", - "reason": "comments", - "referer": "web_referer", - "reputation": "fld18", - "request": "fld8", - "seq": "fld23", - "server": "daddr", - "set-cookie": "fld32", - "severity": "severity", - "size": "filename_size", - "srcip": "saddr", - "srcmac": "smacaddr", - "srcport": "sport", - "statuscode": "resultcode", - "storage": "directory", - "sub": "service", - "sys": "vsys", - "tcpflags": "fld29", - "time": "fld21", - "tos": "fld26", - "ttl": "fld28", - "type": "obj_type", - "ua": "fld16", - "url": "url", - "user": "username", - "version": "version", - }, processor_chain([ - dup12, - dup11, - dup2, - dup45, - dup46, - ])); - - var msg179 = msg("astarosg_TVM", part187); - - var part188 = tagval("MESSAGE#179:httpd", "nwparser.payload", tvm, { - "account": "logon_id", - "action": "action", - "ad_domain": "fld5", - "app-id": "fld20", - "application": "fld19", - "attributes": "obj_name", - "auth": "fld15", - "authtime": "fld9", - "avscantime": "fld12", - "cached": "fld7", - "caller": "fld30", - "category": "policy_id", - "categoryname": 
"info", - "cattime": "fld11", - "class": "group_object", - "client": "fld3", - "content-type": "content_type", - "cookie": "web_cookie", - "count": "fld4", - "device": "fld14", - "dnstime": "fld10", - "dstip": "daddr", - "dstmac": "dmacaddr", - "dstport": "dport", - "engine": "fld31", - "error": "comments", - "exceptions": "fld17", - "extension": "web_extension", - "extra": "info", - "facility": "logon_type", - "file": "filename", - "filename": "filename", - "filteraction": "policyname", - "fullreqtime": "fld13", - "function": "action", - "fwrule": "policy_id", - "group": "group", - "host": "dhost", - "id": "rule", - "info": "context", - "initf": "sinterface", - "length": "fld25", - "line": "fld22", - "localip": "fld31", - "message": "context", - "method": "web_method", - "name": "event_description", - "node": "node", - "object": "fld6", - "outitf": "dinterface", - "port": "network_port", - "prec": "fld30", - "profile": "owner", - "proto": "fld24", - "query": "web_query", - "reason": "comments", - "referer": "web_referer", - "reputation": "fld18", - "request": "fld8", - "seq": "fld23", - "server": "daddr", - "set-cookie": "fld32", - "severity": "severity", - "size": "filename_size", - "srcip": "saddr", - "srcmac": "smacaddr", - "srcport": "sport", - "statuscode": "resultcode", - "storage": "directory", - "sub": "service", - "sys": "vsys", - "tcpflags": "fld29", - "time": "fld21", - "tos": "fld26", - "ttl": "fld28", - "type": "obj_type", - "ua": "fld16", - "uid": "uid", - "url": "url", - "user": "username", - "version": "version", - }, processor_chain([ - dup12, - dup11, - dup2, - dup45, - dup46, - ])); - - var msg180 = msg("httpd", part188); - - var part189 = match("MESSAGE#180:httpd:01", "nwparser.payload", "[%{event_log}:%{result}] [pid %{fld3}:%{fld4}] [client %{gateway}] ModSecurity: Warning. 
%{rulename->} [file \"%(unknown)\"] [line \"%{fld5}\"] [id \"%{rule}\"] [rev \"%{fld2}\"] [msg \"%{event_description}\"] [severity \"%{severity}\"] [ver \"%{version}\"] [maturity \"%{fld22}\"] [accuracy \"%{fld23}\"] [tag \"%{fld24}\"] [hostname \"%{dhost}\"] [uri \"%{web_root}\"] [unique_id \"%{operation_id}\"]%{fld25}", processor_chain([ - setc("eventcategory","1502000000"), - dup2, - dup3, - ])); - - var msg181 = msg("httpd:01", part189); - - var select18 = linear_select([ - msg180, - msg181, - ]); - - var part190 = tagval("MESSAGE#181:Sophos_Firewall", "nwparser.payload", tvm, { - "activityname": "fld9", - "appfilter_policy_id": "fld10", - "application": "application", - "application_category": "fld23", - "application_risk": "risk_num", - "application_technology": "fld11", - "appresolvedby": "fld22", - "category": "fld4", - "category_type": "fld5", - "connevent": "fld19", - "connid": "connectionid", - "contenttype": "content_type", - "dir_disp": "fld18", - "domain": "fqdn", - "dst_country_code": "location_dst", - "dst_ip": "daddr", - "dst_port": "dport", - "dstzone": "dst_zone", - "dstzonetype": "fld17", - "duration": "duration", - "exceptions": "fld8", - "fw_rule_id": "rule_uid", - "hb_health": "fld21", - "httpresponsecode": "fld7", - "iap": "id1", - "in_interface": "sinterface", - "ips_policy_id": "policy_id", - "log_component": "event_source", - "log_subtype": "category", - "log_type": "event_type", - "message": "info", - "out_interface": "dinterface", - "override_token": "fld6", - "policy_type": "fld23", - "priority": "severity", - "protocol": "protocol", - "reason": "result", - "recv_bytes": "rbytes", - "recv_pkts": "fld15", - "referer": "web_referer", - "sent_bytes": "sbytes", - "sent_pkts": "fld14", - "src_country_code": "location_src", - "src_ip": "saddr", - "src_mac": "smacaddr", - "src_port": "sport", - "srczone": "src_zone", - "srczonetype": "fld16", - "status": "event_state", - "status_code": "resultcode", - "tran_dst_ip": "dtransaddr", - 
"tran_dst_port": "dtransport", - "tran_src_ip": "stransaddr", - "tran_src_port": "stransport", - "transactionid": "id2", - "url": "url", - "user_agent": "user_agent", - "user_gp": "group", - "user_name": "username", - "vconnid": "fld20", - }, processor_chain([ - setc("eventcategory","1204000000"), - dup2, - date_time({ - dest: "event_time", - args: ["hdate","htime"], - fmts: [ - [dW,dc("-"),dG,dc("-"),dF,dH,dc(":"),dU,dc(":"),dS], - ], - }), - ])); - - var msg182 = msg("Sophos_Firewall", part190); - - var chain1 = processor_chain([ - select1, - msgid_select({ - "Sophos_Firewall": msg182, - "URID": msg38, - "afcd": msg94, - "astarosg_TVM": msg179, - "aua": msg174, - "barnyard": select13, - "confd": msg90, - "confd-sync": msg89, - "exim": select14, - "frox": select9, - "httpd": select18, - "httpproxy": select3, - "ipsec_starter": select10, - "named": select2, - "pluto": select11, - "pop3proxy": msg178, - "reverseproxy": select8, - "smtpd": select15, - "sockd": select17, - "sshd": select16, - "ulogd": msg39, - "xl2tpd": select12, - }), - ]); - - var part191 = match_copy("MESSAGE#44:reverseproxy:07/1_0", "nwparser.p0", "p0"); - -- community_id: -- registered_domain: - ignore_missing: true - ignore_failure: true - field: dns.question.name - target_field: dns.question.registered_domain - target_subdomain_field: dns.question.subdomain - target_etld_field: dns.question.top_level_domain -- registered_domain: - ignore_missing: true - ignore_failure: true - field: client.domain - target_field: client.registered_domain - target_subdomain_field: client.subdomain - target_etld_field: client.top_level_domain -- registered_domain: - ignore_missing: true - ignore_failure: true - field: server.domain - target_field: server.registered_domain - target_subdomain_field: server.subdomain - target_etld_field: server.top_level_domain -- registered_domain: - ignore_missing: true - ignore_failure: true - field: destination.domain - target_field: destination.registered_domain - 
target_subdomain_field: destination.subdomain
- target_etld_field: destination.top_level_domain
-- registered_domain:
- ignore_missing: true
- ignore_failure: true
- field: source.domain
- target_field: source.registered_domain
- target_subdomain_field: source.subdomain
- target_etld_field: source.top_level_domain
-- registered_domain:
- ignore_missing: true
- ignore_failure: true
- field: url.domain
- target_field: url.registered_domain
- target_subdomain_field: url.subdomain
- target_etld_field: url.top_level_domain
-- add_locale: ~
diff --git a/packages/sophos/2.4.1/data_stream/utm/agent/stream/tcp.yml.hbs b/packages/sophos/2.4.1/data_stream/utm/agent/stream/tcp.yml.hbs
deleted file mode 100755
index 1de04c8c77..0000000000
--- a/packages/sophos/2.4.1/data_stream/utm/agent/stream/tcp.yml.hbs
+++ /dev/null
@@ -1,5069 +0,0 @@ -tcp: -host: "{{tcp_host}}:{{tcp_port}}" -tags: -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#each tags as |tag i|}} - - {{tag}} -{{/each}} -fields_under_root: true -fields: - observer: - vendor: "Sophos" - product: "UTM" - type: "Firewall" -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} -processors: -{{#if processors}} -{{processors}} -{{/if}} -- script: - lang: javascript - params: - ecs: true - rsa: {{rsa_fields}} - tz_offset: {{tz_offset}} - keep_raw: {{keep_raw_fields}} - debug: {{debug}} - source: | - // Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - // or more contributor license agreements. Licensed under the Elastic License; - // you may not use this file except in compliance with the Elastic License. - - /* jshint -W014,-W016,-W097,-W116 */ - - var processor = require("processor"); - var console = require("console"); - - var FLAG_FIELD = "log.flags"; - var FIELDS_OBJECT = "nwparser"; - var FIELDS_PREFIX = FIELDS_OBJECT + "."; - - var defaults = { - debug: false, - ecs: true, - rsa: false, - keep_raw: false, - tz_offset: "local", - strip_priority: true - }; - - var saved_flags = null; - var debug; - var map_ecs; - var map_rsa; - var keep_raw; - var device; - var tz_offset; - var strip_priority; - - // Register params from configuration. - function register(params) { - debug = params.debug !== undefined ? params.debug : defaults.debug; - map_ecs = params.ecs !== undefined ? params.ecs : defaults.ecs; - map_rsa = params.rsa !== undefined ? params.rsa : defaults.rsa; - keep_raw = params.keep_raw !== undefined ? params.keep_raw : defaults.keep_raw; - tz_offset = parse_tz_offset(params.tz_offset !== undefined? params.tz_offset : defaults.tz_offset); - strip_priority = params.strip_priority !== undefined? 
params.strip_priority : defaults.strip_priority; - device = new DeviceProcessor(); - } - - function parse_tz_offset(offset) { - var date; - var m; - switch(offset) { - // local uses the tz offset from the JS VM. - case "local": - date = new Date(); - // Reversing the sign as we the offset from UTC, not to UTC. - return parse_local_tz_offset(-date.getTimezoneOffset()); - // event uses the tz offset from event.timezone (add_locale processor). - case "event": - return offset; - // Otherwise a tz offset in the form "[+-][0-9]{4}" is required. - default: - m = offset.match(/^([+\-])([0-9]{2}):?([0-9]{2})?$/); - if (m === null || m.length !== 4) { - throw("bad timezone offset: '" + offset + "'. Must have the form +HH:MM"); - } - return m[1] + m[2] + ":" + (m[3]!==undefined? m[3] : "00"); - } - } - - function parse_local_tz_offset(minutes) { - var neg = minutes < 0; - minutes = Math.abs(minutes); - var min = minutes % 60; - var hours = Math.floor(minutes / 60); - var pad2digit = function(n) { - if (n < 10) { return "0" + n;} - return "" + n; - }; - return (neg? "-" : "+") + pad2digit(hours) + ":" + pad2digit(min); - } - - function process(evt) { - // Function register is only called by the processor when `params` are set - // in the processor config. - if (device === undefined) { - register(defaults); - } - return device.process(evt); - } - - function processor_chain(subprocessors) { - var builder = new processor.Chain(); - subprocessors.forEach(builder.Add); - return builder.Build().Run; - } - - function linear_select(subprocessors) { - return function (evt) { - var flags = evt.Get(FLAG_FIELD); - var i; - for (i = 0; i < subprocessors.length; i++) { - evt.Delete(FLAG_FIELD); - if (debug) console.warn("linear_select trying entry " + i); - subprocessors[i](evt); - // Dissect processor succeeded? 
- if (evt.Get(FLAG_FIELD) == null) break; - if (debug) console.warn("linear_select failed entry " + i); - } - if (flags !== null) { - evt.Put(FLAG_FIELD, flags); - } - if (debug) { - if (i < subprocessors.length) { - console.warn("linear_select matched entry " + i); - } else { - console.warn("linear_select didn't match"); - } - } - }; - } - - function conditional(opt) { - return function(evt) { - if (opt.if(evt)) { - opt.then(evt); - } else if (opt.else) { - opt.else(evt); - } - }; - } - - var strip_syslog_priority = (function() { - var isEnabled = function() { return strip_priority === true; }; - var fetchPRI = field("_pri"); - var fetchPayload = field("payload"); - var removePayload = remove(["payload"]); - var cleanup = remove(["_pri", "payload"]); - var onMatch = function(evt) { - var pri, priStr = fetchPRI(evt); - if (priStr != null - && 0 < priStr.length && priStr.length < 4 - && !isNaN((pri = Number(priStr))) - && 0 <= pri && pri < 192) { - var severity = pri & 7, - facility = pri >> 3; - setc("_severity", "" + severity)(evt); - setc("_facility", "" + facility)(evt); - // Replace message with priority stripped. - evt.Put("message", fetchPayload(evt)); - removePayload(evt); - } else { - // not a valid syslog PRI, cleanup. 
- cleanup(evt); - } - }; - return conditional({ - if: isEnabled, - then: cleanup_flags(match( - "STRIP_PRI", - "message", - "<%{_pri}>%{payload}", - onMatch - )) - }); - })(); - - function match(id, src, pattern, on_success) { - var dissect = new processor.Dissect({ - field: src, - tokenizer: pattern, - target_prefix: FIELDS_OBJECT, - ignore_failure: true, - overwrite_keys: true, - trim_values: "right" - }); - return function (evt) { - var msg = evt.Get(src); - dissect.Run(evt); - var failed = evt.Get(FLAG_FIELD) != null; - if (debug) { - if (failed) { - console.debug("dissect fail: " + id + " field:" + src); - } else { - console.debug("dissect OK: " + id + " field:" + src); - } - console.debug(" expr: <<" + pattern + ">>"); - console.debug(" input: <<" + msg + ">>"); - } - if (on_success != null && !failed) { - on_success(evt); - } - }; - } - - function match_copy(id, src, dst, on_success) { - dst = FIELDS_PREFIX + dst; - if (dst === FIELDS_PREFIX || dst === src) { - return function (evt) { - if (debug) { - console.debug("noop OK: " + id + " field:" + src); - console.debug(" input: <<" + evt.Get(src) + ">>"); - } - if (on_success != null) on_success(evt); - } - } - return function (evt) { - var msg = evt.Get(src); - evt.Put(dst, msg); - if (debug) { - console.debug("copy OK: " + id + " field:" + src); - console.debug(" target: '" + dst + "'"); - console.debug(" input: <<" + msg + ">>"); - } - if (on_success != null) on_success(evt); - } - } - - function cleanup_flags(processor) { - return function(evt) { - processor(evt); - evt.Delete(FLAG_FIELD); - }; - } - - function all_match(opts) { - return function (evt) { - var i; - for (i = 0; i < opts.processors.length; i++) { - evt.Delete(FLAG_FIELD); - opts.processors[i](evt); - // Dissect processor succeeded? 
- if (evt.Get(FLAG_FIELD) != null) { - if (debug) console.warn("all_match failure at " + i); - if (opts.on_failure != null) opts.on_failure(evt); - return; - } - if (debug) console.warn("all_match success at " + i); - } - if (opts.on_success != null) opts.on_success(evt); - }; - } - - function msgid_select(mapping) { - return function (evt) { - var msgid = evt.Get(FIELDS_PREFIX + "messageid"); - if (msgid == null) { - if (debug) console.warn("msgid_select: no messageid captured!"); - return; - } - var next = mapping[msgid]; - if (next === undefined) { - if (debug) console.warn("msgid_select: no mapping for messageid:" + msgid); - return; - } - if (debug) console.info("msgid_select: matched key=" + msgid); - return next(evt); - }; - } - - function msg(msg_id, match) { - return function (evt) { - match(evt); - if (evt.Get(FLAG_FIELD) == null) { - evt.Put(FIELDS_PREFIX + "msg_id1", msg_id); - } - }; - } - - var start; - - function save_flags(evt) { - saved_flags = evt.Get(FLAG_FIELD); - evt.Put("event.original", evt.Get("message")); - } - - function restore_flags(evt) { - if (saved_flags !== null) { - evt.Put(FLAG_FIELD, saved_flags); - } - evt.Delete("message"); - } - - function constant(value) { - return function (evt) { - return value; - }; - } - - function field(name) { - var fullname = FIELDS_PREFIX + name; - return function (evt) { - return evt.Get(fullname); - }; - } - - function STRCAT(args) { - var s = ""; - var i; - for (i = 0; i < args.length; i++) { - s += args[i]; - } - return s; - } - - // TODO: Implement - function DIRCHK(args) { - unimplemented("DIRCHK"); - } - - function strictToInt(str) { - return str * 1; - } - - function CALC(args) { - if (args.length !== 3) { - console.warn("skipped call to CALC with " + args.length + " arguments."); - return; - } - var a = strictToInt(args[0]); - var b = strictToInt(args[2]); - if (isNaN(a) || isNaN(b)) { - console.warn("failed evaluating CALC arguments a='" + args[0] + "' b='" + args[2] + "'."); - return; - } - 
var result; - switch (args[1]) { - case "+": - result = a + b; - break; - case "-": - result = a - b; - break; - case "*": - result = a * b; - break; - default: - // Only * and + seen in the parsers. - console.warn("unknown CALC operation '" + args[1] + "'."); - return; - } - // Always return a string - return result !== undefined ? "" + result : result; - } - - var quoteChars = "\"'`"; - function RMQ(args) { - if(args.length !== 1) { - console.warn("RMQ: only one argument expected"); - return; - } - var value = args[0].trim(); - var n = value.length; - var char; - return n > 1 - && (char=value.charAt(0)) === value.charAt(n-1) - && quoteChars.indexOf(char) !== -1? - value.substr(1, n-2) - : value; - } - - function call(opts) { - var args = new Array(opts.args.length); - return function (evt) { - for (var i = 0; i < opts.args.length; i++) - if ((args[i] = opts.args[i](evt)) == null) return; - var result = opts.fn(args); - if (result != null) { - evt.Put(opts.dest, result); - } - }; - } - - function nop(evt) { - } - - function appendErrorMsg(evt, msg) { - var value = evt.Get("error.message"); - if (value == null) { - value = [msg]; - } else if (msg instanceof Array) { - value.push(msg); - } else { - value = [value, msg]; - } - evt.Put("error.message", value); - } - - function unimplemented(name) { - appendErrorMsg("unimplemented feature: " + name); - } - - function lookup(opts) { - return function (evt) { - var key = opts.key(evt); - if (key == null) return; - var value = opts.map.keyvaluepairs[key]; - if (value === undefined) { - value = opts.map.default; - } - if (value !== undefined) { - evt.Put(opts.dest, value(evt)); - } - }; - } - - function set(fields) { - return new processor.AddFields({ - target: FIELDS_OBJECT, - fields: fields, - }); - } - - function setf(dst, src) { - return function (evt) { - var val = evt.Get(FIELDS_PREFIX + src); - if (val != null) evt.Put(FIELDS_PREFIX + dst, val); - }; - } - - function setc(dst, value) { - return function (evt) { - 
evt.Put(FIELDS_PREFIX + dst, value); - }; - } - - function set_field(opts) { - return function (evt) { - var val = opts.value(evt); - if (val != null) evt.Put(opts.dest, val); - }; - } - - function dump(label) { - return function (evt) { - console.log("Dump of event at " + label + ": " + JSON.stringify(evt, null, "\t")); - }; - } - - function date_time_join_args(evt, arglist) { - var str = ""; - for (var i = 0; i < arglist.length; i++) { - var fname = FIELDS_PREFIX + arglist[i]; - var val = evt.Get(fname); - if (val != null) { - if (str !== "") str += " "; - str += val; - } else { - if (debug) console.warn("in date_time: input arg " + fname + " is not set"); - } - } - return str; - } - - function to2Digit(num) { - return num? (num < 10? "0" + num : num) : "00"; - } - - // Make two-digit dates 00-69 interpreted as 2000-2069 - // and dates 70-99 translated to 1970-1999. - var twoDigitYearEpoch = 70; - var twoDigitYearCentury = 2000; - - // This is to accept dates up to 2 days in the future, only used when - // no year is specified in a date. 2 days should be enough to account for - // time differences between systems and different tz offsets. - var maxFutureDelta = 2*24*60*60*1000; - - // DateContainer stores date fields and then converts those fields into - // a Date. Necessary because building a Date using its set() methods gives - // different results depending on the order of components. - function DateContainer(tzOffset) { - this.offset = tzOffset === undefined? "Z" : tzOffset; - } - - DateContainer.prototype = { - setYear: function(v) {this.year = v;}, - setMonth: function(v) {this.month = v;}, - setDay: function(v) {this.day = v;}, - setHours: function(v) {this.hours = v;}, - setMinutes: function(v) {this.minutes = v;}, - setSeconds: function(v) {this.seconds = v;}, - - setUNIX: function(v) {this.unix = v;}, - - set2DigitYear: function(v) { - this.year = v < twoDigitYearEpoch? 
twoDigitYearCentury + v : twoDigitYearCentury + v - 100; - }, - - toDate: function() { - if (this.unix !== undefined) { - return new Date(this.unix * 1000); - } - if (this.day === undefined || this.month === undefined) { - // Can't make a date from this. - return undefined; - } - if (this.year === undefined) { - // A date without a year. Set current year, or previous year - // if date would be in the future. - var now = new Date(); - this.year = now.getFullYear(); - var date = this.toDate(); - if (date.getTime() - now.getTime() > maxFutureDelta) { - date.setFullYear(now.getFullYear() - 1); - } - return date; - } - var MM = to2Digit(this.month); - var DD = to2Digit(this.day); - var hh = to2Digit(this.hours); - var mm = to2Digit(this.minutes); - var ss = to2Digit(this.seconds); - return new Date(this.year + "-" + MM + "-" + DD + "T" + hh + ":" + mm + ":" + ss + this.offset); - } - } - - function date_time_try_pattern(fmt, str, tzOffset) { - var date = new DateContainer(tzOffset); - var pos = date_time_try_pattern_at_pos(fmt, str, 0, date); - return pos !== undefined? 
date.toDate() : undefined; - } - - function date_time_try_pattern_at_pos(fmt, str, pos, date) { - var len = str.length; - for (var proc = 0; pos !== undefined && pos < len && proc < fmt.length; proc++) { - pos = fmt[proc](str, pos, date); - } - return pos; - } - - function date_time(opts) { - return function (evt) { - var tzOffset = opts.tz || tz_offset; - if (tzOffset === "event") { - tzOffset = evt.Get("event.timezone"); - } - var str = date_time_join_args(evt, opts.args); - for (var i = 0; i < opts.fmts.length; i++) { - var date = date_time_try_pattern(opts.fmts[i], str, tzOffset); - if (date !== undefined) { - evt.Put(FIELDS_PREFIX + opts.dest, date); - return; - } - } - if (debug) console.warn("in date_time: id=" + opts.id + " FAILED: " + str); - }; - } - - var uA = 60 * 60 * 24; - var uD = 60 * 60 * 24; - var uF = 60 * 60; - var uG = 60 * 60 * 24 * 30; - var uH = 60 * 60; - var uI = 60 * 60; - var uJ = 60 * 60 * 24; - var uM = 60 * 60 * 24 * 30; - var uN = 60 * 60; - var uO = 1; - var uS = 1; - var uT = 60; - var uU = 60; - var uc = dc; - - function duration(opts) { - return function(evt) { - var str = date_time_join_args(evt, opts.args); - for (var i = 0; i < opts.fmts.length; i++) { - var seconds = duration_try_pattern(opts.fmts[i], str); - if (seconds !== undefined) { - evt.Put(FIELDS_PREFIX + opts.dest, seconds); - return; - } - } - if (debug) console.warn("in duration: id=" + opts.id + " (s) FAILED: " + str); - }; - } - - function duration_try_pattern(fmt, str) { - var secs = 0; - var pos = 0; - for (var i=0; i [ month_id , how many chars to skip if month in long form ] - "Jan": [0, 4], - "Feb": [1, 5], - "Mar": [2, 2], - "Apr": [3, 2], - "May": [4, 0], - "Jun": [5, 1], - "Jul": [6, 1], - "Aug": [7, 3], - "Sep": [8, 6], - "Oct": [9, 4], - "Nov": [10, 5], - "Dec": [11, 4], - "jan": [0, 4], - "feb": [1, 5], - "mar": [2, 2], - "apr": [3, 2], - "may": [4, 0], - "jun": [5, 1], - "jul": [6, 1], - "aug": [7, 3], - "sep": [8, 6], - "oct": [9, 4], - "nov": [10, 
5], - "dec": [11, 4], - }; - - // var dC = undefined; - var dR = dateMonthName(true); - var dB = dateMonthName(false); - var dM = dateFixedWidthNumber("M", 2, 1, 12, DateContainer.prototype.setMonth); - var dG = dateVariableWidthNumber("G", 1, 12, DateContainer.prototype.setMonth); - var dD = dateFixedWidthNumber("D", 2, 1, 31, DateContainer.prototype.setDay); - var dF = dateVariableWidthNumber("F", 1, 31, DateContainer.prototype.setDay); - var dH = dateFixedWidthNumber("H", 2, 0, 24, DateContainer.prototype.setHours); - var dI = dateVariableWidthNumber("I", 0, 24, DateContainer.prototype.setHours); // Accept hours >12 - var dN = dateVariableWidthNumber("N", 0, 24, DateContainer.prototype.setHours); - var dT = dateFixedWidthNumber("T", 2, 0, 59, DateContainer.prototype.setMinutes); - var dU = dateVariableWidthNumber("U", 0, 59, DateContainer.prototype.setMinutes); - var dP = parseAMPM; // AM|PM - var dQ = parseAMPM; // A.M.|P.M - var dS = dateFixedWidthNumber("S", 2, 0, 60, DateContainer.prototype.setSeconds); - var dO = dateVariableWidthNumber("O", 0, 60, DateContainer.prototype.setSeconds); - var dY = dateFixedWidthNumber("Y", 2, 0, 99, DateContainer.prototype.set2DigitYear); - var dW = dateFixedWidthNumber("W", 4, 1000, 9999, DateContainer.prototype.setYear); - var dZ = parseHMS; - var dX = dateVariableWidthNumber("X", 0, 0x10000000000, DateContainer.prototype.setUNIX); - - // parseAMPM parses "A.M", "AM", "P.M", "PM" from logs. - // Only works if this modifier appears after the hour has been read from logs - // which is always the case in the 300 devices. 
- function parseAMPM(str, pos, date) { - var n = str.length; - var start = skipws(str, pos); - if (start + 2 > n) return; - var head = str.substr(start, 2).toUpperCase(); - var isPM = false; - var skip = false; - switch (head) { - case "A.": - skip = true; - /* falls through */ - case "AM": - break; - case "P.": - skip = true; - /* falls through */ - case "PM": - isPM = true; - break; - default: - if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(head:" + head + ")"); - return; - } - pos = start + 2; - if (skip) { - if (pos+2 > n || str.substr(pos, 2).toUpperCase() !== "M.") { - if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(tail)"); - return; - } - pos += 2; - } - var hh = date.hours; - if (isPM) { - // Accept existing hour in 24h format. - if (hh < 12) hh += 12; - } else { - if (hh === 12) hh = 0; - } - date.setHours(hh); - return pos; - } - - function parseHMS(str, pos, date) { - return date_time_try_pattern_at_pos([dN, dc(":"), dU, dc(":"), dO], str, pos, date); - } - - function skipws(str, pos) { - for ( var n = str.length; - pos < n && str.charAt(pos) === " "; - pos++) - ; - return pos; - } - - function skipdigits(str, pos) { - var c; - for (var n = str.length; - pos < n && (c = str.charAt(pos)) >= "0" && c <= "9"; - pos++) - ; - return pos; - } - - function dSkip(str, pos, date) { - var chr; - for (;pos < str.length && (chr=str[pos])<'0' || chr>'9'; pos++) {} - return pos < str.length? 
pos : undefined; - } - - function dateVariableWidthNumber(fmtChar, min, max, setter) { - return function (str, pos, date) { - var start = skipws(str, pos); - pos = skipdigits(str, start); - var s = str.substr(start, pos - start); - var value = parseInt(s, 10); - if (value >= min && value <= max) { - setter.call(date, value); - return pos; - } - return; - }; - } - - function dateFixedWidthNumber(fmtChar, width, min, max, setter) { - return function (str, pos, date) { - pos = skipws(str, pos); - var n = str.length; - if (pos + width > n) return; - var s = str.substr(pos, width); - var value = parseInt(s, 10); - if (value >= min && value <= max) { - setter.call(date, value); - return pos + width; - } - return; - }; - } - - // Short month name (Jan..Dec). - function dateMonthName(long) { - return function (str, pos, date) { - pos = skipws(str, pos); - var n = str.length; - if (pos + 3 > n) return; - var mon = str.substr(pos, 3); - var idx = shortMonths[mon]; - if (idx === undefined) { - idx = shortMonths[mon.toLowerCase()]; - } - if (idx === undefined) { - //console.warn("parsing date_time: '" + mon + "' is not a valid short month (%B)"); - return; - } - date.setMonth(idx[0]+1); - return pos + 3 + (long ? 
idx[1] : 0); - }; - } - - function url_wrapper(dst, src, fn) { - return function(evt) { - var value = evt.Get(FIELDS_PREFIX + src), result; - if (value != null && (result = fn(value))!== undefined) { - evt.Put(FIELDS_PREFIX + dst, result); - } else { - console.debug(fn.name + " failed for '" + value + "'"); - } - }; - } - - // The following regular expression for parsing URLs from: - // https://github.com/wizard04wsu/URI_Parsing - // - // The MIT License (MIT) - // - // Copyright (c) 2014 Andrew Harrison - // - // Permission is hereby granted, free of charge, to any person obtaining a copy of - // this software and associated documentation files (the "Software"), to deal in - // the Software without restriction, including without limitation the rights to - // use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of - // the Software, and to permit persons to whom the Software is furnished to do so, - // subject to the following conditions: - // - // The above copyright notice and this permission notice shall be included in all - // copies or substantial portions of the Software. - // - // THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR - // IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS - // FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR - // COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER - // IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN - // CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 
- var uriRegExp = /^([a-z][a-z0-9+.\-]*):(?:\/\/((?:(?=((?:[a-z0-9\-._~!$&'()*+,;=:]|%[0-9A-F]{2})*))(\3)@)?(?=(\[[0-9A-F:.]{2,}\]|(?:[a-z0-9\-._~!$&'()*+,;=]|%[0-9A-F]{2})*))\5(?::(?=(\d*))\6)?)(\/(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\8)?|(\/?(?!\/)(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\10)?)(?:\?(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\11)?(?:#(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\12)?$/i; - - var uriScheme = 1; - var uriDomain = 5; - var uriPort = 6; - var uriPath = 7; - var uriPathAlt = 9; - var uriQuery = 11; - - function domain(dst, src) { - return url_wrapper(dst, src, extract_domain); - } - - function split_url(value) { - var m = value.match(uriRegExp); - if (m && m[uriDomain]) return m; - // Support input in the form "www.example.net/path", but not "/path". - m = ("null://" + value).match(uriRegExp); - if (m) return m; - } - - function extract_domain(value) { - var m = split_url(value); - if (m && m[uriDomain]) return m[uriDomain]; - } - - var extFromPage = /\.[^.]+$/; - function extract_ext(value) { - var page = extract_page(value); - if (page) { - var m = page.match(extFromPage); - if (m) return m[0]; - } - } - - function ext(dst, src) { - return url_wrapper(dst, src, extract_ext); - } - - function fqdn(dst, src) { - // TODO: fqdn and domain(eTLD+1) are currently the same. - return domain(dst, src); - } - - var pageFromPathRegExp = /\/([^\/]+)$/; - var pageName = 1; - - function extract_page(value) { - value = extract_path(value); - if (!value) return undefined; - var m = value.match(pageFromPathRegExp); - if (m) return m[pageName]; - } - - function page(dst, src) { - return url_wrapper(dst, src, extract_page); - } - - function extract_path(value) { - var m = split_url(value); - return m? m[uriPath] || m[uriPathAlt] : undefined; - } - - function path(dst, src) { - return url_wrapper(dst, src, extract_path); - } - - // Map common schemes to their default port. 
- // port has to be a string (will be converted at a later stage). - var schemePort = { - "ftp": "21", - "ssh": "22", - "http": "80", - "https": "443", - }; - - function extract_port(value) { - var m = split_url(value); - if (!m) return undefined; - if (m[uriPort]) return m[uriPort]; - if (m[uriScheme]) { - return schemePort[m[uriScheme]]; - } - } - - function port(dst, src) { - return url_wrapper(dst, src, extract_port); - } - - function extract_query(value) { - var m = split_url(value); - if (m && m[uriQuery]) return m[uriQuery]; - } - - function query(dst, src) { - return url_wrapper(dst, src, extract_query); - } - - function extract_root(value) { - var m = split_url(value); - if (m && m[uriDomain] && m[uriDomain]) { - var scheme = m[uriScheme] && m[uriScheme] !== "null"? - m[uriScheme] + "://" : ""; - var port = m[uriPort]? ":" + m[uriPort] : ""; - return scheme + m[uriDomain] + port; - } - } - - function root(dst, src) { - return url_wrapper(dst, src, extract_root); - } - - function tagval(id, src, cfg, keys, on_success) { - var fail = function(evt) { - evt.Put(FLAG_FIELD, "tagval_parsing_error"); - } - if (cfg.kv_separator.length !== 1) { - throw("Invalid TAGVALMAP ValueDelimiter (must have 1 character)"); - } - var quotes_len = cfg.open_quote.length > 0 && cfg.close_quote.length > 0? 
- cfg.open_quote.length + cfg.close_quote.length : 0; - var kv_regex = new RegExp('^([^' + cfg.kv_separator + ']*)*' + cfg.kv_separator + ' *(.*)*$'); - return function(evt) { - var msg = evt.Get(src); - if (msg === undefined) { - console.warn("tagval: input field is missing"); - return fail(evt); - } - var pairs = msg.split(cfg.pair_separator); - var i; - var success = false; - var prev = ""; - for (i=0; i 0 && - value.length >= cfg.open_quote.length + cfg.close_quote.length && - value.substr(0, cfg.open_quote.length) === cfg.open_quote && - value.substr(value.length - cfg.close_quote.length) === cfg.close_quote) { - value = value.substr(cfg.open_quote.length, value.length - quotes_len); - } - evt.Put(FIELDS_PREFIX + field, value); - success = true; - } - if (!success) { - return fail(evt); - } - if (on_success != null) { - on_success(evt); - } - } - } - - var ecs_mappings = { - "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]}, - "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]}, - "_severity": {convert: to_long, to:[{field: "log.syslog.severity.code", setter: fld_set}]}, - "action": {to:[{field: "event.action", setter: fld_prio, prio: 0}]}, - "administrator": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 4}]}, - "alias.ip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 3},{field: "related.ip", setter: fld_append}]}, - "alias.ipv6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 4},{field: "related.ip", setter: fld_append}]}, - "alias.mac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 1}]}, - "application": {to:[{field: "network.application", setter: fld_set}]}, - "bytes": {convert: to_long, to:[{field: "network.bytes", setter: fld_set}]}, - "c_domain": {to:[{field: "source.domain", setter: fld_prio, prio: 1}]}, - "c_logon_id": {to:[{field: "user.id", setter: fld_prio, prio: 2}]}, - 
"c_user_name": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 8}]}, - "c_username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 2}]}, - "cctld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 1}]}, - "child_pid": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 1}]}, - "child_pid_val": {to:[{field: "process.title", setter: fld_set}]}, - "child_process": {to:[{field: "process.name", setter: fld_prio, prio: 1}]}, - "city.dst": {to:[{field: "destination.geo.city_name", setter: fld_set}]}, - "city.src": {to:[{field: "source.geo.city_name", setter: fld_set}]}, - "daddr": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, - "daddr_v6": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, - "ddomain": {to:[{field: "destination.domain", setter: fld_prio, prio: 0}]}, - "devicehostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, - "devicehostmac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 0}]}, - "dhost": {to:[{field: "destination.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]}, - "dinterface": {to:[{field: "observer.egress.interface.name", setter: fld_set}]}, - "direction": {to:[{field: "network.direction", setter: fld_set}]}, - "directory": {to:[{field: "file.directory", setter: fld_set}]}, - "dmacaddr": {convert: to_mac, to:[{field: "destination.mac", setter: fld_set}]}, - "dns.responsetype": {to:[{field: "dns.answers.type", setter: fld_set}]}, - "dns.resptext": {to:[{field: "dns.answers.name", setter: fld_set}]}, - "dns_querytype": {to:[{field: "dns.question.type", setter: fld_set}]}, - "domain": {to:[{field: "server.domain", setter: fld_prio, prio: 0},{field: "related.hosts", setter: fld_append}]}, - 
"domain.dst": {to:[{field: "destination.domain", setter: fld_prio, prio: 1}]}, - "domain.src": {to:[{field: "source.domain", setter: fld_prio, prio: 2}]}, - "domain_id": {to:[{field: "user.domain", setter: fld_set}]}, - "domainname": {to:[{field: "server.domain", setter: fld_prio, prio: 1}]}, - "dport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 0}]}, - "dtransaddr": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, - "dtransport": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 0}]}, - "ec_outcome": {to:[{field: "event.outcome", setter: fld_ecs_outcome}]}, - "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]}, - "event_source": {to:[{field: "related.hosts", setter: fld_append}]}, - "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]}, - "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]}, - "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]}, - "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]}, - "filename": {to:[{field: "file.name", setter: fld_prio, prio: 0}]}, - "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]}, - "filepath": {to:[{field: "file.path", setter: fld_set}]}, - "filetype": {to:[{field: "file.type", setter: fld_set}]}, - "fqdn": {to:[{field: "related.hosts", setter: fld_append}]}, - "group": {to:[{field: "group.name", setter: fld_set}]}, - "groupid": {to:[{field: "group.id", setter: fld_set}]}, - "host": {to:[{field: "host.name", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]}, - "hostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, - "hostip_v6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, - "hostname": {to:[{field: 
"host.name", setter: fld_prio, prio: 0}]}, - "id": {to:[{field: "event.code", setter: fld_prio, prio: 0}]}, - "interface": {to:[{field: "network.interface.name", setter: fld_set}]}, - "ip.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, - "ip.trans.dst": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, - "ip.trans.src": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, - "ipv6.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, - "latdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lat", setter: fld_set}]}, - "latdec_src": {convert: to_double, to:[{field: "source.geo.location.lat", setter: fld_set}]}, - "location_city": {to:[{field: "geo.city_name", setter: fld_set}]}, - "location_country": {to:[{field: "geo.country_name", setter: fld_set}]}, - "location_desc": {to:[{field: "geo.name", setter: fld_set}]}, - "location_dst": {to:[{field: "destination.geo.country_name", setter: fld_set}]}, - "location_src": {to:[{field: "source.geo.country_name", setter: fld_set}]}, - "location_state": {to:[{field: "geo.region_name", setter: fld_set}]}, - "logon_id": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 5}]}, - "longdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lon", setter: fld_set}]}, - "longdec_src": {convert: to_double, to:[{field: "source.geo.location.lon", setter: fld_set}]}, - "macaddr": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 2}]}, - "messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]}, - "method": {to:[{field: "http.request.method", setter: fld_set}]}, - "msg": {to:[{field: "message", setter: fld_set}]}, - "orig_ip": {convert: to_ip, 
to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, - "owner": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 6}]}, - "packets": {convert: to_long, to:[{field: "network.packets", setter: fld_set}]}, - "parent_pid": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 0}]}, - "parent_pid_val": {to:[{field: "process.parent.title", setter: fld_set}]}, - "parent_process": {to:[{field: "process.parent.name", setter: fld_prio, prio: 0}]}, - "patient_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 1}]}, - "port.dst": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 1}]}, - "port.src": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 1}]}, - "port.trans.dst": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 1}]}, - "port.trans.src": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 1}]}, - "process": {to:[{field: "process.name", setter: fld_prio, prio: 0}]}, - "process_id": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 0}]}, - "process_id_src": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 1}]}, - "process_src": {to:[{field: "process.parent.name", setter: fld_prio, prio: 1}]}, - "product": {to:[{field: "observer.product", setter: fld_set}]}, - "protocol": {to:[{field: "network.protocol", setter: fld_set}]}, - "query": {to:[{field: "url.query", setter: fld_prio, prio: 2}]}, - "rbytes": {convert: to_long, to:[{field: "destination.bytes", setter: fld_set}]}, - "referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 1}]}, - "rulename": {to:[{field: "rule.name", setter: fld_set}]}, - "saddr": {convert: to_ip, to:[{field: "source.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, - "saddr_v6": {convert: to_ip, to:[{field: "source.ip", setter: 
fld_set},{field: "related.ip", setter: fld_append}]}, - "sbytes": {convert: to_long, to:[{field: "source.bytes", setter: fld_set}]}, - "sdomain": {to:[{field: "source.domain", setter: fld_prio, prio: 0}]}, - "service": {to:[{field: "service.name", setter: fld_prio, prio: 1}]}, - "service.name": {to:[{field: "service.name", setter: fld_prio, prio: 0}]}, - "service_account": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 7}]}, - "severity": {to:[{field: "log.level", setter: fld_set}]}, - "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]}, - "sinterface": {to:[{field: "observer.ingress.interface.name", setter: fld_set}]}, - "sld": {to:[{field: "url.registered_domain", setter: fld_set}]}, - "smacaddr": {convert: to_mac, to:[{field: "source.mac", setter: fld_set}]}, - "sport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 0}]}, - "stransaddr": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, - "stransport": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 0}]}, - "tcp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 2}]}, - "tcp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 2}]}, - "timezone": {to:[{field: "event.timezone", setter: fld_set}]}, - "tld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 0}]}, - "udp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 3}]}, - "udp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 3}]}, - "uid": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 3}]}, - "url": {to:[{field: "url.original", setter: fld_prio, prio: 1}]}, - "url_raw": {to:[{field: "url.original", setter: fld_prio, prio: 
0}]}, - "urldomain": {to:[{field: "url.domain", setter: fld_prio, prio: 0}]}, - "urlquery": {to:[{field: "url.query", setter: fld_prio, prio: 0}]}, - "user": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 0}]}, - "user.id": {to:[{field: "user.id", setter: fld_prio, prio: 1}]}, - "user_agent": {to:[{field: "user_agent.original", setter: fld_set}]}, - "user_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 0}]}, - "user_id": {to:[{field: "user.id", setter: fld_prio, prio: 0}]}, - "username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 1}]}, - "version": {to:[{field: "observer.version", setter: fld_set}]}, - "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]}, - "web_extension": {to:[{field: "file.extension", setter: fld_prio, prio: 0}]}, - "web_query": {to:[{field: "url.query", setter: fld_prio, prio: 1}]}, - "web_ref_domain": {to:[{field: "related.hosts", setter: fld_append}]}, - "web_referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 0}]}, - "web_root": {to:[{field: "url.path", setter: fld_set}]}, - "webpage": {to:[{field: "file.name", setter: fld_prio, prio: 1}]}, - }; - - var rsa_mappings = { - "access_point": {to:[{field: "rsa.wireless.access_point", setter: fld_set}]}, - "accesses": {to:[{field: "rsa.identity.accesses", setter: fld_set}]}, - "acl_id": {to:[{field: "rsa.misc.acl_id", setter: fld_set}]}, - "acl_op": {to:[{field: "rsa.misc.acl_op", setter: fld_set}]}, - "acl_pos": {to:[{field: "rsa.misc.acl_pos", setter: fld_set}]}, - "acl_table": {to:[{field: "rsa.misc.acl_table", setter: fld_set}]}, - "action": {to:[{field: "rsa.misc.action", setter: fld_append}]}, - "ad_computer_dst": {to:[{field: "rsa.network.ad_computer_dst", setter: fld_set}]}, - "addr": {to:[{field: "rsa.network.addr", setter: fld_set}]}, - "admin": {to:[{field: "rsa.misc.admin", setter: 
fld_set}]}, - "agent": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 0}]}, - "agent.id": {to:[{field: "rsa.misc.agent_id", setter: fld_set}]}, - "alarm_id": {to:[{field: "rsa.misc.alarm_id", setter: fld_set}]}, - "alarmname": {to:[{field: "rsa.misc.alarmname", setter: fld_set}]}, - "alert": {to:[{field: "rsa.threat.alert", setter: fld_set}]}, - "alert_id": {to:[{field: "rsa.misc.alert_id", setter: fld_set}]}, - "alias.host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "analysis.file": {to:[{field: "rsa.investigations.analysis_file", setter: fld_set}]}, - "analysis.service": {to:[{field: "rsa.investigations.analysis_service", setter: fld_set}]}, - "analysis.session": {to:[{field: "rsa.investigations.analysis_session", setter: fld_set}]}, - "app_id": {to:[{field: "rsa.misc.app_id", setter: fld_set}]}, - "attachment": {to:[{field: "rsa.file.attachment", setter: fld_set}]}, - "audit": {to:[{field: "rsa.misc.audit", setter: fld_set}]}, - "audit_class": {to:[{field: "rsa.internal.audit_class", setter: fld_set}]}, - "audit_object": {to:[{field: "rsa.misc.audit_object", setter: fld_set}]}, - "auditdata": {to:[{field: "rsa.misc.auditdata", setter: fld_set}]}, - "authmethod": {to:[{field: "rsa.identity.auth_method", setter: fld_set}]}, - "autorun_type": {to:[{field: "rsa.misc.autorun_type", setter: fld_set}]}, - "bcc": {to:[{field: "rsa.email.email", setter: fld_append}]}, - "benchmark": {to:[{field: "rsa.misc.benchmark", setter: fld_set}]}, - "binary": {to:[{field: "rsa.file.binary", setter: fld_set}]}, - "boc": {to:[{field: "rsa.investigations.boc", setter: fld_set}]}, - "bssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 1}]}, - "bypass": {to:[{field: "rsa.misc.bypass", setter: fld_set}]}, - "c_sid": {to:[{field: "rsa.identity.user_sid_src", setter: fld_set}]}, - "cache": {to:[{field: "rsa.misc.cache", setter: fld_set}]}, - "cache_hit": {to:[{field: "rsa.misc.cache_hit", setter: fld_set}]}, - "calling_from": {to:[{field: 
"rsa.misc.phone", setter: fld_prio, prio: 1}]}, - "calling_to": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 0}]}, - "category": {to:[{field: "rsa.misc.category", setter: fld_set}]}, - "cc": {to:[{field: "rsa.email.email", setter: fld_append}]}, - "cc.number": {convert: to_long, to:[{field: "rsa.misc.cc_number", setter: fld_set}]}, - "cefversion": {to:[{field: "rsa.misc.cefversion", setter: fld_set}]}, - "cert.serial": {to:[{field: "rsa.crypto.cert_serial", setter: fld_set}]}, - "cert_ca": {to:[{field: "rsa.crypto.cert_ca", setter: fld_set}]}, - "cert_checksum": {to:[{field: "rsa.crypto.cert_checksum", setter: fld_set}]}, - "cert_common": {to:[{field: "rsa.crypto.cert_common", setter: fld_set}]}, - "cert_error": {to:[{field: "rsa.crypto.cert_error", setter: fld_set}]}, - "cert_hostname": {to:[{field: "rsa.crypto.cert_host_name", setter: fld_set}]}, - "cert_hostname_cat": {to:[{field: "rsa.crypto.cert_host_cat", setter: fld_set}]}, - "cert_issuer": {to:[{field: "rsa.crypto.cert_issuer", setter: fld_set}]}, - "cert_keysize": {to:[{field: "rsa.crypto.cert_keysize", setter: fld_set}]}, - "cert_status": {to:[{field: "rsa.crypto.cert_status", setter: fld_set}]}, - "cert_subject": {to:[{field: "rsa.crypto.cert_subject", setter: fld_set}]}, - "cert_username": {to:[{field: "rsa.crypto.cert_username", setter: fld_set}]}, - "cfg.attr": {to:[{field: "rsa.misc.cfg_attr", setter: fld_set}]}, - "cfg.obj": {to:[{field: "rsa.misc.cfg_obj", setter: fld_set}]}, - "cfg.path": {to:[{field: "rsa.misc.cfg_path", setter: fld_set}]}, - "change_attribute": {to:[{field: "rsa.misc.change_attrib", setter: fld_set}]}, - "change_new": {to:[{field: "rsa.misc.change_new", setter: fld_set}]}, - "change_old": {to:[{field: "rsa.misc.change_old", setter: fld_set}]}, - "changes": {to:[{field: "rsa.misc.changes", setter: fld_set}]}, - "checksum": {to:[{field: "rsa.misc.checksum", setter: fld_set}]}, - "checksum.dst": {to:[{field: "rsa.misc.checksum_dst", setter: fld_set}]}, - "checksum.src": 
{to:[{field: "rsa.misc.checksum_src", setter: fld_set}]}, - "cid": {to:[{field: "rsa.internal.cid", setter: fld_set}]}, - "client": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 1}]}, - "client_ip": {to:[{field: "rsa.misc.client_ip", setter: fld_set}]}, - "clustermembers": {to:[{field: "rsa.misc.clustermembers", setter: fld_set}]}, - "cmd": {to:[{field: "rsa.misc.cmd", setter: fld_set}]}, - "cn_acttimeout": {to:[{field: "rsa.misc.cn_acttimeout", setter: fld_set}]}, - "cn_asn_dst": {to:[{field: "rsa.web.cn_asn_dst", setter: fld_set}]}, - "cn_asn_src": {to:[{field: "rsa.misc.cn_asn_src", setter: fld_set}]}, - "cn_bgpv4nxthop": {to:[{field: "rsa.misc.cn_bgpv4nxthop", setter: fld_set}]}, - "cn_ctr_dst_code": {to:[{field: "rsa.misc.cn_ctr_dst_code", setter: fld_set}]}, - "cn_dst_tos": {to:[{field: "rsa.misc.cn_dst_tos", setter: fld_set}]}, - "cn_dst_vlan": {to:[{field: "rsa.misc.cn_dst_vlan", setter: fld_set}]}, - "cn_engine_id": {to:[{field: "rsa.misc.cn_engine_id", setter: fld_set}]}, - "cn_engine_type": {to:[{field: "rsa.misc.cn_engine_type", setter: fld_set}]}, - "cn_f_switch": {to:[{field: "rsa.misc.cn_f_switch", setter: fld_set}]}, - "cn_flowsampid": {to:[{field: "rsa.misc.cn_flowsampid", setter: fld_set}]}, - "cn_flowsampintv": {to:[{field: "rsa.misc.cn_flowsampintv", setter: fld_set}]}, - "cn_flowsampmode": {to:[{field: "rsa.misc.cn_flowsampmode", setter: fld_set}]}, - "cn_inacttimeout": {to:[{field: "rsa.misc.cn_inacttimeout", setter: fld_set}]}, - "cn_inpermbyts": {to:[{field: "rsa.misc.cn_inpermbyts", setter: fld_set}]}, - "cn_inpermpckts": {to:[{field: "rsa.misc.cn_inpermpckts", setter: fld_set}]}, - "cn_invalid": {to:[{field: "rsa.misc.cn_invalid", setter: fld_set}]}, - "cn_ip_proto_ver": {to:[{field: "rsa.misc.cn_ip_proto_ver", setter: fld_set}]}, - "cn_ipv4_ident": {to:[{field: "rsa.misc.cn_ipv4_ident", setter: fld_set}]}, - "cn_l_switch": {to:[{field: "rsa.misc.cn_l_switch", setter: fld_set}]}, - "cn_log_did": {to:[{field: 
"rsa.misc.cn_log_did", setter: fld_set}]}, - "cn_log_rid": {to:[{field: "rsa.misc.cn_log_rid", setter: fld_set}]}, - "cn_max_ttl": {to:[{field: "rsa.misc.cn_max_ttl", setter: fld_set}]}, - "cn_maxpcktlen": {to:[{field: "rsa.misc.cn_maxpcktlen", setter: fld_set}]}, - "cn_min_ttl": {to:[{field: "rsa.misc.cn_min_ttl", setter: fld_set}]}, - "cn_minpcktlen": {to:[{field: "rsa.misc.cn_minpcktlen", setter: fld_set}]}, - "cn_mpls_lbl_1": {to:[{field: "rsa.misc.cn_mpls_lbl_1", setter: fld_set}]}, - "cn_mpls_lbl_10": {to:[{field: "rsa.misc.cn_mpls_lbl_10", setter: fld_set}]}, - "cn_mpls_lbl_2": {to:[{field: "rsa.misc.cn_mpls_lbl_2", setter: fld_set}]}, - "cn_mpls_lbl_3": {to:[{field: "rsa.misc.cn_mpls_lbl_3", setter: fld_set}]}, - "cn_mpls_lbl_4": {to:[{field: "rsa.misc.cn_mpls_lbl_4", setter: fld_set}]}, - "cn_mpls_lbl_5": {to:[{field: "rsa.misc.cn_mpls_lbl_5", setter: fld_set}]}, - "cn_mpls_lbl_6": {to:[{field: "rsa.misc.cn_mpls_lbl_6", setter: fld_set}]}, - "cn_mpls_lbl_7": {to:[{field: "rsa.misc.cn_mpls_lbl_7", setter: fld_set}]}, - "cn_mpls_lbl_8": {to:[{field: "rsa.misc.cn_mpls_lbl_8", setter: fld_set}]}, - "cn_mpls_lbl_9": {to:[{field: "rsa.misc.cn_mpls_lbl_9", setter: fld_set}]}, - "cn_mplstoplabel": {to:[{field: "rsa.misc.cn_mplstoplabel", setter: fld_set}]}, - "cn_mplstoplabip": {to:[{field: "rsa.misc.cn_mplstoplabip", setter: fld_set}]}, - "cn_mul_dst_byt": {to:[{field: "rsa.misc.cn_mul_dst_byt", setter: fld_set}]}, - "cn_mul_dst_pks": {to:[{field: "rsa.misc.cn_mul_dst_pks", setter: fld_set}]}, - "cn_muligmptype": {to:[{field: "rsa.misc.cn_muligmptype", setter: fld_set}]}, - "cn_rpackets": {to:[{field: "rsa.web.cn_rpackets", setter: fld_set}]}, - "cn_sampalgo": {to:[{field: "rsa.misc.cn_sampalgo", setter: fld_set}]}, - "cn_sampint": {to:[{field: "rsa.misc.cn_sampint", setter: fld_set}]}, - "cn_seqctr": {to:[{field: "rsa.misc.cn_seqctr", setter: fld_set}]}, - "cn_spackets": {to:[{field: "rsa.misc.cn_spackets", setter: fld_set}]}, - "cn_src_tos": {to:[{field: 
"rsa.misc.cn_src_tos", setter: fld_set}]}, - "cn_src_vlan": {to:[{field: "rsa.misc.cn_src_vlan", setter: fld_set}]}, - "cn_sysuptime": {to:[{field: "rsa.misc.cn_sysuptime", setter: fld_set}]}, - "cn_template_id": {to:[{field: "rsa.misc.cn_template_id", setter: fld_set}]}, - "cn_totbytsexp": {to:[{field: "rsa.misc.cn_totbytsexp", setter: fld_set}]}, - "cn_totflowexp": {to:[{field: "rsa.misc.cn_totflowexp", setter: fld_set}]}, - "cn_totpcktsexp": {to:[{field: "rsa.misc.cn_totpcktsexp", setter: fld_set}]}, - "cn_unixnanosecs": {to:[{field: "rsa.misc.cn_unixnanosecs", setter: fld_set}]}, - "cn_v6flowlabel": {to:[{field: "rsa.misc.cn_v6flowlabel", setter: fld_set}]}, - "cn_v6optheaders": {to:[{field: "rsa.misc.cn_v6optheaders", setter: fld_set}]}, - "code": {to:[{field: "rsa.misc.code", setter: fld_set}]}, - "command": {to:[{field: "rsa.misc.command", setter: fld_set}]}, - "comments": {to:[{field: "rsa.misc.comments", setter: fld_set}]}, - "comp_class": {to:[{field: "rsa.misc.comp_class", setter: fld_set}]}, - "comp_name": {to:[{field: "rsa.misc.comp_name", setter: fld_set}]}, - "comp_rbytes": {to:[{field: "rsa.misc.comp_rbytes", setter: fld_set}]}, - "comp_sbytes": {to:[{field: "rsa.misc.comp_sbytes", setter: fld_set}]}, - "component_version": {to:[{field: "rsa.misc.comp_version", setter: fld_set}]}, - "connection_id": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 1}]}, - "connectionid": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 0}]}, - "content": {to:[{field: "rsa.misc.content", setter: fld_set}]}, - "content_type": {to:[{field: "rsa.misc.content_type", setter: fld_set}]}, - "content_version": {to:[{field: "rsa.misc.content_version", setter: fld_set}]}, - "context": {to:[{field: "rsa.misc.context", setter: fld_set}]}, - "count": {to:[{field: "rsa.misc.count", setter: fld_set}]}, - "cpu": {convert: to_long, to:[{field: "rsa.misc.cpu", setter: fld_set}]}, - "cpu_data": {to:[{field: "rsa.misc.cpu_data", setter: fld_set}]}, - 
"criticality": {to:[{field: "rsa.misc.criticality", setter: fld_set}]}, - "cs_agency_dst": {to:[{field: "rsa.misc.cs_agency_dst", setter: fld_set}]}, - "cs_analyzedby": {to:[{field: "rsa.misc.cs_analyzedby", setter: fld_set}]}, - "cs_av_other": {to:[{field: "rsa.misc.cs_av_other", setter: fld_set}]}, - "cs_av_primary": {to:[{field: "rsa.misc.cs_av_primary", setter: fld_set}]}, - "cs_av_secondary": {to:[{field: "rsa.misc.cs_av_secondary", setter: fld_set}]}, - "cs_bgpv6nxthop": {to:[{field: "rsa.misc.cs_bgpv6nxthop", setter: fld_set}]}, - "cs_bit9status": {to:[{field: "rsa.misc.cs_bit9status", setter: fld_set}]}, - "cs_context": {to:[{field: "rsa.misc.cs_context", setter: fld_set}]}, - "cs_control": {to:[{field: "rsa.misc.cs_control", setter: fld_set}]}, - "cs_data": {to:[{field: "rsa.misc.cs_data", setter: fld_set}]}, - "cs_datecret": {to:[{field: "rsa.misc.cs_datecret", setter: fld_set}]}, - "cs_dst_tld": {to:[{field: "rsa.misc.cs_dst_tld", setter: fld_set}]}, - "cs_eth_dst_ven": {to:[{field: "rsa.misc.cs_eth_dst_ven", setter: fld_set}]}, - "cs_eth_src_ven": {to:[{field: "rsa.misc.cs_eth_src_ven", setter: fld_set}]}, - "cs_event_uuid": {to:[{field: "rsa.misc.cs_event_uuid", setter: fld_set}]}, - "cs_filetype": {to:[{field: "rsa.misc.cs_filetype", setter: fld_set}]}, - "cs_fld": {to:[{field: "rsa.misc.cs_fld", setter: fld_set}]}, - "cs_if_desc": {to:[{field: "rsa.misc.cs_if_desc", setter: fld_set}]}, - "cs_if_name": {to:[{field: "rsa.misc.cs_if_name", setter: fld_set}]}, - "cs_ip_next_hop": {to:[{field: "rsa.misc.cs_ip_next_hop", setter: fld_set}]}, - "cs_ipv4dstpre": {to:[{field: "rsa.misc.cs_ipv4dstpre", setter: fld_set}]}, - "cs_ipv4srcpre": {to:[{field: "rsa.misc.cs_ipv4srcpre", setter: fld_set}]}, - "cs_lifetime": {to:[{field: "rsa.misc.cs_lifetime", setter: fld_set}]}, - "cs_log_medium": {to:[{field: "rsa.misc.cs_log_medium", setter: fld_set}]}, - "cs_loginname": {to:[{field: "rsa.misc.cs_loginname", setter: fld_set}]}, - "cs_modulescore": {to:[{field: 
"rsa.misc.cs_modulescore", setter: fld_set}]}, - "cs_modulesign": {to:[{field: "rsa.misc.cs_modulesign", setter: fld_set}]}, - "cs_opswatresult": {to:[{field: "rsa.misc.cs_opswatresult", setter: fld_set}]}, - "cs_payload": {to:[{field: "rsa.misc.cs_payload", setter: fld_set}]}, - "cs_registrant": {to:[{field: "rsa.misc.cs_registrant", setter: fld_set}]}, - "cs_registrar": {to:[{field: "rsa.misc.cs_registrar", setter: fld_set}]}, - "cs_represult": {to:[{field: "rsa.misc.cs_represult", setter: fld_set}]}, - "cs_rpayload": {to:[{field: "rsa.misc.cs_rpayload", setter: fld_set}]}, - "cs_sampler_name": {to:[{field: "rsa.misc.cs_sampler_name", setter: fld_set}]}, - "cs_sourcemodule": {to:[{field: "rsa.misc.cs_sourcemodule", setter: fld_set}]}, - "cs_streams": {to:[{field: "rsa.misc.cs_streams", setter: fld_set}]}, - "cs_targetmodule": {to:[{field: "rsa.misc.cs_targetmodule", setter: fld_set}]}, - "cs_v6nxthop": {to:[{field: "rsa.misc.cs_v6nxthop", setter: fld_set}]}, - "cs_whois_server": {to:[{field: "rsa.misc.cs_whois_server", setter: fld_set}]}, - "cs_yararesult": {to:[{field: "rsa.misc.cs_yararesult", setter: fld_set}]}, - "cve": {to:[{field: "rsa.misc.cve", setter: fld_set}]}, - "d_certauth": {to:[{field: "rsa.crypto.d_certauth", setter: fld_set}]}, - "d_cipher": {to:[{field: "rsa.crypto.cipher_dst", setter: fld_set}]}, - "d_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_dst", setter: fld_set}]}, - "d_sslver": {to:[{field: "rsa.crypto.ssl_ver_dst", setter: fld_set}]}, - "data": {to:[{field: "rsa.internal.data", setter: fld_set}]}, - "data_type": {to:[{field: "rsa.misc.data_type", setter: fld_set}]}, - "date": {to:[{field: "rsa.time.date", setter: fld_set}]}, - "datetime": {to:[{field: "rsa.time.datetime", setter: fld_set}]}, - "day": {to:[{field: "rsa.time.day", setter: fld_set}]}, - "db_id": {to:[{field: "rsa.db.db_id", setter: fld_set}]}, - "db_name": {to:[{field: "rsa.db.database", setter: fld_set}]}, - "db_pid": {convert: to_long, to:[{field: 
"rsa.db.db_pid", setter: fld_set}]}, - "dclass_counter1": {convert: to_long, to:[{field: "rsa.counters.dclass_c1", setter: fld_set}]}, - "dclass_counter1_string": {to:[{field: "rsa.counters.dclass_c1_str", setter: fld_set}]}, - "dclass_counter2": {convert: to_long, to:[{field: "rsa.counters.dclass_c2", setter: fld_set}]}, - "dclass_counter2_string": {to:[{field: "rsa.counters.dclass_c2_str", setter: fld_set}]}, - "dclass_counter3": {convert: to_long, to:[{field: "rsa.counters.dclass_c3", setter: fld_set}]}, - "dclass_counter3_string": {to:[{field: "rsa.counters.dclass_c3_str", setter: fld_set}]}, - "dclass_ratio1": {to:[{field: "rsa.counters.dclass_r1", setter: fld_set}]}, - "dclass_ratio1_string": {to:[{field: "rsa.counters.dclass_r1_str", setter: fld_set}]}, - "dclass_ratio2": {to:[{field: "rsa.counters.dclass_r2", setter: fld_set}]}, - "dclass_ratio2_string": {to:[{field: "rsa.counters.dclass_r2_str", setter: fld_set}]}, - "dclass_ratio3": {to:[{field: "rsa.counters.dclass_r3", setter: fld_set}]}, - "dclass_ratio3_string": {to:[{field: "rsa.counters.dclass_r3_str", setter: fld_set}]}, - "dead": {convert: to_long, to:[{field: "rsa.internal.dead", setter: fld_set}]}, - "description": {to:[{field: "rsa.misc.description", setter: fld_set}]}, - "detail": {to:[{field: "rsa.misc.event_desc", setter: fld_set}]}, - "device": {to:[{field: "rsa.misc.device_name", setter: fld_set}]}, - "device.class": {to:[{field: "rsa.internal.device_class", setter: fld_set}]}, - "device.group": {to:[{field: "rsa.internal.device_group", setter: fld_set}]}, - "device.host": {to:[{field: "rsa.internal.device_host", setter: fld_set}]}, - "device.ip": {convert: to_ip, to:[{field: "rsa.internal.device_ip", setter: fld_set}]}, - "device.ipv6": {convert: to_ip, to:[{field: "rsa.internal.device_ipv6", setter: fld_set}]}, - "device.type": {to:[{field: "rsa.internal.device_type", setter: fld_set}]}, - "device.type.id": {convert: to_long, to:[{field: "rsa.internal.device_type_id", setter: fld_set}]}, 
- "devicehostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "devvendor": {to:[{field: "rsa.misc.devvendor", setter: fld_set}]}, - "dhost": {to:[{field: "rsa.network.host_dst", setter: fld_set}]}, - "did": {to:[{field: "rsa.internal.did", setter: fld_set}]}, - "dinterface": {to:[{field: "rsa.network.dinterface", setter: fld_set}]}, - "directory.dst": {to:[{field: "rsa.file.directory_dst", setter: fld_set}]}, - "directory.src": {to:[{field: "rsa.file.directory_src", setter: fld_set}]}, - "disk_volume": {to:[{field: "rsa.storage.disk_volume", setter: fld_set}]}, - "disposition": {to:[{field: "rsa.misc.disposition", setter: fld_set}]}, - "distance": {to:[{field: "rsa.misc.distance", setter: fld_set}]}, - "dmask": {to:[{field: "rsa.network.dmask", setter: fld_set}]}, - "dn": {to:[{field: "rsa.identity.dn", setter: fld_set}]}, - "dns_a_record": {to:[{field: "rsa.network.dns_a_record", setter: fld_set}]}, - "dns_cname_record": {to:[{field: "rsa.network.dns_cname_record", setter: fld_set}]}, - "dns_id": {to:[{field: "rsa.network.dns_id", setter: fld_set}]}, - "dns_opcode": {to:[{field: "rsa.network.dns_opcode", setter: fld_set}]}, - "dns_ptr_record": {to:[{field: "rsa.network.dns_ptr_record", setter: fld_set}]}, - "dns_resp": {to:[{field: "rsa.network.dns_resp", setter: fld_set}]}, - "dns_type": {to:[{field: "rsa.network.dns_type", setter: fld_set}]}, - "doc_number": {convert: to_long, to:[{field: "rsa.misc.doc_number", setter: fld_set}]}, - "domain": {to:[{field: "rsa.network.domain", setter: fld_set}]}, - "domain1": {to:[{field: "rsa.network.domain1", setter: fld_set}]}, - "dst_dn": {to:[{field: "rsa.identity.dn_dst", setter: fld_set}]}, - "dst_payload": {to:[{field: "rsa.misc.payload_dst", setter: fld_set}]}, - "dst_spi": {to:[{field: "rsa.misc.spi_dst", setter: fld_set}]}, - "dst_zone": {to:[{field: "rsa.network.zone_dst", setter: fld_set}]}, - "dstburb": {to:[{field: "rsa.misc.dstburb", setter: fld_set}]}, - "duration": {convert: to_double, 
to:[{field: "rsa.time.duration_time", setter: fld_set}]}, - "duration_string": {to:[{field: "rsa.time.duration_str", setter: fld_set}]}, - "ec_activity": {to:[{field: "rsa.investigations.ec_activity", setter: fld_set}]}, - "ec_outcome": {to:[{field: "rsa.investigations.ec_outcome", setter: fld_set}]}, - "ec_subject": {to:[{field: "rsa.investigations.ec_subject", setter: fld_set}]}, - "ec_theme": {to:[{field: "rsa.investigations.ec_theme", setter: fld_set}]}, - "edomain": {to:[{field: "rsa.misc.edomain", setter: fld_set}]}, - "edomaub": {to:[{field: "rsa.misc.edomaub", setter: fld_set}]}, - "effective_time": {convert: to_date, to:[{field: "rsa.time.effective_time", setter: fld_set}]}, - "ein.number": {convert: to_long, to:[{field: "rsa.misc.ein_number", setter: fld_set}]}, - "email": {to:[{field: "rsa.email.email", setter: fld_append}]}, - "encryption_type": {to:[{field: "rsa.crypto.crypto", setter: fld_set}]}, - "endtime": {convert: to_date, to:[{field: "rsa.time.endtime", setter: fld_set}]}, - "entropy.req": {convert: to_long, to:[{field: "rsa.internal.entropy_req", setter: fld_set}]}, - "entropy.res": {convert: to_long, to:[{field: "rsa.internal.entropy_res", setter: fld_set}]}, - "entry": {to:[{field: "rsa.internal.entry", setter: fld_set}]}, - "eoc": {to:[{field: "rsa.investigations.eoc", setter: fld_set}]}, - "error": {to:[{field: "rsa.misc.error", setter: fld_set}]}, - "eth_type": {convert: to_long, to:[{field: "rsa.network.eth_type", setter: fld_set}]}, - "euid": {to:[{field: "rsa.misc.euid", setter: fld_set}]}, - "event.cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 1}]}, - "event.cat.name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 1}]}, - "event_cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 0}]}, - "event_cat_name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 0}]}, - "event_category": {to:[{field: 
"rsa.misc.event_category", setter: fld_set}]}, - "event_computer": {to:[{field: "rsa.misc.event_computer", setter: fld_set}]}, - "event_counter": {convert: to_long, to:[{field: "rsa.counters.event_counter", setter: fld_set}]}, - "event_description": {to:[{field: "rsa.internal.event_desc", setter: fld_set}]}, - "event_id": {to:[{field: "rsa.misc.event_id", setter: fld_set}]}, - "event_log": {to:[{field: "rsa.misc.event_log", setter: fld_set}]}, - "event_name": {to:[{field: "rsa.internal.event_name", setter: fld_set}]}, - "event_queue_time": {convert: to_date, to:[{field: "rsa.time.event_queue_time", setter: fld_set}]}, - "event_source": {to:[{field: "rsa.misc.event_source", setter: fld_set}]}, - "event_state": {to:[{field: "rsa.misc.event_state", setter: fld_set}]}, - "event_time": {convert: to_date, to:[{field: "rsa.time.event_time", setter: fld_set}]}, - "event_time_str": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 1}]}, - "event_time_string": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 0}]}, - "event_type": {to:[{field: "rsa.misc.event_type", setter: fld_set}]}, - "event_user": {to:[{field: "rsa.misc.event_user", setter: fld_set}]}, - "eventtime": {to:[{field: "rsa.time.eventtime", setter: fld_set}]}, - "expected_val": {to:[{field: "rsa.misc.expected_val", setter: fld_set}]}, - "expiration_time": {convert: to_date, to:[{field: "rsa.time.expire_time", setter: fld_set}]}, - "expiration_time_string": {to:[{field: "rsa.time.expire_time_str", setter: fld_set}]}, - "facility": {to:[{field: "rsa.misc.facility", setter: fld_set}]}, - "facilityname": {to:[{field: "rsa.misc.facilityname", setter: fld_set}]}, - "faddr": {to:[{field: "rsa.network.faddr", setter: fld_set}]}, - "fcatnum": {to:[{field: "rsa.misc.fcatnum", setter: fld_set}]}, - "federated_idp": {to:[{field: "rsa.identity.federated_idp", setter: fld_set}]}, - "federated_sp": {to:[{field: "rsa.identity.federated_sp", setter: fld_set}]}, - "feed.category": {to:[{field: 
"rsa.internal.feed_category", setter: fld_set}]}, - "feed_desc": {to:[{field: "rsa.internal.feed_desc", setter: fld_set}]}, - "feed_name": {to:[{field: "rsa.internal.feed_name", setter: fld_set}]}, - "fhost": {to:[{field: "rsa.network.fhost", setter: fld_set}]}, - "file_entropy": {convert: to_double, to:[{field: "rsa.file.file_entropy", setter: fld_set}]}, - "file_vendor": {to:[{field: "rsa.file.file_vendor", setter: fld_set}]}, - "filename_dst": {to:[{field: "rsa.file.filename_dst", setter: fld_set}]}, - "filename_src": {to:[{field: "rsa.file.filename_src", setter: fld_set}]}, - "filename_tmp": {to:[{field: "rsa.file.filename_tmp", setter: fld_set}]}, - "filesystem": {to:[{field: "rsa.file.filesystem", setter: fld_set}]}, - "filter": {to:[{field: "rsa.misc.filter", setter: fld_set}]}, - "finterface": {to:[{field: "rsa.misc.finterface", setter: fld_set}]}, - "flags": {to:[{field: "rsa.misc.flags", setter: fld_set}]}, - "forensic_info": {to:[{field: "rsa.misc.forensic_info", setter: fld_set}]}, - "forward.ip": {convert: to_ip, to:[{field: "rsa.internal.forward_ip", setter: fld_set}]}, - "forward.ipv6": {convert: to_ip, to:[{field: "rsa.internal.forward_ipv6", setter: fld_set}]}, - "found": {to:[{field: "rsa.misc.found", setter: fld_set}]}, - "fport": {to:[{field: "rsa.network.fport", setter: fld_set}]}, - "fqdn": {to:[{field: "rsa.web.fqdn", setter: fld_set}]}, - "fresult": {convert: to_long, to:[{field: "rsa.misc.fresult", setter: fld_set}]}, - "from": {to:[{field: "rsa.email.email_src", setter: fld_set}]}, - "gaddr": {to:[{field: "rsa.misc.gaddr", setter: fld_set}]}, - "gateway": {to:[{field: "rsa.network.gateway", setter: fld_set}]}, - "gmtdate": {to:[{field: "rsa.time.gmtdate", setter: fld_set}]}, - "gmttime": {to:[{field: "rsa.time.gmttime", setter: fld_set}]}, - "group": {to:[{field: "rsa.misc.group", setter: fld_set}]}, - "group_object": {to:[{field: "rsa.misc.group_object", setter: fld_set}]}, - "groupid": {to:[{field: "rsa.misc.group_id", setter: 
fld_set}]}, - "h_code": {to:[{field: "rsa.internal.hcode", setter: fld_set}]}, - "hardware_id": {to:[{field: "rsa.misc.hardware_id", setter: fld_set}]}, - "header.id": {to:[{field: "rsa.internal.header_id", setter: fld_set}]}, - "host.orig": {to:[{field: "rsa.network.host_orig", setter: fld_set}]}, - "host.state": {to:[{field: "rsa.endpoint.host_state", setter: fld_set}]}, - "host.type": {to:[{field: "rsa.network.host_type", setter: fld_set}]}, - "host_role": {to:[{field: "rsa.identity.host_role", setter: fld_set}]}, - "hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "hostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "hour": {to:[{field: "rsa.time.hour", setter: fld_set}]}, - "https.insact": {to:[{field: "rsa.crypto.https_insact", setter: fld_set}]}, - "https.valid": {to:[{field: "rsa.crypto.https_valid", setter: fld_set}]}, - "icmpcode": {convert: to_long, to:[{field: "rsa.network.icmp_code", setter: fld_set}]}, - "icmptype": {convert: to_long, to:[{field: "rsa.network.icmp_type", setter: fld_set}]}, - "id": {to:[{field: "rsa.misc.reference_id", setter: fld_set}]}, - "id1": {to:[{field: "rsa.misc.reference_id1", setter: fld_set}]}, - "id2": {to:[{field: "rsa.misc.reference_id2", setter: fld_set}]}, - "id3": {to:[{field: "rsa.misc.id3", setter: fld_set}]}, - "ike": {to:[{field: "rsa.crypto.ike", setter: fld_set}]}, - "ike_cookie1": {to:[{field: "rsa.crypto.ike_cookie1", setter: fld_set}]}, - "ike_cookie2": {to:[{field: "rsa.crypto.ike_cookie2", setter: fld_set}]}, - "im_buddyid": {to:[{field: "rsa.misc.im_buddyid", setter: fld_set}]}, - "im_buddyname": {to:[{field: "rsa.misc.im_buddyname", setter: fld_set}]}, - "im_client": {to:[{field: "rsa.misc.im_client", setter: fld_set}]}, - "im_croomid": {to:[{field: "rsa.misc.im_croomid", setter: fld_set}]}, - "im_croomtype": {to:[{field: "rsa.misc.im_croomtype", setter: fld_set}]}, - "im_members": {to:[{field: "rsa.misc.im_members", setter: fld_set}]}, - "im_userid": 
{to:[{field: "rsa.misc.im_userid", setter: fld_set}]}, - "im_username": {to:[{field: "rsa.misc.im_username", setter: fld_set}]}, - "index": {to:[{field: "rsa.misc.index", setter: fld_set}]}, - "info": {to:[{field: "rsa.db.index", setter: fld_set}]}, - "inode": {convert: to_long, to:[{field: "rsa.internal.inode", setter: fld_set}]}, - "inout": {to:[{field: "rsa.misc.inout", setter: fld_set}]}, - "instance": {to:[{field: "rsa.db.instance", setter: fld_set}]}, - "interface": {to:[{field: "rsa.network.interface", setter: fld_set}]}, - "inv.category": {to:[{field: "rsa.investigations.inv_category", setter: fld_set}]}, - "inv.context": {to:[{field: "rsa.investigations.inv_context", setter: fld_set}]}, - "ioc": {to:[{field: "rsa.investigations.ioc", setter: fld_set}]}, - "ip_proto": {convert: to_long, to:[{field: "rsa.network.ip_proto", setter: fld_set}]}, - "ipkt": {to:[{field: "rsa.misc.ipkt", setter: fld_set}]}, - "ipscat": {to:[{field: "rsa.misc.ipscat", setter: fld_set}]}, - "ipspri": {to:[{field: "rsa.misc.ipspri", setter: fld_set}]}, - "jobname": {to:[{field: "rsa.misc.jobname", setter: fld_set}]}, - "jobnum": {to:[{field: "rsa.misc.job_num", setter: fld_set}]}, - "laddr": {to:[{field: "rsa.network.laddr", setter: fld_set}]}, - "language": {to:[{field: "rsa.misc.language", setter: fld_set}]}, - "latitude": {to:[{field: "rsa.misc.latitude", setter: fld_set}]}, - "lc.cid": {to:[{field: "rsa.internal.lc_cid", setter: fld_set}]}, - "lc.ctime": {convert: to_date, to:[{field: "rsa.internal.lc_ctime", setter: fld_set}]}, - "ldap": {to:[{field: "rsa.identity.ldap", setter: fld_set}]}, - "ldap.query": {to:[{field: "rsa.identity.ldap_query", setter: fld_set}]}, - "ldap.response": {to:[{field: "rsa.identity.ldap_response", setter: fld_set}]}, - "level": {convert: to_long, to:[{field: "rsa.internal.level", setter: fld_set}]}, - "lhost": {to:[{field: "rsa.network.lhost", setter: fld_set}]}, - "library": {to:[{field: "rsa.misc.library", setter: fld_set}]}, - "lifetime": 
{convert: to_long, to:[{field: "rsa.misc.lifetime", setter: fld_set}]}, - "linenum": {to:[{field: "rsa.misc.linenum", setter: fld_set}]}, - "link": {to:[{field: "rsa.misc.link", setter: fld_set}]}, - "linterface": {to:[{field: "rsa.network.linterface", setter: fld_set}]}, - "list_name": {to:[{field: "rsa.misc.list_name", setter: fld_set}]}, - "listnum": {to:[{field: "rsa.misc.listnum", setter: fld_set}]}, - "load_data": {to:[{field: "rsa.misc.load_data", setter: fld_set}]}, - "location_floor": {to:[{field: "rsa.misc.location_floor", setter: fld_set}]}, - "location_mark": {to:[{field: "rsa.misc.location_mark", setter: fld_set}]}, - "log_id": {to:[{field: "rsa.misc.log_id", setter: fld_set}]}, - "log_type": {to:[{field: "rsa.misc.log_type", setter: fld_set}]}, - "logid": {to:[{field: "rsa.misc.logid", setter: fld_set}]}, - "logip": {to:[{field: "rsa.misc.logip", setter: fld_set}]}, - "logname": {to:[{field: "rsa.misc.logname", setter: fld_set}]}, - "logon_type": {to:[{field: "rsa.identity.logon_type", setter: fld_set}]}, - "logon_type_desc": {to:[{field: "rsa.identity.logon_type_desc", setter: fld_set}]}, - "longitude": {to:[{field: "rsa.misc.longitude", setter: fld_set}]}, - "lport": {to:[{field: "rsa.misc.lport", setter: fld_set}]}, - "lread": {convert: to_long, to:[{field: "rsa.db.lread", setter: fld_set}]}, - "lun": {to:[{field: "rsa.storage.lun", setter: fld_set}]}, - "lwrite": {convert: to_long, to:[{field: "rsa.db.lwrite", setter: fld_set}]}, - "macaddr": {convert: to_mac, to:[{field: "rsa.network.eth_host", setter: fld_set}]}, - "mail_id": {to:[{field: "rsa.misc.mail_id", setter: fld_set}]}, - "mask": {to:[{field: "rsa.network.mask", setter: fld_set}]}, - "match": {to:[{field: "rsa.misc.match", setter: fld_set}]}, - "mbug_data": {to:[{field: "rsa.misc.mbug_data", setter: fld_set}]}, - "mcb.req": {convert: to_long, to:[{field: "rsa.internal.mcb_req", setter: fld_set}]}, - "mcb.res": {convert: to_long, to:[{field: "rsa.internal.mcb_res", setter: fld_set}]}, - 
"mcbc.req": {convert: to_long, to:[{field: "rsa.internal.mcbc_req", setter: fld_set}]}, - "mcbc.res": {convert: to_long, to:[{field: "rsa.internal.mcbc_res", setter: fld_set}]}, - "medium": {convert: to_long, to:[{field: "rsa.internal.medium", setter: fld_set}]}, - "message": {to:[{field: "rsa.internal.message", setter: fld_set}]}, - "message_body": {to:[{field: "rsa.misc.message_body", setter: fld_set}]}, - "messageid": {to:[{field: "rsa.internal.messageid", setter: fld_set}]}, - "min": {to:[{field: "rsa.time.min", setter: fld_set}]}, - "misc": {to:[{field: "rsa.misc.misc", setter: fld_set}]}, - "misc_name": {to:[{field: "rsa.misc.misc_name", setter: fld_set}]}, - "mode": {to:[{field: "rsa.misc.mode", setter: fld_set}]}, - "month": {to:[{field: "rsa.time.month", setter: fld_set}]}, - "msg": {to:[{field: "rsa.internal.msg", setter: fld_set}]}, - "msgIdPart1": {to:[{field: "rsa.misc.msgIdPart1", setter: fld_set}]}, - "msgIdPart2": {to:[{field: "rsa.misc.msgIdPart2", setter: fld_set}]}, - "msgIdPart3": {to:[{field: "rsa.misc.msgIdPart3", setter: fld_set}]}, - "msgIdPart4": {to:[{field: "rsa.misc.msgIdPart4", setter: fld_set}]}, - "msg_id": {to:[{field: "rsa.internal.msg_id", setter: fld_set}]}, - "msg_type": {to:[{field: "rsa.misc.msg_type", setter: fld_set}]}, - "msgid": {to:[{field: "rsa.misc.msgid", setter: fld_set}]}, - "name": {to:[{field: "rsa.misc.name", setter: fld_set}]}, - "netname": {to:[{field: "rsa.network.netname", setter: fld_set}]}, - "netsessid": {to:[{field: "rsa.misc.netsessid", setter: fld_set}]}, - "network_port": {convert: to_long, to:[{field: "rsa.network.network_port", setter: fld_set}]}, - "network_service": {to:[{field: "rsa.network.network_service", setter: fld_set}]}, - "node": {to:[{field: "rsa.misc.node", setter: fld_set}]}, - "nodename": {to:[{field: "rsa.internal.node_name", setter: fld_set}]}, - "ntype": {to:[{field: "rsa.misc.ntype", setter: fld_set}]}, - "num": {to:[{field: "rsa.misc.num", setter: fld_set}]}, - "number": 
{to:[{field: "rsa.misc.number", setter: fld_set}]}, - "number1": {to:[{field: "rsa.misc.number1", setter: fld_set}]}, - "number2": {to:[{field: "rsa.misc.number2", setter: fld_set}]}, - "nwe.callback_id": {to:[{field: "rsa.internal.nwe_callback_id", setter: fld_set}]}, - "nwwn": {to:[{field: "rsa.misc.nwwn", setter: fld_set}]}, - "obj_id": {to:[{field: "rsa.internal.obj_id", setter: fld_set}]}, - "obj_name": {to:[{field: "rsa.misc.obj_name", setter: fld_set}]}, - "obj_server": {to:[{field: "rsa.internal.obj_server", setter: fld_set}]}, - "obj_type": {to:[{field: "rsa.misc.obj_type", setter: fld_set}]}, - "obj_value": {to:[{field: "rsa.internal.obj_val", setter: fld_set}]}, - "object": {to:[{field: "rsa.misc.object", setter: fld_set}]}, - "observed_val": {to:[{field: "rsa.misc.observed_val", setter: fld_set}]}, - "operation": {to:[{field: "rsa.misc.operation", setter: fld_set}]}, - "operation_id": {to:[{field: "rsa.misc.operation_id", setter: fld_set}]}, - "opkt": {to:[{field: "rsa.misc.opkt", setter: fld_set}]}, - "org.dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 1}]}, - "org.src": {to:[{field: "rsa.physical.org_src", setter: fld_set}]}, - "org_dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 0}]}, - "orig_from": {to:[{field: "rsa.misc.orig_from", setter: fld_set}]}, - "origin": {to:[{field: "rsa.network.origin", setter: fld_set}]}, - "original_owner": {to:[{field: "rsa.identity.owner", setter: fld_set}]}, - "os": {to:[{field: "rsa.misc.OS", setter: fld_set}]}, - "owner_id": {to:[{field: "rsa.misc.owner_id", setter: fld_set}]}, - "p_action": {to:[{field: "rsa.misc.p_action", setter: fld_set}]}, - "p_date": {to:[{field: "rsa.time.p_date", setter: fld_set}]}, - "p_filter": {to:[{field: "rsa.misc.p_filter", setter: fld_set}]}, - "p_group_object": {to:[{field: "rsa.misc.p_group_object", setter: fld_set}]}, - "p_id": {to:[{field: "rsa.misc.p_id", setter: fld_set}]}, - "p_month": {to:[{field: "rsa.time.p_month", setter: fld_set}]}, 
- "p_msgid": {to:[{field: "rsa.misc.p_msgid", setter: fld_set}]}, - "p_msgid1": {to:[{field: "rsa.misc.p_msgid1", setter: fld_set}]}, - "p_msgid2": {to:[{field: "rsa.misc.p_msgid2", setter: fld_set}]}, - "p_result1": {to:[{field: "rsa.misc.p_result1", setter: fld_set}]}, - "p_time": {to:[{field: "rsa.time.p_time", setter: fld_set}]}, - "p_time1": {to:[{field: "rsa.time.p_time1", setter: fld_set}]}, - "p_time2": {to:[{field: "rsa.time.p_time2", setter: fld_set}]}, - "p_url": {to:[{field: "rsa.web.p_url", setter: fld_set}]}, - "p_user_agent": {to:[{field: "rsa.web.p_user_agent", setter: fld_set}]}, - "p_web_cookie": {to:[{field: "rsa.web.p_web_cookie", setter: fld_set}]}, - "p_web_method": {to:[{field: "rsa.web.p_web_method", setter: fld_set}]}, - "p_web_referer": {to:[{field: "rsa.web.p_web_referer", setter: fld_set}]}, - "p_year": {to:[{field: "rsa.time.p_year", setter: fld_set}]}, - "packet_length": {to:[{field: "rsa.network.packet_length", setter: fld_set}]}, - "paddr": {convert: to_ip, to:[{field: "rsa.network.paddr", setter: fld_set}]}, - "param": {to:[{field: "rsa.misc.param", setter: fld_set}]}, - "param.dst": {to:[{field: "rsa.misc.param_dst", setter: fld_set}]}, - "param.src": {to:[{field: "rsa.misc.param_src", setter: fld_set}]}, - "parent_node": {to:[{field: "rsa.misc.parent_node", setter: fld_set}]}, - "parse.error": {to:[{field: "rsa.internal.parse_error", setter: fld_set}]}, - "password": {to:[{field: "rsa.identity.password", setter: fld_set}]}, - "password_chg": {to:[{field: "rsa.misc.password_chg", setter: fld_set}]}, - "password_expire": {to:[{field: "rsa.misc.password_expire", setter: fld_set}]}, - "patient_fname": {to:[{field: "rsa.healthcare.patient_fname", setter: fld_set}]}, - "patient_id": {to:[{field: "rsa.healthcare.patient_id", setter: fld_set}]}, - "patient_lname": {to:[{field: "rsa.healthcare.patient_lname", setter: fld_set}]}, - "patient_mname": {to:[{field: "rsa.healthcare.patient_mname", setter: fld_set}]}, - "payload.req": {convert: 
to_long, to:[{field: "rsa.internal.payload_req", setter: fld_set}]}, - "payload.res": {convert: to_long, to:[{field: "rsa.internal.payload_res", setter: fld_set}]}, - "peer": {to:[{field: "rsa.crypto.peer", setter: fld_set}]}, - "peer_id": {to:[{field: "rsa.crypto.peer_id", setter: fld_set}]}, - "permgranted": {to:[{field: "rsa.misc.permgranted", setter: fld_set}]}, - "permissions": {to:[{field: "rsa.db.permissions", setter: fld_set}]}, - "permwanted": {to:[{field: "rsa.misc.permwanted", setter: fld_set}]}, - "pgid": {to:[{field: "rsa.misc.pgid", setter: fld_set}]}, - "phone_number": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 2}]}, - "phost": {to:[{field: "rsa.network.phost", setter: fld_set}]}, - "pid": {to:[{field: "rsa.misc.pid", setter: fld_set}]}, - "policy": {to:[{field: "rsa.misc.policy", setter: fld_set}]}, - "policyUUID": {to:[{field: "rsa.misc.policyUUID", setter: fld_set}]}, - "policy_id": {to:[{field: "rsa.misc.policy_id", setter: fld_set}]}, - "policy_value": {to:[{field: "rsa.misc.policy_value", setter: fld_set}]}, - "policy_waiver": {to:[{field: "rsa.misc.policy_waiver", setter: fld_set}]}, - "policyname": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 0}]}, - "pool_id": {to:[{field: "rsa.misc.pool_id", setter: fld_set}]}, - "pool_name": {to:[{field: "rsa.misc.pool_name", setter: fld_set}]}, - "port": {convert: to_long, to:[{field: "rsa.network.port", setter: fld_set}]}, - "portname": {to:[{field: "rsa.misc.port_name", setter: fld_set}]}, - "pread": {convert: to_long, to:[{field: "rsa.db.pread", setter: fld_set}]}, - "priority": {to:[{field: "rsa.misc.priority", setter: fld_set}]}, - "privilege": {to:[{field: "rsa.file.privilege", setter: fld_set}]}, - "process.vid.dst": {to:[{field: "rsa.internal.process_vid_dst", setter: fld_set}]}, - "process.vid.src": {to:[{field: "rsa.internal.process_vid_src", setter: fld_set}]}, - "process_id_val": {to:[{field: "rsa.misc.process_id_val", setter: fld_set}]}, - "processing_time": 
{to:[{field: "rsa.time.process_time", setter: fld_set}]}, - "profile": {to:[{field: "rsa.identity.profile", setter: fld_set}]}, - "prog_asp_num": {to:[{field: "rsa.misc.prog_asp_num", setter: fld_set}]}, - "program": {to:[{field: "rsa.misc.program", setter: fld_set}]}, - "protocol_detail": {to:[{field: "rsa.network.protocol_detail", setter: fld_set}]}, - "pwwn": {to:[{field: "rsa.storage.pwwn", setter: fld_set}]}, - "r_hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "real_data": {to:[{field: "rsa.misc.real_data", setter: fld_set}]}, - "realm": {to:[{field: "rsa.identity.realm", setter: fld_set}]}, - "reason": {to:[{field: "rsa.misc.reason", setter: fld_set}]}, - "rec_asp_device": {to:[{field: "rsa.misc.rec_asp_device", setter: fld_set}]}, - "rec_asp_num": {to:[{field: "rsa.misc.rec_asp_num", setter: fld_set}]}, - "rec_library": {to:[{field: "rsa.misc.rec_library", setter: fld_set}]}, - "recorded_time": {convert: to_date, to:[{field: "rsa.time.recorded_time", setter: fld_set}]}, - "recordnum": {to:[{field: "rsa.misc.recordnum", setter: fld_set}]}, - "registry.key": {to:[{field: "rsa.endpoint.registry_key", setter: fld_set}]}, - "registry.value": {to:[{field: "rsa.endpoint.registry_value", setter: fld_set}]}, - "remote_domain": {to:[{field: "rsa.web.remote_domain", setter: fld_set}]}, - "remote_domain_id": {to:[{field: "rsa.network.remote_domain_id", setter: fld_set}]}, - "reputation_num": {convert: to_double, to:[{field: "rsa.web.reputation_num", setter: fld_set}]}, - "resource": {to:[{field: "rsa.internal.resource", setter: fld_set}]}, - "resource_class": {to:[{field: "rsa.internal.resource_class", setter: fld_set}]}, - "result": {to:[{field: "rsa.misc.result", setter: fld_set}]}, - "result_code": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 1}]}, - "resultcode": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 0}]}, - "rid": {convert: to_long, to:[{field: "rsa.internal.rid", setter: fld_set}]}, - "risk": 
{to:[{field: "rsa.misc.risk", setter: fld_set}]}, - "risk_info": {to:[{field: "rsa.misc.risk_info", setter: fld_set}]}, - "risk_num": {convert: to_double, to:[{field: "rsa.misc.risk_num", setter: fld_set}]}, - "risk_num_comm": {convert: to_double, to:[{field: "rsa.misc.risk_num_comm", setter: fld_set}]}, - "risk_num_next": {convert: to_double, to:[{field: "rsa.misc.risk_num_next", setter: fld_set}]}, - "risk_num_sand": {convert: to_double, to:[{field: "rsa.misc.risk_num_sand", setter: fld_set}]}, - "risk_num_static": {convert: to_double, to:[{field: "rsa.misc.risk_num_static", setter: fld_set}]}, - "risk_suspicious": {to:[{field: "rsa.misc.risk_suspicious", setter: fld_set}]}, - "risk_warning": {to:[{field: "rsa.misc.risk_warning", setter: fld_set}]}, - "rpayload": {to:[{field: "rsa.network.rpayload", setter: fld_set}]}, - "ruid": {to:[{field: "rsa.misc.ruid", setter: fld_set}]}, - "rule": {to:[{field: "rsa.misc.rule", setter: fld_set}]}, - "rule_group": {to:[{field: "rsa.misc.rule_group", setter: fld_set}]}, - "rule_template": {to:[{field: "rsa.misc.rule_template", setter: fld_set}]}, - "rule_uid": {to:[{field: "rsa.misc.rule_uid", setter: fld_set}]}, - "rulename": {to:[{field: "rsa.misc.rule_name", setter: fld_set}]}, - "s_certauth": {to:[{field: "rsa.crypto.s_certauth", setter: fld_set}]}, - "s_cipher": {to:[{field: "rsa.crypto.cipher_src", setter: fld_set}]}, - "s_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_src", setter: fld_set}]}, - "s_context": {to:[{field: "rsa.misc.context_subject", setter: fld_set}]}, - "s_sslver": {to:[{field: "rsa.crypto.ssl_ver_src", setter: fld_set}]}, - "sburb": {to:[{field: "rsa.misc.sburb", setter: fld_set}]}, - "scheme": {to:[{field: "rsa.crypto.scheme", setter: fld_set}]}, - "sdomain_fld": {to:[{field: "rsa.misc.sdomain_fld", setter: fld_set}]}, - "search.text": {to:[{field: "rsa.misc.search_text", setter: fld_set}]}, - "sec": {to:[{field: "rsa.misc.sec", setter: fld_set}]}, - "second": {to:[{field: 
"rsa.misc.second", setter: fld_set}]}, - "sensor": {to:[{field: "rsa.misc.sensor", setter: fld_set}]}, - "sensorname": {to:[{field: "rsa.misc.sensorname", setter: fld_set}]}, - "seqnum": {to:[{field: "rsa.misc.seqnum", setter: fld_set}]}, - "serial_number": {to:[{field: "rsa.misc.serial_number", setter: fld_set}]}, - "service.account": {to:[{field: "rsa.identity.service_account", setter: fld_set}]}, - "session": {to:[{field: "rsa.misc.session", setter: fld_set}]}, - "session.split": {to:[{field: "rsa.internal.session_split", setter: fld_set}]}, - "sessionid": {to:[{field: "rsa.misc.log_session_id", setter: fld_set}]}, - "sessionid1": {to:[{field: "rsa.misc.log_session_id1", setter: fld_set}]}, - "sessiontype": {to:[{field: "rsa.misc.sessiontype", setter: fld_set}]}, - "severity": {to:[{field: "rsa.misc.severity", setter: fld_set}]}, - "sid": {to:[{field: "rsa.identity.user_sid_dst", setter: fld_set}]}, - "sig.name": {to:[{field: "rsa.misc.sig_name", setter: fld_set}]}, - "sigUUID": {to:[{field: "rsa.misc.sigUUID", setter: fld_set}]}, - "sigcat": {to:[{field: "rsa.misc.sigcat", setter: fld_set}]}, - "sigid": {convert: to_long, to:[{field: "rsa.misc.sig_id", setter: fld_set}]}, - "sigid1": {convert: to_long, to:[{field: "rsa.misc.sig_id1", setter: fld_set}]}, - "sigid_string": {to:[{field: "rsa.misc.sig_id_str", setter: fld_set}]}, - "signame": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 1}]}, - "sigtype": {to:[{field: "rsa.crypto.sig_type", setter: fld_set}]}, - "sinterface": {to:[{field: "rsa.network.sinterface", setter: fld_set}]}, - "site": {to:[{field: "rsa.internal.site", setter: fld_set}]}, - "size": {convert: to_long, to:[{field: "rsa.internal.size", setter: fld_set}]}, - "smask": {to:[{field: "rsa.network.smask", setter: fld_set}]}, - "snmp.oid": {to:[{field: "rsa.misc.snmp_oid", setter: fld_set}]}, - "snmp.value": {to:[{field: "rsa.misc.snmp_value", setter: fld_set}]}, - "sourcefile": {to:[{field: "rsa.internal.sourcefile", setter: 
fld_set}]}, - "space": {to:[{field: "rsa.misc.space", setter: fld_set}]}, - "space1": {to:[{field: "rsa.misc.space1", setter: fld_set}]}, - "spi": {to:[{field: "rsa.misc.spi", setter: fld_set}]}, - "sql": {to:[{field: "rsa.misc.sql", setter: fld_set}]}, - "src_dn": {to:[{field: "rsa.identity.dn_src", setter: fld_set}]}, - "src_payload": {to:[{field: "rsa.misc.payload_src", setter: fld_set}]}, - "src_spi": {to:[{field: "rsa.misc.spi_src", setter: fld_set}]}, - "src_zone": {to:[{field: "rsa.network.zone_src", setter: fld_set}]}, - "srcburb": {to:[{field: "rsa.misc.srcburb", setter: fld_set}]}, - "srcdom": {to:[{field: "rsa.misc.srcdom", setter: fld_set}]}, - "srcservice": {to:[{field: "rsa.misc.srcservice", setter: fld_set}]}, - "ssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 0}]}, - "stamp": {convert: to_date, to:[{field: "rsa.time.stamp", setter: fld_set}]}, - "starttime": {convert: to_date, to:[{field: "rsa.time.starttime", setter: fld_set}]}, - "state": {to:[{field: "rsa.misc.state", setter: fld_set}]}, - "statement": {to:[{field: "rsa.internal.statement", setter: fld_set}]}, - "status": {to:[{field: "rsa.misc.status", setter: fld_set}]}, - "status1": {to:[{field: "rsa.misc.status1", setter: fld_set}]}, - "streams": {convert: to_long, to:[{field: "rsa.misc.streams", setter: fld_set}]}, - "subcategory": {to:[{field: "rsa.misc.subcategory", setter: fld_set}]}, - "subject": {to:[{field: "rsa.email.subject", setter: fld_set}]}, - "svcno": {to:[{field: "rsa.misc.svcno", setter: fld_set}]}, - "system": {to:[{field: "rsa.misc.system", setter: fld_set}]}, - "t_context": {to:[{field: "rsa.misc.context_target", setter: fld_set}]}, - "task_name": {to:[{field: "rsa.file.task_name", setter: fld_set}]}, - "tbdstr1": {to:[{field: "rsa.misc.tbdstr1", setter: fld_set}]}, - "tbdstr2": {to:[{field: "rsa.misc.tbdstr2", setter: fld_set}]}, - "tbl_name": {to:[{field: "rsa.db.table_name", setter: fld_set}]}, - "tcp_flags": {convert: to_long, to:[{field: 
"rsa.misc.tcp_flags", setter: fld_set}]}, - "terminal": {to:[{field: "rsa.misc.terminal", setter: fld_set}]}, - "tgtdom": {to:[{field: "rsa.misc.tgtdom", setter: fld_set}]}, - "tgtdomain": {to:[{field: "rsa.misc.tgtdomain", setter: fld_set}]}, - "threat_name": {to:[{field: "rsa.threat.threat_category", setter: fld_set}]}, - "threat_source": {to:[{field: "rsa.threat.threat_source", setter: fld_set}]}, - "threat_val": {to:[{field: "rsa.threat.threat_desc", setter: fld_set}]}, - "threshold": {to:[{field: "rsa.misc.threshold", setter: fld_set}]}, - "time": {convert: to_date, to:[{field: "rsa.internal.time", setter: fld_set}]}, - "timestamp": {to:[{field: "rsa.time.timestamp", setter: fld_set}]}, - "timezone": {to:[{field: "rsa.time.timezone", setter: fld_set}]}, - "to": {to:[{field: "rsa.email.email_dst", setter: fld_set}]}, - "tos": {convert: to_long, to:[{field: "rsa.misc.tos", setter: fld_set}]}, - "trans_from": {to:[{field: "rsa.email.trans_from", setter: fld_set}]}, - "trans_id": {to:[{field: "rsa.db.transact_id", setter: fld_set}]}, - "trans_to": {to:[{field: "rsa.email.trans_to", setter: fld_set}]}, - "trigger_desc": {to:[{field: "rsa.misc.trigger_desc", setter: fld_set}]}, - "trigger_val": {to:[{field: "rsa.misc.trigger_val", setter: fld_set}]}, - "type": {to:[{field: "rsa.misc.type", setter: fld_set}]}, - "type1": {to:[{field: "rsa.misc.type1", setter: fld_set}]}, - "tzone": {to:[{field: "rsa.time.tzone", setter: fld_set}]}, - "ubc.req": {convert: to_long, to:[{field: "rsa.internal.ubc_req", setter: fld_set}]}, - "ubc.res": {convert: to_long, to:[{field: "rsa.internal.ubc_res", setter: fld_set}]}, - "udb_class": {to:[{field: "rsa.misc.udb_class", setter: fld_set}]}, - "url_fld": {to:[{field: "rsa.misc.url_fld", setter: fld_set}]}, - "urlpage": {to:[{field: "rsa.web.urlpage", setter: fld_set}]}, - "urlroot": {to:[{field: "rsa.web.urlroot", setter: fld_set}]}, - "user_address": {to:[{field: "rsa.email.email", setter: fld_append}]}, - "user_dept": {to:[{field: 
"rsa.identity.user_dept", setter: fld_set}]}, - "user_div": {to:[{field: "rsa.misc.user_div", setter: fld_set}]}, - "user_fname": {to:[{field: "rsa.identity.firstname", setter: fld_set}]}, - "user_lname": {to:[{field: "rsa.identity.lastname", setter: fld_set}]}, - "user_mname": {to:[{field: "rsa.identity.middlename", setter: fld_set}]}, - "user_org": {to:[{field: "rsa.identity.org", setter: fld_set}]}, - "user_role": {to:[{field: "rsa.identity.user_role", setter: fld_set}]}, - "userid": {to:[{field: "rsa.misc.userid", setter: fld_set}]}, - "username_fld": {to:[{field: "rsa.misc.username_fld", setter: fld_set}]}, - "utcstamp": {to:[{field: "rsa.misc.utcstamp", setter: fld_set}]}, - "v_instafname": {to:[{field: "rsa.misc.v_instafname", setter: fld_set}]}, - "vendor_event_cat": {to:[{field: "rsa.investigations.event_vcat", setter: fld_set}]}, - "version": {to:[{field: "rsa.misc.version", setter: fld_set}]}, - "vid": {to:[{field: "rsa.internal.msg_vid", setter: fld_set}]}, - "virt_data": {to:[{field: "rsa.misc.virt_data", setter: fld_set}]}, - "virusname": {to:[{field: "rsa.misc.virusname", setter: fld_set}]}, - "vlan": {convert: to_long, to:[{field: "rsa.network.vlan", setter: fld_set}]}, - "vlan.name": {to:[{field: "rsa.network.vlan_name", setter: fld_set}]}, - "vm_target": {to:[{field: "rsa.misc.vm_target", setter: fld_set}]}, - "vpnid": {to:[{field: "rsa.misc.vpnid", setter: fld_set}]}, - "vsys": {to:[{field: "rsa.misc.vsys", setter: fld_set}]}, - "vuln_ref": {to:[{field: "rsa.misc.vuln_ref", setter: fld_set}]}, - "web_cookie": {to:[{field: "rsa.web.web_cookie", setter: fld_set}]}, - "web_extension_tmp": {to:[{field: "rsa.web.web_extension_tmp", setter: fld_set}]}, - "web_host": {to:[{field: "rsa.web.alias_host", setter: fld_set}]}, - "web_method": {to:[{field: "rsa.misc.action", setter: fld_append}]}, - "web_page": {to:[{field: "rsa.web.web_page", setter: fld_set}]}, - "web_ref_domain": {to:[{field: "rsa.web.web_ref_domain", setter: fld_set}]}, - "web_ref_host": 
{to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "web_ref_page": {to:[{field: "rsa.web.web_ref_page", setter: fld_set}]}, - "web_ref_query": {to:[{field: "rsa.web.web_ref_query", setter: fld_set}]}, - "web_ref_root": {to:[{field: "rsa.web.web_ref_root", setter: fld_set}]}, - "wifi_channel": {convert: to_long, to:[{field: "rsa.wireless.wlan_channel", setter: fld_set}]}, - "wlan": {to:[{field: "rsa.wireless.wlan_name", setter: fld_set}]}, - "word": {to:[{field: "rsa.internal.word", setter: fld_set}]}, - "workspace_desc": {to:[{field: "rsa.misc.workspace", setter: fld_set}]}, - "workstation": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "year": {to:[{field: "rsa.time.year", setter: fld_set}]}, - "zone": {to:[{field: "rsa.network.zone", setter: fld_set}]}, - }; - - function to_date(value) { - switch (typeof (value)) { - case "object": - // This is a Date. But as it was obtained from evt.Get(), the VM - // doesn't see it as a JS Date anymore, thus value instanceof Date === false. - // Have to trust that any object here is a valid Date for Go. - return value; - case "string": - var asDate = new Date(value); - if (!isNaN(asDate)) return asDate; - } - } - - // ECMAScript 5.1 doesn't have Object.MAX_SAFE_INTEGER / Object.MIN_SAFE_INTEGER. - var maxSafeInt = Math.pow(2, 53) - 1; - var minSafeInt = -maxSafeInt; - - function to_long(value) { - var num = parseInt(value); - // Better not to index a number if it's not safe (above 53 bits). - return !isNaN(num) && minSafeInt <= num && num <= maxSafeInt ? 
num : undefined; - } - - function to_ip(value) { - if (value.indexOf(":") === -1) - return to_ipv4(value); - return to_ipv6(value); - } - - var ipv4_regex = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/; - var ipv6_hex_regex = /^[0-9A-Fa-f]{1,4}$/; - - function to_ipv4(value) { - var result = ipv4_regex.exec(value); - if (result == null || result.length !== 5) return; - for (var i = 1; i < 5; i++) { - var num = strictToInt(result[i]); - if (isNaN(num) || num < 0 || num > 255) return; - } - return value; - } - - function to_ipv6(value) { - var sqEnd = value.indexOf("]"); - if (sqEnd > -1) { - if (value.charAt(0) !== "[") return; - value = value.substr(1, sqEnd - 1); - } - var zoneOffset = value.indexOf("%"); - if (zoneOffset > -1) { - value = value.substr(0, zoneOffset); - } - var parts = value.split(":"); - if (parts == null || parts.length < 3 || parts.length > 8) return; - var numEmpty = 0; - var innerEmpty = 0; - for (var i = 0; i < parts.length; i++) { - if (parts[i].length === 0) { - numEmpty++; - if (i > 0 && i + 1 < parts.length) innerEmpty++; - } else if (!parts[i].match(ipv6_hex_regex) && - // Accept an IPv6 with a valid IPv4 at the end. - ((i + 1 < parts.length) || !to_ipv4(parts[i]))) { - return; - } - } - return innerEmpty === 0 && parts.length === 8 || innerEmpty === 1 ? value : undefined; - } - - function to_double(value) { - return parseFloat(value); - } - - function to_mac(value) { - // ES doesn't have a mac datatype so it's safe to ingest whatever was captured. - return value; - } - - function to_lowercase(value) { - // to_lowercase is used against keyword fields, which can accept - // any other type (numbers, dates). - return typeof(value) === "string"? 
value.toLowerCase() : value; - } - - function fld_set(dst, value) { - dst[this.field] = { v: value }; - } - - function fld_append(dst, value) { - if (dst[this.field] === undefined) { - dst[this.field] = { v: [value] }; - } else { - var base = dst[this.field]; - if (base.v.indexOf(value)===-1) base.v.push(value); - } - } - - function fld_prio(dst, value) { - if (dst[this.field] === undefined) { - dst[this.field] = { v: value, prio: this.prio}; - } else if(this.prio < dst[this.field].prio) { - dst[this.field].v = value; - dst[this.field].prio = this.prio; - } - } - - var valid_ecs_outcome = { - 'failure': true, - 'success': true, - 'unknown': true - }; - - function fld_ecs_outcome(dst, value) { - value = value.toLowerCase(); - if (valid_ecs_outcome[value] === undefined) { - value = 'unknown'; - } - if (dst[this.field] === undefined) { - dst[this.field] = { v: value }; - } else if (dst[this.field].v === 'unknown') { - dst[this.field] = { v: value }; - } - } - - function map_all(evt, targets, value) { - for (var i = 0; i < targets.length; i++) { - evt.Put(targets[i], value); - } - } - - function populate_fields(evt) { - var base = evt.Get(FIELDS_OBJECT); - if (base === null) return; - alternate_datetime(evt); - if (map_ecs) { - do_populate(evt, base, ecs_mappings); - } - if (map_rsa) { - do_populate(evt, base, rsa_mappings); - } - if (keep_raw) { - evt.Put("rsa.raw", base); - } - evt.Delete(FIELDS_OBJECT); - } - - var datetime_alt_components = [ - {field: "day", fmts: [[dF]]}, - {field: "year", fmts: [[dW]]}, - {field: "month", fmts: [[dB],[dG]]}, - {field: "date", fmts: [[dW,dSkip,dG,dSkip,dF],[dW,dSkip,dB,dSkip,dF],[dW,dSkip,dR,dSkip,dF]]}, - {field: "hour", fmts: [[dN]]}, - {field: "min", fmts: [[dU]]}, - {field: "secs", fmts: [[dO]]}, - {field: "time", fmts: [[dN, dSkip, dU, dSkip, dO]]}, - ]; - - function alternate_datetime(evt) { - if (evt.Get(FIELDS_PREFIX + "event_time") != null) { - return; - } - var tzOffset = tz_offset; - if (tzOffset === "event") { - 
tzOffset = evt.Get("event.timezone"); - } - var container = new DateContainer(tzOffset); - for (var i=0; i} %{hostname->} %{messageid}[%{process_id}]: %{payload}", processor_chain([ - setc("header_id","0001"), - ])); - - var hdr2 = match("HEADER#1:0002", "message", "%{hfld1->} %{messageid}[%{process_id}]: %{payload}", processor_chain([ - setc("header_id","0002"), - ])); - - var hdr3 = match("HEADER#2:0003", "message", "%{hfld1->} %{hostname->} reverseproxy: %{payload}", processor_chain([ - setc("header_id","0003"), - setc("messageid","reverseproxy"), - ])); - - var hdr4 = match("HEADER#3:0005", "message", "%{hfld1->} %{hostname->} %{messageid}: %{payload}", processor_chain([ - setc("header_id","0005"), - ])); - - var hdr5 = match("HEADER#4:0004", "message", "%{hfld1->} %{id}[%{process_id}]: %{payload}", processor_chain([ - setc("header_id","0004"), - setc("messageid","astarosg_TVM"), - ])); - - var hdr6 = match("HEADER#5:0006", "message", "device=\"%{product}\" date=%{hdate->} time=%{htime->} timezone=\"%{timezone}\" device_name=\"%{device}\" device_id=%{hardware_id->} log_id=%{id->} %{payload}", processor_chain([ - setc("header_id","0006"), - setc("messageid","Sophos_Firewall"), - ])); - - var select1 = linear_select([ - hdr1, - hdr2, - hdr3, - hdr4, - hdr5, - hdr6, - ]); - - var part1 = match("MESSAGE#0:named:01", "nwparser.payload", "received control channel command '%{action}'", processor_chain([ - dup1, - dup2, - dup3, - ])); - - var msg1 = msg("named:01", part1); - - var part2 = match("MESSAGE#1:named:02", "nwparser.payload", "flushing caches in all views %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - ])); - - var msg2 = msg("named:02", part2); - - var part3 = match("MESSAGE#2:named:03", "nwparser.payload", "error (%{result}) resolving '%{dhost}': %{daddr}#%{dport}", processor_chain([ - dup4, - dup2, - dup3, - ])); - - var msg3 = msg("named:03", part3); - - var part4 = match("MESSAGE#3:named:04", "nwparser.payload", "received %{action->} signal 
to %{fld3}", processor_chain([ - dup5, - dup2, - dup3, - ])); - - var msg4 = msg("named:04", part4); - - var part5 = match("MESSAGE#4:named:05", "nwparser.payload", "loading configuration from '%(unknown)'", processor_chain([ - dup6, - dup2, - dup3, - ])); - - var msg5 = msg("named:05", part5); - - var part6 = match("MESSAGE#5:named:06", "nwparser.payload", "no %{protocol->} interfaces found", processor_chain([ - setc("eventcategory","1804000000"), - dup2, - dup3, - ])); - - var msg6 = msg("named:06", part6); - - var part7 = match("MESSAGE#6:named:07", "nwparser.payload", "sizing zone task pool based on %{fld3->} zones", processor_chain([ - dup7, - dup2, - dup3, - ])); - - var msg7 = msg("named:07", part7); - - var part8 = match("MESSAGE#7:named:08", "nwparser.payload", "automatic empty zone: view %{fld3}: %{dns_ptr_record}", processor_chain([ - dup8, - dup2, - dup3, - ])); - - var msg8 = msg("named:08", part8); - - var part9 = match("MESSAGE#8:named:09", "nwparser.payload", "reloading %{obj_type->} %{disposition}", processor_chain([ - dup7, - dup2, - dup3, - setc("action","reloading"), - ])); - - var msg9 = msg("named:09", part9); - - var part10 = match("MESSAGE#9:named:10", "nwparser.payload", "zone %{dhost}/%{fld3}: loaded serial %{operation_id}", processor_chain([ - dup7, - dup9, - dup2, - dup3, - ])); - - var msg10 = msg("named:10", part10); - - var part11 = match("MESSAGE#10:named:11", "nwparser.payload", "all zones loaded%{}", processor_chain([ - dup7, - dup9, - dup2, - dup3, - setc("action","all zones loaded"), - ])); - - var msg11 = msg("named:11", part11); - - var part12 = match("MESSAGE#11:named:12", "nwparser.payload", "running%{}", processor_chain([ - dup7, - setc("disposition","running"), - dup2, - dup3, - setc("action","running"), - ])); - - var msg12 = msg("named:12", part12); - - var part13 = match("MESSAGE#12:named:13", "nwparser.payload", "using built-in root key for view %{fld3}", processor_chain([ - dup7, - setc("context","built-in root key"), 
- dup2, - dup3, - ])); - - var msg13 = msg("named:13", part13); - - var part14 = match("MESSAGE#13:named:14", "nwparser.payload", "zone %{dns_ptr_record}/%{fld3}: (%{username}) %{action}", processor_chain([ - dup8, - dup2, - dup3, - ])); - - var msg14 = msg("named:14", part14); - - var part15 = match("MESSAGE#14:named:15", "nwparser.payload", "too many timeouts resolving '%{fld3}' (%{fld4}): disabling EDNS", processor_chain([ - dup10, - setc("event_description","named:too many timeouts resolving DNS."), - dup11, - dup2, - ])); - - var msg15 = msg("named:15", part15); - - var part16 = match("MESSAGE#15:named:16", "nwparser.payload", "FORMERR resolving '%{hostname}': %{saddr}#%{fld3}", processor_chain([ - dup10, - setc("event_description","named:FORMERR resolving DNS."), - dup11, - dup2, - ])); - - var msg16 = msg("named:16", part16); - - var part17 = match("MESSAGE#16:named:17", "nwparser.payload", "unexpected RCODE (SERVFAIL) resolving '%{hostname}': %{saddr}#%{fld3}", processor_chain([ - dup10, - setc("event_description","named:unexpected RCODE (SERVFAIL) resolving DNS."), - dup11, - dup2, - ])); - - var msg17 = msg("named:17", part17); - - var select2 = linear_select([ - msg1, - msg2, - msg3, - msg4, - msg5, - msg6, - msg7, - msg8, - msg9, - msg10, - msg11, - msg12, - msg13, - msg14, - msg15, - msg16, - msg17, - ]); - - var part18 = match("MESSAGE#17:httpproxy:09", "nwparser.payload", "Integrated HTTP-Proxy %{version}", processor_chain([ - dup12, - setc("event_description","httpproxy:Integrated HTTP-Proxy."), - dup11, - dup2, - ])); - - var msg18 = msg("httpproxy:09", part18); - - var part19 = match("MESSAGE#18:httpproxy:10", "nwparser.payload", "[%{fld2}] parse_address (%{fld3}) getaddrinfo: passthrough.fw-notify.net: Name or service not known", processor_chain([ - dup10, - setc("event_description","httpproxy:Name or service not known."), - dup11, - dup2, - ])); - - var msg19 = msg("httpproxy:10", part19); - - var part20 = match("MESSAGE#19:httpproxy:11", 
"nwparser.payload", "[%{fld2}] confd_config_filter (%{fld3}) failed to resolve passthrough.fw-notify.net, using %{saddr}", processor_chain([ - dup10, - setc("event_description","httpproxy:failed to resolve passthrough."), - dup11, - dup2, - ])); - - var msg20 = msg("httpproxy:11", part20); - - var part21 = match("MESSAGE#20:httpproxy:12", "nwparser.payload", "[%{fld2}] ssl_log_errors (%{fld3}) %{fld4}ssl handshake failure%{fld5}", processor_chain([ - dup10, - setc("event_description","httpproxy:ssl handshake failure."), - dup11, - dup2, - ])); - - var msg21 = msg("httpproxy:12", part21); - - var part22 = match("MESSAGE#21:httpproxy:13", "nwparser.payload", "[%{fld2}] sc_decrypt (%{fld3}) EVP_DecryptFinal failed", processor_chain([ - dup10, - setc("event_description","httpproxy:EVP_DecryptFinal failed."), - dup11, - dup2, - ])); - - var msg22 = msg("httpproxy:13", part22); - - var part23 = match("MESSAGE#22:httpproxy:14", "nwparser.payload", "[%{fld2}] sc_server_cmd (%{fld3}) decrypt failed", processor_chain([ - dup10, - setc("event_description","httpproxy:decrypt failed."), - dup11, - dup2, - ])); - - var msg23 = msg("httpproxy:14", part23); - - var part24 = match("MESSAGE#23:httpproxy:15", "nwparser.payload", "[%{fld2}] clamav_reload (%{fld3}) %{info}", processor_chain([ - dup12, - setc("event_description","httpproxy:reloading av pattern"), - dup11, - dup2, - ])); - - var msg24 = msg("httpproxy:15", part24); - - var part25 = match("MESSAGE#24:httpproxy:16", "nwparser.payload", "[%{fld2}] sc_check_servers (%{fld3}) server '%{hostname}' access time: %{fld4}", processor_chain([ - dup12, - setc("event_description","httpproxy:sc_check_servers.Server checked."), - dup11, - dup2, - ])); - - var msg25 = msg("httpproxy:16", part25); - - var part26 = match("MESSAGE#25:httpproxy:17", "nwparser.payload", "[%{fld2}] main (%{fld3}) shutdown finished, exiting", processor_chain([ - dup12, - setc("event_description","httpproxy:shutdown finished, exiting."), - dup11, - dup2, - ])); 
- - var msg26 = msg("httpproxy:17", part26); - - var part27 = match("MESSAGE#26:httpproxy:18", "nwparser.payload", "[%{fld2}] main (%{fld3}) reading configuration", processor_chain([ - dup12, - setc("event_description","httpproxy:"), - dup11, - dup2, - ])); - - var msg27 = msg("httpproxy:18", part27); - - var part28 = match("MESSAGE#27:httpproxy:19", "nwparser.payload", "[%{fld2}] main (%{fld3}) reading profiles", processor_chain([ - dup12, - setc("event_description","httpproxy:reading profiles"), - dup11, - dup2, - ])); - - var msg28 = msg("httpproxy:19", part28); - - var part29 = match("MESSAGE#28:httpproxy:20", "nwparser.payload", "[%{fld2}] main (%{fld3}) finished startup", processor_chain([ - dup12, - setc("event_description","httpproxy:finished startup"), - dup11, - dup2, - ])); - - var msg29 = msg("httpproxy:20", part29); - - var part30 = match("MESSAGE#29:httpproxy:21", "nwparser.payload", "[%{fld2}] read_request_headers (%{fld3}) %{info}", processor_chain([ - dup12, - setc("event_description","httpproxy:read_request_headers related message."), - dup11, - dup2, - ])); - - var msg30 = msg("httpproxy:21", part30); - - var part31 = match("MESSAGE#30:httpproxy:22", "nwparser.payload", "[%{fld2}] epoll_loop (%{fld3}) %{info}", processor_chain([ - dup12, - setc("event_description","httpproxy:epoll_loop related message."), - dup11, - dup2, - ])); - - var msg31 = msg("httpproxy:22", part31); - - var part32 = match("MESSAGE#31:httpproxy:23", "nwparser.payload", "[%{fld2}] scan_exit (%{fld3}) %{info}", processor_chain([ - dup12, - setc("event_description","httpproxy:scan_exit related message."), - dup11, - dup2, - ])); - - var msg32 = msg("httpproxy:23", part32); - - var part33 = match("MESSAGE#32:httpproxy:24", "nwparser.payload", "[%{fld2}] epoll_exit (%{fld3}) %{info}", processor_chain([ - dup12, - setc("event_description","httpproxy:epoll_exit related message."), - dup11, - dup2, - ])); - - var msg33 = msg("httpproxy:24", part33); - - var part34 = 
match("MESSAGE#33:httpproxy:25", "nwparser.payload", "[%{fld2}] disk_cache_exit (%{fld3}) %{info}", processor_chain([ - dup12, - setc("event_description","httpproxy:disk_cache_exit related message."), - dup11, - dup2, - ])); - - var msg34 = msg("httpproxy:25", part34); - - var part35 = match("MESSAGE#34:httpproxy:26", "nwparser.payload", "[%{fld2}] disk_cache_zap (%{fld3}) %{info}", processor_chain([ - dup12, - setc("event_description","httpproxy:disk_cache_zap related message."), - dup11, - dup2, - ])); - - var msg35 = msg("httpproxy:26", part35); - - var part36 = match("MESSAGE#35:httpproxy:27", "nwparser.payload", "[%{fld2}] scanner_init (%{fld3}) %{info}", processor_chain([ - dup12, - setc("event_description","httpproxy:scanner_init related message."), - dup11, - dup2, - ])); - - var msg36 = msg("httpproxy:27", part36); - - var part37 = tagval("MESSAGE#36:httpproxy:01", "nwparser.payload", tvm, { - "action": "action", - "ad_domain": "fld1", - "app-id": "fld18", - "application": "fld17", - "auth": "fld10", - "authtime": "fld4", - "avscantime": "fld7", - "cached": "fld2", - "category": "policy_id", - "categoryname": "info", - "cattime": "fld6", - "content-type": "content_type", - "device": "fld9", - "dnstime": "fld5", - "dstip": "daddr", - "error": "result", - "exceptions": "fld12", - "extension": "fld13", - "file": "filename", - "filename": "filename", - "filteraction": "fld3", - "fullreqtime": "fld8", - "function": "action", - "group": "group", - "id": "rule", - "line": "fld14", - "message": "context", - "method": "web_method", - "name": "event_description", - "profile": "policyname", - "reason": "rule_group", - "referer": "web_referer", - "reputation": "fld16", - "request": "connectionid", - "severity": "severity", - "size": "rbytes", - "srcip": "saddr", - "statuscode": "resultcode", - "sub": "network_service", - "sys": "vsys", - "time": "fld15", - "ua": "fld11", - "url": "url", - "user": "username", - }, processor_chain([ - dup13, - dup11, - dup2, - dup45, - 
dup46, - ])); - - var msg37 = msg("httpproxy:01", part37); - - var select3 = linear_select([ - msg18, - msg19, - msg20, - msg21, - msg22, - msg23, - msg24, - msg25, - msg26, - msg27, - msg28, - msg29, - msg30, - msg31, - msg32, - msg33, - msg34, - msg35, - msg36, - msg37, - ]); - - var part38 = match("MESSAGE#37:URID:01", "nwparser.payload", "T=%{fld3->} ------ 1 - [exit] %{action}: %{disposition}", processor_chain([ - dup16, - dup2, - dup3, - ])); - - var msg38 = msg("URID:01", part38); - - var part39 = tagval("MESSAGE#38:ulogd:01", "nwparser.payload", tvm, { - "action": "action", - "code": "fld30", - "dstip": "daddr", - "dstmac": "dmacaddr", - "dstport": "dport", - "fwrule": "policy_id", - "id": "rule", - "info": "context", - "initf": "sinterface", - "length": "fld25", - "name": "event_description", - "outitf": "dinterface", - "prec": "fld27", - "proto": "fld24", - "seq": "fld23", - "severity": "severity", - "srcip": "saddr", - "srcmac": "smacaddr", - "srcport": "sport", - "sub": "network_service", - "sys": "vsys", - "tcpflags": "fld29", - "tos": "fld26", - "ttl": "fld28", - "type": "fld31", - }, processor_chain([ - dup13, - setc("ec_subject","NetworkComm"), - setc("ec_activity","Scan"), - setc("ec_theme","TEV"), - dup11, - dup2, - dup45, - dup46, - ])); - - var msg39 = msg("ulogd:01", part39); - - var part40 = match("MESSAGE#39:reverseproxy:01", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] ModSecurity for Apache/%{fld5->} (%{fld6}) configured.", processor_chain([ - dup6, - setc("disposition","configured"), - dup2, - dup3, - ])); - - var msg40 = msg("reverseproxy:01", part40); - - var part41 = match("MESSAGE#40:reverseproxy:02", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] ModSecurity: %{fld5->} compiled version=\"%{fld6}\"; loaded version=\"%{fld7}\"", processor_chain([ - dup17, - dup2, - dup3, - ])); - - var msg41 = msg("reverseproxy:02", part41); - - var part42 = 
match("MESSAGE#41:reverseproxy:03", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] ModSecurity: %{fld5->} compiled version=\"%{fld6}\"", processor_chain([ - dup17, - dup2, - dup3, - ])); - - var msg42 = msg("reverseproxy:03", part42); - - var part43 = match("MESSAGE#42:reverseproxy:04", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] %{fld5->} configured -- %{disposition->} normal operations", processor_chain([ - dup17, - setc("event_id","AH00292"), - dup2, - dup3, - ])); - - var msg43 = msg("reverseproxy:04", part43); - - var part44 = match("MESSAGE#43:reverseproxy:06", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [%{fld5}] Hostname in %{network_service->} request (%{fld6}) does not match the server name (%{ddomain})", processor_chain([ - setc("eventcategory","1805010000"), - dup18, - dup2, - dup3, - ])); - - var msg44 = msg("reverseproxy:06", part44); - - var part45 = match("MESSAGE#44:reverseproxy:07/0", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] AH00297: %{action->} received. 
Doing%{p0}"); - - var select4 = linear_select([ - dup19, - ]); - - var part46 = match("MESSAGE#44:reverseproxy:07/2", "nwparser.p0", "%{}graceful %{disposition}"); - - var all1 = all_match({ - processors: [ - part45, - select4, - part46, - ], - on_success: processor_chain([ - dup5, - setc("event_id","AH00297"), - dup2, - dup3, - ]), - }); - - var msg45 = msg("reverseproxy:07", all1); - - var part47 = match("MESSAGE#45:reverseproxy:08", "nwparser.payload", "AH00112: Warning: DocumentRoot [%{web_root}] does not exist", processor_chain([ - dup4, - setc("event_id","AH00112"), - dup2, - dup3, - ])); - - var msg46 = msg("reverseproxy:08", part47); - - var part48 = match("MESSAGE#46:reverseproxy:09", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] AH00094: Command line: '%{web_root}'", processor_chain([ - setc("eventcategory","1605010000"), - setc("event_id","AH00094"), - dup2, - dup3, - ])); - - var msg47 = msg("reverseproxy:09", part48); - - var part49 = match("MESSAGE#47:reverseproxy:10", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] AH00291: long lost child came home! 
(pid %{fld5})", processor_chain([ - dup12, - setc("event_id","AH00291"), - dup2, - dup3, - ])); - - var msg48 = msg("reverseproxy:10", part49); - - var part50 = match("MESSAGE#48:reverseproxy:11", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] AH02572: Failed to configure at least one certificate and key for %{fld5}:%{fld6}", processor_chain([ - dup20, - setc("event_id","AH02572"), - dup2, - dup3, - ])); - - var msg49 = msg("reverseproxy:11", part50); - - var part51 = match("MESSAGE#49:reverseproxy:12", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] SSL Library Error: error:%{resultcode}:%{result}", processor_chain([ - dup20, - setc("context","SSL Library Error"), - dup2, - dup3, - ])); - - var msg50 = msg("reverseproxy:12", part51); - - var part52 = match("MESSAGE#50:reverseproxy:13", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] AH02312: Fatal error initialising mod_ssl, %{disposition}.", processor_chain([ - dup20, - setc("result","Fatal error"), - setc("event_id","AH02312"), - dup2, - dup3, - ])); - - var msg51 = msg("reverseproxy:13", part52); - - var part53 = match("MESSAGE#51:reverseproxy:14", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] AH00020: Configuration Failed, %{disposition}", processor_chain([ - dup20, - setc("result","Configuration Failed"), - setc("event_id","AH00020"), - dup2, - dup3, - ])); - - var msg52 = msg("reverseproxy:14", part53); - - var part54 = match("MESSAGE#52:reverseproxy:15", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] AH00098: pid file %{filename->} overwritten -- Unclean shutdown of previous Apache run?", processor_chain([ - setc("eventcategory","1609000000"), - setc("context","Unclean shutdown"), - setc("event_id","AH00098"), - dup2, - dup3, - ])); - - var msg53 = msg("reverseproxy:15", part54); - - var part55 = 
match("MESSAGE#53:reverseproxy:16", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] AH00295: caught %{action}, %{disposition}", processor_chain([ - dup16, - setc("event_id","AH00295"), - dup2, - dup3, - ])); - - var msg54 = msg("reverseproxy:16", part55); - - var part56 = match("MESSAGE#54:reverseproxy:17/0", "nwparser.payload", "[%{fld3}] [%{event_log}:%{result}] [pid %{process_id}:%{fld4}] [client %{gateway}] ModSecurity: Warning. %{rulename->} [file \"%(unknown)\"] [line \"%{fld5}\"] [id \"%{rule}\"]%{p0}"); - - var part57 = match("MESSAGE#54:reverseproxy:17/1_0", "nwparser.p0", " [rev \"%{fld6}\"]%{p0}"); - - var select5 = linear_select([ - part57, - dup19, - ]); - - var part58 = match("MESSAGE#54:reverseproxy:17/2", "nwparser.p0", "%{}[msg \"%{comments}\"] [data \"%{daddr}\"] [severity \"%{severity}\"] [ver \"%{policyname}\"] [maturity \"%{fld7}\"] [accuracy \"%{fld8}\"] %{context->} [hostname \"%{dhost}\"] [uri \"%{web_root}\"] [unique_id \"%{operation_id}\"]"); - - var all2 = all_match({ - processors: [ - part56, - select5, - part58, - ], - on_success: processor_chain([ - dup21, - dup2, - dup3, - ]), - }); - - var msg55 = msg("reverseproxy:17", all2); - - var part59 = match("MESSAGE#55:reverseproxy:18", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] No signature found, cookie: %{fld5}", processor_chain([ - dup4, - dup22, - dup2, - dup3, - ])); - - var msg56 = msg("reverseproxy:18", part59); - - var part60 = match("MESSAGE#56:reverseproxy:19", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] %{disposition->} '%{fld5}' from request due to missing/invalid signature", processor_chain([ - dup23, - dup22, - dup2, - dup3, - ])); - - var msg57 = msg("reverseproxy:19", part60); - - var part61 = match("MESSAGE#57:reverseproxy:20", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] 
[client %{gateway}] ModSecurity: Warning. %{rulename->} [file \"%(unknown)\"] [line \"%{fld5}\"] [id \"%{rule}\"] [msg \"%{comments}\"] [hostname \"%{dhost}\"] [uri \"%{web_root}\"] [unique_id \"%{operation_id}\"]", processor_chain([ - dup21, - dup2, - dup3, - ])); - - var msg58 = msg("reverseproxy:20", part61); - - var part62 = match("MESSAGE#58:reverseproxy:21", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] AH01909: %{daddr}:%{dport}:%{fld5->} server certificate does NOT include an ID which matches the server name", processor_chain([ - dup20, - dup18, - setc("event_id","AH01909"), - dup2, - dup3, - ])); - - var msg59 = msg("reverseproxy:21", part62); - - var part63 = match("MESSAGE#59:reverseproxy:22", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] AH01915: Init: (%{daddr}:%{dport}) You configured %{network_service}(%{fld5}) on the %{fld6}(%{fld7}) port!", processor_chain([ - dup20, - setc("comments","Invalid port configuration"), - dup2, - dup3, - ])); - - var msg60 = msg("reverseproxy:22", part63); - - var part64 = match("MESSAGE#60:reverseproxy:23", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] ModSecurity: Rule %{rulename->} [id \"%{rule}\"][file \"%(unknown)\"][line \"%{fld5}\"] - Execution error - PCRE limits exceeded (%{fld6}): (%{fld7}). 
[hostname \"%{dhost}\"] [uri \"%{web_root}\"] [unique_id \"%{operation_id}\"]", processor_chain([ - dup21, - dup2, - dup3, - ])); - - var msg61 = msg("reverseproxy:23", part64); - - var part65 = match("MESSAGE#61:reverseproxy:24", "nwparser.payload", "rManage\\\\x22,\\\\x22manageLiveSystemSettings\\\\x22,\\\\x22accessViewJobs\\\\x22,\\\\x22exportList\\\\...\"] [ver \"%{policyname}\"] [maturity \"%{fld3}\"] [accuracy \"%{fld4}\"] %{context->} [hostname \"%{dhost}\"] [uri \"%{web_root}\"] [unique_id \"%{operation_id}\"]", processor_chain([ - dup21, - dup2, - dup3, - ])); - - var msg62 = msg("reverseproxy:24", part65); - - var part66 = match("MESSAGE#62:reverseproxy:25", "nwparser.payload", "ARGS:userPermissions: [\\\\x22dashletAccessAlertingRecentAlertsPanel\\\\x22,\\\\x22dashletAccessAlerterTopAlertsDashlet\\\\x22,\\\\x22accessViewRules\\\\x22,\\\\x22deployLiveResources\\\\x22,\\\\x22vi...\"] [severity [hostname \"%{dhost}\"] [uri \"%{web_root}\"] [unique_id \"%{operation_id}\"]", processor_chain([ - dup21, - dup2, - dup3, - ])); - - var msg63 = msg("reverseproxy:25", part66); - - var part67 = match("MESSAGE#63:reverseproxy:26/0", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] ModSecurity: %{disposition->} with code %{resultcode->} (%{fld5}). 
%{rulename->} [file \"%(unknown)\"] [line \"%{fld6}\"] [id \"%{rule}\"]%{p0}"); - - var part68 = match("MESSAGE#63:reverseproxy:26/1_0", "nwparser.p0", " [rev \"%{fld7}\"]%{p0}"); - - var select6 = linear_select([ - part68, - dup19, - ]); - - var part69 = match("MESSAGE#63:reverseproxy:26/2", "nwparser.p0", "%{}[msg \"%{comments}\"] [data \"Last Matched Data: %{p0}"); - - var part70 = match("MESSAGE#63:reverseproxy:26/3_0", "nwparser.p0", "%{daddr}:%{dport}\"] [hostname \"%{p0}"); - - var part71 = match("MESSAGE#63:reverseproxy:26/3_1", "nwparser.p0", "%{daddr}\"] [hostname \"%{p0}"); - - var select7 = linear_select([ - part70, - part71, - ]); - - var part72 = match("MESSAGE#63:reverseproxy:26/4", "nwparser.p0", "%{dhost}\"] [uri \"%{web_root}\"] [unique_id \"%{operation_id}\"]"); - - var all3 = all_match({ - processors: [ - part67, - select6, - part69, - select7, - part72, - ], - on_success: processor_chain([ - dup24, - dup2, - dup3, - ]), - }); - - var msg64 = msg("reverseproxy:26", all3); - - var part73 = match("MESSAGE#64:reverseproxy:27", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] [%{fld5}] %{disposition->} while reading reply from cssd, referer: %{web_referer}", processor_chain([ - dup25, - dup2, - dup3, - ])); - - var msg65 = msg("reverseproxy:27", part73); - - var part74 = match("MESSAGE#65:reverseproxy:28", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] [%{fld5}] virus daemon error found in request %{web_root}, referer: %{web_referer}", processor_chain([ - dup26, - setc("result","virus daemon error"), - dup2, - dup3, - ])); - - var msg66 = msg("reverseproxy:28", part74); - - var part75 = match("MESSAGE#66:reverseproxy:29", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] mod_avscan_input_filter: virus found, referer: %{web_referer}", processor_chain([ - dup27, - 
setc("result","virus found"), - dup2, - dup3, - ])); - - var msg67 = msg("reverseproxy:29", part75); - - var part76 = match("MESSAGE#67:reverseproxy:30", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] (13)%{result}: [client %{gateway}] AH01095: prefetch request body failed to %{saddr}:%{sport->} (%{fld5}) from %{fld6->} (), referer: %{web_referer}", processor_chain([ - dup24, - dup28, - dup2, - dup3, - ])); - - var msg68 = msg("reverseproxy:30", part76); - - var part77 = match("MESSAGE#68:reverseproxy:31", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] [%{fld5}] cannot read reply: Operation now in progress (115), referer: %{web_referer}", processor_chain([ - dup25, - setc("result","Cannot read reply"), - dup2, - dup3, - ])); - - var msg69 = msg("reverseproxy:31", part77); - - var part78 = match("MESSAGE#69:reverseproxy:32", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] [%{fld5}] cannot connect: %{result->} (111), referer: %{web_referer}", processor_chain([ - dup25, - dup2, - dup3, - ])); - - var msg70 = msg("reverseproxy:32", part78); - - var part79 = match("MESSAGE#70:reverseproxy:33", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] [%{fld5}] cannot connect: %{result->} (111)", processor_chain([ - dup25, - dup2, - dup3, - ])); - - var msg71 = msg("reverseproxy:33", part79); - - var part80 = match("MESSAGE#71:reverseproxy:34", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] [%{fld5}] virus daemon connection problem found in request %{url}, referer: %{web_referer}", processor_chain([ - dup26, - dup29, - dup2, - dup3, - ])); - - var msg72 = msg("reverseproxy:34", part80); - - var part81 = match("MESSAGE#72:reverseproxy:35", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid 
%{process_id}:%{fld4}] [client %{gateway}] [%{fld5}] virus daemon connection problem found in request %{url}", processor_chain([ - dup26, - dup29, - dup2, - dup3, - ])); - - var msg73 = msg("reverseproxy:35", part81); - - var part82 = match("MESSAGE#73:reverseproxy:36", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] mod_avscan_input_filter: virus found", processor_chain([ - dup27, - setc("result","Virus found"), - dup2, - dup3, - ])); - - var msg74 = msg("reverseproxy:36", part82); - - var part83 = match("MESSAGE#74:reverseproxy:37", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] (13)%{result}: [client %{gateway}] AH01095: prefetch request body failed to %{saddr}:%{sport->} (%{fld5}) from %{fld6->} ()", processor_chain([ - dup24, - dup28, - dup2, - dup3, - ])); - - var msg75 = msg("reverseproxy:37", part83); - - var part84 = match("MESSAGE#75:reverseproxy:38", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] Invalid signature, cookie: JSESSIONID", processor_chain([ - dup25, - dup2, - dup3, - ])); - - var msg76 = msg("reverseproxy:38", part84); - - var part85 = match("MESSAGE#76:reverseproxy:39", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] Form validation failed: Received unhardened form data, referer: %{web_referer}", processor_chain([ - dup23, - setc("result","Form validation failed"), - dup2, - dup3, - ])); - - var msg77 = msg("reverseproxy:39", part85); - - var part86 = match("MESSAGE#77:reverseproxy:40", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] [%{fld5}] sending trickle failed: 103", processor_chain([ - dup25, - setc("result","Sending trickle failed"), - dup2, - dup3, - ])); - - var msg78 = msg("reverseproxy:40", part86); - - var part87 = match("MESSAGE#78:reverseproxy:41", 
"nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] [%{fld5}] client requesting %{web_root->} has %{disposition}", processor_chain([ - dup30, - dup2, - dup3, - ])); - - var msg79 = msg("reverseproxy:41", part87); - - var part88 = match("MESSAGE#79:reverseproxy:42", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] [%{fld5}] mod_avscan_check_file_single_part() called with parameter filename=%(unknown)", processor_chain([ - setc("eventcategory","1603050000"), - dup2, - dup3, - ])); - - var msg80 = msg("reverseproxy:42", part88); - - var part89 = match("MESSAGE#80:reverseproxy:43", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] (70007)The %{disposition->} specified has expired: [client %{gateway}] AH01110: error reading response", processor_chain([ - dup30, - setc("event_id","AH01110"), - setc("result","Error reading response"), - dup2, - dup3, - ])); - - var msg81 = msg("reverseproxy:43", part89); - - var part90 = match("MESSAGE#81:reverseproxy:44", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] (22)%{result}: [client %{gateway}] No form context found when parsing %{fld5->} tag, referer: %{web_referer}", processor_chain([ - setc("eventcategory","1601020000"), - setc("result","No form context found"), - dup2, - dup3, - ])); - - var msg82 = msg("reverseproxy:44", part90); - - var part91 = match("MESSAGE#82:reverseproxy:45", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] (111)%{result}: AH00957: %{network_service}: attempt to connect to %{daddr}:%{dport->} (%{fld5}) failed", processor_chain([ - dup25, - setc("event_id","AH00957"), - dup2, - dup3, - ])); - - var msg83 = msg("reverseproxy:45", part91); - - var part92 = match("MESSAGE#83:reverseproxy:46", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] AH00959: 
ap_proxy_connect_backend disabling worker for (%{daddr}) for %{processing_time}s", processor_chain([ - dup16, - setc("event_id","AH00959"), - setc("result","disabling worker"), - dup2, - dup3, - ])); - - var msg84 = msg("reverseproxy:46", part92); - - var part93 = match("MESSAGE#84:reverseproxy:47", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] [%{fld5}] not all the file sent to the client: %{fld6}, referer: %{web_referer}", processor_chain([ - setc("eventcategory","1801000000"), - setc("context","Not all file sent to client"), - dup2, - dup3, - ])); - - var msg85 = msg("reverseproxy:47", part93); - - var part94 = match("MESSAGE#85:reverseproxy:48", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] AH01114: %{network_service}: failed to make connection to backend: %{daddr}, referer: %{web_referer}", processor_chain([ - dup25, - dup31, - dup32, - dup2, - dup3, - ])); - - var msg86 = msg("reverseproxy:48", part94); - - var part95 = match("MESSAGE#86:reverseproxy:49", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] AH01114: %{network_service}: failed to make connection to backend: %{daddr}", processor_chain([ - dup25, - dup31, - dup32, - dup2, - dup3, - ])); - - var msg87 = msg("reverseproxy:49", part95); - - var part96 = tagval("MESSAGE#87:reverseproxy:05", "nwparser.payload", tvm, { - "cookie": "web_cookie", - "exceptions": "policy_waiver", - "extra": "info", - "host": "dhost", - "id": "policy_id", - "localip": "fld3", - "method": "web_method", - "reason": "comments", - "referer": "web_referer", - "server": "daddr", - "set-cookie": "fld5", - "size": "fld4", - "srcip": "saddr", - "statuscode": "resultcode", - "time": "processing_time", - "url": "web_root", - "user": "username", - }, processor_chain([ - setc("eventcategory","1802000000"), - dup2, - dup3, - ])); - - var msg88 = 
msg("reverseproxy:05", part96); - - var select8 = linear_select([ - msg40, - msg41, - msg42, - msg43, - msg44, - msg45, - msg46, - msg47, - msg48, - msg49, - msg50, - msg51, - msg52, - msg53, - msg54, - msg55, - msg56, - msg57, - msg58, - msg59, - msg60, - msg61, - msg62, - msg63, - msg64, - msg65, - msg66, - msg67, - msg68, - msg69, - msg70, - msg71, - msg72, - msg73, - msg74, - msg75, - msg76, - msg77, - msg78, - msg79, - msg80, - msg81, - msg82, - msg83, - msg84, - msg85, - msg86, - msg87, - msg88, - ]); - - var part97 = tagval("MESSAGE#88:confd-sync", "nwparser.payload", tvm, { - "id": "fld5", - "name": "event_description", - "severity": "severity", - "sub": "service", - "sys": "fld2", - }, processor_chain([ - dup1, - dup11, - dup2, - ])); - - var msg89 = msg("confd-sync", part97); - - var part98 = tagval("MESSAGE#89:confd:01", "nwparser.payload", tvm, { - "account": "logon_id", - "attributes": "obj_name", - "class": "group_object", - "client": "fld3", - "count": "fld4", - "facility": "logon_type", - "id": "fld1", - "name": "event_description", - "node": "node", - "object": "fld6", - "severity": "severity", - "srcip": "saddr", - "storage": "directory", - "sub": "service", - "sys": "fld2", - "type": "obj_type", - "user": "username", - "version": "version", - }, processor_chain([ - dup1, - dup11, - dup2, - ])); - - var msg90 = msg("confd:01", part98); - - var part99 = match("MESSAGE#90:frox", "nwparser.payload", "Frox started%{}", processor_chain([ - dup12, - setc("event_description","frox:FTP Proxy Frox started."), - dup11, - dup2, - ])); - - var msg91 = msg("frox", part99); - - var part100 = match("MESSAGE#91:frox:01", "nwparser.payload", "Listening on %{saddr}:%{sport}", processor_chain([ - dup12, - setc("event_description","frox:FTP Proxy listening on port."), - dup11, - dup2, - ])); - - var msg92 = msg("frox:01", part100); - - var part101 = match("MESSAGE#92:frox:02", "nwparser.payload", "Dropped privileges%{}", processor_chain([ - dup12, - 
setc("event_description","frox:FTP Proxy dropped priveleges."), - dup11, - dup2, - ])); - - var msg93 = msg("frox:02", part101); - - var select9 = linear_select([ - msg91, - msg92, - msg93, - ]); - - var part102 = match("MESSAGE#93:afcd", "nwparser.payload", "Classifier configuration reloaded successfully%{}", processor_chain([ - dup12, - setc("event_description","afcd: IM/P2P Classifier configuration reloaded successfully."), - dup11, - dup2, - ])); - - var msg94 = msg("afcd", part102); - - var part103 = match("MESSAGE#94:ipsec_starter", "nwparser.payload", "Starting strongSwan %{fld2->} IPsec [starter]...", processor_chain([ - dup12, - setc("event_description","ipsec_starter: Starting strongSwan 4.2.3 IPsec [starter]..."), - dup11, - dup2, - ])); - - var msg95 = msg("ipsec_starter", part103); - - var part104 = match("MESSAGE#95:ipsec_starter:01", "nwparser.payload", "IP address or index of physical interface changed -> reinit of ipsec interface%{}", processor_chain([ - dup12, - setc("event_description","ipsec_starter: IP address or index of physical interface changed."), - dup11, - dup2, - ])); - - var msg96 = msg("ipsec_starter:01", part104); - - var select10 = linear_select([ - msg95, - msg96, - ]); - - var part105 = match("MESSAGE#96:pluto", "nwparser.payload", "Starting Pluto (%{info})", processor_chain([ - dup12, - setc("event_description","pluto: Starting Pluto."), - dup11, - dup2, - ])); - - var msg97 = msg("pluto", part105); - - var part106 = match("MESSAGE#97:pluto:01", "nwparser.payload", "including NAT-Traversal patch (%{info})", processor_chain([ - dup12, - setc("event_description","pluto: including NAT-Traversal patch."), - dup11, - dup2, - ])); - - var msg98 = msg("pluto:01", part106); - - var part107 = match("MESSAGE#98:pluto:02", "nwparser.payload", "ike_alg: Activating %{info->} encryption: Ok", processor_chain([ - dup33, - setc("event_description","pluto: Activating encryption algorithm."), - dup11, - dup2, - ])); - - var msg99 = msg("pluto:02", 
part107); - - var part108 = match("MESSAGE#99:pluto:03", "nwparser.payload", "ike_alg: Activating %{info->} hash: Ok", processor_chain([ - dup33, - setc("event_description","pluto: Activating hash algorithm."), - dup11, - dup2, - ])); - - var msg100 = msg("pluto:03", part108); - - var part109 = match("MESSAGE#100:pluto:04", "nwparser.payload", "Testing registered IKE encryption algorithms:%{}", processor_chain([ - dup12, - setc("event_description","pluto: Testing registered IKE encryption algorithms"), - dup11, - dup2, - ])); - - var msg101 = msg("pluto:04", part109); - - var part110 = match("MESSAGE#101:pluto:05", "nwparser.payload", "%{info->} self-test not available", processor_chain([ - dup12, - setc("event_description","pluto: Algorithm self-test not available."), - dup11, - dup2, - ])); - - var msg102 = msg("pluto:05", part110); - - var part111 = match("MESSAGE#102:pluto:06", "nwparser.payload", "%{info->} self-test passed", processor_chain([ - dup12, - setc("event_description","pluto: Algorithm self-test passed."), - dup11, - dup2, - ])); - - var msg103 = msg("pluto:06", part111); - - var part112 = match("MESSAGE#103:pluto:07", "nwparser.payload", "Using KLIPS IPsec interface code%{}", processor_chain([ - dup12, - setc("event_description","pluto: Using KLIPS IPsec interface code"), - dup11, - dup2, - ])); - - var msg104 = msg("pluto:07", part112); - - var part113 = match("MESSAGE#104:pluto:08", "nwparser.payload", "adding interface %{interface->} %{saddr}:%{sport}", processor_chain([ - dup12, - setc("event_description","pluto: adding interface"), - dup11, - dup2, - ])); - - var msg105 = msg("pluto:08", part113); - - var part114 = match("MESSAGE#105:pluto:09", "nwparser.payload", "loading secrets from \"%(unknown)\"", processor_chain([ - dup34, - setc("event_description","pluto: loading secrets"), - dup11, - dup2, - ])); - - var msg106 = msg("pluto:09", part114); - - var part115 = match("MESSAGE#106:pluto:10", "nwparser.payload", "loaded private key file 
'%(unknown)' (%{filename_size->} bytes)", processor_chain([ - dup34, - setc("event_description","pluto: loaded private key file"), - dup11, - dup2, - ])); - - var msg107 = msg("pluto:10", part115); - - var part116 = match("MESSAGE#107:pluto:11", "nwparser.payload", "added connection description \"%{fld2}\"", processor_chain([ - dup12, - setc("event_description","pluto: added connection description"), - dup11, - dup2, - ])); - - var msg108 = msg("pluto:11", part116); - - var part117 = match("MESSAGE#108:pluto:12", "nwparser.payload", "\"%{fld2}\" #%{fld3}: initiating Main Mode", processor_chain([ - dup12, - dup35, - dup11, - dup2, - ])); - - var msg109 = msg("pluto:12", part117); - - var part118 = match("MESSAGE#109:pluto:13", "nwparser.payload", "\"%{fld2}\" #%{fld3}: max number of retransmissions (%{fld4}) reached STATE_MAIN_I1. No response (or no acceptable response) to our first IKE message", processor_chain([ - dup10, - dup36, - dup11, - dup2, - ])); - - var msg110 = msg("pluto:13", part118); - - var part119 = match("MESSAGE#110:pluto:14", "nwparser.payload", "\"%{fld2}\" #%{fld3}: starting keying attempt %{fld4->} of an unlimited number", processor_chain([ - dup12, - dup37, - dup11, - dup2, - ])); - - var msg111 = msg("pluto:14", part119); - - var part120 = match("MESSAGE#111:pluto:15", "nwparser.payload", "forgetting secrets%{}", processor_chain([ - dup12, - setc("event_description","pluto:forgetting secrets"), - dup11, - dup2, - ])); - - var msg112 = msg("pluto:15", part120); - - var part121 = match("MESSAGE#112:pluto:17", "nwparser.payload", "Changing to directory '%{directory}'", processor_chain([ - dup12, - setc("event_description","pluto:Changing to directory"), - dup11, - dup2, - ])); - - var msg113 = msg("pluto:17", part121); - - var part122 = match("MESSAGE#113:pluto:18", "nwparser.payload", "| *time to handle event%{}", processor_chain([ - dup12, - setc("event_description","pluto:*time to handle event"), - dup11, - dup2, - ])); - - var msg114 = 
msg("pluto:18", part122); - - var part123 = match("MESSAGE#114:pluto:19", "nwparser.payload", "| *received kernel message%{}", processor_chain([ - dup12, - setc("event_description","pluto:*received kernel message"), - dup11, - dup2, - ])); - - var msg115 = msg("pluto:19", part123); - - var part124 = match("MESSAGE#115:pluto:20", "nwparser.payload", "| rejected packet:%{}", processor_chain([ - dup25, - setc("event_description","pluto:rejected packet"), - dup11, - dup2, - ])); - - var msg116 = msg("pluto:20", part124); - - var part125 = match("MESSAGE#116:pluto:21", "nwparser.payload", "| next event %{event_type->} in %{fld2->} seconds for #%{fld3}", processor_chain([ - dup12, - dup11, - dup2, - ])); - - var msg117 = msg("pluto:21", part125); - - var part126 = match("MESSAGE#117:pluto:22", "nwparser.payload", "| next event %{event_type->} in %{fld2->} seconds", processor_chain([ - dup12, - dup11, - dup2, - ])); - - var msg118 = msg("pluto:22", part126); - - var part127 = match("MESSAGE#118:pluto:23", "nwparser.payload", "| inserting event %{event_type->} in %{fld2->} seconds for #%{fld3}", processor_chain([ - dup12, - dup11, - dup2, - ])); - - var msg119 = msg("pluto:23", part127); - - var part128 = match("MESSAGE#119:pluto:24", "nwparser.payload", "| event after this is %{event_type->} in %{fld2->} seconds", processor_chain([ - dup12, - dup11, - dup2, - ])); - - var msg120 = msg("pluto:24", part128); - - var part129 = match("MESSAGE#120:pluto:25", "nwparser.payload", "| recent %{action->} activity %{fld2->} seconds ago, %{info}", processor_chain([ - dup12, - dup11, - dup2, - ])); - - var msg121 = msg("pluto:25", part129); - - var part130 = match("MESSAGE#121:pluto:26", "nwparser.payload", "| *received %{rbytes->} bytes from %{saddr}:%{sport->} on %{dinterface}", processor_chain([ - dup12, - dup11, - dup2, - ])); - - var msg122 = msg("pluto:26", part130); - - var part131 = match("MESSAGE#122:pluto:27", "nwparser.payload", "| received %{action->} notification %{msg->} 
with seqno = %{fld2}", processor_chain([ - dup12, - dup11, - dup2, - ])); - - var msg123 = msg("pluto:27", part131); - - var part132 = match("MESSAGE#123:pluto:28", "nwparser.payload", "| sent %{action->} notification %{msg->} with seqno = %{fld2}", processor_chain([ - dup12, - dup11, - dup2, - ])); - - var msg124 = msg("pluto:28", part132); - - var part133 = match("MESSAGE#124:pluto:29", "nwparser.payload", "| inserting event %{event_type}, timeout in %{fld2->} seconds", processor_chain([ - dup12, - dup11, - dup2, - ])); - - var msg125 = msg("pluto:29", part133); - - var part134 = match("MESSAGE#125:pluto:30", "nwparser.payload", "| handling event %{event_type->} for %{saddr->} \"%{fld2}\" #%{fld3}", processor_chain([ - dup12, - dup11, - dup2, - ])); - - var msg126 = msg("pluto:30", part134); - - var part135 = match("MESSAGE#126:pluto:31", "nwparser.payload", "| %{event_description}", processor_chain([ - dup12, - dup11, - dup2, - ])); - - var msg127 = msg("pluto:31", part135); - - var part136 = match("MESSAGE#127:pluto:32", "nwparser.payload", "%{fld2}: asynchronous network error report on %{interface->} for message to %{daddr->} port %{dport}, complainant %{saddr}: Connection refused [errno %{fld4}, origin ICMP type %{icmptype->} code %{icmpcode->} (not authenticated)]", processor_chain([ - dup12, - setc("event_description","not authenticated"), - dup11, - dup2, - ])); - - var msg128 = msg("pluto:32", part136); - - var part137 = match("MESSAGE#128:pluto:33", "nwparser.payload", "\"%{fld2}\"[%{fld4}] %{saddr->} #%{fld3}: initiating Main Mode", processor_chain([ - dup12, - dup35, - dup11, - dup2, - ])); - - var msg129 = msg("pluto:33", part137); - - var part138 = match("MESSAGE#129:pluto:34", "nwparser.payload", "\"%{fld2}\"[%{fld4}] %{saddr->} #%{fld3}: max number of retransmissions (%{fld5}) reached STATE_MAIN_I1. 
No response (or no acceptable response) to our first IKE message", processor_chain([ - dup12, - dup36, - dup11, - dup2, - ])); - - var msg130 = msg("pluto:34", part138); - - var part139 = match("MESSAGE#130:pluto:35", "nwparser.payload", "\"%{fld2}\"[%{fld4}] %{saddr->} #%{fld3}: starting keying attempt %{fld5->} of an unlimited number", processor_chain([ - dup12, - dup37, - dup11, - dup2, - ])); - - var msg131 = msg("pluto:35", part139); - - var select11 = linear_select([ - msg97, - msg98, - msg99, - msg100, - msg101, - msg102, - msg103, - msg104, - msg105, - msg106, - msg107, - msg108, - msg109, - msg110, - msg111, - msg112, - msg113, - msg114, - msg115, - msg116, - msg117, - msg118, - msg119, - msg120, - msg121, - msg122, - msg123, - msg124, - msg125, - msg126, - msg127, - msg128, - msg129, - msg130, - msg131, - ]); - - var part140 = match("MESSAGE#131:xl2tpd", "nwparser.payload", "This binary does not support kernel L2TP.%{}", processor_chain([ - setc("eventcategory","1607000000"), - setc("event_description","xl2tpd:This binary does not support kernel L2TP."), - dup11, - dup2, - ])); - - var msg132 = msg("xl2tpd", part140); - - var part141 = match("MESSAGE#132:xl2tpd:01", "nwparser.payload", "xl2tpd version %{version->} started on PID:%{fld2}", processor_chain([ - dup12, - setc("event_description","xl2tpd:xl2tpd started."), - dup11, - dup2, - ])); - - var msg133 = msg("xl2tpd:01", part141); - - var part142 = match("MESSAGE#133:xl2tpd:02", "nwparser.payload", "Written by %{info}", processor_chain([ - dup12, - dup38, - dup11, - dup2, - ])); - - var msg134 = msg("xl2tpd:02", part142); - - var part143 = match("MESSAGE#134:xl2tpd:03", "nwparser.payload", "Forked by %{info}", processor_chain([ - dup12, - dup38, - dup11, - dup2, - ])); - - var msg135 = msg("xl2tpd:03", part143); - - var part144 = match("MESSAGE#135:xl2tpd:04", "nwparser.payload", "Inherited by %{info}", processor_chain([ - dup12, - dup38, - dup11, - dup2, - ])); - - var msg136 = msg("xl2tpd:04", 
part144); - - var part145 = match("MESSAGE#136:xl2tpd:05", "nwparser.payload", "Listening on IP address %{saddr}, port %{sport}", processor_chain([ - dup12, - dup38, - dup11, - dup2, - ])); - - var msg137 = msg("xl2tpd:05", part145); - - var select12 = linear_select([ - msg132, - msg133, - msg134, - msg135, - msg136, - msg137, - ]); - - var part146 = match("MESSAGE#137:barnyard:01", "nwparser.payload", "Exiting%{}", processor_chain([ - dup12, - setc("event_description","barnyard: Exiting"), - dup11, - dup2, - ])); - - var msg138 = msg("barnyard:01", part146); - - var part147 = match("MESSAGE#138:barnyard:02", "nwparser.payload", "Initializing daemon mode%{}", processor_chain([ - dup12, - setc("event_description","barnyard:Initializing daemon mode"), - dup11, - dup2, - ])); - - var msg139 = msg("barnyard:02", part147); - - var part148 = match("MESSAGE#139:barnyard:03", "nwparser.payload", "Opened spool file '%(unknown)'", processor_chain([ - dup12, - setc("event_description","barnyard:Opened spool file."), - dup11, - dup2, - ])); - - var msg140 = msg("barnyard:03", part148); - - var part149 = match("MESSAGE#140:barnyard:04", "nwparser.payload", "Waiting for new data%{}", processor_chain([ - dup12, - setc("event_description","barnyard:Waiting for new data"), - dup11, - dup2, - ])); - - var msg141 = msg("barnyard:04", part149); - - var select13 = linear_select([ - msg138, - msg139, - msg140, - msg141, - ]); - - var part150 = match("MESSAGE#141:exim:01", "nwparser.payload", "%{fld2}-%{fld3}-%{fld4->} %{fld5}:%{fld6}:%{fld7->} SMTP connection from localhost (%{hostname}) [%{saddr}]:%{sport->} closed by QUIT", processor_chain([ - dup12, - setc("event_description","exim:SMTP connection from localhost closed by QUIT"), - dup11, - dup2, - ])); - - var msg142 = msg("exim:01", part150); - - var part151 = match("MESSAGE#142:exim:02", "nwparser.payload", "%{fld2}-%{fld3}-%{fld4->} %{fld5}:%{fld6}:%{fld7->} [%{saddr}] F=\u003c\u003c%{from}> R=\u003c\u003c%{to}> Accepted: 
%{info}", processor_chain([ - setc("eventcategory","1207010000"), - setc("event_description","exim:e-mail accepted from relay."), - dup11, - dup2, - ])); - - var msg143 = msg("exim:02", part151); - - var part152 = match("MESSAGE#143:exim:03", "nwparser.payload", "%{fld2}-%{fld3}-%{fld4->} %{fld5}:%{fld6}:%{fld7->} %{fld8->} \u003c\u003c= %{from->} H=localhost (%{hostname}) [%{saddr}]:%{sport->} P=%{protocol->} S=%{fld9->} id=%{info}", processor_chain([ - setc("eventcategory","1207000000"), - setc("event_description","exim: e-mail sent."), - dup11, - dup2, - ])); - - var msg144 = msg("exim:03", part152); - - var part153 = match("MESSAGE#144:exim:04", "nwparser.payload", "%{fld2}-%{fld3}-%{fld4->} %{fld5}:%{fld6}:%{fld7->} %{fld8->} == %{from->} R=dnslookup defer (%{fld9}): host lookup did not complete", processor_chain([ - dup39, - setc("event_description","exim: e-mail host lookup did not complete in DNS."), - dup11, - dup2, - ])); - - var msg145 = msg("exim:04", part153); - - var part154 = match("MESSAGE#145:exim:05", "nwparser.payload", "%{fld2}-%{fld3}-%{fld4->} %{fld5}:%{fld6}:%{fld7->} %{fld8->} == %{from->} routing defer (%{fld9}): retry time not reached", processor_chain([ - dup39, - setc("event_description","exim: e-mail routing defer:retry time not reached."), - dup11, - dup2, - ])); - - var msg146 = msg("exim:05", part154); - - var part155 = match("MESSAGE#146:exim:06", "nwparser.payload", "%{fld2}-%{fld3}-%{fld4->} %{fld5}:%{fld6}:%{fld7->} exim %{version->} daemon started: pid=%{fld8}, no queue runs, listening for SMTP on port %{sport->} (%{info}) port %{fld9->} (%{fld10}) and for SMTPS on port %{fld11->} (%{fld12})", processor_chain([ - dup12, - setc("event_description","exim: exim daemon started."), - dup11, - dup2, - ])); - - var msg147 = msg("exim:06", part155); - - var part156 = match("MESSAGE#147:exim:07", "nwparser.payload", "%{fld2}-%{fld3}-%{fld4->} %{fld5}:%{fld6}:%{fld7->} Start queue run: pid=%{fld8}", processor_chain([ - dup12, - 
setc("event_description","exim: Start queue run."), - dup11, - dup2, - ])); - - var msg148 = msg("exim:07", part156); - - var part157 = match("MESSAGE#148:exim:08", "nwparser.payload", "%{fld2}-%{fld3}-%{fld4->} %{fld5}:%{fld6}:%{fld7->} pid %{fld8}: SIGHUP received: re-exec daemon", processor_chain([ - dup12, - setc("event_description","exim: SIGHUP received: re-exec daemon."), - dup11, - dup2, - ])); - - var msg149 = msg("exim:08", part157); - - var part158 = match("MESSAGE#149:exim:09", "nwparser.payload", "%{fld2}-%{fld3}-%{fld4->} %{fld5}:%{fld6}:%{fld7->} SMTP connection from [%{saddr}]:%{sport->} %{info}", processor_chain([ - dup12, - setc("event_description","exim: SMTP connection from host."), - dup11, - dup2, - ])); - - var msg150 = msg("exim:09", part158); - - var part159 = match("MESSAGE#150:exim:10", "nwparser.payload", "%{fld2}-%{fld3}-%{fld4->} %{fld5}:%{fld6}:%{fld7->} rejected EHLO from [%{saddr}]:%{sport->} %{info}", processor_chain([ - dup12, - setc("event_description","exim:rejected EHLO from host."), - dup11, - dup2, - ])); - - var msg151 = msg("exim:10", part159); - - var part160 = match("MESSAGE#151:exim:11", "nwparser.payload", "%{fld2}-%{fld3}-%{fld4->} %{fld5}:%{fld6}:%{fld7->} SMTP protocol synchronization error (%{result}): %{fld8->} H=[%{saddr}]:%{sport->} %{info}", processor_chain([ - dup12, - setc("event_description","exim:SMTP protocol synchronization error rejected connection from host."), - dup11, - dup2, - ])); - - var msg152 = msg("exim:11", part160); - - var part161 = match("MESSAGE#152:exim:12", "nwparser.payload", "%{fld2}-%{fld3}-%{fld4->} %{fld5}:%{fld6}:%{fld7->} TLS error on connection from [%{saddr}]:%{sport->} %{info}", processor_chain([ - dup12, - setc("event_description","exim:TLS error on connection from host."), - dup11, - dup2, - ])); - - var msg153 = msg("exim:12", part161); - - var part162 = match("MESSAGE#153:exim:13", "nwparser.payload", "%{fld2}-%{fld3}-%{fld4->} %{fld5}:%{fld6}:%{fld7->} %{fld10->} == 
%{hostname->} R=%{fld8->} T=%{fld9}: %{info}", processor_chain([ - dup12, - dup40, - dup11, - dup2, - ])); - - var msg154 = msg("exim:13", part162); - - var part163 = match("MESSAGE#154:exim:14", "nwparser.payload", "%{fld2}-%{fld3}-%{fld4->} %{fld5}:%{fld6}:%{fld7->} %{fld10->} %{hostname->} [%{saddr}]:%{sport->} %{info}", processor_chain([ - dup12, - dup40, - dup11, - dup2, - ])); - - var msg155 = msg("exim:14", part163); - - var part164 = match("MESSAGE#155:exim:15", "nwparser.payload", "%{fld2}-%{fld3}-%{fld4->} %{fld5}:%{fld6}:%{fld7->} End queue run: %{info}", processor_chain([ - dup12, - dup40, - dup11, - dup2, - ])); - - var msg156 = msg("exim:15", part164); - - var part165 = match("MESSAGE#156:exim:16", "nwparser.payload", "%{fld2->} %{fld3}", processor_chain([ - dup12, - dup11, - dup2, - ])); - - var msg157 = msg("exim:16", part165); - - var select14 = linear_select([ - msg142, - msg143, - msg144, - msg145, - msg146, - msg147, - msg148, - msg149, - msg150, - msg151, - msg152, - msg153, - msg154, - msg155, - msg156, - msg157, - ]); - - var part166 = match("MESSAGE#157:smtpd:01", "nwparser.payload", "QMGR[%{fld2}]: %{fld3->} moved to work queue", processor_chain([ - dup12, - setc("event_description","smtpd: Process moved to work queue."), - dup11, - dup2, - ])); - - var msg158 = msg("smtpd:01", part166); - - var part167 = match("MESSAGE#158:smtpd:02", "nwparser.payload", "SCANNER[%{fld3}]: id=\"1000\" severity=\"%{severity}\" sys=\"%{fld4}\" sub=\"%{service}\" name=\"%{event_description}\" srcip=\"%{saddr}\" from=\"%{from}\" to=\"%{to}\" subject=\"%{subject}\" queueid=\"%{fld5}\" size=\"%{rbytes}\"", processor_chain([ - setc("eventcategory","1207010100"), - dup11, - dup2, - ])); - - var msg159 = msg("smtpd:02", part167); - - var part168 = match("MESSAGE#159:smtpd:03", "nwparser.payload", "SCANNER[%{fld3}]: Nothing to do, exiting.", processor_chain([ - dup12, - setc("event_description","smtpd: SCANNER: Nothing to do,exiting."), - dup11, - dup2, - ])); - - 
var msg160 = msg("smtpd:03", part168); - - var part169 = match("MESSAGE#160:smtpd:04", "nwparser.payload", "MASTER[%{fld3}]: QR globally disabled, status two set to 'disabled'", processor_chain([ - dup12, - setc("event_description","smtpd: MASTER:QR globally disabled, status two set to disabled."), - dup11, - dup2, - ])); - - var msg161 = msg("smtpd:04", part169); - - var part170 = match("MESSAGE#161:smtpd:07", "nwparser.payload", "MASTER[%{fld3}]: QR globally disabled, status one set to 'disabled'", processor_chain([ - dup12, - setc("event_description","smtpd: MASTER:QR globally disabled, status one set to disabled."), - dup11, - dup2, - ])); - - var msg162 = msg("smtpd:07", part170); - - var part171 = match("MESSAGE#162:smtpd:05", "nwparser.payload", "MASTER[%{fld3}]: (Re-)loading configuration from Confd", processor_chain([ - dup12, - setc("event_description","smtpd: MASTER:(Re-)loading configuration from Confd."), - dup11, - dup2, - ])); - - var msg163 = msg("smtpd:05", part171); - - var part172 = match("MESSAGE#163:smtpd:06", "nwparser.payload", "MASTER[%{fld3}]: Sending QR one", processor_chain([ - dup12, - setc("event_description","smtpd: MASTER:Sending QR one."), - dup11, - dup2, - ])); - - var msg164 = msg("smtpd:06", part172); - - var select15 = linear_select([ - msg158, - msg159, - msg160, - msg161, - msg162, - msg163, - msg164, - ]); - - var part173 = match("MESSAGE#164:sshd:01", "nwparser.payload", "Did not receive identification string from %{fld18}", processor_chain([ - dup10, - setc("event_description","sshd: Did not receive identification string."), - dup11, - dup2, - ])); - - var msg165 = msg("sshd:01", part173); - - var part174 = match("MESSAGE#165:sshd:02", "nwparser.payload", "Received SIGHUP; restarting.%{}", processor_chain([ - dup12, - setc("event_description","sshd:Received SIGHUP restarting."), - dup11, - dup2, - ])); - - var msg166 = msg("sshd:02", part174); - - var part175 = match("MESSAGE#166:sshd:03", "nwparser.payload", "Server 
listening on %{saddr->} port %{sport}.", processor_chain([ - dup12, - setc("event_description","sshd:Server listening; restarting."), - dup11, - dup2, - ])); - - var msg167 = msg("sshd:03", part175); - - var part176 = match("MESSAGE#167:sshd:04", "nwparser.payload", "Invalid user admin from %{fld18}", processor_chain([ - dup41, - setc("event_description","sshd:Invalid user admin."), - dup11, - dup2, - ])); - - var msg168 = msg("sshd:04", part176); - - var part177 = match("MESSAGE#168:sshd:05", "nwparser.payload", "Failed none for invalid user admin from %{saddr->} port %{sport->} %{fld3}", processor_chain([ - dup41, - setc("event_description","sshd:Failed none for invalid user admin."), - dup11, - dup2, - ])); - - var msg169 = msg("sshd:05", part177); - - var part178 = match("MESSAGE#169:sshd:06", "nwparser.payload", "error: Could not get shadow information for NOUSER%{}", processor_chain([ - dup10, - setc("event_description","sshd:error:Could not get shadow information for NOUSER"), - dup11, - dup2, - ])); - - var msg170 = msg("sshd:06", part178); - - var part179 = match("MESSAGE#170:sshd:07", "nwparser.payload", "Failed password for root from %{saddr->} port %{sport->} %{fld3}", processor_chain([ - dup41, - setc("event_description","sshd:Failed password for root."), - dup11, - dup2, - ])); - - var msg171 = msg("sshd:07", part179); - - var part180 = match("MESSAGE#171:sshd:08", "nwparser.payload", "Accepted password for loginuser from %{saddr->} port %{sport->} %{fld3}", processor_chain([ - setc("eventcategory","1302000000"), - setc("event_description","sshd:Accepted password for loginuser."), - dup11, - dup2, - ])); - - var msg172 = msg("sshd:08", part180); - - var part181 = match("MESSAGE#172:sshd:09", "nwparser.payload", "subsystem request for sftp failed, subsystem not found%{}", processor_chain([ - dup10, - setc("event_description","sshd:subsystem request for sftp failed,subsystem not found."), - dup11, - dup2, - ])); - - var msg173 = msg("sshd:09", part181); 
- - var select16 = linear_select([ - msg165, - msg166, - msg167, - msg168, - msg169, - msg170, - msg171, - msg172, - msg173, - ]); - - var part182 = tagval("MESSAGE#173:aua:01", "nwparser.payload", tvm, { - "caller": "fld4", - "engine": "fld5", - "id": "fld1", - "name": "event_description", - "severity": "severity", - "srcip": "saddr", - "sub": "service", - "sys": "fld2", - "user": "username", - }, processor_chain([ - dup13, - dup11, - dup2, - dup45, - dup46, - ])); - - var msg174 = msg("aua:01", part182); - - var part183 = match("MESSAGE#174:sockd:01", "nwparser.payload", "created new negotiatorchild%{}", processor_chain([ - dup12, - setc("event_description","sockd: created new negotiatorchild."), - dup11, - dup2, - ])); - - var msg175 = msg("sockd:01", part183); - - var part184 = match("MESSAGE#175:sockd:02", "nwparser.payload", "dante/server %{version->} running", processor_chain([ - dup12, - setc("event_description","sockd:dante/server running."), - dup11, - dup2, - ])); - - var msg176 = msg("sockd:02", part184); - - var part185 = match("MESSAGE#176:sockd:03", "nwparser.payload", "sockdexit(): terminating on signal %{fld2}", processor_chain([ - dup12, - setc("event_description","sockd:sockdexit():terminating on signal."), - dup11, - dup2, - ])); - - var msg177 = msg("sockd:03", part185); - - var select17 = linear_select([ - msg175, - msg176, - msg177, - ]); - - var part186 = match("MESSAGE#177:pop3proxy", "nwparser.payload", "Master started%{}", processor_chain([ - dup12, - setc("event_description","pop3proxy:Master started."), - dup11, - dup2, - ])); - - var msg178 = msg("pop3proxy", part186); - - var part187 = tagval("MESSAGE#178:astarosg_TVM", "nwparser.payload", tvm, { - "account": "logon_id", - "action": "action", - "ad_domain": "fld5", - "app-id": "fld20", - "application": "fld19", - "attributes": "obj_name", - "auth": "fld15", - "authtime": "fld9", - "avscantime": "fld12", - "cached": "fld7", - "caller": "fld30", - "category": "policy_id", - 
"categoryname": "info", - "cattime": "fld11", - "class": "group_object", - "client": "fld3", - "content-type": "content_type", - "cookie": "web_cookie", - "count": "fld4", - "device": "fld14", - "dnstime": "fld10", - "dstip": "daddr", - "dstmac": "dmacaddr", - "dstport": "dport", - "engine": "fld31", - "error": "comments", - "exceptions": "fld17", - "extension": "web_extension", - "extra": "info", - "facility": "logon_type", - "file": "filename", - "filename": "filename", - "filteraction": "policyname", - "fullreqtime": "fld13", - "function": "action", - "fwrule": "policy_id", - "group": "group", - "host": "dhost", - "id": "rule", - "info": "context", - "initf": "sinterface", - "length": "fld25", - "line": "fld22", - "localip": "fld31", - "message": "context", - "method": "web_method", - "name": "event_description", - "node": "node", - "object": "fld6", - "outitf": "dinterface", - "prec": "fld30", - "profile": "owner", - "proto": "fld24", - "reason": "comments", - "referer": "web_referer", - "reputation": "fld18", - "request": "fld8", - "seq": "fld23", - "server": "daddr", - "set-cookie": "fld32", - "severity": "severity", - "size": "filename_size", - "srcip": "saddr", - "srcmac": "smacaddr", - "srcport": "sport", - "statuscode": "resultcode", - "storage": "directory", - "sub": "service", - "sys": "vsys", - "tcpflags": "fld29", - "time": "fld21", - "tos": "fld26", - "ttl": "fld28", - "type": "obj_type", - "ua": "fld16", - "url": "url", - "user": "username", - "version": "version", - }, processor_chain([ - dup12, - dup11, - dup2, - dup45, - dup46, - ])); - - var msg179 = msg("astarosg_TVM", part187); - - var part188 = tagval("MESSAGE#179:httpd", "nwparser.payload", tvm, { - "account": "logon_id", - "action": "action", - "ad_domain": "fld5", - "app-id": "fld20", - "application": "fld19", - "attributes": "obj_name", - "auth": "fld15", - "authtime": "fld9", - "avscantime": "fld12", - "cached": "fld7", - "caller": "fld30", - "category": "policy_id", - "categoryname": 
"info", - "cattime": "fld11", - "class": "group_object", - "client": "fld3", - "content-type": "content_type", - "cookie": "web_cookie", - "count": "fld4", - "device": "fld14", - "dnstime": "fld10", - "dstip": "daddr", - "dstmac": "dmacaddr", - "dstport": "dport", - "engine": "fld31", - "error": "comments", - "exceptions": "fld17", - "extension": "web_extension", - "extra": "info", - "facility": "logon_type", - "file": "filename", - "filename": "filename", - "filteraction": "policyname", - "fullreqtime": "fld13", - "function": "action", - "fwrule": "policy_id", - "group": "group", - "host": "dhost", - "id": "rule", - "info": "context", - "initf": "sinterface", - "length": "fld25", - "line": "fld22", - "localip": "fld31", - "message": "context", - "method": "web_method", - "name": "event_description", - "node": "node", - "object": "fld6", - "outitf": "dinterface", - "port": "network_port", - "prec": "fld30", - "profile": "owner", - "proto": "fld24", - "query": "web_query", - "reason": "comments", - "referer": "web_referer", - "reputation": "fld18", - "request": "fld8", - "seq": "fld23", - "server": "daddr", - "set-cookie": "fld32", - "severity": "severity", - "size": "filename_size", - "srcip": "saddr", - "srcmac": "smacaddr", - "srcport": "sport", - "statuscode": "resultcode", - "storage": "directory", - "sub": "service", - "sys": "vsys", - "tcpflags": "fld29", - "time": "fld21", - "tos": "fld26", - "ttl": "fld28", - "type": "obj_type", - "ua": "fld16", - "uid": "uid", - "url": "url", - "user": "username", - "version": "version", - }, processor_chain([ - dup12, - dup11, - dup2, - dup45, - dup46, - ])); - - var msg180 = msg("httpd", part188); - - var part189 = match("MESSAGE#180:httpd:01", "nwparser.payload", "[%{event_log}:%{result}] [pid %{fld3}:%{fld4}] [client %{gateway}] ModSecurity: Warning. 
%{rulename->} [file \"%(unknown)\"] [line \"%{fld5}\"] [id \"%{rule}\"] [rev \"%{fld2}\"] [msg \"%{event_description}\"] [severity \"%{severity}\"] [ver \"%{version}\"] [maturity \"%{fld22}\"] [accuracy \"%{fld23}\"] [tag \"%{fld24}\"] [hostname \"%{dhost}\"] [uri \"%{web_root}\"] [unique_id \"%{operation_id}\"]%{fld25}", processor_chain([ - setc("eventcategory","1502000000"), - dup2, - dup3, - ])); - - var msg181 = msg("httpd:01", part189); - - var select18 = linear_select([ - msg180, - msg181, - ]); - - var part190 = tagval("MESSAGE#181:Sophos_Firewall", "nwparser.payload", tvm, { - "activityname": "fld9", - "appfilter_policy_id": "fld10", - "application": "application", - "application_category": "fld23", - "application_risk": "risk_num", - "application_technology": "fld11", - "appresolvedby": "fld22", - "category": "fld4", - "category_type": "fld5", - "connevent": "fld19", - "connid": "connectionid", - "contenttype": "content_type", - "dir_disp": "fld18", - "domain": "fqdn", - "dst_country_code": "location_dst", - "dst_ip": "daddr", - "dst_port": "dport", - "dstzone": "dst_zone", - "dstzonetype": "fld17", - "duration": "duration", - "exceptions": "fld8", - "fw_rule_id": "rule_uid", - "hb_health": "fld21", - "httpresponsecode": "fld7", - "iap": "id1", - "in_interface": "sinterface", - "ips_policy_id": "policy_id", - "log_component": "event_source", - "log_subtype": "category", - "log_type": "event_type", - "message": "info", - "out_interface": "dinterface", - "override_token": "fld6", - "policy_type": "fld23", - "priority": "severity", - "protocol": "protocol", - "reason": "result", - "recv_bytes": "rbytes", - "recv_pkts": "fld15", - "referer": "web_referer", - "sent_bytes": "sbytes", - "sent_pkts": "fld14", - "src_country_code": "location_src", - "src_ip": "saddr", - "src_mac": "smacaddr", - "src_port": "sport", - "srczone": "src_zone", - "srczonetype": "fld16", - "status": "event_state", - "status_code": "resultcode", - "tran_dst_ip": "dtransaddr", - 
"tran_dst_port": "dtransport", - "tran_src_ip": "stransaddr", - "tran_src_port": "stransport", - "transactionid": "id2", - "url": "url", - "user_agent": "user_agent", - "user_gp": "group", - "user_name": "username", - "vconnid": "fld20", - }, processor_chain([ - setc("eventcategory","1204000000"), - dup2, - date_time({ - dest: "event_time", - args: ["hdate","htime"], - fmts: [ - [dW,dc("-"),dG,dc("-"),dF,dH,dc(":"),dU,dc(":"),dS], - ], - }), - ])); - - var msg182 = msg("Sophos_Firewall", part190); - - var chain1 = processor_chain([ - select1, - msgid_select({ - "Sophos_Firewall": msg182, - "URID": msg38, - "afcd": msg94, - "astarosg_TVM": msg179, - "aua": msg174, - "barnyard": select13, - "confd": msg90, - "confd-sync": msg89, - "exim": select14, - "frox": select9, - "httpd": select18, - "httpproxy": select3, - "ipsec_starter": select10, - "named": select2, - "pluto": select11, - "pop3proxy": msg178, - "reverseproxy": select8, - "smtpd": select15, - "sockd": select17, - "sshd": select16, - "ulogd": msg39, - "xl2tpd": select12, - }), - ]); - - var part191 = match_copy("MESSAGE#44:reverseproxy:07/1_0", "nwparser.p0", "p0"); - -- community_id: -- registered_domain: - ignore_missing: true - ignore_failure: true - field: dns.question.name - target_field: dns.question.registered_domain - target_subdomain_field: dns.question.subdomain - target_etld_field: dns.question.top_level_domain -- registered_domain: - ignore_missing: true - ignore_failure: true - field: client.domain - target_field: client.registered_domain - target_subdomain_field: client.subdomain - target_etld_field: client.top_level_domain -- registered_domain: - ignore_missing: true - ignore_failure: true - field: server.domain - target_field: server.registered_domain - target_subdomain_field: server.subdomain - target_etld_field: server.top_level_domain -- registered_domain: - ignore_missing: true - ignore_failure: true - field: destination.domain - target_field: destination.registered_domain - 
target_subdomain_field: destination.subdomain - target_etld_field: destination.top_level_domain -- registered_domain: - ignore_missing: true - ignore_failure: true - field: source.domain - target_field: source.registered_domain - target_subdomain_field: source.subdomain - target_etld_field: source.top_level_domain -- registered_domain: - ignore_missing: true - ignore_failure: true - field: url.domain - target_field: url.registered_domain - target_subdomain_field: url.subdomain - target_etld_field: url.top_level_domain -- add_locale: ~ diff --git a/packages/sophos/2.4.1/data_stream/utm/agent/stream/udp.yml.hbs b/packages/sophos/2.4.1/data_stream/utm/agent/stream/udp.yml.hbs deleted file mode 100755 index cef2ed2295..0000000000 --- a/packages/sophos/2.4.1/data_stream/utm/agent/stream/udp.yml.hbs +++ /dev/null 
@@ -1,5069 +0,0 @@ -udp: -host: "{{udp_host}}:{{udp_port}}" -tags: -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#each tags as |tag i|}} - - {{tag}} -{{/each}} -fields_under_root: true -fields: - observer: - vendor: "Sophos" - product: "UTM" - type: "Firewall" -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} -processors: -{{#if processors}} -{{processors}} -{{/if}} -- script: - lang: javascript - params: - ecs: true - rsa: {{rsa_fields}} - tz_offset: {{tz_offset}} - keep_raw: {{keep_raw_fields}} - debug: {{debug}} - source: | - // Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - // or more contributor license agreements. Licensed under the Elastic License; - // you may not use this file except in compliance with the Elastic License. - - /* jshint -W014,-W016,-W097,-W116 */ - - var processor = require("processor"); - var console = require("console"); - - var FLAG_FIELD = "log.flags"; - var FIELDS_OBJECT = "nwparser"; - var FIELDS_PREFIX = FIELDS_OBJECT + "."; - - var defaults = { - debug: false, - ecs: true, - rsa: false, - keep_raw: false, - tz_offset: "local", - strip_priority: true - }; - - var saved_flags = null; - var debug; - var map_ecs; - var map_rsa; - var keep_raw; - var device; - var tz_offset; - var strip_priority; - - // Register params from configuration. - function register(params) { - debug = params.debug !== undefined ? params.debug : defaults.debug; - map_ecs = params.ecs !== undefined ? params.ecs : defaults.ecs; - map_rsa = params.rsa !== undefined ? params.rsa : defaults.rsa; - keep_raw = params.keep_raw !== undefined ? params.keep_raw : defaults.keep_raw; - tz_offset = parse_tz_offset(params.tz_offset !== undefined? params.tz_offset : defaults.tz_offset); - strip_priority = params.strip_priority !== undefined? 
params.strip_priority : defaults.strip_priority; - device = new DeviceProcessor(); - } - - function parse_tz_offset(offset) { - var date; - var m; - switch(offset) { - // local uses the tz offset from the JS VM. - case "local": - date = new Date(); - // Reversing the sign as we the offset from UTC, not to UTC. - return parse_local_tz_offset(-date.getTimezoneOffset()); - // event uses the tz offset from event.timezone (add_locale processor). - case "event": - return offset; - // Otherwise a tz offset in the form "[+-][0-9]{4}" is required. - default: - m = offset.match(/^([+\-])([0-9]{2}):?([0-9]{2})?$/); - if (m === null || m.length !== 4) { - throw("bad timezone offset: '" + offset + "'. Must have the form +HH:MM"); - } - return m[1] + m[2] + ":" + (m[3]!==undefined? m[3] : "00"); - } - } - - function parse_local_tz_offset(minutes) { - var neg = minutes < 0; - minutes = Math.abs(minutes); - var min = minutes % 60; - var hours = Math.floor(minutes / 60); - var pad2digit = function(n) { - if (n < 10) { return "0" + n;} - return "" + n; - }; - return (neg? "-" : "+") + pad2digit(hours) + ":" + pad2digit(min); - } - - function process(evt) { - // Function register is only called by the processor when `params` are set - // in the processor config. - if (device === undefined) { - register(defaults); - } - return device.process(evt); - } - - function processor_chain(subprocessors) { - var builder = new processor.Chain(); - subprocessors.forEach(builder.Add); - return builder.Build().Run; - } - - function linear_select(subprocessors) { - return function (evt) { - var flags = evt.Get(FLAG_FIELD); - var i; - for (i = 0; i < subprocessors.length; i++) { - evt.Delete(FLAG_FIELD); - if (debug) console.warn("linear_select trying entry " + i); - subprocessors[i](evt); - // Dissect processor succeeded? 
- if (evt.Get(FLAG_FIELD) == null) break; - if (debug) console.warn("linear_select failed entry " + i); - } - if (flags !== null) { - evt.Put(FLAG_FIELD, flags); - } - if (debug) { - if (i < subprocessors.length) { - console.warn("linear_select matched entry " + i); - } else { - console.warn("linear_select didn't match"); - } - } - }; - } - - function conditional(opt) { - return function(evt) { - if (opt.if(evt)) { - opt.then(evt); - } else if (opt.else) { - opt.else(evt); - } - }; - } - - var strip_syslog_priority = (function() { - var isEnabled = function() { return strip_priority === true; }; - var fetchPRI = field("_pri"); - var fetchPayload = field("payload"); - var removePayload = remove(["payload"]); - var cleanup = remove(["_pri", "payload"]); - var onMatch = function(evt) { - var pri, priStr = fetchPRI(evt); - if (priStr != null - && 0 < priStr.length && priStr.length < 4 - && !isNaN((pri = Number(priStr))) - && 0 <= pri && pri < 192) { - var severity = pri & 7, - facility = pri >> 3; - setc("_severity", "" + severity)(evt); - setc("_facility", "" + facility)(evt); - // Replace message with priority stripped. - evt.Put("message", fetchPayload(evt)); - removePayload(evt); - } else { - // not a valid syslog PRI, cleanup. 
- cleanup(evt); - } - }; - return conditional({ - if: isEnabled, - then: cleanup_flags(match( - "STRIP_PRI", - "message", - "<%{_pri}>%{payload}", - onMatch - )) - }); - })(); - - function match(id, src, pattern, on_success) { - var dissect = new processor.Dissect({ - field: src, - tokenizer: pattern, - target_prefix: FIELDS_OBJECT, - ignore_failure: true, - overwrite_keys: true, - trim_values: "right" - }); - return function (evt) { - var msg = evt.Get(src); - dissect.Run(evt); - var failed = evt.Get(FLAG_FIELD) != null; - if (debug) { - if (failed) { - console.debug("dissect fail: " + id + " field:" + src); - } else { - console.debug("dissect OK: " + id + " field:" + src); - } - console.debug(" expr: <<" + pattern + ">>"); - console.debug(" input: <<" + msg + ">>"); - } - if (on_success != null && !failed) { - on_success(evt); - } - }; - } - - function match_copy(id, src, dst, on_success) { - dst = FIELDS_PREFIX + dst; - if (dst === FIELDS_PREFIX || dst === src) { - return function (evt) { - if (debug) { - console.debug("noop OK: " + id + " field:" + src); - console.debug(" input: <<" + evt.Get(src) + ">>"); - } - if (on_success != null) on_success(evt); - } - } - return function (evt) { - var msg = evt.Get(src); - evt.Put(dst, msg); - if (debug) { - console.debug("copy OK: " + id + " field:" + src); - console.debug(" target: '" + dst + "'"); - console.debug(" input: <<" + msg + ">>"); - } - if (on_success != null) on_success(evt); - } - } - - function cleanup_flags(processor) { - return function(evt) { - processor(evt); - evt.Delete(FLAG_FIELD); - }; - } - - function all_match(opts) { - return function (evt) { - var i; - for (i = 0; i < opts.processors.length; i++) { - evt.Delete(FLAG_FIELD); - opts.processors[i](evt); - // Dissect processor succeeded? 
- if (evt.Get(FLAG_FIELD) != null) { - if (debug) console.warn("all_match failure at " + i); - if (opts.on_failure != null) opts.on_failure(evt); - return; - } - if (debug) console.warn("all_match success at " + i); - } - if (opts.on_success != null) opts.on_success(evt); - }; - } - - function msgid_select(mapping) { - return function (evt) { - var msgid = evt.Get(FIELDS_PREFIX + "messageid"); - if (msgid == null) { - if (debug) console.warn("msgid_select: no messageid captured!"); - return; - } - var next = mapping[msgid]; - if (next === undefined) { - if (debug) console.warn("msgid_select: no mapping for messageid:" + msgid); - return; - } - if (debug) console.info("msgid_select: matched key=" + msgid); - return next(evt); - }; - } - - function msg(msg_id, match) { - return function (evt) { - match(evt); - if (evt.Get(FLAG_FIELD) == null) { - evt.Put(FIELDS_PREFIX + "msg_id1", msg_id); - } - }; - } - - var start; - - function save_flags(evt) { - saved_flags = evt.Get(FLAG_FIELD); - evt.Put("event.original", evt.Get("message")); - } - - function restore_flags(evt) { - if (saved_flags !== null) { - evt.Put(FLAG_FIELD, saved_flags); - } - evt.Delete("message"); - } - - function constant(value) { - return function (evt) { - return value; - }; - } - - function field(name) { - var fullname = FIELDS_PREFIX + name; - return function (evt) { - return evt.Get(fullname); - }; - } - - function STRCAT(args) { - var s = ""; - var i; - for (i = 0; i < args.length; i++) { - s += args[i]; - } - return s; - } - - // TODO: Implement - function DIRCHK(args) { - unimplemented("DIRCHK"); - } - - function strictToInt(str) { - return str * 1; - } - - function CALC(args) { - if (args.length !== 3) { - console.warn("skipped call to CALC with " + args.length + " arguments."); - return; - } - var a = strictToInt(args[0]); - var b = strictToInt(args[2]); - if (isNaN(a) || isNaN(b)) { - console.warn("failed evaluating CALC arguments a='" + args[0] + "' b='" + args[2] + "'."); - return; - } - 
var result; - switch (args[1]) { - case "+": - result = a + b; - break; - case "-": - result = a - b; - break; - case "*": - result = a * b; - break; - default: - // Only * and + seen in the parsers. - console.warn("unknown CALC operation '" + args[1] + "'."); - return; - } - // Always return a string - return result !== undefined ? "" + result : result; - } - - var quoteChars = "\"'`"; - function RMQ(args) { - if(args.length !== 1) { - console.warn("RMQ: only one argument expected"); - return; - } - var value = args[0].trim(); - var n = value.length; - var char; - return n > 1 - && (char=value.charAt(0)) === value.charAt(n-1) - && quoteChars.indexOf(char) !== -1? - value.substr(1, n-2) - : value; - } - - function call(opts) { - var args = new Array(opts.args.length); - return function (evt) { - for (var i = 0; i < opts.args.length; i++) - if ((args[i] = opts.args[i](evt)) == null) return; - var result = opts.fn(args); - if (result != null) { - evt.Put(opts.dest, result); - } - }; - } - - function nop(evt) { - } - - function appendErrorMsg(evt, msg) { - var value = evt.Get("error.message"); - if (value == null) { - value = [msg]; - } else if (msg instanceof Array) { - value.push(msg); - } else { - value = [value, msg]; - } - evt.Put("error.message", value); - } - - function unimplemented(name) { - appendErrorMsg("unimplemented feature: " + name); - } - - function lookup(opts) { - return function (evt) { - var key = opts.key(evt); - if (key == null) return; - var value = opts.map.keyvaluepairs[key]; - if (value === undefined) { - value = opts.map.default; - } - if (value !== undefined) { - evt.Put(opts.dest, value(evt)); - } - }; - } - - function set(fields) { - return new processor.AddFields({ - target: FIELDS_OBJECT, - fields: fields, - }); - } - - function setf(dst, src) { - return function (evt) { - var val = evt.Get(FIELDS_PREFIX + src); - if (val != null) evt.Put(FIELDS_PREFIX + dst, val); - }; - } - - function setc(dst, value) { - return function (evt) { - 
evt.Put(FIELDS_PREFIX + dst, value); - }; - } - - function set_field(opts) { - return function (evt) { - var val = opts.value(evt); - if (val != null) evt.Put(opts.dest, val); - }; - } - - function dump(label) { - return function (evt) { - console.log("Dump of event at " + label + ": " + JSON.stringify(evt, null, "\t")); - }; - } - - function date_time_join_args(evt, arglist) { - var str = ""; - for (var i = 0; i < arglist.length; i++) { - var fname = FIELDS_PREFIX + arglist[i]; - var val = evt.Get(fname); - if (val != null) { - if (str !== "") str += " "; - str += val; - } else { - if (debug) console.warn("in date_time: input arg " + fname + " is not set"); - } - } - return str; - } - - function to2Digit(num) { - return num? (num < 10? "0" + num : num) : "00"; - } - - // Make two-digit dates 00-69 interpreted as 2000-2069 - // and dates 70-99 translated to 1970-1999. - var twoDigitYearEpoch = 70; - var twoDigitYearCentury = 2000; - - // This is to accept dates up to 2 days in the future, only used when - // no year is specified in a date. 2 days should be enough to account for - // time differences between systems and different tz offsets. - var maxFutureDelta = 2*24*60*60*1000; - - // DateContainer stores date fields and then converts those fields into - // a Date. Necessary because building a Date using its set() methods gives - // different results depending on the order of components. - function DateContainer(tzOffset) { - this.offset = tzOffset === undefined? "Z" : tzOffset; - } - - DateContainer.prototype = { - setYear: function(v) {this.year = v;}, - setMonth: function(v) {this.month = v;}, - setDay: function(v) {this.day = v;}, - setHours: function(v) {this.hours = v;}, - setMinutes: function(v) {this.minutes = v;}, - setSeconds: function(v) {this.seconds = v;}, - - setUNIX: function(v) {this.unix = v;}, - - set2DigitYear: function(v) { - this.year = v < twoDigitYearEpoch? 
twoDigitYearCentury + v : twoDigitYearCentury + v - 100; - }, - - toDate: function() { - if (this.unix !== undefined) { - return new Date(this.unix * 1000); - } - if (this.day === undefined || this.month === undefined) { - // Can't make a date from this. - return undefined; - } - if (this.year === undefined) { - // A date without a year. Set current year, or previous year - // if date would be in the future. - var now = new Date(); - this.year = now.getFullYear(); - var date = this.toDate(); - if (date.getTime() - now.getTime() > maxFutureDelta) { - date.setFullYear(now.getFullYear() - 1); - } - return date; - } - var MM = to2Digit(this.month); - var DD = to2Digit(this.day); - var hh = to2Digit(this.hours); - var mm = to2Digit(this.minutes); - var ss = to2Digit(this.seconds); - return new Date(this.year + "-" + MM + "-" + DD + "T" + hh + ":" + mm + ":" + ss + this.offset); - } - } - - function date_time_try_pattern(fmt, str, tzOffset) { - var date = new DateContainer(tzOffset); - var pos = date_time_try_pattern_at_pos(fmt, str, 0, date); - return pos !== undefined? 
date.toDate() : undefined; - } - - function date_time_try_pattern_at_pos(fmt, str, pos, date) { - var len = str.length; - for (var proc = 0; pos !== undefined && pos < len && proc < fmt.length; proc++) { - pos = fmt[proc](str, pos, date); - } - return pos; - } - - function date_time(opts) { - return function (evt) { - var tzOffset = opts.tz || tz_offset; - if (tzOffset === "event") { - tzOffset = evt.Get("event.timezone"); - } - var str = date_time_join_args(evt, opts.args); - for (var i = 0; i < opts.fmts.length; i++) { - var date = date_time_try_pattern(opts.fmts[i], str, tzOffset); - if (date !== undefined) { - evt.Put(FIELDS_PREFIX + opts.dest, date); - return; - } - } - if (debug) console.warn("in date_time: id=" + opts.id + " FAILED: " + str); - }; - } - - var uA = 60 * 60 * 24; - var uD = 60 * 60 * 24; - var uF = 60 * 60; - var uG = 60 * 60 * 24 * 30; - var uH = 60 * 60; - var uI = 60 * 60; - var uJ = 60 * 60 * 24; - var uM = 60 * 60 * 24 * 30; - var uN = 60 * 60; - var uO = 1; - var uS = 1; - var uT = 60; - var uU = 60; - var uc = dc; - - function duration(opts) { - return function(evt) { - var str = date_time_join_args(evt, opts.args); - for (var i = 0; i < opts.fmts.length; i++) { - var seconds = duration_try_pattern(opts.fmts[i], str); - if (seconds !== undefined) { - evt.Put(FIELDS_PREFIX + opts.dest, seconds); - return; - } - } - if (debug) console.warn("in duration: id=" + opts.id + " (s) FAILED: " + str); - }; - } - - function duration_try_pattern(fmt, str) { - var secs = 0; - var pos = 0; - for (var i=0; i [ month_id , how many chars to skip if month in long form ] - "Jan": [0, 4], - "Feb": [1, 5], - "Mar": [2, 2], - "Apr": [3, 2], - "May": [4, 0], - "Jun": [5, 1], - "Jul": [6, 1], - "Aug": [7, 3], - "Sep": [8, 6], - "Oct": [9, 4], - "Nov": [10, 5], - "Dec": [11, 4], - "jan": [0, 4], - "feb": [1, 5], - "mar": [2, 2], - "apr": [3, 2], - "may": [4, 0], - "jun": [5, 1], - "jul": [6, 1], - "aug": [7, 3], - "sep": [8, 6], - "oct": [9, 4], - "nov": [10, 
5], - "dec": [11, 4], - }; - - // var dC = undefined; - var dR = dateMonthName(true); - var dB = dateMonthName(false); - var dM = dateFixedWidthNumber("M", 2, 1, 12, DateContainer.prototype.setMonth); - var dG = dateVariableWidthNumber("G", 1, 12, DateContainer.prototype.setMonth); - var dD = dateFixedWidthNumber("D", 2, 1, 31, DateContainer.prototype.setDay); - var dF = dateVariableWidthNumber("F", 1, 31, DateContainer.prototype.setDay); - var dH = dateFixedWidthNumber("H", 2, 0, 24, DateContainer.prototype.setHours); - var dI = dateVariableWidthNumber("I", 0, 24, DateContainer.prototype.setHours); // Accept hours >12 - var dN = dateVariableWidthNumber("N", 0, 24, DateContainer.prototype.setHours); - var dT = dateFixedWidthNumber("T", 2, 0, 59, DateContainer.prototype.setMinutes); - var dU = dateVariableWidthNumber("U", 0, 59, DateContainer.prototype.setMinutes); - var dP = parseAMPM; // AM|PM - var dQ = parseAMPM; // A.M.|P.M - var dS = dateFixedWidthNumber("S", 2, 0, 60, DateContainer.prototype.setSeconds); - var dO = dateVariableWidthNumber("O", 0, 60, DateContainer.prototype.setSeconds); - var dY = dateFixedWidthNumber("Y", 2, 0, 99, DateContainer.prototype.set2DigitYear); - var dW = dateFixedWidthNumber("W", 4, 1000, 9999, DateContainer.prototype.setYear); - var dZ = parseHMS; - var dX = dateVariableWidthNumber("X", 0, 0x10000000000, DateContainer.prototype.setUNIX); - - // parseAMPM parses "A.M", "AM", "P.M", "PM" from logs. - // Only works if this modifier appears after the hour has been read from logs - // which is always the case in the 300 devices. 
- function parseAMPM(str, pos, date) { - var n = str.length; - var start = skipws(str, pos); - if (start + 2 > n) return; - var head = str.substr(start, 2).toUpperCase(); - var isPM = false; - var skip = false; - switch (head) { - case "A.": - skip = true; - /* falls through */ - case "AM": - break; - case "P.": - skip = true; - /* falls through */ - case "PM": - isPM = true; - break; - default: - if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(head:" + head + ")"); - return; - } - pos = start + 2; - if (skip) { - if (pos+2 > n || str.substr(pos, 2).toUpperCase() !== "M.") { - if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(tail)"); - return; - } - pos += 2; - } - var hh = date.hours; - if (isPM) { - // Accept existing hour in 24h format. - if (hh < 12) hh += 12; - } else { - if (hh === 12) hh = 0; - } - date.setHours(hh); - return pos; - } - - function parseHMS(str, pos, date) { - return date_time_try_pattern_at_pos([dN, dc(":"), dU, dc(":"), dO], str, pos, date); - } - - function skipws(str, pos) { - for ( var n = str.length; - pos < n && str.charAt(pos) === " "; - pos++) - ; - return pos; - } - - function skipdigits(str, pos) { - var c; - for (var n = str.length; - pos < n && (c = str.charAt(pos)) >= "0" && c <= "9"; - pos++) - ; - return pos; - } - - function dSkip(str, pos, date) { - var chr; - for (;pos < str.length && (chr=str[pos])<'0' || chr>'9'; pos++) {} - return pos < str.length? 
pos : undefined; - } - - function dateVariableWidthNumber(fmtChar, min, max, setter) { - return function (str, pos, date) { - var start = skipws(str, pos); - pos = skipdigits(str, start); - var s = str.substr(start, pos - start); - var value = parseInt(s, 10); - if (value >= min && value <= max) { - setter.call(date, value); - return pos; - } - return; - }; - } - - function dateFixedWidthNumber(fmtChar, width, min, max, setter) { - return function (str, pos, date) { - pos = skipws(str, pos); - var n = str.length; - if (pos + width > n) return; - var s = str.substr(pos, width); - var value = parseInt(s, 10); - if (value >= min && value <= max) { - setter.call(date, value); - return pos + width; - } - return; - }; - } - - // Short month name (Jan..Dec). - function dateMonthName(long) { - return function (str, pos, date) { - pos = skipws(str, pos); - var n = str.length; - if (pos + 3 > n) return; - var mon = str.substr(pos, 3); - var idx = shortMonths[mon]; - if (idx === undefined) { - idx = shortMonths[mon.toLowerCase()]; - } - if (idx === undefined) { - //console.warn("parsing date_time: '" + mon + "' is not a valid short month (%B)"); - return; - } - date.setMonth(idx[0]+1); - return pos + 3 + (long ? 
idx[1] : 0); - }; - } - - function url_wrapper(dst, src, fn) { - return function(evt) { - var value = evt.Get(FIELDS_PREFIX + src), result; - if (value != null && (result = fn(value))!== undefined) { - evt.Put(FIELDS_PREFIX + dst, result); - } else { - console.debug(fn.name + " failed for '" + value + "'"); - } - }; - } - - // The following regular expression for parsing URLs from: - // https://github.com/wizard04wsu/URI_Parsing - // - // The MIT License (MIT) - // - // Copyright (c) 2014 Andrew Harrison - // - // Permission is hereby granted, free of charge, to any person obtaining a copy of - // this software and associated documentation files (the "Software"), to deal in - // the Software without restriction, including without limitation the rights to - // use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of - // the Software, and to permit persons to whom the Software is furnished to do so, - // subject to the following conditions: - // - // The above copyright notice and this permission notice shall be included in all - // copies or substantial portions of the Software. - // - // THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR - // IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS - // FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR - // COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER - // IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN - // CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 
- var uriRegExp = /^([a-z][a-z0-9+.\-]*):(?:\/\/((?:(?=((?:[a-z0-9\-._~!$&'()*+,;=:]|%[0-9A-F]{2})*))(\3)@)?(?=(\[[0-9A-F:.]{2,}\]|(?:[a-z0-9\-._~!$&'()*+,;=]|%[0-9A-F]{2})*))\5(?::(?=(\d*))\6)?)(\/(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\8)?|(\/?(?!\/)(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\10)?)(?:\?(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\11)?(?:#(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\12)?$/i; - - var uriScheme = 1; - var uriDomain = 5; - var uriPort = 6; - var uriPath = 7; - var uriPathAlt = 9; - var uriQuery = 11; - - function domain(dst, src) { - return url_wrapper(dst, src, extract_domain); - } - - function split_url(value) { - var m = value.match(uriRegExp); - if (m && m[uriDomain]) return m; - // Support input in the form "www.example.net/path", but not "/path". - m = ("null://" + value).match(uriRegExp); - if (m) return m; - } - - function extract_domain(value) { - var m = split_url(value); - if (m && m[uriDomain]) return m[uriDomain]; - } - - var extFromPage = /\.[^.]+$/; - function extract_ext(value) { - var page = extract_page(value); - if (page) { - var m = page.match(extFromPage); - if (m) return m[0]; - } - } - - function ext(dst, src) { - return url_wrapper(dst, src, extract_ext); - } - - function fqdn(dst, src) { - // TODO: fqdn and domain(eTLD+1) are currently the same. - return domain(dst, src); - } - - var pageFromPathRegExp = /\/([^\/]+)$/; - var pageName = 1; - - function extract_page(value) { - value = extract_path(value); - if (!value) return undefined; - var m = value.match(pageFromPathRegExp); - if (m) return m[pageName]; - } - - function page(dst, src) { - return url_wrapper(dst, src, extract_page); - } - - function extract_path(value) { - var m = split_url(value); - return m? m[uriPath] || m[uriPathAlt] : undefined; - } - - function path(dst, src) { - return url_wrapper(dst, src, extract_path); - } - - // Map common schemes to their default port. 
- // port has to be a string (will be converted at a later stage). - var schemePort = { - "ftp": "21", - "ssh": "22", - "http": "80", - "https": "443", - }; - - function extract_port(value) { - var m = split_url(value); - if (!m) return undefined; - if (m[uriPort]) return m[uriPort]; - if (m[uriScheme]) { - return schemePort[m[uriScheme]]; - } - } - - function port(dst, src) { - return url_wrapper(dst, src, extract_port); - } - - function extract_query(value) { - var m = split_url(value); - if (m && m[uriQuery]) return m[uriQuery]; - } - - function query(dst, src) { - return url_wrapper(dst, src, extract_query); - } - - function extract_root(value) { - var m = split_url(value); - if (m && m[uriDomain] && m[uriDomain]) { - var scheme = m[uriScheme] && m[uriScheme] !== "null"? - m[uriScheme] + "://" : ""; - var port = m[uriPort]? ":" + m[uriPort] : ""; - return scheme + m[uriDomain] + port; - } - } - - function root(dst, src) { - return url_wrapper(dst, src, extract_root); - } - - function tagval(id, src, cfg, keys, on_success) { - var fail = function(evt) { - evt.Put(FLAG_FIELD, "tagval_parsing_error"); - } - if (cfg.kv_separator.length !== 1) { - throw("Invalid TAGVALMAP ValueDelimiter (must have 1 character)"); - } - var quotes_len = cfg.open_quote.length > 0 && cfg.close_quote.length > 0? 
- cfg.open_quote.length + cfg.close_quote.length : 0; - var kv_regex = new RegExp('^([^' + cfg.kv_separator + ']*)*' + cfg.kv_separator + ' *(.*)*$'); - return function(evt) { - var msg = evt.Get(src); - if (msg === undefined) { - console.warn("tagval: input field is missing"); - return fail(evt); - } - var pairs = msg.split(cfg.pair_separator); - var i; - var success = false; - var prev = ""; - for (i=0; i 0 && - value.length >= cfg.open_quote.length + cfg.close_quote.length && - value.substr(0, cfg.open_quote.length) === cfg.open_quote && - value.substr(value.length - cfg.close_quote.length) === cfg.close_quote) { - value = value.substr(cfg.open_quote.length, value.length - quotes_len); - } - evt.Put(FIELDS_PREFIX + field, value); - success = true; - } - if (!success) { - return fail(evt); - } - if (on_success != null) { - on_success(evt); - } - } - } - - var ecs_mappings = { - "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]}, - "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]}, - "_severity": {convert: to_long, to:[{field: "log.syslog.severity.code", setter: fld_set}]}, - "action": {to:[{field: "event.action", setter: fld_prio, prio: 0}]}, - "administrator": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 4}]}, - "alias.ip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 3},{field: "related.ip", setter: fld_append}]}, - "alias.ipv6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 4},{field: "related.ip", setter: fld_append}]}, - "alias.mac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 1}]}, - "application": {to:[{field: "network.application", setter: fld_set}]}, - "bytes": {convert: to_long, to:[{field: "network.bytes", setter: fld_set}]}, - "c_domain": {to:[{field: "source.domain", setter: fld_prio, prio: 1}]}, - "c_logon_id": {to:[{field: "user.id", setter: fld_prio, prio: 2}]}, - 
"c_user_name": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 8}]}, - "c_username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 2}]}, - "cctld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 1}]}, - "child_pid": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 1}]}, - "child_pid_val": {to:[{field: "process.title", setter: fld_set}]}, - "child_process": {to:[{field: "process.name", setter: fld_prio, prio: 1}]}, - "city.dst": {to:[{field: "destination.geo.city_name", setter: fld_set}]}, - "city.src": {to:[{field: "source.geo.city_name", setter: fld_set}]}, - "daddr": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, - "daddr_v6": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, - "ddomain": {to:[{field: "destination.domain", setter: fld_prio, prio: 0}]}, - "devicehostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, - "devicehostmac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 0}]}, - "dhost": {to:[{field: "destination.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]}, - "dinterface": {to:[{field: "observer.egress.interface.name", setter: fld_set}]}, - "direction": {to:[{field: "network.direction", setter: fld_set}]}, - "directory": {to:[{field: "file.directory", setter: fld_set}]}, - "dmacaddr": {convert: to_mac, to:[{field: "destination.mac", setter: fld_set}]}, - "dns.responsetype": {to:[{field: "dns.answers.type", setter: fld_set}]}, - "dns.resptext": {to:[{field: "dns.answers.name", setter: fld_set}]}, - "dns_querytype": {to:[{field: "dns.question.type", setter: fld_set}]}, - "domain": {to:[{field: "server.domain", setter: fld_prio, prio: 0},{field: "related.hosts", setter: fld_append}]}, - 
"domain.dst": {to:[{field: "destination.domain", setter: fld_prio, prio: 1}]}, - "domain.src": {to:[{field: "source.domain", setter: fld_prio, prio: 2}]}, - "domain_id": {to:[{field: "user.domain", setter: fld_set}]}, - "domainname": {to:[{field: "server.domain", setter: fld_prio, prio: 1}]}, - "dport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 0}]}, - "dtransaddr": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, - "dtransport": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 0}]}, - "ec_outcome": {to:[{field: "event.outcome", setter: fld_ecs_outcome}]}, - "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]}, - "event_source": {to:[{field: "related.hosts", setter: fld_append}]}, - "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]}, - "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]}, - "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]}, - "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]}, - "filename": {to:[{field: "file.name", setter: fld_prio, prio: 0}]}, - "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]}, - "filepath": {to:[{field: "file.path", setter: fld_set}]}, - "filetype": {to:[{field: "file.type", setter: fld_set}]}, - "fqdn": {to:[{field: "related.hosts", setter: fld_append}]}, - "group": {to:[{field: "group.name", setter: fld_set}]}, - "groupid": {to:[{field: "group.id", setter: fld_set}]}, - "host": {to:[{field: "host.name", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]}, - "hostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, - "hostip_v6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, - "hostname": {to:[{field: 
"host.name", setter: fld_prio, prio: 0}]}, - "id": {to:[{field: "event.code", setter: fld_prio, prio: 0}]}, - "interface": {to:[{field: "network.interface.name", setter: fld_set}]}, - "ip.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, - "ip.trans.dst": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, - "ip.trans.src": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, - "ipv6.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, - "latdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lat", setter: fld_set}]}, - "latdec_src": {convert: to_double, to:[{field: "source.geo.location.lat", setter: fld_set}]}, - "location_city": {to:[{field: "geo.city_name", setter: fld_set}]}, - "location_country": {to:[{field: "geo.country_name", setter: fld_set}]}, - "location_desc": {to:[{field: "geo.name", setter: fld_set}]}, - "location_dst": {to:[{field: "destination.geo.country_name", setter: fld_set}]}, - "location_src": {to:[{field: "source.geo.country_name", setter: fld_set}]}, - "location_state": {to:[{field: "geo.region_name", setter: fld_set}]}, - "logon_id": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 5}]}, - "longdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lon", setter: fld_set}]}, - "longdec_src": {convert: to_double, to:[{field: "source.geo.location.lon", setter: fld_set}]}, - "macaddr": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 2}]}, - "messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]}, - "method": {to:[{field: "http.request.method", setter: fld_set}]}, - "msg": {to:[{field: "message", setter: fld_set}]}, - "orig_ip": {convert: to_ip, 
to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, - "owner": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 6}]}, - "packets": {convert: to_long, to:[{field: "network.packets", setter: fld_set}]}, - "parent_pid": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 0}]}, - "parent_pid_val": {to:[{field: "process.parent.title", setter: fld_set}]}, - "parent_process": {to:[{field: "process.parent.name", setter: fld_prio, prio: 0}]}, - "patient_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 1}]}, - "port.dst": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 1}]}, - "port.src": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 1}]}, - "port.trans.dst": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 1}]}, - "port.trans.src": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 1}]}, - "process": {to:[{field: "process.name", setter: fld_prio, prio: 0}]}, - "process_id": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 0}]}, - "process_id_src": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 1}]}, - "process_src": {to:[{field: "process.parent.name", setter: fld_prio, prio: 1}]}, - "product": {to:[{field: "observer.product", setter: fld_set}]}, - "protocol": {to:[{field: "network.protocol", setter: fld_set}]}, - "query": {to:[{field: "url.query", setter: fld_prio, prio: 2}]}, - "rbytes": {convert: to_long, to:[{field: "destination.bytes", setter: fld_set}]}, - "referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 1}]}, - "rulename": {to:[{field: "rule.name", setter: fld_set}]}, - "saddr": {convert: to_ip, to:[{field: "source.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, - "saddr_v6": {convert: to_ip, to:[{field: "source.ip", setter: 
fld_set},{field: "related.ip", setter: fld_append}]}, - "sbytes": {convert: to_long, to:[{field: "source.bytes", setter: fld_set}]}, - "sdomain": {to:[{field: "source.domain", setter: fld_prio, prio: 0}]}, - "service": {to:[{field: "service.name", setter: fld_prio, prio: 1}]}, - "service.name": {to:[{field: "service.name", setter: fld_prio, prio: 0}]}, - "service_account": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 7}]}, - "severity": {to:[{field: "log.level", setter: fld_set}]}, - "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]}, - "sinterface": {to:[{field: "observer.ingress.interface.name", setter: fld_set}]}, - "sld": {to:[{field: "url.registered_domain", setter: fld_set}]}, - "smacaddr": {convert: to_mac, to:[{field: "source.mac", setter: fld_set}]}, - "sport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 0}]}, - "stransaddr": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, - "stransport": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 0}]}, - "tcp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 2}]}, - "tcp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 2}]}, - "timezone": {to:[{field: "event.timezone", setter: fld_set}]}, - "tld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 0}]}, - "udp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 3}]}, - "udp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 3}]}, - "uid": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 3}]}, - "url": {to:[{field: "url.original", setter: fld_prio, prio: 1}]}, - "url_raw": {to:[{field: "url.original", setter: fld_prio, prio: 
0}]}, - "urldomain": {to:[{field: "url.domain", setter: fld_prio, prio: 0}]}, - "urlquery": {to:[{field: "url.query", setter: fld_prio, prio: 0}]}, - "user": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 0}]}, - "user.id": {to:[{field: "user.id", setter: fld_prio, prio: 1}]}, - "user_agent": {to:[{field: "user_agent.original", setter: fld_set}]}, - "user_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 0}]}, - "user_id": {to:[{field: "user.id", setter: fld_prio, prio: 0}]}, - "username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 1}]}, - "version": {to:[{field: "observer.version", setter: fld_set}]}, - "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]}, - "web_extension": {to:[{field: "file.extension", setter: fld_prio, prio: 0}]}, - "web_query": {to:[{field: "url.query", setter: fld_prio, prio: 1}]}, - "web_ref_domain": {to:[{field: "related.hosts", setter: fld_append}]}, - "web_referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 0}]}, - "web_root": {to:[{field: "url.path", setter: fld_set}]}, - "webpage": {to:[{field: "file.name", setter: fld_prio, prio: 1}]}, - }; - - var rsa_mappings = { - "access_point": {to:[{field: "rsa.wireless.access_point", setter: fld_set}]}, - "accesses": {to:[{field: "rsa.identity.accesses", setter: fld_set}]}, - "acl_id": {to:[{field: "rsa.misc.acl_id", setter: fld_set}]}, - "acl_op": {to:[{field: "rsa.misc.acl_op", setter: fld_set}]}, - "acl_pos": {to:[{field: "rsa.misc.acl_pos", setter: fld_set}]}, - "acl_table": {to:[{field: "rsa.misc.acl_table", setter: fld_set}]}, - "action": {to:[{field: "rsa.misc.action", setter: fld_append}]}, - "ad_computer_dst": {to:[{field: "rsa.network.ad_computer_dst", setter: fld_set}]}, - "addr": {to:[{field: "rsa.network.addr", setter: fld_set}]}, - "admin": {to:[{field: "rsa.misc.admin", setter: 
fld_set}]}, - "agent": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 0}]}, - "agent.id": {to:[{field: "rsa.misc.agent_id", setter: fld_set}]}, - "alarm_id": {to:[{field: "rsa.misc.alarm_id", setter: fld_set}]}, - "alarmname": {to:[{field: "rsa.misc.alarmname", setter: fld_set}]}, - "alert": {to:[{field: "rsa.threat.alert", setter: fld_set}]}, - "alert_id": {to:[{field: "rsa.misc.alert_id", setter: fld_set}]}, - "alias.host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "analysis.file": {to:[{field: "rsa.investigations.analysis_file", setter: fld_set}]}, - "analysis.service": {to:[{field: "rsa.investigations.analysis_service", setter: fld_set}]}, - "analysis.session": {to:[{field: "rsa.investigations.analysis_session", setter: fld_set}]}, - "app_id": {to:[{field: "rsa.misc.app_id", setter: fld_set}]}, - "attachment": {to:[{field: "rsa.file.attachment", setter: fld_set}]}, - "audit": {to:[{field: "rsa.misc.audit", setter: fld_set}]}, - "audit_class": {to:[{field: "rsa.internal.audit_class", setter: fld_set}]}, - "audit_object": {to:[{field: "rsa.misc.audit_object", setter: fld_set}]}, - "auditdata": {to:[{field: "rsa.misc.auditdata", setter: fld_set}]}, - "authmethod": {to:[{field: "rsa.identity.auth_method", setter: fld_set}]}, - "autorun_type": {to:[{field: "rsa.misc.autorun_type", setter: fld_set}]}, - "bcc": {to:[{field: "rsa.email.email", setter: fld_append}]}, - "benchmark": {to:[{field: "rsa.misc.benchmark", setter: fld_set}]}, - "binary": {to:[{field: "rsa.file.binary", setter: fld_set}]}, - "boc": {to:[{field: "rsa.investigations.boc", setter: fld_set}]}, - "bssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 1}]}, - "bypass": {to:[{field: "rsa.misc.bypass", setter: fld_set}]}, - "c_sid": {to:[{field: "rsa.identity.user_sid_src", setter: fld_set}]}, - "cache": {to:[{field: "rsa.misc.cache", setter: fld_set}]}, - "cache_hit": {to:[{field: "rsa.misc.cache_hit", setter: fld_set}]}, - "calling_from": {to:[{field: 
"rsa.misc.phone", setter: fld_prio, prio: 1}]}, - "calling_to": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 0}]}, - "category": {to:[{field: "rsa.misc.category", setter: fld_set}]}, - "cc": {to:[{field: "rsa.email.email", setter: fld_append}]}, - "cc.number": {convert: to_long, to:[{field: "rsa.misc.cc_number", setter: fld_set}]}, - "cefversion": {to:[{field: "rsa.misc.cefversion", setter: fld_set}]}, - "cert.serial": {to:[{field: "rsa.crypto.cert_serial", setter: fld_set}]}, - "cert_ca": {to:[{field: "rsa.crypto.cert_ca", setter: fld_set}]}, - "cert_checksum": {to:[{field: "rsa.crypto.cert_checksum", setter: fld_set}]}, - "cert_common": {to:[{field: "rsa.crypto.cert_common", setter: fld_set}]}, - "cert_error": {to:[{field: "rsa.crypto.cert_error", setter: fld_set}]}, - "cert_hostname": {to:[{field: "rsa.crypto.cert_host_name", setter: fld_set}]}, - "cert_hostname_cat": {to:[{field: "rsa.crypto.cert_host_cat", setter: fld_set}]}, - "cert_issuer": {to:[{field: "rsa.crypto.cert_issuer", setter: fld_set}]}, - "cert_keysize": {to:[{field: "rsa.crypto.cert_keysize", setter: fld_set}]}, - "cert_status": {to:[{field: "rsa.crypto.cert_status", setter: fld_set}]}, - "cert_subject": {to:[{field: "rsa.crypto.cert_subject", setter: fld_set}]}, - "cert_username": {to:[{field: "rsa.crypto.cert_username", setter: fld_set}]}, - "cfg.attr": {to:[{field: "rsa.misc.cfg_attr", setter: fld_set}]}, - "cfg.obj": {to:[{field: "rsa.misc.cfg_obj", setter: fld_set}]}, - "cfg.path": {to:[{field: "rsa.misc.cfg_path", setter: fld_set}]}, - "change_attribute": {to:[{field: "rsa.misc.change_attrib", setter: fld_set}]}, - "change_new": {to:[{field: "rsa.misc.change_new", setter: fld_set}]}, - "change_old": {to:[{field: "rsa.misc.change_old", setter: fld_set}]}, - "changes": {to:[{field: "rsa.misc.changes", setter: fld_set}]}, - "checksum": {to:[{field: "rsa.misc.checksum", setter: fld_set}]}, - "checksum.dst": {to:[{field: "rsa.misc.checksum_dst", setter: fld_set}]}, - "checksum.src": 
{to:[{field: "rsa.misc.checksum_src", setter: fld_set}]}, - "cid": {to:[{field: "rsa.internal.cid", setter: fld_set}]}, - "client": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 1}]}, - "client_ip": {to:[{field: "rsa.misc.client_ip", setter: fld_set}]}, - "clustermembers": {to:[{field: "rsa.misc.clustermembers", setter: fld_set}]}, - "cmd": {to:[{field: "rsa.misc.cmd", setter: fld_set}]}, - "cn_acttimeout": {to:[{field: "rsa.misc.cn_acttimeout", setter: fld_set}]}, - "cn_asn_dst": {to:[{field: "rsa.web.cn_asn_dst", setter: fld_set}]}, - "cn_asn_src": {to:[{field: "rsa.misc.cn_asn_src", setter: fld_set}]}, - "cn_bgpv4nxthop": {to:[{field: "rsa.misc.cn_bgpv4nxthop", setter: fld_set}]}, - "cn_ctr_dst_code": {to:[{field: "rsa.misc.cn_ctr_dst_code", setter: fld_set}]}, - "cn_dst_tos": {to:[{field: "rsa.misc.cn_dst_tos", setter: fld_set}]}, - "cn_dst_vlan": {to:[{field: "rsa.misc.cn_dst_vlan", setter: fld_set}]}, - "cn_engine_id": {to:[{field: "rsa.misc.cn_engine_id", setter: fld_set}]}, - "cn_engine_type": {to:[{field: "rsa.misc.cn_engine_type", setter: fld_set}]}, - "cn_f_switch": {to:[{field: "rsa.misc.cn_f_switch", setter: fld_set}]}, - "cn_flowsampid": {to:[{field: "rsa.misc.cn_flowsampid", setter: fld_set}]}, - "cn_flowsampintv": {to:[{field: "rsa.misc.cn_flowsampintv", setter: fld_set}]}, - "cn_flowsampmode": {to:[{field: "rsa.misc.cn_flowsampmode", setter: fld_set}]}, - "cn_inacttimeout": {to:[{field: "rsa.misc.cn_inacttimeout", setter: fld_set}]}, - "cn_inpermbyts": {to:[{field: "rsa.misc.cn_inpermbyts", setter: fld_set}]}, - "cn_inpermpckts": {to:[{field: "rsa.misc.cn_inpermpckts", setter: fld_set}]}, - "cn_invalid": {to:[{field: "rsa.misc.cn_invalid", setter: fld_set}]}, - "cn_ip_proto_ver": {to:[{field: "rsa.misc.cn_ip_proto_ver", setter: fld_set}]}, - "cn_ipv4_ident": {to:[{field: "rsa.misc.cn_ipv4_ident", setter: fld_set}]}, - "cn_l_switch": {to:[{field: "rsa.misc.cn_l_switch", setter: fld_set}]}, - "cn_log_did": {to:[{field: 
"rsa.misc.cn_log_did", setter: fld_set}]}, - "cn_log_rid": {to:[{field: "rsa.misc.cn_log_rid", setter: fld_set}]}, - "cn_max_ttl": {to:[{field: "rsa.misc.cn_max_ttl", setter: fld_set}]}, - "cn_maxpcktlen": {to:[{field: "rsa.misc.cn_maxpcktlen", setter: fld_set}]}, - "cn_min_ttl": {to:[{field: "rsa.misc.cn_min_ttl", setter: fld_set}]}, - "cn_minpcktlen": {to:[{field: "rsa.misc.cn_minpcktlen", setter: fld_set}]}, - "cn_mpls_lbl_1": {to:[{field: "rsa.misc.cn_mpls_lbl_1", setter: fld_set}]}, - "cn_mpls_lbl_10": {to:[{field: "rsa.misc.cn_mpls_lbl_10", setter: fld_set}]}, - "cn_mpls_lbl_2": {to:[{field: "rsa.misc.cn_mpls_lbl_2", setter: fld_set}]}, - "cn_mpls_lbl_3": {to:[{field: "rsa.misc.cn_mpls_lbl_3", setter: fld_set}]}, - "cn_mpls_lbl_4": {to:[{field: "rsa.misc.cn_mpls_lbl_4", setter: fld_set}]}, - "cn_mpls_lbl_5": {to:[{field: "rsa.misc.cn_mpls_lbl_5", setter: fld_set}]}, - "cn_mpls_lbl_6": {to:[{field: "rsa.misc.cn_mpls_lbl_6", setter: fld_set}]}, - "cn_mpls_lbl_7": {to:[{field: "rsa.misc.cn_mpls_lbl_7", setter: fld_set}]}, - "cn_mpls_lbl_8": {to:[{field: "rsa.misc.cn_mpls_lbl_8", setter: fld_set}]}, - "cn_mpls_lbl_9": {to:[{field: "rsa.misc.cn_mpls_lbl_9", setter: fld_set}]}, - "cn_mplstoplabel": {to:[{field: "rsa.misc.cn_mplstoplabel", setter: fld_set}]}, - "cn_mplstoplabip": {to:[{field: "rsa.misc.cn_mplstoplabip", setter: fld_set}]}, - "cn_mul_dst_byt": {to:[{field: "rsa.misc.cn_mul_dst_byt", setter: fld_set}]}, - "cn_mul_dst_pks": {to:[{field: "rsa.misc.cn_mul_dst_pks", setter: fld_set}]}, - "cn_muligmptype": {to:[{field: "rsa.misc.cn_muligmptype", setter: fld_set}]}, - "cn_rpackets": {to:[{field: "rsa.web.cn_rpackets", setter: fld_set}]}, - "cn_sampalgo": {to:[{field: "rsa.misc.cn_sampalgo", setter: fld_set}]}, - "cn_sampint": {to:[{field: "rsa.misc.cn_sampint", setter: fld_set}]}, - "cn_seqctr": {to:[{field: "rsa.misc.cn_seqctr", setter: fld_set}]}, - "cn_spackets": {to:[{field: "rsa.misc.cn_spackets", setter: fld_set}]}, - "cn_src_tos": {to:[{field: 
"rsa.misc.cn_src_tos", setter: fld_set}]}, - "cn_src_vlan": {to:[{field: "rsa.misc.cn_src_vlan", setter: fld_set}]}, - "cn_sysuptime": {to:[{field: "rsa.misc.cn_sysuptime", setter: fld_set}]}, - "cn_template_id": {to:[{field: "rsa.misc.cn_template_id", setter: fld_set}]}, - "cn_totbytsexp": {to:[{field: "rsa.misc.cn_totbytsexp", setter: fld_set}]}, - "cn_totflowexp": {to:[{field: "rsa.misc.cn_totflowexp", setter: fld_set}]}, - "cn_totpcktsexp": {to:[{field: "rsa.misc.cn_totpcktsexp", setter: fld_set}]}, - "cn_unixnanosecs": {to:[{field: "rsa.misc.cn_unixnanosecs", setter: fld_set}]}, - "cn_v6flowlabel": {to:[{field: "rsa.misc.cn_v6flowlabel", setter: fld_set}]}, - "cn_v6optheaders": {to:[{field: "rsa.misc.cn_v6optheaders", setter: fld_set}]}, - "code": {to:[{field: "rsa.misc.code", setter: fld_set}]}, - "command": {to:[{field: "rsa.misc.command", setter: fld_set}]}, - "comments": {to:[{field: "rsa.misc.comments", setter: fld_set}]}, - "comp_class": {to:[{field: "rsa.misc.comp_class", setter: fld_set}]}, - "comp_name": {to:[{field: "rsa.misc.comp_name", setter: fld_set}]}, - "comp_rbytes": {to:[{field: "rsa.misc.comp_rbytes", setter: fld_set}]}, - "comp_sbytes": {to:[{field: "rsa.misc.comp_sbytes", setter: fld_set}]}, - "component_version": {to:[{field: "rsa.misc.comp_version", setter: fld_set}]}, - "connection_id": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 1}]}, - "connectionid": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 0}]}, - "content": {to:[{field: "rsa.misc.content", setter: fld_set}]}, - "content_type": {to:[{field: "rsa.misc.content_type", setter: fld_set}]}, - "content_version": {to:[{field: "rsa.misc.content_version", setter: fld_set}]}, - "context": {to:[{field: "rsa.misc.context", setter: fld_set}]}, - "count": {to:[{field: "rsa.misc.count", setter: fld_set}]}, - "cpu": {convert: to_long, to:[{field: "rsa.misc.cpu", setter: fld_set}]}, - "cpu_data": {to:[{field: "rsa.misc.cpu_data", setter: fld_set}]}, - 
"criticality": {to:[{field: "rsa.misc.criticality", setter: fld_set}]}, - "cs_agency_dst": {to:[{field: "rsa.misc.cs_agency_dst", setter: fld_set}]}, - "cs_analyzedby": {to:[{field: "rsa.misc.cs_analyzedby", setter: fld_set}]}, - "cs_av_other": {to:[{field: "rsa.misc.cs_av_other", setter: fld_set}]}, - "cs_av_primary": {to:[{field: "rsa.misc.cs_av_primary", setter: fld_set}]}, - "cs_av_secondary": {to:[{field: "rsa.misc.cs_av_secondary", setter: fld_set}]}, - "cs_bgpv6nxthop": {to:[{field: "rsa.misc.cs_bgpv6nxthop", setter: fld_set}]}, - "cs_bit9status": {to:[{field: "rsa.misc.cs_bit9status", setter: fld_set}]}, - "cs_context": {to:[{field: "rsa.misc.cs_context", setter: fld_set}]}, - "cs_control": {to:[{field: "rsa.misc.cs_control", setter: fld_set}]}, - "cs_data": {to:[{field: "rsa.misc.cs_data", setter: fld_set}]}, - "cs_datecret": {to:[{field: "rsa.misc.cs_datecret", setter: fld_set}]}, - "cs_dst_tld": {to:[{field: "rsa.misc.cs_dst_tld", setter: fld_set}]}, - "cs_eth_dst_ven": {to:[{field: "rsa.misc.cs_eth_dst_ven", setter: fld_set}]}, - "cs_eth_src_ven": {to:[{field: "rsa.misc.cs_eth_src_ven", setter: fld_set}]}, - "cs_event_uuid": {to:[{field: "rsa.misc.cs_event_uuid", setter: fld_set}]}, - "cs_filetype": {to:[{field: "rsa.misc.cs_filetype", setter: fld_set}]}, - "cs_fld": {to:[{field: "rsa.misc.cs_fld", setter: fld_set}]}, - "cs_if_desc": {to:[{field: "rsa.misc.cs_if_desc", setter: fld_set}]}, - "cs_if_name": {to:[{field: "rsa.misc.cs_if_name", setter: fld_set}]}, - "cs_ip_next_hop": {to:[{field: "rsa.misc.cs_ip_next_hop", setter: fld_set}]}, - "cs_ipv4dstpre": {to:[{field: "rsa.misc.cs_ipv4dstpre", setter: fld_set}]}, - "cs_ipv4srcpre": {to:[{field: "rsa.misc.cs_ipv4srcpre", setter: fld_set}]}, - "cs_lifetime": {to:[{field: "rsa.misc.cs_lifetime", setter: fld_set}]}, - "cs_log_medium": {to:[{field: "rsa.misc.cs_log_medium", setter: fld_set}]}, - "cs_loginname": {to:[{field: "rsa.misc.cs_loginname", setter: fld_set}]}, - "cs_modulescore": {to:[{field: 
"rsa.misc.cs_modulescore", setter: fld_set}]}, - "cs_modulesign": {to:[{field: "rsa.misc.cs_modulesign", setter: fld_set}]}, - "cs_opswatresult": {to:[{field: "rsa.misc.cs_opswatresult", setter: fld_set}]}, - "cs_payload": {to:[{field: "rsa.misc.cs_payload", setter: fld_set}]}, - "cs_registrant": {to:[{field: "rsa.misc.cs_registrant", setter: fld_set}]}, - "cs_registrar": {to:[{field: "rsa.misc.cs_registrar", setter: fld_set}]}, - "cs_represult": {to:[{field: "rsa.misc.cs_represult", setter: fld_set}]}, - "cs_rpayload": {to:[{field: "rsa.misc.cs_rpayload", setter: fld_set}]}, - "cs_sampler_name": {to:[{field: "rsa.misc.cs_sampler_name", setter: fld_set}]}, - "cs_sourcemodule": {to:[{field: "rsa.misc.cs_sourcemodule", setter: fld_set}]}, - "cs_streams": {to:[{field: "rsa.misc.cs_streams", setter: fld_set}]}, - "cs_targetmodule": {to:[{field: "rsa.misc.cs_targetmodule", setter: fld_set}]}, - "cs_v6nxthop": {to:[{field: "rsa.misc.cs_v6nxthop", setter: fld_set}]}, - "cs_whois_server": {to:[{field: "rsa.misc.cs_whois_server", setter: fld_set}]}, - "cs_yararesult": {to:[{field: "rsa.misc.cs_yararesult", setter: fld_set}]}, - "cve": {to:[{field: "rsa.misc.cve", setter: fld_set}]}, - "d_certauth": {to:[{field: "rsa.crypto.d_certauth", setter: fld_set}]}, - "d_cipher": {to:[{field: "rsa.crypto.cipher_dst", setter: fld_set}]}, - "d_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_dst", setter: fld_set}]}, - "d_sslver": {to:[{field: "rsa.crypto.ssl_ver_dst", setter: fld_set}]}, - "data": {to:[{field: "rsa.internal.data", setter: fld_set}]}, - "data_type": {to:[{field: "rsa.misc.data_type", setter: fld_set}]}, - "date": {to:[{field: "rsa.time.date", setter: fld_set}]}, - "datetime": {to:[{field: "rsa.time.datetime", setter: fld_set}]}, - "day": {to:[{field: "rsa.time.day", setter: fld_set}]}, - "db_id": {to:[{field: "rsa.db.db_id", setter: fld_set}]}, - "db_name": {to:[{field: "rsa.db.database", setter: fld_set}]}, - "db_pid": {convert: to_long, to:[{field: 
"rsa.db.db_pid", setter: fld_set}]}, - "dclass_counter1": {convert: to_long, to:[{field: "rsa.counters.dclass_c1", setter: fld_set}]}, - "dclass_counter1_string": {to:[{field: "rsa.counters.dclass_c1_str", setter: fld_set}]}, - "dclass_counter2": {convert: to_long, to:[{field: "rsa.counters.dclass_c2", setter: fld_set}]}, - "dclass_counter2_string": {to:[{field: "rsa.counters.dclass_c2_str", setter: fld_set}]}, - "dclass_counter3": {convert: to_long, to:[{field: "rsa.counters.dclass_c3", setter: fld_set}]}, - "dclass_counter3_string": {to:[{field: "rsa.counters.dclass_c3_str", setter: fld_set}]}, - "dclass_ratio1": {to:[{field: "rsa.counters.dclass_r1", setter: fld_set}]}, - "dclass_ratio1_string": {to:[{field: "rsa.counters.dclass_r1_str", setter: fld_set}]}, - "dclass_ratio2": {to:[{field: "rsa.counters.dclass_r2", setter: fld_set}]}, - "dclass_ratio2_string": {to:[{field: "rsa.counters.dclass_r2_str", setter: fld_set}]}, - "dclass_ratio3": {to:[{field: "rsa.counters.dclass_r3", setter: fld_set}]}, - "dclass_ratio3_string": {to:[{field: "rsa.counters.dclass_r3_str", setter: fld_set}]}, - "dead": {convert: to_long, to:[{field: "rsa.internal.dead", setter: fld_set}]}, - "description": {to:[{field: "rsa.misc.description", setter: fld_set}]}, - "detail": {to:[{field: "rsa.misc.event_desc", setter: fld_set}]}, - "device": {to:[{field: "rsa.misc.device_name", setter: fld_set}]}, - "device.class": {to:[{field: "rsa.internal.device_class", setter: fld_set}]}, - "device.group": {to:[{field: "rsa.internal.device_group", setter: fld_set}]}, - "device.host": {to:[{field: "rsa.internal.device_host", setter: fld_set}]}, - "device.ip": {convert: to_ip, to:[{field: "rsa.internal.device_ip", setter: fld_set}]}, - "device.ipv6": {convert: to_ip, to:[{field: "rsa.internal.device_ipv6", setter: fld_set}]}, - "device.type": {to:[{field: "rsa.internal.device_type", setter: fld_set}]}, - "device.type.id": {convert: to_long, to:[{field: "rsa.internal.device_type_id", setter: fld_set}]}, 
- "devicehostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "devvendor": {to:[{field: "rsa.misc.devvendor", setter: fld_set}]}, - "dhost": {to:[{field: "rsa.network.host_dst", setter: fld_set}]}, - "did": {to:[{field: "rsa.internal.did", setter: fld_set}]}, - "dinterface": {to:[{field: "rsa.network.dinterface", setter: fld_set}]}, - "directory.dst": {to:[{field: "rsa.file.directory_dst", setter: fld_set}]}, - "directory.src": {to:[{field: "rsa.file.directory_src", setter: fld_set}]}, - "disk_volume": {to:[{field: "rsa.storage.disk_volume", setter: fld_set}]}, - "disposition": {to:[{field: "rsa.misc.disposition", setter: fld_set}]}, - "distance": {to:[{field: "rsa.misc.distance", setter: fld_set}]}, - "dmask": {to:[{field: "rsa.network.dmask", setter: fld_set}]}, - "dn": {to:[{field: "rsa.identity.dn", setter: fld_set}]}, - "dns_a_record": {to:[{field: "rsa.network.dns_a_record", setter: fld_set}]}, - "dns_cname_record": {to:[{field: "rsa.network.dns_cname_record", setter: fld_set}]}, - "dns_id": {to:[{field: "rsa.network.dns_id", setter: fld_set}]}, - "dns_opcode": {to:[{field: "rsa.network.dns_opcode", setter: fld_set}]}, - "dns_ptr_record": {to:[{field: "rsa.network.dns_ptr_record", setter: fld_set}]}, - "dns_resp": {to:[{field: "rsa.network.dns_resp", setter: fld_set}]}, - "dns_type": {to:[{field: "rsa.network.dns_type", setter: fld_set}]}, - "doc_number": {convert: to_long, to:[{field: "rsa.misc.doc_number", setter: fld_set}]}, - "domain": {to:[{field: "rsa.network.domain", setter: fld_set}]}, - "domain1": {to:[{field: "rsa.network.domain1", setter: fld_set}]}, - "dst_dn": {to:[{field: "rsa.identity.dn_dst", setter: fld_set}]}, - "dst_payload": {to:[{field: "rsa.misc.payload_dst", setter: fld_set}]}, - "dst_spi": {to:[{field: "rsa.misc.spi_dst", setter: fld_set}]}, - "dst_zone": {to:[{field: "rsa.network.zone_dst", setter: fld_set}]}, - "dstburb": {to:[{field: "rsa.misc.dstburb", setter: fld_set}]}, - "duration": {convert: to_double, 
to:[{field: "rsa.time.duration_time", setter: fld_set}]}, - "duration_string": {to:[{field: "rsa.time.duration_str", setter: fld_set}]}, - "ec_activity": {to:[{field: "rsa.investigations.ec_activity", setter: fld_set}]}, - "ec_outcome": {to:[{field: "rsa.investigations.ec_outcome", setter: fld_set}]}, - "ec_subject": {to:[{field: "rsa.investigations.ec_subject", setter: fld_set}]}, - "ec_theme": {to:[{field: "rsa.investigations.ec_theme", setter: fld_set}]}, - "edomain": {to:[{field: "rsa.misc.edomain", setter: fld_set}]}, - "edomaub": {to:[{field: "rsa.misc.edomaub", setter: fld_set}]}, - "effective_time": {convert: to_date, to:[{field: "rsa.time.effective_time", setter: fld_set}]}, - "ein.number": {convert: to_long, to:[{field: "rsa.misc.ein_number", setter: fld_set}]}, - "email": {to:[{field: "rsa.email.email", setter: fld_append}]}, - "encryption_type": {to:[{field: "rsa.crypto.crypto", setter: fld_set}]}, - "endtime": {convert: to_date, to:[{field: "rsa.time.endtime", setter: fld_set}]}, - "entropy.req": {convert: to_long, to:[{field: "rsa.internal.entropy_req", setter: fld_set}]}, - "entropy.res": {convert: to_long, to:[{field: "rsa.internal.entropy_res", setter: fld_set}]}, - "entry": {to:[{field: "rsa.internal.entry", setter: fld_set}]}, - "eoc": {to:[{field: "rsa.investigations.eoc", setter: fld_set}]}, - "error": {to:[{field: "rsa.misc.error", setter: fld_set}]}, - "eth_type": {convert: to_long, to:[{field: "rsa.network.eth_type", setter: fld_set}]}, - "euid": {to:[{field: "rsa.misc.euid", setter: fld_set}]}, - "event.cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 1}]}, - "event.cat.name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 1}]}, - "event_cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 0}]}, - "event_cat_name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 0}]}, - "event_category": {to:[{field: 
"rsa.misc.event_category", setter: fld_set}]}, - "event_computer": {to:[{field: "rsa.misc.event_computer", setter: fld_set}]}, - "event_counter": {convert: to_long, to:[{field: "rsa.counters.event_counter", setter: fld_set}]}, - "event_description": {to:[{field: "rsa.internal.event_desc", setter: fld_set}]}, - "event_id": {to:[{field: "rsa.misc.event_id", setter: fld_set}]}, - "event_log": {to:[{field: "rsa.misc.event_log", setter: fld_set}]}, - "event_name": {to:[{field: "rsa.internal.event_name", setter: fld_set}]}, - "event_queue_time": {convert: to_date, to:[{field: "rsa.time.event_queue_time", setter: fld_set}]}, - "event_source": {to:[{field: "rsa.misc.event_source", setter: fld_set}]}, - "event_state": {to:[{field: "rsa.misc.event_state", setter: fld_set}]}, - "event_time": {convert: to_date, to:[{field: "rsa.time.event_time", setter: fld_set}]}, - "event_time_str": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 1}]}, - "event_time_string": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 0}]}, - "event_type": {to:[{field: "rsa.misc.event_type", setter: fld_set}]}, - "event_user": {to:[{field: "rsa.misc.event_user", setter: fld_set}]}, - "eventtime": {to:[{field: "rsa.time.eventtime", setter: fld_set}]}, - "expected_val": {to:[{field: "rsa.misc.expected_val", setter: fld_set}]}, - "expiration_time": {convert: to_date, to:[{field: "rsa.time.expire_time", setter: fld_set}]}, - "expiration_time_string": {to:[{field: "rsa.time.expire_time_str", setter: fld_set}]}, - "facility": {to:[{field: "rsa.misc.facility", setter: fld_set}]}, - "facilityname": {to:[{field: "rsa.misc.facilityname", setter: fld_set}]}, - "faddr": {to:[{field: "rsa.network.faddr", setter: fld_set}]}, - "fcatnum": {to:[{field: "rsa.misc.fcatnum", setter: fld_set}]}, - "federated_idp": {to:[{field: "rsa.identity.federated_idp", setter: fld_set}]}, - "federated_sp": {to:[{field: "rsa.identity.federated_sp", setter: fld_set}]}, - "feed.category": {to:[{field: 
"rsa.internal.feed_category", setter: fld_set}]}, - "feed_desc": {to:[{field: "rsa.internal.feed_desc", setter: fld_set}]}, - "feed_name": {to:[{field: "rsa.internal.feed_name", setter: fld_set}]}, - "fhost": {to:[{field: "rsa.network.fhost", setter: fld_set}]}, - "file_entropy": {convert: to_double, to:[{field: "rsa.file.file_entropy", setter: fld_set}]}, - "file_vendor": {to:[{field: "rsa.file.file_vendor", setter: fld_set}]}, - "filename_dst": {to:[{field: "rsa.file.filename_dst", setter: fld_set}]}, - "filename_src": {to:[{field: "rsa.file.filename_src", setter: fld_set}]}, - "filename_tmp": {to:[{field: "rsa.file.filename_tmp", setter: fld_set}]}, - "filesystem": {to:[{field: "rsa.file.filesystem", setter: fld_set}]}, - "filter": {to:[{field: "rsa.misc.filter", setter: fld_set}]}, - "finterface": {to:[{field: "rsa.misc.finterface", setter: fld_set}]}, - "flags": {to:[{field: "rsa.misc.flags", setter: fld_set}]}, - "forensic_info": {to:[{field: "rsa.misc.forensic_info", setter: fld_set}]}, - "forward.ip": {convert: to_ip, to:[{field: "rsa.internal.forward_ip", setter: fld_set}]}, - "forward.ipv6": {convert: to_ip, to:[{field: "rsa.internal.forward_ipv6", setter: fld_set}]}, - "found": {to:[{field: "rsa.misc.found", setter: fld_set}]}, - "fport": {to:[{field: "rsa.network.fport", setter: fld_set}]}, - "fqdn": {to:[{field: "rsa.web.fqdn", setter: fld_set}]}, - "fresult": {convert: to_long, to:[{field: "rsa.misc.fresult", setter: fld_set}]}, - "from": {to:[{field: "rsa.email.email_src", setter: fld_set}]}, - "gaddr": {to:[{field: "rsa.misc.gaddr", setter: fld_set}]}, - "gateway": {to:[{field: "rsa.network.gateway", setter: fld_set}]}, - "gmtdate": {to:[{field: "rsa.time.gmtdate", setter: fld_set}]}, - "gmttime": {to:[{field: "rsa.time.gmttime", setter: fld_set}]}, - "group": {to:[{field: "rsa.misc.group", setter: fld_set}]}, - "group_object": {to:[{field: "rsa.misc.group_object", setter: fld_set}]}, - "groupid": {to:[{field: "rsa.misc.group_id", setter: 
fld_set}]}, - "h_code": {to:[{field: "rsa.internal.hcode", setter: fld_set}]}, - "hardware_id": {to:[{field: "rsa.misc.hardware_id", setter: fld_set}]}, - "header.id": {to:[{field: "rsa.internal.header_id", setter: fld_set}]}, - "host.orig": {to:[{field: "rsa.network.host_orig", setter: fld_set}]}, - "host.state": {to:[{field: "rsa.endpoint.host_state", setter: fld_set}]}, - "host.type": {to:[{field: "rsa.network.host_type", setter: fld_set}]}, - "host_role": {to:[{field: "rsa.identity.host_role", setter: fld_set}]}, - "hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "hostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "hour": {to:[{field: "rsa.time.hour", setter: fld_set}]}, - "https.insact": {to:[{field: "rsa.crypto.https_insact", setter: fld_set}]}, - "https.valid": {to:[{field: "rsa.crypto.https_valid", setter: fld_set}]}, - "icmpcode": {convert: to_long, to:[{field: "rsa.network.icmp_code", setter: fld_set}]}, - "icmptype": {convert: to_long, to:[{field: "rsa.network.icmp_type", setter: fld_set}]}, - "id": {to:[{field: "rsa.misc.reference_id", setter: fld_set}]}, - "id1": {to:[{field: "rsa.misc.reference_id1", setter: fld_set}]}, - "id2": {to:[{field: "rsa.misc.reference_id2", setter: fld_set}]}, - "id3": {to:[{field: "rsa.misc.id3", setter: fld_set}]}, - "ike": {to:[{field: "rsa.crypto.ike", setter: fld_set}]}, - "ike_cookie1": {to:[{field: "rsa.crypto.ike_cookie1", setter: fld_set}]}, - "ike_cookie2": {to:[{field: "rsa.crypto.ike_cookie2", setter: fld_set}]}, - "im_buddyid": {to:[{field: "rsa.misc.im_buddyid", setter: fld_set}]}, - "im_buddyname": {to:[{field: "rsa.misc.im_buddyname", setter: fld_set}]}, - "im_client": {to:[{field: "rsa.misc.im_client", setter: fld_set}]}, - "im_croomid": {to:[{field: "rsa.misc.im_croomid", setter: fld_set}]}, - "im_croomtype": {to:[{field: "rsa.misc.im_croomtype", setter: fld_set}]}, - "im_members": {to:[{field: "rsa.misc.im_members", setter: fld_set}]}, - "im_userid": 
{to:[{field: "rsa.misc.im_userid", setter: fld_set}]}, - "im_username": {to:[{field: "rsa.misc.im_username", setter: fld_set}]}, - "index": {to:[{field: "rsa.misc.index", setter: fld_set}]}, - "info": {to:[{field: "rsa.db.index", setter: fld_set}]}, - "inode": {convert: to_long, to:[{field: "rsa.internal.inode", setter: fld_set}]}, - "inout": {to:[{field: "rsa.misc.inout", setter: fld_set}]}, - "instance": {to:[{field: "rsa.db.instance", setter: fld_set}]}, - "interface": {to:[{field: "rsa.network.interface", setter: fld_set}]}, - "inv.category": {to:[{field: "rsa.investigations.inv_category", setter: fld_set}]}, - "inv.context": {to:[{field: "rsa.investigations.inv_context", setter: fld_set}]}, - "ioc": {to:[{field: "rsa.investigations.ioc", setter: fld_set}]}, - "ip_proto": {convert: to_long, to:[{field: "rsa.network.ip_proto", setter: fld_set}]}, - "ipkt": {to:[{field: "rsa.misc.ipkt", setter: fld_set}]}, - "ipscat": {to:[{field: "rsa.misc.ipscat", setter: fld_set}]}, - "ipspri": {to:[{field: "rsa.misc.ipspri", setter: fld_set}]}, - "jobname": {to:[{field: "rsa.misc.jobname", setter: fld_set}]}, - "jobnum": {to:[{field: "rsa.misc.job_num", setter: fld_set}]}, - "laddr": {to:[{field: "rsa.network.laddr", setter: fld_set}]}, - "language": {to:[{field: "rsa.misc.language", setter: fld_set}]}, - "latitude": {to:[{field: "rsa.misc.latitude", setter: fld_set}]}, - "lc.cid": {to:[{field: "rsa.internal.lc_cid", setter: fld_set}]}, - "lc.ctime": {convert: to_date, to:[{field: "rsa.internal.lc_ctime", setter: fld_set}]}, - "ldap": {to:[{field: "rsa.identity.ldap", setter: fld_set}]}, - "ldap.query": {to:[{field: "rsa.identity.ldap_query", setter: fld_set}]}, - "ldap.response": {to:[{field: "rsa.identity.ldap_response", setter: fld_set}]}, - "level": {convert: to_long, to:[{field: "rsa.internal.level", setter: fld_set}]}, - "lhost": {to:[{field: "rsa.network.lhost", setter: fld_set}]}, - "library": {to:[{field: "rsa.misc.library", setter: fld_set}]}, - "lifetime": 
{convert: to_long, to:[{field: "rsa.misc.lifetime", setter: fld_set}]}, - "linenum": {to:[{field: "rsa.misc.linenum", setter: fld_set}]}, - "link": {to:[{field: "rsa.misc.link", setter: fld_set}]}, - "linterface": {to:[{field: "rsa.network.linterface", setter: fld_set}]}, - "list_name": {to:[{field: "rsa.misc.list_name", setter: fld_set}]}, - "listnum": {to:[{field: "rsa.misc.listnum", setter: fld_set}]}, - "load_data": {to:[{field: "rsa.misc.load_data", setter: fld_set}]}, - "location_floor": {to:[{field: "rsa.misc.location_floor", setter: fld_set}]}, - "location_mark": {to:[{field: "rsa.misc.location_mark", setter: fld_set}]}, - "log_id": {to:[{field: "rsa.misc.log_id", setter: fld_set}]}, - "log_type": {to:[{field: "rsa.misc.log_type", setter: fld_set}]}, - "logid": {to:[{field: "rsa.misc.logid", setter: fld_set}]}, - "logip": {to:[{field: "rsa.misc.logip", setter: fld_set}]}, - "logname": {to:[{field: "rsa.misc.logname", setter: fld_set}]}, - "logon_type": {to:[{field: "rsa.identity.logon_type", setter: fld_set}]}, - "logon_type_desc": {to:[{field: "rsa.identity.logon_type_desc", setter: fld_set}]}, - "longitude": {to:[{field: "rsa.misc.longitude", setter: fld_set}]}, - "lport": {to:[{field: "rsa.misc.lport", setter: fld_set}]}, - "lread": {convert: to_long, to:[{field: "rsa.db.lread", setter: fld_set}]}, - "lun": {to:[{field: "rsa.storage.lun", setter: fld_set}]}, - "lwrite": {convert: to_long, to:[{field: "rsa.db.lwrite", setter: fld_set}]}, - "macaddr": {convert: to_mac, to:[{field: "rsa.network.eth_host", setter: fld_set}]}, - "mail_id": {to:[{field: "rsa.misc.mail_id", setter: fld_set}]}, - "mask": {to:[{field: "rsa.network.mask", setter: fld_set}]}, - "match": {to:[{field: "rsa.misc.match", setter: fld_set}]}, - "mbug_data": {to:[{field: "rsa.misc.mbug_data", setter: fld_set}]}, - "mcb.req": {convert: to_long, to:[{field: "rsa.internal.mcb_req", setter: fld_set}]}, - "mcb.res": {convert: to_long, to:[{field: "rsa.internal.mcb_res", setter: fld_set}]}, - 
"mcbc.req": {convert: to_long, to:[{field: "rsa.internal.mcbc_req", setter: fld_set}]}, - "mcbc.res": {convert: to_long, to:[{field: "rsa.internal.mcbc_res", setter: fld_set}]}, - "medium": {convert: to_long, to:[{field: "rsa.internal.medium", setter: fld_set}]}, - "message": {to:[{field: "rsa.internal.message", setter: fld_set}]}, - "message_body": {to:[{field: "rsa.misc.message_body", setter: fld_set}]}, - "messageid": {to:[{field: "rsa.internal.messageid", setter: fld_set}]}, - "min": {to:[{field: "rsa.time.min", setter: fld_set}]}, - "misc": {to:[{field: "rsa.misc.misc", setter: fld_set}]}, - "misc_name": {to:[{field: "rsa.misc.misc_name", setter: fld_set}]}, - "mode": {to:[{field: "rsa.misc.mode", setter: fld_set}]}, - "month": {to:[{field: "rsa.time.month", setter: fld_set}]}, - "msg": {to:[{field: "rsa.internal.msg", setter: fld_set}]}, - "msgIdPart1": {to:[{field: "rsa.misc.msgIdPart1", setter: fld_set}]}, - "msgIdPart2": {to:[{field: "rsa.misc.msgIdPart2", setter: fld_set}]}, - "msgIdPart3": {to:[{field: "rsa.misc.msgIdPart3", setter: fld_set}]}, - "msgIdPart4": {to:[{field: "rsa.misc.msgIdPart4", setter: fld_set}]}, - "msg_id": {to:[{field: "rsa.internal.msg_id", setter: fld_set}]}, - "msg_type": {to:[{field: "rsa.misc.msg_type", setter: fld_set}]}, - "msgid": {to:[{field: "rsa.misc.msgid", setter: fld_set}]}, - "name": {to:[{field: "rsa.misc.name", setter: fld_set}]}, - "netname": {to:[{field: "rsa.network.netname", setter: fld_set}]}, - "netsessid": {to:[{field: "rsa.misc.netsessid", setter: fld_set}]}, - "network_port": {convert: to_long, to:[{field: "rsa.network.network_port", setter: fld_set}]}, - "network_service": {to:[{field: "rsa.network.network_service", setter: fld_set}]}, - "node": {to:[{field: "rsa.misc.node", setter: fld_set}]}, - "nodename": {to:[{field: "rsa.internal.node_name", setter: fld_set}]}, - "ntype": {to:[{field: "rsa.misc.ntype", setter: fld_set}]}, - "num": {to:[{field: "rsa.misc.num", setter: fld_set}]}, - "number": 
{to:[{field: "rsa.misc.number", setter: fld_set}]}, - "number1": {to:[{field: "rsa.misc.number1", setter: fld_set}]}, - "number2": {to:[{field: "rsa.misc.number2", setter: fld_set}]}, - "nwe.callback_id": {to:[{field: "rsa.internal.nwe_callback_id", setter: fld_set}]}, - "nwwn": {to:[{field: "rsa.misc.nwwn", setter: fld_set}]}, - "obj_id": {to:[{field: "rsa.internal.obj_id", setter: fld_set}]}, - "obj_name": {to:[{field: "rsa.misc.obj_name", setter: fld_set}]}, - "obj_server": {to:[{field: "rsa.internal.obj_server", setter: fld_set}]}, - "obj_type": {to:[{field: "rsa.misc.obj_type", setter: fld_set}]}, - "obj_value": {to:[{field: "rsa.internal.obj_val", setter: fld_set}]}, - "object": {to:[{field: "rsa.misc.object", setter: fld_set}]}, - "observed_val": {to:[{field: "rsa.misc.observed_val", setter: fld_set}]}, - "operation": {to:[{field: "rsa.misc.operation", setter: fld_set}]}, - "operation_id": {to:[{field: "rsa.misc.operation_id", setter: fld_set}]}, - "opkt": {to:[{field: "rsa.misc.opkt", setter: fld_set}]}, - "org.dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 1}]}, - "org.src": {to:[{field: "rsa.physical.org_src", setter: fld_set}]}, - "org_dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 0}]}, - "orig_from": {to:[{field: "rsa.misc.orig_from", setter: fld_set}]}, - "origin": {to:[{field: "rsa.network.origin", setter: fld_set}]}, - "original_owner": {to:[{field: "rsa.identity.owner", setter: fld_set}]}, - "os": {to:[{field: "rsa.misc.OS", setter: fld_set}]}, - "owner_id": {to:[{field: "rsa.misc.owner_id", setter: fld_set}]}, - "p_action": {to:[{field: "rsa.misc.p_action", setter: fld_set}]}, - "p_date": {to:[{field: "rsa.time.p_date", setter: fld_set}]}, - "p_filter": {to:[{field: "rsa.misc.p_filter", setter: fld_set}]}, - "p_group_object": {to:[{field: "rsa.misc.p_group_object", setter: fld_set}]}, - "p_id": {to:[{field: "rsa.misc.p_id", setter: fld_set}]}, - "p_month": {to:[{field: "rsa.time.p_month", setter: fld_set}]}, 
- "p_msgid": {to:[{field: "rsa.misc.p_msgid", setter: fld_set}]}, - "p_msgid1": {to:[{field: "rsa.misc.p_msgid1", setter: fld_set}]}, - "p_msgid2": {to:[{field: "rsa.misc.p_msgid2", setter: fld_set}]}, - "p_result1": {to:[{field: "rsa.misc.p_result1", setter: fld_set}]}, - "p_time": {to:[{field: "rsa.time.p_time", setter: fld_set}]}, - "p_time1": {to:[{field: "rsa.time.p_time1", setter: fld_set}]}, - "p_time2": {to:[{field: "rsa.time.p_time2", setter: fld_set}]}, - "p_url": {to:[{field: "rsa.web.p_url", setter: fld_set}]}, - "p_user_agent": {to:[{field: "rsa.web.p_user_agent", setter: fld_set}]}, - "p_web_cookie": {to:[{field: "rsa.web.p_web_cookie", setter: fld_set}]}, - "p_web_method": {to:[{field: "rsa.web.p_web_method", setter: fld_set}]}, - "p_web_referer": {to:[{field: "rsa.web.p_web_referer", setter: fld_set}]}, - "p_year": {to:[{field: "rsa.time.p_year", setter: fld_set}]}, - "packet_length": {to:[{field: "rsa.network.packet_length", setter: fld_set}]}, - "paddr": {convert: to_ip, to:[{field: "rsa.network.paddr", setter: fld_set}]}, - "param": {to:[{field: "rsa.misc.param", setter: fld_set}]}, - "param.dst": {to:[{field: "rsa.misc.param_dst", setter: fld_set}]}, - "param.src": {to:[{field: "rsa.misc.param_src", setter: fld_set}]}, - "parent_node": {to:[{field: "rsa.misc.parent_node", setter: fld_set}]}, - "parse.error": {to:[{field: "rsa.internal.parse_error", setter: fld_set}]}, - "password": {to:[{field: "rsa.identity.password", setter: fld_set}]}, - "password_chg": {to:[{field: "rsa.misc.password_chg", setter: fld_set}]}, - "password_expire": {to:[{field: "rsa.misc.password_expire", setter: fld_set}]}, - "patient_fname": {to:[{field: "rsa.healthcare.patient_fname", setter: fld_set}]}, - "patient_id": {to:[{field: "rsa.healthcare.patient_id", setter: fld_set}]}, - "patient_lname": {to:[{field: "rsa.healthcare.patient_lname", setter: fld_set}]}, - "patient_mname": {to:[{field: "rsa.healthcare.patient_mname", setter: fld_set}]}, - "payload.req": {convert: 
to_long, to:[{field: "rsa.internal.payload_req", setter: fld_set}]}, - "payload.res": {convert: to_long, to:[{field: "rsa.internal.payload_res", setter: fld_set}]}, - "peer": {to:[{field: "rsa.crypto.peer", setter: fld_set}]}, - "peer_id": {to:[{field: "rsa.crypto.peer_id", setter: fld_set}]}, - "permgranted": {to:[{field: "rsa.misc.permgranted", setter: fld_set}]}, - "permissions": {to:[{field: "rsa.db.permissions", setter: fld_set}]}, - "permwanted": {to:[{field: "rsa.misc.permwanted", setter: fld_set}]}, - "pgid": {to:[{field: "rsa.misc.pgid", setter: fld_set}]}, - "phone_number": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 2}]}, - "phost": {to:[{field: "rsa.network.phost", setter: fld_set}]}, - "pid": {to:[{field: "rsa.misc.pid", setter: fld_set}]}, - "policy": {to:[{field: "rsa.misc.policy", setter: fld_set}]}, - "policyUUID": {to:[{field: "rsa.misc.policyUUID", setter: fld_set}]}, - "policy_id": {to:[{field: "rsa.misc.policy_id", setter: fld_set}]}, - "policy_value": {to:[{field: "rsa.misc.policy_value", setter: fld_set}]}, - "policy_waiver": {to:[{field: "rsa.misc.policy_waiver", setter: fld_set}]}, - "policyname": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 0}]}, - "pool_id": {to:[{field: "rsa.misc.pool_id", setter: fld_set}]}, - "pool_name": {to:[{field: "rsa.misc.pool_name", setter: fld_set}]}, - "port": {convert: to_long, to:[{field: "rsa.network.port", setter: fld_set}]}, - "portname": {to:[{field: "rsa.misc.port_name", setter: fld_set}]}, - "pread": {convert: to_long, to:[{field: "rsa.db.pread", setter: fld_set}]}, - "priority": {to:[{field: "rsa.misc.priority", setter: fld_set}]}, - "privilege": {to:[{field: "rsa.file.privilege", setter: fld_set}]}, - "process.vid.dst": {to:[{field: "rsa.internal.process_vid_dst", setter: fld_set}]}, - "process.vid.src": {to:[{field: "rsa.internal.process_vid_src", setter: fld_set}]}, - "process_id_val": {to:[{field: "rsa.misc.process_id_val", setter: fld_set}]}, - "processing_time": 
{to:[{field: "rsa.time.process_time", setter: fld_set}]}, - "profile": {to:[{field: "rsa.identity.profile", setter: fld_set}]}, - "prog_asp_num": {to:[{field: "rsa.misc.prog_asp_num", setter: fld_set}]}, - "program": {to:[{field: "rsa.misc.program", setter: fld_set}]}, - "protocol_detail": {to:[{field: "rsa.network.protocol_detail", setter: fld_set}]}, - "pwwn": {to:[{field: "rsa.storage.pwwn", setter: fld_set}]}, - "r_hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "real_data": {to:[{field: "rsa.misc.real_data", setter: fld_set}]}, - "realm": {to:[{field: "rsa.identity.realm", setter: fld_set}]}, - "reason": {to:[{field: "rsa.misc.reason", setter: fld_set}]}, - "rec_asp_device": {to:[{field: "rsa.misc.rec_asp_device", setter: fld_set}]}, - "rec_asp_num": {to:[{field: "rsa.misc.rec_asp_num", setter: fld_set}]}, - "rec_library": {to:[{field: "rsa.misc.rec_library", setter: fld_set}]}, - "recorded_time": {convert: to_date, to:[{field: "rsa.time.recorded_time", setter: fld_set}]}, - "recordnum": {to:[{field: "rsa.misc.recordnum", setter: fld_set}]}, - "registry.key": {to:[{field: "rsa.endpoint.registry_key", setter: fld_set}]}, - "registry.value": {to:[{field: "rsa.endpoint.registry_value", setter: fld_set}]}, - "remote_domain": {to:[{field: "rsa.web.remote_domain", setter: fld_set}]}, - "remote_domain_id": {to:[{field: "rsa.network.remote_domain_id", setter: fld_set}]}, - "reputation_num": {convert: to_double, to:[{field: "rsa.web.reputation_num", setter: fld_set}]}, - "resource": {to:[{field: "rsa.internal.resource", setter: fld_set}]}, - "resource_class": {to:[{field: "rsa.internal.resource_class", setter: fld_set}]}, - "result": {to:[{field: "rsa.misc.result", setter: fld_set}]}, - "result_code": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 1}]}, - "resultcode": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 0}]}, - "rid": {convert: to_long, to:[{field: "rsa.internal.rid", setter: fld_set}]}, - "risk": 
{to:[{field: "rsa.misc.risk", setter: fld_set}]}, - "risk_info": {to:[{field: "rsa.misc.risk_info", setter: fld_set}]}, - "risk_num": {convert: to_double, to:[{field: "rsa.misc.risk_num", setter: fld_set}]}, - "risk_num_comm": {convert: to_double, to:[{field: "rsa.misc.risk_num_comm", setter: fld_set}]}, - "risk_num_next": {convert: to_double, to:[{field: "rsa.misc.risk_num_next", setter: fld_set}]}, - "risk_num_sand": {convert: to_double, to:[{field: "rsa.misc.risk_num_sand", setter: fld_set}]}, - "risk_num_static": {convert: to_double, to:[{field: "rsa.misc.risk_num_static", setter: fld_set}]}, - "risk_suspicious": {to:[{field: "rsa.misc.risk_suspicious", setter: fld_set}]}, - "risk_warning": {to:[{field: "rsa.misc.risk_warning", setter: fld_set}]}, - "rpayload": {to:[{field: "rsa.network.rpayload", setter: fld_set}]}, - "ruid": {to:[{field: "rsa.misc.ruid", setter: fld_set}]}, - "rule": {to:[{field: "rsa.misc.rule", setter: fld_set}]}, - "rule_group": {to:[{field: "rsa.misc.rule_group", setter: fld_set}]}, - "rule_template": {to:[{field: "rsa.misc.rule_template", setter: fld_set}]}, - "rule_uid": {to:[{field: "rsa.misc.rule_uid", setter: fld_set}]}, - "rulename": {to:[{field: "rsa.misc.rule_name", setter: fld_set}]}, - "s_certauth": {to:[{field: "rsa.crypto.s_certauth", setter: fld_set}]}, - "s_cipher": {to:[{field: "rsa.crypto.cipher_src", setter: fld_set}]}, - "s_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_src", setter: fld_set}]}, - "s_context": {to:[{field: "rsa.misc.context_subject", setter: fld_set}]}, - "s_sslver": {to:[{field: "rsa.crypto.ssl_ver_src", setter: fld_set}]}, - "sburb": {to:[{field: "rsa.misc.sburb", setter: fld_set}]}, - "scheme": {to:[{field: "rsa.crypto.scheme", setter: fld_set}]}, - "sdomain_fld": {to:[{field: "rsa.misc.sdomain_fld", setter: fld_set}]}, - "search.text": {to:[{field: "rsa.misc.search_text", setter: fld_set}]}, - "sec": {to:[{field: "rsa.misc.sec", setter: fld_set}]}, - "second": {to:[{field: 
"rsa.misc.second", setter: fld_set}]}, - "sensor": {to:[{field: "rsa.misc.sensor", setter: fld_set}]}, - "sensorname": {to:[{field: "rsa.misc.sensorname", setter: fld_set}]}, - "seqnum": {to:[{field: "rsa.misc.seqnum", setter: fld_set}]}, - "serial_number": {to:[{field: "rsa.misc.serial_number", setter: fld_set}]}, - "service.account": {to:[{field: "rsa.identity.service_account", setter: fld_set}]}, - "session": {to:[{field: "rsa.misc.session", setter: fld_set}]}, - "session.split": {to:[{field: "rsa.internal.session_split", setter: fld_set}]}, - "sessionid": {to:[{field: "rsa.misc.log_session_id", setter: fld_set}]}, - "sessionid1": {to:[{field: "rsa.misc.log_session_id1", setter: fld_set}]}, - "sessiontype": {to:[{field: "rsa.misc.sessiontype", setter: fld_set}]}, - "severity": {to:[{field: "rsa.misc.severity", setter: fld_set}]}, - "sid": {to:[{field: "rsa.identity.user_sid_dst", setter: fld_set}]}, - "sig.name": {to:[{field: "rsa.misc.sig_name", setter: fld_set}]}, - "sigUUID": {to:[{field: "rsa.misc.sigUUID", setter: fld_set}]}, - "sigcat": {to:[{field: "rsa.misc.sigcat", setter: fld_set}]}, - "sigid": {convert: to_long, to:[{field: "rsa.misc.sig_id", setter: fld_set}]}, - "sigid1": {convert: to_long, to:[{field: "rsa.misc.sig_id1", setter: fld_set}]}, - "sigid_string": {to:[{field: "rsa.misc.sig_id_str", setter: fld_set}]}, - "signame": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 1}]}, - "sigtype": {to:[{field: "rsa.crypto.sig_type", setter: fld_set}]}, - "sinterface": {to:[{field: "rsa.network.sinterface", setter: fld_set}]}, - "site": {to:[{field: "rsa.internal.site", setter: fld_set}]}, - "size": {convert: to_long, to:[{field: "rsa.internal.size", setter: fld_set}]}, - "smask": {to:[{field: "rsa.network.smask", setter: fld_set}]}, - "snmp.oid": {to:[{field: "rsa.misc.snmp_oid", setter: fld_set}]}, - "snmp.value": {to:[{field: "rsa.misc.snmp_value", setter: fld_set}]}, - "sourcefile": {to:[{field: "rsa.internal.sourcefile", setter: 
fld_set}]}, - "space": {to:[{field: "rsa.misc.space", setter: fld_set}]}, - "space1": {to:[{field: "rsa.misc.space1", setter: fld_set}]}, - "spi": {to:[{field: "rsa.misc.spi", setter: fld_set}]}, - "sql": {to:[{field: "rsa.misc.sql", setter: fld_set}]}, - "src_dn": {to:[{field: "rsa.identity.dn_src", setter: fld_set}]}, - "src_payload": {to:[{field: "rsa.misc.payload_src", setter: fld_set}]}, - "src_spi": {to:[{field: "rsa.misc.spi_src", setter: fld_set}]}, - "src_zone": {to:[{field: "rsa.network.zone_src", setter: fld_set}]}, - "srcburb": {to:[{field: "rsa.misc.srcburb", setter: fld_set}]}, - "srcdom": {to:[{field: "rsa.misc.srcdom", setter: fld_set}]}, - "srcservice": {to:[{field: "rsa.misc.srcservice", setter: fld_set}]}, - "ssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 0}]}, - "stamp": {convert: to_date, to:[{field: "rsa.time.stamp", setter: fld_set}]}, - "starttime": {convert: to_date, to:[{field: "rsa.time.starttime", setter: fld_set}]}, - "state": {to:[{field: "rsa.misc.state", setter: fld_set}]}, - "statement": {to:[{field: "rsa.internal.statement", setter: fld_set}]}, - "status": {to:[{field: "rsa.misc.status", setter: fld_set}]}, - "status1": {to:[{field: "rsa.misc.status1", setter: fld_set}]}, - "streams": {convert: to_long, to:[{field: "rsa.misc.streams", setter: fld_set}]}, - "subcategory": {to:[{field: "rsa.misc.subcategory", setter: fld_set}]}, - "subject": {to:[{field: "rsa.email.subject", setter: fld_set}]}, - "svcno": {to:[{field: "rsa.misc.svcno", setter: fld_set}]}, - "system": {to:[{field: "rsa.misc.system", setter: fld_set}]}, - "t_context": {to:[{field: "rsa.misc.context_target", setter: fld_set}]}, - "task_name": {to:[{field: "rsa.file.task_name", setter: fld_set}]}, - "tbdstr1": {to:[{field: "rsa.misc.tbdstr1", setter: fld_set}]}, - "tbdstr2": {to:[{field: "rsa.misc.tbdstr2", setter: fld_set}]}, - "tbl_name": {to:[{field: "rsa.db.table_name", setter: fld_set}]}, - "tcp_flags": {convert: to_long, to:[{field: 
"rsa.misc.tcp_flags", setter: fld_set}]}, - "terminal": {to:[{field: "rsa.misc.terminal", setter: fld_set}]}, - "tgtdom": {to:[{field: "rsa.misc.tgtdom", setter: fld_set}]}, - "tgtdomain": {to:[{field: "rsa.misc.tgtdomain", setter: fld_set}]}, - "threat_name": {to:[{field: "rsa.threat.threat_category", setter: fld_set}]}, - "threat_source": {to:[{field: "rsa.threat.threat_source", setter: fld_set}]}, - "threat_val": {to:[{field: "rsa.threat.threat_desc", setter: fld_set}]}, - "threshold": {to:[{field: "rsa.misc.threshold", setter: fld_set}]}, - "time": {convert: to_date, to:[{field: "rsa.internal.time", setter: fld_set}]}, - "timestamp": {to:[{field: "rsa.time.timestamp", setter: fld_set}]}, - "timezone": {to:[{field: "rsa.time.timezone", setter: fld_set}]}, - "to": {to:[{field: "rsa.email.email_dst", setter: fld_set}]}, - "tos": {convert: to_long, to:[{field: "rsa.misc.tos", setter: fld_set}]}, - "trans_from": {to:[{field: "rsa.email.trans_from", setter: fld_set}]}, - "trans_id": {to:[{field: "rsa.db.transact_id", setter: fld_set}]}, - "trans_to": {to:[{field: "rsa.email.trans_to", setter: fld_set}]}, - "trigger_desc": {to:[{field: "rsa.misc.trigger_desc", setter: fld_set}]}, - "trigger_val": {to:[{field: "rsa.misc.trigger_val", setter: fld_set}]}, - "type": {to:[{field: "rsa.misc.type", setter: fld_set}]}, - "type1": {to:[{field: "rsa.misc.type1", setter: fld_set}]}, - "tzone": {to:[{field: "rsa.time.tzone", setter: fld_set}]}, - "ubc.req": {convert: to_long, to:[{field: "rsa.internal.ubc_req", setter: fld_set}]}, - "ubc.res": {convert: to_long, to:[{field: "rsa.internal.ubc_res", setter: fld_set}]}, - "udb_class": {to:[{field: "rsa.misc.udb_class", setter: fld_set}]}, - "url_fld": {to:[{field: "rsa.misc.url_fld", setter: fld_set}]}, - "urlpage": {to:[{field: "rsa.web.urlpage", setter: fld_set}]}, - "urlroot": {to:[{field: "rsa.web.urlroot", setter: fld_set}]}, - "user_address": {to:[{field: "rsa.email.email", setter: fld_append}]}, - "user_dept": {to:[{field: 
"rsa.identity.user_dept", setter: fld_set}]}, - "user_div": {to:[{field: "rsa.misc.user_div", setter: fld_set}]}, - "user_fname": {to:[{field: "rsa.identity.firstname", setter: fld_set}]}, - "user_lname": {to:[{field: "rsa.identity.lastname", setter: fld_set}]}, - "user_mname": {to:[{field: "rsa.identity.middlename", setter: fld_set}]}, - "user_org": {to:[{field: "rsa.identity.org", setter: fld_set}]}, - "user_role": {to:[{field: "rsa.identity.user_role", setter: fld_set}]}, - "userid": {to:[{field: "rsa.misc.userid", setter: fld_set}]}, - "username_fld": {to:[{field: "rsa.misc.username_fld", setter: fld_set}]}, - "utcstamp": {to:[{field: "rsa.misc.utcstamp", setter: fld_set}]}, - "v_instafname": {to:[{field: "rsa.misc.v_instafname", setter: fld_set}]}, - "vendor_event_cat": {to:[{field: "rsa.investigations.event_vcat", setter: fld_set}]}, - "version": {to:[{field: "rsa.misc.version", setter: fld_set}]}, - "vid": {to:[{field: "rsa.internal.msg_vid", setter: fld_set}]}, - "virt_data": {to:[{field: "rsa.misc.virt_data", setter: fld_set}]}, - "virusname": {to:[{field: "rsa.misc.virusname", setter: fld_set}]}, - "vlan": {convert: to_long, to:[{field: "rsa.network.vlan", setter: fld_set}]}, - "vlan.name": {to:[{field: "rsa.network.vlan_name", setter: fld_set}]}, - "vm_target": {to:[{field: "rsa.misc.vm_target", setter: fld_set}]}, - "vpnid": {to:[{field: "rsa.misc.vpnid", setter: fld_set}]}, - "vsys": {to:[{field: "rsa.misc.vsys", setter: fld_set}]}, - "vuln_ref": {to:[{field: "rsa.misc.vuln_ref", setter: fld_set}]}, - "web_cookie": {to:[{field: "rsa.web.web_cookie", setter: fld_set}]}, - "web_extension_tmp": {to:[{field: "rsa.web.web_extension_tmp", setter: fld_set}]}, - "web_host": {to:[{field: "rsa.web.alias_host", setter: fld_set}]}, - "web_method": {to:[{field: "rsa.misc.action", setter: fld_append}]}, - "web_page": {to:[{field: "rsa.web.web_page", setter: fld_set}]}, - "web_ref_domain": {to:[{field: "rsa.web.web_ref_domain", setter: fld_set}]}, - "web_ref_host": 
{to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "web_ref_page": {to:[{field: "rsa.web.web_ref_page", setter: fld_set}]}, - "web_ref_query": {to:[{field: "rsa.web.web_ref_query", setter: fld_set}]}, - "web_ref_root": {to:[{field: "rsa.web.web_ref_root", setter: fld_set}]}, - "wifi_channel": {convert: to_long, to:[{field: "rsa.wireless.wlan_channel", setter: fld_set}]}, - "wlan": {to:[{field: "rsa.wireless.wlan_name", setter: fld_set}]}, - "word": {to:[{field: "rsa.internal.word", setter: fld_set}]}, - "workspace_desc": {to:[{field: "rsa.misc.workspace", setter: fld_set}]}, - "workstation": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "year": {to:[{field: "rsa.time.year", setter: fld_set}]}, - "zone": {to:[{field: "rsa.network.zone", setter: fld_set}]}, - }; - - function to_date(value) { - switch (typeof (value)) { - case "object": - // This is a Date. But as it was obtained from evt.Get(), the VM - // doesn't see it as a JS Date anymore, thus value instanceof Date === false. - // Have to trust that any object here is a valid Date for Go. - return value; - case "string": - var asDate = new Date(value); - if (!isNaN(asDate)) return asDate; - } - } - - // ECMAScript 5.1 doesn't have Object.MAX_SAFE_INTEGER / Object.MIN_SAFE_INTEGER. - var maxSafeInt = Math.pow(2, 53) - 1; - var minSafeInt = -maxSafeInt; - - function to_long(value) { - var num = parseInt(value); - // Better not to index a number if it's not safe (above 53 bits). - return !isNaN(num) && minSafeInt <= num && num <= maxSafeInt ? 
num : undefined; - } - - function to_ip(value) { - if (value.indexOf(":") === -1) - return to_ipv4(value); - return to_ipv6(value); - } - - var ipv4_regex = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/; - var ipv6_hex_regex = /^[0-9A-Fa-f]{1,4}$/; - - function to_ipv4(value) { - var result = ipv4_regex.exec(value); - if (result == null || result.length !== 5) return; - for (var i = 1; i < 5; i++) { - var num = strictToInt(result[i]); - if (isNaN(num) || num < 0 || num > 255) return; - } - return value; - } - - function to_ipv6(value) { - var sqEnd = value.indexOf("]"); - if (sqEnd > -1) { - if (value.charAt(0) !== "[") return; - value = value.substr(1, sqEnd - 1); - } - var zoneOffset = value.indexOf("%"); - if (zoneOffset > -1) { - value = value.substr(0, zoneOffset); - } - var parts = value.split(":"); - if (parts == null || parts.length < 3 || parts.length > 8) return; - var numEmpty = 0; - var innerEmpty = 0; - for (var i = 0; i < parts.length; i++) { - if (parts[i].length === 0) { - numEmpty++; - if (i > 0 && i + 1 < parts.length) innerEmpty++; - } else if (!parts[i].match(ipv6_hex_regex) && - // Accept an IPv6 with a valid IPv4 at the end. - ((i + 1 < parts.length) || !to_ipv4(parts[i]))) { - return; - } - } - return innerEmpty === 0 && parts.length === 8 || innerEmpty === 1 ? value : undefined; - } - - function to_double(value) { - return parseFloat(value); - } - - function to_mac(value) { - // ES doesn't have a mac datatype so it's safe to ingest whatever was captured. - return value; - } - - function to_lowercase(value) { - // to_lowercase is used against keyword fields, which can accept - // any other type (numbers, dates). - return typeof(value) === "string"? 
value.toLowerCase() : value; - } - - function fld_set(dst, value) { - dst[this.field] = { v: value }; - } - - function fld_append(dst, value) { - if (dst[this.field] === undefined) { - dst[this.field] = { v: [value] }; - } else { - var base = dst[this.field]; - if (base.v.indexOf(value)===-1) base.v.push(value); - } - } - - function fld_prio(dst, value) { - if (dst[this.field] === undefined) { - dst[this.field] = { v: value, prio: this.prio}; - } else if(this.prio < dst[this.field].prio) { - dst[this.field].v = value; - dst[this.field].prio = this.prio; - } - } - - var valid_ecs_outcome = { - 'failure': true, - 'success': true, - 'unknown': true - }; - - function fld_ecs_outcome(dst, value) { - value = value.toLowerCase(); - if (valid_ecs_outcome[value] === undefined) { - value = 'unknown'; - } - if (dst[this.field] === undefined) { - dst[this.field] = { v: value }; - } else if (dst[this.field].v === 'unknown') { - dst[this.field] = { v: value }; - } - } - - function map_all(evt, targets, value) { - for (var i = 0; i < targets.length; i++) { - evt.Put(targets[i], value); - } - } - - function populate_fields(evt) { - var base = evt.Get(FIELDS_OBJECT); - if (base === null) return; - alternate_datetime(evt); - if (map_ecs) { - do_populate(evt, base, ecs_mappings); - } - if (map_rsa) { - do_populate(evt, base, rsa_mappings); - } - if (keep_raw) { - evt.Put("rsa.raw", base); - } - evt.Delete(FIELDS_OBJECT); - } - - var datetime_alt_components = [ - {field: "day", fmts: [[dF]]}, - {field: "year", fmts: [[dW]]}, - {field: "month", fmts: [[dB],[dG]]}, - {field: "date", fmts: [[dW,dSkip,dG,dSkip,dF],[dW,dSkip,dB,dSkip,dF],[dW,dSkip,dR,dSkip,dF]]}, - {field: "hour", fmts: [[dN]]}, - {field: "min", fmts: [[dU]]}, - {field: "secs", fmts: [[dO]]}, - {field: "time", fmts: [[dN, dSkip, dU, dSkip, dO]]}, - ]; - - function alternate_datetime(evt) { - if (evt.Get(FIELDS_PREFIX + "event_time") != null) { - return; - } - var tzOffset = tz_offset; - if (tzOffset === "event") { - 
tzOffset = evt.Get("event.timezone"); - } - var container = new DateContainer(tzOffset); - for (var i=0; i} %{hostname->} %{messageid}[%{process_id}]: %{payload}", processor_chain([ - setc("header_id","0001"), - ])); - - var hdr2 = match("HEADER#1:0002", "message", "%{hfld1->} %{messageid}[%{process_id}]: %{payload}", processor_chain([ - setc("header_id","0002"), - ])); - - var hdr3 = match("HEADER#2:0003", "message", "%{hfld1->} %{hostname->} reverseproxy: %{payload}", processor_chain([ - setc("header_id","0003"), - setc("messageid","reverseproxy"), - ])); - - var hdr4 = match("HEADER#3:0005", "message", "%{hfld1->} %{hostname->} %{messageid}: %{payload}", processor_chain([ - setc("header_id","0005"), - ])); - - var hdr5 = match("HEADER#4:0004", "message", "%{hfld1->} %{id}[%{process_id}]: %{payload}", processor_chain([ - setc("header_id","0004"), - setc("messageid","astarosg_TVM"), - ])); - - var hdr6 = match("HEADER#5:0006", "message", "device=\"%{product}\" date=%{hdate->} time=%{htime->} timezone=\"%{timezone}\" device_name=\"%{device}\" device_id=%{hardware_id->} log_id=%{id->} %{payload}", processor_chain([ - setc("header_id","0006"), - setc("messageid","Sophos_Firewall"), - ])); - - var select1 = linear_select([ - hdr1, - hdr2, - hdr3, - hdr4, - hdr5, - hdr6, - ]); - - var part1 = match("MESSAGE#0:named:01", "nwparser.payload", "received control channel command '%{action}'", processor_chain([ - dup1, - dup2, - dup3, - ])); - - var msg1 = msg("named:01", part1); - - var part2 = match("MESSAGE#1:named:02", "nwparser.payload", "flushing caches in all views %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - ])); - - var msg2 = msg("named:02", part2); - - var part3 = match("MESSAGE#2:named:03", "nwparser.payload", "error (%{result}) resolving '%{dhost}': %{daddr}#%{dport}", processor_chain([ - dup4, - dup2, - dup3, - ])); - - var msg3 = msg("named:03", part3); - - var part4 = match("MESSAGE#3:named:04", "nwparser.payload", "received %{action->} signal 
to %{fld3}", processor_chain([ - dup5, - dup2, - dup3, - ])); - - var msg4 = msg("named:04", part4); - - var part5 = match("MESSAGE#4:named:05", "nwparser.payload", "loading configuration from '%(unknown)'", processor_chain([ - dup6, - dup2, - dup3, - ])); - - var msg5 = msg("named:05", part5); - - var part6 = match("MESSAGE#5:named:06", "nwparser.payload", "no %{protocol->} interfaces found", processor_chain([ - setc("eventcategory","1804000000"), - dup2, - dup3, - ])); - - var msg6 = msg("named:06", part6); - - var part7 = match("MESSAGE#6:named:07", "nwparser.payload", "sizing zone task pool based on %{fld3->} zones", processor_chain([ - dup7, - dup2, - dup3, - ])); - - var msg7 = msg("named:07", part7); - - var part8 = match("MESSAGE#7:named:08", "nwparser.payload", "automatic empty zone: view %{fld3}: %{dns_ptr_record}", processor_chain([ - dup8, - dup2, - dup3, - ])); - - var msg8 = msg("named:08", part8); - - var part9 = match("MESSAGE#8:named:09", "nwparser.payload", "reloading %{obj_type->} %{disposition}", processor_chain([ - dup7, - dup2, - dup3, - setc("action","reloading"), - ])); - - var msg9 = msg("named:09", part9); - - var part10 = match("MESSAGE#9:named:10", "nwparser.payload", "zone %{dhost}/%{fld3}: loaded serial %{operation_id}", processor_chain([ - dup7, - dup9, - dup2, - dup3, - ])); - - var msg10 = msg("named:10", part10); - - var part11 = match("MESSAGE#10:named:11", "nwparser.payload", "all zones loaded%{}", processor_chain([ - dup7, - dup9, - dup2, - dup3, - setc("action","all zones loaded"), - ])); - - var msg11 = msg("named:11", part11); - - var part12 = match("MESSAGE#11:named:12", "nwparser.payload", "running%{}", processor_chain([ - dup7, - setc("disposition","running"), - dup2, - dup3, - setc("action","running"), - ])); - - var msg12 = msg("named:12", part12); - - var part13 = match("MESSAGE#12:named:13", "nwparser.payload", "using built-in root key for view %{fld3}", processor_chain([ - dup7, - setc("context","built-in root key"), 
- dup2, - dup3, - ])); - - var msg13 = msg("named:13", part13); - - var part14 = match("MESSAGE#13:named:14", "nwparser.payload", "zone %{dns_ptr_record}/%{fld3}: (%{username}) %{action}", processor_chain([ - dup8, - dup2, - dup3, - ])); - - var msg14 = msg("named:14", part14); - - var part15 = match("MESSAGE#14:named:15", "nwparser.payload", "too many timeouts resolving '%{fld3}' (%{fld4}): disabling EDNS", processor_chain([ - dup10, - setc("event_description","named:too many timeouts resolving DNS."), - dup11, - dup2, - ])); - - var msg15 = msg("named:15", part15); - - var part16 = match("MESSAGE#15:named:16", "nwparser.payload", "FORMERR resolving '%{hostname}': %{saddr}#%{fld3}", processor_chain([ - dup10, - setc("event_description","named:FORMERR resolving DNS."), - dup11, - dup2, - ])); - - var msg16 = msg("named:16", part16); - - var part17 = match("MESSAGE#16:named:17", "nwparser.payload", "unexpected RCODE (SERVFAIL) resolving '%{hostname}': %{saddr}#%{fld3}", processor_chain([ - dup10, - setc("event_description","named:unexpected RCODE (SERVFAIL) resolving DNS."), - dup11, - dup2, - ])); - - var msg17 = msg("named:17", part17); - - var select2 = linear_select([ - msg1, - msg2, - msg3, - msg4, - msg5, - msg6, - msg7, - msg8, - msg9, - msg10, - msg11, - msg12, - msg13, - msg14, - msg15, - msg16, - msg17, - ]); - - var part18 = match("MESSAGE#17:httpproxy:09", "nwparser.payload", "Integrated HTTP-Proxy %{version}", processor_chain([ - dup12, - setc("event_description","httpproxy:Integrated HTTP-Proxy."), - dup11, - dup2, - ])); - - var msg18 = msg("httpproxy:09", part18); - - var part19 = match("MESSAGE#18:httpproxy:10", "nwparser.payload", "[%{fld2}] parse_address (%{fld3}) getaddrinfo: passthrough.fw-notify.net: Name or service not known", processor_chain([ - dup10, - setc("event_description","httpproxy:Name or service not known."), - dup11, - dup2, - ])); - - var msg19 = msg("httpproxy:10", part19); - - var part20 = match("MESSAGE#19:httpproxy:11", 
"nwparser.payload", "[%{fld2}] confd_config_filter (%{fld3}) failed to resolve passthrough.fw-notify.net, using %{saddr}", processor_chain([ - dup10, - setc("event_description","httpproxy:failed to resolve passthrough."), - dup11, - dup2, - ])); - - var msg20 = msg("httpproxy:11", part20); - - var part21 = match("MESSAGE#20:httpproxy:12", "nwparser.payload", "[%{fld2}] ssl_log_errors (%{fld3}) %{fld4}ssl handshake failure%{fld5}", processor_chain([ - dup10, - setc("event_description","httpproxy:ssl handshake failure."), - dup11, - dup2, - ])); - - var msg21 = msg("httpproxy:12", part21); - - var part22 = match("MESSAGE#21:httpproxy:13", "nwparser.payload", "[%{fld2}] sc_decrypt (%{fld3}) EVP_DecryptFinal failed", processor_chain([ - dup10, - setc("event_description","httpproxy:EVP_DecryptFinal failed."), - dup11, - dup2, - ])); - - var msg22 = msg("httpproxy:13", part22); - - var part23 = match("MESSAGE#22:httpproxy:14", "nwparser.payload", "[%{fld2}] sc_server_cmd (%{fld3}) decrypt failed", processor_chain([ - dup10, - setc("event_description","httpproxy:decrypt failed."), - dup11, - dup2, - ])); - - var msg23 = msg("httpproxy:14", part23); - - var part24 = match("MESSAGE#23:httpproxy:15", "nwparser.payload", "[%{fld2}] clamav_reload (%{fld3}) %{info}", processor_chain([ - dup12, - setc("event_description","httpproxy:reloading av pattern"), - dup11, - dup2, - ])); - - var msg24 = msg("httpproxy:15", part24); - - var part25 = match("MESSAGE#24:httpproxy:16", "nwparser.payload", "[%{fld2}] sc_check_servers (%{fld3}) server '%{hostname}' access time: %{fld4}", processor_chain([ - dup12, - setc("event_description","httpproxy:sc_check_servers.Server checked."), - dup11, - dup2, - ])); - - var msg25 = msg("httpproxy:16", part25); - - var part26 = match("MESSAGE#25:httpproxy:17", "nwparser.payload", "[%{fld2}] main (%{fld3}) shutdown finished, exiting", processor_chain([ - dup12, - setc("event_description","httpproxy:shutdown finished, exiting."), - dup11, - dup2, - ])); 
- - var msg26 = msg("httpproxy:17", part26); - - var part27 = match("MESSAGE#26:httpproxy:18", "nwparser.payload", "[%{fld2}] main (%{fld3}) reading configuration", processor_chain([ - dup12, - setc("event_description","httpproxy:"), - dup11, - dup2, - ])); - - var msg27 = msg("httpproxy:18", part27); - - var part28 = match("MESSAGE#27:httpproxy:19", "nwparser.payload", "[%{fld2}] main (%{fld3}) reading profiles", processor_chain([ - dup12, - setc("event_description","httpproxy:reading profiles"), - dup11, - dup2, - ])); - - var msg28 = msg("httpproxy:19", part28); - - var part29 = match("MESSAGE#28:httpproxy:20", "nwparser.payload", "[%{fld2}] main (%{fld3}) finished startup", processor_chain([ - dup12, - setc("event_description","httpproxy:finished startup"), - dup11, - dup2, - ])); - - var msg29 = msg("httpproxy:20", part29); - - var part30 = match("MESSAGE#29:httpproxy:21", "nwparser.payload", "[%{fld2}] read_request_headers (%{fld3}) %{info}", processor_chain([ - dup12, - setc("event_description","httpproxy:read_request_headers related message."), - dup11, - dup2, - ])); - - var msg30 = msg("httpproxy:21", part30); - - var part31 = match("MESSAGE#30:httpproxy:22", "nwparser.payload", "[%{fld2}] epoll_loop (%{fld3}) %{info}", processor_chain([ - dup12, - setc("event_description","httpproxy:epoll_loop related message."), - dup11, - dup2, - ])); - - var msg31 = msg("httpproxy:22", part31); - - var part32 = match("MESSAGE#31:httpproxy:23", "nwparser.payload", "[%{fld2}] scan_exit (%{fld3}) %{info}", processor_chain([ - dup12, - setc("event_description","httpproxy:scan_exit related message."), - dup11, - dup2, - ])); - - var msg32 = msg("httpproxy:23", part32); - - var part33 = match("MESSAGE#32:httpproxy:24", "nwparser.payload", "[%{fld2}] epoll_exit (%{fld3}) %{info}", processor_chain([ - dup12, - setc("event_description","httpproxy:epoll_exit related message."), - dup11, - dup2, - ])); - - var msg33 = msg("httpproxy:24", part33); - - var part34 = 
match("MESSAGE#33:httpproxy:25", "nwparser.payload", "[%{fld2}] disk_cache_exit (%{fld3}) %{info}", processor_chain([ - dup12, - setc("event_description","httpproxy:disk_cache_exit related message."), - dup11, - dup2, - ])); - - var msg34 = msg("httpproxy:25", part34); - - var part35 = match("MESSAGE#34:httpproxy:26", "nwparser.payload", "[%{fld2}] disk_cache_zap (%{fld3}) %{info}", processor_chain([ - dup12, - setc("event_description","httpproxy:disk_cache_zap related message."), - dup11, - dup2, - ])); - - var msg35 = msg("httpproxy:26", part35); - - var part36 = match("MESSAGE#35:httpproxy:27", "nwparser.payload", "[%{fld2}] scanner_init (%{fld3}) %{info}", processor_chain([ - dup12, - setc("event_description","httpproxy:scanner_init related message."), - dup11, - dup2, - ])); - - var msg36 = msg("httpproxy:27", part36); - - var part37 = tagval("MESSAGE#36:httpproxy:01", "nwparser.payload", tvm, { - "action": "action", - "ad_domain": "fld1", - "app-id": "fld18", - "application": "fld17", - "auth": "fld10", - "authtime": "fld4", - "avscantime": "fld7", - "cached": "fld2", - "category": "policy_id", - "categoryname": "info", - "cattime": "fld6", - "content-type": "content_type", - "device": "fld9", - "dnstime": "fld5", - "dstip": "daddr", - "error": "result", - "exceptions": "fld12", - "extension": "fld13", - "file": "filename", - "filename": "filename", - "filteraction": "fld3", - "fullreqtime": "fld8", - "function": "action", - "group": "group", - "id": "rule", - "line": "fld14", - "message": "context", - "method": "web_method", - "name": "event_description", - "profile": "policyname", - "reason": "rule_group", - "referer": "web_referer", - "reputation": "fld16", - "request": "connectionid", - "severity": "severity", - "size": "rbytes", - "srcip": "saddr", - "statuscode": "resultcode", - "sub": "network_service", - "sys": "vsys", - "time": "fld15", - "ua": "fld11", - "url": "url", - "user": "username", - }, processor_chain([ - dup13, - dup11, - dup2, - dup45, - 
dup46, - ])); - - var msg37 = msg("httpproxy:01", part37); - - var select3 = linear_select([ - msg18, - msg19, - msg20, - msg21, - msg22, - msg23, - msg24, - msg25, - msg26, - msg27, - msg28, - msg29, - msg30, - msg31, - msg32, - msg33, - msg34, - msg35, - msg36, - msg37, - ]); - - var part38 = match("MESSAGE#37:URID:01", "nwparser.payload", "T=%{fld3->} ------ 1 - [exit] %{action}: %{disposition}", processor_chain([ - dup16, - dup2, - dup3, - ])); - - var msg38 = msg("URID:01", part38); - - var part39 = tagval("MESSAGE#38:ulogd:01", "nwparser.payload", tvm, { - "action": "action", - "code": "fld30", - "dstip": "daddr", - "dstmac": "dmacaddr", - "dstport": "dport", - "fwrule": "policy_id", - "id": "rule", - "info": "context", - "initf": "sinterface", - "length": "fld25", - "name": "event_description", - "outitf": "dinterface", - "prec": "fld27", - "proto": "fld24", - "seq": "fld23", - "severity": "severity", - "srcip": "saddr", - "srcmac": "smacaddr", - "srcport": "sport", - "sub": "network_service", - "sys": "vsys", - "tcpflags": "fld29", - "tos": "fld26", - "ttl": "fld28", - "type": "fld31", - }, processor_chain([ - dup13, - setc("ec_subject","NetworkComm"), - setc("ec_activity","Scan"), - setc("ec_theme","TEV"), - dup11, - dup2, - dup45, - dup46, - ])); - - var msg39 = msg("ulogd:01", part39); - - var part40 = match("MESSAGE#39:reverseproxy:01", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] ModSecurity for Apache/%{fld5->} (%{fld6}) configured.", processor_chain([ - dup6, - setc("disposition","configured"), - dup2, - dup3, - ])); - - var msg40 = msg("reverseproxy:01", part40); - - var part41 = match("MESSAGE#40:reverseproxy:02", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] ModSecurity: %{fld5->} compiled version=\"%{fld6}\"; loaded version=\"%{fld7}\"", processor_chain([ - dup17, - dup2, - dup3, - ])); - - var msg41 = msg("reverseproxy:02", part41); - - var part42 = 
match("MESSAGE#41:reverseproxy:03", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] ModSecurity: %{fld5->} compiled version=\"%{fld6}\"", processor_chain([ - dup17, - dup2, - dup3, - ])); - - var msg42 = msg("reverseproxy:03", part42); - - var part43 = match("MESSAGE#42:reverseproxy:04", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] %{fld5->} configured -- %{disposition->} normal operations", processor_chain([ - dup17, - setc("event_id","AH00292"), - dup2, - dup3, - ])); - - var msg43 = msg("reverseproxy:04", part43); - - var part44 = match("MESSAGE#43:reverseproxy:06", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [%{fld5}] Hostname in %{network_service->} request (%{fld6}) does not match the server name (%{ddomain})", processor_chain([ - setc("eventcategory","1805010000"), - dup18, - dup2, - dup3, - ])); - - var msg44 = msg("reverseproxy:06", part44); - - var part45 = match("MESSAGE#44:reverseproxy:07/0", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] AH00297: %{action->} received. 
Doing%{p0}"); - - var select4 = linear_select([ - dup19, - ]); - - var part46 = match("MESSAGE#44:reverseproxy:07/2", "nwparser.p0", "%{}graceful %{disposition}"); - - var all1 = all_match({ - processors: [ - part45, - select4, - part46, - ], - on_success: processor_chain([ - dup5, - setc("event_id","AH00297"), - dup2, - dup3, - ]), - }); - - var msg45 = msg("reverseproxy:07", all1); - - var part47 = match("MESSAGE#45:reverseproxy:08", "nwparser.payload", "AH00112: Warning: DocumentRoot [%{web_root}] does not exist", processor_chain([ - dup4, - setc("event_id","AH00112"), - dup2, - dup3, - ])); - - var msg46 = msg("reverseproxy:08", part47); - - var part48 = match("MESSAGE#46:reverseproxy:09", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] AH00094: Command line: '%{web_root}'", processor_chain([ - setc("eventcategory","1605010000"), - setc("event_id","AH00094"), - dup2, - dup3, - ])); - - var msg47 = msg("reverseproxy:09", part48); - - var part49 = match("MESSAGE#47:reverseproxy:10", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] AH00291: long lost child came home! 
(pid %{fld5})", processor_chain([ - dup12, - setc("event_id","AH00291"), - dup2, - dup3, - ])); - - var msg48 = msg("reverseproxy:10", part49); - - var part50 = match("MESSAGE#48:reverseproxy:11", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] AH02572: Failed to configure at least one certificate and key for %{fld5}:%{fld6}", processor_chain([ - dup20, - setc("event_id","AH02572"), - dup2, - dup3, - ])); - - var msg49 = msg("reverseproxy:11", part50); - - var part51 = match("MESSAGE#49:reverseproxy:12", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] SSL Library Error: error:%{resultcode}:%{result}", processor_chain([ - dup20, - setc("context","SSL Library Error"), - dup2, - dup3, - ])); - - var msg50 = msg("reverseproxy:12", part51); - - var part52 = match("MESSAGE#50:reverseproxy:13", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] AH02312: Fatal error initialising mod_ssl, %{disposition}.", processor_chain([ - dup20, - setc("result","Fatal error"), - setc("event_id","AH02312"), - dup2, - dup3, - ])); - - var msg51 = msg("reverseproxy:13", part52); - - var part53 = match("MESSAGE#51:reverseproxy:14", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] AH00020: Configuration Failed, %{disposition}", processor_chain([ - dup20, - setc("result","Configuration Failed"), - setc("event_id","AH00020"), - dup2, - dup3, - ])); - - var msg52 = msg("reverseproxy:14", part53); - - var part54 = match("MESSAGE#52:reverseproxy:15", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] AH00098: pid file %{filename->} overwritten -- Unclean shutdown of previous Apache run?", processor_chain([ - setc("eventcategory","1609000000"), - setc("context","Unclean shutdown"), - setc("event_id","AH00098"), - dup2, - dup3, - ])); - - var msg53 = msg("reverseproxy:15", part54); - - var part55 = 
match("MESSAGE#53:reverseproxy:16", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] AH00295: caught %{action}, %{disposition}", processor_chain([ - dup16, - setc("event_id","AH00295"), - dup2, - dup3, - ])); - - var msg54 = msg("reverseproxy:16", part55); - - var part56 = match("MESSAGE#54:reverseproxy:17/0", "nwparser.payload", "[%{fld3}] [%{event_log}:%{result}] [pid %{process_id}:%{fld4}] [client %{gateway}] ModSecurity: Warning. %{rulename->} [file \"%(unknown)\"] [line \"%{fld5}\"] [id \"%{rule}\"]%{p0}"); - - var part57 = match("MESSAGE#54:reverseproxy:17/1_0", "nwparser.p0", " [rev \"%{fld6}\"]%{p0}"); - - var select5 = linear_select([ - part57, - dup19, - ]); - - var part58 = match("MESSAGE#54:reverseproxy:17/2", "nwparser.p0", "%{}[msg \"%{comments}\"] [data \"%{daddr}\"] [severity \"%{severity}\"] [ver \"%{policyname}\"] [maturity \"%{fld7}\"] [accuracy \"%{fld8}\"] %{context->} [hostname \"%{dhost}\"] [uri \"%{web_root}\"] [unique_id \"%{operation_id}\"]"); - - var all2 = all_match({ - processors: [ - part56, - select5, - part58, - ], - on_success: processor_chain([ - dup21, - dup2, - dup3, - ]), - }); - - var msg55 = msg("reverseproxy:17", all2); - - var part59 = match("MESSAGE#55:reverseproxy:18", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] No signature found, cookie: %{fld5}", processor_chain([ - dup4, - dup22, - dup2, - dup3, - ])); - - var msg56 = msg("reverseproxy:18", part59); - - var part60 = match("MESSAGE#56:reverseproxy:19", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] %{disposition->} '%{fld5}' from request due to missing/invalid signature", processor_chain([ - dup23, - dup22, - dup2, - dup3, - ])); - - var msg57 = msg("reverseproxy:19", part60); - - var part61 = match("MESSAGE#57:reverseproxy:20", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] 
[client %{gateway}] ModSecurity: Warning. %{rulename->} [file \"%(unknown)\"] [line \"%{fld5}\"] [id \"%{rule}\"] [msg \"%{comments}\"] [hostname \"%{dhost}\"] [uri \"%{web_root}\"] [unique_id \"%{operation_id}\"]", processor_chain([ - dup21, - dup2, - dup3, - ])); - - var msg58 = msg("reverseproxy:20", part61); - - var part62 = match("MESSAGE#58:reverseproxy:21", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] AH01909: %{daddr}:%{dport}:%{fld5->} server certificate does NOT include an ID which matches the server name", processor_chain([ - dup20, - dup18, - setc("event_id","AH01909"), - dup2, - dup3, - ])); - - var msg59 = msg("reverseproxy:21", part62); - - var part63 = match("MESSAGE#59:reverseproxy:22", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] AH01915: Init: (%{daddr}:%{dport}) You configured %{network_service}(%{fld5}) on the %{fld6}(%{fld7}) port!", processor_chain([ - dup20, - setc("comments","Invalid port configuration"), - dup2, - dup3, - ])); - - var msg60 = msg("reverseproxy:22", part63); - - var part64 = match("MESSAGE#60:reverseproxy:23", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] ModSecurity: Rule %{rulename->} [id \"%{rule}\"][file \"%(unknown)\"][line \"%{fld5}\"] - Execution error - PCRE limits exceeded (%{fld6}): (%{fld7}). 
[hostname \"%{dhost}\"] [uri \"%{web_root}\"] [unique_id \"%{operation_id}\"]", processor_chain([ - dup21, - dup2, - dup3, - ])); - - var msg61 = msg("reverseproxy:23", part64); - - var part65 = match("MESSAGE#61:reverseproxy:24", "nwparser.payload", "rManage\\\\x22,\\\\x22manageLiveSystemSettings\\\\x22,\\\\x22accessViewJobs\\\\x22,\\\\x22exportList\\\\...\"] [ver \"%{policyname}\"] [maturity \"%{fld3}\"] [accuracy \"%{fld4}\"] %{context->} [hostname \"%{dhost}\"] [uri \"%{web_root}\"] [unique_id \"%{operation_id}\"]", processor_chain([ - dup21, - dup2, - dup3, - ])); - - var msg62 = msg("reverseproxy:24", part65); - - var part66 = match("MESSAGE#62:reverseproxy:25", "nwparser.payload", "ARGS:userPermissions: [\\\\x22dashletAccessAlertingRecentAlertsPanel\\\\x22,\\\\x22dashletAccessAlerterTopAlertsDashlet\\\\x22,\\\\x22accessViewRules\\\\x22,\\\\x22deployLiveResources\\\\x22,\\\\x22vi...\"] [severity [hostname \"%{dhost}\"] [uri \"%{web_root}\"] [unique_id \"%{operation_id}\"]", processor_chain([ - dup21, - dup2, - dup3, - ])); - - var msg63 = msg("reverseproxy:25", part66); - - var part67 = match("MESSAGE#63:reverseproxy:26/0", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] ModSecurity: %{disposition->} with code %{resultcode->} (%{fld5}). 
%{rulename->} [file \"%(unknown)\"] [line \"%{fld6}\"] [id \"%{rule}\"]%{p0}"); - - var part68 = match("MESSAGE#63:reverseproxy:26/1_0", "nwparser.p0", " [rev \"%{fld7}\"]%{p0}"); - - var select6 = linear_select([ - part68, - dup19, - ]); - - var part69 = match("MESSAGE#63:reverseproxy:26/2", "nwparser.p0", "%{}[msg \"%{comments}\"] [data \"Last Matched Data: %{p0}"); - - var part70 = match("MESSAGE#63:reverseproxy:26/3_0", "nwparser.p0", "%{daddr}:%{dport}\"] [hostname \"%{p0}"); - - var part71 = match("MESSAGE#63:reverseproxy:26/3_1", "nwparser.p0", "%{daddr}\"] [hostname \"%{p0}"); - - var select7 = linear_select([ - part70, - part71, - ]); - - var part72 = match("MESSAGE#63:reverseproxy:26/4", "nwparser.p0", "%{dhost}\"] [uri \"%{web_root}\"] [unique_id \"%{operation_id}\"]"); - - var all3 = all_match({ - processors: [ - part67, - select6, - part69, - select7, - part72, - ], - on_success: processor_chain([ - dup24, - dup2, - dup3, - ]), - }); - - var msg64 = msg("reverseproxy:26", all3); - - var part73 = match("MESSAGE#64:reverseproxy:27", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] [%{fld5}] %{disposition->} while reading reply from cssd, referer: %{web_referer}", processor_chain([ - dup25, - dup2, - dup3, - ])); - - var msg65 = msg("reverseproxy:27", part73); - - var part74 = match("MESSAGE#65:reverseproxy:28", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] [%{fld5}] virus daemon error found in request %{web_root}, referer: %{web_referer}", processor_chain([ - dup26, - setc("result","virus daemon error"), - dup2, - dup3, - ])); - - var msg66 = msg("reverseproxy:28", part74); - - var part75 = match("MESSAGE#66:reverseproxy:29", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] mod_avscan_input_filter: virus found, referer: %{web_referer}", processor_chain([ - dup27, - 
setc("result","virus found"), - dup2, - dup3, - ])); - - var msg67 = msg("reverseproxy:29", part75); - - var part76 = match("MESSAGE#67:reverseproxy:30", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] (13)%{result}: [client %{gateway}] AH01095: prefetch request body failed to %{saddr}:%{sport->} (%{fld5}) from %{fld6->} (), referer: %{web_referer}", processor_chain([ - dup24, - dup28, - dup2, - dup3, - ])); - - var msg68 = msg("reverseproxy:30", part76); - - var part77 = match("MESSAGE#68:reverseproxy:31", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] [%{fld5}] cannot read reply: Operation now in progress (115), referer: %{web_referer}", processor_chain([ - dup25, - setc("result","Cannot read reply"), - dup2, - dup3, - ])); - - var msg69 = msg("reverseproxy:31", part77); - - var part78 = match("MESSAGE#69:reverseproxy:32", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] [%{fld5}] cannot connect: %{result->} (111), referer: %{web_referer}", processor_chain([ - dup25, - dup2, - dup3, - ])); - - var msg70 = msg("reverseproxy:32", part78); - - var part79 = match("MESSAGE#70:reverseproxy:33", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] [%{fld5}] cannot connect: %{result->} (111)", processor_chain([ - dup25, - dup2, - dup3, - ])); - - var msg71 = msg("reverseproxy:33", part79); - - var part80 = match("MESSAGE#71:reverseproxy:34", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] [%{fld5}] virus daemon connection problem found in request %{url}, referer: %{web_referer}", processor_chain([ - dup26, - dup29, - dup2, - dup3, - ])); - - var msg72 = msg("reverseproxy:34", part80); - - var part81 = match("MESSAGE#72:reverseproxy:35", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid 
%{process_id}:%{fld4}] [client %{gateway}] [%{fld5}] virus daemon connection problem found in request %{url}", processor_chain([ - dup26, - dup29, - dup2, - dup3, - ])); - - var msg73 = msg("reverseproxy:35", part81); - - var part82 = match("MESSAGE#73:reverseproxy:36", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] mod_avscan_input_filter: virus found", processor_chain([ - dup27, - setc("result","Virus found"), - dup2, - dup3, - ])); - - var msg74 = msg("reverseproxy:36", part82); - - var part83 = match("MESSAGE#74:reverseproxy:37", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] (13)%{result}: [client %{gateway}] AH01095: prefetch request body failed to %{saddr}:%{sport->} (%{fld5}) from %{fld6->} ()", processor_chain([ - dup24, - dup28, - dup2, - dup3, - ])); - - var msg75 = msg("reverseproxy:37", part83); - - var part84 = match("MESSAGE#75:reverseproxy:38", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] Invalid signature, cookie: JSESSIONID", processor_chain([ - dup25, - dup2, - dup3, - ])); - - var msg76 = msg("reverseproxy:38", part84); - - var part85 = match("MESSAGE#76:reverseproxy:39", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] Form validation failed: Received unhardened form data, referer: %{web_referer}", processor_chain([ - dup23, - setc("result","Form validation failed"), - dup2, - dup3, - ])); - - var msg77 = msg("reverseproxy:39", part85); - - var part86 = match("MESSAGE#77:reverseproxy:40", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] [%{fld5}] sending trickle failed: 103", processor_chain([ - dup25, - setc("result","Sending trickle failed"), - dup2, - dup3, - ])); - - var msg78 = msg("reverseproxy:40", part86); - - var part87 = match("MESSAGE#78:reverseproxy:41", 
"nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] [%{fld5}] client requesting %{web_root->} has %{disposition}", processor_chain([ - dup30, - dup2, - dup3, - ])); - - var msg79 = msg("reverseproxy:41", part87); - - var part88 = match("MESSAGE#79:reverseproxy:42", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] [%{fld5}] mod_avscan_check_file_single_part() called with parameter filename=%(unknown)", processor_chain([ - setc("eventcategory","1603050000"), - dup2, - dup3, - ])); - - var msg80 = msg("reverseproxy:42", part88); - - var part89 = match("MESSAGE#80:reverseproxy:43", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] (70007)The %{disposition->} specified has expired: [client %{gateway}] AH01110: error reading response", processor_chain([ - dup30, - setc("event_id","AH01110"), - setc("result","Error reading response"), - dup2, - dup3, - ])); - - var msg81 = msg("reverseproxy:43", part89); - - var part90 = match("MESSAGE#81:reverseproxy:44", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] (22)%{result}: [client %{gateway}] No form context found when parsing %{fld5->} tag, referer: %{web_referer}", processor_chain([ - setc("eventcategory","1601020000"), - setc("result","No form context found"), - dup2, - dup3, - ])); - - var msg82 = msg("reverseproxy:44", part90); - - var part91 = match("MESSAGE#82:reverseproxy:45", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] (111)%{result}: AH00957: %{network_service}: attempt to connect to %{daddr}:%{dport->} (%{fld5}) failed", processor_chain([ - dup25, - setc("event_id","AH00957"), - dup2, - dup3, - ])); - - var msg83 = msg("reverseproxy:45", part91); - - var part92 = match("MESSAGE#83:reverseproxy:46", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] AH00959: 
ap_proxy_connect_backend disabling worker for (%{daddr}) for %{processing_time}s", processor_chain([ - dup16, - setc("event_id","AH00959"), - setc("result","disabling worker"), - dup2, - dup3, - ])); - - var msg84 = msg("reverseproxy:46", part92); - - var part93 = match("MESSAGE#84:reverseproxy:47", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] [%{fld5}] not all the file sent to the client: %{fld6}, referer: %{web_referer}", processor_chain([ - setc("eventcategory","1801000000"), - setc("context","Not all file sent to client"), - dup2, - dup3, - ])); - - var msg85 = msg("reverseproxy:47", part93); - - var part94 = match("MESSAGE#85:reverseproxy:48", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] AH01114: %{network_service}: failed to make connection to backend: %{daddr}, referer: %{web_referer}", processor_chain([ - dup25, - dup31, - dup32, - dup2, - dup3, - ])); - - var msg86 = msg("reverseproxy:48", part94); - - var part95 = match("MESSAGE#86:reverseproxy:49", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] AH01114: %{network_service}: failed to make connection to backend: %{daddr}", processor_chain([ - dup25, - dup31, - dup32, - dup2, - dup3, - ])); - - var msg87 = msg("reverseproxy:49", part95); - - var part96 = tagval("MESSAGE#87:reverseproxy:05", "nwparser.payload", tvm, { - "cookie": "web_cookie", - "exceptions": "policy_waiver", - "extra": "info", - "host": "dhost", - "id": "policy_id", - "localip": "fld3", - "method": "web_method", - "reason": "comments", - "referer": "web_referer", - "server": "daddr", - "set-cookie": "fld5", - "size": "fld4", - "srcip": "saddr", - "statuscode": "resultcode", - "time": "processing_time", - "url": "web_root", - "user": "username", - }, processor_chain([ - setc("eventcategory","1802000000"), - dup2, - dup3, - ])); - - var msg88 = 
msg("reverseproxy:05", part96); - - var select8 = linear_select([ - msg40, - msg41, - msg42, - msg43, - msg44, - msg45, - msg46, - msg47, - msg48, - msg49, - msg50, - msg51, - msg52, - msg53, - msg54, - msg55, - msg56, - msg57, - msg58, - msg59, - msg60, - msg61, - msg62, - msg63, - msg64, - msg65, - msg66, - msg67, - msg68, - msg69, - msg70, - msg71, - msg72, - msg73, - msg74, - msg75, - msg76, - msg77, - msg78, - msg79, - msg80, - msg81, - msg82, - msg83, - msg84, - msg85, - msg86, - msg87, - msg88, - ]); - - var part97 = tagval("MESSAGE#88:confd-sync", "nwparser.payload", tvm, { - "id": "fld5", - "name": "event_description", - "severity": "severity", - "sub": "service", - "sys": "fld2", - }, processor_chain([ - dup1, - dup11, - dup2, - ])); - - var msg89 = msg("confd-sync", part97); - - var part98 = tagval("MESSAGE#89:confd:01", "nwparser.payload", tvm, { - "account": "logon_id", - "attributes": "obj_name", - "class": "group_object", - "client": "fld3", - "count": "fld4", - "facility": "logon_type", - "id": "fld1", - "name": "event_description", - "node": "node", - "object": "fld6", - "severity": "severity", - "srcip": "saddr", - "storage": "directory", - "sub": "service", - "sys": "fld2", - "type": "obj_type", - "user": "username", - "version": "version", - }, processor_chain([ - dup1, - dup11, - dup2, - ])); - - var msg90 = msg("confd:01", part98); - - var part99 = match("MESSAGE#90:frox", "nwparser.payload", "Frox started%{}", processor_chain([ - dup12, - setc("event_description","frox:FTP Proxy Frox started."), - dup11, - dup2, - ])); - - var msg91 = msg("frox", part99); - - var part100 = match("MESSAGE#91:frox:01", "nwparser.payload", "Listening on %{saddr}:%{sport}", processor_chain([ - dup12, - setc("event_description","frox:FTP Proxy listening on port."), - dup11, - dup2, - ])); - - var msg92 = msg("frox:01", part100); - - var part101 = match("MESSAGE#92:frox:02", "nwparser.payload", "Dropped privileges%{}", processor_chain([ - dup12, - 
setc("event_description","frox:FTP Proxy dropped priveleges."), - dup11, - dup2, - ])); - - var msg93 = msg("frox:02", part101); - - var select9 = linear_select([ - msg91, - msg92, - msg93, - ]); - - var part102 = match("MESSAGE#93:afcd", "nwparser.payload", "Classifier configuration reloaded successfully%{}", processor_chain([ - dup12, - setc("event_description","afcd: IM/P2P Classifier configuration reloaded successfully."), - dup11, - dup2, - ])); - - var msg94 = msg("afcd", part102); - - var part103 = match("MESSAGE#94:ipsec_starter", "nwparser.payload", "Starting strongSwan %{fld2->} IPsec [starter]...", processor_chain([ - dup12, - setc("event_description","ipsec_starter: Starting strongSwan 4.2.3 IPsec [starter]..."), - dup11, - dup2, - ])); - - var msg95 = msg("ipsec_starter", part103); - - var part104 = match("MESSAGE#95:ipsec_starter:01", "nwparser.payload", "IP address or index of physical interface changed -> reinit of ipsec interface%{}", processor_chain([ - dup12, - setc("event_description","ipsec_starter: IP address or index of physical interface changed."), - dup11, - dup2, - ])); - - var msg96 = msg("ipsec_starter:01", part104); - - var select10 = linear_select([ - msg95, - msg96, - ]); - - var part105 = match("MESSAGE#96:pluto", "nwparser.payload", "Starting Pluto (%{info})", processor_chain([ - dup12, - setc("event_description","pluto: Starting Pluto."), - dup11, - dup2, - ])); - - var msg97 = msg("pluto", part105); - - var part106 = match("MESSAGE#97:pluto:01", "nwparser.payload", "including NAT-Traversal patch (%{info})", processor_chain([ - dup12, - setc("event_description","pluto: including NAT-Traversal patch."), - dup11, - dup2, - ])); - - var msg98 = msg("pluto:01", part106); - - var part107 = match("MESSAGE#98:pluto:02", "nwparser.payload", "ike_alg: Activating %{info->} encryption: Ok", processor_chain([ - dup33, - setc("event_description","pluto: Activating encryption algorithm."), - dup11, - dup2, - ])); - - var msg99 = msg("pluto:02", 
part107); - - var part108 = match("MESSAGE#99:pluto:03", "nwparser.payload", "ike_alg: Activating %{info->} hash: Ok", processor_chain([ - dup33, - setc("event_description","pluto: Activating hash algorithm."), - dup11, - dup2, - ])); - - var msg100 = msg("pluto:03", part108); - - var part109 = match("MESSAGE#100:pluto:04", "nwparser.payload", "Testing registered IKE encryption algorithms:%{}", processor_chain([ - dup12, - setc("event_description","pluto: Testing registered IKE encryption algorithms"), - dup11, - dup2, - ])); - - var msg101 = msg("pluto:04", part109); - - var part110 = match("MESSAGE#101:pluto:05", "nwparser.payload", "%{info->} self-test not available", processor_chain([ - dup12, - setc("event_description","pluto: Algorithm self-test not available."), - dup11, - dup2, - ])); - - var msg102 = msg("pluto:05", part110); - - var part111 = match("MESSAGE#102:pluto:06", "nwparser.payload", "%{info->} self-test passed", processor_chain([ - dup12, - setc("event_description","pluto: Algorithm self-test passed."), - dup11, - dup2, - ])); - - var msg103 = msg("pluto:06", part111); - - var part112 = match("MESSAGE#103:pluto:07", "nwparser.payload", "Using KLIPS IPsec interface code%{}", processor_chain([ - dup12, - setc("event_description","pluto: Using KLIPS IPsec interface code"), - dup11, - dup2, - ])); - - var msg104 = msg("pluto:07", part112); - - var part113 = match("MESSAGE#104:pluto:08", "nwparser.payload", "adding interface %{interface->} %{saddr}:%{sport}", processor_chain([ - dup12, - setc("event_description","pluto: adding interface"), - dup11, - dup2, - ])); - - var msg105 = msg("pluto:08", part113); - - var part114 = match("MESSAGE#105:pluto:09", "nwparser.payload", "loading secrets from \"%(unknown)\"", processor_chain([ - dup34, - setc("event_description","pluto: loading secrets"), - dup11, - dup2, - ])); - - var msg106 = msg("pluto:09", part114); - - var part115 = match("MESSAGE#106:pluto:10", "nwparser.payload", "loaded private key file 
'%(unknown)' (%{filename_size->} bytes)", processor_chain([ - dup34, - setc("event_description","pluto: loaded private key file"), - dup11, - dup2, - ])); - - var msg107 = msg("pluto:10", part115); - - var part116 = match("MESSAGE#107:pluto:11", "nwparser.payload", "added connection description \"%{fld2}\"", processor_chain([ - dup12, - setc("event_description","pluto: added connection description"), - dup11, - dup2, - ])); - - var msg108 = msg("pluto:11", part116); - - var part117 = match("MESSAGE#108:pluto:12", "nwparser.payload", "\"%{fld2}\" #%{fld3}: initiating Main Mode", processor_chain([ - dup12, - dup35, - dup11, - dup2, - ])); - - var msg109 = msg("pluto:12", part117); - - var part118 = match("MESSAGE#109:pluto:13", "nwparser.payload", "\"%{fld2}\" #%{fld3}: max number of retransmissions (%{fld4}) reached STATE_MAIN_I1. No response (or no acceptable response) to our first IKE message", processor_chain([ - dup10, - dup36, - dup11, - dup2, - ])); - - var msg110 = msg("pluto:13", part118); - - var part119 = match("MESSAGE#110:pluto:14", "nwparser.payload", "\"%{fld2}\" #%{fld3}: starting keying attempt %{fld4->} of an unlimited number", processor_chain([ - dup12, - dup37, - dup11, - dup2, - ])); - - var msg111 = msg("pluto:14", part119); - - var part120 = match("MESSAGE#111:pluto:15", "nwparser.payload", "forgetting secrets%{}", processor_chain([ - dup12, - setc("event_description","pluto:forgetting secrets"), - dup11, - dup2, - ])); - - var msg112 = msg("pluto:15", part120); - - var part121 = match("MESSAGE#112:pluto:17", "nwparser.payload", "Changing to directory '%{directory}'", processor_chain([ - dup12, - setc("event_description","pluto:Changing to directory"), - dup11, - dup2, - ])); - - var msg113 = msg("pluto:17", part121); - - var part122 = match("MESSAGE#113:pluto:18", "nwparser.payload", "| *time to handle event%{}", processor_chain([ - dup12, - setc("event_description","pluto:*time to handle event"), - dup11, - dup2, - ])); - - var msg114 = 
msg("pluto:18", part122); - - var part123 = match("MESSAGE#114:pluto:19", "nwparser.payload", "| *received kernel message%{}", processor_chain([ - dup12, - setc("event_description","pluto:*received kernel message"), - dup11, - dup2, - ])); - - var msg115 = msg("pluto:19", part123); - - var part124 = match("MESSAGE#115:pluto:20", "nwparser.payload", "| rejected packet:%{}", processor_chain([ - dup25, - setc("event_description","pluto:rejected packet"), - dup11, - dup2, - ])); - - var msg116 = msg("pluto:20", part124); - - var part125 = match("MESSAGE#116:pluto:21", "nwparser.payload", "| next event %{event_type->} in %{fld2->} seconds for #%{fld3}", processor_chain([ - dup12, - dup11, - dup2, - ])); - - var msg117 = msg("pluto:21", part125); - - var part126 = match("MESSAGE#117:pluto:22", "nwparser.payload", "| next event %{event_type->} in %{fld2->} seconds", processor_chain([ - dup12, - dup11, - dup2, - ])); - - var msg118 = msg("pluto:22", part126); - - var part127 = match("MESSAGE#118:pluto:23", "nwparser.payload", "| inserting event %{event_type->} in %{fld2->} seconds for #%{fld3}", processor_chain([ - dup12, - dup11, - dup2, - ])); - - var msg119 = msg("pluto:23", part127); - - var part128 = match("MESSAGE#119:pluto:24", "nwparser.payload", "| event after this is %{event_type->} in %{fld2->} seconds", processor_chain([ - dup12, - dup11, - dup2, - ])); - - var msg120 = msg("pluto:24", part128); - - var part129 = match("MESSAGE#120:pluto:25", "nwparser.payload", "| recent %{action->} activity %{fld2->} seconds ago, %{info}", processor_chain([ - dup12, - dup11, - dup2, - ])); - - var msg121 = msg("pluto:25", part129); - - var part130 = match("MESSAGE#121:pluto:26", "nwparser.payload", "| *received %{rbytes->} bytes from %{saddr}:%{sport->} on %{dinterface}", processor_chain([ - dup12, - dup11, - dup2, - ])); - - var msg122 = msg("pluto:26", part130); - - var part131 = match("MESSAGE#122:pluto:27", "nwparser.payload", "| received %{action->} notification %{msg->} 
with seqno = %{fld2}", processor_chain([ - dup12, - dup11, - dup2, - ])); - - var msg123 = msg("pluto:27", part131); - - var part132 = match("MESSAGE#123:pluto:28", "nwparser.payload", "| sent %{action->} notification %{msg->} with seqno = %{fld2}", processor_chain([ - dup12, - dup11, - dup2, - ])); - - var msg124 = msg("pluto:28", part132); - - var part133 = match("MESSAGE#124:pluto:29", "nwparser.payload", "| inserting event %{event_type}, timeout in %{fld2->} seconds", processor_chain([ - dup12, - dup11, - dup2, - ])); - - var msg125 = msg("pluto:29", part133); - - var part134 = match("MESSAGE#125:pluto:30", "nwparser.payload", "| handling event %{event_type->} for %{saddr->} \"%{fld2}\" #%{fld3}", processor_chain([ - dup12, - dup11, - dup2, - ])); - - var msg126 = msg("pluto:30", part134); - - var part135 = match("MESSAGE#126:pluto:31", "nwparser.payload", "| %{event_description}", processor_chain([ - dup12, - dup11, - dup2, - ])); - - var msg127 = msg("pluto:31", part135); - - var part136 = match("MESSAGE#127:pluto:32", "nwparser.payload", "%{fld2}: asynchronous network error report on %{interface->} for message to %{daddr->} port %{dport}, complainant %{saddr}: Connection refused [errno %{fld4}, origin ICMP type %{icmptype->} code %{icmpcode->} (not authenticated)]", processor_chain([ - dup12, - setc("event_description","not authenticated"), - dup11, - dup2, - ])); - - var msg128 = msg("pluto:32", part136); - - var part137 = match("MESSAGE#128:pluto:33", "nwparser.payload", "\"%{fld2}\"[%{fld4}] %{saddr->} #%{fld3}: initiating Main Mode", processor_chain([ - dup12, - dup35, - dup11, - dup2, - ])); - - var msg129 = msg("pluto:33", part137); - - var part138 = match("MESSAGE#129:pluto:34", "nwparser.payload", "\"%{fld2}\"[%{fld4}] %{saddr->} #%{fld3}: max number of retransmissions (%{fld5}) reached STATE_MAIN_I1. 
No response (or no acceptable response) to our first IKE message", processor_chain([ - dup12, - dup36, - dup11, - dup2, - ])); - - var msg130 = msg("pluto:34", part138); - - var part139 = match("MESSAGE#130:pluto:35", "nwparser.payload", "\"%{fld2}\"[%{fld4}] %{saddr->} #%{fld3}: starting keying attempt %{fld5->} of an unlimited number", processor_chain([ - dup12, - dup37, - dup11, - dup2, - ])); - - var msg131 = msg("pluto:35", part139); - - var select11 = linear_select([ - msg97, - msg98, - msg99, - msg100, - msg101, - msg102, - msg103, - msg104, - msg105, - msg106, - msg107, - msg108, - msg109, - msg110, - msg111, - msg112, - msg113, - msg114, - msg115, - msg116, - msg117, - msg118, - msg119, - msg120, - msg121, - msg122, - msg123, - msg124, - msg125, - msg126, - msg127, - msg128, - msg129, - msg130, - msg131, - ]); - - var part140 = match("MESSAGE#131:xl2tpd", "nwparser.payload", "This binary does not support kernel L2TP.%{}", processor_chain([ - setc("eventcategory","1607000000"), - setc("event_description","xl2tpd:This binary does not support kernel L2TP."), - dup11, - dup2, - ])); - - var msg132 = msg("xl2tpd", part140); - - var part141 = match("MESSAGE#132:xl2tpd:01", "nwparser.payload", "xl2tpd version %{version->} started on PID:%{fld2}", processor_chain([ - dup12, - setc("event_description","xl2tpd:xl2tpd started."), - dup11, - dup2, - ])); - - var msg133 = msg("xl2tpd:01", part141); - - var part142 = match("MESSAGE#133:xl2tpd:02", "nwparser.payload", "Written by %{info}", processor_chain([ - dup12, - dup38, - dup11, - dup2, - ])); - - var msg134 = msg("xl2tpd:02", part142); - - var part143 = match("MESSAGE#134:xl2tpd:03", "nwparser.payload", "Forked by %{info}", processor_chain([ - dup12, - dup38, - dup11, - dup2, - ])); - - var msg135 = msg("xl2tpd:03", part143); - - var part144 = match("MESSAGE#135:xl2tpd:04", "nwparser.payload", "Inherited by %{info}", processor_chain([ - dup12, - dup38, - dup11, - dup2, - ])); - - var msg136 = msg("xl2tpd:04", 
part144); - - var part145 = match("MESSAGE#136:xl2tpd:05", "nwparser.payload", "Listening on IP address %{saddr}, port %{sport}", processor_chain([ - dup12, - dup38, - dup11, - dup2, - ])); - - var msg137 = msg("xl2tpd:05", part145); - - var select12 = linear_select([ - msg132, - msg133, - msg134, - msg135, - msg136, - msg137, - ]); - - var part146 = match("MESSAGE#137:barnyard:01", "nwparser.payload", "Exiting%{}", processor_chain([ - dup12, - setc("event_description","barnyard: Exiting"), - dup11, - dup2, - ])); - - var msg138 = msg("barnyard:01", part146); - - var part147 = match("MESSAGE#138:barnyard:02", "nwparser.payload", "Initializing daemon mode%{}", processor_chain([ - dup12, - setc("event_description","barnyard:Initializing daemon mode"), - dup11, - dup2, - ])); - - var msg139 = msg("barnyard:02", part147); - - var part148 = match("MESSAGE#139:barnyard:03", "nwparser.payload", "Opened spool file '%(unknown)'", processor_chain([ - dup12, - setc("event_description","barnyard:Opened spool file."), - dup11, - dup2, - ])); - - var msg140 = msg("barnyard:03", part148); - - var part149 = match("MESSAGE#140:barnyard:04", "nwparser.payload", "Waiting for new data%{}", processor_chain([ - dup12, - setc("event_description","barnyard:Waiting for new data"), - dup11, - dup2, - ])); - - var msg141 = msg("barnyard:04", part149); - - var select13 = linear_select([ - msg138, - msg139, - msg140, - msg141, - ]); - - var part150 = match("MESSAGE#141:exim:01", "nwparser.payload", "%{fld2}-%{fld3}-%{fld4->} %{fld5}:%{fld6}:%{fld7->} SMTP connection from localhost (%{hostname}) [%{saddr}]:%{sport->} closed by QUIT", processor_chain([ - dup12, - setc("event_description","exim:SMTP connection from localhost closed by QUIT"), - dup11, - dup2, - ])); - - var msg142 = msg("exim:01", part150); - - var part151 = match("MESSAGE#142:exim:02", "nwparser.payload", "%{fld2}-%{fld3}-%{fld4->} %{fld5}:%{fld6}:%{fld7->} [%{saddr}] F=\u003c\u003c%{from}> R=\u003c\u003c%{to}> Accepted: 
%{info}", processor_chain([ - setc("eventcategory","1207010000"), - setc("event_description","exim:e-mail accepted from relay."), - dup11, - dup2, - ])); - - var msg143 = msg("exim:02", part151); - - var part152 = match("MESSAGE#143:exim:03", "nwparser.payload", "%{fld2}-%{fld3}-%{fld4->} %{fld5}:%{fld6}:%{fld7->} %{fld8->} \u003c\u003c= %{from->} H=localhost (%{hostname}) [%{saddr}]:%{sport->} P=%{protocol->} S=%{fld9->} id=%{info}", processor_chain([ - setc("eventcategory","1207000000"), - setc("event_description","exim: e-mail sent."), - dup11, - dup2, - ])); - - var msg144 = msg("exim:03", part152); - - var part153 = match("MESSAGE#144:exim:04", "nwparser.payload", "%{fld2}-%{fld3}-%{fld4->} %{fld5}:%{fld6}:%{fld7->} %{fld8->} == %{from->} R=dnslookup defer (%{fld9}): host lookup did not complete", processor_chain([ - dup39, - setc("event_description","exim: e-mail host lookup did not complete in DNS."), - dup11, - dup2, - ])); - - var msg145 = msg("exim:04", part153); - - var part154 = match("MESSAGE#145:exim:05", "nwparser.payload", "%{fld2}-%{fld3}-%{fld4->} %{fld5}:%{fld6}:%{fld7->} %{fld8->} == %{from->} routing defer (%{fld9}): retry time not reached", processor_chain([ - dup39, - setc("event_description","exim: e-mail routing defer:retry time not reached."), - dup11, - dup2, - ])); - - var msg146 = msg("exim:05", part154); - - var part155 = match("MESSAGE#146:exim:06", "nwparser.payload", "%{fld2}-%{fld3}-%{fld4->} %{fld5}:%{fld6}:%{fld7->} exim %{version->} daemon started: pid=%{fld8}, no queue runs, listening for SMTP on port %{sport->} (%{info}) port %{fld9->} (%{fld10}) and for SMTPS on port %{fld11->} (%{fld12})", processor_chain([ - dup12, - setc("event_description","exim: exim daemon started."), - dup11, - dup2, - ])); - - var msg147 = msg("exim:06", part155); - - var part156 = match("MESSAGE#147:exim:07", "nwparser.payload", "%{fld2}-%{fld3}-%{fld4->} %{fld5}:%{fld6}:%{fld7->} Start queue run: pid=%{fld8}", processor_chain([ - dup12, - 
setc("event_description","exim: Start queue run."), - dup11, - dup2, - ])); - - var msg148 = msg("exim:07", part156); - - var part157 = match("MESSAGE#148:exim:08", "nwparser.payload", "%{fld2}-%{fld3}-%{fld4->} %{fld5}:%{fld6}:%{fld7->} pid %{fld8}: SIGHUP received: re-exec daemon", processor_chain([ - dup12, - setc("event_description","exim: SIGHUP received: re-exec daemon."), - dup11, - dup2, - ])); - - var msg149 = msg("exim:08", part157); - - var part158 = match("MESSAGE#149:exim:09", "nwparser.payload", "%{fld2}-%{fld3}-%{fld4->} %{fld5}:%{fld6}:%{fld7->} SMTP connection from [%{saddr}]:%{sport->} %{info}", processor_chain([ - dup12, - setc("event_description","exim: SMTP connection from host."), - dup11, - dup2, - ])); - - var msg150 = msg("exim:09", part158); - - var part159 = match("MESSAGE#150:exim:10", "nwparser.payload", "%{fld2}-%{fld3}-%{fld4->} %{fld5}:%{fld6}:%{fld7->} rejected EHLO from [%{saddr}]:%{sport->} %{info}", processor_chain([ - dup12, - setc("event_description","exim:rejected EHLO from host."), - dup11, - dup2, - ])); - - var msg151 = msg("exim:10", part159); - - var part160 = match("MESSAGE#151:exim:11", "nwparser.payload", "%{fld2}-%{fld3}-%{fld4->} %{fld5}:%{fld6}:%{fld7->} SMTP protocol synchronization error (%{result}): %{fld8->} H=[%{saddr}]:%{sport->} %{info}", processor_chain([ - dup12, - setc("event_description","exim:SMTP protocol synchronization error rejected connection from host."), - dup11, - dup2, - ])); - - var msg152 = msg("exim:11", part160); - - var part161 = match("MESSAGE#152:exim:12", "nwparser.payload", "%{fld2}-%{fld3}-%{fld4->} %{fld5}:%{fld6}:%{fld7->} TLS error on connection from [%{saddr}]:%{sport->} %{info}", processor_chain([ - dup12, - setc("event_description","exim:TLS error on connection from host."), - dup11, - dup2, - ])); - - var msg153 = msg("exim:12", part161); - - var part162 = match("MESSAGE#153:exim:13", "nwparser.payload", "%{fld2}-%{fld3}-%{fld4->} %{fld5}:%{fld6}:%{fld7->} %{fld10->} == 
%{hostname->} R=%{fld8->} T=%{fld9}: %{info}", processor_chain([ - dup12, - dup40, - dup11, - dup2, - ])); - - var msg154 = msg("exim:13", part162); - - var part163 = match("MESSAGE#154:exim:14", "nwparser.payload", "%{fld2}-%{fld3}-%{fld4->} %{fld5}:%{fld6}:%{fld7->} %{fld10->} %{hostname->} [%{saddr}]:%{sport->} %{info}", processor_chain([ - dup12, - dup40, - dup11, - dup2, - ])); - - var msg155 = msg("exim:14", part163); - - var part164 = match("MESSAGE#155:exim:15", "nwparser.payload", "%{fld2}-%{fld3}-%{fld4->} %{fld5}:%{fld6}:%{fld7->} End queue run: %{info}", processor_chain([ - dup12, - dup40, - dup11, - dup2, - ])); - - var msg156 = msg("exim:15", part164); - - var part165 = match("MESSAGE#156:exim:16", "nwparser.payload", "%{fld2->} %{fld3}", processor_chain([ - dup12, - dup11, - dup2, - ])); - - var msg157 = msg("exim:16", part165); - - var select14 = linear_select([ - msg142, - msg143, - msg144, - msg145, - msg146, - msg147, - msg148, - msg149, - msg150, - msg151, - msg152, - msg153, - msg154, - msg155, - msg156, - msg157, - ]); - - var part166 = match("MESSAGE#157:smtpd:01", "nwparser.payload", "QMGR[%{fld2}]: %{fld3->} moved to work queue", processor_chain([ - dup12, - setc("event_description","smtpd: Process moved to work queue."), - dup11, - dup2, - ])); - - var msg158 = msg("smtpd:01", part166); - - var part167 = match("MESSAGE#158:smtpd:02", "nwparser.payload", "SCANNER[%{fld3}]: id=\"1000\" severity=\"%{severity}\" sys=\"%{fld4}\" sub=\"%{service}\" name=\"%{event_description}\" srcip=\"%{saddr}\" from=\"%{from}\" to=\"%{to}\" subject=\"%{subject}\" queueid=\"%{fld5}\" size=\"%{rbytes}\"", processor_chain([ - setc("eventcategory","1207010100"), - dup11, - dup2, - ])); - - var msg159 = msg("smtpd:02", part167); - - var part168 = match("MESSAGE#159:smtpd:03", "nwparser.payload", "SCANNER[%{fld3}]: Nothing to do, exiting.", processor_chain([ - dup12, - setc("event_description","smtpd: SCANNER: Nothing to do,exiting."), - dup11, - dup2, - ])); - - 
var msg160 = msg("smtpd:03", part168); - - var part169 = match("MESSAGE#160:smtpd:04", "nwparser.payload", "MASTER[%{fld3}]: QR globally disabled, status two set to 'disabled'", processor_chain([ - dup12, - setc("event_description","smtpd: MASTER:QR globally disabled, status two set to disabled."), - dup11, - dup2, - ])); - - var msg161 = msg("smtpd:04", part169); - - var part170 = match("MESSAGE#161:smtpd:07", "nwparser.payload", "MASTER[%{fld3}]: QR globally disabled, status one set to 'disabled'", processor_chain([ - dup12, - setc("event_description","smtpd: MASTER:QR globally disabled, status one set to disabled."), - dup11, - dup2, - ])); - - var msg162 = msg("smtpd:07", part170); - - var part171 = match("MESSAGE#162:smtpd:05", "nwparser.payload", "MASTER[%{fld3}]: (Re-)loading configuration from Confd", processor_chain([ - dup12, - setc("event_description","smtpd: MASTER:(Re-)loading configuration from Confd."), - dup11, - dup2, - ])); - - var msg163 = msg("smtpd:05", part171); - - var part172 = match("MESSAGE#163:smtpd:06", "nwparser.payload", "MASTER[%{fld3}]: Sending QR one", processor_chain([ - dup12, - setc("event_description","smtpd: MASTER:Sending QR one."), - dup11, - dup2, - ])); - - var msg164 = msg("smtpd:06", part172); - - var select15 = linear_select([ - msg158, - msg159, - msg160, - msg161, - msg162, - msg163, - msg164, - ]); - - var part173 = match("MESSAGE#164:sshd:01", "nwparser.payload", "Did not receive identification string from %{fld18}", processor_chain([ - dup10, - setc("event_description","sshd: Did not receive identification string."), - dup11, - dup2, - ])); - - var msg165 = msg("sshd:01", part173); - - var part174 = match("MESSAGE#165:sshd:02", "nwparser.payload", "Received SIGHUP; restarting.%{}", processor_chain([ - dup12, - setc("event_description","sshd:Received SIGHUP restarting."), - dup11, - dup2, - ])); - - var msg166 = msg("sshd:02", part174); - - var part175 = match("MESSAGE#166:sshd:03", "nwparser.payload", "Server 
listening on %{saddr->} port %{sport}.", processor_chain([ - dup12, - setc("event_description","sshd:Server listening; restarting."), - dup11, - dup2, - ])); - - var msg167 = msg("sshd:03", part175); - - var part176 = match("MESSAGE#167:sshd:04", "nwparser.payload", "Invalid user admin from %{fld18}", processor_chain([ - dup41, - setc("event_description","sshd:Invalid user admin."), - dup11, - dup2, - ])); - - var msg168 = msg("sshd:04", part176); - - var part177 = match("MESSAGE#168:sshd:05", "nwparser.payload", "Failed none for invalid user admin from %{saddr->} port %{sport->} %{fld3}", processor_chain([ - dup41, - setc("event_description","sshd:Failed none for invalid user admin."), - dup11, - dup2, - ])); - - var msg169 = msg("sshd:05", part177); - - var part178 = match("MESSAGE#169:sshd:06", "nwparser.payload", "error: Could not get shadow information for NOUSER%{}", processor_chain([ - dup10, - setc("event_description","sshd:error:Could not get shadow information for NOUSER"), - dup11, - dup2, - ])); - - var msg170 = msg("sshd:06", part178); - - var part179 = match("MESSAGE#170:sshd:07", "nwparser.payload", "Failed password for root from %{saddr->} port %{sport->} %{fld3}", processor_chain([ - dup41, - setc("event_description","sshd:Failed password for root."), - dup11, - dup2, - ])); - - var msg171 = msg("sshd:07", part179); - - var part180 = match("MESSAGE#171:sshd:08", "nwparser.payload", "Accepted password for loginuser from %{saddr->} port %{sport->} %{fld3}", processor_chain([ - setc("eventcategory","1302000000"), - setc("event_description","sshd:Accepted password for loginuser."), - dup11, - dup2, - ])); - - var msg172 = msg("sshd:08", part180); - - var part181 = match("MESSAGE#172:sshd:09", "nwparser.payload", "subsystem request for sftp failed, subsystem not found%{}", processor_chain([ - dup10, - setc("event_description","sshd:subsystem request for sftp failed,subsystem not found."), - dup11, - dup2, - ])); - - var msg173 = msg("sshd:09", part181); 
- - var select16 = linear_select([ - msg165, - msg166, - msg167, - msg168, - msg169, - msg170, - msg171, - msg172, - msg173, - ]); - - var part182 = tagval("MESSAGE#173:aua:01", "nwparser.payload", tvm, { - "caller": "fld4", - "engine": "fld5", - "id": "fld1", - "name": "event_description", - "severity": "severity", - "srcip": "saddr", - "sub": "service", - "sys": "fld2", - "user": "username", - }, processor_chain([ - dup13, - dup11, - dup2, - dup45, - dup46, - ])); - - var msg174 = msg("aua:01", part182); - - var part183 = match("MESSAGE#174:sockd:01", "nwparser.payload", "created new negotiatorchild%{}", processor_chain([ - dup12, - setc("event_description","sockd: created new negotiatorchild."), - dup11, - dup2, - ])); - - var msg175 = msg("sockd:01", part183); - - var part184 = match("MESSAGE#175:sockd:02", "nwparser.payload", "dante/server %{version->} running", processor_chain([ - dup12, - setc("event_description","sockd:dante/server running."), - dup11, - dup2, - ])); - - var msg176 = msg("sockd:02", part184); - - var part185 = match("MESSAGE#176:sockd:03", "nwparser.payload", "sockdexit(): terminating on signal %{fld2}", processor_chain([ - dup12, - setc("event_description","sockd:sockdexit():terminating on signal."), - dup11, - dup2, - ])); - - var msg177 = msg("sockd:03", part185); - - var select17 = linear_select([ - msg175, - msg176, - msg177, - ]); - - var part186 = match("MESSAGE#177:pop3proxy", "nwparser.payload", "Master started%{}", processor_chain([ - dup12, - setc("event_description","pop3proxy:Master started."), - dup11, - dup2, - ])); - - var msg178 = msg("pop3proxy", part186); - - var part187 = tagval("MESSAGE#178:astarosg_TVM", "nwparser.payload", tvm, { - "account": "logon_id", - "action": "action", - "ad_domain": "fld5", - "app-id": "fld20", - "application": "fld19", - "attributes": "obj_name", - "auth": "fld15", - "authtime": "fld9", - "avscantime": "fld12", - "cached": "fld7", - "caller": "fld30", - "category": "policy_id", - 
"categoryname": "info", - "cattime": "fld11", - "class": "group_object", - "client": "fld3", - "content-type": "content_type", - "cookie": "web_cookie", - "count": "fld4", - "device": "fld14", - "dnstime": "fld10", - "dstip": "daddr", - "dstmac": "dmacaddr", - "dstport": "dport", - "engine": "fld31", - "error": "comments", - "exceptions": "fld17", - "extension": "web_extension", - "extra": "info", - "facility": "logon_type", - "file": "filename", - "filename": "filename", - "filteraction": "policyname", - "fullreqtime": "fld13", - "function": "action", - "fwrule": "policy_id", - "group": "group", - "host": "dhost", - "id": "rule", - "info": "context", - "initf": "sinterface", - "length": "fld25", - "line": "fld22", - "localip": "fld31", - "message": "context", - "method": "web_method", - "name": "event_description", - "node": "node", - "object": "fld6", - "outitf": "dinterface", - "prec": "fld30", - "profile": "owner", - "proto": "fld24", - "reason": "comments", - "referer": "web_referer", - "reputation": "fld18", - "request": "fld8", - "seq": "fld23", - "server": "daddr", - "set-cookie": "fld32", - "severity": "severity", - "size": "filename_size", - "srcip": "saddr", - "srcmac": "smacaddr", - "srcport": "sport", - "statuscode": "resultcode", - "storage": "directory", - "sub": "service", - "sys": "vsys", - "tcpflags": "fld29", - "time": "fld21", - "tos": "fld26", - "ttl": "fld28", - "type": "obj_type", - "ua": "fld16", - "url": "url", - "user": "username", - "version": "version", - }, processor_chain([ - dup12, - dup11, - dup2, - dup45, - dup46, - ])); - - var msg179 = msg("astarosg_TVM", part187); - - var part188 = tagval("MESSAGE#179:httpd", "nwparser.payload", tvm, { - "account": "logon_id", - "action": "action", - "ad_domain": "fld5", - "app-id": "fld20", - "application": "fld19", - "attributes": "obj_name", - "auth": "fld15", - "authtime": "fld9", - "avscantime": "fld12", - "cached": "fld7", - "caller": "fld30", - "category": "policy_id", - "categoryname": 
"info", - "cattime": "fld11", - "class": "group_object", - "client": "fld3", - "content-type": "content_type", - "cookie": "web_cookie", - "count": "fld4", - "device": "fld14", - "dnstime": "fld10", - "dstip": "daddr", - "dstmac": "dmacaddr", - "dstport": "dport", - "engine": "fld31", - "error": "comments", - "exceptions": "fld17", - "extension": "web_extension", - "extra": "info", - "facility": "logon_type", - "file": "filename", - "filename": "filename", - "filteraction": "policyname", - "fullreqtime": "fld13", - "function": "action", - "fwrule": "policy_id", - "group": "group", - "host": "dhost", - "id": "rule", - "info": "context", - "initf": "sinterface", - "length": "fld25", - "line": "fld22", - "localip": "fld31", - "message": "context", - "method": "web_method", - "name": "event_description", - "node": "node", - "object": "fld6", - "outitf": "dinterface", - "port": "network_port", - "prec": "fld30", - "profile": "owner", - "proto": "fld24", - "query": "web_query", - "reason": "comments", - "referer": "web_referer", - "reputation": "fld18", - "request": "fld8", - "seq": "fld23", - "server": "daddr", - "set-cookie": "fld32", - "severity": "severity", - "size": "filename_size", - "srcip": "saddr", - "srcmac": "smacaddr", - "srcport": "sport", - "statuscode": "resultcode", - "storage": "directory", - "sub": "service", - "sys": "vsys", - "tcpflags": "fld29", - "time": "fld21", - "tos": "fld26", - "ttl": "fld28", - "type": "obj_type", - "ua": "fld16", - "uid": "uid", - "url": "url", - "user": "username", - "version": "version", - }, processor_chain([ - dup12, - dup11, - dup2, - dup45, - dup46, - ])); - - var msg180 = msg("httpd", part188); - - var part189 = match("MESSAGE#180:httpd:01", "nwparser.payload", "[%{event_log}:%{result}] [pid %{fld3}:%{fld4}] [client %{gateway}] ModSecurity: Warning. 
%{rulename->} [file \"%(unknown)\"] [line \"%{fld5}\"] [id \"%{rule}\"] [rev \"%{fld2}\"] [msg \"%{event_description}\"] [severity \"%{severity}\"] [ver \"%{version}\"] [maturity \"%{fld22}\"] [accuracy \"%{fld23}\"] [tag \"%{fld24}\"] [hostname \"%{dhost}\"] [uri \"%{web_root}\"] [unique_id \"%{operation_id}\"]%{fld25}", processor_chain([ - setc("eventcategory","1502000000"), - dup2, - dup3, - ])); - - var msg181 = msg("httpd:01", part189); - - var select18 = linear_select([ - msg180, - msg181, - ]); - - var part190 = tagval("MESSAGE#181:Sophos_Firewall", "nwparser.payload", tvm, { - "activityname": "fld9", - "appfilter_policy_id": "fld10", - "application": "application", - "application_category": "fld23", - "application_risk": "risk_num", - "application_technology": "fld11", - "appresolvedby": "fld22", - "category": "fld4", - "category_type": "fld5", - "connevent": "fld19", - "connid": "connectionid", - "contenttype": "content_type", - "dir_disp": "fld18", - "domain": "fqdn", - "dst_country_code": "location_dst", - "dst_ip": "daddr", - "dst_port": "dport", - "dstzone": "dst_zone", - "dstzonetype": "fld17", - "duration": "duration", - "exceptions": "fld8", - "fw_rule_id": "rule_uid", - "hb_health": "fld21", - "httpresponsecode": "fld7", - "iap": "id1", - "in_interface": "sinterface", - "ips_policy_id": "policy_id", - "log_component": "event_source", - "log_subtype": "category", - "log_type": "event_type", - "message": "info", - "out_interface": "dinterface", - "override_token": "fld6", - "policy_type": "fld23", - "priority": "severity", - "protocol": "protocol", - "reason": "result", - "recv_bytes": "rbytes", - "recv_pkts": "fld15", - "referer": "web_referer", - "sent_bytes": "sbytes", - "sent_pkts": "fld14", - "src_country_code": "location_src", - "src_ip": "saddr", - "src_mac": "smacaddr", - "src_port": "sport", - "srczone": "src_zone", - "srczonetype": "fld16", - "status": "event_state", - "status_code": "resultcode", - "tran_dst_ip": "dtransaddr", - 
"tran_dst_port": "dtransport",
- "tran_src_ip": "stransaddr",
- "tran_src_port": "stransport",
- "transactionid": "id2",
- "url": "url",
- "user_agent": "user_agent",
- "user_gp": "group",
- "user_name": "username",
- "vconnid": "fld20",
- }, processor_chain([
- setc("eventcategory","1204000000"),
- dup2,
- date_time({
- dest: "event_time",
- args: ["hdate","htime"],
- fmts: [
- [dW,dc("-"),dG,dc("-"),dF,dH,dc(":"),dU,dc(":"),dS],
- ],
- }),
- ]));
-
- var msg182 = msg("Sophos_Firewall", part190);
-
- var chain1 = processor_chain([
- select1,
- msgid_select({
- "Sophos_Firewall": msg182,
- "URID": msg38,
- "afcd": msg94,
- "astarosg_TVM": msg179,
- "aua": msg174,
- "barnyard": select13,
- "confd": msg90,
- "confd-sync": msg89,
- "exim": select14,
- "frox": select9,
- "httpd": select18,
- "httpproxy": select3,
- "ipsec_starter": select10,
- "named": select2,
- "pluto": select11,
- "pop3proxy": msg178,
- "reverseproxy": select8,
- "smtpd": select15,
- "sockd": select17,
- "sshd": select16,
- "ulogd": msg39,
- "xl2tpd": select12,
- }),
- ]);
-
- var part191 = match_copy("MESSAGE#44:reverseproxy:07/1_0", "nwparser.p0", "p0");
-
-- community_id:
-- registered_domain:
- ignore_missing: true
- ignore_failure: true
- field: dns.question.name
- target_field: dns.question.registered_domain
- target_subdomain_field: dns.question.subdomain
- target_etld_field: dns.question.top_level_domain
-- registered_domain:
- ignore_missing: true
- ignore_failure: true
- field: client.domain
- target_field: client.registered_domain
- target_subdomain_field: client.subdomain
- target_etld_field: client.top_level_domain
-- registered_domain:
- ignore_missing: true
- ignore_failure: true
- field: server.domain
- target_field: server.registered_domain
- target_subdomain_field: server.subdomain
- target_etld_field: server.top_level_domain
-- registered_domain:
- ignore_missing: true
- ignore_failure: true
- field: destination.domain
- target_field: destination.registered_domain
- target_subdomain_field: destination.subdomain
- target_etld_field: destination.top_level_domain
-- registered_domain:
- ignore_missing: true
- ignore_failure: true
- field: source.domain
- target_field: source.registered_domain
- target_subdomain_field: source.subdomain
- target_etld_field: source.top_level_domain
-- registered_domain:
- ignore_missing: true
- ignore_failure: true
- field: url.domain
- target_field: url.registered_domain
- target_subdomain_field: url.subdomain
- target_etld_field: url.top_level_domain
-- add_locale: ~
diff --git a/packages/sophos/2.4.1/data_stream/utm/elasticsearch/ingest_pipeline/default.yml b/packages/sophos/2.4.1/data_stream/utm/elasticsearch/ingest_pipeline/default.yml
deleted file mode 100755
index 29f81ca838..0000000000
--- a/packages/sophos/2.4.1/data_stream/utm/elasticsearch/ingest_pipeline/default.yml
+++ /dev/null
@@ -1,84 +0,0 @@
----
-description: Pipeline for Sophos UTM (formerly Astaro Security Gateway).
-
-processors:
- - set:
- field: ecs.version
- value: '8.4.0'
- - gsub:
- field: destination.mac
- ignore_missing: true
- pattern: '[:]'
- replacement: '-'
- - gsub:
- field: source.mac
- ignore_missing: true
- pattern: '[:]'
- replacement: '-'
- - uppercase:
- field: destination.mac
- ignore_missing: true
- - uppercase:
- field: source.mac
- ignore_missing: true
- # User agent
- - user_agent:
- field: user_agent.original
- ignore_missing: true
- # IP Geolocation Lookup
- - geoip:
- field: source.ip
- target_field: source.geo
- ignore_missing: true
- - geoip:
- field: destination.ip
- target_field: destination.geo
- ignore_missing: true
-
- # IP Autonomous System (AS) Lookup
- - geoip:
- database_file: GeoLite2-ASN.mmdb
- field: source.ip
- target_field: source.as
- properties:
- - asn
- - organization_name
- ignore_missing: true
- - geoip:
- database_file: GeoLite2-ASN.mmdb
- field: destination.ip
- target_field: destination.as
- properties:
- - asn
- - organization_name
- ignore_missing: true
- - rename:
- field: source.as.asn
- target_field: source.as.number
- ignore_missing: true
- - rename:
- field: source.as.organization_name
- target_field: source.as.organization.name
- ignore_missing: true
- - rename:
- field: destination.as.asn
- target_field: destination.as.number
- ignore_missing: true
- - rename:
- field: destination.as.organization_name
- target_field: destination.as.organization.name
- ignore_missing: true
- - append:
- field: related.hosts
- value: '{{host.name}}'
- allow_duplicates: false
- if: ctx.host?.name != null && ctx.host?.name != ''
- - remove:
- field: event.original
- if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))"
- ignore_failure: true
- ignore_missing: true
-on_failure:
- - append:
- field: error.message
- value: "{{ _ingest.on_failure_message }}"
diff --git a/packages/sophos/2.4.1/data_stream/utm/fields/base-fields.yml b/packages/sophos/2.4.1/data_stream/utm/fields/base-fields.yml
deleted file mode 100755
index 0c50a77637..0000000000
--- a/packages/sophos/2.4.1/data_stream/utm/fields/base-fields.yml
+++ /dev/null
@@ -1,46 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: event.module
- type: constant_keyword
- description: Event module
- value: sophos
-- name: event.dataset
- type: constant_keyword
- description: Event dataset
- value: sophos.utm
-- name: '@timestamp'
- type: date
- description: Event timestamp.
-- name: container.id
- description: Unique container id.
- ignore_above: 1024
- type: keyword
-- name: input.type
- description: Type of Filebeat input.
- type: keyword
-- name: log.file.path
- description: Full path to the log file this event came from.
- example: /var/log/fun-times.log
- ignore_above: 1024
- type: keyword
-- name: log.source.address
- description: Source address from which the log event was read / sent from.
- type: keyword
-- name: log.flags
- description: Flags for the log file.
- type: keyword
-- name: log.offset
- description: Offset of the entry in the log file.
- type: long
-- name: tags
- description: List of keywords used to tag each event.
- example: '["production", "env2"]'
- ignore_above: 1024
- type: keyword
diff --git a/packages/sophos/2.4.1/data_stream/utm/fields/ecs.yml b/packages/sophos/2.4.1/data_stream/utm/fields/ecs.yml
deleted file mode 100755
index f7e5c95752..0000000000
--- a/packages/sophos/2.4.1/data_stream/utm/fields/ecs.yml
+++ /dev/null
@@ -1,547 +0,0 @@ -- description: |- - Date/time when the event originated. - This is the date/time extracted from the event, typically representing when the event was generated by the source. - If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. - Required field for all events. - name: '@timestamp' - type: date -- description: |- - The domain name of the client system. - This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. - name: client.domain - type: keyword -- description: |- - The highest registered client domain, stripped of the subdomain. - For example, the registered domain for "foo.example.com" is "example.com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". - name: client.registered_domain - type: keyword -- description: |- - The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. - For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. - name: client.subdomain - type: keyword -- description: |- - The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). 
Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". - name: client.top_level_domain - type: keyword -- description: |- - Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: destination.address - type: keyword -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: destination.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: destination.as.organization.name - type: keyword -- description: Bytes sent from the destination to the source. - name: destination.bytes - type: long -- description: |- - The domain name of the destination system. - This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. - name: destination.domain - type: keyword -- description: City name. - name: destination.geo.city_name - type: keyword -- description: Country name. - name: destination.geo.country_name - type: keyword -- description: Longitude and latitude. - name: destination.geo.location - type: geo_point -- description: IP address of the destination (IPv4 or IPv6). - name: destination.ip - type: ip -- description: |- - MAC address of the destination. - The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. 
- name: destination.mac - pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ - type: keyword -- description: |- - Translated ip of destination based NAT sessions (e.g. internet to private DMZ) - Typically used with load balancers, firewalls, or routers. - name: destination.nat.ip - type: ip -- description: |- - Port the source session is translated to by NAT Device. - Typically used with load balancers, firewalls, or routers. - name: destination.nat.port - type: long -- description: Port of the destination. - name: destination.port - type: long -- description: |- - The highest registered destination domain, stripped of the subdomain. - For example, the registered domain for "foo.example.com" is "example.com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". - name: destination.registered_domain - type: keyword -- description: |- - The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. - For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. - name: destination.subdomain - type: keyword -- description: |- - The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". 
- name: destination.top_level_domain - type: keyword -- description: |- - The domain name to which this resource record pertains. - If a chain of CNAME is being resolved, each answer's `name` should be the one that corresponds with the answer's `data`. It should not simply be the original `question.name` repeated. - name: dns.answers.name - type: keyword -- description: The type of data contained in this resource record. - name: dns.answers.type - type: keyword -- description: |- - The highest registered domain, stripped of the subdomain. - For example, the registered domain for "foo.example.com" is "example.com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". - name: dns.question.registered_domain - type: keyword -- description: |- - The subdomain is all of the labels under the registered_domain. - If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. - name: dns.question.subdomain - type: keyword -- description: |- - The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". - name: dns.question.top_level_domain - type: keyword -- description: The type of record being queried. - name: dns.question.type - type: keyword -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. 
- When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: Error message. - name: error.message - type: match_only_text -- description: |- - The action captured by the event. - This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. - name: event.action - type: keyword -- description: |- - Identification code for this event, if one exists. - Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. - name: event.code - type: keyword -- description: |- - Timestamp when an event arrived in the central data store. - This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. - In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. - name: event.ingested - type: date -- description: |- - Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. - This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. - doc_values: false - index: false - name: event.original - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. 
- `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. - Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. - Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. - Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. - name: event.outcome - type: keyword -- description: |- - This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. - Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). - name: event.timezone - type: keyword -- description: |- - Array of file attributes. - Attributes names will vary by platform. Here's a non-exhaustive list of values that are expected in this field: archive, compressed, directory, encrypted, execute, hidden, read, readonly, system, write. - name: file.attributes - normalize: - - array - type: keyword -- description: Directory where the file is located. It should include the drive letter, when appropriate. - name: file.directory - type: keyword -- description: |- - File extension, excluding the leading dot. - Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). - name: file.extension - type: keyword -- description: Name of the file including the extension, without the directory. 
- name: file.name - type: keyword -- description: Full path to the file, including the file name. It should include the drive letter, when appropriate. - multi_fields: - - name: text - type: match_only_text - name: file.path - type: keyword -- description: |- - File size in bytes. - Only relevant when `file.type` is "file". - name: file.size - type: long -- description: File type (file, dir, or symlink). - name: file.type - type: keyword -- description: City name. - name: geo.city_name - type: keyword -- description: Country name. - name: geo.country_name - type: keyword -- description: |- - User-defined description of a location, at the level of granularity they care about. - Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. - Not typically used in automated geolocation. - name: geo.name - type: keyword -- description: Region name. - name: geo.region_name - type: keyword -- description: Unique identifier for the group on the system/platform. - name: group.id - type: keyword -- description: Name of the group. - name: group.name - type: keyword -- description: |- - Hostname of the host. - It normally contains what the `hostname` command returns on the host machine. - name: host.hostname - type: keyword -- description: Host ip addresses. - name: host.ip - normalize: - - array - type: ip -- description: |- - Host MAC addresses. - The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. - name: host.mac - normalize: - - array - pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ - type: keyword -- description: |- - Name of the host. - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. 
- name: host.name - type: keyword -- description: |- - HTTP request method. - The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field. - name: http.request.method - type: keyword -- description: Referrer for this HTTP request. - name: http.request.referrer - type: keyword -- description: |- - Original log level of the log event. - If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). - Some examples are `warn`, `err`, `i`, `informational`. - name: log.level - type: keyword -- description: |- - The Syslog numeric facility of the log event, if available. - According to RFCs 5424 and 3164, this value should be an integer between 0 and 23. - name: log.syslog.facility.code - type: long -- description: |- - Syslog numeric priority of the event, if available. - According to RFCs 5424 and 3164, the priority is 8 * facility + severity. This number is therefore expected to contain a value between 0 and 191. - name: log.syslog.priority - type: long -- description: |- - The Syslog numeric severity of the log event, if available. - If the event source publishing via Syslog provides a different numeric severity value (e.g. firewall, IDS), your source's numeric severity should go to `event.severity`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `event.severity`. - name: log.syslog.severity.code - type: long -- description: |- - For log events the message field contains the log message, optimized for viewing in a log viewer. - For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. - If multiple messages exist, they can be combined into one message. 
- name: message - type: match_only_text -- description: |- - When a specific application or service is identified from network connection details (source/dest IPs, ports, certificates, or wire format), this field captures the application's or service's name. - For example, the original event identifies the network connection being from a specific web service in a `https` network connection, like `facebook` or `twitter`. - The field value must be normalized to lowercase for querying. - name: network.application - type: keyword -- description: |- - Total bytes transferred in both directions. - If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. - name: network.bytes - type: long -- description: |- - Direction of the network traffic. - When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". - When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". - Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. - name: network.direction - type: keyword -- description: Host IP address when the source IP address is the proxy. - name: network.forwarded_ip - type: ip -- description: |- - Total packets transferred in both directions. - If `source.packets` and `destination.packets` are known, `network.packets` is their sum. - name: network.packets - type: long -- description: |- - In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. - The field value must be normalized to lowercase for querying. 
- name: network.protocol - type: keyword -- description: Interface name as reported by the system. - name: observer.egress.interface.name - type: keyword -- description: Interface name as reported by the system. - name: observer.ingress.interface.name - type: keyword -- description: The product name of the observer. - name: observer.product - type: keyword -- description: |- - The type of the observer the data is coming from. - There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. - name: observer.type - type: keyword -- description: Vendor name of the observer. - name: observer.vendor - type: keyword -- description: Observer version. - name: observer.version - type: keyword -- description: |- - Process name. - Sometimes called program name or similar. - multi_fields: - - name: text - type: match_only_text - name: process.name - type: keyword -- description: |- - Process name. - Sometimes called program name or similar. - multi_fields: - - name: text - type: match_only_text - name: process.parent.name - type: keyword -- description: |- - Process title. - The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. - multi_fields: - - name: text - type: match_only_text - name: process.parent.title - type: keyword -- description: Process id. - name: process.pid - type: long -- description: Process id. - name: process.parent.pid - type: long -- description: |- - Process title. - The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. - multi_fields: - - name: text - type: match_only_text - name: process.title - type: keyword -- description: All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. 
- name: related.hosts - normalize: - - array - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - normalize: - - array - type: ip -- description: All the user names or other user identifiers seen on the event. - name: related.user - normalize: - - array - type: keyword -- description: The name of the rule or signature generating the event. - name: rule.name - type: keyword -- description: |- - The domain name of the server system. - This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. - name: server.domain - type: keyword -- description: |- - The highest registered server domain, stripped of the subdomain. - For example, the registered domain for "foo.example.com" is "example.com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". - name: server.registered_domain - type: keyword -- description: |- - The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. - For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. - name: server.subdomain - type: keyword -- description: |- - The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). 
Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". - name: server.top_level_domain - type: keyword -- description: |- - Name of the service data is collected from. - The name of the service is normally user given. This allows for distributed services that run on multiple hosts to correlate the related instances based on the name. - In the case of Elasticsearch the `service.name` could contain the cluster name. For Beats the `service.name` is by default a copy of the `service.type` field if no name is specified. - name: service.name - type: keyword -- description: |- - Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: source.address - type: keyword -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: source.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: source.as.organization.name - type: keyword -- description: Bytes sent from the source to the destination. - name: source.bytes - type: long -- description: |- - The domain name of the source system. - This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. - name: source.domain - type: keyword -- description: City name. - name: source.geo.city_name - type: keyword -- description: Country name. - name: source.geo.country_name - type: keyword -- description: Longitude and latitude. - name: source.geo.location - type: geo_point -- description: IP address of the source (IPv4 or IPv6). 
- name: source.ip - type: ip -- description: |- - MAC address of the source. - The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. - name: source.mac - pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ - type: keyword -- description: |- - Translated ip of source based NAT sessions (e.g. internal client to internet) - Typically connections traversing load balancers, firewalls, or routers. - name: source.nat.ip - type: ip -- description: |- - Translated port of source based NAT sessions. (e.g. internal client to internet) - Typically used with load balancers, firewalls, or routers. - name: source.nat.port - type: long -- description: Port of the source. - name: source.port - type: long -- description: |- - The highest registered source domain, stripped of the subdomain. - For example, the registered domain for "foo.example.com" is "example.com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". - name: source.registered_domain - type: keyword -- description: |- - The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. - For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. 
- name: source.subdomain - type: keyword -- description: |- - The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". - name: source.top_level_domain - type: keyword -- description: List of keywords used to tag each event. - name: tags - normalize: - - array - type: keyword -- description: |- - Domain of the url, such as "www.elastic.co". - In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. - If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. - name: url.domain - type: keyword -- description: |- - Unmodified original url as seen in the event source. - Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. - This field is meant to represent the URL as it was observed, complete or not. - multi_fields: - - name: text - type: match_only_text - name: url.original - type: wildcard -- description: Path of the request, such as "/search". - name: url.path - type: wildcard -- description: |- - The query field describes the query string of the request, such as "q=elasticsearch". - The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. - name: url.query - type: keyword -- description: |- - The highest registered url domain, stripped of the subdomain. 
- For example, the registered domain for "foo.example.com" is "example.com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". - name: url.registered_domain - type: keyword -- description: |- - The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". - name: url.top_level_domain - type: keyword -- description: |- - Name of the directory the user is a member of. - For example, an LDAP or Active Directory domain name. - name: user.domain - type: keyword -- description: User's full name, if available. - multi_fields: - - name: text - type: match_only_text - name: user.full_name - type: keyword -- description: Unique identifier of the user. - name: user.id - type: keyword -- description: Short name or login of the user. - multi_fields: - - name: text - type: match_only_text - name: user.name - type: keyword -- description: Unparsed user_agent string. - multi_fields: - - name: text - type: match_only_text - name: user_agent.original - type: keyword diff --git a/packages/sophos/2.4.1/data_stream/utm/fields/fields.yml b/packages/sophos/2.4.1/data_stream/utm/fields/fields.yml deleted file mode 100755 index ea69cd79e3..0000000000 --- a/packages/sophos/2.4.1/data_stream/utm/fields/fields.yml +++ /dev/null 
@@ -1,1754 +0,0 @@ -- name: rsa - type: group - fields: - - name: internal - type: group - fields: - - name: msg - type: keyword - description: This key is used to capture the raw message that comes into the Log Decoder - - name: messageid - type: keyword - - name: event_desc - type: keyword - - name: message - type: keyword - description: This key captures the contents of instant messages - - name: time - type: date - description: This is the time at which a session hits a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. - - name: level - type: long - description: Deprecated key defined only in table map. - - name: msg_id - type: keyword - description: This is the Message ID1 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: msg_vid - type: keyword - description: This is the Message ID2 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: data - type: keyword - description: Deprecated key defined only in table map. - - name: obj_server - type: keyword - description: Deprecated key defined only in table map. - - name: obj_val - type: keyword - description: Deprecated key defined only in table map. - - name: resource - type: keyword - description: Deprecated key defined only in table map. - - name: obj_id - type: keyword - description: Deprecated key defined only in table map. - - name: statement - type: keyword - description: Deprecated key defined only in table map. - - name: audit_class - type: keyword - description: Deprecated key defined only in table map. 
- - name: entry - type: keyword - description: Deprecated key defined only in table map. - - name: hcode - type: keyword - description: Deprecated key defined only in table map. - - name: inode - type: long - description: Deprecated key defined only in table map. - - name: resource_class - type: keyword - description: Deprecated key defined only in table map. - - name: dead - type: long - description: Deprecated key defined only in table map. - - name: feed_desc - type: keyword - description: This is used to capture the description of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: feed_name - type: keyword - description: This is used to capture the name of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: cid - type: keyword - description: This is the unique identifier used to identify a NetWitness Concentrator. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: device_class - type: keyword - description: This is the Classification of the Log Event Source under a predefined fixed set of Event Source Classifications. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: device_group - type: keyword - description: This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: device_host - type: keyword - description: This is the Hostname of the log Event Source sending the logs to NetWitness. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: device_ip - type: ip - description: This is the IPv4 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: device_ipv6 - type: ip - description: This is the IPv6 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: device_type - type: keyword - description: This is the name of the log parser which parsed a given session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: device_type_id - type: long - description: Deprecated key defined only in table map. - - name: did - type: keyword - description: This is the unique identifier used to identify a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: entropy_req - type: long - description: This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration - - name: entropy_res - type: long - description: This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration - - name: event_name - type: keyword - description: Deprecated key defined only in table map. - - name: feed_category - type: keyword - description: This is used to capture the category of the feed. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: forward_ip - type: ip - description: This key should be used to capture the IPV4 address of a relay system which forwarded the events from the original system to NetWitness. - - name: forward_ipv6 - type: ip - description: This key is used to capture the IPV6 address of a relay system which forwarded the events from the original system to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: header_id - type: keyword - description: This is the Header ID value that identifies the exact log parser header definition that parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: lc_cid - type: keyword - description: This is a unique Identifier of a Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: lc_ctime - type: date - description: This is the time at which a log is collected in a NetWitness Log Collector. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: mcb_req - type: long - description: This key is only used by the Entropy Parser, the most common byte request is simply which byte for each side (0 thru 255) was seen the most - - name: mcb_res - type: long - description: This key is only used by the Entropy Parser, the most common byte response is simply which byte for each side (0 thru 255) was seen the most - - name: mcbc_req - type: long - description: This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams - - name: mcbc_res - type: long - description: This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams - - name: medium - type: long - description: "This key is used to identify if it’s a log/packet session or Layer 2 Encapsulation Type. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. 32 = log, 33 = correlation session, < 32 is packet session" - - name: node_name - type: keyword - description: Deprecated key defined only in table map. - - name: nwe_callback_id - type: keyword - description: This key denotes that event is endpoint related - - name: parse_error - type: keyword - description: This is a special key that stores any Meta key validation error found while parsing a log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: payload_req - type: long - description: This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. 
However, in order to keep - - name: payload_res - type: long - description: This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep - - name: process_vid_dst - type: keyword - description: Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the target process. - - name: process_vid_src - type: keyword - description: Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the source process. - - name: rid - type: long - description: This is a special ID of the Remote Session created by NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: session_split - type: keyword - description: This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: site - type: keyword - description: Deprecated key defined only in table map. - - name: size - type: long - description: This is the size of the session as seen by the NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: sourcefile - type: keyword - description: This is the name of the log file or PCAPs that can be imported into NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: ubc_req - type: long - description: This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 
256 would mean all byte values of 0 thru 255 were seen at least once - - name: ubc_res - type: long - description: This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once - - name: word - type: keyword - description: This is used by the Word Parsing technology to capture the first 5 character of every word in an unparsed log - - name: time - type: group - fields: - - name: event_time - type: date - description: This key is used to capture the time mentioned in a raw session that represents the actual time an event occured in a standard normalized form - - name: duration_time - type: double - description: This key is used to capture the normalized duration/lifetime in seconds. - - name: event_time_str - type: keyword - description: This key is used to capture the incomplete time mentioned in a session as a string - - name: starttime - type: date - description: This key is used to capture the Start time mentioned in a session in a standard form - - name: month - type: keyword - - name: day - type: keyword - - name: endtime - type: date - description: This key is used to capture the End time mentioned in a session in a standard form - - name: timezone - type: keyword - description: This key is used to capture the timezone of the Event Time - - name: duration_str - type: keyword - description: A text string version of the duration - - name: date - type: keyword - - name: year - type: keyword - - name: recorded_time - type: date - description: The event time as recorded by the system the event is collected from. The usage scenario is a multi-tier application where the management layer of the system records it's own timestamp at the time of collection from its child nodes. Must be in timestamp format. 
- - name: datetime - type: keyword - - name: effective_time - type: date - description: This key is the effective time referenced by an individual event in a Standard Timestamp format - - name: expire_time - type: date - description: This key is the timestamp that explicitly refers to an expiration. - - name: process_time - type: keyword - description: Deprecated, use duration.time - - name: hour - type: keyword - - name: min - type: keyword - - name: timestamp - type: keyword - - name: event_queue_time - type: date - description: This key is the Time that the event was queued. - - name: p_time1 - type: keyword - - name: tzone - type: keyword - - name: eventtime - type: keyword - - name: gmtdate - type: keyword - - name: gmttime - type: keyword - - name: p_date - type: keyword - - name: p_month - type: keyword - - name: p_time - type: keyword - - name: p_time2 - type: keyword - - name: p_year - type: keyword - - name: expire_time_str - type: keyword - description: This key is used to capture incomplete timestamp that explicitly refers to an expiration. - - name: stamp - type: date - description: Deprecated key defined only in table map. - - name: misc - type: group - fields: - - name: action - type: keyword - - name: result - type: keyword - description: This key is used to capture the outcome/result string value of an action in a session. - - name: severity - type: keyword - description: This key is used to capture the severity given the session - - name: event_type - type: keyword - description: This key captures the event category type as specified by the event source. - - name: reference_id - type: keyword - description: This key is used to capture an event id from the session directly - - name: version - type: keyword - description: This key captures Version of the application or OS which is generating the event. - - name: disposition - type: keyword - description: This key captures the The end state of an action. 
- - name: result_code - type: keyword - description: This key is used to capture the outcome/result numeric value of an action in a session - - name: category - type: keyword - description: This key is used to capture the category of an event given by the vendor in the session - - name: obj_name - type: keyword - description: This is used to capture name of object - - name: obj_type - type: keyword - description: This is used to capture type of object - - name: event_source - type: keyword - description: "This key captures Source of the event that’s not a hostname" - - name: log_session_id - type: keyword - description: This key is used to capture a sessionid from the session directly - - name: group - type: keyword - description: This key captures the Group Name value - - name: policy_name - type: keyword - description: This key is used to capture the Policy Name only. - - name: rule_name - type: keyword - description: This key captures the Rule Name - - name: context - type: keyword - description: This key captures Information which adds additional context to the event. - - name: change_new - type: keyword - description: "This key is used to capture the new values of the attribute that’s changing in a session" - - name: space - type: keyword - - name: client - type: keyword - description: This key is used to capture only the name of the client application requesting resources of the server. See the user.agent meta key for capture of the specific user agent identifier or browser identification string. - - name: msgIdPart1 - type: keyword - - name: msgIdPart2 - type: keyword - - name: change_old - type: keyword - description: "This key is used to capture the old value of the attribute that’s changing in a session" - - name: operation_id - type: keyword - description: An alert number or operation number. The values should be unique and non-repeating. 
- - name: event_state - type: keyword - description: This key captures the current state of the object/item referenced within the event. Describing an on-going event. - - name: group_object - type: keyword - description: This key captures a collection/grouping of entities. Specific usage - - name: node - type: keyword - description: Common use case is the node name within a cluster. The cluster name is reflected by the host name. - - name: rule - type: keyword - description: This key captures the Rule number - - name: device_name - type: keyword - description: 'This is used to capture name of the Device associated with the node Like: a physical disk, printer, etc' - - name: param - type: keyword - description: This key is the parameters passed as part of a command or application, etc. - - name: change_attrib - type: keyword - description: "This key is used to capture the name of the attribute that’s changing in a session" - - name: event_computer - type: keyword - description: This key is a windows only concept, where this key is used to capture fully qualified domain name in a windows log. - - name: reference_id1 - type: keyword - description: This key is for Linked ID to be used as an addition to "reference.id" - - name: event_log - type: keyword - description: This key captures the Name of the event log - - name: OS - type: keyword - description: This key captures the Name of the Operating System - - name: terminal - type: keyword - description: This key captures the Terminal Names only - - name: msgIdPart3 - type: keyword - - name: filter - type: keyword - description: This key captures Filter used to reduce result set - - name: serial_number - type: keyword - description: This key is the Serial number associated with a physical asset. - - name: checksum - type: keyword - description: This key is used to capture the checksum or hash of the entity such as a file or process. 
Checksum should be used over checksum.src or checksum.dst when it is unclear whether the entity is a source or target of an action. - - name: event_user - type: keyword - description: This key is a windows only concept, where this key is used to capture combination of domain name and username in a windows log. - - name: virusname - type: keyword - description: This key captures the name of the virus - - name: content_type - type: keyword - description: This key is used to capture Content Type only. - - name: group_id - type: keyword - description: This key captures Group ID Number (related to the group name) - - name: policy_id - type: keyword - description: This key is used to capture the Policy ID only, this should be a numeric value, use policy.name otherwise - - name: vsys - type: keyword - description: This key captures Virtual System Name - - name: connection_id - type: keyword - description: This key captures the Connection ID - - name: reference_id2 - type: keyword - description: This key is for the 2nd Linked ID. Can be either linked to "reference.id" or "reference.id1" value but should not be used unless the other two variables are in play. - - name: sensor - type: keyword - description: This key captures Name of the sensor. Typically used in IDS/IPS based devices - - name: sig_id - type: long - description: This key captures IDS/IPS Int Signature ID - - name: port_name - type: keyword - description: 'This key is used for Physical or logical port connection but does NOT include a network port. (Example: Printer port name).' - - name: rule_group - type: keyword - description: This key captures the Rule group name - - name: risk_num - type: double - description: This key captures a Numeric Risk value - - name: trigger_val - type: keyword - description: This key captures the Value of the trigger or threshold condition. 
- - name: log_session_id1 - type: keyword - description: This key is used to capture a Linked (Related) Session ID from the session directly - - name: comp_version - type: keyword - description: This key captures the Version level of a sub-component of a product. - - name: content_version - type: keyword - description: This key captures Version level of a signature or database content. - - name: hardware_id - type: keyword - description: This key is used to capture unique identifier for a device or system (NOT a Mac address) - - name: risk - type: keyword - description: This key captures the non-numeric risk value - - name: event_id - type: keyword - - name: reason - type: keyword - - name: status - type: keyword - - name: mail_id - type: keyword - description: This key is used to capture the mailbox id/name - - name: rule_uid - type: keyword - description: This key is the Unique Identifier for a rule. - - name: trigger_desc - type: keyword - description: This key captures the Description of the trigger or threshold condition. - - name: inout - type: keyword - - name: p_msgid - type: keyword - - name: data_type - type: keyword - - name: msgIdPart4 - type: keyword - - name: error - type: keyword - description: This key captures All non successful Error codes or responses - - name: index - type: keyword - - name: listnum - type: keyword - description: This key is used to capture listname or listnumber, primarily for collecting access-list - - name: ntype - type: keyword - - name: observed_val - type: keyword - description: This key captures the Value observed (from the perspective of the device generating the log). - - name: policy_value - type: keyword - description: This key captures the contents of the policy. 
This contains details about the policy - - name: pool_name - type: keyword - description: This key captures the name of a resource pool - - name: rule_template - type: keyword - description: A default set of parameters which are overlayed onto a rule (or rulename) which efffectively constitutes a template - - name: count - type: keyword - - name: number - type: keyword - - name: sigcat - type: keyword - - name: type - type: keyword - - name: comments - type: keyword - description: Comment information provided in the log message - - name: doc_number - type: long - description: This key captures File Identification number - - name: expected_val - type: keyword - description: This key captures the Value expected (from the perspective of the device generating the log). - - name: job_num - type: keyword - description: This key captures the Job Number - - name: spi_dst - type: keyword - description: Destination SPI Index - - name: spi_src - type: keyword - description: Source SPI Index - - name: code - type: keyword - - name: agent_id - type: keyword - description: This key is used to capture agent id - - name: message_body - type: keyword - description: This key captures the The contents of the message body. - - name: phone - type: keyword - - name: sig_id_str - type: keyword - description: This key captures a string object of the sigid variable. - - name: cmd - type: keyword - - name: misc - type: keyword - - name: name - type: keyword - - name: cpu - type: long - description: This key is the CPU time used in the execution of the event being recorded. - - name: event_desc - type: keyword - description: This key is used to capture a description of an event available directly or inferred - - name: sig_id1 - type: long - description: This key captures IDS/IPS Int Signature ID. 
This must be linked to the sig.id - - name: im_buddyid - type: keyword - - name: im_client - type: keyword - - name: im_userid - type: keyword - - name: pid - type: keyword - - name: priority - type: keyword - - name: context_subject - type: keyword - description: This key is to be used in an audit context where the subject is the object being identified - - name: context_target - type: keyword - - name: cve - type: keyword - description: This key captures CVE (Common Vulnerabilities and Exposures) - an identifier for known information security vulnerabilities. - - name: fcatnum - type: keyword - description: This key captures Filter Category Number. Legacy Usage - - name: library - type: keyword - description: This key is used to capture library information in mainframe devices - - name: parent_node - type: keyword - description: This key captures the Parent Node Name. Must be related to node variable. - - name: risk_info - type: keyword - description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - - name: tcp_flags - type: long - description: This key is captures the TCP flags set in any packet of session - - name: tos - type: long - description: This key describes the type of service - - name: vm_target - type: keyword - description: VMWare Target **VMWARE** only varaible. 
- - name: workspace - type: keyword - description: This key captures Workspace Description - - name: command - type: keyword - - name: event_category - type: keyword - - name: facilityname - type: keyword - - name: forensic_info - type: keyword - - name: jobname - type: keyword - - name: mode - type: keyword - - name: policy - type: keyword - - name: policy_waiver - type: keyword - - name: second - type: keyword - - name: space1 - type: keyword - - name: subcategory - type: keyword - - name: tbdstr2 - type: keyword - - name: alert_id - type: keyword - description: Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - - name: checksum_dst - type: keyword - description: This key is used to capture the checksum or hash of the the target entity such as a process or file. - - name: checksum_src - type: keyword - description: This key is used to capture the checksum or hash of the source entity such as a file or process. - - name: fresult - type: long - description: This key captures the Filter Result - - name: payload_dst - type: keyword - description: This key is used to capture destination payload - - name: payload_src - type: keyword - description: This key is used to capture source payload - - name: pool_id - type: keyword - description: This key captures the identifier (typically numeric field) of a resource pool - - name: process_id_val - type: keyword - description: This key is a failure key for Process ID when it is not an integer value - - name: risk_num_comm - type: double - description: This key captures Risk Number Community - - name: risk_num_next - type: double - description: This key captures Risk Number NextGen - - name: risk_num_sand - type: double - description: This key captures Risk Number SandBox - - name: risk_num_static - type: double - description: This key captures Risk Number Static - - name: risk_suspicious - type: keyword - description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - - name: risk_warning - 
type: keyword - description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - - name: snmp_oid - type: keyword - description: SNMP Object Identifier - - name: sql - type: keyword - description: This key captures the SQL query - - name: vuln_ref - type: keyword - description: This key captures the Vulnerability Reference details - - name: acl_id - type: keyword - - name: acl_op - type: keyword - - name: acl_pos - type: keyword - - name: acl_table - type: keyword - - name: admin - type: keyword - - name: alarm_id - type: keyword - - name: alarmname - type: keyword - - name: app_id - type: keyword - - name: audit - type: keyword - - name: audit_object - type: keyword - - name: auditdata - type: keyword - - name: benchmark - type: keyword - - name: bypass - type: keyword - - name: cache - type: keyword - - name: cache_hit - type: keyword - - name: cefversion - type: keyword - - name: cfg_attr - type: keyword - - name: cfg_obj - type: keyword - - name: cfg_path - type: keyword - - name: changes - type: keyword - - name: client_ip - type: keyword - - name: clustermembers - type: keyword - - name: cn_acttimeout - type: keyword - - name: cn_asn_src - type: keyword - - name: cn_bgpv4nxthop - type: keyword - - name: cn_ctr_dst_code - type: keyword - - name: cn_dst_tos - type: keyword - - name: cn_dst_vlan - type: keyword - - name: cn_engine_id - type: keyword - - name: cn_engine_type - type: keyword - - name: cn_f_switch - type: keyword - - name: cn_flowsampid - type: keyword - - name: cn_flowsampintv - type: keyword - - name: cn_flowsampmode - type: keyword - - name: cn_inacttimeout - type: keyword - - name: cn_inpermbyts - type: keyword - - name: cn_inpermpckts - type: keyword - - name: cn_invalid - type: keyword - - name: cn_ip_proto_ver - type: keyword - - name: cn_ipv4_ident - type: keyword - - name: cn_l_switch - type: keyword - - name: cn_log_did - type: keyword - - name: cn_log_rid - type: keyword - - name: cn_max_ttl - type: keyword - - name: 
cn_maxpcktlen - type: keyword - - name: cn_min_ttl - type: keyword - - name: cn_minpcktlen - type: keyword - - name: cn_mpls_lbl_1 - type: keyword - - name: cn_mpls_lbl_10 - type: keyword - - name: cn_mpls_lbl_2 - type: keyword - - name: cn_mpls_lbl_3 - type: keyword - - name: cn_mpls_lbl_4 - type: keyword - - name: cn_mpls_lbl_5 - type: keyword - - name: cn_mpls_lbl_6 - type: keyword - - name: cn_mpls_lbl_7 - type: keyword - - name: cn_mpls_lbl_8 - type: keyword - - name: cn_mpls_lbl_9 - type: keyword - - name: cn_mplstoplabel - type: keyword - - name: cn_mplstoplabip - type: keyword - - name: cn_mul_dst_byt - type: keyword - - name: cn_mul_dst_pks - type: keyword - - name: cn_muligmptype - type: keyword - - name: cn_sampalgo - type: keyword - - name: cn_sampint - type: keyword - - name: cn_seqctr - type: keyword - - name: cn_spackets - type: keyword - - name: cn_src_tos - type: keyword - - name: cn_src_vlan - type: keyword - - name: cn_sysuptime - type: keyword - - name: cn_template_id - type: keyword - - name: cn_totbytsexp - type: keyword - - name: cn_totflowexp - type: keyword - - name: cn_totpcktsexp - type: keyword - - name: cn_unixnanosecs - type: keyword - - name: cn_v6flowlabel - type: keyword - - name: cn_v6optheaders - type: keyword - - name: comp_class - type: keyword - - name: comp_name - type: keyword - - name: comp_rbytes - type: keyword - - name: comp_sbytes - type: keyword - - name: cpu_data - type: keyword - - name: criticality - type: keyword - - name: cs_agency_dst - type: keyword - - name: cs_analyzedby - type: keyword - - name: cs_av_other - type: keyword - - name: cs_av_primary - type: keyword - - name: cs_av_secondary - type: keyword - - name: cs_bgpv6nxthop - type: keyword - - name: cs_bit9status - type: keyword - - name: cs_context - type: keyword - - name: cs_control - type: keyword - - name: cs_data - type: keyword - - name: cs_datecret - type: keyword - - name: cs_dst_tld - type: keyword - - name: cs_eth_dst_ven - type: keyword - - 
name: cs_eth_src_ven - type: keyword - - name: cs_event_uuid - type: keyword - - name: cs_filetype - type: keyword - - name: cs_fld - type: keyword - - name: cs_if_desc - type: keyword - - name: cs_if_name - type: keyword - - name: cs_ip_next_hop - type: keyword - - name: cs_ipv4dstpre - type: keyword - - name: cs_ipv4srcpre - type: keyword - - name: cs_lifetime - type: keyword - - name: cs_log_medium - type: keyword - - name: cs_loginname - type: keyword - - name: cs_modulescore - type: keyword - - name: cs_modulesign - type: keyword - - name: cs_opswatresult - type: keyword - - name: cs_payload - type: keyword - - name: cs_registrant - type: keyword - - name: cs_registrar - type: keyword - - name: cs_represult - type: keyword - - name: cs_rpayload - type: keyword - - name: cs_sampler_name - type: keyword - - name: cs_sourcemodule - type: keyword - - name: cs_streams - type: keyword - - name: cs_targetmodule - type: keyword - - name: cs_v6nxthop - type: keyword - - name: cs_whois_server - type: keyword - - name: cs_yararesult - type: keyword - - name: description - type: keyword - - name: devvendor - type: keyword - - name: distance - type: keyword - - name: dstburb - type: keyword - - name: edomain - type: keyword - - name: edomaub - type: keyword - - name: euid - type: keyword - - name: facility - type: keyword - - name: finterface - type: keyword - - name: flags - type: keyword - - name: gaddr - type: keyword - - name: id3 - type: keyword - - name: im_buddyname - type: keyword - - name: im_croomid - type: keyword - - name: im_croomtype - type: keyword - - name: im_members - type: keyword - - name: im_username - type: keyword - - name: ipkt - type: keyword - - name: ipscat - type: keyword - - name: ipspri - type: keyword - - name: latitude - type: keyword - - name: linenum - type: keyword - - name: list_name - type: keyword - - name: load_data - type: keyword - - name: location_floor - type: keyword - - name: location_mark - type: keyword - - name: log_id - 
type: keyword - - name: log_type - type: keyword - - name: logid - type: keyword - - name: logip - type: keyword - - name: logname - type: keyword - - name: longitude - type: keyword - - name: lport - type: keyword - - name: mbug_data - type: keyword - - name: misc_name - type: keyword - - name: msg_type - type: keyword - - name: msgid - type: keyword - - name: netsessid - type: keyword - - name: num - type: keyword - - name: number1 - type: keyword - - name: number2 - type: keyword - - name: nwwn - type: keyword - - name: object - type: keyword - - name: operation - type: keyword - - name: opkt - type: keyword - - name: orig_from - type: keyword - - name: owner_id - type: keyword - - name: p_action - type: keyword - - name: p_filter - type: keyword - - name: p_group_object - type: keyword - - name: p_id - type: keyword - - name: p_msgid1 - type: keyword - - name: p_msgid2 - type: keyword - - name: p_result1 - type: keyword - - name: password_chg - type: keyword - - name: password_expire - type: keyword - - name: permgranted - type: keyword - - name: permwanted - type: keyword - - name: pgid - type: keyword - - name: policyUUID - type: keyword - - name: prog_asp_num - type: keyword - - name: program - type: keyword - - name: real_data - type: keyword - - name: rec_asp_device - type: keyword - - name: rec_asp_num - type: keyword - - name: rec_library - type: keyword - - name: recordnum - type: keyword - - name: ruid - type: keyword - - name: sburb - type: keyword - - name: sdomain_fld - type: keyword - - name: sec - type: keyword - - name: sensorname - type: keyword - - name: seqnum - type: keyword - - name: session - type: keyword - - name: sessiontype - type: keyword - - name: sigUUID - type: keyword - - name: spi - type: keyword - - name: srcburb - type: keyword - - name: srcdom - type: keyword - - name: srcservice - type: keyword - - name: state - type: keyword - - name: status1 - type: keyword - - name: svcno - type: keyword - - name: system - type: keyword - - 
name: tbdstr1 - type: keyword - - name: tgtdom - type: keyword - - name: tgtdomain - type: keyword - - name: threshold - type: keyword - - name: type1 - type: keyword - - name: udb_class - type: keyword - - name: url_fld - type: keyword - - name: user_div - type: keyword - - name: userid - type: keyword - - name: username_fld - type: keyword - - name: utcstamp - type: keyword - - name: v_instafname - type: keyword - - name: virt_data - type: keyword - - name: vpnid - type: keyword - - name: autorun_type - type: keyword - description: This is used to capture Auto Run type - - name: cc_number - type: long - description: Valid Credit Card Numbers only - - name: content - type: keyword - description: This key captures the content type from protocol headers - - name: ein_number - type: long - description: Employee Identification Numbers only - - name: found - type: keyword - description: This is used to capture the results of regex match - - name: language - type: keyword - description: This is used to capture list of languages the client support and what it prefers - - name: lifetime - type: long - description: This key is used to capture the session lifetime in seconds. - - name: link - type: keyword - description: This key is used to link the sessions together. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: match - type: keyword - description: This key is for regex match name from search.ini - - name: param_dst - type: keyword - description: This key captures the command line/launch argument of the target process or file - - name: param_src - type: keyword - description: This key captures source parameter - - name: search_text - type: keyword - description: This key captures the Search Text used - - name: sig_name - type: keyword - description: This key is used to capture the Signature Name only. 
- - name: snmp_value - type: keyword - description: SNMP set request value - - name: streams - type: long - description: This key captures number of streams in session - - name: db - type: group - fields: - - name: index - type: keyword - description: This key captures IndexID of the index. - - name: instance - type: keyword - description: This key is used to capture the database server instance name - - name: database - type: keyword - description: This key is used to capture the name of a database or an instance as seen in a session - - name: transact_id - type: keyword - description: This key captures the SQL transantion ID of the current session - - name: permissions - type: keyword - description: This key captures permission or privilege level assigned to a resource. - - name: table_name - type: keyword - description: This key is used to capture the table name - - name: db_id - type: keyword - description: This key is used to capture the unique identifier for a database - - name: db_pid - type: long - description: This key captures the process id of a connection with database server - - name: lread - type: long - description: This key is used for the number of logical reads - - name: lwrite - type: long - description: This key is used for the number of logical writes - - name: pread - type: long - description: This key is used for the number of physical writes - - name: network - type: group - fields: - - name: alias_host - type: keyword - description: This key should be used when the source or destination context of a hostname is not clear.Also it captures the Device Hostname. Any Hostname that isnt ad.computer. 
- - name: domain - type: keyword - - name: host_dst - type: keyword - description: "This key should only be used when it’s a Destination Hostname" - - name: network_service - type: keyword - description: This is used to capture layer 7 protocols/service names - - name: interface - type: keyword - description: This key should be used when the source or destination context of an interface is not clear - - name: network_port - type: long - description: 'Deprecated, use port. NOTE: There is a type discrepancy as currently used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!)' - - name: eth_host - type: keyword - description: Deprecated, use alias.mac - - name: sinterface - type: keyword - description: "This key should only be used when it’s a Source Interface" - - name: dinterface - type: keyword - description: "This key should only be used when it’s a Destination Interface" - - name: vlan - type: long - description: This key should only be used to capture the ID of the Virtual LAN - - name: zone_src - type: keyword - description: "This key should only be used when it’s a Source Zone." - - name: zone - type: keyword - description: This key should be used when the source or destination context of a Zone is not clear - - name: zone_dst - type: keyword - description: "This key should only be used when it’s a Destination Zone." - - name: gateway - type: keyword - description: This key is used to capture the IP Address of the gateway - - name: icmp_type - type: long - description: This key is used to capture the ICMP type only - - name: mask - type: keyword - description: This key is used to capture the device network IPmask. 
- - name: icmp_code - type: long - description: This key is used to capture the ICMP code only - - name: protocol_detail - type: keyword - description: This key should be used to capture additional protocol information - - name: dmask - type: keyword - description: This key is used for Destionation Device network mask - - name: port - type: long - description: This key should only be used to capture a Network Port when the directionality is not clear - - name: smask - type: keyword - description: This key is used for capturing source Network Mask - - name: netname - type: keyword - description: This key is used to capture the network name associated with an IP range. This is configured by the end user. - - name: paddr - type: ip - description: Deprecated - - name: faddr - type: keyword - - name: lhost - type: keyword - - name: origin - type: keyword - - name: remote_domain_id - type: keyword - - name: addr - type: keyword - - name: dns_a_record - type: keyword - - name: dns_ptr_record - type: keyword - - name: fhost - type: keyword - - name: fport - type: keyword - - name: laddr - type: keyword - - name: linterface - type: keyword - - name: phost - type: keyword - - name: ad_computer_dst - type: keyword - description: Deprecated, use host.dst - - name: eth_type - type: long - description: This key is used to capture Ethernet Type, Used for Layer 3 Protocols Only - - name: ip_proto - type: long - description: This key should be used to capture the Protocol number, all the protocol nubers are converted into string in UI - - name: dns_cname_record - type: keyword - - name: dns_id - type: keyword - - name: dns_opcode - type: keyword - - name: dns_resp - type: keyword - - name: dns_type - type: keyword - - name: domain1 - type: keyword - - name: host_type - type: keyword - - name: packet_length - type: keyword - - name: host_orig - type: keyword - description: This is used to capture the original hostname in case of a Forwarding Agent or a Proxy in between. 
- - name: rpayload - type: keyword - description: This key is used to capture the total number of payload bytes seen in the retransmitted packets. - - name: vlan_name - type: keyword - description: This key should only be used to capture the name of the Virtual LAN - - name: investigations - type: group - fields: - - name: ec_activity - type: keyword - description: This key captures the particular event activity(Ex:Logoff) - - name: ec_theme - type: keyword - description: This key captures the Theme of a particular Event(Ex:Authentication) - - name: ec_subject - type: keyword - description: This key captures the Subject of a particular Event(Ex:User) - - name: ec_outcome - type: keyword - description: This key captures the outcome of a particular Event(Ex:Success) - - name: event_cat - type: long - description: This key captures the Event category number - - name: event_cat_name - type: keyword - description: This key captures the event category name corresponding to the event cat code - - name: event_vcat - type: keyword - description: This is a vendor supplied category. This should be used in situations where the vendor has adopted their own event_category taxonomy. - - name: analysis_file - type: keyword - description: This is used to capture all indicators used in a File Analysis. This key should be used to capture an analysis of a file - - name: analysis_service - type: keyword - description: This is used to capture all indicators used in a Service Analysis. This key should be used to capture an analysis of a service - - name: analysis_session - type: keyword - description: This is used to capture all indicators used for a Session Analysis. 
This key should be used to capture an analysis of a session - - name: boc - type: keyword - description: This is used to capture behaviour of compromise - - name: eoc - type: keyword - description: This is used to capture Enablers of Compromise - - name: inv_category - type: keyword - description: This used to capture investigation category - - name: inv_context - type: keyword - description: This used to capture investigation context - - name: ioc - type: keyword - description: This is key capture indicator of compromise - - name: counters - type: group - fields: - - name: dclass_c1 - type: long - description: This is a generic counter key that should be used with the label dclass.c1.str only - - name: dclass_c2 - type: long - description: This is a generic counter key that should be used with the label dclass.c2.str only - - name: event_counter - type: long - description: This is used to capture the number of times an event repeated - - name: dclass_r1 - type: keyword - description: This is a generic ratio key that should be used with the label dclass.r1.str only - - name: dclass_c3 - type: long - description: This is a generic counter key that should be used with the label dclass.c3.str only - - name: dclass_c1_str - type: keyword - description: This is a generic counter string key that should be used with the label dclass.c1 only - - name: dclass_c2_str - type: keyword - description: This is a generic counter string key that should be used with the label dclass.c2 only - - name: dclass_r1_str - type: keyword - description: This is a generic ratio string key that should be used with the label dclass.r1 only - - name: dclass_r2 - type: keyword - description: This is a generic ratio key that should be used with the label dclass.r2.str only - - name: dclass_c3_str - type: keyword - description: This is a generic counter string key that should be used with the label dclass.c3 only - - name: dclass_r3 - type: keyword - description: This is a generic ratio key that 
should be used with the label dclass.r3.str only - - name: dclass_r2_str - type: keyword - description: This is a generic ratio string key that should be used with the label dclass.r2 only - - name: dclass_r3_str - type: keyword - description: This is a generic ratio string key that should be used with the label dclass.r3 only - - name: identity - type: group - fields: - - name: auth_method - type: keyword - description: This key is used to capture authentication methods used only - - name: user_role - type: keyword - description: This key is used to capture the Role of a user only - - name: dn - type: keyword - description: X.500 (LDAP) Distinguished Name - - name: logon_type - type: keyword - description: This key is used to capture the type of logon method used. - - name: profile - type: keyword - description: This key is used to capture the user profile - - name: accesses - type: keyword - description: This key is used to capture actual privileges used in accessing an object - - name: realm - type: keyword - description: Radius realm or similar grouping of accounts - - name: user_sid_dst - type: keyword - description: This key captures Destination User Session ID - - name: dn_src - type: keyword - description: An X.500 (LDAP) Distinguished name that is used in a context that indicates a Source dn - - name: org - type: keyword - description: This key captures the User organization - - name: dn_dst - type: keyword - description: An X.500 (LDAP) Distinguished name that used in a context that indicates a Destination dn - - name: firstname - type: keyword - description: This key is for First Names only, this is used for Healthcare predominantly to capture Patients information - - name: lastname - type: keyword - description: This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information - - name: user_dept - type: keyword - description: User's Department Names only - - name: user_sid_src - type: keyword - description: This 
key captures Source User Session ID - - name: federated_sp - type: keyword - description: This key is the Federated Service Provider. This is the application requesting authentication. - - name: federated_idp - type: keyword - description: This key is the federated Identity Provider. This is the server providing the authentication. - - name: logon_type_desc - type: keyword - description: This key is used to capture the textual description of an integer logon type as stored in the meta key 'logon.type'. - - name: middlename - type: keyword - description: This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information - - name: password - type: keyword - description: This key is for Passwords seen in any session, plain text or encrypted - - name: host_role - type: keyword - description: This key should only be used to capture the role of a Host Machine - - name: ldap - type: keyword - description: "This key is for Uninterpreted LDAP values. Ldap Values that don’t have a clear query or response context" - - name: ldap_query - type: keyword - description: This key is the Search criteria from an LDAP search - - name: ldap_response - type: keyword - description: This key is to capture Results from an LDAP search - - name: owner - type: keyword - description: This is used to capture username the process or service is running as, the author of the task - - name: service_account - type: keyword - description: This key is a windows specific key, used for capturing name of the account a service (referenced in the event) is running under. 
Legacy Usage - - name: email - type: group - fields: - - name: email_dst - type: keyword - description: This key is used to capture the Destination email address only, when the destination context is not clear use email - - name: email_src - type: keyword - description: This key is used to capture the source email address only, when the source context is not clear use email - - name: subject - type: keyword - description: This key is used to capture the subject string from an Email only. - - name: email - type: keyword - description: This key is used to capture a generic email address where the source or destination context is not clear - - name: trans_from - type: keyword - description: Deprecated key defined only in table map. - - name: trans_to - type: keyword - description: Deprecated key defined only in table map. - - name: file - type: group - fields: - - name: privilege - type: keyword - description: Deprecated, use permissions - - name: attachment - type: keyword - description: This key captures the attachment file name - - name: filesystem - type: keyword - - name: binary - type: keyword - description: Deprecated key defined only in table map. 
- - name: filename_dst - type: keyword - description: This is used to capture name of the file targeted by the action - - name: filename_src - type: keyword - description: This is used to capture name of the parent filename, the file which performed the action - - name: filename_tmp - type: keyword - - name: directory_dst - type: keyword - description: This key is used to capture the directory of the target process or file - - name: directory_src - type: keyword - description: This key is used to capture the directory of the source process or file - - name: file_entropy - type: double - description: This is used to capture entropy vale of a file - - name: file_vendor - type: keyword - description: This is used to capture Company name of file located in version_info - - name: task_name - type: keyword - description: This is used to capture name of the task - - name: web - type: group - fields: - - name: fqdn - type: keyword - description: Fully Qualified Domain Names - - name: web_cookie - type: keyword - description: This key is used to capture the Web cookies specifically. - - name: alias_host - type: keyword - - name: reputation_num - type: double - description: Reputation Number of an entity. 
Typically used for Web Domains - - name: web_ref_domain - type: keyword - description: Web referer's domain - - name: web_ref_query - type: keyword - description: This key captures Web referer's query portion of the URL - - name: remote_domain - type: keyword - - name: web_ref_page - type: keyword - description: This key captures Web referer's page information - - name: web_ref_root - type: keyword - description: Web referer's root URL path - - name: cn_asn_dst - type: keyword - - name: cn_rpackets - type: keyword - - name: urlpage - type: keyword - - name: urlroot - type: keyword - - name: p_url - type: keyword - - name: p_user_agent - type: keyword - - name: p_web_cookie - type: keyword - - name: p_web_method - type: keyword - - name: p_web_referer - type: keyword - - name: web_extension_tmp - type: keyword - - name: web_page - type: keyword - - name: threat - type: group - fields: - - name: threat_category - type: keyword - description: This key captures Threat Name/Threat Category/Categorization of alert - - name: threat_desc - type: keyword - description: This key is used to capture the threat description from the session directly or inferred - - name: alert - type: keyword - description: This key is used to capture name of the alert - - name: threat_source - type: keyword - description: This key is used to capture source of the threat - - name: crypto - type: group - fields: - - name: crypto - type: keyword - description: This key is used to capture the Encryption Type or Encryption Key only - - name: cipher_src - type: keyword - description: This key is for Source (Client) Cipher - - name: cert_subject - type: keyword - description: This key is used to capture the Certificate organization only - - name: peer - type: keyword - description: This key is for Encryption peer's IP Address - - name: cipher_size_src - type: long - description: This key captures Source (Client) Cipher Size - - name: ike - type: keyword - description: IKE negotiation phase. 
- - name: scheme - type: keyword - description: This key captures the Encryption scheme used - - name: peer_id - type: keyword - description: "This key is for Encryption peer’s identity" - - name: sig_type - type: keyword - description: This key captures the Signature Type - - name: cert_issuer - type: keyword - - name: cert_host_name - type: keyword - description: Deprecated key defined only in table map. - - name: cert_error - type: keyword - description: This key captures the Certificate Error String - - name: cipher_dst - type: keyword - description: This key is for Destination (Server) Cipher - - name: cipher_size_dst - type: long - description: This key captures Destination (Server) Cipher Size - - name: ssl_ver_src - type: keyword - description: Deprecated, use version - - name: d_certauth - type: keyword - - name: s_certauth - type: keyword - - name: ike_cookie1 - type: keyword - description: "ID of the negotiation — sent for ISAKMP Phase One" - - name: ike_cookie2 - type: keyword - description: "ID of the negotiation — sent for ISAKMP Phase Two" - - name: cert_checksum - type: keyword - - name: cert_host_cat - type: keyword - description: This key is used for the hostname category value of a certificate - - name: cert_serial - type: keyword - description: This key is used to capture the Certificate serial number only - - name: cert_status - type: keyword - description: This key captures Certificate validation status - - name: ssl_ver_dst - type: keyword - description: Deprecated, use version - - name: cert_keysize - type: keyword - - name: cert_username - type: keyword - - name: https_insact - type: keyword - - name: https_valid - type: keyword - - name: cert_ca - type: keyword - description: This key is used to capture the Certificate signing authority only - - name: cert_common - type: keyword - description: This key is used to capture the Certificate common name only - - name: wireless - type: group - fields: - - name: wlan_ssid - type: keyword - 
description: This key is used to capture the ssid of a Wireless Session - - name: access_point - type: keyword - description: This key is used to capture the access point name. - - name: wlan_channel - type: long - description: This is used to capture the channel names - - name: wlan_name - type: keyword - description: This key captures either WLAN number/name - - name: storage - type: group - fields: - - name: disk_volume - type: keyword - description: A unique name assigned to logical units (volumes) within a physical disk - - name: lun - type: keyword - description: Logical Unit Number.This key is a very useful concept in Storage. - - name: pwwn - type: keyword - description: This uniquely identifies a port on a HBA. - - name: physical - type: group - fields: - - name: org_dst - type: keyword - description: This is used to capture the destination organization based on the GEOPIP Maxmind database. - - name: org_src - type: keyword - description: This is used to capture the source organization based on the GEOPIP Maxmind database. 
- - name: healthcare - type: group - fields: - - name: patient_fname - type: keyword - description: This key is for First Names only, this is used for Healthcare predominantly to capture Patients information - - name: patient_id - type: keyword - description: This key captures the unique ID for a patient - - name: patient_lname - type: keyword - description: This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information - - name: patient_mname - type: keyword - description: This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information - - name: endpoint - type: group - fields: - - name: host_state - type: keyword - description: This key is used to capture the current state of the machine, such as blacklisted, infected, firewall disabled and so on - - name: registry_key - type: keyword - description: This key captures the path to the registry key - - name: registry_value - type: keyword - description: This key captures values or decorators used within a registry entry -- name: dns.question.domain - type: keyword - ignore_above: 1024 - description: Server domain. -- name: network.interface.name - type: keyword diff --git a/packages/sophos/2.4.1/data_stream/utm/manifest.yml b/packages/sophos/2.4.1/data_stream/utm/manifest.yml deleted file mode 100755 index 807bd92dda..0000000000 --- a/packages/sophos/2.4.1/data_stream/utm/manifest.yml +++ /dev/null 
@@ -1,204 +0,0 @@ -title: Sophos UTM logs -release: experimental -type: logs -streams: - - input: udp - title: Sophos UTM logs - description: Collect Sophos UTM logs - template_path: udp.yml.hbs - vars: - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: false - default: - - sophos-utm - - forwarded - - name: udp_host - type: text - title: UDP host to listen on - multi: false - required: true - show_user: true - default: localhost - - name: udp_port - type: integer - title: UDP port to listen on - multi: false - required: true - show_user: true - default: 9549 - - name: tz_offset - type: text - title: Timezone offset (+HH:mm format) - required: false - show_user: true - default: "local" - - name: rsa_fields - type: bool - title: Add non-ECS fields - required: false - show_user: true - default: true - - name: keep_raw_fields - type: bool - title: Keep raw parser fields - required: false - show_user: false - default: false - - name: debug - type: bool - title: Enable debug logging - required: false - show_user: false - default: false - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original` - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: > - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. 
- - - input: tcp - title: Sophos UTM logs - description: Collect Sophos UTM logs - template_path: tcp.yml.hbs - vars: - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: false - default: - - sophos-utm - - forwarded - - name: tcp_host - type: text - title: TCP host to listen on - multi: false - required: true - show_user: true - default: localhost - - name: tcp_port - type: integer - title: TCP port to listen on - multi: false - required: true - show_user: true - default: 9549 - - name: tz_offset - type: text - title: Timezone offset (+HH:mm format) - required: false - show_user: true - default: "local" - - name: rsa_fields - type: bool - title: Add non-ECS fields - required: false - show_user: true - default: true - - name: keep_raw_fields - type: bool - title: Keep raw parser fields - required: false - show_user: false - default: false - - name: debug - type: bool - title: Enable debug logging - required: false - show_user: false - default: false - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original` - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: > - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. 
- - - input: logfile - enabled: false - title: Sophos UTM logs - description: Collect Sophos UTM logs from file - vars: - - name: paths - type: text - title: Paths - multi: true - required: true - show_user: true - default: - - /var/log/sophos-utm.log - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: false - default: - - sophos-utm - - forwarded - - name: tz_offset - type: text - title: Timezone offset (+HH:mm format) - required: false - show_user: true - default: "local" - - name: rsa_fields - type: bool - title: Add non-ECS fields - required: false - show_user: true - default: true - - name: keep_raw_fields - type: bool - title: Keep raw parser fields - required: false - show_user: false - default: false - - name: debug - type: bool - title: Enable debug logging - required: false - show_user: false - default: false - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original` - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: >- - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. diff --git a/packages/sophos/2.4.1/data_stream/utm/sample_event.json b/packages/sophos/2.4.1/data_stream/utm/sample_event.json deleted file mode 100755 index 5dbfab0f64..0000000000 --- a/packages/sophos/2.4.1/data_stream/utm/sample_event.json +++ /dev/null 
@@ -1,73 +0,0 @@ -{ - "@timestamp": "2016-01-29T06:09:59.000Z", - "agent": { - "ephemeral_id": "4a4dd5d5-8f82-4911-b531-99290943b6c6", - "id": "9a015053-a5c0-4959-99ab-2b6556a2a396", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "8.0.0" - }, - "data_stream": { - "dataset": "sophos.utm", - "namespace": "ep", - "type": "logs" - }, - "ecs": { - "version": "8.3.0" - }, - "elastic_agent": { - "id": "9a015053-a5c0-4959-99ab-2b6556a2a396", - "snapshot": true, - "version": "8.0.0" - }, - "event": { - "agent_id_status": "verified", - "code": "smtpd", - "dataset": "sophos.utm", - "ingested": "2022-01-25T18:04:29Z", - "timezone": "+00:00" - }, - "host": { - "name": "localhost.localdomain" - }, - "input": { - "type": "udp" - }, - "log": { - "source": { - "address": "172.25.0.7:39467" - } - }, - "message": "smtpd: MASTER:QR globally disabled, status one set to disabled.", - "observer": { - "product": "UTM", - "type": "Firewall", - "vendor": "Sophos" - }, - "process": { - "pid": 905 - }, - "related": { - "hosts": [ - "localhost.localdomain" - ] - }, - "rsa": { - "internal": { - "event_desc": "smtpd: MASTER:QR globally disabled, status one set to disabled.", - "messageid": "smtpd" - }, - "network": { - "alias_host": [ - "localhost.localdomain" - ] - }, - "time": { - "event_time": "2016-01-29T06:09:59.000Z" - } - }, - "tags": [ - "sophos-utm", - "forwarded" - ] -} \ No newline at end of file diff --git a/packages/sophos/2.4.1/data_stream/xg/agent/stream/log.yml.hbs b/packages/sophos/2.4.1/data_stream/xg/agent/stream/log.yml.hbs deleted file mode 100755 index 177b022013..0000000000 --- a/packages/sophos/2.4.1/data_stream/xg/agent/stream/log.yml.hbs +++ /dev/null 
@@ -1,28 +0,0 @@
-paths:
-{{#each paths as |path i|}}
- - {{path}}
-{{/each}}
-exclude_files: [".gz$"]
-tags:
-{{#if preserve_original_event}}
- - preserve_original_event
-{{/if}}
-{{#each tags as |tag i|}}
- - {{tag}}
-{{/each}}
-{{#contains "forwarded" tags}}
-publisher_pipeline.disable_host: true
-{{/contains}}
-processors:
-{{#if processors}}
-{{processors}}
-{{/if}}
-- add_locale: ~
-- add_fields:
- target: '_conf'
- fields:
- default: {{default_host_name}}
- mappings:
-{{#if known_devices}}
- {{known_devices}}
-{{/if}}
diff --git a/packages/sophos/2.4.1/data_stream/xg/agent/stream/tcp.yml.hbs b/packages/sophos/2.4.1/data_stream/xg/agent/stream/tcp.yml.hbs
deleted file mode 100755
index b901abd778..0000000000
--- a/packages/sophos/2.4.1/data_stream/xg/agent/stream/tcp.yml.hbs
+++ /dev/null
@@ -1,31 +0,0 @@
-tcp:
-host: "{{syslog_host}}:{{syslog_port}}"
-tags:
-{{#if preserve_original_event}}
- - preserve_original_event
-{{/if}}
-{{#each tags as |tag i|}}
- - {{tag}}
-{{/each}}
-{{#contains "forwarded" tags}}
-publisher_pipeline.disable_host: true
-{{/contains}}
-{{#if ssl}}
-ssl: {{ssl}}
-{{/if}}
-processors:
-{{#if processors}}
-{{processors}}
-{{/if}}
-- add_locale: ~
-- add_fields:
- target: '_conf'
- fields:
- default: {{default_host_name}}
- mappings:
-{{#if known_devices}}
- {{known_devices}}
-{{/if}}
-{{#if tcp_options}}
-{{tcp_options}}
-{{/if}}
diff --git a/packages/sophos/2.4.1/data_stream/xg/agent/stream/udp.yml.hbs b/packages/sophos/2.4.1/data_stream/xg/agent/stream/udp.yml.hbs
deleted file mode 100755
index 426c9fc440..0000000000
--- a/packages/sophos/2.4.1/data_stream/xg/agent/stream/udp.yml.hbs
+++ /dev/null
@@ -1,25 +0,0 @@
-udp:
-host: "{{syslog_host}}:{{syslog_port}}"
-tags:
-{{#if preserve_original_event}}
- - preserve_original_event
-{{/if}}
-{{#each tags as |tag i|}}
- - {{tag}}
-{{/each}}
-{{#contains "forwarded" tags}}
-publisher_pipeline.disable_host: true
-{{/contains}}
-processors:
-{{#if processors}}
-{{processors}}
-{{/if}}
-- add_locale: ~
-- add_fields:
- target: '_conf'
- fields:
- default: {{default_host_name}}
- mappings:
-{{#if known_devices}}
- {{known_devices}}
-{{/if}}
diff --git a/packages/sophos/2.4.1/data_stream/xg/elasticsearch/ingest_pipeline/antispam.yml b/packages/sophos/2.4.1/data_stream/xg/elasticsearch/ingest_pipeline/antispam.yml
deleted file mode 100755
index 573c3d7f40..0000000000
--- a/packages/sophos/2.4.1/data_stream/xg/elasticsearch/ingest_pipeline/antispam.yml
+++ /dev/null
@@ -1,135 +0,0 @@ ---- -description: Pipeline for parsing Sophos XG firewall logs (anti-spam pipeline). -processors: -####################### -## ECS Event Mapping ## -####################### -- set: - field: event.kind - value: event -- set: - field: event.action - value: "{{sophos.xg.log_subtype}}" - ignore_empty_value: true -- set: - field: event.outcome - value: success - ignore_empty_value: true -- set: - field: event.kind - value: alert - if: '["13001", "13002", "13004", "13005", "13006", "13009", "13012", "13014", "14001", "14002", "15001", "15002"].contains(ctx.event?.code)' -- append: - field: event.category - value: malware - if: '["13001", "13002", "13004", "13005", "13006", "13009", "13014", "14001", "14002", "15001", "15002"].contains(ctx.event?.code)' -- append: - field: event.category - value: intrusion_detection - if: "ctx.event?.code == '13012'" -- append: - field: event.category - value: network -- append: - field: event.type - value: - - allowed - - connection - if: '["13003", "13007", "13008", "13010", "13013", "14003", "15003", "18035"].contains(ctx.event?.code)' -- append: - field: event.type - value: - - info - - denied - - connection - if: '["13001", "13002", "13004", "13005", "13006", "13009", "13012", "13014", "14001", "14002", "15001", "15002"].contains(ctx.event?.code)' - -#################################### -## ECS Destination Mapping -#################################### -- rename: - field: sophos.xg.dst_ip - target_field: destination.ip - ignore_missing: true - if: "ctx.sophos?.xg?.dst_ip != null" -- convert: - field: sophos.xg.dst_port - target_field: destination.port - type: long - ignore_failure: true - ignore_missing: true - if: "ctx.sophos?.xg?.dst_port != null" - -############################### -## ECS Source Mapping -############################### -- rename: - field: sophos.xg.src_ip - target_field: source.ip - ignore_missing: true -- convert: - field: sophos.xg.src_port - target_field: source.port - type: long - 
ignore_failure: true - ignore_missing: true - if: "ctx.sophos?.xg?.src_port != null" -- rename: - field: sophos.xg.src_domainname - target_field: source.domain - ignore_missing: true - -####################### -## ECS Email Mapping ## -####################### -- rename: - field: sophos.xg.from_email_address - target_field: source.user.email - ignore_missing: true -- rename: - field: sophos.xg.to_email_address - target_field: destination.user.email - ignore_missing: true -- append: - field: email.from.address - value: "{{{source.user.email}}}" - if: "ctx?.source?.user?.email != null" -- append: - field: email.to.address - value: "{{{destination.user.email}}}" - if: "ctx?.destination?.user?.email != null" -- set: - field: email.subject - copy_from: sophos.xg.email_subject - if: "ctx?.sophos.xg?.email_subject != null" -- set: - field: email.subject - copy_from: sophos.xg.subject - if: "ctx?.sophos.xg?.subject != null && ctx.email?.subject == null" - -###################### -## ECS Network Mapping -###################### -- rename: - field: sophos.xg.protocol - target_field: network.transport - ignore_missing: true -- lowercase: - field: sophos.xg.log_component - target_field: network.protocol - ignore_missing: true - -############# -## Cleanup ## -############# -- remove: - field: - - sophos.xg.dst_port - - sophos.xg.src_port - - sophos.xg.from_email_address - - sophos.xg.to_email_address - ignore_missing: true -on_failure: -- set: - field: error.message - value: '{{ _ingest.on_failure_message }}' diff --git a/packages/sophos/2.4.1/data_stream/xg/elasticsearch/ingest_pipeline/antivirus.yml b/packages/sophos/2.4.1/data_stream/xg/elasticsearch/ingest_pipeline/antivirus.yml deleted file mode 100755 index cbfa5e2829..0000000000 --- a/packages/sophos/2.4.1/data_stream/xg/elasticsearch/ingest_pipeline/antivirus.yml +++ /dev/null 
@@ -1,222 +0,0 @@ ---- -description: Pipeline for parsing sophos firewall logs (antivirus pipeline) -processors: -####################### -## ECS Event Mapping ## -####################### -- set: - field: event.kind - value: alert -- set: - field: event.action - value: "{{sophos.xg.log_subtype}}" - if: "ctx.sophos?.xg?.log_subtype != null" -- set: - field: event.outcome - value: success - if: "ctx.sophos?.xg?.log_subtype != null" -- append: - field: event.category - value: - - malware - - network - if: "ctx.sophos?.xg?.log_subtype == 'Virus'" -- append: - field: event.type - value: - - info - - denied - - connection - if: "ctx.sophos?.xg?.log_subtype == 'Virus'" -- set: - field: event.kind - value: event - if: '["09002"].contains(ctx.event?.code)' -- append: - field: event.type - value: - - allowed - - connection - if: '["09002"].contains(ctx.event?.code)' -- append: - field: event.category - value: network - if: '["09002"].contains(ctx.event?.code)' - -############################# -## ECS Destination Mapping ## -############################# -- rename: - field: sophos.xg.dst_ip - target_field: destination.ip - ignore_missing: true - if: "ctx.sophos?.xg?.dst_ip != null" -- convert: - field: sophos.xg.dst_port - target_field: destination.port - type: long - ignore_failure: true - ignore_missing: true - if: "ctx.sophos?.xg?.dst_port != null" -- rename: - field: sophos.xg.dstdomain - target_field: destination.domain - ignore_failure: true -- rename: - field: sophos.xg.dst_domainname - target_field: destination.domain - ignore_failure: true - -######################## -## ECS Source Mapping ## -######################## -- rename: - field: sophos.xg.src_ip - target_field: source.ip - ignore_missing: true - if: "ctx.sophos?.xg?.src_ip != null" -- convert: - field: sophos.xg.src_port - target_field: source.port - type: long - ignore_failure: true - ignore_missing: true - if: "ctx.sophos?.xg?.src_port != null" -- rename: - field: sophos.xg.user_name - target_field: 
source.user.name - ignore_missing: true - if: "ctx.sophos?.xg?.user_name != null" -- rename: - field: sophos.xg.src_domainname - target_field: source.domain - ignore_failure: true - -####################### -## ECS Email Mapping ## -####################### -- rename: - field: sophos.xg.from_email_address - target_field: source.user.email - ignore_missing: true -- rename: - field: sophos.xg.to_email_address - target_field: destination.user.email - ignore_missing: true -- append: - field: email.from.address - value: "{{{source.user.email}}}" - if: "ctx?.source?.user?.email != null" -- append: - field: email.to.address - value: "{{{destination.user.email}}}" - if: "ctx?.destination?.user?.email != null" -- set: - field: email.subject - copy_from: sophos.xg.email_subject - if: "ctx?.sophos.xg?.email_subject != null" -- set: - field: email.subject - copy_from: sophos.xg.subject - if: "ctx?.sophos.xg?.subject != null && ctx.email?.subject == null" - -###################### -## ECS Rule Mapping ## -###################### -- rename: - field: sophos.xg.fw_rule_id - target_field: rule.id - ignore_missing: true - if: "ctx.rule?.id == null" - -##################### -## ECS URL Mapping ## -##################### -- rename: - field: sophos.xg.url - target_field: url.original - ignore_missing: true - if: "ctx.sophos?.xg?.url != null" -- uri_parts: - if: ctx.url?.original != null && ctx.url.original.contains("://") - field: url.original - target_field: url -- set: - if: ctx.url?.original != null && ctx.url.original.contains("://") - field: url.full - copy_from: url.original - ignore_empty_value: true -- rename: - field: sophos.xg.domainname - target_field: url.domain - ignore_failure: true - -############################ -## ECS User Agent Mapping ## -############################ -- rename: - field: sophos.xg.user_agent - target_field: user_agent.original - ignore_missing: true - if: "ctx.sophos?.xg?.user_agent != null" -- convert: - field: sophos.xg.status_code - target_field: 
http.response.status_code - type: long - ignore_failure: true - ignore_missing: true - if: "ctx.sophos?.xg?.status_code != null && ctx.sophos?.xg?.status_code != ''" - -###################### -## ECS File Mapping ## -###################### -- rename: - field: sophos.xg.filename - target_field: file.name - ignore_missing: true - if: "ctx.sophos?.xg?.filename != null" -- convert: - field: sophos.xg.file_size - target_field: file.size - type: long - ignore_failure: true - ignore_missing: true - if: "ctx.sophos?.xg?.file_size != null" -- rename: - field: sophos.xg.file_path - target_field: file.directory - ignore_missing: true - if: "ctx.sophos?.xg?.file_path != null" - -###################### -## ECS Network Mapping -###################### -- rename: - field: sophos.xg.protocol - target_field: network.transport - ignore_missing: true -- lowercase: - field: sophos.xg.log_component - target_field: network.protocol - ignore_missing: true - -############# -## Cleanup ## -############# -- lowercase: - field: event.info - ignore_failure: true -- remove: - field: - - sophos.xg.domainname - - sophos.xg.dst_port - - sophos.xg.src_port - - sophos.xg.status_code - - sophos.xg.file_size - - sophos.xg.from_email_address - - sophos.xg.to_email_address - ignore_missing: true -on_failure: -- set: - field: error.message - value: '{{ _ingest.on_failure_message }}' diff --git a/packages/sophos/2.4.1/data_stream/xg/elasticsearch/ingest_pipeline/atp.yml b/packages/sophos/2.4.1/data_stream/xg/elasticsearch/ingest_pipeline/atp.yml deleted file mode 100755 index 47bcb458a6..0000000000 --- a/packages/sophos/2.4.1/data_stream/xg/elasticsearch/ingest_pipeline/atp.yml +++ /dev/null 
@@ -1,120 +0,0 @@ ---- -description: Pipeline for parsing sophos firewall logs (atp pipeline) -processors: -####################### -## ECS Event Mapping ## -####################### -- set: - field: event.kind - value: alert -- set: - field: event.action - value: "{{sophos.xg.log_subtype}}" - if: "ctx.sophos?.xg?.log_subtype != null" -- set: - field: event.outcome - value: success - if: "ctx.sophos?.xg?.log_subtype != null" -- append: - field: event.category - value: - - intrusion_detection - - network - if: '["18009", "18010"].contains(ctx.event?.code)' -- append: - field: event.type - value: - - denied - - connection - if: '["18009", "18010"].contains(ctx.event?.code)' -- rename: - field: sophos.xg.eventid - target_field: event.id - ignore_missing: true - if: "ctx.sophos?.xg?.eventid != null" - -#################################### -## ECS Server/Destination Mapping ## -#################################### -- rename: - field: sophos.xg.destinationip - target_field: destination.ip - ignore_missing: true - if: "ctx.sophos?.xg?.destinationip != null" -- convert: - field: sophos.xg.dst_port - target_field: destination.port - type: long - ignore_failure: true - ignore_missing: true - if: "ctx.sophos?.xg?.dst_port != null" - -############################### -## ECS Client/Source Mapping ## -############################### -- rename: - field: sophos.xg.sourceip - target_field: source.ip - ignore_missing: true - if: "ctx.sophos?.xg?.sourceip != null" -- rename: - field: sophos.xg.src_ip - target_field: source.ip - ignore_missing: true - if: "ctx.sophos?.xg?.src_ip != null" -- convert: - field: sophos.xg.src_port - target_field: source.port - type: long - ignore_failure: true - ignore_missing: true - if: "ctx.sophos?.xg?.src_port != null" -- rename: - field: sophos.xg.user_name - target_field: source.user.name - ignore_missing: true - -##################### -## ECS URL Mapping ## -##################### -- rename: - field: sophos.xg.url - target_field: url.original - 
ignore_missing: true - if: "ctx.sophos?.xg?.url != null" -- uri_parts: - if: ctx.url?.original != null && ctx.url.original.contains("://") - field: url.original - target_field: url -- set: - if: ctx.url?.original != null && ctx.url.original.contains("://") - field: url.full - copy_from: url.original - ignore_empty_value: true - -###################### -## ECS Network Mapping -###################### -- rename: - field: sophos.xg.protocol - target_field: network.transport - ignore_missing: true - -############# -## Cleanup ## -############# -- lowercase: - field: event.action - ignore_failure: true -- lowercase: - field: event.info - ignore_failure: true -- remove: - field: - - sophos.xg.dst_port - - sophos.xg.src_port - ignore_missing: true -on_failure: -- set: - field: error.message - value: '{{ _ingest.on_failure_message }}' diff --git a/packages/sophos/2.4.1/data_stream/xg/elasticsearch/ingest_pipeline/cfilter.yml b/packages/sophos/2.4.1/data_stream/xg/elasticsearch/ingest_pipeline/cfilter.yml deleted file mode 100755 index d8030558aa..0000000000 --- a/packages/sophos/2.4.1/data_stream/xg/elasticsearch/ingest_pipeline/cfilter.yml +++ /dev/null 
@@ -1,168 +0,0 @@ ---- -description: Pipeline for parsing sophos firewall logs (Content Filtering pipeline) -processors: -####################### -## ECS Event Mapping ## -####################### -- set: - field: event.kind - value: event -- set: - field: event.action - value: "{{sophos.xg.log_subtype}}" - if: "ctx.sophos?.xg?.log_subtype != null" -- set: - field: event.outcome - value: success - if: "ctx.sophos?.xg?.log_subtype != null" -- set: - field: event.kind - value: alert - if: 'ctx.sophos?.xg?.log_subtype == "Denied"' -- append: - field: event.category - value: - - malware - - network - if: 'ctx.sophos?.xg?.log_subtype == "Denied"' -- append: - field: event.category - value: network - if: "ctx.sophos?.xg?.log_subtype != 'Denied'" -- append: - field: event.type - value: - - allowed - - connection - if: '["Allowed", "Warned"].contains(ctx.sophos?.xg?.log_subtype)' -- append: - field: event.type - value: - - info - - denied - - connection - if: "ctx.sophos?.xg?.log_subtype == 'Denied'" - -########################## -## ECS Destination Mapping -########################## -- rename: - field: sophos.xg.dst_ip - target_field: destination.ip - ignore_missing: true - if: "ctx.sophos?.xg?.dst_ip != null" -- convert: - field: sophos.xg.dst_port - target_field: destination.port - type: long - ignore_failure: true - ignore_missing: true - if: "ctx.sophos?.xg?.dst_port != null" - -##################### -## ECS Source Mapping -##################### -- rename: - field: sophos.xg.src_ip - target_field: source.ip - ignore_missing: true - if: "ctx.sophos?.xg?.src_ip != null" -- convert: - field: sophos.xg.src_port - target_field: source.port - type: long - ignore_failure: true - ignore_missing: true - if: "ctx.sophos?.xg?.src_port != null" -- rename: - field: sophos.xg.user_name - target_field: source.user.name - ignore_missing: true - if: "ctx.sophos?.xg?.user_name != null" -- rename: - field: sophos.xg.user_gp - target_field: source.user.group.name - ignore_missing: true - 
if: "ctx.sophos?.xg?.user_gp != null" - -##################### -## ECS URL Mapping ## -##################### -- rename: - field: sophos.xg.url - target_field: url.original - ignore_missing: true -- uri_parts: - field: url.original - target_field: url - if: "ctx.url?.original != null" -- set: - field: url.full - copy_from: url.original - ignore_empty_value: true -- rename: - field: sophos.xg.domain - target_field: url.domain - ignore_missing: true - if: ctx.url?.domain == null - -############################ -## ECS User Agent Mapping ## -############################ -- rename: - field: sophos.xg.referer - target_field: http.request.referrer - ignore_missing: true - if: "ctx.sophos?.xg?.referer != null" -- convert: - field: sophos.xg.status_code - target_field: http.response.status_code - type: long - ignore_missing: true - if: "ctx.sophos?.xg?.status_code != null && ctx.sophos?.xg?.status_code != ''" -- convert: - field: sophos.xg.http_status - target_field: http.response.status_code - type: long - ignore_missing: true - if: "ctx.sophos?.xg?.http_status != null && ctx.sophos?.xg?.http_status != '' && ctx.sophos?.xg?.http_status != '0'" -- rename: - field: sophos.xg.user_agent - target_field: user_agent.original - ignore_missing: true -- user_agent: - field: user_agent.original - target_field: user_agent - ignore_missing: true - -###################### -## ECS Network Mapping -###################### -- rename: - field: sophos.xg.protocol - target_field: network.transport - ignore_missing: true -- set: - field: network.protocol - copy_from: url.scheme - override: false - ignore_empty_value: true - -############# -## Cleanup ## -############# -- lowercase: - field: event.action - ignore_failure: true -- remove: - field: - - sophos.xg.dst_port - - sophos.xg.src_port - - sophos.xg.domain - - sophos.xg.http_status - - sophos.xg.http_user_agent - ignore_missing: true -on_failure: -- set: - field: error.message - value: '{{ _ingest.on_failure_message }}' 
diff --git a/packages/sophos/2.4.1/data_stream/xg/elasticsearch/ingest_pipeline/default.yml b/packages/sophos/2.4.1/data_stream/xg/elasticsearch/ingest_pipeline/default.yml
deleted file mode 100755
index a693793783..0000000000
--- a/packages/sophos/2.4.1/data_stream/xg/elasticsearch/ingest_pipeline/default.yml
+++ /dev/null
@@ -1,568 +0,0 @@ ---- -description: Pipeline for parsing Sophos XG firewall logs. -processors: -- set: - field: ecs.version - value: '8.4.0' - -- set: - field: event.original - copy_from: message - override: false -- grok: - field: event.original - patterns: - - '^%{SYSLOG5424PRI}(%{SYSLOGTIMESTAMP} %{NOTSPACE} )?%{GREEDYDATA:message}$' - - '^%{SYSLOG5424PRI}%{GREEDYDATA:message}$' - - '^%{SYSLOGTIMESTAMP} %{HOSTNAME:observer.hostname} %{GREEDYDATA:message}$' - - '%{GREEDYDATA:message}$' - -# split Sophos-XG fields -- kv: - field: message - field_split: " (?=[a-zA-Z0-9_]+=)" - value_split: "=" - prefix: "sophos.xg." - ignore_missing: true - ignore_failure: false - trim_value: "\"" - -- script: - description: Lowercase sophos.xg key name names. - tag: lowercase-sophos-keys - if: ctx.sophos?.xg != null - source: | - def lowercaseMap = [:]; - for(def entry : ctx.sophos.xg.entrySet()){ - lowercaseMap.put(entry.getKey().toLowerCase(), entry.getValue()); - } - ctx.sophos.xg = lowercaseMap; - -# Parse the date -- set: - field: _temp_.time - value: "{{sophos.xg.date}} {{sophos.xg.time}}" - if: ctx.sophos?.xg?.date != null && ctx.sophos?.xg?.time != null -- set: - field: _temp_.time - copy_from: sophos.xg.timestamp - ignore_empty_value: true - if: ctx._temp_?.time == null -- date: - if: ctx._temp_?.time != null && ctx.event?.timezone == null - field: _temp_.time - target_field: "@timestamp" - formats: - - yyyy-MM-dd HH:mm:ss - - yyyy-MM-dd HH:mm:ss Z - - yyyy-MM-dd HH:mm:ss z - - ISO8601 -- date: - if: ctx._temp_?.time != null && ctx.event?.timezone != null - timezone: "{{ event.timezone }}" - field: _temp_.time - target_field: "@timestamp" - formats: - - yyyy-MM-dd HH:mm:ss - - yyyy-MM-dd HH:mm:ss Z - - yyyy-MM-dd HH:mm:ss z - - ISO8601 - -# Sets starts, end and duration when start and duration is known -- script: - lang: painless - if: ctx.sophos?.xg?.duration != null - source: >- - ctx.event.duration = Integer.parseInt(ctx.sophos.xg.duration) * 1000000000L; - 
ctx.event.start = ctx['@timestamp']; - ZonedDateTime start = ZonedDateTime.parse(ctx.event.start); - ctx.event.end = start.plus(ctx.event.duration, ChronoUnit.NANOS); - -# Removes all empty fields -- script: - description: Remove empty fields. - tag: remove-empty-fields - lang: painless - params: - values: - - "" - - "-" - - "N/A" - source: >- - ctx.sophos?.xg.entrySet().removeIf(entry -> params.values.contains(entry.getValue())); - -####################### -## ECS Event Mapping ## -####################### - -# log_id consists of (example: 010101600001): -# log type: 2 digits -# log component: 2 digits -# log subtype: 2 digits -# severity: 1 digit -# message ID: 5 digits -- gsub: - description: Set event.severity from log_id. - field: sophos.xg.log_id - target_field: event.severity - pattern: '^.{6}(.).*$' - replacement: '$1' - ignore_failure: true -- convert: - field: event.severity - type: long - ignore_missing: true -- gsub: - description: Set event.code from log_id. - field: sophos.xg.log_id - target_field: event.code - pattern: '^.{7}(.{5})$' - replacement: '$1' - ignore_failure: true - -##################### -## ECS Log Mapping ## -##################### -- set: - if: ctx.event?.severity == 0 - field: log.level - value: unknown -- set: - if: ctx.event?.severity == 1 - field: log.level - value: alert -- set: - if: ctx.event?.severity == 2 - field: log.level - value: critical -- set: - if: ctx.event?.severity == 3 - field: log.level - value: error -- set: - if: ctx.event?.severity == 4 - field: log.level - value: warning -- set: - if: ctx.event?.severity == 5 - field: log.level - value: notification -- set: - if: ctx.event?.severity == 6 - field: log.level - value: informational -- set: - if: ctx.event?.severity == 7 - field: log.level - value: debug - -- set: - field: log.level - copy_from: sophos.xg.severity - ignore_empty_value: true - -########################## -## ECS Observer Mapping ## -########################## -- set: - field: observer.vendor - value: 
Sophos -- set: - field: observer.product - value: XG -- set: - field: observer.type - value: firewall -- rename: - field: sophos.xg.device_id - target_field: observer.serial_number - ignore_missing: true -- rename: - field: sophos.xg.device_serial_id - target_field: observer.serial_number - ignore_missing: true -- rename: - field: sophos.xg.out_interface - target_field: observer.egress.interface.name - ignore_missing: true -- rename: - field: sophos.xg.in_interface - target_field: observer.ingress.interface.name - ignore_missing: true -- rename: - field: sophos.xg.srczone - target_field: observer.ingress.zone - ignore_missing: true -- rename: - field: sophos.xg.src_zone - target_field: observer.ingress.zone - ignore_missing: true -- rename: - field: sophos.xg.dstzone - target_field: observer.egress.zone - ignore_missing: true -- rename: - field: sophos.xg.dst_zone - target_field: observer.egress.zone - ignore_missing: true -- rename: - field: sophos.xg.srczonetype - target_field: sophos.xg.src_zone_type - ignore_missing: true -- rename: - field: sophos.xg.dstzonetype - target_field: sophos.xg.dst_zone_type - ignore_missing: true - -################### -## Set host.name ## -################### -- script: - lang: painless - if: ctx.observer?.serial_number != null - source: >- - def conf = ctx['_conf']; - if (conf == null) return; - def serial = ctx.observer.serial_number; - def mappings = conf.mappings; - if (mappings == null) return; - def name = conf['default']; - for (def item : mappings) { - if (item.serial_number == serial) { - name = item.hostname; - break; - } - } - if (ctx.host == null) { - ctx.host = new HashMap(); - } - ctx.host.name = name; - -############# -## Cleanup ## -############# -- remove: - field: - - message - - _temp_ - - _conf - - sophos.xg.date - - sophos.xg.time - - sophos.xg.timestamp - - sophos.xg.duration - - sophos.xg.timezone - - sophos.xg.dir_disp - - sophos.xg.log_occurrence - - sophos.xg.nat_rule_id - - sophos.xg.in_display_interface 
- - sophos.xg.out_display_interface - - syslog5424_pri - ignore_missing: true - -- convert: - field: sophos.xg.sent_bytes - target_field: source.bytes - type: long - ignore_failure: true - ignore_missing: true - if: "ctx.sophos?.xg?.sent_bytes != null" -- convert: - field: sophos.xg.bytes_sent - target_field: source.bytes - type: long - ignore_failure: true - ignore_missing: true - if: "ctx.sophos?.xg?.bytes_sent != null" -- convert: - field: sophos.xg.recv_bytes - target_field: destination.bytes - type: long - ignore_failure: true - ignore_missing: true - if: "ctx.sophos?.xg?.recv_bytes != null" -- convert: - field: sophos.xg.bytes_received - target_field: destination.bytes - type: long - ignore_failure: true - ignore_missing: true - if: "ctx.sophos?.xg?.bytes_received != null" - -############################# -## ECS Source/Destination MAC -############################# -- rename: - field: sophos.xg.src_mac - target_field: source.mac - ignore_failure: true -- uppercase: - field: source.mac - ignore_missing: true -- gsub: - field: source.mac - pattern: '[-:. 
]' - replacement: '' - ignore_missing: true -- gsub: - field: source.mac - pattern: '(..)(?!$)' - replacement: '$1-' - ignore_missing: true - -- rename: - field: sophos.xg.dst_mac - target_field: destination.mac - ignore_failure: true -- uppercase: - field: destination.mac - ignore_missing: true -- gsub: - field: destination.mac - pattern: '[-:.]' - replacement: '' - ignore_missing: true -- gsub: - field: destination.mac - pattern: '(..)(?!$)' - replacement: '$1-' - ignore_missing: true - -############################### -## Product Specific Pipelines ## -############################### -- pipeline: - name: '{{ IngestPipeline "antispam" }}' - if: "ctx.sophos?.xg?.log_type == 'Anti-Spam'" -- pipeline: - name: '{{ IngestPipeline "antivirus" }}' - if: "ctx.sophos?.xg?.log_type == 'Anti-Virus'" -- pipeline: - name: '{{ IngestPipeline "atp" }}' - if: "ctx.sophos?.xg?.log_type == 'ATP'" -- pipeline: - name: '{{ IngestPipeline "cfilter" }}' - if: "ctx.sophos?.xg?.log_type == 'Content Filtering'" -- pipeline: - name: '{{ IngestPipeline "event" }}' - if: "ctx.sophos?.xg?.log_type == 'Event'" -- pipeline: - name: '{{ IngestPipeline "firewall" }}' - if: "ctx.sophos?.xg?.log_type == 'Firewall'" -- pipeline: - name: '{{ IngestPipeline "idp" }}' - if: "ctx.sophos?.xg?.log_type == 'IDP'" -- pipeline: - name: '{{ IngestPipeline "sandstorm" }}' - if: "ctx.sophos?.xg?.log_type == 'Sandbox'" -- pipeline: - name: '{{ IngestPipeline "systemhealth" }}' - if: "ctx.sophos?.xg?.log_type == 'System Health'" -- pipeline: - name: '{{ IngestPipeline "waf" }}' - if: "ctx.sophos?.xg?.log_type == 'WAF'" -- pipeline: - name: '{{ IngestPipeline "wifi" }}' - if: "ctx.sophos?.xg?.log_type == 'Wireless Protection'" - -################## -# GeoIP Enrichment -################## -- geoip: - field: source.ip - target_field: source.geo - ignore_missing: true - if: "ctx.source?.geo == null" -- geoip: - field: destination.ip - target_field: destination.geo - ignore_missing: true - if: "ctx.destination?.geo 
== null" -- geoip: - database_file: GeoLite2-ASN.mmdb - field: source.ip - target_field: source.as - properties: - - asn - - organization_name - ignore_missing: true -- geoip: - database_file: GeoLite2-ASN.mmdb - field: destination.ip - target_field: destination.as - properties: - - asn - - organization_name - ignore_missing: true -- geoip: - field: source.nat.ip - target_field: source.geo - ignore_missing: true - if: "ctx.source?.geo == null" -- geoip: - field: destination.nat.ip - target_field: destination.geo - ignore_missing: true - if: "ctx.destination?.geo == null" -- geoip: - database_file: GeoLite2-ASN.mmdb - field: source.nat.ip - target_field: source.as - properties: - - asn - - organization_name - ignore_missing: true - if: "ctx.source?.as == null" -- geoip: - database_file: GeoLite2-ASN.mmdb - field: destination.nat.ip - target_field: destination.as - properties: - - asn - - organization_name - ignore_missing: true - if: "ctx.destination?.as == null" -- rename: - field: source.as.asn - target_field: source.as.number - ignore_missing: true -- rename: - field: source.as.organization_name - target_field: source.as.organization.name - ignore_missing: true -- rename: - field: destination.as.asn - target_field: destination.as.number - ignore_missing: true -- rename: - field: destination.as.organization_name - target_field: destination.as.organization.name - ignore_missing: true - -############## -## ECS Network -############## -- lowercase: - field: network.protocol - ignore_failure: true -- set: - description: Rename pops network.protocol to pop3s. 
- if: ctx.network?.protocol == "pops" - field: network.protocol - value: pop3s -- lowercase: - field: network.transport - ignore_failure: true -- script: - lang: painless - source: "ctx.network.bytes = ctx.source.bytes + ctx.destination.bytes" - if: "ctx.source?.bytes != null && ctx.destination?.bytes != null" - ignore_failure: true -- script: - lang: painless - source: "ctx.network.packets = ctx.source.packets + ctx.destination.packets" - if: "ctx.source?.packets != null && ctx.destination?.packets != null" - ignore_failure: true -- community_id: - ignore_failure: true - -#################### -## ECS Related Hosts -#################### -- append: - if: ctx.host?.name != null - field: related.hosts - value: '{{{host.name}}}' - allow_duplicates: false -- append: - if: ctx.url?.domain != null - field: related.hosts - value: '{{{url.domain}}}' - allow_duplicates: false -- append: - if: ctx.source?.domain != null - field: related.hosts - value: '{{{source.domain}}}' - allow_duplicates: false -- append: - if: ctx.destination?.domain != null - field: related.hosts - value: '{{{destination.domain}}}' - allow_duplicates: false - -################# -## ECS Related IP -################# -- append: - if: ctx.source?.ip != null - field: related.ip - value: '{{{source.ip}}}' - allow_duplicates: false -- append: - if: ctx.destination?.ip != null - field: related.ip - value: '{{{destination.ip}}}' - allow_duplicates: false -- append: - if: ctx.source?.nat?.ip != null - field: related.ip - value: '{{{source.nat.ip}}}' - allow_duplicates: false -- append: - if: ctx.destination?.nat?.ip != null - field: related.ip - value: '{{{destination.nat.ip}}}' - allow_duplicates: false - -################### -## ECS Related User -################### -- append: - if: ctx.source?.user?.name != null - field: related.user - value: "{{{source.user.name}}}" - allow_duplicates: false - -################### -## ECS Related Hash -################### -- append: - if: ctx.file?.hash?.sha1 != null - 
field: related.hash - value: "{{{file.hash.sha1}}}" - allow_duplicates: false -- append: - if: ctx.file?.hash?.sha256 != null - field: related.hash - value: "{{{file.hash.sha256}}}" - allow_duplicates: false - -############# -## Cleanup ## -############# -- rename: - field: sophos.xg.reason - target_field: event.reason - ignore_failure: true - -- remove: - field: - - sophos.xg.bytes_received - - sophos.xg.bytes_sent - - sophos.xg.dst_country - - sophos.xg.in_display_interface - - sophos.xg.out_display_interface - - sophos.xg.recv_bytes - - sophos.xg.sent_bytes - - sophos.xg.severity - - sophos.xg.src_country - ignore_missing: true -- remove: - field: event.original - if: "ctx.tags == null || !(ctx.tags.contains('preserve_original_event'))" - ignore_failure: true - ignore_missing: true -on_failure: -- set: - field: error.message - value: |- - Processor "{{ _ingest.on_failure_processor_type }}" with tag "{{ _ingest.on_failure_processor_tag }}" failed with message "{{ _ingest.on_failure_message }}" diff --git a/packages/sophos/2.4.1/data_stream/xg/elasticsearch/ingest_pipeline/event.yml b/packages/sophos/2.4.1/data_stream/xg/elasticsearch/ingest_pipeline/event.yml deleted file mode 100755 index 7442b607b2..0000000000 --- a/packages/sophos/2.4.1/data_stream/xg/elasticsearch/ingest_pipeline/event.yml +++ /dev/null 
@@ -1,129 +0,0 @@ ---- -description: Pipeline for parsing Sophos XG firewall logs (authentication events pipeline). -processors: -####################### -## ECS Event Mapping ## -####################### -- set: - field: event.kind - value: event -- set: - field: event.outcome - value: success - if: 'ctx.sophos?.xg?.log_subtype == "Authentication" && ctx.sophos?.xg?.status == "Successful"' -- set: - field: event.outcome - value: failure - if: 'ctx.sophos?.xg?.log_subtype == "Authentication" && ctx.sophos?.xg?.status == "Failed"' -- set: - field: event.outcome - value: success - if: 'ctx.sophos?.xg?.log_subtype == "Admin" && ctx.sophos?.xg?.status == "Successful" && ctx.event?.code == "17507"' -- set: - field: event.outcome - value: failure - if: 'ctx.sophos?.xg?.log_subtype == "Admin" && ctx.sophos?.xg?.status == "Failed" && ctx.event?.code == "17507"' -- append: - field: event.type - value: - - user - - start - if: "['17701', '17704', '17707', '17710', '17713'].contains(ctx.event?.code)" -- append: - field: event.type - value: - - user - - end - if: "['17703', '17706', '17709', '17712', '17715'].contains(ctx.event?.code)" -- append: - field: event.type - value: connection - if: "['SSLVPN', 'IPSec', 'Thin Client', 'Radius SSO'].contains(ctx.sophos?.xg?.auth_client)" -- append: - field: event.category - value: network - if: "['SSLVPN', 'IPSec', 'Thin Client', 'Radius SSO'].contains(ctx.sophos?.xg?.auth_client)" -- append: - field: event.category - value: authentication - if: 'ctx.sophos?.xg?.log_subtype == "Authentication"' -- append: - field: event.type - value: info - if: 'ctx.event?.code == "17819"' -- append: - field: event.category - value: - - host - - malware - if: 'ctx.event?.code == "17819"' - -#################################### -## ECS Server/Destination Mapping ## -#################################### -- rename: - field: sophos.xg.dst_ip - target_field: destination.ip - ignore_missing: true - if: "ctx.sophos?.xg?.dst_ip != null" -- rename: - field: 
sophos.xg.localinterfaceip - target_field: destination.ip - ignore_missing: true - if: "ctx.sophos?.xg?.localinterfaceip != null" - -############################### -## ECS Client/Source Mapping ## -############################### -- rename: - field: sophos.xg.src_ip - target_field: source.ip - ignore_missing: true - if: "ctx.sophos?.xg?.src_ip != null" -- rename: - field: sophos.xg.remoteinterfaceip - target_field: source.ip - ignore_missing: true - if: "ctx.sophos?.xg?.remoteinterfaceip != null" -- rename: - field: sophos.xg.user_name - target_field: source.user.name - ignore_missing: true - if: "ctx.sophos?.xg?.user_name != null" -- set: - field: source.user.name - value: '{{sophos.xg.name}}' - if: "ctx.sophos?.xg?.name != null" -- set: - field: user.name - value: '{{source.user.name}}' - ignore_empty_value: true - if: 'ctx.sophos?.xg?.log_subtype == "Authentication"' -- rename: - field: sophos.xg.usergroupname - target_field: source.user.group.name - ignore_missing: true - if: "ctx.sophos?.xg?.usergroupname != null" - -######################### -## ECS Message Mapping ## -######################### -- rename: - field: sophos.xg.message - target_field: message - ignore_missing: true - -############# -## Cleanup ## -############# -- remove: - field: - - sophos.xg.dst_port - - sophos.xg.src_port - - sophos.xg.name - ignore_missing: true -on_failure: -- set: - field: error.message - value: '{{ _ingest.on_failure_message }}' - diff --git a/packages/sophos/2.4.1/data_stream/xg/elasticsearch/ingest_pipeline/firewall.yml b/packages/sophos/2.4.1/data_stream/xg/elasticsearch/ingest_pipeline/firewall.yml deleted file mode 100755 index 7e48fade03..0000000000 --- a/packages/sophos/2.4.1/data_stream/xg/elasticsearch/ingest_pipeline/firewall.yml +++ /dev/null 
@@ -1,232 +0,0 @@ ---- -description: Pipeline for parsing sophos firewall logs (firewall pipeline) -processors: -####################### -## ECS Event Mapping ## -####################### -- set: - field: event.kind - value: event -- set: - field: event.action - value: "{{sophos.xg.log_subtype}}" - if: "ctx.sophos?.xg?.log_subtype != null" -- set: - field: event.outcome - value: success - if: "ctx.sophos?.xg?.log_subtype != null" -- set: - field: event.kind - value: alert - if: '["03001", "05001", "05151", "00003", "00004"].contains(ctx.event?.code)' -- append: - field: event.category - value: intrusion_detection - if: '["03001", "05001", "05151", "00003", "00004"].contains(ctx.event?.code)' -- append: - field: event.category - value: network -- append: - field: event.type - value: - - start - - allowed - - connection - if: "['Start', 'Interim'].contains(ctx.sophos?.xg?.connevent)" -- append: - field: event.type - value: - - end - - allowed - - connection - if: "ctx.sophos?.xg?.connevent == 'Stop'" -- append: - field: event.type - value: - - denied - - connection - if: "ctx.sophos?.xg?.status == 'Deny'" - -#################################### -## ECS Server/Destination Mapping ## -#################################### -- rename: - field: sophos.xg.dst_ip - target_field: destination.ip - ignore_missing: true - if: "ctx.sophos?.xg?.dst_ip != null" -- rename: - field: sophos.xg.tran_dst_ip - target_field: destination.nat.ip - ignore_missing: true - if: "ctx.sophos?.xg?.tran_dst_ip != null" -- rename: - field: sophos.xg.destinationip - target_field: destination.ip - ignore_missing: true - if: "ctx.sophos?.xg?.destinationip !=null" -- convert: - field: sophos.xg.dst_port - target_field: destination.port - type: long - ignore_failure: true - ignore_missing: true - if: "ctx.sophos?.xg?.dst_port != null" -- convert: - field: sophos.xg.tran_dst_port - target_field: destination.nat.port - type: long - ignore_failure: true - ignore_missing: true - if: 
"ctx.sophos?.xg?.tran_dst_port != null" -- convert: - field: sophos.xg.recv_pkts - target_field: destination.packets - type: long - ignore_failure: true - ignore_missing: true - if: "ctx.sophos?.xg?.recv_pkts !=null" -- convert: - field: sophos.xg.packets_received - target_field: destination.packets - type: long - ignore_failure: true - ignore_missing: true - if: "ctx.sophos?.xg?.packets_received !=null" - -############################### -## ECS Client/Source Mapping ## -############################### -- rename: - field: sophos.xg.src_ip - target_field: source.ip - ignore_missing: true - if: "ctx.sophos?.xg?.src_ip != null" -- rename: - field: sophos.xg.tran_src_ip - target_field: source.nat.ip - ignore_missing: true - if: "ctx.sophos?.xg?.tran_src_ip != null" -- rename: - field: sophos.xg.src_trans_ip - target_field: source.nat.ip - ignore_missing: true - if: "ctx.sophos?.xg?.src_trans_ip != null" -- rename: - field: sophos.xg.sourceip - target_field: source.ip - ignore_missing: true - if: "ctx.sophos?.xg?.sourceip != null" -- convert: - field: sophos.xg.src_port - target_field: source.port - type: long - ignore_failure: true - ignore_missing: true - if: "ctx.sophos?.xg?.src_port != null" -- convert: - field: sophos.xg.tran_src_port - target_field: source.nat.port - type: long - ignore_failure: true - ignore_missing: true - if: "ctx.sophos?.xg?.tran_src_port != null" -- rename: - field: sophos.xg.src_mac - target_field: source.mac - ignore_missing: true - if: "ctx.sophos?.xg?.src_mac != null" -- trim: - field: sophos.xg.sent_pkts - ignore_missing: true -- trim: - field: sophos.xg.packets_sent - ignore_missing: true -- convert: - field: sophos.xg.sent_pkts - target_field: source.packets - type: long - ignore_failure: true - ignore_missing: true - if: "ctx.sophos?.xg?.sent_pkts != null" -- convert: - field: sophos.xg.packets_sent - target_field: source.packets - type: long - ignore_failure: true - ignore_missing: true - if: "ctx.sophos?.xg?.packets_sent != null" 
-- rename: - field: sophos.xg.user_name - target_field: source.user.name - ignore_missing: true - if: "ctx.sophos?.xg?.user_name != null" -- rename: - field: sophos.xg.user_gp - target_field: source.user.group.name - ignore_missing: true - if: "ctx.sophos?.xg?.user_gp != null" - -###################### -## ECS Rule Mapping ## -###################### -- rename: - field: sophos.xg.fw_rule_id - target_field: rule.id - ignore_missing: true - if: "ctx.rule?.id == null" -- rename: - field: sophos.xg.policy_type - target_field: rule.ruleset - ignore_missing: true - if: "ctx.sophos?.xg?.policy_type != null" - -###################### -## ECS Network Mapping -###################### -- rename: - field: sophos.xg.application - target_field: network.protocol - ignore_missing: true -- rename: - field: sophos.xg.protocol - target_field: network.transport - ignore_missing: true -- set: - field: network.direction - value: inbound - if: "['LAN', 'DMZ', 'VPN', 'WiFi'].contains(ctx.observer?.egress?.zone) && ctx.observer?.ingress?.zone == 'WAN'" -- set: - field: network.direction - value: outbound - if: "['LAN', 'DMZ', 'VPN', 'WiFi'].contains(ctx.observer?.ingress?.zone) && ctx.observer?.egress?.zone == 'WAN'" -- set: - field: network.direction - value: internal - if: "['LAN', 'DMZ', 'VPN', 'WiFi'].contains(ctx.observer?.ingress?.zone) && ['LAN', 'DMZ', 'VPN', 'WiFi'].contains(ctx.observer?.egress?.zone)" -- set: - field: network.direction - value: external - if: "ctx.observer?.ingress?.zone == 'WAN' && ctx.observer?.egress?.zone == 'WAN'" - -############# -## Cleanup ## -############# -- lowercase: - field: event.action - ignore_failure: true -- remove: - field: - - sophos.xg.dst_port - - sophos.xg.tran_dst_port - - sophos.xg.recv_pkts - - sophos.xg.src_port - - sophos.xg.tran_src_port - - sophos.xg.sent_pkts - - sophos.xg.packets_received - - sophos.xg.packets_sent - ignore_missing: true -on_failure: -- set: - field: error.message - value: '{{ _ingest.on_failure_message }}' 
diff --git a/packages/sophos/2.4.1/data_stream/xg/elasticsearch/ingest_pipeline/idp.yml b/packages/sophos/2.4.1/data_stream/xg/elasticsearch/ingest_pipeline/idp.yml
deleted file mode 100755
index c38552b4c6..0000000000
--- a/packages/sophos/2.4.1/data_stream/xg/elasticsearch/ingest_pipeline/idp.yml
+++ /dev/null
@@ -1,115 +0,0 @@ ---- -description: Pipeline for parsing sophos firewall logs (ipd pipeline) -processors: -####################### -## ECS Event Mapping ## -####################### -- set: - field: event.kind - value: alert -- set: - field: event.action - value: "{{sophos.xg.log_subtype}}" - if: "ctx.sophos?.xg?.log_subtype != null" -- set: - field: event.outcome - value: success - if: "ctx.sophos?.xg?.log_subtype != null" -- append: - field: event.category - value: - - intrusion_detection - - network - if: '["06001", "06002", "07001", "07002"].contains(ctx.event?.code)' -- append: - field: event.type - value: - - denied - - connection - if: '["06001", "06002", "07001", "07002"].contains(ctx.event?.code)' - -#################################### -## ECS Server/Destination Mapping ## -#################################### -- rename: - field: sophos.xg.dst_ip - target_field: destination.ip - ignore_missing: true - if: "ctx.sophos?.xg?.dst_ip != null" -- convert: - field: sophos.xg.dst_port - target_field: destination.port - type: long - ignore_failure: true - ignore_missing: true - if: "ctx.sophos?.xg?.dst_port != null" - -############################### -## ECS Client/Source Mapping ## -############################### -- rename: - field: sophos.xg.src_ip - target_field: source.ip - ignore_missing: true - if: "ctx.sophos?.xg?.src_ip != null" -- convert: - field: sophos.xg.src_port - target_field: source.port - type: long - ignore_failure: true - ignore_missing: true - if: "ctx.sophos?.xg?.src_port != null" -- rename: - field: sophos.xg.user_name - target_field: source.user.name - ignore_missing: true - if: "ctx.sophos?.xg?.user_name != null" - -###################### -## ECS Rule Mapping ## -###################### -- rename: - field: sophos.xg.signature_id - target_field: rule.id - ignore_missing: true - if: "ctx.sophos?.xg?.signature_id != null" -- rename: - field: sophos.xg.signature_msg - target_field: rule.name - ignore_missing: true - if: 
"ctx.sophos?.xg?.signature_msg != null" -- rename: - field: sophos.xg.classification - target_field: rule.category - ignore_missing: true - if: "ctx.sophos?.xg?.classification != null" - -###################### -## ECS Network Mapping -###################### -- rename: - field: sophos.xg.protocol - target_field: network.transport - ignore_missing: true - -############# -## Cleanup ## -############# -- lowercase: - field: network.protocol - ignore_failure: true -- lowercase: - field: event.action - ignore_failure: true -- lowercase: - field: event.info - ignore_failure: true -- remove: - field: - - sophos.xg.dst_port - - sophos.xg.src_port - ignore_missing: true -on_failure: -- set: - field: error.message - value: '{{ _ingest.on_failure_message }}' diff --git a/packages/sophos/2.4.1/data_stream/xg/elasticsearch/ingest_pipeline/sandstorm.yml b/packages/sophos/2.4.1/data_stream/xg/elasticsearch/ingest_pipeline/sandstorm.yml deleted file mode 100755 index df874a5254..0000000000 --- a/packages/sophos/2.4.1/data_stream/xg/elasticsearch/ingest_pipeline/sandstorm.yml +++ /dev/null 
@@ -1,133 +0,0 @@ ---- -description: Pipeline for parsing sophos firewall logs (sandbox pipeline) -processors: -####################### -## ECS Event Mapping ## -####################### -- set: - field: event.kind - value: event -- set: - field: event.action - value: "{{sophos.xg.log_subtype}}" - if: "ctx.sophos?.xg?.log_subtype != null" -- set: - field: event.outcome - value: success - if: "ctx.sophos?.xg?.log_subtype != null" -- set: - field: event.kind - value: alert - if: 'ctx.sophos?.xg?.log_subtype == "Denied"' -- append: - field: event.category - value: - - malware - - network - if: 'ctx.sophos?.xg?.log_subtype == "Denied"' -- append: - field: event.category - value: network - if: "ctx.sophos?.xg?.log_subtype != 'Denied'" -- append: - field: event.type - value: allowed - if: "['Allowed'].contains(ctx.sophos?.xg?.log_subtype)" -- append: - field: event.type - value: - - start - - connection - if: "['pending'].contains(ctx.sophos?.xg?.reason)" -- append: - field: event.type - value: - - end - - connection - if: "ctx.sophos?.xg?.reason == 'eligible'" -- append: - field: event.type - value: - - denied - - connection - if: "ctx.sophos?.xg?.log_subtype == 'Denied'" - -- rename: - if: ctx.sophos?.xg?.log_component == "Web" - field: sophos.xg.source - target_field: url.domain - ignore_missing: true - -######################## -## ECS Source Mapping ## -######################## -- rename: - field: sophos.xg.src_ip - target_field: source.ip - ignore_missing: true - if: "ctx.sophos?.xg?.src_ip != null" -- rename: - field: sophos.xg.user_name - target_field: source.user.name - ignore_missing: true - if: "ctx.sophos?.xg?.user_name != null" - -############################# -## ECS Destination Mapping ## -############################# -- convert: - field: url.domain - target_field: destination.ip - type: ip - ignore_missing: true - on_failure: - - set: - field: destination.domain - copy_from: url.domain - ignore_empty_value: true - -###################### -## ECS File 
Mapping ## -###################### -- rename: - field: sophos.xg.filename - target_field: file.name - ignore_missing: true - if: ctx.sophos?.xg?.filename != null -- convert: - field: sophos.xg.filesize - target_field: file.size - type: long - ignore_failure: true - ignore_missing: true - if: "ctx.sophos?.xg?.filesize != null" -- rename: - field: sophos.xg.filetype - target_field: file.mime_type - ignore_missing: true - if: "ctx.sophos?.xg?.filetype != null" - -# In 18.0 and later the sha1sum contains the sha256 checksum of the file. -- rename: - field: sophos.xg.sha1sum - target_field: file.hash.sha1 - ignore_missing: true - if: "ctx.sophos?.xg?.sha1sum != null && ctx.sophos.xg.sha1sum.length() == 40" -- rename: - field: sophos.xg.sha1sum - target_field: file.hash.sha256 - ignore_missing: true - if: "ctx.sophos?.xg?.sha1sum != null && ctx.sophos.xg.sha1sum.length() == 64" - -############# -## Cleanup ## -############# -- remove: - field: - - sophos.xg.filesize - - sophos.xg.sha1sum - ignore_missing: true -on_failure: -- set: - field: error.message - value: '{{ _ingest.on_failure_message }}' diff --git a/packages/sophos/2.4.1/data_stream/xg/elasticsearch/ingest_pipeline/systemhealth.yml b/packages/sophos/2.4.1/data_stream/xg/elasticsearch/ingest_pipeline/systemhealth.yml deleted file mode 100755 index 7a55e8b6a2..0000000000 --- a/packages/sophos/2.4.1/data_stream/xg/elasticsearch/ingest_pipeline/systemhealth.yml +++ /dev/null 
@@ -1,182 +0,0 @@ ---- -description: Pipeline for parsing sophos firewall logs (systemhealth pipeline) -processors: -####################### -## ECS Event Mapping ## -####################### -- set: - field: event.kind - value: event -- rename: - field: sophos.xg.idle - target_field: sophos.xg.idle_cpu - ignore_missing: true -- gsub: - field: sophos.xg.idle_cpu - pattern: "%$" - replacement: "" - ignore_missing: true - ignore_failure: true -- convert: - field: sophos.xg.idle_cpu - type: float - ignore_missing: true - on_failure: - - remove: - field: sophos.xg.idle_cpu -- rename: - field: sophos.xg.system - target_field: sophos.xg.system_cpu - ignore_missing: true -- gsub: - field: sophos.xg.system_cpu - pattern: "%$" - replacement: "" - ignore_missing: true - ignore_failure: true -- convert: - field: sophos.xg.system_cpu - type: float - ignore_missing: true - on_failure: - - remove: - field: sophos.xg.system_cpu -- rename: - field: sophos.xg.user - target_field: sophos.xg.user_cpu - ignore_missing: true -- gsub: - field: sophos.xg.user_cpu - pattern: "%$" - replacement: "" - ignore_missing: true - ignore_failure: true -- convert: - field: sophos.xg.user_cpu - type: float - ignore_missing: true - on_failure: - - remove: - field: sophos.xg.user_cpu -- convert: - field: sophos.xg.used - type: integer - ignore_missing: true - on_failure: - - remove: - field: sophos.xg.used -- convert: - field: sophos.xg.total_memory - type: integer - ignore_missing: true - on_failure: - - remove: - field: sophos.xg.total_memory -- convert: - field: sophos.xg.free - type: integer - ignore_missing: true - on_failure: - - remove: - field: sophos.xg.free -- gsub: - field: sophos.xg.configuration - pattern: "%$" - replacement: "" - ignore_missing: true - ignore_failure: true -- convert: - field: sophos.xg.configuration - type: float - ignore_missing: true - on_failure: - - remove: - field: - - sophos.xg.configuration - -- gsub: - field: sophos.xg.reports - pattern: "%$" - replacement: "" - 
ignore_missing: true - ignore_failure: true -- convert: - field: sophos.xg.reports - type: float - ignore_missing: true - on_failure: - - remove: - field: sophos.xg.reports -- gsub: - field: sophos.xg.temp - pattern: "%$" - replacement: "" - ignore_missing: true - ignore_failure: true -- convert: - field: sophos.xg.temp - type: float - ignore_missing: true - on_failure: - - remove: - field: sophos.xg.temp -- gsub: - field: sophos.xg.signature - pattern: "%$" - replacement: "" - ignore_missing: true - ignore_failure: true -- convert: - field: sophos.xg.signature - type: float - ignore_missing: true - on_failure: - - remove: - field: sophos.xg.signature -- convert: - field: sophos.xg.users - type: integer - ignore_missing: true - on_failure: - - remove: - field: sophos.xg.users -- convert: - field: sophos.xg.transmittedkbits - type: float - ignore_missing: true - on_failure: - - remove: - field: sophos.xg.transmittedkbits -- convert: - field: sophos.xg.receivedkbits - type: float - ignore_missing: true - on_failure: - - remove: - field: sophos.xg.receivedkbits -- convert: - field: sophos.xg.collisions - type: float - ignore_missing: true - on_failure: - - remove: - field: sophos.xg.collisions -- convert: - field: sophos.xg.receiveddrops - type: float - ignore_missing: true - on_failure: - - remove: - field: sophos.xg.receiveddrops -- convert: - field: sophos.xg.transmitteddrops - type: float - ignore_missing: true - on_failure: - - remove: - field: sophos.xg.transmitteddrops - -on_failure: -- set: - field: error.message - value: '{{ _ingest.on_failure_message }}' diff --git a/packages/sophos/2.4.1/data_stream/xg/elasticsearch/ingest_pipeline/waf.yml b/packages/sophos/2.4.1/data_stream/xg/elasticsearch/ingest_pipeline/waf.yml deleted file mode 100755 index a59c4334cd..0000000000 --- a/packages/sophos/2.4.1/data_stream/xg/elasticsearch/ingest_pipeline/waf.yml +++ /dev/null 
@@ -1,174 +0,0 @@ ---- -description: Pipeline for parsing sophos firewall logs (waf pipeline) -processors: -####################### -## ECS Event Mapping ## -####################### -- set: - field: event.kind - value: event -- set: - field: event.action - value: allowed - if: 'ctx.sophos?.xg?.reason == "-"' -- set: - field: event.action - value: denied - if: 'ctx.sophos?.xg?.reason != "-"' -- set: - field: event.outcome - value: success - if: "ctx.sophos?.xg?.reason != null" -- set: - field: event.kind - value: alert - if: 'ctx.sophos?.xg?.reason != "-"' -- append: - field: event.category - value: - - malware - - network - if: 'ctx.sophos?.xg?.reason == "Antivirus"' -- append: - field: event.category - value: - - intrusion_detection - - network - if: "ctx.sophos?.xg?.reason != 'Antivirus' && ctx.sophos?.xg?.reason != '-'" -- append: - field: event.type - value: - - allowed - - connection - if: 'ctx.sophos?.xg?.reason == "-"' -- append: - field: event.type - value: - - denied - - connection - if: 'ctx.sophos?.xg?.reason != "-"' - -- convert: - field: sophos.xg.responsetime - type: long - ignore_missing: true - on_failure: - - remove: - field: sophos.xg.responsetime -- script: - description: Convert microseconds to nanoseconds. 
- lang: painless - source: | - if (ctx.sophos?.xg?.responsetime != null && ctx.sophos.xg.responsetime > 0) { - ctx.event.duration = ctx.sophos.xg.responsetime * 1000; - } - -#################################### -## ECS Server/Destination Mapping ## -#################################### -- rename: - field: sophos.xg.localip - target_field: destination.ip - ignore_missing: true - if: "ctx.sophos?.xg?.localip != null" -- convert: - field: sophos.xg.bytessent - target_field: destination.bytes - type: long - ignore_failure: true - ignore_missing: true - if: "ctx.sophos?.xg?.bytessent != null" - -############################### -## ECS Client/Source Mapping ## -############################### -- rename: - field: sophos.xg.sourceip - target_field: source.ip - ignore_missing: true - if: "ctx.sophos?.xg?.sourceip != null" -- convert: - field: sophos.xg.bytesrcv - target_field: source.bytes - type: long - ignore_failure: true - ignore_missing: true - if: "ctx.sophos?.xg?.bytesrcv != null" -- rename: - field: sophos.xg.user_name - target_field: source.user.name - ignore_missing: true - if: "ctx.sophos?.xg?.user_name != null" -- rename: - field: sophos.xg.user_gp - target_field: source.user.group.name - ignore_missing: true - if: "ctx.sophos?.xg?.user_gp != null" - -##################### -## ECS URL Mapping ## -##################### -- rename: - field: sophos.xg.url - target_field: url.full - ignore_missing: true - if: "ctx.sophos?.xg?.url != null" -- rename: - field: sophos.xg.domain - target_field: url.domain - ignore_missing: true - if: "ctx.sophos?.xg?.domain != null" - -############################ -## ECS User Agent Mapping ## -############################ -- rename: - field: sophos.xg.referer - target_field: http.request.referrer - ignore_missing: true - if: "ctx.sophos?.xg?.referer != null" -- convert: - field: sophos.xg.httpstatus - target_field: destination.bytes - type: long - ignore_failure: true - ignore_missing: true - if: "ctx.sophos?.xg?.httpstatus != null" -- 
rename: - field: sophos.xg.method - target_field: http.request.method - ignore_missing: true - if: "ctx.sophos?.xg?.method != null" -- rename: - field: sophos.xg.ws_protocol - target_field: http.version - ignore_missing: true - if: "ctx.sophos?.xg?.ws_protocol != null" -- rename: - field: sophos.xg.useragent - target_field: user_agent.original - ignore_missing: true - if: "ctx.sophos?.xg?.useragent != null" - -############# -## Cleanup ## -############# -- rename: - field: sophos.xg.SQLi - target_field: sophos.xg.sqli - ignore_missing: true -- rename: - field: sophos.xg.XSS - target_field: sophos.xg.xss - ignore_missing: true -- remove: - field: - - sophos.xg.bytesrcv - - sophos.xg.bytessent - - sophos.xg.httpstatus - - sophos.xg.responsetime - ignore_missing: true -on_failure: -- set: - field: error.message - value: '{{ _ingest.on_failure_message }}' diff --git a/packages/sophos/2.4.1/data_stream/xg/elasticsearch/ingest_pipeline/wifi.yml b/packages/sophos/2.4.1/data_stream/xg/elasticsearch/ingest_pipeline/wifi.yml deleted file mode 100755 index 9dbbeb06c0..0000000000 --- a/packages/sophos/2.4.1/data_stream/xg/elasticsearch/ingest_pipeline/wifi.yml +++ /dev/null @@ -1,27 +0,0 @@ ---- -description: Pipeline for parsing Sophos XG firewall logs (wireless protection pipeline). -processors: -####################### -## ECS Event Mapping ## -####################### -- set: - field: event.kind - value: event -- set: - field: event.outcome - value: success -- convert: - field: sophos.xg.clients_conn_ssid - type: long - ignore_missing: true - on_failure: - - remove: - field: sophos.xg.clients_conn_ssid - -############# -## Cleanup ## -############# -on_failure: -- set: - field: error.message - value: '{{ _ingest.on_failure_message }}' diff --git a/packages/sophos/2.4.1/data_stream/xg/fields/agent.yml b/packages/sophos/2.4.1/data_stream/xg/fields/agent.yml deleted file mode 100755 index 98998ae549..0000000000 
--- a/packages/sophos/2.4.1/data_stream/xg/fields/agent.yml
+++ /dev/null
@@ -1,207 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. 
- -- name: input.type - type: keyword - description: Input type -- name: log.offset - type: long - description: Log offset -- name: log.source.address - type: keyword - ignore_above: 1024 diff --git a/packages/sophos/2.4.1/data_stream/xg/fields/base-fields.yml b/packages/sophos/2.4.1/data_stream/xg/fields/base-fields.yml deleted file mode 100755 index a6aa5f75de..0000000000 --- a/packages/sophos/2.4.1/data_stream/xg/fields/base-fields.yml +++ /dev/null @@ -1,20 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: event.module - type: constant_keyword - description: Event module - value: sophos -- name: event.dataset - type: constant_keyword - description: Event dataset - value: sophos.xg -- name: '@timestamp' - type: date - description: Event timestamp. diff --git a/packages/sophos/2.4.1/data_stream/xg/fields/ecs.yml b/packages/sophos/2.4.1/data_stream/xg/fields/ecs.yml deleted file mode 100755 index e2a16d5a76..0000000000 --- a/packages/sophos/2.4.1/data_stream/xg/fields/ecs.yml +++ /dev/null 
@@ -1,559 +0,0 @@ -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: destination.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: destination.as.organization.name - type: keyword -- description: Bytes sent from the destination to the source. - name: destination.bytes - type: long -- description: |- - The domain name of the destination system. - This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. - name: destination.domain - type: keyword -- description: City name. - name: destination.geo.city_name - type: keyword -- description: Name of the continent. - name: destination.geo.continent_name - type: keyword -- description: Country ISO code. - name: destination.geo.country_iso_code - type: keyword -- description: Country name. - name: destination.geo.country_name - type: keyword -- description: Longitude and latitude. - name: destination.geo.location - type: geo_point -- description: |- - User-defined description of a location, at the level of granularity they care about. - Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. - Not typically used in automated geolocation. - name: destination.geo.name - type: keyword -- description: Region ISO code. - name: destination.geo.region_iso_code - type: keyword -- description: Region name. - name: destination.geo.region_name - type: keyword -- description: IP address of the destination (IPv4 or IPv6). - name: destination.ip - type: ip -- description: |- - MAC address of the destination. - The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. 
Successive octets are separated by a hyphen. - name: destination.mac - pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ - type: keyword -- description: |- - Translated ip of destination based NAT sessions (e.g. internet to private DMZ) - Typically used with load balancers, firewalls, or routers. - name: destination.nat.ip - type: ip -- description: |- - Port the source session is translated to by NAT Device. - Typically used with load balancers, firewalls, or routers. - name: destination.nat.port - type: long -- description: Packets sent from the destination to the source. - name: destination.packets - type: long -- description: Port of the destination. - name: destination.port - type: long -- description: User email address. - name: destination.user.email - type: keyword -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: The email address of the sender, typically from the RFC 5322 `From:` header field. - name: email.from.address - normalize: - - array - type: keyword -- description: The email address of recipient - name: email.to.address - normalize: - - array - type: keyword -- description: A brief summary of the topic of the message. - multi_fields: - - name: text - type: match_only_text - name: email.subject - type: keyword -- description: |- - The action captured by the event. - This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. - name: event.action - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. 
- `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. This will allow proper categorization of some events that fall in multiple categories. - name: event.category - normalize: - - array - type: keyword -- description: |- - Identification code for this event, if one exists. - Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. - name: event.code - type: keyword -- description: |- - event.created contains the date/time when the event was first read by an agent, or by your pipeline. - This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. - In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. - In case the two timestamps are identical, @timestamp should be used. - name: event.created - type: date -- description: |- - Duration of the event in nanoseconds. - If event.start and event.end are known this value should be the difference between the end and start time. - name: event.duration - type: long -- description: event.end contains the date when the event ended or when the activity was last observed. - name: event.end - type: date -- description: Hash (perhaps logstash fingerprint) of raw field to be able to demonstrate log integrity. - name: event.hash - type: keyword -- description: Unique ID to describe the event. 
- name: event.id - type: keyword -- description: |- - Timestamp when an event arrived in the central data store. - This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. - In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. - name: event.ingested - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: |- - Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. - This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. - doc_values: false - index: false - name: event.original - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. - `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. 
- Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. - Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. - Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. - name: event.outcome - type: keyword -- description: |- - Source of the event. - Event transports such as Syslog or the Windows Event Log typically mention the source of an event. It can be the name of the software that generated the event (e.g. Sysmon, httpd), or of a subsystem of the operating system (kernel, Microsoft-Windows-Security-Auditing). - name: event.provider - type: keyword -- description: |- - Reason why this event happened, according to the source. - This describes the why of a particular action or outcome captured in the event. Where `event.action` captures the action from the event, `event.reason` describes why that action was taken. For example, a web proxy with an `event.action` which denied the request may also populate `event.reason` with the reason why (e.g. `blocked site`). - name: event.reason - type: keyword -- description: |- - Sequence number of the event. - The sequence number is a value published by some event sources, to make the exact ordering of events unambiguous, regardless of the timestamp precision. - name: event.sequence - type: long -- description: |- - The numeric severity of the event according to your event source. - What the different severity values mean can be different between sources and use cases. 
It's up to the implementer to make sure severities are consistent across events from the same source. - The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`. - name: event.severity - type: long -- description: event.start contains the date when the event started or when the activity was first observed. - name: event.start - type: date -- description: |- - This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. - Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). - name: event.timezone - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. - `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. This will allow proper categorization of some events that fall in multiple event types. - name: event.type - normalize: - - array - type: keyword -- description: Directory where the file is located. It should include the drive letter, when appropriate. - name: file.directory - type: keyword -- description: |- - File extension, excluding the leading dot. - Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). - name: file.extension - type: keyword -- description: MD5 hash. - name: file.hash.md5 - type: keyword -- description: SHA1 hash. - name: file.hash.sha1 - type: keyword -- description: SHA256 hash. 
- name: file.hash.sha256 - type: keyword -- description: SHA512 hash. - name: file.hash.sha512 - type: keyword -- description: MIME type should identify the format of the file or stream of bytes using https://www.iana.org/assignments/media-types/media-types.xhtml[IANA official types], where possible. When more than one type is applicable, the most specific type should be used. - name: file.mime_type - type: keyword -- description: Name of the file including the extension, without the directory. - name: file.name - type: keyword -- description: |- - File size in bytes. - Only relevant when `file.type` is "file". - name: file.size - type: long -- description: |- - HTTP request method. - The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field. - name: http.request.method - type: keyword -- description: Referrer for this HTTP request. - name: http.request.referrer - type: keyword -- description: HTTP response status code. - name: http.response.status_code - type: long -- description: HTTP version. - name: http.version - type: keyword -- description: |- - Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. - If the event wasn't read from a log file, do not populate this field. - name: log.file.path - type: keyword -- description: |- - Original log level of the log event. - If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). - Some examples are `warn`, `err`, `i`, `informational`. - name: log.level - type: keyword -- description: The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. 
- name: log.logger - type: keyword -- description: |- - For log events the message field contains the log message, optimized for viewing in a log viewer. - For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. - If multiple messages exist, they can be combined into one message. - name: message - type: match_only_text -- description: |- - Total bytes transferred in both directions. - If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. - name: network.bytes - type: long -- description: |- - A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. - Learn more at https://github.com/corelight/community-id-spec. - name: network.community_id - type: keyword -- description: |- - Direction of the network traffic. - When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". - When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". - Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. - name: network.direction - type: keyword -- description: |- - Total packets transferred in both directions. - If `source.packets` and `destination.packets` are known, `network.packets` is their sum. - name: network.packets - type: long -- description: |- - In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. 
- The field value must be normalized to lowercase for querying. - name: network.protocol - type: keyword -- description: |- - Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) - The field value must be normalized to lowercase for querying. - name: network.transport - type: keyword -- description: Interface name as reported by the system. - name: observer.egress.interface.name - type: keyword -- description: Network zone of outbound traffic as reported by the observer to categorize the destination area of egress traffic, e.g. Internal, External, DMZ, HR, Legal, etc. - name: observer.egress.zone - type: keyword -- description: Hostname of the observer. - name: observer.hostname - type: keyword -- description: Interface name as reported by the system. - name: observer.ingress.interface.name - type: keyword -- description: Network zone of incoming traffic as reported by the observer to categorize the source area of ingress traffic. e.g. internal, External, DMZ, HR, Legal, etc. - name: observer.ingress.zone - type: keyword -- description: The product name of the observer. - name: observer.product - type: keyword -- description: Observer serial number. - name: observer.serial_number - type: keyword -- description: |- - The type of the observer the data is coming from. - There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. - name: observer.type - type: keyword -- description: Vendor name of the observer. - name: observer.vendor - type: keyword -- description: All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). - name: related.hash - normalize: - - array - type: keyword -- description: All hostnames or other host identifiers seen on your event. 
Example identifiers include FQDNs, domain names, workstation names, or aliases. - name: related.hosts - normalize: - - array - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - normalize: - - array - type: ip -- description: All the user names or other user identifiers seen on the event. - name: related.user - normalize: - - array - type: keyword -- description: A categorization value keyword used by the entity using the rule for detection of this event. - name: rule.category - type: keyword -- description: A rule ID that is unique within the scope of an agent, observer, or other entity using the rule for detection of this event. - name: rule.id - type: keyword -- description: The name of the rule or signature generating the event. - name: rule.name - type: keyword -- description: Name of the ruleset, policy, group, or parent category in which the rule used to generate this event is a member. - name: rule.ruleset - type: keyword -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: source.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: source.as.organization.name - type: keyword -- description: Bytes sent from the source to the destination. - name: source.bytes - type: long -- description: |- - The domain name of the source system. - This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. - name: source.domain - type: keyword -- description: City name. - name: source.geo.city_name - type: keyword -- description: Name of the continent. - name: source.geo.continent_name - type: keyword -- description: Country ISO code. - name: source.geo.country_iso_code - type: keyword -- description: Country name. 
- name: source.geo.country_name - type: keyword -- description: Longitude and latitude. - name: source.geo.location - type: geo_point -- description: |- - User-defined description of a location, at the level of granularity they care about. - Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. - Not typically used in automated geolocation. - name: source.geo.name - type: keyword -- description: Region ISO code. - name: source.geo.region_iso_code - type: keyword -- description: Region name. - name: source.geo.region_name - type: keyword -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: |- - MAC address of the source. - The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. - name: source.mac - pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ - type: keyword -- description: |- - Translated ip of source based NAT sessions (e.g. internal client to internet) - Typically connections traversing load balancers, firewalls, or routers. - name: source.nat.ip - type: ip -- description: |- - Translated port of source based NAT sessions. (e.g. internal client to internet) - Typically used with load balancers, firewalls, or routers. - name: source.nat.port - type: long -- description: Packets sent from the source to the destination. - name: source.packets - type: long -- description: Port of the source. - name: source.port - type: long -- description: User email address. - name: source.user.email - type: keyword -- description: Name of the group. - name: source.user.group.name - type: keyword -- description: Short name or login of the user. - multi_fields: - - name: text - type: match_only_text - name: source.user.name - type: keyword -- description: List of keywords used to tag each event. 
- name: tags - normalize: - - array - type: keyword -- description: |- - Domain of the url, such as "www.elastic.co". - In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. - If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. - name: url.domain - type: keyword -- description: |- - The field contains the file extension from the original request url, excluding the leading dot. - The file extension is only set if it exists, as not every url has a file extension. - The leading period must not be included. For example, the value must be "png", not ".png". - Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). - name: url.extension - type: keyword -- description: |- - Portion of the url after the `#`, such as "top". - The `#` is not part of the fragment. - name: url.fragment - type: keyword -- description: If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. - multi_fields: - - name: text - type: match_only_text - name: url.full - type: wildcard -- description: |- - Unmodified original url as seen in the event source. - Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. - This field is meant to represent the URL as it was observed, complete or not. - multi_fields: - - name: text - type: match_only_text - name: url.original - type: wildcard -- description: Password of the request. - name: url.password - type: keyword -- description: Path of the request, such as "/search". - name: url.path - type: wildcard -- description: Port of the request, such as 443. 
- name: url.port - type: long -- description: |- - The query field describes the query string of the request, such as "q=elasticsearch". - The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. - name: url.query - type: keyword -- description: |- - The highest registered url domain, stripped of the subdomain. - For example, the registered domain for "foo.example.com" is "example.com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". - name: url.registered_domain - type: keyword -- description: |- - Scheme of the request, such as "https". - Note: The `:` is not part of the scheme. - name: url.scheme - type: keyword -- description: |- - The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. - For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. - name: url.subdomain - type: keyword -- description: |- - The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". 
- name: url.top_level_domain
- type: keyword
-- description: Username of the request.
- name: url.username
- type: keyword
-- description: User email address.
- name: user.email
- type: keyword
-- description: Short name or login of the user.
- multi_fields:
- - name: text
- type: match_only_text
- name: user.name
- type: keyword
-- description: Name of the device.
- name: user_agent.device.name
- type: keyword
-- description: Name of the user agent.
- name: user_agent.name
- type: keyword
-- description: Unparsed user_agent string.
- multi_fields:
- - name: text
- type: match_only_text
- name: user_agent.original
- type: keyword
-- description: OS family (such as redhat, debian, freebsd, windows).
- name: user_agent.os.family
- type: keyword
-- description: Operating system name, including the version or code name.
- multi_fields:
- - name: text
- type: match_only_text
- name: user_agent.os.full
- type: keyword
-- description: Operating system kernel version as a raw string.
- name: user_agent.os.kernel
- type: keyword
-- description: Operating system name, without the version.
- multi_fields:
- - name: text
- type: match_only_text
- name: user_agent.os.name
- type: keyword
-- description: Operating system platform (such centos, ubuntu, windows).
- name: user_agent.os.platform
- type: keyword
-- description: Operating system version as a raw string.
- name: user_agent.os.version
- type: keyword
-- description: Version of the user agent.
- name: user_agent.version
- type: keyword
diff --git a/packages/sophos/2.4.1/data_stream/xg/fields/fields.yml b/packages/sophos/2.4.1/data_stream/xg/fields/fields.yml
deleted file mode 100755
index 6dd56deeab..0000000000
--- a/packages/sophos/2.4.1/data_stream/xg/fields/fields.yml
+++ /dev/null
@@ -1,830 +0,0 @@
-- name: sophos
- type: group
- fields:
- - name: xg
- type: group
- fields:
- - name: action
- type: keyword
- description: |
- Event Action
- - name: activityname
- type: keyword
- description: |
- Web policy activity that matched and caused the policy result.
- - name: ap
- type: keyword
- description: |
- Access Point Serial ID or LocalWifi0 or LocalWifi1.
- - name: app_category
- type: keyword
- description: |
- Name of the category under which application falls
- - name: app_filter_policy_id
- type: keyword
- description: |
- Application filter policy ID applied on the traffic
- - name: app_is_cloud
- type: keyword
- description: |
- Application is Cloud
- - name: app_name
- type: keyword
- description: |
- Application name
- - name: app_resolved_by
- type: keyword
- description: |
- Application is resolved by signature or synchronized application
- - name: app_risk
- type: keyword
- description: |
- Risk level assigned to the application
- - name: app_technology
- type: keyword
- description: |
- Technology of the application
- - name: appfilter_policy_id
- type: integer
- description: |
- Application Filter policy applied on the traffic
- - name: application
- type: keyword
- description: |
- Application name
- - name: application_category
- type: keyword
- description: |
- Application is resolved by signature or synchronized application
- - name: application_filter_policy
- type: integer
- description: |
- Application Filter policy applied on the traffic
- - name: application_name
- type: keyword
- description: |
- Application name
- - name: application_risk
- type: keyword
- description: |
- Risk level assigned to the application
- - name: application_technology
- type: keyword
- description: |
- Technology of the application
- - name: appresolvedby
- type: keyword
- description: |
- Technology of the application
- - name: auth_client
- type: keyword
- description: |
- Auth Client
- - name: auth_mechanism
- type: keyword
- description: |
- Auth mechanism - - name: av_policy_name - type: keyword - description: | - Malware scanning policy name which is applied on the traffic - - name: backup_mode - type: keyword - description: | - Backup mode - - name: branch_name - type: keyword - description: | - Branch Name - - name: category - type: keyword - description: | - IPS signature category. - - name: category_type - type: keyword - description: | - Type of category under which website falls - - name: classification - type: keyword - description: | - Signature classification - - name: client_host_name - type: keyword - description: | - Client host name - - name: client_physical_address - type: keyword - description: | - Client physical address - - name: clients_conn_ssid - type: long - description: | - Number of client connected to the SSID. - - name: collisions - type: long - description: | - collisions - - name: con_event - type: keyword - description: | - Event Start/Stop - - name: con_id - type: integer - description: | - Unique identifier of connection - - name: configuration - type: float - description: | - Configuration - - name: conn_id - type: integer - description: | - Unique identifier of connection - - name: connectionname - type: keyword - description: | - Connectionname - - name: connectiontype - type: keyword - description: | - Connectiontype - - name: connevent - type: keyword - description: | - Event on which this log is generated - - name: connid - type: keyword - description: | - Connection ID - - name: content_type - type: keyword - description: | - Type of the content - - name: contenttype - type: keyword - description: | - Type of the content - - name: context_match - type: keyword - description: | - Context Match - - name: context_prefix - type: keyword - description: | - Content Prefix - - name: context_suffix - type: keyword - description: | - Context Suffix - - name: cookie - type: keyword - description: | - cookie - - name: date - type: date - description: | - Date (yyyy-mm-dd) 
when the event occurred - - name: destinationip - type: ip - description: | - Original destination IP address of traffic - - name: device - type: keyword - description: | - device - - name: device_id - type: keyword - description: | - Serial number of the device - - name: device_model - type: keyword - description: | - Model number of the device - - name: device_name - type: keyword - description: | - Model number of the device - - name: dictionary_name - type: keyword - description: | - Dictionary Name - - name: dir_disp - type: keyword - description: | - TPacket direction. Possible values:“org”, “reply”, “” - - name: direction - type: keyword - description: | - Direction - - name: domainname - type: keyword - description: | - Domain from which virus was downloaded - - name: download_file_name - type: keyword - description: | - Download file name - - name: download_file_type - type: keyword - description: | - Download file type - - name: dst_country_code - type: keyword - description: | - Code of the country to which the destination IP belongs - - name: dst_domainname - type: keyword - description: | - Receiver domain name - - name: dst_ip - type: ip - description: | - Original destination IP address of traffic - - name: dst_port - type: integer - description: | - Original destination port of TCP and UDP traffic - - name: dst_zone_type - type: keyword - description: | - Type of destination zone - - name: dstdomain - type: keyword - description: | - Destination Domain - - name: duration - type: long - description: | - Durability of traffic (seconds) - - name: email_subject - type: keyword - description: | - Email Subject - - name: ep_uuid - type: keyword - description: | - Endpoint UUID - - name: ether_type - type: keyword - description: | - ethernet frame type - - name: eventid - type: keyword - description: | - ATP Evenet ID - - name: eventtime - type: date - description: | - Event time - - name: eventtype - type: keyword - description: | - ATP event type - - 
name: exceptions - type: keyword - description: | - List of the checks excluded by web exceptions. - - name: execution_path - type: keyword - description: | - ATP execution path - - name: extra - type: keyword - description: | - extra - - name: file_name - type: keyword - description: | - Filename - - name: file_path - type: keyword - description: | - File path - - name: file_size - type: integer - description: | - File Size - - name: filename - type: keyword - description: | - File name associated with the event - - name: filepath - type: keyword - description: | - Path of the file containing virus - - name: filesize - type: integer - description: | - Size of the file that contained virus - - name: free - type: integer - description: | - free - - name: from_email_address - type: keyword - description: | - Sender email address - - name: ftp_direction - type: keyword - description: | - Direction of FTP transfer: Upload or Download - - name: ftp_url - type: keyword - description: | - FTP URL from which virus was downloaded - - name: ftpcommand - type: keyword - description: | - FTP command used when virus was found - - name: fw_rule_id - type: integer - description: | - Firewall Rule ID which is applied on the traffic - - name: fw_rule_type - type: keyword - description: | - Firewall rule type which is applied on the traffic - - name: hb_health - type: keyword - description: | - Heartbeat status - - name: hb_status - type: keyword - description: | - Heartbeat status - - name: host - type: keyword - description: | - Host - - name: http_category - type: keyword - description: | - HTTP Category - - name: http_category_type - type: keyword - description: | - HTTP Category Type - - name: httpresponsecode - type: long - description: | - code of HTTP response - - name: iap - type: keyword - description: | - Internet Access policy ID applied on the traffic - - name: icmp_code - type: keyword - description: | - ICMP code of ICMP traffic - - name: icmp_type - type: keyword - 
description: | - ICMP type of ICMP traffic - - name: idle_cpu - type: float - description: | - idle ## - - name: idp_policy_id - type: integer - description: | - IPS policy ID which is applied on the traffic - - name: idp_policy_name - type: keyword - description: | - IPS policy name i.e. IPS policy name which is applied on the traffic - - name: in_interface - type: keyword - description: | - Interface for incoming traffic, e.g., Port A - - name: interface - type: keyword - description: | - interface - - name: ipaddress - type: keyword - description: | - Ipaddress - - name: ips_policy_id - type: integer - description: | - IPS policy ID applied on the traffic - - name: lease_time - type: keyword - description: | - Lease Time - - name: localgateway - type: keyword - description: | - Localgateway - - name: localnetwork - type: keyword - description: | - Localnetwork - - name: log_component - type: keyword - description: | - Component responsible for logging e.g. Firewall rule - - name: log_id - type: keyword - description: | - Unique 12 characters code (0101011) - - name: log_subtype - type: keyword - description: | - Sub type of event - - name: log_type - type: keyword - description: | - Type of event e.g. 
firewall event - - name: log_version - type: keyword - description: | - Log Version - - name: login_user - type: keyword - description: | - ATP login user - - name: mailid - type: keyword - description: | - mailid - - name: mailsize - type: integer - description: | - mailsize - - name: message - type: keyword - description: | - Message - - name: mode - type: keyword - description: | - Mode - - name: nat_rule_id - type: keyword - description: | - NAT Rule ID - - name: newversion - type: keyword - description: | - Newversion - - name: oldversion - type: keyword - description: | - Oldversion - - name: out_interface - type: keyword - description: | - Interface for outgoing traffic, e.g., Port B - - name: override_authorizer - type: keyword - description: | - Override authorizer - - name: override_name - type: keyword - description: | - Override name - - name: override_token - type: keyword - description: | - Override token - - name: phpsessid - type: keyword - description: | - PHP session ID - - name: platform - type: keyword - description: | - Platform of the traffic. 
- - name: policy_type - type: keyword - description: | - Policy type applied to the traffic - - name: priority - type: keyword - description: | - Severity level of traffic - - name: protocol - type: keyword - description: | - Protocol number of traffic - - name: qualifier - type: keyword - description: | - Qualifier - - name: quarantine - type: keyword - description: | - Path and filename of the file quarantined - - name: quarantine_reason - type: keyword - description: | - Quarantine reason - - name: querystring - type: keyword - description: | - querystring - - name: raw_data - type: keyword - description: | - Raw data - - name: received_pkts - type: long - description: | - Total number of packets received - - name: receiveddrops - type: long - description: | - received drops - - name: receivederrors - type: keyword - description: | - received errors - - name: receivedkbits - type: long - description: | - received kbits - - name: recv_bytes - type: long - description: | - Total number of bytes received - - name: red_id - type: keyword - description: | - RED ID - - name: referer - type: keyword - description: | - Referer - - name: remote_ip - type: ip - description: | - Remote IP - - name: remotenetwork - type: keyword - description: | - remotenetwork - - name: reported_host - type: keyword - description: | - Reported Host - - name: reported_ip - type: keyword - description: | - Reported IP - - name: reports - type: float - description: | - Reports - - name: rule_priority - type: keyword - description: | - Priority of IPS policy - - name: sent_bytes - type: long - description: | - Total number of bytes sent - - name: sent_pkts - type: long - description: | - Total number of packets sent - - name: server - type: keyword - description: | - Server - - name: sessionid - type: keyword - description: | - Sessionid - - name: sha1sum - type: keyword - description: | - SHA1 checksum of the item being analyzed - - name: signature - type: float - description: | - Signature - 
- name: signature_id - type: keyword - description: | - Signature ID - - name: signature_msg - type: keyword - description: | - Signature messsage - - name: site_category - type: keyword - description: | - Site Category - - name: source - type: keyword - description: | - Source - - name: sourceip - type: ip - description: | - Original source IP address of traffic - - name: spamaction - type: keyword - description: | - Spam Action - - name: sqli - type: keyword - description: | - related SQLI caught by the WAF - - name: src_country_code - type: keyword - description: | - Code of the country to which the source IP belongs - - name: src_domainname - type: keyword - description: | - Sender domain name - - name: src_ip - type: ip - description: | - Original source IP address of traffic - - name: src_mac - type: keyword - description: | - Original source MAC address of traffic - - name: src_port - type: integer - description: | - Original source port of TCP and UDP traffic - - name: src_zone_type - type: keyword - description: |- - Type of source zone - - name: ssid - type: keyword - description: | - Configured SSID name. - - name: start_time - type: date - description: | - Start time - - name: starttime - type: date - description: | - Starttime - - name: status - type: keyword - description: | - Ultimate status of traffic – Allowed or Denied - - name: status_code - type: keyword - description: | - Status code - - name: subject - type: keyword - description: | - Email subject - - name: syslog_server_name - type: keyword - description: | - Syslog server name - - name: syslog_server_name - type: keyword - description: | - Syslog server name. - - name: system_cpu - type: float - description: | - system - - name: target - type: keyword - description: | - Platform of the traffic. 
- - name: temp - type: float - description: | - Temp - - name: threatname - type: keyword - description: | - ATP threatname - - name: timestamp - type: date - description: | - timestamp - - name: timezone - type: keyword - description: | - Time (hh:mm:ss) when the event occurred - - name: to_email_address - type: keyword - description: | - Receipeint email address - - name: total_memory - type: integer - description: | - Total Memory - - name: trans_dst_ip - type: ip - description: | - Translated destination IP address for outgoing traffic - - name: trans_dst_port - type: integer - description: | - Translated destination port for outgoing traffic - - name: trans_src_ip - type: ip - description: | - Translated source IP address for outgoing traffic - - name: trans_src_port - type: integer - description: | - Translated source port for outgoing traffic - - name: transaction_id - type: keyword - description: | - Transaction ID - - name: transactionid - type: keyword - description: | - Transaction ID of the AV scan. - - name: transmitteddrops - type: long - description: | - transmitted drops - - name: transmittederrors - type: keyword - description: | - transmitted errors - - name: transmittedkbits - type: long - description: | - transmitted kbits - - name: unit - type: keyword - description: | - unit - - name: updatedip - type: ip - description: | - updatedip - - name: upload_file_name - type: keyword - description: | - Upload file name - - name: upload_file_type - type: keyword - description: | - Upload file type - - name: url - type: keyword - description: | - URL from which virus was downloaded - - name: used - type: integer - description: | - used - - name: used_quota - type: keyword - description: | - Used Quota - - name: user - type: keyword - description: | - User - - name: user_cpu - type: float - description: | - system - - name: user_gp - type: keyword - description: | - Group name to which the user belongs. 
- - name: user_group
- type: keyword
- description: |
- Group name to which the user belongs
- - name: user_name
- type: keyword
- description: |
- user_name
- - name: users
- type: long
- description: |
- Number of users from System Health / Live User events.
- - name: vconn_id
- type: integer
- description: |
- Connection ID of the master connection
- - name: virus
- type: keyword
- description: |
- virus name
- - name: web_policy_id
- type: keyword
- description: |
- Web policy ID
- - name: website
- type: keyword
- description: |
- Website
- - name: xss
- type: keyword
- description: |
- related XSS caught by the WAF
diff --git a/packages/sophos/2.4.1/data_stream/xg/manifest.yml b/packages/sophos/2.4.1/data_stream/xg/manifest.yml
deleted file mode 100755
index 7da1c15a18..0000000000
--- a/packages/sophos/2.4.1/data_stream/xg/manifest.yml
+++ /dev/null
@@ -1,221 +0,0 @@
-type: logs
-title: Sophos XG logs
-streams:
- - input: tcp
- vars:
- - name: syslog_host
- type: text
- title: Syslog Host
- description: The interface to listen on for syslog data. Set to `0.0.0.0` to bind to all available interfaces.
- multi: false
- required: true
- show_user: true
- default: localhost
- - name: syslog_port
- type: integer
- title: Syslog Port
- description: The port to listen on for syslog data.
- multi: false
- required: true
- show_user: true
- default: 9005
- - name: default_host_name
- type: text
- title: Default Host Name
- description: Host name / Observer name, since Sophos XG does not provide this in the syslog file.
- multi: false
- required: true
- show_user: true
- default: firewall.localgroup.local
- - name: known_devices
- type: yaml
- title: Known Devices
- description: |
- The Sophos XG firewalls do not include hostname in either the syslog header or body, and the only unique identifier for each firewall is the related serial number.
- This will match every known device serial number to a hostname. If no serial number appears the `default_host_name` will be used.
- multi: false
- required: true
- show_user: true
- default: |
- - hostname: my_fancy_host
- serial_number: "1234567890123456"
- - hostname: some_other_host.local
- serial_number: "1234567890123457"
- - name: tags
- type: text
- title: Tags
- multi: true
- required: true
- show_user: false
- default:
- - sophos-xg
- - forwarded
- - name: preserve_original_event
- required: true
- show_user: true
- title: Preserve original event
- description: Preserves a raw copy of the original event, added to the field `event.original`
- type: bool
- multi: false
- default: false
- - name: processors
- type: yaml
- title: Processors
- multi: false
- required: false
- show_user: false
- description: >
- Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed.
See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
- - name: ssl
- type: yaml
- title: SSL Configuration
- description: i.e. certificate, keys, supported_protocols, verification_mode etc. See [SSL](https://www.elastic.co/guide/en/beats/filebeat/current/configuration-ssl.html#ssl-server-config) for details.
- multi: false
- required: false
- show_user: false
- default: |
- #certificate: "/etc/server/cert.pem"
- #key: "/etc/server/key.pem"
- - name: tcp_options
- type: yaml
- title: Custom TCP Options
- multi: false
- required: false
- show_user: false
- default: |
- #max_connections: 1
- #framing: delimiter
- #line_delimiter: "\n"
- description: Specify custom configuration options for the TCP input. See [TCP](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-tcp.html) for details.
- template_path: tcp.yml.hbs
- title: Sophos XG logs
- description: Collect Sophos XG logs
- - input: udp
- vars:
- - name: syslog_host
- type: text
- title: Syslog Host
- description: The interface to listen on for syslog data. Set to `0.0.0.0` to bind to all available interfaces.
- multi: false
- required: true
- show_user: true
- default: localhost
- - name: syslog_port
- type: integer
- title: Syslog Port
- description: The port to listen on for syslog data.
- multi: false
- required: true
- show_user: true
- default: 9005
- - name: default_host_name
- type: text
- title: Default Host Name
- description: Host name / Observer name, since Sophos XG does not provide this in the syslog file.
- multi: false
- required: true
- show_user: true
- default: firewall.localgroup.local
- - name: known_devices
- type: yaml
- title: Known Devices
- description: |
- The Sophos XG firewalls do not include hostname in either the syslog header or body, and the only unique identifier for each firewall is the related serial number.
- This will match every known device serial number to a hostname.
If no serial number appears the `default_host_name` will be used.
- multi: false
- required: true
- show_user: true
- default: |
- - hostname: my_fancy_host
- serial_number: "1234567890123456"
- - hostname: some_other_host.local
- serial_number: "1234567890123457"
- - name: tags
- type: text
- title: Tags
- multi: true
- required: true
- show_user: false
- default:
- - sophos-xg
- - forwarded
- - name: preserve_original_event
- required: true
- show_user: true
- title: Preserve original event
- description: Preserves a raw copy of the original event, added to the field `event.original`
- type: bool
- multi: false
- default: false
- - name: processors
- type: yaml
- title: Processors
- multi: false
- required: false
- show_user: false
- description: >
- Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
-
- template_path: udp.yml.hbs
- title: Sophos XG logs
- description: Collect Sophos XG logs
- - input: logfile
- vars:
- - name: paths
- type: text
- title: Paths
- multi: true
- required: true
- show_user: true
- - name: default_host_name
- type: text
- title: Default Host Name
- description: Host name / Observer name, since Sophos XG does not provide this in the syslog file.
- multi: false
- required: true
- show_user: true
- default: firewall.localgroup.local
- - name: known_devices
- type: yaml
- title: Known Devices
- description: |
- The Sophos XG firewalls do not include hostname in either the syslog header or body, and the only unique identifier for each firewall is the related serial number.
- This will match every known device serial number to a hostname. If no serial number appears the `default_host_name` will be used.
- multi: false
- required: true
- show_user: true
- default: |
- - hostname: my_fancy_host
- serial_number: "1234567890123456"
- - hostname: some_other_host.local
- serial_number: "1234567890123457"
- - name: tags
- type: text
- title: Tags
- multi: true
- required: true
- show_user: false
- default:
- - sophos-xg
- - forwarded
- - name: preserve_original_event
- required: true
- show_user: true
- title: Preserve original event
- description: Preserves a raw copy of the original event, added to the field `event.original`
- type: bool
- multi: false
- default: false
- - name: processors
- type: yaml
- title: Processors
- multi: false
- required: false
- show_user: false
- description: >
- Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
-
- template_path: log.yml.hbs
- title: Sophos XG logs
- description: Collect Sophos XG logs
diff --git a/packages/sophos/2.4.1/data_stream/xg/sample_event.json b/packages/sophos/2.4.1/data_stream/xg/sample_event.json
deleted file mode 100755
index ddf5f48645..0000000000
--- a/packages/sophos/2.4.1/data_stream/xg/sample_event.json
+++ /dev/null
@@ -1,91 +0,0 @@
-{
- "@timestamp": "2016-12-02T18:50:20.000Z",
- "agent": {
- "ephemeral_id": "b1eb8b45-bca7-40b1-b2f4-9d5c87e449bc",
- "id": "dee3c982-4bd2-4c06-b207-fe0ce9ef19c5",
- "name": "docker-fleet-agent",
- "type": "filebeat",
- "version": "8.1.2"
- },
- "data_stream": {
- "dataset": "sophos.xg",
- "namespace": "ep",
- "type": "logs"
- },
- "ecs": {
- "version": "8.3.0"
- },
- "elastic_agent": {
- "id": "dee3c982-4bd2-4c06-b207-fe0ce9ef19c5",
- "snapshot": false,
- "version": "8.1.2"
- },
- "event": {
- "action": "alert",
- "agent_id_status": "verified",
- "category": [
- "network"
- ],
- "code": "16010",
- "dataset": "sophos.xg",
- "ingested": "2022-04-20T20:13:02Z",
- "kind": "event",
- "outcome": "success",
- "severity": 1,
- "timezone": "+00:00"
- },
- "host": {
- "name": "XG230"
- },
- "input": {
- "type": "udp"
- },
- "log": {
- "level": "alert",
- "source": {
- "address": "172.31.0.8:48162"
- }
- },
- "observer": {
- "product": "XG",
- "serial_number": "1234567890123456",
- "type": "firewall",
- "vendor": "Sophos"
- },
- "related": {
- "hosts": [
- "XG230"
- ],
- "ip": [
- "10.108.108.49"
- ]
- },
- "sophos": {
- "xg": {
- "action": "Deny",
- "context_match": "Not",
- "context_prefix": "blah blah hello ",
- "context_suffix": " hello blah ",
- "device": "SFW",
- "device_name": "SF01V",
- "dictionary_name": "complicated_Custom",
- "direction": "in",
- "file_name": "cgi_echo.pl",
- "log_component": "Web Content Policy",
- "log_id": "058420116010",
- "log_subtype": "Alert",
- "log_type": "Content Filtering",
- "site_category": "Information Technology",
- "transaction_id": "e4a127f7-a850-477c-920e-a471b38727c1",
- "user": "gi123456",
- "website": "ta-web-static-testing.qa. astaro.de"
- }
- },
- "source": {
- "ip": "10.108.108.49"
- },
- "tags": [
- "sophos-xg",
- "forwarded"
- ]
-}
\ No newline at end of file
diff --git a/packages/sophos/2.4.1/docs/README.md b/packages/sophos/2.4.1/docs/README.md
deleted file mode 100755
index 2e0a9ca640..0000000000
--- a/packages/sophos/2.4.1/docs/README.md
+++ /dev/null
@@ -1,1331 +0,0 @@ -# Sophos Integration - -The Sophos integration collects and parses logs from Sophos Products. - -Currently it accepts logs in syslog format or from a file for the following devices: - -- `utm` dataset: supports [Unified Threat Management](https://www.sophos.com/en-us/support/documentation/sophos-utm) (formerly known as Astaro Security Gateway) logs. -- `xg` dataset: supports [Sophos XG SFOS logs](https://docs.sophos.com/nsg/sophos-firewall/17.5/Help/en-us/webhelp/onlinehelp/nsg/sfos/concepts/Logs.html). - -To configure a remote syslog destination, please reference the [SophosXG/SFOS Documentation](https://community.sophos.com/kb/en-us/123184). - -The syslog format chosen should be `Default`. - -## Compatibility - -This module has been tested against SFOS version 17.5.x and 18.0.x. -Versions above this are expected to work but have not been tested. - -## Logs - -### Utm log - -The `utm` dataset collects Unified Threat Management logs. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| client.domain | The domain name of the client system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | -| client.registered_domain | The highest registered client domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | -| client.subdomain | The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. 
In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword | -| client.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | -| container.id | Unique container id. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| destination.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| destination.as.organization.name | Organization name. | keyword | -| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. | match_only_text | -| destination.bytes | Bytes sent from the destination to the source. | long | -| destination.domain | The domain name of the destination system. This value may be a host name, a fully qualified domain name, or another host naming format. 
The value may derive from the original event or be added from enrichment. | keyword | -| destination.geo.city_name | City name. | keyword | -| destination.geo.country_name | Country name. | keyword | -| destination.geo.location | Longitude and latitude. | geo_point | -| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | -| destination.mac | MAC address of the destination. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | -| destination.nat.ip | Translated ip of destination based NAT sessions (e.g. internet to private DMZ) Typically used with load balancers, firewalls, or routers. | ip | -| destination.nat.port | Port the source session is translated to by NAT Device. Typically used with load balancers, firewalls, or routers. | long | -| destination.port | Port of the destination. | long | -| destination.registered_domain | The highest registered destination domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | -| destination.subdomain | The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. 
| keyword | -| destination.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | -| dns.answers.name | The domain name to which this resource record pertains. If a chain of CNAME is being resolved, each answer's `name` should be the one that corresponds with the answer's `data`. It should not simply be the original `question.name` repeated. | keyword | -| dns.answers.type | The type of data contained in this resource record. | keyword | -| dns.question.domain | Server domain. | keyword | -| dns.question.registered_domain | The highest registered domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | -| dns.question.subdomain | The subdomain is all of the labels under the registered_domain. If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword | -| dns.question.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". 
| keyword | -| dns.question.type | The type of record being queried. | keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| error.message | Error message. | match_only_text | -| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword | -| event.code | Identification code for this event, if one exists. Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. | keyword | -| event.dataset | Event dataset | constant_keyword | -| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | -| event.module | Event module | constant_keyword | -| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. 
| keyword | -| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | -| event.timezone | This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). | keyword | -| file.attributes | Array of file attributes. Attributes names will vary by platform. Here's a non-exhaustive list of values that are expected in this field: archive, compressed, directory, encrypted, execute, hidden, read, readonly, system, write. | keyword | -| file.directory | Directory where the file is located. It should include the drive letter, when appropriate. | keyword | -| file.extension | File extension, excluding the leading dot. Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword | -| file.name | Name of the file including the extension, without the directory. 
| keyword | -| file.path | Full path to the file, including the file name. It should include the drive letter, when appropriate. | keyword | -| file.path.text | Multi-field of `file.path`. | match_only_text | -| file.size | File size in bytes. Only relevant when `file.type` is "file". | long | -| file.type | File type (file, dir, or symlink). | keyword | -| geo.city_name | City name. | keyword | -| geo.country_name | Country name. | keyword | -| geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | -| geo.region_name | Region name. | keyword | -| group.id | Unique identifier for the group on the system/platform. | keyword | -| group.name | Name of the group. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host MAC addresses. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| http.request.method | HTTP request method. The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field. | keyword | -| http.request.referrer | Referrer for this HTTP request. | keyword | -| input.type | Type of Filebeat input. | keyword | -| log.file.path | Full path to the log file this event came from. | keyword | -| log.flags | Flags for the log file. 
| keyword | -| log.level | Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). Some examples are `warn`, `err`, `i`, `informational`. | keyword | -| log.offset | Offset of the entry in the log file. | long | -| log.source.address | Source address from which the log event was read / sent from. | keyword | -| log.syslog.facility.code | The Syslog numeric facility of the log event, if available. According to RFCs 5424 and 3164, this value should be an integer between 0 and 23. | long | -| log.syslog.priority | Syslog numeric priority of the event, if available. According to RFCs 5424 and 3164, the priority is 8 \* facility + severity. This number is therefore expected to contain a value between 0 and 191. | long | -| log.syslog.severity.code | The Syslog numeric severity of the log event, if available. If the event source publishing via Syslog provides a different numeric severity value (e.g. firewall, IDS), your source's numeric severity should go to `event.severity`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `event.severity`. | long | -| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | -| network.application | When a specific application or service is identified from network connection details (source/dest IPs, ports, certificates, or wire format), this field captures the application's or service's name. 
For example, the original event identifies the network connection being from a specific web service in a `https` network connection, like `facebook` or `twitter`. The field value must be normalized to lowercase for querying. | keyword | -| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long | -| network.direction | Direction of the network traffic. When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword | -| network.forwarded_ip | Host IP address when the source IP address is the proxy. | ip | -| network.interface.name | | keyword | -| network.packets | Total packets transferred in both directions. If `source.packets` and `destination.packets` are known, `network.packets` is their sum. | long | -| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword | -| observer.egress.interface.name | Interface name as reported by the system. | keyword | -| observer.ingress.interface.name | Interface name as reported by the system. | keyword | -| observer.product | The product name of the observer. | keyword | -| observer.type | The type of the observer the data is coming from. There is no predefined list of observer types. 
Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. | keyword | -| observer.vendor | Vendor name of the observer. | keyword | -| observer.version | Observer version. | keyword | -| process.name | Process name. Sometimes called program name or similar. | keyword | -| process.name.text | Multi-field of `process.name`. | match_only_text | -| process.parent.name | Process name. Sometimes called program name or similar. | keyword | -| process.parent.name.text | Multi-field of `process.parent.name`. | match_only_text | -| process.parent.pid | Process id. | long | -| process.parent.title | Process title. The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. | keyword | -| process.parent.title.text | Multi-field of `process.parent.title`. | match_only_text | -| process.pid | Process id. | long | -| process.title | Process title. The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. | keyword | -| process.title.text | Multi-field of `process.title`. | match_only_text | -| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| related.user | All the user names or other user identifiers seen on the event. 
| keyword | -| rsa.counters.dclass_c1 | This is a generic counter key that should be used with the label dclass.c1.str only | long | -| rsa.counters.dclass_c1_str | This is a generic counter string key that should be used with the label dclass.c1 only | keyword | -| rsa.counters.dclass_c2 | This is a generic counter key that should be used with the label dclass.c2.str only | long | -| rsa.counters.dclass_c2_str | This is a generic counter string key that should be used with the label dclass.c2 only | keyword | -| rsa.counters.dclass_c3 | This is a generic counter key that should be used with the label dclass.c3.str only | long | -| rsa.counters.dclass_c3_str | This is a generic counter string key that should be used with the label dclass.c3 only | keyword | -| rsa.counters.dclass_r1 | This is a generic ratio key that should be used with the label dclass.r1.str only | keyword | -| rsa.counters.dclass_r1_str | This is a generic ratio string key that should be used with the label dclass.r1 only | keyword | -| rsa.counters.dclass_r2 | This is a generic ratio key that should be used with the label dclass.r2.str only | keyword | -| rsa.counters.dclass_r2_str | This is a generic ratio string key that should be used with the label dclass.r2 only | keyword | -| rsa.counters.dclass_r3 | This is a generic ratio key that should be used with the label dclass.r3.str only | keyword | -| rsa.counters.dclass_r3_str | This is a generic ratio string key that should be used with the label dclass.r3 only | keyword | -| rsa.counters.event_counter | This is used to capture the number of times an event repeated | long | -| rsa.crypto.cert_ca | This key is used to capture the Certificate signing authority only | keyword | -| rsa.crypto.cert_checksum | | keyword | -| rsa.crypto.cert_common | This key is used to capture the Certificate common name only | keyword | -| rsa.crypto.cert_error | This key captures the Certificate Error String | keyword | -| rsa.crypto.cert_host_cat | This key is 
used for the hostname category value of a certificate | keyword | -| rsa.crypto.cert_host_name | Deprecated key defined only in table map. | keyword | -| rsa.crypto.cert_issuer | | keyword | -| rsa.crypto.cert_keysize | | keyword | -| rsa.crypto.cert_serial | This key is used to capture the Certificate serial number only | keyword | -| rsa.crypto.cert_status | This key captures Certificate validation status | keyword | -| rsa.crypto.cert_subject | This key is used to capture the Certificate organization only | keyword | -| rsa.crypto.cert_username | | keyword | -| rsa.crypto.cipher_dst | This key is for Destination (Server) Cipher | keyword | -| rsa.crypto.cipher_size_dst | This key captures Destination (Server) Cipher Size | long | -| rsa.crypto.cipher_size_src | This key captures Source (Client) Cipher Size | long | -| rsa.crypto.cipher_src | This key is for Source (Client) Cipher | keyword | -| rsa.crypto.crypto | This key is used to capture the Encryption Type or Encryption Key only | keyword | -| rsa.crypto.d_certauth | | keyword | -| rsa.crypto.https_insact | | keyword | -| rsa.crypto.https_valid | | keyword | -| rsa.crypto.ike | IKE negotiation phase. 
| keyword | -| rsa.crypto.ike_cookie1 | ID of the negotiation — sent for ISAKMP Phase One | keyword | -| rsa.crypto.ike_cookie2 | ID of the negotiation — sent for ISAKMP Phase Two | keyword | -| rsa.crypto.peer | This key is for Encryption peer's IP Address | keyword | -| rsa.crypto.peer_id | This key is for Encryption peer’s identity | keyword | -| rsa.crypto.s_certauth | | keyword | -| rsa.crypto.scheme | This key captures the Encryption scheme used | keyword | -| rsa.crypto.sig_type | This key captures the Signature Type | keyword | -| rsa.crypto.ssl_ver_dst | Deprecated, use version | keyword | -| rsa.crypto.ssl_ver_src | Deprecated, use version | keyword | -| rsa.db.database | This key is used to capture the name of a database or an instance as seen in a session | keyword | -| rsa.db.db_id | This key is used to capture the unique identifier for a database | keyword | -| rsa.db.db_pid | This key captures the process id of a connection with database server | long | -| rsa.db.index | This key captures IndexID of the index. | keyword | -| rsa.db.instance | This key is used to capture the database server instance name | keyword | -| rsa.db.lread | This key is used for the number of logical reads | long | -| rsa.db.lwrite | This key is used for the number of logical writes | long | -| rsa.db.permissions | This key captures permission or privilege level assigned to a resource. 
| keyword | -| rsa.db.pread | This key is used for the number of physical writes | long | -| rsa.db.table_name | This key is used to capture the table name | keyword | -| rsa.db.transact_id | This key captures the SQL transantion ID of the current session | keyword | -| rsa.email.email | This key is used to capture a generic email address where the source or destination context is not clear | keyword | -| rsa.email.email_dst | This key is used to capture the Destination email address only, when the destination context is not clear use email | keyword | -| rsa.email.email_src | This key is used to capture the source email address only, when the source context is not clear use email | keyword | -| rsa.email.subject | This key is used to capture the subject string from an Email only. | keyword | -| rsa.email.trans_from | Deprecated key defined only in table map. | keyword | -| rsa.email.trans_to | Deprecated key defined only in table map. | keyword | -| rsa.endpoint.host_state | This key is used to capture the current state of the machine, such as \blacklisted\, \infected\, \firewall disabled\ and so on | keyword | -| rsa.endpoint.registry_key | This key captures the path to the registry key | keyword | -| rsa.endpoint.registry_value | This key captures values or decorators used within a registry entry | keyword | -| rsa.file.attachment | This key captures the attachment file name | keyword | -| rsa.file.binary | Deprecated key defined only in table map. 
| keyword | -| rsa.file.directory_dst | \This key is used to capture the directory of the target process or file\ | keyword | -| rsa.file.directory_src | This key is used to capture the directory of the source process or file | keyword | -| rsa.file.file_entropy | This is used to capture entropy vale of a file | double | -| rsa.file.file_vendor | This is used to capture Company name of file located in version_info | keyword | -| rsa.file.filename_dst | This is used to capture name of the file targeted by the action | keyword | -| rsa.file.filename_src | This is used to capture name of the parent filename, the file which performed the action | keyword | -| rsa.file.filename_tmp | | keyword | -| rsa.file.filesystem | | keyword | -| rsa.file.privilege | Deprecated, use permissions | keyword | -| rsa.file.task_name | This is used to capture name of the task | keyword | -| rsa.healthcare.patient_fname | This key is for First Names only, this is used for Healthcare predominantly to capture Patients information | keyword | -| rsa.healthcare.patient_id | This key captures the unique ID for a patient | keyword | -| rsa.healthcare.patient_lname | This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information | keyword | -| rsa.healthcare.patient_mname | This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information | keyword | -| rsa.identity.accesses | This key is used to capture actual privileges used in accessing an object | keyword | -| rsa.identity.auth_method | This key is used to capture authentication methods used only | keyword | -| rsa.identity.dn | X.500 (LDAP) Distinguished Name | keyword | -| rsa.identity.dn_dst | An X.500 (LDAP) Distinguished name that used in a context that indicates a Destination dn | keyword | -| rsa.identity.dn_src | An X.500 (LDAP) Distinguished name that is used in a context that indicates a Source dn | keyword | -| rsa.identity.federated_idp | This 
key is the federated Identity Provider. This is the server providing the authentication. | keyword | -| rsa.identity.federated_sp | This key is the Federated Service Provider. This is the application requesting authentication. | keyword | -| rsa.identity.firstname | This key is for First Names only, this is used for Healthcare predominantly to capture Patients information | keyword | -| rsa.identity.host_role | This key should only be used to capture the role of a Host Machine | keyword | -| rsa.identity.lastname | This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information | keyword | -| rsa.identity.ldap | This key is for Uninterpreted LDAP values. Ldap Values that don’t have a clear query or response context | keyword | -| rsa.identity.ldap_query | This key is the Search criteria from an LDAP search | keyword | -| rsa.identity.ldap_response | This key is to capture Results from an LDAP search | keyword | -| rsa.identity.logon_type | This key is used to capture the type of logon method used. | keyword | -| rsa.identity.logon_type_desc | This key is used to capture the textual description of an integer logon type as stored in the meta key 'logon.type'. 
| keyword | -| rsa.identity.middlename | This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information | keyword | -| rsa.identity.org | This key captures the User organization | keyword | -| rsa.identity.owner | This is used to capture username the process or service is running as, the author of the task | keyword | -| rsa.identity.password | This key is for Passwords seen in any session, plain text or encrypted | keyword | -| rsa.identity.profile | This key is used to capture the user profile | keyword | -| rsa.identity.realm | Radius realm or similar grouping of accounts | keyword | -| rsa.identity.service_account | This key is a windows specific key, used for capturing name of the account a service (referenced in the event) is running under. Legacy Usage | keyword | -| rsa.identity.user_dept | User's Department Names only | keyword | -| rsa.identity.user_role | This key is used to capture the Role of a user only | keyword | -| rsa.identity.user_sid_dst | This key captures Destination User Session ID | keyword | -| rsa.identity.user_sid_src | This key captures Source User Session ID | keyword | -| rsa.internal.audit_class | Deprecated key defined only in table map. | keyword | -| rsa.internal.cid | This is the unique identifier used to identify a NetWitness Concentrator. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | -| rsa.internal.data | Deprecated key defined only in table map. | keyword | -| rsa.internal.dead | Deprecated key defined only in table map. | long | -| rsa.internal.device_class | This is the Classification of the Log Event Source under a predefined fixed set of Event Source Classifications. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | -| rsa.internal.device_group | This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | -| rsa.internal.device_host | This is the Hostname of the log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | -| rsa.internal.device_ip | This is the IPv4 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | ip | -| rsa.internal.device_ipv6 | This is the IPv6 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | ip | -| rsa.internal.device_type | This is the name of the log parser which parsed a given session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | -| rsa.internal.device_type_id | Deprecated key defined only in table map. | long | -| rsa.internal.did | This is the unique identifier used to identify a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | -| rsa.internal.entropy_req | This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration | long | -| rsa.internal.entropy_res | This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration | long | -| rsa.internal.entry | Deprecated key defined only in table map. 
| keyword | -| rsa.internal.event_desc | | keyword | -| rsa.internal.event_name | Deprecated key defined only in table map. | keyword | -| rsa.internal.feed_category | This is used to capture the category of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | -| rsa.internal.feed_desc | This is used to capture the description of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | -| rsa.internal.feed_name | This is used to capture the name of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | -| rsa.internal.forward_ip | This key should be used to capture the IPV4 address of a relay system which forwarded the events from the original system to NetWitness. | ip | -| rsa.internal.forward_ipv6 | This key is used to capture the IPV6 address of a relay system which forwarded the events from the original system to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | ip | -| rsa.internal.hcode | Deprecated key defined only in table map. | keyword | -| rsa.internal.header_id | This is the Header ID value that identifies the exact log parser header definition that parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | -| rsa.internal.inode | Deprecated key defined only in table map. | long | -| rsa.internal.lc_cid | This is a unique Identifier of a Log Collector. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | -| rsa.internal.lc_ctime | This is the time at which a log is collected in a NetWitness Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | date | -| rsa.internal.level | Deprecated key defined only in table map. | long | -| rsa.internal.mcb_req | This key is only used by the Entropy Parser, the most common byte request is simply which byte for each side (0 thru 255) was seen the most | long | -| rsa.internal.mcb_res | This key is only used by the Entropy Parser, the most common byte response is simply which byte for each side (0 thru 255) was seen the most | long | -| rsa.internal.mcbc_req | This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams | long | -| rsa.internal.mcbc_res | This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams | long | -| rsa.internal.medium | This key is used to identify if it’s a log/packet session or Layer 2 Encapsulation Type. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. 32 = log, 33 = correlation session, < 32 is packet session | long | -| rsa.internal.message | This key captures the contents of instant messages | keyword | -| rsa.internal.messageid | | keyword | -| rsa.internal.msg | This key is used to capture the raw message that comes into the Log Decoder | keyword | -| rsa.internal.msg_id | This is the Message ID1 value that identifies the exact log parser definition which parses a particular log session. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | -| rsa.internal.msg_vid | This is the Message ID2 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | -| rsa.internal.node_name | Deprecated key defined only in table map. | keyword | -| rsa.internal.nwe_callback_id | This key denotes that event is endpoint related | keyword | -| rsa.internal.obj_id | Deprecated key defined only in table map. | keyword | -| rsa.internal.obj_server | Deprecated key defined only in table map. | keyword | -| rsa.internal.obj_val | Deprecated key defined only in table map. | keyword | -| rsa.internal.parse_error | This is a special key that stores any Meta key validation error found while parsing a log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | -| rsa.internal.payload_req | This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep | long | -| rsa.internal.payload_res | This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep | long | -| rsa.internal.process_vid_dst | Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the target process. | keyword | -| rsa.internal.process_vid_src | Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the source process. | keyword | -| rsa.internal.resource | Deprecated key defined only in table map. 
| keyword | -| rsa.internal.resource_class | Deprecated key defined only in table map. | keyword | -| rsa.internal.rid | This is a special ID of the Remote Session created by NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | long | -| rsa.internal.session_split | This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | -| rsa.internal.site | Deprecated key defined only in table map. | keyword | -| rsa.internal.size | This is the size of the session as seen by the NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | long | -| rsa.internal.sourcefile | This is the name of the log file or PCAPs that can be imported into NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | -| rsa.internal.statement | Deprecated key defined only in table map. | keyword | -| rsa.internal.time | This is the time at which a session hits a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. | date | -| rsa.internal.ubc_req | This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once | long | -| rsa.internal.ubc_res | This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 
256 would mean all byte values of 0 thru 255 were seen at least once | long | -| rsa.internal.word | This is used by the Word Parsing technology to capture the first 5 character of every word in an unparsed log | keyword | -| rsa.investigations.analysis_file | This is used to capture all indicators used in a File Analysis. This key should be used to capture an analysis of a file | keyword | -| rsa.investigations.analysis_service | This is used to capture all indicators used in a Service Analysis. This key should be used to capture an analysis of a service | keyword | -| rsa.investigations.analysis_session | This is used to capture all indicators used for a Session Analysis. This key should be used to capture an analysis of a session | keyword | -| rsa.investigations.boc | This is used to capture behaviour of compromise | keyword | -| rsa.investigations.ec_activity | This key captures the particular event activity(Ex:Logoff) | keyword | -| rsa.investigations.ec_outcome | This key captures the outcome of a particular Event(Ex:Success) | keyword | -| rsa.investigations.ec_subject | This key captures the Subject of a particular Event(Ex:User) | keyword | -| rsa.investigations.ec_theme | This key captures the Theme of a particular Event(Ex:Authentication) | keyword | -| rsa.investigations.eoc | This is used to capture Enablers of Compromise | keyword | -| rsa.investigations.event_cat | This key captures the Event category number | long | -| rsa.investigations.event_cat_name | This key captures the event category name corresponding to the event cat code | keyword | -| rsa.investigations.event_vcat | This is a vendor supplied category. This should be used in situations where the vendor has adopted their own event_category taxonomy. 
| keyword | -| rsa.investigations.inv_category | This used to capture investigation category | keyword | -| rsa.investigations.inv_context | This used to capture investigation context | keyword | -| rsa.investigations.ioc | This is key capture indicator of compromise | keyword | -| rsa.misc.OS | This key captures the Name of the Operating System | keyword | -| rsa.misc.acl_id | | keyword | -| rsa.misc.acl_op | | keyword | -| rsa.misc.acl_pos | | keyword | -| rsa.misc.acl_table | | keyword | -| rsa.misc.action | | keyword | -| rsa.misc.admin | | keyword | -| rsa.misc.agent_id | This key is used to capture agent id | keyword | -| rsa.misc.alarm_id | | keyword | -| rsa.misc.alarmname | | keyword | -| rsa.misc.alert_id | Deprecated, New Hunting Model (inv.\*, ioc, boc, eoc, analysis.\*) | keyword | -| rsa.misc.app_id | | keyword | -| rsa.misc.audit | | keyword | -| rsa.misc.audit_object | | keyword | -| rsa.misc.auditdata | | keyword | -| rsa.misc.autorun_type | This is used to capture Auto Run type | keyword | -| rsa.misc.benchmark | | keyword | -| rsa.misc.bypass | | keyword | -| rsa.misc.cache | | keyword | -| rsa.misc.cache_hit | | keyword | -| rsa.misc.category | This key is used to capture the category of an event given by the vendor in the session | keyword | -| rsa.misc.cc_number | Valid Credit Card Numbers only | long | -| rsa.misc.cefversion | | keyword | -| rsa.misc.cfg_attr | | keyword | -| rsa.misc.cfg_obj | | keyword | -| rsa.misc.cfg_path | | keyword | -| rsa.misc.change_attrib | This key is used to capture the name of the attribute that’s changing in a session | keyword | -| rsa.misc.change_new | This key is used to capture the new values of the attribute that’s changing in a session | keyword | -| rsa.misc.change_old | This key is used to capture the old value of the attribute that’s changing in a session | keyword | -| rsa.misc.changes | | keyword | -| rsa.misc.checksum | This key is used to capture the checksum or hash of the entity such as a file or 
process. Checksum should be used over checksum.src or checksum.dst when it is unclear whether the entity is a source or target of an action. | keyword | -| rsa.misc.checksum_dst | This key is used to capture the checksum or hash of the the target entity such as a process or file. | keyword | -| rsa.misc.checksum_src | This key is used to capture the checksum or hash of the source entity such as a file or process. | keyword | -| rsa.misc.client | This key is used to capture only the name of the client application requesting resources of the server. See the user.agent meta key for capture of the specific user agent identifier or browser identification string. | keyword | -| rsa.misc.client_ip | | keyword | -| rsa.misc.clustermembers | | keyword | -| rsa.misc.cmd | | keyword | -| rsa.misc.cn_acttimeout | | keyword | -| rsa.misc.cn_asn_src | | keyword | -| rsa.misc.cn_bgpv4nxthop | | keyword | -| rsa.misc.cn_ctr_dst_code | | keyword | -| rsa.misc.cn_dst_tos | | keyword | -| rsa.misc.cn_dst_vlan | | keyword | -| rsa.misc.cn_engine_id | | keyword | -| rsa.misc.cn_engine_type | | keyword | -| rsa.misc.cn_f_switch | | keyword | -| rsa.misc.cn_flowsampid | | keyword | -| rsa.misc.cn_flowsampintv | | keyword | -| rsa.misc.cn_flowsampmode | | keyword | -| rsa.misc.cn_inacttimeout | | keyword | -| rsa.misc.cn_inpermbyts | | keyword | -| rsa.misc.cn_inpermpckts | | keyword | -| rsa.misc.cn_invalid | | keyword | -| rsa.misc.cn_ip_proto_ver | | keyword | -| rsa.misc.cn_ipv4_ident | | keyword | -| rsa.misc.cn_l_switch | | keyword | -| rsa.misc.cn_log_did | | keyword | -| rsa.misc.cn_log_rid | | keyword | -| rsa.misc.cn_max_ttl | | keyword | -| rsa.misc.cn_maxpcktlen | | keyword | -| rsa.misc.cn_min_ttl | | keyword | -| rsa.misc.cn_minpcktlen | | keyword | -| rsa.misc.cn_mpls_lbl_1 | | keyword | -| rsa.misc.cn_mpls_lbl_10 | | keyword | -| rsa.misc.cn_mpls_lbl_2 | | keyword | -| rsa.misc.cn_mpls_lbl_3 | | keyword | -| rsa.misc.cn_mpls_lbl_4 | | keyword | -| rsa.misc.cn_mpls_lbl_5 | 
| keyword | -| rsa.misc.cn_mpls_lbl_6 | | keyword | -| rsa.misc.cn_mpls_lbl_7 | | keyword | -| rsa.misc.cn_mpls_lbl_8 | | keyword | -| rsa.misc.cn_mpls_lbl_9 | | keyword | -| rsa.misc.cn_mplstoplabel | | keyword | -| rsa.misc.cn_mplstoplabip | | keyword | -| rsa.misc.cn_mul_dst_byt | | keyword | -| rsa.misc.cn_mul_dst_pks | | keyword | -| rsa.misc.cn_muligmptype | | keyword | -| rsa.misc.cn_sampalgo | | keyword | -| rsa.misc.cn_sampint | | keyword | -| rsa.misc.cn_seqctr | | keyword | -| rsa.misc.cn_spackets | | keyword | -| rsa.misc.cn_src_tos | | keyword | -| rsa.misc.cn_src_vlan | | keyword | -| rsa.misc.cn_sysuptime | | keyword | -| rsa.misc.cn_template_id | | keyword | -| rsa.misc.cn_totbytsexp | | keyword | -| rsa.misc.cn_totflowexp | | keyword | -| rsa.misc.cn_totpcktsexp | | keyword | -| rsa.misc.cn_unixnanosecs | | keyword | -| rsa.misc.cn_v6flowlabel | | keyword | -| rsa.misc.cn_v6optheaders | | keyword | -| rsa.misc.code | | keyword | -| rsa.misc.command | | keyword | -| rsa.misc.comments | Comment information provided in the log message | keyword | -| rsa.misc.comp_class | | keyword | -| rsa.misc.comp_name | | keyword | -| rsa.misc.comp_rbytes | | keyword | -| rsa.misc.comp_sbytes | | keyword | -| rsa.misc.comp_version | This key captures the Version level of a sub-component of a product. | keyword | -| rsa.misc.connection_id | This key captures the Connection ID | keyword | -| rsa.misc.content | This key captures the content type from protocol headers | keyword | -| rsa.misc.content_type | This key is used to capture Content Type only. | keyword | -| rsa.misc.content_version | This key captures Version level of a signature or database content. | keyword | -| rsa.misc.context | This key captures Information which adds additional context to the event. 
| keyword | -| rsa.misc.context_subject | This key is to be used in an audit context where the subject is the object being identified | keyword | -| rsa.misc.context_target | | keyword | -| rsa.misc.count | | keyword | -| rsa.misc.cpu | This key is the CPU time used in the execution of the event being recorded. | long | -| rsa.misc.cpu_data | | keyword | -| rsa.misc.criticality | | keyword | -| rsa.misc.cs_agency_dst | | keyword | -| rsa.misc.cs_analyzedby | | keyword | -| rsa.misc.cs_av_other | | keyword | -| rsa.misc.cs_av_primary | | keyword | -| rsa.misc.cs_av_secondary | | keyword | -| rsa.misc.cs_bgpv6nxthop | | keyword | -| rsa.misc.cs_bit9status | | keyword | -| rsa.misc.cs_context | | keyword | -| rsa.misc.cs_control | | keyword | -| rsa.misc.cs_data | | keyword | -| rsa.misc.cs_datecret | | keyword | -| rsa.misc.cs_dst_tld | | keyword | -| rsa.misc.cs_eth_dst_ven | | keyword | -| rsa.misc.cs_eth_src_ven | | keyword | -| rsa.misc.cs_event_uuid | | keyword | -| rsa.misc.cs_filetype | | keyword | -| rsa.misc.cs_fld | | keyword | -| rsa.misc.cs_if_desc | | keyword | -| rsa.misc.cs_if_name | | keyword | -| rsa.misc.cs_ip_next_hop | | keyword | -| rsa.misc.cs_ipv4dstpre | | keyword | -| rsa.misc.cs_ipv4srcpre | | keyword | -| rsa.misc.cs_lifetime | | keyword | -| rsa.misc.cs_log_medium | | keyword | -| rsa.misc.cs_loginname | | keyword | -| rsa.misc.cs_modulescore | | keyword | -| rsa.misc.cs_modulesign | | keyword | -| rsa.misc.cs_opswatresult | | keyword | -| rsa.misc.cs_payload | | keyword | -| rsa.misc.cs_registrant | | keyword | -| rsa.misc.cs_registrar | | keyword | -| rsa.misc.cs_represult | | keyword | -| rsa.misc.cs_rpayload | | keyword | -| rsa.misc.cs_sampler_name | | keyword | -| rsa.misc.cs_sourcemodule | | keyword | -| rsa.misc.cs_streams | | keyword | -| rsa.misc.cs_targetmodule | | keyword | -| rsa.misc.cs_v6nxthop | | keyword | -| rsa.misc.cs_whois_server | | keyword | -| rsa.misc.cs_yararesult | | keyword | -| rsa.misc.cve | This key captures 
CVE (Common Vulnerabilities and Exposures) - an identifier for known information security vulnerabilities. | keyword | -| rsa.misc.data_type | | keyword | -| rsa.misc.description | | keyword | -| rsa.misc.device_name | This is used to capture name of the Device associated with the node Like: a physical disk, printer, etc | keyword | -| rsa.misc.devvendor | | keyword | -| rsa.misc.disposition | This key captures the The end state of an action. | keyword | -| rsa.misc.distance | | keyword | -| rsa.misc.doc_number | This key captures File Identification number | long | -| rsa.misc.dstburb | | keyword | -| rsa.misc.edomain | | keyword | -| rsa.misc.edomaub | | keyword | -| rsa.misc.ein_number | Employee Identification Numbers only | long | -| rsa.misc.error | This key captures All non successful Error codes or responses | keyword | -| rsa.misc.euid | | keyword | -| rsa.misc.event_category | | keyword | -| rsa.misc.event_computer | This key is a windows only concept, where this key is used to capture fully qualified domain name in a windows log. | keyword | -| rsa.misc.event_desc | This key is used to capture a description of an event available directly or inferred | keyword | -| rsa.misc.event_id | | keyword | -| rsa.misc.event_log | This key captures the Name of the event log | keyword | -| rsa.misc.event_source | This key captures Source of the event that’s not a hostname | keyword | -| rsa.misc.event_state | This key captures the current state of the object/item referenced within the event. Describing an on-going event. | keyword | -| rsa.misc.event_type | This key captures the event category type as specified by the event source. | keyword | -| rsa.misc.event_user | This key is a windows only concept, where this key is used to capture combination of domain name and username in a windows log. | keyword | -| rsa.misc.expected_val | This key captures the Value expected (from the perspective of the device generating the log). 
| keyword | -| rsa.misc.facility | | keyword | -| rsa.misc.facilityname | | keyword | -| rsa.misc.fcatnum | This key captures Filter Category Number. Legacy Usage | keyword | -| rsa.misc.filter | This key captures Filter used to reduce result set | keyword | -| rsa.misc.finterface | | keyword | -| rsa.misc.flags | | keyword | -| rsa.misc.forensic_info | | keyword | -| rsa.misc.found | This is used to capture the results of regex match | keyword | -| rsa.misc.fresult | This key captures the Filter Result | long | -| rsa.misc.gaddr | | keyword | -| rsa.misc.group | This key captures the Group Name value | keyword | -| rsa.misc.group_id | This key captures Group ID Number (related to the group name) | keyword | -| rsa.misc.group_object | This key captures a collection/grouping of entities. Specific usage | keyword | -| rsa.misc.hardware_id | This key is used to capture unique identifier for a device or system (NOT a Mac address) | keyword | -| rsa.misc.id3 | | keyword | -| rsa.misc.im_buddyid | | keyword | -| rsa.misc.im_buddyname | | keyword | -| rsa.misc.im_client | | keyword | -| rsa.misc.im_croomid | | keyword | -| rsa.misc.im_croomtype | | keyword | -| rsa.misc.im_members | | keyword | -| rsa.misc.im_userid | | keyword | -| rsa.misc.im_username | | keyword | -| rsa.misc.index | | keyword | -| rsa.misc.inout | | keyword | -| rsa.misc.ipkt | | keyword | -| rsa.misc.ipscat | | keyword | -| rsa.misc.ipspri | | keyword | -| rsa.misc.job_num | This key captures the Job Number | keyword | -| rsa.misc.jobname | | keyword | -| rsa.misc.language | This is used to capture list of languages the client support and what it prefers | keyword | -| rsa.misc.latitude | | keyword | -| rsa.misc.library | This key is used to capture library information in mainframe devices | keyword | -| rsa.misc.lifetime | This key is used to capture the session lifetime in seconds. | long | -| rsa.misc.linenum | | keyword | -| rsa.misc.link | This key is used to link the sessions together. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | -| rsa.misc.list_name | | keyword | -| rsa.misc.listnum | This key is used to capture listname or listnumber, primarily for collecting access-list | keyword | -| rsa.misc.load_data | | keyword | -| rsa.misc.location_floor | | keyword | -| rsa.misc.location_mark | | keyword | -| rsa.misc.log_id | | keyword | -| rsa.misc.log_session_id | This key is used to capture a sessionid from the session directly | keyword | -| rsa.misc.log_session_id1 | This key is used to capture a Linked (Related) Session ID from the session directly | keyword | -| rsa.misc.log_type | | keyword | -| rsa.misc.logid | | keyword | -| rsa.misc.logip | | keyword | -| rsa.misc.logname | | keyword | -| rsa.misc.longitude | | keyword | -| rsa.misc.lport | | keyword | -| rsa.misc.mail_id | This key is used to capture the mailbox id/name | keyword | -| rsa.misc.match | This key is for regex match name from search.ini | keyword | -| rsa.misc.mbug_data | | keyword | -| rsa.misc.message_body | This key captures the The contents of the message body. | keyword | -| rsa.misc.misc | | keyword | -| rsa.misc.misc_name | | keyword | -| rsa.misc.mode | | keyword | -| rsa.misc.msgIdPart1 | | keyword | -| rsa.misc.msgIdPart2 | | keyword | -| rsa.misc.msgIdPart3 | | keyword | -| rsa.misc.msgIdPart4 | | keyword | -| rsa.misc.msg_type | | keyword | -| rsa.misc.msgid | | keyword | -| rsa.misc.name | | keyword | -| rsa.misc.netsessid | | keyword | -| rsa.misc.node | Common use case is the node name within a cluster. The cluster name is reflected by the host name. 
| keyword | -| rsa.misc.ntype | | keyword | -| rsa.misc.num | | keyword | -| rsa.misc.number | | keyword | -| rsa.misc.number1 | | keyword | -| rsa.misc.number2 | | keyword | -| rsa.misc.nwwn | | keyword | -| rsa.misc.obj_name | This is used to capture name of object | keyword | -| rsa.misc.obj_type | This is used to capture type of object | keyword | -| rsa.misc.object | | keyword | -| rsa.misc.observed_val | This key captures the Value observed (from the perspective of the device generating the log). | keyword | -| rsa.misc.operation | | keyword | -| rsa.misc.operation_id | An alert number or operation number. The values should be unique and non-repeating. | keyword | -| rsa.misc.opkt | | keyword | -| rsa.misc.orig_from | | keyword | -| rsa.misc.owner_id | | keyword | -| rsa.misc.p_action | | keyword | -| rsa.misc.p_filter | | keyword | -| rsa.misc.p_group_object | | keyword | -| rsa.misc.p_id | | keyword | -| rsa.misc.p_msgid | | keyword | -| rsa.misc.p_msgid1 | | keyword | -| rsa.misc.p_msgid2 | | keyword | -| rsa.misc.p_result1 | | keyword | -| rsa.misc.param | This key is the parameters passed as part of a command or application, etc. | keyword | -| rsa.misc.param_dst | This key captures the command line/launch argument of the target process or file | keyword | -| rsa.misc.param_src | This key captures source parameter | keyword | -| rsa.misc.parent_node | This key captures the Parent Node Name. Must be related to node variable. 
| keyword | -| rsa.misc.password_chg | | keyword | -| rsa.misc.password_expire | | keyword | -| rsa.misc.payload_dst | This key is used to capture destination payload | keyword | -| rsa.misc.payload_src | This key is used to capture source payload | keyword | -| rsa.misc.permgranted | | keyword | -| rsa.misc.permwanted | | keyword | -| rsa.misc.pgid | | keyword | -| rsa.misc.phone | | keyword | -| rsa.misc.pid | | keyword | -| rsa.misc.policy | | keyword | -| rsa.misc.policyUUID | | keyword | -| rsa.misc.policy_id | This key is used to capture the Policy ID only, this should be a numeric value, use policy.name otherwise | keyword | -| rsa.misc.policy_name | This key is used to capture the Policy Name only. | keyword | -| rsa.misc.policy_value | This key captures the contents of the policy. This contains details about the policy | keyword | -| rsa.misc.policy_waiver | | keyword | -| rsa.misc.pool_id | This key captures the identifier (typically numeric field) of a resource pool | keyword | -| rsa.misc.pool_name | This key captures the name of a resource pool | keyword | -| rsa.misc.port_name | This key is used for Physical or logical port connection but does NOT include a network port. (Example: Printer port name). | keyword | -| rsa.misc.priority | | keyword | -| rsa.misc.process_id_val | This key is a failure key for Process ID when it is not an integer value | keyword | -| rsa.misc.prog_asp_num | | keyword | -| rsa.misc.program | | keyword | -| rsa.misc.real_data | | keyword | -| rsa.misc.reason | | keyword | -| rsa.misc.rec_asp_device | | keyword | -| rsa.misc.rec_asp_num | | keyword | -| rsa.misc.rec_library | | keyword | -| rsa.misc.recordnum | | keyword | -| rsa.misc.reference_id | This key is used to capture an event id from the session directly | keyword | -| rsa.misc.reference_id1 | This key is for Linked ID to be used as an addition to "reference.id" | keyword | -| rsa.misc.reference_id2 | This key is for the 2nd Linked ID. 
Can be either linked to "reference.id" or "reference.id1" value but should not be used unless the other two variables are in play. | keyword | -| rsa.misc.result | This key is used to capture the outcome/result string value of an action in a session. | keyword | -| rsa.misc.result_code | This key is used to capture the outcome/result numeric value of an action in a session | keyword | -| rsa.misc.risk | This key captures the non-numeric risk value | keyword | -| rsa.misc.risk_info | Deprecated, use New Hunting Model (inv.\*, ioc, boc, eoc, analysis.\*) | keyword | -| rsa.misc.risk_num | This key captures a Numeric Risk value | double | -| rsa.misc.risk_num_comm | This key captures Risk Number Community | double | -| rsa.misc.risk_num_next | This key captures Risk Number NextGen | double | -| rsa.misc.risk_num_sand | This key captures Risk Number SandBox | double | -| rsa.misc.risk_num_static | This key captures Risk Number Static | double | -| rsa.misc.risk_suspicious | Deprecated, use New Hunting Model (inv.\*, ioc, boc, eoc, analysis.\*) | keyword | -| rsa.misc.risk_warning | Deprecated, use New Hunting Model (inv.\*, ioc, boc, eoc, analysis.\*) | keyword | -| rsa.misc.ruid | | keyword | -| rsa.misc.rule | This key captures the Rule number | keyword | -| rsa.misc.rule_group | This key captures the Rule group name | keyword | -| rsa.misc.rule_name | This key captures the Rule Name | keyword | -| rsa.misc.rule_template | A default set of parameters which are overlayed onto a rule (or rulename) which efffectively constitutes a template | keyword | -| rsa.misc.rule_uid | This key is the Unique Identifier for a rule. | keyword | -| rsa.misc.sburb | | keyword | -| rsa.misc.sdomain_fld | | keyword | -| rsa.misc.search_text | This key captures the Search Text used | keyword | -| rsa.misc.sec | | keyword | -| rsa.misc.second | | keyword | -| rsa.misc.sensor | This key captures Name of the sensor. 
Typically used in IDS/IPS based devices | keyword | -| rsa.misc.sensorname | | keyword | -| rsa.misc.seqnum | | keyword | -| rsa.misc.serial_number | This key is the Serial number associated with a physical asset. | keyword | -| rsa.misc.session | | keyword | -| rsa.misc.sessiontype | | keyword | -| rsa.misc.severity | This key is used to capture the severity given the session | keyword | -| rsa.misc.sigUUID | | keyword | -| rsa.misc.sig_id | This key captures IDS/IPS Int Signature ID | long | -| rsa.misc.sig_id1 | This key captures IDS/IPS Int Signature ID. This must be linked to the sig.id | long | -| rsa.misc.sig_id_str | This key captures a string object of the sigid variable. | keyword | -| rsa.misc.sig_name | This key is used to capture the Signature Name only. | keyword | -| rsa.misc.sigcat | | keyword | -| rsa.misc.snmp_oid | SNMP Object Identifier | keyword | -| rsa.misc.snmp_value | SNMP set request value | keyword | -| rsa.misc.space | | keyword | -| rsa.misc.space1 | | keyword | -| rsa.misc.spi | | keyword | -| rsa.misc.spi_dst | Destination SPI Index | keyword | -| rsa.misc.spi_src | Source SPI Index | keyword | -| rsa.misc.sql | This key captures the SQL query | keyword | -| rsa.misc.srcburb | | keyword | -| rsa.misc.srcdom | | keyword | -| rsa.misc.srcservice | | keyword | -| rsa.misc.state | | keyword | -| rsa.misc.status | | keyword | -| rsa.misc.status1 | | keyword | -| rsa.misc.streams | This key captures number of streams in session | long | -| rsa.misc.subcategory | | keyword | -| rsa.misc.svcno | | keyword | -| rsa.misc.system | | keyword | -| rsa.misc.tbdstr1 | | keyword | -| rsa.misc.tbdstr2 | | keyword | -| rsa.misc.tcp_flags | This key is captures the TCP flags set in any packet of session | long | -| rsa.misc.terminal | This key captures the Terminal Names only | keyword | -| rsa.misc.tgtdom | | keyword | -| rsa.misc.tgtdomain | | keyword | -| rsa.misc.threshold | | keyword | -| rsa.misc.tos | This key describes the type of service | long 
| -| rsa.misc.trigger_desc | This key captures the Description of the trigger or threshold condition. | keyword | -| rsa.misc.trigger_val | This key captures the Value of the trigger or threshold condition. | keyword | -| rsa.misc.type | | keyword | -| rsa.misc.type1 | | keyword | -| rsa.misc.udb_class | | keyword | -| rsa.misc.url_fld | | keyword | -| rsa.misc.user_div | | keyword | -| rsa.misc.userid | | keyword | -| rsa.misc.username_fld | | keyword | -| rsa.misc.utcstamp | | keyword | -| rsa.misc.v_instafname | | keyword | -| rsa.misc.version | This key captures Version of the application or OS which is generating the event. | keyword | -| rsa.misc.virt_data | | keyword | -| rsa.misc.virusname | This key captures the name of the virus | keyword | -| rsa.misc.vm_target | VMWare Target \*\*VMWARE\*\* only varaible. | keyword | -| rsa.misc.vpnid | | keyword | -| rsa.misc.vsys | This key captures Virtual System Name | keyword | -| rsa.misc.vuln_ref | This key captures the Vulnerability Reference details | keyword | -| rsa.misc.workspace | This key captures Workspace Description | keyword | -| rsa.network.ad_computer_dst | Deprecated, use host.dst | keyword | -| rsa.network.addr | | keyword | -| rsa.network.alias_host | This key should be used when the source or destination context of a hostname is not clear.Also it captures the Device Hostname. Any Hostname that isnt ad.computer. 
| keyword | -| rsa.network.dinterface | This key should only be used when it’s a Destination Interface | keyword | -| rsa.network.dmask | This key is used for Destionation Device network mask | keyword | -| rsa.network.dns_a_record | | keyword | -| rsa.network.dns_cname_record | | keyword | -| rsa.network.dns_id | | keyword | -| rsa.network.dns_opcode | | keyword | -| rsa.network.dns_ptr_record | | keyword | -| rsa.network.dns_resp | | keyword | -| rsa.network.dns_type | | keyword | -| rsa.network.domain | | keyword | -| rsa.network.domain1 | | keyword | -| rsa.network.eth_host | Deprecated, use alias.mac | keyword | -| rsa.network.eth_type | This key is used to capture Ethernet Type, Used for Layer 3 Protocols Only | long | -| rsa.network.faddr | | keyword | -| rsa.network.fhost | | keyword | -| rsa.network.fport | | keyword | -| rsa.network.gateway | This key is used to capture the IP Address of the gateway | keyword | -| rsa.network.host_dst | This key should only be used when it’s a Destination Hostname | keyword | -| rsa.network.host_orig | This is used to capture the original hostname in case of a Forwarding Agent or a Proxy in between. | keyword | -| rsa.network.host_type | | keyword | -| rsa.network.icmp_code | This key is used to capture the ICMP code only | long | -| rsa.network.icmp_type | This key is used to capture the ICMP type only | long | -| rsa.network.interface | This key should be used when the source or destination context of an interface is not clear | keyword | -| rsa.network.ip_proto | This key should be used to capture the Protocol number, all the protocol nubers are converted into string in UI | long | -| rsa.network.laddr | | keyword | -| rsa.network.lhost | | keyword | -| rsa.network.linterface | | keyword | -| rsa.network.mask | This key is used to capture the device network IPmask. | keyword | -| rsa.network.netname | This key is used to capture the network name associated with an IP range. This is configured by the end user. 
| keyword | -| rsa.network.network_port | Deprecated, use port. NOTE: There is a type discrepancy as currently used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!) | long | -| rsa.network.network_service | This is used to capture layer 7 protocols/service names | keyword | -| rsa.network.origin | | keyword | -| rsa.network.packet_length | | keyword | -| rsa.network.paddr | Deprecated | ip | -| rsa.network.phost | | keyword | -| rsa.network.port | This key should only be used to capture a Network Port when the directionality is not clear | long | -| rsa.network.protocol_detail | This key should be used to capture additional protocol information | keyword | -| rsa.network.remote_domain_id | | keyword | -| rsa.network.rpayload | This key is used to capture the total number of payload bytes seen in the retransmitted packets. | keyword | -| rsa.network.sinterface | This key should only be used when it’s a Source Interface | keyword | -| rsa.network.smask | This key is used for capturing source Network Mask | keyword | -| rsa.network.vlan | This key should only be used to capture the ID of the Virtual LAN | long | -| rsa.network.vlan_name | This key should only be used to capture the name of the Virtual LAN | keyword | -| rsa.network.zone | This key should be used when the source or destination context of a Zone is not clear | keyword | -| rsa.network.zone_dst | This key should only be used when it’s a Destination Zone. | keyword | -| rsa.network.zone_src | This key should only be used when it’s a Source Zone. | keyword | -| rsa.physical.org_dst | This is used to capture the destination organization based on the GEOPIP Maxmind database. | keyword | -| rsa.physical.org_src | This is used to capture the source organization based on the GEOPIP Maxmind database. 
| keyword | -| rsa.storage.disk_volume | A unique name assigned to logical units (volumes) within a physical disk | keyword | -| rsa.storage.lun | Logical Unit Number.This key is a very useful concept in Storage. | keyword | -| rsa.storage.pwwn | This uniquely identifies a port on a HBA. | keyword | -| rsa.threat.alert | This key is used to capture name of the alert | keyword | -| rsa.threat.threat_category | This key captures Threat Name/Threat Category/Categorization of alert | keyword | -| rsa.threat.threat_desc | This key is used to capture the threat description from the session directly or inferred | keyword | -| rsa.threat.threat_source | This key is used to capture source of the threat | keyword | -| rsa.time.date | | keyword | -| rsa.time.datetime | | keyword | -| rsa.time.day | | keyword | -| rsa.time.duration_str | A text string version of the duration | keyword | -| rsa.time.duration_time | This key is used to capture the normalized duration/lifetime in seconds. | double | -| rsa.time.effective_time | This key is the effective time referenced by an individual event in a Standard Timestamp format | date | -| rsa.time.endtime | This key is used to capture the End time mentioned in a session in a standard form | date | -| rsa.time.event_queue_time | This key is the Time that the event was queued. | date | -| rsa.time.event_time | This key is used to capture the time mentioned in a raw session that represents the actual time an event occured in a standard normalized form | date | -| rsa.time.event_time_str | This key is used to capture the incomplete time mentioned in a session as a string | keyword | -| rsa.time.eventtime | | keyword | -| rsa.time.expire_time | This key is the timestamp that explicitly refers to an expiration. | date | -| rsa.time.expire_time_str | This key is used to capture incomplete timestamp that explicitly refers to an expiration. 
| keyword | -| rsa.time.gmtdate | | keyword | -| rsa.time.gmttime | | keyword | -| rsa.time.hour | | keyword | -| rsa.time.min | | keyword | -| rsa.time.month | | keyword | -| rsa.time.p_date | | keyword | -| rsa.time.p_month | | keyword | -| rsa.time.p_time | | keyword | -| rsa.time.p_time1 | | keyword | -| rsa.time.p_time2 | | keyword | -| rsa.time.p_year | | keyword | -| rsa.time.process_time | Deprecated, use duration.time | keyword | -| rsa.time.recorded_time | The event time as recorded by the system the event is collected from. The usage scenario is a multi-tier application where the management layer of the system records it's own timestamp at the time of collection from its child nodes. Must be in timestamp format. | date | -| rsa.time.stamp | Deprecated key defined only in table map. | date | -| rsa.time.starttime | This key is used to capture the Start time mentioned in a session in a standard form | date | -| rsa.time.timestamp | | keyword | -| rsa.time.timezone | This key is used to capture the timezone of the Event Time | keyword | -| rsa.time.tzone | | keyword | -| rsa.time.year | | keyword | -| rsa.web.alias_host | | keyword | -| rsa.web.cn_asn_dst | | keyword | -| rsa.web.cn_rpackets | | keyword | -| rsa.web.fqdn | Fully Qualified Domain Names | keyword | -| rsa.web.p_url | | keyword | -| rsa.web.p_user_agent | | keyword | -| rsa.web.p_web_cookie | | keyword | -| rsa.web.p_web_method | | keyword | -| rsa.web.p_web_referer | | keyword | -| rsa.web.remote_domain | | keyword | -| rsa.web.reputation_num | Reputation Number of an entity. Typically used for Web Domains | double | -| rsa.web.urlpage | | keyword | -| rsa.web.urlroot | | keyword | -| rsa.web.web_cookie | This key is used to capture the Web cookies specifically. 
| keyword | -| rsa.web.web_extension_tmp | | keyword | -| rsa.web.web_page | | keyword | -| rsa.web.web_ref_domain | Web referer's domain | keyword | -| rsa.web.web_ref_page | This key captures Web referer's page information | keyword | -| rsa.web.web_ref_query | This key captures Web referer's query portion of the URL | keyword | -| rsa.web.web_ref_root | Web referer's root URL path | keyword | -| rsa.wireless.access_point | This key is used to capture the access point name. | keyword | -| rsa.wireless.wlan_channel | This is used to capture the channel names | long | -| rsa.wireless.wlan_name | This key captures either WLAN number/name | keyword | -| rsa.wireless.wlan_ssid | This key is used to capture the ssid of a Wireless Session | keyword | -| rule.name | The name of the rule or signature generating the event. | keyword | -| server.domain | The domain name of the server system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | -| server.registered_domain | The highest registered server domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | -| server.subdomain | The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". 
If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword | -| server.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | -| service.name | Name of the service data is collected from. The name of the service is normally user given. This allows for distributed services that run on multiple hosts to correlate the related instances based on the name. In the case of Elasticsearch the `service.name` could contain the cluster name. For Beats the `service.name` is by default a copy of the `service.type` field if no name is specified. | keyword | -| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| source.as.organization.name | Organization name. | keyword | -| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text | -| source.bytes | Bytes sent from the source to the destination. | long | -| source.domain | The domain name of the source system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | -| source.geo.city_name | City name. 
| keyword | -| source.geo.country_name | Country name. | keyword | -| source.geo.location | Longitude and latitude. | geo_point | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| source.mac | MAC address of the source. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | -| source.nat.ip | Translated ip of source based NAT sessions (e.g. internal client to internet) Typically connections traversing load balancers, firewalls, or routers. | ip | -| source.nat.port | Translated port of source based NAT sessions. (e.g. internal client to internet) Typically used with load balancers, firewalls, or routers. | long | -| source.port | Port of the source. | long | -| source.registered_domain | The highest registered source domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | -| source.subdomain | The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword | -| source.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. 
For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | -| tags | List of keywords used to tag each event. | keyword | -| url.domain | Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. | keyword | -| url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | wildcard | -| url.original.text | Multi-field of `url.original`. | match_only_text | -| url.path | Path of the request, such as "/search". | wildcard | -| url.query | The query field describes the query string of the request, such as "q=elasticsearch". The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. | keyword | -| url.registered_domain | The highest registered url domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". 
| keyword | -| url.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | -| user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword | -| user.full_name | User's full name, if available. | keyword | -| user.full_name.text | Multi-field of `user.full_name`. | match_only_text | -| user.id | Unique identifier of the user. | keyword | -| user.name | Short name or login of the user. | keyword | -| user.name.text | Multi-field of `user.name`. | match_only_text | -| user_agent.original | Unparsed user_agent string. | keyword | -| user_agent.original.text | Multi-field of `user_agent.original`. | match_only_text | - - -### XG log - -This is the Sophos `xg` dataset. Reference information about the log formats -can be found in the [Sophos syslog guide]( -https://docs.sophos.com/nsg/sophos-firewall/18.5/PDF/SF%20syslog%20guide%2018.5.pdf). 
- -An example event for `xg` looks as following: - -```json -{ - "@timestamp": "2016-12-02T18:50:20.000Z", - "agent": { - "ephemeral_id": "b1eb8b45-bca7-40b1-b2f4-9d5c87e449bc", - "id": "dee3c982-4bd2-4c06-b207-fe0ce9ef19c5", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "8.1.2" - }, - "data_stream": { - "dataset": "sophos.xg", - "namespace": "ep", - "type": "logs" - }, - "ecs": { - "version": "8.3.0" - }, - "elastic_agent": { - "id": "dee3c982-4bd2-4c06-b207-fe0ce9ef19c5", - "snapshot": false, - "version": "8.1.2" - }, - "event": { - "action": "alert", - "agent_id_status": "verified", - "category": [ - "network" - ], - "code": "16010", - "dataset": "sophos.xg", - "ingested": "2022-04-20T20:13:02Z", - "kind": "event", - "outcome": "success", - "severity": 1, - "timezone": "+00:00" - }, - "host": { - "name": "XG230" - }, - "input": { - "type": "udp" - }, - "log": { - "level": "alert", - "source": { - "address": "172.31.0.8:48162" - } - }, - "observer": { - "product": "XG", - "serial_number": "1234567890123456", - "type": "firewall", - "vendor": "Sophos" - }, - "related": { - "hosts": [ - "XG230" - ], - "ip": [ - "10.108.108.49" - ] - }, - "sophos": { - "xg": { - "action": "Deny", - "context_match": "Not", - "context_prefix": "blah blah hello ", - "context_suffix": " hello blah ", - "device": "SFW", - "device_name": "SF01V", - "dictionary_name": "complicated_Custom", - "direction": "in", - "file_name": "cgi_echo.pl", - "log_component": "Web Content Policy", - "log_id": "058420116010", - "log_subtype": "Alert", - "log_type": "Content Filtering", - "site_category": "Information Technology", - "transaction_id": "e4a127f7-a850-477c-920e-a471b38727c1", - "user": "gi123456", - "website": "ta-web-static-testing.qa. astaro.de" - } - }, - "source": { - "ip": "10.108.108.49" - }, - "tags": [ - "sophos-xg", - "forwarded" - ] -} -``` - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. 
| date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| destination.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| destination.as.organization.name | Organization name. | keyword | -| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. | match_only_text | -| destination.bytes | Bytes sent from the destination to the source. | long | -| destination.domain | The domain name of the destination system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | -| destination.geo.city_name | City name. 
| keyword | -| destination.geo.continent_name | Name of the continent. | keyword | -| destination.geo.country_iso_code | Country ISO code. | keyword | -| destination.geo.country_name | Country name. | keyword | -| destination.geo.location | Longitude and latitude. | geo_point | -| destination.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | -| destination.geo.region_iso_code | Region ISO code. | keyword | -| destination.geo.region_name | Region name. | keyword | -| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | -| destination.mac | MAC address of the destination. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | -| destination.nat.ip | Translated ip of destination based NAT sessions (e.g. internet to private DMZ) Typically used with load balancers, firewalls, or routers. | ip | -| destination.nat.port | Port the source session is translated to by NAT Device. Typically used with load balancers, firewalls, or routers. | long | -| destination.packets | Packets sent from the destination to the source. | long | -| destination.port | Port of the destination. | long | -| destination.user.email | User email address. | keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| email.from.address | The email address of the sender, typically from the RFC 5322 `From:` header field. 
| keyword | -| email.subject | A brief summary of the topic of the message. | keyword | -| email.subject.text | Multi-field of `email.subject`. | match_only_text | -| email.to.address | The email address of recipient | keyword | -| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.code | Identification code for this event, if one exists. Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. | keyword | -| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | -| event.dataset | Event dataset | constant_keyword | -| event.duration | Duration of the event in nanoseconds. 
If event.start and event.end are known this value should be the difference between the end and start time. | long | -| event.end | event.end contains the date when the event ended or when the activity was last observed. | date | -| event.hash | Hash (perhaps logstash fingerprint) of raw field to be able to demonstrate log integrity. | keyword | -| event.id | Unique ID to describe the event. | keyword | -| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | -| event.module | Event module | constant_keyword | -| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. 
| keyword | -| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | -| event.provider | Source of the event. Event transports such as Syslog or the Windows Event Log typically mention the source of an event. It can be the name of the software that generated the event (e.g. Sysmon, httpd), or of a subsystem of the operating system (kernel, Microsoft-Windows-Security-Auditing). | keyword | -| event.reason | Reason why this event happened, according to the source. This describes the why of a particular action or outcome captured in the event. Where `event.action` captures the action from the event, `event.reason` describes why that action was taken. For example, a web proxy with an `event.action` which denied the request may also populate `event.reason` with the reason why (e.g. `blocked site`). | keyword | -| event.sequence | Sequence number of the event. The sequence number is a value published by some event sources, to make the exact ordering of events unambiguous, regardless of the timestamp precision. | long | -| event.severity | The numeric severity of the event according to your event source. 
What the different severity values mean can be different between sources and use cases. It's up to the implementer to make sure severities are consistent across events from the same source. The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`. | long | -| event.start | event.start contains the date when the event started or when the activity was first observed. | date | -| event.timezone | This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). | keyword | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | -| file.directory | Directory where the file is located. It should include the drive letter, when appropriate. | keyword | -| file.extension | File extension, excluding the leading dot. Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword | -| file.hash.md5 | MD5 hash. | keyword | -| file.hash.sha1 | SHA1 hash. | keyword | -| file.hash.sha256 | SHA256 hash. | keyword | -| file.hash.sha512 | SHA512 hash. 
| keyword | -| file.mime_type | MIME type should identify the format of the file or stream of bytes using https://www.iana.org/assignments/media-types/media-types.xhtml[IANA official types], where possible. When more than one type is applicable, the most specific type should be used. | keyword | -| file.name | Name of the file including the extension, without the directory. | keyword | -| file.size | File size in bytes. Only relevant when `file.type` is "file". | long | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). 
| keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| http.request.method | HTTP request method. The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field. | keyword | -| http.request.referrer | Referrer for this HTTP request. | keyword | -| http.response.status_code | HTTP response status code. | long | -| http.version | HTTP version. | keyword | -| input.type | Input type | keyword | -| log.file.path | Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. | keyword | -| log.level | Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). Some examples are `warn`, `err`, `i`, `informational`. | keyword | -| log.logger | The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. | keyword | -| log.offset | Log offset | long | -| log.source.address | | keyword | -| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | -| network.bytes | Total bytes transferred in both directions. 
If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long | -| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword | -| network.direction | Direction of the network traffic. When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword | -| network.packets | Total packets transferred in both directions. If `source.packets` and `destination.packets` are known, `network.packets` is their sum. | long | -| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword | -| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword | -| observer.egress.interface.name | Interface name as reported by the system. | keyword | -| observer.egress.zone | Network zone of outbound traffic as reported by the observer to categorize the destination area of egress traffic, e.g. Internal, External, DMZ, HR, Legal, etc. | keyword | -| observer.hostname | Hostname of the observer. 
| keyword | -| observer.ingress.interface.name | Interface name as reported by the system. | keyword | -| observer.ingress.zone | Network zone of incoming traffic as reported by the observer to categorize the source area of ingress traffic. e.g. internal, External, DMZ, HR, Legal, etc. | keyword | -| observer.product | The product name of the observer. | keyword | -| observer.serial_number | Observer serial number. | keyword | -| observer.type | The type of the observer the data is coming from. There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. | keyword | -| observer.vendor | Vendor name of the observer. | keyword | -| related.hash | All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). | keyword | -| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| related.user | All the user names or other user identifiers seen on the event. | keyword | -| rule.category | A categorization value keyword used by the entity using the rule for detection of this event. | keyword | -| rule.id | A rule ID that is unique within the scope of an agent, observer, or other entity using the rule for detection of this event. | keyword | -| rule.name | The name of the rule or signature generating the event. | keyword | -| rule.ruleset | Name of the ruleset, policy, group, or parent category in which the rule used to generate this event is a member. | keyword | -| sophos.xg.action | Event Action | keyword | -| sophos.xg.activityname | Web policy activity that matched and caused the policy result. 
| keyword | -| sophos.xg.ap | Access Point Serial ID or LocalWifi0 or LocalWifi1. | keyword | -| sophos.xg.app_category | Name of the category under which application falls | keyword | -| sophos.xg.app_filter_policy_id | Application filter policy ID applied on the traffic | keyword | -| sophos.xg.app_is_cloud | Application is Cloud | keyword | -| sophos.xg.app_name | Application name | keyword | -| sophos.xg.app_resolved_by | Application is resolved by signature or synchronized application | keyword | -| sophos.xg.app_risk | Risk level assigned to the application | keyword | -| sophos.xg.app_technology | Technology of the application | keyword | -| sophos.xg.appfilter_policy_id | Application Filter policy applied on the traffic | integer | -| sophos.xg.application | Application name | keyword | -| sophos.xg.application_category | Application is resolved by signature or synchronized application | keyword | -| sophos.xg.application_filter_policy | Application Filter policy applied on the traffic | integer | -| sophos.xg.application_name | Application name | keyword | -| sophos.xg.application_risk | Risk level assigned to the application | keyword | -| sophos.xg.application_technology | Technology of the application | keyword | -| sophos.xg.appresolvedby | Technology of the application | keyword | -| sophos.xg.auth_client | Auth Client | keyword | -| sophos.xg.auth_mechanism | Auth mechanism | keyword | -| sophos.xg.av_policy_name | Malware scanning policy name which is applied on the traffic | keyword | -| sophos.xg.backup_mode | Backup mode | keyword | -| sophos.xg.branch_name | Branch Name | keyword | -| sophos.xg.category | IPS signature category. 
| keyword | -| sophos.xg.category_type | Type of category under which website falls | keyword | -| sophos.xg.classification | Signature classification | keyword | -| sophos.xg.client_host_name | Client host name | keyword | -| sophos.xg.client_physical_address | Client physical address | keyword | -| sophos.xg.clients_conn_ssid | Number of client connected to the SSID. | long | -| sophos.xg.collisions | collisions | long | -| sophos.xg.con_event | Event Start/Stop | keyword | -| sophos.xg.con_id | Unique identifier of connection | integer | -| sophos.xg.configuration | Configuration | float | -| sophos.xg.conn_id | Unique identifier of connection | integer | -| sophos.xg.connectionname | Connectionname | keyword | -| sophos.xg.connectiontype | Connectiontype | keyword | -| sophos.xg.connevent | Event on which this log is generated | keyword | -| sophos.xg.connid | Connection ID | keyword | -| sophos.xg.content_type | Type of the content | keyword | -| sophos.xg.contenttype | Type of the content | keyword | -| sophos.xg.context_match | Context Match | keyword | -| sophos.xg.context_prefix | Content Prefix | keyword | -| sophos.xg.context_suffix | Context Suffix | keyword | -| sophos.xg.cookie | cookie | keyword | -| sophos.xg.date | Date (yyyy-mm-dd) when the event occurred | date | -| sophos.xg.destinationip | Original destination IP address of traffic | ip | -| sophos.xg.device | device | keyword | -| sophos.xg.device_id | Serial number of the device | keyword | -| sophos.xg.device_model | Model number of the device | keyword | -| sophos.xg.device_name | Model number of the device | keyword | -| sophos.xg.dictionary_name | Dictionary Name | keyword | -| sophos.xg.dir_disp | TPacket direction. 
Possible values:“org”, “reply”, “” | keyword | -| sophos.xg.direction | Direction | keyword | -| sophos.xg.domainname | Domain from which virus was downloaded | keyword | -| sophos.xg.download_file_name | Download file name | keyword | -| sophos.xg.download_file_type | Download file type | keyword | -| sophos.xg.dst_country_code | Code of the country to which the destination IP belongs | keyword | -| sophos.xg.dst_domainname | Receiver domain name | keyword | -| sophos.xg.dst_ip | Original destination IP address of traffic | ip | -| sophos.xg.dst_port | Original destination port of TCP and UDP traffic | integer | -| sophos.xg.dst_zone_type | Type of destination zone | keyword | -| sophos.xg.dstdomain | Destination Domain | keyword | -| sophos.xg.duration | Durability of traffic (seconds) | long | -| sophos.xg.email_subject | Email Subject | keyword | -| sophos.xg.ep_uuid | Endpoint UUID | keyword | -| sophos.xg.ether_type | ethernet frame type | keyword | -| sophos.xg.eventid | ATP Evenet ID | keyword | -| sophos.xg.eventtime | Event time | date | -| sophos.xg.eventtype | ATP event type | keyword | -| sophos.xg.exceptions | List of the checks excluded by web exceptions. 
| keyword | -| sophos.xg.execution_path | ATP execution path | keyword | -| sophos.xg.extra | extra | keyword | -| sophos.xg.file_name | Filename | keyword | -| sophos.xg.file_path | File path | keyword | -| sophos.xg.file_size | File Size | integer | -| sophos.xg.filename | File name associated with the event | keyword | -| sophos.xg.filepath | Path of the file containing virus | keyword | -| sophos.xg.filesize | Size of the file that contained virus | integer | -| sophos.xg.free | free | integer | -| sophos.xg.from_email_address | Sender email address | keyword | -| sophos.xg.ftp_direction | Direction of FTP transfer: Upload or Download | keyword | -| sophos.xg.ftp_url | FTP URL from which virus was downloaded | keyword | -| sophos.xg.ftpcommand | FTP command used when virus was found | keyword | -| sophos.xg.fw_rule_id | Firewall Rule ID which is applied on the traffic | integer | -| sophos.xg.fw_rule_type | Firewall rule type which is applied on the traffic | keyword | -| sophos.xg.hb_health | Heartbeat status | keyword | -| sophos.xg.hb_status | Heartbeat status | keyword | -| sophos.xg.host | Host | keyword | -| sophos.xg.http_category | HTTP Category | keyword | -| sophos.xg.http_category_type | HTTP Category Type | keyword | -| sophos.xg.httpresponsecode | code of HTTP response | long | -| sophos.xg.iap | Internet Access policy ID applied on the traffic | keyword | -| sophos.xg.icmp_code | ICMP code of ICMP traffic | keyword | -| sophos.xg.icmp_type | ICMP type of ICMP traffic | keyword | -| sophos.xg.idle_cpu | idle ## | float | -| sophos.xg.idp_policy_id | IPS policy ID which is applied on the traffic | integer | -| sophos.xg.idp_policy_name | IPS policy name i.e. 
IPS policy name which is applied on the traffic | keyword | -| sophos.xg.in_interface | Interface for incoming traffic, e.g., Port A | keyword | -| sophos.xg.interface | interface | keyword | -| sophos.xg.ipaddress | Ipaddress | keyword | -| sophos.xg.ips_policy_id | IPS policy ID applied on the traffic | integer | -| sophos.xg.lease_time | Lease Time | keyword | -| sophos.xg.localgateway | Localgateway | keyword | -| sophos.xg.localnetwork | Localnetwork | keyword | -| sophos.xg.log_component | Component responsible for logging e.g. Firewall rule | keyword | -| sophos.xg.log_id | Unique 12 characters code (0101011) | keyword | -| sophos.xg.log_subtype | Sub type of event | keyword | -| sophos.xg.log_type | Type of event e.g. firewall event | keyword | -| sophos.xg.log_version | Log Version | keyword | -| sophos.xg.login_user | ATP login user | keyword | -| sophos.xg.mailid | mailid | keyword | -| sophos.xg.mailsize | mailsize | integer | -| sophos.xg.message | Message | keyword | -| sophos.xg.mode | Mode | keyword | -| sophos.xg.nat_rule_id | NAT Rule ID | keyword | -| sophos.xg.newversion | Newversion | keyword | -| sophos.xg.oldversion | Oldversion | keyword | -| sophos.xg.out_interface | Interface for outgoing traffic, e.g., Port B | keyword | -| sophos.xg.override_authorizer | Override authorizer | keyword | -| sophos.xg.override_name | Override name | keyword | -| sophos.xg.override_token | Override token | keyword | -| sophos.xg.phpsessid | PHP session ID | keyword | -| sophos.xg.platform | Platform of the traffic. 
| keyword | -| sophos.xg.policy_type | Policy type applied to the traffic | keyword | -| sophos.xg.priority | Severity level of traffic | keyword | -| sophos.xg.protocol | Protocol number of traffic | keyword | -| sophos.xg.qualifier | Qualifier | keyword | -| sophos.xg.quarantine | Path and filename of the file quarantined | keyword | -| sophos.xg.quarantine_reason | Quarantine reason | keyword | -| sophos.xg.querystring | querystring | keyword | -| sophos.xg.raw_data | Raw data | keyword | -| sophos.xg.received_pkts | Total number of packets received | long | -| sophos.xg.receiveddrops | received drops | long | -| sophos.xg.receivederrors | received errors | keyword | -| sophos.xg.receivedkbits | received kbits | long | -| sophos.xg.recv_bytes | Total number of bytes received | long | -| sophos.xg.red_id | RED ID | keyword | -| sophos.xg.referer | Referer | keyword | -| sophos.xg.remote_ip | Remote IP | ip | -| sophos.xg.remotenetwork | remotenetwork | keyword | -| sophos.xg.reported_host | Reported Host | keyword | -| sophos.xg.reported_ip | Reported IP | keyword | -| sophos.xg.reports | Reports | float | -| sophos.xg.rule_priority | Priority of IPS policy | keyword | -| sophos.xg.sent_bytes | Total number of bytes sent | long | -| sophos.xg.sent_pkts | Total number of packets sent | long | -| sophos.xg.server | Server | keyword | -| sophos.xg.sessionid | Sessionid | keyword | -| sophos.xg.sha1sum | SHA1 checksum of the item being analyzed | keyword | -| sophos.xg.signature | Signature | float | -| sophos.xg.signature_id | Signature ID | keyword | -| sophos.xg.signature_msg | Signature messsage | keyword | -| sophos.xg.site_category | Site Category | keyword | -| sophos.xg.source | Source | keyword | -| sophos.xg.sourceip | Original source IP address of traffic | ip | -| sophos.xg.spamaction | Spam Action | keyword | -| sophos.xg.sqli | related SQLI caught by the WAF | keyword | -| sophos.xg.src_country_code | Code of the country to which the source IP belongs | 
keyword | -| sophos.xg.src_domainname | Sender domain name | keyword | -| sophos.xg.src_ip | Original source IP address of traffic | ip | -| sophos.xg.src_mac | Original source MAC address of traffic | keyword | -| sophos.xg.src_port | Original source port of TCP and UDP traffic | integer | -| sophos.xg.src_zone_type | Type of source zone | keyword | -| sophos.xg.ssid | Configured SSID name. | keyword | -| sophos.xg.start_time | Start time | date | -| sophos.xg.starttime | Starttime | date | -| sophos.xg.status | Ultimate status of traffic – Allowed or Denied | keyword | -| sophos.xg.status_code | Status code | keyword | -| sophos.xg.subject | Email subject | keyword | -| sophos.xg.syslog_server_name | Syslog server name | keyword | -| sophos.xg.system_cpu | system | float | -| sophos.xg.target | Platform of the traffic. | keyword | -| sophos.xg.temp | Temp | float | -| sophos.xg.threatname | ATP threatname | keyword | -| sophos.xg.timestamp | timestamp | date | -| sophos.xg.timezone | Time (hh:mm:ss) when the event occurred | keyword | -| sophos.xg.to_email_address | Receipeint email address | keyword | -| sophos.xg.total_memory | Total Memory | integer | -| sophos.xg.trans_dst_ip | Translated destination IP address for outgoing traffic | ip | -| sophos.xg.trans_dst_port | Translated destination port for outgoing traffic | integer | -| sophos.xg.trans_src_ip | Translated source IP address for outgoing traffic | ip | -| sophos.xg.trans_src_port | Translated source port for outgoing traffic | integer | -| sophos.xg.transaction_id | Transaction ID | keyword | -| sophos.xg.transactionid | Transaction ID of the AV scan. 
| keyword | -| sophos.xg.transmitteddrops | transmitted drops | long | -| sophos.xg.transmittederrors | transmitted errors | keyword | -| sophos.xg.transmittedkbits | transmitted kbits | long | -| sophos.xg.unit | unit | keyword | -| sophos.xg.updatedip | updatedip | ip | -| sophos.xg.upload_file_name | Upload file name | keyword | -| sophos.xg.upload_file_type | Upload file type | keyword | -| sophos.xg.url | URL from which virus was downloaded | keyword | -| sophos.xg.used | used | integer | -| sophos.xg.used_quota | Used Quota | keyword | -| sophos.xg.user | User | keyword | -| sophos.xg.user_cpu | system | float | -| sophos.xg.user_gp | Group name to which the user belongs. | keyword | -| sophos.xg.user_group | Group name to which the user belongs | keyword | -| sophos.xg.user_name | user_name | keyword | -| sophos.xg.users | Number of users from System Health / Live User events. | long | -| sophos.xg.vconn_id | Connection ID of the master connection | integer | -| sophos.xg.virus | virus name | keyword | -| sophos.xg.web_policy_id | Web policy ID | keyword | -| sophos.xg.website | Website | keyword | -| sophos.xg.xss | related XSS caught by the WAF | keyword | -| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| source.as.organization.name | Organization name. | keyword | -| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text | -| source.bytes | Bytes sent from the source to the destination. | long | -| source.domain | The domain name of the source system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | -| source.geo.city_name | City name. | keyword | -| source.geo.continent_name | Name of the continent. | keyword | -| source.geo.country_iso_code | Country ISO code. 
| keyword | -| source.geo.country_name | Country name. | keyword | -| source.geo.location | Longitude and latitude. | geo_point | -| source.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | -| source.geo.region_iso_code | Region ISO code. | keyword | -| source.geo.region_name | Region name. | keyword | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| source.mac | MAC address of the source. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | -| source.nat.ip | Translated ip of source based NAT sessions (e.g. internal client to internet) Typically connections traversing load balancers, firewalls, or routers. | ip | -| source.nat.port | Translated port of source based NAT sessions. (e.g. internal client to internet) Typically used with load balancers, firewalls, or routers. | long | -| source.packets | Packets sent from the source to the destination. | long | -| source.port | Port of the source. | long | -| source.user.email | User email address. | keyword | -| source.user.group.name | Name of the group. | keyword | -| source.user.name | Short name or login of the user. | keyword | -| source.user.name.text | Multi-field of `source.user.name`. | match_only_text | -| tags | List of keywords used to tag each event. | keyword | -| url.domain | Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. 
If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. | keyword | -| url.extension | The field contains the file extension from the original request url, excluding the leading dot. The file extension is only set if it exists, as not every url has a file extension. The leading period must not be included. For example, the value must be "png", not ".png". Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword | -| url.fragment | Portion of the url after the `#`, such as "top". The `#` is not part of the fragment. | keyword | -| url.full | If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. | wildcard | -| url.full.text | Multi-field of `url.full`. | match_only_text | -| url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | wildcard | -| url.original.text | Multi-field of `url.original`. | match_only_text | -| url.password | Password of the request. | keyword | -| url.path | Path of the request, such as "/search". | wildcard | -| url.port | Port of the request, such as 443. | long | -| url.query | The query field describes the query string of the request, such as "q=elasticsearch". The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. | keyword | -| url.registered_domain | The highest registered url domain, stripped of the subdomain. 
For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | -| url.scheme | Scheme of the request, such as "https". Note: The `:` is not part of the scheme. | keyword | -| url.subdomain | The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword | -| url.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | -| url.username | Username of the request. | keyword | -| user.email | User email address. | keyword | -| user.name | Short name or login of the user. | keyword | -| user.name.text | Multi-field of `user.name`. | match_only_text | -| user_agent.device.name | Name of the device. | keyword | -| user_agent.name | Name of the user agent. | keyword | -| user_agent.original | Unparsed user_agent string. | keyword | -| user_agent.original.text | Multi-field of `user_agent.original`. | match_only_text | -| user_agent.os.family | OS family (such as redhat, debian, freebsd, windows). 
| keyword | -| user_agent.os.full | Operating system name, including the version or code name. | keyword | -| user_agent.os.full.text | Multi-field of `user_agent.os.full`. | match_only_text | -| user_agent.os.kernel | Operating system kernel version as a raw string. | keyword | -| user_agent.os.name | Operating system name, without the version. | keyword | -| user_agent.os.name.text | Multi-field of `user_agent.os.name`. | match_only_text | -| user_agent.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| user_agent.os.version | Operating system version as a raw string. | keyword | -| user_agent.version | Version of the user agent. | keyword | - diff --git a/packages/sophos/2.4.1/img/logo.svg b/packages/sophos/2.4.1/img/logo.svg deleted file mode 100755 index 44612bd861..0000000000 --- a/packages/sophos/2.4.1/img/logo.svg +++ /dev/null @@ -1,39 +0,0 @@ - -image/svg+xml \ No newline at end of file diff --git a/packages/sophos/2.4.1/img/sophos.svg b/packages/sophos/2.4.1/img/sophos.svg deleted file mode 100755 index 5ebdeaf788..0000000000 --- a/packages/sophos/2.4.1/img/sophos.svg +++ /dev/null @@ -1,69 +0,0 @@ - - - -image/svg+xml diff --git a/packages/sophos/2.4.1/manifest.yml b/packages/sophos/2.4.1/manifest.yml deleted file mode 100755 index 6a9143f31f..0000000000 --- a/packages/sophos/2.4.1/manifest.yml +++ /dev/null 
@@ -1,32 +0,0 @@ -format_version: 1.0.0 -name: sophos -title: Sophos -version: "2.4.1" -description: Collect logs from Sophos with Elastic Agent. -categories: ["security"] -release: ga -license: basic -type: integration -conditions: - kibana.version: "^7.17.0 || ^8.0.0" -policy_templates: - - name: sophos - title: Sophos logs - description: Collect Sophos logs from syslog or a file. - inputs: - - type: udp - title: Collect logs from Sophos via UDP - description: Collecting syslog from Sophos via UDP - - type: tcp - title: Collect logs from Sophos via TCP - description: Collecting syslog from Sophos via TCP - - type: logfile - title: Collect logs from Sophos via file - description: Collecting syslog from Sophos via file. -icons: - - src: /img/logo.svg - title: Sophos logo - size: 32x32 - type: image/svg+xml -owner: - github: elastic/security-external-integrations diff --git a/packages/sophos/2.4.2/LICENSE.txt b/packages/sophos/2.4.2/LICENSE.txt deleted file mode 100755 index 809108b857..0000000000 --- a/packages/sophos/2.4.2/LICENSE.txt +++ /dev/null 
@@ -1,93 +0,0 @@
-Elastic License 2.0
-
-URL: https://www.elastic.co/licensing/elastic-license
-
-## Acceptance
-
-By using the software, you agree to all of the terms and conditions below.
-
-## Copyright License
-
-The licensor grants you a non-exclusive, royalty-free, worldwide,
-non-sublicensable, non-transferable license to use, copy, distribute, make
-available, and prepare derivative works of the software, in each case subject to
-the limitations and conditions below.
-
-## Limitations
-
-You may not provide the software to third parties as a hosted or managed
-service, where the service provides users with access to any substantial set of
-the features or functionality of the software.
-
-You may not move, change, disable, or circumvent the license key functionality
-in the software, and you may not remove or obscure any functionality in the
-software that is protected by the license key.
-
-You may not alter, remove, or obscure any licensing, copyright, or other notices
-of the licensor in the software. Any use of the licensor’s trademarks is subject
-to applicable law.
-
-## Patents
-
-The licensor grants you a license, under any patent claims the licensor can
-license, or becomes able to license, to make, have made, use, sell, offer for
-sale, import and have imported the software, in each case subject to the
-limitations and conditions in this license. This license does not cover any
-patent claims that you cause to be infringed by modifications or additions to
-the software. If you or your company make any written claim that the software
-infringes or contributes to infringement of any patent, your patent license for
-the software granted under these terms ends immediately. If your company makes
-such a claim, your patent license ends immediately for work on behalf of your
-company.
-
-## Notices
-
-You must ensure that anyone who gets a copy of any part of the software from you
-also gets a copy of these terms.
-
-If you modify the software, you must include in any modified copies of the
-software prominent notices stating that you have modified the software.
-
-## No Other Rights
-
-These terms do not imply any licenses other than those expressly granted in
-these terms.
-
-## Termination
-
-If you use the software in violation of these terms, such use is not licensed,
-and your licenses will automatically terminate. If the licensor provides you
-with a notice of your violation, and you cease all violation of this license no
-later than 30 days after you receive that notice, your licenses will be
-reinstated retroactively. However, if you violate these terms after such
-reinstatement, any additional violation of these terms will cause your licenses
-to terminate automatically and permanently.
-
-## No Liability
-
-*As far as the law allows, the software comes as is, without any warranty or
-condition, and the licensor will not be liable to you for any damages arising
-out of these terms or the use or nature of the software, under any kind of
-legal claim.*
-
-## Definitions
-
-The **licensor** is the entity offering these terms, and the **software** is the
-software the licensor makes available under these terms, including any portion
-of it.
-
-**you** refers to the individual or entity agreeing to these terms.
-
-**your company** is any legal entity, sole proprietorship, or other kind of
-organization that you work for, plus all organizations that have control over,
-are under the control of, or are under common control with that
-organization. **control** means ownership of substantially all the assets of an
-entity, or the power to direct its management and policies by vote, contract, or
-otherwise. Control can be direct or indirect.
-
-**your licenses** are all the licenses granted to you for the software under
-these terms.
-
-**use** means anything you do with the software requiring one of your licenses.
-
-**trademark** means trademarks, service marks, and similar rights.
diff --git a/packages/sophos/2.4.2/changelog.yml b/packages/sophos/2.4.2/changelog.yml
deleted file mode 100755
index 53cc5fa5f9..0000000000
--- a/packages/sophos/2.4.2/changelog.yml
+++ /dev/null
@@ -1,210 +0,0 @@
-# newer versions go on top
-- version: "2.4.2"
- changes:
- - description: Remove duplicate field.
- type: bugfix
- link: https://github.com/elastic/integrations/issues/4327
-- version: "2.4.1"
- changes:
- - description: Use ECS geo.location definition.
- type: enhancement
- link: https://github.com/elastic/integrations/issues/4227
-- version: "2.4.0"
- changes:
- - description: Update package to ECS 8.4.0
- type: enhancement
- link: https://github.com/elastic/integrations/pull/3870
-- version: "2.3.2"
- changes:
- - description: Improve TCP, SSL config description and example for Sophos XG.
- type: enhancement
- link: https://github.com/elastic/integrations/pull/3763
-- version: "2.3.1"
- changes:
- - description: Update package name and description to align with standard wording
- type: enhancement
- link: https://github.com/elastic/integrations/pull/3478
-- version: "2.3.0"
- changes:
- - description: Update package to ECS 8.3.0.
- type: enhancement
- link: https://github.com/elastic/integrations/pull/3353
-- version: "2.2.2"
- changes:
- - description: Update Readme to include links to Sophos's documentation. Also used the latest product name for Astaro
- type: enhancement
- link: https://github.com/elastic/integrations/pull/3160
-- version: "2.2.1"
- changes:
- - description: Format source.mac and destination.mac as per ECS for the UTM data stream.
- type: bugfix
- link: https://github.com/elastic/integrations/pull/3370
-- version: "2.2.0"
- changes:
- - description: Improve inputs for Sophos XG pipeline.
- type: enhancement
- link: https://github.com/elastic/integrations/pull/3322
-- version: "2.1.0"
- changes:
- - description: Update to ECS 8.2.0 to use new email field set.
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2798
-- version: "2.0.0"
- changes:
- - description: Remove space from sophos.xg.trans_src_ip field.
- type: bugfix
- link: https://github.com/elastic/integrations/pull/3127
- - description: Do not modify event.original.
- type: bugfix
- link: https://github.com/elastic/integrations/pull/3127
- - description: Populate `url.*` fields based on `sophos.xg.url`.
- type: enhancement
- link: https://github.com/elastic/integrations/pull/3127
- - description: Rename `sophos.xg.reason` to `event.reason` (ECS).
- type: enhancement
- link: https://github.com/elastic/integrations/pull/3127
- - description: Lowercase `network.transport` as per ECS.
- type: bugfix
- link: https://github.com/elastic/integrations/pull/3127
- - description: Format `source.mac` and `destination.mac` as per ECS.
- type: bugfix
- link: https://github.com/elastic/integrations/pull/3127
- - description: Set the `event.code` from the message ID (and remove `sophos.xg.message_id`).
- type: enhancement
- link: https://github.com/elastic/integrations/pull/3127
- - description: Add `network.community_id`.
- type: enhancement
- link: https://github.com/elastic/integrations/pull/3127
- - description: Reduce event size by removing `client` and `server` fields that are clones of `source` and `destination`, respectively.
- type: breaking-change
- link: https://github.com/elastic/integrations/pull/3127
-- version: "1.2.3"
- changes:
- - description: Update pipelines to parse new fields
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2163
-- version: "1.2.2"
- changes:
- - description: Add documentation for multi-fields
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2916
-- version: "1.2.1"
- changes:
- - description: Add missing ingest pipeline for "System Health" logs
- type: bugfix
- link: https://github.com/elastic/integrations/pull/2743
-- version: "1.2.0"
- changes:
- - description: Update to ECS 8.0.0
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2596
-- version: "1.1.3"
- changes:
- - description: Fix KV splitting and syslog header handling
- type: bugfix
- link: https://github.com/elastic/integrations/pull/2320
-- version: "1.1.2"
- changes:
- - description: Regenerate test files using the new GeoIP database
- type: bugfix
- link: https://github.com/elastic/integrations/pull/2339
-- version: "1.1.1"
- changes:
- - description: Change test public IPs to the supported subset
- type: bugfix
- link: https://github.com/elastic/integrations/pull/2327
-- version: "1.1.0"
- changes:
- - description: Add 8.0.0 version constraint
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2271
-- version: "1.0.6"
- changes:
- - description: Uniform with guidelines
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2086
-- version: "1.0.5"
- changes:
- - description: Support hostname in syslog header in UTM data stream.
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2034
-- version: "1.0.4"
- changes:
- - description: Update Title and Description.
- type: enhancement
- link: https://github.com/elastic/integrations/pull/1987
-- version: "1.0.3"
- changes:
- - description: Fixed a bug that prevents the package from working in 7.16.
- type: bugfix
- link: https://github.com/elastic/integrations/pull/1882
-- version: "1.0.2"
- changes:
- - description: Fix logic that adds known devices to policy
- type: bugfix
- link: https://github.com/elastic/integrations/pull/1888
-- version: "1.0.1"
- changes:
- - description: Fix logic that checks for the 'forwarded' tag
- type: bugfix
- link: https://github.com/elastic/integrations/pull/1851
-- version: "1.0.0"
- changes:
- - description: make GA
- type: enhancement
- link: https://github.com/elastic/integrations/pull/1775
-- version: "0.6.0"
- changes:
- - description: Update to ECS 1.12.0
- type: enhancement
- link: https://github.com/elastic/integrations/pull/1678
-- version: "0.5.4"
- changes:
- - description: Requires version 7.14.1 of the stack
- type: bugfix
- link: https://github.com/elastic/integrations/pull/1541
-- version: "0.5.3"
- changes:
- - description: Convert to generated ECS fields
- type: enhancement
- link: https://github.com/elastic/integrations/pull/1504
-- version: '0.5.2'
- changes:
- - description: update to ECS 1.11.0
- type: enhancement
- link: https://github.com/elastic/integrations/pull/1418
-- version: "0.5.1"
- changes:
- - description: Escape special characters in docs
- type: enhancement
- link: https://github.com/elastic/integrations/pull/1405
-- version: "0.5.0"
- changes:
- - description: Update integration description
- type: enhancement
- link: https://github.com/elastic/integrations/pull/1364
-- version: "0.4.0"
- changes:
- - description: Set "event.module" and "event.dataset"
- type: enhancement
- link: https://github.com/elastic/integrations/pull/1275
-- version: "0.3.0"
- changes:
- - description: update to ECS 1.10.0 and adding event.original options
- type: enhancement
- link: https://github.com/elastic/integrations/pull/1102
-- version: "0.2.1"
- changes:
- - description: update to ECS 1.9.0
- type: enhancement
- link: https://github.com/elastic/integrations/pull/870
-- version: "0.2.0"
- changes:
- - description: Add XG data stream
- type: enhancement # can be one of: enhancement, bugfix, breaking-change
- link: https://github.com/elastic/package-storage/pull/400
-- version: "0.1.0"
- changes:
- - description: initial release
- type: enhancement # can be one of: enhancement, bugfix, breaking-change
- link: https://github.com/elastic/package-storage/pull/400
diff --git a/packages/sophos/2.4.2/data_stream/utm/agent/stream/stream.yml.hbs b/packages/sophos/2.4.2/data_stream/utm/agent/stream/stream.yml.hbs
deleted file mode 100755
index 8cce59a86f..0000000000
--- a/packages/sophos/2.4.2/data_stream/utm/agent/stream/stream.yml.hbs
+++ /dev/null
@@ -1,5072 +0,0 @@ -paths: -{{#each paths as |path i|}} - - {{path}} -{{/each}} -exclude_files: [".gz$"] -tags: -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#each tags as |tag i|}} - - {{tag}} -{{/each}} -fields_under_root: true -fields: - observer: - vendor: "Sophos" - product: "UTM" - type: "Firewall" -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} -processors: -{{#if processors}} -{{processors}} -{{/if}} -- script: - lang: javascript - params: - ecs: true - rsa: {{rsa_fields}} - tz_offset: {{tz_offset}} - keep_raw: {{keep_raw_fields}} - debug: {{debug}} - source: | - // Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - // or more contributor license agreements. Licensed under the Elastic License; - // you may not use this file except in compliance with the Elastic License. - - /* jshint -W014,-W016,-W097,-W116 */ - - var processor = require("processor"); - var console = require("console"); - - var FLAG_FIELD = "log.flags"; - var FIELDS_OBJECT = "nwparser"; - var FIELDS_PREFIX = FIELDS_OBJECT + "."; - - var defaults = { - debug: false, - ecs: true, - rsa: false, - keep_raw: false, - tz_offset: "local", - strip_priority: true - }; - - var saved_flags = null; - var debug; - var map_ecs; - var map_rsa; - var keep_raw; - var device; - var tz_offset; - var strip_priority; - - // Register params from configuration. - function register(params) { - debug = params.debug !== undefined ? params.debug : defaults.debug; - map_ecs = params.ecs !== undefined ? params.ecs : defaults.ecs; - map_rsa = params.rsa !== undefined ? params.rsa : defaults.rsa; - keep_raw = params.keep_raw !== undefined ? params.keep_raw : defaults.keep_raw; - tz_offset = parse_tz_offset(params.tz_offset !== undefined? params.tz_offset : defaults.tz_offset); - strip_priority = params.strip_priority !== undefined? 
params.strip_priority : defaults.strip_priority; - device = new DeviceProcessor(); - } - - function parse_tz_offset(offset) { - var date; - var m; - switch(offset) { - // local uses the tz offset from the JS VM. - case "local": - date = new Date(); - // Reversing the sign as we the offset from UTC, not to UTC. - return parse_local_tz_offset(-date.getTimezoneOffset()); - // event uses the tz offset from event.timezone (add_locale processor). - case "event": - return offset; - // Otherwise a tz offset in the form "[+-][0-9]{4}" is required. - default: - m = offset.match(/^([+\-])([0-9]{2}):?([0-9]{2})?$/); - if (m === null || m.length !== 4) { - throw("bad timezone offset: '" + offset + "'. Must have the form +HH:MM"); - } - return m[1] + m[2] + ":" + (m[3]!==undefined? m[3] : "00"); - } - } - - function parse_local_tz_offset(minutes) { - var neg = minutes < 0; - minutes = Math.abs(minutes); - var min = minutes % 60; - var hours = Math.floor(minutes / 60); - var pad2digit = function(n) { - if (n < 10) { return "0" + n;} - return "" + n; - }; - return (neg? "-" : "+") + pad2digit(hours) + ":" + pad2digit(min); - } - - function process(evt) { - // Function register is only called by the processor when `params` are set - // in the processor config. - if (device === undefined) { - register(defaults); - } - return device.process(evt); - } - - function processor_chain(subprocessors) { - var builder = new processor.Chain(); - subprocessors.forEach(builder.Add); - return builder.Build().Run; - } - - function linear_select(subprocessors) { - return function (evt) { - var flags = evt.Get(FLAG_FIELD); - var i; - for (i = 0; i < subprocessors.length; i++) { - evt.Delete(FLAG_FIELD); - if (debug) console.warn("linear_select trying entry " + i); - subprocessors[i](evt); - // Dissect processor succeeded? 
- if (evt.Get(FLAG_FIELD) == null) break; - if (debug) console.warn("linear_select failed entry " + i); - } - if (flags !== null) { - evt.Put(FLAG_FIELD, flags); - } - if (debug) { - if (i < subprocessors.length) { - console.warn("linear_select matched entry " + i); - } else { - console.warn("linear_select didn't match"); - } - } - }; - } - - function conditional(opt) { - return function(evt) { - if (opt.if(evt)) { - opt.then(evt); - } else if (opt.else) { - opt.else(evt); - } - }; - } - - var strip_syslog_priority = (function() { - var isEnabled = function() { return strip_priority === true; }; - var fetchPRI = field("_pri"); - var fetchPayload = field("payload"); - var removePayload = remove(["payload"]); - var cleanup = remove(["_pri", "payload"]); - var onMatch = function(evt) { - var pri, priStr = fetchPRI(evt); - if (priStr != null - && 0 < priStr.length && priStr.length < 4 - && !isNaN((pri = Number(priStr))) - && 0 <= pri && pri < 192) { - var severity = pri & 7, - facility = pri >> 3; - setc("_severity", "" + severity)(evt); - setc("_facility", "" + facility)(evt); - // Replace message with priority stripped. - evt.Put("message", fetchPayload(evt)); - removePayload(evt); - } else { - // not a valid syslog PRI, cleanup. 
- cleanup(evt); - } - }; - return conditional({ - if: isEnabled, - then: cleanup_flags(match( - "STRIP_PRI", - "message", - "<%{_pri}>%{payload}", - onMatch - )) - }); - })(); - - function match(id, src, pattern, on_success) { - var dissect = new processor.Dissect({ - field: src, - tokenizer: pattern, - target_prefix: FIELDS_OBJECT, - ignore_failure: true, - overwrite_keys: true, - trim_values: "right" - }); - return function (evt) { - var msg = evt.Get(src); - dissect.Run(evt); - var failed = evt.Get(FLAG_FIELD) != null; - if (debug) { - if (failed) { - console.debug("dissect fail: " + id + " field:" + src); - } else { - console.debug("dissect OK: " + id + " field:" + src); - } - console.debug(" expr: <<" + pattern + ">>"); - console.debug(" input: <<" + msg + ">>"); - } - if (on_success != null && !failed) { - on_success(evt); - } - }; - } - - function match_copy(id, src, dst, on_success) { - dst = FIELDS_PREFIX + dst; - if (dst === FIELDS_PREFIX || dst === src) { - return function (evt) { - if (debug) { - console.debug("noop OK: " + id + " field:" + src); - console.debug(" input: <<" + evt.Get(src) + ">>"); - } - if (on_success != null) on_success(evt); - } - } - return function (evt) { - var msg = evt.Get(src); - evt.Put(dst, msg); - if (debug) { - console.debug("copy OK: " + id + " field:" + src); - console.debug(" target: '" + dst + "'"); - console.debug(" input: <<" + msg + ">>"); - } - if (on_success != null) on_success(evt); - } - } - - function cleanup_flags(processor) { - return function(evt) { - processor(evt); - evt.Delete(FLAG_FIELD); - }; - } - - function all_match(opts) { - return function (evt) { - var i; - for (i = 0; i < opts.processors.length; i++) { - evt.Delete(FLAG_FIELD); - opts.processors[i](evt); - // Dissect processor succeeded? 
- if (evt.Get(FLAG_FIELD) != null) { - if (debug) console.warn("all_match failure at " + i); - if (opts.on_failure != null) opts.on_failure(evt); - return; - } - if (debug) console.warn("all_match success at " + i); - } - if (opts.on_success != null) opts.on_success(evt); - }; - } - - function msgid_select(mapping) { - return function (evt) { - var msgid = evt.Get(FIELDS_PREFIX + "messageid"); - if (msgid == null) { - if (debug) console.warn("msgid_select: no messageid captured!"); - return; - } - var next = mapping[msgid]; - if (next === undefined) { - if (debug) console.warn("msgid_select: no mapping for messageid:" + msgid); - return; - } - if (debug) console.info("msgid_select: matched key=" + msgid); - return next(evt); - }; - } - - function msg(msg_id, match) { - return function (evt) { - match(evt); - if (evt.Get(FLAG_FIELD) == null) { - evt.Put(FIELDS_PREFIX + "msg_id1", msg_id); - } - }; - } - - var start; - - function save_flags(evt) { - saved_flags = evt.Get(FLAG_FIELD); - evt.Put("event.original", evt.Get("message")); - } - - function restore_flags(evt) { - if (saved_flags !== null) { - evt.Put(FLAG_FIELD, saved_flags); - } - evt.Delete("message"); - } - - function constant(value) { - return function (evt) { - return value; - }; - } - - function field(name) { - var fullname = FIELDS_PREFIX + name; - return function (evt) { - return evt.Get(fullname); - }; - } - - function STRCAT(args) { - var s = ""; - var i; - for (i = 0; i < args.length; i++) { - s += args[i]; - } - return s; - } - - // TODO: Implement - function DIRCHK(args) { - unimplemented("DIRCHK"); - } - - function strictToInt(str) { - return str * 1; - } - - function CALC(args) { - if (args.length !== 3) { - console.warn("skipped call to CALC with " + args.length + " arguments."); - return; - } - var a = strictToInt(args[0]); - var b = strictToInt(args[2]); - if (isNaN(a) || isNaN(b)) { - console.warn("failed evaluating CALC arguments a='" + args[0] + "' b='" + args[2] + "'."); - return; - } - 
var result; - switch (args[1]) { - case "+": - result = a + b; - break; - case "-": - result = a - b; - break; - case "*": - result = a * b; - break; - default: - // Only * and + seen in the parsers. - console.warn("unknown CALC operation '" + args[1] + "'."); - return; - } - // Always return a string - return result !== undefined ? "" + result : result; - } - - var quoteChars = "\"'`"; - function RMQ(args) { - if(args.length !== 1) { - console.warn("RMQ: only one argument expected"); - return; - } - var value = args[0].trim(); - var n = value.length; - var char; - return n > 1 - && (char=value.charAt(0)) === value.charAt(n-1) - && quoteChars.indexOf(char) !== -1? - value.substr(1, n-2) - : value; - } - - function call(opts) { - var args = new Array(opts.args.length); - return function (evt) { - for (var i = 0; i < opts.args.length; i++) - if ((args[i] = opts.args[i](evt)) == null) return; - var result = opts.fn(args); - if (result != null) { - evt.Put(opts.dest, result); - } - }; - } - - function nop(evt) { - } - - function appendErrorMsg(evt, msg) { - var value = evt.Get("error.message"); - if (value == null) { - value = [msg]; - } else if (msg instanceof Array) { - value.push(msg); - } else { - value = [value, msg]; - } - evt.Put("error.message", value); - } - - function unimplemented(name) { - appendErrorMsg("unimplemented feature: " + name); - } - - function lookup(opts) { - return function (evt) { - var key = opts.key(evt); - if (key == null) return; - var value = opts.map.keyvaluepairs[key]; - if (value === undefined) { - value = opts.map.default; - } - if (value !== undefined) { - evt.Put(opts.dest, value(evt)); - } - }; - } - - function set(fields) { - return new processor.AddFields({ - target: FIELDS_OBJECT, - fields: fields, - }); - } - - function setf(dst, src) { - return function (evt) { - var val = evt.Get(FIELDS_PREFIX + src); - if (val != null) evt.Put(FIELDS_PREFIX + dst, val); - }; - } - - function setc(dst, value) { - return function (evt) { - 
evt.Put(FIELDS_PREFIX + dst, value); - }; - } - - function set_field(opts) { - return function (evt) { - var val = opts.value(evt); - if (val != null) evt.Put(opts.dest, val); - }; - } - - function dump(label) { - return function (evt) { - console.log("Dump of event at " + label + ": " + JSON.stringify(evt, null, "\t")); - }; - } - - function date_time_join_args(evt, arglist) { - var str = ""; - for (var i = 0; i < arglist.length; i++) { - var fname = FIELDS_PREFIX + arglist[i]; - var val = evt.Get(fname); - if (val != null) { - if (str !== "") str += " "; - str += val; - } else { - if (debug) console.warn("in date_time: input arg " + fname + " is not set"); - } - } - return str; - } - - function to2Digit(num) { - return num? (num < 10? "0" + num : num) : "00"; - } - - // Make two-digit dates 00-69 interpreted as 2000-2069 - // and dates 70-99 translated to 1970-1999. - var twoDigitYearEpoch = 70; - var twoDigitYearCentury = 2000; - - // This is to accept dates up to 2 days in the future, only used when - // no year is specified in a date. 2 days should be enough to account for - // time differences between systems and different tz offsets. - var maxFutureDelta = 2*24*60*60*1000; - - // DateContainer stores date fields and then converts those fields into - // a Date. Necessary because building a Date using its set() methods gives - // different results depending on the order of components. - function DateContainer(tzOffset) { - this.offset = tzOffset === undefined? "Z" : tzOffset; - } - - DateContainer.prototype = { - setYear: function(v) {this.year = v;}, - setMonth: function(v) {this.month = v;}, - setDay: function(v) {this.day = v;}, - setHours: function(v) {this.hours = v;}, - setMinutes: function(v) {this.minutes = v;}, - setSeconds: function(v) {this.seconds = v;}, - - setUNIX: function(v) {this.unix = v;}, - - set2DigitYear: function(v) { - this.year = v < twoDigitYearEpoch? 
twoDigitYearCentury + v : twoDigitYearCentury + v - 100; - }, - - toDate: function() { - if (this.unix !== undefined) { - return new Date(this.unix * 1000); - } - if (this.day === undefined || this.month === undefined) { - // Can't make a date from this. - return undefined; - } - if (this.year === undefined) { - // A date without a year. Set current year, or previous year - // if date would be in the future. - var now = new Date(); - this.year = now.getFullYear(); - var date = this.toDate(); - if (date.getTime() - now.getTime() > maxFutureDelta) { - date.setFullYear(now.getFullYear() - 1); - } - return date; - } - var MM = to2Digit(this.month); - var DD = to2Digit(this.day); - var hh = to2Digit(this.hours); - var mm = to2Digit(this.minutes); - var ss = to2Digit(this.seconds); - return new Date(this.year + "-" + MM + "-" + DD + "T" + hh + ":" + mm + ":" + ss + this.offset); - } - } - - function date_time_try_pattern(fmt, str, tzOffset) { - var date = new DateContainer(tzOffset); - var pos = date_time_try_pattern_at_pos(fmt, str, 0, date); - return pos !== undefined? 
date.toDate() : undefined; - } - - function date_time_try_pattern_at_pos(fmt, str, pos, date) { - var len = str.length; - for (var proc = 0; pos !== undefined && pos < len && proc < fmt.length; proc++) { - pos = fmt[proc](str, pos, date); - } - return pos; - } - - function date_time(opts) { - return function (evt) { - var tzOffset = opts.tz || tz_offset; - if (tzOffset === "event") { - tzOffset = evt.Get("event.timezone"); - } - var str = date_time_join_args(evt, opts.args); - for (var i = 0; i < opts.fmts.length; i++) { - var date = date_time_try_pattern(opts.fmts[i], str, tzOffset); - if (date !== undefined) { - evt.Put(FIELDS_PREFIX + opts.dest, date); - return; - } - } - if (debug) console.warn("in date_time: id=" + opts.id + " FAILED: " + str); - }; - } - - var uA = 60 * 60 * 24; - var uD = 60 * 60 * 24; - var uF = 60 * 60; - var uG = 60 * 60 * 24 * 30; - var uH = 60 * 60; - var uI = 60 * 60; - var uJ = 60 * 60 * 24; - var uM = 60 * 60 * 24 * 30; - var uN = 60 * 60; - var uO = 1; - var uS = 1; - var uT = 60; - var uU = 60; - var uc = dc; - - function duration(opts) { - return function(evt) { - var str = date_time_join_args(evt, opts.args); - for (var i = 0; i < opts.fmts.length; i++) { - var seconds = duration_try_pattern(opts.fmts[i], str); - if (seconds !== undefined) { - evt.Put(FIELDS_PREFIX + opts.dest, seconds); - return; - } - } - if (debug) console.warn("in duration: id=" + opts.id + " (s) FAILED: " + str); - }; - } - - function duration_try_pattern(fmt, str) { - var secs = 0; - var pos = 0; - for (var i=0; i [ month_id , how many chars to skip if month in long form ] - "Jan": [0, 4], - "Feb": [1, 5], - "Mar": [2, 2], - "Apr": [3, 2], - "May": [4, 0], - "Jun": [5, 1], - "Jul": [6, 1], - "Aug": [7, 3], - "Sep": [8, 6], - "Oct": [9, 4], - "Nov": [10, 5], - "Dec": [11, 4], - "jan": [0, 4], - "feb": [1, 5], - "mar": [2, 2], - "apr": [3, 2], - "may": [4, 0], - "jun": [5, 1], - "jul": [6, 1], - "aug": [7, 3], - "sep": [8, 6], - "oct": [9, 4], - "nov": [10, 
5], - "dec": [11, 4], - }; - - // var dC = undefined; - var dR = dateMonthName(true); - var dB = dateMonthName(false); - var dM = dateFixedWidthNumber("M", 2, 1, 12, DateContainer.prototype.setMonth); - var dG = dateVariableWidthNumber("G", 1, 12, DateContainer.prototype.setMonth); - var dD = dateFixedWidthNumber("D", 2, 1, 31, DateContainer.prototype.setDay); - var dF = dateVariableWidthNumber("F", 1, 31, DateContainer.prototype.setDay); - var dH = dateFixedWidthNumber("H", 2, 0, 24, DateContainer.prototype.setHours); - var dI = dateVariableWidthNumber("I", 0, 24, DateContainer.prototype.setHours); // Accept hours >12 - var dN = dateVariableWidthNumber("N", 0, 24, DateContainer.prototype.setHours); - var dT = dateFixedWidthNumber("T", 2, 0, 59, DateContainer.prototype.setMinutes); - var dU = dateVariableWidthNumber("U", 0, 59, DateContainer.prototype.setMinutes); - var dP = parseAMPM; // AM|PM - var dQ = parseAMPM; // A.M.|P.M - var dS = dateFixedWidthNumber("S", 2, 0, 60, DateContainer.prototype.setSeconds); - var dO = dateVariableWidthNumber("O", 0, 60, DateContainer.prototype.setSeconds); - var dY = dateFixedWidthNumber("Y", 2, 0, 99, DateContainer.prototype.set2DigitYear); - var dW = dateFixedWidthNumber("W", 4, 1000, 9999, DateContainer.prototype.setYear); - var dZ = parseHMS; - var dX = dateVariableWidthNumber("X", 0, 0x10000000000, DateContainer.prototype.setUNIX); - - // parseAMPM parses "A.M", "AM", "P.M", "PM" from logs. - // Only works if this modifier appears after the hour has been read from logs - // which is always the case in the 300 devices. 
- function parseAMPM(str, pos, date) { - var n = str.length; - var start = skipws(str, pos); - if (start + 2 > n) return; - var head = str.substr(start, 2).toUpperCase(); - var isPM = false; - var skip = false; - switch (head) { - case "A.": - skip = true; - /* falls through */ - case "AM": - break; - case "P.": - skip = true; - /* falls through */ - case "PM": - isPM = true; - break; - default: - if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(head:" + head + ")"); - return; - } - pos = start + 2; - if (skip) { - if (pos+2 > n || str.substr(pos, 2).toUpperCase() !== "M.") { - if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(tail)"); - return; - } - pos += 2; - } - var hh = date.hours; - if (isPM) { - // Accept existing hour in 24h format. - if (hh < 12) hh += 12; - } else { - if (hh === 12) hh = 0; - } - date.setHours(hh); - return pos; - } - - function parseHMS(str, pos, date) { - return date_time_try_pattern_at_pos([dN, dc(":"), dU, dc(":"), dO], str, pos, date); - } - - function skipws(str, pos) { - for ( var n = str.length; - pos < n && str.charAt(pos) === " "; - pos++) - ; - return pos; - } - - function skipdigits(str, pos) { - var c; - for (var n = str.length; - pos < n && (c = str.charAt(pos)) >= "0" && c <= "9"; - pos++) - ; - return pos; - } - - function dSkip(str, pos, date) { - var chr; - for (;pos < str.length && (chr=str[pos])<'0' || chr>'9'; pos++) {} - return pos < str.length? 
pos : undefined; - } - - function dateVariableWidthNumber(fmtChar, min, max, setter) { - return function (str, pos, date) { - var start = skipws(str, pos); - pos = skipdigits(str, start); - var s = str.substr(start, pos - start); - var value = parseInt(s, 10); - if (value >= min && value <= max) { - setter.call(date, value); - return pos; - } - return; - }; - } - - function dateFixedWidthNumber(fmtChar, width, min, max, setter) { - return function (str, pos, date) { - pos = skipws(str, pos); - var n = str.length; - if (pos + width > n) return; - var s = str.substr(pos, width); - var value = parseInt(s, 10); - if (value >= min && value <= max) { - setter.call(date, value); - return pos + width; - } - return; - }; - } - - // Short month name (Jan..Dec). - function dateMonthName(long) { - return function (str, pos, date) { - pos = skipws(str, pos); - var n = str.length; - if (pos + 3 > n) return; - var mon = str.substr(pos, 3); - var idx = shortMonths[mon]; - if (idx === undefined) { - idx = shortMonths[mon.toLowerCase()]; - } - if (idx === undefined) { - //console.warn("parsing date_time: '" + mon + "' is not a valid short month (%B)"); - return; - } - date.setMonth(idx[0]+1); - return pos + 3 + (long ? 
idx[1] : 0); - }; - } - - function url_wrapper(dst, src, fn) { - return function(evt) { - var value = evt.Get(FIELDS_PREFIX + src), result; - if (value != null && (result = fn(value))!== undefined) { - evt.Put(FIELDS_PREFIX + dst, result); - } else { - console.debug(fn.name + " failed for '" + value + "'"); - } - }; - } - - // The following regular expression for parsing URLs from: - // https://github.com/wizard04wsu/URI_Parsing - // - // The MIT License (MIT) - // - // Copyright (c) 2014 Andrew Harrison - // - // Permission is hereby granted, free of charge, to any person obtaining a copy of - // this software and associated documentation files (the "Software"), to deal in - // the Software without restriction, including without limitation the rights to - // use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of - // the Software, and to permit persons to whom the Software is furnished to do so, - // subject to the following conditions: - // - // The above copyright notice and this permission notice shall be included in all - // copies or substantial portions of the Software. - // - // THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR - // IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS - // FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR - // COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER - // IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN - // CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 
- var uriRegExp = /^([a-z][a-z0-9+.\-]*):(?:\/\/((?:(?=((?:[a-z0-9\-._~!$&'()*+,;=:]|%[0-9A-F]{2})*))(\3)@)?(?=(\[[0-9A-F:.]{2,}\]|(?:[a-z0-9\-._~!$&'()*+,;=]|%[0-9A-F]{2})*))\5(?::(?=(\d*))\6)?)(\/(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\8)?|(\/?(?!\/)(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\10)?)(?:\?(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\11)?(?:#(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\12)?$/i; - - var uriScheme = 1; - var uriDomain = 5; - var uriPort = 6; - var uriPath = 7; - var uriPathAlt = 9; - var uriQuery = 11; - - function domain(dst, src) { - return url_wrapper(dst, src, extract_domain); - } - - function split_url(value) { - var m = value.match(uriRegExp); - if (m && m[uriDomain]) return m; - // Support input in the form "www.example.net/path", but not "/path". - m = ("null://" + value).match(uriRegExp); - if (m) return m; - } - - function extract_domain(value) { - var m = split_url(value); - if (m && m[uriDomain]) return m[uriDomain]; - } - - var extFromPage = /\.[^.]+$/; - function extract_ext(value) { - var page = extract_page(value); - if (page) { - var m = page.match(extFromPage); - if (m) return m[0]; - } - } - - function ext(dst, src) { - return url_wrapper(dst, src, extract_ext); - } - - function fqdn(dst, src) { - // TODO: fqdn and domain(eTLD+1) are currently the same. - return domain(dst, src); - } - - var pageFromPathRegExp = /\/([^\/]+)$/; - var pageName = 1; - - function extract_page(value) { - value = extract_path(value); - if (!value) return undefined; - var m = value.match(pageFromPathRegExp); - if (m) return m[pageName]; - } - - function page(dst, src) { - return url_wrapper(dst, src, extract_page); - } - - function extract_path(value) { - var m = split_url(value); - return m? m[uriPath] || m[uriPathAlt] : undefined; - } - - function path(dst, src) { - return url_wrapper(dst, src, extract_path); - } - - // Map common schemes to their default port. 
- // port has to be a string (will be converted at a later stage). - var schemePort = { - "ftp": "21", - "ssh": "22", - "http": "80", - "https": "443", - }; - - function extract_port(value) { - var m = split_url(value); - if (!m) return undefined; - if (m[uriPort]) return m[uriPort]; - if (m[uriScheme]) { - return schemePort[m[uriScheme]]; - } - } - - function port(dst, src) { - return url_wrapper(dst, src, extract_port); - } - - function extract_query(value) { - var m = split_url(value); - if (m && m[uriQuery]) return m[uriQuery]; - } - - function query(dst, src) { - return url_wrapper(dst, src, extract_query); - } - - function extract_root(value) { - var m = split_url(value); - if (m && m[uriDomain] && m[uriDomain]) { - var scheme = m[uriScheme] && m[uriScheme] !== "null"? - m[uriScheme] + "://" : ""; - var port = m[uriPort]? ":" + m[uriPort] : ""; - return scheme + m[uriDomain] + port; - } - } - - function root(dst, src) { - return url_wrapper(dst, src, extract_root); - } - - function tagval(id, src, cfg, keys, on_success) { - var fail = function(evt) { - evt.Put(FLAG_FIELD, "tagval_parsing_error"); - } - if (cfg.kv_separator.length !== 1) { - throw("Invalid TAGVALMAP ValueDelimiter (must have 1 character)"); - } - var quotes_len = cfg.open_quote.length > 0 && cfg.close_quote.length > 0? 
- cfg.open_quote.length + cfg.close_quote.length : 0; - var kv_regex = new RegExp('^([^' + cfg.kv_separator + ']*)*' + cfg.kv_separator + ' *(.*)*$'); - return function(evt) { - var msg = evt.Get(src); - if (msg === undefined) { - console.warn("tagval: input field is missing"); - return fail(evt); - } - var pairs = msg.split(cfg.pair_separator); - var i; - var success = false; - var prev = ""; - for (i=0; i 0 && - value.length >= cfg.open_quote.length + cfg.close_quote.length && - value.substr(0, cfg.open_quote.length) === cfg.open_quote && - value.substr(value.length - cfg.close_quote.length) === cfg.close_quote) { - value = value.substr(cfg.open_quote.length, value.length - quotes_len); - } - evt.Put(FIELDS_PREFIX + field, value); - success = true; - } - if (!success) { - return fail(evt); - } - if (on_success != null) { - on_success(evt); - } - } - } - - var ecs_mappings = { - "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]}, - "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]}, - "_severity": {convert: to_long, to:[{field: "log.syslog.severity.code", setter: fld_set}]}, - "action": {to:[{field: "event.action", setter: fld_prio, prio: 0}]}, - "administrator": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 4}]}, - "alias.ip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 3},{field: "related.ip", setter: fld_append}]}, - "alias.ipv6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 4},{field: "related.ip", setter: fld_append}]}, - "alias.mac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 1}]}, - "application": {to:[{field: "network.application", setter: fld_set}]}, - "bytes": {convert: to_long, to:[{field: "network.bytes", setter: fld_set}]}, - "c_domain": {to:[{field: "source.domain", setter: fld_prio, prio: 1}]}, - "c_logon_id": {to:[{field: "user.id", setter: fld_prio, prio: 2}]}, - 
"c_user_name": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 8}]}, - "c_username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 2}]}, - "cctld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 1}]}, - "child_pid": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 1}]}, - "child_pid_val": {to:[{field: "process.title", setter: fld_set}]}, - "child_process": {to:[{field: "process.name", setter: fld_prio, prio: 1}]}, - "city.dst": {to:[{field: "destination.geo.city_name", setter: fld_set}]}, - "city.src": {to:[{field: "source.geo.city_name", setter: fld_set}]}, - "daddr": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, - "daddr_v6": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, - "ddomain": {to:[{field: "destination.domain", setter: fld_prio, prio: 0}]}, - "devicehostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, - "devicehostmac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 0}]}, - "dhost": {to:[{field: "destination.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]}, - "dinterface": {to:[{field: "observer.egress.interface.name", setter: fld_set}]}, - "direction": {to:[{field: "network.direction", setter: fld_set}]}, - "directory": {to:[{field: "file.directory", setter: fld_set}]}, - "dmacaddr": {convert: to_mac, to:[{field: "destination.mac", setter: fld_set}]}, - "dns.responsetype": {to:[{field: "dns.answers.type", setter: fld_set}]}, - "dns.resptext": {to:[{field: "dns.answers.name", setter: fld_set}]}, - "dns_querytype": {to:[{field: "dns.question.type", setter: fld_set}]}, - "domain": {to:[{field: "server.domain", setter: fld_prio, prio: 0},{field: "related.hosts", setter: fld_append}]}, - 
"domain.dst": {to:[{field: "destination.domain", setter: fld_prio, prio: 1}]}, - "domain.src": {to:[{field: "source.domain", setter: fld_prio, prio: 2}]}, - "domain_id": {to:[{field: "user.domain", setter: fld_set}]}, - "domainname": {to:[{field: "server.domain", setter: fld_prio, prio: 1}]}, - "dport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 0}]}, - "dtransaddr": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, - "dtransport": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 0}]}, - "ec_outcome": {to:[{field: "event.outcome", setter: fld_ecs_outcome}]}, - "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]}, - "event_source": {to:[{field: "related.hosts", setter: fld_append}]}, - "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]}, - "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]}, - "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]}, - "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]}, - "filename": {to:[{field: "file.name", setter: fld_prio, prio: 0}]}, - "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]}, - "filepath": {to:[{field: "file.path", setter: fld_set}]}, - "filetype": {to:[{field: "file.type", setter: fld_set}]}, - "fqdn": {to:[{field: "related.hosts", setter: fld_append}]}, - "group": {to:[{field: "group.name", setter: fld_set}]}, - "groupid": {to:[{field: "group.id", setter: fld_set}]}, - "host": {to:[{field: "host.name", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]}, - "hostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, - "hostip_v6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, - "hostname": {to:[{field: 
"host.name", setter: fld_prio, prio: 0}]}, - "id": {to:[{field: "event.code", setter: fld_prio, prio: 0}]}, - "interface": {to:[{field: "network.interface.name", setter: fld_set}]}, - "ip.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, - "ip.trans.dst": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, - "ip.trans.src": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, - "ipv6.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, - "latdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lat", setter: fld_set}]}, - "latdec_src": {convert: to_double, to:[{field: "source.geo.location.lat", setter: fld_set}]}, - "location_city": {to:[{field: "geo.city_name", setter: fld_set}]}, - "location_country": {to:[{field: "geo.country_name", setter: fld_set}]}, - "location_desc": {to:[{field: "geo.name", setter: fld_set}]}, - "location_dst": {to:[{field: "destination.geo.country_name", setter: fld_set}]}, - "location_src": {to:[{field: "source.geo.country_name", setter: fld_set}]}, - "location_state": {to:[{field: "geo.region_name", setter: fld_set}]}, - "logon_id": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 5}]}, - "longdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lon", setter: fld_set}]}, - "longdec_src": {convert: to_double, to:[{field: "source.geo.location.lon", setter: fld_set}]}, - "macaddr": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 2}]}, - "messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]}, - "method": {to:[{field: "http.request.method", setter: fld_set}]}, - "msg": {to:[{field: "message", setter: fld_set}]}, - "orig_ip": {convert: to_ip, 
to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, - "owner": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 6}]}, - "packets": {convert: to_long, to:[{field: "network.packets", setter: fld_set}]}, - "parent_pid": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 0}]}, - "parent_pid_val": {to:[{field: "process.parent.title", setter: fld_set}]}, - "parent_process": {to:[{field: "process.parent.name", setter: fld_prio, prio: 0}]}, - "patient_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 1}]}, - "port.dst": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 1}]}, - "port.src": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 1}]}, - "port.trans.dst": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 1}]}, - "port.trans.src": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 1}]}, - "process": {to:[{field: "process.name", setter: fld_prio, prio: 0}]}, - "process_id": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 0}]}, - "process_id_src": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 1}]}, - "process_src": {to:[{field: "process.parent.name", setter: fld_prio, prio: 1}]}, - "product": {to:[{field: "observer.product", setter: fld_set}]}, - "protocol": {to:[{field: "network.protocol", setter: fld_set}]}, - "query": {to:[{field: "url.query", setter: fld_prio, prio: 2}]}, - "rbytes": {convert: to_long, to:[{field: "destination.bytes", setter: fld_set}]}, - "referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 1}]}, - "rulename": {to:[{field: "rule.name", setter: fld_set}]}, - "saddr": {convert: to_ip, to:[{field: "source.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, - "saddr_v6": {convert: to_ip, to:[{field: "source.ip", setter: 
fld_set},{field: "related.ip", setter: fld_append}]}, - "sbytes": {convert: to_long, to:[{field: "source.bytes", setter: fld_set}]}, - "sdomain": {to:[{field: "source.domain", setter: fld_prio, prio: 0}]}, - "service": {to:[{field: "service.name", setter: fld_prio, prio: 1}]}, - "service.name": {to:[{field: "service.name", setter: fld_prio, prio: 0}]}, - "service_account": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 7}]}, - "severity": {to:[{field: "log.level", setter: fld_set}]}, - "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]}, - "sinterface": {to:[{field: "observer.ingress.interface.name", setter: fld_set}]}, - "sld": {to:[{field: "url.registered_domain", setter: fld_set}]}, - "smacaddr": {convert: to_mac, to:[{field: "source.mac", setter: fld_set}]}, - "sport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 0}]}, - "stransaddr": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, - "stransport": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 0}]}, - "tcp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 2}]}, - "tcp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 2}]}, - "timezone": {to:[{field: "event.timezone", setter: fld_set}]}, - "tld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 0}]}, - "udp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 3}]}, - "udp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 3}]}, - "uid": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 3}]}, - "url": {to:[{field: "url.original", setter: fld_prio, prio: 1}]}, - "url_raw": {to:[{field: "url.original", setter: fld_prio, prio: 
0}]}, - "urldomain": {to:[{field: "url.domain", setter: fld_prio, prio: 0}]}, - "urlquery": {to:[{field: "url.query", setter: fld_prio, prio: 0}]}, - "user": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 0}]}, - "user.id": {to:[{field: "user.id", setter: fld_prio, prio: 1}]}, - "user_agent": {to:[{field: "user_agent.original", setter: fld_set}]}, - "user_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 0}]}, - "user_id": {to:[{field: "user.id", setter: fld_prio, prio: 0}]}, - "username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 1}]}, - "version": {to:[{field: "observer.version", setter: fld_set}]}, - "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]}, - "web_extension": {to:[{field: "file.extension", setter: fld_prio, prio: 0}]}, - "web_query": {to:[{field: "url.query", setter: fld_prio, prio: 1}]}, - "web_ref_domain": {to:[{field: "related.hosts", setter: fld_append}]}, - "web_referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 0}]}, - "web_root": {to:[{field: "url.path", setter: fld_set}]}, - "webpage": {to:[{field: "file.name", setter: fld_prio, prio: 1}]}, - }; - - var rsa_mappings = { - "access_point": {to:[{field: "rsa.wireless.access_point", setter: fld_set}]}, - "accesses": {to:[{field: "rsa.identity.accesses", setter: fld_set}]}, - "acl_id": {to:[{field: "rsa.misc.acl_id", setter: fld_set}]}, - "acl_op": {to:[{field: "rsa.misc.acl_op", setter: fld_set}]}, - "acl_pos": {to:[{field: "rsa.misc.acl_pos", setter: fld_set}]}, - "acl_table": {to:[{field: "rsa.misc.acl_table", setter: fld_set}]}, - "action": {to:[{field: "rsa.misc.action", setter: fld_append}]}, - "ad_computer_dst": {to:[{field: "rsa.network.ad_computer_dst", setter: fld_set}]}, - "addr": {to:[{field: "rsa.network.addr", setter: fld_set}]}, - "admin": {to:[{field: "rsa.misc.admin", setter: 
fld_set}]}, - "agent": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 0}]}, - "agent.id": {to:[{field: "rsa.misc.agent_id", setter: fld_set}]}, - "alarm_id": {to:[{field: "rsa.misc.alarm_id", setter: fld_set}]}, - "alarmname": {to:[{field: "rsa.misc.alarmname", setter: fld_set}]}, - "alert": {to:[{field: "rsa.threat.alert", setter: fld_set}]}, - "alert_id": {to:[{field: "rsa.misc.alert_id", setter: fld_set}]}, - "alias.host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "analysis.file": {to:[{field: "rsa.investigations.analysis_file", setter: fld_set}]}, - "analysis.service": {to:[{field: "rsa.investigations.analysis_service", setter: fld_set}]}, - "analysis.session": {to:[{field: "rsa.investigations.analysis_session", setter: fld_set}]}, - "app_id": {to:[{field: "rsa.misc.app_id", setter: fld_set}]}, - "attachment": {to:[{field: "rsa.file.attachment", setter: fld_set}]}, - "audit": {to:[{field: "rsa.misc.audit", setter: fld_set}]}, - "audit_class": {to:[{field: "rsa.internal.audit_class", setter: fld_set}]}, - "audit_object": {to:[{field: "rsa.misc.audit_object", setter: fld_set}]}, - "auditdata": {to:[{field: "rsa.misc.auditdata", setter: fld_set}]}, - "authmethod": {to:[{field: "rsa.identity.auth_method", setter: fld_set}]}, - "autorun_type": {to:[{field: "rsa.misc.autorun_type", setter: fld_set}]}, - "bcc": {to:[{field: "rsa.email.email", setter: fld_append}]}, - "benchmark": {to:[{field: "rsa.misc.benchmark", setter: fld_set}]}, - "binary": {to:[{field: "rsa.file.binary", setter: fld_set}]}, - "boc": {to:[{field: "rsa.investigations.boc", setter: fld_set}]}, - "bssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 1}]}, - "bypass": {to:[{field: "rsa.misc.bypass", setter: fld_set}]}, - "c_sid": {to:[{field: "rsa.identity.user_sid_src", setter: fld_set}]}, - "cache": {to:[{field: "rsa.misc.cache", setter: fld_set}]}, - "cache_hit": {to:[{field: "rsa.misc.cache_hit", setter: fld_set}]}, - "calling_from": {to:[{field: 
"rsa.misc.phone", setter: fld_prio, prio: 1}]}, - "calling_to": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 0}]}, - "category": {to:[{field: "rsa.misc.category", setter: fld_set}]}, - "cc": {to:[{field: "rsa.email.email", setter: fld_append}]}, - "cc.number": {convert: to_long, to:[{field: "rsa.misc.cc_number", setter: fld_set}]}, - "cefversion": {to:[{field: "rsa.misc.cefversion", setter: fld_set}]}, - "cert.serial": {to:[{field: "rsa.crypto.cert_serial", setter: fld_set}]}, - "cert_ca": {to:[{field: "rsa.crypto.cert_ca", setter: fld_set}]}, - "cert_checksum": {to:[{field: "rsa.crypto.cert_checksum", setter: fld_set}]}, - "cert_common": {to:[{field: "rsa.crypto.cert_common", setter: fld_set}]}, - "cert_error": {to:[{field: "rsa.crypto.cert_error", setter: fld_set}]}, - "cert_hostname": {to:[{field: "rsa.crypto.cert_host_name", setter: fld_set}]}, - "cert_hostname_cat": {to:[{field: "rsa.crypto.cert_host_cat", setter: fld_set}]}, - "cert_issuer": {to:[{field: "rsa.crypto.cert_issuer", setter: fld_set}]}, - "cert_keysize": {to:[{field: "rsa.crypto.cert_keysize", setter: fld_set}]}, - "cert_status": {to:[{field: "rsa.crypto.cert_status", setter: fld_set}]}, - "cert_subject": {to:[{field: "rsa.crypto.cert_subject", setter: fld_set}]}, - "cert_username": {to:[{field: "rsa.crypto.cert_username", setter: fld_set}]}, - "cfg.attr": {to:[{field: "rsa.misc.cfg_attr", setter: fld_set}]}, - "cfg.obj": {to:[{field: "rsa.misc.cfg_obj", setter: fld_set}]}, - "cfg.path": {to:[{field: "rsa.misc.cfg_path", setter: fld_set}]}, - "change_attribute": {to:[{field: "rsa.misc.change_attrib", setter: fld_set}]}, - "change_new": {to:[{field: "rsa.misc.change_new", setter: fld_set}]}, - "change_old": {to:[{field: "rsa.misc.change_old", setter: fld_set}]}, - "changes": {to:[{field: "rsa.misc.changes", setter: fld_set}]}, - "checksum": {to:[{field: "rsa.misc.checksum", setter: fld_set}]}, - "checksum.dst": {to:[{field: "rsa.misc.checksum_dst", setter: fld_set}]}, - "checksum.src": 
{to:[{field: "rsa.misc.checksum_src", setter: fld_set}]}, - "cid": {to:[{field: "rsa.internal.cid", setter: fld_set}]}, - "client": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 1}]}, - "client_ip": {to:[{field: "rsa.misc.client_ip", setter: fld_set}]}, - "clustermembers": {to:[{field: "rsa.misc.clustermembers", setter: fld_set}]}, - "cmd": {to:[{field: "rsa.misc.cmd", setter: fld_set}]}, - "cn_acttimeout": {to:[{field: "rsa.misc.cn_acttimeout", setter: fld_set}]}, - "cn_asn_dst": {to:[{field: "rsa.web.cn_asn_dst", setter: fld_set}]}, - "cn_asn_src": {to:[{field: "rsa.misc.cn_asn_src", setter: fld_set}]}, - "cn_bgpv4nxthop": {to:[{field: "rsa.misc.cn_bgpv4nxthop", setter: fld_set}]}, - "cn_ctr_dst_code": {to:[{field: "rsa.misc.cn_ctr_dst_code", setter: fld_set}]}, - "cn_dst_tos": {to:[{field: "rsa.misc.cn_dst_tos", setter: fld_set}]}, - "cn_dst_vlan": {to:[{field: "rsa.misc.cn_dst_vlan", setter: fld_set}]}, - "cn_engine_id": {to:[{field: "rsa.misc.cn_engine_id", setter: fld_set}]}, - "cn_engine_type": {to:[{field: "rsa.misc.cn_engine_type", setter: fld_set}]}, - "cn_f_switch": {to:[{field: "rsa.misc.cn_f_switch", setter: fld_set}]}, - "cn_flowsampid": {to:[{field: "rsa.misc.cn_flowsampid", setter: fld_set}]}, - "cn_flowsampintv": {to:[{field: "rsa.misc.cn_flowsampintv", setter: fld_set}]}, - "cn_flowsampmode": {to:[{field: "rsa.misc.cn_flowsampmode", setter: fld_set}]}, - "cn_inacttimeout": {to:[{field: "rsa.misc.cn_inacttimeout", setter: fld_set}]}, - "cn_inpermbyts": {to:[{field: "rsa.misc.cn_inpermbyts", setter: fld_set}]}, - "cn_inpermpckts": {to:[{field: "rsa.misc.cn_inpermpckts", setter: fld_set}]}, - "cn_invalid": {to:[{field: "rsa.misc.cn_invalid", setter: fld_set}]}, - "cn_ip_proto_ver": {to:[{field: "rsa.misc.cn_ip_proto_ver", setter: fld_set}]}, - "cn_ipv4_ident": {to:[{field: "rsa.misc.cn_ipv4_ident", setter: fld_set}]}, - "cn_l_switch": {to:[{field: "rsa.misc.cn_l_switch", setter: fld_set}]}, - "cn_log_did": {to:[{field: 
"rsa.misc.cn_log_did", setter: fld_set}]}, - "cn_log_rid": {to:[{field: "rsa.misc.cn_log_rid", setter: fld_set}]}, - "cn_max_ttl": {to:[{field: "rsa.misc.cn_max_ttl", setter: fld_set}]}, - "cn_maxpcktlen": {to:[{field: "rsa.misc.cn_maxpcktlen", setter: fld_set}]}, - "cn_min_ttl": {to:[{field: "rsa.misc.cn_min_ttl", setter: fld_set}]}, - "cn_minpcktlen": {to:[{field: "rsa.misc.cn_minpcktlen", setter: fld_set}]}, - "cn_mpls_lbl_1": {to:[{field: "rsa.misc.cn_mpls_lbl_1", setter: fld_set}]}, - "cn_mpls_lbl_10": {to:[{field: "rsa.misc.cn_mpls_lbl_10", setter: fld_set}]}, - "cn_mpls_lbl_2": {to:[{field: "rsa.misc.cn_mpls_lbl_2", setter: fld_set}]}, - "cn_mpls_lbl_3": {to:[{field: "rsa.misc.cn_mpls_lbl_3", setter: fld_set}]}, - "cn_mpls_lbl_4": {to:[{field: "rsa.misc.cn_mpls_lbl_4", setter: fld_set}]}, - "cn_mpls_lbl_5": {to:[{field: "rsa.misc.cn_mpls_lbl_5", setter: fld_set}]}, - "cn_mpls_lbl_6": {to:[{field: "rsa.misc.cn_mpls_lbl_6", setter: fld_set}]}, - "cn_mpls_lbl_7": {to:[{field: "rsa.misc.cn_mpls_lbl_7", setter: fld_set}]}, - "cn_mpls_lbl_8": {to:[{field: "rsa.misc.cn_mpls_lbl_8", setter: fld_set}]}, - "cn_mpls_lbl_9": {to:[{field: "rsa.misc.cn_mpls_lbl_9", setter: fld_set}]}, - "cn_mplstoplabel": {to:[{field: "rsa.misc.cn_mplstoplabel", setter: fld_set}]}, - "cn_mplstoplabip": {to:[{field: "rsa.misc.cn_mplstoplabip", setter: fld_set}]}, - "cn_mul_dst_byt": {to:[{field: "rsa.misc.cn_mul_dst_byt", setter: fld_set}]}, - "cn_mul_dst_pks": {to:[{field: "rsa.misc.cn_mul_dst_pks", setter: fld_set}]}, - "cn_muligmptype": {to:[{field: "rsa.misc.cn_muligmptype", setter: fld_set}]}, - "cn_rpackets": {to:[{field: "rsa.web.cn_rpackets", setter: fld_set}]}, - "cn_sampalgo": {to:[{field: "rsa.misc.cn_sampalgo", setter: fld_set}]}, - "cn_sampint": {to:[{field: "rsa.misc.cn_sampint", setter: fld_set}]}, - "cn_seqctr": {to:[{field: "rsa.misc.cn_seqctr", setter: fld_set}]}, - "cn_spackets": {to:[{field: "rsa.misc.cn_spackets", setter: fld_set}]}, - "cn_src_tos": {to:[{field: 
"rsa.misc.cn_src_tos", setter: fld_set}]}, - "cn_src_vlan": {to:[{field: "rsa.misc.cn_src_vlan", setter: fld_set}]}, - "cn_sysuptime": {to:[{field: "rsa.misc.cn_sysuptime", setter: fld_set}]}, - "cn_template_id": {to:[{field: "rsa.misc.cn_template_id", setter: fld_set}]}, - "cn_totbytsexp": {to:[{field: "rsa.misc.cn_totbytsexp", setter: fld_set}]}, - "cn_totflowexp": {to:[{field: "rsa.misc.cn_totflowexp", setter: fld_set}]}, - "cn_totpcktsexp": {to:[{field: "rsa.misc.cn_totpcktsexp", setter: fld_set}]}, - "cn_unixnanosecs": {to:[{field: "rsa.misc.cn_unixnanosecs", setter: fld_set}]}, - "cn_v6flowlabel": {to:[{field: "rsa.misc.cn_v6flowlabel", setter: fld_set}]}, - "cn_v6optheaders": {to:[{field: "rsa.misc.cn_v6optheaders", setter: fld_set}]}, - "code": {to:[{field: "rsa.misc.code", setter: fld_set}]}, - "command": {to:[{field: "rsa.misc.command", setter: fld_set}]}, - "comments": {to:[{field: "rsa.misc.comments", setter: fld_set}]}, - "comp_class": {to:[{field: "rsa.misc.comp_class", setter: fld_set}]}, - "comp_name": {to:[{field: "rsa.misc.comp_name", setter: fld_set}]}, - "comp_rbytes": {to:[{field: "rsa.misc.comp_rbytes", setter: fld_set}]}, - "comp_sbytes": {to:[{field: "rsa.misc.comp_sbytes", setter: fld_set}]}, - "component_version": {to:[{field: "rsa.misc.comp_version", setter: fld_set}]}, - "connection_id": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 1}]}, - "connectionid": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 0}]}, - "content": {to:[{field: "rsa.misc.content", setter: fld_set}]}, - "content_type": {to:[{field: "rsa.misc.content_type", setter: fld_set}]}, - "content_version": {to:[{field: "rsa.misc.content_version", setter: fld_set}]}, - "context": {to:[{field: "rsa.misc.context", setter: fld_set}]}, - "count": {to:[{field: "rsa.misc.count", setter: fld_set}]}, - "cpu": {convert: to_long, to:[{field: "rsa.misc.cpu", setter: fld_set}]}, - "cpu_data": {to:[{field: "rsa.misc.cpu_data", setter: fld_set}]}, - 
"criticality": {to:[{field: "rsa.misc.criticality", setter: fld_set}]}, - "cs_agency_dst": {to:[{field: "rsa.misc.cs_agency_dst", setter: fld_set}]}, - "cs_analyzedby": {to:[{field: "rsa.misc.cs_analyzedby", setter: fld_set}]}, - "cs_av_other": {to:[{field: "rsa.misc.cs_av_other", setter: fld_set}]}, - "cs_av_primary": {to:[{field: "rsa.misc.cs_av_primary", setter: fld_set}]}, - "cs_av_secondary": {to:[{field: "rsa.misc.cs_av_secondary", setter: fld_set}]}, - "cs_bgpv6nxthop": {to:[{field: "rsa.misc.cs_bgpv6nxthop", setter: fld_set}]}, - "cs_bit9status": {to:[{field: "rsa.misc.cs_bit9status", setter: fld_set}]}, - "cs_context": {to:[{field: "rsa.misc.cs_context", setter: fld_set}]}, - "cs_control": {to:[{field: "rsa.misc.cs_control", setter: fld_set}]}, - "cs_data": {to:[{field: "rsa.misc.cs_data", setter: fld_set}]}, - "cs_datecret": {to:[{field: "rsa.misc.cs_datecret", setter: fld_set}]}, - "cs_dst_tld": {to:[{field: "rsa.misc.cs_dst_tld", setter: fld_set}]}, - "cs_eth_dst_ven": {to:[{field: "rsa.misc.cs_eth_dst_ven", setter: fld_set}]}, - "cs_eth_src_ven": {to:[{field: "rsa.misc.cs_eth_src_ven", setter: fld_set}]}, - "cs_event_uuid": {to:[{field: "rsa.misc.cs_event_uuid", setter: fld_set}]}, - "cs_filetype": {to:[{field: "rsa.misc.cs_filetype", setter: fld_set}]}, - "cs_fld": {to:[{field: "rsa.misc.cs_fld", setter: fld_set}]}, - "cs_if_desc": {to:[{field: "rsa.misc.cs_if_desc", setter: fld_set}]}, - "cs_if_name": {to:[{field: "rsa.misc.cs_if_name", setter: fld_set}]}, - "cs_ip_next_hop": {to:[{field: "rsa.misc.cs_ip_next_hop", setter: fld_set}]}, - "cs_ipv4dstpre": {to:[{field: "rsa.misc.cs_ipv4dstpre", setter: fld_set}]}, - "cs_ipv4srcpre": {to:[{field: "rsa.misc.cs_ipv4srcpre", setter: fld_set}]}, - "cs_lifetime": {to:[{field: "rsa.misc.cs_lifetime", setter: fld_set}]}, - "cs_log_medium": {to:[{field: "rsa.misc.cs_log_medium", setter: fld_set}]}, - "cs_loginname": {to:[{field: "rsa.misc.cs_loginname", setter: fld_set}]}, - "cs_modulescore": {to:[{field: 
"rsa.misc.cs_modulescore", setter: fld_set}]}, - "cs_modulesign": {to:[{field: "rsa.misc.cs_modulesign", setter: fld_set}]}, - "cs_opswatresult": {to:[{field: "rsa.misc.cs_opswatresult", setter: fld_set}]}, - "cs_payload": {to:[{field: "rsa.misc.cs_payload", setter: fld_set}]}, - "cs_registrant": {to:[{field: "rsa.misc.cs_registrant", setter: fld_set}]}, - "cs_registrar": {to:[{field: "rsa.misc.cs_registrar", setter: fld_set}]}, - "cs_represult": {to:[{field: "rsa.misc.cs_represult", setter: fld_set}]}, - "cs_rpayload": {to:[{field: "rsa.misc.cs_rpayload", setter: fld_set}]}, - "cs_sampler_name": {to:[{field: "rsa.misc.cs_sampler_name", setter: fld_set}]}, - "cs_sourcemodule": {to:[{field: "rsa.misc.cs_sourcemodule", setter: fld_set}]}, - "cs_streams": {to:[{field: "rsa.misc.cs_streams", setter: fld_set}]}, - "cs_targetmodule": {to:[{field: "rsa.misc.cs_targetmodule", setter: fld_set}]}, - "cs_v6nxthop": {to:[{field: "rsa.misc.cs_v6nxthop", setter: fld_set}]}, - "cs_whois_server": {to:[{field: "rsa.misc.cs_whois_server", setter: fld_set}]}, - "cs_yararesult": {to:[{field: "rsa.misc.cs_yararesult", setter: fld_set}]}, - "cve": {to:[{field: "rsa.misc.cve", setter: fld_set}]}, - "d_certauth": {to:[{field: "rsa.crypto.d_certauth", setter: fld_set}]}, - "d_cipher": {to:[{field: "rsa.crypto.cipher_dst", setter: fld_set}]}, - "d_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_dst", setter: fld_set}]}, - "d_sslver": {to:[{field: "rsa.crypto.ssl_ver_dst", setter: fld_set}]}, - "data": {to:[{field: "rsa.internal.data", setter: fld_set}]}, - "data_type": {to:[{field: "rsa.misc.data_type", setter: fld_set}]}, - "date": {to:[{field: "rsa.time.date", setter: fld_set}]}, - "datetime": {to:[{field: "rsa.time.datetime", setter: fld_set}]}, - "day": {to:[{field: "rsa.time.day", setter: fld_set}]}, - "db_id": {to:[{field: "rsa.db.db_id", setter: fld_set}]}, - "db_name": {to:[{field: "rsa.db.database", setter: fld_set}]}, - "db_pid": {convert: to_long, to:[{field: 
"rsa.db.db_pid", setter: fld_set}]}, - "dclass_counter1": {convert: to_long, to:[{field: "rsa.counters.dclass_c1", setter: fld_set}]}, - "dclass_counter1_string": {to:[{field: "rsa.counters.dclass_c1_str", setter: fld_set}]}, - "dclass_counter2": {convert: to_long, to:[{field: "rsa.counters.dclass_c2", setter: fld_set}]}, - "dclass_counter2_string": {to:[{field: "rsa.counters.dclass_c2_str", setter: fld_set}]}, - "dclass_counter3": {convert: to_long, to:[{field: "rsa.counters.dclass_c3", setter: fld_set}]}, - "dclass_counter3_string": {to:[{field: "rsa.counters.dclass_c3_str", setter: fld_set}]}, - "dclass_ratio1": {to:[{field: "rsa.counters.dclass_r1", setter: fld_set}]}, - "dclass_ratio1_string": {to:[{field: "rsa.counters.dclass_r1_str", setter: fld_set}]}, - "dclass_ratio2": {to:[{field: "rsa.counters.dclass_r2", setter: fld_set}]}, - "dclass_ratio2_string": {to:[{field: "rsa.counters.dclass_r2_str", setter: fld_set}]}, - "dclass_ratio3": {to:[{field: "rsa.counters.dclass_r3", setter: fld_set}]}, - "dclass_ratio3_string": {to:[{field: "rsa.counters.dclass_r3_str", setter: fld_set}]}, - "dead": {convert: to_long, to:[{field: "rsa.internal.dead", setter: fld_set}]}, - "description": {to:[{field: "rsa.misc.description", setter: fld_set}]}, - "detail": {to:[{field: "rsa.misc.event_desc", setter: fld_set}]}, - "device": {to:[{field: "rsa.misc.device_name", setter: fld_set}]}, - "device.class": {to:[{field: "rsa.internal.device_class", setter: fld_set}]}, - "device.group": {to:[{field: "rsa.internal.device_group", setter: fld_set}]}, - "device.host": {to:[{field: "rsa.internal.device_host", setter: fld_set}]}, - "device.ip": {convert: to_ip, to:[{field: "rsa.internal.device_ip", setter: fld_set}]}, - "device.ipv6": {convert: to_ip, to:[{field: "rsa.internal.device_ipv6", setter: fld_set}]}, - "device.type": {to:[{field: "rsa.internal.device_type", setter: fld_set}]}, - "device.type.id": {convert: to_long, to:[{field: "rsa.internal.device_type_id", setter: fld_set}]}, 
- "devicehostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "devvendor": {to:[{field: "rsa.misc.devvendor", setter: fld_set}]}, - "dhost": {to:[{field: "rsa.network.host_dst", setter: fld_set}]}, - "did": {to:[{field: "rsa.internal.did", setter: fld_set}]}, - "dinterface": {to:[{field: "rsa.network.dinterface", setter: fld_set}]}, - "directory.dst": {to:[{field: "rsa.file.directory_dst", setter: fld_set}]}, - "directory.src": {to:[{field: "rsa.file.directory_src", setter: fld_set}]}, - "disk_volume": {to:[{field: "rsa.storage.disk_volume", setter: fld_set}]}, - "disposition": {to:[{field: "rsa.misc.disposition", setter: fld_set}]}, - "distance": {to:[{field: "rsa.misc.distance", setter: fld_set}]}, - "dmask": {to:[{field: "rsa.network.dmask", setter: fld_set}]}, - "dn": {to:[{field: "rsa.identity.dn", setter: fld_set}]}, - "dns_a_record": {to:[{field: "rsa.network.dns_a_record", setter: fld_set}]}, - "dns_cname_record": {to:[{field: "rsa.network.dns_cname_record", setter: fld_set}]}, - "dns_id": {to:[{field: "rsa.network.dns_id", setter: fld_set}]}, - "dns_opcode": {to:[{field: "rsa.network.dns_opcode", setter: fld_set}]}, - "dns_ptr_record": {to:[{field: "rsa.network.dns_ptr_record", setter: fld_set}]}, - "dns_resp": {to:[{field: "rsa.network.dns_resp", setter: fld_set}]}, - "dns_type": {to:[{field: "rsa.network.dns_type", setter: fld_set}]}, - "doc_number": {convert: to_long, to:[{field: "rsa.misc.doc_number", setter: fld_set}]}, - "domain": {to:[{field: "rsa.network.domain", setter: fld_set}]}, - "domain1": {to:[{field: "rsa.network.domain1", setter: fld_set}]}, - "dst_dn": {to:[{field: "rsa.identity.dn_dst", setter: fld_set}]}, - "dst_payload": {to:[{field: "rsa.misc.payload_dst", setter: fld_set}]}, - "dst_spi": {to:[{field: "rsa.misc.spi_dst", setter: fld_set}]}, - "dst_zone": {to:[{field: "rsa.network.zone_dst", setter: fld_set}]}, - "dstburb": {to:[{field: "rsa.misc.dstburb", setter: fld_set}]}, - "duration": {convert: to_double, 
to:[{field: "rsa.time.duration_time", setter: fld_set}]}, - "duration_string": {to:[{field: "rsa.time.duration_str", setter: fld_set}]}, - "ec_activity": {to:[{field: "rsa.investigations.ec_activity", setter: fld_set}]}, - "ec_outcome": {to:[{field: "rsa.investigations.ec_outcome", setter: fld_set}]}, - "ec_subject": {to:[{field: "rsa.investigations.ec_subject", setter: fld_set}]}, - "ec_theme": {to:[{field: "rsa.investigations.ec_theme", setter: fld_set}]}, - "edomain": {to:[{field: "rsa.misc.edomain", setter: fld_set}]}, - "edomaub": {to:[{field: "rsa.misc.edomaub", setter: fld_set}]}, - "effective_time": {convert: to_date, to:[{field: "rsa.time.effective_time", setter: fld_set}]}, - "ein.number": {convert: to_long, to:[{field: "rsa.misc.ein_number", setter: fld_set}]}, - "email": {to:[{field: "rsa.email.email", setter: fld_append}]}, - "encryption_type": {to:[{field: "rsa.crypto.crypto", setter: fld_set}]}, - "endtime": {convert: to_date, to:[{field: "rsa.time.endtime", setter: fld_set}]}, - "entropy.req": {convert: to_long, to:[{field: "rsa.internal.entropy_req", setter: fld_set}]}, - "entropy.res": {convert: to_long, to:[{field: "rsa.internal.entropy_res", setter: fld_set}]}, - "entry": {to:[{field: "rsa.internal.entry", setter: fld_set}]}, - "eoc": {to:[{field: "rsa.investigations.eoc", setter: fld_set}]}, - "error": {to:[{field: "rsa.misc.error", setter: fld_set}]}, - "eth_type": {convert: to_long, to:[{field: "rsa.network.eth_type", setter: fld_set}]}, - "euid": {to:[{field: "rsa.misc.euid", setter: fld_set}]}, - "event.cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 1}]}, - "event.cat.name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 1}]}, - "event_cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 0}]}, - "event_cat_name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 0}]}, - "event_category": {to:[{field: 
"rsa.misc.event_category", setter: fld_set}]}, - "event_computer": {to:[{field: "rsa.misc.event_computer", setter: fld_set}]}, - "event_counter": {convert: to_long, to:[{field: "rsa.counters.event_counter", setter: fld_set}]}, - "event_description": {to:[{field: "rsa.internal.event_desc", setter: fld_set}]}, - "event_id": {to:[{field: "rsa.misc.event_id", setter: fld_set}]}, - "event_log": {to:[{field: "rsa.misc.event_log", setter: fld_set}]}, - "event_name": {to:[{field: "rsa.internal.event_name", setter: fld_set}]}, - "event_queue_time": {convert: to_date, to:[{field: "rsa.time.event_queue_time", setter: fld_set}]}, - "event_source": {to:[{field: "rsa.misc.event_source", setter: fld_set}]}, - "event_state": {to:[{field: "rsa.misc.event_state", setter: fld_set}]}, - "event_time": {convert: to_date, to:[{field: "rsa.time.event_time", setter: fld_set}]}, - "event_time_str": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 1}]}, - "event_time_string": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 0}]}, - "event_type": {to:[{field: "rsa.misc.event_type", setter: fld_set}]}, - "event_user": {to:[{field: "rsa.misc.event_user", setter: fld_set}]}, - "eventtime": {to:[{field: "rsa.time.eventtime", setter: fld_set}]}, - "expected_val": {to:[{field: "rsa.misc.expected_val", setter: fld_set}]}, - "expiration_time": {convert: to_date, to:[{field: "rsa.time.expire_time", setter: fld_set}]}, - "expiration_time_string": {to:[{field: "rsa.time.expire_time_str", setter: fld_set}]}, - "facility": {to:[{field: "rsa.misc.facility", setter: fld_set}]}, - "facilityname": {to:[{field: "rsa.misc.facilityname", setter: fld_set}]}, - "faddr": {to:[{field: "rsa.network.faddr", setter: fld_set}]}, - "fcatnum": {to:[{field: "rsa.misc.fcatnum", setter: fld_set}]}, - "federated_idp": {to:[{field: "rsa.identity.federated_idp", setter: fld_set}]}, - "federated_sp": {to:[{field: "rsa.identity.federated_sp", setter: fld_set}]}, - "feed.category": {to:[{field: 
"rsa.internal.feed_category", setter: fld_set}]}, - "feed_desc": {to:[{field: "rsa.internal.feed_desc", setter: fld_set}]}, - "feed_name": {to:[{field: "rsa.internal.feed_name", setter: fld_set}]}, - "fhost": {to:[{field: "rsa.network.fhost", setter: fld_set}]}, - "file_entropy": {convert: to_double, to:[{field: "rsa.file.file_entropy", setter: fld_set}]}, - "file_vendor": {to:[{field: "rsa.file.file_vendor", setter: fld_set}]}, - "filename_dst": {to:[{field: "rsa.file.filename_dst", setter: fld_set}]}, - "filename_src": {to:[{field: "rsa.file.filename_src", setter: fld_set}]}, - "filename_tmp": {to:[{field: "rsa.file.filename_tmp", setter: fld_set}]}, - "filesystem": {to:[{field: "rsa.file.filesystem", setter: fld_set}]}, - "filter": {to:[{field: "rsa.misc.filter", setter: fld_set}]}, - "finterface": {to:[{field: "rsa.misc.finterface", setter: fld_set}]}, - "flags": {to:[{field: "rsa.misc.flags", setter: fld_set}]}, - "forensic_info": {to:[{field: "rsa.misc.forensic_info", setter: fld_set}]}, - "forward.ip": {convert: to_ip, to:[{field: "rsa.internal.forward_ip", setter: fld_set}]}, - "forward.ipv6": {convert: to_ip, to:[{field: "rsa.internal.forward_ipv6", setter: fld_set}]}, - "found": {to:[{field: "rsa.misc.found", setter: fld_set}]}, - "fport": {to:[{field: "rsa.network.fport", setter: fld_set}]}, - "fqdn": {to:[{field: "rsa.web.fqdn", setter: fld_set}]}, - "fresult": {convert: to_long, to:[{field: "rsa.misc.fresult", setter: fld_set}]}, - "from": {to:[{field: "rsa.email.email_src", setter: fld_set}]}, - "gaddr": {to:[{field: "rsa.misc.gaddr", setter: fld_set}]}, - "gateway": {to:[{field: "rsa.network.gateway", setter: fld_set}]}, - "gmtdate": {to:[{field: "rsa.time.gmtdate", setter: fld_set}]}, - "gmttime": {to:[{field: "rsa.time.gmttime", setter: fld_set}]}, - "group": {to:[{field: "rsa.misc.group", setter: fld_set}]}, - "group_object": {to:[{field: "rsa.misc.group_object", setter: fld_set}]}, - "groupid": {to:[{field: "rsa.misc.group_id", setter: 
fld_set}]}, - "h_code": {to:[{field: "rsa.internal.hcode", setter: fld_set}]}, - "hardware_id": {to:[{field: "rsa.misc.hardware_id", setter: fld_set}]}, - "header.id": {to:[{field: "rsa.internal.header_id", setter: fld_set}]}, - "host.orig": {to:[{field: "rsa.network.host_orig", setter: fld_set}]}, - "host.state": {to:[{field: "rsa.endpoint.host_state", setter: fld_set}]}, - "host.type": {to:[{field: "rsa.network.host_type", setter: fld_set}]}, - "host_role": {to:[{field: "rsa.identity.host_role", setter: fld_set}]}, - "hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "hostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "hour": {to:[{field: "rsa.time.hour", setter: fld_set}]}, - "https.insact": {to:[{field: "rsa.crypto.https_insact", setter: fld_set}]}, - "https.valid": {to:[{field: "rsa.crypto.https_valid", setter: fld_set}]}, - "icmpcode": {convert: to_long, to:[{field: "rsa.network.icmp_code", setter: fld_set}]}, - "icmptype": {convert: to_long, to:[{field: "rsa.network.icmp_type", setter: fld_set}]}, - "id": {to:[{field: "rsa.misc.reference_id", setter: fld_set}]}, - "id1": {to:[{field: "rsa.misc.reference_id1", setter: fld_set}]}, - "id2": {to:[{field: "rsa.misc.reference_id2", setter: fld_set}]}, - "id3": {to:[{field: "rsa.misc.id3", setter: fld_set}]}, - "ike": {to:[{field: "rsa.crypto.ike", setter: fld_set}]}, - "ike_cookie1": {to:[{field: "rsa.crypto.ike_cookie1", setter: fld_set}]}, - "ike_cookie2": {to:[{field: "rsa.crypto.ike_cookie2", setter: fld_set}]}, - "im_buddyid": {to:[{field: "rsa.misc.im_buddyid", setter: fld_set}]}, - "im_buddyname": {to:[{field: "rsa.misc.im_buddyname", setter: fld_set}]}, - "im_client": {to:[{field: "rsa.misc.im_client", setter: fld_set}]}, - "im_croomid": {to:[{field: "rsa.misc.im_croomid", setter: fld_set}]}, - "im_croomtype": {to:[{field: "rsa.misc.im_croomtype", setter: fld_set}]}, - "im_members": {to:[{field: "rsa.misc.im_members", setter: fld_set}]}, - "im_userid": 
{to:[{field: "rsa.misc.im_userid", setter: fld_set}]}, - "im_username": {to:[{field: "rsa.misc.im_username", setter: fld_set}]}, - "index": {to:[{field: "rsa.misc.index", setter: fld_set}]}, - "info": {to:[{field: "rsa.db.index", setter: fld_set}]}, - "inode": {convert: to_long, to:[{field: "rsa.internal.inode", setter: fld_set}]}, - "inout": {to:[{field: "rsa.misc.inout", setter: fld_set}]}, - "instance": {to:[{field: "rsa.db.instance", setter: fld_set}]}, - "interface": {to:[{field: "rsa.network.interface", setter: fld_set}]}, - "inv.category": {to:[{field: "rsa.investigations.inv_category", setter: fld_set}]}, - "inv.context": {to:[{field: "rsa.investigations.inv_context", setter: fld_set}]}, - "ioc": {to:[{field: "rsa.investigations.ioc", setter: fld_set}]}, - "ip_proto": {convert: to_long, to:[{field: "rsa.network.ip_proto", setter: fld_set}]}, - "ipkt": {to:[{field: "rsa.misc.ipkt", setter: fld_set}]}, - "ipscat": {to:[{field: "rsa.misc.ipscat", setter: fld_set}]}, - "ipspri": {to:[{field: "rsa.misc.ipspri", setter: fld_set}]}, - "jobname": {to:[{field: "rsa.misc.jobname", setter: fld_set}]}, - "jobnum": {to:[{field: "rsa.misc.job_num", setter: fld_set}]}, - "laddr": {to:[{field: "rsa.network.laddr", setter: fld_set}]}, - "language": {to:[{field: "rsa.misc.language", setter: fld_set}]}, - "latitude": {to:[{field: "rsa.misc.latitude", setter: fld_set}]}, - "lc.cid": {to:[{field: "rsa.internal.lc_cid", setter: fld_set}]}, - "lc.ctime": {convert: to_date, to:[{field: "rsa.internal.lc_ctime", setter: fld_set}]}, - "ldap": {to:[{field: "rsa.identity.ldap", setter: fld_set}]}, - "ldap.query": {to:[{field: "rsa.identity.ldap_query", setter: fld_set}]}, - "ldap.response": {to:[{field: "rsa.identity.ldap_response", setter: fld_set}]}, - "level": {convert: to_long, to:[{field: "rsa.internal.level", setter: fld_set}]}, - "lhost": {to:[{field: "rsa.network.lhost", setter: fld_set}]}, - "library": {to:[{field: "rsa.misc.library", setter: fld_set}]}, - "lifetime": 
{convert: to_long, to:[{field: "rsa.misc.lifetime", setter: fld_set}]}, - "linenum": {to:[{field: "rsa.misc.linenum", setter: fld_set}]}, - "link": {to:[{field: "rsa.misc.link", setter: fld_set}]}, - "linterface": {to:[{field: "rsa.network.linterface", setter: fld_set}]}, - "list_name": {to:[{field: "rsa.misc.list_name", setter: fld_set}]}, - "listnum": {to:[{field: "rsa.misc.listnum", setter: fld_set}]}, - "load_data": {to:[{field: "rsa.misc.load_data", setter: fld_set}]}, - "location_floor": {to:[{field: "rsa.misc.location_floor", setter: fld_set}]}, - "location_mark": {to:[{field: "rsa.misc.location_mark", setter: fld_set}]}, - "log_id": {to:[{field: "rsa.misc.log_id", setter: fld_set}]}, - "log_type": {to:[{field: "rsa.misc.log_type", setter: fld_set}]}, - "logid": {to:[{field: "rsa.misc.logid", setter: fld_set}]}, - "logip": {to:[{field: "rsa.misc.logip", setter: fld_set}]}, - "logname": {to:[{field: "rsa.misc.logname", setter: fld_set}]}, - "logon_type": {to:[{field: "rsa.identity.logon_type", setter: fld_set}]}, - "logon_type_desc": {to:[{field: "rsa.identity.logon_type_desc", setter: fld_set}]}, - "longitude": {to:[{field: "rsa.misc.longitude", setter: fld_set}]}, - "lport": {to:[{field: "rsa.misc.lport", setter: fld_set}]}, - "lread": {convert: to_long, to:[{field: "rsa.db.lread", setter: fld_set}]}, - "lun": {to:[{field: "rsa.storage.lun", setter: fld_set}]}, - "lwrite": {convert: to_long, to:[{field: "rsa.db.lwrite", setter: fld_set}]}, - "macaddr": {convert: to_mac, to:[{field: "rsa.network.eth_host", setter: fld_set}]}, - "mail_id": {to:[{field: "rsa.misc.mail_id", setter: fld_set}]}, - "mask": {to:[{field: "rsa.network.mask", setter: fld_set}]}, - "match": {to:[{field: "rsa.misc.match", setter: fld_set}]}, - "mbug_data": {to:[{field: "rsa.misc.mbug_data", setter: fld_set}]}, - "mcb.req": {convert: to_long, to:[{field: "rsa.internal.mcb_req", setter: fld_set}]}, - "mcb.res": {convert: to_long, to:[{field: "rsa.internal.mcb_res", setter: fld_set}]}, - 
"mcbc.req": {convert: to_long, to:[{field: "rsa.internal.mcbc_req", setter: fld_set}]}, - "mcbc.res": {convert: to_long, to:[{field: "rsa.internal.mcbc_res", setter: fld_set}]}, - "medium": {convert: to_long, to:[{field: "rsa.internal.medium", setter: fld_set}]}, - "message": {to:[{field: "rsa.internal.message", setter: fld_set}]}, - "message_body": {to:[{field: "rsa.misc.message_body", setter: fld_set}]}, - "messageid": {to:[{field: "rsa.internal.messageid", setter: fld_set}]}, - "min": {to:[{field: "rsa.time.min", setter: fld_set}]}, - "misc": {to:[{field: "rsa.misc.misc", setter: fld_set}]}, - "misc_name": {to:[{field: "rsa.misc.misc_name", setter: fld_set}]}, - "mode": {to:[{field: "rsa.misc.mode", setter: fld_set}]}, - "month": {to:[{field: "rsa.time.month", setter: fld_set}]}, - "msg": {to:[{field: "rsa.internal.msg", setter: fld_set}]}, - "msgIdPart1": {to:[{field: "rsa.misc.msgIdPart1", setter: fld_set}]}, - "msgIdPart2": {to:[{field: "rsa.misc.msgIdPart2", setter: fld_set}]}, - "msgIdPart3": {to:[{field: "rsa.misc.msgIdPart3", setter: fld_set}]}, - "msgIdPart4": {to:[{field: "rsa.misc.msgIdPart4", setter: fld_set}]}, - "msg_id": {to:[{field: "rsa.internal.msg_id", setter: fld_set}]}, - "msg_type": {to:[{field: "rsa.misc.msg_type", setter: fld_set}]}, - "msgid": {to:[{field: "rsa.misc.msgid", setter: fld_set}]}, - "name": {to:[{field: "rsa.misc.name", setter: fld_set}]}, - "netname": {to:[{field: "rsa.network.netname", setter: fld_set}]}, - "netsessid": {to:[{field: "rsa.misc.netsessid", setter: fld_set}]}, - "network_port": {convert: to_long, to:[{field: "rsa.network.network_port", setter: fld_set}]}, - "network_service": {to:[{field: "rsa.network.network_service", setter: fld_set}]}, - "node": {to:[{field: "rsa.misc.node", setter: fld_set}]}, - "nodename": {to:[{field: "rsa.internal.node_name", setter: fld_set}]}, - "ntype": {to:[{field: "rsa.misc.ntype", setter: fld_set}]}, - "num": {to:[{field: "rsa.misc.num", setter: fld_set}]}, - "number": 
{to:[{field: "rsa.misc.number", setter: fld_set}]}, - "number1": {to:[{field: "rsa.misc.number1", setter: fld_set}]}, - "number2": {to:[{field: "rsa.misc.number2", setter: fld_set}]}, - "nwe.callback_id": {to:[{field: "rsa.internal.nwe_callback_id", setter: fld_set}]}, - "nwwn": {to:[{field: "rsa.misc.nwwn", setter: fld_set}]}, - "obj_id": {to:[{field: "rsa.internal.obj_id", setter: fld_set}]}, - "obj_name": {to:[{field: "rsa.misc.obj_name", setter: fld_set}]}, - "obj_server": {to:[{field: "rsa.internal.obj_server", setter: fld_set}]}, - "obj_type": {to:[{field: "rsa.misc.obj_type", setter: fld_set}]}, - "obj_value": {to:[{field: "rsa.internal.obj_val", setter: fld_set}]}, - "object": {to:[{field: "rsa.misc.object", setter: fld_set}]}, - "observed_val": {to:[{field: "rsa.misc.observed_val", setter: fld_set}]}, - "operation": {to:[{field: "rsa.misc.operation", setter: fld_set}]}, - "operation_id": {to:[{field: "rsa.misc.operation_id", setter: fld_set}]}, - "opkt": {to:[{field: "rsa.misc.opkt", setter: fld_set}]}, - "org.dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 1}]}, - "org.src": {to:[{field: "rsa.physical.org_src", setter: fld_set}]}, - "org_dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 0}]}, - "orig_from": {to:[{field: "rsa.misc.orig_from", setter: fld_set}]}, - "origin": {to:[{field: "rsa.network.origin", setter: fld_set}]}, - "original_owner": {to:[{field: "rsa.identity.owner", setter: fld_set}]}, - "os": {to:[{field: "rsa.misc.OS", setter: fld_set}]}, - "owner_id": {to:[{field: "rsa.misc.owner_id", setter: fld_set}]}, - "p_action": {to:[{field: "rsa.misc.p_action", setter: fld_set}]}, - "p_date": {to:[{field: "rsa.time.p_date", setter: fld_set}]}, - "p_filter": {to:[{field: "rsa.misc.p_filter", setter: fld_set}]}, - "p_group_object": {to:[{field: "rsa.misc.p_group_object", setter: fld_set}]}, - "p_id": {to:[{field: "rsa.misc.p_id", setter: fld_set}]}, - "p_month": {to:[{field: "rsa.time.p_month", setter: fld_set}]}, 
- "p_msgid": {to:[{field: "rsa.misc.p_msgid", setter: fld_set}]}, - "p_msgid1": {to:[{field: "rsa.misc.p_msgid1", setter: fld_set}]}, - "p_msgid2": {to:[{field: "rsa.misc.p_msgid2", setter: fld_set}]}, - "p_result1": {to:[{field: "rsa.misc.p_result1", setter: fld_set}]}, - "p_time": {to:[{field: "rsa.time.p_time", setter: fld_set}]}, - "p_time1": {to:[{field: "rsa.time.p_time1", setter: fld_set}]}, - "p_time2": {to:[{field: "rsa.time.p_time2", setter: fld_set}]}, - "p_url": {to:[{field: "rsa.web.p_url", setter: fld_set}]}, - "p_user_agent": {to:[{field: "rsa.web.p_user_agent", setter: fld_set}]}, - "p_web_cookie": {to:[{field: "rsa.web.p_web_cookie", setter: fld_set}]}, - "p_web_method": {to:[{field: "rsa.web.p_web_method", setter: fld_set}]}, - "p_web_referer": {to:[{field: "rsa.web.p_web_referer", setter: fld_set}]}, - "p_year": {to:[{field: "rsa.time.p_year", setter: fld_set}]}, - "packet_length": {to:[{field: "rsa.network.packet_length", setter: fld_set}]}, - "paddr": {convert: to_ip, to:[{field: "rsa.network.paddr", setter: fld_set}]}, - "param": {to:[{field: "rsa.misc.param", setter: fld_set}]}, - "param.dst": {to:[{field: "rsa.misc.param_dst", setter: fld_set}]}, - "param.src": {to:[{field: "rsa.misc.param_src", setter: fld_set}]}, - "parent_node": {to:[{field: "rsa.misc.parent_node", setter: fld_set}]}, - "parse.error": {to:[{field: "rsa.internal.parse_error", setter: fld_set}]}, - "password": {to:[{field: "rsa.identity.password", setter: fld_set}]}, - "password_chg": {to:[{field: "rsa.misc.password_chg", setter: fld_set}]}, - "password_expire": {to:[{field: "rsa.misc.password_expire", setter: fld_set}]}, - "patient_fname": {to:[{field: "rsa.healthcare.patient_fname", setter: fld_set}]}, - "patient_id": {to:[{field: "rsa.healthcare.patient_id", setter: fld_set}]}, - "patient_lname": {to:[{field: "rsa.healthcare.patient_lname", setter: fld_set}]}, - "patient_mname": {to:[{field: "rsa.healthcare.patient_mname", setter: fld_set}]}, - "payload.req": {convert: 
to_long, to:[{field: "rsa.internal.payload_req", setter: fld_set}]}, - "payload.res": {convert: to_long, to:[{field: "rsa.internal.payload_res", setter: fld_set}]}, - "peer": {to:[{field: "rsa.crypto.peer", setter: fld_set}]}, - "peer_id": {to:[{field: "rsa.crypto.peer_id", setter: fld_set}]}, - "permgranted": {to:[{field: "rsa.misc.permgranted", setter: fld_set}]}, - "permissions": {to:[{field: "rsa.db.permissions", setter: fld_set}]}, - "permwanted": {to:[{field: "rsa.misc.permwanted", setter: fld_set}]}, - "pgid": {to:[{field: "rsa.misc.pgid", setter: fld_set}]}, - "phone_number": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 2}]}, - "phost": {to:[{field: "rsa.network.phost", setter: fld_set}]}, - "pid": {to:[{field: "rsa.misc.pid", setter: fld_set}]}, - "policy": {to:[{field: "rsa.misc.policy", setter: fld_set}]}, - "policyUUID": {to:[{field: "rsa.misc.policyUUID", setter: fld_set}]}, - "policy_id": {to:[{field: "rsa.misc.policy_id", setter: fld_set}]}, - "policy_value": {to:[{field: "rsa.misc.policy_value", setter: fld_set}]}, - "policy_waiver": {to:[{field: "rsa.misc.policy_waiver", setter: fld_set}]}, - "policyname": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 0}]}, - "pool_id": {to:[{field: "rsa.misc.pool_id", setter: fld_set}]}, - "pool_name": {to:[{field: "rsa.misc.pool_name", setter: fld_set}]}, - "port": {convert: to_long, to:[{field: "rsa.network.port", setter: fld_set}]}, - "portname": {to:[{field: "rsa.misc.port_name", setter: fld_set}]}, - "pread": {convert: to_long, to:[{field: "rsa.db.pread", setter: fld_set}]}, - "priority": {to:[{field: "rsa.misc.priority", setter: fld_set}]}, - "privilege": {to:[{field: "rsa.file.privilege", setter: fld_set}]}, - "process.vid.dst": {to:[{field: "rsa.internal.process_vid_dst", setter: fld_set}]}, - "process.vid.src": {to:[{field: "rsa.internal.process_vid_src", setter: fld_set}]}, - "process_id_val": {to:[{field: "rsa.misc.process_id_val", setter: fld_set}]}, - "processing_time": 
{to:[{field: "rsa.time.process_time", setter: fld_set}]}, - "profile": {to:[{field: "rsa.identity.profile", setter: fld_set}]}, - "prog_asp_num": {to:[{field: "rsa.misc.prog_asp_num", setter: fld_set}]}, - "program": {to:[{field: "rsa.misc.program", setter: fld_set}]}, - "protocol_detail": {to:[{field: "rsa.network.protocol_detail", setter: fld_set}]}, - "pwwn": {to:[{field: "rsa.storage.pwwn", setter: fld_set}]}, - "r_hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "real_data": {to:[{field: "rsa.misc.real_data", setter: fld_set}]}, - "realm": {to:[{field: "rsa.identity.realm", setter: fld_set}]}, - "reason": {to:[{field: "rsa.misc.reason", setter: fld_set}]}, - "rec_asp_device": {to:[{field: "rsa.misc.rec_asp_device", setter: fld_set}]}, - "rec_asp_num": {to:[{field: "rsa.misc.rec_asp_num", setter: fld_set}]}, - "rec_library": {to:[{field: "rsa.misc.rec_library", setter: fld_set}]}, - "recorded_time": {convert: to_date, to:[{field: "rsa.time.recorded_time", setter: fld_set}]}, - "recordnum": {to:[{field: "rsa.misc.recordnum", setter: fld_set}]}, - "registry.key": {to:[{field: "rsa.endpoint.registry_key", setter: fld_set}]}, - "registry.value": {to:[{field: "rsa.endpoint.registry_value", setter: fld_set}]}, - "remote_domain": {to:[{field: "rsa.web.remote_domain", setter: fld_set}]}, - "remote_domain_id": {to:[{field: "rsa.network.remote_domain_id", setter: fld_set}]}, - "reputation_num": {convert: to_double, to:[{field: "rsa.web.reputation_num", setter: fld_set}]}, - "resource": {to:[{field: "rsa.internal.resource", setter: fld_set}]}, - "resource_class": {to:[{field: "rsa.internal.resource_class", setter: fld_set}]}, - "result": {to:[{field: "rsa.misc.result", setter: fld_set}]}, - "result_code": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 1}]}, - "resultcode": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 0}]}, - "rid": {convert: to_long, to:[{field: "rsa.internal.rid", setter: fld_set}]}, - "risk": 
{to:[{field: "rsa.misc.risk", setter: fld_set}]}, - "risk_info": {to:[{field: "rsa.misc.risk_info", setter: fld_set}]}, - "risk_num": {convert: to_double, to:[{field: "rsa.misc.risk_num", setter: fld_set}]}, - "risk_num_comm": {convert: to_double, to:[{field: "rsa.misc.risk_num_comm", setter: fld_set}]}, - "risk_num_next": {convert: to_double, to:[{field: "rsa.misc.risk_num_next", setter: fld_set}]}, - "risk_num_sand": {convert: to_double, to:[{field: "rsa.misc.risk_num_sand", setter: fld_set}]}, - "risk_num_static": {convert: to_double, to:[{field: "rsa.misc.risk_num_static", setter: fld_set}]}, - "risk_suspicious": {to:[{field: "rsa.misc.risk_suspicious", setter: fld_set}]}, - "risk_warning": {to:[{field: "rsa.misc.risk_warning", setter: fld_set}]}, - "rpayload": {to:[{field: "rsa.network.rpayload", setter: fld_set}]}, - "ruid": {to:[{field: "rsa.misc.ruid", setter: fld_set}]}, - "rule": {to:[{field: "rsa.misc.rule", setter: fld_set}]}, - "rule_group": {to:[{field: "rsa.misc.rule_group", setter: fld_set}]}, - "rule_template": {to:[{field: "rsa.misc.rule_template", setter: fld_set}]}, - "rule_uid": {to:[{field: "rsa.misc.rule_uid", setter: fld_set}]}, - "rulename": {to:[{field: "rsa.misc.rule_name", setter: fld_set}]}, - "s_certauth": {to:[{field: "rsa.crypto.s_certauth", setter: fld_set}]}, - "s_cipher": {to:[{field: "rsa.crypto.cipher_src", setter: fld_set}]}, - "s_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_src", setter: fld_set}]}, - "s_context": {to:[{field: "rsa.misc.context_subject", setter: fld_set}]}, - "s_sslver": {to:[{field: "rsa.crypto.ssl_ver_src", setter: fld_set}]}, - "sburb": {to:[{field: "rsa.misc.sburb", setter: fld_set}]}, - "scheme": {to:[{field: "rsa.crypto.scheme", setter: fld_set}]}, - "sdomain_fld": {to:[{field: "rsa.misc.sdomain_fld", setter: fld_set}]}, - "search.text": {to:[{field: "rsa.misc.search_text", setter: fld_set}]}, - "sec": {to:[{field: "rsa.misc.sec", setter: fld_set}]}, - "second": {to:[{field: 
"rsa.misc.second", setter: fld_set}]}, - "sensor": {to:[{field: "rsa.misc.sensor", setter: fld_set}]}, - "sensorname": {to:[{field: "rsa.misc.sensorname", setter: fld_set}]}, - "seqnum": {to:[{field: "rsa.misc.seqnum", setter: fld_set}]}, - "serial_number": {to:[{field: "rsa.misc.serial_number", setter: fld_set}]}, - "service.account": {to:[{field: "rsa.identity.service_account", setter: fld_set}]}, - "session": {to:[{field: "rsa.misc.session", setter: fld_set}]}, - "session.split": {to:[{field: "rsa.internal.session_split", setter: fld_set}]}, - "sessionid": {to:[{field: "rsa.misc.log_session_id", setter: fld_set}]}, - "sessionid1": {to:[{field: "rsa.misc.log_session_id1", setter: fld_set}]}, - "sessiontype": {to:[{field: "rsa.misc.sessiontype", setter: fld_set}]}, - "severity": {to:[{field: "rsa.misc.severity", setter: fld_set}]}, - "sid": {to:[{field: "rsa.identity.user_sid_dst", setter: fld_set}]}, - "sig.name": {to:[{field: "rsa.misc.sig_name", setter: fld_set}]}, - "sigUUID": {to:[{field: "rsa.misc.sigUUID", setter: fld_set}]}, - "sigcat": {to:[{field: "rsa.misc.sigcat", setter: fld_set}]}, - "sigid": {convert: to_long, to:[{field: "rsa.misc.sig_id", setter: fld_set}]}, - "sigid1": {convert: to_long, to:[{field: "rsa.misc.sig_id1", setter: fld_set}]}, - "sigid_string": {to:[{field: "rsa.misc.sig_id_str", setter: fld_set}]}, - "signame": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 1}]}, - "sigtype": {to:[{field: "rsa.crypto.sig_type", setter: fld_set}]}, - "sinterface": {to:[{field: "rsa.network.sinterface", setter: fld_set}]}, - "site": {to:[{field: "rsa.internal.site", setter: fld_set}]}, - "size": {convert: to_long, to:[{field: "rsa.internal.size", setter: fld_set}]}, - "smask": {to:[{field: "rsa.network.smask", setter: fld_set}]}, - "snmp.oid": {to:[{field: "rsa.misc.snmp_oid", setter: fld_set}]}, - "snmp.value": {to:[{field: "rsa.misc.snmp_value", setter: fld_set}]}, - "sourcefile": {to:[{field: "rsa.internal.sourcefile", setter: 
fld_set}]}, - "space": {to:[{field: "rsa.misc.space", setter: fld_set}]}, - "space1": {to:[{field: "rsa.misc.space1", setter: fld_set}]}, - "spi": {to:[{field: "rsa.misc.spi", setter: fld_set}]}, - "sql": {to:[{field: "rsa.misc.sql", setter: fld_set}]}, - "src_dn": {to:[{field: "rsa.identity.dn_src", setter: fld_set}]}, - "src_payload": {to:[{field: "rsa.misc.payload_src", setter: fld_set}]}, - "src_spi": {to:[{field: "rsa.misc.spi_src", setter: fld_set}]}, - "src_zone": {to:[{field: "rsa.network.zone_src", setter: fld_set}]}, - "srcburb": {to:[{field: "rsa.misc.srcburb", setter: fld_set}]}, - "srcdom": {to:[{field: "rsa.misc.srcdom", setter: fld_set}]}, - "srcservice": {to:[{field: "rsa.misc.srcservice", setter: fld_set}]}, - "ssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 0}]}, - "stamp": {convert: to_date, to:[{field: "rsa.time.stamp", setter: fld_set}]}, - "starttime": {convert: to_date, to:[{field: "rsa.time.starttime", setter: fld_set}]}, - "state": {to:[{field: "rsa.misc.state", setter: fld_set}]}, - "statement": {to:[{field: "rsa.internal.statement", setter: fld_set}]}, - "status": {to:[{field: "rsa.misc.status", setter: fld_set}]}, - "status1": {to:[{field: "rsa.misc.status1", setter: fld_set}]}, - "streams": {convert: to_long, to:[{field: "rsa.misc.streams", setter: fld_set}]}, - "subcategory": {to:[{field: "rsa.misc.subcategory", setter: fld_set}]}, - "subject": {to:[{field: "rsa.email.subject", setter: fld_set}]}, - "svcno": {to:[{field: "rsa.misc.svcno", setter: fld_set}]}, - "system": {to:[{field: "rsa.misc.system", setter: fld_set}]}, - "t_context": {to:[{field: "rsa.misc.context_target", setter: fld_set}]}, - "task_name": {to:[{field: "rsa.file.task_name", setter: fld_set}]}, - "tbdstr1": {to:[{field: "rsa.misc.tbdstr1", setter: fld_set}]}, - "tbdstr2": {to:[{field: "rsa.misc.tbdstr2", setter: fld_set}]}, - "tbl_name": {to:[{field: "rsa.db.table_name", setter: fld_set}]}, - "tcp_flags": {convert: to_long, to:[{field: 
"rsa.misc.tcp_flags", setter: fld_set}]}, - "terminal": {to:[{field: "rsa.misc.terminal", setter: fld_set}]}, - "tgtdom": {to:[{field: "rsa.misc.tgtdom", setter: fld_set}]}, - "tgtdomain": {to:[{field: "rsa.misc.tgtdomain", setter: fld_set}]}, - "threat_name": {to:[{field: "rsa.threat.threat_category", setter: fld_set}]}, - "threat_source": {to:[{field: "rsa.threat.threat_source", setter: fld_set}]}, - "threat_val": {to:[{field: "rsa.threat.threat_desc", setter: fld_set}]}, - "threshold": {to:[{field: "rsa.misc.threshold", setter: fld_set}]}, - "time": {convert: to_date, to:[{field: "rsa.internal.time", setter: fld_set}]}, - "timestamp": {to:[{field: "rsa.time.timestamp", setter: fld_set}]}, - "timezone": {to:[{field: "rsa.time.timezone", setter: fld_set}]}, - "to": {to:[{field: "rsa.email.email_dst", setter: fld_set}]}, - "tos": {convert: to_long, to:[{field: "rsa.misc.tos", setter: fld_set}]}, - "trans_from": {to:[{field: "rsa.email.trans_from", setter: fld_set}]}, - "trans_id": {to:[{field: "rsa.db.transact_id", setter: fld_set}]}, - "trans_to": {to:[{field: "rsa.email.trans_to", setter: fld_set}]}, - "trigger_desc": {to:[{field: "rsa.misc.trigger_desc", setter: fld_set}]}, - "trigger_val": {to:[{field: "rsa.misc.trigger_val", setter: fld_set}]}, - "type": {to:[{field: "rsa.misc.type", setter: fld_set}]}, - "type1": {to:[{field: "rsa.misc.type1", setter: fld_set}]}, - "tzone": {to:[{field: "rsa.time.tzone", setter: fld_set}]}, - "ubc.req": {convert: to_long, to:[{field: "rsa.internal.ubc_req", setter: fld_set}]}, - "ubc.res": {convert: to_long, to:[{field: "rsa.internal.ubc_res", setter: fld_set}]}, - "udb_class": {to:[{field: "rsa.misc.udb_class", setter: fld_set}]}, - "url_fld": {to:[{field: "rsa.misc.url_fld", setter: fld_set}]}, - "urlpage": {to:[{field: "rsa.web.urlpage", setter: fld_set}]}, - "urlroot": {to:[{field: "rsa.web.urlroot", setter: fld_set}]}, - "user_address": {to:[{field: "rsa.email.email", setter: fld_append}]}, - "user_dept": {to:[{field: 
"rsa.identity.user_dept", setter: fld_set}]}, - "user_div": {to:[{field: "rsa.misc.user_div", setter: fld_set}]}, - "user_fname": {to:[{field: "rsa.identity.firstname", setter: fld_set}]}, - "user_lname": {to:[{field: "rsa.identity.lastname", setter: fld_set}]}, - "user_mname": {to:[{field: "rsa.identity.middlename", setter: fld_set}]}, - "user_org": {to:[{field: "rsa.identity.org", setter: fld_set}]}, - "user_role": {to:[{field: "rsa.identity.user_role", setter: fld_set}]}, - "userid": {to:[{field: "rsa.misc.userid", setter: fld_set}]}, - "username_fld": {to:[{field: "rsa.misc.username_fld", setter: fld_set}]}, - "utcstamp": {to:[{field: "rsa.misc.utcstamp", setter: fld_set}]}, - "v_instafname": {to:[{field: "rsa.misc.v_instafname", setter: fld_set}]}, - "vendor_event_cat": {to:[{field: "rsa.investigations.event_vcat", setter: fld_set}]}, - "version": {to:[{field: "rsa.misc.version", setter: fld_set}]}, - "vid": {to:[{field: "rsa.internal.msg_vid", setter: fld_set}]}, - "virt_data": {to:[{field: "rsa.misc.virt_data", setter: fld_set}]}, - "virusname": {to:[{field: "rsa.misc.virusname", setter: fld_set}]}, - "vlan": {convert: to_long, to:[{field: "rsa.network.vlan", setter: fld_set}]}, - "vlan.name": {to:[{field: "rsa.network.vlan_name", setter: fld_set}]}, - "vm_target": {to:[{field: "rsa.misc.vm_target", setter: fld_set}]}, - "vpnid": {to:[{field: "rsa.misc.vpnid", setter: fld_set}]}, - "vsys": {to:[{field: "rsa.misc.vsys", setter: fld_set}]}, - "vuln_ref": {to:[{field: "rsa.misc.vuln_ref", setter: fld_set}]}, - "web_cookie": {to:[{field: "rsa.web.web_cookie", setter: fld_set}]}, - "web_extension_tmp": {to:[{field: "rsa.web.web_extension_tmp", setter: fld_set}]}, - "web_host": {to:[{field: "rsa.web.alias_host", setter: fld_set}]}, - "web_method": {to:[{field: "rsa.misc.action", setter: fld_append}]}, - "web_page": {to:[{field: "rsa.web.web_page", setter: fld_set}]}, - "web_ref_domain": {to:[{field: "rsa.web.web_ref_domain", setter: fld_set}]}, - "web_ref_host": 
{to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "web_ref_page": {to:[{field: "rsa.web.web_ref_page", setter: fld_set}]}, - "web_ref_query": {to:[{field: "rsa.web.web_ref_query", setter: fld_set}]}, - "web_ref_root": {to:[{field: "rsa.web.web_ref_root", setter: fld_set}]}, - "wifi_channel": {convert: to_long, to:[{field: "rsa.wireless.wlan_channel", setter: fld_set}]}, - "wlan": {to:[{field: "rsa.wireless.wlan_name", setter: fld_set}]}, - "word": {to:[{field: "rsa.internal.word", setter: fld_set}]}, - "workspace_desc": {to:[{field: "rsa.misc.workspace", setter: fld_set}]}, - "workstation": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "year": {to:[{field: "rsa.time.year", setter: fld_set}]}, - "zone": {to:[{field: "rsa.network.zone", setter: fld_set}]}, - }; - - function to_date(value) { - switch (typeof (value)) { - case "object": - // This is a Date. But as it was obtained from evt.Get(), the VM - // doesn't see it as a JS Date anymore, thus value instanceof Date === false. - // Have to trust that any object here is a valid Date for Go. - return value; - case "string": - var asDate = new Date(value); - if (!isNaN(asDate)) return asDate; - } - } - - // ECMAScript 5.1 doesn't have Object.MAX_SAFE_INTEGER / Object.MIN_SAFE_INTEGER. - var maxSafeInt = Math.pow(2, 53) - 1; - var minSafeInt = -maxSafeInt; - - function to_long(value) { - var num = parseInt(value); - // Better not to index a number if it's not safe (above 53 bits). - return !isNaN(num) && minSafeInt <= num && num <= maxSafeInt ? 
num : undefined; - } - - function to_ip(value) { - if (value.indexOf(":") === -1) - return to_ipv4(value); - return to_ipv6(value); - } - - var ipv4_regex = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/; - var ipv6_hex_regex = /^[0-9A-Fa-f]{1,4}$/; - - function to_ipv4(value) { - var result = ipv4_regex.exec(value); - if (result == null || result.length !== 5) return; - for (var i = 1; i < 5; i++) { - var num = strictToInt(result[i]); - if (isNaN(num) || num < 0 || num > 255) return; - } - return value; - } - - function to_ipv6(value) { - var sqEnd = value.indexOf("]"); - if (sqEnd > -1) { - if (value.charAt(0) !== "[") return; - value = value.substr(1, sqEnd - 1); - } - var zoneOffset = value.indexOf("%"); - if (zoneOffset > -1) { - value = value.substr(0, zoneOffset); - } - var parts = value.split(":"); - if (parts == null || parts.length < 3 || parts.length > 8) return; - var numEmpty = 0; - var innerEmpty = 0; - for (var i = 0; i < parts.length; i++) { - if (parts[i].length === 0) { - numEmpty++; - if (i > 0 && i + 1 < parts.length) innerEmpty++; - } else if (!parts[i].match(ipv6_hex_regex) && - // Accept an IPv6 with a valid IPv4 at the end. - ((i + 1 < parts.length) || !to_ipv4(parts[i]))) { - return; - } - } - return innerEmpty === 0 && parts.length === 8 || innerEmpty === 1 ? value : undefined; - } - - function to_double(value) { - return parseFloat(value); - } - - function to_mac(value) { - // ES doesn't have a mac datatype so it's safe to ingest whatever was captured. - return value; - } - - function to_lowercase(value) { - // to_lowercase is used against keyword fields, which can accept - // any other type (numbers, dates). - return typeof(value) === "string"? 
value.toLowerCase() : value; - } - - function fld_set(dst, value) { - dst[this.field] = { v: value }; - } - - function fld_append(dst, value) { - if (dst[this.field] === undefined) { - dst[this.field] = { v: [value] }; - } else { - var base = dst[this.field]; - if (base.v.indexOf(value)===-1) base.v.push(value); - } - } - - function fld_prio(dst, value) { - if (dst[this.field] === undefined) { - dst[this.field] = { v: value, prio: this.prio}; - } else if(this.prio < dst[this.field].prio) { - dst[this.field].v = value; - dst[this.field].prio = this.prio; - } - } - - var valid_ecs_outcome = { - 'failure': true, - 'success': true, - 'unknown': true - }; - - function fld_ecs_outcome(dst, value) { - value = value.toLowerCase(); - if (valid_ecs_outcome[value] === undefined) { - value = 'unknown'; - } - if (dst[this.field] === undefined) { - dst[this.field] = { v: value }; - } else if (dst[this.field].v === 'unknown') { - dst[this.field] = { v: value }; - } - } - - function map_all(evt, targets, value) { - for (var i = 0; i < targets.length; i++) { - evt.Put(targets[i], value); - } - } - - function populate_fields(evt) { - var base = evt.Get(FIELDS_OBJECT); - if (base === null) return; - alternate_datetime(evt); - if (map_ecs) { - do_populate(evt, base, ecs_mappings); - } - if (map_rsa) { - do_populate(evt, base, rsa_mappings); - } - if (keep_raw) { - evt.Put("rsa.raw", base); - } - evt.Delete(FIELDS_OBJECT); - } - - var datetime_alt_components = [ - {field: "day", fmts: [[dF]]}, - {field: "year", fmts: [[dW]]}, - {field: "month", fmts: [[dB],[dG]]}, - {field: "date", fmts: [[dW,dSkip,dG,dSkip,dF],[dW,dSkip,dB,dSkip,dF],[dW,dSkip,dR,dSkip,dF]]}, - {field: "hour", fmts: [[dN]]}, - {field: "min", fmts: [[dU]]}, - {field: "secs", fmts: [[dO]]}, - {field: "time", fmts: [[dN, dSkip, dU, dSkip, dO]]}, - ]; - - function alternate_datetime(evt) { - if (evt.Get(FIELDS_PREFIX + "event_time") != null) { - return; - } - var tzOffset = tz_offset; - if (tzOffset === "event") { - 
tzOffset = evt.Get("event.timezone"); - } - var container = new DateContainer(tzOffset); - for (var i=0; i} %{hostname->} %{messageid}[%{process_id}]: %{payload}", processor_chain([ - setc("header_id","0001"), - ])); - - var hdr2 = match("HEADER#1:0002", "message", "%{hfld1->} %{messageid}[%{process_id}]: %{payload}", processor_chain([ - setc("header_id","0002"), - ])); - - var hdr3 = match("HEADER#2:0003", "message", "%{hfld1->} %{hostname->} reverseproxy: %{payload}", processor_chain([ - setc("header_id","0003"), - setc("messageid","reverseproxy"), - ])); - - var hdr4 = match("HEADER#3:0005", "message", "%{hfld1->} %{hostname->} %{messageid}: %{payload}", processor_chain([ - setc("header_id","0005"), - ])); - - var hdr5 = match("HEADER#4:0004", "message", "%{hfld1->} %{id}[%{process_id}]: %{payload}", processor_chain([ - setc("header_id","0004"), - setc("messageid","astarosg_TVM"), - ])); - - var hdr6 = match("HEADER#5:0006", "message", "device=\"%{product}\" date=%{hdate->} time=%{htime->} timezone=\"%{timezone}\" device_name=\"%{device}\" device_id=%{hardware_id->} log_id=%{id->} %{payload}", processor_chain([ - setc("header_id","0006"), - setc("messageid","Sophos_Firewall"), - ])); - - var select1 = linear_select([ - hdr1, - hdr2, - hdr3, - hdr4, - hdr5, - hdr6, - ]); - - var part1 = match("MESSAGE#0:named:01", "nwparser.payload", "received control channel command '%{action}'", processor_chain([ - dup1, - dup2, - dup3, - ])); - - var msg1 = msg("named:01", part1); - - var part2 = match("MESSAGE#1:named:02", "nwparser.payload", "flushing caches in all views %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - ])); - - var msg2 = msg("named:02", part2); - - var part3 = match("MESSAGE#2:named:03", "nwparser.payload", "error (%{result}) resolving '%{dhost}': %{daddr}#%{dport}", processor_chain([ - dup4, - dup2, - dup3, - ])); - - var msg3 = msg("named:03", part3); - - var part4 = match("MESSAGE#3:named:04", "nwparser.payload", "received %{action->} signal 
to %{fld3}", processor_chain([ - dup5, - dup2, - dup3, - ])); - - var msg4 = msg("named:04", part4); - - var part5 = match("MESSAGE#4:named:05", "nwparser.payload", "loading configuration from '%(unknown)'", processor_chain([ - dup6, - dup2, - dup3, - ])); - - var msg5 = msg("named:05", part5); - - var part6 = match("MESSAGE#5:named:06", "nwparser.payload", "no %{protocol->} interfaces found", processor_chain([ - setc("eventcategory","1804000000"), - dup2, - dup3, - ])); - - var msg6 = msg("named:06", part6); - - var part7 = match("MESSAGE#6:named:07", "nwparser.payload", "sizing zone task pool based on %{fld3->} zones", processor_chain([ - dup7, - dup2, - dup3, - ])); - - var msg7 = msg("named:07", part7); - - var part8 = match("MESSAGE#7:named:08", "nwparser.payload", "automatic empty zone: view %{fld3}: %{dns_ptr_record}", processor_chain([ - dup8, - dup2, - dup3, - ])); - - var msg8 = msg("named:08", part8); - - var part9 = match("MESSAGE#8:named:09", "nwparser.payload", "reloading %{obj_type->} %{disposition}", processor_chain([ - dup7, - dup2, - dup3, - setc("action","reloading"), - ])); - - var msg9 = msg("named:09", part9); - - var part10 = match("MESSAGE#9:named:10", "nwparser.payload", "zone %{dhost}/%{fld3}: loaded serial %{operation_id}", processor_chain([ - dup7, - dup9, - dup2, - dup3, - ])); - - var msg10 = msg("named:10", part10); - - var part11 = match("MESSAGE#10:named:11", "nwparser.payload", "all zones loaded%{}", processor_chain([ - dup7, - dup9, - dup2, - dup3, - setc("action","all zones loaded"), - ])); - - var msg11 = msg("named:11", part11); - - var part12 = match("MESSAGE#11:named:12", "nwparser.payload", "running%{}", processor_chain([ - dup7, - setc("disposition","running"), - dup2, - dup3, - setc("action","running"), - ])); - - var msg12 = msg("named:12", part12); - - var part13 = match("MESSAGE#12:named:13", "nwparser.payload", "using built-in root key for view %{fld3}", processor_chain([ - dup7, - setc("context","built-in root key"), 
- dup2,
- dup3,
- ]));
-
- var msg13 = msg("named:13", part13);
-
- var part14 = match("MESSAGE#13:named:14", "nwparser.payload", "zone %{dns_ptr_record}/%{fld3}: (%{username}) %{action}", processor_chain([
- dup8,
- dup2,
- dup3,
- ]));
-
- var msg14 = msg("named:14", part14);
-
- var part15 = match("MESSAGE#14:named:15", "nwparser.payload", "too many timeouts resolving '%{fld3}' (%{fld4}): disabling EDNS", processor_chain([
- dup10,
- setc("event_description","named:too many timeouts resolving DNS."),
- dup11,
- dup2,
- ]));
-
- var msg15 = msg("named:15", part15);
-
- var part16 = match("MESSAGE#15:named:16", "nwparser.payload", "FORMERR resolving '%{hostname}': %{saddr}#%{fld3}", processor_chain([
- dup10,
- setc("event_description","named:FORMERR resolving DNS."),
- dup11,
- dup2,
- ]));
-
- var msg16 = msg("named:16", part16);
-
- var part17 = match("MESSAGE#16:named:17", "nwparser.payload", "unexpected RCODE (SERVFAIL) resolving '%{hostname}': %{saddr}#%{fld3}", processor_chain([
- dup10,
- setc("event_description","named:unexpected RCODE (SERVFAIL) resolving DNS."),
- dup11,
- dup2,
- ]));
-
- var msg17 = msg("named:17", part17);
-
- var select2 = linear_select([
- msg1,
- msg2,
- msg3,
- msg4,
- msg5,
- msg6,
- msg7,
- msg8,
- msg9,
- msg10,
- msg11,
- msg12,
- msg13,
- msg14,
- msg15,
- msg16,
- msg17,
- ]);
-
- var part18 = match("MESSAGE#17:httpproxy:09", "nwparser.payload", "Integrated HTTP-Proxy %{version}", processor_chain([
- dup12,
- setc("event_description","httpproxy:Integrated HTTP-Proxy."),
- dup11,
- dup2,
- ]));
-
- var msg18 = msg("httpproxy:09", part18);
-
- var part19 = match("MESSAGE#18:httpproxy:10", "nwparser.payload", "[%{fld2}] parse_address (%{fld3}) getaddrinfo: passthrough.fw-notify.net: Name or service not known", processor_chain([
- dup10,
- setc("event_description","httpproxy:Name or service not known."),
- dup11,
- dup2,
- ]));
-
- var msg19 = msg("httpproxy:10", part19);
-
- var part20 = match("MESSAGE#19:httpproxy:11",
"nwparser.payload", "[%{fld2}] confd_config_filter (%{fld3}) failed to resolve passthrough.fw-notify.net, using %{saddr}", processor_chain([
- dup10,
- setc("event_description","httpproxy:failed to resolve passthrough."),
- dup11,
- dup2,
- ]));
-
- var msg20 = msg("httpproxy:11", part20);
-
- var part21 = match("MESSAGE#20:httpproxy:12", "nwparser.payload", "[%{fld2}] ssl_log_errors (%{fld3}) %{fld4}ssl handshake failure%{fld5}", processor_chain([
- dup10,
- setc("event_description","httpproxy:ssl handshake failure."),
- dup11,
- dup2,
- ]));
-
- var msg21 = msg("httpproxy:12", part21);
-
- var part22 = match("MESSAGE#21:httpproxy:13", "nwparser.payload", "[%{fld2}] sc_decrypt (%{fld3}) EVP_DecryptFinal failed", processor_chain([
- dup10,
- setc("event_description","httpproxy:EVP_DecryptFinal failed."),
- dup11,
- dup2,
- ]));
-
- var msg22 = msg("httpproxy:13", part22);
-
- var part23 = match("MESSAGE#22:httpproxy:14", "nwparser.payload", "[%{fld2}] sc_server_cmd (%{fld3}) decrypt failed", processor_chain([
- dup10,
- setc("event_description","httpproxy:decrypt failed."),
- dup11,
- dup2,
- ]));
-
- var msg23 = msg("httpproxy:14", part23);
-
- var part24 = match("MESSAGE#23:httpproxy:15", "nwparser.payload", "[%{fld2}] clamav_reload (%{fld3}) %{info}", processor_chain([
- dup12,
- setc("event_description","httpproxy:reloading av pattern"),
- dup11,
- dup2,
- ]));
-
- var msg24 = msg("httpproxy:15", part24);
-
- var part25 = match("MESSAGE#24:httpproxy:16", "nwparser.payload", "[%{fld2}] sc_check_servers (%{fld3}) server '%{hostname}' access time: %{fld4}", processor_chain([
- dup12,
- setc("event_description","httpproxy:sc_check_servers.Server checked."),
- dup11,
- dup2,
- ]));
-
- var msg25 = msg("httpproxy:16", part25);
-
- var part26 = match("MESSAGE#25:httpproxy:17", "nwparser.payload", "[%{fld2}] main (%{fld3}) shutdown finished, exiting", processor_chain([
- dup12,
- setc("event_description","httpproxy:shutdown finished, exiting."),
- dup11,
- dup2,
- ]));
-
- var msg26 = msg("httpproxy:17", part26);
-
- var part27 = match("MESSAGE#26:httpproxy:18", "nwparser.payload", "[%{fld2}] main (%{fld3}) reading configuration", processor_chain([
- dup12,
- setc("event_description","httpproxy:"),
- dup11,
- dup2,
- ]));
-
- var msg27 = msg("httpproxy:18", part27);
-
- var part28 = match("MESSAGE#27:httpproxy:19", "nwparser.payload", "[%{fld2}] main (%{fld3}) reading profiles", processor_chain([
- dup12,
- setc("event_description","httpproxy:reading profiles"),
- dup11,
- dup2,
- ]));
-
- var msg28 = msg("httpproxy:19", part28);
-
- var part29 = match("MESSAGE#28:httpproxy:20", "nwparser.payload", "[%{fld2}] main (%{fld3}) finished startup", processor_chain([
- dup12,
- setc("event_description","httpproxy:finished startup"),
- dup11,
- dup2,
- ]));
-
- var msg29 = msg("httpproxy:20", part29);
-
- var part30 = match("MESSAGE#29:httpproxy:21", "nwparser.payload", "[%{fld2}] read_request_headers (%{fld3}) %{info}", processor_chain([
- dup12,
- setc("event_description","httpproxy:read_request_headers related message."),
- dup11,
- dup2,
- ]));
-
- var msg30 = msg("httpproxy:21", part30);
-
- var part31 = match("MESSAGE#30:httpproxy:22", "nwparser.payload", "[%{fld2}] epoll_loop (%{fld3}) %{info}", processor_chain([
- dup12,
- setc("event_description","httpproxy:epoll_loop related message."),
- dup11,
- dup2,
- ]));
-
- var msg31 = msg("httpproxy:22", part31);
-
- var part32 = match("MESSAGE#31:httpproxy:23", "nwparser.payload", "[%{fld2}] scan_exit (%{fld3}) %{info}", processor_chain([
- dup12,
- setc("event_description","httpproxy:scan_exit related message."),
- dup11,
- dup2,
- ]));
-
- var msg32 = msg("httpproxy:23", part32);
-
- var part33 = match("MESSAGE#32:httpproxy:24", "nwparser.payload", "[%{fld2}] epoll_exit (%{fld3}) %{info}", processor_chain([
- dup12,
- setc("event_description","httpproxy:epoll_exit related message."),
- dup11,
- dup2,
- ]));
-
- var msg33 = msg("httpproxy:24", part33);
-
- var part34 =
match("MESSAGE#33:httpproxy:25", "nwparser.payload", "[%{fld2}] disk_cache_exit (%{fld3}) %{info}", processor_chain([ - dup12, - setc("event_description","httpproxy:disk_cache_exit related message."), - dup11, - dup2, - ])); - - var msg34 = msg("httpproxy:25", part34); - - var part35 = match("MESSAGE#34:httpproxy:26", "nwparser.payload", "[%{fld2}] disk_cache_zap (%{fld3}) %{info}", processor_chain([ - dup12, - setc("event_description","httpproxy:disk_cache_zap related message."), - dup11, - dup2, - ])); - - var msg35 = msg("httpproxy:26", part35); - - var part36 = match("MESSAGE#35:httpproxy:27", "nwparser.payload", "[%{fld2}] scanner_init (%{fld3}) %{info}", processor_chain([ - dup12, - setc("event_description","httpproxy:scanner_init related message."), - dup11, - dup2, - ])); - - var msg36 = msg("httpproxy:27", part36); - - var part37 = tagval("MESSAGE#36:httpproxy:01", "nwparser.payload", tvm, { - "action": "action", - "ad_domain": "fld1", - "app-id": "fld18", - "application": "fld17", - "auth": "fld10", - "authtime": "fld4", - "avscantime": "fld7", - "cached": "fld2", - "category": "policy_id", - "categoryname": "info", - "cattime": "fld6", - "content-type": "content_type", - "device": "fld9", - "dnstime": "fld5", - "dstip": "daddr", - "error": "result", - "exceptions": "fld12", - "extension": "fld13", - "file": "filename", - "filename": "filename", - "filteraction": "fld3", - "fullreqtime": "fld8", - "function": "action", - "group": "group", - "id": "rule", - "line": "fld14", - "message": "context", - "method": "web_method", - "name": "event_description", - "profile": "policyname", - "reason": "rule_group", - "referer": "web_referer", - "reputation": "fld16", - "request": "connectionid", - "severity": "severity", - "size": "rbytes", - "srcip": "saddr", - "statuscode": "resultcode", - "sub": "network_service", - "sys": "vsys", - "time": "fld15", - "ua": "fld11", - "url": "url", - "user": "username", - }, processor_chain([ - dup13, - dup11, - dup2, - dup45, - 
dup46, - ])); - - var msg37 = msg("httpproxy:01", part37); - - var select3 = linear_select([ - msg18, - msg19, - msg20, - msg21, - msg22, - msg23, - msg24, - msg25, - msg26, - msg27, - msg28, - msg29, - msg30, - msg31, - msg32, - msg33, - msg34, - msg35, - msg36, - msg37, - ]); - - var part38 = match("MESSAGE#37:URID:01", "nwparser.payload", "T=%{fld3->} ------ 1 - [exit] %{action}: %{disposition}", processor_chain([ - dup16, - dup2, - dup3, - ])); - - var msg38 = msg("URID:01", part38); - - var part39 = tagval("MESSAGE#38:ulogd:01", "nwparser.payload", tvm, { - "action": "action", - "code": "fld30", - "dstip": "daddr", - "dstmac": "dmacaddr", - "dstport": "dport", - "fwrule": "policy_id", - "id": "rule", - "info": "context", - "initf": "sinterface", - "length": "fld25", - "name": "event_description", - "outitf": "dinterface", - "prec": "fld27", - "proto": "fld24", - "seq": "fld23", - "severity": "severity", - "srcip": "saddr", - "srcmac": "smacaddr", - "srcport": "sport", - "sub": "network_service", - "sys": "vsys", - "tcpflags": "fld29", - "tos": "fld26", - "ttl": "fld28", - "type": "fld31", - }, processor_chain([ - dup13, - setc("ec_subject","NetworkComm"), - setc("ec_activity","Scan"), - setc("ec_theme","TEV"), - dup11, - dup2, - dup45, - dup46, - ])); - - var msg39 = msg("ulogd:01", part39); - - var part40 = match("MESSAGE#39:reverseproxy:01", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] ModSecurity for Apache/%{fld5->} (%{fld6}) configured.", processor_chain([ - dup6, - setc("disposition","configured"), - dup2, - dup3, - ])); - - var msg40 = msg("reverseproxy:01", part40); - - var part41 = match("MESSAGE#40:reverseproxy:02", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] ModSecurity: %{fld5->} compiled version=\"%{fld6}\"; loaded version=\"%{fld7}\"", processor_chain([ - dup17, - dup2, - dup3, - ])); - - var msg41 = msg("reverseproxy:02", part41); - - var part42 = 
match("MESSAGE#41:reverseproxy:03", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] ModSecurity: %{fld5->} compiled version=\"%{fld6}\"", processor_chain([ - dup17, - dup2, - dup3, - ])); - - var msg42 = msg("reverseproxy:03", part42); - - var part43 = match("MESSAGE#42:reverseproxy:04", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] %{fld5->} configured -- %{disposition->} normal operations", processor_chain([ - dup17, - setc("event_id","AH00292"), - dup2, - dup3, - ])); - - var msg43 = msg("reverseproxy:04", part43); - - var part44 = match("MESSAGE#43:reverseproxy:06", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [%{fld5}] Hostname in %{network_service->} request (%{fld6}) does not match the server name (%{ddomain})", processor_chain([ - setc("eventcategory","1805010000"), - dup18, - dup2, - dup3, - ])); - - var msg44 = msg("reverseproxy:06", part44); - - var part45 = match("MESSAGE#44:reverseproxy:07/0", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] AH00297: %{action->} received. 
Doing%{p0}"); - - var select4 = linear_select([ - dup19, - ]); - - var part46 = match("MESSAGE#44:reverseproxy:07/2", "nwparser.p0", "%{}graceful %{disposition}"); - - var all1 = all_match({ - processors: [ - part45, - select4, - part46, - ], - on_success: processor_chain([ - dup5, - setc("event_id","AH00297"), - dup2, - dup3, - ]), - }); - - var msg45 = msg("reverseproxy:07", all1); - - var part47 = match("MESSAGE#45:reverseproxy:08", "nwparser.payload", "AH00112: Warning: DocumentRoot [%{web_root}] does not exist", processor_chain([ - dup4, - setc("event_id","AH00112"), - dup2, - dup3, - ])); - - var msg46 = msg("reverseproxy:08", part47); - - var part48 = match("MESSAGE#46:reverseproxy:09", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] AH00094: Command line: '%{web_root}'", processor_chain([ - setc("eventcategory","1605010000"), - setc("event_id","AH00094"), - dup2, - dup3, - ])); - - var msg47 = msg("reverseproxy:09", part48); - - var part49 = match("MESSAGE#47:reverseproxy:10", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] AH00291: long lost child came home! 
(pid %{fld5})", processor_chain([ - dup12, - setc("event_id","AH00291"), - dup2, - dup3, - ])); - - var msg48 = msg("reverseproxy:10", part49); - - var part50 = match("MESSAGE#48:reverseproxy:11", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] AH02572: Failed to configure at least one certificate and key for %{fld5}:%{fld6}", processor_chain([ - dup20, - setc("event_id","AH02572"), - dup2, - dup3, - ])); - - var msg49 = msg("reverseproxy:11", part50); - - var part51 = match("MESSAGE#49:reverseproxy:12", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] SSL Library Error: error:%{resultcode}:%{result}", processor_chain([ - dup20, - setc("context","SSL Library Error"), - dup2, - dup3, - ])); - - var msg50 = msg("reverseproxy:12", part51); - - var part52 = match("MESSAGE#50:reverseproxy:13", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] AH02312: Fatal error initialising mod_ssl, %{disposition}.", processor_chain([ - dup20, - setc("result","Fatal error"), - setc("event_id","AH02312"), - dup2, - dup3, - ])); - - var msg51 = msg("reverseproxy:13", part52); - - var part53 = match("MESSAGE#51:reverseproxy:14", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] AH00020: Configuration Failed, %{disposition}", processor_chain([ - dup20, - setc("result","Configuration Failed"), - setc("event_id","AH00020"), - dup2, - dup3, - ])); - - var msg52 = msg("reverseproxy:14", part53); - - var part54 = match("MESSAGE#52:reverseproxy:15", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] AH00098: pid file %{filename->} overwritten -- Unclean shutdown of previous Apache run?", processor_chain([ - setc("eventcategory","1609000000"), - setc("context","Unclean shutdown"), - setc("event_id","AH00098"), - dup2, - dup3, - ])); - - var msg53 = msg("reverseproxy:15", part54); - - var part55 = 
match("MESSAGE#53:reverseproxy:16", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] AH00295: caught %{action}, %{disposition}", processor_chain([ - dup16, - setc("event_id","AH00295"), - dup2, - dup3, - ])); - - var msg54 = msg("reverseproxy:16", part55); - - var part56 = match("MESSAGE#54:reverseproxy:17/0", "nwparser.payload", "[%{fld3}] [%{event_log}:%{result}] [pid %{process_id}:%{fld4}] [client %{gateway}] ModSecurity: Warning. %{rulename->} [file \"%(unknown)\"] [line \"%{fld5}\"] [id \"%{rule}\"]%{p0}"); - - var part57 = match("MESSAGE#54:reverseproxy:17/1_0", "nwparser.p0", " [rev \"%{fld6}\"]%{p0}"); - - var select5 = linear_select([ - part57, - dup19, - ]); - - var part58 = match("MESSAGE#54:reverseproxy:17/2", "nwparser.p0", "%{}[msg \"%{comments}\"] [data \"%{daddr}\"] [severity \"%{severity}\"] [ver \"%{policyname}\"] [maturity \"%{fld7}\"] [accuracy \"%{fld8}\"] %{context->} [hostname \"%{dhost}\"] [uri \"%{web_root}\"] [unique_id \"%{operation_id}\"]"); - - var all2 = all_match({ - processors: [ - part56, - select5, - part58, - ], - on_success: processor_chain([ - dup21, - dup2, - dup3, - ]), - }); - - var msg55 = msg("reverseproxy:17", all2); - - var part59 = match("MESSAGE#55:reverseproxy:18", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] No signature found, cookie: %{fld5}", processor_chain([ - dup4, - dup22, - dup2, - dup3, - ])); - - var msg56 = msg("reverseproxy:18", part59); - - var part60 = match("MESSAGE#56:reverseproxy:19", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] %{disposition->} '%{fld5}' from request due to missing/invalid signature", processor_chain([ - dup23, - dup22, - dup2, - dup3, - ])); - - var msg57 = msg("reverseproxy:19", part60); - - var part61 = match("MESSAGE#57:reverseproxy:20", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] 
[client %{gateway}] ModSecurity: Warning. %{rulename->} [file \"%(unknown)\"] [line \"%{fld5}\"] [id \"%{rule}\"] [msg \"%{comments}\"] [hostname \"%{dhost}\"] [uri \"%{web_root}\"] [unique_id \"%{operation_id}\"]", processor_chain([ - dup21, - dup2, - dup3, - ])); - - var msg58 = msg("reverseproxy:20", part61); - - var part62 = match("MESSAGE#58:reverseproxy:21", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] AH01909: %{daddr}:%{dport}:%{fld5->} server certificate does NOT include an ID which matches the server name", processor_chain([ - dup20, - dup18, - setc("event_id","AH01909"), - dup2, - dup3, - ])); - - var msg59 = msg("reverseproxy:21", part62); - - var part63 = match("MESSAGE#59:reverseproxy:22", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] AH01915: Init: (%{daddr}:%{dport}) You configured %{network_service}(%{fld5}) on the %{fld6}(%{fld7}) port!", processor_chain([ - dup20, - setc("comments","Invalid port configuration"), - dup2, - dup3, - ])); - - var msg60 = msg("reverseproxy:22", part63); - - var part64 = match("MESSAGE#60:reverseproxy:23", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] ModSecurity: Rule %{rulename->} [id \"%{rule}\"][file \"%(unknown)\"][line \"%{fld5}\"] - Execution error - PCRE limits exceeded (%{fld6}): (%{fld7}). 
[hostname \"%{dhost}\"] [uri \"%{web_root}\"] [unique_id \"%{operation_id}\"]", processor_chain([ - dup21, - dup2, - dup3, - ])); - - var msg61 = msg("reverseproxy:23", part64); - - var part65 = match("MESSAGE#61:reverseproxy:24", "nwparser.payload", "rManage\\\\x22,\\\\x22manageLiveSystemSettings\\\\x22,\\\\x22accessViewJobs\\\\x22,\\\\x22exportList\\\\...\"] [ver \"%{policyname}\"] [maturity \"%{fld3}\"] [accuracy \"%{fld4}\"] %{context->} [hostname \"%{dhost}\"] [uri \"%{web_root}\"] [unique_id \"%{operation_id}\"]", processor_chain([ - dup21, - dup2, - dup3, - ])); - - var msg62 = msg("reverseproxy:24", part65); - - var part66 = match("MESSAGE#62:reverseproxy:25", "nwparser.payload", "ARGS:userPermissions: [\\\\x22dashletAccessAlertingRecentAlertsPanel\\\\x22,\\\\x22dashletAccessAlerterTopAlertsDashlet\\\\x22,\\\\x22accessViewRules\\\\x22,\\\\x22deployLiveResources\\\\x22,\\\\x22vi...\"] [severity [hostname \"%{dhost}\"] [uri \"%{web_root}\"] [unique_id \"%{operation_id}\"]", processor_chain([ - dup21, - dup2, - dup3, - ])); - - var msg63 = msg("reverseproxy:25", part66); - - var part67 = match("MESSAGE#63:reverseproxy:26/0", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] ModSecurity: %{disposition->} with code %{resultcode->} (%{fld5}). 
%{rulename->} [file \"%(unknown)\"] [line \"%{fld6}\"] [id \"%{rule}\"]%{p0}"); - - var part68 = match("MESSAGE#63:reverseproxy:26/1_0", "nwparser.p0", " [rev \"%{fld7}\"]%{p0}"); - - var select6 = linear_select([ - part68, - dup19, - ]); - - var part69 = match("MESSAGE#63:reverseproxy:26/2", "nwparser.p0", "%{}[msg \"%{comments}\"] [data \"Last Matched Data: %{p0}"); - - var part70 = match("MESSAGE#63:reverseproxy:26/3_0", "nwparser.p0", "%{daddr}:%{dport}\"] [hostname \"%{p0}"); - - var part71 = match("MESSAGE#63:reverseproxy:26/3_1", "nwparser.p0", "%{daddr}\"] [hostname \"%{p0}"); - - var select7 = linear_select([ - part70, - part71, - ]); - - var part72 = match("MESSAGE#63:reverseproxy:26/4", "nwparser.p0", "%{dhost}\"] [uri \"%{web_root}\"] [unique_id \"%{operation_id}\"]"); - - var all3 = all_match({ - processors: [ - part67, - select6, - part69, - select7, - part72, - ], - on_success: processor_chain([ - dup24, - dup2, - dup3, - ]), - }); - - var msg64 = msg("reverseproxy:26", all3); - - var part73 = match("MESSAGE#64:reverseproxy:27", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] [%{fld5}] %{disposition->} while reading reply from cssd, referer: %{web_referer}", processor_chain([ - dup25, - dup2, - dup3, - ])); - - var msg65 = msg("reverseproxy:27", part73); - - var part74 = match("MESSAGE#65:reverseproxy:28", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] [%{fld5}] virus daemon error found in request %{web_root}, referer: %{web_referer}", processor_chain([ - dup26, - setc("result","virus daemon error"), - dup2, - dup3, - ])); - - var msg66 = msg("reverseproxy:28", part74); - - var part75 = match("MESSAGE#66:reverseproxy:29", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] mod_avscan_input_filter: virus found, referer: %{web_referer}", processor_chain([ - dup27, - 
setc("result","virus found"), - dup2, - dup3, - ])); - - var msg67 = msg("reverseproxy:29", part75); - - var part76 = match("MESSAGE#67:reverseproxy:30", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] (13)%{result}: [client %{gateway}] AH01095: prefetch request body failed to %{saddr}:%{sport->} (%{fld5}) from %{fld6->} (), referer: %{web_referer}", processor_chain([ - dup24, - dup28, - dup2, - dup3, - ])); - - var msg68 = msg("reverseproxy:30", part76); - - var part77 = match("MESSAGE#68:reverseproxy:31", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] [%{fld5}] cannot read reply: Operation now in progress (115), referer: %{web_referer}", processor_chain([ - dup25, - setc("result","Cannot read reply"), - dup2, - dup3, - ])); - - var msg69 = msg("reverseproxy:31", part77); - - var part78 = match("MESSAGE#69:reverseproxy:32", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] [%{fld5}] cannot connect: %{result->} (111), referer: %{web_referer}", processor_chain([ - dup25, - dup2, - dup3, - ])); - - var msg70 = msg("reverseproxy:32", part78); - - var part79 = match("MESSAGE#70:reverseproxy:33", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] [%{fld5}] cannot connect: %{result->} (111)", processor_chain([ - dup25, - dup2, - dup3, - ])); - - var msg71 = msg("reverseproxy:33", part79); - - var part80 = match("MESSAGE#71:reverseproxy:34", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] [%{fld5}] virus daemon connection problem found in request %{url}, referer: %{web_referer}", processor_chain([ - dup26, - dup29, - dup2, - dup3, - ])); - - var msg72 = msg("reverseproxy:34", part80); - - var part81 = match("MESSAGE#72:reverseproxy:35", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid 
%{process_id}:%{fld4}] [client %{gateway}] [%{fld5}] virus daemon connection problem found in request %{url}", processor_chain([ - dup26, - dup29, - dup2, - dup3, - ])); - - var msg73 = msg("reverseproxy:35", part81); - - var part82 = match("MESSAGE#73:reverseproxy:36", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] mod_avscan_input_filter: virus found", processor_chain([ - dup27, - setc("result","Virus found"), - dup2, - dup3, - ])); - - var msg74 = msg("reverseproxy:36", part82); - - var part83 = match("MESSAGE#74:reverseproxy:37", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] (13)%{result}: [client %{gateway}] AH01095: prefetch request body failed to %{saddr}:%{sport->} (%{fld5}) from %{fld6->} ()", processor_chain([ - dup24, - dup28, - dup2, - dup3, - ])); - - var msg75 = msg("reverseproxy:37", part83); - - var part84 = match("MESSAGE#75:reverseproxy:38", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] Invalid signature, cookie: JSESSIONID", processor_chain([ - dup25, - dup2, - dup3, - ])); - - var msg76 = msg("reverseproxy:38", part84); - - var part85 = match("MESSAGE#76:reverseproxy:39", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] Form validation failed: Received unhardened form data, referer: %{web_referer}", processor_chain([ - dup23, - setc("result","Form validation failed"), - dup2, - dup3, - ])); - - var msg77 = msg("reverseproxy:39", part85); - - var part86 = match("MESSAGE#77:reverseproxy:40", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] [%{fld5}] sending trickle failed: 103", processor_chain([ - dup25, - setc("result","Sending trickle failed"), - dup2, - dup3, - ])); - - var msg78 = msg("reverseproxy:40", part86); - - var part87 = match("MESSAGE#78:reverseproxy:41", 
"nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] [%{fld5}] client requesting %{web_root->} has %{disposition}", processor_chain([ - dup30, - dup2, - dup3, - ])); - - var msg79 = msg("reverseproxy:41", part87); - - var part88 = match("MESSAGE#79:reverseproxy:42", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] [%{fld5}] mod_avscan_check_file_single_part() called with parameter filename=%(unknown)", processor_chain([ - setc("eventcategory","1603050000"), - dup2, - dup3, - ])); - - var msg80 = msg("reverseproxy:42", part88); - - var part89 = match("MESSAGE#80:reverseproxy:43", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] (70007)The %{disposition->} specified has expired: [client %{gateway}] AH01110: error reading response", processor_chain([ - dup30, - setc("event_id","AH01110"), - setc("result","Error reading response"), - dup2, - dup3, - ])); - - var msg81 = msg("reverseproxy:43", part89); - - var part90 = match("MESSAGE#81:reverseproxy:44", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] (22)%{result}: [client %{gateway}] No form context found when parsing %{fld5->} tag, referer: %{web_referer}", processor_chain([ - setc("eventcategory","1601020000"), - setc("result","No form context found"), - dup2, - dup3, - ])); - - var msg82 = msg("reverseproxy:44", part90); - - var part91 = match("MESSAGE#82:reverseproxy:45", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] (111)%{result}: AH00957: %{network_service}: attempt to connect to %{daddr}:%{dport->} (%{fld5}) failed", processor_chain([ - dup25, - setc("event_id","AH00957"), - dup2, - dup3, - ])); - - var msg83 = msg("reverseproxy:45", part91); - - var part92 = match("MESSAGE#83:reverseproxy:46", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] AH00959: 
ap_proxy_connect_backend disabling worker for (%{daddr}) for %{processing_time}s", processor_chain([ - dup16, - setc("event_id","AH00959"), - setc("result","disabling worker"), - dup2, - dup3, - ])); - - var msg84 = msg("reverseproxy:46", part92); - - var part93 = match("MESSAGE#84:reverseproxy:47", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] [%{fld5}] not all the file sent to the client: %{fld6}, referer: %{web_referer}", processor_chain([ - setc("eventcategory","1801000000"), - setc("context","Not all file sent to client"), - dup2, - dup3, - ])); - - var msg85 = msg("reverseproxy:47", part93); - - var part94 = match("MESSAGE#85:reverseproxy:48", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] AH01114: %{network_service}: failed to make connection to backend: %{daddr}, referer: %{web_referer}", processor_chain([ - dup25, - dup31, - dup32, - dup2, - dup3, - ])); - - var msg86 = msg("reverseproxy:48", part94); - - var part95 = match("MESSAGE#86:reverseproxy:49", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] AH01114: %{network_service}: failed to make connection to backend: %{daddr}", processor_chain([ - dup25, - dup31, - dup32, - dup2, - dup3, - ])); - - var msg87 = msg("reverseproxy:49", part95); - - var part96 = tagval("MESSAGE#87:reverseproxy:05", "nwparser.payload", tvm, { - "cookie": "web_cookie", - "exceptions": "policy_waiver", - "extra": "info", - "host": "dhost", - "id": "policy_id", - "localip": "fld3", - "method": "web_method", - "reason": "comments", - "referer": "web_referer", - "server": "daddr", - "set-cookie": "fld5", - "size": "fld4", - "srcip": "saddr", - "statuscode": "resultcode", - "time": "processing_time", - "url": "web_root", - "user": "username", - }, processor_chain([ - setc("eventcategory","1802000000"), - dup2, - dup3, - ])); - - var msg88 = 
msg("reverseproxy:05", part96); - - var select8 = linear_select([ - msg40, - msg41, - msg42, - msg43, - msg44, - msg45, - msg46, - msg47, - msg48, - msg49, - msg50, - msg51, - msg52, - msg53, - msg54, - msg55, - msg56, - msg57, - msg58, - msg59, - msg60, - msg61, - msg62, - msg63, - msg64, - msg65, - msg66, - msg67, - msg68, - msg69, - msg70, - msg71, - msg72, - msg73, - msg74, - msg75, - msg76, - msg77, - msg78, - msg79, - msg80, - msg81, - msg82, - msg83, - msg84, - msg85, - msg86, - msg87, - msg88, - ]); - - var part97 = tagval("MESSAGE#88:confd-sync", "nwparser.payload", tvm, { - "id": "fld5", - "name": "event_description", - "severity": "severity", - "sub": "service", - "sys": "fld2", - }, processor_chain([ - dup1, - dup11, - dup2, - ])); - - var msg89 = msg("confd-sync", part97); - - var part98 = tagval("MESSAGE#89:confd:01", "nwparser.payload", tvm, { - "account": "logon_id", - "attributes": "obj_name", - "class": "group_object", - "client": "fld3", - "count": "fld4", - "facility": "logon_type", - "id": "fld1", - "name": "event_description", - "node": "node", - "object": "fld6", - "severity": "severity", - "srcip": "saddr", - "storage": "directory", - "sub": "service", - "sys": "fld2", - "type": "obj_type", - "user": "username", - "version": "version", - }, processor_chain([ - dup1, - dup11, - dup2, - ])); - - var msg90 = msg("confd:01", part98); - - var part99 = match("MESSAGE#90:frox", "nwparser.payload", "Frox started%{}", processor_chain([ - dup12, - setc("event_description","frox:FTP Proxy Frox started."), - dup11, - dup2, - ])); - - var msg91 = msg("frox", part99); - - var part100 = match("MESSAGE#91:frox:01", "nwparser.payload", "Listening on %{saddr}:%{sport}", processor_chain([ - dup12, - setc("event_description","frox:FTP Proxy listening on port."), - dup11, - dup2, - ])); - - var msg92 = msg("frox:01", part100); - - var part101 = match("MESSAGE#92:frox:02", "nwparser.payload", "Dropped privileges%{}", processor_chain([ - dup12, - 
setc("event_description","frox:FTP Proxy dropped priveleges."), - dup11, - dup2, - ])); - - var msg93 = msg("frox:02", part101); - - var select9 = linear_select([ - msg91, - msg92, - msg93, - ]); - - var part102 = match("MESSAGE#93:afcd", "nwparser.payload", "Classifier configuration reloaded successfully%{}", processor_chain([ - dup12, - setc("event_description","afcd: IM/P2P Classifier configuration reloaded successfully."), - dup11, - dup2, - ])); - - var msg94 = msg("afcd", part102); - - var part103 = match("MESSAGE#94:ipsec_starter", "nwparser.payload", "Starting strongSwan %{fld2->} IPsec [starter]...", processor_chain([ - dup12, - setc("event_description","ipsec_starter: Starting strongSwan 4.2.3 IPsec [starter]..."), - dup11, - dup2, - ])); - - var msg95 = msg("ipsec_starter", part103); - - var part104 = match("MESSAGE#95:ipsec_starter:01", "nwparser.payload", "IP address or index of physical interface changed -> reinit of ipsec interface%{}", processor_chain([ - dup12, - setc("event_description","ipsec_starter: IP address or index of physical interface changed."), - dup11, - dup2, - ])); - - var msg96 = msg("ipsec_starter:01", part104); - - var select10 = linear_select([ - msg95, - msg96, - ]); - - var part105 = match("MESSAGE#96:pluto", "nwparser.payload", "Starting Pluto (%{info})", processor_chain([ - dup12, - setc("event_description","pluto: Starting Pluto."), - dup11, - dup2, - ])); - - var msg97 = msg("pluto", part105); - - var part106 = match("MESSAGE#97:pluto:01", "nwparser.payload", "including NAT-Traversal patch (%{info})", processor_chain([ - dup12, - setc("event_description","pluto: including NAT-Traversal patch."), - dup11, - dup2, - ])); - - var msg98 = msg("pluto:01", part106); - - var part107 = match("MESSAGE#98:pluto:02", "nwparser.payload", "ike_alg: Activating %{info->} encryption: Ok", processor_chain([ - dup33, - setc("event_description","pluto: Activating encryption algorithm."), - dup11, - dup2, - ])); - - var msg99 = msg("pluto:02", 
part107); - - var part108 = match("MESSAGE#99:pluto:03", "nwparser.payload", "ike_alg: Activating %{info->} hash: Ok", processor_chain([ - dup33, - setc("event_description","pluto: Activating hash algorithm."), - dup11, - dup2, - ])); - - var msg100 = msg("pluto:03", part108); - - var part109 = match("MESSAGE#100:pluto:04", "nwparser.payload", "Testing registered IKE encryption algorithms:%{}", processor_chain([ - dup12, - setc("event_description","pluto: Testing registered IKE encryption algorithms"), - dup11, - dup2, - ])); - - var msg101 = msg("pluto:04", part109); - - var part110 = match("MESSAGE#101:pluto:05", "nwparser.payload", "%{info->} self-test not available", processor_chain([ - dup12, - setc("event_description","pluto: Algorithm self-test not available."), - dup11, - dup2, - ])); - - var msg102 = msg("pluto:05", part110); - - var part111 = match("MESSAGE#102:pluto:06", "nwparser.payload", "%{info->} self-test passed", processor_chain([ - dup12, - setc("event_description","pluto: Algorithm self-test passed."), - dup11, - dup2, - ])); - - var msg103 = msg("pluto:06", part111); - - var part112 = match("MESSAGE#103:pluto:07", "nwparser.payload", "Using KLIPS IPsec interface code%{}", processor_chain([ - dup12, - setc("event_description","pluto: Using KLIPS IPsec interface code"), - dup11, - dup2, - ])); - - var msg104 = msg("pluto:07", part112); - - var part113 = match("MESSAGE#104:pluto:08", "nwparser.payload", "adding interface %{interface->} %{saddr}:%{sport}", processor_chain([ - dup12, - setc("event_description","pluto: adding interface"), - dup11, - dup2, - ])); - - var msg105 = msg("pluto:08", part113); - - var part114 = match("MESSAGE#105:pluto:09", "nwparser.payload", "loading secrets from \"%(unknown)\"", processor_chain([ - dup34, - setc("event_description","pluto: loading secrets"), - dup11, - dup2, - ])); - - var msg106 = msg("pluto:09", part114); - - var part115 = match("MESSAGE#106:pluto:10", "nwparser.payload", "loaded private key file 
'%(unknown)' (%{filename_size->} bytes)", processor_chain([ - dup34, - setc("event_description","pluto: loaded private key file"), - dup11, - dup2, - ])); - - var msg107 = msg("pluto:10", part115); - - var part116 = match("MESSAGE#107:pluto:11", "nwparser.payload", "added connection description \"%{fld2}\"", processor_chain([ - dup12, - setc("event_description","pluto: added connection description"), - dup11, - dup2, - ])); - - var msg108 = msg("pluto:11", part116); - - var part117 = match("MESSAGE#108:pluto:12", "nwparser.payload", "\"%{fld2}\" #%{fld3}: initiating Main Mode", processor_chain([ - dup12, - dup35, - dup11, - dup2, - ])); - - var msg109 = msg("pluto:12", part117); - - var part118 = match("MESSAGE#109:pluto:13", "nwparser.payload", "\"%{fld2}\" #%{fld3}: max number of retransmissions (%{fld4}) reached STATE_MAIN_I1. No response (or no acceptable response) to our first IKE message", processor_chain([ - dup10, - dup36, - dup11, - dup2, - ])); - - var msg110 = msg("pluto:13", part118); - - var part119 = match("MESSAGE#110:pluto:14", "nwparser.payload", "\"%{fld2}\" #%{fld3}: starting keying attempt %{fld4->} of an unlimited number", processor_chain([ - dup12, - dup37, - dup11, - dup2, - ])); - - var msg111 = msg("pluto:14", part119); - - var part120 = match("MESSAGE#111:pluto:15", "nwparser.payload", "forgetting secrets%{}", processor_chain([ - dup12, - setc("event_description","pluto:forgetting secrets"), - dup11, - dup2, - ])); - - var msg112 = msg("pluto:15", part120); - - var part121 = match("MESSAGE#112:pluto:17", "nwparser.payload", "Changing to directory '%{directory}'", processor_chain([ - dup12, - setc("event_description","pluto:Changing to directory"), - dup11, - dup2, - ])); - - var msg113 = msg("pluto:17", part121); - - var part122 = match("MESSAGE#113:pluto:18", "nwparser.payload", "| *time to handle event%{}", processor_chain([ - dup12, - setc("event_description","pluto:*time to handle event"), - dup11, - dup2, - ])); - - var msg114 = 
msg("pluto:18", part122); - - var part123 = match("MESSAGE#114:pluto:19", "nwparser.payload", "| *received kernel message%{}", processor_chain([ - dup12, - setc("event_description","pluto:*received kernel message"), - dup11, - dup2, - ])); - - var msg115 = msg("pluto:19", part123); - - var part124 = match("MESSAGE#115:pluto:20", "nwparser.payload", "| rejected packet:%{}", processor_chain([ - dup25, - setc("event_description","pluto:rejected packet"), - dup11, - dup2, - ])); - - var msg116 = msg("pluto:20", part124); - - var part125 = match("MESSAGE#116:pluto:21", "nwparser.payload", "| next event %{event_type->} in %{fld2->} seconds for #%{fld3}", processor_chain([ - dup12, - dup11, - dup2, - ])); - - var msg117 = msg("pluto:21", part125); - - var part126 = match("MESSAGE#117:pluto:22", "nwparser.payload", "| next event %{event_type->} in %{fld2->} seconds", processor_chain([ - dup12, - dup11, - dup2, - ])); - - var msg118 = msg("pluto:22", part126); - - var part127 = match("MESSAGE#118:pluto:23", "nwparser.payload", "| inserting event %{event_type->} in %{fld2->} seconds for #%{fld3}", processor_chain([ - dup12, - dup11, - dup2, - ])); - - var msg119 = msg("pluto:23", part127); - - var part128 = match("MESSAGE#119:pluto:24", "nwparser.payload", "| event after this is %{event_type->} in %{fld2->} seconds", processor_chain([ - dup12, - dup11, - dup2, - ])); - - var msg120 = msg("pluto:24", part128); - - var part129 = match("MESSAGE#120:pluto:25", "nwparser.payload", "| recent %{action->} activity %{fld2->} seconds ago, %{info}", processor_chain([ - dup12, - dup11, - dup2, - ])); - - var msg121 = msg("pluto:25", part129); - - var part130 = match("MESSAGE#121:pluto:26", "nwparser.payload", "| *received %{rbytes->} bytes from %{saddr}:%{sport->} on %{dinterface}", processor_chain([ - dup12, - dup11, - dup2, - ])); - - var msg122 = msg("pluto:26", part130); - - var part131 = match("MESSAGE#122:pluto:27", "nwparser.payload", "| received %{action->} notification %{msg->} 
with seqno = %{fld2}", processor_chain([ - dup12, - dup11, - dup2, - ])); - - var msg123 = msg("pluto:27", part131); - - var part132 = match("MESSAGE#123:pluto:28", "nwparser.payload", "| sent %{action->} notification %{msg->} with seqno = %{fld2}", processor_chain([ - dup12, - dup11, - dup2, - ])); - - var msg124 = msg("pluto:28", part132); - - var part133 = match("MESSAGE#124:pluto:29", "nwparser.payload", "| inserting event %{event_type}, timeout in %{fld2->} seconds", processor_chain([ - dup12, - dup11, - dup2, - ])); - - var msg125 = msg("pluto:29", part133); - - var part134 = match("MESSAGE#125:pluto:30", "nwparser.payload", "| handling event %{event_type->} for %{saddr->} \"%{fld2}\" #%{fld3}", processor_chain([ - dup12, - dup11, - dup2, - ])); - - var msg126 = msg("pluto:30", part134); - - var part135 = match("MESSAGE#126:pluto:31", "nwparser.payload", "| %{event_description}", processor_chain([ - dup12, - dup11, - dup2, - ])); - - var msg127 = msg("pluto:31", part135); - - var part136 = match("MESSAGE#127:pluto:32", "nwparser.payload", "%{fld2}: asynchronous network error report on %{interface->} for message to %{daddr->} port %{dport}, complainant %{saddr}: Connection refused [errno %{fld4}, origin ICMP type %{icmptype->} code %{icmpcode->} (not authenticated)]", processor_chain([ - dup12, - setc("event_description","not authenticated"), - dup11, - dup2, - ])); - - var msg128 = msg("pluto:32", part136); - - var part137 = match("MESSAGE#128:pluto:33", "nwparser.payload", "\"%{fld2}\"[%{fld4}] %{saddr->} #%{fld3}: initiating Main Mode", processor_chain([ - dup12, - dup35, - dup11, - dup2, - ])); - - var msg129 = msg("pluto:33", part137); - - var part138 = match("MESSAGE#129:pluto:34", "nwparser.payload", "\"%{fld2}\"[%{fld4}] %{saddr->} #%{fld3}: max number of retransmissions (%{fld5}) reached STATE_MAIN_I1. 
No response (or no acceptable response) to our first IKE message", processor_chain([ - dup12, - dup36, - dup11, - dup2, - ])); - - var msg130 = msg("pluto:34", part138); - - var part139 = match("MESSAGE#130:pluto:35", "nwparser.payload", "\"%{fld2}\"[%{fld4}] %{saddr->} #%{fld3}: starting keying attempt %{fld5->} of an unlimited number", processor_chain([ - dup12, - dup37, - dup11, - dup2, - ])); - - var msg131 = msg("pluto:35", part139); - - var select11 = linear_select([ - msg97, - msg98, - msg99, - msg100, - msg101, - msg102, - msg103, - msg104, - msg105, - msg106, - msg107, - msg108, - msg109, - msg110, - msg111, - msg112, - msg113, - msg114, - msg115, - msg116, - msg117, - msg118, - msg119, - msg120, - msg121, - msg122, - msg123, - msg124, - msg125, - msg126, - msg127, - msg128, - msg129, - msg130, - msg131, - ]); - - var part140 = match("MESSAGE#131:xl2tpd", "nwparser.payload", "This binary does not support kernel L2TP.%{}", processor_chain([ - setc("eventcategory","1607000000"), - setc("event_description","xl2tpd:This binary does not support kernel L2TP."), - dup11, - dup2, - ])); - - var msg132 = msg("xl2tpd", part140); - - var part141 = match("MESSAGE#132:xl2tpd:01", "nwparser.payload", "xl2tpd version %{version->} started on PID:%{fld2}", processor_chain([ - dup12, - setc("event_description","xl2tpd:xl2tpd started."), - dup11, - dup2, - ])); - - var msg133 = msg("xl2tpd:01", part141); - - var part142 = match("MESSAGE#133:xl2tpd:02", "nwparser.payload", "Written by %{info}", processor_chain([ - dup12, - dup38, - dup11, - dup2, - ])); - - var msg134 = msg("xl2tpd:02", part142); - - var part143 = match("MESSAGE#134:xl2tpd:03", "nwparser.payload", "Forked by %{info}", processor_chain([ - dup12, - dup38, - dup11, - dup2, - ])); - - var msg135 = msg("xl2tpd:03", part143); - - var part144 = match("MESSAGE#135:xl2tpd:04", "nwparser.payload", "Inherited by %{info}", processor_chain([ - dup12, - dup38, - dup11, - dup2, - ])); - - var msg136 = msg("xl2tpd:04", 
part144); - - var part145 = match("MESSAGE#136:xl2tpd:05", "nwparser.payload", "Listening on IP address %{saddr}, port %{sport}", processor_chain([ - dup12, - dup38, - dup11, - dup2, - ])); - - var msg137 = msg("xl2tpd:05", part145); - - var select12 = linear_select([ - msg132, - msg133, - msg134, - msg135, - msg136, - msg137, - ]); - - var part146 = match("MESSAGE#137:barnyard:01", "nwparser.payload", "Exiting%{}", processor_chain([ - dup12, - setc("event_description","barnyard: Exiting"), - dup11, - dup2, - ])); - - var msg138 = msg("barnyard:01", part146); - - var part147 = match("MESSAGE#138:barnyard:02", "nwparser.payload", "Initializing daemon mode%{}", processor_chain([ - dup12, - setc("event_description","barnyard:Initializing daemon mode"), - dup11, - dup2, - ])); - - var msg139 = msg("barnyard:02", part147); - - var part148 = match("MESSAGE#139:barnyard:03", "nwparser.payload", "Opened spool file '%(unknown)'", processor_chain([ - dup12, - setc("event_description","barnyard:Opened spool file."), - dup11, - dup2, - ])); - - var msg140 = msg("barnyard:03", part148); - - var part149 = match("MESSAGE#140:barnyard:04", "nwparser.payload", "Waiting for new data%{}", processor_chain([ - dup12, - setc("event_description","barnyard:Waiting for new data"), - dup11, - dup2, - ])); - - var msg141 = msg("barnyard:04", part149); - - var select13 = linear_select([ - msg138, - msg139, - msg140, - msg141, - ]); - - var part150 = match("MESSAGE#141:exim:01", "nwparser.payload", "%{fld2}-%{fld3}-%{fld4->} %{fld5}:%{fld6}:%{fld7->} SMTP connection from localhost (%{hostname}) [%{saddr}]:%{sport->} closed by QUIT", processor_chain([ - dup12, - setc("event_description","exim:SMTP connection from localhost closed by QUIT"), - dup11, - dup2, - ])); - - var msg142 = msg("exim:01", part150); - - var part151 = match("MESSAGE#142:exim:02", "nwparser.payload", "%{fld2}-%{fld3}-%{fld4->} %{fld5}:%{fld6}:%{fld7->} [%{saddr}] F=\u003c\u003c%{from}> R=\u003c\u003c%{to}> Accepted: 
%{info}", processor_chain([ - setc("eventcategory","1207010000"), - setc("event_description","exim:e-mail accepted from relay."), - dup11, - dup2, - ])); - - var msg143 = msg("exim:02", part151); - - var part152 = match("MESSAGE#143:exim:03", "nwparser.payload", "%{fld2}-%{fld3}-%{fld4->} %{fld5}:%{fld6}:%{fld7->} %{fld8->} \u003c\u003c= %{from->} H=localhost (%{hostname}) [%{saddr}]:%{sport->} P=%{protocol->} S=%{fld9->} id=%{info}", processor_chain([ - setc("eventcategory","1207000000"), - setc("event_description","exim: e-mail sent."), - dup11, - dup2, - ])); - - var msg144 = msg("exim:03", part152); - - var part153 = match("MESSAGE#144:exim:04", "nwparser.payload", "%{fld2}-%{fld3}-%{fld4->} %{fld5}:%{fld6}:%{fld7->} %{fld8->} == %{from->} R=dnslookup defer (%{fld9}): host lookup did not complete", processor_chain([ - dup39, - setc("event_description","exim: e-mail host lookup did not complete in DNS."), - dup11, - dup2, - ])); - - var msg145 = msg("exim:04", part153); - - var part154 = match("MESSAGE#145:exim:05", "nwparser.payload", "%{fld2}-%{fld3}-%{fld4->} %{fld5}:%{fld6}:%{fld7->} %{fld8->} == %{from->} routing defer (%{fld9}): retry time not reached", processor_chain([ - dup39, - setc("event_description","exim: e-mail routing defer:retry time not reached."), - dup11, - dup2, - ])); - - var msg146 = msg("exim:05", part154); - - var part155 = match("MESSAGE#146:exim:06", "nwparser.payload", "%{fld2}-%{fld3}-%{fld4->} %{fld5}:%{fld6}:%{fld7->} exim %{version->} daemon started: pid=%{fld8}, no queue runs, listening for SMTP on port %{sport->} (%{info}) port %{fld9->} (%{fld10}) and for SMTPS on port %{fld11->} (%{fld12})", processor_chain([ - dup12, - setc("event_description","exim: exim daemon started."), - dup11, - dup2, - ])); - - var msg147 = msg("exim:06", part155); - - var part156 = match("MESSAGE#147:exim:07", "nwparser.payload", "%{fld2}-%{fld3}-%{fld4->} %{fld5}:%{fld6}:%{fld7->} Start queue run: pid=%{fld8}", processor_chain([ - dup12, - 
setc("event_description","exim: Start queue run."), - dup11, - dup2, - ])); - - var msg148 = msg("exim:07", part156); - - var part157 = match("MESSAGE#148:exim:08", "nwparser.payload", "%{fld2}-%{fld3}-%{fld4->} %{fld5}:%{fld6}:%{fld7->} pid %{fld8}: SIGHUP received: re-exec daemon", processor_chain([ - dup12, - setc("event_description","exim: SIGHUP received: re-exec daemon."), - dup11, - dup2, - ])); - - var msg149 = msg("exim:08", part157); - - var part158 = match("MESSAGE#149:exim:09", "nwparser.payload", "%{fld2}-%{fld3}-%{fld4->} %{fld5}:%{fld6}:%{fld7->} SMTP connection from [%{saddr}]:%{sport->} %{info}", processor_chain([ - dup12, - setc("event_description","exim: SMTP connection from host."), - dup11, - dup2, - ])); - - var msg150 = msg("exim:09", part158); - - var part159 = match("MESSAGE#150:exim:10", "nwparser.payload", "%{fld2}-%{fld3}-%{fld4->} %{fld5}:%{fld6}:%{fld7->} rejected EHLO from [%{saddr}]:%{sport->} %{info}", processor_chain([ - dup12, - setc("event_description","exim:rejected EHLO from host."), - dup11, - dup2, - ])); - - var msg151 = msg("exim:10", part159); - - var part160 = match("MESSAGE#151:exim:11", "nwparser.payload", "%{fld2}-%{fld3}-%{fld4->} %{fld5}:%{fld6}:%{fld7->} SMTP protocol synchronization error (%{result}): %{fld8->} H=[%{saddr}]:%{sport->} %{info}", processor_chain([ - dup12, - setc("event_description","exim:SMTP protocol synchronization error rejected connection from host."), - dup11, - dup2, - ])); - - var msg152 = msg("exim:11", part160); - - var part161 = match("MESSAGE#152:exim:12", "nwparser.payload", "%{fld2}-%{fld3}-%{fld4->} %{fld5}:%{fld6}:%{fld7->} TLS error on connection from [%{saddr}]:%{sport->} %{info}", processor_chain([ - dup12, - setc("event_description","exim:TLS error on connection from host."), - dup11, - dup2, - ])); - - var msg153 = msg("exim:12", part161); - - var part162 = match("MESSAGE#153:exim:13", "nwparser.payload", "%{fld2}-%{fld3}-%{fld4->} %{fld5}:%{fld6}:%{fld7->} %{fld10->} == 
%{hostname->} R=%{fld8->} T=%{fld9}: %{info}", processor_chain([ - dup12, - dup40, - dup11, - dup2, - ])); - - var msg154 = msg("exim:13", part162); - - var part163 = match("MESSAGE#154:exim:14", "nwparser.payload", "%{fld2}-%{fld3}-%{fld4->} %{fld5}:%{fld6}:%{fld7->} %{fld10->} %{hostname->} [%{saddr}]:%{sport->} %{info}", processor_chain([ - dup12, - dup40, - dup11, - dup2, - ])); - - var msg155 = msg("exim:14", part163); - - var part164 = match("MESSAGE#155:exim:15", "nwparser.payload", "%{fld2}-%{fld3}-%{fld4->} %{fld5}:%{fld6}:%{fld7->} End queue run: %{info}", processor_chain([ - dup12, - dup40, - dup11, - dup2, - ])); - - var msg156 = msg("exim:15", part164); - - var part165 = match("MESSAGE#156:exim:16", "nwparser.payload", "%{fld2->} %{fld3}", processor_chain([ - dup12, - dup11, - dup2, - ])); - - var msg157 = msg("exim:16", part165); - - var select14 = linear_select([ - msg142, - msg143, - msg144, - msg145, - msg146, - msg147, - msg148, - msg149, - msg150, - msg151, - msg152, - msg153, - msg154, - msg155, - msg156, - msg157, - ]); - - var part166 = match("MESSAGE#157:smtpd:01", "nwparser.payload", "QMGR[%{fld2}]: %{fld3->} moved to work queue", processor_chain([ - dup12, - setc("event_description","smtpd: Process moved to work queue."), - dup11, - dup2, - ])); - - var msg158 = msg("smtpd:01", part166); - - var part167 = match("MESSAGE#158:smtpd:02", "nwparser.payload", "SCANNER[%{fld3}]: id=\"1000\" severity=\"%{severity}\" sys=\"%{fld4}\" sub=\"%{service}\" name=\"%{event_description}\" srcip=\"%{saddr}\" from=\"%{from}\" to=\"%{to}\" subject=\"%{subject}\" queueid=\"%{fld5}\" size=\"%{rbytes}\"", processor_chain([ - setc("eventcategory","1207010100"), - dup11, - dup2, - ])); - - var msg159 = msg("smtpd:02", part167); - - var part168 = match("MESSAGE#159:smtpd:03", "nwparser.payload", "SCANNER[%{fld3}]: Nothing to do, exiting.", processor_chain([ - dup12, - setc("event_description","smtpd: SCANNER: Nothing to do,exiting."), - dup11, - dup2, - ])); - - 
var msg160 = msg("smtpd:03", part168); - - var part169 = match("MESSAGE#160:smtpd:04", "nwparser.payload", "MASTER[%{fld3}]: QR globally disabled, status two set to 'disabled'", processor_chain([ - dup12, - setc("event_description","smtpd: MASTER:QR globally disabled, status two set to disabled."), - dup11, - dup2, - ])); - - var msg161 = msg("smtpd:04", part169); - - var part170 = match("MESSAGE#161:smtpd:07", "nwparser.payload", "MASTER[%{fld3}]: QR globally disabled, status one set to 'disabled'", processor_chain([ - dup12, - setc("event_description","smtpd: MASTER:QR globally disabled, status one set to disabled."), - dup11, - dup2, - ])); - - var msg162 = msg("smtpd:07", part170); - - var part171 = match("MESSAGE#162:smtpd:05", "nwparser.payload", "MASTER[%{fld3}]: (Re-)loading configuration from Confd", processor_chain([ - dup12, - setc("event_description","smtpd: MASTER:(Re-)loading configuration from Confd."), - dup11, - dup2, - ])); - - var msg163 = msg("smtpd:05", part171); - - var part172 = match("MESSAGE#163:smtpd:06", "nwparser.payload", "MASTER[%{fld3}]: Sending QR one", processor_chain([ - dup12, - setc("event_description","smtpd: MASTER:Sending QR one."), - dup11, - dup2, - ])); - - var msg164 = msg("smtpd:06", part172); - - var select15 = linear_select([ - msg158, - msg159, - msg160, - msg161, - msg162, - msg163, - msg164, - ]); - - var part173 = match("MESSAGE#164:sshd:01", "nwparser.payload", "Did not receive identification string from %{fld18}", processor_chain([ - dup10, - setc("event_description","sshd: Did not receive identification string."), - dup11, - dup2, - ])); - - var msg165 = msg("sshd:01", part173); - - var part174 = match("MESSAGE#165:sshd:02", "nwparser.payload", "Received SIGHUP; restarting.%{}", processor_chain([ - dup12, - setc("event_description","sshd:Received SIGHUP restarting."), - dup11, - dup2, - ])); - - var msg166 = msg("sshd:02", part174); - - var part175 = match("MESSAGE#166:sshd:03", "nwparser.payload", "Server 
listening on %{saddr->} port %{sport}.", processor_chain([ - dup12, - setc("event_description","sshd:Server listening; restarting."), - dup11, - dup2, - ])); - - var msg167 = msg("sshd:03", part175); - - var part176 = match("MESSAGE#167:sshd:04", "nwparser.payload", "Invalid user admin from %{fld18}", processor_chain([ - dup41, - setc("event_description","sshd:Invalid user admin."), - dup11, - dup2, - ])); - - var msg168 = msg("sshd:04", part176); - - var part177 = match("MESSAGE#168:sshd:05", "nwparser.payload", "Failed none for invalid user admin from %{saddr->} port %{sport->} %{fld3}", processor_chain([ - dup41, - setc("event_description","sshd:Failed none for invalid user admin."), - dup11, - dup2, - ])); - - var msg169 = msg("sshd:05", part177); - - var part178 = match("MESSAGE#169:sshd:06", "nwparser.payload", "error: Could not get shadow information for NOUSER%{}", processor_chain([ - dup10, - setc("event_description","sshd:error:Could not get shadow information for NOUSER"), - dup11, - dup2, - ])); - - var msg170 = msg("sshd:06", part178); - - var part179 = match("MESSAGE#170:sshd:07", "nwparser.payload", "Failed password for root from %{saddr->} port %{sport->} %{fld3}", processor_chain([ - dup41, - setc("event_description","sshd:Failed password for root."), - dup11, - dup2, - ])); - - var msg171 = msg("sshd:07", part179); - - var part180 = match("MESSAGE#171:sshd:08", "nwparser.payload", "Accepted password for loginuser from %{saddr->} port %{sport->} %{fld3}", processor_chain([ - setc("eventcategory","1302000000"), - setc("event_description","sshd:Accepted password for loginuser."), - dup11, - dup2, - ])); - - var msg172 = msg("sshd:08", part180); - - var part181 = match("MESSAGE#172:sshd:09", "nwparser.payload", "subsystem request for sftp failed, subsystem not found%{}", processor_chain([ - dup10, - setc("event_description","sshd:subsystem request for sftp failed,subsystem not found."), - dup11, - dup2, - ])); - - var msg173 = msg("sshd:09", part181); 
- - var select16 = linear_select([ - msg165, - msg166, - msg167, - msg168, - msg169, - msg170, - msg171, - msg172, - msg173, - ]); - - var part182 = tagval("MESSAGE#173:aua:01", "nwparser.payload", tvm, { - "caller": "fld4", - "engine": "fld5", - "id": "fld1", - "name": "event_description", - "severity": "severity", - "srcip": "saddr", - "sub": "service", - "sys": "fld2", - "user": "username", - }, processor_chain([ - dup13, - dup11, - dup2, - dup45, - dup46, - ])); - - var msg174 = msg("aua:01", part182); - - var part183 = match("MESSAGE#174:sockd:01", "nwparser.payload", "created new negotiatorchild%{}", processor_chain([ - dup12, - setc("event_description","sockd: created new negotiatorchild."), - dup11, - dup2, - ])); - - var msg175 = msg("sockd:01", part183); - - var part184 = match("MESSAGE#175:sockd:02", "nwparser.payload", "dante/server %{version->} running", processor_chain([ - dup12, - setc("event_description","sockd:dante/server running."), - dup11, - dup2, - ])); - - var msg176 = msg("sockd:02", part184); - - var part185 = match("MESSAGE#176:sockd:03", "nwparser.payload", "sockdexit(): terminating on signal %{fld2}", processor_chain([ - dup12, - setc("event_description","sockd:sockdexit():terminating on signal."), - dup11, - dup2, - ])); - - var msg177 = msg("sockd:03", part185); - - var select17 = linear_select([ - msg175, - msg176, - msg177, - ]); - - var part186 = match("MESSAGE#177:pop3proxy", "nwparser.payload", "Master started%{}", processor_chain([ - dup12, - setc("event_description","pop3proxy:Master started."), - dup11, - dup2, - ])); - - var msg178 = msg("pop3proxy", part186); - - var part187 = tagval("MESSAGE#178:astarosg_TVM", "nwparser.payload", tvm, { - "account": "logon_id", - "action": "action", - "ad_domain": "fld5", - "app-id": "fld20", - "application": "fld19", - "attributes": "obj_name", - "auth": "fld15", - "authtime": "fld9", - "avscantime": "fld12", - "cached": "fld7", - "caller": "fld30", - "category": "policy_id", - 
"categoryname": "info", - "cattime": "fld11", - "class": "group_object", - "client": "fld3", - "content-type": "content_type", - "cookie": "web_cookie", - "count": "fld4", - "device": "fld14", - "dnstime": "fld10", - "dstip": "daddr", - "dstmac": "dmacaddr", - "dstport": "dport", - "engine": "fld31", - "error": "comments", - "exceptions": "fld17", - "extension": "web_extension", - "extra": "info", - "facility": "logon_type", - "file": "filename", - "filename": "filename", - "filteraction": "policyname", - "fullreqtime": "fld13", - "function": "action", - "fwrule": "policy_id", - "group": "group", - "host": "dhost", - "id": "rule", - "info": "context", - "initf": "sinterface", - "length": "fld25", - "line": "fld22", - "localip": "fld31", - "message": "context", - "method": "web_method", - "name": "event_description", - "node": "node", - "object": "fld6", - "outitf": "dinterface", - "prec": "fld30", - "profile": "owner", - "proto": "fld24", - "reason": "comments", - "referer": "web_referer", - "reputation": "fld18", - "request": "fld8", - "seq": "fld23", - "server": "daddr", - "set-cookie": "fld32", - "severity": "severity", - "size": "filename_size", - "srcip": "saddr", - "srcmac": "smacaddr", - "srcport": "sport", - "statuscode": "resultcode", - "storage": "directory", - "sub": "service", - "sys": "vsys", - "tcpflags": "fld29", - "time": "fld21", - "tos": "fld26", - "ttl": "fld28", - "type": "obj_type", - "ua": "fld16", - "url": "url", - "user": "username", - "version": "version", - }, processor_chain([ - dup12, - dup11, - dup2, - dup45, - dup46, - ])); - - var msg179 = msg("astarosg_TVM", part187); - - var part188 = tagval("MESSAGE#179:httpd", "nwparser.payload", tvm, { - "account": "logon_id", - "action": "action", - "ad_domain": "fld5", - "app-id": "fld20", - "application": "fld19", - "attributes": "obj_name", - "auth": "fld15", - "authtime": "fld9", - "avscantime": "fld12", - "cached": "fld7", - "caller": "fld30", - "category": "policy_id", - "categoryname": 
"info", - "cattime": "fld11", - "class": "group_object", - "client": "fld3", - "content-type": "content_type", - "cookie": "web_cookie", - "count": "fld4", - "device": "fld14", - "dnstime": "fld10", - "dstip": "daddr", - "dstmac": "dmacaddr", - "dstport": "dport", - "engine": "fld31", - "error": "comments", - "exceptions": "fld17", - "extension": "web_extension", - "extra": "info", - "facility": "logon_type", - "file": "filename", - "filename": "filename", - "filteraction": "policyname", - "fullreqtime": "fld13", - "function": "action", - "fwrule": "policy_id", - "group": "group", - "host": "dhost", - "id": "rule", - "info": "context", - "initf": "sinterface", - "length": "fld25", - "line": "fld22", - "localip": "fld31", - "message": "context", - "method": "web_method", - "name": "event_description", - "node": "node", - "object": "fld6", - "outitf": "dinterface", - "port": "network_port", - "prec": "fld30", - "profile": "owner", - "proto": "fld24", - "query": "web_query", - "reason": "comments", - "referer": "web_referer", - "reputation": "fld18", - "request": "fld8", - "seq": "fld23", - "server": "daddr", - "set-cookie": "fld32", - "severity": "severity", - "size": "filename_size", - "srcip": "saddr", - "srcmac": "smacaddr", - "srcport": "sport", - "statuscode": "resultcode", - "storage": "directory", - "sub": "service", - "sys": "vsys", - "tcpflags": "fld29", - "time": "fld21", - "tos": "fld26", - "ttl": "fld28", - "type": "obj_type", - "ua": "fld16", - "uid": "uid", - "url": "url", - "user": "username", - "version": "version", - }, processor_chain([ - dup12, - dup11, - dup2, - dup45, - dup46, - ])); - - var msg180 = msg("httpd", part188); - - var part189 = match("MESSAGE#180:httpd:01", "nwparser.payload", "[%{event_log}:%{result}] [pid %{fld3}:%{fld4}] [client %{gateway}] ModSecurity: Warning. 
%{rulename->} [file \"%(unknown)\"] [line \"%{fld5}\"] [id \"%{rule}\"] [rev \"%{fld2}\"] [msg \"%{event_description}\"] [severity \"%{severity}\"] [ver \"%{version}\"] [maturity \"%{fld22}\"] [accuracy \"%{fld23}\"] [tag \"%{fld24}\"] [hostname \"%{dhost}\"] [uri \"%{web_root}\"] [unique_id \"%{operation_id}\"]%{fld25}", processor_chain([ - setc("eventcategory","1502000000"), - dup2, - dup3, - ])); - - var msg181 = msg("httpd:01", part189); - - var select18 = linear_select([ - msg180, - msg181, - ]); - - var part190 = tagval("MESSAGE#181:Sophos_Firewall", "nwparser.payload", tvm, { - "activityname": "fld9", - "appfilter_policy_id": "fld10", - "application": "application", - "application_category": "fld23", - "application_risk": "risk_num", - "application_technology": "fld11", - "appresolvedby": "fld22", - "category": "fld4", - "category_type": "fld5", - "connevent": "fld19", - "connid": "connectionid", - "contenttype": "content_type", - "dir_disp": "fld18", - "domain": "fqdn", - "dst_country_code": "location_dst", - "dst_ip": "daddr", - "dst_port": "dport", - "dstzone": "dst_zone", - "dstzonetype": "fld17", - "duration": "duration", - "exceptions": "fld8", - "fw_rule_id": "rule_uid", - "hb_health": "fld21", - "httpresponsecode": "fld7", - "iap": "id1", - "in_interface": "sinterface", - "ips_policy_id": "policy_id", - "log_component": "event_source", - "log_subtype": "category", - "log_type": "event_type", - "message": "info", - "out_interface": "dinterface", - "override_token": "fld6", - "policy_type": "fld23", - "priority": "severity", - "protocol": "protocol", - "reason": "result", - "recv_bytes": "rbytes", - "recv_pkts": "fld15", - "referer": "web_referer", - "sent_bytes": "sbytes", - "sent_pkts": "fld14", - "src_country_code": "location_src", - "src_ip": "saddr", - "src_mac": "smacaddr", - "src_port": "sport", - "srczone": "src_zone", - "srczonetype": "fld16", - "status": "event_state", - "status_code": "resultcode", - "tran_dst_ip": "dtransaddr", - 
"tran_dst_port": "dtransport", - "tran_src_ip": "stransaddr", - "tran_src_port": "stransport", - "transactionid": "id2", - "url": "url", - "user_agent": "user_agent", - "user_gp": "group", - "user_name": "username", - "vconnid": "fld20", - }, processor_chain([ - setc("eventcategory","1204000000"), - dup2, - date_time({ - dest: "event_time", - args: ["hdate","htime"], - fmts: [ - [dW,dc("-"),dG,dc("-"),dF,dH,dc(":"),dU,dc(":"),dS], - ], - }), - ])); - - var msg182 = msg("Sophos_Firewall", part190); - - var chain1 = processor_chain([ - select1, - msgid_select({ - "Sophos_Firewall": msg182, - "URID": msg38, - "afcd": msg94, - "astarosg_TVM": msg179, - "aua": msg174, - "barnyard": select13, - "confd": msg90, - "confd-sync": msg89, - "exim": select14, - "frox": select9, - "httpd": select18, - "httpproxy": select3, - "ipsec_starter": select10, - "named": select2, - "pluto": select11, - "pop3proxy": msg178, - "reverseproxy": select8, - "smtpd": select15, - "sockd": select17, - "sshd": select16, - "ulogd": msg39, - "xl2tpd": select12, - }), - ]); - - var part191 = match_copy("MESSAGE#44:reverseproxy:07/1_0", "nwparser.p0", "p0"); - -- community_id: -- registered_domain: - ignore_missing: true - ignore_failure: true - field: dns.question.name - target_field: dns.question.registered_domain - target_subdomain_field: dns.question.subdomain - target_etld_field: dns.question.top_level_domain -- registered_domain: - ignore_missing: true - ignore_failure: true - field: client.domain - target_field: client.registered_domain - target_subdomain_field: client.subdomain - target_etld_field: client.top_level_domain -- registered_domain: - ignore_missing: true - ignore_failure: true - field: server.domain - target_field: server.registered_domain - target_subdomain_field: server.subdomain - target_etld_field: server.top_level_domain -- registered_domain: - ignore_missing: true - ignore_failure: true - field: destination.domain - target_field: destination.registered_domain - 
target_subdomain_field: destination.subdomain
- target_etld_field: destination.top_level_domain
-- registered_domain:
- ignore_missing: true
- ignore_failure: true
- field: source.domain
- target_field: source.registered_domain
- target_subdomain_field: source.subdomain
- target_etld_field: source.top_level_domain
-- registered_domain:
- ignore_missing: true
- ignore_failure: true
- field: url.domain
- target_field: url.registered_domain
- target_subdomain_field: url.subdomain
- target_etld_field: url.top_level_domain
-- add_locale: ~
diff --git a/packages/sophos/2.4.2/data_stream/utm/agent/stream/tcp.yml.hbs b/packages/sophos/2.4.2/data_stream/utm/agent/stream/tcp.yml.hbs
deleted file mode 100755
index 1de04c8c77..0000000000
--- a/packages/sophos/2.4.2/data_stream/utm/agent/stream/tcp.yml.hbs
+++ /dev/null
@@ -1,5069 +0,0 @@ -tcp: -host: "{{tcp_host}}:{{tcp_port}}" -tags: -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#each tags as |tag i|}} - - {{tag}} -{{/each}} -fields_under_root: true -fields: - observer: - vendor: "Sophos" - product: "UTM" - type: "Firewall" -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} -processors: -{{#if processors}} -{{processors}} -{{/if}} -- script: - lang: javascript - params: - ecs: true - rsa: {{rsa_fields}} - tz_offset: {{tz_offset}} - keep_raw: {{keep_raw_fields}} - debug: {{debug}} - source: | - // Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - // or more contributor license agreements. Licensed under the Elastic License; - // you may not use this file except in compliance with the Elastic License. - - /* jshint -W014,-W016,-W097,-W116 */ - - var processor = require("processor"); - var console = require("console"); - - var FLAG_FIELD = "log.flags"; - var FIELDS_OBJECT = "nwparser"; - var FIELDS_PREFIX = FIELDS_OBJECT + "."; - - var defaults = { - debug: false, - ecs: true, - rsa: false, - keep_raw: false, - tz_offset: "local", - strip_priority: true - }; - - var saved_flags = null; - var debug; - var map_ecs; - var map_rsa; - var keep_raw; - var device; - var tz_offset; - var strip_priority; - - // Register params from configuration. - function register(params) { - debug = params.debug !== undefined ? params.debug : defaults.debug; - map_ecs = params.ecs !== undefined ? params.ecs : defaults.ecs; - map_rsa = params.rsa !== undefined ? params.rsa : defaults.rsa; - keep_raw = params.keep_raw !== undefined ? params.keep_raw : defaults.keep_raw; - tz_offset = parse_tz_offset(params.tz_offset !== undefined? params.tz_offset : defaults.tz_offset); - strip_priority = params.strip_priority !== undefined? 
params.strip_priority : defaults.strip_priority; - device = new DeviceProcessor(); - } - - function parse_tz_offset(offset) { - var date; - var m; - switch(offset) { - // local uses the tz offset from the JS VM. - case "local": - date = new Date(); - // Reversing the sign as we the offset from UTC, not to UTC. - return parse_local_tz_offset(-date.getTimezoneOffset()); - // event uses the tz offset from event.timezone (add_locale processor). - case "event": - return offset; - // Otherwise a tz offset in the form "[+-][0-9]{4}" is required. - default: - m = offset.match(/^([+\-])([0-9]{2}):?([0-9]{2})?$/); - if (m === null || m.length !== 4) { - throw("bad timezone offset: '" + offset + "'. Must have the form +HH:MM"); - } - return m[1] + m[2] + ":" + (m[3]!==undefined? m[3] : "00"); - } - } - - function parse_local_tz_offset(minutes) { - var neg = minutes < 0; - minutes = Math.abs(minutes); - var min = minutes % 60; - var hours = Math.floor(minutes / 60); - var pad2digit = function(n) { - if (n < 10) { return "0" + n;} - return "" + n; - }; - return (neg? "-" : "+") + pad2digit(hours) + ":" + pad2digit(min); - } - - function process(evt) { - // Function register is only called by the processor when `params` are set - // in the processor config. - if (device === undefined) { - register(defaults); - } - return device.process(evt); - } - - function processor_chain(subprocessors) { - var builder = new processor.Chain(); - subprocessors.forEach(builder.Add); - return builder.Build().Run; - } - - function linear_select(subprocessors) { - return function (evt) { - var flags = evt.Get(FLAG_FIELD); - var i; - for (i = 0; i < subprocessors.length; i++) { - evt.Delete(FLAG_FIELD); - if (debug) console.warn("linear_select trying entry " + i); - subprocessors[i](evt); - // Dissect processor succeeded? 
- if (evt.Get(FLAG_FIELD) == null) break; - if (debug) console.warn("linear_select failed entry " + i); - } - if (flags !== null) { - evt.Put(FLAG_FIELD, flags); - } - if (debug) { - if (i < subprocessors.length) { - console.warn("linear_select matched entry " + i); - } else { - console.warn("linear_select didn't match"); - } - } - }; - } - - function conditional(opt) { - return function(evt) { - if (opt.if(evt)) { - opt.then(evt); - } else if (opt.else) { - opt.else(evt); - } - }; - } - - var strip_syslog_priority = (function() { - var isEnabled = function() { return strip_priority === true; }; - var fetchPRI = field("_pri"); - var fetchPayload = field("payload"); - var removePayload = remove(["payload"]); - var cleanup = remove(["_pri", "payload"]); - var onMatch = function(evt) { - var pri, priStr = fetchPRI(evt); - if (priStr != null - && 0 < priStr.length && priStr.length < 4 - && !isNaN((pri = Number(priStr))) - && 0 <= pri && pri < 192) { - var severity = pri & 7, - facility = pri >> 3; - setc("_severity", "" + severity)(evt); - setc("_facility", "" + facility)(evt); - // Replace message with priority stripped. - evt.Put("message", fetchPayload(evt)); - removePayload(evt); - } else { - // not a valid syslog PRI, cleanup. 
- cleanup(evt); - } - }; - return conditional({ - if: isEnabled, - then: cleanup_flags(match( - "STRIP_PRI", - "message", - "<%{_pri}>%{payload}", - onMatch - )) - }); - })(); - - function match(id, src, pattern, on_success) { - var dissect = new processor.Dissect({ - field: src, - tokenizer: pattern, - target_prefix: FIELDS_OBJECT, - ignore_failure: true, - overwrite_keys: true, - trim_values: "right" - }); - return function (evt) { - var msg = evt.Get(src); - dissect.Run(evt); - var failed = evt.Get(FLAG_FIELD) != null; - if (debug) { - if (failed) { - console.debug("dissect fail: " + id + " field:" + src); - } else { - console.debug("dissect OK: " + id + " field:" + src); - } - console.debug(" expr: <<" + pattern + ">>"); - console.debug(" input: <<" + msg + ">>"); - } - if (on_success != null && !failed) { - on_success(evt); - } - }; - } - - function match_copy(id, src, dst, on_success) { - dst = FIELDS_PREFIX + dst; - if (dst === FIELDS_PREFIX || dst === src) { - return function (evt) { - if (debug) { - console.debug("noop OK: " + id + " field:" + src); - console.debug(" input: <<" + evt.Get(src) + ">>"); - } - if (on_success != null) on_success(evt); - } - } - return function (evt) { - var msg = evt.Get(src); - evt.Put(dst, msg); - if (debug) { - console.debug("copy OK: " + id + " field:" + src); - console.debug(" target: '" + dst + "'"); - console.debug(" input: <<" + msg + ">>"); - } - if (on_success != null) on_success(evt); - } - } - - function cleanup_flags(processor) { - return function(evt) { - processor(evt); - evt.Delete(FLAG_FIELD); - }; - } - - function all_match(opts) { - return function (evt) { - var i; - for (i = 0; i < opts.processors.length; i++) { - evt.Delete(FLAG_FIELD); - opts.processors[i](evt); - // Dissect processor succeeded? 
- if (evt.Get(FLAG_FIELD) != null) { - if (debug) console.warn("all_match failure at " + i); - if (opts.on_failure != null) opts.on_failure(evt); - return; - } - if (debug) console.warn("all_match success at " + i); - } - if (opts.on_success != null) opts.on_success(evt); - }; - } - - function msgid_select(mapping) { - return function (evt) { - var msgid = evt.Get(FIELDS_PREFIX + "messageid"); - if (msgid == null) { - if (debug) console.warn("msgid_select: no messageid captured!"); - return; - } - var next = mapping[msgid]; - if (next === undefined) { - if (debug) console.warn("msgid_select: no mapping for messageid:" + msgid); - return; - } - if (debug) console.info("msgid_select: matched key=" + msgid); - return next(evt); - }; - } - - function msg(msg_id, match) { - return function (evt) { - match(evt); - if (evt.Get(FLAG_FIELD) == null) { - evt.Put(FIELDS_PREFIX + "msg_id1", msg_id); - } - }; - } - - var start; - - function save_flags(evt) { - saved_flags = evt.Get(FLAG_FIELD); - evt.Put("event.original", evt.Get("message")); - } - - function restore_flags(evt) { - if (saved_flags !== null) { - evt.Put(FLAG_FIELD, saved_flags); - } - evt.Delete("message"); - } - - function constant(value) { - return function (evt) { - return value; - }; - } - - function field(name) { - var fullname = FIELDS_PREFIX + name; - return function (evt) { - return evt.Get(fullname); - }; - } - - function STRCAT(args) { - var s = ""; - var i; - for (i = 0; i < args.length; i++) { - s += args[i]; - } - return s; - } - - // TODO: Implement - function DIRCHK(args) { - unimplemented("DIRCHK"); - } - - function strictToInt(str) { - return str * 1; - } - - function CALC(args) { - if (args.length !== 3) { - console.warn("skipped call to CALC with " + args.length + " arguments."); - return; - } - var a = strictToInt(args[0]); - var b = strictToInt(args[2]); - if (isNaN(a) || isNaN(b)) { - console.warn("failed evaluating CALC arguments a='" + args[0] + "' b='" + args[2] + "'."); - return; - } - 
var result; - switch (args[1]) { - case "+": - result = a + b; - break; - case "-": - result = a - b; - break; - case "*": - result = a * b; - break; - default: - // Only * and + seen in the parsers. - console.warn("unknown CALC operation '" + args[1] + "'."); - return; - } - // Always return a string - return result !== undefined ? "" + result : result; - } - - var quoteChars = "\"'`"; - function RMQ(args) { - if(args.length !== 1) { - console.warn("RMQ: only one argument expected"); - return; - } - var value = args[0].trim(); - var n = value.length; - var char; - return n > 1 - && (char=value.charAt(0)) === value.charAt(n-1) - && quoteChars.indexOf(char) !== -1? - value.substr(1, n-2) - : value; - } - - function call(opts) { - var args = new Array(opts.args.length); - return function (evt) { - for (var i = 0; i < opts.args.length; i++) - if ((args[i] = opts.args[i](evt)) == null) return; - var result = opts.fn(args); - if (result != null) { - evt.Put(opts.dest, result); - } - }; - } - - function nop(evt) { - } - - function appendErrorMsg(evt, msg) { - var value = evt.Get("error.message"); - if (value == null) { - value = [msg]; - } else if (msg instanceof Array) { - value.push(msg); - } else { - value = [value, msg]; - } - evt.Put("error.message", value); - } - - function unimplemented(name) { - appendErrorMsg("unimplemented feature: " + name); - } - - function lookup(opts) { - return function (evt) { - var key = opts.key(evt); - if (key == null) return; - var value = opts.map.keyvaluepairs[key]; - if (value === undefined) { - value = opts.map.default; - } - if (value !== undefined) { - evt.Put(opts.dest, value(evt)); - } - }; - } - - function set(fields) { - return new processor.AddFields({ - target: FIELDS_OBJECT, - fields: fields, - }); - } - - function setf(dst, src) { - return function (evt) { - var val = evt.Get(FIELDS_PREFIX + src); - if (val != null) evt.Put(FIELDS_PREFIX + dst, val); - }; - } - - function setc(dst, value) { - return function (evt) { - 
evt.Put(FIELDS_PREFIX + dst, value); - }; - } - - function set_field(opts) { - return function (evt) { - var val = opts.value(evt); - if (val != null) evt.Put(opts.dest, val); - }; - } - - function dump(label) { - return function (evt) { - console.log("Dump of event at " + label + ": " + JSON.stringify(evt, null, "\t")); - }; - } - - function date_time_join_args(evt, arglist) { - var str = ""; - for (var i = 0; i < arglist.length; i++) { - var fname = FIELDS_PREFIX + arglist[i]; - var val = evt.Get(fname); - if (val != null) { - if (str !== "") str += " "; - str += val; - } else { - if (debug) console.warn("in date_time: input arg " + fname + " is not set"); - } - } - return str; - } - - function to2Digit(num) { - return num? (num < 10? "0" + num : num) : "00"; - } - - // Make two-digit dates 00-69 interpreted as 2000-2069 - // and dates 70-99 translated to 1970-1999. - var twoDigitYearEpoch = 70; - var twoDigitYearCentury = 2000; - - // This is to accept dates up to 2 days in the future, only used when - // no year is specified in a date. 2 days should be enough to account for - // time differences between systems and different tz offsets. - var maxFutureDelta = 2*24*60*60*1000; - - // DateContainer stores date fields and then converts those fields into - // a Date. Necessary because building a Date using its set() methods gives - // different results depending on the order of components. - function DateContainer(tzOffset) { - this.offset = tzOffset === undefined? "Z" : tzOffset; - } - - DateContainer.prototype = { - setYear: function(v) {this.year = v;}, - setMonth: function(v) {this.month = v;}, - setDay: function(v) {this.day = v;}, - setHours: function(v) {this.hours = v;}, - setMinutes: function(v) {this.minutes = v;}, - setSeconds: function(v) {this.seconds = v;}, - - setUNIX: function(v) {this.unix = v;}, - - set2DigitYear: function(v) { - this.year = v < twoDigitYearEpoch? 
twoDigitYearCentury + v : twoDigitYearCentury + v - 100; - }, - - toDate: function() { - if (this.unix !== undefined) { - return new Date(this.unix * 1000); - } - if (this.day === undefined || this.month === undefined) { - // Can't make a date from this. - return undefined; - } - if (this.year === undefined) { - // A date without a year. Set current year, or previous year - // if date would be in the future. - var now = new Date(); - this.year = now.getFullYear(); - var date = this.toDate(); - if (date.getTime() - now.getTime() > maxFutureDelta) { - date.setFullYear(now.getFullYear() - 1); - } - return date; - } - var MM = to2Digit(this.month); - var DD = to2Digit(this.day); - var hh = to2Digit(this.hours); - var mm = to2Digit(this.minutes); - var ss = to2Digit(this.seconds); - return new Date(this.year + "-" + MM + "-" + DD + "T" + hh + ":" + mm + ":" + ss + this.offset); - } - } - - function date_time_try_pattern(fmt, str, tzOffset) { - var date = new DateContainer(tzOffset); - var pos = date_time_try_pattern_at_pos(fmt, str, 0, date); - return pos !== undefined? 
date.toDate() : undefined; - } - - function date_time_try_pattern_at_pos(fmt, str, pos, date) { - var len = str.length; - for (var proc = 0; pos !== undefined && pos < len && proc < fmt.length; proc++) { - pos = fmt[proc](str, pos, date); - } - return pos; - } - - function date_time(opts) { - return function (evt) { - var tzOffset = opts.tz || tz_offset; - if (tzOffset === "event") { - tzOffset = evt.Get("event.timezone"); - } - var str = date_time_join_args(evt, opts.args); - for (var i = 0; i < opts.fmts.length; i++) { - var date = date_time_try_pattern(opts.fmts[i], str, tzOffset); - if (date !== undefined) { - evt.Put(FIELDS_PREFIX + opts.dest, date); - return; - } - } - if (debug) console.warn("in date_time: id=" + opts.id + " FAILED: " + str); - }; - } - - var uA = 60 * 60 * 24; - var uD = 60 * 60 * 24; - var uF = 60 * 60; - var uG = 60 * 60 * 24 * 30; - var uH = 60 * 60; - var uI = 60 * 60; - var uJ = 60 * 60 * 24; - var uM = 60 * 60 * 24 * 30; - var uN = 60 * 60; - var uO = 1; - var uS = 1; - var uT = 60; - var uU = 60; - var uc = dc; - - function duration(opts) { - return function(evt) { - var str = date_time_join_args(evt, opts.args); - for (var i = 0; i < opts.fmts.length; i++) { - var seconds = duration_try_pattern(opts.fmts[i], str); - if (seconds !== undefined) { - evt.Put(FIELDS_PREFIX + opts.dest, seconds); - return; - } - } - if (debug) console.warn("in duration: id=" + opts.id + " (s) FAILED: " + str); - }; - } - - function duration_try_pattern(fmt, str) { - var secs = 0; - var pos = 0; - for (var i=0; i [ month_id , how many chars to skip if month in long form ] - "Jan": [0, 4], - "Feb": [1, 5], - "Mar": [2, 2], - "Apr": [3, 2], - "May": [4, 0], - "Jun": [5, 1], - "Jul": [6, 1], - "Aug": [7, 3], - "Sep": [8, 6], - "Oct": [9, 4], - "Nov": [10, 5], - "Dec": [11, 4], - "jan": [0, 4], - "feb": [1, 5], - "mar": [2, 2], - "apr": [3, 2], - "may": [4, 0], - "jun": [5, 1], - "jul": [6, 1], - "aug": [7, 3], - "sep": [8, 6], - "oct": [9, 4], - "nov": [10, 
5], - "dec": [11, 4], - }; - - // var dC = undefined; - var dR = dateMonthName(true); - var dB = dateMonthName(false); - var dM = dateFixedWidthNumber("M", 2, 1, 12, DateContainer.prototype.setMonth); - var dG = dateVariableWidthNumber("G", 1, 12, DateContainer.prototype.setMonth); - var dD = dateFixedWidthNumber("D", 2, 1, 31, DateContainer.prototype.setDay); - var dF = dateVariableWidthNumber("F", 1, 31, DateContainer.prototype.setDay); - var dH = dateFixedWidthNumber("H", 2, 0, 24, DateContainer.prototype.setHours); - var dI = dateVariableWidthNumber("I", 0, 24, DateContainer.prototype.setHours); // Accept hours >12 - var dN = dateVariableWidthNumber("N", 0, 24, DateContainer.prototype.setHours); - var dT = dateFixedWidthNumber("T", 2, 0, 59, DateContainer.prototype.setMinutes); - var dU = dateVariableWidthNumber("U", 0, 59, DateContainer.prototype.setMinutes); - var dP = parseAMPM; // AM|PM - var dQ = parseAMPM; // A.M.|P.M - var dS = dateFixedWidthNumber("S", 2, 0, 60, DateContainer.prototype.setSeconds); - var dO = dateVariableWidthNumber("O", 0, 60, DateContainer.prototype.setSeconds); - var dY = dateFixedWidthNumber("Y", 2, 0, 99, DateContainer.prototype.set2DigitYear); - var dW = dateFixedWidthNumber("W", 4, 1000, 9999, DateContainer.prototype.setYear); - var dZ = parseHMS; - var dX = dateVariableWidthNumber("X", 0, 0x10000000000, DateContainer.prototype.setUNIX); - - // parseAMPM parses "A.M", "AM", "P.M", "PM" from logs. - // Only works if this modifier appears after the hour has been read from logs - // which is always the case in the 300 devices. 
- function parseAMPM(str, pos, date) { - var n = str.length; - var start = skipws(str, pos); - if (start + 2 > n) return; - var head = str.substr(start, 2).toUpperCase(); - var isPM = false; - var skip = false; - switch (head) { - case "A.": - skip = true; - /* falls through */ - case "AM": - break; - case "P.": - skip = true; - /* falls through */ - case "PM": - isPM = true; - break; - default: - if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(head:" + head + ")"); - return; - } - pos = start + 2; - if (skip) { - if (pos+2 > n || str.substr(pos, 2).toUpperCase() !== "M.") { - if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(tail)"); - return; - } - pos += 2; - } - var hh = date.hours; - if (isPM) { - // Accept existing hour in 24h format. - if (hh < 12) hh += 12; - } else { - if (hh === 12) hh = 0; - } - date.setHours(hh); - return pos; - } - - function parseHMS(str, pos, date) { - return date_time_try_pattern_at_pos([dN, dc(":"), dU, dc(":"), dO], str, pos, date); - } - - function skipws(str, pos) { - for ( var n = str.length; - pos < n && str.charAt(pos) === " "; - pos++) - ; - return pos; - } - - function skipdigits(str, pos) { - var c; - for (var n = str.length; - pos < n && (c = str.charAt(pos)) >= "0" && c <= "9"; - pos++) - ; - return pos; - } - - function dSkip(str, pos, date) { - var chr; - for (;pos < str.length && (chr=str[pos])<'0' || chr>'9'; pos++) {} - return pos < str.length? 
pos : undefined; - } - - function dateVariableWidthNumber(fmtChar, min, max, setter) { - return function (str, pos, date) { - var start = skipws(str, pos); - pos = skipdigits(str, start); - var s = str.substr(start, pos - start); - var value = parseInt(s, 10); - if (value >= min && value <= max) { - setter.call(date, value); - return pos; - } - return; - }; - } - - function dateFixedWidthNumber(fmtChar, width, min, max, setter) { - return function (str, pos, date) { - pos = skipws(str, pos); - var n = str.length; - if (pos + width > n) return; - var s = str.substr(pos, width); - var value = parseInt(s, 10); - if (value >= min && value <= max) { - setter.call(date, value); - return pos + width; - } - return; - }; - } - - // Short month name (Jan..Dec). - function dateMonthName(long) { - return function (str, pos, date) { - pos = skipws(str, pos); - var n = str.length; - if (pos + 3 > n) return; - var mon = str.substr(pos, 3); - var idx = shortMonths[mon]; - if (idx === undefined) { - idx = shortMonths[mon.toLowerCase()]; - } - if (idx === undefined) { - //console.warn("parsing date_time: '" + mon + "' is not a valid short month (%B)"); - return; - } - date.setMonth(idx[0]+1); - return pos + 3 + (long ? 
idx[1] : 0); - }; - } - - function url_wrapper(dst, src, fn) { - return function(evt) { - var value = evt.Get(FIELDS_PREFIX + src), result; - if (value != null && (result = fn(value))!== undefined) { - evt.Put(FIELDS_PREFIX + dst, result); - } else { - console.debug(fn.name + " failed for '" + value + "'"); - } - }; - } - - // The following regular expression for parsing URLs from: - // https://github.com/wizard04wsu/URI_Parsing - // - // The MIT License (MIT) - // - // Copyright (c) 2014 Andrew Harrison - // - // Permission is hereby granted, free of charge, to any person obtaining a copy of - // this software and associated documentation files (the "Software"), to deal in - // the Software without restriction, including without limitation the rights to - // use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of - // the Software, and to permit persons to whom the Software is furnished to do so, - // subject to the following conditions: - // - // The above copyright notice and this permission notice shall be included in all - // copies or substantial portions of the Software. - // - // THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR - // IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS - // FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR - // COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER - // IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN - // CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 
- var uriRegExp = /^([a-z][a-z0-9+.\-]*):(?:\/\/((?:(?=((?:[a-z0-9\-._~!$&'()*+,;=:]|%[0-9A-F]{2})*))(\3)@)?(?=(\[[0-9A-F:.]{2,}\]|(?:[a-z0-9\-._~!$&'()*+,;=]|%[0-9A-F]{2})*))\5(?::(?=(\d*))\6)?)(\/(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\8)?|(\/?(?!\/)(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\10)?)(?:\?(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\11)?(?:#(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\12)?$/i; - - var uriScheme = 1; - var uriDomain = 5; - var uriPort = 6; - var uriPath = 7; - var uriPathAlt = 9; - var uriQuery = 11; - - function domain(dst, src) { - return url_wrapper(dst, src, extract_domain); - } - - function split_url(value) { - var m = value.match(uriRegExp); - if (m && m[uriDomain]) return m; - // Support input in the form "www.example.net/path", but not "/path". - m = ("null://" + value).match(uriRegExp); - if (m) return m; - } - - function extract_domain(value) { - var m = split_url(value); - if (m && m[uriDomain]) return m[uriDomain]; - } - - var extFromPage = /\.[^.]+$/; - function extract_ext(value) { - var page = extract_page(value); - if (page) { - var m = page.match(extFromPage); - if (m) return m[0]; - } - } - - function ext(dst, src) { - return url_wrapper(dst, src, extract_ext); - } - - function fqdn(dst, src) { - // TODO: fqdn and domain(eTLD+1) are currently the same. - return domain(dst, src); - } - - var pageFromPathRegExp = /\/([^\/]+)$/; - var pageName = 1; - - function extract_page(value) { - value = extract_path(value); - if (!value) return undefined; - var m = value.match(pageFromPathRegExp); - if (m) return m[pageName]; - } - - function page(dst, src) { - return url_wrapper(dst, src, extract_page); - } - - function extract_path(value) { - var m = split_url(value); - return m? m[uriPath] || m[uriPathAlt] : undefined; - } - - function path(dst, src) { - return url_wrapper(dst, src, extract_path); - } - - // Map common schemes to their default port. 
- // port has to be a string (will be converted at a later stage). - var schemePort = { - "ftp": "21", - "ssh": "22", - "http": "80", - "https": "443", - }; - - function extract_port(value) { - var m = split_url(value); - if (!m) return undefined; - if (m[uriPort]) return m[uriPort]; - if (m[uriScheme]) { - return schemePort[m[uriScheme]]; - } - } - - function port(dst, src) { - return url_wrapper(dst, src, extract_port); - } - - function extract_query(value) { - var m = split_url(value); - if (m && m[uriQuery]) return m[uriQuery]; - } - - function query(dst, src) { - return url_wrapper(dst, src, extract_query); - } - - function extract_root(value) { - var m = split_url(value); - if (m && m[uriDomain] && m[uriDomain]) { - var scheme = m[uriScheme] && m[uriScheme] !== "null"? - m[uriScheme] + "://" : ""; - var port = m[uriPort]? ":" + m[uriPort] : ""; - return scheme + m[uriDomain] + port; - } - } - - function root(dst, src) { - return url_wrapper(dst, src, extract_root); - } - - function tagval(id, src, cfg, keys, on_success) { - var fail = function(evt) { - evt.Put(FLAG_FIELD, "tagval_parsing_error"); - } - if (cfg.kv_separator.length !== 1) { - throw("Invalid TAGVALMAP ValueDelimiter (must have 1 character)"); - } - var quotes_len = cfg.open_quote.length > 0 && cfg.close_quote.length > 0? 
- cfg.open_quote.length + cfg.close_quote.length : 0; - var kv_regex = new RegExp('^([^' + cfg.kv_separator + ']*)*' + cfg.kv_separator + ' *(.*)*$'); - return function(evt) { - var msg = evt.Get(src); - if (msg === undefined) { - console.warn("tagval: input field is missing"); - return fail(evt); - } - var pairs = msg.split(cfg.pair_separator); - var i; - var success = false; - var prev = ""; - for (i=0; i 0 && - value.length >= cfg.open_quote.length + cfg.close_quote.length && - value.substr(0, cfg.open_quote.length) === cfg.open_quote && - value.substr(value.length - cfg.close_quote.length) === cfg.close_quote) { - value = value.substr(cfg.open_quote.length, value.length - quotes_len); - } - evt.Put(FIELDS_PREFIX + field, value); - success = true; - } - if (!success) { - return fail(evt); - } - if (on_success != null) { - on_success(evt); - } - } - } - - var ecs_mappings = { - "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]}, - "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]}, - "_severity": {convert: to_long, to:[{field: "log.syslog.severity.code", setter: fld_set}]}, - "action": {to:[{field: "event.action", setter: fld_prio, prio: 0}]}, - "administrator": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 4}]}, - "alias.ip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 3},{field: "related.ip", setter: fld_append}]}, - "alias.ipv6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 4},{field: "related.ip", setter: fld_append}]}, - "alias.mac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 1}]}, - "application": {to:[{field: "network.application", setter: fld_set}]}, - "bytes": {convert: to_long, to:[{field: "network.bytes", setter: fld_set}]}, - "c_domain": {to:[{field: "source.domain", setter: fld_prio, prio: 1}]}, - "c_logon_id": {to:[{field: "user.id", setter: fld_prio, prio: 2}]}, - 
"c_user_name": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 8}]}, - "c_username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 2}]}, - "cctld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 1}]}, - "child_pid": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 1}]}, - "child_pid_val": {to:[{field: "process.title", setter: fld_set}]}, - "child_process": {to:[{field: "process.name", setter: fld_prio, prio: 1}]}, - "city.dst": {to:[{field: "destination.geo.city_name", setter: fld_set}]}, - "city.src": {to:[{field: "source.geo.city_name", setter: fld_set}]}, - "daddr": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, - "daddr_v6": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, - "ddomain": {to:[{field: "destination.domain", setter: fld_prio, prio: 0}]}, - "devicehostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, - "devicehostmac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 0}]}, - "dhost": {to:[{field: "destination.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]}, - "dinterface": {to:[{field: "observer.egress.interface.name", setter: fld_set}]}, - "direction": {to:[{field: "network.direction", setter: fld_set}]}, - "directory": {to:[{field: "file.directory", setter: fld_set}]}, - "dmacaddr": {convert: to_mac, to:[{field: "destination.mac", setter: fld_set}]}, - "dns.responsetype": {to:[{field: "dns.answers.type", setter: fld_set}]}, - "dns.resptext": {to:[{field: "dns.answers.name", setter: fld_set}]}, - "dns_querytype": {to:[{field: "dns.question.type", setter: fld_set}]}, - "domain": {to:[{field: "server.domain", setter: fld_prio, prio: 0},{field: "related.hosts", setter: fld_append}]}, - 
"domain.dst": {to:[{field: "destination.domain", setter: fld_prio, prio: 1}]}, - "domain.src": {to:[{field: "source.domain", setter: fld_prio, prio: 2}]}, - "domain_id": {to:[{field: "user.domain", setter: fld_set}]}, - "domainname": {to:[{field: "server.domain", setter: fld_prio, prio: 1}]}, - "dport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 0}]}, - "dtransaddr": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, - "dtransport": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 0}]}, - "ec_outcome": {to:[{field: "event.outcome", setter: fld_ecs_outcome}]}, - "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]}, - "event_source": {to:[{field: "related.hosts", setter: fld_append}]}, - "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]}, - "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]}, - "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]}, - "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]}, - "filename": {to:[{field: "file.name", setter: fld_prio, prio: 0}]}, - "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]}, - "filepath": {to:[{field: "file.path", setter: fld_set}]}, - "filetype": {to:[{field: "file.type", setter: fld_set}]}, - "fqdn": {to:[{field: "related.hosts", setter: fld_append}]}, - "group": {to:[{field: "group.name", setter: fld_set}]}, - "groupid": {to:[{field: "group.id", setter: fld_set}]}, - "host": {to:[{field: "host.name", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]}, - "hostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, - "hostip_v6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, - "hostname": {to:[{field: 
"host.name", setter: fld_prio, prio: 0}]}, - "id": {to:[{field: "event.code", setter: fld_prio, prio: 0}]}, - "interface": {to:[{field: "network.interface.name", setter: fld_set}]}, - "ip.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, - "ip.trans.dst": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, - "ip.trans.src": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, - "ipv6.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, - "latdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lat", setter: fld_set}]}, - "latdec_src": {convert: to_double, to:[{field: "source.geo.location.lat", setter: fld_set}]}, - "location_city": {to:[{field: "geo.city_name", setter: fld_set}]}, - "location_country": {to:[{field: "geo.country_name", setter: fld_set}]}, - "location_desc": {to:[{field: "geo.name", setter: fld_set}]}, - "location_dst": {to:[{field: "destination.geo.country_name", setter: fld_set}]}, - "location_src": {to:[{field: "source.geo.country_name", setter: fld_set}]}, - "location_state": {to:[{field: "geo.region_name", setter: fld_set}]}, - "logon_id": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 5}]}, - "longdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lon", setter: fld_set}]}, - "longdec_src": {convert: to_double, to:[{field: "source.geo.location.lon", setter: fld_set}]}, - "macaddr": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 2}]}, - "messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]}, - "method": {to:[{field: "http.request.method", setter: fld_set}]}, - "msg": {to:[{field: "message", setter: fld_set}]}, - "orig_ip": {convert: to_ip, 
to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, - "owner": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 6}]}, - "packets": {convert: to_long, to:[{field: "network.packets", setter: fld_set}]}, - "parent_pid": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 0}]}, - "parent_pid_val": {to:[{field: "process.parent.title", setter: fld_set}]}, - "parent_process": {to:[{field: "process.parent.name", setter: fld_prio, prio: 0}]}, - "patient_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 1}]}, - "port.dst": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 1}]}, - "port.src": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 1}]}, - "port.trans.dst": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 1}]}, - "port.trans.src": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 1}]}, - "process": {to:[{field: "process.name", setter: fld_prio, prio: 0}]}, - "process_id": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 0}]}, - "process_id_src": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 1}]}, - "process_src": {to:[{field: "process.parent.name", setter: fld_prio, prio: 1}]}, - "product": {to:[{field: "observer.product", setter: fld_set}]}, - "protocol": {to:[{field: "network.protocol", setter: fld_set}]}, - "query": {to:[{field: "url.query", setter: fld_prio, prio: 2}]}, - "rbytes": {convert: to_long, to:[{field: "destination.bytes", setter: fld_set}]}, - "referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 1}]}, - "rulename": {to:[{field: "rule.name", setter: fld_set}]}, - "saddr": {convert: to_ip, to:[{field: "source.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, - "saddr_v6": {convert: to_ip, to:[{field: "source.ip", setter: 
fld_set},{field: "related.ip", setter: fld_append}]}, - "sbytes": {convert: to_long, to:[{field: "source.bytes", setter: fld_set}]}, - "sdomain": {to:[{field: "source.domain", setter: fld_prio, prio: 0}]}, - "service": {to:[{field: "service.name", setter: fld_prio, prio: 1}]}, - "service.name": {to:[{field: "service.name", setter: fld_prio, prio: 0}]}, - "service_account": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 7}]}, - "severity": {to:[{field: "log.level", setter: fld_set}]}, - "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]}, - "sinterface": {to:[{field: "observer.ingress.interface.name", setter: fld_set}]}, - "sld": {to:[{field: "url.registered_domain", setter: fld_set}]}, - "smacaddr": {convert: to_mac, to:[{field: "source.mac", setter: fld_set}]}, - "sport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 0}]}, - "stransaddr": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, - "stransport": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 0}]}, - "tcp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 2}]}, - "tcp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 2}]}, - "timezone": {to:[{field: "event.timezone", setter: fld_set}]}, - "tld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 0}]}, - "udp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 3}]}, - "udp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 3}]}, - "uid": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 3}]}, - "url": {to:[{field: "url.original", setter: fld_prio, prio: 1}]}, - "url_raw": {to:[{field: "url.original", setter: fld_prio, prio: 
0}]}, - "urldomain": {to:[{field: "url.domain", setter: fld_prio, prio: 0}]}, - "urlquery": {to:[{field: "url.query", setter: fld_prio, prio: 0}]}, - "user": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 0}]}, - "user.id": {to:[{field: "user.id", setter: fld_prio, prio: 1}]}, - "user_agent": {to:[{field: "user_agent.original", setter: fld_set}]}, - "user_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 0}]}, - "user_id": {to:[{field: "user.id", setter: fld_prio, prio: 0}]}, - "username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 1}]}, - "version": {to:[{field: "observer.version", setter: fld_set}]}, - "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]}, - "web_extension": {to:[{field: "file.extension", setter: fld_prio, prio: 0}]}, - "web_query": {to:[{field: "url.query", setter: fld_prio, prio: 1}]}, - "web_ref_domain": {to:[{field: "related.hosts", setter: fld_append}]}, - "web_referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 0}]}, - "web_root": {to:[{field: "url.path", setter: fld_set}]}, - "webpage": {to:[{field: "file.name", setter: fld_prio, prio: 1}]}, - }; - - var rsa_mappings = { - "access_point": {to:[{field: "rsa.wireless.access_point", setter: fld_set}]}, - "accesses": {to:[{field: "rsa.identity.accesses", setter: fld_set}]}, - "acl_id": {to:[{field: "rsa.misc.acl_id", setter: fld_set}]}, - "acl_op": {to:[{field: "rsa.misc.acl_op", setter: fld_set}]}, - "acl_pos": {to:[{field: "rsa.misc.acl_pos", setter: fld_set}]}, - "acl_table": {to:[{field: "rsa.misc.acl_table", setter: fld_set}]}, - "action": {to:[{field: "rsa.misc.action", setter: fld_append}]}, - "ad_computer_dst": {to:[{field: "rsa.network.ad_computer_dst", setter: fld_set}]}, - "addr": {to:[{field: "rsa.network.addr", setter: fld_set}]}, - "admin": {to:[{field: "rsa.misc.admin", setter: 
fld_set}]}, - "agent": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 0}]}, - "agent.id": {to:[{field: "rsa.misc.agent_id", setter: fld_set}]}, - "alarm_id": {to:[{field: "rsa.misc.alarm_id", setter: fld_set}]}, - "alarmname": {to:[{field: "rsa.misc.alarmname", setter: fld_set}]}, - "alert": {to:[{field: "rsa.threat.alert", setter: fld_set}]}, - "alert_id": {to:[{field: "rsa.misc.alert_id", setter: fld_set}]}, - "alias.host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "analysis.file": {to:[{field: "rsa.investigations.analysis_file", setter: fld_set}]}, - "analysis.service": {to:[{field: "rsa.investigations.analysis_service", setter: fld_set}]}, - "analysis.session": {to:[{field: "rsa.investigations.analysis_session", setter: fld_set}]}, - "app_id": {to:[{field: "rsa.misc.app_id", setter: fld_set}]}, - "attachment": {to:[{field: "rsa.file.attachment", setter: fld_set}]}, - "audit": {to:[{field: "rsa.misc.audit", setter: fld_set}]}, - "audit_class": {to:[{field: "rsa.internal.audit_class", setter: fld_set}]}, - "audit_object": {to:[{field: "rsa.misc.audit_object", setter: fld_set}]}, - "auditdata": {to:[{field: "rsa.misc.auditdata", setter: fld_set}]}, - "authmethod": {to:[{field: "rsa.identity.auth_method", setter: fld_set}]}, - "autorun_type": {to:[{field: "rsa.misc.autorun_type", setter: fld_set}]}, - "bcc": {to:[{field: "rsa.email.email", setter: fld_append}]}, - "benchmark": {to:[{field: "rsa.misc.benchmark", setter: fld_set}]}, - "binary": {to:[{field: "rsa.file.binary", setter: fld_set}]}, - "boc": {to:[{field: "rsa.investigations.boc", setter: fld_set}]}, - "bssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 1}]}, - "bypass": {to:[{field: "rsa.misc.bypass", setter: fld_set}]}, - "c_sid": {to:[{field: "rsa.identity.user_sid_src", setter: fld_set}]}, - "cache": {to:[{field: "rsa.misc.cache", setter: fld_set}]}, - "cache_hit": {to:[{field: "rsa.misc.cache_hit", setter: fld_set}]}, - "calling_from": {to:[{field: 
"rsa.misc.phone", setter: fld_prio, prio: 1}]}, - "calling_to": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 0}]}, - "category": {to:[{field: "rsa.misc.category", setter: fld_set}]}, - "cc": {to:[{field: "rsa.email.email", setter: fld_append}]}, - "cc.number": {convert: to_long, to:[{field: "rsa.misc.cc_number", setter: fld_set}]}, - "cefversion": {to:[{field: "rsa.misc.cefversion", setter: fld_set}]}, - "cert.serial": {to:[{field: "rsa.crypto.cert_serial", setter: fld_set}]}, - "cert_ca": {to:[{field: "rsa.crypto.cert_ca", setter: fld_set}]}, - "cert_checksum": {to:[{field: "rsa.crypto.cert_checksum", setter: fld_set}]}, - "cert_common": {to:[{field: "rsa.crypto.cert_common", setter: fld_set}]}, - "cert_error": {to:[{field: "rsa.crypto.cert_error", setter: fld_set}]}, - "cert_hostname": {to:[{field: "rsa.crypto.cert_host_name", setter: fld_set}]}, - "cert_hostname_cat": {to:[{field: "rsa.crypto.cert_host_cat", setter: fld_set}]}, - "cert_issuer": {to:[{field: "rsa.crypto.cert_issuer", setter: fld_set}]}, - "cert_keysize": {to:[{field: "rsa.crypto.cert_keysize", setter: fld_set}]}, - "cert_status": {to:[{field: "rsa.crypto.cert_status", setter: fld_set}]}, - "cert_subject": {to:[{field: "rsa.crypto.cert_subject", setter: fld_set}]}, - "cert_username": {to:[{field: "rsa.crypto.cert_username", setter: fld_set}]}, - "cfg.attr": {to:[{field: "rsa.misc.cfg_attr", setter: fld_set}]}, - "cfg.obj": {to:[{field: "rsa.misc.cfg_obj", setter: fld_set}]}, - "cfg.path": {to:[{field: "rsa.misc.cfg_path", setter: fld_set}]}, - "change_attribute": {to:[{field: "rsa.misc.change_attrib", setter: fld_set}]}, - "change_new": {to:[{field: "rsa.misc.change_new", setter: fld_set}]}, - "change_old": {to:[{field: "rsa.misc.change_old", setter: fld_set}]}, - "changes": {to:[{field: "rsa.misc.changes", setter: fld_set}]}, - "checksum": {to:[{field: "rsa.misc.checksum", setter: fld_set}]}, - "checksum.dst": {to:[{field: "rsa.misc.checksum_dst", setter: fld_set}]}, - "checksum.src": 
{to:[{field: "rsa.misc.checksum_src", setter: fld_set}]}, - "cid": {to:[{field: "rsa.internal.cid", setter: fld_set}]}, - "client": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 1}]}, - "client_ip": {to:[{field: "rsa.misc.client_ip", setter: fld_set}]}, - "clustermembers": {to:[{field: "rsa.misc.clustermembers", setter: fld_set}]}, - "cmd": {to:[{field: "rsa.misc.cmd", setter: fld_set}]}, - "cn_acttimeout": {to:[{field: "rsa.misc.cn_acttimeout", setter: fld_set}]}, - "cn_asn_dst": {to:[{field: "rsa.web.cn_asn_dst", setter: fld_set}]}, - "cn_asn_src": {to:[{field: "rsa.misc.cn_asn_src", setter: fld_set}]}, - "cn_bgpv4nxthop": {to:[{field: "rsa.misc.cn_bgpv4nxthop", setter: fld_set}]}, - "cn_ctr_dst_code": {to:[{field: "rsa.misc.cn_ctr_dst_code", setter: fld_set}]}, - "cn_dst_tos": {to:[{field: "rsa.misc.cn_dst_tos", setter: fld_set}]}, - "cn_dst_vlan": {to:[{field: "rsa.misc.cn_dst_vlan", setter: fld_set}]}, - "cn_engine_id": {to:[{field: "rsa.misc.cn_engine_id", setter: fld_set}]}, - "cn_engine_type": {to:[{field: "rsa.misc.cn_engine_type", setter: fld_set}]}, - "cn_f_switch": {to:[{field: "rsa.misc.cn_f_switch", setter: fld_set}]}, - "cn_flowsampid": {to:[{field: "rsa.misc.cn_flowsampid", setter: fld_set}]}, - "cn_flowsampintv": {to:[{field: "rsa.misc.cn_flowsampintv", setter: fld_set}]}, - "cn_flowsampmode": {to:[{field: "rsa.misc.cn_flowsampmode", setter: fld_set}]}, - "cn_inacttimeout": {to:[{field: "rsa.misc.cn_inacttimeout", setter: fld_set}]}, - "cn_inpermbyts": {to:[{field: "rsa.misc.cn_inpermbyts", setter: fld_set}]}, - "cn_inpermpckts": {to:[{field: "rsa.misc.cn_inpermpckts", setter: fld_set}]}, - "cn_invalid": {to:[{field: "rsa.misc.cn_invalid", setter: fld_set}]}, - "cn_ip_proto_ver": {to:[{field: "rsa.misc.cn_ip_proto_ver", setter: fld_set}]}, - "cn_ipv4_ident": {to:[{field: "rsa.misc.cn_ipv4_ident", setter: fld_set}]}, - "cn_l_switch": {to:[{field: "rsa.misc.cn_l_switch", setter: fld_set}]}, - "cn_log_did": {to:[{field: 
"rsa.misc.cn_log_did", setter: fld_set}]}, - "cn_log_rid": {to:[{field: "rsa.misc.cn_log_rid", setter: fld_set}]}, - "cn_max_ttl": {to:[{field: "rsa.misc.cn_max_ttl", setter: fld_set}]}, - "cn_maxpcktlen": {to:[{field: "rsa.misc.cn_maxpcktlen", setter: fld_set}]}, - "cn_min_ttl": {to:[{field: "rsa.misc.cn_min_ttl", setter: fld_set}]}, - "cn_minpcktlen": {to:[{field: "rsa.misc.cn_minpcktlen", setter: fld_set}]}, - "cn_mpls_lbl_1": {to:[{field: "rsa.misc.cn_mpls_lbl_1", setter: fld_set}]}, - "cn_mpls_lbl_10": {to:[{field: "rsa.misc.cn_mpls_lbl_10", setter: fld_set}]}, - "cn_mpls_lbl_2": {to:[{field: "rsa.misc.cn_mpls_lbl_2", setter: fld_set}]}, - "cn_mpls_lbl_3": {to:[{field: "rsa.misc.cn_mpls_lbl_3", setter: fld_set}]}, - "cn_mpls_lbl_4": {to:[{field: "rsa.misc.cn_mpls_lbl_4", setter: fld_set}]}, - "cn_mpls_lbl_5": {to:[{field: "rsa.misc.cn_mpls_lbl_5", setter: fld_set}]}, - "cn_mpls_lbl_6": {to:[{field: "rsa.misc.cn_mpls_lbl_6", setter: fld_set}]}, - "cn_mpls_lbl_7": {to:[{field: "rsa.misc.cn_mpls_lbl_7", setter: fld_set}]}, - "cn_mpls_lbl_8": {to:[{field: "rsa.misc.cn_mpls_lbl_8", setter: fld_set}]}, - "cn_mpls_lbl_9": {to:[{field: "rsa.misc.cn_mpls_lbl_9", setter: fld_set}]}, - "cn_mplstoplabel": {to:[{field: "rsa.misc.cn_mplstoplabel", setter: fld_set}]}, - "cn_mplstoplabip": {to:[{field: "rsa.misc.cn_mplstoplabip", setter: fld_set}]}, - "cn_mul_dst_byt": {to:[{field: "rsa.misc.cn_mul_dst_byt", setter: fld_set}]}, - "cn_mul_dst_pks": {to:[{field: "rsa.misc.cn_mul_dst_pks", setter: fld_set}]}, - "cn_muligmptype": {to:[{field: "rsa.misc.cn_muligmptype", setter: fld_set}]}, - "cn_rpackets": {to:[{field: "rsa.web.cn_rpackets", setter: fld_set}]}, - "cn_sampalgo": {to:[{field: "rsa.misc.cn_sampalgo", setter: fld_set}]}, - "cn_sampint": {to:[{field: "rsa.misc.cn_sampint", setter: fld_set}]}, - "cn_seqctr": {to:[{field: "rsa.misc.cn_seqctr", setter: fld_set}]}, - "cn_spackets": {to:[{field: "rsa.misc.cn_spackets", setter: fld_set}]}, - "cn_src_tos": {to:[{field: 
"rsa.misc.cn_src_tos", setter: fld_set}]}, - "cn_src_vlan": {to:[{field: "rsa.misc.cn_src_vlan", setter: fld_set}]}, - "cn_sysuptime": {to:[{field: "rsa.misc.cn_sysuptime", setter: fld_set}]}, - "cn_template_id": {to:[{field: "rsa.misc.cn_template_id", setter: fld_set}]}, - "cn_totbytsexp": {to:[{field: "rsa.misc.cn_totbytsexp", setter: fld_set}]}, - "cn_totflowexp": {to:[{field: "rsa.misc.cn_totflowexp", setter: fld_set}]}, - "cn_totpcktsexp": {to:[{field: "rsa.misc.cn_totpcktsexp", setter: fld_set}]}, - "cn_unixnanosecs": {to:[{field: "rsa.misc.cn_unixnanosecs", setter: fld_set}]}, - "cn_v6flowlabel": {to:[{field: "rsa.misc.cn_v6flowlabel", setter: fld_set}]}, - "cn_v6optheaders": {to:[{field: "rsa.misc.cn_v6optheaders", setter: fld_set}]}, - "code": {to:[{field: "rsa.misc.code", setter: fld_set}]}, - "command": {to:[{field: "rsa.misc.command", setter: fld_set}]}, - "comments": {to:[{field: "rsa.misc.comments", setter: fld_set}]}, - "comp_class": {to:[{field: "rsa.misc.comp_class", setter: fld_set}]}, - "comp_name": {to:[{field: "rsa.misc.comp_name", setter: fld_set}]}, - "comp_rbytes": {to:[{field: "rsa.misc.comp_rbytes", setter: fld_set}]}, - "comp_sbytes": {to:[{field: "rsa.misc.comp_sbytes", setter: fld_set}]}, - "component_version": {to:[{field: "rsa.misc.comp_version", setter: fld_set}]}, - "connection_id": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 1}]}, - "connectionid": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 0}]}, - "content": {to:[{field: "rsa.misc.content", setter: fld_set}]}, - "content_type": {to:[{field: "rsa.misc.content_type", setter: fld_set}]}, - "content_version": {to:[{field: "rsa.misc.content_version", setter: fld_set}]}, - "context": {to:[{field: "rsa.misc.context", setter: fld_set}]}, - "count": {to:[{field: "rsa.misc.count", setter: fld_set}]}, - "cpu": {convert: to_long, to:[{field: "rsa.misc.cpu", setter: fld_set}]}, - "cpu_data": {to:[{field: "rsa.misc.cpu_data", setter: fld_set}]}, - 
"criticality": {to:[{field: "rsa.misc.criticality", setter: fld_set}]}, - "cs_agency_dst": {to:[{field: "rsa.misc.cs_agency_dst", setter: fld_set}]}, - "cs_analyzedby": {to:[{field: "rsa.misc.cs_analyzedby", setter: fld_set}]}, - "cs_av_other": {to:[{field: "rsa.misc.cs_av_other", setter: fld_set}]}, - "cs_av_primary": {to:[{field: "rsa.misc.cs_av_primary", setter: fld_set}]}, - "cs_av_secondary": {to:[{field: "rsa.misc.cs_av_secondary", setter: fld_set}]}, - "cs_bgpv6nxthop": {to:[{field: "rsa.misc.cs_bgpv6nxthop", setter: fld_set}]}, - "cs_bit9status": {to:[{field: "rsa.misc.cs_bit9status", setter: fld_set}]}, - "cs_context": {to:[{field: "rsa.misc.cs_context", setter: fld_set}]}, - "cs_control": {to:[{field: "rsa.misc.cs_control", setter: fld_set}]}, - "cs_data": {to:[{field: "rsa.misc.cs_data", setter: fld_set}]}, - "cs_datecret": {to:[{field: "rsa.misc.cs_datecret", setter: fld_set}]}, - "cs_dst_tld": {to:[{field: "rsa.misc.cs_dst_tld", setter: fld_set}]}, - "cs_eth_dst_ven": {to:[{field: "rsa.misc.cs_eth_dst_ven", setter: fld_set}]}, - "cs_eth_src_ven": {to:[{field: "rsa.misc.cs_eth_src_ven", setter: fld_set}]}, - "cs_event_uuid": {to:[{field: "rsa.misc.cs_event_uuid", setter: fld_set}]}, - "cs_filetype": {to:[{field: "rsa.misc.cs_filetype", setter: fld_set}]}, - "cs_fld": {to:[{field: "rsa.misc.cs_fld", setter: fld_set}]}, - "cs_if_desc": {to:[{field: "rsa.misc.cs_if_desc", setter: fld_set}]}, - "cs_if_name": {to:[{field: "rsa.misc.cs_if_name", setter: fld_set}]}, - "cs_ip_next_hop": {to:[{field: "rsa.misc.cs_ip_next_hop", setter: fld_set}]}, - "cs_ipv4dstpre": {to:[{field: "rsa.misc.cs_ipv4dstpre", setter: fld_set}]}, - "cs_ipv4srcpre": {to:[{field: "rsa.misc.cs_ipv4srcpre", setter: fld_set}]}, - "cs_lifetime": {to:[{field: "rsa.misc.cs_lifetime", setter: fld_set}]}, - "cs_log_medium": {to:[{field: "rsa.misc.cs_log_medium", setter: fld_set}]}, - "cs_loginname": {to:[{field: "rsa.misc.cs_loginname", setter: fld_set}]}, - "cs_modulescore": {to:[{field: 
"rsa.misc.cs_modulescore", setter: fld_set}]}, - "cs_modulesign": {to:[{field: "rsa.misc.cs_modulesign", setter: fld_set}]}, - "cs_opswatresult": {to:[{field: "rsa.misc.cs_opswatresult", setter: fld_set}]}, - "cs_payload": {to:[{field: "rsa.misc.cs_payload", setter: fld_set}]}, - "cs_registrant": {to:[{field: "rsa.misc.cs_registrant", setter: fld_set}]}, - "cs_registrar": {to:[{field: "rsa.misc.cs_registrar", setter: fld_set}]}, - "cs_represult": {to:[{field: "rsa.misc.cs_represult", setter: fld_set}]}, - "cs_rpayload": {to:[{field: "rsa.misc.cs_rpayload", setter: fld_set}]}, - "cs_sampler_name": {to:[{field: "rsa.misc.cs_sampler_name", setter: fld_set}]}, - "cs_sourcemodule": {to:[{field: "rsa.misc.cs_sourcemodule", setter: fld_set}]}, - "cs_streams": {to:[{field: "rsa.misc.cs_streams", setter: fld_set}]}, - "cs_targetmodule": {to:[{field: "rsa.misc.cs_targetmodule", setter: fld_set}]}, - "cs_v6nxthop": {to:[{field: "rsa.misc.cs_v6nxthop", setter: fld_set}]}, - "cs_whois_server": {to:[{field: "rsa.misc.cs_whois_server", setter: fld_set}]}, - "cs_yararesult": {to:[{field: "rsa.misc.cs_yararesult", setter: fld_set}]}, - "cve": {to:[{field: "rsa.misc.cve", setter: fld_set}]}, - "d_certauth": {to:[{field: "rsa.crypto.d_certauth", setter: fld_set}]}, - "d_cipher": {to:[{field: "rsa.crypto.cipher_dst", setter: fld_set}]}, - "d_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_dst", setter: fld_set}]}, - "d_sslver": {to:[{field: "rsa.crypto.ssl_ver_dst", setter: fld_set}]}, - "data": {to:[{field: "rsa.internal.data", setter: fld_set}]}, - "data_type": {to:[{field: "rsa.misc.data_type", setter: fld_set}]}, - "date": {to:[{field: "rsa.time.date", setter: fld_set}]}, - "datetime": {to:[{field: "rsa.time.datetime", setter: fld_set}]}, - "day": {to:[{field: "rsa.time.day", setter: fld_set}]}, - "db_id": {to:[{field: "rsa.db.db_id", setter: fld_set}]}, - "db_name": {to:[{field: "rsa.db.database", setter: fld_set}]}, - "db_pid": {convert: to_long, to:[{field: 
"rsa.db.db_pid", setter: fld_set}]}, - "dclass_counter1": {convert: to_long, to:[{field: "rsa.counters.dclass_c1", setter: fld_set}]}, - "dclass_counter1_string": {to:[{field: "rsa.counters.dclass_c1_str", setter: fld_set}]}, - "dclass_counter2": {convert: to_long, to:[{field: "rsa.counters.dclass_c2", setter: fld_set}]}, - "dclass_counter2_string": {to:[{field: "rsa.counters.dclass_c2_str", setter: fld_set}]}, - "dclass_counter3": {convert: to_long, to:[{field: "rsa.counters.dclass_c3", setter: fld_set}]}, - "dclass_counter3_string": {to:[{field: "rsa.counters.dclass_c3_str", setter: fld_set}]}, - "dclass_ratio1": {to:[{field: "rsa.counters.dclass_r1", setter: fld_set}]}, - "dclass_ratio1_string": {to:[{field: "rsa.counters.dclass_r1_str", setter: fld_set}]}, - "dclass_ratio2": {to:[{field: "rsa.counters.dclass_r2", setter: fld_set}]}, - "dclass_ratio2_string": {to:[{field: "rsa.counters.dclass_r2_str", setter: fld_set}]}, - "dclass_ratio3": {to:[{field: "rsa.counters.dclass_r3", setter: fld_set}]}, - "dclass_ratio3_string": {to:[{field: "rsa.counters.dclass_r3_str", setter: fld_set}]}, - "dead": {convert: to_long, to:[{field: "rsa.internal.dead", setter: fld_set}]}, - "description": {to:[{field: "rsa.misc.description", setter: fld_set}]}, - "detail": {to:[{field: "rsa.misc.event_desc", setter: fld_set}]}, - "device": {to:[{field: "rsa.misc.device_name", setter: fld_set}]}, - "device.class": {to:[{field: "rsa.internal.device_class", setter: fld_set}]}, - "device.group": {to:[{field: "rsa.internal.device_group", setter: fld_set}]}, - "device.host": {to:[{field: "rsa.internal.device_host", setter: fld_set}]}, - "device.ip": {convert: to_ip, to:[{field: "rsa.internal.device_ip", setter: fld_set}]}, - "device.ipv6": {convert: to_ip, to:[{field: "rsa.internal.device_ipv6", setter: fld_set}]}, - "device.type": {to:[{field: "rsa.internal.device_type", setter: fld_set}]}, - "device.type.id": {convert: to_long, to:[{field: "rsa.internal.device_type_id", setter: fld_set}]}, 
- "devicehostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "devvendor": {to:[{field: "rsa.misc.devvendor", setter: fld_set}]}, - "dhost": {to:[{field: "rsa.network.host_dst", setter: fld_set}]}, - "did": {to:[{field: "rsa.internal.did", setter: fld_set}]}, - "dinterface": {to:[{field: "rsa.network.dinterface", setter: fld_set}]}, - "directory.dst": {to:[{field: "rsa.file.directory_dst", setter: fld_set}]}, - "directory.src": {to:[{field: "rsa.file.directory_src", setter: fld_set}]}, - "disk_volume": {to:[{field: "rsa.storage.disk_volume", setter: fld_set}]}, - "disposition": {to:[{field: "rsa.misc.disposition", setter: fld_set}]}, - "distance": {to:[{field: "rsa.misc.distance", setter: fld_set}]}, - "dmask": {to:[{field: "rsa.network.dmask", setter: fld_set}]}, - "dn": {to:[{field: "rsa.identity.dn", setter: fld_set}]}, - "dns_a_record": {to:[{field: "rsa.network.dns_a_record", setter: fld_set}]}, - "dns_cname_record": {to:[{field: "rsa.network.dns_cname_record", setter: fld_set}]}, - "dns_id": {to:[{field: "rsa.network.dns_id", setter: fld_set}]}, - "dns_opcode": {to:[{field: "rsa.network.dns_opcode", setter: fld_set}]}, - "dns_ptr_record": {to:[{field: "rsa.network.dns_ptr_record", setter: fld_set}]}, - "dns_resp": {to:[{field: "rsa.network.dns_resp", setter: fld_set}]}, - "dns_type": {to:[{field: "rsa.network.dns_type", setter: fld_set}]}, - "doc_number": {convert: to_long, to:[{field: "rsa.misc.doc_number", setter: fld_set}]}, - "domain": {to:[{field: "rsa.network.domain", setter: fld_set}]}, - "domain1": {to:[{field: "rsa.network.domain1", setter: fld_set}]}, - "dst_dn": {to:[{field: "rsa.identity.dn_dst", setter: fld_set}]}, - "dst_payload": {to:[{field: "rsa.misc.payload_dst", setter: fld_set}]}, - "dst_spi": {to:[{field: "rsa.misc.spi_dst", setter: fld_set}]}, - "dst_zone": {to:[{field: "rsa.network.zone_dst", setter: fld_set}]}, - "dstburb": {to:[{field: "rsa.misc.dstburb", setter: fld_set}]}, - "duration": {convert: to_double, 
to:[{field: "rsa.time.duration_time", setter: fld_set}]}, - "duration_string": {to:[{field: "rsa.time.duration_str", setter: fld_set}]}, - "ec_activity": {to:[{field: "rsa.investigations.ec_activity", setter: fld_set}]}, - "ec_outcome": {to:[{field: "rsa.investigations.ec_outcome", setter: fld_set}]}, - "ec_subject": {to:[{field: "rsa.investigations.ec_subject", setter: fld_set}]}, - "ec_theme": {to:[{field: "rsa.investigations.ec_theme", setter: fld_set}]}, - "edomain": {to:[{field: "rsa.misc.edomain", setter: fld_set}]}, - "edomaub": {to:[{field: "rsa.misc.edomaub", setter: fld_set}]}, - "effective_time": {convert: to_date, to:[{field: "rsa.time.effective_time", setter: fld_set}]}, - "ein.number": {convert: to_long, to:[{field: "rsa.misc.ein_number", setter: fld_set}]}, - "email": {to:[{field: "rsa.email.email", setter: fld_append}]}, - "encryption_type": {to:[{field: "rsa.crypto.crypto", setter: fld_set}]}, - "endtime": {convert: to_date, to:[{field: "rsa.time.endtime", setter: fld_set}]}, - "entropy.req": {convert: to_long, to:[{field: "rsa.internal.entropy_req", setter: fld_set}]}, - "entropy.res": {convert: to_long, to:[{field: "rsa.internal.entropy_res", setter: fld_set}]}, - "entry": {to:[{field: "rsa.internal.entry", setter: fld_set}]}, - "eoc": {to:[{field: "rsa.investigations.eoc", setter: fld_set}]}, - "error": {to:[{field: "rsa.misc.error", setter: fld_set}]}, - "eth_type": {convert: to_long, to:[{field: "rsa.network.eth_type", setter: fld_set}]}, - "euid": {to:[{field: "rsa.misc.euid", setter: fld_set}]}, - "event.cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 1}]}, - "event.cat.name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 1}]}, - "event_cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 0}]}, - "event_cat_name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 0}]}, - "event_category": {to:[{field: 
"rsa.misc.event_category", setter: fld_set}]}, - "event_computer": {to:[{field: "rsa.misc.event_computer", setter: fld_set}]}, - "event_counter": {convert: to_long, to:[{field: "rsa.counters.event_counter", setter: fld_set}]}, - "event_description": {to:[{field: "rsa.internal.event_desc", setter: fld_set}]}, - "event_id": {to:[{field: "rsa.misc.event_id", setter: fld_set}]}, - "event_log": {to:[{field: "rsa.misc.event_log", setter: fld_set}]}, - "event_name": {to:[{field: "rsa.internal.event_name", setter: fld_set}]}, - "event_queue_time": {convert: to_date, to:[{field: "rsa.time.event_queue_time", setter: fld_set}]}, - "event_source": {to:[{field: "rsa.misc.event_source", setter: fld_set}]}, - "event_state": {to:[{field: "rsa.misc.event_state", setter: fld_set}]}, - "event_time": {convert: to_date, to:[{field: "rsa.time.event_time", setter: fld_set}]}, - "event_time_str": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 1}]}, - "event_time_string": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 0}]}, - "event_type": {to:[{field: "rsa.misc.event_type", setter: fld_set}]}, - "event_user": {to:[{field: "rsa.misc.event_user", setter: fld_set}]}, - "eventtime": {to:[{field: "rsa.time.eventtime", setter: fld_set}]}, - "expected_val": {to:[{field: "rsa.misc.expected_val", setter: fld_set}]}, - "expiration_time": {convert: to_date, to:[{field: "rsa.time.expire_time", setter: fld_set}]}, - "expiration_time_string": {to:[{field: "rsa.time.expire_time_str", setter: fld_set}]}, - "facility": {to:[{field: "rsa.misc.facility", setter: fld_set}]}, - "facilityname": {to:[{field: "rsa.misc.facilityname", setter: fld_set}]}, - "faddr": {to:[{field: "rsa.network.faddr", setter: fld_set}]}, - "fcatnum": {to:[{field: "rsa.misc.fcatnum", setter: fld_set}]}, - "federated_idp": {to:[{field: "rsa.identity.federated_idp", setter: fld_set}]}, - "federated_sp": {to:[{field: "rsa.identity.federated_sp", setter: fld_set}]}, - "feed.category": {to:[{field: 
"rsa.internal.feed_category", setter: fld_set}]}, - "feed_desc": {to:[{field: "rsa.internal.feed_desc", setter: fld_set}]}, - "feed_name": {to:[{field: "rsa.internal.feed_name", setter: fld_set}]}, - "fhost": {to:[{field: "rsa.network.fhost", setter: fld_set}]}, - "file_entropy": {convert: to_double, to:[{field: "rsa.file.file_entropy", setter: fld_set}]}, - "file_vendor": {to:[{field: "rsa.file.file_vendor", setter: fld_set}]}, - "filename_dst": {to:[{field: "rsa.file.filename_dst", setter: fld_set}]}, - "filename_src": {to:[{field: "rsa.file.filename_src", setter: fld_set}]}, - "filename_tmp": {to:[{field: "rsa.file.filename_tmp", setter: fld_set}]}, - "filesystem": {to:[{field: "rsa.file.filesystem", setter: fld_set}]}, - "filter": {to:[{field: "rsa.misc.filter", setter: fld_set}]}, - "finterface": {to:[{field: "rsa.misc.finterface", setter: fld_set}]}, - "flags": {to:[{field: "rsa.misc.flags", setter: fld_set}]}, - "forensic_info": {to:[{field: "rsa.misc.forensic_info", setter: fld_set}]}, - "forward.ip": {convert: to_ip, to:[{field: "rsa.internal.forward_ip", setter: fld_set}]}, - "forward.ipv6": {convert: to_ip, to:[{field: "rsa.internal.forward_ipv6", setter: fld_set}]}, - "found": {to:[{field: "rsa.misc.found", setter: fld_set}]}, - "fport": {to:[{field: "rsa.network.fport", setter: fld_set}]}, - "fqdn": {to:[{field: "rsa.web.fqdn", setter: fld_set}]}, - "fresult": {convert: to_long, to:[{field: "rsa.misc.fresult", setter: fld_set}]}, - "from": {to:[{field: "rsa.email.email_src", setter: fld_set}]}, - "gaddr": {to:[{field: "rsa.misc.gaddr", setter: fld_set}]}, - "gateway": {to:[{field: "rsa.network.gateway", setter: fld_set}]}, - "gmtdate": {to:[{field: "rsa.time.gmtdate", setter: fld_set}]}, - "gmttime": {to:[{field: "rsa.time.gmttime", setter: fld_set}]}, - "group": {to:[{field: "rsa.misc.group", setter: fld_set}]}, - "group_object": {to:[{field: "rsa.misc.group_object", setter: fld_set}]}, - "groupid": {to:[{field: "rsa.misc.group_id", setter: 
fld_set}]}, - "h_code": {to:[{field: "rsa.internal.hcode", setter: fld_set}]}, - "hardware_id": {to:[{field: "rsa.misc.hardware_id", setter: fld_set}]}, - "header.id": {to:[{field: "rsa.internal.header_id", setter: fld_set}]}, - "host.orig": {to:[{field: "rsa.network.host_orig", setter: fld_set}]}, - "host.state": {to:[{field: "rsa.endpoint.host_state", setter: fld_set}]}, - "host.type": {to:[{field: "rsa.network.host_type", setter: fld_set}]}, - "host_role": {to:[{field: "rsa.identity.host_role", setter: fld_set}]}, - "hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "hostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "hour": {to:[{field: "rsa.time.hour", setter: fld_set}]}, - "https.insact": {to:[{field: "rsa.crypto.https_insact", setter: fld_set}]}, - "https.valid": {to:[{field: "rsa.crypto.https_valid", setter: fld_set}]}, - "icmpcode": {convert: to_long, to:[{field: "rsa.network.icmp_code", setter: fld_set}]}, - "icmptype": {convert: to_long, to:[{field: "rsa.network.icmp_type", setter: fld_set}]}, - "id": {to:[{field: "rsa.misc.reference_id", setter: fld_set}]}, - "id1": {to:[{field: "rsa.misc.reference_id1", setter: fld_set}]}, - "id2": {to:[{field: "rsa.misc.reference_id2", setter: fld_set}]}, - "id3": {to:[{field: "rsa.misc.id3", setter: fld_set}]}, - "ike": {to:[{field: "rsa.crypto.ike", setter: fld_set}]}, - "ike_cookie1": {to:[{field: "rsa.crypto.ike_cookie1", setter: fld_set}]}, - "ike_cookie2": {to:[{field: "rsa.crypto.ike_cookie2", setter: fld_set}]}, - "im_buddyid": {to:[{field: "rsa.misc.im_buddyid", setter: fld_set}]}, - "im_buddyname": {to:[{field: "rsa.misc.im_buddyname", setter: fld_set}]}, - "im_client": {to:[{field: "rsa.misc.im_client", setter: fld_set}]}, - "im_croomid": {to:[{field: "rsa.misc.im_croomid", setter: fld_set}]}, - "im_croomtype": {to:[{field: "rsa.misc.im_croomtype", setter: fld_set}]}, - "im_members": {to:[{field: "rsa.misc.im_members", setter: fld_set}]}, - "im_userid": 
{to:[{field: "rsa.misc.im_userid", setter: fld_set}]}, - "im_username": {to:[{field: "rsa.misc.im_username", setter: fld_set}]}, - "index": {to:[{field: "rsa.misc.index", setter: fld_set}]}, - "info": {to:[{field: "rsa.db.index", setter: fld_set}]}, - "inode": {convert: to_long, to:[{field: "rsa.internal.inode", setter: fld_set}]}, - "inout": {to:[{field: "rsa.misc.inout", setter: fld_set}]}, - "instance": {to:[{field: "rsa.db.instance", setter: fld_set}]}, - "interface": {to:[{field: "rsa.network.interface", setter: fld_set}]}, - "inv.category": {to:[{field: "rsa.investigations.inv_category", setter: fld_set}]}, - "inv.context": {to:[{field: "rsa.investigations.inv_context", setter: fld_set}]}, - "ioc": {to:[{field: "rsa.investigations.ioc", setter: fld_set}]}, - "ip_proto": {convert: to_long, to:[{field: "rsa.network.ip_proto", setter: fld_set}]}, - "ipkt": {to:[{field: "rsa.misc.ipkt", setter: fld_set}]}, - "ipscat": {to:[{field: "rsa.misc.ipscat", setter: fld_set}]}, - "ipspri": {to:[{field: "rsa.misc.ipspri", setter: fld_set}]}, - "jobname": {to:[{field: "rsa.misc.jobname", setter: fld_set}]}, - "jobnum": {to:[{field: "rsa.misc.job_num", setter: fld_set}]}, - "laddr": {to:[{field: "rsa.network.laddr", setter: fld_set}]}, - "language": {to:[{field: "rsa.misc.language", setter: fld_set}]}, - "latitude": {to:[{field: "rsa.misc.latitude", setter: fld_set}]}, - "lc.cid": {to:[{field: "rsa.internal.lc_cid", setter: fld_set}]}, - "lc.ctime": {convert: to_date, to:[{field: "rsa.internal.lc_ctime", setter: fld_set}]}, - "ldap": {to:[{field: "rsa.identity.ldap", setter: fld_set}]}, - "ldap.query": {to:[{field: "rsa.identity.ldap_query", setter: fld_set}]}, - "ldap.response": {to:[{field: "rsa.identity.ldap_response", setter: fld_set}]}, - "level": {convert: to_long, to:[{field: "rsa.internal.level", setter: fld_set}]}, - "lhost": {to:[{field: "rsa.network.lhost", setter: fld_set}]}, - "library": {to:[{field: "rsa.misc.library", setter: fld_set}]}, - "lifetime": 
{convert: to_long, to:[{field: "rsa.misc.lifetime", setter: fld_set}]}, - "linenum": {to:[{field: "rsa.misc.linenum", setter: fld_set}]}, - "link": {to:[{field: "rsa.misc.link", setter: fld_set}]}, - "linterface": {to:[{field: "rsa.network.linterface", setter: fld_set}]}, - "list_name": {to:[{field: "rsa.misc.list_name", setter: fld_set}]}, - "listnum": {to:[{field: "rsa.misc.listnum", setter: fld_set}]}, - "load_data": {to:[{field: "rsa.misc.load_data", setter: fld_set}]}, - "location_floor": {to:[{field: "rsa.misc.location_floor", setter: fld_set}]}, - "location_mark": {to:[{field: "rsa.misc.location_mark", setter: fld_set}]}, - "log_id": {to:[{field: "rsa.misc.log_id", setter: fld_set}]}, - "log_type": {to:[{field: "rsa.misc.log_type", setter: fld_set}]}, - "logid": {to:[{field: "rsa.misc.logid", setter: fld_set}]}, - "logip": {to:[{field: "rsa.misc.logip", setter: fld_set}]}, - "logname": {to:[{field: "rsa.misc.logname", setter: fld_set}]}, - "logon_type": {to:[{field: "rsa.identity.logon_type", setter: fld_set}]}, - "logon_type_desc": {to:[{field: "rsa.identity.logon_type_desc", setter: fld_set}]}, - "longitude": {to:[{field: "rsa.misc.longitude", setter: fld_set}]}, - "lport": {to:[{field: "rsa.misc.lport", setter: fld_set}]}, - "lread": {convert: to_long, to:[{field: "rsa.db.lread", setter: fld_set}]}, - "lun": {to:[{field: "rsa.storage.lun", setter: fld_set}]}, - "lwrite": {convert: to_long, to:[{field: "rsa.db.lwrite", setter: fld_set}]}, - "macaddr": {convert: to_mac, to:[{field: "rsa.network.eth_host", setter: fld_set}]}, - "mail_id": {to:[{field: "rsa.misc.mail_id", setter: fld_set}]}, - "mask": {to:[{field: "rsa.network.mask", setter: fld_set}]}, - "match": {to:[{field: "rsa.misc.match", setter: fld_set}]}, - "mbug_data": {to:[{field: "rsa.misc.mbug_data", setter: fld_set}]}, - "mcb.req": {convert: to_long, to:[{field: "rsa.internal.mcb_req", setter: fld_set}]}, - "mcb.res": {convert: to_long, to:[{field: "rsa.internal.mcb_res", setter: fld_set}]}, - 
"mcbc.req": {convert: to_long, to:[{field: "rsa.internal.mcbc_req", setter: fld_set}]}, - "mcbc.res": {convert: to_long, to:[{field: "rsa.internal.mcbc_res", setter: fld_set}]}, - "medium": {convert: to_long, to:[{field: "rsa.internal.medium", setter: fld_set}]}, - "message": {to:[{field: "rsa.internal.message", setter: fld_set}]}, - "message_body": {to:[{field: "rsa.misc.message_body", setter: fld_set}]}, - "messageid": {to:[{field: "rsa.internal.messageid", setter: fld_set}]}, - "min": {to:[{field: "rsa.time.min", setter: fld_set}]}, - "misc": {to:[{field: "rsa.misc.misc", setter: fld_set}]}, - "misc_name": {to:[{field: "rsa.misc.misc_name", setter: fld_set}]}, - "mode": {to:[{field: "rsa.misc.mode", setter: fld_set}]}, - "month": {to:[{field: "rsa.time.month", setter: fld_set}]}, - "msg": {to:[{field: "rsa.internal.msg", setter: fld_set}]}, - "msgIdPart1": {to:[{field: "rsa.misc.msgIdPart1", setter: fld_set}]}, - "msgIdPart2": {to:[{field: "rsa.misc.msgIdPart2", setter: fld_set}]}, - "msgIdPart3": {to:[{field: "rsa.misc.msgIdPart3", setter: fld_set}]}, - "msgIdPart4": {to:[{field: "rsa.misc.msgIdPart4", setter: fld_set}]}, - "msg_id": {to:[{field: "rsa.internal.msg_id", setter: fld_set}]}, - "msg_type": {to:[{field: "rsa.misc.msg_type", setter: fld_set}]}, - "msgid": {to:[{field: "rsa.misc.msgid", setter: fld_set}]}, - "name": {to:[{field: "rsa.misc.name", setter: fld_set}]}, - "netname": {to:[{field: "rsa.network.netname", setter: fld_set}]}, - "netsessid": {to:[{field: "rsa.misc.netsessid", setter: fld_set}]}, - "network_port": {convert: to_long, to:[{field: "rsa.network.network_port", setter: fld_set}]}, - "network_service": {to:[{field: "rsa.network.network_service", setter: fld_set}]}, - "node": {to:[{field: "rsa.misc.node", setter: fld_set}]}, - "nodename": {to:[{field: "rsa.internal.node_name", setter: fld_set}]}, - "ntype": {to:[{field: "rsa.misc.ntype", setter: fld_set}]}, - "num": {to:[{field: "rsa.misc.num", setter: fld_set}]}, - "number": 
{to:[{field: "rsa.misc.number", setter: fld_set}]}, - "number1": {to:[{field: "rsa.misc.number1", setter: fld_set}]}, - "number2": {to:[{field: "rsa.misc.number2", setter: fld_set}]}, - "nwe.callback_id": {to:[{field: "rsa.internal.nwe_callback_id", setter: fld_set}]}, - "nwwn": {to:[{field: "rsa.misc.nwwn", setter: fld_set}]}, - "obj_id": {to:[{field: "rsa.internal.obj_id", setter: fld_set}]}, - "obj_name": {to:[{field: "rsa.misc.obj_name", setter: fld_set}]}, - "obj_server": {to:[{field: "rsa.internal.obj_server", setter: fld_set}]}, - "obj_type": {to:[{field: "rsa.misc.obj_type", setter: fld_set}]}, - "obj_value": {to:[{field: "rsa.internal.obj_val", setter: fld_set}]}, - "object": {to:[{field: "rsa.misc.object", setter: fld_set}]}, - "observed_val": {to:[{field: "rsa.misc.observed_val", setter: fld_set}]}, - "operation": {to:[{field: "rsa.misc.operation", setter: fld_set}]}, - "operation_id": {to:[{field: "rsa.misc.operation_id", setter: fld_set}]}, - "opkt": {to:[{field: "rsa.misc.opkt", setter: fld_set}]}, - "org.dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 1}]}, - "org.src": {to:[{field: "rsa.physical.org_src", setter: fld_set}]}, - "org_dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 0}]}, - "orig_from": {to:[{field: "rsa.misc.orig_from", setter: fld_set}]}, - "origin": {to:[{field: "rsa.network.origin", setter: fld_set}]}, - "original_owner": {to:[{field: "rsa.identity.owner", setter: fld_set}]}, - "os": {to:[{field: "rsa.misc.OS", setter: fld_set}]}, - "owner_id": {to:[{field: "rsa.misc.owner_id", setter: fld_set}]}, - "p_action": {to:[{field: "rsa.misc.p_action", setter: fld_set}]}, - "p_date": {to:[{field: "rsa.time.p_date", setter: fld_set}]}, - "p_filter": {to:[{field: "rsa.misc.p_filter", setter: fld_set}]}, - "p_group_object": {to:[{field: "rsa.misc.p_group_object", setter: fld_set}]}, - "p_id": {to:[{field: "rsa.misc.p_id", setter: fld_set}]}, - "p_month": {to:[{field: "rsa.time.p_month", setter: fld_set}]}, 
- "p_msgid": {to:[{field: "rsa.misc.p_msgid", setter: fld_set}]}, - "p_msgid1": {to:[{field: "rsa.misc.p_msgid1", setter: fld_set}]}, - "p_msgid2": {to:[{field: "rsa.misc.p_msgid2", setter: fld_set}]}, - "p_result1": {to:[{field: "rsa.misc.p_result1", setter: fld_set}]}, - "p_time": {to:[{field: "rsa.time.p_time", setter: fld_set}]}, - "p_time1": {to:[{field: "rsa.time.p_time1", setter: fld_set}]}, - "p_time2": {to:[{field: "rsa.time.p_time2", setter: fld_set}]}, - "p_url": {to:[{field: "rsa.web.p_url", setter: fld_set}]}, - "p_user_agent": {to:[{field: "rsa.web.p_user_agent", setter: fld_set}]}, - "p_web_cookie": {to:[{field: "rsa.web.p_web_cookie", setter: fld_set}]}, - "p_web_method": {to:[{field: "rsa.web.p_web_method", setter: fld_set}]}, - "p_web_referer": {to:[{field: "rsa.web.p_web_referer", setter: fld_set}]}, - "p_year": {to:[{field: "rsa.time.p_year", setter: fld_set}]}, - "packet_length": {to:[{field: "rsa.network.packet_length", setter: fld_set}]}, - "paddr": {convert: to_ip, to:[{field: "rsa.network.paddr", setter: fld_set}]}, - "param": {to:[{field: "rsa.misc.param", setter: fld_set}]}, - "param.dst": {to:[{field: "rsa.misc.param_dst", setter: fld_set}]}, - "param.src": {to:[{field: "rsa.misc.param_src", setter: fld_set}]}, - "parent_node": {to:[{field: "rsa.misc.parent_node", setter: fld_set}]}, - "parse.error": {to:[{field: "rsa.internal.parse_error", setter: fld_set}]}, - "password": {to:[{field: "rsa.identity.password", setter: fld_set}]}, - "password_chg": {to:[{field: "rsa.misc.password_chg", setter: fld_set}]}, - "password_expire": {to:[{field: "rsa.misc.password_expire", setter: fld_set}]}, - "patient_fname": {to:[{field: "rsa.healthcare.patient_fname", setter: fld_set}]}, - "patient_id": {to:[{field: "rsa.healthcare.patient_id", setter: fld_set}]}, - "patient_lname": {to:[{field: "rsa.healthcare.patient_lname", setter: fld_set}]}, - "patient_mname": {to:[{field: "rsa.healthcare.patient_mname", setter: fld_set}]}, - "payload.req": {convert: 
to_long, to:[{field: "rsa.internal.payload_req", setter: fld_set}]}, - "payload.res": {convert: to_long, to:[{field: "rsa.internal.payload_res", setter: fld_set}]}, - "peer": {to:[{field: "rsa.crypto.peer", setter: fld_set}]}, - "peer_id": {to:[{field: "rsa.crypto.peer_id", setter: fld_set}]}, - "permgranted": {to:[{field: "rsa.misc.permgranted", setter: fld_set}]}, - "permissions": {to:[{field: "rsa.db.permissions", setter: fld_set}]}, - "permwanted": {to:[{field: "rsa.misc.permwanted", setter: fld_set}]}, - "pgid": {to:[{field: "rsa.misc.pgid", setter: fld_set}]}, - "phone_number": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 2}]}, - "phost": {to:[{field: "rsa.network.phost", setter: fld_set}]}, - "pid": {to:[{field: "rsa.misc.pid", setter: fld_set}]}, - "policy": {to:[{field: "rsa.misc.policy", setter: fld_set}]}, - "policyUUID": {to:[{field: "rsa.misc.policyUUID", setter: fld_set}]}, - "policy_id": {to:[{field: "rsa.misc.policy_id", setter: fld_set}]}, - "policy_value": {to:[{field: "rsa.misc.policy_value", setter: fld_set}]}, - "policy_waiver": {to:[{field: "rsa.misc.policy_waiver", setter: fld_set}]}, - "policyname": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 0}]}, - "pool_id": {to:[{field: "rsa.misc.pool_id", setter: fld_set}]}, - "pool_name": {to:[{field: "rsa.misc.pool_name", setter: fld_set}]}, - "port": {convert: to_long, to:[{field: "rsa.network.port", setter: fld_set}]}, - "portname": {to:[{field: "rsa.misc.port_name", setter: fld_set}]}, - "pread": {convert: to_long, to:[{field: "rsa.db.pread", setter: fld_set}]}, - "priority": {to:[{field: "rsa.misc.priority", setter: fld_set}]}, - "privilege": {to:[{field: "rsa.file.privilege", setter: fld_set}]}, - "process.vid.dst": {to:[{field: "rsa.internal.process_vid_dst", setter: fld_set}]}, - "process.vid.src": {to:[{field: "rsa.internal.process_vid_src", setter: fld_set}]}, - "process_id_val": {to:[{field: "rsa.misc.process_id_val", setter: fld_set}]}, - "processing_time": 
{to:[{field: "rsa.time.process_time", setter: fld_set}]}, - "profile": {to:[{field: "rsa.identity.profile", setter: fld_set}]}, - "prog_asp_num": {to:[{field: "rsa.misc.prog_asp_num", setter: fld_set}]}, - "program": {to:[{field: "rsa.misc.program", setter: fld_set}]}, - "protocol_detail": {to:[{field: "rsa.network.protocol_detail", setter: fld_set}]}, - "pwwn": {to:[{field: "rsa.storage.pwwn", setter: fld_set}]}, - "r_hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "real_data": {to:[{field: "rsa.misc.real_data", setter: fld_set}]}, - "realm": {to:[{field: "rsa.identity.realm", setter: fld_set}]}, - "reason": {to:[{field: "rsa.misc.reason", setter: fld_set}]}, - "rec_asp_device": {to:[{field: "rsa.misc.rec_asp_device", setter: fld_set}]}, - "rec_asp_num": {to:[{field: "rsa.misc.rec_asp_num", setter: fld_set}]}, - "rec_library": {to:[{field: "rsa.misc.rec_library", setter: fld_set}]}, - "recorded_time": {convert: to_date, to:[{field: "rsa.time.recorded_time", setter: fld_set}]}, - "recordnum": {to:[{field: "rsa.misc.recordnum", setter: fld_set}]}, - "registry.key": {to:[{field: "rsa.endpoint.registry_key", setter: fld_set}]}, - "registry.value": {to:[{field: "rsa.endpoint.registry_value", setter: fld_set}]}, - "remote_domain": {to:[{field: "rsa.web.remote_domain", setter: fld_set}]}, - "remote_domain_id": {to:[{field: "rsa.network.remote_domain_id", setter: fld_set}]}, - "reputation_num": {convert: to_double, to:[{field: "rsa.web.reputation_num", setter: fld_set}]}, - "resource": {to:[{field: "rsa.internal.resource", setter: fld_set}]}, - "resource_class": {to:[{field: "rsa.internal.resource_class", setter: fld_set}]}, - "result": {to:[{field: "rsa.misc.result", setter: fld_set}]}, - "result_code": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 1}]}, - "resultcode": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 0}]}, - "rid": {convert: to_long, to:[{field: "rsa.internal.rid", setter: fld_set}]}, - "risk": 
{to:[{field: "rsa.misc.risk", setter: fld_set}]}, - "risk_info": {to:[{field: "rsa.misc.risk_info", setter: fld_set}]}, - "risk_num": {convert: to_double, to:[{field: "rsa.misc.risk_num", setter: fld_set}]}, - "risk_num_comm": {convert: to_double, to:[{field: "rsa.misc.risk_num_comm", setter: fld_set}]}, - "risk_num_next": {convert: to_double, to:[{field: "rsa.misc.risk_num_next", setter: fld_set}]}, - "risk_num_sand": {convert: to_double, to:[{field: "rsa.misc.risk_num_sand", setter: fld_set}]}, - "risk_num_static": {convert: to_double, to:[{field: "rsa.misc.risk_num_static", setter: fld_set}]}, - "risk_suspicious": {to:[{field: "rsa.misc.risk_suspicious", setter: fld_set}]}, - "risk_warning": {to:[{field: "rsa.misc.risk_warning", setter: fld_set}]}, - "rpayload": {to:[{field: "rsa.network.rpayload", setter: fld_set}]}, - "ruid": {to:[{field: "rsa.misc.ruid", setter: fld_set}]}, - "rule": {to:[{field: "rsa.misc.rule", setter: fld_set}]}, - "rule_group": {to:[{field: "rsa.misc.rule_group", setter: fld_set}]}, - "rule_template": {to:[{field: "rsa.misc.rule_template", setter: fld_set}]}, - "rule_uid": {to:[{field: "rsa.misc.rule_uid", setter: fld_set}]}, - "rulename": {to:[{field: "rsa.misc.rule_name", setter: fld_set}]}, - "s_certauth": {to:[{field: "rsa.crypto.s_certauth", setter: fld_set}]}, - "s_cipher": {to:[{field: "rsa.crypto.cipher_src", setter: fld_set}]}, - "s_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_src", setter: fld_set}]}, - "s_context": {to:[{field: "rsa.misc.context_subject", setter: fld_set}]}, - "s_sslver": {to:[{field: "rsa.crypto.ssl_ver_src", setter: fld_set}]}, - "sburb": {to:[{field: "rsa.misc.sburb", setter: fld_set}]}, - "scheme": {to:[{field: "rsa.crypto.scheme", setter: fld_set}]}, - "sdomain_fld": {to:[{field: "rsa.misc.sdomain_fld", setter: fld_set}]}, - "search.text": {to:[{field: "rsa.misc.search_text", setter: fld_set}]}, - "sec": {to:[{field: "rsa.misc.sec", setter: fld_set}]}, - "second": {to:[{field: 
"rsa.misc.second", setter: fld_set}]}, - "sensor": {to:[{field: "rsa.misc.sensor", setter: fld_set}]}, - "sensorname": {to:[{field: "rsa.misc.sensorname", setter: fld_set}]}, - "seqnum": {to:[{field: "rsa.misc.seqnum", setter: fld_set}]}, - "serial_number": {to:[{field: "rsa.misc.serial_number", setter: fld_set}]}, - "service.account": {to:[{field: "rsa.identity.service_account", setter: fld_set}]}, - "session": {to:[{field: "rsa.misc.session", setter: fld_set}]}, - "session.split": {to:[{field: "rsa.internal.session_split", setter: fld_set}]}, - "sessionid": {to:[{field: "rsa.misc.log_session_id", setter: fld_set}]}, - "sessionid1": {to:[{field: "rsa.misc.log_session_id1", setter: fld_set}]}, - "sessiontype": {to:[{field: "rsa.misc.sessiontype", setter: fld_set}]}, - "severity": {to:[{field: "rsa.misc.severity", setter: fld_set}]}, - "sid": {to:[{field: "rsa.identity.user_sid_dst", setter: fld_set}]}, - "sig.name": {to:[{field: "rsa.misc.sig_name", setter: fld_set}]}, - "sigUUID": {to:[{field: "rsa.misc.sigUUID", setter: fld_set}]}, - "sigcat": {to:[{field: "rsa.misc.sigcat", setter: fld_set}]}, - "sigid": {convert: to_long, to:[{field: "rsa.misc.sig_id", setter: fld_set}]}, - "sigid1": {convert: to_long, to:[{field: "rsa.misc.sig_id1", setter: fld_set}]}, - "sigid_string": {to:[{field: "rsa.misc.sig_id_str", setter: fld_set}]}, - "signame": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 1}]}, - "sigtype": {to:[{field: "rsa.crypto.sig_type", setter: fld_set}]}, - "sinterface": {to:[{field: "rsa.network.sinterface", setter: fld_set}]}, - "site": {to:[{field: "rsa.internal.site", setter: fld_set}]}, - "size": {convert: to_long, to:[{field: "rsa.internal.size", setter: fld_set}]}, - "smask": {to:[{field: "rsa.network.smask", setter: fld_set}]}, - "snmp.oid": {to:[{field: "rsa.misc.snmp_oid", setter: fld_set}]}, - "snmp.value": {to:[{field: "rsa.misc.snmp_value", setter: fld_set}]}, - "sourcefile": {to:[{field: "rsa.internal.sourcefile", setter: 
fld_set}]}, - "space": {to:[{field: "rsa.misc.space", setter: fld_set}]}, - "space1": {to:[{field: "rsa.misc.space1", setter: fld_set}]}, - "spi": {to:[{field: "rsa.misc.spi", setter: fld_set}]}, - "sql": {to:[{field: "rsa.misc.sql", setter: fld_set}]}, - "src_dn": {to:[{field: "rsa.identity.dn_src", setter: fld_set}]}, - "src_payload": {to:[{field: "rsa.misc.payload_src", setter: fld_set}]}, - "src_spi": {to:[{field: "rsa.misc.spi_src", setter: fld_set}]}, - "src_zone": {to:[{field: "rsa.network.zone_src", setter: fld_set}]}, - "srcburb": {to:[{field: "rsa.misc.srcburb", setter: fld_set}]}, - "srcdom": {to:[{field: "rsa.misc.srcdom", setter: fld_set}]}, - "srcservice": {to:[{field: "rsa.misc.srcservice", setter: fld_set}]}, - "ssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 0}]}, - "stamp": {convert: to_date, to:[{field: "rsa.time.stamp", setter: fld_set}]}, - "starttime": {convert: to_date, to:[{field: "rsa.time.starttime", setter: fld_set}]}, - "state": {to:[{field: "rsa.misc.state", setter: fld_set}]}, - "statement": {to:[{field: "rsa.internal.statement", setter: fld_set}]}, - "status": {to:[{field: "rsa.misc.status", setter: fld_set}]}, - "status1": {to:[{field: "rsa.misc.status1", setter: fld_set}]}, - "streams": {convert: to_long, to:[{field: "rsa.misc.streams", setter: fld_set}]}, - "subcategory": {to:[{field: "rsa.misc.subcategory", setter: fld_set}]}, - "subject": {to:[{field: "rsa.email.subject", setter: fld_set}]}, - "svcno": {to:[{field: "rsa.misc.svcno", setter: fld_set}]}, - "system": {to:[{field: "rsa.misc.system", setter: fld_set}]}, - "t_context": {to:[{field: "rsa.misc.context_target", setter: fld_set}]}, - "task_name": {to:[{field: "rsa.file.task_name", setter: fld_set}]}, - "tbdstr1": {to:[{field: "rsa.misc.tbdstr1", setter: fld_set}]}, - "tbdstr2": {to:[{field: "rsa.misc.tbdstr2", setter: fld_set}]}, - "tbl_name": {to:[{field: "rsa.db.table_name", setter: fld_set}]}, - "tcp_flags": {convert: to_long, to:[{field: 
"rsa.misc.tcp_flags", setter: fld_set}]}, - "terminal": {to:[{field: "rsa.misc.terminal", setter: fld_set}]}, - "tgtdom": {to:[{field: "rsa.misc.tgtdom", setter: fld_set}]}, - "tgtdomain": {to:[{field: "rsa.misc.tgtdomain", setter: fld_set}]}, - "threat_name": {to:[{field: "rsa.threat.threat_category", setter: fld_set}]}, - "threat_source": {to:[{field: "rsa.threat.threat_source", setter: fld_set}]}, - "threat_val": {to:[{field: "rsa.threat.threat_desc", setter: fld_set}]}, - "threshold": {to:[{field: "rsa.misc.threshold", setter: fld_set}]}, - "time": {convert: to_date, to:[{field: "rsa.internal.time", setter: fld_set}]}, - "timestamp": {to:[{field: "rsa.time.timestamp", setter: fld_set}]}, - "timezone": {to:[{field: "rsa.time.timezone", setter: fld_set}]}, - "to": {to:[{field: "rsa.email.email_dst", setter: fld_set}]}, - "tos": {convert: to_long, to:[{field: "rsa.misc.tos", setter: fld_set}]}, - "trans_from": {to:[{field: "rsa.email.trans_from", setter: fld_set}]}, - "trans_id": {to:[{field: "rsa.db.transact_id", setter: fld_set}]}, - "trans_to": {to:[{field: "rsa.email.trans_to", setter: fld_set}]}, - "trigger_desc": {to:[{field: "rsa.misc.trigger_desc", setter: fld_set}]}, - "trigger_val": {to:[{field: "rsa.misc.trigger_val", setter: fld_set}]}, - "type": {to:[{field: "rsa.misc.type", setter: fld_set}]}, - "type1": {to:[{field: "rsa.misc.type1", setter: fld_set}]}, - "tzone": {to:[{field: "rsa.time.tzone", setter: fld_set}]}, - "ubc.req": {convert: to_long, to:[{field: "rsa.internal.ubc_req", setter: fld_set}]}, - "ubc.res": {convert: to_long, to:[{field: "rsa.internal.ubc_res", setter: fld_set}]}, - "udb_class": {to:[{field: "rsa.misc.udb_class", setter: fld_set}]}, - "url_fld": {to:[{field: "rsa.misc.url_fld", setter: fld_set}]}, - "urlpage": {to:[{field: "rsa.web.urlpage", setter: fld_set}]}, - "urlroot": {to:[{field: "rsa.web.urlroot", setter: fld_set}]}, - "user_address": {to:[{field: "rsa.email.email", setter: fld_append}]}, - "user_dept": {to:[{field: 
"rsa.identity.user_dept", setter: fld_set}]}, - "user_div": {to:[{field: "rsa.misc.user_div", setter: fld_set}]}, - "user_fname": {to:[{field: "rsa.identity.firstname", setter: fld_set}]}, - "user_lname": {to:[{field: "rsa.identity.lastname", setter: fld_set}]}, - "user_mname": {to:[{field: "rsa.identity.middlename", setter: fld_set}]}, - "user_org": {to:[{field: "rsa.identity.org", setter: fld_set}]}, - "user_role": {to:[{field: "rsa.identity.user_role", setter: fld_set}]}, - "userid": {to:[{field: "rsa.misc.userid", setter: fld_set}]}, - "username_fld": {to:[{field: "rsa.misc.username_fld", setter: fld_set}]}, - "utcstamp": {to:[{field: "rsa.misc.utcstamp", setter: fld_set}]}, - "v_instafname": {to:[{field: "rsa.misc.v_instafname", setter: fld_set}]}, - "vendor_event_cat": {to:[{field: "rsa.investigations.event_vcat", setter: fld_set}]}, - "version": {to:[{field: "rsa.misc.version", setter: fld_set}]}, - "vid": {to:[{field: "rsa.internal.msg_vid", setter: fld_set}]}, - "virt_data": {to:[{field: "rsa.misc.virt_data", setter: fld_set}]}, - "virusname": {to:[{field: "rsa.misc.virusname", setter: fld_set}]}, - "vlan": {convert: to_long, to:[{field: "rsa.network.vlan", setter: fld_set}]}, - "vlan.name": {to:[{field: "rsa.network.vlan_name", setter: fld_set}]}, - "vm_target": {to:[{field: "rsa.misc.vm_target", setter: fld_set}]}, - "vpnid": {to:[{field: "rsa.misc.vpnid", setter: fld_set}]}, - "vsys": {to:[{field: "rsa.misc.vsys", setter: fld_set}]}, - "vuln_ref": {to:[{field: "rsa.misc.vuln_ref", setter: fld_set}]}, - "web_cookie": {to:[{field: "rsa.web.web_cookie", setter: fld_set}]}, - "web_extension_tmp": {to:[{field: "rsa.web.web_extension_tmp", setter: fld_set}]}, - "web_host": {to:[{field: "rsa.web.alias_host", setter: fld_set}]}, - "web_method": {to:[{field: "rsa.misc.action", setter: fld_append}]}, - "web_page": {to:[{field: "rsa.web.web_page", setter: fld_set}]}, - "web_ref_domain": {to:[{field: "rsa.web.web_ref_domain", setter: fld_set}]}, - "web_ref_host": 
{to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "web_ref_page": {to:[{field: "rsa.web.web_ref_page", setter: fld_set}]}, - "web_ref_query": {to:[{field: "rsa.web.web_ref_query", setter: fld_set}]}, - "web_ref_root": {to:[{field: "rsa.web.web_ref_root", setter: fld_set}]}, - "wifi_channel": {convert: to_long, to:[{field: "rsa.wireless.wlan_channel", setter: fld_set}]}, - "wlan": {to:[{field: "rsa.wireless.wlan_name", setter: fld_set}]}, - "word": {to:[{field: "rsa.internal.word", setter: fld_set}]}, - "workspace_desc": {to:[{field: "rsa.misc.workspace", setter: fld_set}]}, - "workstation": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "year": {to:[{field: "rsa.time.year", setter: fld_set}]}, - "zone": {to:[{field: "rsa.network.zone", setter: fld_set}]}, - }; - - function to_date(value) { - switch (typeof (value)) { - case "object": - // This is a Date. But as it was obtained from evt.Get(), the VM - // doesn't see it as a JS Date anymore, thus value instanceof Date === false. - // Have to trust that any object here is a valid Date for Go. - return value; - case "string": - var asDate = new Date(value); - if (!isNaN(asDate)) return asDate; - } - } - - // ECMAScript 5.1 doesn't have Object.MAX_SAFE_INTEGER / Object.MIN_SAFE_INTEGER. - var maxSafeInt = Math.pow(2, 53) - 1; - var minSafeInt = -maxSafeInt; - - function to_long(value) { - var num = parseInt(value); - // Better not to index a number if it's not safe (above 53 bits). - return !isNaN(num) && minSafeInt <= num && num <= maxSafeInt ? 
num : undefined; - } - - function to_ip(value) { - if (value.indexOf(":") === -1) - return to_ipv4(value); - return to_ipv6(value); - } - - var ipv4_regex = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/; - var ipv6_hex_regex = /^[0-9A-Fa-f]{1,4}$/; - - function to_ipv4(value) { - var result = ipv4_regex.exec(value); - if (result == null || result.length !== 5) return; - for (var i = 1; i < 5; i++) { - var num = strictToInt(result[i]); - if (isNaN(num) || num < 0 || num > 255) return; - } - return value; - } - - function to_ipv6(value) { - var sqEnd = value.indexOf("]"); - if (sqEnd > -1) { - if (value.charAt(0) !== "[") return; - value = value.substr(1, sqEnd - 1); - } - var zoneOffset = value.indexOf("%"); - if (zoneOffset > -1) { - value = value.substr(0, zoneOffset); - } - var parts = value.split(":"); - if (parts == null || parts.length < 3 || parts.length > 8) return; - var numEmpty = 0; - var innerEmpty = 0; - for (var i = 0; i < parts.length; i++) { - if (parts[i].length === 0) { - numEmpty++; - if (i > 0 && i + 1 < parts.length) innerEmpty++; - } else if (!parts[i].match(ipv6_hex_regex) && - // Accept an IPv6 with a valid IPv4 at the end. - ((i + 1 < parts.length) || !to_ipv4(parts[i]))) { - return; - } - } - return innerEmpty === 0 && parts.length === 8 || innerEmpty === 1 ? value : undefined; - } - - function to_double(value) { - return parseFloat(value); - } - - function to_mac(value) { - // ES doesn't have a mac datatype so it's safe to ingest whatever was captured. - return value; - } - - function to_lowercase(value) { - // to_lowercase is used against keyword fields, which can accept - // any other type (numbers, dates). - return typeof(value) === "string"? 
value.toLowerCase() : value; - } - - function fld_set(dst, value) { - dst[this.field] = { v: value }; - } - - function fld_append(dst, value) { - if (dst[this.field] === undefined) { - dst[this.field] = { v: [value] }; - } else { - var base = dst[this.field]; - if (base.v.indexOf(value)===-1) base.v.push(value); - } - } - - function fld_prio(dst, value) { - if (dst[this.field] === undefined) { - dst[this.field] = { v: value, prio: this.prio}; - } else if(this.prio < dst[this.field].prio) { - dst[this.field].v = value; - dst[this.field].prio = this.prio; - } - } - - var valid_ecs_outcome = { - 'failure': true, - 'success': true, - 'unknown': true - }; - - function fld_ecs_outcome(dst, value) { - value = value.toLowerCase(); - if (valid_ecs_outcome[value] === undefined) { - value = 'unknown'; - } - if (dst[this.field] === undefined) { - dst[this.field] = { v: value }; - } else if (dst[this.field].v === 'unknown') { - dst[this.field] = { v: value }; - } - } - - function map_all(evt, targets, value) { - for (var i = 0; i < targets.length; i++) { - evt.Put(targets[i], value); - } - } - - function populate_fields(evt) { - var base = evt.Get(FIELDS_OBJECT); - if (base === null) return; - alternate_datetime(evt); - if (map_ecs) { - do_populate(evt, base, ecs_mappings); - } - if (map_rsa) { - do_populate(evt, base, rsa_mappings); - } - if (keep_raw) { - evt.Put("rsa.raw", base); - } - evt.Delete(FIELDS_OBJECT); - } - - var datetime_alt_components = [ - {field: "day", fmts: [[dF]]}, - {field: "year", fmts: [[dW]]}, - {field: "month", fmts: [[dB],[dG]]}, - {field: "date", fmts: [[dW,dSkip,dG,dSkip,dF],[dW,dSkip,dB,dSkip,dF],[dW,dSkip,dR,dSkip,dF]]}, - {field: "hour", fmts: [[dN]]}, - {field: "min", fmts: [[dU]]}, - {field: "secs", fmts: [[dO]]}, - {field: "time", fmts: [[dN, dSkip, dU, dSkip, dO]]}, - ]; - - function alternate_datetime(evt) { - if (evt.Get(FIELDS_PREFIX + "event_time") != null) { - return; - } - var tzOffset = tz_offset; - if (tzOffset === "event") { - 
tzOffset = evt.Get("event.timezone"); - } - var container = new DateContainer(tzOffset); - for (var i=0; i} %{hostname->} %{messageid}[%{process_id}]: %{payload}", processor_chain([ - setc("header_id","0001"), - ])); - - var hdr2 = match("HEADER#1:0002", "message", "%{hfld1->} %{messageid}[%{process_id}]: %{payload}", processor_chain([ - setc("header_id","0002"), - ])); - - var hdr3 = match("HEADER#2:0003", "message", "%{hfld1->} %{hostname->} reverseproxy: %{payload}", processor_chain([ - setc("header_id","0003"), - setc("messageid","reverseproxy"), - ])); - - var hdr4 = match("HEADER#3:0005", "message", "%{hfld1->} %{hostname->} %{messageid}: %{payload}", processor_chain([ - setc("header_id","0005"), - ])); - - var hdr5 = match("HEADER#4:0004", "message", "%{hfld1->} %{id}[%{process_id}]: %{payload}", processor_chain([ - setc("header_id","0004"), - setc("messageid","astarosg_TVM"), - ])); - - var hdr6 = match("HEADER#5:0006", "message", "device=\"%{product}\" date=%{hdate->} time=%{htime->} timezone=\"%{timezone}\" device_name=\"%{device}\" device_id=%{hardware_id->} log_id=%{id->} %{payload}", processor_chain([ - setc("header_id","0006"), - setc("messageid","Sophos_Firewall"), - ])); - - var select1 = linear_select([ - hdr1, - hdr2, - hdr3, - hdr4, - hdr5, - hdr6, - ]); - - var part1 = match("MESSAGE#0:named:01", "nwparser.payload", "received control channel command '%{action}'", processor_chain([ - dup1, - dup2, - dup3, - ])); - - var msg1 = msg("named:01", part1); - - var part2 = match("MESSAGE#1:named:02", "nwparser.payload", "flushing caches in all views %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - ])); - - var msg2 = msg("named:02", part2); - - var part3 = match("MESSAGE#2:named:03", "nwparser.payload", "error (%{result}) resolving '%{dhost}': %{daddr}#%{dport}", processor_chain([ - dup4, - dup2, - dup3, - ])); - - var msg3 = msg("named:03", part3); - - var part4 = match("MESSAGE#3:named:04", "nwparser.payload", "received %{action->} signal 
to %{fld3}", processor_chain([ - dup5, - dup2, - dup3, - ])); - - var msg4 = msg("named:04", part4); - - var part5 = match("MESSAGE#4:named:05", "nwparser.payload", "loading configuration from '%(unknown)'", processor_chain([ - dup6, - dup2, - dup3, - ])); - - var msg5 = msg("named:05", part5); - - var part6 = match("MESSAGE#5:named:06", "nwparser.payload", "no %{protocol->} interfaces found", processor_chain([ - setc("eventcategory","1804000000"), - dup2, - dup3, - ])); - - var msg6 = msg("named:06", part6); - - var part7 = match("MESSAGE#6:named:07", "nwparser.payload", "sizing zone task pool based on %{fld3->} zones", processor_chain([ - dup7, - dup2, - dup3, - ])); - - var msg7 = msg("named:07", part7); - - var part8 = match("MESSAGE#7:named:08", "nwparser.payload", "automatic empty zone: view %{fld3}: %{dns_ptr_record}", processor_chain([ - dup8, - dup2, - dup3, - ])); - - var msg8 = msg("named:08", part8); - - var part9 = match("MESSAGE#8:named:09", "nwparser.payload", "reloading %{obj_type->} %{disposition}", processor_chain([ - dup7, - dup2, - dup3, - setc("action","reloading"), - ])); - - var msg9 = msg("named:09", part9); - - var part10 = match("MESSAGE#9:named:10", "nwparser.payload", "zone %{dhost}/%{fld3}: loaded serial %{operation_id}", processor_chain([ - dup7, - dup9, - dup2, - dup3, - ])); - - var msg10 = msg("named:10", part10); - - var part11 = match("MESSAGE#10:named:11", "nwparser.payload", "all zones loaded%{}", processor_chain([ - dup7, - dup9, - dup2, - dup3, - setc("action","all zones loaded"), - ])); - - var msg11 = msg("named:11", part11); - - var part12 = match("MESSAGE#11:named:12", "nwparser.payload", "running%{}", processor_chain([ - dup7, - setc("disposition","running"), - dup2, - dup3, - setc("action","running"), - ])); - - var msg12 = msg("named:12", part12); - - var part13 = match("MESSAGE#12:named:13", "nwparser.payload", "using built-in root key for view %{fld3}", processor_chain([ - dup7, - setc("context","built-in root key"), 
- dup2, - dup3, - ])); - - var msg13 = msg("named:13", part13); - - var part14 = match("MESSAGE#13:named:14", "nwparser.payload", "zone %{dns_ptr_record}/%{fld3}: (%{username}) %{action}", processor_chain([ - dup8, - dup2, - dup3, - ])); - - var msg14 = msg("named:14", part14); - - var part15 = match("MESSAGE#14:named:15", "nwparser.payload", "too many timeouts resolving '%{fld3}' (%{fld4}): disabling EDNS", processor_chain([ - dup10, - setc("event_description","named:too many timeouts resolving DNS."), - dup11, - dup2, - ])); - - var msg15 = msg("named:15", part15); - - var part16 = match("MESSAGE#15:named:16", "nwparser.payload", "FORMERR resolving '%{hostname}': %{saddr}#%{fld3}", processor_chain([ - dup10, - setc("event_description","named:FORMERR resolving DNS."), - dup11, - dup2, - ])); - - var msg16 = msg("named:16", part16); - - var part17 = match("MESSAGE#16:named:17", "nwparser.payload", "unexpected RCODE (SERVFAIL) resolving '%{hostname}': %{saddr}#%{fld3}", processor_chain([ - dup10, - setc("event_description","named:unexpected RCODE (SERVFAIL) resolving DNS."), - dup11, - dup2, - ])); - - var msg17 = msg("named:17", part17); - - var select2 = linear_select([ - msg1, - msg2, - msg3, - msg4, - msg5, - msg6, - msg7, - msg8, - msg9, - msg10, - msg11, - msg12, - msg13, - msg14, - msg15, - msg16, - msg17, - ]); - - var part18 = match("MESSAGE#17:httpproxy:09", "nwparser.payload", "Integrated HTTP-Proxy %{version}", processor_chain([ - dup12, - setc("event_description","httpproxy:Integrated HTTP-Proxy."), - dup11, - dup2, - ])); - - var msg18 = msg("httpproxy:09", part18); - - var part19 = match("MESSAGE#18:httpproxy:10", "nwparser.payload", "[%{fld2}] parse_address (%{fld3}) getaddrinfo: passthrough.fw-notify.net: Name or service not known", processor_chain([ - dup10, - setc("event_description","httpproxy:Name or service not known."), - dup11, - dup2, - ])); - - var msg19 = msg("httpproxy:10", part19); - - var part20 = match("MESSAGE#19:httpproxy:11", 
"nwparser.payload", "[%{fld2}] confd_config_filter (%{fld3}) failed to resolve passthrough.fw-notify.net, using %{saddr}", processor_chain([ - dup10, - setc("event_description","httpproxy:failed to resolve passthrough."), - dup11, - dup2, - ])); - - var msg20 = msg("httpproxy:11", part20); - - var part21 = match("MESSAGE#20:httpproxy:12", "nwparser.payload", "[%{fld2}] ssl_log_errors (%{fld3}) %{fld4}ssl handshake failure%{fld5}", processor_chain([ - dup10, - setc("event_description","httpproxy:ssl handshake failure."), - dup11, - dup2, - ])); - - var msg21 = msg("httpproxy:12", part21); - - var part22 = match("MESSAGE#21:httpproxy:13", "nwparser.payload", "[%{fld2}] sc_decrypt (%{fld3}) EVP_DecryptFinal failed", processor_chain([ - dup10, - setc("event_description","httpproxy:EVP_DecryptFinal failed."), - dup11, - dup2, - ])); - - var msg22 = msg("httpproxy:13", part22); - - var part23 = match("MESSAGE#22:httpproxy:14", "nwparser.payload", "[%{fld2}] sc_server_cmd (%{fld3}) decrypt failed", processor_chain([ - dup10, - setc("event_description","httpproxy:decrypt failed."), - dup11, - dup2, - ])); - - var msg23 = msg("httpproxy:14", part23); - - var part24 = match("MESSAGE#23:httpproxy:15", "nwparser.payload", "[%{fld2}] clamav_reload (%{fld3}) %{info}", processor_chain([ - dup12, - setc("event_description","httpproxy:reloading av pattern"), - dup11, - dup2, - ])); - - var msg24 = msg("httpproxy:15", part24); - - var part25 = match("MESSAGE#24:httpproxy:16", "nwparser.payload", "[%{fld2}] sc_check_servers (%{fld3}) server '%{hostname}' access time: %{fld4}", processor_chain([ - dup12, - setc("event_description","httpproxy:sc_check_servers.Server checked."), - dup11, - dup2, - ])); - - var msg25 = msg("httpproxy:16", part25); - - var part26 = match("MESSAGE#25:httpproxy:17", "nwparser.payload", "[%{fld2}] main (%{fld3}) shutdown finished, exiting", processor_chain([ - dup12, - setc("event_description","httpproxy:shutdown finished, exiting."), - dup11, - dup2, - ])); 
- - var msg26 = msg("httpproxy:17", part26); - - var part27 = match("MESSAGE#26:httpproxy:18", "nwparser.payload", "[%{fld2}] main (%{fld3}) reading configuration", processor_chain([ - dup12, - setc("event_description","httpproxy:"), - dup11, - dup2, - ])); - - var msg27 = msg("httpproxy:18", part27); - - var part28 = match("MESSAGE#27:httpproxy:19", "nwparser.payload", "[%{fld2}] main (%{fld3}) reading profiles", processor_chain([ - dup12, - setc("event_description","httpproxy:reading profiles"), - dup11, - dup2, - ])); - - var msg28 = msg("httpproxy:19", part28); - - var part29 = match("MESSAGE#28:httpproxy:20", "nwparser.payload", "[%{fld2}] main (%{fld3}) finished startup", processor_chain([ - dup12, - setc("event_description","httpproxy:finished startup"), - dup11, - dup2, - ])); - - var msg29 = msg("httpproxy:20", part29); - - var part30 = match("MESSAGE#29:httpproxy:21", "nwparser.payload", "[%{fld2}] read_request_headers (%{fld3}) %{info}", processor_chain([ - dup12, - setc("event_description","httpproxy:read_request_headers related message."), - dup11, - dup2, - ])); - - var msg30 = msg("httpproxy:21", part30); - - var part31 = match("MESSAGE#30:httpproxy:22", "nwparser.payload", "[%{fld2}] epoll_loop (%{fld3}) %{info}", processor_chain([ - dup12, - setc("event_description","httpproxy:epoll_loop related message."), - dup11, - dup2, - ])); - - var msg31 = msg("httpproxy:22", part31); - - var part32 = match("MESSAGE#31:httpproxy:23", "nwparser.payload", "[%{fld2}] scan_exit (%{fld3}) %{info}", processor_chain([ - dup12, - setc("event_description","httpproxy:scan_exit related message."), - dup11, - dup2, - ])); - - var msg32 = msg("httpproxy:23", part32); - - var part33 = match("MESSAGE#32:httpproxy:24", "nwparser.payload", "[%{fld2}] epoll_exit (%{fld3}) %{info}", processor_chain([ - dup12, - setc("event_description","httpproxy:epoll_exit related message."), - dup11, - dup2, - ])); - - var msg33 = msg("httpproxy:24", part33); - - var part34 = 
match("MESSAGE#33:httpproxy:25", "nwparser.payload", "[%{fld2}] disk_cache_exit (%{fld3}) %{info}", processor_chain([ - dup12, - setc("event_description","httpproxy:disk_cache_exit related message."), - dup11, - dup2, - ])); - - var msg34 = msg("httpproxy:25", part34); - - var part35 = match("MESSAGE#34:httpproxy:26", "nwparser.payload", "[%{fld2}] disk_cache_zap (%{fld3}) %{info}", processor_chain([ - dup12, - setc("event_description","httpproxy:disk_cache_zap related message."), - dup11, - dup2, - ])); - - var msg35 = msg("httpproxy:26", part35); - - var part36 = match("MESSAGE#35:httpproxy:27", "nwparser.payload", "[%{fld2}] scanner_init (%{fld3}) %{info}", processor_chain([ - dup12, - setc("event_description","httpproxy:scanner_init related message."), - dup11, - dup2, - ])); - - var msg36 = msg("httpproxy:27", part36); - - var part37 = tagval("MESSAGE#36:httpproxy:01", "nwparser.payload", tvm, { - "action": "action", - "ad_domain": "fld1", - "app-id": "fld18", - "application": "fld17", - "auth": "fld10", - "authtime": "fld4", - "avscantime": "fld7", - "cached": "fld2", - "category": "policy_id", - "categoryname": "info", - "cattime": "fld6", - "content-type": "content_type", - "device": "fld9", - "dnstime": "fld5", - "dstip": "daddr", - "error": "result", - "exceptions": "fld12", - "extension": "fld13", - "file": "filename", - "filename": "filename", - "filteraction": "fld3", - "fullreqtime": "fld8", - "function": "action", - "group": "group", - "id": "rule", - "line": "fld14", - "message": "context", - "method": "web_method", - "name": "event_description", - "profile": "policyname", - "reason": "rule_group", - "referer": "web_referer", - "reputation": "fld16", - "request": "connectionid", - "severity": "severity", - "size": "rbytes", - "srcip": "saddr", - "statuscode": "resultcode", - "sub": "network_service", - "sys": "vsys", - "time": "fld15", - "ua": "fld11", - "url": "url", - "user": "username", - }, processor_chain([ - dup13, - dup11, - dup2, - dup45, - 
dup46, - ])); - - var msg37 = msg("httpproxy:01", part37); - - var select3 = linear_select([ - msg18, - msg19, - msg20, - msg21, - msg22, - msg23, - msg24, - msg25, - msg26, - msg27, - msg28, - msg29, - msg30, - msg31, - msg32, - msg33, - msg34, - msg35, - msg36, - msg37, - ]); - - var part38 = match("MESSAGE#37:URID:01", "nwparser.payload", "T=%{fld3->} ------ 1 - [exit] %{action}: %{disposition}", processor_chain([ - dup16, - dup2, - dup3, - ])); - - var msg38 = msg("URID:01", part38); - - var part39 = tagval("MESSAGE#38:ulogd:01", "nwparser.payload", tvm, { - "action": "action", - "code": "fld30", - "dstip": "daddr", - "dstmac": "dmacaddr", - "dstport": "dport", - "fwrule": "policy_id", - "id": "rule", - "info": "context", - "initf": "sinterface", - "length": "fld25", - "name": "event_description", - "outitf": "dinterface", - "prec": "fld27", - "proto": "fld24", - "seq": "fld23", - "severity": "severity", - "srcip": "saddr", - "srcmac": "smacaddr", - "srcport": "sport", - "sub": "network_service", - "sys": "vsys", - "tcpflags": "fld29", - "tos": "fld26", - "ttl": "fld28", - "type": "fld31", - }, processor_chain([ - dup13, - setc("ec_subject","NetworkComm"), - setc("ec_activity","Scan"), - setc("ec_theme","TEV"), - dup11, - dup2, - dup45, - dup46, - ])); - - var msg39 = msg("ulogd:01", part39); - - var part40 = match("MESSAGE#39:reverseproxy:01", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] ModSecurity for Apache/%{fld5->} (%{fld6}) configured.", processor_chain([ - dup6, - setc("disposition","configured"), - dup2, - dup3, - ])); - - var msg40 = msg("reverseproxy:01", part40); - - var part41 = match("MESSAGE#40:reverseproxy:02", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] ModSecurity: %{fld5->} compiled version=\"%{fld6}\"; loaded version=\"%{fld7}\"", processor_chain([ - dup17, - dup2, - dup3, - ])); - - var msg41 = msg("reverseproxy:02", part41); - - var part42 = 
match("MESSAGE#41:reverseproxy:03", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] ModSecurity: %{fld5->} compiled version=\"%{fld6}\"", processor_chain([ - dup17, - dup2, - dup3, - ])); - - var msg42 = msg("reverseproxy:03", part42); - - var part43 = match("MESSAGE#42:reverseproxy:04", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] %{fld5->} configured -- %{disposition->} normal operations", processor_chain([ - dup17, - setc("event_id","AH00292"), - dup2, - dup3, - ])); - - var msg43 = msg("reverseproxy:04", part43); - - var part44 = match("MESSAGE#43:reverseproxy:06", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [%{fld5}] Hostname in %{network_service->} request (%{fld6}) does not match the server name (%{ddomain})", processor_chain([ - setc("eventcategory","1805010000"), - dup18, - dup2, - dup3, - ])); - - var msg44 = msg("reverseproxy:06", part44); - - var part45 = match("MESSAGE#44:reverseproxy:07/0", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] AH00297: %{action->} received. 
Doing%{p0}"); - - var select4 = linear_select([ - dup19, - ]); - - var part46 = match("MESSAGE#44:reverseproxy:07/2", "nwparser.p0", "%{}graceful %{disposition}"); - - var all1 = all_match({ - processors: [ - part45, - select4, - part46, - ], - on_success: processor_chain([ - dup5, - setc("event_id","AH00297"), - dup2, - dup3, - ]), - }); - - var msg45 = msg("reverseproxy:07", all1); - - var part47 = match("MESSAGE#45:reverseproxy:08", "nwparser.payload", "AH00112: Warning: DocumentRoot [%{web_root}] does not exist", processor_chain([ - dup4, - setc("event_id","AH00112"), - dup2, - dup3, - ])); - - var msg46 = msg("reverseproxy:08", part47); - - var part48 = match("MESSAGE#46:reverseproxy:09", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] AH00094: Command line: '%{web_root}'", processor_chain([ - setc("eventcategory","1605010000"), - setc("event_id","AH00094"), - dup2, - dup3, - ])); - - var msg47 = msg("reverseproxy:09", part48); - - var part49 = match("MESSAGE#47:reverseproxy:10", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] AH00291: long lost child came home! 
(pid %{fld5})", processor_chain([ - dup12, - setc("event_id","AH00291"), - dup2, - dup3, - ])); - - var msg48 = msg("reverseproxy:10", part49); - - var part50 = match("MESSAGE#48:reverseproxy:11", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] AH02572: Failed to configure at least one certificate and key for %{fld5}:%{fld6}", processor_chain([ - dup20, - setc("event_id","AH02572"), - dup2, - dup3, - ])); - - var msg49 = msg("reverseproxy:11", part50); - - var part51 = match("MESSAGE#49:reverseproxy:12", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] SSL Library Error: error:%{resultcode}:%{result}", processor_chain([ - dup20, - setc("context","SSL Library Error"), - dup2, - dup3, - ])); - - var msg50 = msg("reverseproxy:12", part51); - - var part52 = match("MESSAGE#50:reverseproxy:13", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] AH02312: Fatal error initialising mod_ssl, %{disposition}.", processor_chain([ - dup20, - setc("result","Fatal error"), - setc("event_id","AH02312"), - dup2, - dup3, - ])); - - var msg51 = msg("reverseproxy:13", part52); - - var part53 = match("MESSAGE#51:reverseproxy:14", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] AH00020: Configuration Failed, %{disposition}", processor_chain([ - dup20, - setc("result","Configuration Failed"), - setc("event_id","AH00020"), - dup2, - dup3, - ])); - - var msg52 = msg("reverseproxy:14", part53); - - var part54 = match("MESSAGE#52:reverseproxy:15", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] AH00098: pid file %{filename->} overwritten -- Unclean shutdown of previous Apache run?", processor_chain([ - setc("eventcategory","1609000000"), - setc("context","Unclean shutdown"), - setc("event_id","AH00098"), - dup2, - dup3, - ])); - - var msg53 = msg("reverseproxy:15", part54); - - var part55 = 
match("MESSAGE#53:reverseproxy:16", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] AH00295: caught %{action}, %{disposition}", processor_chain([ - dup16, - setc("event_id","AH00295"), - dup2, - dup3, - ])); - - var msg54 = msg("reverseproxy:16", part55); - - var part56 = match("MESSAGE#54:reverseproxy:17/0", "nwparser.payload", "[%{fld3}] [%{event_log}:%{result}] [pid %{process_id}:%{fld4}] [client %{gateway}] ModSecurity: Warning. %{rulename->} [file \"%(unknown)\"] [line \"%{fld5}\"] [id \"%{rule}\"]%{p0}"); - - var part57 = match("MESSAGE#54:reverseproxy:17/1_0", "nwparser.p0", " [rev \"%{fld6}\"]%{p0}"); - - var select5 = linear_select([ - part57, - dup19, - ]); - - var part58 = match("MESSAGE#54:reverseproxy:17/2", "nwparser.p0", "%{}[msg \"%{comments}\"] [data \"%{daddr}\"] [severity \"%{severity}\"] [ver \"%{policyname}\"] [maturity \"%{fld7}\"] [accuracy \"%{fld8}\"] %{context->} [hostname \"%{dhost}\"] [uri \"%{web_root}\"] [unique_id \"%{operation_id}\"]"); - - var all2 = all_match({ - processors: [ - part56, - select5, - part58, - ], - on_success: processor_chain([ - dup21, - dup2, - dup3, - ]), - }); - - var msg55 = msg("reverseproxy:17", all2); - - var part59 = match("MESSAGE#55:reverseproxy:18", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] No signature found, cookie: %{fld5}", processor_chain([ - dup4, - dup22, - dup2, - dup3, - ])); - - var msg56 = msg("reverseproxy:18", part59); - - var part60 = match("MESSAGE#56:reverseproxy:19", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] %{disposition->} '%{fld5}' from request due to missing/invalid signature", processor_chain([ - dup23, - dup22, - dup2, - dup3, - ])); - - var msg57 = msg("reverseproxy:19", part60); - - var part61 = match("MESSAGE#57:reverseproxy:20", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] 
[client %{gateway}] ModSecurity: Warning. %{rulename->} [file \"%(unknown)\"] [line \"%{fld5}\"] [id \"%{rule}\"] [msg \"%{comments}\"] [hostname \"%{dhost}\"] [uri \"%{web_root}\"] [unique_id \"%{operation_id}\"]", processor_chain([ - dup21, - dup2, - dup3, - ])); - - var msg58 = msg("reverseproxy:20", part61); - - var part62 = match("MESSAGE#58:reverseproxy:21", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] AH01909: %{daddr}:%{dport}:%{fld5->} server certificate does NOT include an ID which matches the server name", processor_chain([ - dup20, - dup18, - setc("event_id","AH01909"), - dup2, - dup3, - ])); - - var msg59 = msg("reverseproxy:21", part62); - - var part63 = match("MESSAGE#59:reverseproxy:22", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] AH01915: Init: (%{daddr}:%{dport}) You configured %{network_service}(%{fld5}) on the %{fld6}(%{fld7}) port!", processor_chain([ - dup20, - setc("comments","Invalid port configuration"), - dup2, - dup3, - ])); - - var msg60 = msg("reverseproxy:22", part63); - - var part64 = match("MESSAGE#60:reverseproxy:23", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] ModSecurity: Rule %{rulename->} [id \"%{rule}\"][file \"%(unknown)\"][line \"%{fld5}\"] - Execution error - PCRE limits exceeded (%{fld6}): (%{fld7}). 
[hostname \"%{dhost}\"] [uri \"%{web_root}\"] [unique_id \"%{operation_id}\"]", processor_chain([ - dup21, - dup2, - dup3, - ])); - - var msg61 = msg("reverseproxy:23", part64); - - var part65 = match("MESSAGE#61:reverseproxy:24", "nwparser.payload", "rManage\\\\x22,\\\\x22manageLiveSystemSettings\\\\x22,\\\\x22accessViewJobs\\\\x22,\\\\x22exportList\\\\...\"] [ver \"%{policyname}\"] [maturity \"%{fld3}\"] [accuracy \"%{fld4}\"] %{context->} [hostname \"%{dhost}\"] [uri \"%{web_root}\"] [unique_id \"%{operation_id}\"]", processor_chain([ - dup21, - dup2, - dup3, - ])); - - var msg62 = msg("reverseproxy:24", part65); - - var part66 = match("MESSAGE#62:reverseproxy:25", "nwparser.payload", "ARGS:userPermissions: [\\\\x22dashletAccessAlertingRecentAlertsPanel\\\\x22,\\\\x22dashletAccessAlerterTopAlertsDashlet\\\\x22,\\\\x22accessViewRules\\\\x22,\\\\x22deployLiveResources\\\\x22,\\\\x22vi...\"] [severity [hostname \"%{dhost}\"] [uri \"%{web_root}\"] [unique_id \"%{operation_id}\"]", processor_chain([ - dup21, - dup2, - dup3, - ])); - - var msg63 = msg("reverseproxy:25", part66); - - var part67 = match("MESSAGE#63:reverseproxy:26/0", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] ModSecurity: %{disposition->} with code %{resultcode->} (%{fld5}). 
%{rulename->} [file \"%(unknown)\"] [line \"%{fld6}\"] [id \"%{rule}\"]%{p0}"); - - var part68 = match("MESSAGE#63:reverseproxy:26/1_0", "nwparser.p0", " [rev \"%{fld7}\"]%{p0}"); - - var select6 = linear_select([ - part68, - dup19, - ]); - - var part69 = match("MESSAGE#63:reverseproxy:26/2", "nwparser.p0", "%{}[msg \"%{comments}\"] [data \"Last Matched Data: %{p0}"); - - var part70 = match("MESSAGE#63:reverseproxy:26/3_0", "nwparser.p0", "%{daddr}:%{dport}\"] [hostname \"%{p0}"); - - var part71 = match("MESSAGE#63:reverseproxy:26/3_1", "nwparser.p0", "%{daddr}\"] [hostname \"%{p0}"); - - var select7 = linear_select([ - part70, - part71, - ]); - - var part72 = match("MESSAGE#63:reverseproxy:26/4", "nwparser.p0", "%{dhost}\"] [uri \"%{web_root}\"] [unique_id \"%{operation_id}\"]"); - - var all3 = all_match({ - processors: [ - part67, - select6, - part69, - select7, - part72, - ], - on_success: processor_chain([ - dup24, - dup2, - dup3, - ]), - }); - - var msg64 = msg("reverseproxy:26", all3); - - var part73 = match("MESSAGE#64:reverseproxy:27", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] [%{fld5}] %{disposition->} while reading reply from cssd, referer: %{web_referer}", processor_chain([ - dup25, - dup2, - dup3, - ])); - - var msg65 = msg("reverseproxy:27", part73); - - var part74 = match("MESSAGE#65:reverseproxy:28", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] [%{fld5}] virus daemon error found in request %{web_root}, referer: %{web_referer}", processor_chain([ - dup26, - setc("result","virus daemon error"), - dup2, - dup3, - ])); - - var msg66 = msg("reverseproxy:28", part74); - - var part75 = match("MESSAGE#66:reverseproxy:29", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] mod_avscan_input_filter: virus found, referer: %{web_referer}", processor_chain([ - dup27, - 
setc("result","virus found"), - dup2, - dup3, - ])); - - var msg67 = msg("reverseproxy:29", part75); - - var part76 = match("MESSAGE#67:reverseproxy:30", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] (13)%{result}: [client %{gateway}] AH01095: prefetch request body failed to %{saddr}:%{sport->} (%{fld5}) from %{fld6->} (), referer: %{web_referer}", processor_chain([ - dup24, - dup28, - dup2, - dup3, - ])); - - var msg68 = msg("reverseproxy:30", part76); - - var part77 = match("MESSAGE#68:reverseproxy:31", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] [%{fld5}] cannot read reply: Operation now in progress (115), referer: %{web_referer}", processor_chain([ - dup25, - setc("result","Cannot read reply"), - dup2, - dup3, - ])); - - var msg69 = msg("reverseproxy:31", part77); - - var part78 = match("MESSAGE#69:reverseproxy:32", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] [%{fld5}] cannot connect: %{result->} (111), referer: %{web_referer}", processor_chain([ - dup25, - dup2, - dup3, - ])); - - var msg70 = msg("reverseproxy:32", part78); - - var part79 = match("MESSAGE#70:reverseproxy:33", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] [%{fld5}] cannot connect: %{result->} (111)", processor_chain([ - dup25, - dup2, - dup3, - ])); - - var msg71 = msg("reverseproxy:33", part79); - - var part80 = match("MESSAGE#71:reverseproxy:34", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] [%{fld5}] virus daemon connection problem found in request %{url}, referer: %{web_referer}", processor_chain([ - dup26, - dup29, - dup2, - dup3, - ])); - - var msg72 = msg("reverseproxy:34", part80); - - var part81 = match("MESSAGE#72:reverseproxy:35", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid 
%{process_id}:%{fld4}] [client %{gateway}] [%{fld5}] virus daemon connection problem found in request %{url}", processor_chain([ - dup26, - dup29, - dup2, - dup3, - ])); - - var msg73 = msg("reverseproxy:35", part81); - - var part82 = match("MESSAGE#73:reverseproxy:36", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] mod_avscan_input_filter: virus found", processor_chain([ - dup27, - setc("result","Virus found"), - dup2, - dup3, - ])); - - var msg74 = msg("reverseproxy:36", part82); - - var part83 = match("MESSAGE#74:reverseproxy:37", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] (13)%{result}: [client %{gateway}] AH01095: prefetch request body failed to %{saddr}:%{sport->} (%{fld5}) from %{fld6->} ()", processor_chain([ - dup24, - dup28, - dup2, - dup3, - ])); - - var msg75 = msg("reverseproxy:37", part83); - - var part84 = match("MESSAGE#75:reverseproxy:38", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] Invalid signature, cookie: JSESSIONID", processor_chain([ - dup25, - dup2, - dup3, - ])); - - var msg76 = msg("reverseproxy:38", part84); - - var part85 = match("MESSAGE#76:reverseproxy:39", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] Form validation failed: Received unhardened form data, referer: %{web_referer}", processor_chain([ - dup23, - setc("result","Form validation failed"), - dup2, - dup3, - ])); - - var msg77 = msg("reverseproxy:39", part85); - - var part86 = match("MESSAGE#77:reverseproxy:40", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] [%{fld5}] sending trickle failed: 103", processor_chain([ - dup25, - setc("result","Sending trickle failed"), - dup2, - dup3, - ])); - - var msg78 = msg("reverseproxy:40", part86); - - var part87 = match("MESSAGE#78:reverseproxy:41", 
"nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] [%{fld5}] client requesting %{web_root->} has %{disposition}", processor_chain([ - dup30, - dup2, - dup3, - ])); - - var msg79 = msg("reverseproxy:41", part87); - - var part88 = match("MESSAGE#79:reverseproxy:42", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] [%{fld5}] mod_avscan_check_file_single_part() called with parameter filename=%(unknown)", processor_chain([ - setc("eventcategory","1603050000"), - dup2, - dup3, - ])); - - var msg80 = msg("reverseproxy:42", part88); - - var part89 = match("MESSAGE#80:reverseproxy:43", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] (70007)The %{disposition->} specified has expired: [client %{gateway}] AH01110: error reading response", processor_chain([ - dup30, - setc("event_id","AH01110"), - setc("result","Error reading response"), - dup2, - dup3, - ])); - - var msg81 = msg("reverseproxy:43", part89); - - var part90 = match("MESSAGE#81:reverseproxy:44", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] (22)%{result}: [client %{gateway}] No form context found when parsing %{fld5->} tag, referer: %{web_referer}", processor_chain([ - setc("eventcategory","1601020000"), - setc("result","No form context found"), - dup2, - dup3, - ])); - - var msg82 = msg("reverseproxy:44", part90); - - var part91 = match("MESSAGE#82:reverseproxy:45", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] (111)%{result}: AH00957: %{network_service}: attempt to connect to %{daddr}:%{dport->} (%{fld5}) failed", processor_chain([ - dup25, - setc("event_id","AH00957"), - dup2, - dup3, - ])); - - var msg83 = msg("reverseproxy:45", part91); - - var part92 = match("MESSAGE#83:reverseproxy:46", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] AH00959: 
ap_proxy_connect_backend disabling worker for (%{daddr}) for %{processing_time}s", processor_chain([ - dup16, - setc("event_id","AH00959"), - setc("result","disabling worker"), - dup2, - dup3, - ])); - - var msg84 = msg("reverseproxy:46", part92); - - var part93 = match("MESSAGE#84:reverseproxy:47", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] [%{fld5}] not all the file sent to the client: %{fld6}, referer: %{web_referer}", processor_chain([ - setc("eventcategory","1801000000"), - setc("context","Not all file sent to client"), - dup2, - dup3, - ])); - - var msg85 = msg("reverseproxy:47", part93); - - var part94 = match("MESSAGE#85:reverseproxy:48", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] AH01114: %{network_service}: failed to make connection to backend: %{daddr}, referer: %{web_referer}", processor_chain([ - dup25, - dup31, - dup32, - dup2, - dup3, - ])); - - var msg86 = msg("reverseproxy:48", part94); - - var part95 = match("MESSAGE#86:reverseproxy:49", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] AH01114: %{network_service}: failed to make connection to backend: %{daddr}", processor_chain([ - dup25, - dup31, - dup32, - dup2, - dup3, - ])); - - var msg87 = msg("reverseproxy:49", part95); - - var part96 = tagval("MESSAGE#87:reverseproxy:05", "nwparser.payload", tvm, { - "cookie": "web_cookie", - "exceptions": "policy_waiver", - "extra": "info", - "host": "dhost", - "id": "policy_id", - "localip": "fld3", - "method": "web_method", - "reason": "comments", - "referer": "web_referer", - "server": "daddr", - "set-cookie": "fld5", - "size": "fld4", - "srcip": "saddr", - "statuscode": "resultcode", - "time": "processing_time", - "url": "web_root", - "user": "username", - }, processor_chain([ - setc("eventcategory","1802000000"), - dup2, - dup3, - ])); - - var msg88 = 
msg("reverseproxy:05", part96); - - var select8 = linear_select([ - msg40, - msg41, - msg42, - msg43, - msg44, - msg45, - msg46, - msg47, - msg48, - msg49, - msg50, - msg51, - msg52, - msg53, - msg54, - msg55, - msg56, - msg57, - msg58, - msg59, - msg60, - msg61, - msg62, - msg63, - msg64, - msg65, - msg66, - msg67, - msg68, - msg69, - msg70, - msg71, - msg72, - msg73, - msg74, - msg75, - msg76, - msg77, - msg78, - msg79, - msg80, - msg81, - msg82, - msg83, - msg84, - msg85, - msg86, - msg87, - msg88, - ]); - - var part97 = tagval("MESSAGE#88:confd-sync", "nwparser.payload", tvm, { - "id": "fld5", - "name": "event_description", - "severity": "severity", - "sub": "service", - "sys": "fld2", - }, processor_chain([ - dup1, - dup11, - dup2, - ])); - - var msg89 = msg("confd-sync", part97); - - var part98 = tagval("MESSAGE#89:confd:01", "nwparser.payload", tvm, { - "account": "logon_id", - "attributes": "obj_name", - "class": "group_object", - "client": "fld3", - "count": "fld4", - "facility": "logon_type", - "id": "fld1", - "name": "event_description", - "node": "node", - "object": "fld6", - "severity": "severity", - "srcip": "saddr", - "storage": "directory", - "sub": "service", - "sys": "fld2", - "type": "obj_type", - "user": "username", - "version": "version", - }, processor_chain([ - dup1, - dup11, - dup2, - ])); - - var msg90 = msg("confd:01", part98); - - var part99 = match("MESSAGE#90:frox", "nwparser.payload", "Frox started%{}", processor_chain([ - dup12, - setc("event_description","frox:FTP Proxy Frox started."), - dup11, - dup2, - ])); - - var msg91 = msg("frox", part99); - - var part100 = match("MESSAGE#91:frox:01", "nwparser.payload", "Listening on %{saddr}:%{sport}", processor_chain([ - dup12, - setc("event_description","frox:FTP Proxy listening on port."), - dup11, - dup2, - ])); - - var msg92 = msg("frox:01", part100); - - var part101 = match("MESSAGE#92:frox:02", "nwparser.payload", "Dropped privileges%{}", processor_chain([ - dup12, - 
setc("event_description","frox:FTP Proxy dropped priveleges."), - dup11, - dup2, - ])); - - var msg93 = msg("frox:02", part101); - - var select9 = linear_select([ - msg91, - msg92, - msg93, - ]); - - var part102 = match("MESSAGE#93:afcd", "nwparser.payload", "Classifier configuration reloaded successfully%{}", processor_chain([ - dup12, - setc("event_description","afcd: IM/P2P Classifier configuration reloaded successfully."), - dup11, - dup2, - ])); - - var msg94 = msg("afcd", part102); - - var part103 = match("MESSAGE#94:ipsec_starter", "nwparser.payload", "Starting strongSwan %{fld2->} IPsec [starter]...", processor_chain([ - dup12, - setc("event_description","ipsec_starter: Starting strongSwan 4.2.3 IPsec [starter]..."), - dup11, - dup2, - ])); - - var msg95 = msg("ipsec_starter", part103); - - var part104 = match("MESSAGE#95:ipsec_starter:01", "nwparser.payload", "IP address or index of physical interface changed -> reinit of ipsec interface%{}", processor_chain([ - dup12, - setc("event_description","ipsec_starter: IP address or index of physical interface changed."), - dup11, - dup2, - ])); - - var msg96 = msg("ipsec_starter:01", part104); - - var select10 = linear_select([ - msg95, - msg96, - ]); - - var part105 = match("MESSAGE#96:pluto", "nwparser.payload", "Starting Pluto (%{info})", processor_chain([ - dup12, - setc("event_description","pluto: Starting Pluto."), - dup11, - dup2, - ])); - - var msg97 = msg("pluto", part105); - - var part106 = match("MESSAGE#97:pluto:01", "nwparser.payload", "including NAT-Traversal patch (%{info})", processor_chain([ - dup12, - setc("event_description","pluto: including NAT-Traversal patch."), - dup11, - dup2, - ])); - - var msg98 = msg("pluto:01", part106); - - var part107 = match("MESSAGE#98:pluto:02", "nwparser.payload", "ike_alg: Activating %{info->} encryption: Ok", processor_chain([ - dup33, - setc("event_description","pluto: Activating encryption algorithm."), - dup11, - dup2, - ])); - - var msg99 = msg("pluto:02", 
part107); - - var part108 = match("MESSAGE#99:pluto:03", "nwparser.payload", "ike_alg: Activating %{info->} hash: Ok", processor_chain([ - dup33, - setc("event_description","pluto: Activating hash algorithm."), - dup11, - dup2, - ])); - - var msg100 = msg("pluto:03", part108); - - var part109 = match("MESSAGE#100:pluto:04", "nwparser.payload", "Testing registered IKE encryption algorithms:%{}", processor_chain([ - dup12, - setc("event_description","pluto: Testing registered IKE encryption algorithms"), - dup11, - dup2, - ])); - - var msg101 = msg("pluto:04", part109); - - var part110 = match("MESSAGE#101:pluto:05", "nwparser.payload", "%{info->} self-test not available", processor_chain([ - dup12, - setc("event_description","pluto: Algorithm self-test not available."), - dup11, - dup2, - ])); - - var msg102 = msg("pluto:05", part110); - - var part111 = match("MESSAGE#102:pluto:06", "nwparser.payload", "%{info->} self-test passed", processor_chain([ - dup12, - setc("event_description","pluto: Algorithm self-test passed."), - dup11, - dup2, - ])); - - var msg103 = msg("pluto:06", part111); - - var part112 = match("MESSAGE#103:pluto:07", "nwparser.payload", "Using KLIPS IPsec interface code%{}", processor_chain([ - dup12, - setc("event_description","pluto: Using KLIPS IPsec interface code"), - dup11, - dup2, - ])); - - var msg104 = msg("pluto:07", part112); - - var part113 = match("MESSAGE#104:pluto:08", "nwparser.payload", "adding interface %{interface->} %{saddr}:%{sport}", processor_chain([ - dup12, - setc("event_description","pluto: adding interface"), - dup11, - dup2, - ])); - - var msg105 = msg("pluto:08", part113); - - var part114 = match("MESSAGE#105:pluto:09", "nwparser.payload", "loading secrets from \"%(unknown)\"", processor_chain([ - dup34, - setc("event_description","pluto: loading secrets"), - dup11, - dup2, - ])); - - var msg106 = msg("pluto:09", part114); - - var part115 = match("MESSAGE#106:pluto:10", "nwparser.payload", "loaded private key file 
'%(unknown)' (%{filename_size->} bytes)", processor_chain([ - dup34, - setc("event_description","pluto: loaded private key file"), - dup11, - dup2, - ])); - - var msg107 = msg("pluto:10", part115); - - var part116 = match("MESSAGE#107:pluto:11", "nwparser.payload", "added connection description \"%{fld2}\"", processor_chain([ - dup12, - setc("event_description","pluto: added connection description"), - dup11, - dup2, - ])); - - var msg108 = msg("pluto:11", part116); - - var part117 = match("MESSAGE#108:pluto:12", "nwparser.payload", "\"%{fld2}\" #%{fld3}: initiating Main Mode", processor_chain([ - dup12, - dup35, - dup11, - dup2, - ])); - - var msg109 = msg("pluto:12", part117); - - var part118 = match("MESSAGE#109:pluto:13", "nwparser.payload", "\"%{fld2}\" #%{fld3}: max number of retransmissions (%{fld4}) reached STATE_MAIN_I1. No response (or no acceptable response) to our first IKE message", processor_chain([ - dup10, - dup36, - dup11, - dup2, - ])); - - var msg110 = msg("pluto:13", part118); - - var part119 = match("MESSAGE#110:pluto:14", "nwparser.payload", "\"%{fld2}\" #%{fld3}: starting keying attempt %{fld4->} of an unlimited number", processor_chain([ - dup12, - dup37, - dup11, - dup2, - ])); - - var msg111 = msg("pluto:14", part119); - - var part120 = match("MESSAGE#111:pluto:15", "nwparser.payload", "forgetting secrets%{}", processor_chain([ - dup12, - setc("event_description","pluto:forgetting secrets"), - dup11, - dup2, - ])); - - var msg112 = msg("pluto:15", part120); - - var part121 = match("MESSAGE#112:pluto:17", "nwparser.payload", "Changing to directory '%{directory}'", processor_chain([ - dup12, - setc("event_description","pluto:Changing to directory"), - dup11, - dup2, - ])); - - var msg113 = msg("pluto:17", part121); - - var part122 = match("MESSAGE#113:pluto:18", "nwparser.payload", "| *time to handle event%{}", processor_chain([ - dup12, - setc("event_description","pluto:*time to handle event"), - dup11, - dup2, - ])); - - var msg114 = 
msg("pluto:18", part122); - - var part123 = match("MESSAGE#114:pluto:19", "nwparser.payload", "| *received kernel message%{}", processor_chain([ - dup12, - setc("event_description","pluto:*received kernel message"), - dup11, - dup2, - ])); - - var msg115 = msg("pluto:19", part123); - - var part124 = match("MESSAGE#115:pluto:20", "nwparser.payload", "| rejected packet:%{}", processor_chain([ - dup25, - setc("event_description","pluto:rejected packet"), - dup11, - dup2, - ])); - - var msg116 = msg("pluto:20", part124); - - var part125 = match("MESSAGE#116:pluto:21", "nwparser.payload", "| next event %{event_type->} in %{fld2->} seconds for #%{fld3}", processor_chain([ - dup12, - dup11, - dup2, - ])); - - var msg117 = msg("pluto:21", part125); - - var part126 = match("MESSAGE#117:pluto:22", "nwparser.payload", "| next event %{event_type->} in %{fld2->} seconds", processor_chain([ - dup12, - dup11, - dup2, - ])); - - var msg118 = msg("pluto:22", part126); - - var part127 = match("MESSAGE#118:pluto:23", "nwparser.payload", "| inserting event %{event_type->} in %{fld2->} seconds for #%{fld3}", processor_chain([ - dup12, - dup11, - dup2, - ])); - - var msg119 = msg("pluto:23", part127); - - var part128 = match("MESSAGE#119:pluto:24", "nwparser.payload", "| event after this is %{event_type->} in %{fld2->} seconds", processor_chain([ - dup12, - dup11, - dup2, - ])); - - var msg120 = msg("pluto:24", part128); - - var part129 = match("MESSAGE#120:pluto:25", "nwparser.payload", "| recent %{action->} activity %{fld2->} seconds ago, %{info}", processor_chain([ - dup12, - dup11, - dup2, - ])); - - var msg121 = msg("pluto:25", part129); - - var part130 = match("MESSAGE#121:pluto:26", "nwparser.payload", "| *received %{rbytes->} bytes from %{saddr}:%{sport->} on %{dinterface}", processor_chain([ - dup12, - dup11, - dup2, - ])); - - var msg122 = msg("pluto:26", part130); - - var part131 = match("MESSAGE#122:pluto:27", "nwparser.payload", "| received %{action->} notification %{msg->} 
with seqno = %{fld2}", processor_chain([ - dup12, - dup11, - dup2, - ])); - - var msg123 = msg("pluto:27", part131); - - var part132 = match("MESSAGE#123:pluto:28", "nwparser.payload", "| sent %{action->} notification %{msg->} with seqno = %{fld2}", processor_chain([ - dup12, - dup11, - dup2, - ])); - - var msg124 = msg("pluto:28", part132); - - var part133 = match("MESSAGE#124:pluto:29", "nwparser.payload", "| inserting event %{event_type}, timeout in %{fld2->} seconds", processor_chain([ - dup12, - dup11, - dup2, - ])); - - var msg125 = msg("pluto:29", part133); - - var part134 = match("MESSAGE#125:pluto:30", "nwparser.payload", "| handling event %{event_type->} for %{saddr->} \"%{fld2}\" #%{fld3}", processor_chain([ - dup12, - dup11, - dup2, - ])); - - var msg126 = msg("pluto:30", part134); - - var part135 = match("MESSAGE#126:pluto:31", "nwparser.payload", "| %{event_description}", processor_chain([ - dup12, - dup11, - dup2, - ])); - - var msg127 = msg("pluto:31", part135); - - var part136 = match("MESSAGE#127:pluto:32", "nwparser.payload", "%{fld2}: asynchronous network error report on %{interface->} for message to %{daddr->} port %{dport}, complainant %{saddr}: Connection refused [errno %{fld4}, origin ICMP type %{icmptype->} code %{icmpcode->} (not authenticated)]", processor_chain([ - dup12, - setc("event_description","not authenticated"), - dup11, - dup2, - ])); - - var msg128 = msg("pluto:32", part136); - - var part137 = match("MESSAGE#128:pluto:33", "nwparser.payload", "\"%{fld2}\"[%{fld4}] %{saddr->} #%{fld3}: initiating Main Mode", processor_chain([ - dup12, - dup35, - dup11, - dup2, - ])); - - var msg129 = msg("pluto:33", part137); - - var part138 = match("MESSAGE#129:pluto:34", "nwparser.payload", "\"%{fld2}\"[%{fld4}] %{saddr->} #%{fld3}: max number of retransmissions (%{fld5}) reached STATE_MAIN_I1. 
No response (or no acceptable response) to our first IKE message", processor_chain([ - dup12, - dup36, - dup11, - dup2, - ])); - - var msg130 = msg("pluto:34", part138); - - var part139 = match("MESSAGE#130:pluto:35", "nwparser.payload", "\"%{fld2}\"[%{fld4}] %{saddr->} #%{fld3}: starting keying attempt %{fld5->} of an unlimited number", processor_chain([ - dup12, - dup37, - dup11, - dup2, - ])); - - var msg131 = msg("pluto:35", part139); - - var select11 = linear_select([ - msg97, - msg98, - msg99, - msg100, - msg101, - msg102, - msg103, - msg104, - msg105, - msg106, - msg107, - msg108, - msg109, - msg110, - msg111, - msg112, - msg113, - msg114, - msg115, - msg116, - msg117, - msg118, - msg119, - msg120, - msg121, - msg122, - msg123, - msg124, - msg125, - msg126, - msg127, - msg128, - msg129, - msg130, - msg131, - ]); - - var part140 = match("MESSAGE#131:xl2tpd", "nwparser.payload", "This binary does not support kernel L2TP.%{}", processor_chain([ - setc("eventcategory","1607000000"), - setc("event_description","xl2tpd:This binary does not support kernel L2TP."), - dup11, - dup2, - ])); - - var msg132 = msg("xl2tpd", part140); - - var part141 = match("MESSAGE#132:xl2tpd:01", "nwparser.payload", "xl2tpd version %{version->} started on PID:%{fld2}", processor_chain([ - dup12, - setc("event_description","xl2tpd:xl2tpd started."), - dup11, - dup2, - ])); - - var msg133 = msg("xl2tpd:01", part141); - - var part142 = match("MESSAGE#133:xl2tpd:02", "nwparser.payload", "Written by %{info}", processor_chain([ - dup12, - dup38, - dup11, - dup2, - ])); - - var msg134 = msg("xl2tpd:02", part142); - - var part143 = match("MESSAGE#134:xl2tpd:03", "nwparser.payload", "Forked by %{info}", processor_chain([ - dup12, - dup38, - dup11, - dup2, - ])); - - var msg135 = msg("xl2tpd:03", part143); - - var part144 = match("MESSAGE#135:xl2tpd:04", "nwparser.payload", "Inherited by %{info}", processor_chain([ - dup12, - dup38, - dup11, - dup2, - ])); - - var msg136 = msg("xl2tpd:04", 
part144); - - var part145 = match("MESSAGE#136:xl2tpd:05", "nwparser.payload", "Listening on IP address %{saddr}, port %{sport}", processor_chain([ - dup12, - dup38, - dup11, - dup2, - ])); - - var msg137 = msg("xl2tpd:05", part145); - - var select12 = linear_select([ - msg132, - msg133, - msg134, - msg135, - msg136, - msg137, - ]); - - var part146 = match("MESSAGE#137:barnyard:01", "nwparser.payload", "Exiting%{}", processor_chain([ - dup12, - setc("event_description","barnyard: Exiting"), - dup11, - dup2, - ])); - - var msg138 = msg("barnyard:01", part146); - - var part147 = match("MESSAGE#138:barnyard:02", "nwparser.payload", "Initializing daemon mode%{}", processor_chain([ - dup12, - setc("event_description","barnyard:Initializing daemon mode"), - dup11, - dup2, - ])); - - var msg139 = msg("barnyard:02", part147); - - var part148 = match("MESSAGE#139:barnyard:03", "nwparser.payload", "Opened spool file '%(unknown)'", processor_chain([ - dup12, - setc("event_description","barnyard:Opened spool file."), - dup11, - dup2, - ])); - - var msg140 = msg("barnyard:03", part148); - - var part149 = match("MESSAGE#140:barnyard:04", "nwparser.payload", "Waiting for new data%{}", processor_chain([ - dup12, - setc("event_description","barnyard:Waiting for new data"), - dup11, - dup2, - ])); - - var msg141 = msg("barnyard:04", part149); - - var select13 = linear_select([ - msg138, - msg139, - msg140, - msg141, - ]); - - var part150 = match("MESSAGE#141:exim:01", "nwparser.payload", "%{fld2}-%{fld3}-%{fld4->} %{fld5}:%{fld6}:%{fld7->} SMTP connection from localhost (%{hostname}) [%{saddr}]:%{sport->} closed by QUIT", processor_chain([ - dup12, - setc("event_description","exim:SMTP connection from localhost closed by QUIT"), - dup11, - dup2, - ])); - - var msg142 = msg("exim:01", part150); - - var part151 = match("MESSAGE#142:exim:02", "nwparser.payload", "%{fld2}-%{fld3}-%{fld4->} %{fld5}:%{fld6}:%{fld7->} [%{saddr}] F=\u003c\u003c%{from}> R=\u003c\u003c%{to}> Accepted: 
%{info}", processor_chain([ - setc("eventcategory","1207010000"), - setc("event_description","exim:e-mail accepted from relay."), - dup11, - dup2, - ])); - - var msg143 = msg("exim:02", part151); - - var part152 = match("MESSAGE#143:exim:03", "nwparser.payload", "%{fld2}-%{fld3}-%{fld4->} %{fld5}:%{fld6}:%{fld7->} %{fld8->} \u003c\u003c= %{from->} H=localhost (%{hostname}) [%{saddr}]:%{sport->} P=%{protocol->} S=%{fld9->} id=%{info}", processor_chain([ - setc("eventcategory","1207000000"), - setc("event_description","exim: e-mail sent."), - dup11, - dup2, - ])); - - var msg144 = msg("exim:03", part152); - - var part153 = match("MESSAGE#144:exim:04", "nwparser.payload", "%{fld2}-%{fld3}-%{fld4->} %{fld5}:%{fld6}:%{fld7->} %{fld8->} == %{from->} R=dnslookup defer (%{fld9}): host lookup did not complete", processor_chain([ - dup39, - setc("event_description","exim: e-mail host lookup did not complete in DNS."), - dup11, - dup2, - ])); - - var msg145 = msg("exim:04", part153); - - var part154 = match("MESSAGE#145:exim:05", "nwparser.payload", "%{fld2}-%{fld3}-%{fld4->} %{fld5}:%{fld6}:%{fld7->} %{fld8->} == %{from->} routing defer (%{fld9}): retry time not reached", processor_chain([ - dup39, - setc("event_description","exim: e-mail routing defer:retry time not reached."), - dup11, - dup2, - ])); - - var msg146 = msg("exim:05", part154); - - var part155 = match("MESSAGE#146:exim:06", "nwparser.payload", "%{fld2}-%{fld3}-%{fld4->} %{fld5}:%{fld6}:%{fld7->} exim %{version->} daemon started: pid=%{fld8}, no queue runs, listening for SMTP on port %{sport->} (%{info}) port %{fld9->} (%{fld10}) and for SMTPS on port %{fld11->} (%{fld12})", processor_chain([ - dup12, - setc("event_description","exim: exim daemon started."), - dup11, - dup2, - ])); - - var msg147 = msg("exim:06", part155); - - var part156 = match("MESSAGE#147:exim:07", "nwparser.payload", "%{fld2}-%{fld3}-%{fld4->} %{fld5}:%{fld6}:%{fld7->} Start queue run: pid=%{fld8}", processor_chain([ - dup12, - 
setc("event_description","exim: Start queue run."), - dup11, - dup2, - ])); - - var msg148 = msg("exim:07", part156); - - var part157 = match("MESSAGE#148:exim:08", "nwparser.payload", "%{fld2}-%{fld3}-%{fld4->} %{fld5}:%{fld6}:%{fld7->} pid %{fld8}: SIGHUP received: re-exec daemon", processor_chain([ - dup12, - setc("event_description","exim: SIGHUP received: re-exec daemon."), - dup11, - dup2, - ])); - - var msg149 = msg("exim:08", part157); - - var part158 = match("MESSAGE#149:exim:09", "nwparser.payload", "%{fld2}-%{fld3}-%{fld4->} %{fld5}:%{fld6}:%{fld7->} SMTP connection from [%{saddr}]:%{sport->} %{info}", processor_chain([ - dup12, - setc("event_description","exim: SMTP connection from host."), - dup11, - dup2, - ])); - - var msg150 = msg("exim:09", part158); - - var part159 = match("MESSAGE#150:exim:10", "nwparser.payload", "%{fld2}-%{fld3}-%{fld4->} %{fld5}:%{fld6}:%{fld7->} rejected EHLO from [%{saddr}]:%{sport->} %{info}", processor_chain([ - dup12, - setc("event_description","exim:rejected EHLO from host."), - dup11, - dup2, - ])); - - var msg151 = msg("exim:10", part159); - - var part160 = match("MESSAGE#151:exim:11", "nwparser.payload", "%{fld2}-%{fld3}-%{fld4->} %{fld5}:%{fld6}:%{fld7->} SMTP protocol synchronization error (%{result}): %{fld8->} H=[%{saddr}]:%{sport->} %{info}", processor_chain([ - dup12, - setc("event_description","exim:SMTP protocol synchronization error rejected connection from host."), - dup11, - dup2, - ])); - - var msg152 = msg("exim:11", part160); - - var part161 = match("MESSAGE#152:exim:12", "nwparser.payload", "%{fld2}-%{fld3}-%{fld4->} %{fld5}:%{fld6}:%{fld7->} TLS error on connection from [%{saddr}]:%{sport->} %{info}", processor_chain([ - dup12, - setc("event_description","exim:TLS error on connection from host."), - dup11, - dup2, - ])); - - var msg153 = msg("exim:12", part161); - - var part162 = match("MESSAGE#153:exim:13", "nwparser.payload", "%{fld2}-%{fld3}-%{fld4->} %{fld5}:%{fld6}:%{fld7->} %{fld10->} == 
%{hostname->} R=%{fld8->} T=%{fld9}: %{info}", processor_chain([ - dup12, - dup40, - dup11, - dup2, - ])); - - var msg154 = msg("exim:13", part162); - - var part163 = match("MESSAGE#154:exim:14", "nwparser.payload", "%{fld2}-%{fld3}-%{fld4->} %{fld5}:%{fld6}:%{fld7->} %{fld10->} %{hostname->} [%{saddr}]:%{sport->} %{info}", processor_chain([ - dup12, - dup40, - dup11, - dup2, - ])); - - var msg155 = msg("exim:14", part163); - - var part164 = match("MESSAGE#155:exim:15", "nwparser.payload", "%{fld2}-%{fld3}-%{fld4->} %{fld5}:%{fld6}:%{fld7->} End queue run: %{info}", processor_chain([ - dup12, - dup40, - dup11, - dup2, - ])); - - var msg156 = msg("exim:15", part164); - - var part165 = match("MESSAGE#156:exim:16", "nwparser.payload", "%{fld2->} %{fld3}", processor_chain([ - dup12, - dup11, - dup2, - ])); - - var msg157 = msg("exim:16", part165); - - var select14 = linear_select([ - msg142, - msg143, - msg144, - msg145, - msg146, - msg147, - msg148, - msg149, - msg150, - msg151, - msg152, - msg153, - msg154, - msg155, - msg156, - msg157, - ]); - - var part166 = match("MESSAGE#157:smtpd:01", "nwparser.payload", "QMGR[%{fld2}]: %{fld3->} moved to work queue", processor_chain([ - dup12, - setc("event_description","smtpd: Process moved to work queue."), - dup11, - dup2, - ])); - - var msg158 = msg("smtpd:01", part166); - - var part167 = match("MESSAGE#158:smtpd:02", "nwparser.payload", "SCANNER[%{fld3}]: id=\"1000\" severity=\"%{severity}\" sys=\"%{fld4}\" sub=\"%{service}\" name=\"%{event_description}\" srcip=\"%{saddr}\" from=\"%{from}\" to=\"%{to}\" subject=\"%{subject}\" queueid=\"%{fld5}\" size=\"%{rbytes}\"", processor_chain([ - setc("eventcategory","1207010100"), - dup11, - dup2, - ])); - - var msg159 = msg("smtpd:02", part167); - - var part168 = match("MESSAGE#159:smtpd:03", "nwparser.payload", "SCANNER[%{fld3}]: Nothing to do, exiting.", processor_chain([ - dup12, - setc("event_description","smtpd: SCANNER: Nothing to do,exiting."), - dup11, - dup2, - ])); - - 
var msg160 = msg("smtpd:03", part168); - - var part169 = match("MESSAGE#160:smtpd:04", "nwparser.payload", "MASTER[%{fld3}]: QR globally disabled, status two set to 'disabled'", processor_chain([ - dup12, - setc("event_description","smtpd: MASTER:QR globally disabled, status two set to disabled."), - dup11, - dup2, - ])); - - var msg161 = msg("smtpd:04", part169); - - var part170 = match("MESSAGE#161:smtpd:07", "nwparser.payload", "MASTER[%{fld3}]: QR globally disabled, status one set to 'disabled'", processor_chain([ - dup12, - setc("event_description","smtpd: MASTER:QR globally disabled, status one set to disabled."), - dup11, - dup2, - ])); - - var msg162 = msg("smtpd:07", part170); - - var part171 = match("MESSAGE#162:smtpd:05", "nwparser.payload", "MASTER[%{fld3}]: (Re-)loading configuration from Confd", processor_chain([ - dup12, - setc("event_description","smtpd: MASTER:(Re-)loading configuration from Confd."), - dup11, - dup2, - ])); - - var msg163 = msg("smtpd:05", part171); - - var part172 = match("MESSAGE#163:smtpd:06", "nwparser.payload", "MASTER[%{fld3}]: Sending QR one", processor_chain([ - dup12, - setc("event_description","smtpd: MASTER:Sending QR one."), - dup11, - dup2, - ])); - - var msg164 = msg("smtpd:06", part172); - - var select15 = linear_select([ - msg158, - msg159, - msg160, - msg161, - msg162, - msg163, - msg164, - ]); - - var part173 = match("MESSAGE#164:sshd:01", "nwparser.payload", "Did not receive identification string from %{fld18}", processor_chain([ - dup10, - setc("event_description","sshd: Did not receive identification string."), - dup11, - dup2, - ])); - - var msg165 = msg("sshd:01", part173); - - var part174 = match("MESSAGE#165:sshd:02", "nwparser.payload", "Received SIGHUP; restarting.%{}", processor_chain([ - dup12, - setc("event_description","sshd:Received SIGHUP restarting."), - dup11, - dup2, - ])); - - var msg166 = msg("sshd:02", part174); - - var part175 = match("MESSAGE#166:sshd:03", "nwparser.payload", "Server 
listening on %{saddr->} port %{sport}.", processor_chain([ - dup12, - setc("event_description","sshd:Server listening; restarting."), - dup11, - dup2, - ])); - - var msg167 = msg("sshd:03", part175); - - var part176 = match("MESSAGE#167:sshd:04", "nwparser.payload", "Invalid user admin from %{fld18}", processor_chain([ - dup41, - setc("event_description","sshd:Invalid user admin."), - dup11, - dup2, - ])); - - var msg168 = msg("sshd:04", part176); - - var part177 = match("MESSAGE#168:sshd:05", "nwparser.payload", "Failed none for invalid user admin from %{saddr->} port %{sport->} %{fld3}", processor_chain([ - dup41, - setc("event_description","sshd:Failed none for invalid user admin."), - dup11, - dup2, - ])); - - var msg169 = msg("sshd:05", part177); - - var part178 = match("MESSAGE#169:sshd:06", "nwparser.payload", "error: Could not get shadow information for NOUSER%{}", processor_chain([ - dup10, - setc("event_description","sshd:error:Could not get shadow information for NOUSER"), - dup11, - dup2, - ])); - - var msg170 = msg("sshd:06", part178); - - var part179 = match("MESSAGE#170:sshd:07", "nwparser.payload", "Failed password for root from %{saddr->} port %{sport->} %{fld3}", processor_chain([ - dup41, - setc("event_description","sshd:Failed password for root."), - dup11, - dup2, - ])); - - var msg171 = msg("sshd:07", part179); - - var part180 = match("MESSAGE#171:sshd:08", "nwparser.payload", "Accepted password for loginuser from %{saddr->} port %{sport->} %{fld3}", processor_chain([ - setc("eventcategory","1302000000"), - setc("event_description","sshd:Accepted password for loginuser."), - dup11, - dup2, - ])); - - var msg172 = msg("sshd:08", part180); - - var part181 = match("MESSAGE#172:sshd:09", "nwparser.payload", "subsystem request for sftp failed, subsystem not found%{}", processor_chain([ - dup10, - setc("event_description","sshd:subsystem request for sftp failed,subsystem not found."), - dup11, - dup2, - ])); - - var msg173 = msg("sshd:09", part181); 
- - var select16 = linear_select([ - msg165, - msg166, - msg167, - msg168, - msg169, - msg170, - msg171, - msg172, - msg173, - ]); - - var part182 = tagval("MESSAGE#173:aua:01", "nwparser.payload", tvm, { - "caller": "fld4", - "engine": "fld5", - "id": "fld1", - "name": "event_description", - "severity": "severity", - "srcip": "saddr", - "sub": "service", - "sys": "fld2", - "user": "username", - }, processor_chain([ - dup13, - dup11, - dup2, - dup45, - dup46, - ])); - - var msg174 = msg("aua:01", part182); - - var part183 = match("MESSAGE#174:sockd:01", "nwparser.payload", "created new negotiatorchild%{}", processor_chain([ - dup12, - setc("event_description","sockd: created new negotiatorchild."), - dup11, - dup2, - ])); - - var msg175 = msg("sockd:01", part183); - - var part184 = match("MESSAGE#175:sockd:02", "nwparser.payload", "dante/server %{version->} running", processor_chain([ - dup12, - setc("event_description","sockd:dante/server running."), - dup11, - dup2, - ])); - - var msg176 = msg("sockd:02", part184); - - var part185 = match("MESSAGE#176:sockd:03", "nwparser.payload", "sockdexit(): terminating on signal %{fld2}", processor_chain([ - dup12, - setc("event_description","sockd:sockdexit():terminating on signal."), - dup11, - dup2, - ])); - - var msg177 = msg("sockd:03", part185); - - var select17 = linear_select([ - msg175, - msg176, - msg177, - ]); - - var part186 = match("MESSAGE#177:pop3proxy", "nwparser.payload", "Master started%{}", processor_chain([ - dup12, - setc("event_description","pop3proxy:Master started."), - dup11, - dup2, - ])); - - var msg178 = msg("pop3proxy", part186); - - var part187 = tagval("MESSAGE#178:astarosg_TVM", "nwparser.payload", tvm, { - "account": "logon_id", - "action": "action", - "ad_domain": "fld5", - "app-id": "fld20", - "application": "fld19", - "attributes": "obj_name", - "auth": "fld15", - "authtime": "fld9", - "avscantime": "fld12", - "cached": "fld7", - "caller": "fld30", - "category": "policy_id", - 
"categoryname": "info", - "cattime": "fld11", - "class": "group_object", - "client": "fld3", - "content-type": "content_type", - "cookie": "web_cookie", - "count": "fld4", - "device": "fld14", - "dnstime": "fld10", - "dstip": "daddr", - "dstmac": "dmacaddr", - "dstport": "dport", - "engine": "fld31", - "error": "comments", - "exceptions": "fld17", - "extension": "web_extension", - "extra": "info", - "facility": "logon_type", - "file": "filename", - "filename": "filename", - "filteraction": "policyname", - "fullreqtime": "fld13", - "function": "action", - "fwrule": "policy_id", - "group": "group", - "host": "dhost", - "id": "rule", - "info": "context", - "initf": "sinterface", - "length": "fld25", - "line": "fld22", - "localip": "fld31", - "message": "context", - "method": "web_method", - "name": "event_description", - "node": "node", - "object": "fld6", - "outitf": "dinterface", - "prec": "fld30", - "profile": "owner", - "proto": "fld24", - "reason": "comments", - "referer": "web_referer", - "reputation": "fld18", - "request": "fld8", - "seq": "fld23", - "server": "daddr", - "set-cookie": "fld32", - "severity": "severity", - "size": "filename_size", - "srcip": "saddr", - "srcmac": "smacaddr", - "srcport": "sport", - "statuscode": "resultcode", - "storage": "directory", - "sub": "service", - "sys": "vsys", - "tcpflags": "fld29", - "time": "fld21", - "tos": "fld26", - "ttl": "fld28", - "type": "obj_type", - "ua": "fld16", - "url": "url", - "user": "username", - "version": "version", - }, processor_chain([ - dup12, - dup11, - dup2, - dup45, - dup46, - ])); - - var msg179 = msg("astarosg_TVM", part187); - - var part188 = tagval("MESSAGE#179:httpd", "nwparser.payload", tvm, { - "account": "logon_id", - "action": "action", - "ad_domain": "fld5", - "app-id": "fld20", - "application": "fld19", - "attributes": "obj_name", - "auth": "fld15", - "authtime": "fld9", - "avscantime": "fld12", - "cached": "fld7", - "caller": "fld30", - "category": "policy_id", - "categoryname": 
"info", - "cattime": "fld11", - "class": "group_object", - "client": "fld3", - "content-type": "content_type", - "cookie": "web_cookie", - "count": "fld4", - "device": "fld14", - "dnstime": "fld10", - "dstip": "daddr", - "dstmac": "dmacaddr", - "dstport": "dport", - "engine": "fld31", - "error": "comments", - "exceptions": "fld17", - "extension": "web_extension", - "extra": "info", - "facility": "logon_type", - "file": "filename", - "filename": "filename", - "filteraction": "policyname", - "fullreqtime": "fld13", - "function": "action", - "fwrule": "policy_id", - "group": "group", - "host": "dhost", - "id": "rule", - "info": "context", - "initf": "sinterface", - "length": "fld25", - "line": "fld22", - "localip": "fld31", - "message": "context", - "method": "web_method", - "name": "event_description", - "node": "node", - "object": "fld6", - "outitf": "dinterface", - "port": "network_port", - "prec": "fld30", - "profile": "owner", - "proto": "fld24", - "query": "web_query", - "reason": "comments", - "referer": "web_referer", - "reputation": "fld18", - "request": "fld8", - "seq": "fld23", - "server": "daddr", - "set-cookie": "fld32", - "severity": "severity", - "size": "filename_size", - "srcip": "saddr", - "srcmac": "smacaddr", - "srcport": "sport", - "statuscode": "resultcode", - "storage": "directory", - "sub": "service", - "sys": "vsys", - "tcpflags": "fld29", - "time": "fld21", - "tos": "fld26", - "ttl": "fld28", - "type": "obj_type", - "ua": "fld16", - "uid": "uid", - "url": "url", - "user": "username", - "version": "version", - }, processor_chain([ - dup12, - dup11, - dup2, - dup45, - dup46, - ])); - - var msg180 = msg("httpd", part188); - - var part189 = match("MESSAGE#180:httpd:01", "nwparser.payload", "[%{event_log}:%{result}] [pid %{fld3}:%{fld4}] [client %{gateway}] ModSecurity: Warning. 
%{rulename->} [file \"%(unknown)\"] [line \"%{fld5}\"] [id \"%{rule}\"] [rev \"%{fld2}\"] [msg \"%{event_description}\"] [severity \"%{severity}\"] [ver \"%{version}\"] [maturity \"%{fld22}\"] [accuracy \"%{fld23}\"] [tag \"%{fld24}\"] [hostname \"%{dhost}\"] [uri \"%{web_root}\"] [unique_id \"%{operation_id}\"]%{fld25}", processor_chain([ - setc("eventcategory","1502000000"), - dup2, - dup3, - ])); - - var msg181 = msg("httpd:01", part189); - - var select18 = linear_select([ - msg180, - msg181, - ]); - - var part190 = tagval("MESSAGE#181:Sophos_Firewall", "nwparser.payload", tvm, { - "activityname": "fld9", - "appfilter_policy_id": "fld10", - "application": "application", - "application_category": "fld23", - "application_risk": "risk_num", - "application_technology": "fld11", - "appresolvedby": "fld22", - "category": "fld4", - "category_type": "fld5", - "connevent": "fld19", - "connid": "connectionid", - "contenttype": "content_type", - "dir_disp": "fld18", - "domain": "fqdn", - "dst_country_code": "location_dst", - "dst_ip": "daddr", - "dst_port": "dport", - "dstzone": "dst_zone", - "dstzonetype": "fld17", - "duration": "duration", - "exceptions": "fld8", - "fw_rule_id": "rule_uid", - "hb_health": "fld21", - "httpresponsecode": "fld7", - "iap": "id1", - "in_interface": "sinterface", - "ips_policy_id": "policy_id", - "log_component": "event_source", - "log_subtype": "category", - "log_type": "event_type", - "message": "info", - "out_interface": "dinterface", - "override_token": "fld6", - "policy_type": "fld23", - "priority": "severity", - "protocol": "protocol", - "reason": "result", - "recv_bytes": "rbytes", - "recv_pkts": "fld15", - "referer": "web_referer", - "sent_bytes": "sbytes", - "sent_pkts": "fld14", - "src_country_code": "location_src", - "src_ip": "saddr", - "src_mac": "smacaddr", - "src_port": "sport", - "srczone": "src_zone", - "srczonetype": "fld16", - "status": "event_state", - "status_code": "resultcode", - "tran_dst_ip": "dtransaddr", - 
"tran_dst_port": "dtransport", - "tran_src_ip": "stransaddr", - "tran_src_port": "stransport", - "transactionid": "id2", - "url": "url", - "user_agent": "user_agent", - "user_gp": "group", - "user_name": "username", - "vconnid": "fld20", - }, processor_chain([ - setc("eventcategory","1204000000"), - dup2, - date_time({ - dest: "event_time", - args: ["hdate","htime"], - fmts: [ - [dW,dc("-"),dG,dc("-"),dF,dH,dc(":"),dU,dc(":"),dS], - ], - }), - ])); - - var msg182 = msg("Sophos_Firewall", part190); - - var chain1 = processor_chain([ - select1, - msgid_select({ - "Sophos_Firewall": msg182, - "URID": msg38, - "afcd": msg94, - "astarosg_TVM": msg179, - "aua": msg174, - "barnyard": select13, - "confd": msg90, - "confd-sync": msg89, - "exim": select14, - "frox": select9, - "httpd": select18, - "httpproxy": select3, - "ipsec_starter": select10, - "named": select2, - "pluto": select11, - "pop3proxy": msg178, - "reverseproxy": select8, - "smtpd": select15, - "sockd": select17, - "sshd": select16, - "ulogd": msg39, - "xl2tpd": select12, - }), - ]); - - var part191 = match_copy("MESSAGE#44:reverseproxy:07/1_0", "nwparser.p0", "p0"); - -- community_id: -- registered_domain: - ignore_missing: true - ignore_failure: true - field: dns.question.name - target_field: dns.question.registered_domain - target_subdomain_field: dns.question.subdomain - target_etld_field: dns.question.top_level_domain -- registered_domain: - ignore_missing: true - ignore_failure: true - field: client.domain - target_field: client.registered_domain - target_subdomain_field: client.subdomain - target_etld_field: client.top_level_domain -- registered_domain: - ignore_missing: true - ignore_failure: true - field: server.domain - target_field: server.registered_domain - target_subdomain_field: server.subdomain - target_etld_field: server.top_level_domain -- registered_domain: - ignore_missing: true - ignore_failure: true - field: destination.domain - target_field: destination.registered_domain - 
target_subdomain_field: destination.subdomain - target_etld_field: destination.top_level_domain -- registered_domain: - ignore_missing: true - ignore_failure: true - field: source.domain - target_field: source.registered_domain - target_subdomain_field: source.subdomain - target_etld_field: source.top_level_domain -- registered_domain: - ignore_missing: true - ignore_failure: true - field: url.domain - target_field: url.registered_domain - target_subdomain_field: url.subdomain - target_etld_field: url.top_level_domain -- add_locale: ~ diff --git a/packages/sophos/2.4.2/data_stream/utm/agent/stream/udp.yml.hbs b/packages/sophos/2.4.2/data_stream/utm/agent/stream/udp.yml.hbs deleted file mode 100755 index cef2ed2295..0000000000 --- a/packages/sophos/2.4.2/data_stream/utm/agent/stream/udp.yml.hbs +++ /dev/null 
@@ -1,5069 +0,0 @@ -udp: -host: "{{udp_host}}:{{udp_port}}" -tags: -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#each tags as |tag i|}} - - {{tag}} -{{/each}} -fields_under_root: true -fields: - observer: - vendor: "Sophos" - product: "UTM" - type: "Firewall" -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} -processors: -{{#if processors}} -{{processors}} -{{/if}} -- script: - lang: javascript - params: - ecs: true - rsa: {{rsa_fields}} - tz_offset: {{tz_offset}} - keep_raw: {{keep_raw_fields}} - debug: {{debug}} - source: | - // Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - // or more contributor license agreements. Licensed under the Elastic License; - // you may not use this file except in compliance with the Elastic License. - - /* jshint -W014,-W016,-W097,-W116 */ - - var processor = require("processor"); - var console = require("console"); - - var FLAG_FIELD = "log.flags"; - var FIELDS_OBJECT = "nwparser"; - var FIELDS_PREFIX = FIELDS_OBJECT + "."; - - var defaults = { - debug: false, - ecs: true, - rsa: false, - keep_raw: false, - tz_offset: "local", - strip_priority: true - }; - - var saved_flags = null; - var debug; - var map_ecs; - var map_rsa; - var keep_raw; - var device; - var tz_offset; - var strip_priority; - - // Register params from configuration. - function register(params) { - debug = params.debug !== undefined ? params.debug : defaults.debug; - map_ecs = params.ecs !== undefined ? params.ecs : defaults.ecs; - map_rsa = params.rsa !== undefined ? params.rsa : defaults.rsa; - keep_raw = params.keep_raw !== undefined ? params.keep_raw : defaults.keep_raw; - tz_offset = parse_tz_offset(params.tz_offset !== undefined? params.tz_offset : defaults.tz_offset); - strip_priority = params.strip_priority !== undefined? 
params.strip_priority : defaults.strip_priority; - device = new DeviceProcessor(); - } - - function parse_tz_offset(offset) { - var date; - var m; - switch(offset) { - // local uses the tz offset from the JS VM. - case "local": - date = new Date(); - // Reversing the sign as we the offset from UTC, not to UTC. - return parse_local_tz_offset(-date.getTimezoneOffset()); - // event uses the tz offset from event.timezone (add_locale processor). - case "event": - return offset; - // Otherwise a tz offset in the form "[+-][0-9]{4}" is required. - default: - m = offset.match(/^([+\-])([0-9]{2}):?([0-9]{2})?$/); - if (m === null || m.length !== 4) { - throw("bad timezone offset: '" + offset + "'. Must have the form +HH:MM"); - } - return m[1] + m[2] + ":" + (m[3]!==undefined? m[3] : "00"); - } - } - - function parse_local_tz_offset(minutes) { - var neg = minutes < 0; - minutes = Math.abs(minutes); - var min = minutes % 60; - var hours = Math.floor(minutes / 60); - var pad2digit = function(n) { - if (n < 10) { return "0" + n;} - return "" + n; - }; - return (neg? "-" : "+") + pad2digit(hours) + ":" + pad2digit(min); - } - - function process(evt) { - // Function register is only called by the processor when `params` are set - // in the processor config. - if (device === undefined) { - register(defaults); - } - return device.process(evt); - } - - function processor_chain(subprocessors) { - var builder = new processor.Chain(); - subprocessors.forEach(builder.Add); - return builder.Build().Run; - } - - function linear_select(subprocessors) { - return function (evt) { - var flags = evt.Get(FLAG_FIELD); - var i; - for (i = 0; i < subprocessors.length; i++) { - evt.Delete(FLAG_FIELD); - if (debug) console.warn("linear_select trying entry " + i); - subprocessors[i](evt); - // Dissect processor succeeded? 
- if (evt.Get(FLAG_FIELD) == null) break; - if (debug) console.warn("linear_select failed entry " + i); - } - if (flags !== null) { - evt.Put(FLAG_FIELD, flags); - } - if (debug) { - if (i < subprocessors.length) { - console.warn("linear_select matched entry " + i); - } else { - console.warn("linear_select didn't match"); - } - } - }; - } - - function conditional(opt) { - return function(evt) { - if (opt.if(evt)) { - opt.then(evt); - } else if (opt.else) { - opt.else(evt); - } - }; - } - - var strip_syslog_priority = (function() { - var isEnabled = function() { return strip_priority === true; }; - var fetchPRI = field("_pri"); - var fetchPayload = field("payload"); - var removePayload = remove(["payload"]); - var cleanup = remove(["_pri", "payload"]); - var onMatch = function(evt) { - var pri, priStr = fetchPRI(evt); - if (priStr != null - && 0 < priStr.length && priStr.length < 4 - && !isNaN((pri = Number(priStr))) - && 0 <= pri && pri < 192) { - var severity = pri & 7, - facility = pri >> 3; - setc("_severity", "" + severity)(evt); - setc("_facility", "" + facility)(evt); - // Replace message with priority stripped. - evt.Put("message", fetchPayload(evt)); - removePayload(evt); - } else { - // not a valid syslog PRI, cleanup. 
- cleanup(evt); - } - }; - return conditional({ - if: isEnabled, - then: cleanup_flags(match( - "STRIP_PRI", - "message", - "<%{_pri}>%{payload}", - onMatch - )) - }); - })(); - - function match(id, src, pattern, on_success) { - var dissect = new processor.Dissect({ - field: src, - tokenizer: pattern, - target_prefix: FIELDS_OBJECT, - ignore_failure: true, - overwrite_keys: true, - trim_values: "right" - }); - return function (evt) { - var msg = evt.Get(src); - dissect.Run(evt); - var failed = evt.Get(FLAG_FIELD) != null; - if (debug) { - if (failed) { - console.debug("dissect fail: " + id + " field:" + src); - } else { - console.debug("dissect OK: " + id + " field:" + src); - } - console.debug(" expr: <<" + pattern + ">>"); - console.debug(" input: <<" + msg + ">>"); - } - if (on_success != null && !failed) { - on_success(evt); - } - }; - } - - function match_copy(id, src, dst, on_success) { - dst = FIELDS_PREFIX + dst; - if (dst === FIELDS_PREFIX || dst === src) { - return function (evt) { - if (debug) { - console.debug("noop OK: " + id + " field:" + src); - console.debug(" input: <<" + evt.Get(src) + ">>"); - } - if (on_success != null) on_success(evt); - } - } - return function (evt) { - var msg = evt.Get(src); - evt.Put(dst, msg); - if (debug) { - console.debug("copy OK: " + id + " field:" + src); - console.debug(" target: '" + dst + "'"); - console.debug(" input: <<" + msg + ">>"); - } - if (on_success != null) on_success(evt); - } - } - - function cleanup_flags(processor) { - return function(evt) { - processor(evt); - evt.Delete(FLAG_FIELD); - }; - } - - function all_match(opts) { - return function (evt) { - var i; - for (i = 0; i < opts.processors.length; i++) { - evt.Delete(FLAG_FIELD); - opts.processors[i](evt); - // Dissect processor succeeded? 
- if (evt.Get(FLAG_FIELD) != null) { - if (debug) console.warn("all_match failure at " + i); - if (opts.on_failure != null) opts.on_failure(evt); - return; - } - if (debug) console.warn("all_match success at " + i); - } - if (opts.on_success != null) opts.on_success(evt); - }; - } - - function msgid_select(mapping) { - return function (evt) { - var msgid = evt.Get(FIELDS_PREFIX + "messageid"); - if (msgid == null) { - if (debug) console.warn("msgid_select: no messageid captured!"); - return; - } - var next = mapping[msgid]; - if (next === undefined) { - if (debug) console.warn("msgid_select: no mapping for messageid:" + msgid); - return; - } - if (debug) console.info("msgid_select: matched key=" + msgid); - return next(evt); - }; - } - - function msg(msg_id, match) { - return function (evt) { - match(evt); - if (evt.Get(FLAG_FIELD) == null) { - evt.Put(FIELDS_PREFIX + "msg_id1", msg_id); - } - }; - } - - var start; - - function save_flags(evt) { - saved_flags = evt.Get(FLAG_FIELD); - evt.Put("event.original", evt.Get("message")); - } - - function restore_flags(evt) { - if (saved_flags !== null) { - evt.Put(FLAG_FIELD, saved_flags); - } - evt.Delete("message"); - } - - function constant(value) { - return function (evt) { - return value; - }; - } - - function field(name) { - var fullname = FIELDS_PREFIX + name; - return function (evt) { - return evt.Get(fullname); - }; - } - - function STRCAT(args) { - var s = ""; - var i; - for (i = 0; i < args.length; i++) { - s += args[i]; - } - return s; - } - - // TODO: Implement - function DIRCHK(args) { - unimplemented("DIRCHK"); - } - - function strictToInt(str) { - return str * 1; - } - - function CALC(args) { - if (args.length !== 3) { - console.warn("skipped call to CALC with " + args.length + " arguments."); - return; - } - var a = strictToInt(args[0]); - var b = strictToInt(args[2]); - if (isNaN(a) || isNaN(b)) { - console.warn("failed evaluating CALC arguments a='" + args[0] + "' b='" + args[2] + "'."); - return; - } - 
var result; - switch (args[1]) { - case "+": - result = a + b; - break; - case "-": - result = a - b; - break; - case "*": - result = a * b; - break; - default: - // Only * and + seen in the parsers. - console.warn("unknown CALC operation '" + args[1] + "'."); - return; - } - // Always return a string - return result !== undefined ? "" + result : result; - } - - var quoteChars = "\"'`"; - function RMQ(args) { - if(args.length !== 1) { - console.warn("RMQ: only one argument expected"); - return; - } - var value = args[0].trim(); - var n = value.length; - var char; - return n > 1 - && (char=value.charAt(0)) === value.charAt(n-1) - && quoteChars.indexOf(char) !== -1? - value.substr(1, n-2) - : value; - } - - function call(opts) { - var args = new Array(opts.args.length); - return function (evt) { - for (var i = 0; i < opts.args.length; i++) - if ((args[i] = opts.args[i](evt)) == null) return; - var result = opts.fn(args); - if (result != null) { - evt.Put(opts.dest, result); - } - }; - } - - function nop(evt) { - } - - function appendErrorMsg(evt, msg) { - var value = evt.Get("error.message"); - if (value == null) { - value = [msg]; - } else if (msg instanceof Array) { - value.push(msg); - } else { - value = [value, msg]; - } - evt.Put("error.message", value); - } - - function unimplemented(name) { - appendErrorMsg("unimplemented feature: " + name); - } - - function lookup(opts) { - return function (evt) { - var key = opts.key(evt); - if (key == null) return; - var value = opts.map.keyvaluepairs[key]; - if (value === undefined) { - value = opts.map.default; - } - if (value !== undefined) { - evt.Put(opts.dest, value(evt)); - } - }; - } - - function set(fields) { - return new processor.AddFields({ - target: FIELDS_OBJECT, - fields: fields, - }); - } - - function setf(dst, src) { - return function (evt) { - var val = evt.Get(FIELDS_PREFIX + src); - if (val != null) evt.Put(FIELDS_PREFIX + dst, val); - }; - } - - function setc(dst, value) { - return function (evt) { - 
evt.Put(FIELDS_PREFIX + dst, value); - }; - } - - function set_field(opts) { - return function (evt) { - var val = opts.value(evt); - if (val != null) evt.Put(opts.dest, val); - }; - } - - function dump(label) { - return function (evt) { - console.log("Dump of event at " + label + ": " + JSON.stringify(evt, null, "\t")); - }; - } - - function date_time_join_args(evt, arglist) { - var str = ""; - for (var i = 0; i < arglist.length; i++) { - var fname = FIELDS_PREFIX + arglist[i]; - var val = evt.Get(fname); - if (val != null) { - if (str !== "") str += " "; - str += val; - } else { - if (debug) console.warn("in date_time: input arg " + fname + " is not set"); - } - } - return str; - } - - function to2Digit(num) { - return num? (num < 10? "0" + num : num) : "00"; - } - - // Make two-digit dates 00-69 interpreted as 2000-2069 - // and dates 70-99 translated to 1970-1999. - var twoDigitYearEpoch = 70; - var twoDigitYearCentury = 2000; - - // This is to accept dates up to 2 days in the future, only used when - // no year is specified in a date. 2 days should be enough to account for - // time differences between systems and different tz offsets. - var maxFutureDelta = 2*24*60*60*1000; - - // DateContainer stores date fields and then converts those fields into - // a Date. Necessary because building a Date using its set() methods gives - // different results depending on the order of components. - function DateContainer(tzOffset) { - this.offset = tzOffset === undefined? "Z" : tzOffset; - } - - DateContainer.prototype = { - setYear: function(v) {this.year = v;}, - setMonth: function(v) {this.month = v;}, - setDay: function(v) {this.day = v;}, - setHours: function(v) {this.hours = v;}, - setMinutes: function(v) {this.minutes = v;}, - setSeconds: function(v) {this.seconds = v;}, - - setUNIX: function(v) {this.unix = v;}, - - set2DigitYear: function(v) { - this.year = v < twoDigitYearEpoch? 
twoDigitYearCentury + v : twoDigitYearCentury + v - 100; - }, - - toDate: function() { - if (this.unix !== undefined) { - return new Date(this.unix * 1000); - } - if (this.day === undefined || this.month === undefined) { - // Can't make a date from this. - return undefined; - } - if (this.year === undefined) { - // A date without a year. Set current year, or previous year - // if date would be in the future. - var now = new Date(); - this.year = now.getFullYear(); - var date = this.toDate(); - if (date.getTime() - now.getTime() > maxFutureDelta) { - date.setFullYear(now.getFullYear() - 1); - } - return date; - } - var MM = to2Digit(this.month); - var DD = to2Digit(this.day); - var hh = to2Digit(this.hours); - var mm = to2Digit(this.minutes); - var ss = to2Digit(this.seconds); - return new Date(this.year + "-" + MM + "-" + DD + "T" + hh + ":" + mm + ":" + ss + this.offset); - } - } - - function date_time_try_pattern(fmt, str, tzOffset) { - var date = new DateContainer(tzOffset); - var pos = date_time_try_pattern_at_pos(fmt, str, 0, date); - return pos !== undefined? 
date.toDate() : undefined; - } - - function date_time_try_pattern_at_pos(fmt, str, pos, date) { - var len = str.length; - for (var proc = 0; pos !== undefined && pos < len && proc < fmt.length; proc++) { - pos = fmt[proc](str, pos, date); - } - return pos; - } - - function date_time(opts) { - return function (evt) { - var tzOffset = opts.tz || tz_offset; - if (tzOffset === "event") { - tzOffset = evt.Get("event.timezone"); - } - var str = date_time_join_args(evt, opts.args); - for (var i = 0; i < opts.fmts.length; i++) { - var date = date_time_try_pattern(opts.fmts[i], str, tzOffset); - if (date !== undefined) { - evt.Put(FIELDS_PREFIX + opts.dest, date); - return; - } - } - if (debug) console.warn("in date_time: id=" + opts.id + " FAILED: " + str); - }; - } - - var uA = 60 * 60 * 24; - var uD = 60 * 60 * 24; - var uF = 60 * 60; - var uG = 60 * 60 * 24 * 30; - var uH = 60 * 60; - var uI = 60 * 60; - var uJ = 60 * 60 * 24; - var uM = 60 * 60 * 24 * 30; - var uN = 60 * 60; - var uO = 1; - var uS = 1; - var uT = 60; - var uU = 60; - var uc = dc; - - function duration(opts) { - return function(evt) { - var str = date_time_join_args(evt, opts.args); - for (var i = 0; i < opts.fmts.length; i++) { - var seconds = duration_try_pattern(opts.fmts[i], str); - if (seconds !== undefined) { - evt.Put(FIELDS_PREFIX + opts.dest, seconds); - return; - } - } - if (debug) console.warn("in duration: id=" + opts.id + " (s) FAILED: " + str); - }; - } - - function duration_try_pattern(fmt, str) { - var secs = 0; - var pos = 0; - for (var i=0; i [ month_id , how many chars to skip if month in long form ] - "Jan": [0, 4], - "Feb": [1, 5], - "Mar": [2, 2], - "Apr": [3, 2], - "May": [4, 0], - "Jun": [5, 1], - "Jul": [6, 1], - "Aug": [7, 3], - "Sep": [8, 6], - "Oct": [9, 4], - "Nov": [10, 5], - "Dec": [11, 4], - "jan": [0, 4], - "feb": [1, 5], - "mar": [2, 2], - "apr": [3, 2], - "may": [4, 0], - "jun": [5, 1], - "jul": [6, 1], - "aug": [7, 3], - "sep": [8, 6], - "oct": [9, 4], - "nov": [10, 
5], - "dec": [11, 4], - }; - - // var dC = undefined; - var dR = dateMonthName(true); - var dB = dateMonthName(false); - var dM = dateFixedWidthNumber("M", 2, 1, 12, DateContainer.prototype.setMonth); - var dG = dateVariableWidthNumber("G", 1, 12, DateContainer.prototype.setMonth); - var dD = dateFixedWidthNumber("D", 2, 1, 31, DateContainer.prototype.setDay); - var dF = dateVariableWidthNumber("F", 1, 31, DateContainer.prototype.setDay); - var dH = dateFixedWidthNumber("H", 2, 0, 24, DateContainer.prototype.setHours); - var dI = dateVariableWidthNumber("I", 0, 24, DateContainer.prototype.setHours); // Accept hours >12 - var dN = dateVariableWidthNumber("N", 0, 24, DateContainer.prototype.setHours); - var dT = dateFixedWidthNumber("T", 2, 0, 59, DateContainer.prototype.setMinutes); - var dU = dateVariableWidthNumber("U", 0, 59, DateContainer.prototype.setMinutes); - var dP = parseAMPM; // AM|PM - var dQ = parseAMPM; // A.M.|P.M - var dS = dateFixedWidthNumber("S", 2, 0, 60, DateContainer.prototype.setSeconds); - var dO = dateVariableWidthNumber("O", 0, 60, DateContainer.prototype.setSeconds); - var dY = dateFixedWidthNumber("Y", 2, 0, 99, DateContainer.prototype.set2DigitYear); - var dW = dateFixedWidthNumber("W", 4, 1000, 9999, DateContainer.prototype.setYear); - var dZ = parseHMS; - var dX = dateVariableWidthNumber("X", 0, 0x10000000000, DateContainer.prototype.setUNIX); - - // parseAMPM parses "A.M", "AM", "P.M", "PM" from logs. - // Only works if this modifier appears after the hour has been read from logs - // which is always the case in the 300 devices. 
- function parseAMPM(str, pos, date) { - var n = str.length; - var start = skipws(str, pos); - if (start + 2 > n) return; - var head = str.substr(start, 2).toUpperCase(); - var isPM = false; - var skip = false; - switch (head) { - case "A.": - skip = true; - /* falls through */ - case "AM": - break; - case "P.": - skip = true; - /* falls through */ - case "PM": - isPM = true; - break; - default: - if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(head:" + head + ")"); - return; - } - pos = start + 2; - if (skip) { - if (pos+2 > n || str.substr(pos, 2).toUpperCase() !== "M.") { - if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(tail)"); - return; - } - pos += 2; - } - var hh = date.hours; - if (isPM) { - // Accept existing hour in 24h format. - if (hh < 12) hh += 12; - } else { - if (hh === 12) hh = 0; - } - date.setHours(hh); - return pos; - } - - function parseHMS(str, pos, date) { - return date_time_try_pattern_at_pos([dN, dc(":"), dU, dc(":"), dO], str, pos, date); - } - - function skipws(str, pos) { - for ( var n = str.length; - pos < n && str.charAt(pos) === " "; - pos++) - ; - return pos; - } - - function skipdigits(str, pos) { - var c; - for (var n = str.length; - pos < n && (c = str.charAt(pos)) >= "0" && c <= "9"; - pos++) - ; - return pos; - } - - function dSkip(str, pos, date) { - var chr; - for (;pos < str.length && (chr=str[pos])<'0' || chr>'9'; pos++) {} - return pos < str.length? 
pos : undefined; - } - - function dateVariableWidthNumber(fmtChar, min, max, setter) { - return function (str, pos, date) { - var start = skipws(str, pos); - pos = skipdigits(str, start); - var s = str.substr(start, pos - start); - var value = parseInt(s, 10); - if (value >= min && value <= max) { - setter.call(date, value); - return pos; - } - return; - }; - } - - function dateFixedWidthNumber(fmtChar, width, min, max, setter) { - return function (str, pos, date) { - pos = skipws(str, pos); - var n = str.length; - if (pos + width > n) return; - var s = str.substr(pos, width); - var value = parseInt(s, 10); - if (value >= min && value <= max) { - setter.call(date, value); - return pos + width; - } - return; - }; - } - - // Short month name (Jan..Dec). - function dateMonthName(long) { - return function (str, pos, date) { - pos = skipws(str, pos); - var n = str.length; - if (pos + 3 > n) return; - var mon = str.substr(pos, 3); - var idx = shortMonths[mon]; - if (idx === undefined) { - idx = shortMonths[mon.toLowerCase()]; - } - if (idx === undefined) { - //console.warn("parsing date_time: '" + mon + "' is not a valid short month (%B)"); - return; - } - date.setMonth(idx[0]+1); - return pos + 3 + (long ? 
idx[1] : 0); - }; - } - - function url_wrapper(dst, src, fn) { - return function(evt) { - var value = evt.Get(FIELDS_PREFIX + src), result; - if (value != null && (result = fn(value))!== undefined) { - evt.Put(FIELDS_PREFIX + dst, result); - } else { - console.debug(fn.name + " failed for '" + value + "'"); - } - }; - } - - // The following regular expression for parsing URLs from: - // https://github.com/wizard04wsu/URI_Parsing - // - // The MIT License (MIT) - // - // Copyright (c) 2014 Andrew Harrison - // - // Permission is hereby granted, free of charge, to any person obtaining a copy of - // this software and associated documentation files (the "Software"), to deal in - // the Software without restriction, including without limitation the rights to - // use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of - // the Software, and to permit persons to whom the Software is furnished to do so, - // subject to the following conditions: - // - // The above copyright notice and this permission notice shall be included in all - // copies or substantial portions of the Software. - // - // THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR - // IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS - // FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR - // COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER - // IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN - // CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 
- var uriRegExp = /^([a-z][a-z0-9+.\-]*):(?:\/\/((?:(?=((?:[a-z0-9\-._~!$&'()*+,;=:]|%[0-9A-F]{2})*))(\3)@)?(?=(\[[0-9A-F:.]{2,}\]|(?:[a-z0-9\-._~!$&'()*+,;=]|%[0-9A-F]{2})*))\5(?::(?=(\d*))\6)?)(\/(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\8)?|(\/?(?!\/)(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\10)?)(?:\?(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\11)?(?:#(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\12)?$/i; - - var uriScheme = 1; - var uriDomain = 5; - var uriPort = 6; - var uriPath = 7; - var uriPathAlt = 9; - var uriQuery = 11; - - function domain(dst, src) { - return url_wrapper(dst, src, extract_domain); - } - - function split_url(value) { - var m = value.match(uriRegExp); - if (m && m[uriDomain]) return m; - // Support input in the form "www.example.net/path", but not "/path". - m = ("null://" + value).match(uriRegExp); - if (m) return m; - } - - function extract_domain(value) { - var m = split_url(value); - if (m && m[uriDomain]) return m[uriDomain]; - } - - var extFromPage = /\.[^.]+$/; - function extract_ext(value) { - var page = extract_page(value); - if (page) { - var m = page.match(extFromPage); - if (m) return m[0]; - } - } - - function ext(dst, src) { - return url_wrapper(dst, src, extract_ext); - } - - function fqdn(dst, src) { - // TODO: fqdn and domain(eTLD+1) are currently the same. - return domain(dst, src); - } - - var pageFromPathRegExp = /\/([^\/]+)$/; - var pageName = 1; - - function extract_page(value) { - value = extract_path(value); - if (!value) return undefined; - var m = value.match(pageFromPathRegExp); - if (m) return m[pageName]; - } - - function page(dst, src) { - return url_wrapper(dst, src, extract_page); - } - - function extract_path(value) { - var m = split_url(value); - return m? m[uriPath] || m[uriPathAlt] : undefined; - } - - function path(dst, src) { - return url_wrapper(dst, src, extract_path); - } - - // Map common schemes to their default port. 
- // port has to be a string (will be converted at a later stage). - var schemePort = { - "ftp": "21", - "ssh": "22", - "http": "80", - "https": "443", - }; - - function extract_port(value) { - var m = split_url(value); - if (!m) return undefined; - if (m[uriPort]) return m[uriPort]; - if (m[uriScheme]) { - return schemePort[m[uriScheme]]; - } - } - - function port(dst, src) { - return url_wrapper(dst, src, extract_port); - } - - function extract_query(value) { - var m = split_url(value); - if (m && m[uriQuery]) return m[uriQuery]; - } - - function query(dst, src) { - return url_wrapper(dst, src, extract_query); - } - - function extract_root(value) { - var m = split_url(value); - if (m && m[uriDomain] && m[uriDomain]) { - var scheme = m[uriScheme] && m[uriScheme] !== "null"? - m[uriScheme] + "://" : ""; - var port = m[uriPort]? ":" + m[uriPort] : ""; - return scheme + m[uriDomain] + port; - } - } - - function root(dst, src) { - return url_wrapper(dst, src, extract_root); - } - - function tagval(id, src, cfg, keys, on_success) { - var fail = function(evt) { - evt.Put(FLAG_FIELD, "tagval_parsing_error"); - } - if (cfg.kv_separator.length !== 1) { - throw("Invalid TAGVALMAP ValueDelimiter (must have 1 character)"); - } - var quotes_len = cfg.open_quote.length > 0 && cfg.close_quote.length > 0? 
- cfg.open_quote.length + cfg.close_quote.length : 0; - var kv_regex = new RegExp('^([^' + cfg.kv_separator + ']*)*' + cfg.kv_separator + ' *(.*)*$'); - return function(evt) { - var msg = evt.Get(src); - if (msg === undefined) { - console.warn("tagval: input field is missing"); - return fail(evt); - } - var pairs = msg.split(cfg.pair_separator); - var i; - var success = false; - var prev = ""; - for (i=0; i 0 && - value.length >= cfg.open_quote.length + cfg.close_quote.length && - value.substr(0, cfg.open_quote.length) === cfg.open_quote && - value.substr(value.length - cfg.close_quote.length) === cfg.close_quote) { - value = value.substr(cfg.open_quote.length, value.length - quotes_len); - } - evt.Put(FIELDS_PREFIX + field, value); - success = true; - } - if (!success) { - return fail(evt); - } - if (on_success != null) { - on_success(evt); - } - } - } - - var ecs_mappings = { - "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]}, - "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]}, - "_severity": {convert: to_long, to:[{field: "log.syslog.severity.code", setter: fld_set}]}, - "action": {to:[{field: "event.action", setter: fld_prio, prio: 0}]}, - "administrator": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 4}]}, - "alias.ip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 3},{field: "related.ip", setter: fld_append}]}, - "alias.ipv6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 4},{field: "related.ip", setter: fld_append}]}, - "alias.mac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 1}]}, - "application": {to:[{field: "network.application", setter: fld_set}]}, - "bytes": {convert: to_long, to:[{field: "network.bytes", setter: fld_set}]}, - "c_domain": {to:[{field: "source.domain", setter: fld_prio, prio: 1}]}, - "c_logon_id": {to:[{field: "user.id", setter: fld_prio, prio: 2}]}, - 
"c_user_name": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 8}]}, - "c_username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 2}]}, - "cctld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 1}]}, - "child_pid": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 1}]}, - "child_pid_val": {to:[{field: "process.title", setter: fld_set}]}, - "child_process": {to:[{field: "process.name", setter: fld_prio, prio: 1}]}, - "city.dst": {to:[{field: "destination.geo.city_name", setter: fld_set}]}, - "city.src": {to:[{field: "source.geo.city_name", setter: fld_set}]}, - "daddr": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, - "daddr_v6": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, - "ddomain": {to:[{field: "destination.domain", setter: fld_prio, prio: 0}]}, - "devicehostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, - "devicehostmac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 0}]}, - "dhost": {to:[{field: "destination.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]}, - "dinterface": {to:[{field: "observer.egress.interface.name", setter: fld_set}]}, - "direction": {to:[{field: "network.direction", setter: fld_set}]}, - "directory": {to:[{field: "file.directory", setter: fld_set}]}, - "dmacaddr": {convert: to_mac, to:[{field: "destination.mac", setter: fld_set}]}, - "dns.responsetype": {to:[{field: "dns.answers.type", setter: fld_set}]}, - "dns.resptext": {to:[{field: "dns.answers.name", setter: fld_set}]}, - "dns_querytype": {to:[{field: "dns.question.type", setter: fld_set}]}, - "domain": {to:[{field: "server.domain", setter: fld_prio, prio: 0},{field: "related.hosts", setter: fld_append}]}, - 
"domain.dst": {to:[{field: "destination.domain", setter: fld_prio, prio: 1}]}, - "domain.src": {to:[{field: "source.domain", setter: fld_prio, prio: 2}]}, - "domain_id": {to:[{field: "user.domain", setter: fld_set}]}, - "domainname": {to:[{field: "server.domain", setter: fld_prio, prio: 1}]}, - "dport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 0}]}, - "dtransaddr": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, - "dtransport": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 0}]}, - "ec_outcome": {to:[{field: "event.outcome", setter: fld_ecs_outcome}]}, - "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]}, - "event_source": {to:[{field: "related.hosts", setter: fld_append}]}, - "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]}, - "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]}, - "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]}, - "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]}, - "filename": {to:[{field: "file.name", setter: fld_prio, prio: 0}]}, - "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]}, - "filepath": {to:[{field: "file.path", setter: fld_set}]}, - "filetype": {to:[{field: "file.type", setter: fld_set}]}, - "fqdn": {to:[{field: "related.hosts", setter: fld_append}]}, - "group": {to:[{field: "group.name", setter: fld_set}]}, - "groupid": {to:[{field: "group.id", setter: fld_set}]}, - "host": {to:[{field: "host.name", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]}, - "hostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, - "hostip_v6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, - "hostname": {to:[{field: 
"host.name", setter: fld_prio, prio: 0}]}, - "id": {to:[{field: "event.code", setter: fld_prio, prio: 0}]}, - "interface": {to:[{field: "network.interface.name", setter: fld_set}]}, - "ip.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, - "ip.trans.dst": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, - "ip.trans.src": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, - "ipv6.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, - "latdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lat", setter: fld_set}]}, - "latdec_src": {convert: to_double, to:[{field: "source.geo.location.lat", setter: fld_set}]}, - "location_city": {to:[{field: "geo.city_name", setter: fld_set}]}, - "location_country": {to:[{field: "geo.country_name", setter: fld_set}]}, - "location_desc": {to:[{field: "geo.name", setter: fld_set}]}, - "location_dst": {to:[{field: "destination.geo.country_name", setter: fld_set}]}, - "location_src": {to:[{field: "source.geo.country_name", setter: fld_set}]}, - "location_state": {to:[{field: "geo.region_name", setter: fld_set}]}, - "logon_id": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 5}]}, - "longdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lon", setter: fld_set}]}, - "longdec_src": {convert: to_double, to:[{field: "source.geo.location.lon", setter: fld_set}]}, - "macaddr": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 2}]}, - "messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]}, - "method": {to:[{field: "http.request.method", setter: fld_set}]}, - "msg": {to:[{field: "message", setter: fld_set}]}, - "orig_ip": {convert: to_ip, 
to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]},
- "owner": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 6}]},
- "packets": {convert: to_long, to:[{field: "network.packets", setter: fld_set}]},
- "parent_pid": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 0}]},
- "parent_pid_val": {to:[{field: "process.parent.title", setter: fld_set}]},
- "parent_process": {to:[{field: "process.parent.name", setter: fld_prio, prio: 0}]},
- "patient_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 1}]},
- "port.dst": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 1}]},
- "port.src": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 1}]},
- "port.trans.dst": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 1}]},
- "port.trans.src": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 1}]},
- "process": {to:[{field: "process.name", setter: fld_prio, prio: 0}]},
- "process_id": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 0}]},
- "process_id_src": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 1}]},
- "process_src": {to:[{field: "process.parent.name", setter: fld_prio, prio: 1}]},
- "product": {to:[{field: "observer.product", setter: fld_set}]},
- "protocol": {to:[{field: "network.protocol", setter: fld_set}]},
- "query": {to:[{field: "url.query", setter: fld_prio, prio: 2}]},
- "rbytes": {convert: to_long, to:[{field: "destination.bytes", setter: fld_set}]},
- "referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 1}]},
- "rulename": {to:[{field: "rule.name", setter: fld_set}]},
- "saddr": {convert: to_ip, to:[{field: "source.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]},
- "saddr_v6": {convert: to_ip, to:[{field: "source.ip", setter: 
fld_set},{field: "related.ip", setter: fld_append}]},
- "sbytes": {convert: to_long, to:[{field: "source.bytes", setter: fld_set}]},
- "sdomain": {to:[{field: "source.domain", setter: fld_prio, prio: 0}]},
- "service": {to:[{field: "service.name", setter: fld_prio, prio: 1}]},
- "service.name": {to:[{field: "service.name", setter: fld_prio, prio: 0}]},
- "service_account": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 7}]},
- "severity": {to:[{field: "log.level", setter: fld_set}]},
- "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]},
- "sinterface": {to:[{field: "observer.ingress.interface.name", setter: fld_set}]},
- "sld": {to:[{field: "url.registered_domain", setter: fld_set}]},
- "smacaddr": {convert: to_mac, to:[{field: "source.mac", setter: fld_set}]},
- "sport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 0}]},
- "stransaddr": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]},
- "stransport": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 0}]},
- "tcp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 2}]},
- "tcp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 2}]},
- "timezone": {to:[{field: "event.timezone", setter: fld_set}]},
- "tld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 0}]},
- "udp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 3}]},
- "udp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 3}]},
- "uid": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 3}]},
- "url": {to:[{field: "url.original", setter: fld_prio, prio: 1}]},
- "url_raw": {to:[{field: "url.original", setter: fld_prio, prio: 
0}]},
- "urldomain": {to:[{field: "url.domain", setter: fld_prio, prio: 0}]},
- "urlquery": {to:[{field: "url.query", setter: fld_prio, prio: 0}]},
- "user": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 0}]},
- "user.id": {to:[{field: "user.id", setter: fld_prio, prio: 1}]},
- "user_agent": {to:[{field: "user_agent.original", setter: fld_set}]},
- "user_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 0}]},
- "user_id": {to:[{field: "user.id", setter: fld_prio, prio: 0}]},
- "username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 1}]},
- "version": {to:[{field: "observer.version", setter: fld_set}]},
- "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]},
- "web_extension": {to:[{field: "file.extension", setter: fld_prio, prio: 0}]},
- "web_query": {to:[{field: "url.query", setter: fld_prio, prio: 1}]},
- "web_ref_domain": {to:[{field: "related.hosts", setter: fld_append}]},
- "web_referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 0}]},
- "web_root": {to:[{field: "url.path", setter: fld_set}]},
- "webpage": {to:[{field: "file.name", setter: fld_prio, prio: 1}]},
- };
-
- var rsa_mappings = {
- "access_point": {to:[{field: "rsa.wireless.access_point", setter: fld_set}]},
- "accesses": {to:[{field: "rsa.identity.accesses", setter: fld_set}]},
- "acl_id": {to:[{field: "rsa.misc.acl_id", setter: fld_set}]},
- "acl_op": {to:[{field: "rsa.misc.acl_op", setter: fld_set}]},
- "acl_pos": {to:[{field: "rsa.misc.acl_pos", setter: fld_set}]},
- "acl_table": {to:[{field: "rsa.misc.acl_table", setter: fld_set}]},
- "action": {to:[{field: "rsa.misc.action", setter: fld_append}]},
- "ad_computer_dst": {to:[{field: "rsa.network.ad_computer_dst", setter: fld_set}]},
- "addr": {to:[{field: "rsa.network.addr", setter: fld_set}]},
- "admin": {to:[{field: "rsa.misc.admin", setter: 
fld_set}]},
- "agent": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 0}]},
- "agent.id": {to:[{field: "rsa.misc.agent_id", setter: fld_set}]},
- "alarm_id": {to:[{field: "rsa.misc.alarm_id", setter: fld_set}]},
- "alarmname": {to:[{field: "rsa.misc.alarmname", setter: fld_set}]},
- "alert": {to:[{field: "rsa.threat.alert", setter: fld_set}]},
- "alert_id": {to:[{field: "rsa.misc.alert_id", setter: fld_set}]},
- "alias.host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
- "analysis.file": {to:[{field: "rsa.investigations.analysis_file", setter: fld_set}]},
- "analysis.service": {to:[{field: "rsa.investigations.analysis_service", setter: fld_set}]},
- "analysis.session": {to:[{field: "rsa.investigations.analysis_session", setter: fld_set}]},
- "app_id": {to:[{field: "rsa.misc.app_id", setter: fld_set}]},
- "attachment": {to:[{field: "rsa.file.attachment", setter: fld_set}]},
- "audit": {to:[{field: "rsa.misc.audit", setter: fld_set}]},
- "audit_class": {to:[{field: "rsa.internal.audit_class", setter: fld_set}]},
- "audit_object": {to:[{field: "rsa.misc.audit_object", setter: fld_set}]},
- "auditdata": {to:[{field: "rsa.misc.auditdata", setter: fld_set}]},
- "authmethod": {to:[{field: "rsa.identity.auth_method", setter: fld_set}]},
- "autorun_type": {to:[{field: "rsa.misc.autorun_type", setter: fld_set}]},
- "bcc": {to:[{field: "rsa.email.email", setter: fld_append}]},
- "benchmark": {to:[{field: "rsa.misc.benchmark", setter: fld_set}]},
- "binary": {to:[{field: "rsa.file.binary", setter: fld_set}]},
- "boc": {to:[{field: "rsa.investigations.boc", setter: fld_set}]},
- "bssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 1}]},
- "bypass": {to:[{field: "rsa.misc.bypass", setter: fld_set}]},
- "c_sid": {to:[{field: "rsa.identity.user_sid_src", setter: fld_set}]},
- "cache": {to:[{field: "rsa.misc.cache", setter: fld_set}]},
- "cache_hit": {to:[{field: "rsa.misc.cache_hit", setter: fld_set}]},
- "calling_from": {to:[{field: 
"rsa.misc.phone", setter: fld_prio, prio: 1}]},
- "calling_to": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 0}]},
- "category": {to:[{field: "rsa.misc.category", setter: fld_set}]},
- "cc": {to:[{field: "rsa.email.email", setter: fld_append}]},
- "cc.number": {convert: to_long, to:[{field: "rsa.misc.cc_number", setter: fld_set}]},
- "cefversion": {to:[{field: "rsa.misc.cefversion", setter: fld_set}]},
- "cert.serial": {to:[{field: "rsa.crypto.cert_serial", setter: fld_set}]},
- "cert_ca": {to:[{field: "rsa.crypto.cert_ca", setter: fld_set}]},
- "cert_checksum": {to:[{field: "rsa.crypto.cert_checksum", setter: fld_set}]},
- "cert_common": {to:[{field: "rsa.crypto.cert_common", setter: fld_set}]},
- "cert_error": {to:[{field: "rsa.crypto.cert_error", setter: fld_set}]},
- "cert_hostname": {to:[{field: "rsa.crypto.cert_host_name", setter: fld_set}]},
- "cert_hostname_cat": {to:[{field: "rsa.crypto.cert_host_cat", setter: fld_set}]},
- "cert_issuer": {to:[{field: "rsa.crypto.cert_issuer", setter: fld_set}]},
- "cert_keysize": {to:[{field: "rsa.crypto.cert_keysize", setter: fld_set}]},
- "cert_status": {to:[{field: "rsa.crypto.cert_status", setter: fld_set}]},
- "cert_subject": {to:[{field: "rsa.crypto.cert_subject", setter: fld_set}]},
- "cert_username": {to:[{field: "rsa.crypto.cert_username", setter: fld_set}]},
- "cfg.attr": {to:[{field: "rsa.misc.cfg_attr", setter: fld_set}]},
- "cfg.obj": {to:[{field: "rsa.misc.cfg_obj", setter: fld_set}]},
- "cfg.path": {to:[{field: "rsa.misc.cfg_path", setter: fld_set}]},
- "change_attribute": {to:[{field: "rsa.misc.change_attrib", setter: fld_set}]},
- "change_new": {to:[{field: "rsa.misc.change_new", setter: fld_set}]},
- "change_old": {to:[{field: "rsa.misc.change_old", setter: fld_set}]},
- "changes": {to:[{field: "rsa.misc.changes", setter: fld_set}]},
- "checksum": {to:[{field: "rsa.misc.checksum", setter: fld_set}]},
- "checksum.dst": {to:[{field: "rsa.misc.checksum_dst", setter: fld_set}]},
- "checksum.src": 
{to:[{field: "rsa.misc.checksum_src", setter: fld_set}]},
- "cid": {to:[{field: "rsa.internal.cid", setter: fld_set}]},
- "client": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 1}]},
- "client_ip": {to:[{field: "rsa.misc.client_ip", setter: fld_set}]},
- "clustermembers": {to:[{field: "rsa.misc.clustermembers", setter: fld_set}]},
- "cmd": {to:[{field: "rsa.misc.cmd", setter: fld_set}]},
- "cn_acttimeout": {to:[{field: "rsa.misc.cn_acttimeout", setter: fld_set}]},
- "cn_asn_dst": {to:[{field: "rsa.web.cn_asn_dst", setter: fld_set}]},
- "cn_asn_src": {to:[{field: "rsa.misc.cn_asn_src", setter: fld_set}]},
- "cn_bgpv4nxthop": {to:[{field: "rsa.misc.cn_bgpv4nxthop", setter: fld_set}]},
- "cn_ctr_dst_code": {to:[{field: "rsa.misc.cn_ctr_dst_code", setter: fld_set}]},
- "cn_dst_tos": {to:[{field: "rsa.misc.cn_dst_tos", setter: fld_set}]},
- "cn_dst_vlan": {to:[{field: "rsa.misc.cn_dst_vlan", setter: fld_set}]},
- "cn_engine_id": {to:[{field: "rsa.misc.cn_engine_id", setter: fld_set}]},
- "cn_engine_type": {to:[{field: "rsa.misc.cn_engine_type", setter: fld_set}]},
- "cn_f_switch": {to:[{field: "rsa.misc.cn_f_switch", setter: fld_set}]},
- "cn_flowsampid": {to:[{field: "rsa.misc.cn_flowsampid", setter: fld_set}]},
- "cn_flowsampintv": {to:[{field: "rsa.misc.cn_flowsampintv", setter: fld_set}]},
- "cn_flowsampmode": {to:[{field: "rsa.misc.cn_flowsampmode", setter: fld_set}]},
- "cn_inacttimeout": {to:[{field: "rsa.misc.cn_inacttimeout", setter: fld_set}]},
- "cn_inpermbyts": {to:[{field: "rsa.misc.cn_inpermbyts", setter: fld_set}]},
- "cn_inpermpckts": {to:[{field: "rsa.misc.cn_inpermpckts", setter: fld_set}]},
- "cn_invalid": {to:[{field: "rsa.misc.cn_invalid", setter: fld_set}]},
- "cn_ip_proto_ver": {to:[{field: "rsa.misc.cn_ip_proto_ver", setter: fld_set}]},
- "cn_ipv4_ident": {to:[{field: "rsa.misc.cn_ipv4_ident", setter: fld_set}]},
- "cn_l_switch": {to:[{field: "rsa.misc.cn_l_switch", setter: fld_set}]},
- "cn_log_did": {to:[{field: 
"rsa.misc.cn_log_did", setter: fld_set}]},
- "cn_log_rid": {to:[{field: "rsa.misc.cn_log_rid", setter: fld_set}]},
- "cn_max_ttl": {to:[{field: "rsa.misc.cn_max_ttl", setter: fld_set}]},
- "cn_maxpcktlen": {to:[{field: "rsa.misc.cn_maxpcktlen", setter: fld_set}]},
- "cn_min_ttl": {to:[{field: "rsa.misc.cn_min_ttl", setter: fld_set}]},
- "cn_minpcktlen": {to:[{field: "rsa.misc.cn_minpcktlen", setter: fld_set}]},
- "cn_mpls_lbl_1": {to:[{field: "rsa.misc.cn_mpls_lbl_1", setter: fld_set}]},
- "cn_mpls_lbl_10": {to:[{field: "rsa.misc.cn_mpls_lbl_10", setter: fld_set}]},
- "cn_mpls_lbl_2": {to:[{field: "rsa.misc.cn_mpls_lbl_2", setter: fld_set}]},
- "cn_mpls_lbl_3": {to:[{field: "rsa.misc.cn_mpls_lbl_3", setter: fld_set}]},
- "cn_mpls_lbl_4": {to:[{field: "rsa.misc.cn_mpls_lbl_4", setter: fld_set}]},
- "cn_mpls_lbl_5": {to:[{field: "rsa.misc.cn_mpls_lbl_5", setter: fld_set}]},
- "cn_mpls_lbl_6": {to:[{field: "rsa.misc.cn_mpls_lbl_6", setter: fld_set}]},
- "cn_mpls_lbl_7": {to:[{field: "rsa.misc.cn_mpls_lbl_7", setter: fld_set}]},
- "cn_mpls_lbl_8": {to:[{field: "rsa.misc.cn_mpls_lbl_8", setter: fld_set}]},
- "cn_mpls_lbl_9": {to:[{field: "rsa.misc.cn_mpls_lbl_9", setter: fld_set}]},
- "cn_mplstoplabel": {to:[{field: "rsa.misc.cn_mplstoplabel", setter: fld_set}]},
- "cn_mplstoplabip": {to:[{field: "rsa.misc.cn_mplstoplabip", setter: fld_set}]},
- "cn_mul_dst_byt": {to:[{field: "rsa.misc.cn_mul_dst_byt", setter: fld_set}]},
- "cn_mul_dst_pks": {to:[{field: "rsa.misc.cn_mul_dst_pks", setter: fld_set}]},
- "cn_muligmptype": {to:[{field: "rsa.misc.cn_muligmptype", setter: fld_set}]},
- "cn_rpackets": {to:[{field: "rsa.web.cn_rpackets", setter: fld_set}]},
- "cn_sampalgo": {to:[{field: "rsa.misc.cn_sampalgo", setter: fld_set}]},
- "cn_sampint": {to:[{field: "rsa.misc.cn_sampint", setter: fld_set}]},
- "cn_seqctr": {to:[{field: "rsa.misc.cn_seqctr", setter: fld_set}]},
- "cn_spackets": {to:[{field: "rsa.misc.cn_spackets", setter: fld_set}]},
- "cn_src_tos": {to:[{field: 
"rsa.misc.cn_src_tos", setter: fld_set}]},
- "cn_src_vlan": {to:[{field: "rsa.misc.cn_src_vlan", setter: fld_set}]},
- "cn_sysuptime": {to:[{field: "rsa.misc.cn_sysuptime", setter: fld_set}]},
- "cn_template_id": {to:[{field: "rsa.misc.cn_template_id", setter: fld_set}]},
- "cn_totbytsexp": {to:[{field: "rsa.misc.cn_totbytsexp", setter: fld_set}]},
- "cn_totflowexp": {to:[{field: "rsa.misc.cn_totflowexp", setter: fld_set}]},
- "cn_totpcktsexp": {to:[{field: "rsa.misc.cn_totpcktsexp", setter: fld_set}]},
- "cn_unixnanosecs": {to:[{field: "rsa.misc.cn_unixnanosecs", setter: fld_set}]},
- "cn_v6flowlabel": {to:[{field: "rsa.misc.cn_v6flowlabel", setter: fld_set}]},
- "cn_v6optheaders": {to:[{field: "rsa.misc.cn_v6optheaders", setter: fld_set}]},
- "code": {to:[{field: "rsa.misc.code", setter: fld_set}]},
- "command": {to:[{field: "rsa.misc.command", setter: fld_set}]},
- "comments": {to:[{field: "rsa.misc.comments", setter: fld_set}]},
- "comp_class": {to:[{field: "rsa.misc.comp_class", setter: fld_set}]},
- "comp_name": {to:[{field: "rsa.misc.comp_name", setter: fld_set}]},
- "comp_rbytes": {to:[{field: "rsa.misc.comp_rbytes", setter: fld_set}]},
- "comp_sbytes": {to:[{field: "rsa.misc.comp_sbytes", setter: fld_set}]},
- "component_version": {to:[{field: "rsa.misc.comp_version", setter: fld_set}]},
- "connection_id": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 1}]},
- "connectionid": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 0}]},
- "content": {to:[{field: "rsa.misc.content", setter: fld_set}]},
- "content_type": {to:[{field: "rsa.misc.content_type", setter: fld_set}]},
- "content_version": {to:[{field: "rsa.misc.content_version", setter: fld_set}]},
- "context": {to:[{field: "rsa.misc.context", setter: fld_set}]},
- "count": {to:[{field: "rsa.misc.count", setter: fld_set}]},
- "cpu": {convert: to_long, to:[{field: "rsa.misc.cpu", setter: fld_set}]},
- "cpu_data": {to:[{field: "rsa.misc.cpu_data", setter: fld_set}]},
- 
"criticality": {to:[{field: "rsa.misc.criticality", setter: fld_set}]},
- "cs_agency_dst": {to:[{field: "rsa.misc.cs_agency_dst", setter: fld_set}]},
- "cs_analyzedby": {to:[{field: "rsa.misc.cs_analyzedby", setter: fld_set}]},
- "cs_av_other": {to:[{field: "rsa.misc.cs_av_other", setter: fld_set}]},
- "cs_av_primary": {to:[{field: "rsa.misc.cs_av_primary", setter: fld_set}]},
- "cs_av_secondary": {to:[{field: "rsa.misc.cs_av_secondary", setter: fld_set}]},
- "cs_bgpv6nxthop": {to:[{field: "rsa.misc.cs_bgpv6nxthop", setter: fld_set}]},
- "cs_bit9status": {to:[{field: "rsa.misc.cs_bit9status", setter: fld_set}]},
- "cs_context": {to:[{field: "rsa.misc.cs_context", setter: fld_set}]},
- "cs_control": {to:[{field: "rsa.misc.cs_control", setter: fld_set}]},
- "cs_data": {to:[{field: "rsa.misc.cs_data", setter: fld_set}]},
- "cs_datecret": {to:[{field: "rsa.misc.cs_datecret", setter: fld_set}]},
- "cs_dst_tld": {to:[{field: "rsa.misc.cs_dst_tld", setter: fld_set}]},
- "cs_eth_dst_ven": {to:[{field: "rsa.misc.cs_eth_dst_ven", setter: fld_set}]},
- "cs_eth_src_ven": {to:[{field: "rsa.misc.cs_eth_src_ven", setter: fld_set}]},
- "cs_event_uuid": {to:[{field: "rsa.misc.cs_event_uuid", setter: fld_set}]},
- "cs_filetype": {to:[{field: "rsa.misc.cs_filetype", setter: fld_set}]},
- "cs_fld": {to:[{field: "rsa.misc.cs_fld", setter: fld_set}]},
- "cs_if_desc": {to:[{field: "rsa.misc.cs_if_desc", setter: fld_set}]},
- "cs_if_name": {to:[{field: "rsa.misc.cs_if_name", setter: fld_set}]},
- "cs_ip_next_hop": {to:[{field: "rsa.misc.cs_ip_next_hop", setter: fld_set}]},
- "cs_ipv4dstpre": {to:[{field: "rsa.misc.cs_ipv4dstpre", setter: fld_set}]},
- "cs_ipv4srcpre": {to:[{field: "rsa.misc.cs_ipv4srcpre", setter: fld_set}]},
- "cs_lifetime": {to:[{field: "rsa.misc.cs_lifetime", setter: fld_set}]},
- "cs_log_medium": {to:[{field: "rsa.misc.cs_log_medium", setter: fld_set}]},
- "cs_loginname": {to:[{field: "rsa.misc.cs_loginname", setter: fld_set}]},
- "cs_modulescore": {to:[{field: 
"rsa.misc.cs_modulescore", setter: fld_set}]},
- "cs_modulesign": {to:[{field: "rsa.misc.cs_modulesign", setter: fld_set}]},
- "cs_opswatresult": {to:[{field: "rsa.misc.cs_opswatresult", setter: fld_set}]},
- "cs_payload": {to:[{field: "rsa.misc.cs_payload", setter: fld_set}]},
- "cs_registrant": {to:[{field: "rsa.misc.cs_registrant", setter: fld_set}]},
- "cs_registrar": {to:[{field: "rsa.misc.cs_registrar", setter: fld_set}]},
- "cs_represult": {to:[{field: "rsa.misc.cs_represult", setter: fld_set}]},
- "cs_rpayload": {to:[{field: "rsa.misc.cs_rpayload", setter: fld_set}]},
- "cs_sampler_name": {to:[{field: "rsa.misc.cs_sampler_name", setter: fld_set}]},
- "cs_sourcemodule": {to:[{field: "rsa.misc.cs_sourcemodule", setter: fld_set}]},
- "cs_streams": {to:[{field: "rsa.misc.cs_streams", setter: fld_set}]},
- "cs_targetmodule": {to:[{field: "rsa.misc.cs_targetmodule", setter: fld_set}]},
- "cs_v6nxthop": {to:[{field: "rsa.misc.cs_v6nxthop", setter: fld_set}]},
- "cs_whois_server": {to:[{field: "rsa.misc.cs_whois_server", setter: fld_set}]},
- "cs_yararesult": {to:[{field: "rsa.misc.cs_yararesult", setter: fld_set}]},
- "cve": {to:[{field: "rsa.misc.cve", setter: fld_set}]},
- "d_certauth": {to:[{field: "rsa.crypto.d_certauth", setter: fld_set}]},
- "d_cipher": {to:[{field: "rsa.crypto.cipher_dst", setter: fld_set}]},
- "d_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_dst", setter: fld_set}]},
- "d_sslver": {to:[{field: "rsa.crypto.ssl_ver_dst", setter: fld_set}]},
- "data": {to:[{field: "rsa.internal.data", setter: fld_set}]},
- "data_type": {to:[{field: "rsa.misc.data_type", setter: fld_set}]},
- "date": {to:[{field: "rsa.time.date", setter: fld_set}]},
- "datetime": {to:[{field: "rsa.time.datetime", setter: fld_set}]},
- "day": {to:[{field: "rsa.time.day", setter: fld_set}]},
- "db_id": {to:[{field: "rsa.db.db_id", setter: fld_set}]},
- "db_name": {to:[{field: "rsa.db.database", setter: fld_set}]},
- "db_pid": {convert: to_long, to:[{field: 
"rsa.db.db_pid", setter: fld_set}]},
- "dclass_counter1": {convert: to_long, to:[{field: "rsa.counters.dclass_c1", setter: fld_set}]},
- "dclass_counter1_string": {to:[{field: "rsa.counters.dclass_c1_str", setter: fld_set}]},
- "dclass_counter2": {convert: to_long, to:[{field: "rsa.counters.dclass_c2", setter: fld_set}]},
- "dclass_counter2_string": {to:[{field: "rsa.counters.dclass_c2_str", setter: fld_set}]},
- "dclass_counter3": {convert: to_long, to:[{field: "rsa.counters.dclass_c3", setter: fld_set}]},
- "dclass_counter3_string": {to:[{field: "rsa.counters.dclass_c3_str", setter: fld_set}]},
- "dclass_ratio1": {to:[{field: "rsa.counters.dclass_r1", setter: fld_set}]},
- "dclass_ratio1_string": {to:[{field: "rsa.counters.dclass_r1_str", setter: fld_set}]},
- "dclass_ratio2": {to:[{field: "rsa.counters.dclass_r2", setter: fld_set}]},
- "dclass_ratio2_string": {to:[{field: "rsa.counters.dclass_r2_str", setter: fld_set}]},
- "dclass_ratio3": {to:[{field: "rsa.counters.dclass_r3", setter: fld_set}]},
- "dclass_ratio3_string": {to:[{field: "rsa.counters.dclass_r3_str", setter: fld_set}]},
- "dead": {convert: to_long, to:[{field: "rsa.internal.dead", setter: fld_set}]},
- "description": {to:[{field: "rsa.misc.description", setter: fld_set}]},
- "detail": {to:[{field: "rsa.misc.event_desc", setter: fld_set}]},
- "device": {to:[{field: "rsa.misc.device_name", setter: fld_set}]},
- "device.class": {to:[{field: "rsa.internal.device_class", setter: fld_set}]},
- "device.group": {to:[{field: "rsa.internal.device_group", setter: fld_set}]},
- "device.host": {to:[{field: "rsa.internal.device_host", setter: fld_set}]},
- "device.ip": {convert: to_ip, to:[{field: "rsa.internal.device_ip", setter: fld_set}]},
- "device.ipv6": {convert: to_ip, to:[{field: "rsa.internal.device_ipv6", setter: fld_set}]},
- "device.type": {to:[{field: "rsa.internal.device_type", setter: fld_set}]},
- "device.type.id": {convert: to_long, to:[{field: "rsa.internal.device_type_id", setter: fld_set}]},
- "devicehostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
- "devvendor": {to:[{field: "rsa.misc.devvendor", setter: fld_set}]},
- "dhost": {to:[{field: "rsa.network.host_dst", setter: fld_set}]},
- "did": {to:[{field: "rsa.internal.did", setter: fld_set}]},
- "dinterface": {to:[{field: "rsa.network.dinterface", setter: fld_set}]},
- "directory.dst": {to:[{field: "rsa.file.directory_dst", setter: fld_set}]},
- "directory.src": {to:[{field: "rsa.file.directory_src", setter: fld_set}]},
- "disk_volume": {to:[{field: "rsa.storage.disk_volume", setter: fld_set}]},
- "disposition": {to:[{field: "rsa.misc.disposition", setter: fld_set}]},
- "distance": {to:[{field: "rsa.misc.distance", setter: fld_set}]},
- "dmask": {to:[{field: "rsa.network.dmask", setter: fld_set}]},
- "dn": {to:[{field: "rsa.identity.dn", setter: fld_set}]},
- "dns_a_record": {to:[{field: "rsa.network.dns_a_record", setter: fld_set}]},
- "dns_cname_record": {to:[{field: "rsa.network.dns_cname_record", setter: fld_set}]},
- "dns_id": {to:[{field: "rsa.network.dns_id", setter: fld_set}]},
- "dns_opcode": {to:[{field: "rsa.network.dns_opcode", setter: fld_set}]},
- "dns_ptr_record": {to:[{field: "rsa.network.dns_ptr_record", setter: fld_set}]},
- "dns_resp": {to:[{field: "rsa.network.dns_resp", setter: fld_set}]},
- "dns_type": {to:[{field: "rsa.network.dns_type", setter: fld_set}]},
- "doc_number": {convert: to_long, to:[{field: "rsa.misc.doc_number", setter: fld_set}]},
- "domain": {to:[{field: "rsa.network.domain", setter: fld_set}]},
- "domain1": {to:[{field: "rsa.network.domain1", setter: fld_set}]},
- "dst_dn": {to:[{field: "rsa.identity.dn_dst", setter: fld_set}]},
- "dst_payload": {to:[{field: "rsa.misc.payload_dst", setter: fld_set}]},
- "dst_spi": {to:[{field: "rsa.misc.spi_dst", setter: fld_set}]},
- "dst_zone": {to:[{field: "rsa.network.zone_dst", setter: fld_set}]},
- "dstburb": {to:[{field: "rsa.misc.dstburb", setter: fld_set}]},
- "duration": {convert: to_double, 
to:[{field: "rsa.time.duration_time", setter: fld_set}]},
- "duration_string": {to:[{field: "rsa.time.duration_str", setter: fld_set}]},
- "ec_activity": {to:[{field: "rsa.investigations.ec_activity", setter: fld_set}]},
- "ec_outcome": {to:[{field: "rsa.investigations.ec_outcome", setter: fld_set}]},
- "ec_subject": {to:[{field: "rsa.investigations.ec_subject", setter: fld_set}]},
- "ec_theme": {to:[{field: "rsa.investigations.ec_theme", setter: fld_set}]},
- "edomain": {to:[{field: "rsa.misc.edomain", setter: fld_set}]},
- "edomaub": {to:[{field: "rsa.misc.edomaub", setter: fld_set}]},
- "effective_time": {convert: to_date, to:[{field: "rsa.time.effective_time", setter: fld_set}]},
- "ein.number": {convert: to_long, to:[{field: "rsa.misc.ein_number", setter: fld_set}]},
- "email": {to:[{field: "rsa.email.email", setter: fld_append}]},
- "encryption_type": {to:[{field: "rsa.crypto.crypto", setter: fld_set}]},
- "endtime": {convert: to_date, to:[{field: "rsa.time.endtime", setter: fld_set}]},
- "entropy.req": {convert: to_long, to:[{field: "rsa.internal.entropy_req", setter: fld_set}]},
- "entropy.res": {convert: to_long, to:[{field: "rsa.internal.entropy_res", setter: fld_set}]},
- "entry": {to:[{field: "rsa.internal.entry", setter: fld_set}]},
- "eoc": {to:[{field: "rsa.investigations.eoc", setter: fld_set}]},
- "error": {to:[{field: "rsa.misc.error", setter: fld_set}]},
- "eth_type": {convert: to_long, to:[{field: "rsa.network.eth_type", setter: fld_set}]},
- "euid": {to:[{field: "rsa.misc.euid", setter: fld_set}]},
- "event.cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 1}]},
- "event.cat.name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 1}]},
- "event_cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 0}]},
- "event_cat_name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 0}]},
- "event_category": {to:[{field: 
"rsa.misc.event_category", setter: fld_set}]},
- "event_computer": {to:[{field: "rsa.misc.event_computer", setter: fld_set}]},
- "event_counter": {convert: to_long, to:[{field: "rsa.counters.event_counter", setter: fld_set}]},
- "event_description": {to:[{field: "rsa.internal.event_desc", setter: fld_set}]},
- "event_id": {to:[{field: "rsa.misc.event_id", setter: fld_set}]},
- "event_log": {to:[{field: "rsa.misc.event_log", setter: fld_set}]},
- "event_name": {to:[{field: "rsa.internal.event_name", setter: fld_set}]},
- "event_queue_time": {convert: to_date, to:[{field: "rsa.time.event_queue_time", setter: fld_set}]},
- "event_source": {to:[{field: "rsa.misc.event_source", setter: fld_set}]},
- "event_state": {to:[{field: "rsa.misc.event_state", setter: fld_set}]},
- "event_time": {convert: to_date, to:[{field: "rsa.time.event_time", setter: fld_set}]},
- "event_time_str": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 1}]},
- "event_time_string": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 0}]},
- "event_type": {to:[{field: "rsa.misc.event_type", setter: fld_set}]},
- "event_user": {to:[{field: "rsa.misc.event_user", setter: fld_set}]},
- "eventtime": {to:[{field: "rsa.time.eventtime", setter: fld_set}]},
- "expected_val": {to:[{field: "rsa.misc.expected_val", setter: fld_set}]},
- "expiration_time": {convert: to_date, to:[{field: "rsa.time.expire_time", setter: fld_set}]},
- "expiration_time_string": {to:[{field: "rsa.time.expire_time_str", setter: fld_set}]},
- "facility": {to:[{field: "rsa.misc.facility", setter: fld_set}]},
- "facilityname": {to:[{field: "rsa.misc.facilityname", setter: fld_set}]},
- "faddr": {to:[{field: "rsa.network.faddr", setter: fld_set}]},
- "fcatnum": {to:[{field: "rsa.misc.fcatnum", setter: fld_set}]},
- "federated_idp": {to:[{field: "rsa.identity.federated_idp", setter: fld_set}]},
- "federated_sp": {to:[{field: "rsa.identity.federated_sp", setter: fld_set}]},
- "feed.category": {to:[{field: 
"rsa.internal.feed_category", setter: fld_set}]},
- "feed_desc": {to:[{field: "rsa.internal.feed_desc", setter: fld_set}]},
- "feed_name": {to:[{field: "rsa.internal.feed_name", setter: fld_set}]},
- "fhost": {to:[{field: "rsa.network.fhost", setter: fld_set}]},
- "file_entropy": {convert: to_double, to:[{field: "rsa.file.file_entropy", setter: fld_set}]},
- "file_vendor": {to:[{field: "rsa.file.file_vendor", setter: fld_set}]},
- "filename_dst": {to:[{field: "rsa.file.filename_dst", setter: fld_set}]},
- "filename_src": {to:[{field: "rsa.file.filename_src", setter: fld_set}]},
- "filename_tmp": {to:[{field: "rsa.file.filename_tmp", setter: fld_set}]},
- "filesystem": {to:[{field: "rsa.file.filesystem", setter: fld_set}]},
- "filter": {to:[{field: "rsa.misc.filter", setter: fld_set}]},
- "finterface": {to:[{field: "rsa.misc.finterface", setter: fld_set}]},
- "flags": {to:[{field: "rsa.misc.flags", setter: fld_set}]},
- "forensic_info": {to:[{field: "rsa.misc.forensic_info", setter: fld_set}]},
- "forward.ip": {convert: to_ip, to:[{field: "rsa.internal.forward_ip", setter: fld_set}]},
- "forward.ipv6": {convert: to_ip, to:[{field: "rsa.internal.forward_ipv6", setter: fld_set}]},
- "found": {to:[{field: "rsa.misc.found", setter: fld_set}]},
- "fport": {to:[{field: "rsa.network.fport", setter: fld_set}]},
- "fqdn": {to:[{field: "rsa.web.fqdn", setter: fld_set}]},
- "fresult": {convert: to_long, to:[{field: "rsa.misc.fresult", setter: fld_set}]},
- "from": {to:[{field: "rsa.email.email_src", setter: fld_set}]},
- "gaddr": {to:[{field: "rsa.misc.gaddr", setter: fld_set}]},
- "gateway": {to:[{field: "rsa.network.gateway", setter: fld_set}]},
- "gmtdate": {to:[{field: "rsa.time.gmtdate", setter: fld_set}]},
- "gmttime": {to:[{field: "rsa.time.gmttime", setter: fld_set}]},
- "group": {to:[{field: "rsa.misc.group", setter: fld_set}]},
- "group_object": {to:[{field: "rsa.misc.group_object", setter: fld_set}]},
- "groupid": {to:[{field: "rsa.misc.group_id", setter: 
fld_set}]},
- "h_code": {to:[{field: "rsa.internal.hcode", setter: fld_set}]},
- "hardware_id": {to:[{field: "rsa.misc.hardware_id", setter: fld_set}]},
- "header.id": {to:[{field: "rsa.internal.header_id", setter: fld_set}]},
- "host.orig": {to:[{field: "rsa.network.host_orig", setter: fld_set}]},
- "host.state": {to:[{field: "rsa.endpoint.host_state", setter: fld_set}]},
- "host.type": {to:[{field: "rsa.network.host_type", setter: fld_set}]},
- "host_role": {to:[{field: "rsa.identity.host_role", setter: fld_set}]},
- "hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
- "hostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
- "hour": {to:[{field: "rsa.time.hour", setter: fld_set}]},
- "https.insact": {to:[{field: "rsa.crypto.https_insact", setter: fld_set}]},
- "https.valid": {to:[{field: "rsa.crypto.https_valid", setter: fld_set}]},
- "icmpcode": {convert: to_long, to:[{field: "rsa.network.icmp_code", setter: fld_set}]},
- "icmptype": {convert: to_long, to:[{field: "rsa.network.icmp_type", setter: fld_set}]},
- "id": {to:[{field: "rsa.misc.reference_id", setter: fld_set}]},
- "id1": {to:[{field: "rsa.misc.reference_id1", setter: fld_set}]},
- "id2": {to:[{field: "rsa.misc.reference_id2", setter: fld_set}]},
- "id3": {to:[{field: "rsa.misc.id3", setter: fld_set}]},
- "ike": {to:[{field: "rsa.crypto.ike", setter: fld_set}]},
- "ike_cookie1": {to:[{field: "rsa.crypto.ike_cookie1", setter: fld_set}]},
- "ike_cookie2": {to:[{field: "rsa.crypto.ike_cookie2", setter: fld_set}]},
- "im_buddyid": {to:[{field: "rsa.misc.im_buddyid", setter: fld_set}]},
- "im_buddyname": {to:[{field: "rsa.misc.im_buddyname", setter: fld_set}]},
- "im_client": {to:[{field: "rsa.misc.im_client", setter: fld_set}]},
- "im_croomid": {to:[{field: "rsa.misc.im_croomid", setter: fld_set}]},
- "im_croomtype": {to:[{field: "rsa.misc.im_croomtype", setter: fld_set}]},
- "im_members": {to:[{field: "rsa.misc.im_members", setter: fld_set}]},
- "im_userid": 
{to:[{field: "rsa.misc.im_userid", setter: fld_set}]},
- "im_username": {to:[{field: "rsa.misc.im_username", setter: fld_set}]},
- "index": {to:[{field: "rsa.misc.index", setter: fld_set}]},
- "info": {to:[{field: "rsa.db.index", setter: fld_set}]},
- "inode": {convert: to_long, to:[{field: "rsa.internal.inode", setter: fld_set}]},
- "inout": {to:[{field: "rsa.misc.inout", setter: fld_set}]},
- "instance": {to:[{field: "rsa.db.instance", setter: fld_set}]},
- "interface": {to:[{field: "rsa.network.interface", setter: fld_set}]},
- "inv.category": {to:[{field: "rsa.investigations.inv_category", setter: fld_set}]},
- "inv.context": {to:[{field: "rsa.investigations.inv_context", setter: fld_set}]},
- "ioc": {to:[{field: "rsa.investigations.ioc", setter: fld_set}]},
- "ip_proto": {convert: to_long, to:[{field: "rsa.network.ip_proto", setter: fld_set}]},
- "ipkt": {to:[{field: "rsa.misc.ipkt", setter: fld_set}]},
- "ipscat": {to:[{field: "rsa.misc.ipscat", setter: fld_set}]},
- "ipspri": {to:[{field: "rsa.misc.ipspri", setter: fld_set}]},
- "jobname": {to:[{field: "rsa.misc.jobname", setter: fld_set}]},
- "jobnum": {to:[{field: "rsa.misc.job_num", setter: fld_set}]},
- "laddr": {to:[{field: "rsa.network.laddr", setter: fld_set}]},
- "language": {to:[{field: "rsa.misc.language", setter: fld_set}]},
- "latitude": {to:[{field: "rsa.misc.latitude", setter: fld_set}]},
- "lc.cid": {to:[{field: "rsa.internal.lc_cid", setter: fld_set}]},
- "lc.ctime": {convert: to_date, to:[{field: "rsa.internal.lc_ctime", setter: fld_set}]},
- "ldap": {to:[{field: "rsa.identity.ldap", setter: fld_set}]},
- "ldap.query": {to:[{field: "rsa.identity.ldap_query", setter: fld_set}]},
- "ldap.response": {to:[{field: "rsa.identity.ldap_response", setter: fld_set}]},
- "level": {convert: to_long, to:[{field: "rsa.internal.level", setter: fld_set}]},
- "lhost": {to:[{field: "rsa.network.lhost", setter: fld_set}]},
- "library": {to:[{field: "rsa.misc.library", setter: fld_set}]},
- "lifetime": 
{convert: to_long, to:[{field: "rsa.misc.lifetime", setter: fld_set}]}, - "linenum": {to:[{field: "rsa.misc.linenum", setter: fld_set}]}, - "link": {to:[{field: "rsa.misc.link", setter: fld_set}]}, - "linterface": {to:[{field: "rsa.network.linterface", setter: fld_set}]}, - "list_name": {to:[{field: "rsa.misc.list_name", setter: fld_set}]}, - "listnum": {to:[{field: "rsa.misc.listnum", setter: fld_set}]}, - "load_data": {to:[{field: "rsa.misc.load_data", setter: fld_set}]}, - "location_floor": {to:[{field: "rsa.misc.location_floor", setter: fld_set}]}, - "location_mark": {to:[{field: "rsa.misc.location_mark", setter: fld_set}]}, - "log_id": {to:[{field: "rsa.misc.log_id", setter: fld_set}]}, - "log_type": {to:[{field: "rsa.misc.log_type", setter: fld_set}]}, - "logid": {to:[{field: "rsa.misc.logid", setter: fld_set}]}, - "logip": {to:[{field: "rsa.misc.logip", setter: fld_set}]}, - "logname": {to:[{field: "rsa.misc.logname", setter: fld_set}]}, - "logon_type": {to:[{field: "rsa.identity.logon_type", setter: fld_set}]}, - "logon_type_desc": {to:[{field: "rsa.identity.logon_type_desc", setter: fld_set}]}, - "longitude": {to:[{field: "rsa.misc.longitude", setter: fld_set}]}, - "lport": {to:[{field: "rsa.misc.lport", setter: fld_set}]}, - "lread": {convert: to_long, to:[{field: "rsa.db.lread", setter: fld_set}]}, - "lun": {to:[{field: "rsa.storage.lun", setter: fld_set}]}, - "lwrite": {convert: to_long, to:[{field: "rsa.db.lwrite", setter: fld_set}]}, - "macaddr": {convert: to_mac, to:[{field: "rsa.network.eth_host", setter: fld_set}]}, - "mail_id": {to:[{field: "rsa.misc.mail_id", setter: fld_set}]}, - "mask": {to:[{field: "rsa.network.mask", setter: fld_set}]}, - "match": {to:[{field: "rsa.misc.match", setter: fld_set}]}, - "mbug_data": {to:[{field: "rsa.misc.mbug_data", setter: fld_set}]}, - "mcb.req": {convert: to_long, to:[{field: "rsa.internal.mcb_req", setter: fld_set}]}, - "mcb.res": {convert: to_long, to:[{field: "rsa.internal.mcb_res", setter: fld_set}]}, - 
"mcbc.req": {convert: to_long, to:[{field: "rsa.internal.mcbc_req", setter: fld_set}]}, - "mcbc.res": {convert: to_long, to:[{field: "rsa.internal.mcbc_res", setter: fld_set}]}, - "medium": {convert: to_long, to:[{field: "rsa.internal.medium", setter: fld_set}]}, - "message": {to:[{field: "rsa.internal.message", setter: fld_set}]}, - "message_body": {to:[{field: "rsa.misc.message_body", setter: fld_set}]}, - "messageid": {to:[{field: "rsa.internal.messageid", setter: fld_set}]}, - "min": {to:[{field: "rsa.time.min", setter: fld_set}]}, - "misc": {to:[{field: "rsa.misc.misc", setter: fld_set}]}, - "misc_name": {to:[{field: "rsa.misc.misc_name", setter: fld_set}]}, - "mode": {to:[{field: "rsa.misc.mode", setter: fld_set}]}, - "month": {to:[{field: "rsa.time.month", setter: fld_set}]}, - "msg": {to:[{field: "rsa.internal.msg", setter: fld_set}]}, - "msgIdPart1": {to:[{field: "rsa.misc.msgIdPart1", setter: fld_set}]}, - "msgIdPart2": {to:[{field: "rsa.misc.msgIdPart2", setter: fld_set}]}, - "msgIdPart3": {to:[{field: "rsa.misc.msgIdPart3", setter: fld_set}]}, - "msgIdPart4": {to:[{field: "rsa.misc.msgIdPart4", setter: fld_set}]}, - "msg_id": {to:[{field: "rsa.internal.msg_id", setter: fld_set}]}, - "msg_type": {to:[{field: "rsa.misc.msg_type", setter: fld_set}]}, - "msgid": {to:[{field: "rsa.misc.msgid", setter: fld_set}]}, - "name": {to:[{field: "rsa.misc.name", setter: fld_set}]}, - "netname": {to:[{field: "rsa.network.netname", setter: fld_set}]}, - "netsessid": {to:[{field: "rsa.misc.netsessid", setter: fld_set}]}, - "network_port": {convert: to_long, to:[{field: "rsa.network.network_port", setter: fld_set}]}, - "network_service": {to:[{field: "rsa.network.network_service", setter: fld_set}]}, - "node": {to:[{field: "rsa.misc.node", setter: fld_set}]}, - "nodename": {to:[{field: "rsa.internal.node_name", setter: fld_set}]}, - "ntype": {to:[{field: "rsa.misc.ntype", setter: fld_set}]}, - "num": {to:[{field: "rsa.misc.num", setter: fld_set}]}, - "number": 
{to:[{field: "rsa.misc.number", setter: fld_set}]}, - "number1": {to:[{field: "rsa.misc.number1", setter: fld_set}]}, - "number2": {to:[{field: "rsa.misc.number2", setter: fld_set}]}, - "nwe.callback_id": {to:[{field: "rsa.internal.nwe_callback_id", setter: fld_set}]}, - "nwwn": {to:[{field: "rsa.misc.nwwn", setter: fld_set}]}, - "obj_id": {to:[{field: "rsa.internal.obj_id", setter: fld_set}]}, - "obj_name": {to:[{field: "rsa.misc.obj_name", setter: fld_set}]}, - "obj_server": {to:[{field: "rsa.internal.obj_server", setter: fld_set}]}, - "obj_type": {to:[{field: "rsa.misc.obj_type", setter: fld_set}]}, - "obj_value": {to:[{field: "rsa.internal.obj_val", setter: fld_set}]}, - "object": {to:[{field: "rsa.misc.object", setter: fld_set}]}, - "observed_val": {to:[{field: "rsa.misc.observed_val", setter: fld_set}]}, - "operation": {to:[{field: "rsa.misc.operation", setter: fld_set}]}, - "operation_id": {to:[{field: "rsa.misc.operation_id", setter: fld_set}]}, - "opkt": {to:[{field: "rsa.misc.opkt", setter: fld_set}]}, - "org.dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 1}]}, - "org.src": {to:[{field: "rsa.physical.org_src", setter: fld_set}]}, - "org_dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 0}]}, - "orig_from": {to:[{field: "rsa.misc.orig_from", setter: fld_set}]}, - "origin": {to:[{field: "rsa.network.origin", setter: fld_set}]}, - "original_owner": {to:[{field: "rsa.identity.owner", setter: fld_set}]}, - "os": {to:[{field: "rsa.misc.OS", setter: fld_set}]}, - "owner_id": {to:[{field: "rsa.misc.owner_id", setter: fld_set}]}, - "p_action": {to:[{field: "rsa.misc.p_action", setter: fld_set}]}, - "p_date": {to:[{field: "rsa.time.p_date", setter: fld_set}]}, - "p_filter": {to:[{field: "rsa.misc.p_filter", setter: fld_set}]}, - "p_group_object": {to:[{field: "rsa.misc.p_group_object", setter: fld_set}]}, - "p_id": {to:[{field: "rsa.misc.p_id", setter: fld_set}]}, - "p_month": {to:[{field: "rsa.time.p_month", setter: fld_set}]}, 
- "p_msgid": {to:[{field: "rsa.misc.p_msgid", setter: fld_set}]}, - "p_msgid1": {to:[{field: "rsa.misc.p_msgid1", setter: fld_set}]}, - "p_msgid2": {to:[{field: "rsa.misc.p_msgid2", setter: fld_set}]}, - "p_result1": {to:[{field: "rsa.misc.p_result1", setter: fld_set}]}, - "p_time": {to:[{field: "rsa.time.p_time", setter: fld_set}]}, - "p_time1": {to:[{field: "rsa.time.p_time1", setter: fld_set}]}, - "p_time2": {to:[{field: "rsa.time.p_time2", setter: fld_set}]}, - "p_url": {to:[{field: "rsa.web.p_url", setter: fld_set}]}, - "p_user_agent": {to:[{field: "rsa.web.p_user_agent", setter: fld_set}]}, - "p_web_cookie": {to:[{field: "rsa.web.p_web_cookie", setter: fld_set}]}, - "p_web_method": {to:[{field: "rsa.web.p_web_method", setter: fld_set}]}, - "p_web_referer": {to:[{field: "rsa.web.p_web_referer", setter: fld_set}]}, - "p_year": {to:[{field: "rsa.time.p_year", setter: fld_set}]}, - "packet_length": {to:[{field: "rsa.network.packet_length", setter: fld_set}]}, - "paddr": {convert: to_ip, to:[{field: "rsa.network.paddr", setter: fld_set}]}, - "param": {to:[{field: "rsa.misc.param", setter: fld_set}]}, - "param.dst": {to:[{field: "rsa.misc.param_dst", setter: fld_set}]}, - "param.src": {to:[{field: "rsa.misc.param_src", setter: fld_set}]}, - "parent_node": {to:[{field: "rsa.misc.parent_node", setter: fld_set}]}, - "parse.error": {to:[{field: "rsa.internal.parse_error", setter: fld_set}]}, - "password": {to:[{field: "rsa.identity.password", setter: fld_set}]}, - "password_chg": {to:[{field: "rsa.misc.password_chg", setter: fld_set}]}, - "password_expire": {to:[{field: "rsa.misc.password_expire", setter: fld_set}]}, - "patient_fname": {to:[{field: "rsa.healthcare.patient_fname", setter: fld_set}]}, - "patient_id": {to:[{field: "rsa.healthcare.patient_id", setter: fld_set}]}, - "patient_lname": {to:[{field: "rsa.healthcare.patient_lname", setter: fld_set}]}, - "patient_mname": {to:[{field: "rsa.healthcare.patient_mname", setter: fld_set}]}, - "payload.req": {convert: 
to_long, to:[{field: "rsa.internal.payload_req", setter: fld_set}]}, - "payload.res": {convert: to_long, to:[{field: "rsa.internal.payload_res", setter: fld_set}]}, - "peer": {to:[{field: "rsa.crypto.peer", setter: fld_set}]}, - "peer_id": {to:[{field: "rsa.crypto.peer_id", setter: fld_set}]}, - "permgranted": {to:[{field: "rsa.misc.permgranted", setter: fld_set}]}, - "permissions": {to:[{field: "rsa.db.permissions", setter: fld_set}]}, - "permwanted": {to:[{field: "rsa.misc.permwanted", setter: fld_set}]}, - "pgid": {to:[{field: "rsa.misc.pgid", setter: fld_set}]}, - "phone_number": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 2}]}, - "phost": {to:[{field: "rsa.network.phost", setter: fld_set}]}, - "pid": {to:[{field: "rsa.misc.pid", setter: fld_set}]}, - "policy": {to:[{field: "rsa.misc.policy", setter: fld_set}]}, - "policyUUID": {to:[{field: "rsa.misc.policyUUID", setter: fld_set}]}, - "policy_id": {to:[{field: "rsa.misc.policy_id", setter: fld_set}]}, - "policy_value": {to:[{field: "rsa.misc.policy_value", setter: fld_set}]}, - "policy_waiver": {to:[{field: "rsa.misc.policy_waiver", setter: fld_set}]}, - "policyname": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 0}]}, - "pool_id": {to:[{field: "rsa.misc.pool_id", setter: fld_set}]}, - "pool_name": {to:[{field: "rsa.misc.pool_name", setter: fld_set}]}, - "port": {convert: to_long, to:[{field: "rsa.network.port", setter: fld_set}]}, - "portname": {to:[{field: "rsa.misc.port_name", setter: fld_set}]}, - "pread": {convert: to_long, to:[{field: "rsa.db.pread", setter: fld_set}]}, - "priority": {to:[{field: "rsa.misc.priority", setter: fld_set}]}, - "privilege": {to:[{field: "rsa.file.privilege", setter: fld_set}]}, - "process.vid.dst": {to:[{field: "rsa.internal.process_vid_dst", setter: fld_set}]}, - "process.vid.src": {to:[{field: "rsa.internal.process_vid_src", setter: fld_set}]}, - "process_id_val": {to:[{field: "rsa.misc.process_id_val", setter: fld_set}]}, - "processing_time": 
{to:[{field: "rsa.time.process_time", setter: fld_set}]}, - "profile": {to:[{field: "rsa.identity.profile", setter: fld_set}]}, - "prog_asp_num": {to:[{field: "rsa.misc.prog_asp_num", setter: fld_set}]}, - "program": {to:[{field: "rsa.misc.program", setter: fld_set}]}, - "protocol_detail": {to:[{field: "rsa.network.protocol_detail", setter: fld_set}]}, - "pwwn": {to:[{field: "rsa.storage.pwwn", setter: fld_set}]}, - "r_hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "real_data": {to:[{field: "rsa.misc.real_data", setter: fld_set}]}, - "realm": {to:[{field: "rsa.identity.realm", setter: fld_set}]}, - "reason": {to:[{field: "rsa.misc.reason", setter: fld_set}]}, - "rec_asp_device": {to:[{field: "rsa.misc.rec_asp_device", setter: fld_set}]}, - "rec_asp_num": {to:[{field: "rsa.misc.rec_asp_num", setter: fld_set}]}, - "rec_library": {to:[{field: "rsa.misc.rec_library", setter: fld_set}]}, - "recorded_time": {convert: to_date, to:[{field: "rsa.time.recorded_time", setter: fld_set}]}, - "recordnum": {to:[{field: "rsa.misc.recordnum", setter: fld_set}]}, - "registry.key": {to:[{field: "rsa.endpoint.registry_key", setter: fld_set}]}, - "registry.value": {to:[{field: "rsa.endpoint.registry_value", setter: fld_set}]}, - "remote_domain": {to:[{field: "rsa.web.remote_domain", setter: fld_set}]}, - "remote_domain_id": {to:[{field: "rsa.network.remote_domain_id", setter: fld_set}]}, - "reputation_num": {convert: to_double, to:[{field: "rsa.web.reputation_num", setter: fld_set}]}, - "resource": {to:[{field: "rsa.internal.resource", setter: fld_set}]}, - "resource_class": {to:[{field: "rsa.internal.resource_class", setter: fld_set}]}, - "result": {to:[{field: "rsa.misc.result", setter: fld_set}]}, - "result_code": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 1}]}, - "resultcode": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 0}]}, - "rid": {convert: to_long, to:[{field: "rsa.internal.rid", setter: fld_set}]}, - "risk": 
{to:[{field: "rsa.misc.risk", setter: fld_set}]}, - "risk_info": {to:[{field: "rsa.misc.risk_info", setter: fld_set}]}, - "risk_num": {convert: to_double, to:[{field: "rsa.misc.risk_num", setter: fld_set}]}, - "risk_num_comm": {convert: to_double, to:[{field: "rsa.misc.risk_num_comm", setter: fld_set}]}, - "risk_num_next": {convert: to_double, to:[{field: "rsa.misc.risk_num_next", setter: fld_set}]}, - "risk_num_sand": {convert: to_double, to:[{field: "rsa.misc.risk_num_sand", setter: fld_set}]}, - "risk_num_static": {convert: to_double, to:[{field: "rsa.misc.risk_num_static", setter: fld_set}]}, - "risk_suspicious": {to:[{field: "rsa.misc.risk_suspicious", setter: fld_set}]}, - "risk_warning": {to:[{field: "rsa.misc.risk_warning", setter: fld_set}]}, - "rpayload": {to:[{field: "rsa.network.rpayload", setter: fld_set}]}, - "ruid": {to:[{field: "rsa.misc.ruid", setter: fld_set}]}, - "rule": {to:[{field: "rsa.misc.rule", setter: fld_set}]}, - "rule_group": {to:[{field: "rsa.misc.rule_group", setter: fld_set}]}, - "rule_template": {to:[{field: "rsa.misc.rule_template", setter: fld_set}]}, - "rule_uid": {to:[{field: "rsa.misc.rule_uid", setter: fld_set}]}, - "rulename": {to:[{field: "rsa.misc.rule_name", setter: fld_set}]}, - "s_certauth": {to:[{field: "rsa.crypto.s_certauth", setter: fld_set}]}, - "s_cipher": {to:[{field: "rsa.crypto.cipher_src", setter: fld_set}]}, - "s_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_src", setter: fld_set}]}, - "s_context": {to:[{field: "rsa.misc.context_subject", setter: fld_set}]}, - "s_sslver": {to:[{field: "rsa.crypto.ssl_ver_src", setter: fld_set}]}, - "sburb": {to:[{field: "rsa.misc.sburb", setter: fld_set}]}, - "scheme": {to:[{field: "rsa.crypto.scheme", setter: fld_set}]}, - "sdomain_fld": {to:[{field: "rsa.misc.sdomain_fld", setter: fld_set}]}, - "search.text": {to:[{field: "rsa.misc.search_text", setter: fld_set}]}, - "sec": {to:[{field: "rsa.misc.sec", setter: fld_set}]}, - "second": {to:[{field: 
"rsa.misc.second", setter: fld_set}]}, - "sensor": {to:[{field: "rsa.misc.sensor", setter: fld_set}]}, - "sensorname": {to:[{field: "rsa.misc.sensorname", setter: fld_set}]}, - "seqnum": {to:[{field: "rsa.misc.seqnum", setter: fld_set}]}, - "serial_number": {to:[{field: "rsa.misc.serial_number", setter: fld_set}]}, - "service.account": {to:[{field: "rsa.identity.service_account", setter: fld_set}]}, - "session": {to:[{field: "rsa.misc.session", setter: fld_set}]}, - "session.split": {to:[{field: "rsa.internal.session_split", setter: fld_set}]}, - "sessionid": {to:[{field: "rsa.misc.log_session_id", setter: fld_set}]}, - "sessionid1": {to:[{field: "rsa.misc.log_session_id1", setter: fld_set}]}, - "sessiontype": {to:[{field: "rsa.misc.sessiontype", setter: fld_set}]}, - "severity": {to:[{field: "rsa.misc.severity", setter: fld_set}]}, - "sid": {to:[{field: "rsa.identity.user_sid_dst", setter: fld_set}]}, - "sig.name": {to:[{field: "rsa.misc.sig_name", setter: fld_set}]}, - "sigUUID": {to:[{field: "rsa.misc.sigUUID", setter: fld_set}]}, - "sigcat": {to:[{field: "rsa.misc.sigcat", setter: fld_set}]}, - "sigid": {convert: to_long, to:[{field: "rsa.misc.sig_id", setter: fld_set}]}, - "sigid1": {convert: to_long, to:[{field: "rsa.misc.sig_id1", setter: fld_set}]}, - "sigid_string": {to:[{field: "rsa.misc.sig_id_str", setter: fld_set}]}, - "signame": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 1}]}, - "sigtype": {to:[{field: "rsa.crypto.sig_type", setter: fld_set}]}, - "sinterface": {to:[{field: "rsa.network.sinterface", setter: fld_set}]}, - "site": {to:[{field: "rsa.internal.site", setter: fld_set}]}, - "size": {convert: to_long, to:[{field: "rsa.internal.size", setter: fld_set}]}, - "smask": {to:[{field: "rsa.network.smask", setter: fld_set}]}, - "snmp.oid": {to:[{field: "rsa.misc.snmp_oid", setter: fld_set}]}, - "snmp.value": {to:[{field: "rsa.misc.snmp_value", setter: fld_set}]}, - "sourcefile": {to:[{field: "rsa.internal.sourcefile", setter: 
fld_set}]}, - "space": {to:[{field: "rsa.misc.space", setter: fld_set}]}, - "space1": {to:[{field: "rsa.misc.space1", setter: fld_set}]}, - "spi": {to:[{field: "rsa.misc.spi", setter: fld_set}]}, - "sql": {to:[{field: "rsa.misc.sql", setter: fld_set}]}, - "src_dn": {to:[{field: "rsa.identity.dn_src", setter: fld_set}]}, - "src_payload": {to:[{field: "rsa.misc.payload_src", setter: fld_set}]}, - "src_spi": {to:[{field: "rsa.misc.spi_src", setter: fld_set}]}, - "src_zone": {to:[{field: "rsa.network.zone_src", setter: fld_set}]}, - "srcburb": {to:[{field: "rsa.misc.srcburb", setter: fld_set}]}, - "srcdom": {to:[{field: "rsa.misc.srcdom", setter: fld_set}]}, - "srcservice": {to:[{field: "rsa.misc.srcservice", setter: fld_set}]}, - "ssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 0}]}, - "stamp": {convert: to_date, to:[{field: "rsa.time.stamp", setter: fld_set}]}, - "starttime": {convert: to_date, to:[{field: "rsa.time.starttime", setter: fld_set}]}, - "state": {to:[{field: "rsa.misc.state", setter: fld_set}]}, - "statement": {to:[{field: "rsa.internal.statement", setter: fld_set}]}, - "status": {to:[{field: "rsa.misc.status", setter: fld_set}]}, - "status1": {to:[{field: "rsa.misc.status1", setter: fld_set}]}, - "streams": {convert: to_long, to:[{field: "rsa.misc.streams", setter: fld_set}]}, - "subcategory": {to:[{field: "rsa.misc.subcategory", setter: fld_set}]}, - "subject": {to:[{field: "rsa.email.subject", setter: fld_set}]}, - "svcno": {to:[{field: "rsa.misc.svcno", setter: fld_set}]}, - "system": {to:[{field: "rsa.misc.system", setter: fld_set}]}, - "t_context": {to:[{field: "rsa.misc.context_target", setter: fld_set}]}, - "task_name": {to:[{field: "rsa.file.task_name", setter: fld_set}]}, - "tbdstr1": {to:[{field: "rsa.misc.tbdstr1", setter: fld_set}]}, - "tbdstr2": {to:[{field: "rsa.misc.tbdstr2", setter: fld_set}]}, - "tbl_name": {to:[{field: "rsa.db.table_name", setter: fld_set}]}, - "tcp_flags": {convert: to_long, to:[{field: 
"rsa.misc.tcp_flags", setter: fld_set}]}, - "terminal": {to:[{field: "rsa.misc.terminal", setter: fld_set}]}, - "tgtdom": {to:[{field: "rsa.misc.tgtdom", setter: fld_set}]}, - "tgtdomain": {to:[{field: "rsa.misc.tgtdomain", setter: fld_set}]}, - "threat_name": {to:[{field: "rsa.threat.threat_category", setter: fld_set}]}, - "threat_source": {to:[{field: "rsa.threat.threat_source", setter: fld_set}]}, - "threat_val": {to:[{field: "rsa.threat.threat_desc", setter: fld_set}]}, - "threshold": {to:[{field: "rsa.misc.threshold", setter: fld_set}]}, - "time": {convert: to_date, to:[{field: "rsa.internal.time", setter: fld_set}]}, - "timestamp": {to:[{field: "rsa.time.timestamp", setter: fld_set}]}, - "timezone": {to:[{field: "rsa.time.timezone", setter: fld_set}]}, - "to": {to:[{field: "rsa.email.email_dst", setter: fld_set}]}, - "tos": {convert: to_long, to:[{field: "rsa.misc.tos", setter: fld_set}]}, - "trans_from": {to:[{field: "rsa.email.trans_from", setter: fld_set}]}, - "trans_id": {to:[{field: "rsa.db.transact_id", setter: fld_set}]}, - "trans_to": {to:[{field: "rsa.email.trans_to", setter: fld_set}]}, - "trigger_desc": {to:[{field: "rsa.misc.trigger_desc", setter: fld_set}]}, - "trigger_val": {to:[{field: "rsa.misc.trigger_val", setter: fld_set}]}, - "type": {to:[{field: "rsa.misc.type", setter: fld_set}]}, - "type1": {to:[{field: "rsa.misc.type1", setter: fld_set}]}, - "tzone": {to:[{field: "rsa.time.tzone", setter: fld_set}]}, - "ubc.req": {convert: to_long, to:[{field: "rsa.internal.ubc_req", setter: fld_set}]}, - "ubc.res": {convert: to_long, to:[{field: "rsa.internal.ubc_res", setter: fld_set}]}, - "udb_class": {to:[{field: "rsa.misc.udb_class", setter: fld_set}]}, - "url_fld": {to:[{field: "rsa.misc.url_fld", setter: fld_set}]}, - "urlpage": {to:[{field: "rsa.web.urlpage", setter: fld_set}]}, - "urlroot": {to:[{field: "rsa.web.urlroot", setter: fld_set}]}, - "user_address": {to:[{field: "rsa.email.email", setter: fld_append}]}, - "user_dept": {to:[{field: 
"rsa.identity.user_dept", setter: fld_set}]}, - "user_div": {to:[{field: "rsa.misc.user_div", setter: fld_set}]}, - "user_fname": {to:[{field: "rsa.identity.firstname", setter: fld_set}]}, - "user_lname": {to:[{field: "rsa.identity.lastname", setter: fld_set}]}, - "user_mname": {to:[{field: "rsa.identity.middlename", setter: fld_set}]}, - "user_org": {to:[{field: "rsa.identity.org", setter: fld_set}]}, - "user_role": {to:[{field: "rsa.identity.user_role", setter: fld_set}]}, - "userid": {to:[{field: "rsa.misc.userid", setter: fld_set}]}, - "username_fld": {to:[{field: "rsa.misc.username_fld", setter: fld_set}]}, - "utcstamp": {to:[{field: "rsa.misc.utcstamp", setter: fld_set}]}, - "v_instafname": {to:[{field: "rsa.misc.v_instafname", setter: fld_set}]}, - "vendor_event_cat": {to:[{field: "rsa.investigations.event_vcat", setter: fld_set}]}, - "version": {to:[{field: "rsa.misc.version", setter: fld_set}]}, - "vid": {to:[{field: "rsa.internal.msg_vid", setter: fld_set}]}, - "virt_data": {to:[{field: "rsa.misc.virt_data", setter: fld_set}]}, - "virusname": {to:[{field: "rsa.misc.virusname", setter: fld_set}]}, - "vlan": {convert: to_long, to:[{field: "rsa.network.vlan", setter: fld_set}]}, - "vlan.name": {to:[{field: "rsa.network.vlan_name", setter: fld_set}]}, - "vm_target": {to:[{field: "rsa.misc.vm_target", setter: fld_set}]}, - "vpnid": {to:[{field: "rsa.misc.vpnid", setter: fld_set}]}, - "vsys": {to:[{field: "rsa.misc.vsys", setter: fld_set}]}, - "vuln_ref": {to:[{field: "rsa.misc.vuln_ref", setter: fld_set}]}, - "web_cookie": {to:[{field: "rsa.web.web_cookie", setter: fld_set}]}, - "web_extension_tmp": {to:[{field: "rsa.web.web_extension_tmp", setter: fld_set}]}, - "web_host": {to:[{field: "rsa.web.alias_host", setter: fld_set}]}, - "web_method": {to:[{field: "rsa.misc.action", setter: fld_append}]}, - "web_page": {to:[{field: "rsa.web.web_page", setter: fld_set}]}, - "web_ref_domain": {to:[{field: "rsa.web.web_ref_domain", setter: fld_set}]}, - "web_ref_host": 
{to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "web_ref_page": {to:[{field: "rsa.web.web_ref_page", setter: fld_set}]}, - "web_ref_query": {to:[{field: "rsa.web.web_ref_query", setter: fld_set}]}, - "web_ref_root": {to:[{field: "rsa.web.web_ref_root", setter: fld_set}]}, - "wifi_channel": {convert: to_long, to:[{field: "rsa.wireless.wlan_channel", setter: fld_set}]}, - "wlan": {to:[{field: "rsa.wireless.wlan_name", setter: fld_set}]}, - "word": {to:[{field: "rsa.internal.word", setter: fld_set}]}, - "workspace_desc": {to:[{field: "rsa.misc.workspace", setter: fld_set}]}, - "workstation": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "year": {to:[{field: "rsa.time.year", setter: fld_set}]}, - "zone": {to:[{field: "rsa.network.zone", setter: fld_set}]}, - }; - - function to_date(value) { - switch (typeof (value)) { - case "object": - // This is a Date. But as it was obtained from evt.Get(), the VM - // doesn't see it as a JS Date anymore, thus value instanceof Date === false. - // Have to trust that any object here is a valid Date for Go. - return value; - case "string": - var asDate = new Date(value); - if (!isNaN(asDate)) return asDate; - } - } - - // ECMAScript 5.1 doesn't have Object.MAX_SAFE_INTEGER / Object.MIN_SAFE_INTEGER. - var maxSafeInt = Math.pow(2, 53) - 1; - var minSafeInt = -maxSafeInt; - - function to_long(value) { - var num = parseInt(value); - // Better not to index a number if it's not safe (above 53 bits). - return !isNaN(num) && minSafeInt <= num && num <= maxSafeInt ? 
num : undefined; - } - - function to_ip(value) { - if (value.indexOf(":") === -1) - return to_ipv4(value); - return to_ipv6(value); - } - - var ipv4_regex = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/; - var ipv6_hex_regex = /^[0-9A-Fa-f]{1,4}$/; - - function to_ipv4(value) { - var result = ipv4_regex.exec(value); - if (result == null || result.length !== 5) return; - for (var i = 1; i < 5; i++) { - var num = strictToInt(result[i]); - if (isNaN(num) || num < 0 || num > 255) return; - } - return value; - } - - function to_ipv6(value) { - var sqEnd = value.indexOf("]"); - if (sqEnd > -1) { - if (value.charAt(0) !== "[") return; - value = value.substr(1, sqEnd - 1); - } - var zoneOffset = value.indexOf("%"); - if (zoneOffset > -1) { - value = value.substr(0, zoneOffset); - } - var parts = value.split(":"); - if (parts == null || parts.length < 3 || parts.length > 8) return; - var numEmpty = 0; - var innerEmpty = 0; - for (var i = 0; i < parts.length; i++) { - if (parts[i].length === 0) { - numEmpty++; - if (i > 0 && i + 1 < parts.length) innerEmpty++; - } else if (!parts[i].match(ipv6_hex_regex) && - // Accept an IPv6 with a valid IPv4 at the end. - ((i + 1 < parts.length) || !to_ipv4(parts[i]))) { - return; - } - } - return innerEmpty === 0 && parts.length === 8 || innerEmpty === 1 ? value : undefined; - } - - function to_double(value) { - return parseFloat(value); - } - - function to_mac(value) { - // ES doesn't have a mac datatype so it's safe to ingest whatever was captured. - return value; - } - - function to_lowercase(value) { - // to_lowercase is used against keyword fields, which can accept - // any other type (numbers, dates). - return typeof(value) === "string"? 
value.toLowerCase() : value; - } - - function fld_set(dst, value) { - dst[this.field] = { v: value }; - } - - function fld_append(dst, value) { - if (dst[this.field] === undefined) { - dst[this.field] = { v: [value] }; - } else { - var base = dst[this.field]; - if (base.v.indexOf(value)===-1) base.v.push(value); - } - } - - function fld_prio(dst, value) { - if (dst[this.field] === undefined) { - dst[this.field] = { v: value, prio: this.prio}; - } else if(this.prio < dst[this.field].prio) { - dst[this.field].v = value; - dst[this.field].prio = this.prio; - } - } - - var valid_ecs_outcome = { - 'failure': true, - 'success': true, - 'unknown': true - }; - - function fld_ecs_outcome(dst, value) { - value = value.toLowerCase(); - if (valid_ecs_outcome[value] === undefined) { - value = 'unknown'; - } - if (dst[this.field] === undefined) { - dst[this.field] = { v: value }; - } else if (dst[this.field].v === 'unknown') { - dst[this.field] = { v: value }; - } - } - - function map_all(evt, targets, value) { - for (var i = 0; i < targets.length; i++) { - evt.Put(targets[i], value); - } - } - - function populate_fields(evt) { - var base = evt.Get(FIELDS_OBJECT); - if (base === null) return; - alternate_datetime(evt); - if (map_ecs) { - do_populate(evt, base, ecs_mappings); - } - if (map_rsa) { - do_populate(evt, base, rsa_mappings); - } - if (keep_raw) { - evt.Put("rsa.raw", base); - } - evt.Delete(FIELDS_OBJECT); - } - - var datetime_alt_components = [ - {field: "day", fmts: [[dF]]}, - {field: "year", fmts: [[dW]]}, - {field: "month", fmts: [[dB],[dG]]}, - {field: "date", fmts: [[dW,dSkip,dG,dSkip,dF],[dW,dSkip,dB,dSkip,dF],[dW,dSkip,dR,dSkip,dF]]}, - {field: "hour", fmts: [[dN]]}, - {field: "min", fmts: [[dU]]}, - {field: "secs", fmts: [[dO]]}, - {field: "time", fmts: [[dN, dSkip, dU, dSkip, dO]]}, - ]; - - function alternate_datetime(evt) { - if (evt.Get(FIELDS_PREFIX + "event_time") != null) { - return; - } - var tzOffset = tz_offset; - if (tzOffset === "event") { - 
tzOffset = evt.Get("event.timezone"); - } - var container = new DateContainer(tzOffset); - for (var i=0; i} %{hostname->} %{messageid}[%{process_id}]: %{payload}", processor_chain([ - setc("header_id","0001"), - ])); - - var hdr2 = match("HEADER#1:0002", "message", "%{hfld1->} %{messageid}[%{process_id}]: %{payload}", processor_chain([ - setc("header_id","0002"), - ])); - - var hdr3 = match("HEADER#2:0003", "message", "%{hfld1->} %{hostname->} reverseproxy: %{payload}", processor_chain([ - setc("header_id","0003"), - setc("messageid","reverseproxy"), - ])); - - var hdr4 = match("HEADER#3:0005", "message", "%{hfld1->} %{hostname->} %{messageid}: %{payload}", processor_chain([ - setc("header_id","0005"), - ])); - - var hdr5 = match("HEADER#4:0004", "message", "%{hfld1->} %{id}[%{process_id}]: %{payload}", processor_chain([ - setc("header_id","0004"), - setc("messageid","astarosg_TVM"), - ])); - - var hdr6 = match("HEADER#5:0006", "message", "device=\"%{product}\" date=%{hdate->} time=%{htime->} timezone=\"%{timezone}\" device_name=\"%{device}\" device_id=%{hardware_id->} log_id=%{id->} %{payload}", processor_chain([ - setc("header_id","0006"), - setc("messageid","Sophos_Firewall"), - ])); - - var select1 = linear_select([ - hdr1, - hdr2, - hdr3, - hdr4, - hdr5, - hdr6, - ]); - - var part1 = match("MESSAGE#0:named:01", "nwparser.payload", "received control channel command '%{action}'", processor_chain([ - dup1, - dup2, - dup3, - ])); - - var msg1 = msg("named:01", part1); - - var part2 = match("MESSAGE#1:named:02", "nwparser.payload", "flushing caches in all views %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - ])); - - var msg2 = msg("named:02", part2); - - var part3 = match("MESSAGE#2:named:03", "nwparser.payload", "error (%{result}) resolving '%{dhost}': %{daddr}#%{dport}", processor_chain([ - dup4, - dup2, - dup3, - ])); - - var msg3 = msg("named:03", part3); - - var part4 = match("MESSAGE#3:named:04", "nwparser.payload", "received %{action->} signal 
to %{fld3}", processor_chain([ - dup5, - dup2, - dup3, - ])); - - var msg4 = msg("named:04", part4); - - var part5 = match("MESSAGE#4:named:05", "nwparser.payload", "loading configuration from '%(unknown)'", processor_chain([ - dup6, - dup2, - dup3, - ])); - - var msg5 = msg("named:05", part5); - - var part6 = match("MESSAGE#5:named:06", "nwparser.payload", "no %{protocol->} interfaces found", processor_chain([ - setc("eventcategory","1804000000"), - dup2, - dup3, - ])); - - var msg6 = msg("named:06", part6); - - var part7 = match("MESSAGE#6:named:07", "nwparser.payload", "sizing zone task pool based on %{fld3->} zones", processor_chain([ - dup7, - dup2, - dup3, - ])); - - var msg7 = msg("named:07", part7); - - var part8 = match("MESSAGE#7:named:08", "nwparser.payload", "automatic empty zone: view %{fld3}: %{dns_ptr_record}", processor_chain([ - dup8, - dup2, - dup3, - ])); - - var msg8 = msg("named:08", part8); - - var part9 = match("MESSAGE#8:named:09", "nwparser.payload", "reloading %{obj_type->} %{disposition}", processor_chain([ - dup7, - dup2, - dup3, - setc("action","reloading"), - ])); - - var msg9 = msg("named:09", part9); - - var part10 = match("MESSAGE#9:named:10", "nwparser.payload", "zone %{dhost}/%{fld3}: loaded serial %{operation_id}", processor_chain([ - dup7, - dup9, - dup2, - dup3, - ])); - - var msg10 = msg("named:10", part10); - - var part11 = match("MESSAGE#10:named:11", "nwparser.payload", "all zones loaded%{}", processor_chain([ - dup7, - dup9, - dup2, - dup3, - setc("action","all zones loaded"), - ])); - - var msg11 = msg("named:11", part11); - - var part12 = match("MESSAGE#11:named:12", "nwparser.payload", "running%{}", processor_chain([ - dup7, - setc("disposition","running"), - dup2, - dup3, - setc("action","running"), - ])); - - var msg12 = msg("named:12", part12); - - var part13 = match("MESSAGE#12:named:13", "nwparser.payload", "using built-in root key for view %{fld3}", processor_chain([ - dup7, - setc("context","built-in root key"), 
- dup2, - dup3, - ])); - - var msg13 = msg("named:13", part13); - - var part14 = match("MESSAGE#13:named:14", "nwparser.payload", "zone %{dns_ptr_record}/%{fld3}: (%{username}) %{action}", processor_chain([ - dup8, - dup2, - dup3, - ])); - - var msg14 = msg("named:14", part14); - - var part15 = match("MESSAGE#14:named:15", "nwparser.payload", "too many timeouts resolving '%{fld3}' (%{fld4}): disabling EDNS", processor_chain([ - dup10, - setc("event_description","named:too many timeouts resolving DNS."), - dup11, - dup2, - ])); - - var msg15 = msg("named:15", part15); - - var part16 = match("MESSAGE#15:named:16", "nwparser.payload", "FORMERR resolving '%{hostname}': %{saddr}#%{fld3}", processor_chain([ - dup10, - setc("event_description","named:FORMERR resolving DNS."), - dup11, - dup2, - ])); - - var msg16 = msg("named:16", part16); - - var part17 = match("MESSAGE#16:named:17", "nwparser.payload", "unexpected RCODE (SERVFAIL) resolving '%{hostname}': %{saddr}#%{fld3}", processor_chain([ - dup10, - setc("event_description","named:unexpected RCODE (SERVFAIL) resolving DNS."), - dup11, - dup2, - ])); - - var msg17 = msg("named:17", part17); - - var select2 = linear_select([ - msg1, - msg2, - msg3, - msg4, - msg5, - msg6, - msg7, - msg8, - msg9, - msg10, - msg11, - msg12, - msg13, - msg14, - msg15, - msg16, - msg17, - ]); - - var part18 = match("MESSAGE#17:httpproxy:09", "nwparser.payload", "Integrated HTTP-Proxy %{version}", processor_chain([ - dup12, - setc("event_description","httpproxy:Integrated HTTP-Proxy."), - dup11, - dup2, - ])); - - var msg18 = msg("httpproxy:09", part18); - - var part19 = match("MESSAGE#18:httpproxy:10", "nwparser.payload", "[%{fld2}] parse_address (%{fld3}) getaddrinfo: passthrough.fw-notify.net: Name or service not known", processor_chain([ - dup10, - setc("event_description","httpproxy:Name or service not known."), - dup11, - dup2, - ])); - - var msg19 = msg("httpproxy:10", part19); - - var part20 = match("MESSAGE#19:httpproxy:11", 
"nwparser.payload", "[%{fld2}] confd_config_filter (%{fld3}) failed to resolve passthrough.fw-notify.net, using %{saddr}", processor_chain([ - dup10, - setc("event_description","httpproxy:failed to resolve passthrough."), - dup11, - dup2, - ])); - - var msg20 = msg("httpproxy:11", part20); - - var part21 = match("MESSAGE#20:httpproxy:12", "nwparser.payload", "[%{fld2}] ssl_log_errors (%{fld3}) %{fld4}ssl handshake failure%{fld5}", processor_chain([ - dup10, - setc("event_description","httpproxy:ssl handshake failure."), - dup11, - dup2, - ])); - - var msg21 = msg("httpproxy:12", part21); - - var part22 = match("MESSAGE#21:httpproxy:13", "nwparser.payload", "[%{fld2}] sc_decrypt (%{fld3}) EVP_DecryptFinal failed", processor_chain([ - dup10, - setc("event_description","httpproxy:EVP_DecryptFinal failed."), - dup11, - dup2, - ])); - - var msg22 = msg("httpproxy:13", part22); - - var part23 = match("MESSAGE#22:httpproxy:14", "nwparser.payload", "[%{fld2}] sc_server_cmd (%{fld3}) decrypt failed", processor_chain([ - dup10, - setc("event_description","httpproxy:decrypt failed."), - dup11, - dup2, - ])); - - var msg23 = msg("httpproxy:14", part23); - - var part24 = match("MESSAGE#23:httpproxy:15", "nwparser.payload", "[%{fld2}] clamav_reload (%{fld3}) %{info}", processor_chain([ - dup12, - setc("event_description","httpproxy:reloading av pattern"), - dup11, - dup2, - ])); - - var msg24 = msg("httpproxy:15", part24); - - var part25 = match("MESSAGE#24:httpproxy:16", "nwparser.payload", "[%{fld2}] sc_check_servers (%{fld3}) server '%{hostname}' access time: %{fld4}", processor_chain([ - dup12, - setc("event_description","httpproxy:sc_check_servers.Server checked."), - dup11, - dup2, - ])); - - var msg25 = msg("httpproxy:16", part25); - - var part26 = match("MESSAGE#25:httpproxy:17", "nwparser.payload", "[%{fld2}] main (%{fld3}) shutdown finished, exiting", processor_chain([ - dup12, - setc("event_description","httpproxy:shutdown finished, exiting."), - dup11, - dup2, - ])); 
- - var msg26 = msg("httpproxy:17", part26); - - var part27 = match("MESSAGE#26:httpproxy:18", "nwparser.payload", "[%{fld2}] main (%{fld3}) reading configuration", processor_chain([ - dup12, - setc("event_description","httpproxy:"), - dup11, - dup2, - ])); - - var msg27 = msg("httpproxy:18", part27); - - var part28 = match("MESSAGE#27:httpproxy:19", "nwparser.payload", "[%{fld2}] main (%{fld3}) reading profiles", processor_chain([ - dup12, - setc("event_description","httpproxy:reading profiles"), - dup11, - dup2, - ])); - - var msg28 = msg("httpproxy:19", part28); - - var part29 = match("MESSAGE#28:httpproxy:20", "nwparser.payload", "[%{fld2}] main (%{fld3}) finished startup", processor_chain([ - dup12, - setc("event_description","httpproxy:finished startup"), - dup11, - dup2, - ])); - - var msg29 = msg("httpproxy:20", part29); - - var part30 = match("MESSAGE#29:httpproxy:21", "nwparser.payload", "[%{fld2}] read_request_headers (%{fld3}) %{info}", processor_chain([ - dup12, - setc("event_description","httpproxy:read_request_headers related message."), - dup11, - dup2, - ])); - - var msg30 = msg("httpproxy:21", part30); - - var part31 = match("MESSAGE#30:httpproxy:22", "nwparser.payload", "[%{fld2}] epoll_loop (%{fld3}) %{info}", processor_chain([ - dup12, - setc("event_description","httpproxy:epoll_loop related message."), - dup11, - dup2, - ])); - - var msg31 = msg("httpproxy:22", part31); - - var part32 = match("MESSAGE#31:httpproxy:23", "nwparser.payload", "[%{fld2}] scan_exit (%{fld3}) %{info}", processor_chain([ - dup12, - setc("event_description","httpproxy:scan_exit related message."), - dup11, - dup2, - ])); - - var msg32 = msg("httpproxy:23", part32); - - var part33 = match("MESSAGE#32:httpproxy:24", "nwparser.payload", "[%{fld2}] epoll_exit (%{fld3}) %{info}", processor_chain([ - dup12, - setc("event_description","httpproxy:epoll_exit related message."), - dup11, - dup2, - ])); - - var msg33 = msg("httpproxy:24", part33); - - var part34 = 
match("MESSAGE#33:httpproxy:25", "nwparser.payload", "[%{fld2}] disk_cache_exit (%{fld3}) %{info}", processor_chain([ - dup12, - setc("event_description","httpproxy:disk_cache_exit related message."), - dup11, - dup2, - ])); - - var msg34 = msg("httpproxy:25", part34); - - var part35 = match("MESSAGE#34:httpproxy:26", "nwparser.payload", "[%{fld2}] disk_cache_zap (%{fld3}) %{info}", processor_chain([ - dup12, - setc("event_description","httpproxy:disk_cache_zap related message."), - dup11, - dup2, - ])); - - var msg35 = msg("httpproxy:26", part35); - - var part36 = match("MESSAGE#35:httpproxy:27", "nwparser.payload", "[%{fld2}] scanner_init (%{fld3}) %{info}", processor_chain([ - dup12, - setc("event_description","httpproxy:scanner_init related message."), - dup11, - dup2, - ])); - - var msg36 = msg("httpproxy:27", part36); - - var part37 = tagval("MESSAGE#36:httpproxy:01", "nwparser.payload", tvm, { - "action": "action", - "ad_domain": "fld1", - "app-id": "fld18", - "application": "fld17", - "auth": "fld10", - "authtime": "fld4", - "avscantime": "fld7", - "cached": "fld2", - "category": "policy_id", - "categoryname": "info", - "cattime": "fld6", - "content-type": "content_type", - "device": "fld9", - "dnstime": "fld5", - "dstip": "daddr", - "error": "result", - "exceptions": "fld12", - "extension": "fld13", - "file": "filename", - "filename": "filename", - "filteraction": "fld3", - "fullreqtime": "fld8", - "function": "action", - "group": "group", - "id": "rule", - "line": "fld14", - "message": "context", - "method": "web_method", - "name": "event_description", - "profile": "policyname", - "reason": "rule_group", - "referer": "web_referer", - "reputation": "fld16", - "request": "connectionid", - "severity": "severity", - "size": "rbytes", - "srcip": "saddr", - "statuscode": "resultcode", - "sub": "network_service", - "sys": "vsys", - "time": "fld15", - "ua": "fld11", - "url": "url", - "user": "username", - }, processor_chain([ - dup13, - dup11, - dup2, - dup45, - 
dup46, - ])); - - var msg37 = msg("httpproxy:01", part37); - - var select3 = linear_select([ - msg18, - msg19, - msg20, - msg21, - msg22, - msg23, - msg24, - msg25, - msg26, - msg27, - msg28, - msg29, - msg30, - msg31, - msg32, - msg33, - msg34, - msg35, - msg36, - msg37, - ]); - - var part38 = match("MESSAGE#37:URID:01", "nwparser.payload", "T=%{fld3->} ------ 1 - [exit] %{action}: %{disposition}", processor_chain([ - dup16, - dup2, - dup3, - ])); - - var msg38 = msg("URID:01", part38); - - var part39 = tagval("MESSAGE#38:ulogd:01", "nwparser.payload", tvm, { - "action": "action", - "code": "fld30", - "dstip": "daddr", - "dstmac": "dmacaddr", - "dstport": "dport", - "fwrule": "policy_id", - "id": "rule", - "info": "context", - "initf": "sinterface", - "length": "fld25", - "name": "event_description", - "outitf": "dinterface", - "prec": "fld27", - "proto": "fld24", - "seq": "fld23", - "severity": "severity", - "srcip": "saddr", - "srcmac": "smacaddr", - "srcport": "sport", - "sub": "network_service", - "sys": "vsys", - "tcpflags": "fld29", - "tos": "fld26", - "ttl": "fld28", - "type": "fld31", - }, processor_chain([ - dup13, - setc("ec_subject","NetworkComm"), - setc("ec_activity","Scan"), - setc("ec_theme","TEV"), - dup11, - dup2, - dup45, - dup46, - ])); - - var msg39 = msg("ulogd:01", part39); - - var part40 = match("MESSAGE#39:reverseproxy:01", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] ModSecurity for Apache/%{fld5->} (%{fld6}) configured.", processor_chain([ - dup6, - setc("disposition","configured"), - dup2, - dup3, - ])); - - var msg40 = msg("reverseproxy:01", part40); - - var part41 = match("MESSAGE#40:reverseproxy:02", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] ModSecurity: %{fld5->} compiled version=\"%{fld6}\"; loaded version=\"%{fld7}\"", processor_chain([ - dup17, - dup2, - dup3, - ])); - - var msg41 = msg("reverseproxy:02", part41); - - var part42 = 
match("MESSAGE#41:reverseproxy:03", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] ModSecurity: %{fld5->} compiled version=\"%{fld6}\"", processor_chain([ - dup17, - dup2, - dup3, - ])); - - var msg42 = msg("reverseproxy:03", part42); - - var part43 = match("MESSAGE#42:reverseproxy:04", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] %{fld5->} configured -- %{disposition->} normal operations", processor_chain([ - dup17, - setc("event_id","AH00292"), - dup2, - dup3, - ])); - - var msg43 = msg("reverseproxy:04", part43); - - var part44 = match("MESSAGE#43:reverseproxy:06", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [%{fld5}] Hostname in %{network_service->} request (%{fld6}) does not match the server name (%{ddomain})", processor_chain([ - setc("eventcategory","1805010000"), - dup18, - dup2, - dup3, - ])); - - var msg44 = msg("reverseproxy:06", part44); - - var part45 = match("MESSAGE#44:reverseproxy:07/0", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] AH00297: %{action->} received. 
Doing%{p0}"); - - var select4 = linear_select([ - dup19, - ]); - - var part46 = match("MESSAGE#44:reverseproxy:07/2", "nwparser.p0", "%{}graceful %{disposition}"); - - var all1 = all_match({ - processors: [ - part45, - select4, - part46, - ], - on_success: processor_chain([ - dup5, - setc("event_id","AH00297"), - dup2, - dup3, - ]), - }); - - var msg45 = msg("reverseproxy:07", all1); - - var part47 = match("MESSAGE#45:reverseproxy:08", "nwparser.payload", "AH00112: Warning: DocumentRoot [%{web_root}] does not exist", processor_chain([ - dup4, - setc("event_id","AH00112"), - dup2, - dup3, - ])); - - var msg46 = msg("reverseproxy:08", part47); - - var part48 = match("MESSAGE#46:reverseproxy:09", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] AH00094: Command line: '%{web_root}'", processor_chain([ - setc("eventcategory","1605010000"), - setc("event_id","AH00094"), - dup2, - dup3, - ])); - - var msg47 = msg("reverseproxy:09", part48); - - var part49 = match("MESSAGE#47:reverseproxy:10", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] AH00291: long lost child came home! 
(pid %{fld5})", processor_chain([ - dup12, - setc("event_id","AH00291"), - dup2, - dup3, - ])); - - var msg48 = msg("reverseproxy:10", part49); - - var part50 = match("MESSAGE#48:reverseproxy:11", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] AH02572: Failed to configure at least one certificate and key for %{fld5}:%{fld6}", processor_chain([ - dup20, - setc("event_id","AH02572"), - dup2, - dup3, - ])); - - var msg49 = msg("reverseproxy:11", part50); - - var part51 = match("MESSAGE#49:reverseproxy:12", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] SSL Library Error: error:%{resultcode}:%{result}", processor_chain([ - dup20, - setc("context","SSL Library Error"), - dup2, - dup3, - ])); - - var msg50 = msg("reverseproxy:12", part51); - - var part52 = match("MESSAGE#50:reverseproxy:13", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] AH02312: Fatal error initialising mod_ssl, %{disposition}.", processor_chain([ - dup20, - setc("result","Fatal error"), - setc("event_id","AH02312"), - dup2, - dup3, - ])); - - var msg51 = msg("reverseproxy:13", part52); - - var part53 = match("MESSAGE#51:reverseproxy:14", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] AH00020: Configuration Failed, %{disposition}", processor_chain([ - dup20, - setc("result","Configuration Failed"), - setc("event_id","AH00020"), - dup2, - dup3, - ])); - - var msg52 = msg("reverseproxy:14", part53); - - var part54 = match("MESSAGE#52:reverseproxy:15", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] AH00098: pid file %{filename->} overwritten -- Unclean shutdown of previous Apache run?", processor_chain([ - setc("eventcategory","1609000000"), - setc("context","Unclean shutdown"), - setc("event_id","AH00098"), - dup2, - dup3, - ])); - - var msg53 = msg("reverseproxy:15", part54); - - var part55 = 
match("MESSAGE#53:reverseproxy:16", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] AH00295: caught %{action}, %{disposition}", processor_chain([ - dup16, - setc("event_id","AH00295"), - dup2, - dup3, - ])); - - var msg54 = msg("reverseproxy:16", part55); - - var part56 = match("MESSAGE#54:reverseproxy:17/0", "nwparser.payload", "[%{fld3}] [%{event_log}:%{result}] [pid %{process_id}:%{fld4}] [client %{gateway}] ModSecurity: Warning. %{rulename->} [file \"%(unknown)\"] [line \"%{fld5}\"] [id \"%{rule}\"]%{p0}"); - - var part57 = match("MESSAGE#54:reverseproxy:17/1_0", "nwparser.p0", " [rev \"%{fld6}\"]%{p0}"); - - var select5 = linear_select([ - part57, - dup19, - ]); - - var part58 = match("MESSAGE#54:reverseproxy:17/2", "nwparser.p0", "%{}[msg \"%{comments}\"] [data \"%{daddr}\"] [severity \"%{severity}\"] [ver \"%{policyname}\"] [maturity \"%{fld7}\"] [accuracy \"%{fld8}\"] %{context->} [hostname \"%{dhost}\"] [uri \"%{web_root}\"] [unique_id \"%{operation_id}\"]"); - - var all2 = all_match({ - processors: [ - part56, - select5, - part58, - ], - on_success: processor_chain([ - dup21, - dup2, - dup3, - ]), - }); - - var msg55 = msg("reverseproxy:17", all2); - - var part59 = match("MESSAGE#55:reverseproxy:18", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] No signature found, cookie: %{fld5}", processor_chain([ - dup4, - dup22, - dup2, - dup3, - ])); - - var msg56 = msg("reverseproxy:18", part59); - - var part60 = match("MESSAGE#56:reverseproxy:19", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] %{disposition->} '%{fld5}' from request due to missing/invalid signature", processor_chain([ - dup23, - dup22, - dup2, - dup3, - ])); - - var msg57 = msg("reverseproxy:19", part60); - - var part61 = match("MESSAGE#57:reverseproxy:20", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] 
[client %{gateway}] ModSecurity: Warning. %{rulename->} [file \"%(unknown)\"] [line \"%{fld5}\"] [id \"%{rule}\"] [msg \"%{comments}\"] [hostname \"%{dhost}\"] [uri \"%{web_root}\"] [unique_id \"%{operation_id}\"]", processor_chain([ - dup21, - dup2, - dup3, - ])); - - var msg58 = msg("reverseproxy:20", part61); - - var part62 = match("MESSAGE#58:reverseproxy:21", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] AH01909: %{daddr}:%{dport}:%{fld5->} server certificate does NOT include an ID which matches the server name", processor_chain([ - dup20, - dup18, - setc("event_id","AH01909"), - dup2, - dup3, - ])); - - var msg59 = msg("reverseproxy:21", part62); - - var part63 = match("MESSAGE#59:reverseproxy:22", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] AH01915: Init: (%{daddr}:%{dport}) You configured %{network_service}(%{fld5}) on the %{fld6}(%{fld7}) port!", processor_chain([ - dup20, - setc("comments","Invalid port configuration"), - dup2, - dup3, - ])); - - var msg60 = msg("reverseproxy:22", part63); - - var part64 = match("MESSAGE#60:reverseproxy:23", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] ModSecurity: Rule %{rulename->} [id \"%{rule}\"][file \"%(unknown)\"][line \"%{fld5}\"] - Execution error - PCRE limits exceeded (%{fld6}): (%{fld7}). 
[hostname \"%{dhost}\"] [uri \"%{web_root}\"] [unique_id \"%{operation_id}\"]", processor_chain([ - dup21, - dup2, - dup3, - ])); - - var msg61 = msg("reverseproxy:23", part64); - - var part65 = match("MESSAGE#61:reverseproxy:24", "nwparser.payload", "rManage\\\\x22,\\\\x22manageLiveSystemSettings\\\\x22,\\\\x22accessViewJobs\\\\x22,\\\\x22exportList\\\\...\"] [ver \"%{policyname}\"] [maturity \"%{fld3}\"] [accuracy \"%{fld4}\"] %{context->} [hostname \"%{dhost}\"] [uri \"%{web_root}\"] [unique_id \"%{operation_id}\"]", processor_chain([ - dup21, - dup2, - dup3, - ])); - - var msg62 = msg("reverseproxy:24", part65); - - var part66 = match("MESSAGE#62:reverseproxy:25", "nwparser.payload", "ARGS:userPermissions: [\\\\x22dashletAccessAlertingRecentAlertsPanel\\\\x22,\\\\x22dashletAccessAlerterTopAlertsDashlet\\\\x22,\\\\x22accessViewRules\\\\x22,\\\\x22deployLiveResources\\\\x22,\\\\x22vi...\"] [severity [hostname \"%{dhost}\"] [uri \"%{web_root}\"] [unique_id \"%{operation_id}\"]", processor_chain([ - dup21, - dup2, - dup3, - ])); - - var msg63 = msg("reverseproxy:25", part66); - - var part67 = match("MESSAGE#63:reverseproxy:26/0", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] ModSecurity: %{disposition->} with code %{resultcode->} (%{fld5}). 
%{rulename->} [file \"%(unknown)\"] [line \"%{fld6}\"] [id \"%{rule}\"]%{p0}"); - - var part68 = match("MESSAGE#63:reverseproxy:26/1_0", "nwparser.p0", " [rev \"%{fld7}\"]%{p0}"); - - var select6 = linear_select([ - part68, - dup19, - ]); - - var part69 = match("MESSAGE#63:reverseproxy:26/2", "nwparser.p0", "%{}[msg \"%{comments}\"] [data \"Last Matched Data: %{p0}"); - - var part70 = match("MESSAGE#63:reverseproxy:26/3_0", "nwparser.p0", "%{daddr}:%{dport}\"] [hostname \"%{p0}"); - - var part71 = match("MESSAGE#63:reverseproxy:26/3_1", "nwparser.p0", "%{daddr}\"] [hostname \"%{p0}"); - - var select7 = linear_select([ - part70, - part71, - ]); - - var part72 = match("MESSAGE#63:reverseproxy:26/4", "nwparser.p0", "%{dhost}\"] [uri \"%{web_root}\"] [unique_id \"%{operation_id}\"]"); - - var all3 = all_match({ - processors: [ - part67, - select6, - part69, - select7, - part72, - ], - on_success: processor_chain([ - dup24, - dup2, - dup3, - ]), - }); - - var msg64 = msg("reverseproxy:26", all3); - - var part73 = match("MESSAGE#64:reverseproxy:27", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] [%{fld5}] %{disposition->} while reading reply from cssd, referer: %{web_referer}", processor_chain([ - dup25, - dup2, - dup3, - ])); - - var msg65 = msg("reverseproxy:27", part73); - - var part74 = match("MESSAGE#65:reverseproxy:28", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] [%{fld5}] virus daemon error found in request %{web_root}, referer: %{web_referer}", processor_chain([ - dup26, - setc("result","virus daemon error"), - dup2, - dup3, - ])); - - var msg66 = msg("reverseproxy:28", part74); - - var part75 = match("MESSAGE#66:reverseproxy:29", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] mod_avscan_input_filter: virus found, referer: %{web_referer}", processor_chain([ - dup27, - 
setc("result","virus found"), - dup2, - dup3, - ])); - - var msg67 = msg("reverseproxy:29", part75); - - var part76 = match("MESSAGE#67:reverseproxy:30", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] (13)%{result}: [client %{gateway}] AH01095: prefetch request body failed to %{saddr}:%{sport->} (%{fld5}) from %{fld6->} (), referer: %{web_referer}", processor_chain([ - dup24, - dup28, - dup2, - dup3, - ])); - - var msg68 = msg("reverseproxy:30", part76); - - var part77 = match("MESSAGE#68:reverseproxy:31", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] [%{fld5}] cannot read reply: Operation now in progress (115), referer: %{web_referer}", processor_chain([ - dup25, - setc("result","Cannot read reply"), - dup2, - dup3, - ])); - - var msg69 = msg("reverseproxy:31", part77); - - var part78 = match("MESSAGE#69:reverseproxy:32", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] [%{fld5}] cannot connect: %{result->} (111), referer: %{web_referer}", processor_chain([ - dup25, - dup2, - dup3, - ])); - - var msg70 = msg("reverseproxy:32", part78); - - var part79 = match("MESSAGE#70:reverseproxy:33", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] [%{fld5}] cannot connect: %{result->} (111)", processor_chain([ - dup25, - dup2, - dup3, - ])); - - var msg71 = msg("reverseproxy:33", part79); - - var part80 = match("MESSAGE#71:reverseproxy:34", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] [%{fld5}] virus daemon connection problem found in request %{url}, referer: %{web_referer}", processor_chain([ - dup26, - dup29, - dup2, - dup3, - ])); - - var msg72 = msg("reverseproxy:34", part80); - - var part81 = match("MESSAGE#72:reverseproxy:35", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid 
%{process_id}:%{fld4}] [client %{gateway}] [%{fld5}] virus daemon connection problem found in request %{url}", processor_chain([ - dup26, - dup29, - dup2, - dup3, - ])); - - var msg73 = msg("reverseproxy:35", part81); - - var part82 = match("MESSAGE#73:reverseproxy:36", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] mod_avscan_input_filter: virus found", processor_chain([ - dup27, - setc("result","Virus found"), - dup2, - dup3, - ])); - - var msg74 = msg("reverseproxy:36", part82); - - var part83 = match("MESSAGE#74:reverseproxy:37", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] (13)%{result}: [client %{gateway}] AH01095: prefetch request body failed to %{saddr}:%{sport->} (%{fld5}) from %{fld6->} ()", processor_chain([ - dup24, - dup28, - dup2, - dup3, - ])); - - var msg75 = msg("reverseproxy:37", part83); - - var part84 = match("MESSAGE#75:reverseproxy:38", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] Invalid signature, cookie: JSESSIONID", processor_chain([ - dup25, - dup2, - dup3, - ])); - - var msg76 = msg("reverseproxy:38", part84); - - var part85 = match("MESSAGE#76:reverseproxy:39", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] Form validation failed: Received unhardened form data, referer: %{web_referer}", processor_chain([ - dup23, - setc("result","Form validation failed"), - dup2, - dup3, - ])); - - var msg77 = msg("reverseproxy:39", part85); - - var part86 = match("MESSAGE#77:reverseproxy:40", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] [%{fld5}] sending trickle failed: 103", processor_chain([ - dup25, - setc("result","Sending trickle failed"), - dup2, - dup3, - ])); - - var msg78 = msg("reverseproxy:40", part86); - - var part87 = match("MESSAGE#78:reverseproxy:41", 
"nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] [%{fld5}] client requesting %{web_root->} has %{disposition}", processor_chain([ - dup30, - dup2, - dup3, - ])); - - var msg79 = msg("reverseproxy:41", part87); - - var part88 = match("MESSAGE#79:reverseproxy:42", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] [%{fld5}] mod_avscan_check_file_single_part() called with parameter filename=%(unknown)", processor_chain([ - setc("eventcategory","1603050000"), - dup2, - dup3, - ])); - - var msg80 = msg("reverseproxy:42", part88); - - var part89 = match("MESSAGE#80:reverseproxy:43", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] (70007)The %{disposition->} specified has expired: [client %{gateway}] AH01110: error reading response", processor_chain([ - dup30, - setc("event_id","AH01110"), - setc("result","Error reading response"), - dup2, - dup3, - ])); - - var msg81 = msg("reverseproxy:43", part89); - - var part90 = match("MESSAGE#81:reverseproxy:44", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] (22)%{result}: [client %{gateway}] No form context found when parsing %{fld5->} tag, referer: %{web_referer}", processor_chain([ - setc("eventcategory","1601020000"), - setc("result","No form context found"), - dup2, - dup3, - ])); - - var msg82 = msg("reverseproxy:44", part90); - - var part91 = match("MESSAGE#82:reverseproxy:45", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] (111)%{result}: AH00957: %{network_service}: attempt to connect to %{daddr}:%{dport->} (%{fld5}) failed", processor_chain([ - dup25, - setc("event_id","AH00957"), - dup2, - dup3, - ])); - - var msg83 = msg("reverseproxy:45", part91); - - var part92 = match("MESSAGE#83:reverseproxy:46", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] AH00959: 
ap_proxy_connect_backend disabling worker for (%{daddr}) for %{processing_time}s", processor_chain([ - dup16, - setc("event_id","AH00959"), - setc("result","disabling worker"), - dup2, - dup3, - ])); - - var msg84 = msg("reverseproxy:46", part92); - - var part93 = match("MESSAGE#84:reverseproxy:47", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] [%{fld5}] not all the file sent to the client: %{fld6}, referer: %{web_referer}", processor_chain([ - setc("eventcategory","1801000000"), - setc("context","Not all file sent to client"), - dup2, - dup3, - ])); - - var msg85 = msg("reverseproxy:47", part93); - - var part94 = match("MESSAGE#85:reverseproxy:48", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] AH01114: %{network_service}: failed to make connection to backend: %{daddr}, referer: %{web_referer}", processor_chain([ - dup25, - dup31, - dup32, - dup2, - dup3, - ])); - - var msg86 = msg("reverseproxy:48", part94); - - var part95 = match("MESSAGE#86:reverseproxy:49", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] AH01114: %{network_service}: failed to make connection to backend: %{daddr}", processor_chain([ - dup25, - dup31, - dup32, - dup2, - dup3, - ])); - - var msg87 = msg("reverseproxy:49", part95); - - var part96 = tagval("MESSAGE#87:reverseproxy:05", "nwparser.payload", tvm, { - "cookie": "web_cookie", - "exceptions": "policy_waiver", - "extra": "info", - "host": "dhost", - "id": "policy_id", - "localip": "fld3", - "method": "web_method", - "reason": "comments", - "referer": "web_referer", - "server": "daddr", - "set-cookie": "fld5", - "size": "fld4", - "srcip": "saddr", - "statuscode": "resultcode", - "time": "processing_time", - "url": "web_root", - "user": "username", - }, processor_chain([ - setc("eventcategory","1802000000"), - dup2, - dup3, - ])); - - var msg88 = 
msg("reverseproxy:05", part96); - - var select8 = linear_select([ - msg40, - msg41, - msg42, - msg43, - msg44, - msg45, - msg46, - msg47, - msg48, - msg49, - msg50, - msg51, - msg52, - msg53, - msg54, - msg55, - msg56, - msg57, - msg58, - msg59, - msg60, - msg61, - msg62, - msg63, - msg64, - msg65, - msg66, - msg67, - msg68, - msg69, - msg70, - msg71, - msg72, - msg73, - msg74, - msg75, - msg76, - msg77, - msg78, - msg79, - msg80, - msg81, - msg82, - msg83, - msg84, - msg85, - msg86, - msg87, - msg88, - ]); - - var part97 = tagval("MESSAGE#88:confd-sync", "nwparser.payload", tvm, { - "id": "fld5", - "name": "event_description", - "severity": "severity", - "sub": "service", - "sys": "fld2", - }, processor_chain([ - dup1, - dup11, - dup2, - ])); - - var msg89 = msg("confd-sync", part97); - - var part98 = tagval("MESSAGE#89:confd:01", "nwparser.payload", tvm, { - "account": "logon_id", - "attributes": "obj_name", - "class": "group_object", - "client": "fld3", - "count": "fld4", - "facility": "logon_type", - "id": "fld1", - "name": "event_description", - "node": "node", - "object": "fld6", - "severity": "severity", - "srcip": "saddr", - "storage": "directory", - "sub": "service", - "sys": "fld2", - "type": "obj_type", - "user": "username", - "version": "version", - }, processor_chain([ - dup1, - dup11, - dup2, - ])); - - var msg90 = msg("confd:01", part98); - - var part99 = match("MESSAGE#90:frox", "nwparser.payload", "Frox started%{}", processor_chain([ - dup12, - setc("event_description","frox:FTP Proxy Frox started."), - dup11, - dup2, - ])); - - var msg91 = msg("frox", part99); - - var part100 = match("MESSAGE#91:frox:01", "nwparser.payload", "Listening on %{saddr}:%{sport}", processor_chain([ - dup12, - setc("event_description","frox:FTP Proxy listening on port."), - dup11, - dup2, - ])); - - var msg92 = msg("frox:01", part100); - - var part101 = match("MESSAGE#92:frox:02", "nwparser.payload", "Dropped privileges%{}", processor_chain([ - dup12, - 
setc("event_description","frox:FTP Proxy dropped priveleges."), - dup11, - dup2, - ])); - - var msg93 = msg("frox:02", part101); - - var select9 = linear_select([ - msg91, - msg92, - msg93, - ]); - - var part102 = match("MESSAGE#93:afcd", "nwparser.payload", "Classifier configuration reloaded successfully%{}", processor_chain([ - dup12, - setc("event_description","afcd: IM/P2P Classifier configuration reloaded successfully."), - dup11, - dup2, - ])); - - var msg94 = msg("afcd", part102); - - var part103 = match("MESSAGE#94:ipsec_starter", "nwparser.payload", "Starting strongSwan %{fld2->} IPsec [starter]...", processor_chain([ - dup12, - setc("event_description","ipsec_starter: Starting strongSwan 4.2.3 IPsec [starter]..."), - dup11, - dup2, - ])); - - var msg95 = msg("ipsec_starter", part103); - - var part104 = match("MESSAGE#95:ipsec_starter:01", "nwparser.payload", "IP address or index of physical interface changed -> reinit of ipsec interface%{}", processor_chain([ - dup12, - setc("event_description","ipsec_starter: IP address or index of physical interface changed."), - dup11, - dup2, - ])); - - var msg96 = msg("ipsec_starter:01", part104); - - var select10 = linear_select([ - msg95, - msg96, - ]); - - var part105 = match("MESSAGE#96:pluto", "nwparser.payload", "Starting Pluto (%{info})", processor_chain([ - dup12, - setc("event_description","pluto: Starting Pluto."), - dup11, - dup2, - ])); - - var msg97 = msg("pluto", part105); - - var part106 = match("MESSAGE#97:pluto:01", "nwparser.payload", "including NAT-Traversal patch (%{info})", processor_chain([ - dup12, - setc("event_description","pluto: including NAT-Traversal patch."), - dup11, - dup2, - ])); - - var msg98 = msg("pluto:01", part106); - - var part107 = match("MESSAGE#98:pluto:02", "nwparser.payload", "ike_alg: Activating %{info->} encryption: Ok", processor_chain([ - dup33, - setc("event_description","pluto: Activating encryption algorithm."), - dup11, - dup2, - ])); - - var msg99 = msg("pluto:02", 
part107); - - var part108 = match("MESSAGE#99:pluto:03", "nwparser.payload", "ike_alg: Activating %{info->} hash: Ok", processor_chain([ - dup33, - setc("event_description","pluto: Activating hash algorithm."), - dup11, - dup2, - ])); - - var msg100 = msg("pluto:03", part108); - - var part109 = match("MESSAGE#100:pluto:04", "nwparser.payload", "Testing registered IKE encryption algorithms:%{}", processor_chain([ - dup12, - setc("event_description","pluto: Testing registered IKE encryption algorithms"), - dup11, - dup2, - ])); - - var msg101 = msg("pluto:04", part109); - - var part110 = match("MESSAGE#101:pluto:05", "nwparser.payload", "%{info->} self-test not available", processor_chain([ - dup12, - setc("event_description","pluto: Algorithm self-test not available."), - dup11, - dup2, - ])); - - var msg102 = msg("pluto:05", part110); - - var part111 = match("MESSAGE#102:pluto:06", "nwparser.payload", "%{info->} self-test passed", processor_chain([ - dup12, - setc("event_description","pluto: Algorithm self-test passed."), - dup11, - dup2, - ])); - - var msg103 = msg("pluto:06", part111); - - var part112 = match("MESSAGE#103:pluto:07", "nwparser.payload", "Using KLIPS IPsec interface code%{}", processor_chain([ - dup12, - setc("event_description","pluto: Using KLIPS IPsec interface code"), - dup11, - dup2, - ])); - - var msg104 = msg("pluto:07", part112); - - var part113 = match("MESSAGE#104:pluto:08", "nwparser.payload", "adding interface %{interface->} %{saddr}:%{sport}", processor_chain([ - dup12, - setc("event_description","pluto: adding interface"), - dup11, - dup2, - ])); - - var msg105 = msg("pluto:08", part113); - - var part114 = match("MESSAGE#105:pluto:09", "nwparser.payload", "loading secrets from \"%(unknown)\"", processor_chain([ - dup34, - setc("event_description","pluto: loading secrets"), - dup11, - dup2, - ])); - - var msg106 = msg("pluto:09", part114); - - var part115 = match("MESSAGE#106:pluto:10", "nwparser.payload", "loaded private key file 
'%(unknown)' (%{filename_size->} bytes)", processor_chain([ - dup34, - setc("event_description","pluto: loaded private key file"), - dup11, - dup2, - ])); - - var msg107 = msg("pluto:10", part115); - - var part116 = match("MESSAGE#107:pluto:11", "nwparser.payload", "added connection description \"%{fld2}\"", processor_chain([ - dup12, - setc("event_description","pluto: added connection description"), - dup11, - dup2, - ])); - - var msg108 = msg("pluto:11", part116); - - var part117 = match("MESSAGE#108:pluto:12", "nwparser.payload", "\"%{fld2}\" #%{fld3}: initiating Main Mode", processor_chain([ - dup12, - dup35, - dup11, - dup2, - ])); - - var msg109 = msg("pluto:12", part117); - - var part118 = match("MESSAGE#109:pluto:13", "nwparser.payload", "\"%{fld2}\" #%{fld3}: max number of retransmissions (%{fld4}) reached STATE_MAIN_I1. No response (or no acceptable response) to our first IKE message", processor_chain([ - dup10, - dup36, - dup11, - dup2, - ])); - - var msg110 = msg("pluto:13", part118); - - var part119 = match("MESSAGE#110:pluto:14", "nwparser.payload", "\"%{fld2}\" #%{fld3}: starting keying attempt %{fld4->} of an unlimited number", processor_chain([ - dup12, - dup37, - dup11, - dup2, - ])); - - var msg111 = msg("pluto:14", part119); - - var part120 = match("MESSAGE#111:pluto:15", "nwparser.payload", "forgetting secrets%{}", processor_chain([ - dup12, - setc("event_description","pluto:forgetting secrets"), - dup11, - dup2, - ])); - - var msg112 = msg("pluto:15", part120); - - var part121 = match("MESSAGE#112:pluto:17", "nwparser.payload", "Changing to directory '%{directory}'", processor_chain([ - dup12, - setc("event_description","pluto:Changing to directory"), - dup11, - dup2, - ])); - - var msg113 = msg("pluto:17", part121); - - var part122 = match("MESSAGE#113:pluto:18", "nwparser.payload", "| *time to handle event%{}", processor_chain([ - dup12, - setc("event_description","pluto:*time to handle event"), - dup11, - dup2, - ])); - - var msg114 = 
msg("pluto:18", part122); - - var part123 = match("MESSAGE#114:pluto:19", "nwparser.payload", "| *received kernel message%{}", processor_chain([ - dup12, - setc("event_description","pluto:*received kernel message"), - dup11, - dup2, - ])); - - var msg115 = msg("pluto:19", part123); - - var part124 = match("MESSAGE#115:pluto:20", "nwparser.payload", "| rejected packet:%{}", processor_chain([ - dup25, - setc("event_description","pluto:rejected packet"), - dup11, - dup2, - ])); - - var msg116 = msg("pluto:20", part124); - - var part125 = match("MESSAGE#116:pluto:21", "nwparser.payload", "| next event %{event_type->} in %{fld2->} seconds for #%{fld3}", processor_chain([ - dup12, - dup11, - dup2, - ])); - - var msg117 = msg("pluto:21", part125); - - var part126 = match("MESSAGE#117:pluto:22", "nwparser.payload", "| next event %{event_type->} in %{fld2->} seconds", processor_chain([ - dup12, - dup11, - dup2, - ])); - - var msg118 = msg("pluto:22", part126); - - var part127 = match("MESSAGE#118:pluto:23", "nwparser.payload", "| inserting event %{event_type->} in %{fld2->} seconds for #%{fld3}", processor_chain([ - dup12, - dup11, - dup2, - ])); - - var msg119 = msg("pluto:23", part127); - - var part128 = match("MESSAGE#119:pluto:24", "nwparser.payload", "| event after this is %{event_type->} in %{fld2->} seconds", processor_chain([ - dup12, - dup11, - dup2, - ])); - - var msg120 = msg("pluto:24", part128); - - var part129 = match("MESSAGE#120:pluto:25", "nwparser.payload", "| recent %{action->} activity %{fld2->} seconds ago, %{info}", processor_chain([ - dup12, - dup11, - dup2, - ])); - - var msg121 = msg("pluto:25", part129); - - var part130 = match("MESSAGE#121:pluto:26", "nwparser.payload", "| *received %{rbytes->} bytes from %{saddr}:%{sport->} on %{dinterface}", processor_chain([ - dup12, - dup11, - dup2, - ])); - - var msg122 = msg("pluto:26", part130); - - var part131 = match("MESSAGE#122:pluto:27", "nwparser.payload", "| received %{action->} notification %{msg->} 
with seqno = %{fld2}", processor_chain([ - dup12, - dup11, - dup2, - ])); - - var msg123 = msg("pluto:27", part131); - - var part132 = match("MESSAGE#123:pluto:28", "nwparser.payload", "| sent %{action->} notification %{msg->} with seqno = %{fld2}", processor_chain([ - dup12, - dup11, - dup2, - ])); - - var msg124 = msg("pluto:28", part132); - - var part133 = match("MESSAGE#124:pluto:29", "nwparser.payload", "| inserting event %{event_type}, timeout in %{fld2->} seconds", processor_chain([ - dup12, - dup11, - dup2, - ])); - - var msg125 = msg("pluto:29", part133); - - var part134 = match("MESSAGE#125:pluto:30", "nwparser.payload", "| handling event %{event_type->} for %{saddr->} \"%{fld2}\" #%{fld3}", processor_chain([ - dup12, - dup11, - dup2, - ])); - - var msg126 = msg("pluto:30", part134); - - var part135 = match("MESSAGE#126:pluto:31", "nwparser.payload", "| %{event_description}", processor_chain([ - dup12, - dup11, - dup2, - ])); - - var msg127 = msg("pluto:31", part135); - - var part136 = match("MESSAGE#127:pluto:32", "nwparser.payload", "%{fld2}: asynchronous network error report on %{interface->} for message to %{daddr->} port %{dport}, complainant %{saddr}: Connection refused [errno %{fld4}, origin ICMP type %{icmptype->} code %{icmpcode->} (not authenticated)]", processor_chain([ - dup12, - setc("event_description","not authenticated"), - dup11, - dup2, - ])); - - var msg128 = msg("pluto:32", part136); - - var part137 = match("MESSAGE#128:pluto:33", "nwparser.payload", "\"%{fld2}\"[%{fld4}] %{saddr->} #%{fld3}: initiating Main Mode", processor_chain([ - dup12, - dup35, - dup11, - dup2, - ])); - - var msg129 = msg("pluto:33", part137); - - var part138 = match("MESSAGE#129:pluto:34", "nwparser.payload", "\"%{fld2}\"[%{fld4}] %{saddr->} #%{fld3}: max number of retransmissions (%{fld5}) reached STATE_MAIN_I1. 
No response (or no acceptable response) to our first IKE message", processor_chain([ - dup12, - dup36, - dup11, - dup2, - ])); - - var msg130 = msg("pluto:34", part138); - - var part139 = match("MESSAGE#130:pluto:35", "nwparser.payload", "\"%{fld2}\"[%{fld4}] %{saddr->} #%{fld3}: starting keying attempt %{fld5->} of an unlimited number", processor_chain([ - dup12, - dup37, - dup11, - dup2, - ])); - - var msg131 = msg("pluto:35", part139); - - var select11 = linear_select([ - msg97, - msg98, - msg99, - msg100, - msg101, - msg102, - msg103, - msg104, - msg105, - msg106, - msg107, - msg108, - msg109, - msg110, - msg111, - msg112, - msg113, - msg114, - msg115, - msg116, - msg117, - msg118, - msg119, - msg120, - msg121, - msg122, - msg123, - msg124, - msg125, - msg126, - msg127, - msg128, - msg129, - msg130, - msg131, - ]); - - var part140 = match("MESSAGE#131:xl2tpd", "nwparser.payload", "This binary does not support kernel L2TP.%{}", processor_chain([ - setc("eventcategory","1607000000"), - setc("event_description","xl2tpd:This binary does not support kernel L2TP."), - dup11, - dup2, - ])); - - var msg132 = msg("xl2tpd", part140); - - var part141 = match("MESSAGE#132:xl2tpd:01", "nwparser.payload", "xl2tpd version %{version->} started on PID:%{fld2}", processor_chain([ - dup12, - setc("event_description","xl2tpd:xl2tpd started."), - dup11, - dup2, - ])); - - var msg133 = msg("xl2tpd:01", part141); - - var part142 = match("MESSAGE#133:xl2tpd:02", "nwparser.payload", "Written by %{info}", processor_chain([ - dup12, - dup38, - dup11, - dup2, - ])); - - var msg134 = msg("xl2tpd:02", part142); - - var part143 = match("MESSAGE#134:xl2tpd:03", "nwparser.payload", "Forked by %{info}", processor_chain([ - dup12, - dup38, - dup11, - dup2, - ])); - - var msg135 = msg("xl2tpd:03", part143); - - var part144 = match("MESSAGE#135:xl2tpd:04", "nwparser.payload", "Inherited by %{info}", processor_chain([ - dup12, - dup38, - dup11, - dup2, - ])); - - var msg136 = msg("xl2tpd:04", 
part144); - - var part145 = match("MESSAGE#136:xl2tpd:05", "nwparser.payload", "Listening on IP address %{saddr}, port %{sport}", processor_chain([ - dup12, - dup38, - dup11, - dup2, - ])); - - var msg137 = msg("xl2tpd:05", part145); - - var select12 = linear_select([ - msg132, - msg133, - msg134, - msg135, - msg136, - msg137, - ]); - - var part146 = match("MESSAGE#137:barnyard:01", "nwparser.payload", "Exiting%{}", processor_chain([ - dup12, - setc("event_description","barnyard: Exiting"), - dup11, - dup2, - ])); - - var msg138 = msg("barnyard:01", part146); - - var part147 = match("MESSAGE#138:barnyard:02", "nwparser.payload", "Initializing daemon mode%{}", processor_chain([ - dup12, - setc("event_description","barnyard:Initializing daemon mode"), - dup11, - dup2, - ])); - - var msg139 = msg("barnyard:02", part147); - - var part148 = match("MESSAGE#139:barnyard:03", "nwparser.payload", "Opened spool file '%(unknown)'", processor_chain([ - dup12, - setc("event_description","barnyard:Opened spool file."), - dup11, - dup2, - ])); - - var msg140 = msg("barnyard:03", part148); - - var part149 = match("MESSAGE#140:barnyard:04", "nwparser.payload", "Waiting for new data%{}", processor_chain([ - dup12, - setc("event_description","barnyard:Waiting for new data"), - dup11, - dup2, - ])); - - var msg141 = msg("barnyard:04", part149); - - var select13 = linear_select([ - msg138, - msg139, - msg140, - msg141, - ]); - - var part150 = match("MESSAGE#141:exim:01", "nwparser.payload", "%{fld2}-%{fld3}-%{fld4->} %{fld5}:%{fld6}:%{fld7->} SMTP connection from localhost (%{hostname}) [%{saddr}]:%{sport->} closed by QUIT", processor_chain([ - dup12, - setc("event_description","exim:SMTP connection from localhost closed by QUIT"), - dup11, - dup2, - ])); - - var msg142 = msg("exim:01", part150); - - var part151 = match("MESSAGE#142:exim:02", "nwparser.payload", "%{fld2}-%{fld3}-%{fld4->} %{fld5}:%{fld6}:%{fld7->} [%{saddr}] F=\u003c\u003c%{from}> R=\u003c\u003c%{to}> Accepted: 
%{info}", processor_chain([ - setc("eventcategory","1207010000"), - setc("event_description","exim:e-mail accepted from relay."), - dup11, - dup2, - ])); - - var msg143 = msg("exim:02", part151); - - var part152 = match("MESSAGE#143:exim:03", "nwparser.payload", "%{fld2}-%{fld3}-%{fld4->} %{fld5}:%{fld6}:%{fld7->} %{fld8->} \u003c\u003c= %{from->} H=localhost (%{hostname}) [%{saddr}]:%{sport->} P=%{protocol->} S=%{fld9->} id=%{info}", processor_chain([ - setc("eventcategory","1207000000"), - setc("event_description","exim: e-mail sent."), - dup11, - dup2, - ])); - - var msg144 = msg("exim:03", part152); - - var part153 = match("MESSAGE#144:exim:04", "nwparser.payload", "%{fld2}-%{fld3}-%{fld4->} %{fld5}:%{fld6}:%{fld7->} %{fld8->} == %{from->} R=dnslookup defer (%{fld9}): host lookup did not complete", processor_chain([ - dup39, - setc("event_description","exim: e-mail host lookup did not complete in DNS."), - dup11, - dup2, - ])); - - var msg145 = msg("exim:04", part153); - - var part154 = match("MESSAGE#145:exim:05", "nwparser.payload", "%{fld2}-%{fld3}-%{fld4->} %{fld5}:%{fld6}:%{fld7->} %{fld8->} == %{from->} routing defer (%{fld9}): retry time not reached", processor_chain([ - dup39, - setc("event_description","exim: e-mail routing defer:retry time not reached."), - dup11, - dup2, - ])); - - var msg146 = msg("exim:05", part154); - - var part155 = match("MESSAGE#146:exim:06", "nwparser.payload", "%{fld2}-%{fld3}-%{fld4->} %{fld5}:%{fld6}:%{fld7->} exim %{version->} daemon started: pid=%{fld8}, no queue runs, listening for SMTP on port %{sport->} (%{info}) port %{fld9->} (%{fld10}) and for SMTPS on port %{fld11->} (%{fld12})", processor_chain([ - dup12, - setc("event_description","exim: exim daemon started."), - dup11, - dup2, - ])); - - var msg147 = msg("exim:06", part155); - - var part156 = match("MESSAGE#147:exim:07", "nwparser.payload", "%{fld2}-%{fld3}-%{fld4->} %{fld5}:%{fld6}:%{fld7->} Start queue run: pid=%{fld8}", processor_chain([ - dup12, - 
setc("event_description","exim: Start queue run."), - dup11, - dup2, - ])); - - var msg148 = msg("exim:07", part156); - - var part157 = match("MESSAGE#148:exim:08", "nwparser.payload", "%{fld2}-%{fld3}-%{fld4->} %{fld5}:%{fld6}:%{fld7->} pid %{fld8}: SIGHUP received: re-exec daemon", processor_chain([ - dup12, - setc("event_description","exim: SIGHUP received: re-exec daemon."), - dup11, - dup2, - ])); - - var msg149 = msg("exim:08", part157); - - var part158 = match("MESSAGE#149:exim:09", "nwparser.payload", "%{fld2}-%{fld3}-%{fld4->} %{fld5}:%{fld6}:%{fld7->} SMTP connection from [%{saddr}]:%{sport->} %{info}", processor_chain([ - dup12, - setc("event_description","exim: SMTP connection from host."), - dup11, - dup2, - ])); - - var msg150 = msg("exim:09", part158); - - var part159 = match("MESSAGE#150:exim:10", "nwparser.payload", "%{fld2}-%{fld3}-%{fld4->} %{fld5}:%{fld6}:%{fld7->} rejected EHLO from [%{saddr}]:%{sport->} %{info}", processor_chain([ - dup12, - setc("event_description","exim:rejected EHLO from host."), - dup11, - dup2, - ])); - - var msg151 = msg("exim:10", part159); - - var part160 = match("MESSAGE#151:exim:11", "nwparser.payload", "%{fld2}-%{fld3}-%{fld4->} %{fld5}:%{fld6}:%{fld7->} SMTP protocol synchronization error (%{result}): %{fld8->} H=[%{saddr}]:%{sport->} %{info}", processor_chain([ - dup12, - setc("event_description","exim:SMTP protocol synchronization error rejected connection from host."), - dup11, - dup2, - ])); - - var msg152 = msg("exim:11", part160); - - var part161 = match("MESSAGE#152:exim:12", "nwparser.payload", "%{fld2}-%{fld3}-%{fld4->} %{fld5}:%{fld6}:%{fld7->} TLS error on connection from [%{saddr}]:%{sport->} %{info}", processor_chain([ - dup12, - setc("event_description","exim:TLS error on connection from host."), - dup11, - dup2, - ])); - - var msg153 = msg("exim:12", part161); - - var part162 = match("MESSAGE#153:exim:13", "nwparser.payload", "%{fld2}-%{fld3}-%{fld4->} %{fld5}:%{fld6}:%{fld7->} %{fld10->} == 
%{hostname->} R=%{fld8->} T=%{fld9}: %{info}", processor_chain([ - dup12, - dup40, - dup11, - dup2, - ])); - - var msg154 = msg("exim:13", part162); - - var part163 = match("MESSAGE#154:exim:14", "nwparser.payload", "%{fld2}-%{fld3}-%{fld4->} %{fld5}:%{fld6}:%{fld7->} %{fld10->} %{hostname->} [%{saddr}]:%{sport->} %{info}", processor_chain([ - dup12, - dup40, - dup11, - dup2, - ])); - - var msg155 = msg("exim:14", part163); - - var part164 = match("MESSAGE#155:exim:15", "nwparser.payload", "%{fld2}-%{fld3}-%{fld4->} %{fld5}:%{fld6}:%{fld7->} End queue run: %{info}", processor_chain([ - dup12, - dup40, - dup11, - dup2, - ])); - - var msg156 = msg("exim:15", part164); - - var part165 = match("MESSAGE#156:exim:16", "nwparser.payload", "%{fld2->} %{fld3}", processor_chain([ - dup12, - dup11, - dup2, - ])); - - var msg157 = msg("exim:16", part165); - - var select14 = linear_select([ - msg142, - msg143, - msg144, - msg145, - msg146, - msg147, - msg148, - msg149, - msg150, - msg151, - msg152, - msg153, - msg154, - msg155, - msg156, - msg157, - ]); - - var part166 = match("MESSAGE#157:smtpd:01", "nwparser.payload", "QMGR[%{fld2}]: %{fld3->} moved to work queue", processor_chain([ - dup12, - setc("event_description","smtpd: Process moved to work queue."), - dup11, - dup2, - ])); - - var msg158 = msg("smtpd:01", part166); - - var part167 = match("MESSAGE#158:smtpd:02", "nwparser.payload", "SCANNER[%{fld3}]: id=\"1000\" severity=\"%{severity}\" sys=\"%{fld4}\" sub=\"%{service}\" name=\"%{event_description}\" srcip=\"%{saddr}\" from=\"%{from}\" to=\"%{to}\" subject=\"%{subject}\" queueid=\"%{fld5}\" size=\"%{rbytes}\"", processor_chain([ - setc("eventcategory","1207010100"), - dup11, - dup2, - ])); - - var msg159 = msg("smtpd:02", part167); - - var part168 = match("MESSAGE#159:smtpd:03", "nwparser.payload", "SCANNER[%{fld3}]: Nothing to do, exiting.", processor_chain([ - dup12, - setc("event_description","smtpd: SCANNER: Nothing to do,exiting."), - dup11, - dup2, - ])); - - 
var msg160 = msg("smtpd:03", part168); - - var part169 = match("MESSAGE#160:smtpd:04", "nwparser.payload", "MASTER[%{fld3}]: QR globally disabled, status two set to 'disabled'", processor_chain([ - dup12, - setc("event_description","smtpd: MASTER:QR globally disabled, status two set to disabled."), - dup11, - dup2, - ])); - - var msg161 = msg("smtpd:04", part169); - - var part170 = match("MESSAGE#161:smtpd:07", "nwparser.payload", "MASTER[%{fld3}]: QR globally disabled, status one set to 'disabled'", processor_chain([ - dup12, - setc("event_description","smtpd: MASTER:QR globally disabled, status one set to disabled."), - dup11, - dup2, - ])); - - var msg162 = msg("smtpd:07", part170); - - var part171 = match("MESSAGE#162:smtpd:05", "nwparser.payload", "MASTER[%{fld3}]: (Re-)loading configuration from Confd", processor_chain([ - dup12, - setc("event_description","smtpd: MASTER:(Re-)loading configuration from Confd."), - dup11, - dup2, - ])); - - var msg163 = msg("smtpd:05", part171); - - var part172 = match("MESSAGE#163:smtpd:06", "nwparser.payload", "MASTER[%{fld3}]: Sending QR one", processor_chain([ - dup12, - setc("event_description","smtpd: MASTER:Sending QR one."), - dup11, - dup2, - ])); - - var msg164 = msg("smtpd:06", part172); - - var select15 = linear_select([ - msg158, - msg159, - msg160, - msg161, - msg162, - msg163, - msg164, - ]); - - var part173 = match("MESSAGE#164:sshd:01", "nwparser.payload", "Did not receive identification string from %{fld18}", processor_chain([ - dup10, - setc("event_description","sshd: Did not receive identification string."), - dup11, - dup2, - ])); - - var msg165 = msg("sshd:01", part173); - - var part174 = match("MESSAGE#165:sshd:02", "nwparser.payload", "Received SIGHUP; restarting.%{}", processor_chain([ - dup12, - setc("event_description","sshd:Received SIGHUP restarting."), - dup11, - dup2, - ])); - - var msg166 = msg("sshd:02", part174); - - var part175 = match("MESSAGE#166:sshd:03", "nwparser.payload", "Server 
listening on %{saddr->} port %{sport}.", processor_chain([ - dup12, - setc("event_description","sshd:Server listening; restarting."), - dup11, - dup2, - ])); - - var msg167 = msg("sshd:03", part175); - - var part176 = match("MESSAGE#167:sshd:04", "nwparser.payload", "Invalid user admin from %{fld18}", processor_chain([ - dup41, - setc("event_description","sshd:Invalid user admin."), - dup11, - dup2, - ])); - - var msg168 = msg("sshd:04", part176); - - var part177 = match("MESSAGE#168:sshd:05", "nwparser.payload", "Failed none for invalid user admin from %{saddr->} port %{sport->} %{fld3}", processor_chain([ - dup41, - setc("event_description","sshd:Failed none for invalid user admin."), - dup11, - dup2, - ])); - - var msg169 = msg("sshd:05", part177); - - var part178 = match("MESSAGE#169:sshd:06", "nwparser.payload", "error: Could not get shadow information for NOUSER%{}", processor_chain([ - dup10, - setc("event_description","sshd:error:Could not get shadow information for NOUSER"), - dup11, - dup2, - ])); - - var msg170 = msg("sshd:06", part178); - - var part179 = match("MESSAGE#170:sshd:07", "nwparser.payload", "Failed password for root from %{saddr->} port %{sport->} %{fld3}", processor_chain([ - dup41, - setc("event_description","sshd:Failed password for root."), - dup11, - dup2, - ])); - - var msg171 = msg("sshd:07", part179); - - var part180 = match("MESSAGE#171:sshd:08", "nwparser.payload", "Accepted password for loginuser from %{saddr->} port %{sport->} %{fld3}", processor_chain([ - setc("eventcategory","1302000000"), - setc("event_description","sshd:Accepted password for loginuser."), - dup11, - dup2, - ])); - - var msg172 = msg("sshd:08", part180); - - var part181 = match("MESSAGE#172:sshd:09", "nwparser.payload", "subsystem request for sftp failed, subsystem not found%{}", processor_chain([ - dup10, - setc("event_description","sshd:subsystem request for sftp failed,subsystem not found."), - dup11, - dup2, - ])); - - var msg173 = msg("sshd:09", part181); 
- - var select16 = linear_select([ - msg165, - msg166, - msg167, - msg168, - msg169, - msg170, - msg171, - msg172, - msg173, - ]); - - var part182 = tagval("MESSAGE#173:aua:01", "nwparser.payload", tvm, { - "caller": "fld4", - "engine": "fld5", - "id": "fld1", - "name": "event_description", - "severity": "severity", - "srcip": "saddr", - "sub": "service", - "sys": "fld2", - "user": "username", - }, processor_chain([ - dup13, - dup11, - dup2, - dup45, - dup46, - ])); - - var msg174 = msg("aua:01", part182); - - var part183 = match("MESSAGE#174:sockd:01", "nwparser.payload", "created new negotiatorchild%{}", processor_chain([ - dup12, - setc("event_description","sockd: created new negotiatorchild."), - dup11, - dup2, - ])); - - var msg175 = msg("sockd:01", part183); - - var part184 = match("MESSAGE#175:sockd:02", "nwparser.payload", "dante/server %{version->} running", processor_chain([ - dup12, - setc("event_description","sockd:dante/server running."), - dup11, - dup2, - ])); - - var msg176 = msg("sockd:02", part184); - - var part185 = match("MESSAGE#176:sockd:03", "nwparser.payload", "sockdexit(): terminating on signal %{fld2}", processor_chain([ - dup12, - setc("event_description","sockd:sockdexit():terminating on signal."), - dup11, - dup2, - ])); - - var msg177 = msg("sockd:03", part185); - - var select17 = linear_select([ - msg175, - msg176, - msg177, - ]); - - var part186 = match("MESSAGE#177:pop3proxy", "nwparser.payload", "Master started%{}", processor_chain([ - dup12, - setc("event_description","pop3proxy:Master started."), - dup11, - dup2, - ])); - - var msg178 = msg("pop3proxy", part186); - - var part187 = tagval("MESSAGE#178:astarosg_TVM", "nwparser.payload", tvm, { - "account": "logon_id", - "action": "action", - "ad_domain": "fld5", - "app-id": "fld20", - "application": "fld19", - "attributes": "obj_name", - "auth": "fld15", - "authtime": "fld9", - "avscantime": "fld12", - "cached": "fld7", - "caller": "fld30", - "category": "policy_id", - 
"categoryname": "info", - "cattime": "fld11", - "class": "group_object", - "client": "fld3", - "content-type": "content_type", - "cookie": "web_cookie", - "count": "fld4", - "device": "fld14", - "dnstime": "fld10", - "dstip": "daddr", - "dstmac": "dmacaddr", - "dstport": "dport", - "engine": "fld31", - "error": "comments", - "exceptions": "fld17", - "extension": "web_extension", - "extra": "info", - "facility": "logon_type", - "file": "filename", - "filename": "filename", - "filteraction": "policyname", - "fullreqtime": "fld13", - "function": "action", - "fwrule": "policy_id", - "group": "group", - "host": "dhost", - "id": "rule", - "info": "context", - "initf": "sinterface", - "length": "fld25", - "line": "fld22", - "localip": "fld31", - "message": "context", - "method": "web_method", - "name": "event_description", - "node": "node", - "object": "fld6", - "outitf": "dinterface", - "prec": "fld30", - "profile": "owner", - "proto": "fld24", - "reason": "comments", - "referer": "web_referer", - "reputation": "fld18", - "request": "fld8", - "seq": "fld23", - "server": "daddr", - "set-cookie": "fld32", - "severity": "severity", - "size": "filename_size", - "srcip": "saddr", - "srcmac": "smacaddr", - "srcport": "sport", - "statuscode": "resultcode", - "storage": "directory", - "sub": "service", - "sys": "vsys", - "tcpflags": "fld29", - "time": "fld21", - "tos": "fld26", - "ttl": "fld28", - "type": "obj_type", - "ua": "fld16", - "url": "url", - "user": "username", - "version": "version", - }, processor_chain([ - dup12, - dup11, - dup2, - dup45, - dup46, - ])); - - var msg179 = msg("astarosg_TVM", part187); - - var part188 = tagval("MESSAGE#179:httpd", "nwparser.payload", tvm, { - "account": "logon_id", - "action": "action", - "ad_domain": "fld5", - "app-id": "fld20", - "application": "fld19", - "attributes": "obj_name", - "auth": "fld15", - "authtime": "fld9", - "avscantime": "fld12", - "cached": "fld7", - "caller": "fld30", - "category": "policy_id", - "categoryname": 
"info", - "cattime": "fld11", - "class": "group_object", - "client": "fld3", - "content-type": "content_type", - "cookie": "web_cookie", - "count": "fld4", - "device": "fld14", - "dnstime": "fld10", - "dstip": "daddr", - "dstmac": "dmacaddr", - "dstport": "dport", - "engine": "fld31", - "error": "comments", - "exceptions": "fld17", - "extension": "web_extension", - "extra": "info", - "facility": "logon_type", - "file": "filename", - "filename": "filename", - "filteraction": "policyname", - "fullreqtime": "fld13", - "function": "action", - "fwrule": "policy_id", - "group": "group", - "host": "dhost", - "id": "rule", - "info": "context", - "initf": "sinterface", - "length": "fld25", - "line": "fld22", - "localip": "fld31", - "message": "context", - "method": "web_method", - "name": "event_description", - "node": "node", - "object": "fld6", - "outitf": "dinterface", - "port": "network_port", - "prec": "fld30", - "profile": "owner", - "proto": "fld24", - "query": "web_query", - "reason": "comments", - "referer": "web_referer", - "reputation": "fld18", - "request": "fld8", - "seq": "fld23", - "server": "daddr", - "set-cookie": "fld32", - "severity": "severity", - "size": "filename_size", - "srcip": "saddr", - "srcmac": "smacaddr", - "srcport": "sport", - "statuscode": "resultcode", - "storage": "directory", - "sub": "service", - "sys": "vsys", - "tcpflags": "fld29", - "time": "fld21", - "tos": "fld26", - "ttl": "fld28", - "type": "obj_type", - "ua": "fld16", - "uid": "uid", - "url": "url", - "user": "username", - "version": "version", - }, processor_chain([ - dup12, - dup11, - dup2, - dup45, - dup46, - ])); - - var msg180 = msg("httpd", part188); - - var part189 = match("MESSAGE#180:httpd:01", "nwparser.payload", "[%{event_log}:%{result}] [pid %{fld3}:%{fld4}] [client %{gateway}] ModSecurity: Warning. 
%{rulename->} [file \"%(unknown)\"] [line \"%{fld5}\"] [id \"%{rule}\"] [rev \"%{fld2}\"] [msg \"%{event_description}\"] [severity \"%{severity}\"] [ver \"%{version}\"] [maturity \"%{fld22}\"] [accuracy \"%{fld23}\"] [tag \"%{fld24}\"] [hostname \"%{dhost}\"] [uri \"%{web_root}\"] [unique_id \"%{operation_id}\"]%{fld25}", processor_chain([ - setc("eventcategory","1502000000"), - dup2, - dup3, - ])); - - var msg181 = msg("httpd:01", part189); - - var select18 = linear_select([ - msg180, - msg181, - ]); - - var part190 = tagval("MESSAGE#181:Sophos_Firewall", "nwparser.payload", tvm, { - "activityname": "fld9", - "appfilter_policy_id": "fld10", - "application": "application", - "application_category": "fld23", - "application_risk": "risk_num", - "application_technology": "fld11", - "appresolvedby": "fld22", - "category": "fld4", - "category_type": "fld5", - "connevent": "fld19", - "connid": "connectionid", - "contenttype": "content_type", - "dir_disp": "fld18", - "domain": "fqdn", - "dst_country_code": "location_dst", - "dst_ip": "daddr", - "dst_port": "dport", - "dstzone": "dst_zone", - "dstzonetype": "fld17", - "duration": "duration", - "exceptions": "fld8", - "fw_rule_id": "rule_uid", - "hb_health": "fld21", - "httpresponsecode": "fld7", - "iap": "id1", - "in_interface": "sinterface", - "ips_policy_id": "policy_id", - "log_component": "event_source", - "log_subtype": "category", - "log_type": "event_type", - "message": "info", - "out_interface": "dinterface", - "override_token": "fld6", - "policy_type": "fld23", - "priority": "severity", - "protocol": "protocol", - "reason": "result", - "recv_bytes": "rbytes", - "recv_pkts": "fld15", - "referer": "web_referer", - "sent_bytes": "sbytes", - "sent_pkts": "fld14", - "src_country_code": "location_src", - "src_ip": "saddr", - "src_mac": "smacaddr", - "src_port": "sport", - "srczone": "src_zone", - "srczonetype": "fld16", - "status": "event_state", - "status_code": "resultcode", - "tran_dst_ip": "dtransaddr", - 
"tran_dst_port": "dtransport", - "tran_src_ip": "stransaddr", - "tran_src_port": "stransport", - "transactionid": "id2", - "url": "url", - "user_agent": "user_agent", - "user_gp": "group", - "user_name": "username", - "vconnid": "fld20", - }, processor_chain([ - setc("eventcategory","1204000000"), - dup2, - date_time({ - dest: "event_time", - args: ["hdate","htime"], - fmts: [ - [dW,dc("-"),dG,dc("-"),dF,dH,dc(":"),dU,dc(":"),dS], - ], - }), - ])); - - var msg182 = msg("Sophos_Firewall", part190); - - var chain1 = processor_chain([ - select1, - msgid_select({ - "Sophos_Firewall": msg182, - "URID": msg38, - "afcd": msg94, - "astarosg_TVM": msg179, - "aua": msg174, - "barnyard": select13, - "confd": msg90, - "confd-sync": msg89, - "exim": select14, - "frox": select9, - "httpd": select18, - "httpproxy": select3, - "ipsec_starter": select10, - "named": select2, - "pluto": select11, - "pop3proxy": msg178, - "reverseproxy": select8, - "smtpd": select15, - "sockd": select17, - "sshd": select16, - "ulogd": msg39, - "xl2tpd": select12, - }), - ]); - - var part191 = match_copy("MESSAGE#44:reverseproxy:07/1_0", "nwparser.p0", "p0"); - -- community_id: -- registered_domain: - ignore_missing: true - ignore_failure: true - field: dns.question.name - target_field: dns.question.registered_domain - target_subdomain_field: dns.question.subdomain - target_etld_field: dns.question.top_level_domain -- registered_domain: - ignore_missing: true - ignore_failure: true - field: client.domain - target_field: client.registered_domain - target_subdomain_field: client.subdomain - target_etld_field: client.top_level_domain -- registered_domain: - ignore_missing: true - ignore_failure: true - field: server.domain - target_field: server.registered_domain - target_subdomain_field: server.subdomain - target_etld_field: server.top_level_domain -- registered_domain: - ignore_missing: true - ignore_failure: true - field: destination.domain - target_field: destination.registered_domain - 
target_subdomain_field: destination.subdomain - target_etld_field: destination.top_level_domain -- registered_domain: - ignore_missing: true - ignore_failure: true - field: source.domain - target_field: source.registered_domain - target_subdomain_field: source.subdomain - target_etld_field: source.top_level_domain -- registered_domain: - ignore_missing: true - ignore_failure: true - field: url.domain - target_field: url.registered_domain - target_subdomain_field: url.subdomain - target_etld_field: url.top_level_domain -- add_locale: ~ diff --git a/packages/sophos/2.4.2/data_stream/utm/elasticsearch/ingest_pipeline/default.yml b/packages/sophos/2.4.2/data_stream/utm/elasticsearch/ingest_pipeline/default.yml deleted file mode 100755 index 29f81ca838..0000000000 --- a/packages/sophos/2.4.2/data_stream/utm/elasticsearch/ingest_pipeline/default.yml +++ /dev/null 
@@ -1,84 +0,0 @@
----
-description: Pipeline for Sophos UTM (formerly Astaro Security Gateway).
-
-processors:
- - set:
- field: ecs.version
- value: '8.4.0'
- - gsub:
- field: destination.mac
- ignore_missing: true
- pattern: '[:]'
- replacement: '-'
- - gsub:
- field: source.mac
- ignore_missing: true
- pattern: '[:]'
- replacement: '-'
- - uppercase:
- field: destination.mac
- ignore_missing: true
- - uppercase:
- field: source.mac
- ignore_missing: true
- # User agent
- - user_agent:
- field: user_agent.original
- ignore_missing: true
- # IP Geolocation Lookup
- - geoip:
- field: source.ip
- target_field: source.geo
- ignore_missing: true
- - geoip:
- field: destination.ip
- target_field: destination.geo
- ignore_missing: true
-
- # IP Autonomous System (AS) Lookup
- - geoip:
- database_file: GeoLite2-ASN.mmdb
- field: source.ip
- target_field: source.as
- properties:
- - asn
- - organization_name
- ignore_missing: true
- - geoip:
- database_file: GeoLite2-ASN.mmdb
- field: destination.ip
- target_field: destination.as
- properties:
- - asn
- - organization_name
- ignore_missing: true
- - rename:
- field: source.as.asn
- target_field: source.as.number
- ignore_missing: true
- - rename:
- field: source.as.organization_name
- target_field: source.as.organization.name
- ignore_missing: true
- - rename:
- field: destination.as.asn
- target_field: destination.as.number
- ignore_missing: true
- - rename:
- field: destination.as.organization_name
- target_field: destination.as.organization.name
- ignore_missing: true
- - append:
- field: related.hosts
- value: '{{host.name}}'
- allow_duplicates: false
- if: ctx.host?.name != null && ctx.host?.name != ''
- - remove:
- field: event.original
- if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))"
- ignore_failure: true
- ignore_missing: true
-on_failure:
- - append:
- field: error.message
- value: "{{ _ingest.on_failure_message }}"
diff --git a/packages/sophos/2.4.2/data_stream/utm/fields/base-fields.yml b/packages/sophos/2.4.2/data_stream/utm/fields/base-fields.yml
deleted file mode 100755
index cfae8afa1a..0000000000
--- a/packages/sophos/2.4.2/data_stream/utm/fields/base-fields.yml
+++ /dev/null
@@ -1,43 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: event.module
- type: constant_keyword
- description: Event module
- value: sophos
-- name: event.dataset
- type: constant_keyword
- description: Event dataset
- value: sophos.utm
-- name: container.id
- description: Unique container id.
- ignore_above: 1024
- type: keyword
-- name: input.type
- description: Type of Filebeat input.
- type: keyword
-- name: log.file.path
- description: Full path to the log file this event came from.
- example: /var/log/fun-times.log
- ignore_above: 1024
- type: keyword
-- name: log.source.address
- description: Source address from which the log event was read / sent from.
- type: keyword
-- name: log.flags
- description: Flags for the log file.
- type: keyword
-- name: log.offset
- description: Offset of the entry in the log file.
- type: long
-- name: tags
- description: List of keywords used to tag each event.
- example: '["production", "env2"]'
- ignore_above: 1024
- type: keyword
diff --git a/packages/sophos/2.4.2/data_stream/utm/fields/ecs.yml b/packages/sophos/2.4.2/data_stream/utm/fields/ecs.yml
deleted file mode 100755
index f7e5c95752..0000000000
--- a/packages/sophos/2.4.2/data_stream/utm/fields/ecs.yml
+++ /dev/null
@@ -1,547 +0,0 @@ -- description: |- - Date/time when the event originated. - This is the date/time extracted from the event, typically representing when the event was generated by the source. - If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. - Required field for all events. - name: '@timestamp' - type: date -- description: |- - The domain name of the client system. - This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. - name: client.domain - type: keyword -- description: |- - The highest registered client domain, stripped of the subdomain. - For example, the registered domain for "foo.example.com" is "example.com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". - name: client.registered_domain - type: keyword -- description: |- - The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. - For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. - name: client.subdomain - type: keyword -- description: |- - The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). 
Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". - name: client.top_level_domain - type: keyword -- description: |- - Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: destination.address - type: keyword -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: destination.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: destination.as.organization.name - type: keyword -- description: Bytes sent from the destination to the source. - name: destination.bytes - type: long -- description: |- - The domain name of the destination system. - This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. - name: destination.domain - type: keyword -- description: City name. - name: destination.geo.city_name - type: keyword -- description: Country name. - name: destination.geo.country_name - type: keyword -- description: Longitude and latitude. - name: destination.geo.location - type: geo_point -- description: IP address of the destination (IPv4 or IPv6). - name: destination.ip - type: ip -- description: |- - MAC address of the destination. - The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. 
- name: destination.mac - pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ - type: keyword -- description: |- - Translated ip of destination based NAT sessions (e.g. internet to private DMZ) - Typically used with load balancers, firewalls, or routers. - name: destination.nat.ip - type: ip -- description: |- - Port the source session is translated to by NAT Device. - Typically used with load balancers, firewalls, or routers. - name: destination.nat.port - type: long -- description: Port of the destination. - name: destination.port - type: long -- description: |- - The highest registered destination domain, stripped of the subdomain. - For example, the registered domain for "foo.example.com" is "example.com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". - name: destination.registered_domain - type: keyword -- description: |- - The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. - For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. - name: destination.subdomain - type: keyword -- description: |- - The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". 
- name: destination.top_level_domain - type: keyword -- description: |- - The domain name to which this resource record pertains. - If a chain of CNAME is being resolved, each answer's `name` should be the one that corresponds with the answer's `data`. It should not simply be the original `question.name` repeated. - name: dns.answers.name - type: keyword -- description: The type of data contained in this resource record. - name: dns.answers.type - type: keyword -- description: |- - The highest registered domain, stripped of the subdomain. - For example, the registered domain for "foo.example.com" is "example.com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". - name: dns.question.registered_domain - type: keyword -- description: |- - The subdomain is all of the labels under the registered_domain. - If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. - name: dns.question.subdomain - type: keyword -- description: |- - The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". - name: dns.question.top_level_domain - type: keyword -- description: The type of record being queried. - name: dns.question.type - type: keyword -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. 
- When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: Error message. - name: error.message - type: match_only_text -- description: |- - The action captured by the event. - This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. - name: event.action - type: keyword -- description: |- - Identification code for this event, if one exists. - Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. - name: event.code - type: keyword -- description: |- - Timestamp when an event arrived in the central data store. - This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. - In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. - name: event.ingested - type: date -- description: |- - Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. - This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. - doc_values: false - index: false - name: event.original - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. 
- `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. - Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. - Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. - Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. - name: event.outcome - type: keyword -- description: |- - This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. - Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). - name: event.timezone - type: keyword -- description: |- - Array of file attributes. - Attributes names will vary by platform. Here's a non-exhaustive list of values that are expected in this field: archive, compressed, directory, encrypted, execute, hidden, read, readonly, system, write. - name: file.attributes - normalize: - - array - type: keyword -- description: Directory where the file is located. It should include the drive letter, when appropriate. - name: file.directory - type: keyword -- description: |- - File extension, excluding the leading dot. - Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). - name: file.extension - type: keyword -- description: Name of the file including the extension, without the directory. 
- name: file.name - type: keyword -- description: Full path to the file, including the file name. It should include the drive letter, when appropriate. - multi_fields: - - name: text - type: match_only_text - name: file.path - type: keyword -- description: |- - File size in bytes. - Only relevant when `file.type` is "file". - name: file.size - type: long -- description: File type (file, dir, or symlink). - name: file.type - type: keyword -- description: City name. - name: geo.city_name - type: keyword -- description: Country name. - name: geo.country_name - type: keyword -- description: |- - User-defined description of a location, at the level of granularity they care about. - Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. - Not typically used in automated geolocation. - name: geo.name - type: keyword -- description: Region name. - name: geo.region_name - type: keyword -- description: Unique identifier for the group on the system/platform. - name: group.id - type: keyword -- description: Name of the group. - name: group.name - type: keyword -- description: |- - Hostname of the host. - It normally contains what the `hostname` command returns on the host machine. - name: host.hostname - type: keyword -- description: Host ip addresses. - name: host.ip - normalize: - - array - type: ip -- description: |- - Host MAC addresses. - The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. - name: host.mac - normalize: - - array - pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ - type: keyword -- description: |- - Name of the host. - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. 
- name: host.name - type: keyword -- description: |- - HTTP request method. - The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field. - name: http.request.method - type: keyword -- description: Referrer for this HTTP request. - name: http.request.referrer - type: keyword -- description: |- - Original log level of the log event. - If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). - Some examples are `warn`, `err`, `i`, `informational`. - name: log.level - type: keyword -- description: |- - The Syslog numeric facility of the log event, if available. - According to RFCs 5424 and 3164, this value should be an integer between 0 and 23. - name: log.syslog.facility.code - type: long -- description: |- - Syslog numeric priority of the event, if available. - According to RFCs 5424 and 3164, the priority is 8 * facility + severity. This number is therefore expected to contain a value between 0 and 191. - name: log.syslog.priority - type: long -- description: |- - The Syslog numeric severity of the log event, if available. - If the event source publishing via Syslog provides a different numeric severity value (e.g. firewall, IDS), your source's numeric severity should go to `event.severity`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `event.severity`. - name: log.syslog.severity.code - type: long -- description: |- - For log events the message field contains the log message, optimized for viewing in a log viewer. - For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. - If multiple messages exist, they can be combined into one message. 
- name: message - type: match_only_text -- description: |- - When a specific application or service is identified from network connection details (source/dest IPs, ports, certificates, or wire format), this field captures the application's or service's name. - For example, the original event identifies the network connection being from a specific web service in a `https` network connection, like `facebook` or `twitter`. - The field value must be normalized to lowercase for querying. - name: network.application - type: keyword -- description: |- - Total bytes transferred in both directions. - If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. - name: network.bytes - type: long -- description: |- - Direction of the network traffic. - When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". - When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". - Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. - name: network.direction - type: keyword -- description: Host IP address when the source IP address is the proxy. - name: network.forwarded_ip - type: ip -- description: |- - Total packets transferred in both directions. - If `source.packets` and `destination.packets` are known, `network.packets` is their sum. - name: network.packets - type: long -- description: |- - In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. - The field value must be normalized to lowercase for querying. 
- name: network.protocol - type: keyword -- description: Interface name as reported by the system. - name: observer.egress.interface.name - type: keyword -- description: Interface name as reported by the system. - name: observer.ingress.interface.name - type: keyword -- description: The product name of the observer. - name: observer.product - type: keyword -- description: |- - The type of the observer the data is coming from. - There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. - name: observer.type - type: keyword -- description: Vendor name of the observer. - name: observer.vendor - type: keyword -- description: Observer version. - name: observer.version - type: keyword -- description: |- - Process name. - Sometimes called program name or similar. - multi_fields: - - name: text - type: match_only_text - name: process.name - type: keyword -- description: |- - Process name. - Sometimes called program name or similar. - multi_fields: - - name: text - type: match_only_text - name: process.parent.name - type: keyword -- description: |- - Process title. - The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. - multi_fields: - - name: text - type: match_only_text - name: process.parent.title - type: keyword -- description: Process id. - name: process.pid - type: long -- description: Process id. - name: process.parent.pid - type: long -- description: |- - Process title. - The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. - multi_fields: - - name: text - type: match_only_text - name: process.title - type: keyword -- description: All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. 
- name: related.hosts - normalize: - - array - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - normalize: - - array - type: ip -- description: All the user names or other user identifiers seen on the event. - name: related.user - normalize: - - array - type: keyword -- description: The name of the rule or signature generating the event. - name: rule.name - type: keyword -- description: |- - The domain name of the server system. - This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. - name: server.domain - type: keyword -- description: |- - The highest registered server domain, stripped of the subdomain. - For example, the registered domain for "foo.example.com" is "example.com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". - name: server.registered_domain - type: keyword -- description: |- - The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. - For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. - name: server.subdomain - type: keyword -- description: |- - The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). 
Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". - name: server.top_level_domain - type: keyword -- description: |- - Name of the service data is collected from. - The name of the service is normally user given. This allows for distributed services that run on multiple hosts to correlate the related instances based on the name. - In the case of Elasticsearch the `service.name` could contain the cluster name. For Beats the `service.name` is by default a copy of the `service.type` field if no name is specified. - name: service.name - type: keyword -- description: |- - Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: source.address - type: keyword -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: source.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: source.as.organization.name - type: keyword -- description: Bytes sent from the source to the destination. - name: source.bytes - type: long -- description: |- - The domain name of the source system. - This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. - name: source.domain - type: keyword -- description: City name. - name: source.geo.city_name - type: keyword -- description: Country name. - name: source.geo.country_name - type: keyword -- description: Longitude and latitude. - name: source.geo.location - type: geo_point -- description: IP address of the source (IPv4 or IPv6). 
- name: source.ip - type: ip -- description: |- - MAC address of the source. - The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. - name: source.mac - pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ - type: keyword -- description: |- - Translated ip of source based NAT sessions (e.g. internal client to internet) - Typically connections traversing load balancers, firewalls, or routers. - name: source.nat.ip - type: ip -- description: |- - Translated port of source based NAT sessions. (e.g. internal client to internet) - Typically used with load balancers, firewalls, or routers. - name: source.nat.port - type: long -- description: Port of the source. - name: source.port - type: long -- description: |- - The highest registered source domain, stripped of the subdomain. - For example, the registered domain for "foo.example.com" is "example.com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". - name: source.registered_domain - type: keyword -- description: |- - The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. - For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. 
- name: source.subdomain - type: keyword -- description: |- - The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". - name: source.top_level_domain - type: keyword -- description: List of keywords used to tag each event. - name: tags - normalize: - - array - type: keyword -- description: |- - Domain of the url, such as "www.elastic.co". - In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. - If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. - name: url.domain - type: keyword -- description: |- - Unmodified original url as seen in the event source. - Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. - This field is meant to represent the URL as it was observed, complete or not. - multi_fields: - - name: text - type: match_only_text - name: url.original - type: wildcard -- description: Path of the request, such as "/search". - name: url.path - type: wildcard -- description: |- - The query field describes the query string of the request, such as "q=elasticsearch". - The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. - name: url.query - type: keyword -- description: |- - The highest registered url domain, stripped of the subdomain. 
- For example, the registered domain for "foo.example.com" is "example.com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". - name: url.registered_domain - type: keyword -- description: |- - The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". - name: url.top_level_domain - type: keyword -- description: |- - Name of the directory the user is a member of. - For example, an LDAP or Active Directory domain name. - name: user.domain - type: keyword -- description: User's full name, if available. - multi_fields: - - name: text - type: match_only_text - name: user.full_name - type: keyword -- description: Unique identifier of the user. - name: user.id - type: keyword -- description: Short name or login of the user. - multi_fields: - - name: text - type: match_only_text - name: user.name - type: keyword -- description: Unparsed user_agent string. - multi_fields: - - name: text - type: match_only_text - name: user_agent.original - type: keyword diff --git a/packages/sophos/2.4.2/data_stream/utm/fields/fields.yml b/packages/sophos/2.4.2/data_stream/utm/fields/fields.yml deleted file mode 100755 index ea69cd79e3..0000000000 --- a/packages/sophos/2.4.2/data_stream/utm/fields/fields.yml +++ /dev/null 
@@ -1,1754 +0,0 @@ -- name: rsa - type: group - fields: - - name: internal - type: group - fields: - - name: msg - type: keyword - description: This key is used to capture the raw message that comes into the Log Decoder - - name: messageid - type: keyword - - name: event_desc - type: keyword - - name: message - type: keyword - description: This key captures the contents of instant messages - - name: time - type: date - description: This is the time at which a session hits a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. - - name: level - type: long - description: Deprecated key defined only in table map. - - name: msg_id - type: keyword - description: This is the Message ID1 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: msg_vid - type: keyword - description: This is the Message ID2 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: data - type: keyword - description: Deprecated key defined only in table map. - - name: obj_server - type: keyword - description: Deprecated key defined only in table map. - - name: obj_val - type: keyword - description: Deprecated key defined only in table map. - - name: resource - type: keyword - description: Deprecated key defined only in table map. - - name: obj_id - type: keyword - description: Deprecated key defined only in table map. - - name: statement - type: keyword - description: Deprecated key defined only in table map. - - name: audit_class - type: keyword - description: Deprecated key defined only in table map. 
- - name: entry - type: keyword - description: Deprecated key defined only in table map. - - name: hcode - type: keyword - description: Deprecated key defined only in table map. - - name: inode - type: long - description: Deprecated key defined only in table map. - - name: resource_class - type: keyword - description: Deprecated key defined only in table map. - - name: dead - type: long - description: Deprecated key defined only in table map. - - name: feed_desc - type: keyword - description: This is used to capture the description of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: feed_name - type: keyword - description: This is used to capture the name of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: cid - type: keyword - description: This is the unique identifier used to identify a NetWitness Concentrator. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: device_class - type: keyword - description: This is the Classification of the Log Event Source under a predefined fixed set of Event Source Classifications. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: device_group - type: keyword - description: This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: device_host - type: keyword - description: This is the Hostname of the log Event Source sending the logs to NetWitness. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: device_ip - type: ip - description: This is the IPv4 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: device_ipv6 - type: ip - description: This is the IPv6 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: device_type - type: keyword - description: This is the name of the log parser which parsed a given session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: device_type_id - type: long - description: Deprecated key defined only in table map. - - name: did - type: keyword - description: This is the unique identifier used to identify a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: entropy_req - type: long - description: This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration - - name: entropy_res - type: long - description: This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration - - name: event_name - type: keyword - description: Deprecated key defined only in table map. - - name: feed_category - type: keyword - description: This is used to capture the category of the feed. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: forward_ip - type: ip - description: This key should be used to capture the IPV4 address of a relay system which forwarded the events from the original system to NetWitness. - - name: forward_ipv6 - type: ip - description: This key is used to capture the IPV6 address of a relay system which forwarded the events from the original system to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: header_id - type: keyword - description: This is the Header ID value that identifies the exact log parser header definition that parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: lc_cid - type: keyword - description: This is a unique Identifier of a Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: lc_ctime - type: date - description: This is the time at which a log is collected in a NetWitness Log Collector. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: mcb_req - type: long - description: This key is only used by the Entropy Parser, the most common byte request is simply which byte for each side (0 thru 255) was seen the most - - name: mcb_res - type: long - description: This key is only used by the Entropy Parser, the most common byte response is simply which byte for each side (0 thru 255) was seen the most - - name: mcbc_req - type: long - description: This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams - - name: mcbc_res - type: long - description: This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams - - name: medium - type: long - description: "This key is used to identify if it’s a log/packet session or Layer 2 Encapsulation Type. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. 32 = log, 33 = correlation session, < 32 is packet session" - - name: node_name - type: keyword - description: Deprecated key defined only in table map. - - name: nwe_callback_id - type: keyword - description: This key denotes that event is endpoint related - - name: parse_error - type: keyword - description: This is a special key that stores any Meta key validation error found while parsing a log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: payload_req - type: long - description: This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. 
However, in order to keep - - name: payload_res - type: long - description: This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep - - name: process_vid_dst - type: keyword - description: Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the target process. - - name: process_vid_src - type: keyword - description: Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the source process. - - name: rid - type: long - description: This is a special ID of the Remote Session created by NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: session_split - type: keyword - description: This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: site - type: keyword - description: Deprecated key defined only in table map. - - name: size - type: long - description: This is the size of the session as seen by the NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: sourcefile - type: keyword - description: This is the name of the log file or PCAPs that can be imported into NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: ubc_req - type: long - description: This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 
256 would mean all byte values of 0 thru 255 were seen at least once - - name: ubc_res - type: long - description: This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once - - name: word - type: keyword - description: This is used by the Word Parsing technology to capture the first 5 character of every word in an unparsed log - - name: time - type: group - fields: - - name: event_time - type: date - description: This key is used to capture the time mentioned in a raw session that represents the actual time an event occured in a standard normalized form - - name: duration_time - type: double - description: This key is used to capture the normalized duration/lifetime in seconds. - - name: event_time_str - type: keyword - description: This key is used to capture the incomplete time mentioned in a session as a string - - name: starttime - type: date - description: This key is used to capture the Start time mentioned in a session in a standard form - - name: month - type: keyword - - name: day - type: keyword - - name: endtime - type: date - description: This key is used to capture the End time mentioned in a session in a standard form - - name: timezone - type: keyword - description: This key is used to capture the timezone of the Event Time - - name: duration_str - type: keyword - description: A text string version of the duration - - name: date - type: keyword - - name: year - type: keyword - - name: recorded_time - type: date - description: The event time as recorded by the system the event is collected from. The usage scenario is a multi-tier application where the management layer of the system records it's own timestamp at the time of collection from its child nodes. Must be in timestamp format. 
- - name: datetime - type: keyword - - name: effective_time - type: date - description: This key is the effective time referenced by an individual event in a Standard Timestamp format - - name: expire_time - type: date - description: This key is the timestamp that explicitly refers to an expiration. - - name: process_time - type: keyword - description: Deprecated, use duration.time - - name: hour - type: keyword - - name: min - type: keyword - - name: timestamp - type: keyword - - name: event_queue_time - type: date - description: This key is the Time that the event was queued. - - name: p_time1 - type: keyword - - name: tzone - type: keyword - - name: eventtime - type: keyword - - name: gmtdate - type: keyword - - name: gmttime - type: keyword - - name: p_date - type: keyword - - name: p_month - type: keyword - - name: p_time - type: keyword - - name: p_time2 - type: keyword - - name: p_year - type: keyword - - name: expire_time_str - type: keyword - description: This key is used to capture incomplete timestamp that explicitly refers to an expiration. - - name: stamp - type: date - description: Deprecated key defined only in table map. - - name: misc - type: group - fields: - - name: action - type: keyword - - name: result - type: keyword - description: This key is used to capture the outcome/result string value of an action in a session. - - name: severity - type: keyword - description: This key is used to capture the severity given the session - - name: event_type - type: keyword - description: This key captures the event category type as specified by the event source. - - name: reference_id - type: keyword - description: This key is used to capture an event id from the session directly - - name: version - type: keyword - description: This key captures Version of the application or OS which is generating the event. - - name: disposition - type: keyword - description: This key captures the The end state of an action. 
- - name: result_code - type: keyword - description: This key is used to capture the outcome/result numeric value of an action in a session - - name: category - type: keyword - description: This key is used to capture the category of an event given by the vendor in the session - - name: obj_name - type: keyword - description: This is used to capture name of object - - name: obj_type - type: keyword - description: This is used to capture type of object - - name: event_source - type: keyword - description: "This key captures Source of the event that’s not a hostname" - - name: log_session_id - type: keyword - description: This key is used to capture a sessionid from the session directly - - name: group - type: keyword - description: This key captures the Group Name value - - name: policy_name - type: keyword - description: This key is used to capture the Policy Name only. - - name: rule_name - type: keyword - description: This key captures the Rule Name - - name: context - type: keyword - description: This key captures Information which adds additional context to the event. - - name: change_new - type: keyword - description: "This key is used to capture the new values of the attribute that’s changing in a session" - - name: space - type: keyword - - name: client - type: keyword - description: This key is used to capture only the name of the client application requesting resources of the server. See the user.agent meta key for capture of the specific user agent identifier or browser identification string. - - name: msgIdPart1 - type: keyword - - name: msgIdPart2 - type: keyword - - name: change_old - type: keyword - description: "This key is used to capture the old value of the attribute that’s changing in a session" - - name: operation_id - type: keyword - description: An alert number or operation number. The values should be unique and non-repeating. 
- - name: event_state - type: keyword - description: This key captures the current state of the object/item referenced within the event. Describing an on-going event. - - name: group_object - type: keyword - description: This key captures a collection/grouping of entities. Specific usage - - name: node - type: keyword - description: Common use case is the node name within a cluster. The cluster name is reflected by the host name. - - name: rule - type: keyword - description: This key captures the Rule number - - name: device_name - type: keyword - description: 'This is used to capture name of the Device associated with the node Like: a physical disk, printer, etc' - - name: param - type: keyword - description: This key is the parameters passed as part of a command or application, etc. - - name: change_attrib - type: keyword - description: "This key is used to capture the name of the attribute that’s changing in a session" - - name: event_computer - type: keyword - description: This key is a windows only concept, where this key is used to capture fully qualified domain name in a windows log. - - name: reference_id1 - type: keyword - description: This key is for Linked ID to be used as an addition to "reference.id" - - name: event_log - type: keyword - description: This key captures the Name of the event log - - name: OS - type: keyword - description: This key captures the Name of the Operating System - - name: terminal - type: keyword - description: This key captures the Terminal Names only - - name: msgIdPart3 - type: keyword - - name: filter - type: keyword - description: This key captures Filter used to reduce result set - - name: serial_number - type: keyword - description: This key is the Serial number associated with a physical asset. - - name: checksum - type: keyword - description: This key is used to capture the checksum or hash of the entity such as a file or process. 
Checksum should be used over checksum.src or checksum.dst when it is unclear whether the entity is a source or target of an action. - - name: event_user - type: keyword - description: This key is a windows only concept, where this key is used to capture combination of domain name and username in a windows log. - - name: virusname - type: keyword - description: This key captures the name of the virus - - name: content_type - type: keyword - description: This key is used to capture Content Type only. - - name: group_id - type: keyword - description: This key captures Group ID Number (related to the group name) - - name: policy_id - type: keyword - description: This key is used to capture the Policy ID only, this should be a numeric value, use policy.name otherwise - - name: vsys - type: keyword - description: This key captures Virtual System Name - - name: connection_id - type: keyword - description: This key captures the Connection ID - - name: reference_id2 - type: keyword - description: This key is for the 2nd Linked ID. Can be either linked to "reference.id" or "reference.id1" value but should not be used unless the other two variables are in play. - - name: sensor - type: keyword - description: This key captures Name of the sensor. Typically used in IDS/IPS based devices - - name: sig_id - type: long - description: This key captures IDS/IPS Int Signature ID - - name: port_name - type: keyword - description: 'This key is used for Physical or logical port connection but does NOT include a network port. (Example: Printer port name).' - - name: rule_group - type: keyword - description: This key captures the Rule group name - - name: risk_num - type: double - description: This key captures a Numeric Risk value - - name: trigger_val - type: keyword - description: This key captures the Value of the trigger or threshold condition. 
- - name: log_session_id1 - type: keyword - description: This key is used to capture a Linked (Related) Session ID from the session directly - - name: comp_version - type: keyword - description: This key captures the Version level of a sub-component of a product. - - name: content_version - type: keyword - description: This key captures Version level of a signature or database content. - - name: hardware_id - type: keyword - description: This key is used to capture unique identifier for a device or system (NOT a Mac address) - - name: risk - type: keyword - description: This key captures the non-numeric risk value - - name: event_id - type: keyword - - name: reason - type: keyword - - name: status - type: keyword - - name: mail_id - type: keyword - description: This key is used to capture the mailbox id/name - - name: rule_uid - type: keyword - description: This key is the Unique Identifier for a rule. - - name: trigger_desc - type: keyword - description: This key captures the Description of the trigger or threshold condition. - - name: inout - type: keyword - - name: p_msgid - type: keyword - - name: data_type - type: keyword - - name: msgIdPart4 - type: keyword - - name: error - type: keyword - description: This key captures All non successful Error codes or responses - - name: index - type: keyword - - name: listnum - type: keyword - description: This key is used to capture listname or listnumber, primarily for collecting access-list - - name: ntype - type: keyword - - name: observed_val - type: keyword - description: This key captures the Value observed (from the perspective of the device generating the log). - - name: policy_value - type: keyword - description: This key captures the contents of the policy. 
This contains details about the policy - - name: pool_name - type: keyword - description: This key captures the name of a resource pool - - name: rule_template - type: keyword - description: A default set of parameters which are overlayed onto a rule (or rulename) which efffectively constitutes a template - - name: count - type: keyword - - name: number - type: keyword - - name: sigcat - type: keyword - - name: type - type: keyword - - name: comments - type: keyword - description: Comment information provided in the log message - - name: doc_number - type: long - description: This key captures File Identification number - - name: expected_val - type: keyword - description: This key captures the Value expected (from the perspective of the device generating the log). - - name: job_num - type: keyword - description: This key captures the Job Number - - name: spi_dst - type: keyword - description: Destination SPI Index - - name: spi_src - type: keyword - description: Source SPI Index - - name: code - type: keyword - - name: agent_id - type: keyword - description: This key is used to capture agent id - - name: message_body - type: keyword - description: This key captures the The contents of the message body. - - name: phone - type: keyword - - name: sig_id_str - type: keyword - description: This key captures a string object of the sigid variable. - - name: cmd - type: keyword - - name: misc - type: keyword - - name: name - type: keyword - - name: cpu - type: long - description: This key is the CPU time used in the execution of the event being recorded. - - name: event_desc - type: keyword - description: This key is used to capture a description of an event available directly or inferred - - name: sig_id1 - type: long - description: This key captures IDS/IPS Int Signature ID. 
This must be linked to the sig.id - - name: im_buddyid - type: keyword - - name: im_client - type: keyword - - name: im_userid - type: keyword - - name: pid - type: keyword - - name: priority - type: keyword - - name: context_subject - type: keyword - description: This key is to be used in an audit context where the subject is the object being identified - - name: context_target - type: keyword - - name: cve - type: keyword - description: This key captures CVE (Common Vulnerabilities and Exposures) - an identifier for known information security vulnerabilities. - - name: fcatnum - type: keyword - description: This key captures Filter Category Number. Legacy Usage - - name: library - type: keyword - description: This key is used to capture library information in mainframe devices - - name: parent_node - type: keyword - description: This key captures the Parent Node Name. Must be related to node variable. - - name: risk_info - type: keyword - description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - - name: tcp_flags - type: long - description: This key is captures the TCP flags set in any packet of session - - name: tos - type: long - description: This key describes the type of service - - name: vm_target - type: keyword - description: VMWare Target **VMWARE** only varaible. 
- - name: workspace - type: keyword - description: This key captures Workspace Description - - name: command - type: keyword - - name: event_category - type: keyword - - name: facilityname - type: keyword - - name: forensic_info - type: keyword - - name: jobname - type: keyword - - name: mode - type: keyword - - name: policy - type: keyword - - name: policy_waiver - type: keyword - - name: second - type: keyword - - name: space1 - type: keyword - - name: subcategory - type: keyword - - name: tbdstr2 - type: keyword - - name: alert_id - type: keyword - description: Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - - name: checksum_dst - type: keyword - description: This key is used to capture the checksum or hash of the the target entity such as a process or file. - - name: checksum_src - type: keyword - description: This key is used to capture the checksum or hash of the source entity such as a file or process. - - name: fresult - type: long - description: This key captures the Filter Result - - name: payload_dst - type: keyword - description: This key is used to capture destination payload - - name: payload_src - type: keyword - description: This key is used to capture source payload - - name: pool_id - type: keyword - description: This key captures the identifier (typically numeric field) of a resource pool - - name: process_id_val - type: keyword - description: This key is a failure key for Process ID when it is not an integer value - - name: risk_num_comm - type: double - description: This key captures Risk Number Community - - name: risk_num_next - type: double - description: This key captures Risk Number NextGen - - name: risk_num_sand - type: double - description: This key captures Risk Number SandBox - - name: risk_num_static - type: double - description: This key captures Risk Number Static - - name: risk_suspicious - type: keyword - description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - - name: risk_warning - 
type: keyword - description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - - name: snmp_oid - type: keyword - description: SNMP Object Identifier - - name: sql - type: keyword - description: This key captures the SQL query - - name: vuln_ref - type: keyword - description: This key captures the Vulnerability Reference details - - name: acl_id - type: keyword - - name: acl_op - type: keyword - - name: acl_pos - type: keyword - - name: acl_table - type: keyword - - name: admin - type: keyword - - name: alarm_id - type: keyword - - name: alarmname - type: keyword - - name: app_id - type: keyword - - name: audit - type: keyword - - name: audit_object - type: keyword - - name: auditdata - type: keyword - - name: benchmark - type: keyword - - name: bypass - type: keyword - - name: cache - type: keyword - - name: cache_hit - type: keyword - - name: cefversion - type: keyword - - name: cfg_attr - type: keyword - - name: cfg_obj - type: keyword - - name: cfg_path - type: keyword - - name: changes - type: keyword - - name: client_ip - type: keyword - - name: clustermembers - type: keyword - - name: cn_acttimeout - type: keyword - - name: cn_asn_src - type: keyword - - name: cn_bgpv4nxthop - type: keyword - - name: cn_ctr_dst_code - type: keyword - - name: cn_dst_tos - type: keyword - - name: cn_dst_vlan - type: keyword - - name: cn_engine_id - type: keyword - - name: cn_engine_type - type: keyword - - name: cn_f_switch - type: keyword - - name: cn_flowsampid - type: keyword - - name: cn_flowsampintv - type: keyword - - name: cn_flowsampmode - type: keyword - - name: cn_inacttimeout - type: keyword - - name: cn_inpermbyts - type: keyword - - name: cn_inpermpckts - type: keyword - - name: cn_invalid - type: keyword - - name: cn_ip_proto_ver - type: keyword - - name: cn_ipv4_ident - type: keyword - - name: cn_l_switch - type: keyword - - name: cn_log_did - type: keyword - - name: cn_log_rid - type: keyword - - name: cn_max_ttl - type: keyword - - name: 
cn_maxpcktlen - type: keyword - - name: cn_min_ttl - type: keyword - - name: cn_minpcktlen - type: keyword - - name: cn_mpls_lbl_1 - type: keyword - - name: cn_mpls_lbl_10 - type: keyword - - name: cn_mpls_lbl_2 - type: keyword - - name: cn_mpls_lbl_3 - type: keyword - - name: cn_mpls_lbl_4 - type: keyword - - name: cn_mpls_lbl_5 - type: keyword - - name: cn_mpls_lbl_6 - type: keyword - - name: cn_mpls_lbl_7 - type: keyword - - name: cn_mpls_lbl_8 - type: keyword - - name: cn_mpls_lbl_9 - type: keyword - - name: cn_mplstoplabel - type: keyword - - name: cn_mplstoplabip - type: keyword - - name: cn_mul_dst_byt - type: keyword - - name: cn_mul_dst_pks - type: keyword - - name: cn_muligmptype - type: keyword - - name: cn_sampalgo - type: keyword - - name: cn_sampint - type: keyword - - name: cn_seqctr - type: keyword - - name: cn_spackets - type: keyword - - name: cn_src_tos - type: keyword - - name: cn_src_vlan - type: keyword - - name: cn_sysuptime - type: keyword - - name: cn_template_id - type: keyword - - name: cn_totbytsexp - type: keyword - - name: cn_totflowexp - type: keyword - - name: cn_totpcktsexp - type: keyword - - name: cn_unixnanosecs - type: keyword - - name: cn_v6flowlabel - type: keyword - - name: cn_v6optheaders - type: keyword - - name: comp_class - type: keyword - - name: comp_name - type: keyword - - name: comp_rbytes - type: keyword - - name: comp_sbytes - type: keyword - - name: cpu_data - type: keyword - - name: criticality - type: keyword - - name: cs_agency_dst - type: keyword - - name: cs_analyzedby - type: keyword - - name: cs_av_other - type: keyword - - name: cs_av_primary - type: keyword - - name: cs_av_secondary - type: keyword - - name: cs_bgpv6nxthop - type: keyword - - name: cs_bit9status - type: keyword - - name: cs_context - type: keyword - - name: cs_control - type: keyword - - name: cs_data - type: keyword - - name: cs_datecret - type: keyword - - name: cs_dst_tld - type: keyword - - name: cs_eth_dst_ven - type: keyword - - 
name: cs_eth_src_ven - type: keyword - - name: cs_event_uuid - type: keyword - - name: cs_filetype - type: keyword - - name: cs_fld - type: keyword - - name: cs_if_desc - type: keyword - - name: cs_if_name - type: keyword - - name: cs_ip_next_hop - type: keyword - - name: cs_ipv4dstpre - type: keyword - - name: cs_ipv4srcpre - type: keyword - - name: cs_lifetime - type: keyword - - name: cs_log_medium - type: keyword - - name: cs_loginname - type: keyword - - name: cs_modulescore - type: keyword - - name: cs_modulesign - type: keyword - - name: cs_opswatresult - type: keyword - - name: cs_payload - type: keyword - - name: cs_registrant - type: keyword - - name: cs_registrar - type: keyword - - name: cs_represult - type: keyword - - name: cs_rpayload - type: keyword - - name: cs_sampler_name - type: keyword - - name: cs_sourcemodule - type: keyword - - name: cs_streams - type: keyword - - name: cs_targetmodule - type: keyword - - name: cs_v6nxthop - type: keyword - - name: cs_whois_server - type: keyword - - name: cs_yararesult - type: keyword - - name: description - type: keyword - - name: devvendor - type: keyword - - name: distance - type: keyword - - name: dstburb - type: keyword - - name: edomain - type: keyword - - name: edomaub - type: keyword - - name: euid - type: keyword - - name: facility - type: keyword - - name: finterface - type: keyword - - name: flags - type: keyword - - name: gaddr - type: keyword - - name: id3 - type: keyword - - name: im_buddyname - type: keyword - - name: im_croomid - type: keyword - - name: im_croomtype - type: keyword - - name: im_members - type: keyword - - name: im_username - type: keyword - - name: ipkt - type: keyword - - name: ipscat - type: keyword - - name: ipspri - type: keyword - - name: latitude - type: keyword - - name: linenum - type: keyword - - name: list_name - type: keyword - - name: load_data - type: keyword - - name: location_floor - type: keyword - - name: location_mark - type: keyword - - name: log_id - 
type: keyword - - name: log_type - type: keyword - - name: logid - type: keyword - - name: logip - type: keyword - - name: logname - type: keyword - - name: longitude - type: keyword - - name: lport - type: keyword - - name: mbug_data - type: keyword - - name: misc_name - type: keyword - - name: msg_type - type: keyword - - name: msgid - type: keyword - - name: netsessid - type: keyword - - name: num - type: keyword - - name: number1 - type: keyword - - name: number2 - type: keyword - - name: nwwn - type: keyword - - name: object - type: keyword - - name: operation - type: keyword - - name: opkt - type: keyword - - name: orig_from - type: keyword - - name: owner_id - type: keyword - - name: p_action - type: keyword - - name: p_filter - type: keyword - - name: p_group_object - type: keyword - - name: p_id - type: keyword - - name: p_msgid1 - type: keyword - - name: p_msgid2 - type: keyword - - name: p_result1 - type: keyword - - name: password_chg - type: keyword - - name: password_expire - type: keyword - - name: permgranted - type: keyword - - name: permwanted - type: keyword - - name: pgid - type: keyword - - name: policyUUID - type: keyword - - name: prog_asp_num - type: keyword - - name: program - type: keyword - - name: real_data - type: keyword - - name: rec_asp_device - type: keyword - - name: rec_asp_num - type: keyword - - name: rec_library - type: keyword - - name: recordnum - type: keyword - - name: ruid - type: keyword - - name: sburb - type: keyword - - name: sdomain_fld - type: keyword - - name: sec - type: keyword - - name: sensorname - type: keyword - - name: seqnum - type: keyword - - name: session - type: keyword - - name: sessiontype - type: keyword - - name: sigUUID - type: keyword - - name: spi - type: keyword - - name: srcburb - type: keyword - - name: srcdom - type: keyword - - name: srcservice - type: keyword - - name: state - type: keyword - - name: status1 - type: keyword - - name: svcno - type: keyword - - name: system - type: keyword - - 
name: tbdstr1 - type: keyword - - name: tgtdom - type: keyword - - name: tgtdomain - type: keyword - - name: threshold - type: keyword - - name: type1 - type: keyword - - name: udb_class - type: keyword - - name: url_fld - type: keyword - - name: user_div - type: keyword - - name: userid - type: keyword - - name: username_fld - type: keyword - - name: utcstamp - type: keyword - - name: v_instafname - type: keyword - - name: virt_data - type: keyword - - name: vpnid - type: keyword - - name: autorun_type - type: keyword - description: This is used to capture Auto Run type - - name: cc_number - type: long - description: Valid Credit Card Numbers only - - name: content - type: keyword - description: This key captures the content type from protocol headers - - name: ein_number - type: long - description: Employee Identification Numbers only - - name: found - type: keyword - description: This is used to capture the results of regex match - - name: language - type: keyword - description: This is used to capture list of languages the client support and what it prefers - - name: lifetime - type: long - description: This key is used to capture the session lifetime in seconds. - - name: link - type: keyword - description: This key is used to link the sessions together. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: match - type: keyword - description: This key is for regex match name from search.ini - - name: param_dst - type: keyword - description: This key captures the command line/launch argument of the target process or file - - name: param_src - type: keyword - description: This key captures source parameter - - name: search_text - type: keyword - description: This key captures the Search Text used - - name: sig_name - type: keyword - description: This key is used to capture the Signature Name only. 
- - name: snmp_value - type: keyword - description: SNMP set request value - - name: streams - type: long - description: This key captures number of streams in session - - name: db - type: group - fields: - - name: index - type: keyword - description: This key captures IndexID of the index. - - name: instance - type: keyword - description: This key is used to capture the database server instance name - - name: database - type: keyword - description: This key is used to capture the name of a database or an instance as seen in a session - - name: transact_id - type: keyword - description: This key captures the SQL transantion ID of the current session - - name: permissions - type: keyword - description: This key captures permission or privilege level assigned to a resource. - - name: table_name - type: keyword - description: This key is used to capture the table name - - name: db_id - type: keyword - description: This key is used to capture the unique identifier for a database - - name: db_pid - type: long - description: This key captures the process id of a connection with database server - - name: lread - type: long - description: This key is used for the number of logical reads - - name: lwrite - type: long - description: This key is used for the number of logical writes - - name: pread - type: long - description: This key is used for the number of physical writes - - name: network - type: group - fields: - - name: alias_host - type: keyword - description: This key should be used when the source or destination context of a hostname is not clear.Also it captures the Device Hostname. Any Hostname that isnt ad.computer. 
- - name: domain - type: keyword - - name: host_dst - type: keyword - description: "This key should only be used when it’s a Destination Hostname" - - name: network_service - type: keyword - description: This is used to capture layer 7 protocols/service names - - name: interface - type: keyword - description: This key should be used when the source or destination context of an interface is not clear - - name: network_port - type: long - description: 'Deprecated, use port. NOTE: There is a type discrepancy as currently used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!)' - - name: eth_host - type: keyword - description: Deprecated, use alias.mac - - name: sinterface - type: keyword - description: "This key should only be used when it’s a Source Interface" - - name: dinterface - type: keyword - description: "This key should only be used when it’s a Destination Interface" - - name: vlan - type: long - description: This key should only be used to capture the ID of the Virtual LAN - - name: zone_src - type: keyword - description: "This key should only be used when it’s a Source Zone." - - name: zone - type: keyword - description: This key should be used when the source or destination context of a Zone is not clear - - name: zone_dst - type: keyword - description: "This key should only be used when it’s a Destination Zone." - - name: gateway - type: keyword - description: This key is used to capture the IP Address of the gateway - - name: icmp_type - type: long - description: This key is used to capture the ICMP type only - - name: mask - type: keyword - description: This key is used to capture the device network IPmask. 
- - name: icmp_code - type: long - description: This key is used to capture the ICMP code only - - name: protocol_detail - type: keyword - description: This key should be used to capture additional protocol information - - name: dmask - type: keyword - description: This key is used for Destionation Device network mask - - name: port - type: long - description: This key should only be used to capture a Network Port when the directionality is not clear - - name: smask - type: keyword - description: This key is used for capturing source Network Mask - - name: netname - type: keyword - description: This key is used to capture the network name associated with an IP range. This is configured by the end user. - - name: paddr - type: ip - description: Deprecated - - name: faddr - type: keyword - - name: lhost - type: keyword - - name: origin - type: keyword - - name: remote_domain_id - type: keyword - - name: addr - type: keyword - - name: dns_a_record - type: keyword - - name: dns_ptr_record - type: keyword - - name: fhost - type: keyword - - name: fport - type: keyword - - name: laddr - type: keyword - - name: linterface - type: keyword - - name: phost - type: keyword - - name: ad_computer_dst - type: keyword - description: Deprecated, use host.dst - - name: eth_type - type: long - description: This key is used to capture Ethernet Type, Used for Layer 3 Protocols Only - - name: ip_proto - type: long - description: This key should be used to capture the Protocol number, all the protocol nubers are converted into string in UI - - name: dns_cname_record - type: keyword - - name: dns_id - type: keyword - - name: dns_opcode - type: keyword - - name: dns_resp - type: keyword - - name: dns_type - type: keyword - - name: domain1 - type: keyword - - name: host_type - type: keyword - - name: packet_length - type: keyword - - name: host_orig - type: keyword - description: This is used to capture the original hostname in case of a Forwarding Agent or a Proxy in between. 
- - name: rpayload - type: keyword - description: This key is used to capture the total number of payload bytes seen in the retransmitted packets. - - name: vlan_name - type: keyword - description: This key should only be used to capture the name of the Virtual LAN - - name: investigations - type: group - fields: - - name: ec_activity - type: keyword - description: This key captures the particular event activity(Ex:Logoff) - - name: ec_theme - type: keyword - description: This key captures the Theme of a particular Event(Ex:Authentication) - - name: ec_subject - type: keyword - description: This key captures the Subject of a particular Event(Ex:User) - - name: ec_outcome - type: keyword - description: This key captures the outcome of a particular Event(Ex:Success) - - name: event_cat - type: long - description: This key captures the Event category number - - name: event_cat_name - type: keyword - description: This key captures the event category name corresponding to the event cat code - - name: event_vcat - type: keyword - description: This is a vendor supplied category. This should be used in situations where the vendor has adopted their own event_category taxonomy. - - name: analysis_file - type: keyword - description: This is used to capture all indicators used in a File Analysis. This key should be used to capture an analysis of a file - - name: analysis_service - type: keyword - description: This is used to capture all indicators used in a Service Analysis. This key should be used to capture an analysis of a service - - name: analysis_session - type: keyword - description: This is used to capture all indicators used for a Session Analysis. 
This key should be used to capture an analysis of a session - - name: boc - type: keyword - description: This is used to capture behaviour of compromise - - name: eoc - type: keyword - description: This is used to capture Enablers of Compromise - - name: inv_category - type: keyword - description: This used to capture investigation category - - name: inv_context - type: keyword - description: This used to capture investigation context - - name: ioc - type: keyword - description: This is key capture indicator of compromise - - name: counters - type: group - fields: - - name: dclass_c1 - type: long - description: This is a generic counter key that should be used with the label dclass.c1.str only - - name: dclass_c2 - type: long - description: This is a generic counter key that should be used with the label dclass.c2.str only - - name: event_counter - type: long - description: This is used to capture the number of times an event repeated - - name: dclass_r1 - type: keyword - description: This is a generic ratio key that should be used with the label dclass.r1.str only - - name: dclass_c3 - type: long - description: This is a generic counter key that should be used with the label dclass.c3.str only - - name: dclass_c1_str - type: keyword - description: This is a generic counter string key that should be used with the label dclass.c1 only - - name: dclass_c2_str - type: keyword - description: This is a generic counter string key that should be used with the label dclass.c2 only - - name: dclass_r1_str - type: keyword - description: This is a generic ratio string key that should be used with the label dclass.r1 only - - name: dclass_r2 - type: keyword - description: This is a generic ratio key that should be used with the label dclass.r2.str only - - name: dclass_c3_str - type: keyword - description: This is a generic counter string key that should be used with the label dclass.c3 only - - name: dclass_r3 - type: keyword - description: This is a generic ratio key that 
should be used with the label dclass.r3.str only - - name: dclass_r2_str - type: keyword - description: This is a generic ratio string key that should be used with the label dclass.r2 only - - name: dclass_r3_str - type: keyword - description: This is a generic ratio string key that should be used with the label dclass.r3 only - - name: identity - type: group - fields: - - name: auth_method - type: keyword - description: This key is used to capture authentication methods used only - - name: user_role - type: keyword - description: This key is used to capture the Role of a user only - - name: dn - type: keyword - description: X.500 (LDAP) Distinguished Name - - name: logon_type - type: keyword - description: This key is used to capture the type of logon method used. - - name: profile - type: keyword - description: This key is used to capture the user profile - - name: accesses - type: keyword - description: This key is used to capture actual privileges used in accessing an object - - name: realm - type: keyword - description: Radius realm or similar grouping of accounts - - name: user_sid_dst - type: keyword - description: This key captures Destination User Session ID - - name: dn_src - type: keyword - description: An X.500 (LDAP) Distinguished name that is used in a context that indicates a Source dn - - name: org - type: keyword - description: This key captures the User organization - - name: dn_dst - type: keyword - description: An X.500 (LDAP) Distinguished name that used in a context that indicates a Destination dn - - name: firstname - type: keyword - description: This key is for First Names only, this is used for Healthcare predominantly to capture Patients information - - name: lastname - type: keyword - description: This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information - - name: user_dept - type: keyword - description: User's Department Names only - - name: user_sid_src - type: keyword - description: This 
key captures Source User Session ID - - name: federated_sp - type: keyword - description: This key is the Federated Service Provider. This is the application requesting authentication. - - name: federated_idp - type: keyword - description: This key is the federated Identity Provider. This is the server providing the authentication. - - name: logon_type_desc - type: keyword - description: This key is used to capture the textual description of an integer logon type as stored in the meta key 'logon.type'. - - name: middlename - type: keyword - description: This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information - - name: password - type: keyword - description: This key is for Passwords seen in any session, plain text or encrypted - - name: host_role - type: keyword - description: This key should only be used to capture the role of a Host Machine - - name: ldap - type: keyword - description: "This key is for Uninterpreted LDAP values. Ldap Values that don’t have a clear query or response context" - - name: ldap_query - type: keyword - description: This key is the Search criteria from an LDAP search - - name: ldap_response - type: keyword - description: This key is to capture Results from an LDAP search - - name: owner - type: keyword - description: This is used to capture username the process or service is running as, the author of the task - - name: service_account - type: keyword - description: This key is a windows specific key, used for capturing name of the account a service (referenced in the event) is running under. 
Legacy Usage - - name: email - type: group - fields: - - name: email_dst - type: keyword - description: This key is used to capture the Destination email address only, when the destination context is not clear use email - - name: email_src - type: keyword - description: This key is used to capture the source email address only, when the source context is not clear use email - - name: subject - type: keyword - description: This key is used to capture the subject string from an Email only. - - name: email - type: keyword - description: This key is used to capture a generic email address where the source or destination context is not clear - - name: trans_from - type: keyword - description: Deprecated key defined only in table map. - - name: trans_to - type: keyword - description: Deprecated key defined only in table map. - - name: file - type: group - fields: - - name: privilege - type: keyword - description: Deprecated, use permissions - - name: attachment - type: keyword - description: This key captures the attachment file name - - name: filesystem - type: keyword - - name: binary - type: keyword - description: Deprecated key defined only in table map. 
- - name: filename_dst - type: keyword - description: This is used to capture name of the file targeted by the action - - name: filename_src - type: keyword - description: This is used to capture name of the parent filename, the file which performed the action - - name: filename_tmp - type: keyword - - name: directory_dst - type: keyword - description: This key is used to capture the directory of the target process or file - - name: directory_src - type: keyword - description: This key is used to capture the directory of the source process or file - - name: file_entropy - type: double - description: This is used to capture entropy vale of a file - - name: file_vendor - type: keyword - description: This is used to capture Company name of file located in version_info - - name: task_name - type: keyword - description: This is used to capture name of the task - - name: web - type: group - fields: - - name: fqdn - type: keyword - description: Fully Qualified Domain Names - - name: web_cookie - type: keyword - description: This key is used to capture the Web cookies specifically. - - name: alias_host - type: keyword - - name: reputation_num - type: double - description: Reputation Number of an entity. 
Typically used for Web Domains - - name: web_ref_domain - type: keyword - description: Web referer's domain - - name: web_ref_query - type: keyword - description: This key captures Web referer's query portion of the URL - - name: remote_domain - type: keyword - - name: web_ref_page - type: keyword - description: This key captures Web referer's page information - - name: web_ref_root - type: keyword - description: Web referer's root URL path - - name: cn_asn_dst - type: keyword - - name: cn_rpackets - type: keyword - - name: urlpage - type: keyword - - name: urlroot - type: keyword - - name: p_url - type: keyword - - name: p_user_agent - type: keyword - - name: p_web_cookie - type: keyword - - name: p_web_method - type: keyword - - name: p_web_referer - type: keyword - - name: web_extension_tmp - type: keyword - - name: web_page - type: keyword - - name: threat - type: group - fields: - - name: threat_category - type: keyword - description: This key captures Threat Name/Threat Category/Categorization of alert - - name: threat_desc - type: keyword - description: This key is used to capture the threat description from the session directly or inferred - - name: alert - type: keyword - description: This key is used to capture name of the alert - - name: threat_source - type: keyword - description: This key is used to capture source of the threat - - name: crypto - type: group - fields: - - name: crypto - type: keyword - description: This key is used to capture the Encryption Type or Encryption Key only - - name: cipher_src - type: keyword - description: This key is for Source (Client) Cipher - - name: cert_subject - type: keyword - description: This key is used to capture the Certificate organization only - - name: peer - type: keyword - description: This key is for Encryption peer's IP Address - - name: cipher_size_src - type: long - description: This key captures Source (Client) Cipher Size - - name: ike - type: keyword - description: IKE negotiation phase. 
- - name: scheme - type: keyword - description: This key captures the Encryption scheme used - - name: peer_id - type: keyword - description: "This key is for Encryption peer’s identity" - - name: sig_type - type: keyword - description: This key captures the Signature Type - - name: cert_issuer - type: keyword - - name: cert_host_name - type: keyword - description: Deprecated key defined only in table map. - - name: cert_error - type: keyword - description: This key captures the Certificate Error String - - name: cipher_dst - type: keyword - description: This key is for Destination (Server) Cipher - - name: cipher_size_dst - type: long - description: This key captures Destination (Server) Cipher Size - - name: ssl_ver_src - type: keyword - description: Deprecated, use version - - name: d_certauth - type: keyword - - name: s_certauth - type: keyword - - name: ike_cookie1 - type: keyword - description: "ID of the negotiation — sent for ISAKMP Phase One" - - name: ike_cookie2 - type: keyword - description: "ID of the negotiation — sent for ISAKMP Phase Two" - - name: cert_checksum - type: keyword - - name: cert_host_cat - type: keyword - description: This key is used for the hostname category value of a certificate - - name: cert_serial - type: keyword - description: This key is used to capture the Certificate serial number only - - name: cert_status - type: keyword - description: This key captures Certificate validation status - - name: ssl_ver_dst - type: keyword - description: Deprecated, use version - - name: cert_keysize - type: keyword - - name: cert_username - type: keyword - - name: https_insact - type: keyword - - name: https_valid - type: keyword - - name: cert_ca - type: keyword - description: This key is used to capture the Certificate signing authority only - - name: cert_common - type: keyword - description: This key is used to capture the Certificate common name only - - name: wireless - type: group - fields: - - name: wlan_ssid - type: keyword - 
description: This key is used to capture the ssid of a Wireless Session - - name: access_point - type: keyword - description: This key is used to capture the access point name. - - name: wlan_channel - type: long - description: This is used to capture the channel names - - name: wlan_name - type: keyword - description: This key captures either WLAN number/name - - name: storage - type: group - fields: - - name: disk_volume - type: keyword - description: A unique name assigned to logical units (volumes) within a physical disk - - name: lun - type: keyword - description: Logical Unit Number.This key is a very useful concept in Storage. - - name: pwwn - type: keyword - description: This uniquely identifies a port on a HBA. - - name: physical - type: group - fields: - - name: org_dst - type: keyword - description: This is used to capture the destination organization based on the GEOPIP Maxmind database. - - name: org_src - type: keyword - description: This is used to capture the source organization based on the GEOPIP Maxmind database. 
- - name: healthcare
- type: group
- fields:
- - name: patient_fname
- type: keyword
- description: This key is for First Names only, this is used for Healthcare predominantly to capture Patients information
- - name: patient_id
- type: keyword
- description: This key captures the unique ID for a patient
- - name: patient_lname
- type: keyword
- description: This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information
- - name: patient_mname
- type: keyword
- description: This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information
- - name: endpoint
- type: group
- fields:
- - name: host_state
- type: keyword
- description: This key is used to capture the current state of the machine, such as blacklisted, infected, firewall disabled and so on
- - name: registry_key
- type: keyword
- description: This key captures the path to the registry key
- - name: registry_value
- type: keyword
- description: This key captures values or decorators used within a registry entry
-- name: dns.question.domain
- type: keyword
- ignore_above: 1024
- description: Server domain.
-- name: network.interface.name
- type: keyword
diff --git a/packages/sophos/2.4.2/data_stream/utm/manifest.yml b/packages/sophos/2.4.2/data_stream/utm/manifest.yml
deleted file mode 100755
index 807bd92dda..0000000000
--- a/packages/sophos/2.4.2/data_stream/utm/manifest.yml
+++ /dev/null
@@ -1,204 +0,0 @@
-title: Sophos UTM logs
-release: experimental
-type: logs
-streams:
- - input: udp
- title: Sophos UTM logs
- description: Collect Sophos UTM logs
- template_path: udp.yml.hbs
- vars:
- - name: tags
- type: text
- title: Tags
- multi: true
- required: true
- show_user: false
- default:
- - sophos-utm
- - forwarded
- - name: udp_host
- type: text
- title: UDP host to listen on
- multi: false
- required: true
- show_user: true
- default: localhost
- - name: udp_port
- type: integer
- title: UDP port to listen on
- multi: false
- required: true
- show_user: true
- default: 9549
- - name: tz_offset
- type: text
- title: Timezone offset (+HH:mm format)
- required: false
- show_user: true
- default: "local"
- - name: rsa_fields
- type: bool
- title: Add non-ECS fields
- required: false
- show_user: true
- default: true
- - name: keep_raw_fields
- type: bool
- title: Keep raw parser fields
- required: false
- show_user: false
- default: false
- - name: debug
- type: bool
- title: Enable debug logging
- required: false
- show_user: false
- default: false
- - name: preserve_original_event
- required: true
- show_user: true
- title: Preserve original event
- description: Preserves a raw copy of the original event, added to the field `event.original`
- type: bool
- multi: false
- default: false
- - name: processors
- type: yaml
- title: Processors
- multi: false
- required: false
- show_user: false
- description: >
- Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
-
- - input: tcp
- title: Sophos UTM logs
- description: Collect Sophos UTM logs
- template_path: tcp.yml.hbs
- vars:
- - name: tags
- type: text
- title: Tags
- multi: true
- required: true
- show_user: false
- default:
- - sophos-utm
- - forwarded
- - name: tcp_host
- type: text
- title: TCP host to listen on
- multi: false
- required: true
- show_user: true
- default: localhost
- - name: tcp_port
- type: integer
- title: TCP port to listen on
- multi: false
- required: true
- show_user: true
- default: 9549
- - name: tz_offset
- type: text
- title: Timezone offset (+HH:mm format)
- required: false
- show_user: true
- default: "local"
- - name: rsa_fields
- type: bool
- title: Add non-ECS fields
- required: false
- show_user: true
- default: true
- - name: keep_raw_fields
- type: bool
- title: Keep raw parser fields
- required: false
- show_user: false
- default: false
- - name: debug
- type: bool
- title: Enable debug logging
- required: false
- show_user: false
- default: false
- - name: preserve_original_event
- required: true
- show_user: true
- title: Preserve original event
- description: Preserves a raw copy of the original event, added to the field `event.original`
- type: bool
- multi: false
- default: false
- - name: processors
- type: yaml
- title: Processors
- multi: false
- required: false
- show_user: false
- description: >
- Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
-
- - input: logfile
- enabled: false
- title: Sophos UTM logs
- description: Collect Sophos UTM logs from file
- vars:
- - name: paths
- type: text
- title: Paths
- multi: true
- required: true
- show_user: true
- default:
- - /var/log/sophos-utm.log
- - name: tags
- type: text
- title: Tags
- multi: true
- required: true
- show_user: false
- default:
- - sophos-utm
- - forwarded
- - name: tz_offset
- type: text
- title: Timezone offset (+HH:mm format)
- required: false
- show_user: true
- default: "local"
- - name: rsa_fields
- type: bool
- title: Add non-ECS fields
- required: false
- show_user: true
- default: true
- - name: keep_raw_fields
- type: bool
- title: Keep raw parser fields
- required: false
- show_user: false
- default: false
- - name: debug
- type: bool
- title: Enable debug logging
- required: false
- show_user: false
- default: false
- - name: preserve_original_event
- required: true
- show_user: true
- title: Preserve original event
- description: Preserves a raw copy of the original event, added to the field `event.original`
- type: bool
- multi: false
- default: false
- - name: processors
- type: yaml
- title: Processors
- multi: false
- required: false
- show_user: false
- description: >-
- Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
diff --git a/packages/sophos/2.4.2/data_stream/utm/sample_event.json b/packages/sophos/2.4.2/data_stream/utm/sample_event.json
deleted file mode 100755
index 5dbfab0f64..0000000000
--- a/packages/sophos/2.4.2/data_stream/utm/sample_event.json
+++ /dev/null
@@ -1,73 +0,0 @@
-{
- "@timestamp": "2016-01-29T06:09:59.000Z",
- "agent": {
- "ephemeral_id": "4a4dd5d5-8f82-4911-b531-99290943b6c6",
- "id": "9a015053-a5c0-4959-99ab-2b6556a2a396",
- "name": "docker-fleet-agent",
- "type": "filebeat",
- "version": "8.0.0"
- },
- "data_stream": {
- "dataset": "sophos.utm",
- "namespace": "ep",
- "type": "logs"
- },
- "ecs": {
- "version": "8.3.0"
- },
- "elastic_agent": {
- "id": "9a015053-a5c0-4959-99ab-2b6556a2a396",
- "snapshot": true,
- "version": "8.0.0"
- },
- "event": {
- "agent_id_status": "verified",
- "code": "smtpd",
- "dataset": "sophos.utm",
- "ingested": "2022-01-25T18:04:29Z",
- "timezone": "+00:00"
- },
- "host": {
- "name": "localhost.localdomain"
- },
- "input": {
- "type": "udp"
- },
- "log": {
- "source": {
- "address": "172.25.0.7:39467"
- }
- },
- "message": "smtpd: MASTER:QR globally disabled, status one set to disabled.",
- "observer": {
- "product": "UTM",
- "type": "Firewall",
- "vendor": "Sophos"
- },
- "process": {
- "pid": 905
- },
- "related": {
- "hosts": [
- "localhost.localdomain"
- ]
- },
- "rsa": {
- "internal": {
- "event_desc": "smtpd: MASTER:QR globally disabled, status one set to disabled.",
- "messageid": "smtpd"
- },
- "network": {
- "alias_host": [
- "localhost.localdomain"
- ]
- },
- "time": {
- "event_time": "2016-01-29T06:09:59.000Z"
- }
- },
- "tags": [
- "sophos-utm",
- "forwarded"
- ]
-}
\ No newline at end of file
diff --git a/packages/sophos/2.4.2/data_stream/xg/agent/stream/log.yml.hbs b/packages/sophos/2.4.2/data_stream/xg/agent/stream/log.yml.hbs
deleted file mode 100755
index 177b022013..0000000000
--- a/packages/sophos/2.4.2/data_stream/xg/agent/stream/log.yml.hbs
+++ /dev/null
@@ -1,28 +0,0 @@ -paths: -{{#each paths as |path i|}} - - {{path}} -{{/each}} -exclude_files: [".gz$"] -tags: -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#each tags as |tag i|}} - - {{tag}} -{{/each}} -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} -processors: -{{#if processors}} -{{processors}} -{{/if}} -- add_locale: ~ -- add_fields: - target: '_conf' - fields: - default: {{default_host_name}} - mappings: -{{#if known_devices}} - {{known_devices}} -{{/if}} diff --git a/packages/sophos/2.4.2/data_stream/xg/agent/stream/tcp.yml.hbs b/packages/sophos/2.4.2/data_stream/xg/agent/stream/tcp.yml.hbs deleted file mode 100755 index b901abd778..0000000000 --- a/packages/sophos/2.4.2/data_stream/xg/agent/stream/tcp.yml.hbs +++ /dev/null @@ -1,31 +0,0 @@ -tcp: -host: "{{syslog_host}}:{{syslog_port}}" -tags: -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#each tags as |tag i|}} - - {{tag}} -{{/each}} -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} -{{#if ssl}} -ssl: {{ssl}} -{{/if}} -processors: -{{#if processors}} -{{processors}} -{{/if}} -- add_locale: ~ -- add_fields: - target: '_conf' - fields: - default: {{default_host_name}} - mappings: -{{#if known_devices}} - {{known_devices}} -{{/if}} -{{#if tcp_options}} -{{tcp_options}} -{{/if}} diff --git a/packages/sophos/2.4.2/data_stream/xg/agent/stream/udp.yml.hbs b/packages/sophos/2.4.2/data_stream/xg/agent/stream/udp.yml.hbs deleted file mode 100755 index 426c9fc440..0000000000 --- a/packages/sophos/2.4.2/data_stream/xg/agent/stream/udp.yml.hbs +++ /dev/null 
@@ -1,25 +0,0 @@ -udp: -host: "{{syslog_host}}:{{syslog_port}}" -tags: -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#each tags as |tag i|}} - - {{tag}} -{{/each}} -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} -processors: -{{#if processors}} -{{processors}} -{{/if}} -- add_locale: ~ -- add_fields: - target: '_conf' - fields: - default: {{default_host_name}} - mappings: -{{#if known_devices}} - {{known_devices}} -{{/if}} diff --git a/packages/sophos/2.4.2/data_stream/xg/elasticsearch/ingest_pipeline/antispam.yml b/packages/sophos/2.4.2/data_stream/xg/elasticsearch/ingest_pipeline/antispam.yml deleted file mode 100755 index 573c3d7f40..0000000000 --- a/packages/sophos/2.4.2/data_stream/xg/elasticsearch/ingest_pipeline/antispam.yml +++ /dev/null 
@@ -1,135 +0,0 @@ ---- -description: Pipeline for parsing Sophos XG firewall logs (anti-spam pipeline). -processors: -####################### -## ECS Event Mapping ## -####################### -- set: - field: event.kind - value: event -- set: - field: event.action - value: "{{sophos.xg.log_subtype}}" - ignore_empty_value: true -- set: - field: event.outcome - value: success - ignore_empty_value: true -- set: - field: event.kind - value: alert - if: '["13001", "13002", "13004", "13005", "13006", "13009", "13012", "13014", "14001", "14002", "15001", "15002"].contains(ctx.event?.code)' -- append: - field: event.category - value: malware - if: '["13001", "13002", "13004", "13005", "13006", "13009", "13014", "14001", "14002", "15001", "15002"].contains(ctx.event?.code)' -- append: - field: event.category - value: intrusion_detection - if: "ctx.event?.code == '13012'" -- append: - field: event.category - value: network -- append: - field: event.type - value: - - allowed - - connection - if: '["13003", "13007", "13008", "13010", "13013", "14003", "15003", "18035"].contains(ctx.event?.code)' -- append: - field: event.type - value: - - info - - denied - - connection - if: '["13001", "13002", "13004", "13005", "13006", "13009", "13012", "13014", "14001", "14002", "15001", "15002"].contains(ctx.event?.code)' - -#################################### -## ECS Destination Mapping -#################################### -- rename: - field: sophos.xg.dst_ip - target_field: destination.ip - ignore_missing: true - if: "ctx.sophos?.xg?.dst_ip != null" -- convert: - field: sophos.xg.dst_port - target_field: destination.port - type: long - ignore_failure: true - ignore_missing: true - if: "ctx.sophos?.xg?.dst_port != null" - -############################### -## ECS Source Mapping -############################### -- rename: - field: sophos.xg.src_ip - target_field: source.ip - ignore_missing: true -- convert: - field: sophos.xg.src_port - target_field: source.port - type: long - 
ignore_failure: true - ignore_missing: true - if: "ctx.sophos?.xg?.src_port != null" -- rename: - field: sophos.xg.src_domainname - target_field: source.domain - ignore_missing: true - -####################### -## ECS Email Mapping ## -####################### -- rename: - field: sophos.xg.from_email_address - target_field: source.user.email - ignore_missing: true -- rename: - field: sophos.xg.to_email_address - target_field: destination.user.email - ignore_missing: true -- append: - field: email.from.address - value: "{{{source.user.email}}}" - if: "ctx?.source?.user?.email != null" -- append: - field: email.to.address - value: "{{{destination.user.email}}}" - if: "ctx?.destination?.user?.email != null" -- set: - field: email.subject - copy_from: sophos.xg.email_subject - if: "ctx?.sophos.xg?.email_subject != null" -- set: - field: email.subject - copy_from: sophos.xg.subject - if: "ctx?.sophos.xg?.subject != null && ctx.email?.subject == null" - -###################### -## ECS Network Mapping -###################### -- rename: - field: sophos.xg.protocol - target_field: network.transport - ignore_missing: true -- lowercase: - field: sophos.xg.log_component - target_field: network.protocol - ignore_missing: true - -############# -## Cleanup ## -############# -- remove: - field: - - sophos.xg.dst_port - - sophos.xg.src_port - - sophos.xg.from_email_address - - sophos.xg.to_email_address - ignore_missing: true -on_failure: -- set: - field: error.message - value: '{{ _ingest.on_failure_message }}' diff --git a/packages/sophos/2.4.2/data_stream/xg/elasticsearch/ingest_pipeline/antivirus.yml b/packages/sophos/2.4.2/data_stream/xg/elasticsearch/ingest_pipeline/antivirus.yml deleted file mode 100755 index cbfa5e2829..0000000000 --- a/packages/sophos/2.4.2/data_stream/xg/elasticsearch/ingest_pipeline/antivirus.yml +++ /dev/null 
@@ -1,222 +0,0 @@ ---- -description: Pipeline for parsing sophos firewall logs (antivirus pipeline) -processors: -####################### -## ECS Event Mapping ## -####################### -- set: - field: event.kind - value: alert -- set: - field: event.action - value: "{{sophos.xg.log_subtype}}" - if: "ctx.sophos?.xg?.log_subtype != null" -- set: - field: event.outcome - value: success - if: "ctx.sophos?.xg?.log_subtype != null" -- append: - field: event.category - value: - - malware - - network - if: "ctx.sophos?.xg?.log_subtype == 'Virus'" -- append: - field: event.type - value: - - info - - denied - - connection - if: "ctx.sophos?.xg?.log_subtype == 'Virus'" -- set: - field: event.kind - value: event - if: '["09002"].contains(ctx.event?.code)' -- append: - field: event.type - value: - - allowed - - connection - if: '["09002"].contains(ctx.event?.code)' -- append: - field: event.category - value: network - if: '["09002"].contains(ctx.event?.code)' - -############################# -## ECS Destination Mapping ## -############################# -- rename: - field: sophos.xg.dst_ip - target_field: destination.ip - ignore_missing: true - if: "ctx.sophos?.xg?.dst_ip != null" -- convert: - field: sophos.xg.dst_port - target_field: destination.port - type: long - ignore_failure: true - ignore_missing: true - if: "ctx.sophos?.xg?.dst_port != null" -- rename: - field: sophos.xg.dstdomain - target_field: destination.domain - ignore_failure: true -- rename: - field: sophos.xg.dst_domainname - target_field: destination.domain - ignore_failure: true - -######################## -## ECS Source Mapping ## -######################## -- rename: - field: sophos.xg.src_ip - target_field: source.ip - ignore_missing: true - if: "ctx.sophos?.xg?.src_ip != null" -- convert: - field: sophos.xg.src_port - target_field: source.port - type: long - ignore_failure: true - ignore_missing: true - if: "ctx.sophos?.xg?.src_port != null" -- rename: - field: sophos.xg.user_name - target_field: 
source.user.name - ignore_missing: true - if: "ctx.sophos?.xg?.user_name != null" -- rename: - field: sophos.xg.src_domainname - target_field: source.domain - ignore_failure: true - -####################### -## ECS Email Mapping ## -####################### -- rename: - field: sophos.xg.from_email_address - target_field: source.user.email - ignore_missing: true -- rename: - field: sophos.xg.to_email_address - target_field: destination.user.email - ignore_missing: true -- append: - field: email.from.address - value: "{{{source.user.email}}}" - if: "ctx?.source?.user?.email != null" -- append: - field: email.to.address - value: "{{{destination.user.email}}}" - if: "ctx?.destination?.user?.email != null" -- set: - field: email.subject - copy_from: sophos.xg.email_subject - if: "ctx?.sophos.xg?.email_subject != null" -- set: - field: email.subject - copy_from: sophos.xg.subject - if: "ctx?.sophos.xg?.subject != null && ctx.email?.subject == null" - -###################### -## ECS Rule Mapping ## -###################### -- rename: - field: sophos.xg.fw_rule_id - target_field: rule.id - ignore_missing: true - if: "ctx.rule?.id == null" - -##################### -## ECS URL Mapping ## -##################### -- rename: - field: sophos.xg.url - target_field: url.original - ignore_missing: true - if: "ctx.sophos?.xg?.url != null" -- uri_parts: - if: ctx.url?.original != null && ctx.url.original.contains("://") - field: url.original - target_field: url -- set: - if: ctx.url?.original != null && ctx.url.original.contains("://") - field: url.full - copy_from: url.original - ignore_empty_value: true -- rename: - field: sophos.xg.domainname - target_field: url.domain - ignore_failure: true - -############################ -## ECS User Agent Mapping ## -############################ -- rename: - field: sophos.xg.user_agent - target_field: user_agent.original - ignore_missing: true - if: "ctx.sophos?.xg?.user_agent != null" -- convert: - field: sophos.xg.status_code - target_field: 
http.response.status_code - type: long - ignore_failure: true - ignore_missing: true - if: "ctx.sophos?.xg?.status_code != null && ctx.sophos?.xg?.status_code != ''" - -###################### -## ECS File Mapping ## -###################### -- rename: - field: sophos.xg.filename - target_field: file.name - ignore_missing: true - if: "ctx.sophos?.xg?.filename != null" -- convert: - field: sophos.xg.file_size - target_field: file.size - type: long - ignore_failure: true - ignore_missing: true - if: "ctx.sophos?.xg?.file_size != null" -- rename: - field: sophos.xg.file_path - target_field: file.directory - ignore_missing: true - if: "ctx.sophos?.xg?.file_path != null" - -###################### -## ECS Network Mapping -###################### -- rename: - field: sophos.xg.protocol - target_field: network.transport - ignore_missing: true -- lowercase: - field: sophos.xg.log_component - target_field: network.protocol - ignore_missing: true - -############# -## Cleanup ## -############# -- lowercase: - field: event.info - ignore_failure: true -- remove: - field: - - sophos.xg.domainname - - sophos.xg.dst_port - - sophos.xg.src_port - - sophos.xg.status_code - - sophos.xg.file_size - - sophos.xg.from_email_address - - sophos.xg.to_email_address - ignore_missing: true -on_failure: -- set: - field: error.message - value: '{{ _ingest.on_failure_message }}' diff --git a/packages/sophos/2.4.2/data_stream/xg/elasticsearch/ingest_pipeline/atp.yml b/packages/sophos/2.4.2/data_stream/xg/elasticsearch/ingest_pipeline/atp.yml deleted file mode 100755 index 47bcb458a6..0000000000 --- a/packages/sophos/2.4.2/data_stream/xg/elasticsearch/ingest_pipeline/atp.yml +++ /dev/null 
@@ -1,120 +0,0 @@ ---- -description: Pipeline for parsing sophos firewall logs (atp pipeline) -processors: -####################### -## ECS Event Mapping ## -####################### -- set: - field: event.kind - value: alert -- set: - field: event.action - value: "{{sophos.xg.log_subtype}}" - if: "ctx.sophos?.xg?.log_subtype != null" -- set: - field: event.outcome - value: success - if: "ctx.sophos?.xg?.log_subtype != null" -- append: - field: event.category - value: - - intrusion_detection - - network - if: '["18009", "18010"].contains(ctx.event?.code)' -- append: - field: event.type - value: - - denied - - connection - if: '["18009", "18010"].contains(ctx.event?.code)' -- rename: - field: sophos.xg.eventid - target_field: event.id - ignore_missing: true - if: "ctx.sophos?.xg?.eventid != null" - -#################################### -## ECS Server/Destination Mapping ## -#################################### -- rename: - field: sophos.xg.destinationip - target_field: destination.ip - ignore_missing: true - if: "ctx.sophos?.xg?.destinationip != null" -- convert: - field: sophos.xg.dst_port - target_field: destination.port - type: long - ignore_failure: true - ignore_missing: true - if: "ctx.sophos?.xg?.dst_port != null" - -############################### -## ECS Client/Source Mapping ## -############################### -- rename: - field: sophos.xg.sourceip - target_field: source.ip - ignore_missing: true - if: "ctx.sophos?.xg?.sourceip != null" -- rename: - field: sophos.xg.src_ip - target_field: source.ip - ignore_missing: true - if: "ctx.sophos?.xg?.src_ip != null" -- convert: - field: sophos.xg.src_port - target_field: source.port - type: long - ignore_failure: true - ignore_missing: true - if: "ctx.sophos?.xg?.src_port != null" -- rename: - field: sophos.xg.user_name - target_field: source.user.name - ignore_missing: true - -##################### -## ECS URL Mapping ## -##################### -- rename: - field: sophos.xg.url - target_field: url.original - 
ignore_missing: true - if: "ctx.sophos?.xg?.url != null" -- uri_parts: - if: ctx.url?.original != null && ctx.url.original.contains("://") - field: url.original - target_field: url -- set: - if: ctx.url?.original != null && ctx.url.original.contains("://") - field: url.full - copy_from: url.original - ignore_empty_value: true - -###################### -## ECS Network Mapping -###################### -- rename: - field: sophos.xg.protocol - target_field: network.transport - ignore_missing: true - -############# -## Cleanup ## -############# -- lowercase: - field: event.action - ignore_failure: true -- lowercase: - field: event.info - ignore_failure: true -- remove: - field: - - sophos.xg.dst_port - - sophos.xg.src_port - ignore_missing: true -on_failure: -- set: - field: error.message - value: '{{ _ingest.on_failure_message }}' diff --git a/packages/sophos/2.4.2/data_stream/xg/elasticsearch/ingest_pipeline/cfilter.yml b/packages/sophos/2.4.2/data_stream/xg/elasticsearch/ingest_pipeline/cfilter.yml deleted file mode 100755 index d8030558aa..0000000000 --- a/packages/sophos/2.4.2/data_stream/xg/elasticsearch/ingest_pipeline/cfilter.yml +++ /dev/null 
@@ -1,168 +0,0 @@ ---- -description: Pipeline for parsing sophos firewall logs (Content Filtering pipeline) -processors: -####################### -## ECS Event Mapping ## -####################### -- set: - field: event.kind - value: event -- set: - field: event.action - value: "{{sophos.xg.log_subtype}}" - if: "ctx.sophos?.xg?.log_subtype != null" -- set: - field: event.outcome - value: success - if: "ctx.sophos?.xg?.log_subtype != null" -- set: - field: event.kind - value: alert - if: 'ctx.sophos?.xg?.log_subtype == "Denied"' -- append: - field: event.category - value: - - malware - - network - if: 'ctx.sophos?.xg?.log_subtype == "Denied"' -- append: - field: event.category - value: network - if: "ctx.sophos?.xg?.log_subtype != 'Denied'" -- append: - field: event.type - value: - - allowed - - connection - if: '["Allowed", "Warned"].contains(ctx.sophos?.xg?.log_subtype)' -- append: - field: event.type - value: - - info - - denied - - connection - if: "ctx.sophos?.xg?.log_subtype == 'Denied'" - -########################## -## ECS Destination Mapping -########################## -- rename: - field: sophos.xg.dst_ip - target_field: destination.ip - ignore_missing: true - if: "ctx.sophos?.xg?.dst_ip != null" -- convert: - field: sophos.xg.dst_port - target_field: destination.port - type: long - ignore_failure: true - ignore_missing: true - if: "ctx.sophos?.xg?.dst_port != null" - -##################### -## ECS Source Mapping -##################### -- rename: - field: sophos.xg.src_ip - target_field: source.ip - ignore_missing: true - if: "ctx.sophos?.xg?.src_ip != null" -- convert: - field: sophos.xg.src_port - target_field: source.port - type: long - ignore_failure: true - ignore_missing: true - if: "ctx.sophos?.xg?.src_port != null" -- rename: - field: sophos.xg.user_name - target_field: source.user.name - ignore_missing: true - if: "ctx.sophos?.xg?.user_name != null" -- rename: - field: sophos.xg.user_gp - target_field: source.user.group.name - ignore_missing: true - 
if: "ctx.sophos?.xg?.user_gp != null" - -##################### -## ECS URL Mapping ## -##################### -- rename: - field: sophos.xg.url - target_field: url.original - ignore_missing: true -- uri_parts: - field: url.original - target_field: url - if: "ctx.url?.original != null" -- set: - field: url.full - copy_from: url.original - ignore_empty_value: true -- rename: - field: sophos.xg.domain - target_field: url.domain - ignore_missing: true - if: ctx.url?.domain == null - -############################ -## ECS User Agent Mapping ## -############################ -- rename: - field: sophos.xg.referer - target_field: http.request.referrer - ignore_missing: true - if: "ctx.sophos?.xg?.referer != null" -- convert: - field: sophos.xg.status_code - target_field: http.response.status_code - type: long - ignore_missing: true - if: "ctx.sophos?.xg?.status_code != null && ctx.sophos?.xg?.status_code != ''" -- convert: - field: sophos.xg.http_status - target_field: http.response.status_code - type: long - ignore_missing: true - if: "ctx.sophos?.xg?.http_status != null && ctx.sophos?.xg?.http_status != '' && ctx.sophos?.xg?.http_status != '0'" -- rename: - field: sophos.xg.user_agent - target_field: user_agent.original - ignore_missing: true -- user_agent: - field: user_agent.original - target_field: user_agent - ignore_missing: true - -###################### -## ECS Network Mapping -###################### -- rename: - field: sophos.xg.protocol - target_field: network.transport - ignore_missing: true -- set: - field: network.protocol - copy_from: url.scheme - override: false - ignore_empty_value: true - -############# -## Cleanup ## -############# -- lowercase: - field: event.action - ignore_failure: true -- remove: - field: - - sophos.xg.dst_port - - sophos.xg.src_port - - sophos.xg.domain - - sophos.xg.http_status - - sophos.xg.http_user_agent - ignore_missing: true -on_failure: -- set: - field: error.message - value: '{{ _ingest.on_failure_message }}' 
diff --git a/packages/sophos/2.4.2/data_stream/xg/elasticsearch/ingest_pipeline/default.yml b/packages/sophos/2.4.2/data_stream/xg/elasticsearch/ingest_pipeline/default.yml deleted file mode 100755 index a693793783..0000000000 --- a/packages/sophos/2.4.2/data_stream/xg/elasticsearch/ingest_pipeline/default.yml +++ /dev/null 
@@ -1,568 +0,0 @@ ---- -description: Pipeline for parsing Sophos XG firewall logs. -processors: -- set: - field: ecs.version - value: '8.4.0' - -- set: - field: event.original - copy_from: message - override: false -- grok: - field: event.original - patterns: - - '^%{SYSLOG5424PRI}(%{SYSLOGTIMESTAMP} %{NOTSPACE} )?%{GREEDYDATA:message}$' - - '^%{SYSLOG5424PRI}%{GREEDYDATA:message}$' - - '^%{SYSLOGTIMESTAMP} %{HOSTNAME:observer.hostname} %{GREEDYDATA:message}$' - - '%{GREEDYDATA:message}$' - -# split Sophos-XG fields -- kv: - field: message - field_split: " (?=[a-zA-Z0-9_]+=)" - value_split: "=" - prefix: "sophos.xg." - ignore_missing: true - ignore_failure: false - trim_value: "\"" - -- script: - description: Lowercase sophos.xg key name names. - tag: lowercase-sophos-keys - if: ctx.sophos?.xg != null - source: | - def lowercaseMap = [:]; - for(def entry : ctx.sophos.xg.entrySet()){ - lowercaseMap.put(entry.getKey().toLowerCase(), entry.getValue()); - } - ctx.sophos.xg = lowercaseMap; - -# Parse the date -- set: - field: _temp_.time - value: "{{sophos.xg.date}} {{sophos.xg.time}}" - if: ctx.sophos?.xg?.date != null && ctx.sophos?.xg?.time != null -- set: - field: _temp_.time - copy_from: sophos.xg.timestamp - ignore_empty_value: true - if: ctx._temp_?.time == null -- date: - if: ctx._temp_?.time != null && ctx.event?.timezone == null - field: _temp_.time - target_field: "@timestamp" - formats: - - yyyy-MM-dd HH:mm:ss - - yyyy-MM-dd HH:mm:ss Z - - yyyy-MM-dd HH:mm:ss z - - ISO8601 -- date: - if: ctx._temp_?.time != null && ctx.event?.timezone != null - timezone: "{{ event.timezone }}" - field: _temp_.time - target_field: "@timestamp" - formats: - - yyyy-MM-dd HH:mm:ss - - yyyy-MM-dd HH:mm:ss Z - - yyyy-MM-dd HH:mm:ss z - - ISO8601 - -# Sets starts, end and duration when start and duration is known -- script: - lang: painless - if: ctx.sophos?.xg?.duration != null - source: >- - ctx.event.duration = Integer.parseInt(ctx.sophos.xg.duration) * 1000000000L; - 
ctx.event.start = ctx['@timestamp']; - ZonedDateTime start = ZonedDateTime.parse(ctx.event.start); - ctx.event.end = start.plus(ctx.event.duration, ChronoUnit.NANOS); - -# Removes all empty fields -- script: - description: Remove empty fields. - tag: remove-empty-fields - lang: painless - params: - values: - - "" - - "-" - - "N/A" - source: >- - ctx.sophos?.xg.entrySet().removeIf(entry -> params.values.contains(entry.getValue())); - -####################### -## ECS Event Mapping ## -####################### - -# log_id consists of (example: 010101600001): -# log type: 2 digits -# log component: 2 digits -# log subtype: 2 digits -# severity: 1 digit -# message ID: 5 digits -- gsub: - description: Set event.severity from log_id. - field: sophos.xg.log_id - target_field: event.severity - pattern: '^.{6}(.).*$' - replacement: '$1' - ignore_failure: true -- convert: - field: event.severity - type: long - ignore_missing: true -- gsub: - description: Set event.code from log_id. - field: sophos.xg.log_id - target_field: event.code - pattern: '^.{7}(.{5})$' - replacement: '$1' - ignore_failure: true - -##################### -## ECS Log Mapping ## -##################### -- set: - if: ctx.event?.severity == 0 - field: log.level - value: unknown -- set: - if: ctx.event?.severity == 1 - field: log.level - value: alert -- set: - if: ctx.event?.severity == 2 - field: log.level - value: critical -- set: - if: ctx.event?.severity == 3 - field: log.level - value: error -- set: - if: ctx.event?.severity == 4 - field: log.level - value: warning -- set: - if: ctx.event?.severity == 5 - field: log.level - value: notification -- set: - if: ctx.event?.severity == 6 - field: log.level - value: informational -- set: - if: ctx.event?.severity == 7 - field: log.level - value: debug - -- set: - field: log.level - copy_from: sophos.xg.severity - ignore_empty_value: true - -########################## -## ECS Observer Mapping ## -########################## -- set: - field: observer.vendor - value: 
Sophos -- set: - field: observer.product - value: XG -- set: - field: observer.type - value: firewall -- rename: - field: sophos.xg.device_id - target_field: observer.serial_number - ignore_missing: true -- rename: - field: sophos.xg.device_serial_id - target_field: observer.serial_number - ignore_missing: true -- rename: - field: sophos.xg.out_interface - target_field: observer.egress.interface.name - ignore_missing: true -- rename: - field: sophos.xg.in_interface - target_field: observer.ingress.interface.name - ignore_missing: true -- rename: - field: sophos.xg.srczone - target_field: observer.ingress.zone - ignore_missing: true -- rename: - field: sophos.xg.src_zone - target_field: observer.ingress.zone - ignore_missing: true -- rename: - field: sophos.xg.dstzone - target_field: observer.egress.zone - ignore_missing: true -- rename: - field: sophos.xg.dst_zone - target_field: observer.egress.zone - ignore_missing: true -- rename: - field: sophos.xg.srczonetype - target_field: sophos.xg.src_zone_type - ignore_missing: true -- rename: - field: sophos.xg.dstzonetype - target_field: sophos.xg.dst_zone_type - ignore_missing: true - -################### -## Set host.name ## -################### -- script: - lang: painless - if: ctx.observer?.serial_number != null - source: >- - def conf = ctx['_conf']; - if (conf == null) return; - def serial = ctx.observer.serial_number; - def mappings = conf.mappings; - if (mappings == null) return; - def name = conf['default']; - for (def item : mappings) { - if (item.serial_number == serial) { - name = item.hostname; - break; - } - } - if (ctx.host == null) { - ctx.host = new HashMap(); - } - ctx.host.name = name; - -############# -## Cleanup ## -############# -- remove: - field: - - message - - _temp_ - - _conf - - sophos.xg.date - - sophos.xg.time - - sophos.xg.timestamp - - sophos.xg.duration - - sophos.xg.timezone - - sophos.xg.dir_disp - - sophos.xg.log_occurrence - - sophos.xg.nat_rule_id - - sophos.xg.in_display_interface 
- - sophos.xg.out_display_interface - - syslog5424_pri - ignore_missing: true - -- convert: - field: sophos.xg.sent_bytes - target_field: source.bytes - type: long - ignore_failure: true - ignore_missing: true - if: "ctx.sophos?.xg?.sent_bytes != null" -- convert: - field: sophos.xg.bytes_sent - target_field: source.bytes - type: long - ignore_failure: true - ignore_missing: true - if: "ctx.sophos?.xg?.bytes_sent != null" -- convert: - field: sophos.xg.recv_bytes - target_field: destination.bytes - type: long - ignore_failure: true - ignore_missing: true - if: "ctx.sophos?.xg?.recv_bytes != null" -- convert: - field: sophos.xg.bytes_received - target_field: destination.bytes - type: long - ignore_failure: true - ignore_missing: true - if: "ctx.sophos?.xg?.bytes_received != null" - -############################# -## ECS Source/Destination MAC -############################# -- rename: - field: sophos.xg.src_mac - target_field: source.mac - ignore_failure: true -- uppercase: - field: source.mac - ignore_missing: true -- gsub: - field: source.mac - pattern: '[-:. 
]' - replacement: '' - ignore_missing: true -- gsub: - field: source.mac - pattern: '(..)(?!$)' - replacement: '$1-' - ignore_missing: true - -- rename: - field: sophos.xg.dst_mac - target_field: destination.mac - ignore_failure: true -- uppercase: - field: destination.mac - ignore_missing: true -- gsub: - field: destination.mac - pattern: '[-:.]' - replacement: '' - ignore_missing: true -- gsub: - field: destination.mac - pattern: '(..)(?!$)' - replacement: '$1-' - ignore_missing: true - -############################### -## Product Specific Pipelines ## -############################### -- pipeline: - name: '{{ IngestPipeline "antispam" }}' - if: "ctx.sophos?.xg?.log_type == 'Anti-Spam'" -- pipeline: - name: '{{ IngestPipeline "antivirus" }}' - if: "ctx.sophos?.xg?.log_type == 'Anti-Virus'" -- pipeline: - name: '{{ IngestPipeline "atp" }}' - if: "ctx.sophos?.xg?.log_type == 'ATP'" -- pipeline: - name: '{{ IngestPipeline "cfilter" }}' - if: "ctx.sophos?.xg?.log_type == 'Content Filtering'" -- pipeline: - name: '{{ IngestPipeline "event" }}' - if: "ctx.sophos?.xg?.log_type == 'Event'" -- pipeline: - name: '{{ IngestPipeline "firewall" }}' - if: "ctx.sophos?.xg?.log_type == 'Firewall'" -- pipeline: - name: '{{ IngestPipeline "idp" }}' - if: "ctx.sophos?.xg?.log_type == 'IDP'" -- pipeline: - name: '{{ IngestPipeline "sandstorm" }}' - if: "ctx.sophos?.xg?.log_type == 'Sandbox'" -- pipeline: - name: '{{ IngestPipeline "systemhealth" }}' - if: "ctx.sophos?.xg?.log_type == 'System Health'" -- pipeline: - name: '{{ IngestPipeline "waf" }}' - if: "ctx.sophos?.xg?.log_type == 'WAF'" -- pipeline: - name: '{{ IngestPipeline "wifi" }}' - if: "ctx.sophos?.xg?.log_type == 'Wireless Protection'" - -################## -# GeoIP Enrichment -################## -- geoip: - field: source.ip - target_field: source.geo - ignore_missing: true - if: "ctx.source?.geo == null" -- geoip: - field: destination.ip - target_field: destination.geo - ignore_missing: true - if: "ctx.destination?.geo 
== null" -- geoip: - database_file: GeoLite2-ASN.mmdb - field: source.ip - target_field: source.as - properties: - - asn - - organization_name - ignore_missing: true -- geoip: - database_file: GeoLite2-ASN.mmdb - field: destination.ip - target_field: destination.as - properties: - - asn - - organization_name - ignore_missing: true -- geoip: - field: source.nat.ip - target_field: source.geo - ignore_missing: true - if: "ctx.source?.geo == null" -- geoip: - field: destination.nat.ip - target_field: destination.geo - ignore_missing: true - if: "ctx.destination?.geo == null" -- geoip: - database_file: GeoLite2-ASN.mmdb - field: source.nat.ip - target_field: source.as - properties: - - asn - - organization_name - ignore_missing: true - if: "ctx.source?.as == null" -- geoip: - database_file: GeoLite2-ASN.mmdb - field: destination.nat.ip - target_field: destination.as - properties: - - asn - - organization_name - ignore_missing: true - if: "ctx.destination?.as == null" -- rename: - field: source.as.asn - target_field: source.as.number - ignore_missing: true -- rename: - field: source.as.organization_name - target_field: source.as.organization.name - ignore_missing: true -- rename: - field: destination.as.asn - target_field: destination.as.number - ignore_missing: true -- rename: - field: destination.as.organization_name - target_field: destination.as.organization.name - ignore_missing: true - -############## -## ECS Network -############## -- lowercase: - field: network.protocol - ignore_failure: true -- set: - description: Rename pops network.protocol to pop3s. 
- if: ctx.network?.protocol == "pops" - field: network.protocol - value: pop3s -- lowercase: - field: network.transport - ignore_failure: true -- script: - lang: painless - source: "ctx.network.bytes = ctx.source.bytes + ctx.destination.bytes" - if: "ctx.source?.bytes != null && ctx.destination?.bytes != null" - ignore_failure: true -- script: - lang: painless - source: "ctx.network.packets = ctx.source.packets + ctx.destination.packets" - if: "ctx.source?.packets != null && ctx.destination?.packets != null" - ignore_failure: true -- community_id: - ignore_failure: true - -#################### -## ECS Related Hosts -#################### -- append: - if: ctx.host?.name != null - field: related.hosts - value: '{{{host.name}}}' - allow_duplicates: false -- append: - if: ctx.url?.domain != null - field: related.hosts - value: '{{{url.domain}}}' - allow_duplicates: false -- append: - if: ctx.source?.domain != null - field: related.hosts - value: '{{{source.domain}}}' - allow_duplicates: false -- append: - if: ctx.destination?.domain != null - field: related.hosts - value: '{{{destination.domain}}}' - allow_duplicates: false - -################# -## ECS Related IP -################# -- append: - if: ctx.source?.ip != null - field: related.ip - value: '{{{source.ip}}}' - allow_duplicates: false -- append: - if: ctx.destination?.ip != null - field: related.ip - value: '{{{destination.ip}}}' - allow_duplicates: false -- append: - if: ctx.source?.nat?.ip != null - field: related.ip - value: '{{{source.nat.ip}}}' - allow_duplicates: false -- append: - if: ctx.destination?.nat?.ip != null - field: related.ip - value: '{{{destination.nat.ip}}}' - allow_duplicates: false - -################### -## ECS Related User -################### -- append: - if: ctx.source?.user?.name != null - field: related.user - value: "{{{source.user.name}}}" - allow_duplicates: false - -################### -## ECS Related Hash -################### -- append: - if: ctx.file?.hash?.sha1 != null - 
field: related.hash - value: "{{{file.hash.sha1}}}" - allow_duplicates: false -- append: - if: ctx.file?.hash?.sha256 != null - field: related.hash - value: "{{{file.hash.sha256}}}" - allow_duplicates: false - -############# -## Cleanup ## -############# -- rename: - field: sophos.xg.reason - target_field: event.reason - ignore_failure: true - -- remove: - field: - - sophos.xg.bytes_received - - sophos.xg.bytes_sent - - sophos.xg.dst_country - - sophos.xg.in_display_interface - - sophos.xg.out_display_interface - - sophos.xg.recv_bytes - - sophos.xg.sent_bytes - - sophos.xg.severity - - sophos.xg.src_country - ignore_missing: true -- remove: - field: event.original - if: "ctx.tags == null || !(ctx.tags.contains('preserve_original_event'))" - ignore_failure: true - ignore_missing: true -on_failure: -- set: - field: error.message - value: |- - Processor "{{ _ingest.on_failure_processor_type }}" with tag "{{ _ingest.on_failure_processor_tag }}" failed with message "{{ _ingest.on_failure_message }}" diff --git a/packages/sophos/2.4.2/data_stream/xg/elasticsearch/ingest_pipeline/event.yml b/packages/sophos/2.4.2/data_stream/xg/elasticsearch/ingest_pipeline/event.yml deleted file mode 100755 index 7442b607b2..0000000000 --- a/packages/sophos/2.4.2/data_stream/xg/elasticsearch/ingest_pipeline/event.yml +++ /dev/null 
@@ -1,129 +0,0 @@ ---- -description: Pipeline for parsing Sophos XG firewall logs (authentication events pipeline). -processors: -####################### -## ECS Event Mapping ## -####################### -- set: - field: event.kind - value: event -- set: - field: event.outcome - value: success - if: 'ctx.sophos?.xg?.log_subtype == "Authentication" && ctx.sophos?.xg?.status == "Successful"' -- set: - field: event.outcome - value: failure - if: 'ctx.sophos?.xg?.log_subtype == "Authentication" && ctx.sophos?.xg?.status == "Failed"' -- set: - field: event.outcome - value: success - if: 'ctx.sophos?.xg?.log_subtype == "Admin" && ctx.sophos?.xg?.status == "Successful" && ctx.event?.code == "17507"' -- set: - field: event.outcome - value: failure - if: 'ctx.sophos?.xg?.log_subtype == "Admin" && ctx.sophos?.xg?.status == "Failed" && ctx.event?.code == "17507"' -- append: - field: event.type - value: - - user - - start - if: "['17701', '17704', '17707', '17710', '17713'].contains(ctx.event?.code)" -- append: - field: event.type - value: - - user - - end - if: "['17703', '17706', '17709', '17712', '17715'].contains(ctx.event?.code)" -- append: - field: event.type - value: connection - if: "['SSLVPN', 'IPSec', 'Thin Client', 'Radius SSO'].contains(ctx.sophos?.xg?.auth_client)" -- append: - field: event.category - value: network - if: "['SSLVPN', 'IPSec', 'Thin Client', 'Radius SSO'].contains(ctx.sophos?.xg?.auth_client)" -- append: - field: event.category - value: authentication - if: 'ctx.sophos?.xg?.log_subtype == "Authentication"' -- append: - field: event.type - value: info - if: 'ctx.event?.code == "17819"' -- append: - field: event.category - value: - - host - - malware - if: 'ctx.event?.code == "17819"' - -#################################### -## ECS Server/Destination Mapping ## -#################################### -- rename: - field: sophos.xg.dst_ip - target_field: destination.ip - ignore_missing: true - if: "ctx.sophos?.xg?.dst_ip != null" -- rename: - field: 
sophos.xg.localinterfaceip - target_field: destination.ip - ignore_missing: true - if: "ctx.sophos?.xg?.localinterfaceip != null" - -############################### -## ECS Client/Source Mapping ## -############################### -- rename: - field: sophos.xg.src_ip - target_field: source.ip - ignore_missing: true - if: "ctx.sophos?.xg?.src_ip != null" -- rename: - field: sophos.xg.remoteinterfaceip - target_field: source.ip - ignore_missing: true - if: "ctx.sophos?.xg?.remoteinterfaceip != null" -- rename: - field: sophos.xg.user_name - target_field: source.user.name - ignore_missing: true - if: "ctx.sophos?.xg?.user_name != null" -- set: - field: source.user.name - value: '{{sophos.xg.name}}' - if: "ctx.sophos?.xg?.name != null" -- set: - field: user.name - value: '{{source.user.name}}' - ignore_empty_value: true - if: 'ctx.sophos?.xg?.log_subtype == "Authentication"' -- rename: - field: sophos.xg.usergroupname - target_field: source.user.group.name - ignore_missing: true - if: "ctx.sophos?.xg?.usergroupname != null" - -######################### -## ECS Message Mapping ## -######################### -- rename: - field: sophos.xg.message - target_field: message - ignore_missing: true - -############# -## Cleanup ## -############# -- remove: - field: - - sophos.xg.dst_port - - sophos.xg.src_port - - sophos.xg.name - ignore_missing: true -on_failure: -- set: - field: error.message - value: '{{ _ingest.on_failure_message }}' - diff --git a/packages/sophos/2.4.2/data_stream/xg/elasticsearch/ingest_pipeline/firewall.yml b/packages/sophos/2.4.2/data_stream/xg/elasticsearch/ingest_pipeline/firewall.yml deleted file mode 100755 index 7e48fade03..0000000000 --- a/packages/sophos/2.4.2/data_stream/xg/elasticsearch/ingest_pipeline/firewall.yml +++ /dev/null 
@@ -1,232 +0,0 @@ ---- -description: Pipeline for parsing sophos firewall logs (firewall pipeline) -processors: -####################### -## ECS Event Mapping ## -####################### -- set: - field: event.kind - value: event -- set: - field: event.action - value: "{{sophos.xg.log_subtype}}" - if: "ctx.sophos?.xg?.log_subtype != null" -- set: - field: event.outcome - value: success - if: "ctx.sophos?.xg?.log_subtype != null" -- set: - field: event.kind - value: alert - if: '["03001", "05001", "05151", "00003", "00004"].contains(ctx.event?.code)' -- append: - field: event.category - value: intrusion_detection - if: '["03001", "05001", "05151", "00003", "00004"].contains(ctx.event?.code)' -- append: - field: event.category - value: network -- append: - field: event.type - value: - - start - - allowed - - connection - if: "['Start', 'Interim'].contains(ctx.sophos?.xg?.connevent)" -- append: - field: event.type - value: - - end - - allowed - - connection - if: "ctx.sophos?.xg?.connevent == 'Stop'" -- append: - field: event.type - value: - - denied - - connection - if: "ctx.sophos?.xg?.status == 'Deny'" - -#################################### -## ECS Server/Destination Mapping ## -#################################### -- rename: - field: sophos.xg.dst_ip - target_field: destination.ip - ignore_missing: true - if: "ctx.sophos?.xg?.dst_ip != null" -- rename: - field: sophos.xg.tran_dst_ip - target_field: destination.nat.ip - ignore_missing: true - if: "ctx.sophos?.xg?.tran_dst_ip != null" -- rename: - field: sophos.xg.destinationip - target_field: destination.ip - ignore_missing: true - if: "ctx.sophos?.xg?.destinationip !=null" -- convert: - field: sophos.xg.dst_port - target_field: destination.port - type: long - ignore_failure: true - ignore_missing: true - if: "ctx.sophos?.xg?.dst_port != null" -- convert: - field: sophos.xg.tran_dst_port - target_field: destination.nat.port - type: long - ignore_failure: true - ignore_missing: true - if: 
"ctx.sophos?.xg?.tran_dst_port != null" -- convert: - field: sophos.xg.recv_pkts - target_field: destination.packets - type: long - ignore_failure: true - ignore_missing: true - if: "ctx.sophos?.xg?.recv_pkts !=null" -- convert: - field: sophos.xg.packets_received - target_field: destination.packets - type: long - ignore_failure: true - ignore_missing: true - if: "ctx.sophos?.xg?.packets_received !=null" - -############################### -## ECS Client/Source Mapping ## -############################### -- rename: - field: sophos.xg.src_ip - target_field: source.ip - ignore_missing: true - if: "ctx.sophos?.xg?.src_ip != null" -- rename: - field: sophos.xg.tran_src_ip - target_field: source.nat.ip - ignore_missing: true - if: "ctx.sophos?.xg?.tran_src_ip != null" -- rename: - field: sophos.xg.src_trans_ip - target_field: source.nat.ip - ignore_missing: true - if: "ctx.sophos?.xg?.src_trans_ip != null" -- rename: - field: sophos.xg.sourceip - target_field: source.ip - ignore_missing: true - if: "ctx.sophos?.xg?.sourceip != null" -- convert: - field: sophos.xg.src_port - target_field: source.port - type: long - ignore_failure: true - ignore_missing: true - if: "ctx.sophos?.xg?.src_port != null" -- convert: - field: sophos.xg.tran_src_port - target_field: source.nat.port - type: long - ignore_failure: true - ignore_missing: true - if: "ctx.sophos?.xg?.tran_src_port != null" -- rename: - field: sophos.xg.src_mac - target_field: source.mac - ignore_missing: true - if: "ctx.sophos?.xg?.src_mac != null" -- trim: - field: sophos.xg.sent_pkts - ignore_missing: true -- trim: - field: sophos.xg.packets_sent - ignore_missing: true -- convert: - field: sophos.xg.sent_pkts - target_field: source.packets - type: long - ignore_failure: true - ignore_missing: true - if: "ctx.sophos?.xg?.sent_pkts != null" -- convert: - field: sophos.xg.packets_sent - target_field: source.packets - type: long - ignore_failure: true - ignore_missing: true - if: "ctx.sophos?.xg?.packets_sent != null" 
-- rename: - field: sophos.xg.user_name - target_field: source.user.name - ignore_missing: true - if: "ctx.sophos?.xg?.user_name != null" -- rename: - field: sophos.xg.user_gp - target_field: source.user.group.name - ignore_missing: true - if: "ctx.sophos?.xg?.user_gp != null" - -###################### -## ECS Rule Mapping ## -###################### -- rename: - field: sophos.xg.fw_rule_id - target_field: rule.id - ignore_missing: true - if: "ctx.rule?.id == null" -- rename: - field: sophos.xg.policy_type - target_field: rule.ruleset - ignore_missing: true - if: "ctx.sophos?.xg?.policy_type != null" - -###################### -## ECS Network Mapping -###################### -- rename: - field: sophos.xg.application - target_field: network.protocol - ignore_missing: true -- rename: - field: sophos.xg.protocol - target_field: network.transport - ignore_missing: true -- set: - field: network.direction - value: inbound - if: "['LAN', 'DMZ', 'VPN', 'WiFi'].contains(ctx.observer?.egress?.zone) && ctx.observer?.ingress?.zone == 'WAN'" -- set: - field: network.direction - value: outbound - if: "['LAN', 'DMZ', 'VPN', 'WiFi'].contains(ctx.observer?.ingress?.zone) && ctx.observer?.egress?.zone == 'WAN'" -- set: - field: network.direction - value: internal - if: "['LAN', 'DMZ', 'VPN', 'WiFi'].contains(ctx.observer?.ingress?.zone) && ['LAN', 'DMZ', 'VPN', 'WiFi'].contains(ctx.observer?.egress?.zone)" -- set: - field: network.direction - value: external - if: "ctx.observer?.ingress?.zone == 'WAN' && ctx.observer?.egress?.zone == 'WAN'" - -############# -## Cleanup ## -############# -- lowercase: - field: event.action - ignore_failure: true -- remove: - field: - - sophos.xg.dst_port - - sophos.xg.tran_dst_port - - sophos.xg.recv_pkts - - sophos.xg.src_port - - sophos.xg.tran_src_port - - sophos.xg.sent_pkts - - sophos.xg.packets_received - - sophos.xg.packets_sent - ignore_missing: true -on_failure: -- set: - field: error.message - value: '{{ _ingest.on_failure_message }}' 
diff --git a/packages/sophos/2.4.2/data_stream/xg/elasticsearch/ingest_pipeline/idp.yml b/packages/sophos/2.4.2/data_stream/xg/elasticsearch/ingest_pipeline/idp.yml deleted file mode 100755 index c38552b4c6..0000000000 --- a/packages/sophos/2.4.2/data_stream/xg/elasticsearch/ingest_pipeline/idp.yml +++ /dev/null 
@@ -1,115 +0,0 @@ ---- -description: Pipeline for parsing sophos firewall logs (ipd pipeline) -processors: -####################### -## ECS Event Mapping ## -####################### -- set: - field: event.kind - value: alert -- set: - field: event.action - value: "{{sophos.xg.log_subtype}}" - if: "ctx.sophos?.xg?.log_subtype != null" -- set: - field: event.outcome - value: success - if: "ctx.sophos?.xg?.log_subtype != null" -- append: - field: event.category - value: - - intrusion_detection - - network - if: '["06001", "06002", "07001", "07002"].contains(ctx.event?.code)' -- append: - field: event.type - value: - - denied - - connection - if: '["06001", "06002", "07001", "07002"].contains(ctx.event?.code)' - -#################################### -## ECS Server/Destination Mapping ## -#################################### -- rename: - field: sophos.xg.dst_ip - target_field: destination.ip - ignore_missing: true - if: "ctx.sophos?.xg?.dst_ip != null" -- convert: - field: sophos.xg.dst_port - target_field: destination.port - type: long - ignore_failure: true - ignore_missing: true - if: "ctx.sophos?.xg?.dst_port != null" - -############################### -## ECS Client/Source Mapping ## -############################### -- rename: - field: sophos.xg.src_ip - target_field: source.ip - ignore_missing: true - if: "ctx.sophos?.xg?.src_ip != null" -- convert: - field: sophos.xg.src_port - target_field: source.port - type: long - ignore_failure: true - ignore_missing: true - if: "ctx.sophos?.xg?.src_port != null" -- rename: - field: sophos.xg.user_name - target_field: source.user.name - ignore_missing: true - if: "ctx.sophos?.xg?.user_name != null" - -###################### -## ECS Rule Mapping ## -###################### -- rename: - field: sophos.xg.signature_id - target_field: rule.id - ignore_missing: true - if: "ctx.sophos?.xg?.signature_id != null" -- rename: - field: sophos.xg.signature_msg - target_field: rule.name - ignore_missing: true - if: 
"ctx.sophos?.xg?.signature_msg != null" -- rename: - field: sophos.xg.classification - target_field: rule.category - ignore_missing: true - if: "ctx.sophos?.xg?.classification != null" - -###################### -## ECS Network Mapping -###################### -- rename: - field: sophos.xg.protocol - target_field: network.transport - ignore_missing: true - -############# -## Cleanup ## -############# -- lowercase: - field: network.protocol - ignore_failure: true -- lowercase: - field: event.action - ignore_failure: true -- lowercase: - field: event.info - ignore_failure: true -- remove: - field: - - sophos.xg.dst_port - - sophos.xg.src_port - ignore_missing: true -on_failure: -- set: - field: error.message - value: '{{ _ingest.on_failure_message }}' diff --git a/packages/sophos/2.4.2/data_stream/xg/elasticsearch/ingest_pipeline/sandstorm.yml b/packages/sophos/2.4.2/data_stream/xg/elasticsearch/ingest_pipeline/sandstorm.yml deleted file mode 100755 index df874a5254..0000000000 --- a/packages/sophos/2.4.2/data_stream/xg/elasticsearch/ingest_pipeline/sandstorm.yml +++ /dev/null 
@@ -1,133 +0,0 @@ ---- -description: Pipeline for parsing sophos firewall logs (sandbox pipeline) -processors: -####################### -## ECS Event Mapping ## -####################### -- set: - field: event.kind - value: event -- set: - field: event.action - value: "{{sophos.xg.log_subtype}}" - if: "ctx.sophos?.xg?.log_subtype != null" -- set: - field: event.outcome - value: success - if: "ctx.sophos?.xg?.log_subtype != null" -- set: - field: event.kind - value: alert - if: 'ctx.sophos?.xg?.log_subtype == "Denied"' -- append: - field: event.category - value: - - malware - - network - if: 'ctx.sophos?.xg?.log_subtype == "Denied"' -- append: - field: event.category - value: network - if: "ctx.sophos?.xg?.log_subtype != 'Denied'" -- append: - field: event.type - value: allowed - if: "['Allowed'].contains(ctx.sophos?.xg?.log_subtype)" -- append: - field: event.type - value: - - start - - connection - if: "['pending'].contains(ctx.sophos?.xg?.reason)" -- append: - field: event.type - value: - - end - - connection - if: "ctx.sophos?.xg?.reason == 'eligible'" -- append: - field: event.type - value: - - denied - - connection - if: "ctx.sophos?.xg?.log_subtype == 'Denied'" - -- rename: - if: ctx.sophos?.xg?.log_component == "Web" - field: sophos.xg.source - target_field: url.domain - ignore_missing: true - -######################## -## ECS Source Mapping ## -######################## -- rename: - field: sophos.xg.src_ip - target_field: source.ip - ignore_missing: true - if: "ctx.sophos?.xg?.src_ip != null" -- rename: - field: sophos.xg.user_name - target_field: source.user.name - ignore_missing: true - if: "ctx.sophos?.xg?.user_name != null" - -############################# -## ECS Destination Mapping ## -############################# -- convert: - field: url.domain - target_field: destination.ip - type: ip - ignore_missing: true - on_failure: - - set: - field: destination.domain - copy_from: url.domain - ignore_empty_value: true - -###################### -## ECS File 
Mapping ## -###################### -- rename: - field: sophos.xg.filename - target_field: file.name - ignore_missing: true - if: ctx.sophos?.xg?.filename != null -- convert: - field: sophos.xg.filesize - target_field: file.size - type: long - ignore_failure: true - ignore_missing: true - if: "ctx.sophos?.xg?.filesize != null" -- rename: - field: sophos.xg.filetype - target_field: file.mime_type - ignore_missing: true - if: "ctx.sophos?.xg?.filetype != null" - -# In 18.0 and later the sha1sum contains the sha256 checksum of the file. -- rename: - field: sophos.xg.sha1sum - target_field: file.hash.sha1 - ignore_missing: true - if: "ctx.sophos?.xg?.sha1sum != null && ctx.sophos.xg.sha1sum.length() == 40" -- rename: - field: sophos.xg.sha1sum - target_field: file.hash.sha256 - ignore_missing: true - if: "ctx.sophos?.xg?.sha1sum != null && ctx.sophos.xg.sha1sum.length() == 64" - -############# -## Cleanup ## -############# -- remove: - field: - - sophos.xg.filesize - - sophos.xg.sha1sum - ignore_missing: true -on_failure: -- set: - field: error.message - value: '{{ _ingest.on_failure_message }}' diff --git a/packages/sophos/2.4.2/data_stream/xg/elasticsearch/ingest_pipeline/systemhealth.yml b/packages/sophos/2.4.2/data_stream/xg/elasticsearch/ingest_pipeline/systemhealth.yml deleted file mode 100755 index 7a55e8b6a2..0000000000 --- a/packages/sophos/2.4.2/data_stream/xg/elasticsearch/ingest_pipeline/systemhealth.yml +++ /dev/null 
@@ -1,182 +0,0 @@ ---- -description: Pipeline for parsing sophos firewall logs (systemhealth pipeline) -processors: -####################### -## ECS Event Mapping ## -####################### -- set: - field: event.kind - value: event -- rename: - field: sophos.xg.idle - target_field: sophos.xg.idle_cpu - ignore_missing: true -- gsub: - field: sophos.xg.idle_cpu - pattern: "%$" - replacement: "" - ignore_missing: true - ignore_failure: true -- convert: - field: sophos.xg.idle_cpu - type: float - ignore_missing: true - on_failure: - - remove: - field: sophos.xg.idle_cpu -- rename: - field: sophos.xg.system - target_field: sophos.xg.system_cpu - ignore_missing: true -- gsub: - field: sophos.xg.system_cpu - pattern: "%$" - replacement: "" - ignore_missing: true - ignore_failure: true -- convert: - field: sophos.xg.system_cpu - type: float - ignore_missing: true - on_failure: - - remove: - field: sophos.xg.system_cpu -- rename: - field: sophos.xg.user - target_field: sophos.xg.user_cpu - ignore_missing: true -- gsub: - field: sophos.xg.user_cpu - pattern: "%$" - replacement: "" - ignore_missing: true - ignore_failure: true -- convert: - field: sophos.xg.user_cpu - type: float - ignore_missing: true - on_failure: - - remove: - field: sophos.xg.user_cpu -- convert: - field: sophos.xg.used - type: integer - ignore_missing: true - on_failure: - - remove: - field: sophos.xg.used -- convert: - field: sophos.xg.total_memory - type: integer - ignore_missing: true - on_failure: - - remove: - field: sophos.xg.total_memory -- convert: - field: sophos.xg.free - type: integer - ignore_missing: true - on_failure: - - remove: - field: sophos.xg.free -- gsub: - field: sophos.xg.configuration - pattern: "%$" - replacement: "" - ignore_missing: true - ignore_failure: true -- convert: - field: sophos.xg.configuration - type: float - ignore_missing: true - on_failure: - - remove: - field: - - sophos.xg.configuration - -- gsub: - field: sophos.xg.reports - pattern: "%$" - replacement: "" - 
ignore_missing: true - ignore_failure: true -- convert: - field: sophos.xg.reports - type: float - ignore_missing: true - on_failure: - - remove: - field: sophos.xg.reports -- gsub: - field: sophos.xg.temp - pattern: "%$" - replacement: "" - ignore_missing: true - ignore_failure: true -- convert: - field: sophos.xg.temp - type: float - ignore_missing: true - on_failure: - - remove: - field: sophos.xg.temp -- gsub: - field: sophos.xg.signature - pattern: "%$" - replacement: "" - ignore_missing: true - ignore_failure: true -- convert: - field: sophos.xg.signature - type: float - ignore_missing: true - on_failure: - - remove: - field: sophos.xg.signature -- convert: - field: sophos.xg.users - type: integer - ignore_missing: true - on_failure: - - remove: - field: sophos.xg.users -- convert: - field: sophos.xg.transmittedkbits - type: float - ignore_missing: true - on_failure: - - remove: - field: sophos.xg.transmittedkbits -- convert: - field: sophos.xg.receivedkbits - type: float - ignore_missing: true - on_failure: - - remove: - field: sophos.xg.receivedkbits -- convert: - field: sophos.xg.collisions - type: float - ignore_missing: true - on_failure: - - remove: - field: sophos.xg.collisions -- convert: - field: sophos.xg.receiveddrops - type: float - ignore_missing: true - on_failure: - - remove: - field: sophos.xg.receiveddrops -- convert: - field: sophos.xg.transmitteddrops - type: float - ignore_missing: true - on_failure: - - remove: - field: sophos.xg.transmitteddrops - -on_failure: -- set: - field: error.message - value: '{{ _ingest.on_failure_message }}' diff --git a/packages/sophos/2.4.2/data_stream/xg/elasticsearch/ingest_pipeline/waf.yml b/packages/sophos/2.4.2/data_stream/xg/elasticsearch/ingest_pipeline/waf.yml deleted file mode 100755 index a59c4334cd..0000000000 --- a/packages/sophos/2.4.2/data_stream/xg/elasticsearch/ingest_pipeline/waf.yml +++ /dev/null 
@@ -1,174 +0,0 @@ ---- -description: Pipeline for parsing sophos firewall logs (waf pipeline) -processors: -####################### -## ECS Event Mapping ## -####################### -- set: - field: event.kind - value: event -- set: - field: event.action - value: allowed - if: 'ctx.sophos?.xg?.reason == "-"' -- set: - field: event.action - value: denied - if: 'ctx.sophos?.xg?.reason != "-"' -- set: - field: event.outcome - value: success - if: "ctx.sophos?.xg?.reason != null" -- set: - field: event.kind - value: alert - if: 'ctx.sophos?.xg?.reason != "-"' -- append: - field: event.category - value: - - malware - - network - if: 'ctx.sophos?.xg?.reason == "Antivirus"' -- append: - field: event.category - value: - - intrusion_detection - - network - if: "ctx.sophos?.xg?.reason != 'Antivirus' && ctx.sophos?.xg?.reason != '-'" -- append: - field: event.type - value: - - allowed - - connection - if: 'ctx.sophos?.xg?.reason == "-"' -- append: - field: event.type - value: - - denied - - connection - if: 'ctx.sophos?.xg?.reason != "-"' - -- convert: - field: sophos.xg.responsetime - type: long - ignore_missing: true - on_failure: - - remove: - field: sophos.xg.responsetime -- script: - description: Convert microseconds to nanoseconds. 
- lang: painless - source: | - if (ctx.sophos?.xg?.responsetime != null && ctx.sophos.xg.responsetime > 0) { - ctx.event.duration = ctx.sophos.xg.responsetime * 1000; - } - -#################################### -## ECS Server/Destination Mapping ## -#################################### -- rename: - field: sophos.xg.localip - target_field: destination.ip - ignore_missing: true - if: "ctx.sophos?.xg?.localip != null" -- convert: - field: sophos.xg.bytessent - target_field: destination.bytes - type: long - ignore_failure: true - ignore_missing: true - if: "ctx.sophos?.xg?.bytessent != null" - -############################### -## ECS Client/Source Mapping ## -############################### -- rename: - field: sophos.xg.sourceip - target_field: source.ip - ignore_missing: true - if: "ctx.sophos?.xg?.sourceip != null" -- convert: - field: sophos.xg.bytesrcv - target_field: source.bytes - type: long - ignore_failure: true - ignore_missing: true - if: "ctx.sophos?.xg?.bytesrcv != null" -- rename: - field: sophos.xg.user_name - target_field: source.user.name - ignore_missing: true - if: "ctx.sophos?.xg?.user_name != null" -- rename: - field: sophos.xg.user_gp - target_field: source.user.group.name - ignore_missing: true - if: "ctx.sophos?.xg?.user_gp != null" - -##################### -## ECS URL Mapping ## -##################### -- rename: - field: sophos.xg.url - target_field: url.full - ignore_missing: true - if: "ctx.sophos?.xg?.url != null" -- rename: - field: sophos.xg.domain - target_field: url.domain - ignore_missing: true - if: "ctx.sophos?.xg?.domain != null" - -############################ -## ECS User Agent Mapping ## -############################ -- rename: - field: sophos.xg.referer - target_field: http.request.referrer - ignore_missing: true - if: "ctx.sophos?.xg?.referer != null" -- convert: - field: sophos.xg.httpstatus - target_field: destination.bytes - type: long - ignore_failure: true - ignore_missing: true - if: "ctx.sophos?.xg?.httpstatus != null" -- 
rename: - field: sophos.xg.method - target_field: http.request.method - ignore_missing: true - if: "ctx.sophos?.xg?.method != null" -- rename: - field: sophos.xg.ws_protocol - target_field: http.version - ignore_missing: true - if: "ctx.sophos?.xg?.ws_protocol != null" -- rename: - field: sophos.xg.useragent - target_field: user_agent.original - ignore_missing: true - if: "ctx.sophos?.xg?.useragent != null" - -############# -## Cleanup ## -############# -- rename: - field: sophos.xg.SQLi - target_field: sophos.xg.sqli - ignore_missing: true -- rename: - field: sophos.xg.XSS - target_field: sophos.xg.xss - ignore_missing: true -- remove: - field: - - sophos.xg.bytesrcv - - sophos.xg.bytessent - - sophos.xg.httpstatus - - sophos.xg.responsetime - ignore_missing: true -on_failure: -- set: - field: error.message - value: '{{ _ingest.on_failure_message }}' diff --git a/packages/sophos/2.4.2/data_stream/xg/elasticsearch/ingest_pipeline/wifi.yml b/packages/sophos/2.4.2/data_stream/xg/elasticsearch/ingest_pipeline/wifi.yml deleted file mode 100755 index 9dbbeb06c0..0000000000 --- a/packages/sophos/2.4.2/data_stream/xg/elasticsearch/ingest_pipeline/wifi.yml +++ /dev/null @@ -1,27 +0,0 @@ ---- -description: Pipeline for parsing Sophos XG firewall logs (wireless protection pipeline). -processors: -####################### -## ECS Event Mapping ## -####################### -- set: - field: event.kind - value: event -- set: - field: event.outcome - value: success -- convert: - field: sophos.xg.clients_conn_ssid - type: long - ignore_missing: true - on_failure: - - remove: - field: sophos.xg.clients_conn_ssid - -############# -## Cleanup ## -############# -on_failure: -- set: - field: error.message - value: '{{ _ingest.on_failure_message }}' diff --git a/packages/sophos/2.4.2/data_stream/xg/fields/agent.yml b/packages/sophos/2.4.2/data_stream/xg/fields/agent.yml deleted file mode 100755 index 98998ae549..0000000000 
--- a/packages/sophos/2.4.2/data_stream/xg/fields/agent.yml +++ /dev/null 
@@ -1,207 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. 
- -- name: input.type - type: keyword - description: Input type -- name: log.offset - type: long - description: Log offset -- name: log.source.address - type: keyword - ignore_above: 1024 diff --git a/packages/sophos/2.4.2/data_stream/xg/fields/base-fields.yml b/packages/sophos/2.4.2/data_stream/xg/fields/base-fields.yml deleted file mode 100755 index a6aa5f75de..0000000000 --- a/packages/sophos/2.4.2/data_stream/xg/fields/base-fields.yml +++ /dev/null @@ -1,20 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: event.module - type: constant_keyword - description: Event module - value: sophos -- name: event.dataset - type: constant_keyword - description: Event dataset - value: sophos.xg -- name: '@timestamp' - type: date - description: Event timestamp. diff --git a/packages/sophos/2.4.2/data_stream/xg/fields/ecs.yml b/packages/sophos/2.4.2/data_stream/xg/fields/ecs.yml deleted file mode 100755 index e2a16d5a76..0000000000 --- a/packages/sophos/2.4.2/data_stream/xg/fields/ecs.yml +++ /dev/null 
@@ -1,559 +0,0 @@ -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: destination.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: destination.as.organization.name - type: keyword -- description: Bytes sent from the destination to the source. - name: destination.bytes - type: long -- description: |- - The domain name of the destination system. - This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. - name: destination.domain - type: keyword -- description: City name. - name: destination.geo.city_name - type: keyword -- description: Name of the continent. - name: destination.geo.continent_name - type: keyword -- description: Country ISO code. - name: destination.geo.country_iso_code - type: keyword -- description: Country name. - name: destination.geo.country_name - type: keyword -- description: Longitude and latitude. - name: destination.geo.location - type: geo_point -- description: |- - User-defined description of a location, at the level of granularity they care about. - Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. - Not typically used in automated geolocation. - name: destination.geo.name - type: keyword -- description: Region ISO code. - name: destination.geo.region_iso_code - type: keyword -- description: Region name. - name: destination.geo.region_name - type: keyword -- description: IP address of the destination (IPv4 or IPv6). - name: destination.ip - type: ip -- description: |- - MAC address of the destination. - The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. 
Successive octets are separated by a hyphen. - name: destination.mac - pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ - type: keyword -- description: |- - Translated ip of destination based NAT sessions (e.g. internet to private DMZ) - Typically used with load balancers, firewalls, or routers. - name: destination.nat.ip - type: ip -- description: |- - Port the source session is translated to by NAT Device. - Typically used with load balancers, firewalls, or routers. - name: destination.nat.port - type: long -- description: Packets sent from the destination to the source. - name: destination.packets - type: long -- description: Port of the destination. - name: destination.port - type: long -- description: User email address. - name: destination.user.email - type: keyword -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: The email address of the sender, typically from the RFC 5322 `From:` header field. - name: email.from.address - normalize: - - array - type: keyword -- description: The email address of recipient - name: email.to.address - normalize: - - array - type: keyword -- description: A brief summary of the topic of the message. - multi_fields: - - name: text - type: match_only_text - name: email.subject - type: keyword -- description: |- - The action captured by the event. - This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. - name: event.action - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. 
- `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. This will allow proper categorization of some events that fall in multiple categories. - name: event.category - normalize: - - array - type: keyword -- description: |- - Identification code for this event, if one exists. - Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. - name: event.code - type: keyword -- description: |- - event.created contains the date/time when the event was first read by an agent, or by your pipeline. - This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. - In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. - In case the two timestamps are identical, @timestamp should be used. - name: event.created - type: date -- description: |- - Duration of the event in nanoseconds. - If event.start and event.end are known this value should be the difference between the end and start time. - name: event.duration - type: long -- description: event.end contains the date when the event ended or when the activity was last observed. - name: event.end - type: date -- description: Hash (perhaps logstash fingerprint) of raw field to be able to demonstrate log integrity. - name: event.hash - type: keyword -- description: Unique ID to describe the event. 
- name: event.id - type: keyword -- description: |- - Timestamp when an event arrived in the central data store. - This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. - In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. - name: event.ingested - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: |- - Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. - This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. - doc_values: false - index: false - name: event.original - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. - `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. 
- Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. - Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. - Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. - name: event.outcome - type: keyword -- description: |- - Source of the event. - Event transports such as Syslog or the Windows Event Log typically mention the source of an event. It can be the name of the software that generated the event (e.g. Sysmon, httpd), or of a subsystem of the operating system (kernel, Microsoft-Windows-Security-Auditing). - name: event.provider - type: keyword -- description: |- - Reason why this event happened, according to the source. - This describes the why of a particular action or outcome captured in the event. Where `event.action` captures the action from the event, `event.reason` describes why that action was taken. For example, a web proxy with an `event.action` which denied the request may also populate `event.reason` with the reason why (e.g. `blocked site`). - name: event.reason - type: keyword -- description: |- - Sequence number of the event. - The sequence number is a value published by some event sources, to make the exact ordering of events unambiguous, regardless of the timestamp precision. - name: event.sequence - type: long -- description: |- - The numeric severity of the event according to your event source. - What the different severity values mean can be different between sources and use cases. 
It's up to the implementer to make sure severities are consistent across events from the same source. - The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`. - name: event.severity - type: long -- description: event.start contains the date when the event started or when the activity was first observed. - name: event.start - type: date -- description: |- - This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. - Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). - name: event.timezone - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. - `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. This will allow proper categorization of some events that fall in multiple event types. - name: event.type - normalize: - - array - type: keyword -- description: Directory where the file is located. It should include the drive letter, when appropriate. - name: file.directory - type: keyword -- description: |- - File extension, excluding the leading dot. - Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). - name: file.extension - type: keyword -- description: MD5 hash. - name: file.hash.md5 - type: keyword -- description: SHA1 hash. - name: file.hash.sha1 - type: keyword -- description: SHA256 hash. 
- name: file.hash.sha256 - type: keyword -- description: SHA512 hash. - name: file.hash.sha512 - type: keyword -- description: MIME type should identify the format of the file or stream of bytes using https://www.iana.org/assignments/media-types/media-types.xhtml[IANA official types], where possible. When more than one type is applicable, the most specific type should be used. - name: file.mime_type - type: keyword -- description: Name of the file including the extension, without the directory. - name: file.name - type: keyword -- description: |- - File size in bytes. - Only relevant when `file.type` is "file". - name: file.size - type: long -- description: |- - HTTP request method. - The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field. - name: http.request.method - type: keyword -- description: Referrer for this HTTP request. - name: http.request.referrer - type: keyword -- description: HTTP response status code. - name: http.response.status_code - type: long -- description: HTTP version. - name: http.version - type: keyword -- description: |- - Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. - If the event wasn't read from a log file, do not populate this field. - name: log.file.path - type: keyword -- description: |- - Original log level of the log event. - If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). - Some examples are `warn`, `err`, `i`, `informational`. - name: log.level - type: keyword -- description: The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. 
- name: log.logger - type: keyword -- description: |- - For log events the message field contains the log message, optimized for viewing in a log viewer. - For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. - If multiple messages exist, they can be combined into one message. - name: message - type: match_only_text -- description: |- - Total bytes transferred in both directions. - If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. - name: network.bytes - type: long -- description: |- - A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. - Learn more at https://github.com/corelight/community-id-spec. - name: network.community_id - type: keyword -- description: |- - Direction of the network traffic. - When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". - When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". - Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. - name: network.direction - type: keyword -- description: |- - Total packets transferred in both directions. - If `source.packets` and `destination.packets` are known, `network.packets` is their sum. - name: network.packets - type: long -- description: |- - In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. 
- The field value must be normalized to lowercase for querying. - name: network.protocol - type: keyword -- description: |- - Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) - The field value must be normalized to lowercase for querying. - name: network.transport - type: keyword -- description: Interface name as reported by the system. - name: observer.egress.interface.name - type: keyword -- description: Network zone of outbound traffic as reported by the observer to categorize the destination area of egress traffic, e.g. Internal, External, DMZ, HR, Legal, etc. - name: observer.egress.zone - type: keyword -- description: Hostname of the observer. - name: observer.hostname - type: keyword -- description: Interface name as reported by the system. - name: observer.ingress.interface.name - type: keyword -- description: Network zone of incoming traffic as reported by the observer to categorize the source area of ingress traffic. e.g. internal, External, DMZ, HR, Legal, etc. - name: observer.ingress.zone - type: keyword -- description: The product name of the observer. - name: observer.product - type: keyword -- description: Observer serial number. - name: observer.serial_number - type: keyword -- description: |- - The type of the observer the data is coming from. - There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. - name: observer.type - type: keyword -- description: Vendor name of the observer. - name: observer.vendor - type: keyword -- description: All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). - name: related.hash - normalize: - - array - type: keyword -- description: All hostnames or other host identifiers seen on your event. 
Example identifiers include FQDNs, domain names, workstation names, or aliases. - name: related.hosts - normalize: - - array - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - normalize: - - array - type: ip -- description: All the user names or other user identifiers seen on the event. - name: related.user - normalize: - - array - type: keyword -- description: A categorization value keyword used by the entity using the rule for detection of this event. - name: rule.category - type: keyword -- description: A rule ID that is unique within the scope of an agent, observer, or other entity using the rule for detection of this event. - name: rule.id - type: keyword -- description: The name of the rule or signature generating the event. - name: rule.name - type: keyword -- description: Name of the ruleset, policy, group, or parent category in which the rule used to generate this event is a member. - name: rule.ruleset - type: keyword -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: source.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: source.as.organization.name - type: keyword -- description: Bytes sent from the source to the destination. - name: source.bytes - type: long -- description: |- - The domain name of the source system. - This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. - name: source.domain - type: keyword -- description: City name. - name: source.geo.city_name - type: keyword -- description: Name of the continent. - name: source.geo.continent_name - type: keyword -- description: Country ISO code. - name: source.geo.country_iso_code - type: keyword -- description: Country name. 
- name: source.geo.country_name - type: keyword -- description: Longitude and latitude. - name: source.geo.location - type: geo_point -- description: |- - User-defined description of a location, at the level of granularity they care about. - Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. - Not typically used in automated geolocation. - name: source.geo.name - type: keyword -- description: Region ISO code. - name: source.geo.region_iso_code - type: keyword -- description: Region name. - name: source.geo.region_name - type: keyword -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: |- - MAC address of the source. - The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. - name: source.mac - pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ - type: keyword -- description: |- - Translated ip of source based NAT sessions (e.g. internal client to internet) - Typically connections traversing load balancers, firewalls, or routers. - name: source.nat.ip - type: ip -- description: |- - Translated port of source based NAT sessions. (e.g. internal client to internet) - Typically used with load balancers, firewalls, or routers. - name: source.nat.port - type: long -- description: Packets sent from the source to the destination. - name: source.packets - type: long -- description: Port of the source. - name: source.port - type: long -- description: User email address. - name: source.user.email - type: keyword -- description: Name of the group. - name: source.user.group.name - type: keyword -- description: Short name or login of the user. - multi_fields: - - name: text - type: match_only_text - name: source.user.name - type: keyword -- description: List of keywords used to tag each event. 
- name: tags - normalize: - - array - type: keyword -- description: |- - Domain of the url, such as "www.elastic.co". - In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. - If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. - name: url.domain - type: keyword -- description: |- - The field contains the file extension from the original request url, excluding the leading dot. - The file extension is only set if it exists, as not every url has a file extension. - The leading period must not be included. For example, the value must be "png", not ".png". - Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). - name: url.extension - type: keyword -- description: |- - Portion of the url after the `#`, such as "top". - The `#` is not part of the fragment. - name: url.fragment - type: keyword -- description: If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. - multi_fields: - - name: text - type: match_only_text - name: url.full - type: wildcard -- description: |- - Unmodified original url as seen in the event source. - Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. - This field is meant to represent the URL as it was observed, complete or not. - multi_fields: - - name: text - type: match_only_text - name: url.original - type: wildcard -- description: Password of the request. - name: url.password - type: keyword -- description: Path of the request, such as "/search". - name: url.path - type: wildcard -- description: Port of the request, such as 443. 
- name: url.port - type: long -- description: |- - The query field describes the query string of the request, such as "q=elasticsearch". - The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. - name: url.query - type: keyword -- description: |- - The highest registered url domain, stripped of the subdomain. - For example, the registered domain for "foo.example.com" is "example.com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". - name: url.registered_domain - type: keyword -- description: |- - Scheme of the request, such as "https". - Note: The `:` is not part of the scheme. - name: url.scheme - type: keyword -- description: |- - The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. - For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. - name: url.subdomain - type: keyword -- description: |- - The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". 
- name: url.top_level_domain - type: keyword -- description: Username of the request. - name: url.username - type: keyword -- description: User email address. - name: user.email - type: keyword -- description: Short name or login of the user. - multi_fields: - - name: text - type: match_only_text - name: user.name - type: keyword -- description: Name of the device. - name: user_agent.device.name - type: keyword -- description: Name of the user agent. - name: user_agent.name - type: keyword -- description: Unparsed user_agent string. - multi_fields: - - name: text - type: match_only_text - name: user_agent.original - type: keyword -- description: OS family (such as redhat, debian, freebsd, windows). - name: user_agent.os.family - type: keyword -- description: Operating system name, including the version or code name. - multi_fields: - - name: text - type: match_only_text - name: user_agent.os.full - type: keyword -- description: Operating system kernel version as a raw string. - name: user_agent.os.kernel - type: keyword -- description: Operating system name, without the version. - multi_fields: - - name: text - type: match_only_text - name: user_agent.os.name - type: keyword -- description: Operating system platform (such centos, ubuntu, windows). - name: user_agent.os.platform - type: keyword -- description: Operating system version as a raw string. - name: user_agent.os.version - type: keyword -- description: Version of the user agent. - name: user_agent.version - type: keyword diff --git a/packages/sophos/2.4.2/data_stream/xg/fields/fields.yml b/packages/sophos/2.4.2/data_stream/xg/fields/fields.yml deleted file mode 100755 index 6dd56deeab..0000000000 --- a/packages/sophos/2.4.2/data_stream/xg/fields/fields.yml +++ /dev/null 
@@ -1,830 +0,0 @@ -- name: sophos - type: group - fields: - - name: xg - type: group - fields: - - name: action - type: keyword - description: | - Event Action - - name: activityname - type: keyword - description: | - Web policy activity that matched and caused the policy result. - - name: ap - type: keyword - description: | - Access Point Serial ID or LocalWifi0 or LocalWifi1. - - name: app_category - type: keyword - description: | - Name of the category under which application falls - - name: app_filter_policy_id - type: keyword - description: | - Application filter policy ID applied on the traffic - - name: app_is_cloud - type: keyword - description: | - Application is Cloud - - name: app_name - type: keyword - description: | - Application name - - name: app_resolved_by - type: keyword - description: | - Application is resolved by signature or synchronized application - - name: app_risk - type: keyword - description: | - Risk level assigned to the application - - name: app_technology - type: keyword - description: | - Technology of the application - - name: appfilter_policy_id - type: integer - description: | - Application Filter policy applied on the traffic - - name: application - type: keyword - description: | - Application name - - name: application_category - type: keyword - description: | - Application is resolved by signature or synchronized application - - name: application_filter_policy - type: integer - description: | - Application Filter policy applied on the traffic - - name: application_name - type: keyword - description: | - Application name - - name: application_risk - type: keyword - description: | - Risk level assigned to the application - - name: application_technology - type: keyword - description: | - Technology of the application - - name: appresolvedby - type: keyword - description: | - Technology of the application - - name: auth_client - type: keyword - description: | - Auth Client - - name: auth_mechanism - type: keyword - description: | 
- Auth mechanism - - name: av_policy_name - type: keyword - description: | - Malware scanning policy name which is applied on the traffic - - name: backup_mode - type: keyword - description: | - Backup mode - - name: branch_name - type: keyword - description: | - Branch Name - - name: category - type: keyword - description: | - IPS signature category. - - name: category_type - type: keyword - description: | - Type of category under which website falls - - name: classification - type: keyword - description: | - Signature classification - - name: client_host_name - type: keyword - description: | - Client host name - - name: client_physical_address - type: keyword - description: | - Client physical address - - name: clients_conn_ssid - type: long - description: | - Number of client connected to the SSID. - - name: collisions - type: long - description: | - collisions - - name: con_event - type: keyword - description: | - Event Start/Stop - - name: con_id - type: integer - description: | - Unique identifier of connection - - name: configuration - type: float - description: | - Configuration - - name: conn_id - type: integer - description: | - Unique identifier of connection - - name: connectionname - type: keyword - description: | - Connectionname - - name: connectiontype - type: keyword - description: | - Connectiontype - - name: connevent - type: keyword - description: | - Event on which this log is generated - - name: connid - type: keyword - description: | - Connection ID - - name: content_type - type: keyword - description: | - Type of the content - - name: contenttype - type: keyword - description: | - Type of the content - - name: context_match - type: keyword - description: | - Context Match - - name: context_prefix - type: keyword - description: | - Content Prefix - - name: context_suffix - type: keyword - description: | - Context Suffix - - name: cookie - type: keyword - description: | - cookie - - name: date - type: date - description: | - Date (yyyy-mm-dd) 
when the event occurred - - name: destinationip - type: ip - description: | - Original destination IP address of traffic - - name: device - type: keyword - description: | - device - - name: device_id - type: keyword - description: | - Serial number of the device - - name: device_model - type: keyword - description: | - Model number of the device - - name: device_name - type: keyword - description: | - Model number of the device - - name: dictionary_name - type: keyword - description: | - Dictionary Name - - name: dir_disp - type: keyword - description: | - TPacket direction. Possible values:“org”, “reply”, “” - - name: direction - type: keyword - description: | - Direction - - name: domainname - type: keyword - description: | - Domain from which virus was downloaded - - name: download_file_name - type: keyword - description: | - Download file name - - name: download_file_type - type: keyword - description: | - Download file type - - name: dst_country_code - type: keyword - description: | - Code of the country to which the destination IP belongs - - name: dst_domainname - type: keyword - description: | - Receiver domain name - - name: dst_ip - type: ip - description: | - Original destination IP address of traffic - - name: dst_port - type: integer - description: | - Original destination port of TCP and UDP traffic - - name: dst_zone_type - type: keyword - description: | - Type of destination zone - - name: dstdomain - type: keyword - description: | - Destination Domain - - name: duration - type: long - description: | - Durability of traffic (seconds) - - name: email_subject - type: keyword - description: | - Email Subject - - name: ep_uuid - type: keyword - description: | - Endpoint UUID - - name: ether_type - type: keyword - description: | - ethernet frame type - - name: eventid - type: keyword - description: | - ATP Evenet ID - - name: eventtime - type: date - description: | - Event time - - name: eventtype - type: keyword - description: | - ATP event type - - 
name: exceptions - type: keyword - description: | - List of the checks excluded by web exceptions. - - name: execution_path - type: keyword - description: | - ATP execution path - - name: extra - type: keyword - description: | - extra - - name: file_name - type: keyword - description: | - Filename - - name: file_path - type: keyword - description: | - File path - - name: file_size - type: integer - description: | - File Size - - name: filename - type: keyword - description: | - File name associated with the event - - name: filepath - type: keyword - description: | - Path of the file containing virus - - name: filesize - type: integer - description: | - Size of the file that contained virus - - name: free - type: integer - description: | - free - - name: from_email_address - type: keyword - description: | - Sender email address - - name: ftp_direction - type: keyword - description: | - Direction of FTP transfer: Upload or Download - - name: ftp_url - type: keyword - description: | - FTP URL from which virus was downloaded - - name: ftpcommand - type: keyword - description: | - FTP command used when virus was found - - name: fw_rule_id - type: integer - description: | - Firewall Rule ID which is applied on the traffic - - name: fw_rule_type - type: keyword - description: | - Firewall rule type which is applied on the traffic - - name: hb_health - type: keyword - description: | - Heartbeat status - - name: hb_status - type: keyword - description: | - Heartbeat status - - name: host - type: keyword - description: | - Host - - name: http_category - type: keyword - description: | - HTTP Category - - name: http_category_type - type: keyword - description: | - HTTP Category Type - - name: httpresponsecode - type: long - description: | - code of HTTP response - - name: iap - type: keyword - description: | - Internet Access policy ID applied on the traffic - - name: icmp_code - type: keyword - description: | - ICMP code of ICMP traffic - - name: icmp_type - type: keyword - 
description: | - ICMP type of ICMP traffic - - name: idle_cpu - type: float - description: | - idle ## - - name: idp_policy_id - type: integer - description: | - IPS policy ID which is applied on the traffic - - name: idp_policy_name - type: keyword - description: | - IPS policy name i.e. IPS policy name which is applied on the traffic - - name: in_interface - type: keyword - description: | - Interface for incoming traffic, e.g., Port A - - name: interface - type: keyword - description: | - interface - - name: ipaddress - type: keyword - description: | - Ipaddress - - name: ips_policy_id - type: integer - description: | - IPS policy ID applied on the traffic - - name: lease_time - type: keyword - description: | - Lease Time - - name: localgateway - type: keyword - description: | - Localgateway - - name: localnetwork - type: keyword - description: | - Localnetwork - - name: log_component - type: keyword - description: | - Component responsible for logging e.g. Firewall rule - - name: log_id - type: keyword - description: | - Unique 12 characters code (0101011) - - name: log_subtype - type: keyword - description: | - Sub type of event - - name: log_type - type: keyword - description: | - Type of event e.g. 
firewall event - - name: log_version - type: keyword - description: | - Log Version - - name: login_user - type: keyword - description: | - ATP login user - - name: mailid - type: keyword - description: | - mailid - - name: mailsize - type: integer - description: | - mailsize - - name: message - type: keyword - description: | - Message - - name: mode - type: keyword - description: | - Mode - - name: nat_rule_id - type: keyword - description: | - NAT Rule ID - - name: newversion - type: keyword - description: | - Newversion - - name: oldversion - type: keyword - description: | - Oldversion - - name: out_interface - type: keyword - description: | - Interface for outgoing traffic, e.g., Port B - - name: override_authorizer - type: keyword - description: | - Override authorizer - - name: override_name - type: keyword - description: | - Override name - - name: override_token - type: keyword - description: | - Override token - - name: phpsessid - type: keyword - description: | - PHP session ID - - name: platform - type: keyword - description: | - Platform of the traffic. 
- - name: policy_type - type: keyword - description: | - Policy type applied to the traffic - - name: priority - type: keyword - description: | - Severity level of traffic - - name: protocol - type: keyword - description: | - Protocol number of traffic - - name: qualifier - type: keyword - description: | - Qualifier - - name: quarantine - type: keyword - description: | - Path and filename of the file quarantined - - name: quarantine_reason - type: keyword - description: | - Quarantine reason - - name: querystring - type: keyword - description: | - querystring - - name: raw_data - type: keyword - description: | - Raw data - - name: received_pkts - type: long - description: | - Total number of packets received - - name: receiveddrops - type: long - description: | - received drops - - name: receivederrors - type: keyword - description: | - received errors - - name: receivedkbits - type: long - description: | - received kbits - - name: recv_bytes - type: long - description: | - Total number of bytes received - - name: red_id - type: keyword - description: | - RED ID - - name: referer - type: keyword - description: | - Referer - - name: remote_ip - type: ip - description: | - Remote IP - - name: remotenetwork - type: keyword - description: | - remotenetwork - - name: reported_host - type: keyword - description: | - Reported Host - - name: reported_ip - type: keyword - description: | - Reported IP - - name: reports - type: float - description: | - Reports - - name: rule_priority - type: keyword - description: | - Priority of IPS policy - - name: sent_bytes - type: long - description: | - Total number of bytes sent - - name: sent_pkts - type: long - description: | - Total number of packets sent - - name: server - type: keyword - description: | - Server - - name: sessionid - type: keyword - description: | - Sessionid - - name: sha1sum - type: keyword - description: | - SHA1 checksum of the item being analyzed - - name: signature - type: float - description: | - Signature - 
- name: signature_id - type: keyword - description: | - Signature ID - - name: signature_msg - type: keyword - description: | - Signature messsage - - name: site_category - type: keyword - description: | - Site Category - - name: source - type: keyword - description: | - Source - - name: sourceip - type: ip - description: | - Original source IP address of traffic - - name: spamaction - type: keyword - description: | - Spam Action - - name: sqli - type: keyword - description: | - related SQLI caught by the WAF - - name: src_country_code - type: keyword - description: | - Code of the country to which the source IP belongs - - name: src_domainname - type: keyword - description: | - Sender domain name - - name: src_ip - type: ip - description: | - Original source IP address of traffic - - name: src_mac - type: keyword - description: | - Original source MAC address of traffic - - name: src_port - type: integer - description: | - Original source port of TCP and UDP traffic - - name: src_zone_type - type: keyword - description: |- - Type of source zone - - name: ssid - type: keyword - description: | - Configured SSID name. - - name: start_time - type: date - description: | - Start time - - name: starttime - type: date - description: | - Starttime - - name: status - type: keyword - description: | - Ultimate status of traffic – Allowed or Denied - - name: status_code - type: keyword - description: | - Status code - - name: subject - type: keyword - description: | - Email subject - - name: syslog_server_name - type: keyword - description: | - Syslog server name - - name: syslog_server_name - type: keyword - description: | - Syslog server name. - - name: system_cpu - type: float - description: | - system - - name: target - type: keyword - description: | - Platform of the traffic. 
- - name: temp - type: float - description: | - Temp - - name: threatname - type: keyword - description: | - ATP threatname - - name: timestamp - type: date - description: | - timestamp - - name: timezone - type: keyword - description: | - Time (hh:mm:ss) when the event occurred - - name: to_email_address - type: keyword - description: | - Receipeint email address - - name: total_memory - type: integer - description: | - Total Memory - - name: trans_dst_ip - type: ip - description: | - Translated destination IP address for outgoing traffic - - name: trans_dst_port - type: integer - description: | - Translated destination port for outgoing traffic - - name: trans_src_ip - type: ip - description: | - Translated source IP address for outgoing traffic - - name: trans_src_port - type: integer - description: | - Translated source port for outgoing traffic - - name: transaction_id - type: keyword - description: | - Transaction ID - - name: transactionid - type: keyword - description: | - Transaction ID of the AV scan. - - name: transmitteddrops - type: long - description: | - transmitted drops - - name: transmittederrors - type: keyword - description: | - transmitted errors - - name: transmittedkbits - type: long - description: | - transmitted kbits - - name: unit - type: keyword - description: | - unit - - name: updatedip - type: ip - description: | - updatedip - - name: upload_file_name - type: keyword - description: | - Upload file name - - name: upload_file_type - type: keyword - description: | - Upload file type - - name: url - type: keyword - description: | - URL from which virus was downloaded - - name: used - type: integer - description: | - used - - name: used_quota - type: keyword - description: | - Used Quota - - name: user - type: keyword - description: | - User - - name: user_cpu - type: float - description: | - system - - name: user_gp - type: keyword - description: | - Group name to which the user belongs. 
- - name: user_group - type: keyword - description: | - Group name to which the user belongs - - name: user_name - type: keyword - description: | - user_name - - name: users - type: long - description: | - Number of users from System Health / Live User events. - - name: vconn_id - type: integer - description: | - Connection ID of the master connection - - name: virus - type: keyword - description: | - virus name - - name: web_policy_id - type: keyword - description: | - Web policy ID - - name: website - type: keyword - description: | - Website - - name: xss - type: keyword - description: | - related XSS caught by the WAF diff --git a/packages/sophos/2.4.2/data_stream/xg/manifest.yml b/packages/sophos/2.4.2/data_stream/xg/manifest.yml deleted file mode 100755 index 7da1c15a18..0000000000 --- a/packages/sophos/2.4.2/data_stream/xg/manifest.yml +++ /dev/null 
@@ -1,221 +0,0 @@ -type: logs -title: Sophos XG logs -streams: - - input: tcp - vars: - - name: syslog_host - type: text - title: Syslog Host - description: The interface to listen on for syslog data. Set to `0.0.0.0` to bind to all available interfaces. - multi: false - required: true - show_user: true - default: localhost - - name: syslog_port - type: integer - title: Syslog Port - description: The port to listen on for syslog data. - multi: false - required: true - show_user: true - default: 9005 - - name: default_host_name - type: text - title: Default Host Name - description: Host name / Observer name, since Sophos XG does not provide this in the syslog file. - multi: false - required: true - show_user: true - default: firewall.localgroup.local - - name: known_devices - type: yaml - title: Known Devices - description: | - The Sophos XG firewalls do not include hostname in either the syslog header or body, and the only unique identifier for each firewall is the related serial number. - This will match every known device serial number to a hostname. If no serial number appears the `default_host_name` will be used. - multi: false - required: true - show_user: true - default: | - - hostname: my_fancy_host - serial_number: "1234567890123456" - - hostname: some_other_host.local - serial_number: "1234567890123457" - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: false - default: - - sophos-xg - - forwarded - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original` - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: > - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. 
See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. - - - name: ssl - type: yaml - title: SSL Configuration - description: i.e. certificate, keys, supported_protocols, verification_mode etc. See [SSL](https://www.elastic.co/guide/en/beats/filebeat/current/configuration-ssl.html#ssl-server-config) for details. - multi: false - required: false - show_user: false - default: | - #certificate: "/etc/server/cert.pem" - #key: "/etc/server/key.pem" - - name: tcp_options - type: yaml - title: Custom TCP Options - multi: false - required: false - show_user: false - default: | - #max_connections: 1 - #framing: delimiter - #line_delimiter: "\n" - description: Specify custom configuration options for the TCP input. See [TCP](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-tcp.html) for details. - template_path: tcp.yml.hbs - title: Sophos XG logs - description: Collect Sophos XG logs - - input: udp - vars: - - name: syslog_host - type: text - title: Syslog Host - description: The interface to listen on for syslog data. Set to `0.0.0.0` to bind to all available interfaces. - multi: false - required: true - show_user: true - default: localhost - - name: syslog_port - type: integer - title: Syslog Port - description: The port to listen on for syslog data. - multi: false - required: true - show_user: true - default: 9005 - - name: default_host_name - type: text - title: Default Host Name - description: Host name / Observer name, since Sophos XG does not provide this in the syslog file. - multi: false - required: true - show_user: true - default: firewall.localgroup.local - - name: known_devices - type: yaml - title: Known Devices - description: | - The Sophos XG firewalls do not include hostname in either the syslog header or body, and the only unique identifier for each firewall is the related serial number. - This will match every known device serial number to a hostname. 
If no serial number appears the `default_host_name` will be used. - multi: false - required: true - show_user: true - default: | - - hostname: my_fancy_host - serial_number: "1234567890123456" - - hostname: some_other_host.local - serial_number: "1234567890123457" - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: false - default: - - sophos-xg - - forwarded - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original` - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: > - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. - - template_path: udp.yml.hbs - title: Sophos XG logs - description: Collect Sophos XG logs - - input: logfile - vars: - - name: paths - type: text - title: Paths - multi: true - required: true - show_user: true - - name: default_host_name - type: text - title: Default Host Name - description: Host name / Observer name, since Sophos XG does not provide this in the syslog file. - multi: false - required: true - show_user: true - default: firewall.localgroup.local - - name: known_devices - type: yaml - title: Known Devices - description: | - The Sophos XG firewalls do not include hostname in either the syslog header or body, and the only unique identifier for each firewall is the related serial number. - This will match every known device serial number to a hostname. If no serial number appears the `default_host_name` will be used. 
- multi: false - required: true - show_user: true - default: | - - hostname: my_fancy_host - serial_number: "1234567890123456" - - hostname: some_other_host.local - serial_number: "1234567890123457" - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: false - default: - - sophos-xg - - forwarded - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original` - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: > - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. - - template_path: log.yml.hbs - title: Sophos XG logs - description: Collect Sophos XG logs diff --git a/packages/sophos/2.4.2/data_stream/xg/sample_event.json b/packages/sophos/2.4.2/data_stream/xg/sample_event.json deleted file mode 100755 index ddf5f48645..0000000000 --- a/packages/sophos/2.4.2/data_stream/xg/sample_event.json +++ /dev/null 
@@ -1,91 +0,0 @@ -{ - "@timestamp": "2016-12-02T18:50:20.000Z", - "agent": { - "ephemeral_id": "b1eb8b45-bca7-40b1-b2f4-9d5c87e449bc", - "id": "dee3c982-4bd2-4c06-b207-fe0ce9ef19c5", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "8.1.2" - }, - "data_stream": { - "dataset": "sophos.xg", - "namespace": "ep", - "type": "logs" - }, - "ecs": { - "version": "8.3.0" - }, - "elastic_agent": { - "id": "dee3c982-4bd2-4c06-b207-fe0ce9ef19c5", - "snapshot": false, - "version": "8.1.2" - }, - "event": { - "action": "alert", - "agent_id_status": "verified", - "category": [ - "network" - ], - "code": "16010", - "dataset": "sophos.xg", - "ingested": "2022-04-20T20:13:02Z", - "kind": "event", - "outcome": "success", - "severity": 1, - "timezone": "+00:00" - }, - "host": { - "name": "XG230" - }, - "input": { - "type": "udp" - }, - "log": { - "level": "alert", - "source": { - "address": "172.31.0.8:48162" - } - }, - "observer": { - "product": "XG", - "serial_number": "1234567890123456", - "type": "firewall", - "vendor": "Sophos" - }, - "related": { - "hosts": [ - "XG230" - ], - "ip": [ - "10.108.108.49" - ] - }, - "sophos": { - "xg": { - "action": "Deny", - "context_match": "Not", - "context_prefix": "blah blah hello ", - "context_suffix": " hello blah ", - "device": "SFW", - "device_name": "SF01V", - "dictionary_name": "complicated_Custom", - "direction": "in", - "file_name": "cgi_echo.pl", - "log_component": "Web Content Policy", - "log_id": "058420116010", - "log_subtype": "Alert", - "log_type": "Content Filtering", - "site_category": "Information Technology", - "transaction_id": "e4a127f7-a850-477c-920e-a471b38727c1", - "user": "gi123456", - "website": "ta-web-static-testing.qa. astaro.de" - } - }, - "source": { - "ip": "10.108.108.49" - }, - "tags": [ - "sophos-xg", - "forwarded" - ] -} \ No newline at end of file diff --git a/packages/sophos/2.4.2/docs/README.md b/packages/sophos/2.4.2/docs/README.md deleted file mode 100755 index 3305fc3e71..0000000000 
--- a/packages/sophos/2.4.2/docs/README.md +++ /dev/null 
@@ -1,1331 +0,0 @@ -# Sophos Integration - -The Sophos integration collects and parses logs from Sophos Products. - -Currently it accepts logs in syslog format or from a file for the following devices: - -- `utm` dataset: supports [Unified Threat Management](https://www.sophos.com/en-us/support/documentation/sophos-utm) (formerly known as Astaro Security Gateway) logs. -- `xg` dataset: supports [Sophos XG SFOS logs](https://docs.sophos.com/nsg/sophos-firewall/17.5/Help/en-us/webhelp/onlinehelp/nsg/sfos/concepts/Logs.html). - -To configure a remote syslog destination, please reference the [SophosXG/SFOS Documentation](https://community.sophos.com/kb/en-us/123184). - -The syslog format chosen should be `Default`. - -## Compatibility - -This module has been tested against SFOS version 17.5.x and 18.0.x. -Versions above this are expected to work but have not been tested. - -## Logs - -### Utm log - -The `utm` dataset collects Unified Threat Management logs. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. | date | -| client.domain | The domain name of the client system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | -| client.registered_domain | The highest registered client domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). 
Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | -| client.subdomain | The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword | -| client.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | -| container.id | Unique container id. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| destination.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| destination.as.organization.name | Organization name. 
| keyword | -| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. | match_only_text | -| destination.bytes | Bytes sent from the destination to the source. | long | -| destination.domain | The domain name of the destination system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | -| destination.geo.city_name | City name. | keyword | -| destination.geo.country_name | Country name. | keyword | -| destination.geo.location | Longitude and latitude. | geo_point | -| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | -| destination.mac | MAC address of the destination. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | -| destination.nat.ip | Translated ip of destination based NAT sessions (e.g. internet to private DMZ) Typically used with load balancers, firewalls, or routers. | ip | -| destination.nat.port | Port the source session is translated to by NAT Device. Typically used with load balancers, firewalls, or routers. | long | -| destination.port | Port of the destination. | long | -| destination.registered_domain | The highest registered destination domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | -| destination.subdomain | The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. 
In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword | -| destination.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | -| dns.answers.name | The domain name to which this resource record pertains. If a chain of CNAME is being resolved, each answer's `name` should be the one that corresponds with the answer's `data`. It should not simply be the original `question.name` repeated. | keyword | -| dns.answers.type | The type of data contained in this resource record. | keyword | -| dns.question.domain | Server domain. | keyword | -| dns.question.registered_domain | The highest registered domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | -| dns.question.subdomain | The subdomain is all of the labels under the registered_domain. If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. 
| keyword | -| dns.question.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | -| dns.question.type | The type of record being queried. | keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| error.message | Error message. | match_only_text | -| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword | -| event.code | Identification code for this event, if one exists. Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. | keyword | -| event.dataset | Event dataset | constant_keyword | -| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | -| event.module | Event module | constant_keyword | -| event.original | Raw text message of entire event. 
Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | -| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | -| event.timezone | This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). | keyword | -| file.attributes | Array of file attributes. Attributes names will vary by platform. Here's a non-exhaustive list of values that are expected in this field: archive, compressed, directory, encrypted, execute, hidden, read, readonly, system, write. | keyword | -| file.directory | Directory where the file is located. 
It should include the drive letter, when appropriate. | keyword | -| file.extension | File extension, excluding the leading dot. Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword | -| file.name | Name of the file including the extension, without the directory. | keyword | -| file.path | Full path to the file, including the file name. It should include the drive letter, when appropriate. | keyword | -| file.path.text | Multi-field of `file.path`. | match_only_text | -| file.size | File size in bytes. Only relevant when `file.type` is "file". | long | -| file.type | File type (file, dir, or symlink). | keyword | -| geo.city_name | City name. | keyword | -| geo.country_name | Country name. | keyword | -| geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | -| geo.region_name | Region name. | keyword | -| group.id | Unique identifier for the group on the system/platform. | keyword | -| group.name | Name of the group. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host MAC addresses. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| http.request.method | HTTP request method. 
The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field. | keyword | -| http.request.referrer | Referrer for this HTTP request. | keyword | -| input.type | Type of Filebeat input. | keyword | -| log.file.path | Full path to the log file this event came from. | keyword | -| log.flags | Flags for the log file. | keyword | -| log.level | Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). Some examples are `warn`, `err`, `i`, `informational`. | keyword | -| log.offset | Offset of the entry in the log file. | long | -| log.source.address | Source address from which the log event was read / sent from. | keyword | -| log.syslog.facility.code | The Syslog numeric facility of the log event, if available. According to RFCs 5424 and 3164, this value should be an integer between 0 and 23. | long | -| log.syslog.priority | Syslog numeric priority of the event, if available. According to RFCs 5424 and 3164, the priority is 8 \* facility + severity. This number is therefore expected to contain a value between 0 and 191. | long | -| log.syslog.severity.code | The Syslog numeric severity of the log event, if available. If the event source publishing via Syslog provides a different numeric severity value (e.g. firewall, IDS), your source's numeric severity should go to `event.severity`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `event.severity`. | long | -| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. 
If multiple messages exist, they can be combined into one message. | match_only_text | -| network.application | When a specific application or service is identified from network connection details (source/dest IPs, ports, certificates, or wire format), this field captures the application's or service's name. For example, the original event identifies the network connection being from a specific web service in a `https` network connection, like `facebook` or `twitter`. The field value must be normalized to lowercase for querying. | keyword | -| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long | -| network.direction | Direction of the network traffic. When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword | -| network.forwarded_ip | Host IP address when the source IP address is the proxy. | ip | -| network.interface.name | | keyword | -| network.packets | Total packets transferred in both directions. If `source.packets` and `destination.packets` are known, `network.packets` is their sum. | long | -| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. 
| keyword | -| observer.egress.interface.name | Interface name as reported by the system. | keyword | -| observer.ingress.interface.name | Interface name as reported by the system. | keyword | -| observer.product | The product name of the observer. | keyword | -| observer.type | The type of the observer the data is coming from. There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. | keyword | -| observer.vendor | Vendor name of the observer. | keyword | -| observer.version | Observer version. | keyword | -| process.name | Process name. Sometimes called program name or similar. | keyword | -| process.name.text | Multi-field of `process.name`. | match_only_text | -| process.parent.name | Process name. Sometimes called program name or similar. | keyword | -| process.parent.name.text | Multi-field of `process.parent.name`. | match_only_text | -| process.parent.pid | Process id. | long | -| process.parent.title | Process title. The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. | keyword | -| process.parent.title.text | Multi-field of `process.parent.title`. | match_only_text | -| process.pid | Process id. | long | -| process.title | Process title. The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. | keyword | -| process.title.text | Multi-field of `process.title`. | match_only_text | -| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| related.user | All the user names or other user identifiers seen on the event. 
| keyword | -| rsa.counters.dclass_c1 | This is a generic counter key that should be used with the label dclass.c1.str only | long | -| rsa.counters.dclass_c1_str | This is a generic counter string key that should be used with the label dclass.c1 only | keyword | -| rsa.counters.dclass_c2 | This is a generic counter key that should be used with the label dclass.c2.str only | long | -| rsa.counters.dclass_c2_str | This is a generic counter string key that should be used with the label dclass.c2 only | keyword | -| rsa.counters.dclass_c3 | This is a generic counter key that should be used with the label dclass.c3.str only | long | -| rsa.counters.dclass_c3_str | This is a generic counter string key that should be used with the label dclass.c3 only | keyword | -| rsa.counters.dclass_r1 | This is a generic ratio key that should be used with the label dclass.r1.str only | keyword | -| rsa.counters.dclass_r1_str | This is a generic ratio string key that should be used with the label dclass.r1 only | keyword | -| rsa.counters.dclass_r2 | This is a generic ratio key that should be used with the label dclass.r2.str only | keyword | -| rsa.counters.dclass_r2_str | This is a generic ratio string key that should be used with the label dclass.r2 only | keyword | -| rsa.counters.dclass_r3 | This is a generic ratio key that should be used with the label dclass.r3.str only | keyword | -| rsa.counters.dclass_r3_str | This is a generic ratio string key that should be used with the label dclass.r3 only | keyword | -| rsa.counters.event_counter | This is used to capture the number of times an event repeated | long | -| rsa.crypto.cert_ca | This key is used to capture the Certificate signing authority only | keyword | -| rsa.crypto.cert_checksum | | keyword | -| rsa.crypto.cert_common | This key is used to capture the Certificate common name only | keyword | -| rsa.crypto.cert_error | This key captures the Certificate Error String | keyword | -| rsa.crypto.cert_host_cat | This key is 
used for the hostname category value of a certificate | keyword | -| rsa.crypto.cert_host_name | Deprecated key defined only in table map. | keyword | -| rsa.crypto.cert_issuer | | keyword | -| rsa.crypto.cert_keysize | | keyword | -| rsa.crypto.cert_serial | This key is used to capture the Certificate serial number only | keyword | -| rsa.crypto.cert_status | This key captures Certificate validation status | keyword | -| rsa.crypto.cert_subject | This key is used to capture the Certificate organization only | keyword | -| rsa.crypto.cert_username | | keyword | -| rsa.crypto.cipher_dst | This key is for Destination (Server) Cipher | keyword | -| rsa.crypto.cipher_size_dst | This key captures Destination (Server) Cipher Size | long | -| rsa.crypto.cipher_size_src | This key captures Source (Client) Cipher Size | long | -| rsa.crypto.cipher_src | This key is for Source (Client) Cipher | keyword | -| rsa.crypto.crypto | This key is used to capture the Encryption Type or Encryption Key only | keyword | -| rsa.crypto.d_certauth | | keyword | -| rsa.crypto.https_insact | | keyword | -| rsa.crypto.https_valid | | keyword | -| rsa.crypto.ike | IKE negotiation phase. 
| keyword | -| rsa.crypto.ike_cookie1 | ID of the negotiation — sent for ISAKMP Phase One | keyword | -| rsa.crypto.ike_cookie2 | ID of the negotiation — sent for ISAKMP Phase Two | keyword | -| rsa.crypto.peer | This key is for Encryption peer's IP Address | keyword | -| rsa.crypto.peer_id | This key is for Encryption peer’s identity | keyword | -| rsa.crypto.s_certauth | | keyword | -| rsa.crypto.scheme | This key captures the Encryption scheme used | keyword | -| rsa.crypto.sig_type | This key captures the Signature Type | keyword | -| rsa.crypto.ssl_ver_dst | Deprecated, use version | keyword | -| rsa.crypto.ssl_ver_src | Deprecated, use version | keyword | -| rsa.db.database | This key is used to capture the name of a database or an instance as seen in a session | keyword | -| rsa.db.db_id | This key is used to capture the unique identifier for a database | keyword | -| rsa.db.db_pid | This key captures the process id of a connection with database server | long | -| rsa.db.index | This key captures IndexID of the index. | keyword | -| rsa.db.instance | This key is used to capture the database server instance name | keyword | -| rsa.db.lread | This key is used for the number of logical reads | long | -| rsa.db.lwrite | This key is used for the number of logical writes | long | -| rsa.db.permissions | This key captures permission or privilege level assigned to a resource. 
| keyword | -| rsa.db.pread | This key is used for the number of physical writes | long | -| rsa.db.table_name | This key is used to capture the table name | keyword | -| rsa.db.transact_id | This key captures the SQL transantion ID of the current session | keyword | -| rsa.email.email | This key is used to capture a generic email address where the source or destination context is not clear | keyword | -| rsa.email.email_dst | This key is used to capture the Destination email address only, when the destination context is not clear use email | keyword | -| rsa.email.email_src | This key is used to capture the source email address only, when the source context is not clear use email | keyword | -| rsa.email.subject | This key is used to capture the subject string from an Email only. | keyword | -| rsa.email.trans_from | Deprecated key defined only in table map. | keyword | -| rsa.email.trans_to | Deprecated key defined only in table map. | keyword | -| rsa.endpoint.host_state | This key is used to capture the current state of the machine, such as \blacklisted\, \infected\, \firewall disabled\ and so on | keyword | -| rsa.endpoint.registry_key | This key captures the path to the registry key | keyword | -| rsa.endpoint.registry_value | This key captures values or decorators used within a registry entry | keyword | -| rsa.file.attachment | This key captures the attachment file name | keyword | -| rsa.file.binary | Deprecated key defined only in table map. 
| keyword | -| rsa.file.directory_dst | \This key is used to capture the directory of the target process or file\ | keyword | -| rsa.file.directory_src | This key is used to capture the directory of the source process or file | keyword | -| rsa.file.file_entropy | This is used to capture entropy vale of a file | double | -| rsa.file.file_vendor | This is used to capture Company name of file located in version_info | keyword | -| rsa.file.filename_dst | This is used to capture name of the file targeted by the action | keyword | -| rsa.file.filename_src | This is used to capture name of the parent filename, the file which performed the action | keyword | -| rsa.file.filename_tmp | | keyword | -| rsa.file.filesystem | | keyword | -| rsa.file.privilege | Deprecated, use permissions | keyword | -| rsa.file.task_name | This is used to capture name of the task | keyword | -| rsa.healthcare.patient_fname | This key is for First Names only, this is used for Healthcare predominantly to capture Patients information | keyword | -| rsa.healthcare.patient_id | This key captures the unique ID for a patient | keyword | -| rsa.healthcare.patient_lname | This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information | keyword | -| rsa.healthcare.patient_mname | This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information | keyword | -| rsa.identity.accesses | This key is used to capture actual privileges used in accessing an object | keyword | -| rsa.identity.auth_method | This key is used to capture authentication methods used only | keyword | -| rsa.identity.dn | X.500 (LDAP) Distinguished Name | keyword | -| rsa.identity.dn_dst | An X.500 (LDAP) Distinguished name that used in a context that indicates a Destination dn | keyword | -| rsa.identity.dn_src | An X.500 (LDAP) Distinguished name that is used in a context that indicates a Source dn | keyword | -| rsa.identity.federated_idp | This 
key is the federated Identity Provider. This is the server providing the authentication. | keyword | -| rsa.identity.federated_sp | This key is the Federated Service Provider. This is the application requesting authentication. | keyword | -| rsa.identity.firstname | This key is for First Names only, this is used for Healthcare predominantly to capture Patients information | keyword | -| rsa.identity.host_role | This key should only be used to capture the role of a Host Machine | keyword | -| rsa.identity.lastname | This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information | keyword | -| rsa.identity.ldap | This key is for Uninterpreted LDAP values. Ldap Values that don’t have a clear query or response context | keyword | -| rsa.identity.ldap_query | This key is the Search criteria from an LDAP search | keyword | -| rsa.identity.ldap_response | This key is to capture Results from an LDAP search | keyword | -| rsa.identity.logon_type | This key is used to capture the type of logon method used. | keyword | -| rsa.identity.logon_type_desc | This key is used to capture the textual description of an integer logon type as stored in the meta key 'logon.type'. 
| keyword | -| rsa.identity.middlename | This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information | keyword | -| rsa.identity.org | This key captures the User organization | keyword | -| rsa.identity.owner | This is used to capture username the process or service is running as, the author of the task | keyword | -| rsa.identity.password | This key is for Passwords seen in any session, plain text or encrypted | keyword | -| rsa.identity.profile | This key is used to capture the user profile | keyword | -| rsa.identity.realm | Radius realm or similar grouping of accounts | keyword | -| rsa.identity.service_account | This key is a windows specific key, used for capturing name of the account a service (referenced in the event) is running under. Legacy Usage | keyword | -| rsa.identity.user_dept | User's Department Names only | keyword | -| rsa.identity.user_role | This key is used to capture the Role of a user only | keyword | -| rsa.identity.user_sid_dst | This key captures Destination User Session ID | keyword | -| rsa.identity.user_sid_src | This key captures Source User Session ID | keyword | -| rsa.internal.audit_class | Deprecated key defined only in table map. | keyword | -| rsa.internal.cid | This is the unique identifier used to identify a NetWitness Concentrator. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | -| rsa.internal.data | Deprecated key defined only in table map. | keyword | -| rsa.internal.dead | Deprecated key defined only in table map. | long | -| rsa.internal.device_class | This is the Classification of the Log Event Source under a predefined fixed set of Event Source Classifications. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | -| rsa.internal.device_group | This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | -| rsa.internal.device_host | This is the Hostname of the log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | -| rsa.internal.device_ip | This is the IPv4 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | ip | -| rsa.internal.device_ipv6 | This is the IPv6 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | ip | -| rsa.internal.device_type | This is the name of the log parser which parsed a given session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | -| rsa.internal.device_type_id | Deprecated key defined only in table map. | long | -| rsa.internal.did | This is the unique identifier used to identify a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | -| rsa.internal.entropy_req | This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration | long | -| rsa.internal.entropy_res | This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration | long | -| rsa.internal.entry | Deprecated key defined only in table map. 
| keyword | -| rsa.internal.event_desc | | keyword | -| rsa.internal.event_name | Deprecated key defined only in table map. | keyword | -| rsa.internal.feed_category | This is used to capture the category of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | -| rsa.internal.feed_desc | This is used to capture the description of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | -| rsa.internal.feed_name | This is used to capture the name of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | -| rsa.internal.forward_ip | This key should be used to capture the IPV4 address of a relay system which forwarded the events from the original system to NetWitness. | ip | -| rsa.internal.forward_ipv6 | This key is used to capture the IPV6 address of a relay system which forwarded the events from the original system to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | ip | -| rsa.internal.hcode | Deprecated key defined only in table map. | keyword | -| rsa.internal.header_id | This is the Header ID value that identifies the exact log parser header definition that parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | -| rsa.internal.inode | Deprecated key defined only in table map. | long | -| rsa.internal.lc_cid | This is a unique Identifier of a Log Collector. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | -| rsa.internal.lc_ctime | This is the time at which a log is collected in a NetWitness Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | date | -| rsa.internal.level | Deprecated key defined only in table map. | long | -| rsa.internal.mcb_req | This key is only used by the Entropy Parser, the most common byte request is simply which byte for each side (0 thru 255) was seen the most | long | -| rsa.internal.mcb_res | This key is only used by the Entropy Parser, the most common byte response is simply which byte for each side (0 thru 255) was seen the most | long | -| rsa.internal.mcbc_req | This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams | long | -| rsa.internal.mcbc_res | This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams | long | -| rsa.internal.medium | This key is used to identify if it’s a log/packet session or Layer 2 Encapsulation Type. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. 32 = log, 33 = correlation session, < 32 is packet session | long | -| rsa.internal.message | This key captures the contents of instant messages | keyword | -| rsa.internal.messageid | | keyword | -| rsa.internal.msg | This key is used to capture the raw message that comes into the Log Decoder | keyword | -| rsa.internal.msg_id | This is the Message ID1 value that identifies the exact log parser definition which parses a particular log session. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | -| rsa.internal.msg_vid | This is the Message ID2 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | -| rsa.internal.node_name | Deprecated key defined only in table map. | keyword | -| rsa.internal.nwe_callback_id | This key denotes that event is endpoint related | keyword | -| rsa.internal.obj_id | Deprecated key defined only in table map. | keyword | -| rsa.internal.obj_server | Deprecated key defined only in table map. | keyword | -| rsa.internal.obj_val | Deprecated key defined only in table map. | keyword | -| rsa.internal.parse_error | This is a special key that stores any Meta key validation error found while parsing a log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | -| rsa.internal.payload_req | This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep | long | -| rsa.internal.payload_res | This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep | long | -| rsa.internal.process_vid_dst | Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the target process. | keyword | -| rsa.internal.process_vid_src | Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the source process. | keyword | -| rsa.internal.resource | Deprecated key defined only in table map. 
| keyword |
-| rsa.internal.resource_class | Deprecated key defined only in table map. | keyword |
-| rsa.internal.rid | This is a special ID of the Remote Session created by NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | long |
-| rsa.internal.session_split | This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword |
-| rsa.internal.site | Deprecated key defined only in table map. | keyword |
-| rsa.internal.size | This is the size of the session as seen by the NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | long |
-| rsa.internal.sourcefile | This is the name of the log file or PCAPs that can be imported into NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword |
-| rsa.internal.statement | Deprecated key defined only in table map. | keyword |
-| rsa.internal.time | This is the time at which a session hits a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. | date |
-| rsa.internal.ubc_req | This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once | long |
-| rsa.internal.ubc_res | This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once | long |
-| rsa.internal.word | This is used by the Word Parsing technology to capture the first 5 character of every word in an unparsed log | keyword |
-| rsa.investigations.analysis_file | This is used to capture all indicators used in a File Analysis. This key should be used to capture an analysis of a file | keyword |
-| rsa.investigations.analysis_service | This is used to capture all indicators used in a Service Analysis. This key should be used to capture an analysis of a service | keyword |
-| rsa.investigations.analysis_session | This is used to capture all indicators used for a Session Analysis. This key should be used to capture an analysis of a session | keyword |
-| rsa.investigations.boc | This is used to capture behaviour of compromise | keyword |
-| rsa.investigations.ec_activity | This key captures the particular event activity(Ex:Logoff) | keyword |
-| rsa.investigations.ec_outcome | This key captures the outcome of a particular Event(Ex:Success) | keyword |
-| rsa.investigations.ec_subject | This key captures the Subject of a particular Event(Ex:User) | keyword |
-| rsa.investigations.ec_theme | This key captures the Theme of a particular Event(Ex:Authentication) | keyword |
-| rsa.investigations.eoc | This is used to capture Enablers of Compromise | keyword |
-| rsa.investigations.event_cat | This key captures the Event category number | long |
-| rsa.investigations.event_cat_name | This key captures the event category name corresponding to the event cat code | keyword |
-| rsa.investigations.event_vcat | This is a vendor supplied category. This should be used in situations where the vendor has adopted their own event_category taxonomy. | keyword |
-| rsa.investigations.inv_category | This used to capture investigation category | keyword |
-| rsa.investigations.inv_context | This used to capture investigation context | keyword |
-| rsa.investigations.ioc | This is key capture indicator of compromise | keyword |
-| rsa.misc.OS | This key captures the Name of the Operating System | keyword |
-| rsa.misc.acl_id | | keyword |
-| rsa.misc.acl_op | | keyword |
-| rsa.misc.acl_pos | | keyword |
-| rsa.misc.acl_table | | keyword |
-| rsa.misc.action | | keyword |
-| rsa.misc.admin | | keyword |
-| rsa.misc.agent_id | This key is used to capture agent id | keyword |
-| rsa.misc.alarm_id | | keyword |
-| rsa.misc.alarmname | | keyword |
-| rsa.misc.alert_id | Deprecated, New Hunting Model (inv.\*, ioc, boc, eoc, analysis.\*) | keyword |
-| rsa.misc.app_id | | keyword |
-| rsa.misc.audit | | keyword |
-| rsa.misc.audit_object | | keyword |
-| rsa.misc.auditdata | | keyword |
-| rsa.misc.autorun_type | This is used to capture Auto Run type | keyword |
-| rsa.misc.benchmark | | keyword |
-| rsa.misc.bypass | | keyword |
-| rsa.misc.cache | | keyword |
-| rsa.misc.cache_hit | | keyword |
-| rsa.misc.category | This key is used to capture the category of an event given by the vendor in the session | keyword |
-| rsa.misc.cc_number | Valid Credit Card Numbers only | long |
-| rsa.misc.cefversion | | keyword |
-| rsa.misc.cfg_attr | | keyword |
-| rsa.misc.cfg_obj | | keyword |
-| rsa.misc.cfg_path | | keyword |
-| rsa.misc.change_attrib | This key is used to capture the name of the attribute that’s changing in a session | keyword |
-| rsa.misc.change_new | This key is used to capture the new values of the attribute that’s changing in a session | keyword |
-| rsa.misc.change_old | This key is used to capture the old value of the attribute that’s changing in a session | keyword |
-| rsa.misc.changes | | keyword |
-| rsa.misc.checksum | This key is used to capture the checksum or hash of the entity such as a file or process. Checksum should be used over checksum.src or checksum.dst when it is unclear whether the entity is a source or target of an action. | keyword |
-| rsa.misc.checksum_dst | This key is used to capture the checksum or hash of the the target entity such as a process or file. | keyword |
-| rsa.misc.checksum_src | This key is used to capture the checksum or hash of the source entity such as a file or process. | keyword |
-| rsa.misc.client | This key is used to capture only the name of the client application requesting resources of the server. See the user.agent meta key for capture of the specific user agent identifier or browser identification string. | keyword |
-| rsa.misc.client_ip | | keyword |
-| rsa.misc.clustermembers | | keyword |
-| rsa.misc.cmd | | keyword |
-| rsa.misc.cn_acttimeout | | keyword |
-| rsa.misc.cn_asn_src | | keyword |
-| rsa.misc.cn_bgpv4nxthop | | keyword |
-| rsa.misc.cn_ctr_dst_code | | keyword |
-| rsa.misc.cn_dst_tos | | keyword |
-| rsa.misc.cn_dst_vlan | | keyword |
-| rsa.misc.cn_engine_id | | keyword |
-| rsa.misc.cn_engine_type | | keyword |
-| rsa.misc.cn_f_switch | | keyword |
-| rsa.misc.cn_flowsampid | | keyword |
-| rsa.misc.cn_flowsampintv | | keyword |
-| rsa.misc.cn_flowsampmode | | keyword |
-| rsa.misc.cn_inacttimeout | | keyword |
-| rsa.misc.cn_inpermbyts | | keyword |
-| rsa.misc.cn_inpermpckts | | keyword |
-| rsa.misc.cn_invalid | | keyword |
-| rsa.misc.cn_ip_proto_ver | | keyword |
-| rsa.misc.cn_ipv4_ident | | keyword |
-| rsa.misc.cn_l_switch | | keyword |
-| rsa.misc.cn_log_did | | keyword |
-| rsa.misc.cn_log_rid | | keyword |
-| rsa.misc.cn_max_ttl | | keyword |
-| rsa.misc.cn_maxpcktlen | | keyword |
-| rsa.misc.cn_min_ttl | | keyword |
-| rsa.misc.cn_minpcktlen | | keyword |
-| rsa.misc.cn_mpls_lbl_1 | | keyword |
-| rsa.misc.cn_mpls_lbl_10 | | keyword |
-| rsa.misc.cn_mpls_lbl_2 | | keyword |
-| rsa.misc.cn_mpls_lbl_3 | | keyword |
-| rsa.misc.cn_mpls_lbl_4 | | keyword |
-| rsa.misc.cn_mpls_lbl_5 | | keyword |
-| rsa.misc.cn_mpls_lbl_6 | | keyword |
-| rsa.misc.cn_mpls_lbl_7 | | keyword |
-| rsa.misc.cn_mpls_lbl_8 | | keyword |
-| rsa.misc.cn_mpls_lbl_9 | | keyword |
-| rsa.misc.cn_mplstoplabel | | keyword |
-| rsa.misc.cn_mplstoplabip | | keyword |
-| rsa.misc.cn_mul_dst_byt | | keyword |
-| rsa.misc.cn_mul_dst_pks | | keyword |
-| rsa.misc.cn_muligmptype | | keyword |
-| rsa.misc.cn_sampalgo | | keyword |
-| rsa.misc.cn_sampint | | keyword |
-| rsa.misc.cn_seqctr | | keyword |
-| rsa.misc.cn_spackets | | keyword |
-| rsa.misc.cn_src_tos | | keyword |
-| rsa.misc.cn_src_vlan | | keyword |
-| rsa.misc.cn_sysuptime | | keyword |
-| rsa.misc.cn_template_id | | keyword |
-| rsa.misc.cn_totbytsexp | | keyword |
-| rsa.misc.cn_totflowexp | | keyword |
-| rsa.misc.cn_totpcktsexp | | keyword |
-| rsa.misc.cn_unixnanosecs | | keyword |
-| rsa.misc.cn_v6flowlabel | | keyword |
-| rsa.misc.cn_v6optheaders | | keyword |
-| rsa.misc.code | | keyword |
-| rsa.misc.command | | keyword |
-| rsa.misc.comments | Comment information provided in the log message | keyword |
-| rsa.misc.comp_class | | keyword |
-| rsa.misc.comp_name | | keyword |
-| rsa.misc.comp_rbytes | | keyword |
-| rsa.misc.comp_sbytes | | keyword |
-| rsa.misc.comp_version | This key captures the Version level of a sub-component of a product. | keyword |
-| rsa.misc.connection_id | This key captures the Connection ID | keyword |
-| rsa.misc.content | This key captures the content type from protocol headers | keyword |
-| rsa.misc.content_type | This key is used to capture Content Type only. | keyword |
-| rsa.misc.content_version | This key captures Version level of a signature or database content. | keyword |
-| rsa.misc.context | This key captures Information which adds additional context to the event. | keyword |
-| rsa.misc.context_subject | This key is to be used in an audit context where the subject is the object being identified | keyword |
-| rsa.misc.context_target | | keyword |
-| rsa.misc.count | | keyword |
-| rsa.misc.cpu | This key is the CPU time used in the execution of the event being recorded. | long |
-| rsa.misc.cpu_data | | keyword |
-| rsa.misc.criticality | | keyword |
-| rsa.misc.cs_agency_dst | | keyword |
-| rsa.misc.cs_analyzedby | | keyword |
-| rsa.misc.cs_av_other | | keyword |
-| rsa.misc.cs_av_primary | | keyword |
-| rsa.misc.cs_av_secondary | | keyword |
-| rsa.misc.cs_bgpv6nxthop | | keyword |
-| rsa.misc.cs_bit9status | | keyword |
-| rsa.misc.cs_context | | keyword |
-| rsa.misc.cs_control | | keyword |
-| rsa.misc.cs_data | | keyword |
-| rsa.misc.cs_datecret | | keyword |
-| rsa.misc.cs_dst_tld | | keyword |
-| rsa.misc.cs_eth_dst_ven | | keyword |
-| rsa.misc.cs_eth_src_ven | | keyword |
-| rsa.misc.cs_event_uuid | | keyword |
-| rsa.misc.cs_filetype | | keyword |
-| rsa.misc.cs_fld | | keyword |
-| rsa.misc.cs_if_desc | | keyword |
-| rsa.misc.cs_if_name | | keyword |
-| rsa.misc.cs_ip_next_hop | | keyword |
-| rsa.misc.cs_ipv4dstpre | | keyword |
-| rsa.misc.cs_ipv4srcpre | | keyword |
-| rsa.misc.cs_lifetime | | keyword |
-| rsa.misc.cs_log_medium | | keyword |
-| rsa.misc.cs_loginname | | keyword |
-| rsa.misc.cs_modulescore | | keyword |
-| rsa.misc.cs_modulesign | | keyword |
-| rsa.misc.cs_opswatresult | | keyword |
-| rsa.misc.cs_payload | | keyword |
-| rsa.misc.cs_registrant | | keyword |
-| rsa.misc.cs_registrar | | keyword |
-| rsa.misc.cs_represult | | keyword |
-| rsa.misc.cs_rpayload | | keyword |
-| rsa.misc.cs_sampler_name | | keyword |
-| rsa.misc.cs_sourcemodule | | keyword |
-| rsa.misc.cs_streams | | keyword |
-| rsa.misc.cs_targetmodule | | keyword |
-| rsa.misc.cs_v6nxthop | | keyword |
-| rsa.misc.cs_whois_server | | keyword |
-| rsa.misc.cs_yararesult | | keyword |
-| rsa.misc.cve | This key captures CVE (Common Vulnerabilities and Exposures) - an identifier for known information security vulnerabilities. | keyword |
-| rsa.misc.data_type | | keyword |
-| rsa.misc.description | | keyword |
-| rsa.misc.device_name | This is used to capture name of the Device associated with the node Like: a physical disk, printer, etc | keyword |
-| rsa.misc.devvendor | | keyword |
-| rsa.misc.disposition | This key captures the The end state of an action. | keyword |
-| rsa.misc.distance | | keyword |
-| rsa.misc.doc_number | This key captures File Identification number | long |
-| rsa.misc.dstburb | | keyword |
-| rsa.misc.edomain | | keyword |
-| rsa.misc.edomaub | | keyword |
-| rsa.misc.ein_number | Employee Identification Numbers only | long |
-| rsa.misc.error | This key captures All non successful Error codes or responses | keyword |
-| rsa.misc.euid | | keyword |
-| rsa.misc.event_category | | keyword |
-| rsa.misc.event_computer | This key is a windows only concept, where this key is used to capture fully qualified domain name in a windows log. | keyword |
-| rsa.misc.event_desc | This key is used to capture a description of an event available directly or inferred | keyword |
-| rsa.misc.event_id | | keyword |
-| rsa.misc.event_log | This key captures the Name of the event log | keyword |
-| rsa.misc.event_source | This key captures Source of the event that’s not a hostname | keyword |
-| rsa.misc.event_state | This key captures the current state of the object/item referenced within the event. Describing an on-going event. | keyword |
-| rsa.misc.event_type | This key captures the event category type as specified by the event source. | keyword |
-| rsa.misc.event_user | This key is a windows only concept, where this key is used to capture combination of domain name and username in a windows log. | keyword |
-| rsa.misc.expected_val | This key captures the Value expected (from the perspective of the device generating the log). | keyword |
-| rsa.misc.facility | | keyword |
-| rsa.misc.facilityname | | keyword |
-| rsa.misc.fcatnum | This key captures Filter Category Number. Legacy Usage | keyword |
-| rsa.misc.filter | This key captures Filter used to reduce result set | keyword |
-| rsa.misc.finterface | | keyword |
-| rsa.misc.flags | | keyword |
-| rsa.misc.forensic_info | | keyword |
-| rsa.misc.found | This is used to capture the results of regex match | keyword |
-| rsa.misc.fresult | This key captures the Filter Result | long |
-| rsa.misc.gaddr | | keyword |
-| rsa.misc.group | This key captures the Group Name value | keyword |
-| rsa.misc.group_id | This key captures Group ID Number (related to the group name) | keyword |
-| rsa.misc.group_object | This key captures a collection/grouping of entities. Specific usage | keyword |
-| rsa.misc.hardware_id | This key is used to capture unique identifier for a device or system (NOT a Mac address) | keyword |
-| rsa.misc.id3 | | keyword |
-| rsa.misc.im_buddyid | | keyword |
-| rsa.misc.im_buddyname | | keyword |
-| rsa.misc.im_client | | keyword |
-| rsa.misc.im_croomid | | keyword |
-| rsa.misc.im_croomtype | | keyword |
-| rsa.misc.im_members | | keyword |
-| rsa.misc.im_userid | | keyword |
-| rsa.misc.im_username | | keyword |
-| rsa.misc.index | | keyword |
-| rsa.misc.inout | | keyword |
-| rsa.misc.ipkt | | keyword |
-| rsa.misc.ipscat | | keyword |
-| rsa.misc.ipspri | | keyword |
-| rsa.misc.job_num | This key captures the Job Number | keyword |
-| rsa.misc.jobname | | keyword |
-| rsa.misc.language | This is used to capture list of languages the client support and what it prefers | keyword |
-| rsa.misc.latitude | | keyword |
-| rsa.misc.library | This key is used to capture library information in mainframe devices | keyword |
-| rsa.misc.lifetime | This key is used to capture the session lifetime in seconds. | long |
-| rsa.misc.linenum | | keyword |
-| rsa.misc.link | This key is used to link the sessions together. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword |
-| rsa.misc.list_name | | keyword |
-| rsa.misc.listnum | This key is used to capture listname or listnumber, primarily for collecting access-list | keyword |
-| rsa.misc.load_data | | keyword |
-| rsa.misc.location_floor | | keyword |
-| rsa.misc.location_mark | | keyword |
-| rsa.misc.log_id | | keyword |
-| rsa.misc.log_session_id | This key is used to capture a sessionid from the session directly | keyword |
-| rsa.misc.log_session_id1 | This key is used to capture a Linked (Related) Session ID from the session directly | keyword |
-| rsa.misc.log_type | | keyword |
-| rsa.misc.logid | | keyword |
-| rsa.misc.logip | | keyword |
-| rsa.misc.logname | | keyword |
-| rsa.misc.longitude | | keyword |
-| rsa.misc.lport | | keyword |
-| rsa.misc.mail_id | This key is used to capture the mailbox id/name | keyword |
-| rsa.misc.match | This key is for regex match name from search.ini | keyword |
-| rsa.misc.mbug_data | | keyword |
-| rsa.misc.message_body | This key captures the The contents of the message body. | keyword |
-| rsa.misc.misc | | keyword |
-| rsa.misc.misc_name | | keyword |
-| rsa.misc.mode | | keyword |
-| rsa.misc.msgIdPart1 | | keyword |
-| rsa.misc.msgIdPart2 | | keyword |
-| rsa.misc.msgIdPart3 | | keyword |
-| rsa.misc.msgIdPart4 | | keyword |
-| rsa.misc.msg_type | | keyword |
-| rsa.misc.msgid | | keyword |
-| rsa.misc.name | | keyword |
-| rsa.misc.netsessid | | keyword |
-| rsa.misc.node | Common use case is the node name within a cluster. The cluster name is reflected by the host name. | keyword |
-| rsa.misc.ntype | | keyword |
-| rsa.misc.num | | keyword |
-| rsa.misc.number | | keyword |
-| rsa.misc.number1 | | keyword |
-| rsa.misc.number2 | | keyword |
-| rsa.misc.nwwn | | keyword |
-| rsa.misc.obj_name | This is used to capture name of object | keyword |
-| rsa.misc.obj_type | This is used to capture type of object | keyword |
-| rsa.misc.object | | keyword |
-| rsa.misc.observed_val | This key captures the Value observed (from the perspective of the device generating the log). | keyword |
-| rsa.misc.operation | | keyword |
-| rsa.misc.operation_id | An alert number or operation number. The values should be unique and non-repeating. | keyword |
-| rsa.misc.opkt | | keyword |
-| rsa.misc.orig_from | | keyword |
-| rsa.misc.owner_id | | keyword |
-| rsa.misc.p_action | | keyword |
-| rsa.misc.p_filter | | keyword |
-| rsa.misc.p_group_object | | keyword |
-| rsa.misc.p_id | | keyword |
-| rsa.misc.p_msgid | | keyword |
-| rsa.misc.p_msgid1 | | keyword |
-| rsa.misc.p_msgid2 | | keyword |
-| rsa.misc.p_result1 | | keyword |
-| rsa.misc.param | This key is the parameters passed as part of a command or application, etc. | keyword |
-| rsa.misc.param_dst | This key captures the command line/launch argument of the target process or file | keyword |
-| rsa.misc.param_src | This key captures source parameter | keyword |
-| rsa.misc.parent_node | This key captures the Parent Node Name. Must be related to node variable. | keyword |
-| rsa.misc.password_chg | | keyword |
-| rsa.misc.password_expire | | keyword |
-| rsa.misc.payload_dst | This key is used to capture destination payload | keyword |
-| rsa.misc.payload_src | This key is used to capture source payload | keyword |
-| rsa.misc.permgranted | | keyword |
-| rsa.misc.permwanted | | keyword |
-| rsa.misc.pgid | | keyword |
-| rsa.misc.phone | | keyword |
-| rsa.misc.pid | | keyword |
-| rsa.misc.policy | | keyword |
-| rsa.misc.policyUUID | | keyword |
-| rsa.misc.policy_id | This key is used to capture the Policy ID only, this should be a numeric value, use policy.name otherwise | keyword |
-| rsa.misc.policy_name | This key is used to capture the Policy Name only. | keyword |
-| rsa.misc.policy_value | This key captures the contents of the policy. This contains details about the policy | keyword |
-| rsa.misc.policy_waiver | | keyword |
-| rsa.misc.pool_id | This key captures the identifier (typically numeric field) of a resource pool | keyword |
-| rsa.misc.pool_name | This key captures the name of a resource pool | keyword |
-| rsa.misc.port_name | This key is used for Physical or logical port connection but does NOT include a network port. (Example: Printer port name). | keyword |
-| rsa.misc.priority | | keyword |
-| rsa.misc.process_id_val | This key is a failure key for Process ID when it is not an integer value | keyword |
-| rsa.misc.prog_asp_num | | keyword |
-| rsa.misc.program | | keyword |
-| rsa.misc.real_data | | keyword |
-| rsa.misc.reason | | keyword |
-| rsa.misc.rec_asp_device | | keyword |
-| rsa.misc.rec_asp_num | | keyword |
-| rsa.misc.rec_library | | keyword |
-| rsa.misc.recordnum | | keyword |
-| rsa.misc.reference_id | This key is used to capture an event id from the session directly | keyword |
-| rsa.misc.reference_id1 | This key is for Linked ID to be used as an addition to "reference.id" | keyword |
-| rsa.misc.reference_id2 | This key is for the 2nd Linked ID. Can be either linked to "reference.id" or "reference.id1" value but should not be used unless the other two variables are in play. | keyword |
-| rsa.misc.result | This key is used to capture the outcome/result string value of an action in a session. | keyword |
-| rsa.misc.result_code | This key is used to capture the outcome/result numeric value of an action in a session | keyword |
-| rsa.misc.risk | This key captures the non-numeric risk value | keyword |
-| rsa.misc.risk_info | Deprecated, use New Hunting Model (inv.\*, ioc, boc, eoc, analysis.\*) | keyword |
-| rsa.misc.risk_num | This key captures a Numeric Risk value | double |
-| rsa.misc.risk_num_comm | This key captures Risk Number Community | double |
-| rsa.misc.risk_num_next | This key captures Risk Number NextGen | double |
-| rsa.misc.risk_num_sand | This key captures Risk Number SandBox | double |
-| rsa.misc.risk_num_static | This key captures Risk Number Static | double |
-| rsa.misc.risk_suspicious | Deprecated, use New Hunting Model (inv.\*, ioc, boc, eoc, analysis.\*) | keyword |
-| rsa.misc.risk_warning | Deprecated, use New Hunting Model (inv.\*, ioc, boc, eoc, analysis.\*) | keyword |
-| rsa.misc.ruid | | keyword |
-| rsa.misc.rule | This key captures the Rule number | keyword |
-| rsa.misc.rule_group | This key captures the Rule group name | keyword |
-| rsa.misc.rule_name | This key captures the Rule Name | keyword |
-| rsa.misc.rule_template | A default set of parameters which are overlayed onto a rule (or rulename) which efffectively constitutes a template | keyword |
-| rsa.misc.rule_uid | This key is the Unique Identifier for a rule. | keyword |
-| rsa.misc.sburb | | keyword |
-| rsa.misc.sdomain_fld | | keyword |
-| rsa.misc.search_text | This key captures the Search Text used | keyword |
-| rsa.misc.sec | | keyword |
-| rsa.misc.second | | keyword |
-| rsa.misc.sensor | This key captures Name of the sensor. Typically used in IDS/IPS based devices | keyword |
-| rsa.misc.sensorname | | keyword |
-| rsa.misc.seqnum | | keyword |
-| rsa.misc.serial_number | This key is the Serial number associated with a physical asset. | keyword |
-| rsa.misc.session | | keyword |
-| rsa.misc.sessiontype | | keyword |
-| rsa.misc.severity | This key is used to capture the severity given the session | keyword |
-| rsa.misc.sigUUID | | keyword |
-| rsa.misc.sig_id | This key captures IDS/IPS Int Signature ID | long |
-| rsa.misc.sig_id1 | This key captures IDS/IPS Int Signature ID. This must be linked to the sig.id | long |
-| rsa.misc.sig_id_str | This key captures a string object of the sigid variable. | keyword |
-| rsa.misc.sig_name | This key is used to capture the Signature Name only. | keyword |
-| rsa.misc.sigcat | | keyword |
-| rsa.misc.snmp_oid | SNMP Object Identifier | keyword |
-| rsa.misc.snmp_value | SNMP set request value | keyword |
-| rsa.misc.space | | keyword |
-| rsa.misc.space1 | | keyword |
-| rsa.misc.spi | | keyword |
-| rsa.misc.spi_dst | Destination SPI Index | keyword |
-| rsa.misc.spi_src | Source SPI Index | keyword |
-| rsa.misc.sql | This key captures the SQL query | keyword |
-| rsa.misc.srcburb | | keyword |
-| rsa.misc.srcdom | | keyword |
-| rsa.misc.srcservice | | keyword |
-| rsa.misc.state | | keyword |
-| rsa.misc.status | | keyword |
-| rsa.misc.status1 | | keyword |
-| rsa.misc.streams | This key captures number of streams in session | long |
-| rsa.misc.subcategory | | keyword |
-| rsa.misc.svcno | | keyword |
-| rsa.misc.system | | keyword |
-| rsa.misc.tbdstr1 | | keyword |
-| rsa.misc.tbdstr2 | | keyword |
-| rsa.misc.tcp_flags | This key is captures the TCP flags set in any packet of session | long |
-| rsa.misc.terminal | This key captures the Terminal Names only | keyword |
-| rsa.misc.tgtdom | | keyword |
-| rsa.misc.tgtdomain | | keyword |
-| rsa.misc.threshold | | keyword |
-| rsa.misc.tos | This key describes the type of service | long |
-| rsa.misc.trigger_desc | This key captures the Description of the trigger or threshold condition. | keyword |
-| rsa.misc.trigger_val | This key captures the Value of the trigger or threshold condition. | keyword |
-| rsa.misc.type | | keyword |
-| rsa.misc.type1 | | keyword |
-| rsa.misc.udb_class | | keyword |
-| rsa.misc.url_fld | | keyword |
-| rsa.misc.user_div | | keyword |
-| rsa.misc.userid | | keyword |
-| rsa.misc.username_fld | | keyword |
-| rsa.misc.utcstamp | | keyword |
-| rsa.misc.v_instafname | | keyword |
-| rsa.misc.version | This key captures Version of the application or OS which is generating the event. | keyword |
-| rsa.misc.virt_data | | keyword |
-| rsa.misc.virusname | This key captures the name of the virus | keyword |
-| rsa.misc.vm_target | VMWare Target \*\*VMWARE\*\* only varaible. | keyword |
-| rsa.misc.vpnid | | keyword |
-| rsa.misc.vsys | This key captures Virtual System Name | keyword |
-| rsa.misc.vuln_ref | This key captures the Vulnerability Reference details | keyword |
-| rsa.misc.workspace | This key captures Workspace Description | keyword |
-| rsa.network.ad_computer_dst | Deprecated, use host.dst | keyword |
-| rsa.network.addr | | keyword |
-| rsa.network.alias_host | This key should be used when the source or destination context of a hostname is not clear.Also it captures the Device Hostname. Any Hostname that isnt ad.computer. | keyword |
-| rsa.network.dinterface | This key should only be used when it’s a Destination Interface | keyword |
-| rsa.network.dmask | This key is used for Destionation Device network mask | keyword |
-| rsa.network.dns_a_record | | keyword |
-| rsa.network.dns_cname_record | | keyword |
-| rsa.network.dns_id | | keyword |
-| rsa.network.dns_opcode | | keyword |
-| rsa.network.dns_ptr_record | | keyword |
-| rsa.network.dns_resp | | keyword |
-| rsa.network.dns_type | | keyword |
-| rsa.network.domain | | keyword |
-| rsa.network.domain1 | | keyword |
-| rsa.network.eth_host | Deprecated, use alias.mac | keyword |
-| rsa.network.eth_type | This key is used to capture Ethernet Type, Used for Layer 3 Protocols Only | long |
-| rsa.network.faddr | | keyword |
-| rsa.network.fhost | | keyword |
-| rsa.network.fport | | keyword |
-| rsa.network.gateway | This key is used to capture the IP Address of the gateway | keyword |
-| rsa.network.host_dst | This key should only be used when it’s a Destination Hostname | keyword |
-| rsa.network.host_orig | This is used to capture the original hostname in case of a Forwarding Agent or a Proxy in between. | keyword |
-| rsa.network.host_type | | keyword |
-| rsa.network.icmp_code | This key is used to capture the ICMP code only | long |
-| rsa.network.icmp_type | This key is used to capture the ICMP type only | long |
-| rsa.network.interface | This key should be used when the source or destination context of an interface is not clear | keyword |
-| rsa.network.ip_proto | This key should be used to capture the Protocol number, all the protocol nubers are converted into string in UI | long |
-| rsa.network.laddr | | keyword |
-| rsa.network.lhost | | keyword |
-| rsa.network.linterface | | keyword |
-| rsa.network.mask | This key is used to capture the device network IPmask. | keyword |
-| rsa.network.netname | This key is used to capture the network name associated with an IP range. This is configured by the end user. | keyword |
-| rsa.network.network_port | Deprecated, use port. NOTE: There is a type discrepancy as currently used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!) | long |
-| rsa.network.network_service | This is used to capture layer 7 protocols/service names | keyword |
-| rsa.network.origin | | keyword |
-| rsa.network.packet_length | | keyword |
-| rsa.network.paddr | Deprecated | ip |
-| rsa.network.phost | | keyword |
-| rsa.network.port | This key should only be used to capture a Network Port when the directionality is not clear | long |
-| rsa.network.protocol_detail | This key should be used to capture additional protocol information | keyword |
-| rsa.network.remote_domain_id | | keyword |
-| rsa.network.rpayload | This key is used to capture the total number of payload bytes seen in the retransmitted packets. | keyword |
-| rsa.network.sinterface | This key should only be used when it’s a Source Interface | keyword |
-| rsa.network.smask | This key is used for capturing source Network Mask | keyword |
-| rsa.network.vlan | This key should only be used to capture the ID of the Virtual LAN | long |
-| rsa.network.vlan_name | This key should only be used to capture the name of the Virtual LAN | keyword |
-| rsa.network.zone | This key should be used when the source or destination context of a Zone is not clear | keyword |
-| rsa.network.zone_dst | This key should only be used when it’s a Destination Zone. | keyword |
-| rsa.network.zone_src | This key should only be used when it’s a Source Zone. | keyword |
-| rsa.physical.org_dst | This is used to capture the destination organization based on the GEOPIP Maxmind database. | keyword |
-| rsa.physical.org_src | This is used to capture the source organization based on the GEOPIP Maxmind database. | keyword |
-| rsa.storage.disk_volume | A unique name assigned to logical units (volumes) within a physical disk | keyword |
-| rsa.storage.lun | Logical Unit Number.This key is a very useful concept in Storage. | keyword |
-| rsa.storage.pwwn | This uniquely identifies a port on a HBA. | keyword |
-| rsa.threat.alert | This key is used to capture name of the alert | keyword |
-| rsa.threat.threat_category | This key captures Threat Name/Threat Category/Categorization of alert | keyword |
-| rsa.threat.threat_desc | This key is used to capture the threat description from the session directly or inferred | keyword |
-| rsa.threat.threat_source | This key is used to capture source of the threat | keyword |
-| rsa.time.date | | keyword |
-| rsa.time.datetime | | keyword |
-| rsa.time.day | | keyword |
-| rsa.time.duration_str | A text string version of the duration | keyword |
-| rsa.time.duration_time | This key is used to capture the normalized duration/lifetime in seconds. | double |
-| rsa.time.effective_time | This key is the effective time referenced by an individual event in a Standard Timestamp format | date |
-| rsa.time.endtime | This key is used to capture the End time mentioned in a session in a standard form | date |
-| rsa.time.event_queue_time | This key is the Time that the event was queued. | date |
-| rsa.time.event_time | This key is used to capture the time mentioned in a raw session that represents the actual time an event occured in a standard normalized form | date |
-| rsa.time.event_time_str | This key is used to capture the incomplete time mentioned in a session as a string | keyword |
-| rsa.time.eventtime | | keyword |
-| rsa.time.expire_time | This key is the timestamp that explicitly refers to an expiration. | date |
-| rsa.time.expire_time_str | This key is used to capture incomplete timestamp that explicitly refers to an expiration. | keyword |
-| rsa.time.gmtdate | | keyword |
-| rsa.time.gmttime | | keyword |
-| rsa.time.hour | | keyword |
-| rsa.time.min | | keyword |
-| rsa.time.month | | keyword |
-| rsa.time.p_date | | keyword |
-| rsa.time.p_month | | keyword |
-| rsa.time.p_time | | keyword |
-| rsa.time.p_time1 | | keyword |
-| rsa.time.p_time2 | | keyword |
-| rsa.time.p_year | | keyword |
-| rsa.time.process_time | Deprecated, use duration.time | keyword |
-| rsa.time.recorded_time | The event time as recorded by the system the event is collected from. The usage scenario is a multi-tier application where the management layer of the system records it's own timestamp at the time of collection from its child nodes. Must be in timestamp format. | date |
-| rsa.time.stamp | Deprecated key defined only in table map. | date |
-| rsa.time.starttime | This key is used to capture the Start time mentioned in a session in a standard form | date |
-| rsa.time.timestamp | | keyword |
-| rsa.time.timezone | This key is used to capture the timezone of the Event Time | keyword |
-| rsa.time.tzone | | keyword |
-| rsa.time.year | | keyword |
-| rsa.web.alias_host | | keyword |
-| rsa.web.cn_asn_dst | | keyword |
-| rsa.web.cn_rpackets | | keyword |
-| rsa.web.fqdn | Fully Qualified Domain Names | keyword |
-| rsa.web.p_url | | keyword |
-| rsa.web.p_user_agent | | keyword |
-| rsa.web.p_web_cookie | | keyword |
-| rsa.web.p_web_method | | keyword |
-| rsa.web.p_web_referer | | keyword |
-| rsa.web.remote_domain | | keyword |
-| rsa.web.reputation_num | Reputation Number of an entity. Typically used for Web Domains | double |
-| rsa.web.urlpage | | keyword |
-| rsa.web.urlroot | | keyword |
-| rsa.web.web_cookie | This key is used to capture the Web cookies specifically. | keyword |
-| rsa.web.web_extension_tmp | | keyword |
-| rsa.web.web_page | | keyword |
-| rsa.web.web_ref_domain | Web referer's domain | keyword |
-| rsa.web.web_ref_page | This key captures Web referer's page information | keyword |
-| rsa.web.web_ref_query | This key captures Web referer's query portion of the URL | keyword |
-| rsa.web.web_ref_root | Web referer's root URL path | keyword |
-| rsa.wireless.access_point | This key is used to capture the access point name. | keyword |
-| rsa.wireless.wlan_channel | This is used to capture the channel names | long |
-| rsa.wireless.wlan_name | This key captures either WLAN number/name | keyword |
-| rsa.wireless.wlan_ssid | This key is used to capture the ssid of a Wireless Session | keyword |
-| rule.name | The name of the rule or signature generating the event. | keyword |
-| server.domain | The domain name of the server system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword |
-| server.registered_domain | The highest registered server domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword |
-| server.subdomain | The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword |
-| server.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword |
-| service.name | Name of the service data is collected from. The name of the service is normally user given. This allows for distributed services that run on multiple hosts to correlate the related instances based on the name. In the case of Elasticsearch the `service.name` could contain the cluster name. For Beats the `service.name` is by default a copy of the `service.type` field if no name is specified. | keyword |
-| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
-| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long |
-| source.as.organization.name | Organization name. | keyword |
-| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text |
-| source.bytes | Bytes sent from the source to the destination. | long |
-| source.domain | The domain name of the source system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword |
-| source.geo.city_name | City name. | keyword |
-| source.geo.country_name | Country name. | keyword |
-| source.geo.location | Longitude and latitude. | geo_point |
-| source.ip | IP address of the source (IPv4 or IPv6). | ip |
-| source.mac | MAC address of the source. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword |
-| source.nat.ip | Translated ip of source based NAT sessions (e.g. internal client to internet) Typically connections traversing load balancers, firewalls, or routers. | ip |
-| source.nat.port | Translated port of source based NAT sessions. (e.g. internal client to internet) Typically used with load balancers, firewalls, or routers. | long |
-| source.port | Port of the source. | long |
-| source.registered_domain | The highest registered source domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword |
-| source.subdomain | The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword |
-| source.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword |
-| tags | List of keywords used to tag each event. | keyword |
-| url.domain | Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. | keyword |
-| url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | wildcard |
-| url.original.text | Multi-field of `url.original`. | match_only_text |
-| url.path | Path of the request, such as "/search". | wildcard |
-| url.query | The query field describes the query string of the request, such as "q=elasticsearch". The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. | keyword |
-| url.registered_domain | The highest registered url domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". 
| keyword | -| url.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | -| user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword | -| user.full_name | User's full name, if available. | keyword | -| user.full_name.text | Multi-field of `user.full_name`. | match_only_text | -| user.id | Unique identifier of the user. | keyword | -| user.name | Short name or login of the user. | keyword | -| user.name.text | Multi-field of `user.name`. | match_only_text | -| user_agent.original | Unparsed user_agent string. | keyword | -| user_agent.original.text | Multi-field of `user_agent.original`. | match_only_text | - - -### XG log - -This is the Sophos `xg` dataset. Reference information about the log formats -can be found in the [Sophos syslog guide]( -https://docs.sophos.com/nsg/sophos-firewall/18.5/PDF/SF%20syslog%20guide%2018.5.pdf). 
- -An example event for `xg` looks as following: - -```json -{ - "@timestamp": "2016-12-02T18:50:20.000Z", - "agent": { - "ephemeral_id": "b1eb8b45-bca7-40b1-b2f4-9d5c87e449bc", - "id": "dee3c982-4bd2-4c06-b207-fe0ce9ef19c5", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "8.1.2" - }, - "data_stream": { - "dataset": "sophos.xg", - "namespace": "ep", - "type": "logs" - }, - "ecs": { - "version": "8.3.0" - }, - "elastic_agent": { - "id": "dee3c982-4bd2-4c06-b207-fe0ce9ef19c5", - "snapshot": false, - "version": "8.1.2" - }, - "event": { - "action": "alert", - "agent_id_status": "verified", - "category": [ - "network" - ], - "code": "16010", - "dataset": "sophos.xg", - "ingested": "2022-04-20T20:13:02Z", - "kind": "event", - "outcome": "success", - "severity": 1, - "timezone": "+00:00" - }, - "host": { - "name": "XG230" - }, - "input": { - "type": "udp" - }, - "log": { - "level": "alert", - "source": { - "address": "172.31.0.8:48162" - } - }, - "observer": { - "product": "XG", - "serial_number": "1234567890123456", - "type": "firewall", - "vendor": "Sophos" - }, - "related": { - "hosts": [ - "XG230" - ], - "ip": [ - "10.108.108.49" - ] - }, - "sophos": { - "xg": { - "action": "Deny", - "context_match": "Not", - "context_prefix": "blah blah hello ", - "context_suffix": " hello blah ", - "device": "SFW", - "device_name": "SF01V", - "dictionary_name": "complicated_Custom", - "direction": "in", - "file_name": "cgi_echo.pl", - "log_component": "Web Content Policy", - "log_id": "058420116010", - "log_subtype": "Alert", - "log_type": "Content Filtering", - "site_category": "Information Technology", - "transaction_id": "e4a127f7-a850-477c-920e-a471b38727c1", - "user": "gi123456", - "website": "ta-web-static-testing.qa. astaro.de" - } - }, - "source": { - "ip": "10.108.108.49" - }, - "tags": [ - "sophos-xg", - "forwarded" - ] -} -``` - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. 
| date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| destination.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| destination.as.organization.name | Organization name. | keyword | -| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. | match_only_text | -| destination.bytes | Bytes sent from the destination to the source. | long | -| destination.domain | The domain name of the destination system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | -| destination.geo.city_name | City name. 
| keyword | -| destination.geo.continent_name | Name of the continent. | keyword | -| destination.geo.country_iso_code | Country ISO code. | keyword | -| destination.geo.country_name | Country name. | keyword | -| destination.geo.location | Longitude and latitude. | geo_point | -| destination.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | -| destination.geo.region_iso_code | Region ISO code. | keyword | -| destination.geo.region_name | Region name. | keyword | -| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | -| destination.mac | MAC address of the destination. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | -| destination.nat.ip | Translated ip of destination based NAT sessions (e.g. internet to private DMZ) Typically used with load balancers, firewalls, or routers. | ip | -| destination.nat.port | Port the source session is translated to by NAT Device. Typically used with load balancers, firewalls, or routers. | long | -| destination.packets | Packets sent from the destination to the source. | long | -| destination.port | Port of the destination. | long | -| destination.user.email | User email address. | keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| email.from.address | The email address of the sender, typically from the RFC 5322 `From:` header field. 
| keyword | -| email.subject | A brief summary of the topic of the message. | keyword | -| email.subject.text | Multi-field of `email.subject`. | match_only_text | -| email.to.address | The email address of recipient | keyword | -| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.code | Identification code for this event, if one exists. Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. | keyword | -| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | -| event.dataset | Event dataset | constant_keyword | -| event.duration | Duration of the event in nanoseconds. 
If event.start and event.end are known this value should be the difference between the end and start time. | long | -| event.end | event.end contains the date when the event ended or when the activity was last observed. | date | -| event.hash | Hash (perhaps logstash fingerprint) of raw field to be able to demonstrate log integrity. | keyword | -| event.id | Unique ID to describe the event. | keyword | -| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | -| event.module | Event module | constant_keyword | -| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. 
| keyword | -| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | -| event.provider | Source of the event. Event transports such as Syslog or the Windows Event Log typically mention the source of an event. It can be the name of the software that generated the event (e.g. Sysmon, httpd), or of a subsystem of the operating system (kernel, Microsoft-Windows-Security-Auditing). | keyword | -| event.reason | Reason why this event happened, according to the source. This describes the why of a particular action or outcome captured in the event. Where `event.action` captures the action from the event, `event.reason` describes why that action was taken. For example, a web proxy with an `event.action` which denied the request may also populate `event.reason` with the reason why (e.g. `blocked site`). | keyword | -| event.sequence | Sequence number of the event. The sequence number is a value published by some event sources, to make the exact ordering of events unambiguous, regardless of the timestamp precision. | long | -| event.severity | The numeric severity of the event according to your event source. 
What the different severity values mean can be different between sources and use cases. It's up to the implementer to make sure severities are consistent across events from the same source. The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`. | long | -| event.start | event.start contains the date when the event started or when the activity was first observed. | date | -| event.timezone | This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). | keyword | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | -| file.directory | Directory where the file is located. It should include the drive letter, when appropriate. | keyword | -| file.extension | File extension, excluding the leading dot. Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword | -| file.hash.md5 | MD5 hash. | keyword | -| file.hash.sha1 | SHA1 hash. | keyword | -| file.hash.sha256 | SHA256 hash. | keyword | -| file.hash.sha512 | SHA512 hash. 
| keyword | -| file.mime_type | MIME type should identify the format of the file or stream of bytes using https://www.iana.org/assignments/media-types/media-types.xhtml[IANA official types], where possible. When more than one type is applicable, the most specific type should be used. | keyword | -| file.name | Name of the file including the extension, without the directory. | keyword | -| file.size | File size in bytes. Only relevant when `file.type` is "file". | long | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). 
| keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| http.request.method | HTTP request method. The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field. | keyword | -| http.request.referrer | Referrer for this HTTP request. | keyword | -| http.response.status_code | HTTP response status code. | long | -| http.version | HTTP version. | keyword | -| input.type | Input type | keyword | -| log.file.path | Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. | keyword | -| log.level | Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). Some examples are `warn`, `err`, `i`, `informational`. | keyword | -| log.logger | The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. | keyword | -| log.offset | Log offset | long | -| log.source.address | | keyword | -| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | -| network.bytes | Total bytes transferred in both directions. 
If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long | -| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword | -| network.direction | Direction of the network traffic. When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword | -| network.packets | Total packets transferred in both directions. If `source.packets` and `destination.packets` are known, `network.packets` is their sum. | long | -| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword | -| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword | -| observer.egress.interface.name | Interface name as reported by the system. | keyword | -| observer.egress.zone | Network zone of outbound traffic as reported by the observer to categorize the destination area of egress traffic, e.g. Internal, External, DMZ, HR, Legal, etc. | keyword | -| observer.hostname | Hostname of the observer. 
| keyword | -| observer.ingress.interface.name | Interface name as reported by the system. | keyword | -| observer.ingress.zone | Network zone of incoming traffic as reported by the observer to categorize the source area of ingress traffic. e.g. internal, External, DMZ, HR, Legal, etc. | keyword | -| observer.product | The product name of the observer. | keyword | -| observer.serial_number | Observer serial number. | keyword | -| observer.type | The type of the observer the data is coming from. There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. | keyword | -| observer.vendor | Vendor name of the observer. | keyword | -| related.hash | All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). | keyword | -| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| related.user | All the user names or other user identifiers seen on the event. | keyword | -| rule.category | A categorization value keyword used by the entity using the rule for detection of this event. | keyword | -| rule.id | A rule ID that is unique within the scope of an agent, observer, or other entity using the rule for detection of this event. | keyword | -| rule.name | The name of the rule or signature generating the event. | keyword | -| rule.ruleset | Name of the ruleset, policy, group, or parent category in which the rule used to generate this event is a member. | keyword | -| sophos.xg.action | Event Action | keyword | -| sophos.xg.activityname | Web policy activity that matched and caused the policy result. 
| keyword | -| sophos.xg.ap | Access Point Serial ID or LocalWifi0 or LocalWifi1. | keyword | -| sophos.xg.app_category | Name of the category under which application falls | keyword | -| sophos.xg.app_filter_policy_id | Application filter policy ID applied on the traffic | keyword | -| sophos.xg.app_is_cloud | Application is Cloud | keyword | -| sophos.xg.app_name | Application name | keyword | -| sophos.xg.app_resolved_by | Application is resolved by signature or synchronized application | keyword | -| sophos.xg.app_risk | Risk level assigned to the application | keyword | -| sophos.xg.app_technology | Technology of the application | keyword | -| sophos.xg.appfilter_policy_id | Application Filter policy applied on the traffic | integer | -| sophos.xg.application | Application name | keyword | -| sophos.xg.application_category | Application is resolved by signature or synchronized application | keyword | -| sophos.xg.application_filter_policy | Application Filter policy applied on the traffic | integer | -| sophos.xg.application_name | Application name | keyword | -| sophos.xg.application_risk | Risk level assigned to the application | keyword | -| sophos.xg.application_technology | Technology of the application | keyword | -| sophos.xg.appresolvedby | Technology of the application | keyword | -| sophos.xg.auth_client | Auth Client | keyword | -| sophos.xg.auth_mechanism | Auth mechanism | keyword | -| sophos.xg.av_policy_name | Malware scanning policy name which is applied on the traffic | keyword | -| sophos.xg.backup_mode | Backup mode | keyword | -| sophos.xg.branch_name | Branch Name | keyword | -| sophos.xg.category | IPS signature category. 
| keyword | -| sophos.xg.category_type | Type of category under which website falls | keyword | -| sophos.xg.classification | Signature classification | keyword | -| sophos.xg.client_host_name | Client host name | keyword | -| sophos.xg.client_physical_address | Client physical address | keyword | -| sophos.xg.clients_conn_ssid | Number of client connected to the SSID. | long | -| sophos.xg.collisions | collisions | long | -| sophos.xg.con_event | Event Start/Stop | keyword | -| sophos.xg.con_id | Unique identifier of connection | integer | -| sophos.xg.configuration | Configuration | float | -| sophos.xg.conn_id | Unique identifier of connection | integer | -| sophos.xg.connectionname | Connectionname | keyword | -| sophos.xg.connectiontype | Connectiontype | keyword | -| sophos.xg.connevent | Event on which this log is generated | keyword | -| sophos.xg.connid | Connection ID | keyword | -| sophos.xg.content_type | Type of the content | keyword | -| sophos.xg.contenttype | Type of the content | keyword | -| sophos.xg.context_match | Context Match | keyword | -| sophos.xg.context_prefix | Content Prefix | keyword | -| sophos.xg.context_suffix | Context Suffix | keyword | -| sophos.xg.cookie | cookie | keyword | -| sophos.xg.date | Date (yyyy-mm-dd) when the event occurred | date | -| sophos.xg.destinationip | Original destination IP address of traffic | ip | -| sophos.xg.device | device | keyword | -| sophos.xg.device_id | Serial number of the device | keyword | -| sophos.xg.device_model | Model number of the device | keyword | -| sophos.xg.device_name | Model number of the device | keyword | -| sophos.xg.dictionary_name | Dictionary Name | keyword | -| sophos.xg.dir_disp | TPacket direction. 
Possible values:“org”, “reply”, “” | keyword |
-| sophos.xg.direction | Direction | keyword |
-| sophos.xg.domainname | Domain from which virus was downloaded | keyword |
-| sophos.xg.download_file_name | Download file name | keyword |
-| sophos.xg.download_file_type | Download file type | keyword |
-| sophos.xg.dst_country_code | Code of the country to which the destination IP belongs | keyword |
-| sophos.xg.dst_domainname | Receiver domain name | keyword |
-| sophos.xg.dst_ip | Original destination IP address of traffic | ip |
-| sophos.xg.dst_port | Original destination port of TCP and UDP traffic | integer |
-| sophos.xg.dst_zone_type | Type of destination zone | keyword |
-| sophos.xg.dstdomain | Destination Domain | keyword |
-| sophos.xg.duration | Durability of traffic (seconds) | long |
-| sophos.xg.email_subject | Email Subject | keyword |
-| sophos.xg.ep_uuid | Endpoint UUID | keyword |
-| sophos.xg.ether_type | ethernet frame type | keyword |
-| sophos.xg.eventid | ATP Evenet ID | keyword |
-| sophos.xg.eventtime | Event time | date |
-| sophos.xg.eventtype | ATP event type | keyword |
-| sophos.xg.exceptions | List of the checks excluded by web exceptions. | keyword |
-| sophos.xg.execution_path | ATP execution path | keyword |
-| sophos.xg.extra | extra | keyword |
-| sophos.xg.file_name | Filename | keyword |
-| sophos.xg.file_path | File path | keyword |
-| sophos.xg.file_size | File Size | integer |
-| sophos.xg.filename | File name associated with the event | keyword |
-| sophos.xg.filepath | Path of the file containing virus | keyword |
-| sophos.xg.filesize | Size of the file that contained virus | integer |
-| sophos.xg.free | free | integer |
-| sophos.xg.from_email_address | Sender email address | keyword |
-| sophos.xg.ftp_direction | Direction of FTP transfer: Upload or Download | keyword |
-| sophos.xg.ftp_url | FTP URL from which virus was downloaded | keyword |
-| sophos.xg.ftpcommand | FTP command used when virus was found | keyword |
-| sophos.xg.fw_rule_id | Firewall Rule ID which is applied on the traffic | integer |
-| sophos.xg.fw_rule_type | Firewall rule type which is applied on the traffic | keyword |
-| sophos.xg.hb_health | Heartbeat status | keyword |
-| sophos.xg.hb_status | Heartbeat status | keyword |
-| sophos.xg.host | Host | keyword |
-| sophos.xg.http_category | HTTP Category | keyword |
-| sophos.xg.http_category_type | HTTP Category Type | keyword |
-| sophos.xg.httpresponsecode | code of HTTP response | long |
-| sophos.xg.iap | Internet Access policy ID applied on the traffic | keyword |
-| sophos.xg.icmp_code | ICMP code of ICMP traffic | keyword |
-| sophos.xg.icmp_type | ICMP type of ICMP traffic | keyword |
-| sophos.xg.idle_cpu | idle ## | float |
-| sophos.xg.idp_policy_id | IPS policy ID which is applied on the traffic | integer |
-| sophos.xg.idp_policy_name | IPS policy name i.e. IPS policy name which is applied on the traffic | keyword |
-| sophos.xg.in_interface | Interface for incoming traffic, e.g., Port A | keyword |
-| sophos.xg.interface | interface | keyword |
-| sophos.xg.ipaddress | Ipaddress | keyword |
-| sophos.xg.ips_policy_id | IPS policy ID applied on the traffic | integer |
-| sophos.xg.lease_time | Lease Time | keyword |
-| sophos.xg.localgateway | Localgateway | keyword |
-| sophos.xg.localnetwork | Localnetwork | keyword |
-| sophos.xg.log_component | Component responsible for logging e.g. Firewall rule | keyword |
-| sophos.xg.log_id | Unique 12 characters code (0101011) | keyword |
-| sophos.xg.log_subtype | Sub type of event | keyword |
-| sophos.xg.log_type | Type of event e.g. firewall event | keyword |
-| sophos.xg.log_version | Log Version | keyword |
-| sophos.xg.login_user | ATP login user | keyword |
-| sophos.xg.mailid | mailid | keyword |
-| sophos.xg.mailsize | mailsize | integer |
-| sophos.xg.message | Message | keyword |
-| sophos.xg.mode | Mode | keyword |
-| sophos.xg.nat_rule_id | NAT Rule ID | keyword |
-| sophos.xg.newversion | Newversion | keyword |
-| sophos.xg.oldversion | Oldversion | keyword |
-| sophos.xg.out_interface | Interface for outgoing traffic, e.g., Port B | keyword |
-| sophos.xg.override_authorizer | Override authorizer | keyword |
-| sophos.xg.override_name | Override name | keyword |
-| sophos.xg.override_token | Override token | keyword |
-| sophos.xg.phpsessid | PHP session ID | keyword |
-| sophos.xg.platform | Platform of the traffic. | keyword |
-| sophos.xg.policy_type | Policy type applied to the traffic | keyword |
-| sophos.xg.priority | Severity level of traffic | keyword |
-| sophos.xg.protocol | Protocol number of traffic | keyword |
-| sophos.xg.qualifier | Qualifier | keyword |
-| sophos.xg.quarantine | Path and filename of the file quarantined | keyword |
-| sophos.xg.quarantine_reason | Quarantine reason | keyword |
-| sophos.xg.querystring | querystring | keyword |
-| sophos.xg.raw_data | Raw data | keyword |
-| sophos.xg.received_pkts | Total number of packets received | long |
-| sophos.xg.receiveddrops | received drops | long |
-| sophos.xg.receivederrors | received errors | keyword |
-| sophos.xg.receivedkbits | received kbits | long |
-| sophos.xg.recv_bytes | Total number of bytes received | long |
-| sophos.xg.red_id | RED ID | keyword |
-| sophos.xg.referer | Referer | keyword |
-| sophos.xg.remote_ip | Remote IP | ip |
-| sophos.xg.remotenetwork | remotenetwork | keyword |
-| sophos.xg.reported_host | Reported Host | keyword |
-| sophos.xg.reported_ip | Reported IP | keyword |
-| sophos.xg.reports | Reports | float |
-| sophos.xg.rule_priority | Priority of IPS policy | keyword |
-| sophos.xg.sent_bytes | Total number of bytes sent | long |
-| sophos.xg.sent_pkts | Total number of packets sent | long |
-| sophos.xg.server | Server | keyword |
-| sophos.xg.sessionid | Sessionid | keyword |
-| sophos.xg.sha1sum | SHA1 checksum of the item being analyzed | keyword |
-| sophos.xg.signature | Signature | float |
-| sophos.xg.signature_id | Signature ID | keyword |
-| sophos.xg.signature_msg | Signature messsage | keyword |
-| sophos.xg.site_category | Site Category | keyword |
-| sophos.xg.source | Source | keyword |
-| sophos.xg.sourceip | Original source IP address of traffic | ip |
-| sophos.xg.spamaction | Spam Action | keyword |
-| sophos.xg.sqli | related SQLI caught by the WAF | keyword |
-| sophos.xg.src_country_code | Code of the country to which the source IP belongs | keyword |
-| sophos.xg.src_domainname | Sender domain name | keyword |
-| sophos.xg.src_ip | Original source IP address of traffic | ip |
-| sophos.xg.src_mac | Original source MAC address of traffic | keyword |
-| sophos.xg.src_port | Original source port of TCP and UDP traffic | integer |
-| sophos.xg.src_zone_type | Type of source zone | keyword |
-| sophos.xg.ssid | Configured SSID name. | keyword |
-| sophos.xg.start_time | Start time | date |
-| sophos.xg.starttime | Starttime | date |
-| sophos.xg.status | Ultimate status of traffic – Allowed or Denied | keyword |
-| sophos.xg.status_code | Status code | keyword |
-| sophos.xg.subject | Email subject | keyword |
-| sophos.xg.syslog_server_name | Syslog server name | keyword |
-| sophos.xg.system_cpu | system | float |
-| sophos.xg.target | Platform of the traffic. | keyword |
-| sophos.xg.temp | Temp | float |
-| sophos.xg.threatname | ATP threatname | keyword |
-| sophos.xg.timestamp | timestamp | date |
-| sophos.xg.timezone | Time (hh:mm:ss) when the event occurred | keyword |
-| sophos.xg.to_email_address | Receipeint email address | keyword |
-| sophos.xg.total_memory | Total Memory | integer |
-| sophos.xg.trans_dst_ip | Translated destination IP address for outgoing traffic | ip |
-| sophos.xg.trans_dst_port | Translated destination port for outgoing traffic | integer |
-| sophos.xg.trans_src_ip | Translated source IP address for outgoing traffic | ip |
-| sophos.xg.trans_src_port | Translated source port for outgoing traffic | integer |
-| sophos.xg.transaction_id | Transaction ID | keyword |
-| sophos.xg.transactionid | Transaction ID of the AV scan. | keyword |
-| sophos.xg.transmitteddrops | transmitted drops | long |
-| sophos.xg.transmittederrors | transmitted errors | keyword |
-| sophos.xg.transmittedkbits | transmitted kbits | long |
-| sophos.xg.unit | unit | keyword |
-| sophos.xg.updatedip | updatedip | ip |
-| sophos.xg.upload_file_name | Upload file name | keyword |
-| sophos.xg.upload_file_type | Upload file type | keyword |
-| sophos.xg.url | URL from which virus was downloaded | keyword |
-| sophos.xg.used | used | integer |
-| sophos.xg.used_quota | Used Quota | keyword |
-| sophos.xg.user | User | keyword |
-| sophos.xg.user_cpu | system | float |
-| sophos.xg.user_gp | Group name to which the user belongs. | keyword |
-| sophos.xg.user_group | Group name to which the user belongs | keyword |
-| sophos.xg.user_name | user_name | keyword |
-| sophos.xg.users | Number of users from System Health / Live User events. | long |
-| sophos.xg.vconn_id | Connection ID of the master connection | integer |
-| sophos.xg.virus | virus name | keyword |
-| sophos.xg.web_policy_id | Web policy ID | keyword |
-| sophos.xg.website | Website | keyword |
-| sophos.xg.xss | related XSS caught by the WAF | keyword |
-| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long |
-| source.as.organization.name | Organization name. | keyword |
-| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text |
-| source.bytes | Bytes sent from the source to the destination. | long |
-| source.domain | The domain name of the source system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword |
-| source.geo.city_name | City name. | keyword |
-| source.geo.continent_name | Name of the continent. | keyword |
-| source.geo.country_iso_code | Country ISO code. | keyword |
-| source.geo.country_name | Country name. | keyword |
-| source.geo.location | Longitude and latitude. | geo_point |
-| source.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword |
-| source.geo.region_iso_code | Region ISO code. | keyword |
-| source.geo.region_name | Region name. | keyword |
-| source.ip | IP address of the source (IPv4 or IPv6). | ip |
-| source.mac | MAC address of the source. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword |
-| source.nat.ip | Translated ip of source based NAT sessions (e.g. internal client to internet) Typically connections traversing load balancers, firewalls, or routers. | ip |
-| source.nat.port | Translated port of source based NAT sessions. (e.g. internal client to internet) Typically used with load balancers, firewalls, or routers. | long |
-| source.packets | Packets sent from the source to the destination. | long |
-| source.port | Port of the source. | long |
-| source.user.email | User email address. | keyword |
-| source.user.group.name | Name of the group. | keyword |
-| source.user.name | Short name or login of the user. | keyword |
-| source.user.name.text | Multi-field of `source.user.name`. | match_only_text |
-| tags | List of keywords used to tag each event. | keyword |
-| url.domain | Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. | keyword |
-| url.extension | The field contains the file extension from the original request url, excluding the leading dot. The file extension is only set if it exists, as not every url has a file extension. The leading period must not be included. For example, the value must be "png", not ".png". Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword |
-| url.fragment | Portion of the url after the `#`, such as "top". The `#` is not part of the fragment. | keyword |
-| url.full | If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. | wildcard |
-| url.full.text | Multi-field of `url.full`. | match_only_text |
-| url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | wildcard |
-| url.original.text | Multi-field of `url.original`. | match_only_text |
-| url.password | Password of the request. | keyword |
-| url.path | Path of the request, such as "/search". | wildcard |
-| url.port | Port of the request, such as 443. | long |
-| url.query | The query field describes the query string of the request, such as "q=elasticsearch". The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. | keyword |
-| url.registered_domain | The highest registered url domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword |
-| url.scheme | Scheme of the request, such as "https". Note: The `:` is not part of the scheme. | keyword |
-| url.subdomain | The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword |
-| url.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword |
-| url.username | Username of the request. | keyword |
-| user.email | User email address. | keyword |
-| user.name | Short name or login of the user. | keyword |
-| user.name.text | Multi-field of `user.name`. | match_only_text |
-| user_agent.device.name | Name of the device. | keyword |
-| user_agent.name | Name of the user agent. | keyword |
-| user_agent.original | Unparsed user_agent string. | keyword |
-| user_agent.original.text | Multi-field of `user_agent.original`. | match_only_text |
-| user_agent.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| user_agent.os.full | Operating system name, including the version or code name. | keyword |
-| user_agent.os.full.text | Multi-field of `user_agent.os.full`. | match_only_text |
-| user_agent.os.kernel | Operating system kernel version as a raw string. | keyword |
-| user_agent.os.name | Operating system name, without the version. | keyword |
-| user_agent.os.name.text | Multi-field of `user_agent.os.name`. | match_only_text |
-| user_agent.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| user_agent.os.version | Operating system version as a raw string. | keyword |
-| user_agent.version | Version of the user agent. | keyword |
-
diff --git a/packages/sophos/2.4.2/img/logo.svg b/packages/sophos/2.4.2/img/logo.svg
deleted file mode 100755
index 44612bd861..0000000000
--- a/packages/sophos/2.4.2/img/logo.svg
+++ /dev/null
@@ -1,39 +0,0 @@
- -image/svg+xml \ No newline at end of file
diff --git a/packages/sophos/2.4.2/img/sophos.svg b/packages/sophos/2.4.2/img/sophos.svg
deleted file mode 100755
index 5ebdeaf788..0000000000
--- a/packages/sophos/2.4.2/img/sophos.svg
+++ /dev/null
@@ -1,69 +0,0 @@
- - - -image/svg+xml
diff --git a/packages/sophos/2.4.2/manifest.yml b/packages/sophos/2.4.2/manifest.yml
deleted file mode 100755
index 8842b95a92..0000000000
--- a/packages/sophos/2.4.2/manifest.yml
+++ /dev/null
@@ -1,32 +0,0 @@ -format_version: 1.0.0 -name: sophos -title: Sophos -version: "2.4.2" -description: Collect logs from Sophos with Elastic Agent. -categories: ["security"] -release: ga -license: basic -type: integration -conditions: - kibana.version: "^7.17.0 || ^8.0.0" -policy_templates: - - name: sophos - title: Sophos logs - description: Collect Sophos logs from syslog or a file. - inputs: - - type: udp - title: Collect logs from Sophos via UDP - description: Collecting syslog from Sophos via UDP - - type: tcp - title: Collect logs from Sophos via TCP - description: Collecting syslog from Sophos via TCP - - type: logfile - title: Collect logs from Sophos via file - description: Collecting syslog from Sophos via file. -icons: - - src: /img/logo.svg - title: Sophos logo - size: 32x32 - type: image/svg+xml -owner: - github: elastic/security-external-integrations diff --git a/packages/suricata/2.4.2/LICENSE.txt b/packages/suricata/2.4.2/LICENSE.txt deleted file mode 100755 index 809108b857..0000000000 --- a/packages/suricata/2.4.2/LICENSE.txt +++ /dev/null 
@@ -1,93 +0,0 @@
-Elastic License 2.0
-
-URL: https://www.elastic.co/licensing/elastic-license
-
-## Acceptance
-
-By using the software, you agree to all of the terms and conditions below.
-
-## Copyright License
-
-The licensor grants you a non-exclusive, royalty-free, worldwide,
-non-sublicensable, non-transferable license to use, copy, distribute, make
-available, and prepare derivative works of the software, in each case subject to
-the limitations and conditions below.
-
-## Limitations
-
-You may not provide the software to third parties as a hosted or managed
-service, where the service provides users with access to any substantial set of
-the features or functionality of the software.
-
-You may not move, change, disable, or circumvent the license key functionality
-in the software, and you may not remove or obscure any functionality in the
-software that is protected by the license key.
-
-You may not alter, remove, or obscure any licensing, copyright, or other notices
-of the licensor in the software. Any use of the licensor’s trademarks is subject
-to applicable law.
-
-## Patents
-
-The licensor grants you a license, under any patent claims the licensor can
-license, or becomes able to license, to make, have made, use, sell, offer for
-sale, import and have imported the software, in each case subject to the
-limitations and conditions in this license. This license does not cover any
-patent claims that you cause to be infringed by modifications or additions to
-the software. If you or your company make any written claim that the software
-infringes or contributes to infringement of any patent, your patent license for
-the software granted under these terms ends immediately. If your company makes
-such a claim, your patent license ends immediately for work on behalf of your
-company.
-
-## Notices
-
-You must ensure that anyone who gets a copy of any part of the software from you
-also gets a copy of these terms.
-
-If you modify the software, you must include in any modified copies of the
-software prominent notices stating that you have modified the software.
-
-## No Other Rights
-
-These terms do not imply any licenses other than those expressly granted in
-these terms.
-
-## Termination
-
-If you use the software in violation of these terms, such use is not licensed,
-and your licenses will automatically terminate. If the licensor provides you
-with a notice of your violation, and you cease all violation of this license no
-later than 30 days after you receive that notice, your licenses will be
-reinstated retroactively. However, if you violate these terms after such
-reinstatement, any additional violation of these terms will cause your licenses
-to terminate automatically and permanently.
-
-## No Liability
-
-*As far as the law allows, the software comes as is, without any warranty or
-condition, and the licensor will not be liable to you for any damages arising
-out of these terms or the use or nature of the software, under any kind of
-legal claim.*
-
-## Definitions
-
-The **licensor** is the entity offering these terms, and the **software** is the
-software the licensor makes available under these terms, including any portion
-of it.
-
-**you** refers to the individual or entity agreeing to these terms.
-
-**your company** is any legal entity, sole proprietorship, or other kind of
-organization that you work for, plus all organizations that have control over,
-are under the control of, or are under common control with that
-organization. **control** means ownership of substantially all the assets of an
-entity, or the power to direct its management and policies by vote, contract, or
-otherwise. Control can be direct or indirect.
-
-**your licenses** are all the licenses granted to you for the software under
-these terms.
-
-**use** means anything you do with the software requiring one of your licenses.
-
-**trademark** means trademarks, service marks, and similar rights.
diff --git a/packages/suricata/2.4.2/changelog.yml b/packages/suricata/2.4.2/changelog.yml
deleted file mode 100755
index 7aa6583b55..0000000000
--- a/packages/suricata/2.4.2/changelog.yml
+++ /dev/null
@@ -1,175 +0,0 @@ -# newer versions go on top -- version: "2.4.2" - changes: - - description: Use ECS geo.location definition. - type: enhancement - link: https://github.com/elastic/integrations/issues/4227 -- version: "2.4.1" - changes: - - description: Remove unused visualizations - type: enhancement - link: https://github.com/elastic/integrations/issues/3975 -- version: "2.4.0" - changes: - - description: Update package to ECS 8.4.0 - type: enhancement - link: https://github.com/elastic/integrations/pull/3870 -- version: "2.3.1" - changes: - - description: Update package name and description to align with standard wording - type: enhancement - link: https://github.com/elastic/integrations/pull/3478 -- version: "2.3.0" - changes: - - description: Add Server Name Indication to related.hosts for TLS events. - type: enhancement - link: https://github.com/elastic/integrations/pull/3665 - - description: Render host.mac hardware addresses according to ECS. - type: bugfix - link: https://github.com/elastic/integrations/pull/3665 -- version: "2.2.0" - changes: - - description: Update package to ECS 8.3.0. - type: enhancement - link: https://github.com/elastic/integrations/pull/3353 -- version: "2.1.0" - changes: - - description: Add JA3/JA3S to `related.hash` - type: enhancement - link: https://github.com/elastic/integrations/pull/3440 -- version: "2.0.0" - changes: - - description: Migrate map visualisation from tile_map to map object - type: enhancement - link: https://github.com/elastic/integrations/pull/3263 -- version: "1.7.0" - changes: - - description: Update to ECS 8.2 - type: enhancement - link: https://github.com/elastic/integrations/pull/2780 -- version: "1.6.1" - changes: - - description: Add documentation for multi-fields - type: enhancement - link: https://github.com/elastic/integrations/pull/2916 -- version: "1.6.0" - changes: - - description: Add network.protocol support for krb5, smtp, snmp, and ikev2. 
- type: enhancement - link: https://github.com/elastic/integrations/pull/2772 -- version: "1.5.0" - changes: - - description: Set destination.ip in events. - type: bugfix - link: https://github.com/elastic/integrations/issues/2558 - - description: Format MAC addresses per ECS and RFC 7042. - type: enhancement - link: https://github.com/elastic/integrations/pull/2564 -- version: "1.4.0" - changes: - - description: Update to ECS 8.0 - type: enhancement - link: https://github.com/elastic/integrations/pull/2443 -- version: "1.3.2" - changes: - - description: Regenerate test files using the new GeoIP database - type: bugfix - link: https://github.com/elastic/integrations/pull/2339 -- version: "1.3.1" - changes: - - description: Change test public IPs to the supported subset - type: bugfix - link: https://github.com/elastic/integrations/pull/2327 -- version: "1.3.0" - changes: - - description: Add 8.0.0 version constraint - type: enhancement - link: https://github.com/elastic/integrations/pull/2244 -- version: "1.2.3" - changes: - - description: Uniform with guidelines - type: enhancement - link: https://github.com/elastic/integrations/pull/2083 -- version: "1.2.2" - changes: - - description: Update Title and Description. 
- type: enhancement - link: https://github.com/elastic/integrations/pull/1989 -- version: "1.2.1" - changes: - - description: Fix logic that checks for the 'forwarded' tag - type: bugfix - link: https://github.com/elastic/integrations/pull/1854 -- version: "1.2.0" - changes: - - description: Update to ECS 1.12.0 - type: enhancement - link: https://github.com/elastic/integrations/pull/1680 -- version: "1.1.3" - changes: - - description: Convert to generated ECS fields - type: enhancement - link: https://github.com/elastic/integrations/pull/1507 -- version: "1.1.2" - changes: - - description: update to ECS 1.11.0 - type: enhancement - link: https://github.com/elastic/integrations/pull/1421 -- version: "1.1.1" - changes: - - description: Escape special characters in docs - type: enhancement - link: https://github.com/elastic/integrations/pull/1405 -- version: "1.1.0" - changes: - - description: Update integration description - type: enhancement - link: https://github.com/elastic/integrations/pull/1364 -- version: "1.0.1" - changes: - - description: Fixes improper date fields and metadata field issues. - type: bugfix - link: https://github.com/elastic/integrations/pull/1287 -- version: "1.0.0" - changes: - - description: make GA - type: enhancement - link: https://github.com/elastic/integrations/pull/1216 - - description: Set "event.module" and "event.dataset" - type: enhancement - link: https://github.com/elastic/integrations/pull/1216 -- version: "0.6.3" - changes: - - description: Use `wildcard` field type. 
- type: enhancement - link: https://github.com/elastic/integrations/pull/1162 -- version: "0.6.2" - changes: - - description: Modify event.original and update ECS version to 1.10.0 - type: enhancement - link: https://github.com/elastic/integrations/pull/1105 -- version: "0.6.1" - changes: - - description: Make event.original optional - type: enhancement - link: https://github.com/elastic/integrations/pull/991 -- version: "0.6.0" - changes: - - description: Move edge processing to ingest pipelines - type: enhancement - link: https://github.com/elastic/integrations/pull/749 -- version: "0.5.2" - changes: - - description: update to ECS 1.9.0 - type: enhancement - link: https://github.com/elastic/integrations/pull/873 -- version: "0.5.1" - changes: - - description: Change kibana.version constraint to be more conservative. - type: bugfix - link: https://github.com/elastic/integrations/pull/749 -- version: "0.0.1" - changes: - - description: initial release - type: enhancement # can be one of: enhancement, bugfix, breaking-change - link: https://github.com/elastic/integrations/pull/186 diff --git a/packages/suricata/2.4.2/data_stream/eve/agent/stream/log.yml.hbs b/packages/suricata/2.4.2/data_stream/eve/agent/stream/log.yml.hbs deleted file mode 100755 index 0acdce5615..0000000000 --- a/packages/suricata/2.4.2/data_stream/eve/agent/stream/log.yml.hbs +++ /dev/null @@ -1,19 +0,0 @@ -paths: -{{#each paths as |path i|}} - - {{path}} -{{/each}} -exclude_files: [".gz$"] -tags: -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#each tags as |tag i|}} - - {{tag}} -{{/each}} -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} -{{#if processors}} -processors: -{{processors}} -{{/if}} \ No newline at end of file 
diff --git a/packages/suricata/2.4.2/data_stream/eve/elasticsearch/ingest_pipeline/default.yml b/packages/suricata/2.4.2/data_stream/eve/elasticsearch/ingest_pipeline/default.yml deleted file mode 100755 index 685bfa3c9e..0000000000 --- a/packages/suricata/2.4.2/data_stream/eve/elasticsearch/ingest_pipeline/default.yml +++ /dev/null 
@@ -1,682 +0,0 @@ ---- -description: Pipeline for parsing Suricata EVE logs - -processors: - - set: - field: ecs.version - value: '8.4.0' - - set: - field: event.original - copy_from: message - override: false - ignore_failure: true - - remove: - field: message - ignore_missing: true - - set: - field: event.created - copy_from: '@timestamp' - override: false - ignore_failure: true - - json: - field: event.original - target_field: suricata.eve - - rename: - field: suricata.eve.ether.dest_mac - target_field: destination.mac - ignore_missing: true - - rename: - field: suricata.eve.ether.src_mac - target_field: source.mac - ignore_missing: true - - # Format source.mac address. - - gsub: - field: source.mac - pattern: '[-:.]' - replacement: '' - ignore_missing: true - - gsub: - field: source.mac - pattern: '(..)(?!$)' - replacement: '$1-' - ignore_missing: true - - uppercase: - field: source.mac - ignore_missing: true - - # Format destination.mac address. - - gsub: - field: destination.mac - pattern: '[-:.]' - replacement: '' - ignore_missing: true - - gsub: - field: destination.mac - pattern: '(..)(?!$)' - replacement: '$1-' - ignore_missing: true - - uppercase: - field: destination.mac - ignore_missing: true - - # Format host.mac addresses. 
- - script: - lang: painless - if: ctx.host?.mac != null - source: - def fixup(ArrayList macs) { - for (def i = 0; i < macs.length; i++) { - macs[i] = macs[i].replace(':','-').toUpperCase(); - } - return macs; - } - ctx.host['mac'] = fixup(ctx.host?.mac); - - - rename: - field: suricata.eve.src_ip - target_field: source.address - ignore_missing: true - - convert: - field: source.address - target_field: source.ip - type: ip - ignore_failure: true - - convert: - field: suricata.eve.src_port - target_field: source.port - type: integer - ignore_failure: true - - rename: - field: suricata.eve.dest_ip - target_field: destination.address - ignore_missing: true - - convert: - field: destination.address - target_field: destination.ip - type: ip - ignore_failure: true - - convert: - field: suricata.eve.dest_port - target_field: destination.port - type: integer - ignore_failure: true - - rename: - field: suricata.eve.proto - target_field: network.transport - ignore_missing: true - - convert: - field: suricata.eve.flow_id - type: string - ignore_missing: true - - date: - field: '@timestamp' - target_field: event.created - formats: - - ISO8601 - ignore_failure: true - - date: - field: suricata.eve.timestamp - formats: - - ISO8601 - - community_id: - target_field: network.community_id - ignore_failure: true - - registered_domain: - field: suricata.eve.dns.rrname - target_field: dns.question - ignore_missing: true - # Handle the different Suricata event types. 
- - lowercase: - field: suricata.eve.event_type - ignore_missing: true - - script: - lang: painless - ignore_failure: true - params: - alert: - kind: alert - category: - - network - - intrusion_detection - dns: - type: - - protocol - network_protocol: dns - flow: - type: - - connection - ftp: - type: - - protocol - network_protocol: ftp - ftp_data: - type: - - protocol - network_protocol: ftp - http: - category: - - network - - web - type: - - access - - protocol - network_protocol: http - http2: - category: - - network - - web - type: - - access - - protocol - network_protocol: http - ikev2: - type: - - protocol - network_protocol: ikev2 - krb5: - type: - - protocol - network_protocol: krb5 - mqtt: - type: - - protocol - network_protocol: mqtt - smb: - type: - - protocol - network_protocol: smb - smtp: - type: - - protocol - network_protocol: smtp - snmp: - type: - - protocol - network_protocol: snmp - ssh: - type: - - protocol - network_protocol: ssh - stats: - kind: metric - tftp: - type: - - protocol - network_protocol: tftp - tls: - type: - - protocol - network_protocol: tls - rdp: - type: - - protocol - network_protocol: rdp - rfb: # RFB (Remote Framebuffer Protocol) - type: - - protocol - network_protocol: rdp - - source: | - ctx.event.kind = 'event'; - ctx.event.category = ['network']; - def type_params = params.get(ctx?.suricata?.eve?.event_type); - if (type_params == null) { - return; - } - type_params.forEach((k, v) -> { - if ('network_protocol' == k) { - if (ctx.network == null) { - ctx.network = ['protocol': v]; - } else { - ctx.network.protocol = v; - } - } else { - ctx.event[k] = v; - } - }); - - ## Anomaly and Alert - - lowercase: - field: suricata.eve.app_proto - ignore_missing: true - - set: - if: ctx?.suricata?.eve?.app_proto == "ftp-data" - field: network.protocol - value: ftp - - set: - if: >- - ctx?.suricata?.eve?.app_proto != "failed" && - ctx?.suricata?.eve?.app_proto != "template" && - ctx?.suricata?.eve?.app_proto != "template-rust" - 
field: network.protocol - copy_from: suricata.eve.app_proto - ignore_failure: true - ## HTTP - - set: - if: 'ctx?.suricata?.eve?.event_type == "http" && ctx?.suricata?.eve?.http?.status != null && ctx?.suricata?.eve?.http?.status < 400' - field: event.outcome - value: success - - set: - if: 'ctx?.suricata?.eve?.event_type == "http" && ctx?.suricata?.eve?.http?.status != null && ctx?.suricata?.eve?.http?.status >= 400' - field: event.outcome - value: failure - - convert: - field: suricata.eve.http.http_port - type: integer - if: ctx?.suricata?.eve?.http?.http_port != null - ## DNS - - pipeline: - if: >- - ctx?.network?.protocol == "dns" - name: '{{ IngestPipeline "dns" }}' - ## TLS - - pipeline: - if: ctx?.network?.protocol == "tls" - name: '{{ IngestPipeline "tls" }}' - ## Flow - - append: - if: ctx?.suricata?.eve?.flow?.state == "new" - field: event.type - value: - - start - - append: - if: ctx?.suricata?.eve?.flow?.state == "closed" - field: event.type - value: - - end - - set: - field: http.request.method - copy_from: suricata.eve.http.http_method - ignore_failure: true - - rename: - field: suricata.eve.http.status - target_field: http.response.status_code - ignore_missing: true - - append: - if: ctx.suricata?.eve?.http?.hostname != null - value: '{{{suricata.eve.http.hostname}}}' - field: destination.domain - allow_duplicates: false - - remove: - field: suricata.eve.http.hostname - ignore_failure: true - - script: - lang: painless - tag: suricata_deduplicate_dest_domain - source: > - def domain = ctx.destination?.domain; - if (domain instanceof Collection) { - domain = domain.stream().distinct().collect(Collectors.toList()); - if (domain.length == 1) { - domain = domain[0]; - } - ctx.destination.domain = domain; - } - ignore_failure: true - - set: - if: "ctx?.network?.protocol == 'http'" - field: url.domain - copy_from: destination.domain - ignore_failure: true - - grok: - field: suricata.eve.http.url - patterns: - - 
'%{PATH:url.path}(?:\?%{QUERY:url.query})?(?:#%{ANY:url.fragment})?' - ignore_missing: true - pattern_definitions: - PATH: '[^?#]*' - QUERY: '[^#]*' - ANY: '.*' - - rename: - field: suricata.eve.http.url - target_field: url.original - ignore_missing: true - - rename: - field: suricata.eve.http.http_refer - target_field: http.request.referrer - ignore_missing: true - - rename: - field: suricata.eve.http.length - target_field: http.response.body.bytes - ignore_missing: true - - rename: - field: suricata.eve.fileinfo.filename - target_field: file.path - ignore_missing: true - - rename: - field: suricata.eve.fileinfo.size - target_field: file.size - ignore_missing: true - - lowercase: - field: network.transport - ignore_missing: true - - # Suricata alert and metadata - - convert: - field: suricata.eve.alert.category - target_field: message - type: string - ignore_missing: true - - set: - field: rule.category - value: "{{{suricata.eve.alert.category}}}" - ignore_empty_value: true - - set: - field: rule.id - value: "{{{suricata.eve.alert.signature_id}}}" - ignore_empty_value: true - - set: - field: rule.name - value: "{{{suricata.eve.alert.signature}}}" - ignore_empty_value: true - - set: - field: suricata.eve.alert.action - value: denied - if: "ctx?.suricata?.eve?.alert?.action == 'blocked'" - - append: - field: event.type - value: "{{{suricata.eve.alert.action}}}" - if: "ctx?.suricata?.eve?.alert?.action != null" - - remove: - field: suricata.eve.alert.action - ignore_failure: true - - rename: - field: suricata.eve.alert.severity - target_field: event.severity - ignore_missing: true - # All defined keys for metadata is moved out, leaving the metadata field as flattened for any custom fields introduced - # by suricata rules, to prevent the defined keys to be set as flattened type: - # https://better-schema.readthedocs.io/en/latest/schema.html#defined-keys - - rename: - field: suricata.eve.alert.metadata.protocols - target_field: suricata.eve.alert.protocols - 
ignore_missing: true - - rename: - field: suricata.eve.alert.metadata.attack_target - target_field: suricata.eve.alert.attack_target - ignore_missing: true - - rename: - field: suricata.eve.alert.metadata.capec_id - target_field: suricata.eve.alert.capec_id - ignore_missing: true - - rename: - field: suricata.eve.alert.metadata.cwe_id - target_field: suricata.eve.alert.cwe_id - ignore_missing: true - - rename: - field: suricata.eve.alert.metadata.malware - target_field: suricata.eve.alert.malware - ignore_missing: true - - rename: - field: suricata.eve.alert.metadata.cve - target_field: suricata.eve.alert.cve - ignore_missing: true - - rename: - field: suricata.eve.alert.metadata.cvss_v2_base - target_field: suricata.eve.alert.cvss_v2_base - ignore_missing: true - - rename: - field: suricata.eve.alert.metadata.cvss_v2_temporal - target_field: suricata.eve.alert.cvss_v2_temporal - ignore_missing: true - - rename: - field: suricata.eve.alert.metadata.cvss_v3_base - target_field: suricata.eve.alert.cvss_v3_base - ignore_missing: true - - rename: - field: suricata.eve.alert.metadata.cvss_v3_temporal - target_field: suricata.eve.alert.cvss_v3_temporal - ignore_missing: true - - rename: - field: suricata.eve.alert.metadata.priority - target_field: suricata.eve.alert.priority - ignore_missing: true - - rename: - field: suricata.eve.alert.metadata.hostile - target_field: suricata.eve.alert.hostile - ignore_missing: true - - rename: - field: suricata.eve.alert.metadata.infected - target_field: suricata.eve.alert.infected - ignore_missing: true - - rename: - field: suricata.eve.alert.metadata.created_at - target_field: _tmp_.created_at - ignore_missing: true - - join: - field: _tmp_.created_at - description: Converts date field to string - separator: "," - if: ctx._tmp_?.created_at != null - - date: - field: _tmp_.created_at - target_field: suricata.eve.alert.created_at - formats: - - yyyy-MM-dd - - yyyy_MM_dd - if: ctx._tmp_?.created_at != null - ignore_failure: true - - 
rename: - field: suricata.eve.alert.metadata.updated_at - target_field: _tmp_.updated_at - ignore_missing: true - - join: - field: _tmp_.updated_at - description: Converts date field to string - separator: "," - if: ctx._tmp_?.updated_at != null - - date: - field: _tmp_.updated_at - target_field: suricata.eve.alert.updated_at - formats: - - yyyy-MM-dd - - yyyy_MM_dd - if: ctx._tmp_?.updated_at != null - ignore_failure: true - - rename: - field: suricata.eve.alert.metadata.filename - target_field: file.name - ignore_missing: true - - rename: - field: suricata.eve.alert.metadata.classtype - target_field: suricata.eve.alert.classtype - ignore_missing: true - - rename: - field: suricata.eve.alert.metadata.rule_source - target_field: suricata.eve.alert.rule_source - ignore_missing: true - - rename: - field: suricata.eve.alert.metadata.sid - target_field: suricata.eve.alert.sid - ignore_missing: true - - rename: - field: suricata.eve.alert.metadata.mitre_attack - target_field: threat.tactic.id - ignore_missing: true - - rename: - field: suricata.eve.alert.metadata.mitre_tactic_id - target_field: threat.tactic.id - ignore_missing: true - if: ctx.threat?.tactic?.id == null - - rename: - field: suricata.eve.alert.metadata.mitre_tactic_name - target_field: threat.tactic.name - ignore_missing: true - - rename: - field: suricata.eve.alert.metadata.mitre_technique_id - target_field: threat.technique.id - ignore_missing: true - - rename: - field: suricata.eve.alert.metadata.mitre_technique_id - target_field: threat.technique.name - ignore_missing: true - - rename: - field: suricata.eve.flow.pkts_toclient - target_field: destination.packets - ignore_missing: true - - rename: - field: suricata.eve.flow.pkts_toserver - target_field: source.packets - ignore_missing: true - - rename: - field: suricata.eve.flow.bytes_toclient - target_field: destination.bytes - ignore_missing: true - - rename: - field: suricata.eve.flow.bytes_toserver - target_field: source.bytes - ignore_missing: 
true - - script: - lang: painless - source: > - long getOrZero(def map, def key) { - if (map!=null && map[key]!=null) { - return map[key]; - } - return 0; - } - def network=ctx['network'], source=ctx['source'], dest=ctx['destination']; - def sp=getOrZero(source,'packets'), sb=getOrZero(source,'bytes'), dp=getOrZero(dest,'packets'), db=getOrZero(dest,'bytes'); - if (sb+db+sp+dp > 0) { - if (network == null) { - network=new HashMap(); - ctx['network']=network; - } - if (sb+db > 0) { - network['bytes'] = sb+db; - } - if(sp+dp>0) { - network['packets'] = sp+dp; - } - } - - date: - field: suricata.eve.flow.start - target_field: event.start - formats: - - ISO8601 - ignore_failure: true - - date: - field: suricata.eve.flow.end - target_field: event.end - formats: - - ISO8601 - ignore_failure: true - - script: - lang: painless - source: > - Instant ins(def d) { - try { - return Instant.parse(d); - } catch(Exception e) { - return null; - } - } - def ev = ctx['event']; - if (ev != null) { - def start = ins(ev['start']); - def end = ins(ev['end']); - if (start != null && end != null && !start.isAfter(end)) { - ev['duration'] = Duration.between(start,end).toNanos(); - } - } - - lowercase: - field: suricata.eve.proto - target_field: network.transport - ignore_missing: true - - user_agent: - field: suricata.eve.http.http_user_agent - ignore_missing: true - - geoip: - if: ctx.source?.geo == null - field: source.ip - target_field: source.geo - ignore_missing: true - - geoip: - if: ctx.destination?.geo == null - field: destination.ip - target_field: destination.geo - ignore_missing: true - - geoip: - database_file: GeoLite2-ASN.mmdb - field: source.ip - target_field: source.as - properties: - - asn - - organization_name - ignore_missing: true - - geoip: - database_file: GeoLite2-ASN.mmdb - field: destination.ip - target_field: destination.as - properties: - - asn - - organization_name - ignore_missing: true - - rename: - field: source.as.asn - target_field: source.as.number - 
ignore_missing: true - - rename: - field: source.as.organization_name - target_field: source.as.organization.name - ignore_missing: true - - rename: - field: destination.as.asn - target_field: destination.as.number - ignore_missing: true - - rename: - field: destination.as.organization_name - target_field: destination.as.organization.name - ignore_missing: true - - append: - field: related.hosts - value: '{{{url.domain}}}' - if: ctx.url?.domain != null && ctx.url?.domain != '' - allow_duplicates: false - - append: - if: ctx?.source?.ip != null - field: related.ip - value: '{{{source.ip}}}' - allow_duplicates: false - - append: - if: ctx?.destination?.ip != null - field: related.ip - value: '{{{destination.ip}}}' - allow_duplicates: false - - append: - field: related.hash - value: "{{tls.server.ja3s}}" - if: "ctx?.tls?.server?.ja3s != null" - - append: - field: related.hash - value: "{{tls.client.ja3}}" - if: "ctx?.tls?.client?.ja3 != null" - allow_duplicates: false - - remove: - field: suricata.eve.alert.metadata - if: "ctx.suricata?.eve?.alert?.metadata == null || ctx.suricata?.eve?.alert?.metadata.isEmpty()" - ignore_failure: true - ignore_missing: true - - remove: - field: - - suricata.eve.app_proto - - suricata.eve.flow.end - - suricata.eve.flow.start - - suricata.eve.http.http_method - - suricata.eve.http.http_user_agent - - suricata.eve.timestamp - - suricata.eve.src_port - - suricata.eve.dest_port - - dns.question.domain - - _tmp_ - ignore_missing: true - - remove: - field: event.original - if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" - ignore_failure: true - ignore_missing: true -on_failure: - - set: - field: error.message - value: '{{{ _ingest.on_failure_message }}}' diff --git a/packages/suricata/2.4.2/data_stream/eve/elasticsearch/ingest_pipeline/dns-answer-v1.yml b/packages/suricata/2.4.2/data_stream/eve/elasticsearch/ingest_pipeline/dns-answer-v1.yml deleted file mode 100755 index 89f0984421..0000000000 
--- a/packages/suricata/2.4.2/data_stream/eve/elasticsearch/ingest_pipeline/dns-answer-v1.yml
+++ /dev/null
@@ -1,39 +0,0 @@
----
-description: Pipeline for Suricata DNS answers v1
-
-# Suricata DNS v1 events contain a single answer. Multiple events are created
-# to represent all of the answers.
-processors:
- - script:
- lang: painless
- tag: suricata_dns_answer_v1
- source: |
- def name = ctx?.suricata?.eve?.dns?.rrname;
- def data = ctx?.suricata?.eve?.dns?.rdata;
- def type = ctx?.suricata?.eve?.dns?.rrtype;
- def ttl = ctx?.suricata?.eve?.dns?.ttl;
-
- def answer = [:];
- if (name != null) {
- answer["name"] = name;
- }
- if (data != null) {
- answer["data"] = data;
- }
- if (type != null) {
- answer["type"] = type;
- }
- if (ttl != null) {
- answer["ttl"] = ttl;
- }
- if (!answer.isEmpty()) {
- ctx.dns.answers = [answer];
- }
-
- if (type == "A" || type == "AAAA") {
- ctx.dns.resolved_ip = [data];
- }
-on_failure:
- - set:
- field: error.message
- value: '{{{ _ingest.on_failure_message }}}'
diff --git a/packages/suricata/2.4.2/data_stream/eve/elasticsearch/ingest_pipeline/dns-answer-v2.yml b/packages/suricata/2.4.2/data_stream/eve/elasticsearch/ingest_pipeline/dns-answer-v2.yml
deleted file mode 100755
index 00086f953a..0000000000
--- a/packages/suricata/2.4.2/data_stream/eve/elasticsearch/ingest_pipeline/dns-answer-v2.yml
+++ /dev/null
@@ -1,42 +0,0 @@
----
-description: Pipeline for Suricata DNS answers v2
-
-# Suricata DNS v2 events contain all answers in a single event.
-processors:
- - rename:
- field: suricata.eve.dns.answers
- target_field: dns.answers
- ignore_missing: true
- - script:
- if: ctx?.dns?.answers != null
- lang: painless
- tag: suricata_dns_answers_v2
- source: |
- def resolvedIps = new ArrayList();
- for (def answer : ctx?.dns?.answers) {
- // Normalize field names to match ECS.
- def name = answer.remove("rrname");
- if (name != null) {
- answer["name"] = name;
- }
- def type = answer.remove("rrtype");
- if (type != null) {
- answer["type"] = type;
- }
- def data = answer.remove("rdata");
- if (data != null) {
- answer["data"] = data;
- }
-
- if (type == "A" || type == "AAAA") {
- resolvedIps.add(data);
- }
- }
-
- if (resolvedIps.size() > 0) {
- ctx.dns.resolved_ip = resolvedIps;
- }
-on_failure:
- - set:
- field: error.message
- value: '{{{ _ingest.on_failure_message }}}'
diff --git a/packages/suricata/2.4.2/data_stream/eve/elasticsearch/ingest_pipeline/dns.yml b/packages/suricata/2.4.2/data_stream/eve/elasticsearch/ingest_pipeline/dns.yml
deleted file mode 100755
index 7f38b5dc6e..0000000000
--- a/packages/suricata/2.4.2/data_stream/eve/elasticsearch/ingest_pipeline/dns.yml
+++ /dev/null
@@ -1,93 +0,0 @@
----
-description: Pipeline for Suricata DNS Events
-
-processors:
- - set:
- field: dns.id
- value: '{{{suricata.eve.dns.id}}}'
- ignore_empty_value: true
- - set:
- field: dns.response_code
- value: '{{{suricata.eve.dns.rcode}}}'
- ignore_empty_value: true
- - set:
- field: dns.type
- value: '{{{suricata.eve.dns.type}}}'
- ignore_empty_value: true
- - set:
- # V2 events always include the query data.
- if: >-
- ctx?.dns?.type == "query" ||
- ctx?.suricata?.eve?.dns?.version == 2
- field: dns.question.name
- value: '{{{suricata.eve.dns.rrname}}}'
- ignore_empty_value: true
- - set:
- # V2 events always include the query data.
- if: >-
- ctx?.dns?.type == "query" ||
- ctx?.suricata?.eve?.dns?.version == 2
- field: dns.question.type
- value: '{{{suricata.eve.dns.rrtype}}}'
- ignore_empty_value: true
- - pipeline:
- if: >-
- ctx?.dns?.type == "answer" &&
- ctx?.suricata?.eve?.dns?.version == null
- name: '{{ IngestPipeline "dns-answer-v1" }}'
- - pipeline:
- if: >-
- ctx?.dns?.type == "answer" &&
- ctx?.suricata?.eve?.dns?.version == 2
- name: '{{ IngestPipeline "dns-answer-v2" }}'
- - foreach:
- field: dns.resolved_ip
- ignore_missing: true
- processor:
- append:
- field: related.ip
- value:
- - '{{{_ingest._value}}}'
- allow_duplicates: false
- - script:
- if: ctx?.dns?.question?.registered_domain != null
- tag: suricata_dns_top_level_domain
- lang: painless
- source: |
- def rd = ctx.dns.question.registered_domain;
- def firstDot = rd.indexOf(".");
- if (firstDot == -1) {
- return;
- }
- ctx.dns.question.top_level_domain = rd.substring(firstDot + 1);
- - append:
- if: ctx?.suricata?.eve?.dns?.aa == true
- field: dns.header_flags
- value: AA
- - append:
- if: ctx?.suricata?.eve?.dns?.tc == true
- field: dns.header_flags
- value: TC
- - append:
- if: ctx?.suricata?.eve?.dns?.rd == true
- field: dns.header_flags
- value: RD
- - append:
- if: ctx?.suricata?.eve?.dns?.ra == true
- field: dns.header_flags
- value: RA
- - remove:
- field:
- - suricata.eve.dns.aa
- - suricata.eve.dns.tc
- - suricata.eve.dns.rd
- - suricata.eve.dns.ra
- - suricata.eve.dns.qr
- - suricata.eve.dns.version
- - suricata.eve.dns.flags
- - suricata.eve.dns.grouped
- ignore_missing: true
-on_failure:
- - set:
- field: error.message
- value: '{{{ _ingest.on_failure_message }}}'
diff --git a/packages/suricata/2.4.2/data_stream/eve/elasticsearch/ingest_pipeline/tls.yml b/packages/suricata/2.4.2/data_stream/eve/elasticsearch/ingest_pipeline/tls.yml
deleted file mode 100755
index 29b566bed6..0000000000
--- a/packages/suricata/2.4.2/data_stream/eve/elasticsearch/ingest_pipeline/tls.yml
+++ /dev/null
@@ -1,189 +0,0 @@ ---- -description: Pipeline for Suricata TLS Events - -processors: - - dissect: - field: suricata.eve.tls.version - pattern: '%{tls.version_protocol} %{tls.version}' - ignore_missing: true - if: ctx?.suricata?.eve?.tls?.version != 'UNDETERMINED' - - lowercase: - field: tls.version_protocol - ignore_missing: true - - script: - if: ctx?.suricata?.eve?.tls?.sni != null - tag: suricata_trim_tls_sni - lang: painless - source: | - def sni = ctx.suricata.eve.tls.sni; - if (!sni.endsWith(".")) { - return; - } - ctx.suricata.eve.tls.sni = sni.substring(0, sni.length() - 1); - # Subject - - set: - field: tls.server.subject - value: '{{{suricata.eve.tls.subject}}}' - ignore_empty_value: true - - kv: - field: suricata.eve.tls.subject - field_split: ' (?=[a-zA-Z]+=)' - value_split: '=' - target_field: suricata.eve.tls.kv_subject - ignore_missing: true - - rename: - field: suricata.eve.tls.kv_subject.C - target_field: tls.server.x509.subject.country - ignore_missing: true - - rename: - field: suricata.eve.tls.kv_subject.CN - target_field: tls.server.x509.subject.common_name - ignore_missing: true - - rename: - field: suricata.eve.tls.kv_subject.L - target_field: tls.server.x509.subject.locality - ignore_missing: true - - rename: - field: suricata.eve.tls.kv_subject.O - target_field: tls.server.x509.subject.organization - ignore_missing: true - - rename: - field: suricata.eve.tls.kv_subject.OU - target_field: tls.server.x509.subject.organizational_unit - ignore_missing: true - - rename: - field: suricata.eve.tls.kv_subject.ST - target_field: tls.server.x509.subject.state_or_province - ignore_missing: true - # Issuer - - set: - field: tls.server.issuer - value: '{{{suricata.eve.tls.issuerdn}}}' - ignore_empty_value: true - - gsub: - field: suricata.eve.tls.issuerdn - pattern: \\, - replacement: "" - ignore_missing: true - - kv: - field: suricata.eve.tls.issuerdn - field_split: ', ' - value_split: '=' - target_field: suricata.eve.tls.kv_issuerdn - ignore_missing: 
true - - rename: - field: suricata.eve.tls.kv_issuerdn.C - target_field: tls.server.x509.issuer.country - ignore_missing: true - - rename: - field: suricata.eve.tls.kv_issuerdn.CN - target_field: tls.server.x509.issuer.common_name - ignore_missing: true - - rename: - field: suricata.eve.tls.kv_issuerdn.L - target_field: tls.server.x509.issuer.locality - ignore_missing: true - - rename: - field: suricata.eve.tls.kv_issuerdn.O - target_field: tls.server.x509.issuer.organization - ignore_missing: true - - rename: - field: suricata.eve.tls.kv_issuerdn.OU - target_field: tls.server.x509.issuer.organizational_unit - ignore_missing: true - - rename: - field: suricata.eve.tls.kv_issuerdn.ST - target_field: tls.server.x509.issuer.state_or_province - ignore_missing: true - - - convert: - field: suricata.eve.tls.session_resumed - target_field: tls.resumed - type: boolean - ignore_missing: true - - set: - field: tls.server.hash.sha1 - value: '{{{suricata.eve.tls.fingerprint}}}' - ignore_empty_value: true - - uppercase: - field: tls.server.hash.sha1 - ignore_missing: true - - split: - field: tls.server.hash.sha1 - separator: ":" - ignore_missing: true - - join: - field: tls.server.hash.sha1 - separator: "" - ignore_failure: true - - append: - field: related.hash - value: "{{tls.server.hash.sha1}}" - if: "ctx?.tls?.server?.hash?.sha1 != null" - - set: - field: tls.client.server_name - value: '{{{suricata.eve.tls.sni}}}' - ignore_empty_value: true - - set: - field: destination.domain - value: '{{{suricata.eve.tls.sni}}}' - ignore_empty_value: true - - append: - field: related.hosts - value: '{{{suricata.eve.tls.sni}}}' - if: ctx.suricata?.eve?.tls?.sni != null && ctx.suricata.eve.tls.sni != "" - allow_duplicates: false - - set: - field: tls.server.ja3s - value: '{{{suricata.eve.tls.ja3s.hash}}}' - ignore_empty_value: true - - set: - field: tls.client.ja3 - value: '{{{suricata.eve.tls.ja3.hash}}}' - ignore_empty_value: true - - set: - field: tls.server.certificate - value: 
'{{{suricata.eve.tls.certificate}}}' - ignore_empty_value: true - - set: - field: tls.server.certificate_chain - value: '{{{suricata.eve.tls.chain}}}' - ignore_empty_value: true - - set: - field: tls.server.x509.serial_number - value: '{{{suricata.eve.tls.serial}}}' - ignore_empty_value: true - - gsub: - field: tls.server.x509.serial_number - pattern: ':' - replacement: '' - ignore_missing: true - - date: - field: suricata.eve.tls.notafter - target_field: tls.server.not_after - formats: - - ISO8601 - if: ctx.suricata?.eve?.tls?.notafter != null - - date: - field: suricata.eve.tls.notbefore - target_field: tls.server.not_before - formats: - - ISO8601 - if: ctx.suricata?.eve?.tls?.notbefore != null - - set: - field: tls.server.x509.not_after - value: '{{{tls.server.not_after}}}' - ignore_empty_value: true - - set: - field: tls.server.x509.not_before - value: '{{{tls.server.not_before}}}' - ignore_empty_value: true - - remove: - field: - - suricata.eve.tls.kv_issuerdn - - suricata.eve.tls.kv_subject - ignore_missing: true -on_failure: - - set: - field: error.message - value: '{{{ _ingest.on_failure_message }}}' \ No newline at end of file diff --git a/packages/suricata/2.4.2/data_stream/eve/fields/agent.yml b/packages/suricata/2.4.2/data_stream/eve/fields/agent.yml deleted file mode 100755 index 79a7a39864..0000000000 --- a/packages/suricata/2.4.2/data_stream/eve/fields/agent.yml +++ /dev/null 
@@ -1,180 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: "Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on." - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: "The cloud account or organization id used to identify different entities in a multi-tenant environment.\nExamples: AWS account id, Google Cloud ORG Id, or other unique identifier." - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: "Container fields are used for meta information about the specific container that is the source of information.\nThese fields help correlate data based containers from any runtime." - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: "A host is defined as a general computing instance.\nECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes." - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: "Name of the domain of which the host is a member.\nFor example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider." - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: "Hostname of the host.\nIt normally contains what the `hostname` command returns on the host machine." - - name: id - level: core - type: keyword - ignore_above: 1024 - description: "Unique host id.\nAs hostname is not always unique, use values that are meaningful in your environment.\nExample: The current usage of `beat.name`." 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: "Name of the host.\nIt can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use." - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: "Type of host.\nFor Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment." - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/suricata/2.4.2/data_stream/eve/fields/base-fields.yml b/packages/suricata/2.4.2/data_stream/eve/fields/base-fields.yml
deleted file mode 100755
index eee838550f..0000000000
--- a/packages/suricata/2.4.2/data_stream/eve/fields/base-fields.yml
+++ /dev/null
@@ -1,20 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: event.module
- type: constant_keyword
- description: Event module
- value: suricata
-- name: event.dataset
- type: constant_keyword
- description: Event dataset
- value: suricata.eve
-- name: '@timestamp'
- type: date
- description: Event timestamp.
diff --git a/packages/suricata/2.4.2/data_stream/eve/fields/ecs.yml b/packages/suricata/2.4.2/data_stream/eve/fields/ecs.yml
deleted file mode 100755
index 5ecb24c8ba..0000000000
--- a/packages/suricata/2.4.2/data_stream/eve/fields/ecs.yml
+++ /dev/null
@@ -1,417 +0,0 @@ -- description: |- - Date/time when the event originated. - This is the date/time extracted from the event, typically representing when the event was generated by the source. - If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. - Required field for all events. - name: '@timestamp' - type: date -- description: |- - Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: destination.address - type: keyword -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: destination.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: destination.as.organization.name - type: keyword -- description: Bytes sent from the destination to the source. - name: destination.bytes - type: long -- description: |- - The domain name of the destination system. - This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. - name: destination.domain - type: keyword -- description: City name. - name: destination.geo.city_name - type: keyword -- description: Name of the continent. - name: destination.geo.continent_name - type: keyword -- description: Country ISO code. - name: destination.geo.country_iso_code - type: keyword -- description: Country name. - name: destination.geo.country_name - type: keyword -- description: Longitude and latitude. - name: destination.geo.location - type: geo_point -- description: Region ISO code. 
- name: destination.geo.region_iso_code - type: keyword -- description: Region name. - name: destination.geo.region_name - type: keyword -- description: IP address of the destination (IPv4 or IPv6). - name: destination.ip - type: ip -- description: |- - MAC address of the destination. - The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. - name: destination.mac - pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ - type: keyword -- description: Packets sent from the destination to the source. - name: destination.packets - type: long -- description: Port of the destination. - name: destination.port - type: long -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: |- - Duration of the event in nanoseconds. - If event.start and event.end are known this value should be the difference between the end and start time. - name: event.duration - type: long -- description: event.end contains the date when the event ended or when the activity was last observed. - name: event.end - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. - `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. - Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. 
- Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. - Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. - name: event.outcome - type: keyword -- description: |- - The numeric severity of the event according to your event source. - What the different severity values mean can be different between sources and use cases. It's up to the implementer to make sure severities are consistent across events from the same source. - The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`. - name: event.severity - type: long -- description: event.start contains the date when the event started or when the activity was first observed. - name: event.start - type: date -- description: Name of the file including the extension, without the directory. - name: file.name - type: keyword -- description: Full path to the file, including the file name. It should include the drive letter, when appropriate. - multi_fields: - - name: text - type: match_only_text - name: file.path - type: keyword -- description: |- - File size in bytes. - Only relevant when `file.type` is "file". - name: file.size - type: long -- description: Host ip addresses. - name: host.ip - normalize: - - array - type: ip -- description: |- - HTTP request method. - The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field. 
- name: http.request.method - type: keyword -- description: Referrer for this HTTP request. - name: http.request.referrer - type: keyword -- description: Size in bytes of the response body. - name: http.response.body.bytes - type: long -- description: HTTP response status code. - name: http.response.status_code - type: long -- description: |- - For log events the message field contains the log message, optimized for viewing in a log viewer. - For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. - If multiple messages exist, they can be combined into one message. - name: message - type: match_only_text -- description: |- - Total bytes transferred in both directions. - If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. - name: network.bytes - type: long -- description: |- - A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. - Learn more at https://github.com/corelight/community-id-spec. - name: network.community_id - type: keyword -- description: |- - Total packets transferred in both directions. - If `source.packets` and `destination.packets` are known, `network.packets` is their sum. - name: network.packets - type: long -- description: |- - In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. - The field value must be normalized to lowercase for querying. - name: network.protocol - type: keyword -- description: |- - Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) - The field value must be normalized to lowercase for querying. - name: network.transport - type: keyword -- description: All the hashes seen on your event. 
Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). - name: related.hash - normalize: - - array - type: keyword -- description: All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. - name: related.hosts - normalize: - - array - type: keyword -- description: A categorization value keyword used by the entity using the rule for detection of this event. - name: rule.category - type: keyword -- description: A rule ID that is unique within the scope of an agent, observer, or other entity using the rule for detection of this event. - name: rule.id - type: keyword -- description: The name of the rule or signature generating the event. - name: rule.name - type: keyword -- description: |- - Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: source.address - type: keyword -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: source.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: source.as.organization.name - type: keyword -- description: Bytes sent from the source to the destination. - name: source.bytes - type: long -- description: City name. - name: source.geo.city_name - type: keyword -- description: Name of the continent. - name: source.geo.continent_name - type: keyword -- description: Country ISO code. - name: source.geo.country_iso_code - type: keyword -- description: Country name. - name: source.geo.country_name - type: keyword -- description: Longitude and latitude. 
- name: source.geo.location - type: geo_point -- description: Region ISO code. - name: source.geo.region_iso_code - type: keyword -- description: Region name. - name: source.geo.region_name - type: keyword -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: |- - MAC address of the source. - The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. - name: source.mac - pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ - type: keyword -- description: Packets sent from the source to the destination. - name: source.packets - type: long -- description: Port of the source. - name: source.port - type: long -- description: List of keywords used to tag each event. - name: tags - normalize: - - array - type: keyword -- description: Name of the threat framework used to further categorize and classify the tactic and technique of the reported threat. Framework classification can be provided by detecting systems, evaluated at ingest time, or retrospectively tagged to events. - name: threat.framework - type: keyword -- description: The id of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/ ) - name: threat.tactic.id - normalize: - - array - type: keyword -- description: Name of the type of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/) - name: threat.tactic.name - normalize: - - array - type: keyword -- description: The id of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1059/) - name: threat.technique.id - normalize: - - array - type: keyword -- description: The name of technique used by this threat. 
You can use a MITRE ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1059/) - multi_fields: - - name: text - type: match_only_text - name: threat.technique.name - normalize: - - array - type: keyword -- description: A hash that identifies clients based on how they perform an SSL/TLS handshake. - name: tls.client.ja3 - type: keyword -- description: Also called an SNI, this tells the server which hostname to which the client is attempting to connect to. When this value is available, it should get copied to `destination.domain`. - name: tls.client.server_name - type: keyword -- description: Boolean flag indicating if this TLS connection was resumed from an existing TLS negotiation. - name: tls.resumed - type: boolean -- description: Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the server. For consistency with other hash values, this value should be formatted as an uppercase hash. - name: tls.server.hash.sha1 - type: keyword -- description: Subject of the issuer of the x.509 certificate presented by the server. - name: tls.server.issuer - type: keyword -- description: A hash that identifies servers based on how they perform an SSL/TLS handshake. - name: tls.server.ja3s - type: keyword -- description: Timestamp indicating when server certificate is no longer considered valid. - name: tls.server.not_after - type: date -- description: Timestamp indicating when server certificate is first considered valid. - name: tls.server.not_before - type: date -- description: Subject of the x.509 certificate presented by the server. - name: tls.server.subject - type: keyword -- description: List of common name (CN) of issuing certificate authority. 
- name: tls.server.x509.issuer.common_name - normalize: - - array - type: keyword -- description: List of country \(C) codes - name: tls.server.x509.issuer.country - normalize: - - array - type: keyword -- description: List of locality names (L) - name: tls.server.x509.issuer.locality - normalize: - - array - type: keyword -- description: List of organizations (O) of issuing certificate authority. - name: tls.server.x509.issuer.organization - normalize: - - array - type: keyword -- description: List of organizational units (OU) of issuing certificate authority. - name: tls.server.x509.issuer.organizational_unit - normalize: - - array - type: keyword -- description: List of state or province names (ST, S, or P) - name: tls.server.x509.issuer.state_or_province - normalize: - - array - type: keyword -- description: Time at which the certificate is no longer considered valid. - name: tls.server.x509.not_after - type: date -- description: Time at which the certificate is first considered valid. - name: tls.server.x509.not_before - type: date -- description: Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters. - name: tls.server.x509.serial_number - type: keyword -- description: List of common names (CN) of subject. - name: tls.server.x509.subject.common_name - normalize: - - array - type: keyword -- description: List of country \(C) code - name: tls.server.x509.subject.country - normalize: - - array - type: keyword -- description: List of locality names (L) - name: tls.server.x509.subject.locality - normalize: - - array - type: keyword -- description: List of organizations (O) of subject. - name: tls.server.x509.subject.organization - normalize: - - array - type: keyword -- description: List of organizational units (OU) of subject. 
- name: tls.server.x509.subject.organizational_unit - normalize: - - array - type: keyword -- description: List of state or province names (ST, S, or P) - name: tls.server.x509.subject.state_or_province - normalize: - - array - type: keyword -- description: Numeric part of the version parsed from the original string. - name: tls.version - type: keyword -- description: Normalized lowercase protocol name parsed from original string. - name: tls.version_protocol - type: keyword -- description: |- - Domain of the url, such as "www.elastic.co". - In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. - If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. - name: url.domain - type: keyword -- description: |- - Unmodified original url as seen in the event source. - Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. - This field is meant to represent the URL as it was observed, complete or not. - multi_fields: - - name: text - type: match_only_text - name: url.original - type: wildcard -- description: Path of the request, such as "/search". - name: url.path - type: wildcard -- description: |- - The query field describes the query string of the request, such as "q=elasticsearch". - The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. - name: url.query - type: keyword -- description: Name of the device. - name: user_agent.device.name - type: keyword -- description: Name of the user agent. - name: user_agent.name - type: keyword -- description: Unparsed user_agent string. 
- multi_fields: - - name: text - type: match_only_text - name: user_agent.original - type: keyword -- description: Operating system name, including the version or code name. - multi_fields: - - name: text - type: match_only_text - name: user_agent.os.full - type: keyword -- description: Operating system name, without the version. - multi_fields: - - name: text - type: match_only_text - name: user_agent.os.name - type: keyword -- description: Operating system version as a raw string. - name: user_agent.os.version - type: keyword -- description: Version of the user agent. - name: user_agent.version - type: keyword diff --git a/packages/suricata/2.4.2/data_stream/eve/fields/fields-epr.yml b/packages/suricata/2.4.2/data_stream/eve/fields/fields-epr.yml deleted file mode 100755 index b8a01e0fdc..0000000000 --- a/packages/suricata/2.4.2/data_stream/eve/fields/fields-epr.yml +++ /dev/null 
@@ -1,169 +0,0 @@ -- name: event - title: Event - group: 2 - description: "The event fields are used for context information about the log or metric event itself.\nA log is defined as an event containing details of something that happened. Log events must include the time at which the thing happened. Examples of log events include a process starting on a host, a network packet being sent from a source to a destination, or a network connection between a client and a server being initiated or closed. A metric is defined as an event containing one or more numerical measurements and the time at which the measurement was taken. Examples of metric events include memory pressure measured on a host and device temperature. See the `event.kind` definition in this section for additional details about metric and state events." - type: group - fields: - - name: created - level: core - type: date - description: "event.created contains the date/time when the event was first read by an agent, or by your pipeline.\nThis field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event.\nIn most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source.\nIn case the two timestamps are identical, @timestamp should be used." - example: "2016-05-23T08:05:34.857Z" - - name: ingested - level: core - type: date - description: "Timestamp when an event arrived in the central data store.\nThis is different from `@timestamp`, which is when the event originally occurred. 
It's also different from `event.created`, which is meant to capture the first time an agent saw the event.\nIn normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`." - example: "2016-05-23T08:05:35.101Z" - - name: original - level: core - type: keyword - ignore_above: 1024 - description: "Raw text message of entire event. Used to demonstrate log integrity.\nThis field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`." - example: Sep 19 08:26:10 host CEF:0|Security| threatmanager|1.0|100| worm successfully stopped|10|src=10.0.0.1 dst=2.1.2.2spt=1232 -- name: dns - title: DNS - group: 2 - description: "Fields describing DNS queries and answers.\nDNS events should either represent a single DNS query prior to getting answers (`dns.type:query`) or they should represent a full exchange and contain the query details as well as all of the answers that were provided for this query (`dns.type:answer`)." - type: group - fields: - - name: answers - level: extended - type: object - object_type: keyword - description: "An array containing an object for each answer section returned by the server.\nThe main keys that should be present in these objects are defined by ECS. Records that have more information may contain more keys than what ECS defines.\nNot all DNS data sources give all details about DNS answers. At minimum, answer objects must contain the `data` key. If more information is available, map as much of it to ECS as possible, and add any additional fields to the answer objects as custom fields." - - name: answers.class - level: extended - type: keyword - ignore_above: 1024 - description: The class of DNS data contained in this resource record. 
- example: IN - - name: answers.data - level: extended - type: keyword - ignore_above: 1024 - description: "The data describing the resource.\nThe meaning of this data depends on the type and class of the resource record." - example: 10.10.10.10 - - name: answers.name - level: extended - type: keyword - ignore_above: 1024 - description: "The domain name to which this resource record pertains.\nIf a chain of CNAME is being resolved, each answer's `name` should be the one that corresponds with the answer's `data`. It should not simply be the original `question.name` repeated." - example: www.google.com - - name: answers.ttl - level: extended - type: long - description: The time interval in seconds that this resource record may be cached before it should be discarded. Zero values mean that the data should not be cached. - example: 180 - - name: answers.type - level: extended - type: keyword - ignore_above: 1024 - description: The type of data contained in this resource record. - example: CNAME - - name: header_flags - level: extended - type: keyword - ignore_above: 1024 - description: "Array of 2 letter DNS header flags.\nExpected values are: AA, TC, RD, RA, AD, CD, DO." - example: - - RD - - RA - - name: id - level: extended - type: keyword - ignore_above: 1024 - description: The DNS packet identifier assigned by the program that generated the query. The identifier is copied to the response. - example: 62111 - - name: op_code - level: extended - type: keyword - ignore_above: 1024 - description: The DNS operation code that specifies the kind of query in the message. This value is set by the originator of a query and copied into the response. - example: QUERY - - name: question.class - level: extended - type: keyword - ignore_above: 1024 - description: The class of records being queried. - example: IN - - name: question.name - level: extended - type: keyword - ignore_above: 1024 - description: 'The name being queried. 
- - If the name field contains non-printable characters (below 32 or above 126), those characters should be represented as escaped base 10 integers (\DDD). Back slashes and quotes should be escaped. Tabs, carriage returns, and line feeds should be converted to \t, \r, and \n respectively.' - example: www.google.com - - name: question.registered_domain - level: extended - type: keyword - ignore_above: 1024 - description: 'The highest registered domain, stripped of the subdomain. - - For example, the registered domain for "foo.google.com" is "google.com". - - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk".' - example: google.com - - name: question.subdomain - level: extended - type: keyword - ignore_above: 1024 - description: 'The subdomain is all of the labels under the registered_domain. - - If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period.' - example: www - - name: question.top_level_domain - level: extended - type: keyword - ignore_above: 1024 - description: 'The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for google.com is "com". - - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk".' - example: co.uk - - name: question.type - level: extended - type: keyword - ignore_above: 1024 - description: The type of record being queried. 
- example: AAAA - - name: resolved_ip - level: extended - type: ip - description: "Array containing all IPs seen in `answers.data`.\nThe `answers` array can be difficult to use, because of the variety of data formats it can contain. Extracting all IP addresses seen in there to `dns.resolved_ip` makes it possible to index them as IP addresses, and makes them easier to visualize and query for." - example: - - 10.10.10.10 - - 10.10.10.11 - - name: response_code - level: extended - type: keyword - ignore_above: 1024 - description: The DNS response code. - example: NOERROR - - name: type - level: extended - type: keyword - ignore_above: 1024 - description: "The type of DNS event captured, query or answer.\nIf your source of DNS events only gives you DNS queries, you should only create dns events of type `dns.type:query`.\nIf your source of DNS events gives you answers as well, you should create one event per query (optionally as soon as the query is seen). And a second event containing all query details as well as an array of answers." - example: answer -- name: related - title: Related - group: 2 - description: "This field set is meant to facilitate pivoting around a piece of data.\nSome pieces of information can be seen in many places in an ECS event. To facilitate searching for them, store an array of all seen values to their corresponding field in `related.`.\nA concrete example is IP addresses, which can be under host, observer, source, destination, client, server, and network.forwarded_ip. If you append all IPs to `related.ip`, you can then search for a given IP trivially, no matter where it appeared, by querying `related.ip:192.0.2.15`." - type: group - fields: - - name: ip - level: extended - type: ip - description: All of the IPs seen on your event. -- name: input.type # Filebeat Fields - type: keyword - description: Filebeat input type used to collect the log. -- name: log.file.path - type: keyword - description: > - The file from which the line was read. 
This field contains the absolute path to the file. For example: `/var/log/system.log`.
-
-- name: log.offset
- type: long
- description: >-
- The file offset the reported line starts at.
diff --git a/packages/suricata/2.4.2/data_stream/eve/fields/fields.yml b/packages/suricata/2.4.2/data_stream/eve/fields/fields.yml
deleted file mode 100755
index 35d0142cbd..0000000000
--- a/packages/suricata/2.4.2/data_stream/eve/fields/fields.yml
+++ /dev/null
@@ -1,528 +0,0 @@ -- name: suricata.eve - type: group - fields: - - name: event_type - type: keyword - - name: app_proto_orig - type: keyword - - name: tcp - type: group - fields: - - name: tcp_flags - type: keyword - - name: psh - type: boolean - - name: tcp_flags_tc - type: keyword - - name: ack - type: boolean - - name: syn - type: boolean - - name: state - type: keyword - - name: tcp_flags_ts - type: keyword - - name: rst - type: boolean - - name: fin - type: boolean - - name: fileinfo - type: group - fields: - - name: sha1 - type: keyword - - name: tx_id - type: long - - name: state - type: keyword - - name: stored - type: boolean - - name: gaps - type: boolean - - name: sha256 - type: keyword - - name: md5 - type: keyword - - name: icmp_type - type: long - - name: pcap_cnt - type: long - - name: dns - type: group - fields: - - name: type - type: keyword - - name: rrtype - type: keyword - - name: rrname - type: keyword - - name: rdata - type: keyword - - name: tx_id - type: long - - name: ttl - type: long - - name: rcode - type: keyword - - name: id - type: long - - name: flow_id - type: keyword - - name: email - type: group - fields: - - name: status - type: keyword - - name: icmp_code - type: long - - name: http - type: group - fields: - - name: redirect - type: keyword - - name: protocol - type: keyword - - name: http_content_type - type: keyword - - name: http_port - type: long - - name: in_iface - type: keyword - - name: alert - type: group - fields: - - name: category - type: keyword - - name: rev - type: long - - name: gid - type: long - - name: signature - type: keyword - - name: signature_id - type: long - - name: protocols - type: keyword - - name: attack_target - type: keyword - - name: capec_id - type: keyword - - name: cwe_id - type: keyword - - name: malware - type: keyword - - name: cve - type: keyword - - name: cvss_v2_base - type: keyword - - name: cvss_v2_temporal - type: keyword - - name: cvss_v3_base - type: keyword - - name: 
cvss_v3_temporal - type: keyword - - name: priority - type: keyword - - name: hostile - type: keyword - - name: infected - type: keyword - - name: created_at - type: date - - name: updated_at - type: date - - name: classtype - type: keyword - - name: rule_source - type: keyword - - name: sid - type: keyword - - name: affected_product - type: keyword - - name: deployment - type: keyword - - name: former_category - type: keyword - - name: mitre_tool_id - type: keyword - - name: performance_impact - type: keyword - - name: signature_severity - type: keyword - - name: tag - type: keyword - - name: metadata - type: flattened - - name: ssh - type: group - fields: - - name: client - type: group - fields: - - name: proto_version - type: keyword - - name: software_version - type: keyword - - name: server - type: group - fields: - - name: proto_version - type: keyword - - name: software_version - type: keyword - - name: stats - type: group - fields: - - name: capture - type: group - fields: - - name: kernel_packets - type: long - - name: kernel_drops - type: long - - name: kernel_ifdrops - type: long - - name: uptime - type: long - - name: detect - type: group - fields: - - name: alert - type: long - - name: http - type: group - fields: - - name: memcap - type: long - - name: memuse - type: long - - name: file_store - type: group - fields: - - name: open_files - type: long - - name: defrag - type: group - fields: - - name: max_frag_hits - type: long - - name: ipv4 - type: group - fields: - - name: timeouts - type: long - - name: fragments - type: long - - name: reassembled - type: long - - name: ipv6 - type: group - fields: - - name: timeouts - type: long - - name: fragments - type: long - - name: reassembled - type: long - - name: flow - type: group - fields: - - name: tcp_reuse - type: long - - name: udp - type: long - - name: memcap - type: long - - name: emerg_mode_entered - type: long - - name: emerg_mode_over - type: long - - name: tcp - type: long - - name: icmpv6 - 
type: long - - name: icmpv4 - type: long - - name: spare - type: long - - name: memuse - type: long - - name: tcp - type: group - fields: - - name: pseudo_failed - type: long - - name: ssn_memcap_drop - type: long - - name: insert_data_overlap_fail - type: long - - name: sessions - type: long - - name: pseudo - type: long - - name: synack - type: long - - name: insert_data_normal_fail - type: long - - name: syn - type: long - - name: memuse - type: long - - name: invalid_checksum - type: long - - name: segment_memcap_drop - type: long - - name: overlap - type: long - - name: insert_list_fail - type: long - - name: rst - type: long - - name: stream_depth_reached - type: long - - name: reassembly_memuse - type: long - - name: reassembly_gap - type: long - - name: overlap_diff_data - type: long - - name: no_flow - type: long - - name: decoder - type: group - fields: - - name: avg_pkt_size - type: long - - name: bytes - type: long - - name: tcp - type: long - - name: raw - type: long - - name: ppp - type: long - - name: vlan_qinq - type: long - - name: "null" - type: long - - name: ltnull - type: group - fields: - - name: unsupported_type - type: long - - name: pkt_too_small - type: long - - name: invalid - type: long - - name: gre - type: long - - name: ipv4 - type: long - - name: ipv6 - type: long - - name: pkts - type: long - - name: ipv6_in_ipv6 - type: long - - name: ipraw - type: group - fields: - - name: invalid_ip_version - type: long - - name: pppoe - type: long - - name: udp - type: long - - name: dce - type: group - fields: - - name: pkt_too_small - type: long - - name: vlan - type: long - - name: sctp - type: long - - name: max_pkt_size - type: long - - name: teredo - type: long - - name: mpls - type: long - - name: sll - type: long - - name: icmpv6 - type: long - - name: icmpv4 - type: long - - name: erspan - type: long - - name: ethernet - type: long - - name: ipv4_in_ipv6 - type: long - - name: ieee8021ah - type: long - - name: dns - type: group - 
fields: - - name: memcap_global - type: long - - name: memcap_state - type: long - - name: memuse - type: long - - name: flow_mgr - type: group - fields: - - name: rows_busy - type: long - - name: flows_timeout - type: long - - name: flows_notimeout - type: long - - name: rows_skipped - type: long - - name: closed_pruned - type: long - - name: new_pruned - type: long - - name: flows_removed - type: long - - name: bypassed_pruned - type: long - - name: est_pruned - type: long - - name: flows_timeout_inuse - type: long - - name: flows_checked - type: long - - name: rows_maxlen - type: long - - name: rows_checked - type: long - - name: rows_empty - type: long - - name: app_layer - type: group - fields: - - name: flow - type: group - fields: - - name: tls - type: long - - name: ftp - type: long - - name: http - type: long - - name: failed_udp - type: long - - name: dns_udp - type: long - - name: dns_tcp - type: long - - name: smtp - type: long - - name: failed_tcp - type: long - - name: msn - type: long - - name: ssh - type: long - - name: imap - type: long - - name: dcerpc_udp - type: long - - name: dcerpc_tcp - type: long - - name: smb - type: long - - name: tx - type: group - fields: - - name: tls - type: long - - name: ftp - type: long - - name: http - type: long - - name: dns_udp - type: long - - name: dns_tcp - type: long - - name: smtp - type: long - - name: ssh - type: long - - name: dcerpc_udp - type: long - - name: dcerpc_tcp - type: long - - name: smb - type: long - - name: tls - type: group - fields: - - name: notbefore - type: date - - name: issuerdn - type: keyword - - name: sni - type: keyword - - name: version - type: keyword - - name: session_resumed - type: boolean - - name: fingerprint - type: keyword - - name: serial - type: keyword - - name: notafter - type: date - - name: subject - type: keyword - - name: ja3s - type: group - fields: - - name: string - type: keyword - - name: hash - type: keyword - - name: ja3 - type: group - fields: - - name: 
string - type: keyword - - name: hash - type: keyword - - name: app_proto_ts - type: keyword - - name: flow - type: group - fields: - - name: age - type: long - - name: state - type: keyword - - name: reason - type: keyword - - name: end - type: date - - name: alerted - type: boolean - - name: tx_id - type: long - - name: app_proto_tc - type: keyword - - name: smtp - type: group - fields: - - name: rcpt_to - type: keyword - - name: mail_from - type: keyword - - name: helo - type: keyword - - name: app_proto_expected - type: keyword - - name: flags - type: group diff --git a/packages/suricata/2.4.2/data_stream/eve/manifest.yml b/packages/suricata/2.4.2/data_stream/eve/manifest.yml deleted file mode 100755 index ccf51cd55e..0000000000 --- a/packages/suricata/2.4.2/data_stream/eve/manifest.yml +++ /dev/null @@ -1,42 +0,0 @@ -type: logs -title: Suricata eve logs -streams: - - input: logfile - vars: - - name: paths - type: text - title: Paths - multi: true - required: true - show_user: true - default: - - /var/log/suricata/eve.json - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: false - default: - - forwarded - - suricata-eve - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original` - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: > - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. - - template_path: log.yml.hbs - title: Suricata eve logs (log) - description: Collect Suricata eve logs using log input 
diff --git a/packages/suricata/2.4.2/data_stream/eve/sample_event.json b/packages/suricata/2.4.2/data_stream/eve/sample_event.json deleted file mode 100755 index b09518d82f..0000000000 --- a/packages/suricata/2.4.2/data_stream/eve/sample_event.json +++ /dev/null @@ -1,87 +0,0 @@ -{ - "@timestamp": "2018-07-05T19:01:09.820Z", - "agent": { - "ephemeral_id": "1766b03e-b9fd-4e5b-9c37-bb972c55d7c5", - "id": "543eeec2-6585-484f-9f7b-34db47abcd9c", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "8.2.3" - }, - "data_stream": { - "dataset": "suricata.eve", - "namespace": "ep", - "type": "logs" - }, - "destination": { - "address": "192.168.253.112", - "ip": "192.168.253.112", - "port": 22 - }, - "ecs": { - "version": "8.3.0" - }, - "elastic_agent": { - "id": "543eeec2-6585-484f-9f7b-34db47abcd9c", - "snapshot": false, - "version": "8.2.3" - }, - "event": { - "agent_id_status": "verified", - "category": [ - "network" - ], - "created": "2022-07-08T01:02:15.499Z", - "dataset": "suricata.eve", - "ingested": "2022-07-08T01:02:16Z", - "kind": "event", - "type": [ - "protocol" - ] - }, - "input": { - "type": "log" - }, - "log": { - "file": { - "path": "/tmp/service_logs/eve-small.ndjson" - }, - "offset": 0 - }, - "network": { - "community_id": "1:NLm1MbaBR6humQxEQI2Ai7h/XiI=", - "protocol": "ssh", - "transport": "tcp" - }, - "related": { - "ip": [ - "192.168.86.85", - "192.168.253.112" - ] - }, - "source": { - "address": "192.168.86.85", - "ip": "192.168.86.85", - "port": 55406 - }, - "suricata": { - "eve": { - "event_type": "ssh", - "flow_id": "298824096901438", - "in_iface": "en0", - "ssh": { - "client": { - "proto_version": "2.0", - "software_version": "OpenSSH_7.6" - }, - "server": { - "proto_version": "2.0", - "software_version": "libssh_0.7.0" - } - } - } - }, - "tags": [ - "forwarded", - "suricata-eve" - ] -} \ No newline at end of file 
diff --git a/packages/suricata/2.4.2/docs/README.md b/packages/suricata/2.4.2/docs/README.md deleted file mode 100755 index 649ebd4d23..0000000000 --- a/packages/suricata/2.4.2/docs/README.md +++ /dev/null 
@@ -1,489 +0,0 @@ -# Suricata Integration - -This integration is for [Suricata](https://suricata-ids.org/). It reads the EVE -JSON output file. The EVE output writes alerts, anomalies, metadata, file info -and protocol specific records as JSON. - -## Compatibility - -This module has been developed against Suricata v4.0.4, but is expected to work -with other versions of Suricata. - -## EVE - -An example event for `eve` looks as following: - -```json -{ - "@timestamp": "2018-07-05T19:01:09.820Z", - "agent": { - "ephemeral_id": "1766b03e-b9fd-4e5b-9c37-bb972c55d7c5", - "id": "543eeec2-6585-484f-9f7b-34db47abcd9c", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "8.2.3" - }, - "data_stream": { - "dataset": "suricata.eve", - "namespace": "ep", - "type": "logs" - }, - "destination": { - "address": "192.168.253.112", - "ip": "192.168.253.112", - "port": 22 - }, - "ecs": { - "version": "8.3.0" - }, - "elastic_agent": { - "id": "543eeec2-6585-484f-9f7b-34db47abcd9c", - "snapshot": false, - "version": "8.2.3" - }, - "event": { - "agent_id_status": "verified", - "category": [ - "network" - ], - "created": "2022-07-08T01:02:15.499Z", - "dataset": "suricata.eve", - "ingested": "2022-07-08T01:02:16Z", - "kind": "event", - "type": [ - "protocol" - ] - }, - "input": { - "type": "log" - }, - "log": { - "file": { - "path": "/tmp/service_logs/eve-small.ndjson" - }, - "offset": 0 - }, - "network": { - "community_id": "1:NLm1MbaBR6humQxEQI2Ai7h/XiI=", - "protocol": "ssh", - "transport": "tcp" - }, - "related": { - "ip": [ - "192.168.86.85", - "192.168.253.112" - ] - }, - "source": { - "address": "192.168.86.85", - "ip": "192.168.86.85", - "port": 55406 - }, - "suricata": { - "eve": { - "event_type": "ssh", - "flow_id": "298824096901438", - "in_iface": "en0", - "ssh": { - "client": { - "proto_version": "2.0", - "software_version": "OpenSSH_7.6" - }, - "server": { - "proto_version": "2.0", - "software_version": "libssh_0.7.0" - } - } - } - }, - "tags": [ - "forwarded", 
- "suricata-eve" - ] -} -``` - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. 
Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| destination.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| destination.as.organization.name | Organization name. | keyword | -| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. | match_only_text | -| destination.bytes | Bytes sent from the destination to the source. | long | -| destination.domain | The domain name of the destination system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | -| destination.geo.city_name | City name. | keyword | -| destination.geo.continent_name | Name of the continent. | keyword | -| destination.geo.country_iso_code | Country ISO code. | keyword | -| destination.geo.country_name | Country name. | keyword | -| destination.geo.location | Longitude and latitude. | geo_point | -| destination.geo.region_iso_code | Region ISO code. | keyword | -| destination.geo.region_name | Region name. | keyword | -| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | -| destination.mac | MAC address of the destination. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | -| destination.packets | Packets sent from the destination to the source. | long | -| destination.port | Port of the destination. | long | -| dns.answers | An array containing an object for each answer section returned by the server. The main keys that should be present in these objects are defined by ECS. Records that have more information may contain more keys than what ECS defines. 
Not all DNS data sources give all details about DNS answers. At minimum, answer objects must contain the `data` key. If more information is available, map as much of it to ECS as possible, and add any additional fields to the answer objects as custom fields. | object | -| dns.answers.class | The class of DNS data contained in this resource record. | keyword | -| dns.answers.data | The data describing the resource. The meaning of this data depends on the type and class of the resource record. | keyword | -| dns.answers.name | The domain name to which this resource record pertains. If a chain of CNAME is being resolved, each answer's `name` should be the one that corresponds with the answer's `data`. It should not simply be the original `question.name` repeated. | keyword | -| dns.answers.ttl | The time interval in seconds that this resource record may be cached before it should be discarded. Zero values mean that the data should not be cached. | long | -| dns.answers.type | The type of data contained in this resource record. | keyword | -| dns.header_flags | Array of 2 letter DNS header flags. Expected values are: AA, TC, RD, RA, AD, CD, DO. | keyword | -| dns.id | The DNS packet identifier assigned by the program that generated the query. The identifier is copied to the response. | keyword | -| dns.op_code | The DNS operation code that specifies the kind of query in the message. This value is set by the originator of a query and copied into the response. | keyword | -| dns.question.class | The class of records being queried. | keyword | -| dns.question.name | The name being queried. If the name field contains non-printable characters (below 32 or above 126), those characters should be represented as escaped base 10 integers (\DDD). Back slashes and quotes should be escaped. Tabs, carriage returns, and line feeds should be converted to \t, \r, and \n respectively. 
| keyword | -| dns.question.registered_domain | The highest registered domain, stripped of the subdomain. For example, the registered domain for "foo.google.com" is "google.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | -| dns.question.subdomain | The subdomain is all of the labels under the registered_domain. If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword | -| dns.question.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for google.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | -| dns.question.type | The type of record being queried. | keyword | -| dns.resolved_ip | Array containing all IPs seen in `answers.data`. The `answers` array can be difficult to use, because of the variety of data formats it can contain. Extracting all IP addresses seen in there to `dns.resolved_ip` makes it possible to index them as IP addresses, and makes them easier to visualize and query for. | ip | -| dns.response_code | The DNS response code. | keyword | -| dns.type | The type of DNS event captured, query or answer. If your source of DNS events only gives you DNS queries, you should only create dns events of type `dns.type:query`. If your source of DNS events gives you answers as well, you should create one event per query (optionally as soon as the query is seen). And a second event containing all query details as well as an array of answers. 
| keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | -| event.dataset | Event dataset | constant_keyword | -| event.duration | Duration of the event in nanoseconds. If event.start and event.end are known this value should be the difference between the end and start time. | long | -| event.end | event.end contains the date when the event ended or when the activity was last observed. | date | -| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | -| event.module | Event module | constant_keyword | -| event.original | Raw text message of entire event. Used to demonstrate log integrity. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. 
| keyword | -| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | -| event.severity | The numeric severity of the event according to your event source. What the different severity values mean can be different between sources and use cases. It's up to the implementer to make sure severities are consistent across events from the same source. The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`. | long | -| event.start | event.start contains the date when the event started or when the activity was first observed. | date | -| file.name | Name of the file including the extension, without the directory. | keyword | -| file.path | Full path to the file, including the file name. It should include the drive letter, when appropriate. | keyword | -| file.path.text | Multi-field of `file.path`. | match_only_text | -| file.size | File size in bytes. Only relevant when `file.type` is "file". 
| long | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| http.request.method | HTTP request method. The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field. 
| keyword | -| http.request.referrer | Referrer for this HTTP request. | keyword | -| http.response.body.bytes | Size in bytes of the response body. | long | -| http.response.status_code | HTTP response status code. | long | -| input.type | Filebeat input type used to collect the log. | keyword | -| log.file.path | The file from which the line was read. This field contains the absolute path to the file. For example: `/var/log/system.log`. | keyword | -| log.offset | The file offset the reported line starts at. | long | -| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | -| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long | -| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword | -| network.packets | Total packets transferred in both directions. If `source.packets` and `destination.packets` are known, `network.packets` is their sum. | long | -| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword | -| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword | -| related.hash | All the hashes seen on your event. 
Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). | keyword | -| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| rule.category | A categorization value keyword used by the entity using the rule for detection of this event. | keyword | -| rule.id | A rule ID that is unique within the scope of an agent, observer, or other entity using the rule for detection of this event. | keyword | -| rule.name | The name of the rule or signature generating the event. | keyword | -| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| source.as.organization.name | Organization name. | keyword | -| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text | -| source.bytes | Bytes sent from the source to the destination. | long | -| source.geo.city_name | City name. | keyword | -| source.geo.continent_name | Name of the continent. | keyword | -| source.geo.country_iso_code | Country ISO code. | keyword | -| source.geo.country_name | Country name. | keyword | -| source.geo.location | Longitude and latitude. | geo_point | -| source.geo.region_iso_code | Region ISO code. | keyword | -| source.geo.region_name | Region name. | keyword | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| source.mac | MAC address of the source. 
The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | -| source.packets | Packets sent from the source to the destination. | long | -| source.port | Port of the source. | long | -| suricata.eve.alert.affected_product | | keyword | -| suricata.eve.alert.attack_target | | keyword | -| suricata.eve.alert.capec_id | | keyword | -| suricata.eve.alert.category | | keyword | -| suricata.eve.alert.classtype | | keyword | -| suricata.eve.alert.created_at | | date | -| suricata.eve.alert.cve | | keyword | -| suricata.eve.alert.cvss_v2_base | | keyword | -| suricata.eve.alert.cvss_v2_temporal | | keyword | -| suricata.eve.alert.cvss_v3_base | | keyword | -| suricata.eve.alert.cvss_v3_temporal | | keyword | -| suricata.eve.alert.cwe_id | | keyword | -| suricata.eve.alert.deployment | | keyword | -| suricata.eve.alert.former_category | | keyword | -| suricata.eve.alert.gid | | long | -| suricata.eve.alert.hostile | | keyword | -| suricata.eve.alert.infected | | keyword | -| suricata.eve.alert.malware | | keyword | -| suricata.eve.alert.metadata | | flattened | -| suricata.eve.alert.mitre_tool_id | | keyword | -| suricata.eve.alert.performance_impact | | keyword | -| suricata.eve.alert.priority | | keyword | -| suricata.eve.alert.protocols | | keyword | -| suricata.eve.alert.rev | | long | -| suricata.eve.alert.rule_source | | keyword | -| suricata.eve.alert.sid | | keyword | -| suricata.eve.alert.signature | | keyword | -| suricata.eve.alert.signature_id | | long | -| suricata.eve.alert.signature_severity | | keyword | -| suricata.eve.alert.tag | | keyword | -| suricata.eve.alert.updated_at | | date | -| suricata.eve.app_proto_expected | | keyword | -| suricata.eve.app_proto_orig | | keyword | -| suricata.eve.app_proto_tc | | keyword | -| suricata.eve.app_proto_ts | | keyword | -| 
suricata.eve.dns.id | | long | -| suricata.eve.dns.rcode | | keyword | -| suricata.eve.dns.rdata | | keyword | -| suricata.eve.dns.rrname | | keyword | -| suricata.eve.dns.rrtype | | keyword | -| suricata.eve.dns.ttl | | long | -| suricata.eve.dns.tx_id | | long | -| suricata.eve.dns.type | | keyword | -| suricata.eve.email.status | | keyword | -| suricata.eve.event_type | | keyword | -| suricata.eve.fileinfo.gaps | | boolean | -| suricata.eve.fileinfo.md5 | | keyword | -| suricata.eve.fileinfo.sha1 | | keyword | -| suricata.eve.fileinfo.sha256 | | keyword | -| suricata.eve.fileinfo.state | | keyword | -| suricata.eve.fileinfo.stored | | boolean | -| suricata.eve.fileinfo.tx_id | | long | -| suricata.eve.flow.age | | long | -| suricata.eve.flow.alerted | | boolean | -| suricata.eve.flow.end | | date | -| suricata.eve.flow.reason | | keyword | -| suricata.eve.flow.state | | keyword | -| suricata.eve.flow_id | | keyword | -| suricata.eve.http.http_content_type | | keyword | -| suricata.eve.http.http_port | | long | -| suricata.eve.http.protocol | | keyword | -| suricata.eve.http.redirect | | keyword | -| suricata.eve.icmp_code | | long | -| suricata.eve.icmp_type | | long | -| suricata.eve.in_iface | | keyword | -| suricata.eve.pcap_cnt | | long | -| suricata.eve.smtp.helo | | keyword | -| suricata.eve.smtp.mail_from | | keyword | -| suricata.eve.smtp.rcpt_to | | keyword | -| suricata.eve.ssh.client.proto_version | | keyword | -| suricata.eve.ssh.client.software_version | | keyword | -| suricata.eve.ssh.server.proto_version | | keyword | -| suricata.eve.ssh.server.software_version | | keyword | -| suricata.eve.stats.app_layer.flow.dcerpc_tcp | | long | -| suricata.eve.stats.app_layer.flow.dcerpc_udp | | long | -| suricata.eve.stats.app_layer.flow.dns_tcp | | long | -| suricata.eve.stats.app_layer.flow.dns_udp | | long | -| suricata.eve.stats.app_layer.flow.failed_tcp | | long | -| suricata.eve.stats.app_layer.flow.failed_udp | | long | -| 
suricata.eve.stats.app_layer.flow.ftp | | long | -| suricata.eve.stats.app_layer.flow.http | | long | -| suricata.eve.stats.app_layer.flow.imap | | long | -| suricata.eve.stats.app_layer.flow.msn | | long | -| suricata.eve.stats.app_layer.flow.smb | | long | -| suricata.eve.stats.app_layer.flow.smtp | | long | -| suricata.eve.stats.app_layer.flow.ssh | | long | -| suricata.eve.stats.app_layer.flow.tls | | long | -| suricata.eve.stats.app_layer.tx.dcerpc_tcp | | long | -| suricata.eve.stats.app_layer.tx.dcerpc_udp | | long | -| suricata.eve.stats.app_layer.tx.dns_tcp | | long | -| suricata.eve.stats.app_layer.tx.dns_udp | | long | -| suricata.eve.stats.app_layer.tx.ftp | | long | -| suricata.eve.stats.app_layer.tx.http | | long | -| suricata.eve.stats.app_layer.tx.smb | | long | -| suricata.eve.stats.app_layer.tx.smtp | | long | -| suricata.eve.stats.app_layer.tx.ssh | | long | -| suricata.eve.stats.app_layer.tx.tls | | long | -| suricata.eve.stats.capture.kernel_drops | | long | -| suricata.eve.stats.capture.kernel_ifdrops | | long | -| suricata.eve.stats.capture.kernel_packets | | long | -| suricata.eve.stats.decoder.avg_pkt_size | | long | -| suricata.eve.stats.decoder.bytes | | long | -| suricata.eve.stats.decoder.dce.pkt_too_small | | long | -| suricata.eve.stats.decoder.erspan | | long | -| suricata.eve.stats.decoder.ethernet | | long | -| suricata.eve.stats.decoder.gre | | long | -| suricata.eve.stats.decoder.icmpv4 | | long | -| suricata.eve.stats.decoder.icmpv6 | | long | -| suricata.eve.stats.decoder.ieee8021ah | | long | -| suricata.eve.stats.decoder.invalid | | long | -| suricata.eve.stats.decoder.ipraw.invalid_ip_version | | long | -| suricata.eve.stats.decoder.ipv4 | | long | -| suricata.eve.stats.decoder.ipv4_in_ipv6 | | long | -| suricata.eve.stats.decoder.ipv6 | | long | -| suricata.eve.stats.decoder.ipv6_in_ipv6 | | long | -| suricata.eve.stats.decoder.ltnull.pkt_too_small | | long | -| suricata.eve.stats.decoder.ltnull.unsupported_type | | long | 
-| suricata.eve.stats.decoder.max_pkt_size | | long | -| suricata.eve.stats.decoder.mpls | | long | -| suricata.eve.stats.decoder.null | | long | -| suricata.eve.stats.decoder.pkts | | long | -| suricata.eve.stats.decoder.ppp | | long | -| suricata.eve.stats.decoder.pppoe | | long | -| suricata.eve.stats.decoder.raw | | long | -| suricata.eve.stats.decoder.sctp | | long | -| suricata.eve.stats.decoder.sll | | long | -| suricata.eve.stats.decoder.tcp | | long | -| suricata.eve.stats.decoder.teredo | | long | -| suricata.eve.stats.decoder.udp | | long | -| suricata.eve.stats.decoder.vlan | | long | -| suricata.eve.stats.decoder.vlan_qinq | | long | -| suricata.eve.stats.defrag.ipv4.fragments | | long | -| suricata.eve.stats.defrag.ipv4.reassembled | | long | -| suricata.eve.stats.defrag.ipv4.timeouts | | long | -| suricata.eve.stats.defrag.ipv6.fragments | | long | -| suricata.eve.stats.defrag.ipv6.reassembled | | long | -| suricata.eve.stats.defrag.ipv6.timeouts | | long | -| suricata.eve.stats.defrag.max_frag_hits | | long | -| suricata.eve.stats.detect.alert | | long | -| suricata.eve.stats.dns.memcap_global | | long | -| suricata.eve.stats.dns.memcap_state | | long | -| suricata.eve.stats.dns.memuse | | long | -| suricata.eve.stats.file_store.open_files | | long | -| suricata.eve.stats.flow.emerg_mode_entered | | long | -| suricata.eve.stats.flow.emerg_mode_over | | long | -| suricata.eve.stats.flow.icmpv4 | | long | -| suricata.eve.stats.flow.icmpv6 | | long | -| suricata.eve.stats.flow.memcap | | long | -| suricata.eve.stats.flow.memuse | | long | -| suricata.eve.stats.flow.spare | | long | -| suricata.eve.stats.flow.tcp | | long | -| suricata.eve.stats.flow.tcp_reuse | | long | -| suricata.eve.stats.flow.udp | | long | -| suricata.eve.stats.flow_mgr.bypassed_pruned | | long | -| suricata.eve.stats.flow_mgr.closed_pruned | | long | -| suricata.eve.stats.flow_mgr.est_pruned | | long | -| suricata.eve.stats.flow_mgr.flows_checked | | long | -| 
suricata.eve.stats.flow_mgr.flows_notimeout | | long | -| suricata.eve.stats.flow_mgr.flows_removed | | long | -| suricata.eve.stats.flow_mgr.flows_timeout | | long | -| suricata.eve.stats.flow_mgr.flows_timeout_inuse | | long | -| suricata.eve.stats.flow_mgr.new_pruned | | long | -| suricata.eve.stats.flow_mgr.rows_busy | | long | -| suricata.eve.stats.flow_mgr.rows_checked | | long | -| suricata.eve.stats.flow_mgr.rows_empty | | long | -| suricata.eve.stats.flow_mgr.rows_maxlen | | long | -| suricata.eve.stats.flow_mgr.rows_skipped | | long | -| suricata.eve.stats.http.memcap | | long | -| suricata.eve.stats.http.memuse | | long | -| suricata.eve.stats.tcp.insert_data_normal_fail | | long | -| suricata.eve.stats.tcp.insert_data_overlap_fail | | long | -| suricata.eve.stats.tcp.insert_list_fail | | long | -| suricata.eve.stats.tcp.invalid_checksum | | long | -| suricata.eve.stats.tcp.memuse | | long | -| suricata.eve.stats.tcp.no_flow | | long | -| suricata.eve.stats.tcp.overlap | | long | -| suricata.eve.stats.tcp.overlap_diff_data | | long | -| suricata.eve.stats.tcp.pseudo | | long | -| suricata.eve.stats.tcp.pseudo_failed | | long | -| suricata.eve.stats.tcp.reassembly_gap | | long | -| suricata.eve.stats.tcp.reassembly_memuse | | long | -| suricata.eve.stats.tcp.rst | | long | -| suricata.eve.stats.tcp.segment_memcap_drop | | long | -| suricata.eve.stats.tcp.sessions | | long | -| suricata.eve.stats.tcp.ssn_memcap_drop | | long | -| suricata.eve.stats.tcp.stream_depth_reached | | long | -| suricata.eve.stats.tcp.syn | | long | -| suricata.eve.stats.tcp.synack | | long | -| suricata.eve.stats.uptime | | long | -| suricata.eve.tcp.ack | | boolean | -| suricata.eve.tcp.fin | | boolean | -| suricata.eve.tcp.psh | | boolean | -| suricata.eve.tcp.rst | | boolean | -| suricata.eve.tcp.state | | keyword | -| suricata.eve.tcp.syn | | boolean | -| suricata.eve.tcp.tcp_flags | | keyword | -| suricata.eve.tcp.tcp_flags_tc | | keyword | -| suricata.eve.tcp.tcp_flags_ts | 
| keyword | -| suricata.eve.tls.fingerprint | | keyword | -| suricata.eve.tls.issuerdn | | keyword | -| suricata.eve.tls.ja3.hash | | keyword | -| suricata.eve.tls.ja3.string | | keyword | -| suricata.eve.tls.ja3s.hash | | keyword | -| suricata.eve.tls.ja3s.string | | keyword | -| suricata.eve.tls.notafter | | date | -| suricata.eve.tls.notbefore | | date | -| suricata.eve.tls.serial | | keyword | -| suricata.eve.tls.session_resumed | | boolean | -| suricata.eve.tls.sni | | keyword | -| suricata.eve.tls.subject | | keyword | -| suricata.eve.tls.version | | keyword | -| suricata.eve.tx_id | | long | -| tags | List of keywords used to tag each event. | keyword | -| threat.framework | Name of the threat framework used to further categorize and classify the tactic and technique of the reported threat. Framework classification can be provided by detecting systems, evaluated at ingest time, or retrospectively tagged to events. | keyword | -| threat.tactic.id | The id of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/ ) | keyword | -| threat.tactic.name | Name of the type of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/) | keyword | -| threat.technique.id | The id of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1059/) | keyword | -| threat.technique.name | The name of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1059/) | keyword | -| threat.technique.name.text | Multi-field of `threat.technique.name`. | match_only_text | -| tls.client.ja3 | A hash that identifies clients based on how they perform an SSL/TLS handshake. | keyword | -| tls.client.server_name | Also called an SNI, this tells the server which hostname to which the client is attempting to connect to. 
When this value is available, it should get copied to `destination.domain`. | keyword | -| tls.resumed | Boolean flag indicating if this TLS connection was resumed from an existing TLS negotiation. | boolean | -| tls.server.hash.sha1 | Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the server. For consistency with other hash values, this value should be formatted as an uppercase hash. | keyword | -| tls.server.issuer | Subject of the issuer of the x.509 certificate presented by the server. | keyword | -| tls.server.ja3s | A hash that identifies servers based on how they perform an SSL/TLS handshake. | keyword | -| tls.server.not_after | Timestamp indicating when server certificate is no longer considered valid. | date | -| tls.server.not_before | Timestamp indicating when server certificate is first considered valid. | date | -| tls.server.subject | Subject of the x.509 certificate presented by the server. | keyword | -| tls.server.x509.issuer.common_name | List of common name (CN) of issuing certificate authority. | keyword | -| tls.server.x509.issuer.country | List of country \(C) codes | keyword | -| tls.server.x509.issuer.locality | List of locality names (L) | keyword | -| tls.server.x509.issuer.organization | List of organizations (O) of issuing certificate authority. | keyword | -| tls.server.x509.issuer.organizational_unit | List of organizational units (OU) of issuing certificate authority. | keyword | -| tls.server.x509.issuer.state_or_province | List of state or province names (ST, S, or P) | keyword | -| tls.server.x509.not_after | Time at which the certificate is no longer considered valid. | date | -| tls.server.x509.not_before | Time at which the certificate is first considered valid. | date | -| tls.server.x509.serial_number | Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters. 
| keyword | -| tls.server.x509.subject.common_name | List of common names (CN) of subject. | keyword | -| tls.server.x509.subject.country | List of country \(C) code | keyword | -| tls.server.x509.subject.locality | List of locality names (L) | keyword | -| tls.server.x509.subject.organization | List of organizations (O) of subject. | keyword | -| tls.server.x509.subject.organizational_unit | List of organizational units (OU) of subject. | keyword | -| tls.server.x509.subject.state_or_province | List of state or province names (ST, S, or P) | keyword | -| tls.version | Numeric part of the version parsed from the original string. | keyword | -| tls.version_protocol | Normalized lowercase protocol name parsed from original string. | keyword | -| url.domain | Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. | keyword | -| url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | wildcard | -| url.original.text | Multi-field of `url.original`. | match_only_text | -| url.path | Path of the request, such as "/search". | wildcard | -| url.query | The query field describes the query string of the request, such as "q=elasticsearch". The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. | keyword | -| user_agent.device.name | Name of the device. 
| keyword | -| user_agent.name | Name of the user agent. | keyword | -| user_agent.original | Unparsed user_agent string. | keyword | -| user_agent.original.text | Multi-field of `user_agent.original`. | match_only_text | -| user_agent.os.full | Operating system name, including the version or code name. | keyword | -| user_agent.os.full.text | Multi-field of `user_agent.os.full`. | match_only_text | -| user_agent.os.name | Operating system name, without the version. | keyword | -| user_agent.os.name.text | Multi-field of `user_agent.os.name`. | match_only_text | -| user_agent.os.version | Operating system version as a raw string. | keyword | -| user_agent.version | Version of the user agent. | keyword | - diff --git a/packages/suricata/2.4.2/img/filebeat-suricata-alerts.png b/packages/suricata/2.4.2/img/filebeat-suricata-alerts.png deleted file mode 100755 index bd45777eef..0000000000 Binary files a/packages/suricata/2.4.2/img/filebeat-suricata-alerts.png and /dev/null differ diff --git a/packages/suricata/2.4.2/img/filebeat-suricata-events.png b/packages/suricata/2.4.2/img/filebeat-suricata-events.png deleted file mode 100755 index b9501304ca..0000000000 Binary files a/packages/suricata/2.4.2/img/filebeat-suricata-events.png and /dev/null differ diff --git a/packages/suricata/2.4.2/img/suricata.svg b/packages/suricata/2.4.2/img/suricata.svg deleted file mode 100755 index 06e627a7e4..0000000000 --- a/packages/suricata/2.4.2/img/suricata.svg +++ /dev/null @@ -1 +0,0 @@ - \ No newline at end of file diff --git a/packages/suricata/2.4.2/kibana/dashboard/suricata-05268ee0-86d1-11e8-b59d-21efb914e65c.json b/packages/suricata/2.4.2/kibana/dashboard/suricata-05268ee0-86d1-11e8-b59d-21efb914e65c.json deleted file mode 100755 index 085a8d1bf7..0000000000 --- a/packages/suricata/2.4.2/kibana/dashboard/suricata-05268ee0-86d1-11e8-b59d-21efb914e65c.json +++ /dev/null 
@@ -1,62 +0,0 @@ -{ - "attributes": { - "description": "Overview of the Suricata Alerts dashboard.", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}" - }, - "optionsJSON": "{\"darkTheme\":false,\"hidePanelTitles\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":10,\"i\":\"1\",\"w\":23,\"x\":0,\"y\":4},\"panelIndex\":\"1\",\"panelRefName\":\"panel_1\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":26,\"i\":\"2\",\"w\":25,\"x\":23,\"y\":0},\"panelIndex\":\"2\",\"panelRefName\":\"panel_2\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":16,\"i\":\"3\",\"w\":48,\"x\":0,\"y\":41},\"panelIndex\":\"3\",\"panelRefName\":\"panel_3\",\"type\":\"search\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":12,\"i\":\"7\",\"w\":12,\"x\":11,\"y\":14},\"panelIndex\":\"7\",\"panelRefName\":\"panel_7\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":12,\"i\":\"8\",\"w\":11,\"x\":0,\"y\":14},\"panelIndex\":\"8\",\"panelRefName\":\"panel_8\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":4,\"i\":\"e86b7f30-96da-4f52-9ff0-cefcaadcc914\",\"w\":23,\"x\":0,\"y\":0},\"panelIndex\":\"e86b7f30-96da-4f52-9ff0-cefcaadcc914\",\"panelRefName\":\"panel_e86b7f30-96da-4f52-9ff0-cefcaadcc914\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"attributes\":{\"description\":\"\",\"layerListJSON\":\"[{\\\"sourceDescriptor\\\":{\\\"type\\\":\\\"EMS_TMS\\\",\\\"isAutoSelect\\\":true,\\\"lightModeDefault\\\":\\\"road_map_desaturated\\\"},\\\"id\\\":\\\"967e2051-c2f4-49ef-bc72-d94947e45883\\\",\\\"label\\
\":null,\\\"minZoom\\\":0,\\\"maxZoom\\\":24,\\\"alpha\\\":1,\\\"visible\\\":true,\\\"style\\\":{\\\"type\\\":\\\"TILE\\\"},\\\"includeInFitToBounds\\\":true,\\\"type\\\":\\\"VECTOR_TILE\\\"},{\\\"alpha\\\":0.75,\\\"id\\\":\\\"cdbf364a-7d6f-499e-9819-0ef05d687969\\\",\\\"includeInFitToBounds\\\":true,\\\"joins\\\":[],\\\"label\\\":\\\"Alert - Source Location [Logs Suricata]\\\",\\\"maxZoom\\\":24,\\\"minZoom\\\":0,\\\"sourceDescriptor\\\":{\\\"applyForceRefresh\\\":true,\\\"applyGlobalQuery\\\":true,\\\"applyGlobalTime\\\":true,\\\"geoField\\\":\\\"source.geo.location\\\",\\\"id\\\":\\\"345ad34d-95d3-4e10-9850-cfd6b366fd7e\\\",\\\"indexPatternId\\\":\\\"logs-*\\\",\\\"metrics\\\":[{\\\"type\\\":\\\"count\\\"}],\\\"requestType\\\":\\\"point\\\",\\\"resolution\\\":\\\"MOST_FINE\\\",\\\"type\\\":\\\"ES_GEO_GRID\\\"},\\\"style\\\":{\\\"isTimeAware\\\":true,\\\"properties\\\":{\\\"fillColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"Yellow to Red\\\",\\\"colorCategory\\\":\\\"palette_0\\\",\\\"field\\\":{\\\"name\\\":\\\"doc_count\\\",\\\"origin\\\":\\\"source\\\"},\\\"fieldMetaOptions\\\":{\\\"isEnabled\\\":false,\\\"sigma\\\":3},\\\"type\\\":\\\"ORDINAL\\\"},\\\"type\\\":\\\"DYNAMIC\\\"},\\\"icon\\\":{\\\"options\\\":{\\\"value\\\":\\\"marker\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"iconOrientation\\\":{\\\"options\\\":{\\\"orientation\\\":0},\\\"type\\\":\\\"STATIC\\\"},\\\"iconSize\\\":{\\\"options\\\":{\\\"field\\\":{\\\"name\\\":\\\"doc_count\\\",\\\"origin\\\":\\\"source\\\"},\\\"fieldMetaOptions\\\":{\\\"isEnabled\\\":false,\\\"sigma\\\":3},\\\"maxSize\\\":18,\\\"minSize\\\":7},\\\"type\\\":\\\"DYNAMIC\\\"},\\\"labelBorderColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"#FFFFFF\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"labelBorderSize\\\":{\\\"options\\\":{\\\"size\\\":\\\"SMALL\\\"}},\\\"labelColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"#000000\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"labelSize\\\":{\\\"options\\\":{\\\"size\\\":14},\\\"type\\\":\\\"STATIC\\\"},\\\"labelText\\
\":{\\\"options\\\":{\\\"value\\\":\\\"\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"lineColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"#3d3d3d\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"lineWidth\\\":{\\\"options\\\":{\\\"size\\\":1},\\\"type\\\":\\\"STATIC\\\"},\\\"symbolizeAs\\\":{\\\"options\\\":{\\\"value\\\":\\\"circle\\\"}}},\\\"type\\\":\\\"VECTOR\\\"},\\\"type\\\":\\\"VECTOR\\\",\\\"visible\\\":true}]\",\"mapStateJSON\":\"{\\\"zoom\\\":1.78,\\\"center\\\":{\\\"lon\\\":0,\\\"lat\\\":16.40767},\\\"timeFilters\\\":{\\\"from\\\":\\\"now-15m\\\",\\\"to\\\":\\\"now\\\"},\\\"refreshConfig\\\":{\\\"isPaused\\\":true,\\\"interval\\\":0},\\\"query\\\":{\\\"query\\\":\\\"\\\",\\\"language\\\":\\\"kuery\\\"},\\\"filters\\\":[],\\\"settings\\\":{\\\"autoFitToDataBounds\\\":false,\\\"backgroundColor\\\":\\\"#ffffff\\\",\\\"disableInteractive\\\":false,\\\"disableTooltipControl\\\":false,\\\"hideToolbarOverlay\\\":false,\\\"hideLayerControl\\\":false,\\\"hideViewControl\\\":false,\\\"initialLocation\\\":\\\"LAST_SAVED_LOCATION\\\",\\\"fixedLocation\\\":{\\\"lat\\\":0,\\\"lon\\\":0,\\\"zoom\\\":2},\\\"browserLocation\\\":{\\\"zoom\\\":2},\\\"maxZoom\\\":24,\\\"minZoom\\\":0,\\\"showScaleControl\\\":false,\\\"showSpatialFilters\\\":true,\\\"showTimesliderToggleButton\\\":true,\\\"spatialFiltersAlpa\\\":0.3,\\\"spatialFiltersFillColor\\\":\\\"#DA8B45\\\",\\\"spatialFiltersLineColor\\\":\\\"#DA8B45\\\"}}\",\"references\":[],\"title\":\"Alert - Source Location [Logs 
Suricata]\",\"uiStateJSON\":\"{\\\"isLayerTOCOpen\\\":true,\\\"openTOCDetails\\\":[]}\"},\"enhancements\":{},\"hiddenLayers\":[],\"isLayerTOCOpen\":true,\"mapBuffer\":{\"maxLat\":66.51326,\"maxLon\":90,\"minLat\":-66.51326,\"minLon\":-90},\"mapCenter\":{\"lat\":16.40767,\"lon\":0,\"zoom\":1.78},\"openTOCDetails\":[]},\"gridData\":{\"h\":15,\"i\":\"4b26e7f7-cfe8-4d5f-8cab-4d793c93c80b\",\"w\":23,\"x\":0,\"y\":26},\"panelIndex\":\"4b26e7f7-cfe8-4d5f-8cab-4d793c93c80b\",\"type\":\"map\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"attributes\":{\"description\":\"\",\"layerListJSON\":\"[{\\\"sourceDescriptor\\\":{\\\"type\\\":\\\"EMS_TMS\\\",\\\"isAutoSelect\\\":true,\\\"lightModeDefault\\\":\\\"road_map_desaturated\\\"},\\\"id\\\":\\\"20edc2ac-aae0-4f6b-8eae-405d2423b580\\\",\\\"label\\\":null,\\\"minZoom\\\":0,\\\"maxZoom\\\":24,\\\"alpha\\\":1,\\\"visible\\\":true,\\\"style\\\":{\\\"type\\\":\\\"TILE\\\"},\\\"includeInFitToBounds\\\":true,\\\"type\\\":\\\"VECTOR_TILE\\\"},{\\\"alpha\\\":0.75,\\\"id\\\":\\\"9df30dd6-f660-4daf-a2b6-3691e4bd6e81\\\",\\\"includeInFitToBounds\\\":true,\\\"joins\\\":[],\\\"label\\\":\\\"Alert - Destination Location [Logs Suricata]\\\",\\\"maxZoom\\\":24,\\\"minZoom\\\":0,\\\"sourceDescriptor\\\":{\\\"applyForceRefresh\\\":true,\\\"applyGlobalQuery\\\":true,\\\"applyGlobalTime\\\":true,\\\"geoField\\\":\\\"destination.geo.location\\\",\\\"id\\\":\\\"09c636cb-a239-4636-aaba-abbab2ec3b02\\\",\\\"indexPatternId\\\":\\\"logs-*\\\",\\\"metrics\\\":[{\\\"type\\\":\\\"count\\\"}],\\\"requestType\\\":\\\"point\\\",\\\"resolution\\\":\\\"MOST_FINE\\\",\\\"type\\\":\\\"ES_GEO_GRID\\\"},\\\"style\\\":{\\\"isTimeAware\\\":true,\\\"properties\\\":{\\\"fillColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"Yellow to 
Red\\\",\\\"colorCategory\\\":\\\"palette_0\\\",\\\"field\\\":{\\\"name\\\":\\\"doc_count\\\",\\\"origin\\\":\\\"source\\\"},\\\"fieldMetaOptions\\\":{\\\"isEnabled\\\":false,\\\"sigma\\\":3},\\\"type\\\":\\\"ORDINAL\\\"},\\\"type\\\":\\\"DYNAMIC\\\"},\\\"icon\\\":{\\\"options\\\":{\\\"value\\\":\\\"marker\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"iconOrientation\\\":{\\\"options\\\":{\\\"orientation\\\":0},\\\"type\\\":\\\"STATIC\\\"},\\\"iconSize\\\":{\\\"options\\\":{\\\"field\\\":{\\\"name\\\":\\\"doc_count\\\",\\\"origin\\\":\\\"source\\\"},\\\"fieldMetaOptions\\\":{\\\"isEnabled\\\":false,\\\"sigma\\\":3},\\\"maxSize\\\":18,\\\"minSize\\\":7},\\\"type\\\":\\\"DYNAMIC\\\"},\\\"labelBorderColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"#FFFFFF\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"labelBorderSize\\\":{\\\"options\\\":{\\\"size\\\":\\\"SMALL\\\"}},\\\"labelColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"#000000\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"labelSize\\\":{\\\"options\\\":{\\\"size\\\":14},\\\"type\\\":\\\"STATIC\\\"},\\\"labelText\\\":{\\\"options\\\":{\\\"value\\\":\\\"\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"lineColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"#3d3d3d\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"lineWidth\\\":{\\\"options\\\":{\\\"size\\\":1},\\\"type\\\":\\\"STATIC\\\"},\\\"symbolizeAs\\\":{\\\"options\\\":{\\\"value\\\":\\\"circle\\\"}}},\\\"type\\\":\\\"VECTOR\\\"},\\\"type\\\":\\\"VECTOR\\\",\\\"visible\\\":true}]\",\"mapStateJSON\":\"{\\\"zoom\\\":1.78,\\\"center\\\":{\\\"lon\\\":0,\\\"lat\\\":16.40767},\\\"timeFilters\\\":{\\\"from\\\":\\\"now-15m\\\",\\\"to\\\":\\\"now\\\"},\\\"refreshConfig\\\":{\\\"isPaused\\\":true,\\\"interval\\\":0},\\\"query\\\":{\\\"query\\\":\\\"\\\",\\\"language\\\":\\\"kuery\\\"},\\\"filters\\\":[],\\\"settings\\\":{\\\"autoFitToDataBounds\\\":false,\\\"backgroundColor\\\":\\\"#ffffff\\\",\\\"disableInteractive\\\":false,\\\"disableTooltipControl\\\":false,\\\"hideToolbarOverlay\\\":false,\\\"hideLayerControl\\\":false,\\\
"hideViewControl\\\":false,\\\"initialLocation\\\":\\\"LAST_SAVED_LOCATION\\\",\\\"fixedLocation\\\":{\\\"lat\\\":0,\\\"lon\\\":0,\\\"zoom\\\":2},\\\"browserLocation\\\":{\\\"zoom\\\":2},\\\"maxZoom\\\":24,\\\"minZoom\\\":0,\\\"showScaleControl\\\":false,\\\"showSpatialFilters\\\":true,\\\"showTimesliderToggleButton\\\":true,\\\"spatialFiltersAlpa\\\":0.3,\\\"spatialFiltersFillColor\\\":\\\"#DA8B45\\\",\\\"spatialFiltersLineColor\\\":\\\"#DA8B45\\\"}}\",\"references\":[],\"title\":\"Alert - Destination Location [Logs Suricata]\",\"uiStateJSON\":\"{\\\"isLayerTOCOpen\\\":true,\\\"openTOCDetails\\\":[]}\"},\"enhancements\":{},\"hiddenLayers\":[],\"isLayerTOCOpen\":true,\"mapBuffer\":{\"maxLat\":66.51326,\"maxLon\":90,\"minLat\":-66.51326,\"minLon\":-90},\"mapCenter\":{\"lat\":16.40767,\"lon\":0,\"zoom\":1.78},\"openTOCDetails\":[]},\"gridData\":{\"h\":15,\"i\":\"df498f0d-f08c-48e0-9b9f-1e579824a327\",\"w\":25,\"x\":23,\"y\":26},\"panelIndex\":\"df498f0d-f08c-48e0-9b9f-1e579824a327\",\"type\":\"map\",\"version\":\"8.0.0\"}]", - "timeRestore": false, - "title": "[Logs Suricata] Alert Overview", - "version": 1 - }, - "coreMigrationVersion": "8.0.0", - "id": "suricata-05268ee0-86d1-11e8-b59d-21efb914e65c", - "migrationVersion": { - "dashboard": "8.0.0" - }, - "references": [ - { - "id": "suricata-494fa290-86d2-11e8-b59d-21efb914e65c", - "name": "1:panel_1", - "type": "visualization" - }, - { - "id": "suricata-16033310-86d3-11e8-b59d-21efb914e65c", - "name": "2:panel_2", - "type": "visualization" - }, - { - "id": "suricata-1c2bcec0-86d1-11e8-b59d-21efb914e65c", - "name": "3:panel_3", - "type": "search" - }, - { - "id": "suricata-2ccdc1a0-86d8-11e8-b59d-21efb914e65c", - "name": "7:panel_7", - "type": "visualization" - }, - { - "id": "suricata-c7b8b8f0-86d8-11e8-b59d-21efb914e65c", - "name": "8:panel_8", - "type": "visualization" - }, - { - "id": "suricata-908e8c90-d296-11ea-90e3-8767fe7ccf14", - "name": 
"e86b7f30-96da-4f52-9ff0-cefcaadcc914:panel_e86b7f30-96da-4f52-9ff0-cefcaadcc914", - "type": "visualization" - }, - { - "id": "logs-*", - "name": "4b26e7f7-cfe8-4d5f-8cab-4d793c93c80b:layer_1_source_index_pattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "df498f0d-f08c-48e0-9b9f-1e579824a327:layer_1_source_index_pattern", - "type": "index-pattern" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/suricata/2.4.2/kibana/dashboard/suricata-78289c40-86da-11e8-b59d-21efb914e65c.json b/packages/suricata/2.4.2/kibana/dashboard/suricata-78289c40-86da-11e8-b59d-21efb914e65c.json deleted file mode 100755 index f064b2e5c3..0000000000 --- a/packages/suricata/2.4.2/kibana/dashboard/suricata-78289c40-86da-11e8-b59d-21efb914e65c.json +++ /dev/null 
@@ -1,77 +0,0 @@ -{ - "attributes": { - "description": "Overview of the Surcata events dashboard.", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}" - }, - "optionsJSON": "{\"darkTheme\":false,\"hidePanelTitles\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":10,\"i\":\"1\",\"w\":48,\"x\":0,\"y\":4},\"panelIndex\":\"1\",\"panelRefName\":\"panel_1\",\"type\":\"visualization\",\"version\":\"7.9.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":14,\"i\":\"2\",\"w\":9,\"x\":0,\"y\":24},\"panelIndex\":\"2\",\"panelRefName\":\"panel_2\",\"type\":\"visualization\",\"version\":\"7.9.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":14,\"i\":\"3\",\"w\":11,\"x\":19,\"y\":24},\"panelIndex\":\"3\",\"panelRefName\":\"panel_3\",\"type\":\"visualization\",\"version\":\"7.9.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":10,\"i\":\"4\",\"w\":48,\"x\":0,\"y\":14},\"panelIndex\":\"4\",\"panelRefName\":\"panel_4\",\"type\":\"visualization\",\"version\":\"7.9.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":19,\"i\":\"5\",\"w\":48,\"x\":0,\"y\":38},\"panelIndex\":\"5\",\"panelRefName\":\"panel_5\",\"type\":\"search\",\"version\":\"7.9.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":14,\"i\":\"6\",\"w\":9,\"x\":30,\"y\":24},\"panelIndex\":\"6\",\"panelRefName\":\"panel_6\",\"type\":\"visualization\",\"version\":\"7.9.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":14,\"i\":\"7\",\"w\":9,\"x\":39,\"y\":24},\"panelIndex\":\"7\",\"panelRefName\":\"panel_7\",\"type\":\"visualization\",\"version\":\"7.9.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":14,\"i\":\"8\",\"w\":10,\"x\":9,\"y\":24},\"panelIndex\":
\"8\",\"panelRefName\":\"panel_8\",\"type\":\"visualization\",\"version\":\"7.9.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":16,\"i\":\"9\",\"w\":48,\"x\":0,\"y\":57},\"panelIndex\":\"9\",\"panelRefName\":\"panel_9\",\"type\":\"search\",\"version\":\"7.9.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":4,\"i\":\"78f64fb8-a6ed-4960-a73b-a8c42c40f799\",\"w\":24,\"x\":0,\"y\":0},\"panelIndex\":\"78f64fb8-a6ed-4960-a73b-a8c42c40f799\",\"panelRefName\":\"panel_78f64fb8-a6ed-4960-a73b-a8c42c40f799\",\"title\":\"\",\"type\":\"visualization\",\"version\":\"7.9.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":4,\"i\":\"63e14057-b48b-48fe-b3e2-84f7690d60e8\",\"w\":24,\"x\":24,\"y\":0},\"panelIndex\":\"63e14057-b48b-48fe-b3e2-84f7690d60e8\",\"panelRefName\":\"panel_63e14057-b48b-48fe-b3e2-84f7690d60e8\",\"type\":\"visualization\",\"version\":\"7.9.0-SNAPSHOT\"}]", - "timeRestore": false, - "title": "[Logs Suricata] Events Overview", - "version": 1 - }, - "coreMigrationVersion": "8.0.0", - "id": "suricata-78289c40-86da-11e8-b59d-21efb914e65c", - "migrationVersion": { - "dashboard": "8.0.0" - }, - "references": [ - { - "id": "suricata-c7d46c60-86da-11e8-b59d-21efb914e65c", - "name": "1:panel_1", - "type": "visualization" - }, - { - "id": "suricata-0a0aa630-86db-11e8-b59d-21efb914e65c", - "name": "2:panel_2", - "type": "visualization" - }, - { - "id": "suricata-728f64c0-86db-11e8-b59d-21efb914e65c", - "name": "3:panel_3", - "type": "visualization" - }, - { - "id": "suricata-9d5b5b50-86db-11e8-b59d-21efb914e65c", - "name": "4:panel_4", - "type": "visualization" - }, - { - "id": "suricata-13dd22f0-86cc-11e8-b59d-21efb914e65c", - "name": "5:panel_5", - "type": "search" - }, - { - "id": "suricata-5f99eb50-86dc-11e8-b59d-21efb914e65c", - "name": "6:panel_6", - "type": "visualization" - }, - { - "id": "suricata-8e7f88d0-86dc-11e8-b59d-21efb914e65c", - "name": "7:panel_7", - "type": 
"visualization" - }, - { - "id": "suricata-0a363820-86dd-11e8-b59d-21efb914e65c", - "name": "8:panel_8", - "type": "visualization" - }, - { - "id": "suricata-d57a2db0-86ca-11e8-b59d-21efb914e65c", - "name": "9:panel_9", - "type": "search" - }, - { - "id": "suricata-908e8c90-d296-11ea-90e3-8767fe7ccf14", - "name": "78f64fb8-a6ed-4960-a73b-a8c42c40f799:panel_78f64fb8-a6ed-4960-a73b-a8c42c40f799", - "type": "visualization" - }, - { - "id": "suricata-169c0600-d297-11ea-90e3-8767fe7ccf14", - "name": "63e14057-b48b-48fe-b3e2-84f7690d60e8:panel_63e14057-b48b-48fe-b3e2-84f7690d60e8", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/suricata/2.4.2/kibana/search/suricata-13dd22f0-86cc-11e8-b59d-21efb914e65c.json b/packages/suricata/2.4.2/kibana/search/suricata-13dd22f0-86cc-11e8-b59d-21efb914e65c.json deleted file mode 100755 index 3778c195e0..0000000000 --- a/packages/suricata/2.4.2/kibana/search/suricata-13dd22f0-86cc-11e8-b59d-21efb914e65c.json +++ /dev/null 
@@ -1,51 +0,0 @@ -{ - "attributes": { - "columns": [ - "host.name", - "suricata.eve.flow_id", - "network.transport", - "source.ip", - "source.port", - "destination.ip", - "destination.port", - "destination.geo.region_name", - "destination.geo.country_iso_code" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.kind\",\"negate\":false,\"params\":{\"query\":\"event\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"event.kind\":\"event\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"query\",\"negate\":false,\"type\":\"custom\",\"value\":\"{\\\"prefix\\\":{\\\"data_stream.dataset\\\":\\\"suricata.\\\"}}\"},\"query\":{\"prefix\":{\"data_stream.dataset\":\"suricata.\"}}}],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "Events [Logs Suricata]", - "version": 1 - }, - "coreMigrationVersion": "8.0.0", - "id": "suricata-13dd22f0-86cc-11e8-b59d-21efb914e65c", - "migrationVersion": { - "search": "8.0.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file 
diff --git a/packages/suricata/2.4.2/kibana/search/suricata-1c2bcec0-86d1-11e8-b59d-21efb914e65c.json b/packages/suricata/2.4.2/kibana/search/suricata-1c2bcec0-86d1-11e8-b59d-21efb914e65c.json deleted file mode 100755 index 35eb9835ff..0000000000 --- a/packages/suricata/2.4.2/kibana/search/suricata-1c2bcec0-86d1-11e8-b59d-21efb914e65c.json +++ /dev/null 
@@ -1,50 +0,0 @@ -{ - "attributes": { - "columns": [ - "host.name", - "suricata.eve.flow_id", - "source.ip", - "source.port", - "destination.ip", - "destination.port", - "source.geo.country_iso_code", - "destination.geo.country_iso_code" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.kind\",\"negate\":false,\"params\":{\"query\":\"alert\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"event.kind\":\"alert\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"query\",\"negate\":false,\"type\":\"custom\",\"value\":\"{\\\"prefix\\\":{\\\"data_stream.dataset\\\":\\\"suricata.\\\"}}\"},\"query\":{\"prefix\":{\"data_stream.dataset\":\"suricata.\"}}}],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "Alerts [Logs Suricata]", - "version": 1 - }, - "coreMigrationVersion": "8.0.0", - "id": "suricata-1c2bcec0-86d1-11e8-b59d-21efb914e65c", - "migrationVersion": { - "search": "8.0.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file 
diff --git a/packages/suricata/2.4.2/kibana/search/suricata-d57a2db0-86ca-11e8-b59d-21efb914e65c.json b/packages/suricata/2.4.2/kibana/search/suricata-d57a2db0-86ca-11e8-b59d-21efb914e65c.json deleted file mode 100755 index c418052731..0000000000 --- a/packages/suricata/2.4.2/kibana/search/suricata-d57a2db0-86ca-11e8-b59d-21efb914e65c.json +++ /dev/null 
@@ -1,49 +0,0 @@ -{ - "attributes": { - "columns": [ - "host.name", - "suricata.eve.stats.detect.alert", - "suricata.eve.stats.app_layer.flow.dns_udp", - "suricata.eve.stats.app_layer.flow.tls", - "suricata.eve.stats.app_layer.flow.http", - "suricata.eve.stats.app_layer.flow.ssh", - "suricata.eve.stats.tcp.sessions" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.kind\",\"negate\":false,\"params\":{\"query\":\"metric\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"event.kind\":\"metric\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"query\",\"negate\":false,\"type\":\"custom\",\"value\":\"{\\\"prefix\\\":{\\\"data_stream.dataset\\\":\\\"suricata.\\\"}}\"},\"query\":{\"prefix\":{\"data_stream.dataset\":\"suricata.\"}}}],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "Host Stats [Logs Suricata]", - "version": 1 - }, - "coreMigrationVersion": "8.0.0", - "id": "suricata-d57a2db0-86ca-11e8-b59d-21efb914e65c", - "migrationVersion": { - "search": "8.0.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file 
diff --git a/packages/suricata/2.4.2/kibana/visualization/suricata-0a0aa630-86db-11e8-b59d-21efb914e65c.json b/packages/suricata/2.4.2/kibana/visualization/suricata-0a0aa630-86db-11e8-b59d-21efb914e65c.json deleted file mode 100755 index 9953a8c03c..0000000000 --- a/packages/suricata/2.4.2/kibana/visualization/suricata-0a0aa630-86db-11e8-b59d-21efb914e65c.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Event Types [Logs Suricata]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"ECS Event Type\",\"field\":\"event.type\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":20},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Suricata Event Type\",\"field\":\"suricata.eve.event_type\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"labels\":{\"last_level\":true,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"bottom\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"type\":\"pie\"},\"title\":\"Event Types [Logs Suricata]\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "suricata-0a0aa630-86db-11e8-b59d-21efb914e65c", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "suricata-13dd22f0-86cc-11e8-b59d-21efb914e65c", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/suricata/2.4.2/kibana/visualization/suricata-0a363820-86dd-11e8-b59d-21efb914e65c.json b/packages/suricata/2.4.2/kibana/visualization/suricata-0a363820-86dd-11e8-b59d-21efb914e65c.json deleted file mode 100755 index baeb8fe1cf..0000000000 
--- a/packages/suricata/2.4.2/kibana/visualization/suricata-0a363820-86dd-11e8-b59d-21efb914e65c.json +++ /dev/null @@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Top Transport Protocols [Logs Suricata]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"network.transport\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"labels\":{\"last_level\":true,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"bottom\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"type\":\"pie\"},\"title\":\"Top Transport Protocols [Logs Suricata]\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "suricata-0a363820-86dd-11e8-b59d-21efb914e65c", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "suricata-13dd22f0-86cc-11e8-b59d-21efb914e65c", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/suricata/2.4.2/kibana/visualization/suricata-16033310-86d3-11e8-b59d-21efb914e65c.json b/packages/suricata/2.4.2/kibana/visualization/suricata-16033310-86d3-11e8-b59d-21efb914e65c.json deleted file mode 100755 index 3b4e53a494..0000000000 --- a/packages/suricata/2.4.2/kibana/visualization/suricata-16033310-86d3-11e8-b59d-21efb914e65c.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Top Alert Signatures [Logs Suricata]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Alert Signature\",\"field\":\"rule.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":15},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Alert Category\",\"field\":\"rule.category\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Top Alert Signatures [Logs Suricata]\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "suricata-16033310-86d3-11e8-b59d-21efb914e65c", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "suricata-1c2bcec0-86d1-11e8-b59d-21efb914e65c", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/suricata/2.4.2/kibana/visualization/suricata-169c0600-d297-11ea-90e3-8767fe7ccf14.json b/packages/suricata/2.4.2/kibana/visualization/suricata-169c0600-d297-11ea-90e3-8767fe7ccf14.json deleted file mode 100755 index 3159b130cd..0000000000 --- a/packages/suricata/2.4.2/kibana/visualization/suricata-169c0600-d297-11ea-90e3-8767fe7ccf14.json +++ /dev/null @@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Event Count [Logs Suricata]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Events\"},\"schema\":\"metric\",\"type\":\"count\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"metric\":{\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"None\",\"percentageMode\":false,\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":30,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"Event Count [Logs Suricata]\",\"type\":\"metric\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "suricata-169c0600-d297-11ea-90e3-8767fe7ccf14", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "suricata-13dd22f0-86cc-11e8-b59d-21efb914e65c", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/suricata/2.4.2/kibana/visualization/suricata-2ccdc1a0-86d8-11e8-b59d-21efb914e65c.json b/packages/suricata/2.4.2/kibana/visualization/suricata-2ccdc1a0-86d8-11e8-b59d-21efb914e65c.json deleted file mode 100755 index bfd311a949..0000000000 --- a/packages/suricata/2.4.2/kibana/visualization/suricata-2ccdc1a0-86d8-11e8-b59d-21efb914e65c.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Alerts - Top Destination Countries [Logs Suricata]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Source Country\",\"field\":\"destination.geo.country_iso_code\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":5,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Alerts - Top Destination Countries [Logs Suricata]\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "suricata-2ccdc1a0-86d8-11e8-b59d-21efb914e65c", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "suricata-1c2bcec0-86d1-11e8-b59d-21efb914e65c", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/suricata/2.4.2/kibana/visualization/suricata-494fa290-86d2-11e8-b59d-21efb914e65c.json b/packages/suricata/2.4.2/kibana/visualization/suricata-494fa290-86d2-11e8-b59d-21efb914e65c.json deleted file mode 100755 index 8c00207969..0000000000 --- a/packages/suricata/2.4.2/kibana/visualization/suricata-494fa290-86d2-11e8-b59d-21efb914e65c.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Top Alerting Hosts [Logs Suricata]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"scaleMetricValues\":false,\"timeRange\":{\"from\":\"now-6y\",\"to\":\"now\"},\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"host.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"isVislibVis\":true,\"labels\":{\"show\":false},\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"seriesParams\":[{\"circlesRadius\":1,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"mode\":\"stacked\",\"show\":\"true\",\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\
":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"Top Alerting Hosts [Logs Suricata]\",\"type\":\"histogram\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "suricata-494fa290-86d2-11e8-b59d-21efb914e65c", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "suricata-1c2bcec0-86d1-11e8-b59d-21efb914e65c", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/suricata/2.4.2/kibana/visualization/suricata-5f99eb50-86dc-11e8-b59d-21efb914e65c.json b/packages/suricata/2.4.2/kibana/visualization/suricata-5f99eb50-86dc-11e8-b59d-21efb914e65c.json deleted file mode 100755 index 0c80bcb277..0000000000 --- a/packages/suricata/2.4.2/kibana/visualization/suricata-5f99eb50-86dc-11e8-b59d-21efb914e65c.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Top Connection Source Countries [Logs Suricata]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Top Connection Source Countries\",\"field\":\"source.geo.country_iso_code\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"maxFontSize\":72,\"minFontSize\":18,\"orientation\":\"single\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"linear\",\"showLabel\":false},\"title\":\"Top Connection Source Countries [Logs Suricata]\",\"type\":\"tagcloud\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "suricata-5f99eb50-86dc-11e8-b59d-21efb914e65c", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "suricata-13dd22f0-86cc-11e8-b59d-21efb914e65c", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/suricata/2.4.2/kibana/visualization/suricata-728f64c0-86db-11e8-b59d-21efb914e65c.json b/packages/suricata/2.4.2/kibana/visualization/suricata-728f64c0-86db-11e8-b59d-21efb914e65c.json deleted file mode 100755 index a1886532d1..0000000000 --- a/packages/suricata/2.4.2/kibana/visualization/suricata-728f64c0-86db-11e8-b59d-21efb914e65c.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Top Network Protocols [Logs Suricata]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"network.protocol\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"labels\":{\"last_level\":true,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"bottom\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"type\":\"pie\"},\"title\":\"Top Network Protocols [Logs Suricata]\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "suricata-728f64c0-86db-11e8-b59d-21efb914e65c", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "suricata-13dd22f0-86cc-11e8-b59d-21efb914e65c", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/suricata/2.4.2/kibana/visualization/suricata-8e7f88d0-86dc-11e8-b59d-21efb914e65c.json b/packages/suricata/2.4.2/kibana/visualization/suricata-8e7f88d0-86dc-11e8-b59d-21efb914e65c.json deleted file mode 100755 index c6d32256da..0000000000 --- a/packages/suricata/2.4.2/kibana/visualization/suricata-8e7f88d0-86dc-11e8-b59d-21efb914e65c.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Top Connection Destination Countries [Logs Suricata]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Top Connection Destination Countries\",\"field\":\"destination.geo.country_iso_code\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"maxFontSize\":72,\"minFontSize\":18,\"orientation\":\"single\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"linear\",\"showLabel\":false},\"title\":\"Top Connection Destination Countries [Logs Suricata]\",\"type\":\"tagcloud\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "suricata-8e7f88d0-86dc-11e8-b59d-21efb914e65c", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "suricata-13dd22f0-86cc-11e8-b59d-21efb914e65c", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/suricata/2.4.2/kibana/visualization/suricata-908e8c90-d296-11ea-90e3-8767fe7ccf14.json b/packages/suricata/2.4.2/kibana/visualization/suricata-908e8c90-d296-11ea-90e3-8767fe7ccf14.json deleted file mode 100755 index 298ee379ac..0000000000 --- a/packages/suricata/2.4.2/kibana/visualization/suricata-908e8c90-d296-11ea-90e3-8767fe7ccf14.json +++ /dev/null 
@@ -1,19 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Navigation [Logs Suricata]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"fontSize\":18,\"markdown\":\"![Hello World](data:image/png;base64,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) [Events](/app/dashboards#/view/suricata-78289c40-86da-11e8-b59d-21efb914e65c) | [Alerts](/app/dashboards#/view/suricata-05268ee0-86d1-11e8-b59d-21efb914e65c)\",\"openLinksInNewTab\":false},\"title\":\"Navigation [Logs Suricata]\",\"type\":\"markdown\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "suricata-908e8c90-d296-11ea-90e3-8767fe7ccf14", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/suricata/2.4.2/kibana/visualization/suricata-9d5b5b50-86db-11e8-b59d-21efb914e65c.json b/packages/suricata/2.4.2/kibana/visualization/suricata-9d5b5b50-86db-11e8-b59d-21efb914e65c.json deleted file mode 100755 index 42cfa1a720..0000000000 --- a/packages/suricata/2.4.2/kibana/visualization/suricata-9d5b5b50-86db-11e8-b59d-21efb914e65c.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Top Hosts Generating Events [Logs Suricata]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"scaleMetricValues\":false,\"timeRange\":{\"from\":\"now-6y\",\"to\":\"now\"},\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"host.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"isVislibVis\":true,\"labels\":{\"show\":false},\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"seriesParams\":[{\"circlesRadius\":1,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"mode\":\"stacked\",\"show\":\"true\",\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":
0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"Top Hosts Generating Events [Logs Suricata]\",\"type\":\"histogram\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "suricata-9d5b5b50-86db-11e8-b59d-21efb914e65c", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "suricata-13dd22f0-86cc-11e8-b59d-21efb914e65c", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/suricata/2.4.2/kibana/visualization/suricata-c7b8b8f0-86d8-11e8-b59d-21efb914e65c.json b/packages/suricata/2.4.2/kibana/visualization/suricata-c7b8b8f0-86d8-11e8-b59d-21efb914e65c.json deleted file mode 100755 index 3fb650fde2..0000000000 --- a/packages/suricata/2.4.2/kibana/visualization/suricata-c7b8b8f0-86d8-11e8-b59d-21efb914e65c.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Alerts - Top Source Countries [Logs Suricata]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Source Country\",\"field\":\"source.geo.country_iso_code\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":5,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Alerts - Top Source Countries [Logs Suricata]\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "suricata-c7b8b8f0-86d8-11e8-b59d-21efb914e65c", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "suricata-1c2bcec0-86d1-11e8-b59d-21efb914e65c", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/suricata/2.4.2/kibana/visualization/suricata-c7d46c60-86da-11e8-b59d-21efb914e65c.json b/packages/suricata/2.4.2/kibana/visualization/suricata-c7d46c60-86da-11e8-b59d-21efb914e65c.json deleted file mode 100755 index 9ca0a3617c..0000000000 --- a/packages/suricata/2.4.2/kibana/visualization/suricata-c7d46c60-86da-11e8-b59d-21efb914e65c.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Activity Types over Time [Logs Suricata]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"scaleMetricValues\":false,\"timeRange\":{\"from\":\"now-6y\",\"to\":\"now\"},\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"suricata.eve.event_type\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":20},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"isVislibVis\":true,\"labels\":{\"show\":false},\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"seriesParams\":[{\"circlesRadius\":1,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"mode\":\"stacked\",\"show\":\"true\",\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,
\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"Activity Types over Time [Logs Suricata]\",\"type\":\"histogram\"}"
- },
- "coreMigrationVersion": "8.0.0",
- "id": "suricata-c7d46c60-86da-11e8-b59d-21efb914e65c",
- "migrationVersion": {
- "visualization": "8.0.0"
- },
- "references": [
- {
- "id": "suricata-13dd22f0-86cc-11e8-b59d-21efb914e65c",
- "name": "search_0",
- "type": "search"
- }
- ],
- "type": "visualization"
-}
\ No newline at end of file
diff --git a/packages/suricata/2.4.2/manifest.yml b/packages/suricata/2.4.2/manifest.yml
deleted file mode 100755
index cb8c329d81..0000000000
--- a/packages/suricata/2.4.2/manifest.yml
+++ /dev/null
@@ -1,35 +0,0 @@
-name: suricata
-title: Suricata
-version: 2.4.2
-release: ga
-description: Collect logs from Suricata with Elastic Agent.
-type: integration
-icons:
- - src: /img/suricata.svg
- title: suricata
- size: 309x309
- type: image/svg+xml
-format_version: 1.0.0
-license: basic
-categories: [network, security]
-conditions:
- kibana.version: ^8.0.0
-screenshots:
- - src: /img/filebeat-suricata-events.png
- title: filebeat suricata events
- size: 1577x2646
- type: image/png
- - src: /img/filebeat-suricata-alerts.png
- title: filebeat suricata alerts
- size: 1577x1750
- type: image/png
-policy_templates:
- - name: suricata
- title: Suricata logs
- description: Collect logs from Suricata instances
- inputs:
- - type: logfile
- title: "Collect Suricata eve logs (input: logfile)"
- description: "Collecting eve logs from Suricata instances (input: logfile)"
-owner:
- github: elastic/security-external-integrations
diff --git a/packages/symantec_endpoint/2.0.1/LICENSE.txt b/packages/symantec_endpoint/2.0.1/LICENSE.txt
deleted file mode 100755
index 809108b857..0000000000
--- a/packages/symantec_endpoint/2.0.1/LICENSE.txt
+++ /dev/null
@@ -1,93 +0,0 @@ -Elastic License 2.0 - -URL: https://www.elastic.co/licensing/elastic-license - -## Acceptance - -By using the software, you agree to all of the terms and conditions below. - -## Copyright License - -The licensor grants you a non-exclusive, royalty-free, worldwide, -non-sublicensable, non-transferable license to use, copy, distribute, make -available, and prepare derivative works of the software, in each case subject to -the limitations and conditions below. - -## Limitations - -You may not provide the software to third parties as a hosted or managed -service, where the service provides users with access to any substantial set of -the features or functionality of the software. - -You may not move, change, disable, or circumvent the license key functionality -in the software, and you may not remove or obscure any functionality in the -software that is protected by the license key. - -You may not alter, remove, or obscure any licensing, copyright, or other notices -of the licensor in the software. Any use of the licensor’s trademarks is subject -to applicable law. - -## Patents - -The licensor grants you a license, under any patent claims the licensor can -license, or becomes able to license, to make, have made, use, sell, offer for -sale, import and have imported the software, in each case subject to the -limitations and conditions in this license. This license does not cover any -patent claims that you cause to be infringed by modifications or additions to -the software. If you or your company make any written claim that the software -infringes or contributes to infringement of any patent, your patent license for -the software granted under these terms ends immediately. If your company makes -such a claim, your patent license ends immediately for work on behalf of your -company. - -## Notices - -You must ensure that anyone who gets a copy of any part of the software from you -also gets a copy of these terms. 
- -If you modify the software, you must include in any modified copies of the -software prominent notices stating that you have modified the software. - -## No Other Rights - -These terms do not imply any licenses other than those expressly granted in -these terms. - -## Termination - -If you use the software in violation of these terms, such use is not licensed, -and your licenses will automatically terminate. If the licensor provides you -with a notice of your violation, and you cease all violation of this license no -later than 30 days after you receive that notice, your licenses will be -reinstated retroactively. However, if you violate these terms after such -reinstatement, any additional violation of these terms will cause your licenses -to terminate automatically and permanently. - -## No Liability - -*As far as the law allows, the software comes as is, without any warranty or -condition, and the licensor will not be liable to you for any damages arising -out of these terms or the use or nature of the software, under any kind of -legal claim.* - -## Definitions - -The **licensor** is the entity offering these terms, and the **software** is the -software the licensor makes available under these terms, including any portion -of it. - -**you** refers to the individual or entity agreeing to these terms. - -**your company** is any legal entity, sole proprietorship, or other kind of -organization that you work for, plus all organizations that have control over, -are under the control of, or are under common control with that -organization. **control** means ownership of substantially all the assets of an -entity, or the power to direct its management and policies by vote, contract, or -otherwise. Control can be direct or indirect. - -**your licenses** are all the licenses granted to you for the software under -these terms. - -**use** means anything you do with the software requiring one of your licenses. 
-
-**trademark** means trademarks, service marks, and similar rights.
diff --git a/packages/symantec_endpoint/2.0.1/changelog.yml b/packages/symantec_endpoint/2.0.1/changelog.yml
deleted file mode 100755
index f71a12ab6e..0000000000
--- a/packages/symantec_endpoint/2.0.1/changelog.yml
+++ /dev/null
@@ -1,51 +0,0 @@
-# newer versions go on top
-- version: "2.0.1"
- changes:
- - description: Remove duplicate field.
- type: bugfix
- link: https://github.com/elastic/integrations/issues/4327
-- version: "2.0.0"
- changes:
- - description: Make GA
- type: enhancement
- link: https://github.com/elastic/integrations/pull/3859
-- version: "1.2.0"
- changes:
- - description: Update package to ECS 8.4.0
- type: enhancement
- link: https://github.com/elastic/integrations/pull/3870
-- version: "1.1.0"
- changes:
- - description: Update package to ECS 8.3.0.
- type: enhancement
- link: https://github.com/elastic/integrations/pull/3353
-- version: "1.0.1"
- changes:
- - description: Readme - added link to Vendor documentation and improved the wording
- type: enhancement
- link: https://github.com/elastic/integrations/pull/3162
-- version: "1.0.0"
- changes:
- - description: Make GA
- type: enhancement
- link: https://github.com/elastic/integrations/pull/3428
-- version: "0.0.4"
- changes:
- - description: Make field values conform to ECS
- type: bugfix
- link: https://github.com/elastic/integrations/pull/3330
-- version: "0.0.3"
- changes:
- - description: Make field values conform to ECS
- type: bugfix
- link: https://github.com/elastic/integrations/pull/3244
-- version: "0.0.2"
- changes:
- - description: Add documentation for multi-fields
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2916
-- version: "0.0.1"
- changes:
- - description: Initial Release
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2187
diff --git a/packages/symantec_endpoint/2.0.1/data_stream/log/agent/stream/logfile.yml.hbs b/packages/symantec_endpoint/2.0.1/data_stream/log/agent/stream/logfile.yml.hbs
deleted file mode 100755
index f1500f2dbf..0000000000
--- a/packages/symantec_endpoint/2.0.1/data_stream/log/agent/stream/logfile.yml.hbs
+++ /dev/null
@@ -1,28 +0,0 @@
-paths:
-{{#each paths as |path i|}}
- - {{path}}
-{{/each}}
-exclude_files: [".gz$"]
-
-tags:
-{{#if preserve_original_event}}
- - preserve_original_event
-{{/if}}
-{{#each tags as |tag i|}}
- - {{tag}}
-{{/each}}
-
-{{#contains "forwarded" tags}}
-publisher_pipeline.disable_host: true
-{{/contains}}
-
-fields_under_root: true
-fields:
- _conf:
- tz_offset: '{{tz_offset}}'
- remove_mapped_fields: {{remove_mapped_fields}}
-
-{{#if processors}}
-processors:
-{{processors}}
-{{/if}}
\ No newline at end of file
diff --git a/packages/symantec_endpoint/2.0.1/data_stream/log/agent/stream/tcp.yml.hbs b/packages/symantec_endpoint/2.0.1/data_stream/log/agent/stream/tcp.yml.hbs
deleted file mode 100755
index 9ef03795f9..0000000000
--- a/packages/symantec_endpoint/2.0.1/data_stream/log/agent/stream/tcp.yml.hbs
+++ /dev/null
@@ -1,25 +0,0 @@
-host: "{{listen_address}}:{{listen_port}}"
-max_message_size: 1 MiB
-
-tags:
-{{#if preserve_original_event}}
- - preserve_original_event
-{{/if}}
-{{#each tags as |tag i|}}
- - {{tag}}
-{{/each}}
-
-{{#contains "forwarded" tags}}
-publisher_pipeline.disable_host: true
-{{/contains}}
-
-fields_under_root: true
-fields:
- _conf:
- tz_offset: '{{tz_offset}}'
- remove_mapped_fields: {{remove_mapped_fields}}
-
-{{#if processors}}
-processors:
-{{processors}}
-{{/if}}
\ No newline at end of file
diff --git a/packages/symantec_endpoint/2.0.1/data_stream/log/agent/stream/udp.yml.hbs b/packages/symantec_endpoint/2.0.1/data_stream/log/agent/stream/udp.yml.hbs
deleted file mode 100755
index 9ef03795f9..0000000000
--- a/packages/symantec_endpoint/2.0.1/data_stream/log/agent/stream/udp.yml.hbs
+++ /dev/null
@@ -1,25 +0,0 @@
-host: "{{listen_address}}:{{listen_port}}"
-max_message_size: 1 MiB
-
-tags:
-{{#if preserve_original_event}}
- - preserve_original_event
-{{/if}}
-{{#each tags as |tag i|}}
- - {{tag}}
-{{/each}}
-
-{{#contains "forwarded" tags}}
-publisher_pipeline.disable_host: true
-{{/contains}}
-
-fields_under_root: true
-fields:
- _conf:
- tz_offset: '{{tz_offset}}'
- remove_mapped_fields: {{remove_mapped_fields}}
-
-{{#if processors}}
-processors:
-{{processors}}
-{{/if}}
\ No newline at end of file
diff --git a/packages/symantec_endpoint/2.0.1/data_stream/log/elasticsearch/ingest_pipeline/default.yml b/packages/symantec_endpoint/2.0.1/data_stream/log/elasticsearch/ingest_pipeline/default.yml
deleted file mode 100755
index fcd7dbc4d3..0000000000
--- a/packages/symantec_endpoint/2.0.1/data_stream/log/elasticsearch/ingest_pipeline/default.yml
+++ /dev/null
@@ -1,1109 +0,0 @@ ---- -description: Pipeline for parsing Symantec Endpoint logs -processors: -- set: - field: event.original - copy_from: message - # Never override event.original (for the reindexing use case). - override: false - -- set: - field: ecs.version - value: '8.4.0' - -- grok: - description: Parse syslog header. - if: ctx.event.original.startsWith('<') - field: event.original - patterns: - - '^<%{NONNEGINT:log.syslog.priority:long}>(?:%{SYSLOGTIMESTAMP:timestamp}|%{TIMESTAMP_ISO8601:timestamp})(?: %{SYSLOGFACILITY})?(?: %{SYSLOGHOST:log.syslog.hostname})?(?: %{SYSLOGPROG}:)? %{GREEDYDATA:message}' - - '^%{SYSLOG5424LINE}' - pattern_definitions: - SYSLOGPROG: '%{PROG:log.syslog.process.name}(?:\[%{POSINT:log.syslog.process.pid:long}\])?' - SYSLOG5424PRI: '<%{NONNEGINT:log.syslog.priority:long}>' - SYSLOG5424BASE: '%{SYSLOG5424PRI}%{NONNEGINT:log.syslog.version:long} +(?:-|%{TIMESTAMP_ISO8601:timestamp}) +(?:-|%{IPORHOST:log.syslog.hostname}) +(?:-|%{SYSLOG5424PRINTASCII:log.syslog.process.name}) +(?:-|%{POSINT:log.syslog.process.pid:long}) +(?:-|%{SYSLOG5424PRINTASCII:log.syslog.message_id}) +(?:-|%{SYSLOG5424SD:log.syslog.structured_data})?' - SYSLOG5424LINE: '%{SYSLOG5424BASE} +%{GREEDYDATA:message}' -- grok: - description: Parse date/severity from log file dump format. 
- if: ctx.event.original.startsWith('20') || ctx.event.original.startsWith('19') - field: event.original - patterns: - - '^%{TIMESTAMP_ISO8601:timestamp},%{LOG_SEVERITY:log.level},%{GREEDYDATA:message}' - pattern_definitions: - LOG_SEVERITY: '(?:%{LOGLEVEL}|[Cc]ritical|CRITICAL|[Mm]ajor|MAJOR|[Mm]inor|MINOR|[Ii]nfo|INFO|[Ww]arning|WARNING|[Ee]rror|ERROR|[Ff]atal|FATAL)' - ignore_failure: true -- date: - if: ctx?.timestamp != null - field: timestamp - target_field: "@timestamp" - formats: - - "MMM dd HH:mm:ss" - - "MMM d HH:mm:ss" - - "MMM d HH:mm:ss" - - ISO8601 - - "YYYY-dd-MM HH:mm:ss" - timezone: '{{{_conf.tz_offset}}}' -- remove: - ignore_missing: true - field: timestamp - -### -# Processing steps: -# 1. Parse the CSV into an array of column values. -# 2. Parse labels from each column if the value takes the form of 'Label Name: Some Value' or 'Label Name:'. -# 3. Fingerprint the message based by joining the labels separated by '|'. Use 'NONE' for columns without an embedded label. -# 4. Set 'event.provider' based on the message fingerprint. The different log types are listed in https://knowledge.broadcom.com/external/article?legacyId=tech171741#Administrative. -# 5. Handle columns without an embedded label. Based on the fingerprint, map unlabeled columns to a key. 
-### - -- csv: - field: message - empty_value: "" - target_fields: - - '_csv_array.00' - - '_csv_array.01' - - '_csv_array.02' - - '_csv_array.03' - - '_csv_array.04' - - '_csv_array.05' - - '_csv_array.06' - - '_csv_array.07' - - '_csv_array.08' - - '_csv_array.09' - - '_csv_array.10' - - '_csv_array.11' - - '_csv_array.12' - - '_csv_array.13' - - '_csv_array.14' - - '_csv_array.15' - - '_csv_array.16' - - '_csv_array.17' - - '_csv_array.18' - - '_csv_array.19' - - '_csv_array.20' - - '_csv_array.21' - - '_csv_array.22' - - '_csv_array.23' - - '_csv_array.24' - - '_csv_array.25' - - '_csv_array.26' - - '_csv_array.27' - - '_csv_array.28' - - '_csv_array.29' - - '_csv_array.30' - - '_csv_array.31' - - '_csv_array.32' - - '_csv_array.33' - - '_csv_array.34' - - '_csv_array.35' - - '_csv_array.36' - - '_csv_array.37' - - '_csv_array.38' - - '_csv_array.39' - - '_csv_array.40' - - '_csv_array.41' - - '_csv_array.42' - - '_csv_array.43' - - '_csv_array.44' - - '_csv_array.45' - - '_csv_array.46' - - '_csv_array.47' - - '_csv_array.48' - - '_csv_array.49' - - '_csv_array.50' - -- script: - description: Create array from CSV values. - tag: csv-map-to-array - lang: painless - source: | - def columnArray = []; - def sortedMap = new TreeMap(); - sortedMap.putAll(ctx._csv_array); - sortedMap.forEach((key, value) -> { - def v = value; - if (v.startsWith("'") && v.endsWith("'")) - { - v = v.substring(1, v.length() - 1); - } - columnArray.add(v); - }); - ctx['_csv_array'] = columnArray; - -- script: - description: Split colon separated key/values. 
- tag: split-colon-separated-key-value - lang: painless - source: | - def aliases = Collections.unmodifiableMap([ - 'computer': 'computer_name', - 'domain': 'domain_name', - 'end_time': 'end', - 'local': 'local_host_ip', - 'local_host': 'local_host_ip', - 'server_name': 'server', - 'user': 'user_name' - ]); - - def keyPattern = /^([a-zA-Z][a-zA-Z0-9 \(\)-]{0,28}):(?:\s(.+)|\s)?/; - def keyValue = [:]; - def fingerprint = []; - ctx._csv_array.forEach(v -> { - def m = keyPattern.matcher(v); - def key = 'NONE'; - if (m.matches()) { - key = m.group(1).toLowerCase().replace(' ', '_'); - key = /[\(\)]+/.matcher(key).replaceAll(''); - - def tmp = aliases[key]; - if (tmp != null) { - key = tmp; - } - - - def value = m.group(2); - if (value != null && !value.trim().isEmpty()) { - keyValue[key] = value.trim(); - } - } - - fingerprint.add(key); - return true; - }); - if (!keyValue.isEmpty()) { - ctx['_csv_map'] = keyValue; - } - ctx['_fingerprint'] = String.join("|", fingerprint); - -- remove: - field: message - ignore_missing: true - -### -# Note to maintainers: -# The fingerprints below can be generated by adding 'debug' to the tags field. -# This causes a new _fingerprint field to be added to the event. -### -- script: - description: Assign keys to unlabeled columns based on fingerprints. 
- lang: painless - params: - providers: - # https://knowledge.broadcom.com/external/article?legacyId=TECH171741#Agent_Behavior - - name: 'Agent Behavior Log' - fingerprint: NONE|NONE|NONE|NONE|NONE|begin|end|rule|NONE|NONE|NONE|NONE|NONE|user_name|domain_name|action_type|file_size_bytes|device_id - event_category: [intrusion_detection, process] - columns: - - index: 1 - name: local_host_ip - - index: 2 - name: action - - index: 3 - name: event_description - - index: 4 - name: api_name - - index: 8 - name: caller_process_id - - index: 9 - name: caller_process_name - - index: 10 - name: caller_return_address - - index: 11 - name: caller_return_module_name - - index: 12 - name: parameters # name of the module, process, registry location or file - # https://knowledge.broadcom.com/external/article?legacyId=TECH171741#Agent_Security - - name: 'Agent Security Log' - fingerprint: - - NONE|event_description|local_host_ip|local_host_mac|remote_host_name|remote_host_ip|remote_host_mac|NONE|NONE|intrusion_id|begin|end|occurrences|application|location|user_name|domain_name|local_port|remote_port|cids_signature_id|cids_signature_string|cids_signature_subid|intrusion_url|intrusion_payload_url|sha-256|md-5 - - NONE|event_description|local_host_ip|local_host_mac|remote_host_name|remote_host_ip|remote_host_mac|NONE|NONE|NONE|begin|end|occurrences|application|location|user_name|domain_name|local_port|remote_port|cids_signature_id|cids_signature_string|cids_signature_subid|intrusion_url|intrusion_payload_url|sha-256|md-5 - event_category: [intrusion_detection, network, process] - event_type: [connection] - columns: - - index: 7 - name: traffic_direction - - index: 8 - name: network_protocol - # https://knowledge.broadcom.com/external/article?legacyId=TECH171741#Agent_Traffic - - name: 'Agent Traffic Log' - fingerprint: 
NONE|local_host_ip|local_port|local_host_mac|remote_host_ip|remote_host_name|remote_port|remote_host_mac|NONE|NONE|begin|end|occurrences|application|rule|location|user_name|domain_name|action|sha-256|md-5 - event_category: [intrusion_detection, network, process] - event_type: [connection] - columns: - - index: 9 - name: traffic_direction - - index: 8 - name: network_protocol - # https://knowledge.broadcom.com/external/article?legacyId=TECH171741#Agent_Activity - - name: 'Agent Activity Log' - fingerprint: site|server|domain_name|NONE|NONE|NONE|NONE - columns: - - index: 3 - name: event_description - - index: 4 - name: local_host_name - - index: 5 - name: user_name - - index: 6 - name: domain_name - # https://knowledge.broadcom.com/external/article?legacyId=TECH171741#Agent_Packet - - name: 'Agent Packet Log' - fingerprint: - - NONE|local_host_ip|local_port|remote_host_ip|remote_host_name|remote_port|NONE|application|action - event_category: [intrusion_detection, network, process] - event_type: [connection] - columns: - - index: 6 - name: traffic_direction - # https://knowledge.broadcom.com/external/article?legacyId=TECH171741#Agent_System - - name: 'Agent System Log' - fingerprint: - - NONE|category|NONE|NONE|event_time - columns: - - index: 2 - name: event_source - - index: 3 - name: event_description - # https://knowledge.broadcom.com/external/article?legacyId=TECH171741#Administrative - - name: 'Administrative Log' - fingerprint: site|server|domain_name|admin|NONE - columns: - - index: 4 - name: event_description - # https://knowledge.broadcom.com/external/article?legacyId=TECH171741#System - - name: 'System Log' - fingerprint: site|server|NONE - columns: - - index: 2 - name: event_description - # https://knowledge.broadcom.com/external/article?legacyId=TECH171741#Agent_Proactive_Detection - - name: 'Agent Proactive Detection Log' - fingerprint: 
NONE|computer_name|detection_type|first_seen|application_name|application_type|application_version|hash_type|application_hash|company_name|file_size_bytes|sensitivity|detection_score|coh_engine_version|NONE|permitted_application_reason|disposition|download_site|web_domain|downloaded_by|prevalence|confidence|url_tracking_status|risk_level|detection_source|source|risk_name|occurrences|NONE|NONE|actual_action|requested_action|secondary_action|event_time|inserted|end|domain_name|group|server|user_name|source_computer|source_ip - columns: - - index: 0 - name: event_description - - index: 16 - name: submission_recommended - - index: 28 - name: file_path - - index: 29 - name: description - - name: 'Agent Proactive Detection Log' - fingerprint: NONE|computer_name|ip_address|detection_type|first_seen|application_name|application_type|application_version|hash_type|application_hash|company_name|file_size_bytes|sensitivity|detection_score|coh_engine_version|NONE|permitted_application_reason|disposition|download_site|web_domain|downloaded_by|prevalence|confidence|url_tracking_status|risk_level|risk_type|source|risk_name|occurrences|NONE|NONE|actual_action|requested_action|secondary_action|event_time|inserted|end|domain_name|group|server|user_name|source_computer|source_ip|intensive_protection_level|certificate_issuer|certificate_signer|certificate_thumbprint|signing_timestamp|certificate_serial_number - columns: - - index: 0 - name: event_description - - index: 17 - name: submission_recommended - - index: 29 - name: file_path - - index: 30 - name: description - # https://knowledge.broadcom.com/external/article?legacyId=TECH171741#Policy - - name: 'Policy Log' - fingerprint: site|server|domain_name|admin|event_description|NONE - columns: - - index: 5 - name: policy_name - # https://knowledge.broadcom.com/external/article?legacyId=TECH171741#Agent_Scan - - name: 'Agent Scan Log' - fingerprint: 
scan_id|begin|end|NONE|duration_seconds|user1|user2|NONE|scan_complete|command|threats|infected|total_files|omitted|computer_name|ip_address|domain_name|group|server - columns: - - index: 3 - name: action - - index: 7 - name: event_description - # https://knowledge.broadcom.com/external/article?legacyId=tech171741#Agent_Risk - - name: 'Agent Risk Log' - fingerprint: NONE|ip_address|computer_name|source|risk_name|occurrences|NONE|NONE|actual_action|requested_action|secondary_action|event_time|inserted|end|last_update_time|domain_name|group|server|user_name|source_computer|source_ip|disposition|download_site|web_domain|downloaded_by|prevalence|confidence|url_tracking_status|first_seen|sensitivity|permitted_application_reason|application_hash|hash_type|company_name|application_name|application_version|application_type|file_size_bytes|category_set|category_type|location|intensive_protection_level|certificate_issuer|certificate_signer|certificate_thumbprint|signing_timestamp|certificate_serial_number - columns: - - index: 0 - name: event_description - - index: 6 - name: file_path - source: | - // Assume first column is always the host.hostname. 
- def hostname = ctx._csv_array.get(0); - if (/[\.a-zA-Z0-9_-]+/.matcher(hostname).matches()) { - if (ctx?.host == null) { - ctx['host'] = [:]; - } - ctx['host']['hostname'] = hostname; - } - - def provider = null; - for (def p: params.providers) { - if (p.fingerprint == ctx._fingerprint || (p.fingerprint instanceof Collection && p.fingerprint.contains(ctx._fingerprint))) { - provider = p; - break; - } - } - if (provider == null) { return; } - - ctx['event']['provider'] = provider.name; - if (provider?.event_category != null) { - ctx['event']['category'] = new ArrayList(provider.event_category); - } - if (provider?.event_type!= null) { - ctx['event']['type'] = new ArrayList(provider.event_type); - } - for (def c : provider.columns) { - def v = ctx._csv_array.get(c.index).trim(); - if (!v.isEmpty()) { - ctx._csv_map[c.name] = v; - } - } - - -- rename: - field: _csv_map - target_field: symantec_endpoint.log - ignore_missing: true - -### -# BEGIN handling of Symantec Endpoint fields. -### - -# Action -- lowercase: - field: symantec_endpoint.log.action - ignore_missing: true -- set: - field: event.action - copy_from: symantec_endpoint.log.action - ignore_failure: true - -# Actual Action -- set: - if: ctx?.event?.action == null - field: event.action - copy_from: symantec_endpoint.log.actual_action - ignore_failure: true - -# Admin -- set: - field: user.name - copy_from: symantec_endpoint.log.admin - ignore_failure: true - -# Application -- set: - if: ctx?.process?.executable == null - field: process.executable - copy_from: symantec_endpoint.log.application - ignore_failure: true - -# Application Name -- set: - field: file.pe.product - copy_from: symantec_endpoint.log.application_name - ignore_failure: true - -# Application Version -- set: - field: file.pe.file_version - copy_from: symantec_endpoint.log.application_version - ignore_failure: true - -# Begin -- date: - field: symantec_endpoint.log.begin - target_field: event.start - ignore_failure: true - formats: - - 
yyyy-MM-dd HH:mm:ss - -# Caller MD-5 -- dissect: - tag: caller-md5 - field: symantec_endpoint.log.event_description - pattern: '%{} Caller MD5=%{process.hash.md5}' - ignore_failure: true - -# Caller Process ID -- convert: - field: symantec_endpoint.log.caller_process_id - target_field: process.pid - type: long - ignore_missing: true - on_failure: - - remove: - field: symantec_endpoint.log.caller_process_id - -# Caller Process Name -- set: - if: ctx?.process?.executable == null - field: process.executable - copy_from: symantec_endpoint.log.caller_process_name - ignore_failure: true - -# Certificate Issuer -- append: - if: ctx?.symantec_endpoint?.log?.certificate_issuer != null - field: file.x509.issuer.common_name - value: '{{{symantec_endpoint.log.certificate_issuer}}}' - -# Certificate Serial Number -- set: - field: file.x509.serial_number - copy_from: symantec_endpoint.log.certificate_serial_number - ignore_failure: true - - # Certificate Signer -- append: - if: ctx?.symantec_endpoint?.log?.certificate_signer != null - field: file.x509.issuer.common_name - value: '{{{symantec_endpoint.log.certificate_signer}}}' - -# Certificate Thumbprint (hex encoded sha1 hashes are 40 characters) -- lowercase: - if: ctx?.symantec_endpoint?.log?.certificate_thumbprint != null && ctx.symantec_endpoint.log.certificate_thumbprint.length() == 40 - field: symantec_endpoint.log.certificate_thumbprint - target_field: file.hash.sha1 - -# Company Name -- set: - field: file.pe.company - copy_from: symantec_endpoint.log.company_name - ignore_failure: true - -# Company Name -- set: - field: host.hostname - copy_from: symantec_endpoint.log.computer_name - override: false - ignore_failure: true - -# Domain Name -- set: - if: ctx?.user?.domain == null - field: user.domain - copy_from: symantec_endpoint.log.domain_name - ignore_failure: true - -# Downloaded by -- set: - if: ctx?.process?.executable == null - field: process.executable - copy_from: symantec_endpoint.log.downloaded_by - 
ignore_failure: true - -# Download site -- uri_parts: - field: symantec_endpoint.log.download_site - ignore_failure: true - -# Duration (seconds) -- convert: - field: symantec_endpoint.log.duration_seconds - target_field: event.duration - type: long - ignore_missing: true - ignore_failure: true -- script: - description: Convert event.duration from seconds to nanoseconds. - if: ctx?.event?.duration != null - lang: painless - source: - ctx.event['duration'] = ctx.event.duration * 1e9; - -# End -- date: - field: symantec_endpoint.log.end - target_field: event.end - ignore_failure: true - formats: - - yyyy-MM-dd HH:mm:ss - -# Event Description -- set: - field: message - copy_from: symantec_endpoint.log.event_description - ignore_failure: true - -# Event Time -- date: - if: ctx?.symantec_endpoint?.log?.event_time != null - field: symantec_endpoint.log.event_time - target_field: symantec_endpoint.log.event_time - ignore_failure: true - formats: - - yyyy-MM-dd HH:mm:ss - on_failure: - - remove: - field: symantec_endpoint.log.event_time -- set: - if: ctx?.symantec_endpoint?.log?.event_time != null - field: '@timestamp' - copy_from: symantec_endpoint.log.event_time - -# File Path -- set: - field: file.path - copy_from: symantec_endpoint.log.file_path - ignore_failure: true - -# File Size (bytes) -- convert: - field: symantec_endpoint.log.file_size_bytes - target_field: file.size - type: long - ignore_missing: true - ignore_failure: true - -# Infected -- convert: - field: symantec_endpoint.log.infected - type: long - ignore_missing: true - on_failure: - - remove: - field: symantec_endpoint.log.infected - -# Inserted -- date: - if: ctx?.symantec_endpoint?.log?.inserted != null - field: symantec_endpoint.log.inserted - target_field: symantec_endpoint.log.inserted - ignore_failure: true - formats: - - yyyy-MM-dd HH:mm:ss - on_failure: - - remove: - field: symantec_endpoint.log.inserted - -# Intrusion ID -- set: - field: rule.id - copy_from: symantec_endpoint.log.intrusion_id - 
ignore_failure: true - -# Intrusion Payload URL - -# Intrusion URL -- set: - field: url.original - copy_from: symantec_endpoint.log.intrusion_url - ignore_failure: true - -# IP Address -- append: - if: ctx?.symantec_endpoint.log?.ip_address != null - field: host.ip - value: '{{{symantec_endpoint.log.ip_address}}}' - allow_duplicates: false - -# Last Update Time (listed as always being in GMT) -- date: - if: ctx?.symantec_endpoint?.log?.last_update_time != null - field: symantec_endpoint.log.last_update_time - target_field: symantec_endpoint.log.last_update_time - formats: - - yyyy-MM-dd HH:mm:ss - on_failure: - - remove: - field: symantec_endpoint.log.last_update_time - -# Local Host IP -- set: - if: ctx?.symantec_endpoint?.log?.local_host_ip != null && ctx.symantec_endpoint.log.local_host_ip != "0.0.0.0" - field: source.address - copy_from: symantec_endpoint.log.local_host_ip - -# Local Host MAC -- set: - field: source.mac - copy_from: symantec_endpoint.log.local_host_mac - ignore_failure: true -- gsub: - field: source.mac - pattern: '[-:.]' - replacement: '' - ignore_missing: true -- remove: - if: ctx?.source?.mac == '000000000000' - field: source.mac -- gsub: - field: source.mac - pattern: '(..)(?!$)' - replacement: '$1-' - ignore_missing: true -- uppercase: - field: source.mac - ignore_missing: true - -# Local Host Name -- set: - if: ctx?.symantec_endpoint?.log?.local_host_name != "" - field: source.domain - copy_from: symantec_endpoint.log.local_host_name - ignore_failure: true - -# Local Port -- convert: - if: ctx?.symantec_endpoint?.log?.local_port != "0" - field: symantec_endpoint.log.local_port - target_field: source.port - type: long - ignore_failure: true - -# Location -- set: - field: source.geo.name - copy_from: symantec_endpoint.log.location - ignore_failure: true - -# MD-5 -- set: - field: process.hash.md5 - copy_from: symantec_endpoint.log.md-5 - ignore_failure: true -- lowercase: - field: process.hash.md5 - ignore_missing: true - -# Network 
Protocol (known as ECS network transport)
-- set:
- field: network.transport
- copy_from: symantec_endpoint.log.network_protocol
- ignore_failure: true
-- lowercase:
- field: network.transport
- ignore_missing: true
-
-# Occurrences
-- convert:
- field: symantec_endpoint.log.occurrences
- target_field: event.count
- type: long
- ignore_failure: true
-
-# Omitted
-- convert:
- field: symantec_endpoint.log.omitted
- type: long
- ignore_missing: true
- on_failure:
- - remove:
- field: symantec_endpoint.log.omitted
-
-# Remote Host IP
-- set:
- if: ctx?.symantec_endpoint?.log?.remote_host_ip != null && ctx.symantec_endpoint.log.remote_host_ip != "0.0.0.0"
- field: destination.address
- copy_from: symantec_endpoint.log.remote_host_ip
-
-# Remote Host MAC
-- set:
- field: destination.mac
- copy_from: symantec_endpoint.log.remote_host_mac
- ignore_failure: true
-- gsub:
- field: destination.mac
- pattern: '[-:.]'
- replacement: ''
- ignore_missing: true
-- remove:
- if: ctx?.destination?.mac == '000000000000'
- field: destination.mac
-- gsub:
- field: destination.mac
- pattern: '(..)(?!$)'
- replacement: '$1-'
- ignore_missing: true
-- uppercase:
- field: destination.mac
- ignore_missing: true
-
-# Remote Host Name
-- set:
- if: ctx?.symantec_endpoint?.log?.remote_host_name != ""
- field: destination.domain
- copy_from: symantec_endpoint.log.remote_host_name
- ignore_failure: true
-
-# Remote Port
-- convert:
- if: ctx?.symantec_endpoint?.log?.remote_port != "0"
- field: symantec_endpoint.log.remote_port
- target_field: destination.port
- type: long
- ignore_failure: true
-
-# Rule
-- set:
- field: rule.name
- copy_from: symantec_endpoint.log.rule
- ignore_failure: true
-
-# Sensitivity
-- convert:
- field: symantec_endpoint.log.sensitivity
- type: long
- ignore_missing: true
- on_failure:
- - remove:
- field: symantec_endpoint.log.sensitivity
-
-# SHA-256
-- set:
- field: process.hash.sha256
- copy_from: symantec_endpoint.log.sha-256
- ignore_failure: true
-- lowercase:
- field: process.hash.sha256
- ignore_missing: true
-
-# Signing Timestamp (Agent Risk Log)
-- date:
- if: ctx?.symantec_endpoint?.log?.signing_timestamp != null
- field: symantec_endpoint.log.signing_timestamp
- target_field: symantec_endpoint.log.signing_timestamp
- formats:
- - UNIX
- on_failure:
- - remove:
- field: symantec_endpoint.log.signing_timestamp
-- set:
- field: file.x509.not_before
- copy_from: symantec_endpoint.log.signing_timestamp
- ignore_failure: true
-
-# Source Computer
-- set:
- field: source.domain
- copy_from: symantec_endpoint.log.source_computer
- ignore_failure: true
-
-# Source IP
-- set:
- field: source.address
- copy_from: symantec_endpoint.log.source_ip
- ignore_failure: true
-
-# Submission Recommended (Recommendation in the form of YES or NO on whether to submit this detection to Symantec or not.)
-- set:
- if: ctx?.symantec_endpoint?.log?.submission_recommended != null && ctx.symantec_endpoint.log.submission_recommended.toLowerCase().contains('yes')
- field: symantec_endpoint.log.submission_recommended
- value: true
-- set:
- if: ctx?.symantec_endpoint?.log?.submission_recommended != null && !ctx.symantec_endpoint.log.submission_recommended.toLowerCase().contains('yes')
- field: symantec_endpoint.log.submission_recommended
- value: false
-
-# Traffic Direction
-# NOTE: inbound/outbound is changed to ingress/egress because this is a host
-# based EDR and ECS guidelines say to use ingress/egress for hosts.
-- set:
- field: network.direction
- copy_from: symantec_endpoint.log.traffic_direction
- ignore_failure: true
-- lowercase:
- field: network.direction
- ignore_missing: true
-- set:
- if: ctx?.network?.direction == "inbound"
- field: network.direction
- value: ingress
-- set:
- if: ctx?.network?.direction == "outbound"
- field: network.direction
- value: egress
-
-# Threats
-- convert:
- field: symantec_endpoint.log.threats
- type: long
- ignore_missing: true
- on_failure:
- - remove:
- field: symantec_endpoint.log.threats
-
-# Total files
-- convert:
- field: symantec_endpoint.log.total_files
- type: long
- ignore_missing: true
- on_failure:
- - remove:
- field: symantec_endpoint.log.total_files
-
-# User Name
-- set:
- field: user.name
- copy_from: symantec_endpoint.log.user_name
- ignore_failure: true
-
-# User1
-- set:
- if: ctx?.symantec_endpoint?.log?.user1 != null && ctx?.user?.name == null
- field: user.name
- copy_from: symantec_endpoint.log.user1
-
-###
-# END handling of Symantec Endpoint fields.
-###
-
-- remove:
- if: ctx?._conf?.remove_mapped_fields == true
- description: Remove symantec_endpoint.log fields that are mapped in some way to ECS.
- ignore_missing: true
- field:
- - symantec_endpoint.log.action
- - symantec_endpoint.log.actual_action
- - symantec_endpoint.log.admin
- - symantec_endpoint.log.application
- - symantec_endpoint.log.application_name
- - symantec_endpoint.log.application_version
- - symantec_endpoint.log.begin
- - symantec_endpoint.log.caller_process_id
- - symantec_endpoint.log.caller_process_name
- - symantec_endpoint.log.certificate_serial_number
- - symantec_endpoint.log.certificate_thumbprint
- - symantec_endpoint.log.company_name
- - symantec_endpoint.log.domain_name
- - symantec_endpoint.log.download_site
- - symantec_endpoint.log.downloaded_by
- - symantec_endpoint.log.duration_seconds
- - symantec_endpoint.log.end
- - symantec_endpoint.log.event_description
- - symantec_endpoint.log.event_time
- - symantec_endpoint.log.file_path
- - symantec_endpoint.log.file_size_bytes
- - symantec_endpoint.log.inserted
- - symantec_endpoint.log.intrusion_id
- - symantec_endpoint.log.intrusion_url
- - symantec_endpoint.log.last_update_time
- - symantec_endpoint.log.local_host_ip
- - symantec_endpoint.log.local_host_mac
- - symantec_endpoint.log.local_host_name
- - symantec_endpoint.log.local_port
- - symantec_endpoint.log.location
- - symantec_endpoint.log.md-5
- - symantec_endpoint.log.network_protocol
- - symantec_endpoint.log.occurrences
- - symantec_endpoint.log.remote_host_ip
- - symantec_endpoint.log.remote_host_mac
- - symantec_endpoint.log.remote_host_name
- - symantec_endpoint.log.remote_port
- - symantec_endpoint.log.rule
- - symantec_endpoint.log.sha-256
- - symantec_endpoint.log.signing_timestamp
- - symantec_endpoint.log.source_computer
- - symantec_endpoint.log.source_ip
- - symantec_endpoint.log.submission_recommended
- - symantec_endpoint.log.traffic_direction
- - symantec_endpoint.log.user1
- - symantec_endpoint.log.user_name
-
-- remove:
- description: Remove empty symantec_endpoint.log object.
- if: ctx?.symantec_endpoint?.log != null && ctx.symantec_endpoint.log.isEmpty()
- field: symantec_endpoint
- ignore_missing: true
-
-# ECS Categorization
-- set:
- field: event.kind
- value: event
-- append:
- description: Set event.type to allowed when activity is blocked.
- if: ctx?.event?.action == 'blocked' || (ctx?.message != null && !ctx.message.contains('not blocked') && ctx.message.contains('blocked'))
- field: event.type
- value: denied
- allow_duplicates: false
-- append:
- description: Set event.type to allowed when activity is not blocked.
- if: ctx?.event?.action == 'not blocked' || (ctx?.message != null && ctx.message.contains('not blocked'))
- field: event.type
- value: allowed
- allow_duplicates: false
-- append:
- if: ctx?.event?.provider == 'Administrative Log' && ctx.message.contains('log on')
- field: event.category
- value: authentication
-- append:
- if: ctx?.event?.provider == 'Administrative Log' && ctx.message.contains('log on')
- field: event.type
- value: info
-- set:
- if: ctx?.event?.provider == 'Administrative Log' && ctx.message.contains('log on failed')
- field: event.outcome
- value: failure
-- set:
- if: ctx?.event?.provider == 'Administrative Log' && ctx.message.contains('log on succeeded')
- field: event.outcome
- value: success
-
-# Destination IP
-- convert:
- field: destination.address
- target_field: destination.ip
- type: ip
- ignore_missing: true
- ignore_failure: true
-
-# Source IP
-- convert:
- field: source.address
- target_field: source.ip
- type: ip
- ignore_missing: true
- ignore_failure: true
-
-# Network Type
-- set:
- if: ctx?.source?.ip != null && !ctx.source.ip.contains(':')
- field: network.type
- value: ipv4
-- set:
- if: ctx?.source?.ip != null && ctx.source.ip.contains(':')
- field: network.type
- value: ipv6
-
-# Host IP
-- append:
- if: ctx?.source?.ip != null
- field: host.ip
- value: '{{{source.ip}}}'
- allow_duplicates: false
-
-# Host MAC
-- append:
- if: ctx?.source?.mac != null
- field: host.mac
-
value: '{{{source.mac}}}'
- allow_duplicates: false
-
-# Host Hostname
-- set:
- field: host.hostname
- copy_from: source.domain
- override: false
- ignore_failure: true
-
-# Host Name
-- set:
- field: host.name
- copy_from: host.hostname
- override: false
- ignore_failure: true
-
-# Related IP
-- append:
- if: ctx?.source?.ip != null
- field: related.ip
- value: '{{{source.ip}}}'
- allow_duplicates: false
-- append:
- if: ctx?.destination?.ip != null
- field: related.ip
- value: '{{{destination.ip}}}'
- allow_duplicates: false
-
-# Related Hash
-- append:
- if: ctx?.file?.hash?.sha1 != null
- field: related.hash
- value: '{{{file.hash.sha1}}}'
- allow_duplicates: true
-- append:
- if: ctx?.process?.hash?.md5 != null
- field: related.hash
- value: '{{{process.hash.md5}}}'
- allow_duplicates: true
-- append:
- if: ctx?.process?.hash?.sha256 != null
- field: related.hash
- value: '{{{process.hash.sha256}}}'
- allow_duplicates: true
-
-# Community ID
-- community_id:
- ignore_failure: true
-
-# IP Geolocation Lookup
-- geoip:
- if: ctx.source?.geo == null
- field: source.ip
- target_field: source.geo
- ignore_missing: true
-- geoip:
- if: ctx.destination?.geo == null
- field: destination.ip
- target_field: destination.geo
- ignore_missing: true
-
-# IP Autonomous System (AS) Lookup
-- geoip:
- database_file: GeoLite2-ASN.mmdb
- field: source.ip
- target_field: source.as
- properties:
- - asn
- - organization_name
- ignore_missing: true
-- geoip:
- database_file: GeoLite2-ASN.mmdb
- field: destination.ip
- target_field: destination.as
- properties:
- - asn
- - organization_name
- ignore_missing: true
-- rename:
- field: source.as.asn
- target_field: source.as.number
- ignore_missing: true
-- rename:
- field: source.as.organization_name
- target_field: source.as.organization.name
- ignore_missing: true
-- rename:
- field: destination.as.asn
- target_field: destination.as.number
- ignore_missing: true
-- rename:
- field: destination.as.organization_name
- target_field:
destination.as.organization.name
- ignore_missing: true
-
-- script:
- # Local was assumed to be source and remote was assumed to be destination.
- # But if direction is ingress then swap the two around.
- description: Swap source/destination for "ingress".
- tag: swap-source-destination-on-ingress
- if: ctx?.network?.direction == "ingress" && ctx?.source != null && ctx?.destination != null
- lang: painless
- source: |
- def tmp = ctx.source;
- ctx.source = ctx.destination;
- ctx.destination = tmp;
-
-- remove:
- description: Retain event.original when preserve_original_event tag exists.
- if: ctx?.tags == null || !ctx.tags.contains('preserve_original_event')
- field: event.original
- ignore_missing: true
-
-- remove:
- if: ctx?.tags == null || !ctx.tags.contains('debug')
- ignore_missing: true
- field:
- - _conf
- - _csv_array
- - _fingerprint
-
-on_failure:
-- set:
- field: error.message
- value: 'processor {{ _ingest.on_failure_processor_type }}: {{ _ingest.on_failure_message }}'
-
-- remove:
- if: ctx?.tags == null || !ctx.tags.contains('debug')
- ignore_missing: true
- field:
- - _conf
- - _csv_array
- - _csv_map
- - _fingerprint
diff --git a/packages/symantec_endpoint/2.0.1/data_stream/log/fields/agent.yml b/packages/symantec_endpoint/2.0.1/data_stream/log/fields/agent.yml
deleted file mode 100755
index c2cceee2d3..0000000000
--- a/packages/symantec_endpoint/2.0.1/data_stream/log/fields/agent.yml
+++ /dev/null
@@ -1,210 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - -- name: input.type - type: keyword - description: Input type. 
-- name: log.offset
- type: long
- description: Offset of the entry in the log file.
-- name: log.file.path
- type: keyword
- description: Path to the log file.
-- name: log.source.address
- type: keyword
- description: Source address from which the log event was read / sent from.
diff --git a/packages/symantec_endpoint/2.0.1/data_stream/log/fields/base-fields.yml b/packages/symantec_endpoint/2.0.1/data_stream/log/fields/base-fields.yml
deleted file mode 100755
index 9b29365e19..0000000000
--- a/packages/symantec_endpoint/2.0.1/data_stream/log/fields/base-fields.yml
+++ /dev/null
@@ -1,32 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: event.module
- type: constant_keyword
- description: Name of the module this data is coming from.
- value: symantec_endpoint
-- name: event.dataset
- type: constant_keyword
- description: Name of the dataset.
- value: symantec_endpoint.log
-- name: "@timestamp"
- type: date
- description: Event timestamp.
-- name: observer.vendor
- type: constant_keyword
- description: Vendor name of the observer.
- value: Symantec
-- name: observer.product
- type: constant_keyword
- description: The product name of the observer.
- value: Endpoint Protection
-- name: observer.type
- type: constant_keyword
- description: The type of the observer the data is coming from.
- value: edr
diff --git a/packages/symantec_endpoint/2.0.1/data_stream/log/fields/ecs.yml b/packages/symantec_endpoint/2.0.1/data_stream/log/fields/ecs.yml
deleted file mode 100755
index 6d01ea4660..0000000000
--- a/packages/symantec_endpoint/2.0.1/data_stream/log/fields/ecs.yml
+++ /dev/null
@@ -1,321 +0,0 @@ -- description: Unique container id. - name: container.id - type: keyword -- description: |- - Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: destination.address - type: keyword -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: destination.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: destination.as.organization.name - type: keyword -- description: |- - The domain name of the destination system. - This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. - name: destination.domain - type: keyword -- description: City name. - name: destination.geo.city_name - type: keyword -- description: Name of the continent. - name: destination.geo.continent_name - type: keyword -- description: Country ISO code. - name: destination.geo.country_iso_code - type: keyword -- description: Country name. - name: destination.geo.country_name - type: keyword -- description: Longitude and latitude. - name: destination.geo.location - type: geo_point -- description: |- - User-defined description of a location, at the level of granularity they care about. - Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. - Not typically used in automated geolocation. - name: destination.geo.name - type: keyword -- description: Region ISO code. - name: destination.geo.region_iso_code - type: keyword -- description: Region name. 
- name: destination.geo.region_name - type: keyword -- description: IP address of the destination (IPv4 or IPv6). - name: destination.ip - type: ip -- description: |- - MAC address of the destination. - The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. - name: destination.mac - pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ - type: keyword -- description: Packets sent from the destination to the source. - name: destination.packets - type: long -- description: Port of the destination. - name: destination.port - type: long -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: Error message. - name: error.message - type: match_only_text -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. This will allow proper categorization of some events that fall in multiple categories. - name: event.category - normalize: - - array - type: keyword -- description: |- - Timestamp when an event arrived in the central data store. - This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. 
- In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. - name: event.ingested - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: event.start contains the date when the event started or when the activity was first observed. - name: event.start - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. - `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. This will allow proper categorization of some events that fall in multiple event types. - name: event.type - normalize: - - array - type: keyword -- description: SHA1 hash. - name: file.hash.sha1 - type: keyword -- description: Name of the file including the extension, without the directory. - name: file.name - type: keyword -- description: Full path to the file, including the file name. It should include the drive letter, when appropriate. - multi_fields: - - name: text - type: match_only_text - name: file.path - type: keyword -- description: Internal company name of the file, provided at compile-time. 
- name: file.pe.company - type: keyword -- description: Internal version of the file, provided at compile-time. - name: file.pe.file_version - type: keyword -- description: Internal product name of the file, provided at compile-time. - name: file.pe.product - type: keyword -- description: |- - File size in bytes. - Only relevant when `file.type` is "file". - name: file.size - type: long -- description: List of common name (CN) of issuing certificate authority. - name: file.x509.issuer.common_name - normalize: - - array - type: keyword -- description: Time at which the certificate is first considered valid. - name: file.x509.not_before - type: date -- description: Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters. - name: file.x509.serial_number - type: keyword -- description: |- - Original log level of the log event. - If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). - Some examples are `warn`, `err`, `i`, `informational`. - name: log.level - type: keyword -- description: |- - For log events the message field contains the log message, optimized for viewing in a log viewer. - For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. - If multiple messages exist, they can be combined into one message. - name: message - type: match_only_text -- description: |- - A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. - Learn more at https://github.com/corelight/community-id-spec. - name: network.community_id - type: keyword -- description: |- - Direction of the network traffic. 
- When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". - When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". - Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. - name: network.direction - type: keyword -- description: |- - Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) - The field value must be normalized to lowercase for querying. - name: network.transport - type: keyword -- description: |- - In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc - The field value must be normalized to lowercase for querying. - name: network.type - type: keyword -- description: Absolute path to the process executable. - multi_fields: - - name: text - type: match_only_text - name: process.executable - type: keyword -- description: MD5 hash. - name: process.hash.md5 - type: keyword -- description: SHA256 hash. - name: process.hash.sha256 - type: keyword -- description: |- - Process name. - Sometimes called program name or similar. - multi_fields: - - name: text - type: match_only_text - name: process.name - type: keyword -- description: Process id. - name: process.pid - type: long -- description: All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). 
- name: related.hash - normalize: - - array - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - normalize: - - array - type: ip -- description: All the user names or other user identifiers seen on the event. - name: related.user - normalize: - - array - type: keyword -- description: A rule ID that is unique within the scope of an agent, observer, or other entity using the rule for detection of this event. - name: rule.id - type: keyword -- description: The name of the rule or signature generating the event. - name: rule.name - type: keyword -- description: |- - Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: source.address - type: keyword -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: source.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: source.as.organization.name - type: keyword -- description: |- - The domain name of the source system. - This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. - name: source.domain - type: keyword -- description: City name. - name: source.geo.city_name - type: keyword -- description: Name of the continent. - name: source.geo.continent_name - type: keyword -- description: Country ISO code. - name: source.geo.country_iso_code - type: keyword -- description: Country name. - name: source.geo.country_name - type: keyword -- description: Longitude and latitude. 
- name: source.geo.location - type: geo_point -- description: |- - User-defined description of a location, at the level of granularity they care about. - Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. - Not typically used in automated geolocation. - name: source.geo.name - type: keyword -- description: Region ISO code. - name: source.geo.region_iso_code - type: keyword -- description: Region name. - name: source.geo.region_name - type: keyword -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: |- - MAC address of the source. - The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. - name: source.mac - pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ - type: keyword -- description: Port of the source. - name: source.port - type: long -- description: List of keywords used to tag each event. - name: tags - normalize: - - array - type: keyword -- description: |- - Domain of the url, such as "www.elastic.co". - In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. - If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. - name: url.domain - type: keyword -- description: |- - Unmodified original url as seen in the event source. - Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. - This field is meant to represent the URL as it was observed, complete or not. - multi_fields: - - name: text - type: match_only_text - name: url.original - type: wildcard -- description: Path of the request, such as "/search". 
- name: url.path - type: wildcard -- description: |- - Scheme of the request, such as "https". - Note: The `:` is not part of the scheme. - name: url.scheme - type: keyword -- description: |- - Name of the directory the user is a member of. - For example, an LDAP or Active Directory domain name. - name: user.domain - type: keyword -- description: Short name or login of the user. - multi_fields: - - name: text - type: match_only_text - name: user.name - type: keyword -- description: Unparsed user_agent string. - multi_fields: - - name: text - type: match_only_text - name: user_agent.original - type: keyword diff --git a/packages/symantec_endpoint/2.0.1/data_stream/log/fields/fields.yml b/packages/symantec_endpoint/2.0.1/data_stream/log/fields/fields.yml deleted file mode 100755 index 2c2cef565a..0000000000 --- a/packages/symantec_endpoint/2.0.1/data_stream/log/fields/fields.yml +++ /dev/null 
@@ -1,333 +0,0 @@
-- name: symantec_endpoint.log
- type: group
- fields:
- - name: action
- type: keyword
- description: >
- The action taken on the traffic, e.g. "Blocked".
-
- - name: actual_action
- type: keyword
- description: Actual action from risk logs and proactive detection (SONAR) logs.
- - name: admin
- type: keyword
- description: Name of the SEPM admin.
- - name: api_name
- type: keyword
- description: API name that was blocked (agent behavior log).
- - name: application
- type: keyword
- description: The full path name of the application involved.
- - name: application_hash
- type: keyword
- description: The hash for this application.
- - name: application_name
- type: keyword
- description: The application name.
- - name: application_type
- type: keyword
- description: Application type (Trojan, key logger etc).
- - name: application_version
- type: keyword
- description: The application version.
- - name: begin
- type: keyword
- description: Start time of the event (also see event.start).
- - name: caller_process_id
- type: keyword
- description: The ID of the process that triggers the logging.
- - name: caller_process_name
- type: keyword
- description: >
- The full path name of the application involved. It may be empty if the application is unknown, or if OS itself is involved, or if no application is involved. Also, it may be empty if profile says, "don't log application name in raw traffic log".
-
- - name: caller_return_address
- type: keyword
- description: >
- The return address of the caller. This field allows the detection of the calling module that makes the API call.
-
- This is historically not used. You can expect Return Address to always be 0.
-
- - name: caller_return_module_name
- description: >
- The module name of the caller. See CallerReturnAddress for more information.
-
- Return Module name is historically unused. You can expect Return Module name to always be "No Module Name" except where you see Sysplant when sysplant has started.
-
- type: keyword
- - name: category
- type: keyword
- description: Agent system log category (generally not populated by SEPM).
- - name: category_set
- type: keyword
- description: Agent risk log category.
- - name: category_type
- type: keyword
- description: Agent risk log category type.
- - name: certificate_issuer
- type: keyword
- description: The certificate's issuer.
- - name: certificate_serial_number
- type: keyword
- description: The certificate's serial number.
- - name: certificate_signer
- type: keyword
- description: The certificate's signer.
- - name: certificate_thumbprint
- type: keyword
- description: The certificate's thumbprint.
- - name: cids_signature_id
- type: keyword
- description: The signature ID.
- - name: cids_signature_string
- type: keyword
- description: The signature name.
- - name: cids_signature_subid
- type: keyword
- description: The signature sub ID.
- - name: coh_engine_version
- type: keyword
- description: TruScan engine version.
- - name: command
- type: keyword
- description: Command sent from the SEPM.
- - name: company_name
- type: keyword
- description: The company name from the application (used in agent risk logs).
- - name: computer_name
- type: keyword
- description: Name of the host machine (used in agent risk/scan logs).
- - name: confidence
- type: keyword
- description: >
- The Confidence level that produced the conviction. Examples: High, low, bad, trustworthy etc. "Confidence: There is strong evidence that this file is untrustworthy."
-
- - name: description
- type: keyword
- description: Description of the virus file.
- - name: detection_score
- type: keyword
- description: Score of detection.
- - name: detection_source
- type: keyword
- description: Source of the detection.
- - name: detection_type
- type: keyword
- description: Type of detection (e.g. heuristic).
- - name: device_id
- type: keyword
- description: The GUID of an external device (floppy disk, DVD, USB device, etc.).
- - name: disposition
- type: keyword
- description: Good / Bad / Unknown / Not available.
- - name: domain_name
- type: keyword
- description: SEPM domain name.
- - name: download_site
- type: keyword
- description: The URL determined from where the image was downloaded.
- - name: downloaded_by
- type: keyword
- description: The creator process of the dropper threat.
- - name: duration_seconds
- type: keyword
- description: The length of the scan, in seconds.
- - name: end
- type: keyword
- description: Start time of the event (also see event.end).
- - name: event_description
- type: keyword
- description: Description of the event. Usually, the first line of the description is treated as the summary.
- - name: event_source
- type: keyword
- description: The data source. NETPORT, NATSRV, Network Intrusion Protection System, LiveUpdate Manager etc.
- - name: event_time
- type: date
- description: Time of event occurrence.
- - name: file_path
- type: keyword
- description: The file path of the attacked file.
- - name: file_size_bytes
- type: keyword
- description: File size of application.
- - name: first_seen
- type: keyword
- description: The first seen date for the convicted application.
- - name: group
- type: keyword
- description: SEPM client group name.
- - name: hash_type
- type: keyword
- description: Application hash type (MD5, SHA1, SHA256 etc).
- - name: infected
- type: long
- description: The number of files that the scan found that were infected.
- - name: inserted
- type: date
- description: The time that the event was inserted into the database.
- - name: intensive_protection_level
- type: keyword
- description: The High Intensity Detection Level.
- - name: intrusion_id
- type: keyword
- description: Intrusion ID.
- - name: intrusion_payload_url
- type: keyword
- description: The URL that hosted the payload.
- - name: intrusion_url
- type: keyword
- description: The URL from the detection.
- - name: ip_address
- type: keyword
- description: IP Address of the machine.
- - name: last_update_time
- type: date
- description: The time on the server when the event is logged into the system or updated in the system (GMT).
- - name: local_host
- type: keyword
- description: The host name of the client computer.
- - name: local_host_ip
- type: keyword
- description: The IP address of the local computer.
- - name: local_host_mac
- type: keyword
- description: The MAC address of the local computer.
- - name: local_host_name
- type: keyword
- description: The host name of the client computer.
- - name: local_port
- type: keyword
- description: The TCP/UDP port of the local computer.
- - name: location
- type: keyword
- description: The location used when the event occurred.
- - name: md-5
- type: keyword
- description: The MD5 hash value.
- - name: network_protocol
- type: keyword
- description: Localized string for Others/ TCP/ UDP/ ICMP.
- - name: occurrences
- type: keyword
- description: The number of attacks. Sometime, when a hacker launches a mass attack, it may be reduced to one event by the log system, depending on the damper period.
- - name: omitted
- type: long
- description: The number of files that were omitted.
- - name: parameters
- type: keyword
- description: >
- Parameters is the name of the module, process, registry location or file that was used in the API call. Each parameter was converted to string format and separated by one space character. Double quotation mark characters within the string are escaped with a \ character.
-
- As an example, in the SEPM ADC policy you may have a rule with a condition which monitors for Load DLL Attempts with the rule being applied to mscoree.dll. In this case, in the parameters field you'd expect to see C:\Windows\SysWOW64\mscoree.dll.
- - name: permitted_application_reason
- type: keyword
- description: Reason for allow listing (e.g. Symantec permitted application list, Administrator permitted application list).
- - name: policy_name
- type: keyword
- description: Name of the policy.
- - name: prevalence
- type: keyword
- description: Number of users that have seen this.
- - name: remote_host_ip
- type: keyword
- description: The IP address of the remote computer.
- - name: remote_host_mac
- type: keyword
- description: The MAC address of the remote computer.
- - name: remote_port
- type: keyword
- description: The TCP/UDP port of the remote computer.
- - name: requested_action
- type: keyword
- description: Requested action by policy.
- - name: risk_level
- type: keyword
- description: The risk level (high, med, low) for the convicted threat.
- - name: risk_name
- type: keyword
- - name: risk_type
- type: keyword
- description: Localized strings for Heuristic / Cookie / Admin Black List / BPE / System Change / N/A.
- - name: rule
- type: keyword
- description: >
- The name of the rule that was triggered by the event.
-
- If the rule name is not specified in the security rule, then this field is empty. Having the rule name can be useful for troubleshooting. You may recognize a rule by the rule ID, but rule name can help you recognize it more quickly.
-
- - name: scan_complete
- type: keyword
- description: Scan message when scan ended.
- - name: scan_id
- type: keyword
- description: The scan ID provided by the agent.
- - name: secondary_action
- type: keyword
- description: Secondary action requested by policy
- - name: sensitivity
- type: long
- description: Engine sensitivity that produced this detection
- - name: server
- type: keyword
- description: Name of the server.
- - name: server_name
- type: keyword
- description: Name of the server.
- - name: sha-256
- type: keyword
- description: The SHA-256 hash value.
- - name: signing_timestamp
- type: date
- description: The certificate's signature timestamp.
- - name: site
- type: keyword
- description: SEPM site name.
- - name: source
- type: keyword
- description: Scan source (e.g. scheduled).
- - name: source_computer
- type: keyword
- description: Computer name where this event occurred.
- - name: source_ip
- type: keyword
- description: IP address of the machine on which the event occurred.
- - name: submission_recommended
- type: boolean
- description: Recommendation on whether to submit this detection to Symantec.
- - name: threats
- type: long
- description: The number of threats that the scan found.
- - name: total_files
- type: long
- description: The number of files scanned.
- - name: traffic_direction
- type: keyword
- description: Unknown / Inbound / Outbound
- - name: url_tracking_status
- type: keyword
- description: Network intrusion prevention status
- - name: user1
- type: keyword
- description: User when scan started.
- - name: user2
- type: keyword
- description: User when scan ended.
- - name: user_name
- type: keyword
- - name: web_domain
- type: keyword
- description: The web domain.
-- name: log.syslog.hostname
- type: keyword
- description: Hostname parsed from syslog header.
-- name: log.syslog.process.name
- type: keyword
-- name: log.syslog.process.pid
- type: long
-- name: log.syslog.priority
- type: long
-- name: log.syslog.version
- type: long
-- name: log.syslog.structured_data
- type: flattened
diff --git a/packages/symantec_endpoint/2.0.1/data_stream/log/manifest.yml b/packages/symantec_endpoint/2.0.1/data_stream/log/manifest.yml
deleted file mode 100755
index e24087b13b..0000000000
--- a/packages/symantec_endpoint/2.0.1/data_stream/log/manifest.yml
+++ /dev/null
@@ -1,190 +0,0 @@
-title: Symantec Endpoint Protection (SEP) Logs
-type: logs
-release: beta
-streams:
- - input: udp
- template_path: udp.yml.hbs
- title: SEP logs (syslog over UDP)
- description: Collect Symantec Endpoint Protection (SEP) logs over UDP.
- enabled: true
- vars:
- - name: listen_address
- type: text
- title: Listen Address
- description: The bind address to listen for UDP connections. Set to `0.0.0.0` to bind to all available interfaces.
- multi: false
- required: true
- show_user: true
- default: localhost
- name: listen_port
- type: integer
- title: Listen Port
- description: The UDP port number to listen on.
- multi: false
- required: true
- show_user: true
- default: 9008
- name: preserve_original_event
- required: true
- show_user: true
- title: Preserve original event
- description: Preserves a raw copy of the original event, added to the field `event.original`.
- type: bool
- multi: false
- default: false
- name: tags
- type: text
- title: Tags
- multi: true
- required: true
- show_user: false
- default:
- - symantec-endpoint-log
- - forwarded
- name: tz_offset
- type: text
- title: Timezone
- multi: false
- required: false
- show_user: false
- default: UTC
- description: IANA time zone or time offset (e.g. `+0200`) to use when interpreting syslog timestamps without a time zone.
- name: processors
- type: yaml
- title: Processors
- multi: false
- required: false
- show_user: false
- description: >
- Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
-
- - name: remove_mapped_fields
- required: true
- show_user: false
- title: Remove fields mapped to ECS
- description: Remove symantec_endpoint.log fields that have been used to populate ECS fields. This reduces the size of events by removing duplicated data.
- type: bool
- multi: false
- default: false
- input: tcp
- template_path: tcp.yml.hbs
- title: SEP logs (syslog over TCP)
- description: Collect Symantec Endpoint Protection (SEP) logs over TCP.
- enabled: false
- vars:
- - name: listen_address
- type: text
- title: Listen Address
- description: The bind address to listen for TCP connections. Set to `0.0.0.0` to bind to all available interfaces.
- multi: false
- required: true
- show_user: true
- default: localhost
- name: listen_port
- type: integer
- title: Listen Port
- description: The TCP port number to listen on.
- multi: false
- required: true
- show_user: true
- default: 9008
- name: preserve_original_event
- required: true
- show_user: true
- title: Preserve original event
- description: Preserves a raw copy of the original event, added to the field `event.original`.
- type: bool
- multi: false
- default: false
- name: ssl
- type: yaml
- title: TLS
- description: Options for enabling TLS for the listening TCP socket. See the [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/configuration-ssl.html) for a list of all options.
- multi: false
- required: false
- show_user: false
- default: |
- enabled: false
- certificate: "/etc/pki/client/cert.pem"
- key: "/etc/pki/client/cert.key"
- name: tags
- type: text
- title: Tags
- multi: true
- required: true
- show_user: false
- default:
- - symantec-endpoint-log
- - forwarded
- name: tz_offset
- type: text
- title: Timezone
- multi: false
- required: false
- show_user: false
- default: UTC
- description: IANA time zone or time offset (e.g. `+0200`) to use when interpreting syslog timestamps without a time zone.
- name: processors
- type: yaml
- title: Processors
- multi: false
- required: false
- show_user: false
- description: >
- Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
-
- - name: remove_mapped_fields
- required: true
- show_user: false
- title: Remove fields mapped to ECS
- description: Remove symantec_endpoint.log fields that have been used to populate ECS fields. This reduces the size of events by removing duplicated data.
- type: bool
- multi: false
- default: false
- input: logfile
- template_path: logfile.yml.hbs
- title: SEP logs (from file)
- description: Collect Symantec Endpoint Protection (SEP) logs from a file.
- enabled: false
- vars:
- - name: paths
- type: text
- title: Paths
- multi: true
- required: false
- show_user: true
- default:
- 'C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\data\dump\*.log'
- name: preserve_original_event
- required: true
- show_user: true
- title: Preserve original event
- description: Preserves a raw copy of the original event, added to the field `event.original`.
- type: bool
- multi: false
- default: false
- name: tags
- type: text
- title: Tags
- multi: true
- required: true
- show_user: true
- default:
- - symantec-endpoint-log
- - forwarded
- name: tz_offset
- type: text
- title: Timezone
- multi: false
- required: false
- show_user: false
- default: UTC
- description: IANA time zone or time offset (e.g. `+0200`) to use when interpreting syslog timestamps without a time zone.
- name: remove_mapped_fields
- required: true
- show_user: false
- title: Remove fields mapped to ECS
- description: Remove symantec_endpoint.log fields that have been used to populate ECS fields. This reduces the size of events by removing duplicated data.
- type: bool
- multi: false
- default: false
diff --git a/packages/symantec_endpoint/2.0.1/data_stream/log/sample_event.json b/packages/symantec_endpoint/2.0.1/data_stream/log/sample_event.json
deleted file mode 100755
index 4dfa5436fb..0000000000
--- a/packages/symantec_endpoint/2.0.1/data_stream/log/sample_event.json
+++ /dev/null
@@ -1,102 +0,0 @@
-{
- "@timestamp": "2018-02-16T08:01:33.000Z",
- "agent": {
- "ephemeral_id": "360bd055-47f7-487a-b357-e372825d65dd",
- "id": "33b93e16-9d01-4487-9b09-99db9e860912",
- "name": "docker-fleet-agent",
- "type": "filebeat",
- "version": "8.2.2"
- },
- "data_stream": {
- "dataset": "symantec_endpoint.log",
- "namespace": "ep",
- "type": "logs"
- },
- "ecs": {
- "version": "8.3.0"
- },
- "elastic_agent": {
- "id": "33b93e16-9d01-4487-9b09-99db9e860912",
- "snapshot": false,
- "version": "8.2.2"
- },
- "event": {
- "action": "Left alone",
- "agent_id_status": "verified",
- "count": 1,
- "dataset": "symantec_endpoint.log",
- "end": "2018-02-16T08:01:33.000Z",
- "ingested": "2022-06-27T23:54:21Z",
- "kind": "event",
- "original": "Potential risk found,Computer name: exampleComputer,Detection type: Heuristic,First Seen: Symantec has known about this file approximately 2 days.,Application name: Propsim,Application type: 127,\"Application version: \"\"3\",0,6,\"0\"\"\",Hash type: SHA-256,Application hash: SHA#1234567890,Company name: Dummy Technologies,File size (bytes): 343040,Sensitivity: 2,Detection score: 3,COH Engine Version: 8.1.1.1,Detection Submissions No,Permitted application reason: MDS,Disposition: Bad,Download site: ,Web domain: ,Downloaded by: c:/programdata/oracle/java/javapath_target_2151967445/Host126,Prevalence: Unknown,Confidence: There is not enough information about this file to recommend it.,URL Tracking Status: Off,Risk Level: High,Detection Source: N/A,Source: Heuristic Scan,Risk name: ,Occurrences: 1,f:\\user\\workspace\\baseline package creator\\release\\Host214,'',Actual action: Left alone,Requested action: Left alone,Secondary action: Left alone,Event time: 2018-02-16 08:01:33,Inserted: 2018-02-16 08:02:52,End: 2018-02-16 08:01:33,Domain: Default,Group: My Company\\SEPM Group Name,Server: SEPMServer,User: exampleUser,Source computer: ,Source IP:"
- },
- "file": {
- "pe": {
- "company": "Dummy Technologies",
- "file_version": "\"3",
- "product": "Propsim"
- },
- "size": 343040
- },
- "host": {
- "hostname": "exampleComputer",
- "name": "exampleComputer"
- },
- "input": {
- "type": "udp"
- },
- "log": {
- "source": {
- "address": "172.19.0.4:51285"
- }
- },
- "process": {
- "executable": "c:/programdata/oracle/java/javapath_target_2151967445/Host126"
- },
- "symantec_endpoint": {
- "log": {
- "actual_action": "Left alone",
- "application_hash": "SHA#1234567890",
- "application_name": "Propsim",
- "application_type": "127",
- "application_version": "\"3",
- "coh_engine_version": "8.1.1.1",
- "company_name": "Dummy Technologies",
- "computer_name": "exampleComputer",
- "confidence": "There is not enough information about this file to recommend it.",
- "detection_score": "3",
- "detection_source": "N/A",
- "detection_type": "Heuristic",
- "disposition": "Bad",
- "domain_name": "Default",
- "downloaded_by": "c:/programdata/oracle/java/javapath_target_2151967445/Host126",
- "end": "2018-02-16 08:01:33",
- "event_time": "2018-02-16T08:01:33.000Z",
- "file_size_bytes": "343040",
- "first_seen": "Symantec has known about this file approximately 2 days.",
- "group": "My Company\\SEPM Group Name",
- "hash_type": "SHA-256",
- "inserted": "2018-02-16T08:02:52.000Z",
- "occurrences": "1",
- "permitted_application_reason": "MDS",
- "prevalence": "Unknown",
- "requested_action": "Left alone",
- "risk_level": "High",
- "secondary_action": "Left alone",
- "sensitivity": 2,
- "server": "SEPMServer",
- "source": "Heuristic Scan",
- "url_tracking_status": "Off",
- "user_name": "exampleUser"
- }
- },
- "tags": [
- "preserve_original_event",
- "symantec-endpoint-log",
- "forwarded"
- ],
- "user": {
- "domain": "Default",
- "name": "exampleUser"
- }
-}
\ No newline at end of file
diff --git a/packages/symantec_endpoint/2.0.1/docs/README.md b/packages/symantec_endpoint/2.0.1/docs/README.md
deleted file mode 100755
index 428b3cf5dc..0000000000
--- a/packages/symantec_endpoint/2.0.1/docs/README.md
+++ /dev/null
@@ -1,457 +0,0 @@
-# Symantec Endpoint Protection Integration
-
-This integration is for [Symantec Endpoint Protection (SEP)](https://knowledge.broadcom.com/external/article?legacyId=tech171741) logs. It can be used
-to receive logs sent by SEP over syslog or read logs exported to a text file.
-
-The log message is expected to be in CSV format. Syslog RFC3164 and RCF5424
-headers are allowed and will be parsed if present. The data is mapped to
-ECS fields where applicable and the remaining fields are written under
-`symantec_endpoint.log.*`.
-
-If a specific SEP log type is detected then `event.provider` is set (e.g.
-`Agent Traffic Log`).
-
-## Syslog setup steps
-
-1. Enable this integration with the UDP input.
-2. If the Symantec management server and Elastic Agent are running on different
-hosts then configure the integration to listen on 0.0.0.0 so that it will accept
-UDP packets on all interfaces. This makes the listening port reachable by the
-Symantec server.
-3. Configure the Symantec management server to send syslog to the Elastic Agent
-that is running this integration. See [Exporting data to a Syslog server](
-https://techdocs.broadcom.com/us/en/symantec-security-software/endpoint-security-and-management/endpoint-protection/all/Monitoring-Reporting-and-Enforcing-Compliance/viewing-logs-v7522439-d37e464/exporting-data-to-a-syslog-server-v8442743-d15e1107.html)
-in the SEP guide. Use the IP address or hostname of the Elastic Agent as the
-syslog server address. And use the listen port as the destination port (default
-is 9008).
-
-## Log file setup steps
-
-1. Configure the Symantec management server to export log data to a text file.
-See [Exporting log data to a text file](https://techdocs.broadcom.com/us/en/symantec-security-software/endpoint-security-and-management/endpoint-protection/all/Monitoring-Reporting-and-Enforcing-Compliance/viewing-logs-v7522439-d37e464/exporting-log-data-to-a-text-file-v8440135-d15e1197.html).
-2. Enable this integration with the log file input. Configure the input to
-read from the location where the log files are being written. The default is
-`C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\data\dump\*.log`.
-
-Logs exported to text file always begin with the event time and severity
-columns (e.g. `2020-01-16 08:00:31,Critical,...`).
-
-## Log samples
-
-Below are samples of some different SEP log types. These examples have had their
-syslog header removed, but when sent over syslog these lines typically
-begin with an RFC3164 header like
-`<51>Oct 3 10:38:14 symantec.endpointprotection.test SymantecServer: `
-
-### Administrative Log
-
-See vendor documentation: [External Logging settings and log event severity levels for Endpoint Protection Manager](https://knowledge.broadcom.com/external/article?legacyId=tech171741#Administrative)
-
-`Site: SEPSite,Server: SEPServer,Domain: _domainOrigin,Admin: _originUser,Administrator log on succeeded`
-
-### Agent Activity Log
-
-See vendor documentation: [External Logging settings and log event severity levels for Endpoint Protection Manager]( https://knowledge.broadcom.com/external/article?legacyId=tech171741#Agent_Activity)
-
-`Site: SEPSite,Server Name: exampleserver,Domain Name: Default,The management server received the client log successfully,TESTHOST01,sampleuser01,sample.example.com`
-
-### Agent Behavior Log
-
-See vendor documentation: [External Logging settings and log event severity levels for Endpoint Protection Manager](https://knowledge.broadcom.com/external/article?legacyId=tech171741#Agent_Behavior)
-
-`exampleserver,216.160.83.57,Blocked,[AC7-2.1] Block scripts - Caller MD5=d73b04b0e696b0945283defa3eee4538,File Write,Begin: 2019-09-06 15:18:56,End: 2019-09-06 15:18:56,Rule: Rule Name,9552,C:/ProgramData/bomgar-scc-0x5d4162a4/bomgar-scc.exe,0,No Module Name,C:/ProgramData/bomgar-scc-0x5d4162a4/start-cb-hook.bat,User: _originUser,Domain: _domainOrigin,Action Type: ,File size (bytes): 1403,Device ID: SCSI\Disk&Ven_WDC&Prod_WD10SPCX-75KHST0\4&1d8ead7a&0&000200`
-
-### Agent Packet Log
-
-See vendor documentation: [External Logging settings and log event severity levels for Endpoint Protection Manager](https://knowledge.broadcom.com/external/article?legacyId=tech171741#Agent_Packet)
-
-`exampleserver,Local Host: 81.2.69.143,Local Port: 138,Remote Host IP: 81.2.69.144.,Remote Host Name: ,Remote Port: 138,Outbound,Application: C:/windows/system32/NTOSKRNL.EXE,Action: Blocked`
-
-### Agent Proactive Detection Log
-
-See vendor documentation:[External Logging settings and log event severity levels for Endpoint Protection Manager](https://knowledge.broadcom.com/external/article?legacyId=TECH171741#Agent_Proactive_Detection)
-
-`Potential risk found,Computer name: exampleComputer,Detection type: Heuristic,First Seen: Symantec has known about this file approximately 2 days.,Application name: Propsim,Application type: 127,"Application version: ""3",0,6,"0""",Hash type: SHA-256,Application hash: SHA#1234567890,Company name: Dummy Technologies,File size (bytes): 343040,Sensitivity: 2,Detection score: 3,COH Engine Version: 8.1.1.1,Detection Submissions No,Permitted application reason: MDS,Disposition: Bad,Download site: ,Web domain: ,Downloaded by: c:/programdata/oracle/java/javapath_target_2151967445/Host126,Prevalence: Unknown,Confidence: There is not enough information about this file to recommend it.,URL Tracking Status: Off,Risk Level: High,Detection Source: N/A,Source: Heuristic Scan,Risk name: ,Occurrences: 1,f:\user\workspace\baseline package creator\release\Host214,'',Actual action: Left alone,Requested action: Left alone,Secondary action: Left alone,Event time: 2018-02-16 08:01:33,Inserted: 2018-02-16 08:02:52,End: 2018-02-16 08:01:33,Domain: Default,Group: My Company\SEPM Group Name,Server: SEPMServer,User: exampleUser,Source computer: ,Source IP:`
-
-### Agent Risk Log
-
-See vendor documentation: [External Logging settings and log event severity levels for Endpoint Protection Manager](https://knowledge.broadcom.com/external/article?legacyId=TECH171741#Agent_Risk)
-
-`Security risk found,IP Address: 1.128.3.4,Computer name: exampleComputer,Source: Auto-Protect scan,Risk name: WS.Reputation.1,Occurrences: 1,e:\removablemediaaccessutility.exe,,Actual action: All actions failed,Requested action: Process terminate pending restart,Secondary action: Left alone,Event time: 2019-09-03 08:12:25,Inserted: 2019-09-03 08:14:03,End: 2019-09-03 08:12:25,Last update time: 2019-09-03 08:14:03,Domain: SEPMServerDoman,Group: My Company\GroupName,Server: SEPMServerName,User: exampleUser,Source computer: ,Source IP: ,Disposition: Bad,Download site: ,Web domain: ,Downloaded by: e:/removablemediaaccessutility.exe,Prevalence: This file has been seen by fewer than 5 Symantec users.,Confidence: There is some evidence that this file is untrustworthy.,URL Tracking Status: On,First Seen: Symantec has known about this file approximately 2 days.,Sensitivity: ,Permitted application reason: Not on the permitted application list,Application hash: SHA#1234567890,Hash type: SHA2,Company name: Company Name,Application name: Client for Symantec Endpoint Encryption,Application version: 11.1.2 (Build 1248),Application type: 127,File size (bytes): 4193981,Category set: Malware,Category type: Insight Network Threat,Location: GD-OTS Unmanaged Client - Online,Intensive Protection Level: 0,Certificate issuer: Symantec Corporation,Certificate signer: VeriSign Class 3 Code Signing 2010 CA,Certificate thumbprint: AB6EF1497C6E1C8CCC12F06E945A4954FB41AD45,Signing timestamp: 1482491555,Certificate serial number: AB2D17E62E571F288ACB5666FD3C5230`
-
-### Agent Scan Log
-
-See vendor documentation: [External Logging settings and log event severity levels for Endpoint Protection Manager](https://knowledge.broadcom.com/external/article?legacyId=TECH171741#Agent_Scan)
-
-`Scan ID: 123456789,Begin: 2020-01-31 11:35:28,End: 2020-01-31 11:45:28,Started,Duration (seconds): 600,User1: exampleUser,User2: SYSTEM,Scan started on selected drives and folders and all extensions.,Scan Complete: Risks: 0 Scanned: 916 Files/Folders/Drives Omitted: 0 Trusted Files Skipped: 0,Command: Not a command scan (),Threats: 0,Infected: 0,Total files: 916,Omitted: 0,Computer: _destinationHostname,IP Address: 1.128.3.4,Domain: exampleDomain,Group: Company\US\UserWS\Main Office,Server: SEPServer`
-
-### Agent Security Log
-
-See vendor documentation: [External Logging settings and log event severity levels for Endpoint Protection Manager](https://knowledge.broadcom.com/external/article?legacyId=TECH171741#Agent_Security)
-
-`server03,Event Description: ARP Cache Poison,Local Host IP: 0.0.0.0,Local Host MAC: 2DFF88AABBDC,Remote Host Name: ,Remote Host IP: 0.0.0.0,Remote Host MAC: AABBCCDDEEFF,Inbound,Unknown,Intrusion ID: 0,Begin: 2020-11-23 13:56:35,End Time: 2020-11-23 13:56:35,Occurrences: 1,Application: ,Location: Remote,User Name: bobby,Domain Name: local,Local Port: 0,Remote Port: 0,CIDS Signature ID: 99990,CIDS Signature string: ARP Cache Poison,CIDS Signature SubID: 0,Intrusion URL: ,Intrusion Payload URL: ,SHA-256: ,MD-5:`
-
-### Agent System Log
-
-See vendor documentation: [External Logging settings and log event severity levels for Endpoint Protection Manager](https://knowledge.broadcom.com/external/article?legacyId=TECH171741#Agent_System)
-
-`exampleHostname,Category: 0,CVE,New content update failed to download from the management server. Remote file path: https://server:443/content/{02335EF8-ADE1-4DD8-9F0F-2A9662352E65}/190815061/xdelta190815061_To_190816061.dax,Event time: 2019-08-19 07:14:38`
-
-### Agent Traffic Log
-
-See vendor documentation: [External Logging settings and log event severity levels for Endpoint Protection Manager](https://knowledge.broadcom.com/external/article?legacyId=TECH171741#Agent_Traffic)
-
-`host-plaintext,Local Host IP: 216.160.83.61,Local Port: 80,Local Host MAC: CCF9E4A91226,Remote Host IP: 216.160.83.61,Remote Host Name: ,Remote Port: 33424,Remote Host MAC: 2C3AFDA79E71,TCP,Inbound,Begin: 2020-11-11 19:25:21,End Time: 2020-11-11 19:25:28,Occurrences: 4,Application: C:/WINDOWS/system32/NTOSKRNL.EXE,Rule: Block Unapproved Incoming Ports,Location: Default,User Name: sampleuser4,Domain Name: SMPL,Action: Blocked,SHA-256: 5379732000000000000000000000000000000000000000000000000000000000,MD-5: 53797320000000000000000000000000`
-
-### Policy Log
-
-See vendor documentation: [External Logging settings and log event severity levels for Endpoint Protection Manager](https://knowledge.broadcom.com/external/article?legacyId=TECH171741#Policy)
-
-`Site: SEPSite,Server: exampleHostname,Domain: exampleDomain,Admin: exampleAdmin,Event Description: Policy has been edited: Edited shared Intrusion Prevention policy: SEPPolicyName,SEPPolicyName`
-
-### System Log
-
-See vendor documentation: [External Logging settings and log event severity levels for Endpoint Protection Manager]( https://knowledge.broadcom.com/external/article?legacyId=TECH171741#System)
-
-`Site: SEPSite,Server: exampleHostname,Symantec Endpoint Protection Manager could not update Intrusion Prevention Signatures 14.0.`
-
-**Exported fields**
-
-| Field | Description | Type |
-|---|---|---|
-| @timestamp | Event timestamp. | date |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
-| data_stream.dataset | Data stream dataset. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
-| destination.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long |
-| destination.as.organization.name | Organization name. | keyword |
-| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. | match_only_text |
-| destination.domain | The domain name of the destination system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword |
-| destination.geo.city_name | City name. | keyword |
-| destination.geo.continent_name | Name of the continent. | keyword |
-| destination.geo.country_iso_code | Country ISO code. | keyword |
-| destination.geo.country_name | Country name. | keyword |
-| destination.geo.location | Longitude and latitude. | geo_point |
-| destination.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword |
-| destination.geo.region_iso_code | Region ISO code. | keyword |
-| destination.geo.region_name | Region name. | keyword |
-| destination.ip | IP address of the destination (IPv4 or IPv6). | ip |
-| destination.mac | MAC address of the destination. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword |
-| destination.packets | Packets sent from the destination to the source. | long |
-| destination.port | Port of the destination. | long |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| error.message | Error message. | match_only_text |
-| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity.
This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.dataset | Name of the dataset. | constant_keyword | -| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | -| event.module | Name of the module this data is coming from. | constant_keyword | -| event.start | event.start contains the date when the event started or when the activity was first observed. | date | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | -| file.hash.sha1 | SHA1 hash. 
| keyword | -| file.name | Name of the file including the extension, without the directory. | keyword | -| file.path | Full path to the file, including the file name. It should include the drive letter, when appropriate. | keyword | -| file.path.text | Multi-field of `file.path`. | match_only_text | -| file.pe.company | Internal company name of the file, provided at compile-time. | keyword | -| file.pe.file_version | Internal version of the file, provided at compile-time. | keyword | -| file.pe.product | Internal product name of the file, provided at compile-time. | keyword | -| file.size | File size in bytes. Only relevant when `file.type` is "file". | long | -| file.x509.issuer.common_name | List of common name (CN) of issuing certificate authority. | keyword | -| file.x509.not_before | Time at which the certificate is first considered valid. | date | -| file.x509.serial_number | Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters. | keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. 
The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| input.type | Input type. | keyword | -| log.file.path | Path to the log file. | keyword | -| log.level | Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). Some examples are `warn`, `err`, `i`, `informational`. | keyword | -| log.offset | Offset of the entry in the log file. | long | -| log.source.address | Source address from which the log event was read / sent from. | keyword | -| log.syslog.hostname | Hostname parsed from syslog header. | keyword | -| log.syslog.priority | | long | -| log.syslog.process.name | | keyword | -| log.syslog.process.pid | | long | -| log.syslog.structured_data | | flattened | -| log.syslog.version | | long | -| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. 
If multiple messages exist, they can be combined into one message. | match_only_text | -| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword | -| network.direction | Direction of the network traffic. When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword | -| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword | -| network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword | -| observer.product | The product name of the observer. | constant_keyword | -| observer.type | The type of the observer the data is coming from. | constant_keyword | -| observer.vendor | Vendor name of the observer. | constant_keyword | -| process.executable | Absolute path to the process executable. | keyword | -| process.executable.text | Multi-field of `process.executable`. | match_only_text | -| process.hash.md5 | MD5 hash. | keyword | -| process.hash.sha256 | SHA256 hash. | keyword | -| process.name | Process name. 
Sometimes called program name or similar. | keyword | -| process.name.text | Multi-field of `process.name`. | match_only_text | -| process.pid | Process id. | long | -| related.hash | All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| related.user | All the user names or other user identifiers seen on the event. | keyword | -| rule.id | A rule ID that is unique within the scope of an agent, observer, or other entity using the rule for detection of this event. | keyword | -| rule.name | The name of the rule or signature generating the event. | keyword | -| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| source.as.organization.name | Organization name. | keyword | -| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text | -| source.domain | The domain name of the source system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | -| source.geo.city_name | City name. | keyword | -| source.geo.continent_name | Name of the continent. | keyword | -| source.geo.country_iso_code | Country ISO code. | keyword | -| source.geo.country_name | Country name. | keyword | -| source.geo.location | Longitude and latitude. 
| geo_point | -| source.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | -| source.geo.region_iso_code | Region ISO code. | keyword | -| source.geo.region_name | Region name. | keyword | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| source.mac | MAC address of the source. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | -| source.port | Port of the source. | long | -| symantec_endpoint.log.action | The action taken on the traffic, e.g. "Blocked". | keyword | -| symantec_endpoint.log.actual_action | Actual action from risk logs and proactive detection (SONAR) logs. | keyword | -| symantec_endpoint.log.admin | Name of the SEPM admin. | keyword | -| symantec_endpoint.log.api_name | API name that was blocked (agent behavior log). | keyword | -| symantec_endpoint.log.application | The full path name of the application involved. | keyword | -| symantec_endpoint.log.application_hash | The hash for this application. | keyword | -| symantec_endpoint.log.application_name | The application name. | keyword | -| symantec_endpoint.log.application_type | Application type (Trojan, key logger etc). | keyword | -| symantec_endpoint.log.application_version | The application version. | keyword | -| symantec_endpoint.log.begin | Start time of the event (also see event.start). | keyword | -| symantec_endpoint.log.caller_process_id | The ID of the process that triggers the logging. | keyword | -| symantec_endpoint.log.caller_process_name | The full path name of the application involved. 
It may be empty if the application is unknown, or if OS itself is involved, or if no application is involved. Also, it may be empty if profile says, "don't log application name in raw traffic log". | keyword | -| symantec_endpoint.log.caller_return_address | The return address of the caller. This field allows the detection of the calling module that makes the API call. This is historically not used. You can expect Return Address to always be 0. | keyword | -| symantec_endpoint.log.caller_return_module_name | The module name of the caller. See CallerReturnAddress for more information. Return Module name is historically unused. You can expect Return Module name to always be "No Module Name" except where you see Sysplant when sysplant has started. | keyword | -| symantec_endpoint.log.category | Agent system log category (generally not populated by SEPM). | keyword | -| symantec_endpoint.log.category_set | Agent risk log category. | keyword | -| symantec_endpoint.log.category_type | Agent risk log category type. | keyword | -| symantec_endpoint.log.certificate_issuer | The certificate's issuer. | keyword | -| symantec_endpoint.log.certificate_serial_number | The certificate's serial number. | keyword | -| symantec_endpoint.log.certificate_signer | The certificate's signer. | keyword | -| symantec_endpoint.log.certificate_thumbprint | The certificate's thumbprint. | keyword | -| symantec_endpoint.log.cids_signature_id | The signature ID. | keyword | -| symantec_endpoint.log.cids_signature_string | The signature name. | keyword | -| symantec_endpoint.log.cids_signature_subid | The signature sub ID. | keyword | -| symantec_endpoint.log.coh_engine_version | TruScan engine version. | keyword | -| symantec_endpoint.log.command | Command sent from the SEPM. | keyword | -| symantec_endpoint.log.company_name | The company name from the application (used in agent risk logs). 
| keyword | -| symantec_endpoint.log.computer_name | Name of the host machine (used in agent risk/scan logs). | keyword | -| symantec_endpoint.log.confidence | The Confidence level that produced the conviction. Examples: High, low, bad, trustworthy etc. "Confidence: There is strong evidence that this file is untrustworthy." | keyword | -| symantec_endpoint.log.description | Description of the virus file. | keyword | -| symantec_endpoint.log.detection_score | Score of detection. | keyword | -| symantec_endpoint.log.detection_source | Source of the detection. | keyword | -| symantec_endpoint.log.detection_type | Type of detection (e.g. heuristic). | keyword | -| symantec_endpoint.log.device_id | The GUID of an external device (floppy disk, DVD, USB device, etc.). | keyword | -| symantec_endpoint.log.disposition | Good / Bad / Unknown / Not available. | keyword | -| symantec_endpoint.log.domain_name | SEPM domain name. | keyword | -| symantec_endpoint.log.download_site | The URL determined from where the image was downloaded. | keyword | -| symantec_endpoint.log.downloaded_by | The creator process of the dropper threat. | keyword | -| symantec_endpoint.log.duration_seconds | The length of the scan, in seconds. | keyword | -| symantec_endpoint.log.end | Start time of the event (also see event.end). | keyword | -| symantec_endpoint.log.event_description | Description of the event. Usually, the first line of the description is treated as the summary. | keyword | -| symantec_endpoint.log.event_source | The data source. NETPORT, NATSRV, Network Intrusion Protection System, LiveUpdate Manager etc. | keyword | -| symantec_endpoint.log.event_time | Time of event occurrence. | date | -| symantec_endpoint.log.file_path | The file path of the attacked file. | keyword | -| symantec_endpoint.log.file_size_bytes | File size of application. | keyword | -| symantec_endpoint.log.first_seen | The first seen date for the convicted application. 
| keyword | -| symantec_endpoint.log.group | SEPM client group name. | keyword | -| symantec_endpoint.log.hash_type | Application hash type (MD5, SHA1, SHA256 etc). | keyword | -| symantec_endpoint.log.infected | The number of files that the scan found that were infected. | long | -| symantec_endpoint.log.inserted | The time that the event was inserted into the database. | date | -| symantec_endpoint.log.intensive_protection_level | The High Intensity Detection Level. | keyword | -| symantec_endpoint.log.intrusion_id | Intrusion ID. | keyword | -| symantec_endpoint.log.intrusion_payload_url | The URL that hosted the payload. | keyword | -| symantec_endpoint.log.intrusion_url | The URL from the detection. | keyword | -| symantec_endpoint.log.ip_address | IP Address of the machine. | keyword | -| symantec_endpoint.log.last_update_time | The time on the server when the event is logged into the system or updated in the system (GMT). | date | -| symantec_endpoint.log.local_host | The host name of the client computer. | keyword | -| symantec_endpoint.log.local_host_ip | The IP address of the local computer. | keyword | -| symantec_endpoint.log.local_host_mac | The MAC address of the local computer. | keyword | -| symantec_endpoint.log.local_host_name | The host name of the client computer. | keyword | -| symantec_endpoint.log.local_port | The TCP/UDP port of the local computer. | keyword | -| symantec_endpoint.log.location | The location used when the event occurred. | keyword | -| symantec_endpoint.log.md-5 | The MD5 hash value. | keyword | -| symantec_endpoint.log.network_protocol | Localized string for Others/ TCP/ UDP/ ICMP. | keyword | -| symantec_endpoint.log.occurrences | The number of attacks. Sometime, when a hacker launches a mass attack, it may be reduced to one event by the log system, depending on the damper period. | keyword | -| symantec_endpoint.log.omitted | The number of files that were omitted. 
| long | -| symantec_endpoint.log.parameters | Parameters is the name of the module, process, registry location or file that was used in the API call. Each parameter was converted to string format and separated by one space character. Double quotation mark characters within the string are escaped with a \ character. As an example, in the SEPM ADC policy you may have a rule with a condition which monitors for Load DLL Attempts with the rule being applied to mscoree.dll. In this case, in the parameters field you'd expect to see C:\Windows\SysWOW64\mscoree.dll. | keyword | -| symantec_endpoint.log.permitted_application_reason | Reason for allow listing (e.g. Symantec permitted application list, Administrator permitted application list). | keyword | -| symantec_endpoint.log.policy_name | Name of the policy. | keyword | -| symantec_endpoint.log.prevalence | Number of users that have seen this. | keyword | -| symantec_endpoint.log.remote_host_ip | The IP address of the remote computer. | keyword | -| symantec_endpoint.log.remote_host_mac | The MAC address of the remote computer. | keyword | -| symantec_endpoint.log.remote_port | The TCP/UDP port of the remote computer. | keyword | -| symantec_endpoint.log.requested_action | Requested action by policy. | keyword | -| symantec_endpoint.log.risk_level | The risk level (high, med, low) for the convicted threat. | keyword | -| symantec_endpoint.log.risk_name | | keyword | -| symantec_endpoint.log.risk_type | Localized strings for Heuristic / Cookie / Admin Black List / BPE / System Change / N/A. | keyword | -| symantec_endpoint.log.rule | The name of the rule that was triggered by the event. If the rule name is not specified in the security rule, then this field is empty. Having the rule name can be useful for troubleshooting. You may recognize a rule by the rule ID, but rule name can help you recognize it more quickly. | keyword | -| symantec_endpoint.log.scan_complete | Scan message when scan ended. 
| keyword | -| symantec_endpoint.log.scan_id | The scan ID provided by the agent. | keyword | -| symantec_endpoint.log.secondary_action | Secondary action requested by policy | keyword | -| symantec_endpoint.log.sensitivity | Engine sensitivity that produced this detection | long | -| symantec_endpoint.log.server | Name of the server. | keyword | -| symantec_endpoint.log.server_name | Name of the server. | keyword | -| symantec_endpoint.log.sha-256 | The SHA-256 hash value. | keyword | -| symantec_endpoint.log.signing_timestamp | The certificate's signature timestamp. | date | -| symantec_endpoint.log.site | SEPM site name. | keyword | -| symantec_endpoint.log.source | Scan source (e.g. scheduled). | keyword | -| symantec_endpoint.log.source_computer | Computer name where this event occurred. | keyword | -| symantec_endpoint.log.source_ip | IP address of the machine on which the event occurred. | keyword | -| symantec_endpoint.log.submission_recommended | Recommendation on whether to submit this detection to Symantec. | boolean | -| symantec_endpoint.log.threats | The number of threats that the scan found. | long | -| symantec_endpoint.log.total_files | The number of files scanned. | long | -| symantec_endpoint.log.traffic_direction | Unknown / Inbound / Outbound | keyword | -| symantec_endpoint.log.url_tracking_status | Network intrusion prevention status | keyword | -| symantec_endpoint.log.user1 | User when scan started. | keyword | -| symantec_endpoint.log.user2 | User when scan ended. | keyword | -| symantec_endpoint.log.user_name | | keyword | -| symantec_endpoint.log.web_domain | The web domain. | keyword | -| tags | List of keywords used to tag each event. | keyword | -| url.domain | Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. 
If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. | keyword | -| url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | wildcard | -| url.original.text | Multi-field of `url.original`. | match_only_text | -| url.path | Path of the request, such as "/search". | wildcard | -| url.scheme | Scheme of the request, such as "https". Note: The `:` is not part of the scheme. | keyword | -| user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword | -| user.name | Short name or login of the user. | keyword | -| user.name.text | Multi-field of `user.name`. | match_only_text | -| user_agent.original | Unparsed user_agent string. | keyword | -| user_agent.original.text | Multi-field of `user_agent.original`. 
| match_only_text | - - -An example event for `log` looks as following: - -```json -{ - "@timestamp": "2018-02-16T08:01:33.000Z", - "agent": { - "ephemeral_id": "360bd055-47f7-487a-b357-e372825d65dd", - "id": "33b93e16-9d01-4487-9b09-99db9e860912", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "8.2.2" - }, - "data_stream": { - "dataset": "symantec_endpoint.log", - "namespace": "ep", - "type": "logs" - }, - "ecs": { - "version": "8.3.0" - }, - "elastic_agent": { - "id": "33b93e16-9d01-4487-9b09-99db9e860912", - "snapshot": false, - "version": "8.2.2" - }, - "event": { - "action": "Left alone", - "agent_id_status": "verified", - "count": 1, - "dataset": "symantec_endpoint.log", - "end": "2018-02-16T08:01:33.000Z", - "ingested": "2022-06-27T23:54:21Z", - "kind": "event", - "original": "Potential risk found,Computer name: exampleComputer,Detection type: Heuristic,First Seen: Symantec has known about this file approximately 2 days.,Application name: Propsim,Application type: 127,\"Application version: \"\"3\",0,6,\"0\"\"\",Hash type: SHA-256,Application hash: SHA#1234567890,Company name: Dummy Technologies,File size (bytes): 343040,Sensitivity: 2,Detection score: 3,COH Engine Version: 8.1.1.1,Detection Submissions No,Permitted application reason: MDS,Disposition: Bad,Download site: ,Web domain: ,Downloaded by: c:/programdata/oracle/java/javapath_target_2151967445/Host126,Prevalence: Unknown,Confidence: There is not enough information about this file to recommend it.,URL Tracking Status: Off,Risk Level: High,Detection Source: N/A,Source: Heuristic Scan,Risk name: ,Occurrences: 1,f:\\user\\workspace\\baseline package creator\\release\\Host214,'',Actual action: Left alone,Requested action: Left alone,Secondary action: Left alone,Event time: 2018-02-16 08:01:33,Inserted: 2018-02-16 08:02:52,End: 2018-02-16 08:01:33,Domain: Default,Group: My Company\\SEPM Group Name,Server: SEPMServer,User: exampleUser,Source computer: ,Source IP:" - }, - "file": { - 
"pe": { - "company": "Dummy Technologies", - "file_version": "\"3", - "product": "Propsim" - }, - "size": 343040 - }, - "host": { - "hostname": "exampleComputer", - "name": "exampleComputer" - }, - "input": { - "type": "udp" - }, - "log": { - "source": { - "address": "172.19.0.4:51285" - } - }, - "process": { - "executable": "c:/programdata/oracle/java/javapath_target_2151967445/Host126" - }, - "symantec_endpoint": { - "log": { - "actual_action": "Left alone", - "application_hash": "SHA#1234567890", - "application_name": "Propsim", - "application_type": "127", - "application_version": "\"3", - "coh_engine_version": "8.1.1.1", - "company_name": "Dummy Technologies", - "computer_name": "exampleComputer", - "confidence": "There is not enough information about this file to recommend it.", - "detection_score": "3", - "detection_source": "N/A", - "detection_type": "Heuristic", - "disposition": "Bad", - "domain_name": "Default", - "downloaded_by": "c:/programdata/oracle/java/javapath_target_2151967445/Host126", - "end": "2018-02-16 08:01:33", - "event_time": "2018-02-16T08:01:33.000Z", - "file_size_bytes": "343040", - "first_seen": "Symantec has known about this file approximately 2 days.", - "group": "My Company\\SEPM Group Name", - "hash_type": "SHA-256", - "inserted": "2018-02-16T08:02:52.000Z", - "occurrences": "1", - "permitted_application_reason": "MDS", - "prevalence": "Unknown", - "requested_action": "Left alone", - "risk_level": "High", - "secondary_action": "Left alone", - "sensitivity": 2, - "server": "SEPMServer", - "source": "Heuristic Scan", - "url_tracking_status": "Off", - "user_name": "exampleUser" - } - }, - "tags": [ - "preserve_original_event", - "symantec-endpoint-log", - "forwarded" - ], - "user": { - "domain": "Default", - "name": "exampleUser" - } -} -```
diff --git a/packages/symantec_endpoint/2.0.1/img/logo.svg b/packages/symantec_endpoint/2.0.1/img/logo.svg
deleted file mode 100755
index 1b87d1e578..0000000000
--- a/packages/symantec_endpoint/2.0.1/img/logo.svg
+++ /dev/null
@@ -1,35 +0,0 @@
- - - -image/svg+xml
diff --git a/packages/symantec_endpoint/2.0.1/img/symantec-endpoint-logs-overview.png b/packages/symantec_endpoint/2.0.1/img/symantec-endpoint-logs-overview.png
deleted file mode 100755
index e2c8f8f867..0000000000
Binary files a/packages/symantec_endpoint/2.0.1/img/symantec-endpoint-logs-overview.png and /dev/null differ
diff --git a/packages/symantec_endpoint/2.0.1/kibana/dashboard/symantec_endpoint-3ac0a690-5f71-11ec-85e4-338fc80d8393.json b/packages/symantec_endpoint/2.0.1/kibana/dashboard/symantec_endpoint-3ac0a690-5f71-11ec-85e4-338fc80d8393.json
deleted file mode 100755
index 89e8d78857..0000000000
--- a/packages/symantec_endpoint/2.0.1/kibana/dashboard/symantec_endpoint-3ac0a690-5f71-11ec-85e4-338fc80d8393.json
+++ /dev/null
@@ -1,77 +0,0 @@ -{ - "attributes": { - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"symantec_endpoint.log\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"symantec_endpoint.log\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-c971e3e3-37d5-4171-93af-956925edabb1\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"c971e3e3-37d5-4171-93af-956925edabb1\":{\"columnOrder\":[\"9a35327d-0a3f-43e9-8ef1-a7589a20c23d\",\"1c38d61b-9801-43fd-a8d0-fdafc89b1826\",\"5a933de5-3586-4844-88e8-4860130de30b\"],\"columns\":{\"1c38d61b-9801-43fd-a8d0-fdafc89b1826\":{\"dataType\":\"date\",\"isBucketed\":true,\"label\":\"@timestamp\",\"operationType\":\"date_histogram\",\"params\":{\"interval\":\"auto\"},\"scale\":\"interval\",\"sourceField\":\"@timestamp\"},\"5a933de5-3586-4844-88e8-4860130de30b\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Log Count\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"9a35327d-0a3f-43e9-8ef1-a7589a20c23d\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of 
event.provider\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"5a933de5-3586-4844-88e8-4860130de30b\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":20},\"scale\":\"ordinal\",\"sourceField\":\"event.provider\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"accessors\":[\"5a933de5-3586-4844-88e8-4860130de30b\"],\"layerId\":\"c971e3e3-37d5-4171-93af-956925edabb1\",\"layerType\":\"data\",\"position\":\"top\",\"seriesType\":\"bar_stacked\",\"showGridlines\":false,\"splitAccessor\":\"9a35327d-0a3f-43e9-8ef1-a7589a20c23d\",\"xAccessor\":\"1c38d61b-9801-43fd-a8d0-fdafc89b1826\"}],\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"preferredSeriesType\":\"bar_stacked\",\"title\":\"Empty XY chart\",\"valueLabels\":\"hide\",\"yLeftExtent\":{\"mode\":\"full\"},\"yRightExtent\":{\"mode\":\"full\"}}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsXY\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"47f211da-7063-45c2-9be8-488f5e90cbf8\",\"w\":24,\"x\":0,\"y\":0},\"panelIndex\":\"47f211da-7063-45c2-9be8-488f5e90cbf8\",\"title\":\"Log Types over 
Time\",\"type\":\"lens\",\"version\":\"7.16.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-eac3c835-8b5e-4f3c-a023-81f830cd6a4a\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"eac3c835-8b5e-4f3c-a023-81f830cd6a4a\":{\"columnOrder\":[\"21fba635-b5ea-4d84-af67-d710ec8ad164\",\"5564c2e5-debb-45e0-a159-0e7f229b2b94\",\"d2354973-ded4-4075-8afd-ae1835d1ea18\"],\"columns\":{\"21fba635-b5ea-4d84-af67-d710ec8ad164\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"event.category\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"d2354973-ded4-4075-8afd-ae1835d1ea18\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":6},\"scale\":\"ordinal\",\"sourceField\":\"event.category\"},\"5564c2e5-debb-45e0-a159-0e7f229b2b94\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"event.type\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"d2354973-ded4-4075-8afd-ae1835d1ea18\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":6},\"scale\":\"ordinal\",\"sourceField\":\"event.type\"},\"d2354973-ded4-4075-8afd-ae1835d1ea18\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of 
records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"gridConfig\":{\"isCellLabelVisible\":false,\"isXAxisLabelVisible\":true,\"isYAxisLabelVisible\":true,\"type\":\"lens_heatmap_grid\"},\"layerId\":\"eac3c835-8b5e-4f3c-a023-81f830cd6a4a\",\"layerType\":\"data\",\"legend\":{\"isVisible\":false,\"position\":\"right\",\"type\":\"lens_heatmap_legendConfig\"},\"shape\":\"heatmap\",\"valueAccessor\":\"d2354973-ded4-4075-8afd-ae1835d1ea18\",\"xAccessor\":\"21fba635-b5ea-4d84-af67-d710ec8ad164\",\"yAccessor\":\"5564c2e5-debb-45e0-a159-0e7f229b2b94\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsHeatmap\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"107c480c-8ee8-48ea-9e3a-7addcc0bad09\",\"w\":24,\"x\":24,\"y\":0},\"panelIndex\":\"107c480c-8ee8-48ea-9e3a-7addcc0bad09\",\"title\":\"Event Category/Type Matrix\",\"type\":\"lens\",\"version\":\"7.16.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-bf9e979f-85fd-4ba9-86b5-7df1b94347e2\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"bf9e979f-85fd-4ba9-86b5-7df1b94347e2\":{\"columnOrder\":[\"4bbe5fec-050a-426e-aa8e-1d839d13b009\",\"b9a29e43-f628-447c-8225-1db604dff2e7\",\"ba004b9c-050e-47ea-a5fe-5808be9fc79f\"],\"columns\":{\"4bbe5fec-050a-426e-aa8e-1d839d13b009\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of 
process.executable\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"ba004b9c-050e-47ea-a5fe-5808be9fc79f\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":20},\"scale\":\"ordinal\",\"sourceField\":\"process.executable\"},\"b9a29e43-f628-447c-8225-1db604dff2e7\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"event.provider\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"ba004b9c-050e-47ea-a5fe-5808be9fc79f\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"event.provider\"},\"ba004b9c-050e-47ea-a5fe-5808be9fc79f\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Events\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"columns\":[{\"columnId\":\"4bbe5fec-050a-426e-aa8e-1d839d13b009\",\"isTransposed\":false},{\"columnId\":\"ba004b9c-050e-47ea-a5fe-5808be9fc79f\",\"isTransposed\":false},{\"columnId\":\"b9a29e43-f628-447c-8225-1db604dff2e7\",\"isTransposed\":false}],\"layerId\":\"bf9e979f-85fd-4ba9-86b5-7df1b94347e2\",\"layerType\":\"data\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsDatatable\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"8fd69bce-37ba-4338-bbe0-9bb0bae7ceee\",\"w\":20,\"x\":0,\"y\":15},\"panelIndex\":\"8fd69bce-37ba-4338-bbe0-9bb0bae7ceee\",\"title\":\"Process 
Executables\",\"type\":\"lens\",\"version\":\"7.16.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-bf9e979f-85fd-4ba9-86b5-7df1b94347e2\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"bf9e979f-85fd-4ba9-86b5-7df1b94347e2\":{\"columnOrder\":[\"4bbe5fec-050a-426e-aa8e-1d839d13b009\",\"b9a29e43-f628-447c-8225-1db604dff2e7\",\"ba004b9c-050e-47ea-a5fe-5808be9fc79f\"],\"columns\":{\"4bbe5fec-050a-426e-aa8e-1d839d13b009\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of file.path\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"ba004b9c-050e-47ea-a5fe-5808be9fc79f\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":20},\"scale\":\"ordinal\",\"sourceField\":\"file.path\"},\"b9a29e43-f628-447c-8225-1db604dff2e7\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"event.provider\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"ba004b9c-050e-47ea-a5fe-5808be9fc79f\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"event.provider\"},\"ba004b9c-050e-47ea-a5fe-5808be9fc79f\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Events\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"columns\":[{\"columnId\":\"4bbe5fec-050a-426e-aa8e-1d839d13b009\",\"isTransposed\":false,\"width\":654},{\"columnId\":\"ba004b9c-050e-47ea-a5fe-5808be9fc79f\",\"isTransposed\":false},{\"columnId\":\"b9a29e43-f628-447c-8225-1db604dff2e7\",\"isTransposed\":false}],\"layerId\":\"
bf9e979f-85fd-4ba9-86b5-7df1b94347e2\",\"layerType\":\"data\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsDatatable\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"c1d7b91d-0c0f-4c72-939d-18220e449e1a\",\"w\":20,\"x\":20,\"y\":15},\"panelIndex\":\"c1d7b91d-0c0f-4c72-939d-18220e449e1a\",\"title\":\"File Paths\",\"type\":\"lens\",\"version\":\"7.16.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-028dd220-5ea4-4938-a753-3a833f191e13\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"028dd220-5ea4-4938-a753-3a833f191e13\":{\"columnOrder\":[\"c10eaf4e-5353-41d6-937d-c45050d15294\",\"b2d572aa-bf40-4b3c-b7a7-9857719f294c\"],\"columns\":{\"b2d572aa-bf40-4b3c-b7a7-9857719f294c\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Events\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"c10eaf4e-5353-41d6-937d-c45050d15294\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of 
host.name\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"b2d572aa-bf40-4b3c-b7a7-9857719f294c\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":100},\"scale\":\"ordinal\",\"sourceField\":\"host.name\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"columns\":[{\"columnId\":\"c10eaf4e-5353-41d6-937d-c45050d15294\",\"isTransposed\":false},{\"columnId\":\"b2d572aa-bf40-4b3c-b7a7-9857719f294c\",\"isTransposed\":false}],\"layerId\":\"028dd220-5ea4-4938-a753-3a833f191e13\",\"layerType\":\"data\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsDatatable\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"cfc78bcd-47bc-4a32-8d25-6e4967461d03\",\"w\":8,\"x\":40,\"y\":15},\"panelIndex\":\"cfc78bcd-47bc-4a32-8d25-6e4967461d03\",\"title\":\"Hosts\",\"type\":\"lens\",\"version\":\"7.16.0\"}]", - "timeRestore": false, - "title": "[Symantec Endpoint Log] Overview", - "version": 1 - }, - "coreMigrationVersion": "7.16.0", - "id": "symantec_endpoint-3ac0a690-5f71-11ec-85e4-338fc80d8393", - "migrationVersion": { - "dashboard": "7.16.0" - }, - "references": [ - { - "id": "metrics-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "47f211da-7063-45c2-9be8-488f5e90cbf8:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "47f211da-7063-45c2-9be8-488f5e90cbf8:indexpattern-datasource-layer-c971e3e3-37d5-4171-93af-956925edabb1", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "107c480c-8ee8-48ea-9e3a-7addcc0bad09:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "107c480c-8ee8-48ea-9e3a-7addcc0bad09:indexpattern-datasource-layer-eac3c835-8b5e-4f3c-a023-81f830cd6a4a", - "type": 
"index-pattern" - }, - { - "id": "logs-*", - "name": "8fd69bce-37ba-4338-bbe0-9bb0bae7ceee:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "8fd69bce-37ba-4338-bbe0-9bb0bae7ceee:indexpattern-datasource-layer-bf9e979f-85fd-4ba9-86b5-7df1b94347e2", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "c1d7b91d-0c0f-4c72-939d-18220e449e1a:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "c1d7b91d-0c0f-4c72-939d-18220e449e1a:indexpattern-datasource-layer-bf9e979f-85fd-4ba9-86b5-7df1b94347e2", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "cfc78bcd-47bc-4a32-8d25-6e4967461d03:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "cfc78bcd-47bc-4a32-8d25-6e4967461d03:indexpattern-datasource-layer-028dd220-5ea4-4938-a753-3a833f191e13", - "type": "index-pattern" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/symantec_endpoint/2.0.1/manifest.yml b/packages/symantec_endpoint/2.0.1/manifest.yml deleted file mode 100755 index e2ff803751..0000000000 --- a/packages/symantec_endpoint/2.0.1/manifest.yml +++ /dev/null 
@@ -1,37 +0,0 @@
-name: symantec_endpoint
-title: Symantec Endpoint Protection
-version: "2.0.1"
-release: ga
-description: Collect logs from Symantec Endpoint Protection with Elastic Agent.
-type: integration
-format_version: 1.0.0
-license: basic
-categories: ["security"]
-conditions:
- kibana.version: "^7.16.0 || ^8.0.0"
-icons:
- - src: /img/logo.svg
- title: Symantec
- size: 216x216
- type: image/svg+xml
-screenshots:
- - src: /img/symantec-endpoint-logs-overview.png
- title: Symantec Endpoint Logs Overview Dashboard
- size: 2970x2234
- type: image/png
-policy_templates:
- - name: symantec
- title: Symantec Endpoint Protection logs
- description: Collect Symantec Endpoint Protection logs from file or over syslog.
- inputs:
- - type: logfile
- title: Collect logs from file
- description: Collect Symantec Endpoint Protection logs from file.
- - type: tcp
- title: Collect logs over TCP
- description: Collect Symantec Endpoint Protection logs over TCP.
- - type: udp
- title: Collect logs over UDP
- description: Collect Symantec Endpoint Protection logs over UDP.
-owner:
- github: elastic/security-external-integrations
diff --git a/packages/ti_cif3/0.2.0/LICENSE.txt b/packages/ti_cif3/0.2.0/LICENSE.txt
deleted file mode 100755
index 809108b857..0000000000
--- a/packages/ti_cif3/0.2.0/LICENSE.txt
+++ /dev/null
@@ -1,93 +0,0 @@ -Elastic License 2.0 - -URL: https://www.elastic.co/licensing/elastic-license - -## Acceptance - -By using the software, you agree to all of the terms and conditions below. - -## Copyright License - -The licensor grants you a non-exclusive, royalty-free, worldwide, -non-sublicensable, non-transferable license to use, copy, distribute, make -available, and prepare derivative works of the software, in each case subject to -the limitations and conditions below. - -## Limitations - -You may not provide the software to third parties as a hosted or managed -service, where the service provides users with access to any substantial set of -the features or functionality of the software. - -You may not move, change, disable, or circumvent the license key functionality -in the software, and you may not remove or obscure any functionality in the -software that is protected by the license key. - -You may not alter, remove, or obscure any licensing, copyright, or other notices -of the licensor in the software. Any use of the licensor’s trademarks is subject -to applicable law. - -## Patents - -The licensor grants you a license, under any patent claims the licensor can -license, or becomes able to license, to make, have made, use, sell, offer for -sale, import and have imported the software, in each case subject to the -limitations and conditions in this license. This license does not cover any -patent claims that you cause to be infringed by modifications or additions to -the software. If you or your company make any written claim that the software -infringes or contributes to infringement of any patent, your patent license for -the software granted under these terms ends immediately. If your company makes -such a claim, your patent license ends immediately for work on behalf of your -company. - -## Notices - -You must ensure that anyone who gets a copy of any part of the software from you -also gets a copy of these terms. 
- -If you modify the software, you must include in any modified copies of the -software prominent notices stating that you have modified the software. - -## No Other Rights - -These terms do not imply any licenses other than those expressly granted in -these terms. - -## Termination - -If you use the software in violation of these terms, such use is not licensed, -and your licenses will automatically terminate. If the licensor provides you -with a notice of your violation, and you cease all violation of this license no -later than 30 days after you receive that notice, your licenses will be -reinstated retroactively. However, if you violate these terms after such -reinstatement, any additional violation of these terms will cause your licenses -to terminate automatically and permanently. - -## No Liability - -*As far as the law allows, the software comes as is, without any warranty or -condition, and the licensor will not be liable to you for any damages arising -out of these terms or the use or nature of the software, under any kind of -legal claim.* - -## Definitions - -The **licensor** is the entity offering these terms, and the **software** is the -software the licensor makes available under these terms, including any portion -of it. - -**you** refers to the individual or entity agreeing to these terms. - -**your company** is any legal entity, sole proprietorship, or other kind of -organization that you work for, plus all organizations that have control over, -are under the control of, or are under common control with that -organization. **control** means ownership of substantially all the assets of an -entity, or the power to direct its management and policies by vote, contract, or -otherwise. Control can be direct or indirect. - -**your licenses** are all the licenses granted to you for the software under -these terms. - -**use** means anything you do with the software requiring one of your licenses. 
-
-**trademark** means trademarks, service marks, and similar rights.
diff --git a/packages/ti_cif3/0.2.0/changelog.yml b/packages/ti_cif3/0.2.0/changelog.yml
deleted file mode 100755
index 2498722408..0000000000
--- a/packages/ti_cif3/0.2.0/changelog.yml
+++ /dev/null
@@ -1,11 +0,0 @@
-# newer versions go on top
-- version: "0.2.0"
- changes:
- - description: Labelling with Threat Intelligence category
- type: enhancement
- link: https://github.com/elastic/integrations/pull/4304
-- version: "0.1.0"
- changes:
- - description: Initial draft of the package
- type: enhancement
- link: https://github.com/elastic/integrations/pull/3839
diff --git a/packages/ti_cif3/0.2.0/data_stream/feed/agent/stream/httpjson.yml.hbs b/packages/ti_cif3/0.2.0/data_stream/feed/agent/stream/httpjson.yml.hbs
deleted file mode 100755
index 42f0dcb645..0000000000
--- a/packages/ti_cif3/0.2.0/data_stream/feed/agent/stream/httpjson.yml.hbs
+++ /dev/null
@@ -1,87 +0,0 @@ -config_version: "2" -interval: {{interval}} -request.method: "GET" - -{{#if url}} -request.url: {{url}}/feed -{{/if}} -{{#if proxy_url }} -request.proxy_url: {{proxy_url}} -{{/if}} -{{#if ssl}} -request.ssl: {{ssl}} -{{/if}} -{{#if http_client_timeout}} -request.timeout: {{http_client_timeout}} -{{/if}} -request.transforms: -- set: - target: header.Accept - value: 'application/vnd.cif.v3+json' -- delete: - target: header.User-Agent -- set: - target: header.User-Agent - value: elastic-integration/0.1.0 -{{#if api_token }} -- set: - target: header.Authorization - value: Token token={{ api_token }} -{{/if}} -{{#if type}} -- set: - target: url.params.itype - value: {{ type }} -{{/if}} -{{#if confidence}} -- set: - target: url.params.confidence - value: {{ confidence }} -{{/if}} -{{#if limit}} -- set: - target: url.params.limit - value: {{ limit }} -{{/if}} -{{#if cif_tags}} -- set: - target: url.params.tags - value: {{ cif_tags }} -{{/if}} -{{#if lookback_hours}} -- set: - target: url.params.hours - value: {{ lookback_hours }} -{{/if}} -- set: - target: url.params.reporttime - value: '[[.cursor.last_requested_at]]' - default: '[[ formatDate (now (parseDuration "-{{initial_lookback}}")) "RFC3339" ]]' - -{{#each filters}} -- set: - target: "url.params.{{{ @key }}}" - value: {{ this }} -{{/each}} - -response.split: - target: body.data - -cursor: - last_requested_at: - value: '[[ formatDate (now) "RFC3339" ]]' - -tags: -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#each tags as |tag i|}} - - {{tag}} -{{/each}} -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} -{{#if processors}} -processors: -{{processors}} -{{/if}} \ No newline at end of file diff --git a/packages/ti_cif3/0.2.0/data_stream/feed/elasticsearch/ingest_pipeline/default.yml b/packages/ti_cif3/0.2.0/data_stream/feed/elasticsearch/ingest_pipeline/default.yml deleted file mode 100755 index 710037d1b1..0000000000 
--- a/packages/ti_cif3/0.2.0/data_stream/feed/elasticsearch/ingest_pipeline/default.yml
+++ /dev/null
@@ -1,341 +0,0 @@
----
-description: Pipeline for processing CIFv3 threat indicators
-processors:
- ####################
- # Event ECS fields #
- ####################
- - set:
- field: ecs.version
- value: "8.4.0"
- - set:
- field: event.kind
- value: enrichment
- - set:
- field: event.category
- value: threat
- - set:
- field: event.type
- value: indicator
-
- ######################
- # General ECS fields #
- ######################
- - rename:
- field: message
- target_field: event.original
- ignore_missing: true
- - json:
- field: event.original
- target_field: cif3
-
- #####################
- # Threat ECS Fields #
- #####################
- - rename:
- field: cif3.firsttime
- target_field: threat.indicator.first_seen
- ignore_missing: true
- - rename:
- field: cif3.lasttime
- target_field: threat.indicator.last_seen
- ignore_missing: true
- - rename:
- field: cif3.reporttime
- target_field: threat.indicator.modified_at
- ignore_missing: true
- - rename:
- field: cif3.provider
- target_field: threat.indicator.provider
- ignore_missing: true
- - rename:
- field: cif3.reference
- target_field: threat.indicator.reference
- ignore_missing: true
- - rename:
- field: cif3.count
- target_field: threat.indicator.sightings
- ignore_missing: true
- - rename:
- field: cif3.description
- target_field: threat.indicator.description
- ignore_missing: true
- if: "ctx.cif3?.description != ''"
- - uppercase:
- field: cif3.tlp
- target_field: threat.indicator.marking.tlp
- ignore_missing: true
- if: ctx.cif3?.tlp != null
- ## File indicator operations
- - set:
- field: threat.indicator.type
- value: file
- if: "['md5', 'sha1', 'sha256', 'sha512', 'ssdeep'].contains(ctx.cif3?.itype) && !ctx.cif3?.tags.contains('ja3')"
- - rename:
- field: cif3.indicator
- target_field: threat.indicator.tls.client.ja3
- ignore_missing: true
- if: "ctx.cif3?.itype == 'md5' && ctx.cif3?.tags.contains('ja3')"
- - rename:
- field: cif3.indicator
- target_field: threat.indicator.file.pe.imphash
-
ignore_missing: true
- if: "ctx.cif3?.itype == 'md5' && ctx.cif3?.tags.contains('imphash')"
- - append:
- field: related.hash
- value: "{{{ threat.indicator.file.hash.pe.imphash }}}"
- if: ctx?.threat?.indicator?.file?.pe?.imphash != null
- - rename:
- field: cif3.indicator
- target_field: _tmp.hashvalue
- ignore_missing: true
- if: "ctx.threat?.indicator?.type == 'file'"
- - set:
- field: threat.indicator.file.hash.{{cif3.itype}}
- value: "{{{ _tmp.hashvalue }}}"
- if: "ctx.threat?.indicator?.type == 'file'"
- - append:
- field: related.hash
- value: "{{{ _tmp.hashvalue }}}"
- ignore_failure: true
- if: "ctx.threat?.indicator?.type == 'file' && ctx?.threat?.indicator?.file?.pe?.imphash == null"
-
- ## ASN indicator operations
- - set:
- field: threat.indicator.type
- value: autonomous-system
- if: "ctx.cif3?.itype == 'asn'"
- - grok:
- field: cif3.indicator
- patterns:
- - "as(?:%{INT:threat.indicator.as.number})"
- ignore_failure: true
- if: "ctx.cif3?.itype == 'asn'"
-
- ## IP indicator operations
- - set:
- field: threat.indicator.type
- value: ipv4-addr
- if: "ctx.cif3?.itype == 'ipv4'"
- - set:
- field: threat.indicator.type
- value: ipv6-addr
- if: "ctx.cif3?.itype == 'ipv6'"
- - rename:
- field: cif3.indicator
- target_field: threat.indicator.network.cidr
- ignore_missing: true
- if: "ctx.threat?.indicator?.type != null && ['ipv4-addr', 'ipv6-addr'].contains(ctx.threat.indicator.type) && (ctx.cif3?.indicator_ipv4_mask != null || ctx.cif3?.indicator_ipv6_mask != null)"
- - convert:
- field: cif3.indicator
- type: ip
- target_field: threat.indicator.ip
- ignore_missing: true
- if: "ctx.threat?.indicator?.type != null && ['ipv4-addr', 'ipv6-addr'].contains(ctx.threat.indicator.type) && ctx.cif3?.indicator_ipv4_mask == null && ctx.cif3?.indicator_ipv6_mask == null"
- - append:
- field: related.ip
- value: "{{{ threat.indicator.ip }}}"
- if: ctx?.threat?.indicator?.ip != null
- - rename:
- field: cif3.cc
- target_field: threat.indicator.geo.country_iso_code
-
ignore_missing: true
- if: "ctx.threat?.indicator?.type != null && ['ipv4-addr', 'ipv6-addr'].contains(ctx.threat.indicator.type) && ctx.cif3?.cc != null"
- - rename:
- field: cif3.asn
- target_field: threat.indicator.as.number
- ignore_missing: true
- if: "ctx.threat?.indicator?.type != null && ['ipv4-addr', 'ipv6-addr'].contains(ctx.threat.indicator.type) && ctx.cif3?.asn != null"
- - rename:
- field: cif3.asn_desc
- target_field: threat.indicator.as.organization.name
- ignore_missing: true
- if: "ctx.threat?.indicator?.type != null && ['ipv4-addr', 'ipv6-addr'].contains(ctx.threat.indicator.type) && ctx.cif3?.asn_desc != null"
- - rename:
- field: cif3.latitude
- target_field: threat.indicator.geo.location.lat
- ignore_missing: true
- if: "ctx.threat?.indicator?.type != null && ['ipv4-addr', 'ipv6-addr'].contains(ctx.threat.indicator.type) && ctx.cif3?.latitude != null"
- - rename:
- field: cif3.longitude
- target_field: threat.indicator.geo.location.lon
- ignore_missing: true
- if: "ctx.threat?.indicator?.type != null && ['ipv4-addr', 'ipv6-addr'].contains(ctx.threat.indicator.type) && ctx.cif3?.longitude != null"
- - rename:
- field: cif3.region
- target_field: threat.indicator.geo.region_name
- ignore_missing: true
- if: "ctx.threat?.indicator?.type != null && ['ipv4-addr', 'ipv6-addr'].contains(ctx.threat.indicator.type) && ctx.cif3?.region != null"
- - rename:
- field: cif3.timezone
- target_field: threat.indicator.geo.timezone
- ignore_missing: true
- if: "ctx.threat?.indicator?.type != null && ['ipv4-addr', 'ipv6-addr'].contains(ctx.threat.indicator.type) && ctx.cif3?.timezone != null"
-
- ## URL indicator operations
- - set:
- field: threat.indicator.type
- value: url
- if: "ctx.cif3?.itype == 'url'"
- - uri_parts:
- field: cif3.indicator
- target_field: threat.indicator.url
- keep_original: true
- remove_if_successful: true
- if: "ctx.threat?.indicator?.type == 'url'"
- - set:
- field: threat.indicator.url.full
- value:
"{{{threat.indicator.url.original}}}" - ignore_empty_value: true - if: "ctx.cif3?.itype == 'url'" - # Host could be either IP address or hostname - - grok: - field: cif3.indicator - patterns: - - "%{URIPROTO:threat.indicator.url.scheme}://(?:%{IPV4:threat.indicator.ip}|\\[?%{IPV6:threat.indicator.ip}\\]?|%{HOSTNAME:threat.indicator.url.domain})(?::%{POSINT:threat.indicator.url.port})?(?:%{URIPATH:threat.indicator.url.path})?.*" - ignore_failure: true - if: "ctx.cif3?.itype == 'url'" - - ## Email indicator operations - - set: - field: threat.indicator.type - value: email-addr - if: "ctx.cif3?.itype == 'email'" - - rename: - field: cif3.indicator - target_field: threat.indicator.email.address - ignore_missing: true - if: "ctx.threat?.indicator?.type == 'email-addr'" - - grok: - field: threat.indicator.email.address - patterns: - - "%{USERNAME}@%{GREEDYDATA:threat.indicator.url.domain}" - ignore_failure: true - if: "ctx.threat?.indicator?.type == 'email-addr'" - - ## Domain indicator operations - - set: - field: threat.indicator.type - value: domain-name - if: "ctx.cif3?.itype == 'fqdn'" - - rename: - field: cif3.indicator - target_field: threat.indicator.url.domain - ignore_missing: true - if: "ctx.threat?.indicator?.type == 'domain-name' && ctx.threat?.indicator?.url?.domain == null" - - append: - field: related.hosts - value: "{{{ threat.indicator.url.domain }}}" - if: ctx?.threat?.indicator?.url?.domain != null - - ###################### - # Confidence # - ###################### - - script: - lang: painless - if: ctx.cif3?.confidence != null - description: Normalize confidence level. 
- source: >
- def value = ctx.cif3.confidence;
- if (value < 0.0 || value > 10.0) {
- ctx.threat.indicator.confidence = "None";
- return;
- }
- if (value >= 0.0 && value < 3.0) {
- ctx.threat.indicator.confidence = "Low";
- return;
- }
- if (value >= 3.0 && value < 7.0) {
- ctx.threat.indicator.confidence = "Med";
- return;
- }
- if (value >= 7.0 && value <= 10.0) {
- ctx.threat.indicator.confidence = "High";
- return;
- }
-
- ###################
- # Tags ECS fields #
- ###################
- - foreach:
- field: cif3.tags
- ignore_missing: true
- processor:
- append:
- field: tags
- value: "{{_ingest._value}}"
- allow_duplicates: false
- if: ctx.cif3?.tags != null
-
- ## Misc
- - rename:
- field: cif3.protocol
- target_field: network.transport
- if: ctx.cif3?.protocol != null
- - rename:
- field: cif3.application
- target_field: network.protocol
- if: ctx.cif3?.application != null
- - rename:
- field: cif3.port
- target_field: threat.indicator.port
- # sometimes contains a range like 1000-1002 or CSVs like 10,22,52
- ignore_failure: true
- if: ctx.cif3?.port != null
-
- ######################
- # Cleanup processors #
- ######################
- - set:
- field: threat.indicator.type
- value: unknown
- if: ctx.threat?.indicator?.type == null
- - script:
- lang: painless
- if: ctx.cif3 != null
- source: |
- void handleMap(Map map) {
- for (def x : map.values()) {
- if (x instanceof Map) {
- handleMap(x);
- } else if (x instanceof List) {
- handleList(x);
- }
- }
- map.values().removeIf(v -> v == null);
- }
- void handleList(List list) {
- for (def x : list) {
- if (x instanceof Map) {
- handleMap(x);
- } else if (x instanceof List) {
- handleList(x);
- }
- }
- }
- handleMap(ctx);
- - remove:
- field: cif3.rdata
- ignore_missing: true
- if: "ctx.cif3?.rdata == ''"
- - remove:
- field:
- - cif3.indicator
- - cif3.confidence
- - cif3.indicator_ipv4
- - cif3.indicator_ipv6
- - cif3.group
- - cif3.latitude
- - cif3.longitude
- - cif3.location
- - cif3.city
- - cif3.region
-
- cif3.tags
- - cif3.tlp
- - message
- - _tmp
- ignore_missing: true
- if: ctx.threat?.indicator?.type != null
-on_failure:
- - set:
- field: error.message
- value: "{{ _ingest.on_failure_message }}"
diff --git a/packages/ti_cif3/0.2.0/data_stream/feed/fields/base-fields.yml b/packages/ti_cif3/0.2.0/data_stream/feed/fields/base-fields.yml
deleted file mode 100755
index 94818182d4..0000000000
--- a/packages/ti_cif3/0.2.0/data_stream/feed/fields/base-fields.yml
+++ /dev/null
@@ -1,24 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: '@timestamp'
- type: date
- description: Event timestamp.
-- name: event.module
- type: constant_keyword
- description: Event module
- value: ti_cif3
-- name: threat.feed.name
- type: constant_keyword
- description: Display friendly feed name
- value: cif3
-- name: event.dataset
- type: constant_keyword
- description: Event dataset
- value: ti_cif3.feed
diff --git a/packages/ti_cif3/0.2.0/data_stream/feed/fields/beats.yml b/packages/ti_cif3/0.2.0/data_stream/feed/fields/beats.yml
deleted file mode 100755
index cb44bb2944..0000000000
--- a/packages/ti_cif3/0.2.0/data_stream/feed/fields/beats.yml
+++ /dev/null
@@ -1,12 +0,0 @@
-- name: input.type
- type: keyword
- description: Type of Filebeat input.
-- name: log.flags
- type: keyword
- description: Flags for the log file.
-- name: log.offset
- type: long
- description: Offset of the entry in the log file.
-- name: log.file.path
- type: keyword
- description: Path to the log file.
diff --git a/packages/ti_cif3/0.2.0/data_stream/feed/fields/ecs.yml b/packages/ti_cif3/0.2.0/data_stream/feed/fields/ecs.yml
deleted file mode 100755
index 7c1151e2f8..0000000000
--- a/packages/ti_cif3/0.2.0/data_stream/feed/fields/ecs.yml
+++ /dev/null
@@ -1,225 +0,0 @@
-- description: |-
- ECS version this event conforms to. `ecs.version` is a required field and must exist in all events.
- When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events.
- name: ecs.version
- type: keyword
-- description: |-
- For log events the message field contains the log message, optimized for viewing in a log viewer.
- For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event.
- If multiple messages exist, they can be combined into one message.
- name: message
- type: match_only_text
-- description: Error message.
- name: error.message
- type: match_only_text
-- description: List of keywords used to tag each event.
- name: tags
- normalize:
- - array
- type: keyword
-- description: All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search).
- name: related.hash
- normalize:
- - array
- type: keyword
-- description: All of the IPs seen on your event.
- name: related.ip
- normalize:
- - array
- type: ip
-- description: |-
- event.created contains the date/time when the event was first read by an agent, or by your pipeline.
- This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event.
- In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source.
- In case the two timestamps are identical, @timestamp should be used.
- name: event.created
- type: date
-- description: |-
- Timestamp when an event arrived in the central data store.
- This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event.
- In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`.
- name: event.ingested
- type: date
-- description: |-
- This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy.
- `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events.
- The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not.
- name: event.kind
- type: keyword
-- description: |-
- This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy.
- `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory.
- This field is an array. This will allow proper categorization of some events that fall in multiple categories.
- name: event.category
- normalize:
- - array
- type: keyword
-- description: |-
- Name of the module this data is coming from.
- If your monitoring agent supports the concept of modules or plugins to process events of a given source (e.g. Apache logs), `event.module` should contain the name of this module.
- name: event.module
- type: keyword
-- description: |-
- Source of the event.
- Event transports such as Syslog or the Windows Event Log typically mention the source of an event. It can be the name of the software that generated the event (e.g. Sysmon, httpd), or of a subsystem of the operating system (kernel, Microsoft-Windows-Security-Auditing).
- name: event.provider
- type: keyword
-- description: |-
- This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy.
- `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization.
- This field is an array. This will allow proper categorization of some events that fall in multiple event types.
- name: event.type
- normalize:
- - array
- type: keyword
-- description: |-
- Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex.
- This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`.
- doc_values: false
- index: false
- name: event.original
- type: keyword
-- description: |-
- In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`.
- The field value must be normalized to lowercase for querying.
- name: network.protocol
- type: keyword
-- description: |-
- Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.)
- The field value must be normalized to lowercase for querying.
- name: network.transport
- type: keyword
-- description: Type of indicator as represented by Cyber Observable in STIX 2.0.
- name: threat.indicator.type
- type: keyword
-- description: The date and time when intelligence source first reported sighting this indicator.
- name: threat.indicator.first_seen
- type: date
-- description: The date and time when intelligence source last reported sighting this indicator.
- name: threat.indicator.last_seen
- type: date
-- description: The date and time when intelligence source last modified information for this indicator.
- name: threat.indicator.modified_at
- type: date
-- description: Reference URL linking to additional information about this indicator.
- name: threat.indicator.reference
- type: keyword
-- description: Describes the type of action conducted by the threat.
- name: threat.indicator.description
- type: keyword
-- description: Number of times this indicator was observed conducting threat activity.
- name: threat.indicator.sightings
- type: long
-- description: File type (file, dir, or symlink).
- name: threat.indicator.file.type
- type: keyword
-- description: MD5 hash.
- name: threat.indicator.file.hash.md5
- type: keyword
-- description: SHA1 hash.
- name: threat.indicator.file.hash.sha1
- type: keyword
-- description: SHA256 hash.
- name: threat.indicator.file.hash.sha256
- type: keyword
-- description: SHA512 hash.
- name: threat.indicator.file.hash.sha512
- type: keyword
-- description: |-
- A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values.
- Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.
- name: threat.indicator.file.pe.imphash
- type: keyword
-- description: SSDEEP hash.
- name: threat.indicator.file.hash.ssdeep
- type: keyword
-- description: An md5 hash that identifies clients based on their TLS handshake.
- level: extended
- name: threat.indicator.tls.client.ja3
- type: keyword
-- description: Identifies a threat indicator as an email address (irrespective of direction).
- name: threat.indicator.email.address
- type: keyword
-- description: Identifies a threat indicator as an IP address (irrespective of direction).
- name: threat.indicator.ip
- type: ip
-- description: |-
- Domain of the url, such as "www.elastic.co".
- In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field.
- If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field.
- name: threat.indicator.url.domain
- type: keyword
-- description: If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source.
- multi_fields:
- - name: text
- type: match_only_text
- name: threat.indicator.url.full
- type: wildcard
-- description: |-
- The field contains the file extension from the original request url, excluding the leading dot.
- The file extension is only set if it exists, as not every url has a file extension.
- The leading period must not be included. For example, the value must be "png", not ".png".
- Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz").
- name: threat.indicator.url.extension
- type: keyword
-- description: |-
- Unmodified original url as seen in the event source.
- Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path.
- This field is meant to represent the URL as it was observed, complete or not.
- multi_fields:
- - name: text
- type: match_only_text
- name: threat.indicator.url.original
- type: wildcard
-- description: Path of the request, such as "/search".
- name: threat.indicator.url.path
- type: wildcard
-- description: Port of the request, such as 443.
- name: threat.indicator.url.port
- type: long
-- description: |-
- Scheme of the request, such as "https".
- Note: The `:` is not part of the scheme.
- name: threat.indicator.url.scheme
- type: keyword
-- description: |-
- The query field describes the query string of the request, such as "q=elasticsearch".
- The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases.
- name: threat.indicator.url.query
- type: keyword
-- description: The name of the indicator's provider.
- name: threat.indicator.provider
- type: keyword
-- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet.
- name: threat.indicator.as.number
- type: long
-- description: Organization name.
- multi_fields:
- - name: text
- type: match_only_text
- name: threat.indicator.as.organization.name
- type: keyword
-- description: Traffic Light Protocol sharing markings.
- name: threat.indicator.marking.tlp
- type: keyword
-- description: Identifies the vendor-neutral confidence rating using the None/Low/Medium/High scale defined in Appendix A of the STIX 2.1 framework. Vendor-specific confidence scales may be added as custom fields.
- name: threat.indicator.confidence
- type: keyword
-- description: Longitude and latitude.
- name: threat.indicator.geo.location
- type: geo_point
-- description: Country ISO code.
- name: threat.indicator.geo.country_iso_code
- type: keyword
-- description: Longitude and latitude.
- name: threat.indicator.geo.location.lat
- type: geo_point
-- description: Longitude and latitude.
- name: threat.indicator.geo.location.lon
- type: geo_point
-- description: Region name.
- name: threat.indicator.geo.region_name
- type: keyword
-- description: The time zone of the location, such as IANA time zone name.
- name: threat.indicator.geo.timezone
- type: keyword
diff --git a/packages/ti_cif3/0.2.0/data_stream/feed/fields/fields.yml b/packages/ti_cif3/0.2.0/data_stream/feed/fields/fields.yml
deleted file mode 100755
index 4977ea2d80..0000000000
--- a/packages/ti_cif3/0.2.0/data_stream/feed/fields/fields.yml
+++ /dev/null
@@ -1,106 +0,0 @@
-- name: cif3
- type: group
- description: Fields for CIFv3 Threat Indicators
- fields:
- - name: uuid
- type: keyword
- description: The ID of the indicator.
- - name: indicator
- type: keyword
- description: >
- The value of the indicator, for example if the type is fqdn, this would be the value.
-
- - name: description
- type: keyword
- description: A description of the indicator.
- - name: rdata
- type: keyword
- description: >
- Extra text or descriptive content related to the indicator such as OS, reverse lookup, etc.
-
- - name: reference
- type: keyword
- description: A reference URL with further info related to the indicator.
- - name: itype
- type: keyword
- description: >
- The indicator type, can for example be "ipv4, fqdn, email, url, sha256".
-
- - name: tags
- type: keyword
- description: >
- Comma-separated list of words describing the indicator such as "malware,exploit".
-
- - name: confidence
- type: float
- description: >
- The confidence on a scale of 0-10 that the tags appropriately contextualize the indicator.
-
- - name: provider
- type: keyword
- description: The source of the indicator information.
- - name: application
- type: keyword
- description: The application used by the indicator, such as telnet or ssh.
- - name: protocol
- type: text
- description: The protocol used by the indicator.
- - name: portlist
- type: text
- description: The port or range of ports used by the indicator.
- - name: city
- type: keyword
- description: GeoIP city information.
- - name: region
- type: keyword
- description: GeoIP region information.
- - name: count
- type: integer
- description: >
- The number of times the same indicator has been reported with the same metadata by the same provider.
-
- - name: cc
- type: keyword
- description: Country code of GeoIP.
- - name: location
- type: geo_point
- description: Lat/Long of GeoIP.
- - name: latitude
- type: keyword
- description: Latitude of GeoIP.
- - name: longitude
- type: keyword
- description: Longitude of GeoIP.
- - name: timezone
- type: text
- description: Timezone of GeoIP.
- - name: asn
- type: integer
- description: AS Number of IP.
- - name: asn_desc
- type: keyword
- description: AS Number org name.
- - name: indicator_ipv4
- type: ip
- description: IPv4 address.
- - name: indicator_ipv4_mask
- type: integer
- description: subnet mask of IPv4 CIDR.
- - name: indicator_ipv6
- type: keyword
- description: singleton IPv6 address.
- - name: indicator_ipv6_mask
- type: integer
- description: subnet mask of IPv6 CIDR.
- - name: indicator_iprange
- type: ip_range
- description: IPv4 or IPv6 IP Range.
- - name: indicator_ssdeep_chunksize
- type: integer
- description: SSDEEP hash chunk size.
- - name: indicator_ssdeep_chunk
- type: text
- description: SSDEEP hash chunk.
- - name: indicator_ssdeep_double_chunk
- type: text
- description: SSDEEP hash double chunk.
diff --git a/packages/ti_cif3/0.2.0/data_stream/feed/manifest.yml b/packages/ti_cif3/0.2.0/data_stream/feed/manifest.yml
deleted file mode 100755
index 12e7254fbc..0000000000
--- a/packages/ti_cif3/0.2.0/data_stream/feed/manifest.yml
+++ /dev/null
@@ -1,113 +0,0 @@
-title: "CIFv3 Feed"
-type: logs
-streams:
- - input: httpjson
- template_path: httpjson.yml.hbs
- title: CIFv3 feed indicators
- description: Collect CIFv3 feed indicators
- vars:
- - name: confidence
- type: text
- title: Confidence
- multi: false
- required: true
- show_user: true
- default: 8
- description: "Minimum confidence (0-10) to return indicator in feed"
- - name: cif_tags
- type: text
- title: Filter on indicator tags
- multi: false
- required: true
- show_user: true
- description: "A comma separated list of indicator tags to retrieve, e.g.: 'botnet,exploit,malware,phishing'"
- - name: type
- type: text
- title: Filter on indicator type
- multi: false
- required: true
- show_user: true
- description: "An indicator type (fqdn|ipv4|url|ssdeep) to retrieve, example: 'md5'"
- - name: limit
- type: text
- title: Result size limit
- multi: false
- required: true
- show_user: true
- default: 100000
- description: "Maximum result set size, capped at 250000"
- - name: initial_lookback
- type: text
- title: Initial lookback period
- multi: false
- required: true
- show_user: true
- default: 120h
- description: How far back to look for indicators the first time the agent is started.
- - name: interval
- type: text
- title: Interval
- multi: false
- required: true
- show_user: true
- default: 60m
- description: How frequently to pull the feed.
- # this doesn't currently work
- #- name: filters
- # type: yaml
- # title: Optional REST API filters
- # multi: false
- # required: false
- # show_user: false
- # default: |-
- # #tlp: white
- # description: "Optional REST API Feed filters supported by [CIFv3](https://github.com/csirtgadgets/bearded-avenger/blob/master/cif/httpd/common.py#L7-L9)."
- name: ssl
- type: yaml
- title: SSL
- multi: false
- required: false
- show_user: false
- description: "Default example enables https verification. Change to 'none' to disable.
https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-reference-yml.html"
- default: |-
- verification_mode: full
- - name: http_client_timeout
- type: text
- title: HTTP Client Timeout
- multi: false
- required: false
- show_user: false
- default: 120s
- - name: proxy_url
- type: url
- title: Proxy URL
- multi: false
- required: false
- show_user: false
- description: URL to proxy connections in the form of http[s]://:@:
- - name: tags
- type: text
- title: Tags
- multi: true
- required: true
- show_user: false
- description: Tags to add to each event once ingested into Elastic. Ingested indicators' tags will be appended dynamically to this list.
- default:
- - forwarded
- - cif3-indicator
- - name: preserve_original_event
- required: true
- show_user: true
- title: Preserve original event
- description: Preserves a raw copy of the original event, added to the field `event.original`
- type: bool
- multi: false
- default: false
- - name: processors
- type: yaml
- title: Processors
- multi: false
- required: false
- show_user: false
- description: >-
- Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
diff --git a/packages/ti_cif3/0.2.0/data_stream/feed/sample_event.json b/packages/ti_cif3/0.2.0/data_stream/feed/sample_event.json
deleted file mode 100755
index ab302efe65..0000000000
--- a/packages/ti_cif3/0.2.0/data_stream/feed/sample_event.json
+++ /dev/null
@@ -1,87 +0,0 @@
-{
- "@timestamp": "2022-07-25T02:59:05.404Z",
- "agent": {
- "ephemeral_id": "6d30ac65-9d55-4014-9a2a-2fbcf8816fff",
- "id": "f599fd51-b36d-45b4-a90f-4d63240b8477",
- "name": "docker-fleet-agent",
- "type": "filebeat",
- "version": "8.3.2"
- },
- "cif3": {
- "itype": "ipv4",
- "portlist": "443",
- "uuid": "ac240898-1443-4d7e-a98a-1daed220c162"
- },
- "data_stream": {
- "dataset": "ti_cif3.feed",
- "namespace": "ep",
- "type": "logs"
- },
- "ecs": {
- "version": "8.4.0"
- },
- "elastic_agent": {
- "id": "f599fd51-b36d-45b4-a90f-4d63240b8477",
- "snapshot": false,
- "version": "8.3.2"
- },
- "event": {
- "agent_id_status": "verified",
- "category": "threat",
- "created": "2022-07-25T02:59:05.404Z",
- "dataset": "ti_cif3.feed",
- "ingested": "2022-07-25T02:59:08Z",
- "kind": "enrichment",
- "original": "{\"application\":\"https\",\"asn\":8075,\"asn_desc\":\"microsoft-corp-msn-as-block\",\"cc\":\"br\",\"city\":\"campinas\",\"confidence\":10,\"count\":1,\"firsttime\":\"2022-07-20T20:25:53.000000Z\",\"group\":[\"everyone\"],\"indicator\":\"20.206.75.106\",\"indicator_ipv4\":\"20.206.75.106\",\"itype\":\"ipv4\",\"lasttime\":\"2022-07-20T20:25:53.000000Z\",\"latitude\":-22.9035,\"location\":[-47.0565,-22.9035],\"longitude\":-47.0565,\"portlist\":\"443\",\"protocol\":\"tcp\",\"provider\":\"sslbl.abuse.ch\",\"reference\":\"https://sslbl.abuse.ch/blacklist/sslipblacklist.csv\",\"region\":\"sao paulo\",\"reporttime\":\"2022-07-21T20:33:26.585967Z\",\"tags\":[\"botnet\"],\"timezone\":\"america/sao_paulo\",\"tlp\":\"white\",\"uuid\":\"ac240898-1443-4d7e-a98a-1daed220c162\"}",
- "type": "indicator"
- },
- "input": {
- "type": "httpjson"
- },
- "network": {
- "protocol": "https",
- "transport": "tcp"
- },
- "related": {
- "ip": [
- "20.206.75.106"
- ]
- },
- "tags": [
- "preserve_original_event",
- "forwarded",
- "cif3-indicator",
- "botnet"
- ],
- "threat": {
- "indicator": {
- "as": {
- "number": 8075,
- "organization": {
- "name": "microsoft-corp-msn-as-block"
- }
- },
- "confidence": "High",
- "first_seen": "2022-07-20T20:25:53.000000Z",
- "geo": {
- "country_iso_code": "br",
- "location": {
- "lat": -22.9035,
- "lon": -47.0565
- },
- "region_name": "sao paulo",
- "timezone": "america/sao_paulo"
- },
- "ip": "20.206.75.106",
- "last_seen": "2022-07-20T20:25:53.000000Z",
- "marking": {
- "tlp": "WHITE"
- },
- "modified_at": "2022-07-21T20:33:26.585967Z",
- "provider": "sslbl.abuse.ch",
- "reference": "https://sslbl.abuse.ch/blacklist/sslipblacklist.csv",
- "sightings": 1,
- "type": "ipv4-addr"
- }
- }
-}
\ No newline at end of file
diff --git a/packages/ti_cif3/0.2.0/docs/README.md b/packages/ti_cif3/0.2.0/docs/README.md
deleted file mode 100755
index 88c66c8a26..0000000000
--- a/packages/ti_cif3/0.2.0/docs/README.md
+++ /dev/null
@@ -1,211 +0,0 @@
-# Collective Intelligence Framework v3 Integration
-
-This integration connects with the [REST API from the running CIFv3 instance](https://github.com/csirtgadgets/bearded-avenger-deploymentkit/wiki/REST-API) to retrieve indicators.
-
-## Data Streams
-
-### Feed
-
-The CIFv3 integration collects threat indicators based on user-defined configuration including a polling interval, how far back in time it should look, and other filters like indicator type and tags.
-
-CIFv3 `confidence` field values (0..10) are converted to ECS confidence (None, Low, Medium, High) in the following way:
-
-| CIFv3 Confidence | ECS Conversion |
-| ---------------- | -------------- |
-| Beyond Range | None |
-| 0 - <3 | Low |
-| 3 - <7 | Medium |
-| 7 - 10 | High |
-
-**Exported fields**
-
-| Field | Description | Type |
-|---|---|---|
-| @timestamp | Event timestamp. | date |
-| cif3.application | The application used by the indicator, such as telnet or ssh. | keyword |
-| cif3.asn | AS Number of IP. | integer |
-| cif3.asn_desc | AS Number org name. | keyword |
-| cif3.cc | Country code of GeoIP. | keyword |
-| cif3.city | GeoIP city information. | keyword |
-| cif3.confidence | The confidence on a scale of 0-10 that the tags appropriately contextualize the indicator. | float |
-| cif3.count | The number of times the same indicator has been reported with the same metadata by the same provider. | integer |
-| cif3.description | A description of the indicator. | keyword |
-| cif3.indicator | The value of the indicator, for example if the type is fqdn, this would be the value. | keyword |
-| cif3.indicator_iprange | IPv4 or IPv6 IP Range. | ip_range |
-| cif3.indicator_ipv4 | IPv4 address. | ip |
-| cif3.indicator_ipv4_mask | subnet mask of IPv4 CIDR. | integer |
-| cif3.indicator_ipv6 | singleton IPv6 address. | keyword |
-| cif3.indicator_ipv6_mask | subnet mask of IPv6 CIDR. | integer |
-| cif3.indicator_ssdeep_chunk | SSDEEP hash chunk.
| text |
-| cif3.indicator_ssdeep_chunksize | SSDEEP hash chunk size. | integer |
-| cif3.indicator_ssdeep_double_chunk | SSDEEP hash double chunk. | text |
-| cif3.itype | The indicator type, can for example be "ipv4, fqdn, email, url, sha256". | keyword |
-| cif3.latitude | Latitude of GeoIP. | keyword |
-| cif3.location | Lat/Long of GeoIP. | geo_point |
-| cif3.longitude | Longitude of GeoIP. | keyword |
-| cif3.portlist | The port or range of ports used by the indicator. | text |
-| cif3.protocol | The protocol used by the indicator. | text |
-| cif3.provider | The source of the indicator information. | keyword |
-| cif3.rdata | Extra text or descriptive content related to the indicator such as OS, reverse lookup, etc. | keyword |
-| cif3.reference | A reference URL with further info related to the indicator. | keyword |
-| cif3.region | GeoIP region information. | keyword |
-| cif3.tags | Comma-separated list of words describing the indicator such as "malware,exploit". | keyword |
-| cif3.timezone | Timezone of GeoIP. | text |
-| cif3.uuid | The ID of the indicator. | keyword |
-| data_stream.dataset | Data stream dataset. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| error.message | Error message. | match_only_text |
-| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity.
This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword |
-| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date |
-| event.dataset | Event dataset | constant_keyword |
-| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date |
-| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword |
-| event.module | Name of the module this data is coming from.
If your monitoring agent supports the concept of modules or plugins to process events of a given source (e.g. Apache logs), `event.module` should contain the name of this module. | keyword |
-| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword |
-| event.provider | Source of the event. Event transports such as Syslog or the Windows Event Log typically mention the source of an event. It can be the name of the software that generated the event (e.g. Sysmon, httpd), or of a subsystem of the operating system (kernel, Microsoft-Windows-Security-Auditing). | keyword |
-| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword |
-| input.type | Type of Filebeat input. | keyword |
-| log.file.path | Path to the log file. | keyword |
-| log.flags | Flags for the log file. | keyword |
-| log.offset | Offset of the entry in the log file. | long |
-| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message.
| match_only_text |
-| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword |
-| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword |
-| related.hash | All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). | keyword |
-| related.ip | All of the IPs seen on your event. | ip |
-| tags | List of keywords used to tag each event. | keyword |
-| threat.feed.name | Display friendly feed name | constant_keyword |
-| threat.indicator.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long |
-| threat.indicator.as.organization.name | Organization name. | keyword |
-| threat.indicator.as.organization.name.text | Multi-field of `threat.indicator.as.organization.name`. | match_only_text |
-| threat.indicator.confidence | Identifies the vendor-neutral confidence rating using the None/Low/Medium/High scale defined in Appendix A of the STIX 2.1 framework. Vendor-specific confidence scales may be added as custom fields. | keyword |
-| threat.indicator.description | Describes the type of action conducted by the threat. | keyword |
-| threat.indicator.email.address | Identifies a threat indicator as an email address (irrespective of direction). | keyword |
-| threat.indicator.file.hash.md5 | MD5 hash. | keyword |
-| threat.indicator.file.hash.sha1 | SHA1 hash. | keyword |
-| threat.indicator.file.hash.sha256 | SHA256 hash. | keyword |
-| threat.indicator.file.hash.sha512 | SHA512 hash. | keyword |
-| threat.indicator.file.hash.ssdeep | SSDEEP hash.
| keyword |
-| threat.indicator.file.pe.imphash | A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. | keyword |
-| threat.indicator.file.type | File type (file, dir, or symlink). | keyword |
-| threat.indicator.first_seen | The date and time when intelligence source first reported sighting this indicator. | date |
-| threat.indicator.geo.country_iso_code | Country ISO code. | keyword |
-| threat.indicator.geo.location | Longitude and latitude. | geo_point |
-| threat.indicator.geo.location.lat | Longitude and latitude. | geo_point |
-| threat.indicator.geo.location.lon | Longitude and latitude. | geo_point |
-| threat.indicator.geo.region_name | Region name. | keyword |
-| threat.indicator.geo.timezone | The time zone of the location, such as IANA time zone name. | keyword |
-| threat.indicator.ip | Identifies a threat indicator as an IP address (irrespective of direction). | ip |
-| threat.indicator.last_seen | The date and time when intelligence source last reported sighting this indicator. | date |
-| threat.indicator.marking.tlp | Traffic Light Protocol sharing markings. | keyword |
-| threat.indicator.modified_at | The date and time when intelligence source last modified information for this indicator. | date |
-| threat.indicator.provider | The name of the indicator's provider. | keyword |
-| threat.indicator.reference | Reference URL linking to additional information about this indicator. | keyword |
-| threat.indicator.sightings | Number of times this indicator was observed conducting threat activity. | long |
-| threat.indicator.tls.client.ja3 | An md5 hash that identifies clients based on their TLS handshake.
| keyword |
-| threat.indicator.type | Type of indicator as represented by Cyber Observable in STIX 2.0. | keyword |
-| threat.indicator.url.domain | Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. | keyword |
-| threat.indicator.url.extension | The field contains the file extension from the original request url, excluding the leading dot. The file extension is only set if it exists, as not every url has a file extension. The leading period must not be included. For example, the value must be "png", not ".png". Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword |
-| threat.indicator.url.full | If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. | wildcard |
-| threat.indicator.url.full.text | Multi-field of `threat.indicator.url.full`. | match_only_text |
-| threat.indicator.url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | wildcard |
-| threat.indicator.url.original.text | Multi-field of `threat.indicator.url.original`. | match_only_text |
-| threat.indicator.url.path | Path of the request, such as "/search". | wildcard |
-| threat.indicator.url.port | Port of the request, such as 443. | long |
-| threat.indicator.url.query | The query field describes the query string of the request, such as "q=elasticsearch". The `?` is excluded from the query string.
If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. | keyword |
-| threat.indicator.url.scheme | Scheme of the request, such as "https". Note: The `:` is not part of the scheme. | keyword |
-
-
-An example event for `feed` looks as following:
-
-```json
-{
- "@timestamp": "2022-07-25T02:59:05.404Z",
- "agent": {
- "ephemeral_id": "6d30ac65-9d55-4014-9a2a-2fbcf8816fff",
- "id": "f599fd51-b36d-45b4-a90f-4d63240b8477",
- "name": "docker-fleet-agent",
- "type": "filebeat",
- "version": "8.3.2"
- },
- "cif3": {
- "itype": "ipv4",
- "portlist": "443",
- "uuid": "ac240898-1443-4d7e-a98a-1daed220c162"
- },
- "data_stream": {
- "dataset": "ti_cif3.feed",
- "namespace": "ep",
- "type": "logs"
- },
- "ecs": {
- "version": "8.4.0"
- },
- "elastic_agent": {
- "id": "f599fd51-b36d-45b4-a90f-4d63240b8477",
- "snapshot": false,
- "version": "8.3.2"
- },
- "event": {
- "agent_id_status": "verified",
- "category": "threat",
- "created": "2022-07-25T02:59:05.404Z",
- "dataset": "ti_cif3.feed",
- "ingested": "2022-07-25T02:59:08Z",
- "kind": "enrichment",
- "original": "{\"application\":\"https\",\"asn\":8075,\"asn_desc\":\"microsoft-corp-msn-as-block\",\"cc\":\"br\",\"city\":\"campinas\",\"confidence\":10,\"count\":1,\"firsttime\":\"2022-07-20T20:25:53.000000Z\",\"group\":[\"everyone\"],\"indicator\":\"20.206.75.106\",\"indicator_ipv4\":\"20.206.75.106\",\"itype\":\"ipv4\",\"lasttime\":\"2022-07-20T20:25:53.000000Z\",\"latitude\":-22.9035,\"location\":[-47.0565,-22.9035],\"longitude\":-47.0565,\"portlist\":\"443\",\"protocol\":\"tcp\",\"provider\":\"sslbl.abuse.ch\",\"reference\":\"https://sslbl.abuse.ch/blacklist/sslipblacklist.csv\",\"region\":\"sao paulo\",\"reporttime\":\"2022-07-21T20:33:26.585967Z\",\"tags\":[\"botnet\"],\"timezone\":\"america/sao_paulo\",\"tlp\":\"white\",\"uuid\":\"ac240898-1443-4d7e-a98a-1daed220c162\"}",
-
"type": "indicator" - }, - "input": { - "type": "httpjson" - }, - "network": { - "protocol": "https", - "transport": "tcp" - }, - "related": { - "ip": [ - "20.206.75.106" - ] - }, - "tags": [ - "preserve_original_event", - "forwarded", - "cif3-indicator", - "botnet" - ], - "threat": { - "indicator": { - "as": { - "number": 8075, - "organization": { - "name": "microsoft-corp-msn-as-block" - } - }, - "confidence": "High", - "first_seen": "2022-07-20T20:25:53.000000Z", - "geo": { - "country_iso_code": "br", - "location": { - "lat": -22.9035, - "lon": -47.0565 - }, - "region_name": "sao paulo", - "timezone": "america/sao_paulo" - }, - "ip": "20.206.75.106", - "last_seen": "2022-07-20T20:25:53.000000Z", - "marking": { - "tlp": "WHITE" - }, - "modified_at": "2022-07-21T20:33:26.585967Z", - "provider": "sslbl.abuse.ch", - "reference": "https://sslbl.abuse.ch/blacklist/sslipblacklist.csv", - "sightings": 1, - "type": "ipv4-addr" - } - } -} -``` diff --git a/packages/ti_cif3/0.2.0/img/csg_logo_big.svg b/packages/ti_cif3/0.2.0/img/csg_logo_big.svg deleted file mode 100755 index 5ee2369a85..0000000000 --- a/packages/ti_cif3/0.2.0/img/csg_logo_big.svg +++ /dev/null @@ -1,270 +0,0 @@ - - - - - diff --git a/packages/ti_cif3/0.2.0/kibana/dashboard/ti_cif3-6005a190-0aba-11ed-bcc0-01c79f2670f3.json b/packages/ti_cif3/0.2.0/kibana/dashboard/ti_cif3-6005a190-0aba-11ed-bcc0-01c79f2670f3.json deleted file mode 100755 index 6798fb65da..0000000000 --- a/packages/ti_cif3/0.2.0/kibana/dashboard/ti_cif3-6005a190-0aba-11ed-bcc0-01c79f2670f3.json +++ /dev/null 
@@ -1,57 +0,0 @@ -{ - "attributes": { - "description": "Dashboard providing statistics about FQDN type indicators from the Collective Intelligence Framework v3 integration", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"threat.indicator.type\",\"negate\":false,\"params\":{\"query\":\"domain-name\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"threat.indicator.type\":\"domain-name\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"ti_cif3.feed\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"ti_cif3.feed\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":true,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"id\":\"\",\"params\":{\"fontSize\":12,\"markdown\":\"**Navigation**\\n\\n[CIFv3 Overview](/app/dashboards#/view/ti_cif3-b4d9d9b0-0a2f-11ed-bcc0-01c79f2670f3) \\n[CIFv3 Emails](/app/dashboards#/view/ti_cif3-bda23600-0abb-11ed-bcc0-01c79f2670f3) \\n[CIFv3 Files](/app/dashboards#/view/ti_cif3-63a0e470-0a30-11ed-bcc0-01c79f2670f3) \\n**[CIFv3 FQDNs (This Page)](/app/dashboards#/view/ti_cif3-6005a190-0aba-11ed-bcc0-01c79f2670f3)** \\n[CIFv3 IPs](/app/dashboards#/view/ti_cif3-aedada10-0ab5-11ed-bcc0-01c79f2670f3) \\n[CIFv3 URLs](/app/dashboards#/view/ti_cif3-fef149c0-0a2f-11ed-bcc0-01c79f2670f3) \\n\\n[Integrations 
Page](/app/integrations/detail/ti_cif3/overview)\\n\\n\\n**Overview**\\n\\nThis dashboard is an overview of the different threat intelligence indicators with a **threat.indicator.type: domain-name**. \\n\\nThe dashboard is made to provide general statistics and show the health of your indicators like popular domains and statistics about how many unique indicators are ingested and other relevant information.\",\"openLinksInNewTab\":false},\"title\":\"\",\"type\":\"markdown\",\"uiState\":{}}},\"gridData\":{\"h\":39,\"i\":\"4c3ed6e1-8b4e-4eab-8d84-70ed4f506216\",\"w\":7,\"x\":0,\"y\":0},\"panelIndex\":\"4c3ed6e1-8b4e-4eab-8d84-70ed4f506216\",\"title\":\"Files Navigation Textbox [Logs CIFv3]\",\"type\":\"visualization\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-c94400ee-a135-4a99-9693-5879d29f7aad\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"c94400ee-a135-4a99-9693-5879d29f7aad\":{\"columnOrder\":[\"2934249f-fce5-4637-87ff-d2596d1b6ec5\"],\"columns\":{\"2934249f-fce5-4637-87ff-d2596d1b6ec5\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Unique 
Domains\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"threat.indicator.url.domain\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"2934249f-fce5-4637-87ff-d2596d1b6ec5\",\"layerId\":\"c94400ee-a135-4a99-9693-5879d29f7aad\",\"layerType\":\"data\",\"size\":\"xl\",\"textAlign\":\"center\",\"titlePosition\":\"bottom\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":8,\"i\":\"02f1732b-a981-4fba-8b27-b944f2f3c98c\",\"w\":6,\"x\":7,\"y\":0},\"panelIndex\":\"02f1732b-a981-4fba-8b27-b944f2f3c98c\",\"title\":\"Unique Domains [Logs CIFv3]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-09bca2c1-c599-4575-be8a-a416589c7082\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"09bca2c1-c599-4575-be8a-a416589c7082\":{\"columnOrder\":[\"87d9346d-c199-44ef-b58c-2c0c7625a523\",\"40a4b01a-1e63-4cd8-ab62-da960940d757\"],\"columns\":{\"40a4b01a-1e63-4cd8-ab62-da960940d757\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"threat.indicator.url.domain\"},\"87d9346d-c199-44ef-b58c-2c0c7625a523\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"FQDN\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"40a4b01a-1e63-4cd8-ab62-da960940d757\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"size\":15},\"scale\":\"ordinal\",\"sourceField\":\"threat.indicator.url.domain\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"lan
guage\":\"kuery\",\"query\":\"\"},\"visualization\":{\"columns\":[{\"columnId\":\"87d9346d-c199-44ef-b58c-2c0c7625a523\",\"isTransposed\":false},{\"columnId\":\"40a4b01a-1e63-4cd8-ab62-da960940d757\",\"isTransposed\":false}],\"layerId\":\"09bca2c1-c599-4575-be8a-a416589c7082\",\"layerType\":\"data\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsDatatable\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"c2db10e8-0e7e-4199-b787-48e14bd2e2fe\",\"w\":18,\"x\":13,\"y\":0},\"panelIndex\":\"c2db10e8-0e7e-4199-b787-48e14bd2e2fe\",\"title\":\"Sample of Domains [Logs CIFv3]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"}]", - "timeRestore": false, - "title": "[Logs CIFv3] FQDNs", - "version": 1 - }, - "coreMigrationVersion": "8.0.0", - "id": "ti_cif3-6005a190-0aba-11ed-bcc0-01c79f2670f3", - "migrationVersion": { - "dashboard": "8.0.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "02f1732b-a981-4fba-8b27-b944f2f3c98c:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "02f1732b-a981-4fba-8b27-b944f2f3c98c:indexpattern-datasource-layer-c94400ee-a135-4a99-9693-5879d29f7aad", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "c2db10e8-0e7e-4199-b787-48e14bd2e2fe:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "c2db10e8-0e7e-4199-b787-48e14bd2e2fe:indexpattern-datasource-layer-09bca2c1-c599-4575-be8a-a416589c7082", - "type": "index-pattern" - }, - { - "id": "ti_cif3-ec8c3e30-0c59-11ed-9b65-435777f1d8a1", - "name": "tag-ti_cif3-ec8c3e30-0c59-11ed-9b65-435777f1d8a1", - "type": "tag" - } - ], - "type": "dashboard" -} \ No newline at end of file 
diff --git a/packages/ti_cif3/0.2.0/kibana/dashboard/ti_cif3-63a0e470-0a30-11ed-bcc0-01c79f2670f3.json b/packages/ti_cif3/0.2.0/kibana/dashboard/ti_cif3-63a0e470-0a30-11ed-bcc0-01c79f2670f3.json deleted file mode 100755 index 4b709d9915..0000000000 --- a/packages/ti_cif3/0.2.0/kibana/dashboard/ti_cif3-63a0e470-0a30-11ed-bcc0-01c79f2670f3.json +++ /dev/null 
@@ -1,107 +0,0 @@ -{ - "attributes": { - "description": "Dashboard providing statistics about File type indicators from the Collective Intelligence Framework v3 integration", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"threat.indicator.type\",\"negate\":false,\"params\":{\"query\":\"file\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"threat.indicator.type\":\"file\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"ti_cif3.feed\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"ti_cif3.feed\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":true,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"fontSize\":12,\"markdown\":\"**Navigation**\\n\\n[CIFv3 Overview](/app/dashboards#/view/ti_cif3-b4d9d9b0-0a2f-11ed-bcc0-01c79f2670f3) \\n[CIFv3 Emails](/app/dashboards#/view/ti_cif3-bda23600-0abb-11ed-bcc0-01c79f2670f3) \\n**[CIFv3 Files (This Page)](/app/dashboards#/view/ti_cif3-63a0e470-0a30-11ed-bcc0-01c79f2670f3)** \\n[CIFv3 FQDNs](/app/dashboards#/view/ti_cif3-6005a190-0aba-11ed-bcc0-01c79f2670f3) \\n[CIFv3 IPs](/app/dashboards#/view/ti_cif3-aedada10-0ab5-11ed-bcc0-01c79f2670f3) \\n[CIFv3 URLs](/app/dashboards#/view/ti_cif3-fef149c0-0a2f-11ed-bcc0-01c79f2670f3) \\n\\n[Integrations Page](/app/integrations/detail/ti_cif3/overview)\\n\\n\\n**Overview**\\n\\nThis 
dashboard is an overview of the different threat intelligence indicators with a **threat.indicator.type: file**.\\n\\nThe dashboard is made to provide general statistics and show the health of your indicators like hash type counters, popular domains, statistics about how many unique indicators are ingested and other relevant information.\",\"openLinksInNewTab\":false},\"title\":\"Files Navigation Textbox [Logs CIFv3]\",\"type\":\"markdown\",\"uiState\":{}}},\"gridData\":{\"h\":35,\"i\":\"09ba3dc0-e2e2-4799-b47f-bb919bf290a1\",\"w\":7,\"x\":0,\"y\":0},\"panelIndex\":\"09ba3dc0-e2e2-4799-b47f-bb919bf290a1\",\"title\":\"Files Navigation Textbox [Logs CIFv3]\",\"type\":\"visualization\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-b83c382d-fab9-4e60-a632-475e221cc20c\",\"type\":\"index-pattern\"}],\"sharingSavedObjectProps\":{\"outcome\":\"exactMatch\",\"sourceId\":\"ti_cif3-d888e3e0-3b38-11ec-ae50-2fdf1e96c6a6\"},\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"b83c382d-fab9-4e60-a632-475e221cc20c\":{\"columnOrder\":[\"eda3c6d9-dacb-4e5e-b977-50104f76e91a\"],\"columns\":{\"eda3c6d9-dacb-4e5e-b977-50104f76e91a\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Unique MD5\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"threat.indicator.file.hash.md5\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"eda3c6d9-dacb-4e5e-b977-50104f76e91a\",\"layerId\":\"b83c382d-fab9-4e60-a632-475e221cc20c\",\"layerType\":\"data\",\"size\":\"xl\",\"textAlign\":\"center\",\"titlePosition\":\"bottom\"}},\"title\":\"Unique MD5 
[CIFv3]\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":8,\"i\":\"4d3e11dc-c4cc-4373-bb83-3d39fe6ffa98\",\"w\":6,\"x\":7,\"y\":0},\"panelIndex\":\"4d3e11dc-c4cc-4373-bb83-3d39fe6ffa98\",\"title\":\"Unique MD5 [Logs CIFv3]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-49b7070a-f1d3-46e1-a980-2f6d6d130167\",\"type\":\"index-pattern\"}],\"sharingSavedObjectProps\":{\"outcome\":\"exactMatch\",\"sourceId\":\"ti_cif3-5d6111a0-3b39-11ec-ae50-2fdf1e96c6a6\"},\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"49b7070a-f1d3-46e1-a980-2f6d6d130167\":{\"columnOrder\":[\"b6c5e221-88ff-490e-bd3e-188b3e0dd1f4\"],\"columns\":{\"b6c5e221-88ff-490e-bd3e-188b3e0dd1f4\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Unique SHA256\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"threat.indicator.file.hash.sha256\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"b6c5e221-88ff-490e-bd3e-188b3e0dd1f4\",\"layerId\":\"49b7070a-f1d3-46e1-a980-2f6d6d130167\",\"layerType\":\"data\",\"size\":\"xl\",\"textAlign\":\"center\",\"titlePosition\":\"bottom\"}},\"title\":\"Unique SHA256 [CIFv3]\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":8,\"i\":\"93e32abe-87e3-469e-b7e9-a7ef7dfa2cce\",\"w\":6,\"x\":13,\"y\":0},\"panelIndex\":\"93e32abe-87e3-469e-b7e9-a7ef7dfa2cce\",\"title\":\"Unique SHA256 [Logs 
CIFv3]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-2825d170-daeb-4a6d-9d8f-8fda4dccffcc\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"2825d170-daeb-4a6d-9d8f-8fda4dccffcc\":{\"columnOrder\":[\"cb37ded7-9f40-418f-bfb9-6250652373d7\"],\"columns\":{\"cb37ded7-9f40-418f-bfb9-6250652373d7\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Unique SSDEEP\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"threat.indicator.file.hash.ssdeep\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"cb37ded7-9f40-418f-bfb9-6250652373d7\",\"layerId\":\"2825d170-daeb-4a6d-9d8f-8fda4dccffcc\",\"layerType\":\"data\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":8,\"i\":\"703fd39c-9642-4c7d-93c8-056f019acf42\",\"w\":6,\"x\":19,\"y\":0},\"panelIndex\":\"703fd39c-9642-4c7d-93c8-056f019acf42\",\"title\":\"Unique SSDEEP [Logs CIFv3]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-ace6c894-6dac-441d-b0db-3e246db99579\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"ace6c894-6dac-441d-b0db-3e246db99579\":{\"columnOrder\":[\"4c6f7061-d5e9-4c04-b9b2-39b984b06393\",\"e00a1b25-655b-4541-8ce0-1f84bdb16b1e\"],\"columns\":{\"4c6f7061-d5e9-4c04-b9b2-39b984b06393\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of 
threat.indicator.description\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"e00a1b25-655b-4541-8ce0-1f84bdb16b1e\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"threat.indicator.description\"},\"e00a1b25-655b-4541-8ce0-1f84bdb16b1e\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Unique count of threat.indicator.description\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"threat.indicator.description\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"4c6f7061-d5e9-4c04-b9b2-39b984b06393\"],\"layerId\":\"ace6c894-6dac-441d-b0db-3e246db99579\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"e00a1b25-655b-4541-8ce0-1f84bdb16b1e\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"treemap\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":16,\"i\":\"9717eae1-9937-41e7-bad1-e9ce43d06723\",\"w\":22,\"x\":25,\"y\":0},\"panelIndex\":\"9717eae1-9937-41e7-bad1-e9ce43d06723\",\"title\":\"File Descriptions [Logs 
CIFv3]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-85ad73b3-3b76-49f1-ad20-6256b58918f8\",\"type\":\"index-pattern\"}],\"sharingSavedObjectProps\":{\"outcome\":\"exactMatch\",\"sourceId\":\"ti_cif3-28549810-3b39-11ec-ae50-2fdf1e96c6a6\"},\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"85ad73b3-3b76-49f1-ad20-6256b58918f8\":{\"columnOrder\":[\"289bd005-bdd2-4f3b-83b9-ad6ae52a9ed3\"],\"columns\":{\"289bd005-bdd2-4f3b-83b9-ad6ae52a9ed3\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Unique SHA1\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"threat.indicator.file.hash.sha1\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"289bd005-bdd2-4f3b-83b9-ad6ae52a9ed3\",\"layerId\":\"85ad73b3-3b76-49f1-ad20-6256b58918f8\",\"layerType\":\"data\",\"size\":\"xl\",\"textAlign\":\"center\",\"titlePosition\":\"bottom\"}},\"title\":\"Unique SHA1 [CIFv3]\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":8,\"i\":\"e9b6f0ad-5e6b-44da-923e-dc0d5ccfdfea\",\"w\":6,\"x\":7,\"y\":8},\"panelIndex\":\"e9b6f0ad-5e6b-44da-923e-dc0d5ccfdfea\",\"title\":\"Unique SHA1 [Logs 
CIFv3]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-331e77de-53be-48a4-8793-3fe9a23b22b1\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"331e77de-53be-48a4-8793-3fe9a23b22b1\":{\"columnOrder\":[\"428df405-7955-4c10-94c1-0791e75aed8f\"],\"columns\":{\"428df405-7955-4c10-94c1-0791e75aed8f\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Unique SHA512\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"threat.indicator.file.hash.sha512\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"428df405-7955-4c10-94c1-0791e75aed8f\",\"layerId\":\"331e77de-53be-48a4-8793-3fe9a23b22b1\",\"layerType\":\"data\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":8,\"i\":\"cb4ca769-08b2-4570-8a30-27cff9b77093\",\"w\":6,\"x\":13,\"y\":8},\"panelIndex\":\"cb4ca769-08b2-4570-8a30-27cff9b77093\",\"title\":\"Unique SHA512 [Logs CIFv3]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-4c3ad4e3-46af-447e-a4ce-dab516c52797\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"4c3ad4e3-46af-447e-a4ce-dab516c52797\":{\"columnOrder\":[\"181798f7-2b90-44e1-b76a-2f17b7210690\"],\"columns\":{\"181798f7-2b90-44e1-b76a-2f17b7210690\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Unique 
IMPHASH\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"threat.indicator.file.pe.imphash\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"181798f7-2b90-44e1-b76a-2f17b7210690\",\"layerId\":\"4c3ad4e3-46af-447e-a4ce-dab516c52797\",\"layerType\":\"data\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":8,\"i\":\"823f92b7-a2ff-4883-aad1-28d3652371fe\",\"w\":6,\"x\":19,\"y\":8},\"panelIndex\":\"823f92b7-a2ff-4883-aad1-28d3652371fe\",\"title\":\"Unique IMPHASH [Logs CIFv3]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"}]", - "timeRestore": false, - "title": "[Logs CIFv3] Files", - "version": 1 - }, - "coreMigrationVersion": "8.0.0", - "id": "ti_cif3-63a0e470-0a30-11ed-bcc0-01c79f2670f3", - "migrationVersion": { - "dashboard": "8.0.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "4d3e11dc-c4cc-4373-bb83-3d39fe6ffa98:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "4d3e11dc-c4cc-4373-bb83-3d39fe6ffa98:indexpattern-datasource-layer-b83c382d-fab9-4e60-a632-475e221cc20c", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "93e32abe-87e3-469e-b7e9-a7ef7dfa2cce:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "93e32abe-87e3-469e-b7e9-a7ef7dfa2cce:indexpattern-datasource-layer-49b7070a-f1d3-46e1-a980-2f6d6d130167", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "703fd39c-9642-4c7d-93c8-056f019acf42:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - 
}, - { - "id": "logs-*", - "name": "703fd39c-9642-4c7d-93c8-056f019acf42:indexpattern-datasource-layer-2825d170-daeb-4a6d-9d8f-8fda4dccffcc", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "9717eae1-9937-41e7-bad1-e9ce43d06723:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "9717eae1-9937-41e7-bad1-e9ce43d06723:indexpattern-datasource-layer-ace6c894-6dac-441d-b0db-3e246db99579", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "e9b6f0ad-5e6b-44da-923e-dc0d5ccfdfea:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "e9b6f0ad-5e6b-44da-923e-dc0d5ccfdfea:indexpattern-datasource-layer-85ad73b3-3b76-49f1-ad20-6256b58918f8", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "cb4ca769-08b2-4570-8a30-27cff9b77093:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "cb4ca769-08b2-4570-8a30-27cff9b77093:indexpattern-datasource-layer-331e77de-53be-48a4-8793-3fe9a23b22b1", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "823f92b7-a2ff-4883-aad1-28d3652371fe:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "823f92b7-a2ff-4883-aad1-28d3652371fe:indexpattern-datasource-layer-4c3ad4e3-46af-447e-a4ce-dab516c52797", - "type": "index-pattern" - }, - { - "id": "ti_cif3-ec8c3e30-0c59-11ed-9b65-435777f1d8a1", - "name": "tag-ti_cif3-ec8c3e30-0c59-11ed-9b65-435777f1d8a1", - "type": "tag" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/ti_cif3/0.2.0/kibana/dashboard/ti_cif3-aedada10-0ab5-11ed-bcc0-01c79f2670f3.json b/packages/ti_cif3/0.2.0/kibana/dashboard/ti_cif3-aedada10-0ab5-11ed-bcc0-01c79f2670f3.json deleted file mode 100755 index 3e594dc91a..0000000000 
--- a/packages/ti_cif3/0.2.0/kibana/dashboard/ti_cif3-aedada10-0ab5-11ed-bcc0-01c79f2670f3.json +++ /dev/null 
@@ -1,122 +0,0 @@ -{ - "attributes": { - "description": "Dashboard providing statistics about IP type indicators from the Collective Intelligence Framework v3 integration", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"threat.indicator.type\",\"negate\":false,\"params\":[\"ipv6-addr\",\"ipv4-addr\"],\"type\":\"phrases\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"threat.indicator.type\":\"ipv6-addr\"}},{\"match_phrase\":{\"threat.indicator.type\":\"ipv4-addr\"}}]}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"ti_cif3.feed\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"ti_cif3.feed\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":true,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"id\":\"\",\"params\":{\"fontSize\":12,\"markdown\":\"**Navigation**\\n\\n[CIFv3 Overview](/app/dashboards#/view/ti_cif3-b4d9d9b0-0a2f-11ed-bcc0-01c79f2670f3) \\n[CIFv3 Emails](/app/dashboards#/view/ti_cif3-bda23600-0abb-11ed-bcc0-01c79f2670f3) \\n[CIFv3 Files](/app/dashboards#/view/ti_cif3-63a0e470-0a30-11ed-bcc0-01c79f2670f3) \\n[CIFv3 FQDNs](/app/dashboards#/view/ti_cif3-6005a190-0aba-11ed-bcc0-01c79f2670f3) \\n**[CIFv3 IPs(This Page)](/app/dashboards#/view/ti_cif3-aedada10-0ab5-11ed-bcc0-01c79f2670f3)** \\n[CIFv3 
URLs](/app/dashboards#/view/ti_cif3-fef149c0-0a2f-11ed-bcc0-01c79f2670f3) \\n\\n[Integrations Page](/app/integrations/detail/ti_cif3/overview)\\n\\n\\n**Overview**\\n\\nThis dashboard is an overview of the different threat intelligence indicators with a **threat.indicator.type: ipv4-addr OR ipv6-addr**. \\n\\nThe dashboard is made to provide general statistics and show the health of your indicators like prevalent ASNs, GeoIP regions, statistics about how many unique indicators are ingested, and other relevant information.\",\"openLinksInNewTab\":false},\"title\":\"\",\"type\":\"markdown\",\"uiState\":{}}},\"gridData\":{\"h\":39,\"i\":\"4c3ed6e1-8b4e-4eab-8d84-70ed4f506216\",\"w\":7,\"x\":0,\"y\":0},\"panelIndex\":\"4c3ed6e1-8b4e-4eab-8d84-70ed4f506216\",\"title\":\"Files Navigation Textbox [Logs CIFv3]\",\"type\":\"visualization\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-79edd9a4-1178-4294-94df-5d4b145d0e40\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"79edd9a4-1178-4294-94df-5d4b145d0e40\":{\"columnOrder\":[\"d1ce22a5-8010-4830-8c61-e8da8c2b2d11\"],\"columns\":{\"d1ce22a5-8010-4830-8c61-e8da8c2b2d11\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Unique 
IPs\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"threat.indicator.ip\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"d1ce22a5-8010-4830-8c61-e8da8c2b2d11\",\"layerId\":\"79edd9a4-1178-4294-94df-5d4b145d0e40\",\"layerType\":\"data\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":8,\"i\":\"7725b9bd-df8d-491c-a518-fe00a4538ebc\",\"w\":5,\"x\":7,\"y\":0},\"panelIndex\":\"7725b9bd-df8d-491c-a518-fe00a4538ebc\",\"title\":\"Unique IPs [Logs CIFv3]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-e8210fab-252e-4357-82f5-c8fc55fe2057\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"e8210fab-252e-4357-82f5-c8fc55fe2057\":{\"columnOrder\":[\"937cc845-c2e1-412a-b419-97c9d8076bee\"],\"columns\":{\"937cc845-c2e1-412a-b419-97c9d8076bee\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Unique ASNs\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"threat.indicator.as.number\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"937cc845-c2e1-412a-b419-97c9d8076bee\",\"layerId\":\"e8210fab-252e-4357-82f5-c8fc55fe2057\",\"layerType\":\"data\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":8,\"i\":\"329518f4-c5f9-42b0-b396-85ffcbb8cda3\",\"w\":5,\"x\":12,\"y\":0},\"panelIndex\":\"329518f4-c5f9-42b0-b396-85ffcbb8cda3\",\"title\":\"Unique ASNs [Logs 
CIFv3]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-864ef66d-9195-45a5-9dcd-916bcac76fd1\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"864ef66d-9195-45a5-9dcd-916bcac76fd1\":{\"columnOrder\":[\"d8bba7bc-4a82-40c3-a858-e92244ef476c\",\"1c86e415-dcb9-49ae-aa85-e4c7c0ddffd7\"],\"columns\":{\"1c86e415-dcb9-49ae-aa85-e4c7c0ddffd7\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"d8bba7bc-4a82-40c3-a858-e92244ef476c\":{\"dataType\":\"number\",\"isBucketed\":true,\"label\":\"Top values of threat.indicator.as.number\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"1c86e415-dcb9-49ae-aa85-e4c7c0ddffd7\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"threat.indicator.as.number\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"d8bba7bc-4a82-40c3-a858-e92244ef476c\"],\"layerId\":\"864ef66d-9195-45a5-9dcd-916bcac76fd1\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"1c86e415-dcb9-49ae-aa85-e4c7c0ddffd7\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"treemap\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"c651f85b-26e4-481e-91ff-39267e540183\",\"w\":21,\"x\":17,\"y\":0},\"panelIndex\":\"c651f85b-26e4-481e-91ff-39267e540183\",\"title\":\"Most Prevalent ASNs [Logs 
CIFv3]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-b3600118-bbef-4f41-b472-c08e802518c3\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"b3600118-bbef-4f41-b472-c08e802518c3\":{\"columnOrder\":[\"deabebaa-8bfa-4b99-8996-5dd59ecd37ca\",\"a9e4b58d-6503-4645-bc9b-69aede4b3a4c\"],\"columns\":{\"a9e4b58d-6503-4645-bc9b-69aede4b3a4c\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"deabebaa-8bfa-4b99-8996-5dd59ecd37ca\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Country Code\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"a9e4b58d-6503-4645-bc9b-69aede4b3a4c\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":15},\"scale\":\"ordinal\",\"sourceField\":\"threat.indicator.geo.country_iso_code\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"columns\":[{\"columnId\":\"deabebaa-8bfa-4b99-8996-5dd59ecd37ca\",\"isTransposed\":false},{\"columnId\":\"a9e4b58d-6503-4645-bc9b-69aede4b3a4c\",\"isTransposed\":false}],\"layerId\":\"b3600118-bbef-4f41-b472-c08e802518c3\",\"layerType\":\"data\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsDatatable\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"aea51b8a-0962-4b21-aa7e-7c599f0f45a4\",\"w\":10,\"x\":38,\"y\":0},\"panelIndex\":\"aea51b8a-0962-4b21-aa7e-7c599f0f45a4\",\"title\":\"Most Common Countries [Logs 
CIFv3]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-da912e35-7510-42a6-b546-8d10a33b6546\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"da912e35-7510-42a6-b546-8d10a33b6546\":{\"columnOrder\":[\"989df1d6-f18f-4874-8601-9e7741935cc8\",\"f60fc28d-e739-46a2-a0ce-1340df8f7249\"],\"columns\":{\"989df1d6-f18f-4874-8601-9e7741935cc8\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of threat.indicator.type\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"f60fc28d-e739-46a2-a0ce-1340df8f7249\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"size\":2},\"scale\":\"ordinal\",\"sourceField\":\"threat.indicator.type\"},\"f60fc28d-e739-46a2-a0ce-1340df8f7249\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Unique count of threat.indicator.ip\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"threat.indicator.ip\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"989df1d6-f18f-4874-8601-9e7741935cc8\"],\"layerId\":\"da912e35-7510-42a6-b546-8d10a33b6546\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"f60fc28d-e739-46a2-a0ce-1340df8f7249\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"donut\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":7,\"i\":\"1536f4f2-41d6-4fd0-b6c4-3650a2b5f92d\",\"w\":10,\"x\":7,\"y\":8},\"panelIndex\":\"1536f4f2-41d6-4fd0-b6c4-3650a2b5f92d\",\"title\":\"Percentage of IP Type [Logs 
CIFv3]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"description\":\"\",\"layerListJSON\":\"[{\\\"sourceDescriptor\\\":{\\\"type\\\":\\\"EMS_TMS\\\",\\\"isAutoSelect\\\":true,\\\"lightModeDefault\\\":\\\"road_map_desaturated\\\"},\\\"id\\\":\\\"3df0f38b-db9e-451e-bb01-5a27226075df\\\",\\\"label\\\":null,\\\"minZoom\\\":0,\\\"maxZoom\\\":24,\\\"alpha\\\":1,\\\"visible\\\":true,\\\"style\\\":{\\\"type\\\":\\\"TILE\\\"},\\\"includeInFitToBounds\\\":true,\\\"type\\\":\\\"VECTOR_TILE\\\"},{\\\"sourceDescriptor\\\":{\\\"indexPatternId\\\":\\\"logs-*\\\",\\\"geoField\\\":\\\"threat.indicator.geo.location\\\",\\\"filterByMapBounds\\\":true,\\\"scalingType\\\":\\\"MVT\\\",\\\"id\\\":\\\"13a0c980-6195-4e3e-8506-b383ab8866c2\\\",\\\"type\\\":\\\"ES_SEARCH\\\",\\\"applyGlobalQuery\\\":true,\\\"applyGlobalTime\\\":true,\\\"applyForceRefresh\\\":true,\\\"tooltipProperties\\\":[],\\\"sortField\\\":\\\"\\\",\\\"sortOrder\\\":\\\"desc\\\",\\\"topHitsSplitField\\\":\\\"\\\",\\\"topHitsSize\\\":1},\\\"id\\\":\\\"0a0a1a3e-d002-47b0-a99a-03eb965b8bc4\\\",\\\"label\\\":null,\\\"minZoom\\\":0,\\\"maxZoom\\\":24,\\\"alpha\\\":0.75,\\\"visible\\\":true,\\\"style\\\":{\\\"type\\\":\\\"VECTOR\\\",\\\"properties\\\":{\\\"icon\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"value\\\":\\\"marker\\\"}},\\\"fillColor\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"color\\\":\\\"#ea7861\\\"}},\\\"lineColor\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"color\\\":\\\"#e05235\\\"}},\\\"lineWidth\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"size\\\":1}},\\\"iconSize\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"size\\\":6}},\\\"iconOrientation\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"orientation\\\":0}},\\\"labelText\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"value\\\":\\\"\\\"}},\\\"labelColor\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"color\\\":\\\"#000000\\\"}},\\\"labelSize\\\":{\\
\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"size\\\":14}},\\\"labelBorderColor\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"color\\\":\\\"#FFFFFF\\\"}},\\\"symbolizeAs\\\":{\\\"options\\\":{\\\"value\\\":\\\"circle\\\"}},\\\"labelBorderSize\\\":{\\\"options\\\":{\\\"size\\\":\\\"SMALL\\\"}}},\\\"isTimeAware\\\":true},\\\"includeInFitToBounds\\\":true,\\\"type\\\":\\\"TILED_VECTOR\\\",\\\"joins\\\":[]}]\",\"mapStateJSON\":\"{\\\"zoom\\\":1.14,\\\"center\\\":{\\\"lon\\\":0,\\\"lat\\\":19.94277},\\\"timeFilters\\\":{\\\"from\\\":\\\"now-75m\\\",\\\"to\\\":\\\"now\\\"},\\\"refreshConfig\\\":{\\\"isPaused\\\":true,\\\"interval\\\":0},\\\"query\\\":{\\\"query\\\":\\\"\\\",\\\"language\\\":\\\"kuery\\\"},\\\"filters\\\":[],\\\"settings\\\":{\\\"autoFitToDataBounds\\\":false,\\\"backgroundColor\\\":\\\"#ffffff\\\",\\\"disableInteractive\\\":false,\\\"disableTooltipControl\\\":false,\\\"hideToolbarOverlay\\\":false,\\\"hideLayerControl\\\":false,\\\"hideViewControl\\\":false,\\\"initialLocation\\\":\\\"LAST_SAVED_LOCATION\\\",\\\"fixedLocation\\\":{\\\"lat\\\":0,\\\"lon\\\":0,\\\"zoom\\\":2},\\\"browserLocation\\\":{\\\"zoom\\\":2},\\\"maxZoom\\\":24,\\\"minZoom\\\":0,\\\"showScaleControl\\\":false,\\\"showSpatialFilters\\\":true,\\\"showTimesliderToggleButton\\\":true,\\\"spatialFiltersAlpa\\\":0.3,\\\"spatialFiltersFillColor\\\":\\\"#DA8B45\\\",\\\"spatialFiltersLineColor\\\":\\\"#DA8B45\\\"}}\",\"title\":\"\",\"uiStateJSON\":\"{\\\"isLayerTOCOpen\\\":false,\\\"openTOCDetails\\\":[]}\"},\"enhancements\":{},\"hiddenLayers\":[],\"hidePanelTitles\":false,\"isLayerTOCOpen\":false,\"mapBuffer\":{\"maxLat\":85.05113,\"maxLon\":360,\"minLat\":-85.05113,\"minLon\":-360},\"mapCenter\":{\"lat\":26.16939,\"lon\":14.00125,\"zoom\":0.49},\"openTOCDetails\":[]},\"gridData\":{\"h\":14,\"i\":\"ad624736-f1dd-4d77-8517-680e7bc4b882\",\"w\":23,\"x\":7,\"y\":15},\"panelIndex\":\"ad624736-f1dd-4d77-8517-680e7bc4b882\",\"title\":\"IP Source Location [Logs 
CIFv3]\",\"type\":\"map\",\"version\":\"8.0.0-SNAPSHOT\"}]",
- "timeRestore": false,
- "title": "[Logs CIFv3] IPs",
- "version": 1
- },
- "coreMigrationVersion": "8.0.0",
- "id": "ti_cif3-aedada10-0ab5-11ed-bcc0-01c79f2670f3",
- "migrationVersion": {
- "dashboard": "8.0.0"
- },
- "references": [
- {
- "id": "logs-*",
- "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "7725b9bd-df8d-491c-a518-fe00a4538ebc:indexpattern-datasource-current-indexpattern",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "7725b9bd-df8d-491c-a518-fe00a4538ebc:indexpattern-datasource-layer-79edd9a4-1178-4294-94df-5d4b145d0e40",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "329518f4-c5f9-42b0-b396-85ffcbb8cda3:indexpattern-datasource-current-indexpattern",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "329518f4-c5f9-42b0-b396-85ffcbb8cda3:indexpattern-datasource-layer-e8210fab-252e-4357-82f5-c8fc55fe2057",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "c651f85b-26e4-481e-91ff-39267e540183:indexpattern-datasource-current-indexpattern",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "c651f85b-26e4-481e-91ff-39267e540183:indexpattern-datasource-layer-864ef66d-9195-45a5-9dcd-916bcac76fd1",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "aea51b8a-0962-4b21-aa7e-7c599f0f45a4:indexpattern-datasource-current-indexpattern",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "aea51b8a-0962-4b21-aa7e-7c599f0f45a4:indexpattern-datasource-layer-b3600118-bbef-4f41-b472-c08e802518c3",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "1536f4f2-41d6-4fd0-b6c4-3650a2b5f92d:indexpattern-datasource-current-indexpattern",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "1536f4f2-41d6-4fd0-b6c4-3650a2b5f92d:indexpattern-datasource-layer-da912e35-7510-42a6-b546-8d10a33b6546",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "ad624736-f1dd-4d77-8517-680e7bc4b882:layer_1_source_index_pattern",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "ab7ab31c-e76f-4613-b17d-fdd909f17e0d:indexpattern-datasource-layer-0f63318a-a857-4d83-89ce-a94e2242b79e",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "02f1732b-a981-4fba-8b27-b944f2f3c98c:indexpattern-datasource-layer-c94400ee-a135-4a99-9693-5879d29f7aad",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "fda93ed1-72f0-4489-80b7-9e69d14f30aa:indexpattern-datasource-layer-9fa49c4c-5544-472d-afce-e51d6a5687fe",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "73a752f9-bde5-4396-8ede-e9e77a37182d:indexpattern-datasource-layer-a6fa56f8-32fa-405d-8771-dade4fe75d62",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "8994501a-1550-4cf2-857f-d6b6491ffb62:indexpattern-datasource-layer-db89074c-e1fe-4091-bdb1-e42a36e82bac",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "c7c6e8dc-b649-434c-9650-8a1564d4d676:indexpattern-datasource-layer-88a112e1-6da1-49d3-9177-19f98280c200",
- "type": "index-pattern"
- },
- {
- "id": "ti_cif3-ec8c3e30-0c59-11ed-9b65-435777f1d8a1",
- "name": "tag-ti_cif3-ec8c3e30-0c59-11ed-9b65-435777f1d8a1",
- "type": "tag"
- }
- ],
- "type": "dashboard"
-}
\ No newline at end of file
diff --git a/packages/ti_cif3/0.2.0/kibana/dashboard/ti_cif3-b4d9d9b0-0a2f-11ed-bcc0-01c79f2670f3.json b/packages/ti_cif3/0.2.0/kibana/dashboard/ti_cif3-b4d9d9b0-0a2f-11ed-bcc0-01c79f2670f3.json
deleted file mode 100755
index 2fe7bc6819..0000000000
--- a/packages/ti_cif3/0.2.0/kibana/dashboard/ti_cif3-b4d9d9b0-0a2f-11ed-bcc0-01c79f2670f3.json
+++ /dev/null
@@ -1,107 +0,0 @@ -{ - "attributes": { - "description": "Dashboard providing statistics about indicators ingested from the Collective Intelligence Framework v3 integration", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.kind\",\"negate\":false,\"params\":{\"query\":\"enrichment\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"event.kind\":\"enrichment\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"ti_cif3.feed\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"ti_cif3.feed\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":true,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"fontSize\":12,\"markdown\":\"**Navigation**\\n\\n**[CIFv3 (This Page)](/app/dashboards#/view/ti_cif3-b4d9d9b0-0a2f-11ed-bcc0-01c79f2670f3)** \\n[CIFv3 Emails](/app/dashboards#/view/ti_cif3-bda23600-0abb-11ed-bcc0-01c79f2670f3) \\n[CIFv3 Files](/app/dashboards#/view/ti_cif3-63a0e470-0a30-11ed-bcc0-01c79f2670f3) \\n[CIFv3 FQDNs](/app/dashboards#/view/ti_cif3-6005a190-0aba-11ed-bcc0-01c79f2670f3) \\n[CIFv3 IPs](/app/dashboards#/view/ti_cif3-aedada10-0ab5-11ed-bcc0-01c79f2670f3) \\n[CIFv3 URLs](/app/dashboards#/view/ti_cif3-fef149c0-0a2f-11ed-bcc0-01c79f2670f3) \\n\\n[Integrations Page](/app/integrations/detail/ti_cif3/overview)\\n\\n\\n**Overview**\\n\\nThis dashboard is a health 
overview related to the Collective Intelligence Framework v3 integration.\\n\\nThe dashboard is made to provide general statistics and show the health of the ingestion of indicators from a CIFv3 instance. \\n\\nThe ingestion rates (by default it fetches new updates every 60 minutes) and provides a few filters for drilling down to specific indicator types retrieved from the CIFv3 instance.\",\"openLinksInNewTab\":false},\"title\":\"Overview Textbox [CIFv3]\",\"type\":\"markdown\",\"uiState\":{}}},\"gridData\":{\"h\":31,\"i\":\"555e9e6c-04e9-4022-b6df-bda07dde30c4\",\"w\":7,\"x\":0,\"y\":0},\"panelIndex\":\"555e9e6c-04e9-4022-b6df-bda07dde30c4\",\"title\":\"Overview Textbox [Logs CIFv3]\",\"type\":\"visualization\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.dataset\",\"negate\":false,\"params\":[\"ti_cif3.feed\"],\"type\":\"phrases\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.dataset\":\"ti_cif3.feed\"}}]}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"event.kind\",\"negate\":false,\"params\":{\"query\":\"enrichment\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"event.kind\":\"enrichment\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"controls\":[{\"fieldName\":\"threat.indicator.provider\",\"id\":\"1635779603363\",\"indexPatternRefName\":\"control_e971fedd-6afd-4d03-93ac-d0c751acc254_0_index_pattern\",\"label\":\"Indicator 
Provider\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"},{\"fieldName\":\"threat.indicator.type\",\"id\":\"1635779625911\",\"indexPatternRefName\":\"control_e971fedd-6afd-4d03-93ac-d0c751acc254_1_index_pattern\",\"label\":\"Indicator Type\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"},{\"fieldName\":\"tags\",\"id\":\"1658691004225\",\"indexPatternRefName\":\"control_e971fedd-6afd-4d03-93ac-d0c751acc254_2_index_pattern\",\"label\":\"Indicator Tag\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"}],\"pinFilters\":false,\"updateFiltersOnChange\":false,\"useTimeFilter\":false},\"title\":\"Feed and Indicator Selector [CIFv3]\",\"type\":\"input_control_vis\",\"uiState\":{}}},\"gridData\":{\"h\":6,\"i\":\"e971fedd-6afd-4d03-93ac-d0c751acc254\",\"w\":41,\"x\":7,\"y\":0},\"panelIndex\":\"e971fedd-6afd-4d03-93ac-d0c751acc254\",\"title\":\"Feed and Indicator Selector [Logs 
CIFv3]\",\"type\":\"visualization\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-c1cee622-e3dd-4d6b-a28a-0fb19dc2c7b7\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"c1cee622-e3dd-4d6b-a28a-0fb19dc2c7b7\":{\"columnOrder\":[\"4d7ca99c-8a53-4a7f-96db-409251c0e391\",\"b7f07f7c-1477-4f83-95f5-ad5cdc3a314b\",\"0726d151-9edf-41cb-ab52-473ab27cf8b7\"],\"columns\":{\"0726d151-9edf-41cb-ab52-473ab27cf8b7\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"4d7ca99c-8a53-4a7f-96db-409251c0e391\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of event.dataset\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"0726d151-9edf-41cb-ab52-473ab27cf8b7\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"size\":3},\"scale\":\"ordinal\",\"sourceField\":\"event.dataset\"},\"b7f07f7c-1477-4f83-95f5-ad5cdc3a314b\":{\"dataType\":\"date\",\"isBucketed\":true,\"label\":\"@timestamp\",\"operationType\":\"date_histogram\",\"params\":{\"includeEmptyRows\":true,\"interval\":\"30s\"},\"scale\":\"interval\",\"sourceField\":\"@timestamp\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"curveType\":\"CURVE_MONOTONE_X\",\"fittingFunction\":\"Zero\",\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"layers\":[{\"accessors\":[\"0726d151-9edf-41cb-ab52-473ab27cf8b7\"],\"layerId\":\"c1cee622-e3dd-4d6b-a28a-0fb19dc2c7b7\",\"layerType\":\"data\",\"position\":\"top\",\"seriesType\":\"line\",\"showGridlines\":false,\"splitAccessor\":\"4d7ca99c-8a53-4a7f-96db-409251c0e391\",\"xAccessor\":\"b7f07f7c-1477-
4f83-95f5-ad5cdc3a314b\"}],\"legend\":{\"isInside\":false,\"isVisible\":true,\"legendSize\":\"auto\",\"position\":\"bottom\",\"shouldTruncate\":false,\"showSingleSeries\":true},\"preferredSeriesType\":\"line\",\"title\":\"Empty XY chart\",\"valueLabels\":\"hide\",\"valuesInLegend\":false,\"xTitle\":\"Date\",\"yLeftExtent\":{\"mode\":\"full\"},\"yRightExtent\":{\"mode\":\"full\"},\"yTitle\":\"Total Indicators\"}},\"title\":\"Indicators ingested per Datastream [Logs CIFv3]\",\"type\":\"lens\",\"visualizationType\":\"lnsXY\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":16,\"i\":\"aab4fac0-d39c-4521-aa9b-0a49d5938e9e\",\"w\":29,\"x\":7,\"y\":6},\"panelIndex\":\"aab4fac0-d39c-4521-aa9b-0a49d5938e9e\",\"title\":\"Indicators ingested per Datastream [Logs CIFv3]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-2c2ce8ee-a793-4242-aad4-06f3a8707b02\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"2c2ce8ee-a793-4242-aad4-06f3a8707b02\":{\"columnOrder\":[\"1d9b6fbf-58e3-427e-a453-edec40466320\",\"b6cbd44b-6f5d-4e1e-b1ab-0c09b3a67111\"],\"columns\":{\"1d9b6fbf-58e3-427e-a453-edec40466320\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of threat.indicator.type\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"b6cbd44b-6f5d-4e1e-b1ab-0c09b3a67111\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"threat.indicator.type\"},\"b6cbd44b-6f5d-4e1e-b1ab-0c09b3a67111\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of 
records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"1d9b6fbf-58e3-427e-a453-edec40466320\"],\"layerId\":\"2c2ce8ee-a793-4242-aad4-06f3a8707b02\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"b6cbd44b-6f5d-4e1e-b1ab-0c09b3a67111\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"donut\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":8,\"i\":\"c446ea70-8a63-418e-8997-e43a5f7c5b5d\",\"w\":12,\"x\":36,\"y\":6},\"panelIndex\":\"c446ea70-8a63-418e-8997-e43a5f7c5b5d\",\"title\":\"Total Percentage by Type [Logs CIFv3]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"description\":\"\",\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-070f5dbc-7687-4e97-9a57-5542b401c13f\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"070f5dbc-7687-4e97-9a57-5542b401c13f\":{\"columnOrder\":[\"1e352b49-3b83-44a6-98fe-8703d30f2517\"],\"columns\":{\"1e352b49-3b83-44a6-98fe-8703d30f2517\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Total Indicators\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"1e352b49-3b83-44a6-98fe-8703d30f2517\",\"layerId\":\"070f5dbc-7687-4e97-9a57-5542b401c13f\",\"layerType\":\"data\",\"size\":\"xl\",\"textAlign\":\"center\",\"titlePosition\":\"bottom\"}},\"title\":\"Total Indicators [Logs 
CIFv3]\",\"type\":\"lens\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":8,\"i\":\"d37eb797-f273-43c2-9004-b947891cce55\",\"w\":6,\"x\":36,\"y\":14},\"panelIndex\":\"d37eb797-f273-43c2-9004-b947891cce55\",\"title\":\"Total Indicators [Logs CIFv3]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-df8e3a91-700b-428a-a763-525076e4d3c8\",\"type\":\"index-pattern\"}],\"sharingSavedObjectProps\":{\"outcome\":\"exactMatch\",\"sourceId\":\"ti_cif3-49830790-3b27-11ec-ae50-2fdf1e96c6a6\"},\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"df8e3a91-700b-428a-a763-525076e4d3c8\":{\"columnOrder\":[\"e4f78e2f-f0a7-4cc6-96d0-af607ffbf326\"],\"columns\":{\"e4f78e2f-f0a7-4cc6-96d0-af607ffbf326\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Total Datastreams\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"event.dataset\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"e4f78e2f-f0a7-4cc6-96d0-af607ffbf326\",\"layerId\":\"df8e3a91-700b-428a-a763-525076e4d3c8\",\"layerType\":\"data\",\"size\":\"xl\",\"textAlign\":\"center\",\"titlePosition\":\"bottom\"}},\"title\":\"Total Datastreams [Logs CIFv3]\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":8,\"i\":\"6509dcc9-bb9c-4c1f-80e9-612f67ada340\",\"w\":6,\"x\":42,\"y\":14},\"panelIndex\":\"6509dcc9-bb9c-4c1f-80e9-612f67ada340\",\"title\":\"Total Datastreams [Logs CIFv3]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"}]", - "timeRestore": false, - "title": "[Logs CIFv3] Overview", - "version": 1 - }, - "coreMigrationVersion": "8.0.0", - "id": 
"ti_cif3-b4d9d9b0-0a2f-11ed-bcc0-01c79f2670f3", - "migrationVersion": { - "dashboard": "8.0.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "e971fedd-6afd-4d03-93ac-d0c751acc254:kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "e971fedd-6afd-4d03-93ac-d0c751acc254:kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "e971fedd-6afd-4d03-93ac-d0c751acc254:control_e971fedd-6afd-4d03-93ac-d0c751acc254_0_index_pattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "e971fedd-6afd-4d03-93ac-d0c751acc254:control_e971fedd-6afd-4d03-93ac-d0c751acc254_1_index_pattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "e971fedd-6afd-4d03-93ac-d0c751acc254:control_e971fedd-6afd-4d03-93ac-d0c751acc254_2_index_pattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "aab4fac0-d39c-4521-aa9b-0a49d5938e9e:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "aab4fac0-d39c-4521-aa9b-0a49d5938e9e:indexpattern-datasource-layer-c1cee622-e3dd-4d6b-a28a-0fb19dc2c7b7", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "c446ea70-8a63-418e-8997-e43a5f7c5b5d:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "c446ea70-8a63-418e-8997-e43a5f7c5b5d:indexpattern-datasource-layer-2c2ce8ee-a793-4242-aad4-06f3a8707b02", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "d37eb797-f273-43c2-9004-b947891cce55:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - 
"name": "d37eb797-f273-43c2-9004-b947891cce55:indexpattern-datasource-layer-070f5dbc-7687-4e97-9a57-5542b401c13f", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "6509dcc9-bb9c-4c1f-80e9-612f67ada340:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "6509dcc9-bb9c-4c1f-80e9-612f67ada340:indexpattern-datasource-layer-df8e3a91-700b-428a-a763-525076e4d3c8", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "f654c447-12d2-41a4-9091-06169af11ba5:indexpattern-datasource-layer-682732d8-8691-4c5a-bf89-de8e30d71dfb", - "type": "index-pattern" - }, - { - "id": "ti_cif3-ec8c3e30-0c59-11ed-9b65-435777f1d8a1", - "name": "tag-ti_cif3-ec8c3e30-0c59-11ed-9b65-435777f1d8a1", - "type": "tag" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/ti_cif3/0.2.0/kibana/dashboard/ti_cif3-bda23600-0abb-11ed-bcc0-01c79f2670f3.json b/packages/ti_cif3/0.2.0/kibana/dashboard/ti_cif3-bda23600-0abb-11ed-bcc0-01c79f2670f3.json deleted file mode 100755 index fce7d83a02..0000000000 --- a/packages/ti_cif3/0.2.0/kibana/dashboard/ti_cif3-bda23600-0abb-11ed-bcc0-01c79f2670f3.json +++ /dev/null 
@@ -1,72 +0,0 @@ -{ - "attributes": { - "description": "Dashboard providing statistics about Email type indicators from the Collective Intelligence Framework v3 integration", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"threat.indicator.type\",\"negate\":false,\"params\":{\"query\":\"email-addr\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"threat.indicator.type\":\"email-addr\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"ti_cif3.feed\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"ti_cif3.feed\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":true,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"id\":\"\",\"params\":{\"fontSize\":12,\"markdown\":\"**Navigation**\\n\\n[CIFv3 Overview](/app/dashboards#/view/ti_cif3-b4d9d9b0-0a2f-11ed-bcc0-01c79f2670f3) \\n**[CIFv3 Emails (This Page)](/app/dashboards#/view/ti_cif3-bda23600-0abb-11ed-bcc0-01c79f2670f3)** \\n[CIFv3 Files](/app/dashboards#/view/ti_cif3-63a0e470-0a30-11ed-bcc0-01c79f2670f3) \\n[CIFv3 FQDNs](/app/dashboards#/view/ti_cif3-6005a190-0aba-11ed-bcc0-01c79f2670f3) \\n[CIFv3 IPs](/app/dashboards#/view/ti_cif3-aedada10-0ab5-11ed-bcc0-01c79f2670f3) \\n[CIFv3 URLs](/app/dashboards#/view/ti_cif3-fef149c0-0a2f-11ed-bcc0-01c79f2670f3) \\n\\n[Integrations 
Page](/app/integrations/detail/ti_cif3/overview)\\n\\n\\n**Overview**\\n\\nThis dashboard is an overview of the different threat intelligence indicators with a **threat.indicator.type: email-addr**. \\n\\nThe dashboard is made to provide general statistics and show the health of your indicators like popular domains, and statistics about how many unique indicators are ingested and other relevant information.\",\"openLinksInNewTab\":false},\"title\":\"\",\"type\":\"markdown\",\"uiState\":{}}},\"gridData\":{\"h\":39,\"i\":\"4c3ed6e1-8b4e-4eab-8d84-70ed4f506216\",\"w\":7,\"x\":0,\"y\":0},\"panelIndex\":\"4c3ed6e1-8b4e-4eab-8d84-70ed4f506216\",\"title\":\"Files Navigation Textbox [Logs CIFv3]\",\"type\":\"visualization\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-cd81a60b-2661-48b3-a40f-ba8451e802a6\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"cd81a60b-2661-48b3-a40f-ba8451e802a6\":{\"columnOrder\":[\"4f96463f-c5f9-448b-ab9e-7e17a2bd5969\"],\"columns\":{\"4f96463f-c5f9-448b-ab9e-7e17a2bd5969\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Unique 
Addresses\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"threat.indicator.email.address\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"4f96463f-c5f9-448b-ab9e-7e17a2bd5969\",\"layerId\":\"cd81a60b-2661-48b3-a40f-ba8451e802a6\",\"layerType\":\"data\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":8,\"i\":\"3a6a2852-0fb8-45df-9a79-e7729691fe5f\",\"w\":6,\"x\":7,\"y\":0},\"panelIndex\":\"3a6a2852-0fb8-45df-9a79-e7729691fe5f\",\"title\":\"Unique Addresses [Logs CIFv3]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-c94400ee-a135-4a99-9693-5879d29f7aad\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"c94400ee-a135-4a99-9693-5879d29f7aad\":{\"columnOrder\":[\"2934249f-fce5-4637-87ff-d2596d1b6ec5\"],\"columns\":{\"2934249f-fce5-4637-87ff-d2596d1b6ec5\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Unique 
Domains\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"threat.indicator.url.domain\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"2934249f-fce5-4637-87ff-d2596d1b6ec5\",\"layerId\":\"c94400ee-a135-4a99-9693-5879d29f7aad\",\"layerType\":\"data\",\"size\":\"xl\",\"textAlign\":\"center\",\"titlePosition\":\"bottom\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":8,\"i\":\"02f1732b-a981-4fba-8b27-b944f2f3c98c\",\"w\":6,\"x\":13,\"y\":0},\"panelIndex\":\"02f1732b-a981-4fba-8b27-b944f2f3c98c\",\"title\":\"Unique Domains [Logs CIFv3]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-db89074c-e1fe-4091-bdb1-e42a36e82bac\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"db89074c-e1fe-4091-bdb1-e42a36e82bac\":{\"columnOrder\":[\"b284ea2a-a2cd-4d08-bf44-fc73c08b5694\",\"7ca1ac0b-2060-4431-a4b9-ec470af4448c\"],\"columns\":{\"7ca1ac0b-2060-4431-a4b9-ec470af4448c\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"b284ea2a-a2cd-4d08-bf44-fc73c08b5694\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Domains\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"7ca1ac0b-2060-4431-a4b9-ec470af4448c\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"threat.indicator.url.domain\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"que
ry\":\"\"},\"visualization\":{\"columns\":[{\"columnId\":\"7ca1ac0b-2060-4431-a4b9-ec470af4448c\",\"isTransposed\":false},{\"columnId\":\"b284ea2a-a2cd-4d08-bf44-fc73c08b5694\",\"isTransposed\":false}],\"layerId\":\"db89074c-e1fe-4091-bdb1-e42a36e82bac\",\"layerType\":\"data\",\"rowHeight\":\"single\",\"rowHeightLines\":1}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsDatatable\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":16,\"i\":\"8994501a-1550-4cf2-857f-d6b6491ffb62\",\"w\":18,\"x\":19,\"y\":0},\"panelIndex\":\"8994501a-1550-4cf2-857f-d6b6491ffb62\",\"title\":\"Most Popular Domains [Logs CIFv3]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"}]", - "timeRestore": false, - "title": "[Logs CIFv3] Emails", - "version": 1 - }, - "coreMigrationVersion": "8.0.0", - "id": "ti_cif3-bda23600-0abb-11ed-bcc0-01c79f2670f3", - "migrationVersion": { - "dashboard": "8.0.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "3a6a2852-0fb8-45df-9a79-e7729691fe5f:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "3a6a2852-0fb8-45df-9a79-e7729691fe5f:indexpattern-datasource-layer-cd81a60b-2661-48b3-a40f-ba8451e802a6", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "02f1732b-a981-4fba-8b27-b944f2f3c98c:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "02f1732b-a981-4fba-8b27-b944f2f3c98c:indexpattern-datasource-layer-c94400ee-a135-4a99-9693-5879d29f7aad", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "8994501a-1550-4cf2-857f-d6b6491ffb62:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - 
"name": "8994501a-1550-4cf2-857f-d6b6491ffb62:indexpattern-datasource-layer-db89074c-e1fe-4091-bdb1-e42a36e82bac", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "c7c6e8dc-b649-434c-9650-8a1564d4d676:indexpattern-datasource-layer-88a112e1-6da1-49d3-9177-19f98280c200", - "type": "index-pattern" - }, - { - "id": "ti_cif3-ec8c3e30-0c59-11ed-9b65-435777f1d8a1", - "name": "tag-ti_cif3-ec8c3e30-0c59-11ed-9b65-435777f1d8a1", - "type": "tag" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/ti_cif3/0.2.0/kibana/dashboard/ti_cif3-fef149c0-0a2f-11ed-bcc0-01c79f2670f3.json b/packages/ti_cif3/0.2.0/kibana/dashboard/ti_cif3-fef149c0-0a2f-11ed-bcc0-01c79f2670f3.json deleted file mode 100755 index d29035b7c7..0000000000 --- a/packages/ti_cif3/0.2.0/kibana/dashboard/ti_cif3-fef149c0-0a2f-11ed-bcc0-01c79f2670f3.json +++ /dev/null 
@@ -1,102 +0,0 @@ -{ - "attributes": { - "description": "Dashboard providing statistics about URL type indicators from the Collective Intelligence Framework v3 integration", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"threat.indicator.type\",\"negate\":false,\"params\":{\"query\":\"url\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"threat.indicator.type\":\"url\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"ti_cif3.feed\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"ti_cif3.feed\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":true,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"id\":\"\",\"params\":{\"fontSize\":12,\"markdown\":\"**Navigation**\\n\\n[CIFv3 Overview](/app/dashboards#/view/ti_cif3-b4d9d9b0-0a2f-11ed-bcc0-01c79f2670f3) \\n[CIFv3 Emails](/app/dashboards#/view/ti_cif3-bda23600-0abb-11ed-bcc0-01c79f2670f3) \\n[CIFv3 Files](/app/dashboards#/view/ti_cif3-63a0e470-0a30-11ed-bcc0-01c79f2670f3) \\n[CIFv3 FQDNs](/app/dashboards#/view/ti_cif3-6005a190-0aba-11ed-bcc0-01c79f2670f3) \\n[CIFv3 IPs](/app/dashboards#/view/ti_cif3-aedada10-0ab5-11ed-bcc0-01c79f2670f3) \\n**[CIFv3 URLs (This Page)](/app/dashboards#/view/ti_cif3-fef149c0-0a2f-11ed-bcc0-01c79f2670f3)** \\n\\n[Integrations 
Page](/app/integrations/detail/ti_cif3/overview)\\n\\n\\n**Overview**\\n\\nThis dashboard is an overview of the different threat intelligence indicators with a **threat.indicator.type: url**. \\n\\nThe dashboard is made to provide general statistics and show the health of your indicators like popular domains, file extensions, statistics about how many unique indicators are ingested and other relevant information.\",\"openLinksInNewTab\":false},\"title\":\"\",\"type\":\"markdown\",\"uiState\":{}}},\"gridData\":{\"h\":39,\"i\":\"4c3ed6e1-8b4e-4eab-8d84-70ed4f506216\",\"w\":7,\"x\":0,\"y\":0},\"panelIndex\":\"4c3ed6e1-8b4e-4eab-8d84-70ed4f506216\",\"title\":\"Files Navigation Textbox [Logs CIFv3]\",\"type\":\"visualization\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-88a112e1-6da1-49d3-9177-19f98280c200\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"88a112e1-6da1-49d3-9177-19f98280c200\":{\"columnOrder\":[\"604f1693-15a6-437d-af69-03588db8e471\"],\"columns\":{\"604f1693-15a6-437d-af69-03588db8e471\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Unique 
Ports\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"threat.indicator.url.port\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"604f1693-15a6-437d-af69-03588db8e471\",\"layerId\":\"88a112e1-6da1-49d3-9177-19f98280c200\",\"layerType\":\"data\",\"size\":\"xl\",\"textAlign\":\"center\",\"titlePosition\":\"bottom\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":8,\"i\":\"c7c6e8dc-b649-434c-9650-8a1564d4d676\",\"w\":6,\"x\":7,\"y\":0},\"panelIndex\":\"c7c6e8dc-b649-434c-9650-8a1564d4d676\",\"title\":\"Unique Ports [Logs CIFv3]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-a6fa56f8-32fa-405d-8771-dade4fe75d62\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"a6fa56f8-32fa-405d-8771-dade4fe75d62\":{\"columnOrder\":[\"848c463b-bbc1-4b6a-af3e-76d844eb3cc5\"],\"columns\":{\"848c463b-bbc1-4b6a-af3e-76d844eb3cc5\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Unique 
Extensions\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"threat.indicator.url.extension\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"848c463b-bbc1-4b6a-af3e-76d844eb3cc5\",\"layerId\":\"a6fa56f8-32fa-405d-8771-dade4fe75d62\",\"layerType\":\"data\",\"size\":\"xl\",\"textAlign\":\"center\",\"titlePosition\":\"bottom\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":8,\"i\":\"73a752f9-bde5-4396-8ede-e9e77a37182d\",\"w\":6,\"x\":13,\"y\":0},\"panelIndex\":\"73a752f9-bde5-4396-8ede-e9e77a37182d\",\"title\":\"Unique File Extensions [Logs CIFv3]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-c94400ee-a135-4a99-9693-5879d29f7aad\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"c94400ee-a135-4a99-9693-5879d29f7aad\":{\"columnOrder\":[\"2934249f-fce5-4637-87ff-d2596d1b6ec5\"],\"columns\":{\"2934249f-fce5-4637-87ff-d2596d1b6ec5\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Unique 
Domains\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"threat.indicator.url.domain\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"2934249f-fce5-4637-87ff-d2596d1b6ec5\",\"layerId\":\"c94400ee-a135-4a99-9693-5879d29f7aad\",\"layerType\":\"data\",\"size\":\"xl\",\"textAlign\":\"center\",\"titlePosition\":\"bottom\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":8,\"i\":\"02f1732b-a981-4fba-8b27-b944f2f3c98c\",\"w\":6,\"x\":19,\"y\":0},\"panelIndex\":\"02f1732b-a981-4fba-8b27-b944f2f3c98c\",\"title\":\"Unique Domains [Logs CIFv3]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-0f63318a-a857-4d83-89ce-a94e2242b79e\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"0f63318a-a857-4d83-89ce-a94e2242b79e\":{\"columnOrder\":[\"df0791a6-247c-4434-a43a-fdea7577ca34\",\"77a48096-02aa-4b7a-8a7b-131fc38988bd\"],\"columns\":{\"77a48096-02aa-4b7a-8a7b-131fc38988bd\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"df0791a6-247c-4434-a43a-fdea7577ca34\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of 
threat.indicator.url.scheme\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"77a48096-02aa-4b7a-8a7b-131fc38988bd\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"threat.indicator.url.scheme\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"df0791a6-247c-4434-a43a-fdea7577ca34\"],\"layerId\":\"0f63318a-a857-4d83-89ce-a94e2242b79e\",\"layerType\":\"data\",\"legendDisplay\":\"show\",\"legendSize\":\"auto\",\"metric\":\"77a48096-02aa-4b7a-8a7b-131fc38988bd\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"donut\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":8,\"i\":\"ab7ab31c-e76f-4613-b17d-fdd909f17e0d\",\"w\":10,\"x\":25,\"y\":0},\"panelIndex\":\"ab7ab31c-e76f-4613-b17d-fdd909f17e0d\",\"title\":\"Percentage of URL Schema used [Logs 
CIFv3]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-db89074c-e1fe-4091-bdb1-e42a36e82bac\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"db89074c-e1fe-4091-bdb1-e42a36e82bac\":{\"columnOrder\":[\"b284ea2a-a2cd-4d08-bf44-fc73c08b5694\",\"7ca1ac0b-2060-4431-a4b9-ec470af4448c\"],\"columns\":{\"7ca1ac0b-2060-4431-a4b9-ec470af4448c\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"b284ea2a-a2cd-4d08-bf44-fc73c08b5694\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Domains\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"7ca1ac0b-2060-4431-a4b9-ec470af4448c\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"threat.indicator.url.domain\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"columns\":[{\"columnId\":\"7ca1ac0b-2060-4431-a4b9-ec470af4448c\",\"isTransposed\":false},{\"columnId\":\"b284ea2a-a2cd-4d08-bf44-fc73c08b5694\",\"isTransposed\":false}],\"layerId\":\"db89074c-e1fe-4091-bdb1-e42a36e82bac\",\"layerType\":\"data\",\"rowHeight\":\"single\",\"rowHeightLines\":1}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsDatatable\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":16,\"i\":\"8994501a-1550-4cf2-857f-d6b6491ffb62\",\"w\":13,\"x\":35,\"y\":0},\"panelIndex\":\"8994501a-1550-4cf2-857f-d6b6491ffb62\",\"title\":\"Most Popular Domains [Logs 
CIFv3]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-dfaa5b71-ed27-4602-9dbe-d263fd33aa05\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"dfaa5b71-ed27-4602-9dbe-d263fd33aa05\":{\"columnOrder\":[\"c00d8a88-7047-4fa4-b99f-7e8be1370b6f\",\"14f7e661-8382-4e25-a998-10c6c576255e\"],\"columns\":{\"14f7e661-8382-4e25-a998-10c6c576255e\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"c00d8a88-7047-4fa4-b99f-7e8be1370b6f\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of threat.indicator.url.extension\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"14f7e661-8382-4e25-a998-10c6c576255e\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"threat.indicator.url.extension\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"c00d8a88-7047-4fa4-b99f-7e8be1370b6f\"],\"layerId\":\"dfaa5b71-ed27-4602-9dbe-d263fd33aa05\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"14f7e661-8382-4e25-a998-10c6c576255e\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"treemap\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":8,\"i\":\"353bb92f-8375-4dc6-b961-9ed7f7509627\",\"w\":28,\"x\":7,\"y\":8},\"panelIndex\":\"353bb92f-8375-4dc6-b961-9ed7f7509627\",\"title\":\"Most Popular File Extensions [Logs 
CIFv3]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"}]", - "timeRestore": false, - "title": "[Logs CIFv3] URLs", - "version": 1 - }, - "coreMigrationVersion": "8.0.0", - "id": "ti_cif3-fef149c0-0a2f-11ed-bcc0-01c79f2670f3", - "migrationVersion": { - "dashboard": "8.0.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "c7c6e8dc-b649-434c-9650-8a1564d4d676:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "c7c6e8dc-b649-434c-9650-8a1564d4d676:indexpattern-datasource-layer-88a112e1-6da1-49d3-9177-19f98280c200", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "73a752f9-bde5-4396-8ede-e9e77a37182d:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "73a752f9-bde5-4396-8ede-e9e77a37182d:indexpattern-datasource-layer-a6fa56f8-32fa-405d-8771-dade4fe75d62", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "02f1732b-a981-4fba-8b27-b944f2f3c98c:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "02f1732b-a981-4fba-8b27-b944f2f3c98c:indexpattern-datasource-layer-c94400ee-a135-4a99-9693-5879d29f7aad", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "ab7ab31c-e76f-4613-b17d-fdd909f17e0d:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "ab7ab31c-e76f-4613-b17d-fdd909f17e0d:indexpattern-datasource-layer-0f63318a-a857-4d83-89ce-a94e2242b79e", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "8994501a-1550-4cf2-857f-d6b6491ffb62:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - 
"name": "8994501a-1550-4cf2-857f-d6b6491ffb62:indexpattern-datasource-layer-db89074c-e1fe-4091-bdb1-e42a36e82bac", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "353bb92f-8375-4dc6-b961-9ed7f7509627:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "353bb92f-8375-4dc6-b961-9ed7f7509627:indexpattern-datasource-layer-dfaa5b71-ed27-4602-9dbe-d263fd33aa05", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "fda93ed1-72f0-4489-80b7-9e69d14f30aa:indexpattern-datasource-layer-9fa49c4c-5544-472d-afce-e51d6a5687fe", - "type": "index-pattern" - }, - { - "id": "ti_cif3-ec8c3e30-0c59-11ed-9b65-435777f1d8a1", - "name": "tag-ti_cif3-ec8c3e30-0c59-11ed-9b65-435777f1d8a1", - "type": "tag" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/ti_cif3/0.2.0/kibana/tag/ti_cif3-ec8c3e30-0c59-11ed-9b65-435777f1d8a1.json.json b/packages/ti_cif3/0.2.0/kibana/tag/ti_cif3-ec8c3e30-0c59-11ed-9b65-435777f1d8a1.json.json deleted file mode 100755 index 5d464afed9..0000000000 --- a/packages/ti_cif3/0.2.0/kibana/tag/ti_cif3-ec8c3e30-0c59-11ed-9b65-435777f1d8a1.json.json +++ /dev/null @@ -1,14 +0,0 @@ -{ - "attributes": { - "color": "#01426A", - "description": "", - "name": "CIFv3" - }, - "coreMigrationVersion": "8.0.0", - "id": "ti_cif3-ec8c3e30-0c59-11ed-9b65-435777f1d8a1", - "migrationVersion": { - "tag": "8.0.0" - }, - "references": [], - "type": "tag" -} \ No newline at end of file diff --git a/packages/ti_cif3/0.2.0/manifest.yml b/packages/ti_cif3/0.2.0/manifest.yml deleted file mode 100755 index e4772c35e6..0000000000 --- a/packages/ti_cif3/0.2.0/manifest.yml +++ /dev/null 
@@ -1,43 +0,0 @@ -format_version: 1.0.0 -name: ti_cif3 -title: "Collective Intelligence Framework v3" -version: 0.2.0 -release: beta -license: basic -description: "Ingest threat indicators from a Collective Intelligence Framework v3 instance with Elastic Agent." -type: integration -categories: - - security - - threat_intel -conditions: - kibana.version: "^8.0.0" -icons: - - src: /img/csg_logo_big.svg - title: csirtgadgets logo - size: 1047x748 - type: image/svg+xml -policy_templates: - - name: ti_cif3 - title: Collective Intelligence Framework v3 - description: Ingest threat indicators from a Collective Intelligence Framework v3 instance with Elastic Agent. - inputs: - - type: httpjson - title: Collect threat indicators via API - description: Ingest threat indicators from a Collective Intelligence Framework v3 instance with Elastic Agent. - vars: - - name: url - type: url - title: CIFv3 API base URL - multi: false - required: true - show_user: true - description: "Base URL for CIFv3 instance, e.g.: https://cif.yourdomain.tld" - - name: api_token - type: password - title: API Token - multi: false - required: true - show_user: true - description: The CIFv3 API read token -owner: - github: elastic/security-external-integrations diff --git a/packages/ti_cif3/0.2.1/LICENSE.txt b/packages/ti_cif3/0.2.1/LICENSE.txt deleted file mode 100755 index 809108b857..0000000000 --- a/packages/ti_cif3/0.2.1/LICENSE.txt +++ /dev/null 
@@ -1,93 +0,0 @@
-Elastic License 2.0
-
-URL: https://www.elastic.co/licensing/elastic-license
-
-## Acceptance
-
-By using the software, you agree to all of the terms and conditions below.
-
-## Copyright License
-
-The licensor grants you a non-exclusive, royalty-free, worldwide,
-non-sublicensable, non-transferable license to use, copy, distribute, make
-available, and prepare derivative works of the software, in each case subject to
-the limitations and conditions below.
-
-## Limitations
-
-You may not provide the software to third parties as a hosted or managed
-service, where the service provides users with access to any substantial set of
-the features or functionality of the software.
-
-You may not move, change, disable, or circumvent the license key functionality
-in the software, and you may not remove or obscure any functionality in the
-software that is protected by the license key.
-
-You may not alter, remove, or obscure any licensing, copyright, or other notices
-of the licensor in the software. Any use of the licensor’s trademarks is subject
-to applicable law.
-
-## Patents
-
-The licensor grants you a license, under any patent claims the licensor can
-license, or becomes able to license, to make, have made, use, sell, offer for
-sale, import and have imported the software, in each case subject to the
-limitations and conditions in this license. This license does not cover any
-patent claims that you cause to be infringed by modifications or additions to
-the software. If you or your company make any written claim that the software
-infringes or contributes to infringement of any patent, your patent license for
-the software granted under these terms ends immediately. If your company makes
-such a claim, your patent license ends immediately for work on behalf of your
-company.
-
-## Notices
-
-You must ensure that anyone who gets a copy of any part of the software from you
-also gets a copy of these terms.
-
-If you modify the software, you must include in any modified copies of the
-software prominent notices stating that you have modified the software.
-
-## No Other Rights
-
-These terms do not imply any licenses other than those expressly granted in
-these terms.
-
-## Termination
-
-If you use the software in violation of these terms, such use is not licensed,
-and your licenses will automatically terminate. If the licensor provides you
-with a notice of your violation, and you cease all violation of this license no
-later than 30 days after you receive that notice, your licenses will be
-reinstated retroactively. However, if you violate these terms after such
-reinstatement, any additional violation of these terms will cause your licenses
-to terminate automatically and permanently.
-
-## No Liability
-
-*As far as the law allows, the software comes as is, without any warranty or
-condition, and the licensor will not be liable to you for any damages arising
-out of these terms or the use or nature of the software, under any kind of
-legal claim.*
-
-## Definitions
-
-The **licensor** is the entity offering these terms, and the **software** is the
-software the licensor makes available under these terms, including any portion
-of it.
-
-**you** refers to the individual or entity agreeing to these terms.
-
-**your company** is any legal entity, sole proprietorship, or other kind of
-organization that you work for, plus all organizations that have control over,
-are under the control of, or are under common control with that
-organization. **control** means ownership of substantially all the assets of an
-entity, or the power to direct its management and policies by vote, contract, or
-otherwise. Control can be direct or indirect.
-
-**your licenses** are all the licenses granted to you for the software under
-these terms.
-
-**use** means anything you do with the software requiring one of your licenses.
- -**trademark** means trademarks, service marks, and similar rights. diff --git a/packages/ti_cif3/0.2.1/changelog.yml b/packages/ti_cif3/0.2.1/changelog.yml deleted file mode 100755 index 7f0182c12d..0000000000 --- a/packages/ti_cif3/0.2.1/changelog.yml +++ /dev/null @@ -1,16 +0,0 @@ -# newer versions go on top -- version: "0.2.1" - changes: - - description: Fix documentation build error - type: enhancement - link: https://github.com/elastic/integrations/pull/4295 -- version: "0.2.0" - changes: - - description: Labelling with Threat Intelligence category - type: enhancement - link: https://github.com/elastic/integrations/pull/4304 -- version: "0.1.0" - changes: - - description: Initial draft of the package - type: enhancement - link: https://github.com/elastic/integrations/pull/3839 diff --git a/packages/ti_cif3/0.2.1/data_stream/feed/agent/stream/httpjson.yml.hbs b/packages/ti_cif3/0.2.1/data_stream/feed/agent/stream/httpjson.yml.hbs deleted file mode 100755 index 42f0dcb645..0000000000 --- a/packages/ti_cif3/0.2.1/data_stream/feed/agent/stream/httpjson.yml.hbs +++ /dev/null 
@@ -1,87 +0,0 @@
-config_version: "2"
-interval: {{interval}}
-request.method: "GET"
-
-{{#if url}}
-request.url: {{url}}/feed
-{{/if}}
-{{#if proxy_url }}
-request.proxy_url: {{proxy_url}}
-{{/if}}
-{{#if ssl}}
-request.ssl: {{ssl}}
-{{/if}}
-{{#if http_client_timeout}}
-request.timeout: {{http_client_timeout}}
-{{/if}}
-request.transforms:
-- set:
- target: header.Accept
- value: 'application/vnd.cif.v3+json'
-- delete:
- target: header.User-Agent
-- set:
- target: header.User-Agent
- value: elastic-integration/0.1.0
-{{#if api_token }}
-- set:
- target: header.Authorization
- value: Token token={{ api_token }}
-{{/if}}
-{{#if type}}
-- set:
- target: url.params.itype
- value: {{ type }}
-{{/if}}
-{{#if confidence}}
-- set:
- target: url.params.confidence
- value: {{ confidence }}
-{{/if}}
-{{#if limit}}
-- set:
- target: url.params.limit
- value: {{ limit }}
-{{/if}}
-{{#if cif_tags}}
-- set:
- target: url.params.tags
- value: {{ cif_tags }}
-{{/if}}
-{{#if lookback_hours}}
-- set:
- target: url.params.hours
- value: {{ lookback_hours }}
-{{/if}}
-- set:
- target: url.params.reporttime
- value: '[[.cursor.last_requested_at]]'
- default: '[[ formatDate (now (parseDuration "-{{initial_lookback}}")) "RFC3339" ]]'
-
-{{#each filters}}
-- set:
- target: "url.params.{{{ @key }}}"
- value: {{ this }}
-{{/each}}
-
-response.split:
- target: body.data
-
-cursor:
- last_requested_at:
- value: '[[ formatDate (now) "RFC3339" ]]'
-
-tags:
-{{#if preserve_original_event}}
- - preserve_original_event
-{{/if}}
-{{#each tags as |tag i|}}
- - {{tag}}
-{{/each}}
-{{#contains "forwarded" tags}}
-publisher_pipeline.disable_host: true
-{{/contains}}
-{{#if processors}}
-processors:
-{{processors}}
-{{/if}}
\ No newline at end of file
diff --git a/packages/ti_cif3/0.2.1/data_stream/feed/elasticsearch/ingest_pipeline/default.yml b/packages/ti_cif3/0.2.1/data_stream/feed/elasticsearch/ingest_pipeline/default.yml
deleted file mode 100755
index 710037d1b1..0000000000
--- a/packages/ti_cif3/0.2.1/data_stream/feed/elasticsearch/ingest_pipeline/default.yml
+++ /dev/null
@@ -1,341 +0,0 @@
----
-description: Pipeline for processing CIFv3 threat indicators
-processors:
- ####################
- # Event ECS fields #
- ####################
- - set:
- field: ecs.version
- value: "8.4.0"
- - set:
- field: event.kind
- value: enrichment
- - set:
- field: event.category
- value: threat
- - set:
- field: event.type
- value: indicator
-
- ######################
- # General ECS fields #
- ######################
- - rename:
- field: message
- target_field: event.original
- ignore_missing: true
- - json:
- field: event.original
- target_field: cif3
-
- #####################
- # Threat ECS Fields #
- #####################
- - rename:
- field: cif3.firsttime
- target_field: threat.indicator.first_seen
- ignore_missing: true
- - rename:
- field: cif3.lasttime
- target_field: threat.indicator.last_seen
- ignore_missing: true
- - rename:
- field: cif3.reporttime
- target_field: threat.indicator.modified_at
- ignore_missing: true
- - rename:
- field: cif3.provider
- target_field: threat.indicator.provider
- ignore_missing: true
- - rename:
- field: cif3.reference
- target_field: threat.indicator.reference
- ignore_missing: true
- - rename:
- field: cif3.count
- target_field: threat.indicator.sightings
- ignore_missing: true
- - rename:
- field: cif3.description
- target_field: threat.indicator.description
- ignore_missing: true
- if: "ctx.cif3?.description != ''"
- - uppercase:
- field: cif3.tlp
- target_field: threat.indicator.marking.tlp
- ignore_missing: true
- if: ctx.cif3?.tlp != null
- ## File indicator operations
- - set:
- field: threat.indicator.type
- value: file
- if: "['md5', 'sha1', 'sha256', 'sha512', 'ssdeep'].contains(ctx.cif3?.itype) && !ctx.cif3?.tags.contains('ja3')"
- - rename:
- field: cif3.indicator
- target_field: threat.indicator.tls.client.ja3
- ignore_missing: true
- if: "ctx.cif3?.itype == 'md5' && ctx.cif3?.tags.contains('ja3')"
- - rename:
- field: cif3.indicator
- target_field: threat.indicator.file.pe.imphash
- ignore_missing: true
- if: "ctx.cif3?.itype == 'md5' && ctx.cif3?.tags.contains('imphash')"
- - append:
- field: related.hash
- value: "{{{ threat.indicator.file.hash.pe.imphash }}}"
- if: ctx?.threat?.indicator?.file?.pe?.imphash != null
- - rename:
- field: cif3.indicator
- target_field: _tmp.hashvalue
- ignore_missing: true
- if: "ctx.threat?.indicator?.type == 'file'"
- - set:
- field: threat.indicator.file.hash.{{cif3.itype}}
- value: "{{{ _tmp.hashvalue }}}"
- if: "ctx.threat?.indicator?.type == 'file'"
- - append:
- field: related.hash
- value: "{{{ _tmp.hashvalue }}}"
- ignore_failure: true
- if: "ctx.threat?.indicator?.type == 'file' && ctx?.threat?.indicator?.file?.pe?.imphash == null"
-
- ## ASN indicator operations
- - set:
- field: threat.indicator.type
- value: autonomous-system
- if: "ctx.cif3?.itype == 'asn'"
- - grok:
- field: cif3.indicator
- patterns:
- - "as(?:%{INT:threat.indicator.as.number})"
- ignore_failure: true
- if: "ctx.cif3?.itype == 'asn'"
-
- ## IP indicator operations
- - set:
- field: threat.indicator.type
- value: ipv4-addr
- if: "ctx.cif3?.itype == 'ipv4'"
- - set:
- field: threat.indicator.type
- value: ipv6-addr
- if: "ctx.cif3?.itype == 'ipv6'"
- - rename:
- field: cif3.indicator
- target_field: threat.indicator.network.cidr
- ignore_missing: true
- if: "ctx.threat?.indicator?.type != null && ['ipv4-addr', 'ipv6-addr'].contains(ctx.threat.indicator.type) && (ctx.cif3?.indicator_ipv4_mask != null || ctx.cif3?.indicator_ipv6_mask != null)"
- - convert:
- field: cif3.indicator
- type: ip
- target_field: threat.indicator.ip
- ignore_missing: true
- if: "ctx.threat?.indicator?.type != null && ['ipv4-addr', 'ipv6-addr'].contains(ctx.threat.indicator.type) && ctx.cif3?.indicator_ipv4_mask == null && ctx.cif3?.indicator_ipv6_mask == null"
- - append:
- field: related.ip
- value: "{{{ threat.indicator.ip }}}"
- if: ctx?.threat?.indicator?.ip != null
- - rename:
- field: cif3.cc
- target_field: threat.indicator.geo.country_iso_code
- ignore_missing: true
- if: "ctx.threat?.indicator?.type != null && ['ipv4-addr', 'ipv6-addr'].contains(ctx.threat.indicator.type) && ctx.cif3?.cc != null"
- - rename:
- field: cif3.asn
- target_field: threat.indicator.as.number
- ignore_missing: true
- if: "ctx.threat?.indicator?.type != null && ['ipv4-addr', 'ipv6-addr'].contains(ctx.threat.indicator.type) && ctx.cif3?.asn != null"
- - rename:
- field: cif3.asn_desc
- target_field: threat.indicator.as.organization.name
- ignore_missing: true
- if: "ctx.threat?.indicator?.type != null && ['ipv4-addr', 'ipv6-addr'].contains(ctx.threat.indicator.type) && ctx.cif3?.asn_desc != null"
- - rename:
- field: cif3.latitude
- target_field: threat.indicator.geo.location.lat
- ignore_missing: true
- if: "ctx.threat?.indicator?.type != null && ['ipv4-addr', 'ipv6-addr'].contains(ctx.threat.indicator.type) && ctx.cif3?.latitude != null"
- - rename:
- field: cif3.longitude
- target_field: threat.indicator.geo.location.lon
- ignore_missing: true
- if: "ctx.threat?.indicator?.type != null && ['ipv4-addr', 'ipv6-addr'].contains(ctx.threat.indicator.type) && ctx.cif3?.longitude != null"
- - rename:
- field: cif3.region
- target_field: threat.indicator.geo.region_name
- ignore_missing: true
- if: "ctx.threat?.indicator?.type != null && ['ipv4-addr', 'ipv6-addr'].contains(ctx.threat.indicator.type) && ctx.cif3?.region != null"
- - rename:
- field: cif3.timezone
- target_field: threat.indicator.geo.timezone
- ignore_missing: true
- if: "ctx.threat?.indicator?.type != null && ['ipv4-addr', 'ipv6-addr'].contains(ctx.threat.indicator.type) && ctx.cif3?.timezone != null"
-
- ## URL indicator operations
- - set:
- field: threat.indicator.type
- value: url
- if: "ctx.cif3?.itype == 'url'"
- - uri_parts:
- field: cif3.indicator
- target_field: threat.indicator.url
- keep_original: true
- remove_if_successful: true
- if: "ctx.threat?.indicator?.type == 'url'"
- - set:
- field: threat.indicator.url.full
- value: "{{{threat.indicator.url.original}}}"
- ignore_empty_value: true
- if: "ctx.cif3?.itype == 'url'"
- # Host could be either IP address or hostname
- - grok:
- field: cif3.indicator
- patterns:
- - "%{URIPROTO:threat.indicator.url.scheme}://(?:%{IPV4:threat.indicator.ip}|\\[?%{IPV6:threat.indicator.ip}\\]?|%{HOSTNAME:threat.indicator.url.domain})(?::%{POSINT:threat.indicator.url.port})?(?:%{URIPATH:threat.indicator.url.path})?.*"
- ignore_failure: true
- if: "ctx.cif3?.itype == 'url'"
-
- ## Email indicator operations
- - set:
- field: threat.indicator.type
- value: email-addr
- if: "ctx.cif3?.itype == 'email'"
- - rename:
- field: cif3.indicator
- target_field: threat.indicator.email.address
- ignore_missing: true
- if: "ctx.threat?.indicator?.type == 'email-addr'"
- - grok:
- field: threat.indicator.email.address
- patterns:
- - "%{USERNAME}@%{GREEDYDATA:threat.indicator.url.domain}"
- ignore_failure: true
- if: "ctx.threat?.indicator?.type == 'email-addr'"
-
- ## Domain indicator operations
- - set:
- field: threat.indicator.type
- value: domain-name
- if: "ctx.cif3?.itype == 'fqdn'"
- - rename:
- field: cif3.indicator
- target_field: threat.indicator.url.domain
- ignore_missing: true
- if: "ctx.threat?.indicator?.type == 'domain-name' && ctx.threat?.indicator?.url?.domain == null"
- - append:
- field: related.hosts
- value: "{{{ threat.indicator.url.domain }}}"
- if: ctx?.threat?.indicator?.url?.domain != null
-
- ######################
- # Confidence #
- ######################
- - script:
- lang: painless
- if: ctx.cif3?.confidence != null
- description: Normalize confidence level.
- source: >
- def value = ctx.cif3.confidence;
- if (value < 0.0 || value > 10.0) {
- ctx.threat.indicator.confidence = "None";
- return;
- }
- if (value >= 0.0 && value < 3.0) {
- ctx.threat.indicator.confidence = "Low";
- return;
- }
- if (value >= 3.0 && value < 7.0) {
- ctx.threat.indicator.confidence = "Med";
- return;
- }
- if (value >= 7.0 && value <= 10.0) {
- ctx.threat.indicator.confidence = "High";
- return;
- }
-
- ###################
- # Tags ECS fields #
- ###################
- - foreach:
- field: cif3.tags
- ignore_missing: true
- processor:
- append:
- field: tags
- value: "{{_ingest._value}}"
- allow_duplicates: false
- if: ctx.cif3?.tags != null
-
- ## Misc
- - rename:
- field: cif3.protocol
- target_field: network.transport
- if: ctx.cif3?.protocol != null
- - rename:
- field: cif3.application
- target_field: network.protocol
- if: ctx.cif3?.application != null
- - rename:
- field: cif3.port
- target_field: threat.indicator.port
- # sometimes contains a range like 1000-1002 or CSVs like 10,22,52
- ignore_failure: true
- if: ctx.cif3?.port != null
-
- ######################
- # Cleanup processors #
- ######################
- - set:
- field: threat.indicator.type
- value: unknown
- if: ctx.threat?.indicator?.type == null
- - script:
- lang: painless
- if: ctx.cif3 != null
- source: |
- void handleMap(Map map) {
- for (def x : map.values()) {
- if (x instanceof Map) {
- handleMap(x);
- } else if (x instanceof List) {
- handleList(x);
- }
- }
- map.values().removeIf(v -> v == null);
- }
- void handleList(List list) {
- for (def x : list) {
- if (x instanceof Map) {
- handleMap(x);
- } else if (x instanceof List) {
- handleList(x);
- }
- }
- }
- handleMap(ctx);
- - remove:
- field: cif3.rdata
- ignore_missing: true
- if: "ctx.cif3?.rdata == ''"
- - remove:
- field:
- - cif3.indicator
- - cif3.confidence
- - cif3.indicator_ipv4
- - cif3.indicator_ipv6
- - cif3.group
- - cif3.latitude
- - cif3.longitude
- - cif3.location
- - cif3.city
- - cif3.region
- - cif3.tags
- - cif3.tlp
- - message
- - _tmp
- ignore_missing: true
- if: ctx.threat?.indicator?.type != null
-on_failure:
- - set:
- field: error.message
- value: "{{ _ingest.on_failure_message }}"
diff --git a/packages/ti_cif3/0.2.1/data_stream/feed/fields/base-fields.yml b/packages/ti_cif3/0.2.1/data_stream/feed/fields/base-fields.yml
deleted file mode 100755
index 94818182d4..0000000000
--- a/packages/ti_cif3/0.2.1/data_stream/feed/fields/base-fields.yml
+++ /dev/null
@@ -1,24 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: '@timestamp'
- type: date
- description: Event timestamp.
-- name: event.module
- type: constant_keyword
- description: Event module
- value: ti_cif3
-- name: threat.feed.name
- type: constant_keyword
- description: Display friendly feed name
- value: cif3
-- name: event.dataset
- type: constant_keyword
- description: Event dataset
- value: ti_cif3.feed
diff --git a/packages/ti_cif3/0.2.1/data_stream/feed/fields/beats.yml b/packages/ti_cif3/0.2.1/data_stream/feed/fields/beats.yml
deleted file mode 100755
index cb44bb2944..0000000000
--- a/packages/ti_cif3/0.2.1/data_stream/feed/fields/beats.yml
+++ /dev/null
@@ -1,12 +0,0 @@
-- name: input.type
- type: keyword
- description: Type of Filebeat input.
-- name: log.flags
- type: keyword
- description: Flags for the log file.
-- name: log.offset
- type: long
- description: Offset of the entry in the log file.
-- name: log.file.path
- type: keyword
- description: Path to the log file.
diff --git a/packages/ti_cif3/0.2.1/data_stream/feed/fields/ecs.yml b/packages/ti_cif3/0.2.1/data_stream/feed/fields/ecs.yml
deleted file mode 100755
index 7c1151e2f8..0000000000
--- a/packages/ti_cif3/0.2.1/data_stream/feed/fields/ecs.yml
+++ /dev/null
@@ -1,225 +0,0 @@
-- description: |-
- ECS version this event conforms to. `ecs.version` is a required field and must exist in all events.
- When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events.
- name: ecs.version
- type: keyword
-- description: |-
- For log events the message field contains the log message, optimized for viewing in a log viewer.
- For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event.
- If multiple messages exist, they can be combined into one message.
- name: message
- type: match_only_text
-- description: Error message.
- name: error.message
- type: match_only_text
-- description: List of keywords used to tag each event.
- name: tags
- normalize:
- - array
- type: keyword
-- description: All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search).
- name: related.hash
- normalize:
- - array
- type: keyword
-- description: All of the IPs seen on your event.
- name: related.ip
- normalize:
- - array
- type: ip
-- description: |-
- event.created contains the date/time when the event was first read by an agent, or by your pipeline.
- This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event.
- In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source.
- In case the two timestamps are identical, @timestamp should be used.
- name: event.created
- type: date
-- description: |-
- Timestamp when an event arrived in the central data store.
- This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event.
- In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`.
- name: event.ingested
- type: date
-- description: |-
- This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy.
- `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events.
- The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not.
- name: event.kind
- type: keyword
-- description: |-
- This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy.
- `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory.
- This field is an array. This will allow proper categorization of some events that fall in multiple categories.
- name: event.category
- normalize:
- - array
- type: keyword
-- description: |-
- Name of the module this data is coming from.
- If your monitoring agent supports the concept of modules or plugins to process events of a given source (e.g. Apache logs), `event.module` should contain the name of this module.
- name: event.module
- type: keyword
-- description: |-
- Source of the event.
- Event transports such as Syslog or the Windows Event Log typically mention the source of an event. It can be the name of the software that generated the event (e.g. Sysmon, httpd), or of a subsystem of the operating system (kernel, Microsoft-Windows-Security-Auditing).
- name: event.provider
- type: keyword
-- description: |-
- This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy.
- `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization.
- This field is an array. This will allow proper categorization of some events that fall in multiple event types.
- name: event.type
- normalize:
- - array
- type: keyword
-- description: |-
- Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex.
- This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`.
- doc_values: false
- index: false
- name: event.original
- type: keyword
-- description: |-
- In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`.
- The field value must be normalized to lowercase for querying.
- name: network.protocol
- type: keyword
-- description: |-
- Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.)
- The field value must be normalized to lowercase for querying.
- name: network.transport
- type: keyword
-- description: Type of indicator as represented by Cyber Observable in STIX 2.0.
- name: threat.indicator.type
- type: keyword
-- description: The date and time when intelligence source first reported sighting this indicator.
- name: threat.indicator.first_seen
- type: date
-- description: The date and time when intelligence source last reported sighting this indicator.
- name: threat.indicator.last_seen
- type: date
-- description: The date and time when intelligence source last modified information for this indicator.
- name: threat.indicator.modified_at
- type: date
-- description: Reference URL linking to additional information about this indicator.
- name: threat.indicator.reference
- type: keyword
-- description: Describes the type of action conducted by the threat.
- name: threat.indicator.description
- type: keyword
-- description: Number of times this indicator was observed conducting threat activity.
- name: threat.indicator.sightings
- type: long
-- description: File type (file, dir, or symlink).
- name: threat.indicator.file.type
- type: keyword
-- description: MD5 hash.
- name: threat.indicator.file.hash.md5
- type: keyword
-- description: SHA1 hash.
- name: threat.indicator.file.hash.sha1
- type: keyword
-- description: SHA256 hash.
- name: threat.indicator.file.hash.sha256
- type: keyword
-- description: SHA512 hash.
- name: threat.indicator.file.hash.sha512
- type: keyword
-- description: |-
- A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values.
- Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.
- name: threat.indicator.file.pe.imphash
- type: keyword
-- description: SSDEEP hash.
- name: threat.indicator.file.hash.ssdeep
- type: keyword
-- description: An md5 hash that identifies clients based on their TLS handshake.
- level: extended
- name: threat.indicator.tls.client.ja3
- type: keyword
-- description: Identifies a threat indicator as an email address (irrespective of direction).
- name: threat.indicator.email.address
- type: keyword
-- description: Identifies a threat indicator as an IP address (irrespective of direction).
- name: threat.indicator.ip
- type: ip
-- description: |-
- Domain of the url, such as "www.elastic.co".
- In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field.
- If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field.
- name: threat.indicator.url.domain
- type: keyword
-- description: If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source.
- multi_fields:
- - name: text
- type: match_only_text
- name: threat.indicator.url.full
- type: wildcard
-- description: |-
- The field contains the file extension from the original request url, excluding the leading dot.
- The file extension is only set if it exists, as not every url has a file extension.
- The leading period must not be included. For example, the value must be "png", not ".png".
- Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz").
- name: threat.indicator.url.extension
- type: keyword
-- description: |-
- Unmodified original url as seen in the event source.
- Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path.
- This field is meant to represent the URL as it was observed, complete or not.
- multi_fields:
- - name: text
- type: match_only_text
- name: threat.indicator.url.original
- type: wildcard
-- description: Path of the request, such as "/search".
- name: threat.indicator.url.path
- type: wildcard
-- description: Port of the request, such as 443.
- name: threat.indicator.url.port
- type: long
-- description: |-
- Scheme of the request, such as "https".
- Note: The `:` is not part of the scheme.
- name: threat.indicator.url.scheme
- type: keyword
-- description: |-
- The query field describes the query string of the request, such as "q=elasticsearch".
- The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases.
- name: threat.indicator.url.query
- type: keyword
-- description: The name of the indicator's provider.
- name: threat.indicator.provider
- type: keyword
-- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet.
- name: threat.indicator.as.number
- type: long
-- description: Organization name.
- multi_fields:
- - name: text
- type: match_only_text
- name: threat.indicator.as.organization.name
- type: keyword
-- description: Traffic Light Protocol sharing markings.
- name: threat.indicator.marking.tlp
- type: keyword
-- description: Identifies the vendor-neutral confidence rating using the None/Low/Medium/High scale defined in Appendix A of the STIX 2.1 framework. Vendor-specific confidence scales may be added as custom fields.
- name: threat.indicator.confidence
- type: keyword
-- description: Longitude and latitude.
- name: threat.indicator.geo.location
- type: geo_point
-- description: Country ISO code.
- name: threat.indicator.geo.country_iso_code
- type: keyword
-- description: Longitude and latitude.
- name: threat.indicator.geo.location.lat
- type: geo_point
-- description: Longitude and latitude.
- name: threat.indicator.geo.location.lon
- type: geo_point
-- description: Region name.
- name: threat.indicator.geo.region_name
- type: keyword
-- description: The time zone of the location, such as IANA time zone name.
- name: threat.indicator.geo.timezone
- type: keyword
diff --git a/packages/ti_cif3/0.2.1/data_stream/feed/fields/fields.yml b/packages/ti_cif3/0.2.1/data_stream/feed/fields/fields.yml
deleted file mode 100755
index 4977ea2d80..0000000000
--- a/packages/ti_cif3/0.2.1/data_stream/feed/fields/fields.yml
+++ /dev/null
@@ -1,106 +0,0 @@
-- name: cif3
- type: group
- description: Fields for CIFv3 Threat Indicators
- fields:
- - name: uuid
- type: keyword
- description: The ID of the indicator.
- - name: indicator
- type: keyword
- description: >
- The value of the indicator, for example if the type is fqdn, this would be the value.
-
- - name: description
- type: keyword
- description: A description of the indicator.
- - name: rdata
- type: keyword
- description: >
- Extra text or descriptive content related to the indicator such as OS, reverse lookup, etc.
-
- - name: reference
- type: keyword
- description: A reference URL with further info related to the indicator.
- - name: itype
- type: keyword
- description: >
- The indicator type, can for example be "ipv4, fqdn, email, url, sha256".
-
- - name: tags
- type: keyword
- description: >
- Comma-separated list of words describing the indicator such as "malware,exploit".
-
- - name: confidence
- type: float
- description: >
- The confidence on a scale of 0-10 that the tags appropriately contextualize the indicator.
-
- - name: provider
- type: keyword
- description: The source of the indicator information.
- - name: application
- type: keyword
- description: The application used by the indicator, such as telnet or ssh.
- - name: protocol
- type: text
- description: The protocol used by the indicator.
- - name: portlist
- type: text
- description: The port or range of ports used by the indicator.
- - name: city
- type: keyword
- description: GeoIP city information.
- - name: region
- type: keyword
- description: GeoIP region information.
- - name: count
- type: integer
- description: >
- The number of times the same indicator has been reported with the same metadata by the same provider.
-
- - name: cc
- type: keyword
- description: Country code of GeoIP.
- - name: location
- type: geo_point
- description: Lat/Long of GeoIP.
- - name: latitude
- type: keyword
- description: Latitude of GeoIP.
- - name: longitude
- type: keyword
- description: Longitude of GeoIP.
- - name: timezone
- type: text
- description: Timezone of GeoIP.
- - name: asn
- type: integer
- description: AS Number of IP.
- - name: asn_desc
- type: keyword
- description: AS Number org name.
- - name: indicator_ipv4
- type: ip
- description: IPv4 address.
- - name: indicator_ipv4_mask
- type: integer
- description: subnet mask of IPv4 CIDR.
- - name: indicator_ipv6
- type: keyword
- description: singleton IPv6 address.
- - name: indicator_ipv6_mask
- type: integer
- description: subnet mask of IPv6 CIDR.
- - name: indicator_iprange
- type: ip_range
- description: IPv4 or IPv6 IP Range.
- - name: indicator_ssdeep_chunksize
- type: integer
- description: SSDEEP hash chunk size.
- - name: indicator_ssdeep_chunk
- type: text
- description: SSDEEP hash chunk.
- - name: indicator_ssdeep_double_chunk
- type: text
- description: SSDEEP hash double chunk.
diff --git a/packages/ti_cif3/0.2.1/data_stream/feed/manifest.yml b/packages/ti_cif3/0.2.1/data_stream/feed/manifest.yml
deleted file mode 100755
index 12e7254fbc..0000000000
--- a/packages/ti_cif3/0.2.1/data_stream/feed/manifest.yml
+++ /dev/null
@@ -1,113 +0,0 @@
-title: "CIFv3 Feed"
-type: logs
-streams:
- - input: httpjson
- template_path: httpjson.yml.hbs
- title: CIFv3 feed indicators
- description: Collect CIFv3 feed indicators
- vars:
- - name: confidence
- type: text
- title: Confidence
- multi: false
- required: true
- show_user: true
- default: 8
- description: "Minimum confidence (0-10) to return indicator in feed"
- - name: cif_tags
- type: text
- title: Filter on indicator tags
- multi: false
- required: true
- show_user: true
- description: "A comma separated list of indicator tags to retrieve, e.g.: 'botnet,exploit,malware,phishing'"
- - name: type
- type: text
- title: Filter on indicator type
- multi: false
- required: true
- show_user: true
- description: "An indicator type (fqdn|ipv4|url|ssdeep) to retrieve, example: 'md5'"
- - name: limit
- type: text
- title: Result size limit
- multi: false
- required: true
- show_user: true
- default: 100000
- description: "Maximum result set size, capped at 250000"
- - name: initial_lookback
- type: text
- title: Initial lookback period
- multi: false
- required: true
- show_user: true
- default: 120h
- description: How far back to look for indicators the first time the agent is started.
- - name: interval
- type: text
- title: Interval
- multi: false
- required: true
- show_user: true
- default: 60m
- description: How frequently to pull the feed.
- # this doesn't currently work
- #- name: filters
- # type: yaml
- # title: Optional REST API filters
- # multi: false
- # required: false
- # show_user: false
- # default: |-
- # #tlp: white
- # description: "Optional REST API Feed filters supported by [CIFv3](https://github.com/csirtgadgets/bearded-avenger/blob/master/cif/httpd/common.py#L7-L9)."
- - name: ssl
- type: yaml
- title: SSL
- multi: false
- required: false
- show_user: false
- description: "Default example enables https verification. Change to 'none' to disable. https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-reference-yml.html"
- default: |-
- verification_mode: full
- - name: http_client_timeout
- type: text
- title: HTTP Client Timeout
- multi: false
- required: false
- show_user: false
- default: 120s
- - name: proxy_url
- type: url
- title: Proxy URL
- multi: false
- required: false
- show_user: false
- description: URL to proxy connections in the form of http[s]://:@:
- - name: tags
- type: text
- title: Tags
- multi: true
- required: true
- show_user: false
- description: Tags to add to each event once ingested into Elastic. Ingested indicators' tags will be appended dynamically to this list.
- default:
- - forwarded
- - cif3-indicator
- - name: preserve_original_event
- required: true
- show_user: true
- title: Preserve original event
- description: Preserves a raw copy of the original event, added to the field `event.original`
- type: bool
- multi: false
- default: false
- - name: processors
- type: yaml
- title: Processors
- multi: false
- required: false
- show_user: false
- description: >-
- Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
diff --git a/packages/ti_cif3/0.2.1/data_stream/feed/sample_event.json b/packages/ti_cif3/0.2.1/data_stream/feed/sample_event.json
deleted file mode 100755
index ab302efe65..0000000000
--- a/packages/ti_cif3/0.2.1/data_stream/feed/sample_event.json
+++ /dev/null
@@ -1,87 +0,0 @@ -{ - "@timestamp": "2022-07-25T02:59:05.404Z", - "agent": { - "ephemeral_id": "6d30ac65-9d55-4014-9a2a-2fbcf8816fff", - "id": "f599fd51-b36d-45b4-a90f-4d63240b8477", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "8.3.2" - }, - "cif3": { - "itype": "ipv4", - "portlist": "443", - "uuid": "ac240898-1443-4d7e-a98a-1daed220c162" - }, - "data_stream": { - "dataset": "ti_cif3.feed", - "namespace": "ep", - "type": "logs" - }, - "ecs": { - "version": "8.4.0" - }, - "elastic_agent": { - "id": "f599fd51-b36d-45b4-a90f-4d63240b8477", - "snapshot": false, - "version": "8.3.2" - }, - "event": { - "agent_id_status": "verified", - "category": "threat", - "created": "2022-07-25T02:59:05.404Z", - "dataset": "ti_cif3.feed", - "ingested": "2022-07-25T02:59:08Z", - "kind": "enrichment", - "original": "{\"application\":\"https\",\"asn\":8075,\"asn_desc\":\"microsoft-corp-msn-as-block\",\"cc\":\"br\",\"city\":\"campinas\",\"confidence\":10,\"count\":1,\"firsttime\":\"2022-07-20T20:25:53.000000Z\",\"group\":[\"everyone\"],\"indicator\":\"20.206.75.106\",\"indicator_ipv4\":\"20.206.75.106\",\"itype\":\"ipv4\",\"lasttime\":\"2022-07-20T20:25:53.000000Z\",\"latitude\":-22.9035,\"location\":[-47.0565,-22.9035],\"longitude\":-47.0565,\"portlist\":\"443\",\"protocol\":\"tcp\",\"provider\":\"sslbl.abuse.ch\",\"reference\":\"https://sslbl.abuse.ch/blacklist/sslipblacklist.csv\",\"region\":\"sao paulo\",\"reporttime\":\"2022-07-21T20:33:26.585967Z\",\"tags\":[\"botnet\"],\"timezone\":\"america/sao_paulo\",\"tlp\":\"white\",\"uuid\":\"ac240898-1443-4d7e-a98a-1daed220c162\"}", - "type": "indicator" - }, - "input": { - "type": "httpjson" - }, - "network": { - "protocol": "https", - "transport": "tcp" - }, - "related": { - "ip": [ - "20.206.75.106" - ] - }, - "tags": [ - "preserve_original_event", - "forwarded", - "cif3-indicator", - "botnet" - ], - "threat": { - "indicator": { - "as": { - "number": 8075, - "organization": { - "name": "microsoft-corp-msn-as-block" 
- } - }, - "confidence": "High", - "first_seen": "2022-07-20T20:25:53.000000Z", - "geo": { - "country_iso_code": "br", - "location": { - "lat": -22.9035, - "lon": -47.0565 - }, - "region_name": "sao paulo", - "timezone": "america/sao_paulo" - }, - "ip": "20.206.75.106", - "last_seen": "2022-07-20T20:25:53.000000Z", - "marking": { - "tlp": "WHITE" - }, - "modified_at": "2022-07-21T20:33:26.585967Z", - "provider": "sslbl.abuse.ch", - "reference": "https://sslbl.abuse.ch/blacklist/sslipblacklist.csv", - "sightings": 1, - "type": "ipv4-addr" - } - } -} \ No newline at end of file diff --git a/packages/ti_cif3/0.2.1/docs/README.md b/packages/ti_cif3/0.2.1/docs/README.md deleted file mode 100755 index 915248f260..0000000000 --- a/packages/ti_cif3/0.2.1/docs/README.md +++ /dev/null 
@@ -1,211 +0,0 @@ -# Collective Intelligence Framework v3 Integration - -This integration connects with the [REST API from the running CIFv3 instance](https://github.com/csirtgadgets/bearded-avenger-deploymentkit/wiki/REST-API) to retrieve indicators. - -## Data Streams - -### Feed - -The CIFv3 integration collects threat indicators based on user-defined configuration including a polling interval, how far back in time it should look, and other filters like indicator type and tags. - -CIFv3 `confidence` field values (0..10) are converted to ECS confidence (None, Low, Medium, High) in the following way: - -| CIFv3 Confidence | ECS Conversion | -| ---------------- | -------------- | -| Beyond Range | None | -| 0 - \<3 | Low | -| 3 - \<7 | Medium | -| 7 - 10 | High | - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cif3.application | The application used by the indicator, such as telnet or ssh. | keyword | -| cif3.asn | AS Number of IP. | integer | -| cif3.asn_desc | AS Number org name. | keyword | -| cif3.cc | Country code of GeoIP. | keyword | -| cif3.city | GeoIP city information. | keyword | -| cif3.confidence | The confidence on a scale of 0-10 that the tags appropriately contextualize the indicator. | float | -| cif3.count | The number of times the same indicator has been reported with the same metadata by the same provider. | integer | -| cif3.description | A description of the indicator. | keyword | -| cif3.indicator | The value of the indicator, for example if the type is fqdn, this would be the value. | keyword | -| cif3.indicator_iprange | IPv4 or IPv6 IP Range. | ip_range | -| cif3.indicator_ipv4 | IPv4 address. | ip | -| cif3.indicator_ipv4_mask | subnet mask of IPv4 CIDR. | integer | -| cif3.indicator_ipv6 | singleton IPv6 address. | keyword | -| cif3.indicator_ipv6_mask | subnet mask of IPv6 CIDR. | integer | -| cif3.indicator_ssdeep_chunk | SSDEEP hash chunk. 
| text | -| cif3.indicator_ssdeep_chunksize | SSDEEP hash chunk size. | integer | -| cif3.indicator_ssdeep_double_chunk | SSDEEP hash double chunk. | text | -| cif3.itype | The indicator type, can for example be "ipv4, fqdn, email, url, sha256". | keyword | -| cif3.latitude | Latitude of GeoIP. | keyword | -| cif3.location | Lat/Long of GeoIP. | geo_point | -| cif3.longitude | Longitude of GeoIP. | keyword | -| cif3.portlist | The port or range of ports used by the indicator. | text | -| cif3.protocol | The protocol used by the indicator. | text | -| cif3.provider | The source of the indicator information. | keyword | -| cif3.rdata | Extra text or descriptive content related to the indicator such as OS, reverse lookup, etc. | keyword | -| cif3.reference | A reference URL with further info related to the indicator. | keyword | -| cif3.region | GeoIP region information. | keyword | -| cif3.tags | Comma-separated list of words describing the indicator such as "malware,exploit". | keyword | -| cif3.timezone | Timezone of GeoIP. | text | -| cif3.uuid | The ID of the indicator. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| error.message | Error message. | match_only_text | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. 
This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | -| event.dataset | Event dataset | constant_keyword | -| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | -| event.module | Name of the module this data is coming from. 
If your monitoring agent supports the concept of modules or plugins to process events of a given source (e.g. Apache logs), `event.module` should contain the name of this module. | keyword | -| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | -| event.provider | Source of the event. Event transports such as Syslog or the Windows Event Log typically mention the source of an event. It can be the name of the software that generated the event (e.g. Sysmon, httpd), or of a subsystem of the operating system (kernel, Microsoft-Windows-Security-Auditing). | keyword | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | -| input.type | Type of Filebeat input. | keyword | -| log.file.path | Path to the log file. | keyword | -| log.flags | Flags for the log file. | keyword | -| log.offset | Offset of the entry in the log file. | long | -| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. 
| match_only_text | -| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword | -| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword | -| related.hash | All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| tags | List of keywords used to tag each event. | keyword | -| threat.feed.name | Display friendly feed name | constant_keyword | -| threat.indicator.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| threat.indicator.as.organization.name | Organization name. | keyword | -| threat.indicator.as.organization.name.text | Multi-field of `threat.indicator.as.organization.name`. | match_only_text | -| threat.indicator.confidence | Identifies the vendor-neutral confidence rating using the None/Low/Medium/High scale defined in Appendix A of the STIX 2.1 framework. Vendor-specific confidence scales may be added as custom fields. | keyword | -| threat.indicator.description | Describes the type of action conducted by the threat. | keyword | -| threat.indicator.email.address | Identifies a threat indicator as an email address (irrespective of direction). | keyword | -| threat.indicator.file.hash.md5 | MD5 hash. | keyword | -| threat.indicator.file.hash.sha1 | SHA1 hash. | keyword | -| threat.indicator.file.hash.sha256 | SHA256 hash. | keyword | -| threat.indicator.file.hash.sha512 | SHA512 hash. | keyword | -| threat.indicator.file.hash.ssdeep | SSDEEP hash. 
| keyword | -| threat.indicator.file.pe.imphash | A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. | keyword | -| threat.indicator.file.type | File type (file, dir, or symlink). | keyword | -| threat.indicator.first_seen | The date and time when intelligence source first reported sighting this indicator. | date | -| threat.indicator.geo.country_iso_code | Country ISO code. | keyword | -| threat.indicator.geo.location | Longitude and latitude. | geo_point | -| threat.indicator.geo.location.lat | Longitude and latitude. | geo_point | -| threat.indicator.geo.location.lon | Longitude and latitude. | geo_point | -| threat.indicator.geo.region_name | Region name. | keyword | -| threat.indicator.geo.timezone | The time zone of the location, such as IANA time zone name. | keyword | -| threat.indicator.ip | Identifies a threat indicator as an IP address (irrespective of direction). | ip | -| threat.indicator.last_seen | The date and time when intelligence source last reported sighting this indicator. | date | -| threat.indicator.marking.tlp | Traffic Light Protocol sharing markings. | keyword | -| threat.indicator.modified_at | The date and time when intelligence source last modified information for this indicator. | date | -| threat.indicator.provider | The name of the indicator's provider. | keyword | -| threat.indicator.reference | Reference URL linking to additional information about this indicator. | keyword | -| threat.indicator.sightings | Number of times this indicator was observed conducting threat activity. | long | -| threat.indicator.tls.client.ja3 | An md5 hash that identifies clients based on their TLS handshake. 
| keyword | -| threat.indicator.type | Type of indicator as represented by Cyber Observable in STIX 2.0. | keyword | -| threat.indicator.url.domain | Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. | keyword | -| threat.indicator.url.extension | The field contains the file extension from the original request url, excluding the leading dot. The file extension is only set if it exists, as not every url has a file extension. The leading period must not be included. For example, the value must be "png", not ".png". Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword | -| threat.indicator.url.full | If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. | wildcard | -| threat.indicator.url.full.text | Multi-field of `threat.indicator.url.full`. | match_only_text | -| threat.indicator.url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | wildcard | -| threat.indicator.url.original.text | Multi-field of `threat.indicator.url.original`. | match_only_text | -| threat.indicator.url.path | Path of the request, such as "/search". | wildcard | -| threat.indicator.url.port | Port of the request, such as 443. | long | -| threat.indicator.url.query | The query field describes the query string of the request, such as "q=elasticsearch". The `?` is excluded from the query string. 
If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. | keyword | -| threat.indicator.url.scheme | Scheme of the request, such as "https". Note: The `:` is not part of the scheme. | keyword | - - -An example event for `feed` looks as following: - -```json -{ - "@timestamp": "2022-07-25T02:59:05.404Z", - "agent": { - "ephemeral_id": "6d30ac65-9d55-4014-9a2a-2fbcf8816fff", - "id": "f599fd51-b36d-45b4-a90f-4d63240b8477", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "8.3.2" - }, - "cif3": { - "itype": "ipv4", - "portlist": "443", - "uuid": "ac240898-1443-4d7e-a98a-1daed220c162" - }, - "data_stream": { - "dataset": "ti_cif3.feed", - "namespace": "ep", - "type": "logs" - }, - "ecs": { - "version": "8.4.0" - }, - "elastic_agent": { - "id": "f599fd51-b36d-45b4-a90f-4d63240b8477", - "snapshot": false, - "version": "8.3.2" - }, - "event": { - "agent_id_status": "verified", - "category": "threat", - "created": "2022-07-25T02:59:05.404Z", - "dataset": "ti_cif3.feed", - "ingested": "2022-07-25T02:59:08Z", - "kind": "enrichment", - "original": "{\"application\":\"https\",\"asn\":8075,\"asn_desc\":\"microsoft-corp-msn-as-block\",\"cc\":\"br\",\"city\":\"campinas\",\"confidence\":10,\"count\":1,\"firsttime\":\"2022-07-20T20:25:53.000000Z\",\"group\":[\"everyone\"],\"indicator\":\"20.206.75.106\",\"indicator_ipv4\":\"20.206.75.106\",\"itype\":\"ipv4\",\"lasttime\":\"2022-07-20T20:25:53.000000Z\",\"latitude\":-22.9035,\"location\":[-47.0565,-22.9035],\"longitude\":-47.0565,\"portlist\":\"443\",\"protocol\":\"tcp\",\"provider\":\"sslbl.abuse.ch\",\"reference\":\"https://sslbl.abuse.ch/blacklist/sslipblacklist.csv\",\"region\":\"sao paulo\",\"reporttime\":\"2022-07-21T20:33:26.585967Z\",\"tags\":[\"botnet\"],\"timezone\":\"america/sao_paulo\",\"tlp\":\"white\",\"uuid\":\"ac240898-1443-4d7e-a98a-1daed220c162\"}", - 
"type": "indicator" - }, - "input": { - "type": "httpjson" - }, - "network": { - "protocol": "https", - "transport": "tcp" - }, - "related": { - "ip": [ - "20.206.75.106" - ] - }, - "tags": [ - "preserve_original_event", - "forwarded", - "cif3-indicator", - "botnet" - ], - "threat": { - "indicator": { - "as": { - "number": 8075, - "organization": { - "name": "microsoft-corp-msn-as-block" - } - }, - "confidence": "High", - "first_seen": "2022-07-20T20:25:53.000000Z", - "geo": { - "country_iso_code": "br", - "location": { - "lat": -22.9035, - "lon": -47.0565 - }, - "region_name": "sao paulo", - "timezone": "america/sao_paulo" - }, - "ip": "20.206.75.106", - "last_seen": "2022-07-20T20:25:53.000000Z", - "marking": { - "tlp": "WHITE" - }, - "modified_at": "2022-07-21T20:33:26.585967Z", - "provider": "sslbl.abuse.ch", - "reference": "https://sslbl.abuse.ch/blacklist/sslipblacklist.csv", - "sightings": 1, - "type": "ipv4-addr" - } - } -} -``` diff --git a/packages/ti_cif3/0.2.1/img/csg_logo_big.svg b/packages/ti_cif3/0.2.1/img/csg_logo_big.svg deleted file mode 100755 index 5ee2369a85..0000000000 --- a/packages/ti_cif3/0.2.1/img/csg_logo_big.svg +++ /dev/null @@ -1,270 +0,0 @@ - - - - - diff --git a/packages/ti_cif3/0.2.1/kibana/dashboard/ti_cif3-6005a190-0aba-11ed-bcc0-01c79f2670f3.json b/packages/ti_cif3/0.2.1/kibana/dashboard/ti_cif3-6005a190-0aba-11ed-bcc0-01c79f2670f3.json deleted file mode 100755 index 6798fb65da..0000000000 --- a/packages/ti_cif3/0.2.1/kibana/dashboard/ti_cif3-6005a190-0aba-11ed-bcc0-01c79f2670f3.json +++ /dev/null 
@@ -1,57 +0,0 @@ -{ - "attributes": { - "description": "Dashboard providing statistics about FQDN type indicators from the Collective Intelligence Framework v3 integration", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"threat.indicator.type\",\"negate\":false,\"params\":{\"query\":\"domain-name\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"threat.indicator.type\":\"domain-name\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"ti_cif3.feed\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"ti_cif3.feed\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":true,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"id\":\"\",\"params\":{\"fontSize\":12,\"markdown\":\"**Navigation**\\n\\n[CIFv3 Overview](/app/dashboards#/view/ti_cif3-b4d9d9b0-0a2f-11ed-bcc0-01c79f2670f3) \\n[CIFv3 Emails](/app/dashboards#/view/ti_cif3-bda23600-0abb-11ed-bcc0-01c79f2670f3) \\n[CIFv3 Files](/app/dashboards#/view/ti_cif3-63a0e470-0a30-11ed-bcc0-01c79f2670f3) \\n**[CIFv3 FQDNs (This Page)](/app/dashboards#/view/ti_cif3-6005a190-0aba-11ed-bcc0-01c79f2670f3)** \\n[CIFv3 IPs](/app/dashboards#/view/ti_cif3-aedada10-0ab5-11ed-bcc0-01c79f2670f3) \\n[CIFv3 URLs](/app/dashboards#/view/ti_cif3-fef149c0-0a2f-11ed-bcc0-01c79f2670f3) \\n\\n[Integrations 
Page](/app/integrations/detail/ti_cif3/overview)\\n\\n\\n**Overview**\\n\\nThis dashboard is an overview of the different threat intelligence indicators with a **threat.indicator.type: domain-name**. \\n\\nThe dashboard is made to provide general statistics and show the health of your indicators like popular domains and statistics about how many unique indicators are ingested and other relevant information.\",\"openLinksInNewTab\":false},\"title\":\"\",\"type\":\"markdown\",\"uiState\":{}}},\"gridData\":{\"h\":39,\"i\":\"4c3ed6e1-8b4e-4eab-8d84-70ed4f506216\",\"w\":7,\"x\":0,\"y\":0},\"panelIndex\":\"4c3ed6e1-8b4e-4eab-8d84-70ed4f506216\",\"title\":\"Files Navigation Textbox [Logs CIFv3]\",\"type\":\"visualization\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-c94400ee-a135-4a99-9693-5879d29f7aad\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"c94400ee-a135-4a99-9693-5879d29f7aad\":{\"columnOrder\":[\"2934249f-fce5-4637-87ff-d2596d1b6ec5\"],\"columns\":{\"2934249f-fce5-4637-87ff-d2596d1b6ec5\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Unique 
Domains\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"threat.indicator.url.domain\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"2934249f-fce5-4637-87ff-d2596d1b6ec5\",\"layerId\":\"c94400ee-a135-4a99-9693-5879d29f7aad\",\"layerType\":\"data\",\"size\":\"xl\",\"textAlign\":\"center\",\"titlePosition\":\"bottom\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":8,\"i\":\"02f1732b-a981-4fba-8b27-b944f2f3c98c\",\"w\":6,\"x\":7,\"y\":0},\"panelIndex\":\"02f1732b-a981-4fba-8b27-b944f2f3c98c\",\"title\":\"Unique Domains [Logs CIFv3]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-09bca2c1-c599-4575-be8a-a416589c7082\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"09bca2c1-c599-4575-be8a-a416589c7082\":{\"columnOrder\":[\"87d9346d-c199-44ef-b58c-2c0c7625a523\",\"40a4b01a-1e63-4cd8-ab62-da960940d757\"],\"columns\":{\"40a4b01a-1e63-4cd8-ab62-da960940d757\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"threat.indicator.url.domain\"},\"87d9346d-c199-44ef-b58c-2c0c7625a523\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"FQDN\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"40a4b01a-1e63-4cd8-ab62-da960940d757\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"size\":15},\"scale\":\"ordinal\",\"sourceField\":\"threat.indicator.url.domain\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"lan
guage\":\"kuery\",\"query\":\"\"},\"visualization\":{\"columns\":[{\"columnId\":\"87d9346d-c199-44ef-b58c-2c0c7625a523\",\"isTransposed\":false},{\"columnId\":\"40a4b01a-1e63-4cd8-ab62-da960940d757\",\"isTransposed\":false}],\"layerId\":\"09bca2c1-c599-4575-be8a-a416589c7082\",\"layerType\":\"data\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsDatatable\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"c2db10e8-0e7e-4199-b787-48e14bd2e2fe\",\"w\":18,\"x\":13,\"y\":0},\"panelIndex\":\"c2db10e8-0e7e-4199-b787-48e14bd2e2fe\",\"title\":\"Sample of Domains [Logs CIFv3]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"}]", - "timeRestore": false, - "title": "[Logs CIFv3] FQDNs", - "version": 1 - }, - "coreMigrationVersion": "8.0.0", - "id": "ti_cif3-6005a190-0aba-11ed-bcc0-01c79f2670f3", - "migrationVersion": { - "dashboard": "8.0.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "02f1732b-a981-4fba-8b27-b944f2f3c98c:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "02f1732b-a981-4fba-8b27-b944f2f3c98c:indexpattern-datasource-layer-c94400ee-a135-4a99-9693-5879d29f7aad", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "c2db10e8-0e7e-4199-b787-48e14bd2e2fe:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "c2db10e8-0e7e-4199-b787-48e14bd2e2fe:indexpattern-datasource-layer-09bca2c1-c599-4575-be8a-a416589c7082", - "type": "index-pattern" - }, - { - "id": "ti_cif3-ec8c3e30-0c59-11ed-9b65-435777f1d8a1", - "name": "tag-ti_cif3-ec8c3e30-0c59-11ed-9b65-435777f1d8a1", - "type": "tag" - } - ], - "type": "dashboard" -} \ No newline at end of file 
diff --git a/packages/ti_cif3/0.2.1/kibana/dashboard/ti_cif3-63a0e470-0a30-11ed-bcc0-01c79f2670f3.json b/packages/ti_cif3/0.2.1/kibana/dashboard/ti_cif3-63a0e470-0a30-11ed-bcc0-01c79f2670f3.json deleted file mode 100755 index 4b709d9915..0000000000 --- a/packages/ti_cif3/0.2.1/kibana/dashboard/ti_cif3-63a0e470-0a30-11ed-bcc0-01c79f2670f3.json +++ /dev/null 
@@ -1,107 +0,0 @@ -{ - "attributes": { - "description": "Dashboard providing statistics about File type indicators from the Collective Intelligence Framework v3 integration", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"threat.indicator.type\",\"negate\":false,\"params\":{\"query\":\"file\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"threat.indicator.type\":\"file\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"ti_cif3.feed\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"ti_cif3.feed\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":true,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"fontSize\":12,\"markdown\":\"**Navigation**\\n\\n[CIFv3 Overview](/app/dashboards#/view/ti_cif3-b4d9d9b0-0a2f-11ed-bcc0-01c79f2670f3) \\n[CIFv3 Emails](/app/dashboards#/view/ti_cif3-bda23600-0abb-11ed-bcc0-01c79f2670f3) \\n**[CIFv3 Files (This Page)](/app/dashboards#/view/ti_cif3-63a0e470-0a30-11ed-bcc0-01c79f2670f3)** \\n[CIFv3 FQDNs](/app/dashboards#/view/ti_cif3-6005a190-0aba-11ed-bcc0-01c79f2670f3) \\n[CIFv3 IPs](/app/dashboards#/view/ti_cif3-aedada10-0ab5-11ed-bcc0-01c79f2670f3) \\n[CIFv3 URLs](/app/dashboards#/view/ti_cif3-fef149c0-0a2f-11ed-bcc0-01c79f2670f3) \\n\\n[Integrations Page](/app/integrations/detail/ti_cif3/overview)\\n\\n\\n**Overview**\\n\\nThis 
dashboard is an overview of the different threat intelligence indicators with a **threat.indicator.type: file**.\\n\\nThe dashboard is made to provide general statistics and show the health of your indicators like hash type counters, popular domains, statistics about how many unique indicators are ingested and other relevant information.\",\"openLinksInNewTab\":false},\"title\":\"Files Navigation Textbox [Logs CIFv3]\",\"type\":\"markdown\",\"uiState\":{}}},\"gridData\":{\"h\":35,\"i\":\"09ba3dc0-e2e2-4799-b47f-bb919bf290a1\",\"w\":7,\"x\":0,\"y\":0},\"panelIndex\":\"09ba3dc0-e2e2-4799-b47f-bb919bf290a1\",\"title\":\"Files Navigation Textbox [Logs CIFv3]\",\"type\":\"visualization\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-b83c382d-fab9-4e60-a632-475e221cc20c\",\"type\":\"index-pattern\"}],\"sharingSavedObjectProps\":{\"outcome\":\"exactMatch\",\"sourceId\":\"ti_cif3-d888e3e0-3b38-11ec-ae50-2fdf1e96c6a6\"},\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"b83c382d-fab9-4e60-a632-475e221cc20c\":{\"columnOrder\":[\"eda3c6d9-dacb-4e5e-b977-50104f76e91a\"],\"columns\":{\"eda3c6d9-dacb-4e5e-b977-50104f76e91a\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Unique MD5\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"threat.indicator.file.hash.md5\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"eda3c6d9-dacb-4e5e-b977-50104f76e91a\",\"layerId\":\"b83c382d-fab9-4e60-a632-475e221cc20c\",\"layerType\":\"data\",\"size\":\"xl\",\"textAlign\":\"center\",\"titlePosition\":\"bottom\"}},\"title\":\"Unique MD5 
[CIFv3]\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":8,\"i\":\"4d3e11dc-c4cc-4373-bb83-3d39fe6ffa98\",\"w\":6,\"x\":7,\"y\":0},\"panelIndex\":\"4d3e11dc-c4cc-4373-bb83-3d39fe6ffa98\",\"title\":\"Unique MD5 [Logs CIFv3]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-49b7070a-f1d3-46e1-a980-2f6d6d130167\",\"type\":\"index-pattern\"}],\"sharingSavedObjectProps\":{\"outcome\":\"exactMatch\",\"sourceId\":\"ti_cif3-5d6111a0-3b39-11ec-ae50-2fdf1e96c6a6\"},\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"49b7070a-f1d3-46e1-a980-2f6d6d130167\":{\"columnOrder\":[\"b6c5e221-88ff-490e-bd3e-188b3e0dd1f4\"],\"columns\":{\"b6c5e221-88ff-490e-bd3e-188b3e0dd1f4\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Unique SHA256\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"threat.indicator.file.hash.sha256\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"b6c5e221-88ff-490e-bd3e-188b3e0dd1f4\",\"layerId\":\"49b7070a-f1d3-46e1-a980-2f6d6d130167\",\"layerType\":\"data\",\"size\":\"xl\",\"textAlign\":\"center\",\"titlePosition\":\"bottom\"}},\"title\":\"Unique SHA256 [CIFv3]\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":8,\"i\":\"93e32abe-87e3-469e-b7e9-a7ef7dfa2cce\",\"w\":6,\"x\":13,\"y\":0},\"panelIndex\":\"93e32abe-87e3-469e-b7e9-a7ef7dfa2cce\",\"title\":\"Unique SHA256 [Logs 
CIFv3]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-2825d170-daeb-4a6d-9d8f-8fda4dccffcc\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"2825d170-daeb-4a6d-9d8f-8fda4dccffcc\":{\"columnOrder\":[\"cb37ded7-9f40-418f-bfb9-6250652373d7\"],\"columns\":{\"cb37ded7-9f40-418f-bfb9-6250652373d7\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Unique SSDEEP\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"threat.indicator.file.hash.ssdeep\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"cb37ded7-9f40-418f-bfb9-6250652373d7\",\"layerId\":\"2825d170-daeb-4a6d-9d8f-8fda4dccffcc\",\"layerType\":\"data\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":8,\"i\":\"703fd39c-9642-4c7d-93c8-056f019acf42\",\"w\":6,\"x\":19,\"y\":0},\"panelIndex\":\"703fd39c-9642-4c7d-93c8-056f019acf42\",\"title\":\"Unique SSDEEP [Logs CIFv3]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-ace6c894-6dac-441d-b0db-3e246db99579\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"ace6c894-6dac-441d-b0db-3e246db99579\":{\"columnOrder\":[\"4c6f7061-d5e9-4c04-b9b2-39b984b06393\",\"e00a1b25-655b-4541-8ce0-1f84bdb16b1e\"],\"columns\":{\"4c6f7061-d5e9-4c04-b9b2-39b984b06393\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of 
threat.indicator.description\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"e00a1b25-655b-4541-8ce0-1f84bdb16b1e\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"threat.indicator.description\"},\"e00a1b25-655b-4541-8ce0-1f84bdb16b1e\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Unique count of threat.indicator.description\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"threat.indicator.description\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"4c6f7061-d5e9-4c04-b9b2-39b984b06393\"],\"layerId\":\"ace6c894-6dac-441d-b0db-3e246db99579\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"e00a1b25-655b-4541-8ce0-1f84bdb16b1e\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"treemap\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":16,\"i\":\"9717eae1-9937-41e7-bad1-e9ce43d06723\",\"w\":22,\"x\":25,\"y\":0},\"panelIndex\":\"9717eae1-9937-41e7-bad1-e9ce43d06723\",\"title\":\"File Descriptions [Logs 
CIFv3]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-85ad73b3-3b76-49f1-ad20-6256b58918f8\",\"type\":\"index-pattern\"}],\"sharingSavedObjectProps\":{\"outcome\":\"exactMatch\",\"sourceId\":\"ti_cif3-28549810-3b39-11ec-ae50-2fdf1e96c6a6\"},\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"85ad73b3-3b76-49f1-ad20-6256b58918f8\":{\"columnOrder\":[\"289bd005-bdd2-4f3b-83b9-ad6ae52a9ed3\"],\"columns\":{\"289bd005-bdd2-4f3b-83b9-ad6ae52a9ed3\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Unique SHA1\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"threat.indicator.file.hash.sha1\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"289bd005-bdd2-4f3b-83b9-ad6ae52a9ed3\",\"layerId\":\"85ad73b3-3b76-49f1-ad20-6256b58918f8\",\"layerType\":\"data\",\"size\":\"xl\",\"textAlign\":\"center\",\"titlePosition\":\"bottom\"}},\"title\":\"Unique SHA1 [CIFv3]\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":8,\"i\":\"e9b6f0ad-5e6b-44da-923e-dc0d5ccfdfea\",\"w\":6,\"x\":7,\"y\":8},\"panelIndex\":\"e9b6f0ad-5e6b-44da-923e-dc0d5ccfdfea\",\"title\":\"Unique SHA1 [Logs 
CIFv3]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-331e77de-53be-48a4-8793-3fe9a23b22b1\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"331e77de-53be-48a4-8793-3fe9a23b22b1\":{\"columnOrder\":[\"428df405-7955-4c10-94c1-0791e75aed8f\"],\"columns\":{\"428df405-7955-4c10-94c1-0791e75aed8f\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Unique SHA512\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"threat.indicator.file.hash.sha512\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"428df405-7955-4c10-94c1-0791e75aed8f\",\"layerId\":\"331e77de-53be-48a4-8793-3fe9a23b22b1\",\"layerType\":\"data\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":8,\"i\":\"cb4ca769-08b2-4570-8a30-27cff9b77093\",\"w\":6,\"x\":13,\"y\":8},\"panelIndex\":\"cb4ca769-08b2-4570-8a30-27cff9b77093\",\"title\":\"Unique SHA512 [Logs CIFv3]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-4c3ad4e3-46af-447e-a4ce-dab516c52797\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"4c3ad4e3-46af-447e-a4ce-dab516c52797\":{\"columnOrder\":[\"181798f7-2b90-44e1-b76a-2f17b7210690\"],\"columns\":{\"181798f7-2b90-44e1-b76a-2f17b7210690\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Unique 
IMPHASH\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"threat.indicator.file.pe.imphash\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"181798f7-2b90-44e1-b76a-2f17b7210690\",\"layerId\":\"4c3ad4e3-46af-447e-a4ce-dab516c52797\",\"layerType\":\"data\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":8,\"i\":\"823f92b7-a2ff-4883-aad1-28d3652371fe\",\"w\":6,\"x\":19,\"y\":8},\"panelIndex\":\"823f92b7-a2ff-4883-aad1-28d3652371fe\",\"title\":\"Unique IMPHASH [Logs CIFv3]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"}]", - "timeRestore": false, - "title": "[Logs CIFv3] Files", - "version": 1 - }, - "coreMigrationVersion": "8.0.0", - "id": "ti_cif3-63a0e470-0a30-11ed-bcc0-01c79f2670f3", - "migrationVersion": { - "dashboard": "8.0.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "4d3e11dc-c4cc-4373-bb83-3d39fe6ffa98:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "4d3e11dc-c4cc-4373-bb83-3d39fe6ffa98:indexpattern-datasource-layer-b83c382d-fab9-4e60-a632-475e221cc20c", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "93e32abe-87e3-469e-b7e9-a7ef7dfa2cce:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "93e32abe-87e3-469e-b7e9-a7ef7dfa2cce:indexpattern-datasource-layer-49b7070a-f1d3-46e1-a980-2f6d6d130167", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "703fd39c-9642-4c7d-93c8-056f019acf42:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - 
}, - { - "id": "logs-*", - "name": "703fd39c-9642-4c7d-93c8-056f019acf42:indexpattern-datasource-layer-2825d170-daeb-4a6d-9d8f-8fda4dccffcc", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "9717eae1-9937-41e7-bad1-e9ce43d06723:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "9717eae1-9937-41e7-bad1-e9ce43d06723:indexpattern-datasource-layer-ace6c894-6dac-441d-b0db-3e246db99579", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "e9b6f0ad-5e6b-44da-923e-dc0d5ccfdfea:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "e9b6f0ad-5e6b-44da-923e-dc0d5ccfdfea:indexpattern-datasource-layer-85ad73b3-3b76-49f1-ad20-6256b58918f8", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "cb4ca769-08b2-4570-8a30-27cff9b77093:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "cb4ca769-08b2-4570-8a30-27cff9b77093:indexpattern-datasource-layer-331e77de-53be-48a4-8793-3fe9a23b22b1", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "823f92b7-a2ff-4883-aad1-28d3652371fe:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "823f92b7-a2ff-4883-aad1-28d3652371fe:indexpattern-datasource-layer-4c3ad4e3-46af-447e-a4ce-dab516c52797", - "type": "index-pattern" - }, - { - "id": "ti_cif3-ec8c3e30-0c59-11ed-9b65-435777f1d8a1", - "name": "tag-ti_cif3-ec8c3e30-0c59-11ed-9b65-435777f1d8a1", - "type": "tag" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/ti_cif3/0.2.1/kibana/dashboard/ti_cif3-aedada10-0ab5-11ed-bcc0-01c79f2670f3.json b/packages/ti_cif3/0.2.1/kibana/dashboard/ti_cif3-aedada10-0ab5-11ed-bcc0-01c79f2670f3.json deleted file mode 100755 index 3e594dc91a..0000000000 
--- a/packages/ti_cif3/0.2.1/kibana/dashboard/ti_cif3-aedada10-0ab5-11ed-bcc0-01c79f2670f3.json
+++ /dev/null
@@ -1,122 +0,0 @@ -{ - "attributes": { - "description": "Dashboard providing statistics about IP type indicators from the Collective Intelligence Framework v3 integration", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"threat.indicator.type\",\"negate\":false,\"params\":[\"ipv6-addr\",\"ipv4-addr\"],\"type\":\"phrases\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"threat.indicator.type\":\"ipv6-addr\"}},{\"match_phrase\":{\"threat.indicator.type\":\"ipv4-addr\"}}]}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"ti_cif3.feed\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"ti_cif3.feed\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":true,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"id\":\"\",\"params\":{\"fontSize\":12,\"markdown\":\"**Navigation**\\n\\n[CIFv3 Overview](/app/dashboards#/view/ti_cif3-b4d9d9b0-0a2f-11ed-bcc0-01c79f2670f3) \\n[CIFv3 Emails](/app/dashboards#/view/ti_cif3-bda23600-0abb-11ed-bcc0-01c79f2670f3) \\n[CIFv3 Files](/app/dashboards#/view/ti_cif3-63a0e470-0a30-11ed-bcc0-01c79f2670f3) \\n[CIFv3 FQDNs](/app/dashboards#/view/ti_cif3-6005a190-0aba-11ed-bcc0-01c79f2670f3) \\n**[CIFv3 IPs(This Page)](/app/dashboards#/view/ti_cif3-aedada10-0ab5-11ed-bcc0-01c79f2670f3)** \\n[CIFv3 
URLs](/app/dashboards#/view/ti_cif3-fef149c0-0a2f-11ed-bcc0-01c79f2670f3) \\n\\n[Integrations Page](/app/integrations/detail/ti_cif3/overview)\\n\\n\\n**Overview**\\n\\nThis dashboard is an overview of the different threat intelligence indicators with a **threat.indicator.type: ipv4-addr OR ipv6-addr**. \\n\\nThe dashboard is made to provide general statistics and show the health of your indicators like prevalent ASNs, GeoIP regions, statistics about how many unique indicators are ingested, and other relevant information.\",\"openLinksInNewTab\":false},\"title\":\"\",\"type\":\"markdown\",\"uiState\":{}}},\"gridData\":{\"h\":39,\"i\":\"4c3ed6e1-8b4e-4eab-8d84-70ed4f506216\",\"w\":7,\"x\":0,\"y\":0},\"panelIndex\":\"4c3ed6e1-8b4e-4eab-8d84-70ed4f506216\",\"title\":\"Files Navigation Textbox [Logs CIFv3]\",\"type\":\"visualization\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-79edd9a4-1178-4294-94df-5d4b145d0e40\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"79edd9a4-1178-4294-94df-5d4b145d0e40\":{\"columnOrder\":[\"d1ce22a5-8010-4830-8c61-e8da8c2b2d11\"],\"columns\":{\"d1ce22a5-8010-4830-8c61-e8da8c2b2d11\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Unique 
IPs\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"threat.indicator.ip\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"d1ce22a5-8010-4830-8c61-e8da8c2b2d11\",\"layerId\":\"79edd9a4-1178-4294-94df-5d4b145d0e40\",\"layerType\":\"data\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":8,\"i\":\"7725b9bd-df8d-491c-a518-fe00a4538ebc\",\"w\":5,\"x\":7,\"y\":0},\"panelIndex\":\"7725b9bd-df8d-491c-a518-fe00a4538ebc\",\"title\":\"Unique IPs [Logs CIFv3]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-e8210fab-252e-4357-82f5-c8fc55fe2057\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"e8210fab-252e-4357-82f5-c8fc55fe2057\":{\"columnOrder\":[\"937cc845-c2e1-412a-b419-97c9d8076bee\"],\"columns\":{\"937cc845-c2e1-412a-b419-97c9d8076bee\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Unique ASNs\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"threat.indicator.as.number\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"937cc845-c2e1-412a-b419-97c9d8076bee\",\"layerId\":\"e8210fab-252e-4357-82f5-c8fc55fe2057\",\"layerType\":\"data\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":8,\"i\":\"329518f4-c5f9-42b0-b396-85ffcbb8cda3\",\"w\":5,\"x\":12,\"y\":0},\"panelIndex\":\"329518f4-c5f9-42b0-b396-85ffcbb8cda3\",\"title\":\"Unique ASNs [Logs 
CIFv3]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-864ef66d-9195-45a5-9dcd-916bcac76fd1\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"864ef66d-9195-45a5-9dcd-916bcac76fd1\":{\"columnOrder\":[\"d8bba7bc-4a82-40c3-a858-e92244ef476c\",\"1c86e415-dcb9-49ae-aa85-e4c7c0ddffd7\"],\"columns\":{\"1c86e415-dcb9-49ae-aa85-e4c7c0ddffd7\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"d8bba7bc-4a82-40c3-a858-e92244ef476c\":{\"dataType\":\"number\",\"isBucketed\":true,\"label\":\"Top values of threat.indicator.as.number\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"1c86e415-dcb9-49ae-aa85-e4c7c0ddffd7\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"threat.indicator.as.number\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"d8bba7bc-4a82-40c3-a858-e92244ef476c\"],\"layerId\":\"864ef66d-9195-45a5-9dcd-916bcac76fd1\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"1c86e415-dcb9-49ae-aa85-e4c7c0ddffd7\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"treemap\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"c651f85b-26e4-481e-91ff-39267e540183\",\"w\":21,\"x\":17,\"y\":0},\"panelIndex\":\"c651f85b-26e4-481e-91ff-39267e540183\",\"title\":\"Most Prevalent ASNs [Logs 
CIFv3]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-b3600118-bbef-4f41-b472-c08e802518c3\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"b3600118-bbef-4f41-b472-c08e802518c3\":{\"columnOrder\":[\"deabebaa-8bfa-4b99-8996-5dd59ecd37ca\",\"a9e4b58d-6503-4645-bc9b-69aede4b3a4c\"],\"columns\":{\"a9e4b58d-6503-4645-bc9b-69aede4b3a4c\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"deabebaa-8bfa-4b99-8996-5dd59ecd37ca\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Country Code\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"a9e4b58d-6503-4645-bc9b-69aede4b3a4c\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":15},\"scale\":\"ordinal\",\"sourceField\":\"threat.indicator.geo.country_iso_code\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"columns\":[{\"columnId\":\"deabebaa-8bfa-4b99-8996-5dd59ecd37ca\",\"isTransposed\":false},{\"columnId\":\"a9e4b58d-6503-4645-bc9b-69aede4b3a4c\",\"isTransposed\":false}],\"layerId\":\"b3600118-bbef-4f41-b472-c08e802518c3\",\"layerType\":\"data\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsDatatable\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"aea51b8a-0962-4b21-aa7e-7c599f0f45a4\",\"w\":10,\"x\":38,\"y\":0},\"panelIndex\":\"aea51b8a-0962-4b21-aa7e-7c599f0f45a4\",\"title\":\"Most Common Countries [Logs 
CIFv3]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-da912e35-7510-42a6-b546-8d10a33b6546\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"da912e35-7510-42a6-b546-8d10a33b6546\":{\"columnOrder\":[\"989df1d6-f18f-4874-8601-9e7741935cc8\",\"f60fc28d-e739-46a2-a0ce-1340df8f7249\"],\"columns\":{\"989df1d6-f18f-4874-8601-9e7741935cc8\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of threat.indicator.type\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"f60fc28d-e739-46a2-a0ce-1340df8f7249\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"size\":2},\"scale\":\"ordinal\",\"sourceField\":\"threat.indicator.type\"},\"f60fc28d-e739-46a2-a0ce-1340df8f7249\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Unique count of threat.indicator.ip\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"threat.indicator.ip\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"989df1d6-f18f-4874-8601-9e7741935cc8\"],\"layerId\":\"da912e35-7510-42a6-b546-8d10a33b6546\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"f60fc28d-e739-46a2-a0ce-1340df8f7249\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"donut\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":7,\"i\":\"1536f4f2-41d6-4fd0-b6c4-3650a2b5f92d\",\"w\":10,\"x\":7,\"y\":8},\"panelIndex\":\"1536f4f2-41d6-4fd0-b6c4-3650a2b5f92d\",\"title\":\"Percentage of IP Type [Logs 
CIFv3]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"description\":\"\",\"layerListJSON\":\"[{\\\"sourceDescriptor\\\":{\\\"type\\\":\\\"EMS_TMS\\\",\\\"isAutoSelect\\\":true,\\\"lightModeDefault\\\":\\\"road_map_desaturated\\\"},\\\"id\\\":\\\"3df0f38b-db9e-451e-bb01-5a27226075df\\\",\\\"label\\\":null,\\\"minZoom\\\":0,\\\"maxZoom\\\":24,\\\"alpha\\\":1,\\\"visible\\\":true,\\\"style\\\":{\\\"type\\\":\\\"TILE\\\"},\\\"includeInFitToBounds\\\":true,\\\"type\\\":\\\"VECTOR_TILE\\\"},{\\\"sourceDescriptor\\\":{\\\"indexPatternId\\\":\\\"logs-*\\\",\\\"geoField\\\":\\\"threat.indicator.geo.location\\\",\\\"filterByMapBounds\\\":true,\\\"scalingType\\\":\\\"MVT\\\",\\\"id\\\":\\\"13a0c980-6195-4e3e-8506-b383ab8866c2\\\",\\\"type\\\":\\\"ES_SEARCH\\\",\\\"applyGlobalQuery\\\":true,\\\"applyGlobalTime\\\":true,\\\"applyForceRefresh\\\":true,\\\"tooltipProperties\\\":[],\\\"sortField\\\":\\\"\\\",\\\"sortOrder\\\":\\\"desc\\\",\\\"topHitsSplitField\\\":\\\"\\\",\\\"topHitsSize\\\":1},\\\"id\\\":\\\"0a0a1a3e-d002-47b0-a99a-03eb965b8bc4\\\",\\\"label\\\":null,\\\"minZoom\\\":0,\\\"maxZoom\\\":24,\\\"alpha\\\":0.75,\\\"visible\\\":true,\\\"style\\\":{\\\"type\\\":\\\"VECTOR\\\",\\\"properties\\\":{\\\"icon\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"value\\\":\\\"marker\\\"}},\\\"fillColor\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"color\\\":\\\"#ea7861\\\"}},\\\"lineColor\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"color\\\":\\\"#e05235\\\"}},\\\"lineWidth\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"size\\\":1}},\\\"iconSize\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"size\\\":6}},\\\"iconOrientation\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"orientation\\\":0}},\\\"labelText\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"value\\\":\\\"\\\"}},\\\"labelColor\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"color\\\":\\\"#000000\\\"}},\\\"labelSize\\\":{\\
\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"size\\\":14}},\\\"labelBorderColor\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"color\\\":\\\"#FFFFFF\\\"}},\\\"symbolizeAs\\\":{\\\"options\\\":{\\\"value\\\":\\\"circle\\\"}},\\\"labelBorderSize\\\":{\\\"options\\\":{\\\"size\\\":\\\"SMALL\\\"}}},\\\"isTimeAware\\\":true},\\\"includeInFitToBounds\\\":true,\\\"type\\\":\\\"TILED_VECTOR\\\",\\\"joins\\\":[]}]\",\"mapStateJSON\":\"{\\\"zoom\\\":1.14,\\\"center\\\":{\\\"lon\\\":0,\\\"lat\\\":19.94277},\\\"timeFilters\\\":{\\\"from\\\":\\\"now-75m\\\",\\\"to\\\":\\\"now\\\"},\\\"refreshConfig\\\":{\\\"isPaused\\\":true,\\\"interval\\\":0},\\\"query\\\":{\\\"query\\\":\\\"\\\",\\\"language\\\":\\\"kuery\\\"},\\\"filters\\\":[],\\\"settings\\\":{\\\"autoFitToDataBounds\\\":false,\\\"backgroundColor\\\":\\\"#ffffff\\\",\\\"disableInteractive\\\":false,\\\"disableTooltipControl\\\":false,\\\"hideToolbarOverlay\\\":false,\\\"hideLayerControl\\\":false,\\\"hideViewControl\\\":false,\\\"initialLocation\\\":\\\"LAST_SAVED_LOCATION\\\",\\\"fixedLocation\\\":{\\\"lat\\\":0,\\\"lon\\\":0,\\\"zoom\\\":2},\\\"browserLocation\\\":{\\\"zoom\\\":2},\\\"maxZoom\\\":24,\\\"minZoom\\\":0,\\\"showScaleControl\\\":false,\\\"showSpatialFilters\\\":true,\\\"showTimesliderToggleButton\\\":true,\\\"spatialFiltersAlpa\\\":0.3,\\\"spatialFiltersFillColor\\\":\\\"#DA8B45\\\",\\\"spatialFiltersLineColor\\\":\\\"#DA8B45\\\"}}\",\"title\":\"\",\"uiStateJSON\":\"{\\\"isLayerTOCOpen\\\":false,\\\"openTOCDetails\\\":[]}\"},\"enhancements\":{},\"hiddenLayers\":[],\"hidePanelTitles\":false,\"isLayerTOCOpen\":false,\"mapBuffer\":{\"maxLat\":85.05113,\"maxLon\":360,\"minLat\":-85.05113,\"minLon\":-360},\"mapCenter\":{\"lat\":26.16939,\"lon\":14.00125,\"zoom\":0.49},\"openTOCDetails\":[]},\"gridData\":{\"h\":14,\"i\":\"ad624736-f1dd-4d77-8517-680e7bc4b882\",\"w\":23,\"x\":7,\"y\":15},\"panelIndex\":\"ad624736-f1dd-4d77-8517-680e7bc4b882\",\"title\":\"IP Source Location [Logs 
CIFv3]\",\"type\":\"map\",\"version\":\"8.0.0-SNAPSHOT\"}]", - "timeRestore": false, - "title": "[Logs CIFv3] IPs", - "version": 1 - }, - "coreMigrationVersion": "8.0.0", - "id": "ti_cif3-aedada10-0ab5-11ed-bcc0-01c79f2670f3", - "migrationVersion": { - "dashboard": "8.0.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "7725b9bd-df8d-491c-a518-fe00a4538ebc:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "7725b9bd-df8d-491c-a518-fe00a4538ebc:indexpattern-datasource-layer-79edd9a4-1178-4294-94df-5d4b145d0e40", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "329518f4-c5f9-42b0-b396-85ffcbb8cda3:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "329518f4-c5f9-42b0-b396-85ffcbb8cda3:indexpattern-datasource-layer-e8210fab-252e-4357-82f5-c8fc55fe2057", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "c651f85b-26e4-481e-91ff-39267e540183:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "c651f85b-26e4-481e-91ff-39267e540183:indexpattern-datasource-layer-864ef66d-9195-45a5-9dcd-916bcac76fd1", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "aea51b8a-0962-4b21-aa7e-7c599f0f45a4:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "aea51b8a-0962-4b21-aa7e-7c599f0f45a4:indexpattern-datasource-layer-b3600118-bbef-4f41-b472-c08e802518c3", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "1536f4f2-41d6-4fd0-b6c4-3650a2b5f92d:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - 
"name": "1536f4f2-41d6-4fd0-b6c4-3650a2b5f92d:indexpattern-datasource-layer-da912e35-7510-42a6-b546-8d10a33b6546", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "ad624736-f1dd-4d77-8517-680e7bc4b882:layer_1_source_index_pattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "ab7ab31c-e76f-4613-b17d-fdd909f17e0d:indexpattern-datasource-layer-0f63318a-a857-4d83-89ce-a94e2242b79e", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "02f1732b-a981-4fba-8b27-b944f2f3c98c:indexpattern-datasource-layer-c94400ee-a135-4a99-9693-5879d29f7aad", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "fda93ed1-72f0-4489-80b7-9e69d14f30aa:indexpattern-datasource-layer-9fa49c4c-5544-472d-afce-e51d6a5687fe", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "73a752f9-bde5-4396-8ede-e9e77a37182d:indexpattern-datasource-layer-a6fa56f8-32fa-405d-8771-dade4fe75d62", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "8994501a-1550-4cf2-857f-d6b6491ffb62:indexpattern-datasource-layer-db89074c-e1fe-4091-bdb1-e42a36e82bac", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "c7c6e8dc-b649-434c-9650-8a1564d4d676:indexpattern-datasource-layer-88a112e1-6da1-49d3-9177-19f98280c200", - "type": "index-pattern" - }, - { - "id": "ti_cif3-ec8c3e30-0c59-11ed-9b65-435777f1d8a1", - "name": "tag-ti_cif3-ec8c3e30-0c59-11ed-9b65-435777f1d8a1", - "type": "tag" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/ti_cif3/0.2.1/kibana/dashboard/ti_cif3-b4d9d9b0-0a2f-11ed-bcc0-01c79f2670f3.json b/packages/ti_cif3/0.2.1/kibana/dashboard/ti_cif3-b4d9d9b0-0a2f-11ed-bcc0-01c79f2670f3.json deleted file mode 100755 index 2fe7bc6819..0000000000 --- a/packages/ti_cif3/0.2.1/kibana/dashboard/ti_cif3-b4d9d9b0-0a2f-11ed-bcc0-01c79f2670f3.json +++ /dev/null 
@@ -1,107 +0,0 @@ -{ - "attributes": { - "description": "Dashboard providing statistics about indicators ingested from the Collective Intelligence Framework v3 integration", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.kind\",\"negate\":false,\"params\":{\"query\":\"enrichment\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"event.kind\":\"enrichment\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"ti_cif3.feed\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"ti_cif3.feed\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":true,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"fontSize\":12,\"markdown\":\"**Navigation**\\n\\n**[CIFv3 (This Page)](/app/dashboards#/view/ti_cif3-b4d9d9b0-0a2f-11ed-bcc0-01c79f2670f3)** \\n[CIFv3 Emails](/app/dashboards#/view/ti_cif3-bda23600-0abb-11ed-bcc0-01c79f2670f3) \\n[CIFv3 Files](/app/dashboards#/view/ti_cif3-63a0e470-0a30-11ed-bcc0-01c79f2670f3) \\n[CIFv3 FQDNs](/app/dashboards#/view/ti_cif3-6005a190-0aba-11ed-bcc0-01c79f2670f3) \\n[CIFv3 IPs](/app/dashboards#/view/ti_cif3-aedada10-0ab5-11ed-bcc0-01c79f2670f3) \\n[CIFv3 URLs](/app/dashboards#/view/ti_cif3-fef149c0-0a2f-11ed-bcc0-01c79f2670f3) \\n\\n[Integrations Page](/app/integrations/detail/ti_cif3/overview)\\n\\n\\n**Overview**\\n\\nThis dashboard is a health 
overview related to the Collective Intelligence Framework v3 integration.\\n\\nThe dashboard is made to provide general statistics and show the health of the ingestion of indicators from a CIFv3 instance. \\n\\nThe ingestion rates (by default it fetches new updates every 60 minutes) and provides a few filters for drilling down to specific indicator types retrieved from the CIFv3 instance.\",\"openLinksInNewTab\":false},\"title\":\"Overview Textbox [CIFv3]\",\"type\":\"markdown\",\"uiState\":{}}},\"gridData\":{\"h\":31,\"i\":\"555e9e6c-04e9-4022-b6df-bda07dde30c4\",\"w\":7,\"x\":0,\"y\":0},\"panelIndex\":\"555e9e6c-04e9-4022-b6df-bda07dde30c4\",\"title\":\"Overview Textbox [Logs CIFv3]\",\"type\":\"visualization\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.dataset\",\"negate\":false,\"params\":[\"ti_cif3.feed\"],\"type\":\"phrases\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.dataset\":\"ti_cif3.feed\"}}]}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"event.kind\",\"negate\":false,\"params\":{\"query\":\"enrichment\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"event.kind\":\"enrichment\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"controls\":[{\"fieldName\":\"threat.indicator.provider\",\"id\":\"1635779603363\",\"indexPatternRefName\":\"control_e971fedd-6afd-4d03-93ac-d0c751acc254_0_index_pattern\",\"label\":\"Indicator 
Provider\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"},{\"fieldName\":\"threat.indicator.type\",\"id\":\"1635779625911\",\"indexPatternRefName\":\"control_e971fedd-6afd-4d03-93ac-d0c751acc254_1_index_pattern\",\"label\":\"Indicator Type\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"},{\"fieldName\":\"tags\",\"id\":\"1658691004225\",\"indexPatternRefName\":\"control_e971fedd-6afd-4d03-93ac-d0c751acc254_2_index_pattern\",\"label\":\"Indicator Tag\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"}],\"pinFilters\":false,\"updateFiltersOnChange\":false,\"useTimeFilter\":false},\"title\":\"Feed and Indicator Selector [CIFv3]\",\"type\":\"input_control_vis\",\"uiState\":{}}},\"gridData\":{\"h\":6,\"i\":\"e971fedd-6afd-4d03-93ac-d0c751acc254\",\"w\":41,\"x\":7,\"y\":0},\"panelIndex\":\"e971fedd-6afd-4d03-93ac-d0c751acc254\",\"title\":\"Feed and Indicator Selector [Logs 
CIFv3]\",\"type\":\"visualization\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-c1cee622-e3dd-4d6b-a28a-0fb19dc2c7b7\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"c1cee622-e3dd-4d6b-a28a-0fb19dc2c7b7\":{\"columnOrder\":[\"4d7ca99c-8a53-4a7f-96db-409251c0e391\",\"b7f07f7c-1477-4f83-95f5-ad5cdc3a314b\",\"0726d151-9edf-41cb-ab52-473ab27cf8b7\"],\"columns\":{\"0726d151-9edf-41cb-ab52-473ab27cf8b7\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"4d7ca99c-8a53-4a7f-96db-409251c0e391\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of event.dataset\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"0726d151-9edf-41cb-ab52-473ab27cf8b7\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"size\":3},\"scale\":\"ordinal\",\"sourceField\":\"event.dataset\"},\"b7f07f7c-1477-4f83-95f5-ad5cdc3a314b\":{\"dataType\":\"date\",\"isBucketed\":true,\"label\":\"@timestamp\",\"operationType\":\"date_histogram\",\"params\":{\"includeEmptyRows\":true,\"interval\":\"30s\"},\"scale\":\"interval\",\"sourceField\":\"@timestamp\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"curveType\":\"CURVE_MONOTONE_X\",\"fittingFunction\":\"Zero\",\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"layers\":[{\"accessors\":[\"0726d151-9edf-41cb-ab52-473ab27cf8b7\"],\"layerId\":\"c1cee622-e3dd-4d6b-a28a-0fb19dc2c7b7\",\"layerType\":\"data\",\"position\":\"top\",\"seriesType\":\"line\",\"showGridlines\":false,\"splitAccessor\":\"4d7ca99c-8a53-4a7f-96db-409251c0e391\",\"xAccessor\":\"b7f07f7c-1477-
4f83-95f5-ad5cdc3a314b\"}],\"legend\":{\"isInside\":false,\"isVisible\":true,\"legendSize\":\"auto\",\"position\":\"bottom\",\"shouldTruncate\":false,\"showSingleSeries\":true},\"preferredSeriesType\":\"line\",\"title\":\"Empty XY chart\",\"valueLabels\":\"hide\",\"valuesInLegend\":false,\"xTitle\":\"Date\",\"yLeftExtent\":{\"mode\":\"full\"},\"yRightExtent\":{\"mode\":\"full\"},\"yTitle\":\"Total Indicators\"}},\"title\":\"Indicators ingested per Datastream [Logs CIFv3]\",\"type\":\"lens\",\"visualizationType\":\"lnsXY\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":16,\"i\":\"aab4fac0-d39c-4521-aa9b-0a49d5938e9e\",\"w\":29,\"x\":7,\"y\":6},\"panelIndex\":\"aab4fac0-d39c-4521-aa9b-0a49d5938e9e\",\"title\":\"Indicators ingested per Datastream [Logs CIFv3]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-2c2ce8ee-a793-4242-aad4-06f3a8707b02\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"2c2ce8ee-a793-4242-aad4-06f3a8707b02\":{\"columnOrder\":[\"1d9b6fbf-58e3-427e-a453-edec40466320\",\"b6cbd44b-6f5d-4e1e-b1ab-0c09b3a67111\"],\"columns\":{\"1d9b6fbf-58e3-427e-a453-edec40466320\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of threat.indicator.type\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"b6cbd44b-6f5d-4e1e-b1ab-0c09b3a67111\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"threat.indicator.type\"},\"b6cbd44b-6f5d-4e1e-b1ab-0c09b3a67111\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of 
records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"1d9b6fbf-58e3-427e-a453-edec40466320\"],\"layerId\":\"2c2ce8ee-a793-4242-aad4-06f3a8707b02\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"b6cbd44b-6f5d-4e1e-b1ab-0c09b3a67111\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"donut\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":8,\"i\":\"c446ea70-8a63-418e-8997-e43a5f7c5b5d\",\"w\":12,\"x\":36,\"y\":6},\"panelIndex\":\"c446ea70-8a63-418e-8997-e43a5f7c5b5d\",\"title\":\"Total Percentage by Type [Logs CIFv3]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"description\":\"\",\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-070f5dbc-7687-4e97-9a57-5542b401c13f\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"070f5dbc-7687-4e97-9a57-5542b401c13f\":{\"columnOrder\":[\"1e352b49-3b83-44a6-98fe-8703d30f2517\"],\"columns\":{\"1e352b49-3b83-44a6-98fe-8703d30f2517\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Total Indicators\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"1e352b49-3b83-44a6-98fe-8703d30f2517\",\"layerId\":\"070f5dbc-7687-4e97-9a57-5542b401c13f\",\"layerType\":\"data\",\"size\":\"xl\",\"textAlign\":\"center\",\"titlePosition\":\"bottom\"}},\"title\":\"Total Indicators [Logs 
CIFv3]\",\"type\":\"lens\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":8,\"i\":\"d37eb797-f273-43c2-9004-b947891cce55\",\"w\":6,\"x\":36,\"y\":14},\"panelIndex\":\"d37eb797-f273-43c2-9004-b947891cce55\",\"title\":\"Total Indicators [Logs CIFv3]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-df8e3a91-700b-428a-a763-525076e4d3c8\",\"type\":\"index-pattern\"}],\"sharingSavedObjectProps\":{\"outcome\":\"exactMatch\",\"sourceId\":\"ti_cif3-49830790-3b27-11ec-ae50-2fdf1e96c6a6\"},\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"df8e3a91-700b-428a-a763-525076e4d3c8\":{\"columnOrder\":[\"e4f78e2f-f0a7-4cc6-96d0-af607ffbf326\"],\"columns\":{\"e4f78e2f-f0a7-4cc6-96d0-af607ffbf326\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Total Datastreams\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"event.dataset\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"e4f78e2f-f0a7-4cc6-96d0-af607ffbf326\",\"layerId\":\"df8e3a91-700b-428a-a763-525076e4d3c8\",\"layerType\":\"data\",\"size\":\"xl\",\"textAlign\":\"center\",\"titlePosition\":\"bottom\"}},\"title\":\"Total Datastreams [Logs CIFv3]\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":8,\"i\":\"6509dcc9-bb9c-4c1f-80e9-612f67ada340\",\"w\":6,\"x\":42,\"y\":14},\"panelIndex\":\"6509dcc9-bb9c-4c1f-80e9-612f67ada340\",\"title\":\"Total Datastreams [Logs CIFv3]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"}]", - "timeRestore": false, - "title": "[Logs CIFv3] Overview", - "version": 1 - }, - "coreMigrationVersion": "8.0.0", - "id": 
"ti_cif3-b4d9d9b0-0a2f-11ed-bcc0-01c79f2670f3",
- "migrationVersion": {
- "dashboard": "8.0.0"
- },
- "references": [
- {
- "id": "logs-*",
- "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "e971fedd-6afd-4d03-93ac-d0c751acc254:kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "e971fedd-6afd-4d03-93ac-d0c751acc254:kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "e971fedd-6afd-4d03-93ac-d0c751acc254:control_e971fedd-6afd-4d03-93ac-d0c751acc254_0_index_pattern",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "e971fedd-6afd-4d03-93ac-d0c751acc254:control_e971fedd-6afd-4d03-93ac-d0c751acc254_1_index_pattern",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "e971fedd-6afd-4d03-93ac-d0c751acc254:control_e971fedd-6afd-4d03-93ac-d0c751acc254_2_index_pattern",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "aab4fac0-d39c-4521-aa9b-0a49d5938e9e:indexpattern-datasource-current-indexpattern",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "aab4fac0-d39c-4521-aa9b-0a49d5938e9e:indexpattern-datasource-layer-c1cee622-e3dd-4d6b-a28a-0fb19dc2c7b7",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "c446ea70-8a63-418e-8997-e43a5f7c5b5d:indexpattern-datasource-current-indexpattern",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "c446ea70-8a63-418e-8997-e43a5f7c5b5d:indexpattern-datasource-layer-2c2ce8ee-a793-4242-aad4-06f3a8707b02",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "d37eb797-f273-43c2-9004-b947891cce55:indexpattern-datasource-current-indexpattern",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- 
"name": "d37eb797-f273-43c2-9004-b947891cce55:indexpattern-datasource-layer-070f5dbc-7687-4e97-9a57-5542b401c13f",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "6509dcc9-bb9c-4c1f-80e9-612f67ada340:indexpattern-datasource-current-indexpattern",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "6509dcc9-bb9c-4c1f-80e9-612f67ada340:indexpattern-datasource-layer-df8e3a91-700b-428a-a763-525076e4d3c8",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "f654c447-12d2-41a4-9091-06169af11ba5:indexpattern-datasource-layer-682732d8-8691-4c5a-bf89-de8e30d71dfb",
- "type": "index-pattern"
- },
- {
- "id": "ti_cif3-ec8c3e30-0c59-11ed-9b65-435777f1d8a1",
- "name": "tag-ti_cif3-ec8c3e30-0c59-11ed-9b65-435777f1d8a1",
- "type": "tag"
- }
- ],
- "type": "dashboard"
-}
\ No newline at end of file
diff --git a/packages/ti_cif3/0.2.1/kibana/dashboard/ti_cif3-bda23600-0abb-11ed-bcc0-01c79f2670f3.json b/packages/ti_cif3/0.2.1/kibana/dashboard/ti_cif3-bda23600-0abb-11ed-bcc0-01c79f2670f3.json
deleted file mode 100755
index fce7d83a02..0000000000
--- a/packages/ti_cif3/0.2.1/kibana/dashboard/ti_cif3-bda23600-0abb-11ed-bcc0-01c79f2670f3.json
+++ /dev/null
@@ -1,72 +0,0 @@ -{ - "attributes": { - "description": "Dashboard providing statistics about Email type indicators from the Collective Intelligence Framework v3 integration", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"threat.indicator.type\",\"negate\":false,\"params\":{\"query\":\"email-addr\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"threat.indicator.type\":\"email-addr\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"ti_cif3.feed\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"ti_cif3.feed\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":true,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"id\":\"\",\"params\":{\"fontSize\":12,\"markdown\":\"**Navigation**\\n\\n[CIFv3 Overview](/app/dashboards#/view/ti_cif3-b4d9d9b0-0a2f-11ed-bcc0-01c79f2670f3) \\n**[CIFv3 Emails (This Page)](/app/dashboards#/view/ti_cif3-bda23600-0abb-11ed-bcc0-01c79f2670f3)** \\n[CIFv3 Files](/app/dashboards#/view/ti_cif3-63a0e470-0a30-11ed-bcc0-01c79f2670f3) \\n[CIFv3 FQDNs](/app/dashboards#/view/ti_cif3-6005a190-0aba-11ed-bcc0-01c79f2670f3) \\n[CIFv3 IPs](/app/dashboards#/view/ti_cif3-aedada10-0ab5-11ed-bcc0-01c79f2670f3) \\n[CIFv3 URLs](/app/dashboards#/view/ti_cif3-fef149c0-0a2f-11ed-bcc0-01c79f2670f3) \\n\\n[Integrations 
Page](/app/integrations/detail/ti_cif3/overview)\\n\\n\\n**Overview**\\n\\nThis dashboard is an overview of the different threat intelligence indicators with a **threat.indicator.type: email-addr**. \\n\\nThe dashboard is made to provide general statistics and show the health of your indicators like popular domains, and statistics about how many unique indicators are ingested and other relevant information.\",\"openLinksInNewTab\":false},\"title\":\"\",\"type\":\"markdown\",\"uiState\":{}}},\"gridData\":{\"h\":39,\"i\":\"4c3ed6e1-8b4e-4eab-8d84-70ed4f506216\",\"w\":7,\"x\":0,\"y\":0},\"panelIndex\":\"4c3ed6e1-8b4e-4eab-8d84-70ed4f506216\",\"title\":\"Files Navigation Textbox [Logs CIFv3]\",\"type\":\"visualization\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-cd81a60b-2661-48b3-a40f-ba8451e802a6\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"cd81a60b-2661-48b3-a40f-ba8451e802a6\":{\"columnOrder\":[\"4f96463f-c5f9-448b-ab9e-7e17a2bd5969\"],\"columns\":{\"4f96463f-c5f9-448b-ab9e-7e17a2bd5969\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Unique 
Addresses\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"threat.indicator.email.address\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"4f96463f-c5f9-448b-ab9e-7e17a2bd5969\",\"layerId\":\"cd81a60b-2661-48b3-a40f-ba8451e802a6\",\"layerType\":\"data\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":8,\"i\":\"3a6a2852-0fb8-45df-9a79-e7729691fe5f\",\"w\":6,\"x\":7,\"y\":0},\"panelIndex\":\"3a6a2852-0fb8-45df-9a79-e7729691fe5f\",\"title\":\"Unique Addresses [Logs CIFv3]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-c94400ee-a135-4a99-9693-5879d29f7aad\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"c94400ee-a135-4a99-9693-5879d29f7aad\":{\"columnOrder\":[\"2934249f-fce5-4637-87ff-d2596d1b6ec5\"],\"columns\":{\"2934249f-fce5-4637-87ff-d2596d1b6ec5\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Unique 
Domains\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"threat.indicator.url.domain\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"2934249f-fce5-4637-87ff-d2596d1b6ec5\",\"layerId\":\"c94400ee-a135-4a99-9693-5879d29f7aad\",\"layerType\":\"data\",\"size\":\"xl\",\"textAlign\":\"center\",\"titlePosition\":\"bottom\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":8,\"i\":\"02f1732b-a981-4fba-8b27-b944f2f3c98c\",\"w\":6,\"x\":13,\"y\":0},\"panelIndex\":\"02f1732b-a981-4fba-8b27-b944f2f3c98c\",\"title\":\"Unique Domains [Logs CIFv3]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-db89074c-e1fe-4091-bdb1-e42a36e82bac\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"db89074c-e1fe-4091-bdb1-e42a36e82bac\":{\"columnOrder\":[\"b284ea2a-a2cd-4d08-bf44-fc73c08b5694\",\"7ca1ac0b-2060-4431-a4b9-ec470af4448c\"],\"columns\":{\"7ca1ac0b-2060-4431-a4b9-ec470af4448c\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"b284ea2a-a2cd-4d08-bf44-fc73c08b5694\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Domains\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"7ca1ac0b-2060-4431-a4b9-ec470af4448c\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"threat.indicator.url.domain\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"que
ry\":\"\"},\"visualization\":{\"columns\":[{\"columnId\":\"7ca1ac0b-2060-4431-a4b9-ec470af4448c\",\"isTransposed\":false},{\"columnId\":\"b284ea2a-a2cd-4d08-bf44-fc73c08b5694\",\"isTransposed\":false}],\"layerId\":\"db89074c-e1fe-4091-bdb1-e42a36e82bac\",\"layerType\":\"data\",\"rowHeight\":\"single\",\"rowHeightLines\":1}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsDatatable\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":16,\"i\":\"8994501a-1550-4cf2-857f-d6b6491ffb62\",\"w\":18,\"x\":19,\"y\":0},\"panelIndex\":\"8994501a-1550-4cf2-857f-d6b6491ffb62\",\"title\":\"Most Popular Domains [Logs CIFv3]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"}]", - "timeRestore": false, - "title": "[Logs CIFv3] Emails", - "version": 1 - }, - "coreMigrationVersion": "8.0.0", - "id": "ti_cif3-bda23600-0abb-11ed-bcc0-01c79f2670f3", - "migrationVersion": { - "dashboard": "8.0.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "3a6a2852-0fb8-45df-9a79-e7729691fe5f:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "3a6a2852-0fb8-45df-9a79-e7729691fe5f:indexpattern-datasource-layer-cd81a60b-2661-48b3-a40f-ba8451e802a6", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "02f1732b-a981-4fba-8b27-b944f2f3c98c:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "02f1732b-a981-4fba-8b27-b944f2f3c98c:indexpattern-datasource-layer-c94400ee-a135-4a99-9693-5879d29f7aad", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "8994501a-1550-4cf2-857f-d6b6491ffb62:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - 
"name": "8994501a-1550-4cf2-857f-d6b6491ffb62:indexpattern-datasource-layer-db89074c-e1fe-4091-bdb1-e42a36e82bac",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "c7c6e8dc-b649-434c-9650-8a1564d4d676:indexpattern-datasource-layer-88a112e1-6da1-49d3-9177-19f98280c200",
- "type": "index-pattern"
- },
- {
- "id": "ti_cif3-ec8c3e30-0c59-11ed-9b65-435777f1d8a1",
- "name": "tag-ti_cif3-ec8c3e30-0c59-11ed-9b65-435777f1d8a1",
- "type": "tag"
- }
- ],
- "type": "dashboard"
-}
\ No newline at end of file
diff --git a/packages/ti_cif3/0.2.1/kibana/dashboard/ti_cif3-fef149c0-0a2f-11ed-bcc0-01c79f2670f3.json b/packages/ti_cif3/0.2.1/kibana/dashboard/ti_cif3-fef149c0-0a2f-11ed-bcc0-01c79f2670f3.json
deleted file mode 100755
index d29035b7c7..0000000000
--- a/packages/ti_cif3/0.2.1/kibana/dashboard/ti_cif3-fef149c0-0a2f-11ed-bcc0-01c79f2670f3.json
+++ /dev/null
@@ -1,102 +0,0 @@ -{ - "attributes": { - "description": "Dashboard providing statistics about URL type indicators from the Collective Intelligence Framework v3 integration", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"threat.indicator.type\",\"negate\":false,\"params\":{\"query\":\"url\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"threat.indicator.type\":\"url\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"ti_cif3.feed\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"ti_cif3.feed\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":true,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"id\":\"\",\"params\":{\"fontSize\":12,\"markdown\":\"**Navigation**\\n\\n[CIFv3 Overview](/app/dashboards#/view/ti_cif3-b4d9d9b0-0a2f-11ed-bcc0-01c79f2670f3) \\n[CIFv3 Emails](/app/dashboards#/view/ti_cif3-bda23600-0abb-11ed-bcc0-01c79f2670f3) \\n[CIFv3 Files](/app/dashboards#/view/ti_cif3-63a0e470-0a30-11ed-bcc0-01c79f2670f3) \\n[CIFv3 FQDNs](/app/dashboards#/view/ti_cif3-6005a190-0aba-11ed-bcc0-01c79f2670f3) \\n[CIFv3 IPs](/app/dashboards#/view/ti_cif3-aedada10-0ab5-11ed-bcc0-01c79f2670f3) \\n**[CIFv3 URLs (This Page)](/app/dashboards#/view/ti_cif3-fef149c0-0a2f-11ed-bcc0-01c79f2670f3)** \\n\\n[Integrations 
Page](/app/integrations/detail/ti_cif3/overview)\\n\\n\\n**Overview**\\n\\nThis dashboard is an overview of the different threat intelligence indicators with a **threat.indicator.type: url**. \\n\\nThe dashboard is made to provide general statistics and show the health of your indicators like popular domains, file extensions, statistics about how many unique indicators are ingested and other relevant information.\",\"openLinksInNewTab\":false},\"title\":\"\",\"type\":\"markdown\",\"uiState\":{}}},\"gridData\":{\"h\":39,\"i\":\"4c3ed6e1-8b4e-4eab-8d84-70ed4f506216\",\"w\":7,\"x\":0,\"y\":0},\"panelIndex\":\"4c3ed6e1-8b4e-4eab-8d84-70ed4f506216\",\"title\":\"Files Navigation Textbox [Logs CIFv3]\",\"type\":\"visualization\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-88a112e1-6da1-49d3-9177-19f98280c200\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"88a112e1-6da1-49d3-9177-19f98280c200\":{\"columnOrder\":[\"604f1693-15a6-437d-af69-03588db8e471\"],\"columns\":{\"604f1693-15a6-437d-af69-03588db8e471\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Unique 
Ports\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"threat.indicator.url.port\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"604f1693-15a6-437d-af69-03588db8e471\",\"layerId\":\"88a112e1-6da1-49d3-9177-19f98280c200\",\"layerType\":\"data\",\"size\":\"xl\",\"textAlign\":\"center\",\"titlePosition\":\"bottom\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":8,\"i\":\"c7c6e8dc-b649-434c-9650-8a1564d4d676\",\"w\":6,\"x\":7,\"y\":0},\"panelIndex\":\"c7c6e8dc-b649-434c-9650-8a1564d4d676\",\"title\":\"Unique Ports [Logs CIFv3]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-a6fa56f8-32fa-405d-8771-dade4fe75d62\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"a6fa56f8-32fa-405d-8771-dade4fe75d62\":{\"columnOrder\":[\"848c463b-bbc1-4b6a-af3e-76d844eb3cc5\"],\"columns\":{\"848c463b-bbc1-4b6a-af3e-76d844eb3cc5\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Unique 
Extensions\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"threat.indicator.url.extension\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"848c463b-bbc1-4b6a-af3e-76d844eb3cc5\",\"layerId\":\"a6fa56f8-32fa-405d-8771-dade4fe75d62\",\"layerType\":\"data\",\"size\":\"xl\",\"textAlign\":\"center\",\"titlePosition\":\"bottom\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":8,\"i\":\"73a752f9-bde5-4396-8ede-e9e77a37182d\",\"w\":6,\"x\":13,\"y\":0},\"panelIndex\":\"73a752f9-bde5-4396-8ede-e9e77a37182d\",\"title\":\"Unique File Extensions [Logs CIFv3]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-c94400ee-a135-4a99-9693-5879d29f7aad\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"c94400ee-a135-4a99-9693-5879d29f7aad\":{\"columnOrder\":[\"2934249f-fce5-4637-87ff-d2596d1b6ec5\"],\"columns\":{\"2934249f-fce5-4637-87ff-d2596d1b6ec5\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Unique 
Domains\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"threat.indicator.url.domain\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"2934249f-fce5-4637-87ff-d2596d1b6ec5\",\"layerId\":\"c94400ee-a135-4a99-9693-5879d29f7aad\",\"layerType\":\"data\",\"size\":\"xl\",\"textAlign\":\"center\",\"titlePosition\":\"bottom\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":8,\"i\":\"02f1732b-a981-4fba-8b27-b944f2f3c98c\",\"w\":6,\"x\":19,\"y\":0},\"panelIndex\":\"02f1732b-a981-4fba-8b27-b944f2f3c98c\",\"title\":\"Unique Domains [Logs CIFv3]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-0f63318a-a857-4d83-89ce-a94e2242b79e\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"0f63318a-a857-4d83-89ce-a94e2242b79e\":{\"columnOrder\":[\"df0791a6-247c-4434-a43a-fdea7577ca34\",\"77a48096-02aa-4b7a-8a7b-131fc38988bd\"],\"columns\":{\"77a48096-02aa-4b7a-8a7b-131fc38988bd\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"df0791a6-247c-4434-a43a-fdea7577ca34\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of 
threat.indicator.url.scheme\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"77a48096-02aa-4b7a-8a7b-131fc38988bd\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"threat.indicator.url.scheme\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"df0791a6-247c-4434-a43a-fdea7577ca34\"],\"layerId\":\"0f63318a-a857-4d83-89ce-a94e2242b79e\",\"layerType\":\"data\",\"legendDisplay\":\"show\",\"legendSize\":\"auto\",\"metric\":\"77a48096-02aa-4b7a-8a7b-131fc38988bd\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"donut\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":8,\"i\":\"ab7ab31c-e76f-4613-b17d-fdd909f17e0d\",\"w\":10,\"x\":25,\"y\":0},\"panelIndex\":\"ab7ab31c-e76f-4613-b17d-fdd909f17e0d\",\"title\":\"Percentage of URL Schema used [Logs 
CIFv3]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-db89074c-e1fe-4091-bdb1-e42a36e82bac\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"db89074c-e1fe-4091-bdb1-e42a36e82bac\":{\"columnOrder\":[\"b284ea2a-a2cd-4d08-bf44-fc73c08b5694\",\"7ca1ac0b-2060-4431-a4b9-ec470af4448c\"],\"columns\":{\"7ca1ac0b-2060-4431-a4b9-ec470af4448c\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"b284ea2a-a2cd-4d08-bf44-fc73c08b5694\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Domains\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"7ca1ac0b-2060-4431-a4b9-ec470af4448c\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"threat.indicator.url.domain\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"columns\":[{\"columnId\":\"7ca1ac0b-2060-4431-a4b9-ec470af4448c\",\"isTransposed\":false},{\"columnId\":\"b284ea2a-a2cd-4d08-bf44-fc73c08b5694\",\"isTransposed\":false}],\"layerId\":\"db89074c-e1fe-4091-bdb1-e42a36e82bac\",\"layerType\":\"data\",\"rowHeight\":\"single\",\"rowHeightLines\":1}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsDatatable\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":16,\"i\":\"8994501a-1550-4cf2-857f-d6b6491ffb62\",\"w\":13,\"x\":35,\"y\":0},\"panelIndex\":\"8994501a-1550-4cf2-857f-d6b6491ffb62\",\"title\":\"Most Popular Domains [Logs 
CIFv3]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-dfaa5b71-ed27-4602-9dbe-d263fd33aa05\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"dfaa5b71-ed27-4602-9dbe-d263fd33aa05\":{\"columnOrder\":[\"c00d8a88-7047-4fa4-b99f-7e8be1370b6f\",\"14f7e661-8382-4e25-a998-10c6c576255e\"],\"columns\":{\"14f7e661-8382-4e25-a998-10c6c576255e\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"c00d8a88-7047-4fa4-b99f-7e8be1370b6f\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of threat.indicator.url.extension\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"14f7e661-8382-4e25-a998-10c6c576255e\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"threat.indicator.url.extension\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"c00d8a88-7047-4fa4-b99f-7e8be1370b6f\"],\"layerId\":\"dfaa5b71-ed27-4602-9dbe-d263fd33aa05\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"14f7e661-8382-4e25-a998-10c6c576255e\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"treemap\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":8,\"i\":\"353bb92f-8375-4dc6-b961-9ed7f7509627\",\"w\":28,\"x\":7,\"y\":8},\"panelIndex\":\"353bb92f-8375-4dc6-b961-9ed7f7509627\",\"title\":\"Most Popular File Extensions [Logs 
CIFv3]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"}]", - "timeRestore": false, - "title": "[Logs CIFv3] URLs", - "version": 1 - }, - "coreMigrationVersion": "8.0.0", - "id": "ti_cif3-fef149c0-0a2f-11ed-bcc0-01c79f2670f3", - "migrationVersion": { - "dashboard": "8.0.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "c7c6e8dc-b649-434c-9650-8a1564d4d676:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "c7c6e8dc-b649-434c-9650-8a1564d4d676:indexpattern-datasource-layer-88a112e1-6da1-49d3-9177-19f98280c200", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "73a752f9-bde5-4396-8ede-e9e77a37182d:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "73a752f9-bde5-4396-8ede-e9e77a37182d:indexpattern-datasource-layer-a6fa56f8-32fa-405d-8771-dade4fe75d62", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "02f1732b-a981-4fba-8b27-b944f2f3c98c:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "02f1732b-a981-4fba-8b27-b944f2f3c98c:indexpattern-datasource-layer-c94400ee-a135-4a99-9693-5879d29f7aad", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "ab7ab31c-e76f-4613-b17d-fdd909f17e0d:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "ab7ab31c-e76f-4613-b17d-fdd909f17e0d:indexpattern-datasource-layer-0f63318a-a857-4d83-89ce-a94e2242b79e", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "8994501a-1550-4cf2-857f-d6b6491ffb62:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - 
"name": "8994501a-1550-4cf2-857f-d6b6491ffb62:indexpattern-datasource-layer-db89074c-e1fe-4091-bdb1-e42a36e82bac", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "353bb92f-8375-4dc6-b961-9ed7f7509627:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "353bb92f-8375-4dc6-b961-9ed7f7509627:indexpattern-datasource-layer-dfaa5b71-ed27-4602-9dbe-d263fd33aa05", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "fda93ed1-72f0-4489-80b7-9e69d14f30aa:indexpattern-datasource-layer-9fa49c4c-5544-472d-afce-e51d6a5687fe", - "type": "index-pattern" - }, - { - "id": "ti_cif3-ec8c3e30-0c59-11ed-9b65-435777f1d8a1", - "name": "tag-ti_cif3-ec8c3e30-0c59-11ed-9b65-435777f1d8a1", - "type": "tag" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/ti_cif3/0.2.1/kibana/tag/ti_cif3-ec8c3e30-0c59-11ed-9b65-435777f1d8a1.json.json b/packages/ti_cif3/0.2.1/kibana/tag/ti_cif3-ec8c3e30-0c59-11ed-9b65-435777f1d8a1.json.json deleted file mode 100755 index 5d464afed9..0000000000 --- a/packages/ti_cif3/0.2.1/kibana/tag/ti_cif3-ec8c3e30-0c59-11ed-9b65-435777f1d8a1.json.json +++ /dev/null @@ -1,14 +0,0 @@ -{ - "attributes": { - "color": "#01426A", - "description": "", - "name": "CIFv3" - }, - "coreMigrationVersion": "8.0.0", - "id": "ti_cif3-ec8c3e30-0c59-11ed-9b65-435777f1d8a1", - "migrationVersion": { - "tag": "8.0.0" - }, - "references": [], - "type": "tag" -} \ No newline at end of file diff --git a/packages/ti_cif3/0.2.1/manifest.yml b/packages/ti_cif3/0.2.1/manifest.yml deleted file mode 100755 index b68fcfc834..0000000000 --- a/packages/ti_cif3/0.2.1/manifest.yml +++ /dev/null 
@@ -1,43 +0,0 @@ -format_version: 1.0.0 -name: ti_cif3 -title: "Collective Intelligence Framework v3" -version: 0.2.1 -release: beta -license: basic -description: "Ingest threat indicators from a Collective Intelligence Framework v3 instance with Elastic Agent." -type: integration -categories: - - security - - threat_intel -conditions: - kibana.version: "^8.0.0" -icons: - - src: /img/csg_logo_big.svg - title: csirtgadgets logo - size: 1047x748 - type: image/svg+xml -policy_templates: - - name: ti_cif3 - title: Collective Intelligence Framework v3 - description: Ingest threat indicators from a Collective Intelligence Framework v3 instance with Elastic Agent. - inputs: - - type: httpjson - title: Collect threat indicators via API - description: Ingest threat indicators from a Collective Intelligence Framework v3 instance with Elastic Agent. - vars: - - name: url - type: url - title: CIFv3 API base URL - multi: false - required: true - show_user: true - description: "Base URL for CIFv3 instance, e.g.: https://cif.yourdomain.tld" - - name: api_token - type: password - title: API Token - multi: false - required: true - show_user: true - description: The CIFv3 API read token -owner: - github: elastic/security-external-integrations diff --git a/packages/ti_cif3/0.2.2/LICENSE.txt b/packages/ti_cif3/0.2.2/LICENSE.txt deleted file mode 100755 index 809108b857..0000000000 --- a/packages/ti_cif3/0.2.2/LICENSE.txt +++ /dev/null 
@@ -1,93 +0,0 @@
-Elastic License 2.0
-
-URL: https://www.elastic.co/licensing/elastic-license
-
-## Acceptance
-
-By using the software, you agree to all of the terms and conditions below.
-
-## Copyright License
-
-The licensor grants you a non-exclusive, royalty-free, worldwide,
-non-sublicensable, non-transferable license to use, copy, distribute, make
-available, and prepare derivative works of the software, in each case subject to
-the limitations and conditions below.
-
-## Limitations
-
-You may not provide the software to third parties as a hosted or managed
-service, where the service provides users with access to any substantial set of
-the features or functionality of the software.
-
-You may not move, change, disable, or circumvent the license key functionality
-in the software, and you may not remove or obscure any functionality in the
-software that is protected by the license key.
-
-You may not alter, remove, or obscure any licensing, copyright, or other notices
-of the licensor in the software. Any use of the licensor’s trademarks is subject
-to applicable law.
-
-## Patents
-
-The licensor grants you a license, under any patent claims the licensor can
-license, or becomes able to license, to make, have made, use, sell, offer for
-sale, import and have imported the software, in each case subject to the
-limitations and conditions in this license. This license does not cover any
-patent claims that you cause to be infringed by modifications or additions to
-the software. If you or your company make any written claim that the software
-infringes or contributes to infringement of any patent, your patent license for
-the software granted under these terms ends immediately. If your company makes
-such a claim, your patent license ends immediately for work on behalf of your
-company.
-
-## Notices
-
-You must ensure that anyone who gets a copy of any part of the software from you
-also gets a copy of these terms.
-
-If you modify the software, you must include in any modified copies of the
-software prominent notices stating that you have modified the software.
-
-## No Other Rights
-
-These terms do not imply any licenses other than those expressly granted in
-these terms.
-
-## Termination
-
-If you use the software in violation of these terms, such use is not licensed,
-and your licenses will automatically terminate. If the licensor provides you
-with a notice of your violation, and you cease all violation of this license no
-later than 30 days after you receive that notice, your licenses will be
-reinstated retroactively. However, if you violate these terms after such
-reinstatement, any additional violation of these terms will cause your licenses
-to terminate automatically and permanently.
-
-## No Liability
-
-*As far as the law allows, the software comes as is, without any warranty or
-condition, and the licensor will not be liable to you for any damages arising
-out of these terms or the use or nature of the software, under any kind of
-legal claim.*
-
-## Definitions
-
-The **licensor** is the entity offering these terms, and the **software** is the
-software the licensor makes available under these terms, including any portion
-of it.
-
-**you** refers to the individual or entity agreeing to these terms.
-
-**your company** is any legal entity, sole proprietorship, or other kind of
-organization that you work for, plus all organizations that have control over,
-are under the control of, or are under common control with that
-organization. **control** means ownership of substantially all the assets of an
-entity, or the power to direct its management and policies by vote, contract, or
-otherwise. Control can be direct or indirect.
-
-**your licenses** are all the licenses granted to you for the software under
-these terms.
-
-**use** means anything you do with the software requiring one of your licenses.
- -**trademark** means trademarks, service marks, and similar rights. diff --git a/packages/ti_cif3/0.2.2/changelog.yml b/packages/ti_cif3/0.2.2/changelog.yml deleted file mode 100755 index b267c7d873..0000000000 --- a/packages/ti_cif3/0.2.2/changelog.yml +++ /dev/null @@ -1,21 +0,0 @@ -# newer versions go on top -- version: "0.2.2" - changes: - - description: Remove duplicate field. - type: bugfix - link: https://github.com/elastic/integrations/issues/4327 -- version: "0.2.1" - changes: - - description: Fix documentation build error - type: enhancement - link: https://github.com/elastic/integrations/pull/4295 -- version: "0.2.0" - changes: - - description: Labelling with Threat Intelligence category - type: enhancement - link: https://github.com/elastic/integrations/pull/4304 -- version: "0.1.0" - changes: - - description: Initial draft of the package - type: enhancement - link: https://github.com/elastic/integrations/pull/3839 diff --git a/packages/ti_cif3/0.2.2/data_stream/feed/agent/stream/httpjson.yml.hbs b/packages/ti_cif3/0.2.2/data_stream/feed/agent/stream/httpjson.yml.hbs deleted file mode 100755 index 42f0dcb645..0000000000 --- a/packages/ti_cif3/0.2.2/data_stream/feed/agent/stream/httpjson.yml.hbs +++ /dev/null 
@@ -1,87 +0,0 @@ -config_version: "2" -interval: {{interval}} -request.method: "GET" - -{{#if url}} -request.url: {{url}}/feed -{{/if}} -{{#if proxy_url }} -request.proxy_url: {{proxy_url}} -{{/if}} -{{#if ssl}} -request.ssl: {{ssl}} -{{/if}} -{{#if http_client_timeout}} -request.timeout: {{http_client_timeout}} -{{/if}} -request.transforms: -- set: - target: header.Accept - value: 'application/vnd.cif.v3+json' -- delete: - target: header.User-Agent -- set: - target: header.User-Agent - value: elastic-integration/0.1.0 -{{#if api_token }} -- set: - target: header.Authorization - value: Token token={{ api_token }} -{{/if}} -{{#if type}} -- set: - target: url.params.itype - value: {{ type }} -{{/if}} -{{#if confidence}} -- set: - target: url.params.confidence - value: {{ confidence }} -{{/if}} -{{#if limit}} -- set: - target: url.params.limit - value: {{ limit }} -{{/if}} -{{#if cif_tags}} -- set: - target: url.params.tags - value: {{ cif_tags }} -{{/if}} -{{#if lookback_hours}} -- set: - target: url.params.hours - value: {{ lookback_hours }} -{{/if}} -- set: - target: url.params.reporttime - value: '[[.cursor.last_requested_at]]' - default: '[[ formatDate (now (parseDuration "-{{initial_lookback}}")) "RFC3339" ]]' - -{{#each filters}} -- set: - target: "url.params.{{{ @key }}}" - value: {{ this }} -{{/each}} - -response.split: - target: body.data - -cursor: - last_requested_at: - value: '[[ formatDate (now) "RFC3339" ]]' - -tags: -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#each tags as |tag i|}} - - {{tag}} -{{/each}} -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} -{{#if processors}} -processors: -{{processors}} -{{/if}} \ No newline at end of file diff --git a/packages/ti_cif3/0.2.2/data_stream/feed/elasticsearch/ingest_pipeline/default.yml b/packages/ti_cif3/0.2.2/data_stream/feed/elasticsearch/ingest_pipeline/default.yml deleted file mode 100755 index 710037d1b1..0000000000 
--- a/packages/ti_cif3/0.2.2/data_stream/feed/elasticsearch/ingest_pipeline/default.yml +++ /dev/null 
@@ -1,341 +0,0 @@ ---- -description: Pipeline for processing CIFv3 threat indicators -processors: - #################### - # Event ECS fields # - #################### - - set: - field: ecs.version - value: "8.4.0" - - set: - field: event.kind - value: enrichment - - set: - field: event.category - value: threat - - set: - field: event.type - value: indicator - - ###################### - # General ECS fields # - ###################### - - rename: - field: message - target_field: event.original - ignore_missing: true - - json: - field: event.original - target_field: cif3 - - ##################### - # Threat ECS Fields # - ##################### - - rename: - field: cif3.firsttime - target_field: threat.indicator.first_seen - ignore_missing: true - - rename: - field: cif3.lasttime - target_field: threat.indicator.last_seen - ignore_missing: true - - rename: - field: cif3.reporttime - target_field: threat.indicator.modified_at - ignore_missing: true - - rename: - field: cif3.provider - target_field: threat.indicator.provider - ignore_missing: true - - rename: - field: cif3.reference - target_field: threat.indicator.reference - ignore_missing: true - - rename: - field: cif3.count - target_field: threat.indicator.sightings - ignore_missing: true - - rename: - field: cif3.description - target_field: threat.indicator.description - ignore_missing: true - if: "ctx.cif3?.description != ''" - - uppercase: - field: cif3.tlp - target_field: threat.indicator.marking.tlp - ignore_missing: true - if: ctx.cif3?.tlp != null - ## File indicator operations - - set: - field: threat.indicator.type - value: file - if: "['md5', 'sha1', 'sha256', 'sha512', 'ssdeep'].contains(ctx.cif3?.itype) && !ctx.cif3?.tags.contains('ja3')" - - rename: - field: cif3.indicator - target_field: threat.indicator.tls.client.ja3 - ignore_missing: true - if: "ctx.cif3?.itype == 'md5' && ctx.cif3?.tags.contains('ja3')" - - rename: - field: cif3.indicator - target_field: threat.indicator.file.pe.imphash - 
ignore_missing: true - if: "ctx.cif3?.itype == 'md5' && ctx.cif3?.tags.contains('imphash')" - - append: - field: related.hash - value: "{{{ threat.indicator.file.hash.pe.imphash }}}" - if: ctx?.threat?.indicator?.file?.pe?.imphash != null - - rename: - field: cif3.indicator - target_field: _tmp.hashvalue - ignore_missing: true - if: "ctx.threat?.indicator?.type == 'file'" - - set: - field: threat.indicator.file.hash.{{cif3.itype}} - value: "{{{ _tmp.hashvalue }}}" - if: "ctx.threat?.indicator?.type == 'file'" - - append: - field: related.hash - value: "{{{ _tmp.hashvalue }}}" - ignore_failure: true - if: "ctx.threat?.indicator?.type == 'file' && ctx?.threat?.indicator?.file?.pe?.imphash == null" - - ## ASN indicator operations - - set: - field: threat.indicator.type - value: autonomous-system - if: "ctx.cif3?.itype == 'asn'" - - grok: - field: cif3.indicator - patterns: - - "as(?:%{INT:threat.indicator.as.number})" - ignore_failure: true - if: "ctx.cif3?.itype == 'asn'" - - ## IP indicator operations - - set: - field: threat.indicator.type - value: ipv4-addr - if: "ctx.cif3?.itype == 'ipv4'" - - set: - field: threat.indicator.type - value: ipv6-addr - if: "ctx.cif3?.itype == 'ipv6'" - - rename: - field: cif3.indicator - target_field: threat.indicator.network.cidr - ignore_missing: true - if: "ctx.threat?.indicator?.type != null && ['ipv4-addr', 'ipv6-addr'].contains(ctx.threat.indicator.type) && (ctx.cif3?.indicator_ipv4_mask != null || ctx.cif3?.indicator_ipv6_mask != null)" - - convert: - field: cif3.indicator - type: ip - target_field: threat.indicator.ip - ignore_missing: true - if: "ctx.threat?.indicator?.type != null && ['ipv4-addr', 'ipv6-addr'].contains(ctx.threat.indicator.type) && ctx.cif3?.indicator_ipv4_mask == null && ctx.cif3?.indicator_ipv6_mask == null" - - append: - field: related.ip - value: "{{{ threat.indicator.ip }}}" - if: ctx?.threat?.indicator?.ip != null - - rename: - field: cif3.cc - target_field: threat.indicator.geo.country_iso_code - 
ignore_missing: true - if: "ctx.threat?.indicator?.type != null && ['ipv4-addr', 'ipv6-addr'].contains(ctx.threat.indicator.type) && ctx.cif3?.cc != null" - - rename: - field: cif3.asn - target_field: threat.indicator.as.number - ignore_missing: true - if: "ctx.threat?.indicator?.type != null && ['ipv4-addr', 'ipv6-addr'].contains(ctx.threat.indicator.type) && ctx.cif3?.asn != null" - - rename: - field: cif3.asn_desc - target_field: threat.indicator.as.organization.name - ignore_missing: true - if: "ctx.threat?.indicator?.type != null && ['ipv4-addr', 'ipv6-addr'].contains(ctx.threat.indicator.type) && ctx.cif3?.asn_desc != null" - - rename: - field: cif3.latitude - target_field: threat.indicator.geo.location.lat - ignore_missing: true - if: "ctx.threat?.indicator?.type != null && ['ipv4-addr', 'ipv6-addr'].contains(ctx.threat.indicator.type) && ctx.cif3?.latitude != null" - - rename: - field: cif3.longitude - target_field: threat.indicator.geo.location.lon - ignore_missing: true - if: "ctx.threat?.indicator?.type != null && ['ipv4-addr', 'ipv6-addr'].contains(ctx.threat.indicator.type) && ctx.cif3?.longitude != null" - - rename: - field: cif3.region - target_field: threat.indicator.geo.region_name - ignore_missing: true - if: "ctx.threat?.indicator?.type != null && ['ipv4-addr', 'ipv6-addr'].contains(ctx.threat.indicator.type) && ctx.cif3?.region != null" - - rename: - field: cif3.timezone - target_field: threat.indicator.geo.timezone - ignore_missing: true - if: "ctx.threat?.indicator?.type != null && ['ipv4-addr', 'ipv6-addr'].contains(ctx.threat.indicator.type) && ctx.cif3?.timezone != null" - - ## URL indicator operations - - set: - field: threat.indicator.type - value: url - if: "ctx.cif3?.itype == 'url'" - - uri_parts: - field: cif3.indicator - target_field: threat.indicator.url - keep_original: true - remove_if_successful: true - if: "ctx.threat?.indicator?.type == 'url'" - - set: - field: threat.indicator.url.full - value: 
"{{{threat.indicator.url.original}}}" - ignore_empty_value: true - if: "ctx.cif3?.itype == 'url'" - # Host could be either IP address or hostname - - grok: - field: cif3.indicator - patterns: - - "%{URIPROTO:threat.indicator.url.scheme}://(?:%{IPV4:threat.indicator.ip}|\\[?%{IPV6:threat.indicator.ip}\\]?|%{HOSTNAME:threat.indicator.url.domain})(?::%{POSINT:threat.indicator.url.port})?(?:%{URIPATH:threat.indicator.url.path})?.*" - ignore_failure: true - if: "ctx.cif3?.itype == 'url'" - - ## Email indicator operations - - set: - field: threat.indicator.type - value: email-addr - if: "ctx.cif3?.itype == 'email'" - - rename: - field: cif3.indicator - target_field: threat.indicator.email.address - ignore_missing: true - if: "ctx.threat?.indicator?.type == 'email-addr'" - - grok: - field: threat.indicator.email.address - patterns: - - "%{USERNAME}@%{GREEDYDATA:threat.indicator.url.domain}" - ignore_failure: true - if: "ctx.threat?.indicator?.type == 'email-addr'" - - ## Domain indicator operations - - set: - field: threat.indicator.type - value: domain-name - if: "ctx.cif3?.itype == 'fqdn'" - - rename: - field: cif3.indicator - target_field: threat.indicator.url.domain - ignore_missing: true - if: "ctx.threat?.indicator?.type == 'domain-name' && ctx.threat?.indicator?.url?.domain == null" - - append: - field: related.hosts - value: "{{{ threat.indicator.url.domain }}}" - if: ctx?.threat?.indicator?.url?.domain != null - - ###################### - # Confidence # - ###################### - - script: - lang: painless - if: ctx.cif3?.confidence != null - description: Normalize confidence level. 
- source: > - def value = ctx.cif3.confidence; - if (value < 0.0 || value > 10.0) { - ctx.threat.indicator.confidence = "None"; - return; - } - if (value >= 0.0 && value < 3.0) { - ctx.threat.indicator.confidence = "Low"; - return; - } - if (value >= 3.0 && value < 7.0) { - ctx.threat.indicator.confidence = "Med"; - return; - } - if (value >= 7.0 && value <= 10.0) { - ctx.threat.indicator.confidence = "High"; - return; - } - - ################### - # Tags ECS fields # - ################### - - foreach: - field: cif3.tags - ignore_missing: true - processor: - append: - field: tags - value: "{{_ingest._value}}" - allow_duplicates: false - if: ctx.cif3?.tags != null - - ## Misc - - rename: - field: cif3.protocol - target_field: network.transport - if: ctx.cif3?.protocol != null - - rename: - field: cif3.application - target_field: network.protocol - if: ctx.cif3?.application != null - - rename: - field: cif3.port - target_field: threat.indicator.port - # sometimes contains a range like 1000-1002 or CSVs like 10,22,52 - ignore_failure: true - if: ctx.cif3?.port != null - - ###################### - # Cleanup processors # - ###################### - - set: - field: threat.indicator.type - value: unknown - if: ctx.threat?.indicator?.type == null - - script: - lang: painless - if: ctx.cif3 != null - source: | - void handleMap(Map map) { - for (def x : map.values()) { - if (x instanceof Map) { - handleMap(x); - } else if (x instanceof List) { - handleList(x); - } - } - map.values().removeIf(v -> v == null); - } - void handleList(List list) { - for (def x : list) { - if (x instanceof Map) { - handleMap(x); - } else if (x instanceof List) { - handleList(x); - } - } - } - handleMap(ctx); - - remove: - field: cif3.rdata - ignore_missing: true - if: "ctx.cif3?.rdata == ''" - - remove: - field: - - cif3.indicator - - cif3.confidence - - cif3.indicator_ipv4 - - cif3.indicator_ipv6 - - cif3.group - - cif3.latitude - - cif3.longitude - - cif3.location - - cif3.city - - cif3.region - 
- cif3.tags - - cif3.tlp - - message - - _tmp - ignore_missing: true - if: ctx.threat?.indicator?.type != null -on_failure: - - set: - field: error.message - value: "{{ _ingest.on_failure_message }}" diff --git a/packages/ti_cif3/0.2.2/data_stream/feed/fields/base-fields.yml b/packages/ti_cif3/0.2.2/data_stream/feed/fields/base-fields.yml deleted file mode 100755 index 4b8c057a9a..0000000000 --- a/packages/ti_cif3/0.2.2/data_stream/feed/fields/base-fields.yml +++ /dev/null @@ -1,24 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: '@timestamp' - type: date - description: Event timestamp. -- name: event.module - type: constant_keyword - description: Name of the module this data is coming from. - value: ti_cif3 -- name: threat.feed.name - type: constant_keyword - description: Display friendly feed name - value: cif3 -- name: event.dataset - type: constant_keyword - description: Event dataset - value: ti_cif3.feed diff --git a/packages/ti_cif3/0.2.2/data_stream/feed/fields/beats.yml b/packages/ti_cif3/0.2.2/data_stream/feed/fields/beats.yml deleted file mode 100755 index cb44bb2944..0000000000 --- a/packages/ti_cif3/0.2.2/data_stream/feed/fields/beats.yml +++ /dev/null @@ -1,12 +0,0 @@ -- name: input.type - type: keyword - description: Type of Filebeat input. -- name: log.flags - type: keyword - description: Flags for the log file. -- name: log.offset - type: long - description: Offset of the entry in the log file. -- name: log.file.path - type: keyword - description: Path to the log file. diff --git a/packages/ti_cif3/0.2.2/data_stream/feed/fields/ecs.yml b/packages/ti_cif3/0.2.2/data_stream/feed/fields/ecs.yml deleted file mode 100755 index aa47d10516..0000000000 
--- a/packages/ti_cif3/0.2.2/data_stream/feed/fields/ecs.yml +++ /dev/null 
@@ -1,220 +0,0 @@
-- description: |-
- ECS version this event conforms to. `ecs.version` is a required field and must exist in all events.
- When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events.
- name: ecs.version
- type: keyword
-- description: |-
- For log events the message field contains the log message, optimized for viewing in a log viewer.
- For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event.
- If multiple messages exist, they can be combined into one message.
- name: message
- type: match_only_text
-- description: Error message.
- name: error.message
- type: match_only_text
-- description: List of keywords used to tag each event.
- name: tags
- normalize:
- - array
- type: keyword
-- description: All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search).
- name: related.hash
- normalize:
- - array
- type: keyword
-- description: All of the IPs seen on your event.
- name: related.ip
- normalize:
- - array
- type: ip
-- description: |-
- event.created contains the date/time when the event was first read by an agent, or by your pipeline.
- This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event.
- In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source.
- In case the two timestamps are identical, @timestamp should be used.
- name: event.created
- type: date
-- description: |-
- Timestamp when an event arrived in the central data store.
- This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event.
- In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`.
- name: event.ingested
- type: date
-- description: |-
- This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy.
- `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events.
- The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not.
- name: event.kind
- type: keyword
-- description: |-
- This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy.
- `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory.
- This field is an array. This will allow proper categorization of some events that fall in multiple categories.
- name: event.category
- normalize:
- - array
- type: keyword
-- description: |-
- Source of the event.
- Event transports such as Syslog or the Windows Event Log typically mention the source of an event. It can be the name of the software that generated the event (e.g. Sysmon, httpd), or of a subsystem of the operating system (kernel, Microsoft-Windows-Security-Auditing).
- name: event.provider
- type: keyword
-- description: |-
- This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy.
- `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization.
- This field is an array. This will allow proper categorization of some events that fall in multiple event types.
- name: event.type
- normalize:
- - array
- type: keyword
-- description: |-
- Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex.
- This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`.
- doc_values: false
- index: false
- name: event.original
- type: keyword
-- description: |-
- In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`.
- The field value must be normalized to lowercase for querying.
- name: network.protocol
- type: keyword
-- description: |-
- Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.)
- The field value must be normalized to lowercase for querying.
- name: network.transport
- type: keyword
-- description: Type of indicator as represented by Cyber Observable in STIX 2.0.
- name: threat.indicator.type
- type: keyword
-- description: The date and time when intelligence source first reported sighting this indicator.
- name: threat.indicator.first_seen
- type: date
-- description: The date and time when intelligence source last reported sighting this indicator.
- name: threat.indicator.last_seen
- type: date
-- description: The date and time when intelligence source last modified information for this indicator.
- name: threat.indicator.modified_at
- type: date
-- description: Reference URL linking to additional information about this indicator.
- name: threat.indicator.reference
- type: keyword
-- description: Describes the type of action conducted by the threat.
- name: threat.indicator.description
- type: keyword
-- description: Number of times this indicator was observed conducting threat activity.
- name: threat.indicator.sightings
- type: long
-- description: File type (file, dir, or symlink).
- name: threat.indicator.file.type
- type: keyword
-- description: MD5 hash.
- name: threat.indicator.file.hash.md5
- type: keyword
-- description: SHA1 hash.
- name: threat.indicator.file.hash.sha1
- type: keyword
-- description: SHA256 hash.
- name: threat.indicator.file.hash.sha256
- type: keyword
-- description: SHA512 hash.
- name: threat.indicator.file.hash.sha512
- type: keyword
-- description: |-
- A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values.
- Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.
- name: threat.indicator.file.pe.imphash
- type: keyword
-- description: SSDEEP hash.
- name: threat.indicator.file.hash.ssdeep
- type: keyword
-- description: An md5 hash that identifies clients based on their TLS handshake.
- level: extended
- name: threat.indicator.tls.client.ja3
- type: keyword
-- description: Identifies a threat indicator as an email address (irrespective of direction).
- name: threat.indicator.email.address
- type: keyword
-- description: Identifies a threat indicator as an IP address (irrespective of direction).
- name: threat.indicator.ip
- type: ip
-- description: |-
- Domain of the url, such as "www.elastic.co".
- In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field.
- If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field.
- name: threat.indicator.url.domain
- type: keyword
-- description: If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source.
- multi_fields:
- - name: text
- type: match_only_text
- name: threat.indicator.url.full
- type: wildcard
-- description: |-
- The field contains the file extension from the original request url, excluding the leading dot.
- The file extension is only set if it exists, as not every url has a file extension.
- The leading period must not be included. For example, the value must be "png", not ".png".
- Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz").
- name: threat.indicator.url.extension
- type: keyword
-- description: |-
- Unmodified original url as seen in the event source.
- Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path.
- This field is meant to represent the URL as it was observed, complete or not.
- multi_fields:
- - name: text
- type: match_only_text
- name: threat.indicator.url.original
- type: wildcard
-- description: Path of the request, such as "/search".
- name: threat.indicator.url.path
- type: wildcard
-- description: Port of the request, such as 443.
- name: threat.indicator.url.port
- type: long
-- description: |-
- Scheme of the request, such as "https".
- Note: The `:` is not part of the scheme.
- name: threat.indicator.url.scheme
- type: keyword
-- description: |-
- The query field describes the query string of the request, such as "q=elasticsearch".
- The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases.
- name: threat.indicator.url.query
- type: keyword
-- description: The name of the indicator's provider.
- name: threat.indicator.provider
- type: keyword
-- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet.
- name: threat.indicator.as.number
- type: long
-- description: Organization name.
- multi_fields:
- - name: text
- type: match_only_text
- name: threat.indicator.as.organization.name
- type: keyword
-- description: Traffic Light Protocol sharing markings.
- name: threat.indicator.marking.tlp
- type: keyword
-- description: Identifies the vendor-neutral confidence rating using the None/Low/Medium/High scale defined in Appendix A of the STIX 2.1 framework. Vendor-specific confidence scales may be added as custom fields.
- name: threat.indicator.confidence
- type: keyword
-- description: Longitude and latitude.
- name: threat.indicator.geo.location
- type: geo_point
-- description: Country ISO code.
- name: threat.indicator.geo.country_iso_code
- type: keyword
-- description: Longitude and latitude.
- name: threat.indicator.geo.location.lat
- type: geo_point
-- description: Longitude and latitude.
- name: threat.indicator.geo.location.lon
- type: geo_point
-- description: Region name.
- name: threat.indicator.geo.region_name
- type: keyword
-- description: The time zone of the location, such as IANA time zone name.
- name: threat.indicator.geo.timezone
- type: keyword
diff --git a/packages/ti_cif3/0.2.2/data_stream/feed/fields/fields.yml b/packages/ti_cif3/0.2.2/data_stream/feed/fields/fields.yml
deleted file mode 100755
index 4977ea2d80..0000000000
--- a/packages/ti_cif3/0.2.2/data_stream/feed/fields/fields.yml
+++ /dev/null
@@ -1,106 +0,0 @@
-- name: cif3
- type: group
- description: Fields for CIFv3 Threat Indicators
- fields:
- - name: uuid
- type: keyword
- description: The ID of the indicator.
- - name: indicator
- type: keyword
- description: >
- The value of the indicator, for example if the type is fqdn, this would be the value.
-
- - name: description
- type: keyword
- description: A description of the indicator.
- - name: rdata
- type: keyword
- description: >
- Extra text or descriptive content related to the indicator such as OS, reverse lookup, etc.
-
- - name: reference
- type: keyword
- description: A reference URL with further info related to the indicator.
- - name: itype
- type: keyword
- description: >
- The indicator type, can for example be "ipv4, fqdn, email, url, sha256".
-
- - name: tags
- type: keyword
- description: >
- Comma-separated list of words describing the indicator such as "malware,exploit".
-
- - name: confidence
- type: float
- description: >
- The confidence on a scale of 0-10 that the tags appropriately contextualize the indicator.
-
- - name: provider
- type: keyword
- description: The source of the indicator information.
- - name: application
- type: keyword
- description: The application used by the indicator, such as telnet or ssh.
- - name: protocol
- type: text
- description: The protocol used by the indicator.
- - name: portlist
- type: text
- description: The port or range of ports used by the indicator.
- - name: city
- type: keyword
- description: GeoIP city information.
- - name: region
- type: keyword
- description: GeoIP region information.
- - name: count
- type: integer
- description: >
- The number of times the same indicator has been reported with the same metadata by the same provider.
-
- - name: cc
- type: keyword
- description: Country code of GeoIP.
- - name: location
- type: geo_point
- description: Lat/Long of GeoIP.
- - name: latitude
- type: keyword
- description: Latitude of GeoIP.
- - name: longitude
- type: keyword
- description: Longitude of GeoIP.
- - name: timezone
- type: text
- description: Timezone of GeoIP.
- - name: asn
- type: integer
- description: AS Number of IP.
- - name: asn_desc
- type: keyword
- description: AS Number org name.
- - name: indicator_ipv4
- type: ip
- description: IPv4 address.
- - name: indicator_ipv4_mask
- type: integer
- description: subnet mask of IPv4 CIDR.
- - name: indicator_ipv6
- type: keyword
- description: singleton IPv6 address.
- - name: indicator_ipv6_mask
- type: integer
- description: subnet mask of IPv6 CIDR.
- - name: indicator_iprange
- type: ip_range
- description: IPv4 or IPv6 IP Range.
- - name: indicator_ssdeep_chunksize
- type: integer
- description: SSDEEP hash chunk size.
- - name: indicator_ssdeep_chunk
- type: text
- description: SSDEEP hash chunk.
- - name: indicator_ssdeep_double_chunk
- type: text
- description: SSDEEP hash double chunk.
diff --git a/packages/ti_cif3/0.2.2/data_stream/feed/manifest.yml b/packages/ti_cif3/0.2.2/data_stream/feed/manifest.yml
deleted file mode 100755
index 12e7254fbc..0000000000
--- a/packages/ti_cif3/0.2.2/data_stream/feed/manifest.yml
+++ /dev/null
@@ -1,113 +0,0 @@
-title: "CIFv3 Feed"
-type: logs
-streams:
- - input: httpjson
- template_path: httpjson.yml.hbs
- title: CIFv3 feed indicators
- description: Collect CIFv3 feed indicators
- vars:
- - name: confidence
- type: text
- title: Confidence
- multi: false
- required: true
- show_user: true
- default: 8
- description: "Minimum confidence (0-10) to return indicator in feed"
- - name: cif_tags
- type: text
- title: Filter on indicator tags
- multi: false
- required: true
- show_user: true
- description: "A comma separated list of indicator tags to retrieve, e.g.: 'botnet,exploit,malware,phishing'"
- - name: type
- type: text
- title: Filter on indicator type
- multi: false
- required: true
- show_user: true
- description: "An indicator type (fqdn|ipv4|url|ssdeep) to retrieve, example: 'md5'"
- - name: limit
- type: text
- title: Result size limit
- multi: false
- required: true
- show_user: true
- default: 100000
- description: "Maximum result set size, capped at 250000"
- - name: initial_lookback
- type: text
- title: Initial lookback period
- multi: false
- required: true
- show_user: true
- default: 120h
- description: How far back to look for indicators the first time the agent is started.
- - name: interval
- type: text
- title: Interval
- multi: false
- required: true
- show_user: true
- default: 60m
- description: How frequently to pull the feed.
- # this doesn't currently work
- #- name: filters
- # type: yaml
- # title: Optional REST API filters
- # multi: false
- # required: false
- # show_user: false
- # default: |-
- # #tlp: white
- # description: "Optional REST API Feed filters supported by [CIFv3](https://github.com/csirtgadgets/bearded-avenger/blob/master/cif/httpd/common.py#L7-L9)."
- - name: ssl
- type: yaml
- title: SSL
- multi: false
- required: false
- show_user: false
- description: "Default example enables https verification. Change to 'none' to disable. https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-reference-yml.html"
- default: |-
- verification_mode: full
- - name: http_client_timeout
- type: text
- title: HTTP Client Timeout
- multi: false
- required: false
- show_user: false
- default: 120s
- - name: proxy_url
- type: url
- title: Proxy URL
- multi: false
- required: false
- show_user: false
- description: URL to proxy connections in the form of http[s]://:@:
- - name: tags
- type: text
- title: Tags
- multi: true
- required: true
- show_user: false
- description: Tags to add to each event once ingested into Elastic. Ingested indicators' tags will be appended dynamically to this list.
- default:
- - forwarded
- - cif3-indicator
- - name: preserve_original_event
- required: true
- show_user: true
- title: Preserve original event
- description: Preserves a raw copy of the original event, added to the field `event.original`
- type: bool
- multi: false
- default: false
- - name: processors
- type: yaml
- title: Processors
- multi: false
- required: false
- show_user: false
- description: >-
- Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
diff --git a/packages/ti_cif3/0.2.2/data_stream/feed/sample_event.json b/packages/ti_cif3/0.2.2/data_stream/feed/sample_event.json
deleted file mode 100755
index ab302efe65..0000000000
--- a/packages/ti_cif3/0.2.2/data_stream/feed/sample_event.json
+++ /dev/null
@@ -1,87 +0,0 @@
-{
- "@timestamp": "2022-07-25T02:59:05.404Z",
- "agent": {
- "ephemeral_id": "6d30ac65-9d55-4014-9a2a-2fbcf8816fff",
- "id": "f599fd51-b36d-45b4-a90f-4d63240b8477",
- "name": "docker-fleet-agent",
- "type": "filebeat",
- "version": "8.3.2"
- },
- "cif3": {
- "itype": "ipv4",
- "portlist": "443",
- "uuid": "ac240898-1443-4d7e-a98a-1daed220c162"
- },
- "data_stream": {
- "dataset": "ti_cif3.feed",
- "namespace": "ep",
- "type": "logs"
- },
- "ecs": {
- "version": "8.4.0"
- },
- "elastic_agent": {
- "id": "f599fd51-b36d-45b4-a90f-4d63240b8477",
- "snapshot": false,
- "version": "8.3.2"
- },
- "event": {
- "agent_id_status": "verified",
- "category": "threat",
- "created": "2022-07-25T02:59:05.404Z",
- "dataset": "ti_cif3.feed",
- "ingested": "2022-07-25T02:59:08Z",
- "kind": "enrichment",
- "original": "{\"application\":\"https\",\"asn\":8075,\"asn_desc\":\"microsoft-corp-msn-as-block\",\"cc\":\"br\",\"city\":\"campinas\",\"confidence\":10,\"count\":1,\"firsttime\":\"2022-07-20T20:25:53.000000Z\",\"group\":[\"everyone\"],\"indicator\":\"20.206.75.106\",\"indicator_ipv4\":\"20.206.75.106\",\"itype\":\"ipv4\",\"lasttime\":\"2022-07-20T20:25:53.000000Z\",\"latitude\":-22.9035,\"location\":[-47.0565,-22.9035],\"longitude\":-47.0565,\"portlist\":\"443\",\"protocol\":\"tcp\",\"provider\":\"sslbl.abuse.ch\",\"reference\":\"https://sslbl.abuse.ch/blacklist/sslipblacklist.csv\",\"region\":\"sao paulo\",\"reporttime\":\"2022-07-21T20:33:26.585967Z\",\"tags\":[\"botnet\"],\"timezone\":\"america/sao_paulo\",\"tlp\":\"white\",\"uuid\":\"ac240898-1443-4d7e-a98a-1daed220c162\"}",
- "type": "indicator"
- },
- "input": {
- "type": "httpjson"
- },
- "network": {
- "protocol": "https",
- "transport": "tcp"
- },
- "related": {
- "ip": [
- "20.206.75.106"
- ]
- },
- "tags": [
- "preserve_original_event",
- "forwarded",
- "cif3-indicator",
- "botnet"
- ],
- "threat": {
- "indicator": {
- "as": {
- "number": 8075,
- "organization": {
- "name": "microsoft-corp-msn-as-block"
- }
- },
- "confidence": "High",
- "first_seen": "2022-07-20T20:25:53.000000Z",
- "geo": {
- "country_iso_code": "br",
- "location": {
- "lat": -22.9035,
- "lon": -47.0565
- },
- "region_name": "sao paulo",
- "timezone": "america/sao_paulo"
- },
- "ip": "20.206.75.106",
- "last_seen": "2022-07-20T20:25:53.000000Z",
- "marking": {
- "tlp": "WHITE"
- },
- "modified_at": "2022-07-21T20:33:26.585967Z",
- "provider": "sslbl.abuse.ch",
- "reference": "https://sslbl.abuse.ch/blacklist/sslipblacklist.csv",
- "sightings": 1,
- "type": "ipv4-addr"
- }
- }
-}
\ No newline at end of file
diff --git a/packages/ti_cif3/0.2.2/docs/README.md b/packages/ti_cif3/0.2.2/docs/README.md
deleted file mode 100755
index af59f9a5e8..0000000000
--- a/packages/ti_cif3/0.2.2/docs/README.md
+++ /dev/null
@@ -1,211 +0,0 @@ -# Collective Intelligence Framework v3 Integration - -This integration connects with the [REST API from the running CIFv3 instance](https://github.com/csirtgadgets/bearded-avenger-deploymentkit/wiki/REST-API) to retrieve indicators. - -## Data Streams - -### Feed - -The CIFv3 integration collects threat indicators based on user-defined configuration including a polling interval, how far back in time it should look, and other filters like indicator type and tags. - -CIFv3 `confidence` field values (0..10) are converted to ECS confidence (None, Low, Medium, High) in the following way: - -| CIFv3 Confidence | ECS Conversion | -| ---------------- | -------------- | -| Beyond Range | None | -| 0 - \<3 | Low | -| 3 - \<7 | Medium | -| 7 - 10 | High | - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cif3.application | The application used by the indicator, such as telnet or ssh. | keyword | -| cif3.asn | AS Number of IP. | integer | -| cif3.asn_desc | AS Number org name. | keyword | -| cif3.cc | Country code of GeoIP. | keyword | -| cif3.city | GeoIP city information. | keyword | -| cif3.confidence | The confidence on a scale of 0-10 that the tags appropriately contextualize the indicator. | float | -| cif3.count | The number of times the same indicator has been reported with the same metadata by the same provider. | integer | -| cif3.description | A description of the indicator. | keyword | -| cif3.indicator | The value of the indicator, for example if the type is fqdn, this would be the value. | keyword | -| cif3.indicator_iprange | IPv4 or IPv6 IP Range. | ip_range | -| cif3.indicator_ipv4 | IPv4 address. | ip | -| cif3.indicator_ipv4_mask | subnet mask of IPv4 CIDR. | integer | -| cif3.indicator_ipv6 | singleton IPv6 address. | keyword | -| cif3.indicator_ipv6_mask | subnet mask of IPv6 CIDR. | integer | -| cif3.indicator_ssdeep_chunk | SSDEEP hash chunk. 
| text | -| cif3.indicator_ssdeep_chunksize | SSDEEP hash chunk size. | integer | -| cif3.indicator_ssdeep_double_chunk | SSDEEP hash double chunk. | text | -| cif3.itype | The indicator type, can for example be "ipv4, fqdn, email, url, sha256". | keyword | -| cif3.latitude | Latitude of GeoIP. | keyword | -| cif3.location | Lat/Long of GeoIP. | geo_point | -| cif3.longitude | Longitude of GeoIP. | keyword | -| cif3.portlist | The port or range of ports used by the indicator. | text | -| cif3.protocol | The protocol used by the indicator. | text | -| cif3.provider | The source of the indicator information. | keyword | -| cif3.rdata | Extra text or descriptive content related to the indicator such as OS, reverse lookup, etc. | keyword | -| cif3.reference | A reference URL with further info related to the indicator. | keyword | -| cif3.region | GeoIP region information. | keyword | -| cif3.tags | Comma-separated list of words describing the indicator such as "malware,exploit". | keyword | -| cif3.timezone | Timezone of GeoIP. | text | -| cif3.uuid | The ID of the indicator. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| error.message | Error message. | match_only_text | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. 
This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | -| event.dataset | Event dataset | constant_keyword | -| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | -| event.module | Name of the module this data is coming from. 
| constant_keyword | -| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | -| event.provider | Source of the event. Event transports such as Syslog or the Windows Event Log typically mention the source of an event. It can be the name of the software that generated the event (e.g. Sysmon, httpd), or of a subsystem of the operating system (kernel, Microsoft-Windows-Security-Auditing). | keyword | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | -| input.type | Type of Filebeat input. | keyword | -| log.file.path | Path to the log file. | keyword | -| log.flags | Flags for the log file. | keyword | -| log.offset | Offset of the entry in the log file. | long | -| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | -| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. 
| keyword | -| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword | -| related.hash | All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| tags | List of keywords used to tag each event. | keyword | -| threat.feed.name | Display friendly feed name | constant_keyword | -| threat.indicator.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| threat.indicator.as.organization.name | Organization name. | keyword | -| threat.indicator.as.organization.name.text | Multi-field of `threat.indicator.as.organization.name`. | match_only_text | -| threat.indicator.confidence | Identifies the vendor-neutral confidence rating using the None/Low/Medium/High scale defined in Appendix A of the STIX 2.1 framework. Vendor-specific confidence scales may be added as custom fields. | keyword | -| threat.indicator.description | Describes the type of action conducted by the threat. | keyword | -| threat.indicator.email.address | Identifies a threat indicator as an email address (irrespective of direction). | keyword | -| threat.indicator.file.hash.md5 | MD5 hash. | keyword | -| threat.indicator.file.hash.sha1 | SHA1 hash. | keyword | -| threat.indicator.file.hash.sha256 | SHA256 hash. | keyword | -| threat.indicator.file.hash.sha512 | SHA512 hash. | keyword | -| threat.indicator.file.hash.ssdeep | SSDEEP hash. | keyword | -| threat.indicator.file.pe.imphash | A hash of the imports in a PE file. 
An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. | keyword | -| threat.indicator.file.type | File type (file, dir, or symlink). | keyword | -| threat.indicator.first_seen | The date and time when intelligence source first reported sighting this indicator. | date | -| threat.indicator.geo.country_iso_code | Country ISO code. | keyword | -| threat.indicator.geo.location | Longitude and latitude. | geo_point | -| threat.indicator.geo.location.lat | Longitude and latitude. | geo_point | -| threat.indicator.geo.location.lon | Longitude and latitude. | geo_point | -| threat.indicator.geo.region_name | Region name. | keyword | -| threat.indicator.geo.timezone | The time zone of the location, such as IANA time zone name. | keyword | -| threat.indicator.ip | Identifies a threat indicator as an IP address (irrespective of direction). | ip | -| threat.indicator.last_seen | The date and time when intelligence source last reported sighting this indicator. | date | -| threat.indicator.marking.tlp | Traffic Light Protocol sharing markings. | keyword | -| threat.indicator.modified_at | The date and time when intelligence source last modified information for this indicator. | date | -| threat.indicator.provider | The name of the indicator's provider. | keyword | -| threat.indicator.reference | Reference URL linking to additional information about this indicator. | keyword | -| threat.indicator.sightings | Number of times this indicator was observed conducting threat activity. | long | -| threat.indicator.tls.client.ja3 | An md5 hash that identifies clients based on their TLS handshake. | keyword | -| threat.indicator.type | Type of indicator as represented by Cyber Observable in STIX 2.0. 
| keyword |
-| threat.indicator.url.domain | Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. | keyword |
-| threat.indicator.url.extension | The field contains the file extension from the original request url, excluding the leading dot. The file extension is only set if it exists, as not every url has a file extension. The leading period must not be included. For example, the value must be "png", not ".png". Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword |
-| threat.indicator.url.full | If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. | wildcard |
-| threat.indicator.url.full.text | Multi-field of `threat.indicator.url.full`. | match_only_text |
-| threat.indicator.url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | wildcard |
-| threat.indicator.url.original.text | Multi-field of `threat.indicator.url.original`. | match_only_text |
-| threat.indicator.url.path | Path of the request, such as "/search". | wildcard |
-| threat.indicator.url.port | Port of the request, such as 443. | long |
-| threat.indicator.url.query | The query field describes the query string of the request, such as "q=elasticsearch". The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. 
If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. | keyword | -| threat.indicator.url.scheme | Scheme of the request, such as "https". Note: The `:` is not part of the scheme. | keyword | - - -An example event for `feed` looks as following: - -```json -{ - "@timestamp": "2022-07-25T02:59:05.404Z", - "agent": { - "ephemeral_id": "6d30ac65-9d55-4014-9a2a-2fbcf8816fff", - "id": "f599fd51-b36d-45b4-a90f-4d63240b8477", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "8.3.2" - }, - "cif3": { - "itype": "ipv4", - "portlist": "443", - "uuid": "ac240898-1443-4d7e-a98a-1daed220c162" - }, - "data_stream": { - "dataset": "ti_cif3.feed", - "namespace": "ep", - "type": "logs" - }, - "ecs": { - "version": "8.4.0" - }, - "elastic_agent": { - "id": "f599fd51-b36d-45b4-a90f-4d63240b8477", - "snapshot": false, - "version": "8.3.2" - }, - "event": { - "agent_id_status": "verified", - "category": "threat", - "created": "2022-07-25T02:59:05.404Z", - "dataset": "ti_cif3.feed", - "ingested": "2022-07-25T02:59:08Z", - "kind": "enrichment", - "original": "{\"application\":\"https\",\"asn\":8075,\"asn_desc\":\"microsoft-corp-msn-as-block\",\"cc\":\"br\",\"city\":\"campinas\",\"confidence\":10,\"count\":1,\"firsttime\":\"2022-07-20T20:25:53.000000Z\",\"group\":[\"everyone\"],\"indicator\":\"20.206.75.106\",\"indicator_ipv4\":\"20.206.75.106\",\"itype\":\"ipv4\",\"lasttime\":\"2022-07-20T20:25:53.000000Z\",\"latitude\":-22.9035,\"location\":[-47.0565,-22.9035],\"longitude\":-47.0565,\"portlist\":\"443\",\"protocol\":\"tcp\",\"provider\":\"sslbl.abuse.ch\",\"reference\":\"https://sslbl.abuse.ch/blacklist/sslipblacklist.csv\",\"region\":\"sao paulo\",\"reporttime\":\"2022-07-21T20:33:26.585967Z\",\"tags\":[\"botnet\"],\"timezone\":\"america/sao_paulo\",\"tlp\":\"white\",\"uuid\":\"ac240898-1443-4d7e-a98a-1daed220c162\"}", - "type": "indicator" - }, - "input": { - "type": 
"httpjson" - }, - "network": { - "protocol": "https", - "transport": "tcp" - }, - "related": { - "ip": [ - "20.206.75.106" - ] - }, - "tags": [ - "preserve_original_event", - "forwarded", - "cif3-indicator", - "botnet" - ], - "threat": { - "indicator": { - "as": { - "number": 8075, - "organization": { - "name": "microsoft-corp-msn-as-block" - } - }, - "confidence": "High", - "first_seen": "2022-07-20T20:25:53.000000Z", - "geo": { - "country_iso_code": "br", - "location": { - "lat": -22.9035, - "lon": -47.0565 - }, - "region_name": "sao paulo", - "timezone": "america/sao_paulo" - }, - "ip": "20.206.75.106", - "last_seen": "2022-07-20T20:25:53.000000Z", - "marking": { - "tlp": "WHITE" - }, - "modified_at": "2022-07-21T20:33:26.585967Z", - "provider": "sslbl.abuse.ch", - "reference": "https://sslbl.abuse.ch/blacklist/sslipblacklist.csv", - "sightings": 1, - "type": "ipv4-addr" - } - } -} -``` diff --git a/packages/ti_cif3/0.2.2/img/csg_logo_big.svg b/packages/ti_cif3/0.2.2/img/csg_logo_big.svg deleted file mode 100755 index 5ee2369a85..0000000000 --- a/packages/ti_cif3/0.2.2/img/csg_logo_big.svg +++ /dev/null @@ -1,270 +0,0 @@ - - - - - diff --git a/packages/ti_cif3/0.2.2/kibana/dashboard/ti_cif3-6005a190-0aba-11ed-bcc0-01c79f2670f3.json b/packages/ti_cif3/0.2.2/kibana/dashboard/ti_cif3-6005a190-0aba-11ed-bcc0-01c79f2670f3.json deleted file mode 100755 index 6798fb65da..0000000000 --- a/packages/ti_cif3/0.2.2/kibana/dashboard/ti_cif3-6005a190-0aba-11ed-bcc0-01c79f2670f3.json +++ /dev/null 
@@ -1,57 +0,0 @@ -{ - "attributes": { - "description": "Dashboard providing statistics about FQDN type indicators from the Collective Intelligence Framework v3 integration", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"threat.indicator.type\",\"negate\":false,\"params\":{\"query\":\"domain-name\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"threat.indicator.type\":\"domain-name\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"ti_cif3.feed\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"ti_cif3.feed\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":true,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"id\":\"\",\"params\":{\"fontSize\":12,\"markdown\":\"**Navigation**\\n\\n[CIFv3 Overview](/app/dashboards#/view/ti_cif3-b4d9d9b0-0a2f-11ed-bcc0-01c79f2670f3) \\n[CIFv3 Emails](/app/dashboards#/view/ti_cif3-bda23600-0abb-11ed-bcc0-01c79f2670f3) \\n[CIFv3 Files](/app/dashboards#/view/ti_cif3-63a0e470-0a30-11ed-bcc0-01c79f2670f3) \\n**[CIFv3 FQDNs (This Page)](/app/dashboards#/view/ti_cif3-6005a190-0aba-11ed-bcc0-01c79f2670f3)** \\n[CIFv3 IPs](/app/dashboards#/view/ti_cif3-aedada10-0ab5-11ed-bcc0-01c79f2670f3) \\n[CIFv3 URLs](/app/dashboards#/view/ti_cif3-fef149c0-0a2f-11ed-bcc0-01c79f2670f3) \\n\\n[Integrations 
Page](/app/integrations/detail/ti_cif3/overview)\\n\\n\\n**Overview**\\n\\nThis dashboard is an overview of the different threat intelligence indicators with a **threat.indicator.type: domain-name**. \\n\\nThe dashboard is made to provide general statistics and show the health of your indicators like popular domains and statistics about how many unique indicators are ingested and other relevant information.\",\"openLinksInNewTab\":false},\"title\":\"\",\"type\":\"markdown\",\"uiState\":{}}},\"gridData\":{\"h\":39,\"i\":\"4c3ed6e1-8b4e-4eab-8d84-70ed4f506216\",\"w\":7,\"x\":0,\"y\":0},\"panelIndex\":\"4c3ed6e1-8b4e-4eab-8d84-70ed4f506216\",\"title\":\"Files Navigation Textbox [Logs CIFv3]\",\"type\":\"visualization\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-c94400ee-a135-4a99-9693-5879d29f7aad\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"c94400ee-a135-4a99-9693-5879d29f7aad\":{\"columnOrder\":[\"2934249f-fce5-4637-87ff-d2596d1b6ec5\"],\"columns\":{\"2934249f-fce5-4637-87ff-d2596d1b6ec5\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Unique 
Domains\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"threat.indicator.url.domain\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"2934249f-fce5-4637-87ff-d2596d1b6ec5\",\"layerId\":\"c94400ee-a135-4a99-9693-5879d29f7aad\",\"layerType\":\"data\",\"size\":\"xl\",\"textAlign\":\"center\",\"titlePosition\":\"bottom\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":8,\"i\":\"02f1732b-a981-4fba-8b27-b944f2f3c98c\",\"w\":6,\"x\":7,\"y\":0},\"panelIndex\":\"02f1732b-a981-4fba-8b27-b944f2f3c98c\",\"title\":\"Unique Domains [Logs CIFv3]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-09bca2c1-c599-4575-be8a-a416589c7082\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"09bca2c1-c599-4575-be8a-a416589c7082\":{\"columnOrder\":[\"87d9346d-c199-44ef-b58c-2c0c7625a523\",\"40a4b01a-1e63-4cd8-ab62-da960940d757\"],\"columns\":{\"40a4b01a-1e63-4cd8-ab62-da960940d757\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"threat.indicator.url.domain\"},\"87d9346d-c199-44ef-b58c-2c0c7625a523\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"FQDN\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"40a4b01a-1e63-4cd8-ab62-da960940d757\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"size\":15},\"scale\":\"ordinal\",\"sourceField\":\"threat.indicator.url.domain\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"lan
guage\":\"kuery\",\"query\":\"\"},\"visualization\":{\"columns\":[{\"columnId\":\"87d9346d-c199-44ef-b58c-2c0c7625a523\",\"isTransposed\":false},{\"columnId\":\"40a4b01a-1e63-4cd8-ab62-da960940d757\",\"isTransposed\":false}],\"layerId\":\"09bca2c1-c599-4575-be8a-a416589c7082\",\"layerType\":\"data\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsDatatable\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"c2db10e8-0e7e-4199-b787-48e14bd2e2fe\",\"w\":18,\"x\":13,\"y\":0},\"panelIndex\":\"c2db10e8-0e7e-4199-b787-48e14bd2e2fe\",\"title\":\"Sample of Domains [Logs CIFv3]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"}]", - "timeRestore": false, - "title": "[Logs CIFv3] FQDNs", - "version": 1 - }, - "coreMigrationVersion": "8.0.0", - "id": "ti_cif3-6005a190-0aba-11ed-bcc0-01c79f2670f3", - "migrationVersion": { - "dashboard": "8.0.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "02f1732b-a981-4fba-8b27-b944f2f3c98c:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "02f1732b-a981-4fba-8b27-b944f2f3c98c:indexpattern-datasource-layer-c94400ee-a135-4a99-9693-5879d29f7aad", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "c2db10e8-0e7e-4199-b787-48e14bd2e2fe:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "c2db10e8-0e7e-4199-b787-48e14bd2e2fe:indexpattern-datasource-layer-09bca2c1-c599-4575-be8a-a416589c7082", - "type": "index-pattern" - }, - { - "id": "ti_cif3-ec8c3e30-0c59-11ed-9b65-435777f1d8a1", - "name": "tag-ti_cif3-ec8c3e30-0c59-11ed-9b65-435777f1d8a1", - "type": "tag" - } - ], - "type": "dashboard" -} \ No newline at end of file 
diff --git a/packages/ti_cif3/0.2.2/kibana/dashboard/ti_cif3-63a0e470-0a30-11ed-bcc0-01c79f2670f3.json b/packages/ti_cif3/0.2.2/kibana/dashboard/ti_cif3-63a0e470-0a30-11ed-bcc0-01c79f2670f3.json
deleted file mode 100755
index 4b709d9915..0000000000
--- a/packages/ti_cif3/0.2.2/kibana/dashboard/ti_cif3-63a0e470-0a30-11ed-bcc0-01c79f2670f3.json
+++ /dev/null
@@ -1,107 +0,0 @@ -{ - "attributes": { - "description": "Dashboard providing statistics about File type indicators from the Collective Intelligence Framework v3 integration", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"threat.indicator.type\",\"negate\":false,\"params\":{\"query\":\"file\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"threat.indicator.type\":\"file\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"ti_cif3.feed\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"ti_cif3.feed\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":true,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"fontSize\":12,\"markdown\":\"**Navigation**\\n\\n[CIFv3 Overview](/app/dashboards#/view/ti_cif3-b4d9d9b0-0a2f-11ed-bcc0-01c79f2670f3) \\n[CIFv3 Emails](/app/dashboards#/view/ti_cif3-bda23600-0abb-11ed-bcc0-01c79f2670f3) \\n**[CIFv3 Files (This Page)](/app/dashboards#/view/ti_cif3-63a0e470-0a30-11ed-bcc0-01c79f2670f3)** \\n[CIFv3 FQDNs](/app/dashboards#/view/ti_cif3-6005a190-0aba-11ed-bcc0-01c79f2670f3) \\n[CIFv3 IPs](/app/dashboards#/view/ti_cif3-aedada10-0ab5-11ed-bcc0-01c79f2670f3) \\n[CIFv3 URLs](/app/dashboards#/view/ti_cif3-fef149c0-0a2f-11ed-bcc0-01c79f2670f3) \\n\\n[Integrations Page](/app/integrations/detail/ti_cif3/overview)\\n\\n\\n**Overview**\\n\\nThis 
dashboard is an overview of the different threat intelligence indicators with a **threat.indicator.type: file**.\\n\\nThe dashboard is made to provide general statistics and show the health of your indicators like hash type counters, popular domains, statistics about how many unique indicators are ingested and other relevant information.\",\"openLinksInNewTab\":false},\"title\":\"Files Navigation Textbox [Logs CIFv3]\",\"type\":\"markdown\",\"uiState\":{}}},\"gridData\":{\"h\":35,\"i\":\"09ba3dc0-e2e2-4799-b47f-bb919bf290a1\",\"w\":7,\"x\":0,\"y\":0},\"panelIndex\":\"09ba3dc0-e2e2-4799-b47f-bb919bf290a1\",\"title\":\"Files Navigation Textbox [Logs CIFv3]\",\"type\":\"visualization\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-b83c382d-fab9-4e60-a632-475e221cc20c\",\"type\":\"index-pattern\"}],\"sharingSavedObjectProps\":{\"outcome\":\"exactMatch\",\"sourceId\":\"ti_cif3-d888e3e0-3b38-11ec-ae50-2fdf1e96c6a6\"},\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"b83c382d-fab9-4e60-a632-475e221cc20c\":{\"columnOrder\":[\"eda3c6d9-dacb-4e5e-b977-50104f76e91a\"],\"columns\":{\"eda3c6d9-dacb-4e5e-b977-50104f76e91a\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Unique MD5\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"threat.indicator.file.hash.md5\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"eda3c6d9-dacb-4e5e-b977-50104f76e91a\",\"layerId\":\"b83c382d-fab9-4e60-a632-475e221cc20c\",\"layerType\":\"data\",\"size\":\"xl\",\"textAlign\":\"center\",\"titlePosition\":\"bottom\"}},\"title\":\"Unique MD5 
[CIFv3]\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":8,\"i\":\"4d3e11dc-c4cc-4373-bb83-3d39fe6ffa98\",\"w\":6,\"x\":7,\"y\":0},\"panelIndex\":\"4d3e11dc-c4cc-4373-bb83-3d39fe6ffa98\",\"title\":\"Unique MD5 [Logs CIFv3]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-49b7070a-f1d3-46e1-a980-2f6d6d130167\",\"type\":\"index-pattern\"}],\"sharingSavedObjectProps\":{\"outcome\":\"exactMatch\",\"sourceId\":\"ti_cif3-5d6111a0-3b39-11ec-ae50-2fdf1e96c6a6\"},\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"49b7070a-f1d3-46e1-a980-2f6d6d130167\":{\"columnOrder\":[\"b6c5e221-88ff-490e-bd3e-188b3e0dd1f4\"],\"columns\":{\"b6c5e221-88ff-490e-bd3e-188b3e0dd1f4\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Unique SHA256\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"threat.indicator.file.hash.sha256\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"b6c5e221-88ff-490e-bd3e-188b3e0dd1f4\",\"layerId\":\"49b7070a-f1d3-46e1-a980-2f6d6d130167\",\"layerType\":\"data\",\"size\":\"xl\",\"textAlign\":\"center\",\"titlePosition\":\"bottom\"}},\"title\":\"Unique SHA256 [CIFv3]\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":8,\"i\":\"93e32abe-87e3-469e-b7e9-a7ef7dfa2cce\",\"w\":6,\"x\":13,\"y\":0},\"panelIndex\":\"93e32abe-87e3-469e-b7e9-a7ef7dfa2cce\",\"title\":\"Unique SHA256 [Logs 
CIFv3]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-2825d170-daeb-4a6d-9d8f-8fda4dccffcc\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"2825d170-daeb-4a6d-9d8f-8fda4dccffcc\":{\"columnOrder\":[\"cb37ded7-9f40-418f-bfb9-6250652373d7\"],\"columns\":{\"cb37ded7-9f40-418f-bfb9-6250652373d7\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Unique SSDEEP\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"threat.indicator.file.hash.ssdeep\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"cb37ded7-9f40-418f-bfb9-6250652373d7\",\"layerId\":\"2825d170-daeb-4a6d-9d8f-8fda4dccffcc\",\"layerType\":\"data\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":8,\"i\":\"703fd39c-9642-4c7d-93c8-056f019acf42\",\"w\":6,\"x\":19,\"y\":0},\"panelIndex\":\"703fd39c-9642-4c7d-93c8-056f019acf42\",\"title\":\"Unique SSDEEP [Logs CIFv3]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-ace6c894-6dac-441d-b0db-3e246db99579\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"ace6c894-6dac-441d-b0db-3e246db99579\":{\"columnOrder\":[\"4c6f7061-d5e9-4c04-b9b2-39b984b06393\",\"e00a1b25-655b-4541-8ce0-1f84bdb16b1e\"],\"columns\":{\"4c6f7061-d5e9-4c04-b9b2-39b984b06393\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of 
threat.indicator.description\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"e00a1b25-655b-4541-8ce0-1f84bdb16b1e\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"threat.indicator.description\"},\"e00a1b25-655b-4541-8ce0-1f84bdb16b1e\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Unique count of threat.indicator.description\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"threat.indicator.description\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"4c6f7061-d5e9-4c04-b9b2-39b984b06393\"],\"layerId\":\"ace6c894-6dac-441d-b0db-3e246db99579\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"e00a1b25-655b-4541-8ce0-1f84bdb16b1e\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"treemap\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":16,\"i\":\"9717eae1-9937-41e7-bad1-e9ce43d06723\",\"w\":22,\"x\":25,\"y\":0},\"panelIndex\":\"9717eae1-9937-41e7-bad1-e9ce43d06723\",\"title\":\"File Descriptions [Logs 
CIFv3]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-85ad73b3-3b76-49f1-ad20-6256b58918f8\",\"type\":\"index-pattern\"}],\"sharingSavedObjectProps\":{\"outcome\":\"exactMatch\",\"sourceId\":\"ti_cif3-28549810-3b39-11ec-ae50-2fdf1e96c6a6\"},\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"85ad73b3-3b76-49f1-ad20-6256b58918f8\":{\"columnOrder\":[\"289bd005-bdd2-4f3b-83b9-ad6ae52a9ed3\"],\"columns\":{\"289bd005-bdd2-4f3b-83b9-ad6ae52a9ed3\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Unique SHA1\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"threat.indicator.file.hash.sha1\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"289bd005-bdd2-4f3b-83b9-ad6ae52a9ed3\",\"layerId\":\"85ad73b3-3b76-49f1-ad20-6256b58918f8\",\"layerType\":\"data\",\"size\":\"xl\",\"textAlign\":\"center\",\"titlePosition\":\"bottom\"}},\"title\":\"Unique SHA1 [CIFv3]\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":8,\"i\":\"e9b6f0ad-5e6b-44da-923e-dc0d5ccfdfea\",\"w\":6,\"x\":7,\"y\":8},\"panelIndex\":\"e9b6f0ad-5e6b-44da-923e-dc0d5ccfdfea\",\"title\":\"Unique SHA1 [Logs 
CIFv3]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-331e77de-53be-48a4-8793-3fe9a23b22b1\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"331e77de-53be-48a4-8793-3fe9a23b22b1\":{\"columnOrder\":[\"428df405-7955-4c10-94c1-0791e75aed8f\"],\"columns\":{\"428df405-7955-4c10-94c1-0791e75aed8f\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Unique SHA512\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"threat.indicator.file.hash.sha512\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"428df405-7955-4c10-94c1-0791e75aed8f\",\"layerId\":\"331e77de-53be-48a4-8793-3fe9a23b22b1\",\"layerType\":\"data\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":8,\"i\":\"cb4ca769-08b2-4570-8a30-27cff9b77093\",\"w\":6,\"x\":13,\"y\":8},\"panelIndex\":\"cb4ca769-08b2-4570-8a30-27cff9b77093\",\"title\":\"Unique SHA512 [Logs CIFv3]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-4c3ad4e3-46af-447e-a4ce-dab516c52797\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"4c3ad4e3-46af-447e-a4ce-dab516c52797\":{\"columnOrder\":[\"181798f7-2b90-44e1-b76a-2f17b7210690\"],\"columns\":{\"181798f7-2b90-44e1-b76a-2f17b7210690\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Unique 
IMPHASH\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"threat.indicator.file.pe.imphash\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"181798f7-2b90-44e1-b76a-2f17b7210690\",\"layerId\":\"4c3ad4e3-46af-447e-a4ce-dab516c52797\",\"layerType\":\"data\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":8,\"i\":\"823f92b7-a2ff-4883-aad1-28d3652371fe\",\"w\":6,\"x\":19,\"y\":8},\"panelIndex\":\"823f92b7-a2ff-4883-aad1-28d3652371fe\",\"title\":\"Unique IMPHASH [Logs CIFv3]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"}]", - "timeRestore": false, - "title": "[Logs CIFv3] Files", - "version": 1 - }, - "coreMigrationVersion": "8.0.0", - "id": "ti_cif3-63a0e470-0a30-11ed-bcc0-01c79f2670f3", - "migrationVersion": { - "dashboard": "8.0.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "4d3e11dc-c4cc-4373-bb83-3d39fe6ffa98:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "4d3e11dc-c4cc-4373-bb83-3d39fe6ffa98:indexpattern-datasource-layer-b83c382d-fab9-4e60-a632-475e221cc20c", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "93e32abe-87e3-469e-b7e9-a7ef7dfa2cce:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "93e32abe-87e3-469e-b7e9-a7ef7dfa2cce:indexpattern-datasource-layer-49b7070a-f1d3-46e1-a980-2f6d6d130167", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "703fd39c-9642-4c7d-93c8-056f019acf42:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - 
- },
- {
- "id": "logs-*",
- "name": "703fd39c-9642-4c7d-93c8-056f019acf42:indexpattern-datasource-layer-2825d170-daeb-4a6d-9d8f-8fda4dccffcc",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "9717eae1-9937-41e7-bad1-e9ce43d06723:indexpattern-datasource-current-indexpattern",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "9717eae1-9937-41e7-bad1-e9ce43d06723:indexpattern-datasource-layer-ace6c894-6dac-441d-b0db-3e246db99579",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "e9b6f0ad-5e6b-44da-923e-dc0d5ccfdfea:indexpattern-datasource-current-indexpattern",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "e9b6f0ad-5e6b-44da-923e-dc0d5ccfdfea:indexpattern-datasource-layer-85ad73b3-3b76-49f1-ad20-6256b58918f8",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "cb4ca769-08b2-4570-8a30-27cff9b77093:indexpattern-datasource-current-indexpattern",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "cb4ca769-08b2-4570-8a30-27cff9b77093:indexpattern-datasource-layer-331e77de-53be-48a4-8793-3fe9a23b22b1",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "823f92b7-a2ff-4883-aad1-28d3652371fe:indexpattern-datasource-current-indexpattern",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "823f92b7-a2ff-4883-aad1-28d3652371fe:indexpattern-datasource-layer-4c3ad4e3-46af-447e-a4ce-dab516c52797",
- "type": "index-pattern"
- },
- {
- "id": "ti_cif3-ec8c3e30-0c59-11ed-9b65-435777f1d8a1",
- "name": "tag-ti_cif3-ec8c3e30-0c59-11ed-9b65-435777f1d8a1",
- "type": "tag"
- }
- ],
- "type": "dashboard"
-}
\ No newline at end of file
diff --git a/packages/ti_cif3/0.2.2/kibana/dashboard/ti_cif3-aedada10-0ab5-11ed-bcc0-01c79f2670f3.json b/packages/ti_cif3/0.2.2/kibana/dashboard/ti_cif3-aedada10-0ab5-11ed-bcc0-01c79f2670f3.json
deleted file mode 100755
index 3e594dc91a..0000000000
--- a/packages/ti_cif3/0.2.2/kibana/dashboard/ti_cif3-aedada10-0ab5-11ed-bcc0-01c79f2670f3.json
+++ /dev/null
@@ -1,122 +0,0 @@ -{ - "attributes": { - "description": "Dashboard providing statistics about IP type indicators from the Collective Intelligence Framework v3 integration", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"threat.indicator.type\",\"negate\":false,\"params\":[\"ipv6-addr\",\"ipv4-addr\"],\"type\":\"phrases\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"threat.indicator.type\":\"ipv6-addr\"}},{\"match_phrase\":{\"threat.indicator.type\":\"ipv4-addr\"}}]}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"ti_cif3.feed\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"ti_cif3.feed\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":true,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"id\":\"\",\"params\":{\"fontSize\":12,\"markdown\":\"**Navigation**\\n\\n[CIFv3 Overview](/app/dashboards#/view/ti_cif3-b4d9d9b0-0a2f-11ed-bcc0-01c79f2670f3) \\n[CIFv3 Emails](/app/dashboards#/view/ti_cif3-bda23600-0abb-11ed-bcc0-01c79f2670f3) \\n[CIFv3 Files](/app/dashboards#/view/ti_cif3-63a0e470-0a30-11ed-bcc0-01c79f2670f3) \\n[CIFv3 FQDNs](/app/dashboards#/view/ti_cif3-6005a190-0aba-11ed-bcc0-01c79f2670f3) \\n**[CIFv3 IPs(This Page)](/app/dashboards#/view/ti_cif3-aedada10-0ab5-11ed-bcc0-01c79f2670f3)** \\n[CIFv3 
URLs](/app/dashboards#/view/ti_cif3-fef149c0-0a2f-11ed-bcc0-01c79f2670f3) \\n\\n[Integrations Page](/app/integrations/detail/ti_cif3/overview)\\n\\n\\n**Overview**\\n\\nThis dashboard is an overview of the different threat intelligence indicators with a **threat.indicator.type: ipv4-addr OR ipv6-addr**. \\n\\nThe dashboard is made to provide general statistics and show the health of your indicators like prevalent ASNs, GeoIP regions, statistics about how many unique indicators are ingested, and other relevant information.\",\"openLinksInNewTab\":false},\"title\":\"\",\"type\":\"markdown\",\"uiState\":{}}},\"gridData\":{\"h\":39,\"i\":\"4c3ed6e1-8b4e-4eab-8d84-70ed4f506216\",\"w\":7,\"x\":0,\"y\":0},\"panelIndex\":\"4c3ed6e1-8b4e-4eab-8d84-70ed4f506216\",\"title\":\"Files Navigation Textbox [Logs CIFv3]\",\"type\":\"visualization\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-79edd9a4-1178-4294-94df-5d4b145d0e40\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"79edd9a4-1178-4294-94df-5d4b145d0e40\":{\"columnOrder\":[\"d1ce22a5-8010-4830-8c61-e8da8c2b2d11\"],\"columns\":{\"d1ce22a5-8010-4830-8c61-e8da8c2b2d11\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Unique 
IPs\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"threat.indicator.ip\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"d1ce22a5-8010-4830-8c61-e8da8c2b2d11\",\"layerId\":\"79edd9a4-1178-4294-94df-5d4b145d0e40\",\"layerType\":\"data\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":8,\"i\":\"7725b9bd-df8d-491c-a518-fe00a4538ebc\",\"w\":5,\"x\":7,\"y\":0},\"panelIndex\":\"7725b9bd-df8d-491c-a518-fe00a4538ebc\",\"title\":\"Unique IPs [Logs CIFv3]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-e8210fab-252e-4357-82f5-c8fc55fe2057\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"e8210fab-252e-4357-82f5-c8fc55fe2057\":{\"columnOrder\":[\"937cc845-c2e1-412a-b419-97c9d8076bee\"],\"columns\":{\"937cc845-c2e1-412a-b419-97c9d8076bee\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Unique ASNs\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"threat.indicator.as.number\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"937cc845-c2e1-412a-b419-97c9d8076bee\",\"layerId\":\"e8210fab-252e-4357-82f5-c8fc55fe2057\",\"layerType\":\"data\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":8,\"i\":\"329518f4-c5f9-42b0-b396-85ffcbb8cda3\",\"w\":5,\"x\":12,\"y\":0},\"panelIndex\":\"329518f4-c5f9-42b0-b396-85ffcbb8cda3\",\"title\":\"Unique ASNs [Logs 
CIFv3]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-864ef66d-9195-45a5-9dcd-916bcac76fd1\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"864ef66d-9195-45a5-9dcd-916bcac76fd1\":{\"columnOrder\":[\"d8bba7bc-4a82-40c3-a858-e92244ef476c\",\"1c86e415-dcb9-49ae-aa85-e4c7c0ddffd7\"],\"columns\":{\"1c86e415-dcb9-49ae-aa85-e4c7c0ddffd7\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"d8bba7bc-4a82-40c3-a858-e92244ef476c\":{\"dataType\":\"number\",\"isBucketed\":true,\"label\":\"Top values of threat.indicator.as.number\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"1c86e415-dcb9-49ae-aa85-e4c7c0ddffd7\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"threat.indicator.as.number\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"d8bba7bc-4a82-40c3-a858-e92244ef476c\"],\"layerId\":\"864ef66d-9195-45a5-9dcd-916bcac76fd1\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"1c86e415-dcb9-49ae-aa85-e4c7c0ddffd7\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"treemap\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"c651f85b-26e4-481e-91ff-39267e540183\",\"w\":21,\"x\":17,\"y\":0},\"panelIndex\":\"c651f85b-26e4-481e-91ff-39267e540183\",\"title\":\"Most Prevalent ASNs [Logs 
CIFv3]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-b3600118-bbef-4f41-b472-c08e802518c3\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"b3600118-bbef-4f41-b472-c08e802518c3\":{\"columnOrder\":[\"deabebaa-8bfa-4b99-8996-5dd59ecd37ca\",\"a9e4b58d-6503-4645-bc9b-69aede4b3a4c\"],\"columns\":{\"a9e4b58d-6503-4645-bc9b-69aede4b3a4c\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"deabebaa-8bfa-4b99-8996-5dd59ecd37ca\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Country Code\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"a9e4b58d-6503-4645-bc9b-69aede4b3a4c\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":15},\"scale\":\"ordinal\",\"sourceField\":\"threat.indicator.geo.country_iso_code\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"columns\":[{\"columnId\":\"deabebaa-8bfa-4b99-8996-5dd59ecd37ca\",\"isTransposed\":false},{\"columnId\":\"a9e4b58d-6503-4645-bc9b-69aede4b3a4c\",\"isTransposed\":false}],\"layerId\":\"b3600118-bbef-4f41-b472-c08e802518c3\",\"layerType\":\"data\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsDatatable\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"aea51b8a-0962-4b21-aa7e-7c599f0f45a4\",\"w\":10,\"x\":38,\"y\":0},\"panelIndex\":\"aea51b8a-0962-4b21-aa7e-7c599f0f45a4\",\"title\":\"Most Common Countries [Logs 
CIFv3]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-da912e35-7510-42a6-b546-8d10a33b6546\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"da912e35-7510-42a6-b546-8d10a33b6546\":{\"columnOrder\":[\"989df1d6-f18f-4874-8601-9e7741935cc8\",\"f60fc28d-e739-46a2-a0ce-1340df8f7249\"],\"columns\":{\"989df1d6-f18f-4874-8601-9e7741935cc8\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of threat.indicator.type\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"f60fc28d-e739-46a2-a0ce-1340df8f7249\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"size\":2},\"scale\":\"ordinal\",\"sourceField\":\"threat.indicator.type\"},\"f60fc28d-e739-46a2-a0ce-1340df8f7249\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Unique count of threat.indicator.ip\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"threat.indicator.ip\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"989df1d6-f18f-4874-8601-9e7741935cc8\"],\"layerId\":\"da912e35-7510-42a6-b546-8d10a33b6546\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"f60fc28d-e739-46a2-a0ce-1340df8f7249\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"donut\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":7,\"i\":\"1536f4f2-41d6-4fd0-b6c4-3650a2b5f92d\",\"w\":10,\"x\":7,\"y\":8},\"panelIndex\":\"1536f4f2-41d6-4fd0-b6c4-3650a2b5f92d\",\"title\":\"Percentage of IP Type [Logs 
CIFv3]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"description\":\"\",\"layerListJSON\":\"[{\\\"sourceDescriptor\\\":{\\\"type\\\":\\\"EMS_TMS\\\",\\\"isAutoSelect\\\":true,\\\"lightModeDefault\\\":\\\"road_map_desaturated\\\"},\\\"id\\\":\\\"3df0f38b-db9e-451e-bb01-5a27226075df\\\",\\\"label\\\":null,\\\"minZoom\\\":0,\\\"maxZoom\\\":24,\\\"alpha\\\":1,\\\"visible\\\":true,\\\"style\\\":{\\\"type\\\":\\\"TILE\\\"},\\\"includeInFitToBounds\\\":true,\\\"type\\\":\\\"VECTOR_TILE\\\"},{\\\"sourceDescriptor\\\":{\\\"indexPatternId\\\":\\\"logs-*\\\",\\\"geoField\\\":\\\"threat.indicator.geo.location\\\",\\\"filterByMapBounds\\\":true,\\\"scalingType\\\":\\\"MVT\\\",\\\"id\\\":\\\"13a0c980-6195-4e3e-8506-b383ab8866c2\\\",\\\"type\\\":\\\"ES_SEARCH\\\",\\\"applyGlobalQuery\\\":true,\\\"applyGlobalTime\\\":true,\\\"applyForceRefresh\\\":true,\\\"tooltipProperties\\\":[],\\\"sortField\\\":\\\"\\\",\\\"sortOrder\\\":\\\"desc\\\",\\\"topHitsSplitField\\\":\\\"\\\",\\\"topHitsSize\\\":1},\\\"id\\\":\\\"0a0a1a3e-d002-47b0-a99a-03eb965b8bc4\\\",\\\"label\\\":null,\\\"minZoom\\\":0,\\\"maxZoom\\\":24,\\\"alpha\\\":0.75,\\\"visible\\\":true,\\\"style\\\":{\\\"type\\\":\\\"VECTOR\\\",\\\"properties\\\":{\\\"icon\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"value\\\":\\\"marker\\\"}},\\\"fillColor\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"color\\\":\\\"#ea7861\\\"}},\\\"lineColor\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"color\\\":\\\"#e05235\\\"}},\\\"lineWidth\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"size\\\":1}},\\\"iconSize\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"size\\\":6}},\\\"iconOrientation\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"orientation\\\":0}},\\\"labelText\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"value\\\":\\\"\\\"}},\\\"labelColor\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"color\\\":\\\"#000000\\\"}},\\\"labelSize\\\":{\\
\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"size\\\":14}},\\\"labelBorderColor\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"color\\\":\\\"#FFFFFF\\\"}},\\\"symbolizeAs\\\":{\\\"options\\\":{\\\"value\\\":\\\"circle\\\"}},\\\"labelBorderSize\\\":{\\\"options\\\":{\\\"size\\\":\\\"SMALL\\\"}}},\\\"isTimeAware\\\":true},\\\"includeInFitToBounds\\\":true,\\\"type\\\":\\\"TILED_VECTOR\\\",\\\"joins\\\":[]}]\",\"mapStateJSON\":\"{\\\"zoom\\\":1.14,\\\"center\\\":{\\\"lon\\\":0,\\\"lat\\\":19.94277},\\\"timeFilters\\\":{\\\"from\\\":\\\"now-75m\\\",\\\"to\\\":\\\"now\\\"},\\\"refreshConfig\\\":{\\\"isPaused\\\":true,\\\"interval\\\":0},\\\"query\\\":{\\\"query\\\":\\\"\\\",\\\"language\\\":\\\"kuery\\\"},\\\"filters\\\":[],\\\"settings\\\":{\\\"autoFitToDataBounds\\\":false,\\\"backgroundColor\\\":\\\"#ffffff\\\",\\\"disableInteractive\\\":false,\\\"disableTooltipControl\\\":false,\\\"hideToolbarOverlay\\\":false,\\\"hideLayerControl\\\":false,\\\"hideViewControl\\\":false,\\\"initialLocation\\\":\\\"LAST_SAVED_LOCATION\\\",\\\"fixedLocation\\\":{\\\"lat\\\":0,\\\"lon\\\":0,\\\"zoom\\\":2},\\\"browserLocation\\\":{\\\"zoom\\\":2},\\\"maxZoom\\\":24,\\\"minZoom\\\":0,\\\"showScaleControl\\\":false,\\\"showSpatialFilters\\\":true,\\\"showTimesliderToggleButton\\\":true,\\\"spatialFiltersAlpa\\\":0.3,\\\"spatialFiltersFillColor\\\":\\\"#DA8B45\\\",\\\"spatialFiltersLineColor\\\":\\\"#DA8B45\\\"}}\",\"title\":\"\",\"uiStateJSON\":\"{\\\"isLayerTOCOpen\\\":false,\\\"openTOCDetails\\\":[]}\"},\"enhancements\":{},\"hiddenLayers\":[],\"hidePanelTitles\":false,\"isLayerTOCOpen\":false,\"mapBuffer\":{\"maxLat\":85.05113,\"maxLon\":360,\"minLat\":-85.05113,\"minLon\":-360},\"mapCenter\":{\"lat\":26.16939,\"lon\":14.00125,\"zoom\":0.49},\"openTOCDetails\":[]},\"gridData\":{\"h\":14,\"i\":\"ad624736-f1dd-4d77-8517-680e7bc4b882\",\"w\":23,\"x\":7,\"y\":15},\"panelIndex\":\"ad624736-f1dd-4d77-8517-680e7bc4b882\",\"title\":\"IP Source Location [Logs 
CIFv3]\",\"type\":\"map\",\"version\":\"8.0.0-SNAPSHOT\"}]", - "timeRestore": false, - "title": "[Logs CIFv3] IPs", - "version": 1 - }, - "coreMigrationVersion": "8.0.0", - "id": "ti_cif3-aedada10-0ab5-11ed-bcc0-01c79f2670f3", - "migrationVersion": { - "dashboard": "8.0.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "7725b9bd-df8d-491c-a518-fe00a4538ebc:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "7725b9bd-df8d-491c-a518-fe00a4538ebc:indexpattern-datasource-layer-79edd9a4-1178-4294-94df-5d4b145d0e40", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "329518f4-c5f9-42b0-b396-85ffcbb8cda3:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "329518f4-c5f9-42b0-b396-85ffcbb8cda3:indexpattern-datasource-layer-e8210fab-252e-4357-82f5-c8fc55fe2057", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "c651f85b-26e4-481e-91ff-39267e540183:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "c651f85b-26e4-481e-91ff-39267e540183:indexpattern-datasource-layer-864ef66d-9195-45a5-9dcd-916bcac76fd1", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "aea51b8a-0962-4b21-aa7e-7c599f0f45a4:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "aea51b8a-0962-4b21-aa7e-7c599f0f45a4:indexpattern-datasource-layer-b3600118-bbef-4f41-b472-c08e802518c3", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "1536f4f2-41d6-4fd0-b6c4-3650a2b5f92d:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - 
"name": "1536f4f2-41d6-4fd0-b6c4-3650a2b5f92d:indexpattern-datasource-layer-da912e35-7510-42a6-b546-8d10a33b6546", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "ad624736-f1dd-4d77-8517-680e7bc4b882:layer_1_source_index_pattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "ab7ab31c-e76f-4613-b17d-fdd909f17e0d:indexpattern-datasource-layer-0f63318a-a857-4d83-89ce-a94e2242b79e", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "02f1732b-a981-4fba-8b27-b944f2f3c98c:indexpattern-datasource-layer-c94400ee-a135-4a99-9693-5879d29f7aad", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "fda93ed1-72f0-4489-80b7-9e69d14f30aa:indexpattern-datasource-layer-9fa49c4c-5544-472d-afce-e51d6a5687fe", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "73a752f9-bde5-4396-8ede-e9e77a37182d:indexpattern-datasource-layer-a6fa56f8-32fa-405d-8771-dade4fe75d62", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "8994501a-1550-4cf2-857f-d6b6491ffb62:indexpattern-datasource-layer-db89074c-e1fe-4091-bdb1-e42a36e82bac", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "c7c6e8dc-b649-434c-9650-8a1564d4d676:indexpattern-datasource-layer-88a112e1-6da1-49d3-9177-19f98280c200", - "type": "index-pattern" - }, - { - "id": "ti_cif3-ec8c3e30-0c59-11ed-9b65-435777f1d8a1", - "name": "tag-ti_cif3-ec8c3e30-0c59-11ed-9b65-435777f1d8a1", - "type": "tag" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/ti_cif3/0.2.2/kibana/dashboard/ti_cif3-b4d9d9b0-0a2f-11ed-bcc0-01c79f2670f3.json b/packages/ti_cif3/0.2.2/kibana/dashboard/ti_cif3-b4d9d9b0-0a2f-11ed-bcc0-01c79f2670f3.json deleted file mode 100755 index 2fe7bc6819..0000000000 --- a/packages/ti_cif3/0.2.2/kibana/dashboard/ti_cif3-b4d9d9b0-0a2f-11ed-bcc0-01c79f2670f3.json +++ /dev/null 
@@ -1,107 +0,0 @@ -{ - "attributes": { - "description": "Dashboard providing statistics about indicators ingested from the Collective Intelligence Framework v3 integration", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.kind\",\"negate\":false,\"params\":{\"query\":\"enrichment\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"event.kind\":\"enrichment\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"ti_cif3.feed\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"ti_cif3.feed\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":true,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"fontSize\":12,\"markdown\":\"**Navigation**\\n\\n**[CIFv3 (This Page)](/app/dashboards#/view/ti_cif3-b4d9d9b0-0a2f-11ed-bcc0-01c79f2670f3)** \\n[CIFv3 Emails](/app/dashboards#/view/ti_cif3-bda23600-0abb-11ed-bcc0-01c79f2670f3) \\n[CIFv3 Files](/app/dashboards#/view/ti_cif3-63a0e470-0a30-11ed-bcc0-01c79f2670f3) \\n[CIFv3 FQDNs](/app/dashboards#/view/ti_cif3-6005a190-0aba-11ed-bcc0-01c79f2670f3) \\n[CIFv3 IPs](/app/dashboards#/view/ti_cif3-aedada10-0ab5-11ed-bcc0-01c79f2670f3) \\n[CIFv3 URLs](/app/dashboards#/view/ti_cif3-fef149c0-0a2f-11ed-bcc0-01c79f2670f3) \\n\\n[Integrations Page](/app/integrations/detail/ti_cif3/overview)\\n\\n\\n**Overview**\\n\\nThis dashboard is a health 
overview related to the Collective Intelligence Framework v3 integration.\\n\\nThe dashboard is made to provide general statistics and show the health of the ingestion of indicators from a CIFv3 instance. \\n\\nThe ingestion rates (by default it fetches new updates every 60 minutes) and provides a few filters for drilling down to specific indicator types retrieved from the CIFv3 instance.\",\"openLinksInNewTab\":false},\"title\":\"Overview Textbox [CIFv3]\",\"type\":\"markdown\",\"uiState\":{}}},\"gridData\":{\"h\":31,\"i\":\"555e9e6c-04e9-4022-b6df-bda07dde30c4\",\"w\":7,\"x\":0,\"y\":0},\"panelIndex\":\"555e9e6c-04e9-4022-b6df-bda07dde30c4\",\"title\":\"Overview Textbox [Logs CIFv3]\",\"type\":\"visualization\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.dataset\",\"negate\":false,\"params\":[\"ti_cif3.feed\"],\"type\":\"phrases\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.dataset\":\"ti_cif3.feed\"}}]}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"event.kind\",\"negate\":false,\"params\":{\"query\":\"enrichment\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"event.kind\":\"enrichment\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"controls\":[{\"fieldName\":\"threat.indicator.provider\",\"id\":\"1635779603363\",\"indexPatternRefName\":\"control_e971fedd-6afd-4d03-93ac-d0c751acc254_0_index_pattern\",\"label\":\"Indicator 
Provider\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"},{\"fieldName\":\"threat.indicator.type\",\"id\":\"1635779625911\",\"indexPatternRefName\":\"control_e971fedd-6afd-4d03-93ac-d0c751acc254_1_index_pattern\",\"label\":\"Indicator Type\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"},{\"fieldName\":\"tags\",\"id\":\"1658691004225\",\"indexPatternRefName\":\"control_e971fedd-6afd-4d03-93ac-d0c751acc254_2_index_pattern\",\"label\":\"Indicator Tag\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"}],\"pinFilters\":false,\"updateFiltersOnChange\":false,\"useTimeFilter\":false},\"title\":\"Feed and Indicator Selector [CIFv3]\",\"type\":\"input_control_vis\",\"uiState\":{}}},\"gridData\":{\"h\":6,\"i\":\"e971fedd-6afd-4d03-93ac-d0c751acc254\",\"w\":41,\"x\":7,\"y\":0},\"panelIndex\":\"e971fedd-6afd-4d03-93ac-d0c751acc254\",\"title\":\"Feed and Indicator Selector [Logs 
CIFv3]\",\"type\":\"visualization\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-c1cee622-e3dd-4d6b-a28a-0fb19dc2c7b7\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"c1cee622-e3dd-4d6b-a28a-0fb19dc2c7b7\":{\"columnOrder\":[\"4d7ca99c-8a53-4a7f-96db-409251c0e391\",\"b7f07f7c-1477-4f83-95f5-ad5cdc3a314b\",\"0726d151-9edf-41cb-ab52-473ab27cf8b7\"],\"columns\":{\"0726d151-9edf-41cb-ab52-473ab27cf8b7\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"4d7ca99c-8a53-4a7f-96db-409251c0e391\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of event.dataset\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"0726d151-9edf-41cb-ab52-473ab27cf8b7\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"size\":3},\"scale\":\"ordinal\",\"sourceField\":\"event.dataset\"},\"b7f07f7c-1477-4f83-95f5-ad5cdc3a314b\":{\"dataType\":\"date\",\"isBucketed\":true,\"label\":\"@timestamp\",\"operationType\":\"date_histogram\",\"params\":{\"includeEmptyRows\":true,\"interval\":\"30s\"},\"scale\":\"interval\",\"sourceField\":\"@timestamp\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"curveType\":\"CURVE_MONOTONE_X\",\"fittingFunction\":\"Zero\",\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"layers\":[{\"accessors\":[\"0726d151-9edf-41cb-ab52-473ab27cf8b7\"],\"layerId\":\"c1cee622-e3dd-4d6b-a28a-0fb19dc2c7b7\",\"layerType\":\"data\",\"position\":\"top\",\"seriesType\":\"line\",\"showGridlines\":false,\"splitAccessor\":\"4d7ca99c-8a53-4a7f-96db-409251c0e391\",\"xAccessor\":\"b7f07f7c-1477-
4f83-95f5-ad5cdc3a314b\"}],\"legend\":{\"isInside\":false,\"isVisible\":true,\"legendSize\":\"auto\",\"position\":\"bottom\",\"shouldTruncate\":false,\"showSingleSeries\":true},\"preferredSeriesType\":\"line\",\"title\":\"Empty XY chart\",\"valueLabels\":\"hide\",\"valuesInLegend\":false,\"xTitle\":\"Date\",\"yLeftExtent\":{\"mode\":\"full\"},\"yRightExtent\":{\"mode\":\"full\"},\"yTitle\":\"Total Indicators\"}},\"title\":\"Indicators ingested per Datastream [Logs CIFv3]\",\"type\":\"lens\",\"visualizationType\":\"lnsXY\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":16,\"i\":\"aab4fac0-d39c-4521-aa9b-0a49d5938e9e\",\"w\":29,\"x\":7,\"y\":6},\"panelIndex\":\"aab4fac0-d39c-4521-aa9b-0a49d5938e9e\",\"title\":\"Indicators ingested per Datastream [Logs CIFv3]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-2c2ce8ee-a793-4242-aad4-06f3a8707b02\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"2c2ce8ee-a793-4242-aad4-06f3a8707b02\":{\"columnOrder\":[\"1d9b6fbf-58e3-427e-a453-edec40466320\",\"b6cbd44b-6f5d-4e1e-b1ab-0c09b3a67111\"],\"columns\":{\"1d9b6fbf-58e3-427e-a453-edec40466320\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of threat.indicator.type\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"b6cbd44b-6f5d-4e1e-b1ab-0c09b3a67111\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"threat.indicator.type\"},\"b6cbd44b-6f5d-4e1e-b1ab-0c09b3a67111\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of 
records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"1d9b6fbf-58e3-427e-a453-edec40466320\"],\"layerId\":\"2c2ce8ee-a793-4242-aad4-06f3a8707b02\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"b6cbd44b-6f5d-4e1e-b1ab-0c09b3a67111\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"donut\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":8,\"i\":\"c446ea70-8a63-418e-8997-e43a5f7c5b5d\",\"w\":12,\"x\":36,\"y\":6},\"panelIndex\":\"c446ea70-8a63-418e-8997-e43a5f7c5b5d\",\"title\":\"Total Percentage by Type [Logs CIFv3]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"description\":\"\",\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-070f5dbc-7687-4e97-9a57-5542b401c13f\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"070f5dbc-7687-4e97-9a57-5542b401c13f\":{\"columnOrder\":[\"1e352b49-3b83-44a6-98fe-8703d30f2517\"],\"columns\":{\"1e352b49-3b83-44a6-98fe-8703d30f2517\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Total Indicators\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"1e352b49-3b83-44a6-98fe-8703d30f2517\",\"layerId\":\"070f5dbc-7687-4e97-9a57-5542b401c13f\",\"layerType\":\"data\",\"size\":\"xl\",\"textAlign\":\"center\",\"titlePosition\":\"bottom\"}},\"title\":\"Total Indicators [Logs 
CIFv3]\",\"type\":\"lens\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":8,\"i\":\"d37eb797-f273-43c2-9004-b947891cce55\",\"w\":6,\"x\":36,\"y\":14},\"panelIndex\":\"d37eb797-f273-43c2-9004-b947891cce55\",\"title\":\"Total Indicators [Logs CIFv3]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-df8e3a91-700b-428a-a763-525076e4d3c8\",\"type\":\"index-pattern\"}],\"sharingSavedObjectProps\":{\"outcome\":\"exactMatch\",\"sourceId\":\"ti_cif3-49830790-3b27-11ec-ae50-2fdf1e96c6a6\"},\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"df8e3a91-700b-428a-a763-525076e4d3c8\":{\"columnOrder\":[\"e4f78e2f-f0a7-4cc6-96d0-af607ffbf326\"],\"columns\":{\"e4f78e2f-f0a7-4cc6-96d0-af607ffbf326\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Total Datastreams\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"event.dataset\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"e4f78e2f-f0a7-4cc6-96d0-af607ffbf326\",\"layerId\":\"df8e3a91-700b-428a-a763-525076e4d3c8\",\"layerType\":\"data\",\"size\":\"xl\",\"textAlign\":\"center\",\"titlePosition\":\"bottom\"}},\"title\":\"Total Datastreams [Logs CIFv3]\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":8,\"i\":\"6509dcc9-bb9c-4c1f-80e9-612f67ada340\",\"w\":6,\"x\":42,\"y\":14},\"panelIndex\":\"6509dcc9-bb9c-4c1f-80e9-612f67ada340\",\"title\":\"Total Datastreams [Logs CIFv3]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"}]", - "timeRestore": false, - "title": "[Logs CIFv3] Overview", - "version": 1 - }, - "coreMigrationVersion": "8.0.0", - "id": 
"ti_cif3-b4d9d9b0-0a2f-11ed-bcc0-01c79f2670f3", - "migrationVersion": { - "dashboard": "8.0.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "e971fedd-6afd-4d03-93ac-d0c751acc254:kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "e971fedd-6afd-4d03-93ac-d0c751acc254:kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "e971fedd-6afd-4d03-93ac-d0c751acc254:control_e971fedd-6afd-4d03-93ac-d0c751acc254_0_index_pattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "e971fedd-6afd-4d03-93ac-d0c751acc254:control_e971fedd-6afd-4d03-93ac-d0c751acc254_1_index_pattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "e971fedd-6afd-4d03-93ac-d0c751acc254:control_e971fedd-6afd-4d03-93ac-d0c751acc254_2_index_pattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "aab4fac0-d39c-4521-aa9b-0a49d5938e9e:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "aab4fac0-d39c-4521-aa9b-0a49d5938e9e:indexpattern-datasource-layer-c1cee622-e3dd-4d6b-a28a-0fb19dc2c7b7", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "c446ea70-8a63-418e-8997-e43a5f7c5b5d:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "c446ea70-8a63-418e-8997-e43a5f7c5b5d:indexpattern-datasource-layer-2c2ce8ee-a793-4242-aad4-06f3a8707b02", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "d37eb797-f273-43c2-9004-b947891cce55:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - 
"name": "d37eb797-f273-43c2-9004-b947891cce55:indexpattern-datasource-layer-070f5dbc-7687-4e97-9a57-5542b401c13f", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "6509dcc9-bb9c-4c1f-80e9-612f67ada340:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "6509dcc9-bb9c-4c1f-80e9-612f67ada340:indexpattern-datasource-layer-df8e3a91-700b-428a-a763-525076e4d3c8", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "f654c447-12d2-41a4-9091-06169af11ba5:indexpattern-datasource-layer-682732d8-8691-4c5a-bf89-de8e30d71dfb", - "type": "index-pattern" - }, - { - "id": "ti_cif3-ec8c3e30-0c59-11ed-9b65-435777f1d8a1", - "name": "tag-ti_cif3-ec8c3e30-0c59-11ed-9b65-435777f1d8a1", - "type": "tag" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/ti_cif3/0.2.2/kibana/dashboard/ti_cif3-bda23600-0abb-11ed-bcc0-01c79f2670f3.json b/packages/ti_cif3/0.2.2/kibana/dashboard/ti_cif3-bda23600-0abb-11ed-bcc0-01c79f2670f3.json deleted file mode 100755 index fce7d83a02..0000000000 --- a/packages/ti_cif3/0.2.2/kibana/dashboard/ti_cif3-bda23600-0abb-11ed-bcc0-01c79f2670f3.json +++ /dev/null 
@@ -1,72 +0,0 @@ -{ - "attributes": { - "description": "Dashboard providing statistics about Email type indicators from the Collective Intelligence Framework v3 integration", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"threat.indicator.type\",\"negate\":false,\"params\":{\"query\":\"email-addr\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"threat.indicator.type\":\"email-addr\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"ti_cif3.feed\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"ti_cif3.feed\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":true,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"id\":\"\",\"params\":{\"fontSize\":12,\"markdown\":\"**Navigation**\\n\\n[CIFv3 Overview](/app/dashboards#/view/ti_cif3-b4d9d9b0-0a2f-11ed-bcc0-01c79f2670f3) \\n**[CIFv3 Emails (This Page)](/app/dashboards#/view/ti_cif3-bda23600-0abb-11ed-bcc0-01c79f2670f3)** \\n[CIFv3 Files](/app/dashboards#/view/ti_cif3-63a0e470-0a30-11ed-bcc0-01c79f2670f3) \\n[CIFv3 FQDNs](/app/dashboards#/view/ti_cif3-6005a190-0aba-11ed-bcc0-01c79f2670f3) \\n[CIFv3 IPs](/app/dashboards#/view/ti_cif3-aedada10-0ab5-11ed-bcc0-01c79f2670f3) \\n[CIFv3 URLs](/app/dashboards#/view/ti_cif3-fef149c0-0a2f-11ed-bcc0-01c79f2670f3) \\n\\n[Integrations 
Page](/app/integrations/detail/ti_cif3/overview)\\n\\n\\n**Overview**\\n\\nThis dashboard is an overview of the different threat intelligence indicators with a **threat.indicator.type: email-addr**. \\n\\nThe dashboard is made to provide general statistics and show the health of your indicators like popular domains, and statistics about how many unique indicators are ingested and other relevant information.\",\"openLinksInNewTab\":false},\"title\":\"\",\"type\":\"markdown\",\"uiState\":{}}},\"gridData\":{\"h\":39,\"i\":\"4c3ed6e1-8b4e-4eab-8d84-70ed4f506216\",\"w\":7,\"x\":0,\"y\":0},\"panelIndex\":\"4c3ed6e1-8b4e-4eab-8d84-70ed4f506216\",\"title\":\"Files Navigation Textbox [Logs CIFv3]\",\"type\":\"visualization\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-cd81a60b-2661-48b3-a40f-ba8451e802a6\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"cd81a60b-2661-48b3-a40f-ba8451e802a6\":{\"columnOrder\":[\"4f96463f-c5f9-448b-ab9e-7e17a2bd5969\"],\"columns\":{\"4f96463f-c5f9-448b-ab9e-7e17a2bd5969\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Unique 
Addresses\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"threat.indicator.email.address\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"4f96463f-c5f9-448b-ab9e-7e17a2bd5969\",\"layerId\":\"cd81a60b-2661-48b3-a40f-ba8451e802a6\",\"layerType\":\"data\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":8,\"i\":\"3a6a2852-0fb8-45df-9a79-e7729691fe5f\",\"w\":6,\"x\":7,\"y\":0},\"panelIndex\":\"3a6a2852-0fb8-45df-9a79-e7729691fe5f\",\"title\":\"Unique Addresses [Logs CIFv3]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-c94400ee-a135-4a99-9693-5879d29f7aad\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"c94400ee-a135-4a99-9693-5879d29f7aad\":{\"columnOrder\":[\"2934249f-fce5-4637-87ff-d2596d1b6ec5\"],\"columns\":{\"2934249f-fce5-4637-87ff-d2596d1b6ec5\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Unique 
Domains\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"threat.indicator.url.domain\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"2934249f-fce5-4637-87ff-d2596d1b6ec5\",\"layerId\":\"c94400ee-a135-4a99-9693-5879d29f7aad\",\"layerType\":\"data\",\"size\":\"xl\",\"textAlign\":\"center\",\"titlePosition\":\"bottom\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":8,\"i\":\"02f1732b-a981-4fba-8b27-b944f2f3c98c\",\"w\":6,\"x\":13,\"y\":0},\"panelIndex\":\"02f1732b-a981-4fba-8b27-b944f2f3c98c\",\"title\":\"Unique Domains [Logs CIFv3]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-db89074c-e1fe-4091-bdb1-e42a36e82bac\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"db89074c-e1fe-4091-bdb1-e42a36e82bac\":{\"columnOrder\":[\"b284ea2a-a2cd-4d08-bf44-fc73c08b5694\",\"7ca1ac0b-2060-4431-a4b9-ec470af4448c\"],\"columns\":{\"7ca1ac0b-2060-4431-a4b9-ec470af4448c\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"b284ea2a-a2cd-4d08-bf44-fc73c08b5694\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Domains\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"7ca1ac0b-2060-4431-a4b9-ec470af4448c\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"threat.indicator.url.domain\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"que
ry\":\"\"},\"visualization\":{\"columns\":[{\"columnId\":\"7ca1ac0b-2060-4431-a4b9-ec470af4448c\",\"isTransposed\":false},{\"columnId\":\"b284ea2a-a2cd-4d08-bf44-fc73c08b5694\",\"isTransposed\":false}],\"layerId\":\"db89074c-e1fe-4091-bdb1-e42a36e82bac\",\"layerType\":\"data\",\"rowHeight\":\"single\",\"rowHeightLines\":1}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsDatatable\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":16,\"i\":\"8994501a-1550-4cf2-857f-d6b6491ffb62\",\"w\":18,\"x\":19,\"y\":0},\"panelIndex\":\"8994501a-1550-4cf2-857f-d6b6491ffb62\",\"title\":\"Most Popular Domains [Logs CIFv3]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"}]", - "timeRestore": false, - "title": "[Logs CIFv3] Emails", - "version": 1 - }, - "coreMigrationVersion": "8.0.0", - "id": "ti_cif3-bda23600-0abb-11ed-bcc0-01c79f2670f3", - "migrationVersion": { - "dashboard": "8.0.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "3a6a2852-0fb8-45df-9a79-e7729691fe5f:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "3a6a2852-0fb8-45df-9a79-e7729691fe5f:indexpattern-datasource-layer-cd81a60b-2661-48b3-a40f-ba8451e802a6", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "02f1732b-a981-4fba-8b27-b944f2f3c98c:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "02f1732b-a981-4fba-8b27-b944f2f3c98c:indexpattern-datasource-layer-c94400ee-a135-4a99-9693-5879d29f7aad", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "8994501a-1550-4cf2-857f-d6b6491ffb62:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - 
"name": "8994501a-1550-4cf2-857f-d6b6491ffb62:indexpattern-datasource-layer-db89074c-e1fe-4091-bdb1-e42a36e82bac", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "c7c6e8dc-b649-434c-9650-8a1564d4d676:indexpattern-datasource-layer-88a112e1-6da1-49d3-9177-19f98280c200", - "type": "index-pattern" - }, - { - "id": "ti_cif3-ec8c3e30-0c59-11ed-9b65-435777f1d8a1", - "name": "tag-ti_cif3-ec8c3e30-0c59-11ed-9b65-435777f1d8a1", - "type": "tag" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/ti_cif3/0.2.2/kibana/dashboard/ti_cif3-fef149c0-0a2f-11ed-bcc0-01c79f2670f3.json b/packages/ti_cif3/0.2.2/kibana/dashboard/ti_cif3-fef149c0-0a2f-11ed-bcc0-01c79f2670f3.json deleted file mode 100755 index d29035b7c7..0000000000 --- a/packages/ti_cif3/0.2.2/kibana/dashboard/ti_cif3-fef149c0-0a2f-11ed-bcc0-01c79f2670f3.json +++ /dev/null 
@@ -1,102 +0,0 @@ -{ - "attributes": { - "description": "Dashboard providing statistics about URL type indicators from the Collective Intelligence Framework v3 integration", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"threat.indicator.type\",\"negate\":false,\"params\":{\"query\":\"url\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"threat.indicator.type\":\"url\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"ti_cif3.feed\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"ti_cif3.feed\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":true,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"id\":\"\",\"params\":{\"fontSize\":12,\"markdown\":\"**Navigation**\\n\\n[CIFv3 Overview](/app/dashboards#/view/ti_cif3-b4d9d9b0-0a2f-11ed-bcc0-01c79f2670f3) \\n[CIFv3 Emails](/app/dashboards#/view/ti_cif3-bda23600-0abb-11ed-bcc0-01c79f2670f3) \\n[CIFv3 Files](/app/dashboards#/view/ti_cif3-63a0e470-0a30-11ed-bcc0-01c79f2670f3) \\n[CIFv3 FQDNs](/app/dashboards#/view/ti_cif3-6005a190-0aba-11ed-bcc0-01c79f2670f3) \\n[CIFv3 IPs](/app/dashboards#/view/ti_cif3-aedada10-0ab5-11ed-bcc0-01c79f2670f3) \\n**[CIFv3 URLs (This Page)](/app/dashboards#/view/ti_cif3-fef149c0-0a2f-11ed-bcc0-01c79f2670f3)** \\n\\n[Integrations 
Page](/app/integrations/detail/ti_cif3/overview)\\n\\n\\n**Overview**\\n\\nThis dashboard is an overview of the different threat intelligence indicators with a **threat.indicator.type: url**. \\n\\nThe dashboard is made to provide general statistics and show the health of your indicators like popular domains, file extensions, statistics about how many unique indicators are ingested and other relevant information.\",\"openLinksInNewTab\":false},\"title\":\"\",\"type\":\"markdown\",\"uiState\":{}}},\"gridData\":{\"h\":39,\"i\":\"4c3ed6e1-8b4e-4eab-8d84-70ed4f506216\",\"w\":7,\"x\":0,\"y\":0},\"panelIndex\":\"4c3ed6e1-8b4e-4eab-8d84-70ed4f506216\",\"title\":\"Files Navigation Textbox [Logs CIFv3]\",\"type\":\"visualization\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-88a112e1-6da1-49d3-9177-19f98280c200\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"88a112e1-6da1-49d3-9177-19f98280c200\":{\"columnOrder\":[\"604f1693-15a6-437d-af69-03588db8e471\"],\"columns\":{\"604f1693-15a6-437d-af69-03588db8e471\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Unique 
Ports\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"threat.indicator.url.port\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"604f1693-15a6-437d-af69-03588db8e471\",\"layerId\":\"88a112e1-6da1-49d3-9177-19f98280c200\",\"layerType\":\"data\",\"size\":\"xl\",\"textAlign\":\"center\",\"titlePosition\":\"bottom\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":8,\"i\":\"c7c6e8dc-b649-434c-9650-8a1564d4d676\",\"w\":6,\"x\":7,\"y\":0},\"panelIndex\":\"c7c6e8dc-b649-434c-9650-8a1564d4d676\",\"title\":\"Unique Ports [Logs CIFv3]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-a6fa56f8-32fa-405d-8771-dade4fe75d62\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"a6fa56f8-32fa-405d-8771-dade4fe75d62\":{\"columnOrder\":[\"848c463b-bbc1-4b6a-af3e-76d844eb3cc5\"],\"columns\":{\"848c463b-bbc1-4b6a-af3e-76d844eb3cc5\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Unique 
Extensions\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"threat.indicator.url.extension\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"848c463b-bbc1-4b6a-af3e-76d844eb3cc5\",\"layerId\":\"a6fa56f8-32fa-405d-8771-dade4fe75d62\",\"layerType\":\"data\",\"size\":\"xl\",\"textAlign\":\"center\",\"titlePosition\":\"bottom\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":8,\"i\":\"73a752f9-bde5-4396-8ede-e9e77a37182d\",\"w\":6,\"x\":13,\"y\":0},\"panelIndex\":\"73a752f9-bde5-4396-8ede-e9e77a37182d\",\"title\":\"Unique File Extensions [Logs CIFv3]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-c94400ee-a135-4a99-9693-5879d29f7aad\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"c94400ee-a135-4a99-9693-5879d29f7aad\":{\"columnOrder\":[\"2934249f-fce5-4637-87ff-d2596d1b6ec5\"],\"columns\":{\"2934249f-fce5-4637-87ff-d2596d1b6ec5\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Unique 
Domains\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"threat.indicator.url.domain\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"2934249f-fce5-4637-87ff-d2596d1b6ec5\",\"layerId\":\"c94400ee-a135-4a99-9693-5879d29f7aad\",\"layerType\":\"data\",\"size\":\"xl\",\"textAlign\":\"center\",\"titlePosition\":\"bottom\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":8,\"i\":\"02f1732b-a981-4fba-8b27-b944f2f3c98c\",\"w\":6,\"x\":19,\"y\":0},\"panelIndex\":\"02f1732b-a981-4fba-8b27-b944f2f3c98c\",\"title\":\"Unique Domains [Logs CIFv3]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-0f63318a-a857-4d83-89ce-a94e2242b79e\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"0f63318a-a857-4d83-89ce-a94e2242b79e\":{\"columnOrder\":[\"df0791a6-247c-4434-a43a-fdea7577ca34\",\"77a48096-02aa-4b7a-8a7b-131fc38988bd\"],\"columns\":{\"77a48096-02aa-4b7a-8a7b-131fc38988bd\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"df0791a6-247c-4434-a43a-fdea7577ca34\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of 
threat.indicator.url.scheme\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"77a48096-02aa-4b7a-8a7b-131fc38988bd\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"threat.indicator.url.scheme\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"df0791a6-247c-4434-a43a-fdea7577ca34\"],\"layerId\":\"0f63318a-a857-4d83-89ce-a94e2242b79e\",\"layerType\":\"data\",\"legendDisplay\":\"show\",\"legendSize\":\"auto\",\"metric\":\"77a48096-02aa-4b7a-8a7b-131fc38988bd\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"donut\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":8,\"i\":\"ab7ab31c-e76f-4613-b17d-fdd909f17e0d\",\"w\":10,\"x\":25,\"y\":0},\"panelIndex\":\"ab7ab31c-e76f-4613-b17d-fdd909f17e0d\",\"title\":\"Percentage of URL Schema used [Logs 
CIFv3]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-db89074c-e1fe-4091-bdb1-e42a36e82bac\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"db89074c-e1fe-4091-bdb1-e42a36e82bac\":{\"columnOrder\":[\"b284ea2a-a2cd-4d08-bf44-fc73c08b5694\",\"7ca1ac0b-2060-4431-a4b9-ec470af4448c\"],\"columns\":{\"7ca1ac0b-2060-4431-a4b9-ec470af4448c\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"b284ea2a-a2cd-4d08-bf44-fc73c08b5694\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Domains\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"7ca1ac0b-2060-4431-a4b9-ec470af4448c\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"threat.indicator.url.domain\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"columns\":[{\"columnId\":\"7ca1ac0b-2060-4431-a4b9-ec470af4448c\",\"isTransposed\":false},{\"columnId\":\"b284ea2a-a2cd-4d08-bf44-fc73c08b5694\",\"isTransposed\":false}],\"layerId\":\"db89074c-e1fe-4091-bdb1-e42a36e82bac\",\"layerType\":\"data\",\"rowHeight\":\"single\",\"rowHeightLines\":1}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsDatatable\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":16,\"i\":\"8994501a-1550-4cf2-857f-d6b6491ffb62\",\"w\":13,\"x\":35,\"y\":0},\"panelIndex\":\"8994501a-1550-4cf2-857f-d6b6491ffb62\",\"title\":\"Most Popular Domains [Logs 
CIFv3]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-dfaa5b71-ed27-4602-9dbe-d263fd33aa05\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"dfaa5b71-ed27-4602-9dbe-d263fd33aa05\":{\"columnOrder\":[\"c00d8a88-7047-4fa4-b99f-7e8be1370b6f\",\"14f7e661-8382-4e25-a998-10c6c576255e\"],\"columns\":{\"14f7e661-8382-4e25-a998-10c6c576255e\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"c00d8a88-7047-4fa4-b99f-7e8be1370b6f\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of threat.indicator.url.extension\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"14f7e661-8382-4e25-a998-10c6c576255e\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"threat.indicator.url.extension\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"c00d8a88-7047-4fa4-b99f-7e8be1370b6f\"],\"layerId\":\"dfaa5b71-ed27-4602-9dbe-d263fd33aa05\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"14f7e661-8382-4e25-a998-10c6c576255e\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"treemap\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":8,\"i\":\"353bb92f-8375-4dc6-b961-9ed7f7509627\",\"w\":28,\"x\":7,\"y\":8},\"panelIndex\":\"353bb92f-8375-4dc6-b961-9ed7f7509627\",\"title\":\"Most Popular File Extensions [Logs 
CIFv3]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"}]", - "timeRestore": false, - "title": "[Logs CIFv3] URLs", - "version": 1 - }, - "coreMigrationVersion": "8.0.0", - "id": "ti_cif3-fef149c0-0a2f-11ed-bcc0-01c79f2670f3", - "migrationVersion": { - "dashboard": "8.0.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "c7c6e8dc-b649-434c-9650-8a1564d4d676:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "c7c6e8dc-b649-434c-9650-8a1564d4d676:indexpattern-datasource-layer-88a112e1-6da1-49d3-9177-19f98280c200", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "73a752f9-bde5-4396-8ede-e9e77a37182d:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "73a752f9-bde5-4396-8ede-e9e77a37182d:indexpattern-datasource-layer-a6fa56f8-32fa-405d-8771-dade4fe75d62", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "02f1732b-a981-4fba-8b27-b944f2f3c98c:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "02f1732b-a981-4fba-8b27-b944f2f3c98c:indexpattern-datasource-layer-c94400ee-a135-4a99-9693-5879d29f7aad", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "ab7ab31c-e76f-4613-b17d-fdd909f17e0d:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "ab7ab31c-e76f-4613-b17d-fdd909f17e0d:indexpattern-datasource-layer-0f63318a-a857-4d83-89ce-a94e2242b79e", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "8994501a-1550-4cf2-857f-d6b6491ffb62:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - 
"name": "8994501a-1550-4cf2-857f-d6b6491ffb62:indexpattern-datasource-layer-db89074c-e1fe-4091-bdb1-e42a36e82bac", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "353bb92f-8375-4dc6-b961-9ed7f7509627:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "353bb92f-8375-4dc6-b961-9ed7f7509627:indexpattern-datasource-layer-dfaa5b71-ed27-4602-9dbe-d263fd33aa05", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "fda93ed1-72f0-4489-80b7-9e69d14f30aa:indexpattern-datasource-layer-9fa49c4c-5544-472d-afce-e51d6a5687fe", - "type": "index-pattern" - }, - { - "id": "ti_cif3-ec8c3e30-0c59-11ed-9b65-435777f1d8a1", - "name": "tag-ti_cif3-ec8c3e30-0c59-11ed-9b65-435777f1d8a1", - "type": "tag" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/ti_cif3/0.2.2/kibana/tag/ti_cif3-ec8c3e30-0c59-11ed-9b65-435777f1d8a1.json.json b/packages/ti_cif3/0.2.2/kibana/tag/ti_cif3-ec8c3e30-0c59-11ed-9b65-435777f1d8a1.json.json deleted file mode 100755 index 5d464afed9..0000000000 --- a/packages/ti_cif3/0.2.2/kibana/tag/ti_cif3-ec8c3e30-0c59-11ed-9b65-435777f1d8a1.json.json +++ /dev/null @@ -1,14 +0,0 @@ -{ - "attributes": { - "color": "#01426A", - "description": "", - "name": "CIFv3" - }, - "coreMigrationVersion": "8.0.0", - "id": "ti_cif3-ec8c3e30-0c59-11ed-9b65-435777f1d8a1", - "migrationVersion": { - "tag": "8.0.0" - }, - "references": [], - "type": "tag" -} \ No newline at end of file diff --git a/packages/ti_cif3/0.2.2/manifest.yml b/packages/ti_cif3/0.2.2/manifest.yml deleted file mode 100755 index 694b7104bb..0000000000 --- a/packages/ti_cif3/0.2.2/manifest.yml +++ /dev/null 
@@ -1,43 +0,0 @@
-format_version: 1.0.0
-name: ti_cif3
-title: "Collective Intelligence Framework v3"
-version: 0.2.2
-release: beta
-license: basic
-description: "Ingest threat indicators from a Collective Intelligence Framework v3 instance with Elastic Agent."
-type: integration
-categories:
-  - security
-  - threat_intel
-conditions:
-  kibana.version: "^8.0.0"
-icons:
-  - src: /img/csg_logo_big.svg
-    title: csirtgadgets logo
-    size: 1047x748
-    type: image/svg+xml
-policy_templates:
-  - name: ti_cif3
-    title: Collective Intelligence Framework v3
-    description: Ingest threat indicators from a Collective Intelligence Framework v3 instance with Elastic Agent.
-    inputs:
-      - type: httpjson
-        title: Collect threat indicators via API
-        description: Ingest threat indicators from a Collective Intelligence Framework v3 instance with Elastic Agent.
-        vars:
-          - name: url
-            type: url
-            title: CIFv3 API base URL
-            multi: false
-            required: true
-            show_user: true
-            description: "Base URL for CIFv3 instance, e.g.: https://cif.yourdomain.tld"
-          - name: api_token
-            type: password
-            title: API Token
-            multi: false
-            required: true
-            show_user: true
-            description: The CIFv3 API read token
-owner:
-  github: elastic/security-external-integrations
diff --git a/packages/ti_misp/1.7.1/LICENSE.txt b/packages/ti_misp/1.7.1/LICENSE.txt
deleted file mode 100755
index 809108b857..0000000000
--- a/packages/ti_misp/1.7.1/LICENSE.txt
+++ /dev/null
@@ -1,93 +0,0 @@
-Elastic License 2.0
-
-URL: https://www.elastic.co/licensing/elastic-license
-
-## Acceptance
-
-By using the software, you agree to all of the terms and conditions below.
-
-## Copyright License
-
-The licensor grants you a non-exclusive, royalty-free, worldwide,
-non-sublicensable, non-transferable license to use, copy, distribute, make
-available, and prepare derivative works of the software, in each case subject to
-the limitations and conditions below.
-
-## Limitations
-
-You may not provide the software to third parties as a hosted or managed
-service, where the service provides users with access to any substantial set of
-the features or functionality of the software.
-
-You may not move, change, disable, or circumvent the license key functionality
-in the software, and you may not remove or obscure any functionality in the
-software that is protected by the license key.
-
-You may not alter, remove, or obscure any licensing, copyright, or other notices
-of the licensor in the software. Any use of the licensor’s trademarks is subject
-to applicable law.
-
-## Patents
-
-The licensor grants you a license, under any patent claims the licensor can
-license, or becomes able to license, to make, have made, use, sell, offer for
-sale, import and have imported the software, in each case subject to the
-limitations and conditions in this license. This license does not cover any
-patent claims that you cause to be infringed by modifications or additions to
-the software. If you or your company make any written claim that the software
-infringes or contributes to infringement of any patent, your patent license for
-the software granted under these terms ends immediately. If your company makes
-such a claim, your patent license ends immediately for work on behalf of your
-company.
-
-## Notices
-
-You must ensure that anyone who gets a copy of any part of the software from you
-also gets a copy of these terms.
-
-If you modify the software, you must include in any modified copies of the
-software prominent notices stating that you have modified the software.
-
-## No Other Rights
-
-These terms do not imply any licenses other than those expressly granted in
-these terms.
-
-## Termination
-
-If you use the software in violation of these terms, such use is not licensed,
-and your licenses will automatically terminate. If the licensor provides you
-with a notice of your violation, and you cease all violation of this license no
-later than 30 days after you receive that notice, your licenses will be
-reinstated retroactively. However, if you violate these terms after such
-reinstatement, any additional violation of these terms will cause your licenses
-to terminate automatically and permanently.
-
-## No Liability
-
-*As far as the law allows, the software comes as is, without any warranty or
-condition, and the licensor will not be liable to you for any damages arising
-out of these terms or the use or nature of the software, under any kind of
-legal claim.*
-
-## Definitions
-
-The **licensor** is the entity offering these terms, and the **software** is the
-software the licensor makes available under these terms, including any portion
-of it.
-
-**you** refers to the individual or entity agreeing to these terms.
-
-**your company** is any legal entity, sole proprietorship, or other kind of
-organization that you work for, plus all organizations that have control over,
-are under the control of, or are under common control with that
-organization. **control** means ownership of substantially all the assets of an
-entity, or the power to direct its management and policies by vote, contract, or
-otherwise. Control can be direct or indirect.
-
-**your licenses** are all the licenses granted to you for the software under
-these terms.
-
-**use** means anything you do with the software requiring one of your licenses.
-
-**trademark** means trademarks, service marks, and similar rights.
diff --git a/packages/ti_misp/1.7.1/changelog.yml b/packages/ti_misp/1.7.1/changelog.yml
deleted file mode 100755
index 016d13e262..0000000000
--- a/packages/ti_misp/1.7.1/changelog.yml
+++ /dev/null
@@ -1,81 +0,0 @@
-# newer versions go on top
-- version: "1.7.1"
- changes:
- - description: Remove duplicate field.
- type: bugfix
- link: https://github.com/elastic/integrations/issues/4327
-- version: "1.7.0"
- changes:
- - description: Update package to ECS 8.4.0
- type: enhancement
- link: https://github.com/elastic/integrations/pull/3923
-- version: "1.6.1"
- changes:
- - description: Fix proxy URL documentation rendering.
- type: bugfix
- link: https://github.com/elastic/integrations/pull/3881
-- version: "1.6.0"
- changes:
- - description: Update categories to include `threat_intel`.
- type: enhancement
- link: https://github.com/elastic/integrations/pull/3689
-- version: "1.5.0"
- changes:
- - description: Update package to ECS 8.3.0.
- type: enhancement
- link: https://github.com/elastic/integrations/pull/3353
-- version: "1.4.1"
- changes:
- - description: update readme to include link to MISP documentation
- type: enhancement
- link: https://github.com/elastic/integrations/pull/3168
-- version: "1.4.0"
- changes:
- - description: Fix pagination looping forever
- type: enhancement
- link: https://github.com/elastic/integrations/pull/3446
-- version: "1.3.1"
- changes:
- - description: Update package descriptions
- type: enhancement
- link: https://github.com/elastic/integrations/pull/3398
-- version: "1.3.0"
- changes:
- - description: Update to ECS 8.2
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2781
-- version: "1.2.2"
- changes:
- - description: Add mapping for event.created
- type: enhancement
- link: https://github.com/elastic/integrations/pull/3042
-- version: "1.2.1"
- changes:
- - description: Add documentation for multi-fields
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2916
-- version: "1.2.0"
- changes:
- - description: Update to ECS 8.0
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2448
-- version: "1.1.0"
- changes:
- - description: Adds dashboards and 
threat.feed ECS fields
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2485
-- version: "1.0.2"
- changes:
- - description: Change test public IPs to the supported subset
- type: bugfix
- link: https://github.com/elastic/integrations/pull/2327
-- version: "1.0.1"
- changes:
- - description: Bump minimum version
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2063
-- version: "1.0.0"
- changes:
- - description: Initial release
- type: enhancement
- link: https://github.com/elastic/integrations/pull/1946
diff --git a/packages/ti_misp/1.7.1/data_stream/threat/agent/stream/httpjson.yml.hbs b/packages/ti_misp/1.7.1/data_stream/threat/agent/stream/httpjson.yml.hbs
deleted file mode 100755
index 8172ba39f7..0000000000
--- a/packages/ti_misp/1.7.1/data_stream/threat/agent/stream/httpjson.yml.hbs
+++ /dev/null
@@ -1,75 +0,0 @@
-config_version: "2"
-interval: {{interval}}
-request.method: "POST"
-
-{{#if url}}
-request.url: {{url}}/events/restSearch
-{{/if}}
-{{#if ssl}}
-request.ssl: {{ssl}}
-{{/if}}
-{{#if http_client_timeout}}
-request.timeout: {{http_client_timeout}}
-{{/if}}
-{{#if proxy_url}}
-request.proxy_url: {{proxy_url}}
-{{/if}}
-request.body:
-{{#if filters}}
- {{filters}}
-{{/if}}
-request.transforms:
-{{#if api_token}}
-- set:
- target: header.Authorization
- value: {{api_token}}
-{{/if}}
-- set:
- target: body.page
- value: 1
-- set:
- target: body.limit
- value: 10
-- set:
- target: body.returnFormat
- value: json
-- set:
- target: body.timestamp
- value: '[[.cursor.timestamp]]'
- default: '[[ formatDate (now (parseDuration "-{{initial_interval}}")) "UnixDate" ]]'
-
-response.split:
- target: body.response
- split:
- target: body.Event.Attribute
- ignore_empty_value: true
- keep_parent: true
- split:
- target: body.Event.Object
- keep_parent: true
- split:
- target: body.Event.Object.Attribute
- keep_parent: true
-response.request_body_on_pagination: true
-response.pagination:
-- set:
- target: body.page
- value: '[[if (ne (len .last_response.body.response) 0)]][[add .last_response.page 1]][[end]]'
- fail_on_template_error: true
-cursor:
- timestamp:
- value: '[[.last_event.Event.timestamp]]'
-tags:
-{{#if preserve_original_event}}
- - preserve_original_event
-{{/if}}
-{{#each tags as |tag i|}}
- - {{tag}}
-{{/each}}
-{{#contains "forwarded" tags}}
-publisher_pipeline.disable_host: true
-{{/contains}}
-{{#if processors}}
-processors:
-{{processors}}
-{{/if}}
diff --git a/packages/ti_misp/1.7.1/data_stream/threat/elasticsearch/ingest_pipeline/default.yml b/packages/ti_misp/1.7.1/data_stream/threat/elasticsearch/ingest_pipeline/default.yml
deleted file mode 100755
index d5f868a2a8..0000000000
--- a/packages/ti_misp/1.7.1/data_stream/threat/elasticsearch/ingest_pipeline/default.yml
+++ /dev/null
@@ -1,379 +0,0 @@
----
-description: Pipeline for parsing MISP Threat Intel
-processors:
- ####################
- # Event ECS fields #
- ####################
- - set:
- field: ecs.version
- value: '8.4.0'
- - set:
- field: event.kind
- value: enrichment
- - set:
- field: event.category
- value: threat
- - set:
- field: event.type
- value: indicator
-
- ######################
- # General ECS fields #
- ######################
- - rename:
- field: message
- target_field: event.original
- ignore_missing: true
- - json:
- field: event.original
- target_field: json
- - fingerprint:
- fields:
- - json.Event.Attribute.uuid
- - json.Event.Object.Attribute.uuid
- target_field: "_id"
- ignore_missing: true
- - rename:
- field: json.Event
- target_field: misp
- ignore_missing: true
- - set:
- field: threat.indicator.provider
- value: misp
- if: ctx.misp?.Orgc?.local != 'false'
- - set:
- field: threat.indicator.provider
- value: "{{misp.Orgc.name}}"
- if: ctx.misp?.Orgc?.local == 'false'
- ignore_empty_value: true
-
- # Removing fields not needed anymore, either because its copied somewhere else, or is not relevant to this event
- - remove:
- field:
- - misp.ShadowAttribute
- - misp.RelatedEvent
- - misp.Galaxy
- - misp.Attribute.Galaxy
- - misp.Attribute.ShadowAttribute
- - misp.EventReport
- - misp.Object.Attribute.Galaxy
- - misp.Object.Attribute.ShadowAttribute
- ignore_missing: true
- - remove:
- field:
- - misp.Attribute
- ignore_missing: true
- if: ctx.misp?.Attribute.size() == 0
- - remove:
- field:
- - misp.Object
- ignore_missing: true
- if: ctx.misp?.Object.size() == 0
- - date:
- field: misp.timestamp
- formats:
- - UNIX
- ignore_failure: true
- - rename:
- field: misp.Attribute
- target_field: misp.attribute
- ignore_missing: true
- - rename:
- field: misp.Object
- target_field: misp.object
- ignore_missing: true
- - rename:
- field: misp.object.Attribute
- target_field: misp.object.attribute
- ignore_missing: true
- - rename:
- field: misp.Orgc
- target_field: 
misp.orgc
- ignore_missing: true
- - rename:
- field: misp.Org
- target_field: misp.org
- ignore_missing: true
- - rename:
- field: misp.Tag
- target_field: misp.tag
- ignore_missing: true
-
- # # Dance around issue of not being able to split the document into two.
- # # Make the Object.Attribute field primary if it exists, but keep the
- # # outer Attribute as context.
- - rename:
- field: misp.attribute
- target_field: misp.context.attribute
- ignore_missing: true
- if: ctx.misp?.object != null
- - rename:
- field: misp.object.attribute
- target_field: misp.attribute
- ignore_missing: true
- if: ctx.misp?.object != null
-
- #####################
- # Threat ECS Fields #
- #####################
- - set:
- field: threat.feed.name
- value: "MISP"
- - rename:
- field: misp.attribute.first_seen
- target_field: threat.indicator.first_seen
- ignore_missing: true
- - rename:
- field: misp.attribute.last_seen
- target_field: threat.indicator.last_seen
- ignore_missing: true
- - convert:
- field: misp.analysis
- type: long
- target_field: threat.indicator.scanner_stats
- ignore_missing: true
- - convert:
- field: misp.threat_level_id
- type: long
- ignore_missing: true
-
- ## File/Hash indicator operations
- - set:
- field: threat.indicator.type
- value: file
- if: "ctx.misp?.attribute?.type != null && (['md5', 'impfuzzy', 'imphash', 'pehash', 'sha1', 'sha224', 'sha256', 'sha3-224', 'sha3-256', 'sha3-384', 'sha3-512', 'sha384', 'sha512', 'sha512/224', 'sha512/256', 'ssdeep', 'tlsh', 'vhash'].contains(ctx.misp?.attribute?.type) || ctx.misp?.attribute?.type.startsWith('filename'))"
- - rename:
- field: misp.attribute.value
- target_field: "threat.indicator.file.hash.{{misp.attribute.type}}"
- ignore_missing: true
- if: "ctx.threat?.indicator?.type == 'file' && ctx.misp?.attribute?.type != null && !ctx.misp?.attribute?.type.startsWith('filename')"
- - rename:
- field: misp.attribute.value
- target_field: threat.indicator.file.name
- ignore_missing: true
- if: 
"ctx.threat?.indicator?.type == 'file' && ctx.misp?.attribute?.type == 'filename'"
- - grok:
- field: misp.attribute.type
- patterns:
- - "%{WORD}\\|%{WORD:_tmp.hashtype}"
- ignore_missing: true
- if: ctx.misp?.attribute?.type != null && ctx.misp?.attribute?.type.startsWith('filename|')
- - grok:
- field: misp.attribute.value
- patterns:
- - "%{DATA:threat.indicator.file.name}\\|%{GREEDYDATA:_tmp.hashvalue}"
- ignore_missing: true
- if: ctx.misp?.attribute?.type != null && ctx.misp?.attribute?.type.startsWith('filename|')
- - set:
- field: threat.indicator.file.hash.{{_tmp.hashtype}}
- value: "{{_tmp.hashvalue}}"
- if: "ctx.misp?.attribute?.type != null && ctx.misp?.attribute?.type.startsWith('filename|') && ctx?._tmp?.hashvalue != null && ctx?._tmp?.hashtype != null"
-
- ## URL/URI indicator operations
- - set:
- field: threat.indicator.type
- value: url
- if: "ctx.misp?.attribute?.type != null && ['url', 'link', 'uri'].contains(ctx.misp?.attribute?.type)"
- - uri_parts:
- field: misp.attribute.value
- target_field: threat.indicator.url
- keep_original: true
- remove_if_successful: true
- if: ctx.threat?.indicator?.type == 'url' && ctx.misp?.attribute?.type != 'uri'
- - set:
- field: threat.indicator.url.full
- value: "{{{threat.indicator.url.original}}}"
- ignore_empty_value: true
- if: "ctx.threat?.indicator?.type == 'url' && ctx.misp?.attribute?.type != 'uri'"
-
- ## Regkey indicator operations
- - set:
- field: threat.indicator.type
- value: windows-registry-key
- if: "ctx.misp?.attribute?.type != null && ctx.misp?.attribute?.type.startsWith('regkey')"
- - rename:
- field: misp.attribute.value
- target_field: threat.indicator.registry.key
- ignore_missing: true
- if: "ctx.threat?.indicator?.type == 'windows-registry-key' && ctx.misp?.attribute?.type == 'regkey'"
- - grok:
- field: misp.attribute.value
- patterns:
- - "%{DATA:threat.indicator.registry.key}\\|%{DATA:threat.indicator.registry.value}"
- ignore_missing: true
- if: "ctx.misp?.attribute?.type == 
'regkey|value'"
-
- ## AS indicator operations
- - set:
- field: threat.indicator.type
- value: autonomous-system
- if: "ctx.misp?.attribute?.type != null && ctx.misp?.attribute?.type == 'AS'"
- - convert:
- field: misp.attribute.value
- type: long
- target_field: threat.indicator.as.number
- ignore_missing: true
- if: ctx.threat?.indicator?.type == 'autonomous-system'
-
- ## Domain/IP/Port indicator operations
- - set:
- field: threat.indicator.type
- value: domain-name
- if: "ctx.misp?.attribute?.type != null && (ctx.misp?.attribute?.type == 'hostname' || ctx.misp?.attribute?.type.startsWith('domain'))"
- - set:
- field: threat.indicator.type
- value: ipv4-addr
- if: "ctx.misp?.attribute?.type != null && ['ip-src', 'ip-src|port', 'ip-dst', 'ip-dst|port'].contains(ctx.misp?.attribute?.type)"
- - rename:
- field: misp.attribute.value
- target_field: threat.indicator.url.domain
- ignore_missing: true
- if: "ctx.threat?.indicator?.type == 'domain-name' && ctx.misp?.attribute?.type != 'domain|ip' && ctx.threat?.indicator?.url?.domain == null"
- - rename:
- field: misp.attribute.value
- target_field: threat.indicator.ip
- ignore_missing: true
- if: "ctx.threat?.indicator?.type == 'ipv4-addr' && ctx.misp?.attribute?.type != 'domain|ip' && !['ip-src|port', 'ip-dst|port'].contains(ctx.misp?.attribute?.type)"
- - grok:
- field: misp.attribute.value
- patterns:
- - "%{DATA:threat.indicator.url.domain}\\|%{IP:threat.indicator.ip}"
- ignore_missing: true
- if: ctx.misp?.attribute?.type == 'domain|ip' && ctx.threat?.indicator?.url?.domain == null
- - grok:
- field: misp.attribute.value
- patterns:
- - "%{IP:threat.indicator.ip}\\|%{NUMBER:threat.indicator.port}"
- ignore_missing: true
- if: "['ip-src|port', 'ip-dst|port'].contains(ctx.misp?.attribute?.type)"
-
- ## Email indicator operations
- # Currently this ignores email-message, except setting the type it will leave the rest of the fields under misp. 
- - set:
- field: threat.indicator.type
- value: email-addr
- if: "ctx.misp?.attribute?.type != null && ['email-dst', 'email-src'].contains(ctx.misp?.attribute?.type)"
- - set:
- field: threat.indicator.type
- value: email-message
- if: "ctx.misp?.attribute?.type != null && ctx.misp?.attribute?.type.startsWith('email') && !['email-dst', 'email-src'].contains(ctx.misp?.attribute?.type)"
- - rename:
- field: misp.attribute.value
- target_field: threat.indicator.email.address
- ignore_missing: true
- if: ctx.threat?.indicator?.type == 'email-addr'
- - rename:
- field: misp.event_creator_email
- target_field: user.email
- ignore_missing: true
- - append:
- field: user.roles
- value: "reporting_user"
- if: ctx?.user?.email != null
-
- ## MAC Address indicator operations
- - set:
- field: threat.indicator.type
- value: mac-addr
- if: "ctx.misp?.attribute?.type != null && ['mac-address', 'mac-eui-64'].contains(ctx.misp?.attribute?.type)"
- - rename:
- field: misp.attribute.value
- target_field: threat.indicator.mac
- ignore_missing: true
- if: ctx.threat?.indicator?.type == 'mac-addr'
-
- ###################
- # Tags ECS fields #
- ###################
- # Stripping special characters from tags
- - script:
- lang: painless
- if: ctx.misp?.tag != null
- source: |
- def tags = ctx.misp.tag.stream()
- .map(t -> t.name.replace('\\', '').replace('"', ''))
- .collect(Collectors.toList());
- def tlpTags = tags.stream()
- .filter(t -> t.startsWith('tlp:'))
- .map(t -> t.replace('tlp:', '').toUpperCase())
- .collect(Collectors.toList());
-
- ctx.tags = tags;
- ctx.threat.indicator.marking = [ 'tlp': tlpTags ];
-
- #################
- # Convert types #
- #################
- - convert:
- field: misp.attribute.distribution
- type: long
- ignore_missing: true
- - convert:
- field: misp.context.attribute.distribution
- type: long
- ignore_missing: true
- - convert:
- field: threat.indicator.port
- type: long
- ignore_missing: true
- - convert:
- field: misp.attribute_count
- type: long 
- ignore_missing: true
-
- ######################
- # Cleanup processors #
- ######################
- - script:
- lang: painless
- if: ctx?.misp != null
- source: |
- void handleMap(Map map) {
- for (def x : map.values()) {
- if (x instanceof Map) {
- handleMap(x);
- } else if (x instanceof List) {
- handleList(x);
- }
- }
- map.values().removeIf(v -> v == null);
- }
- void handleList(List list) {
- for (def x : list) {
- if (x instanceof Map) {
- handleMap(x);
- } else if (x instanceof List) {
- handleList(x);
- }
- }
- }
- handleMap(ctx);
- # Removing fields not needed anymore, either because its copied somewhere else, or is not relevant to this event
- - remove:
- field:
- - misp.attribute.value
- ignore_missing: true
- if: ctx.threat?.indicator?.type != null
- - remove:
- field:
- # This removes a number of fields that may be wanted in the future when
- # misp.attribute and misp.object.attribute can
- # be separated. At the root of .object are fields that mirror fields at
- # the root of misp.
- - misp.object
- ignore_missing: true
- - remove:
- field:
- - misp.Attribute.timestamp
- - misp.timestamp
- - misp.tag
- - misp.org
- - misp.analysis
- - _tmp
- - json
- ignore_missing: true
-
-on_failure:
- - set:
- field: error.message
- value: "{{ _ingest.on_failure_message }}"
diff --git a/packages/ti_misp/1.7.1/data_stream/threat/fields/agent.yml b/packages/ti_misp/1.7.1/data_stream/threat/fields/agent.yml
deleted file mode 100755
index da4e652c53..0000000000
--- a/packages/ti_misp/1.7.1/data_stream/threat/fields/agent.yml
+++ /dev/null
@@ -1,198 +0,0 @@
-- name: cloud
- title: Cloud
- group: 2
- description: Fields related to the cloud or infrastructure the events are coming from.
- footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.'
- type: group
- fields:
- - name: account.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment.
-
- Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.'
- example: 666777888999
- - name: availability_zone
- level: extended
- type: keyword
- ignore_above: 1024
- description: Availability zone in which this host is running.
- example: us-east-1c
- - name: instance.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance ID of the host machine.
- example: i-1234567890abcdef0
- - name: instance.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance name of the host machine.
- - name: machine.type
- level: extended
- type: keyword
- ignore_above: 1024
- description: Machine type of the host machine.
- example: t2.medium
- - name: provider
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
- example: aws
- - name: region
- level: extended
- type: keyword
- ignore_above: 1024
- description: Region in which this host is running.
- example: us-east-1
- - name: project.id
- type: keyword
- description: Name of the project in Google Cloud.
- - name: image.id
- type: keyword
- description: Image ID for the cloud instance. 
-- name: container
- title: Container
- group: 2
- description: 'Container fields are used for meta information about the specific container that is the source of information.
-
- These fields help correlate data based containers from any runtime.'
- type: group
- fields:
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: Unique container id.
- - name: image.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the image the container was built on.
- - name: labels
- level: extended
- type: object
- object_type: keyword
- description: Image labels.
- - name: name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Container name.
-- name: host
- title: Host
- group: 2
- description: 'A host is defined as a general computing instance.
-
- ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.'
- type: group
- fields:
- - name: architecture
- level: core
- type: keyword
- ignore_above: 1024
- description: Operating system architecture.
- example: x86_64
- - name: domain
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'Name of the domain of which the host is a member.
-
- For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.'
- example: CONTOSO
- default_field: false
- - name: hostname
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Hostname of the host.
-
- It normally contains what the `hostname` command returns on the host machine.'
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Unique host id.
-
- As hostname is not always unique, use values that are meaningful in your environment.
-
- Example: The current usage of `beat.name`.' 
- - name: ip
- level: core
- type: ip
- description: Host ip addresses.
- - name: mac
- level: core
- type: keyword
- ignore_above: 1024
- description: Host mac addresses.
- - name: name
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Name of the host.
-
- It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.'
- - name: os.family
- level: extended
- type: keyword
- ignore_above: 1024
- description: OS family (such as redhat, debian, freebsd, windows).
- example: debian
- - name: os.kernel
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system kernel version as a raw string.
- example: 4.4.0-112-generic
- - name: os.name
- level: extended
- type: keyword
- ignore_above: 1024
- multi_fields:
- - name: text
- type: text
- norms: false
- default_field: false
- description: Operating system name, without the version.
- example: Mac OS X
- - name: os.platform
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system platform (such centos, ubuntu, windows).
- example: darwin
- - name: os.version
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system version as a raw string.
- example: 10.14.1
- - name: type
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Type of host.
-
- For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.'
- - name: containerized
- type: boolean
- description: >
- If the host is a container.
-
- - name: os.build
- type: keyword
- example: "18D109"
- description: >
- OS build information.
-
- - name: os.codename
- type: keyword
- example: "stretch"
- description: >
- OS codename, if any.
-
diff --git a/packages/ti_misp/1.7.1/data_stream/threat/fields/base-fields.yml b/packages/ti_misp/1.7.1/data_stream/threat/fields/base-fields.yml
deleted file mode 100755
index 337375ce74..0000000000
--- a/packages/ti_misp/1.7.1/data_stream/threat/fields/base-fields.yml
+++ /dev/null
@@ -1,28 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset name.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: event.module
- type: constant_keyword
- description: Event module
- value: ti_misp
-- name: event.dataset
- type: constant_keyword
- description: Event dataset
- value: ti_misp.threat
-- name: threat.feed.name
- type: constant_keyword
- description: Display friendly feed name.
- value: MISP
-- name: threat.feed.dashboard_id
- type: constant_keyword
- description: Dashboard ID used for Kibana CTI UI
- value: ti_misp-56ed8040-6c7d-11ec-9bce-f7a4dc94c294
-- name: "@timestamp"
- type: date
- description: Event timestamp.
diff --git a/packages/ti_misp/1.7.1/data_stream/threat/fields/beats.yml b/packages/ti_misp/1.7.1/data_stream/threat/fields/beats.yml
deleted file mode 100755
index cb44bb2944..0000000000
--- a/packages/ti_misp/1.7.1/data_stream/threat/fields/beats.yml
+++ /dev/null
@@ -1,12 +0,0 @@
-- name: input.type
- type: keyword
- description: Type of Filebeat input.
-- name: log.flags
- type: keyword
- description: Flags for the log file.
-- name: log.offset
- type: long
- description: Offset of the entry in the log file.
-- name: log.file.path
- type: keyword
- description: Path to the log file.
diff --git a/packages/ti_misp/1.7.1/data_stream/threat/fields/ecs.yml b/packages/ti_misp/1.7.1/data_stream/threat/fields/ecs.yml
deleted file mode 100755
index 66b64a4a4b..0000000000
--- a/packages/ti_misp/1.7.1/data_stream/threat/fields/ecs.yml
+++ /dev/null
@@ -1,169 +0,0 @@
-- description: |-
- ECS version this event conforms to. `ecs.version` is a required field and must exist in all events.
- When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events.
- name: ecs.version
- type: keyword
-- description: |-
- For log events the message field contains the log message, optimized for viewing in a log viewer.
- For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event.
- If multiple messages exist, they can be combined into one message.
- name: message
- type: match_only_text
-- description: List of keywords used to tag each event.
- name: tags
- normalize:
- - array
- type: keyword
-- description: Error message.
- name: error.message
- type: match_only_text
-- description: |-
- This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy.
- `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory.
- This field is an array. This will allow proper categorization of some events that fall in multiple categories.
- name: event.category
- normalize:
- - array
- type: keyword
-- description: |-
- Timestamp when an event arrived in the central data store.
- This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event.
- In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. 
- name: event.ingested
- type: date
-- description: |-
- event.created contains the date/time when the event was first read by an agent, or by your pipeline.
- This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event.
- In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source.
- In case the two timestamps are identical, @timestamp should be used.
- name: event.created
- type: date
-- description: |-
- This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy.
- `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events.
- The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not.
- name: event.kind
- type: keyword
-- description: |-
- This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy.
- `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization.
- This field is an array. This will allow proper categorization of some events that fall in multiple event types.
- name: event.type
- normalize:
- - array
- type: keyword
-- description: |-
- Raw text message of entire event. 
Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex.
- This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`.
- doc_values: false
- index: false
- name: event.original
- type: keyword
-- description: User email address.
- name: user.email
- type: keyword
-- description: Array of user roles at the time of the event.
- name: user.roles
- normalize:
- - array
- type: keyword
-- description: The date and time when intelligence source first reported sighting this indicator.
- name: threat.indicator.first_seen
- type: date
-- description: The date and time when intelligence source last reported sighting this indicator.
- name: threat.indicator.last_seen
- type: date
-- description: Count of AV/EDR vendors that successfully detected malicious file or URL.
- name: threat.indicator.scanner_stats
- type: long
-- description: Type of indicator as represented by Cyber Observable in STIX 2.0.
- name: threat.indicator.type
- type: keyword
-- description: Identifies a threat indicator as an IP address (irrespective of direction).
- name: threat.indicator.ip
- type: ip
-- description: |-
- Domain of the url, such as "www.elastic.co".
- In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field.
- If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field.
- name: threat.indicator.url.domain
- type: keyword
-- description: If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. 
- multi_fields:
- - name: text
- type: match_only_text
- name: threat.indicator.url.full
- type: wildcard
-- description: |-
- The field contains the file extension from the original request url, excluding the leading dot.
- The file extension is only set if it exists, as not every url has a file extension.
- The leading period must not be included. For example, the value must be "png", not ".png".
- Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz").
- name: threat.indicator.url.extension
- type: keyword
-- description: |-
- Unmodified original url as seen in the event source.
- Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path.
- This field is meant to represent the URL as it was observed, complete or not.
- multi_fields:
- - name: text
- type: match_only_text
- name: threat.indicator.url.original
- type: wildcard
-- description: Path of the request, such as "/search".
- name: threat.indicator.url.path
- type: wildcard
-- description: Port of the request, such as 443.
- name: threat.indicator.url.port
- type: long
-- description: |-
- Scheme of the request, such as "https".
- Note: The `:` is not part of the scheme.
- name: threat.indicator.url.scheme
- type: keyword
-- description: |-
- The query field describes the query string of the request, such as "q=elasticsearch".
- The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases.
- name: threat.indicator.url.query
- type: keyword
-- description: Identifies a threat indicator as an email address (irrespective of direction).
- name: threat.indicator.email.address
- type: keyword
-- description: The name of the indicator's provider. 
- name: threat.indicator.provider
- type: keyword
-- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet.
- name: threat.indicator.as.number
- type: long
-- description: MD5 hash.
- name: threat.indicator.file.hash.md5
- type: keyword
-- description: SHA1 hash.
- name: threat.indicator.file.hash.sha1
- type: keyword
-- description: SHA256 hash.
- name: threat.indicator.file.hash.sha256
- type: keyword
-- description: Traffic Light Protocol sharing markings.
- name: threat.indicator.marking.tlp
- type: keyword
-- description: Identifies a threat indicator as a port number (irrespective of direction).
- name: threat.indicator.port
- type: long
-- description: Hive-relative path of keys.
- name: threat.indicator.registry.key
- type: keyword
-- description: Name of the value written.
- name: threat.indicator.registry.value
- type: keyword
-- description: |-
- File size in bytes.
- Only relevant when `file.type` is "file".
- name: threat.indicator.file.size
- type: long
-- description: File type (file, dir, or symlink).
- name: threat.indicator.file.type
- type: keyword
-- description: Name of the file including the extension, without the directory.
- name: threat.indicator.file.name
- type: keyword
diff --git a/packages/ti_misp/1.7.1/data_stream/threat/fields/fields.yml b/packages/ti_misp/1.7.1/data_stream/threat/fields/fields.yml
deleted file mode 100755
index 133826511b..0000000000
--- a/packages/ti_misp/1.7.1/data_stream/threat/fields/fields.yml
+++ /dev/null
@@ -1,291 +0,0 @@
-- name: misp
- type: group
- description: >
- Fields for MISP indicators
-
- fields:
- - name: id
- type: keyword
- description: >
- Attribute ID.
-
- - name: orgc_id
- type: keyword
- description: >
- Organization Community ID of the event.
-
- - name: org_id
- type: keyword
- description: >
- Organization ID of the event.
-
- - name: threat_level_id
- type: long
- description: >
- Threat level from 5 to 1, where 1 is the most critical.
-
- - name: info
- type: keyword
- description: >
- Additional text or information related to the event.
-
- - name: published
- type: boolean
- description: >
- When the event was published.
-
- - name: uuid
- type: keyword
- description: >
- The UUID of the event object.
-
- - name: date
- type: date
- description: >
- The date of when the event object was created.
-
- - name: attribute_count
- type: long
- description: >
- How many attributes are included in a single event object.
-
- - name: timestamp
- type: date
- description: >
- The timestamp of when the event object was created.
-
- - name: distribution
- type: keyword
- description: >
- Distribution type related to MISP.
-
- - name: proposal_email_lock
- type: boolean
- description: >
- Settings configured on MISP for email lock on this event object.
-
- - name: locked
- type: boolean
- description: >
- If the current MISP event object is locked or not.
-
- - name: publish_timestamp
- type: date
- description: >
- At what time the event object was published
-
- - name: sharing_group_id
- type: keyword
- description: >
- The ID of the grouped events or sources of the event.
-
- - name: disable_correlation
- type: boolean
- description: >
- If correlation is disabled on the MISP event object.
-
- - name: extends_uuid
- type: keyword
- description: >
- The UUID of the event object it might extend.
-
- - name: org.id
- type: keyword
- description: >
- The organization ID related to the event object.
-
- - name: org.name
- type: keyword
- description: >
- The organization name related to the event object.
-
- - name: org.uuid
- type: keyword
- description: >
- The UUID of the organization related to the event object.
-
- - name: org.local
- type: boolean
- description: >
- If the event object is local or from a remote source.
-
- - name: orgc.id
- type: keyword
- description: >
- The Organization Community ID in which the event object was reported from.
-
- - name: orgc.name
- type: keyword
- description: >
- The Organization Community name in which the event object was reported from.
-
- - name: orgc.uuid
- type: keyword
- description: >
- The Organization Community UUID in which the event object was reported from.
-
- - name: orgc.local
- type: boolean
- description: >
- If the Organization Community was local or synced from a remote source.
-
- - name: attribute.id
- type: keyword
- description: >
- The ID of the attribute related to the event object.
-
- - name: attribute.type
- type: keyword
- description: >
- The type of the attribute related to the event object. For example email, ipv4, sha1 and such.
-
- - name: attribute.category
- type: keyword
- description: >
- The category of the attribute related to the event object. For example "Network Activity".
-
- - name: attribute.to_ids
- type: boolean
- description: >
- If the attribute should be automatically synced with an IDS.
-
- - name: attribute.uuid
- type: keyword
- description: >
- The UUID of the attribute related to the event.
-
- - name: attribute.event_id
- type: keyword
- description: >
- The local event ID of the attribute related to the event.
-
- - name: attribute.distribution
- type: long
- description: >
- How the attribute has been distributed, represented by integer numbers.
-
- - name: attribute.timestamp
- type: date
- description: >
- The timestamp in which the attribute was attached to the event object.
-
- - name: attribute.comment
- type: keyword
- description: >
- Comments made to the attribute itself.
-
- - name: attribute.sharing_group_id
- type: keyword
- description: >
- The group ID of the sharing group related to the specific attribute.
-
- - name: attribute.deleted
- type: boolean
- description: >
- If the attribute has been removed from the event object.
-
- - name: attribute.disable_correlation
- type: boolean
- description: >
- If correlation has been enabled on the attribute related to the event object.
-
- - name: attribute.object_id
- type: keyword
- description: >
- The ID of the Object in which the attribute is attached.
-
- - name: attribute.object_relation
- type: keyword
- description: >
- The type of relation the attribute has with the event object itself.
-
- - name: attribute.value
- type: keyword
- description: >
- The value of the attribute, depending on the type like "url, sha1, email-src".
-
- - name: context.attribute.id
- type: keyword
- description: >
- The ID of the secondary attribute related to the event object.
-
- - name: context.attribute.type
- type: keyword
- description: >
- The type of the secondary attribute related to the event object. For example email, ipv4, sha1 and such.
-
- - name: context.attribute.category
- type: keyword
- description: >
- The category of the secondary attribute related to the event object. For example "Network Activity".
-
- - name: context.attribute.to_ids
- type: boolean
- description: >
- If the secondary attribute should be automatically synced with an IDS.
-
- - name: context.attribute.uuid
- type: keyword
- description: >
- The UUID of the secondary attribute related to the event.
-
- - name: context.attribute.event_id
- type: keyword
- description: >
- The local event ID of the secondary attribute related to the event.
-
- - name: context.attribute.distribution
- type: long
- description: >
- How the secondary attribute has been distributed, represented by integer numbers.
-
- - name: context.attribute.timestamp
- type: date
- description: >
- The timestamp in which the secondary attribute was attached to the event object.
-
- - name: context.attribute.comment
- type: keyword
- description: >
- Comments made to the secondary attribute itself.
-
- - name: context.attribute.sharing_group_id
- type: keyword
- description: >
- The group ID of the sharing group related to the specific secondary attribute.
-
- - name: context.attribute.deleted
- type: boolean
- description: >
- If the secondary attribute has been removed from the event object.
-
- - name: context.attribute.disable_correlation
- type: boolean
- description: >
- If correlation has been enabled on the secondary attribute related to the event object.
-
- - name: context.attribute.object_id
- type: keyword
- description: >
- The ID of the Object in which the secondary attribute is attached.
-
- - name: context.attribute.object_relation
- type: keyword
- description: >
- The type of relation the secondary attribute has with the event object itself.
-
- - name: context.attribute.value
- type: keyword
- description: >
- The value of the attribute, depending on the type like "url, sha1, email-src".
-
- - name: context.attribute.first_seen
- type: keyword
- description: >
- The first time the indicator was seen.
-
- - name: context.attribute.last_seen
- type: keyword
- description: >
- The last time the indicator was seen.
-
diff --git a/packages/ti_misp/1.7.1/data_stream/threat/manifest.yml b/packages/ti_misp/1.7.1/data_stream/threat/manifest.yml
deleted file mode 100755
index ecc9fe6490..0000000000
--- a/packages/ti_misp/1.7.1/data_stream/threat/manifest.yml
+++ /dev/null
@@ -1,101 +0,0 @@
-type: logs
-title: MISP
-streams:
- - input: httpjson
- vars:
- - name: url
- type: text
- title: MISP URL
- multi: false
- required: true
- show_user: true
- default: https://mispserver.com
- description: The URL or hostname of the MISP instance.
- - name: api_token
- type: password
- title: MISP API Token
- multi: false
- required: true
- show_user: true
- description: The API token used to access the MISP instance.
- - name: initial_interval
- type: text
- title: Interval
- multi: false
- required: true
- show_user: true
- default: 120h
- description: How far back to look for indicators the first time the agent is started.
- - name: http_client_timeout
- type: text
- title: HTTP Client Timeout
- multi: false
- required: false
- show_user: false
- default: 30s
- - name: filters
- type: yaml
- title: MISP API Filters
- multi: false
- required: false
- show_user: false
- default: |
- #type:
- # OR:
- # - ip-src
- # - ip-dst
- #tags:
- # NOT:
- # - tlp-red
- description: Filters documented at [MISP API Documentation](https://www.circl.lu/doc/misp/automation/#search) is supported.
- - name: proxy_url
- type: text
- title: Proxy URL
- multi: false
- required: false
- show_user: false
- description: URL to proxy connections in the form of http\[s\]://:@:
- - name: interval
- type: text
- title: Interval
- multi: false
- required: true
- show_user: true
- default: 10m
- - name: ssl
- type: yaml
- title: SSL
- multi: false
- required: false
- show_user: false
- default: |
- #verification_mode: none
- - name: tags
- type: text
- title: Tags
- multi: true
- required: true
- show_user: false
- default:
- - forwarded
- - misp-threat
- - name: preserve_original_event
- required: true
- show_user: true
- title: Preserve original event
- description: Preserves a raw copy of the original event, added to the field `event.original`
- type: bool
- multi: false
- default: false
- - name: processors
- type: yaml
- title: Processors
- multi: false
- required: false
- show_user: false
- description: >
- Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
- template_path: httpjson.yml.hbs
- title: MISP
- description: Collect indicators from the MISP API
diff --git a/packages/ti_misp/1.7.1/data_stream/threat/sample_event.json b/packages/ti_misp/1.7.1/data_stream/threat/sample_event.json
deleted file mode 100755
index 101990cd2d..0000000000
--- a/packages/ti_misp/1.7.1/data_stream/threat/sample_event.json
+++ /dev/null
@@ -1,97 +0,0 @@ -{ - "@timestamp": "2014-10-06T07:12:57.000Z", - "agent": { - "ephemeral_id": "0f6be3e4-7f46-4b9a-9d70-231d2cc3e346", - "id": "a4d670f7-b402-456c-89b1-fbf01d2c8a8b", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "8.3.2" - }, - "data_stream": { - "dataset": "ti_misp.threat", - "namespace": "ep", - "type": "logs" - }, - "ecs": { - "version": "8.4.0" - }, - "elastic_agent": { - "id": "a4d670f7-b402-456c-89b1-fbf01d2c8a8b", - "snapshot": false, - "version": "8.3.2" - }, - "event": { - "agent_id_status": "verified", - "category": "threat", - "created": "2022-08-01T18:03:01.416Z", - "dataset": "ti_misp.threat", - "ingested": "2022-08-01T18:03:02Z", - "kind": "enrichment", - "original": "{\"Event\":{\"Attribute\":{\"Galaxy\":[],\"ShadowAttribute\":[],\"category\":\"Network activity\",\"comment\":\"\",\"deleted\":false,\"disable_correlation\":false,\"distribution\":\"5\",\"event_id\":\"22\",\"first_seen\":null,\"id\":\"12394\",\"last_seen\":null,\"object_id\":\"0\",\"object_relation\":null,\"sharing_group_id\":\"0\",\"timestamp\":\"1462454963\",\"to_ids\":false,\"type\":\"domain\",\"uuid\":\"572b4ab3-1af0-4d91-9cd5-07a1c0a8ab16\",\"value\":\"whatsapp.com\"},\"EventReport\":[],\"Galaxy\":[],\"Object\":[],\"Org\":{\"id\":\"1\",\"local\":true,\"name\":\"ORGNAME\",\"uuid\":\"5877549f-ea76-4b91-91fb-c72ad682b4a5\"},\"Orgc\":{\"id\":\"2\",\"local\":false,\"name\":\"CthulhuSPRL.be\",\"uuid\":\"55f6ea5f-fd34-43b8-ac1d-40cb950d210f\"},\"RelatedEvent\":[],\"ShadowAttribute\":[],\"Tag\":[{\"colour\":\"#004646\",\"exportable\":true,\"hide_tag\":false,\"id\":\"1\",\"is_custom_galaxy\":false,\"is_galaxy\":false,\"local\":0,\"name\":\"type:OSINT\",\"numerical_value\":null,\"user_id\":\"0\"},{\"colour\":\"#339900\",\"exportable\":true,\"hide_tag\":false,\"id\":\"2\",\"is_custom_galaxy\":false,\"is_galaxy\":false,\"local\":0,\"name\":\"tlp:green\",\"numerical_value\":null,\"user_id\":\"0\"}],\"analysis\":\"2\",\"attribute_count\":\"29\",\"date\":\"2014-
10-03\",\"disable_correlation\":false,\"distribution\":\"3\",\"extends_uuid\":\"\",\"id\":\"2\",\"info\":\"OSINT New Indicators of Compromise for APT Group Nitro Uncovered blog post by Palo Alto Networks\",\"locked\":false,\"org_id\":\"1\",\"orgc_id\":\"2\",\"proposal_email_lock\":false,\"publish_timestamp\":\"1610622316\",\"published\":true,\"sharing_group_id\":\"0\",\"threat_level_id\":\"2\",\"timestamp\":\"1412579577\",\"uuid\":\"54323f2c-e50c-4268-896c-4867950d210b\"}}", - "type": "indicator" - }, - "input": { - "type": "httpjson" - }, - "misp": { - "attribute": { - "category": "Network activity", - "comment": "", - "deleted": false, - "disable_correlation": false, - "distribution": 5, - "event_id": "22", - "id": "12394", - "object_id": "0", - "sharing_group_id": "0", - "timestamp": "1462454963", - "to_ids": false, - "type": "domain", - "uuid": "572b4ab3-1af0-4d91-9cd5-07a1c0a8ab16" - }, - "attribute_count": 29, - "date": "2014-10-03", - "disable_correlation": false, - "distribution": "3", - "extends_uuid": "", - "id": "2", - "info": "OSINT New Indicators of Compromise for APT Group Nitro Uncovered blog post by Palo Alto Networks", - "locked": false, - "org_id": "1", - "orgc": { - "id": "2", - "local": false, - "name": "CthulhuSPRL.be", - "uuid": "55f6ea5f-fd34-43b8-ac1d-40cb950d210f" - }, - "orgc_id": "2", - "proposal_email_lock": false, - "publish_timestamp": "1610622316", - "published": true, - "sharing_group_id": "0", - "threat_level_id": 2, - "uuid": "54323f2c-e50c-4268-896c-4867950d210b" - }, - "tags": [ - "type:OSINT", - "tlp:green" - ], - "threat": { - "feed": { - "name": "MISP" - }, - "indicator": { - "marking": { - "tlp": [ - "GREEN" - ] - }, - "provider": "misp", - "scanner_stats": 2, - "type": "domain-name", - "url": { - "domain": "whatsapp.com" - } - } - } -} \ No newline at end of file diff --git a/packages/ti_misp/1.7.1/docs/README.md b/packages/ti_misp/1.7.1/docs/README.md deleted file mode 100755 index 62e7c28f77..0000000000 
--- a/packages/ti_misp/1.7.1/docs/README.md
+++ /dev/null
@@ -1,259 +0,0 @@ -# MISP Integration - -The MISP integration uses the [REST API from the running MISP instance](https://www.circl.lu/doc/misp/automation/#automation-api) to retrieve indicators and Threat Intelligence. - -## Logs - -### Threat - -The MISP integration configuration allows to set the polling interval, how far back it -should look initially, and optionally any filters used to filter the results. - -The filters themselves are based on the [MISP API documentation](https://www.circl.lu/doc/misp/automation/#search) and should support all documented fields. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset name. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. 
| constant_keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| error.message | Error message. | match_only_text | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | -| event.dataset | Event dataset | constant_keyword | -| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. 
| date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | -| event.module | Event module | constant_keyword | -| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. 
It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| input.type | Type of Filebeat input. | keyword | -| log.file.path | Path to the log file. | keyword | -| log.flags | Flags for the log file. | keyword | -| log.offset | Offset of the entry in the log file. | long | -| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | -| misp.attribute.category | The category of the attribute related to the event object. 
For example "Network Activity". | keyword | -| misp.attribute.comment | Comments made to the attribute itself. | keyword | -| misp.attribute.deleted | If the attribute has been removed from the event object. | boolean | -| misp.attribute.disable_correlation | If correlation has been enabled on the attribute related to the event object. | boolean | -| misp.attribute.distribution | How the attribute has been distributed, represented by integer numbers. | long | -| misp.attribute.event_id | The local event ID of the attribute related to the event. | keyword | -| misp.attribute.id | The ID of the attribute related to the event object. | keyword | -| misp.attribute.object_id | The ID of the Object in which the attribute is attached. | keyword | -| misp.attribute.object_relation | The type of relation the attribute has with the event object itself. | keyword | -| misp.attribute.sharing_group_id | The group ID of the sharing group related to the specific attribute. | keyword | -| misp.attribute.timestamp | The timestamp in which the attribute was attached to the event object. | date | -| misp.attribute.to_ids | If the attribute should be automatically synced with an IDS. | boolean | -| misp.attribute.type | The type of the attribute related to the event object. For example email, ipv4, sha1 and such. | keyword | -| misp.attribute.uuid | The UUID of the attribute related to the event. | keyword | -| misp.attribute.value | The value of the attribute, depending on the type like "url, sha1, email-src". | keyword | -| misp.attribute_count | How many attributes are included in a single event object. | long | -| misp.context.attribute.category | The category of the secondary attribute related to the event object. For example "Network Activity". | keyword | -| misp.context.attribute.comment | Comments made to the secondary attribute itself. | keyword | -| misp.context.attribute.deleted | If the secondary attribute has been removed from the event object. 
| boolean | -| misp.context.attribute.disable_correlation | If correlation has been enabled on the secondary attribute related to the event object. | boolean | -| misp.context.attribute.distribution | How the secondary attribute has been distributed, represented by integer numbers. | long | -| misp.context.attribute.event_id | The local event ID of the secondary attribute related to the event. | keyword | -| misp.context.attribute.first_seen | The first time the indicator was seen. | keyword | -| misp.context.attribute.id | The ID of the secondary attribute related to the event object. | keyword | -| misp.context.attribute.last_seen | The last time the indicator was seen. | keyword | -| misp.context.attribute.object_id | The ID of the Object in which the secondary attribute is attached. | keyword | -| misp.context.attribute.object_relation | The type of relation the secondary attribute has with the event object itself. | keyword | -| misp.context.attribute.sharing_group_id | The group ID of the sharing group related to the specific secondary attribute. | keyword | -| misp.context.attribute.timestamp | The timestamp in which the secondary attribute was attached to the event object. | date | -| misp.context.attribute.to_ids | If the secondary attribute should be automatically synced with an IDS. | boolean | -| misp.context.attribute.type | The type of the secondary attribute related to the event object. For example email, ipv4, sha1 and such. | keyword | -| misp.context.attribute.uuid | The UUID of the secondary attribute related to the event. | keyword | -| misp.context.attribute.value | The value of the attribute, depending on the type like "url, sha1, email-src". | keyword | -| misp.date | The date of when the event object was created. | date | -| misp.disable_correlation | If correlation is disabled on the MISP event object. | boolean | -| misp.distribution | Distribution type related to MISP. 
| keyword | -| misp.extends_uuid | The UUID of the event object it might extend. | keyword | -| misp.id | Attribute ID. | keyword | -| misp.info | Additional text or information related to the event. | keyword | -| misp.locked | If the current MISP event object is locked or not. | boolean | -| misp.org.id | The organization ID related to the event object. | keyword | -| misp.org.local | If the event object is local or from a remote source. | boolean | -| misp.org.name | The organization name related to the event object. | keyword | -| misp.org.uuid | The UUID of the organization related to the event object. | keyword | -| misp.org_id | Organization ID of the event. | keyword | -| misp.orgc.id | The Organization Community ID in which the event object was reported from. | keyword | -| misp.orgc.local | If the Organization Community was local or synced from a remote source. | boolean | -| misp.orgc.name | The Organization Community name in which the event object was reported from. | keyword | -| misp.orgc.uuid | The Organization Community UUID in which the event object was reported from. | keyword | -| misp.orgc_id | Organization Community ID of the event. | keyword | -| misp.proposal_email_lock | Settings configured on MISP for email lock on this event object. | boolean | -| misp.publish_timestamp | At what time the event object was published | date | -| misp.published | When the event was published. | boolean | -| misp.sharing_group_id | The ID of the grouped events or sources of the event. | keyword | -| misp.threat_level_id | Threat level from 5 to 1, where 1 is the most critical. | long | -| misp.timestamp | The timestamp of when the event object was created. | date | -| misp.uuid | The UUID of the event object. | keyword | -| tags | List of keywords used to tag each event. | keyword | -| threat.feed.dashboard_id | Dashboard ID used for Kibana CTI UI | constant_keyword | -| threat.feed.name | Display friendly feed name. 
| constant_keyword | -| threat.indicator.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| threat.indicator.email.address | Identifies a threat indicator as an email address (irrespective of direction). | keyword | -| threat.indicator.file.hash.md5 | MD5 hash. | keyword | -| threat.indicator.file.hash.sha1 | SHA1 hash. | keyword | -| threat.indicator.file.hash.sha256 | SHA256 hash. | keyword | -| threat.indicator.file.name | Name of the file including the extension, without the directory. | keyword | -| threat.indicator.file.size | File size in bytes. Only relevant when `file.type` is "file". | long | -| threat.indicator.file.type | File type (file, dir, or symlink). | keyword | -| threat.indicator.first_seen | The date and time when intelligence source first reported sighting this indicator. | date | -| threat.indicator.ip | Identifies a threat indicator as an IP address (irrespective of direction). | ip | -| threat.indicator.last_seen | The date and time when intelligence source last reported sighting this indicator. | date | -| threat.indicator.marking.tlp | Traffic Light Protocol sharing markings. | keyword | -| threat.indicator.port | Identifies a threat indicator as a port number (irrespective of direction). | long | -| threat.indicator.provider | The name of the indicator's provider. | keyword | -| threat.indicator.registry.key | Hive-relative path of keys. | keyword | -| threat.indicator.registry.value | Name of the value written. | keyword | -| threat.indicator.scanner_stats | Count of AV/EDR vendors that successfully detected malicious file or URL. | long | -| threat.indicator.type | Type of indicator as represented by Cyber Observable in STIX 2.0. | keyword | -| threat.indicator.url.domain | Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. 
In this case, the IP address would go to the `domain` field. If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. | keyword | -| threat.indicator.url.extension | The field contains the file extension from the original request url, excluding the leading dot. The file extension is only set if it exists, as not every url has a file extension. The leading period must not be included. For example, the value must be "png", not ".png". Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword | -| threat.indicator.url.full | If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. | wildcard | -| threat.indicator.url.full.text | Multi-field of `threat.indicator.url.full`. | match_only_text | -| threat.indicator.url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | wildcard | -| threat.indicator.url.original.text | Multi-field of `threat.indicator.url.original`. | match_only_text | -| threat.indicator.url.path | Path of the request, such as "/search". | wildcard | -| threat.indicator.url.port | Port of the request, such as 443. | long | -| threat.indicator.url.query | The query field describes the query string of the request, such as "q=elasticsearch". The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. 
| keyword | -| threat.indicator.url.scheme | Scheme of the request, such as "https". Note: The `:` is not part of the scheme. | keyword | -| user.email | User email address. | keyword | -| user.roles | Array of user roles at the time of the event. | keyword | - - -An example event for `threat` looks as following: - -```json -{ - "@timestamp": "2014-10-06T07:12:57.000Z", - "agent": { - "ephemeral_id": "0f6be3e4-7f46-4b9a-9d70-231d2cc3e346", - "id": "a4d670f7-b402-456c-89b1-fbf01d2c8a8b", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "8.3.2" - }, - "data_stream": { - "dataset": "ti_misp.threat", - "namespace": "ep", - "type": "logs" - }, - "ecs": { - "version": "8.4.0" - }, - "elastic_agent": { - "id": "a4d670f7-b402-456c-89b1-fbf01d2c8a8b", - "snapshot": false, - "version": "8.3.2" - }, - "event": { - "agent_id_status": "verified", - "category": "threat", - "created": "2022-08-01T18:03:01.416Z", - "dataset": "ti_misp.threat", - "ingested": "2022-08-01T18:03:02Z", - "kind": "enrichment", - "original": "{\"Event\":{\"Attribute\":{\"Galaxy\":[],\"ShadowAttribute\":[],\"category\":\"Network 
activity\",\"comment\":\"\",\"deleted\":false,\"disable_correlation\":false,\"distribution\":\"5\",\"event_id\":\"22\",\"first_seen\":null,\"id\":\"12394\",\"last_seen\":null,\"object_id\":\"0\",\"object_relation\":null,\"sharing_group_id\":\"0\",\"timestamp\":\"1462454963\",\"to_ids\":false,\"type\":\"domain\",\"uuid\":\"572b4ab3-1af0-4d91-9cd5-07a1c0a8ab16\",\"value\":\"whatsapp.com\"},\"EventReport\":[],\"Galaxy\":[],\"Object\":[],\"Org\":{\"id\":\"1\",\"local\":true,\"name\":\"ORGNAME\",\"uuid\":\"5877549f-ea76-4b91-91fb-c72ad682b4a5\"},\"Orgc\":{\"id\":\"2\",\"local\":false,\"name\":\"CthulhuSPRL.be\",\"uuid\":\"55f6ea5f-fd34-43b8-ac1d-40cb950d210f\"},\"RelatedEvent\":[],\"ShadowAttribute\":[],\"Tag\":[{\"colour\":\"#004646\",\"exportable\":true,\"hide_tag\":false,\"id\":\"1\",\"is_custom_galaxy\":false,\"is_galaxy\":false,\"local\":0,\"name\":\"type:OSINT\",\"numerical_value\":null,\"user_id\":\"0\"},{\"colour\":\"#339900\",\"exportable\":true,\"hide_tag\":false,\"id\":\"2\",\"is_custom_galaxy\":false,\"is_galaxy\":false,\"local\":0,\"name\":\"tlp:green\",\"numerical_value\":null,\"user_id\":\"0\"}],\"analysis\":\"2\",\"attribute_count\":\"29\",\"date\":\"2014-10-03\",\"disable_correlation\":false,\"distribution\":\"3\",\"extends_uuid\":\"\",\"id\":\"2\",\"info\":\"OSINT New Indicators of Compromise for APT Group Nitro Uncovered blog post by Palo Alto Networks\",\"locked\":false,\"org_id\":\"1\",\"orgc_id\":\"2\",\"proposal_email_lock\":false,\"publish_timestamp\":\"1610622316\",\"published\":true,\"sharing_group_id\":\"0\",\"threat_level_id\":\"2\",\"timestamp\":\"1412579577\",\"uuid\":\"54323f2c-e50c-4268-896c-4867950d210b\"}}", - "type": "indicator" - }, - "input": { - "type": "httpjson" - }, - "misp": { - "attribute": { - "category": "Network activity", - "comment": "", - "deleted": false, - "disable_correlation": false, - "distribution": 5, - "event_id": "22", - "id": "12394", - "object_id": "0", - "sharing_group_id": "0", - "timestamp": "1462454963", - 
"to_ids": false, - "type": "domain", - "uuid": "572b4ab3-1af0-4d91-9cd5-07a1c0a8ab16" - }, - "attribute_count": 29, - "date": "2014-10-03", - "disable_correlation": false, - "distribution": "3", - "extends_uuid": "", - "id": "2", - "info": "OSINT New Indicators of Compromise for APT Group Nitro Uncovered blog post by Palo Alto Networks", - "locked": false, - "org_id": "1", - "orgc": { - "id": "2", - "local": false, - "name": "CthulhuSPRL.be", - "uuid": "55f6ea5f-fd34-43b8-ac1d-40cb950d210f" - }, - "orgc_id": "2", - "proposal_email_lock": false, - "publish_timestamp": "1610622316", - "published": true, - "sharing_group_id": "0", - "threat_level_id": 2, - "uuid": "54323f2c-e50c-4268-896c-4867950d210b" - }, - "tags": [ - "type:OSINT", - "tlp:green" - ], - "threat": { - "feed": { - "name": "MISP" - }, - "indicator": { - "marking": { - "tlp": [ - "GREEN" - ] - }, - "provider": "misp", - "scanner_stats": 2, - "type": "domain-name", - "url": { - "domain": "whatsapp.com" - } - } - } -} -``` \ No newline at end of file diff --git a/packages/ti_misp/1.7.1/img/misp.svg b/packages/ti_misp/1.7.1/img/misp.svg deleted file mode 100755 index 076530aa25..0000000000 --- a/packages/ti_misp/1.7.1/img/misp.svg +++ /dev/null @@ -1,158 +0,0 @@ - - - - diff --git a/packages/ti_misp/1.7.1/kibana/dashboard/ti_misp-32d9c020-71ea-11ec-8197-5d53a5437877.json b/packages/ti_misp/1.7.1/kibana/dashboard/ti_misp-32d9c020-71ea-11ec-8197-5d53a5437877.json deleted file mode 100755 index bd8d5dbf01..0000000000 --- a/packages/ti_misp/1.7.1/kibana/dashboard/ti_misp-32d9c020-71ea-11ec-8197-5d53a5437877.json +++ /dev/null 
@@ -1,132 +0,0 @@ -{ - "attributes": { - "description": "Dashboard providing statistics about file type indicators from the MISP integration", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.kind\",\"negate\":false,\"params\":{\"query\":\"enrichment\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"event.kind\":\"enrichment\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"threat.indicator.type\",\"negate\":false,\"params\":{\"query\":\"file\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"threat.indicator.type\":\"file\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[2].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"ti_misp.threat\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"ti_misp.threat\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":true,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"fontSize\":12,\"markdown\":\"**Navigation**\\n\\n[MISP Overview](/app/dashboards#/view/ti_misp-56ed8040-6c7d-11ec-9bce-f7a4dc94c294) \\n**[MISP Files (This Page)](/app/dashboards#/view/ti_misp-32d9c020-71ea-11ec-8197-5d53a5437877)** \\n[MISP URLs](/app/dashboards#/view/ti_misp-399bb8d0-71ec-11ec-8197-5d53a5437877) \\n\\n[Integrations 
Page](/app/integrations/detail/ti_misp/overview)\\n\\n\\n**Overview**\\n\\nThis dashboard is an overview of the different threat intelligence indicators with a **threat.indicator.type: file**.\\n\\nThe dashboard is made to provide general statistics and show the health of your indicators like hash type counters, popular domains, statistics about how many unique indicators are ingested and other relevant information.\",\"openLinksInNewTab\":false},\"title\":\"Files Navigation Textbox [Logs AbuseCH]\",\"type\":\"markdown\",\"uiState\":{}}},\"gridData\":{\"h\":27,\"i\":\"09ba3dc0-e2e2-4799-b47f-bb919bf290a1\",\"w\":7,\"x\":0,\"y\":0},\"panelIndex\":\"09ba3dc0-e2e2-4799-b47f-bb919bf290a1\",\"title\":\"Files Navigation Textbox [Logs MISP]\",\"type\":\"visualization\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-98786f76-dac4-4fc7-9cad-8bfce17bd00d\",\"type\":\"index-pattern\"}],\"sharingSavedObjectProps\":{\"outcome\":\"exactMatch\",\"sourceId\":\"ti_abusech-2e2257a0-3b39-11ec-ae50-2fdf1e96c6a6\"},\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"98786f76-dac4-4fc7-9cad-8bfce17bd00d\":{\"columnOrder\":[\"8622e147-406f-4711-8f68-e2425614106e\"],\"columns\":{\"8622e147-406f-4711-8f68-e2425614106e\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Unique File types\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"threat.indicator.file.type\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"8622e147-406f-4711-8f68-e2425614106e\",\"layerId\":\"98786f76-dac4-4fc7-9cad-8bfce17bd00d\",\"layerType\":\"data\"}},\"title\":\"Unique File Types [Logs 
AbuseCH]\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":8,\"i\":\"31ea16d1-7591-42a7-b773-6fca00e5db14\",\"w\":5,\"x\":7,\"y\":0},\"panelIndex\":\"31ea16d1-7591-42a7-b773-6fca00e5db14\",\"title\":\"Unique File Types [Logs MISP]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-b83c382d-fab9-4e60-a632-475e221cc20c\",\"type\":\"index-pattern\"}],\"sharingSavedObjectProps\":{\"outcome\":\"exactMatch\",\"sourceId\":\"ti_abusech-d888e3e0-3b38-11ec-ae50-2fdf1e96c6a6\"},\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"b83c382d-fab9-4e60-a632-475e221cc20c\":{\"columnOrder\":[\"eda3c6d9-dacb-4e5e-b977-50104f76e91a\"],\"columns\":{\"eda3c6d9-dacb-4e5e-b977-50104f76e91a\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Unique MD5\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"threat.indicator.file.hash.md5\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"eda3c6d9-dacb-4e5e-b977-50104f76e91a\",\"layerId\":\"b83c382d-fab9-4e60-a632-475e221cc20c\",\"layerType\":\"data\"}},\"title\":\"Unique MD5 [Logs AbuseCH]\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":8,\"i\":\"4d3e11dc-c4cc-4373-bb83-3d39fe6ffa98\",\"w\":6,\"x\":12,\"y\":0},\"panelIndex\":\"4d3e11dc-c4cc-4373-bb83-3d39fe6ffa98\",\"title\":\"Unique MD5 [Logs 
MISP]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-85ad73b3-3b76-49f1-ad20-6256b58918f8\",\"type\":\"index-pattern\"}],\"sharingSavedObjectProps\":{\"outcome\":\"exactMatch\",\"sourceId\":\"ti_abusech-28549810-3b39-11ec-ae50-2fdf1e96c6a6\"},\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"85ad73b3-3b76-49f1-ad20-6256b58918f8\":{\"columnOrder\":[\"289bd005-bdd2-4f3b-83b9-ad6ae52a9ed3\"],\"columns\":{\"289bd005-bdd2-4f3b-83b9-ad6ae52a9ed3\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Unique SHA1\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"threat.indicator.file.hash.sha1\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"289bd005-bdd2-4f3b-83b9-ad6ae52a9ed3\",\"layerId\":\"85ad73b3-3b76-49f1-ad20-6256b58918f8\",\"layerType\":\"data\"}},\"title\":\"Unique SHA1 [Logs AbuseCH]\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":8,\"i\":\"e9b6f0ad-5e6b-44da-923e-dc0d5ccfdfea\",\"w\":6,\"x\":18,\"y\":0},\"panelIndex\":\"e9b6f0ad-5e6b-44da-923e-dc0d5ccfdfea\",\"title\":\"Unique SHA1 [Logs 
MISP]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-49b7070a-f1d3-46e1-a980-2f6d6d130167\",\"type\":\"index-pattern\"}],\"sharingSavedObjectProps\":{\"outcome\":\"exactMatch\",\"sourceId\":\"ti_abusech-5d6111a0-3b39-11ec-ae50-2fdf1e96c6a6\"},\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"49b7070a-f1d3-46e1-a980-2f6d6d130167\":{\"columnOrder\":[\"b6c5e221-88ff-490e-bd3e-188b3e0dd1f4\"],\"columns\":{\"b6c5e221-88ff-490e-bd3e-188b3e0dd1f4\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Unique SHA256\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"threat.indicator.file.hash.sha256\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"b6c5e221-88ff-490e-bd3e-188b3e0dd1f4\",\"layerId\":\"49b7070a-f1d3-46e1-a980-2f6d6d130167\",\"layerType\":\"data\"}},\"title\":\"Unique SHA256 [Logs AbuseCH]\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":8,\"i\":\"93e32abe-87e3-469e-b7e9-a7ef7dfa2cce\",\"w\":6,\"x\":24,\"y\":0},\"panelIndex\":\"93e32abe-87e3-469e-b7e9-a7ef7dfa2cce\",\"title\":\"Unique SHA256 [Logs 
MISP]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-12768311-834b-48d5-8aad-d17d139c2ae5\",\"type\":\"index-pattern\"}],\"sharingSavedObjectProps\":{\"outcome\":\"exactMatch\",\"sourceId\":\"ti_abusech-52e62840-3b3a-11ec-ae50-2fdf1e96c6a6\"},\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"12768311-834b-48d5-8aad-d17d139c2ae5\":{\"columnOrder\":[\"0255894e-dd88-4eb1-b21b-0cccecb2cd1b\"],\"columns\":{\"0255894e-dd88-4eb1-b21b-0cccecb2cd1b\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Unique TLSH\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"threat.indicator.file.hash.tlsh\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"0255894e-dd88-4eb1-b21b-0cccecb2cd1b\",\"layerId\":\"12768311-834b-48d5-8aad-d17d139c2ae5\",\"layerType\":\"data\"}},\"title\":\"Unique TLSH [Logs AbuseCH]\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":8,\"i\":\"b77edd3f-b171-4e61-b519-169b5aade031\",\"w\":6,\"x\":30,\"y\":0},\"panelIndex\":\"b77edd3f-b171-4e61-b519-169b5aade031\",\"title\":\"Unique TLSH [Logs 
MISP]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-9070dc46-c06d-4b64-a2c5-7b6d4056a14d\",\"type\":\"index-pattern\"}],\"sharingSavedObjectProps\":{\"outcome\":\"exactMatch\",\"sourceId\":\"ti_abusech-4f8c9d00-3b3a-11ec-ae50-2fdf1e96c6a6\"},\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"9070dc46-c06d-4b64-a2c5-7b6d4056a14d\":{\"columnOrder\":[\"f1bdf831-1fd2-4dc8-b1f9-c6e05d93b801\"],\"columns\":{\"f1bdf831-1fd2-4dc8-b1f9-c6e05d93b801\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Unique Imphash\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"threat.indicator.file.pe.imphash\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"f1bdf831-1fd2-4dc8-b1f9-c6e05d93b801\",\"layerId\":\"9070dc46-c06d-4b64-a2c5-7b6d4056a14d\",\"layerType\":\"data\"}},\"title\":\"Unique Imphash [Logs AbuseCH]\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":8,\"i\":\"f9eb44f8-6174-4b12-a8ca-5c542687006b\",\"w\":6,\"x\":36,\"y\":0},\"panelIndex\":\"f9eb44f8-6174-4b12-a8ca-5c542687006b\",\"title\":\"Unique Imphash [Logs 
MISP]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-e27d5a76-ae51-44fa-b17e-e486bbc01b56\",\"type\":\"index-pattern\"}],\"sharingSavedObjectProps\":{\"outcome\":\"exactMatch\",\"sourceId\":\"ti_abusech-88ef6dd0-3b39-11ec-ae50-2fdf1e96c6a6\"},\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"e27d5a76-ae51-44fa-b17e-e486bbc01b56\":{\"columnOrder\":[\"b5cdfd94-1e22-4673-8216-59aca2131761\"],\"columns\":{\"b5cdfd94-1e22-4673-8216-59aca2131761\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Unique SSDEEP\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"threat.indicator.file.hash.ssdeep\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"b5cdfd94-1e22-4673-8216-59aca2131761\",\"layerId\":\"e27d5a76-ae51-44fa-b17e-e486bbc01b56\",\"layerType\":\"data\"}},\"title\":\"Unique SSDEEP [Logs AbuseCH]\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":8,\"i\":\"c9d59178-9b19-4255-8098-653cb30f3d09\",\"w\":6,\"x\":42,\"y\":0},\"panelIndex\":\"c9d59178-9b19-4255-8098-653cb30f3d09\",\"title\":\"Unique SSDEEP [Logs 
MISP]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-06d9ac79-2055-437e-892c-de9ee07fe674\",\"type\":\"index-pattern\"}],\"sharingSavedObjectProps\":{\"outcome\":\"exactMatch\",\"sourceId\":\"2d0c0ec0-3bbf-11ec-ae8c-7d00429ad420\"},\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"06d9ac79-2055-437e-892c-de9ee07fe674\":{\"columnOrder\":[\"35f5321a-27f4-4076-9d1d-d326187f4689\",\"df062557-78a5-4a78-93f1-34583c809bc3\"],\"columns\":{\"35f5321a-27f4-4076-9d1d-d326187f4689\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"File Names\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"df062557-78a5-4a78-93f1-34583c809bc3\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"threat.indicator.file.name\"},\"df062557-78a5-4a78-93f1-34583c809bc3\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"columns\":[{\"columnId\":\"35f5321a-27f4-4076-9d1d-d326187f4689\",\"isTransposed\":false},{\"columnId\":\"df062557-78a5-4a78-93f1-34583c809bc3\",\"isTransposed\":false}],\"layerId\":\"06d9ac79-2055-437e-892c-de9ee07fe674\",\"layerType\":\"data\"}},\"title\":\"Most popular file names [Logs AbuseCH]\",\"visualizationType\":\"lnsDatatable\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":19,\"i\":\"b733385b-14f8-4469-b777-86d0139cc56b\",\"w\":20,\"x\":7,\"y\":8},\"panelIndex\":\"b733385b-14f8-4469-b777-86d0139cc56b\",\"title\":\"Most popular file names [Logs 
MISP]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-222b3ad0-2e5d-46a0-ae3d-f6a0b15ac2c8\",\"type\":\"index-pattern\"}],\"sharingSavedObjectProps\":{\"outcome\":\"exactMatch\",\"sourceId\":\"ti_abusech-4ee4a490-3b37-11ec-ae50-2fdf1e96c6a6\"},\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"222b3ad0-2e5d-46a0-ae3d-f6a0b15ac2c8\":{\"columnOrder\":[\"06b603cb-c9fb-493a-9ca4-e6502ca12054\",\"de0e531b-dda7-461f-9783-3ab9267d202e\"],\"columns\":{\"06b603cb-c9fb-493a-9ca4-e6502ca12054\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of threat.indicator.file.type\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"de0e531b-dda7-461f-9783-3ab9267d202e\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"threat.indicator.file.type\"},\"de0e531b-dda7-461f-9783-3ab9267d202e\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"06b603cb-c9fb-493a-9ca4-e6502ca12054\"],\"layerId\":\"222b3ad0-2e5d-46a0-ae3d-f6a0b15ac2c8\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"de0e531b-dda7-461f-9783-3ab9267d202e\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"treemap\"}},\"title\":\"File Types [Logs 
AbuseCH]\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":19,\"i\":\"5f1d0cf1-c331-4495-99d5-5e80d023c482\",\"w\":21,\"x\":27,\"y\":8},\"panelIndex\":\"5f1d0cf1-c331-4495-99d5-5e80d023c482\",\"title\":\"File Types [Logs MISP]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"}]", - "timeRestore": false, - "title": "[Logs MISP] Files", - "version": 1 - }, - "coreMigrationVersion": "8.0.0", - "id": "ti_misp-32d9c020-71ea-11ec-8197-5d53a5437877", - "migrationVersion": { - "dashboard": "8.0.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[2].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "31ea16d1-7591-42a7-b773-6fca00e5db14:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "31ea16d1-7591-42a7-b773-6fca00e5db14:indexpattern-datasource-layer-98786f76-dac4-4fc7-9cad-8bfce17bd00d", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "4d3e11dc-c4cc-4373-bb83-3d39fe6ffa98:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "4d3e11dc-c4cc-4373-bb83-3d39fe6ffa98:indexpattern-datasource-layer-b83c382d-fab9-4e60-a632-475e221cc20c", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "e9b6f0ad-5e6b-44da-923e-dc0d5ccfdfea:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "e9b6f0ad-5e6b-44da-923e-dc0d5ccfdfea:indexpattern-datasource-layer-85ad73b3-3b76-49f1-ad20-6256b58918f8", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": 
"93e32abe-87e3-469e-b7e9-a7ef7dfa2cce:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "93e32abe-87e3-469e-b7e9-a7ef7dfa2cce:indexpattern-datasource-layer-49b7070a-f1d3-46e1-a980-2f6d6d130167", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "b77edd3f-b171-4e61-b519-169b5aade031:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "b77edd3f-b171-4e61-b519-169b5aade031:indexpattern-datasource-layer-12768311-834b-48d5-8aad-d17d139c2ae5", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "f9eb44f8-6174-4b12-a8ca-5c542687006b:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "f9eb44f8-6174-4b12-a8ca-5c542687006b:indexpattern-datasource-layer-9070dc46-c06d-4b64-a2c5-7b6d4056a14d", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "c9d59178-9b19-4255-8098-653cb30f3d09:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "c9d59178-9b19-4255-8098-653cb30f3d09:indexpattern-datasource-layer-e27d5a76-ae51-44fa-b17e-e486bbc01b56", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "b733385b-14f8-4469-b777-86d0139cc56b:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "b733385b-14f8-4469-b777-86d0139cc56b:indexpattern-datasource-layer-06d9ac79-2055-437e-892c-de9ee07fe674", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "5f1d0cf1-c331-4495-99d5-5e80d023c482:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "5f1d0cf1-c331-4495-99d5-5e80d023c482:indexpattern-datasource-layer-222b3ad0-2e5d-46a0-ae3d-f6a0b15ac2c8", - "type": "index-pattern" - }, - { - "id": "ti_misp-550ba0e0-6c7d-11ec-9bce-f7a4dc94c294", - "name": "tag-ti_misp-550ba0e0-6c7d-11ec-9bce-f7a4dc94c294", - 
"type": "tag" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/ti_misp/1.7.1/kibana/dashboard/ti_misp-399bb8d0-71ec-11ec-8197-5d53a5437877.json b/packages/ti_misp/1.7.1/kibana/dashboard/ti_misp-399bb8d0-71ec-11ec-8197-5d53a5437877.json deleted file mode 100755 index a9987e5bf9..0000000000 --- a/packages/ti_misp/1.7.1/kibana/dashboard/ti_misp-399bb8d0-71ec-11ec-8197-5d53a5437877.json +++ /dev/null 
@@ -1,97 +0,0 @@ -{ - "attributes": { - "description": "Dashboard providing statistics about URL type indicators from the MISP integration", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"threat.indicator.type\",\"negate\":false,\"params\":{\"query\":\"url\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"threat.indicator.type\":\"url\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"ti_misp.threat\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"ti_misp.threat\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":true,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"id\":\"\",\"params\":{\"fontSize\":12,\"markdown\":\"**Navigation**\\n\\n[MISP Overview](/app/dashboards#/view/ti_misp-56ed8040-6c7d-11ec-9bce-f7a4dc94c294) \\n[MISP Files](/app/dashboards#/view/ti_misp-32d9c020-71ea-11ec-8197-5d53a5437877) \\n**[MISP URLs (This Page)](/app/dashboards#/view/ti_misp-399bb8d0-71ec-11ec-8197-5d53a5437877)** \\n\\n[Integrations Page](/app/integrations/detail/ti_misp/overview)\\n\\n\\n**Overview**\\n\\nThis dashboard is an overview of the different threat intelligence indicators with a **threat.indicator.type: url**. 
\\n\\nThe dashboard is made to provide general statistics and show the health of your indicators like popular domains, file extensions, statistics about how many unique indicators are ingested and other relevant information.\",\"openLinksInNewTab\":false},\"title\":\"\",\"type\":\"markdown\",\"uiState\":{}}},\"gridData\":{\"h\":39,\"i\":\"4c3ed6e1-8b4e-4eab-8d84-70ed4f506216\",\"w\":7,\"x\":0,\"y\":0},\"panelIndex\":\"4c3ed6e1-8b4e-4eab-8d84-70ed4f506216\",\"title\":\"Files Navigation Textbox [Logs MISP]\",\"type\":\"visualization\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-88a112e1-6da1-49d3-9177-19f98280c200\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"88a112e1-6da1-49d3-9177-19f98280c200\":{\"columnOrder\":[\"604f1693-15a6-437d-af69-03588db8e471\"],\"columns\":{\"604f1693-15a6-437d-af69-03588db8e471\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Unique Ports\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"threat.indicator.url.port\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"604f1693-15a6-437d-af69-03588db8e471\",\"layerId\":\"88a112e1-6da1-49d3-9177-19f98280c200\",\"layerType\":\"data\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":8,\"i\":\"c7c6e8dc-b649-434c-9650-8a1564d4d676\",\"w\":6,\"x\":7,\"y\":0},\"panelIndex\":\"c7c6e8dc-b649-434c-9650-8a1564d4d676\",\"title\":\"Unique Ports [Logs 
MISP]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-a6fa56f8-32fa-405d-8771-dade4fe75d62\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"a6fa56f8-32fa-405d-8771-dade4fe75d62\":{\"columnOrder\":[\"848c463b-bbc1-4b6a-af3e-76d844eb3cc5\"],\"columns\":{\"848c463b-bbc1-4b6a-af3e-76d844eb3cc5\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Unique Extensions\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"threat.indicator.url.extension\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"848c463b-bbc1-4b6a-af3e-76d844eb3cc5\",\"layerId\":\"a6fa56f8-32fa-405d-8771-dade4fe75d62\",\"layerType\":\"data\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":8,\"i\":\"73a752f9-bde5-4396-8ede-e9e77a37182d\",\"w\":6,\"x\":13,\"y\":0},\"panelIndex\":\"73a752f9-bde5-4396-8ede-e9e77a37182d\",\"title\":\"Unique File Extensions [Logs MISP]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-c94400ee-a135-4a99-9693-5879d29f7aad\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"c94400ee-a135-4a99-9693-5879d29f7aad\":{\"columnOrder\":[\"2934249f-fce5-4637-87ff-d2596d1b6ec5\"],\"columns\":{\"2934249f-fce5-4637-87ff-d2596d1b6ec5\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Unique 
Domains\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"threat.indicator.url.domain\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"2934249f-fce5-4637-87ff-d2596d1b6ec5\",\"layerId\":\"c94400ee-a135-4a99-9693-5879d29f7aad\",\"layerType\":\"data\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":8,\"i\":\"02f1732b-a981-4fba-8b27-b944f2f3c98c\",\"w\":6,\"x\":19,\"y\":0},\"panelIndex\":\"02f1732b-a981-4fba-8b27-b944f2f3c98c\",\"title\":\"Unique Domains [Logs MISP]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-9fa49c4c-5544-472d-afce-e51d6a5687fe\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"9fa49c4c-5544-472d-afce-e51d6a5687fe\":{\"columnOrder\":[\"15e2b5ad-2040-4253-89a6-60f085c66f86\",\"b9a631fe-5f49-4db2-a076-bcbf5410aec9\"],\"columns\":{\"15e2b5ad-2040-4253-89a6-60f085c66f86\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of threat.indicator.url.extension\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"b9a631fe-5f49-4db2-a076-bcbf5410aec9\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"threat.indicator.url.extension\"},\"b9a631fe-5f49-4db2-a076-bcbf5410aec9\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of 
records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"15e2b5ad-2040-4253-89a6-60f085c66f86\",\"15e2b5ad-2040-4253-89a6-60f085c66f86\"],\"layerId\":\"9fa49c4c-5544-472d-afce-e51d6a5687fe\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"b9a631fe-5f49-4db2-a076-bcbf5410aec9\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"treemap\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":31,\"i\":\"fda93ed1-72f0-4489-80b7-9e69d14f30aa\",\"w\":23,\"x\":25,\"y\":0},\"panelIndex\":\"fda93ed1-72f0-4489-80b7-9e69d14f30aa\",\"title\":\"Most Popular File Extensions [Logs MISP]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-0f63318a-a857-4d83-89ce-a94e2242b79e\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"0f63318a-a857-4d83-89ce-a94e2242b79e\":{\"columnOrder\":[\"df0791a6-247c-4434-a43a-fdea7577ca34\",\"77a48096-02aa-4b7a-8a7b-131fc38988bd\"],\"columns\":{\"77a48096-02aa-4b7a-8a7b-131fc38988bd\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"df0791a6-247c-4434-a43a-fdea7577ca34\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of 
threat.indicator.url.scheme\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"77a48096-02aa-4b7a-8a7b-131fc38988bd\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"threat.indicator.url.scheme\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"df0791a6-247c-4434-a43a-fdea7577ca34\"],\"layerId\":\"0f63318a-a857-4d83-89ce-a94e2242b79e\",\"layerType\":\"data\",\"legendDisplay\":\"show\",\"metric\":\"77a48096-02aa-4b7a-8a7b-131fc38988bd\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"donut\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"ab7ab31c-e76f-4613-b17d-fdd909f17e0d\",\"w\":18,\"x\":7,\"y\":8},\"panelIndex\":\"ab7ab31c-e76f-4613-b17d-fdd909f17e0d\",\"title\":\"Percentage of URL Schema used [Logs 
MISP]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-db89074c-e1fe-4091-bdb1-e42a36e82bac\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"db89074c-e1fe-4091-bdb1-e42a36e82bac\":{\"columnOrder\":[\"b284ea2a-a2cd-4d08-bf44-fc73c08b5694\",\"7ca1ac0b-2060-4431-a4b9-ec470af4448c\"],\"columns\":{\"7ca1ac0b-2060-4431-a4b9-ec470af4448c\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"b284ea2a-a2cd-4d08-bf44-fc73c08b5694\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Domains\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"7ca1ac0b-2060-4431-a4b9-ec470af4448c\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"threat.indicator.url.domain\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"columns\":[{\"columnId\":\"7ca1ac0b-2060-4431-a4b9-ec470af4448c\",\"isTransposed\":false},{\"columnId\":\"b284ea2a-a2cd-4d08-bf44-fc73c08b5694\",\"isTransposed\":false}],\"layerId\":\"db89074c-e1fe-4091-bdb1-e42a36e82bac\",\"layerType\":\"data\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsDatatable\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":16,\"i\":\"8994501a-1550-4cf2-857f-d6b6491ffb62\",\"w\":18,\"x\":7,\"y\":23},\"panelIndex\":\"8994501a-1550-4cf2-857f-d6b6491ffb62\",\"title\":\"Most Popular Domains [Logs MISP]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"}]", - "timeRestore": false, - "title": "[Logs MISP] URLs", - "version": 1 - }, - 
"coreMigrationVersion": "8.0.0", - "id": "ti_misp-399bb8d0-71ec-11ec-8197-5d53a5437877", - "migrationVersion": { - "dashboard": "8.0.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "c7c6e8dc-b649-434c-9650-8a1564d4d676:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "c7c6e8dc-b649-434c-9650-8a1564d4d676:indexpattern-datasource-layer-88a112e1-6da1-49d3-9177-19f98280c200", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "73a752f9-bde5-4396-8ede-e9e77a37182d:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "73a752f9-bde5-4396-8ede-e9e77a37182d:indexpattern-datasource-layer-a6fa56f8-32fa-405d-8771-dade4fe75d62", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "02f1732b-a981-4fba-8b27-b944f2f3c98c:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "02f1732b-a981-4fba-8b27-b944f2f3c98c:indexpattern-datasource-layer-c94400ee-a135-4a99-9693-5879d29f7aad", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "fda93ed1-72f0-4489-80b7-9e69d14f30aa:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "fda93ed1-72f0-4489-80b7-9e69d14f30aa:indexpattern-datasource-layer-9fa49c4c-5544-472d-afce-e51d6a5687fe", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "ab7ab31c-e76f-4613-b17d-fdd909f17e0d:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "ab7ab31c-e76f-4613-b17d-fdd909f17e0d:indexpattern-datasource-layer-0f63318a-a857-4d83-89ce-a94e2242b79e", - "type": "index-pattern" - 
}, - { - "id": "logs-*", - "name": "8994501a-1550-4cf2-857f-d6b6491ffb62:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "8994501a-1550-4cf2-857f-d6b6491ffb62:indexpattern-datasource-layer-db89074c-e1fe-4091-bdb1-e42a36e82bac", - "type": "index-pattern" - }, - { - "id": "ti_misp-550ba0e0-6c7d-11ec-9bce-f7a4dc94c294", - "name": "tag-ti_misp-550ba0e0-6c7d-11ec-9bce-f7a4dc94c294", - "type": "tag" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/ti_misp/1.7.1/kibana/dashboard/ti_misp-56ed8040-6c7d-11ec-9bce-f7a4dc94c294.json b/packages/ti_misp/1.7.1/kibana/dashboard/ti_misp-56ed8040-6c7d-11ec-9bce-f7a4dc94c294.json deleted file mode 100755 index e60f8f871b..0000000000 --- a/packages/ti_misp/1.7.1/kibana/dashboard/ti_misp-56ed8040-6c7d-11ec-9bce-f7a4dc94c294.json +++ /dev/null 
@@ -1,87 +0,0 @@ -{ - "attributes": { - "description": "Dashboard providing statistics about indicators ingested from the MISP integration", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.dataset\",\"negate\":false,\"params\":{\"query\":\"ti_misp.threat\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"event.dataset\":\"ti_misp.threat\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"event.kind\",\"negate\":false,\"params\":{\"query\":\"enrichment\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"event.kind\":\"enrichment\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":true,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"fontSize\":12,\"markdown\":\"**Navigation**\\n\\n**[MISP Overview (This Page)](/app/dashboards#/view/ti_misp-56ed8040-6c7d-11ec-9bce-f7a4dc94c294)** \\n[MISP Files](/app/dashboards#/view/ti_misp-32d9c020-71ea-11ec-8197-5d53a5437877) \\n[MISP URLs](/app/dashboards#/view/ti_misp-399bb8d0-71ec-11ec-8197-5d53a5437877) \\n\\n[Integrations Page](/app/integrations/detail/ti_misp/overview)\\n\\n\\n**Overview**\\n\\nThis dashboard is a health overview related to the MISP integration.\\n\\nThe dashboard is made to provide general statistics and show the health of the ingestion of indicators from MISP. 
\\n\\nIt shows ingestion rates and provides a few filters for drilling down to specific indicator types retrieved from MISP.\",\"openLinksInNewTab\":false},\"title\":\"Overview Textbox [Logs AbuseCH]\",\"type\":\"markdown\",\"uiState\":{}}},\"gridData\":{\"h\":36,\"i\":\"ce31769b-ab7b-48c0-8869-bdf0c943d013\",\"w\":7,\"x\":0,\"y\":0},\"panelIndex\":\"ce31769b-ab7b-48c0-8869-bdf0c943d013\",\"type\":\"visualization\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"id\":\"\",\"params\":{\"controls\":[{\"fieldName\":\"threat.indicator.provider\",\"id\":\"1641204819355\",\"indexPatternRefName\":\"control_8fd54b49-92c1-4b90-a0c9-c1cedaa137b5_0_index_pattern\",\"label\":\"Indicator Provider\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"},{\"fieldName\":\"threat.indicator.type\",\"id\":\"1641204843291\",\"indexPatternRefName\":\"control_8fd54b49-92c1-4b90-a0c9-c1cedaa137b5_1_index_pattern\",\"label\":\"Indicator Type\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"}],\"pinFilters\":false,\"updateFiltersOnChange\":false,\"useTimeFilter\":false},\"title\":\"\",\"type\":\"input_control_vis\",\"uiState\":{}}},\"gridData\":{\"h\":8,\"i\":\"8fd54b49-92c1-4b90-a0c9-c1cedaa137b5\",\"w\":26,\"x\":7,\"y\":0},\"panelIndex\":\"8fd54b49-92c1-4b90-a0c9-c1cedaa137b5\",\"title\":\"Indicator Selector [Logs 
MISP]\",\"type\":\"visualization\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-d87f35ee-570a-488b-b618-6ada39b49df4\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"d87f35ee-570a-488b-b618-6ada39b49df4\":{\"columnOrder\":[\"427cdedd-a93a-4f8e-93ce-f872b3809ae4\",\"d0f21543-9576-400e-aeca-babc5407d3a7\"],\"columns\":{\"427cdedd-a93a-4f8e-93ce-f872b3809ae4\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of threat.indicator.type\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"d0f21543-9576-400e-aeca-babc5407d3a7\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"threat.indicator.type\"},\"d0f21543-9576-400e-aeca-babc5407d3a7\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"427cdedd-a93a-4f8e-93ce-f872b3809ae4\"],\"layerId\":\"d87f35ee-570a-488b-b618-6ada39b49df4\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"d0f21543-9576-400e-aeca-babc5407d3a7\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"donut\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":22,\"i\":\"793c8c41-d3d3-4196-a0e6-aaac8bc1572b\",\"w\":15,\"x\":33,\"y\":0},\"panelIndex\":\"793c8c41-d3d3-4196-a0e6-aaac8bc1572b\",\"title\":\"Total Indicators per type [Logs 
MISP]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-0491a750-3050-47a9-bb99-c45984d3d28c\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"0491a750-3050-47a9-bb99-c45984d3d28c\":{\"columnOrder\":[\"fb93835d-e6a1-49b4-8911-ae15b081da8a\"],\"columns\":{\"fb93835d-e6a1-49b4-8911-ae15b081da8a\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Total Indicators\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"fb93835d-e6a1-49b4-8911-ae15b081da8a\",\"layerId\":\"0491a750-3050-47a9-bb99-c45984d3d28c\",\"layerType\":\"data\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":8,\"i\":\"7cb42a10-64fd-454a-8669-f579fa2d0850\",\"w\":6,\"x\":7,\"y\":8},\"panelIndex\":\"7cb42a10-64fd-454a-8669-f579fa2d0850\",\"title\":\"Total Indicators [Logs MISP]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-471f2a97-fb44-41a1-a5a0-2f68b9140ef5\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"471f2a97-fb44-41a1-a5a0-2f68b9140ef5\":{\"columnOrder\":[\"16691165-3643-4658-bfc8-4bba834f2789\",\"3e085a0a-8386-4f64-a629-44ae27b18878\"],\"columns\":{\"16691165-3643-4658-bfc8-4bba834f2789\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of 
threat.indicator.provider\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"3e085a0a-8386-4f64-a629-44ae27b18878\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"threat.indicator.provider\"},\"3e085a0a-8386-4f64-a629-44ae27b18878\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"accessors\":[\"3e085a0a-8386-4f64-a629-44ae27b18878\"],\"layerId\":\"471f2a97-fb44-41a1-a5a0-2f68b9140ef5\",\"layerType\":\"data\",\"position\":\"top\",\"seriesType\":\"bar_horizontal\",\"showGridlines\":false,\"splitAccessor\":\"16691165-3643-4658-bfc8-4bba834f2789\"}],\"legend\":{\"isVisible\":true,\"position\":\"right\",\"showSingleSeries\":true},\"preferredSeriesType\":\"bar_horizontal\",\"title\":\"Empty XY chart\",\"valueLabels\":\"hide\",\"valuesInLegend\":true,\"yLeftExtent\":{\"mode\":\"full\"},\"yRightExtent\":{\"mode\":\"full\"}}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsXY\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":14,\"i\":\"f5937489-643e-4254-819d-b1290b4b74c2\",\"w\":20,\"x\":13,\"y\":8},\"panelIndex\":\"f5937489-643e-4254-819d-b1290b4b74c2\",\"title\":\"Total Indicators per Provider [Logs 
MISP]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-c1cee622-e3dd-4d6b-a28a-0fb19dc2c7b7\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"c1cee622-e3dd-4d6b-a28a-0fb19dc2c7b7\":{\"columnOrder\":[\"4d7ca99c-8a53-4a7f-96db-409251c0e391\",\"b7f07f7c-1477-4f83-95f5-ad5cdc3a314b\",\"0726d151-9edf-41cb-ab52-473ab27cf8b7\"],\"columns\":{\"0726d151-9edf-41cb-ab52-473ab27cf8b7\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"4d7ca99c-8a53-4a7f-96db-409251c0e391\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of event.dataset\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"0726d151-9edf-41cb-ab52-473ab27cf8b7\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"size\":3},\"scale\":\"ordinal\",\"sourceField\":\"event.dataset\"},\"b7f07f7c-1477-4f83-95f5-ad5cdc3a314b\":{\"dataType\":\"date\",\"isBucketed\":true,\"label\":\"@timestamp\",\"operationType\":\"date_histogram\",\"params\":{\"interval\":\"30s\"},\"scale\":\"interval\",\"sourceField\":\"@timestamp\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"curveType\":\"CURVE_MONOTONE_X\",\"fittingFunction\":\"Zero\",\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"layers\":[{\"accessors\":[\"0726d151-9edf-41cb-ab52-473ab27cf8b7\"],\"layerId\":\"c1cee622-e3dd-4d6b-a28a-0fb19dc2c7b7\",\"layerType\":\"data\",\"position\":\"top\",\"seriesType\":\"line\",\"showGridlines\":false,\"splitAccessor\":\"4d7ca99c-8a53-4a7f-96db-409251c0e391\",\"xAccessor\":\"b7f07f7c-1477-4f83-95f5-ad5cdc3a314b\"}],
\"legend\":{\"isInside\":false,\"isVisible\":true,\"position\":\"bottom\",\"shouldTruncate\":false,\"showSingleSeries\":true},\"preferredSeriesType\":\"line\",\"title\":\"Empty XY chart\",\"valueLabels\":\"hide\",\"valuesInLegend\":false,\"xTitle\":\"Date\",\"yLeftExtent\":{\"mode\":\"full\"},\"yRightExtent\":{\"mode\":\"full\"},\"yTitle\":\"Total Indicators\"}},\"title\":\"Indicators ingested per Datastream [Logs AbuseCH]\",\"type\":\"lens\",\"visualizationType\":\"lnsXY\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":14,\"i\":\"77a4acf0-c56d-420f-b50b-8e5b082931c9\",\"w\":41,\"x\":7,\"y\":22},\"panelIndex\":\"77a4acf0-c56d-420f-b50b-8e5b082931c9\",\"title\":\"Indicators ingested [Logs MISP]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"}]", - "timeRestore": false, - "title": "[Logs MISP] Overview", - "version": 1 - }, - "coreMigrationVersion": "8.0.0", - "id": "ti_misp-56ed8040-6c7d-11ec-9bce-f7a4dc94c294", - "migrationVersion": { - "dashboard": "8.0.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "8fd54b49-92c1-4b90-a0c9-c1cedaa137b5:control_8fd54b49-92c1-4b90-a0c9-c1cedaa137b5_0_index_pattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "8fd54b49-92c1-4b90-a0c9-c1cedaa137b5:control_8fd54b49-92c1-4b90-a0c9-c1cedaa137b5_1_index_pattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "793c8c41-d3d3-4196-a0e6-aaac8bc1572b:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "793c8c41-d3d3-4196-a0e6-aaac8bc1572b:indexpattern-datasource-layer-d87f35ee-570a-488b-b618-6ada39b49df4", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": 
"7cb42a10-64fd-454a-8669-f579fa2d0850:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "7cb42a10-64fd-454a-8669-f579fa2d0850:indexpattern-datasource-layer-0491a750-3050-47a9-bb99-c45984d3d28c", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "f5937489-643e-4254-819d-b1290b4b74c2:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "f5937489-643e-4254-819d-b1290b4b74c2:indexpattern-datasource-layer-471f2a97-fb44-41a1-a5a0-2f68b9140ef5", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "77a4acf0-c56d-420f-b50b-8e5b082931c9:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "77a4acf0-c56d-420f-b50b-8e5b082931c9:indexpattern-datasource-layer-c1cee622-e3dd-4d6b-a28a-0fb19dc2c7b7", - "type": "index-pattern" - }, - { - "id": "ti_misp-550ba0e0-6c7d-11ec-9bce-f7a4dc94c294", - "name": "tag-ti_misp-550ba0e0-6c7d-11ec-9bce-f7a4dc94c294", - "type": "tag" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/ti_misp/1.7.1/kibana/tag/ti_misp-550ba0e0-6c7d-11ec-9bce-f7a4dc94c294.json b/packages/ti_misp/1.7.1/kibana/tag/ti_misp-550ba0e0-6c7d-11ec-9bce-f7a4dc94c294.json deleted file mode 100755 index b202c82473..0000000000 --- a/packages/ti_misp/1.7.1/kibana/tag/ti_misp-550ba0e0-6c7d-11ec-9bce-f7a4dc94c294.json +++ /dev/null @@ -1,14 +0,0 @@ -{ - "attributes": { - "color": "#6092C0", - "description": "", - "name": "MISP" - }, - "coreMigrationVersion": "8.0.0", - "id": "ti_misp-550ba0e0-6c7d-11ec-9bce-f7a4dc94c294", - "migrationVersion": { - "tag": "8.0.0" - }, - "references": [], - "type": "tag" -} \ No newline at end of file diff --git a/packages/ti_misp/1.7.1/manifest.yml b/packages/ti_misp/1.7.1/manifest.yml deleted file mode 100755 index 0fd9e889f4..0000000000 --- a/packages/ti_misp/1.7.1/manifest.yml +++ /dev/null 
@@ -1,26 +0,0 @@
-name: ti_misp
-title: MISP
-version: "1.7.1"
-release: ga
-description: Ingest threat intelligence indicators from MISP platform with Elastic Agent.
-type: integration
-format_version: 1.0.0
-license: basic
-categories: ["security", "threat_intel"]
-conditions:
- kibana.version: ^8.0.0
-icons:
- - src: /img/misp.svg
- title: MISP
- size: 216x216
- type: image/svg+xml
-policy_templates:
- - name: ti_misp
- title: MISP
- description: Ingest threat intelligence indicators from MISP platform with Elastic Agent.
- inputs:
- - type: httpjson
- title: "Ingest threat intelligence indicators from MISP platform with Elastic Agent."
- description: "Ingest threat intelligence indicators from MISP platform with Elastic Agent."
-owner:
- github: elastic/security-external-integrations
diff --git a/packages/zeek/2.5.2/LICENSE.txt b/packages/zeek/2.5.2/LICENSE.txt
deleted file mode 100755
index 809108b857..0000000000
--- a/packages/zeek/2.5.2/LICENSE.txt
+++ /dev/null
@@ -1,93 +0,0 @@
-Elastic License 2.0
-
-URL: https://www.elastic.co/licensing/elastic-license
-
-## Acceptance
-
-By using the software, you agree to all of the terms and conditions below.
-
-## Copyright License
-
-The licensor grants you a non-exclusive, royalty-free, worldwide,
-non-sublicensable, non-transferable license to use, copy, distribute, make
-available, and prepare derivative works of the software, in each case subject to
-the limitations and conditions below.
-
-## Limitations
-
-You may not provide the software to third parties as a hosted or managed
-service, where the service provides users with access to any substantial set of
-the features or functionality of the software.
-
-You may not move, change, disable, or circumvent the license key functionality
-in the software, and you may not remove or obscure any functionality in the
-software that is protected by the license key.
-
-You may not alter, remove, or obscure any licensing, copyright, or other notices
-of the licensor in the software. Any use of the licensor’s trademarks is subject
-to applicable law.
-
-## Patents
-
-The licensor grants you a license, under any patent claims the licensor can
-license, or becomes able to license, to make, have made, use, sell, offer for
-sale, import and have imported the software, in each case subject to the
-limitations and conditions in this license. This license does not cover any
-patent claims that you cause to be infringed by modifications or additions to
-the software. If you or your company make any written claim that the software
-infringes or contributes to infringement of any patent, your patent license for
-the software granted under these terms ends immediately. If your company makes
-such a claim, your patent license ends immediately for work on behalf of your
-company.
-
-## Notices
-
-You must ensure that anyone who gets a copy of any part of the software from you
-also gets a copy of these terms.
-
-If you modify the software, you must include in any modified copies of the
-software prominent notices stating that you have modified the software.
-
-## No Other Rights
-
-These terms do not imply any licenses other than those expressly granted in
-these terms.
-
-## Termination
-
-If you use the software in violation of these terms, such use is not licensed,
-and your licenses will automatically terminate. If the licensor provides you
-with a notice of your violation, and you cease all violation of this license no
-later than 30 days after you receive that notice, your licenses will be
-reinstated retroactively. However, if you violate these terms after such
-reinstatement, any additional violation of these terms will cause your licenses
-to terminate automatically and permanently.
-
-## No Liability
-
-*As far as the law allows, the software comes as is, without any warranty or
-condition, and the licensor will not be liable to you for any damages arising
-out of these terms or the use or nature of the software, under any kind of
-legal claim.*
-
-## Definitions
-
-The **licensor** is the entity offering these terms, and the **software** is the
-software the licensor makes available under these terms, including any portion
-of it.
-
-**you** refers to the individual or entity agreeing to these terms.
-
-**your company** is any legal entity, sole proprietorship, or other kind of
-organization that you work for, plus all organizations that have control over,
-are under the control of, or are under common control with that
-organization. **control** means ownership of substantially all the assets of an
-entity, or the power to direct its management and policies by vote, contract, or
-otherwise. Control can be direct or indirect.
-
-**your licenses** are all the licenses granted to you for the software under
-these terms.
-
-**use** means anything you do with the software requiring one of your licenses.
-
-**trademark** means trademarks, service marks, and similar rights.
diff --git a/packages/zeek/2.5.2/changelog.yml b/packages/zeek/2.5.2/changelog.yml
deleted file mode 100755
index 5c5e937e84..0000000000
--- a/packages/zeek/2.5.2/changelog.yml
+++ /dev/null
@@ -1,217 +0,0 @@
-# newer versions go on top
-- version: "2.5.2"
- changes:
- - description: Remove duplicate field.
- type: enhancement
- link: https://github.com/elastic/integrations/pull/4339
-- version: "2.5.1"
- changes:
- - description: Use ECS geo.location definition.
- type: enhancement
- link: https://github.com/elastic/integrations/issues/4227
-- version: "2.5.0"
- changes:
- - description: Add threat.indicator handling
- type: enhancement
- link: https://github.com/elastic/integrations/issues/4065
-- version: "2.4.1"
- changes:
- - description: Remove unused visualizations
- type: enhancement
- link: https://github.com/elastic/integrations/issues/3975
-- version: "2.4.0"
- changes:
- - description: Update package to ECS 8.4.0
- type: enhancement
- link: https://github.com/elastic/integrations/pull/3872
-- version: "2.3.1"
- changes:
- - description: Update package name and description to align with standard wording
- type: enhancement
- link: https://github.com/elastic/integrations/pull/3478
-- version: "2.3.0"
- changes:
- - description: Update package to ECS 8.3.0.
- type: enhancement
- link: https://github.com/elastic/integrations/pull/3353
-- version: "2.2.0"
- changes:
- - description: Add new data sets for known_hosts, known_certs, known_services, & software logs files.
- type: enhancement
- link: https://github.com/elastic/integrations/pull/3340
-- version: "2.1.0"
- changes:
- - description: Add JA3/JA3S parsing & fix certificate data parsing; hash, not valid before/after timestamps
- type: enhancement
- link: https://github.com/elastic/integrations/pull/3440
-- version: "2.0.0"
- changes:
- - description: Migrate map visualisation from tile_map to map object
- type: bugfix
- link: https://github.com/elastic/integrations/pull/3263
-- version: "1.9.0"
- changes:
- - description: Add `message` field to `zeek.syslog` datastream
- type: enhancement
- link: https://github.com/elastic/integrations/pull/3264
- - description: Fix field definition for `zeek.syslog.msg`
- type: bugfix
- link: https://github.com/elastic/integrations/pull/3264
-- version: "1.8.0"
- changes:
- - description: Make sure field values are valid for ECS
- type: bugfix
- link: https://github.com/elastic/integrations/pull/3243
-- version: "1.7.0"
- changes:
- - description: Update to ECS 8.2
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2781
-- version: "1.6.1"
- changes:
- - description: Add documentation for multi-fields
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2916
-- version: "1.6.0"
- changes:
- - description: Update to ECS 8.0
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2452
-- version: "1.5.4"
- changes:
- - description: Remove redundant event.ingested from Zeek pipelines.
- type: bugfix
- link: https://github.com/elastic/integrations/pull/2503
-- version: "1.5.3"
- changes:
- - description: Ignore URI parse failures in zeek.http data.
- type: bugfix
- link: https://github.com/elastic/integrations/pull/2501
-- version: "1.5.2"
- changes:
- - description: Regenerate test files using the new GeoIP database
- type: bugfix
- link: https://github.com/elastic/integrations/pull/2339
-- version: "1.5.1"
- changes:
- - description: Change test public IPs to the supported subset
- type: bugfix
- link: https://github.com/elastic/integrations/pull/2327
-- version: "1.5.0"
- changes:
- - description: Add 8.0.0 version constraint
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2263
-- version: "1.4.3"
- changes:
- - description: Uniform with guidelines
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2078
-- version: "1.4.2"
- changes:
- - description: Update Title and Description.
- type: enhancement
- link: https://github.com/elastic/integrations/pull/1992
-- version: "1.4.1"
- changes:
- - description: Fix logic that checks for the 'forwarded' tag
- type: bugfix
- link: https://github.com/elastic/integrations/pull/1861
-- version: "1.4.0"
- changes:
- - description: Update to ECS 1.12.0
- type: enhancement
- link: https://github.com/elastic/integrations/pull/1682
-- version: "1.3.0"
- changes:
- - description: Add Sigature and NTP data streams
- type: enhancement
- link: https://github.com/elastic/integrations/pull/1515
-- version: "1.2.2"
- changes:
- - description: Convert to generated ECS fields
- type: enhancement
- link: https://github.com/elastic/integrations/pull/1512
-- version: '1.2.1'
- changes:
- - description: update to ECS 1.11.0
- type: enhancement
- link: https://github.com/elastic/integrations/pull/1426
-- version: "1.2.0"
- changes:
- - description: Update documentation to fit mdx spec
- type: enhancement
- link: https://github.com/elastic/integrations/pull/1401
-- version: "1.1.0"
- changes:
- - description: Update integration description
- type: enhancement
- link: https://github.com/elastic/integrations/pull/1364
-- version: "1.0.0"
- changes:
- - description: make GA
- type: enhancement
- link: https://github.com/elastic/integrations/pull/1217
- - description: Set "event.module" and "event.dataset"
- type: enhancement
- link: https://github.com/elastic/integrations/pull/1217
-- version: "0.8.4"
- changes:
- - description: Add support for Splunk authorization tokens
- type: enhancement
- link: https://github.com/elastic/integrations/pull/1147
-- version: "0.8.3"
- changes:
- - description: Fix Third Party Api ingest pipeline
- type: bugfix
- link: https://github.com/elastic/integrations/pull/1201
-- version: "0.8.2"
- changes:
- - description: Use `wildcard` field type.
- type: enhancement
- link: https://github.com/elastic/integrations/pull/1164
-- version: "0.8.1"
- changes:
- - description: Add support for ISO8601 timestamps
- type: enhancement
- link: https://github.com/elastic/integrations/pull/1118
-- version: "0.8.0"
- changes:
- - description: Update to ECS 1.10.0, adding processor fields and replacing default tags from . to - between words.
- type: enhancement
- link: https://github.com/elastic/integrations/pull/1109
-- version: "0.7.4"
- changes:
- - description: Add system test for httpjson Splunk input.
- type: enhancement
- link: https://github.com/elastic/integrations/pull/1108
-- version: "0.7.3"
- changes:
- - description: Make event.original optional
- type: enhancement
- link: https://github.com/elastic/integrations/pull/992
-- version: "0.7.2"
- changes:
- - description: adding back 0.7.0 changes
- type: bugfix
- link: https://github.com/elastic/integrations/pull/986
-- version: "0.7.1"
- changes:
- - description: rolling back to 0.6.0 changes for compatibility with 7.12
- type: bugfix
- link: https://github.com/elastic/package-storage/pull/1273
-- version: "0.7.0"
- changes:
- - description: moving edge processing to ingest pipeline
- type: enhancement
- link: https://github.com/elastic/integrations/pull/895
-- version: "0.6.1"
- changes:
- - description: update to ECS 1.9.0
- type: enhancement
- link: https://github.com/elastic/integrations/pull/831
-- version: "0.1.0"
- changes:
- - description: initial release
- type: enhancement
- link: https://github.com/elastic/integrations/pull/245
diff --git a/packages/zeek/2.5.2/data_stream/capture_loss/agent/stream/httpjson.yml.hbs b/packages/zeek/2.5.2/data_stream/capture_loss/agent/stream/httpjson.yml.hbs
deleted file mode 100755
index 33f251e7d6..0000000000
--- a/packages/zeek/2.5.2/data_stream/capture_loss/agent/stream/httpjson.yml.hbs
+++ /dev/null
@@ -1,63 +0,0 @@ -config_version: 2 -interval: {{interval}} -{{#unless token}} -{{#if username}} -{{#if password}} -auth.basic.user: {{username}} -auth.basic.password: {{password}} -{{/if}} -{{/if}} -{{/unless}} -cursor: - index_earliest: - value: '[[.last_event.result.max_indextime]]' -request.url: {{url}}/services/search/jobs/export -{{#if ssl}} -request.ssl: {{ssl}} -{{/if}} -request.method: POST -request.transforms: - - set: - target: url.params.search - value: {{search}} | streamstats max(_indextime) AS max_indextime - - set: - target: url.params.output_mode - value: "json" - - set: - target: url.params.index_earliest - value: '[[ .cursor.index_earliest ]]' - default: '[[(now (parseDuration "-{{interval}}")).Unix]]' - - set: - target: url.params.index_latest - value: '[[(now).Unix]]' - - set: - target: header.Content-Type - value: application/x-www-form-urlencoded -{{#unless username}} -{{#unless password}} -{{#if token}} - - set: - target: header.Authorization - value: {{token}} -{{/if}} -{{/unless}} -{{/unless}} -response.decode_as: application/x-ndjson -response.split: - target: body.result._raw - type: string - delimiter: "\n" -tags: -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#each tags as |tag i|}} - - {{tag}} -{{/each}} -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} -{{#if processors}} -processors: -{{processors}} -{{/if}} diff --git a/packages/zeek/2.5.2/data_stream/capture_loss/agent/stream/log.yml.hbs b/packages/zeek/2.5.2/data_stream/capture_loss/agent/stream/log.yml.hbs deleted file mode 100755 index 9dd9f724a5..0000000000 --- a/packages/zeek/2.5.2/data_stream/capture_loss/agent/stream/log.yml.hbs +++ /dev/null 
@@ -1,21 +0,0 @@ -paths: -{{#each base_paths}} - {{#each ../filenames}} - - {{../this}}/{{this}} - {{/each}} -{{/each}} -exclude_files: [".gz$"] -tags: -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#each tags as |tag i|}} - - {{tag}} -{{/each}} -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} -{{#if processors}} -processors: -{{processors}} -{{/if}} diff --git a/packages/zeek/2.5.2/data_stream/capture_loss/elasticsearch/ingest_pipeline/default.yml b/packages/zeek/2.5.2/data_stream/capture_loss/elasticsearch/ingest_pipeline/default.yml deleted file mode 100755 index e4cde141a9..0000000000 --- a/packages/zeek/2.5.2/data_stream/capture_loss/elasticsearch/ingest_pipeline/default.yml +++ /dev/null @@ -1,54 +0,0 @@ ---- -description: Pipeline for normalizing Zeek capture_loss.log -processors: - - rename: - field: message - target_field: event.original - - json: - field: event.original - target_field: _temp_ - - pipeline: - if: ctx?._temp_?.result != null - name: '{{ IngestPipeline "third-party" }}' - - drop: - description: Drop if no timestamp (invalid json) - if: 'ctx?._temp_?.ts == null' - - rename: - target_field: zeek.capture_loss - field: _temp_ - -# Sets event.created from the @timestamp field generated by filebeat before being overwritten further down - - set: - field: event.created - copy_from: "@timestamp" - - set: - field: ecs.version - value: '8.4.0' - - date: - field: zeek.capture_loss.ts - formats: - - UNIX - - ISO8601 - - set: - field: event.kind - value: metric - - set: - field: event.type - value: info - - convert: - field: zeek.percent_lost - type: long - ignore_missing: true - - remove: - field: - - zeek.capture_loss.ts - ignore_missing: true - - remove: - field: event.original - if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" - ignore_failure: true - ignore_missing: true -on_failure: - - set: - field: error.message - value: "{{ _ingest.on_failure_message }}" 
diff --git a/packages/zeek/2.5.2/data_stream/capture_loss/elasticsearch/ingest_pipeline/third-party.yml b/packages/zeek/2.5.2/data_stream/capture_loss/elasticsearch/ingest_pipeline/third-party.yml deleted file mode 100755 index 5bc2247db2..0000000000 --- a/packages/zeek/2.5.2/data_stream/capture_loss/elasticsearch/ingest_pipeline/third-party.yml +++ /dev/null @@ -1,39 +0,0 @@ ---- -description: Pipeline for parsing Zeek logs from third party api -processors: - - fingerprint: - fields: - - _temp_.result._cd - - _temp_.result._indextime - - _temp_.result._raw - - _temp_.result._time - - _temp_.result.host - - _temp_.result.source - target_field: '_id' - ignore_missing: true - - set: - field: event.original - copy_from: _temp_.result._raw - ignore_empty_value: true - - set: - field: host.name - copy_from: _temp_.result.host - ignore_empty_value: true - - set: - copy_from: _temp_.result.source - field: log.file.path - ignore_empty_value: true - - remove: - field: _temp_ - ignore_missing: true - - json: - field: event.original - target_field: _temp_ -on_failure: - - append: - field: error.message - value: >- - error in third party api pipeline: - error in [{{_ingest.on_failure_processor_type}}] processor{{#_ingest.on_failure_processor_tag}} - with tag [{{_ingest.on_failure_processor_tag }}]{{/_ingest.on_failure_processor_tag}} - {{ _ingest.on_failure_message }} diff --git a/packages/zeek/2.5.2/data_stream/capture_loss/fields/agent.yml b/packages/zeek/2.5.2/data_stream/capture_loss/fields/agent.yml deleted file mode 100755 index ed1313d1b0..0000000000 --- a/packages/zeek/2.5.2/data_stream/capture_loss/fields/agent.yml +++ /dev/null 
@@ -1,171 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: "Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on." - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: "The cloud account or organization id used to identify different entities in a multi-tenant environment.\nExamples: AWS account id, Google Cloud ORG Id, or other unique identifier." - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: "Container fields are used for meta information about the specific container that is the source of information.\nThese fields help correlate data based containers from any runtime." - type: group - fields: - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: "A host is defined as a general computing instance.\nECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes." - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: "Name of the domain of which the host is a member.\nFor example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider." - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: "Hostname of the host.\nIt normally contains what the `hostname` command returns on the host machine." - - name: id - level: core - type: keyword - ignore_above: 1024 - description: "Unique host id.\nAs hostname is not always unique, use values that are meaningful in your environment.\nExample: The current usage of `beat.name`." - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. 
- - name: name - level: core - type: keyword - ignore_above: 1024 - description: "Name of the host.\nIt can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use." - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: "Type of host.\nFor Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment." - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - diff --git a/packages/zeek/2.5.2/data_stream/capture_loss/fields/base-fields.yml b/packages/zeek/2.5.2/data_stream/capture_loss/fields/base-fields.yml deleted file mode 100755 index 9c7832bd78..0000000000 --- a/packages/zeek/2.5.2/data_stream/capture_loss/fields/base-fields.yml +++ /dev/null 
@@ -1,20 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: event.module - type: constant_keyword - description: Event module - value: zeek -- name: event.dataset - type: constant_keyword - description: Event dataset - value: zeek.capture_loss -- name: '@timestamp' - type: date - description: Event timestamp. diff --git a/packages/zeek/2.5.2/data_stream/capture_loss/fields/beats.yml b/packages/zeek/2.5.2/data_stream/capture_loss/fields/beats.yml deleted file mode 100755 index 470f5fae48..0000000000 --- a/packages/zeek/2.5.2/data_stream/capture_loss/fields/beats.yml +++ /dev/null @@ -1,23 +0,0 @@ -- description: Unique container id. - ignore_above: 1024 - name: container.id - type: keyword -- description: Type of Filebeat input. - name: input.type - type: keyword -- description: Full path to the log file this event came from. - example: /var/log/fun-times.log - ignore_above: 1024 - name: log.file.path - type: keyword -- description: Flags for the log file. - name: log.flags - type: keyword -- description: Offset of the entry in the log file. - name: log.offset - type: long -- description: List of keywords used to tag each event. - example: '["production", "env2"]' - ignore_above: 1024 - name: tags - type: keyword diff --git a/packages/zeek/2.5.2/data_stream/capture_loss/fields/ecs.yml b/packages/zeek/2.5.2/data_stream/capture_loss/fields/ecs.yml deleted file mode 100755 index e6556a6265..0000000000 --- a/packages/zeek/2.5.2/data_stream/capture_loss/fields/ecs.yml +++ /dev/null 
@@ -1,40 +0,0 @@ -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: Error message. - name: error.message - type: match_only_text -- description: |- - event.created contains the date/time when the event was first read by an agent, or by your pipeline. - This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. - In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. - In case the two timestamps are identical, @timestamp should be used. - name: event.created - type: date -- description: |- - Timestamp when an event arrived in the central data store. - This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. - In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. - name: event.ingested - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. 
They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. - `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. This will allow proper categorization of some events that fall in multiple event types. - name: event.type - normalize: - - array - type: keyword -- description: Host ip addresses. - name: host.ip - normalize: - - array - type: ip diff --git a/packages/zeek/2.5.2/data_stream/capture_loss/fields/fields.yml b/packages/zeek/2.5.2/data_stream/capture_loss/fields/fields.yml deleted file mode 100755 index 54671c4d12..0000000000 --- a/packages/zeek/2.5.2/data_stream/capture_loss/fields/fields.yml +++ /dev/null @@ -1,23 +0,0 @@ -- name: zeek.capture_loss - type: group - fields: - - name: ts_delta - type: integer - description: | - The time delay between this measurement and the last. - - name: peer - type: keyword - description: | - In the event that there are multiple Bro instances logging to the same host, this distinguishes each peer with its individual name. - - name: gaps - type: integer - description: | - Number of missed ACKs from the previous measurement interval. - - name: acks - type: integer - description: | - Total number of ACKs seen in the previous measurement interval. - - name: percent_lost - type: double - description: | - Percentage of ACKs seen where the data being ACKed wasn't seen. diff --git a/packages/zeek/2.5.2/data_stream/capture_loss/fields/package-fields.yml b/packages/zeek/2.5.2/data_stream/capture_loss/fields/package-fields.yml deleted file mode 100755 index 4d6d6ea170..0000000000 
--- a/packages/zeek/2.5.2/data_stream/capture_loss/fields/package-fields.yml +++ /dev/null @@ -1,7 +0,0 @@ -- name: zeek - type: group - fields: - - name: session_id - type: keyword - description: | - A unique identifier of the session diff --git a/packages/zeek/2.5.2/data_stream/capture_loss/manifest.yml b/packages/zeek/2.5.2/data_stream/capture_loss/manifest.yml deleted file mode 100755 index db5171babd..0000000000 --- a/packages/zeek/2.5.2/data_stream/capture_loss/manifest.yml +++ /dev/null 
@@ -1,85 +0,0 @@ -type: logs -title: Zeek capture_loss logs -streams: - - input: logfile - vars: - - name: filenames - type: text - title: Filename of capture loss log file - multi: true - required: true - show_user: true - default: - - capture_loss.log - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: false - default: - - forwarded - - zeek-capture-loss - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original` - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: > - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. - - template_path: log.yml.hbs - title: Zeek capture_loss.log - description: Collect Zeek capture_loss logs - - input: httpjson - title: Zeek capture_loss logs via Splunk Enterprise REST API - description: Collect Zeek capture_loss logs via Splunk Enterprise REST API - enabled: false - template_path: httpjson.yml.hbs - vars: - - name: interval - type: text - title: Interval to query Splunk Enterprise REST API - description: Go Duration syntax (eg. 
10s) - show_user: true - required: true - default: 10s - - name: search - type: text - title: Splunk search string - show_user: true - required: true - default: "search sourcetype=\"capture_loss-*\"" - - name: tags - type: text - title: Tags - multi: true - show_user: false - default: - - forwarded - - zeek-capture-loss - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original` - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: >- - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. diff --git a/packages/zeek/2.5.2/data_stream/connection/agent/stream/httpjson.yml.hbs b/packages/zeek/2.5.2/data_stream/connection/agent/stream/httpjson.yml.hbs deleted file mode 100755 index 33f251e7d6..0000000000 --- a/packages/zeek/2.5.2/data_stream/connection/agent/stream/httpjson.yml.hbs +++ /dev/null 
@@ -1,63 +0,0 @@ -config_version: 2 -interval: {{interval}} -{{#unless token}} -{{#if username}} -{{#if password}} -auth.basic.user: {{username}} -auth.basic.password: {{password}} -{{/if}} -{{/if}} -{{/unless}} -cursor: - index_earliest: - value: '[[.last_event.result.max_indextime]]' -request.url: {{url}}/services/search/jobs/export -{{#if ssl}} -request.ssl: {{ssl}} -{{/if}} -request.method: POST -request.transforms: - - set: - target: url.params.search - value: {{search}} | streamstats max(_indextime) AS max_indextime - - set: - target: url.params.output_mode - value: "json" - - set: - target: url.params.index_earliest - value: '[[ .cursor.index_earliest ]]' - default: '[[(now (parseDuration "-{{interval}}")).Unix]]' - - set: - target: url.params.index_latest - value: '[[(now).Unix]]' - - set: - target: header.Content-Type - value: application/x-www-form-urlencoded -{{#unless username}} -{{#unless password}} -{{#if token}} - - set: - target: header.Authorization - value: {{token}} -{{/if}} -{{/unless}} -{{/unless}} -response.decode_as: application/x-ndjson -response.split: - target: body.result._raw - type: string - delimiter: "\n" -tags: -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#each tags as |tag i|}} - - {{tag}} -{{/each}} -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} -{{#if processors}} -processors: -{{processors}} -{{/if}} diff --git a/packages/zeek/2.5.2/data_stream/connection/agent/stream/log.yml.hbs b/packages/zeek/2.5.2/data_stream/connection/agent/stream/log.yml.hbs deleted file mode 100755 index 9dd9f724a5..0000000000 --- a/packages/zeek/2.5.2/data_stream/connection/agent/stream/log.yml.hbs +++ /dev/null 
@@ -1,21 +0,0 @@ -paths: -{{#each base_paths}} - {{#each ../filenames}} - - {{../this}}/{{this}} - {{/each}} -{{/each}} -exclude_files: [".gz$"] -tags: -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#each tags as |tag i|}} - - {{tag}} -{{/each}} -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} -{{#if processors}} -processors: -{{processors}} -{{/if}} diff --git a/packages/zeek/2.5.2/data_stream/connection/elasticsearch/ingest_pipeline/default.yml b/packages/zeek/2.5.2/data_stream/connection/elasticsearch/ingest_pipeline/default.yml deleted file mode 100755 index f14051ded7..0000000000 --- a/packages/zeek/2.5.2/data_stream/connection/elasticsearch/ingest_pipeline/default.yml +++ /dev/null 
@@ -1,339 +0,0 @@ ---- -description: Pipeline for normalizing Zeek conn.log -processors: - - rename: - field: message - target_field: event.original - - json: - field: event.original - target_field: _temp_ - - pipeline: - if: ctx?._temp_?.result != null - name: '{{ IngestPipeline "third-party" }}' - - drop: - description: Drop if no timestamp (invalid json) - if: 'ctx?._temp_?.ts == null' - - rename: - field: _temp_ - target_field: zeek.connection - ignore_failure: true - -# Sets event.created from the @timestamp field generated by filebeat before being overwritten further down - - set: - field: event.created - copy_from: "@timestamp" - - set: - field: ecs.version - value: '8.4.0' - - set: - field: event.kind - value: event - - set: - field: event.category - value: network - - dot_expander: - path: zeek.connection - field: id.orig_p - ignore_failure: true - - dot_expander: - path: zeek.connection - field: id.orig_h - ignore_failure: true - - dot_expander: - path: zeek.connection - field: id.resp_h - ignore_failure: true - - dot_expander: - path: zeek.connection - field: id.resp_p - ignore_failure: true - - rename: - field: zeek.connection.duration - target_field: temp.duration - ignore_missing: true - - rename: - field: zeek.connection.id.orig_h - target_field: source.address - ignore_missing: true - - rename: - field: zeek.connection.id.orig_p - target_field: source.port - ignore_missing: true - - rename: - field: zeek.connection.id.resp_h - target_field: destination.address - ignore_missing: true - - rename: - field: zeek.connection.id.resp_p - target_field: destination.port - ignore_missing: true - - rename: - field: zeek.connection.proto - target_field: network.transport - ignore_missing: true - - rename: - field: zeek.connection.service - target_field: network.protocol - ignore_missing: true - - rename: - field: zeek.connection.uid - target_field: zeek.session_id - ignore_missing: true - - rename: - field: zeek.connection.orig_ip_bytes - target_field: 
source.bytes - ignore_missing: true - - rename: - field: zeek.connection.resp_ip_bytes - target_field: destination.bytes - ignore_missing: true - - rename: - field: zeek.connection.orig_pkts - target_field: source.packets - ignore_missing: true - - rename: - field: zeek.connection.resp_pkts - target_field: destination.packets - ignore_missing: true - - rename: - field: zeek.connection.conn_state - target_field: zeek.connection.state - ignore_missing: true - - rename: - field: zeek.connection.orig_l2_addr - target_field: source.mac - ignore_missing: true - - rename: - field: zeek.connection.resp_l2_addr - target_field: destination.mac - ignore_missing: true - - rename: - field: source.port - target_field: zeek.connection.icmp.type - ignore_missing: true - if: 'ctx?.network?.transport == "icmp"' - - rename: - field: destination.port - target_field: zeek.connection.icmp.code - ignore_missing: true - if: 'ctx?.network?.transport == "icmp"' - - set: - field: source.ip - copy_from: source.address - if: ctx?.source?.address != null - - set: - field: destination.ip - copy_from: destination.address - if: ctx?.destination?.address != null - - community_id: - if: 'ctx?.network?.transport != "icmp"' - - community_id: - icmp_type: zeek.connection.icmp.type - icmp_code: zeek.connection.icmp.code - if: 'ctx?.network?.transport == "icmp"' - - date: - field: zeek.connection.ts - formats: - - UNIX - - ISO8601 - - remove: - field: zeek.connection.ts - - set: - field: event.id - copy_from: zeek.session_id - if: ctx.zeek.session_id != null - - script: - source: ctx.event.duration = Math.round(ctx.temp.duration * params.scale) - params: - scale: 1000000000 - if: ctx.temp?.duration != null - - append: - field: tags - value: - - local_orig - if: ctx?.zeek?.connection?.local_orig != null - allow_duplicates: false - - append: - field: tags - value: - - local_resp - if: ctx?.zeek?.connection?.local_resp != null - allow_duplicates: false - - append: - field: related.ip - value: 
"{{source.ip}}" - if: ctx?.source?.ip != null - allow_duplicates: false - - append: - field: related.ip - value: "{{destination.ip}}" - if: ctx?.destination?.ip != null - allow_duplicates: false - - script: - source: ctx.network.packets = ctx.source.packets + ctx.destination.packets - ignore_failure: true - - script: - source: ctx.network.bytes = ctx.source.bytes + ctx.destination.bytes - ignore_failure: true - - script: - source: |- - if (ctx?.zeek?.connection?.local_orig == null || - ctx?.zeek?.connection?.local_resp == null) { - return; - } - if (ctx.zeek.connection.local_orig == true && - ctx.zeek.connection.local_resp == true) { - ctx.network.direction = "internal"; - return; - } - if (ctx.zeek.connection.local_orig == true && - ctx.zeek.connection.local_resp == false) { - ctx.network.direction = "outbound"; - return; - } - if (ctx.zeek.connection.local_orig == false && - ctx.zeek.connection.local_resp == true) { - ctx.network.direction = "inbound"; - return; - } - if (ctx.zeek.connection.local_orig == false && - ctx.zeek.connection.local_resp == false) { - ctx.network.direction = "external"; - return; - } - - geoip: - field: destination.ip - target_field: destination.geo - if: ctx?.destination?.ip != null - - geoip: - field: source.ip - target_field: source.geo - if: ctx?.source?.ip != null - - geoip: - database_file: GeoLite2-ASN.mmdb - field: source.ip - target_field: source.as - properties: - - asn - - organization_name - ignore_missing: true - - geoip: - database_file: GeoLite2-ASN.mmdb - field: destination.ip - target_field: destination.as - properties: - - asn - - organization_name - ignore_missing: true - - rename: - field: source.as.asn - target_field: source.as.number - ignore_missing: true - - rename: - field: source.as.organization_name - target_field: source.as.organization.name - ignore_missing: true - - rename: - field: destination.as.asn - target_field: destination.as.number - ignore_missing: true - - rename: - field: 
destination.as.organization_name - target_field: destination.as.organization.name - ignore_missing: true - - script: - params: - S0: - conn_str: "Connection attempt seen, no reply." - types: - - connection - - start - S1: - conn_str: "Connection established, not terminated." - types: - - connection - - start - SF: - conn_str: "Normal establishment and termination." - types: - - connection - - start - - end - REJ: - conn_str: "Connection attempt rejected." - types: - - connection - - start - - denied - S2: - conn_str: "Connection established and close attempt by originator seen (but no reply from responder)." - types: - - connection - - info - S3: - conn_str: "Connection established and close attempt by responder seen (but no reply from originator)." - types: - - connection - - info - RSTO: - conn_str: "Connection established, originator aborted (sent a RST)." - types: - - connection - - info - RSTR: - conn_str: "Responder sent a RST." - types: - - connection - - info - RSTOS0: - conn_str: "Originator sent a SYN followed by a RST, we never saw a SYN-ACK from the responder." - types: - - connection - - info - RSTRH: - conn_str: "Responder sent a SYN ACK followed by a RST, we never saw a SYN from the (purported) originator." - types: - - connection - - info - SH: - conn_str: "Originator sent a SYN followed by a FIN, we never saw a SYN ACK from the responder (hence the connection was 'half' open)." - types: - - connection - - info - SHR: - conn_str: "Responder sent a SYN ACK followed by a FIN, we never saw a SYN from the originator." - types: - - connection - - info - OTH: - conn_str: "No SYN seen, just midstream traffic (a 'partial connection' that was not later closed)." 
- types: - - connection - - info - source: >- - if (ctx?.zeek?.connection?.state == null) { - return; - } - if (params.containsKey(ctx.zeek.connection.state)) { - ctx.zeek.connection.state_message = params[ctx.zeek.connection.state]["conn_str"]; - ctx.event.type = params[ctx.zeek.connection.state]["types"]; - } - - remove: - field: - - zeek.connection.id - - zeek.connection.orig_bytes - - zeek.connection.resp_bytes - - zeek.connection.tunnel_parents - - message - - json - - temp - ignore_missing: true - - remove: - field: event.original - if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" - ignore_failure: true - ignore_missing: true -on_failure: - - set: - field: error.message - value: "{{ _ingest.on_failure_message }}" diff --git a/packages/zeek/2.5.2/data_stream/connection/elasticsearch/ingest_pipeline/third-party.yml b/packages/zeek/2.5.2/data_stream/connection/elasticsearch/ingest_pipeline/third-party.yml deleted file mode 100755 index 5bc2247db2..0000000000 --- a/packages/zeek/2.5.2/data_stream/connection/elasticsearch/ingest_pipeline/third-party.yml +++ /dev/null 
@@ -1,39 +0,0 @@ ---- -description: Pipeline for parsing Zeek logs from third party api -processors: - - fingerprint: - fields: - - _temp_.result._cd - - _temp_.result._indextime - - _temp_.result._raw - - _temp_.result._time - - _temp_.result.host - - _temp_.result.source - target_field: '_id' - ignore_missing: true - - set: - field: event.original - copy_from: _temp_.result._raw - ignore_empty_value: true - - set: - field: host.name - copy_from: _temp_.result.host - ignore_empty_value: true - - set: - copy_from: _temp_.result.source - field: log.file.path - ignore_empty_value: true - - remove: - field: _temp_ - ignore_missing: true - - json: - field: event.original - target_field: _temp_ -on_failure: - - append: - field: error.message - value: >- - error in third party api pipeline: - error in [{{_ingest.on_failure_processor_type}}] processor{{#_ingest.on_failure_processor_tag}} - with tag [{{_ingest.on_failure_processor_tag }}]{{/_ingest.on_failure_processor_tag}} - {{ _ingest.on_failure_message }} diff --git a/packages/zeek/2.5.2/data_stream/connection/fields/agent.yml b/packages/zeek/2.5.2/data_stream/connection/fields/agent.yml deleted file mode 100755 index ed1313d1b0..0000000000 --- a/packages/zeek/2.5.2/data_stream/connection/fields/agent.yml +++ /dev/null 
@@ -1,171 +0,0 @@
-- name: cloud
- title: Cloud
- group: 2
- description: Fields related to the cloud or infrastructure the events are coming from.
- footnote: "Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on."
- type: group
- fields:
- - name: account.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: "The cloud account or organization id used to identify different entities in a multi-tenant environment.\nExamples: AWS account id, Google Cloud ORG Id, or other unique identifier."
- example: 666777888999
- - name: availability_zone
- level: extended
- type: keyword
- ignore_above: 1024
- description: Availability zone in which this host is running.
- example: us-east-1c
- - name: instance.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance ID of the host machine.
- example: i-1234567890abcdef0
- - name: instance.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance name of the host machine.
- - name: machine.type
- level: extended
- type: keyword
- ignore_above: 1024
- description: Machine type of the host machine.
- example: t2.medium
- - name: provider
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
- example: aws
- - name: region
- level: extended
- type: keyword
- ignore_above: 1024
- description: Region in which this host is running.
- example: us-east-1
- - name: project.id
- type: keyword
- description: Name of the project in Google Cloud.
- - name: image.id
- type: keyword
- description: Image ID for the cloud instance.
-- name: container
- title: Container
- group: 2
- description: "Container fields are used for meta information about the specific container that is the source of information.\nThese fields help correlate data based containers from any runtime."
- type: group
- fields:
- - name: image.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the image the container was built on.
- - name: labels
- level: extended
- type: object
- object_type: keyword
- description: Image labels.
- - name: name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Container name.
-- name: host
- title: Host
- group: 2
- description: "A host is defined as a general computing instance.\nECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes."
- type: group
- fields:
- - name: architecture
- level: core
- type: keyword
- ignore_above: 1024
- description: Operating system architecture.
- example: x86_64
- - name: domain
- level: extended
- type: keyword
- ignore_above: 1024
- description: "Name of the domain of which the host is a member.\nFor example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider."
- example: CONTOSO
- default_field: false
- - name: hostname
- level: core
- type: keyword
- ignore_above: 1024
- description: "Hostname of the host.\nIt normally contains what the `hostname` command returns on the host machine."
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: "Unique host id.\nAs hostname is not always unique, use values that are meaningful in your environment.\nExample: The current usage of `beat.name`."
- - name: mac
- level: core
- type: keyword
- ignore_above: 1024
- description: Host mac addresses.
- - name: name
- level: core
- type: keyword
- ignore_above: 1024
- description: "Name of the host.\nIt can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use."
- - name: os.family
- level: extended
- type: keyword
- ignore_above: 1024
- description: OS family (such as redhat, debian, freebsd, windows).
- example: debian
- - name: os.kernel
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system kernel version as a raw string.
- example: 4.4.0-112-generic
- - name: os.name
- level: extended
- type: keyword
- ignore_above: 1024
- multi_fields:
- - name: text
- type: text
- norms: false
- default_field: false
- description: Operating system name, without the version.
- example: Mac OS X
- - name: os.platform
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system platform (such centos, ubuntu, windows).
- example: darwin
- - name: os.version
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system version as a raw string.
- example: 10.14.1
- - name: type
- level: core
- type: keyword
- ignore_above: 1024
- description: "Type of host.\nFor Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment."
- - name: containerized
- type: boolean
- description: >
- If the host is a container.
-
- - name: os.build
- type: keyword
- example: "18D109"
- description: >
- OS build information.
-
- - name: os.codename
- type: keyword
- example: "stretch"
- description: >
- OS codename, if any.
-
diff --git a/packages/zeek/2.5.2/data_stream/connection/fields/base-fields.yml b/packages/zeek/2.5.2/data_stream/connection/fields/base-fields.yml
deleted file mode 100755
index 9790a9113a..0000000000
--- a/packages/zeek/2.5.2/data_stream/connection/fields/base-fields.yml
+++ /dev/null
@@ -1,20 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: event.module
- type: constant_keyword
- description: Event module
- value: zeek
-- name: event.dataset
- type: constant_keyword
- description: Event dataset
- value: zeek.connection
-- name: '@timestamp'
- type: date
- description: Event timestamp.
diff --git a/packages/zeek/2.5.2/data_stream/connection/fields/beats.yml b/packages/zeek/2.5.2/data_stream/connection/fields/beats.yml
deleted file mode 100755
index 470f5fae48..0000000000
--- a/packages/zeek/2.5.2/data_stream/connection/fields/beats.yml
+++ /dev/null
@@ -1,23 +0,0 @@
-- description: Unique container id.
- ignore_above: 1024
- name: container.id
- type: keyword
-- description: Type of Filebeat input.
- name: input.type
- type: keyword
-- description: Full path to the log file this event came from.
- example: /var/log/fun-times.log
- ignore_above: 1024
- name: log.file.path
- type: keyword
-- description: Flags for the log file.
- name: log.flags
- type: keyword
-- description: Offset of the entry in the log file.
- name: log.offset
- type: long
-- description: List of keywords used to tag each event.
- example: '["production", "env2"]'
- ignore_above: 1024
- name: tags
- type: keyword
diff --git a/packages/zeek/2.5.2/data_stream/connection/fields/ecs.yml b/packages/zeek/2.5.2/data_stream/connection/fields/ecs.yml
deleted file mode 100755
index 7c4c2e168a..0000000000
--- a/packages/zeek/2.5.2/data_stream/connection/fields/ecs.yml
+++ /dev/null
@@ -1,211 +0,0 @@
-- description: |-
- Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field.
- Then it should be duplicated to `.ip` or `.domain`, depending on which one it is.
- name: destination.address
- type: keyword
-- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet.
- name: destination.as.number
- type: long
-- description: Organization name.
- multi_fields:
- - name: text
- type: match_only_text
- name: destination.as.organization.name
- type: keyword
-- description: Bytes sent from the destination to the source.
- name: destination.bytes
- type: long
-- description: City name.
- name: destination.geo.city_name
- type: keyword
-- description: Name of the continent.
- name: destination.geo.continent_name
- type: keyword
-- description: Country ISO code.
- name: destination.geo.country_iso_code
- type: keyword
-- description: Country name.
- name: destination.geo.country_name
- type: keyword
-- description: Longitude and latitude.
- name: destination.geo.location
- type: geo_point
-- description: |-
- User-defined description of a location, at the level of granularity they care about.
- Could be the name of their data centers, the floor number, if this describes a local physical entity, city names.
- Not typically used in automated geolocation.
- name: destination.geo.name
- type: keyword
-- description: Region ISO code.
- name: destination.geo.region_iso_code
- type: keyword
-- description: Region name.
- name: destination.geo.region_name
- type: keyword
-- description: IP address of the destination (IPv4 or IPv6).
- name: destination.ip
- type: ip
-- description: |-
- MAC address of the destination.
- The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen.
- name: destination.mac
- pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$
- type: keyword
-- description: Packets sent from the destination to the source.
- name: destination.packets
- type: long
-- description: Port of the destination.
- name: destination.port
- type: long
-- description: |-
- ECS version this event conforms to. `ecs.version` is a required field and must exist in all events.
- When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events.
- name: ecs.version
- type: keyword
-- description: Error message.
- name: error.message
- type: match_only_text
-- description: |-
- This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy.
- `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory.
- This field is an array. This will allow proper categorization of some events that fall in multiple categories.
- name: event.category
- normalize:
- - array
- type: keyword
-- description: |-
- event.created contains the date/time when the event was first read by an agent, or by your pipeline.
- This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event.
- In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source.
- In case the two timestamps are identical, @timestamp should be used.
- name: event.created
- type: date
-- description: |-
- Duration of the event in nanoseconds.
- If event.start and event.end are known this value should be the difference between the end and start time.
- name: event.duration
- type: long
-- description: Unique ID to describe the event.
- name: event.id
- type: keyword
-- description: |-
- Timestamp when an event arrived in the central data store.
- This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event.
- In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`.
- name: event.ingested
- type: date
-- description: |-
- This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy.
- `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events.
- The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not.
- name: event.kind
- type: keyword
-- description: |-
- This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy.
- `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization.
- This field is an array. This will allow proper categorization of some events that fall in multiple event types.
- name: event.type
- normalize:
- - array
- type: keyword
-- description: Host ip addresses.
- name: host.ip
- normalize:
- - array
- type: ip
-- description: |-
- Total bytes transferred in both directions.
- If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum.
- name: network.bytes
- type: long
-- description: |-
- A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows.
- Learn more at https://github.com/corelight/community-id-spec.
- name: network.community_id
- type: keyword
-- description: |-
- Direction of the network traffic.
- When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress".
- When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external".
- Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers.
- name: network.direction
- type: keyword
-- description: |-
- Total packets transferred in both directions.
- If `source.packets` and `destination.packets` are known, `network.packets` is their sum.
- name: network.packets
- type: long
-- description: |-
- In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`.
- The field value must be normalized to lowercase for querying.
- name: network.protocol
- type: keyword
-- description: |-
- Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.)
- The field value must be normalized to lowercase for querying.
- name: network.transport
- type: keyword
-- description: All of the IPs seen on your event.
- name: related.ip
- normalize:
- - array
- type: ip
-- description: |-
- Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field.
- Then it should be duplicated to `.ip` or `.domain`, depending on which one it is.
- name: source.address
- type: keyword
-- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet.
- name: source.as.number
- type: long
-- description: Organization name.
- multi_fields:
- - name: text
- type: match_only_text
- name: source.as.organization.name
- type: keyword
-- description: Bytes sent from the source to the destination.
- name: source.bytes
- type: long
-- description: City name.
- name: source.geo.city_name
- type: keyword
-- description: Name of the continent.
- name: source.geo.continent_name
- type: keyword
-- description: Country ISO code.
- name: source.geo.country_iso_code
- type: keyword
-- description: Country name.
- name: source.geo.country_name
- type: keyword
-- description: Longitude and latitude.
- name: source.geo.location
- type: geo_point
-- description: |-
- User-defined description of a location, at the level of granularity they care about.
- Could be the name of their data centers, the floor number, if this describes a local physical entity, city names.
- Not typically used in automated geolocation.
- name: source.geo.name
- type: keyword
-- description: Region ISO code.
- name: source.geo.region_iso_code
- type: keyword
-- description: Region name.
- name: source.geo.region_name
- type: keyword
-- description: IP address of the source (IPv4 or IPv6).
- name: source.ip
- type: ip
-- description: |-
- MAC address of the source.
- The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen.
- name: source.mac
- pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$
- type: keyword
-- description: Packets sent from the source to the destination.
- name: source.packets
- type: long
-- description: Port of the source.
- name: source.port
- type: long
diff --git a/packages/zeek/2.5.2/data_stream/connection/fields/fields.yml b/packages/zeek/2.5.2/data_stream/connection/fields/fields.yml
deleted file mode 100755
index 648f871d9d..0000000000
--- a/packages/zeek/2.5.2/data_stream/connection/fields/fields.yml
+++ /dev/null
@@ -1,46 +0,0 @@
-- name: zeek.connection
- type: group
- fields:
- - name: local_orig
- type: boolean
- description: |
- Indicates whether the session is originated locally.
- - name: local_resp
- type: boolean
- description: |
- Indicates whether the session is responded locally.
- - name: missed_bytes
- type: long
- description: |
- Missed bytes for the session.
- - name: state
- type: keyword
- description: |
- Code indicating the state of the session.
- - name: state_message
- type: keyword
- description: |
- The state of the session.
- - name: icmp
- type: group
- fields:
- - name: type
- type: integer
- description: |
- ICMP message type.
- - name: code
- type: integer
- description: |
- ICMP message code.
- - name: history
- type: keyword
- description: |
- Flags indicating the history of the session.
- - name: vlan
- type: integer
- description: |
- VLAN identifier.
- - name: inner_vlan
- type: integer
- description: |
- VLAN identifier.
diff --git a/packages/zeek/2.5.2/data_stream/connection/fields/package-fields.yml b/packages/zeek/2.5.2/data_stream/connection/fields/package-fields.yml
deleted file mode 100755
index 4d6d6ea170..0000000000
--- a/packages/zeek/2.5.2/data_stream/connection/fields/package-fields.yml
+++ /dev/null
@@ -1,7 +0,0 @@
-- name: zeek
- type: group
- fields:
- - name: session_id
- type: keyword
- description: |
- A unique identifier of the session
diff --git a/packages/zeek/2.5.2/data_stream/connection/manifest.yml b/packages/zeek/2.5.2/data_stream/connection/manifest.yml
deleted file mode 100755
index 088dc55b55..0000000000
--- a/packages/zeek/2.5.2/data_stream/connection/manifest.yml
+++ /dev/null
@@ -1,85 +0,0 @@
-type: logs
-title: Zeek connection logs
-streams:
- - input: logfile
- template_path: log.yml.hbs
- title: Zeek conn.log
- description: Collect Zeek connection logs
- vars:
- - name: filenames
- type: text
- title: Filename of connection log
- multi: true
- required: true
- show_user: true
- default:
- - conn.log
- - name: tags
- type: text
- title: Tags
- multi: true
- required: true
- show_user: false
- default:
- - forwarded
- - zeek-connection
- - name: preserve_original_event
- required: true
- show_user: true
- title: Preserve original event
- description: Preserves a raw copy of the original event, added to the field `event.original`
- type: bool
- multi: false
- default: false
- - name: processors
- type: yaml
- title: Processors
- multi: false
- required: false
- show_user: false
- description: >
- Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
-
- - input: httpjson
- title: Zeek connection logs via Splunk Enterprise REST API
- description: Collect Zeek connection logs via Splunk Enterprise REST API
- enabled: false
- template_path: httpjson.yml.hbs
- vars:
- - name: interval
- type: text
- title: Interval to query Splunk Enterprise REST API
- description: Go Duration syntax (eg. 10s)
- show_user: true
- required: true
- default: 10s
- - name: search
- type: text
- title: Splunk search string
- show_user: true
- required: true
- default: "search sourcetype=\"conn-*\""
- - name: tags
- type: text
- title: Tags
- multi: true
- show_user: false
- default:
- - forwarded
- - zeek-connection
- - name: preserve_original_event
- required: true
- show_user: true
- title: Preserve original event
- description: Preserves a raw copy of the original event, added to the field `event.original`
- type: bool
- multi: false
- default: false
- - name: processors
- type: yaml
- title: Processors
- multi: false
- required: false
- show_user: false
- description: >-
- Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
diff --git a/packages/zeek/2.5.2/data_stream/dce_rpc/agent/stream/httpjson.yml.hbs b/packages/zeek/2.5.2/data_stream/dce_rpc/agent/stream/httpjson.yml.hbs
deleted file mode 100755
index 33f251e7d6..0000000000
--- a/packages/zeek/2.5.2/data_stream/dce_rpc/agent/stream/httpjson.yml.hbs
+++ /dev/null
@@ -1,63 +0,0 @@
-config_version: 2
-interval: {{interval}}
-{{#unless token}}
-{{#if username}}
-{{#if password}}
-auth.basic.user: {{username}}
-auth.basic.password: {{password}}
-{{/if}}
-{{/if}}
-{{/unless}}
-cursor:
- index_earliest:
- value: '[[.last_event.result.max_indextime]]'
-request.url: {{url}}/services/search/jobs/export
-{{#if ssl}}
-request.ssl: {{ssl}}
-{{/if}}
-request.method: POST
-request.transforms:
- - set:
- target: url.params.search
- value: {{search}} | streamstats max(_indextime) AS max_indextime
- - set:
- target: url.params.output_mode
- value: "json"
- - set:
- target: url.params.index_earliest
- value: '[[ .cursor.index_earliest ]]'
- default: '[[(now (parseDuration "-{{interval}}")).Unix]]'
- - set:
- target: url.params.index_latest
- value: '[[(now).Unix]]'
- - set:
- target: header.Content-Type
- value: application/x-www-form-urlencoded
-{{#unless username}}
-{{#unless password}}
-{{#if token}}
- - set:
- target: header.Authorization
- value: {{token}}
-{{/if}}
-{{/unless}}
-{{/unless}}
-response.decode_as: application/x-ndjson
-response.split:
- target: body.result._raw
- type: string
- delimiter: "\n"
-tags:
-{{#if preserve_original_event}}
- - preserve_original_event
-{{/if}}
-{{#each tags as |tag i|}}
- - {{tag}}
-{{/each}}
-{{#contains "forwarded" tags}}
-publisher_pipeline.disable_host: true
-{{/contains}}
-{{#if processors}}
-processors:
-{{processors}}
-{{/if}}
diff --git a/packages/zeek/2.5.2/data_stream/dce_rpc/agent/stream/log.yml.hbs b/packages/zeek/2.5.2/data_stream/dce_rpc/agent/stream/log.yml.hbs
deleted file mode 100755
index 9dd9f724a5..0000000000
--- a/packages/zeek/2.5.2/data_stream/dce_rpc/agent/stream/log.yml.hbs
+++ /dev/null
@@ -1,21 +0,0 @@
-paths:
-{{#each base_paths}}
- {{#each ../filenames}}
- - {{../this}}/{{this}}
- {{/each}}
-{{/each}}
-exclude_files: [".gz$"]
-tags:
-{{#if preserve_original_event}}
- - preserve_original_event
-{{/if}}
-{{#each tags as |tag i|}}
- - {{tag}}
-{{/each}}
-{{#contains "forwarded" tags}}
-publisher_pipeline.disable_host: true
-{{/contains}}
-{{#if processors}}
-processors:
-{{processors}}
-{{/if}}
diff --git a/packages/zeek/2.5.2/data_stream/dce_rpc/elasticsearch/ingest_pipeline/default.yml b/packages/zeek/2.5.2/data_stream/dce_rpc/elasticsearch/ingest_pipeline/default.yml
deleted file mode 100755
index a636924754..0000000000
--- a/packages/zeek/2.5.2/data_stream/dce_rpc/elasticsearch/ingest_pipeline/default.yml
+++ /dev/null
@@ -1,169 +0,0 @@
----
-description: Pipeline for normalizing Zeek dce_rpc.log
-processors:
- - rename:
- field: message
- target_field: event.original
- - json:
- field: event.original
- target_field: _temp_
- - pipeline:
- if: ctx?._temp_?.result != null
- name: '{{ IngestPipeline "third-party" }}'
- - drop:
- description: Drop if no timestamp (invalid json)
- if: 'ctx?._temp_?.ts == null'
- - rename:
- field: _temp_
- target_field: zeek.dce_rpc
-
-# Sets event.created from the @timestamp field generated by filebeat before being overwritten further down
- - set:
- field: event.created
- copy_from: "@timestamp"
- - set:
- field: event.kind
- value: event
- - set:
- field: ecs.version
- value: '8.4.0'
- - append:
- field: event.category
- value: network
- - append:
- field: event.type
- value: connection
- - append:
- field: event.type
- value: protocol
- - append:
- field: event.type
- value: info
- - set:
- field: network.transport
- value: tcp
- - set:
- field: network.protocol
- value: dce_rpc
- - dot_expander:
- path: zeek.dce_rpc
- field: id.orig_p
- ignore_failure: true
- - dot_expander:
- path: zeek.dce_rpc
- field: id.orig_h
- ignore_failure: true
- - dot_expander:
- path: zeek.dce_rpc
- field: id.resp_h
- ignore_failure: true
- - dot_expander:
- path: zeek.dce_rpc
- field: id.resp_p
- ignore_failure: true
- - rename:
- field: zeek.dce_rpc.id.orig_h
- target_field: source.address
- ignore_missing: true
- - rename:
- field: zeek.dce_rpc.id.orig_p
- target_field: source.port
- ignore_missing: true
- - rename:
- field: zeek.dce_rpc.id.resp_h
- target_field: destination.address
- ignore_missing: true
- - rename:
- field: zeek.dce_rpc.id.resp_p
- target_field: destination.port
- ignore_missing: true
- - rename:
- field: zeek.dce_rpc.uid
- target_field: zeek.session_id
- ignore_missing: true
- - set:
- field: event.id
- copy_from: zeek.session_id
- if: ctx.zeek.session_id != null
- - set:
- field: source.ip
- copy_from: source.address
- if: ctx?.source?.address != null
- - set:
- field: destination.ip
- copy_from: destination.address
- if: ctx?.destination?.address != null
- - date:
- field: zeek.dce_rpc.ts
- formats:
- - UNIX
- - ISO8601
- - remove:
- field: zeek.dce_rpc.ts
- - append:
- field: related.ip
- value: "{{source.ip}}"
- if: ctx?.source?.ip != null
- allow_duplicates: false
- - geoip:
- field: source.ip
- target_field: source.geo
- - geoip:
- database_file: GeoLite2-ASN.mmdb
- field: source.ip
- target_field: source.as
- properties:
- - asn
- - organization_name
- ignore_missing: true
- - rename:
- field: source.as.asn
- target_field: source.as.number
- ignore_missing: true
- - rename:
- field: source.as.organization_name
- target_field: source.as.organization.name
- ignore_missing: true
- - append:
- field: related.ip
- value: "{{destination.ip}}"
- if: ctx?.destination?.ip != null
- allow_duplicates: false
- - geoip:
- field: destination.ip
- target_field: destination.geo
- - geoip:
- database_file: GeoLite2-ASN.mmdb
- field: destination.ip
- target_field: destination.as
- properties:
- - asn
- - organization_name
- ignore_missing: true
- - rename:
- field: destination.as.asn
- target_field: destination.as.number
- ignore_missing: true
- - rename:
- field: destination.as.organization_name
- target_field: destination.as.organization.name
- ignore_missing: true
- - set:
- field: event.action
- copy_from: zeek.dce_rpc.operation
- if: "ctx?.zeek?.dce_rpc?.operation != null"
- - community_id:
- target_field: network.community_id
- - remove:
- field:
- - zeek.dce_rpc.id
- ignore_missing: true
- - remove:
- field: event.original
- if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))"
- ignore_failure: true
- ignore_missing: true
-on_failure:
- - set:
- field: error.message
- value: "{{ _ingest.on_failure_message }}"
diff --git a/packages/zeek/2.5.2/data_stream/dce_rpc/elasticsearch/ingest_pipeline/third-party.yml b/packages/zeek/2.5.2/data_stream/dce_rpc/elasticsearch/ingest_pipeline/third-party.yml
deleted file mode 100755
index 5bc2247db2..0000000000
--- a/packages/zeek/2.5.2/data_stream/dce_rpc/elasticsearch/ingest_pipeline/third-party.yml
+++ /dev/null
@@ -1,39 +0,0 @@
----
-description: Pipeline for parsing Zeek logs from third party api
-processors:
- - fingerprint:
- fields:
- - _temp_.result._cd
- - _temp_.result._indextime
- - _temp_.result._raw
- - _temp_.result._time
- - _temp_.result.host
- - _temp_.result.source
- target_field: '_id'
- ignore_missing: true
- - set:
- field: event.original
- copy_from: _temp_.result._raw
- ignore_empty_value: true
- - set:
- field: host.name
- copy_from: _temp_.result.host
- ignore_empty_value: true
- - set:
- copy_from: _temp_.result.source
- field: log.file.path
- ignore_empty_value: true
- - remove:
- field: _temp_
- ignore_missing: true
- - json:
- field: event.original
- target_field: _temp_
-on_failure:
- - append:
- field: error.message
- value: >-
- error in third party api pipeline:
- error in [{{_ingest.on_failure_processor_type}}] processor{{#_ingest.on_failure_processor_tag}}
- with tag [{{_ingest.on_failure_processor_tag }}]{{/_ingest.on_failure_processor_tag}}
- {{ _ingest.on_failure_message }}
diff --git a/packages/zeek/2.5.2/data_stream/dce_rpc/fields/agent.yml b/packages/zeek/2.5.2/data_stream/dce_rpc/fields/agent.yml
deleted file mode 100755
index ed1313d1b0..0000000000
--- a/packages/zeek/2.5.2/data_stream/dce_rpc/fields/agent.yml
+++ /dev/null
@@ -1,171 +0,0 @@
-- name: cloud
- title: Cloud
- group: 2
- description: Fields related to the cloud or infrastructure the events are coming from.
- footnote: "Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on."
- type: group
- fields:
- - name: account.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: "The cloud account or organization id used to identify different entities in a multi-tenant environment.\nExamples: AWS account id, Google Cloud ORG Id, or other unique identifier."
- example: 666777888999
- - name: availability_zone
- level: extended
- type: keyword
- ignore_above: 1024
- description: Availability zone in which this host is running.
- example: us-east-1c
- - name: instance.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance ID of the host machine.
- example: i-1234567890abcdef0
- - name: instance.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance name of the host machine.
- - name: machine.type
- level: extended
- type: keyword
- ignore_above: 1024
- description: Machine type of the host machine.
- example: t2.medium
- - name: provider
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
- example: aws
- - name: region
- level: extended
- type: keyword
- ignore_above: 1024
- description: Region in which this host is running.
- example: us-east-1
- - name: project.id
- type: keyword
- description: Name of the project in Google Cloud.
- - name: image.id
- type: keyword
- description: Image ID for the cloud instance.
-- name: container
- title: Container
- group: 2
- description: "Container fields are used for meta information about the specific container that is the source of information.\nThese fields help correlate data based containers from any runtime."
- type: group
- fields:
- - name: image.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the image the container was built on.
- - name: labels
- level: extended
- type: object
- object_type: keyword
- description: Image labels.
- - name: name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Container name.
-- name: host
- title: Host
- group: 2
- description: "A host is defined as a general computing instance.\nECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes."
- type: group
- fields:
- - name: architecture
- level: core
- type: keyword
- ignore_above: 1024
- description: Operating system architecture.
- example: x86_64
- - name: domain
- level: extended
- type: keyword
- ignore_above: 1024
- description: "Name of the domain of which the host is a member.\nFor example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider."
- example: CONTOSO
- default_field: false
- - name: hostname
- level: core
- type: keyword
- ignore_above: 1024
- description: "Hostname of the host.\nIt normally contains what the `hostname` command returns on the host machine."
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: "Unique host id.\nAs hostname is not always unique, use values that are meaningful in your environment.\nExample: The current usage of `beat.name`."
- - name: mac
- level: core
- type: keyword
- ignore_above: 1024
- description: Host mac addresses.
- - name: name
- level: core
- type: keyword
- ignore_above: 1024
- description: "Name of the host.\nIt can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use."
- - name: os.family
- level: extended
- type: keyword
- ignore_above: 1024
- description: OS family (such as redhat, debian, freebsd, windows).
- example: debian
- - name: os.kernel
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system kernel version as a raw string.
- example: 4.4.0-112-generic
- - name: os.name
- level: extended
- type: keyword
- ignore_above: 1024
- multi_fields:
- - name: text
- type: text
- norms: false
- default_field: false
- description: Operating system name, without the version.
- example: Mac OS X
- - name: os.platform
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system platform (such centos, ubuntu, windows).
- example: darwin
- - name: os.version
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system version as a raw string.
- example: 10.14.1
- - name: type
- level: core
- type: keyword
- ignore_above: 1024
- description: "Type of host.\nFor Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment."
- - name: containerized
- type: boolean
- description: >
- If the host is a container.
-
- - name: os.build
- type: keyword
- example: "18D109"
- description: >
- OS build information.
-
- - name: os.codename
- type: keyword
- example: "stretch"
- description: >
- OS codename, if any.
-
diff --git a/packages/zeek/2.5.2/data_stream/dce_rpc/fields/base-fields.yml b/packages/zeek/2.5.2/data_stream/dce_rpc/fields/base-fields.yml
deleted file mode 100755
index 3a568c3f53..0000000000
--- a/packages/zeek/2.5.2/data_stream/dce_rpc/fields/base-fields.yml
+++ /dev/null
@@ -1,20 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: event.module
- type: constant_keyword
- description: Event module
- value: zeek
-- name: event.dataset
- type: constant_keyword
- description: Event dataset
- value: zeek.dce_rpc
-- name: '@timestamp'
- type: date
- description: Event timestamp.
diff --git a/packages/zeek/2.5.2/data_stream/dce_rpc/fields/beats.yml b/packages/zeek/2.5.2/data_stream/dce_rpc/fields/beats.yml
deleted file mode 100755
index 470f5fae48..0000000000
--- a/packages/zeek/2.5.2/data_stream/dce_rpc/fields/beats.yml
+++ /dev/null
@@ -1,23 +0,0 @@
-- description: Unique container id.
- ignore_above: 1024
- name: container.id
- type: keyword
-- description: Type of Filebeat input.
- name: input.type
- type: keyword
-- description: Full path to the log file this event came from.
- example: /var/log/fun-times.log
- ignore_above: 1024
- name: log.file.path
- type: keyword
-- description: Flags for the log file.
- name: log.flags
- type: keyword
-- description: Offset of the entry in the log file.
- name: log.offset
- type: long
-- description: List of keywords used to tag each event.
- example: '["production", "env2"]'
- ignore_above: 1024
- name: tags
- type: keyword
diff --git a/packages/zeek/2.5.2/data_stream/dce_rpc/fields/ecs.yml b/packages/zeek/2.5.2/data_stream/dce_rpc/fields/ecs.yml
deleted file mode 100755
index 09dfd4b50d..0000000000
--- a/packages/zeek/2.5.2/data_stream/dce_rpc/fields/ecs.yml
+++ /dev/null
@@ -1,176 +0,0 @@
-- description: |-
- Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field.
- Then it should be duplicated to `.ip` or `.domain`, depending on which one it is.
- name: destination.address
- type: keyword
-- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet.
- name: destination.as.number
- type: long
-- description: Organization name.
- multi_fields:
- - name: text
- type: match_only_text
- name: destination.as.organization.name
- type: keyword
-- description: Bytes sent from the destination to the source.
- name: destination.bytes
- type: long
-- description: City name.
- name: destination.geo.city_name
- type: keyword
-- description: Name of the continent.
- name: destination.geo.continent_name
- type: keyword
-- description: Country ISO code.
- name: destination.geo.country_iso_code
- type: keyword
-- description: Country name.
- name: destination.geo.country_name
- type: keyword
-- description: Longitude and latitude.
- name: destination.geo.location
- type: geo_point
-- description: |-
- User-defined description of a location, at the level of granularity they care about.
- Could be the name of their data centers, the floor number, if this describes a local physical entity, city names.
- Not typically used in automated geolocation.
- name: destination.geo.name
- type: keyword
-- description: Region ISO code.
- name: destination.geo.region_iso_code
- type: keyword
-- description: Region name.
- name: destination.geo.region_name
- type: keyword
-- description: IP address of the destination (IPv4 or IPv6).
- name: destination.ip
- type: ip
-- description: Port of the destination.
- name: destination.port
- type: long
-- description: |-
- ECS version this event conforms to. 
`ecs.version` is a required field and must exist in all events.
- When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events.
- name: ecs.version
- type: keyword
-- description: Error message.
- name: error.message
- type: match_only_text
-- description: |-
- The action captured by the event.
- This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer.
- name: event.action
- type: keyword
-- description: |-
- This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy.
- `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory.
- This field is an array. This will allow proper categorization of some events that fall in multiple categories.
- name: event.category
- normalize:
- - array
- type: keyword
-- description: |-
- event.created contains the date/time when the event was first read by an agent, or by your pipeline.
- This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event.
- In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source.
- In case the two timestamps are identical, @timestamp should be used.
- name: event.created
- type: date
-- description: Unique ID to describe the event.
- name: event.id
- type: keyword
-- description: |-
- Timestamp when an event arrived in the central data store.
- This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event.
- In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`.
- name: event.ingested
- type: date
-- description: |-
- This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy.
- `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events.
- The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not.
- name: event.kind
- type: keyword
-- description: |-
- This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy.
- `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization.
- This field is an array. This will allow proper categorization of some events that fall in multiple event types.
- name: event.type
- normalize:
- - array
- type: keyword
-- description: Host ip addresses.
- name: host.ip
- normalize:
- - array
- type: ip
-- description: |-
- A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows.
- Learn more at https://github.com/corelight/community-id-spec.
- name: network.community_id
- type: keyword
-- description: |-
- In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`.
- The field value must be normalized to lowercase for querying.
- name: network.protocol
- type: keyword
-- description: |-
- Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.)
- The field value must be normalized to lowercase for querying.
- name: network.transport
- type: keyword
-- description: All of the IPs seen on your event.
- name: related.ip
- normalize:
- - array
- type: ip
-- description: |-
- Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field.
- Then it should be duplicated to `.ip` or `.domain`, depending on which one it is.
- name: source.address
- type: keyword
-- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet.
- name: source.as.number
- type: long
-- description: Organization name.
- multi_fields:
- - name: text
- type: match_only_text
- name: source.as.organization.name
- type: keyword
-- description: Bytes sent from the source to the destination.
- name: source.bytes
- type: long
-- description: City name.
- name: source.geo.city_name
- type: keyword
-- description: Name of the continent.
- name: source.geo.continent_name
- type: keyword
-- description: Country ISO code.
- name: source.geo.country_iso_code
- type: keyword
-- description: Country name.
- name: source.geo.country_name
- type: keyword
-- description: Longitude and latitude.
- name: source.geo.location
- type: geo_point
-- description: |-
- User-defined description of a location, at the level of granularity they care about.
- Could be the name of their data centers, the floor number, if this describes a local physical entity, city names.
- Not typically used in automated geolocation.
- name: source.geo.name
- type: keyword
-- description: Region ISO code.
- name: source.geo.region_iso_code
- type: keyword
-- description: Region name.
- name: source.geo.region_name
- type: keyword
-- description: IP address of the source (IPv4 or IPv6).
- name: source.ip
- type: ip
-- description: Port of the source.
- name: source.port
- type: long
diff --git a/packages/zeek/2.5.2/data_stream/dce_rpc/fields/fields.yml b/packages/zeek/2.5.2/data_stream/dce_rpc/fields/fields.yml
deleted file mode 100755
index e0741e5456..0000000000
--- a/packages/zeek/2.5.2/data_stream/dce_rpc/fields/fields.yml
+++ /dev/null
@@ -1,19 +0,0 @@
-- name: zeek.dce_rpc
- type: group
- fields:
- - name: rtt
- type: integer
- description: |
- Round trip time from the request to the response. If either the request or response wasn't seen, this will be null.
- - name: named_pipe
- type: keyword
- description: |
- Remote pipe name.
- - name: endpoint
- type: keyword
- description: |
- Endpoint name looked up from the uuid.
- - name: operation
- type: keyword
- description: |
- Operation seen in the call.
diff --git a/packages/zeek/2.5.2/data_stream/dce_rpc/fields/package-fields.yml b/packages/zeek/2.5.2/data_stream/dce_rpc/fields/package-fields.yml
deleted file mode 100755
index 4d6d6ea170..0000000000
--- a/packages/zeek/2.5.2/data_stream/dce_rpc/fields/package-fields.yml
+++ /dev/null
@@ -1,7 +0,0 @@
-- name: zeek
- type: group
- fields:
- - name: session_id
- type: keyword
- description: |
- A unique identifier of the session
diff --git a/packages/zeek/2.5.2/data_stream/dce_rpc/manifest.yml b/packages/zeek/2.5.2/data_stream/dce_rpc/manifest.yml
deleted file mode 100755
index 5db353cc78..0000000000
--- a/packages/zeek/2.5.2/data_stream/dce_rpc/manifest.yml
+++ /dev/null
@@ -1,85 +0,0 @@
-type: logs
-title: Zeek dce_rpc logs
-streams:
- - input: logfile
- vars:
- - name: filenames
- type: text
- title: Filename of dce_rpc log file
- multi: true
- required: true
- show_user: true
- default:
- - dce_rpc.log
- - name: tags
- type: text
- title: Tags
- multi: true
- required: true
- show_user: false
- default:
- - forwarded
- - zeek-dce-rpc
- - name: preserve_original_event
- required: true
- show_user: true
- title: Preserve original event
- description: Preserves a raw copy of the original event, added to the field `event.original`
- type: bool
- multi: false
- default: false
- - name: processors
- type: yaml
- title: Processors
- multi: false
- required: false
- show_user: false
- description: >
- Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
- template_path: log.yml.hbs
- title: Zeek dce_rpc.log
- description: Collect Zeek dce_rpc logs
- - input: httpjson
- title: Zeek dce_rpc logs via Splunk Enterprise REST API
- description: Collect Zeek dce_rpc logs via Splunk Enterprise REST API
- enabled: false
- template_path: httpjson.yml.hbs
- vars:
- - name: interval
- type: text
- title: Interval to query Splunk Enterprise REST API
- description: Go Duration syntax (eg. 
10s)
- show_user: true
- required: true
- default: 10s
- - name: search
- type: text
- title: Splunk search string
- show_user: true
- required: true
- default: "search sourcetype=\"dce_rpc-*\""
- - name: tags
- type: text
- title: Tags
- multi: true
- show_user: false
- default:
- - forwarded
- - zeek-dce-rpc
- - name: preserve_original_event
- required: true
- show_user: true
- title: Preserve original event
- description: Preserves a raw copy of the original event, added to the field `event.original`
- type: bool
- multi: false
- default: false
- - name: processors
- type: yaml
- title: Processors
- multi: false
- required: false
- show_user: false
- description: >-
- Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
diff --git a/packages/zeek/2.5.2/data_stream/dhcp/agent/stream/httpjson.yml.hbs b/packages/zeek/2.5.2/data_stream/dhcp/agent/stream/httpjson.yml.hbs
deleted file mode 100755
index a12f9a5875..0000000000
--- a/packages/zeek/2.5.2/data_stream/dhcp/agent/stream/httpjson.yml.hbs
+++ /dev/null
@@ -1,64 +0,0 @@
-config_version: 2
-interval: {{interval}}
-{{#unless token}}
-{{#if username}}
-{{#if password}}
-auth.basic.user: {{username}}
-auth.basic.password: {{password}}
-{{/if}}
-{{/if}}
-{{/unless}}
-cursor:
- index_earliest:
- value: '[[.last_event.result.max_indextime]]'
-request.url: {{url}}/services/search/jobs/export
-{{#if ssl}}
-request.ssl: {{ssl}}
-{{/if}}
-request.method: POST
-request.transforms:
- - set:
- target: url.params.search
- value: {{search}} | streamstats max(_indextime) AS max_indextime
- - set:
- target: url.params.output_mode
- value: "json"
- - set:
- target: url.params.index_earliest
- value: '[[ .cursor.index_earliest ]]'
- default: '[[(now (parseDuration "-{{interval}}")).Unix]]'
- - set:
- target: url.params.index_latest
- value: '[[(now).Unix]]'
- - set:
- target: header.Content-Type
- value: application/x-www-form-urlencoded
-{{#unless username}}
-{{#unless password}}
-{{#if token}}
- - set:
- target: header.Authorization
- value: {{token}}
-{{/if}}
-{{/unless}}
-{{/unless}}
-response.decode_as: application/x-ndjson
-response.split:
- target: body.result._raw
- type: string
- delimiter: "\n"
-tags:
-{{#if preserve_original_event}}
- - preserve_original_event
-{{/if}}
-{{#each tags as |tag i|}}
- - {{tag}}
-{{/each}}
-{{#contains "forwarded" tags}}
-publisher_pipeline.disable_host: true
-{{/contains}}
-{{#if processors}}
-processors:
-{{processors}}
-{{/if}}
-
diff --git a/packages/zeek/2.5.2/data_stream/dhcp/agent/stream/log.yml.hbs b/packages/zeek/2.5.2/data_stream/dhcp/agent/stream/log.yml.hbs
deleted file mode 100755
index 9dd9f724a5..0000000000
--- a/packages/zeek/2.5.2/data_stream/dhcp/agent/stream/log.yml.hbs
+++ /dev/null
@@ -1,21 +0,0 @@
-paths:
-{{#each base_paths}}
- {{#each ../filenames}}
- - {{../this}}/{{this}}
- {{/each}}
-{{/each}}
-exclude_files: [".gz$"]
-tags:
-{{#if preserve_original_event}}
- - preserve_original_event
-{{/if}}
-{{#each tags as |tag i|}}
- - {{tag}}
-{{/each}}
-{{#contains "forwarded" tags}}
-publisher_pipeline.disable_host: true
-{{/contains}}
-{{#if processors}}
-processors:
-{{processors}}
-{{/if}}
diff --git a/packages/zeek/2.5.2/data_stream/dhcp/elasticsearch/ingest_pipeline/default.yml b/packages/zeek/2.5.2/data_stream/dhcp/elasticsearch/ingest_pipeline/default.yml
deleted file mode 100755
index e383184ccc..0000000000
--- a/packages/zeek/2.5.2/data_stream/dhcp/elasticsearch/ingest_pipeline/default.yml
+++ /dev/null
@@ -1,187 +0,0 @@
----
-description: Pipeline for normalizing Zeek dhcp.log
-processors:
- - rename:
- field: message
- target_field: event.original
- - json:
- field: event.original
- target_field: _temp_
- - pipeline:
- if: ctx?._temp_?.result != null
- name: '{{ IngestPipeline "third-party" }}'
- - drop:
- description: Drop if no timestamp (invalid json)
- if: 'ctx?._temp_?.ts == null'
- - rename:
- field: _temp_
- target_field: zeek.dhcp
-
-# Sets event.created from the @timestamp field generated by filebeat before being overwritten further down
- - set:
- field: event.created
- copy_from: "@timestamp"
- - set:
- field: ecs.version
- value: '8.4.0'
- - append:
- field: event.category
- value: network
- - append:
- field: event.type
- value: connection
- - append:
- field: event.type
- value: protocol
- - append:
- field: event.type
- value: info
- - set:
- field: event.kind
- value: event
- - set:
- field: network.transport
- value: udp
- - set:
- field: network.protocol
- value: dhcp
- - rename:
- field: zeek.dhcp.uids
- target_field: zeek.session_id
- ignore_missing: true
- - rename:
- field: zeek.dhcp.assigned_addr
- target_field: zeek.dhcp.address.assigned
- ignore_missing: true
- - rename:
- field: zeek.dhcp.client_addr
- target_field: zeek.dhcp.address.client
- ignore_missing: true
- - rename:
- field: zeek.dhcp.mac
- target_field: zeek.dhcp.address.mac
- ignore_missing: true
- - rename:
- field: zeek.dhcp.requested_addr
- target_field: zeek.dhcp.address.requested
- ignore_missing: true
- - rename:
- field: zeek.dhcp.server_addr
- target_field: zeek.dhcp.address.server
- ignore_missing: true
- - rename:
- field: zeek.dhcp.host_name
- target_field: zeek.dhcp.hostname
- ignore_missing: true
- - rename:
- field: zeek.dhcp.client_message
- target_field: zeek.dhcp.msg.client
- ignore_missing: true
- - rename:
- field: zeek.dhcp.server_message
- target_field: zeek.dhcp.msg.server
- ignore_missing: true
- - rename:
- field: zeek.dhcp.msg_types
- target_field: 
zeek.dhcp.msg.types
- ignore_missing: true
- - rename:
- field: zeek.dhcp.msg_orig
- target_field: zeek.dhcp.msg.origin
- ignore_missing: true
- - rename:
- field: zeek.dhcp.client_software
- target_field: zeek.dhcp.software.client
- ignore_missing: true
- - rename:
- field: zeek.dhcp.server_software
- target_field: zeek.dhcp.software.server
- ignore_missing: true
- - rename:
- field: zeek.dhcp.circuit_id
- target_field: zeek.dhcp.id.circuit
- ignore_missing: true
- - rename:
- field: zeek.dhcp.agent_remote_id
- target_field: zeek.dhcp.id.remote_agent
- ignore_missing: true
- - rename:
- field: zeek.dhcp.subscriber_id
- target_field: zeek.dhcp.id.subscriber
- ignore_missing: true
- - rename:
- field: zeek.dhcp.client_port
- target_field: source.port
- ignore_missing: true
- - rename:
- field: zeek.dhcp.server_port
- target_field: destination.port
- ignore_missing: true
- - set:
- field: network.name
- copy_from: zeek.dhcp.domain
- if: ctx?.zeek?.dhcp?.domain != null
- - set:
- field: source.port
- value: 68
- if: ctx?.source?.port == null
- - set:
- field: destination.port
- value: 67
- if: ctx?.destination?.port == null
- - set:
- field: source.address
- copy_from: zeek.dhcp.address.client
- ignore_empty_value: true
- - set:
- field: client.address
- copy_from: zeek.dhcp.address.client
- ignore_empty_value: true
- - set:
- field: source.ip
- copy_from: zeek.dhcp.address.client
- ignore_empty_value: true
- - set:
- field: destination.address
- copy_from: zeek.dhcp.address.server
- ignore_empty_value: true
- - set:
- field: destination.ip
- copy_from: zeek.dhcp.address.server
- ignore_empty_value: true
- - set:
- field: server.address
- copy_from: zeek.dhcp.address.server
- ignore_empty_value: true
- - date:
- field: zeek.dhcp.ts
- formats:
- - UNIX
- - ISO8601
- - remove:
- field: zeek.dhcp.ts
- - set:
- field: event.id
- copy_from: zeek.session_id
- if: ctx.zeek.session_id != null
- - append:
- field: related.ip
- value: "{{source.ip}}"
- if: "ctx?.source?.ip != 
null"
- allow_duplicates: false
- - append:
- field: related.ip
- value: "{{destination.ip}}"
- if: "ctx?.destination?.ip != null"
- allow_duplicates: false
- - community_id:
- target_field: network.community_id
- - remove:
- field: event.original
- if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))"
- ignore_failure: true
- ignore_missing: true
-on_failure:
- - set:
- field: error.message
- value: "{{ _ingest.on_failure_message }}"
diff --git a/packages/zeek/2.5.2/data_stream/dhcp/elasticsearch/ingest_pipeline/third-party.yml b/packages/zeek/2.5.2/data_stream/dhcp/elasticsearch/ingest_pipeline/third-party.yml
deleted file mode 100755
index 5bc2247db2..0000000000
--- a/packages/zeek/2.5.2/data_stream/dhcp/elasticsearch/ingest_pipeline/third-party.yml
+++ /dev/null
@@ -1,39 +0,0 @@
----
-description: Pipeline for parsing Zeek logs from third party api
-processors:
- - fingerprint:
- fields:
- - _temp_.result._cd
- - _temp_.result._indextime
- - _temp_.result._raw
- - _temp_.result._time
- - _temp_.result.host
- - _temp_.result.source
- target_field: '_id'
- ignore_missing: true
- - set:
- field: event.original
- copy_from: _temp_.result._raw
- ignore_empty_value: true
- - set:
- field: host.name
- copy_from: _temp_.result.host
- ignore_empty_value: true
- - set:
- copy_from: _temp_.result.source
- field: log.file.path
- ignore_empty_value: true
- - remove:
- field: _temp_
- ignore_missing: true
- - json:
- field: event.original
- target_field: _temp_
-on_failure:
- - append:
- field: error.message
- value: >-
- error in third party api pipeline:
- error in [{{_ingest.on_failure_processor_type}}] processor{{#_ingest.on_failure_processor_tag}}
- with tag [{{_ingest.on_failure_processor_tag }}]{{/_ingest.on_failure_processor_tag}}
- {{ _ingest.on_failure_message }}
diff --git a/packages/zeek/2.5.2/data_stream/dhcp/fields/agent.yml b/packages/zeek/2.5.2/data_stream/dhcp/fields/agent.yml
deleted file mode 100755
index ed1313d1b0..0000000000
--- a/packages/zeek/2.5.2/data_stream/dhcp/fields/agent.yml
+++ /dev/null
@@ -1,171 +0,0 @@
-- name: cloud
- title: Cloud
- group: 2
- description: Fields related to the cloud or infrastructure the events are coming from.
- footnote: "Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on."
- type: group
- fields:
- - name: account.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: "The cloud account or organization id used to identify different entities in a multi-tenant environment.\nExamples: AWS account id, Google Cloud ORG Id, or other unique identifier."
- example: 666777888999
- - name: availability_zone
- level: extended
- type: keyword
- ignore_above: 1024
- description: Availability zone in which this host is running.
- example: us-east-1c
- - name: instance.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance ID of the host machine.
- example: i-1234567890abcdef0
- - name: instance.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance name of the host machine.
- - name: machine.type
- level: extended
- type: keyword
- ignore_above: 1024
- description: Machine type of the host machine.
- example: t2.medium
- - name: provider
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
- example: aws
- - name: region
- level: extended
- type: keyword
- ignore_above: 1024
- description: Region in which this host is running.
- example: us-east-1
- - name: project.id
- type: keyword
- description: Name of the project in Google Cloud.
- - name: image.id
- type: keyword
- description: Image ID for the cloud instance.
-- name: container
- title: Container
- group: 2
- description: "Container fields are used for meta information about the specific container that is the source of information.\nThese fields help correlate data based containers from any runtime."
- type: group
- fields:
- - name: image.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the image the container was built on.
- - name: labels
- level: extended
- type: object
- object_type: keyword
- description: Image labels.
- - name: name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Container name.
-- name: host
- title: Host
- group: 2
- description: "A host is defined as a general computing instance.\nECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes."
- type: group
- fields:
- - name: architecture
- level: core
- type: keyword
- ignore_above: 1024
- description: Operating system architecture.
- example: x86_64
- - name: domain
- level: extended
- type: keyword
- ignore_above: 1024
- description: "Name of the domain of which the host is a member.\nFor example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider."
- example: CONTOSO
- default_field: false
- - name: hostname
- level: core
- type: keyword
- ignore_above: 1024
- description: "Hostname of the host.\nIt normally contains what the `hostname` command returns on the host machine."
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: "Unique host id.\nAs hostname is not always unique, use values that are meaningful in your environment.\nExample: The current usage of `beat.name`."
- - name: mac
- level: core
- type: keyword
- ignore_above: 1024
- description: Host mac addresses.
- - name: name
- level: core
- type: keyword
- ignore_above: 1024
- description: "Name of the host.\nIt can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use."
- - name: os.family
- level: extended
- type: keyword
- ignore_above: 1024
- description: OS family (such as redhat, debian, freebsd, windows).
- example: debian
- - name: os.kernel
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system kernel version as a raw string.
- example: 4.4.0-112-generic
- - name: os.name
- level: extended
- type: keyword
- ignore_above: 1024
- multi_fields:
- - name: text
- type: text
- norms: false
- default_field: false
- description: Operating system name, without the version.
- example: Mac OS X
- - name: os.platform
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system platform (such centos, ubuntu, windows).
- example: darwin
- - name: os.version
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system version as a raw string.
- example: 10.14.1
- - name: type
- level: core
- type: keyword
- ignore_above: 1024
- description: "Type of host.\nFor Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment."
- - name: containerized
- type: boolean
- description: >
- If the host is a container.
-
- - name: os.build
- type: keyword
- example: "18D109"
- description: >
- OS build information.
-
- - name: os.codename
- type: keyword
- example: "stretch"
- description: >
- OS codename, if any.
-
diff --git a/packages/zeek/2.5.2/data_stream/dhcp/fields/base-fields.yml b/packages/zeek/2.5.2/data_stream/dhcp/fields/base-fields.yml
deleted file mode 100755
index 82a42a99d3..0000000000
--- a/packages/zeek/2.5.2/data_stream/dhcp/fields/base-fields.yml
+++ /dev/null
@@ -1,20 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: event.module - type: constant_keyword - description: Event module - value: zeek -- name: event.dataset - type: constant_keyword - description: Event dataset - value: zeek.dhcp -- name: '@timestamp' - type: date - description: Event timestamp. diff --git a/packages/zeek/2.5.2/data_stream/dhcp/fields/beats.yml b/packages/zeek/2.5.2/data_stream/dhcp/fields/beats.yml deleted file mode 100755 index 470f5fae48..0000000000 --- a/packages/zeek/2.5.2/data_stream/dhcp/fields/beats.yml +++ /dev/null @@ -1,23 +0,0 @@ -- description: Unique container id. - ignore_above: 1024 - name: container.id - type: keyword -- description: Type of Filebeat input. - name: input.type - type: keyword -- description: Full path to the log file this event came from. - example: /var/log/fun-times.log - ignore_above: 1024 - name: log.file.path - type: keyword -- description: Flags for the log file. - name: log.flags - type: keyword -- description: Offset of the entry in the log file. - name: log.offset - type: long -- description: List of keywords used to tag each event. - example: '["production", "env2"]' - ignore_above: 1024 - name: tags - type: keyword diff --git a/packages/zeek/2.5.2/data_stream/dhcp/fields/ecs.yml b/packages/zeek/2.5.2/data_stream/dhcp/fields/ecs.yml deleted file mode 100755 index fdadf909f4..0000000000 --- a/packages/zeek/2.5.2/data_stream/dhcp/fields/ecs.yml +++ /dev/null 
@@ -1,106 +0,0 @@ -- description: |- - Some event client addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: client.address - type: keyword -- description: |- - Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: destination.address - type: keyword -- description: IP address of the destination (IPv4 or IPv6). - name: destination.ip - type: ip -- description: Port of the destination. - name: destination.port - type: long -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: Error message. - name: error.message - type: match_only_text -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. This will allow proper categorization of some events that fall in multiple categories. - name: event.category - normalize: - - array - type: keyword -- description: |- - event.created contains the date/time when the event was first read by an agent, or by your pipeline. 
- This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. - In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. - In case the two timestamps are identical, @timestamp should be used. - name: event.created - type: date -- description: Unique ID to describe the event. - name: event.id - type: keyword -- description: |- - Timestamp when an event arrived in the central data store. - This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. - In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. - name: event.ingested - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. 
- `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. This will allow proper categorization of some events that fall in multiple event types. - name: event.type - normalize: - - array - type: keyword -- description: Host ip addresses. - name: host.ip - normalize: - - array - type: ip -- description: |- - A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. - Learn more at https://github.com/corelight/community-id-spec. - name: network.community_id - type: keyword -- description: Name given by operators to sections of their network. - name: network.name - type: keyword -- description: |- - In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. - The field value must be normalized to lowercase for querying. - name: network.protocol - type: keyword -- description: |- - Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) - The field value must be normalized to lowercase for querying. - name: network.transport - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - normalize: - - array - type: ip -- description: |- - Some event server addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: server.address - type: keyword -- description: |- - Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. 
- Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: source.address - type: keyword -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: Port of the source. - name: source.port - type: long diff --git a/packages/zeek/2.5.2/data_stream/dhcp/fields/fields.yml b/packages/zeek/2.5.2/data_stream/dhcp/fields/fields.yml deleted file mode 100755 index f095974165..0000000000 --- a/packages/zeek/2.5.2/data_stream/dhcp/fields/fields.yml +++ /dev/null 
@@ -1,110 +0,0 @@ -- name: zeek.dhcp - type: group - fields: - - name: domain - type: keyword - description: | - Domain given by the server in option 15. - - name: duration - type: double - description: | - Duration of the DHCP session representing the time from the first - message to the last, in seconds. - - name: hostname - type: keyword - description: | - Name given by client in Hostname option 12. - - name: client_fqdn - type: keyword - description: | - FQDN given by client in Client FQDN option 81. - - name: lease_time - type: integer - description: | - IP address lease interval in seconds. - - name: address - type: group - fields: - - name: assigned - type: ip - description: | - IP address assigned by the server. - - name: client - type: ip - description: | - IP address of the client. If a transaction is only a client sending - INFORM messages then there is no lease information exchanged so this - is helpful to know who sent the messages. Getting an address in this - field does require that the client sources at least one DHCP message - using a non-broadcast address. - - name: mac - type: keyword - description: | - Client's hardware address. - - name: requested - type: ip - description: | - IP address requested by the client. - - name: server - type: ip - description: | - IP address of the DHCP server. - - name: msg - type: group - fields: - - name: types - type: keyword - description: | - List of DHCP message types seen in this exchange. - - name: origin - type: ip - description: | - (present if policy/protocols/dhcp/msg-orig.bro is loaded) - The address that originated each message from the msg.types field. - - name: client - type: keyword - description: | - Message typically accompanied with a DHCP_DECLINE so the client can - tell the server why it rejected an address. - - name: server - type: keyword - description: | - Message typically accompanied with a DHCP_NAK to let the client know - why it rejected the request. 
- - name: software - type: group - fields: - - name: client - type: keyword - description: | - (present if policy/protocols/dhcp/software.bro is loaded) - Software reported by the client in the vendor_class option. - - name: server - type: keyword - description: | - (present if policy/protocols/dhcp/software.bro is loaded) - Software reported by the client in the vendor_class option. - - name: id - type: group - fields: - - name: circuit - type: keyword - description: | - (present if policy/protocols/dhcp/sub-opts.bro is loaded) - Added by DHCP relay agents which terminate switched or permanent - circuits. It encodes an agent-local identifier of the circuit from - which a DHCP client-to-server packet was received. Typically it - should represent a router or switch interface number. - - name: remote_agent - type: keyword - description: | - (present if policy/protocols/dhcp/sub-opts.bro is loaded) - A globally unique identifier added by relay agents to identify the - remote host end of the circuit. - - name: subscriber - type: keyword - description: | - (present if policy/protocols/dhcp/sub-opts.bro is loaded) - The subscriber ID is a value independent of the physical network - configuration so that a customer's DHCP configuration can be given - to them correctly no matter where they are physically connected. diff --git a/packages/zeek/2.5.2/data_stream/dhcp/fields/package-fields.yml b/packages/zeek/2.5.2/data_stream/dhcp/fields/package-fields.yml deleted file mode 100755 index 4d6d6ea170..0000000000 --- a/packages/zeek/2.5.2/data_stream/dhcp/fields/package-fields.yml +++ /dev/null @@ -1,7 +0,0 @@ -- name: zeek - type: group - fields: - - name: session_id - type: keyword - description: | - A unique identifier of the session diff --git a/packages/zeek/2.5.2/data_stream/dhcp/manifest.yml b/packages/zeek/2.5.2/data_stream/dhcp/manifest.yml deleted file mode 100755 index 78f6d098b1..0000000000 --- a/packages/zeek/2.5.2/data_stream/dhcp/manifest.yml +++ /dev/null 
@@ -1,52 +0,0 @@ -type: logs -title: Zeek dhcp logs -streams: - - input: logfile - vars: - - name: filenames - type: text - title: Filename of dhcp log file - multi: true - required: true - show_user: true - default: - - dhcp.log - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: false - default: - - forwarded - - zeek-dhcp - template_path: log.yml.hbs - title: Zeek dhcp.log - description: Collect Zeek dhcp logs - - input: httpjson - title: Zeek dhcp logs via Splunk Enterprise REST API - description: Collect Zeek dhcp logs via Splunk Enterprise REST API - enabled: false - template_path: httpjson.yml.hbs - vars: - - name: interval - type: text - title: Interval to query Splunk Enterprise REST API - description: Go Duration syntax (eg. 10s) - show_user: true - required: true - default: 10s - - name: search - type: text - title: Splunk search string - show_user: true - required: true - default: "search sourcetype=\"dhcp-*\"" - - name: tags - type: text - title: Tags - multi: true - show_user: false - default: - - forwarded - - zeek-dhcp diff --git a/packages/zeek/2.5.2/data_stream/dnp3/agent/stream/httpjson.yml.hbs b/packages/zeek/2.5.2/data_stream/dnp3/agent/stream/httpjson.yml.hbs deleted file mode 100755 index 33f251e7d6..0000000000 --- a/packages/zeek/2.5.2/data_stream/dnp3/agent/stream/httpjson.yml.hbs +++ /dev/null 
@@ -1,63 +0,0 @@ -config_version: 2 -interval: {{interval}} -{{#unless token}} -{{#if username}} -{{#if password}} -auth.basic.user: {{username}} -auth.basic.password: {{password}} -{{/if}} -{{/if}} -{{/unless}} -cursor: - index_earliest: - value: '[[.last_event.result.max_indextime]]' -request.url: {{url}}/services/search/jobs/export -{{#if ssl}} -request.ssl: {{ssl}} -{{/if}} -request.method: POST -request.transforms: - - set: - target: url.params.search - value: {{search}} | streamstats max(_indextime) AS max_indextime - - set: - target: url.params.output_mode - value: "json" - - set: - target: url.params.index_earliest - value: '[[ .cursor.index_earliest ]]' - default: '[[(now (parseDuration "-{{interval}}")).Unix]]' - - set: - target: url.params.index_latest - value: '[[(now).Unix]]' - - set: - target: header.Content-Type - value: application/x-www-form-urlencoded -{{#unless username}} -{{#unless password}} -{{#if token}} - - set: - target: header.Authorization - value: {{token}} -{{/if}} -{{/unless}} -{{/unless}} -response.decode_as: application/x-ndjson -response.split: - target: body.result._raw - type: string - delimiter: "\n" -tags: -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#each tags as |tag i|}} - - {{tag}} -{{/each}} -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} -{{#if processors}} -processors: -{{processors}} -{{/if}} diff --git a/packages/zeek/2.5.2/data_stream/dnp3/agent/stream/log.yml.hbs b/packages/zeek/2.5.2/data_stream/dnp3/agent/stream/log.yml.hbs deleted file mode 100755 index 9dd9f724a5..0000000000 --- a/packages/zeek/2.5.2/data_stream/dnp3/agent/stream/log.yml.hbs +++ /dev/null 
@@ -1,21 +0,0 @@ -paths: -{{#each base_paths}} - {{#each ../filenames}} - - {{../this}}/{{this}} - {{/each}} -{{/each}} -exclude_files: [".gz$"] -tags: -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#each tags as |tag i|}} - - {{tag}} -{{/each}} -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} -{{#if processors}} -processors: -{{processors}} -{{/if}} diff --git a/packages/zeek/2.5.2/data_stream/dnp3/elasticsearch/ingest_pipeline/default.yml b/packages/zeek/2.5.2/data_stream/dnp3/elasticsearch/ingest_pipeline/default.yml deleted file mode 100755 index ad95072968..0000000000 --- a/packages/zeek/2.5.2/data_stream/dnp3/elasticsearch/ingest_pipeline/default.yml +++ /dev/null 
@@ -1,188 +0,0 @@ ---- -description: Pipeline for normalizing Zeek dnp3.log -processors: - - rename: - field: message - target_field: event.original - - json: - field: event.original - target_field: _temp_ - - pipeline: - if: ctx?._temp_?.result != null - name: '{{ IngestPipeline "third-party" }}' - - drop: - description: Drop if no timestamp (invalid json) - if: 'ctx?._temp_?.ts == null' - - rename: - field: _temp_ - target_field: zeek.dnp3 - -# Sets event.created from the @timestamp field generated by filebeat before being overwritten further down - - set: - field: event.created - copy_from: "@timestamp" - - set: - field: event.kind - value: event - - set: - field: ecs.version - value: '8.4.0' - - append: - field: event.category - value: network - - append: - field: event.type - value: connection - - append: - field: event.type - value: protocol - - append: - field: event.type - value: info - - set: - field: network.transport - value: tcp - - set: - field: network.protocol - value: dnp3 - - dot_expander: - path: zeek.dnp3 - field: id.orig_p - ignore_failure: true - - dot_expander: - path: zeek.dnp3 - field: id.orig_h - ignore_failure: true - - dot_expander: - path: zeek.dnp3 - field: id.resp_h - ignore_failure: true - - dot_expander: - path: zeek.dnp3 - field: id.resp_p - ignore_failure: true - - rename: - field: zeek.dnp3.id.orig_h - target_field: source.address - ignore_missing: true - - rename: - field: zeek.dnp3.id.orig_p - target_field: source.port - ignore_missing: true - - rename: - field: zeek.dnp3.id.resp_h - target_field: destination.address - ignore_missing: true - - rename: - field: zeek.dnp3.id.resp_p - target_field: destination.port - ignore_missing: true - - rename: - field: zeek.dnp3.uid - target_field: zeek.session_id - ignore_missing: true - - set: - field: event.id - copy_from: zeek.session_id - if: ctx.zeek.session_id != null - - set: - field: source.ip - copy_from: source.address - if: ctx?.source?.address != null - - set: - field: 
destination.ip - copy_from: destination.address - if: ctx?.destination?.address != null - - rename: - field: zeek.dnp3.fc_request - target_field: zeek.dnp3.function.request - ignore_missing: true - - rename: - field: zeek.dnp3.fc_reply - target_field: zeek.dnp3.function.reply - ignore_missing: true - - rename: - field: zeek.dnp3.iin - target_field: zeek.dnp3.id - ignore_missing: true - - date: - field: zeek.dnp3.ts - formats: - - UNIX - - ISO8601 - - remove: - field: zeek.dnp3.ts - - set: - field: event.action - copy_from: zeek.dnp3.function.request - if: "ctx?.zeek?.dnp3?.function?.request != null" - - set: - field: event.action - copy_from: zeek.dnp3.function.reply - if: "ctx?.zeek?.dnp3?.function?.reply != null" - - lowercase: - field: event.action - ignore_missing: true - - geoip: - field: destination.ip - target_field: destination.geo - - geoip: - field: source.ip - target_field: source.geo - - geoip: - database_file: GeoLite2-ASN.mmdb - field: source.ip - target_field: source.as - properties: - - asn - - organization_name - ignore_missing: true - - geoip: - database_file: GeoLite2-ASN.mmdb - field: destination.ip - target_field: destination.as - properties: - - asn - - organization_name - ignore_missing: true - - rename: - field: source.as.asn - target_field: source.as.number - ignore_missing: true - - rename: - field: source.as.organization_name - target_field: source.as.organization.name - ignore_missing: true - - rename: - field: destination.as.asn - target_field: destination.as.number - ignore_missing: true - - rename: - field: destination.as.organization_name - target_field: destination.as.organization.name - ignore_missing: true - - append: - field: related.ip - value: "{{source.ip}}" - if: ctx?.source?.ip != null - allow_duplicates: false - - append: - field: related.ip - value: "{{destination.ip}}" - if: ctx?.destination?.ip != null - allow_duplicates: false - - community_id: - target_field: network.community_id - - remove: - field: - - zeek.dnp3.id - 
ignore_missing: true - - remove: - field: event.original - if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" - ignore_failure: true - ignore_missing: true -on_failure: - - set: - field: error.message - value: "{{ _ingest.on_failure_message }}" diff --git a/packages/zeek/2.5.2/data_stream/dnp3/elasticsearch/ingest_pipeline/third-party.yml b/packages/zeek/2.5.2/data_stream/dnp3/elasticsearch/ingest_pipeline/third-party.yml deleted file mode 100755 index 5bc2247db2..0000000000 --- a/packages/zeek/2.5.2/data_stream/dnp3/elasticsearch/ingest_pipeline/third-party.yml +++ /dev/null @@ -1,39 +0,0 @@ ---- -description: Pipeline for parsing Zeek logs from third party api -processors: - - fingerprint: - fields: - - _temp_.result._cd - - _temp_.result._indextime - - _temp_.result._raw - - _temp_.result._time - - _temp_.result.host - - _temp_.result.source - target_field: '_id' - ignore_missing: true - - set: - field: event.original - copy_from: _temp_.result._raw - ignore_empty_value: true - - set: - field: host.name - copy_from: _temp_.result.host - ignore_empty_value: true - - set: - copy_from: _temp_.result.source - field: log.file.path - ignore_empty_value: true - - remove: - field: _temp_ - ignore_missing: true - - json: - field: event.original - target_field: _temp_ -on_failure: - - append: - field: error.message - value: >- - error in third party api pipeline: - error in [{{_ingest.on_failure_processor_type}}] processor{{#_ingest.on_failure_processor_tag}} - with tag [{{_ingest.on_failure_processor_tag }}]{{/_ingest.on_failure_processor_tag}} - {{ _ingest.on_failure_message }} diff --git a/packages/zeek/2.5.2/data_stream/dnp3/fields/agent.yml b/packages/zeek/2.5.2/data_stream/dnp3/fields/agent.yml deleted file mode 100755 index ed1313d1b0..0000000000 --- a/packages/zeek/2.5.2/data_stream/dnp3/fields/agent.yml +++ /dev/null 
@@ -1,171 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: "Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on." - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: "The cloud account or organization id used to identify different entities in a multi-tenant environment.\nExamples: AWS account id, Google Cloud ORG Id, or other unique identifier." - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: "Container fields are used for meta information about the specific container that is the source of information.\nThese fields help correlate data based containers from any runtime." - type: group - fields: - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: "A host is defined as a general computing instance.\nECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes." - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: "Name of the domain of which the host is a member.\nFor example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider." - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: "Hostname of the host.\nIt normally contains what the `hostname` command returns on the host machine." - - name: id - level: core - type: keyword - ignore_above: 1024 - description: "Unique host id.\nAs hostname is not always unique, use values that are meaningful in your environment.\nExample: The current usage of `beat.name`." - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. 
- - name: name - level: core - type: keyword - ignore_above: 1024 - description: "Name of the host.\nIt can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use." - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: "Type of host.\nFor Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment." - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - diff --git a/packages/zeek/2.5.2/data_stream/dnp3/fields/base-fields.yml b/packages/zeek/2.5.2/data_stream/dnp3/fields/base-fields.yml deleted file mode 100755 index 5b952e8fd0..0000000000 --- a/packages/zeek/2.5.2/data_stream/dnp3/fields/base-fields.yml +++ /dev/null 
@@ -1,20 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: event.module - type: constant_keyword - description: Event module - value: zeek -- name: event.dataset - type: constant_keyword - description: Event dataset - value: zeek.dnp3 -- name: '@timestamp' - type: date - description: Event timestamp. diff --git a/packages/zeek/2.5.2/data_stream/dnp3/fields/beats.yml b/packages/zeek/2.5.2/data_stream/dnp3/fields/beats.yml deleted file mode 100755 index 470f5fae48..0000000000 --- a/packages/zeek/2.5.2/data_stream/dnp3/fields/beats.yml +++ /dev/null @@ -1,23 +0,0 @@ -- description: Unique container id. - ignore_above: 1024 - name: container.id - type: keyword -- description: Type of Filebeat input. - name: input.type - type: keyword -- description: Full path to the log file this event came from. - example: /var/log/fun-times.log - ignore_above: 1024 - name: log.file.path - type: keyword -- description: Flags for the log file. - name: log.flags - type: keyword -- description: Offset of the entry in the log file. - name: log.offset - type: long -- description: List of keywords used to tag each event. - example: '["production", "env2"]' - ignore_above: 1024 - name: tags - type: keyword diff --git a/packages/zeek/2.5.2/data_stream/dnp3/fields/ecs.yml b/packages/zeek/2.5.2/data_stream/dnp3/fields/ecs.yml deleted file mode 100755 index 09dfd4b50d..0000000000 --- a/packages/zeek/2.5.2/data_stream/dnp3/fields/ecs.yml +++ /dev/null 
@@ -1,176 +0,0 @@ -- description: |- - Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: destination.address - type: keyword -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: destination.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: destination.as.organization.name - type: keyword -- description: Bytes sent from the destination to the source. - name: destination.bytes - type: long -- description: City name. - name: destination.geo.city_name - type: keyword -- description: Name of the continent. - name: destination.geo.continent_name - type: keyword -- description: Country ISO code. - name: destination.geo.country_iso_code - type: keyword -- description: Country name. - name: destination.geo.country_name - type: keyword -- description: Longitude and latitude. - name: destination.geo.location - type: geo_point -- description: |- - User-defined description of a location, at the level of granularity they care about. - Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. - Not typically used in automated geolocation. - name: destination.geo.name - type: keyword -- description: Region ISO code. - name: destination.geo.region_iso_code - type: keyword -- description: Region name. - name: destination.geo.region_name - type: keyword -- description: IP address of the destination (IPv4 or IPv6). - name: destination.ip - type: ip -- description: Port of the destination. - name: destination.port - type: long -- description: |- - ECS version this event conforms to. 
`ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: Error message. - name: error.message - type: match_only_text -- description: |- - The action captured by the event. - This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. - name: event.action - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. This will allow proper categorization of some events that fall in multiple categories. - name: event.category - normalize: - - array - type: keyword -- description: |- - event.created contains the date/time when the event was first read by an agent, or by your pipeline. - This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. - In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. - In case the two timestamps are identical, @timestamp should be used. - name: event.created - type: date -- description: Unique ID to describe the event. 
- name: event.id - type: keyword -- description: |- - Timestamp when an event arrived in the central data store. - This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. - In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. - name: event.ingested - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. - `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. This will allow proper categorization of some events that fall in multiple event types. - name: event.type - normalize: - - array - type: keyword -- description: Host ip addresses. - name: host.ip - normalize: - - array - type: ip -- description: |- - A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. - Learn more at https://github.com/corelight/community-id-spec. 
- name: network.community_id - type: keyword -- description: |- - In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. - The field value must be normalized to lowercase for querying. - name: network.protocol - type: keyword -- description: |- - Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) - The field value must be normalized to lowercase for querying. - name: network.transport - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - normalize: - - array - type: ip -- description: |- - Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: source.address - type: keyword -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: source.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: source.as.organization.name - type: keyword -- description: Bytes sent from the source to the destination. - name: source.bytes - type: long -- description: City name. - name: source.geo.city_name - type: keyword -- description: Name of the continent. - name: source.geo.continent_name - type: keyword -- description: Country ISO code. - name: source.geo.country_iso_code - type: keyword -- description: Country name. - name: source.geo.country_name - type: keyword -- description: Longitude and latitude. - name: source.geo.location - type: geo_point -- description: |- - User-defined description of a location, at the level of granularity they care about. 
- Could be the name of their data centers, the floor number, if this describes a local physical entity, city names.
- Not typically used in automated geolocation.
- name: source.geo.name
- type: keyword
-- description: Region ISO code.
- name: source.geo.region_iso_code
- type: keyword
-- description: Region name.
- name: source.geo.region_name
- type: keyword
-- description: IP address of the source (IPv4 or IPv6).
- name: source.ip
- type: ip
-- description: Port of the source.
- name: source.port
- type: long
diff --git a/packages/zeek/2.5.2/data_stream/dnp3/fields/fields.yml b/packages/zeek/2.5.2/data_stream/dnp3/fields/fields.yml
deleted file mode 100755
index bddbd099d0..0000000000
--- a/packages/zeek/2.5.2/data_stream/dnp3/fields/fields.yml
+++ /dev/null
@@ -1,18 +0,0 @@
-- name: zeek.dnp3
- type: group
- fields:
- - name: function
- type: group
- fields:
- - name: request
- type: keyword
- description: |
- The name of the function message in the request.
- - name: reply
- type: keyword
- description: |
- The name of the function message in the reply.
- - name: id
- type: integer
- description: |
- The response's internal indication number.
diff --git a/packages/zeek/2.5.2/data_stream/dnp3/fields/package-fields.yml b/packages/zeek/2.5.2/data_stream/dnp3/fields/package-fields.yml
deleted file mode 100755
index 4d6d6ea170..0000000000
--- a/packages/zeek/2.5.2/data_stream/dnp3/fields/package-fields.yml
+++ /dev/null
@@ -1,7 +0,0 @@
-- name: zeek
- type: group
- fields:
- - name: session_id
- type: keyword
- description: |
- A unique identifier of the session
diff --git a/packages/zeek/2.5.2/data_stream/dnp3/manifest.yml b/packages/zeek/2.5.2/data_stream/dnp3/manifest.yml
deleted file mode 100755
index 58fc30a926..0000000000
--- a/packages/zeek/2.5.2/data_stream/dnp3/manifest.yml
+++ /dev/null
@@ -1,84 +0,0 @@ -type: logs -title: Zeek dnp3 logs -streams: - - input: logfile - vars: - - name: filenames - type: text - title: Filename of dnp3 log file - multi: true - required: true - show_user: true - default: - - dnp3.log - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: false - default: - - zeek-dnp3 - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original` - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: > - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. - - template_path: log.yml.hbs - title: Zeek dnp3.log - description: Collect Zeek dnp3 logs - - input: httpjson - title: Zeek dnp3 logs via Splunk Enterprise REST API - description: Collect Zeek dnp3 logs via Splunk Enterprise REST API - enabled: false - template_path: httpjson.yml.hbs - vars: - - name: interval - type: text - title: Interval to query Splunk Enterprise REST API - description: Go Duration syntax (eg. 
10s) - show_user: true - required: true - default: 10s - - name: search - type: text - title: Splunk search string - show_user: true - required: true - default: "search sourcetype=\"dnp3-*\"" - - name: tags - type: text - title: Tags - multi: true - show_user: false - default: - - forwarded - - zeek-dnp3 - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original` - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: >- - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. diff --git a/packages/zeek/2.5.2/data_stream/dns/agent/stream/httpjson.yml.hbs b/packages/zeek/2.5.2/data_stream/dns/agent/stream/httpjson.yml.hbs deleted file mode 100755 index 33f251e7d6..0000000000 --- a/packages/zeek/2.5.2/data_stream/dns/agent/stream/httpjson.yml.hbs +++ /dev/null 
@@ -1,63 +0,0 @@
-config_version: 2
-interval: {{interval}}
-{{#unless token}}
-{{#if username}}
-{{#if password}}
-auth.basic.user: {{username}}
-auth.basic.password: {{password}}
-{{/if}}
-{{/if}}
-{{/unless}}
-cursor:
- index_earliest:
- value: '[[.last_event.result.max_indextime]]'
-request.url: {{url}}/services/search/jobs/export
-{{#if ssl}}
-request.ssl: {{ssl}}
-{{/if}}
-request.method: POST
-request.transforms:
- - set:
- target: url.params.search
- value: {{search}} | streamstats max(_indextime) AS max_indextime
- - set:
- target: url.params.output_mode
- value: "json"
- - set:
- target: url.params.index_earliest
- value: '[[ .cursor.index_earliest ]]'
- default: '[[(now (parseDuration "-{{interval}}")).Unix]]'
- - set:
- target: url.params.index_latest
- value: '[[(now).Unix]]'
- - set:
- target: header.Content-Type
- value: application/x-www-form-urlencoded
-{{#unless username}}
-{{#unless password}}
-{{#if token}}
- - set:
- target: header.Authorization
- value: {{token}}
-{{/if}}
-{{/unless}}
-{{/unless}}
-response.decode_as: application/x-ndjson
-response.split:
- target: body.result._raw
- type: string
- delimiter: "\n"
-tags:
-{{#if preserve_original_event}}
- - preserve_original_event
-{{/if}}
-{{#each tags as |tag i|}}
- - {{tag}}
-{{/each}}
-{{#contains "forwarded" tags}}
-publisher_pipeline.disable_host: true
-{{/contains}}
-{{#if processors}}
-processors:
-{{processors}}
-{{/if}}
diff --git a/packages/zeek/2.5.2/data_stream/dns/agent/stream/log.yml.hbs b/packages/zeek/2.5.2/data_stream/dns/agent/stream/log.yml.hbs
deleted file mode 100755
index 30e7049925..0000000000
--- a/packages/zeek/2.5.2/data_stream/dns/agent/stream/log.yml.hbs
+++ /dev/null
@@ -1,21 +0,0 @@
-paths:
-{{#each base_paths}}
- {{#each ../filenames}}
- - {{../this}}/{{this}}
- {{/each}}
-{{/each}}
-exclude_files: [".gz$"]
-tags:
-{{#if preserve_original_event}}
- - preserve_original_event
-{{/if}}
-{{#each tags as |tag i|}}
- - {{tag}}
-{{/each}}
-{{#contains "forwarded" tags}}
-publisher_pipeline.disable_host: true
-{{/contains}}
-{{#if processors}}
-processors:
-{{processors}}
-{{/if}}
\ No newline at end of file
diff --git a/packages/zeek/2.5.2/data_stream/dns/elasticsearch/ingest_pipeline/default.yml b/packages/zeek/2.5.2/data_stream/dns/elasticsearch/ingest_pipeline/default.yml
deleted file mode 100755
index 872c51b485..0000000000
--- a/packages/zeek/2.5.2/data_stream/dns/elasticsearch/ingest_pipeline/default.yml
+++ /dev/null
@@ -1,304 +0,0 @@ ---- -description: Pipeline for Filebeat Zeek dns.log -processors: - - rename: - field: message - target_field: event.original - - json: - field: event.original - target_field: _temp_ - - pipeline: - if: ctx?._temp_?.result != null - name: '{{ IngestPipeline "third-party" }}' - - drop: - description: Drop if no timestamp (invalid json) - if: 'ctx?._temp_?.ts == null' - - rename: - field: _temp_ - target_field: zeek.dns - -# Sets event.created from the @timestamp field generated by filebeat before being overwritten further down - - set: - field: event.created - copy_from: "@timestamp" - - set: - field: event.kind - value: event - - set: - field: ecs.version - value: '8.4.0' - - append: - field: event.category - value: network - - append: - field: event.type - value: connection - - append: - field: event.type - value: protocol - - append: - field: event.type - value: info - - set: - field: network.protocol - value: dns - - dot_expander: - path: zeek.dns - field: id.orig_p - ignore_failure: true - - dot_expander: - path: zeek.dns - field: id.orig_h - ignore_failure: true - - dot_expander: - path: zeek.dns - field: id.resp_h - ignore_failure: true - - dot_expander: - path: zeek.dns - field: id.resp_p - ignore_failure: true - - rename: - field: zeek.dns.id.orig_h - target_field: source.address - ignore_missing: true - - rename: - field: zeek.dns.id.orig_p - target_field: source.port - ignore_missing: true - - rename: - field: zeek.dns.id.resp_h - target_field: destination.address - ignore_missing: true - - rename: - field: zeek.dns.id.resp_p - target_field: destination.port - ignore_missing: true - - rename: - field: zeek.dns.uid - target_field: zeek.session_id - ignore_missing: true - - rename: - field: zeek.dns.proto - target_field: network.transport - ignore_missing: true - - set: - field: event.id - copy_from: zeek.session_id - ignore_empty_value: true - - set: - field: source.ip - copy_from: source.address - ignore_empty_value: true - - set: - 
field: destination.ip - copy_from: destination.address - ignore_empty_value: true - - append: - field: dns.header_flags - value: AA - if: ctx?.zeek?.dns?.AA == true - - append: - field: dns.header_flags - value: TC - if: ctx?.zeek?.dns?.TC == true - - append: - field: dns.header_flags - value: RD - if: ctx?.zeek?.dns?.RD == true - - append: - field: dns.header_flags - value: RA - if: ctx?.zeek?.dns?.RA == true - - set: - field: dns.question.class - value: IN - if: ctx?.zeek?.dns?.qclass == 1 - - set: - field: dns.question.class - value: CH - if: ctx?.zeek?.dns?.qclass == 3 - - set: - field: dns.question.class - value: HS - if: ctx?.zeek?.dns?.qclass == 4 - - set: - field: dns.question.class - value: NONE - if: ctx?.zeek?.dns?.qclass == 254 - - set: - field: dns.question.class - value: ANY - if: ctx?.zeek?.dns?.qclass == 255 - - set: - field: dns.type - value: answer - if: ctx?.zeek?.dns?.rcode_name != null - - set: - field: dns.type - value: query - if: ctx?.dns?.type == null - - script: - lang: painless - source: >- - ctx.event.duration = ctx.zeek.dns.rtt * 1000000000L; - if: "ctx?.zeek?.dns?.rtt != null" - - script: - lang: painless - source: >- - def answers = ctx.zeek.dns.answers; - def ttls = ctx.zeek.dns.TTLs; - if (answers.isEmpty() || ttls.isEmpty() || answers.length != ttls.length) { - return; - } - def lst = new ArrayList(); - for (def i = 0; i < answers.length; i++) { - lst.add([ - "data": answers[i], - "ttl": (int)ttls[i] - ]) - } - if (ctx?.dns == null) { - ctx.dns = new HashMap(); - } - ctx.dns.answers = lst; - if: "ctx?.zeek?.dns?.answers != null && ctx?.zeek?.dns?.TTLs != null" - - foreach: - field: dns.answers - processor: - convert: - field: _ingest._value.data - target_field: _ingest._value.tmpip - type: ip - ignore_failure: true - ignore_missing: true - if: 'ctx?.dns?.answers != null && !ctx?.dns?.answers.isEmpty()' - - script: - lang: painless - source: >- - def answers = ctx.dns.answers; - def iplist = new ArrayList(); - for (def i = 0; i < 
ctx.dns.answers.length; i++) { - if (answers[i].containsKey("tmpip")) { - iplist.add(answers[i].tmpip); - answers[i].remove("tmpip"); - } - } - ctx.dns.resolved_ip = iplist; - if: 'ctx?.dns?.answers != null && !ctx?.dns?.answers.isEmpty()' - - set: - field: event.outcome - value: success - if: ctx?.dns?.rcode == 0 - - set: - field: event.outcome - value: success - if: ctx?.event?.outcome == null - - convert: - field: zeek.dns.trans_id - type: string - ignore_missing: true - - set: - field: dns.id - copy_from: zeek.dns.trans_id - ignore_empty_value: true - - set: - field: dns.question.type - copy_from: zeek.dns.qtype_name - ignore_empty_value: true - - set: - field: dns.response_code - copy_from: zeek.dns.rcode_name - ignore_empty_value: true - - registered_domain: - field: zeek.dns.query - target_field: dns.question - ignore_missing: true - - rename: - field: dns.question.domain - target_field: dns.question.name - ignore_missing: true - - date: - field: zeek.dns.ts - formats: - - UNIX - - ISO8601 - - remove: - field: zeek.dns.ts - - # IP Geolocation Lookup - - geoip: - field: source.ip - target_field: source.geo - ignore_missing: true - - geoip: - field: destination.ip - target_field: destination.geo - ignore_missing: true - - # IP Autonomous System (AS) Lookup - - geoip: - database_file: GeoLite2-ASN.mmdb - field: source.ip - target_field: source.as - properties: - - asn - - organization_name - ignore_missing: true - - geoip: - database_file: GeoLite2-ASN.mmdb - field: destination.ip - target_field: destination.as - properties: - - asn - - organization_name - ignore_missing: true - - rename: - field: source.as.asn - target_field: source.as.number - ignore_missing: true - - rename: - field: source.as.organization_name - target_field: source.as.organization.name - ignore_missing: true - - rename: - field: destination.as.asn - target_field: destination.as.number - ignore_missing: true - - rename: - field: destination.as.organization_name - target_field: 
destination.as.organization.name - ignore_missing: true - - community_id: - target_field: network.community_id - - append: - field: related.ip - value: "{{source.ip}}" - if: ctx?.source?.address != null - allow_duplicates: false - - append: - field: related.ip - value: "{{destination.ip}}" - if: ctx?.destination?.ip != null - allow_duplicates: false - - rename: - field: message - target_field: event.original - ignore_missing: true - if: ctx?.event?.original == null - - remove: - field: - - zeek.dns.Z - - zeek.dns.auth - - zeek.dns.addl - - zeek.dns.id - ignore_missing: true - - remove: - field: event.original - if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" - ignore_failure: true - ignore_missing: true -on_failure: - - set: - field: error.message - value: "{{ _ingest.on_failure_message }}" diff --git a/packages/zeek/2.5.2/data_stream/dns/elasticsearch/ingest_pipeline/third-party.yml b/packages/zeek/2.5.2/data_stream/dns/elasticsearch/ingest_pipeline/third-party.yml deleted file mode 100755 index 5bc2247db2..0000000000 --- a/packages/zeek/2.5.2/data_stream/dns/elasticsearch/ingest_pipeline/third-party.yml +++ /dev/null 
@@ -1,39 +0,0 @@
----
-description: Pipeline for parsing Zeek logs from third party api
-processors:
- - fingerprint:
- fields:
- - _temp_.result._cd
- - _temp_.result._indextime
- - _temp_.result._raw
- - _temp_.result._time
- - _temp_.result.host
- - _temp_.result.source
- target_field: '_id'
- ignore_missing: true
- - set:
- field: event.original
- copy_from: _temp_.result._raw
- ignore_empty_value: true
- - set:
- field: host.name
- copy_from: _temp_.result.host
- ignore_empty_value: true
- - set:
- copy_from: _temp_.result.source
- field: log.file.path
- ignore_empty_value: true
- - remove:
- field: _temp_
- ignore_missing: true
- - json:
- field: event.original
- target_field: _temp_
-on_failure:
- - append:
- field: error.message
- value: >-
- error in third party api pipeline:
- error in [{{_ingest.on_failure_processor_type}}] processor{{#_ingest.on_failure_processor_tag}}
- with tag [{{_ingest.on_failure_processor_tag }}]{{/_ingest.on_failure_processor_tag}}
- {{ _ingest.on_failure_message }}
diff --git a/packages/zeek/2.5.2/data_stream/dns/fields/agent.yml b/packages/zeek/2.5.2/data_stream/dns/fields/agent.yml
deleted file mode 100755
index ed1313d1b0..0000000000
--- a/packages/zeek/2.5.2/data_stream/dns/fields/agent.yml
+++ /dev/null
@@ -1,171 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: "Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on." - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: "The cloud account or organization id used to identify different entities in a multi-tenant environment.\nExamples: AWS account id, Google Cloud ORG Id, or other unique identifier." - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: "Container fields are used for meta information about the specific container that is the source of information.\nThese fields help correlate data based containers from any runtime." - type: group - fields: - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: "A host is defined as a general computing instance.\nECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes." - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: "Name of the domain of which the host is a member.\nFor example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider." - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: "Hostname of the host.\nIt normally contains what the `hostname` command returns on the host machine." - - name: id - level: core - type: keyword - ignore_above: 1024 - description: "Unique host id.\nAs hostname is not always unique, use values that are meaningful in your environment.\nExample: The current usage of `beat.name`." - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. 
- - name: name - level: core - type: keyword - ignore_above: 1024 - description: "Name of the host.\nIt can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use." - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: "Type of host.\nFor Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment." - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - diff --git a/packages/zeek/2.5.2/data_stream/dns/fields/base-fields.yml b/packages/zeek/2.5.2/data_stream/dns/fields/base-fields.yml deleted file mode 100755 index 6997ee2f12..0000000000 --- a/packages/zeek/2.5.2/data_stream/dns/fields/base-fields.yml +++ /dev/null 
@@ -1,20 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: event.module
- type: constant_keyword
- description: Event module
- value: zeek
-- name: event.dataset
- type: constant_keyword
- description: Event dataset
- value: zeek.dns
-- name: '@timestamp'
- type: date
- description: Event timestamp.
diff --git a/packages/zeek/2.5.2/data_stream/dns/fields/beats.yml b/packages/zeek/2.5.2/data_stream/dns/fields/beats.yml
deleted file mode 100755
index 470f5fae48..0000000000
--- a/packages/zeek/2.5.2/data_stream/dns/fields/beats.yml
+++ /dev/null
@@ -1,23 +0,0 @@
-- description: Unique container id.
- ignore_above: 1024
- name: container.id
- type: keyword
-- description: Type of Filebeat input.
- name: input.type
- type: keyword
-- description: Full path to the log file this event came from.
- example: /var/log/fun-times.log
- ignore_above: 1024
- name: log.file.path
- type: keyword
-- description: Flags for the log file.
- name: log.flags
- type: keyword
-- description: Offset of the entry in the log file.
- name: log.offset
- type: long
-- description: List of keywords used to tag each event.
- example: '["production", "env2"]'
- ignore_above: 1024
- name: tags
- type: keyword
diff --git a/packages/zeek/2.5.2/data_stream/dns/fields/ecs.yml b/packages/zeek/2.5.2/data_stream/dns/fields/ecs.yml
deleted file mode 100755
index eae43dde5b..0000000000
--- a/packages/zeek/2.5.2/data_stream/dns/fields/ecs.yml
+++ /dev/null
@@ -1,263 +0,0 @@
-- description: |-
- Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field.
- Then it should be duplicated to `.ip` or `.domain`, depending on which one it is.
- name: destination.address
- type: keyword
-- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet.
- name: destination.as.number
- type: long
-- description: Organization name.
- multi_fields:
- - name: text
- type: match_only_text
- name: destination.as.organization.name
- type: keyword
-- description: City name.
- name: destination.geo.city_name
- type: keyword
-- description: Name of the continent.
- name: destination.geo.continent_name
- type: keyword
-- description: Country ISO code.
- name: destination.geo.country_iso_code
- type: keyword
-- description: Country name.
- name: destination.geo.country_name
- type: keyword
-- description: Longitude and latitude.
- name: destination.geo.location
- type: geo_point
-- description: |-
- User-defined description of a location, at the level of granularity they care about.
- Could be the name of their data centers, the floor number, if this describes a local physical entity, city names.
- Not typically used in automated geolocation.
- name: destination.geo.name
- type: keyword
-- description: Region ISO code.
- name: destination.geo.region_iso_code
- type: keyword
-- description: Region name.
- name: destination.geo.region_name
- type: keyword
-- description: IP address of the destination (IPv4 or IPv6).
- name: destination.ip
- type: ip
-- description: Port of the destination.
- name: destination.port
- type: long
-- description: |-
- An array containing an object for each answer section returned by the server.
- The main keys that should be present in these objects are defined by ECS.
Records that have more information may contain more keys than what ECS defines.
- Not all DNS data sources give all details about DNS answers. At minimum, answer objects must contain the `data` key. If more information is available, map as much of it to ECS as possible, and add any additional fields to the answer objects as custom fields.
- name: dns.answers
- normalize:
- - array
- type: object
-- description: The class of DNS data contained in this resource record.
- name: dns.answers.class
- type: keyword
-- description: |-
- The data describing the resource.
- The meaning of this data depends on the type and class of the resource record.
- name: dns.answers.data
- type: keyword
-- description: |-
- The domain name to which this resource record pertains.
- If a chain of CNAME is being resolved, each answer's `name` should be the one that corresponds with the answer's `data`. It should not simply be the original `question.name` repeated.
- name: dns.answers.name
- type: keyword
-- description: The time interval in seconds that this resource record may be cached before it should be discarded. Zero values mean that the data should not be cached.
- name: dns.answers.ttl
- type: long
-- description: The type of data contained in this resource record.
- name: dns.answers.type
- type: keyword
-- description: Array of 2 letter DNS header flags.
- name: dns.header_flags
- normalize:
- - array
- type: keyword
-- description: The DNS packet identifier assigned by the program that generated the query. The identifier is copied to the response.
- name: dns.id
- type: keyword
-- description: The class of records being queried.
- name: dns.question.class
- type: keyword
-- description: |-
- The name being queried.
- If the name field contains non-printable characters (below 32 or above 126), those characters should be represented as escaped base 10 integers (\DDD). Back slashes and quotes should be escaped.
Tabs, carriage returns, and line feeds should be converted to \t, \r, and \n respectively.
- name: dns.question.name
- type: keyword
-- description: |-
- The highest registered domain, stripped of the subdomain.
- For example, the registered domain for "foo.example.com" is "example.com".
- This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk".
- name: dns.question.registered_domain
- type: keyword
-- description: |-
- The subdomain is all of the labels under the registered_domain.
- If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period.
- name: dns.question.subdomain
- type: keyword
-- description: |-
- The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com".
- This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk".
- name: dns.question.top_level_domain
- type: keyword
-- description: The type of record being queried.
- name: dns.question.type
- type: keyword
-- description: |-
- Array containing all IPs seen in `answers.data`.
- The `answers` array can be difficult to use, because of the variety of data formats it can contain. Extracting all IP addresses seen in there to `dns.resolved_ip` makes it possible to index them as IP addresses, and makes them easier to visualize and query for.
- name: dns.resolved_ip
- normalize:
- - array
- type: ip
-- description: The DNS response code.
- name: dns.response_code
- type: keyword
-- description: |-
- The type of DNS event captured, query or answer.
- If your source of DNS events only gives you DNS queries, you should only create dns events of type `dns.type:query`.
- If your source of DNS events gives you answers as well, you should create one event per query (optionally as soon as the query is seen). And a second event containing all query details as well as an array of answers.
- name: dns.type
- type: keyword
-- description: |-
- ECS version this event conforms to. `ecs.version` is a required field and must exist in all events.
- When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events.
- name: ecs.version
- type: keyword
-- description: Error message.
- name: error.message
- type: match_only_text
-- description: |-
- This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy.
- `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory.
- This field is an array. This will allow proper categorization of some events that fall in multiple categories.
- name: event.category
- normalize:
- - array
- type: keyword
-- description: |-
- event.created contains the date/time when the event was first read by an agent, or by your pipeline.
- This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event.
- In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source.
- In case the two timestamps are identical, @timestamp should be used.
- name: event.created
- type: date
-- description: |-
- Duration of the event in nanoseconds.
- If event.start and event.end are known this value should be the difference between the end and start time.
- name: event.duration
- type: long
-- description: Unique ID to describe the event.
- name: event.id
- type: keyword
-- description: |-
- Timestamp when an event arrived in the central data store.
- This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event.
- In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`.
- name: event.ingested
- type: date
-- description: |-
- This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy.
- `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events.
- The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not.
- name: event.kind
- type: keyword
-- description: |-
- Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex.
- This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`.
- doc_values: false
- index: false
- name: event.original
- type: keyword
-- description: |-
- This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy.
- `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event.
- Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective.
- Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer.
- Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense.
- name: event.outcome
- type: keyword
-- description: |-
- This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy.
- `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization.
- This field is an array. This will allow proper categorization of some events that fall in multiple event types.
- name: event.type
- normalize:
- - array
- type: keyword
-- description: Host ip addresses.
- name: host.ip
- normalize:
- - array
- type: ip
-- description: |-
- A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows.
- Learn more at https://github.com/corelight/community-id-spec.
- name: network.community_id
- type: keyword
-- description: |-
- In the OSI Model this would be the Application Layer protocol.
For example, `http`, `dns`, or `ssh`.
- The field value must be normalized to lowercase for querying.
- name: network.protocol
- type: keyword
-- description: |-
- Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.)
- The field value must be normalized to lowercase for querying.
- name: network.transport
- type: keyword
-- description: All of the IPs seen on your event.
- name: related.ip
- normalize:
- - array
- type: ip
-- description: |-
- Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field.
- Then it should be duplicated to `.ip` or `.domain`, depending on which one it is.
- name: source.address
- type: keyword
-- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet.
- name: source.as.number
- type: long
-- description: Organization name.
- multi_fields:
- - name: text
- type: match_only_text
- name: source.as.organization.name
- type: keyword
-- description: City name.
- name: source.geo.city_name
- type: keyword
-- description: Name of the continent.
- name: source.geo.continent_name
- type: keyword
-- description: Country ISO code.
- name: source.geo.country_iso_code
- type: keyword
-- description: Country name.
- name: source.geo.country_name
- type: keyword
-- description: Longitude and latitude.
- name: source.geo.location
- type: geo_point
-- description: |-
- User-defined description of a location, at the level of granularity they care about.
- Could be the name of their data centers, the floor number, if this describes a local physical entity, city names.
- Not typically used in automated geolocation.
- name: source.geo.name
- type: keyword
-- description: Region ISO code.
- name: source.geo.region_iso_code
- type: keyword
-- description: Region name.
- name: source.geo.region_name
- type: keyword
-- description: IP address of the source (IPv4 or IPv6).
- name: source.ip
- type: ip
-- description: Port of the source.
- name: source.port
- type: long
diff --git a/packages/zeek/2.5.2/data_stream/dns/fields/fields.yml b/packages/zeek/2.5.2/data_stream/dns/fields/fields.yml
deleted file mode 100755
index 18bc9c08d0..0000000000
--- a/packages/zeek/2.5.2/data_stream/dns/fields/fields.yml
+++ /dev/null
@@ -1,86 +0,0 @@
-- name: zeek.dns
- type: group
- fields:
- - name: trans_id
- type: keyword
- description: |
- DNS transaction identifier.
- - name: rtt
- type: double
- description: |
- Round trip time for the query and response.
- - name: query
- type: keyword
- description: |
- The domain name that is the subject of the DNS query.
- - name: qclass
- type: long
- description: |
- The QCLASS value specifying the class of the query.
- - name: qclass_name
- type: keyword
- description: |
- A descriptive name for the class of the query.
- - name: qtype
- type: long
- description: |
- A QTYPE value specifying the type of the query.
- - name: qtype_name
- type: keyword
- description: |
- A descriptive name for the type of the query.
- - name: rcode
- type: long
- description: |
- The response code value in DNS response messages.
- - name: rcode_name
- type: keyword
- description: |
- A descriptive name for the response code value.
- - name: AA
- type: boolean
- description: |
- The Authoritative Answer bit for response messages specifies that the responding
- name server is an authority for the domain name in the question section.
- - name: TC
- type: boolean
- description: |
- The Truncation bit specifies that the message was truncated.
- - name: RD
- type: boolean
- description: |
- The Recursion Desired bit in a request message indicates that the client
- wants recursive service for this query.
- - name: RA
- type: boolean
- description: |
- The Recursion Available bit in a response message indicates that the name
- server supports recursive queries.
- - name: answers
- type: keyword
- description: |
- The set of resource descriptions in the query answer.
- - name: TTLs
- type: double
- description: |
- The caching intervals of the associated RRs described by the answers field.
- - name: rejected
- type: boolean
- description: |
- Indicates whether the DNS query was rejected by the server.
- - name: total_answers
- type: integer
- description: |
- The total number of resource records in the reply.
- - name: total_replies
- type: integer
- description: |
- The total number of resource records in the reply message.
- - name: saw_query
- type: boolean
- description: |
- Whether the full DNS query has been seen.
- - name: saw_reply
- type: boolean
- description: |
- Whether the full DNS reply has been seen.
diff --git a/packages/zeek/2.5.2/data_stream/dns/fields/package-fields.yml b/packages/zeek/2.5.2/data_stream/dns/fields/package-fields.yml
deleted file mode 100755
index 4d6d6ea170..0000000000
--- a/packages/zeek/2.5.2/data_stream/dns/fields/package-fields.yml
+++ /dev/null
@@ -1,7 +0,0 @@
-- name: zeek
- type: group
- fields:
- - name: session_id
- type: keyword
- description: |
- A unique identifier of the session
diff --git a/packages/zeek/2.5.2/data_stream/dns/manifest.yml b/packages/zeek/2.5.2/data_stream/dns/manifest.yml
deleted file mode 100755
index d655e5a773..0000000000
--- a/packages/zeek/2.5.2/data_stream/dns/manifest.yml
+++ /dev/null
@@ -1,85 +0,0 @@
-type: logs
-title: Zeek dns logs
-streams:
- - input: logfile
- vars:
- - name: filenames
- type: text
- title: Filename of dns log file
- multi: true
- required: true
- show_user: true
- default:
- - dns.log
- - name: tags
- type: text
- title: Tags
- multi: true
- required: true
- show_user: false
- default:
- - forwarded
- - zeek-dns
- - name: preserve_original_event
- required: true
- show_user: true
- title: Preserve original event
- description: Preserves a raw copy of the original event, added to the field `event.original`
- type: bool
- multi: false
- default: false
- - name: processors
- type: yaml
- title: Processors
- multi: false
- required: false
- show_user: false
- description: >
- Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
- template_path: log.yml.hbs
- title: Zeek dns.log
- description: Collect Zeek dns logs
- - input: httpjson
- title: Zeek dns logs via Splunk Enterprise REST API
- description: Collect Zeek dns logs via Splunk Enterprise REST API
- enabled: false
- template_path: httpjson.yml.hbs
- vars:
- - name: interval
- type: text
- title: Interval to query Splunk Enterprise REST API
- description: Go Duration syntax (eg.
10s)
- show_user: true
- required: true
- default: 10s
- - name: search
- type: text
- title: Splunk search string
- show_user: true
- required: true
- default: "search sourcetype=\"dns-*\""
- - name: tags
- type: text
- title: Tags
- multi: true
- show_user: false
- default:
- - forwarded
- - zeek-dns
- - name: preserve_original_event
- required: true
- show_user: true
- title: Preserve original event
- description: Preserves a raw copy of the original event, added to the field `event.original`
- type: bool
- multi: false
- default: false
- - name: processors
- type: yaml
- title: Processors
- multi: false
- required: false
- show_user: false
- description: >-
- Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
diff --git a/packages/zeek/2.5.2/data_stream/dpd/agent/stream/httpjson.yml.hbs b/packages/zeek/2.5.2/data_stream/dpd/agent/stream/httpjson.yml.hbs
deleted file mode 100755
index 33f251e7d6..0000000000
--- a/packages/zeek/2.5.2/data_stream/dpd/agent/stream/httpjson.yml.hbs
+++ /dev/null
@@ -1,63 +0,0 @@
-config_version: 2
-interval: {{interval}}
-{{#unless token}}
-{{#if username}}
-{{#if password}}
-auth.basic.user: {{username}}
-auth.basic.password: {{password}}
-{{/if}}
-{{/if}}
-{{/unless}}
-cursor:
- index_earliest:
- value: '[[.last_event.result.max_indextime]]'
-request.url: {{url}}/services/search/jobs/export
-{{#if ssl}}
-request.ssl: {{ssl}}
-{{/if}}
-request.method: POST
-request.transforms:
- - set:
- target: url.params.search
- value: {{search}} | streamstats max(_indextime) AS max_indextime
- - set:
- target: url.params.output_mode
- value: "json"
- - set:
- target: url.params.index_earliest
- value: '[[ .cursor.index_earliest ]]'
- default: '[[(now (parseDuration "-{{interval}}")).Unix]]'
- - set:
- target: url.params.index_latest
- value: '[[(now).Unix]]'
- - set:
- target: header.Content-Type
- value: application/x-www-form-urlencoded
-{{#unless username}}
-{{#unless password}}
-{{#if token}}
- - set:
- target: header.Authorization
- value: {{token}}
-{{/if}}
-{{/unless}}
-{{/unless}}
-response.decode_as: application/x-ndjson
-response.split:
- target: body.result._raw
- type: string
- delimiter: "\n"
-tags:
-{{#if preserve_original_event}}
- - preserve_original_event
-{{/if}}
-{{#each tags as |tag i|}}
- - {{tag}}
-{{/each}}
-{{#contains "forwarded" tags}}
-publisher_pipeline.disable_host: true
-{{/contains}}
-{{#if processors}}
-processors:
-{{processors}}
-{{/if}}
diff --git a/packages/zeek/2.5.2/data_stream/dpd/agent/stream/log.yml.hbs b/packages/zeek/2.5.2/data_stream/dpd/agent/stream/log.yml.hbs
deleted file mode 100755
index 30e7049925..0000000000
--- a/packages/zeek/2.5.2/data_stream/dpd/agent/stream/log.yml.hbs
+++ /dev/null
@@ -1,21 +0,0 @@
-paths:
-{{#each base_paths}}
- {{#each ../filenames}}
- - {{../this}}/{{this}}
- {{/each}}
-{{/each}}
-exclude_files: [".gz$"]
-tags:
-{{#if preserve_original_event}}
- - preserve_original_event
-{{/if}}
-{{#each tags as |tag i|}}
- - {{tag}}
-{{/each}}
-{{#contains "forwarded" tags}}
-publisher_pipeline.disable_host: true
-{{/contains}}
-{{#if processors}}
-processors:
-{{processors}}
-{{/if}}
\ No newline at end of file
diff --git a/packages/zeek/2.5.2/data_stream/dpd/elasticsearch/ingest_pipeline/default.yml b/packages/zeek/2.5.2/data_stream/dpd/elasticsearch/ingest_pipeline/default.yml
deleted file mode 100755
index 7ca4a86603..0000000000
--- a/packages/zeek/2.5.2/data_stream/dpd/elasticsearch/ingest_pipeline/default.yml
+++ /dev/null
@@ -1,162 +0,0 @@
----
-description: Pipeline for normalizing Zeek dpd.log
-processors:
- - rename:
- field: message
- target_field: event.original
- - json:
- field: event.original
- target_field: _temp_
- - pipeline:
- if: ctx?._temp_?.result != null
- name: '{{ IngestPipeline "third-party" }}'
- - drop:
- description: Drop if no timestamp (invalid json)
- if: 'ctx?._temp_?.ts == null'
- - rename:
- field: _temp_
- target_field: zeek.dpd
-
-# Sets event.created from the @timestamp field generated by filebeat before being overwritten further down
- - set:
- field: event.created
- copy_from: "@timestamp"
- - set:
- field: event.kind
- value: event
- - set:
- field: ecs.version
- value: '8.4.0'
- - append:
- field: event.category
- value: network
- - append:
- field: event.type
- value: connection
- - append:
- field: event.type
- value: info
- - dot_expander:
- path: zeek.dpd
- field: id.orig_p
- ignore_failure: true
- - dot_expander:
- path: zeek.dpd
- field: id.orig_h
- ignore_failure: true
- - dot_expander:
- path: zeek.dpd
- field: id.resp_h
- ignore_failure: true
- - dot_expander:
- path: zeek.dpd
- field: id.resp_p
- ignore_failure: true
- - rename:
- field: zeek.dpd.id.orig_h
- target_field: source.address
- ignore_missing: true
- - rename:
- field: zeek.dpd.id.orig_p
- target_field: source.port
- ignore_missing: true
- - rename:
- field: zeek.dpd.id.resp_h
- target_field: destination.address
- ignore_missing: true
- - rename:
- field: zeek.dpd.id.resp_p
- target_field: destination.port
- ignore_missing: true
- - rename:
- field: zeek.dpd.proto
- target_field: network.transport
- ignore_missing: true
- - rename:
- field: zeek.dpd.uid
- target_field: zeek.session_id
- ignore_missing: true
- - set:
- field: event.id
- copy_from: zeek.session_id
- if: ctx.zeek.session_id != null
- - set:
- field: source.ip
- copy_from: source.address
- if: ctx?.source?.address != null
- - set:
- field: destination.ip
- copy_from: destination.address
- if:
ctx?.destination?.address != null
- - date:
- field: zeek.dpd.ts
- formats:
- - UNIX
- - ISO8601
- - remove:
- field: zeek.dpd.ts
- - geoip:
- field: source.ip
- target_field: source.geo
- ignore_missing: true
- - geoip:
- field: destination.ip
- target_field: destination.geo
- ignore_missing: true
- - geoip:
- database_file: GeoLite2-ASN.mmdb
- field: source.ip
- target_field: source.as
- properties:
- - asn
- - organization_name
- ignore_missing: true
- - geoip:
- database_file: GeoLite2-ASN.mmdb
- field: destination.ip
- target_field: destination.as
- properties:
- - asn
- - organization_name
- ignore_missing: true
- - rename:
- field: source.as.asn
- target_field: source.as.number
- ignore_missing: true
- - rename:
- field: source.as.organization_name
- target_field: source.as.organization.name
- ignore_missing: true
- - rename:
- field: destination.as.asn
- target_field: destination.as.number
- ignore_missing: true
- - rename:
- field: destination.as.organization_name
- target_field: destination.as.organization.name
- ignore_missing: true
- - append:
- field: related.ip
- value: "{{source.ip}}"
- if: "ctx?.source?.ip != null"
- allow_duplicates: false
- - append:
- field: related.ip
- value: "{{destination.ip}}"
- if: "ctx?.destination?.ip != null"
- allow_duplicates: false
- - community_id:
- target_field: network.community_id
- - remove:
- field:
- - zeek.dpd.id
- ignore_missing: true
- - remove:
- field: event.original
- if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))"
- ignore_failure: true
- ignore_missing: true
-on_failure:
- - set:
- field: error.message
- value: "{{ _ingest.on_failure_message }}"
diff --git a/packages/zeek/2.5.2/data_stream/dpd/elasticsearch/ingest_pipeline/third-party.yml b/packages/zeek/2.5.2/data_stream/dpd/elasticsearch/ingest_pipeline/third-party.yml
deleted file mode 100755
index 5bc2247db2..0000000000
--- a/packages/zeek/2.5.2/data_stream/dpd/elasticsearch/ingest_pipeline/third-party.yml
+++ /dev/null
@@ -1,39 +0,0 @@
----
-description: Pipeline for parsing Zeek logs from third party api
-processors:
- - fingerprint:
- fields:
- - _temp_.result._cd
- - _temp_.result._indextime
- - _temp_.result._raw
- - _temp_.result._time
- - _temp_.result.host
- - _temp_.result.source
- target_field: '_id'
- ignore_missing: true
- - set:
- field: event.original
- copy_from: _temp_.result._raw
- ignore_empty_value: true
- - set:
- field: host.name
- copy_from: _temp_.result.host
- ignore_empty_value: true
- - set:
- copy_from: _temp_.result.source
- field: log.file.path
- ignore_empty_value: true
- - remove:
- field: _temp_
- ignore_missing: true
- - json:
- field: event.original
- target_field: _temp_
-on_failure:
- - append:
- field: error.message
- value: >-
- error in third party api pipeline:
- error in [{{_ingest.on_failure_processor_type}}] processor{{#_ingest.on_failure_processor_tag}}
- with tag [{{_ingest.on_failure_processor_tag }}]{{/_ingest.on_failure_processor_tag}}
- {{ _ingest.on_failure_message }}
diff --git a/packages/zeek/2.5.2/data_stream/dpd/fields/agent.yml b/packages/zeek/2.5.2/data_stream/dpd/fields/agent.yml
deleted file mode 100755
index ed1313d1b0..0000000000
--- a/packages/zeek/2.5.2/data_stream/dpd/fields/agent.yml
+++ /dev/null
@@ -1,171 +0,0 @@
-- name: cloud
- title: Cloud
- group: 2
- description: Fields related to the cloud or infrastructure the events are coming from.
- footnote: "Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on."
- type: group
- fields:
- - name: account.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: "The cloud account or organization id used to identify different entities in a multi-tenant environment.\nExamples: AWS account id, Google Cloud ORG Id, or other unique identifier."
- example: 666777888999
- - name: availability_zone
- level: extended
- type: keyword
- ignore_above: 1024
- description: Availability zone in which this host is running.
- example: us-east-1c
- - name: instance.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance ID of the host machine.
- example: i-1234567890abcdef0
- - name: instance.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance name of the host machine.
- - name: machine.type
- level: extended
- type: keyword
- ignore_above: 1024
- description: Machine type of the host machine.
- example: t2.medium
- - name: provider
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
- example: aws
- - name: region
- level: extended
- type: keyword
- ignore_above: 1024
- description: Region in which this host is running.
- example: us-east-1
- - name: project.id
- type: keyword
- description: Name of the project in Google Cloud.
- - name: image.id
- type: keyword
- description: Image ID for the cloud instance.
-- name: container
- title: Container
- group: 2
- description: "Container fields are used for meta information about the specific container that is the source of information.\nThese fields help correlate data based containers from any runtime."
- type: group
- fields:
- - name: image.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the image the container was built on.
- - name: labels
- level: extended
- type: object
- object_type: keyword
- description: Image labels.
- - name: name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Container name.
-- name: host
- title: Host
- group: 2
- description: "A host is defined as a general computing instance.\nECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes."
- type: group
- fields:
- - name: architecture
- level: core
- type: keyword
- ignore_above: 1024
- description: Operating system architecture.
- example: x86_64
- - name: domain
- level: extended
- type: keyword
- ignore_above: 1024
- description: "Name of the domain of which the host is a member.\nFor example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider."
- example: CONTOSO
- default_field: false
- - name: hostname
- level: core
- type: keyword
- ignore_above: 1024
- description: "Hostname of the host.\nIt normally contains what the `hostname` command returns on the host machine."
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: "Unique host id.\nAs hostname is not always unique, use values that are meaningful in your environment.\nExample: The current usage of `beat.name`."
- - name: mac
- level: core
- type: keyword
- ignore_above: 1024
- description: Host mac addresses.
- - name: name
- level: core
- type: keyword
- ignore_above: 1024
- description: "Name of the host.\nIt can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use."
- - name: os.family
- level: extended
- type: keyword
- ignore_above: 1024
- description: OS family (such as redhat, debian, freebsd, windows).
- example: debian
- - name: os.kernel
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system kernel version as a raw string.
- example: 4.4.0-112-generic
- - name: os.name
- level: extended
- type: keyword
- ignore_above: 1024
- multi_fields:
- - name: text
- type: text
- norms: false
- default_field: false
- description: Operating system name, without the version.
- example: Mac OS X
- - name: os.platform
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system platform (such centos, ubuntu, windows).
- example: darwin
- - name: os.version
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system version as a raw string.
- example: 10.14.1
- - name: type
- level: core
- type: keyword
- ignore_above: 1024
- description: "Type of host.\nFor Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment."
- - name: containerized
- type: boolean
- description: >
- If the host is a container.
-
- - name: os.build
- type: keyword
- example: "18D109"
- description: >
- OS build information.
-
- - name: os.codename
- type: keyword
- example: "stretch"
- description: >
- OS codename, if any.
-
diff --git a/packages/zeek/2.5.2/data_stream/dpd/fields/base-fields.yml b/packages/zeek/2.5.2/data_stream/dpd/fields/base-fields.yml
deleted file mode 100755
index a1358e73f5..0000000000
--- a/packages/zeek/2.5.2/data_stream/dpd/fields/base-fields.yml
+++ /dev/null
@@ -1,20 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: event.module - type: constant_keyword - description: Event module - value: zeek -- name: event.dataset - type: constant_keyword - description: Event dataset - value: zeek.dpd -- name: '@timestamp' - type: date - description: Event timestamp. diff --git a/packages/zeek/2.5.2/data_stream/dpd/fields/beats.yml b/packages/zeek/2.5.2/data_stream/dpd/fields/beats.yml deleted file mode 100755 index 470f5fae48..0000000000 --- a/packages/zeek/2.5.2/data_stream/dpd/fields/beats.yml +++ /dev/null @@ -1,23 +0,0 @@ -- description: Unique container id. - ignore_above: 1024 - name: container.id - type: keyword -- description: Type of Filebeat input. - name: input.type - type: keyword -- description: Full path to the log file this event came from. - example: /var/log/fun-times.log - ignore_above: 1024 - name: log.file.path - type: keyword -- description: Flags for the log file. - name: log.flags - type: keyword -- description: Offset of the entry in the log file. - name: log.offset - type: long -- description: List of keywords used to tag each event. - example: '["production", "env2"]' - ignore_above: 1024 - name: tags - type: keyword diff --git a/packages/zeek/2.5.2/data_stream/dpd/fields/ecs.yml b/packages/zeek/2.5.2/data_stream/dpd/fields/ecs.yml deleted file mode 100755 index a035b27a34..0000000000 --- a/packages/zeek/2.5.2/data_stream/dpd/fields/ecs.yml +++ /dev/null 
@@ -1,160 +0,0 @@ -- description: |- - Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: destination.address - type: keyword -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: destination.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: destination.as.organization.name - type: keyword -- description: City name. - name: destination.geo.city_name - type: keyword -- description: Name of the continent. - name: destination.geo.continent_name - type: keyword -- description: Country ISO code. - name: destination.geo.country_iso_code - type: keyword -- description: Country name. - name: destination.geo.country_name - type: keyword -- description: Longitude and latitude. - name: destination.geo.location - type: geo_point -- description: |- - User-defined description of a location, at the level of granularity they care about. - Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. - Not typically used in automated geolocation. - name: destination.geo.name - type: keyword -- description: Region ISO code. - name: destination.geo.region_iso_code - type: keyword -- description: Region name. - name: destination.geo.region_name - type: keyword -- description: IP address of the destination (IPv4 or IPv6). - name: destination.ip - type: ip -- description: Port of the destination. - name: destination.port - type: long -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. 
- When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: Error message. - name: error.message - type: match_only_text -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. This will allow proper categorization of some events that fall in multiple categories. - name: event.category - normalize: - - array - type: keyword -- description: |- - event.created contains the date/time when the event was first read by an agent, or by your pipeline. - This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. - In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. - In case the two timestamps are identical, @timestamp should be used. - name: event.created - type: date -- description: Unique ID to describe the event. - name: event.id - type: keyword -- description: |- - Timestamp when an event arrived in the central data store. - This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. - In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. 
- name: event.ingested - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. - `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. This will allow proper categorization of some events that fall in multiple event types. - name: event.type - normalize: - - array - type: keyword -- description: Host ip addresses. - name: host.ip - normalize: - - array - type: ip -- description: |- - A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. - Learn more at https://github.com/corelight/community-id-spec. - name: network.community_id - type: keyword -- description: |- - Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) - The field value must be normalized to lowercase for querying. - name: network.transport - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - normalize: - - array - type: ip -- description: |- - Some event source addresses are defined ambiguously. 
The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: source.address - type: keyword -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: source.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: source.as.organization.name - type: keyword -- description: City name. - name: source.geo.city_name - type: keyword -- description: Name of the continent. - name: source.geo.continent_name - type: keyword -- description: Country ISO code. - name: source.geo.country_iso_code - type: keyword -- description: Country name. - name: source.geo.country_name - type: keyword -- description: Longitude and latitude. - name: source.geo.location - type: geo_point -- description: |- - User-defined description of a location, at the level of granularity they care about. - Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. - Not typically used in automated geolocation. - name: source.geo.name - type: keyword -- description: Region ISO code. - name: source.geo.region_iso_code - type: keyword -- description: Region name. - name: source.geo.region_name - type: keyword -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: Port of the source. - name: source.port - type: long diff --git a/packages/zeek/2.5.2/data_stream/dpd/fields/fields.yml b/packages/zeek/2.5.2/data_stream/dpd/fields/fields.yml deleted file mode 100755 index 7365fbb1cc..0000000000 --- a/packages/zeek/2.5.2/data_stream/dpd/fields/fields.yml +++ /dev/null 
@@ -1,16 +0,0 @@ -- name: zeek.dpd - type: group - fields: - - name: analyzer - type: keyword - description: | - The analyzer that generated the violation. - - name: failure_reason - type: keyword - description: | - The textual reason for the analysis failure. - - name: packet_segment - type: keyword - description: | - (present if policy/frameworks/dpd/packet-segment-logging.bro is loaded) - A chunk of the payload that most likely resulted in the protocol violation. diff --git a/packages/zeek/2.5.2/data_stream/dpd/fields/package-fields.yml b/packages/zeek/2.5.2/data_stream/dpd/fields/package-fields.yml deleted file mode 100755 index 4d6d6ea170..0000000000 --- a/packages/zeek/2.5.2/data_stream/dpd/fields/package-fields.yml +++ /dev/null @@ -1,7 +0,0 @@ -- name: zeek - type: group - fields: - - name: session_id - type: keyword - description: | - A unique identifier of the session diff --git a/packages/zeek/2.5.2/data_stream/dpd/manifest.yml b/packages/zeek/2.5.2/data_stream/dpd/manifest.yml deleted file mode 100755 index 7f39a5fbc1..0000000000 --- a/packages/zeek/2.5.2/data_stream/dpd/manifest.yml +++ /dev/null 
@@ -1,68 +0,0 @@ -type: logs -title: Zeek dpd logs -streams: - - input: logfile - vars: - - name: filenames - type: text - title: Filename of the dpd log file - multi: true - required: true - show_user: true - default: - - dpd.log - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: false - default: - - zeek-dpd - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: > - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. - - template_path: log.yml.hbs - title: Zeek dpd.log - description: Collect Zeek dpd logs - - input: httpjson - title: Zeek dpd logs via Splunk Enterprise REST API - description: Collect Zeek dpd logs via Splunk Enterprise REST API - enabled: false - template_path: httpjson.yml.hbs - vars: - - name: interval - type: text - title: Interval to query Splunk Enterprise REST API - description: Go Duration syntax (eg. 10s) - show_user: true - required: true - default: 10s - - name: search - type: text - title: Splunk search string - show_user: true - required: true - default: "search sourcetype=\"dpd-*\"" - - name: tags - type: text - title: Tags - multi: true - show_user: false - default: - - forwarded - - zeek-dpd - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: >- - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. 
diff --git a/packages/zeek/2.5.2/data_stream/files/agent/stream/httpjson.yml.hbs b/packages/zeek/2.5.2/data_stream/files/agent/stream/httpjson.yml.hbs deleted file mode 100755 index 33f251e7d6..0000000000 --- a/packages/zeek/2.5.2/data_stream/files/agent/stream/httpjson.yml.hbs +++ /dev/null @@ -1,63 +0,0 @@ -config_version: 2 -interval: {{interval}} -{{#unless token}} -{{#if username}} -{{#if password}} -auth.basic.user: {{username}} -auth.basic.password: {{password}} -{{/if}} -{{/if}} -{{/unless}} -cursor: - index_earliest: - value: '[[.last_event.result.max_indextime]]' -request.url: {{url}}/services/search/jobs/export -{{#if ssl}} -request.ssl: {{ssl}} -{{/if}} -request.method: POST -request.transforms: - - set: - target: url.params.search - value: {{search}} | streamstats max(_indextime) AS max_indextime - - set: - target: url.params.output_mode - value: "json" - - set: - target: url.params.index_earliest - value: '[[ .cursor.index_earliest ]]' - default: '[[(now (parseDuration "-{{interval}}")).Unix]]' - - set: - target: url.params.index_latest - value: '[[(now).Unix]]' - - set: - target: header.Content-Type - value: application/x-www-form-urlencoded -{{#unless username}} -{{#unless password}} -{{#if token}} - - set: - target: header.Authorization - value: {{token}} -{{/if}} -{{/unless}} -{{/unless}} -response.decode_as: application/x-ndjson -response.split: - target: body.result._raw - type: string - delimiter: "\n" -tags: -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#each tags as |tag i|}} - - {{tag}} -{{/each}} -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} -{{#if processors}} -processors: -{{processors}} -{{/if}} diff --git a/packages/zeek/2.5.2/data_stream/files/agent/stream/log.yml.hbs b/packages/zeek/2.5.2/data_stream/files/agent/stream/log.yml.hbs deleted file mode 100755 index 30e7049925..0000000000 --- a/packages/zeek/2.5.2/data_stream/files/agent/stream/log.yml.hbs +++ /dev/null 
@@ -1,21 +0,0 @@ -paths: -{{#each base_paths}} - {{#each ../filenames}} - - {{../this}}/{{this}} - {{/each}} -{{/each}} -exclude_files: [".gz$"] -tags: -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#each tags as |tag i|}} - - {{tag}} -{{/each}} -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} -{{#if processors}} -processors: -{{processors}} -{{/if}} \ No newline at end of file diff --git a/packages/zeek/2.5.2/data_stream/files/elasticsearch/ingest_pipeline/default.yml b/packages/zeek/2.5.2/data_stream/files/elasticsearch/ingest_pipeline/default.yml deleted file mode 100755 index 2980c44181..0000000000 --- a/packages/zeek/2.5.2/data_stream/files/elasticsearch/ingest_pipeline/default.yml +++ /dev/null 
@@ -1,137 +0,0 @@ ---- -description: Pipeline for normalizing Zeek files.log -processors: - - rename: - field: message - target_field: event.original - - json: - field: event.original - target_field: _temp_ - - pipeline: - if: ctx?._temp_?.result != null - name: '{{ IngestPipeline "third-party" }}' - - drop: - description: Drop if no timestamp (invalid json) - if: 'ctx?._temp_?.ts == null' - - rename: - field: _temp_ - target_field: zeek.files - -# Sets event.created from the @timestamp field generated by filebeat before being overwritten further down - - set: - field: event.created - copy_from: "@timestamp" - - set: - field: event.kind - value: event - - set: - field: ecs.version - value: '8.4.0' - - append: - field: event.category - value: file - - append: - field: event.type - value: info - - rename: - field: zeek.files.conn_uids - target_field: zeek.files.session_ids - ignore_missing: true - - set: - field: file.mime_type - copy_from: zeek.files.mime_type - if: ctx?.zeek?.files?.mime_type != null - - rename: - field: zeek.files.filename - target_field: file.name - ignore_missing: true - - rename: - field: zeek.files.total_bytes - target_field: file.size - ignore_missing: true - - set: - field: file.hash.md5 - copy_from: zeek.files.md5 - if: ctx?.zeek?.files?.md5 != null - - set: - field: file.hash.sha1 - copy_from: zeek.files.sha1 - if: ctx?.zeek?.files?.sha1 != null - - set: - field: file.hash.sha256 - copy_from: zeek.files.sha256 - if: ctx?.zeek?.files?.sha256 != null - - date: - field: zeek.files.ts - formats: - - UNIX - - ISO8601 - - remove: - field: zeek.files.ts - - script: - lang: painless - source: ctx.zeek.session_id = ctx.zeek.files.session_ids[0]; - if: ctx.zeek.files.session_ids != null - ignore_failure: true - - set: - field: event.id - copy_from: zeek.session_id - if: ctx.zeek.session_id != null - - foreach: - field: zeek.files.tx_hosts - processor: - append: - field: related.ip - value: "{{_ingest._value}}" - ignore_missing: true - - script: - 
lang: painless - source: ctx.zeek.files.tx_host = ctx.zeek.files.tx_hosts[0]; ctx.zeek.files.remove('tx_hosts'); - ignore_failure: true - - set: - field: server.ip - copy_from: zeek.files.tx_host - if: "ctx?.zeek?.files?.tx_host != null" - - foreach: - field: zeek.files.rx_hosts - processor: - append: - field: related.ip - value: "{{_ingest._value}}" - ignore_missing: true - - script: - lang: painless - source: ctx.zeek.files.rx_host = ctx.zeek.files.rx_hosts[0]; ctx.zeek.files.remove('rx_hosts'); - ignore_failure: true - - set: - field: client.ip - value: "{{zeek.files.rx_host}}" - if: "ctx?.zeek?.files?.rx_host != null" - - append: - field: related.hash - value: "{{file.hash.md5}}" - if: "ctx?.file?.hash?.md5 != null" - allow_duplicates: false - - append: - field: related.hash - value: "{{file.hash.sha1}}" - if: "ctx?.file?.hash?.sha1 != null" - allow_duplicates: false - - append: - field: related.hash - value: "{{file.hash.sha256}}" - if: "ctx?.file?.hash?.sha256 != null" - allow_duplicates: false - - remove: - field: - - zeek.files.x509 - ignore_missing: true - - remove: - field: event.original - if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" - ignore_failure: true - ignore_missing: true -on_failure: - - set: - field: error.message - value: "{{ _ingest.on_failure_message }}" diff --git a/packages/zeek/2.5.2/data_stream/files/elasticsearch/ingest_pipeline/third-party.yml b/packages/zeek/2.5.2/data_stream/files/elasticsearch/ingest_pipeline/third-party.yml deleted file mode 100755 index 5bc2247db2..0000000000 --- a/packages/zeek/2.5.2/data_stream/files/elasticsearch/ingest_pipeline/third-party.yml +++ /dev/null 
@@ -1,39 +0,0 @@ ---- -description: Pipeline for parsing Zeek logs from third party api -processors: - - fingerprint: - fields: - - _temp_.result._cd - - _temp_.result._indextime - - _temp_.result._raw - - _temp_.result._time - - _temp_.result.host - - _temp_.result.source - target_field: '_id' - ignore_missing: true - - set: - field: event.original - copy_from: _temp_.result._raw - ignore_empty_value: true - - set: - field: host.name - copy_from: _temp_.result.host - ignore_empty_value: true - - set: - copy_from: _temp_.result.source - field: log.file.path - ignore_empty_value: true - - remove: - field: _temp_ - ignore_missing: true - - json: - field: event.original - target_field: _temp_ -on_failure: - - append: - field: error.message - value: >- - error in third party api pipeline: - error in [{{_ingest.on_failure_processor_type}}] processor{{#_ingest.on_failure_processor_tag}} - with tag [{{_ingest.on_failure_processor_tag }}]{{/_ingest.on_failure_processor_tag}} - {{ _ingest.on_failure_message }} diff --git a/packages/zeek/2.5.2/data_stream/files/fields/agent.yml b/packages/zeek/2.5.2/data_stream/files/fields/agent.yml deleted file mode 100755 index ed1313d1b0..0000000000 --- a/packages/zeek/2.5.2/data_stream/files/fields/agent.yml +++ /dev/null 
@@ -1,171 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: "Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on." - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: "The cloud account or organization id used to identify different entities in a multi-tenant environment.\nExamples: AWS account id, Google Cloud ORG Id, or other unique identifier." - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: "Container fields are used for meta information about the specific container that is the source of information.\nThese fields help correlate data based containers from any runtime." - type: group - fields: - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: "A host is defined as a general computing instance.\nECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes." - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: "Name of the domain of which the host is a member.\nFor example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider." - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: "Hostname of the host.\nIt normally contains what the `hostname` command returns on the host machine." - - name: id - level: core - type: keyword - ignore_above: 1024 - description: "Unique host id.\nAs hostname is not always unique, use values that are meaningful in your environment.\nExample: The current usage of `beat.name`." - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. 
- - name: name - level: core - type: keyword - ignore_above: 1024 - description: "Name of the host.\nIt can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use." - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: "Type of host.\nFor Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment." - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - diff --git a/packages/zeek/2.5.2/data_stream/files/fields/base-fields.yml b/packages/zeek/2.5.2/data_stream/files/fields/base-fields.yml deleted file mode 100755 index 48206e9d51..0000000000 --- a/packages/zeek/2.5.2/data_stream/files/fields/base-fields.yml +++ /dev/null 
@@ -1,20 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: event.module - type: constant_keyword - description: Event module - value: zeek -- name: event.dataset - type: constant_keyword - description: Event dataset - value: zeek.files -- name: '@timestamp' - type: date - description: Event timestamp. diff --git a/packages/zeek/2.5.2/data_stream/files/fields/beats.yml b/packages/zeek/2.5.2/data_stream/files/fields/beats.yml deleted file mode 100755 index 470f5fae48..0000000000 --- a/packages/zeek/2.5.2/data_stream/files/fields/beats.yml +++ /dev/null @@ -1,23 +0,0 @@ -- description: Unique container id. - ignore_above: 1024 - name: container.id - type: keyword -- description: Type of Filebeat input. - name: input.type - type: keyword -- description: Full path to the log file this event came from. - example: /var/log/fun-times.log - ignore_above: 1024 - name: log.file.path - type: keyword -- description: Flags for the log file. - name: log.flags - type: keyword -- description: Offset of the entry in the log file. - name: log.offset - type: long -- description: List of keywords used to tag each event. - example: '["production", "env2"]' - ignore_above: 1024 - name: tags - type: keyword diff --git a/packages/zeek/2.5.2/data_stream/files/fields/ecs.yml b/packages/zeek/2.5.2/data_stream/files/fields/ecs.yml deleted file mode 100755 index cb3b3aefc7..0000000000 --- a/packages/zeek/2.5.2/data_stream/files/fields/ecs.yml +++ /dev/null 
@@ -1,87 +0,0 @@ -- description: IP address of the client (IPv4 or IPv6). - name: client.ip - type: ip -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: Error message. - name: error.message - type: match_only_text -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. This will allow proper categorization of some events that fall in multiple categories. - name: event.category - normalize: - - array - type: keyword -- description: |- - event.created contains the date/time when the event was first read by an agent, or by your pipeline. - This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. - In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. - In case the two timestamps are identical, @timestamp should be used. - name: event.created - type: date -- description: Unique ID to describe the event. - name: event.id - type: keyword -- description: |- - Timestamp when an event arrived in the central data store. - This is different from `@timestamp`, which is when the event originally occurred. 
It's also different from `event.created`, which is meant to capture the first time an agent saw the event. - In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. - name: event.ingested - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. - `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. This will allow proper categorization of some events that fall in multiple event types. - name: event.type - normalize: - - array - type: keyword -- description: MD5 hash. - name: file.hash.md5 - type: keyword -- description: SHA1 hash. - name: file.hash.sha1 - type: keyword -- description: SHA256 hash. - name: file.hash.sha256 - type: keyword -- description: MIME type should identify the format of the file or stream of bytes using https://www.iana.org/assignments/media-types/media-types.xhtml[IANA official types], where possible. When more than one type is applicable, the most specific type should be used. 
- name: file.mime_type - type: keyword -- description: Name of the file including the extension, without the directory. - name: file.name - type: keyword -- description: |- - File size in bytes. - Only relevant when `file.type` is "file". - name: file.size - type: long -- description: Host ip addresses. - name: host.ip - normalize: - - array - type: ip -- description: All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). - name: related.hash - normalize: - - array - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - normalize: - - array - type: ip -- description: IP address of the server (IPv4 or IPv6). - name: server.ip - type: ip diff --git a/packages/zeek/2.5.2/data_stream/files/fields/fields.yml b/packages/zeek/2.5.2/data_stream/files/fields/fields.yml deleted file mode 100755 index e7d400751c..0000000000 --- a/packages/zeek/2.5.2/data_stream/files/fields/fields.yml +++ /dev/null 
@@ -1,112 +0,0 @@ -- name: zeek.files - type: group - fields: - - name: fuid - type: keyword - description: | - A file unique identifier. - - name: tx_host - type: ip - description: | - The host that transferred the file. - - name: rx_host - type: ip - description: | - The host that received the file. - - name: session_ids - type: keyword - description: | - The sessions that have this file. - - name: source - type: keyword - description: | - An identification of the source of the file data. E.g. it may be a network protocol - over which it was transferred, or a local file path which was read, or some other - input source. - - name: depth - type: long - description: | - A value to represent the depth of this file in relation to its source. In SMTP, it - is the depth of the MIME attachment on the message. In HTTP, it is the depth of the - request within the TCP connection. - - name: analyzers - type: keyword - description: | - A set of analysis types done during the file analysis. - - name: mime_type - type: keyword - description: | - Mime type of the file. - - name: filename - type: keyword - description: | - Name of the file if available. - - name: local_orig - type: boolean - description: | - If the source of this file is a network connection, this field indicates if the data - originated from the local network or not. - - name: is_orig - type: boolean - description: | - If the source of this file is a network connection, this field indicates if the file is - being sent by the originator of the connection or the responder. - - name: duration - type: double - description: | - The duration the file was analyzed for. Not the duration of the session. - - name: seen_bytes - type: long - description: | - Number of bytes provided to the file analysis engine for the file. - - name: total_bytes - type: long - description: | - Total number of bytes that are supposed to comprise the full file. 
- - name: missing_bytes - type: long - description: | - The number of bytes in the file stream that were completely missed during the process - of analysis. - - name: overflow_bytes - type: long - description: | - The number of bytes in the file stream that were not delivered to stream file analyzers. - This could be overlapping bytes or bytes that couldn't be reassembled. - - name: timedout - type: boolean - description: | - Whether the file analysis timed out at least once for the file. - - name: parent_fuid - type: keyword - description: | - Identifier associated with a container file from which this one was extracted as part of - the file analysis. - - name: md5 - type: keyword - description: | - An MD5 digest of the file contents. - - name: sha1 - type: keyword - description: | - A SHA1 digest of the file contents. - - name: sha256 - type: keyword - description: | - A SHA256 digest of the file contents. - - name: extracted - type: keyword - description: | - Local filename of extracted file. - - name: extracted_cutoff - type: boolean - description: | - Indicate whether the file being extracted was cut off hence not extracted completely. - - name: extracted_size - type: long - description: | - The number of bytes extracted to disk. - - name: entropy - type: double - description: | - The information density of the contents of the file. diff --git a/packages/zeek/2.5.2/data_stream/files/fields/package-fields.yml b/packages/zeek/2.5.2/data_stream/files/fields/package-fields.yml deleted file mode 100755 index 4d6d6ea170..0000000000 --- a/packages/zeek/2.5.2/data_stream/files/fields/package-fields.yml +++ /dev/null @@ -1,7 +0,0 @@ -- name: zeek - type: group - fields: - - name: session_id - type: keyword - description: | - A unique identifier of the session diff --git a/packages/zeek/2.5.2/data_stream/files/manifest.yml b/packages/zeek/2.5.2/data_stream/files/manifest.yml deleted file mode 100755 index b87633f651..0000000000 
--- a/packages/zeek/2.5.2/data_stream/files/manifest.yml +++ /dev/null 
@@ -1,84 +0,0 @@ -type: logs -title: Zeek files logs -streams: - - input: logfile - vars: - - name: filenames - type: text - title: Filename of the files log file - multi: true - required: true - show_user: true - default: - - files.log - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: false - default: - - zeek-files - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original` - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: > - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. - - template_path: log.yml.hbs - title: Zeek files.log - description: Collect Zeek files logs - - input: httpjson - title: Zeek files logs via Splunk Enterprise REST API - description: Collect Zeek files logs via Splunk Enterprise REST API - enabled: false - template_path: httpjson.yml.hbs - vars: - - name: interval - type: text - title: Interval to query Splunk Enterprise REST API - description: Go Duration syntax (eg. 
10s) - show_user: true - required: true - default: 10s - - name: search - type: text - title: Splunk search string - show_user: true - required: true - default: "search sourcetype=\"files-*\"" - - name: tags - type: text - title: Tags - multi: true - show_user: false - default: - - forwarded - - zeek-files - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original` - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: >- - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. diff --git a/packages/zeek/2.5.2/data_stream/ftp/agent/stream/httpjson.yml.hbs b/packages/zeek/2.5.2/data_stream/ftp/agent/stream/httpjson.yml.hbs deleted file mode 100755 index 33f251e7d6..0000000000 --- a/packages/zeek/2.5.2/data_stream/ftp/agent/stream/httpjson.yml.hbs +++ /dev/null 
@@ -1,63 +0,0 @@ -config_version: 2 -interval: {{interval}} -{{#unless token}} -{{#if username}} -{{#if password}} -auth.basic.user: {{username}} -auth.basic.password: {{password}} -{{/if}} -{{/if}} -{{/unless}} -cursor: - index_earliest: - value: '[[.last_event.result.max_indextime]]' -request.url: {{url}}/services/search/jobs/export -{{#if ssl}} -request.ssl: {{ssl}} -{{/if}} -request.method: POST -request.transforms: - - set: - target: url.params.search - value: {{search}} | streamstats max(_indextime) AS max_indextime - - set: - target: url.params.output_mode - value: "json" - - set: - target: url.params.index_earliest - value: '[[ .cursor.index_earliest ]]' - default: '[[(now (parseDuration "-{{interval}}")).Unix]]' - - set: - target: url.params.index_latest - value: '[[(now).Unix]]' - - set: - target: header.Content-Type - value: application/x-www-form-urlencoded -{{#unless username}} -{{#unless password}} -{{#if token}} - - set: - target: header.Authorization - value: {{token}} -{{/if}} -{{/unless}} -{{/unless}} -response.decode_as: application/x-ndjson -response.split: - target: body.result._raw - type: string - delimiter: "\n" -tags: -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#each tags as |tag i|}} - - {{tag}} -{{/each}} -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} -{{#if processors}} -processors: -{{processors}} -{{/if}} diff --git a/packages/zeek/2.5.2/data_stream/ftp/agent/stream/log.yml.hbs b/packages/zeek/2.5.2/data_stream/ftp/agent/stream/log.yml.hbs deleted file mode 100755 index 30e7049925..0000000000 --- a/packages/zeek/2.5.2/data_stream/ftp/agent/stream/log.yml.hbs +++ /dev/null 
@@ -1,21 +0,0 @@ -paths: -{{#each base_paths}} - {{#each ../filenames}} - - {{../this}}/{{this}} - {{/each}} -{{/each}} -exclude_files: [".gz$"] -tags: -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#each tags as |tag i|}} - - {{tag}} -{{/each}} -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} -{{#if processors}} -processors: -{{processors}} -{{/if}} \ No newline at end of file diff --git a/packages/zeek/2.5.2/data_stream/ftp/elasticsearch/ingest_pipeline/default.yml b/packages/zeek/2.5.2/data_stream/ftp/elasticsearch/ingest_pipeline/default.yml deleted file mode 100755 index 17bac96b50..0000000000 --- a/packages/zeek/2.5.2/data_stream/ftp/elasticsearch/ingest_pipeline/default.yml +++ /dev/null 
@@ -1,233 +0,0 @@ ---- -description: Pipeline for normalizing Zeek ftp.log -processors: - - rename: - field: message - target_field: event.original - - json: - field: event.original - target_field: _temp_ - - pipeline: - if: ctx?._temp_?.result != null - name: '{{ IngestPipeline "third-party" }}' - - drop: - description: Drop if no timestamp (invalid json) - if: 'ctx?._temp_?.ts == null' - - rename: - field: _temp_ - target_field: zeek.ftp - -# Sets event.created from the @timestamp field generated by filebeat before being overwritten further down - - set: - field: event.created - copy_from: "@timestamp" - - set: - field: event.kind - value: event - - set: - field: ecs.version - value: '8.4.0' - - append: - field: event.category - value: network - - append: - field: event.type - value: connection - - append: - field: event.type - value: protocol - - append: - field: event.type - value: info - - set: - field: network.transport - value: tcp - - set: - field: network.protocol - value: ftp - - dot_expander: - path: zeek.ftp - field: id.orig_p - ignore_failure: true - - dot_expander: - path: zeek.ftp - field: id.orig_h - ignore_failure: true - - dot_expander: - path: zeek.ftp - field: id.resp_h - ignore_failure: true - - dot_expander: - path: zeek.ftp - field: id.resp_p - ignore_failure: true - - rename: - field: zeek.ftp.id.orig_h - target_field: source.address - ignore_missing: true - - rename: - field: zeek.ftp.id.orig_p - target_field: source.port - ignore_missing: true - - rename: - field: zeek.ftp.id.resp_h - target_field: destination.address - ignore_missing: true - - rename: - field: zeek.ftp.id.resp_p - target_field: destination.port - ignore_missing: true - - rename: - field: zeek.ftp.uid - target_field: zeek.session_id - ignore_missing: true - - set: - field: event.id - copy_from: zeek.session_id - if: ctx.zeek.session_id != null - - set: - field: source.ip - copy_from: source.address - if: ctx?.source?.address != null - - set: - field: destination.ip - 
copy_from: destination.address - if: ctx?.destination?.address != null - - set: - field: user.name - copy_from: zeek.ftp.user - if: ctx?.zeek?.ftp?.user != null - - set: - field: event.action - copy_from: zeek.ftp.command - if: ctx?.zeek?.ftp?.command != null - - rename: - field: zeek.ftp.file_size - target_field: file.size - ignore_missing: true - - rename: - field: zeek.ftp.mime_type - target_field: file.mime_type - ignore_missing: true - - rename: - field: zeek.ftp.fuid - target_field: zeek.ftp.file.uid - ignore_missing: true - - rename: - field: zeek.ftp.reply_code - target_field: zeek.ftp.reply.code - ignore_missing: true - - rename: - field: zeek.ftp.reply_msg - target_field: zeek.ftp.reply.msg - ignore_missing: true - - dot_expander: - path: zeek.ftp - field: data_channel.orig_h - ignore_failure: true - - dot_expander: - path: zeek.ftp - field: data_channel.orig_p - ignore_failure: true - - dot_expander: - path: zeek.ftp - field: data_channel.resp_h - ignore_failure: true - - dot_expander: - path: zeek.ftp - field: data_channel.resp_p - ignore_failure: true - - rename: - field: zeek.ftp.data_channel.orig_h - target_field: zeek.ftp.data_channel.originating_host - ignore_missing: true - - rename: - field: zeek.ftp.data_channel.orig_p - target_field: zeek.ftp.data_channel.originating_port - ignore_missing: true - - rename: - field: zeek.ftp.data_channel.resp_h - target_field: zeek.ftp.data_channel.response_host - ignore_missing: true - - rename: - field: zeek.ftp.data_channel.resp_p - target_field: zeek.ftp.data_channel.response_port - ignore_missing: true - - date: - field: zeek.ftp.ts - formats: - - UNIX - - ISO8601 - - remove: - field: zeek.ftp.ts - - dot_expander: - field: data_channel.passive - path: zeek.ftp - - append: - field: related.ip - value: "{{source.ip}}" - if: "ctx?.source?.ip != null" - allow_duplicates: false - - append: - field: related.ip - value: "{{destination.ip}}" - if: "ctx?.destination?.ip != null" - allow_duplicates: false - - append: 
- field: related.user - value: "{{user.name}}" - if: "ctx?.user?.name != null" - allow_duplicates: false - - geoip: - field: destination.ip - target_field: destination.geo - - geoip: - field: source.ip - target_field: source.geo - - geoip: - database_file: GeoLite2-ASN.mmdb - field: source.ip - target_field: source.as - properties: - - asn - - organization_name - ignore_missing: true - - geoip: - database_file: GeoLite2-ASN.mmdb - field: destination.ip - target_field: destination.as - properties: - - asn - - organization_name - ignore_missing: true - - rename: - field: source.as.asn - target_field: source.as.number - ignore_missing: true - - rename: - field: source.as.organization_name - target_field: source.as.organization.name - ignore_missing: true - - rename: - field: destination.as.asn - target_field: destination.as.number - ignore_missing: true - - rename: - field: destination.as.organization_name - target_field: destination.as.organization.name - ignore_missing: true - - community_id: - target_field: network.community_id - - remove: - field: - - zeek.ftp.id - ignore_missing: true - - remove: - field: event.original - if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" - ignore_failure: true - ignore_missing: true -on_failure: - - set: - field: error.message - value: "{{ _ingest.on_failure_message }}" diff --git a/packages/zeek/2.5.2/data_stream/ftp/elasticsearch/ingest_pipeline/third-party.yml b/packages/zeek/2.5.2/data_stream/ftp/elasticsearch/ingest_pipeline/third-party.yml deleted file mode 100755 index 5bc2247db2..0000000000 --- a/packages/zeek/2.5.2/data_stream/ftp/elasticsearch/ingest_pipeline/third-party.yml +++ /dev/null 
@@ -1,39 +0,0 @@ ---- -description: Pipeline for parsing Zeek logs from third party api -processors: - - fingerprint: - fields: - - _temp_.result._cd - - _temp_.result._indextime - - _temp_.result._raw - - _temp_.result._time - - _temp_.result.host - - _temp_.result.source - target_field: '_id' - ignore_missing: true - - set: - field: event.original - copy_from: _temp_.result._raw - ignore_empty_value: true - - set: - field: host.name - copy_from: _temp_.result.host - ignore_empty_value: true - - set: - copy_from: _temp_.result.source - field: log.file.path - ignore_empty_value: true - - remove: - field: _temp_ - ignore_missing: true - - json: - field: event.original - target_field: _temp_ -on_failure: - - append: - field: error.message - value: >- - error in third party api pipeline: - error in [{{_ingest.on_failure_processor_type}}] processor{{#_ingest.on_failure_processor_tag}} - with tag [{{_ingest.on_failure_processor_tag }}]{{/_ingest.on_failure_processor_tag}} - {{ _ingest.on_failure_message }} diff --git a/packages/zeek/2.5.2/data_stream/ftp/fields/agent.yml b/packages/zeek/2.5.2/data_stream/ftp/fields/agent.yml deleted file mode 100755 index ed1313d1b0..0000000000 --- a/packages/zeek/2.5.2/data_stream/ftp/fields/agent.yml +++ /dev/null 
@@ -1,171 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: "Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on." - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: "The cloud account or organization id used to identify different entities in a multi-tenant environment.\nExamples: AWS account id, Google Cloud ORG Id, or other unique identifier." - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: "Container fields are used for meta information about the specific container that is the source of information.\nThese fields help correlate data based containers from any runtime." - type: group - fields: - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: "A host is defined as a general computing instance.\nECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes." - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: "Name of the domain of which the host is a member.\nFor example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider." - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: "Hostname of the host.\nIt normally contains what the `hostname` command returns on the host machine." - - name: id - level: core - type: keyword - ignore_above: 1024 - description: "Unique host id.\nAs hostname is not always unique, use values that are meaningful in your environment.\nExample: The current usage of `beat.name`." - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. 
- - name: name - level: core - type: keyword - ignore_above: 1024 - description: "Name of the host.\nIt can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use." - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: "Type of host.\nFor Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment." - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - diff --git a/packages/zeek/2.5.2/data_stream/ftp/fields/base-fields.yml b/packages/zeek/2.5.2/data_stream/ftp/fields/base-fields.yml deleted file mode 100755 index 96d39c2748..0000000000 --- a/packages/zeek/2.5.2/data_stream/ftp/fields/base-fields.yml +++ /dev/null 
@@ -1,20 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: event.module - type: constant_keyword - description: Event module - value: zeek -- name: event.dataset - type: constant_keyword - description: Event dataset - value: zeek.ftp -- name: '@timestamp' - type: date - description: Event timestamp. diff --git a/packages/zeek/2.5.2/data_stream/ftp/fields/beats.yml b/packages/zeek/2.5.2/data_stream/ftp/fields/beats.yml deleted file mode 100755 index 470f5fae48..0000000000 --- a/packages/zeek/2.5.2/data_stream/ftp/fields/beats.yml +++ /dev/null @@ -1,23 +0,0 @@ -- description: Unique container id. - ignore_above: 1024 - name: container.id - type: keyword -- description: Type of Filebeat input. - name: input.type - type: keyword -- description: Full path to the log file this event came from. - example: /var/log/fun-times.log - ignore_above: 1024 - name: log.file.path - type: keyword -- description: Flags for the log file. - name: log.flags - type: keyword -- description: Offset of the entry in the log file. - name: log.offset - type: long -- description: List of keywords used to tag each event. - example: '["production", "env2"]' - ignore_above: 1024 - name: tags - type: keyword diff --git a/packages/zeek/2.5.2/data_stream/ftp/fields/ecs.yml b/packages/zeek/2.5.2/data_stream/ftp/fields/ecs.yml deleted file mode 100755 index d30caf988a..0000000000 --- a/packages/zeek/2.5.2/data_stream/ftp/fields/ecs.yml +++ /dev/null 
@@ -1,189 +0,0 @@ -- description: |- - Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: destination.address - type: keyword -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: destination.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: destination.as.organization.name - type: keyword -- description: City name. - name: destination.geo.city_name - type: keyword -- description: Name of the continent. - name: destination.geo.continent_name - type: keyword -- description: Country ISO code. - name: destination.geo.country_iso_code - type: keyword -- description: Country name. - name: destination.geo.country_name - type: keyword -- description: Longitude and latitude. - name: destination.geo.location - type: geo_point -- description: |- - User-defined description of a location, at the level of granularity they care about. - Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. - Not typically used in automated geolocation. - name: destination.geo.name - type: keyword -- description: Region ISO code. - name: destination.geo.region_iso_code - type: keyword -- description: Region name. - name: destination.geo.region_name - type: keyword -- description: IP address of the destination (IPv4 or IPv6). - name: destination.ip - type: ip -- description: Port of the destination. - name: destination.port - type: long -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. 
- When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: Error message. - name: error.message - type: match_only_text -- description: |- - The action captured by the event. - This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. - name: event.action - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. This will allow proper categorization of some events that fall in multiple categories. - name: event.category - normalize: - - array - type: keyword -- description: |- - event.created contains the date/time when the event was first read by an agent, or by your pipeline. - This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. - In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. - In case the two timestamps are identical, @timestamp should be used. - name: event.created - type: date -- description: Unique ID to describe the event. - name: event.id - type: keyword -- description: |- - Timestamp when an event arrived in the central data store. 
- This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. - In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. - name: event.ingested - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. - `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. This will allow proper categorization of some events that fall in multiple event types. - name: event.type - normalize: - - array - type: keyword -- description: MIME type should identify the format of the file or stream of bytes using https://www.iana.org/assignments/media-types/media-types.xhtml[IANA official types], where possible. When more than one type is applicable, the most specific type should be used. - name: file.mime_type - type: keyword -- description: |- - File size in bytes. - Only relevant when `file.type` is "file". - name: file.size - type: long -- description: Host ip addresses. 
- name: host.ip - normalize: - - array - type: ip -- description: |- - A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. - Learn more at https://github.com/corelight/community-id-spec. - name: network.community_id - type: keyword -- description: |- - In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. - The field value must be normalized to lowercase for querying. - name: network.protocol - type: keyword -- description: |- - Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) - The field value must be normalized to lowercase for querying. - name: network.transport - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - normalize: - - array - type: ip -- description: All the user names or other user identifiers seen on the event. - name: related.user - normalize: - - array - type: keyword -- description: |- - Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: source.address - type: keyword -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: source.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: source.as.organization.name - type: keyword -- description: City name. - name: source.geo.city_name - type: keyword -- description: Name of the continent. - name: source.geo.continent_name - type: keyword -- description: Country ISO code. - name: source.geo.country_iso_code - type: keyword -- description: Country name. 
- name: source.geo.country_name - type: keyword -- description: Longitude and latitude. - name: source.geo.location - type: geo_point -- description: |- - User-defined description of a location, at the level of granularity they care about. - Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. - Not typically used in automated geolocation. - name: source.geo.name - type: keyword -- description: Region ISO code. - name: source.geo.region_iso_code - type: keyword -- description: Region name. - name: source.geo.region_name - type: keyword -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: Port of the source. - name: source.port - type: long -- description: Short name or login of the user. - multi_fields: - - name: text - type: match_only_text - name: user.name - type: keyword diff --git a/packages/zeek/2.5.2/data_stream/ftp/fields/fields.yml b/packages/zeek/2.5.2/data_stream/ftp/fields/fields.yml deleted file mode 100755 index ca17231e59..0000000000 --- a/packages/zeek/2.5.2/data_stream/ftp/fields/fields.yml +++ /dev/null 
@@ -1,101 +0,0 @@
-- name: zeek.ftp
- type: group
- fields:
- - name: user
- type: keyword
- description: |
- User name for the current FTP session.
- - name: password
- type: keyword
- description: |
- Password for the current FTP session if captured.
- - name: command
- type: keyword
- description: |
- Command given by the client.
- - name: arg
- type: keyword
- description: |
- Argument for the command if one is given.
- - name: file
- type: group
- fields:
- - name: size
- type: long
- description: |
- Size of the file if the command indicates a file transfer.
- - name: mime_type
- type: keyword
- description: |
- Sniffed mime type of file.
- - name: fuid
- type: keyword
- description: |
- (present if base/protocols/ftp/files.bro is loaded)
- File unique ID.
- - name: reply
- type: group
- fields:
- - name: code
- type: integer
- description: |
- Reply code from the server in response to the command.
- - name: msg
- type: keyword
- description: |
- Reply message from the server in response to the command.
- - name: data_channel
- type: group
- fields:
- - name: passive
- type: boolean
- description: |
- Whether PASV mode is toggled for control channel.
- - name: originating_host
- type: ip
- description: |
- The host that will be initiating the data connection.
- - name: response_host
- type: ip
- description: |
- The host that will be accepting the data connection.
- - name: response_port
- type: integer
- description: |
- The port at which the acceptor is listening for the data connection.
- - name: cwd
- type: keyword
- description: |
- Current working directory that this session is in. By making the default value '.', we can indicate that unless something more concrete is discovered that the existing but unknown directory is ok to use.
- - name: cmdarg
- type: group
- fields:
- - name: cmd
- type: keyword
- description: |
- Command.
- - name: arg
- type: keyword
- description: |
- Argument for the command if one was given.
- - name: seq
- type: integer
- description: |
- Counter to track how many commands have been executed.
- - name: pending_commands
- type: integer
- description: |
- Queue for commands that have been sent but not yet responded to are tracked here.
- - name: passive
- type: boolean
- description: |
- Indicates if the session is in active or passive mode.
- - name: capture_password
- type: boolean
- description: |
- Determines if the password will be captured for this request.
- - name: last_auth_requested
- type: keyword
- description: |
- present if base/protocols/ftp/gridftp.bro is loaded.
- Last authentication/security mechanism that was used.
diff --git a/packages/zeek/2.5.2/data_stream/ftp/fields/package-fields.yml b/packages/zeek/2.5.2/data_stream/ftp/fields/package-fields.yml
deleted file mode 100755
index 4d6d6ea170..0000000000
--- a/packages/zeek/2.5.2/data_stream/ftp/fields/package-fields.yml
+++ /dev/null
@@ -1,7 +0,0 @@
-- name: zeek
- type: group
- fields:
- - name: session_id
- type: keyword
- description: |
- A unique identifier of the session
diff --git a/packages/zeek/2.5.2/data_stream/ftp/manifest.yml b/packages/zeek/2.5.2/data_stream/ftp/manifest.yml
deleted file mode 100755
index d3f67f3067..0000000000
--- a/packages/zeek/2.5.2/data_stream/ftp/manifest.yml
+++ /dev/null
@@ -1,85 +0,0 @@
-type: logs
-title: Zeek ftp logs
-streams:
- - input: logfile
- vars:
- - name: filenames
- type: text
- title: Filename of ftp log file
- multi: true
- required: true
- show_user: true
- default:
- - ftp.log
- - name: tags
- type: text
- title: Tags
- multi: true
- required: true
- show_user: false
- default:
- - forwarded
- - zeek-ftp
- - name: preserve_original_event
- required: true
- show_user: true
- title: Preserve original event
- description: Preserves a raw copy of the original event, added to the field `event.original`
- type: bool
- multi: false
- default: false
- - name: processors
- type: yaml
- title: Processors
- multi: false
- required: false
- show_user: false
- description: >
- Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
- template_path: log.yml.hbs
- title: Zeek ftp.log
- description: Collect Zeek ftp logs
- - input: httpjson
- title: Zeek ftp logs via Splunk Enterprise REST API
- description: Collect Zeek ftp logs via Splunk Enterprise REST API
- enabled: false
- template_path: httpjson.yml.hbs
- vars:
- - name: interval
- type: text
- title: Interval to query Splunk Enterprise REST API
- description: Go Duration syntax (eg. 10s)
- show_user: true
- required: true
- default: 10s
- - name: search
- type: text
- title: Splunk search string
- show_user: true
- required: true
- default: "search sourcetype=\"ftp-*\""
- - name: tags
- type: text
- title: Tags
- multi: true
- show_user: false
- default:
- - forwarded
- - zeek-ftp
- - name: preserve_original_event
- required: true
- show_user: true
- title: Preserve original event
- description: Preserves a raw copy of the original event, added to the field `event.original`
- type: bool
- multi: false
- default: false
- - name: processors
- type: yaml
- title: Processors
- multi: false
- required: false
- show_user: false
- description: >-
- Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
diff --git a/packages/zeek/2.5.2/data_stream/http/agent/stream/httpjson.yml.hbs b/packages/zeek/2.5.2/data_stream/http/agent/stream/httpjson.yml.hbs
deleted file mode 100755
index 33f251e7d6..0000000000
--- a/packages/zeek/2.5.2/data_stream/http/agent/stream/httpjson.yml.hbs
+++ /dev/null
@@ -1,63 +0,0 @@
-config_version: 2
-interval: {{interval}}
-{{#unless token}}
-{{#if username}}
-{{#if password}}
-auth.basic.user: {{username}}
-auth.basic.password: {{password}}
-{{/if}}
-{{/if}}
-{{/unless}}
-cursor:
- index_earliest:
- value: '[[.last_event.result.max_indextime]]'
-request.url: {{url}}/services/search/jobs/export
-{{#if ssl}}
-request.ssl: {{ssl}}
-{{/if}}
-request.method: POST
-request.transforms:
- - set:
- target: url.params.search
- value: {{search}} | streamstats max(_indextime) AS max_indextime
- - set:
- target: url.params.output_mode
- value: "json"
- - set:
- target: url.params.index_earliest
- value: '[[ .cursor.index_earliest ]]'
- default: '[[(now (parseDuration "-{{interval}}")).Unix]]'
- - set:
- target: url.params.index_latest
- value: '[[(now).Unix]]'
- - set:
- target: header.Content-Type
- value: application/x-www-form-urlencoded
-{{#unless username}}
-{{#unless password}}
-{{#if token}}
- - set:
- target: header.Authorization
- value: {{token}}
-{{/if}}
-{{/unless}}
-{{/unless}}
-response.decode_as: application/x-ndjson
-response.split:
- target: body.result._raw
- type: string
- delimiter: "\n"
-tags:
-{{#if preserve_original_event}}
- - preserve_original_event
-{{/if}}
-{{#each tags as |tag i|}}
- - {{tag}}
-{{/each}}
-{{#contains "forwarded" tags}}
-publisher_pipeline.disable_host: true
-{{/contains}}
-{{#if processors}}
-processors:
-{{processors}}
-{{/if}}
diff --git a/packages/zeek/2.5.2/data_stream/http/agent/stream/log.yml.hbs b/packages/zeek/2.5.2/data_stream/http/agent/stream/log.yml.hbs
deleted file mode 100755
index 9dd9f724a5..0000000000
--- a/packages/zeek/2.5.2/data_stream/http/agent/stream/log.yml.hbs
+++ /dev/null
@@ -1,21 +0,0 @@
-paths:
-{{#each base_paths}}
- {{#each ../filenames}}
- - {{../this}}/{{this}}
- {{/each}}
-{{/each}}
-exclude_files: [".gz$"]
-tags:
-{{#if preserve_original_event}}
- - preserve_original_event
-{{/if}}
-{{#each tags as |tag i|}}
- - {{tag}}
-{{/each}}
-{{#contains "forwarded" tags}}
-publisher_pipeline.disable_host: true
-{{/contains}}
-{{#if processors}}
-processors:
-{{processors}}
-{{/if}}
diff --git a/packages/zeek/2.5.2/data_stream/http/elasticsearch/ingest_pipeline/default.yml b/packages/zeek/2.5.2/data_stream/http/elasticsearch/ingest_pipeline/default.yml
deleted file mode 100755
index d847f409bc..0000000000
--- a/packages/zeek/2.5.2/data_stream/http/elasticsearch/ingest_pipeline/default.yml
+++ /dev/null
@@ -1,251 +0,0 @@
----
-description: Pipeline for normalizing Zeek http.log
-processors:
- - rename:
- field: message
- target_field: event.original
- - json:
- field: event.original
- target_field: _temp_
- - pipeline:
- if: ctx?._temp_?.result != null
- name: '{{ IngestPipeline "third-party" }}'
- - drop:
- description: Drop if no timestamp (invalid json)
- if: 'ctx?._temp_?.ts == null'
- - rename:
- field: _temp_
- target_field: zeek.http
-
-# Sets event.created from the @timestamp field generated by filebeat before being overwritten further down
- - set:
- field: event.created
- copy_from: "@timestamp"
- - set:
- field: event.kind
- value: event
- - set:
- field: ecs.version
- value: '8.4.0'
- - append:
- field: event.category
- value: network
- - append:
- field: event.category
- value: web
- - append:
- field: event.type
- value: connection
- - append:
- field: event.type
- value: protocol
- - append:
- field: event.type
- value: info
- - set:
- field: network.transport
- value: tcp
- - dot_expander:
- path: zeek.http
- field: id.orig_p
- ignore_failure: true
- - dot_expander:
- path: zeek.http
- field: id.orig_h
- ignore_failure: true
- - dot_expander:
- path: zeek.http
- field: id.resp_h
- ignore_failure: true
- - dot_expander:
- path: zeek.http
- field: id.resp_p
- ignore_failure: true
- - rename:
- field: zeek.http.id.orig_h
- target_field: source.address
- ignore_missing: true
- - rename:
- field: zeek.http.id.orig_p
- target_field: source.port
- ignore_missing: true
- - rename:
- field: zeek.http.id.resp_h
- target_field: destination.address
- ignore_missing: true
- - rename:
- field: zeek.http.id.resp_p
- target_field: destination.port
- ignore_missing: true
- - rename:
- field: zeek.http.uid
- target_field: zeek.session_id
- ignore_missing: true
- - set:
- field: event.id
- copy_from: zeek.session_id
- if: ctx.zeek.session_id != null
- - set:
- field: source.ip
- copy_from: source.address
- if: ctx?.source?.address != null
- - set:
- field: destination.ip
- copy_from: destination.address
- if: ctx?.destination?.address != null
- - rename:
- field: zeek.http.method
- target_field: http.request.method
- ignore_missing: true
- - rename:
- field: zeek.http.referrer
- target_field: http.request.referrer
- ignore_missing: true
- - rename:
- field: zeek.http.status_code
- target_field: http.response.status_code
- ignore_missing: true
- - rename:
- field: zeek.http.version
- target_field: http.version
- ignore_missing: true
- - rename:
- field: zeek.http.request_body_len
- target_field: http.request.body.bytes
- ignore_missing: true
- - rename:
- field: zeek.http.response_body_len
- target_field: http.response.body.bytes
- ignore_missing: true
- - uri_parts:
- if: ctx?.zeek?.http?.uri != null
- field: zeek.http.uri
- on_failure:
- - set:
- field: url.original
- copy_from: zeek.http.uri
- ignore_failure: true
- - append:
- field: tags
- value: _zeek_http_url_parse_failure
- - remove:
- field: zeek.http.uri
- ignore_missing: true
- - remove:
- field: url.domain
- ignore_missing: true
- if: "ctx?.url?.domain == null || ctx?.url?.domain.isEmpty()"
- - remove:
- field: url.scheme
- ignore_missing: true
- if: "ctx?.url?.scheme == null || ctx?.url?.scheme.isEmpty()"
- - rename:
- field: zeek.http.host
- target_field: url.domain
- ignore_missing: true
- - rename:
- field: zeek.http.username
- target_field: url.username
- ignore_missing: true
- - rename:
- field: zeek.http.password
- target_field: url.password
- ignore_missing: true
- - rename:
- field: zeek.http.user_agent
- target_field: user_agent.original
- ignore_missing: true
- - set:
- field: event.action
- copy_from: http.request.method
- if: ctx?.http?.request?.method != null
- - set:
- field: user.name
- copy_from: url.username
- if: ctx?.url?.username != null
- - date:
- field: zeek.http.ts
- formats:
- - UNIX
- - ISO8601
- - remove:
- field: zeek.http.ts
- - geoip:
- field: destination.ip
- target_field: destination.geo
- - geoip:
- field: source.ip
- target_field: source.geo
- - geoip:
- database_file: GeoLite2-ASN.mmdb
- field: source.ip
- target_field: source.as
- properties:
- - asn
- - organization_name
- ignore_missing: true
- - geoip:
- database_file: GeoLite2-ASN.mmdb
- field: destination.ip
- target_field: destination.as
- properties:
- - asn
- - organization_name
- ignore_missing: true
- - rename:
- field: source.as.asn
- target_field: source.as.number
- ignore_missing: true
- - rename:
- field: source.as.organization_name
- target_field: source.as.organization.name
- ignore_missing: true
- - rename:
- field: destination.as.asn
- target_field: destination.as.number
- ignore_missing: true
- - rename:
- field: destination.as.organization_name
- target_field: destination.as.organization.name
- ignore_missing: true
- - user_agent:
- field: user_agent.original
- ignore_missing: true
- - set:
- field: event.outcome
- value: success
- if: "ctx?.http?.response?.status_code != null && ctx.http.response.status_code < 400"
- - set:
- field: event.outcome
- value: failure
- if: "ctx?.http?.response?.status_code != null && ctx.http.response.status_code >= 400"
- - append:
- field: related.ip
- value: "{{source.ip}}"
- if: "ctx?.source?.ip != null"
- allow_duplicates: false
- - append:
- field: related.ip
- value: "{{destination.ip}}"
- if: "ctx?.destination?.ip != null"
- allow_duplicates: false
- - append:
- field: related.user
- value: "{{url.username}}"
- if: "ctx?.url?.username != null"
- allow_duplicates: false
- - community_id:
- target_field: network.community_id
- - remove:
- field:
- - zeek.http.id
- ignore_missing: true
- - remove:
- field: event.original
- if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))"
- ignore_failure: true
- ignore_missing: true
-on_failure:
- - set:
- field: error.message
- value: "{{ _ingest.on_failure_message }}"
diff --git a/packages/zeek/2.5.2/data_stream/http/elasticsearch/ingest_pipeline/third-party.yml b/packages/zeek/2.5.2/data_stream/http/elasticsearch/ingest_pipeline/third-party.yml
deleted file mode 100755
index 5bc2247db2..0000000000
--- a/packages/zeek/2.5.2/data_stream/http/elasticsearch/ingest_pipeline/third-party.yml
+++ /dev/null
@@ -1,39 +0,0 @@
----
-description: Pipeline for parsing Zeek logs from third party api
-processors:
- - fingerprint:
- fields:
- - _temp_.result._cd
- - _temp_.result._indextime
- - _temp_.result._raw
- - _temp_.result._time
- - _temp_.result.host
- - _temp_.result.source
- target_field: '_id'
- ignore_missing: true
- - set:
- field: event.original
- copy_from: _temp_.result._raw
- ignore_empty_value: true
- - set:
- field: host.name
- copy_from: _temp_.result.host
- ignore_empty_value: true
- - set:
- copy_from: _temp_.result.source
- field: log.file.path
- ignore_empty_value: true
- - remove:
- field: _temp_
- ignore_missing: true
- - json:
- field: event.original
- target_field: _temp_
-on_failure:
- - append:
- field: error.message
- value: >-
- error in third party api pipeline:
- error in [{{_ingest.on_failure_processor_type}}] processor{{#_ingest.on_failure_processor_tag}}
- with tag [{{_ingest.on_failure_processor_tag }}]{{/_ingest.on_failure_processor_tag}}
- {{ _ingest.on_failure_message }}
diff --git a/packages/zeek/2.5.2/data_stream/http/fields/agent.yml b/packages/zeek/2.5.2/data_stream/http/fields/agent.yml
deleted file mode 100755
index ed1313d1b0..0000000000
--- a/packages/zeek/2.5.2/data_stream/http/fields/agent.yml
+++ /dev/null
@@ -1,171 +0,0 @@
-- name: cloud
- title: Cloud
- group: 2
- description: Fields related to the cloud or infrastructure the events are coming from.
- footnote: "Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on."
- type: group
- fields:
- - name: account.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: "The cloud account or organization id used to identify different entities in a multi-tenant environment.\nExamples: AWS account id, Google Cloud ORG Id, or other unique identifier."
- example: 666777888999
- - name: availability_zone
- level: extended
- type: keyword
- ignore_above: 1024
- description: Availability zone in which this host is running.
- example: us-east-1c
- - name: instance.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance ID of the host machine.
- example: i-1234567890abcdef0
- - name: instance.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance name of the host machine.
- - name: machine.type
- level: extended
- type: keyword
- ignore_above: 1024
- description: Machine type of the host machine.
- example: t2.medium
- - name: provider
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
- example: aws
- - name: region
- level: extended
- type: keyword
- ignore_above: 1024
- description: Region in which this host is running.
- example: us-east-1
- - name: project.id
- type: keyword
- description: Name of the project in Google Cloud.
- - name: image.id
- type: keyword
- description: Image ID for the cloud instance.
-- name: container
- title: Container
- group: 2
- description: "Container fields are used for meta information about the specific container that is the source of information.\nThese fields help correlate data based containers from any runtime."
- type: group
- fields:
- - name: image.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the image the container was built on.
- - name: labels
- level: extended
- type: object
- object_type: keyword
- description: Image labels.
- - name: name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Container name.
-- name: host
- title: Host
- group: 2
- description: "A host is defined as a general computing instance.\nECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes."
- type: group
- fields:
- - name: architecture
- level: core
- type: keyword
- ignore_above: 1024
- description: Operating system architecture.
- example: x86_64
- - name: domain
- level: extended
- type: keyword
- ignore_above: 1024
- description: "Name of the domain of which the host is a member.\nFor example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider."
- example: CONTOSO
- default_field: false
- - name: hostname
- level: core
- type: keyword
- ignore_above: 1024
- description: "Hostname of the host.\nIt normally contains what the `hostname` command returns on the host machine."
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: "Unique host id.\nAs hostname is not always unique, use values that are meaningful in your environment.\nExample: The current usage of `beat.name`."
- - name: mac
- level: core
- type: keyword
- ignore_above: 1024
- description: Host mac addresses.
- - name: name
- level: core
- type: keyword
- ignore_above: 1024
- description: "Name of the host.\nIt can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use."
- - name: os.family
- level: extended
- type: keyword
- ignore_above: 1024
- description: OS family (such as redhat, debian, freebsd, windows).
- example: debian
- - name: os.kernel
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system kernel version as a raw string.
- example: 4.4.0-112-generic
- - name: os.name
- level: extended
- type: keyword
- ignore_above: 1024
- multi_fields:
- - name: text
- type: text
- norms: false
- default_field: false
- description: Operating system name, without the version.
- example: Mac OS X
- - name: os.platform
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system platform (such centos, ubuntu, windows).
- example: darwin
- - name: os.version
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system version as a raw string.
- example: 10.14.1
- - name: type
- level: core
- type: keyword
- ignore_above: 1024
- description: "Type of host.\nFor Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment."
- - name: containerized
- type: boolean
- description: >
- If the host is a container.
-
- - name: os.build
- type: keyword
- example: "18D109"
- description: >
- OS build information.
-
- - name: os.codename
- type: keyword
- example: "stretch"
- description: >
- OS codename, if any.
-
diff --git a/packages/zeek/2.5.2/data_stream/http/fields/base-fields.yml b/packages/zeek/2.5.2/data_stream/http/fields/base-fields.yml
deleted file mode 100755
index 4d1ce81520..0000000000
--- a/packages/zeek/2.5.2/data_stream/http/fields/base-fields.yml
+++ /dev/null
@@ -1,20 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: event.module
- type: constant_keyword
- description: Event module
- value: zeek
-- name: event.dataset
- type: constant_keyword
- description: Event dataset
- value: zeek.http
-- name: '@timestamp'
- type: date
- description: Event timestamp.
diff --git a/packages/zeek/2.5.2/data_stream/http/fields/beats.yml b/packages/zeek/2.5.2/data_stream/http/fields/beats.yml
deleted file mode 100755
index 470f5fae48..0000000000
--- a/packages/zeek/2.5.2/data_stream/http/fields/beats.yml
+++ /dev/null
@@ -1,23 +0,0 @@
-- description: Unique container id.
- ignore_above: 1024
- name: container.id
- type: keyword
-- description: Type of Filebeat input.
- name: input.type
- type: keyword
-- description: Full path to the log file this event came from.
- example: /var/log/fun-times.log
- ignore_above: 1024
- name: log.file.path
- type: keyword
-- description: Flags for the log file.
- name: log.flags
- type: keyword
-- description: Offset of the entry in the log file.
- name: log.offset
- type: long
-- description: List of keywords used to tag each event.
- example: '["production", "env2"]'
- ignore_above: 1024
- name: tags
- type: keyword
diff --git a/packages/zeek/2.5.2/data_stream/http/fields/ecs.yml b/packages/zeek/2.5.2/data_stream/http/fields/ecs.yml
deleted file mode 100755
index 778462f7a6..0000000000
--- a/packages/zeek/2.5.2/data_stream/http/fields/ecs.yml
+++ /dev/null
@@ -1,270 +0,0 @@
-- description: |-
- Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field.
- Then it should be duplicated to `.ip` or `.domain`, depending on which one it is.
- name: destination.address
- type: keyword
-- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet.
- name: destination.as.number
- type: long
-- description: Organization name.
- multi_fields:
- - name: text
- type: match_only_text
- name: destination.as.organization.name
- type: keyword
-- description: City name.
- name: destination.geo.city_name
- type: keyword
-- description: Name of the continent.
- name: destination.geo.continent_name
- type: keyword
-- description: Country ISO code.
- name: destination.geo.country_iso_code
- type: keyword
-- description: Country name.
- name: destination.geo.country_name
- type: keyword
-- description: Longitude and latitude.
- name: destination.geo.location
- type: geo_point
-- description: |-
- User-defined description of a location, at the level of granularity they care about.
- Could be the name of their data centers, the floor number, if this describes a local physical entity, city names.
- Not typically used in automated geolocation.
- name: destination.geo.name
- type: keyword
-- description: Region ISO code.
- name: destination.geo.region_iso_code
- type: keyword
-- description: Region name.
- name: destination.geo.region_name
- type: keyword
-- description: IP address of the destination (IPv4 or IPv6).
- name: destination.ip
- type: ip
-- description: Port of the destination.
- name: destination.port
- type: long
-- description: |-
- ECS version this event conforms to. `ecs.version` is a required field and must exist in all events.
- When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events.
- name: ecs.version
- type: keyword
-- description: Error message.
- name: error.message
- type: match_only_text
-- description: |-
- The action captured by the event.
- This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer.
- name: event.action
- type: keyword
-- description: |-
- This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy.
- `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory.
- This field is an array. This will allow proper categorization of some events that fall in multiple categories.
- name: event.category
- normalize:
- - array
- type: keyword
-- description: |-
- event.created contains the date/time when the event was first read by an agent, or by your pipeline.
- This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event.
- In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source.
- In case the two timestamps are identical, @timestamp should be used.
- name: event.created
- type: date
-- description: Unique ID to describe the event.
- name: event.id
- type: keyword
-- description: |-
- Timestamp when an event arrived in the central data store.
- This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event.
- In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`.
- name: event.ingested
- type: date
-- description: |-
- This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy.
- `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events.
- The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not.
- name: event.kind
- type: keyword
-- description: |-
- This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy.
- `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event.
- Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective.
- Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer.
- Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense.
- name: event.outcome
- type: keyword
-- description: |-
- This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy.
- `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization.
- This field is an array. This will allow proper categorization of some events that fall in multiple event types.
- name: event.type
- normalize:
- - array
- type: keyword
-- description: Host ip addresses.
- name: host.ip
- normalize:
- - array
- type: ip
-- description: Size in bytes of the request body.
- name: http.request.body.bytes
- type: long
-- description: |-
- HTTP request method.
- The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field.
- name: http.request.method
- type: keyword
-- description: Referrer for this HTTP request.
- name: http.request.referrer
- type: keyword
-- description: Size in bytes of the response body.
- name: http.response.body.bytes
- type: long
-- description: HTTP response status code.
- name: http.response.status_code
- type: long
-- description: HTTP version.
- name: http.version
- type: keyword
-- description: |-
- A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows.
- Learn more at https://github.com/corelight/community-id-spec.
- name: network.community_id
- type: keyword
-- description: |-
- Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.)
- The field value must be normalized to lowercase for querying.
- name: network.transport
- type: keyword
-- description: All of the IPs seen on your event.
- name: related.ip
- normalize:
- - array
- type: ip
-- description: All the user names or other user identifiers seen on the event.
- name: related.user
- normalize:
- - array
- type: keyword
-- description: |-
- Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field.
- Then it should be duplicated to `.ip` or `.domain`, depending on which one it is.
- name: source.address
- type: keyword
-- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet.
- name: source.as.number
- type: long
-- description: Organization name.
- multi_fields:
- - name: text
- type: match_only_text
- name: source.as.organization.name
- type: keyword
-- description: City name.
- name: source.geo.city_name
- type: keyword
-- description: Name of the continent.
- name: source.geo.continent_name
- type: keyword
-- description: Country ISO code.
- name: source.geo.country_iso_code
- type: keyword
-- description: Country name.
- name: source.geo.country_name
- type: keyword
-- description: Longitude and latitude.
- name: source.geo.location
- type: geo_point
-- description: |-
- User-defined description of a location, at the level of granularity they care about.
- Could be the name of their data centers, the floor number, if this describes a local physical entity, city names.
- Not typically used in automated geolocation.
- name: source.geo.name
- type: keyword
-- description: Region ISO code.
- name: source.geo.region_iso_code
- type: keyword
-- description: Region name.
- name: source.geo.region_name
- type: keyword
-- description: IP address of the source (IPv4 or IPv6).
- name: source.ip
- type: ip
-- description: Port of the source.
- name: source.port
- type: long
-- description: |-
- Domain of the url, such as "www.elastic.co".
- In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field.
- If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field.
- name: url.domain
- type: keyword
-- description: |-
- Unmodified original url as seen in the event source.
- Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path.
- This field is meant to represent the URL as it was observed, complete or not.
- multi_fields:
- - name: text
- type: match_only_text
- name: url.original
- type: wildcard
-- description: Password of the request.
- name: url.password
- type: keyword
-- description: Path of the request, such as "/search".
- name: url.path
- type: wildcard
-- description: Port of the request, such as 443.
- name: url.port
- type: long
-- description: Username of the request.
- name: url.username
- type: keyword
-- description: Short name or login of the user.
- multi_fields:
- - name: text
- type: match_only_text
- name: user.name
- type: keyword
-- description: Name of the device.
- name: user_agent.device.name
- type: keyword
-- description: Name of the user agent.
- name: user_agent.name
- type: keyword
-- description: Unparsed user_agent string.
- multi_fields:
- - name: text
- type: match_only_text
- name: user_agent.original
- type: keyword
-- description: OS family (such as redhat, debian, freebsd, windows).
- name: user_agent.os.family
- type: keyword
-- description: Operating system name, including the version or code name.
- multi_fields:
- - name: text
- type: match_only_text
- name: user_agent.os.full
- type: keyword
-- description: Operating system kernel version as a raw string.
- name: user_agent.os.kernel
- type: keyword
-- description: Operating system name, without the version.
- multi_fields:
- - name: text
- type: match_only_text
- name: user_agent.os.name
- type: keyword
-- description: Operating system platform (such centos, ubuntu, windows).
- name: user_agent.os.platform
- type: keyword
-- description: Operating system version as a raw string.
- name: user_agent.os.version
- type: keyword
-- description: Version of the user agent.
- name: user_agent.version
- type: keyword
diff --git a/packages/zeek/2.5.2/data_stream/http/fields/fields.yml b/packages/zeek/2.5.2/data_stream/http/fields/fields.yml
deleted file mode 100755
index f264ff0db9..0000000000
--- a/packages/zeek/2.5.2/data_stream/http/fields/fields.yml
+++ /dev/null
@@ -1,82 +0,0 @@ -- name: zeek.http - type: group - fields: - - name: trans_depth - type: integer - description: | - Represents the pipelined depth into the connection of this request/response transaction. - - name: status_msg - type: keyword - description: | - Status message returned by the server. - - name: info_code - type: integer - description: | - Last seen 1xx informational reply code returned by the server. - - name: info_msg - type: keyword - description: | - Last seen 1xx informational reply message returned by the server. - - name: tags - type: keyword - description: | - A set of indicators of various attributes discovered and related to a particular - request/response pair. - - name: password - type: keyword - description: | - Password if basic-auth is performed for the request. - - name: captured_password - type: boolean - description: | - Determines if the password will be captured for this request. - - name: proxied - type: keyword - description: | - All of the headers that may indicate if the HTTP request was proxied. - - name: range_request - type: boolean - description: | - Indicates if this request can assume 206 partial content in response. - - name: client_header_names - type: keyword - description: | - The vector of HTTP header names sent by the client. No header values - are included here, just the header names. - - name: server_header_names - type: keyword - description: | - The vector of HTTP header names sent by the server. No header values - are included here, just the header names. - - name: orig_fuids - type: keyword - description: | - An ordered vector of file unique IDs from the originator. - - name: orig_mime_types - type: keyword - description: | - An ordered vector of mime types from the originator. - - name: orig_filenames - type: keyword - description: | - An ordered vector of filenames from the originator. - - name: resp_fuids - type: keyword - description: | - An ordered vector of file unique IDs from the responder. 
- - name: resp_mime_types - type: keyword - description: | - An ordered vector of mime types from the responder. - - name: resp_filenames - type: keyword - description: | - An ordered vector of filenames from the responder. - - name: orig_mime_depth - type: integer - description: | - Current number of MIME entities in the HTTP request message body. - - name: resp_mime_depth - type: integer - description: | - Current number of MIME entities in the HTTP response message body. diff --git a/packages/zeek/2.5.2/data_stream/http/fields/package-fields.yml b/packages/zeek/2.5.2/data_stream/http/fields/package-fields.yml deleted file mode 100755 index 4d6d6ea170..0000000000 --- a/packages/zeek/2.5.2/data_stream/http/fields/package-fields.yml +++ /dev/null @@ -1,7 +0,0 @@ -- name: zeek - type: group - fields: - - name: session_id - type: keyword - description: | - A unique identifier of the session diff --git a/packages/zeek/2.5.2/data_stream/http/manifest.yml b/packages/zeek/2.5.2/data_stream/http/manifest.yml deleted file mode 100755 index 5e5e0e36fa..0000000000 --- a/packages/zeek/2.5.2/data_stream/http/manifest.yml +++ /dev/null 
@@ -1,85 +0,0 @@ -type: logs -title: Zeek http logs -streams: - - input: logfile - vars: - - name: filenames - type: text - title: Filename of http log file - multi: true - required: true - show_user: true - default: - - http.log - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: false - default: - - forwarded - - zeek-http - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original` - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: > - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. - - template_path: log.yml.hbs - title: Zeek http.log - description: Collect Zeek http logs - - input: httpjson - title: Zeek http logs via Splunk Enterprise REST API - description: Collect Zeek http logs via Splunk Enterprise REST API - enabled: false - template_path: httpjson.yml.hbs - vars: - - name: interval - type: text - title: Interval to query Splunk Enterprise REST API - description: Go Duration syntax (eg. 
10s) - show_user: true - required: true - default: 10s - - name: search - type: text - title: Splunk search string - show_user: true - required: true - default: "search sourcetype=\"http-*\"" - - name: tags - type: text - title: Tags - multi: true - show_user: false - default: - - forwarded - - zeek-http - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original` - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: >- - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. diff --git a/packages/zeek/2.5.2/data_stream/intel/agent/stream/httpjson.yml.hbs b/packages/zeek/2.5.2/data_stream/intel/agent/stream/httpjson.yml.hbs deleted file mode 100755 index 33f251e7d6..0000000000 --- a/packages/zeek/2.5.2/data_stream/intel/agent/stream/httpjson.yml.hbs +++ /dev/null 
@@ -1,63 +0,0 @@ -config_version: 2 -interval: {{interval}} -{{#unless token}} -{{#if username}} -{{#if password}} -auth.basic.user: {{username}} -auth.basic.password: {{password}} -{{/if}} -{{/if}} -{{/unless}} -cursor: - index_earliest: - value: '[[.last_event.result.max_indextime]]' -request.url: {{url}}/services/search/jobs/export -{{#if ssl}} -request.ssl: {{ssl}} -{{/if}} -request.method: POST -request.transforms: - - set: - target: url.params.search - value: {{search}} | streamstats max(_indextime) AS max_indextime - - set: - target: url.params.output_mode - value: "json" - - set: - target: url.params.index_earliest - value: '[[ .cursor.index_earliest ]]' - default: '[[(now (parseDuration "-{{interval}}")).Unix]]' - - set: - target: url.params.index_latest - value: '[[(now).Unix]]' - - set: - target: header.Content-Type - value: application/x-www-form-urlencoded -{{#unless username}} -{{#unless password}} -{{#if token}} - - set: - target: header.Authorization - value: {{token}} -{{/if}} -{{/unless}} -{{/unless}} -response.decode_as: application/x-ndjson -response.split: - target: body.result._raw - type: string - delimiter: "\n" -tags: -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#each tags as |tag i|}} - - {{tag}} -{{/each}} -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} -{{#if processors}} -processors: -{{processors}} -{{/if}} diff --git a/packages/zeek/2.5.2/data_stream/intel/agent/stream/log.yml.hbs b/packages/zeek/2.5.2/data_stream/intel/agent/stream/log.yml.hbs deleted file mode 100755 index 9dd9f724a5..0000000000 --- a/packages/zeek/2.5.2/data_stream/intel/agent/stream/log.yml.hbs +++ /dev/null 
@@ -1,21 +0,0 @@ -paths: -{{#each base_paths}} - {{#each ../filenames}} - - {{../this}}/{{this}} - {{/each}} -{{/each}} -exclude_files: [".gz$"] -tags: -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#each tags as |tag i|}} - - {{tag}} -{{/each}} -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} -{{#if processors}} -processors: -{{processors}} -{{/if}} diff --git a/packages/zeek/2.5.2/data_stream/intel/elasticsearch/ingest_pipeline/default.yml b/packages/zeek/2.5.2/data_stream/intel/elasticsearch/ingest_pipeline/default.yml deleted file mode 100755 index 26a93523d0..0000000000 --- a/packages/zeek/2.5.2/data_stream/intel/elasticsearch/ingest_pipeline/default.yml +++ /dev/null 
@@ -1,300 +0,0 @@ ---- -description: Pipeline for normalizing Zeek intel.log. -processors: - - rename: - field: message - target_field: event.original - - json: - field: event.original - target_field: _temp_ - - pipeline: - if: ctx?._temp_?.result != null - name: '{{ IngestPipeline "third-party" }}' - - drop: - description: Drop if no timestamp (invalid json) - if: 'ctx?._temp_?.ts == null' - - rename: - field: _temp_ - target_field: zeek.intel - -# Sets event.created from the @timestamp field generated by filebeat before being overwritten further down - - set: - field: event.created - copy_from: "@timestamp" - - set: - field: event.kind - value: enrichment - - set: - field: ecs.version - value: '8.4.0' - - append: - field: event.category - value: threat - - append: - field: event.type - value: indicator - - dot_expander: - path: zeek.intel - field: id.orig_p - ignore_failure: true - - dot_expander: - path: zeek.intel - field: id.orig_h - ignore_failure: true - - dot_expander: - path: zeek.intel - field: id.resp_h - ignore_failure: true - - dot_expander: - path: zeek.intel - field: id.resp_p - ignore_failure: true - - rename: - field: zeek.intel.id.orig_h - target_field: source.address - ignore_missing: true - - rename: - field: zeek.intel.id.orig_p - target_field: source.port - ignore_missing: true - - rename: - field: zeek.intel.id.resp_h - target_field: destination.address - ignore_missing: true - - rename: - field: zeek.intel.id.resp_p - target_field: destination.port - ignore_missing: true - - rename: - field: zeek.intel.uid - target_field: zeek.session_id - ignore_missing: true - - set: - field: event.id - copy_from: zeek.session_id - if: ctx.zeek.session_id != null - - set: - field: source.ip - copy_from: source.address - if: ctx?.source?.address != null - - set: - field: destination.ip - copy_from: destination.address - if: ctx?.destination?.address != null - - dot_expander: - path: zeek.intel - field: seen.indicator - ignore_failure: true - - dot_expander: 
- path: zeek.intel - field: seen.indicator_type - ignore_failure: true - - dot_expander: - path: zeek.intel - field: seen.host - ignore_failure: true - - dot_expander: - path: zeek.intel - field: seen.where - ignore_failure: true - - dot_expander: - path: zeek.intel - field: seen.node - ignore_failure: true - - dot_expander: - path: zeek.intel - field: seen.conn - ignore_failure: true - - dot_expander: - path: zeek.intel - field: seen.uid - ignore_failure: true - - dot_expander: - path: zeek.intel - field: seen.f - ignore_failure: true - - dot_expander: - path: zeek.intel - field: seen.fuid - ignore_failure: true - - date: - field: zeek.intel.ts - formats: - - UNIX - - ISO8601 - - remove: - field: zeek.intel.ts - # IP Geolocation Lookup - - geoip: - if: ctx.source?.geo == null - field: source.ip - target_field: source.geo - ignore_missing: true - properties: - - city_name - - continent_name - - country_iso_code - - country_name - - location - - region_iso_code - - region_name - - geoip: - if: ctx.destination?.geo == null - field: destination.ip - target_field: destination.geo - ignore_missing: true - properties: - - city_name - - continent_name - - country_iso_code - - country_name - - location - - region_iso_code - - region_name - - # IP Autonomous System (AS) Lookup - - geoip: - database_file: GeoLite2-ASN.mmdb - field: source.ip - target_field: source.as - properties: - - asn - - organization_name - ignore_missing: true - - geoip: - database_file: GeoLite2-ASN.mmdb - field: destination.ip - target_field: destination.as - properties: - - asn - - organization_name - ignore_missing: true - - rename: - field: source.as.asn - target_field: source.as.number - ignore_missing: true - - rename: - field: source.as.organization_name - target_field: source.as.organization.name - ignore_missing: true - - rename: - field: destination.as.asn - target_field: destination.as.number - ignore_missing: true - - rename: - field: destination.as.organization_name - target_field: 
destination.as.organization.name - ignore_missing: true - - append: - field: "related.ip" - value: "{{source.ip}}" - if: "ctx?.source?.ip != null" - allow_duplicates: false - - append: - field: "related.ip" - value: "{{destination.ip}}" - if: "ctx?.destination?.ip != null" - allow_duplicates: false - - community_id: - target_field: network.community_id - - rename: - field: message - target_field: event.original - ignore_missing: true - if: ctx?.event?.original == null - - # Add threat indicators. - - convert: - target_field: threat.indicator.ip - field: zeek.intel.seen.indicator - type: ip - if: ctx.zeek?.intel?.seen?.indicator_type == "Intel::ADDR" - ignore_missing: true - ignore_failure: true - - set: - field: threat.indicator.type - value: ipv4-addr - if: ctx.zeek?.intel?.seen?.indicator_type == "Intel::ADDR" - - set: - field: threat.indicator.type - value: ipv6-addr - if: ctx.threat?.indicator?.ip != null && ctx.threat.indicator.ip.contains(':') - - geoip: - database_file: GeoLite2-ASN.mmdb - field: threat.indicator.ip - target_field: threat.indicator.as - properties: - - asn - - organization_name - ignore_missing: true - - rename: - field: threat.indicator.as.asn - target_field: threat.indicator.as.number - ignore_missing: true - ignore_failure: true - - rename: - field: threat.indicator.as.organization_name - target_field: threat.indicator.as.organization.name - ignore_missing: true - ignore_failure: true - - geoip: - field: threat.indicator.ip - target_field: threat.indicator.geo - ignore_missing: true - properties: - - city_name - - continent_name - - country_iso_code - - country_name - - location - - region_iso_code - - region_name - - timezone - - set: - field: threat.indicator._url - copy_from: zeek.intel.seen.indicator - if: ctx.zeek?.intel?.seen?.indicator_type == "Intel::URL" - ignore_failure: true - - set: - field: threat.indicator.type - value: url - if: ctx.zeek?.intel?.seen?.indicator_type == "Intel::URL" - - uri_parts: - field: 
threat.indicator._url - target_field: threat.indicator.url - ignore_failure: true - keep_original: false - remove_if_successful: true - if: ctx.threat?.indicator?._url != null - - set: - field: threat.indicator.email.address - copy_from: zeek.intel.seen.indicator - if: ctx.zeek?.intel?.seen?.indicator_type == "Intel::EMAIL" - ignore_failure: true - - set: - field: threat.indicator.type - value: email-addr - if: ctx.zeek?.intel?.seen?.indicator_type == "Intel::EMAIL" - - set: - field: threat.indicator.file.name - copy_from: zeek.intel.seen.indicator - if: ctx.zeek?.intel?.seen?.indicator_type == "Intel::FILE_NAME" - ignore_failure: true - - set: - field: threat.indicator.type - value: file - if: ctx.zeek?.intel?.seen?.indicator_type == "Intel::FILE_NAME" - - - remove: - field: - - zeek.intel.id - ignore_missing: true - - remove: - field: event.original - if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" - ignore_failure: true - ignore_missing: true -on_failure: - - set: - field: error.message - value: "{{ _ingest.on_failure_message }}" diff --git a/packages/zeek/2.5.2/data_stream/intel/elasticsearch/ingest_pipeline/third-party.yml b/packages/zeek/2.5.2/data_stream/intel/elasticsearch/ingest_pipeline/third-party.yml deleted file mode 100755 index 5bc2247db2..0000000000 --- a/packages/zeek/2.5.2/data_stream/intel/elasticsearch/ingest_pipeline/third-party.yml +++ /dev/null 
@@ -1,39 +0,0 @@ ---- -description: Pipeline for parsing Zeek logs from third party api -processors: - - fingerprint: - fields: - - _temp_.result._cd - - _temp_.result._indextime - - _temp_.result._raw - - _temp_.result._time - - _temp_.result.host - - _temp_.result.source - target_field: '_id' - ignore_missing: true - - set: - field: event.original - copy_from: _temp_.result._raw - ignore_empty_value: true - - set: - field: host.name - copy_from: _temp_.result.host - ignore_empty_value: true - - set: - copy_from: _temp_.result.source - field: log.file.path - ignore_empty_value: true - - remove: - field: _temp_ - ignore_missing: true - - json: - field: event.original - target_field: _temp_ -on_failure: - - append: - field: error.message - value: >- - error in third party api pipeline: - error in [{{_ingest.on_failure_processor_type}}] processor{{#_ingest.on_failure_processor_tag}} - with tag [{{_ingest.on_failure_processor_tag }}]{{/_ingest.on_failure_processor_tag}} - {{ _ingest.on_failure_message }} diff --git a/packages/zeek/2.5.2/data_stream/intel/fields/agent.yml b/packages/zeek/2.5.2/data_stream/intel/fields/agent.yml deleted file mode 100755 index ed1313d1b0..0000000000 --- a/packages/zeek/2.5.2/data_stream/intel/fields/agent.yml +++ /dev/null 
@@ -1,171 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: "Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on." - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: "The cloud account or organization id used to identify different entities in a multi-tenant environment.\nExamples: AWS account id, Google Cloud ORG Id, or other unique identifier." - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: "Container fields are used for meta information about the specific container that is the source of information.\nThese fields help correlate data based containers from any runtime." - type: group - fields: - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: "A host is defined as a general computing instance.\nECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes." - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: "Name of the domain of which the host is a member.\nFor example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider." - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: "Hostname of the host.\nIt normally contains what the `hostname` command returns on the host machine." - - name: id - level: core - type: keyword - ignore_above: 1024 - description: "Unique host id.\nAs hostname is not always unique, use values that are meaningful in your environment.\nExample: The current usage of `beat.name`." - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. 
- - name: name - level: core - type: keyword - ignore_above: 1024 - description: "Name of the host.\nIt can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use." - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: "Type of host.\nFor Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment." - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - diff --git a/packages/zeek/2.5.2/data_stream/intel/fields/base-fields.yml b/packages/zeek/2.5.2/data_stream/intel/fields/base-fields.yml deleted file mode 100755 index 9a9df3515f..0000000000 --- a/packages/zeek/2.5.2/data_stream/intel/fields/base-fields.yml +++ /dev/null 
@@ -1,20 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: event.module - type: constant_keyword - description: Event module - value: zeek -- name: event.dataset - type: constant_keyword - description: Event dataset - value: zeek.intel -- name: '@timestamp' - type: date - description: Event timestamp. diff --git a/packages/zeek/2.5.2/data_stream/intel/fields/beats.yml b/packages/zeek/2.5.2/data_stream/intel/fields/beats.yml deleted file mode 100755 index 470f5fae48..0000000000 --- a/packages/zeek/2.5.2/data_stream/intel/fields/beats.yml +++ /dev/null @@ -1,23 +0,0 @@ -- description: Unique container id. - ignore_above: 1024 - name: container.id - type: keyword -- description: Type of Filebeat input. - name: input.type - type: keyword -- description: Full path to the log file this event came from. - example: /var/log/fun-times.log - ignore_above: 1024 - name: log.file.path - type: keyword -- description: Flags for the log file. - name: log.flags - type: keyword -- description: Offset of the entry in the log file. - name: log.offset - type: long -- description: List of keywords used to tag each event. - example: '["production", "env2"]' - ignore_above: 1024 - name: tags - type: keyword diff --git a/packages/zeek/2.5.2/data_stream/intel/fields/ecs.yml b/packages/zeek/2.5.2/data_stream/intel/fields/ecs.yml deleted file mode 100755 index 50d5da2ddd..0000000000 --- a/packages/zeek/2.5.2/data_stream/intel/fields/ecs.yml +++ /dev/null 
@@ -1,272 +0,0 @@ -- description: |- - Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: destination.address - type: keyword -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: destination.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: destination.as.organization.name - type: keyword -- description: City name. - name: destination.geo.city_name - type: keyword -- description: Name of the continent. - name: destination.geo.continent_name - type: keyword -- description: Country ISO code. - name: destination.geo.country_iso_code - type: keyword -- description: Country name. - name: destination.geo.country_name - type: keyword -- description: Longitude and latitude. - name: destination.geo.location - type: geo_point -- description: |- - User-defined description of a location, at the level of granularity they care about. - Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. - Not typically used in automated geolocation. - name: destination.geo.name - type: keyword -- description: Region ISO code. - name: destination.geo.region_iso_code - type: keyword -- description: Region name. - name: destination.geo.region_name - type: keyword -- description: IP address of the destination (IPv4 or IPv6). - name: destination.ip - type: ip -- description: Port of the destination. - name: destination.port - type: long -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. 
- When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: Error message. - name: error.message - type: match_only_text -- description: |- - event.created contains the date/time when the event was first read by an agent, or by your pipeline. - This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. - In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. - In case the two timestamps are identical, @timestamp should be used. - name: event.created - type: date -- description: |- - Timestamp when an event arrived in the central data store. - This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. - In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. - name: event.ingested - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. 
They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: |- - Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. - This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. - doc_values: false - index: false - name: event.original - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. - `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. This will allow proper categorization of some events that fall in multiple event types. - name: event.type - normalize: - - array - type: keyword -- description: Host ip addresses. - name: host.ip - normalize: - - array - type: ip -- description: |- - A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. - Learn more at https://github.com/corelight/community-id-spec. - name: network.community_id - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - normalize: - - array - type: ip -- description: |- - Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. 
- name: source.address - type: keyword -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: source.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: source.as.organization.name - type: keyword -- description: City name. - name: source.geo.city_name - type: keyword -- description: Name of the continent. - name: source.geo.continent_name - type: keyword -- description: Country ISO code. - name: source.geo.country_iso_code - type: keyword -- description: Country name. - name: source.geo.country_name - type: keyword -- description: Longitude and latitude. - name: source.geo.location - type: geo_point -- description: |- - User-defined description of a location, at the level of granularity they care about. - Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. - Not typically used in automated geolocation. - name: source.geo.name - type: keyword -- description: Region ISO code. - name: source.geo.region_iso_code - type: keyword -- description: Region name. - name: source.geo.region_name - type: keyword -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: Port of the source. - name: source.port - type: long -- description: A list of associated indicators objects enriching the event, and the context of that association/enrichment. - name: threat.enrichments - normalize: - - array - type: nested -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: threat.indicator.as.number - type: long -- description: Organization name. 
- multi_fields:
- - name: text
- type: match_only_text
- name: threat.indicator.as.organization.name
- type: keyword
-- description: Identifies a threat indicator as an email address (irrespective of direction).
- name: threat.indicator.email.address
- type: keyword
-- description: Name of the file including the extension, without the directory.
- name: threat.indicator.file.name
- type: keyword
-- description: City name.
- name: threat.indicator.geo.city_name
- type: keyword
-- description: Name of the continent.
- name: threat.indicator.geo.continent_name
- type: keyword
-- description: Country ISO code.
- name: threat.indicator.geo.country_iso_code
- type: keyword
-- description: Country name.
- name: threat.indicator.geo.country_name
- type: keyword
-- description: Longitude and latitude.
- name: threat.indicator.geo.location
- type: geo_point
-- description: Region ISO code.
- name: threat.indicator.geo.region_iso_code
- type: keyword
-- description: Region name.
- name: threat.indicator.geo.region_name
- type: keyword
-- description: The time zone of the location, such as IANA time zone name.
- name: threat.indicator.geo.timezone
- type: keyword
-- description: Identifies a threat indicator as an IP address (irrespective of direction).
- name: threat.indicator.ip
- type: ip
-- description: Type of indicator as represented by Cyber Observable in STIX 2.0.
- name: threat.indicator.type
- type: keyword
-- description: |-
- Domain of the url, such as "www.elastic.co".
- In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field.
- If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field.
- name: threat.indicator.url.domain
- type: keyword
-- description: |-
- The field contains the file extension from the original request url, excluding the leading dot.
- The file extension is only set if it exists, as not every url has a file extension.
- The leading period must not be included. For example, the value must be "png", not ".png".
- Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz").
- name: threat.indicator.url.extension
- type: keyword
-- description: |-
- Portion of the url after the `#`, such as "top".
- The `#` is not part of the fragment.
- name: threat.indicator.url.fragment
- type: keyword
-- description: If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source.
- multi_fields:
- - name: text
- type: match_only_text
- name: threat.indicator.url.full
- type: wildcard
-- description: |-
- Unmodified original url as seen in the event source.
- Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path.
- This field is meant to represent the URL as it was observed, complete or not.
- multi_fields:
- - name: text
- type: match_only_text
- name: threat.indicator.url.original
- type: wildcard
-- description: Password of the request.
- name: threat.indicator.url.password
- type: keyword
-- description: Path of the request, such as "/search".
- name: threat.indicator.url.path
- type: wildcard
-- description: Port of the request, such as 443.
- name: threat.indicator.url.port
- type: long
-- description: |-
- The query field describes the query string of the request, such as "q=elasticsearch".
- The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases.
- name: threat.indicator.url.query
- type: keyword
-- description: |-
- The highest registered url domain, stripped of the subdomain.
- For example, the registered domain for "foo.example.com" is "example.com".
- This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk".
- name: threat.indicator.url.registered_domain
- type: keyword
-- description: |-
- Scheme of the request, such as "https".
- Note: The `:` is not part of the scheme.
- name: threat.indicator.url.scheme
- type: keyword
-- description: |-
- The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain.
- For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period.
- name: threat.indicator.url.subdomain
- type: keyword
-- description: |-
- The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com".
- This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk".
- name: threat.indicator.url.top_level_domain
- type: keyword
-- description: Username of the request.
- name: threat.indicator.url.username
- type: keyword
diff --git a/packages/zeek/2.5.2/data_stream/intel/fields/fields.yml b/packages/zeek/2.5.2/data_stream/intel/fields/fields.yml
deleted file mode 100755
index 2d513fe45e..0000000000
--- a/packages/zeek/2.5.2/data_stream/intel/fields/fields.yml
+++ /dev/null
@@ -1,62 +0,0 @@
-- name: zeek.intel
- type: group
- fields:
- - name: seen
- type: group
- fields:
- - name: indicator
- type: keyword
- description: |
- The intelligence indicator.
- - name: indicator_type
- type: keyword
- description: |
- The type of data the indicator represents.
- - name: host
- type: keyword
- description: |
- If the indicator type was Intel::ADDR, then this field will be present.
- - name: conn
- type: keyword
- description: |
- If the data was discovered within a connection, the connection record should go here to give context to the data.
- - name: where
- type: keyword
- description: |
- Where the data was discovered.
- - name: node
- type: keyword
- description: |
- The name of the node where the match was discovered.
- - name: uid
- type: keyword
- description: |
- If the data was discovered within a connection, the connection uid should go here to give context to the data. If the conn field is provided, this will be automatically filled out.
- - name: f
- type: object
- description: |
- If the data was discovered within a file, the file record should go here to provide context to the data.
- - name: fuid
- type: keyword
- description: |
- If the data was discovered within a file, the file uid should go here to provide context to the data. If the file record f is provided, this will be automatically filled out.
- - name: matched
- type: keyword
- description: |
- Event to represent a match in the intelligence data from data that was seen.
- - name: sources
- type: keyword
- description: |
- Sources which supplied data for this match.
- - name: fuid
- type: keyword
- description: |
- If a file was associated with this intelligence hit, this is the uid for the file.
- - name: file_mime_type
- type: keyword
- description: |
- A mime type if the intelligence hit is related to a file. If the $f field is provided this will be automatically filled out.
- - name: file_desc
- type: keyword
- description: |
- Frequently files can be described to give a bit more context. If the $f field is provided this field will be automatically filled out.
diff --git a/packages/zeek/2.5.2/data_stream/intel/fields/package-fields.yml b/packages/zeek/2.5.2/data_stream/intel/fields/package-fields.yml
deleted file mode 100755
index 4d6d6ea170..0000000000
--- a/packages/zeek/2.5.2/data_stream/intel/fields/package-fields.yml
+++ /dev/null
@@ -1,7 +0,0 @@
-- name: zeek
- type: group
- fields:
- - name: session_id
- type: keyword
- description: |
- A unique identifier of the session
diff --git a/packages/zeek/2.5.2/data_stream/intel/manifest.yml b/packages/zeek/2.5.2/data_stream/intel/manifest.yml
deleted file mode 100755
index de479c71e7..0000000000
--- a/packages/zeek/2.5.2/data_stream/intel/manifest.yml
+++ /dev/null
@@ -1,85 +0,0 @@ -type: logs -title: Zeek intel logs -streams: - - input: logfile - vars: - - name: filenames - type: text - title: Filename of intel log file - multi: true - required: true - show_user: true - default: - - intel.log - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: false - default: - - forwarded - - zeek-intel - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original` - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: > - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. - - template_path: log.yml.hbs - title: Zeek intel.log - description: Collect Zeek intel logs - - input: httpjson - title: Zeek intel logs via Splunk Enterprise REST API - description: Collect Zeek intel logs via Splunk Enterprise REST API - enabled: false - template_path: httpjson.yml.hbs - vars: - - name: interval - type: text - title: Interval to query Splunk Enterprise REST API - description: Go Duration syntax (eg. 
10s) - show_user: true - required: true - default: 10s - - name: search - type: text - title: Splunk search string - show_user: true - required: true - default: "search sourcetype=\"intel-*\"" - - name: tags - type: text - title: Tags - multi: true - show_user: false - default: - - forwarded - - zeek-intel - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original` - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: >- - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. diff --git a/packages/zeek/2.5.2/data_stream/irc/agent/stream/httpjson.yml.hbs b/packages/zeek/2.5.2/data_stream/irc/agent/stream/httpjson.yml.hbs deleted file mode 100755 index 33f251e7d6..0000000000 --- a/packages/zeek/2.5.2/data_stream/irc/agent/stream/httpjson.yml.hbs +++ /dev/null 
@@ -1,63 +0,0 @@
-config_version: 2
-interval: {{interval}}
-{{#unless token}}
-{{#if username}}
-{{#if password}}
-auth.basic.user: {{username}}
-auth.basic.password: {{password}}
-{{/if}}
-{{/if}}
-{{/unless}}
-cursor:
- index_earliest:
- value: '[[.last_event.result.max_indextime]]'
-request.url: {{url}}/services/search/jobs/export
-{{#if ssl}}
-request.ssl: {{ssl}}
-{{/if}}
-request.method: POST
-request.transforms:
- - set:
- target: url.params.search
- value: {{search}} | streamstats max(_indextime) AS max_indextime
- - set:
- target: url.params.output_mode
- value: "json"
- - set:
- target: url.params.index_earliest
- value: '[[ .cursor.index_earliest ]]'
- default: '[[(now (parseDuration "-{{interval}}")).Unix]]'
- - set:
- target: url.params.index_latest
- value: '[[(now).Unix]]'
- - set:
- target: header.Content-Type
- value: application/x-www-form-urlencoded
-{{#unless username}}
-{{#unless password}}
-{{#if token}}
- - set:
- target: header.Authorization
- value: {{token}}
-{{/if}}
-{{/unless}}
-{{/unless}}
-response.decode_as: application/x-ndjson
-response.split:
- target: body.result._raw
- type: string
- delimiter: "\n"
-tags:
-{{#if preserve_original_event}}
- - preserve_original_event
-{{/if}}
-{{#each tags as |tag i|}}
- - {{tag}}
-{{/each}}
-{{#contains "forwarded" tags}}
-publisher_pipeline.disable_host: true
-{{/contains}}
-{{#if processors}}
-processors:
-{{processors}}
-{{/if}}
diff --git a/packages/zeek/2.5.2/data_stream/irc/agent/stream/log.yml.hbs b/packages/zeek/2.5.2/data_stream/irc/agent/stream/log.yml.hbs
deleted file mode 100755
index 9dd9f724a5..0000000000
--- a/packages/zeek/2.5.2/data_stream/irc/agent/stream/log.yml.hbs
+++ /dev/null
@@ -1,21 +0,0 @@
-paths:
-{{#each base_paths}}
- {{#each ../filenames}}
- - {{../this}}/{{this}}
- {{/each}}
-{{/each}}
-exclude_files: [".gz$"]
-tags:
-{{#if preserve_original_event}}
- - preserve_original_event
-{{/if}}
-{{#each tags as |tag i|}}
- - {{tag}}
-{{/each}}
-{{#contains "forwarded" tags}}
-publisher_pipeline.disable_host: true
-{{/contains}}
-{{#if processors}}
-processors:
-{{processors}}
-{{/if}}
diff --git a/packages/zeek/2.5.2/data_stream/irc/elasticsearch/ingest_pipeline/default.yml b/packages/zeek/2.5.2/data_stream/irc/elasticsearch/ingest_pipeline/default.yml
deleted file mode 100755
index 3d6fbd5917..0000000000
--- a/packages/zeek/2.5.2/data_stream/irc/elasticsearch/ingest_pipeline/default.yml
+++ /dev/null
@@ -1,190 +0,0 @@
----
-description: Pipeline for normalizing Zeek irc.log
-processors:
- - rename:
- field: message
- target_field: event.original
- - json:
- field: event.original
- target_field: _temp_
- - pipeline:
- if: ctx?._temp_?.result != null
- name: '{{ IngestPipeline "third-party" }}'
- - drop:
- description: Drop if no timestamp (invalid json)
- if: 'ctx?._temp_?.ts == null'
- - rename:
- field: _temp_
- target_field: zeek.irc
-
-# Sets event.created from the @timestamp field generated by filebeat before being overwritten further down
- - set:
- field: event.created
- copy_from: "@timestamp"
- - set:
- field: event.kind
- value: event
- - set:
- field: ecs.version
- value: '8.4.0'
- - append:
- field: event.category
- value: network
- - append:
- field: event.type
- value: connection
- - append:
- field: event.type
- value: protocol
- - append:
- field: event.type
- value: info
- - set:
- field: network.transport
- value: tcp
- - set:
- field: network.protocol
- value: irc
- - dot_expander:
- path: zeek.irc
- field: id.orig_p
- ignore_failure: true
- - dot_expander:
- path: zeek.irc
- field: id.orig_h
- ignore_failure: true
- - dot_expander:
- path: zeek.irc
- field: id.resp_h
- ignore_failure: true
- - dot_expander:
- path: zeek.irc
- field: id.resp_p
- ignore_failure: true
- - rename:
- field: zeek.irc.id.orig_h
- target_field: source.address
- ignore_missing: true
- - rename:
- field: zeek.irc.id.orig_p
- target_field: source.port
- ignore_missing: true
- - rename:
- field: zeek.irc.id.resp_h
- target_field: destination.address
- ignore_missing: true
- - rename:
- field: zeek.irc.id.resp_p
- target_field: destination.port
- ignore_missing: true
- - rename:
- field: zeek.irc.uid
- target_field: zeek.session_id
- ignore_missing: true
- - set:
- field: event.id
- copy_from: zeek.session_id
- if: ctx.zeek.session_id != null
- - set:
- field: source.ip
- copy_from: source.address
- if: ctx?.source?.address != null
- - set:
- field: destination.ip
-
copy_from: destination.address
- if: ctx?.destination?.address != null
- - rename:
- field: zeek.irc.dcc_file_name
- target_field: file.name
- ignore_missing: true
- - rename:
- field: zeek.irc.dcc_mime_type
- target_field: file.mime_type
- ignore_missing: true
- - rename:
- field: zeek.irc.dcc.file.size
- target_field: file.size
- ignore_missing: true
- - rename:
- field: zeek.irc.user
- target_field: user.name
- ignore_missing: true
- - set:
- field: event.action
- copy_from: zeek.irc.command
- if: ctx?.zeek?.irc?.command != null
- - date:
- field: zeek.irc.ts
- formats:
- - UNIX
- - ISO8601
- - remove:
- field: zeek.irc.ts
- - append:
- field: related.ip
- value: "{{source.ip}}"
- if: "ctx?.source?.ip != null"
- allow_duplicates: false
- - append:
- field: related.ip
- value: "{{destination.ip}}"
- if: "ctx?.destination?.ip != null"
- allow_duplicates: false
- - append:
- field: related.user
- value: "{{user.name}}"
- if: "ctx?.user?.name != null"
- allow_duplicates: false
- - geoip:
- field: destination.ip
- target_field: destination.geo
- - geoip:
- field: source.ip
- target_field: source.geo
- - geoip:
- database_file: GeoLite2-ASN.mmdb
- field: source.ip
- target_field: source.as
- properties:
- - asn
- - organization_name
- ignore_missing: true
- - geoip:
- database_file: GeoLite2-ASN.mmdb
- field: destination.ip
- target_field: destination.as
- properties:
- - asn
- - organization_name
- ignore_missing: true
- - rename:
- field: source.as.asn
- target_field: source.as.number
- ignore_missing: true
- - rename:
- field: source.as.organization_name
- target_field: source.as.organization.name
- ignore_missing: true
- - rename:
- field: destination.as.asn
- target_field: destination.as.number
- ignore_missing: true
- - rename:
- field: destination.as.organization_name
- target_field: destination.as.organization.name
- ignore_missing: true
- - community_id:
- target_field: network.community_id
- - remove:
- field:
- - zeek.irc.id
- ignore_missing: true
- -
remove:
- field: event.original
- if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))"
- ignore_failure: true
- ignore_missing: true
-on_failure:
- - set:
- field: error.message
- value: "{{ _ingest.on_failure_message }}"
diff --git a/packages/zeek/2.5.2/data_stream/irc/elasticsearch/ingest_pipeline/third-party.yml b/packages/zeek/2.5.2/data_stream/irc/elasticsearch/ingest_pipeline/third-party.yml
deleted file mode 100755
index 5bc2247db2..0000000000
--- a/packages/zeek/2.5.2/data_stream/irc/elasticsearch/ingest_pipeline/third-party.yml
+++ /dev/null
@@ -1,39 +0,0 @@
----
-description: Pipeline for parsing Zeek logs from third party api
-processors:
- - fingerprint:
- fields:
- - _temp_.result._cd
- - _temp_.result._indextime
- - _temp_.result._raw
- - _temp_.result._time
- - _temp_.result.host
- - _temp_.result.source
- target_field: '_id'
- ignore_missing: true
- - set:
- field: event.original
- copy_from: _temp_.result._raw
- ignore_empty_value: true
- - set:
- field: host.name
- copy_from: _temp_.result.host
- ignore_empty_value: true
- - set:
- copy_from: _temp_.result.source
- field: log.file.path
- ignore_empty_value: true
- - remove:
- field: _temp_
- ignore_missing: true
- - json:
- field: event.original
- target_field: _temp_
-on_failure:
- - append:
- field: error.message
- value: >-
- error in third party api pipeline:
- error in [{{_ingest.on_failure_processor_type}}] processor{{#_ingest.on_failure_processor_tag}}
- with tag [{{_ingest.on_failure_processor_tag }}]{{/_ingest.on_failure_processor_tag}}
- {{ _ingest.on_failure_message }}
diff --git a/packages/zeek/2.5.2/data_stream/irc/fields/agent.yml b/packages/zeek/2.5.2/data_stream/irc/fields/agent.yml
deleted file mode 100755
index ed1313d1b0..0000000000
--- a/packages/zeek/2.5.2/data_stream/irc/fields/agent.yml
+++ /dev/null
@@ -1,171 +0,0 @@
-- name: cloud
- title: Cloud
- group: 2
- description: Fields related to the cloud or infrastructure the events are coming from.
- footnote: "Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on."
- type: group
- fields:
- - name: account.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: "The cloud account or organization id used to identify different entities in a multi-tenant environment.\nExamples: AWS account id, Google Cloud ORG Id, or other unique identifier."
- example: 666777888999
- - name: availability_zone
- level: extended
- type: keyword
- ignore_above: 1024
- description: Availability zone in which this host is running.
- example: us-east-1c
- - name: instance.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance ID of the host machine.
- example: i-1234567890abcdef0
- - name: instance.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance name of the host machine.
- - name: machine.type
- level: extended
- type: keyword
- ignore_above: 1024
- description: Machine type of the host machine.
- example: t2.medium
- - name: provider
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
- example: aws
- - name: region
- level: extended
- type: keyword
- ignore_above: 1024
- description: Region in which this host is running.
- example: us-east-1
- - name: project.id
- type: keyword
- description: Name of the project in Google Cloud.
- - name: image.id
- type: keyword
- description: Image ID for the cloud instance.
-- name: container
- title: Container
- group: 2
- description: "Container fields are used for meta information about the specific container that is the source of information.\nThese fields help correlate data based containers from any runtime."
- type: group
- fields:
- - name: image.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the image the container was built on.
- - name: labels
- level: extended
- type: object
- object_type: keyword
- description: Image labels.
- - name: name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Container name.
-- name: host
- title: Host
- group: 2
- description: "A host is defined as a general computing instance.\nECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes."
- type: group
- fields:
- - name: architecture
- level: core
- type: keyword
- ignore_above: 1024
- description: Operating system architecture.
- example: x86_64
- - name: domain
- level: extended
- type: keyword
- ignore_above: 1024
- description: "Name of the domain of which the host is a member.\nFor example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider."
- example: CONTOSO
- default_field: false
- - name: hostname
- level: core
- type: keyword
- ignore_above: 1024
- description: "Hostname of the host.\nIt normally contains what the `hostname` command returns on the host machine."
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: "Unique host id.\nAs hostname is not always unique, use values that are meaningful in your environment.\nExample: The current usage of `beat.name`."
- - name: mac
- level: core
- type: keyword
- ignore_above: 1024
- description: Host mac addresses.
- - name: name
- level: core
- type: keyword
- ignore_above: 1024
- description: "Name of the host.\nIt can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use."
- - name: os.family
- level: extended
- type: keyword
- ignore_above: 1024
- description: OS family (such as redhat, debian, freebsd, windows).
- example: debian
- - name: os.kernel
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system kernel version as a raw string.
- example: 4.4.0-112-generic
- - name: os.name
- level: extended
- type: keyword
- ignore_above: 1024
- multi_fields:
- - name: text
- type: text
- norms: false
- default_field: false
- description: Operating system name, without the version.
- example: Mac OS X
- - name: os.platform
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system platform (such centos, ubuntu, windows).
- example: darwin
- - name: os.version
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system version as a raw string.
- example: 10.14.1
- - name: type
- level: core
- type: keyword
- ignore_above: 1024
- description: "Type of host.\nFor Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment."
- - name: containerized
- type: boolean
- description: >
- If the host is a container.
-
- - name: os.build
- type: keyword
- example: "18D109"
- description: >
- OS build information.
-
- - name: os.codename
- type: keyword
- example: "stretch"
- description: >
- OS codename, if any.
-
diff --git a/packages/zeek/2.5.2/data_stream/irc/fields/base-fields.yml b/packages/zeek/2.5.2/data_stream/irc/fields/base-fields.yml
deleted file mode 100755
index 97d9860af0..0000000000
--- a/packages/zeek/2.5.2/data_stream/irc/fields/base-fields.yml
+++ /dev/null
@@ -1,20 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: event.module
- type: constant_keyword
- description: Event module
- value: zeek
-- name: event.dataset
- type: constant_keyword
- description: Event dataset
- value: zeek.irc
-- name: '@timestamp'
- type: date
- description: Event timestamp.
diff --git a/packages/zeek/2.5.2/data_stream/irc/fields/beats.yml b/packages/zeek/2.5.2/data_stream/irc/fields/beats.yml
deleted file mode 100755
index 470f5fae48..0000000000
--- a/packages/zeek/2.5.2/data_stream/irc/fields/beats.yml
+++ /dev/null
@@ -1,23 +0,0 @@
-- description: Unique container id.
- ignore_above: 1024
- name: container.id
- type: keyword
-- description: Type of Filebeat input.
- name: input.type
- type: keyword
-- description: Full path to the log file this event came from.
- example: /var/log/fun-times.log
- ignore_above: 1024
- name: log.file.path
- type: keyword
-- description: Flags for the log file.
- name: log.flags
- type: keyword
-- description: Offset of the entry in the log file.
- name: log.offset
- type: long
-- description: List of keywords used to tag each event.
- example: '["production", "env2"]'
- ignore_above: 1024
- name: tags
- type: keyword
diff --git a/packages/zeek/2.5.2/data_stream/irc/fields/ecs.yml b/packages/zeek/2.5.2/data_stream/irc/fields/ecs.yml
deleted file mode 100755
index 0f47816383..0000000000
--- a/packages/zeek/2.5.2/data_stream/irc/fields/ecs.yml
+++ /dev/null
@@ -1,192 +0,0 @@
-- description: |-
- Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field.
- Then it should be duplicated to `.ip` or `.domain`, depending on which one it is.
- name: destination.address
- type: keyword
-- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet.
- name: destination.as.number
- type: long
-- description: Organization name.
- multi_fields:
- - name: text
- type: match_only_text
- name: destination.as.organization.name
- type: keyword
-- description: City name.
- name: destination.geo.city_name
- type: keyword
-- description: Name of the continent.
- name: destination.geo.continent_name
- type: keyword
-- description: Country ISO code.
- name: destination.geo.country_iso_code
- type: keyword
-- description: Country name.
- name: destination.geo.country_name
- type: keyword
-- description: Longitude and latitude.
- name: destination.geo.location
- type: geo_point
-- description: |-
- User-defined description of a location, at the level of granularity they care about.
- Could be the name of their data centers, the floor number, if this describes a local physical entity, city names.
- Not typically used in automated geolocation.
- name: destination.geo.name
- type: keyword
-- description: Region ISO code.
- name: destination.geo.region_iso_code
- type: keyword
-- description: Region name.
- name: destination.geo.region_name
- type: keyword
-- description: IP address of the destination (IPv4 or IPv6).
- name: destination.ip
- type: ip
-- description: Port of the destination.
- name: destination.port
- type: long
-- description: |-
- ECS version this event conforms to. `ecs.version` is a required field and must exist in all events.
- When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events.
- name: ecs.version
- type: keyword
-- description: Error message.
- name: error.message
- type: match_only_text
-- description: |-
- The action captured by the event.
- This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer.
- name: event.action
- type: keyword
-- description: |-
- This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy.
- `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory.
- This field is an array. This will allow proper categorization of some events that fall in multiple categories.
- name: event.category
- normalize:
- - array
- type: keyword
-- description: |-
- event.created contains the date/time when the event was first read by an agent, or by your pipeline.
- This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event.
- In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source.
- In case the two timestamps are identical, @timestamp should be used.
- name: event.created
- type: date
-- description: Unique ID to describe the event.
- name: event.id
- type: keyword
-- description: |-
- Timestamp when an event arrived in the central data store.
- This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event.
- In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`.
- name: event.ingested
- type: date
-- description: |-
- This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy.
- `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events.
- The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not.
- name: event.kind
- type: keyword
-- description: |-
- This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy.
- `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization.
- This field is an array. This will allow proper categorization of some events that fall in multiple event types.
- name: event.type
- normalize:
- - array
- type: keyword
-- description: MIME type should identify the format of the file or stream of bytes using https://www.iana.org/assignments/media-types/media-types.xhtml[IANA official types], where possible. When more than one type is applicable, the most specific type should be used.
- name: file.mime_type
- type: keyword
-- description: Name of the file including the extension, without the directory.
- name: file.name
- type: keyword
-- description: |-
- File size in bytes.
- Only relevant when `file.type` is "file". - name: file.size - type: long -- description: Host ip addresses. - name: host.ip - normalize: - - array - type: ip -- description: |- - A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. - Learn more at https://github.com/corelight/community-id-spec. - name: network.community_id - type: keyword -- description: |- - In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. - The field value must be normalized to lowercase for querying. - name: network.protocol - type: keyword -- description: |- - Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) - The field value must be normalized to lowercase for querying. - name: network.transport - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - normalize: - - array - type: ip -- description: All the user names or other user identifiers seen on the event. - name: related.user - normalize: - - array - type: keyword -- description: |- - Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: source.address - type: keyword -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: source.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: source.as.organization.name - type: keyword -- description: City name. - name: source.geo.city_name - type: keyword -- description: Name of the continent. 
- name: source.geo.continent_name - type: keyword -- description: Country ISO code. - name: source.geo.country_iso_code - type: keyword -- description: Country name. - name: source.geo.country_name - type: keyword -- description: Longitude and latitude. - name: source.geo.location - type: geo_point -- description: |- - User-defined description of a location, at the level of granularity they care about. - Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. - Not typically used in automated geolocation. - name: source.geo.name - type: keyword -- description: Region ISO code. - name: source.geo.region_iso_code - type: keyword -- description: Region name. - name: source.geo.region_name - type: keyword -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: Port of the source. - name: source.port - type: long -- description: Short name or login of the user. - multi_fields: - - name: text - type: match_only_text - name: user.name - type: keyword diff --git a/packages/zeek/2.5.2/data_stream/irc/fields/fields.yml b/packages/zeek/2.5.2/data_stream/irc/fields/fields.yml deleted file mode 100755 index 532e0f8620..0000000000 --- a/packages/zeek/2.5.2/data_stream/irc/fields/fields.yml +++ /dev/null 
@@ -1,49 +0,0 @@ -- name: zeek.irc - type: group - fields: - - name: nick - type: keyword - description: | - Nickname given for the connection. - - name: user - type: keyword - description: | - Username given for the connection. - - name: command - type: keyword - description: | - Command given by the client. - - name: value - type: keyword - description: | - Value for the command given by the client. - - name: addl - type: keyword - description: | - Any additional data for the command. - - name: dcc - type: group - fields: - - name: file - type: group - fields: - - name: name - type: keyword - description: | - Present if base/protocols/irc/dcc-send.bro is loaded. - DCC filename requested. - - name: size - type: long - description: | - Present if base/protocols/irc/dcc-send.bro is loaded. - Size of the DCC transfer as indicated by the sender. - - name: mime_type - type: keyword - description: | - present if base/protocols/irc/dcc-send.bro is loaded. - Sniffed mime type of the file. - - name: fuid - type: keyword - description: | - present if base/protocols/irc/files.bro is loaded. - File unique ID. diff --git a/packages/zeek/2.5.2/data_stream/irc/fields/package-fields.yml b/packages/zeek/2.5.2/data_stream/irc/fields/package-fields.yml deleted file mode 100755 index 4d6d6ea170..0000000000 --- a/packages/zeek/2.5.2/data_stream/irc/fields/package-fields.yml +++ /dev/null @@ -1,7 +0,0 @@ -- name: zeek - type: group - fields: - - name: session_id - type: keyword - description: | - A unique identifier of the session diff --git a/packages/zeek/2.5.2/data_stream/irc/manifest.yml b/packages/zeek/2.5.2/data_stream/irc/manifest.yml deleted file mode 100755 index dd8a389467..0000000000 --- a/packages/zeek/2.5.2/data_stream/irc/manifest.yml +++ /dev/null 
@@ -1,85 +0,0 @@ -type: logs -title: Zeek irc logs -streams: - - input: logfile - vars: - - name: filenames - type: text - title: Filename of irc log file - multi: true - required: true - show_user: true - default: - - irc.log - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: false - default: - - forwarded - - zeek-irc - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original` - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: > - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. - - template_path: log.yml.hbs - title: Zeek irc.log - description: Collect Zeek irc logs - - input: httpjson - title: Zeek irc logs via Splunk Enterprise REST API - description: Collect Zeek irc logs via Splunk Enterprise REST API - enabled: false - template_path: httpjson.yml.hbs - vars: - - name: interval - type: text - title: Interval to query Splunk Enterprise REST API - description: Go Duration syntax (eg. 
10s) - show_user: true - required: true - default: 10s - - name: search - type: text - title: Splunk search string - show_user: true - required: true - default: "search sourcetype=\"irc-*\"" - - name: tags - type: text - title: Tags - multi: true - show_user: false - default: - - forwarded - - zeek-irc - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original` - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: >- - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. diff --git a/packages/zeek/2.5.2/data_stream/kerberos/agent/stream/httpjson.yml.hbs b/packages/zeek/2.5.2/data_stream/kerberos/agent/stream/httpjson.yml.hbs deleted file mode 100755 index 33f251e7d6..0000000000 --- a/packages/zeek/2.5.2/data_stream/kerberos/agent/stream/httpjson.yml.hbs +++ /dev/null 
@@ -1,63 +0,0 @@ -config_version: 2 -interval: {{interval}} -{{#unless token}} -{{#if username}} -{{#if password}} -auth.basic.user: {{username}} -auth.basic.password: {{password}} -{{/if}} -{{/if}} -{{/unless}} -cursor: - index_earliest: - value: '[[.last_event.result.max_indextime]]' -request.url: {{url}}/services/search/jobs/export -{{#if ssl}} -request.ssl: {{ssl}} -{{/if}} -request.method: POST -request.transforms: - - set: - target: url.params.search - value: {{search}} | streamstats max(_indextime) AS max_indextime - - set: - target: url.params.output_mode - value: "json" - - set: - target: url.params.index_earliest - value: '[[ .cursor.index_earliest ]]' - default: '[[(now (parseDuration "-{{interval}}")).Unix]]' - - set: - target: url.params.index_latest - value: '[[(now).Unix]]' - - set: - target: header.Content-Type - value: application/x-www-form-urlencoded -{{#unless username}} -{{#unless password}} -{{#if token}} - - set: - target: header.Authorization - value: {{token}} -{{/if}} -{{/unless}} -{{/unless}} -response.decode_as: application/x-ndjson -response.split: - target: body.result._raw - type: string - delimiter: "\n" -tags: -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#each tags as |tag i|}} - - {{tag}} -{{/each}} -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} -{{#if processors}} -processors: -{{processors}} -{{/if}} diff --git a/packages/zeek/2.5.2/data_stream/kerberos/agent/stream/log.yml.hbs b/packages/zeek/2.5.2/data_stream/kerberos/agent/stream/log.yml.hbs deleted file mode 100755 index 9dd9f724a5..0000000000 --- a/packages/zeek/2.5.2/data_stream/kerberos/agent/stream/log.yml.hbs +++ /dev/null 
@@ -1,21 +0,0 @@ -paths: -{{#each base_paths}} - {{#each ../filenames}} - - {{../this}}/{{this}} - {{/each}} -{{/each}} -exclude_files: [".gz$"] -tags: -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#each tags as |tag i|}} - - {{tag}} -{{/each}} -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} -{{#if processors}} -processors: -{{processors}} -{{/if}} diff --git a/packages/zeek/2.5.2/data_stream/kerberos/elasticsearch/ingest_pipeline/default.yml b/packages/zeek/2.5.2/data_stream/kerberos/elasticsearch/ingest_pipeline/default.yml deleted file mode 100755 index 15f8f41522..0000000000 --- a/packages/zeek/2.5.2/data_stream/kerberos/elasticsearch/ingest_pipeline/default.yml +++ /dev/null 
@@ -1,364 +0,0 @@ ---- -description: Pipeline for normalizing Zeek kerberos.log -processors: - - rename: - field: message - target_field: event.original - - json: - field: event.original - target_field: _temp_ - - pipeline: - if: ctx?._temp_?.result != null - name: '{{ IngestPipeline "third-party" }}' - - drop: - description: Drop if no timestamp (invalid json) - if: 'ctx?._temp_?.ts == null' - - rename: - field: _temp_ - target_field: zeek.kerberos - -# Sets event.created from the @timestamp field generated by filebeat before being overwritten further down - - set: - field: event.created - copy_from: "@timestamp" - - set: - field: event.kind - value: event - - set: - field: ecs.version - value: '8.4.0' - - append: - field: event.category - value: ["network", "authentication"] - - append: - field: event.type - value: connection - - append: - field: event.type - value: protocol - - append: - field: event.type - value: access - - set: - field: network.transport - value: tcp - - set: - field: network.protocol - value: kerberos - - dot_expander: - path: zeek.kerberos - field: id.orig_p - ignore_failure: true - - dot_expander: - path: zeek.kerberos - field: id.orig_h - ignore_failure: true - - dot_expander: - path: zeek.kerberos - field: id.resp_h - ignore_failure: true - - dot_expander: - path: zeek.kerberos - field: id.resp_p - ignore_failure: true - - rename: - field: zeek.kerberos.id.orig_h - target_field: source.address - ignore_missing: true - - rename: - field: zeek.kerberos.id.orig_p - target_field: source.port - ignore_missing: true - - rename: - field: zeek.kerberos.id.resp_h - target_field: destination.address - ignore_missing: true - - rename: - field: zeek.kerberos.id.resp_p - target_field: destination.port - ignore_missing: true - - rename: - field: zeek.kerberos.uid - target_field: zeek.session_id - ignore_missing: true - - set: - field: event.id - copy_from: zeek.session_id - if: ctx.zeek.session_id != null - - set: - field: source.ip - copy_from: 
source.address - if: ctx?.source?.address != null - - set: - field: client.address - copy_from: source.address - if: ctx?.source?.address != null - - set: - field: destination.ip - copy_from: destination.address - if: ctx?.destination?.address != null - - set: - field: server.address - copy_from: destination.address - if: ctx?.destination?.address != null - - set: - field: event.action - copy_from: zeek.kerberos.request_type - if: ctx?.zeek?.kerberos?.request_type != null - - rename: - field: zeek.kerberos.till - target_field: zeek.kerberos.valid.until - ignore_missing: true - - rename: - field: zeek.kerberos.from - target_field: zeek.kerberos.valid.from - ignore_missing: true - - rename: - field: zeek.kerberos.error_code - target_field: zeek.kerberos.error.code - ignore_missing: true - - rename: - field: zeek.kerberos.error_msg - target_field: zeek.kerberos.error.msg - ignore_missing: true - - dot_expander: - path: zeek.kerberos - field: cert.client - ignore_failure: true - - dot_expander: - path: zeek.kerberos - field: cert.client_subject - ignore_failure: true - - dot_expander: - path: zeek.kerberos - field: cert.client_fuid - ignore_failure: true - - dot_expander: - path: zeek.kerberos - field: cert.server - ignore_failure: true - - dot_expander: - path: zeek.kerberos - field: cert.server_subject - ignore_failure: true - - dot_expander: - path: zeek.kerberos - field: cert.server_fuid - ignore_failure: true - - rename: - field: zeek.kerberos.cert.client - target_field: zeek.kerberos.cert.client.value - ignore_missing: true - - rename: - field: zeek.kerberos.cert.client_subject - target_field: zeek.kerberos.cert.client.subject - ignore_missing: true - - rename: - field: zeek.kerberos.cert.client_fuid - target_field: zeek.kerberos.cert.client.fuid - ignore_missing: true - - rename: - field: zeek.kerberos.cert.server - target_field: zeek.kerberos.cert.server.value - ignore_missing: true - - rename: - field: zeek.kerberos.cert.server_subject - target_field: 
zeek.kerberos.cert.server.subject - ignore_missing: true - - rename: - field: zeek.kerberos.cert.server_fuid - target_field: zeek.kerberos.cert.server.fuid - ignore_missing: true - - rename: - field: zeek.kerberos.auth_ticket - target_field: zeek.kerberos.ticket.auth - ignore_missing: true - - rename: - field: zeek.kerberos.new_ticket - target_field: zeek.kerberos.ticket.new - ignore_missing: true - - dissect: - field: zeek.kerberos.client - pattern: "%{user.name}/%{user.domain}" - ignore_missing: true - if: ctx?.zeek?.kerberos?.client.contains('/') - - date: - field: zeek.kerberos.ts - formats: - - UNIX - - ISO8601 - - remove: - field: zeek.kerberos.ts - - script: - source: "ctx.zeek.kerberos.valid.days = Math.round( (ctx.zeek.kerberos.valid.until - ctx.zeek.kerberos.valid.from) / 86400 )" - if: "ctx.zeek.kerberos.valid?.from != null && ctx.zeek.kerberos.valid?.until != null" - - date: - field: zeek.kerberos.valid.until - target_field: zeek.kerberos.valid.until - formats: - - UNIX - - ISO8601 - if: ctx.zeek.kerberos.valid?.until != null - - date: - field: zeek.kerberos.valid.from - target_field: zeek.kerberos.valid.from - formats: - - UNIX - - ISO8601 - if: ctx.zeek.kerberos.valid?.from != null - - set: - field: event.outcome - value: success - if: "ctx?.zeek?.kerberos?.success == true" - - set: - field: event.outcome - value: failure - if: "ctx?.zeek?.kerberos?.success == false" - - geoip: - field: destination.ip - target_field: destination.geo - ignore_missing: true - - geoip: - field: source.ip - target_field: source.geo - ignore_missing: true - - geoip: - database_file: GeoLite2-ASN.mmdb - field: source.ip - target_field: source.as - properties: - - asn - - organization_name - ignore_missing: true - - geoip: - database_file: GeoLite2-ASN.mmdb - field: destination.ip - target_field: destination.as - properties: - - asn - - organization_name - ignore_missing: true - - rename: - field: source.as.asn - target_field: source.as.number - ignore_missing: true - - 
rename: - field: source.as.organization_name - target_field: source.as.organization.name - ignore_missing: true - - rename: - field: destination.as.asn - target_field: destination.as.number - ignore_missing: true - - rename: - field: destination.as.organization_name - target_field: destination.as.organization.name - ignore_missing: true - - append: - field: related.ip - value: "{{source.ip}}" - if: "ctx?.source?.ip != null" - allow_duplicates: false - - append: - field: related.ip - value: "{{destination.ip}}" - if: "ctx?.destination?.ip != null" - allow_duplicates: false - - append: - field: related.user - value: "{{user.name}}" - if: "ctx?.user?.name != null" - allow_duplicates: false - - gsub: - field: zeek.kerberos.cert.client.subject - pattern: \\, - replacement: "" - ignore_missing: true - - kv: - field: zeek.kerberos.cert.client.subject - field_split: "," - value_split: "=" - target_field: zeek.kerberos.cert.client.kv_sub - ignore_missing: true - - rename: - field: zeek.kerberos.cert.client.kv_sub.C - target_field: tls.client.x509.subject.country - ignore_missing: true - - rename: - field: zeek.kerberos.cert.client.kv_sub.CN - target_field: tls.client.x509.subject.common_name - ignore_missing: true - - rename: - field: zeek.kerberos.cert.client.kv_sub.L - target_field: tls.client.x509.subject.locality - ignore_missing: true - - rename: - field: zeek.kerberos.cert.client.kv_sub.O - target_field: tls.client.x509.subject.organization - ignore_missing: true - - rename: - field: zeek.kerberos.cert.client.kv_sub.OU - target_field: tls.client.x509.subject.organizational_unit - ignore_missing: true - - rename: - field: zeek.kerberos.cert.client.kv_sub.ST - target_field: tls.client.x509.subject.state_or_province - ignore_missing: true - - remove: - field: zeek.kerberos.cert.client.kv_sub - ignore_missing: true - - gsub: - field: zeek.kerberos.cert.server.subject - pattern: \\, - replacement: "" - ignore_missing: true - - kv: - field: zeek.kerberos.cert.server.subject 
- field_split: "," - value_split: "=" - target_field: zeek.kerberos.cert.server.kv_sub - ignore_missing: true - - rename: - field: zeek.kerberos.cert.server.kv_sub.C - target_field: tls.server.x509.subject.country - ignore_missing: true - - rename: - field: zeek.kerberos.cert.server.kv_sub.CN - target_field: tls.server.x509.subject.common_name - ignore_missing: true - - rename: - field: zeek.kerberos.cert.server.kv_sub.L - target_field: tls.server.x509.subject.locality - ignore_missing: true - - rename: - field: zeek.kerberos.cert.server.kv_sub.O - target_field: tls.server.x509.subject.organization - ignore_missing: true - - rename: - field: zeek.kerberos.cert.server.kv_sub.OU - target_field: tls.server.x509.subject.organizational_unit - ignore_missing: true - - rename: - field: zeek.kerberos.cert.server.kv_sub.ST - target_field: tls.server.x509.subject.state_or_province - ignore_missing: true - - remove: - field: zeek.kerberos.cert.server.kv_sub - ignore_missing: true - - community_id: - target_field: network.community_id - - remove: - field: - - message - - json - - zeek.kerberos.id - ignore_missing: true - - remove: - field: event.original - if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" - ignore_failure: true - ignore_missing: true -on_failure: - - set: - field: error.message - value: "{{ _ingest.on_failure_message }}" diff --git a/packages/zeek/2.5.2/data_stream/kerberos/elasticsearch/ingest_pipeline/third-party.yml b/packages/zeek/2.5.2/data_stream/kerberos/elasticsearch/ingest_pipeline/third-party.yml deleted file mode 100755 index 5bc2247db2..0000000000 --- a/packages/zeek/2.5.2/data_stream/kerberos/elasticsearch/ingest_pipeline/third-party.yml +++ /dev/null 
@@ -1,39 +0,0 @@ ---- -description: Pipeline for parsing Zeek logs from third party api -processors: - - fingerprint: - fields: - - _temp_.result._cd - - _temp_.result._indextime - - _temp_.result._raw - - _temp_.result._time - - _temp_.result.host - - _temp_.result.source - target_field: '_id' - ignore_missing: true - - set: - field: event.original - copy_from: _temp_.result._raw - ignore_empty_value: true - - set: - field: host.name - copy_from: _temp_.result.host - ignore_empty_value: true - - set: - copy_from: _temp_.result.source - field: log.file.path - ignore_empty_value: true - - remove: - field: _temp_ - ignore_missing: true - - json: - field: event.original - target_field: _temp_ -on_failure: - - append: - field: error.message - value: >- - error in third party api pipeline: - error in [{{_ingest.on_failure_processor_type}}] processor{{#_ingest.on_failure_processor_tag}} - with tag [{{_ingest.on_failure_processor_tag }}]{{/_ingest.on_failure_processor_tag}} - {{ _ingest.on_failure_message }} diff --git a/packages/zeek/2.5.2/data_stream/kerberos/fields/agent.yml b/packages/zeek/2.5.2/data_stream/kerberos/fields/agent.yml deleted file mode 100755 index ed1313d1b0..0000000000 --- a/packages/zeek/2.5.2/data_stream/kerberos/fields/agent.yml +++ /dev/null 
@@ -1,171 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: "Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on." - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: "The cloud account or organization id used to identify different entities in a multi-tenant environment.\nExamples: AWS account id, Google Cloud ORG Id, or other unique identifier." - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: "Container fields are used for meta information about the specific container that is the source of information.\nThese fields help correlate data based containers from any runtime." - type: group - fields: - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: "A host is defined as a general computing instance.\nECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes." - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: "Name of the domain of which the host is a member.\nFor example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider." - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: "Hostname of the host.\nIt normally contains what the `hostname` command returns on the host machine." - - name: id - level: core - type: keyword - ignore_above: 1024 - description: "Unique host id.\nAs hostname is not always unique, use values that are meaningful in your environment.\nExample: The current usage of `beat.name`." - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. 
- - name: name - level: core - type: keyword - ignore_above: 1024 - description: "Name of the host.\nIt can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use." - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: "Type of host.\nFor Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment." - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - diff --git a/packages/zeek/2.5.2/data_stream/kerberos/fields/base-fields.yml b/packages/zeek/2.5.2/data_stream/kerberos/fields/base-fields.yml deleted file mode 100755 index bb4e2c75f5..0000000000 --- a/packages/zeek/2.5.2/data_stream/kerberos/fields/base-fields.yml +++ /dev/null 
@@ -1,20 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: event.module - type: constant_keyword - description: Event module - value: zeek -- name: event.dataset - type: constant_keyword - description: Event dataset - value: zeek.kerberos -- name: '@timestamp' - type: date - description: Event timestamp. diff --git a/packages/zeek/2.5.2/data_stream/kerberos/fields/beats.yml b/packages/zeek/2.5.2/data_stream/kerberos/fields/beats.yml deleted file mode 100755 index 470f5fae48..0000000000 --- a/packages/zeek/2.5.2/data_stream/kerberos/fields/beats.yml +++ /dev/null @@ -1,23 +0,0 @@ -- description: Unique container id. - ignore_above: 1024 - name: container.id - type: keyword -- description: Type of Filebeat input. - name: input.type - type: keyword -- description: Full path to the log file this event came from. - example: /var/log/fun-times.log - ignore_above: 1024 - name: log.file.path - type: keyword -- description: Flags for the log file. - name: log.flags - type: keyword -- description: Offset of the entry in the log file. - name: log.offset - type: long -- description: List of keywords used to tag each event. - example: '["production", "env2"]' - ignore_above: 1024 - name: tags - type: keyword diff --git a/packages/zeek/2.5.2/data_stream/kerberos/fields/ecs.yml b/packages/zeek/2.5.2/data_stream/kerberos/fields/ecs.yml deleted file mode 100755 index 9cf137d1ff..0000000000 --- a/packages/zeek/2.5.2/data_stream/kerberos/fields/ecs.yml +++ /dev/null 
@@ -1,264 +0,0 @@ -- description: |- - Some event client addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: client.address - type: keyword -- description: |- - Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: destination.address - type: keyword -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: destination.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: destination.as.organization.name - type: keyword -- description: City name. - name: destination.geo.city_name - type: keyword -- description: Name of the continent. - name: destination.geo.continent_name - type: keyword -- description: Country ISO code. - name: destination.geo.country_iso_code - type: keyword -- description: Country name. - name: destination.geo.country_name - type: keyword -- description: Longitude and latitude. - name: destination.geo.location - type: geo_point -- description: |- - User-defined description of a location, at the level of granularity they care about. - Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. - Not typically used in automated geolocation. - name: destination.geo.name - type: keyword -- description: Region ISO code. - name: destination.geo.region_iso_code - type: keyword -- description: Region name. 
- name: destination.geo.region_name - type: keyword -- description: IP address of the destination (IPv4 or IPv6). - name: destination.ip - type: ip -- description: Port of the destination. - name: destination.port - type: long -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: Error message. - name: error.message - type: match_only_text -- description: |- - The action captured by the event. - This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. - name: event.action - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. This will allow proper categorization of some events that fall in multiple categories. - name: event.category - normalize: - - array - type: keyword -- description: |- - event.created contains the date/time when the event was first read by an agent, or by your pipeline. - This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. - In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. 
This can be used to monitor your agent's or pipeline's ability to keep up with your event source. - In case the two timestamps are identical, @timestamp should be used. - name: event.created - type: date -- description: Unique ID to describe the event. - name: event.id - type: keyword -- description: |- - Timestamp when an event arrived in the central data store. - This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. - In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. - name: event.ingested - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. - `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. - Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. 
- Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. - Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. - name: event.outcome - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. - `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. This will allow proper categorization of some events that fall in multiple event types. - name: event.type - normalize: - - array - type: keyword -- description: Host ip addresses. - name: host.ip - normalize: - - array - type: ip -- description: |- - A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. - Learn more at https://github.com/corelight/community-id-spec. - name: network.community_id - type: keyword -- description: |- - In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. - The field value must be normalized to lowercase for querying. - name: network.protocol - type: keyword -- description: |- - Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) - The field value must be normalized to lowercase for querying. - name: network.transport - type: keyword -- description: All of the IPs seen on your event. 
- name: related.ip - normalize: - - array - type: ip -- description: All the user names or other user identifiers seen on the event. - name: related.user - normalize: - - array - type: keyword -- description: |- - Some event server addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: server.address - type: keyword -- description: |- - Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: source.address - type: keyword -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: source.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: source.as.organization.name - type: keyword -- description: City name. - name: source.geo.city_name - type: keyword -- description: Name of the continent. - name: source.geo.continent_name - type: keyword -- description: Country ISO code. - name: source.geo.country_iso_code - type: keyword -- description: Country name. - name: source.geo.country_name - type: keyword -- description: Longitude and latitude. - name: source.geo.location - type: geo_point -- description: |- - User-defined description of a location, at the level of granularity they care about. - Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. - Not typically used in automated geolocation. - name: source.geo.name - type: keyword -- description: Region ISO code. 
- name: source.geo.region_iso_code - type: keyword -- description: Region name. - name: source.geo.region_name - type: keyword -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: Port of the source. - name: source.port - type: long -- description: List of common names (CN) of subject. - name: tls.client.x509.subject.common_name - normalize: - - array - type: keyword -- description: List of country \(C) code - name: tls.client.x509.subject.country - normalize: - - array - type: keyword -- description: List of locality names (L) - name: tls.client.x509.subject.locality - normalize: - - array - type: keyword -- description: List of organizations (O) of subject. - name: tls.client.x509.subject.organization - normalize: - - array - type: keyword -- description: List of organizational units (OU) of subject. - name: tls.client.x509.subject.organizational_unit - normalize: - - array - type: keyword -- description: List of state or province names (ST, S, or P) - name: tls.client.x509.subject.state_or_province - normalize: - - array - type: keyword -- description: List of common names (CN) of subject. - name: tls.server.x509.subject.common_name - normalize: - - array - type: keyword -- description: List of country \(C) code - name: tls.server.x509.subject.country - normalize: - - array - type: keyword -- description: List of locality names (L) - name: tls.server.x509.subject.locality - normalize: - - array - type: keyword -- description: List of organizations (O) of subject. - name: tls.server.x509.subject.organization - normalize: - - array - type: keyword -- description: List of organizational units (OU) of subject. - name: tls.server.x509.subject.organizational_unit - normalize: - - array - type: keyword -- description: List of state or province names (ST, S, or P) - name: tls.server.x509.subject.state_or_province - normalize: - - array - type: keyword -- description: |- - Name of the directory the user is a member of. 
- For example, an LDAP or Active Directory domain name. - name: user.domain - type: keyword -- description: Short name or login of the user. - multi_fields: - - name: text - type: match_only_text - name: user.name - type: keyword diff --git a/packages/zeek/2.5.2/data_stream/kerberos/fields/fields.yml b/packages/zeek/2.5.2/data_stream/kerberos/fields/fields.yml deleted file mode 100755 index 7f5d5fcbb6..0000000000 --- a/packages/zeek/2.5.2/data_stream/kerberos/fields/fields.yml +++ /dev/null 
@@ -1,101 +0,0 @@ -- name: zeek.kerberos - type: group - fields: - - name: request_type - type: keyword - description: | - Request type - Authentication Service (AS) or Ticket Granting Service (TGS). - - name: client - type: keyword - description: | - Client name. - - name: service - type: keyword - description: | - Service name. - - name: success - type: boolean - description: | - Request result. - - name: error - type: group - fields: - - name: code - type: integer - description: | - Error code. - - name: msg - type: keyword - description: | - Error message. - - name: valid - type: group - fields: - - name: from - type: date - description: | - Ticket valid from. - - name: until - type: date - description: | - Ticket valid until. - - name: days - type: integer - description: | - Number of days the ticket is valid for. - - name: cipher - type: keyword - description: | - Ticket encryption type. - - name: forwardable - type: boolean - description: | - Forwardable ticket requested. - - name: renewable - type: boolean - description: | - Renewable ticket requested. - - name: ticket - type: group - fields: - - name: auth - type: keyword - description: | - Hash of ticket used to authorize request/transaction. - - name: new - type: keyword - description: | - Hash of ticket returned by the KDC. - - name: cert - type: group - fields: - - name: client - type: group - fields: - - name: value - type: keyword - description: | - Client certificate. - - name: fuid - type: keyword - description: | - File unique ID of client cert. - - name: subject - type: keyword - description: | - Subject of client certificate. - - name: server - type: group - fields: - - name: value - type: keyword - description: | - Server certificate. - - name: fuid - type: keyword - description: | - File unique ID of server certificate. - - name: subject - type: keyword - description: | - Subject of server certificate. 
diff --git a/packages/zeek/2.5.2/data_stream/kerberos/fields/package-fields.yml b/packages/zeek/2.5.2/data_stream/kerberos/fields/package-fields.yml
deleted file mode 100755
index 4d6d6ea170..0000000000
--- a/packages/zeek/2.5.2/data_stream/kerberos/fields/package-fields.yml
+++ /dev/null
@@ -1,7 +0,0 @@
-- name: zeek
- type: group
- fields:
- - name: session_id
- type: keyword
- description: |
- A unique identifier of the session
diff --git a/packages/zeek/2.5.2/data_stream/kerberos/manifest.yml b/packages/zeek/2.5.2/data_stream/kerberos/manifest.yml
deleted file mode 100755
index 20b96a5801..0000000000
--- a/packages/zeek/2.5.2/data_stream/kerberos/manifest.yml
+++ /dev/null
@@ -1,85 +0,0 @@ -type: logs -title: Zeek kerberos logs -streams: - - input: logfile - vars: - - name: filenames - type: text - title: Filename of kerberos log file - multi: true - required: true - show_user: true - default: - - kerberos.log - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: false - default: - - forwarded - - zeek-kerberos - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original` - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: > - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. - - template_path: log.yml.hbs - title: Zeek kerberos.log - description: Collect Zeek kerberos logs - - input: httpjson - title: Zeek kerberos logs via Splunk Enterprise REST API - description: Collect Zeek kerberos logs via Splunk Enterprise REST API - enabled: false - template_path: httpjson.yml.hbs - vars: - - name: interval - type: text - title: Interval to query Splunk Enterprise REST API - description: Go Duration syntax (eg. 
10s) - show_user: true - required: true - default: 10s - - name: search - type: text - title: Splunk search string - show_user: true - required: true - default: "search sourcetype=\"kerberos-*\"" - - name: tags - type: text - title: Tags - multi: true - show_user: false - default: - - forwarded - - zeek-kerberos - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original` - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: >- - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. diff --git a/packages/zeek/2.5.2/data_stream/known_certs/agent/stream/log.yml.hbs b/packages/zeek/2.5.2/data_stream/known_certs/agent/stream/log.yml.hbs deleted file mode 100755 index 9dd9f724a5..0000000000 --- a/packages/zeek/2.5.2/data_stream/known_certs/agent/stream/log.yml.hbs +++ /dev/null @@ -1,21 +0,0 @@ -paths: -{{#each base_paths}} - {{#each ../filenames}} - - {{../this}}/{{this}} - {{/each}} -{{/each}} -exclude_files: [".gz$"] -tags: -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#each tags as |tag i|}} - - {{tag}} -{{/each}} -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} -{{#if processors}} -processors: -{{processors}} -{{/if}} diff --git a/packages/zeek/2.5.2/data_stream/known_certs/elasticsearch/ingest_pipeline/default.yml b/packages/zeek/2.5.2/data_stream/known_certs/elasticsearch/ingest_pipeline/default.yml deleted file mode 100755 index f69eedb568..0000000000 
--- a/packages/zeek/2.5.2/data_stream/known_certs/elasticsearch/ingest_pipeline/default.yml +++ /dev/null 
@@ -1,129 +0,0 @@ ---- -description: Pipeline for normalizing Zeek known_certs.log -processors: - - rename: - field: message - target_field: event.original - - json: - field: event.original - target_field: json - - drop: - description: Drop if no timestamp (invalid json) - if: 'ctx?.json?.ts == null' - -# Sets event.created from the @timestamp field generated by filebeat before being overwritten further down - - set: - field: event.created - copy_from: "@timestamp" - - set: - field: ecs.version - value: '8.4.0' - - set: - field: event.kind - value: event - - set: - field: event.category - value: - - network - - file - - set: - field: event.type - value: - - info - - date: - field: json.ts - formats: - - UNIX - - ISO8601 - - rename: - field: json.host - target_field: host.ip - ignore_missing: true - - set: - field: network.type - value: ipv4 - if: ctx.host?.ip.contains('.') - - set: - field: network.type - value: ipv6 - if: ctx.host?.ip.contains(':') - - append: - field: related.ip - value: "{{host.ip}}" - if: ctx?.host?.ip != null - allow_duplicates: false - - geoip: - field: host.ip - target_field: host.geo - ignore_missing: true - - set: - field: server - copy_from: host - ignore_empty_value: true - - rename: - field: json.port_num - target_field: server.port - ignore_missing: true - - geoip: - database_file: GeoLite2-ASN.mmdb - field: server.ip - target_field: server.as - properties: - - asn - - organization_name - ignore_missing: true - - rename: - field: server.as.asn - target_field: server.as.number - ignore_missing: true - - rename: - field: server.as.organization_name - target_field: server.as.organization.name - ignore_missing: true - - rename: - field: json.subject - target_field: tls.server.x509.subject.distinguished_name - ignore_missing: true - - rename: - field: json.issuer_subject - target_field: tls.server.x509.issuer.distinguished_name - ignore_missing: true - - rename: - field: json.serial - target_field: tls.server.x509.serial_number - 
ignore_missing: true - - grok: - field: tls.server.x509.subject.distinguished_name - ignore_missing: true - patterns: - - 'CN=%{CN:tls.server.x509.subject.common_name}' - pattern_definitions: - CN: '[^,]+' - - grok: - field: tls.server.x509.issuer.distinguished_name - ignore_missing: true - patterns: - - 'CN=%{CN:tls.server.x509.issuer.common_name}' - pattern_definitions: - CN: '[^,]+' - - set: - field: tls.server.issuer - copy_from: tls.server.x509.issuer.distinguished_name - ignore_empty_value: true - - set: - field: tls.server.subject - copy_from: tls.server.x509.subject.distinguished_name - ignore_empty_value: true - - remove: - field: - - json - ignore_missing: true - - remove: - field: event.original - if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" - ignore_failure: true - ignore_missing: true -on_failure: - - set: - field: error.message - value: "{{ _ingest.on_failure_message }}" diff --git a/packages/zeek/2.5.2/data_stream/known_certs/fields/agent.yml b/packages/zeek/2.5.2/data_stream/known_certs/fields/agent.yml deleted file mode 100755 index ed1313d1b0..0000000000 --- a/packages/zeek/2.5.2/data_stream/known_certs/fields/agent.yml +++ /dev/null 
@@ -1,171 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: "Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on." - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: "The cloud account or organization id used to identify different entities in a multi-tenant environment.\nExamples: AWS account id, Google Cloud ORG Id, or other unique identifier." - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: "Container fields are used for meta information about the specific container that is the source of information.\nThese fields help correlate data based containers from any runtime." - type: group - fields: - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: "A host is defined as a general computing instance.\nECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes." - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: "Name of the domain of which the host is a member.\nFor example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider." - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: "Hostname of the host.\nIt normally contains what the `hostname` command returns on the host machine." - - name: id - level: core - type: keyword - ignore_above: 1024 - description: "Unique host id.\nAs hostname is not always unique, use values that are meaningful in your environment.\nExample: The current usage of `beat.name`." - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. 
- - name: name - level: core - type: keyword - ignore_above: 1024 - description: "Name of the host.\nIt can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use." - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: "Type of host.\nFor Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment." - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - diff --git a/packages/zeek/2.5.2/data_stream/known_certs/fields/base-fields.yml b/packages/zeek/2.5.2/data_stream/known_certs/fields/base-fields.yml deleted file mode 100755 index 2867f9687f..0000000000 --- a/packages/zeek/2.5.2/data_stream/known_certs/fields/base-fields.yml +++ /dev/null 
@@ -1,20 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: event.module
- type: constant_keyword
- description: Event module
- value: zeek
-- name: event.dataset
- type: constant_keyword
- description: Event dataset
- value: zeek.known_certs
-- name: '@timestamp'
- type: date
- description: Event timestamp.
diff --git a/packages/zeek/2.5.2/data_stream/known_certs/fields/beats.yml b/packages/zeek/2.5.2/data_stream/known_certs/fields/beats.yml
deleted file mode 100755
index 470f5fae48..0000000000
--- a/packages/zeek/2.5.2/data_stream/known_certs/fields/beats.yml
+++ /dev/null
@@ -1,23 +0,0 @@
-- description: Unique container id.
- ignore_above: 1024
- name: container.id
- type: keyword
-- description: Type of Filebeat input.
- name: input.type
- type: keyword
-- description: Full path to the log file this event came from.
- example: /var/log/fun-times.log
- ignore_above: 1024
- name: log.file.path
- type: keyword
-- description: Flags for the log file.
- name: log.flags
- type: keyword
-- description: Offset of the entry in the log file.
- name: log.offset
- type: long
-- description: List of keywords used to tag each event.
- example: '["production", "env2"]'
- ignore_above: 1024
- name: tags
- type: keyword
diff --git a/packages/zeek/2.5.2/data_stream/known_certs/fields/ecs.yml b/packages/zeek/2.5.2/data_stream/known_certs/fields/ecs.yml
deleted file mode 100755
index 66b2268703..0000000000
--- a/packages/zeek/2.5.2/data_stream/known_certs/fields/ecs.yml
+++ /dev/null
@@ -1,140 +0,0 @@ -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. This will allow proper categorization of some events that fall in multiple categories. - name: event.category - normalize: - - array - type: keyword -- description: |- - event.created contains the date/time when the event was first read by an agent, or by your pipeline. - This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. - In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. - In case the two timestamps are identical, @timestamp should be used. - name: event.created - type: date -- description: |- - Timestamp when an event arrived in the central data store. - This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. - In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. 
- name: event.ingested - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. - `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. This will allow proper categorization of some events that fall in multiple event types. - name: event.type - normalize: - - array - type: keyword -- description: |- - In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc - The field value must be normalized to lowercase for querying. - name: network.type - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - normalize: - - array - type: ip -- description: City name. - name: host.geo.city_name - type: keyword -- description: Name of the continent. - name: host.geo.continent_name - type: keyword -- description: Country ISO code. - name: host.geo.country_iso_code - type: keyword -- description: Country name. - name: host.geo.country_name - type: keyword -- description: Longitude and latitude. - name: host.geo.location - type: geo_point -- description: |- - User-defined description of a location, at the level of granularity they care about. 
- Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. - Not typically used in automated geolocation. - name: host.geo.name - type: keyword -- description: Region ISO code. - name: host.geo.region_iso_code - type: keyword -- description: Region name. - name: host.geo.region_name - type: keyword -- description: Host ip addresses. - name: host.ip - normalize: - - array - type: ip -- description: City name. - name: server.geo.city_name - type: keyword -- description: Name of the continent. - name: server.geo.continent_name - type: keyword -- description: Country ISO code. - name: server.geo.country_iso_code - type: keyword -- description: Country name. - name: server.geo.country_name - type: keyword -- description: Longitude and latitude. - name: server.geo.location - type: geo_point -- description: |- - User-defined description of a location, at the level of granularity they care about. - Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. - Not typically used in automated geolocation. - name: server.geo.name - type: keyword -- description: Region ISO code. - name: server.geo.region_iso_code - type: keyword -- description: Region name. - name: server.geo.region_name - type: keyword -- description: IP address of the server (IPv4 or IPv6). - name: server.ip - type: ip -- description: Port of the server. - name: server.port - type: long -- description: Distinguished name (DN) of issuing certificate authority. - name: tls.server.x509.issuer.distinguished_name - type: keyword -- description: Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters. - name: tls.server.x509.serial_number - type: keyword -- description: Distinguished name (DN) of the certificate subject entity. 
- name: tls.server.x509.subject.distinguished_name - type: keyword -- description: List of common name (CN) of issuing certificate authority. - name: tls.server.x509.issuer.common_name - normalize: - - array - type: keyword -- description: List of common names (CN) of subject. - name: tls.server.x509.subject.common_name - normalize: - - array - type: keyword -- description: Subject of the issuer of the x.509 certificate presented by the server. - name: tls.server.issuer - type: keyword -- description: Subject of the x.509 certificate presented by the server. - name: tls.server.subject - type: keyword diff --git a/packages/zeek/2.5.2/data_stream/known_certs/manifest.yml b/packages/zeek/2.5.2/data_stream/known_certs/manifest.yml deleted file mode 100755 index 19a7c17b2d..0000000000 --- a/packages/zeek/2.5.2/data_stream/known_certs/manifest.yml +++ /dev/null 
@@ -1,41 +0,0 @@ -type: logs -title: Zeek Known Certs logs -streams: - - input: logfile - template_path: log.yml.hbs - title: Zeek known_certs.log - description: Collect Zeek Known Certs logs - vars: - - name: filenames - type: text - title: Filename of Known Certs log - multi: true - required: true - show_user: true - default: - - known_certs.log - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: false - default: - - forwarded - - zeek-known_certs - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original` - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: >- - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. diff --git a/packages/zeek/2.5.2/data_stream/known_hosts/agent/stream/log.yml.hbs b/packages/zeek/2.5.2/data_stream/known_hosts/agent/stream/log.yml.hbs deleted file mode 100755 index 9dd9f724a5..0000000000 --- a/packages/zeek/2.5.2/data_stream/known_hosts/agent/stream/log.yml.hbs +++ /dev/null @@ -1,21 +0,0 @@ -paths: -{{#each base_paths}} - {{#each ../filenames}} - - {{../this}}/{{this}} - {{/each}} -{{/each}} -exclude_files: [".gz$"] -tags: -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#each tags as |tag i|}} - - {{tag}} -{{/each}} -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} -{{#if processors}} -processors: -{{processors}} -{{/if}} 
diff --git a/packages/zeek/2.5.2/data_stream/known_hosts/elasticsearch/ingest_pipeline/default.yml b/packages/zeek/2.5.2/data_stream/known_hosts/elasticsearch/ingest_pipeline/default.yml deleted file mode 100755 index 6c5dfff0d1..0000000000 --- a/packages/zeek/2.5.2/data_stream/known_hosts/elasticsearch/ingest_pipeline/default.yml +++ /dev/null @@ -1,71 +0,0 @@ ---- -description: Pipeline for normalizing Zeek known_hosts.log -processors: - - rename: - field: message - target_field: event.original - - json: - field: event.original - target_field: json - - drop: - description: Drop if no timestamp (invalid json) - if: 'ctx?.json?.ts == null' - -# Sets event.created from the @timestamp field generated by filebeat before being overwritten further down - - set: - field: event.created - copy_from: "@timestamp" - - set: - field: ecs.version - value: '8.4.0' - - set: - field: event.kind - value: event - - set: - field: event.category - value: - - network - - host - - set: - field: event.type - value: - - info - - date: - field: json.ts - formats: - - UNIX - - ISO8601 - - rename: - field: json.host - target_field: host.ip - ignore_missing: true - - set: - field: network.type - value: ipv4 - if: ctx.host?.ip.contains('.') - - set: - field: network.type - value: ipv6 - if: ctx.host?.ip.contains(':') - - append: - field: related.ip - value: "{{host.ip}}" - if: ctx?.host?.ip != null - allow_duplicates: false - - geoip: - field: host.ip - target_field: host.geo - ignore_missing: true - - remove: - field: - - json - ignore_missing: true - - remove: - field: event.original - if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" - ignore_failure: true - ignore_missing: true -on_failure: - - set: - field: error.message - value: "{{ _ingest.on_failure_message }}" diff --git a/packages/zeek/2.5.2/data_stream/known_hosts/fields/agent.yml b/packages/zeek/2.5.2/data_stream/known_hosts/fields/agent.yml deleted file mode 100755 index ed1313d1b0..0000000000 
--- a/packages/zeek/2.5.2/data_stream/known_hosts/fields/agent.yml +++ /dev/null 
@@ -1,171 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: "Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on." - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: "The cloud account or organization id used to identify different entities in a multi-tenant environment.\nExamples: AWS account id, Google Cloud ORG Id, or other unique identifier." - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: "Container fields are used for meta information about the specific container that is the source of information.\nThese fields help correlate data based containers from any runtime." - type: group - fields: - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: "A host is defined as a general computing instance.\nECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes." - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: "Name of the domain of which the host is a member.\nFor example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider." - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: "Hostname of the host.\nIt normally contains what the `hostname` command returns on the host machine." - - name: id - level: core - type: keyword - ignore_above: 1024 - description: "Unique host id.\nAs hostname is not always unique, use values that are meaningful in your environment.\nExample: The current usage of `beat.name`." - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. 
- - name: name - level: core - type: keyword - ignore_above: 1024 - description: "Name of the host.\nIt can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use." - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: "Type of host.\nFor Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment." - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - diff --git a/packages/zeek/2.5.2/data_stream/known_hosts/fields/base-fields.yml b/packages/zeek/2.5.2/data_stream/known_hosts/fields/base-fields.yml deleted file mode 100755 index 3f252f24b8..0000000000 --- a/packages/zeek/2.5.2/data_stream/known_hosts/fields/base-fields.yml +++ /dev/null 
@@ -1,20 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: event.module - type: constant_keyword - description: Event module - value: zeek -- name: event.dataset - type: constant_keyword - description: Event dataset - value: zeek.known_hosts -- name: '@timestamp' - type: date - description: Event timestamp. diff --git a/packages/zeek/2.5.2/data_stream/known_hosts/fields/beats.yml b/packages/zeek/2.5.2/data_stream/known_hosts/fields/beats.yml deleted file mode 100755 index 470f5fae48..0000000000 --- a/packages/zeek/2.5.2/data_stream/known_hosts/fields/beats.yml +++ /dev/null @@ -1,23 +0,0 @@ -- description: Unique container id. - ignore_above: 1024 - name: container.id - type: keyword -- description: Type of Filebeat input. - name: input.type - type: keyword -- description: Full path to the log file this event came from. - example: /var/log/fun-times.log - ignore_above: 1024 - name: log.file.path - type: keyword -- description: Flags for the log file. - name: log.flags - type: keyword -- description: Offset of the entry in the log file. - name: log.offset - type: long -- description: List of keywords used to tag each event. - example: '["production", "env2"]' - ignore_above: 1024 - name: tags - type: keyword diff --git a/packages/zeek/2.5.2/data_stream/known_hosts/fields/ecs.yml b/packages/zeek/2.5.2/data_stream/known_hosts/fields/ecs.yml deleted file mode 100755 index a19a1829dd..0000000000 --- a/packages/zeek/2.5.2/data_stream/known_hosts/fields/ecs.yml +++ /dev/null 
@@ -1,82 +0,0 @@ -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. This will allow proper categorization of some events that fall in multiple categories. - name: event.category - normalize: - - array - type: keyword -- description: |- - event.created contains the date/time when the event was first read by an agent, or by your pipeline. - This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. - In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. - In case the two timestamps are identical, @timestamp should be used. - name: event.created - type: date -- description: |- - Timestamp when an event arrived in the central data store. - This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. - In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. 
- name: event.ingested - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. - `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. This will allow proper categorization of some events that fall in multiple event types. - name: event.type - normalize: - - array - type: keyword -- description: |- - In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc - The field value must be normalized to lowercase for querying. - name: network.type - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - normalize: - - array - type: ip -- description: City name. - name: host.geo.city_name - type: keyword -- description: Name of the continent. - name: host.geo.continent_name - type: keyword -- description: Country ISO code. - name: host.geo.country_iso_code - type: keyword -- description: Country name. - name: host.geo.country_name - type: keyword -- description: Longitude and latitude. - name: host.geo.location - type: geo_point -- description: |- - User-defined description of a location, at the level of granularity they care about. 
- Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. - Not typically used in automated geolocation. - name: host.geo.name - type: keyword -- description: Region ISO code. - name: host.geo.region_iso_code - type: keyword -- description: Region name. - name: host.geo.region_name - type: keyword -- description: Host ip addresses. - name: host.ip - normalize: - - array - type: ip diff --git a/packages/zeek/2.5.2/data_stream/known_hosts/manifest.yml b/packages/zeek/2.5.2/data_stream/known_hosts/manifest.yml deleted file mode 100755 index af25548e32..0000000000 --- a/packages/zeek/2.5.2/data_stream/known_hosts/manifest.yml +++ /dev/null @@ -1,41 +0,0 @@ -type: logs -title: Zeek Known Hosts logs -streams: - - input: logfile - template_path: log.yml.hbs - title: Zeek known_hosts.log - description: Collect Zeek Known Hosts logs - vars: - - name: filenames - type: text - title: Filename of Known Hosts log - multi: true - required: true - show_user: true - default: - - known_hosts.log - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: false - default: - - forwarded - - zeek-known_hosts - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original` - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: >- - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. 
diff --git a/packages/zeek/2.5.2/data_stream/known_services/agent/stream/log.yml.hbs b/packages/zeek/2.5.2/data_stream/known_services/agent/stream/log.yml.hbs deleted file mode 100755 index 9dd9f724a5..0000000000 --- a/packages/zeek/2.5.2/data_stream/known_services/agent/stream/log.yml.hbs +++ /dev/null @@ -1,21 +0,0 @@ -paths: -{{#each base_paths}} - {{#each ../filenames}} - - {{../this}}/{{this}} - {{/each}} -{{/each}} -exclude_files: [".gz$"] -tags: -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#each tags as |tag i|}} - - {{tag}} -{{/each}} -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} -{{#if processors}} -processors: -{{processors}} -{{/if}} diff --git a/packages/zeek/2.5.2/data_stream/known_services/elasticsearch/ingest_pipeline/default.yml b/packages/zeek/2.5.2/data_stream/known_services/elasticsearch/ingest_pipeline/default.yml deleted file mode 100755 index 1d2edab206..0000000000 --- a/packages/zeek/2.5.2/data_stream/known_services/elasticsearch/ingest_pipeline/default.yml +++ /dev/null 
@@ -1,102 +0,0 @@ ---- -description: Pipeline for normalizing Zeek known_services.log -processors: - - rename: - field: message - target_field: event.original - - json: - field: event.original - target_field: json - - drop: - description: Drop if no timestamp (invalid json) - if: 'ctx?.json?.ts == null' - -# Sets event.created from the @timestamp field generated by filebeat before being overwritten further down - - set: - field: event.created - copy_from: "@timestamp" - - set: - field: ecs.version - value: '8.4.0' - - set: - field: event.kind - value: event - - set: - field: event.category - value: - - network - - set: - field: event.type - value: - - info - - date: - field: json.ts - formats: - - UNIX - - ISO8601 - - rename: - field: json.host - target_field: host.ip - ignore_missing: true - - set: - field: network.type - value: ipv4 - if: ctx.host?.ip.contains('.') - - set: - field: network.type - value: ipv6 - if: ctx.host?.ip.contains(':') - - append: - field: related.ip - value: "{{host.ip}}" - if: ctx?.host?.ip != null - allow_duplicates: false - - geoip: - field: host.ip - target_field: host.geo - ignore_missing: true - - set: - field: server - copy_from: host - ignore_empty_value: true - - rename: - field: json.port_num - target_field: server.port - ignore_missing: true - - geoip: - database_file: GeoLite2-ASN.mmdb - field: server.ip - target_field: server.as - properties: - - asn - - organization_name - ignore_missing: true - - rename: - field: server.as.asn - target_field: server.as.number - ignore_missing: true - - rename: - field: server.as.organization_name - target_field: server.as.organization.name - ignore_missing: true - - rename: - field: json.port_proto - target_field: network.transport - ignore_missing: true - - rename: - field: json.service - target_field: network.application - ignore_missing: true - - remove: - field: - - json - ignore_missing: true - - remove: - field: event.original - if: "ctx?.tags == null || 
!(ctx.tags.contains('preserve_original_event'))" - ignore_failure: true - ignore_missing: true -on_failure: - - set: - field: error.message - value: "{{ _ingest.on_failure_message }}" diff --git a/packages/zeek/2.5.2/data_stream/known_services/fields/agent.yml b/packages/zeek/2.5.2/data_stream/known_services/fields/agent.yml deleted file mode 100755 index ed1313d1b0..0000000000 --- a/packages/zeek/2.5.2/data_stream/known_services/fields/agent.yml +++ /dev/null 
@@ -1,171 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: "Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on." - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: "The cloud account or organization id used to identify different entities in a multi-tenant environment.\nExamples: AWS account id, Google Cloud ORG Id, or other unique identifier." - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: "Container fields are used for meta information about the specific container that is the source of information.\nThese fields help correlate data based containers from any runtime." - type: group - fields: - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: "A host is defined as a general computing instance.\nECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes." - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: "Name of the domain of which the host is a member.\nFor example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider." - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: "Hostname of the host.\nIt normally contains what the `hostname` command returns on the host machine." - - name: id - level: core - type: keyword - ignore_above: 1024 - description: "Unique host id.\nAs hostname is not always unique, use values that are meaningful in your environment.\nExample: The current usage of `beat.name`." - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. 
- - name: name - level: core - type: keyword - ignore_above: 1024 - description: "Name of the host.\nIt can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use." - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: "Type of host.\nFor Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment." - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - diff --git a/packages/zeek/2.5.2/data_stream/known_services/fields/base-fields.yml b/packages/zeek/2.5.2/data_stream/known_services/fields/base-fields.yml deleted file mode 100755 index ecbd3a015c..0000000000 
--- a/packages/zeek/2.5.2/data_stream/known_services/fields/base-fields.yml +++ /dev/null @@ -1,20 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: event.module - type: constant_keyword - description: Event module - value: zeek -- name: event.dataset - type: constant_keyword - description: Event dataset - value: zeek.known_services -- name: '@timestamp' - type: date - description: Event timestamp. diff --git a/packages/zeek/2.5.2/data_stream/known_services/fields/beats.yml b/packages/zeek/2.5.2/data_stream/known_services/fields/beats.yml deleted file mode 100755 index 470f5fae48..0000000000 --- a/packages/zeek/2.5.2/data_stream/known_services/fields/beats.yml +++ /dev/null @@ -1,23 +0,0 @@ -- description: Unique container id. - ignore_above: 1024 - name: container.id - type: keyword -- description: Type of Filebeat input. - name: input.type - type: keyword -- description: Full path to the log file this event came from. - example: /var/log/fun-times.log - ignore_above: 1024 - name: log.file.path - type: keyword -- description: Flags for the log file. - name: log.flags - type: keyword -- description: Offset of the entry in the log file. - name: log.offset - type: long -- description: List of keywords used to tag each event. - example: '["production", "env2"]' - ignore_above: 1024 - name: tags - type: keyword diff --git a/packages/zeek/2.5.2/data_stream/known_services/fields/ecs.yml b/packages/zeek/2.5.2/data_stream/known_services/fields/ecs.yml deleted file mode 100755 index 0880bda748..0000000000 --- a/packages/zeek/2.5.2/data_stream/known_services/fields/ecs.yml +++ /dev/null 
@@ -1,126 +0,0 @@ -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. This will allow proper categorization of some events that fall in multiple categories. - name: event.category - normalize: - - array - type: keyword -- description: |- - event.created contains the date/time when the event was first read by an agent, or by your pipeline. - This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. - In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. - In case the two timestamps are identical, @timestamp should be used. - name: event.created - type: date -- description: |- - Timestamp when an event arrived in the central data store. - This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. - In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. 
- name: event.ingested - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. - `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. This will allow proper categorization of some events that fall in multiple event types. - name: event.type - normalize: - - array - type: keyword -- description: |- - In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc - The field value must be normalized to lowercase for querying. - name: network.type - type: keyword -- description: |- - When a specific application or service is identified from network connection details (source/dest IPs, ports, certificates, or wire format), this field captures the application's or service's name. - For example, the original event identifies the network connection being from a specific web service in a `https` network connection, like `facebook` or `twitter`. - The field value must be normalized to lowercase for querying. - name: network.application - type: keyword -- description: |- - Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) 
- The field value must be normalized to lowercase for querying. - name: network.transport - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - normalize: - - array - type: ip -- description: City name. - name: host.geo.city_name - type: keyword -- description: Name of the continent. - name: host.geo.continent_name - type: keyword -- description: Country ISO code. - name: host.geo.country_iso_code - type: keyword -- description: Country name. - name: host.geo.country_name - type: keyword -- description: Longitude and latitude. - name: host.geo.location - type: geo_point -- description: |- - User-defined description of a location, at the level of granularity they care about. - Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. - Not typically used in automated geolocation. - name: host.geo.name - type: keyword -- description: Region ISO code. - name: host.geo.region_iso_code - type: keyword -- description: Region name. - name: host.geo.region_name - type: keyword -- description: Host ip addresses. - name: host.ip - normalize: - - array - type: ip -- description: City name. - name: server.geo.city_name - type: keyword -- description: Name of the continent. - name: server.geo.continent_name - type: keyword -- description: Country ISO code. - name: server.geo.country_iso_code - type: keyword -- description: Country name. - name: server.geo.country_name - type: keyword -- description: Longitude and latitude. - name: server.geo.location - type: geo_point -- description: |- - User-defined description of a location, at the level of granularity they care about. - Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. - Not typically used in automated geolocation. - name: server.geo.name - type: keyword -- description: Region ISO code. - name: server.geo.region_iso_code - type: keyword -- description: Region name. 
- name: server.geo.region_name - type: keyword -- description: IP address of the server (IPv4 or IPv6). - name: server.ip - type: ip -- description: Port of the server. - name: server.port - type: long diff --git a/packages/zeek/2.5.2/data_stream/known_services/manifest.yml b/packages/zeek/2.5.2/data_stream/known_services/manifest.yml deleted file mode 100755 index 4b5ebb150d..0000000000 --- a/packages/zeek/2.5.2/data_stream/known_services/manifest.yml +++ /dev/null @@ -1,41 +0,0 @@ -type: logs -title: Zeek Known Services logs -streams: - - input: logfile - template_path: log.yml.hbs - title: Zeek known_services.log - description: Collect Zeek Known Services logs - vars: - - name: filenames - type: text - title: Filename of Known Services log - multi: true - required: true - show_user: true - default: - - known_services.log - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: false - default: - - forwarded - - zeek-known_services - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original` - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: >- - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. diff --git a/packages/zeek/2.5.2/data_stream/modbus/agent/stream/httpjson.yml.hbs b/packages/zeek/2.5.2/data_stream/modbus/agent/stream/httpjson.yml.hbs deleted file mode 100755 index 33f251e7d6..0000000000 --- a/packages/zeek/2.5.2/data_stream/modbus/agent/stream/httpjson.yml.hbs +++ /dev/null 
@@ -1,63 +0,0 @@ -config_version: 2 -interval: {{interval}} -{{#unless token}} -{{#if username}} -{{#if password}} -auth.basic.user: {{username}} -auth.basic.password: {{password}} -{{/if}} -{{/if}} -{{/unless}} -cursor: - index_earliest: - value: '[[.last_event.result.max_indextime]]' -request.url: {{url}}/services/search/jobs/export -{{#if ssl}} -request.ssl: {{ssl}} -{{/if}} -request.method: POST -request.transforms: - - set: - target: url.params.search - value: {{search}} | streamstats max(_indextime) AS max_indextime - - set: - target: url.params.output_mode - value: "json" - - set: - target: url.params.index_earliest - value: '[[ .cursor.index_earliest ]]' - default: '[[(now (parseDuration "-{{interval}}")).Unix]]' - - set: - target: url.params.index_latest - value: '[[(now).Unix]]' - - set: - target: header.Content-Type - value: application/x-www-form-urlencoded -{{#unless username}} -{{#unless password}} -{{#if token}} - - set: - target: header.Authorization - value: {{token}} -{{/if}} -{{/unless}} -{{/unless}} -response.decode_as: application/x-ndjson -response.split: - target: body.result._raw - type: string - delimiter: "\n" -tags: -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#each tags as |tag i|}} - - {{tag}} -{{/each}} -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} -{{#if processors}} -processors: -{{processors}} -{{/if}} diff --git a/packages/zeek/2.5.2/data_stream/modbus/agent/stream/log.yml.hbs b/packages/zeek/2.5.2/data_stream/modbus/agent/stream/log.yml.hbs deleted file mode 100755 index 9dd9f724a5..0000000000 --- a/packages/zeek/2.5.2/data_stream/modbus/agent/stream/log.yml.hbs +++ /dev/null 
@@ -1,21 +0,0 @@ -paths: -{{#each base_paths}} - {{#each ../filenames}} - - {{../this}}/{{this}} - {{/each}} -{{/each}} -exclude_files: [".gz$"] -tags: -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#each tags as |tag i|}} - - {{tag}} -{{/each}} -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} -{{#if processors}} -processors: -{{processors}} -{{/if}} diff --git a/packages/zeek/2.5.2/data_stream/modbus/elasticsearch/ingest_pipeline/default.yml b/packages/zeek/2.5.2/data_stream/modbus/elasticsearch/ingest_pipeline/default.yml deleted file mode 100755 index a4d34516b9..0000000000 --- a/packages/zeek/2.5.2/data_stream/modbus/elasticsearch/ingest_pipeline/default.yml +++ /dev/null 
@@ -1,180 +0,0 @@ ---- -description: Pipeline for normalizing Zeek modbus.log -processors: - - rename: - field: message - target_field: event.original - - json: - field: event.original - target_field: _temp_ - - pipeline: - if: ctx?._temp_?.result != null - name: '{{ IngestPipeline "third-party" }}' - - drop: - description: Drop if no timestamp (invalid json) - if: 'ctx?._temp_?.ts == null' - - rename: - field: _temp_ - target_field: zeek.modbus - -# Sets event.created from the @timestamp field generated by filebeat before being overwritten further down - - set: - field: event.created - copy_from: "@timestamp" - - set: - field: event.kind - value: event - - set: - field: ecs.version - value: '8.4.0' - - append: - field: event.category - value: network - - append: - field: event.type - value: connection - - append: - field: event.type - value: protocol - - set: - field: network.transport - value: tcp - - set: - field: network.protocol - value: modbus - - dot_expander: - path: zeek.modbus - field: id.orig_p - ignore_failure: true - - dot_expander: - path: zeek.modbus - field: id.orig_h - ignore_failure: true - - dot_expander: - path: zeek.modbus - field: id.resp_h - ignore_failure: true - - dot_expander: - path: zeek.modbus - field: id.resp_p - ignore_failure: true - - rename: - field: zeek.modbus.id.orig_h - target_field: source.address - ignore_missing: true - - rename: - field: zeek.modbus.id.orig_p - target_field: source.port - ignore_missing: true - - rename: - field: zeek.modbus.id.resp_h - target_field: destination.address - ignore_missing: true - - rename: - field: zeek.modbus.id.resp_p - target_field: destination.port - ignore_missing: true - - rename: - field: zeek.modbus.uid - target_field: zeek.session_id - ignore_missing: true - - set: - field: event.id - copy_from: zeek.session_id - if: ctx?.zeek?.session_id != null - - rename: - field: zeek.modbus.func - target_field: zeek.modbus.function - ignore_missing: true - - set: - field: event.action - 
copy_from: zeek.modbus.function - if: ctx?.source?.address != null - - set: - field: source.ip - copy_from: source.address - if: ctx?.source?.address != null - - set: - field: destination.ip - copy_from: destination.address - if: ctx?.destination?.address != null - - set: - field: event.outcome - value: failure - if: ctx?.zeek?.modbus?.exception != null - - set: - field: event.outcome - value: success - if: ctx?.event?.outcome == null - - date: - field: zeek.modbus.ts - formats: - - UNIX - - ISO8601 - - remove: - field: zeek.modbus.ts - - append: - field: related.ip - value: "{{source.ip}}" - if: "ctx?.source?.ip != null" - allow_duplicates: false - - append: - field: related.ip - value: "{{destination.ip}}" - if: "ctx?.destination?.ip != null" - allow_duplicates: false - - geoip: - field: destination.ip - target_field: destination.geo - ignore_missing: true - - geoip: - field: source.ip - target_field: source.geo - ignore_missing: true - - geoip: - database_file: GeoLite2-ASN.mmdb - field: source.ip - target_field: source.as - properties: - - asn - - organization_name - ignore_missing: true - - geoip: - database_file: GeoLite2-ASN.mmdb - field: destination.ip - target_field: destination.as - properties: - - asn - - organization_name - ignore_missing: true - - rename: - field: source.as.asn - target_field: source.as.number - ignore_missing: true - - rename: - field: source.as.organization_name - target_field: source.as.organization.name - ignore_missing: true - - rename: - field: destination.as.asn - target_field: destination.as.number - ignore_missing: true - - rename: - field: destination.as.organization_name - target_field: destination.as.organization.name - ignore_missing: true - - community_id: - target_field: network.community_id - - remove: - field: - - zeek.modbus.id - ignore_missing: true - - remove: - field: event.original - if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" - ignore_failure: true - ignore_missing: true 
-on_failure: - - set: - field: error.message - value: "{{ _ingest.on_failure_message }}" diff --git a/packages/zeek/2.5.2/data_stream/modbus/elasticsearch/ingest_pipeline/third-party.yml b/packages/zeek/2.5.2/data_stream/modbus/elasticsearch/ingest_pipeline/third-party.yml deleted file mode 100755 index 5bc2247db2..0000000000 --- a/packages/zeek/2.5.2/data_stream/modbus/elasticsearch/ingest_pipeline/third-party.yml +++ /dev/null @@ -1,39 +0,0 @@ ---- -description: Pipeline for parsing Zeek logs from third party api -processors: - - fingerprint: - fields: - - _temp_.result._cd - - _temp_.result._indextime - - _temp_.result._raw - - _temp_.result._time - - _temp_.result.host - - _temp_.result.source - target_field: '_id' - ignore_missing: true - - set: - field: event.original - copy_from: _temp_.result._raw - ignore_empty_value: true - - set: - field: host.name - copy_from: _temp_.result.host - ignore_empty_value: true - - set: - copy_from: _temp_.result.source - field: log.file.path - ignore_empty_value: true - - remove: - field: _temp_ - ignore_missing: true - - json: - field: event.original - target_field: _temp_ -on_failure: - - append: - field: error.message - value: >- - error in third party api pipeline: - error in [{{_ingest.on_failure_processor_type}}] processor{{#_ingest.on_failure_processor_tag}} - with tag [{{_ingest.on_failure_processor_tag }}]{{/_ingest.on_failure_processor_tag}} - {{ _ingest.on_failure_message }} diff --git a/packages/zeek/2.5.2/data_stream/modbus/fields/agent.yml b/packages/zeek/2.5.2/data_stream/modbus/fields/agent.yml deleted file mode 100755 index ed1313d1b0..0000000000 --- a/packages/zeek/2.5.2/data_stream/modbus/fields/agent.yml +++ /dev/null 
@@ -1,171 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: "Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on." - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: "The cloud account or organization id used to identify different entities in a multi-tenant environment.\nExamples: AWS account id, Google Cloud ORG Id, or other unique identifier." - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: "Container fields are used for meta information about the specific container that is the source of information.\nThese fields help correlate data based containers from any runtime." - type: group - fields: - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: "A host is defined as a general computing instance.\nECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes." - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: "Name of the domain of which the host is a member.\nFor example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider." - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: "Hostname of the host.\nIt normally contains what the `hostname` command returns on the host machine." - - name: id - level: core - type: keyword - ignore_above: 1024 - description: "Unique host id.\nAs hostname is not always unique, use values that are meaningful in your environment.\nExample: The current usage of `beat.name`." - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. 
- - name: name - level: core - type: keyword - ignore_above: 1024 - description: "Name of the host.\nIt can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use." - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: "Type of host.\nFor Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment." - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - diff --git a/packages/zeek/2.5.2/data_stream/modbus/fields/base-fields.yml b/packages/zeek/2.5.2/data_stream/modbus/fields/base-fields.yml deleted file mode 100755 index 6f2c2ac706..0000000000 --- a/packages/zeek/2.5.2/data_stream/modbus/fields/base-fields.yml +++ /dev/null 
@@ -1,20 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: event.module - type: constant_keyword - description: Event module - value: zeek -- name: event.dataset - type: constant_keyword - description: Event dataset - value: zeek.modbus -- name: '@timestamp' - type: date - description: Event timestamp. diff --git a/packages/zeek/2.5.2/data_stream/modbus/fields/beats.yml b/packages/zeek/2.5.2/data_stream/modbus/fields/beats.yml deleted file mode 100755 index 470f5fae48..0000000000 --- a/packages/zeek/2.5.2/data_stream/modbus/fields/beats.yml +++ /dev/null @@ -1,23 +0,0 @@ -- description: Unique container id. - ignore_above: 1024 - name: container.id - type: keyword -- description: Type of Filebeat input. - name: input.type - type: keyword -- description: Full path to the log file this event came from. - example: /var/log/fun-times.log - ignore_above: 1024 - name: log.file.path - type: keyword -- description: Flags for the log file. - name: log.flags - type: keyword -- description: Offset of the entry in the log file. - name: log.offset - type: long -- description: List of keywords used to tag each event. - example: '["production", "env2"]' - ignore_above: 1024 - name: tags - type: keyword diff --git a/packages/zeek/2.5.2/data_stream/modbus/fields/ecs.yml b/packages/zeek/2.5.2/data_stream/modbus/fields/ecs.yml deleted file mode 100755 index 2d087f6326..0000000000 --- a/packages/zeek/2.5.2/data_stream/modbus/fields/ecs.yml +++ /dev/null 
@@ -1,178 +0,0 @@ -- description: |- - Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: destination.address - type: keyword -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: destination.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: destination.as.organization.name - type: keyword -- description: City name. - name: destination.geo.city_name - type: keyword -- description: Name of the continent. - name: destination.geo.continent_name - type: keyword -- description: Country ISO code. - name: destination.geo.country_iso_code - type: keyword -- description: Country name. - name: destination.geo.country_name - type: keyword -- description: Longitude and latitude. - name: destination.geo.location - type: geo_point -- description: |- - User-defined description of a location, at the level of granularity they care about. - Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. - Not typically used in automated geolocation. - name: destination.geo.name - type: keyword -- description: Region ISO code. - name: destination.geo.region_iso_code - type: keyword -- description: Region name. - name: destination.geo.region_name - type: keyword -- description: IP address of the destination (IPv4 or IPv6). - name: destination.ip - type: ip -- description: Port of the destination. - name: destination.port - type: long -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. 
- When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: Error message. - name: error.message - type: match_only_text -- description: |- - The action captured by the event. - This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. - name: event.action - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. This will allow proper categorization of some events that fall in multiple categories. - name: event.category - normalize: - - array - type: keyword -- description: |- - event.created contains the date/time when the event was first read by an agent, or by your pipeline. - This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. - In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. - In case the two timestamps are identical, @timestamp should be used. - name: event.created - type: date -- description: Unique ID to describe the event. - name: event.id - type: keyword -- description: |- - Timestamp when an event arrived in the central data store. 
- This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. - In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. - name: event.ingested - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. - `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. - Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. - Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. - Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. 
- name: event.outcome - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. - `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. This will allow proper categorization of some events that fall in multiple event types. - name: event.type - normalize: - - array - type: keyword -- description: Host ip addresses. - name: host.ip - normalize: - - array - type: ip -- description: |- - A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. - Learn more at https://github.com/corelight/community-id-spec. - name: network.community_id - type: keyword -- description: |- - In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. - The field value must be normalized to lowercase for querying. - name: network.protocol - type: keyword -- description: |- - Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) - The field value must be normalized to lowercase for querying. - name: network.transport - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - normalize: - - array - type: ip -- description: |- - Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: source.address - type: keyword -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. 
- name: source.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: source.as.organization.name - type: keyword -- description: City name. - name: source.geo.city_name - type: keyword -- description: Name of the continent. - name: source.geo.continent_name - type: keyword -- description: Country ISO code. - name: source.geo.country_iso_code - type: keyword -- description: Country name. - name: source.geo.country_name - type: keyword -- description: Longitude and latitude. - name: source.geo.location - type: geo_point -- description: |- - User-defined description of a location, at the level of granularity they care about. - Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. - Not typically used in automated geolocation. - name: source.geo.name - type: keyword -- description: Region ISO code. - name: source.geo.region_iso_code - type: keyword -- description: Region name. - name: source.geo.region_name - type: keyword -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: Port of the source. - name: source.port - type: long diff --git a/packages/zeek/2.5.2/data_stream/modbus/fields/fields.yml b/packages/zeek/2.5.2/data_stream/modbus/fields/fields.yml deleted file mode 100755 index 220bd043d7..0000000000 --- a/packages/zeek/2.5.2/data_stream/modbus/fields/fields.yml +++ /dev/null @@ -1,16 +0,0 @@ -- name: zeek.modbus - type: group - fields: - - name: function - type: keyword - description: | - The name of the function message that was sent. - - name: exception - type: keyword - description: | - The exception if the response was a failure. - - name: track_address - type: integer - description: | - Present if policy/protocols/modbus/track-memmap.bro is loaded. - Modbus track address. 
diff --git a/packages/zeek/2.5.2/data_stream/modbus/fields/package-fields.yml b/packages/zeek/2.5.2/data_stream/modbus/fields/package-fields.yml deleted file mode 100755 index 4d6d6ea170..0000000000 --- a/packages/zeek/2.5.2/data_stream/modbus/fields/package-fields.yml +++ /dev/null @@ -1,7 +0,0 @@ -- name: zeek - type: group - fields: - - name: session_id - type: keyword - description: | - A unique identifier of the session diff --git a/packages/zeek/2.5.2/data_stream/modbus/manifest.yml b/packages/zeek/2.5.2/data_stream/modbus/manifest.yml deleted file mode 100755 index ab505158c1..0000000000 --- a/packages/zeek/2.5.2/data_stream/modbus/manifest.yml +++ /dev/null 
@@ -1,85 +0,0 @@ -type: logs -title: Zeek modbus logs -streams: - - input: logfile - vars: - - name: filenames - type: text - title: Filename of modbus log file - multi: true - required: true - show_user: true - default: - - modbus.log - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: false - default: - - forwarded - - zeek-modbus - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original` - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: > - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. - - template_path: log.yml.hbs - title: Zeek modbus.log - description: Collect Zeek modbus logs - - input: httpjson - title: Zeek modbus logs via Splunk Enterprise REST API - description: Collect Zeek modbus logs via Splunk Enterprise REST API - enabled: false - template_path: httpjson.yml.hbs - vars: - - name: interval - type: text - title: Interval to query Splunk Enterprise REST API - description: Go Duration syntax (eg. 
10s) - show_user: true - required: true - default: 10s - - name: search - type: text - title: Splunk search string - show_user: true - required: true - default: "search sourcetype=\"modbus-*\"" - - name: tags - type: text - title: Tags - multi: true - show_user: false - default: - - forwarded - - zeek-modbus - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original` - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: >- - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. diff --git a/packages/zeek/2.5.2/data_stream/mysql/agent/stream/httpjson.yml.hbs b/packages/zeek/2.5.2/data_stream/mysql/agent/stream/httpjson.yml.hbs deleted file mode 100755 index 33f251e7d6..0000000000 --- a/packages/zeek/2.5.2/data_stream/mysql/agent/stream/httpjson.yml.hbs +++ /dev/null 
@@ -1,63 +0,0 @@ -config_version: 2 -interval: {{interval}} -{{#unless token}} -{{#if username}} -{{#if password}} -auth.basic.user: {{username}} -auth.basic.password: {{password}} -{{/if}} -{{/if}} -{{/unless}} -cursor: - index_earliest: - value: '[[.last_event.result.max_indextime]]' -request.url: {{url}}/services/search/jobs/export -{{#if ssl}} -request.ssl: {{ssl}} -{{/if}} -request.method: POST -request.transforms: - - set: - target: url.params.search - value: {{search}} | streamstats max(_indextime) AS max_indextime - - set: - target: url.params.output_mode - value: "json" - - set: - target: url.params.index_earliest - value: '[[ .cursor.index_earliest ]]' - default: '[[(now (parseDuration "-{{interval}}")).Unix]]' - - set: - target: url.params.index_latest - value: '[[(now).Unix]]' - - set: - target: header.Content-Type - value: application/x-www-form-urlencoded -{{#unless username}} -{{#unless password}} -{{#if token}} - - set: - target: header.Authorization - value: {{token}} -{{/if}} -{{/unless}} -{{/unless}} -response.decode_as: application/x-ndjson -response.split: - target: body.result._raw - type: string - delimiter: "\n" -tags: -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#each tags as |tag i|}} - - {{tag}} -{{/each}} -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} -{{#if processors}} -processors: -{{processors}} -{{/if}} diff --git a/packages/zeek/2.5.2/data_stream/mysql/agent/stream/log.yml.hbs b/packages/zeek/2.5.2/data_stream/mysql/agent/stream/log.yml.hbs deleted file mode 100755 index 9dd9f724a5..0000000000 --- a/packages/zeek/2.5.2/data_stream/mysql/agent/stream/log.yml.hbs +++ /dev/null 
@@ -1,21 +0,0 @@ -paths: -{{#each base_paths}} - {{#each ../filenames}} - - {{../this}}/{{this}} - {{/each}} -{{/each}} -exclude_files: [".gz$"] -tags: -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#each tags as |tag i|}} - - {{tag}} -{{/each}} -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} -{{#if processors}} -processors: -{{processors}} -{{/if}} diff --git a/packages/zeek/2.5.2/data_stream/mysql/elasticsearch/ingest_pipeline/default.yml b/packages/zeek/2.5.2/data_stream/mysql/elasticsearch/ingest_pipeline/default.yml deleted file mode 100755 index c9fd4e48e0..0000000000 --- a/packages/zeek/2.5.2/data_stream/mysql/elasticsearch/ingest_pipeline/default.yml +++ /dev/null 
@@ -1,203 +0,0 @@ ---- -description: Pipeline for normalizing Zeek mysql.log -processors: - - rename: - field: message - target_field: event.original - - json: - field: event.original - target_field: _temp_ - - pipeline: - if: ctx?._temp_?.result != null - name: '{{ IngestPipeline "third-party" }}' - - drop: - description: Drop if no timestamp (invalid json) - if: 'ctx?._temp_?.ts == null' - - rename: - field: _temp_ - target_field: zeek.mysql - -# Sets event.created from the @timestamp field generated by filebeat before being overwritten further down - - set: - field: event.created - copy_from: "@timestamp" - - set: - field: event.kind - value: event - - set: - field: ecs.version - value: '8.4.0' - - append: - field: event.category - value: network - - append: - field: event.category - value: database - - append: - field: event.type - value: connection - - append: - field: event.type - value: protocol - - set: - field: network.transport - value: tcp - - set: - field: network.protocol - value: mysql - - dot_expander: - path: zeek.mysql - field: id.orig_p - ignore_failure: true - - dot_expander: - path: zeek.mysql - field: id.orig_h - ignore_failure: true - - dot_expander: - path: zeek.mysql - field: id.resp_h - ignore_failure: true - - dot_expander: - path: zeek.mysql - field: id.resp_p - ignore_failure: true - - rename: - field: zeek.mysql.id.orig_h - target_field: source.address - ignore_missing: true - - rename: - field: zeek.mysql.id.orig_p - target_field: source.port - ignore_missing: true - - rename: - field: zeek.mysql.id.resp_h - target_field: destination.address - ignore_missing: true - - rename: - field: zeek.mysql.id.resp_p - target_field: destination.port - ignore_missing: true - - rename: - field: zeek.mysql.uid - target_field: zeek.session_id - ignore_missing: true - - set: - field: event.id - copy_from: zeek.session_id - if: ctx.zeek.session_id != null - - set: - field: source.ip - copy_from: source.address - if: ctx?.source?.address != null - - set: 
- field: destination.ip - copy_from: destination.address - if: ctx?.destination?.address != null - - set: - field: event.action - copy_from: zeek.mysql.cmd - if: ctx?.zeek?.mysql?.cmd != null - - set: - field: event.outcome - value: success - if: ctx?.zeek?.mysql?.success == true - - set: - field: event.outcome - value: failure - if: ctx?.event?.outcome == null - - date: - field: zeek.mysql.ts - formats: - - UNIX - - ISO8601 - - remove: - field: zeek.mysql.ts - - append: - field: related.ip - value: "{{source.ip}}" - if: "ctx?.source?.ip != null" - allow_duplicates: false - - append: - field: related.ip - value: "{{destination.ip}}" - if: "ctx?.destination?.ip != null" - allow_duplicates: false - - geoip: - field: destination.ip - target_field: destination.geo - ignore_missing: true - - geoip: - field: source.ip - target_field: source.geo - ignore_missing: true - - geoip: - database_file: GeoLite2-ASN.mmdb - field: source.ip - target_field: source.as - properties: - - asn - - organization_name - ignore_missing: true - - geoip: - database_file: GeoLite2-ASN.mmdb - field: destination.ip - target_field: destination.as - properties: - - asn - - organization_name - ignore_missing: true - - rename: - field: source.as.asn - target_field: source.as.number - ignore_missing: true - - rename: - field: source.as.organization_name - target_field: source.as.organization.name - ignore_missing: true - - rename: - field: destination.as.asn - target_field: destination.as.number - ignore_missing: true - - rename: - field: destination.as.organization_name - target_field: destination.as.organization.name - ignore_missing: true - - append: - field: event.type - value: access - if: "ctx?.zeek?.mysql?.cmd != null && (ctx.zeek.mysql.cmd == 'connect' || ctx.zeek.mysql.cmd == 'connect_out')" - - append: - field: event.type - value: change - if: "ctx?.zeek?.mysql?.cmd != null && (ctx.zeek.mysql.cmd == 'init_db' || ctx.zeek.mysql.cmd == 'change_user' || ctx.zeek.mysql.cmd == 'set_option' || 
ctx.zeek.mysql.cmd == 'drop_db' || ctx.zeek.mysql.cmd == 'create_db' || ctx.zeek.mysql.cmd == 'process_kill' || ctx.zeek.mysql.cmd == 'delayed_insert')" - - append: - field: event.type - value: info - if: "ctx?.zeek?.mysql?.cmd != null && ctx.zeek.mysql.cmd != 'init_db' && ctx.zeek.mysql.cmd != 'change_user' && ctx.zeek.mysql.cmd != 'set_option' && ctx.zeek.mysql.cmd != 'drop_db' && ctx.zeek.mysql.cmd != 'create_db' && ctx.zeek.mysql.cmd != 'process_kill' && ctx.zeek.mysql.cmd != 'delayed_insert' && ctx.zeek.mysql.cmd != 'connect' && ctx.zeek.mysql.cmd != 'connect_out'" - - append: - field: event.type - value: start - if: "ctx?.zeek?.mysql?.cmd != null && ctx.zeek.mysql.cmd == 'connect'" - - append: - field: event.type - value: end - if: "ctx?.zeek?.mysql?.cmd != null && ctx.zeek.mysql.cmd == 'connect_out'" - - append: - field: event.category - value: session - if: "ctx?.zeek?.mysql?.cmd != null && (ctx.zeek.mysql.cmd == 'connect' || ctx.zeek.mysql.cmd == 'connect_out')" - - community_id: - target_field: network.community_id - - remove: - field: - - zeek.mysql.id - ignore_missing: true - - remove: - field: event.original - if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" - ignore_failure: true - ignore_missing: true -on_failure: - - set: - field: error.message - value: "{{ _ingest.on_failure_message }}" diff --git a/packages/zeek/2.5.2/data_stream/mysql/elasticsearch/ingest_pipeline/third-party.yml b/packages/zeek/2.5.2/data_stream/mysql/elasticsearch/ingest_pipeline/third-party.yml deleted file mode 100755 index 5bc2247db2..0000000000 --- a/packages/zeek/2.5.2/data_stream/mysql/elasticsearch/ingest_pipeline/third-party.yml +++ /dev/null 
@@ -1,39 +0,0 @@ ---- -description: Pipeline for parsing Zeek logs from third party api -processors: - - fingerprint: - fields: - - _temp_.result._cd - - _temp_.result._indextime - - _temp_.result._raw - - _temp_.result._time - - _temp_.result.host - - _temp_.result.source - target_field: '_id' - ignore_missing: true - - set: - field: event.original - copy_from: _temp_.result._raw - ignore_empty_value: true - - set: - field: host.name - copy_from: _temp_.result.host - ignore_empty_value: true - - set: - copy_from: _temp_.result.source - field: log.file.path - ignore_empty_value: true - - remove: - field: _temp_ - ignore_missing: true - - json: - field: event.original - target_field: _temp_ -on_failure: - - append: - field: error.message - value: >- - error in third party api pipeline: - error in [{{_ingest.on_failure_processor_type}}] processor{{#_ingest.on_failure_processor_tag}} - with tag [{{_ingest.on_failure_processor_tag }}]{{/_ingest.on_failure_processor_tag}} - {{ _ingest.on_failure_message }} diff --git a/packages/zeek/2.5.2/data_stream/mysql/fields/agent.yml b/packages/zeek/2.5.2/data_stream/mysql/fields/agent.yml deleted file mode 100755 index ed1313d1b0..0000000000 --- a/packages/zeek/2.5.2/data_stream/mysql/fields/agent.yml +++ /dev/null 
@@ -1,171 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: "Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on." - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: "The cloud account or organization id used to identify different entities in a multi-tenant environment.\nExamples: AWS account id, Google Cloud ORG Id, or other unique identifier." - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: "Container fields are used for meta information about the specific container that is the source of information.\nThese fields help correlate data based containers from any runtime." - type: group - fields: - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: "A host is defined as a general computing instance.\nECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes." - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: "Name of the domain of which the host is a member.\nFor example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider." - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: "Hostname of the host.\nIt normally contains what the `hostname` command returns on the host machine." - - name: id - level: core - type: keyword - ignore_above: 1024 - description: "Unique host id.\nAs hostname is not always unique, use values that are meaningful in your environment.\nExample: The current usage of `beat.name`." - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. 
- - name: name - level: core - type: keyword - ignore_above: 1024 - description: "Name of the host.\nIt can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use." - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: "Type of host.\nFor Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment." - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - diff --git a/packages/zeek/2.5.2/data_stream/mysql/fields/base-fields.yml b/packages/zeek/2.5.2/data_stream/mysql/fields/base-fields.yml deleted file mode 100755 index abbb37d349..0000000000 --- a/packages/zeek/2.5.2/data_stream/mysql/fields/base-fields.yml +++ /dev/null 
@@ -1,20 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: event.module - type: constant_keyword - description: Event module - value: zeek -- name: event.dataset - type: constant_keyword - description: Event dataset - value: zeek.mysql -- name: '@timestamp' - type: date - description: Event timestamp. diff --git a/packages/zeek/2.5.2/data_stream/mysql/fields/beats.yml b/packages/zeek/2.5.2/data_stream/mysql/fields/beats.yml deleted file mode 100755 index 470f5fae48..0000000000 --- a/packages/zeek/2.5.2/data_stream/mysql/fields/beats.yml +++ /dev/null @@ -1,23 +0,0 @@ -- description: Unique container id. - ignore_above: 1024 - name: container.id - type: keyword -- description: Type of Filebeat input. - name: input.type - type: keyword -- description: Full path to the log file this event came from. - example: /var/log/fun-times.log - ignore_above: 1024 - name: log.file.path - type: keyword -- description: Flags for the log file. - name: log.flags - type: keyword -- description: Offset of the entry in the log file. - name: log.offset - type: long -- description: List of keywords used to tag each event. - example: '["production", "env2"]' - ignore_above: 1024 - name: tags - type: keyword diff --git a/packages/zeek/2.5.2/data_stream/mysql/fields/ecs.yml b/packages/zeek/2.5.2/data_stream/mysql/fields/ecs.yml deleted file mode 100755 index 2d087f6326..0000000000 --- a/packages/zeek/2.5.2/data_stream/mysql/fields/ecs.yml +++ /dev/null 
@@ -1,178 +0,0 @@ -- description: |- - Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: destination.address - type: keyword -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: destination.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: destination.as.organization.name - type: keyword -- description: City name. - name: destination.geo.city_name - type: keyword -- description: Name of the continent. - name: destination.geo.continent_name - type: keyword -- description: Country ISO code. - name: destination.geo.country_iso_code - type: keyword -- description: Country name. - name: destination.geo.country_name - type: keyword -- description: Longitude and latitude. - name: destination.geo.location - type: geo_point -- description: |- - User-defined description of a location, at the level of granularity they care about. - Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. - Not typically used in automated geolocation. - name: destination.geo.name - type: keyword -- description: Region ISO code. - name: destination.geo.region_iso_code - type: keyword -- description: Region name. - name: destination.geo.region_name - type: keyword -- description: IP address of the destination (IPv4 or IPv6). - name: destination.ip - type: ip -- description: Port of the destination. - name: destination.port - type: long -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. 
- When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: Error message. - name: error.message - type: match_only_text -- description: |- - The action captured by the event. - This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. - name: event.action - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. This will allow proper categorization of some events that fall in multiple categories. - name: event.category - normalize: - - array - type: keyword -- description: |- - event.created contains the date/time when the event was first read by an agent, or by your pipeline. - This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. - In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. - In case the two timestamps are identical, @timestamp should be used. - name: event.created - type: date -- description: Unique ID to describe the event. - name: event.id - type: keyword -- description: |- - Timestamp when an event arrived in the central data store. 
- This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. - In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. - name: event.ingested - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. - `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. - Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. - Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. - Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. 
- name: event.outcome - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. - `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. This will allow proper categorization of some events that fall in multiple event types. - name: event.type - normalize: - - array - type: keyword -- description: Host ip addresses. - name: host.ip - normalize: - - array - type: ip -- description: |- - A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. - Learn more at https://github.com/corelight/community-id-spec. - name: network.community_id - type: keyword -- description: |- - In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. - The field value must be normalized to lowercase for querying. - name: network.protocol - type: keyword -- description: |- - Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) - The field value must be normalized to lowercase for querying. - name: network.transport - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - normalize: - - array - type: ip -- description: |- - Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: source.address - type: keyword -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. 
- name: source.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: source.as.organization.name - type: keyword -- description: City name. - name: source.geo.city_name - type: keyword -- description: Name of the continent. - name: source.geo.continent_name - type: keyword -- description: Country ISO code. - name: source.geo.country_iso_code - type: keyword -- description: Country name. - name: source.geo.country_name - type: keyword -- description: Longitude and latitude. - name: source.geo.location - type: geo_point -- description: |- - User-defined description of a location, at the level of granularity they care about. - Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. - Not typically used in automated geolocation. - name: source.geo.name - type: keyword -- description: Region ISO code. - name: source.geo.region_iso_code - type: keyword -- description: Region name. - name: source.geo.region_name - type: keyword -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: Port of the source. - name: source.port - type: long diff --git a/packages/zeek/2.5.2/data_stream/mysql/fields/fields.yml b/packages/zeek/2.5.2/data_stream/mysql/fields/fields.yml deleted file mode 100755 index 475a41bb53..0000000000 --- a/packages/zeek/2.5.2/data_stream/mysql/fields/fields.yml +++ /dev/null @@ -1,23 +0,0 @@ -- name: zeek.mysql - type: group - fields: - - name: cmd - type: keyword - description: | - The command that was issued. - - name: arg - type: keyword - description: | - The argument issued to the command. - - name: success - type: boolean - description: | - Whether the command succeeded. - - name: rows - type: integer - description: | - The number of affected rows, if any. - - name: response - type: keyword - description: | - Server message, if any. 
diff --git a/packages/zeek/2.5.2/data_stream/mysql/fields/package-fields.yml b/packages/zeek/2.5.2/data_stream/mysql/fields/package-fields.yml deleted file mode 100755 index 4d6d6ea170..0000000000 --- a/packages/zeek/2.5.2/data_stream/mysql/fields/package-fields.yml +++ /dev/null @@ -1,7 +0,0 @@ -- name: zeek - type: group - fields: - - name: session_id - type: keyword - description: | - A unique identifier of the session diff --git a/packages/zeek/2.5.2/data_stream/mysql/manifest.yml b/packages/zeek/2.5.2/data_stream/mysql/manifest.yml deleted file mode 100755 index 1d8e9acee6..0000000000 --- a/packages/zeek/2.5.2/data_stream/mysql/manifest.yml +++ /dev/null 
@@ -1,85 +0,0 @@ -type: logs -title: Zeek mysql logs -streams: - - input: logfile - vars: - - name: filenames - type: text - title: Filename of mysql log file - multi: true - required: true - show_user: true - default: - - mysql.log - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: false - default: - - forwarded - - zeek-mysql - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original` - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: > - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. - - template_path: log.yml.hbs - title: Zeek mysql.log - description: Collect Zeek mysql logs - - input: httpjson - title: Zeek mysql logs via Splunk Enterprise REST API - description: Collect Zeek mysql logs via Splunk Enterprise REST API - enabled: false - template_path: httpjson.yml.hbs - vars: - - name: interval - type: text - title: Interval to query Splunk Enterprise REST API - description: Go Duration syntax (eg. 
10s) - show_user: true - required: true - default: 10s - - name: search - type: text - title: Splunk search string - show_user: true - required: true - default: "search sourcetype=\"mysql-*\"" - - name: tags - type: text - title: Tags - multi: true - show_user: false - default: - - forwarded - - zeek-mysql - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original` - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: >- - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. diff --git a/packages/zeek/2.5.2/data_stream/notice/agent/stream/httpjson.yml.hbs b/packages/zeek/2.5.2/data_stream/notice/agent/stream/httpjson.yml.hbs deleted file mode 100755 index 33f251e7d6..0000000000 --- a/packages/zeek/2.5.2/data_stream/notice/agent/stream/httpjson.yml.hbs +++ /dev/null 
@@ -1,63 +0,0 @@
-config_version: 2
-interval: {{interval}}
-{{#unless token}}
-{{#if username}}
-{{#if password}}
-auth.basic.user: {{username}}
-auth.basic.password: {{password}}
-{{/if}}
-{{/if}}
-{{/unless}}
-cursor:
- index_earliest:
- value: '[[.last_event.result.max_indextime]]'
-request.url: {{url}}/services/search/jobs/export
-{{#if ssl}}
-request.ssl: {{ssl}}
-{{/if}}
-request.method: POST
-request.transforms:
- - set:
- target: url.params.search
- value: {{search}} | streamstats max(_indextime) AS max_indextime
- - set:
- target: url.params.output_mode
- value: "json"
- - set:
- target: url.params.index_earliest
- value: '[[ .cursor.index_earliest ]]'
- default: '[[(now (parseDuration "-{{interval}}")).Unix]]'
- - set:
- target: url.params.index_latest
- value: '[[(now).Unix]]'
- - set:
- target: header.Content-Type
- value: application/x-www-form-urlencoded
-{{#unless username}}
-{{#unless password}}
-{{#if token}}
- - set:
- target: header.Authorization
- value: {{token}}
-{{/if}}
-{{/unless}}
-{{/unless}}
-response.decode_as: application/x-ndjson
-response.split:
- target: body.result._raw
- type: string
- delimiter: "\n"
-tags:
-{{#if preserve_original_event}}
- - preserve_original_event
-{{/if}}
-{{#each tags as |tag i|}}
- - {{tag}}
-{{/each}}
-{{#contains "forwarded" tags}}
-publisher_pipeline.disable_host: true
-{{/contains}}
-{{#if processors}}
-processors:
-{{processors}}
-{{/if}}
diff --git a/packages/zeek/2.5.2/data_stream/notice/agent/stream/log.yml.hbs b/packages/zeek/2.5.2/data_stream/notice/agent/stream/log.yml.hbs
deleted file mode 100755
index 30e7049925..0000000000
--- a/packages/zeek/2.5.2/data_stream/notice/agent/stream/log.yml.hbs
+++ /dev/null
@@ -1,21 +0,0 @@
-paths:
-{{#each base_paths}}
- {{#each ../filenames}}
- - {{../this}}/{{this}}
- {{/each}}
-{{/each}}
-exclude_files: [".gz$"]
-tags:
-{{#if preserve_original_event}}
- - preserve_original_event
-{{/if}}
-{{#each tags as |tag i|}}
- - {{tag}}
-{{/each}}
-{{#contains "forwarded" tags}}
-publisher_pipeline.disable_host: true
-{{/contains}}
-{{#if processors}}
-processors:
-{{processors}}
-{{/if}}
\ No newline at end of file
diff --git a/packages/zeek/2.5.2/data_stream/notice/elasticsearch/ingest_pipeline/default.yml b/packages/zeek/2.5.2/data_stream/notice/elasticsearch/ingest_pipeline/default.yml
deleted file mode 100755
index 04d46c8aa2..0000000000
--- a/packages/zeek/2.5.2/data_stream/notice/elasticsearch/ingest_pipeline/default.yml
+++ /dev/null
@@ -1,272 +0,0 @@ ---- -description: Pipeline for normalizing Zeek notice.log -processors: - - rename: - field: message - target_field: event.original - - json: - field: event.original - target_field: _temp_ - - pipeline: - if: ctx?._temp_?.result != null - name: '{{ IngestPipeline "third-party" }}' - - drop: - description: Drop if no timestamp (invalid json) - if: 'ctx?._temp_?.ts == null' - - rename: - field: _temp_ - target_field: zeek.notice - -# Sets event.created from the @timestamp field generated by filebeat before being overwritten further down - - set: - field: event.created - copy_from: "@timestamp" - - set: - field: event.kind - value: alert - - set: - field: ecs.version - value: '8.4.0' - - append: - field: event.category - value: intrusion_detection - - append: - field: event.type - value: info - - dot_expander: - path: zeek.notice - field: id.orig_p - ignore_failure: true - - dot_expander: - path: zeek.notice - field: id.orig_h - ignore_failure: true - - dot_expander: - path: zeek.notice - field: id.resp_h - ignore_failure: true - - dot_expander: - path: zeek.notice - field: id.resp_p - ignore_failure: true - - rename: - field: zeek.notice.id.orig_h - target_field: source.address - ignore_missing: true - - rename: - field: zeek.notice.id.orig_p - target_field: source.port - ignore_missing: true - - rename: - field: zeek.notice.id.resp_h - target_field: destination.address - ignore_missing: true - - rename: - field: zeek.notice.id.resp_p - target_field: destination.port - ignore_missing: true - - rename: - field: zeek.notice.uid - target_field: zeek.session_id - ignore_missing: true - - set: - field: event.id - copy_from: zeek.session_id - if: ctx.zeek.session_id != null - - rename: - field: zeek.notice.src - target_field: source.address - ignore_missing: true - if: ctx?.source?.address == null - - remove: - field: zeek.notice.src - ignore_missing: true - if: ctx?.zeek?.notice?.src == ctx?.source?.address - - rename: - field: zeek.notice.dst - 
target_field: destination.address - ignore_missing: true - if: ctx?.destination?.address == null - - remove: - field: zeek.notice.dst - ignore_missing: true - if: ctx?.zeek?.notice?.dst == ctx?.destination?.address - - rename: - field: zeek.notice.p - target_field: destination.port - ignore_missing: true - if: ctx?.destination?.port == null - - remove: - field: zeek.notice.p - ignore_missing: true - if: ctx?.zeek?.notice?.p == ctx?.destination?.port - - rename: - field: zeek.notice.conn - target_field: zeek.notice.connnection_id - ignore_missing: true - - rename: - field: zeek.notice.iconn - target_field: zeek.notice.icmp_id - ignore_missing: true - - rename: - field: zeek.notice.proto - target_field: network.transport - ignore_missing: true - - dot_expander: - path: zeek.notice - field: f.id - ignore_failure: true - - dot_expander: - path: zeek.notice - field: f.parent_id - ignore_failure: true - - dot_expander: - path: zeek.notice - field: f.source - ignore_failure: true - - dot_expander: - path: zeek.notice - field: f.is_orig - ignore_failure: true - - dot_expander: - path: zeek.notice - field: f.seen_bytes - ignore_failure: true - - dot_expander: - path: zeek.notice - field: f.total_bytes - ignore_failure: true - - rename: - field: zeek.notice.f.id - target_field: zeek.notice.file.id - ignore_missing: true - - rename: - field: zeek.notice.f.parent_id - target_field: zeek.notice.file.parent_id - ignore_missing: true - - rename: - field: zeek.notice.f.source - target_field: zeek.notice.file.source - ignore_missing: true - - rename: - field: zeek.notice.f.is_orig - target_field: zeek.notice.file.is_orig - ignore_missing: true - - rename: - field: zeek.notice.f.seen_bytes - target_field: zeek.notice.file.seen_bytes - ignore_missing: true - - rename: - field: zeek.notice.f.total_bytes - target_field: zeek.notice.file.total_bytes - ignore_missing: true - - rename: - field: zeek.notice.file_mime_type - target_field: zeek.notice.file.mime_type - ignore_missing: true - 
- set: - field: file.size - copy_from: zeek.notice.file.total_bytes - if: ctx?.zeek?.notice?.file?.total_bytes != null - - set: - field: file.mime_type - copy_from: zeek.notice.file.mime_type - if: ctx?.zeek?.notice?.file?.mime_type != null - - set: - field: rule.name - copy_from: zeek.notice.note - if: ctx?.zeek?.notice?.note != null - - set: - field: rule.description - copy_from: zeek.notice.msg - if: ctx?.zeek?.notice?.msg != null - - set: - field: source.ip - copy_from: source.address - if: ctx?.source?.address != null - - set: - field: destination.ip - copy_from: destination.address - if: ctx?.destination?.address != null - - date: - field: zeek.notice.ts - formats: - - UNIX - - ISO8601 - - remove: - field: zeek.notice.ts - - geoip: - field: destination.ip - target_field: destination.geo - ignore_missing: true - - geoip: - field: source.ip - target_field: source.geo - ignore_missing: true - - geoip: - database_file: GeoLite2-ASN.mmdb - field: source.ip - target_field: source.as - properties: - - asn - - organization_name - ignore_missing: true - - geoip: - database_file: GeoLite2-ASN.mmdb - field: destination.ip - target_field: destination.as - properties: - - asn - - organization_name - ignore_missing: true - - rename: - field: source.as.asn - target_field: source.as.number - ignore_missing: true - - rename: - field: source.as.organization_name - target_field: source.as.organization.name - ignore_missing: true - - rename: - field: destination.as.asn - target_field: destination.as.number - ignore_missing: true - - rename: - field: destination.as.organization_name - target_field: destination.as.organization.name - ignore_missing: true - - append: - field: related.ip - value: "{{source.ip}}" - if: "ctx?.source?.ip != null" - allow_duplicates: false - - append: - field: related.ip - value: "{{destination.ip}}" - if: "ctx?.destination?.ip != null" - allow_duplicates: false - - append: - field: event.type - value: allowed - if: "ctx?.zeek?.notice?.dropped == false" 
- - append: - field: event.type - value: denied - if: "ctx?.zeek?.notice?.dropped == true" - - community_id: - target_field: network.community_id - - remove: - field: - - zeek.notice.action - - zeek.notice.remote_location - - zeek.notice.f - ignore_missing: true - - remove: - field: event.original - if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" - ignore_failure: true - ignore_missing: true -on_failure: - - set: - field: error.message - value: "{{ _ingest.on_failure_message }}" diff --git a/packages/zeek/2.5.2/data_stream/notice/elasticsearch/ingest_pipeline/third-party.yml b/packages/zeek/2.5.2/data_stream/notice/elasticsearch/ingest_pipeline/third-party.yml deleted file mode 100755 index 5bc2247db2..0000000000 --- a/packages/zeek/2.5.2/data_stream/notice/elasticsearch/ingest_pipeline/third-party.yml +++ /dev/null @@ -1,39 +0,0 @@ ---- -description: Pipeline for parsing Zeek logs from third party api -processors: - - fingerprint: - fields: - - _temp_.result._cd - - _temp_.result._indextime - - _temp_.result._raw - - _temp_.result._time - - _temp_.result.host - - _temp_.result.source - target_field: '_id' - ignore_missing: true - - set: - field: event.original - copy_from: _temp_.result._raw - ignore_empty_value: true - - set: - field: host.name - copy_from: _temp_.result.host - ignore_empty_value: true - - set: - copy_from: _temp_.result.source - field: log.file.path - ignore_empty_value: true - - remove: - field: _temp_ - ignore_missing: true - - json: - field: event.original - target_field: _temp_ -on_failure: - - append: - field: error.message - value: >- - error in third party api pipeline: - error in [{{_ingest.on_failure_processor_type}}] processor{{#_ingest.on_failure_processor_tag}} - with tag [{{_ingest.on_failure_processor_tag }}]{{/_ingest.on_failure_processor_tag}} - {{ _ingest.on_failure_message }} 
diff --git a/packages/zeek/2.5.2/data_stream/notice/fields/agent.yml b/packages/zeek/2.5.2/data_stream/notice/fields/agent.yml
deleted file mode 100755
index ed1313d1b0..0000000000
--- a/packages/zeek/2.5.2/data_stream/notice/fields/agent.yml
+++ /dev/null
@@ -1,171 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: "Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on." - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: "The cloud account or organization id used to identify different entities in a multi-tenant environment.\nExamples: AWS account id, Google Cloud ORG Id, or other unique identifier." - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: "Container fields are used for meta information about the specific container that is the source of information.\nThese fields help correlate data based containers from any runtime." - type: group - fields: - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: "A host is defined as a general computing instance.\nECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes." - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: "Name of the domain of which the host is a member.\nFor example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider." - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: "Hostname of the host.\nIt normally contains what the `hostname` command returns on the host machine." - - name: id - level: core - type: keyword - ignore_above: 1024 - description: "Unique host id.\nAs hostname is not always unique, use values that are meaningful in your environment.\nExample: The current usage of `beat.name`." - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. 
- - name: name - level: core - type: keyword - ignore_above: 1024 - description: "Name of the host.\nIt can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use." - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: "Type of host.\nFor Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment." - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - diff --git a/packages/zeek/2.5.2/data_stream/notice/fields/base-fields.yml b/packages/zeek/2.5.2/data_stream/notice/fields/base-fields.yml deleted file mode 100755 index 0ac336f28c..0000000000 --- a/packages/zeek/2.5.2/data_stream/notice/fields/base-fields.yml +++ /dev/null 
@@ -1,20 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: event.module
- type: constant_keyword
- description: Event module
- value: zeek
-- name: event.dataset
- type: constant_keyword
- description: Event dataset
- value: zeek.notice
-- name: '@timestamp'
- type: date
- description: Event timestamp.
diff --git a/packages/zeek/2.5.2/data_stream/notice/fields/beats.yml b/packages/zeek/2.5.2/data_stream/notice/fields/beats.yml
deleted file mode 100755
index 470f5fae48..0000000000
--- a/packages/zeek/2.5.2/data_stream/notice/fields/beats.yml
+++ /dev/null
@@ -1,23 +0,0 @@
-- description: Unique container id.
- ignore_above: 1024
- name: container.id
- type: keyword
-- description: Type of Filebeat input.
- name: input.type
- type: keyword
-- description: Full path to the log file this event came from.
- example: /var/log/fun-times.log
- ignore_above: 1024
- name: log.file.path
- type: keyword
-- description: Flags for the log file.
- name: log.flags
- type: keyword
-- description: Offset of the entry in the log file.
- name: log.offset
- type: long
-- description: List of keywords used to tag each event.
- example: '["production", "env2"]'
- ignore_above: 1024
- name: tags
- type: keyword
diff --git a/packages/zeek/2.5.2/data_stream/notice/fields/ecs.yml b/packages/zeek/2.5.2/data_stream/notice/fields/ecs.yml
deleted file mode 100755
index b608072cb4..0000000000
--- a/packages/zeek/2.5.2/data_stream/notice/fields/ecs.yml
+++ /dev/null
@@ -1,174 +0,0 @@ -- description: |- - Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: destination.address - type: keyword -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: destination.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: destination.as.organization.name - type: keyword -- description: City name. - name: destination.geo.city_name - type: keyword -- description: Name of the continent. - name: destination.geo.continent_name - type: keyword -- description: Country ISO code. - name: destination.geo.country_iso_code - type: keyword -- description: Country name. - name: destination.geo.country_name - type: keyword -- description: Longitude and latitude. - name: destination.geo.location - type: geo_point -- description: |- - User-defined description of a location, at the level of granularity they care about. - Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. - Not typically used in automated geolocation. - name: destination.geo.name - type: keyword -- description: Region ISO code. - name: destination.geo.region_iso_code - type: keyword -- description: Region name. - name: destination.geo.region_name - type: keyword -- description: IP address of the destination (IPv4 or IPv6). - name: destination.ip - type: ip -- description: Port of the destination. - name: destination.port - type: long -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. 
- When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: Error message. - name: error.message - type: match_only_text -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. This will allow proper categorization of some events that fall in multiple categories. - name: event.category - normalize: - - array - type: keyword -- description: |- - event.created contains the date/time when the event was first read by an agent, or by your pipeline. - This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. - In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. - In case the two timestamps are identical, @timestamp should be used. - name: event.created - type: date -- description: Unique ID to describe the event. - name: event.id - type: keyword -- description: |- - Timestamp when an event arrived in the central data store. - This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. - In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. 
- name: event.ingested - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. - `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. This will allow proper categorization of some events that fall in multiple event types. - name: event.type - normalize: - - array - type: keyword -- description: MIME type should identify the format of the file or stream of bytes using https://www.iana.org/assignments/media-types/media-types.xhtml[IANA official types], where possible. When more than one type is applicable, the most specific type should be used. - name: file.mime_type - type: keyword -- description: |- - File size in bytes. - Only relevant when `file.type` is "file". - name: file.size - type: long -- description: Host ip addresses. - name: host.ip - normalize: - - array - type: ip -- description: |- - A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. - Learn more at https://github.com/corelight/community-id-spec. 
- name: network.community_id - type: keyword -- description: |- - Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) - The field value must be normalized to lowercase for querying. - name: network.transport - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - normalize: - - array - type: ip -- description: The description of the rule generating the event. - name: rule.description - type: keyword -- description: The name of the rule or signature generating the event. - name: rule.name - type: keyword -- description: |- - Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: source.address - type: keyword -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: source.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: source.as.organization.name - type: keyword -- description: City name. - name: source.geo.city_name - type: keyword -- description: Name of the continent. - name: source.geo.continent_name - type: keyword -- description: Country ISO code. - name: source.geo.country_iso_code - type: keyword -- description: Country name. - name: source.geo.country_name - type: keyword -- description: Longitude and latitude. - name: source.geo.location - type: geo_point -- description: |- - User-defined description of a location, at the level of granularity they care about. - Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. - Not typically used in automated geolocation. 
- name: source.geo.name - type: keyword -- description: Region ISO code. - name: source.geo.region_iso_code - type: keyword -- description: Region name. - name: source.geo.region_name - type: keyword -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: Port of the source. - name: source.port - type: long diff --git a/packages/zeek/2.5.2/data_stream/notice/fields/fields.yml b/packages/zeek/2.5.2/data_stream/notice/fields/fields.yml deleted file mode 100755 index 52e50fa4da..0000000000 --- a/packages/zeek/2.5.2/data_stream/notice/fields/fields.yml +++ /dev/null 
@@ -1,107 +0,0 @@ -- name: zeek.notice - type: group - fields: - - name: connection_id - type: keyword - description: | - Identifier of the related connection session. - - name: icmp_id - type: keyword - description: | - Identifier of the related ICMP session. - - name: file.id - type: keyword - description: | - An identifier associated with a single file that is related to this notice. - - name: file.parent_id - type: keyword - description: | - Identifier associated with a container file from which this one was extracted. - - name: file.source - type: keyword - description: | - An identification of the source of the file data. E.g. it may be a network protocol - over which it was transferred, or a local file path which was read, or some other - input source. - - name: file.mime_type - type: keyword - description: | - A mime type if the notice is related to a file. - - name: file.is_orig - type: boolean - description: | - If the source of this file is a network connection, this field indicates if the file is - being sent by the originator of the connection or the responder. - - name: file.seen_bytes - type: long - description: | - Number of bytes provided to the file analysis engine for the file. - - name: ffile.total_bytes - type: long - description: | - Total number of bytes that are supposed to comprise the full file. - - name: file.missing_bytes - type: long - description: | - The number of bytes in the file stream that were completely missed during the process - of analysis. - - name: file.overflow_bytes - type: long - description: | - The number of bytes in the file stream that were not delivered to stream file analyzers. - This could be overlapping bytes or bytes that couldn't be reassembled. - - name: fuid - type: keyword - description: | - A file unique ID if this notice is related to a file. - - name: note - type: keyword - description: | - The type of the notice. - - name: msg - type: keyword - description: | - The human readable message for the notice. 
- - name: sub - type: keyword - description: | - The human readable sub-message. - - name: "n" - type: long - description: | - Associated count, or a status code. - - name: peer_name - type: keyword - description: | - Name of remote peer that raised this notice. - - name: peer_descr - type: text - description: | - Textual description for the peer that raised this notice. - - name: actions - type: keyword - description: | - The actions which have been applied to this notice. - - name: email_body_sections - type: text - description: | - By adding chunks of text into this element, other scripts can expand on notices - that are being emailed. - - name: email_delay_tokens - type: keyword - description: | - Adding a string token to this set will cause the built-in emailing functionality - to delay sending the email either the token has been removed or the email - has been delayed for the specified time duration. - - name: identifier - type: keyword - description: | - This field is provided when a notice is generated for the purpose of deduplicating notices. - - name: suppress_for - type: double - description: | - This field indicates the length of time that this unique notice should be suppressed. - - name: dropped - type: boolean - description: | - Indicate if the source IP address was dropped and denied network access. diff --git a/packages/zeek/2.5.2/data_stream/notice/fields/package-fields.yml b/packages/zeek/2.5.2/data_stream/notice/fields/package-fields.yml deleted file mode 100755 index 4d6d6ea170..0000000000 --- a/packages/zeek/2.5.2/data_stream/notice/fields/package-fields.yml +++ /dev/null @@ -1,7 +0,0 @@ -- name: zeek - type: group - fields: - - name: session_id - type: keyword - description: | - A unique identifier of the session diff --git a/packages/zeek/2.5.2/data_stream/notice/manifest.yml b/packages/zeek/2.5.2/data_stream/notice/manifest.yml deleted file mode 100755 index 59afd2ab57..0000000000 
--- a/packages/zeek/2.5.2/data_stream/notice/manifest.yml
+++ /dev/null
@@ -1,85 +0,0 @@ -type: logs -title: Zeek notice logs -streams: - - input: logfile - vars: - - name: filenames - type: text - title: Filename of notice log file - multi: true - required: true - show_user: true - default: - - notice.log - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: false - default: - - forwarded - - zeek-notice - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original` - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: > - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. - - template_path: log.yml.hbs - title: Zeek notice.log - description: Collect Zeek notice logs - - input: httpjson - title: Zeek notice logs via Splunk Enterprise REST API - description: Collect Zeek notice logs via Splunk Enterprise REST API - enabled: false - template_path: httpjson.yml.hbs - vars: - - name: interval - type: text - title: Interval to query Splunk Enterprise REST API - description: Go Duration syntax (eg. 
10s) - show_user: true - required: true - default: 10s - - name: search - type: text - title: Splunk search string - show_user: true - required: true - default: "search sourcetype=\"notice-*\"" - - name: tags - type: text - title: Tags - multi: true - show_user: false - default: - - forwarded - - zeek-notice - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original` - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: >- - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. diff --git a/packages/zeek/2.5.2/data_stream/ntlm/agent/stream/httpjson.yml.hbs b/packages/zeek/2.5.2/data_stream/ntlm/agent/stream/httpjson.yml.hbs deleted file mode 100755 index 33f251e7d6..0000000000 --- a/packages/zeek/2.5.2/data_stream/ntlm/agent/stream/httpjson.yml.hbs +++ /dev/null 
@@ -1,63 +0,0 @@ -config_version: 2 -interval: {{interval}} -{{#unless token}} -{{#if username}} -{{#if password}} -auth.basic.user: {{username}} -auth.basic.password: {{password}} -{{/if}} -{{/if}} -{{/unless}} -cursor: - index_earliest: - value: '[[.last_event.result.max_indextime]]' -request.url: {{url}}/services/search/jobs/export -{{#if ssl}} -request.ssl: {{ssl}} -{{/if}} -request.method: POST -request.transforms: - - set: - target: url.params.search - value: {{search}} | streamstats max(_indextime) AS max_indextime - - set: - target: url.params.output_mode - value: "json" - - set: - target: url.params.index_earliest - value: '[[ .cursor.index_earliest ]]' - default: '[[(now (parseDuration "-{{interval}}")).Unix]]' - - set: - target: url.params.index_latest - value: '[[(now).Unix]]' - - set: - target: header.Content-Type - value: application/x-www-form-urlencoded -{{#unless username}} -{{#unless password}} -{{#if token}} - - set: - target: header.Authorization - value: {{token}} -{{/if}} -{{/unless}} -{{/unless}} -response.decode_as: application/x-ndjson -response.split: - target: body.result._raw - type: string - delimiter: "\n" -tags: -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#each tags as |tag i|}} - - {{tag}} -{{/each}} -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} -{{#if processors}} -processors: -{{processors}} -{{/if}} diff --git a/packages/zeek/2.5.2/data_stream/ntlm/agent/stream/log.yml.hbs b/packages/zeek/2.5.2/data_stream/ntlm/agent/stream/log.yml.hbs deleted file mode 100755 index 9dd9f724a5..0000000000 --- a/packages/zeek/2.5.2/data_stream/ntlm/agent/stream/log.yml.hbs +++ /dev/null 
@@ -1,21 +0,0 @@ -paths: -{{#each base_paths}} - {{#each ../filenames}} - - {{../this}}/{{this}} - {{/each}} -{{/each}} -exclude_files: [".gz$"] -tags: -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#each tags as |tag i|}} - - {{tag}} -{{/each}} -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} -{{#if processors}} -processors: -{{processors}} -{{/if}} diff --git a/packages/zeek/2.5.2/data_stream/ntlm/elasticsearch/ingest_pipeline/default.yml b/packages/zeek/2.5.2/data_stream/ntlm/elasticsearch/ingest_pipeline/default.yml deleted file mode 100755 index 8ef39ad970..0000000000 --- a/packages/zeek/2.5.2/data_stream/ntlm/elasticsearch/ingest_pipeline/default.yml +++ /dev/null 
@@ -1,206 +0,0 @@ ---- -description: Pipeline for normalizing Zeek ntlm.log -processors: - - rename: - field: message - target_field: event.original - - json: - field: event.original - target_field: _temp_ - - pipeline: - if: ctx?._temp_?.result != null - name: '{{ IngestPipeline "third-party" }}' - - drop: - description: Drop if no timestamp (invalid json) - if: 'ctx?._temp_?.ts == null' - - rename: - field: _temp_ - target_field: zeek.ntlm - -# Sets event.created from the @timestamp field generated by filebeat before being overwritten further down - - set: - field: event.created - copy_from: "@timestamp" - - set: - field: event.kind - value: event - - set: - field: ecs.version - value: '8.4.0' - - append: - field: event.category - value: network - - append: - field: event.category - value: authentication - - append: - field: event.type - value: connection - - append: - field: event.type - value: info - - set: - field: network.transport - value: tcp - - set: - field: network.protocol - value: ntlm - - dot_expander: - path: zeek.ntlm - field: id.orig_p - ignore_failure: true - - dot_expander: - path: zeek.ntlm - field: id.orig_h - ignore_failure: true - - dot_expander: - path: zeek.ntlm - field: id.resp_h - ignore_failure: true - - dot_expander: - path: zeek.ntlm - field: id.resp_p - ignore_failure: true - - rename: - field: zeek.ntlm.id.orig_h - target_field: source.address - ignore_missing: true - - rename: - field: zeek.ntlm.id.orig_p - target_field: source.port - ignore_missing: true - - rename: - field: zeek.ntlm.id.resp_h - target_field: destination.address - ignore_missing: true - - rename: - field: zeek.ntlm.id.resp_p - target_field: destination.port - ignore_missing: true - - rename: - field: zeek.ntlm.uid - target_field: zeek.session_id - ignore_missing: true - - rename: - field: zeek.ntlm.domainname - target_field: zeek.ntlm.domain - ignore_missing: true - - rename: - field: zeek.ntlm.server_dns_computer_name - target_field: zeek.ntlm.server.name.dns - 
ignore_missing: true - - rename: - field: zeek.ntlm.server_nb_computer_name - target_field: zeek.ntlm.server.name.netbios - ignore_missing: true - - rename: - field: zeek.ntlm.server_tree_name - target_field: zeek.ntlm.server.name.tree - ignore_missing: true - - set: - field: user.name - copy_from: zeek.ntlm.username - if: ctx?.zeek?.ntlm?.username != null - - set: - field: user.domain - copy_from: zeek.ntlm.domain - if: ctx?.zeek?.ntlm?.domain != null - - set: - field: event.id - copy_from: zeek.session_id - if: ctx.zeek.session_id != null - - set: - field: source.ip - copy_from: source.address - if: ctx?.source?.address != null - - set: - field: destination.ip - copy_from: destination.address - if: ctx?.destination?.address != null - - set: - field: event.outcome - value: success - if: ctx?.zeek?.ntlm?.success == true - - set: - field: event.outcome - value: failure - if: ctx?.zeek?.ntlm?.success == false - - date: - field: zeek.ntlm.ts - formats: - - UNIX - - ISO8601 - - remove: - field: zeek.ntlm.ts - - append: - field: related.ip - value: "{{source.ip}}" - if: "ctx?.source?.ip != null" - allow_duplicates: false - - append: - field: related.ip - value: "{{destination.ip}}" - if: "ctx?.destination?.ip != null" - allow_duplicates: false - - append: - field: related.user - value: "{{user.name}}" - if: "ctx?.user?.name != null" - allow_duplicates: false - - geoip: - field: destination.ip - target_field: destination.geo - ignore_missing: true - - geoip: - field: source.ip - target_field: source.geo - ignore_missing: true - - geoip: - database_file: GeoLite2-ASN.mmdb - field: source.ip - target_field: source.as - properties: - - asn - - organization_name - ignore_missing: true - - geoip: - database_file: GeoLite2-ASN.mmdb - field: destination.ip - target_field: destination.as - properties: - - asn - - organization_name - ignore_missing: true - - rename: - field: source.as.asn - target_field: source.as.number - ignore_missing: true - - rename: - field: 
source.as.organization_name - target_field: source.as.organization.name - ignore_missing: true - - rename: - field: destination.as.asn - target_field: destination.as.number - ignore_missing: true - - rename: - field: destination.as.organization_name - target_field: destination.as.organization.name - ignore_missing: true - - community_id: - target_field: network.community_id - - remove: - field: - - message - - json - - zeek.ntlm.id - ignore_missing: true - - remove: - field: event.original - if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" - ignore_failure: true - ignore_missing: true -on_failure: - - set: - field: error.message - value: "{{ _ingest.on_failure_message }}" diff --git a/packages/zeek/2.5.2/data_stream/ntlm/elasticsearch/ingest_pipeline/third-party.yml b/packages/zeek/2.5.2/data_stream/ntlm/elasticsearch/ingest_pipeline/third-party.yml deleted file mode 100755 index 5bc2247db2..0000000000 --- a/packages/zeek/2.5.2/data_stream/ntlm/elasticsearch/ingest_pipeline/third-party.yml +++ /dev/null 
@@ -1,39 +0,0 @@ ---- -description: Pipeline for parsing Zeek logs from third party api -processors: - - fingerprint: - fields: - - _temp_.result._cd - - _temp_.result._indextime - - _temp_.result._raw - - _temp_.result._time - - _temp_.result.host - - _temp_.result.source - target_field: '_id' - ignore_missing: true - - set: - field: event.original - copy_from: _temp_.result._raw - ignore_empty_value: true - - set: - field: host.name - copy_from: _temp_.result.host - ignore_empty_value: true - - set: - copy_from: _temp_.result.source - field: log.file.path - ignore_empty_value: true - - remove: - field: _temp_ - ignore_missing: true - - json: - field: event.original - target_field: _temp_ -on_failure: - - append: - field: error.message - value: >- - error in third party api pipeline: - error in [{{_ingest.on_failure_processor_type}}] processor{{#_ingest.on_failure_processor_tag}} - with tag [{{_ingest.on_failure_processor_tag }}]{{/_ingest.on_failure_processor_tag}} - {{ _ingest.on_failure_message }} diff --git a/packages/zeek/2.5.2/data_stream/ntlm/fields/agent.yml b/packages/zeek/2.5.2/data_stream/ntlm/fields/agent.yml deleted file mode 100755 index ed1313d1b0..0000000000 --- a/packages/zeek/2.5.2/data_stream/ntlm/fields/agent.yml +++ /dev/null 
@@ -1,171 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: "Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on." - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: "The cloud account or organization id used to identify different entities in a multi-tenant environment.\nExamples: AWS account id, Google Cloud ORG Id, or other unique identifier." - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: "Container fields are used for meta information about the specific container that is the source of information.\nThese fields help correlate data based containers from any runtime." - type: group - fields: - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: "A host is defined as a general computing instance.\nECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes." - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: "Name of the domain of which the host is a member.\nFor example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider." - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: "Hostname of the host.\nIt normally contains what the `hostname` command returns on the host machine." - - name: id - level: core - type: keyword - ignore_above: 1024 - description: "Unique host id.\nAs hostname is not always unique, use values that are meaningful in your environment.\nExample: The current usage of `beat.name`." - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. 
- - name: name - level: core - type: keyword - ignore_above: 1024 - description: "Name of the host.\nIt can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use." - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: "Type of host.\nFor Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment." - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - diff --git a/packages/zeek/2.5.2/data_stream/ntlm/fields/base-fields.yml b/packages/zeek/2.5.2/data_stream/ntlm/fields/base-fields.yml deleted file mode 100755 index c337a76049..0000000000 --- a/packages/zeek/2.5.2/data_stream/ntlm/fields/base-fields.yml +++ /dev/null 
@@ -1,20 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: event.module - type: constant_keyword - description: Event module - value: zeek -- name: event.dataset - type: constant_keyword - description: Event dataset - value: zeek.ntlm -- name: '@timestamp' - type: date - description: Event timestamp. diff --git a/packages/zeek/2.5.2/data_stream/ntlm/fields/beats.yml b/packages/zeek/2.5.2/data_stream/ntlm/fields/beats.yml deleted file mode 100755 index 470f5fae48..0000000000 --- a/packages/zeek/2.5.2/data_stream/ntlm/fields/beats.yml +++ /dev/null @@ -1,23 +0,0 @@ -- description: Unique container id. - ignore_above: 1024 - name: container.id - type: keyword -- description: Type of Filebeat input. - name: input.type - type: keyword -- description: Full path to the log file this event came from. - example: /var/log/fun-times.log - ignore_above: 1024 - name: log.file.path - type: keyword -- description: Flags for the log file. - name: log.flags - type: keyword -- description: Offset of the entry in the log file. - name: log.offset - type: long -- description: List of keywords used to tag each event. - example: '["production", "env2"]' - ignore_above: 1024 - name: tags - type: keyword diff --git a/packages/zeek/2.5.2/data_stream/ntlm/fields/ecs.yml b/packages/zeek/2.5.2/data_stream/ntlm/fields/ecs.yml deleted file mode 100755 index c8ea0c0b83..0000000000 --- a/packages/zeek/2.5.2/data_stream/ntlm/fields/ecs.yml +++ /dev/null 
@@ -1,195 +0,0 @@ -- description: |- - Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: destination.address - type: keyword -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: destination.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: destination.as.organization.name - type: keyword -- description: City name. - name: destination.geo.city_name - type: keyword -- description: Name of the continent. - name: destination.geo.continent_name - type: keyword -- description: Country ISO code. - name: destination.geo.country_iso_code - type: keyword -- description: Country name. - name: destination.geo.country_name - type: keyword -- description: Longitude and latitude. - name: destination.geo.location - type: geo_point -- description: |- - User-defined description of a location, at the level of granularity they care about. - Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. - Not typically used in automated geolocation. - name: destination.geo.name - type: keyword -- description: Region ISO code. - name: destination.geo.region_iso_code - type: keyword -- description: Region name. - name: destination.geo.region_name - type: keyword -- description: IP address of the destination (IPv4 or IPv6). - name: destination.ip - type: ip -- description: Port of the destination. - name: destination.port - type: long -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. 
- When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: Error message. - name: error.message - type: match_only_text -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. This will allow proper categorization of some events that fall in multiple categories. - name: event.category - normalize: - - array - type: keyword -- description: |- - event.created contains the date/time when the event was first read by an agent, or by your pipeline. - This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. - In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. - In case the two timestamps are identical, @timestamp should be used. - name: event.created - type: date -- description: Unique ID to describe the event. - name: event.id - type: keyword -- description: |- - Timestamp when an event arrived in the central data store. - This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. - In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. 
- name: event.ingested - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. - `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. - Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. - Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. - Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. - name: event.outcome - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. - `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. 
This will allow proper categorization of some events that fall in multiple event types. - name: event.type - normalize: - - array - type: keyword -- description: Full path to the file, including the file name. It should include the drive letter, when appropriate. - multi_fields: - - name: text - type: match_only_text - name: file.path - type: keyword -- description: Host ip addresses. - name: host.ip - normalize: - - array - type: ip -- description: |- - A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. - Learn more at https://github.com/corelight/community-id-spec. - name: network.community_id - type: keyword -- description: |- - In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. - The field value must be normalized to lowercase for querying. - name: network.protocol - type: keyword -- description: |- - Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) - The field value must be normalized to lowercase for querying. - name: network.transport - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - normalize: - - array - type: ip -- description: All the user names or other user identifiers seen on the event. - name: related.user - normalize: - - array - type: keyword -- description: |- - Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: source.address - type: keyword -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: source.as.number - type: long -- description: Organization name. 
- multi_fields: - - name: text - type: match_only_text - name: source.as.organization.name - type: keyword -- description: City name. - name: source.geo.city_name - type: keyword -- description: Name of the continent. - name: source.geo.continent_name - type: keyword -- description: Country ISO code. - name: source.geo.country_iso_code - type: keyword -- description: Country name. - name: source.geo.country_name - type: keyword -- description: Longitude and latitude. - name: source.geo.location - type: geo_point -- description: |- - User-defined description of a location, at the level of granularity they care about. - Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. - Not typically used in automated geolocation. - name: source.geo.name - type: keyword -- description: Region ISO code. - name: source.geo.region_iso_code - type: keyword -- description: Region name. - name: source.geo.region_name - type: keyword -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: Port of the source. - name: source.port - type: long -- description: |- - Name of the directory the user is a member of. - For example, an LDAP or Active Directory domain name. - name: user.domain - type: keyword -- description: Short name or login of the user. - multi_fields: - - name: text - type: match_only_text - name: user.name - type: keyword diff --git a/packages/zeek/2.5.2/data_stream/ntlm/fields/fields.yml b/packages/zeek/2.5.2/data_stream/ntlm/fields/fields.yml deleted file mode 100755 index 42c05921af..0000000000 --- a/packages/zeek/2.5.2/data_stream/ntlm/fields/fields.yml +++ /dev/null 
@@ -1,37 +0,0 @@ -- name: zeek.ntlm - type: group - fields: - - name: domain - type: keyword - description: | - Domain name given by the client. - - name: hostname - type: keyword - description: | - Hostname given by the client. - - name: success - type: boolean - description: | - Indicate whether or not the authentication was successful. - - name: username - type: keyword - description: | - Username given by the client. - - name: server - type: group - fields: - - name: name - type: group - fields: - - name: dns - type: keyword - description: | - DNS name given by the server in a CHALLENGE. - - name: netbios - type: keyword - description: | - NetBIOS name given by the server in a CHALLENGE. - - name: tree - type: keyword - description: | - Tree name given by the server in a CHALLENGE. diff --git a/packages/zeek/2.5.2/data_stream/ntlm/fields/package-fields.yml b/packages/zeek/2.5.2/data_stream/ntlm/fields/package-fields.yml deleted file mode 100755 index 4d6d6ea170..0000000000 --- a/packages/zeek/2.5.2/data_stream/ntlm/fields/package-fields.yml +++ /dev/null @@ -1,7 +0,0 @@ -- name: zeek - type: group - fields: - - name: session_id - type: keyword - description: | - A unique identifier of the session diff --git a/packages/zeek/2.5.2/data_stream/ntlm/manifest.yml b/packages/zeek/2.5.2/data_stream/ntlm/manifest.yml deleted file mode 100755 index d56238fb0c..0000000000 --- a/packages/zeek/2.5.2/data_stream/ntlm/manifest.yml +++ /dev/null 
@@ -1,85 +0,0 @@ -type: logs -title: Zeek ntlm logs -streams: - - input: logfile - vars: - - name: filenames - type: text - title: Filename of ntlm log file - multi: true - required: true - show_user: true - default: - - ntlm.log - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: false - default: - - forwarded - - zeek-ntlm - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original` - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: > - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. - - template_path: log.yml.hbs - title: Zeek ntlm.log - description: Collect Zeek ntlm logs - - input: httpjson - title: Zeek ntlm logs via Splunk Enterprise REST API - description: Collect Zeek ntlm logs via Splunk Enterprise REST API - enabled: false - template_path: httpjson.yml.hbs - vars: - - name: interval - type: text - title: Interval to query Splunk Enterprise REST API - description: Go Duration syntax (eg. 
10s) - show_user: true - required: true - default: 10s - - name: search - type: text - title: Splunk search string - show_user: true - required: true - default: "search sourcetype=\"ntlm-*\"" - - name: tags - type: text - title: Tags - multi: true - show_user: false - default: - - forwarded - - zeek-ntlm - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original` - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: >- - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. diff --git a/packages/zeek/2.5.2/data_stream/ntp/agent/stream/httpjson.yml.hbs b/packages/zeek/2.5.2/data_stream/ntp/agent/stream/httpjson.yml.hbs deleted file mode 100755 index 33f251e7d6..0000000000 --- a/packages/zeek/2.5.2/data_stream/ntp/agent/stream/httpjson.yml.hbs +++ /dev/null 
@@ -1,63 +0,0 @@ -config_version: 2 -interval: {{interval}} -{{#unless token}} -{{#if username}} -{{#if password}} -auth.basic.user: {{username}} -auth.basic.password: {{password}} -{{/if}} -{{/if}} -{{/unless}} -cursor: - index_earliest: - value: '[[.last_event.result.max_indextime]]' -request.url: {{url}}/services/search/jobs/export -{{#if ssl}} -request.ssl: {{ssl}} -{{/if}} -request.method: POST -request.transforms: - - set: - target: url.params.search - value: {{search}} | streamstats max(_indextime) AS max_indextime - - set: - target: url.params.output_mode - value: "json" - - set: - target: url.params.index_earliest - value: '[[ .cursor.index_earliest ]]' - default: '[[(now (parseDuration "-{{interval}}")).Unix]]' - - set: - target: url.params.index_latest - value: '[[(now).Unix]]' - - set: - target: header.Content-Type - value: application/x-www-form-urlencoded -{{#unless username}} -{{#unless password}} -{{#if token}} - - set: - target: header.Authorization - value: {{token}} -{{/if}} -{{/unless}} -{{/unless}} -response.decode_as: application/x-ndjson -response.split: - target: body.result._raw - type: string - delimiter: "\n" -tags: -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#each tags as |tag i|}} - - {{tag}} -{{/each}} -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} -{{#if processors}} -processors: -{{processors}} -{{/if}} diff --git a/packages/zeek/2.5.2/data_stream/ntp/agent/stream/log.yml.hbs b/packages/zeek/2.5.2/data_stream/ntp/agent/stream/log.yml.hbs deleted file mode 100755 index 9dd9f724a5..0000000000 --- a/packages/zeek/2.5.2/data_stream/ntp/agent/stream/log.yml.hbs +++ /dev/null 
@@ -1,21 +0,0 @@ -paths: -{{#each base_paths}} - {{#each ../filenames}} - - {{../this}}/{{this}} - {{/each}} -{{/each}} -exclude_files: [".gz$"] -tags: -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#each tags as |tag i|}} - - {{tag}} -{{/each}} -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} -{{#if processors}} -processors: -{{processors}} -{{/if}} diff --git a/packages/zeek/2.5.2/data_stream/ntp/elasticsearch/ingest_pipeline/default.yml b/packages/zeek/2.5.2/data_stream/ntp/elasticsearch/ingest_pipeline/default.yml deleted file mode 100755 index 173f0afc45..0000000000 --- a/packages/zeek/2.5.2/data_stream/ntp/elasticsearch/ingest_pipeline/default.yml +++ /dev/null 
@@ -1,193 +0,0 @@ ---- -description: Pipeline for normalizing Zeek conn.log -processors: - - rename: - field: message - target_field: event.original - - json: - field: event.original - target_field: _temp_ - - pipeline: - if: ctx?._temp_?.result != null - name: '{{ IngestPipeline "third-party" }}' - - drop: - description: Drop if no timestamp (invalid json) - if: 'ctx?._temp_?.ts == null' - - rename: - field: _temp_ - target_field: zeek.ntp - ignore_failure: true - -# Sets event.created from the @timestamp field generated by filebeat before being overwritten further down - - set: - field: event.created - copy_from: "@timestamp" - - set: - field: ecs.version - value: '8.4.0' - - set: - field: event.kind - value: event - - set: - field: event.category - value: network - - append: - field: event.type - value: - - connection - - protocol - - info - allow_duplicates: false - - dot_expander: - path: zeek.ntp - field: id.orig_p - ignore_failure: true - - dot_expander: - path: zeek.ntp - field: id.orig_h - ignore_failure: true - - dot_expander: - path: zeek.ntp - field: id.resp_h - ignore_failure: true - - dot_expander: - path: zeek.ntp - field: id.resp_p - ignore_failure: true - - rename: - field: zeek.ntp.id.orig_h - target_field: source.address - ignore_missing: true - - rename: - field: zeek.ntp.id.orig_p - target_field: source.port - ignore_missing: true - - rename: - field: zeek.ntp.id.resp_h - target_field: destination.address - ignore_missing: true - - rename: - field: zeek.ntp.id.resp_p - target_field: destination.port - ignore_missing: true - - rename: - field: zeek.ntp.uid - target_field: zeek.session_id - ignore_missing: true - - set: - field: source.ip - copy_from: source.address - if: ctx?.source?.address != null - - set: - field: destination.ip - copy_from: destination.address - if: ctx?.destination?.address != null - - set: - field: network.transport - value: udp - - set: - field: network.protocol - value: ntp - - set: - field: network.type - value: ipv4 - 
if: ctx.source?.ip.contains('.') - - set: - field: network.type - value: ipv6 - if: ctx.source?.ip.contains(':') - - community_id: - ignore_missing: true - - date: - field: zeek.ntp.ts - formats: - - UNIX - - ISO8601 - - date: - field: zeek.ntp.ref_time - target_field: zeek.ntp.ref_time - formats: - - UNIX - - date: - field: zeek.ntp.org_time - target_field: zeek.ntp.org_time - formats: - - UNIX - - date: - field: zeek.ntp.rec_time - target_field: zeek.ntp.rec_time - formats: - - UNIX - - date: - field: zeek.ntp.xmt_time - target_field: zeek.ntp.xmt_time - formats: - - UNIX - - set: - field: event.id - copy_from: zeek.session_id - if: ctx.zeek.session_id != null - - append: - field: related.ip - value: "{{source.ip}}" - if: ctx?.source?.ip != null - allow_duplicates: false - - append: - field: related.ip - value: "{{destination.ip}}" - if: ctx?.destination?.ip != null - allow_duplicates: false - - geoip: - field: destination.ip - target_field: destination.geo - ignore_missing: true - - geoip: - field: source.ip - target_field: source.geo - ignore_missing: true - - geoip: - database_file: GeoLite2-ASN.mmdb - field: source.ip - target_field: source.as - properties: - - asn - - organization_name - ignore_missing: true - - geoip: - database_file: GeoLite2-ASN.mmdb - field: destination.ip - target_field: destination.as - properties: - - asn - - organization_name - ignore_missing: true - - rename: - field: source.as.asn - target_field: source.as.number - ignore_missing: true - - rename: - field: source.as.organization_name - target_field: source.as.organization.name - ignore_missing: true - - rename: - field: destination.as.asn - target_field: destination.as.number - ignore_missing: true - - rename: - field: destination.as.organization_name - target_field: destination.as.organization.name - ignore_missing: true - - remove: - field: - - zeek.ntp.id - - zeek.ntp.ts - ignore_missing: true - - remove: - field: event.original - if: "ctx?.tags == null || 
!(ctx.tags.contains('preserve_original_event'))" - ignore_failure: true - ignore_missing: true -on_failure: - - set: - field: error.message - value: "{{ _ingest.on_failure_message }}" diff --git a/packages/zeek/2.5.2/data_stream/ntp/elasticsearch/ingest_pipeline/third-party.yml b/packages/zeek/2.5.2/data_stream/ntp/elasticsearch/ingest_pipeline/third-party.yml deleted file mode 100755 index 5bc2247db2..0000000000 --- a/packages/zeek/2.5.2/data_stream/ntp/elasticsearch/ingest_pipeline/third-party.yml +++ /dev/null @@ -1,39 +0,0 @@ ---- -description: Pipeline for parsing Zeek logs from third party api -processors: - - fingerprint: - fields: - - _temp_.result._cd - - _temp_.result._indextime - - _temp_.result._raw - - _temp_.result._time - - _temp_.result.host - - _temp_.result.source - target_field: '_id' - ignore_missing: true - - set: - field: event.original - copy_from: _temp_.result._raw - ignore_empty_value: true - - set: - field: host.name - copy_from: _temp_.result.host - ignore_empty_value: true - - set: - copy_from: _temp_.result.source - field: log.file.path - ignore_empty_value: true - - remove: - field: _temp_ - ignore_missing: true - - json: - field: event.original - target_field: _temp_ -on_failure: - - append: - field: error.message - value: >- - error in third party api pipeline: - error in [{{_ingest.on_failure_processor_type}}] processor{{#_ingest.on_failure_processor_tag}} - with tag [{{_ingest.on_failure_processor_tag }}]{{/_ingest.on_failure_processor_tag}} - {{ _ingest.on_failure_message }} diff --git a/packages/zeek/2.5.2/data_stream/ntp/fields/agent.yml b/packages/zeek/2.5.2/data_stream/ntp/fields/agent.yml deleted file mode 100755 index ed1313d1b0..0000000000 --- a/packages/zeek/2.5.2/data_stream/ntp/fields/agent.yml +++ /dev/null 
@@ -1,171 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: "Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on." - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: "The cloud account or organization id used to identify different entities in a multi-tenant environment.\nExamples: AWS account id, Google Cloud ORG Id, or other unique identifier." - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: "Container fields are used for meta information about the specific container that is the source of information.\nThese fields help correlate data based containers from any runtime." - type: group - fields: - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: "A host is defined as a general computing instance.\nECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes." - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: "Name of the domain of which the host is a member.\nFor example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider." - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: "Hostname of the host.\nIt normally contains what the `hostname` command returns on the host machine." - - name: id - level: core - type: keyword - ignore_above: 1024 - description: "Unique host id.\nAs hostname is not always unique, use values that are meaningful in your environment.\nExample: The current usage of `beat.name`." - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. 
- - name: name - level: core - type: keyword - ignore_above: 1024 - description: "Name of the host.\nIt can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use." - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: "Type of host.\nFor Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment." - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - diff --git a/packages/zeek/2.5.2/data_stream/ntp/fields/base-fields.yml b/packages/zeek/2.5.2/data_stream/ntp/fields/base-fields.yml deleted file mode 100755 index 048a36b4f4..0000000000 --- a/packages/zeek/2.5.2/data_stream/ntp/fields/base-fields.yml +++ /dev/null 
@@ -1,20 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: event.module - type: constant_keyword - description: Event module - value: zeek -- name: event.dataset - type: constant_keyword - description: Event dataset - value: zeek.ntp -- name: '@timestamp' - type: date - description: Event timestamp. diff --git a/packages/zeek/2.5.2/data_stream/ntp/fields/beats.yml b/packages/zeek/2.5.2/data_stream/ntp/fields/beats.yml deleted file mode 100755 index 470f5fae48..0000000000 --- a/packages/zeek/2.5.2/data_stream/ntp/fields/beats.yml +++ /dev/null @@ -1,23 +0,0 @@ -- description: Unique container id. - ignore_above: 1024 - name: container.id - type: keyword -- description: Type of Filebeat input. - name: input.type - type: keyword -- description: Full path to the log file this event came from. - example: /var/log/fun-times.log - ignore_above: 1024 - name: log.file.path - type: keyword -- description: Flags for the log file. - name: log.flags - type: keyword -- description: Offset of the entry in the log file. - name: log.offset - type: long -- description: List of keywords used to tag each event. - example: '["production", "env2"]' - ignore_above: 1024 - name: tags - type: keyword diff --git a/packages/zeek/2.5.2/data_stream/ntp/fields/ecs.yml b/packages/zeek/2.5.2/data_stream/ntp/fields/ecs.yml deleted file mode 100755 index a452cfbcb3..0000000000 --- a/packages/zeek/2.5.2/data_stream/ntp/fields/ecs.yml +++ /dev/null 
@@ -1,216 +0,0 @@ -- description: |- - Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: destination.address - type: keyword -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: destination.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: destination.as.organization.name - type: keyword -- description: Bytes sent from the destination to the source. - name: destination.bytes - type: long -- description: City name. - name: destination.geo.city_name - type: keyword -- description: Name of the continent. - name: destination.geo.continent_name - type: keyword -- description: Country ISO code. - name: destination.geo.country_iso_code - type: keyword -- description: Country name. - name: destination.geo.country_name - type: keyword -- description: Longitude and latitude. - name: destination.geo.location - type: geo_point -- description: |- - User-defined description of a location, at the level of granularity they care about. - Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. - Not typically used in automated geolocation. - name: destination.geo.name - type: keyword -- description: Region ISO code. - name: destination.geo.region_iso_code - type: keyword -- description: Region name. - name: destination.geo.region_name - type: keyword -- description: IP address of the destination (IPv4 or IPv6). - name: destination.ip - type: ip -- description: |- - MAC address of the destination. 
- The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. - name: destination.mac - pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ - type: keyword -- description: Packets sent from the destination to the source. - name: destination.packets - type: long -- description: Port of the destination. - name: destination.port - type: long -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: Error message. - name: error.message - type: match_only_text -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. This will allow proper categorization of some events that fall in multiple categories. - name: event.category - normalize: - - array - type: keyword -- description: |- - event.created contains the date/time when the event was first read by an agent, or by your pipeline. - This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. - In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. 
This can be used to monitor your agent's or pipeline's ability to keep up with your event source. - In case the two timestamps are identical, @timestamp should be used. - name: event.created - type: date -- description: |- - Duration of the event in nanoseconds. - If event.start and event.end are known this value should be the difference between the end and start time. - name: event.duration - type: long -- description: Unique ID to describe the event. - name: event.id - type: keyword -- description: |- - Timestamp when an event arrived in the central data store. - This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. - In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. - name: event.ingested - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. - `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. 
This will allow proper categorization of some events that fall in multiple event types. - name: event.type - normalize: - - array - type: keyword -- description: Host ip addresses. - name: host.ip - normalize: - - array - type: ip -- description: |- - Total bytes transferred in both directions. - If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. - name: network.bytes - type: long -- description: |- - A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. - Learn more at https://github.com/corelight/community-id-spec. - name: network.community_id - type: keyword -- description: |- - Direction of the network traffic. - When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". - When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". - Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. - name: network.direction - type: keyword -- description: |- - Total packets transferred in both directions. - If `source.packets` and `destination.packets` are known, `network.packets` is their sum. - name: network.packets - type: long -- description: |- - In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. - The field value must be normalized to lowercase for querying. 
- name: network.protocol - type: keyword -- description: |- - Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) - The field value must be normalized to lowercase for querying. - name: network.transport - type: keyword -- description: |- - In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc - The field value must be normalized to lowercase for querying. - name: network.type - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - normalize: - - array - type: ip -- description: |- - Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: source.address - type: keyword -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: source.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: source.as.organization.name - type: keyword -- description: Bytes sent from the source to the destination. - name: source.bytes - type: long -- description: City name. - name: source.geo.city_name - type: keyword -- description: Name of the continent. - name: source.geo.continent_name - type: keyword -- description: Country ISO code. - name: source.geo.country_iso_code - type: keyword -- description: Country name. - name: source.geo.country_name - type: keyword -- description: Longitude and latitude. - name: source.geo.location - type: geo_point -- description: |- - User-defined description of a location, at the level of granularity they care about. - Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. 
- Not typically used in automated geolocation. - name: source.geo.name - type: keyword -- description: Region ISO code. - name: source.geo.region_iso_code - type: keyword -- description: Region name. - name: source.geo.region_name - type: keyword -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: |- - MAC address of the source. - The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. - name: source.mac - pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ - type: keyword -- description: Packets sent from the source to the destination. - name: source.packets - type: long -- description: Port of the source. - name: source.port - type: long diff --git a/packages/zeek/2.5.2/data_stream/ntp/fields/fields.yml b/packages/zeek/2.5.2/data_stream/ntp/fields/fields.yml deleted file mode 100755 index 022ae5dc50..0000000000 --- a/packages/zeek/2.5.2/data_stream/ntp/fields/fields.yml +++ /dev/null 
@@ -1,71 +0,0 @@ -- name: zeek.ntp - type: group - default_field: false - description: > - Fields exported by the Zeek NTP log. - - fields: - - name: version - type: integer - description: > - The NTP version number (1, 2, 3, 4). - - - name: mode - type: integer - description: > - The NTP mode being used. - - - name: stratum - type: integer - description: > - The stratum (primary server, secondary server, etc.). - - - name: poll - type: double - description: > - The maximum interval between successive messages in seconds. - - - name: precision - type: double - description: > - The precision of the system clock in seconds. - - - name: root_delay - type: double - description: > - Total round-trip delay to the reference clock in seconds. - - - name: root_disp - type: double - description: > - Total dispersion to the reference clock in seconds. - - - name: ref_id - type: keyword - description: > - For stratum 0, 4 character string used for debugging. For stratum 1, ID assigned to the reference clock by IANA. Above stratum 1, when using IPv4, the IP address of the reference clock. Note that the NTP protocol did not originally specify a large enough field to represent IPv6 addresses, so they use the first four bytes of the MD5 hash of the reference clock’s IPv6 address (i.e. an IPv4 address here is not necessarily IPv4). - - - name: ref_time - type: date - description: > - Time when the system clock was last set or correct. - - - name: org_time - type: date - description: > - Time at the client when the request departed for the NTP server. - - - name: rec_time - type: date - description: > - Time at the server when the request arrived from the NTP client. - - - name: xmt_time - type: date - description: > - Time at the server when the response departed for the NTP client. - - - name: num_exts - type: integer - description: >- - Number of extension fields (which are not currently parsed). 
diff --git a/packages/zeek/2.5.2/data_stream/ntp/fields/package-fields.yml b/packages/zeek/2.5.2/data_stream/ntp/fields/package-fields.yml deleted file mode 100755 index 4d6d6ea170..0000000000 --- a/packages/zeek/2.5.2/data_stream/ntp/fields/package-fields.yml +++ /dev/null @@ -1,7 +0,0 @@ -- name: zeek - type: group - fields: - - name: session_id - type: keyword - description: | - A unique identifier of the session diff --git a/packages/zeek/2.5.2/data_stream/ntp/manifest.yml b/packages/zeek/2.5.2/data_stream/ntp/manifest.yml deleted file mode 100755 index f450b993be..0000000000 --- a/packages/zeek/2.5.2/data_stream/ntp/manifest.yml +++ /dev/null 
@@ -1,85 +0,0 @@ -type: logs -title: Zeek ntp logs -streams: - - input: logfile - template_path: log.yml.hbs - title: Zeek conn.log - description: Collect Zeek ntp logs - vars: - - name: filenames - type: text - title: Filename of ntp log - multi: true - required: true - show_user: true - default: - - ntp.log - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: false - default: - - forwarded - - zeek-ntp - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original` - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: > - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. - - - input: httpjson - title: Zeek ntp logs via Splunk Enterprise REST API - description: Collect Zeek ntp logs via Splunk Enterprise REST API - enabled: false - template_path: httpjson.yml.hbs - vars: - - name: interval - type: text - title: Interval to query Splunk Enterprise REST API - description: Go Duration syntax (eg. 
10s) - show_user: true - required: true - default: 10s - - name: search - type: text - title: Splunk search string - show_user: true - required: true - default: "search sourcetype=\"ntp-*\"" - - name: tags - type: text - title: Tags - multi: true - show_user: false - default: - - forwarded - - zeek-ntp - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original` - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: >- - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. diff --git a/packages/zeek/2.5.2/data_stream/ocsp/agent/stream/httpjson.yml.hbs b/packages/zeek/2.5.2/data_stream/ocsp/agent/stream/httpjson.yml.hbs deleted file mode 100755 index 33f251e7d6..0000000000 --- a/packages/zeek/2.5.2/data_stream/ocsp/agent/stream/httpjson.yml.hbs +++ /dev/null 
@@ -1,63 +0,0 @@ -config_version: 2 -interval: {{interval}} -{{#unless token}} -{{#if username}} -{{#if password}} -auth.basic.user: {{username}} -auth.basic.password: {{password}} -{{/if}} -{{/if}} -{{/unless}} -cursor: - index_earliest: - value: '[[.last_event.result.max_indextime]]' -request.url: {{url}}/services/search/jobs/export -{{#if ssl}} -request.ssl: {{ssl}} -{{/if}} -request.method: POST -request.transforms: - - set: - target: url.params.search - value: {{search}} | streamstats max(_indextime) AS max_indextime - - set: - target: url.params.output_mode - value: "json" - - set: - target: url.params.index_earliest - value: '[[ .cursor.index_earliest ]]' - default: '[[(now (parseDuration "-{{interval}}")).Unix]]' - - set: - target: url.params.index_latest - value: '[[(now).Unix]]' - - set: - target: header.Content-Type - value: application/x-www-form-urlencoded -{{#unless username}} -{{#unless password}} -{{#if token}} - - set: - target: header.Authorization - value: {{token}} -{{/if}} -{{/unless}} -{{/unless}} -response.decode_as: application/x-ndjson -response.split: - target: body.result._raw - type: string - delimiter: "\n" -tags: -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#each tags as |tag i|}} - - {{tag}} -{{/each}} -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} -{{#if processors}} -processors: -{{processors}} -{{/if}} diff --git a/packages/zeek/2.5.2/data_stream/ocsp/agent/stream/log.yml.hbs b/packages/zeek/2.5.2/data_stream/ocsp/agent/stream/log.yml.hbs deleted file mode 100755 index 30e7049925..0000000000 --- a/packages/zeek/2.5.2/data_stream/ocsp/agent/stream/log.yml.hbs +++ /dev/null 
@@ -1,21 +0,0 @@
-paths:
-{{#each base_paths}}
- {{#each ../filenames}}
- - {{../this}}/{{this}}
- {{/each}}
-{{/each}}
-exclude_files: [".gz$"]
-tags:
-{{#if preserve_original_event}}
- - preserve_original_event
-{{/if}}
-{{#each tags as |tag i|}}
- - {{tag}}
-{{/each}}
-{{#contains "forwarded" tags}}
-publisher_pipeline.disable_host: true
-{{/contains}}
-{{#if processors}}
-processors:
-{{processors}}
-{{/if}}
\ No newline at end of file
diff --git a/packages/zeek/2.5.2/data_stream/ocsp/elasticsearch/ingest_pipeline/default.yml b/packages/zeek/2.5.2/data_stream/ocsp/elasticsearch/ingest_pipeline/default.yml
deleted file mode 100755
index 6eeeecda49..0000000000
--- a/packages/zeek/2.5.2/data_stream/ocsp/elasticsearch/ingest_pipeline/default.yml
+++ /dev/null
@@ -1,119 +0,0 @@
----
-description: Pipeline for normalizing Zeek ocsp.log
-processors:
- - rename:
- field: message
- target_field: event.original
- - json:
- field: event.original
- target_field: _temp_
- - pipeline:
- if: ctx?._temp_?.result != null
- name: '{{ IngestPipeline "third-party" }}'
- - drop:
- description: Drop if no timestamp (invalid json)
- if: 'ctx?._temp_?.ts == null'
- - rename:
- field: _temp_
- target_field: zeek.ocsp
-
-# Sets event.created from the @timestamp field generated by filebeat before being overwritten further down
- - set:
- field: event.created
- copy_from: "@timestamp"
- - set:
- field: event.kind
- value: event
- - set:
- field: ecs.version
- value: '8.4.0'
- - set:
- field: network.transport
- value: tcp
- - rename:
- field: zeek.ocsp.id
- target_field: zeek.ocsp.file_id
- ignore_missing: true
- - rename:
- field: zeek.ocsp.hashAlgorithm
- target_field: zeek.ocsp.hash.algorithm
- ignore_missing: true
- - rename:
- field: zeek.ocsp.issuerNameHash
- target_field: zeek.ocsp.hash.issuer.name
- ignore_missing: true
- - rename:
- field: zeek.ocsp.issuerKeyHash
- target_field: zeek.ocsp.hash.issuer.key
- ignore_missing: true
- - rename:
- field: zeek.ocsp.serialNumber
- target_field: zeek.ocsp.serial_number
- ignore_missing: true
- - rename:
- field: zeek.ocsp.certStatus
- target_field: zeek.ocsp.status
- ignore_missing: true
- - rename:
- field: zeek.ocsp.revoketime
- target_field: zeek.ocsp.revoke.date
- ignore_missing: true
- - rename:
- field: zeek.ocsp.revokereason
- target_field: zeek.ocsp.revoke.reason
- ignore_missing: true
- - rename:
- field: zeek.ocsp.thisUpdate
- target_field: zeek.ocsp.update.this
- ignore_missing: true
- - rename:
- field: zeek.ocsp.nextUpdate
- target_field: zeek.ocsp.update.next
- ignore_missing: true
- - date:
- field: zeek.ocsp.ts
- formats:
- - UNIX
- - ISO8601
- - remove:
- field: zeek.ocsp.ts
- - date:
- field: zeek.ocsp.revoke.date
- target_field: zeek.ocsp.revoke.date
- formats:
- - UNIX
- - ISO8601
- if: ctx.zeek.ocsp.revoke?.date != null
- - date:
- field: zeek.ocsp.update.this
- target_field: zeek.ocsp.update.this
- formats:
- - UNIX
- - ISO8601
- if: ctx.zeek.ocsp.update?.this != null
- - date:
- field: zeek.ocsp.update.next
- target_field: zeek.ocsp.update.next
- formats:
- - UNIX
- - ISO8601
- if: ctx.zeek.ocsp.update?.next != null
- - append:
- field: related.hash
- value: "{{zeek.ocsp.issuerNameHash}}"
- if: "ctx?.zeek?.ocsp?.issuerNameHash != null"
- allow_duplicates: false
- - append:
- field: related.hash
- value: "{{zeek.ocsp.issuerKeyHash}}"
- if: "ctx?.zeek?.ocsp?.issuerKeyHash != null"
- allow_duplicates: false
- - remove:
- field: event.original
- if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))"
- ignore_failure: true
- ignore_missing: true
-on_failure:
- - set:
- field: error.message
- value: "{{ _ingest.on_failure_message }}"
diff --git a/packages/zeek/2.5.2/data_stream/ocsp/elasticsearch/ingest_pipeline/third-party.yml b/packages/zeek/2.5.2/data_stream/ocsp/elasticsearch/ingest_pipeline/third-party.yml
deleted file mode 100755
index 5bc2247db2..0000000000
--- a/packages/zeek/2.5.2/data_stream/ocsp/elasticsearch/ingest_pipeline/third-party.yml
+++ /dev/null
@@ -1,39 +0,0 @@
----
-description: Pipeline for parsing Zeek logs from third party api
-processors:
- - fingerprint:
- fields:
- - _temp_.result._cd
- - _temp_.result._indextime
- - _temp_.result._raw
- - _temp_.result._time
- - _temp_.result.host
- - _temp_.result.source
- target_field: '_id'
- ignore_missing: true
- - set:
- field: event.original
- copy_from: _temp_.result._raw
- ignore_empty_value: true
- - set:
- field: host.name
- copy_from: _temp_.result.host
- ignore_empty_value: true
- - set:
- copy_from: _temp_.result.source
- field: log.file.path
- ignore_empty_value: true
- - remove:
- field: _temp_
- ignore_missing: true
- - json:
- field: event.original
- target_field: _temp_
-on_failure:
- - append:
- field: error.message
- value: >-
- error in third party api pipeline:
- error in [{{_ingest.on_failure_processor_type}}] processor{{#_ingest.on_failure_processor_tag}}
- with tag [{{_ingest.on_failure_processor_tag }}]{{/_ingest.on_failure_processor_tag}}
- {{ _ingest.on_failure_message }}
diff --git a/packages/zeek/2.5.2/data_stream/ocsp/fields/agent.yml b/packages/zeek/2.5.2/data_stream/ocsp/fields/agent.yml
deleted file mode 100755
index ed1313d1b0..0000000000
--- a/packages/zeek/2.5.2/data_stream/ocsp/fields/agent.yml
+++ /dev/null
@@ -1,171 +0,0 @@
-- name: cloud
- title: Cloud
- group: 2
- description: Fields related to the cloud or infrastructure the events are coming from.
- footnote: "Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on."
- type: group
- fields:
- - name: account.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: "The cloud account or organization id used to identify different entities in a multi-tenant environment.\nExamples: AWS account id, Google Cloud ORG Id, or other unique identifier."
- example: 666777888999
- - name: availability_zone
- level: extended
- type: keyword
- ignore_above: 1024
- description: Availability zone in which this host is running.
- example: us-east-1c
- - name: instance.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance ID of the host machine.
- example: i-1234567890abcdef0
- - name: instance.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance name of the host machine.
- - name: machine.type
- level: extended
- type: keyword
- ignore_above: 1024
- description: Machine type of the host machine.
- example: t2.medium
- - name: provider
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
- example: aws
- - name: region
- level: extended
- type: keyword
- ignore_above: 1024
- description: Region in which this host is running.
- example: us-east-1
- - name: project.id
- type: keyword
- description: Name of the project in Google Cloud.
- - name: image.id
- type: keyword
- description: Image ID for the cloud instance.
-- name: container
- title: Container
- group: 2
- description: "Container fields are used for meta information about the specific container that is the source of information.\nThese fields help correlate data based containers from any runtime."
- type: group
- fields:
- - name: image.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the image the container was built on.
- - name: labels
- level: extended
- type: object
- object_type: keyword
- description: Image labels.
- - name: name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Container name.
-- name: host
- title: Host
- group: 2
- description: "A host is defined as a general computing instance.\nECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes."
- type: group
- fields:
- - name: architecture
- level: core
- type: keyword
- ignore_above: 1024
- description: Operating system architecture.
- example: x86_64
- - name: domain
- level: extended
- type: keyword
- ignore_above: 1024
- description: "Name of the domain of which the host is a member.\nFor example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider."
- example: CONTOSO
- default_field: false
- - name: hostname
- level: core
- type: keyword
- ignore_above: 1024
- description: "Hostname of the host.\nIt normally contains what the `hostname` command returns on the host machine."
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: "Unique host id.\nAs hostname is not always unique, use values that are meaningful in your environment.\nExample: The current usage of `beat.name`."
- - name: mac
- level: core
- type: keyword
- ignore_above: 1024
- description: Host mac addresses.
- - name: name
- level: core
- type: keyword
- ignore_above: 1024
- description: "Name of the host.\nIt can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use."
- - name: os.family
- level: extended
- type: keyword
- ignore_above: 1024
- description: OS family (such as redhat, debian, freebsd, windows).
- example: debian
- - name: os.kernel
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system kernel version as a raw string.
- example: 4.4.0-112-generic
- - name: os.name
- level: extended
- type: keyword
- ignore_above: 1024
- multi_fields:
- - name: text
- type: text
- norms: false
- default_field: false
- description: Operating system name, without the version.
- example: Mac OS X
- - name: os.platform
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system platform (such centos, ubuntu, windows).
- example: darwin
- - name: os.version
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system version as a raw string.
- example: 10.14.1
- - name: type
- level: core
- type: keyword
- ignore_above: 1024
- description: "Type of host.\nFor Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment."
- - name: containerized
- type: boolean
- description: >
- If the host is a container.
-
- - name: os.build
- type: keyword
- example: "18D109"
- description: >
- OS build information.
-
- - name: os.codename
- type: keyword
- example: "stretch"
- description: >
- OS codename, if any.
-
diff --git a/packages/zeek/2.5.2/data_stream/ocsp/fields/base-fields.yml b/packages/zeek/2.5.2/data_stream/ocsp/fields/base-fields.yml
deleted file mode 100755
index 488e62b186..0000000000
--- a/packages/zeek/2.5.2/data_stream/ocsp/fields/base-fields.yml
+++ /dev/null
@@ -1,20 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: event.module
- type: constant_keyword
- description: Event module
- value: zeek
-- name: event.dataset
- type: constant_keyword
- description: Event dataset
- value: zeek.ocsp
-- name: '@timestamp'
- type: date
- description: Event timestamp.
diff --git a/packages/zeek/2.5.2/data_stream/ocsp/fields/beats.yml b/packages/zeek/2.5.2/data_stream/ocsp/fields/beats.yml
deleted file mode 100755
index 470f5fae48..0000000000
--- a/packages/zeek/2.5.2/data_stream/ocsp/fields/beats.yml
+++ /dev/null
@@ -1,23 +0,0 @@
-- description: Unique container id.
- ignore_above: 1024
- name: container.id
- type: keyword
-- description: Type of Filebeat input.
- name: input.type
- type: keyword
-- description: Full path to the log file this event came from.
- example: /var/log/fun-times.log
- ignore_above: 1024
- name: log.file.path
- type: keyword
-- description: Flags for the log file.
- name: log.flags
- type: keyword
-- description: Offset of the entry in the log file.
- name: log.offset
- type: long
-- description: List of keywords used to tag each event.
- example: '["production", "env2"]'
- ignore_above: 1024
- name: tags
- type: keyword
diff --git a/packages/zeek/2.5.2/data_stream/ocsp/fields/ecs.yml b/packages/zeek/2.5.2/data_stream/ocsp/fields/ecs.yml
deleted file mode 100755
index f73c570fc5..0000000000
--- a/packages/zeek/2.5.2/data_stream/ocsp/fields/ecs.yml
+++ /dev/null
@@ -1,48 +0,0 @@ -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: Error message. - name: error.message - type: match_only_text -- description: |- - event.created contains the date/time when the event was first read by an agent, or by your pipeline. - This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. - In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. - In case the two timestamps are identical, @timestamp should be used. - name: event.created - type: date -- description: |- - Timestamp when an event arrived in the central data store. - This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. - In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. - name: event.ingested - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. 
They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: Full path to the file, including the file name. It should include the drive letter, when appropriate. - multi_fields: - - name: text - type: match_only_text - name: file.path - type: keyword -- description: Host ip addresses. - name: host.ip - normalize: - - array - type: ip -- description: |- - Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) - The field value must be normalized to lowercase for querying. - name: network.transport - type: keyword -- description: All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). - name: related.hash - normalize: - - array - type: keyword diff --git a/packages/zeek/2.5.2/data_stream/ocsp/fields/fields.yml b/packages/zeek/2.5.2/data_stream/ocsp/fields/fields.yml deleted file mode 100755 index f2be6d1ba8..0000000000 --- a/packages/zeek/2.5.2/data_stream/ocsp/fields/fields.yml +++ /dev/null 
@@ -1,55 +0,0 @@
-- name: zeek.ocsp
- type: group
- fields:
- - name: file_id
- type: keyword
- description: |
- File id of the OCSP reply.
- - name: hash
- type: group
- fields:
- - name: algorithm
- type: keyword
- description: |
- Hash algorithm used to generate issuerNameHash and issuerKeyHash.
- - name: issuer
- type: group
- fields:
- - name: name
- type: keyword
- description: |
- Hash of the issuer's distingueshed name.
- - name: key
- type: keyword
- description: |
- Hash of the issuer's public key.
- - name: serial_number
- type: keyword
- description: |
- Serial number of the affected certificate.
- - name: status
- type: keyword
- description: |
- Status of the affected certificate.
- - name: revoke
- type: group
- fields:
- - name: date
- type: date
- description: |
- Time at which the certificate was revoked.
- - name: reason
- type: keyword
- description: |
- Reason for which the certificate was revoked.
- - name: update
- type: group
- fields:
- - name: this
- type: date
- description: |
- The time at which the status being shows is known to have been correct.
- - name: next
- type: date
- description: |
- The latest time at which new information about the status of the certificate will be available.
diff --git a/packages/zeek/2.5.2/data_stream/ocsp/fields/package-fields.yml b/packages/zeek/2.5.2/data_stream/ocsp/fields/package-fields.yml
deleted file mode 100755
index 4d6d6ea170..0000000000
--- a/packages/zeek/2.5.2/data_stream/ocsp/fields/package-fields.yml
+++ /dev/null
@@ -1,7 +0,0 @@
-- name: zeek
- type: group
- fields:
- - name: session_id
- type: keyword
- description: |
- A unique identifier of the session
diff --git a/packages/zeek/2.5.2/data_stream/ocsp/manifest.yml b/packages/zeek/2.5.2/data_stream/ocsp/manifest.yml
deleted file mode 100755
index 6cca1eabd2..0000000000
--- a/packages/zeek/2.5.2/data_stream/ocsp/manifest.yml
+++ /dev/null
@@ -1,85 +0,0 @@
-type: logs
-title: Zeek ocsp logs
-streams:
- - input: logfile
- vars:
- - name: filenames
- type: text
- title: Filename of ocsp log file
- multi: true
- required: true
- show_user: true
- default:
- - ocsp.log
- - name: tags
- type: text
- title: Tags
- multi: true
- required: true
- show_user: false
- default:
- - forwarded
- - zeek-ocsp
- - name: preserve_original_event
- required: true
- show_user: true
- title: Preserve original event
- description: Preserves a raw copy of the original event, added to the field `event.original`
- type: bool
- multi: false
- default: false
- - name: processors
- type: yaml
- title: Processors
- multi: false
- required: false
- show_user: false
- description: >
- Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
-
- template_path: log.yml.hbs
- title: Zeek ocsp.log
- description: Collect Zeek ocsp logs
- - input: httpjson
- title: Zeek ocsp logs via Splunk Enterprise REST API
- description: Collect Zeek ocsp logs via Splunk Enterprise REST API
- enabled: false
- template_path: httpjson.yml.hbs
- vars:
- - name: interval
- type: text
- title: Interval to query Splunk Enterprise REST API
- description: Go Duration syntax (eg. 10s)
- show_user: true
- required: true
- default: 10s
- - name: search
- type: text
- title: Splunk search string
- show_user: true
- required: true
- default: "search sourcetype=\"ocsp-*\""
- - name: tags
- type: text
- title: Tags
- multi: true
- show_user: false
- default:
- - forwarded
- - zeek-ocsp
- - name: preserve_original_event
- required: true
- show_user: true
- title: Preserve original event
- description: Preserves a raw copy of the original event, added to the field `event.original`
- type: bool
- multi: false
- default: false
- - name: processors
- type: yaml
- title: Processors
- multi: false
- required: false
- show_user: false
- description: >-
- Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
diff --git a/packages/zeek/2.5.2/data_stream/pe/agent/stream/httpjson.yml.hbs b/packages/zeek/2.5.2/data_stream/pe/agent/stream/httpjson.yml.hbs
deleted file mode 100755
index 33f251e7d6..0000000000
--- a/packages/zeek/2.5.2/data_stream/pe/agent/stream/httpjson.yml.hbs
+++ /dev/null
@@ -1,63 +0,0 @@
-config_version: 2
-interval: {{interval}}
-{{#unless token}}
-{{#if username}}
-{{#if password}}
-auth.basic.user: {{username}}
-auth.basic.password: {{password}}
-{{/if}}
-{{/if}}
-{{/unless}}
-cursor:
- index_earliest:
- value: '[[.last_event.result.max_indextime]]'
-request.url: {{url}}/services/search/jobs/export
-{{#if ssl}}
-request.ssl: {{ssl}}
-{{/if}}
-request.method: POST
-request.transforms:
- - set:
- target: url.params.search
- value: {{search}} | streamstats max(_indextime) AS max_indextime
- - set:
- target: url.params.output_mode
- value: "json"
- - set:
- target: url.params.index_earliest
- value: '[[ .cursor.index_earliest ]]'
- default: '[[(now (parseDuration "-{{interval}}")).Unix]]'
- - set:
- target: url.params.index_latest
- value: '[[(now).Unix]]'
- - set:
- target: header.Content-Type
- value: application/x-www-form-urlencoded
-{{#unless username}}
-{{#unless password}}
-{{#if token}}
- - set:
- target: header.Authorization
- value: {{token}}
-{{/if}}
-{{/unless}}
-{{/unless}}
-response.decode_as: application/x-ndjson
-response.split:
- target: body.result._raw
- type: string
- delimiter: "\n"
-tags:
-{{#if preserve_original_event}}
- - preserve_original_event
-{{/if}}
-{{#each tags as |tag i|}}
- - {{tag}}
-{{/each}}
-{{#contains "forwarded" tags}}
-publisher_pipeline.disable_host: true
-{{/contains}}
-{{#if processors}}
-processors:
-{{processors}}
-{{/if}}
diff --git a/packages/zeek/2.5.2/data_stream/pe/agent/stream/log.yml.hbs b/packages/zeek/2.5.2/data_stream/pe/agent/stream/log.yml.hbs
deleted file mode 100755
index 9dd9f724a5..0000000000
--- a/packages/zeek/2.5.2/data_stream/pe/agent/stream/log.yml.hbs
+++ /dev/null
@@ -1,21 +0,0 @@
-paths:
-{{#each base_paths}}
- {{#each ../filenames}}
- - {{../this}}/{{this}}
- {{/each}}
-{{/each}}
-exclude_files: [".gz$"]
-tags:
-{{#if preserve_original_event}}
- - preserve_original_event
-{{/if}}
-{{#each tags as |tag i|}}
- - {{tag}}
-{{/each}}
-{{#contains "forwarded" tags}}
-publisher_pipeline.disable_host: true
-{{/contains}}
-{{#if processors}}
-processors:
-{{processors}}
-{{/if}}
diff --git a/packages/zeek/2.5.2/data_stream/pe/elasticsearch/ingest_pipeline/default.yml b/packages/zeek/2.5.2/data_stream/pe/elasticsearch/ingest_pipeline/default.yml
deleted file mode 100755
index 78dbe84540..0000000000
--- a/packages/zeek/2.5.2/data_stream/pe/elasticsearch/ingest_pipeline/default.yml
+++ /dev/null
@@ -1,62 +0,0 @@
----
-description: Pipeline for normalizing Zeek pe.log
-processors:
- - rename:
- field: message
- target_field: event.original
- - json:
- field: event.original
- target_field: _temp_
- - pipeline:
- if: ctx?._temp_?.result != null
- name: '{{ IngestPipeline "third-party" }}'
- - drop:
- description: Drop if no timestamp (invalid json)
- if: 'ctx?._temp_?.ts == null'
- - rename:
- field: _temp_
- target_field: zeek.pe
-
-# Sets event.created from the @timestamp field generated by filebeat before being overwritten further down
- - set:
- field: event.created
- copy_from: "@timestamp"
- - set:
- field: event.kind
- value: event
- - set:
- field: ecs.version
- value: '8.4.0'
- - append:
- field: event.category
- value: file
- - append:
- field: event.type
- value: info
- - rename:
- field: zeek.pe.compile_ts
- target_field: zeek.pe.compile_time
- ignore_missing: true
- - date:
- field: zeek.pe.ts
- formats:
- - UNIX
- - ISO8601
- - remove:
- field: zeek.pe.ts
- - date:
- field: zeek.pe.compile_time
- target_field: zeek.pe.compile_time
- formats:
- - UNIX
- - ISO8601
- if: ctx.zeek.pe.compile_time != null
- - remove:
- field: event.original
- if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))"
- ignore_failure: true
- ignore_missing: true
-on_failure:
- - set:
- field: error.message
- value: "{{ _ingest.on_failure_message }}"
diff --git a/packages/zeek/2.5.2/data_stream/pe/elasticsearch/ingest_pipeline/third-party.yml b/packages/zeek/2.5.2/data_stream/pe/elasticsearch/ingest_pipeline/third-party.yml
deleted file mode 100755
index 5bc2247db2..0000000000
--- a/packages/zeek/2.5.2/data_stream/pe/elasticsearch/ingest_pipeline/third-party.yml
+++ /dev/null
@@ -1,39 +0,0 @@
----
-description: Pipeline for parsing Zeek logs from third party api
-processors:
- - fingerprint:
- fields:
- - _temp_.result._cd
- - _temp_.result._indextime
- - _temp_.result._raw
- - _temp_.result._time
- - _temp_.result.host
- - _temp_.result.source
- target_field: '_id'
- ignore_missing: true
- - set:
- field: event.original
- copy_from: _temp_.result._raw
- ignore_empty_value: true
- - set:
- field: host.name
- copy_from: _temp_.result.host
- ignore_empty_value: true
- - set:
- copy_from: _temp_.result.source
- field: log.file.path
- ignore_empty_value: true
- - remove:
- field: _temp_
- ignore_missing: true
- - json:
- field: event.original
- target_field: _temp_
-on_failure:
- - append:
- field: error.message
- value: >-
- error in third party api pipeline:
- error in [{{_ingest.on_failure_processor_type}}] processor{{#_ingest.on_failure_processor_tag}}
- with tag [{{_ingest.on_failure_processor_tag }}]{{/_ingest.on_failure_processor_tag}}
- {{ _ingest.on_failure_message }}
diff --git a/packages/zeek/2.5.2/data_stream/pe/fields/agent.yml b/packages/zeek/2.5.2/data_stream/pe/fields/agent.yml
deleted file mode 100755
index ed1313d1b0..0000000000
--- a/packages/zeek/2.5.2/data_stream/pe/fields/agent.yml
+++ /dev/null
@@ -1,171 +0,0 @@
-- name: cloud
- title: Cloud
- group: 2
- description: Fields related to the cloud or infrastructure the events are coming from.
- footnote: "Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on."
- type: group
- fields:
- - name: account.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: "The cloud account or organization id used to identify different entities in a multi-tenant environment.\nExamples: AWS account id, Google Cloud ORG Id, or other unique identifier."
- example: 666777888999
- - name: availability_zone
- level: extended
- type: keyword
- ignore_above: 1024
- description: Availability zone in which this host is running.
- example: us-east-1c
- - name: instance.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance ID of the host machine.
- example: i-1234567890abcdef0
- - name: instance.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance name of the host machine.
- - name: machine.type
- level: extended
- type: keyword
- ignore_above: 1024
- description: Machine type of the host machine.
- example: t2.medium
- - name: provider
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
- example: aws
- - name: region
- level: extended
- type: keyword
- ignore_above: 1024
- description: Region in which this host is running.
- example: us-east-1
- - name: project.id
- type: keyword
- description: Name of the project in Google Cloud.
- - name: image.id
- type: keyword
- description: Image ID for the cloud instance.
-- name: container
- title: Container
- group: 2
- description: "Container fields are used for meta information about the specific container that is the source of information.\nThese fields help correlate data based containers from any runtime."
- type: group
- fields:
- - name: image.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the image the container was built on.
- - name: labels
- level: extended
- type: object
- object_type: keyword
- description: Image labels.
- - name: name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Container name.
-- name: host
- title: Host
- group: 2
- description: "A host is defined as a general computing instance.\nECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes."
- type: group
- fields:
- - name: architecture
- level: core
- type: keyword
- ignore_above: 1024
- description: Operating system architecture.
- example: x86_64
- - name: domain
- level: extended
- type: keyword
- ignore_above: 1024
- description: "Name of the domain of which the host is a member.\nFor example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider."
- example: CONTOSO
- default_field: false
- - name: hostname
- level: core
- type: keyword
- ignore_above: 1024
- description: "Hostname of the host.\nIt normally contains what the `hostname` command returns on the host machine."
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: "Unique host id.\nAs hostname is not always unique, use values that are meaningful in your environment.\nExample: The current usage of `beat.name`."
- - name: mac
- level: core
- type: keyword
- ignore_above: 1024
- description: Host mac addresses.
- - name: name
- level: core
- type: keyword
- ignore_above: 1024
- description: "Name of the host.\nIt can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use."
- - name: os.family
- level: extended
- type: keyword
- ignore_above: 1024
- description: OS family (such as redhat, debian, freebsd, windows).
- example: debian
- - name: os.kernel
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system kernel version as a raw string.
- example: 4.4.0-112-generic
- - name: os.name
- level: extended
- type: keyword
- ignore_above: 1024
- multi_fields:
- - name: text
- type: text
- norms: false
- default_field: false
- description: Operating system name, without the version.
- example: Mac OS X
- - name: os.platform
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system platform (such centos, ubuntu, windows).
- example: darwin
- - name: os.version
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system version as a raw string.
- example: 10.14.1
- - name: type
- level: core
- type: keyword
- ignore_above: 1024
- description: "Type of host.\nFor Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment."
- - name: containerized
- type: boolean
- description: >
- If the host is a container.
-
- - name: os.build
- type: keyword
- example: "18D109"
- description: >
- OS build information.
-
- - name: os.codename
- type: keyword
- example: "stretch"
- description: >
- OS codename, if any.
-
diff --git a/packages/zeek/2.5.2/data_stream/pe/fields/base-fields.yml b/packages/zeek/2.5.2/data_stream/pe/fields/base-fields.yml
deleted file mode 100755
index 98af311efa..0000000000
--- a/packages/zeek/2.5.2/data_stream/pe/fields/base-fields.yml
+++ /dev/null
@@ -1,20 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: event.module
- type: constant_keyword
- description: Event module
- value: zeek
-- name: event.dataset
- type: constant_keyword
- description: Event dataset
- value: zeek.pe
-- name: '@timestamp'
- type: date
- description: Event timestamp.
diff --git a/packages/zeek/2.5.2/data_stream/pe/fields/beats.yml b/packages/zeek/2.5.2/data_stream/pe/fields/beats.yml
deleted file mode 100755
index 470f5fae48..0000000000
--- a/packages/zeek/2.5.2/data_stream/pe/fields/beats.yml
+++ /dev/null
@@ -1,23 +0,0 @@
-- description: Unique container id.
- ignore_above: 1024
- name: container.id
- type: keyword
-- description: Type of Filebeat input.
- name: input.type
- type: keyword
-- description: Full path to the log file this event came from.
- example: /var/log/fun-times.log
- ignore_above: 1024
- name: log.file.path
- type: keyword
-- description: Flags for the log file.
- name: log.flags
- type: keyword
-- description: Offset of the entry in the log file.
- name: log.offset
- type: long
-- description: List of keywords used to tag each event.
- example: '["production", "env2"]'
- ignore_above: 1024
- name: tags
- type: keyword
diff --git a/packages/zeek/2.5.2/data_stream/pe/fields/ecs.yml b/packages/zeek/2.5.2/data_stream/pe/fields/ecs.yml
deleted file mode 100755
index 9e6ed92055..0000000000
--- a/packages/zeek/2.5.2/data_stream/pe/fields/ecs.yml
+++ /dev/null
@@ -1,48 +0,0 @@
-- description: |-
- ECS version this event conforms to. `ecs.version` is a required field and must exist in all events.
- When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events.
- name: ecs.version
- type: keyword
-- description: Error message.
- name: error.message
- type: match_only_text
-- description: |-
- This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy.
- `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory.
- This field is an array. This will allow proper categorization of some events that fall in multiple categories.
- name: event.category
- normalize:
- - array
- type: keyword
-- description: |-
- event.created contains the date/time when the event was first read by an agent, or by your pipeline.
- This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event.
- In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source.
- In case the two timestamps are identical, @timestamp should be used.
- name: event.created
- type: date
-- description: |-
- Timestamp when an event arrived in the central data store.
- This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event.
- In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`.
- name: event.ingested
- type: date
-- description: |-
- This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy.
- `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events.
- The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not.
- name: event.kind
- type: keyword
-- description: |-
- This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy.
- `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization.
- This field is an array. This will allow proper categorization of some events that fall in multiple event types.
- name: event.type
- normalize:
- - array
- type: keyword
-- description: Host ip addresses.
- name: host.ip
- normalize:
- - array
- type: ip
diff --git a/packages/zeek/2.5.2/data_stream/pe/fields/fields.yml b/packages/zeek/2.5.2/data_stream/pe/fields/fields.yml
deleted file mode 100755
index f4d50fff0f..0000000000
--- a/packages/zeek/2.5.2/data_stream/pe/fields/fields.yml
+++ /dev/null
@@ -1,71 +0,0 @@
-- name: zeek.pe
- type: group
- fields:
- - name: client
- type: keyword
- description: |
- The client's version string.
- - name: id
- type: keyword
- description: |
- File id of this portable executable file.
- - name: machine
- type: keyword
- description: |
- The target machine that the file was compiled for.
- - name: compile_time
- type: date
- description: |
- The time that the file was created at.
- - name: os
- type: keyword
- description: |
- The required operating system.
- - name: subsystem
- type: keyword
- description: |
- The subsystem that is required to run this file.
- - name: is_exe
- type: boolean
- description: |
- Is the file an executable, or just an object file?
- - name: is_64bit
- type: boolean
- description: |
- Is the file a 64-bit executable?
- - name: uses_aslr
- type: boolean
- description: |
- Does the file support Address Space Layout Randomization?
- - name: uses_dep
- type: boolean
- description: |
- Does the file support Data Execution Prevention?
- - name: uses_code_integrity
- type: boolean
- description: |
- Does the file enforce code integrity checks?
- - name: uses_seh
- type: boolean
- description: |
- Does the file use structured exception handing?
- - name: has_import_table
- type: boolean
- description: |
- Does the file have an import table?
- - name: has_export_table
- type: boolean
- description: |
- Does the file have an export table?
- - name: has_cert_table
- type: boolean
- description: |
- Does the file have an attribute certificate table?
- - name: has_debug_data
- type: boolean
- description: |
- Does the file have a debug table?
- - name: section_names
- type: keyword
- description: |
- The names of the sections, in order.
diff --git a/packages/zeek/2.5.2/data_stream/pe/fields/package-fields.yml b/packages/zeek/2.5.2/data_stream/pe/fields/package-fields.yml
deleted file mode 100755
index 4d6d6ea170..0000000000
--- a/packages/zeek/2.5.2/data_stream/pe/fields/package-fields.yml
+++ /dev/null
@@ -1,7 +0,0 @@
-- name: zeek
- type: group
- fields:
- - name: session_id
- type: keyword
- description: |
- A unique identifier of the session
diff --git a/packages/zeek/2.5.2/data_stream/pe/manifest.yml b/packages/zeek/2.5.2/data_stream/pe/manifest.yml
deleted file mode 100755
index 529d8abb40..0000000000
--- a/packages/zeek/2.5.2/data_stream/pe/manifest.yml
+++ /dev/null
@@ -1,85 +0,0 @@
-type: logs
-title: Zeek pe logs
-streams:
- - input: logfile
- vars:
- - name: filenames
- type: text
- title: Filename of pe log file
- multi: true
- required: true
- show_user: true
- default:
- - pe.log
- - name: tags
- type: text
- title: Tags
- multi: true
- required: true
- show_user: false
- default:
- - forwarded
- - zeek-pe
- - name: preserve_original_event
- required: true
- show_user: true
- title: Preserve original event
- description: Preserves a raw copy of the original event, added to the field `event.original`
- type: bool
- multi: false
- default: false
- - name: processors
- type: yaml
- title: Processors
- multi: false
- required: false
- show_user: false
- description: >
- Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
- template_path: log.yml.hbs
- title: Zeek pe.log
- description: Collect Zeek pe logs
- - input: httpjson
- title: Zeek pe logs via Splunk Enterprise REST API
- description: Collect Zeek pe logs via Splunk Enterprise REST API
- enabled: false
- template_path: httpjson.yml.hbs
- vars:
- - name: interval
- type: text
- title: Interval to query Splunk Enterprise REST API
- description: Go Duration syntax (eg. 10s)
- show_user: true
- required: true
- default: 10s
- - name: search
- type: text
- title: Splunk search string
- show_user: true
- required: true
- default: "search sourcetype=\"pe-*\""
- - name: tags
- type: text
- title: Tags
- multi: true
- show_user: false
- default:
- - forwarded
- - zeek-pe
- - name: preserve_original_event
- required: true
- show_user: true
- title: Preserve original event
- description: Preserves a raw copy of the original event, added to the field `event.original`
- type: bool
- multi: false
- default: false
- - name: processors
- type: yaml
- title: Processors
- multi: false
- required: false
- show_user: false
- description: >-
- Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
diff --git a/packages/zeek/2.5.2/data_stream/radius/agent/stream/httpjson.yml.hbs b/packages/zeek/2.5.2/data_stream/radius/agent/stream/httpjson.yml.hbs
deleted file mode 100755
index 33f251e7d6..0000000000
--- a/packages/zeek/2.5.2/data_stream/radius/agent/stream/httpjson.yml.hbs
+++ /dev/null
@@ -1,63 +0,0 @@
-config_version: 2
-interval: {{interval}}
-{{#unless token}}
-{{#if username}}
-{{#if password}}
-auth.basic.user: {{username}}
-auth.basic.password: {{password}}
-{{/if}}
-{{/if}}
-{{/unless}}
-cursor:
- index_earliest:
- value: '[[.last_event.result.max_indextime]]'
-request.url: {{url}}/services/search/jobs/export
-{{#if ssl}}
-request.ssl: {{ssl}}
-{{/if}}
-request.method: POST
-request.transforms:
- - set:
- target: url.params.search
- value: {{search}} | streamstats max(_indextime) AS max_indextime
- - set:
- target: url.params.output_mode
- value: "json"
- - set:
- target: url.params.index_earliest
- value: '[[ .cursor.index_earliest ]]'
- default: '[[(now (parseDuration "-{{interval}}")).Unix]]'
- - set:
- target: url.params.index_latest
- value: '[[(now).Unix]]'
- - set:
- target: header.Content-Type
- value: application/x-www-form-urlencoded
-{{#unless username}}
-{{#unless password}}
-{{#if token}}
- - set:
- target: header.Authorization
- value: {{token}}
-{{/if}}
-{{/unless}}
-{{/unless}}
-response.decode_as: application/x-ndjson
-response.split:
- target: body.result._raw
- type: string
- delimiter: "\n"
-tags:
-{{#if preserve_original_event}}
- - preserve_original_event
-{{/if}}
-{{#each tags as |tag i|}}
- - {{tag}}
-{{/each}}
-{{#contains "forwarded" tags}}
-publisher_pipeline.disable_host: true
-{{/contains}}
-{{#if processors}}
-processors:
-{{processors}}
-{{/if}}
diff --git a/packages/zeek/2.5.2/data_stream/radius/agent/stream/log.yml.hbs b/packages/zeek/2.5.2/data_stream/radius/agent/stream/log.yml.hbs
deleted file mode 100755
index 9dd9f724a5..0000000000
--- a/packages/zeek/2.5.2/data_stream/radius/agent/stream/log.yml.hbs
+++ /dev/null
@@ -1,21 +0,0 @@
-paths:
-{{#each base_paths}}
- {{#each ../filenames}}
- - {{../this}}/{{this}}
- {{/each}}
-{{/each}}
-exclude_files: [".gz$"]
-tags:
-{{#if preserve_original_event}}
- - preserve_original_event
-{{/if}}
-{{#each tags as |tag i|}}
- - {{tag}}
-{{/each}}
-{{#contains "forwarded" tags}}
-publisher_pipeline.disable_host: true
-{{/contains}}
-{{#if processors}}
-processors:
-{{processors}}
-{{/if}}
diff --git a/packages/zeek/2.5.2/data_stream/radius/elasticsearch/ingest_pipeline/default.yml b/packages/zeek/2.5.2/data_stream/radius/elasticsearch/ingest_pipeline/default.yml
deleted file mode 100755
index 3e80b29895..0000000000
--- a/packages/zeek/2.5.2/data_stream/radius/elasticsearch/ingest_pipeline/default.yml
+++ /dev/null
@@ -1,180 +0,0 @@
----
-description: Pipeline for normalizing Zeek radius.log
-processors:
- - rename:
- field: message
- target_field: event.original
- - json:
- field: event.original
- target_field: _temp_
- - pipeline:
- if: ctx?._temp_?.result != null
- name: '{{ IngestPipeline "third-party" }}'
- - drop:
- description: Drop if no timestamp (invalid json)
- if: 'ctx?._temp_?.ts == null'
- - rename:
- field: _temp_
- target_field: zeek.radius
-# Sets event.created from the @timestamp field generated by filebeat before being overwritten further down
- - set:
- field: event.created
- copy_from: "@timestamp"
- - set:
- field: event.kind
- value: event
- - set:
- field: ecs.version
- value: '8.4.0'
- - append:
- field: event.category
- value: network
- - append:
- field: event.category
- value: authentication
- - append:
- field: event.type
- value: connection
- - append:
- field: event.type
- value: info
- - set:
- field: network.transport
- value: udp
- - set:
- field: network.protocol
- value: radius
- - dot_expander:
- path: zeek.radius
- field: id.orig_p
- ignore_failure: true
- - dot_expander:
- path: zeek.radius
- field: id.orig_h
- ignore_failure: true
- - dot_expander:
- path: zeek.radius
- field: id.resp_h
- ignore_failure: true
- - dot_expander:
- path: zeek.radius
- field: id.resp_p
- ignore_failure: true
- - rename:
- field: zeek.radius.id.orig_h
- target_field: source.address
- ignore_missing: true
- - rename:
- field: zeek.radius.id.orig_p
- target_field: source.port
- ignore_missing: true
- - rename:
- field: zeek.radius.id.resp_h
- target_field: destination.address
- ignore_missing: true
- - rename:
- field: zeek.radius.id.resp_p
- target_field: destination.port
- ignore_missing: true
- - rename:
- field: zeek.radius.uid
- target_field: zeek.session_id
- ignore_missing: true
- - set:
- field: event.id
- copy_from: zeek.session_id
- if: ctx?.zeek?.session_id != null
- - set:
- field: source.ip
- copy_from: source.address
- if: ctx?.source?.address != null
- - set:
- field: destination.ip
- copy_from: destination.address
- if: ctx?.destination?.address != null
- - set:
- field: user.name
- copy_from: zeek.radius.username
- if: ctx?.zeek?.radius?.username != null
- - set:
- field: event.outcome
- copy_from: zeek.radius.result
- if: ctx?.zeek?.radius?.result != null
- - date:
- field: zeek.radius.ts
- formats:
- - UNIX
- - ISO8601
- - remove:
- field: zeek.radius.ts
- - append:
- field: related.ip
- value: "{{source.ip}}"
- if: "ctx?.source?.ip != null"
- allow_duplicates: false
- - append:
- field: related.ip
- value: "{{destination.ip}}"
- if: "ctx?.destination?.ip != null"
- allow_duplicates: false
- - geoip:
- field: destination.ip
- target_field: destination.geo
- ignore_missing: true
- - geoip:
- field: source.ip
- target_field: source.geo
- ignore_missing: true
- - geoip:
- database_file: GeoLite2-ASN.mmdb
- field: source.ip
- target_field: source.as
- properties:
- - asn
- - organization_name
- ignore_missing: true
- - geoip:
- database_file: GeoLite2-ASN.mmdb
- field: destination.ip
- target_field: destination.as
- properties:
- - asn
- - organization_name
- ignore_missing: true
- - rename:
- field: source.as.asn
- target_field: source.as.number
- ignore_missing: true
- - rename:
- field: source.as.organization_name
- target_field: source.as.organization.name
- ignore_missing: true
- - rename:
- field: destination.as.asn
- target_field: destination.as.number
- ignore_missing: true
- - rename:
- field: destination.as.organization_name
- target_field: destination.as.organization.name
- ignore_missing: true
- - append:
- field: related.user
- value: "{{user.name}}"
- if: "ctx?.user?.name != null"
- allow_duplicates: false
- - community_id:
- target_field: network.community_id
- - remove:
- field:
- - zeek.radius.id
- ignore_missing: true
- - remove:
- field: event.original
- if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))"
- ignore_failure: true
- ignore_missing: true
-on_failure:
- - set:
- field: error.message
- value: "{{ _ingest.on_failure_message }}"
diff --git a/packages/zeek/2.5.2/data_stream/radius/elasticsearch/ingest_pipeline/third-party.yml b/packages/zeek/2.5.2/data_stream/radius/elasticsearch/ingest_pipeline/third-party.yml
deleted file mode 100755
index 5bc2247db2..0000000000
--- a/packages/zeek/2.5.2/data_stream/radius/elasticsearch/ingest_pipeline/third-party.yml
+++ /dev/null
@@ -1,39 +0,0 @@
----
-description: Pipeline for parsing Zeek logs from third party api
-processors:
- - fingerprint:
- fields:
- - _temp_.result._cd
- - _temp_.result._indextime
- - _temp_.result._raw
- - _temp_.result._time
- - _temp_.result.host
- - _temp_.result.source
- target_field: '_id'
- ignore_missing: true
- - set:
- field: event.original
- copy_from: _temp_.result._raw
- ignore_empty_value: true
- - set:
- field: host.name
- copy_from: _temp_.result.host
- ignore_empty_value: true
- - set:
- copy_from: _temp_.result.source
- field: log.file.path
- ignore_empty_value: true
- - remove:
- field: _temp_
- ignore_missing: true
- - json:
- field: event.original
- target_field: _temp_
-on_failure:
- - append:
- field: error.message
- value: >-
- error in third party api pipeline:
- error in [{{_ingest.on_failure_processor_type}}] processor{{#_ingest.on_failure_processor_tag}}
- with tag [{{_ingest.on_failure_processor_tag }}]{{/_ingest.on_failure_processor_tag}}
- {{ _ingest.on_failure_message }}
diff --git a/packages/zeek/2.5.2/data_stream/radius/fields/agent.yml b/packages/zeek/2.5.2/data_stream/radius/fields/agent.yml
deleted file mode 100755
index ed1313d1b0..0000000000
--- a/packages/zeek/2.5.2/data_stream/radius/fields/agent.yml
+++ /dev/null
@@ -1,171 +0,0 @@
-- name: cloud
- title: Cloud
- group: 2
- description: Fields related to the cloud or infrastructure the events are coming from.
- footnote: "Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on."
- type: group
- fields:
- - name: account.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: "The cloud account or organization id used to identify different entities in a multi-tenant environment.\nExamples: AWS account id, Google Cloud ORG Id, or other unique identifier."
- example: 666777888999
- - name: availability_zone
- level: extended
- type: keyword
- ignore_above: 1024
- description: Availability zone in which this host is running.
- example: us-east-1c
- - name: instance.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance ID of the host machine.
- example: i-1234567890abcdef0
- - name: instance.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance name of the host machine.
- - name: machine.type
- level: extended
- type: keyword
- ignore_above: 1024
- description: Machine type of the host machine.
- example: t2.medium
- - name: provider
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
- example: aws
- - name: region
- level: extended
- type: keyword
- ignore_above: 1024
- description: Region in which this host is running.
- example: us-east-1
- - name: project.id
- type: keyword
- description: Name of the project in Google Cloud.
- - name: image.id
- type: keyword
- description: Image ID for the cloud instance.
-- name: container
- title: Container
- group: 2
- description: "Container fields are used for meta information about the specific container that is the source of information.\nThese fields help correlate data based containers from any runtime."
- type: group
- fields:
- - name: image.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the image the container was built on.
- - name: labels
- level: extended
- type: object
- object_type: keyword
- description: Image labels.
- - name: name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Container name.
-- name: host
- title: Host
- group: 2
- description: "A host is defined as a general computing instance.\nECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes."
- type: group
- fields:
- - name: architecture
- level: core
- type: keyword
- ignore_above: 1024
- description: Operating system architecture.
- example: x86_64
- - name: domain
- level: extended
- type: keyword
- ignore_above: 1024
- description: "Name of the domain of which the host is a member.\nFor example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider."
- example: CONTOSO
- default_field: false
- - name: hostname
- level: core
- type: keyword
- ignore_above: 1024
- description: "Hostname of the host.\nIt normally contains what the `hostname` command returns on the host machine."
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: "Unique host id.\nAs hostname is not always unique, use values that are meaningful in your environment.\nExample: The current usage of `beat.name`."
- - name: mac
- level: core
- type: keyword
- ignore_above: 1024
- description: Host mac addresses.
- - name: name
- level: core
- type: keyword
- ignore_above: 1024
- description: "Name of the host.\nIt can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use."
- - name: os.family
- level: extended
- type: keyword
- ignore_above: 1024
- description: OS family (such as redhat, debian, freebsd, windows).
- example: debian
- - name: os.kernel
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system kernel version as a raw string.
- example: 4.4.0-112-generic
- - name: os.name
- level: extended
- type: keyword
- ignore_above: 1024
- multi_fields:
- - name: text
- type: text
- norms: false
- default_field: false
- description: Operating system name, without the version.
- example: Mac OS X
- - name: os.platform
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system platform (such centos, ubuntu, windows).
- example: darwin
- - name: os.version
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system version as a raw string.
- example: 10.14.1
- - name: type
- level: core
- type: keyword
- ignore_above: 1024
- description: "Type of host.\nFor Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment."
- - name: containerized
- type: boolean
- description: >
- If the host is a container.
-
- - name: os.build
- type: keyword
- example: "18D109"
- description: >
- OS build information.
-
- - name: os.codename
- type: keyword
- example: "stretch"
- description: >
- OS codename, if any.
-
diff --git a/packages/zeek/2.5.2/data_stream/radius/fields/base-fields.yml b/packages/zeek/2.5.2/data_stream/radius/fields/base-fields.yml
deleted file mode 100755
index a9e14f26e2..0000000000
--- a/packages/zeek/2.5.2/data_stream/radius/fields/base-fields.yml
+++ /dev/null
@@ -1,20 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: event.module
- type: constant_keyword
- description: Event module
- value: zeek
-- name: event.dataset
- type: constant_keyword
- description: Event dataset
- value: zeek.radius
-- name: '@timestamp'
- type: date
- description: Event timestamp.
diff --git a/packages/zeek/2.5.2/data_stream/radius/fields/beats.yml b/packages/zeek/2.5.2/data_stream/radius/fields/beats.yml
deleted file mode 100755
index 470f5fae48..0000000000
--- a/packages/zeek/2.5.2/data_stream/radius/fields/beats.yml
+++ /dev/null
@@ -1,23 +0,0 @@
-- description: Unique container id.
- ignore_above: 1024
- name: container.id
- type: keyword
-- description: Type of Filebeat input.
- name: input.type
- type: keyword
-- description: Full path to the log file this event came from.
- example: /var/log/fun-times.log
- ignore_above: 1024
- name: log.file.path
- type: keyword
-- description: Flags for the log file.
- name: log.flags
- type: keyword
-- description: Offset of the entry in the log file.
- name: log.offset
- type: long
-- description: List of keywords used to tag each event.
- example: '["production", "env2"]'
- ignore_above: 1024
- name: tags
- type: keyword
diff --git a/packages/zeek/2.5.2/data_stream/radius/fields/ecs.yml b/packages/zeek/2.5.2/data_stream/radius/fields/ecs.yml
deleted file mode 100755
index 29d3c32a6f..0000000000
--- a/packages/zeek/2.5.2/data_stream/radius/fields/ecs.yml
+++ /dev/null
@@ -1,184 +0,0 @@
-- description: |-
- Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field.
- Then it should be duplicated to `.ip` or `.domain`, depending on which one it is.
- name: destination.address
- type: keyword
-- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet.
- name: destination.as.number
- type: long
-- description: Organization name.
- multi_fields:
- - name: text
- type: match_only_text
- name: destination.as.organization.name
- type: keyword
-- description: City name.
- name: destination.geo.city_name
- type: keyword
-- description: Name of the continent.
- name: destination.geo.continent_name
- type: keyword
-- description: Country ISO code.
- name: destination.geo.country_iso_code
- type: keyword
-- description: Country name.
- name: destination.geo.country_name
- type: keyword
-- description: Longitude and latitude.
- name: destination.geo.location
- type: geo_point
-- description: |-
- User-defined description of a location, at the level of granularity they care about.
- Could be the name of their data centers, the floor number, if this describes a local physical entity, city names.
- Not typically used in automated geolocation.
- name: destination.geo.name
- type: keyword
-- description: Region ISO code.
- name: destination.geo.region_iso_code
- type: keyword
-- description: Region name.
- name: destination.geo.region_name
- type: keyword
-- description: IP address of the destination (IPv4 or IPv6).
- name: destination.ip
- type: ip
-- description: Port of the destination.
- name: destination.port
- type: long
-- description: |-
- ECS version this event conforms to. `ecs.version` is a required field and must exist in all events.
- When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events.
- name: ecs.version
- type: keyword
-- description: Error message.
- name: error.message
- type: match_only_text
-- description: |-
- This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy.
- `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory.
- This field is an array. This will allow proper categorization of some events that fall in multiple categories.
- name: event.category
- normalize:
- - array
- type: keyword
-- description: |-
- event.created contains the date/time when the event was first read by an agent, or by your pipeline.
- This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event.
- In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source.
- In case the two timestamps are identical, @timestamp should be used.
- name: event.created
- type: date
-- description: Unique ID to describe the event.
- name: event.id
- type: keyword
-- description: |-
- Timestamp when an event arrived in the central data store.
- This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event.
- In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`.
- name: event.ingested
- type: date
-- description: |-
- This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy.
- `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events.
- The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not.
- name: event.kind
- type: keyword
-- description: |-
- This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy.
- `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event.
- Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective.
- Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer.
- Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense.
- name: event.outcome
- type: keyword
-- description: |-
- This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy.
- `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization.
- This field is an array. This will allow proper categorization of some events that fall in multiple event types.
- name: event.type
- normalize:
- - array
- type: keyword
-- description: Host ip addresses.
- name: host.ip
- normalize:
- - array
- type: ip
-- description: |-
- A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows.
- Learn more at https://github.com/corelight/community-id-spec.
- name: network.community_id
- type: keyword
-- description: |-
- In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`.
- The field value must be normalized to lowercase for querying.
- name: network.protocol
- type: keyword
-- description: |-
- Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.)
- The field value must be normalized to lowercase for querying.
- name: network.transport
- type: keyword
-- description: All of the IPs seen on your event.
- name: related.ip
- normalize:
- - array
- type: ip
-- description: All the user names or other user identifiers seen on the event.
- name: related.user
- normalize:
- - array
- type: keyword
-- description: |-
- Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field.
- Then it should be duplicated to `.ip` or `.domain`, depending on which one it is.
- name: source.address
- type: keyword
-- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet.
- name: source.as.number
- type: long
-- description: Organization name.
- multi_fields:
- - name: text
- type: match_only_text
- name: source.as.organization.name
- type: keyword
-- description: City name.
- name: source.geo.city_name
- type: keyword
-- description: Name of the continent.
- name: source.geo.continent_name
- type: keyword
-- description: Country ISO code.
- name: source.geo.country_iso_code
- type: keyword
-- description: Country name.
- name: source.geo.country_name
- type: keyword
-- description: Longitude and latitude.
- name: source.geo.location
- type: geo_point
-- description: |-
- User-defined description of a location, at the level of granularity they care about.
- Could be the name of their data centers, the floor number, if this describes a local physical entity, city names.
- Not typically used in automated geolocation.
- name: source.geo.name
- type: keyword
-- description: Region ISO code.
- name: source.geo.region_iso_code
- type: keyword
-- description: Region name.
- name: source.geo.region_name
- type: keyword
-- description: IP address of the source (IPv4 or IPv6).
- name: source.ip
- type: ip
-- description: Port of the source.
- name: source.port
- type: long
-- description: Short name or login of the user.
- multi_fields:
- - name: text
- type: match_only_text
- name: user.name
- type: keyword
diff --git a/packages/zeek/2.5.2/data_stream/radius/fields/fields.yml b/packages/zeek/2.5.2/data_stream/radius/fields/fields.yml
deleted file mode 100755
index bb2cfd38d0..0000000000
--- a/packages/zeek/2.5.2/data_stream/radius/fields/fields.yml
+++ /dev/null
@@ -1,39 +0,0 @@ -- name: zeek.radius - type: group - fields: - - name: username - type: keyword - description: | - The username, if present. - - name: mac - type: keyword - description: | - MAC address, if present. - - name: framed_addr - type: ip - description: | - The address given to the network access server, if present. This is only a hint from the RADIUS server and the network access server is not required to honor the address. - - name: remote_ip - type: ip - description: | - Remote IP address, if present. This is collected from the Tunnel-Client-Endpoint attribute. - - name: connect_info - type: keyword - description: | - Connect info, if present. - - name: reply_msg - type: keyword - description: | - Reply message from the server challenge. This is frequently shown to the user authenticating. - - name: result - type: keyword - description: | - Successful or failed authentication. - - name: ttl - type: integer - description: | - The duration between the first request and either the "Access-Accept" message or an error. If the field is empty, it means that either the request or response was not seen. - - name: logged - type: boolean - description: | - Whether this has already been logged and can be ignored. diff --git a/packages/zeek/2.5.2/data_stream/radius/fields/package-fields.yml b/packages/zeek/2.5.2/data_stream/radius/fields/package-fields.yml deleted file mode 100755 index 4d6d6ea170..0000000000 --- a/packages/zeek/2.5.2/data_stream/radius/fields/package-fields.yml +++ /dev/null @@ -1,7 +0,0 @@ -- name: zeek - type: group - fields: - - name: session_id - type: keyword - description: | - A unique identifier of the session diff --git a/packages/zeek/2.5.2/data_stream/radius/manifest.yml b/packages/zeek/2.5.2/data_stream/radius/manifest.yml deleted file mode 100755 index b703d8bfce..0000000000 --- a/packages/zeek/2.5.2/data_stream/radius/manifest.yml +++ /dev/null 
@@ -1,85 +0,0 @@ -type: logs -title: Zeek radius logs -streams: - - input: logfile - vars: - - name: filenames - type: text - title: Filename of radius log file - multi: true - required: true - show_user: true - default: - - radius.log - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: false - default: - - forwarded - - zeek-radius - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original` - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: > - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. - - template_path: log.yml.hbs - title: Zeek radius.log - description: Collect Zeek radius logs - - input: httpjson - title: Zeek radius logs via Splunk Enterprise REST API - description: Collect Zeek radius logs via Splunk Enterprise REST API - enabled: false - template_path: httpjson.yml.hbs - vars: - - name: interval - type: text - title: Interval to query Splunk Enterprise REST API - description: Go Duration syntax (eg. 
10s) - show_user: true - required: true - default: 10s - - name: search - type: text - title: Splunk search string - show_user: true - required: true - default: "search sourcetype=\"radius-*\"" - - name: tags - type: text - title: Tags - multi: true - show_user: false - default: - - forwarded - - zeek-radius - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original` - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: >- - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. diff --git a/packages/zeek/2.5.2/data_stream/rdp/agent/stream/httpjson.yml.hbs b/packages/zeek/2.5.2/data_stream/rdp/agent/stream/httpjson.yml.hbs deleted file mode 100755 index 27d1775b51..0000000000 --- a/packages/zeek/2.5.2/data_stream/rdp/agent/stream/httpjson.yml.hbs +++ /dev/null 
@@ -1,63 +0,0 @@ -config_version: 2 -interval: {{interval}} -{{#unless token}} -{{#if username}} -{{#if password}} -auth.basic.user: {{username}} -auth.basic.password: {{password}} -{{/if}} -{{/if}} -{{/unless}} -cursor: - index_earliest: - value: '[[.last_event.result.max_indextime]]' -request.url: {{url}}/services/search/jobs/export -{{#if ssl}} -request.ssl: {{ssl}} -{{/if}} -request.method: POST -request.transforms: - - set: - target: url.params.search - value: {{search}} | streamstats max(_indextime) AS max_indextime - - set: - target: url.params.output_mode - value: "json" - - set: - target: url.params.index_earliest - value: '[[ .cursor.index_earliest ]]' - default: '[[(now (parseDuration "-{{interval}}")).Unix]]' - - set: - target: url.params.index_latest - value: '[[(now).Unix]]' - - set: - target: header.Content-Type - value: application/x-www-form-urlencoded -{{#unless username}} -{{#unless password}} -{{#if token}} - - set: - target: header.Authorization - value: {{token}} -{{/if}} -{{/unless}} -{{/unless}} -response.decode_as: application/x-ndjson -response.split: - target: body.result._raw - type: string - delimiter: "\n" -tags: -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#each tags as |tag i|}} - - {{tag}} -{{/each}} -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} -{{#if processors}} -processors: -{{processors}} -{{/if}} \ No newline at end of file diff --git a/packages/zeek/2.5.2/data_stream/rdp/agent/stream/log.yml.hbs b/packages/zeek/2.5.2/data_stream/rdp/agent/stream/log.yml.hbs deleted file mode 100755 index 9dd9f724a5..0000000000 --- a/packages/zeek/2.5.2/data_stream/rdp/agent/stream/log.yml.hbs +++ /dev/null 
@@ -1,21 +0,0 @@ -paths: -{{#each base_paths}} - {{#each ../filenames}} - - {{../this}}/{{this}} - {{/each}} -{{/each}} -exclude_files: [".gz$"] -tags: -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#each tags as |tag i|}} - - {{tag}} -{{/each}} -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} -{{#if processors}} -processors: -{{processors}} -{{/if}} diff --git a/packages/zeek/2.5.2/data_stream/rdp/elasticsearch/ingest_pipeline/default.yml b/packages/zeek/2.5.2/data_stream/rdp/elasticsearch/ingest_pipeline/default.yml deleted file mode 100755 index e14d72f7b9..0000000000 --- a/packages/zeek/2.5.2/data_stream/rdp/elasticsearch/ingest_pipeline/default.yml +++ /dev/null 
@@ -1,213 +0,0 @@ ---- -description: Pipeline for normalizing Zeek rdp.log -processors: - - rename: - field: message - target_field: event.original - - json: - field: event.original - target_field: _temp_ - - pipeline: - if: ctx?._temp_?.result != null - name: '{{ IngestPipeline "third-party" }}' - - drop: - description: Drop if no timestamp (invalid json) - if: 'ctx?._temp_?.ts == null' - - rename: - field: _temp_ - target_field: zeek.rdp - -# Sets event.created from the @timestamp field generated by filebeat before being overwritten further down - - set: - field: event.created - copy_from: "@timestamp" - - set: - field: event.kind - value: event - - set: - field: ecs.version - value: '8.4.0' - - append: - field: event.category - value: network - - append: - field: event.type - value: protocol - - append: - field: event.type - value: info - - set: - field: network.transport - value: tcp - - set: - field: network.protocol - value: rdp - - dot_expander: - path: zeek.rdp - field: id.orig_p - ignore_failure: true - - dot_expander: - path: zeek.rdp - field: id.orig_h - ignore_failure: true - - dot_expander: - path: zeek.rdp - field: id.resp_h - ignore_failure: true - - dot_expander: - path: zeek.rdp - field: id.resp_p - ignore_failure: true - - rename: - field: zeek.rdp.id.orig_h - target_field: source.address - ignore_missing: true - - rename: - field: zeek.rdp.id.orig_p - target_field: source.port - ignore_missing: true - - rename: - field: zeek.rdp.id.resp_h - target_field: destination.address - ignore_missing: true - - rename: - field: zeek.rdp.id.resp_p - target_field: destination.port - ignore_missing: true - - rename: - field: zeek.rdp.uid - target_field: zeek.session_id - ignore_missing: true - - set: - field: event.id - copy_from: zeek.session_id - if: ctx.zeek.session_id != null - - set: - field: source.ip - copy_from: source.address - if: ctx?.source?.address != null - - set: - field: destination.ip - copy_from: destination.address - if: 
ctx?.destination?.address != null - - rename: - field: zeek.rdp.client_build - target_field: zeek.rdp.client.build - ignore_missing: true - - rename: - field: zeek.rdp.client_name - target_field: zeek.rdp.client.name - ignore_missing: true - - rename: - field: zeek.rdp.client_dig_product_id - target_field: zeek.rdp.client.product_id - ignore_missing: true - - rename: - field: zeek.rdp.desktop_width - target_field: zeek.rdp.desktop.width - ignore_missing: true - - rename: - field: zeek.rdp.desktop_height - target_field: zeek.rdp.desktop.height - ignore_missing: true - - rename: - field: zeek.rdp.requested_color_depth - target_field: zeek.rdp.desktop.color_depth - ignore_missing: true - - rename: - field: zeek.rdp.cert_type - target_field: zeek.rdp.cert.type - ignore_missing: true - - rename: - field: zeek.rdp.cert_count - target_field: zeek.rdp.cert.count - ignore_missing: true - - rename: - field: zeek.rdp.cert_permanent - target_field: zeek.rdp.cert.permanent - ignore_missing: true - - rename: - field: zeek.rdp.encryption_level - target_field: zeek.rdp.encryption.level - ignore_missing: true - - rename: - field: zeek.rdp.encryption_method - target_field: zeek.rdp.encryption.method - ignore_missing: true - - date: - field: zeek.rdp.ts - formats: - - UNIX - - ISO8601 - - remove: - field: zeek.rdp.ts - - convert: - field: zeek.rdp.ssl - target_field: tls.established - type: boolean - ignore_missing: true - - geoip: - field: destination.ip - target_field: destination.geo - ignore_missing: true - - geoip: - field: source.ip - target_field: source.geo - ignore_missing: true - - geoip: - database_file: GeoLite2-ASN.mmdb - field: source.ip - target_field: source.as - properties: - - asn - - organization_name - ignore_missing: true - - geoip: - database_file: GeoLite2-ASN.mmdb - field: destination.ip - target_field: destination.as - properties: - - asn - - organization_name - ignore_missing: true - - rename: - field: source.as.asn - target_field: source.as.number - 
ignore_missing: true - - rename: - field: source.as.organization_name - target_field: source.as.organization.name - ignore_missing: true - - rename: - field: destination.as.asn - target_field: destination.as.number - ignore_missing: true - - rename: - field: destination.as.organization_name - target_field: destination.as.organization.name - ignore_missing: true - - append: - field: related.ip - value: "{{source.ip}}" - if: "ctx?.source?.ip != null" - allow_duplicates: false - - append: - field: related.ip - value: "{{destination.ip}}" - if: "ctx?.destination?.ip != null" - allow_duplicates: false - - community_id: - target_field: network.community_id - - remove: - field: - - zeek.rdp.id - ignore_missing: true - - remove: - field: event.original - if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" - ignore_failure: true - ignore_missing: true -on_failure: - - set: - field: error.message - value: "{{ _ingest.on_failure_message }}" diff --git a/packages/zeek/2.5.2/data_stream/rdp/elasticsearch/ingest_pipeline/third-party.yml b/packages/zeek/2.5.2/data_stream/rdp/elasticsearch/ingest_pipeline/third-party.yml deleted file mode 100755 index 5bc2247db2..0000000000 --- a/packages/zeek/2.5.2/data_stream/rdp/elasticsearch/ingest_pipeline/third-party.yml +++ /dev/null 
@@ -1,39 +0,0 @@ ---- -description: Pipeline for parsing Zeek logs from third party api -processors: - - fingerprint: - fields: - - _temp_.result._cd - - _temp_.result._indextime - - _temp_.result._raw - - _temp_.result._time - - _temp_.result.host - - _temp_.result.source - target_field: '_id' - ignore_missing: true - - set: - field: event.original - copy_from: _temp_.result._raw - ignore_empty_value: true - - set: - field: host.name - copy_from: _temp_.result.host - ignore_empty_value: true - - set: - copy_from: _temp_.result.source - field: log.file.path - ignore_empty_value: true - - remove: - field: _temp_ - ignore_missing: true - - json: - field: event.original - target_field: _temp_ -on_failure: - - append: - field: error.message - value: >- - error in third party api pipeline: - error in [{{_ingest.on_failure_processor_type}}] processor{{#_ingest.on_failure_processor_tag}} - with tag [{{_ingest.on_failure_processor_tag }}]{{/_ingest.on_failure_processor_tag}} - {{ _ingest.on_failure_message }} diff --git a/packages/zeek/2.5.2/data_stream/rdp/fields/agent.yml b/packages/zeek/2.5.2/data_stream/rdp/fields/agent.yml deleted file mode 100755 index ed1313d1b0..0000000000 --- a/packages/zeek/2.5.2/data_stream/rdp/fields/agent.yml +++ /dev/null 
@@ -1,171 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: "Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on." - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: "The cloud account or organization id used to identify different entities in a multi-tenant environment.\nExamples: AWS account id, Google Cloud ORG Id, or other unique identifier." - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: "Container fields are used for meta information about the specific container that is the source of information.\nThese fields help correlate data based containers from any runtime." - type: group - fields: - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: "A host is defined as a general computing instance.\nECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes." - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: "Name of the domain of which the host is a member.\nFor example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider." - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: "Hostname of the host.\nIt normally contains what the `hostname` command returns on the host machine." - - name: id - level: core - type: keyword - ignore_above: 1024 - description: "Unique host id.\nAs hostname is not always unique, use values that are meaningful in your environment.\nExample: The current usage of `beat.name`." - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. 
- - name: name - level: core - type: keyword - ignore_above: 1024 - description: "Name of the host.\nIt can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use." - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: "Type of host.\nFor Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment." - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - diff --git a/packages/zeek/2.5.2/data_stream/rdp/fields/base-fields.yml b/packages/zeek/2.5.2/data_stream/rdp/fields/base-fields.yml deleted file mode 100755 index 4fae2e698d..0000000000 --- a/packages/zeek/2.5.2/data_stream/rdp/fields/base-fields.yml +++ /dev/null 
@@ -1,20 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: event.module - type: constant_keyword - description: Event module - value: zeek -- name: event.dataset - type: constant_keyword - description: Event dataset - value: zeek.rdp -- name: '@timestamp' - type: date - description: Event timestamp. diff --git a/packages/zeek/2.5.2/data_stream/rdp/fields/beats.yml b/packages/zeek/2.5.2/data_stream/rdp/fields/beats.yml deleted file mode 100755 index 470f5fae48..0000000000 --- a/packages/zeek/2.5.2/data_stream/rdp/fields/beats.yml +++ /dev/null @@ -1,23 +0,0 @@ -- description: Unique container id. - ignore_above: 1024 - name: container.id - type: keyword -- description: Type of Filebeat input. - name: input.type - type: keyword -- description: Full path to the log file this event came from. - example: /var/log/fun-times.log - ignore_above: 1024 - name: log.file.path - type: keyword -- description: Flags for the log file. - name: log.flags - type: keyword -- description: Offset of the entry in the log file. - name: log.offset - type: long -- description: List of keywords used to tag each event. - example: '["production", "env2"]' - ignore_above: 1024 - name: tags - type: keyword diff --git a/packages/zeek/2.5.2/data_stream/rdp/fields/ecs.yml b/packages/zeek/2.5.2/data_stream/rdp/fields/ecs.yml deleted file mode 100755 index e5b48f0f7f..0000000000 --- a/packages/zeek/2.5.2/data_stream/rdp/fields/ecs.yml +++ /dev/null 
@@ -1,168 +0,0 @@ -- description: |- - Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: destination.address - type: keyword -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: destination.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: destination.as.organization.name - type: keyword -- description: City name. - name: destination.geo.city_name - type: keyword -- description: Name of the continent. - name: destination.geo.continent_name - type: keyword -- description: Country ISO code. - name: destination.geo.country_iso_code - type: keyword -- description: Country name. - name: destination.geo.country_name - type: keyword -- description: Longitude and latitude. - name: destination.geo.location - type: geo_point -- description: |- - User-defined description of a location, at the level of granularity they care about. - Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. - Not typically used in automated geolocation. - name: destination.geo.name - type: keyword -- description: Region ISO code. - name: destination.geo.region_iso_code - type: keyword -- description: Region name. - name: destination.geo.region_name - type: keyword -- description: IP address of the destination (IPv4 or IPv6). - name: destination.ip - type: ip -- description: Port of the destination. - name: destination.port - type: long -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. 
- When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: Error message. - name: error.message - type: match_only_text -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. This will allow proper categorization of some events that fall in multiple categories. - name: event.category - normalize: - - array - type: keyword -- description: |- - event.created contains the date/time when the event was first read by an agent, or by your pipeline. - This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. - In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. - In case the two timestamps are identical, @timestamp should be used. - name: event.created - type: date -- description: Unique ID to describe the event. - name: event.id - type: keyword -- description: |- - Timestamp when an event arrived in the central data store. - This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. - In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. 
- name: event.ingested - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. - `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. This will allow proper categorization of some events that fall in multiple event types. - name: event.type - normalize: - - array - type: keyword -- description: Host ip addresses. - name: host.ip - normalize: - - array - type: ip -- description: |- - A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. - Learn more at https://github.com/corelight/community-id-spec. - name: network.community_id - type: keyword -- description: |- - In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. - The field value must be normalized to lowercase for querying. - name: network.protocol - type: keyword -- description: |- - Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) - The field value must be normalized to lowercase for querying. 
- name: network.transport - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - normalize: - - array - type: ip -- description: |- - Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: source.address - type: keyword -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: source.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: source.as.organization.name - type: keyword -- description: City name. - name: source.geo.city_name - type: keyword -- description: Name of the continent. - name: source.geo.continent_name - type: keyword -- description: Country ISO code. - name: source.geo.country_iso_code - type: keyword -- description: Country name. - name: source.geo.country_name - type: keyword -- description: Longitude and latitude. - name: source.geo.location - type: geo_point -- description: |- - User-defined description of a location, at the level of granularity they care about. - Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. - Not typically used in automated geolocation. - name: source.geo.name - type: keyword -- description: Region ISO code. - name: source.geo.region_iso_code - type: keyword -- description: Region name. - name: source.geo.region_name - type: keyword -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: Port of the source. - name: source.port - type: long -- description: Boolean flag indicating if the TLS negotiation was successful and transitioned to an encrypted tunnel. - name: tls.established - type: boolean 
diff --git a/packages/zeek/2.5.2/data_stream/rdp/fields/fields.yml b/packages/zeek/2.5.2/data_stream/rdp/fields/fields.yml deleted file mode 100755 index 379d00eb00..0000000000 --- a/packages/zeek/2.5.2/data_stream/rdp/fields/fields.yml +++ /dev/null 
@@ -1,84 +0,0 @@ -- name: zeek.rdp - type: group - fields: - - name: cookie - type: keyword - description: | - Cookie value used by the client machine. This is typically a username. - - name: result - type: keyword - description: | - Status result for the connection. It's a mix between RDP negotation failure messages and GCC server create response messages. - - name: security_protocol - type: keyword - description: | - Security protocol chosen by the server. - - name: keyboard_layout - type: keyword - description: | - Keyboard layout (language) of the client machine. - - name: client - type: group - fields: - - name: build - type: keyword - description: | - RDP client version used by the client machine. - - name: client_name - type: keyword - description: | - Name of the client machine. - - name: product_id - type: keyword - description: | - Product ID of the client machine. - - name: desktop - type: group - fields: - - name: width - type: integer - description: | - Desktop width of the client machine. - - name: height - type: integer - description: | - Desktop height of the client machine. - - name: color_depth - type: keyword - description: | - The color depth requested by the client in the high_color_depth field. - - name: cert - type: group - fields: - - name: type - type: keyword - description: | - If the connection is being encrypted with native RDP encryption, this is the type of cert being used. - - name: count - type: integer - description: | - The number of certs seen. X.509 can transfer an entire certificate chain. - - name: permanent - type: boolean - description: | - Indicates if the provided certificate or certificate chain is permanent or temporary. - - name: encryption - type: group - fields: - - name: level - type: keyword - description: | - Encryption level of the connection. - - name: method - type: keyword - description: | - Encryption method of the connection. 
- - name: done - type: boolean - description: | - Track status of logging RDP connections. - - name: ssl - type: boolean - description: | - (present if policy/protocols/rdp/indicate_ssl.bro is loaded) - Flag the connection if it was seen over SSL. diff --git a/packages/zeek/2.5.2/data_stream/rdp/fields/package-fields.yml b/packages/zeek/2.5.2/data_stream/rdp/fields/package-fields.yml deleted file mode 100755 index 4d6d6ea170..0000000000 --- a/packages/zeek/2.5.2/data_stream/rdp/fields/package-fields.yml +++ /dev/null @@ -1,7 +0,0 @@ -- name: zeek - type: group - fields: - - name: session_id - type: keyword - description: | - A unique identifier of the session diff --git a/packages/zeek/2.5.2/data_stream/rdp/manifest.yml b/packages/zeek/2.5.2/data_stream/rdp/manifest.yml deleted file mode 100755 index 02303490ed..0000000000 --- a/packages/zeek/2.5.2/data_stream/rdp/manifest.yml +++ /dev/null 
@@ -1,85 +0,0 @@ -type: logs -title: Zeek rdp logs -streams: - - input: logfile - vars: - - name: filenames - type: text - title: Filename of rdp log file - multi: true - required: true - show_user: true - default: - - rdp.log - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: false - default: - - forwarded - - zeek-rdp - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original` - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: > - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. - - template_path: log.yml.hbs - title: Zeek rdp.log - description: Collect Zeek rdp logs - - input: httpjson - title: Zeek rdp logs via Splunk Enterprise REST API - description: Collect Zeek rdp logs via Splunk Enterprise REST API - enabled: false - template_path: httpjson.yml.hbs - vars: - - name: interval - type: text - title: Interval to query Splunk Enterprise REST API - description: Go Duration syntax (eg. 
10s) - show_user: true - required: true - default: 10s - - name: search - type: text - title: Splunk search string - show_user: true - required: true - default: "search sourcetype=\"rdp-*\"" - - name: tags - type: text - title: Tags - multi: true - show_user: false - default: - - forwarded - - zeek-rdp - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original` - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: >- - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. diff --git a/packages/zeek/2.5.2/data_stream/rfb/agent/stream/httpjson.yml.hbs b/packages/zeek/2.5.2/data_stream/rfb/agent/stream/httpjson.yml.hbs deleted file mode 100755 index 33f251e7d6..0000000000 --- a/packages/zeek/2.5.2/data_stream/rfb/agent/stream/httpjson.yml.hbs +++ /dev/null 
@@ -1,63 +0,0 @@ -config_version: 2 -interval: {{interval}} -{{#unless token}} -{{#if username}} -{{#if password}} -auth.basic.user: {{username}} -auth.basic.password: {{password}} -{{/if}} -{{/if}} -{{/unless}} -cursor: - index_earliest: - value: '[[.last_event.result.max_indextime]]' -request.url: {{url}}/services/search/jobs/export -{{#if ssl}} -request.ssl: {{ssl}} -{{/if}} -request.method: POST -request.transforms: - - set: - target: url.params.search - value: {{search}} | streamstats max(_indextime) AS max_indextime - - set: - target: url.params.output_mode - value: "json" - - set: - target: url.params.index_earliest - value: '[[ .cursor.index_earliest ]]' - default: '[[(now (parseDuration "-{{interval}}")).Unix]]' - - set: - target: url.params.index_latest - value: '[[(now).Unix]]' - - set: - target: header.Content-Type - value: application/x-www-form-urlencoded -{{#unless username}} -{{#unless password}} -{{#if token}} - - set: - target: header.Authorization - value: {{token}} -{{/if}} -{{/unless}} -{{/unless}} -response.decode_as: application/x-ndjson -response.split: - target: body.result._raw - type: string - delimiter: "\n" -tags: -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#each tags as |tag i|}} - - {{tag}} -{{/each}} -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} -{{#if processors}} -processors: -{{processors}} -{{/if}} diff --git a/packages/zeek/2.5.2/data_stream/rfb/agent/stream/log.yml.hbs b/packages/zeek/2.5.2/data_stream/rfb/agent/stream/log.yml.hbs deleted file mode 100755 index 9dd9f724a5..0000000000 --- a/packages/zeek/2.5.2/data_stream/rfb/agent/stream/log.yml.hbs +++ /dev/null 
@@ -1,21 +0,0 @@ -paths: -{{#each base_paths}} - {{#each ../filenames}} - - {{../this}}/{{this}} - {{/each}} -{{/each}} -exclude_files: [".gz$"] -tags: -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#each tags as |tag i|}} - - {{tag}} -{{/each}} -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} -{{#if processors}} -processors: -{{processors}} -{{/if}} diff --git a/packages/zeek/2.5.2/data_stream/rfb/elasticsearch/ingest_pipeline/default.yml b/packages/zeek/2.5.2/data_stream/rfb/elasticsearch/ingest_pipeline/default.yml deleted file mode 100755 index 9c770ab56a..0000000000 --- a/packages/zeek/2.5.2/data_stream/rfb/elasticsearch/ingest_pipeline/default.yml +++ /dev/null 
@@ -1,188 +0,0 @@ ---- -description: Pipeline for normalizing Zeek rfb.log -processors: - - rename: - field: message - target_field: event.original - - json: - field: event.original - target_field: _temp_ - - pipeline: - if: ctx?._temp_?.result != null - name: '{{ IngestPipeline "third-party" }}' - - drop: - description: Drop if no timestamp (invalid json) - if: 'ctx?._temp_?.ts == null' - - rename: - field: _temp_ - target_field: zeek.rfb - -# Sets event.created from the @timestamp field generated by filebeat before being overwritten further down - - set: - field: event.created - copy_from: "@timestamp" - - set: - field: event.kind - value: event - - set: - field: ecs.version - value: '8.4.0' - - append: - field: event.category - value: network - - append: - field: event.type - value: connection - - append: - field: event.type - value: info - - set: - field: network.transport - value: tcp - - set: - field: network.protocol - value: rfb - - dot_expander: - path: zeek.rfb - field: id.orig_p - ignore_failure: true - - dot_expander: - path: zeek.rfb - field: id.orig_h - ignore_failure: true - - dot_expander: - path: zeek.rfb - field: id.resp_h - ignore_failure: true - - dot_expander: - path: zeek.rfb - field: id.resp_p - ignore_failure: true - - rename: - field: zeek.rfb.id.orig_h - target_field: source.address - ignore_missing: true - - rename: - field: zeek.rfb.id.orig_p - target_field: source.port - ignore_missing: true - - rename: - field: zeek.rfb.id.resp_h - target_field: destination.address - ignore_missing: true - - rename: - field: zeek.rfb.id.resp_p - target_field: destination.port - ignore_missing: true - - rename: - field: zeek.rfb.uid - target_field: zeek.session_id - ignore_missing: true - - set: - field: event.id - copy_from: zeek.session_id - if: ctx.zeek.session_id != null - - set: - field: source.ip - copy_from: source.address - if: ctx?.source?.address != null - - set: - field: destination.ip - copy_from: destination.address - if: 
ctx?.destination?.address != null - - rename: - field: zeek.rfb.client_major_version - target_field: zeek.rfb.version.client.major - ignore_missing: true - - rename: - field: zeek.rfb.client_minor_version - target_field: zeek.rfb.version.client.minor - ignore_missing: true - - rename: - field: zeek.rfb.server_major_version - target_field: zeek.rfb.version.server.major - ignore_missing: true - - rename: - field: zeek.rfb.server_minor_version - target_field: zeek.rfb.version.server.minor - ignore_missing: true - - rename: - field: zeek.rfb.auth - target_field: zeek.rfb.auth.success - ignore_missing: true - - rename: - field: zeek.rfb.authentication_method - target_field: zeek.rfb.auth.method - ignore_missing: true - - date: - field: zeek.rfb.ts - formats: - - UNIX - - ISO8601 - - remove: - field: zeek.rfb.ts - - append: - field: related.ip - value: "{{source.ip}}" - if: "ctx?.source?.ip != null" - allow_duplicates: false - - append: - field: related.ip - value: "{{destination.ip}}" - if: "ctx?.destination?.ip != null" - allow_duplicates: false - - geoip: - field: destination.ip - target_field: destination.geo - ignore_missing: true - - geoip: - field: source.ip - target_field: source.geo - ignore_missing: true - - geoip: - database_file: GeoLite2-ASN.mmdb - field: source.ip - target_field: source.as - properties: - - asn - - organization_name - ignore_missing: true - - geoip: - database_file: GeoLite2-ASN.mmdb - field: destination.ip - target_field: destination.as - properties: - - asn - - organization_name - ignore_missing: true - - rename: - field: source.as.asn - target_field: source.as.number - ignore_missing: true - - rename: - field: source.as.organization_name - target_field: source.as.organization.name - ignore_missing: true - - rename: - field: destination.as.asn - target_field: destination.as.number - ignore_missing: true - - rename: - field: destination.as.organization_name - target_field: destination.as.organization.name - ignore_missing: true - - 
community_id: - target_field: network.community_id - - remove: - field: - - zeek.rfb.id - ignore_missing: true - - remove: - field: event.original - if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" - ignore_failure: true - ignore_missing: true -on_failure: - - set: - field: error.message - value: "{{ _ingest.on_failure_message }}" diff --git a/packages/zeek/2.5.2/data_stream/rfb/elasticsearch/ingest_pipeline/third-party.yml b/packages/zeek/2.5.2/data_stream/rfb/elasticsearch/ingest_pipeline/third-party.yml deleted file mode 100755 index 5bc2247db2..0000000000 --- a/packages/zeek/2.5.2/data_stream/rfb/elasticsearch/ingest_pipeline/third-party.yml +++ /dev/null @@ -1,39 +0,0 @@ ---- -description: Pipeline for parsing Zeek logs from third party api -processors: - - fingerprint: - fields: - - _temp_.result._cd - - _temp_.result._indextime - - _temp_.result._raw - - _temp_.result._time - - _temp_.result.host - - _temp_.result.source - target_field: '_id' - ignore_missing: true - - set: - field: event.original - copy_from: _temp_.result._raw - ignore_empty_value: true - - set: - field: host.name - copy_from: _temp_.result.host - ignore_empty_value: true - - set: - copy_from: _temp_.result.source - field: log.file.path - ignore_empty_value: true - - remove: - field: _temp_ - ignore_missing: true - - json: - field: event.original - target_field: _temp_ -on_failure: - - append: - field: error.message - value: >- - error in third party api pipeline: - error in [{{_ingest.on_failure_processor_type}}] processor{{#_ingest.on_failure_processor_tag}} - with tag [{{_ingest.on_failure_processor_tag }}]{{/_ingest.on_failure_processor_tag}} - {{ _ingest.on_failure_message }} diff --git a/packages/zeek/2.5.2/data_stream/rfb/fields/agent.yml b/packages/zeek/2.5.2/data_stream/rfb/fields/agent.yml deleted file mode 100755 index ed1313d1b0..0000000000 --- a/packages/zeek/2.5.2/data_stream/rfb/fields/agent.yml +++ /dev/null 
@@ -1,171 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: "Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on." - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: "The cloud account or organization id used to identify different entities in a multi-tenant environment.\nExamples: AWS account id, Google Cloud ORG Id, or other unique identifier." - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: "Container fields are used for meta information about the specific container that is the source of information.\nThese fields help correlate data based containers from any runtime." - type: group - fields: - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: "A host is defined as a general computing instance.\nECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes." - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: "Name of the domain of which the host is a member.\nFor example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider." - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: "Hostname of the host.\nIt normally contains what the `hostname` command returns on the host machine." - - name: id - level: core - type: keyword - ignore_above: 1024 - description: "Unique host id.\nAs hostname is not always unique, use values that are meaningful in your environment.\nExample: The current usage of `beat.name`." - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. 
- - name: name - level: core - type: keyword - ignore_above: 1024 - description: "Name of the host.\nIt can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use." - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: "Type of host.\nFor Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment." - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - diff --git a/packages/zeek/2.5.2/data_stream/rfb/fields/base-fields.yml b/packages/zeek/2.5.2/data_stream/rfb/fields/base-fields.yml deleted file mode 100755 index 0908f5c5ed..0000000000 --- a/packages/zeek/2.5.2/data_stream/rfb/fields/base-fields.yml +++ /dev/null 
@@ -1,20 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: event.module - type: constant_keyword - description: Event module - value: zeek -- name: event.dataset - type: constant_keyword - description: Event dataset - value: zeek.rfb -- name: '@timestamp' - type: date - description: Event timestamp. diff --git a/packages/zeek/2.5.2/data_stream/rfb/fields/beats.yml b/packages/zeek/2.5.2/data_stream/rfb/fields/beats.yml deleted file mode 100755 index 470f5fae48..0000000000 --- a/packages/zeek/2.5.2/data_stream/rfb/fields/beats.yml +++ /dev/null @@ -1,23 +0,0 @@ -- description: Unique container id. - ignore_above: 1024 - name: container.id - type: keyword -- description: Type of Filebeat input. - name: input.type - type: keyword -- description: Full path to the log file this event came from. - example: /var/log/fun-times.log - ignore_above: 1024 - name: log.file.path - type: keyword -- description: Flags for the log file. - name: log.flags - type: keyword -- description: Offset of the entry in the log file. - name: log.offset - type: long -- description: List of keywords used to tag each event. - example: '["production", "env2"]' - ignore_above: 1024 - name: tags - type: keyword diff --git a/packages/zeek/2.5.2/data_stream/rfb/fields/ecs.yml b/packages/zeek/2.5.2/data_stream/rfb/fields/ecs.yml deleted file mode 100755 index 12fe1b3f04..0000000000 --- a/packages/zeek/2.5.2/data_stream/rfb/fields/ecs.yml +++ /dev/null 
@@ -1,165 +0,0 @@ -- description: |- - Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: destination.address - type: keyword -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: destination.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: destination.as.organization.name - type: keyword -- description: City name. - name: destination.geo.city_name - type: keyword -- description: Name of the continent. - name: destination.geo.continent_name - type: keyword -- description: Country ISO code. - name: destination.geo.country_iso_code - type: keyword -- description: Country name. - name: destination.geo.country_name - type: keyword -- description: Longitude and latitude. - name: destination.geo.location - type: geo_point -- description: |- - User-defined description of a location, at the level of granularity they care about. - Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. - Not typically used in automated geolocation. - name: destination.geo.name - type: keyword -- description: Region ISO code. - name: destination.geo.region_iso_code - type: keyword -- description: Region name. - name: destination.geo.region_name - type: keyword -- description: IP address of the destination (IPv4 or IPv6). - name: destination.ip - type: ip -- description: Port of the destination. - name: destination.port - type: long -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. 
- When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: Error message. - name: error.message - type: match_only_text -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. This will allow proper categorization of some events that fall in multiple categories. - name: event.category - normalize: - - array - type: keyword -- description: |- - event.created contains the date/time when the event was first read by an agent, or by your pipeline. - This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. - In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. - In case the two timestamps are identical, @timestamp should be used. - name: event.created - type: date -- description: Unique ID to describe the event. - name: event.id - type: keyword -- description: |- - Timestamp when an event arrived in the central data store. - This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. - In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. 
- name: event.ingested - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. - `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. This will allow proper categorization of some events that fall in multiple event types. - name: event.type - normalize: - - array - type: keyword -- description: Host ip addresses. - name: host.ip - normalize: - - array - type: ip -- description: |- - A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. - Learn more at https://github.com/corelight/community-id-spec. - name: network.community_id - type: keyword -- description: |- - In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. - The field value must be normalized to lowercase for querying. - name: network.protocol - type: keyword -- description: |- - Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) - The field value must be normalized to lowercase for querying. 
- name: network.transport - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - normalize: - - array - type: ip -- description: |- - Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: source.address - type: keyword -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: source.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: source.as.organization.name - type: keyword -- description: City name. - name: source.geo.city_name - type: keyword -- description: Name of the continent. - name: source.geo.continent_name - type: keyword -- description: Country ISO code. - name: source.geo.country_iso_code - type: keyword -- description: Country name. - name: source.geo.country_name - type: keyword -- description: Longitude and latitude. - name: source.geo.location - type: geo_point -- description: |- - User-defined description of a location, at the level of granularity they care about. - Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. - Not typically used in automated geolocation. - name: source.geo.name - type: keyword -- description: Region ISO code. - name: source.geo.region_iso_code - type: keyword -- description: Region name. - name: source.geo.region_name - type: keyword -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: Port of the source. - name: source.port - type: long 
diff --git a/packages/zeek/2.5.2/data_stream/rfb/fields/fields.yml b/packages/zeek/2.5.2/data_stream/rfb/fields/fields.yml deleted file mode 100755 index 77fe1df108..0000000000 --- a/packages/zeek/2.5.2/data_stream/rfb/fields/fields.yml +++ /dev/null @@ -1,55 +0,0 @@ -- name: zeek.rfb - type: group - fields: - - name: version - type: group - fields: - - name: client - type: group - fields: - - name: major - type: keyword - description: | - Major version of the client. - - name: minor - type: keyword - description: | - Minor version of the client. - - name: server - type: group - fields: - - name: major - type: keyword - description: | - Major version of the server. - - name: minor - type: keyword - description: | - Minor version of the server. - - name: auth - type: group - fields: - - name: success - type: boolean - description: | - Whether or not authentication was successful. - - name: method - type: keyword - description: | - Identifier of authentication method used. - - name: share_flag - type: boolean - description: | - Whether the client has an exclusive or a shared session. - - name: desktop_name - type: keyword - description: | - Name of the screen that is being shared. - - name: width - type: integer - description: | - Width of the screen that is being shared. - - name: height - type: integer - description: | - Height of the screen that is being shared. diff --git a/packages/zeek/2.5.2/data_stream/rfb/fields/package-fields.yml b/packages/zeek/2.5.2/data_stream/rfb/fields/package-fields.yml deleted file mode 100755 index 4d6d6ea170..0000000000 --- a/packages/zeek/2.5.2/data_stream/rfb/fields/package-fields.yml +++ /dev/null @@ -1,7 +0,0 @@ -- name: zeek - type: group - fields: - - name: session_id - type: keyword - description: | - A unique identifier of the session diff --git a/packages/zeek/2.5.2/data_stream/rfb/manifest.yml b/packages/zeek/2.5.2/data_stream/rfb/manifest.yml deleted file mode 100755 index b5513bb69d..0000000000 
--- a/packages/zeek/2.5.2/data_stream/rfb/manifest.yml +++ /dev/null 
@@ -1,85 +0,0 @@ -type: logs -title: Zeek rfb logs -streams: - - input: logfile - vars: - - name: filenames - type: text - title: Filename of rfb log file - multi: true - required: true - show_user: true - default: - - rfb.log - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: false - default: - - forwarded - - zeek-rfb - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original` - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: > - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. - - template_path: log.yml.hbs - title: Zeek rfb.log - description: Collect Zeek rfb logs - - input: httpjson - title: Zeek rfb logs via Splunk Enterprise REST API - description: Collect Zeek rfb logs via Splunk Enterprise REST API - enabled: false - template_path: httpjson.yml.hbs - vars: - - name: interval - type: text - title: Interval to query Splunk Enterprise REST API - description: Go Duration syntax (eg. 
10s) - show_user: true - required: true - default: 10s - - name: search - type: text - title: Splunk search string - show_user: true - required: true - default: "search sourcetype=\"rfb-*\"" - - name: tags - type: text - title: Tags - multi: true - show_user: false - default: - - forwarded - - zeek-rfb - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original` - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: >- - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. diff --git a/packages/zeek/2.5.2/data_stream/signature/agent/stream/httpjson.yml.hbs b/packages/zeek/2.5.2/data_stream/signature/agent/stream/httpjson.yml.hbs deleted file mode 100755 index 33f251e7d6..0000000000 --- a/packages/zeek/2.5.2/data_stream/signature/agent/stream/httpjson.yml.hbs +++ /dev/null 
@@ -1,63 +0,0 @@ -config_version: 2 -interval: {{interval}} -{{#unless token}} -{{#if username}} -{{#if password}} -auth.basic.user: {{username}} -auth.basic.password: {{password}} -{{/if}} -{{/if}} -{{/unless}} -cursor: - index_earliest: - value: '[[.last_event.result.max_indextime]]' -request.url: {{url}}/services/search/jobs/export -{{#if ssl}} -request.ssl: {{ssl}} -{{/if}} -request.method: POST -request.transforms: - - set: - target: url.params.search - value: {{search}} | streamstats max(_indextime) AS max_indextime - - set: - target: url.params.output_mode - value: "json" - - set: - target: url.params.index_earliest - value: '[[ .cursor.index_earliest ]]' - default: '[[(now (parseDuration "-{{interval}}")).Unix]]' - - set: - target: url.params.index_latest - value: '[[(now).Unix]]' - - set: - target: header.Content-Type - value: application/x-www-form-urlencoded -{{#unless username}} -{{#unless password}} -{{#if token}} - - set: - target: header.Authorization - value: {{token}} -{{/if}} -{{/unless}} -{{/unless}} -response.decode_as: application/x-ndjson -response.split: - target: body.result._raw - type: string - delimiter: "\n" -tags: -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#each tags as |tag i|}} - - {{tag}} -{{/each}} -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} -{{#if processors}} -processors: -{{processors}} -{{/if}} diff --git a/packages/zeek/2.5.2/data_stream/signature/agent/stream/log.yml.hbs b/packages/zeek/2.5.2/data_stream/signature/agent/stream/log.yml.hbs deleted file mode 100755 index 9dd9f724a5..0000000000 --- a/packages/zeek/2.5.2/data_stream/signature/agent/stream/log.yml.hbs +++ /dev/null 
@@ -1,21 +0,0 @@
-paths:
-{{#each base_paths}}
- {{#each ../filenames}}
- - {{../this}}/{{this}}
- {{/each}}
-{{/each}}
-exclude_files: [".gz$"]
-tags:
-{{#if preserve_original_event}}
- - preserve_original_event
-{{/if}}
-{{#each tags as |tag i|}}
- - {{tag}}
-{{/each}}
-{{#contains "forwarded" tags}}
-publisher_pipeline.disable_host: true
-{{/contains}}
-{{#if processors}}
-processors:
-{{processors}}
-{{/if}}
diff --git a/packages/zeek/2.5.2/data_stream/signature/elasticsearch/ingest_pipeline/default.yml b/packages/zeek/2.5.2/data_stream/signature/elasticsearch/ingest_pipeline/default.yml
deleted file mode 100755
index 895425b2a3..0000000000
--- a/packages/zeek/2.5.2/data_stream/signature/elasticsearch/ingest_pipeline/default.yml
+++ /dev/null
@@ -1,149 +0,0 @@
----
-description: Pipeline for normalizing Zeek conn.log
-processors:
- - rename:
- field: message
- target_field: event.original
- - json:
- field: event.original
- target_field: _temp_
- - pipeline:
- if: ctx?._temp_?.result != null
- name: '{{ IngestPipeline "third-party" }}'
- - drop:
- description: Drop if no timestamp (invalid json)
- if: 'ctx?._temp_?.ts == null'
- - rename:
- field: _temp_
- target_field: zeek.signature
- ignore_failure: true
-
-# Sets event.created from the @timestamp field generated by filebeat before being overwritten further down
- - set:
- field: event.created
- copy_from: "@timestamp"
- - set:
- field: ecs.version
- value: '8.4.0'
- - set:
- field: event.kind
- value: alert
- - set:
- field: event.category
- value: network
- - rename:
- field: zeek.signature.src_addr
- target_field: source.address
- ignore_missing: true
- - rename:
- field: zeek.signature.src_port
- target_field: source.port
- ignore_missing: true
- - rename:
- field: zeek.signature.dst_addr
- target_field: destination.address
- ignore_missing: true
- - rename:
- field: zeek.signature.dst_port
- target_field: destination.port
- ignore_missing: true
- - rename:
- field: zeek.signature.uid
- target_field: zeek.session_id
- ignore_missing: true
- - rename:
- field: zeek.signature.sig_id
- target_field: rule.id
- ignore_missing: true
- - rename:
- field: zeek.signature.event_msg
- target_field: rule.description
- ignore_missing: true
- - set:
- field: source.ip
- copy_from: source.address
- if: ctx?.source?.address != null
- - set:
- field: destination.ip
- copy_from: destination.address
- if: ctx?.destination?.address != null
- - date:
- field: zeek.signature.ts
- formats:
- - UNIX
- - ISO8601
- - set:
- field: event.id
- copy_from: zeek.session_id
- if: ctx.zeek.session_id != null
- - set:
- field: network.type
- value: ipv4
- if: ctx.source?.ip.contains('.')
- - set:
- field: network.type
- value: ipv6
- if: ctx.source?.ip.contains(':')
- - append:
-
field: related.ip
- value: "{{source.ip}}"
- if: ctx?.source?.ip != null
- allow_duplicates: false
- - append:
- field: related.ip
- value: "{{destination.ip}}"
- if: ctx?.destination?.ip != null
- allow_duplicates: false
- - geoip:
- field: destination.ip
- target_field: destination.geo
- ignore_missing: true
- - geoip:
- field: source.ip
- target_field: source.geo
- ignore_missing: true
- - geoip:
- database_file: GeoLite2-ASN.mmdb
- field: source.ip
- target_field: source.as
- properties:
- - asn
- - organization_name
- ignore_missing: true
- - geoip:
- database_file: GeoLite2-ASN.mmdb
- field: destination.ip
- target_field: destination.as
- properties:
- - asn
- - organization_name
- ignore_missing: true
- - rename:
- field: source.as.asn
- target_field: source.as.number
- ignore_missing: true
- - rename:
- field: source.as.organization_name
- target_field: source.as.organization.name
- ignore_missing: true
- - rename:
- field: destination.as.asn
- target_field: destination.as.number
- ignore_missing: true
- - rename:
- field: destination.as.organization_name
- target_field: destination.as.organization.name
- ignore_missing: true
- - remove:
- field:
- - zeek.signature.ts
- ignore_missing: true
- - remove:
- field: event.original
- if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))"
- ignore_failure: true
- ignore_missing: true
-on_failure:
- - set:
- field: error.message
- value: "{{ _ingest.on_failure_message }}"
diff --git a/packages/zeek/2.5.2/data_stream/signature/elasticsearch/ingest_pipeline/third-party.yml b/packages/zeek/2.5.2/data_stream/signature/elasticsearch/ingest_pipeline/third-party.yml
deleted file mode 100755
index 5bc2247db2..0000000000
--- a/packages/zeek/2.5.2/data_stream/signature/elasticsearch/ingest_pipeline/third-party.yml
+++ /dev/null
@@ -1,39 +0,0 @@
----
-description: Pipeline for parsing Zeek logs from third party api
-processors:
- - fingerprint:
- fields:
- - _temp_.result._cd
- - _temp_.result._indextime
- - _temp_.result._raw
- - _temp_.result._time
- - _temp_.result.host
- - _temp_.result.source
- target_field: '_id'
- ignore_missing: true
- - set:
- field: event.original
- copy_from: _temp_.result._raw
- ignore_empty_value: true
- - set:
- field: host.name
- copy_from: _temp_.result.host
- ignore_empty_value: true
- - set:
- copy_from: _temp_.result.source
- field: log.file.path
- ignore_empty_value: true
- - remove:
- field: _temp_
- ignore_missing: true
- - json:
- field: event.original
- target_field: _temp_
-on_failure:
- - append:
- field: error.message
- value: >-
- error in third party api pipeline:
- error in [{{_ingest.on_failure_processor_type}}] processor{{#_ingest.on_failure_processor_tag}}
- with tag [{{_ingest.on_failure_processor_tag }}]{{/_ingest.on_failure_processor_tag}}
- {{ _ingest.on_failure_message }}
diff --git a/packages/zeek/2.5.2/data_stream/signature/fields/agent.yml b/packages/zeek/2.5.2/data_stream/signature/fields/agent.yml
deleted file mode 100755
index ed1313d1b0..0000000000
--- a/packages/zeek/2.5.2/data_stream/signature/fields/agent.yml
+++ /dev/null
@@ -1,171 +0,0 @@
-- name: cloud
- title: Cloud
- group: 2
- description: Fields related to the cloud or infrastructure the events are coming from.
- footnote: "Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on."
- type: group
- fields:
- - name: account.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: "The cloud account or organization id used to identify different entities in a multi-tenant environment.\nExamples: AWS account id, Google Cloud ORG Id, or other unique identifier."
- example: 666777888999
- - name: availability_zone
- level: extended
- type: keyword
- ignore_above: 1024
- description: Availability zone in which this host is running.
- example: us-east-1c
- - name: instance.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance ID of the host machine.
- example: i-1234567890abcdef0
- - name: instance.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance name of the host machine.
- - name: machine.type
- level: extended
- type: keyword
- ignore_above: 1024
- description: Machine type of the host machine.
- example: t2.medium
- - name: provider
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
- example: aws
- - name: region
- level: extended
- type: keyword
- ignore_above: 1024
- description: Region in which this host is running.
- example: us-east-1
- - name: project.id
- type: keyword
- description: Name of the project in Google Cloud.
- - name: image.id
- type: keyword
- description: Image ID for the cloud instance.
-- name: container
- title: Container
- group: 2
- description: "Container fields are used for meta information about the specific container that is the source of information.\nThese fields help correlate data based containers from any runtime."
- type: group
- fields:
- - name: image.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the image the container was built on.
- - name: labels
- level: extended
- type: object
- object_type: keyword
- description: Image labels.
- - name: name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Container name.
-- name: host
- title: Host
- group: 2
- description: "A host is defined as a general computing instance.\nECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes."
- type: group
- fields:
- - name: architecture
- level: core
- type: keyword
- ignore_above: 1024
- description: Operating system architecture.
- example: x86_64
- - name: domain
- level: extended
- type: keyword
- ignore_above: 1024
- description: "Name of the domain of which the host is a member.\nFor example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider."
- example: CONTOSO
- default_field: false
- - name: hostname
- level: core
- type: keyword
- ignore_above: 1024
- description: "Hostname of the host.\nIt normally contains what the `hostname` command returns on the host machine."
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: "Unique host id.\nAs hostname is not always unique, use values that are meaningful in your environment.\nExample: The current usage of `beat.name`."
- - name: mac
- level: core
- type: keyword
- ignore_above: 1024
- description: Host mac addresses.
- - name: name
- level: core
- type: keyword
- ignore_above: 1024
- description: "Name of the host.\nIt can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use."
- - name: os.family
- level: extended
- type: keyword
- ignore_above: 1024
- description: OS family (such as redhat, debian, freebsd, windows).
- example: debian
- - name: os.kernel
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system kernel version as a raw string.
- example: 4.4.0-112-generic
- - name: os.name
- level: extended
- type: keyword
- ignore_above: 1024
- multi_fields:
- - name: text
- type: text
- norms: false
- default_field: false
- description: Operating system name, without the version.
- example: Mac OS X
- - name: os.platform
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system platform (such centos, ubuntu, windows).
- example: darwin
- - name: os.version
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system version as a raw string.
- example: 10.14.1
- - name: type
- level: core
- type: keyword
- ignore_above: 1024
- description: "Type of host.\nFor Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment."
- - name: containerized
- type: boolean
- description: >
- If the host is a container.
-
- - name: os.build
- type: keyword
- example: "18D109"
- description: >
- OS build information.
-
- - name: os.codename
- type: keyword
- example: "stretch"
- description: >
- OS codename, if any.
-
diff --git a/packages/zeek/2.5.2/data_stream/signature/fields/base-fields.yml b/packages/zeek/2.5.2/data_stream/signature/fields/base-fields.yml
deleted file mode 100755
index a1d0bd61fd..0000000000
--- a/packages/zeek/2.5.2/data_stream/signature/fields/base-fields.yml
+++ /dev/null
@@ -1,20 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: event.module
- type: constant_keyword
- description: Event module
- value: zeek
-- name: event.dataset
- type: constant_keyword
- description: Event dataset
- value: zeek.signature
-- name: '@timestamp'
- type: date
- description: Event timestamp.
diff --git a/packages/zeek/2.5.2/data_stream/signature/fields/beats.yml b/packages/zeek/2.5.2/data_stream/signature/fields/beats.yml
deleted file mode 100755
index 470f5fae48..0000000000
--- a/packages/zeek/2.5.2/data_stream/signature/fields/beats.yml
+++ /dev/null
@@ -1,23 +0,0 @@
-- description: Unique container id.
- ignore_above: 1024
- name: container.id
- type: keyword
-- description: Type of Filebeat input.
- name: input.type
- type: keyword
-- description: Full path to the log file this event came from.
- example: /var/log/fun-times.log
- ignore_above: 1024
- name: log.file.path
- type: keyword
-- description: Flags for the log file.
- name: log.flags
- type: keyword
-- description: Offset of the entry in the log file.
- name: log.offset
- type: long
-- description: List of keywords used to tag each event.
- example: '["production", "env2"]'
- ignore_above: 1024
- name: tags
- type: keyword
diff --git a/packages/zeek/2.5.2/data_stream/signature/fields/ecs.yml b/packages/zeek/2.5.2/data_stream/signature/fields/ecs.yml
deleted file mode 100755
index 9f7bc4591d..0000000000
--- a/packages/zeek/2.5.2/data_stream/signature/fields/ecs.yml
+++ /dev/null
@@ -1,222 +0,0 @@ -- description: |- - Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: destination.address - type: keyword -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: destination.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: destination.as.organization.name - type: keyword -- description: Bytes sent from the destination to the source. - name: destination.bytes - type: long -- description: City name. - name: destination.geo.city_name - type: keyword -- description: Name of the continent. - name: destination.geo.continent_name - type: keyword -- description: Country ISO code. - name: destination.geo.country_iso_code - type: keyword -- description: Country name. - name: destination.geo.country_name - type: keyword -- description: Longitude and latitude. - name: destination.geo.location - type: geo_point -- description: |- - User-defined description of a location, at the level of granularity they care about. - Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. - Not typically used in automated geolocation. - name: destination.geo.name - type: keyword -- description: Region ISO code. - name: destination.geo.region_iso_code - type: keyword -- description: Region name. - name: destination.geo.region_name - type: keyword -- description: IP address of the destination (IPv4 or IPv6). - name: destination.ip - type: ip -- description: |- - MAC address of the destination. 
- The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. - name: destination.mac - pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ - type: keyword -- description: Packets sent from the destination to the source. - name: destination.packets - type: long -- description: Port of the destination. - name: destination.port - type: long -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: Error message. - name: error.message - type: match_only_text -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. This will allow proper categorization of some events that fall in multiple categories. - name: event.category - normalize: - - array - type: keyword -- description: |- - event.created contains the date/time when the event was first read by an agent, or by your pipeline. - This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. - In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. 
This can be used to monitor your agent's or pipeline's ability to keep up with your event source. - In case the two timestamps are identical, @timestamp should be used. - name: event.created - type: date -- description: |- - Duration of the event in nanoseconds. - If event.start and event.end are known this value should be the difference between the end and start time. - name: event.duration - type: long -- description: Unique ID to describe the event. - name: event.id - type: keyword -- description: |- - Timestamp when an event arrived in the central data store. - This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. - In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. - name: event.ingested - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. - `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. 
This will allow proper categorization of some events that fall in multiple event types. - name: event.type - normalize: - - array - type: keyword -- description: Host ip addresses. - name: host.ip - normalize: - - array - type: ip -- description: |- - Total bytes transferred in both directions. - If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. - name: network.bytes - type: long -- description: |- - A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. - Learn more at https://github.com/corelight/community-id-spec. - name: network.community_id - type: keyword -- description: |- - Direction of the network traffic. - When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". - When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". - Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. - name: network.direction - type: keyword -- description: |- - Total packets transferred in both directions. - If `source.packets` and `destination.packets` are known, `network.packets` is their sum. - name: network.packets - type: long -- description: |- - In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. - The field value must be normalized to lowercase for querying. 
- name: network.protocol - type: keyword -- description: |- - Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) - The field value must be normalized to lowercase for querying. - name: network.transport - type: keyword -- description: |- - In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc - The field value must be normalized to lowercase for querying. - name: network.type - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - normalize: - - array - type: ip -- description: |- - Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: source.address - type: keyword -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: source.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: source.as.organization.name - type: keyword -- description: Bytes sent from the source to the destination. - name: source.bytes - type: long -- description: City name. - name: source.geo.city_name - type: keyword -- description: Name of the continent. - name: source.geo.continent_name - type: keyword -- description: Country ISO code. - name: source.geo.country_iso_code - type: keyword -- description: Country name. - name: source.geo.country_name - type: keyword -- description: Longitude and latitude. - name: source.geo.location - type: geo_point -- description: |- - User-defined description of a location, at the level of granularity they care about. - Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. 
- Not typically used in automated geolocation. - name: source.geo.name - type: keyword -- description: Region ISO code. - name: source.geo.region_iso_code - type: keyword -- description: Region name. - name: source.geo.region_name - type: keyword -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: |- - MAC address of the source. - The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. - name: source.mac - pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ - type: keyword -- description: Packets sent from the source to the destination. - name: source.packets - type: long -- description: Port of the source. - name: source.port - type: long -- description: A rule ID that is unique within the scope of an agent, observer, or other entity using the rule for detection of this event. - name: rule.id - type: keyword -- description: The description of the rule generating the event. - name: rule.description - type: keyword diff --git a/packages/zeek/2.5.2/data_stream/signature/fields/fields.yml b/packages/zeek/2.5.2/data_stream/signature/fields/fields.yml deleted file mode 100755 index 6b3043bf65..0000000000 --- a/packages/zeek/2.5.2/data_stream/signature/fields/fields.yml +++ /dev/null 
@@ -1,36 +0,0 @@
-- name: zeek.signature
- type: group
- default_field: false
- description: >
- Fields exported by the Zeek Signature log.
-
- fields:
- - name: note
- type: keyword
- description: >
- Notice associated with signature event.
-
- - name: sig_id
- type: keyword
- description: >
- The name of the signature that matched.
-
- - name: event_msg
- type: keyword
- description: >
- A more descriptive message of the signature-matching event.
-
- - name: sub_msg
- type: keyword
- description: >
- Extracted payload data or extra message.
-
- - name: sig_count
- type: integer
- description: >
- Number of sigs, usually from summary count.
-
- - name: host_count
- type: integer
- description: >-
- Number of hosts, from a summary count.
diff --git a/packages/zeek/2.5.2/data_stream/signature/fields/package-fields.yml b/packages/zeek/2.5.2/data_stream/signature/fields/package-fields.yml
deleted file mode 100755
index 4d6d6ea170..0000000000
--- a/packages/zeek/2.5.2/data_stream/signature/fields/package-fields.yml
+++ /dev/null
@@ -1,7 +0,0 @@
-- name: zeek
- type: group
- fields:
- - name: session_id
- type: keyword
- description: |
- A unique identifier of the session
diff --git a/packages/zeek/2.5.2/data_stream/signature/manifest.yml b/packages/zeek/2.5.2/data_stream/signature/manifest.yml
deleted file mode 100755
index bd9ca42ed4..0000000000
--- a/packages/zeek/2.5.2/data_stream/signature/manifest.yml
+++ /dev/null
@@ -1,85 +0,0 @@
-type: logs
-title: Zeek signature logs
-streams:
- - input: logfile
- template_path: log.yml.hbs
- title: Zeek signature.log
- description: Collect Zeek signature logs
- vars:
- - name: filenames
- type: text
- title: Filename of signature log
- multi: true
- required: true
- show_user: true
- default:
- - signature.log
- - name: tags
- type: text
- title: Tags
- multi: true
- required: true
- show_user: false
- default:
- - forwarded
- - zeek-signature
- - name: preserve_original_event
- required: true
- show_user: true
- title: Preserve original event
- description: Preserves a raw copy of the original event, added to the field `event.original`
- type: bool
- multi: false
- default: false
- - name: processors
- type: yaml
- title: Processors
- multi: false
- required: false
- show_user: false
- description: >
- Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
-
- - input: httpjson
- title: Zeek signature logs via Splunk Enterprise REST API
- description: Collect Zeek signature logs via Splunk Enterprise REST API
- enabled: false
- template_path: httpjson.yml.hbs
- vars:
- - name: interval
- type: text
- title: Interval to query Splunk Enterprise REST API
- description: Go Duration syntax (eg.
10s)
- show_user: true
- required: true
- default: 10s
- - name: search
- type: text
- title: Splunk search string
- show_user: true
- required: true
- default: "search sourcetype=\"signature-*\""
- - name: tags
- type: text
- title: Tags
- multi: true
- show_user: false
- default:
- - forwarded
- - zeek-signature
- - name: preserve_original_event
- required: true
- show_user: true
- title: Preserve original event
- description: Preserves a raw copy of the original event, added to the field `event.original`
- type: bool
- multi: false
- default: false
- - name: processors
- type: yaml
- title: Processors
- multi: false
- required: false
- show_user: false
- description: >-
- Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
diff --git a/packages/zeek/2.5.2/data_stream/sip/agent/stream/httpjson.yml.hbs b/packages/zeek/2.5.2/data_stream/sip/agent/stream/httpjson.yml.hbs
deleted file mode 100755
index 33f251e7d6..0000000000
--- a/packages/zeek/2.5.2/data_stream/sip/agent/stream/httpjson.yml.hbs
+++ /dev/null
@@ -1,63 +0,0 @@
-config_version: 2
-interval: {{interval}}
-{{#unless token}}
-{{#if username}}
-{{#if password}}
-auth.basic.user: {{username}}
-auth.basic.password: {{password}}
-{{/if}}
-{{/if}}
-{{/unless}}
-cursor:
- index_earliest:
- value: '[[.last_event.result.max_indextime]]'
-request.url: {{url}}/services/search/jobs/export
-{{#if ssl}}
-request.ssl: {{ssl}}
-{{/if}}
-request.method: POST
-request.transforms:
- - set:
- target: url.params.search
- value: {{search}} | streamstats max(_indextime) AS max_indextime
- - set:
- target: url.params.output_mode
- value: "json"
- - set:
- target: url.params.index_earliest
- value: '[[ .cursor.index_earliest ]]'
- default: '[[(now (parseDuration "-{{interval}}")).Unix]]'
- - set:
- target: url.params.index_latest
- value: '[[(now).Unix]]'
- - set:
- target: header.Content-Type
- value: application/x-www-form-urlencoded
-{{#unless username}}
-{{#unless password}}
-{{#if token}}
- - set:
- target: header.Authorization
- value: {{token}}
-{{/if}}
-{{/unless}}
-{{/unless}}
-response.decode_as: application/x-ndjson
-response.split:
- target: body.result._raw
- type: string
- delimiter: "\n"
-tags:
-{{#if preserve_original_event}}
- - preserve_original_event
-{{/if}}
-{{#each tags as |tag i|}}
- - {{tag}}
-{{/each}}
-{{#contains "forwarded" tags}}
-publisher_pipeline.disable_host: true
-{{/contains}}
-{{#if processors}}
-processors:
-{{processors}}
-{{/if}}
diff --git a/packages/zeek/2.5.2/data_stream/sip/agent/stream/log.yml.hbs b/packages/zeek/2.5.2/data_stream/sip/agent/stream/log.yml.hbs
deleted file mode 100755
index 9dd9f724a5..0000000000
--- a/packages/zeek/2.5.2/data_stream/sip/agent/stream/log.yml.hbs
+++ /dev/null
@@ -1,21 +0,0 @@
-paths:
-{{#each base_paths}}
- {{#each ../filenames}}
- - {{../this}}/{{this}}
- {{/each}}
-{{/each}}
-exclude_files: [".gz$"]
-tags:
-{{#if preserve_original_event}}
- - preserve_original_event
-{{/if}}
-{{#each tags as |tag i|}}
- - {{tag}}
-{{/each}}
-{{#contains "forwarded" tags}}
-publisher_pipeline.disable_host: true
-{{/contains}}
-{{#if processors}}
-processors:
-{{processors}}
-{{/if}}
diff --git a/packages/zeek/2.5.2/data_stream/sip/elasticsearch/ingest_pipeline/default.yml b/packages/zeek/2.5.2/data_stream/sip/elasticsearch/ingest_pipeline/default.yml
deleted file mode 100755
index 033498f9b8..0000000000
--- a/packages/zeek/2.5.2/data_stream/sip/elasticsearch/ingest_pipeline/default.yml
+++ /dev/null
@@ -1,240 +0,0 @@ ---- -description: Pipeline for normalizing Zeek sip.log -processors: - - rename: - field: message - target_field: event.original - - json: - field: event.original - target_field: _temp_ - - pipeline: - if: ctx?._temp_?.result != null - name: '{{ IngestPipeline "third-party" }}' - - drop: - description: Drop if no timestamp (invalid json) - if: 'ctx?._temp_?.ts == null' - - rename: - field: _temp_ - target_field: zeek.sip - -# Sets event.created from the @timestamp field generated by filebeat before being overwritten further down - - set: - field: event.created - copy_from: "@timestamp" - - set: - field: event.kind - value: event - - set: - field: ecs.version - value: '8.4.0' - - append: - field: event.category - value: network - - append: - field: event.type - value: connection - - append: - field: event.type - value: protocol - - set: - field: network.transport - value: udp - - set: - field: network.protocol - value: sip - - dot_expander: - path: zeek.sip - field: id.orig_p - ignore_failure: true - - dot_expander: - path: zeek.sip - field: id.orig_h - ignore_failure: true - - dot_expander: - path: zeek.sip - field: id.resp_h - ignore_failure: true - - dot_expander: - path: zeek.sip - field: id.resp_p - ignore_failure: true - - rename: - field: zeek.sip.id.orig_h - target_field: source.address - ignore_missing: true - - rename: - field: zeek.sip.id.orig_p - target_field: source.port - ignore_missing: true - - rename: - field: zeek.sip.id.resp_h - target_field: destination.address - ignore_missing: true - - rename: - field: zeek.sip.id.resp_p - target_field: destination.port - ignore_missing: true - - rename: - field: zeek.sip.uid - target_field: zeek.session_id - ignore_missing: true - - set: - field: event.id - copy_from: zeek.session_id - if: ctx.zeek.session_id != null - - set: - field: source.ip - copy_from: source.address - if: ctx?.source?.address != null - - set: - field: destination.ip - copy_from: destination.address - if: 
ctx?.destination?.address != null - - rename: - field: zeek.sip.trans_depth - target_field: zeek.sip.transaction_depth - ignore_missing: true - - rename: - field: zeek.sip.method - target_field: zeek.sip.sequence.method - ignore_missing: true - - rename: - field: zeek.sip.request_from - target_field: zeek.sip.request.from - ignore_missing: true - - rename: - field: zeek.sip.request_to - target_field: zeek.sip.request.to - ignore_missing: true - - rename: - field: zeek.sip.request_path - target_field: zeek.sip.request.path - ignore_missing: true - - rename: - field: zeek.sip.request_body_len - target_field: zeek.sip.request.body_length - ignore_missing: true - - rename: - field: zeek.sip.response_from - target_field: zeek.sip.response.from - ignore_missing: true - - rename: - field: zeek.sip.response_to - target_field: zeek.sip.response.to - ignore_missing: true - - rename: - field: zeek.sip.response_path - target_field: zeek.sip.response.path - ignore_missing: true - - rename: - field: zeek.sip.response_body_len - target_field: zeek.sip.response.body_length - ignore_missing: true - - rename: - field: zeek.sip.status_code - target_field: zeek.sip.status.code - ignore_missing: true - - rename: - field: zeek.sip.status_msg - target_field: zeek.sip.status.msg - ignore_missing: true - - set: - field: event.action - copy_from: zeek.sip.sequence.method - if: ctx?.zeek?.sip?.sequence?.method != null - - set: - field: url.full - copy_from: zeek.sip.uri - if: ctx?.zeek?.sip?.uri != null - - date: - field: zeek.sip.ts - formats: - - UNIX - - ISO8601 - - remove: - field: zeek.sip.ts - - grok: - field: zeek.sip.seq - patterns: - - "%{NUMBER:zeek.sip.sequence.number}" - ignore_missing: true - - remove: - field: zeek.sip.seq - ignore_missing: true - - geoip: - field: destination.ip - target_field: destination.geo - ignore_missing: true - - geoip: - field: source.ip - target_field: source.geo - ignore_missing: true - - geoip: - database_file: GeoLite2-ASN.mmdb - field: source.ip - 
target_field: source.as - properties: - - asn - - organization_name - ignore_missing: true - - geoip: - database_file: GeoLite2-ASN.mmdb - field: destination.ip - target_field: destination.as - properties: - - asn - - organization_name - ignore_missing: true - - rename: - field: source.as.asn - target_field: source.as.number - ignore_missing: true - - rename: - field: source.as.organization_name - target_field: source.as.organization.name - ignore_missing: true - - rename: - field: destination.as.asn - target_field: destination.as.number - ignore_missing: true - - rename: - field: destination.as.organization_name - target_field: destination.as.organization.name - ignore_missing: true - - append: - field: related.ip - value: "{{source.ip}}" - if: "ctx?.source?.ip != null" - allow_duplicates: false - - append: - field: related.ip - value: "{{destination.ip}}" - if: "ctx?.destination?.ip != null" - allow_duplicates: false - - append: - field: event.type - value: error - if: "ctx?.zeek?.sip?.status?.code != null && ctx.zeek.sip.status.code >= 400" - - set: - field: event.outcome - value: failure - if: "ctx?.zeek?.sip?.status?.code != null && ctx.zeek.sip.status.code >= 400" - - set: - field: event.outcome - value: success - if: "ctx?.zeek?.sip?.status?.code != null && ctx.zeek.sip.status.code < 400" - - community_id: - target_field: network.community_id - - remove: - field: - - zeek.sip.id - ignore_missing: true - - remove: - field: event.original - if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" - ignore_failure: true - ignore_missing: true -on_failure: - - set: - field: error.message - value: "{{ _ingest.on_failure_message }}" diff --git a/packages/zeek/2.5.2/data_stream/sip/elasticsearch/ingest_pipeline/third-party.yml b/packages/zeek/2.5.2/data_stream/sip/elasticsearch/ingest_pipeline/third-party.yml deleted file mode 100755 index 5bc2247db2..0000000000 
--- a/packages/zeek/2.5.2/data_stream/sip/elasticsearch/ingest_pipeline/third-party.yml
+++ /dev/null
@@ -1,39 +0,0 @@
----
-description: Pipeline for parsing Zeek logs from third party api
-processors:
- - fingerprint:
- fields:
- - _temp_.result._cd
- - _temp_.result._indextime
- - _temp_.result._raw
- - _temp_.result._time
- - _temp_.result.host
- - _temp_.result.source
- target_field: '_id'
- ignore_missing: true
- - set:
- field: event.original
- copy_from: _temp_.result._raw
- ignore_empty_value: true
- - set:
- field: host.name
- copy_from: _temp_.result.host
- ignore_empty_value: true
- - set:
- copy_from: _temp_.result.source
- field: log.file.path
- ignore_empty_value: true
- - remove:
- field: _temp_
- ignore_missing: true
- - json:
- field: event.original
- target_field: _temp_
-on_failure:
- - append:
- field: error.message
- value: >-
- error in third party api pipeline:
- error in [{{_ingest.on_failure_processor_type}}] processor{{#_ingest.on_failure_processor_tag}}
- with tag [{{_ingest.on_failure_processor_tag }}]{{/_ingest.on_failure_processor_tag}}
- {{ _ingest.on_failure_message }}
diff --git a/packages/zeek/2.5.2/data_stream/sip/fields/agent.yml b/packages/zeek/2.5.2/data_stream/sip/fields/agent.yml
deleted file mode 100755
index ed1313d1b0..0000000000
--- a/packages/zeek/2.5.2/data_stream/sip/fields/agent.yml
+++ /dev/null
@@ -1,171 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: "Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on." - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: "The cloud account or organization id used to identify different entities in a multi-tenant environment.\nExamples: AWS account id, Google Cloud ORG Id, or other unique identifier." - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: "Container fields are used for meta information about the specific container that is the source of information.\nThese fields help correlate data based containers from any runtime." - type: group - fields: - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: "A host is defined as a general computing instance.\nECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes." - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: "Name of the domain of which the host is a member.\nFor example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider." - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: "Hostname of the host.\nIt normally contains what the `hostname` command returns on the host machine." - - name: id - level: core - type: keyword - ignore_above: 1024 - description: "Unique host id.\nAs hostname is not always unique, use values that are meaningful in your environment.\nExample: The current usage of `beat.name`." - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. 
- - name: name - level: core - type: keyword - ignore_above: 1024 - description: "Name of the host.\nIt can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use." - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: "Type of host.\nFor Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment." - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - diff --git a/packages/zeek/2.5.2/data_stream/sip/fields/base-fields.yml b/packages/zeek/2.5.2/data_stream/sip/fields/base-fields.yml deleted file mode 100755 index 7e5ed093a6..0000000000 --- a/packages/zeek/2.5.2/data_stream/sip/fields/base-fields.yml +++ /dev/null 
@@ -1,20 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: event.module
- type: constant_keyword
- description: Event module
- value: zeek
-- name: event.dataset
- type: constant_keyword
- description: Event dataset
- value: zeek.sip
-- name: '@timestamp'
- type: date
- description: Event timestamp.
diff --git a/packages/zeek/2.5.2/data_stream/sip/fields/beats.yml b/packages/zeek/2.5.2/data_stream/sip/fields/beats.yml
deleted file mode 100755
index 470f5fae48..0000000000
--- a/packages/zeek/2.5.2/data_stream/sip/fields/beats.yml
+++ /dev/null
@@ -1,23 +0,0 @@
-- description: Unique container id.
- ignore_above: 1024
- name: container.id
- type: keyword
-- description: Type of Filebeat input.
- name: input.type
- type: keyword
-- description: Full path to the log file this event came from.
- example: /var/log/fun-times.log
- ignore_above: 1024
- name: log.file.path
- type: keyword
-- description: Flags for the log file.
- name: log.flags
- type: keyword
-- description: Offset of the entry in the log file.
- name: log.offset
- type: long
-- description: List of keywords used to tag each event.
- example: '["production", "env2"]'
- ignore_above: 1024
- name: tags
- type: keyword
diff --git a/packages/zeek/2.5.2/data_stream/sip/fields/ecs.yml b/packages/zeek/2.5.2/data_stream/sip/fields/ecs.yml
deleted file mode 100755
index 6a218eb2d1..0000000000
--- a/packages/zeek/2.5.2/data_stream/sip/fields/ecs.yml
+++ /dev/null
@@ -1,184 +0,0 @@ -- description: |- - Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: destination.address - type: keyword -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: destination.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: destination.as.organization.name - type: keyword -- description: City name. - name: destination.geo.city_name - type: keyword -- description: Name of the continent. - name: destination.geo.continent_name - type: keyword -- description: Country ISO code. - name: destination.geo.country_iso_code - type: keyword -- description: Country name. - name: destination.geo.country_name - type: keyword -- description: Longitude and latitude. - name: destination.geo.location - type: geo_point -- description: |- - User-defined description of a location, at the level of granularity they care about. - Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. - Not typically used in automated geolocation. - name: destination.geo.name - type: keyword -- description: Region ISO code. - name: destination.geo.region_iso_code - type: keyword -- description: Region name. - name: destination.geo.region_name - type: keyword -- description: IP address of the destination (IPv4 or IPv6). - name: destination.ip - type: ip -- description: Port of the destination. - name: destination.port - type: long -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. 
- When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: Error message. - name: error.message - type: match_only_text -- description: |- - The action captured by the event. - This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. - name: event.action - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. This will allow proper categorization of some events that fall in multiple categories. - name: event.category - normalize: - - array - type: keyword -- description: |- - event.created contains the date/time when the event was first read by an agent, or by your pipeline. - This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. - In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. - In case the two timestamps are identical, @timestamp should be used. - name: event.created - type: date -- description: Unique ID to describe the event. - name: event.id - type: keyword -- description: |- - Timestamp when an event arrived in the central data store. 
- This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. - In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. - name: event.ingested - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. - `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. - Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. - Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. - Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. 
- name: event.outcome - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. - `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. This will allow proper categorization of some events that fall in multiple event types. - name: event.type - normalize: - - array - type: keyword -- description: Host ip addresses. - name: host.ip - normalize: - - array - type: ip -- description: |- - A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. - Learn more at https://github.com/corelight/community-id-spec. - name: network.community_id - type: keyword -- description: |- - In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. - The field value must be normalized to lowercase for querying. - name: network.protocol - type: keyword -- description: |- - Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) - The field value must be normalized to lowercase for querying. - name: network.transport - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - normalize: - - array - type: ip -- description: |- - Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: source.address - type: keyword -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. 
- name: source.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: source.as.organization.name - type: keyword -- description: City name. - name: source.geo.city_name - type: keyword -- description: Name of the continent. - name: source.geo.continent_name - type: keyword -- description: Country ISO code. - name: source.geo.country_iso_code - type: keyword -- description: Country name. - name: source.geo.country_name - type: keyword -- description: Longitude and latitude. - name: source.geo.location - type: geo_point -- description: |- - User-defined description of a location, at the level of granularity they care about. - Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. - Not typically used in automated geolocation. - name: source.geo.name - type: keyword -- description: Region ISO code. - name: source.geo.region_iso_code - type: keyword -- description: Region name. - name: source.geo.region_name - type: keyword -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: Port of the source. - name: source.port - type: long -- description: If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. - multi_fields: - - name: text - type: match_only_text - name: url.full - type: wildcard diff --git a/packages/zeek/2.5.2/data_stream/sip/fields/fields.yml b/packages/zeek/2.5.2/data_stream/sip/fields/fields.yml deleted file mode 100755 index 399f7a09b1..0000000000 --- a/packages/zeek/2.5.2/data_stream/sip/fields/fields.yml +++ /dev/null 
@@ -1,99 +0,0 @@
-- name: zeek.sip
- type: group
- fields:
- - name: transaction_depth
- type: integer
- description: |
- Represents the pipelined depth into the connection of this request/response transaction.
- - name: sequence
- type: group
- fields:
- - name: method
- type: keyword
- description: |
- Verb used in the SIP request (INVITE, REGISTER etc.).
- - name: number
- type: keyword
- description: |
- Contents of the CSeq: header from the client.
- - name: uri
- type: keyword
- description: |
- URI used in the request.
- - name: date
- type: keyword
- description: |
- Contents of the Date: header from the client.
- - name: request
- type: group
- fields:
- - name: from
- type: keyword
- description: |
- Contents of the request From: header Note: The tag= value that's usually appended to the sender is stripped off and not logged.
- - name: to
- type: keyword
- description: |
- Contents of the To: header.
- - name: path
- type: keyword
- description: |
- The client message transmission path, as extracted from the headers.
- - name: body_length
- type: long
- description: |
- Contents of the Content-Length: header from the client.
- - name: response
- type: group
- fields:
- - name: from
- type: keyword
- description: |
- Contents of the response From: header Note: The tag= value that's usually appended to the sender is stripped off and not logged.
- - name: to
- type: keyword
- description: |
- Contents of the response To: header.
- - name: path
- type: keyword
- description: |
- The server message transmission path, as extracted from the headers.
- - name: body_length
- type: long
- description: |
- Contents of the Content-Length: header from the server.
- - name: reply_to
- type: keyword
- description: |
- Contents of the Reply-To: header.
- - name: call_id
- type: keyword
- description: |
- Contents of the Call-ID: header from the client.
- - name: subject
- type: keyword
- description: |
- Contents of the Subject: header from the client.
- - name: user_agent
- type: keyword
- description: |
- Contents of the User-Agent: header from the client.
- - name: status
- type: group
- fields:
- - name: code
- type: integer
- description: |
- Status code returned by the server.
- - name: msg
- type: keyword
- description: |
- Status message returned by the server.
- - name: warning
- type: keyword
- description: |
- Contents of the Warning: header.
- - name: content_type
- type: keyword
- description: |
- Contents of the Content-Type: header from the server.
diff --git a/packages/zeek/2.5.2/data_stream/sip/fields/package-fields.yml b/packages/zeek/2.5.2/data_stream/sip/fields/package-fields.yml
deleted file mode 100755
index 4d6d6ea170..0000000000
--- a/packages/zeek/2.5.2/data_stream/sip/fields/package-fields.yml
+++ /dev/null
@@ -1,7 +0,0 @@
-- name: zeek
- type: group
- fields:
- - name: session_id
- type: keyword
- description: |
- A unique identifier of the session
diff --git a/packages/zeek/2.5.2/data_stream/sip/manifest.yml b/packages/zeek/2.5.2/data_stream/sip/manifest.yml
deleted file mode 100755
index d922c5d29c..0000000000
--- a/packages/zeek/2.5.2/data_stream/sip/manifest.yml
+++ /dev/null
@@ -1,85 +0,0 @@ -type: logs -title: Zeek sip logs -streams: - - input: logfile - vars: - - name: filenames - type: text - title: Filename of sip log file - multi: true - required: true - show_user: true - default: - - sip.log - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: false - default: - - forwarded - - zeek-sip - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original` - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: > - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. - - template_path: log.yml.hbs - title: Zeek sip.log - description: Collect Zeek sip logs - - input: httpjson - title: Zeek sip logs via Splunk Enterprise REST API - description: Collect Zeek sip logs via Splunk Enterprise REST API - enabled: false - template_path: httpjson.yml.hbs - vars: - - name: interval - type: text - title: Interval to query Splunk Enterprise REST API - description: Go Duration syntax (eg. 
10s) - show_user: true - required: true - default: 10s - - name: search - type: text - title: Splunk search string - show_user: true - required: true - default: "search sourcetype=\"sip-*\"" - - name: tags - type: text - title: Tags - multi: true - show_user: false - default: - - forwarded - - zeek-sip - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original` - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: >- - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. diff --git a/packages/zeek/2.5.2/data_stream/smb_cmd/agent/stream/httpjson.yml.hbs b/packages/zeek/2.5.2/data_stream/smb_cmd/agent/stream/httpjson.yml.hbs deleted file mode 100755 index 33f251e7d6..0000000000 --- a/packages/zeek/2.5.2/data_stream/smb_cmd/agent/stream/httpjson.yml.hbs +++ /dev/null 
@@ -1,63 +0,0 @@
-config_version: 2
-interval: {{interval}}
-{{#unless token}}
-{{#if username}}
-{{#if password}}
-auth.basic.user: {{username}}
-auth.basic.password: {{password}}
-{{/if}}
-{{/if}}
-{{/unless}}
-cursor:
- index_earliest:
- value: '[[.last_event.result.max_indextime]]'
-request.url: {{url}}/services/search/jobs/export
-{{#if ssl}}
-request.ssl: {{ssl}}
-{{/if}}
-request.method: POST
-request.transforms:
- - set:
- target: url.params.search
- value: {{search}} | streamstats max(_indextime) AS max_indextime
- - set:
- target: url.params.output_mode
- value: "json"
- - set:
- target: url.params.index_earliest
- value: '[[ .cursor.index_earliest ]]'
- default: '[[(now (parseDuration "-{{interval}}")).Unix]]'
- - set:
- target: url.params.index_latest
- value: '[[(now).Unix]]'
- - set:
- target: header.Content-Type
- value: application/x-www-form-urlencoded
-{{#unless username}}
-{{#unless password}}
-{{#if token}}
- - set:
- target: header.Authorization
- value: {{token}}
-{{/if}}
-{{/unless}}
-{{/unless}}
-response.decode_as: application/x-ndjson
-response.split:
- target: body.result._raw
- type: string
- delimiter: "\n"
-tags:
-{{#if preserve_original_event}}
- - preserve_original_event
-{{/if}}
-{{#each tags as |tag i|}}
- - {{tag}}
-{{/each}}
-{{#contains "forwarded" tags}}
-publisher_pipeline.disable_host: true
-{{/contains}}
-{{#if processors}}
-processors:
-{{processors}}
-{{/if}}
diff --git a/packages/zeek/2.5.2/data_stream/smb_cmd/agent/stream/log.yml.hbs b/packages/zeek/2.5.2/data_stream/smb_cmd/agent/stream/log.yml.hbs
deleted file mode 100755
index 9dd9f724a5..0000000000
--- a/packages/zeek/2.5.2/data_stream/smb_cmd/agent/stream/log.yml.hbs
+++ /dev/null
@@ -1,21 +0,0 @@
-paths:
-{{#each base_paths}}
- {{#each ../filenames}}
- - {{../this}}/{{this}}
- {{/each}}
-{{/each}}
-exclude_files: [".gz$"]
-tags:
-{{#if preserve_original_event}}
- - preserve_original_event
-{{/if}}
-{{#each tags as |tag i|}}
- - {{tag}}
-{{/each}}
-{{#contains "forwarded" tags}}
-publisher_pipeline.disable_host: true
-{{/contains}}
-{{#if processors}}
-processors:
-{{processors}}
-{{/if}}
diff --git a/packages/zeek/2.5.2/data_stream/smb_cmd/elasticsearch/ingest_pipeline/default.yml b/packages/zeek/2.5.2/data_stream/smb_cmd/elasticsearch/ingest_pipeline/default.yml
deleted file mode 100755
index 4800d870a9..0000000000
--- a/packages/zeek/2.5.2/data_stream/smb_cmd/elasticsearch/ingest_pipeline/default.yml
+++ /dev/null
@@ -1,290 +0,0 @@ ---- -description: Pipeline for normalizing Zeek smb_cmd.log -processors: - - rename: - field: message - target_field: event.original - - json: - field: event.original - target_field: _temp_ - - pipeline: - if: ctx?._temp_?.result != null - name: '{{ IngestPipeline "third-party" }}' - - drop: - description: Drop if no timestamp (invalid json) - if: 'ctx?._temp_?.ts == null' - - rename: - field: _temp_ - target_field: zeek.smb_cmd - -# Sets event.created from the @timestamp field generated by filebeat before being overwritten further down - - set: - field: event.created - copy_from: "@timestamp" - - set: - field: event.kind - value: event - - set: - field: ecs.version - value: '8.4.0' - - append: - field: event.category - value: network - - append: - field: event.type - value: connection - - append: - field: event.type - value: protocol - - set: - field: network.transport - value: tcp - - set: - field: network.protocol - value: smb - - dot_expander: - path: zeek.smb_cmd - field: referenced_file.ts - ignore_failure: true - - dot_expander: - path: zeek.smb_cmd - field: referenced_file.id.orig_p - ignore_failure: true - - dot_expander: - path: zeek.smb_cmd - field: referenced_file.id.resp_p - ignore_failure: true - - dot_expander: - path: zeek.smb_cmd - field: referenced_file.size - ignore_failure: true - - dot_expander: - path: zeek.smb_cmd - field: referenced_file.times.modified - ignore_failure: true - - dot_expander: - path: zeek.smb_cmd - field: referenced_file.times.accessed - ignore_failure: true - - dot_expander: - path: zeek.smb_cmd - field: referenced_file.times.created - ignore_failure: true - - dot_expander: - path: zeek.smb_cmd - field: referenced_file.times.changed - ignore_failure: true - - dot_expander: - path: zeek.smb_cmd - field: referenced_file.uid - ignore_failure: true - - dot_expander: - path: zeek.smb_cmd - field: referenced_file.id.orig_h - ignore_failure: true - - dot_expander: - path: zeek.smb_cmd - field: 
referenced_file.id.resp_h - ignore_failure: true - - dot_expander: - path: zeek.smb_cmd - field: referenced_file.action - ignore_failure: true - - dot_expander: - path: zeek.smb_cmd - field: referenced_file.name - ignore_failure: true - - dot_expander: - path: zeek.smb_cmd - field: referenced_file.path - ignore_failure: true - - remove: - field: - - zeek.smb_cmd.referenced_file.ts - - zeek.smb_cmd.referenced_file.id.orig_p - - zeek.smb_cmd.referenced_file.id.resp_p - - zeek.smb_cmd.referenced_file.size - - zeek.smb_cmd.referenced_file.times.modified - - zeek.smb_cmd.referenced_file.times.accessed - - zeek.smb_cmd.referenced_file.times.created - - zeek.smb_cmd.referenced_file.times.changed - ignore_missing: true - - remove: - field: - - zeek.smb_cmd.referenced_file.uid - - zeek.smb_cmd.referenced_file.id.orig_h - - zeek.smb_cmd.referenced_file.id.resp_h - ignore_missing: true - if: ctx?.zeek?.smb_cmd?.referenced_file?.action == null - - dot_expander: - path: zeek.smb_cmd - field: id.orig_p - ignore_failure: true - - dot_expander: - path: zeek.smb_cmd - field: id.orig_h - ignore_failure: true - - dot_expander: - path: zeek.smb_cmd - field: id.resp_h - ignore_failure: true - - dot_expander: - path: zeek.smb_cmd - field: id.resp_p - ignore_failure: true - - rename: - field: zeek.smb_cmd.id.orig_h - target_field: source.address - ignore_missing: true - - rename: - field: zeek.smb_cmd.id.orig_p - target_field: source.port - ignore_missing: true - - rename: - field: zeek.smb_cmd.id.resp_h - target_field: destination.address - ignore_missing: true - - rename: - field: zeek.smb_cmd.id.resp_p - target_field: destination.port - ignore_missing: true - - rename: - field: zeek.smb_cmd.uid - target_field: zeek.session_id - ignore_missing: true - - set: - field: event.id - copy_from: zeek.session_id - if: ctx?.zeek?.session_id != null - - set: - field: source.ip - copy_from: source.address - if: ctx?.source?.address != null - - set: - field: destination.ip - copy_from: 
destination.address - if: ctx?.destination?.address != null - - rename: - field: zeek.smb_cmd.referenced_file.uid - target_field: zeek.smb_cmd.file.uid - ignore_missing: true - - rename: - field: zeek.smb_cmd.referenced_file.id.orig_h - target_field: zeek.smb_cmd.file.host.tx - ignore_missing: true - - rename: - field: zeek.smb_cmd.referenced_file.id.resp_h - target_field: zeek.smb_cmd.file.host.rx - ignore_missing: true - - rename: - field: zeek.smb_cmd.referenced_file.name - target_field: zeek.smb_cmd.file.name - ignore_missing: true - - rename: - field: zeek.smb_cmd.referenced_file.path - target_field: zeek.smb_cmd.file.path - ignore_missing: true - - rename: - field: zeek.smb_cmd.referenced_file.action - target_field: zeek.smb_cmd.file.action - ignore_missing: true - - set: - field: event.action - copy_from: zeek.smb_cmd.command - if: ctx?.zeek?.smb_cmd?.command != null - - set: - field: user.name - copy_from: zeek.smb_cmd.username - if: ctx?.zeek?.smb_cmd?.username != null - - date: - field: zeek.smb_cmd.ts - formats: - - UNIX - - ISO8601 - - remove: - field: zeek.smb_cmd.ts - - remove: - field: zeek.smb_cmd.referenced_file - ignore_missing: true - - geoip: - field: destination.ip - target_field: destination.geo - ignore_missing: true - - geoip: - field: source.ip - target_field: source.geo - ignore_missing: true - - geoip: - database_file: GeoLite2-ASN.mmdb - field: source.ip - target_field: source.as - properties: - - asn - - organization_name - ignore_missing: true - - geoip: - database_file: GeoLite2-ASN.mmdb - field: destination.ip - target_field: destination.as - properties: - - asn - - organization_name - ignore_missing: true - - rename: - field: source.as.asn - target_field: source.as.number - ignore_missing: true - - rename: - field: source.as.organization_name - target_field: source.as.organization.name - ignore_missing: true - - rename: - field: destination.as.asn - target_field: destination.as.number - ignore_missing: true - - rename: - field: 
destination.as.organization_name - target_field: destination.as.organization.name - ignore_missing: true - - append: - field: related.ip - value: "{{source.ip}}" - if: "ctx?.source?.ip != null" - allow_duplicates: false - - append: - field: related.ip - value: "{{destination.ip}}" - if: "ctx?.destination?.ip != null" - allow_duplicates: false - - append: - field: related.user - value: "{{user.name}}" - if: "ctx?.user?.name != null" - allow_duplicates: false - - append: - field: event.type - value: error - if: "ctx?.zeek?.smb_cmd?.status != null && ctx.zeek.smb_cmd.status.toLowerCase() != 'success'" - - set: - field: event.outcome - value: success - if: "ctx?.zeek?.smb_cmd?.status != null && ctx.zeek.smb_cmd.status.toLowerCase() == 'success'" - - set: - field: event.outcome - value: failure - if: "ctx?.zeek?.smb_cmd?.status != null && ctx.zeek.smb_cmd.status.toLowerCase() != 'success'" - - community_id: - target_field: network.community_id - - remove: - field: - - zeek.smb_cmd.id - ignore_missing: true - - remove: - field: event.original - if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" - ignore_failure: true - ignore_missing: true -on_failure: - - set: - field: error.message - value: "{{ _ingest.on_failure_message }}" diff --git a/packages/zeek/2.5.2/data_stream/smb_cmd/elasticsearch/ingest_pipeline/third-party.yml b/packages/zeek/2.5.2/data_stream/smb_cmd/elasticsearch/ingest_pipeline/third-party.yml deleted file mode 100755 index 5bc2247db2..0000000000 --- a/packages/zeek/2.5.2/data_stream/smb_cmd/elasticsearch/ingest_pipeline/third-party.yml +++ /dev/null 
@@ -1,39 +0,0 @@ ---- -description: Pipeline for parsing Zeek logs from third party api -processors: - - fingerprint: - fields: - - _temp_.result._cd - - _temp_.result._indextime - - _temp_.result._raw - - _temp_.result._time - - _temp_.result.host - - _temp_.result.source - target_field: '_id' - ignore_missing: true - - set: - field: event.original - copy_from: _temp_.result._raw - ignore_empty_value: true - - set: - field: host.name - copy_from: _temp_.result.host - ignore_empty_value: true - - set: - copy_from: _temp_.result.source - field: log.file.path - ignore_empty_value: true - - remove: - field: _temp_ - ignore_missing: true - - json: - field: event.original - target_field: _temp_ -on_failure: - - append: - field: error.message - value: >- - error in third party api pipeline: - error in [{{_ingest.on_failure_processor_type}}] processor{{#_ingest.on_failure_processor_tag}} - with tag [{{_ingest.on_failure_processor_tag }}]{{/_ingest.on_failure_processor_tag}} - {{ _ingest.on_failure_message }} diff --git a/packages/zeek/2.5.2/data_stream/smb_cmd/fields/agent.yml b/packages/zeek/2.5.2/data_stream/smb_cmd/fields/agent.yml deleted file mode 100755 index ed1313d1b0..0000000000 --- a/packages/zeek/2.5.2/data_stream/smb_cmd/fields/agent.yml +++ /dev/null 
@@ -1,171 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: "Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on." - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: "The cloud account or organization id used to identify different entities in a multi-tenant environment.\nExamples: AWS account id, Google Cloud ORG Id, or other unique identifier." - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: "Container fields are used for meta information about the specific container that is the source of information.\nThese fields help correlate data based containers from any runtime." - type: group - fields: - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: "A host is defined as a general computing instance.\nECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes." - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: "Name of the domain of which the host is a member.\nFor example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider." - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: "Hostname of the host.\nIt normally contains what the `hostname` command returns on the host machine." - - name: id - level: core - type: keyword - ignore_above: 1024 - description: "Unique host id.\nAs hostname is not always unique, use values that are meaningful in your environment.\nExample: The current usage of `beat.name`." - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. 
- - name: name - level: core - type: keyword - ignore_above: 1024 - description: "Name of the host.\nIt can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use." - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: "Type of host.\nFor Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment." - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - diff --git a/packages/zeek/2.5.2/data_stream/smb_cmd/fields/base-fields.yml b/packages/zeek/2.5.2/data_stream/smb_cmd/fields/base-fields.yml deleted file mode 100755 index 2da0d47a43..0000000000 --- a/packages/zeek/2.5.2/data_stream/smb_cmd/fields/base-fields.yml +++ /dev/null 
@@ -1,20 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: event.module - type: constant_keyword - description: Event module - value: zeek -- name: event.dataset - type: constant_keyword - description: Event dataset - value: zeek.smb_cmd -- name: '@timestamp' - type: date - description: Event timestamp. diff --git a/packages/zeek/2.5.2/data_stream/smb_cmd/fields/beats.yml b/packages/zeek/2.5.2/data_stream/smb_cmd/fields/beats.yml deleted file mode 100755 index 470f5fae48..0000000000 --- a/packages/zeek/2.5.2/data_stream/smb_cmd/fields/beats.yml +++ /dev/null @@ -1,23 +0,0 @@ -- description: Unique container id. - ignore_above: 1024 - name: container.id - type: keyword -- description: Type of Filebeat input. - name: input.type - type: keyword -- description: Full path to the log file this event came from. - example: /var/log/fun-times.log - ignore_above: 1024 - name: log.file.path - type: keyword -- description: Flags for the log file. - name: log.flags - type: keyword -- description: Offset of the entry in the log file. - name: log.offset - type: long -- description: List of keywords used to tag each event. - example: '["production", "env2"]' - ignore_above: 1024 - name: tags - type: keyword diff --git a/packages/zeek/2.5.2/data_stream/smb_cmd/fields/ecs.yml b/packages/zeek/2.5.2/data_stream/smb_cmd/fields/ecs.yml deleted file mode 100755 index 71303d6eda..0000000000 --- a/packages/zeek/2.5.2/data_stream/smb_cmd/fields/ecs.yml +++ /dev/null 
@@ -1,189 +0,0 @@ -- description: |- - Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: destination.address - type: keyword -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: destination.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: destination.as.organization.name - type: keyword -- description: City name. - name: destination.geo.city_name - type: keyword -- description: Name of the continent. - name: destination.geo.continent_name - type: keyword -- description: Country ISO code. - name: destination.geo.country_iso_code - type: keyword -- description: Country name. - name: destination.geo.country_name - type: keyword -- description: Longitude and latitude. - name: destination.geo.location - type: geo_point -- description: |- - User-defined description of a location, at the level of granularity they care about. - Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. - Not typically used in automated geolocation. - name: destination.geo.name - type: keyword -- description: Region ISO code. - name: destination.geo.region_iso_code - type: keyword -- description: Region name. - name: destination.geo.region_name - type: keyword -- description: IP address of the destination (IPv4 or IPv6). - name: destination.ip - type: ip -- description: Port of the destination. - name: destination.port - type: long -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. 
- When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: Error message. - name: error.message - type: match_only_text -- description: |- - The action captured by the event. - This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. - name: event.action - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. This will allow proper categorization of some events that fall in multiple categories. - name: event.category - normalize: - - array - type: keyword -- description: |- - event.created contains the date/time when the event was first read by an agent, or by your pipeline. - This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. - In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. - In case the two timestamps are identical, @timestamp should be used. - name: event.created - type: date -- description: Unique ID to describe the event. - name: event.id - type: keyword -- description: |- - Timestamp when an event arrived in the central data store. 
- This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. - In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. - name: event.ingested - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. - `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. - Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. - Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. - Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. 
- name: event.outcome - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. - `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. This will allow proper categorization of some events that fall in multiple event types. - name: event.type - normalize: - - array - type: keyword -- description: Host ip addresses. - name: host.ip - normalize: - - array - type: ip -- description: |- - A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. - Learn more at https://github.com/corelight/community-id-spec. - name: network.community_id - type: keyword -- description: |- - In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. - The field value must be normalized to lowercase for querying. - name: network.protocol - type: keyword -- description: |- - Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) - The field value must be normalized to lowercase for querying. - name: network.transport - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - normalize: - - array - type: ip -- description: All the user names or other user identifiers seen on the event. - name: related.user - normalize: - - array - type: keyword -- description: |- - Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. 
- name: source.address - type: keyword -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: source.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: source.as.organization.name - type: keyword -- description: City name. - name: source.geo.city_name - type: keyword -- description: Name of the continent. - name: source.geo.continent_name - type: keyword -- description: Country ISO code. - name: source.geo.country_iso_code - type: keyword -- description: Country name. - name: source.geo.country_name - type: keyword -- description: Longitude and latitude. - name: source.geo.location - type: geo_point -- description: |- - User-defined description of a location, at the level of granularity they care about. - Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. - Not typically used in automated geolocation. - name: source.geo.name - type: keyword -- description: Region ISO code. - name: source.geo.region_iso_code - type: keyword -- description: Region name. - name: source.geo.region_name - type: keyword -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: Port of the source. - name: source.port - type: long -- description: Short name or login of the user. - multi_fields: - - name: text - type: match_only_text - name: user.name - type: keyword diff --git a/packages/zeek/2.5.2/data_stream/smb_cmd/fields/fields.yml b/packages/zeek/2.5.2/data_stream/smb_cmd/fields/fields.yml deleted file mode 100755 index 73c6a4b084..0000000000 --- a/packages/zeek/2.5.2/data_stream/smb_cmd/fields/fields.yml +++ /dev/null 
@@ -1,75 +0,0 @@ -- name: zeek.smb_cmd - type: group - fields: - - name: command - type: keyword - description: | - The command sent by the client. - - name: sub_command - type: keyword - description: | - The subcommand sent by the client, if present. - - name: argument - type: keyword - description: | - Command argument sent by the client, if any. - - name: status - type: keyword - description: | - Server reply to the client's command. - - name: rtt - type: double - description: | - Round trip time from the request to the response. - - name: version - type: keyword - description: | - Version of SMB for the command. - - name: username - type: keyword - description: | - Authenticated username, if available. - - name: tree - type: keyword - description: | - If this is related to a tree, this is the tree that was used for the current command. - - name: tree_service - type: keyword - description: | - The type of tree (disk share, printer share, named pipe, etc.). - - name: file - type: group - fields: - - name: name - type: keyword - description: | - Filename if one was seen. - - name: action - type: keyword - description: | - Action this log record represents. - - name: uid - type: keyword - description: | - UID of the referenced file. - - name: host - type: group - fields: - - name: tx - type: ip - description: | - Address of the transmitting host. - - name: rx - type: ip - description: | - Address of the receiving host. - - name: smb1_offered_dialects - type: keyword - description: | - Present if base/protocols/smb/smb1-main.bro is loaded. - Dialects offered by the client. - - name: smb2_offered_dialects - type: integer - description: | - Present if base/protocols/smb/smb2-main.bro is loaded. - Dialects offered by the client. diff --git a/packages/zeek/2.5.2/data_stream/smb_cmd/fields/package-fields.yml b/packages/zeek/2.5.2/data_stream/smb_cmd/fields/package-fields.yml deleted file mode 100755 index 4d6d6ea170..0000000000 
--- a/packages/zeek/2.5.2/data_stream/smb_cmd/fields/package-fields.yml +++ /dev/null @@ -1,7 +0,0 @@ -- name: zeek - type: group - fields: - - name: session_id - type: keyword - description: | - A unique identifier of the session diff --git a/packages/zeek/2.5.2/data_stream/smb_cmd/manifest.yml b/packages/zeek/2.5.2/data_stream/smb_cmd/manifest.yml deleted file mode 100755 index 835b2e365e..0000000000 --- a/packages/zeek/2.5.2/data_stream/smb_cmd/manifest.yml +++ /dev/null 
@@ -1,85 +0,0 @@ -type: logs -title: Zeek smb_cmd logs -streams: - - input: logfile - vars: - - name: filenames - type: text - title: Filename of smb_cmd log file - multi: true - required: true - show_user: true - default: - - smb_cmd.log - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: false - default: - - forwarded - - zeek-smb-cmd - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original` - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: > - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. - - template_path: log.yml.hbs - title: Zeek smb_cmd.log - description: Collect Zeek smb_cmd logs - - input: httpjson - title: Zeek smb_cmd logs via Splunk Enterprise REST API - description: Collect Zeek smb_cmd logs via Splunk Enterprise REST API - enabled: false - template_path: httpjson.yml.hbs - vars: - - name: interval - type: text - title: Interval to query Splunk Enterprise REST API - description: Go Duration syntax (eg. 
10s) - show_user: true - required: true - default: 10s - - name: search - type: text - title: Splunk search string - show_user: true - required: true - default: "search sourcetype=\"smb_cmd-*\"" - - name: tags - type: text - title: Tags - multi: true - show_user: false - default: - - forwarded - - zeek-smb-cmd - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original` - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: >- - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. diff --git a/packages/zeek/2.5.2/data_stream/smb_files/agent/stream/httpjson.yml.hbs b/packages/zeek/2.5.2/data_stream/smb_files/agent/stream/httpjson.yml.hbs deleted file mode 100755 index 33f251e7d6..0000000000 --- a/packages/zeek/2.5.2/data_stream/smb_files/agent/stream/httpjson.yml.hbs +++ /dev/null 
@@ -1,63 +0,0 @@ -config_version: 2 -interval: {{interval}} -{{#unless token}} -{{#if username}} -{{#if password}} -auth.basic.user: {{username}} -auth.basic.password: {{password}} -{{/if}} -{{/if}} -{{/unless}} -cursor: - index_earliest: - value: '[[.last_event.result.max_indextime]]' -request.url: {{url}}/services/search/jobs/export -{{#if ssl}} -request.ssl: {{ssl}} -{{/if}} -request.method: POST -request.transforms: - - set: - target: url.params.search - value: {{search}} | streamstats max(_indextime) AS max_indextime - - set: - target: url.params.output_mode - value: "json" - - set: - target: url.params.index_earliest - value: '[[ .cursor.index_earliest ]]' - default: '[[(now (parseDuration "-{{interval}}")).Unix]]' - - set: - target: url.params.index_latest - value: '[[(now).Unix]]' - - set: - target: header.Content-Type - value: application/x-www-form-urlencoded -{{#unless username}} -{{#unless password}} -{{#if token}} - - set: - target: header.Authorization - value: {{token}} -{{/if}} -{{/unless}} -{{/unless}} -response.decode_as: application/x-ndjson -response.split: - target: body.result._raw - type: string - delimiter: "\n" -tags: -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#each tags as |tag i|}} - - {{tag}} -{{/each}} -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} -{{#if processors}} -processors: -{{processors}} -{{/if}} diff --git a/packages/zeek/2.5.2/data_stream/smb_files/agent/stream/log.yml.hbs b/packages/zeek/2.5.2/data_stream/smb_files/agent/stream/log.yml.hbs deleted file mode 100755 index 9dd9f724a5..0000000000 --- a/packages/zeek/2.5.2/data_stream/smb_files/agent/stream/log.yml.hbs +++ /dev/null 
@@ -1,21 +0,0 @@ -paths: -{{#each base_paths}} - {{#each ../filenames}} - - {{../this}}/{{this}} - {{/each}} -{{/each}} -exclude_files: [".gz$"] -tags: -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#each tags as |tag i|}} - - {{tag}} -{{/each}} -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} -{{#if processors}} -processors: -{{processors}} -{{/if}} diff --git a/packages/zeek/2.5.2/data_stream/smb_files/elasticsearch/ingest_pipeline/default.yml b/packages/zeek/2.5.2/data_stream/smb_files/elasticsearch/ingest_pipeline/default.yml deleted file mode 100755 index c7ac4c0dda..0000000000 --- a/packages/zeek/2.5.2/data_stream/smb_files/elasticsearch/ingest_pipeline/default.yml +++ /dev/null 
@@ -1,256 +0,0 @@ ---- -description: Pipeline for normalizing Zeek smb_files.log -processors: - - rename: - field: message - target_field: event.original - - json: - field: event.original - target_field: _temp_ - - pipeline: - if: ctx?._temp_?.result != null - name: '{{ IngestPipeline "third-party" }}' - - drop: - description: Drop if no timestamp (invalid json) - if: 'ctx?._temp_?.ts == null' - - rename: - field: _temp_ - target_field: zeek.smb_files - -# Sets event.created from the @timestamp field generated by filebeat before being overwritten further down - - set: - field: event.created - copy_from: "@timestamp" - - set: - field: event.kind - value: event - - set: - field: ecs.version - value: '8.4.0' - - append: - field: event.category - value: network - - append: - field: event.category - value: file - - append: - field: event.type - value: connection - - append: - field: event.type - value: protocol - - set: - field: network.transport - value: tcp - - set: - field: network.protocol - value: smb - - dot_expander: - path: zeek.smb_files - field: id.orig_p - ignore_failure: true - - dot_expander: - path: zeek.smb_files - field: id.orig_h - ignore_failure: true - - dot_expander: - path: zeek.smb_files - field: id.resp_h - ignore_failure: true - - dot_expander: - path: zeek.smb_files - field: id.resp_p - ignore_failure: true - - rename: - field: zeek.smb_files.id.orig_h - target_field: source.address - ignore_missing: true - - rename: - field: zeek.smb_files.id.orig_p - target_field: source.port - ignore_missing: true - - rename: - field: zeek.smb_files.id.resp_h - target_field: destination.address - ignore_missing: true - - rename: - field: zeek.smb_files.id.resp_p - target_field: destination.port - ignore_missing: true - - rename: - field: zeek.smb_files.uid - target_field: zeek.session_id - ignore_missing: true - - set: - field: event.id - copy_from: zeek.session_id - if: ctx?.zeek?.session_id != null - - set: - field: source.ip - copy_from: source.address - 
if: ctx?.source?.address != null - - set: - field: destination.ip - copy_from: destination.address - if: ctx?.destination?.address != null - - set: - field: event.action - copy_from: zeek.smb_files.action - if: ctx?.zeek?.smb_files?.action != null - - set: - field: file.name - copy_from: zeek.smb_files.name - if: ctx?.zeek?.smb_files?.name != null - - set: - field: file.size - copy_from: zeek.smb_files.size - if: ctx?.zeek?.smb_files?.size != null - - date: - field: zeek.smb_files.ts - formats: - - UNIX - - ISO8601 - - remove: - field: zeek.smb_files.ts - - dot_expander: - field: times.accessed - path: zeek.smb_files - - dot_expander: - field: times.changed - path: zeek.smb_files - - dot_expander: - field: times.created - path: zeek.smb_files - - dot_expander: - field: times.modified - path: zeek.smb_files - - date: - field: zeek.smb_files.times.accessed - target_field: zeek.smb_files.times.accessed - formats: - - UNIX - - ISO8601 - if: ctx.zeek.smb_files.times?.accessed != null - - set: - field: file.accessed - value: "{{zeek.smb_files.times.accessed}}" - if: "ctx?.zeek?.smb_files?.times?.accessed != null" - - date: - field: zeek.smb_files.times.changed - target_field: zeek.smb_files.times.changed - formats: - - UNIX - - ISO8601 - if: ctx.zeek.smb_files.times?.accessed != null - - set: - field: file.ctime - value: "{{zeek.smb_files.times.changed}}" - if: "ctx?.zeek?.smb_files?.times?.changed != null" - - date: - field: zeek.smb_files.times.created - target_field: zeek.smb_files.times.created - formats: - - UNIX - - ISO8601 - if: ctx.zeek.smb_files.times?.accessed != null - - set: - field: file.created - value: "{{zeek.smb_files.times.created}}" - if: "ctx?.zeek?.smb_files?.times?.created != null" - - date: - field: zeek.smb_files.times.modified - target_field: zeek.smb_files.times.modified - formats: - - UNIX - - ISO8601 - if: ctx.zeek.smb_files.times?.accessed != null - - set: - field: file.mtime - value: "{{zeek.smb_files.times.modified}}" - if: 
"ctx?.zeek?.smb_files?.times?.modified != null" - - geoip: - field: destination.ip - target_field: destination.geo - ignore_missing: true - - geoip: - field: source.ip - target_field: source.geo - ignore_missing: true - - geoip: - database_file: GeoLite2-ASN.mmdb - field: source.ip - target_field: source.as - properties: - - asn - - organization_name - ignore_missing: true - - geoip: - database_file: GeoLite2-ASN.mmdb - field: destination.ip - target_field: destination.as - properties: - - asn - - organization_name - ignore_missing: true - - rename: - field: source.as.asn - target_field: source.as.number - ignore_missing: true - - rename: - field: source.as.organization_name - target_field: source.as.organization.name - ignore_missing: true - - rename: - field: destination.as.asn - target_field: destination.as.number - ignore_missing: true - - rename: - field: destination.as.organization_name - target_field: destination.as.organization.name - ignore_missing: true - - append: - field: related.ip - value: "{{source.ip}}" - if: "ctx?.source?.ip != null" - allow_duplicates: false - - append: - field: related.ip - value: "{{destination.ip}}" - if: "ctx?.destination?.ip != null" - allow_duplicates: false - - append: - field: related.user - value: "{{user.name}}" - if: "ctx?.user?.name != null" - allow_duplicates: false - - set: - field: file.path - value: "{{zeek.smb_files.path}}\\{{zeek.smb_files.name}}" - if: "ctx?.zeek?.smb_files?.path != null && ctx?.zeek?.smb_files?.name != null" - - append: - field: event.type - value: deletion - if: "ctx?.zeek?.smb_files?.action == 'SMB::FILE_DELETE'" - - append: - field: event.type - value: change - if: "ctx?.zeek?.smb_files?.action == 'SMB::FILE_RENAME' || ctx?.zeek?.smb_files?.action == 'SMB::FILE_SET_ATTRIBUTE'" - - append: - field: event.type - value: info - if: "ctx?.zeek?.smb_files?.action != null && ctx.zeek.smb_files != 'SMB::FILE_DELETE' && ctx.zeek.smb_files != 'SMB::FILE_RENAME' && ctx.zeek.smb_files != 
'SMB::FILE_SET_ATTRIBUTE'" - - community_id: - target_field: network.community_id - - remove: - field: - - zeek.smb_files.id - ignore_missing: true - - remove: - field: event.original - if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" - ignore_failure: true - ignore_missing: true -on_failure: - - set: - field: error.message - value: "{{ _ingest.on_failure_message }}" diff --git a/packages/zeek/2.5.2/data_stream/smb_files/elasticsearch/ingest_pipeline/third-party.yml b/packages/zeek/2.5.2/data_stream/smb_files/elasticsearch/ingest_pipeline/third-party.yml deleted file mode 100755 index 5bc2247db2..0000000000 --- a/packages/zeek/2.5.2/data_stream/smb_files/elasticsearch/ingest_pipeline/third-party.yml +++ /dev/null @@ -1,39 +0,0 @@ ---- -description: Pipeline for parsing Zeek logs from third party api -processors: - - fingerprint: - fields: - - _temp_.result._cd - - _temp_.result._indextime - - _temp_.result._raw - - _temp_.result._time - - _temp_.result.host - - _temp_.result.source - target_field: '_id' - ignore_missing: true - - set: - field: event.original - copy_from: _temp_.result._raw - ignore_empty_value: true - - set: - field: host.name - copy_from: _temp_.result.host - ignore_empty_value: true - - set: - copy_from: _temp_.result.source - field: log.file.path - ignore_empty_value: true - - remove: - field: _temp_ - ignore_missing: true - - json: - field: event.original - target_field: _temp_ -on_failure: - - append: - field: error.message - value: >- - error in third party api pipeline: - error in [{{_ingest.on_failure_processor_type}}] processor{{#_ingest.on_failure_processor_tag}} - with tag [{{_ingest.on_failure_processor_tag }}]{{/_ingest.on_failure_processor_tag}} - {{ _ingest.on_failure_message }} diff --git a/packages/zeek/2.5.2/data_stream/smb_files/fields/agent.yml b/packages/zeek/2.5.2/data_stream/smb_files/fields/agent.yml deleted file mode 100755 index ed1313d1b0..0000000000 
--- a/packages/zeek/2.5.2/data_stream/smb_files/fields/agent.yml +++ /dev/null 
@@ -1,171 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: "Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on." - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: "The cloud account or organization id used to identify different entities in a multi-tenant environment.\nExamples: AWS account id, Google Cloud ORG Id, or other unique identifier." - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: "Container fields are used for meta information about the specific container that is the source of information.\nThese fields help correlate data based containers from any runtime." - type: group - fields: - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: "A host is defined as a general computing instance.\nECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes." - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: "Name of the domain of which the host is a member.\nFor example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider." - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: "Hostname of the host.\nIt normally contains what the `hostname` command returns on the host machine." - - name: id - level: core - type: keyword - ignore_above: 1024 - description: "Unique host id.\nAs hostname is not always unique, use values that are meaningful in your environment.\nExample: The current usage of `beat.name`." - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. 
- - name: name - level: core - type: keyword - ignore_above: 1024 - description: "Name of the host.\nIt can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use." - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: "Type of host.\nFor Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment." - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - diff --git a/packages/zeek/2.5.2/data_stream/smb_files/fields/base-fields.yml b/packages/zeek/2.5.2/data_stream/smb_files/fields/base-fields.yml deleted file mode 100755 index 21aa2739e6..0000000000 --- a/packages/zeek/2.5.2/data_stream/smb_files/fields/base-fields.yml +++ /dev/null 
@@ -1,20 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: event.module - type: constant_keyword - description: Event module - value: zeek -- name: event.dataset - type: constant_keyword - description: Event dataset - value: zeek.smb_files -- name: '@timestamp' - type: date - description: Event timestamp. diff --git a/packages/zeek/2.5.2/data_stream/smb_files/fields/beats.yml b/packages/zeek/2.5.2/data_stream/smb_files/fields/beats.yml deleted file mode 100755 index 470f5fae48..0000000000 --- a/packages/zeek/2.5.2/data_stream/smb_files/fields/beats.yml +++ /dev/null @@ -1,23 +0,0 @@ -- description: Unique container id. - ignore_above: 1024 - name: container.id - type: keyword -- description: Type of Filebeat input. - name: input.type - type: keyword -- description: Full path to the log file this event came from. - example: /var/log/fun-times.log - ignore_above: 1024 - name: log.file.path - type: keyword -- description: Flags for the log file. - name: log.flags - type: keyword -- description: Offset of the entry in the log file. - name: log.offset - type: long -- description: List of keywords used to tag each event. - example: '["production", "env2"]' - ignore_above: 1024 - name: tags - type: keyword diff --git a/packages/zeek/2.5.2/data_stream/smb_files/fields/ecs.yml b/packages/zeek/2.5.2/data_stream/smb_files/fields/ecs.yml deleted file mode 100755 index ffba293947..0000000000 --- a/packages/zeek/2.5.2/data_stream/smb_files/fields/ecs.yml +++ /dev/null 
@@ -1,207 +0,0 @@ -- description: |- - Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: destination.address - type: keyword -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: destination.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: destination.as.organization.name - type: keyword -- description: City name. - name: destination.geo.city_name - type: keyword -- description: Name of the continent. - name: destination.geo.continent_name - type: keyword -- description: Country ISO code. - name: destination.geo.country_iso_code - type: keyword -- description: Country name. - name: destination.geo.country_name - type: keyword -- description: Longitude and latitude. - name: destination.geo.location - type: geo_point -- description: |- - User-defined description of a location, at the level of granularity they care about. - Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. - Not typically used in automated geolocation. - name: destination.geo.name - type: keyword -- description: Region ISO code. - name: destination.geo.region_iso_code - type: keyword -- description: Region name. - name: destination.geo.region_name - type: keyword -- description: IP address of the destination (IPv4 or IPv6). - name: destination.ip - type: ip -- description: Port of the destination. - name: destination.port - type: long -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. 
- When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: Error message. - name: error.message - type: match_only_text -- description: |- - The action captured by the event. - This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. - name: event.action - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. This will allow proper categorization of some events that fall in multiple categories. - name: event.category - normalize: - - array - type: keyword -- description: |- - event.created contains the date/time when the event was first read by an agent, or by your pipeline. - This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. - In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. - In case the two timestamps are identical, @timestamp should be used. - name: event.created - type: date -- description: Unique ID to describe the event. - name: event.id - type: keyword -- description: |- - Timestamp when an event arrived in the central data store. 
- This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. - In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. - name: event.ingested - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. - `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. This will allow proper categorization of some events that fall in multiple event types. - name: event.type - normalize: - - array - type: keyword -- description: |- - Last time the file was accessed. - Note that not all filesystems keep track of access time. - name: file.accessed - type: date -- description: |- - File creation time. - Note that not all filesystems store the creation time. - name: file.created - type: date -- description: |- - Last time the file attributes or metadata changed. - Note that changes to the file content will update `mtime`. 
This implies `ctime` will be adjusted at the same time, since `mtime` is an attribute of the file. - name: file.ctime - type: date -- description: Last time the file content was modified. - name: file.mtime - type: date -- description: Name of the file including the extension, without the directory. - name: file.name - type: keyword -- description: Full path to the file, including the file name. It should include the drive letter, when appropriate. - multi_fields: - - name: text - type: match_only_text - name: file.path - type: keyword -- description: |- - File size in bytes. - Only relevant when `file.type` is "file". - name: file.size - type: long -- description: Host ip addresses. - name: host.ip - normalize: - - array - type: ip -- description: |- - A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. - Learn more at https://github.com/corelight/community-id-spec. - name: network.community_id - type: keyword -- description: |- - In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. - The field value must be normalized to lowercase for querying. - name: network.protocol - type: keyword -- description: |- - Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) - The field value must be normalized to lowercase for querying. - name: network.transport - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - normalize: - - array - type: ip -- description: All the user names or other user identifiers seen on the event. - name: related.user - normalize: - - array - type: keyword -- description: |- - Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. 
- Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: source.address - type: keyword -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: source.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: source.as.organization.name - type: keyword -- description: City name. - name: source.geo.city_name - type: keyword -- description: Name of the continent. - name: source.geo.continent_name - type: keyword -- description: Country ISO code. - name: source.geo.country_iso_code - type: keyword -- description: Country name. - name: source.geo.country_name - type: keyword -- description: Longitude and latitude. - name: source.geo.location - type: geo_point -- description: |- - User-defined description of a location, at the level of granularity they care about. - Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. - Not typically used in automated geolocation. - name: source.geo.name - type: keyword -- description: Region ISO code. - name: source.geo.region_iso_code - type: keyword -- description: Region name. - name: source.geo.region_name - type: keyword -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: Port of the source. - name: source.port - type: long diff --git a/packages/zeek/2.5.2/data_stream/smb_files/fields/fields.yml b/packages/zeek/2.5.2/data_stream/smb_files/fields/fields.yml deleted file mode 100755 index 9a2bae33cb..0000000000 --- a/packages/zeek/2.5.2/data_stream/smb_files/fields/fields.yml +++ /dev/null 
@@ -1,50 +0,0 @@ -- name: zeek.smb_files - type: group - fields: - - name: action - type: keyword - description: | - Action this log record represents. - - name: fid - type: integer - description: | - ID referencing this file. - - name: name - type: keyword - description: | - Filename if one was seen. - - name: path - type: keyword - description: | - Path pulled from the tree this file was transferred to or from. - - name: previous_name - type: keyword - description: | - If the rename action was seen, this will be the file's previous name. - - name: size - type: long - description: | - Byte size of the file. - - name: times - type: group - fields: - - name: accessed - type: date - description: | - The file's access time. - - name: changed - type: date - description: | - The file's change time. - - name: created - type: date - description: | - The file's create time. - - name: modified - type: date - description: | - The file's modify time. - - name: uuid - type: keyword - description: | - UUID referencing this file if DCE/RPC. diff --git a/packages/zeek/2.5.2/data_stream/smb_files/fields/package-fields.yml b/packages/zeek/2.5.2/data_stream/smb_files/fields/package-fields.yml deleted file mode 100755 index 4d6d6ea170..0000000000 --- a/packages/zeek/2.5.2/data_stream/smb_files/fields/package-fields.yml +++ /dev/null @@ -1,7 +0,0 @@ -- name: zeek - type: group - fields: - - name: session_id - type: keyword - description: | - A unique identifier of the session diff --git a/packages/zeek/2.5.2/data_stream/smb_files/manifest.yml b/packages/zeek/2.5.2/data_stream/smb_files/manifest.yml deleted file mode 100755 index a8906ac4d0..0000000000 --- a/packages/zeek/2.5.2/data_stream/smb_files/manifest.yml +++ /dev/null 
@@ -1,85 +0,0 @@ -type: logs -title: Zeek smb_files logs -streams: - - input: logfile - vars: - - name: filenames - type: text - title: Filename of smb_files log file - multi: true - required: true - show_user: true - default: - - smb_files.log - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: false - default: - - forwarded - - zeek-smb-files - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original` - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: > - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. - - template_path: log.yml.hbs - title: Zeek smb_files.log - description: Collect Zeek smb_files logs - - input: httpjson - title: Zeek smb_files logs via Splunk Enterprise REST API - description: Collect Zeek smb_files logs via Splunk Enterprise REST API - enabled: false - template_path: httpjson.yml.hbs - vars: - - name: interval - type: text - title: Interval to query Splunk Enterprise REST API - description: Go Duration syntax (eg. 
10s) - show_user: true - required: true - default: 10s - - name: search - type: text - title: Splunk search string - show_user: true - required: true - default: "search sourcetype=\"smb_files-*\"" - - name: tags - type: text - title: Tags - multi: true - show_user: false - default: - - forwarded - - zeek-smb-files - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original` - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: >- - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. diff --git a/packages/zeek/2.5.2/data_stream/smb_mapping/agent/stream/httpjson.yml.hbs b/packages/zeek/2.5.2/data_stream/smb_mapping/agent/stream/httpjson.yml.hbs deleted file mode 100755 index 33f251e7d6..0000000000 --- a/packages/zeek/2.5.2/data_stream/smb_mapping/agent/stream/httpjson.yml.hbs +++ /dev/null 
@@ -1,63 +0,0 @@ -config_version: 2 -interval: {{interval}} -{{#unless token}} -{{#if username}} -{{#if password}} -auth.basic.user: {{username}} -auth.basic.password: {{password}} -{{/if}} -{{/if}} -{{/unless}} -cursor: - index_earliest: - value: '[[.last_event.result.max_indextime]]' -request.url: {{url}}/services/search/jobs/export -{{#if ssl}} -request.ssl: {{ssl}} -{{/if}} -request.method: POST -request.transforms: - - set: - target: url.params.search - value: {{search}} | streamstats max(_indextime) AS max_indextime - - set: - target: url.params.output_mode - value: "json" - - set: - target: url.params.index_earliest - value: '[[ .cursor.index_earliest ]]' - default: '[[(now (parseDuration "-{{interval}}")).Unix]]' - - set: - target: url.params.index_latest - value: '[[(now).Unix]]' - - set: - target: header.Content-Type - value: application/x-www-form-urlencoded -{{#unless username}} -{{#unless password}} -{{#if token}} - - set: - target: header.Authorization - value: {{token}} -{{/if}} -{{/unless}} -{{/unless}} -response.decode_as: application/x-ndjson -response.split: - target: body.result._raw - type: string - delimiter: "\n" -tags: -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#each tags as |tag i|}} - - {{tag}} -{{/each}} -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} -{{#if processors}} -processors: -{{processors}} -{{/if}} diff --git a/packages/zeek/2.5.2/data_stream/smb_mapping/agent/stream/log.yml.hbs b/packages/zeek/2.5.2/data_stream/smb_mapping/agent/stream/log.yml.hbs deleted file mode 100755 index 9dd9f724a5..0000000000 --- a/packages/zeek/2.5.2/data_stream/smb_mapping/agent/stream/log.yml.hbs +++ /dev/null 
@@ -1,21 +0,0 @@ -paths: -{{#each base_paths}} - {{#each ../filenames}} - - {{../this}}/{{this}} - {{/each}} -{{/each}} -exclude_files: [".gz$"] -tags: -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#each tags as |tag i|}} - - {{tag}} -{{/each}} -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} -{{#if processors}} -processors: -{{processors}} -{{/if}} diff --git a/packages/zeek/2.5.2/data_stream/smb_mapping/elasticsearch/ingest_pipeline/default.yml b/packages/zeek/2.5.2/data_stream/smb_mapping/elasticsearch/ingest_pipeline/default.yml deleted file mode 100755 index 3d001996a5..0000000000 --- a/packages/zeek/2.5.2/data_stream/smb_mapping/elasticsearch/ingest_pipeline/default.yml +++ /dev/null 
@@ -1,164 +0,0 @@ ---- -description: Pipeline for normalizing Zeek smb_mapping.log -processors: - - rename: - field: message - target_field: event.original - - json: - field: event.original - target_field: _temp_ - - pipeline: - if: ctx?._temp_?.result != null - name: '{{ IngestPipeline "third-party" }}' - - drop: - description: Drop if no timestamp (invalid json) - if: 'ctx?._temp_?.ts == null' - - rename: - field: _temp_ - target_field: zeek.smb_mapping - -# Sets event.created from the @timestamp field generated by filebeat before being overwritten further down - - set: - field: event.created - copy_from: "@timestamp" - - set: - field: event.kind - value: event - - set: - field: ecs.version - value: '8.4.0' - - append: - field: event.category - value: network - - append: - field: event.type - value: connection - - append: - field: event.type - value: protocol - - set: - field: network.transport - value: tcp - - set: - field: network.protocol - value: smb - - dot_expander: - path: zeek.smb_mapping - field: id.orig_p - ignore_failure: true - - dot_expander: - path: zeek.smb_mapping - field: id.orig_h - ignore_failure: true - - dot_expander: - path: zeek.smb_mapping - field: id.resp_h - ignore_failure: true - - dot_expander: - path: zeek.smb_mapping - field: id.resp_p - ignore_failure: true - - rename: - field: zeek.smb_mapping.id.orig_h - target_field: source.address - ignore_missing: true - - rename: - field: zeek.smb_mapping.id.orig_p - target_field: source.port - ignore_missing: true - - rename: - field: zeek.smb_mapping.id.resp_h - target_field: destination.address - ignore_missing: true - - rename: - field: zeek.smb_mapping.id.resp_p - target_field: destination.port - ignore_missing: true - - rename: - field: zeek.smb_mapping.uid - target_field: zeek.session_id - ignore_missing: true - - set: - field: event.id - copy_from: zeek.session_id - if: ctx?.zeek?.session_id != null - - set: - field: source.ip - copy_from: source.address - if: ctx?.source?.address != 
null - - set: - field: destination.ip - copy_from: destination.address - if: ctx?.destination?.address != null - - date: - field: zeek.smb_mapping.ts - formats: - - UNIX - - ISO8601 - - remove: - field: zeek.smb_mapping.ts - - geoip: - field: destination.ip - target_field: destination.geo - ignore_missing: true - - geoip: - field: source.ip - target_field: source.geo - ignore_missing: true - - geoip: - database_file: GeoLite2-ASN.mmdb - field: source.ip - target_field: source.as - properties: - - asn - - organization_name - ignore_missing: true - - geoip: - database_file: GeoLite2-ASN.mmdb - field: destination.ip - target_field: destination.as - properties: - - asn - - organization_name - ignore_missing: true - - rename: - field: source.as.asn - target_field: source.as.number - ignore_missing: true - - rename: - field: source.as.organization_name - target_field: source.as.organization.name - ignore_missing: true - - rename: - field: destination.as.asn - target_field: destination.as.number - ignore_missing: true - - rename: - field: destination.as.organization_name - target_field: destination.as.organization.name - ignore_missing: true - - append: - field: related.ip - value: "{{source.ip}}" - if: "ctx?.source?.ip != null" - allow_duplicates: false - - append: - field: related.ip - value: "{{destination.ip}}" - if: "ctx?.destination?.ip != null" - allow_duplicates: false - - community_id: - target_field: network.community_id - - remove: - field: - - zeek.smb_mapping.id - ignore_missing: true - - remove: - field: event.original - if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" - ignore_failure: true - ignore_missing: true -on_failure: - - set: - field: error.message - value: "{{ _ingest.on_failure_message }}" 
diff --git a/packages/zeek/2.5.2/data_stream/smb_mapping/elasticsearch/ingest_pipeline/third-party.yml b/packages/zeek/2.5.2/data_stream/smb_mapping/elasticsearch/ingest_pipeline/third-party.yml deleted file mode 100755 index 5bc2247db2..0000000000 --- a/packages/zeek/2.5.2/data_stream/smb_mapping/elasticsearch/ingest_pipeline/third-party.yml +++ /dev/null @@ -1,39 +0,0 @@ ---- -description: Pipeline for parsing Zeek logs from third party api -processors: - - fingerprint: - fields: - - _temp_.result._cd - - _temp_.result._indextime - - _temp_.result._raw - - _temp_.result._time - - _temp_.result.host - - _temp_.result.source - target_field: '_id' - ignore_missing: true - - set: - field: event.original - copy_from: _temp_.result._raw - ignore_empty_value: true - - set: - field: host.name - copy_from: _temp_.result.host - ignore_empty_value: true - - set: - copy_from: _temp_.result.source - field: log.file.path - ignore_empty_value: true - - remove: - field: _temp_ - ignore_missing: true - - json: - field: event.original - target_field: _temp_ -on_failure: - - append: - field: error.message - value: >- - error in third party api pipeline: - error in [{{_ingest.on_failure_processor_type}}] processor{{#_ingest.on_failure_processor_tag}} - with tag [{{_ingest.on_failure_processor_tag }}]{{/_ingest.on_failure_processor_tag}} - {{ _ingest.on_failure_message }} diff --git a/packages/zeek/2.5.2/data_stream/smb_mapping/fields/agent.yml b/packages/zeek/2.5.2/data_stream/smb_mapping/fields/agent.yml deleted file mode 100755 index ed1313d1b0..0000000000 --- a/packages/zeek/2.5.2/data_stream/smb_mapping/fields/agent.yml +++ /dev/null 
@@ -1,171 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: "Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on." - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: "The cloud account or organization id used to identify different entities in a multi-tenant environment.\nExamples: AWS account id, Google Cloud ORG Id, or other unique identifier." - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: "Container fields are used for meta information about the specific container that is the source of information.\nThese fields help correlate data based containers from any runtime." - type: group - fields: - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: "A host is defined as a general computing instance.\nECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes." - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: "Name of the domain of which the host is a member.\nFor example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider." - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: "Hostname of the host.\nIt normally contains what the `hostname` command returns on the host machine." - - name: id - level: core - type: keyword - ignore_above: 1024 - description: "Unique host id.\nAs hostname is not always unique, use values that are meaningful in your environment.\nExample: The current usage of `beat.name`." - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. 
- - name: name - level: core - type: keyword - ignore_above: 1024 - description: "Name of the host.\nIt can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use." - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: "Type of host.\nFor Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment." - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - diff --git a/packages/zeek/2.5.2/data_stream/smb_mapping/fields/base-fields.yml b/packages/zeek/2.5.2/data_stream/smb_mapping/fields/base-fields.yml deleted file mode 100755 index b790ebf752..0000000000 --- a/packages/zeek/2.5.2/data_stream/smb_mapping/fields/base-fields.yml +++ /dev/null 
@@ -1,20 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: event.module - type: constant_keyword - description: Event module - value: zeek -- name: event.dataset - type: constant_keyword - description: Event dataset - value: zeek.smb_mapping -- name: '@timestamp' - type: date - description: Event timestamp. diff --git a/packages/zeek/2.5.2/data_stream/smb_mapping/fields/beats.yml b/packages/zeek/2.5.2/data_stream/smb_mapping/fields/beats.yml deleted file mode 100755 index 470f5fae48..0000000000 --- a/packages/zeek/2.5.2/data_stream/smb_mapping/fields/beats.yml +++ /dev/null @@ -1,23 +0,0 @@ -- description: Unique container id. - ignore_above: 1024 - name: container.id - type: keyword -- description: Type of Filebeat input. - name: input.type - type: keyword -- description: Full path to the log file this event came from. - example: /var/log/fun-times.log - ignore_above: 1024 - name: log.file.path - type: keyword -- description: Flags for the log file. - name: log.flags - type: keyword -- description: Offset of the entry in the log file. - name: log.offset - type: long -- description: List of keywords used to tag each event. - example: '["production", "env2"]' - ignore_above: 1024 - name: tags - type: keyword diff --git a/packages/zeek/2.5.2/data_stream/smb_mapping/fields/ecs.yml b/packages/zeek/2.5.2/data_stream/smb_mapping/fields/ecs.yml deleted file mode 100755 index 9f61db3e2d..0000000000 --- a/packages/zeek/2.5.2/data_stream/smb_mapping/fields/ecs.yml +++ /dev/null 
@@ -1,171 +0,0 @@ -- description: |- - Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: destination.address - type: keyword -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: destination.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: destination.as.organization.name - type: keyword -- description: City name. - name: destination.geo.city_name - type: keyword -- description: Name of the continent. - name: destination.geo.continent_name - type: keyword -- description: Country ISO code. - name: destination.geo.country_iso_code - type: keyword -- description: Country name. - name: destination.geo.country_name - type: keyword -- description: Longitude and latitude. - name: destination.geo.location - type: geo_point -- description: |- - User-defined description of a location, at the level of granularity they care about. - Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. - Not typically used in automated geolocation. - name: destination.geo.name - type: keyword -- description: Region ISO code. - name: destination.geo.region_iso_code - type: keyword -- description: Region name. - name: destination.geo.region_name - type: keyword -- description: IP address of the destination (IPv4 or IPv6). - name: destination.ip - type: ip -- description: Port of the destination. - name: destination.port - type: long -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. 
- When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: Error message. - name: error.message - type: match_only_text -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. This will allow proper categorization of some events that fall in multiple categories. - name: event.category - normalize: - - array - type: keyword -- description: |- - event.created contains the date/time when the event was first read by an agent, or by your pipeline. - This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. - In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. - In case the two timestamps are identical, @timestamp should be used. - name: event.created - type: date -- description: Unique ID to describe the event. - name: event.id - type: keyword -- description: |- - Timestamp when an event arrived in the central data store. - This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. - In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. 
- name: event.ingested - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. - `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. This will allow proper categorization of some events that fall in multiple event types. - name: event.type - normalize: - - array - type: keyword -- description: Full path to the file, including the file name. It should include the drive letter, when appropriate. - multi_fields: - - name: text - type: match_only_text - name: file.path - type: keyword -- description: Host ip addresses. - name: host.ip - normalize: - - array - type: ip -- description: |- - A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. - Learn more at https://github.com/corelight/community-id-spec. - name: network.community_id - type: keyword -- description: |- - In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. - The field value must be normalized to lowercase for querying. 
- name: network.protocol - type: keyword -- description: |- - Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) - The field value must be normalized to lowercase for querying. - name: network.transport - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - normalize: - - array - type: ip -- description: |- - Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: source.address - type: keyword -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: source.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: source.as.organization.name - type: keyword -- description: City name. - name: source.geo.city_name - type: keyword -- description: Name of the continent. - name: source.geo.continent_name - type: keyword -- description: Country ISO code. - name: source.geo.country_iso_code - type: keyword -- description: Country name. - name: source.geo.country_name - type: keyword -- description: Longitude and latitude. - name: source.geo.location - type: geo_point -- description: |- - User-defined description of a location, at the level of granularity they care about. - Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. - Not typically used in automated geolocation. - name: source.geo.name - type: keyword -- description: Region ISO code. - name: source.geo.region_iso_code - type: keyword -- description: Region name. - name: source.geo.region_name - type: keyword -- description: IP address of the source (IPv4 or IPv6). 
- name: source.ip - type: ip -- description: Port of the source. - name: source.port - type: long diff --git a/packages/zeek/2.5.2/data_stream/smb_mapping/fields/fields.yml b/packages/zeek/2.5.2/data_stream/smb_mapping/fields/fields.yml deleted file mode 100755 index 050d877b41..0000000000 --- a/packages/zeek/2.5.2/data_stream/smb_mapping/fields/fields.yml +++ /dev/null @@ -1,20 +0,0 @@ -- name: zeek.smb_mapping - type: group - fields: - - name: path - type: keyword - description: | - Name of the tree path. - - name: service - type: keyword - description: | - The type of resource of the tree (disk share, printer share, named pipe, etc.). - - name: native_file_system - type: keyword - description: | - File system of the tree. - - name: share_type - type: keyword - description: | - If this is SMB2, a share type will be included. For SMB1, the type of share - will be deduced and included as well. diff --git a/packages/zeek/2.5.2/data_stream/smb_mapping/fields/package-fields.yml b/packages/zeek/2.5.2/data_stream/smb_mapping/fields/package-fields.yml deleted file mode 100755 index 4d6d6ea170..0000000000 --- a/packages/zeek/2.5.2/data_stream/smb_mapping/fields/package-fields.yml +++ /dev/null @@ -1,7 +0,0 @@ -- name: zeek - type: group - fields: - - name: session_id - type: keyword - description: | - A unique identifier of the session diff --git a/packages/zeek/2.5.2/data_stream/smb_mapping/manifest.yml b/packages/zeek/2.5.2/data_stream/smb_mapping/manifest.yml deleted file mode 100755 index 8f43d7dba2..0000000000 --- a/packages/zeek/2.5.2/data_stream/smb_mapping/manifest.yml +++ /dev/null 
@@ -1,51 +0,0 @@ -type: logs -title: Zeek smb_mapping logs -streams: - - input: logfile - vars: - - name: filenames - type: text - title: Filename of smb_mapping log file - multi: true - required: true - show_user: true - default: - - smb_mapping.log - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: true - default: - - forwarded - - zeek.smb_mapping - template_path: log.yml.hbs - title: Zeek smb_mapping.log - description: Collect Zeek smb_mapping logs - - input: httpjson - title: Zeek smb_mapping logs via Splunk Enterprise REST API - description: Collect Zeek smb_mapping logs via Splunk Enterprise REST API - enabled: false - template_path: httpjson.yml.hbs - vars: - - name: interval - type: text - title: Interval to query Splunk Enterprise REST API - description: Go Duration syntax (eg. 10s) - show_user: true - required: true - default: 10s - - name: search - type: text - title: Splunk search string - show_user: true - required: true - default: "search sourcetype=\"smb_mapping-*\"" - - name: tags - type: text - title: Tags - multi: true - show_user: false - default: - - forwarded diff --git a/packages/zeek/2.5.2/data_stream/smtp/agent/stream/httpjson.yml.hbs b/packages/zeek/2.5.2/data_stream/smtp/agent/stream/httpjson.yml.hbs deleted file mode 100755 index 33f251e7d6..0000000000 --- a/packages/zeek/2.5.2/data_stream/smtp/agent/stream/httpjson.yml.hbs +++ /dev/null 
@@ -1,63 +0,0 @@ -config_version: 2 -interval: {{interval}} -{{#unless token}} -{{#if username}} -{{#if password}} -auth.basic.user: {{username}} -auth.basic.password: {{password}} -{{/if}} -{{/if}} -{{/unless}} -cursor: - index_earliest: - value: '[[.last_event.result.max_indextime]]' -request.url: {{url}}/services/search/jobs/export -{{#if ssl}} -request.ssl: {{ssl}} -{{/if}} -request.method: POST -request.transforms: - - set: - target: url.params.search - value: {{search}} | streamstats max(_indextime) AS max_indextime - - set: - target: url.params.output_mode - value: "json" - - set: - target: url.params.index_earliest - value: '[[ .cursor.index_earliest ]]' - default: '[[(now (parseDuration "-{{interval}}")).Unix]]' - - set: - target: url.params.index_latest - value: '[[(now).Unix]]' - - set: - target: header.Content-Type - value: application/x-www-form-urlencoded -{{#unless username}} -{{#unless password}} -{{#if token}} - - set: - target: header.Authorization - value: {{token}} -{{/if}} -{{/unless}} -{{/unless}} -response.decode_as: application/x-ndjson -response.split: - target: body.result._raw - type: string - delimiter: "\n" -tags: -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#each tags as |tag i|}} - - {{tag}} -{{/each}} -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} -{{#if processors}} -processors: -{{processors}} -{{/if}} diff --git a/packages/zeek/2.5.2/data_stream/smtp/agent/stream/log.yml.hbs b/packages/zeek/2.5.2/data_stream/smtp/agent/stream/log.yml.hbs deleted file mode 100755 index 9dd9f724a5..0000000000 --- a/packages/zeek/2.5.2/data_stream/smtp/agent/stream/log.yml.hbs +++ /dev/null 
@@ -1,21 +0,0 @@ -paths: -{{#each base_paths}} - {{#each ../filenames}} - - {{../this}}/{{this}} - {{/each}} -{{/each}} -exclude_files: [".gz$"] -tags: -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#each tags as |tag i|}} - - {{tag}} -{{/each}} -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} -{{#if processors}} -processors: -{{processors}} -{{/if}} diff --git a/packages/zeek/2.5.2/data_stream/smtp/elasticsearch/ingest_pipeline/default.yml b/packages/zeek/2.5.2/data_stream/smtp/elasticsearch/ingest_pipeline/default.yml deleted file mode 100755 index d44d23535f..0000000000 --- a/packages/zeek/2.5.2/data_stream/smtp/elasticsearch/ingest_pipeline/default.yml +++ /dev/null 
@@ -1,192 +0,0 @@ ---- -description: Pipeline for normalizing Zeek smtp.log -processors: - - rename: - field: message - target_field: event.original - - json: - field: event.original - target_field: _temp_ - - pipeline: - if: ctx?._temp_?.result != null - name: '{{ IngestPipeline "third-party" }}' - - drop: - description: Drop if no timestamp (invalid json) - if: 'ctx?._temp_?.ts == null' - - rename: - field: _temp_ - target_field: zeek.smtp - -# Sets event.created from the @timestamp field generated by filebeat before being overwritten further down - - set: - field: event.created - copy_from: "@timestamp" - - set: - field: event.kind - value: event - - set: - field: ecs.version - value: '8.4.0' - - append: - field: event.category - value: network - - append: - field: event.type - value: connection - - append: - field: event.type - value: protocol - - set: - field: network.transport - value: tcp - - set: - field: network.protocol - value: smtp - - dot_expander: - path: zeek.smtp - field: id.orig_p - ignore_failure: true - - dot_expander: - path: zeek.smtp - field: id.orig_h - ignore_failure: true - - dot_expander: - path: zeek.smtp - field: id.resp_h - ignore_failure: true - - dot_expander: - path: zeek.smtp - field: id.resp_p - ignore_failure: true - - rename: - field: zeek.smtp.id.orig_h - target_field: source.address - ignore_missing: true - - rename: - field: zeek.smtp.id.orig_p - target_field: source.port - ignore_missing: true - - rename: - field: zeek.smtp.id.resp_h - target_field: destination.address - ignore_missing: true - - rename: - field: zeek.smtp.id.resp_p - target_field: destination.port - ignore_missing: true - - rename: - field: zeek.smtp.uid - target_field: zeek.session_id - ignore_missing: true - - set: - field: event.id - copy_from: zeek.session_id - if: ctx?.zeek?.session_id != null - - set: - field: source.ip - copy_from: source.address - if: ctx?.source?.address != null - - set: - field: destination.ip - copy_from: destination.address - if: 
ctx?.destination?.address != null - - rename: - field: zeek.smtp.trans_depth - target_field: zeek.smtp.transaction_depth - ignore_missing: true - - rename: - field: zeek.smtp.mailfrom - target_field: zeek.smtp.mail_from - ignore_missing: true - - rename: - field: zeek.smtp.rcptto - target_field: zeek.smtp.rcpt_to - ignore_missing: true - - convert: - field: zeek.smtp.tls - target_field: tls.established - type: boolean - if: ctx?.zeek?.smtp?.tls != null - - date: - field: zeek.smtp.ts - formats: - - UNIX - - ISO8601 - - remove: - field: zeek.smtp.ts - - date: - field: zeek.smtp.date - target_field: zeek.smtp.date - formats: - - EEE, d MMM yyyy HH:mm:ss Z - if: ctx.zeek.smtp.date != null - - geoip: - field: destination.ip - target_field: destination.geo - ignore_missing: true - - geoip: - field: source.ip - target_field: source.geo - ignore_missing: true - - geoip: - database_file: GeoLite2-ASN.mmdb - field: source.ip - target_field: source.as - properties: - - asn - - organization_name - ignore_missing: true - - geoip: - database_file: GeoLite2-ASN.mmdb - field: destination.ip - target_field: destination.as - properties: - - asn - - organization_name - ignore_missing: true - - rename: - field: source.as.asn - target_field: source.as.number - ignore_missing: true - - rename: - field: source.as.organization_name - target_field: source.as.organization.name - ignore_missing: true - - rename: - field: destination.as.asn - target_field: destination.as.number - ignore_missing: true - - rename: - field: destination.as.organization_name - target_field: destination.as.organization.name - ignore_missing: true - - append: - field: related.ip - value: "{{source.ip}}" - if: "ctx?.source?.ip != null" - allow_duplicates: false - - append: - field: related.ip - value: "{{destination.ip}}" - if: "ctx?.destination?.ip != null" - allow_duplicates: false - - community_id: - target_field: network.community_id - - remove: - field: - - zeek.smtp.fuids - ignore_missing: true - if: 
'ctx?.zeek?.smtp?.fuids == null || ctx?.zeek?.smtp?.isEmpty()' - - remove: - field: - - zeek.smtp.id - ignore_missing: true - - remove: - field: event.original - if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" - ignore_failure: true - ignore_missing: true -on_failure: - - set: - field: error.message - value: "{{ _ingest.on_failure_message }}" diff --git a/packages/zeek/2.5.2/data_stream/smtp/elasticsearch/ingest_pipeline/third-party.yml b/packages/zeek/2.5.2/data_stream/smtp/elasticsearch/ingest_pipeline/third-party.yml deleted file mode 100755 index 5bc2247db2..0000000000 --- a/packages/zeek/2.5.2/data_stream/smtp/elasticsearch/ingest_pipeline/third-party.yml +++ /dev/null @@ -1,39 +0,0 @@ ---- -description: Pipeline for parsing Zeek logs from third party api -processors: - - fingerprint: - fields: - - _temp_.result._cd - - _temp_.result._indextime - - _temp_.result._raw - - _temp_.result._time - - _temp_.result.host - - _temp_.result.source - target_field: '_id' - ignore_missing: true - - set: - field: event.original - copy_from: _temp_.result._raw - ignore_empty_value: true - - set: - field: host.name - copy_from: _temp_.result.host - ignore_empty_value: true - - set: - copy_from: _temp_.result.source - field: log.file.path - ignore_empty_value: true - - remove: - field: _temp_ - ignore_missing: true - - json: - field: event.original - target_field: _temp_ -on_failure: - - append: - field: error.message - value: >- - error in third party api pipeline: - error in [{{_ingest.on_failure_processor_type}}] processor{{#_ingest.on_failure_processor_tag}} - with tag [{{_ingest.on_failure_processor_tag }}]{{/_ingest.on_failure_processor_tag}} - {{ _ingest.on_failure_message }} diff --git a/packages/zeek/2.5.2/data_stream/smtp/fields/agent.yml b/packages/zeek/2.5.2/data_stream/smtp/fields/agent.yml deleted file mode 100755 index ed1313d1b0..0000000000 --- a/packages/zeek/2.5.2/data_stream/smtp/fields/agent.yml +++ /dev/null 
@@ -1,171 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: "Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on." - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: "The cloud account or organization id used to identify different entities in a multi-tenant environment.\nExamples: AWS account id, Google Cloud ORG Id, or other unique identifier." - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: "Container fields are used for meta information about the specific container that is the source of information.\nThese fields help correlate data based containers from any runtime." - type: group - fields: - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: "A host is defined as a general computing instance.\nECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes." - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: "Name of the domain of which the host is a member.\nFor example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider." - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: "Hostname of the host.\nIt normally contains what the `hostname` command returns on the host machine." - - name: id - level: core - type: keyword - ignore_above: 1024 - description: "Unique host id.\nAs hostname is not always unique, use values that are meaningful in your environment.\nExample: The current usage of `beat.name`." - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. 
- - name: name - level: core - type: keyword - ignore_above: 1024 - description: "Name of the host.\nIt can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use." - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: "Type of host.\nFor Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment." - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - diff --git a/packages/zeek/2.5.2/data_stream/smtp/fields/base-fields.yml b/packages/zeek/2.5.2/data_stream/smtp/fields/base-fields.yml deleted file mode 100755 index c3f1dee8ed..0000000000 --- a/packages/zeek/2.5.2/data_stream/smtp/fields/base-fields.yml +++ /dev/null 
@@ -1,20 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: event.module - type: constant_keyword - description: Event module - value: zeek -- name: event.dataset - type: constant_keyword - description: Event dataset - value: zeek.smtp -- name: '@timestamp' - type: date - description: Event timestamp. diff --git a/packages/zeek/2.5.2/data_stream/smtp/fields/beats.yml b/packages/zeek/2.5.2/data_stream/smtp/fields/beats.yml deleted file mode 100755 index 470f5fae48..0000000000 --- a/packages/zeek/2.5.2/data_stream/smtp/fields/beats.yml +++ /dev/null @@ -1,23 +0,0 @@ -- description: Unique container id. - ignore_above: 1024 - name: container.id - type: keyword -- description: Type of Filebeat input. - name: input.type - type: keyword -- description: Full path to the log file this event came from. - example: /var/log/fun-times.log - ignore_above: 1024 - name: log.file.path - type: keyword -- description: Flags for the log file. - name: log.flags - type: keyword -- description: Offset of the entry in the log file. - name: log.offset - type: long -- description: List of keywords used to tag each event. - example: '["production", "env2"]' - ignore_above: 1024 - name: tags - type: keyword diff --git a/packages/zeek/2.5.2/data_stream/smtp/fields/ecs.yml b/packages/zeek/2.5.2/data_stream/smtp/fields/ecs.yml deleted file mode 100755 index e5b48f0f7f..0000000000 --- a/packages/zeek/2.5.2/data_stream/smtp/fields/ecs.yml +++ /dev/null 
@@ -1,168 +0,0 @@ -- description: |- - Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: destination.address - type: keyword -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: destination.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: destination.as.organization.name - type: keyword -- description: City name. - name: destination.geo.city_name - type: keyword -- description: Name of the continent. - name: destination.geo.continent_name - type: keyword -- description: Country ISO code. - name: destination.geo.country_iso_code - type: keyword -- description: Country name. - name: destination.geo.country_name - type: keyword -- description: Longitude and latitude. - name: destination.geo.location - type: geo_point -- description: |- - User-defined description of a location, at the level of granularity they care about. - Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. - Not typically used in automated geolocation. - name: destination.geo.name - type: keyword -- description: Region ISO code. - name: destination.geo.region_iso_code - type: keyword -- description: Region name. - name: destination.geo.region_name - type: keyword -- description: IP address of the destination (IPv4 or IPv6). - name: destination.ip - type: ip -- description: Port of the destination. - name: destination.port - type: long -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. 
- When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: Error message. - name: error.message - type: match_only_text -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. This will allow proper categorization of some events that fall in multiple categories. - name: event.category - normalize: - - array - type: keyword -- description: |- - event.created contains the date/time when the event was first read by an agent, or by your pipeline. - This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. - In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. - In case the two timestamps are identical, @timestamp should be used. - name: event.created - type: date -- description: Unique ID to describe the event. - name: event.id - type: keyword -- description: |- - Timestamp when an event arrived in the central data store. - This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. - In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. 
- name: event.ingested - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. - `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. This will allow proper categorization of some events that fall in multiple event types. - name: event.type - normalize: - - array - type: keyword -- description: Host ip addresses. - name: host.ip - normalize: - - array - type: ip -- description: |- - A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. - Learn more at https://github.com/corelight/community-id-spec. - name: network.community_id - type: keyword -- description: |- - In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. - The field value must be normalized to lowercase for querying. - name: network.protocol - type: keyword -- description: |- - Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) - The field value must be normalized to lowercase for querying. 
- name: network.transport - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - normalize: - - array - type: ip -- description: |- - Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: source.address - type: keyword -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: source.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: source.as.organization.name - type: keyword -- description: City name. - name: source.geo.city_name - type: keyword -- description: Name of the continent. - name: source.geo.continent_name - type: keyword -- description: Country ISO code. - name: source.geo.country_iso_code - type: keyword -- description: Country name. - name: source.geo.country_name - type: keyword -- description: Longitude and latitude. - name: source.geo.location - type: geo_point -- description: |- - User-defined description of a location, at the level of granularity they care about. - Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. - Not typically used in automated geolocation. - name: source.geo.name - type: keyword -- description: Region ISO code. - name: source.geo.region_iso_code - type: keyword -- description: Region name. - name: source.geo.region_name - type: keyword -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: Port of the source. - name: source.port - type: long -- description: Boolean flag indicating if the TLS negotiation was successful and transitioned to an encrypted tunnel. - name: tls.established - type: boolean 
diff --git a/packages/zeek/2.5.2/data_stream/smtp/fields/fields.yml b/packages/zeek/2.5.2/data_stream/smtp/fields/fields.yml deleted file mode 100755 index 167b12eb1f..0000000000 --- a/packages/zeek/2.5.2/data_stream/smtp/fields/fields.yml +++ /dev/null 
@@ -1,96 +0,0 @@ -- name: zeek.smtp - type: group - fields: - - name: transaction_depth - type: integer - description: | - A count to represent the depth of this message transaction in a single connection where multiple messages were transferred. - - name: helo - type: keyword - description: | - Contents of the Helo header. - - name: mail_from - type: keyword - description: | - Email addresses found in the MAIL FROM header. - - name: rcpt_to - type: keyword - description: | - Email addresses found in the RCPT TO header. - - name: date - type: date - description: | - Contents of the Date header. - - name: from - type: keyword - description: | - Contents of the From header. - - name: to - type: keyword - description: | - Contents of the To header. - - name: cc - type: keyword - description: | - Contents of the CC header. - - name: reply_to - type: keyword - description: | - Contents of the ReplyTo header. - - name: msg_id - type: keyword - description: | - Contents of the MsgID header. - - name: in_reply_to - type: keyword - description: | - Contents of the In-Reply-To header. - - name: subject - type: keyword - description: | - Contents of the Subject header. - - name: x_originating_ip - type: keyword - description: | - Contents of the X-Originating-IP header. - - name: first_received - type: keyword - description: | - Contents of the first Received header. - - name: second_received - type: keyword - description: | - Contents of the second Received header. - - name: last_reply - type: keyword - description: | - The last message that the server sent to the client. - - name: path - type: ip - description: | - The message transmission path, as extracted from the headers. - - name: user_agent - type: keyword - description: | - Value of the User-Agent header from the client. - - name: tls - type: boolean - description: | - Indicates that the connection has switched to using TLS. 
- - name: process_received_from - type: boolean - description: | - Indicates if the "Received: from" headers should still be processed. - - name: has_client_activity - type: boolean - description: | - Indicates if client activity has been seen, but not yet logged. - - name: fuids - type: keyword - description: | - (present if base/protocols/smtp/files.bro is loaded) - An ordered vector of file unique IDs seen attached to the message. - - name: is_webmail - type: boolean - description: | - Indicates if the message was sent through a webmail interface. diff --git a/packages/zeek/2.5.2/data_stream/smtp/fields/package-fields.yml b/packages/zeek/2.5.2/data_stream/smtp/fields/package-fields.yml deleted file mode 100755 index 4d6d6ea170..0000000000 --- a/packages/zeek/2.5.2/data_stream/smtp/fields/package-fields.yml +++ /dev/null @@ -1,7 +0,0 @@ -- name: zeek - type: group - fields: - - name: session_id - type: keyword - description: | - A unique identifier of the session diff --git a/packages/zeek/2.5.2/data_stream/smtp/manifest.yml b/packages/zeek/2.5.2/data_stream/smtp/manifest.yml deleted file mode 100755 index d9f7afcd41..0000000000 --- a/packages/zeek/2.5.2/data_stream/smtp/manifest.yml +++ /dev/null 
@@ -1,85 +0,0 @@ -type: logs -title: Zeek smtp logs -streams: - - input: logfile - vars: - - name: filenames - type: text - title: Filename of smtp log file - multi: true - required: true - show_user: true - default: - - smtp.log - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: false - default: - - forwarded - - zeek-smtp - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original` - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: > - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. - - template_path: log.yml.hbs - title: Zeek smtp.log - description: Collect Zeek smtp logs - - input: httpjson - title: Zeek smtp logs via Splunk Enterprise REST API - description: Collect Zeek smtp logs via Splunk Enterprise REST API - enabled: false - template_path: httpjson.yml.hbs - vars: - - name: interval - type: text - title: Interval to query Splunk Enterprise REST API - description: Go Duration syntax (eg. 
10s) - show_user: true - required: true - default: 10s - - name: search - type: text - title: Splunk search string - show_user: true - required: true - default: "search sourcetype=\"smtp-*\"" - - name: tags - type: text - title: Tags - multi: true - show_user: false - default: - - forwarded - - zeek-smtp - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original` - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: >- - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. diff --git a/packages/zeek/2.5.2/data_stream/snmp/agent/stream/httpjson.yml.hbs b/packages/zeek/2.5.2/data_stream/snmp/agent/stream/httpjson.yml.hbs deleted file mode 100755 index 33f251e7d6..0000000000 --- a/packages/zeek/2.5.2/data_stream/snmp/agent/stream/httpjson.yml.hbs +++ /dev/null 
@@ -1,63 +0,0 @@ -config_version: 2 -interval: {{interval}} -{{#unless token}} -{{#if username}} -{{#if password}} -auth.basic.user: {{username}} -auth.basic.password: {{password}} -{{/if}} -{{/if}} -{{/unless}} -cursor: - index_earliest: - value: '[[.last_event.result.max_indextime]]' -request.url: {{url}}/services/search/jobs/export -{{#if ssl}} -request.ssl: {{ssl}} -{{/if}} -request.method: POST -request.transforms: - - set: - target: url.params.search - value: {{search}} | streamstats max(_indextime) AS max_indextime - - set: - target: url.params.output_mode - value: "json" - - set: - target: url.params.index_earliest - value: '[[ .cursor.index_earliest ]]' - default: '[[(now (parseDuration "-{{interval}}")).Unix]]' - - set: - target: url.params.index_latest - value: '[[(now).Unix]]' - - set: - target: header.Content-Type - value: application/x-www-form-urlencoded -{{#unless username}} -{{#unless password}} -{{#if token}} - - set: - target: header.Authorization - value: {{token}} -{{/if}} -{{/unless}} -{{/unless}} -response.decode_as: application/x-ndjson -response.split: - target: body.result._raw - type: string - delimiter: "\n" -tags: -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#each tags as |tag i|}} - - {{tag}} -{{/each}} -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} -{{#if processors}} -processors: -{{processors}} -{{/if}} diff --git a/packages/zeek/2.5.2/data_stream/snmp/agent/stream/log.yml.hbs b/packages/zeek/2.5.2/data_stream/snmp/agent/stream/log.yml.hbs deleted file mode 100755 index 9dd9f724a5..0000000000 --- a/packages/zeek/2.5.2/data_stream/snmp/agent/stream/log.yml.hbs +++ /dev/null 
@@ -1,21 +0,0 @@ -paths: -{{#each base_paths}} - {{#each ../filenames}} - - {{../this}}/{{this}} - {{/each}} -{{/each}} -exclude_files: [".gz$"] -tags: -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#each tags as |tag i|}} - - {{tag}} -{{/each}} -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} -{{#if processors}} -processors: -{{processors}} -{{/if}} diff --git a/packages/zeek/2.5.2/data_stream/snmp/elasticsearch/ingest_pipeline/default.yml b/packages/zeek/2.5.2/data_stream/snmp/elasticsearch/ingest_pipeline/default.yml deleted file mode 100755 index 0896e48264..0000000000 --- a/packages/zeek/2.5.2/data_stream/snmp/elasticsearch/ingest_pipeline/default.yml +++ /dev/null 
@@ -1,187 +0,0 @@ ---- -description: Pipeline for normalizing Zeek snmp.log -processors: - - rename: - field: message - target_field: event.original - - json: - field: event.original - target_field: _temp_ - - pipeline: - if: ctx?._temp_?.result != null - name: '{{ IngestPipeline "third-party" }}' - - drop: - description: Drop if no timestamp (invalid json) - if: 'ctx?._temp_?.ts == null' - - rename: - field: _temp_ - target_field: zeek.snmp - -# Sets event.created from the @timestamp field generated by filebeat before being overwritten further down - - set: - field: event.created - copy_from: "@timestamp" - - set: - field: event.kind - value: event - - set: - field: ecs.version - value: '8.4.0' - - append: - field: event.category - value: network - - append: - field: event.type - value: connection - - append: - field: event.type - value: protocol - - set: - field: network.transport - value: udp - - set: - field: network.protocol - value: snmp - - dot_expander: - path: zeek.snmp - field: id.orig_p - ignore_failure: true - - dot_expander: - path: zeek.snmp - field: id.orig_h - ignore_failure: true - - dot_expander: - path: zeek.snmp - field: id.resp_h - ignore_failure: true - - dot_expander: - path: zeek.snmp - field: id.resp_p - ignore_failure: true - - rename: - field: zeek.snmp.id.orig_h - target_field: source.address - ignore_missing: true - - rename: - field: zeek.snmp.id.orig_p - target_field: source.port - ignore_missing: true - - rename: - field: zeek.snmp.id.resp_h - target_field: destination.address - ignore_missing: true - - rename: - field: zeek.snmp.id.resp_p - target_field: destination.port - ignore_missing: true - - rename: - field: zeek.snmp.uid - target_field: zeek.session_id - ignore_missing: true - - set: - field: event.id - copy_from: zeek.session_id - if: ctx?.zeek?.session_id != null - - set: - field: source.ip - copy_from: source.address - if: ctx?.source?.address != null - - set: - field: destination.ip - copy_from: destination.address - if: 
ctx?.destination?.address != null - - rename: - field: zeek.snmp.get_requests - target_field: zeek.snmp.get.requests - ignore_missing: true - - rename: - field: zeek.snmp.get_bulk_requests - target_field: zeek.snmp.get.bulk_requests - ignore_missing: true - - rename: - field: zeek.snmp.get_responses - target_field: zeek.snmp.get.responses - ignore_missing: true - - rename: - field: zeek.snmp.set_requests - target_field: zeek.snmp.set.requests - ignore_missing: true - - date: - field: zeek.snmp.ts - formats: - - UNIX - - ISO8601 - - remove: - field: zeek.snmp.ts - - date: - field: zeek.snmp.up_since - target_field: zeek.snmp.up_since - formats: - - UNIX - - ISO8601 - if: ctx.zeek.snmp.up_since != null - - geoip: - field: destination.ip - target_field: destination.geo - ignore_missing: true - - geoip: - field: source.ip - target_field: source.geo - ignore_missing: true - - geoip: - database_file: GeoLite2-ASN.mmdb - field: source.ip - target_field: source.as - properties: - - asn - - organization_name - ignore_missing: true - - geoip: - database_file: GeoLite2-ASN.mmdb - field: destination.ip - target_field: destination.as - properties: - - asn - - organization_name - ignore_missing: true - - rename: - field: source.as.asn - target_field: source.as.number - ignore_missing: true - - rename: - field: source.as.organization_name - target_field: source.as.organization.name - ignore_missing: true - - rename: - field: destination.as.asn - target_field: destination.as.number - ignore_missing: true - - rename: - field: destination.as.organization_name - target_field: destination.as.organization.name - ignore_missing: true - - append: - field: related.ip - value: "{{source.ip}}" - if: "ctx?.source?.ip != null" - allow_duplicates: false - - append: - field: related.ip - value: "{{destination.ip}}" - if: "ctx?.destination?.ip != null" - allow_duplicates: false - - community_id: - target_field: network.community_id - - remove: - field: - - zeek.snmp.id - ignore_missing: true - - 
remove: - field: event.original - if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" - ignore_failure: true - ignore_missing: true -on_failure: - - set: - field: error.message - value: "{{ _ingest.on_failure_message }}" diff --git a/packages/zeek/2.5.2/data_stream/snmp/elasticsearch/ingest_pipeline/third-party.yml b/packages/zeek/2.5.2/data_stream/snmp/elasticsearch/ingest_pipeline/third-party.yml deleted file mode 100755 index 5bc2247db2..0000000000 --- a/packages/zeek/2.5.2/data_stream/snmp/elasticsearch/ingest_pipeline/third-party.yml +++ /dev/null @@ -1,39 +0,0 @@ ---- -description: Pipeline for parsing Zeek logs from third party api -processors: - - fingerprint: - fields: - - _temp_.result._cd - - _temp_.result._indextime - - _temp_.result._raw - - _temp_.result._time - - _temp_.result.host - - _temp_.result.source - target_field: '_id' - ignore_missing: true - - set: - field: event.original - copy_from: _temp_.result._raw - ignore_empty_value: true - - set: - field: host.name - copy_from: _temp_.result.host - ignore_empty_value: true - - set: - copy_from: _temp_.result.source - field: log.file.path - ignore_empty_value: true - - remove: - field: _temp_ - ignore_missing: true - - json: - field: event.original - target_field: _temp_ -on_failure: - - append: - field: error.message - value: >- - error in third party api pipeline: - error in [{{_ingest.on_failure_processor_type}}] processor{{#_ingest.on_failure_processor_tag}} - with tag [{{_ingest.on_failure_processor_tag }}]{{/_ingest.on_failure_processor_tag}} - {{ _ingest.on_failure_message }} diff --git a/packages/zeek/2.5.2/data_stream/snmp/fields/agent.yml b/packages/zeek/2.5.2/data_stream/snmp/fields/agent.yml deleted file mode 100755 index ed1313d1b0..0000000000 --- a/packages/zeek/2.5.2/data_stream/snmp/fields/agent.yml +++ /dev/null 
@@ -1,171 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: "Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on." - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: "The cloud account or organization id used to identify different entities in a multi-tenant environment.\nExamples: AWS account id, Google Cloud ORG Id, or other unique identifier." - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: "Container fields are used for meta information about the specific container that is the source of information.\nThese fields help correlate data based containers from any runtime." - type: group - fields: - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: "A host is defined as a general computing instance.\nECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes." - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: "Name of the domain of which the host is a member.\nFor example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider." - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: "Hostname of the host.\nIt normally contains what the `hostname` command returns on the host machine." - - name: id - level: core - type: keyword - ignore_above: 1024 - description: "Unique host id.\nAs hostname is not always unique, use values that are meaningful in your environment.\nExample: The current usage of `beat.name`." - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. 
- - name: name - level: core - type: keyword - ignore_above: 1024 - description: "Name of the host.\nIt can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use." - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: "Type of host.\nFor Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment." - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - diff --git a/packages/zeek/2.5.2/data_stream/snmp/fields/base-fields.yml b/packages/zeek/2.5.2/data_stream/snmp/fields/base-fields.yml deleted file mode 100755 index 604ea318eb..0000000000 --- a/packages/zeek/2.5.2/data_stream/snmp/fields/base-fields.yml +++ /dev/null 
@@ -1,20 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: event.module - type: constant_keyword - description: Event module - value: zeek -- name: event.dataset - type: constant_keyword - description: Event dataset - value: zeek.snmp -- name: '@timestamp' - type: date - description: Event timestamp. diff --git a/packages/zeek/2.5.2/data_stream/snmp/fields/beats.yml b/packages/zeek/2.5.2/data_stream/snmp/fields/beats.yml deleted file mode 100755 index 470f5fae48..0000000000 --- a/packages/zeek/2.5.2/data_stream/snmp/fields/beats.yml +++ /dev/null @@ -1,23 +0,0 @@ -- description: Unique container id. - ignore_above: 1024 - name: container.id - type: keyword -- description: Type of Filebeat input. - name: input.type - type: keyword -- description: Full path to the log file this event came from. - example: /var/log/fun-times.log - ignore_above: 1024 - name: log.file.path - type: keyword -- description: Flags for the log file. - name: log.flags - type: keyword -- description: Offset of the entry in the log file. - name: log.offset - type: long -- description: List of keywords used to tag each event. - example: '["production", "env2"]' - ignore_above: 1024 - name: tags - type: keyword diff --git a/packages/zeek/2.5.2/data_stream/snmp/fields/ecs.yml b/packages/zeek/2.5.2/data_stream/snmp/fields/ecs.yml deleted file mode 100755 index 12fe1b3f04..0000000000 --- a/packages/zeek/2.5.2/data_stream/snmp/fields/ecs.yml +++ /dev/null 
@@ -1,165 +0,0 @@ -- description: |- - Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: destination.address - type: keyword -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: destination.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: destination.as.organization.name - type: keyword -- description: City name. - name: destination.geo.city_name - type: keyword -- description: Name of the continent. - name: destination.geo.continent_name - type: keyword -- description: Country ISO code. - name: destination.geo.country_iso_code - type: keyword -- description: Country name. - name: destination.geo.country_name - type: keyword -- description: Longitude and latitude. - name: destination.geo.location - type: geo_point -- description: |- - User-defined description of a location, at the level of granularity they care about. - Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. - Not typically used in automated geolocation. - name: destination.geo.name - type: keyword -- description: Region ISO code. - name: destination.geo.region_iso_code - type: keyword -- description: Region name. - name: destination.geo.region_name - type: keyword -- description: IP address of the destination (IPv4 or IPv6). - name: destination.ip - type: ip -- description: Port of the destination. - name: destination.port - type: long -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. 
- When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: Error message. - name: error.message - type: match_only_text -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. This will allow proper categorization of some events that fall in multiple categories. - name: event.category - normalize: - - array - type: keyword -- description: |- - event.created contains the date/time when the event was first read by an agent, or by your pipeline. - This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. - In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. - In case the two timestamps are identical, @timestamp should be used. - name: event.created - type: date -- description: Unique ID to describe the event. - name: event.id - type: keyword -- description: |- - Timestamp when an event arrived in the central data store. - This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. - In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. 
- name: event.ingested - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. - `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. This will allow proper categorization of some events that fall in multiple event types. - name: event.type - normalize: - - array - type: keyword -- description: Host ip addresses. - name: host.ip - normalize: - - array - type: ip -- description: |- - A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. - Learn more at https://github.com/corelight/community-id-spec. - name: network.community_id - type: keyword -- description: |- - In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. - The field value must be normalized to lowercase for querying. - name: network.protocol - type: keyword -- description: |- - Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) - The field value must be normalized to lowercase for querying. 
- name: network.transport - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - normalize: - - array - type: ip -- description: |- - Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: source.address - type: keyword -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: source.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: source.as.organization.name - type: keyword -- description: City name. - name: source.geo.city_name - type: keyword -- description: Name of the continent. - name: source.geo.continent_name - type: keyword -- description: Country ISO code. - name: source.geo.country_iso_code - type: keyword -- description: Country name. - name: source.geo.country_name - type: keyword -- description: Longitude and latitude. - name: source.geo.location - type: geo_point -- description: |- - User-defined description of a location, at the level of granularity they care about. - Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. - Not typically used in automated geolocation. - name: source.geo.name - type: keyword -- description: Region ISO code. - name: source.geo.region_iso_code - type: keyword -- description: Region name. - name: source.geo.region_name - type: keyword -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: Port of the source. - name: source.port - type: long 
diff --git a/packages/zeek/2.5.2/data_stream/snmp/fields/fields.yml b/packages/zeek/2.5.2/data_stream/snmp/fields/fields.yml deleted file mode 100755 index f005e686aa..0000000000 --- a/packages/zeek/2.5.2/data_stream/snmp/fields/fields.yml +++ /dev/null @@ -1,45 +0,0 @@ -- name: zeek.snmp - type: group - fields: - - name: duration - type: double - description: | - The amount of time between the first packet beloning to the SNMP session and the latest one seen. - - name: version - type: keyword - description: | - The version of SNMP being used. - - name: community - type: keyword - description: | - The community string of the first SNMP packet associated with the session. This is used as part of SNMP's (v1 and v2c) administrative/security framework. See RFC 1157 or RFC 1901. - - name: get - type: group - fields: - - name: requests - type: integer - description: | - The number of variable bindings in GetRequest/GetNextRequest PDUs seen for the session. - - name: bulk_requests - type: integer - description: | - The number of variable bindings in GetBulkRequest PDUs seen for the session. - - name: responses - type: integer - description: | - The number of variable bindings in GetResponse/Response PDUs seen for the session. - - name: set - type: group - fields: - - name: requests - type: integer - description: | - The number of variable bindings in SetRequest PDUs seen for the session. - - name: display_string - type: keyword - description: | - A system description of the SNMP responder endpoint. - - name: up_since - type: date - description: | - The time at which the SNMP responder endpoint claims it's been up since. diff --git a/packages/zeek/2.5.2/data_stream/snmp/fields/package-fields.yml b/packages/zeek/2.5.2/data_stream/snmp/fields/package-fields.yml deleted file mode 100755 index 4d6d6ea170..0000000000 --- a/packages/zeek/2.5.2/data_stream/snmp/fields/package-fields.yml +++ /dev/null 
@@ -1,7 +0,0 @@ -- name: zeek - type: group - fields: - - name: session_id - type: keyword - description: | - A unique identifier of the session diff --git a/packages/zeek/2.5.2/data_stream/snmp/manifest.yml b/packages/zeek/2.5.2/data_stream/snmp/manifest.yml deleted file mode 100755 index 8fadc2cfd4..0000000000 --- a/packages/zeek/2.5.2/data_stream/snmp/manifest.yml +++ /dev/null 
@@ -1,85 +0,0 @@ -type: logs -title: Zeek snmp logs -streams: - - input: logfile - vars: - - name: filenames - type: text - title: Filename of snmp log file - multi: true - required: true - show_user: true - default: - - snmp.log - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: false - default: - - forwarded - - zeek-snmp - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original` - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: > - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. - - template_path: log.yml.hbs - title: Zeek snmp.log - description: Collect Zeek snmp logs - - input: httpjson - title: Zeek snmp logs via Splunk Enterprise REST API - description: Collect Zeek snmp logs via Splunk Enterprise REST API - enabled: false - template_path: httpjson.yml.hbs - vars: - - name: interval - type: text - title: Interval to query Splunk Enterprise REST API - description: Go Duration syntax (eg. 
10s) - show_user: true - required: true - default: 10s - - name: search - type: text - title: Splunk search string - show_user: true - required: true - default: "search sourcetype=\"snmp-*\"" - - name: tags - type: text - title: Tags - multi: true - show_user: false - default: - - forwarded - - zeek-snmp - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original` - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: >- - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. diff --git a/packages/zeek/2.5.2/data_stream/socks/agent/stream/httpjson.yml.hbs b/packages/zeek/2.5.2/data_stream/socks/agent/stream/httpjson.yml.hbs deleted file mode 100755 index 33f251e7d6..0000000000 --- a/packages/zeek/2.5.2/data_stream/socks/agent/stream/httpjson.yml.hbs +++ /dev/null 
@@ -1,63 +0,0 @@ -config_version: 2 -interval: {{interval}} -{{#unless token}} -{{#if username}} -{{#if password}} -auth.basic.user: {{username}} -auth.basic.password: {{password}} -{{/if}} -{{/if}} -{{/unless}} -cursor: - index_earliest: - value: '[[.last_event.result.max_indextime]]' -request.url: {{url}}/services/search/jobs/export -{{#if ssl}} -request.ssl: {{ssl}} -{{/if}} -request.method: POST -request.transforms: - - set: - target: url.params.search - value: {{search}} | streamstats max(_indextime) AS max_indextime - - set: - target: url.params.output_mode - value: "json" - - set: - target: url.params.index_earliest - value: '[[ .cursor.index_earliest ]]' - default: '[[(now (parseDuration "-{{interval}}")).Unix]]' - - set: - target: url.params.index_latest - value: '[[(now).Unix]]' - - set: - target: header.Content-Type - value: application/x-www-form-urlencoded -{{#unless username}} -{{#unless password}} -{{#if token}} - - set: - target: header.Authorization - value: {{token}} -{{/if}} -{{/unless}} -{{/unless}} -response.decode_as: application/x-ndjson -response.split: - target: body.result._raw - type: string - delimiter: "\n" -tags: -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#each tags as |tag i|}} - - {{tag}} -{{/each}} -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} -{{#if processors}} -processors: -{{processors}} -{{/if}} diff --git a/packages/zeek/2.5.2/data_stream/socks/agent/stream/log.yml.hbs b/packages/zeek/2.5.2/data_stream/socks/agent/stream/log.yml.hbs deleted file mode 100755 index 9dd9f724a5..0000000000 --- a/packages/zeek/2.5.2/data_stream/socks/agent/stream/log.yml.hbs +++ /dev/null 
@@ -1,21 +0,0 @@ -paths: -{{#each base_paths}} - {{#each ../filenames}} - - {{../this}}/{{this}} - {{/each}} -{{/each}} -exclude_files: [".gz$"] -tags: -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#each tags as |tag i|}} - - {{tag}} -{{/each}} -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} -{{#if processors}} -processors: -{{processors}} -{{/if}} diff --git a/packages/zeek/2.5.2/data_stream/socks/elasticsearch/ingest_pipeline/default.yml b/packages/zeek/2.5.2/data_stream/socks/elasticsearch/ingest_pipeline/default.yml deleted file mode 100755 index d5d9cf8670..0000000000 --- a/packages/zeek/2.5.2/data_stream/socks/elasticsearch/ingest_pipeline/default.yml +++ /dev/null 
@@ -1,204 +0,0 @@ ---- -description: Pipeline for normalizing Zeek socks.log -processors: - - rename: - field: message - target_field: event.original - - json: - field: event.original - target_field: _temp_ - - pipeline: - if: ctx?._temp_?.result != null - name: '{{ IngestPipeline "third-party" }}' - - drop: - description: Drop if no timestamp (invalid json) - if: 'ctx?._temp_?.ts == null' - - rename: - field: _temp_ - target_field: zeek.socks - -# Sets event.created from the @timestamp field generated by filebeat before being overwritten further down - - set: - field: event.created - copy_from: "@timestamp" - - set: - field: event.kind - value: event - - set: - field: ecs.version - value: '8.4.0' - - append: - field: event.category - value: network - - append: - field: event.type - value: connection - - append: - field: event.type - value: protocol - - set: - field: network.transport - value: tcp - - set: - field: network.protocol - value: socks - - dot_expander: - path: zeek.socks - field: id.orig_p - ignore_failure: true - - dot_expander: - path: zeek.socks - field: id.orig_h - ignore_failure: true - - dot_expander: - path: zeek.socks - field: id.resp_h - ignore_failure: true - - dot_expander: - path: zeek.socks - field: id.resp_p - ignore_failure: true - - dot_expander: - path: zeek.socks - field: request.name - ignore_failure: true - - rename: - field: zeek.socks.id.orig_h - target_field: source.address - ignore_missing: true - - rename: - field: zeek.socks.id.orig_p - target_field: source.port - ignore_missing: true - - rename: - field: zeek.socks.id.resp_h - target_field: destination.address - ignore_missing: true - - rename: - field: zeek.socks.id.resp_p - target_field: destination.port - ignore_missing: true - - rename: - field: zeek.socks.uid - target_field: zeek.session_id - ignore_missing: true - - set: - field: event.id - copy_from: zeek.session_id - if: ctx?.zeek?.session_id != null - - set: - field: source.ip - copy_from: source.address - if: 
ctx?.source?.address != null - - set: - field: destination.ip - copy_from: destination.address - if: ctx?.destination?.address != null - - rename: - field: zeek.socks.request.name - target_field: zeek.socks.request.host - ignore_missing: true - - rename: - field: zeek.socks.request_p - target_field: zeek.socks.request.port - ignore_missing: true - - rename: - field: zeek.socks.bound_p - target_field: zeek.socks.bound.port - ignore_missing: true - - set: - field: user.name - copy_from: zeek.socks.user - if: ctx?.zeek?.socks?.user != null - - date: - field: zeek.socks.ts - formats: - - UNIX - - ISO8601 - - remove: - field: zeek.socks.ts - - dot_expander: - field: bound.host - path: zeek.socks - - geoip: - field: destination.ip - target_field: destination.geo - ignore_missing: true - - geoip: - field: source.ip - target_field: source.geo - ignore_missing: true - - geoip: - database_file: GeoLite2-ASN.mmdb - field: source.ip - target_field: source.as - properties: - - asn - - organization_name - ignore_missing: true - - geoip: - database_file: GeoLite2-ASN.mmdb - field: destination.ip - target_field: destination.as - properties: - - asn - - organization_name - ignore_missing: true - - rename: - field: source.as.asn - target_field: source.as.number - ignore_missing: true - - rename: - field: source.as.organization_name - target_field: source.as.organization.name - ignore_missing: true - - rename: - field: destination.as.asn - target_field: destination.as.number - ignore_missing: true - - rename: - field: destination.as.organization_name - target_field: destination.as.organization.name - ignore_missing: true - - append: - field: related.ip - value: "{{source.ip}}" - if: "ctx?.source?.ip != null" - allow_duplicates: false - - append: - field: related.ip - value: "{{destination.ip}}" - if: "ctx?.destination?.ip != null" - allow_duplicates: false - - append: - field: related.user - value: "{{user.name}}" - if: "ctx?.user?.name != null" - allow_duplicates: false - - append: 
- field: event.type - value: error - if: "ctx?.zeek?.socks?.status != null && ctx.zeek.socks.status != 'succeeded'" - - set: - field: event.outcome - value: success - if: "ctx?.zeek?.socks?.status != null && ctx.zeek.socks.status == 'succeeded'" - - set: - field: event.outcome - value: failure - if: "ctx?.zeek?.socks?.status != null && ctx.zeek.socks.status != 'succeeded'" - - community_id: - target_field: network.community_id - - remove: - field: - - zeek.socks.id - ignore_missing: true - - remove: - field: event.original - if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" - ignore_failure: true - ignore_missing: true -on_failure: - - set: - field: error.message - value: "{{ _ingest.on_failure_message }}" diff --git a/packages/zeek/2.5.2/data_stream/socks/elasticsearch/ingest_pipeline/third-party.yml b/packages/zeek/2.5.2/data_stream/socks/elasticsearch/ingest_pipeline/third-party.yml deleted file mode 100755 index 5bc2247db2..0000000000 --- a/packages/zeek/2.5.2/data_stream/socks/elasticsearch/ingest_pipeline/third-party.yml +++ /dev/null 
@@ -1,39 +0,0 @@ ---- -description: Pipeline for parsing Zeek logs from third party api -processors: - - fingerprint: - fields: - - _temp_.result._cd - - _temp_.result._indextime - - _temp_.result._raw - - _temp_.result._time - - _temp_.result.host - - _temp_.result.source - target_field: '_id' - ignore_missing: true - - set: - field: event.original - copy_from: _temp_.result._raw - ignore_empty_value: true - - set: - field: host.name - copy_from: _temp_.result.host - ignore_empty_value: true - - set: - copy_from: _temp_.result.source - field: log.file.path - ignore_empty_value: true - - remove: - field: _temp_ - ignore_missing: true - - json: - field: event.original - target_field: _temp_ -on_failure: - - append: - field: error.message - value: >- - error in third party api pipeline: - error in [{{_ingest.on_failure_processor_type}}] processor{{#_ingest.on_failure_processor_tag}} - with tag [{{_ingest.on_failure_processor_tag }}]{{/_ingest.on_failure_processor_tag}} - {{ _ingest.on_failure_message }} diff --git a/packages/zeek/2.5.2/data_stream/socks/fields/agent.yml b/packages/zeek/2.5.2/data_stream/socks/fields/agent.yml deleted file mode 100755 index ed1313d1b0..0000000000 --- a/packages/zeek/2.5.2/data_stream/socks/fields/agent.yml +++ /dev/null 
@@ -1,171 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: "Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on." - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: "The cloud account or organization id used to identify different entities in a multi-tenant environment.\nExamples: AWS account id, Google Cloud ORG Id, or other unique identifier." - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: "Container fields are used for meta information about the specific container that is the source of information.\nThese fields help correlate data based containers from any runtime." - type: group - fields: - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: "A host is defined as a general computing instance.\nECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes." - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: "Name of the domain of which the host is a member.\nFor example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider." - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: "Hostname of the host.\nIt normally contains what the `hostname` command returns on the host machine." - - name: id - level: core - type: keyword - ignore_above: 1024 - description: "Unique host id.\nAs hostname is not always unique, use values that are meaningful in your environment.\nExample: The current usage of `beat.name`." - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. 
- - name: name - level: core - type: keyword - ignore_above: 1024 - description: "Name of the host.\nIt can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use." - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: "Type of host.\nFor Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment." - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - diff --git a/packages/zeek/2.5.2/data_stream/socks/fields/base-fields.yml b/packages/zeek/2.5.2/data_stream/socks/fields/base-fields.yml deleted file mode 100755 index 8363b20b60..0000000000 --- a/packages/zeek/2.5.2/data_stream/socks/fields/base-fields.yml +++ /dev/null 
@@ -1,20 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: event.module - type: constant_keyword - description: Event module - value: zeek -- name: event.dataset - type: constant_keyword - description: Event dataset - value: zeek.socks -- name: '@timestamp' - type: date - description: Event timestamp. diff --git a/packages/zeek/2.5.2/data_stream/socks/fields/beats.yml b/packages/zeek/2.5.2/data_stream/socks/fields/beats.yml deleted file mode 100755 index 470f5fae48..0000000000 --- a/packages/zeek/2.5.2/data_stream/socks/fields/beats.yml +++ /dev/null @@ -1,23 +0,0 @@ -- description: Unique container id. - ignore_above: 1024 - name: container.id - type: keyword -- description: Type of Filebeat input. - name: input.type - type: keyword -- description: Full path to the log file this event came from. - example: /var/log/fun-times.log - ignore_above: 1024 - name: log.file.path - type: keyword -- description: Flags for the log file. - name: log.flags - type: keyword -- description: Offset of the entry in the log file. - name: log.offset - type: long -- description: List of keywords used to tag each event. - example: '["production", "env2"]' - ignore_above: 1024 - name: tags - type: keyword diff --git a/packages/zeek/2.5.2/data_stream/socks/fields/ecs.yml b/packages/zeek/2.5.2/data_stream/socks/fields/ecs.yml deleted file mode 100755 index 3c05a03bd5..0000000000 --- a/packages/zeek/2.5.2/data_stream/socks/fields/ecs.yml +++ /dev/null 
@@ -1,181 +0,0 @@ -- description: |- - Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: destination.address - type: keyword -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: destination.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: destination.as.organization.name - type: keyword -- description: City name. - name: destination.geo.city_name - type: keyword -- description: Name of the continent. - name: destination.geo.continent_name - type: keyword -- description: Country ISO code. - name: destination.geo.country_iso_code - type: keyword -- description: Country name. - name: destination.geo.country_name - type: keyword -- description: Longitude and latitude. - name: destination.geo.location - type: geo_point -- description: |- - User-defined description of a location, at the level of granularity they care about. - Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. - Not typically used in automated geolocation. - name: destination.geo.name - type: keyword -- description: Region ISO code. - name: destination.geo.region_iso_code - type: keyword -- description: Region name. - name: destination.geo.region_name - type: keyword -- description: IP address of the destination (IPv4 or IPv6). - name: destination.ip - type: ip -- description: Port of the destination. - name: destination.port - type: long -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. 
- When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. This will allow proper categorization of some events that fall in multiple categories. - name: event.category - normalize: - - array - type: keyword -- description: |- - event.created contains the date/time when the event was first read by an agent, or by your pipeline. - This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. - In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. - In case the two timestamps are identical, @timestamp should be used. - name: event.created - type: date -- description: Unique ID to describe the event. - name: event.id - type: keyword -- description: |- - Timestamp when an event arrived in the central data store. - This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. - In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. 
- name: event.ingested - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. - `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. - Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. - Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. - Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. - name: event.outcome - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. - `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. 
This will allow proper categorization of some events that fall in multiple event types. - name: event.type - normalize: - - array - type: keyword -- description: Host ip addresses. - name: host.ip - normalize: - - array - type: ip -- description: |- - A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. - Learn more at https://github.com/corelight/community-id-spec. - name: network.community_id - type: keyword -- description: |- - In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. - The field value must be normalized to lowercase for querying. - name: network.protocol - type: keyword -- description: |- - Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) - The field value must be normalized to lowercase for querying. - name: network.transport - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - normalize: - - array - type: ip -- description: All the user names or other user identifiers seen on the event. - name: related.user - normalize: - - array - type: keyword -- description: |- - Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: source.address - type: keyword -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: source.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: source.as.organization.name - type: keyword -- description: City name. - name: source.geo.city_name - type: keyword -- description: Name of the continent. 
- name: source.geo.continent_name - type: keyword -- description: Country ISO code. - name: source.geo.country_iso_code - type: keyword -- description: Country name. - name: source.geo.country_name - type: keyword -- description: Longitude and latitude. - name: source.geo.location - type: geo_point -- description: |- - User-defined description of a location, at the level of granularity they care about. - Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. - Not typically used in automated geolocation. - name: source.geo.name - type: keyword -- description: Region ISO code. - name: source.geo.region_iso_code - type: keyword -- description: Region name. - name: source.geo.region_name - type: keyword -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: Port of the source. - name: source.port - type: long -- description: Short name or login of the user. - multi_fields: - - name: text - type: match_only_text - name: user.name - type: keyword diff --git a/packages/zeek/2.5.2/data_stream/socks/fields/fields.yml b/packages/zeek/2.5.2/data_stream/socks/fields/fields.yml deleted file mode 100755 index 05cdd644f4..0000000000 --- a/packages/zeek/2.5.2/data_stream/socks/fields/fields.yml +++ /dev/null 
@@ -1,45 +0,0 @@ -- name: zeek.socks - type: group - fields: - - name: version - type: integer - description: | - Protocol version of SOCKS. - - name: user - type: keyword - description: | - Username used to request a login to the proxy. - - name: password - type: keyword - description: | - Password used to request a login to the proxy. - - name: status - type: keyword - description: | - Server status for the attempt at using the proxy. - - name: request - type: group - fields: - - name: host - type: keyword - description: | - Client requested SOCKS address. Could be an address, a name or both. - - name: port - type: integer - description: | - Client requested port. - - name: bound - type: group - fields: - - name: host - type: keyword - description: | - Server bound address. Could be an address, a name or both. - - name: port - type: integer - description: | - Server bound port. - - name: capture_password - type: boolean - description: | - Determines if the password will be captured for this request. diff --git a/packages/zeek/2.5.2/data_stream/socks/fields/package-fields.yml b/packages/zeek/2.5.2/data_stream/socks/fields/package-fields.yml deleted file mode 100755 index 4d6d6ea170..0000000000 --- a/packages/zeek/2.5.2/data_stream/socks/fields/package-fields.yml +++ /dev/null @@ -1,7 +0,0 @@ -- name: zeek - type: group - fields: - - name: session_id - type: keyword - description: | - A unique identifier of the session diff --git a/packages/zeek/2.5.2/data_stream/socks/manifest.yml b/packages/zeek/2.5.2/data_stream/socks/manifest.yml deleted file mode 100755 index 5e001fd7a3..0000000000 --- a/packages/zeek/2.5.2/data_stream/socks/manifest.yml +++ /dev/null 
@@ -1,85 +0,0 @@ -type: logs -title: Zeek socks logs -streams: - - input: logfile - vars: - - name: filenames - type: text - title: Filename of socks log file - multi: true - required: true - show_user: true - default: - - socks.log - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: false - default: - - forwarded - - zeek-socks - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original` - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: > - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. - - template_path: log.yml.hbs - title: Zeek socks.log - description: Collect Zeek socks logs - - input: httpjson - title: Zeek socks logs via Splunk Enterprise REST API - description: Collect Zeek socks logs via Splunk Enterprise REST API - enabled: false - template_path: httpjson.yml.hbs - vars: - - name: interval - type: text - title: Interval to query Splunk Enterprise REST API - description: Go Duration syntax (eg. 
10s) - show_user: true - required: true - default: 10s - - name: search - type: text - title: Splunk search string - show_user: true - required: true - default: "search sourcetype=\"socks-*\"" - - name: tags - type: text - title: Tags - multi: true - show_user: false - default: - - forwarded - - zeek-socks - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original` - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: >- - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. diff --git a/packages/zeek/2.5.2/data_stream/software/agent/stream/log.yml.hbs b/packages/zeek/2.5.2/data_stream/software/agent/stream/log.yml.hbs deleted file mode 100755 index 9dd9f724a5..0000000000 --- a/packages/zeek/2.5.2/data_stream/software/agent/stream/log.yml.hbs +++ /dev/null @@ -1,21 +0,0 @@ -paths: -{{#each base_paths}} - {{#each ../filenames}} - - {{../this}}/{{this}} - {{/each}} -{{/each}} -exclude_files: [".gz$"] -tags: -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#each tags as |tag i|}} - - {{tag}} -{{/each}} -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} -{{#if processors}} -processors: -{{processors}} -{{/if}} diff --git a/packages/zeek/2.5.2/data_stream/software/elasticsearch/ingest_pipeline/default.yml b/packages/zeek/2.5.2/data_stream/software/elasticsearch/ingest_pipeline/default.yml deleted file mode 100755 index 18387e0b7c..0000000000 
--- a/packages/zeek/2.5.2/data_stream/software/elasticsearch/ingest_pipeline/default.yml +++ /dev/null 
@@ -1,102 +0,0 @@ ---- -description: Pipeline for normalizing Zeek software.log -processors: - - rename: - field: message - target_field: event.original - - json: - field: event.original - target_field: _temp_ - - drop: - description: Drop if no timestamp (invalid json) - if: 'ctx?._temp_?.ts == null' - - rename: - field: _temp_ - target_field: zeek.software - ignore_failure: true - -# Sets event.created from the @timestamp field generated by filebeat before being overwritten further down - - set: - field: event.created - copy_from: "@timestamp" - - set: - field: ecs.version - value: '8.4.0' - - set: - field: event.kind - value: event - - set: - field: event.category - value: - - network - - file - - set: - field: event.type - value: - - info - - rename: - field: zeek.software.host - target_field: host.ip - ignore_missing: true - - date: - field: zeek.software.ts - formats: - - UNIX - - ISO8601 - - set: - field: network.type - value: ipv4 - if: ctx.host?.ip.contains('.') - - set: - field: network.type - value: ipv6 - if: ctx.host?.ip.contains(':') - - append: - field: related.ip - value: "{{host.ip}}" - if: ctx?.host?.ip != null - allow_duplicates: false - - geoip: - field: host.ip - target_field: host.geo - ignore_missing: true - - rename: - field: zeek.software.software_type - target_field: zeek.software.type - ignore_missing: true - - rename: - field: zeek.software.unparsed_version - target_field: zeek.software.version.full - ignore_missing: true - - dot_expander: - field: version.major - path: zeek.software - - dot_expander: - field: version.minor - path: zeek.software - - dot_expander: - field: version.minor2 - path: zeek.software - - dot_expander: - field: version.minor3 - path: zeek.software - - dot_expander: - field: version.addl - path: zeek.software - - rename: - field: zeek.software.version.addl - target_field: zeek.software.version.additional - ignore_missing: true - - remove: - field: - - zeek.software.ts - ignore_missing: true - - remove: - field: 
event.original - if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" - ignore_failure: true - ignore_missing: true -on_failure: - - set: - field: error.message - value: "{{ _ingest.on_failure_message }}" diff --git a/packages/zeek/2.5.2/data_stream/software/fields/agent.yml b/packages/zeek/2.5.2/data_stream/software/fields/agent.yml deleted file mode 100755 index ed1313d1b0..0000000000 --- a/packages/zeek/2.5.2/data_stream/software/fields/agent.yml +++ /dev/null 
@@ -1,171 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: "Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on." - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: "The cloud account or organization id used to identify different entities in a multi-tenant environment.\nExamples: AWS account id, Google Cloud ORG Id, or other unique identifier." - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: "Container fields are used for meta information about the specific container that is the source of information.\nThese fields help correlate data based containers from any runtime." - type: group - fields: - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: "A host is defined as a general computing instance.\nECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes." - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: "Name of the domain of which the host is a member.\nFor example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider." - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: "Hostname of the host.\nIt normally contains what the `hostname` command returns on the host machine." - - name: id - level: core - type: keyword - ignore_above: 1024 - description: "Unique host id.\nAs hostname is not always unique, use values that are meaningful in your environment.\nExample: The current usage of `beat.name`." - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. 
- - name: name - level: core - type: keyword - ignore_above: 1024 - description: "Name of the host.\nIt can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use." - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: "Type of host.\nFor Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment." - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - diff --git a/packages/zeek/2.5.2/data_stream/software/fields/base-fields.yml b/packages/zeek/2.5.2/data_stream/software/fields/base-fields.yml deleted file mode 100755 index 642369ccea..0000000000 --- a/packages/zeek/2.5.2/data_stream/software/fields/base-fields.yml +++ /dev/null 
@@ -1,20 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: event.module - type: constant_keyword - description: Event module - value: zeek -- name: event.dataset - type: constant_keyword - description: Event dataset - value: zeek.software -- name: '@timestamp' - type: date - description: Event timestamp. diff --git a/packages/zeek/2.5.2/data_stream/software/fields/beats.yml b/packages/zeek/2.5.2/data_stream/software/fields/beats.yml deleted file mode 100755 index 470f5fae48..0000000000 --- a/packages/zeek/2.5.2/data_stream/software/fields/beats.yml +++ /dev/null @@ -1,23 +0,0 @@ -- description: Unique container id. - ignore_above: 1024 - name: container.id - type: keyword -- description: Type of Filebeat input. - name: input.type - type: keyword -- description: Full path to the log file this event came from. - example: /var/log/fun-times.log - ignore_above: 1024 - name: log.file.path - type: keyword -- description: Flags for the log file. - name: log.flags - type: keyword -- description: Offset of the entry in the log file. - name: log.offset - type: long -- description: List of keywords used to tag each event. - example: '["production", "env2"]' - ignore_above: 1024 - name: tags - type: keyword diff --git a/packages/zeek/2.5.2/data_stream/software/fields/ecs.yml b/packages/zeek/2.5.2/data_stream/software/fields/ecs.yml deleted file mode 100755 index a19a1829dd..0000000000 --- a/packages/zeek/2.5.2/data_stream/software/fields/ecs.yml +++ /dev/null 
@@ -1,82 +0,0 @@ -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. This will allow proper categorization of some events that fall in multiple categories. - name: event.category - normalize: - - array - type: keyword -- description: |- - event.created contains the date/time when the event was first read by an agent, or by your pipeline. - This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. - In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. - In case the two timestamps are identical, @timestamp should be used. - name: event.created - type: date -- description: |- - Timestamp when an event arrived in the central data store. - This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. - In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. 
- name: event.ingested - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. - `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. This will allow proper categorization of some events that fall in multiple event types. - name: event.type - normalize: - - array - type: keyword -- description: |- - In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc - The field value must be normalized to lowercase for querying. - name: network.type - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - normalize: - - array - type: ip -- description: City name. - name: host.geo.city_name - type: keyword -- description: Name of the continent. - name: host.geo.continent_name - type: keyword -- description: Country ISO code. - name: host.geo.country_iso_code - type: keyword -- description: Country name. - name: host.geo.country_name - type: keyword -- description: Longitude and latitude. - name: host.geo.location - type: geo_point -- description: |- - User-defined description of a location, at the level of granularity they care about. 
- Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. - Not typically used in automated geolocation. - name: host.geo.name - type: keyword -- description: Region ISO code. - name: host.geo.region_iso_code - type: keyword -- description: Region name. - name: host.geo.region_name - type: keyword -- description: Host ip addresses. - name: host.ip - normalize: - - array - type: ip diff --git a/packages/zeek/2.5.2/data_stream/software/fields/fields.yml b/packages/zeek/2.5.2/data_stream/software/fields/fields.yml deleted file mode 100755 index b9011e9f04..0000000000 --- a/packages/zeek/2.5.2/data_stream/software/fields/fields.yml +++ /dev/null @@ -1,46 +0,0 @@ -- name: zeek.software - type: group - default_field: false - description: > - Fields exported by the Zeek Software log. - - fields: - - name: name - type: keyword - description: > - Name of the software (e.g. Apache). - - - name: type - type: keyword - description: > - The type of software detected - - - name: version.full - type: keyword - description: > - Full unparsed version of the software. - - - name: version.major - type: long - description: > - Major version of software. - - - name: version.minor - type: long - description: > - minor version of software. - - - name: version.minor2 - type: long - description: > - 2nd minor version of software. - - - name: version.minor3 - type: long - description: > - 3rd minor version of software. - - - name: version.additional - type: keyword - description: >- - Additional version information diff --git a/packages/zeek/2.5.2/data_stream/software/manifest.yml b/packages/zeek/2.5.2/data_stream/software/manifest.yml deleted file mode 100755 index d12de67c7c..0000000000 --- a/packages/zeek/2.5.2/data_stream/software/manifest.yml +++ /dev/null 
@@ -1,41 +0,0 @@ -type: logs -title: Zeek software logs -streams: - - input: logfile - template_path: log.yml.hbs - title: Zeek software.log - description: Collect Zeek software logs - vars: - - name: filenames - type: text - title: Filename of software log - multi: true - required: true - show_user: true - default: - - software.log - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: false - default: - - forwarded - - zeek-software - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original` - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: >- - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. diff --git a/packages/zeek/2.5.2/data_stream/ssh/agent/stream/httpjson.yml.hbs b/packages/zeek/2.5.2/data_stream/ssh/agent/stream/httpjson.yml.hbs deleted file mode 100755 index 33f251e7d6..0000000000 --- a/packages/zeek/2.5.2/data_stream/ssh/agent/stream/httpjson.yml.hbs +++ /dev/null 
@@ -1,63 +0,0 @@ -config_version: 2 -interval: {{interval}} -{{#unless token}} -{{#if username}} -{{#if password}} -auth.basic.user: {{username}} -auth.basic.password: {{password}} -{{/if}} -{{/if}} -{{/unless}} -cursor: - index_earliest: - value: '[[.last_event.result.max_indextime]]' -request.url: {{url}}/services/search/jobs/export -{{#if ssl}} -request.ssl: {{ssl}} -{{/if}} -request.method: POST -request.transforms: - - set: - target: url.params.search - value: {{search}} | streamstats max(_indextime) AS max_indextime - - set: - target: url.params.output_mode - value: "json" - - set: - target: url.params.index_earliest - value: '[[ .cursor.index_earliest ]]' - default: '[[(now (parseDuration "-{{interval}}")).Unix]]' - - set: - target: url.params.index_latest - value: '[[(now).Unix]]' - - set: - target: header.Content-Type - value: application/x-www-form-urlencoded -{{#unless username}} -{{#unless password}} -{{#if token}} - - set: - target: header.Authorization - value: {{token}} -{{/if}} -{{/unless}} -{{/unless}} -response.decode_as: application/x-ndjson -response.split: - target: body.result._raw - type: string - delimiter: "\n" -tags: -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#each tags as |tag i|}} - - {{tag}} -{{/each}} -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} -{{#if processors}} -processors: -{{processors}} -{{/if}} diff --git a/packages/zeek/2.5.2/data_stream/ssh/agent/stream/log.yml.hbs b/packages/zeek/2.5.2/data_stream/ssh/agent/stream/log.yml.hbs deleted file mode 100755 index 9dd9f724a5..0000000000 --- a/packages/zeek/2.5.2/data_stream/ssh/agent/stream/log.yml.hbs +++ /dev/null 
@@ -1,21 +0,0 @@
-paths:
-{{#each base_paths}}
- {{#each ../filenames}}
- - {{../this}}/{{this}}
- {{/each}}
-{{/each}}
-exclude_files: [".gz$"]
-tags:
-{{#if preserve_original_event}}
- - preserve_original_event
-{{/if}}
-{{#each tags as |tag i|}}
- - {{tag}}
-{{/each}}
-{{#contains "forwarded" tags}}
-publisher_pipeline.disable_host: true
-{{/contains}}
-{{#if processors}}
-processors:
-{{processors}}
-{{/if}}
diff --git a/packages/zeek/2.5.2/data_stream/ssh/elasticsearch/ingest_pipeline/default.yml b/packages/zeek/2.5.2/data_stream/ssh/elasticsearch/ingest_pipeline/default.yml
deleted file mode 100755
index 0ded69576c..0000000000
--- a/packages/zeek/2.5.2/data_stream/ssh/elasticsearch/ingest_pipeline/default.yml
+++ /dev/null
@@ -1,200 +0,0 @@ ---- -description: Pipeline for normalizing Zeek ssh.log -processors: - - rename: - field: message - target_field: event.original - - json: - field: event.original - target_field: _temp_ - - pipeline: - if: ctx?._temp_?.result != null - name: '{{ IngestPipeline "third-party" }}' - - drop: - description: Drop if no timestamp (invalid json) - if: 'ctx?._temp_?.ts == null' - - rename: - field: _temp_ - target_field: zeek.ssh - -# Sets event.created from the @timestamp field generated by filebeat before being overwritten further down - - set: - field: event.created - copy_from: "@timestamp" - - set: - field: event.kind - value: event - - set: - field: ecs.version - value: '8.4.0' - - append: - field: event.category - value: network - - append: - field: event.type - value: connection - - append: - field: event.type - value: protocol - - set: - field: network.transport - value: tcp - - set: - field: network.protocol - value: ssh - - dot_expander: - path: zeek.ssh - field: id.orig_p - ignore_failure: true - - dot_expander: - path: zeek.ssh - field: id.orig_h - ignore_failure: true - - dot_expander: - path: zeek.ssh - field: id.resp_h - ignore_failure: true - - dot_expander: - path: zeek.ssh - field: id.resp_p - ignore_failure: true - - rename: - field: zeek.ssh.id.orig_h - target_field: source.address - ignore_missing: true - - rename: - field: zeek.ssh.id.orig_p - target_field: source.port - ignore_missing: true - - rename: - field: zeek.ssh.id.resp_h - target_field: destination.address - ignore_missing: true - - rename: - field: zeek.ssh.id.resp_p - target_field: destination.port - ignore_missing: true - - rename: - field: zeek.ssh.uid - target_field: zeek.session_id - ignore_missing: true - - set: - field: event.id - copy_from: zeek.session_id - if: ctx?.zeek?.session_id != null - - set: - field: source.ip - copy_from: source.address - if: ctx?.source?.address != null - - set: - field: destination.ip - copy_from: destination.address - if: 
ctx?.destination?.address != null - - rename: - field: zeek.ssh.auth_attempts - target_field: zeek.ssh.auth.attempts - ignore_missing: true - - rename: - field: zeek.ssh.auth_success - target_field: zeek.ssh.auth.success - ignore_missing: true - - rename: - field: zeek.ssh.cipher_alg - target_field: zeek.ssh.algorithm.cipher - ignore_missing: true - - rename: - field: zeek.ssh.mac_alg - target_field: zeek.ssh.algorithm.mac - ignore_missing: true - - rename: - field: zeek.ssh.compression_alg - target_field: zeek.ssh.algorithm.compression - ignore_missing: true - - rename: - field: zeek.ssh.kex_alg - target_field: zeek.ssh.algorithm.key_exchange - ignore_missing: true - - rename: - field: zeek.ssh.host_key_alg - target_field: zeek.ssh.algorithm.host_key - ignore_missing: true - - date: - field: zeek.ssh.ts - formats: - - UNIX - - ISO8601 - - remove: - field: zeek.ssh.ts - - geoip: - field: destination.ip - target_field: destination.geo - ignore_missing: true - - geoip: - field: source.ip - target_field: source.geo - ignore_missing: true - - geoip: - database_file: GeoLite2-ASN.mmdb - field: source.ip - target_field: source.as - properties: - - asn - - organization_name - ignore_missing: true - - geoip: - database_file: GeoLite2-ASN.mmdb - field: destination.ip - target_field: destination.as - properties: - - asn - - organization_name - ignore_missing: true - - rename: - field: source.as.asn - target_field: source.as.number - ignore_missing: true - - rename: - field: source.as.organization_name - target_field: source.as.organization.name - ignore_missing: true - - rename: - field: destination.as.asn - target_field: destination.as.number - ignore_missing: true - - rename: - field: destination.as.organization_name - target_field: destination.as.organization.name - ignore_missing: true - - append: - field: related.ip - value: "{{source.ip}}" - if: "ctx?.source?.ip != null" - allow_duplicates: false - - append: - field: related.ip - value: "{{destination.ip}}" - if: 
"ctx?.destination?.ip != null" - allow_duplicates: false - - set: - field: event.outcome - value: failure - if: "ctx?.zeek?.ssh?.auth?.success != null && ctx.zeek.ssh.auth.success == false" - - set: - field: event.outcome - value: success - if: "ctx?.zeek?.ssh?.auth?.success != null && ctx.zeek.ssh.auth.success == true" - - community_id: - target_field: network.community_id - - remove: - field: - - zeek.ssh.id - ignore_missing: true - - remove: - field: event.original - if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" - ignore_failure: true - ignore_missing: true -on_failure: - - set: - field: error.message - value: "{{ _ingest.on_failure_message }}" diff --git a/packages/zeek/2.5.2/data_stream/ssh/elasticsearch/ingest_pipeline/third-party.yml b/packages/zeek/2.5.2/data_stream/ssh/elasticsearch/ingest_pipeline/third-party.yml deleted file mode 100755 index 5bc2247db2..0000000000 --- a/packages/zeek/2.5.2/data_stream/ssh/elasticsearch/ingest_pipeline/third-party.yml +++ /dev/null 
@@ -1,39 +0,0 @@ ---- -description: Pipeline for parsing Zeek logs from third party api -processors: - - fingerprint: - fields: - - _temp_.result._cd - - _temp_.result._indextime - - _temp_.result._raw - - _temp_.result._time - - _temp_.result.host - - _temp_.result.source - target_field: '_id' - ignore_missing: true - - set: - field: event.original - copy_from: _temp_.result._raw - ignore_empty_value: true - - set: - field: host.name - copy_from: _temp_.result.host - ignore_empty_value: true - - set: - copy_from: _temp_.result.source - field: log.file.path - ignore_empty_value: true - - remove: - field: _temp_ - ignore_missing: true - - json: - field: event.original - target_field: _temp_ -on_failure: - - append: - field: error.message - value: >- - error in third party api pipeline: - error in [{{_ingest.on_failure_processor_type}}] processor{{#_ingest.on_failure_processor_tag}} - with tag [{{_ingest.on_failure_processor_tag }}]{{/_ingest.on_failure_processor_tag}} - {{ _ingest.on_failure_message }} diff --git a/packages/zeek/2.5.2/data_stream/ssh/fields/agent.yml b/packages/zeek/2.5.2/data_stream/ssh/fields/agent.yml deleted file mode 100755 index ed1313d1b0..0000000000 --- a/packages/zeek/2.5.2/data_stream/ssh/fields/agent.yml +++ /dev/null 
@@ -1,171 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: "Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on." - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: "The cloud account or organization id used to identify different entities in a multi-tenant environment.\nExamples: AWS account id, Google Cloud ORG Id, or other unique identifier." - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: "Container fields are used for meta information about the specific container that is the source of information.\nThese fields help correlate data based containers from any runtime." - type: group - fields: - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: "A host is defined as a general computing instance.\nECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes." - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: "Name of the domain of which the host is a member.\nFor example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider." - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: "Hostname of the host.\nIt normally contains what the `hostname` command returns on the host machine." - - name: id - level: core - type: keyword - ignore_above: 1024 - description: "Unique host id.\nAs hostname is not always unique, use values that are meaningful in your environment.\nExample: The current usage of `beat.name`." - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. 
- - name: name - level: core - type: keyword - ignore_above: 1024 - description: "Name of the host.\nIt can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use." - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: "Type of host.\nFor Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment." - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - diff --git a/packages/zeek/2.5.2/data_stream/ssh/fields/base-fields.yml b/packages/zeek/2.5.2/data_stream/ssh/fields/base-fields.yml deleted file mode 100755 index 0f408feeb0..0000000000 --- a/packages/zeek/2.5.2/data_stream/ssh/fields/base-fields.yml +++ /dev/null 
@@ -1,20 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: event.module - type: constant_keyword - description: Event module - value: zeek -- name: event.dataset - type: constant_keyword - description: Event dataset - value: zeek.ssh -- name: '@timestamp' - type: date - description: Event timestamp. diff --git a/packages/zeek/2.5.2/data_stream/ssh/fields/beats.yml b/packages/zeek/2.5.2/data_stream/ssh/fields/beats.yml deleted file mode 100755 index 470f5fae48..0000000000 --- a/packages/zeek/2.5.2/data_stream/ssh/fields/beats.yml +++ /dev/null @@ -1,23 +0,0 @@ -- description: Unique container id. - ignore_above: 1024 - name: container.id - type: keyword -- description: Type of Filebeat input. - name: input.type - type: keyword -- description: Full path to the log file this event came from. - example: /var/log/fun-times.log - ignore_above: 1024 - name: log.file.path - type: keyword -- description: Flags for the log file. - name: log.flags - type: keyword -- description: Offset of the entry in the log file. - name: log.offset - type: long -- description: List of keywords used to tag each event. - example: '["production", "env2"]' - ignore_above: 1024 - name: tags - type: keyword diff --git a/packages/zeek/2.5.2/data_stream/ssh/fields/ecs.yml b/packages/zeek/2.5.2/data_stream/ssh/fields/ecs.yml deleted file mode 100755 index 2d70389be2..0000000000 --- a/packages/zeek/2.5.2/data_stream/ssh/fields/ecs.yml +++ /dev/null 
@@ -1,173 +0,0 @@ -- description: |- - Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: destination.address - type: keyword -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: destination.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: destination.as.organization.name - type: keyword -- description: City name. - name: destination.geo.city_name - type: keyword -- description: Name of the continent. - name: destination.geo.continent_name - type: keyword -- description: Country ISO code. - name: destination.geo.country_iso_code - type: keyword -- description: Country name. - name: destination.geo.country_name - type: keyword -- description: Longitude and latitude. - name: destination.geo.location - type: geo_point -- description: |- - User-defined description of a location, at the level of granularity they care about. - Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. - Not typically used in automated geolocation. - name: destination.geo.name - type: keyword -- description: Region ISO code. - name: destination.geo.region_iso_code - type: keyword -- description: Region name. - name: destination.geo.region_name - type: keyword -- description: IP address of the destination (IPv4 or IPv6). - name: destination.ip - type: ip -- description: Port of the destination. - name: destination.port - type: long -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. 
- When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: Error message. - name: error.message - type: match_only_text -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. This will allow proper categorization of some events that fall in multiple categories. - name: event.category - normalize: - - array - type: keyword -- description: |- - event.created contains the date/time when the event was first read by an agent, or by your pipeline. - This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. - In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. - In case the two timestamps are identical, @timestamp should be used. - name: event.created - type: date -- description: Unique ID to describe the event. - name: event.id - type: keyword -- description: |- - Timestamp when an event arrived in the central data store. - This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. - In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. 
- name: event.ingested - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. - `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. - Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. - Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. - Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. - name: event.outcome - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. - `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. 
This will allow proper categorization of some events that fall in multiple event types. - name: event.type - normalize: - - array - type: keyword -- description: Host ip addresses. - name: host.ip - normalize: - - array - type: ip -- description: |- - A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. - Learn more at https://github.com/corelight/community-id-spec. - name: network.community_id - type: keyword -- description: |- - In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. - The field value must be normalized to lowercase for querying. - name: network.protocol - type: keyword -- description: |- - Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) - The field value must be normalized to lowercase for querying. - name: network.transport - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - normalize: - - array - type: ip -- description: |- - Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: source.address - type: keyword -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: source.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: source.as.organization.name - type: keyword -- description: City name. - name: source.geo.city_name - type: keyword -- description: Name of the continent. - name: source.geo.continent_name - type: keyword -- description: Country ISO code. 
- name: source.geo.country_iso_code - type: keyword -- description: Country name. - name: source.geo.country_name - type: keyword -- description: Longitude and latitude. - name: source.geo.location - type: geo_point -- description: |- - User-defined description of a location, at the level of granularity they care about. - Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. - Not typically used in automated geolocation. - name: source.geo.name - type: keyword -- description: Region ISO code. - name: source.geo.region_iso_code - type: keyword -- description: Region name. - name: source.geo.region_name - type: keyword -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: Port of the source. - name: source.port - type: long diff --git a/packages/zeek/2.5.2/data_stream/ssh/fields/fields.yml b/packages/zeek/2.5.2/data_stream/ssh/fields/fields.yml deleted file mode 100755 index bc2f658f4b..0000000000 --- a/packages/zeek/2.5.2/data_stream/ssh/fields/fields.yml +++ /dev/null 
@@ -1,62 +0,0 @@ -- name: zeek.ssh - type: group - fields: - - name: client - type: keyword - description: | - The client's version string. - - name: direction - type: keyword - description: | - Direction of the connection. If the client was a local host logging into - an external host, this would be OUTBOUND. INBOUND would be set for the - opposite situation. - - name: host_key - type: keyword - description: | - The server's key thumbprint. - - name: server - type: keyword - description: | - The server's version string. - - name: version - type: integer - description: | - SSH major version (1 or 2). - - name: algorithm - type: group - fields: - - name: cipher - type: keyword - description: | - The encryption algorithm in use. - - name: compression - type: keyword - description: | - The compression algorithm in use. - - name: host_key - type: keyword - description: | - The server host key's algorithm. - - name: key_exchange - type: keyword - description: | - The key exchange algorithm in use. - - name: mac - type: keyword - description: | - The signing (MAC) algorithm in use. - - name: auth - type: group - fields: - - name: attempts - type: integer - description: | - The number of authentication attemps we observed. There's always at - least one, since some servers might support no authentication at all. - It's important to note that not all of these are failures, since some - servers require two-factor auth (e.g. password AND pubkey). - - name: success - type: boolean - description: | - Authentication result. diff --git a/packages/zeek/2.5.2/data_stream/ssh/fields/package-fields.yml b/packages/zeek/2.5.2/data_stream/ssh/fields/package-fields.yml deleted file mode 100755 index 4d6d6ea170..0000000000 --- a/packages/zeek/2.5.2/data_stream/ssh/fields/package-fields.yml +++ /dev/null @@ -1,7 +0,0 @@ -- name: zeek - type: group - fields: - - name: session_id - type: keyword - description: | - A unique identifier of the session 
diff --git a/packages/zeek/2.5.2/data_stream/ssh/manifest.yml b/packages/zeek/2.5.2/data_stream/ssh/manifest.yml deleted file mode 100755 index be5e501a70..0000000000 --- a/packages/zeek/2.5.2/data_stream/ssh/manifest.yml +++ /dev/null 
@@ -1,85 +0,0 @@ -type: logs -title: Zeek ssh logs -streams: - - input: logfile - vars: - - name: filenames - type: text - title: Filename of ssh log file - multi: true - required: true - show_user: true - default: - - ssh.log - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: false - default: - - forwarded - - zeek-ssh - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original` - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: > - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. - - template_path: log.yml.hbs - title: Zeek ssh.log - description: Collect Zeek ssh logs - - input: httpjson - title: Zeek ssh logs via Splunk Enterprise REST API - description: Collect Zeek ssh logs via Splunk Enterprise REST API - enabled: false - template_path: httpjson.yml.hbs - vars: - - name: interval - type: text - title: Interval to query Splunk Enterprise REST API - description: Go Duration syntax (eg. 
10s) - show_user: true - required: true - default: 10s - - name: search - type: text - title: Splunk search string - show_user: true - required: true - default: "search sourcetype=\"ssh-*\"" - - name: tags - type: text - title: Tags - multi: true - show_user: false - default: - - forwarded - - zeek-ssh - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original` - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: >- - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. diff --git a/packages/zeek/2.5.2/data_stream/ssl/agent/stream/httpjson.yml.hbs b/packages/zeek/2.5.2/data_stream/ssl/agent/stream/httpjson.yml.hbs deleted file mode 100755 index 33f251e7d6..0000000000 --- a/packages/zeek/2.5.2/data_stream/ssl/agent/stream/httpjson.yml.hbs +++ /dev/null 
@@ -1,63 +0,0 @@
-config_version: 2
-interval: {{interval}}
-{{#unless token}}
-{{#if username}}
-{{#if password}}
-auth.basic.user: {{username}}
-auth.basic.password: {{password}}
-{{/if}}
-{{/if}}
-{{/unless}}
-cursor:
- index_earliest:
- value: '[[.last_event.result.max_indextime]]'
-request.url: {{url}}/services/search/jobs/export
-{{#if ssl}}
-request.ssl: {{ssl}}
-{{/if}}
-request.method: POST
-request.transforms:
- - set:
- target: url.params.search
- value: {{search}} | streamstats max(_indextime) AS max_indextime
- - set:
- target: url.params.output_mode
- value: "json"
- - set:
- target: url.params.index_earliest
- value: '[[ .cursor.index_earliest ]]'
- default: '[[(now (parseDuration "-{{interval}}")).Unix]]'
- - set:
- target: url.params.index_latest
- value: '[[(now).Unix]]'
- - set:
- target: header.Content-Type
- value: application/x-www-form-urlencoded
-{{#unless username}}
-{{#unless password}}
-{{#if token}}
- - set:
- target: header.Authorization
- value: {{token}}
-{{/if}}
-{{/unless}}
-{{/unless}}
-response.decode_as: application/x-ndjson
-response.split:
- target: body.result._raw
- type: string
- delimiter: "\n"
-tags:
-{{#if preserve_original_event}}
- - preserve_original_event
-{{/if}}
-{{#each tags as |tag i|}}
- - {{tag}}
-{{/each}}
-{{#contains "forwarded" tags}}
-publisher_pipeline.disable_host: true
-{{/contains}}
-{{#if processors}}
-processors:
-{{processors}}
-{{/if}}
diff --git a/packages/zeek/2.5.2/data_stream/ssl/agent/stream/log.yml.hbs b/packages/zeek/2.5.2/data_stream/ssl/agent/stream/log.yml.hbs
deleted file mode 100755
index 9dd9f724a5..0000000000
--- a/packages/zeek/2.5.2/data_stream/ssl/agent/stream/log.yml.hbs
+++ /dev/null
@@ -1,21 +0,0 @@
-paths:
-{{#each base_paths}}
- {{#each ../filenames}}
- - {{../this}}/{{this}}
- {{/each}}
-{{/each}}
-exclude_files: [".gz$"]
-tags:
-{{#if preserve_original_event}}
- - preserve_original_event
-{{/if}}
-{{#each tags as |tag i|}}
- - {{tag}}
-{{/each}}
-{{#contains "forwarded" tags}}
-publisher_pipeline.disable_host: true
-{{/contains}}
-{{#if processors}}
-processors:
-{{processors}}
-{{/if}}
diff --git a/packages/zeek/2.5.2/data_stream/ssl/elasticsearch/ingest_pipeline/default.yml b/packages/zeek/2.5.2/data_stream/ssl/elasticsearch/ingest_pipeline/default.yml
deleted file mode 100755
index daca4b0416..0000000000
--- a/packages/zeek/2.5.2/data_stream/ssl/elasticsearch/ingest_pipeline/default.yml
+++ /dev/null
@@ -1,535 +0,0 @@
----
-description: Pipeline for normalizing Zeek ssl.log
-processors:
- - rename:
- field: message
- target_field: event.original
- - json:
- field: event.original
- target_field: _temp_
- - pipeline:
- if: ctx?._temp_?.result != null
- name: '{{ IngestPipeline "third-party" }}'
- - drop:
- description: Drop if no timestamp (invalid json)
- if: 'ctx?._temp_?.ts == null'
- - rename:
- field: _temp_
- target_field: zeek.ssl
-
-# Sets event.created from the @timestamp field generated by filebeat before being overwritten further down
- - set:
- field: event.created
- copy_from: "@timestamp"
- - set:
- field: event.kind
- value: event
- - set:
- field: ecs.version
- value: '8.4.0'
- - append:
- field: event.category
- value: network
- - append:
- field: event.type
- value: connection
- - append:
- field: event.type
- value: protocol
- - set:
- field: network.transport
- value: tcp
- - dot_expander:
- path: zeek.ssl
- field: id.orig_p
- ignore_failure: true
- - dot_expander:
- path: zeek.ssl
- field: id.orig_h
- ignore_failure: true
- - dot_expander:
- path: zeek.ssl
- field: id.resp_h
- ignore_failure: true
- - dot_expander:
- path: zeek.ssl
- field: id.resp_p
- ignore_failure: true
- - rename:
- field: zeek.ssl.id.orig_h
- target_field: source.address
- ignore_missing: true
- - rename:
- field: zeek.ssl.id.orig_p
- target_field: source.port
- ignore_missing: true
- - rename:
- field: zeek.ssl.id.resp_h
- target_field: destination.address
- ignore_missing: true
- - rename:
- field: zeek.ssl.id.resp_p
- target_field: destination.port
- ignore_missing: true
- - rename:
- field: zeek.ssl.uid
- target_field: zeek.session_id
- ignore_missing: true
- - set:
- field: event.id
- copy_from: zeek.session_id
- if: ctx?.zeek?.session_id != null
- - set:
- field: source.ip
- copy_from: source.address
- if: ctx?.source?.address != null
- - set:
- field: client.address
- copy_from: source.address
- if: ctx?.source?.address != null
- - set:
- field: destination.ip
- copy_from: destination.address
- if: ctx?.destination?.address != null
- - set:
- field: server.address
- copy_from: destination.address
- if: ctx?.destination?.address != null
- - rename:
- field: zeek.ssl.server_name
- target_field: zeek.ssl.server.name
- ignore_missing: true
- - rename:
- field: zeek.ssl.cert_chain
- target_field: zeek.ssl.server.cert_chain
- ignore_missing: true
- - rename:
- field: zeek.ssl.cert_chain_fuids
- target_field: zeek.ssl.server.cert_chain_fuids
- ignore_missing: true
- - rename:
- field: zeek.ssl.client_cert_chain
- target_field: zeek.ssl.client.cert_chain
- ignore_missing: true
- - rename:
- field: zeek.ssl.client_cert_chain_fuids
- target_field: zeek.ssl.client.cert_chain_fuids
- ignore_missing: true
- - rename:
- field: zeek.ssl.validation_status
- target_field: zeek.ssl.validation.status
- ignore_missing: true
- - rename:
- field: zeek.ssl.validation_code
- target_field: zeek.ssl.validation.code
- ignore_missing: true
- - date:
- field: zeek.ssl.ts
- formats:
- - UNIX
- - ISO8601
- - remove:
- field: zeek.ssl.ts
- - rename:
- field: zeek.ssl.not_valid_after
- target_field: tls.server.not_after
- ignore_missing: true
- - rename:
- field: zeek.ssl.not_valid_before
- target_field: tls.server.not_before
- ignore_missing: true
- - date:
- if: ctx.tls?.server?.not_before != null
- field: tls.server.not_before
- target_field: tls.server.not_before
- formats:
- - UNIX
- - ISO8601
- - date:
- if: ctx.tls?.server?.not_after != null
- field: tls.server.not_after
- target_field: tls.server.not_after
- formats:
- - UNIX
- - ISO8601
- - geoip:
- field: destination.ip
- target_field: destination.geo
- ignore_missing: true
- - geoip:
- field: source.ip
- target_field: source.geo
- ignore_missing: true
- - geoip:
- database_file: GeoLite2-ASN.mmdb
- field: source.ip
- target_field: source.as
- properties:
- - asn
- - organization_name
- ignore_missing: true
- - geoip:
- database_file: GeoLite2-ASN.mmdb
- field: destination.ip
- target_field: destination.as
- properties:
- - asn
- - organization_name
- ignore_missing: true
- - rename:
- field: source.as.asn
- target_field: source.as.number
- ignore_missing: true
- - rename:
- field: source.as.organization_name
- target_field: source.as.organization.name
- ignore_missing: true
- - rename:
- field: destination.as.asn
- target_field: destination.as.number
- ignore_missing: true
- - rename:
- field: destination.as.organization_name
- target_field: destination.as.organization.name
- ignore_missing: true
- - remove:
- field: zeek.ssl.client.cert_chain_fuids
- if: ctx.zeek.ssl.client?.cert_chain_fuids?.length == 0
- ignore_missing: true
- - gsub:
- field: zeek.ssl.issuer
- pattern: \\,
- replacement: ""
- ignore_missing: true
- - kv:
- field: zeek.ssl.issuer
- field_split: ","
- value_split: "="
- target_field: zeek.ssl.server.issuer
- ignore_missing: true
- - rename:
- field: zeek.ssl.issuer
- target_field: tls.server.issuer
- ignore_missing: true
- - rename:
- field: zeek.ssl.server.issuer.C
- target_field: zeek.ssl.server.issuer.country
- ignore_missing: true
- - rename:
- field: zeek.ssl.resp_certificate_sha1
- target_field: tls.server.hash.sha1
- ignore_missing: true
- - uppercase:
- field: tls.server.hash.sha1
- ignore_missing: true
- - set:
- field: tls.server.x509.issuer.country
- value: "{{zeek.ssl.server.issuer.country}}"
- ignore_empty_value: true
- - rename:
- field: zeek.ssl.server.issuer.CN
- target_field: zeek.ssl.server.issuer.common_name
- ignore_missing: true
- - set:
- field: tls.server.x509.issuer.common_name
- value: "{{zeek.ssl.server.issuer.common_name}}"
- ignore_empty_value: true
- - rename:
- field: zeek.ssl.server.issuer.L
- target_field: zeek.ssl.server.issuer.locality
- ignore_missing: true
- - set:
- field: tls.server.x509.issuer.locality
- value: "{{zeek.ssl.server.issuer.locality}}"
- ignore_empty_value: true
- - rename:
- field: zeek.ssl.server.issuer.O
- target_field: zeek.ssl.server.issuer.organization
- ignore_missing: true
- - set:
- field: tls.server.x509.issuer.organization
- value: "{{zeek.ssl.server.issuer.organization}}"
- ignore_empty_value: true
- - rename:
- field: zeek.ssl.server.issuer.OU
- target_field: zeek.ssl.server.issuer.organizational_unit
- ignore_missing: true
- - set:
- field: tls.server.x509.issuer.organizational_unit
- value: "{{zeek.ssl.server.issuer.organizational_unit}}"
- ignore_empty_value: true
- - rename:
- field: zeek.ssl.server.issuer.ST
- target_field: zeek.ssl.server.issuer.state
- ignore_missing: true
- - set:
- field: tls.server.x509.issuer.state_or_province
- value: "{{zeek.ssl.server.issuer.state}}"
- ignore_empty_value: true
- - gsub:
- field: zeek.ssl.subject
- pattern: \\,
- replacement: ""
- ignore_missing: true
- - kv:
- field: zeek.ssl.subject
- field_split: ","
- value_split: "="
- target_field: zeek.ssl.server.subject
- ignore_missing: true
- - rename:
- field: zeek.ssl.subject
- target_field: tls.server.subject
- ignore_missing: true
- - rename:
- field: zeek.ssl.server.subject.C
- target_field: zeek.ssl.server.subject.country
- ignore_missing: true
- - set:
- field: tls.server.x509.subject.country
- value: "{{zeek.ssl.server.subject.country}}"
- ignore_empty_value: true
- - rename:
- field: zeek.ssl.server.subject.CN
- target_field: zeek.ssl.server.subject.common_name
- ignore_missing: true
- - set:
- field: tls.server.x509.subject.common_name
- value: "{{zeek.ssl.server.subject.common_name}}"
- ignore_empty_value: true
- - rename:
- field: zeek.ssl.server.subject.L
- target_field: zeek.ssl.server.subject.locality
- ignore_missing: true
- - set:
- field: tls.server.x509.subject.locality
- value: "{{zeek.ssl.server.subject.locality}}"
- ignore_empty_value: true
- - rename:
- field: zeek.ssl.server.subject.O
- target_field: zeek.ssl.server.subject.organization
- ignore_missing: true
- - set:
- field: tls.server.x509.subject.organization
- value: "{{zeek.ssl.server.subject.organization}}"
- ignore_empty_value: true
- - rename:
- field: zeek.ssl.server.subject.OU
- target_field: zeek.ssl.server.subject.organizational_unit
- ignore_missing: true
- - set:
- field: tls.server.x509.subject.organizational_unit
- value: "{{zeek.ssl.server.subject.organizational_unit}}"
- ignore_empty_value: true
- - rename:
- field: zeek.ssl.server.subject.ST
- target_field: zeek.ssl.server.subject.state
- ignore_missing: true
- - set:
- field: tls.server.x509.subject.state_or_province
- value: "{{zeek.ssl.server.subject.state}}"
- ignore_empty_value: true
- - gsub:
- field: zeek.ssl.client_issuer
- pattern: \\,
- replacement: ""
- ignore_missing: true
- - kv:
- field: zeek.ssl.client_issuer
- field_split: ","
- value_split: "="
- target_field: zeek.ssl.client.issuer
- ignore_missing: true
- - rename:
- field: zeek.ssl.client_issuer
- target_field: tls.client.issuer
- ignore_missing: true
- - rename:
- field: zeek.ssl.client.issuer.C
- target_field: zeek.ssl.client.issuer.country
- ignore_missing: true
- - set:
- field: tls.client.x509.issuer.country
- value: "{{zeek.ssl.client.issuer.country}}"
- ignore_empty_value: true
- - rename:
- field: zeek.ssl.client.issuer.CN
- target_field: zeek.ssl.client.issuer.common_name
- ignore_missing: true
- - set:
- field: tls.client.x509.issuer.common_name
- value: "{{zeek.ssl.client.issuer.common_name}}"
- ignore_empty_value: true
- - rename:
- field: zeek.ssl.client.issuer.L
- target_field: zeek.ssl.client.issuer.locality
- ignore_missing: true
- - set:
- field: tls.client.x509.issuer.locality
- value: "{{zeek.ssl.client.issuer.locality}}"
- ignore_empty_value: true
- - rename:
- field: zeek.ssl.client.issuer.O
- target_field: zeek.ssl.client.issuer.organization
- ignore_missing: true
- - set:
- field: tls.client.x509.issuer.organization
- value: "{{zeek.ssl.client.issuer.organization}}"
- ignore_empty_value: true
- - rename:
- field: zeek.ssl.client.issuer.OU
- target_field: zeek.ssl.client.issuer.organizational_unit
- ignore_missing: true
- - set:
- field: tls.client.x509.issuer.organizational_unit
- value: "{{zeek.ssl.client.issuer.organizational_unit}}"
- ignore_empty_value: true
- - rename:
- field: zeek.ssl.client.issuer.ST
- target_field: zeek.ssl.client.issuer.state
- ignore_missing: true
- - set:
- field: tls.client.x509.issuer.state_or_province
- value: "{{zeek.ssl.client.issuer.state}}"
- ignore_empty_value: true
- - gsub:
- field: zeek.ssl.client_subject
- pattern: \\,
- replacement: ""
- ignore_missing: true
- - kv:
- field: zeek.ssl.client_subject
- field_split: ","
- value_split: "="
- target_field: zeek.ssl.client.subject
- ignore_missing: true
- - remove:
- field: zeek.ssl.client_subject
- ignore_missing: true
- - rename:
- field: zeek.ssl.client.subject.C
- target_field: zeek.ssl.client.subject.country
- ignore_missing: true
- - set:
- field: tls.client.x509.subject.country
- value: "{{zeek.ssl.client.subject.country}}"
- ignore_empty_value: true
- - rename:
- field: zeek.ssl.client.subject.CN
- target_field: zeek.ssl.client.subject.common_name
- ignore_missing: true
- - set:
- field: tls.client.x509.subject.common_name
- value: "{{zeek.ssl.client.subject.common_name}}"
- ignore_empty_value: true
- - rename:
- field: zeek.ssl.client.subject.L
- target_field: zeek.ssl.client.subject.locality
- ignore_missing: true
- - set:
- field: tls.client.x509.subject.locality
- value: "{{zeek.ssl.client.subject.locality}}"
- ignore_empty_value: true
- - rename:
- field: zeek.ssl.client.subject.O
- target_field: zeek.ssl.client.subject.organization
- ignore_missing: true
- - set:
- field: tls.client.x509.subject.organization
- value: "{{zeek.ssl.client.subject.organization}}"
- ignore_empty_value: true
- - rename:
- field: zeek.ssl.client.subject.OU
- target_field: zeek.ssl.client.subject.organizational_unit
- ignore_missing: true
- - set:
- field: tls.client.x509.subject.organizational_unit
- value: "{{zeek.ssl.client.subject.organizational_unit}}"
- ignore_empty_value: true
- - rename:
- field: zeek.ssl.client.subject.ST
- target_field: zeek.ssl.client.subject.state
- ignore_missing: true
- - set:
- field: tls.client.x509.subject.state_or_province
- value: "{{zeek.ssl.client.subject.state}}"
- ignore_empty_value: true
- - set:
- field: tls.cipher
- value: "{{zeek.ssl.cipher}}"
- if: ctx.zeek?.ssl?.cipher != null
- - set:
- field: tls.curve
- value: "{{zeek.ssl.curve}}"
- if: ctx.zeek?.ssl?.curve != null
- - convert:
- target_field: tls.established
- field: zeek.ssl.established
- type: boolean
- ignore_missing: true
- - convert:
- target_field: tls.resumed
- field: zeek.ssl.resumed
- type: boolean
- ignore_missing: true
- - script:
- lang: painless
- if: ctx.zeek?.ssl?.version != null
- source: >-
- def parts = ctx.zeek.ssl.version.splitOnToken("v");
- if (parts.length != 2) {
- return;
- }
- if (parts[0] == "SSL") {
- ctx.tls.version = parts[1] + ".0";
- } else {
- ctx.tls.version = parts[1].substring(0,1) + "." + parts[1].substring(1);
- }
- ctx.tls.version_protocol = parts[0].toLowerCase();
- - rename:
- field: zeek.ssl.ja3
- target_field: tls.client.ja3
- ignore_missing: true
- - rename:
- field: zeek.ssl.ja3s
- target_field: tls.server.ja3s
- ignore_missing: true
- - append:
- field: related.ip
- value: "{{source.ip}}"
- if: "ctx?.source?.ip != null"
- allow_duplicates: false
- - append:
- field: related.ip
- value: "{{destination.ip}}"
- if: "ctx?.destination?.ip != null"
- allow_duplicates: false
- - append:
- field: related.hash
- value: "{{tls.server.ja3s}}"
- if: "ctx?.tls?.server?.ja3s != null"
- - append:
- field: related.hash
- value: "{{tls.client.ja3}}"
- if: "ctx?.tls?.client?.ja3 != null"
- allow_duplicates: false
- - community_id:
- target_field: network.community_id
- - remove:
- field:
- - zeek.ssl.client
- ignore_missing: true
- if: 'ctx?.zeek?.ssl?.client == null || ctx?.zeek?.ssl?.client.isEmpty()'
- - remove:
- field:
- - zeek.ssl.id
- ignore_missing: true
- - remove:
- field: event.original
- if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))"
- ignore_failure: true
- ignore_missing: true
-on_failure:
- - set:
- field: error.message
- value: "{{ _ingest.on_failure_message }}"
diff --git a/packages/zeek/2.5.2/data_stream/ssl/elasticsearch/ingest_pipeline/third-party.yml b/packages/zeek/2.5.2/data_stream/ssl/elasticsearch/ingest_pipeline/third-party.yml
deleted file mode 100755
index 5bc2247db2..0000000000
--- a/packages/zeek/2.5.2/data_stream/ssl/elasticsearch/ingest_pipeline/third-party.yml
+++ /dev/null
@@ -1,39 +0,0 @@
----
-description: Pipeline for parsing Zeek logs from third party api
-processors:
- - fingerprint:
- fields:
- - _temp_.result._cd
- - _temp_.result._indextime
- - _temp_.result._raw
- - _temp_.result._time
- - _temp_.result.host
- - _temp_.result.source
- target_field: '_id'
- ignore_missing: true
- - set:
- field: event.original
- copy_from: _temp_.result._raw
- ignore_empty_value: true
- - set:
- field: host.name
- copy_from: _temp_.result.host
- ignore_empty_value: true
- - set:
- copy_from: _temp_.result.source
- field: log.file.path
- ignore_empty_value: true
- - remove:
- field: _temp_
- ignore_missing: true
- - json:
- field: event.original
- target_field: _temp_
-on_failure:
- - append:
- field: error.message
- value: >-
- error in third party api pipeline:
- error in [{{_ingest.on_failure_processor_type}}] processor{{#_ingest.on_failure_processor_tag}}
- with tag [{{_ingest.on_failure_processor_tag }}]{{/_ingest.on_failure_processor_tag}}
- {{ _ingest.on_failure_message }}
diff --git a/packages/zeek/2.5.2/data_stream/ssl/fields/agent.yml b/packages/zeek/2.5.2/data_stream/ssl/fields/agent.yml
deleted file mode 100755
index ed1313d1b0..0000000000
--- a/packages/zeek/2.5.2/data_stream/ssl/fields/agent.yml
+++ /dev/null
@@ -1,171 +0,0 @@
-- name: cloud
- title: Cloud
- group: 2
- description: Fields related to the cloud or infrastructure the events are coming from.
- footnote: "Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on."
- type: group
- fields:
- - name: account.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: "The cloud account or organization id used to identify different entities in a multi-tenant environment.\nExamples: AWS account id, Google Cloud ORG Id, or other unique identifier."
- example: 666777888999
- - name: availability_zone
- level: extended
- type: keyword
- ignore_above: 1024
- description: Availability zone in which this host is running.
- example: us-east-1c
- - name: instance.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance ID of the host machine.
- example: i-1234567890abcdef0
- - name: instance.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance name of the host machine.
- - name: machine.type
- level: extended
- type: keyword
- ignore_above: 1024
- description: Machine type of the host machine.
- example: t2.medium
- - name: provider
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
- example: aws
- - name: region
- level: extended
- type: keyword
- ignore_above: 1024
- description: Region in which this host is running.
- example: us-east-1
- - name: project.id
- type: keyword
- description: Name of the project in Google Cloud.
- - name: image.id
- type: keyword
- description: Image ID for the cloud instance.
-- name: container
- title: Container
- group: 2
- description: "Container fields are used for meta information about the specific container that is the source of information.\nThese fields help correlate data based containers from any runtime."
- type: group
- fields:
- - name: image.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the image the container was built on.
- - name: labels
- level: extended
- type: object
- object_type: keyword
- description: Image labels.
- - name: name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Container name.
-- name: host
- title: Host
- group: 2
- description: "A host is defined as a general computing instance.\nECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes."
- type: group
- fields:
- - name: architecture
- level: core
- type: keyword
- ignore_above: 1024
- description: Operating system architecture.
- example: x86_64
- - name: domain
- level: extended
- type: keyword
- ignore_above: 1024
- description: "Name of the domain of which the host is a member.\nFor example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider."
- example: CONTOSO
- default_field: false
- - name: hostname
- level: core
- type: keyword
- ignore_above: 1024
- description: "Hostname of the host.\nIt normally contains what the `hostname` command returns on the host machine."
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: "Unique host id.\nAs hostname is not always unique, use values that are meaningful in your environment.\nExample: The current usage of `beat.name`."
- - name: mac
- level: core
- type: keyword
- ignore_above: 1024
- description: Host mac addresses.
- - name: name
- level: core
- type: keyword
- ignore_above: 1024
- description: "Name of the host.\nIt can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use."
- - name: os.family
- level: extended
- type: keyword
- ignore_above: 1024
- description: OS family (such as redhat, debian, freebsd, windows).
- example: debian
- - name: os.kernel
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system kernel version as a raw string.
- example: 4.4.0-112-generic
- - name: os.name
- level: extended
- type: keyword
- ignore_above: 1024
- multi_fields:
- - name: text
- type: text
- norms: false
- default_field: false
- description: Operating system name, without the version.
- example: Mac OS X
- - name: os.platform
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system platform (such centos, ubuntu, windows).
- example: darwin
- - name: os.version
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system version as a raw string.
- example: 10.14.1
- - name: type
- level: core
- type: keyword
- ignore_above: 1024
- description: "Type of host.\nFor Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment."
- - name: containerized
- type: boolean
- description: >
- If the host is a container.
-
- - name: os.build
- type: keyword
- example: "18D109"
- description: >
- OS build information.
-
- - name: os.codename
- type: keyword
- example: "stretch"
- description: >
- OS codename, if any.
-
diff --git a/packages/zeek/2.5.2/data_stream/ssl/fields/base-fields.yml b/packages/zeek/2.5.2/data_stream/ssl/fields/base-fields.yml
deleted file mode 100755
index 762c6239d5..0000000000
--- a/packages/zeek/2.5.2/data_stream/ssl/fields/base-fields.yml
+++ /dev/null
@@ -1,20 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: event.module
- type: constant_keyword
- description: Event module
- value: zeek
-- name: event.dataset
- type: constant_keyword
- description: Event dataset
- value: zeek.ssl
-- name: '@timestamp'
- type: date
- description: Event timestamp.
diff --git a/packages/zeek/2.5.2/data_stream/ssl/fields/beats.yml b/packages/zeek/2.5.2/data_stream/ssl/fields/beats.yml
deleted file mode 100755
index 470f5fae48..0000000000
--- a/packages/zeek/2.5.2/data_stream/ssl/fields/beats.yml
+++ /dev/null
@@ -1,23 +0,0 @@
-- description: Unique container id.
- ignore_above: 1024
- name: container.id
- type: keyword
-- description: Type of Filebeat input.
- name: input.type
- type: keyword
-- description: Full path to the log file this event came from.
- example: /var/log/fun-times.log
- ignore_above: 1024
- name: log.file.path
- type: keyword
-- description: Flags for the log file.
- name: log.flags
- type: keyword
-- description: Offset of the entry in the log file.
- name: log.offset
- type: long
-- description: List of keywords used to tag each event.
- example: '["production", "env2"]'
- ignore_above: 1024
- name: tags
- type: keyword
diff --git a/packages/zeek/2.5.2/data_stream/ssl/fields/ecs.yml b/packages/zeek/2.5.2/data_stream/ssl/fields/ecs.yml
deleted file mode 100755
index 02fc208193..0000000000
--- a/packages/zeek/2.5.2/data_stream/ssl/fields/ecs.yml
+++ /dev/null
@@ -1,310 +0,0 @@
-- description: |-
- Some event client addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field.
- Then it should be duplicated to `.ip` or `.domain`, depending on which one it is.
- name: client.address
- type: keyword
-- description: |-
- Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field.
- Then it should be duplicated to `.ip` or `.domain`, depending on which one it is.
- name: destination.address
- type: keyword
-- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet.
- name: destination.as.number
- type: long
-- description: Organization name.
- multi_fields:
- - name: text
- type: match_only_text
- name: destination.as.organization.name
- type: keyword
-- description: City name.
- name: destination.geo.city_name
- type: keyword
-- description: Name of the continent.
- name: destination.geo.continent_name
- type: keyword
-- description: Country ISO code.
- name: destination.geo.country_iso_code
- type: keyword
-- description: Country name.
- name: destination.geo.country_name
- type: keyword
-- description: Longitude and latitude.
- name: destination.geo.location
- type: geo_point
-- description: |-
- User-defined description of a location, at the level of granularity they care about.
- Could be the name of their data centers, the floor number, if this describes a local physical entity, city names.
- Not typically used in automated geolocation.
- name: destination.geo.name
- type: keyword
-- description: Region ISO code.
- name: destination.geo.region_iso_code
- type: keyword
-- description: Region name.
- name: destination.geo.region_name
- type: keyword
-- description: IP address of the destination (IPv4 or IPv6).
- name: destination.ip
- type: ip
-- description: Port of the destination.
- name: destination.port
- type: long
-- description: |-
- ECS version this event conforms to. `ecs.version` is a required field and must exist in all events.
- When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events.
- name: ecs.version
- type: keyword
-- description: Error message.
- name: error.message
- type: match_only_text
-- description: |-
- This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy.
- `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory.
- This field is an array. This will allow proper categorization of some events that fall in multiple categories.
- name: event.category
- normalize:
- - array
- type: keyword
-- description: |-
- event.created contains the date/time when the event was first read by an agent, or by your pipeline.
- This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event.
- In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source.
- In case the two timestamps are identical, @timestamp should be used.
- name: event.created
- type: date
-- description: Unique ID to describe the event.
- name: event.id
- type: keyword
-- description: |-
- Timestamp when an event arrived in the central data store.
- This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event.
- In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`.
- name: event.ingested
- type: date
-- description: |-
- This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy.
- `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events.
- The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not.
- name: event.kind
- type: keyword
-- description: |-
- This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy.
- `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization.
- This field is an array. This will allow proper categorization of some events that fall in multiple event types.
- name: event.type
- normalize:
- - array
- type: keyword
-- description: Host ip addresses.
- name: host.ip
- normalize:
- - array
- type: ip
-- description: |-
- A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows.
- Learn more at https://github.com/corelight/community-id-spec.
- name: network.community_id
- type: keyword
-- description: |-
- Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.)
- The field value must be normalized to lowercase for querying.
- name: network.transport
- type: keyword
-- description: All of the IPs seen on your event.
- name: related.ip
- normalize:
- - array
- type: ip
-- description: All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search).
- name: related.hash
- normalize:
- - array
- type: keyword
-- description: |-
- Some event server addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field.
- Then it should be duplicated to `.ip` or `.domain`, depending on which one it is.
- name: server.address
- type: keyword
-- description: |-
- Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field.
- Then it should be duplicated to `.ip` or `.domain`, depending on which one it is.
- name: source.address
- type: keyword
-- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet.
- name: source.as.number
- type: long
-- description: Organization name.
- multi_fields:
- - name: text
- type: match_only_text
- name: source.as.organization.name
- type: keyword
-- description: City name.
- name: source.geo.city_name
- type: keyword
-- description: Name of the continent.
- name: source.geo.continent_name
- type: keyword
-- description: Country ISO code.
- name: source.geo.country_iso_code
- type: keyword
-- description: Country name.
- name: source.geo.country_name
- type: keyword
-- description: Longitude and latitude.
- name: source.geo.location
- type: geo_point
-- description: |-
- User-defined description of a location, at the level of granularity they care about.
- Could be the name of their data centers, the floor number, if this describes a local physical entity, city names.
- Not typically used in automated geolocation.
- name: source.geo.name
- type: keyword
-- description: Region ISO code.
- name: source.geo.region_iso_code
- type: keyword
-- description: Region name.
- name: source.geo.region_name
- type: keyword
-- description: IP address of the source (IPv4 or IPv6).
- name: source.ip
- type: ip
-- description: Port of the source.
- name: source.port
- type: long
-- description: String indicating the cipher used during the current connection.
- name: tls.cipher
- type: keyword
-- description: Distinguished name of subject of the issuer of the x.509 certificate presented by the client.
- name: tls.client.issuer
- type: keyword
-- description: List of common names (CN) of subject.
- name: tls.client.x509.subject.common_name
- normalize:
- - array
- type: keyword
-- description: List of country \(C) code
- name: tls.client.x509.subject.country
- normalize:
- - array
- type: keyword
-- description: List of locality names (L)
- name: tls.client.x509.subject.locality
- normalize:
- - array
- type: keyword
-- description: List of organizations (O) of subject.
- name: tls.client.x509.subject.organization
- normalize:
- - array
- type: keyword
-- description: List of organizational units (OU) of subject.
- name: tls.client.x509.subject.organizational_unit
- normalize:
- - array
- type: keyword
-- description: List of state or province names (ST, S, or P)
- name: tls.client.x509.subject.state_or_province
- normalize:
- - array
- type: keyword
-- description: A hash that identifies clients based on how they perform an SSL/TLS handshake.
- name: tls.client.ja3
- type: keyword
-- description: String indicating the curve used for the given cipher, when applicable.
- name: tls.curve
- type: keyword
-- description: Boolean flag indicating if the TLS negotiation was successful and transitioned to an encrypted tunnel.
- name: tls.established
- type: boolean
-- description: Boolean flag indicating if this TLS connection was resumed from an existing TLS negotiation.
- name: tls.resumed
- type: boolean
-- description: Subject of the issuer of the x.509 certificate presented by the server.
- name: tls.server.issuer
- type: keyword
-- description: Subject of the x.509 certificate presented by the server.
- name: tls.server.subject
- type: keyword
-- description: List of common name (CN) of issuing certificate authority.
- name: tls.server.x509.issuer.common_name
- normalize:
- - array
- type: keyword
-- description: List of country \(C) codes
- name: tls.server.x509.issuer.country
- normalize:
- - array
- type: keyword
-- description: Distinguished name (DN) of issuing certificate authority.
- name: tls.server.x509.issuer.distinguished_name
- type: keyword
-- description: List of locality names (L)
- name: tls.server.x509.issuer.locality
- normalize:
- - array
- type: keyword
-- description: List of organizations (O) of issuing certificate authority.
- name: tls.server.x509.issuer.organization
- normalize:
- - array
- type: keyword
-- description: List of organizational units (OU) of issuing certificate authority.
- name: tls.server.x509.issuer.organizational_unit
- normalize:
- - array
- type: keyword
-- description: List of state or province names (ST, S, or P)
- name: tls.server.x509.issuer.state_or_province
- normalize:
- - array
- type: keyword
-- description: List of common names (CN) of subject.
- name: tls.server.x509.subject.common_name
- normalize:
- - array
- type: keyword
-- description: List of country \(C) code
- name: tls.server.x509.subject.country
- normalize:
- - array
- type: keyword
-- description: List of locality names (L)
- name: tls.server.x509.subject.locality
- normalize:
- - array
- type: keyword
-- description: List of organizations (O) of subject.
- name: tls.server.x509.subject.organization
- normalize:
- - array
- type: keyword
-- description: List of organizational units (OU) of subject.
- name: tls.server.x509.subject.organizational_unit
- normalize:
- - array
- type: keyword
-- description: List of state or province names (ST, S, or P)
- name: tls.server.x509.subject.state_or_province
- normalize:
- - array
- type: keyword
-- description: A hash that identifies servers based on how they perform an SSL/TLS handshake.
- name: tls.server.ja3s
- type: keyword
-- description: Timestamp indicating when server certificate is no longer considered valid.
- name: tls.server.not_after
- type: date
-- description: Timestamp indicating when server certificate is first considered valid.
- name: tls.server.not_before
- type: date
-- description: Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the server. For consistency with other hash values, this value should be formatted as an uppercase hash.
- name: tls.server.hash.sha1
- type: keyword
-- description: Numeric part of the version parsed from the original string.
- name: tls.version
- type: keyword
-- description: Normalized lowercase protocol name parsed from original string.
- name: tls.version_protocol
- type: keyword
diff --git a/packages/zeek/2.5.2/data_stream/ssl/fields/fields.yml b/packages/zeek/2.5.2/data_stream/ssl/fields/fields.yml
deleted file mode 100755
index 13d506136c..0000000000
--- a/packages/zeek/2.5.2/data_stream/ssl/fields/fields.yml
+++ /dev/null
@@ -1,178 +0,0 @@ -- name: zeek.ssl - type: group - fields: - - name: version - type: keyword - description: | - SSL/TLS version that was logged. - - name: cipher - type: keyword - description: | - SSL/TLS cipher suite that was logged. - - name: curve - type: keyword - description: | - Elliptic curve that was logged when using ECDH/ECDHE. - - name: resumed - type: boolean - description: | - Flag to indicate if the session was resumed reusing the key material exchanged in an - earlier connection. - - name: next_protocol - type: keyword - description: | - Next protocol the server chose using the application layer next protocol extension. - - name: established - type: boolean - description: | - Flag to indicate if this ssl session has been established successfully. - - name: validation - type: group - fields: - - name: status - type: keyword - description: | - Result of certificate validation for this connection. - - name: code - type: keyword - description: | - Result of certificate validation for this connection, given as OpenSSL validation code. - - name: last_alert - type: keyword - description: | - Last alert that was seen during the connection. - - name: server - type: group - fields: - - name: name - type: keyword - description: | - Value of the Server Name Indicator SSL/TLS extension. It indicates the server name - that the client was requesting. - - name: cert_chain - type: keyword - description: | - Chain of certificates offered by the server to validate its complete signing chain. - - name: cert_chain_fuids - type: keyword - description: | - An ordered vector of certificate file identifiers for the certificates offered by the server. - - name: issuer - type: group - fields: - - name: common_name - type: keyword - description: | - Common name of the signer of the X.509 certificate offered by the server. - - name: country - type: keyword - description: | - Country code of the signer of the X.509 certificate offered by the server. 
- - name: locality - type: keyword - description: | - Locality of the signer of the X.509 certificate offered by the server. - - name: organization - type: keyword - description: | - Organization of the signer of the X.509 certificate offered by the server. - - name: organizational_unit - type: keyword - description: | - Organizational unit of the signer of the X.509 certificate offered by the server. - - name: state - type: keyword - description: | - State or province name of the signer of the X.509 certificate offered by the server. - - name: subject - type: group - fields: - - name: common_name - type: keyword - description: | - Common name of the X.509 certificate offered by the server. - - name: country - type: keyword - description: | - Country code of the X.509 certificate offered by the server. - - name: locality - type: keyword - description: | - Locality of the X.509 certificate offered by the server. - - name: organization - type: keyword - description: | - Organization of the X.509 certificate offered by the server. - - name: organizational_unit - type: keyword - description: | - Organizational unit of the X.509 certificate offered by the server. - - name: state - type: keyword - description: | - State or province name of the X.509 certificate offered by the server. - - name: client - type: group - fields: - - name: cert_chain - type: keyword - description: | - Chain of certificates offered by the client to validate its complete signing chain. - - name: cert_chain_fuids - type: keyword - description: | - An ordered vector of certificate file identifiers for the certificates offered by the client. - - name: issuer - type: group - fields: - - name: common_name - type: keyword - description: | - Common name of the signer of the X.509 certificate offered by the client. - - name: country - type: keyword - description: | - Country code of the signer of the X.509 certificate offered by the client. 
- - name: locality - type: keyword - description: | - Locality of the signer of the X.509 certificate offered by the client. - - name: organization - type: keyword - description: | - Organization of the signer of the X.509 certificate offered by the client. - - name: organizational_unit - type: keyword - description: | - Organizational unit of the signer of the X.509 certificate offered by the client. - - name: state - type: keyword - description: | - State or province name of the signer of the X.509 certificate offered by the client. - - name: subject - type: group - fields: - - name: common_name - type: keyword - description: | - Common name of the X.509 certificate offered by the client. - - name: country - type: keyword - description: | - Country code of the X.509 certificate offered by the client. - - name: locality - type: keyword - description: | - Locality of the X.509 certificate offered by the client. - - name: organization - type: keyword - description: | - Organization of the X.509 certificate offered by the client. - - name: organizational_unit - type: keyword - description: | - Organizational unit of the X.509 certificate offered by the client. - - name: state - type: keyword - description: | - State or province name of the X.509 certificate offered by the client. diff --git a/packages/zeek/2.5.2/data_stream/ssl/fields/package-fields.yml b/packages/zeek/2.5.2/data_stream/ssl/fields/package-fields.yml deleted file mode 100755 index 4d6d6ea170..0000000000 --- a/packages/zeek/2.5.2/data_stream/ssl/fields/package-fields.yml +++ /dev/null @@ -1,7 +0,0 @@ -- name: zeek - type: group - fields: - - name: session_id - type: keyword - description: | - A unique identifier of the session diff --git a/packages/zeek/2.5.2/data_stream/ssl/manifest.yml b/packages/zeek/2.5.2/data_stream/ssl/manifest.yml deleted file mode 100755 index 93ba40223c..0000000000 --- a/packages/zeek/2.5.2/data_stream/ssl/manifest.yml +++ /dev/null 
@@ -1,85 +0,0 @@ -type: logs -title: Zeek ssl logs -streams: - - input: logfile - vars: - - name: filenames - type: text - title: Filename of ssl log file - multi: true - required: true - show_user: true - default: - - ssl.log - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: false - default: - - forwarded - - zeek-ssl - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original` - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: > - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. - - template_path: log.yml.hbs - title: Zeek ssl.log - description: Collect Zeek ssl logs - - input: httpjson - title: Zeek ssl logs via Splunk Enterprise REST API - description: Collect Zeek ssl logs via Splunk Enterprise REST API - enabled: false - template_path: httpjson.yml.hbs - vars: - - name: interval - type: text - title: Interval to query Splunk Enterprise REST API - description: Go Duration syntax (eg. 
10s) - show_user: true - required: true - default: 10s - - name: search - type: text - title: Splunk search string - show_user: true - required: true - default: "search sourcetype=\"ssl-*\"" - - name: tags - type: text - title: Tags - multi: true - show_user: false - default: - - forwarded - - zeek-ssl - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original` - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: >- - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. diff --git a/packages/zeek/2.5.2/data_stream/stats/agent/stream/httpjson.yml.hbs b/packages/zeek/2.5.2/data_stream/stats/agent/stream/httpjson.yml.hbs deleted file mode 100755 index 33f251e7d6..0000000000 --- a/packages/zeek/2.5.2/data_stream/stats/agent/stream/httpjson.yml.hbs +++ /dev/null 
@@ -1,63 +0,0 @@ -config_version: 2 -interval: {{interval}} -{{#unless token}} -{{#if username}} -{{#if password}} -auth.basic.user: {{username}} -auth.basic.password: {{password}} -{{/if}} -{{/if}} -{{/unless}} -cursor: - index_earliest: - value: '[[.last_event.result.max_indextime]]' -request.url: {{url}}/services/search/jobs/export -{{#if ssl}} -request.ssl: {{ssl}} -{{/if}} -request.method: POST -request.transforms: - - set: - target: url.params.search - value: {{search}} | streamstats max(_indextime) AS max_indextime - - set: - target: url.params.output_mode - value: "json" - - set: - target: url.params.index_earliest - value: '[[ .cursor.index_earliest ]]' - default: '[[(now (parseDuration "-{{interval}}")).Unix]]' - - set: - target: url.params.index_latest - value: '[[(now).Unix]]' - - set: - target: header.Content-Type - value: application/x-www-form-urlencoded -{{#unless username}} -{{#unless password}} -{{#if token}} - - set: - target: header.Authorization - value: {{token}} -{{/if}} -{{/unless}} -{{/unless}} -response.decode_as: application/x-ndjson -response.split: - target: body.result._raw - type: string - delimiter: "\n" -tags: -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#each tags as |tag i|}} - - {{tag}} -{{/each}} -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} -{{#if processors}} -processors: -{{processors}} -{{/if}} diff --git a/packages/zeek/2.5.2/data_stream/stats/agent/stream/log.yml.hbs b/packages/zeek/2.5.2/data_stream/stats/agent/stream/log.yml.hbs deleted file mode 100755 index 9dd9f724a5..0000000000 --- a/packages/zeek/2.5.2/data_stream/stats/agent/stream/log.yml.hbs +++ /dev/null 
@@ -1,21 +0,0 @@ -paths: -{{#each base_paths}} - {{#each ../filenames}} - - {{../this}}/{{this}} - {{/each}} -{{/each}} -exclude_files: [".gz$"] -tags: -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#each tags as |tag i|}} - - {{tag}} -{{/each}} -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} -{{#if processors}} -processors: -{{processors}} -{{/if}} diff --git a/packages/zeek/2.5.2/data_stream/stats/elasticsearch/ingest_pipeline/default.yml b/packages/zeek/2.5.2/data_stream/stats/elasticsearch/ingest_pipeline/default.yml deleted file mode 100755 index ffcb509ce4..0000000000 --- a/packages/zeek/2.5.2/data_stream/stats/elasticsearch/ingest_pipeline/default.yml +++ /dev/null 
@@ -1,144 +0,0 @@ ---- -description: Pipeline for normalizing Zeek stats.log -processors: - - rename: - field: message - target_field: event.original - - json: - field: event.original - target_field: _temp_ - - pipeline: - if: ctx?._temp_?.result != null - name: '{{ IngestPipeline "third-party" }}' - - drop: - description: Drop if no timestamp (invalid json) - if: 'ctx?._temp_?.ts == null' - - rename: - field: _temp_ - target_field: zeek.stats - -# Sets event.created from the @timestamp field generated by filebeat before being overwritten further down - - set: - field: event.created - copy_from: "@timestamp" - - set: - field: event.kind - value: event - - set: - field: ecs.version - value: '8.4.0' - - rename: - field: zeek.stats.mem - target_field: zeek.stats.memory - ignore_missing: true - - rename: - field: zeek.stats.pkts_proc - target_field: zeek.stats.packets.processed - ignore_missing: true - - rename: - field: zeek.stats.pkts_dropped - target_field: zeek.stats.packets.dropped - ignore_missing: true - - rename: - field: zeek.stats.pkts_link - target_field: zeek.stats.packets.received - ignore_missing: true - - rename: - field: zeek.stats.bytes_recv - target_field: zeek.stats.bytes.received - ignore_missing: true - - rename: - field: zeek.stats.tcp_conns - target_field: zeek.stats.connections.tcp.count - ignore_missing: true - - rename: - field: zeek.stats.active_tcp_conns - target_field: zeek.stats.connections.tcp.active - ignore_missing: true - - rename: - field: zeek.stats.udp_conns - target_field: zeek.stats.connections.udp.count - ignore_missing: true - - rename: - field: zeek.stats.active_udp_conns - target_field: zeek.stats.connections.udp.active - ignore_missing: true - - rename: - field: zeek.stats.icmp_conns - target_field: zeek.stats.connections.icmp.count - ignore_missing: true - - rename: - field: zeek.stats.active_icmp_conns - target_field: zeek.stats.connections.icmp.active - ignore_missing: true - - rename: - field: zeek.stats.events_proc - 
target_field: zeek.stats.events.processed - ignore_missing: true - - rename: - field: zeek.stats.events_queued - target_field: zeek.stats.events.queued - ignore_missing: true - - rename: - field: zeek.stats.timers - target_field: zeek.stats.timers.count - ignore_missing: true - - rename: - field: zeek.stats.active_timers - target_field: zeek.stats.timers.active - ignore_missing: true - - rename: - field: zeek.stats.files - target_field: zeek.stats.files.count - ignore_missing: true - - rename: - field: zeek.stats.active_files - target_field: zeek.stats.files.active - ignore_missing: true - - rename: - field: zeek.stats.dns_requests - target_field: zeek.stats.dns_requests.count - ignore_missing: true - - rename: - field: zeek.stats.active_dns_requests - target_field: zeek.stats.dns_requests.active - ignore_missing: true - - rename: - field: zeek.stats.reassem_tcp_size - target_field: zeek.stats.reassembly_size.tcp - ignore_missing: true - - rename: - field: zeek.stats.reassem_file_size - target_field: zeek.stats.reassembly_size.file - ignore_missing: true - - rename: - field: zeek.stats.reassem_frag_size - target_field: zeek.stats.reassembly_size.frag - ignore_missing: true - - rename: - field: zeek.stats.reassem_unknown_size - target_field: zeek.stats.reassembly_size.unknown - ignore_missing: true - - rename: - field: zeek.stats.pkt_lag - target_field: zeek.stats.timestamp_lag - ignore_missing: true - - date: - field: zeek.stats.ts - formats: - - UNIX - - ISO8601 - - remove: - field: zeek.stats.ts - - set: - field: event.kind - value: metric - - remove: - field: event.original - if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" - ignore_failure: true - ignore_missing: true -on_failure: - - set: - field: error.message - value: "{{ _ingest.on_failure_message }}" 
diff --git a/packages/zeek/2.5.2/data_stream/stats/elasticsearch/ingest_pipeline/third-party.yml b/packages/zeek/2.5.2/data_stream/stats/elasticsearch/ingest_pipeline/third-party.yml deleted file mode 100755 index 5bc2247db2..0000000000 --- a/packages/zeek/2.5.2/data_stream/stats/elasticsearch/ingest_pipeline/third-party.yml +++ /dev/null @@ -1,39 +0,0 @@ ---- -description: Pipeline for parsing Zeek logs from third party api -processors: - - fingerprint: - fields: - - _temp_.result._cd - - _temp_.result._indextime - - _temp_.result._raw - - _temp_.result._time - - _temp_.result.host - - _temp_.result.source - target_field: '_id' - ignore_missing: true - - set: - field: event.original - copy_from: _temp_.result._raw - ignore_empty_value: true - - set: - field: host.name - copy_from: _temp_.result.host - ignore_empty_value: true - - set: - copy_from: _temp_.result.source - field: log.file.path - ignore_empty_value: true - - remove: - field: _temp_ - ignore_missing: true - - json: - field: event.original - target_field: _temp_ -on_failure: - - append: - field: error.message - value: >- - error in third party api pipeline: - error in [{{_ingest.on_failure_processor_type}}] processor{{#_ingest.on_failure_processor_tag}} - with tag [{{_ingest.on_failure_processor_tag }}]{{/_ingest.on_failure_processor_tag}} - {{ _ingest.on_failure_message }} diff --git a/packages/zeek/2.5.2/data_stream/stats/fields/agent.yml b/packages/zeek/2.5.2/data_stream/stats/fields/agent.yml deleted file mode 100755 index ed1313d1b0..0000000000 --- a/packages/zeek/2.5.2/data_stream/stats/fields/agent.yml +++ /dev/null 
@@ -1,171 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: "Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on." - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: "The cloud account or organization id used to identify different entities in a multi-tenant environment.\nExamples: AWS account id, Google Cloud ORG Id, or other unique identifier." - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: "Container fields are used for meta information about the specific container that is the source of information.\nThese fields help correlate data based containers from any runtime." - type: group - fields: - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: "A host is defined as a general computing instance.\nECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes." - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: "Name of the domain of which the host is a member.\nFor example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider." - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: "Hostname of the host.\nIt normally contains what the `hostname` command returns on the host machine." - - name: id - level: core - type: keyword - ignore_above: 1024 - description: "Unique host id.\nAs hostname is not always unique, use values that are meaningful in your environment.\nExample: The current usage of `beat.name`." - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. 
- - name: name - level: core - type: keyword - ignore_above: 1024 - description: "Name of the host.\nIt can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use." - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: "Type of host.\nFor Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment." - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - diff --git a/packages/zeek/2.5.2/data_stream/stats/fields/base-fields.yml b/packages/zeek/2.5.2/data_stream/stats/fields/base-fields.yml deleted file mode 100755 index ea7cc2e519..0000000000 --- a/packages/zeek/2.5.2/data_stream/stats/fields/base-fields.yml +++ /dev/null 
@@ -1,20 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: event.module - type: constant_keyword - description: Event module - value: zeek -- name: event.dataset - type: constant_keyword - description: Event dataset - value: zeek.stats -- name: '@timestamp' - type: date - description: Event timestamp. diff --git a/packages/zeek/2.5.2/data_stream/stats/fields/beats.yml b/packages/zeek/2.5.2/data_stream/stats/fields/beats.yml deleted file mode 100755 index 470f5fae48..0000000000 --- a/packages/zeek/2.5.2/data_stream/stats/fields/beats.yml +++ /dev/null @@ -1,23 +0,0 @@ -- description: Unique container id. - ignore_above: 1024 - name: container.id - type: keyword -- description: Type of Filebeat input. - name: input.type - type: keyword -- description: Full path to the log file this event came from. - example: /var/log/fun-times.log - ignore_above: 1024 - name: log.file.path - type: keyword -- description: Flags for the log file. - name: log.flags - type: keyword -- description: Offset of the entry in the log file. - name: log.offset - type: long -- description: List of keywords used to tag each event. - example: '["production", "env2"]' - ignore_above: 1024 - name: tags - type: keyword diff --git a/packages/zeek/2.5.2/data_stream/stats/fields/ecs.yml b/packages/zeek/2.5.2/data_stream/stats/fields/ecs.yml deleted file mode 100755 index d6736d6d8d..0000000000 --- a/packages/zeek/2.5.2/data_stream/stats/fields/ecs.yml +++ /dev/null 
@@ -1,32 +0,0 @@ -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: Error message. - name: error.message - type: match_only_text -- description: |- - event.created contains the date/time when the event was first read by an agent, or by your pipeline. - This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. - In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. - In case the two timestamps are identical, @timestamp should be used. - name: event.created - type: date -- description: |- - Timestamp when an event arrived in the central data store. - This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. - In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. - name: event.ingested - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. 
They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: Host ip addresses. - name: host.ip - normalize: - - array - type: ip diff --git a/packages/zeek/2.5.2/data_stream/stats/fields/fields.yml b/packages/zeek/2.5.2/data_stream/stats/fields/fields.yml deleted file mode 100755 index 95fb318c92..0000000000 --- a/packages/zeek/2.5.2/data_stream/stats/fields/fields.yml +++ /dev/null 
@@ -1,136 +0,0 @@
-- name: zeek.stats
- type: group
- fields:
- - name: peer
- type: keyword
- description: |
- Peer that generated this log. Mostly for clusters.
- - name: memory
- type: integer
- description: |
- Amount of memory currently in use in MB.
- - name: packets
- type: group
- fields:
- - name: processed
- type: long
- description: |
- Number of packets processed since the last stats interval.
- - name: dropped
- type: long
- description: |
- Number of packets dropped since the last stats interval if reading live traffic.
- - name: received
- type: long
- description: |
- Number of packets seen on the link since the last stats interval if reading live traffic.
- - name: bytes
- type: group
- fields:
- - name: received
- type: long
- description: |
- Number of bytes received since the last stats interval if reading live traffic.
- - name: connections
- type: group
- fields:
- - name: tcp
- type: group
- fields:
- - name: active
- type: integer
- description: |
- TCP connections currently in memory.
- - name: count
- type: integer
- description: |
- TCP connections seen since last stats interval.
- - name: udp
- type: group
- fields:
- - name: active
- type: integer
- description: |
- UDP connections currently in memory.
- - name: count
- type: integer
- description: |
- UDP connections seen since last stats interval.
- - name: icmp
- type: group
- fields:
- - name: active
- type: integer
- description: |
- ICMP connections currently in memory.
- - name: count
- type: integer
- description: |
- ICMP connections seen since last stats interval.
- - name: events
- type: group
- fields:
- - name: processed
- type: integer
- description: |
- Number of events processed since the last stats interval.
- - name: queued
- type: integer
- description: |
- Number of events that have been queued since the last stats interval.
- - name: timers
- type: group
- fields:
- - name: count
- type: integer
- description: |
- Number of timers scheduled since last stats interval.
- - name: active
- type: integer
- description: |
- Current number of scheduled timers.
- - name: files
- type: group
- fields:
- - name: count
- type: integer
- description: |
- Number of files seen since last stats interval.
- - name: active
- type: integer
- description: |
- Current number of files actively being seen.
- - name: dns_requests
- type: group
- fields:
- - name: count
- type: integer
- description: |
- Number of DNS requests seen since last stats interval.
- - name: active
- type: integer
- description: |
- Current number of DNS requests awaiting a reply.
- - name: reassembly_size
- type: group
- fields:
- - name: tcp
- type: integer
- description: |
- Current size of TCP data in reassembly.
- - name: file
- type: integer
- description: |
- Current size of File data in reassembly.
- - name: frag
- type: integer
- description: |
- Current size of packet fragment data in reassembly.
- - name: unknown
- type: integer
- description: |
- Current size of unknown data in reassembly (this is only PIA buffer right now).
- - name: timestamp_lag
- type: integer
- description: |
- Lag between the wall clock and packet timestamps if reading live traffic.
diff --git a/packages/zeek/2.5.2/data_stream/stats/fields/package-fields.yml b/packages/zeek/2.5.2/data_stream/stats/fields/package-fields.yml
deleted file mode 100755
index 4d6d6ea170..0000000000
--- a/packages/zeek/2.5.2/data_stream/stats/fields/package-fields.yml
+++ /dev/null
@@ -1,7 +0,0 @@
-- name: zeek
- type: group
- fields:
- - name: session_id
- type: keyword
- description: |
- A unique identifier of the session
diff --git a/packages/zeek/2.5.2/data_stream/stats/manifest.yml b/packages/zeek/2.5.2/data_stream/stats/manifest.yml
deleted file mode 100755
index 665b9b9781..0000000000
--- a/packages/zeek/2.5.2/data_stream/stats/manifest.yml
+++ /dev/null
@@ -1,85 +0,0 @@
-type: logs
-title: Zeek stats logs
-streams:
- - input: logfile
- vars:
- - name: filenames
- type: text
- title: Filename of stats log file
- multi: true
- required: true
- show_user: true
- default:
- - stats.log
- - name: tags
- type: text
- title: Tags
- multi: true
- required: true
- show_user: false
- default:
- - forwarded
- - zeek-stats
- - name: preserve_original_event
- required: true
- show_user: true
- title: Preserve original event
- description: Preserves a raw copy of the original event, added to the field `event.original`
- type: bool
- multi: false
- default: false
- - name: processors
- type: yaml
- title: Processors
- multi: false
- required: false
- show_user: false
- description: >
- Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
- template_path: log.yml.hbs
- title: Zeek stats.log
- description: Collect Zeek stats logs
- - input: httpjson
- title: Zeek stats logs via Splunk Enterprise REST API
- description: Collect Zeek stats logs via Splunk Enterprise REST API
- enabled: false
- template_path: httpjson.yml.hbs
- vars:
- - name: interval
- type: text
- title: Interval to query Splunk Enterprise REST API
- description: Go Duration syntax (eg.
10s)
- show_user: true
- required: true
- default: 10s
- - name: search
- type: text
- title: Splunk search string
- show_user: true
- required: true
- default: "search sourcetype=\"stats-*\""
- - name: tags
- type: text
- title: Tags
- multi: true
- show_user: false
- default:
- - forwarded
- - zeek-stats
- - name: preserve_original_event
- required: true
- show_user: true
- title: Preserve original event
- description: Preserves a raw copy of the original event, added to the field `event.original`
- type: bool
- multi: false
- default: false
- - name: processors
- type: yaml
- title: Processors
- multi: false
- required: false
- show_user: false
- description: >-
- Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
diff --git a/packages/zeek/2.5.2/data_stream/syslog/agent/stream/httpjson.yml.hbs b/packages/zeek/2.5.2/data_stream/syslog/agent/stream/httpjson.yml.hbs
deleted file mode 100755
index 33f251e7d6..0000000000
--- a/packages/zeek/2.5.2/data_stream/syslog/agent/stream/httpjson.yml.hbs
+++ /dev/null
@@ -1,63 +0,0 @@
-config_version: 2
-interval: {{interval}}
-{{#unless token}}
-{{#if username}}
-{{#if password}}
-auth.basic.user: {{username}}
-auth.basic.password: {{password}}
-{{/if}}
-{{/if}}
-{{/unless}}
-cursor:
- index_earliest:
- value: '[[.last_event.result.max_indextime]]'
-request.url: {{url}}/services/search/jobs/export
-{{#if ssl}}
-request.ssl: {{ssl}}
-{{/if}}
-request.method: POST
-request.transforms:
- - set:
- target: url.params.search
- value: {{search}} | streamstats max(_indextime) AS max_indextime
- - set:
- target: url.params.output_mode
- value: "json"
- - set:
- target: url.params.index_earliest
- value: '[[ .cursor.index_earliest ]]'
- default: '[[(now (parseDuration "-{{interval}}")).Unix]]'
- - set:
- target: url.params.index_latest
- value: '[[(now).Unix]]'
- - set:
- target: header.Content-Type
- value: application/x-www-form-urlencoded
-{{#unless username}}
-{{#unless password}}
-{{#if token}}
- - set:
- target: header.Authorization
- value: {{token}}
-{{/if}}
-{{/unless}}
-{{/unless}}
-response.decode_as: application/x-ndjson
-response.split:
- target: body.result._raw
- type: string
- delimiter: "\n"
-tags:
-{{#if preserve_original_event}}
- - preserve_original_event
-{{/if}}
-{{#each tags as |tag i|}}
- - {{tag}}
-{{/each}}
-{{#contains "forwarded" tags}}
-publisher_pipeline.disable_host: true
-{{/contains}}
-{{#if processors}}
-processors:
-{{processors}}
-{{/if}}
diff --git a/packages/zeek/2.5.2/data_stream/syslog/agent/stream/log.yml.hbs b/packages/zeek/2.5.2/data_stream/syslog/agent/stream/log.yml.hbs
deleted file mode 100755
index 30e7049925..0000000000
--- a/packages/zeek/2.5.2/data_stream/syslog/agent/stream/log.yml.hbs
+++ /dev/null
@@ -1,21 +0,0 @@
-paths:
-{{#each base_paths}}
- {{#each ../filenames}}
- - {{../this}}/{{this}}
- {{/each}}
-{{/each}}
-exclude_files: [".gz$"]
-tags:
-{{#if preserve_original_event}}
- - preserve_original_event
-{{/if}}
-{{#each tags as |tag i|}}
- - {{tag}}
-{{/each}}
-{{#contains "forwarded" tags}}
-publisher_pipeline.disable_host: true
-{{/contains}}
-{{#if processors}}
-processors:
-{{processors}}
-{{/if}}
\ No newline at end of file
diff --git a/packages/zeek/2.5.2/data_stream/syslog/elasticsearch/ingest_pipeline/default.yml b/packages/zeek/2.5.2/data_stream/syslog/elasticsearch/ingest_pipeline/default.yml
deleted file mode 100755
index c631ed2170..0000000000
--- a/packages/zeek/2.5.2/data_stream/syslog/elasticsearch/ingest_pipeline/default.yml
+++ /dev/null
@@ -1,168 +0,0 @@
----
-description: Pipeline for normalizing Zeek syslog.log
-processors:
- - rename:
- field: message
- target_field: event.original
- - json:
- field: event.original
- target_field: _temp_
- - pipeline:
- if: ctx?._temp_?.result != null
- name: '{{ IngestPipeline "third-party" }}'
- - drop:
- description: Drop if no timestamp (invalid json)
- if: 'ctx?._temp_?.ts == null'
- - rename:
- field: _temp_
- target_field: zeek.syslog
-
-# Sets event.created from the @timestamp field generated by filebeat before being overwritten further down
- - set:
- field: event.created
- copy_from: "@timestamp"
- - set:
- field: event.kind
- value: event
- - set:
- field: ecs.version
- value: '8.4.0'
- - set:
- field: network.protocol
- value: syslog
- - dot_expander:
- path: zeek.syslog
- field: id.orig_p
- ignore_failure: true
- - dot_expander:
- path: zeek.syslog
- field: id.orig_h
- ignore_failure: true
- - dot_expander:
- path: zeek.syslog
- field: id.resp_h
- ignore_failure: true
- - dot_expander:
- path: zeek.syslog
- field: id.resp_p
- ignore_failure: true
- - rename:
- field: zeek.syslog.id.orig_h
- target_field: source.address
- ignore_missing: true
- - rename:
- field: zeek.syslog.id.orig_p
- target_field: source.port
- ignore_missing: true
- - rename:
- field: zeek.syslog.id.resp_h
- target_field: destination.address
- ignore_missing: true
- - rename:
- field: zeek.syslog.id.resp_p
- target_field: destination.port
- ignore_missing: true
- - rename:
- field: zeek.syslog.uid
- target_field: zeek.session_id
- ignore_missing: true
- - set:
- field: event.id
- copy_from: zeek.session_id
- if: ctx?.zeek?.session_id != null
- - set:
- field: source.ip
- copy_from: source.address
- if: ctx?.source?.address != null
- - set:
- field: destination.ip
- copy_from: destination.address
- if: ctx?.destination?.address != null
- - rename:
- field: zeek.syslog.proto
- target_field: network.transport
- ignore_missing: true
- - rename:
- field: zeek.syslog.message
-
target_field: zeek.syslog.msg
- ignore_missing: true
- - set:
- field: message
- copy_from: zeek.syslog.msg
- ignore_empty_value: true
- - set:
- field: log.syslog.facility.name
- copy_from: zeek.syslog.facility
- if: ctx?.zeek?.syslog?.facility != null
- - set:
- field: log.syslog.severity.name
- copy_from: zeek.syslog.severity
- if: ctx?.zeek?.syslog?.severity != null
- - date:
- field: zeek.syslog.ts
- formats:
- - UNIX
- - ISO8601
- - remove:
- field: zeek.syslog.ts
- - geoip:
- field: destination.ip
- target_field: destination.geo
- ignore_missing: true
- - geoip:
- field: source.ip
- target_field: source.geo
- ignore_missing: true
- - geoip:
- database_file: GeoLite2-ASN.mmdb
- field: source.ip
- target_field: source.as
- properties:
- - asn
- - organization_name
- ignore_missing: true
- - geoip:
- database_file: GeoLite2-ASN.mmdb
- field: destination.ip
- target_field: destination.as
- properties:
- - asn
- - organization_name
- ignore_missing: true
- - rename:
- field: source.as.asn
- target_field: source.as.number
- ignore_missing: true
- - rename:
- field: source.as.organization_name
- target_field: source.as.organization.name
- ignore_missing: true
- - rename:
- field: destination.as.asn
- target_field: destination.as.number
- ignore_missing: true
- - rename:
- field: destination.as.organization_name
- target_field: destination.as.organization.name
- ignore_missing: true
- - append:
- field: related.ip
- value: "{{source.ip}}"
- if: "ctx?.source?.ip != null"
- allow_duplicates: false
- - append:
- field: related.ip
- value: "{{destination.ip}}"
- if: "ctx?.destination?.ip != null"
- allow_duplicates: false
- - community_id:
- target_field: network.community_id
- - remove:
- field: event.original
- if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))"
- ignore_failure: true
- ignore_missing: true
-on_failure:
- - set:
- field: error.message
- value: "{{ _ingest.on_failure_message }}"
diff --git a/packages/zeek/2.5.2/data_stream/syslog/elasticsearch/ingest_pipeline/third-party.yml b/packages/zeek/2.5.2/data_stream/syslog/elasticsearch/ingest_pipeline/third-party.yml
deleted file mode 100755
index 5bc2247db2..0000000000
--- a/packages/zeek/2.5.2/data_stream/syslog/elasticsearch/ingest_pipeline/third-party.yml
+++ /dev/null
@@ -1,39 +0,0 @@
----
-description: Pipeline for parsing Zeek logs from third party api
-processors:
- - fingerprint:
- fields:
- - _temp_.result._cd
- - _temp_.result._indextime
- - _temp_.result._raw
- - _temp_.result._time
- - _temp_.result.host
- - _temp_.result.source
- target_field: '_id'
- ignore_missing: true
- - set:
- field: event.original
- copy_from: _temp_.result._raw
- ignore_empty_value: true
- - set:
- field: host.name
- copy_from: _temp_.result.host
- ignore_empty_value: true
- - set:
- copy_from: _temp_.result.source
- field: log.file.path
- ignore_empty_value: true
- - remove:
- field: _temp_
- ignore_missing: true
- - json:
- field: event.original
- target_field: _temp_
-on_failure:
- - append:
- field: error.message
- value: >-
- error in third party api pipeline:
- error in [{{_ingest.on_failure_processor_type}}] processor{{#_ingest.on_failure_processor_tag}}
- with tag [{{_ingest.on_failure_processor_tag }}]{{/_ingest.on_failure_processor_tag}}
- {{ _ingest.on_failure_message }}
diff --git a/packages/zeek/2.5.2/data_stream/syslog/fields/agent.yml b/packages/zeek/2.5.2/data_stream/syslog/fields/agent.yml
deleted file mode 100755
index ed1313d1b0..0000000000
--- a/packages/zeek/2.5.2/data_stream/syslog/fields/agent.yml
+++ /dev/null
@@ -1,171 +0,0 @@
-- name: cloud
- title: Cloud
- group: 2
- description: Fields related to the cloud or infrastructure the events are coming from.
- footnote: "Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on."
- type: group
- fields:
- - name: account.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: "The cloud account or organization id used to identify different entities in a multi-tenant environment.\nExamples: AWS account id, Google Cloud ORG Id, or other unique identifier."
- example: 666777888999
- - name: availability_zone
- level: extended
- type: keyword
- ignore_above: 1024
- description: Availability zone in which this host is running.
- example: us-east-1c
- - name: instance.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance ID of the host machine.
- example: i-1234567890abcdef0
- - name: instance.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance name of the host machine.
- - name: machine.type
- level: extended
- type: keyword
- ignore_above: 1024
- description: Machine type of the host machine.
- example: t2.medium
- - name: provider
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
- example: aws
- - name: region
- level: extended
- type: keyword
- ignore_above: 1024
- description: Region in which this host is running.
- example: us-east-1
- - name: project.id
- type: keyword
- description: Name of the project in Google Cloud.
- - name: image.id
- type: keyword
- description: Image ID for the cloud instance.
-- name: container
- title: Container
- group: 2
- description: "Container fields are used for meta information about the specific container that is the source of information.\nThese fields help correlate data based containers from any runtime."
- type: group
- fields:
- - name: image.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the image the container was built on.
- - name: labels
- level: extended
- type: object
- object_type: keyword
- description: Image labels.
- - name: name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Container name.
-- name: host
- title: Host
- group: 2
- description: "A host is defined as a general computing instance.\nECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes."
- type: group
- fields:
- - name: architecture
- level: core
- type: keyword
- ignore_above: 1024
- description: Operating system architecture.
- example: x86_64
- - name: domain
- level: extended
- type: keyword
- ignore_above: 1024
- description: "Name of the domain of which the host is a member.\nFor example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider."
- example: CONTOSO
- default_field: false
- - name: hostname
- level: core
- type: keyword
- ignore_above: 1024
- description: "Hostname of the host.\nIt normally contains what the `hostname` command returns on the host machine."
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: "Unique host id.\nAs hostname is not always unique, use values that are meaningful in your environment.\nExample: The current usage of `beat.name`."
- - name: mac
- level: core
- type: keyword
- ignore_above: 1024
- description: Host mac addresses.
- - name: name
- level: core
- type: keyword
- ignore_above: 1024
- description: "Name of the host.\nIt can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use."
- - name: os.family
- level: extended
- type: keyword
- ignore_above: 1024
- description: OS family (such as redhat, debian, freebsd, windows).
- example: debian
- - name: os.kernel
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system kernel version as a raw string.
- example: 4.4.0-112-generic
- - name: os.name
- level: extended
- type: keyword
- ignore_above: 1024
- multi_fields:
- - name: text
- type: text
- norms: false
- default_field: false
- description: Operating system name, without the version.
- example: Mac OS X
- - name: os.platform
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system platform (such centos, ubuntu, windows).
- example: darwin
- - name: os.version
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system version as a raw string.
- example: 10.14.1
- - name: type
- level: core
- type: keyword
- ignore_above: 1024
- description: "Type of host.\nFor Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment."
- - name: containerized
- type: boolean
- description: >
- If the host is a container.
-
- - name: os.build
- type: keyword
- example: "18D109"
- description: >
- OS build information.
-
- - name: os.codename
- type: keyword
- example: "stretch"
- description: >
- OS codename, if any.
-
diff --git a/packages/zeek/2.5.2/data_stream/syslog/fields/base-fields.yml b/packages/zeek/2.5.2/data_stream/syslog/fields/base-fields.yml
deleted file mode 100755
index 1bd5bc9258..0000000000
--- a/packages/zeek/2.5.2/data_stream/syslog/fields/base-fields.yml
+++ /dev/null
@@ -1,20 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: event.module
- type: constant_keyword
- description: Event module
- value: zeek
-- name: event.dataset
- type: constant_keyword
- description: Event dataset
- value: zeek.syslog
-- name: '@timestamp'
- type: date
- description: Event timestamp.
diff --git a/packages/zeek/2.5.2/data_stream/syslog/fields/beats.yml b/packages/zeek/2.5.2/data_stream/syslog/fields/beats.yml
deleted file mode 100755
index 470f5fae48..0000000000
--- a/packages/zeek/2.5.2/data_stream/syslog/fields/beats.yml
+++ /dev/null
@@ -1,23 +0,0 @@
-- description: Unique container id.
- ignore_above: 1024
- name: container.id
- type: keyword
-- description: Type of Filebeat input.
- name: input.type
- type: keyword
-- description: Full path to the log file this event came from.
- example: /var/log/fun-times.log
- ignore_above: 1024
- name: log.file.path
- type: keyword
-- description: Flags for the log file.
- name: log.flags
- type: keyword
-- description: Offset of the entry in the log file.
- name: log.offset
- type: long
-- description: List of keywords used to tag each event.
- example: '["production", "env2"]'
- ignore_above: 1024
- name: tags
- type: keyword
diff --git a/packages/zeek/2.5.2/data_stream/syslog/fields/ecs.yml b/packages/zeek/2.5.2/data_stream/syslog/fields/ecs.yml
deleted file mode 100755
index 6070c42469..0000000000
--- a/packages/zeek/2.5.2/data_stream/syslog/fields/ecs.yml
+++ /dev/null
@@ -1,163 +0,0 @@
-- description: |-
- Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field.
- Then it should be duplicated to `.ip` or `.domain`, depending on which one it is.
- name: destination.address
- type: keyword
-- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet.
- name: destination.as.number
- type: long
-- description: Organization name.
- multi_fields:
- - name: text
- type: match_only_text
- name: destination.as.organization.name
- type: keyword
-- description: City name.
- name: destination.geo.city_name
- type: keyword
-- description: Name of the continent.
- name: destination.geo.continent_name
- type: keyword
-- description: Country ISO code.
- name: destination.geo.country_iso_code
- type: keyword
-- description: Country name.
- name: destination.geo.country_name
- type: keyword
-- description: Longitude and latitude.
- name: destination.geo.location
- type: geo_point
-- description: |-
- User-defined description of a location, at the level of granularity they care about.
- Could be the name of their data centers, the floor number, if this describes a local physical entity, city names.
- Not typically used in automated geolocation.
- name: destination.geo.name
- type: keyword
-- description: Region ISO code.
- name: destination.geo.region_iso_code
- type: keyword
-- description: Region name.
- name: destination.geo.region_name
- type: keyword
-- description: IP address of the destination (IPv4 or IPv6).
- name: destination.ip
- type: ip
-- description: Port of the destination.
- name: destination.port
- type: long
-- description: |-
- ECS version this event conforms to. `ecs.version` is a required field and must exist in all events.
- When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events.
- name: ecs.version
- type: keyword
-- description: Error message.
- name: error.message
- type: match_only_text
-- description: |-
- event.created contains the date/time when the event was first read by an agent, or by your pipeline.
- This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event.
- In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source.
- In case the two timestamps are identical, @timestamp should be used.
- name: event.created
- type: date
-- description: Unique ID to describe the event.
- name: event.id
- type: keyword
-- description: |-
- Timestamp when an event arrived in the central data store.
- This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event.
- In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`.
- name: event.ingested
- type: date
-- description: |-
- This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy.
- `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events.
- The value of this field can be used to inform how these kinds of events should be handled.
They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not.
- name: event.kind
- type: keyword
-- description: |-
- For log events the message field contains the log message, optimized for viewing in a log viewer.
- For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event.
- If multiple messages exist, they can be combined into one message.
- name: message
- type: match_only_text
-- description: Host ip addresses.
- name: host.ip
- normalize:
- - array
- type: ip
-- description: The Syslog text-based facility of the log event, if available.
- name: log.syslog.facility.name
- type: keyword
-- description: |-
- The Syslog numeric severity of the log event, if available.
- If the event source publishing via Syslog provides a different severity value (e.g. firewall, IDS), your source's text severity should go to `log.level`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `log.level`.
- name: log.syslog.severity.name
- type: keyword
-- description: |-
- A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows.
- Learn more at https://github.com/corelight/community-id-spec.
- name: network.community_id
- type: keyword
-- description: |-
- In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`.
- The field value must be normalized to lowercase for querying.
- name: network.protocol
- type: keyword
-- description: |-
- Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.)
- The field value must be normalized to lowercase for querying.
- name: network.transport
- type: keyword
-- description: All of the IPs seen on your event.
- name: related.ip
- normalize:
- - array
- type: ip
-- description: |-
- Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field.
- Then it should be duplicated to `.ip` or `.domain`, depending on which one it is.
- name: source.address
- type: keyword
-- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet.
- name: source.as.number
- type: long
-- description: Organization name.
- multi_fields:
- - name: text
- type: match_only_text
- name: source.as.organization.name
- type: keyword
-- description: City name.
- name: source.geo.city_name
- type: keyword
-- description: Name of the continent.
- name: source.geo.continent_name
- type: keyword
-- description: Country ISO code.
- name: source.geo.country_iso_code
- type: keyword
-- description: Country name.
- name: source.geo.country_name
- type: keyword
-- description: Longitude and latitude.
- name: source.geo.location
- type: geo_point
-- description: |-
- User-defined description of a location, at the level of granularity they care about.
- Could be the name of their data centers, the floor number, if this describes a local physical entity, city names.
- Not typically used in automated geolocation.
- name: source.geo.name
- type: keyword
-- description: Region ISO code.
- name: source.geo.region_iso_code
- type: keyword
-- description: Region name.
- name: source.geo.region_name
- type: keyword
-- description: IP address of the source (IPv4 or IPv6).
- name: source.ip
- type: ip
-- description: Port of the source.
- name: source.port
- type: long
diff --git a/packages/zeek/2.5.2/data_stream/syslog/fields/fields.yml b/packages/zeek/2.5.2/data_stream/syslog/fields/fields.yml
deleted file mode 100755
index 7f72b52f24..0000000000
--- a/packages/zeek/2.5.2/data_stream/syslog/fields/fields.yml
+++ /dev/null
@@ -1,15 +0,0 @@
-- name: zeek.syslog
- type: group
- fields:
- - name: facility
- type: keyword
- description: |
- Syslog facility for the message.
- - name: severity
- type: keyword
- description: |
- Syslog severity for the message.
- - name: msg
- type: keyword
- description: |
- The plain text message.
diff --git a/packages/zeek/2.5.2/data_stream/syslog/fields/package-fields.yml b/packages/zeek/2.5.2/data_stream/syslog/fields/package-fields.yml
deleted file mode 100755
index 4d6d6ea170..0000000000
--- a/packages/zeek/2.5.2/data_stream/syslog/fields/package-fields.yml
+++ /dev/null
@@ -1,7 +0,0 @@
-- name: zeek
- type: group
- fields:
- - name: session_id
- type: keyword
- description: |
- A unique identifier of the session
diff --git a/packages/zeek/2.5.2/data_stream/syslog/manifest.yml b/packages/zeek/2.5.2/data_stream/syslog/manifest.yml
deleted file mode 100755
index ac982fd6b3..0000000000
--- a/packages/zeek/2.5.2/data_stream/syslog/manifest.yml
+++ /dev/null
@@ -1,85 +0,0 @@ -type: logs -title: Zeek syslog logs -streams: - - input: logfile - vars: - - name: filenames - type: text - title: Filename of syslog log file - multi: true - required: true - show_user: true - default: - - syslog.log - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: false - default: - - forwarded - - zeek-syslog - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original` - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: > - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. - - template_path: log.yml.hbs - title: Zeek syslog.log - description: Collect Zeek syslog logs - - input: httpjson - title: Zeek syslog logs via Splunk Enterprise REST API - description: Collect Zeek syslog logs via Splunk Enterprise REST API - enabled: false - template_path: httpjson.yml.hbs - vars: - - name: interval - type: text - title: Interval to query Splunk Enterprise REST API - description: Go Duration syntax (eg. 
10s) - show_user: true - required: true - default: 10s - - name: search - type: text - title: Splunk search string - show_user: true - required: true - default: "search sourcetype=\"syslog-*\"" - - name: tags - type: text - title: Tags - multi: true - show_user: false - default: - - forwarded - - zeek-syslog - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original` - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: >- - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. diff --git a/packages/zeek/2.5.2/data_stream/traceroute/agent/stream/httpjson.yml.hbs b/packages/zeek/2.5.2/data_stream/traceroute/agent/stream/httpjson.yml.hbs deleted file mode 100755 index 33f251e7d6..0000000000 --- a/packages/zeek/2.5.2/data_stream/traceroute/agent/stream/httpjson.yml.hbs +++ /dev/null 
@@ -1,63 +0,0 @@ -config_version: 2 -interval: {{interval}} -{{#unless token}} -{{#if username}} -{{#if password}} -auth.basic.user: {{username}} -auth.basic.password: {{password}} -{{/if}} -{{/if}} -{{/unless}} -cursor: - index_earliest: - value: '[[.last_event.result.max_indextime]]' -request.url: {{url}}/services/search/jobs/export -{{#if ssl}} -request.ssl: {{ssl}} -{{/if}} -request.method: POST -request.transforms: - - set: - target: url.params.search - value: {{search}} | streamstats max(_indextime) AS max_indextime - - set: - target: url.params.output_mode - value: "json" - - set: - target: url.params.index_earliest - value: '[[ .cursor.index_earliest ]]' - default: '[[(now (parseDuration "-{{interval}}")).Unix]]' - - set: - target: url.params.index_latest - value: '[[(now).Unix]]' - - set: - target: header.Content-Type - value: application/x-www-form-urlencoded -{{#unless username}} -{{#unless password}} -{{#if token}} - - set: - target: header.Authorization - value: {{token}} -{{/if}} -{{/unless}} -{{/unless}} -response.decode_as: application/x-ndjson -response.split: - target: body.result._raw - type: string - delimiter: "\n" -tags: -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#each tags as |tag i|}} - - {{tag}} -{{/each}} -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} -{{#if processors}} -processors: -{{processors}} -{{/if}} diff --git a/packages/zeek/2.5.2/data_stream/traceroute/agent/stream/log.yml.hbs b/packages/zeek/2.5.2/data_stream/traceroute/agent/stream/log.yml.hbs deleted file mode 100755 index 9dd9f724a5..0000000000 --- a/packages/zeek/2.5.2/data_stream/traceroute/agent/stream/log.yml.hbs +++ /dev/null 
@@ -1,21 +0,0 @@ -paths: -{{#each base_paths}} - {{#each ../filenames}} - - {{../this}}/{{this}} - {{/each}} -{{/each}} -exclude_files: [".gz$"] -tags: -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#each tags as |tag i|}} - - {{tag}} -{{/each}} -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} -{{#if processors}} -processors: -{{processors}} -{{/if}} diff --git a/packages/zeek/2.5.2/data_stream/traceroute/elasticsearch/ingest_pipeline/default.yml b/packages/zeek/2.5.2/data_stream/traceroute/elasticsearch/ingest_pipeline/default.yml deleted file mode 100755 index 5832f42673..0000000000 --- a/packages/zeek/2.5.2/data_stream/traceroute/elasticsearch/ingest_pipeline/default.yml +++ /dev/null 
@@ -1,126 +0,0 @@ ---- -description: Pipeline for normalizing Zeek traceroute.log -processors: - - rename: - field: message - target_field: event.original - - json: - field: event.original - target_field: _temp_ - - pipeline: - if: ctx?._temp_?.result != null - name: '{{ IngestPipeline "third-party" }}' - - drop: - description: Drop if no timestamp (invalid json) - if: 'ctx?._temp_?.ts == null' - - rename: - field: _temp_ - target_field: zeek.traceroute - -# Sets event.created from the @timestamp field generated by filebeat before being overwritten further down - - set: - field: event.created - copy_from: "@timestamp" - - set: - field: event.kind - value: event - - set: - field: ecs.version - value: '8.4.0' - - append: - field: event.category - value: network - - append: - field: event.type - value: info - - rename: - field: zeek.traceroute.src - target_field: source.address - ignore_missing: true - - rename: - field: zeek.traceroute.dst - target_field: destination.address - ignore_missing: true - - rename: - field: zeek.traceroute.proto - target_field: network.transport - ignore_missing: true - - set: - field: source.ip - copy_from: source.address - if: ctx?.source?.address != null - - set: - field: destination.ip - copy_from: destination.address - if: ctx?.destination?.address != null - - date: - field: zeek.traceroute.ts - formats: - - UNIX - - ISO8601 - - remove: - field: zeek.traceroute.ts - - geoip: - field: destination.ip - target_field: destination.geo - ignore_missing: true - - geoip: - field: source.ip - target_field: source.geo - ignore_missing: true - - geoip: - database_file: GeoLite2-ASN.mmdb - field: source.ip - target_field: source.as - properties: - - asn - - organization_name - ignore_missing: true - - geoip: - database_file: GeoLite2-ASN.mmdb - field: destination.ip - target_field: destination.as - properties: - - asn - - organization_name - ignore_missing: true - - rename: - field: source.as.asn - target_field: source.as.number - ignore_missing: 
true - - rename: - field: source.as.organization_name - target_field: source.as.organization.name - ignore_missing: true - - rename: - field: destination.as.asn - target_field: destination.as.number - ignore_missing: true - - rename: - field: destination.as.organization_name - target_field: destination.as.organization.name - ignore_missing: true - - append: - field: related.ip - value: "{{source.ip}}" - if: "ctx?.source?.ip != null" - allow_duplicates: false - - append: - field: related.ip - value: "{{destination.ip}}" - if: "ctx?.destination?.ip != null" - allow_duplicates: false - - remove: - field: - - zeek.traceroute - ignore_missing: true - if: 'ctx?.zeek?.traceroute == null || ctx?.zeek?.traceroute.isEmpty()' - - remove: - field: event.original - if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" - ignore_failure: true - ignore_missing: true -on_failure: - - set: - field: error.message - value: "{{ _ingest.on_failure_message }}" diff --git a/packages/zeek/2.5.2/data_stream/traceroute/elasticsearch/ingest_pipeline/third-party.yml b/packages/zeek/2.5.2/data_stream/traceroute/elasticsearch/ingest_pipeline/third-party.yml deleted file mode 100755 index 5bc2247db2..0000000000 --- a/packages/zeek/2.5.2/data_stream/traceroute/elasticsearch/ingest_pipeline/third-party.yml +++ /dev/null 
@@ -1,39 +0,0 @@ ---- -description: Pipeline for parsing Zeek logs from third party api -processors: - - fingerprint: - fields: - - _temp_.result._cd - - _temp_.result._indextime - - _temp_.result._raw - - _temp_.result._time - - _temp_.result.host - - _temp_.result.source - target_field: '_id' - ignore_missing: true - - set: - field: event.original - copy_from: _temp_.result._raw - ignore_empty_value: true - - set: - field: host.name - copy_from: _temp_.result.host - ignore_empty_value: true - - set: - copy_from: _temp_.result.source - field: log.file.path - ignore_empty_value: true - - remove: - field: _temp_ - ignore_missing: true - - json: - field: event.original - target_field: _temp_ -on_failure: - - append: - field: error.message - value: >- - error in third party api pipeline: - error in [{{_ingest.on_failure_processor_type}}] processor{{#_ingest.on_failure_processor_tag}} - with tag [{{_ingest.on_failure_processor_tag }}]{{/_ingest.on_failure_processor_tag}} - {{ _ingest.on_failure_message }} diff --git a/packages/zeek/2.5.2/data_stream/traceroute/fields/agent.yml b/packages/zeek/2.5.2/data_stream/traceroute/fields/agent.yml deleted file mode 100755 index ed1313d1b0..0000000000 --- a/packages/zeek/2.5.2/data_stream/traceroute/fields/agent.yml +++ /dev/null 
@@ -1,171 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: "Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on." - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: "The cloud account or organization id used to identify different entities in a multi-tenant environment.\nExamples: AWS account id, Google Cloud ORG Id, or other unique identifier." - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: "Container fields are used for meta information about the specific container that is the source of information.\nThese fields help correlate data based containers from any runtime." - type: group - fields: - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: "A host is defined as a general computing instance.\nECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes." - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: "Name of the domain of which the host is a member.\nFor example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider." - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: "Hostname of the host.\nIt normally contains what the `hostname` command returns on the host machine." - - name: id - level: core - type: keyword - ignore_above: 1024 - description: "Unique host id.\nAs hostname is not always unique, use values that are meaningful in your environment.\nExample: The current usage of `beat.name`." - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. 
- - name: name - level: core - type: keyword - ignore_above: 1024 - description: "Name of the host.\nIt can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use." - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: "Type of host.\nFor Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment." - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - diff --git a/packages/zeek/2.5.2/data_stream/traceroute/fields/base-fields.yml b/packages/zeek/2.5.2/data_stream/traceroute/fields/base-fields.yml deleted file mode 100755 index 9168f187a4..0000000000 --- a/packages/zeek/2.5.2/data_stream/traceroute/fields/base-fields.yml +++ /dev/null 
@@ -1,20 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: event.module - type: constant_keyword - description: Event module - value: zeek -- name: event.dataset - type: constant_keyword - description: Event dataset - value: zeek.traceroute -- name: '@timestamp' - type: date - description: Event timestamp. diff --git a/packages/zeek/2.5.2/data_stream/traceroute/fields/beats.yml b/packages/zeek/2.5.2/data_stream/traceroute/fields/beats.yml deleted file mode 100755 index 470f5fae48..0000000000 --- a/packages/zeek/2.5.2/data_stream/traceroute/fields/beats.yml +++ /dev/null @@ -1,23 +0,0 @@ -- description: Unique container id. - ignore_above: 1024 - name: container.id - type: keyword -- description: Type of Filebeat input. - name: input.type - type: keyword -- description: Full path to the log file this event came from. - example: /var/log/fun-times.log - ignore_above: 1024 - name: log.file.path - type: keyword -- description: Flags for the log file. - name: log.flags - type: keyword -- description: Offset of the entry in the log file. - name: log.offset - type: long -- description: List of keywords used to tag each event. - example: '["production", "env2"]' - ignore_above: 1024 - name: tags - type: keyword diff --git a/packages/zeek/2.5.2/data_stream/traceroute/fields/ecs.yml b/packages/zeek/2.5.2/data_stream/traceroute/fields/ecs.yml deleted file mode 100755 index 6b02e1277b..0000000000 --- a/packages/zeek/2.5.2/data_stream/traceroute/fields/ecs.yml +++ /dev/null 
@@ -1,146 +0,0 @@ -- description: |- - Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: destination.address - type: keyword -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: destination.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: destination.as.organization.name - type: keyword -- description: City name. - name: destination.geo.city_name - type: keyword -- description: Name of the continent. - name: destination.geo.continent_name - type: keyword -- description: Country ISO code. - name: destination.geo.country_iso_code - type: keyword -- description: Country name. - name: destination.geo.country_name - type: keyword -- description: Longitude and latitude. - name: destination.geo.location - type: geo_point -- description: |- - User-defined description of a location, at the level of granularity they care about. - Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. - Not typically used in automated geolocation. - name: destination.geo.name - type: keyword -- description: Region ISO code. - name: destination.geo.region_iso_code - type: keyword -- description: Region name. - name: destination.geo.region_name - type: keyword -- description: IP address of the destination (IPv4 or IPv6). - name: destination.ip - type: ip -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. 
- When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: Error message. - name: error.message - type: match_only_text -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. This will allow proper categorization of some events that fall in multiple categories. - name: event.category - normalize: - - array - type: keyword -- description: |- - event.created contains the date/time when the event was first read by an agent, or by your pipeline. - This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. - In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. - In case the two timestamps are identical, @timestamp should be used. - name: event.created - type: date -- description: |- - Timestamp when an event arrived in the central data store. - This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. - In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. 
- name: event.ingested - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. - `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. This will allow proper categorization of some events that fall in multiple event types. - name: event.type - normalize: - - array - type: keyword -- description: Host ip addresses. - name: host.ip - normalize: - - array - type: ip -- description: |- - Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) - The field value must be normalized to lowercase for querying. - name: network.transport - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - normalize: - - array - type: ip -- description: |- - Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: source.address - type: keyword -- description: Unique number allocated to the autonomous system. 
The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: source.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: source.as.organization.name - type: keyword -- description: City name. - name: source.geo.city_name - type: keyword -- description: Name of the continent. - name: source.geo.continent_name - type: keyword -- description: Country ISO code. - name: source.geo.country_iso_code - type: keyword -- description: Country name. - name: source.geo.country_name - type: keyword -- description: Longitude and latitude. - name: source.geo.location - type: geo_point -- description: |- - User-defined description of a location, at the level of granularity they care about. - Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. - Not typically used in automated geolocation. - name: source.geo.name - type: keyword -- description: Region ISO code. - name: source.geo.region_iso_code - type: keyword -- description: Region name. - name: source.geo.region_name - type: keyword -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip diff --git a/packages/zeek/2.5.2/data_stream/traceroute/fields/package-fields.yml b/packages/zeek/2.5.2/data_stream/traceroute/fields/package-fields.yml deleted file mode 100755 index 4d6d6ea170..0000000000 --- a/packages/zeek/2.5.2/data_stream/traceroute/fields/package-fields.yml +++ /dev/null @@ -1,7 +0,0 @@ -- name: zeek - type: group - fields: - - name: session_id - type: keyword - description: | - A unique identifier of the session diff --git a/packages/zeek/2.5.2/data_stream/traceroute/manifest.yml b/packages/zeek/2.5.2/data_stream/traceroute/manifest.yml deleted file mode 100755 index 15b6db7685..0000000000 --- a/packages/zeek/2.5.2/data_stream/traceroute/manifest.yml +++ /dev/null 
@@ -1,85 +0,0 @@ -type: logs -title: Zeek traceroute logs -streams: - - input: logfile - vars: - - name: filenames - type: text - title: Filename of traceroute log file - multi: true - required: true - show_user: true - default: - - traceroute.log - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: false - default: - - forwarded - - zeek-traceroute - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original` - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: > - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. - - template_path: log.yml.hbs - title: Zeek traceroute.log - description: Collect Zeek traceroute logs - - input: httpjson - title: Zeek traceroute logs via Splunk Enterprise REST API - description: Collect Zeek traceroute logs via Splunk Enterprise REST API - enabled: false - template_path: httpjson.yml.hbs - vars: - - name: interval - type: text - title: Interval to query Splunk Enterprise REST API - description: Go Duration syntax (eg. 
10s) - show_user: true - required: true - default: 10s - - name: search - type: text - title: Splunk search string - show_user: true - required: true - default: "search sourcetype=\"traceroute-*\"" - - name: tags - type: text - title: Tags - multi: true - show_user: false - default: - - forwarded - - zeek-traceroute - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original` - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: >- - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. diff --git a/packages/zeek/2.5.2/data_stream/tunnel/agent/stream/httpjson.yml.hbs b/packages/zeek/2.5.2/data_stream/tunnel/agent/stream/httpjson.yml.hbs deleted file mode 100755 index 33f251e7d6..0000000000 --- a/packages/zeek/2.5.2/data_stream/tunnel/agent/stream/httpjson.yml.hbs +++ /dev/null 
@@ -1,63 +0,0 @@ -config_version: 2 -interval: {{interval}} -{{#unless token}} -{{#if username}} -{{#if password}} -auth.basic.user: {{username}} -auth.basic.password: {{password}} -{{/if}} -{{/if}} -{{/unless}} -cursor: - index_earliest: - value: '[[.last_event.result.max_indextime]]' -request.url: {{url}}/services/search/jobs/export -{{#if ssl}} -request.ssl: {{ssl}} -{{/if}} -request.method: POST -request.transforms: - - set: - target: url.params.search - value: {{search}} | streamstats max(_indextime) AS max_indextime - - set: - target: url.params.output_mode - value: "json" - - set: - target: url.params.index_earliest - value: '[[ .cursor.index_earliest ]]' - default: '[[(now (parseDuration "-{{interval}}")).Unix]]' - - set: - target: url.params.index_latest - value: '[[(now).Unix]]' - - set: - target: header.Content-Type - value: application/x-www-form-urlencoded -{{#unless username}} -{{#unless password}} -{{#if token}} - - set: - target: header.Authorization - value: {{token}} -{{/if}} -{{/unless}} -{{/unless}} -response.decode_as: application/x-ndjson -response.split: - target: body.result._raw - type: string - delimiter: "\n" -tags: -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#each tags as |tag i|}} - - {{tag}} -{{/each}} -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} -{{#if processors}} -processors: -{{processors}} -{{/if}} diff --git a/packages/zeek/2.5.2/data_stream/tunnel/agent/stream/log.yml.hbs b/packages/zeek/2.5.2/data_stream/tunnel/agent/stream/log.yml.hbs deleted file mode 100755 index 30e7049925..0000000000 --- a/packages/zeek/2.5.2/data_stream/tunnel/agent/stream/log.yml.hbs +++ /dev/null 
@@ -1,21 +0,0 @@ -paths: -{{#each base_paths}} - {{#each ../filenames}} - - {{../this}}/{{this}} - {{/each}} -{{/each}} -exclude_files: [".gz$"] -tags: -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#each tags as |tag i|}} - - {{tag}} -{{/each}} -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} -{{#if processors}} -processors: -{{processors}} -{{/if}} \ No newline at end of file diff --git a/packages/zeek/2.5.2/data_stream/tunnel/elasticsearch/ingest_pipeline/default.yml b/packages/zeek/2.5.2/data_stream/tunnel/elasticsearch/ingest_pipeline/default.yml deleted file mode 100755 index 2a42719811..0000000000 --- a/packages/zeek/2.5.2/data_stream/tunnel/elasticsearch/ingest_pipeline/default.yml +++ /dev/null 
@@ -1,163 +0,0 @@ ---- -description: Pipeline for normalizing Zeek tunnel.log -processors: - - rename: - field: message - target_field: event.original - - json: - field: event.original - target_field: _temp_ - - pipeline: - if: ctx?._temp_?.result != null - name: '{{ IngestPipeline "third-party" }}' - - drop: - description: Drop if no timestamp (invalid json) - if: 'ctx?._temp_?.ts == null' - - rename: - field: _temp_ - target_field: zeek.tunnel - -# Sets event.created from the @timestamp field generated by filebeat before being overwritten further down - - set: - field: event.created - copy_from: "@timestamp" - - set: - field: event.kind - value: event - - set: - field: ecs.version - value: '8.4.0' - - append: - field: event.category - value: network - - append: - field: event.type - value: connection - - dot_expander: - path: zeek.tunnel - field: id.orig_p - ignore_failure: true - - dot_expander: - path: zeek.tunnel - field: id.orig_h - ignore_failure: true - - dot_expander: - path: zeek.tunnel - field: id.resp_h - ignore_failure: true - - dot_expander: - path: zeek.tunnel - field: id.resp_p - ignore_failure: true - - rename: - field: zeek.tunnel.id.orig_h - target_field: source.address - ignore_missing: true - - rename: - field: zeek.tunnel.id.orig_p - target_field: source.port - ignore_missing: true - - rename: - field: zeek.tunnel.id.resp_h - target_field: destination.address - ignore_missing: true - - rename: - field: zeek.tunnel.id.resp_p - target_field: destination.port - ignore_missing: true - - rename: - field: zeek.tunnel.uid - target_field: zeek.session_id - ignore_missing: true - - set: - field: event.id - copy_from: zeek.session_id - if: ctx?.zeek?.session_id != null - - set: - field: source.ip - copy_from: source.address - if: ctx?.source?.address != null - - set: - field: destination.ip - copy_from: destination.address - if: ctx?.destination?.address != null - - rename: - field: zeek.tunnel.tunnel_type - target_field: zeek.tunnel.type - 
ignore_missing: true - - set: - field: event.action - copy_from: zeek.tunnel.action - if: ctx?.zeek?.tunnel?.action != null - - date: - field: zeek.tunnel.ts - formats: - - UNIX - - ISO8601 - - remove: - field: zeek.tunnel.ts - - geoip: - field: destination.ip - target_field: destination.geo - ignore_missing: true - - geoip: - field: source.ip - target_field: source.geo - ignore_missing: true - - geoip: - database_file: GeoLite2-ASN.mmdb - field: source.ip - target_field: source.as - properties: - - asn - - organization_name - ignore_missing: true - - geoip: - database_file: GeoLite2-ASN.mmdb - field: destination.ip - target_field: destination.as - properties: - - asn - - organization_name - ignore_missing: true - - rename: - field: source.as.asn - target_field: source.as.number - ignore_missing: true - - rename: - field: source.as.organization_name - target_field: source.as.organization.name - ignore_missing: true - - rename: - field: destination.as.asn - target_field: destination.as.number - ignore_missing: true - - rename: - field: destination.as.organization_name - target_field: destination.as.organization.name - ignore_missing: true - - append: - field: related.ip - value: "{{source.ip}}" - if: "ctx?.source?.ip != null" - allow_duplicates: false - - append: - field: related.ip - value: "{{destination.ip}}" - if: "ctx?.destination?.ip != null" - allow_duplicates: false - - community_id: - target_field: network.community_id - - remove: - field: - - zeek.tunnel.id - ignore_missing: true - - remove: - field: event.original - if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" - ignore_failure: true - ignore_missing: true -on_failure: - - set: - field: error.message - value: "{{ _ingest.on_failure_message }}" 
diff --git a/packages/zeek/2.5.2/data_stream/tunnel/elasticsearch/ingest_pipeline/third-party.yml b/packages/zeek/2.5.2/data_stream/tunnel/elasticsearch/ingest_pipeline/third-party.yml
deleted file mode 100755
index 5bc2247db2..0000000000
--- a/packages/zeek/2.5.2/data_stream/tunnel/elasticsearch/ingest_pipeline/third-party.yml
+++ /dev/null
@@ -1,39 +0,0 @@
----
-description: Pipeline for parsing Zeek logs from third party api
-processors:
- - fingerprint:
- fields:
- - _temp_.result._cd
- - _temp_.result._indextime
- - _temp_.result._raw
- - _temp_.result._time
- - _temp_.result.host
- - _temp_.result.source
- target_field: '_id'
- ignore_missing: true
- - set:
- field: event.original
- copy_from: _temp_.result._raw
- ignore_empty_value: true
- - set:
- field: host.name
- copy_from: _temp_.result.host
- ignore_empty_value: true
- - set:
- copy_from: _temp_.result.source
- field: log.file.path
- ignore_empty_value: true
- - remove:
- field: _temp_
- ignore_missing: true
- - json:
- field: event.original
- target_field: _temp_
-on_failure:
- - append:
- field: error.message
- value: >-
- error in third party api pipeline:
- error in [{{_ingest.on_failure_processor_type}}] processor{{#_ingest.on_failure_processor_tag}}
- with tag [{{_ingest.on_failure_processor_tag }}]{{/_ingest.on_failure_processor_tag}}
- {{ _ingest.on_failure_message }}
diff --git a/packages/zeek/2.5.2/data_stream/tunnel/fields/agent.yml b/packages/zeek/2.5.2/data_stream/tunnel/fields/agent.yml
deleted file mode 100755
index ed1313d1b0..0000000000
--- a/packages/zeek/2.5.2/data_stream/tunnel/fields/agent.yml
+++ /dev/null
@@ -1,171 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: "Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on." - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: "The cloud account or organization id used to identify different entities in a multi-tenant environment.\nExamples: AWS account id, Google Cloud ORG Id, or other unique identifier." - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: "Container fields are used for meta information about the specific container that is the source of information.\nThese fields help correlate data based containers from any runtime." - type: group - fields: - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: "A host is defined as a general computing instance.\nECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes." - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: "Name of the domain of which the host is a member.\nFor example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider." - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: "Hostname of the host.\nIt normally contains what the `hostname` command returns on the host machine." - - name: id - level: core - type: keyword - ignore_above: 1024 - description: "Unique host id.\nAs hostname is not always unique, use values that are meaningful in your environment.\nExample: The current usage of `beat.name`." - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. 
- - name: name - level: core - type: keyword - ignore_above: 1024 - description: "Name of the host.\nIt can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use." - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: "Type of host.\nFor Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment." - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - diff --git a/packages/zeek/2.5.2/data_stream/tunnel/fields/base-fields.yml b/packages/zeek/2.5.2/data_stream/tunnel/fields/base-fields.yml deleted file mode 100755 index 215a69fc48..0000000000 --- a/packages/zeek/2.5.2/data_stream/tunnel/fields/base-fields.yml +++ /dev/null 
@@ -1,20 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: event.module
- type: constant_keyword
- description: Event module
- value: zeek
-- name: event.dataset
- type: constant_keyword
- description: Event dataset
- value: zeek.tunnel
-- name: '@timestamp'
- type: date
- description: Event timestamp.
diff --git a/packages/zeek/2.5.2/data_stream/tunnel/fields/beats.yml b/packages/zeek/2.5.2/data_stream/tunnel/fields/beats.yml
deleted file mode 100755
index 470f5fae48..0000000000
--- a/packages/zeek/2.5.2/data_stream/tunnel/fields/beats.yml
+++ /dev/null
@@ -1,23 +0,0 @@
-- description: Unique container id.
- ignore_above: 1024
- name: container.id
- type: keyword
-- description: Type of Filebeat input.
- name: input.type
- type: keyword
-- description: Full path to the log file this event came from.
- example: /var/log/fun-times.log
- ignore_above: 1024
- name: log.file.path
- type: keyword
-- description: Flags for the log file.
- name: log.flags
- type: keyword
-- description: Offset of the entry in the log file.
- name: log.offset
- type: long
-- description: List of keywords used to tag each event.
- example: '["production", "env2"]'
- ignore_above: 1024
- name: tags
- type: keyword
diff --git a/packages/zeek/2.5.2/data_stream/tunnel/fields/ecs.yml b/packages/zeek/2.5.2/data_stream/tunnel/fields/ecs.yml
deleted file mode 100755
index 545425d5cd..0000000000
--- a/packages/zeek/2.5.2/data_stream/tunnel/fields/ecs.yml
+++ /dev/null
@@ -1,155 +0,0 @@ -- description: |- - Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: destination.address - type: keyword -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: destination.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: destination.as.organization.name - type: keyword -- description: City name. - name: destination.geo.city_name - type: keyword -- description: Name of the continent. - name: destination.geo.continent_name - type: keyword -- description: Country ISO code. - name: destination.geo.country_iso_code - type: keyword -- description: Country name. - name: destination.geo.country_name - type: keyword -- description: Longitude and latitude. - name: destination.geo.location - type: geo_point -- description: |- - User-defined description of a location, at the level of granularity they care about. - Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. - Not typically used in automated geolocation. - name: destination.geo.name - type: keyword -- description: Region ISO code. - name: destination.geo.region_iso_code - type: keyword -- description: Region name. - name: destination.geo.region_name - type: keyword -- description: IP address of the destination (IPv4 or IPv6). - name: destination.ip - type: ip -- description: Port of the destination. - name: destination.port - type: long -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. 
- When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: Error message. - name: error.message - type: match_only_text -- description: |- - The action captured by the event. - This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. - name: event.action - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. This will allow proper categorization of some events that fall in multiple categories. - name: event.category - normalize: - - array - type: keyword -- description: |- - event.created contains the date/time when the event was first read by an agent, or by your pipeline. - This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. - In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. - In case the two timestamps are identical, @timestamp should be used. - name: event.created - type: date -- description: Unique ID to describe the event. - name: event.id - type: keyword -- description: |- - Timestamp when an event arrived in the central data store. 
- This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. - In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. - name: event.ingested - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. - `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. This will allow proper categorization of some events that fall in multiple event types. - name: event.type - normalize: - - array - type: keyword -- description: Host ip addresses. - name: host.ip - normalize: - - array - type: ip -- description: All of the IPs seen on your event. - name: related.ip - normalize: - - array - type: ip -- description: |- - Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. 
- name: source.address - type: keyword -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: source.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: source.as.organization.name - type: keyword -- description: City name. - name: source.geo.city_name - type: keyword -- description: Name of the continent. - name: source.geo.continent_name - type: keyword -- description: Country ISO code. - name: source.geo.country_iso_code - type: keyword -- description: Country name. - name: source.geo.country_name - type: keyword -- description: Longitude and latitude. - name: source.geo.location - type: geo_point -- description: |- - User-defined description of a location, at the level of granularity they care about. - Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. - Not typically used in automated geolocation. - name: source.geo.name - type: keyword -- description: Region ISO code. - name: source.geo.region_iso_code - type: keyword -- description: Region name. - name: source.geo.region_name - type: keyword -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: Port of the source. - name: source.port - type: long diff --git a/packages/zeek/2.5.2/data_stream/tunnel/fields/fields.yml b/packages/zeek/2.5.2/data_stream/tunnel/fields/fields.yml deleted file mode 100755 index 576ddac9a3..0000000000 --- a/packages/zeek/2.5.2/data_stream/tunnel/fields/fields.yml +++ /dev/null @@ -1,11 +0,0 @@ -- name: zeek.tunnel - type: group - fields: - - name: type - type: keyword - description: | - The type of tunnel. - - name: action - type: keyword - description: | - The type of activity that occurred. 
diff --git a/packages/zeek/2.5.2/data_stream/tunnel/fields/package-fields.yml b/packages/zeek/2.5.2/data_stream/tunnel/fields/package-fields.yml
deleted file mode 100755
index 4d6d6ea170..0000000000
--- a/packages/zeek/2.5.2/data_stream/tunnel/fields/package-fields.yml
+++ /dev/null
@@ -1,7 +0,0 @@
-- name: zeek
- type: group
- fields:
- - name: session_id
- type: keyword
- description: |
- A unique identifier of the session
diff --git a/packages/zeek/2.5.2/data_stream/tunnel/manifest.yml b/packages/zeek/2.5.2/data_stream/tunnel/manifest.yml
deleted file mode 100755
index 01956ef680..0000000000
--- a/packages/zeek/2.5.2/data_stream/tunnel/manifest.yml
+++ /dev/null
@@ -1,85 +0,0 @@ -type: logs -title: Zeek tunnel logs -streams: - - input: logfile - vars: - - name: filenames - type: text - title: Filename of tunnel log file - multi: true - required: true - show_user: true - default: - - tunnel.log - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: false - default: - - forwarded - - zeek-tunnel - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original` - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: > - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. - - template_path: log.yml.hbs - title: Zeek tunnel.log - description: Collect Zeek tunnel logs - - input: httpjson - title: Zeek tunnel logs via Splunk Enterprise REST API - description: Collect Zeek tunnel logs via Splunk Enterprise REST API - enabled: false - template_path: httpjson.yml.hbs - vars: - - name: interval - type: text - title: Interval to query Splunk Enterprise REST API - description: Go Duration syntax (eg. 
10s) - show_user: true - required: true - default: 10s - - name: search - type: text - title: Splunk search string - show_user: true - required: true - default: "search sourcetype=\"tunnel-*\"" - - name: tags - type: text - title: Tags - multi: true - show_user: false - default: - - forwarded - - zeek-tunnel - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original` - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: >- - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. diff --git a/packages/zeek/2.5.2/data_stream/weird/agent/stream/httpjson.yml.hbs b/packages/zeek/2.5.2/data_stream/weird/agent/stream/httpjson.yml.hbs deleted file mode 100755 index 33f251e7d6..0000000000 --- a/packages/zeek/2.5.2/data_stream/weird/agent/stream/httpjson.yml.hbs +++ /dev/null 
@@ -1,63 +0,0 @@
-config_version: 2
-interval: {{interval}}
-{{#unless token}}
-{{#if username}}
-{{#if password}}
-auth.basic.user: {{username}}
-auth.basic.password: {{password}}
-{{/if}}
-{{/if}}
-{{/unless}}
-cursor:
- index_earliest:
- value: '[[.last_event.result.max_indextime]]'
-request.url: {{url}}/services/search/jobs/export
-{{#if ssl}}
-request.ssl: {{ssl}}
-{{/if}}
-request.method: POST
-request.transforms:
- - set:
- target: url.params.search
- value: {{search}} | streamstats max(_indextime) AS max_indextime
- - set:
- target: url.params.output_mode
- value: "json"
- - set:
- target: url.params.index_earliest
- value: '[[ .cursor.index_earliest ]]'
- default: '[[(now (parseDuration "-{{interval}}")).Unix]]'
- - set:
- target: url.params.index_latest
- value: '[[(now).Unix]]'
- - set:
- target: header.Content-Type
- value: application/x-www-form-urlencoded
-{{#unless username}}
-{{#unless password}}
-{{#if token}}
- - set:
- target: header.Authorization
- value: {{token}}
-{{/if}}
-{{/unless}}
-{{/unless}}
-response.decode_as: application/x-ndjson
-response.split:
- target: body.result._raw
- type: string
- delimiter: "\n"
-tags:
-{{#if preserve_original_event}}
- - preserve_original_event
-{{/if}}
-{{#each tags as |tag i|}}
- - {{tag}}
-{{/each}}
-{{#contains "forwarded" tags}}
-publisher_pipeline.disable_host: true
-{{/contains}}
-{{#if processors}}
-processors:
-{{processors}}
-{{/if}}
diff --git a/packages/zeek/2.5.2/data_stream/weird/agent/stream/log.yml.hbs b/packages/zeek/2.5.2/data_stream/weird/agent/stream/log.yml.hbs
deleted file mode 100755
index 9dd9f724a5..0000000000
--- a/packages/zeek/2.5.2/data_stream/weird/agent/stream/log.yml.hbs
+++ /dev/null
@@ -1,21 +0,0 @@
-paths:
-{{#each base_paths}}
- {{#each ../filenames}}
- - {{../this}}/{{this}}
- {{/each}}
-{{/each}}
-exclude_files: [".gz$"]
-tags:
-{{#if preserve_original_event}}
- - preserve_original_event
-{{/if}}
-{{#each tags as |tag i|}}
- - {{tag}}
-{{/each}}
-{{#contains "forwarded" tags}}
-publisher_pipeline.disable_host: true
-{{/contains}}
-{{#if processors}}
-processors:
-{{processors}}
-{{/if}}
diff --git a/packages/zeek/2.5.2/data_stream/weird/elasticsearch/ingest_pipeline/default.yml b/packages/zeek/2.5.2/data_stream/weird/elasticsearch/ingest_pipeline/default.yml
deleted file mode 100755
index 6379f74bc3..0000000000
--- a/packages/zeek/2.5.2/data_stream/weird/elasticsearch/ingest_pipeline/default.yml
+++ /dev/null
@@ -1,161 +0,0 @@ ---- -description: Pipeline for normalizing Zeek weird.log -processors: - - rename: - field: message - target_field: event.original - - json: - field: event.original - target_field: _temp_ - - pipeline: - if: ctx?._temp_?.result != null - name: '{{ IngestPipeline "third-party" }}' - - drop: - description: Drop if no timestamp (invalid json) - if: 'ctx?._temp_?.ts == null' - - rename: - field: _temp_ - target_field: zeek.weird - -# Sets event.created from the @timestamp field generated by filebeat before being overwritten further down - - set: - field: event.created - copy_from: "@timestamp" - - set: - field: event.kind - value: event - - set: - field: ecs.version - value: '8.4.0' - - append: - field: event.category - value: network - - append: - field: event.type - value: info - - dot_expander: - path: zeek.weird - field: id.orig_p - ignore_failure: true - - dot_expander: - path: zeek.weird - field: id.orig_h - ignore_failure: true - - dot_expander: - path: zeek.weird - field: id.resp_h - ignore_failure: true - - dot_expander: - path: zeek.weird - field: id.resp_p - ignore_failure: true - - rename: - field: zeek.weird.id.orig_h - target_field: source.address - ignore_missing: true - - rename: - field: zeek.weird.id.orig_p - target_field: source.port - ignore_missing: true - - rename: - field: zeek.weird.id.resp_h - target_field: destination.address - ignore_missing: true - - rename: - field: zeek.weird.id.resp_p - target_field: destination.port - ignore_missing: true - - rename: - field: zeek.weird.uid - target_field: zeek.session_id - ignore_missing: true - - set: - field: event.id - copy_from: zeek.session_id - if: ctx?.zeek?.session_id != null - - set: - field: source.ip - copy_from: source.address - if: ctx?.source?.address != null - - set: - field: destination.ip - copy_from: destination.address - if: ctx?.destination?.address != null - - rename: - field: zeek.weird.addl - target_field: zeek.weird.additional_info - ignore_missing: true - - 
set: - field: rule.name - copy_from: zeek.weird.name - if: ctx?.weird?.name != null - - date: - field: zeek.weird.ts - formats: - - UNIX - - ISO8601 - - remove: - field: zeek.weird.ts - - geoip: - field: destination.ip - target_field: destination.geo - ignore_missing: true - - geoip: - field: source.ip - target_field: source.geo - ignore_missing: true - - geoip: - database_file: GeoLite2-ASN.mmdb - field: source.ip - target_field: source.as - properties: - - asn - - organization_name - ignore_missing: true - - geoip: - database_file: GeoLite2-ASN.mmdb - field: destination.ip - target_field: destination.as - properties: - - asn - - organization_name - ignore_missing: true - - rename: - field: source.as.asn - target_field: source.as.number - ignore_missing: true - - rename: - field: source.as.organization_name - target_field: source.as.organization.name - ignore_missing: true - - rename: - field: destination.as.asn - target_field: destination.as.number - ignore_missing: true - - rename: - field: destination.as.organization_name - target_field: destination.as.organization.name - ignore_missing: true - - append: - field: related.ip - value: "{{source.ip}}" - if: "ctx?.source?.ip != null" - allow_duplicates: false - - append: - field: related.ip - value: "{{destination.ip}}" - if: "ctx?.destination?.ip != null" - allow_duplicates: false - - remove: - field: - - zeek.weird.id - ignore_missing: true - - remove: - field: event.original - if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" - ignore_failure: true - ignore_missing: true -on_failure: - - set: - field: error.message - value: "{{ _ingest.on_failure_message }}" diff --git a/packages/zeek/2.5.2/data_stream/weird/elasticsearch/ingest_pipeline/third-party.yml b/packages/zeek/2.5.2/data_stream/weird/elasticsearch/ingest_pipeline/third-party.yml deleted file mode 100755 index 5bc2247db2..0000000000 
--- a/packages/zeek/2.5.2/data_stream/weird/elasticsearch/ingest_pipeline/third-party.yml
+++ /dev/null
@@ -1,39 +0,0 @@
----
-description: Pipeline for parsing Zeek logs from third party api
-processors:
- - fingerprint:
- fields:
- - _temp_.result._cd
- - _temp_.result._indextime
- - _temp_.result._raw
- - _temp_.result._time
- - _temp_.result.host
- - _temp_.result.source
- target_field: '_id'
- ignore_missing: true
- - set:
- field: event.original
- copy_from: _temp_.result._raw
- ignore_empty_value: true
- - set:
- field: host.name
- copy_from: _temp_.result.host
- ignore_empty_value: true
- - set:
- copy_from: _temp_.result.source
- field: log.file.path
- ignore_empty_value: true
- - remove:
- field: _temp_
- ignore_missing: true
- - json:
- field: event.original
- target_field: _temp_
-on_failure:
- - append:
- field: error.message
- value: >-
- error in third party api pipeline:
- error in [{{_ingest.on_failure_processor_type}}] processor{{#_ingest.on_failure_processor_tag}}
- with tag [{{_ingest.on_failure_processor_tag }}]{{/_ingest.on_failure_processor_tag}}
- {{ _ingest.on_failure_message }}
diff --git a/packages/zeek/2.5.2/data_stream/weird/fields/agent.yml b/packages/zeek/2.5.2/data_stream/weird/fields/agent.yml
deleted file mode 100755
index ed1313d1b0..0000000000
--- a/packages/zeek/2.5.2/data_stream/weird/fields/agent.yml
+++ /dev/null
@@ -1,171 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: "Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on." - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: "The cloud account or organization id used to identify different entities in a multi-tenant environment.\nExamples: AWS account id, Google Cloud ORG Id, or other unique identifier." - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: "Container fields are used for meta information about the specific container that is the source of information.\nThese fields help correlate data based containers from any runtime." - type: group - fields: - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: "A host is defined as a general computing instance.\nECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes." - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: "Name of the domain of which the host is a member.\nFor example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider." - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: "Hostname of the host.\nIt normally contains what the `hostname` command returns on the host machine." - - name: id - level: core - type: keyword - ignore_above: 1024 - description: "Unique host id.\nAs hostname is not always unique, use values that are meaningful in your environment.\nExample: The current usage of `beat.name`." - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. 
- - name: name - level: core - type: keyword - ignore_above: 1024 - description: "Name of the host.\nIt can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use." - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: "Type of host.\nFor Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment." - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - diff --git a/packages/zeek/2.5.2/data_stream/weird/fields/base-fields.yml b/packages/zeek/2.5.2/data_stream/weird/fields/base-fields.yml deleted file mode 100755 index 1a19d17062..0000000000 --- a/packages/zeek/2.5.2/data_stream/weird/fields/base-fields.yml +++ /dev/null 
@@ -1,20 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: event.module - type: constant_keyword - description: Event module - value: zeek -- name: event.dataset - type: constant_keyword - description: Event dataset - value: zeek.weird -- name: '@timestamp' - type: date - description: Event timestamp. diff --git a/packages/zeek/2.5.2/data_stream/weird/fields/beats.yml b/packages/zeek/2.5.2/data_stream/weird/fields/beats.yml deleted file mode 100755 index 470f5fae48..0000000000 --- a/packages/zeek/2.5.2/data_stream/weird/fields/beats.yml +++ /dev/null @@ -1,23 +0,0 @@ -- description: Unique container id. - ignore_above: 1024 - name: container.id - type: keyword -- description: Type of Filebeat input. - name: input.type - type: keyword -- description: Full path to the log file this event came from. - example: /var/log/fun-times.log - ignore_above: 1024 - name: log.file.path - type: keyword -- description: Flags for the log file. - name: log.flags - type: keyword -- description: Offset of the entry in the log file. - name: log.offset - type: long -- description: List of keywords used to tag each event. - example: '["production", "env2"]' - ignore_above: 1024 - name: tags - type: keyword diff --git a/packages/zeek/2.5.2/data_stream/weird/fields/ecs.yml b/packages/zeek/2.5.2/data_stream/weird/fields/ecs.yml deleted file mode 100755 index 26b52f0ef1..0000000000 --- a/packages/zeek/2.5.2/data_stream/weird/fields/ecs.yml +++ /dev/null 
@@ -1,150 +0,0 @@ -- description: |- - Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: destination.address - type: keyword -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: destination.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: destination.as.organization.name - type: keyword -- description: City name. - name: destination.geo.city_name - type: keyword -- description: Name of the continent. - name: destination.geo.continent_name - type: keyword -- description: Country ISO code. - name: destination.geo.country_iso_code - type: keyword -- description: Country name. - name: destination.geo.country_name - type: keyword -- description: Longitude and latitude. - name: destination.geo.location - type: geo_point -- description: |- - User-defined description of a location, at the level of granularity they care about. - Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. - Not typically used in automated geolocation. - name: destination.geo.name - type: keyword -- description: Region ISO code. - name: destination.geo.region_iso_code - type: keyword -- description: Region name. - name: destination.geo.region_name - type: keyword -- description: IP address of the destination (IPv4 or IPv6). - name: destination.ip - type: ip -- description: Port of the destination. - name: destination.port - type: long -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. 
- When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. This will allow proper categorization of some events that fall in multiple categories. - name: event.category - normalize: - - array - type: keyword -- description: |- - event.created contains the date/time when the event was first read by an agent, or by your pipeline. - This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. - In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. - In case the two timestamps are identical, @timestamp should be used. - name: event.created - type: date -- description: Unique ID to describe the event. - name: event.id - type: keyword -- description: |- - Timestamp when an event arrived in the central data store. - This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. - In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. 
- name: event.ingested - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. - `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. This will allow proper categorization of some events that fall in multiple event types. - name: event.type - normalize: - - array - type: keyword -- description: Host ip addresses. - name: host.ip - normalize: - - array - type: ip -- description: All of the IPs seen on your event. - name: related.ip - normalize: - - array - type: ip -- description: The name of the rule or signature generating the event. - name: rule.name - type: keyword -- description: |- - Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: source.address - type: keyword -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. 
- name: source.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: source.as.organization.name - type: keyword -- description: City name. - name: source.geo.city_name - type: keyword -- description: Name of the continent. - name: source.geo.continent_name - type: keyword -- description: Country ISO code. - name: source.geo.country_iso_code - type: keyword -- description: Country name. - name: source.geo.country_name - type: keyword -- description: Longitude and latitude. - name: source.geo.location - type: geo_point -- description: |- - User-defined description of a location, at the level of granularity they care about. - Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. - Not typically used in automated geolocation. - name: source.geo.name - type: keyword -- description: Region ISO code. - name: source.geo.region_iso_code - type: keyword -- description: Region name. - name: source.geo.region_name - type: keyword -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: Port of the source. - name: source.port - type: long diff --git a/packages/zeek/2.5.2/data_stream/weird/fields/fields.yml b/packages/zeek/2.5.2/data_stream/weird/fields/fields.yml deleted file mode 100755 index 96b9438808..0000000000 --- a/packages/zeek/2.5.2/data_stream/weird/fields/fields.yml +++ /dev/null 
@@ -1,23 +0,0 @@ -- name: zeek.weird - type: group - fields: - - name: name - type: keyword - description: | - The name of the weird that occurred. - - name: additional_info - type: keyword - description: | - Additional information accompanying the weird if any. - - name: notice - type: boolean - description: | - Indicate if this weird was also turned into a notice. - - name: peer - type: keyword - description: | - The peer that originated this weird. This is helpful in cluster deployments if a particular cluster node is having trouble to help identify which node is having trouble. - - name: identifier - type: keyword - description: | - This field is to be provided when a weird is generated for the purpose of deduplicating weirds. The identifier string should be unique for a single instance of the weird. This field is used to define when a weird is conceptually a duplicate of a previous weird. diff --git a/packages/zeek/2.5.2/data_stream/weird/fields/package-fields.yml b/packages/zeek/2.5.2/data_stream/weird/fields/package-fields.yml deleted file mode 100755 index 4d6d6ea170..0000000000 --- a/packages/zeek/2.5.2/data_stream/weird/fields/package-fields.yml +++ /dev/null @@ -1,7 +0,0 @@ -- name: zeek - type: group - fields: - - name: session_id - type: keyword - description: | - A unique identifier of the session diff --git a/packages/zeek/2.5.2/data_stream/weird/manifest.yml b/packages/zeek/2.5.2/data_stream/weird/manifest.yml deleted file mode 100755 index d2619e9ebe..0000000000 --- a/packages/zeek/2.5.2/data_stream/weird/manifest.yml +++ /dev/null 
@@ -1,85 +0,0 @@ -type: logs -title: Zeek weird logs -streams: - - input: logfile - vars: - - name: filenames - type: text - title: Filename of weird log file - multi: true - required: true - show_user: true - default: - - weird.log - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: false - default: - - forwarded - - zeek-weird - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original` - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: > - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. - - template_path: log.yml.hbs - title: Zeek weird.log - description: Collect Zeek weird logs - - input: httpjson - title: Zeek weird logs via Splunk Enterprise REST API - description: Collect Zeek weird logs via Splunk Enterprise REST API - enabled: false - template_path: httpjson.yml.hbs - vars: - - name: interval - type: text - title: Interval to query Splunk Enterprise REST API - description: Go Duration syntax (eg. 
10s) - show_user: true - required: true - default: 10s - - name: search - type: text - title: Splunk search string - show_user: true - required: true - default: "search sourcetype=\"weird-*\"" - - name: tags - type: text - title: Tags - multi: true - show_user: false - default: - - forwarded - - zeek-weird - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original` - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: >- - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. diff --git a/packages/zeek/2.5.2/data_stream/x509/agent/stream/httpjson.yml.hbs b/packages/zeek/2.5.2/data_stream/x509/agent/stream/httpjson.yml.hbs deleted file mode 100755 index 33f251e7d6..0000000000 --- a/packages/zeek/2.5.2/data_stream/x509/agent/stream/httpjson.yml.hbs +++ /dev/null 
@@ -1,63 +0,0 @@ -config_version: 2 -interval: {{interval}} -{{#unless token}} -{{#if username}} -{{#if password}} -auth.basic.user: {{username}} -auth.basic.password: {{password}} -{{/if}} -{{/if}} -{{/unless}} -cursor: - index_earliest: - value: '[[.last_event.result.max_indextime]]' -request.url: {{url}}/services/search/jobs/export -{{#if ssl}} -request.ssl: {{ssl}} -{{/if}} -request.method: POST -request.transforms: - - set: - target: url.params.search - value: {{search}} | streamstats max(_indextime) AS max_indextime - - set: - target: url.params.output_mode - value: "json" - - set: - target: url.params.index_earliest - value: '[[ .cursor.index_earliest ]]' - default: '[[(now (parseDuration "-{{interval}}")).Unix]]' - - set: - target: url.params.index_latest - value: '[[(now).Unix]]' - - set: - target: header.Content-Type - value: application/x-www-form-urlencoded -{{#unless username}} -{{#unless password}} -{{#if token}} - - set: - target: header.Authorization - value: {{token}} -{{/if}} -{{/unless}} -{{/unless}} -response.decode_as: application/x-ndjson -response.split: - target: body.result._raw - type: string - delimiter: "\n" -tags: -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#each tags as |tag i|}} - - {{tag}} -{{/each}} -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} -{{#if processors}} -processors: -{{processors}} -{{/if}} diff --git a/packages/zeek/2.5.2/data_stream/x509/agent/stream/log.yml.hbs b/packages/zeek/2.5.2/data_stream/x509/agent/stream/log.yml.hbs deleted file mode 100755 index 9dd9f724a5..0000000000 --- a/packages/zeek/2.5.2/data_stream/x509/agent/stream/log.yml.hbs +++ /dev/null 
@@ -1,21 +0,0 @@ -paths: -{{#each base_paths}} - {{#each ../filenames}} - - {{../this}}/{{this}} - {{/each}} -{{/each}} -exclude_files: [".gz$"] -tags: -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#each tags as |tag i|}} - - {{tag}} -{{/each}} -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} -{{#if processors}} -processors: -{{processors}} -{{/if}} diff --git a/packages/zeek/2.5.2/data_stream/x509/elasticsearch/ingest_pipeline/default.yml b/packages/zeek/2.5.2/data_stream/x509/elasticsearch/ingest_pipeline/default.yml deleted file mode 100755 index 40e0813813..0000000000 --- a/packages/zeek/2.5.2/data_stream/x509/elasticsearch/ingest_pipeline/default.yml +++ /dev/null 
@@ -1,421 +0,0 @@ ---- -description: Pipeline for normalizing Zeek x509.log -processors: - - rename: - field: message - target_field: event.original - - json: - field: event.original - target_field: _temp_ - - pipeline: - if: ctx?._temp_?.result != null - name: '{{ IngestPipeline "third-party" }}' - - drop: - description: Drop if no timestamp (invalid json) - if: 'ctx?._temp_?.ts == null' - - rename: - field: _temp_ - target_field: zeek.x509 - -# Sets event.created from the @timestamp field generated by filebeat before being overwritten further down - - set: - field: event.created - copy_from: "@timestamp" - - set: - field: event.kind - value: event - - set: - field: ecs.version - value: '8.4.0' - - append: - field: event.type - value: info - - dot_expander: - path: zeek.x509 - field: certificate.version - ignore_failure: true - - dot_expander: - path: zeek.x509 - field: certificate.serial - ignore_failure: true - - dot_expander: - path: zeek.x509 - field: certificate.subject - ignore_failure: true - - dot_expander: - path: zeek.x509 - field: certificate.issuer - ignore_failure: true - - dot_expander: - path: zeek.x509 - field: certificate.not_valid_before - ignore_failure: true - - dot_expander: - path: zeek.x509 - field: certificate.not_valid_after - ignore_failure: true - - dot_expander: - path: zeek.x509 - field: certificate.key_alg - ignore_failure: true - - dot_expander: - path: zeek.x509 - field: certificate.sig_alg - ignore_failure: true - - dot_expander: - path: zeek.x509 - field: certificate.key_type - ignore_failure: true - - dot_expander: - path: zeek.x509 - field: certificate.key_length - ignore_failure: true - - dot_expander: - path: zeek.x509 - field: certificate.exponent - ignore_failure: true - - dot_expander: - path: zeek.x509 - field: certificate.cn - ignore_failure: true - - dot_expander: - path: zeek.x509 - field: zeek.x509.basic_constraints.ca - ignore_failure: true - - dot_expander: - path: zeek.x509 - field: basic_constraints.path_len - 
ignore_failure: true - - rename: - field: zeek.x509.id - target_field: zeek.session_id - ignore_missing: true - - set: - field: event.id - copy_from: zeek.session_id - if: ctx?.zeek?.session_id != null - - rename: - field: zeek.x509.certificate.not_valid_before - target_field: zeek.x509.certificate.valid.from - ignore_missing: true - - rename: - field: zeek.x509.certificate.not_valid_after - target_field: zeek.x509.certificate.valid.until - ignore_missing: true - - rename: - field: zeek.x509.basic_constraints.ca - target_field: zeek.x509.basic_constraints.certificate_authority - ignore_missing: true - - rename: - field: zeek.x509.basic_constraints.path_len - target_field: zeek.x509.basic_constraints.path_length - ignore_missing: true - - rename: - field: zeek.x509.basic_constraints.path_len - target_field: zeek.x509.basic_constraints.path_length - ignore_missing: true - - rename: - field: zeek.x509.certificate.cn - target_field: zeek.x509.certificate.common_name - ignore_missing: true - - rename: - field: zeek.x509.certificate.issuer - target_field: zeek.x509.certificate.iss - ignore_missing: true - - rename: - field: zeek.x509.certificate.subject - target_field: zeek.x509.certificate.sub - ignore_missing: true - - rename: - field: zeek.x509.certificate.key_alg - target_field: zeek.x509.certificate.key.algorithm - ignore_missing: true - - rename: - field: zeek.x509.certificate.key_length - target_field: zeek.x509.certificate.key.length - ignore_missing: true - - rename: - field: zeek.x509.certificate.key_type - target_field: zeek.x509.certificate.key.type - ignore_missing: true - - rename: - field: zeek.x509.certificate.sig_alg - target_field: zeek.x509.certificate.signature_algorithm - ignore_missing: true - - rename: - field: zeek.x509.logcert - target_field: zeek.x509.log_cert - ignore_missing: true - - date: - field: zeek.x509.ts - formats: - - UNIX - - ISO8601 - - remove: - field: zeek.x509.ts - - set: - field: event.id - value: "{{zeek.session_id}}" - if: 
ctx.zeek.session_id != null - - set: - field: file.x509.signature_algorithm - value: "{{zeek.x509.certificate.signature_algorithm}}" - ignore_empty_value: true - - script: - lang: painless - params: - "md2WithRSAEncryption": MD2-RSA - "md5WithRSAEncryption": MD5-RSA - "sha-1WithRSAEncryption": SHA1-RSA - "sha256WithRSAEncryption": SHA256-RSA - "sha384WithRSAEncryption": SHA384-RSA - "sha512WithRSAEncryption": SHA512-RSA - "dsaWithSha1": DSA-SHA1 - "dsaWithSha256": DSA-SHA256 - "ecdsa-with-SHA1": ECDSA-SHA1 - "ecdsa-with-SHA256": ECDSA-SHA256 - "ecdsa-with-SHA384": ECDSA-SHA384 - "ecdsa-with-SHA512": ECDSA-SHA512 - "id-Ed25519": Ed25519 - source: | - String algo = params.get(ctx.file.x509.signature_algorithm); - if (algo != null) { - ctx.file.x509.signature_algorithm = algo; - } - if: ctx?.file?.x509?.signature_algorithm != null - - set: - field: file.x509.public_key_algorithm - value: "{{zeek.x509.certificate.key.algorithm}}" - ignore_empty_value: true - - convert: - field: zeek.x509.certificate.key.length - target_field: file.x509.public_key_size - type: long - ignore_missing: true - - dot_expander: - field: certificate.exponent - path: zeek.x509 - - convert: - field: zeek.x509.certificate.exponent - target_field: file.x509.public_key_exponent - type: long - ignore_missing: true - - dot_expander: - field: certificate.serial - path: zeek.x509 - - set: - field: file.x509.serial_number - value: "{{zeek.x509.certificate.serial}}" - ignore_empty_value: true - - dot_expander: - field: certificate.version - path: zeek.x509 - - set: - field: file.x509.version_number - value: "{{zeek.x509.certificate.version}}" - ignore_empty_value: true - - dot_expander: - field: san.dns - path: zeek.x509 - - foreach: - field: zeek.x509.san.dns - ignore_missing: true - processor: - append: - field: file.x509.alternative_names - value: "{{_ingest._value}}" - - dot_expander: - field: san.uri - path: zeek.x509 - - foreach: - field: zeek.x509.san.uri - ignore_missing: true - processor: - 
append: - field: file.x509.alternative_names - value: "{{_ingest._value}}" - - dot_expander: - field: san.email - path: zeek.x509 - - foreach: - field: zeek.x509.san.email - ignore_missing: true - processor: - append: - field: file.x509.alternative_names - value: "{{_ingest._value}}" - - dot_expander: - field: san.ip - path: zeek.x509 - - foreach: - field: zeek.x509.san.ip - ignore_missing: true - processor: - append: - field: file.x509.alternative_names - value: "{{_ingest._value}}" - - dot_expander: - field: san.other_fields - path: zeek.x509 - - foreach: - field: zeek.x509.san.other_fields - ignore_missing: true - processor: - append: - field: file.x509.alternative_names - value: "{{_ingest._value}}" - - date: - field: zeek.x509.certificate.valid.from - target_field: zeek.x509.certificate.valid.from - formats: - - UNIX - - ISO8601 - if: ctx.zeek.x509.certificate?.valid?.from != null - - set: - field: file.x509.not_before - value: "{{zeek.x509.certificate.valid.from}}" - ignore_empty_value: true - - date: - field: zeek.x509.certificate.valid.until - target_field: zeek.x509.certificate.valid.until - formats: - - UNIX - - ISO8601 - if: ctx.zeek.x509.certificate?.valid?.until != null - - set: - field: file.x509.not_after - value: "{{zeek.x509.certificate.valid.until}}" - ignore_empty_value: true - - gsub: - field: zeek.x509.certificate.iss - pattern: \\, - replacement: "" - ignore_missing: true - - kv: - field: zeek.x509.certificate.iss - field_split: "," - value_split: "=" - target_field: zeek.x509.certificate.issuer - ignore_missing: true - - remove: - field: zeek.x509.certificate.iss - ignore_missing: true - - rename: - field: zeek.x509.certificate.issuer.C - target_field: zeek.x509.certificate.issuer.country - ignore_missing: true - - set: - field: file.x509.issuer.country - value: "{{zeek.x509.certificate.issuer.country}}" - ignore_empty_value: true - - rename: - field: zeek.x509.certificate.issuer.CN - target_field: zeek.x509.certificate.issuer.common_name - 
ignore_missing: true - - set: - field: file.x509.issuer.common_name - value: "{{zeek.x509.certificate.issuer.common_name}}" - ignore_empty_value: true - - rename: - field: zeek.x509.certificate.issuer.L - target_field: zeek.x509.certificate.issuer.locality - ignore_missing: true - - set: - field: file.x509.issuer.locality - value: "{{zeek.x509.certificate.issuer.locality}}" - ignore_empty_value: true - - rename: - field: zeek.x509.certificate.issuer.O - target_field: zeek.x509.certificate.issuer.organization - ignore_missing: true - - set: - field: file.x509.issuer.organization - value: "{{zeek.x509.certificate.issuer.organization}}" - ignore_empty_value: true - - rename: - field: zeek.x509.certificate.issuer.OU - target_field: zeek.x509.certificate.issuer.organizational_unit - ignore_missing: true - - set: - field: file.x509.issuer.organizational_unit - value: "{{zeek.x509.certificate.issuer.organizational_unit}}" - ignore_empty_value: true - - rename: - field: zeek.x509.certificate.issuer.ST - target_field: zeek.x509.certificate.issuer.state - ignore_missing: true - - set: - field: file.x509.issuer.state_or_province - value: "{{zeek.x509.certificate.issuer.state}}" - ignore_empty_value: true - - gsub: - field: zeek.x509.certificate.sub - pattern: \\, - replacement: "" - ignore_missing: true - - kv: - field: zeek.x509.certificate.sub - field_split: "," - value_split: "=" - target_field: zeek.x509.certificate.subject - ignore_missing: true - - remove: - field: zeek.x509.certificate.sub - ignore_missing: true - - rename: - field: zeek.x509.certificate.subject.C - target_field: zeek.x509.certificate.subject.country - ignore_missing: true - - set: - field: file.x509.subject.country - value: "{{zeek.x509.certificate.subject.country}}" - ignore_empty_value: true - - rename: - field: zeek.x509.certificate.subject.CN - target_field: zeek.x509.certificate.subject.common_name - ignore_missing: true - - set: - field: file.x509.subject.common_name - value: 
"{{zeek.x509.certificate.subject.common_name}}" - ignore_empty_value: true - - rename: - field: zeek.x509.certificate.subject.L - target_field: zeek.x509.certificate.subject.locality - ignore_missing: true - - set: - field: file.x509.subject.locality - value: "{{zeek.x509.certificate.subject.locality}}" - ignore_empty_value: true - - rename: - field: zeek.x509.certificate.subject.O - target_field: zeek.x509.certificate.subject.organization - ignore_missing: true - - set: - field: file.x509.subject.organization - value: "{{zeek.x509.certificate.subject.organization}}" - ignore_empty_value: true - - rename: - field: zeek.x509.certificate.subject.OU - target_field: zeek.x509.certificate.subject.organizational_unit - ignore_missing: true - - set: - field: file.x509.subject.organizational_unit - value: "{{zeek.x509.certificate.subject.organizational_unit}}" - ignore_empty_value: true - - rename: - field: zeek.x509.certificate.subject.ST - target_field: zeek.x509.certificate.subject.state - ignore_missing: true - - set: - field: file.x509.subject.state_or_province - value: "{{zeek.x509.certificate.subject.state}}" - ignore_empty_value: true - - remove: - field: event.original - if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" - ignore_failure: true - ignore_missing: true -on_failure: - - set: - field: error.message - value: "{{_ingest.on_failure_message}}" diff --git a/packages/zeek/2.5.2/data_stream/x509/elasticsearch/ingest_pipeline/third-party.yml b/packages/zeek/2.5.2/data_stream/x509/elasticsearch/ingest_pipeline/third-party.yml deleted file mode 100755 index 5bc2247db2..0000000000 --- a/packages/zeek/2.5.2/data_stream/x509/elasticsearch/ingest_pipeline/third-party.yml +++ /dev/null 
@@ -1,39 +0,0 @@
----
-description: Pipeline for parsing Zeek logs from third party api
-processors:
- - fingerprint:
- fields:
- - _temp_.result._cd
- - _temp_.result._indextime
- - _temp_.result._raw
- - _temp_.result._time
- - _temp_.result.host
- - _temp_.result.source
- target_field: '_id'
- ignore_missing: true
- - set:
- field: event.original
- copy_from: _temp_.result._raw
- ignore_empty_value: true
- - set:
- field: host.name
- copy_from: _temp_.result.host
- ignore_empty_value: true
- - set:
- copy_from: _temp_.result.source
- field: log.file.path
- ignore_empty_value: true
- - remove:
- field: _temp_
- ignore_missing: true
- - json:
- field: event.original
- target_field: _temp_
-on_failure:
- - append:
- field: error.message
- value: >-
- error in third party api pipeline:
- error in [{{_ingest.on_failure_processor_type}}] processor{{#_ingest.on_failure_processor_tag}}
- with tag [{{_ingest.on_failure_processor_tag }}]{{/_ingest.on_failure_processor_tag}}
- {{ _ingest.on_failure_message }}
diff --git a/packages/zeek/2.5.2/data_stream/x509/fields/agent.yml b/packages/zeek/2.5.2/data_stream/x509/fields/agent.yml
deleted file mode 100755
index ed1313d1b0..0000000000
--- a/packages/zeek/2.5.2/data_stream/x509/fields/agent.yml
+++ /dev/null
@@ -1,171 +0,0 @@
-- name: cloud
- title: Cloud
- group: 2
- description: Fields related to the cloud or infrastructure the events are coming from.
- footnote: "Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on."
- type: group
- fields:
- - name: account.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: "The cloud account or organization id used to identify different entities in a multi-tenant environment.\nExamples: AWS account id, Google Cloud ORG Id, or other unique identifier."
- example: 666777888999
- - name: availability_zone
- level: extended
- type: keyword
- ignore_above: 1024
- description: Availability zone in which this host is running.
- example: us-east-1c
- - name: instance.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance ID of the host machine.
- example: i-1234567890abcdef0
- - name: instance.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance name of the host machine.
- - name: machine.type
- level: extended
- type: keyword
- ignore_above: 1024
- description: Machine type of the host machine.
- example: t2.medium
- - name: provider
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
- example: aws
- - name: region
- level: extended
- type: keyword
- ignore_above: 1024
- description: Region in which this host is running.
- example: us-east-1
- - name: project.id
- type: keyword
- description: Name of the project in Google Cloud.
- - name: image.id
- type: keyword
- description: Image ID for the cloud instance.
-- name: container
- title: Container
- group: 2
- description: "Container fields are used for meta information about the specific container that is the source of information.\nThese fields help correlate data based containers from any runtime."
- type: group
- fields:
- - name: image.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the image the container was built on.
- - name: labels
- level: extended
- type: object
- object_type: keyword
- description: Image labels.
- - name: name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Container name.
-- name: host
- title: Host
- group: 2
- description: "A host is defined as a general computing instance.\nECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes."
- type: group
- fields:
- - name: architecture
- level: core
- type: keyword
- ignore_above: 1024
- description: Operating system architecture.
- example: x86_64
- - name: domain
- level: extended
- type: keyword
- ignore_above: 1024
- description: "Name of the domain of which the host is a member.\nFor example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider."
- example: CONTOSO
- default_field: false
- - name: hostname
- level: core
- type: keyword
- ignore_above: 1024
- description: "Hostname of the host.\nIt normally contains what the `hostname` command returns on the host machine."
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: "Unique host id.\nAs hostname is not always unique, use values that are meaningful in your environment.\nExample: The current usage of `beat.name`."
- - name: mac
- level: core
- type: keyword
- ignore_above: 1024
- description: Host mac addresses.
- - name: name
- level: core
- type: keyword
- ignore_above: 1024
- description: "Name of the host.\nIt can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use."
- - name: os.family
- level: extended
- type: keyword
- ignore_above: 1024
- description: OS family (such as redhat, debian, freebsd, windows).
- example: debian
- - name: os.kernel
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system kernel version as a raw string.
- example: 4.4.0-112-generic
- - name: os.name
- level: extended
- type: keyword
- ignore_above: 1024
- multi_fields:
- - name: text
- type: text
- norms: false
- default_field: false
- description: Operating system name, without the version.
- example: Mac OS X
- - name: os.platform
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system platform (such centos, ubuntu, windows).
- example: darwin
- - name: os.version
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system version as a raw string.
- example: 10.14.1
- - name: type
- level: core
- type: keyword
- ignore_above: 1024
- description: "Type of host.\nFor Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment."
- - name: containerized
- type: boolean
- description: >
- If the host is a container.
-
- - name: os.build
- type: keyword
- example: "18D109"
- description: >
- OS build information.
-
- - name: os.codename
- type: keyword
- example: "stretch"
- description: >
- OS codename, if any.
-
diff --git a/packages/zeek/2.5.2/data_stream/x509/fields/base-fields.yml b/packages/zeek/2.5.2/data_stream/x509/fields/base-fields.yml
deleted file mode 100755
index 3a93a8353e..0000000000
--- a/packages/zeek/2.5.2/data_stream/x509/fields/base-fields.yml
+++ /dev/null
@@ -1,20 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: event.module
- type: constant_keyword
- description: Event module
- value: zeek
-- name: event.dataset
- type: constant_keyword
- description: Event dataset
- value: zeek.x509
-- name: '@timestamp'
- type: date
- description: Event timestamp.
diff --git a/packages/zeek/2.5.2/data_stream/x509/fields/beats.yml b/packages/zeek/2.5.2/data_stream/x509/fields/beats.yml
deleted file mode 100755
index 470f5fae48..0000000000
--- a/packages/zeek/2.5.2/data_stream/x509/fields/beats.yml
+++ /dev/null
@@ -1,23 +0,0 @@
-- description: Unique container id.
- ignore_above: 1024
- name: container.id
- type: keyword
-- description: Type of Filebeat input.
- name: input.type
- type: keyword
-- description: Full path to the log file this event came from.
- example: /var/log/fun-times.log
- ignore_above: 1024
- name: log.file.path
- type: keyword
-- description: Flags for the log file.
- name: log.flags
- type: keyword
-- description: Offset of the entry in the log file.
- name: log.offset
- type: long
-- description: List of keywords used to tag each event.
- example: '["production", "env2"]'
- ignore_above: 1024
- name: tags
- type: keyword
diff --git a/packages/zeek/2.5.2/data_stream/x509/fields/ecs.yml b/packages/zeek/2.5.2/data_stream/x509/fields/ecs.yml
deleted file mode 100755
index 1751b054f4..0000000000
--- a/packages/zeek/2.5.2/data_stream/x509/fields/ecs.yml
+++ /dev/null
@@ -1,143 +0,0 @@ -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: Error message. - name: error.message - type: match_only_text -- description: |- - event.created contains the date/time when the event was first read by an agent, or by your pipeline. - This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. - In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. - In case the two timestamps are identical, @timestamp should be used. - name: event.created - type: date -- description: Unique ID to describe the event. - name: event.id - type: keyword -- description: |- - Timestamp when an event arrived in the central data store. - This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. - In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. - name: event.ingested - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. 
- The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not.
- name: event.kind
- type: keyword
-- description: |-
- This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy.
- `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization.
- This field is an array. This will allow proper categorization of some events that fall in multiple event types.
- name: event.type
- normalize:
- - array
- type: keyword
-- description: List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses.
- name: file.x509.alternative_names
- normalize:
- - array
- type: keyword
-- description: List of common name (CN) of issuing certificate authority.
- name: file.x509.issuer.common_name
- normalize:
- - array
- type: keyword
-- description: List of country \(C) codes
- name: file.x509.issuer.country
- normalize:
- - array
- type: keyword
-- description: Distinguished name (DN) of issuing certificate authority.
- name: file.x509.issuer.distinguished_name
- type: keyword
-- description: List of locality names (L)
- name: file.x509.issuer.locality
- normalize:
- - array
- type: keyword
-- description: List of organizations (O) of issuing certificate authority.
- name: file.x509.issuer.organization
- normalize:
- - array
- type: keyword
-- description: List of organizational units (OU) of issuing certificate authority.
- name: file.x509.issuer.organizational_unit
- normalize:
- - array
- type: keyword
-- description: List of state or province names (ST, S, or P)
- name: file.x509.issuer.state_or_province
- normalize:
- - array
- type: keyword
-- description: Time at which the certificate is no longer considered valid.
- name: file.x509.not_after
- type: date
-- description: Time at which the certificate is first considered valid.
- name: file.x509.not_before
- type: date
-- description: Algorithm used to generate the public key.
- name: file.x509.public_key_algorithm
- type: keyword
-- description: The curve used by the elliptic curve public key algorithm. This is algorithm specific.
- name: file.x509.public_key_curve
- type: keyword
-- description: Exponent used to derive the public key. This is algorithm specific.
- doc_values: false
- index: false
- name: file.x509.public_key_exponent
- type: long
-- description: The size of the public key space in bits.
- name: file.x509.public_key_size
- type: long
-- description: Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters.
- name: file.x509.serial_number
- type: keyword
-- description: Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353.
- name: file.x509.signature_algorithm
- type: keyword
-- description: List of common names (CN) of subject.
- name: file.x509.subject.common_name
- normalize:
- - array
- type: keyword
-- description: List of country \(C) code
- name: file.x509.subject.country
- normalize:
- - array
- type: keyword
-- description: Distinguished name (DN) of the certificate subject entity.
- name: file.x509.subject.distinguished_name
- type: keyword
-- description: List of locality names (L)
- name: file.x509.subject.locality
- normalize:
- - array
- type: keyword
-- description: List of organizations (O) of subject.
- name: file.x509.subject.organization
- normalize:
- - array
- type: keyword
-- description: List of organizational units (OU) of subject.
- name: file.x509.subject.organizational_unit
- normalize:
- - array
- type: keyword
-- description: List of state or province names (ST, S, or P)
- name: file.x509.subject.state_or_province
- normalize:
- - array
- type: keyword
-- description: Version of x509 format.
- name: file.x509.version_number
- type: keyword
-- description: Host ip addresses.
- name: host.ip
- normalize:
- - array
- type: ip
diff --git a/packages/zeek/2.5.2/data_stream/x509/fields/fields.yml b/packages/zeek/2.5.2/data_stream/x509/fields/fields.yml
deleted file mode 100755
index 7f79ef0720..0000000000
--- a/packages/zeek/2.5.2/data_stream/x509/fields/fields.yml
+++ /dev/null
@@ -1,153 +0,0 @@
-- name: zeek.x509
- type: group
- fields:
- - name: id
- type: keyword
- description: |
- File id of this certificate.
- - name: certificate
- type: group
- fields:
- - name: version
- type: integer
- description: |
- Version number.
- - name: serial
- type: keyword
- description: |
- Serial number.
- - name: subject
- type: group
- fields:
- - name: country
- type: keyword
- description: |
- Country provided in the certificate subject.
- - name: common_name
- type: keyword
- description: |
- Common name provided in the certificate subject.
- - name: locality
- type: keyword
- description: |
- Locality provided in the certificate subject.
- - name: organization
- type: keyword
- description: |
- Organization provided in the certificate subject.
- - name: organizational_unit
- type: keyword
- description: |
- Organizational unit provided in the certificate subject.
- - name: state
- type: keyword
- description: |
- State or province provided in the certificate subject.
- - name: issuer
- type: group
- fields:
- - name: country
- type: keyword
- description: |
- Country provided in the certificate issuer field.
- - name: common_name
- type: keyword
- description: |
- Common name provided in the certificate issuer field.
- - name: locality
- type: keyword
- description: |
- Locality provided in the certificate issuer field.
- - name: organization
- type: keyword
- description: |
- Organization provided in the certificate issuer field.
- - name: organizational_unit
- type: keyword
- description: |
- Organizational unit provided in the certificate issuer field.
- - name: state
- type: keyword
- description: |
- State or province provided in the certificate issuer field.
- - name: common_name
- type: keyword
- description: |
- Last (most specific) common name.
- - name: valid
- type: group
- fields:
- - name: from
- type: date
- description: |
- Timestamp before when certificate is not valid.
- - name: until
- type: date
- description: |
- Timestamp after when certificate is not valid.
- - name: key
- type: group
- fields:
- - name: algorithm
- type: keyword
- description: |
- Name of the key algorithm.
- - name: type
- type: keyword
- description: |
- Key type, if key parseable by openssl (either rsa, dsa or ec).
- - name: length
- type: integer
- description: |
- Key length in bits.
- - name: signature_algorithm
- type: keyword
- description: |
- Name of the signature algorithm.
- - name: exponent
- type: keyword
- description: |
- Exponent, if RSA-certificate.
- - name: curve
- type: keyword
- description: |
- Curve, if EC-certificate.
- - name: san
- type: group
- fields:
- - name: dns
- type: keyword
- description: |
- List of DNS entries in SAN.
- - name: uri
- type: keyword
- description: |
- List of URI entries in SAN.
- - name: email
- type: keyword
- description: |
- List of email entries in SAN.
- - name: ip
- type: ip
- description: |
- List of IP entries in SAN.
- - name: other_fields
- type: boolean
- description: |
- True if the certificate contained other, not recognized or parsed name fields.
- - name: basic_constraints
- type: group
- fields:
- - name: certificate_authority
- type: boolean
- description: |
- CA flag set or not.
- - name: path_length
- type: integer
- description: |
- Maximum path length.
- - name: log_cert
- type: boolean
- description: |
- Present if policy/protocols/ssl/log-hostcerts-only.bro is loaded
- Logging of certificate is suppressed if set to F.
diff --git a/packages/zeek/2.5.2/data_stream/x509/fields/package-fields.yml b/packages/zeek/2.5.2/data_stream/x509/fields/package-fields.yml
deleted file mode 100755
index 4d6d6ea170..0000000000
--- a/packages/zeek/2.5.2/data_stream/x509/fields/package-fields.yml
+++ /dev/null
@@ -1,7 +0,0 @@
-- name: zeek
- type: group
- fields:
- - name: session_id
- type: keyword
- description: |
- A unique identifier of the session
diff --git a/packages/zeek/2.5.2/data_stream/x509/manifest.yml b/packages/zeek/2.5.2/data_stream/x509/manifest.yml
deleted file mode 100755
index ae5b23ca7e..0000000000
--- a/packages/zeek/2.5.2/data_stream/x509/manifest.yml
+++ /dev/null
@@ -1,85 +0,0 @@
-type: logs
-title: Zeek x509 logs
-streams:
- - input: logfile
- vars:
- - name: filenames
- type: text
- title: Filename of x509 log file
- multi: true
- required: true
- show_user: true
- default:
- - x509.log
- - name: tags
- type: text
- title: Tags
- multi: true
- required: true
- show_user: false
- default:
- - forwarded
- - zeek-x509
- - name: preserve_original_event
- required: true
- show_user: true
- title: Preserve original event
- description: Preserves a raw copy of the original event, added to the field `event.original`
- type: bool
- multi: false
- default: false
- - name: processors
- type: yaml
- title: Processors
- multi: false
- required: false
- show_user: false
- description: >
- Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
- template_path: log.yml.hbs
- title: Zeek x509.log
- description: Collect Zeek x509 logs
- - input: httpjson
- title: Zeek x509 logs via Splunk Enterprise REST API
- description: Collect Zeek x509 logs via Splunk Enterprise REST API
- enabled: false
- template_path: httpjson.yml.hbs
- vars:
- - name: interval
- type: text
- title: Interval to query Splunk Enterprise REST API
- description: Go Duration syntax (eg. 
10s)
- show_user: true
- required: true
- default: 10s
- - name: search
- type: text
- title: Splunk search string
- show_user: true
- required: true
- default: "search sourcetype=\"x509-*\""
- - name: tags
- type: text
- title: Tags
- multi: true
- show_user: false
- default:
- - forwarded
- - zeek-x509
- - name: preserve_original_event
- required: true
- show_user: true
- title: Preserve original event
- description: Preserves a raw copy of the original event, added to the field `event.original`
- type: bool
- multi: false
- default: false
- - name: processors
- type: yaml
- title: Processors
- multi: false
- required: false
- show_user: false
- description: >-
- Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
diff --git a/packages/zeek/2.5.2/docs/README.md b/packages/zeek/2.5.2/docs/README.md
deleted file mode 100755
index d23c4f1434..0000000000
--- a/packages/zeek/2.5.2/docs/README.md
+++ /dev/null
@@ -1,4494 +0,0 @@ -# Zeek Integration - -This is an integration for [Zeek](https://www.zeek.org/), which was formerly -named Bro. Zeek is a passive, open-source network traffic analyzer. This -integrations ingests the logs Zeek produces about the network traffic that it -analyzes. - -Zeek logs must be output in JSON format. This is normally done by appending the -[json-logs policy](https://docs.zeek.org/en/lts/scripts/policy/tuning/json-logs.zeek.html) -to your `local.zeek` file. Add this line to your `local.zeek`. - -`@load policy/tuning/json-logs.zeek` - -## Compatibility -This module has been developed against Zeek 2.6.1, but is expected to work with -other versions of Zeek. - -Zeek requires a Unix-like platform, and it currently supports Linux, -FreeBSD, and Mac OS X. - -## Logs -### capture_loss - -The `capture_loss` dataset collects the Zeek capture_loss.log file, -which contains packet loss rate data. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. 
| keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| error.message | Error message. | match_only_text | -| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | -| event.dataset | Event dataset | constant_keyword | -| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. 
`event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | -| event.module | Event module | constant_keyword | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. 
| keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| input.type | Type of Filebeat input. | keyword | -| log.file.path | Full path to the log file this event came from. | keyword | -| log.flags | Flags for the log file. | keyword | -| log.offset | Offset of the entry in the log file. | long | -| tags | List of keywords used to tag each event. | keyword | -| zeek.capture_loss.acks | Total number of ACKs seen in the previous measurement interval. | integer | -| zeek.capture_loss.gaps | Number of missed ACKs from the previous measurement interval. | integer | -| zeek.capture_loss.peer | In the event that there are multiple Bro instances logging to the same host, this distinguishes each peer with its individual name. | keyword | -| zeek.capture_loss.percent_lost | Percentage of ACKs seen where the data being ACKed wasn't seen. | double | -| zeek.capture_loss.ts_delta | The time delay between this measurement and the last. | integer | -| zeek.session_id | A unique identifier of the session | keyword | - - -### connection - -The `connection` dataset collects the Zeek conn.log file, which -contains TCP/UDP/ICMP connection data. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. 
| date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| destination.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| destination.as.organization.name | Organization name. | keyword | -| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. | match_only_text | -| destination.bytes | Bytes sent from the destination to the source. 
| long | -| destination.geo.city_name | City name. | keyword | -| destination.geo.continent_name | Name of the continent. | keyword | -| destination.geo.country_iso_code | Country ISO code. | keyword | -| destination.geo.country_name | Country name. | keyword | -| destination.geo.location | Longitude and latitude. | geo_point | -| destination.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | -| destination.geo.region_iso_code | Region ISO code. | keyword | -| destination.geo.region_name | Region name. | keyword | -| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | -| destination.mac | MAC address of the destination. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | -| destination.packets | Packets sent from the destination to the source. | long | -| destination.port | Port of the destination. | long | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| error.message | Error message. | match_only_text | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. 
This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | -| event.dataset | Event dataset | constant_keyword | -| event.duration | Duration of the event in nanoseconds. If event.start and event.end are known this value should be the difference between the end and start time. | long | -| event.id | Unique ID to describe the event. | keyword | -| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. 
They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | -| event.module | Event module | constant_keyword | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. 
| keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| input.type | Type of Filebeat input. | keyword | -| log.file.path | Full path to the log file this event came from. | keyword | -| log.flags | Flags for the log file. | keyword | -| log.offset | Offset of the entry in the log file. | long | -| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long | -| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword | -| network.direction | Direction of the network traffic. When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword | -| network.packets | Total packets transferred in both directions. If `source.packets` and `destination.packets` are known, `network.packets` is their sum. 
| long | -| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword | -| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| source.as.organization.name | Organization name. | keyword | -| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text | -| source.bytes | Bytes sent from the source to the destination. | long | -| source.geo.city_name | City name. | keyword | -| source.geo.continent_name | Name of the continent. | keyword | -| source.geo.country_iso_code | Country ISO code. | keyword | -| source.geo.country_name | Country name. | keyword | -| source.geo.location | Longitude and latitude. | geo_point | -| source.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | -| source.geo.region_iso_code | Region ISO code. | keyword | -| source.geo.region_name | Region name. | keyword | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| source.mac | MAC address of the source. 
The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | -| source.packets | Packets sent from the source to the destination. | long | -| source.port | Port of the source. | long | -| tags | List of keywords used to tag each event. | keyword | -| zeek.connection.history | Flags indicating the history of the session. | keyword | -| zeek.connection.icmp.code | ICMP message code. | integer | -| zeek.connection.icmp.type | ICMP message type. | integer | -| zeek.connection.inner_vlan | VLAN identifier. | integer | -| zeek.connection.local_orig | Indicates whether the session is originated locally. | boolean | -| zeek.connection.local_resp | Indicates whether the session is responded locally. | boolean | -| zeek.connection.missed_bytes | Missed bytes for the session. | long | -| zeek.connection.state | Code indicating the state of the session. | keyword | -| zeek.connection.state_message | The state of the session. | keyword | -| zeek.connection.vlan | VLAN identifier. | integer | -| zeek.session_id | A unique identifier of the session | keyword | - - -### dce_rpc - -The `dce_rpc` dataset collects the Zeek dce_rpc.log file, which -contains Distributed Computing Environment/RPC data. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. 
| keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| destination.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| destination.as.organization.name | Organization name. | keyword | -| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. | match_only_text | -| destination.bytes | Bytes sent from the destination to the source. | long | -| destination.geo.city_name | City name. | keyword | -| destination.geo.continent_name | Name of the continent. | keyword | -| destination.geo.country_iso_code | Country ISO code. | keyword | -| destination.geo.country_name | Country name. | keyword | -| destination.geo.location | Longitude and latitude. | geo_point | -| destination.geo.name | User-defined description of a location, at the level of granularity they care about. 
Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | -| destination.geo.region_iso_code | Region ISO code. | keyword | -| destination.geo.region_name | Region name. | keyword | -| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | -| destination.port | Port of the destination. | long | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| error.message | Error message. | match_only_text | -| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. 
This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | -| event.dataset | Event dataset | constant_keyword | -| event.id | Unique ID to describe the event. | keyword | -| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | -| event.module | Event module | constant_keyword | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. 
| boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| input.type | Type of Filebeat input. | keyword | -| log.file.path | Full path to the log file this event came from. | keyword | -| log.flags | Flags for the log file. | keyword | -| log.offset | Offset of the entry in the log file. | long | -| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. 
This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword | -| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword | -| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| source.as.organization.name | Organization name. | keyword | -| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text | -| source.bytes | Bytes sent from the source to the destination. | long | -| source.geo.city_name | City name. | keyword | -| source.geo.continent_name | Name of the continent. | keyword | -| source.geo.country_iso_code | Country ISO code. | keyword | -| source.geo.country_name | Country name. | keyword | -| source.geo.location | Longitude and latitude. | geo_point | -| source.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | -| source.geo.region_iso_code | Region ISO code. | keyword | -| source.geo.region_name | Region name. 
| keyword | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| source.port | Port of the source. | long | -| tags | List of keywords used to tag each event. | keyword | -| zeek.dce_rpc.endpoint | Endpoint name looked up from the uuid. | keyword | -| zeek.dce_rpc.named_pipe | Remote pipe name. | keyword | -| zeek.dce_rpc.operation | Operation seen in the call. | keyword | -| zeek.dce_rpc.rtt | Round trip time from the request to the response. If either the request or response wasn't seen, this will be null. | integer | -| zeek.session_id | A unique identifier of the session | keyword | - - -### dhcp - -The `dhcp` dataset collects the Zeek dhcp.log file, which contains -DHCP lease data. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| client.address | Some event client addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. 
| keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | -| destination.port | Port of the destination. | long | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| error.message | Error message. | match_only_text | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. 
The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | -| event.dataset | Event dataset | constant_keyword | -| event.id | Unique ID to describe the event. | keyword | -| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | -| event.module | Event module | constant_keyword | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. 
| keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| input.type | Type of Filebeat input. | keyword | -| log.file.path | Full path to the log file this event came from. | keyword | -| log.flags | Flags for the log file. | keyword | -| log.offset | Offset of the entry in the log file. 
| long | -| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword | -| network.name | Name given by operators to sections of their network. | keyword | -| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword | -| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| server.address | Some event server addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| source.port | Port of the source. | long | -| tags | List of keywords used to tag each event. | keyword | -| zeek.dhcp.address.assigned | IP address assigned by the server. | ip | -| zeek.dhcp.address.client | IP address of the client. If a transaction is only a client sending INFORM messages then there is no lease information exchanged so this is helpful to know who sent the messages. Getting an address in this field does require that the client sources at least one DHCP message using a non-broadcast address. 
| ip | -| zeek.dhcp.address.mac | Client's hardware address. | keyword | -| zeek.dhcp.address.requested | IP address requested by the client. | ip | -| zeek.dhcp.address.server | IP address of the DHCP server. | ip | -| zeek.dhcp.client_fqdn | FQDN given by client in Client FQDN option 81. | keyword | -| zeek.dhcp.domain | Domain given by the server in option 15. | keyword | -| zeek.dhcp.duration | Duration of the DHCP session representing the time from the first message to the last, in seconds. | double | -| zeek.dhcp.hostname | Name given by client in Hostname option 12. | keyword | -| zeek.dhcp.id.circuit | (present if policy/protocols/dhcp/sub-opts.bro is loaded) Added by DHCP relay agents which terminate switched or permanent circuits. It encodes an agent-local identifier of the circuit from which a DHCP client-to-server packet was received. Typically it should represent a router or switch interface number. | keyword | -| zeek.dhcp.id.remote_agent | (present if policy/protocols/dhcp/sub-opts.bro is loaded) A globally unique identifier added by relay agents to identify the remote host end of the circuit. | keyword | -| zeek.dhcp.id.subscriber | (present if policy/protocols/dhcp/sub-opts.bro is loaded) The subscriber ID is a value independent of the physical network configuration so that a customer's DHCP configuration can be given to them correctly no matter where they are physically connected. | keyword | -| zeek.dhcp.lease_time | IP address lease interval in seconds. | integer | -| zeek.dhcp.msg.client | Message typically accompanied with a DHCP_DECLINE so the client can tell the server why it rejected an address. | keyword | -| zeek.dhcp.msg.origin | (present if policy/protocols/dhcp/msg-orig.bro is loaded) The address that originated each message from the msg.types field. | ip | -| zeek.dhcp.msg.server | Message typically accompanied with a DHCP_NAK to let the client know why it rejected the request. 
| keyword | -| zeek.dhcp.msg.types | List of DHCP message types seen in this exchange. | keyword | -| zeek.dhcp.software.client | (present if policy/protocols/dhcp/software.bro is loaded) Software reported by the client in the vendor_class option. | keyword | -| zeek.dhcp.software.server | (present if policy/protocols/dhcp/software.bro is loaded) Software reported by the client in the vendor_class option. | keyword | -| zeek.session_id | A unique identifier of the session | keyword | - - -### dnp3 - -The `dnp3` dataset collects the Zeek dnp3.log file which contains DNP3 -requests and replies. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. 
| constant_keyword | -| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| destination.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| destination.as.organization.name | Organization name. | keyword | -| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. | match_only_text | -| destination.bytes | Bytes sent from the destination to the source. | long | -| destination.geo.city_name | City name. | keyword | -| destination.geo.continent_name | Name of the continent. | keyword | -| destination.geo.country_iso_code | Country ISO code. | keyword | -| destination.geo.country_name | Country name. | keyword | -| destination.geo.location | Longitude and latitude. | geo_point | -| destination.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | -| destination.geo.region_iso_code | Region ISO code. | keyword | -| destination.geo.region_name | Region name. | keyword | -| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | -| destination.port | Port of the destination. | long | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| error.message | Error message. 
| match_only_text | -| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | -| event.dataset | Event dataset | constant_keyword | -| event.id | Unique ID to describe the event. | keyword | -| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. 
| date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | -| event.module | Event module | constant_keyword | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. 
It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| input.type | Type of Filebeat input. | keyword | -| log.file.path | Full path to the log file this event came from. | keyword | -| log.flags | Flags for the log file. | keyword | -| log.offset | Offset of the entry in the log file. | long | -| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword | -| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword | -| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| source.address | Some event source addresses are defined ambiguously. 
The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| source.as.organization.name | Organization name. | keyword | -| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text | -| source.bytes | Bytes sent from the source to the destination. | long | -| source.geo.city_name | City name. | keyword | -| source.geo.continent_name | Name of the continent. | keyword | -| source.geo.country_iso_code | Country ISO code. | keyword | -| source.geo.country_name | Country name. | keyword | -| source.geo.location | Longitude and latitude. | geo_point | -| source.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | -| source.geo.region_iso_code | Region ISO code. | keyword | -| source.geo.region_name | Region name. | keyword | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| source.port | Port of the source. | long | -| tags | List of keywords used to tag each event. | keyword | -| zeek.dnp3.function.reply | The name of the function message in the reply. | keyword | -| zeek.dnp3.function.request | The name of the function message in the request. | keyword | -| zeek.dnp3.id | The response's internal indication number. | integer | -| zeek.session_id | A unique identifier of the session | keyword | - - -### dns - -The `dns` dataset collects the Zeek dns.log file which contains DNS -activity. 
- -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| destination.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| destination.as.organization.name | Organization name. 
| keyword | -| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. | match_only_text | -| destination.geo.city_name | City name. | keyword | -| destination.geo.continent_name | Name of the continent. | keyword | -| destination.geo.country_iso_code | Country ISO code. | keyword | -| destination.geo.country_name | Country name. | keyword | -| destination.geo.location | Longitude and latitude. | geo_point | -| destination.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | -| destination.geo.region_iso_code | Region ISO code. | keyword | -| destination.geo.region_name | Region name. | keyword | -| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | -| destination.port | Port of the destination. | long | -| dns.answers | An array containing an object for each answer section returned by the server. The main keys that should be present in these objects are defined by ECS. Records that have more information may contain more keys than what ECS defines. Not all DNS data sources give all details about DNS answers. At minimum, answer objects must contain the `data` key. If more information is available, map as much of it to ECS as possible, and add any additional fields to the answer objects as custom fields. | object | -| dns.answers.class | The class of DNS data contained in this resource record. | keyword | -| dns.answers.data | The data describing the resource. The meaning of this data depends on the type and class of the resource record. | keyword | -| dns.answers.name | The domain name to which this resource record pertains. If a chain of CNAME is being resolved, each answer's `name` should be the one that corresponds with the answer's `data`. 
It should not simply be the original `question.name` repeated. | keyword | -| dns.answers.ttl | The time interval in seconds that this resource record may be cached before it should be discarded. Zero values mean that the data should not be cached. | long | -| dns.answers.type | The type of data contained in this resource record. | keyword | -| dns.header_flags | Array of 2 letter DNS header flags. | keyword | -| dns.id | The DNS packet identifier assigned by the program that generated the query. The identifier is copied to the response. | keyword | -| dns.question.class | The class of records being queried. | keyword | -| dns.question.name | The name being queried. If the name field contains non-printable characters (below 32 or above 126), those characters should be represented as escaped base 10 integers (\DDD). Back slashes and quotes should be escaped. Tabs, carriage returns, and line feeds should be converted to \t, \r, and \n respectively. | keyword | -| dns.question.registered_domain | The highest registered domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | -| dns.question.subdomain | The subdomain is all of the labels under the registered_domain. If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword | -| dns.question.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). 
Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | -| dns.question.type | The type of record being queried. | keyword | -| dns.resolved_ip | Array containing all IPs seen in `answers.data`. The `answers` array can be difficult to use, because of the variety of data formats it can contain. Extracting all IP addresses seen in there to `dns.resolved_ip` makes it possible to index them as IP addresses, and makes them easier to visualize and query for. | ip | -| dns.response_code | The DNS response code. | keyword | -| dns.type | The type of DNS event captured, query or answer. If your source of DNS events only gives you DNS queries, you should only create dns events of type `dns.type:query`. If your source of DNS events gives you answers as well, you should create one event per query (optionally as soon as the query is seen). And a second event containing all query details as well as an array of answers. | keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| error.message | Error message. | match_only_text | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. 
This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | -| event.dataset | Event dataset | constant_keyword | -| event.duration | Duration of the event in nanoseconds. If event.start and event.end are known this value should be the difference between the end and start time. | long | -| event.id | Unique ID to describe the event. | keyword | -| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | -| event.module | Event module | constant_keyword | -| event.original | Raw text message of entire event. 
Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | -| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. 
For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| input.type | Type of Filebeat input. | keyword | -| log.file.path | Full path to the log file this event came from. | keyword | -| log.flags | Flags for the log file. | keyword | -| log.offset | Offset of the entry in the log file. | long | -| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. 
Learn more at https://github.com/corelight/community-id-spec. | keyword | -| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword | -| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| source.as.organization.name | Organization name. | keyword | -| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text | -| source.geo.city_name | City name. | keyword | -| source.geo.continent_name | Name of the continent. | keyword | -| source.geo.country_iso_code | Country ISO code. | keyword | -| source.geo.country_name | Country name. | keyword | -| source.geo.location | Longitude and latitude. | geo_point | -| source.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | -| source.geo.region_iso_code | Region ISO code. | keyword | -| source.geo.region_name | Region name. | keyword | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| source.port | Port of the source. 
| long | -| tags | List of keywords used to tag each event. | keyword | -| zeek.dns.AA | The Authoritative Answer bit for response messages specifies that the responding name server is an authority for the domain name in the question section. | boolean | -| zeek.dns.RA | The Recursion Available bit in a response message indicates that the name server supports recursive queries. | boolean | -| zeek.dns.RD | The Recursion Desired bit in a request message indicates that the client wants recursive service for this query. | boolean | -| zeek.dns.TC | The Truncation bit specifies that the message was truncated. | boolean | -| zeek.dns.TTLs | The caching intervals of the associated RRs described by the answers field. | double | -| zeek.dns.answers | The set of resource descriptions in the query answer. | keyword | -| zeek.dns.qclass | The QCLASS value specifying the class of the query. | long | -| zeek.dns.qclass_name | A descriptive name for the class of the query. | keyword | -| zeek.dns.qtype | A QTYPE value specifying the type of the query. | long | -| zeek.dns.qtype_name | A descriptive name for the type of the query. | keyword | -| zeek.dns.query | The domain name that is the subject of the DNS query. | keyword | -| zeek.dns.rcode | The response code value in DNS response messages. | long | -| zeek.dns.rcode_name | A descriptive name for the response code value. | keyword | -| zeek.dns.rejected | Indicates whether the DNS query was rejected by the server. | boolean | -| zeek.dns.rtt | Round trip time for the query and response. | double | -| zeek.dns.saw_query | Whether the full DNS query has been seen. | boolean | -| zeek.dns.saw_reply | Whether the full DNS reply has been seen. | boolean | -| zeek.dns.total_answers | The total number of resource records in the reply. | integer | -| zeek.dns.total_replies | The total number of resource records in the reply message. | integer | -| zeek.dns.trans_id | DNS transaction identifier. 
| keyword | -| zeek.session_id | A unique identifier of the session | keyword | - - -### dpd - -The `dpd` dataset collects the Zeek dpd.log, which contains dynamic -protocol detection failures. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| destination.as.number | Unique number allocated to the autonomous system. 
The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| destination.as.organization.name | Organization name. | keyword | -| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. | match_only_text | -| destination.geo.city_name | City name. | keyword | -| destination.geo.continent_name | Name of the continent. | keyword | -| destination.geo.country_iso_code | Country ISO code. | keyword | -| destination.geo.country_name | Country name. | keyword | -| destination.geo.location | Longitude and latitude. | geo_point | -| destination.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | -| destination.geo.region_iso_code | Region ISO code. | keyword | -| destination.geo.region_name | Region name. | keyword | -| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | -| destination.port | Port of the destination. | long | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| error.message | Error message. | match_only_text | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. 
| keyword | -| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | -| event.dataset | Event dataset | constant_keyword | -| event.id | Unique ID to describe the event. | keyword | -| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | -| event.module | Event module | constant_keyword | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. 
`event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. 
If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| input.type | Type of Filebeat input. | keyword | -| log.file.path | Full path to the log file this event came from. | keyword | -| log.flags | Flags for the log file. | keyword | -| log.offset | Offset of the entry in the log file. | long | -| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword | -| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| source.as.organization.name | Organization name. | keyword | -| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text | -| source.geo.city_name | City name. | keyword | -| source.geo.continent_name | Name of the continent. | keyword | -| source.geo.country_iso_code | Country ISO code. | keyword | -| source.geo.country_name | Country name. | keyword | -| source.geo.location | Longitude and latitude. | geo_point | -| source.geo.name | User-defined description of a location, at the level of granularity they care about. 
Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | -| source.geo.region_iso_code | Region ISO code. | keyword | -| source.geo.region_name | Region name. | keyword | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| source.port | Port of the source. | long | -| tags | List of keywords used to tag each event. | keyword | -| zeek.dpd.analyzer | The analyzer that generated the violation. | keyword | -| zeek.dpd.failure_reason | The textual reason for the analysis failure. | keyword | -| zeek.dpd.packet_segment | (present if policy/frameworks/dpd/packet-segment-logging.bro is loaded) A chunk of the payload that most likely resulted in the protocol violation. | keyword | -| zeek.session_id | A unique identifier of the session | keyword | - - -### files - -The `files` dataset collects the Zeek files.log file, which contains -file analysis results. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| client.ip | IP address of the client (IPv4 or IPv6). | ip | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. 
| keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| error.message | Error message. | match_only_text | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. 
| date | -| event.dataset | Event dataset | constant_keyword | -| event.id | Unique ID to describe the event. | keyword | -| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | -| event.module | Event module | constant_keyword | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | -| file.hash.md5 | MD5 hash. | keyword | -| file.hash.sha1 | SHA1 hash. | keyword | -| file.hash.sha256 | SHA256 hash. | keyword | -| file.mime_type | MIME type should identify the format of the file or stream of bytes using https://www.iana.org/assignments/media-types/media-types.xhtml[IANA official types], where possible. 
When more than one type is applicable, the most specific type should be used. | keyword | -| file.name | Name of the file including the extension, without the directory. | keyword | -| file.size | File size in bytes. Only relevant when `file.type` is "file". | long | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. 
If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| input.type | Type of Filebeat input. | keyword | -| log.file.path | Full path to the log file this event came from. | keyword | -| log.flags | Flags for the log file. | keyword | -| log.offset | Offset of the entry in the log file. | long | -| related.hash | All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| server.ip | IP address of the server (IPv4 or IPv6). | ip | -| tags | List of keywords used to tag each event. | keyword | -| zeek.files.analyzers | A set of analysis types done during the file analysis. | keyword | -| zeek.files.depth | A value to represent the depth of this file in relation to its source. In SMTP, it is the depth of the MIME attachment on the message. In HTTP, it is the depth of the request within the TCP connection. | long | -| zeek.files.duration | The duration the file was analyzed for. Not the duration of the session. | double | -| zeek.files.entropy | The information density of the contents of the file. | double | -| zeek.files.extracted | Local filename of extracted file. | keyword | -| zeek.files.extracted_cutoff | Indicate whether the file being extracted was cut off hence not extracted completely. | boolean | -| zeek.files.extracted_size | The number of bytes extracted to disk. | long | -| zeek.files.filename | Name of the file if available. | keyword | -| zeek.files.fuid | A file unique identifier. | keyword | -| zeek.files.is_orig | If the source of this file is a network connection, this field indicates if the file is being sent by the originator of the connection or the responder. 
| boolean | -| zeek.files.local_orig | If the source of this file is a network connection, this field indicates if the data originated from the local network or not. | boolean | -| zeek.files.md5 | An MD5 digest of the file contents. | keyword | -| zeek.files.mime_type | Mime type of the file. | keyword | -| zeek.files.missing_bytes | The number of bytes in the file stream that were completely missed during the process of analysis. | long | -| zeek.files.overflow_bytes | The number of bytes in the file stream that were not delivered to stream file analyzers. This could be overlapping bytes or bytes that couldn't be reassembled. | long | -| zeek.files.parent_fuid | Identifier associated with a container file from which this one was extracted as part of the file analysis. | keyword | -| zeek.files.rx_host | The host that received the file. | ip | -| zeek.files.seen_bytes | Number of bytes provided to the file analysis engine for the file. | long | -| zeek.files.session_ids | The sessions that have this file. | keyword | -| zeek.files.sha1 | A SHA1 digest of the file contents. | keyword | -| zeek.files.sha256 | A SHA256 digest of the file contents. | keyword | -| zeek.files.source | An identification of the source of the file data. E.g. it may be a network protocol over which it was transferred, or a local file path which was read, or some other input source. | keyword | -| zeek.files.timedout | Whether the file analysis timed out at least once for the file. | boolean | -| zeek.files.total_bytes | Total number of bytes that are supposed to comprise the full file. | long | -| zeek.files.tx_host | The host that transferred the file. | ip | -| zeek.session_id | A unique identifier of the session | keyword | - - -### ftp - -The `ftp` dataset collects the Zeek ftp.log file, which contains FTP -activity. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. 
| date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| destination.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| destination.as.organization.name | Organization name. | keyword | -| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. | match_only_text | -| destination.geo.city_name | City name. 
| keyword | -| destination.geo.continent_name | Name of the continent. | keyword | -| destination.geo.country_iso_code | Country ISO code. | keyword | -| destination.geo.country_name | Country name. | keyword | -| destination.geo.location | Longitude and latitude. | geo_point | -| destination.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | -| destination.geo.region_iso_code | Region ISO code. | keyword | -| destination.geo.region_name | Region name. | keyword | -| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | -| destination.port | Port of the destination. | long | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| error.message | Error message. | match_only_text | -| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. 
| keyword | -| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | -| event.dataset | Event dataset | constant_keyword | -| event.id | Unique ID to describe the event. | keyword | -| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | -| event.module | Event module | constant_keyword | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. 
`event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | -| file.mime_type | MIME type should identify the format of the file or stream of bytes using https://www.iana.org/assignments/media-types/media-types.xhtml[IANA official types], where possible. When more than one type is applicable, the most specific type should be used. | keyword | -| file.size | File size in bytes. Only relevant when `file.type` is "file". | long | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. 
| keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| input.type | Type of Filebeat input. | keyword | -| log.file.path | Full path to the log file this event came from. | keyword | -| log.flags | Flags for the log file. | keyword | -| log.offset | Offset of the entry in the log file. | long | -| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword | -| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword | -| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| related.user | All the user names or other user identifiers seen on the event. | keyword | -| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. 
| long | -| source.as.organization.name | Organization name. | keyword | -| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text | -| source.geo.city_name | City name. | keyword | -| source.geo.continent_name | Name of the continent. | keyword | -| source.geo.country_iso_code | Country ISO code. | keyword | -| source.geo.country_name | Country name. | keyword | -| source.geo.location | Longitude and latitude. | geo_point | -| source.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | -| source.geo.region_iso_code | Region ISO code. | keyword | -| source.geo.region_name | Region name. | keyword | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| source.port | Port of the source. | long | -| tags | List of keywords used to tag each event. | keyword | -| user.name | Short name or login of the user. | keyword | -| user.name.text | Multi-field of `user.name`. | match_only_text | -| zeek.ftp.arg | Argument for the command if one is given. | keyword | -| zeek.ftp.capture_password | Determines if the password will be captured for this request. | boolean | -| zeek.ftp.cmdarg.arg | Argument for the command if one was given. | keyword | -| zeek.ftp.cmdarg.cmd | Command. | keyword | -| zeek.ftp.cmdarg.seq | Counter to track how many commands have been executed. | integer | -| zeek.ftp.command | Command given by the client. | keyword | -| zeek.ftp.cwd | Current working directory that this session is in. By making the default value '.', we can indicate that unless something more concrete is discovered that the existing but unknown directory is ok to use. | keyword | -| zeek.ftp.data_channel.originating_host | The host that will be initiating the data connection. 
| ip | -| zeek.ftp.data_channel.passive | Whether PASV mode is toggled for control channel. | boolean | -| zeek.ftp.data_channel.response_host | The host that will be accepting the data connection. | ip | -| zeek.ftp.data_channel.response_port | The port at which the acceptor is listening for the data connection. | integer | -| zeek.ftp.file.fuid | (present if base/protocols/ftp/files.bro is loaded) File unique ID. | keyword | -| zeek.ftp.file.mime_type | Sniffed mime type of file. | keyword | -| zeek.ftp.file.size | Size of the file if the command indicates a file transfer. | long | -| zeek.ftp.last_auth_requested | present if base/protocols/ftp/gridftp.bro is loaded. Last authentication/security mechanism that was used. | keyword | -| zeek.ftp.passive | Indicates if the session is in active or passive mode. | boolean | -| zeek.ftp.password | Password for the current FTP session if captured. | keyword | -| zeek.ftp.pending_commands | Queue for commands that have been sent but not yet responded to are tracked here. | integer | -| zeek.ftp.reply.code | Reply code from the server in response to the command. | integer | -| zeek.ftp.reply.msg | Reply message from the server in response to the command. | keyword | -| zeek.ftp.user | User name for the current FTP session. | keyword | -| zeek.session_id | A unique identifier of the session | keyword | - - -### http - -The `http` dataset collects the Zeek http.log file, which contains -HTTP requests and replies. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. 
| keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| destination.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| destination.as.organization.name | Organization name. | keyword | -| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. | match_only_text | -| destination.geo.city_name | City name. | keyword | -| destination.geo.continent_name | Name of the continent. | keyword | -| destination.geo.country_iso_code | Country ISO code. | keyword | -| destination.geo.country_name | Country name. | keyword | -| destination.geo.location | Longitude and latitude. | geo_point | -| destination.geo.name | User-defined description of a location, at the level of granularity they care about. 
Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | -| destination.geo.region_iso_code | Region ISO code. | keyword | -| destination.geo.region_name | Region name. | keyword | -| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | -| destination.port | Port of the destination. | long | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| error.message | Error message. | match_only_text | -| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. 
This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date |
-| event.dataset | Event dataset | constant_keyword |
-| event.id | Unique ID to describe the event. | keyword |
-| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date |
-| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword |
-| event.module | Event module | constant_keyword |
-| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective.
Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword |
-| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any.
| keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| http.request.body.bytes | Size in bytes of the request body. | long |
-| http.request.method | HTTP request method. The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field. | keyword |
-| http.request.referrer | Referrer for this HTTP request. | keyword |
-| http.response.body.bytes | Size in bytes of the response body. | long |
-| http.response.status_code | HTTP response status code. | long |
-| http.version | HTTP version. | keyword |
-| input.type | Type of Filebeat input. | keyword |
-| log.file.path | Full path to the log file this event came from. | keyword |
-| log.flags | Flags for the log file. | keyword |
-| log.offset | Offset of the entry in the log file. | long |
-| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword |
-| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword |
-| related.ip | All of the IPs seen on your event.
| ip |
-| related.user | All the user names or other user identifiers seen on the event. | keyword |
-| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
-| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long |
-| source.as.organization.name | Organization name. | keyword |
-| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text |
-| source.geo.city_name | City name. | keyword |
-| source.geo.continent_name | Name of the continent. | keyword |
-| source.geo.country_iso_code | Country ISO code. | keyword |
-| source.geo.country_name | Country name. | keyword |
-| source.geo.location | Longitude and latitude. | geo_point |
-| source.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword |
-| source.geo.region_iso_code | Region ISO code. | keyword |
-| source.geo.region_name | Region name. | keyword |
-| source.ip | IP address of the source (IPv4 or IPv6). | ip |
-| source.port | Port of the source. | long |
-| tags | List of keywords used to tag each event. | keyword |
-| url.domain | Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field.
| keyword |
-| url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | wildcard |
-| url.original.text | Multi-field of `url.original`. | match_only_text |
-| url.password | Password of the request. | keyword |
-| url.path | Path of the request, such as "/search". | wildcard |
-| url.port | Port of the request, such as 443. | long |
-| url.username | Username of the request. | keyword |
-| user.name | Short name or login of the user. | keyword |
-| user.name.text | Multi-field of `user.name`. | match_only_text |
-| user_agent.device.name | Name of the device. | keyword |
-| user_agent.name | Name of the user agent. | keyword |
-| user_agent.original | Unparsed user_agent string. | keyword |
-| user_agent.original.text | Multi-field of `user_agent.original`. | match_only_text |
-| user_agent.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| user_agent.os.full | Operating system name, including the version or code name. | keyword |
-| user_agent.os.full.text | Multi-field of `user_agent.os.full`. | match_only_text |
-| user_agent.os.kernel | Operating system kernel version as a raw string. | keyword |
-| user_agent.os.name | Operating system name, without the version. | keyword |
-| user_agent.os.name.text | Multi-field of `user_agent.os.name`. | match_only_text |
-| user_agent.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| user_agent.os.version | Operating system version as a raw string. | keyword |
-| user_agent.version | Version of the user agent. | keyword |
-| zeek.http.captured_password | Determines if the password will be captured for this request. | boolean |
-| zeek.http.client_header_names | The vector of HTTP header names sent by the client.
No header values are included here, just the header names. | keyword |
-| zeek.http.info_code | Last seen 1xx informational reply code returned by the server. | integer |
-| zeek.http.info_msg | Last seen 1xx informational reply message returned by the server. | keyword |
-| zeek.http.orig_filenames | An ordered vector of filenames from the originator. | keyword |
-| zeek.http.orig_fuids | An ordered vector of file unique IDs from the originator. | keyword |
-| zeek.http.orig_mime_depth | Current number of MIME entities in the HTTP request message body. | integer |
-| zeek.http.orig_mime_types | An ordered vector of mime types from the originator. | keyword |
-| zeek.http.password | Password if basic-auth is performed for the request. | keyword |
-| zeek.http.proxied | All of the headers that may indicate if the HTTP request was proxied. | keyword |
-| zeek.http.range_request | Indicates if this request can assume 206 partial content in response. | boolean |
-| zeek.http.resp_filenames | An ordered vector of filenames from the responder. | keyword |
-| zeek.http.resp_fuids | An ordered vector of file unique IDs from the responder. | keyword |
-| zeek.http.resp_mime_depth | Current number of MIME entities in the HTTP response message body. | integer |
-| zeek.http.resp_mime_types | An ordered vector of mime types from the responder. | keyword |
-| zeek.http.server_header_names | The vector of HTTP header names sent by the server. No header values are included here, just the header names. | keyword |
-| zeek.http.status_msg | Status message returned by the server. | keyword |
-| zeek.http.tags | A set of indicators of various attributes discovered and related to a particular request/response pair. | keyword |
-| zeek.http.trans_depth | Represents the pipelined depth into the connection of this request/response transaction.
| integer |
-| zeek.session_id | A unique identifier of the session | keyword |
-
-
-### intel
-
-The `intel` dataset collects the Zeek intel.log file, which contains
-intelligence data matches.
-
-**Exported fields**
-
-| Field | Description | Type |
-|---|---|---|
-| @timestamp | Event timestamp. | date |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
-| data_stream.dataset | Data stream dataset. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
-| destination.as.number | Unique number allocated to the autonomous system.
The autonomous system number (ASN) uniquely identifies each network on the Internet. | long |
-| destination.as.organization.name | Organization name. | keyword |
-| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. | match_only_text |
-| destination.geo.city_name | City name. | keyword |
-| destination.geo.continent_name | Name of the continent. | keyword |
-| destination.geo.country_iso_code | Country ISO code. | keyword |
-| destination.geo.country_name | Country name. | keyword |
-| destination.geo.location | Longitude and latitude. | geo_point |
-| destination.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword |
-| destination.geo.region_iso_code | Region ISO code. | keyword |
-| destination.geo.region_name | Region name. | keyword |
-| destination.ip | IP address of the destination (IPv4 or IPv6). | ip |
-| destination.port | Port of the destination. | long |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| error.message | Error message. | match_only_text |
-| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it.
This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date |
-| event.dataset | Event dataset | constant_keyword |
-| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date |
-| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword |
-| event.module | Event module | constant_keyword |
-| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword |
-| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy.
`event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`.
If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| input.type | Type of Filebeat input. | keyword |
-| log.file.path | Full path to the log file this event came from. | keyword |
-| log.flags | Flags for the log file. | keyword |
-| log.offset | Offset of the entry in the log file. | long |
-| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword |
-| related.ip | All of the IPs seen on your event. | ip |
-| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
-| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long |
-| source.as.organization.name | Organization name. | keyword |
-| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text |
-| source.geo.city_name | City name. | keyword |
-| source.geo.continent_name | Name of the continent. | keyword |
-| source.geo.country_iso_code | Country ISO code. | keyword |
-| source.geo.country_name | Country name. | keyword |
-| source.geo.location | Longitude and latitude. | geo_point |
-| source.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword |
-| source.geo.region_iso_code | Region ISO code. | keyword |
-| source.geo.region_name | Region name.
| keyword |
-| source.ip | IP address of the source (IPv4 or IPv6). | ip |
-| source.port | Port of the source. | long |
-| tags | List of keywords used to tag each event. | keyword |
-| threat.enrichments | A list of associated indicators objects enriching the event, and the context of that association/enrichment. | nested |
-| threat.indicator.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long |
-| threat.indicator.as.organization.name | Organization name. | keyword |
-| threat.indicator.as.organization.name.text | Multi-field of `threat.indicator.as.organization.name`. | match_only_text |
-| threat.indicator.email.address | Identifies a threat indicator as an email address (irrespective of direction). | keyword |
-| threat.indicator.file.name | Name of the file including the extension, without the directory. | keyword |
-| threat.indicator.geo.city_name | City name. | keyword |
-| threat.indicator.geo.continent_name | Name of the continent. | keyword |
-| threat.indicator.geo.country_iso_code | Country ISO code. | keyword |
-| threat.indicator.geo.country_name | Country name. | keyword |
-| threat.indicator.geo.location | Longitude and latitude. | geo_point |
-| threat.indicator.geo.region_iso_code | Region ISO code. | keyword |
-| threat.indicator.geo.region_name | Region name. | keyword |
-| threat.indicator.geo.timezone | The time zone of the location, such as IANA time zone name. | keyword |
-| threat.indicator.ip | Identifies a threat indicator as an IP address (irrespective of direction). | ip |
-| threat.indicator.type | Type of indicator as represented by Cyber Observable in STIX 2.0. | keyword |
-| threat.indicator.url.domain | Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field.
If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. | keyword |
-| threat.indicator.url.extension | The field contains the file extension from the original request url, excluding the leading dot. The file extension is only set if it exists, as not every url has a file extension. The leading period must not be included. For example, the value must be "png", not ".png". Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword |
-| threat.indicator.url.fragment | Portion of the url after the `#`, such as "top". The `#` is not part of the fragment. | keyword |
-| threat.indicator.url.full | If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. | wildcard |
-| threat.indicator.url.full.text | Multi-field of `threat.indicator.url.full`. | match_only_text |
-| threat.indicator.url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | wildcard |
-| threat.indicator.url.original.text | Multi-field of `threat.indicator.url.original`. | match_only_text |
-| threat.indicator.url.password | Password of the request. | keyword |
-| threat.indicator.url.path | Path of the request, such as "/search". | wildcard |
-| threat.indicator.url.port | Port of the request, such as 443. | long |
-| threat.indicator.url.query | The query field describes the query string of the request, such as "q=elasticsearch". The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string.
The `exists` query can be used to differentiate between the two cases. | keyword |
-| threat.indicator.url.registered_domain | The highest registered url domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword |
-| threat.indicator.url.scheme | Scheme of the request, such as "https". Note: The `:` is not part of the scheme. | keyword |
-| threat.indicator.url.subdomain | The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword |
-| threat.indicator.url.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword |
-| threat.indicator.url.username | Username of the request. | keyword |
-| zeek.intel.file_desc | Frequently files can be described to give a bit more context. If the $f field is provided this field will be automatically filled out. | keyword |
-| zeek.intel.file_mime_type | A mime type if the intelligence hit is related to a file.
If the $f field is provided this will be automatically filled out. | keyword |
-| zeek.intel.fuid | If a file was associated with this intelligence hit, this is the uid for the file. | keyword |
-| zeek.intel.matched | Event to represent a match in the intelligence data from data that was seen. | keyword |
-| zeek.intel.seen.conn | If the data was discovered within a connection, the connection record should go here to give context to the data. | keyword |
-| zeek.intel.seen.f | If the data was discovered within a file, the file record should go here to provide context to the data. | object |
-| zeek.intel.seen.fuid | If the data was discovered within a file, the file uid should go here to provide context to the data. If the file record f is provided, this will be automatically filled out. | keyword |
-| zeek.intel.seen.host | If the indicator type was Intel::ADDR, then this field will be present. | keyword |
-| zeek.intel.seen.indicator | The intelligence indicator. | keyword |
-| zeek.intel.seen.indicator_type | The type of data the indicator represents. | keyword |
-| zeek.intel.seen.node | The name of the node where the match was discovered. | keyword |
-| zeek.intel.seen.uid | If the data was discovered within a connection, the connection uid should go here to give context to the data. If the conn field is provided, this will be automatically filled out. | keyword |
-| zeek.intel.seen.where | Where the data was discovered. | keyword |
-| zeek.intel.sources | Sources which supplied data for this match. | keyword |
-| zeek.session_id | A unique identifier of the session | keyword |
-
-
-### irc
-
-The `irc` dataset collects the Zeek irc.log file, which contains IRC
-commands and responses.
-
-**Exported fields**
-
-| Field | Description | Type |
-|---|---|---|
-| @timestamp | Event timestamp. | date |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment.
Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
-| data_stream.dataset | Data stream dataset. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
-| destination.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long |
-| destination.as.organization.name | Organization name. | keyword |
-| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. | match_only_text |
-| destination.geo.city_name | City name. | keyword |
-| destination.geo.continent_name | Name of the continent. | keyword |
-| destination.geo.country_iso_code | Country ISO code.
| keyword |
-| destination.geo.country_name | Country name. | keyword |
-| destination.geo.location | Longitude and latitude. | geo_point |
-| destination.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword |
-| destination.geo.region_iso_code | Region ISO code. | keyword |
-| destination.geo.region_name | Region name. | keyword |
-| destination.ip | IP address of the destination (IPv4 or IPv6). | ip |
-| destination.port | Port of the destination. | long |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| error.message | Error message. | match_only_text |
-| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword |
-| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword |
-| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline.
This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | -| event.dataset | Event dataset | constant_keyword | -| event.id | Unique ID to describe the event. | keyword | -| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | -| event.module | Event module | constant_keyword | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. 
`event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | -| file.mime_type | MIME type should identify the format of the file or stream of bytes using https://www.iana.org/assignments/media-types/media-types.xhtml[IANA official types], where possible. When more than one type is applicable, the most specific type should be used. | keyword | -| file.name | Name of the file including the extension, without the directory. | keyword | -| file.size | File size in bytes. Only relevant when `file.type` is "file". | long | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). 
| keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| input.type | Type of Filebeat input. | keyword | -| log.file.path | Full path to the log file this event came from. | keyword | -| log.flags | Flags for the log file. | keyword | -| log.offset | Offset of the entry in the log file. | long | -| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword | -| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword | -| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| related.user | All the user names or other user identifiers seen on the event. | keyword | -| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. 
| keyword | -| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| source.as.organization.name | Organization name. | keyword | -| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text | -| source.geo.city_name | City name. | keyword | -| source.geo.continent_name | Name of the continent. | keyword | -| source.geo.country_iso_code | Country ISO code. | keyword | -| source.geo.country_name | Country name. | keyword | -| source.geo.location | Longitude and latitude. | geo_point | -| source.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | -| source.geo.region_iso_code | Region ISO code. | keyword | -| source.geo.region_name | Region name. | keyword | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| source.port | Port of the source. | long | -| tags | List of keywords used to tag each event. | keyword | -| user.name | Short name or login of the user. | keyword | -| user.name.text | Multi-field of `user.name`. | match_only_text | -| zeek.irc.addl | Any additional data for the command. | keyword | -| zeek.irc.command | Command given by the client. | keyword | -| zeek.irc.dcc.file.name | Present if base/protocols/irc/dcc-send.bro is loaded. DCC filename requested. | keyword | -| zeek.irc.dcc.file.size | Present if base/protocols/irc/dcc-send.bro is loaded. Size of the DCC transfer as indicated by the sender. | long | -| zeek.irc.dcc.mime_type | present if base/protocols/irc/dcc-send.bro is loaded. Sniffed mime type of the file. | keyword | -| zeek.irc.fuid | present if base/protocols/irc/files.bro is loaded. File unique ID. 
| keyword | -| zeek.irc.nick | Nickname given for the connection. | keyword | -| zeek.irc.user | Username given for the connection. | keyword | -| zeek.irc.value | Value for the command given by the client. | keyword | -| zeek.session_id | A unique identifier of the session | keyword | - - -### kerberos - -The `kerberos` dataset collects the Zeek kerberos.log file, which -contains kerberos data. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| client.address | Some event client addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. 
| constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| destination.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| destination.as.organization.name | Organization name. | keyword | -| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. | match_only_text | -| destination.geo.city_name | City name. | keyword | -| destination.geo.continent_name | Name of the continent. | keyword | -| destination.geo.country_iso_code | Country ISO code. | keyword | -| destination.geo.country_name | Country name. | keyword | -| destination.geo.location | Longitude and latitude. | geo_point | -| destination.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | -| destination.geo.region_iso_code | Region ISO code. | keyword | -| destination.geo.region_name | Region name. | keyword | -| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | -| destination.port | Port of the destination. | long | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| error.message | Error message. 
| match_only_text | -| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | -| event.dataset | Event dataset | constant_keyword | -| event.id | Unique ID to describe the event. | keyword | -| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. 
| date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | -| event.module | Event module | constant_keyword | -| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. 
This will allow proper categorization of some events that fall in multiple event types. | keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| input.type | Type of Filebeat input. | keyword | -| log.file.path | Full path to the log file this event came from. 
| keyword | -| log.flags | Flags for the log file. | keyword | -| log.offset | Offset of the entry in the log file. | long | -| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword | -| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword | -| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| related.user | All the user names or other user identifiers seen on the event. | keyword | -| server.address | Some event server addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| source.as.organization.name | Organization name. | keyword | -| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text | -| source.geo.city_name | City name. | keyword | -| source.geo.continent_name | Name of the continent. 
| keyword | -| source.geo.country_iso_code | Country ISO code. | keyword | -| source.geo.country_name | Country name. | keyword | -| source.geo.location | Longitude and latitude. | geo_point | -| source.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | -| source.geo.region_iso_code | Region ISO code. | keyword | -| source.geo.region_name | Region name. | keyword | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| source.port | Port of the source. | long | -| tags | List of keywords used to tag each event. | keyword | -| tls.client.x509.subject.common_name | List of common names (CN) of subject. | keyword | -| tls.client.x509.subject.country | List of country \(C) code | keyword | -| tls.client.x509.subject.locality | List of locality names (L) | keyword | -| tls.client.x509.subject.organization | List of organizations (O) of subject. | keyword | -| tls.client.x509.subject.organizational_unit | List of organizational units (OU) of subject. | keyword | -| tls.client.x509.subject.state_or_province | List of state or province names (ST, S, or P) | keyword | -| tls.server.x509.subject.common_name | List of common names (CN) of subject. | keyword | -| tls.server.x509.subject.country | List of country \(C) code | keyword | -| tls.server.x509.subject.locality | List of locality names (L) | keyword | -| tls.server.x509.subject.organization | List of organizations (O) of subject. | keyword | -| tls.server.x509.subject.organizational_unit | List of organizational units (OU) of subject. | keyword | -| tls.server.x509.subject.state_or_province | List of state or province names (ST, S, or P) | keyword | -| user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. 
| keyword | -| user.name | Short name or login of the user. | keyword | -| user.name.text | Multi-field of `user.name`. | match_only_text | -| zeek.kerberos.cert.client.fuid | File unique ID of client cert. | keyword | -| zeek.kerberos.cert.client.subject | Subject of client certificate. | keyword | -| zeek.kerberos.cert.client.value | Client certificate. | keyword | -| zeek.kerberos.cert.server.fuid | File unique ID of server certificate. | keyword | -| zeek.kerberos.cert.server.subject | Subject of server certificate. | keyword | -| zeek.kerberos.cert.server.value | Server certificate. | keyword | -| zeek.kerberos.cipher | Ticket encryption type. | keyword | -| zeek.kerberos.client | Client name. | keyword | -| zeek.kerberos.error.code | Error code. | integer | -| zeek.kerberos.error.msg | Error message. | keyword | -| zeek.kerberos.forwardable | Forwardable ticket requested. | boolean | -| zeek.kerberos.renewable | Renewable ticket requested. | boolean | -| zeek.kerberos.request_type | Request type - Authentication Service (AS) or Ticket Granting Service (TGS). | keyword | -| zeek.kerberos.service | Service name. | keyword | -| zeek.kerberos.success | Request result. | boolean | -| zeek.kerberos.ticket.auth | Hash of ticket used to authorize request/transaction. | keyword | -| zeek.kerberos.ticket.new | Hash of ticket returned by the KDC. | keyword | -| zeek.kerberos.valid.days | Number of days the ticket is valid for. | integer | -| zeek.kerberos.valid.from | Ticket valid from. | date | -| zeek.kerberos.valid.until | Ticket valid until. | date | -| zeek.session_id | A unique identifier of the session | keyword | - - -### known_certs - -The `known_certs` dataset captures information about SSL/TLS certificates seen on the local network. See the [documentation](https://docs.zeek.org/en/master/logs/known-and-software.html#known-certs-log) for more details. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. 
| date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. 
This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | -| event.dataset | Event dataset | constant_keyword | -| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | -| event.module | Event module | constant_keyword | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. 
`event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.geo.city_name | City name. | keyword | -| host.geo.continent_name | Name of the continent. | keyword | -| host.geo.country_iso_code | Country ISO code. | keyword | -| host.geo.country_name | Country name. | keyword | -| host.geo.location | Longitude and latitude. | geo_point | -| host.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | -| host.geo.region_iso_code | Region ISO code. | keyword | -| host.geo.region_name | Region name. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. 
| keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| input.type | Type of Filebeat input. | keyword | -| log.file.path | Full path to the log file this event came from. | keyword | -| log.flags | Flags for the log file. | keyword | -| log.offset | Offset of the entry in the log file. | long | -| network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| server.geo.city_name | City name. | keyword | -| server.geo.continent_name | Name of the continent. | keyword | -| server.geo.country_iso_code | Country ISO code. | keyword | -| server.geo.country_name | Country name. | keyword | -| server.geo.location | Longitude and latitude. | geo_point | -| server.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | -| server.geo.region_iso_code | Region ISO code. | keyword | -| server.geo.region_name | Region name. | keyword | -| server.ip | IP address of the server (IPv4 or IPv6). 
| ip | -| server.port | Port of the server. | long | -| tags | List of keywords used to tag each event. | keyword | -| tls.server.issuer | Subject of the issuer of the x.509 certificate presented by the server. | keyword | -| tls.server.subject | Subject of the x.509 certificate presented by the server. | keyword | -| tls.server.x509.issuer.common_name | List of common name (CN) of issuing certificate authority. | keyword | -| tls.server.x509.issuer.distinguished_name | Distinguished name (DN) of issuing certificate authority. | keyword | -| tls.server.x509.serial_number | Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters. | keyword | -| tls.server.x509.subject.common_name | List of common names (CN) of subject. | keyword | -| tls.server.x509.subject.distinguished_name | Distinguished name (DN) of the certificate subject entity. | keyword | - - -### known_hosts - -The `known_hosts` dataset simply records a timestamp and an IP address when Zeek observes a new system on the local network.. See the [documentation](https://docs.zeek.org/en/master/logs/known-and-software.html#known-hosts-log) for more details. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. 
| keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
-| data_stream.dataset | Data stream dataset. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword |
-| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. 
In case the two timestamps are identical, @timestamp should be used. | date |
-| event.dataset | Event dataset | constant_keyword |
-| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date |
-| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword |
-| event.module | Event module | constant_keyword |
-| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. 
For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.geo.city_name | City name. | keyword |
-| host.geo.continent_name | Name of the continent. | keyword |
-| host.geo.country_iso_code | Country ISO code. | keyword |
-| host.geo.country_name | Country name. | keyword |
-| host.geo.location | Longitude and latitude. | geo_point |
-| host.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword |
-| host.geo.region_iso_code | Region ISO code. | keyword |
-| host.geo.region_name | Region name. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. 
For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| input.type | Type of Filebeat input. | keyword | -| log.file.path | Full path to the log file this event came from. | keyword | -| log.flags | Flags for the log file. | keyword | -| log.offset | Offset of the entry in the log file. | long | -| network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| tags | List of keywords used to tag each event. | keyword | - - -### known_services - -The `known_services` dataset records a timestamp, IP, port number, protocol, and service (if available) when Zeek observes a system offering a new service on the local network. See the [documentation](https://docs.zeek.org/en/master/logs/known-and-software.html#known-services-log) for more details. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. 
| keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
-| data_stream.dataset | Data stream dataset. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword |
-| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date |
-| event.dataset | Event dataset | constant_keyword |
-| event.ingested | Timestamp when an event arrived in the central data store. 
This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date |
-| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword |
-| event.module | Event module | constant_keyword |
-| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.geo.city_name | City name. | keyword |
-| host.geo.continent_name | Name of the continent. | keyword |
-| host.geo.country_iso_code | Country ISO code. 
| keyword |
-| host.geo.country_name | Country name. | keyword |
-| host.geo.location | Longitude and latitude. | geo_point |
-| host.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword |
-| host.geo.region_iso_code | Region ISO code. | keyword |
-| host.geo.region_name | Region name. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| input.type | Type of Filebeat input. 
| keyword |
-| log.file.path | Full path to the log file this event came from. | keyword |
-| log.flags | Flags for the log file. | keyword |
-| log.offset | Offset of the entry in the log file. | long |
-| network.application | When a specific application or service is identified from network connection details (source/dest IPs, ports, certificates, or wire format), this field captures the application's or service's name. For example, the original event identifies the network connection being from a specific web service in a `https` network connection, like `facebook` or `twitter`. The field value must be normalized to lowercase for querying. | keyword |
-| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword |
-| network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword |
-| related.ip | All of the IPs seen on your event. | ip |
-| server.geo.city_name | City name. | keyword |
-| server.geo.continent_name | Name of the continent. | keyword |
-| server.geo.country_iso_code | Country ISO code. | keyword |
-| server.geo.country_name | Country name. | keyword |
-| server.geo.location | Longitude and latitude. | geo_point |
-| server.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword |
-| server.geo.region_iso_code | Region ISO code. | keyword |
-| server.geo.region_name | Region name. | keyword |
-| server.ip | IP address of the server (IPv4 or IPv6). | ip |
-| server.port | Port of the server. | long |
-| tags | List of keywords used to tag each event. 
| keyword | - - -### modbus - -The `modbus` dataset collects the Zeek modbus.log file, which contains -modbus commands and responses. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| destination.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. 
| long |
-| destination.as.organization.name | Organization name. | keyword |
-| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. | match_only_text |
-| destination.geo.city_name | City name. | keyword |
-| destination.geo.continent_name | Name of the continent. | keyword |
-| destination.geo.country_iso_code | Country ISO code. | keyword |
-| destination.geo.country_name | Country name. | keyword |
-| destination.geo.location | Longitude and latitude. | geo_point |
-| destination.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword |
-| destination.geo.region_iso_code | Region ISO code. | keyword |
-| destination.geo.region_name | Region name. | keyword |
-| destination.ip | IP address of the destination (IPv4 or IPv6). | ip |
-| destination.port | Port of the destination. | long |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| error.message | Error message. | match_only_text |
-| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword |
-| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. 
This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword |
-| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date |
-| event.dataset | Event dataset | constant_keyword |
-| event.id | Unique ID to describe the event. | keyword |
-| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date |
-| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. 
| keyword |
-| event.module | Event module | constant_keyword |
-| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword |
-| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. 
As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| input.type | Type of Filebeat input. | keyword |
-| log.file.path | Full path to the log file this event came from. | keyword |
-| log.flags | Flags for the log file. | keyword |
-| log.offset | Offset of the entry in the log file. | long |
-| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword |
-| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. 
| keyword |
-| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword |
-| related.ip | All of the IPs seen on your event. | ip |
-| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
-| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long |
-| source.as.organization.name | Organization name. | keyword |
-| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text |
-| source.geo.city_name | City name. | keyword |
-| source.geo.continent_name | Name of the continent. | keyword |
-| source.geo.country_iso_code | Country ISO code. | keyword |
-| source.geo.country_name | Country name. | keyword |
-| source.geo.location | Longitude and latitude. | geo_point |
-| source.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword |
-| source.geo.region_iso_code | Region ISO code. | keyword |
-| source.geo.region_name | Region name. | keyword |
-| source.ip | IP address of the source (IPv4 or IPv6). | ip |
-| source.port | Port of the source. | long |
-| tags | List of keywords used to tag each event. | keyword |
-| zeek.modbus.exception | The exception if the response was a failure. | keyword |
-| zeek.modbus.function | The name of the function message that was sent. 
| keyword | -| zeek.modbus.track_address | Present if policy/protocols/modbus/track-memmap.bro is loaded. Modbus track address. | integer | -| zeek.session_id | A unique identifier of the session | keyword | - - -### mysql - -The `mysql` dataset collects the Zeek mysql.log file, which contains -MySQL data. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. 
| keyword |
-| destination.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long |
-| destination.as.organization.name | Organization name. | keyword |
-| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. | match_only_text |
-| destination.geo.city_name | City name. | keyword |
-| destination.geo.continent_name | Name of the continent. | keyword |
-| destination.geo.country_iso_code | Country ISO code. | keyword |
-| destination.geo.country_name | Country name. | keyword |
-| destination.geo.location | Longitude and latitude. | geo_point |
-| destination.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword |
-| destination.geo.region_iso_code | Region ISO code. | keyword |
-| destination.geo.region_name | Region name. | keyword |
-| destination.ip | IP address of the destination (IPv4 or IPv6). | ip |
-| destination.port | Port of the destination. | long |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| error.message | Error message. | match_only_text |
-| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword |
-| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. 
`event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword |
-| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date |
-| event.dataset | Event dataset | constant_keyword |
-| event.id | Unique ID to describe the event. | keyword |
-| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date |
-| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. 
They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | -| event.module | Event module | constant_keyword | -| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. 
It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| input.type | Type of Filebeat input. | keyword | -| log.file.path | Full path to the log file this event came from. | keyword | -| log.flags | Flags for the log file. | keyword | -| log.offset | Offset of the entry in the log file. | long | -| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword | -| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. 
The field value must be normalized to lowercase for querying. | keyword | -| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| source.as.organization.name | Organization name. | keyword | -| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text | -| source.geo.city_name | City name. | keyword | -| source.geo.continent_name | Name of the continent. | keyword | -| source.geo.country_iso_code | Country ISO code. | keyword | -| source.geo.country_name | Country name. | keyword | -| source.geo.location | Longitude and latitude. | geo_point | -| source.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | -| source.geo.region_iso_code | Region ISO code. | keyword | -| source.geo.region_name | Region name. | keyword | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| source.port | Port of the source. | long | -| tags | List of keywords used to tag each event. | keyword | -| zeek.mysql.arg | The argument issued to the command. | keyword | -| zeek.mysql.cmd | The command that was issued. 
| keyword | -| zeek.mysql.response | Server message, if any. | keyword | -| zeek.mysql.rows | The number of affected rows, if any. | integer | -| zeek.mysql.success | Whether the command succeeded. | boolean | -| zeek.session_id | A unique identifier of the session | keyword | - - -### notice - -The `notice` dataset collects the Zeek notice.log file, which contains -Zeek notices. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. 
Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| destination.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| destination.as.organization.name | Organization name. | keyword | -| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. | match_only_text | -| destination.geo.city_name | City name. | keyword | -| destination.geo.continent_name | Name of the continent. | keyword | -| destination.geo.country_iso_code | Country ISO code. | keyword | -| destination.geo.country_name | Country name. | keyword | -| destination.geo.location | Longitude and latitude. | geo_point | -| destination.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | -| destination.geo.region_iso_code | Region ISO code. | keyword | -| destination.geo.region_name | Region name. | keyword | -| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | -| destination.port | Port of the destination. | long | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| error.message | Error message. | match_only_text | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. 
This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | -| event.dataset | Event dataset | constant_keyword | -| event.id | Unique ID to describe the event. | keyword | -| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. 
| keyword | -| event.module | Event module | constant_keyword | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | -| file.mime_type | MIME type should identify the format of the file or stream of bytes using https://www.iana.org/assignments/media-types/media-types.xhtml[IANA official types], where possible. When more than one type is applicable, the most specific type should be used. | keyword | -| file.size | File size in bytes. Only relevant when `file.type` is "file". | long | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. 
| keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| input.type | Type of Filebeat input. | keyword | -| log.file.path | Full path to the log file this event came from. | keyword | -| log.flags | Flags for the log file. | keyword | -| log.offset | Offset of the entry in the log file. | long | -| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword | -| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| rule.description | The description of the rule generating the event. | keyword | -| rule.name | The name of the rule or signature generating the event. | keyword | -| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| source.as.number | Unique number allocated to the autonomous system. 
The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| source.as.organization.name | Organization name. | keyword | -| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text | -| source.geo.city_name | City name. | keyword | -| source.geo.continent_name | Name of the continent. | keyword | -| source.geo.country_iso_code | Country ISO code. | keyword | -| source.geo.country_name | Country name. | keyword | -| source.geo.location | Longitude and latitude. | geo_point | -| source.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | -| source.geo.region_iso_code | Region ISO code. | keyword | -| source.geo.region_name | Region name. | keyword | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| source.port | Port of the source. | long | -| tags | List of keywords used to tag each event. | keyword | -| zeek.notice.actions | The actions which have been applied to this notice. | keyword | -| zeek.notice.connection_id | Identifier of the related connection session. | keyword | -| zeek.notice.dropped | Indicate if the source IP address was dropped and denied network access. | boolean | -| zeek.notice.email_body_sections | By adding chunks of text into this element, other scripts can expand on notices that are being emailed. | text | -| zeek.notice.email_delay_tokens | Adding a string token to this set will cause the built-in emailing functionality to delay sending the email either the token has been removed or the email has been delayed for the specified time duration. | keyword | -| zeek.notice.ffile.total_bytes | Total number of bytes that are supposed to comprise the full file. 
| long | -| zeek.notice.file.id | An identifier associated with a single file that is related to this notice. | keyword | -| zeek.notice.file.is_orig | If the source of this file is a network connection, this field indicates if the file is being sent by the originator of the connection or the responder. | boolean | -| zeek.notice.file.mime_type | A mime type if the notice is related to a file. | keyword | -| zeek.notice.file.missing_bytes | The number of bytes in the file stream that were completely missed during the process of analysis. | long | -| zeek.notice.file.overflow_bytes | The number of bytes in the file stream that were not delivered to stream file analyzers. This could be overlapping bytes or bytes that couldn't be reassembled. | long | -| zeek.notice.file.parent_id | Identifier associated with a container file from which this one was extracted. | keyword | -| zeek.notice.file.seen_bytes | Number of bytes provided to the file analysis engine for the file. | long | -| zeek.notice.file.source | An identification of the source of the file data. E.g. it may be a network protocol over which it was transferred, or a local file path which was read, or some other input source. | keyword | -| zeek.notice.fuid | A file unique ID if this notice is related to a file. | keyword | -| zeek.notice.icmp_id | Identifier of the related ICMP session. | keyword | -| zeek.notice.identifier | This field is provided when a notice is generated for the purpose of deduplicating notices. | keyword | -| zeek.notice.msg | The human readable message for the notice. | keyword | -| zeek.notice.n | Associated count, or a status code. | long | -| zeek.notice.note | The type of the notice. | keyword | -| zeek.notice.peer_descr | Textual description for the peer that raised this notice. | text | -| zeek.notice.peer_name | Name of remote peer that raised this notice. | keyword | -| zeek.notice.sub | The human readable sub-message. 
| keyword | -| zeek.notice.suppress_for | This field indicates the length of time that this unique notice should be suppressed. | double | -| zeek.session_id | A unique identifier of the session | keyword | - - -### ntp - -The `ntp` dataset collects the Zeek ntp.log file, which contains -NTP data. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. 
| keyword | -| destination.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| destination.as.organization.name | Organization name. | keyword | -| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. | match_only_text | -| destination.bytes | Bytes sent from the destination to the source. | long | -| destination.geo.city_name | City name. | keyword | -| destination.geo.continent_name | Name of the continent. | keyword | -| destination.geo.country_iso_code | Country ISO code. | keyword | -| destination.geo.country_name | Country name. | keyword | -| destination.geo.location | Longitude and latitude. | geo_point | -| destination.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | -| destination.geo.region_iso_code | Region ISO code. | keyword | -| destination.geo.region_name | Region name. | keyword | -| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | -| destination.mac | MAC address of the destination. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | -| destination.packets | Packets sent from the destination to the source. | long | -| destination.port | Port of the destination. | long | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. 
| keyword | -| error.message | Error message. | match_only_text | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | -| event.dataset | Event dataset | constant_keyword | -| event.duration | Duration of the event in nanoseconds. If event.start and event.end are known this value should be the difference between the end and start time. | long | -| event.id | Unique ID to describe the event. | keyword | -| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. 
| date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | -| event.module | Event module | constant_keyword | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. 
It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| input.type | Type of Filebeat input. | keyword | -| log.file.path | Full path to the log file this event came from. | keyword | -| log.flags | Flags for the log file. | keyword | -| log.offset | Offset of the entry in the log file. | long | -| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long | -| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword | -| network.direction | Direction of the network traffic. When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". 
When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword | -| network.packets | Total packets transferred in both directions. If `source.packets` and `destination.packets` are known, `network.packets` is their sum. | long | -| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword | -| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword | -| network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| source.as.organization.name | Organization name. | keyword | -| source.as.organization.name.text | Multi-field of `source.as.organization.name`. 
| match_only_text | -| source.bytes | Bytes sent from the source to the destination. | long | -| source.geo.city_name | City name. | keyword | -| source.geo.continent_name | Name of the continent. | keyword | -| source.geo.country_iso_code | Country ISO code. | keyword | -| source.geo.country_name | Country name. | keyword | -| source.geo.location | Longitude and latitude. | geo_point | -| source.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | -| source.geo.region_iso_code | Region ISO code. | keyword | -| source.geo.region_name | Region name. | keyword | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| source.mac | MAC address of the source. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | -| source.packets | Packets sent from the source to the destination. | long | -| source.port | Port of the source. | long | -| tags | List of keywords used to tag each event. | keyword | -| zeek.ntp.mode | The NTP mode being used. | integer | -| zeek.ntp.num_exts | Number of extension fields (which are not currently parsed). | integer | -| zeek.ntp.org_time | Time at the client when the request departed for the NTP server. | date | -| zeek.ntp.poll | The maximum interval between successive messages in seconds. | double | -| zeek.ntp.precision | The precision of the system clock in seconds. | double | -| zeek.ntp.rec_time | Time at the server when the request arrived from the NTP client. | date | -| zeek.ntp.ref_id | For stratum 0, 4 character string used for debugging. For stratum 1, ID assigned to the reference clock by IANA. 
Above stratum 1, when using IPv4, the IP address of the reference clock. Note that the NTP protocol did not originally specify a large enough field to represent IPv6 addresses, so they use the first four bytes of the MD5 hash of the reference clock’s IPv6 address (i.e. an IPv4 address here is not necessarily IPv4). | keyword | -| zeek.ntp.ref_time | Time when the system clock was last set or correct. | date | -| zeek.ntp.root_delay | Total round-trip delay to the reference clock in seconds. | double | -| zeek.ntp.root_disp | Total dispersion to the reference clock in seconds. | double | -| zeek.ntp.stratum | The stratum (primary server, secondary server, etc.). | integer | -| zeek.ntp.version | The NTP version number (1, 2, 3, 4). | integer | -| zeek.ntp.xmt_time | Time at the server when the response departed for the NTP client. | date | -| zeek.session_id | A unique identifier of the session | keyword | - - -### ntlm - -The `ntlm` dataset collects the Zeek ntlm.log file, which contains NT -LAN Manager(NTLM) data. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. 
| keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| destination.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| destination.as.organization.name | Organization name. | keyword | -| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. | match_only_text | -| destination.geo.city_name | City name. | keyword | -| destination.geo.continent_name | Name of the continent. | keyword | -| destination.geo.country_iso_code | Country ISO code. | keyword | -| destination.geo.country_name | Country name. | keyword | -| destination.geo.location | Longitude and latitude. | geo_point | -| destination.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | -| destination.geo.region_iso_code | Region ISO code. | keyword | -| destination.geo.region_name | Region name. | keyword | -| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | -| destination.port | Port of the destination. 
| long | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| error.message | Error message. | match_only_text | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | -| event.dataset | Event dataset | constant_keyword | -| event.id | Unique ID to describe the event. | keyword | -| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. 
In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | -| event.module | Event module | constant_keyword | -| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. 
`event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | -| file.path | Full path to the file, including the file name. It should include the drive letter, when appropriate. | keyword | -| file.path.text | Multi-field of `file.path`. | match_only_text | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). 
| keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| input.type | Type of Filebeat input. | keyword | -| log.file.path | Full path to the log file this event came from. | keyword | -| log.flags | Flags for the log file. | keyword | -| log.offset | Offset of the entry in the log file. | long | -| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword | -| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword | -| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| related.user | All the user names or other user identifiers seen on the event. | keyword | -| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| source.as.organization.name | Organization name. | keyword | -| source.as.organization.name.text | Multi-field of `source.as.organization.name`. 
| match_only_text | -| source.geo.city_name | City name. | keyword | -| source.geo.continent_name | Name of the continent. | keyword | -| source.geo.country_iso_code | Country ISO code. | keyword | -| source.geo.country_name | Country name. | keyword | -| source.geo.location | Longitude and latitude. | geo_point | -| source.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | -| source.geo.region_iso_code | Region ISO code. | keyword | -| source.geo.region_name | Region name. | keyword | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| source.port | Port of the source. | long | -| tags | List of keywords used to tag each event. | keyword | -| user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword | -| user.name | Short name or login of the user. | keyword | -| user.name.text | Multi-field of `user.name`. | match_only_text | -| zeek.ntlm.domain | Domain name given by the client. | keyword | -| zeek.ntlm.hostname | Hostname given by the client. | keyword | -| zeek.ntlm.server.name.dns | DNS name given by the server in a CHALLENGE. | keyword | -| zeek.ntlm.server.name.netbios | NetBIOS name given by the server in a CHALLENGE. | keyword | -| zeek.ntlm.server.name.tree | Tree name given by the server in a CHALLENGE. | keyword | -| zeek.ntlm.success | Indicate whether or not the authentication was successful. | boolean | -| zeek.ntlm.username | Username given by the client. | keyword | -| zeek.session_id | A unique identifier of the session | keyword | - - -### ocsp - -The `ocsp` dataset collects the Zeek ocsp.log file, which contains -Online Certificate Status Protocol (OCSP) data. 
- -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| error.message | Error message. | match_only_text | -| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. 
In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | -| event.dataset | Event dataset | constant_keyword | -| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | -| event.module | Event module | constant_keyword | -| file.path | Full path to the file, including the file name. It should include the drive letter, when appropriate. | keyword | -| file.path.text | Multi-field of `file.path`. | match_only_text | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. 
For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| input.type | Type of Filebeat input. | keyword | -| log.file.path | Full path to the log file this event came from. | keyword | -| log.flags | Flags for the log file. | keyword | -| log.offset | Offset of the entry in the log file. | long | -| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. 
| keyword | -| related.hash | All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). | keyword | -| tags | List of keywords used to tag each event. | keyword | -| zeek.ocsp.file_id | File id of the OCSP reply. | keyword | -| zeek.ocsp.hash.algorithm | Hash algorithm used to generate issuerNameHash and issuerKeyHash. | keyword | -| zeek.ocsp.hash.issuer.key | Hash of the issuer's public key. | keyword | -| zeek.ocsp.hash.issuer.name | Hash of the issuer's distingueshed name. | keyword | -| zeek.ocsp.revoke.date | Time at which the certificate was revoked. | date | -| zeek.ocsp.revoke.reason | Reason for which the certificate was revoked. | keyword | -| zeek.ocsp.serial_number | Serial number of the affected certificate. | keyword | -| zeek.ocsp.status | Status of the affected certificate. | keyword | -| zeek.ocsp.update.next | The latest time at which new information about the status of the certificate will be available. | date | -| zeek.ocsp.update.this | The time at which the status being shows is known to have been correct. | date | -| zeek.session_id | A unique identifier of the session | keyword | - - -### pe - -The `pe` dataset collects the Zeek pe.log file, which contains -portable executable data. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. 
| keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| error.message | Error message. | match_only_text | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. 
The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | -| event.dataset | Event dataset | constant_keyword | -| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | -| event.module | Event module | constant_keyword | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | -| host.architecture | Operating system architecture. 
| keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| input.type | Type of Filebeat input. | keyword | -| log.file.path | Full path to the log file this event came from. | keyword | -| log.flags | Flags for the log file. | keyword | -| log.offset | Offset of the entry in the log file. | long | -| tags | List of keywords used to tag each event. 
| keyword | -| zeek.pe.client | The client's version string. | keyword | -| zeek.pe.compile_time | The time that the file was created at. | date | -| zeek.pe.has_cert_table | Does the file have an attribute certificate table? | boolean | -| zeek.pe.has_debug_data | Does the file have a debug table? | boolean | -| zeek.pe.has_export_table | Does the file have an export table? | boolean | -| zeek.pe.has_import_table | Does the file have an import table? | boolean | -| zeek.pe.id | File id of this portable executable file. | keyword | -| zeek.pe.is_64bit | Is the file a 64-bit executable? | boolean | -| zeek.pe.is_exe | Is the file an executable, or just an object file? | boolean | -| zeek.pe.machine | The target machine that the file was compiled for. | keyword | -| zeek.pe.os | The required operating system. | keyword | -| zeek.pe.section_names | The names of the sections, in order. | keyword | -| zeek.pe.subsystem | The subsystem that is required to run this file. | keyword | -| zeek.pe.uses_aslr | Does the file support Address Space Layout Randomization? | boolean | -| zeek.pe.uses_code_integrity | Does the file enforce code integrity checks? | boolean | -| zeek.pe.uses_dep | Does the file support Data Execution Prevention? | boolean | -| zeek.pe.uses_seh | Does the file use structured exception handing? | boolean | -| zeek.session_id | A unique identifier of the session | keyword | - - -### radius - -The `radius` dataset collects the Zeek radius.log file, which contains -RADIUS authentication attempts. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. 
| keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| destination.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| destination.as.organization.name | Organization name. | keyword | -| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. | match_only_text | -| destination.geo.city_name | City name. | keyword | -| destination.geo.continent_name | Name of the continent. | keyword | -| destination.geo.country_iso_code | Country ISO code. | keyword | -| destination.geo.country_name | Country name. | keyword | -| destination.geo.location | Longitude and latitude. | geo_point | -| destination.geo.name | User-defined description of a location, at the level of granularity they care about. 
Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | -| destination.geo.region_iso_code | Region ISO code. | keyword | -| destination.geo.region_name | Region name. | keyword | -| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | -| destination.port | Port of the destination. | long | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| error.message | Error message. | match_only_text | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | -| event.dataset | Event dataset | constant_keyword | -| event.id | Unique ID to describe the event. 
| keyword |
-| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date |
-| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword |
-| event.module | Event module | constant_keyword |
-| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. 
For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword |
-| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. 
| text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| input.type | Type of Filebeat input. | keyword |
-| log.file.path | Full path to the log file this event came from. | keyword |
-| log.flags | Flags for the log file. | keyword |
-| log.offset | Offset of the entry in the log file. | long |
-| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword |
-| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword |
-| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword |
-| related.ip | All of the IPs seen on your event. | ip |
-| related.user | All the user names or other user identifiers seen on the event. | keyword |
-| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
-| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long |
-| source.as.organization.name | Organization name. 
| keyword |
-| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text |
-| source.geo.city_name | City name. | keyword |
-| source.geo.continent_name | Name of the continent. | keyword |
-| source.geo.country_iso_code | Country ISO code. | keyword |
-| source.geo.country_name | Country name. | keyword |
-| source.geo.location | Longitude and latitude. | geo_point |
-| source.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword |
-| source.geo.region_iso_code | Region ISO code. | keyword |
-| source.geo.region_name | Region name. | keyword |
-| source.ip | IP address of the source (IPv4 or IPv6). | ip |
-| source.port | Port of the source. | long |
-| tags | List of keywords used to tag each event. | keyword |
-| user.name | Short name or login of the user. | keyword |
-| user.name.text | Multi-field of `user.name`. | match_only_text |
-| zeek.radius.connect_info | Connect info, if present. | keyword |
-| zeek.radius.framed_addr | The address given to the network access server, if present. This is only a hint from the RADIUS server and the network access server is not required to honor the address. | ip |
-| zeek.radius.logged | Whether this has already been logged and can be ignored. | boolean |
-| zeek.radius.mac | MAC address, if present. | keyword |
-| zeek.radius.remote_ip | Remote IP address, if present. This is collected from the Tunnel-Client-Endpoint attribute. | ip |
-| zeek.radius.reply_msg | Reply message from the server challenge. This is frequently shown to the user authenticating. | keyword |
-| zeek.radius.result | Successful or failed authentication. | keyword |
-| zeek.radius.ttl | The duration between the first request and either the "Access-Accept" message or an error. 
If the field is empty, it means that either the request or response was not seen. | integer |
-| zeek.radius.username | The username, if present. | keyword |
-| zeek.session_id | A unique identifier of the session | keyword |
-
-
-### rdp
-
-The `rdp` dataset collects the Zeek rdp.log file, which contains RDP
-data.
-
-**Exported fields**
-
-| Field | Description | Type |
-|---|---|---|
-| @timestamp | Event timestamp. | date |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
-| data_stream.dataset | Data stream dataset. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. 
| keyword |
-| destination.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long |
-| destination.as.organization.name | Organization name. | keyword |
-| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. | match_only_text |
-| destination.geo.city_name | City name. | keyword |
-| destination.geo.continent_name | Name of the continent. | keyword |
-| destination.geo.country_iso_code | Country ISO code. | keyword |
-| destination.geo.country_name | Country name. | keyword |
-| destination.geo.location | Longitude and latitude. | geo_point |
-| destination.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword |
-| destination.geo.region_iso_code | Region ISO code. | keyword |
-| destination.geo.region_name | Region name. | keyword |
-| destination.ip | IP address of the destination (IPv4 or IPv6). | ip |
-| destination.port | Port of the destination. | long |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| error.message | Error message. | match_only_text |
-| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. 
This will allow proper categorization of some events that fall in multiple categories. | keyword |
-| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date |
-| event.dataset | Event dataset | constant_keyword |
-| event.id | Unique ID to describe the event. | keyword |
-| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date |
-| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. 
| keyword |
-| event.module | Event module | constant_keyword |
-| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). 
| keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| input.type | Type of Filebeat input. | keyword |
-| log.file.path | Full path to the log file this event came from. | keyword |
-| log.flags | Flags for the log file. | keyword |
-| log.offset | Offset of the entry in the log file. | long |
-| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword |
-| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword |
-| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword |
-| related.ip | All of the IPs seen on your event. | ip |
-| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
-| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long |
-| source.as.organization.name | Organization name. | keyword |
-| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text |
-| source.geo.city_name | City name. | keyword |
-| source.geo.continent_name | Name of the continent. 
| keyword |
-| source.geo.country_iso_code | Country ISO code. | keyword |
-| source.geo.country_name | Country name. | keyword |
-| source.geo.location | Longitude and latitude. | geo_point |
-| source.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword |
-| source.geo.region_iso_code | Region ISO code. | keyword |
-| source.geo.region_name | Region name. | keyword |
-| source.ip | IP address of the source (IPv4 or IPv6). | ip |
-| source.port | Port of the source. | long |
-| tags | List of keywords used to tag each event. | keyword |
-| tls.established | Boolean flag indicating if the TLS negotiation was successful and transitioned to an encrypted tunnel. | boolean |
-| zeek.rdp.cert.count | The number of certs seen. X.509 can transfer an entire certificate chain. | integer |
-| zeek.rdp.cert.permanent | Indicates if the provided certificate or certificate chain is permanent or temporary. | boolean |
-| zeek.rdp.cert.type | If the connection is being encrypted with native RDP encryption, this is the type of cert being used. | keyword |
-| zeek.rdp.client.build | RDP client version used by the client machine. | keyword |
-| zeek.rdp.client.client_name | Name of the client machine. | keyword |
-| zeek.rdp.client.product_id | Product ID of the client machine. | keyword |
-| zeek.rdp.cookie | Cookie value used by the client machine. This is typically a username. | keyword |
-| zeek.rdp.desktop.color_depth | The color depth requested by the client in the high_color_depth field. | keyword |
-| zeek.rdp.desktop.height | Desktop height of the client machine. | integer |
-| zeek.rdp.desktop.width | Desktop width of the client machine. | integer |
-| zeek.rdp.done | Track status of logging RDP connections. 
| boolean |
-| zeek.rdp.encryption.level | Encryption level of the connection. | keyword |
-| zeek.rdp.encryption.method | Encryption method of the connection. | keyword |
-| zeek.rdp.keyboard_layout | Keyboard layout (language) of the client machine. | keyword |
-| zeek.rdp.result | Status result for the connection. It's a mix between RDP negotation failure messages and GCC server create response messages. | keyword |
-| zeek.rdp.security_protocol | Security protocol chosen by the server. | keyword |
-| zeek.rdp.ssl | (present if policy/protocols/rdp/indicate_ssl.bro is loaded) Flag the connection if it was seen over SSL. | boolean |
-| zeek.session_id | A unique identifier of the session | keyword |
-
-
-### rfb
-
-The `rfb` dataset collects the Zeek rfb.log file, which contains
-Remote Framebuffer (RFB) data.
-
-**Exported fields**
-
-| Field | Description | Type |
-|---|---|---|
-| @timestamp | Event timestamp. | date |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. 
| keyword |
-| data_stream.dataset | Data stream dataset. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
-| destination.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long |
-| destination.as.organization.name | Organization name. | keyword |
-| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. | match_only_text |
-| destination.geo.city_name | City name. | keyword |
-| destination.geo.continent_name | Name of the continent. | keyword |
-| destination.geo.country_iso_code | Country ISO code. | keyword |
-| destination.geo.country_name | Country name. | keyword |
-| destination.geo.location | Longitude and latitude. | geo_point |
-| destination.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword |
-| destination.geo.region_iso_code | Region ISO code. | keyword |
-| destination.geo.region_name | Region name. | keyword |
-| destination.ip | IP address of the destination (IPv4 or IPv6). | ip |
-| destination.port | Port of the destination. | long |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. 
When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| error.message | Error message. | match_only_text |
-| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword |
-| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date |
-| event.dataset | Event dataset | constant_keyword |
-| event.id | Unique ID to describe the event. | keyword |
-| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. 
| date |
-| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword |
-| event.module | Event module | constant_keyword |
-| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. 
It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| input.type | Type of Filebeat input. | keyword |
-| log.file.path | Full path to the log file this event came from. | keyword |
-| log.flags | Flags for the log file. | keyword |
-| log.offset | Offset of the entry in the log file. | long |
-| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword |
-| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword |
-| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword |
-| related.ip | All of the IPs seen on your event. | ip |
-| source.address | Some event source addresses are defined ambiguously. 
The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
-| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long |
-| source.as.organization.name | Organization name. | keyword |
-| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text |
-| source.geo.city_name | City name. | keyword |
-| source.geo.continent_name | Name of the continent. | keyword |
-| source.geo.country_iso_code | Country ISO code. | keyword |
-| source.geo.country_name | Country name. | keyword |
-| source.geo.location | Longitude and latitude. | geo_point |
-| source.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword |
-| source.geo.region_iso_code | Region ISO code. | keyword |
-| source.geo.region_name | Region name. | keyword |
-| source.ip | IP address of the source (IPv4 or IPv6). | ip |
-| source.port | Port of the source. | long |
-| tags | List of keywords used to tag each event. | keyword |
-| zeek.rfb.auth.method | Identifier of authentication method used. | keyword |
-| zeek.rfb.auth.success | Whether or not authentication was successful. | boolean |
-| zeek.rfb.desktop_name | Name of the screen that is being shared. | keyword |
-| zeek.rfb.height | Height of the screen that is being shared. | integer |
-| zeek.rfb.share_flag | Whether the client has an exclusive or a shared session. | boolean |
-| zeek.rfb.version.client.major | Major version of the client. | keyword |
-| zeek.rfb.version.client.minor | Minor version of the client. 
| keyword |
-| zeek.rfb.version.server.major | Major version of the server. | keyword |
-| zeek.rfb.version.server.minor | Minor version of the server. | keyword |
-| zeek.rfb.width | Width of the screen that is being shared. | integer |
-| zeek.session_id | A unique identifier of the session | keyword |
-
-
-### signature
-
-The `signature` dataset collects the Zeek signature.log file, which contains
-Zeek signature matches.
-
-**Exported fields**
-
-| Field | Description | Type |
-|---|---|---|
-| @timestamp | Event timestamp. | date |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
-| data_stream.dataset | Data stream dataset. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. 
You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| destination.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| destination.as.organization.name | Organization name. | keyword | -| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. | match_only_text | -| destination.bytes | Bytes sent from the destination to the source. | long | -| destination.geo.city_name | City name. | keyword | -| destination.geo.continent_name | Name of the continent. | keyword | -| destination.geo.country_iso_code | Country ISO code. | keyword | -| destination.geo.country_name | Country name. | keyword | -| destination.geo.location | Longitude and latitude. | geo_point | -| destination.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | -| destination.geo.region_iso_code | Region ISO code. | keyword | -| destination.geo.region_name | Region name. | keyword | -| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | -| destination.mac | MAC address of the destination. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | -| destination.packets | Packets sent from the destination to the source. | long | -| destination.port | Port of the destination. | long | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. 
When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| error.message | Error message. | match_only_text | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | -| event.dataset | Event dataset | constant_keyword | -| event.duration | Duration of the event in nanoseconds. If event.start and event.end are known this value should be the difference between the end and start time. | long | -| event.id | Unique ID to describe the event. | keyword | -| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. 
In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | -| event.module | Event module | constant_keyword | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. 
| ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| input.type | Type of Filebeat input. | keyword | -| log.file.path | Full path to the log file this event came from. | keyword | -| log.flags | Flags for the log file. | keyword | -| log.offset | Offset of the entry in the log file. | long | -| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long | -| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword | -| network.direction | Direction of the network traffic. When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". 
When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword | -| network.packets | Total packets transferred in both directions. If `source.packets` and `destination.packets` are known, `network.packets` is their sum. | long | -| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword | -| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword | -| network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| rule.description | The description of the rule generating the event. | keyword | -| rule.id | A rule ID that is unique within the scope of an agent, observer, or other entity using the rule for detection of this event. | keyword | -| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| source.as.number | Unique number allocated to the autonomous system. 
The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| source.as.organization.name | Organization name. | keyword | -| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text | -| source.bytes | Bytes sent from the source to the destination. | long | -| source.geo.city_name | City name. | keyword | -| source.geo.continent_name | Name of the continent. | keyword | -| source.geo.country_iso_code | Country ISO code. | keyword | -| source.geo.country_name | Country name. | keyword | -| source.geo.location | Longitude and latitude. | geo_point | -| source.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | -| source.geo.region_iso_code | Region ISO code. | keyword | -| source.geo.region_name | Region name. | keyword | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| source.mac | MAC address of the source. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | -| source.packets | Packets sent from the source to the destination. | long | -| source.port | Port of the source. | long | -| tags | List of keywords used to tag each event. | keyword | -| zeek.session_id | A unique identifier of the session | keyword | -| zeek.signature.event_msg | A more descriptive message of the signature-matching event. | keyword | -| zeek.signature.host_count | Number of hosts, from a summary count. | integer | -| zeek.signature.note | Notice associated with signature event. | keyword | -| zeek.signature.sig_count | Number of sigs, usually from summary count. 
| integer | -| zeek.signature.sig_id | The name of the signature that matched. | keyword | -| zeek.signature.sub_msg | Extracted payload data or extra message. | keyword | - - -### sip - -The `sip` dataset collects the Zeek sip.log file, which contains SIP -data. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. 
| keyword | -| destination.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| destination.as.organization.name | Organization name. | keyword | -| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. | match_only_text | -| destination.geo.city_name | City name. | keyword | -| destination.geo.continent_name | Name of the continent. | keyword | -| destination.geo.country_iso_code | Country ISO code. | keyword | -| destination.geo.country_name | Country name. | keyword | -| destination.geo.location | Longitude and latitude. | geo_point | -| destination.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | -| destination.geo.region_iso_code | Region ISO code. | keyword | -| destination.geo.region_name | Region name. | keyword | -| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | -| destination.port | Port of the destination. | long | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| error.message | Error message. | match_only_text | -| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. 
`event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | -| event.dataset | Event dataset | constant_keyword | -| event.id | Unique ID to describe the event. | keyword | -| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. 
They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | -| event.module | Event module | constant_keyword | -| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. 
It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| input.type | Type of Filebeat input. | keyword | -| log.file.path | Full path to the log file this event came from. | keyword | -| log.flags | Flags for the log file. | keyword | -| log.offset | Offset of the entry in the log file. | long | -| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword | -| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. 
The field value must be normalized to lowercase for querying. | keyword | -| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| source.as.organization.name | Organization name. | keyword | -| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text | -| source.geo.city_name | City name. | keyword | -| source.geo.continent_name | Name of the continent. | keyword | -| source.geo.country_iso_code | Country ISO code. | keyword | -| source.geo.country_name | Country name. | keyword | -| source.geo.location | Longitude and latitude. | geo_point | -| source.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | -| source.geo.region_iso_code | Region ISO code. | keyword | -| source.geo.region_name | Region name. | keyword | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| source.port | Port of the source. | long | -| tags | List of keywords used to tag each event. | keyword | -| url.full | If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. 
| wildcard | -| url.full.text | Multi-field of `url.full`. | match_only_text | -| zeek.session_id | A unique identifier of the session | keyword | -| zeek.sip.call_id | Contents of the Call-ID: header from the client. | keyword | -| zeek.sip.content_type | Contents of the Content-Type: header from the server. | keyword | -| zeek.sip.date | Contents of the Date: header from the client. | keyword | -| zeek.sip.reply_to | Contents of the Reply-To: header. | keyword | -| zeek.sip.request.body_length | Contents of the Content-Length: header from the client. | long | -| zeek.sip.request.from | Contents of the request From: header Note: The tag= value that's usually appended to the sender is stripped off and not logged. | keyword | -| zeek.sip.request.path | The client message transmission path, as extracted from the headers. | keyword | -| zeek.sip.request.to | Contents of the To: header. | keyword | -| zeek.sip.response.body_length | Contents of the Content-Length: header from the server. | long | -| zeek.sip.response.from | Contents of the response 
From: header Note: The tag= value that's usually appended to the sender is stripped off and not logged. | keyword | -| zeek.sip.response.path | The server message transmission path, as extracted from the headers. | keyword | -| zeek.sip.response.to | Contents of the response To: header. | keyword | -| zeek.sip.sequence.method | Verb used in the SIP request (INVITE, REGISTER etc.). | keyword | -| zeek.sip.sequence.number | Contents of the CSeq: header from the client. | keyword | -| zeek.sip.status.code | Status code returned by the server. | integer | -| zeek.sip.status.msg | Status message returned by the server. | keyword | -| zeek.sip.subject | Contents of the Subject: header from the client. | keyword | -| zeek.sip.transaction_depth | Represents the pipelined depth into the connection of this request/response transaction. | integer | -| zeek.sip.uri | URI used in the request. | keyword | -| zeek.sip.user_agent | Contents of the User-Agent: header from the client. | keyword | -| zeek.sip.warning | Contents of the Warning: header. | keyword | - - -### smb_cmd - -The `smb_cmd` dataset collects the Zeek smb_cmd.log file, which -contains SMB commands. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. 
Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| destination.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| destination.as.organization.name | Organization name. | keyword | -| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. | match_only_text | -| destination.geo.city_name | City name. | keyword | -| destination.geo.continent_name | Name of the continent. | keyword | -| destination.geo.country_iso_code | Country ISO code. | keyword | -| destination.geo.country_name | Country name. | keyword | -| destination.geo.location | Longitude and latitude. | geo_point | -| destination.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | -| destination.geo.region_iso_code | Region ISO code. | keyword | -| destination.geo.region_name | Region name. 
| keyword | -| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | -| destination.port | Port of the destination. | long | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| error.message | Error message. | match_only_text | -| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | -| event.dataset | Event dataset | constant_keyword | -| event.id | Unique ID to describe the event. 
| keyword | -| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | -| event.module | Event module | constant_keyword | -| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. 
For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. 
| text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| input.type | Type of Filebeat input. | keyword | -| log.file.path | Full path to the log file this event came from. | keyword | -| log.flags | Flags for the log file. | keyword | -| log.offset | Offset of the entry in the log file. | long | -| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword | -| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword | -| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| related.user | All the user names or other user identifiers seen on the event. | keyword | -| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| source.as.organization.name | Organization name. 
| keyword | -| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text | -| source.geo.city_name | City name. | keyword | -| source.geo.continent_name | Name of the continent. | keyword | -| source.geo.country_iso_code | Country ISO code. | keyword | -| source.geo.country_name | Country name. | keyword | -| source.geo.location | Longitude and latitude. | geo_point | -| source.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | -| source.geo.region_iso_code | Region ISO code. | keyword | -| source.geo.region_name | Region name. | keyword | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| source.port | Port of the source. | long | -| tags | List of keywords used to tag each event. | keyword | -| user.name | Short name or login of the user. | keyword | -| user.name.text | Multi-field of `user.name`. | match_only_text | -| zeek.session_id | A unique identifier of the session | keyword | -| zeek.smb_cmd.argument | Command argument sent by the client, if any. | keyword | -| zeek.smb_cmd.command | The command sent by the client. | keyword | -| zeek.smb_cmd.file.action | Action this log record represents. | keyword | -| zeek.smb_cmd.file.host.rx | Address of the receiving host. | ip | -| zeek.smb_cmd.file.host.tx | Address of the transmitting host. | ip | -| zeek.smb_cmd.file.name | Filename if one was seen. | keyword | -| zeek.smb_cmd.file.uid | UID of the referenced file. | keyword | -| zeek.smb_cmd.rtt | Round trip time from the request to the response. | double | -| zeek.smb_cmd.smb1_offered_dialects | Present if base/protocols/smb/smb1-main.bro is loaded. Dialects offered by the client. | keyword | -| zeek.smb_cmd.smb2_offered_dialects | Present if base/protocols/smb/smb2-main.bro is loaded. 
Dialects offered by the client. | integer | -| zeek.smb_cmd.status | Server reply to the client's command. | keyword | -| zeek.smb_cmd.sub_command | The subcommand sent by the client, if present. | keyword | -| zeek.smb_cmd.tree | If this is related to a tree, this is the tree that was used for the current command. | keyword | -| zeek.smb_cmd.tree_service | The type of tree (disk share, printer share, named pipe, etc.). | keyword | -| zeek.smb_cmd.username | Authenticated username, if available. | keyword | -| zeek.smb_cmd.version | Version of SMB for the command. | keyword | - - -### smb_files - -The `smb_files` dataset collects the Zeek smb_files.log file, which -contains SMB file data. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. 
| constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| destination.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| destination.as.organization.name | Organization name. | keyword | -| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. | match_only_text | -| destination.geo.city_name | City name. | keyword | -| destination.geo.continent_name | Name of the continent. | keyword | -| destination.geo.country_iso_code | Country ISO code. | keyword | -| destination.geo.country_name | Country name. | keyword | -| destination.geo.location | Longitude and latitude. | geo_point | -| destination.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | -| destination.geo.region_iso_code | Region ISO code. | keyword | -| destination.geo.region_name | Region name. | keyword | -| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | -| destination.port | Port of the destination. | long | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| error.message | Error message. 
| match_only_text | -| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | -| event.dataset | Event dataset | constant_keyword | -| event.id | Unique ID to describe the event. | keyword | -| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. 
| date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | -| event.module | Event module | constant_keyword | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | -| file.accessed | Last time the file was accessed. Note that not all filesystems keep track of access time. | date | -| file.created | File creation time. Note that not all filesystems store the creation time. | date | -| file.ctime | Last time the file attributes or metadata changed. Note that changes to the file content will update `mtime`. This implies `ctime` will be adjusted at the same time, since `mtime` is an attribute of the file. | date | -| file.mtime | Last time the file content was modified. | date | -| file.name | Name of the file including the extension, without the directory. | keyword | -| file.path | Full path to the file, including the file name. It should include the drive letter, when appropriate. | keyword | -| file.path.text | Multi-field of `file.path`. | match_only_text | -| file.size | File size in bytes. Only relevant when `file.type` is "file". 
| long | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| input.type | Type of Filebeat input. | keyword | -| log.file.path | Full path to the log file this event came from. | keyword | -| log.flags | Flags for the log file. | keyword | -| log.offset | Offset of the entry in the log file. 
| long | -| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword | -| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword | -| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| related.user | All the user names or other user identifiers seen on the event. | keyword | -| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| source.as.organization.name | Organization name. | keyword | -| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text | -| source.geo.city_name | City name. | keyword | -| source.geo.continent_name | Name of the continent. | keyword | -| source.geo.country_iso_code | Country ISO code. | keyword | -| source.geo.country_name | Country name. | keyword | -| source.geo.location | Longitude and latitude. | geo_point | -| source.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. 
Not typically used in automated geolocation. | keyword | -| source.geo.region_iso_code | Region ISO code. | keyword | -| source.geo.region_name | Region name. | keyword | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| source.port | Port of the source. | long | -| tags | List of keywords used to tag each event. | keyword | -| zeek.session_id | A unique identifier of the session | keyword | -| zeek.smb_files.action | Action this log record represents. | keyword | -| zeek.smb_files.fid | ID referencing this file. | integer | -| zeek.smb_files.name | Filename if one was seen. | keyword | -| zeek.smb_files.path | Path pulled from the tree this file was transferred to or from. | keyword | -| zeek.smb_files.previous_name | If the rename action was seen, this will be the file's previous name. | keyword | -| zeek.smb_files.size | Byte size of the file. | long | -| zeek.smb_files.times.accessed | The file's access time. | date | -| zeek.smb_files.times.changed | The file's change time. | date | -| zeek.smb_files.times.created | The file's create time. | date | -| zeek.smb_files.times.modified | The file's modify time. | date | -| zeek.smb_files.uuid | UUID referencing this file if DCE/RPC. | keyword | - - -### smb_mapping - -The `smb_mapping` dataset collects the Zeek smb_mapping.log file, -which contains SMB trees. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. 
| keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| destination.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| destination.as.organization.name | Organization name. | keyword | -| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. | match_only_text | -| destination.geo.city_name | City name. | keyword | -| destination.geo.continent_name | Name of the continent. | keyword | -| destination.geo.country_iso_code | Country ISO code. | keyword | -| destination.geo.country_name | Country name. | keyword | -| destination.geo.location | Longitude and latitude. | geo_point | -| destination.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. 
Not typically used in automated geolocation. | keyword | -| destination.geo.region_iso_code | Region ISO code. | keyword | -| destination.geo.region_name | Region name. | keyword | -| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | -| destination.port | Port of the destination. | long | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| error.message | Error message. | match_only_text | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | -| event.dataset | Event dataset | constant_keyword | -| event.id | Unique ID to describe the event. | keyword | -| event.ingested | Timestamp when an event arrived in the central data store. 
This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | -| event.module | Event module | constant_keyword | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | -| file.path | Full path to the file, including the file name. It should include the drive letter, when appropriate. | keyword | -| file.path.text | Multi-field of `file.path`. | match_only_text | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. 
For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| input.type | Type of Filebeat input. | keyword | -| log.file.path | Full path to the log file this event came from. | keyword | -| log.flags | Flags for the log file. | keyword | -| log.offset | Offset of the entry in the log file. | long | -| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. 
| keyword | -| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword | -| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| source.as.organization.name | Organization name. | keyword | -| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text | -| source.geo.city_name | City name. | keyword | -| source.geo.continent_name | Name of the continent. | keyword | -| source.geo.country_iso_code | Country ISO code. | keyword | -| source.geo.country_name | Country name. | keyword | -| source.geo.location | Longitude and latitude. | geo_point | -| source.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | -| source.geo.region_iso_code | Region ISO code. | keyword | -| source.geo.region_name | Region name. | keyword | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| source.port | Port of the source. | long | -| tags | List of keywords used to tag each event. 
| keyword | -| zeek.session_id | A unique identifier of the session | keyword | -| zeek.smb_mapping.native_file_system | File system of the tree. | keyword | -| zeek.smb_mapping.path | Name of the tree path. | keyword | -| zeek.smb_mapping.service | The type of resource of the tree (disk share, printer share, named pipe, etc.). | keyword | -| zeek.smb_mapping.share_type | If this is SMB2, a share type will be included. For SMB1, the type of share will be deduced and included as well. | keyword | - - -### smtp - -The `smtp` dataset collects the Zeek smtp.log file, which contains -SMTP transactions.. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. 
| constant_keyword | -| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| destination.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| destination.as.organization.name | Organization name. | keyword | -| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. | match_only_text | -| destination.geo.city_name | City name. | keyword | -| destination.geo.continent_name | Name of the continent. | keyword | -| destination.geo.country_iso_code | Country ISO code. | keyword | -| destination.geo.country_name | Country name. | keyword | -| destination.geo.location | Longitude and latitude. | geo_point | -| destination.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | -| destination.geo.region_iso_code | Region ISO code. | keyword | -| destination.geo.region_name | Region name. | keyword | -| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | -| destination.port | Port of the destination. | long | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| error.message | Error message. 
| match_only_text |
-| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword |
-| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date |
-| event.dataset | Event dataset | constant_keyword |
-| event.id | Unique ID to describe the event. | keyword |
-| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date |
-| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. 
For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword |
-| event.module | Event module | constant_keyword |
-| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). 
| keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| input.type | Type of Filebeat input. | keyword |
-| log.file.path | Full path to the log file this event came from. | keyword |
-| log.flags | Flags for the log file. | keyword |
-| log.offset | Offset of the entry in the log file. | long |
-| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword |
-| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword |
-| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword |
-| related.ip | All of the IPs seen on your event. | ip |
-| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
-| source.as.number | Unique number allocated to the autonomous system. 
The autonomous system number (ASN) uniquely identifies each network on the Internet. | long |
-| source.as.organization.name | Organization name. | keyword |
-| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text |
-| source.geo.city_name | City name. | keyword |
-| source.geo.continent_name | Name of the continent. | keyword |
-| source.geo.country_iso_code | Country ISO code. | keyword |
-| source.geo.country_name | Country name. | keyword |
-| source.geo.location | Longitude and latitude. | geo_point |
-| source.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword |
-| source.geo.region_iso_code | Region ISO code. | keyword |
-| source.geo.region_name | Region name. | keyword |
-| source.ip | IP address of the source (IPv4 or IPv6). | ip |
-| source.port | Port of the source. | long |
-| tags | List of keywords used to tag each event. | keyword |
-| tls.established | Boolean flag indicating if the TLS negotiation was successful and transitioned to an encrypted tunnel. | boolean |
-| zeek.session_id | A unique identifier of the session | keyword |
-| zeek.smtp.cc | Contents of the CC header. | keyword |
-| zeek.smtp.date | Contents of the Date header. | date |
-| zeek.smtp.first_received | Contents of the first Received header. | keyword |
-| zeek.smtp.from | Contents of the From header. | keyword |
-| zeek.smtp.fuids | (present if base/protocols/smtp/files.bro is loaded) An ordered vector of file unique IDs seen attached to the message. | keyword |
-| zeek.smtp.has_client_activity | Indicates if client activity has been seen, but not yet logged. | boolean |
-| zeek.smtp.helo | Contents of the Helo header. | keyword |
-| zeek.smtp.in_reply_to | Contents of the In-Reply-To header. 
| keyword |
-| zeek.smtp.is_webmail | Indicates if the message was sent through a webmail interface. | boolean |
-| zeek.smtp.last_reply | The last message that the server sent to the client. | keyword |
-| zeek.smtp.mail_from | Email addresses found in the MAIL FROM header. | keyword |
-| zeek.smtp.msg_id | Contents of the MsgID header. | keyword |
-| zeek.smtp.path | The message transmission path, as extracted from the headers. | ip |
-| zeek.smtp.process_received_from | Indicates if the "Received: from" headers should still be processed. | boolean |
-| zeek.smtp.rcpt_to | Email addresses found in the RCPT TO header. | keyword |
-| zeek.smtp.reply_to | Contents of the ReplyTo header. | keyword |
-| zeek.smtp.second_received | Contents of the second Received header. | keyword |
-| zeek.smtp.subject | Contents of the Subject header. | keyword |
-| zeek.smtp.tls | Indicates that the connection has switched to using TLS. | boolean |
-| zeek.smtp.to | Contents of the To header. | keyword |
-| zeek.smtp.transaction_depth | A count to represent the depth of this message transaction in a single connection where multiple messages were transferred. | integer |
-| zeek.smtp.user_agent | Value of the User-Agent header from the client. | keyword |
-| zeek.smtp.x_originating_ip | Contents of the X-Originating-IP header. | keyword |
- - ### snmp
-
-The `snmp` dataset collects the Zeek snmp.log file, which contains
-SNMP messages.
-
-**Exported fields**
-
-| Field | Description | Type |
-|---|---|---|
-| @timestamp | Event timestamp. | date |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. 
| keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
-| data_stream.dataset | Data stream dataset. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
-| destination.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long |
-| destination.as.organization.name | Organization name. | keyword |
-| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. | match_only_text |
-| destination.geo.city_name | City name. | keyword |
-| destination.geo.continent_name | Name of the continent. | keyword |
-| destination.geo.country_iso_code | Country ISO code. | keyword |
-| destination.geo.country_name | Country name. | keyword |
-| destination.geo.location | Longitude and latitude. | geo_point |
-| destination.geo.name | User-defined description of a location, at the level of granularity they care about. 
Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword |
-| destination.geo.region_iso_code | Region ISO code. | keyword |
-| destination.geo.region_name | Region name. | keyword |
-| destination.ip | IP address of the destination (IPv4 or IPv6). | ip |
-| destination.port | Port of the destination. | long |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| error.message | Error message. | match_only_text |
-| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword |
-| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date |
-| event.dataset | Event dataset | constant_keyword |
-| event.id | Unique ID to describe the event. 
| keyword |
-| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date |
-| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword |
-| event.module | Event module | constant_keyword |
-| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. 
It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| input.type | Type of Filebeat input. | keyword |
-| log.file.path | Full path to the log file this event came from. | keyword |
-| log.flags | Flags for the log file. | keyword |
-| log.offset | Offset of the entry in the log file. | long |
-| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword |
-| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. 
The field value must be normalized to lowercase for querying. | keyword |
-| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword |
-| related.ip | All of the IPs seen on your event. | ip |
-| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
-| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long |
-| source.as.organization.name | Organization name. | keyword |
-| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text |
-| source.geo.city_name | City name. | keyword |
-| source.geo.continent_name | Name of the continent. | keyword |
-| source.geo.country_iso_code | Country ISO code. | keyword |
-| source.geo.country_name | Country name. | keyword |
-| source.geo.location | Longitude and latitude. | geo_point |
-| source.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword |
-| source.geo.region_iso_code | Region ISO code. | keyword |
-| source.geo.region_name | Region name. | keyword |
-| source.ip | IP address of the source (IPv4 or IPv6). | ip |
-| source.port | Port of the source. | long |
-| tags | List of keywords used to tag each event. 
| keyword |
-| zeek.session_id | A unique identifier of the session | keyword |
-| zeek.snmp.community | The community string of the first SNMP packet associated with the session. This is used as part of SNMP's (v1 and v2c) administrative/security framework. See RFC 1157 or RFC 1901. | keyword |
-| zeek.snmp.display_string | A system description of the SNMP responder endpoint. | keyword |
-| zeek.snmp.duration | The amount of time between the first packet beloning to the SNMP session and the latest one seen. | double |
-| zeek.snmp.get.bulk_requests | The number of variable bindings in GetBulkRequest PDUs seen for the session. | integer |
-| zeek.snmp.get.requests | The number of variable bindings in GetRequest/GetNextRequest PDUs seen for the session. | integer |
-| zeek.snmp.get.responses | The number of variable bindings in GetResponse/Response PDUs seen for the session. | integer |
-| zeek.snmp.set.requests | The number of variable bindings in SetRequest PDUs seen for the session. | integer |
-| zeek.snmp.up_since | The time at which the SNMP responder endpoint claims it's been up since. | date |
-| zeek.snmp.version | The version of SNMP being used. | keyword |
- - ### socks
-
-The `socks` dataset collects the Zeek socks.log file, which contains
-SOCKS proxy requests.
-
-**Exported fields**
-
-| Field | Description | Type |
-|---|---|---|
-| @timestamp | Event timestamp. | date |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. 
| keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
-| data_stream.dataset | Data stream dataset. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
-| destination.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long |
-| destination.as.organization.name | Organization name. | keyword |
-| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. | match_only_text |
-| destination.geo.city_name | City name. | keyword |
-| destination.geo.continent_name | Name of the continent. | keyword |
-| destination.geo.country_iso_code | Country ISO code. | keyword |
-| destination.geo.country_name | Country name. | keyword |
-| destination.geo.location | Longitude and latitude. | geo_point |
-| destination.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. 
| keyword |
-| destination.geo.region_iso_code | Region ISO code. | keyword |
-| destination.geo.region_name | Region name. | keyword |
-| destination.ip | IP address of the destination (IPv4 or IPv6). | ip |
-| destination.port | Port of the destination. | long |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword |
-| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date |
-| event.dataset | Event dataset | constant_keyword |
-| event.id | Unique ID to describe the event. | keyword |
-| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. 
It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date |
-| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword |
-| event.module | Event module | constant_keyword |
-| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword |
-| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. 
`event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. 
If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| input.type | Type of Filebeat input. | keyword |
-| log.file.path | Full path to the log file this event came from. | keyword |
-| log.flags | Flags for the log file. | keyword |
-| log.offset | Offset of the entry in the log file. | long |
-| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword |
-| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword |
-| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword |
-| related.ip | All of the IPs seen on your event. | ip |
-| related.user | All the user names or other user identifiers seen on the event. | keyword |
-| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
-| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long |
-| source.as.organization.name | Organization name. | keyword |
-| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text |
-| source.geo.city_name | City name. | keyword |
-| source.geo.continent_name | Name of the continent. | keyword |
-| source.geo.country_iso_code | Country ISO code. 
| keyword |
-| source.geo.country_name | Country name. | keyword |
-| source.geo.location | Longitude and latitude. | geo_point |
-| source.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword |
-| source.geo.region_iso_code | Region ISO code. | keyword |
-| source.geo.region_name | Region name. | keyword |
-| source.ip | IP address of the source (IPv4 or IPv6). | ip |
-| source.port | Port of the source. | long |
-| tags | List of keywords used to tag each event. | keyword |
-| user.name | Short name or login of the user. | keyword |
-| user.name.text | Multi-field of `user.name`. | match_only_text |
-| zeek.session_id | A unique identifier of the session | keyword |
-| zeek.socks.bound.host | Server bound address. Could be an address, a name or both. | keyword |
-| zeek.socks.bound.port | Server bound port. | integer |
-| zeek.socks.capture_password | Determines if the password will be captured for this request. | boolean |
-| zeek.socks.password | Password used to request a login to the proxy. | keyword |
-| zeek.socks.request.host | Client requested SOCKS address. Could be an address, a name or both. | keyword |
-| zeek.socks.request.port | Client requested port. | integer |
-| zeek.socks.status | Server status for the attempt at using the proxy. | keyword |
-| zeek.socks.user | Username used to request a login to the proxy. | keyword |
-| zeek.socks.version | Protocol version of SOCKS. | integer |
- - ### software
-
-The `software` dataset collects details on applications operated by the hosts it sees on the local network. See the [documentation](https://docs.zeek.org/en/master/logs/known-and-software.html#software-log) for more details.
-
-**Exported fields**
-
-| Field | Description | Type |
-|---|---|---|
-| @timestamp | Event timestamp. 
| date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. 
This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | -| event.dataset | Event dataset | constant_keyword | -| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | -| event.module | Event module | constant_keyword | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. 
`event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.geo.city_name | City name. | keyword | -| host.geo.continent_name | Name of the continent. | keyword | -| host.geo.country_iso_code | Country ISO code. | keyword | -| host.geo.country_name | Country name. | keyword | -| host.geo.location | Longitude and latitude. | geo_point | -| host.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | -| host.geo.region_iso_code | Region ISO code. | keyword | -| host.geo.region_name | Region name. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. 
| keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| input.type | Type of Filebeat input. | keyword | -| log.file.path | Full path to the log file this event came from. | keyword | -| log.flags | Flags for the log file. | keyword | -| log.offset | Offset of the entry in the log file. | long | -| network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| tags | List of keywords used to tag each event. | keyword | -| zeek.software.name | Name of the software (e.g. Apache). | keyword | -| zeek.software.type | The type of software detected | keyword | -| zeek.software.version.additional | Additional version information | keyword | -| zeek.software.version.full | Full unparsed version of the software. | keyword | -| zeek.software.version.major | Major version of software. | long | -| zeek.software.version.minor | minor version of software. | long | -| zeek.software.version.minor2 | 2nd minor version of software. | long | -| zeek.software.version.minor3 | 3rd minor version of software. | long | - - -### ssh - -The `ssh` dataset collects the Zeek ssh.log file, which contains SSH -connection data. 
- -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| destination.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| destination.as.organization.name | Organization name. 
| keyword | -| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. | match_only_text | -| destination.geo.city_name | City name. | keyword | -| destination.geo.continent_name | Name of the continent. | keyword | -| destination.geo.country_iso_code | Country ISO code. | keyword | -| destination.geo.country_name | Country name. | keyword | -| destination.geo.location | Longitude and latitude. | geo_point | -| destination.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | -| destination.geo.region_iso_code | Region ISO code. | keyword | -| destination.geo.region_name | Region name. | keyword | -| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | -| destination.port | Port of the destination. | long | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| error.message | Error message. | match_only_text | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. 
This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | -| event.dataset | Event dataset | constant_keyword | -| event.id | Unique ID to describe the event. | keyword | -| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | -| event.module | Event module | constant_keyword | -| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. 
Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. 
It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| input.type | Type of Filebeat input. | keyword | -| log.file.path | Full path to the log file this event came from. | keyword | -| log.flags | Flags for the log file. | keyword | -| log.offset | Offset of the entry in the log file. | long | -| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword | -| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword | -| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| source.address | Some event source addresses are defined ambiguously. 
The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| source.as.organization.name | Organization name. | keyword | -| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text | -| source.geo.city_name | City name. | keyword | -| source.geo.continent_name | Name of the continent. | keyword | -| source.geo.country_iso_code | Country ISO code. | keyword | -| source.geo.country_name | Country name. | keyword | -| source.geo.location | Longitude and latitude. | geo_point | -| source.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | -| source.geo.region_iso_code | Region ISO code. | keyword | -| source.geo.region_name | Region name. | keyword | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| source.port | Port of the source. | long | -| tags | List of keywords used to tag each event. | keyword | -| zeek.session_id | A unique identifier of the session | keyword | -| zeek.ssh.algorithm.cipher | The encryption algorithm in use. | keyword | -| zeek.ssh.algorithm.compression | The compression algorithm in use. | keyword | -| zeek.ssh.algorithm.host_key | The server host key's algorithm. | keyword | -| zeek.ssh.algorithm.key_exchange | The key exchange algorithm in use. | keyword | -| zeek.ssh.algorithm.mac | The signing (MAC) algorithm in use. | keyword | -| zeek.ssh.auth.attempts | The number of authentication attemps we observed. 
There's always at least one, since some servers might support no authentication at all. It's important to note that not all of these are failures, since some servers require two-factor auth (e.g. password AND pubkey). | integer | -| zeek.ssh.auth.success | Authentication result. | boolean | -| zeek.ssh.client | The client's version string. | keyword | -| zeek.ssh.direction | Direction of the connection. If the client was a local host logging into an external host, this would be OUTBOUND. INBOUND would be set for the opposite situation. | keyword | -| zeek.ssh.host_key | The server's key thumbprint. | keyword | -| zeek.ssh.server | The server's version string. | keyword | -| zeek.ssh.version | SSH major version (1 or 2). | integer | - - -### ssl - -The `ssl` dataset collects the Zeek ssl.log file, which contains -SSL/TLS handshake info. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| client.address | Some event client addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. 
Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| destination.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| destination.as.organization.name | Organization name. | keyword | -| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. | match_only_text | -| destination.geo.city_name | City name. | keyword | -| destination.geo.continent_name | Name of the continent. | keyword | -| destination.geo.country_iso_code | Country ISO code. | keyword | -| destination.geo.country_name | Country name. | keyword | -| destination.geo.location | Longitude and latitude. | geo_point | -| destination.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | -| destination.geo.region_iso_code | Region ISO code. | keyword | -| destination.geo.region_name | Region name. 
| keyword | -| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | -| destination.port | Port of the destination. | long | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| error.message | Error message. | match_only_text | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | -| event.dataset | Event dataset | constant_keyword | -| event.id | Unique ID to describe the event. | keyword | -| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. 
In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | -| event.module | Event module | constant_keyword | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. 
| ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| input.type | Type of Filebeat input. | keyword | -| log.file.path | Full path to the log file this event came from. | keyword | -| log.flags | Flags for the log file. | keyword | -| log.offset | Offset of the entry in the log file. | long | -| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword | -| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword | -| related.hash | All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). 
| keyword | -| related.ip | All of the IPs seen on your event. | ip | -| server.address | Some event server addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| source.as.organization.name | Organization name. | keyword | -| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text | -| source.geo.city_name | City name. | keyword | -| source.geo.continent_name | Name of the continent. | keyword | -| source.geo.country_iso_code | Country ISO code. | keyword | -| source.geo.country_name | Country name. | keyword | -| source.geo.location | Longitude and latitude. | geo_point | -| source.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | -| source.geo.region_iso_code | Region ISO code. | keyword | -| source.geo.region_name | Region name. | keyword | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| source.port | Port of the source. | long | -| tags | List of keywords used to tag each event. | keyword | -| tls.cipher | String indicating the cipher used during the current connection. 
| keyword | -| tls.client.issuer | Distinguished name of subject of the issuer of the x.509 certificate presented by the client. | keyword | -| tls.client.ja3 | A hash that identifies clients based on how they perform an SSL/TLS handshake. | keyword | -| tls.client.x509.subject.common_name | List of common names (CN) of subject. | keyword | -| tls.client.x509.subject.country | List of country \(C) code | keyword | -| tls.client.x509.subject.locality | List of locality names (L) | keyword | -| tls.client.x509.subject.organization | List of organizations (O) of subject. | keyword | -| tls.client.x509.subject.organizational_unit | List of organizational units (OU) of subject. | keyword | -| tls.client.x509.subject.state_or_province | List of state or province names (ST, S, or P) | keyword | -| tls.curve | String indicating the curve used for the given cipher, when applicable. | keyword | -| tls.established | Boolean flag indicating if the TLS negotiation was successful and transitioned to an encrypted tunnel. | boolean | -| tls.resumed | Boolean flag indicating if this TLS connection was resumed from an existing TLS negotiation. | boolean | -| tls.server.hash.sha1 | Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the server. For consistency with other hash values, this value should be formatted as an uppercase hash. | keyword | -| tls.server.issuer | Subject of the issuer of the x.509 certificate presented by the server. | keyword | -| tls.server.ja3s | A hash that identifies servers based on how they perform an SSL/TLS handshake. | keyword | -| tls.server.not_after | Timestamp indicating when server certificate is no longer considered valid. | date | -| tls.server.not_before | Timestamp indicating when server certificate is first considered valid. | date | -| tls.server.subject | Subject of the x.509 certificate presented by the server. 
| keyword | -| tls.server.x509.issuer.common_name | List of common name (CN) of issuing certificate authority. | keyword | -| tls.server.x509.issuer.country | List of country \(C) codes | keyword | -| tls.server.x509.issuer.distinguished_name | Distinguished name (DN) of issuing certificate authority. | keyword | -| tls.server.x509.issuer.locality | List of locality names (L) | keyword | -| tls.server.x509.issuer.organization | List of organizations (O) of issuing certificate authority. | keyword | -| tls.server.x509.issuer.organizational_unit | List of organizational units (OU) of issuing certificate authority. | keyword | -| tls.server.x509.issuer.state_or_province | List of state or province names (ST, S, or P) | keyword | -| tls.server.x509.subject.common_name | List of common names (CN) of subject. | keyword | -| tls.server.x509.subject.country | List of country \(C) code | keyword | -| tls.server.x509.subject.locality | List of locality names (L) | keyword | -| tls.server.x509.subject.organization | List of organizations (O) of subject. | keyword | -| tls.server.x509.subject.organizational_unit | List of organizational units (OU) of subject. | keyword | -| tls.server.x509.subject.state_or_province | List of state or province names (ST, S, or P) | keyword | -| tls.version | Numeric part of the version parsed from the original string. | keyword | -| tls.version_protocol | Normalized lowercase protocol name parsed from original string. | keyword | -| zeek.session_id | A unique identifier of the session | keyword | -| zeek.ssl.cipher | SSL/TLS cipher suite that was logged. | keyword | -| zeek.ssl.client.cert_chain | Chain of certificates offered by the client to validate its complete signing chain. | keyword | -| zeek.ssl.client.cert_chain_fuids | An ordered vector of certificate file identifiers for the certificates offered by the client. | keyword | -| zeek.ssl.client.issuer.common_name | Common name of the signer of the X.509 certificate offered by the client. 
| keyword | -| zeek.ssl.client.issuer.country | Country code of the signer of the X.509 certificate offered by the client. | keyword | -| zeek.ssl.client.issuer.locality | Locality of the signer of the X.509 certificate offered by the client. | keyword | -| zeek.ssl.client.issuer.organization | Organization of the signer of the X.509 certificate offered by the client. | keyword | -| zeek.ssl.client.issuer.organizational_unit | Organizational unit of the signer of the X.509 certificate offered by the client. | keyword | -| zeek.ssl.client.issuer.state | State or province name of the signer of the X.509 certificate offered by the client. | keyword | -| zeek.ssl.client.subject.common_name | Common name of the X.509 certificate offered by the client. | keyword | -| zeek.ssl.client.subject.country | Country code of the X.509 certificate offered by the client. | keyword | -| zeek.ssl.client.subject.locality | Locality of the X.509 certificate offered by the client. | keyword | -| zeek.ssl.client.subject.organization | Organization of the X.509 certificate offered by the client. | keyword | -| zeek.ssl.client.subject.organizational_unit | Organizational unit of the X.509 certificate offered by the client. | keyword | -| zeek.ssl.client.subject.state | State or province name of the X.509 certificate offered by the client. | keyword | -| zeek.ssl.curve | Elliptic curve that was logged when using ECDH/ECDHE. | keyword | -| zeek.ssl.established | Flag to indicate if this ssl session has been established successfully. | boolean | -| zeek.ssl.last_alert | Last alert that was seen during the connection. | keyword | -| zeek.ssl.next_protocol | Next protocol the server chose using the application layer next protocol extension. | keyword | -| zeek.ssl.resumed | Flag to indicate if the session was resumed reusing the key material exchanged in an earlier connection. 
| boolean | -| zeek.ssl.server.cert_chain | Chain of certificates offered by the server to validate its complete signing chain. | keyword | -| zeek.ssl.server.cert_chain_fuids | An ordered vector of certificate file identifiers for the certificates offered by the server. | keyword | -| zeek.ssl.server.issuer.common_name | Common name of the signer of the X.509 certificate offered by the server. | keyword | -| zeek.ssl.server.issuer.country | Country code of the signer of the X.509 certificate offered by the server. | keyword | -| zeek.ssl.server.issuer.locality | Locality of the signer of the X.509 certificate offered by the server. | keyword | -| zeek.ssl.server.issuer.organization | Organization of the signer of the X.509 certificate offered by the server. | keyword | -| zeek.ssl.server.issuer.organizational_unit | Organizational unit of the signer of the X.509 certificate offered by the server. | keyword | -| zeek.ssl.server.issuer.state | State or province name of the signer of the X.509 certificate offered by the server. | keyword | -| zeek.ssl.server.name | Value of the Server Name Indicator SSL/TLS extension. It indicates the server name that the client was requesting. | keyword | -| zeek.ssl.server.subject.common_name | Common name of the X.509 certificate offered by the server. | keyword | -| zeek.ssl.server.subject.country | Country code of the X.509 certificate offered by the server. | keyword | -| zeek.ssl.server.subject.locality | Locality of the X.509 certificate offered by the server. | keyword | -| zeek.ssl.server.subject.organization | Organization of the X.509 certificate offered by the server. | keyword | -| zeek.ssl.server.subject.organizational_unit | Organizational unit of the X.509 certificate offered by the server. | keyword | -| zeek.ssl.server.subject.state | State or province name of the X.509 certificate offered by the server. 
| keyword | -| zeek.ssl.validation.code | Result of certificate validation for this connection, given as OpenSSL validation code. | keyword | -| zeek.ssl.validation.status | Result of certificate validation for this connection. | keyword | -| zeek.ssl.version | SSL/TLS version that was logged. | keyword | - - -### stats - -The `stats` dataset collects the Zeek stats.log file, which contains -memory/event/packet/lag statistics. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. 
When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| error.message | Error message. | match_only_text | -| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | -| event.dataset | Event dataset | constant_keyword | -| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. 
| keyword | -| event.module | Event module | constant_keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| input.type | Type of Filebeat input. | keyword | -| log.file.path | Full path to the log file this event came from. | keyword | -| log.flags | Flags for the log file. 
| keyword | -| log.offset | Offset of the entry in the log file. | long | -| tags | List of keywords used to tag each event. | keyword | -| zeek.session_id | A unique identifier of the session | keyword | -| zeek.stats.bytes.received | Number of bytes received since the last stats interval if reading live traffic. | long | -| zeek.stats.connections.icmp.active | ICMP connections currently in memory. | integer | -| zeek.stats.connections.icmp.count | ICMP connections seen since last stats interval. | integer | -| zeek.stats.connections.tcp.active | TCP connections currently in memory. | integer | -| zeek.stats.connections.tcp.count | TCP connections seen since last stats interval. | integer | -| zeek.stats.connections.udp.active | UDP connections currently in memory. | integer | -| zeek.stats.connections.udp.count | UDP connections seen since last stats interval. | integer | -| zeek.stats.dns_requests.active | Current number of DNS requests awaiting a reply. | integer | -| zeek.stats.dns_requests.count | Number of DNS requests seen since last stats interval. | integer | -| zeek.stats.events.processed | Number of events processed since the last stats interval. | integer | -| zeek.stats.events.queued | Number of events that have been queued since the last stats interval. | integer | -| zeek.stats.files.active | Current number of files actively being seen. | integer | -| zeek.stats.files.count | Number of files seen since last stats interval. | integer | -| zeek.stats.memory | Amount of memory currently in use in MB. | integer | -| zeek.stats.packets.dropped | Number of packets dropped since the last stats interval if reading live traffic. | long | -| zeek.stats.packets.processed | Number of packets processed since the last stats interval. | long | -| zeek.stats.packets.received | Number of packets seen on the link since the last stats interval if reading live traffic. | long | -| zeek.stats.peer | Peer that generated this log. Mostly for clusters. 
| keyword | -| zeek.stats.reassembly_size.file | Current size of File data in reassembly. | integer | -| zeek.stats.reassembly_size.frag | Current size of packet fragment data in reassembly. | integer | -| zeek.stats.reassembly_size.tcp | Current size of TCP data in reassembly. | integer | -| zeek.stats.reassembly_size.unknown | Current size of unknown data in reassembly (this is only PIA buffer right now). | integer | -| zeek.stats.timers.active | Current number of scheduled timers. | integer | -| zeek.stats.timers.count | Number of timers scheduled since last stats interval. | integer | -| zeek.stats.timestamp_lag | Lag between the wall clock and packet timestamps if reading live traffic. | integer | - - -### syslog - -The `syslog` dataset collects the Zeek syslog.log file which contains -syslog messages. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. 
| keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| destination.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| destination.as.organization.name | Organization name. | keyword | -| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. | match_only_text | -| destination.geo.city_name | City name. | keyword | -| destination.geo.continent_name | Name of the continent. | keyword | -| destination.geo.country_iso_code | Country ISO code. | keyword | -| destination.geo.country_name | Country name. | keyword | -| destination.geo.location | Longitude and latitude. | geo_point | -| destination.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | -| destination.geo.region_iso_code | Region ISO code. | keyword | -| destination.geo.region_name | Region name. | keyword | -| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | -| destination.port | Port of the destination. | long | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. 
When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| error.message | Error message. | match_only_text | -| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | -| event.dataset | Event dataset | constant_keyword | -| event.id | Unique ID to describe the event. | keyword | -| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. 
| keyword | -| event.module | Event module | constant_keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| input.type | Type of Filebeat input. | keyword | -| log.file.path | Full path to the log file this event came from. | keyword | -| log.flags | Flags for the log file. 
| keyword | -| log.offset | Offset of the entry in the log file. | long | -| log.syslog.facility.name | The Syslog text-based facility of the log event, if available. | keyword | -| log.syslog.severity.name | The Syslog numeric severity of the log event, if available. If the event source publishing via Syslog provides a different severity value (e.g. firewall, IDS), your source's text severity should go to `log.level`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `log.level`. | keyword | -| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | -| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword | -| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword | -| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| source.as.number | Unique number allocated to the autonomous system. 
The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| source.as.organization.name | Organization name. | keyword | -| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text | -| source.geo.city_name | City name. | keyword | -| source.geo.continent_name | Name of the continent. | keyword | -| source.geo.country_iso_code | Country ISO code. | keyword | -| source.geo.country_name | Country name. | keyword | -| source.geo.location | Longitude and latitude. | geo_point | -| source.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | -| source.geo.region_iso_code | Region ISO code. | keyword | -| source.geo.region_name | Region name. | keyword | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| source.port | Port of the source. | long | -| tags | List of keywords used to tag each event. | keyword | -| zeek.session_id | A unique identifier of the session | keyword | -| zeek.syslog.facility | Syslog facility for the message. | keyword | -| zeek.syslog.msg | The plain text message. | keyword | -| zeek.syslog.severity | Syslog severity for the message. | keyword | - - -### traceroute - -The `traceroute` dataset collects the Zeek traceroute.log file, which -contains traceroute detections. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. 
| keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| destination.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| destination.as.organization.name | Organization name. | keyword | -| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. | match_only_text | -| destination.geo.city_name | City name. | keyword | -| destination.geo.continent_name | Name of the continent. | keyword | -| destination.geo.country_iso_code | Country ISO code. | keyword | -| destination.geo.country_name | Country name. | keyword | -| destination.geo.location | Longitude and latitude. | geo_point | -| destination.geo.name | User-defined description of a location, at the level of granularity they care about. 
Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | -| destination.geo.region_iso_code | Region ISO code. | keyword | -| destination.geo.region_name | Region name. | keyword | -| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| error.message | Error message. | match_only_text | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | -| event.dataset | Event dataset | constant_keyword | -| event.ingested | Timestamp when an event arrived in the central data store. 
This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | -| event.module | Event module | constant_keyword | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. 
As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| input.type | Type of Filebeat input. | keyword | -| log.file.path | Full path to the log file this event came from. | keyword | -| log.flags | Flags for the log file. | keyword | -| log.offset | Offset of the entry in the log file. | long | -| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. 
Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
-| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long |
-| source.as.organization.name | Organization name. | keyword |
-| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text |
-| source.geo.city_name | City name. | keyword |
-| source.geo.continent_name | Name of the continent. | keyword |
-| source.geo.country_iso_code | Country ISO code. | keyword |
-| source.geo.country_name | Country name. | keyword |
-| source.geo.location | Longitude and latitude. | geo_point |
-| source.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword |
-| source.geo.region_iso_code | Region ISO code. | keyword |
-| source.geo.region_name | Region name. | keyword |
-| source.ip | IP address of the source (IPv4 or IPv6). | ip |
-| tags | List of keywords used to tag each event. | keyword |
-| zeek.session_id | A unique identifier of the session | keyword |
-
-
-### tunnel
-
-The `tunnel` dataset collects the Zeek tunnel.log file, which contains
-tunneling protocol events.
-
-**Exported fields**
-
-| Field | Description | Type |
-|---|---|---|
-| @timestamp | Event timestamp. | date |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. 
| keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
-| data_stream.dataset | Data stream dataset. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
-| destination.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long |
-| destination.as.organization.name | Organization name. | keyword |
-| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. | match_only_text |
-| destination.geo.city_name | City name. | keyword |
-| destination.geo.continent_name | Name of the continent. | keyword |
-| destination.geo.country_iso_code | Country ISO code. | keyword |
-| destination.geo.country_name | Country name. | keyword |
-| destination.geo.location | Longitude and latitude. | geo_point |
-| destination.geo.name | User-defined description of a location, at the level of granularity they care about. 
Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword |
-| destination.geo.region_iso_code | Region ISO code. | keyword |
-| destination.geo.region_name | Region name. | keyword |
-| destination.ip | IP address of the destination (IPv4 or IPv6). | ip |
-| destination.port | Port of the destination. | long |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| error.message | Error message. | match_only_text |
-| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword |
-| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword |
-| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. 
This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date |
-| event.dataset | Event dataset | constant_keyword |
-| event.id | Unique ID to describe the event. | keyword |
-| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date |
-| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword |
-| event.module | Event module | constant_keyword |
-| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. 
| boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| input.type | Type of Filebeat input. | keyword |
-| log.file.path | Full path to the log file this event came from. | keyword |
-| log.flags | Flags for the log file. | keyword |
-| log.offset | Offset of the entry in the log file. | long |
-| related.ip | All of the IPs seen on your event. 
| ip |
-| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
-| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long |
-| source.as.organization.name | Organization name. | keyword |
-| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text |
-| source.geo.city_name | City name. | keyword |
-| source.geo.continent_name | Name of the continent. | keyword |
-| source.geo.country_iso_code | Country ISO code. | keyword |
-| source.geo.country_name | Country name. | keyword |
-| source.geo.location | Longitude and latitude. | geo_point |
-| source.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword |
-| source.geo.region_iso_code | Region ISO code. | keyword |
-| source.geo.region_name | Region name. | keyword |
-| source.ip | IP address of the source (IPv4 or IPv6). | ip |
-| source.port | Port of the source. | long |
-| tags | List of keywords used to tag each event. | keyword |
-| zeek.session_id | A unique identifier of the session | keyword |
-| zeek.tunnel.action | The type of activity that occurred. | keyword |
-| zeek.tunnel.type | The type of tunnel. | keyword |
-
-
-### weird
-
-The `weird` dataset collects the Zeek weird.log file, which contains
-unexpected network-level activity.
-
-**Exported fields**
-
-| Field | Description | Type |
-|---|---|---|
-| @timestamp | Event timestamp. 
| date |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
-| data_stream.dataset | Data stream dataset. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
-| destination.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long |
-| destination.as.organization.name | Organization name. | keyword |
-| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. | match_only_text |
-| destination.geo.city_name | City name. 
| keyword |
-| destination.geo.continent_name | Name of the continent. | keyword |
-| destination.geo.country_iso_code | Country ISO code. | keyword |
-| destination.geo.country_name | Country name. | keyword |
-| destination.geo.location | Longitude and latitude. | geo_point |
-| destination.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword |
-| destination.geo.region_iso_code | Region ISO code. | keyword |
-| destination.geo.region_name | Region name. | keyword |
-| destination.ip | IP address of the destination (IPv4 or IPv6). | ip |
-| destination.port | Port of the destination. | long |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword |
-| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. 
The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date |
-| event.dataset | Event dataset | constant_keyword |
-| event.id | Unique ID to describe the event. | keyword |
-| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date |
-| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword |
-| event.module | Event module | constant_keyword |
-| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. 
| keyword |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| input.type | Type of Filebeat input. | keyword |
-| log.file.path | Full path to the log file this event came from. | keyword |
-| log.flags | Flags for the log file. | keyword |
-| log.offset | Offset of the entry in the log file. 
| long |
-| related.ip | All of the IPs seen on your event. | ip |
-| rule.name | The name of the rule or signature generating the event. | keyword |
-| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
-| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long |
-| source.as.organization.name | Organization name. | keyword |
-| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text |
-| source.geo.city_name | City name. | keyword |
-| source.geo.continent_name | Name of the continent. | keyword |
-| source.geo.country_iso_code | Country ISO code. | keyword |
-| source.geo.country_name | Country name. | keyword |
-| source.geo.location | Longitude and latitude. | geo_point |
-| source.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword |
-| source.geo.region_iso_code | Region ISO code. | keyword |
-| source.geo.region_name | Region name. | keyword |
-| source.ip | IP address of the source (IPv4 or IPv6). | ip |
-| source.port | Port of the source. | long |
-| tags | List of keywords used to tag each event. | keyword |
-| zeek.session_id | A unique identifier of the session | keyword |
-| zeek.weird.additional_info | Additional information accompanying the weird if any. | keyword |
-| zeek.weird.identifier | This field is to be provided when a weird is generated for the purpose of deduplicating weirds. 
The identifier string should be unique for a single instance of the weird. This field is used to define when a weird is conceptually a duplicate of a previous weird. | keyword |
-| zeek.weird.name | The name of the weird that occurred. | keyword |
-| zeek.weird.notice | Indicate if this weird was also turned into a notice. | boolean |
-| zeek.weird.peer | The peer that originated this weird. This is helpful in cluster deployments if a particular cluster node is having trouble to help identify which node is having trouble. | keyword |
-
-
-### x509
-
-The `x509` dataset collects the Zeek x509.log file, which contains
-X.509 certificate info.
-
-**Exported fields**
-
-| Field | Description | Type |
-|---|---|---|
-| @timestamp | Event timestamp. | date |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
-| data_stream.dataset | Data stream dataset. | constant_keyword |
-| data_stream.namespace | Data stream namespace. 
| constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| error.message | Error message. | match_only_text |
-| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date |
-| event.dataset | Event dataset | constant_keyword |
-| event.id | Unique ID to describe the event. | keyword |
-| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date |
-| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. 
The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword |
-| event.module | Event module | constant_keyword |
-| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword |
-| file.x509.alternative_names | List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses. | keyword |
-| file.x509.issuer.common_name | List of common name (CN) of issuing certificate authority. | keyword |
-| file.x509.issuer.country | List of country \(C) codes | keyword |
-| file.x509.issuer.distinguished_name | Distinguished name (DN) of issuing certificate authority. | keyword |
-| file.x509.issuer.locality | List of locality names (L) | keyword |
-| file.x509.issuer.organization | List of organizations (O) of issuing certificate authority. | keyword |
-| file.x509.issuer.organizational_unit | List of organizational units (OU) of issuing certificate authority. | keyword |
-| file.x509.issuer.state_or_province | List of state or province names (ST, S, or P) | keyword |
-| file.x509.not_after | Time at which the certificate is no longer considered valid. | date |
-| file.x509.not_before | Time at which the certificate is first considered valid. | date |
-| file.x509.public_key_algorithm | Algorithm used to generate the public key. 
| keyword |
-| file.x509.public_key_curve | The curve used by the elliptic curve public key algorithm. This is algorithm specific. | keyword |
-| file.x509.public_key_exponent | Exponent used to derive the public key. This is algorithm specific. | long |
-| file.x509.public_key_size | The size of the public key space in bits. | long |
-| file.x509.serial_number | Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters. | keyword |
-| file.x509.signature_algorithm | Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. | keyword |
-| file.x509.subject.common_name | List of common names (CN) of subject. | keyword |
-| file.x509.subject.country | List of country \(C) code | keyword |
-| file.x509.subject.distinguished_name | Distinguished name (DN) of the certificate subject entity. | keyword |
-| file.x509.subject.locality | List of locality names (L) | keyword |
-| file.x509.subject.organization | List of organizations (O) of subject. | keyword |
-| file.x509.subject.organizational_unit | List of organizational units (OU) of subject. | keyword |
-| file.x509.subject.state_or_province | List of state or province names (ST, S, or P) | keyword |
-| file.x509.version_number | Version of x509 format. | keyword |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. 
| keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| input.type | Type of Filebeat input. | keyword |
-| log.file.path | Full path to the log file this event came from. | keyword |
-| log.flags | Flags for the log file. | keyword |
-| log.offset | Offset of the entry in the log file. | long |
-| tags | List of keywords used to tag each event. | keyword |
-| zeek.session_id | A unique identifier of the session | keyword |
-| zeek.x509.basic_constraints.certificate_authority | CA flag set or not. | boolean |
-| zeek.x509.basic_constraints.path_length | Maximum path length. | integer |
-| zeek.x509.certificate.common_name | Last (most specific) common name. | keyword |
-| zeek.x509.certificate.curve | Curve, if EC-certificate. 
| keyword |
-| zeek.x509.certificate.exponent | Exponent, if RSA-certificate. | keyword |
-| zeek.x509.certificate.issuer.common_name | Common name provided in the certificate issuer field. | keyword |
-| zeek.x509.certificate.issuer.country | Country provided in the certificate issuer field. | keyword |
-| zeek.x509.certificate.issuer.locality | Locality provided in the certificate issuer field. | keyword |
-| zeek.x509.certificate.issuer.organization | Organization provided in the certificate issuer field. | keyword |
-| zeek.x509.certificate.issuer.organizational_unit | Organizational unit provided in the certificate issuer field. | keyword |
-| zeek.x509.certificate.issuer.state | State or province provided in the certificate issuer field. | keyword |
-| zeek.x509.certificate.key.algorithm | Name of the key algorithm. | keyword |
-| zeek.x509.certificate.key.length | Key length in bits. | integer |
-| zeek.x509.certificate.key.type | Key type, if key parseable by openssl (either rsa, dsa or ec). | keyword |
-| zeek.x509.certificate.serial | Serial number. | keyword |
-| zeek.x509.certificate.signature_algorithm | Name of the signature algorithm. | keyword |
-| zeek.x509.certificate.subject.common_name | Common name provided in the certificate subject. | keyword |
-| zeek.x509.certificate.subject.country | Country provided in the certificate subject. | keyword |
-| zeek.x509.certificate.subject.locality | Locality provided in the certificate subject. | keyword |
-| zeek.x509.certificate.subject.organization | Organization provided in the certificate subject. | keyword |
-| zeek.x509.certificate.subject.organizational_unit | Organizational unit provided in the certificate subject. | keyword |
-| zeek.x509.certificate.subject.state | State or province provided in the certificate subject. | keyword |
-| zeek.x509.certificate.valid.from | Timestamp before when certificate is not valid. 
| date |
-| zeek.x509.certificate.valid.until | Timestamp after when certificate is not valid. | date |
-| zeek.x509.certificate.version | Version number. | integer |
-| zeek.x509.id | File id of this certificate. | keyword |
-| zeek.x509.log_cert | Present if policy/protocols/ssl/log-hostcerts-only.bro is loaded Logging of certificate is suppressed if set to F. | boolean |
-| zeek.x509.san.dns | List of DNS entries in SAN. | keyword |
-| zeek.x509.san.email | List of email entries in SAN. | keyword |
-| zeek.x509.san.ip | List of IP entries in SAN. | ip |
-| zeek.x509.san.other_fields | True if the certificate contained other, not recognized or parsed name fields. | boolean |
-| zeek.x509.san.uri | List of URI entries in SAN. | keyword |
-
diff --git a/packages/zeek/2.5.2/img/kibana-zeek.png b/packages/zeek/2.5.2/img/kibana-zeek.png
deleted file mode 100755
index 20aea6164f..0000000000
Binary files a/packages/zeek/2.5.2/img/kibana-zeek.png and /dev/null differ
diff --git a/packages/zeek/2.5.2/img/zeek.svg b/packages/zeek/2.5.2/img/zeek.svg
deleted file mode 100755
index 0e346f98c7..0000000000
--- a/packages/zeek/2.5.2/img/zeek.svg
+++ /dev/null
@@ -1 +0,0 @@
-
\ No newline at end of file
diff --git a/packages/zeek/2.5.2/kibana/dashboard/zeek-7cbb5410-3700-11e9-aa6d-ff445a78330c.json b/packages/zeek/2.5.2/kibana/dashboard/zeek-7cbb5410-3700-11e9-aa6d-ff445a78330c.json
deleted file mode 100755
index 8d5a16ff0b..0000000000
--- a/packages/zeek/2.5.2/kibana/dashboard/zeek-7cbb5410-3700-11e9-aa6d-ff445a78330c.json
+++ /dev/null
@@ -1,62 +0,0 @@ -{ - "attributes": { - "description": "Overview of Zeek", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":12,\"i\":\"2\",\"w\":16,\"x\":0,\"y\":20},\"panelIndex\":\"2\",\"panelRefName\":\"panel_2\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":12,\"i\":\"3\",\"w\":16,\"x\":16,\"y\":20},\"panelIndex\":\"3\",\"panelRefName\":\"panel_3\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":12,\"i\":\"4\",\"w\":16,\"x\":32,\"y\":20},\"panelIndex\":\"4\",\"panelRefName\":\"panel_4\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":12,\"i\":\"5\",\"w\":16,\"x\":0,\"y\":32},\"panelIndex\":\"5\",\"panelRefName\":\"panel_5\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":12,\"i\":\"6\",\"w\":16,\"x\":16,\"y\":32},\"panelIndex\":\"6\",\"panelRefName\":\"panel_6\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":12,\"i\":\"7\",\"w\":16,\"x\":32,\"y\":32},\"panelIndex\":\"7\",\"panelRefName\":\"panel_7\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":12,\"i\":\"8\",\"w\":48,\"x\":0,\"y\":44},\"panelIndex\":\"8\",\"panelRefName\":\"panel_8\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"attributes\":{\"description\":\"\",\"layerListJSON\":\"[{\\\"sourceDescriptor\\\":{\\\"type\\\":\\\"EMS_TMS\\\",\\\"isAutoSelect\\\":true,\\\"lightModeDefault\\\":\\\"road_map_desaturated\\\"},\\\"id\\\":\\\"88dc4f7d-0197-4fbe-98b2
-910ba90cfd2d\\\",\\\"label\\\":null,\\\"minZoom\\\":0,\\\"maxZoom\\\":24,\\\"alpha\\\":1,\\\"visible\\\":true,\\\"style\\\":{\\\"type\\\":\\\"TILE\\\"},\\\"includeInFitToBounds\\\":true,\\\"type\\\":\\\"VECTOR_TILE\\\"},{\\\"alpha\\\":0.75,\\\"id\\\":\\\"d8bacd97-be31-4300-b5f7-7689d528b9ae\\\",\\\"includeInFitToBounds\\\":true,\\\"joins\\\":[],\\\"label\\\":\\\"Destination Geo [Logs Zeek]\\\",\\\"maxZoom\\\":24,\\\"minZoom\\\":0,\\\"sourceDescriptor\\\":{\\\"applyForceRefresh\\\":true,\\\"applyGlobalQuery\\\":true,\\\"applyGlobalTime\\\":true,\\\"geoField\\\":\\\"destination.geo.location\\\",\\\"id\\\":\\\"c3374e39-902e-4cc5-90c5-b6a1a3ebfdf2\\\",\\\"indexPatternId\\\":\\\"logs-*\\\",\\\"metrics\\\":[{\\\"type\\\":\\\"count\\\"}],\\\"requestType\\\":\\\"point\\\",\\\"resolution\\\":\\\"MOST_FINE\\\",\\\"type\\\":\\\"ES_GEO_GRID\\\"},\\\"style\\\":{\\\"isTimeAware\\\":true,\\\"properties\\\":{\\\"fillColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"Yellow to Red\\\",\\\"colorCategory\\\":\\\"palette_0\\\",\\\"field\\\":{\\\"name\\\":\\\"doc_count\\\",\\\"origin\\\":\\\"source\\\"},\\\"fieldMetaOptions\\\":{\\\"isEnabled\\\":false,\\\"sigma\\\":3},\\\"type\\\":\\\"ORDINAL\\\"},\\\"type\\\":\\\"DYNAMIC\\\"},\\\"icon\\\":{\\\"options\\\":{\\\"value\\\":\\\"marker\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"iconOrientation\\\":{\\\"options\\\":{\\\"orientation\\\":0},\\\"type\\\":\\\"STATIC\\\"},\\\"iconSize\\\":{\\\"options\\\":{\\\"field\\\":{\\\"name\\\":\\\"doc_count\\\",\\\"origin\\\":\\\"source\\\"},\\\"fieldMetaOptions\\\":{\\\"isEnabled\\\":false,\\\"sigma\\\":3},\\\"maxSize\\\":18,\\\"minSize\\\":7},\\\"type\\\":\\\"DYNAMIC\\\"},\\\"labelBorderColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"#FFFFFF\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"labelBorderSize\\\":{\\\"options\\\":{\\\"size\\\":\\\"SMALL\\\"}},\\\"labelColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"#000000\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"labelSize\\\":{\\\"options\\\":{\\\"size\\\":14},\\\"type\\\":\\\"STATI
C\\\"},\\\"labelText\\\":{\\\"options\\\":{\\\"value\\\":\\\"\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"lineColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"#3d3d3d\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"lineWidth\\\":{\\\"options\\\":{\\\"size\\\":1},\\\"type\\\":\\\"STATIC\\\"},\\\"symbolizeAs\\\":{\\\"options\\\":{\\\"value\\\":\\\"circle\\\"}}},\\\"type\\\":\\\"VECTOR\\\"},\\\"type\\\":\\\"VECTOR\\\",\\\"visible\\\":true}]\",\"mapStateJSON\":\"{\\\"zoom\\\":1.78,\\\"center\\\":{\\\"lon\\\":0,\\\"lat\\\":16.40767},\\\"timeFilters\\\":{\\\"from\\\":\\\"now-15m\\\",\\\"to\\\":\\\"now\\\"},\\\"refreshConfig\\\":{\\\"isPaused\\\":true,\\\"interval\\\":0},\\\"query\\\":{\\\"language\\\":\\\"kuery\\\",\\\"query\\\":\\\"(data_stream.dataset:zeek.capture_loss OR data_stream.dataset:zeek.connection OR data_stream.dataset:zeek.dce_rpc OR data_stream.dataset:zeek.dhcp OR data_stream.dataset:zeek.dnp3 OR data_stream.dataset:zeek.dns OR data_stream.dataset:zeek.dpd OR data_stream.dataset:zeek.files OR data_stream.dataset:zeek.ftp OR data_stream.dataset:zeek.http OR data_stream.dataset:zeek.intel OR data_stream.dataset:zeek.irc OR data_stream.dataset:zeek.kerberos OR data_stream.dataset:zeek.modbus OR data_stream.dataset:zeek.mysql OR data_stream.dataset:zeek.notice OR data_stream.dataset:zeek.ntlm OR data_stream.dataset:zeek.ocsp OR data_stream.dataset:zeek.pe OR data_stream.dataset:zeek.radius OR data_stream.dataset:zeek.rdp OR data_stream.dataset:zeek.rfb OR data_stream.dataset:zeek.sip OR data_stream.dataset:zeek.smb_cmd OR data_stream.dataset:zeek.smb_files OR data_stream.dataset:zeek.smb_mapping OR data_stream.dataset:zeek.smtp OR data_stream.dataset:zeek.snmp OR data_stream.dataset:zeek.socks OR data_stream.dataset:zeek.ssh OR data_stream.dataset:zeek.ssl OR data_stream.dataset:zeek.stats OR data_stream.dataset:zeek.syslog OR data_stream.dataset:zeek.traceroute OR data_stream.dataset:zeek.tunnel OR data_stream.dataset:zeek.weird OR 
data_stream.dataset:zeek.x509)\\\"},\\\"filters\\\":[],\\\"settings\\\":{\\\"autoFitToDataBounds\\\":false,\\\"backgroundColor\\\":\\\"#ffffff\\\",\\\"disableInteractive\\\":false,\\\"disableTooltipControl\\\":false,\\\"hideToolbarOverlay\\\":false,\\\"hideLayerControl\\\":false,\\\"hideViewControl\\\":false,\\\"initialLocation\\\":\\\"LAST_SAVED_LOCATION\\\",\\\"fixedLocation\\\":{\\\"lat\\\":0,\\\"lon\\\":0,\\\"zoom\\\":2},\\\"browserLocation\\\":{\\\"zoom\\\":2},\\\"maxZoom\\\":24,\\\"minZoom\\\":0,\\\"showScaleControl\\\":false,\\\"showSpatialFilters\\\":true,\\\"showTimesliderToggleButton\\\":true,\\\"spatialFiltersAlpa\\\":0.3,\\\"spatialFiltersFillColor\\\":\\\"#DA8B45\\\",\\\"spatialFiltersLineColor\\\":\\\"#DA8B45\\\"}}\",\"references\":[],\"title\":\"Destination Geo [Logs Zeek]\",\"uiStateJSON\":\"{\\\"isLayerTOCOpen\\\":true,\\\"openTOCDetails\\\":[]}\"},\"enhancements\":{},\"hiddenLayers\":[],\"isLayerTOCOpen\":true,\"mapBuffer\":{\"maxLat\":66.51326,\"maxLon\":90,\"minLat\":-66.51326,\"minLon\":-90},\"mapCenter\":{\"lat\":3.3505,\"lon\":10.89865,\"zoom\":1.78},\"openTOCDetails\":[]},\"gridData\":{\"h\":20,\"i\":\"4e6959b3-e0d0-40dc-aca0-b40adcd088bb\",\"w\":48,\"x\":0,\"y\":0},\"panelIndex\":\"4e6959b3-e0d0-40dc-aca0-b40adcd088bb\",\"type\":\"map\",\"version\":\"8.0.0\"}]", - "timeRestore": false, - "title": "[Logs Zeek] Overview", - "version": 1 - }, - "coreMigrationVersion": "8.0.0", - "id": "zeek-7cbb5410-3700-11e9-aa6d-ff445a78330c", - "migrationVersion": { - "dashboard": "8.0.0" - }, - "references": [ - { - "id": "zeek-1df7ea80-370d-11e9-aa6d-ff445a78330c", - "name": "2:panel_2", - "type": "visualization" - }, - { - "id": "zeek-466e5850-370d-11e9-aa6d-ff445a78330c", - "name": "3:panel_3", - "type": "visualization" - }, - { - "id": "zeek-649acd40-370d-11e9-aa6d-ff445a78330c", - "name": "4:panel_4", - "type": "visualization" - }, - { - "id": "zeek-9436c270-370d-11e9-aa6d-ff445a78330c", - "name": "5:panel_5", - "type": "visualization" - }, - { - 
"id": "zeek-bec2f0e0-370d-11e9-aa6d-ff445a78330c", - "name": "6:panel_6", - "type": "visualization" - }, - { - "id": "zeek-e042fda0-370d-11e9-aa6d-ff445a78330c", - "name": "7:panel_7", - "type": "visualization" - }, - { - "id": "zeek-f8c40810-370d-11e9-aa6d-ff445a78330c", - "name": "8:panel_8", - "type": "visualization" - }, - { - "id": "logs-*", - "name": "4e6959b3-e0d0-40dc-aca0-b40adcd088bb:layer_1_source_index_pattern", - "type": "index-pattern" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/zeek/2.5.2/kibana/visualization/zeek-1df7ea80-370d-11e9-aa6d-ff445a78330c.json b/packages/zeek/2.5.2/kibana/visualization/zeek-1df7ea80-370d-11e9-aa6d-ff445a78330c.json deleted file mode 100755 index d37e28de1b..0000000000 --- a/packages/zeek/2.5.2/kibana/visualization/zeek-1df7ea80-370d-11e9-aa6d-ff445a78330c.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"(data_stream.dataset:zeek.capture_loss OR data_stream.dataset:zeek.connection OR data_stream.dataset:zeek.dce_rpc OR data_stream.dataset:zeek.dhcp OR data_stream.dataset:zeek.dnp3 OR data_stream.dataset:zeek.dns OR data_stream.dataset:zeek.dpd OR data_stream.dataset:zeek.files OR data_stream.dataset:zeek.ftp OR data_stream.dataset:zeek.http OR data_stream.dataset:zeek.intel OR data_stream.dataset:zeek.irc OR data_stream.dataset:zeek.kerberos OR data_stream.dataset:zeek.modbus OR data_stream.dataset:zeek.mysql OR data_stream.dataset:zeek.notice OR data_stream.dataset:zeek.ntlm OR data_stream.dataset:zeek.ocsp OR data_stream.dataset:zeek.pe OR data_stream.dataset:zeek.radius OR data_stream.dataset:zeek.rdp OR data_stream.dataset:zeek.rfb OR data_stream.dataset:zeek.sip OR data_stream.dataset:zeek.smb_cmd OR data_stream.dataset:zeek.smb_files OR data_stream.dataset:zeek.smb_mapping OR data_stream.dataset:zeek.smtp OR data_stream.dataset:zeek.snmp OR data_stream.dataset:zeek.socks OR data_stream.dataset:zeek.ssh OR data_stream.dataset:zeek.ssl OR data_stream.dataset:zeek.stats OR data_stream.dataset:zeek.syslog OR data_stream.dataset:zeek.traceroute OR data_stream.dataset:zeek.tunnel OR data_stream.dataset:zeek.weird OR data_stream.dataset:zeek.x509)\"}}" - }, - "title": "Network Transport [Logs Zeek]", - "uiStateJSON": "{}", - "version": 1, - "visState": 
"{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"network.transport\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"dimensions\":{\"metric\":{\"accessor\":0,\"aggType\":\"count\",\"format\":{\"id\":\"number\"},\"params\":{}}},\"distinctColors\":true,\"isDonut\":true,\"labels\":{\"last_level\":true,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"type\":\"pie\"},\"title\":\"Network Transport [Logs Zeek]\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "zeek-1df7ea80-370d-11e9-aa6d-ff445a78330c", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/zeek/2.5.2/kibana/visualization/zeek-466e5850-370d-11e9-aa6d-ff445a78330c.json b/packages/zeek/2.5.2/kibana/visualization/zeek-466e5850-370d-11e9-aa6d-ff445a78330c.json deleted file mode 100755 index c80921c34f..0000000000 --- a/packages/zeek/2.5.2/kibana/visualization/zeek-466e5850-370d-11e9-aa6d-ff445a78330c.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"(data_stream.dataset:zeek.capture_loss OR data_stream.dataset:zeek.connection OR data_stream.dataset:zeek.dce_rpc OR data_stream.dataset:zeek.dhcp OR data_stream.dataset:zeek.dnp3 OR data_stream.dataset:zeek.dns OR data_stream.dataset:zeek.dpd OR data_stream.dataset:zeek.files OR data_stream.dataset:zeek.ftp OR data_stream.dataset:zeek.http OR data_stream.dataset:zeek.intel OR data_stream.dataset:zeek.irc OR data_stream.dataset:zeek.kerberos OR data_stream.dataset:zeek.modbus OR data_stream.dataset:zeek.mysql OR data_stream.dataset:zeek.notice OR data_stream.dataset:zeek.ntlm OR data_stream.dataset:zeek.ocsp OR data_stream.dataset:zeek.pe OR data_stream.dataset:zeek.radius OR data_stream.dataset:zeek.rdp OR data_stream.dataset:zeek.rfb OR data_stream.dataset:zeek.sip OR data_stream.dataset:zeek.smb_cmd OR data_stream.dataset:zeek.smb_files OR data_stream.dataset:zeek.smb_mapping OR data_stream.dataset:zeek.smtp OR data_stream.dataset:zeek.snmp OR data_stream.dataset:zeek.socks OR data_stream.dataset:zeek.ssh OR data_stream.dataset:zeek.ssl OR data_stream.dataset:zeek.stats OR data_stream.dataset:zeek.syslog OR data_stream.dataset:zeek.traceroute OR data_stream.dataset:zeek.tunnel OR data_stream.dataset:zeek.weird OR data_stream.dataset:zeek.x509)\"}}" - }, - "title": "Network Protocols [Logs Zeek]", - "uiStateJSON": "{}", - "version": 1, - "visState": 
"{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"network.protocol\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"dimensions\":{\"metric\":{\"accessor\":0,\"aggType\":\"count\",\"format\":{\"id\":\"number\"},\"params\":{}}},\"distinctColors\":true,\"isDonut\":true,\"labels\":{\"last_level\":true,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"type\":\"pie\"},\"title\":\"Network Protocols [Logs Zeek]\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "zeek-466e5850-370d-11e9-aa6d-ff445a78330c", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/zeek/2.5.2/kibana/visualization/zeek-649acd40-370d-11e9-aa6d-ff445a78330c.json b/packages/zeek/2.5.2/kibana/visualization/zeek-649acd40-370d-11e9-aa6d-ff445a78330c.json deleted file mode 100755 index e465c8b637..0000000000 --- a/packages/zeek/2.5.2/kibana/visualization/zeek-649acd40-370d-11e9-aa6d-ff445a78330c.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"(data_stream.dataset:zeek.capture_loss OR data_stream.dataset:zeek.connection OR data_stream.dataset:zeek.dce_rpc OR data_stream.dataset:zeek.dhcp OR data_stream.dataset:zeek.dnp3 OR data_stream.dataset:zeek.dns OR data_stream.dataset:zeek.dpd OR data_stream.dataset:zeek.files OR data_stream.dataset:zeek.ftp OR data_stream.dataset:zeek.http OR data_stream.dataset:zeek.intel OR data_stream.dataset:zeek.irc OR data_stream.dataset:zeek.kerberos OR data_stream.dataset:zeek.modbus OR data_stream.dataset:zeek.mysql OR data_stream.dataset:zeek.notice OR data_stream.dataset:zeek.ntlm OR data_stream.dataset:zeek.ocsp OR data_stream.dataset:zeek.pe OR data_stream.dataset:zeek.radius OR data_stream.dataset:zeek.rdp OR data_stream.dataset:zeek.rfb OR data_stream.dataset:zeek.sip OR data_stream.dataset:zeek.smb_cmd OR data_stream.dataset:zeek.smb_files OR data_stream.dataset:zeek.smb_mapping OR data_stream.dataset:zeek.smtp OR data_stream.dataset:zeek.snmp OR data_stream.dataset:zeek.socks OR data_stream.dataset:zeek.ssh OR data_stream.dataset:zeek.ssl OR data_stream.dataset:zeek.stats OR data_stream.dataset:zeek.syslog OR data_stream.dataset:zeek.traceroute OR data_stream.dataset:zeek.tunnel OR data_stream.dataset:zeek.weird OR data_stream.dataset:zeek.x509)\"}}" - }, - "title": "Network Traffic Direction [Logs Zeek]", - "uiStateJSON": "{}", - "version": 1, - "visState": 
"{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"network.direction\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"dimensions\":{\"metric\":{\"accessor\":0,\"aggType\":\"count\",\"format\":{\"id\":\"number\"},\"params\":{}}},\"distinctColors\":true,\"isDonut\":true,\"labels\":{\"last_level\":true,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"type\":\"pie\"},\"title\":\"Network Traffic Direction [Logs Zeek]\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "zeek-649acd40-370d-11e9-aa6d-ff445a78330c", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/zeek/2.5.2/kibana/visualization/zeek-9436c270-370d-11e9-aa6d-ff445a78330c.json b/packages/zeek/2.5.2/kibana/visualization/zeek-9436c270-370d-11e9-aa6d-ff445a78330c.json deleted file mode 100755 index 88a7ac664c..0000000000 --- a/packages/zeek/2.5.2/kibana/visualization/zeek-9436c270-370d-11e9-aa6d-ff445a78330c.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"(data_stream.dataset:zeek.capture_loss OR data_stream.dataset:zeek.connection OR data_stream.dataset:zeek.dce_rpc OR data_stream.dataset:zeek.dhcp OR data_stream.dataset:zeek.dnp3 OR data_stream.dataset:zeek.dns OR data_stream.dataset:zeek.dpd OR data_stream.dataset:zeek.files OR data_stream.dataset:zeek.ftp OR data_stream.dataset:zeek.http OR data_stream.dataset:zeek.intel OR data_stream.dataset:zeek.irc OR data_stream.dataset:zeek.kerberos OR data_stream.dataset:zeek.modbus OR data_stream.dataset:zeek.mysql OR data_stream.dataset:zeek.notice OR data_stream.dataset:zeek.ntlm OR data_stream.dataset:zeek.ocsp OR data_stream.dataset:zeek.pe OR data_stream.dataset:zeek.radius OR data_stream.dataset:zeek.rdp OR data_stream.dataset:zeek.rfb OR data_stream.dataset:zeek.sip OR data_stream.dataset:zeek.smb_cmd OR data_stream.dataset:zeek.smb_files OR data_stream.dataset:zeek.smb_mapping OR data_stream.dataset:zeek.smtp OR data_stream.dataset:zeek.snmp OR data_stream.dataset:zeek.socks OR data_stream.dataset:zeek.ssh OR data_stream.dataset:zeek.ssl OR data_stream.dataset:zeek.stats OR data_stream.dataset:zeek.syslog OR data_stream.dataset:zeek.traceroute OR data_stream.dataset:zeek.tunnel OR data_stream.dataset:zeek.weird OR data_stream.dataset:zeek.x509)\"}}" - }, - "title": "Top DNS Domains [Logs Zeek]", - "uiStateJSON": "{}", - "version": 1, - "visState": 
"{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"zeek.dns.query\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"dimensions\":{\"metric\":{\"accessor\":0,\"aggType\":\"count\",\"format\":{\"id\":\"number\"},\"params\":{}}},\"distinctColors\":true,\"isDonut\":true,\"labels\":{\"last_level\":true,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"type\":\"pie\"},\"title\":\"Top DNS Domains [Logs Zeek]\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "zeek-9436c270-370d-11e9-aa6d-ff445a78330c", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/zeek/2.5.2/kibana/visualization/zeek-bec2f0e0-370d-11e9-aa6d-ff445a78330c.json b/packages/zeek/2.5.2/kibana/visualization/zeek-bec2f0e0-370d-11e9-aa6d-ff445a78330c.json deleted file mode 100755 index 3b47e2805c..0000000000 --- a/packages/zeek/2.5.2/kibana/visualization/zeek-bec2f0e0-370d-11e9-aa6d-ff445a78330c.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"(data_stream.dataset:zeek.capture_loss OR data_stream.dataset:zeek.connection OR data_stream.dataset:zeek.dce_rpc OR data_stream.dataset:zeek.dhcp OR data_stream.dataset:zeek.dnp3 OR data_stream.dataset:zeek.dns OR data_stream.dataset:zeek.dpd OR data_stream.dataset:zeek.files OR data_stream.dataset:zeek.ftp OR data_stream.dataset:zeek.http OR data_stream.dataset:zeek.intel OR data_stream.dataset:zeek.irc OR data_stream.dataset:zeek.kerberos OR data_stream.dataset:zeek.modbus OR data_stream.dataset:zeek.mysql OR data_stream.dataset:zeek.notice OR data_stream.dataset:zeek.ntlm OR data_stream.dataset:zeek.ocsp OR data_stream.dataset:zeek.pe OR data_stream.dataset:zeek.radius OR data_stream.dataset:zeek.rdp OR data_stream.dataset:zeek.rfb OR data_stream.dataset:zeek.sip OR data_stream.dataset:zeek.smb_cmd OR data_stream.dataset:zeek.smb_files OR data_stream.dataset:zeek.smb_mapping OR data_stream.dataset:zeek.smtp OR data_stream.dataset:zeek.snmp OR data_stream.dataset:zeek.socks OR data_stream.dataset:zeek.ssh OR data_stream.dataset:zeek.ssl OR data_stream.dataset:zeek.stats OR data_stream.dataset:zeek.syslog OR data_stream.dataset:zeek.traceroute OR data_stream.dataset:zeek.tunnel OR data_stream.dataset:zeek.weird OR data_stream.dataset:zeek.x509)\"}}" - }, - "title": "Top URL Domains [Logs Zeek]", - "uiStateJSON": "{}", - "version": 1, - "visState": 
"{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"url.domain\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"dimensions\":{\"buckets\":[{\"accessor\":0,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}}],\"metric\":{\"accessor\":1,\"aggType\":\"count\",\"format\":{\"id\":\"number\"},\"params\":{}}},\"distinctColors\":true,\"isDonut\":true,\"labels\":{\"last_level\":true,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"type\":\"pie\"},\"title\":\"Top URL Domains [Logs Zeek]\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "zeek-bec2f0e0-370d-11e9-aa6d-ff445a78330c", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/zeek/2.5.2/kibana/visualization/zeek-e042fda0-370d-11e9-aa6d-ff445a78330c.json b/packages/zeek/2.5.2/kibana/visualization/zeek-e042fda0-370d-11e9-aa6d-ff445a78330c.json deleted file mode 100755 index 3c90d1037d..0000000000 --- a/packages/zeek/2.5.2/kibana/visualization/zeek-e042fda0-370d-11e9-aa6d-ff445a78330c.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"(data_stream.dataset:zeek.capture_loss OR data_stream.dataset:zeek.connection OR data_stream.dataset:zeek.dce_rpc OR data_stream.dataset:zeek.dhcp OR data_stream.dataset:zeek.dnp3 OR data_stream.dataset:zeek.dns OR data_stream.dataset:zeek.dpd OR data_stream.dataset:zeek.files OR data_stream.dataset:zeek.ftp OR data_stream.dataset:zeek.http OR data_stream.dataset:zeek.intel OR data_stream.dataset:zeek.irc OR data_stream.dataset:zeek.kerberos OR data_stream.dataset:zeek.modbus OR data_stream.dataset:zeek.mysql OR data_stream.dataset:zeek.notice OR data_stream.dataset:zeek.ntlm OR data_stream.dataset:zeek.ocsp OR data_stream.dataset:zeek.pe OR data_stream.dataset:zeek.radius OR data_stream.dataset:zeek.rdp OR data_stream.dataset:zeek.rfb OR data_stream.dataset:zeek.sip OR data_stream.dataset:zeek.smb_cmd OR data_stream.dataset:zeek.smb_files OR data_stream.dataset:zeek.smb_mapping OR data_stream.dataset:zeek.smtp OR data_stream.dataset:zeek.snmp OR data_stream.dataset:zeek.socks OR data_stream.dataset:zeek.ssh OR data_stream.dataset:zeek.ssl OR data_stream.dataset:zeek.stats OR data_stream.dataset:zeek.syslog OR data_stream.dataset:zeek.traceroute OR data_stream.dataset:zeek.tunnel OR data_stream.dataset:zeek.weird OR data_stream.dataset:zeek.x509)\"}}" - }, - "title": "Top SSL Servers [Logs Zeek]", - "uiStateJSON": "{}", - "version": 1, - "visState": 
"{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"zeek.ssl.server.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"dimensions\":{\"metric\":{\"accessor\":0,\"aggType\":\"count\",\"format\":{\"id\":\"number\"},\"params\":{}}},\"distinctColors\":true,\"isDonut\":true,\"labels\":{\"last_level\":true,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"type\":\"pie\"},\"title\":\"Top SSL Servers [Logs Zeek]\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "zeek-e042fda0-370d-11e9-aa6d-ff445a78330c", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/zeek/2.5.2/kibana/visualization/zeek-f8c40810-370d-11e9-aa6d-ff445a78330c.json b/packages/zeek/2.5.2/kibana/visualization/zeek-f8c40810-370d-11e9-aa6d-ff445a78330c.json deleted file mode 100755 index 90b14febbe..0000000000 --- a/packages/zeek/2.5.2/kibana/visualization/zeek-f8c40810-370d-11e9-aa6d-ff445a78330c.json +++ /dev/null 
@@ -1,19 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Number of Sessions Overtime [Logs Zeek]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"drop_last_bucket\":1,\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"logs-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"line_width\":1,\"metrics\":[{\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"count\"}],\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Number of Sessions Overtime [Logs Zeek]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "zeek-f8c40810-370d-11e9-aa6d-ff445a78330c", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/zeek/2.5.2/manifest.yml b/packages/zeek/2.5.2/manifest.yml deleted file mode 100755 index 9971dd3b95..0000000000 --- a/packages/zeek/2.5.2/manifest.yml +++ /dev/null 
@@ -1,102 +0,0 @@ -name: zeek -title: Zeek -version: 2.5.2 -release: ga -description: Collect logs from Zeek with Elastic Agent. -type: integration -icons: - - src: /img/zeek.svg - title: zeek - size: 214x203 - type: image/svg+xml -format_version: 1.0.0 -license: basic -categories: [network, monitoring, security] -conditions: - kibana.version: ^8.0.0 -screenshots: - - src: /img/kibana-zeek.png - title: kibana zeek - size: 3530x2414 - type: image/png -policy_templates: - - name: zeek - title: Zeek logs - description: Collect logs from Zeek instances - inputs: - - type: logfile - title: "Collect Zeek logs" - description: "Collects logs from Zeek instances. Supported logs include: capture_loss, connection, dce_rpc, dhcp, dnp3, dns, dpd, files, ftp, http, intel, irc, kerberos, modbus, mysql, notice, ntlm, ntp, ocsp, pe, radius, rdp, rfb, signature, sip, smb_cmd, smb_files, smb_mapping, smtp, snmp, socks, ssh, ssl, stats, syslog, traceroute, tunnel, weird and x509" - vars: - - name: base_paths - required: true - show_user: true - title: Base Path - description: Base paths to zeek log files (eg. /var/log/bro/current) - type: text - multi: true - default: - - /var/log/bro/current - - /opt/zeek/logs/current - - /usr/local/var/spool/zeek - - type: httpjson - title: Collect logs from third-party REST API (experimental) - description: Collect logs from third-party REST API (experimental) - vars: - - name: url - type: text - title: URL of Splunk Enterprise Server - description: i.e. scheme://host:port, path is automatic - show_user: true - required: true - default: https://server.example.com:8089 - - name: username - type: text - title: Splunk REST API Username - show_user: true - required: false - - name: password - type: password - title: Splunk REST API Password - show_user: true - required: false - - name: token - type: password - title: Splunk Authorization Token - description: | - Bearer Token or Session Key, e.g. "Bearer eyJFd3e46..." - or "Splunk 192fd3e...". 
Cannot be used with username - and password. - show_user: true - required: false - - name: ssl - type: yaml - title: SSL Configuration - description: i.e. certificate_authorities, supported_protocols, verification_mode etc. - multi: false - required: false - show_user: false - default: | - #certificate_authorities: - # - | - # -----BEGIN CERTIFICATE----- - # MIIDCjCCAfKgAwIBAgITJ706Mu2wJlKckpIvkWxEHvEyijANBgkqhkiG9w0BAQsF - # ADAUMRIwEAYDVQQDDAlsb2NhbGhvc3QwIBcNMTkwNzIyMTkyOTA0WhgPMjExOTA2 - # MjgxOTI5MDRaMBQxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEB - # BQADggEPADCCAQoCggEBANce58Y/JykI58iyOXpxGfw0/gMvF0hUQAcUrSMxEO6n - # fZRA49b4OV4SwWmA3395uL2eB2NB8y8qdQ9muXUdPBWE4l9rMZ6gmfu90N5B5uEl - # 94NcfBfYOKi1fJQ9i7WKhTjlRkMCgBkWPkUokvBZFRt8RtF7zI77BSEorHGQCk9t - # /D7BS0GJyfVEhftbWcFEAG3VRcoMhF7kUzYwp+qESoriFRYLeDWv68ZOvG7eoWnP - # PsvZStEVEimjvK5NSESEQa9xWyJOmlOKXhkdymtcUd/nXnx6UTCFgnkgzSdTWV41 - # CI6B6aJ9svCTI2QuoIq2HxX/ix7OvW1huVmcyHVxyUECAwEAAaNTMFEwHQYDVR0O - # BBYEFPwN1OceFGm9v6ux8G+DZ3TUDYxqMB8GA1UdIwQYMBaAFPwN1OceFGm9v6ux - # 8G+DZ3TUDYxqMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAG5D - # 874A4YI7YUwOVsVAdbWtgp1d0zKcPRR+r2OdSbTAV5/gcS3jgBJ3i1BN34JuDVFw - # 3DeJSYT3nxy2Y56lLnxDeF8CUTUtVQx3CuGkRg1ouGAHpO/6OqOhwLLorEmxi7tA - # H2O8mtT0poX5AnOAhzVy7QW0D/k4WaoLyckM5hUa6RtvgvLxOwA0U+VGurCDoctu - # 8F4QOgTAWyh8EZIwaKCliFRSynDpv3JTUwtfZkxo6K6nce1RhCWFAsMvDZL8Dgc0 - # yvgJ38BRsFOtkRuAGSf6ZUwTO8JJRRIFnpUzXflAnGivK9M13D5GEQMmIl6U9Pvk - # sxSmbIUfc2SGJGCJD4I= - # -----END CERTIFICATE----- -owner: - github: elastic/security-external-integrations